mod_ssl: updated patch for OpenSSL 3.0 compatibility (#2007178)

2021-10-12 13:53:59 +01:00 · 2021-10-12 13:53:59 +01:00 · 485637a10d
commit 485637a10d
parent 0da20265b4
2 changed files with 57 additions and 54 deletions
--- a/httpd-2.4.51-openssl3.patch
+++ b/httpd-2.4.51-openssl3.patch
@ -1,11 +1,9 @@
 https://github.com/apache/httpd/pull/258
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
-index 4da24eddcc..5d199cddaf 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
--- a/modules/ssl/ssl_engine_init.c
+@@ -91,7 +91,6 @@
 +++ b/modules/ssl/ssl_engine_init.c
@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
     return 1;
 }
@ -13,7 +11,7 @@ index 4da24eddcc..5d199cddaf 100644
 /*
  * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
-@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
+@@ -171,6 +170,7 @@
     return NULL; /* impossible to reach. */
 }
@ -21,7 +19,7 @@ index 4da24eddcc..5d199cddaf 100644
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
                                        server_rec *s)
-@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+@@ -440,8 +440,9 @@
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
@ -32,19 +30,19 @@ index 4da24eddcc..5d199cddaf 100644
     init_bio_methods();
 #endif
-@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -862,7 +863,11 @@
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
 +#if MODSSL_USE_OPENSSL_PRE_1_1_API
 +    /* Note that for OpenSSL>=1.1, auto selection is enabled via
 +     * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 +#else
 +    SSL_CTX_set_dh_auto(ctx, 1);
 +#endif
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -871,6 +876,23 @@
 #endif
 }
@ -68,7 +66,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_verify(server_rec *s,
                                         apr_pool_t *p,
                                         apr_pool_t *ptemp,
-@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
+@@ -911,10 +933,8 @@
         ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                      "Configuring client authentication");
@ -81,7 +79,7 @@ index 4da24eddcc..5d199cddaf 100644
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
                     "Unable to configure verify locations "
                     "for client authentication");
-@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
+@@ -999,6 +1019,23 @@
     return APR_SUCCESS;
 }
@ -105,7 +103,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_crl(server_rec *s,
                                      apr_pool_t *p,
                                      apr_pool_t *ptemp,
-@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
+@@ -1037,8 +1074,8 @@
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
                  "Configuring certificate revocation facility");
@ -116,7 +114,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
-@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
+@@ -1267,6 +1304,31 @@
    return 0;
 }
@ -148,7 +146,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_server_certs(server_rec *s,
                                           apr_pool_t *p,
                                           apr_pool_t *ptemp,
-@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1277,7 +1339,7 @@
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     X509 *cert;
@ -157,7 +155,7 @@ index 4da24eddcc..5d199cddaf 100644
 #ifdef HAVE_ECC
     EC_GROUP *ecparams = NULL;
     int nid;
-@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1372,8 +1434,7 @@
         }
         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
                                               SSL_FILETYPE_PEM) < 1)
@ -167,13 +165,15 @@ index 4da24eddcc..5d199cddaf 100644
             ssl_asn1_t *asn1;
             const unsigned char *ptr;
-@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1462,13 +1523,22 @@
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)
 -        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
 -        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
 +        && (dh = ssl_dh_GetParamFromFile(certfile))) {
 +        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
 +         * for OpenSSL 3.0+. */
 +        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
@ -182,9 +182,17 @@ index 4da24eddcc..5d199cddaf 100644
 +                     modssl_DH_bits(dh), vhost_id, certfile);
 +        DH_free(dh);
     }
 +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
 +    else {
 +        /* If no parameter is manually configured, enable auto
 +         * selection. */
 +        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
 +    }
 +#endif
 #ifdef HAVE_ECC
-@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+     /*
@@ -1518,6 +1588,7 @@
     char buf[TLSEXT_TICKET_KEY_LEN];
     char *path;
     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
@ -192,7 +200,7 @@ index 4da24eddcc..5d199cddaf 100644
     if (!ticket_key->file_path) {
         return APR_SUCCESS;
-@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+@@ -1545,11 +1616,22 @@
     }
     memcpy(ticket_key->key_name, buf, 16);
@ -219,7 +227,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
-@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+@@ -1680,7 +1762,7 @@
         return ssl_die(s);
     }
@ -228,7 +236,7 @@ index 4da24eddcc..5d199cddaf 100644
     for (n = 0; n < ncerts; n++) {
         int i;
-@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
+@@ -2277,10 +2359,11 @@
     }
@ -242,11 +250,9 @@ index 4da24eddcc..5d199cddaf 100644
     return APR_SUCCESS;
 }
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
-index cabf753790..3db7077f1e 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
--- a/modules/ssl/ssl_engine_io.c
+@@ -194,6 +194,10 @@
 +++ b/modules/ssl/ssl_engine_io.c
@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
 static int bio_filter_out_read(BIO *bio, char *out, int outl)
 {
     /* this is never called */
@ -257,7 +263,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
-@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+@@ -293,12 +297,20 @@
 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
 {
     /* this is never called */
@ -278,7 +284,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
-@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+@@ -533,22 +545,47 @@
 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
 {
@ -327,7 +333,7 @@ index cabf753790..3db7077f1e 100644
 }
 #if MODSSL_USE_OPENSSL_PRE_1_1_API
-@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
+@@ -573,7 +610,7 @@
     bio_filter_in_read,
     bio_filter_in_puts,         /* puts is never called */
     bio_filter_in_gets,         /* gets is never called */
@ -336,11 +342,9 @@ index cabf753790..3db7077f1e 100644
     bio_filter_create,
     bio_filter_destroy,
     NULL
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
-index b99dcf19d4..aced92d2d0 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
--- a/modules/ssl/ssl_engine_kernel.c
+@@ -1685,6 +1685,7 @@
 +++ b/modules/ssl/ssl_engine_kernel.c
@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
 **  _________________________________________________________________
 */
@ -348,7 +352,7 @@ index b99dcf19d4..aced92d2d0 100644
 /*
  * Hand out standard DH parameters, based on the authentication strength
  */
-@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+@@ -1730,6 +1731,7 @@
     return modssl_get_dh_params(keylen);
 }
@ -356,7 +360,7 @@ index b99dcf19d4..aced92d2d0 100644
 /*
  * This OpenSSL callback function is called when OpenSSL
-@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2614,7 +2616,11 @@
                                unsigned char *keyname,
                                unsigned char *iv,
                                EVP_CIPHER_CTX *cipher_ctx,
@ -369,7 +373,7 @@ index b99dcf19d4..aced92d2d0 100644
                                int mode)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2640,7 +2646,13 @@
         }
         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -384,7 +388,7 @@ index b99dcf19d4..aced92d2d0 100644
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
                       "TLS session ticket key for %s successfully set, "
-@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2661,7 +2673,13 @@
         EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -399,11 +403,9 @@ index b99dcf19d4..aced92d2d0 100644
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
                       "TLS session ticket key for %s successfully set, "
-diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
-index 7dbbbdb55e..3b3ceacf0a 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
--- a/modules/ssl/ssl_engine_log.c
+@@ -78,6 +78,16 @@
 +++ b/modules/ssl/ssl_engine_log.c
@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
     return APR_EGENERAL;
 }
@ -420,7 +422,7 @@ index 7dbbbdb55e..3b3ceacf0a 100644
 /*
  * Prints the SSL library error information.
  */
-@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
+@@ -87,7 +97,7 @@
     const char *data;
     int flags;
@ -429,10 +431,8 @@ index 7dbbbdb55e..3b3ceacf0a 100644
         const char *annotation;
         char err[256];
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
-index a6fc7513a2..b091c58c94 100644
+++ httpd-2.4.51/modules/ssl/ssl_private.h
 --- a/modules/ssl/ssl_private.h
 +++ b/modules/ssl/ssl_private.h
@@ -89,6 +89,9 @@
 /* must be defined before including ssl.h */
 #define OPENSSL_NO_SSL_INTERN
@ -459,7 +459,7 @@ index a6fc7513a2..b091c58c94 100644
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif
-@@ -674,7 +676,11 @@ typedef struct {
+@@ -681,7 +683,11 @@
 typedef struct {
     const char *file_path;
     unsigned char key_name[16];
@ -471,7 +471,7 @@ index a6fc7513a2..b091c58c94 100644
     unsigned char aes_key[16];
 } modssl_ticket_key_t;
 #endif
-@@ -938,8 +944,16 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+@@ -945,8 +951,16 @@
 int          ssl_callback_ClientHello(SSL *, int *, void *);
 #endif
 #ifdef HAVE_TLS_SESSION_TICKETS
@ -490,7 +490,7 @@ index a6fc7513a2..b091c58c94 100644
 #endif
 #ifdef HAVE_TLS_ALPN
-@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+@@ -1124,10 +1138,12 @@
 #endif
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.51
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -75,7 +75,7 @@ Patch24: httpd-2.4.43-corelimit.patch
 Patch25: httpd-2.4.43-selinux.patch
 Patch26: httpd-2.4.43-gettid.patch
 Patch27: httpd-2.4.43-icons.patch
-Patch28: httpd-2.4.48-openssl3.patch
+Patch28: httpd-2.4.51-openssl3.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
 Patch34: httpd-2.4.43-socket-activation.patch
 Patch38: httpd-2.4.43-sslciphdefault.patch
@ -787,6 +787,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Tue Oct 12 2021 Joe Orton <jorton@redhat.com> - 2.4.51-2
 - mod_ssl: updated patch for OpenSSL 3.0 compatibility (#2007178)
 * Thu Oct 07 2021 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.4.51-1
 - new version 2.4.51