diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 5da65e26d9e..9f21b654f9a 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -287,7 +287,7 @@ jobs: # ------------------------------------------------------------------------- - name: OpenSSL 3.4 -Werror config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto - notest-cflags: -Werror -O2 -Wno-deprecated-declarations + notest-cflags: -Werror -O2 env: | TEST_OPENSSL3=3.4.4 APR_VERSION=1.7.6 @@ -316,12 +316,11 @@ jobs: APU_CONFIG="--without-crypto" pkgs: subversion # ------------------------------------------------------------------------- - - name: OpenSSL ECH branch + - name: OpenSSL 4.0 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto notest-cflags: -Werror -O2 env: | - TEST_OPENSSL3=ech2 - TEST_OPENSSL3_BRANCH=feature/ech + TEST_OPENSSL3=4.0.0 OPENSSL_CONFIG=no-engine APR_VERSION=1.7.6 APU_VERSION=1.6.3 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 569cb26c4d5..cb88f0112c6 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1263,7 +1263,7 @@ int ssl_hook_UserCheck(request_rec *r) } if (!sslconn->client_dn) { - X509_NAME *name = X509_get_subject_name(sslconn->client_cert); + const X509_NAME *name = X509_get_subject_name(sslconn->client_cert); char *cp = X509_NAME_oneline(name, NULL, 0); sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); OPENSSL_free(cp); @@ -1817,7 +1817,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) server_rec *s = mySrvFromConn(c); SSLSrvConfigRec *sc = mySrvConfig(s); SSLDirConfigRec *dc = myDirConfigFromConn(c); - X509_NAME *ca_name, *issuer, *ca_issuer; + const X509_NAME *ca_name, *issuer, *ca_issuer; X509_INFO *info; X509 *ca_cert; STACK_OF(X509_NAME) *ca_list; diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 6bca827d50f..2c145692bbe 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c @@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) static void ssl_log_cert_error(const char *file, int line, int level, apr_status_t rv, const server_rec *s, const conn_rec *c, const request_rec *r, - apr_pool_t *p, X509 *cert, const char *format, + apr_pool_t *p, const X509 *cert, const char *format, va_list ap) { char buf[HUGE_STRING_LEN]; @@ -167,14 +167,14 @@ static void ssl_log_cert_error(const char *file, int line, int level, } BIO_puts(bio, " / serial: "); - if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1) + if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1) BIO_puts(bio, "(ERROR)"); BIO_puts(bio, " / notbefore: "); - ASN1_TIME_print(bio, X509_get_notBefore(cert)); + ASN1_TIME_print(bio, X509_get0_notBefore(cert)); BIO_puts(bio, " / notafter: "); - ASN1_TIME_print(bio, X509_get_notAfter(cert)); + ASN1_TIME_print(bio, X509_get0_notAfter(cert)); BIO_puts(bio, "]"); @@ -212,7 +212,7 @@ static void ssl_log_cert_error(const char *file, int line, int level, * in the other cases we use the connection and request pool, respectively). */ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, - apr_pool_t *ptemp, server_rec *s, X509 *cert, + apr_pool_t *ptemp, server_rec *s, const X509 *cert, const char *fmt, ...) { if (APLOG_IS_LEVEL(s,level)) { @@ -225,7 +225,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, } void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, - conn_rec *c, X509 *cert, const char *fmt, ...) + conn_rec *c, const X509 *cert, const char *fmt, ...) { if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) { va_list ap; @@ -237,7 +237,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, } void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, - request_rec *r, X509 *cert, const char *fmt, ...) + request_rec *r, const X509 *cert, const char *fmt, ...) { if (APLOG_R_IS_LEVEL(r,level)) { va_list ap; diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c index 5e045125585..539ed103eae 100644 --- a/modules/ssl/ssl_engine_ocsp.c +++ b/modules/ssl/ssl_engine_ocsp.c @@ -38,8 +38,8 @@ static const char *extract_responder_uri(X509 *cert, apr_pool_t *pool) /* Name found in extension, and is a URI: */ if (OBJ_obj2nid(value->method) == NID_ad_OCSP && value->location->type == GEN_URI) { - result = apr_pstrdup(pool, - (char *)value->location->d.uniformResourceIdentifier->data); + const ASN1_STRING *uri = value->location->d.uniformResourceIdentifier; + result = modssl_ASN1_STRING_convert(pool, uri, 0); } } diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 3f9bea18b37..6c45b65d400 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -41,10 +41,10 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var); static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var); -static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); +static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var); static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var); -static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); -static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); +static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm); +static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm); static const char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var, int pem); static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); @@ -598,7 +598,7 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, } static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, - X509_NAME *xsname) + const X509_NAME *xsname) { char *result = NULL; SSLDirConfigRec *dc; @@ -629,7 +629,7 @@ static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 * const char *var) { const char *result; - X509_NAME *xsname; + const X509_NAME *xsname; int nid; result = NULL; @@ -641,13 +641,13 @@ static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 * result = ssl_var_lookup_ssl_cert_serial(p, xs); } else if (strcEQ(var, "V_START")) { - result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); + result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs)); } else if (strcEQ(var, "V_END")) { - result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); + result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs)); } else if (strcEQ(var, "V_REMAIN")) { - result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); + result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs)); } else if (*var && strcEQ(var+1, "_DN")) { if (*var == 'S') @@ -727,12 +727,12 @@ static const struct { { NULL, 0, 0 } }; -static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, - const char *var) +static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, + const char *var) { const char *ptr; const char *result; - X509_NAME_ENTRY *xsne; + const X509_NAME_ENTRY *xsne; int i, j, n, idx = 0, raw = 0; apr_size_t varlen; @@ -759,7 +759,7 @@ static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, for (j = 0; j < X509_NAME_entry_count(xsname); j++) { xsne = X509_NAME_get_entry(xsname, j); - n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); + n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) { result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw); @@ -816,7 +816,7 @@ static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const ch return NULL; } -static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) +static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm) { BIO* bio; @@ -837,12 +837,12 @@ static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) /* Return a string giving the number of days remaining until 'tm', or * "0" if this can't be determined. */ -static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) +static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm) { #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) int diff; - if (INVALID_ASN1_TIME(tm) || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { + if (ASN1_TIME_check(tm) != 1 || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { return "0"; } #else @@ -929,7 +929,7 @@ static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) serialNumber = X509_get_serialNumber(xs); if (serialNumber) { - X509_NAME *issuer = X509_get_issuer_name(xs); + const X509_NAME *issuer = X509_get_issuer_name(xs); if (issuer) { BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL); if((decimal = BN_bn2dec(bn)) == NULL) { @@ -1112,9 +1112,9 @@ static const char *ssl_var_lookup_ssl_version(const char *var) /* Add each RDN in 'xn' to the table 't' where the NID is present in * 'nids', using key prefix 'pfx'. */ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, - X509_NAME *xn, apr_pool_t *p) + const X509_NAME *xn, apr_pool_t *p) { - X509_NAME_ENTRY *xsne; + const X509_NAME_ENTRY *xsne; apr_hash_t *count; int i, nid; @@ -1129,7 +1129,7 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, /* Retrieve the nid, and check whether this is one of the nids * which are to be extracted. */ - nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); + nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); tag = apr_hash_get(nids, &nid, sizeof nid); if (tag) { @@ -1242,19 +1242,19 @@ void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p) * parse the extension type as a primitive string. This will fail for * any structured extension type per the docs. Returns non-zero on * success and writes the string to the given bio. */ -static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) +static int dump_extn_value(BIO *bio, const ASN1_OCTET_STRING *str) { - const unsigned char *pp = str->data; + const unsigned char *pp = ASN1_STRING_get0_data(str); ASN1_STRING *ret = ASN1_STRING_new(); int rv = 0; - if(!ret) { - return rv; + if (!ret) { + return rv; } /* This allows UTF8String, IA5String, VisibleString, or BMPString; * conversion to UTF-8 is forced. */ - if (d2i_DISPLAYTEXT(&ret, &pp, str->length)) { + if (d2i_DISPLAYTEXT(&ret, &pp, ASN1_STRING_length(str))) { ASN1_STRING_print_ex(bio, ret, ASN1_STRFLGS_UTF8_CONVERT); rv = 1; } @@ -1301,7 +1301,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, */ array = apr_array_make(p, count, sizeof(char *)); for (j = 0; j < count; j++) { - X509_EXTENSION *ext = X509_get_ext(xs, j); + MODSSL_X509_EXT_CONST X509_EXTENSION *ext = X509_get_ext(xs, j); if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { BIO *bio = BIO_new(BIO_s_mem()); diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index fcaf76310ba..442b8b17ae4 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -155,6 +155,12 @@ #define MODSSL_SSL_METHOD_CONST #endif +#if OPENSSL_VERSION_NUMBER >= 0x40000000L +#define MODSSL_X509_EXT_CONST const +#else +#define MODSSL_X509_EXT_CONST +#endif + #if defined(LIBRESSL_VERSION_NUMBER) /* Missing from LibreSSL */ #if LIBRESSL_VERSION_NUMBER < 0x2060000f @@ -282,6 +288,10 @@ #define DH_bits(x) (BN_num_bits(x->p)) #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509)) #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY)) +#define ASN1_STRING_get0_data(x) ((x)->data) +#define ASN1_STRING_length(x) ((int)(x)->length) +#define X509_get0_before(x) X509_get_before(x) +#define X509_get0_after(x) X509_get_after(x) #else void init_bio_methods(void); void free_bio_methods(void); @@ -1212,16 +1222,16 @@ void ssl_log_ssl_error(const char *, int, int, server_rec *); * counterparts. */ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, - X509 *cert, const char *format, ...) + const X509 *cert, const char *format, ...) __attribute__((format(printf,8,9))); void ssl_log_cxerror(const char *file, int line, int level, - apr_status_t rv, conn_rec *c, X509 *cert, + apr_status_t rv, conn_rec *c, const X509 *cert, const char *format, ...) __attribute__((format(printf,7,8))); void ssl_log_rxerror(const char *file, int line, int level, - apr_status_t rv, request_rec *r, X509 *cert, + apr_status_t rv, request_rec *r, const X509 *cert, const char *format, ...) __attribute__((format(printf,7,8))); diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index a4c312b7fb3..ae5d796eb65 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -206,7 +206,7 @@ char *modssl_bio_free_read(apr_pool_t *p, BIO *bio) /* Convert ASN.1 string to a pool-allocated char * string, escaping * control characters. If raw is zero, convert to UTF-8, otherwise * unchanged from the character set. */ -static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) +char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, int raw) { BIO *bio; int flags = ASN1_STRFLGS_ESC_CTRL; @@ -221,13 +221,13 @@ static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) return modssl_bio_free_read(p, bio); } -#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0) +#define asn1_string_to_utf8(p, a) modssl_ASN1_STRING_convert(p, a, 0) /* convert a NAME_ENTRY to UTF8 string */ -char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, +char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, int raw) { - char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); + char *result = modssl_ASN1_STRING_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); ap_xlate_proto_from_ascii(result, len); return result; } @@ -236,7 +236,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated * to maxlen characters (specify a maxlen of 0 for no length limit) */ -char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) +char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen) { char *result = NULL; BIO *bio; @@ -373,7 +373,7 @@ BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf, /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) { - X509_NAME *subj; + const X509_NAME *subj; int i = -1; /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h index 443c1b7ee73..f5ed3c23aac 100644 --- a/modules/ssl/ssl_util_ssl.h +++ b/modules/ssl/ssl_util_ssl.h @@ -71,13 +71,19 @@ EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, vo int modssl_smart_shutdown(SSL *ssl); BOOL modssl_X509_getBC(X509 *, int *, int *); -char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, +char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, int raw); -char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); +char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int); BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); +/* Convert ASN.1 string to a pool-allocated char * string, escaping + * control characters. If raw is zero, convert to UTF-8, otherwise + * unchanged from the character set. */ +char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, + int raw); + /* Reads the remaining data in BIO, if not empty, and copies it into a * pool-allocated string. If empty, returns NULL. BIO_free(bio) is * called for both cases. */ diff --git a/support/ab.c b/support/ab.c index e02cd6841fb..e3101a632e6 100644 --- a/support/ab.c +++ b/support/ab.c @@ -799,7 +799,7 @@ static int ssl_print_connection_info(BIO *bio, SSL *ssl) static void ssl_print_cert_info(BIO *bio, X509 *cert) { - X509_NAME *dn; + const X509_NAME *dn; EVP_PKEY *pk; char buf[1024];