From c476545bd940364f41d6aba29d8d61e50c841ff6 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 25 Jun 2021 08:35:11 +0100 Subject: [PATCH] add OpenSSL v3 compatibility fixes (#1975201) Resolves: rhbz#1975201 --- httpd-2.4.48-r1876934.patch | 295 ++++++++++++++++++++++++++++++++++++ httpd.spec | 11 +- pullrev.sh | 2 +- 3 files changed, 304 insertions(+), 4 deletions(-) create mode 100644 httpd-2.4.48-r1876934.patch diff --git a/httpd-2.4.48-r1876934.patch b/httpd-2.4.48-r1876934.patch new file mode 100644 index 0000000..3db72d1 --- /dev/null +++ b/httpd-2.4.48-r1876934.patch @@ -0,0 +1,295 @@ +# ./pullrev.sh 1876934 +http://svn.apache.org/viewvc?view=revision&revision=1876934 + +only in patch2: +--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1876934 ++++ httpd-2.4.48/modules/ssl/ssl_engine_init.c +@@ -879,6 +879,23 @@ + #endif + } + ++static APR_INLINE ++int modssl_CTX_load_verify_locations(SSL_CTX *ctx, ++ const char *file, ++ const char *path) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if (!SSL_CTX_load_verify_locations(ctx, file, path)) ++ return 0; ++#else ++ if (file && !SSL_CTX_load_verify_file(ctx, file)) ++ return 0; ++ if (path && !SSL_CTX_load_verify_dir(ctx, path)) ++ return 0; ++#endif ++ return 1; ++} ++ + static apr_status_t ssl_init_ctx_verify(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -919,10 +936,8 @@ + ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, + "Configuring client authentication"); + +- if (!SSL_CTX_load_verify_locations(ctx, +- mctx->auth.ca_cert_file, +- mctx->auth.ca_cert_path)) +- { ++ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file, ++ mctx->auth.ca_cert_path)) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) + "Unable to configure verify locations " + "for client authentication"); +@@ -1007,6 +1022,23 @@ + return APR_SUCCESS; + } + ++static APR_INLINE ++int modssl_X509_STORE_load_locations(X509_STORE *store, ++ const char *file, ++ const char *path) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if (!X509_STORE_load_locations(store, file, path)) ++ return 0; ++#else ++ if (file && !X509_STORE_load_file(store, file)) ++ return 0; ++ if (path && !X509_STORE_load_path(store, path)) ++ return 0; ++#endif ++ return 1; ++} ++ + static apr_status_t ssl_init_ctx_crl(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -1045,7 +1077,7 @@ + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) + "Configuring certificate revocation facility"); + +- if (!store || !X509_STORE_load_locations(store, mctx->crl_file, ++ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file, + mctx->crl_path)) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) + "Host %s: unable to configure X.509 CRL storage " +@@ -1285,7 +1317,7 @@ + const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; + int i; + X509 *cert; +- DH *dhparams; ++ DH *dh; + #ifdef HAVE_ECC + EC_GROUP *ecparams = NULL; + int nid; +@@ -1470,12 +1502,12 @@ + */ + certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); + if (certfile && !modssl_is_engine_id(certfile) +- && (dhparams = ssl_dh_GetParamFromFile(certfile))) { +- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); ++ && (dh = ssl_dh_GetParamFromFile(certfile))) { ++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) + "Custom DH parameters (%d bits) for %s loaded from %s", +- DH_bits(dhparams), vhost_id, certfile); +- DH_free(dhparams); ++ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile); ++ DH_free(dh); + } + + #ifdef HAVE_ECC +@@ -1526,6 +1558,7 @@ + char buf[TLSEXT_TICKET_KEY_LEN]; + char *path; + modssl_ticket_key_t *ticket_key = mctx->ticket_key; ++ int res; + + if (!ticket_key->file_path) { + return APR_SUCCESS; +@@ -1553,11 +1586,22 @@ + } + + memcpy(ticket_key->key_name, buf, 16); +- memcpy(ticket_key->hmac_secret, buf + 16, 16); + memcpy(ticket_key->aes_key, buf + 32, 16); +- +- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, +- ssl_callback_SessionTicket)) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ memcpy(ticket_key->hmac_secret, buf + 16, 16); ++ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, ++ ssl_callback_SessionTicket); ++#else ++ ticket_key->mac_params[0] = ++ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16); ++ ticket_key->mac_params[1] = ++ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); ++ ticket_key->mac_params[2] = ++ OSSL_PARAM_construct_end(); ++ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx, ++ ssl_callback_SessionTicket); ++#endif ++ if (!res) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) + "Unable to initialize TLS session ticket key callback " + "(incompatible OpenSSL version?)"); +@@ -1688,7 +1732,7 @@ + return ssl_die(s); + } + +- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); ++ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); + + for (n = 0; n < ncerts; n++) { + int i; +--- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1876934 ++++ httpd-2.4.48/modules/ssl/ssl_engine_io.c +@@ -548,7 +548,20 @@ + + static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) + { +- return -1; ++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); ++ switch (cmd) { ++#ifdef BIO_CTRL_EOF ++ case BIO_CTRL_EOF: ++ return inctx->rc == APR_EOF; ++#endif ++ default: ++ break; ++ } ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, ++ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i", ++ cmd); ++ AP_DEBUG_ASSERT(0); ++ return 0; + } + + #if MODSSL_USE_OPENSSL_PRE_1_1_API +@@ -573,7 +586,7 @@ + bio_filter_in_read, + bio_filter_in_puts, /* puts is never called */ + bio_filter_in_gets, /* gets is never called */ +- bio_filter_in_ctrl, /* ctrl is never called */ ++ bio_filter_in_ctrl, /* ctrl is called for EOF check */ + bio_filter_create, + bio_filter_destroy, + NULL +--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1876934 ++++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c +@@ -2614,7 +2614,11 @@ + unsigned char *keyname, + unsigned char *iv, + EVP_CIPHER_CTX *cipher_ctx, +- HMAC_CTX *hctx, ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_CTX *hmac_ctx, ++#else ++ EVP_MAC_CTX *mac_ctx, ++#endif + int mode) + { + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); +@@ -2641,7 +2645,13 @@ + } + EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); +- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, ++ tlsext_tick_md(), NULL); ++#else ++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); ++#endif + + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) + "TLS session ticket key for %s successfully set, " +@@ -2662,7 +2672,13 @@ + + EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, + ticket_key->aes_key, iv); +- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, ++ tlsext_tick_md(), NULL); ++#else ++ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); ++#endif + + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) + "TLS session ticket key for %s successfully set, " +--- httpd-2.4.48/modules/ssl/ssl_engine_log.c.r1876934 ++++ httpd-2.4.48/modules/ssl/ssl_engine_log.c +@@ -78,6 +78,16 @@ + return APR_EGENERAL; + } + ++static APR_INLINE ++unsigned long modssl_ERR_peek_error_data(const char **data, int *flags) ++{ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ return ERR_peek_error_line_data(NULL, NULL, data, flags); ++#else ++ return ERR_peek_error_data(data, flags); ++#endif ++} ++ + /* + * Prints the SSL library error information. + */ +@@ -87,7 +97,7 @@ + const char *data; + int flags; + +- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) { ++ while ((e = modssl_ERR_peek_error_data(&data, &flags))) { + const char *annotation; + char err[256]; + +--- httpd-2.4.48/modules/ssl/ssl_private.h.r1876934 ++++ httpd-2.4.48/modules/ssl/ssl_private.h +@@ -89,6 +89,9 @@ + /* must be defined before including ssl.h */ + #define OPENSSL_NO_SSL_INTERN + #endif ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++#include ++#endif + #include + #include + #include +@@ -674,7 +677,11 @@ + typedef struct { + const char *file_path; + unsigned char key_name[16]; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + unsigned char hmac_secret[16]; ++#else ++ OSSL_PARAM mac_params[3]; ++#endif + unsigned char aes_key[16]; + } modssl_ticket_key_t; + #endif +@@ -938,8 +945,16 @@ + int ssl_callback_ClientHello(SSL *, int *, void *); + #endif + #ifdef HAVE_TLS_SESSION_TICKETS +-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, +- EVP_CIPHER_CTX *, HMAC_CTX *, int); ++int ssl_callback_SessionTicket(SSL *ssl, ++ unsigned char *keyname, ++ unsigned char *iv, ++ EVP_CIPHER_CTX *cipher_ctx, ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ HMAC_CTX *hmac_ctx, ++#else ++ EVP_MAC_CTX *mac_ctx, ++#endif ++ int mode); + #endif + + #ifdef HAVE_TLS_ALPN diff --git a/httpd.spec b/httpd.spec index e4487ba..e77490e 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.48 -Release: 3%{?dist} +Release: 4%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -94,7 +94,8 @@ Patch48: httpd-2.4.46-freebind.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 Patch60: httpd-2.4.43-enable-sslv3.patch -Patch63: httpd-2.4.46-htcacheclean-dont-break.patch +Patch61: httpd-2.4.46-htcacheclean-dont-break.patch +Patch62: httpd-2.4.48-r1876934.patch # Security fixes @@ -245,7 +246,8 @@ written in the Lua programming language. %patch48 -p1 -b .freebind %patch60 -p1 -b .enable-sslv3 -%patch63 -p1 -b .htcacheclean-dont-break +%patch61 -p1 -b .htcacheclean-dont-break +%patch62 -p1 -b .r1876934 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -787,6 +789,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Jun 25 2021 Joe Orton - 2.4.48-4 +- add OpenSSL v3 compatibility fixes (#1975201) + * Wed Jun 16 2021 Mohan Boddu - 2.4.48-3 - Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 diff --git a/pullrev.sh b/pullrev.sh index ada0076..35818df 100755 --- a/pullrev.sh +++ b/pullrev.sh @@ -7,7 +7,7 @@ fi repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk" #repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x" -ver=2.4.43 +ver=2.4.48 prefix="httpd-${ver}" suffix="${SUFFIX:-r$1${2:++}}" fn="${prefix}-${suffix}.patch"