diff --git a/httpd-2.4.48-openssl3.patch b/httpd-2.4.48-openssl3.patch new file mode 100644 index 0000000..f218d16 --- /dev/null +++ b/httpd-2.4.48-openssl3.patch 
@@ -0,0 +1,505 @@ + +https://github.com/apache/httpd/pull/258 + +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 4da24eddcc..5d199cddaf 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + + return 1; + } +-#endif + + /* + * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* +@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen) + + return NULL; /* impossible to reach. */ + } ++#endif + + static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, + server_rec *s) +@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + + modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ + ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + init_dh_params(); +-#if !MODSSL_USE_OPENSSL_PRE_1_1_API ++#else + init_bio_methods(); + #endif + +@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, + { + SSL_CTX *ctx = mctx->ssl_ctx; + ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); ++#else ++ SSL_CTX_set_dh_auto(ctx, 1); ++#endif + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + +@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s, + #endif + } + ++static APR_INLINE ++int modssl_CTX_load_verify_locations(SSL_CTX *ctx, ++ const char *file, ++ const char *path) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if (!SSL_CTX_load_verify_locations(ctx, file, path)) ++ return 0; ++#else ++ if (file && !SSL_CTX_load_verify_file(ctx, file)) ++ return 0; ++ if (path && !SSL_CTX_load_verify_dir(ctx, path)) ++ return 0; ++#endif ++ return 1; ++} ++ + static apr_status_t ssl_init_ctx_verify(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s, + ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, + "Configuring client 
authentication"); + +- if (!SSL_CTX_load_verify_locations(ctx, +- mctx->auth.ca_cert_file, +- mctx->auth.ca_cert_path)) +- { ++ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file, ++ mctx->auth.ca_cert_path)) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) + "Unable to configure verify locations " + "for client authentication"); +@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, + return APR_SUCCESS; + } + ++static APR_INLINE ++int modssl_X509_STORE_load_locations(X509_STORE *store, ++ const char *file, ++ const char *path) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if (!X509_STORE_load_locations(store, file, path)) ++ return 0; ++#else ++ if (file && !X509_STORE_load_file(store, file)) ++ return 0; ++ if (path && !X509_STORE_load_path(store, path)) ++ return 0; ++#endif ++ return 1; ++} ++ + static apr_status_t ssl_init_ctx_crl(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) + "Configuring certificate revocation facility"); + +- if (!store || !X509_STORE_load_locations(store, mctx->crl_file, +- mctx->crl_path)) { ++ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file, ++ mctx->crl_path)) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) + "Host %s: unable to configure X.509 CRL storage " + "for certificate revocation", mctx->sc->vhost_id); +@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag, + return 0; + } + ++static APR_INLINE int modssl_DH_bits(DH *dh) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ return DH_bits(dh); ++#else ++ return BN_num_bits(DH_get0_p(dh)); ++#endif ++} ++ ++/* SSL_CTX_use_PrivateKey_file() can fail either because the private ++ * key was encrypted, or due to a mismatch between an already-loaded ++ * cert and the key - a common misconfiguration - from calling 
++ * X509_check_private_key(). This macro is passed the last error code ++ * off the OpenSSL stack and evaluates to true only for the first ++ * case. With OpenSSL < 3 the second case is identifiable by the ++ * function code, but function codes are not used from 3.0. */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) ++#else ++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ ++ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ ++ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ ++ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE)) ++#endif ++ + static apr_status_t ssl_init_server_certs(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, + const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; + int i; + X509 *cert; +- DH *dhparams; ++ DH *dh; + #ifdef HAVE_ECC + EC_GROUP *ecparams = NULL; + int nid; +@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, + } + else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, + SSL_FILETYPE_PEM) < 1) +- && (ERR_GET_FUNC(ERR_peek_last_error()) +- != X509_F_X509_CHECK_PRIVATE_KEY)) { ++ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) { + ssl_asn1_t *asn1; + const unsigned char *ptr; + +@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s, + */ + certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); + if (certfile && !modssl_is_engine_id(certfile) +- && (dhparams = ssl_dh_GetParamFromFile(certfile))) { +- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); ++ && (dh = ssl_dh_GetParamFromFile(certfile))) { ++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) + "Custom DH parameters (%d bits) for %s loaded from %s", +- DH_bits(dhparams), vhost_id, certfile); +- DH_free(dhparams); ++ modssl_DH_bits(dh), vhost_id, certfile); 
++ DH_free(dh); + } + + #ifdef HAVE_ECC +@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, + char buf[TLSEXT_TICKET_KEY_LEN]; + char *path; + modssl_ticket_key_t *ticket_key = mctx->ticket_key; ++ int res; + + if (!ticket_key->file_path) { + return APR_SUCCESS; +@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, + } + + memcpy(ticket_key->key_name, buf, 16); +- memcpy(ticket_key->hmac_secret, buf + 16, 16); + memcpy(ticket_key->aes_key, buf + 32, 16); +- +- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, +- ssl_callback_SessionTicket)) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ memcpy(ticket_key->hmac_secret, buf + 16, 16); ++ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, ++ ssl_callback_SessionTicket); ++#else ++ ticket_key->mac_params[0] = ++ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16); ++ ticket_key->mac_params[1] = ++ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); ++ ticket_key->mac_params[2] = ++ OSSL_PARAM_construct_end(); ++ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx, ++ ssl_callback_SessionTicket); ++#endif ++ if (!res) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) + "Unable to initialize TLS session ticket key callback " + "(incompatible OpenSSL version?)"); +@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, + return ssl_die(s); + } + +- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); ++ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); + + for (n = 0; n < ncerts; n++) { + int i; +@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data) + + } + +-#if !MODSSL_USE_OPENSSL_PRE_1_1_API ++#if MODSSL_USE_OPENSSL_PRE_1_1_API ++ free_dh_params(); ++#else + free_bio_methods(); + #endif +- free_dh_params(); + + return APR_SUCCESS; + } +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index cabf753790..3db7077f1e 100644 +--- 
a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio) + static int bio_filter_out_read(BIO *bio, char *out, int outl) + { + /* this is never called */ ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, ++ "BUG: %s() should not be called", "bio_filter_out_read"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + +@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) + static int bio_filter_out_gets(BIO *bio, char *buf, int size) + { + /* this is never called */ ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, ++ "BUG: %s() should not be called", "bio_filter_out_gets"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + + static int bio_filter_out_puts(BIO *bio, const char *str) + { + /* this is never called */ ++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, ++ "BUG: %s() should not be called", "bio_filter_out_puts"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + +@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) + + static int bio_filter_in_write(BIO *bio, const char *in, int inl) + { ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, ++ "BUG: %s() should not be called", "bio_filter_in_write"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + + static int bio_filter_in_puts(BIO *bio, const char *str) + { ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, ++ "BUG: %s() should not be called", "bio_filter_in_puts"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + + static int bio_filter_in_gets(BIO *bio, char *buf, int size) + { ++ 
bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, ++ "BUG: %s() should not be called", "bio_filter_in_gets"); ++ AP_DEBUG_ASSERT(0); + return -1; + } + + static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) + { +- return -1; ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); ++ switch (cmd) { ++#ifdef BIO_CTRL_EOF ++ case BIO_CTRL_EOF: ++ return inctx->rc == APR_EOF; ++#endif ++ default: ++ break; ++ } ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, ++ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i", ++ cmd); ++ AP_DEBUG_ASSERT(0); ++ return 0; + } + + #if MODSSL_USE_OPENSSL_PRE_1_1_API +@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = { + bio_filter_in_read, + bio_filter_in_puts, /* puts is never called */ + bio_filter_in_gets, /* gets is never called */ +- bio_filter_in_ctrl, /* ctrl is never called */ ++ bio_filter_in_ctrl, /* ctrl is called for EOF check */ + bio_filter_create, + bio_filter_destroy, + NULL +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index b99dcf19d4..aced92d2d0 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client = + ** _________________________________________________________________ + */ + ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + /* + * Hand out standard DH parameters, based on the authentication strength + */ +@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) + + return modssl_get_dh_params(keylen); + } ++#endif + + /* + * This OpenSSL callback function is called when OpenSSL +@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl, + unsigned char *keyname, + unsigned char *iv, + EVP_CIPHER_CTX *cipher_ctx, +- HMAC_CTX *hctx, ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_CTX *hmac_ctx, ++#else ++ 
EVP_MAC_CTX *mac_ctx, ++#endif + int mode) + { + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); +@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl, + } + EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); +- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, ++ tlsext_tick_md(), NULL); ++#else ++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); ++#endif + + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) + "TLS session ticket key for %s successfully set, " +@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl, + + EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); +- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, ++ tlsext_tick_md(), NULL); ++#else ++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); ++#endif + + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) + "TLS session ticket key for %s successfully set, " +diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c +index 7dbbbdb55e..3b3ceacf0a 100644 +--- a/modules/ssl/ssl_engine_log.c ++++ b/modules/ssl/ssl_engine_log.c +@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s) + return APR_EGENERAL; + } + ++static APR_INLINE ++unsigned long modssl_ERR_peek_error_data(const char **data, int *flags) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ return ERR_peek_error_line_data(NULL, NULL, data, flags); ++#else ++ return ERR_peek_error_data(data, flags); ++#endif ++} ++ + /* + * Prints the SSL library error information. 
+ */ +@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) + const char *data; + int flags; + +- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) { ++ while ((e = modssl_ERR_peek_error_data(&data, &flags))) { + const char *annotation; + char err[256]; + +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index a6fc7513a2..b091c58c94 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -89,6 +89,9 @@ + /* must be defined before including ssl.h */ + #define OPENSSL_NO_SSL_INTERN + #endif ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++#include ++#endif + #include + #include + #include +@@ -134,13 +137,12 @@ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) + #define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f ++#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ + /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not + * include most changes from OpenSSL >= 1.1 (new functions, macros, + * deprecations, ...), so we have to work around this... 
+ */ +-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1) +-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ ++#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) + #else /* defined(LIBRESSL_VERSION_NUMBER) */ + #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) + #endif +@@ -674,7 +676,11 @@ typedef struct { + typedef struct { + const char *file_path; + unsigned char key_name[16]; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + unsigned char hmac_secret[16]; ++#else ++ OSSL_PARAM mac_params[3]; ++#endif + unsigned char aes_key[16]; + } modssl_ticket_key_t; + #endif +@@ -938,8 +944,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); + int ssl_callback_ClientHello(SSL *, int *, void *); + #endif + #ifdef HAVE_TLS_SESSION_TICKETS +-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, +- EVP_CIPHER_CTX *, HMAC_CTX *, int); ++int ssl_callback_SessionTicket(SSL *ssl, ++ unsigned char *keyname, ++ unsigned char *iv, ++ EVP_CIPHER_CTX *cipher_ctx, ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_CTX *hmac_ctx, ++#else ++ EVP_MAC_CTX *mac_ctx, ++#endif ++ int mode); + #endif + + #ifdef HAVE_TLS_ALPN +@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx); + + #endif + ++#if MODSSL_USE_OPENSSL_PRE_1_1_API + /* Retrieve DH parameters for given key length. Return value should + * be treated as unmutable, since it is stored in process-global + * memory. */ + DH *modssl_get_dh_params(unsigned keylen); ++#endif + + /* Returns non-zero if the request was made over SSL/TLS. If sslconn + * is non-NULL and the request is using SSL/TLS, sets *sslconn to the diff --git a/httpd-2.4.48-r1876934.patch b/httpd-2.4.48-r1876934.patch deleted file mode 100644 index 3db72d1..0000000 --- a/httpd-2.4.48-r1876934.patch +++ /dev/null 
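Review bot: In the OpenSSL 3 branch of ssl_init_ticket_key, `OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16)` stores a pointer into the local `char buf[TLSEXT_TICKET_KEY_LEN]`, but `ticket_key->mac_params` is only consumed later, in ssl_callback_SessionTicket's `EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params)` at handshake time, when that stack frame no longer exists, so the ticket HMAC would be keyed from whatever happens to occupy that memory. Keep `memcpy(ticket_key->hmac_secret, buf + 16, 16)` unconditional (and the `hmac_secret` member in both variants of modssl_ticket_key_t in ssl_private.h) and build the parameter from the persistent copy: `OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, ticket_key->hmac_secret, 16)`. A second problem in the same hunk is the OpenSSL 3 `CHECK_PRIVKEY_ERROR` macro, where `ERR_GET_LIB != ERR_LIB_X509` omits the argument and so never examines the error code; it should read `ERR_GET_LIB(ec) != ERR_LIB_X509`, otherwise a cert/key mismatch is no longer separated from the encrypted-key case the comment above the macro describes. The enclosing functions are only partially visible in this hunk, so the exact placement of the persistent copy should be checked against the full ssl_init_ticket_key body.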
@@ -1,295 +0,0 @@ -# ./pullrev.sh 1876934 -http://svn.apache.org/viewvc?view=revision&revision=1876934 - -only in patch2: ---- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1876934 -+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -879,6 +879,23 @@ - #endif - } - -+static APR_INLINE -+int modssl_CTX_load_verify_locations(SSL_CTX *ctx, -+ const char *file, -+ const char *path) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if (!SSL_CTX_load_verify_locations(ctx, file, path)) -+ return 0; -+#else -+ if (file && !SSL_CTX_load_verify_file(ctx, file)) -+ return 0; -+ if (path && !SSL_CTX_load_verify_dir(ctx, path)) -+ return 0; -+#endif -+ return 1; -+} -+ - static apr_status_t ssl_init_ctx_verify(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -919,10 +936,8 @@ - ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, - "Configuring client authentication"); - -- if (!SSL_CTX_load_verify_locations(ctx, -- mctx->auth.ca_cert_file, -- mctx->auth.ca_cert_path)) -- { -+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file, -+ mctx->auth.ca_cert_path)) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) - "Unable to configure verify locations " - "for client authentication"); -@@ -1007,6 +1022,23 @@ - return APR_SUCCESS; - } - -+static APR_INLINE -+int modssl_X509_STORE_load_locations(X509_STORE *store, -+ const char *file, -+ const char *path) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if (!X509_STORE_load_locations(store, file, path)) -+ return 0; -+#else -+ if (file && !X509_STORE_load_file(store, file)) -+ return 0; -+ if (path && !X509_STORE_load_path(store, path)) -+ return 0; -+#endif -+ return 1; -+} -+ - static apr_status_t ssl_init_ctx_crl(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -1045,7 +1077,7 @@ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) - "Configuring certificate revocation facility"); - -- if (!store || !X509_STORE_load_locations(store, mctx->crl_file, -+ if (!store || 
modssl_X509_STORE_load_locations(store, mctx->crl_file, - mctx->crl_path)) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) - "Host %s: unable to configure X.509 CRL storage " -@@ -1285,7 +1317,7 @@ - const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; - int i; - X509 *cert; -- DH *dhparams; -+ DH *dh; - #ifdef HAVE_ECC - EC_GROUP *ecparams = NULL; - int nid; -@@ -1470,12 +1502,12 @@ - */ - certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); - if (certfile && !modssl_is_engine_id(certfile) -- && (dhparams = ssl_dh_GetParamFromFile(certfile))) { -- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); -+ && (dh = ssl_dh_GetParamFromFile(certfile))) { -+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) - "Custom DH parameters (%d bits) for %s loaded from %s", -- DH_bits(dhparams), vhost_id, certfile); -- DH_free(dhparams); -+ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile); -+ DH_free(dh); - } - - #ifdef HAVE_ECC -@@ -1526,6 +1558,7 @@ - char buf[TLSEXT_TICKET_KEY_LEN]; - char *path; - modssl_ticket_key_t *ticket_key = mctx->ticket_key; -+ int res; - - if (!ticket_key->file_path) { - return APR_SUCCESS; -@@ -1553,11 +1586,22 @@ - } - - memcpy(ticket_key->key_name, buf, 16); -- memcpy(ticket_key->hmac_secret, buf + 16, 16); - memcpy(ticket_key->aes_key, buf + 32, 16); -- -- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, -- ssl_callback_SessionTicket)) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ memcpy(ticket_key->hmac_secret, buf + 16, 16); -+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, -+ ssl_callback_SessionTicket); -+#else -+ ticket_key->mac_params[0] = -+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16); -+ ticket_key->mac_params[1] = -+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); -+ ticket_key->mac_params[2] = -+ OSSL_PARAM_construct_end(); -+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx, -+ 
ssl_callback_SessionTicket); -+#endif -+ if (!res) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) - "Unable to initialize TLS session ticket key callback " - "(incompatible OpenSSL version?)"); -@@ -1688,7 +1732,7 @@ - return ssl_die(s); - } - -- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); -+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); - - for (n = 0; n < ncerts; n++) { - int i; ---- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1876934 -+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c -@@ -548,7 +548,20 @@ - - static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) - { -- return -1; -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); -+ switch (cmd) { -+#ifdef BIO_CTRL_EOF -+ case BIO_CTRL_EOF: -+ return inctx->rc == APR_EOF; -+#endif -+ default: -+ break; -+ } -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, -+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i", -+ cmd); -+ AP_DEBUG_ASSERT(0); -+ return 0; - } - - #if MODSSL_USE_OPENSSL_PRE_1_1_API -@@ -573,7 +586,7 @@ - bio_filter_in_read, - bio_filter_in_puts, /* puts is never called */ - bio_filter_in_gets, /* gets is never called */ -- bio_filter_in_ctrl, /* ctrl is never called */ -+ bio_filter_in_ctrl, /* ctrl is called for EOF check */ - bio_filter_create, - bio_filter_destroy, - NULL ---- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1876934 -+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c -@@ -2614,7 +2614,11 @@ - unsigned char *keyname, - unsigned char *iv, - EVP_CIPHER_CTX *cipher_ctx, -- HMAC_CTX *hctx, -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_CTX *hmac_ctx, -+#else -+ EVP_MAC_CTX *mac_ctx, -+#endif - int mode) - { - conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -@@ -2641,7 +2645,13 @@ - } - EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, - ticket_key->aes_key, iv); -- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); -+ -+#if OPENSSL_VERSION_NUMBER < 
0x30000000L -+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, -+ tlsext_tick_md(), NULL); -+#else -+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -+#endif - - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) - "TLS session ticket key for %s successfully set, " -@@ -2662,7 +2672,13 @@ - - EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, - ticket_key->aes_key, iv); -- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, -+ tlsext_tick_md(), NULL); -+#else -+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -+#endif - - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) - "TLS session ticket key for %s successfully set, " ---- httpd-2.4.48/modules/ssl/ssl_engine_log.c.r1876934 -+++ httpd-2.4.48/modules/ssl/ssl_engine_log.c -@@ -78,6 +78,16 @@ - return APR_EGENERAL; - } - -+static APR_INLINE -+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ return ERR_peek_error_line_data(NULL, NULL, data, flags); -+#else -+ return ERR_peek_error_data(data, flags); -+#endif -+} -+ - /* - * Prints the SSL library error information. 
- */ -@@ -87,7 +97,7 @@ - const char *data; - int flags; - -- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) { -+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) { - const char *annotation; - char err[256]; - ---- httpd-2.4.48/modules/ssl/ssl_private.h.r1876934 -+++ httpd-2.4.48/modules/ssl/ssl_private.h -@@ -89,6 +89,9 @@ - /* must be defined before including ssl.h */ - #define OPENSSL_NO_SSL_INTERN - #endif -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#include -+#endif - #include - #include - #include -@@ -674,7 +677,11 @@ - typedef struct { - const char *file_path; - unsigned char key_name[16]; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - unsigned char hmac_secret[16]; -+#else -+ OSSL_PARAM mac_params[3]; -+#endif - unsigned char aes_key[16]; - } modssl_ticket_key_t; - #endif -@@ -938,8 +945,16 @@ - int ssl_callback_ClientHello(SSL *, int *, void *); - #endif - #ifdef HAVE_TLS_SESSION_TICKETS --int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, -- EVP_CIPHER_CTX *, HMAC_CTX *, int); -+int ssl_callback_SessionTicket(SSL *ssl, -+ unsigned char *keyname, -+ unsigned char *iv, -+ EVP_CIPHER_CTX *cipher_ctx, -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_CTX *hmac_ctx, -+#else -+ EVP_MAC_CTX *mac_ctx, -+#endif -+ int mode); - #endif - - #ifdef HAVE_TLS_ALPN diff --git a/httpd-2.4.48-r1877397.patch b/httpd-2.4.48-r1877397.patch index ce267e2..030a226 100644 --- a/httpd-2.4.48-r1877397.patch +++ b/httpd-2.4.48-r1877397.patch @@ -2,7 +2,7 @@ diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 699bdcd..15f68f9 100644 --- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1877397 +++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -870,6 +870,13 @@ +@@ -871,6 +871,13 @@ SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog); } #endif @@ -16,7 +16,7 @@ index 699bdcd..15f68f9 100644 return APR_SUCCESS; } -@@ -891,6 +898,14 @@ +@@ -892,6 +899,14 @@ } } 
@@ -31,9 +31,9 @@ index 699bdcd..15f68f9 100644 static void ssl_init_ctx_callbacks(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -900,7 +915,13 @@ - - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); +@@ -905,7 +920,13 @@ + SSL_CTX_set_dh_auto(ctx, 1); + #endif - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + /* The info callback is used for debug-level tracing. For OpenSSL @@ -48,7 +48,7 @@ index 699bdcd..15f68f9 100644 SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); --- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1877397 +++ httpd-2.4.48/modules/ssl/ssl_engine_io.c -@@ -205,11 +205,13 @@ +@@ -209,11 +209,13 @@ BIO_clear_retry_flags(bio); @@ -62,7 +62,7 @@ index 699bdcd..15f68f9 100644 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c, "bio_filter_out_write: %i bytes", inl); -@@ -462,11 +464,13 @@ +@@ -474,11 +476,13 @@ BIO_clear_retry_flags(bio); @@ -122,7 +122,7 @@ index 699bdcd..15f68f9 100644 modssl_set_app_data2(ssl, NULL); /* -@@ -2261,8 +2258,8 @@ +@@ -2263,8 +2260,8 @@ /* * This callback function is executed while OpenSSL processes the SSL * handshake and does SSL record layer stuff. It's used to trap @@ -133,7 +133,7 @@ index 699bdcd..15f68f9 100644 */ void ssl_callback_Info(const SSL *ssl, int where, int rc) { -@@ -2274,14 +2271,12 @@ +@@ -2276,14 +2273,12 @@ return; } @@ -154,7 +154,7 @@ index 699bdcd..15f68f9 100644 { SSLConnRec *sslconn; -@@ -2306,6 +2301,7 @@ +@@ -2308,6 +2303,7 @@ sslconn->reneg_state = RENEG_REJECT; } } @@ -164,7 +164,7 @@ index 699bdcd..15f68f9 100644 if (s && APLOGdebug(s)) { --- httpd-2.4.48/modules/ssl/ssl_private.h.r1877397 +++ httpd-2.4.48/modules/ssl/ssl_private.h -@@ -513,6 +513,16 @@ +@@ -512,6 +512,16 @@ apr_time_t source_mtime; } ssl_asn1_t; 
@@ -181,7 +181,7 @@ index 699bdcd..15f68f9 100644 /** * Define the mod_ssl per-module configuration structure * (i.e. the global configuration for each httpd process) -@@ -545,18 +555,13 @@ +@@ -544,18 +554,13 @@ NON_SSL_SET_ERROR_MSG /* Need to set the error message */ } non_ssl_request; @@ -207,7 +207,7 @@ index 699bdcd..15f68f9 100644 server_rec *server; SSLDirConfigRec *dc; -@@ -1159,6 +1164,9 @@ +@@ -1160,6 +1165,9 @@ * the configured ENGINE. */ int modssl_is_engine_id(const char *name); diff --git a/httpd-2.4.48-r1891138.patch b/httpd-2.4.48-r1891138.patch deleted file mode 100644 index 9f58627..0000000 --- a/httpd-2.4.48-r1891138.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -# ./pullrev.sh 1891138 -http://svn.apache.org/viewvc?view=revision&revision=1891138 - -https://bugzilla.redhat.com/show_bug.cgi?id=1976080 - ---- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1891138 -+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -1335,6 +1335,22 @@ - return 0; - } - -+/* SSL_CTX_use_PrivateKey_file() can fail either because the private -+ * key was encrypted, or due to a mismatch between an already-loaded -+ * cert and the key - a common misconfiguration - from calling -+ * X509_check_private_key(). This macro is passed the last error code -+ * off the OpenSSL stack and evaluates to true only for the first -+ * case. With OpenSSL < 3 the second case is identifiable by the -+ * function code, but function codes are not used from 3.0. */ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) -+#else -+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ -+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ -+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ -+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE)) -+#endif -+ - static apr_status_t ssl_init_server_certs(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -1412,8 +1412,7 @@ - } - else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, - SSL_FILETYPE_PEM) < 1) -- && (ERR_GET_FUNC(ERR_peek_last_error()) -- != X509_F_X509_CHECK_PRIVATE_KEY)) { -+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) { - ssl_asn1_t *asn1; - const unsigned char *ptr; - diff --git a/httpd.spec b/httpd.spec index 8603c13..a7f3e35 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.48 -Release: 12%{?dist} +Release: 13%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc 
@@ -97,9 +97,9 @@ Patch49: httpd-2.4.48-ssl-proxy-chains.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 Patch60: httpd-2.4.43-enable-sslv3.patch Patch61: httpd-2.4.46-htcacheclean-dont-break.patch -Patch62: httpd-2.4.48-r1876934.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1986822 # https://bugzilla.redhat.com/show_bug.cgi?id=1976080 -Patch63: httpd-2.4.48-r1891138.patch +Patch62: httpd-2.4.48-openssl3.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1932442 Patch64: httpd-2.4.48-full-release.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1950011 @@ -258,7 +258,6 @@ written in the Lua programming language. %patch60 -p1 -b .enable-sslv3 %patch61 -p1 -b .htcacheclean-dont-break %patch62 -p1 -b .r1876934 -%patch63 -p1 -b .sslprivkey %patch64 -p1 -b .full-release %patch65 -p1 -b .r1877397 @@ -803,6 +802,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Jul 28 2021 Joe Orton - 2.4.48-13 +- mod_ssl: OpenSSL 3 compatibility update (#1986822) + * Thu Jul 15 2021 Joe Orton - 2.4.48-12 - mod_ssl: add SSLKEYLOGFILE support (#1982656)
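Review bot: `%patch62 -p1 -b .r1876934` keeps the backup suffix of the patch it replaced, while Patch62 now names httpd-2.4.48-openssl3.patch; the suffix does not affect the build, but `.r1876934` backup files in the build tree would point a reader at the wrong upstream revision, so rename it to match, e.g. `%patch62 -p1 -b .openssl3`. The Patch62 comment block now carries both bug references (1986822 and 1976080) above the single openssl3 patch, which appears intended since the CHECK_PRIVKEY_ERROR change from the deleted r1891138 patch is folded into it, but a one-line comment such as `# (includes the r1891138 private-key error fix)` would save the next maintainer the comparison.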