diff --git a/jose.patch b/jose.patch
new file mode 100644
index 0000000..c57ae45
--- /dev/null
+++ b/jose.patch
@@ -0,0 +1,331 @@
+diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h jose/apr_jose.h
+--- mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h 2016-07-11 09:14:40.000000000 -0400
++++ mod_auth_openidc-fb1fd4c/src/jose/apr_jose.h 2017-02-17 18:52:41.331955735 -0500
+@@ -319,4 +319,10 @@
+ 
+ apr_byte_t apr_jwt_memcmp(const void *in_a, const void *in_b, size_t len);
+ 
++#if (OPENSSL_VERSION_NUMBER < 0x10100000)
++#include 
++ EVP_MD_CTX * EVP_MD_CTX_new();
++ void EVP_MD_CTX_free(EVP_MD_CTX *);
++#endif
++ 
+ #endif /* _APR_JOSE_H_ */
+diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c jose/apr_jwe.c
+--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c 2016-07-11 09:14:40.000000000 -0400
++++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwe.c 2017-02-17 18:52:41.331955735 -0500
+@@ -175,10 +175,14 @@
+ jwk->key.rsa->private_exponent_len, private_exp);
+ }
+ 
++ /* private_exp is NULL for public keys */
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ RSA_set0_key(key, modulus, exponent, private_exp);
++#else
+ key->n = modulus;
+ key->e = exponent;
+- /* private_exp is NULL for public keys */
+ key->d = private_exp;
++#endif
+ 
+ return key;
+ }
+@@ -489,10 +493,10 @@
+ unsigned char *plaintext = apr_palloc(pool, p_len + AES_BLOCK_SIZE);
+ 
+ /* initialize decryption context */
+- EVP_CIPHER_CTX decrypt_ctx;
+- EVP_CIPHER_CTX_init(&decrypt_ctx);
++ EVP_CIPHER_CTX *decrypt_ctx = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(decrypt_ctx);
+ /* pass the extracted encryption key and Initialization Vector */
+- if (!EVP_DecryptInit_ex(&decrypt_ctx,
++ if (!EVP_DecryptInit_ex(decrypt_ctx,
+ apr_jwe_enc_to_openssl_cipher(header->enc), NULL, enc_key,
+ (const unsigned char *) iv->value)) {
+ apr_jwt_error_openssl(err, "EVP_DecryptInit_ex");
+@@ -500,14 +504,14 @@
+ }
+ 
+ /* decrypt the ciphertext in to the plaintext */
+- if (!EVP_DecryptUpdate(&decrypt_ctx, plaintext, &p_len,
++ if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len,
+ (const unsigned char *) cipher_text->value, 
cipher_text->len)) {
+ apr_jwt_error_openssl(err, "EVP_DecryptUpdate");
+ return FALSE;
+ }
+ 
+ /* decrypt the remaining bits/padding */
+- if (!EVP_DecryptFinal_ex(&decrypt_ctx, plaintext + p_len, &f_len)) {
++ if (!EVP_DecryptFinal_ex(decrypt_ctx, plaintext + p_len, &f_len)) {
+ apr_jwt_error_openssl(err, "EVP_DecryptFinal_ex");
+ return FALSE;
+ }
+@@ -516,7 +520,7 @@
+ *decrypted = (char *) plaintext;
+ 
+ /* cleanup */
+- EVP_CIPHER_CTX_cleanup(&decrypt_ctx);
++ EVP_CIPHER_CTX_free(decrypt_ctx);
+ 
+ /* if we got here, all must be fine */
+ return TRUE;
+diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c jose/apr_jwk.c
+--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c 2016-07-11 09:14:40.000000000 -0400
++++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwk.c 2017-02-17 18:52:41.332955699 -0500
+@@ -153,21 +153,30 @@
+ goto end;
+ }
+ 
++ const BIGNUM *rsa_n, *rsa_e, *rsa_d;
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
++#else
++ rsa_n=rsa->n;
++ rsa_e=rsa->e;
++ rsa_d=rsa->d;
++#endif
++ 
+ /* convert the modulus bignum in to a key/len */
+- key->modulus_len = BN_num_bytes(rsa->n);
++ key->modulus_len = BN_num_bytes(rsa_n);
+ key->modulus = apr_pcalloc(pool, key->modulus_len);
+- BN_bn2bin(rsa->n, key->modulus);
++ BN_bn2bin(rsa_n, key->modulus);
+ 
+ /* convert the exponent bignum in to a key/len */
+- key->exponent_len = BN_num_bytes(rsa->e);
++ key->exponent_len = BN_num_bytes(rsa_e);
+ key->exponent = apr_pcalloc(pool, key->exponent_len);
+- BN_bn2bin(rsa->e, key->exponent);
++ BN_bn2bin(rsa_e, key->exponent);
+ 
+ /* convert the private exponent bignum in to a key/len */
+- if (rsa->d != NULL) {
+- key->private_exponent_len = BN_num_bytes(rsa->d);
++ if (rsa_d != NULL) {
++ key->private_exponent_len = BN_num_bytes(rsa_d);
+ key->private_exponent = apr_pcalloc(pool, key->private_exponent_len);
+- BN_bn2bin(rsa->d, key->private_exponent);
++ BN_bn2bin(rsa_d, key->private_exponent);
+ }
+ 
+ RSA_free(rsa);
+diff -u -r 
mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c jose/apr_jws.c
+--- mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c 2016-07-11 09:14:40.000000000 -0400
++++ mod_auth_openidc-fb1fd4c/src/jose/apr_jws.c 2017-02-17 18:52:41.332955699 -0500
+@@ -219,8 +219,8 @@
+ unsigned char **output, unsigned int *output_len, apr_jwt_error_t *err) {
+ unsigned char md_value[EVP_MAX_MD_SIZE];
+ 
+- EVP_MD_CTX ctx;
+- EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++ EVP_MD_CTX_init(ctx);
+ 
+ const EVP_MD *evp_digest = NULL;
+ if ((evp_digest = EVP_get_digestbyname(s_digest)) == NULL) {
+@@ -230,20 +230,20 @@
+ return FALSE;
+ }
+ 
+- if (!EVP_DigestInit_ex(&ctx, evp_digest, NULL)) {
++ if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) {
+ apr_jwt_error_openssl(err, "EVP_DigestInit_ex");
+ return FALSE;
+ }
+- if (!EVP_DigestUpdate(&ctx, input, input_len)) {
++ if (!EVP_DigestUpdate(ctx, input, input_len)) {
+ apr_jwt_error_openssl(err, "EVP_DigestUpdate");
+ return FALSE;
+ }
+- if (!EVP_DigestFinal_ex(&ctx, md_value, output_len)) {
++ if (!EVP_DigestFinal_ex(ctx, md_value, output_len)) {
+ apr_jwt_error_openssl(err, "EVP_DigestFinal_ex");
+ return FALSE;
+ }
+ 
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(ctx);
+ 
+ *output = apr_pcalloc(pool, *output_len);
+ memcpy(*output, md_value, *output_len);
+@@ -303,8 +303,8 @@
+ if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
+ return FALSE;
+ 
+- EVP_MD_CTX ctx;
+- EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++ EVP_MD_CTX_init(ctx);
+ 
+ RSA * privkey = RSA_new();
+ 
+@@ -317,9 +317,13 @@
+ BN_bin2bn(jwk->key.rsa->private_exponent,
+ jwk->key.rsa->private_exponent_len, private_exponent);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ RSA_set0_key(privkey, modulus, exponent, private_exponent);
++#else
+ privkey->n = modulus;
+ privkey->e = exponent;
+ privkey->d = private_exponent;
++#endif
+ 
+ EVP_PKEY* pRsaKey = EVP_PKEY_new();
+ if (!EVP_PKEY_assign_RSA(pRsaKey, privkey)) {
+@@ -333,15 
+337,15 @@
+ unsigned char *pDigest = apr_pcalloc(pool, RSA_size(privkey));
+ unsigned int uDigestLen = RSA_size(privkey);
+ 
+- if (!EVP_DigestInit(&ctx, digest)) {
++ if (!EVP_DigestInit(ctx, digest)) {
+ apr_jwt_error_openssl(err, "EVP_DigestInit");
+ goto end;
+ }
+- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
++ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
+ apr_jwt_error_openssl(err, "EVP_DigestUpdate");
+ goto end;
+ }
+- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
++ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
+ apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");
+ goto end;
+ }
+@@ -371,17 +375,17 @@
+ 
+ } else {
+ 
+- if (!EVP_SignInit_ex(&ctx, digest, NULL)) {
++ if (!EVP_SignInit_ex(ctx, digest, NULL)) {
+ apr_jwt_error_openssl(err, "EVP_SignInit_ex");
+ goto end;
+ }
+ 
+- if (!EVP_SignUpdate(&ctx, jwt->message, strlen(jwt->message))) {
++ if (!EVP_SignUpdate(ctx, jwt->message, strlen(jwt->message))) {
+ apr_jwt_error_openssl(err, "EVP_SignUpdate");
+ goto end;
+ }
+ 
+- if (!EVP_SignFinal(&ctx, (unsigned char *) jwt->signature.bytes,
++ if (!EVP_SignFinal(ctx, (unsigned char *) jwt->signature.bytes,
+ (unsigned int *) &jwt->signature.length, pRsaKey)) {
+ apr_jwt_error_openssl(err, "wrong key? 
EVP_SignFinal");
+ goto end;
+@@ -398,7 +402,7 @@
+ } else if (privkey) {
+ RSA_free(privkey);
+ }
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(ctx);
+ 
+ return rc;
+ }
+@@ -416,8 +420,8 @@
+ if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
+ return FALSE;
+ 
+- EVP_MD_CTX ctx;
+- EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++ EVP_MD_CTX_init(ctx);
+ 
+ RSA * pubkey = RSA_new();
+ 
+@@ -427,8 +431,12 @@
+ BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus);
+ BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ RSA_set0_key(pubkey, modulus, exponent, NULL);
++#else
+ pubkey->n = modulus;
+ pubkey->e = exponent;
++#endif
+ 
+ EVP_PKEY* pRsaKey = EVP_PKEY_new();
+ if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) {
+@@ -451,15 +459,15 @@
+ unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey));
+ unsigned int uDigestLen = RSA_size(pubkey);
+ 
+- if (!EVP_DigestInit(&ctx, digest)) {
++ if (!EVP_DigestInit(ctx, digest)) {
+ apr_jwt_error_openssl(err, "EVP_DigestInit");
+ goto end;
+ }
+- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
++ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
+ apr_jwt_error_openssl(err, "EVP_DigestUpdate");
+ goto end;
+ }
+- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
++ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
+ apr_jwt_error_openssl(err, "wrong key? 
EVP_DigestFinal");
+ goto end;
+ }
+@@ -477,16 +485,16 @@
+ } else if (apr_jws_signature_starts_with(pool, jwt->header.alg,
+ "RS") == TRUE) {
+ 
+- if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) {
++ if (!EVP_VerifyInit_ex(ctx, digest, NULL)) {
+ apr_jwt_error_openssl(err, "EVP_VerifyInit_ex");
+ goto end;
+ }
+- if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) {
++ if (!EVP_VerifyUpdate(ctx, jwt->message, strlen(jwt->message))) {
+ apr_jwt_error_openssl(err, "EVP_VerifyUpdate");
+ goto end;
+ }
+ 
+- int rv = EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes,
++ int rv = EVP_VerifyFinal(ctx, (const unsigned char *) jwt->signature.bytes,
+ jwt->signature.length, pRsaKey);
+ 
+ if (rv < 0) {
+@@ -508,7 +516,7 @@
+ } else if (pubkey) {
+ RSA_free(pubkey);
+ }
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(ctx);
+ 
+ return rc;
+ }
+diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c jose/apr_jwt.c
+--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c 2016-07-11 09:14:40.000000000 -0400
++++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwt.c 2017-02-17 18:52:41.332955699 -0500
+@@ -496,12 +496,12 @@
+ 
+ static void apr_jwt_serialize_message(apr_pool_t *pool, apr_jwt_t *jwt) {
+ 
+- char *s_hdr = json_dumps(jwt->header.value.json, JSON_ENCODE_ANY);
++ char *s_hdr = json_dumps(jwt->header.value.json, JSON_COMPACT);
+ apr_jwt_base64url_encode(pool, &jwt->header.value.str, s_hdr, strlen(s_hdr),
+ 0);
+ free(s_hdr);
+ 
+- char *s_payload = json_dumps(jwt->payload.value.json, JSON_ENCODE_ANY);
++ char *s_payload = json_dumps(jwt->payload.value.json, JSON_COMPACT);
+ apr_jwt_base64url_encode(pool, &jwt->payload.value.str, s_payload,
+ strlen(s_payload), 0);
+ free(s_payload);
+@@ -589,3 +589,13 @@
+ jwt->signature.length, 0);
+ return apr_psprintf(pool, "%s.%s", jwt->message, b64sig);
+ }
++ 
++#if (OPENSSL_VERSION_NUMBER < 0x10100000)
++EVP_MD_CTX * EVP_MD_CTX_new() {
++ return malloc(sizeof(EVP_MD_CTX));
++}
++void EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
++ if 
(ctx) free(ctx);
++}
++ 
++#endif
diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec
index 77f9443..276d773 100644
--- a/mod_auth_openidc.spec
+++ b/mod_auth_openidc.spec
@@ -15,7 +15,7 @@
Name: mod_auth_openidc
Version: 1.8.10.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server
Group: System Environment/Daemons
@@ -23,6 +23,8 @@ License: ASL 2.0
URL: https://github.com/pingidentity/mod_auth_openidc
Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1: jose.patch
+ 
BuildRequires: httpd-devel
BuildRequires: openssl-devel
BuildRequires: curl-devel
@@ -39,6 +41,7 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep
%setup -q
+%patch1 -p1
%build
# workaround rpm-buildroot-usage
@@ -90,6 +93,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
+* Sat Feb 18 2017 John Dennis - 1.8.10.1-3
+- Resolves: #1423956 fails to build with openssl 1.1.x
+ Also rolls up all fixes to jose library before the change over to cjose
+ 
* Fri Feb 10 2017 Fedora Release Engineering - 1.8.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
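Review bot: The heap-allocated contexts this patch introduces leak on every error return: in the apr_jwe.c -489/-500 hunks `decrypt_ctx` from `EVP_CIPHER_CTX_new()` is released only on the success path, while each `apr_jwt_error_openssl(...); return FALSE;` branch after EVP_DecryptInit_ex/Update/Final drops it, and the apr_jws.c -230 hunk does the same with `ctx` from `EVP_MD_CTX_new()` (the stack contexts they replace only leaked the cipher/digest internals, now the whole object goes). Because the ciphertext and signature come from the token being validated, an unauthenticated client can hit those branches repeatedly and grow the httpd worker's heap, so the failure branches should fall through to one cleanup that calls `EVP_CIPHER_CTX_free(decrypt_ctx)` / `EVP_MD_CTX_free(ctx)` before returning, the way the sign/verify hunks appear to via `goto end`. Separately, the pre-1.1.0 shim in the apr_jwt.c -589 hunk hands back raw `malloc()` with no NULL check and its `EVP_MD_CTX_free` is a bare `free()`, so on OpenSSL 1.0.x the digest state allocated by EVP_DigestInit_ex is never released; use what 1.0.x already provides, `return EVP_MD_CTX_create();` and `EVP_MD_CTX_destroy(ctx);`, and have callers check the result for NULL. The decrypt and hash functions these hunks touch start and end outside the hunks.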