Backport to v2.4.

*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice). mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. PR 68080. trunk patch: http://svn.apache.org/r1908537 http://svn.apache.org/r1908539 http://svn.apache.org/r1908542 http://svn.apache.org/r1913616 http://svn.apache.org/r1913815 http://svn.apache.org/r1913816 http://svn.apache.org/r1908542 http://svn.apache.org/r1913832 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff (#381) +1: ylavic, jorton, minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913912 13f79535-47bb-0310-9956-ffa450edef68
apache · Nov 18, 2023 · 28f6fc0 · 28f6fc0
1 parent be6a1dc
commit 28f6fc0
Show file tree

Hide file tree

Showing 16 changed files with 307 additions and 164 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -67,7 +67,7 @@ jobs:
           # -------------------------------------------------------------------------
           - name: GCC 10 maintainer-mode w/-Werror, install + VPATH
             config: --enable-mods-shared=reallyall --enable-maintainer-mode
-            notest-cflags: -Werror -O2 -Wno-deprecated-declarations
+            notest-cflags: -Werror -O2
             env: |
               CC=gcc-10
               TEST_VPATH=1

diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.59
 
+  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
+     Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
+     notably with OpenSSL >= 3.  PR 68080.  [ Yann Ylavic, Joe Orton ]
+
+  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
+     deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
+     to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
+     [ Yann Ylavic ]
+
   *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
 
   *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when

diff --git a/STATUS b/STATUS
@@ -153,23 +153,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
-     deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
-     to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
-     mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
-     Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
-     notably with OpenSSL >= 3.  PR 68080.
-     trunk patch: http://svn.apache.org/r1908537
-                  http://svn.apache.org/r1908539
-                  http://svn.apache.org/r1908542
-                  http://svn.apache.org/r1913616
-                  http://svn.apache.org/r1913815
-                  http://svn.apache.org/r1913816
-                  http://svn.apache.org/r1908542
-                  http://svn.apache.org/r1913832
-     2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff
-                  (https://github.com/apache/httpd/pull/381)
-     +1: ylavic, jorton, minfrin
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
@@ -32,6 +32,9 @@
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+#endif
 
 #include "md.h"
 #include "md_crypt.h"
@@ -988,26 +991,42 @@ static const char *bn64(const BIGNUM *b, apr_pool_t *p)
 
 const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p)
 {
-    const BIGNUM *e;
-    RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey);
-
-    if (!rsa) {
-        return NULL;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey);
+    if (rsa) {
+        const BIGNUM *e;
+        RSA_get0_key(rsa, NULL, &e, NULL);
+        return bn64(e, p);
     }
-    RSA_get0_key(rsa, NULL, &e, NULL);
-    return bn64(e, p);
+#else
+    BIGNUM *e = NULL;
+    if (EVP_PKEY_get_bn_param(pkey->pkey, OSSL_PKEY_PARAM_RSA_E, &e)) {
+        const char *e64 = bn64(e, p);
+        BN_free(e);
+        return e64;
+    }
+#endif
+    return NULL;
 }
 
 const char *md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p)
 {
-    const BIGNUM *n;
-    RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey);
-
-    if (!rsa) {
-        return NULL;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey);
+    if (rsa) {
+        const BIGNUM *n;
+        RSA_get0_key(rsa, &n, NULL, NULL);
+        return bn64(n, p);
     }
-    RSA_get0_key(rsa, &n, NULL, NULL);
-    return bn64(n, p);
+#else
+    BIGNUM *n = NULL;
+    if (EVP_PKEY_get_bn_param(pkey->pkey, OSSL_PKEY_PARAM_RSA_N, &n)) {
+        const char *n64 = bn64(n, p);
+        BN_free(n);
+        return n64;
+    }
+#endif
+    return NULL;
 }
 
 apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t *p, 

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
@@ -25,8 +25,7 @@
  */
 
 #include "ssl_private.h"
-#include "mod_ssl.h"
-#include "mod_ssl_openssl.h"
+
 #include "util_md5.h"
 #include "util_mutex.h"
 #include "ap_provider.h"
@@ -75,11 +74,9 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(SessionCache, TAKE1,
                 "SSL Session Cache storage "
                 "('none', 'nonenotnull', 'dbm:/path/to/file')")
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     SSL_CMD_SRV(CryptoDevice, TAKE1,
                 "SSL external Crypto Device usage "
                 "('builtin', '...')")
-#endif
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "('startup|connect builtin|file:/path|exec:/path [bytes]')")

diff --git a/modules/ssl/mod_ssl_openssl.h b/modules/ssl/mod_ssl_openssl.h
@@ -30,14 +30,17 @@
 
 /* OpenSSL headers */
 
-#ifndef SSL_PRIVATE_H
 #include <openssl/opensslv.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/macros.h> /* for OPENSSL_API_LEVEL */
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
 /* must be defined before including ssl.h */
 #define OPENSSL_NO_SSL_INTERN
 #endif
 #include <openssl/ssl.h>
-#endif
+#include <openssl/evp.h>
+#include <openssl/x509.h>
 
 /**
  * init_server hook -- allow SSL_CTX-specific initialization to be performed by

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
@@ -27,6 +27,7 @@
                                            damned if you don't.''
                                                -- Unknown        */
 #include "ssl_private.h"
+
 #include "util_mutex.h"
 #include "ap_provider.h"
 
@@ -592,14 +593,15 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,
     return NULL;
 }
 
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
                                     void *dcfg,
                                     const char *arg)
 {
     SSLModConfigRec *mc = myModConfig(cmd->server);
     const char *err;
+#if MODSSL_HAVE_ENGINE_API
     ENGINE *e;
+#endif
 
     if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
         return err;
@@ -608,13 +610,16 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
     if (strcEQ(arg, "builtin")) {
         mc->szCryptoDevice = NULL;
     }
+#if MODSSL_HAVE_ENGINE_API
     else if ((e = ENGINE_by_id(arg))) {
         mc->szCryptoDevice = arg;
         ENGINE_free(e);
     }
+#endif
     else {
         err = "SSLCryptoDevice: Invalid argument; must be one of: "
               "'builtin' (none)";
+#if MODSSL_HAVE_ENGINE_API
         e = ENGINE_get_first();
         while (e) {
             err = apr_pstrcat(cmd->pool, err, ", '", ENGINE_get_id(e),
@@ -623,12 +628,12 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
              * on the 'old' e, per the docs in engine.h. */
             e = ENGINE_get_next(e);
         }
+#endif
         return err;
     }
 
     return NULL;
 }
-#endif
 
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
                                   void *dcfg,