On Mon, Apr 27, 2026 at 06:37:04AM -0400, Eric Covener wrote: > On Mon, Apr 27, 2026 at 5:49 AM Joe Orton <[email protected]> wrote: > > > > On Sun, Apr 26, 2026 at 12:49:23PM -0400, Eric Covener wrote: > > > The candidate source is found at > > > <https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.67-rc1-candidate> > > > and at <https://github.com/apache/httpd/tree/2.4.67-rc1-candidate>. > > > > As CI shows, the mod_auth_digest build is broken if apr-util is built > > without crypto support, I had not realised that the apr_crypto_equals() > > function is inside an "#if APU_HAVE_CRYPTO". The implementation of that > > function doesn't actually depend on any crypto library. > > > > Not sure if we can change that in an apr-util patch release, probably > > requires apr-util 1.7.x. Maybe necessary to have mod_auth_digest depend > > on APU_HAVE_CRYPTO for now, I will make that change in trunk. > > > > (Not sure if I'd consider this a showstopper for that RC, still running > > other tests) > > We could pull the ap_crypto_equals() stuff up somewhere common from > modules/session/mod_session_crypto.c
I took that and ran with it, wrapping the APR 1.8+ _timingsafe() functions: https://github.com/apache/httpd/pull/638
