rpms/mod_auth_openidc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #1423956 fails to build with openssl 1.1.x

Browse Source 
Also rolls up all fixes to jose library before the change over to cjose
This commit is contained in:
John Dennis 2017-02-17 19:26:04 -05:00
parent 2f44085160
commit 43094417fa
2 changed files with 339 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

331
jose.patch Normal file
View File

@ -0,0 +1,331 @@
diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h jose/apr_jose.h
--- mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h 2016-07-11 09:14:40.000000000 -0400
+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jose.h 2017-02-17 18:52:41.331955735 -0500
@@ -319,4 +319,10 @@
apr_byte_t apr_jwt_memcmp(const void *in_a, const void *in_b, size_t len);
+#if (OPENSSL_VERSION_NUMBER < 0x10100000)
+#include <openssl/ec.h>
+ EVP_MD_CTX * EVP_MD_CTX_new();
+ void EVP_MD_CTX_free(EVP_MD_CTX *);
+#endif
+
#endif /* _APR_JOSE_H_ */
diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c jose/apr_jwe.c
--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c 2016-07-11 09:14:40.000000000 -0400
+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwe.c 2017-02-17 18:52:41.331955735 -0500
@@ -175,10 +175,14 @@
jwk->key.rsa->private_exponent_len, private_exp);
}
+ /* private_exp is NULL for public keys */
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ RSA_set0_key(key, modulus, exponent, private_exp);
+#else
key->n = modulus;
key->e = exponent;
- /* private_exp is NULL for public keys */
key->d = private_exp;
+#endif
return key;
}
@@ -489,10 +493,10 @@
unsigned char *plaintext = apr_palloc(pool, p_len + AES_BLOCK_SIZE);
/* initialize decryption context */
- EVP_CIPHER_CTX decrypt_ctx;
- EVP_CIPHER_CTX_init(&decrypt_ctx);
+ EVP_CIPHER_CTX *decrypt_ctx = EVP_CIPHER_CTX_new();
+ EVP_CIPHER_CTX_init(decrypt_ctx);
/* pass the extracted encryption key and Initialization Vector */
- if (!EVP_DecryptInit_ex(&decrypt_ctx,
+ if (!EVP_DecryptInit_ex(decrypt_ctx,
apr_jwe_enc_to_openssl_cipher(header->enc), NULL, enc_key,
(const unsigned char *) iv->value)) {
apr_jwt_error_openssl(err, "EVP_DecryptInit_ex");
@@ -500,14 +504,14 @@
}
/* decrypt the ciphertext in to the plaintext */
- if (!EVP_DecryptUpdate(&decrypt_ctx, plaintext, &p_len,
+ if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len,
(const unsigned char *) cipher_text->value, cipher_text->len)) {
apr_jwt_error_openssl(err, "EVP_DecryptUpdate");
return FALSE;
}
/* decrypt the remaining bits/padding */
- if (!EVP_DecryptFinal_ex(&decrypt_ctx, plaintext + p_len, &f_len)) {
+ if (!EVP_DecryptFinal_ex(decrypt_ctx, plaintext + p_len, &f_len)) {
apr_jwt_error_openssl(err, "EVP_DecryptFinal_ex");
return FALSE;
}
@@ -516,7 +520,7 @@
*decrypted = (char *) plaintext;
/* cleanup */
- EVP_CIPHER_CTX_cleanup(&decrypt_ctx);
+ EVP_CIPHER_CTX_free(decrypt_ctx);
/* if we got here, all must be fine */
return TRUE;
diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c jose/apr_jwk.c
--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c 2016-07-11 09:14:40.000000000 -0400
+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwk.c 2017-02-17 18:52:41.332955699 -0500
@@ -153,21 +153,30 @@
goto end;
}
+ const BIGNUM *rsa_n, *rsa_e, *rsa_d;
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
+#else
+ rsa_n=rsa->n;
+ rsa_e=rsa->e;
+ rsa_d=rsa->d;
+#endif
+
/* convert the modulus bignum in to a key/len */
- key->modulus_len = BN_num_bytes(rsa->n);
+ key->modulus_len = BN_num_bytes(rsa_n);
key->modulus = apr_pcalloc(pool, key->modulus_len);
- BN_bn2bin(rsa->n, key->modulus);
+ BN_bn2bin(rsa_n, key->modulus);
/* convert the exponent bignum in to a key/len */
- key->exponent_len = BN_num_bytes(rsa->e);
+ key->exponent_len = BN_num_bytes(rsa_e);
key->exponent = apr_pcalloc(pool, key->exponent_len);
- BN_bn2bin(rsa->e, key->exponent);
+ BN_bn2bin(rsa_e, key->exponent);
/* convert the private exponent bignum in to a key/len */
- if (rsa->d != NULL) {
- key->private_exponent_len = BN_num_bytes(rsa->d);
+ if (rsa_d != NULL) {
+ key->private_exponent_len = BN_num_bytes(rsa_d);
key->private_exponent = apr_pcalloc(pool, key->private_exponent_len);
- BN_bn2bin(rsa->d, key->private_exponent);
+ BN_bn2bin(rsa_d, key->private_exponent);
}
RSA_free(rsa);
diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c jose/apr_jws.c
--- mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c 2016-07-11 09:14:40.000000000 -0400
+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jws.c 2017-02-17 18:52:41.332955699 -0500
@@ -219,8 +219,8 @@
unsigned char **output, unsigned int *output_len, apr_jwt_error_t *err) {
unsigned char md_value[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
- EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_MD_CTX_init(ctx);
const EVP_MD *evp_digest = NULL;
if ((evp_digest = EVP_get_digestbyname(s_digest)) == NULL) {
@@ -230,20 +230,20 @@
return FALSE;
}
- if (!EVP_DigestInit_ex(&ctx, evp_digest, NULL)) {
+ if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) {
apr_jwt_error_openssl(err, "EVP_DigestInit_ex");
return FALSE;
}
- if (!EVP_DigestUpdate(&ctx, input, input_len)) {
+ if (!EVP_DigestUpdate(ctx, input, input_len)) {
apr_jwt_error_openssl(err, "EVP_DigestUpdate");
return FALSE;
}
- if (!EVP_DigestFinal_ex(&ctx, md_value, output_len)) {
+ if (!EVP_DigestFinal_ex(ctx, md_value, output_len)) {
apr_jwt_error_openssl(err, "EVP_DigestFinal_ex");
return FALSE;
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
*output = apr_pcalloc(pool, *output_len);
memcpy(*output, md_value, *output_len);
@@ -303,8 +303,8 @@
if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
return FALSE;
- EVP_MD_CTX ctx;
- EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_MD_CTX_init(ctx);
RSA * privkey = RSA_new();
@@ -317,9 +317,13 @@
BN_bin2bn(jwk->key.rsa->private_exponent,
jwk->key.rsa->private_exponent_len, private_exponent);
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ RSA_set0_key(privkey, modulus, exponent, private_exponent);
+#else
privkey->n = modulus;
privkey->e = exponent;
privkey->d = private_exponent;
+#endif
EVP_PKEY* pRsaKey = EVP_PKEY_new();
if (!EVP_PKEY_assign_RSA(pRsaKey, privkey)) {
@@ -333,15 +337,15 @@
unsigned char *pDigest = apr_pcalloc(pool, RSA_size(privkey));
unsigned int uDigestLen = RSA_size(privkey);
- if (!EVP_DigestInit(&ctx, digest)) {
+ if (!EVP_DigestInit(ctx, digest)) {
apr_jwt_error_openssl(err, "EVP_DigestInit");
goto end;
}
- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
apr_jwt_error_openssl(err, "EVP_DigestUpdate");
goto end;
}
- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
+ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");
goto end;
}
@@ -371,17 +375,17 @@
} else {
- if (!EVP_SignInit_ex(&ctx, digest, NULL)) {
+ if (!EVP_SignInit_ex(ctx, digest, NULL)) {
apr_jwt_error_openssl(err, "EVP_SignInit_ex");
goto end;
}
- if (!EVP_SignUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+ if (!EVP_SignUpdate(ctx, jwt->message, strlen(jwt->message))) {
apr_jwt_error_openssl(err, "EVP_SignUpdate");
goto end;
}
- if (!EVP_SignFinal(&ctx, (unsigned char *) jwt->signature.bytes,
+ if (!EVP_SignFinal(ctx, (unsigned char *) jwt->signature.bytes,
(unsigned int *) &jwt->signature.length, pRsaKey)) {
apr_jwt_error_openssl(err, "wrong key? EVP_SignFinal");
goto end;
@@ -398,7 +402,7 @@
} else if (privkey) {
RSA_free(privkey);
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
return rc;
}
@@ -416,8 +420,8 @@
if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
return FALSE;
- EVP_MD_CTX ctx;
- EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_MD_CTX_init(ctx);
RSA * pubkey = RSA_new();
@@ -427,8 +431,12 @@
BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus);
BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent);
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ RSA_set0_key(pubkey, modulus, exponent, NULL);
+#else
pubkey->n = modulus;
pubkey->e = exponent;
+#endif
EVP_PKEY* pRsaKey = EVP_PKEY_new();
if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) {
@@ -451,15 +459,15 @@
unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey));
unsigned int uDigestLen = RSA_size(pubkey);
- if (!EVP_DigestInit(&ctx, digest)) {
+ if (!EVP_DigestInit(ctx, digest)) {
apr_jwt_error_openssl(err, "EVP_DigestInit");
goto end;
}
- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
apr_jwt_error_openssl(err, "EVP_DigestUpdate");
goto end;
}
- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
+ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");
goto end;
}
@@ -477,16 +485,16 @@
} else if (apr_jws_signature_starts_with(pool, jwt->header.alg,
"RS") == TRUE) {
- if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) {
+ if (!EVP_VerifyInit_ex(ctx, digest, NULL)) {
apr_jwt_error_openssl(err, "EVP_VerifyInit_ex");
goto end;
}
- if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+ if (!EVP_VerifyUpdate(ctx, jwt->message, strlen(jwt->message))) {
apr_jwt_error_openssl(err, "EVP_VerifyUpdate");
goto end;
}
- int rv = EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes,
+ int rv = EVP_VerifyFinal(ctx, (const unsigned char *) jwt->signature.bytes,
jwt->signature.length, pRsaKey);
if (rv < 0) {
@@ -508,7 +516,7 @@
} else if (pubkey) {
RSA_free(pubkey);
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
return rc;
}
diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c jose/apr_jwt.c
--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c 2016-07-11 09:14:40.000000000 -0400
+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwt.c 2017-02-17 18:52:41.332955699 -0500
@@ -496,12 +496,12 @@
static void apr_jwt_serialize_message(apr_pool_t *pool, apr_jwt_t *jwt) {
- char *s_hdr = json_dumps(jwt->header.value.json, JSON_ENCODE_ANY);
+ char *s_hdr = json_dumps(jwt->header.value.json, JSON_COMPACT);
apr_jwt_base64url_encode(pool, &jwt->header.value.str, s_hdr, strlen(s_hdr),
0);
free(s_hdr);
- char *s_payload = json_dumps(jwt->payload.value.json, JSON_ENCODE_ANY);
+ char *s_payload = json_dumps(jwt->payload.value.json, JSON_COMPACT);
apr_jwt_base64url_encode(pool, &jwt->payload.value.str, s_payload,
strlen(s_payload), 0);
free(s_payload);
@@ -589,3 +589,13 @@
jwt->signature.length, 0);
return apr_psprintf(pool, "%s.%s", jwt->message, b64sig);
}
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000)
+EVP_MD_CTX * EVP_MD_CTX_new() {
+ return malloc(sizeof(EVP_MD_CTX));
+}
+void EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
+ if (ctx) free(ctx);
+}
+
+#endif

9
mod_auth_openidc.spec
View File

@ -15,7 +15,7 @@
Name: mod_auth_openidc
Version: 1.8.10.1
Release: 2%{?dist}
Release: 3%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server
Group: System Environment/Daemons
@ -23,6 +23,8 @@ License: ASL 2.0
URL: https://github.com/pingidentity/mod_auth_openidc
Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch1: jose.patch
BuildRequires: httpd-devel
BuildRequires: openssl-devel
BuildRequires: curl-devel
@ -39,6 +41,7 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep
%setup -q
%patch1 -p1
%build
# workaround rpm-buildroot-usage
@ -90,6 +93,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
* Sat Feb 18 2017 John Dennis <jdennis@redhat.com> - 1.8.10.1-3
- Resolves: #1423956 fails to build with openssl 1.1.x
Also rolls up all fixes to jose library before the change over to cjose
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild