On 3/19/23 10:30 PM, yla...@apache.org wrote:
> Author: ylavic
> Date: Sun Mar 19 21:30:47 2023
> New Revision: 1908537
>
> URL: http://svn.apache.org/viewvc?rev=1908537&view=rev
> Log:
> mod_ssl: Fix deprecation warnings with openssl-3.
>
> * mod_ssl_openssl.h:
> Make it the first openssl header to be included, selecting the
> OpenSSL api based on OPENSSL_API_COMPAT eventually.
>
> * ssl_private.h:
> Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting ENGINE_ API)
> before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
> new "providers" api before the ENGINE_ api is abandoned..).
> mod_ssl.h is now implicitly included from there.
> Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else
> #define FOO 0".
> Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
> engine features are disabled, only "builtin" is accepted).
> Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
> above, so it might not be implemented in httpd anymore at some point..).
> Define X509_get_not{Before,After} if missing to the non deprecated version.
> New modssl_set_io_callbacks() to factorize compat code for io callbacks.
> ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
> modssl_dh_pkey_from_file() for openssl >= 3.0.
>
> * mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
> Including "ssl_private.h" only is suited/enough now.
>
> * mod_ssl_ct.c, ssl_ct_log_config:
> Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
>
> * ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
> Disabled engines (besides NULL/"builtin"/NULL) unless
> MODSSL_HAVE_ENGINE_API.
>
> * ssl_engine_init:
> New compat modssl_runtime_lib_version() to address deprecated SSLeay().
> ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
> Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
> Compat loading DH parameters and EC curve from cert.
>
> * ssl_engine_io.c, ssl_engine_kernel.c:
> Implement common modssl_set_io_callbacks() and use it.
>
> * ssl_engine_pphrase(modssl_load_engine_keypair):
> Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
>
> * ssl_util.c(modssl_is_engine_id):
> No engine supported unless MODSSL_HAVE_ENGINE_API.
>
> * ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
> Compat with openssl >= 3.0.
>
>
> Modified:
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
> httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h
> httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/ssl_util.c
> httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
>
> return APR_SUCCESS;
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1908537&r1=1908536&r2=1908537&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sun Mar 19 21:30:47 2023
> @@ -2402,7 +2403,7 @@ long ssl_io_data_cb(BIO *bio, int cmd,
> "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
> MODSSL_LIBRARY_NAME,
> (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
> - rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" :
> "from"),
> + (long)rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ?
> "to" : "from"),
I think rc has a different meaning with OpenSSL 3. I think we need to use len
in case of OpenSSL 3.
I noticed that with OpenSSL 3 only single bytes get dumped and no longer the
whole buffer.
> bio, argp, dump);
> if (*dump != '\0' && argp != NULL)
> ssl_io_data_dump(c, s, argp, rc);
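Review bot: the `(long)rc` cast on the `+` line shows that rc's type changed with the new callback signature, yet rc is still used as the byte count both in the "%ld/%d bytes" format and, in the unchanged context line `ssl_io_data_dump(c, s, argp, rc);`, as the length to dump. If this callback is now the BIO_callback_fn_ex form, its `int ret` argument is a success flag and the number of bytes actually transferred is delivered separately through the `size_t *processed` argument (`len`/argi is the size requested), so a status of 1 passed as the length would produce exactly the single-byte dumps reported below. Suggest logging and dumping the processed count for the *_RETURN legs and using rc only for the success test.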
Similar to above. I think we need to use len here in case of OpenSSL 3.
If my findings are seen as correct I could work on a patch :-).
Regards
Rüdiger