From: Yann Ylavic Date: Sat, 11 Dec 2021 12:57:53 +0000 (+0000) Subject: Revert r1895807 [skip ci]. X-Git-Tag: candidate-2.4.52-rc1~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ecde9813165549711d2e3d6302a4d2141357979;p=thirdparty%2Fapache%2Fhttpd.git Revert r1895807 [skip ci]. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895808 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 253417622fd..7f52755b868 100644 --- a/STATUS +++ b/STATUS @@ -145,28 +145,7 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: Updates to support OpenSSL 3.x - trunk patch: https://svn.apache.org/r1519264 - https://svn.apache.org/r1737657 - https://svn.apache.org/r1876934 - https://svn.apache.org/r1876936 - https://svn.apache.org/r1876938 - https://svn.apache.org/r1890067 - https://svn.apache.org/r1890076 - https://svn.apache.org/r1891138 - https://svn.apache.org/r1893876 - https://svn.apache.org/r1893964 - https://svn.apache.org/r1894716 - https://svn.apache.org/r1895774 - backport PR: https://github.com/apache/httpd/pull/258 - 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/258.patch - or https://people.apache.org/~jorton/mod_ssl-openssl3.patch - +1: jorton, minfrin, ylavic - *) mod_http2: fixes PR65731 and https://github.com/icing/mod_h2/issues/212 - trunk patch: na, fixed on 2.4.x source base - backport PR: https://github.com/apache/httpd/pull/281 - +1: icing, minfrin, ylavic PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] 
@@ -217,6 +196,29 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: w.r.t. num_buckets > 1 and ease merging of r1895553, with r1895550 for correctness of active_daemons used in r1895553 and r1895630. + *) mod_http2: fixes PR65731 and https://github.com/icing/mod_h2/issues/212 + trunk patch: na, fixed on 2.4.x source base + backport PR: https://github.com/apache/httpd/pull/281 + +1: icing, minfrin + + *) mod_ssl: Updates to support OpenSSL 3.x + trunk patch: https://svn.apache.org/r1519264 + https://svn.apache.org/r1737657 + https://svn.apache.org/r1876934 + https://svn.apache.org/r1876936 + https://svn.apache.org/r1876938 + https://svn.apache.org/r1890067 + https://svn.apache.org/r1890076 + https://svn.apache.org/r1891138 + https://svn.apache.org/r1893876 + https://svn.apache.org/r1893964 + https://svn.apache.org/r1894716 + https://svn.apache.org/r1895774 + backport PR: https://github.com/apache/httpd/pull/258 + 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/258.patch + or https://people.apache.org/~jorton/mod_ssl-openssl3.patch + +1: jorton, minfrin + PATCHES/ISSUES THAT ARE BEING WORKED [ New entries should be added at the START of the list ] diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c index 4ccf255f3e3..dc883b5b96f 100644 --- a/modules/http2/h2_session.c +++ b/modules/http2/h2_session.c @@ -275,7 +275,7 @@ static int on_begin_headers_cb(nghttp2_session *ngh2, const nghttp2_frame *frame, void *userp) { h2_session *session = (h2_session *)userp; - h2_stream *s = NULL; + h2_stream *s; /* We may see HEADERs at the start of a stream or after all DATA * streams to carry trailers. */ @@ -284,7 +284,7 @@ static int on_begin_headers_cb(nghttp2_session *ngh2, if (s) { /* nop */ } - else if (session->local.accepting) { + else { s = h2_session_open_stream(userp, frame->hd.stream_id, 0); } return s? 0 : NGHTTP2_ERR_START_STREAM_NOT_ALLOWED; 
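Review bot: With `h2_stream *s;` no longer initialised and the `else` branch no longer gated on `session->local.accepting`, on_begin_headers_cb opens a stream for every unknown stream id, including HEADERS that arrive after the session has locally stopped accepting streams; whether nghttp2 rejects those itself after a sent GOAWAY is not visible here. The dropped initialiser is harmless only if the lookup between the two hunks assigns `s` on every path, which neither hunk shows. If this state is intended to stay for the release, a short note on the `else` would record the gap, e.g. `/* NOTE: no local.accepting check here, see PR65731 */`. on_begin_headers_cb spans both hunks and its lookup of `s` lies between them, outside the diff.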
@@ -2115,16 +2115,7 @@ apr_status_t h2_session_process(h2_session *session, int async) now = apr_time_now(); session->have_read = session->have_written = 0; - /* PR65731: we may get a new connection to process while the - * MPM already is stopping. For example due to having reached - * MaxRequestsPerChild limit. - * Since this is supposed to handle things gracefully, we need to: - * a) fully initialize the session before GOAWAYing - * b) give the client the chance to submit at least one request - */ - if (session->state != H2_SESSION_ST_INIT /* no longer intializing */ - && session->local.accepted_max > 0 /* have gotten at least one stream */ - && session->local.accepting /* have not already locally shut down */ + if (session->local.accepting && !ap_mpm_query(AP_MPMQ_MPM_STATE, &mpm_state)) { if (mpm_state == AP_MPMQ_STOPPING) { dispatch_event(session, H2_SESSION_EV_MPM_STOPPING, 0, NULL); diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h index 7cb2d3511e8..40f40a2aa5c 100644 --- a/modules/http2/h2_version.h +++ b/modules/http2/h2_version.h @@ -27,7 +27,7 @@ * @macro * Version number of the http2 module as c string */ -#define MOD_HTTP2_VERSION "1.15.26" +#define MOD_HTTP2_VERSION "1.15.24" /** * @macro @@ -35,7 +35,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_HTTP2_VERSION_NUM 0x010f1a +#define MOD_HTTP2_VERSION_NUM 0x010f18 #endif /* mod_h2_h2_version_h */ diff --git a/modules/http2/h2_workers.c b/modules/http2/h2_workers.c index ae250b0f5ae..28bb428200d 100644 --- a/modules/http2/h2_workers.c +++ b/modules/http2/h2_workers.c 
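Review bot: The restored condition queries the MPM state whenever `session->local.accepting` is set, without the `state != H2_SESSION_ST_INIT` and `accepted_max > 0` guards, so a connection handed to mod_http2 while the MPM is already stopping is dispatched H2_SESSION_EV_MPM_STOPPING before the session is fully initialised and before the client could submit a request, which is the case the removed comment describes for PR65731. If the revert is meant to hold for the release, that rationale is worth keeping as a comment on the new condition, e.g. `/* NOTE: also fires while still in ST_INIT and before any stream was accepted, see PR65731 */`, so the behaviour reads as a documented trade-off rather than an oversight. h2_session_process starts and ends outside this hunk.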
@@ -479,6 +479,8 @@ apr_status_t h2_workers_unregister(h2_workers *workers, struct h2_mplx *m) void h2_workers_graceful_shutdown(h2_workers *workers) { workers->shutdown = 1; + workers->min_workers = 1; workers->max_idle_duration = apr_time_from_sec(1); + h2_fifo_term(workers->mplxs); wake_non_essential_workers(workers); } diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 43119046a94..cb1ea12a2d7 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -91,6 +91,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) return 1; } +#endif /* * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* @@ -170,7 +171,6 @@ DH *modssl_get_dh_params(unsigned keylen) return NULL; /* impossible to reach. */ } -#endif static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s) @@ -440,9 +440,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ -#if MODSSL_USE_OPENSSL_PRE_1_1_API init_dh_params(); -#else +#if !MODSSL_USE_OPENSSL_PRE_1_1_API init_bio_methods(); #endif @@ -863,11 +862,7 @@ static void ssl_init_ctx_callbacks(server_rec *s, { SSL_CTX *ctx = mctx->ssl_ctx; -#if MODSSL_USE_OPENSSL_PRE_1_1_API - /* Note that for OpenSSL>=1.1, auto selection is enabled via - * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); -#endif SSL_CTX_set_info_callback(ctx, ssl_callback_Info); 
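Review bot: The two statements restored in h2_workers_graceful_shutdown, `workers->min_workers = 1;` and `h2_fifo_term(workers->mplxs);`, touch state that worker threads presumably read, and the hunk does not show whether callers hold `workers->lock` or what terminating the mplx fifo does to sessions still queued on it while the function is meant to be graceful. A one-line comment stating the locking expectation and the intended effect of the term call would make this reviewable, e.g. `/* NOTE(review): confirm callers hold workers->lock; h2_fifo_term() presumably fails later pushes/pulls so idle workers exit */`. The function is complete within the hunk; its callers are not.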
@@ -876,23 +871,6 @@ static void ssl_init_ctx_callbacks(server_rec *s, #endif } -static APR_INLINE -int modssl_CTX_load_verify_locations(SSL_CTX *ctx, - const char *file, - const char *path) -{ -#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (!SSL_CTX_load_verify_locations(ctx, file, path)) - return 0; -#else - if (file && !SSL_CTX_load_verify_file(ctx, file)) - return 0; - if (path && !SSL_CTX_load_verify_dir(ctx, path)) - return 0; -#endif - return 1; -} - static apr_status_t ssl_init_ctx_verify(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -933,8 +911,10 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s, ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "Configuring client authentication"); - if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file, - mctx->auth.ca_cert_path)) { + if (!SSL_CTX_load_verify_locations(ctx, + mctx->auth.ca_cert_file, + mctx->auth.ca_cert_path)) + { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) "Unable to configure verify locations " "for client authentication"); @@ -1019,23 +999,6 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, return APR_SUCCESS; } -static APR_INLINE -int modssl_X509_STORE_load_locations(X509_STORE *store, - const char *file, - const char *path) -{ -#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (!X509_STORE_load_locations(store, file, path)) - return 0; -#else - if (file && !X509_STORE_load_file(store, file)) - return 0; - if (path && !X509_STORE_load_path(store, path)) - return 0; -#endif - return 1; -} - static apr_status_t ssl_init_ctx_crl(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, 
@@ -1074,8 +1037,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) "Configuring certificate revocation facility"); - if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file, - mctx->crl_path)) { + if (!store || !X509_STORE_load_locations(store, mctx->crl_file, + mctx->crl_path)) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) "Host %s: unable to configure X.509 CRL storage " "for certificate revocation", mctx->sc->vhost_id); @@ -1304,31 +1267,6 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag, return 0; } -static APR_INLINE int modssl_DH_bits(DH *dh) -{ -#if OPENSSL_VERSION_NUMBER < 0x30000000L - return DH_bits(dh); -#else - return BN_num_bits(DH_get0_p(dh)); -#endif -} - -/* SSL_CTX_use_PrivateKey_file() can fail either because the private - * key was encrypted, or due to a mismatch between an already-loaded - * cert and the key - a common misconfiguration - from calling - * X509_check_private_key(). This macro is passed the last error code - * off the OpenSSL stack and evaluates to true only for the first - * case. With OpenSSL < 3 the second case is identifiable by the - * function code, but function codes are not used from 3.0. */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L -#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) -#else -#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \ - || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ - && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ - && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE)) -#endif - static apr_status_t ssl_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -1339,7 +1277,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; int i; X509 *cert; - DH *dh; + DH *dhparams; #ifdef HAVE_ECC EC_GROUP *ecparams = NULL; int nid; 
@@ -1434,7 +1372,8 @@ static apr_status_t ssl_init_server_certs(server_rec *s, } else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, SSL_FILETYPE_PEM) < 1) - && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) { + && (ERR_GET_FUNC(ERR_peek_last_error()) + != X509_F_X509_CHECK_PRIVATE_KEY)) { ssl_asn1_t *asn1; const unsigned char *ptr; @@ -1523,22 +1462,13 @@ static apr_status_t ssl_init_server_certs(server_rec *s, */ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); if (certfile && !modssl_is_engine_id(certfile) - && (dh = ssl_dh_GetParamFromFile(certfile))) { - /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey() - * for OpenSSL 3.0+. */ - SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); + && (dhparams = ssl_dh_GetParamFromFile(certfile))) { + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) "Custom DH parameters (%d bits) for %s loaded from %s", - modssl_DH_bits(dh), vhost_id, certfile); - DH_free(dh); + DH_bits(dhparams), vhost_id, certfile); + DH_free(dhparams); } -#if !MODSSL_USE_OPENSSL_PRE_1_1_API - else { - /* If no parameter is manually configured, enable auto - * selection. */ - SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); - } -#endif #ifdef HAVE_ECC /* @@ -1588,7 +1518,6 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, char buf[TLSEXT_TICKET_KEY_LEN]; char *path; modssl_ticket_key_t *ticket_key = mctx->ticket_key; - int res; if (!ticket_key->file_path) { return APR_SUCCESS; 
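Review bot: The restored test `ERR_GET_FUNC(ERR_peek_last_error()) != X509_F_X509_CHECK_PRIVATE_KEY` relies on OpenSSL function codes, which the comment removed in the preceding hunk notes are not used from OpenSSL 3.0; as far as I know both macros expand to 0 there, so the `ssl_asn1_t` fallback branch that follows would not be reached for an encrypted key. That is consistent with this branch not supporting 3.x after the revert, but the assumption is now undocumented at the point of use. Suggest keeping a one-line comment next to the condition, e.g. `/* relies on ERR_GET_FUNC(): valid for OpenSSL < 3.0 only */`. ssl_init_server_certs starts and ends outside this hunk.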
@@ -1616,22 +1545,11 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, } memcpy(ticket_key->key_name, buf, 16); - memcpy(ticket_key->aes_key, buf + 32, 16); -#if OPENSSL_VERSION_NUMBER < 0x30000000L memcpy(ticket_key->hmac_secret, buf + 16, 16); - res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, - ssl_callback_SessionTicket); -#else - ticket_key->mac_params[0] = - OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16); - ticket_key->mac_params[1] = - OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); - ticket_key->mac_params[2] = - OSSL_PARAM_construct_end(); - res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx, - ssl_callback_SessionTicket); -#endif - if (!res) { + memcpy(ticket_key->aes_key, buf + 32, 16); + + if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, + ssl_callback_SessionTicket)) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) "Unable to initialize TLS session ticket key callback " "(incompatible OpenSSL version?)"); @@ -1762,7 +1680,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, return ssl_die(s); } - modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); + X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); for (n = 0; n < ncerts; n++) { int i; @@ -2359,11 +2277,10 @@ apr_status_t ssl_init_ModuleKill(void *data) } -#if MODSSL_USE_OPENSSL_PRE_1_1_API - free_dh_params(); -#else +#if !MODSSL_USE_OPENSSL_PRE_1_1_API free_bio_methods(); #endif + free_dh_params(); return APR_SUCCESS; } diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index f14fc9b0aae..8fad43ef427 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c 
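Review bot: In the ssl_init_proxy_certs hunk the return value of `X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);` is discarded, so a missing or unparsable CA file leaves the store empty with no log entry and the `for (n = 0; n < ncerts; n++)` loop that follows presumably uses it anyway; the reverted wrapper call was unchecked too, so this is pre-existing rather than introduced here. Unless `pkp->ca_cert_file` can legitimately be NULL at this point (not visible in the hunk), checking it is a two-line change with a freshly allocated APLOGNO: `if (!X509_STORE_load_locations(store, pkp->ca_cert_file, NULL)) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "failed to load proxy CA certificates from %s", pkp->ca_cert_file); }`. ssl_init_proxy_certs starts and ends outside the hunk.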
@@ -194,10 +194,6 @@ static int bio_filter_destroy(BIO *bio)
 static int bio_filter_out_read(BIO *bio, char *out, int outl)
 {
 /* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_read");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
@@ -297,20 +293,12 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
 {
 /* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_gets");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
 static int bio_filter_out_puts(BIO *bio, const char *str)
 {
 /* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_puts");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
@@ -545,46 +533,22 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
 
 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
 {
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_write");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
 static int bio_filter_in_puts(BIO *bio, const char *str)
 {
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_puts");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
 {
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_gets");
- AP_DEBUG_ASSERT(0);
 return -1;
 }
 
 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
 {
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- switch (cmd) {
-#ifdef BIO_CTRL_EOF
- case BIO_CTRL_EOF:
- return inctx->rc == APR_EOF;
-#endif
- default:
- break;
- }
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
- cmd);
- return 0;
+ return -1;
 }
 
 #if MODSSL_USE_OPENSSL_PRE_1_1_API
@@ -609,7 +573,7 @@ static BIO_METHOD bio_filter_in_method = {
 bio_filter_in_read,
 bio_filter_in_puts, /* puts is never called */
 bio_filter_in_gets, /* gets is never called */
- bio_filter_in_ctrl, /* ctrl is called for EOF check */
+ bio_filter_in_ctrl, /* ctrl is never called */
 bio_filter_create,
 bio_filter_destroy,
 NULL
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 591f6ae29c1..5211a0db348 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
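Review bot: bio_filter_in_ctrl now returns -1 for every cmd with no diagnostic, and the method-table comment `ctrl is never called` in the last hunk on this line states as fact what is really an assumption about the OpenSSL versions this branch builds against; the removed `BIO_CTRL_EOF` case shows at least one version did call it. The silent -1 in the other six stubs (bio_filter_in_write/puts/gets here, bio_filter_out_read/gets/puts in the preceding hunks) has the same property. Suggest recording the assumption at the stub, e.g. `/* never called by the OpenSSL versions this branch supports; no BIO_CTRL_EOF handling, so an unexpected ctrl gets a silent -1 */`, so a future library bump is easier to diagnose.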
@@ -1685,7 +1685,6 @@ const authz_provider ssl_authz_provider_verify_client = ** _________________________________________________________________ */ -#if MODSSL_USE_OPENSSL_PRE_1_1_API /* * Hand out standard DH parameters, based on the authentication strength */ @@ -1731,7 +1730,6 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) return modssl_get_dh_params(keylen); } -#endif /* * This OpenSSL callback function is called when OpenSSL @@ -2616,11 +2614,7 @@ int ssl_callback_SessionTicket(SSL *ssl, unsigned char *keyname, unsigned char *iv, EVP_CIPHER_CTX *cipher_ctx, -#if OPENSSL_VERSION_NUMBER < 0x30000000L - HMAC_CTX *hmac_ctx, -#else - EVP_MAC_CTX *mac_ctx, -#endif + HMAC_CTX *hctx, int mode) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); @@ -2646,13 +2640,7 @@ int ssl_callback_SessionTicket(SSL *ssl, } EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket_key->aes_key, iv); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L - HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, - tlsext_tick_md(), NULL); -#else - EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -#endif + HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) "TLS session ticket key for %s successfully set, " @@ -2673,13 +2661,7 @@ int ssl_callback_SessionTicket(SSL *ssl, EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket_key->aes_key, iv); - -#if OPENSSL_VERSION_NUMBER < 0x30000000L - HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, - tlsext_tick_md(), NULL); -#else - EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -#endif + HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) "TLS session ticket key for %s successfully set, " diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 3b3ceacf0a5..7dbbbdb55e0 100644 --- a/modules/ssl/ssl_engine_log.c 
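Review bot: In both ssl_callback_SessionTicket hunks the result of `HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);` is ignored and the callback then logs success and continues, so an HMAC setup failure would surface only later, if at all, through OpenSSL's own MAC calls on the ticket. Checking it is a one-liner in each place: `if (!HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL)) return -1;` (the adjacent `EVP_EncryptInit_ex`/`EVP_DecryptInit_ex` context lines are unchecked too, but are not part of this change). ssl_callback_SessionTicket starts before and ends after these hunks.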
+++ b/modules/ssl/ssl_engine_log.c @@ -78,16 +78,6 @@ apr_status_t ssl_die(server_rec *s) return APR_EGENERAL; } -static APR_INLINE -unsigned long modssl_ERR_peek_error_data(const char **data, int *flags) -{ -#if OPENSSL_VERSION_NUMBER < 0x30000000L - return ERR_peek_error_line_data(NULL, NULL, data, flags); -#else - return ERR_peek_error_data(data, flags); -#endif -} - /* * Prints the SSL library error information. */ @@ -97,7 +87,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) const char *data; int flags; - while ((e = modssl_ERR_peek_error_data(&data, &flags))) { + while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) { const char *annotation; char err[256]; diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index a329d99a031..c19427063d6 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -89,9 +89,6 @@ /* must be defined before including ssl.h */ #define OPENSSL_NO_SSL_INTERN #endif -#if OPENSSL_VERSION_NUMBER >= 0x30000000 -#include -#endif #include #include #include @@ -137,12 +134,13 @@ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) #define SSL_CTX_set_max_proto_version(ctx, version) \ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ +#elif LIBRESSL_VERSION_NUMBER < 0x2070000f /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not * include most changes from OpenSSL >= 1.1 (new functions, macros, * deprecations, ...), so we have to work around this... */ -#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) +#define MODSSL_USE_OPENSSL_PRE_1_1_API (1) +#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ #else /* defined(LIBRESSL_VERSION_NUMBER) */ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) #endif 
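Review bot: In the restored ssl_private.h block, `MODSSL_USE_OPENSSL_PRE_1_1_API` is defined only in the `#elif LIBRESSL_VERSION_NUMBER < 0x2070000f` arm, so for LibreSSL older than 2.6 (the first arm, whose condition I infer from the `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */` comment) the macro stays undefined and every `#if MODSSL_USE_OPENSSL_PRE_1_1_API` in the module evaluates to 0, selecting the 1.1-style code paths on a library that predates them; LibreSSL 2.7+ is likewise left undefined and only happens to get the right answer. This LibreSSL fix looks independent of the OpenSSL 3.x work being reverted, so it may be worth re-proposing on its own; meanwhile a comment such as `/* NOTE: macro left undefined (== 0) for LibreSSL < 2.6 and >= 2.7 */` would at least flag it. The opening `#if defined(LIBRESSL_VERSION_NUMBER)`, inferred from the `#else` comment, is outside the hunk.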
@@ -683,11 +681,7 @@ typedef struct { typedef struct { const char *file_path; unsigned char key_name[16]; -#if OPENSSL_VERSION_NUMBER < 0x30000000L unsigned char hmac_secret[16]; -#else - OSSL_PARAM mac_params[3]; -#endif unsigned char aes_key[16]; } modssl_ticket_key_t; #endif @@ -951,16 +945,8 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); int ssl_callback_ClientHello(SSL *, int *, void *); #endif #ifdef HAVE_TLS_SESSION_TICKETS -int ssl_callback_SessionTicket(SSL *ssl, - unsigned char *keyname, - unsigned char *iv, - EVP_CIPHER_CTX *cipher_ctx, -#if OPENSSL_VERSION_NUMBER < 0x30000000L - HMAC_CTX *hmac_ctx, -#else - EVP_MAC_CTX *mac_ctx, -#endif - int mode); +int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, HMAC_CTX *, int); #endif #ifdef HAVE_TLS_ALPN @@ -1138,12 +1124,10 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx); #endif -#if MODSSL_USE_OPENSSL_PRE_1_1_API /* Retrieve DH parameters for given key length. Return value should * be treated as unmutable, since it is stored in process-global * memory. */ DH *modssl_get_dh_params(unsigned keylen); -#endif /* Returns non-zero if the request was made over SSL/TLS. If sslconn * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
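Review bot: The restored prototype `int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int);` drops every parameter name, a readability regression for a callback with two same-typed pointers and an int mode; the definition in ssl_engine_kernel.c names them. Suggest keeping the names in the header: `int ssl_callback_SessionTicket(SSL *ssl, unsigned char *keyname, unsigned char *iv, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hctx, int mode);`. The last hunk on this line (modssl_get_dh_params) runs past the end of the page and is not reviewed here.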