net/apache/patches/020-openssl-deprecated.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177

--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void)
 
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     /*
      * Try to kill the internals of the SSL library.
      */
@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
 #ifndef OPENSSL_NO_COMP
     SSL_COMP_free_compression_methods();
-#endif
 #endif
 
     /* Usually needed per thread, but this parent process is single-threaded */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     ERR_remove_thread_state(NULL);
 #else
@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
      *       (when enabled) at this late stage in the game:
      * CRYPTO_mem_leaks_fp(stderr);
      */
+#endif
     return APR_SUCCESS;
 }
 
@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #else
     OPENSSL_malloc_init();
 #endif
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     ERR_load_crypto_strings();
     SSL_load_error_strings();
     SSL_library_init();
+    OpenSSL_add_all_algorithms();
+    OPENSSL_load_builtin_modules();
+#endif
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
     ENGINE_load_builtin_engines();
 #endif
-    OpenSSL_add_all_algorithms();
-    OPENSSL_load_builtin_modules();
 
     if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
         (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 
     return 1;
 }
+
+#define OpenSSL_version_num	SSLeay
 #endif
 
 /*
@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     apr_status_t rv;
     apr_array_header_t *pphrases;
 
-    if (SSLeay() < MODSSL_LIBRARY_VERSION) {
+    if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
                      "Init: this version of mod_ssl was compiled against "
                      "a newer library (%s, version currently loaded is %s)"
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
         if (dc->proxy->ssl_check_peer_expire != FALSE) {
             if (!cert
                 || (X509_cmp_current_time(
-                     X509_get_notBefore(cert)) >= 0)
+                     X509_get0_notBefore(cert)) >= 0)
                 || (X509_cmp_current_time(
-                     X509_get_notAfter(cert)) <= 0)) {
+                     X509_get0_notAfter(cert)) <= 0)) {
                 proxy_ssl_check_peer_ok = FALSE;
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
                               "SSL Proxy: Peer certificate is expired");
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level,
                 BIO_puts(bio, "(ERROR)");
 
             BIO_puts(bio, " / notbefore: ");
-            ASN1_TIME_print(bio, X509_get_notBefore(cert));
+            ASN1_TIME_print(bio, X509_get0_notBefore(cert));
 
             BIO_puts(bio, " / notafter: ");
-            ASN1_TIME_print(bio, X509_get_notAfter(cert));
+            ASN1_TIME_print(bio, X509_get0_notAfter(cert));
 
             BIO_puts(bio, "]");
 
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
         result = ssl_var_lookup_ssl_cert_serial(p, xs);
     }
     else if (strcEQ(var, "V_START")) {
-        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
+        result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs));
     }
     else if (strcEQ(var, "V_END")) {
-        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
+        result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs));
     }
     else if (strcEQ(var, "V_REMAIN")) {
-        result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
+        result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs));
         resdup = FALSE;
     }
     else if (*var && strcEQ(var+1, "_DN")) {
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -92,6 +92,8 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
@@ -234,6 +236,10 @@
 #define BIO_get_shutdown(x)        (x->shutdown)
 #define BIO_set_shutdown(x,v)      (x->shutdown=v)
 #define DH_bits(x)                 (BN_num_bits(x->p))
+#define X509_get0_notBefore        X509_get_notBefore
+#define X509_get0_notAfter         X509_get_notAfter
+#define X509_getm_notBefore        X509_get_notBefore
+#define X509_getm_notAfter         X509_get_notAfter
 #else
 void init_bio_methods(void);
 void free_bio_methods(void);
--- a/support/ab.c
+++ b/support/ab.c
@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #define SSL_CTX_set_max_proto_version(ctx, version) \
    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_get0_notBefore X509_get_notBefore
+#define X509_get0_notAfter  X509_get_notAfter
+#endif
 #endif
 
 #include <math.h>
@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert)
 
     BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);
     BIO_printf(bio,"Valid from: ");
-    ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+    ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
     BIO_printf(bio,"\n");
 
     BIO_printf(bio,"Valid to  : ");
-    ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+    ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
     BIO_printf(bio,"\n");
 
     pk = X509_get_pubkey(cert);
@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[])
     CRYPTO_malloc_init();
 #endif
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_load_error_strings();
     SSL_library_init();
+#endif
     bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
     bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);