Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
> On 08.07.2024 at 17:07, Yann Ylavic wrote:
>
> On Fri, Jul 5, 2024 at 5:59 PM Yann Ylavic wrote:
>>
>> On Fri, Jul 5, 2024 at 5:08 PM Ruediger Pluem wrote:
>>>
>>> On 7/5/24 4:09 PM, Stefan Eissing via dev wrote:
>>>> The patches look good to me. I have not tested them as I have no old
>>>> openssl lying around, but I trust in your build tests.
>>>
>>> Rebuild 2.4.61 with both patches from Yann on RedHat 7 - 9. All good now,
>>> even on 7 with openssl 1.0.2 (means it compiles and no
>>> more implicit declaration warnings).
>>> @Yann: Care to commit the patches?
>>
>> Will do on the weekend if/when possible, feel free to beat me to it if
>> you can ;)
>
> r1919026.

Thanks, Yann!

>
>>
>>
>> Regards;
>> Yann.
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 5:59 PM Yann Ylavic wrote:
>
> On Fri, Jul 5, 2024 at 5:08 PM Ruediger Pluem wrote:
> >
> > On 7/5/24 4:09 PM, Stefan Eissing via dev wrote:
> > >
> > > The patches look good to me. I have not tested them as I have no old
> > > openssl lying around, but I trust in your build tests.
> >
> > Rebuild 2.4.61 with both patches from Yann on RedHat 7 - 9. All good now,
> > even on 7 with openssl 1.0.2 (means it compiles and no
> > more implicit declaration warnings).
> > @Yann: Care to commit the patches?
>
> Will do on the weekend if/when possible, feel free to beat me to it if
> you can ;)

r1919026.

>
>
> Regards;
> Yann.
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 5:08 PM Ruediger Pluem wrote: > > On 7/5/24 4:09 PM, Stefan Eissing via dev wrote: > > > > > >> Am 05.07.2024 um 15:44 schrieb Ruediger Pluem : > >> > >> > >> > >> On 7/5/24 3:40 PM, Yann Ylavic wrote: > >>> On Fri, Jul 5, 2024 at 3:35 PM Yann Ylavic wrote: > > On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > > > md_crypt.c: In function 'md_cert_get_ct_scts': > > md_crypt.c:2071:5: error: unknown type name 'SCT' > >SCT *sct_handle; > > > > This one is caused by r1918195 in >= 2.4.60. Before r1918195 > > OPENSSL_NO_CT was defined when openssl was < 1.1.1. Now it is not any > > longer and hence md_cert_get_ct_scts gets a real function body as > > > > #ifndef OPENSSL_NO_CT > > > > (line 2068) is now true. Hence we error out on the non presence of the > > SCT struct (line 2071). > > Maybe something like the attached patch for this one too (which could > avoid configure tricks for both..). > >>> > >>> Or rather this one. > >>> > >> > >> > >> Looks good to me. Waiting for Stefan's feedback. > > > > The patches look good to me. I have not tested them as I have no old > > openssl lying around, but I trust in your build tests. > > Rebuild 2.4.61 with both patches from Yann on RedHat 7 - 9. All good now, > even on 7 with openssl 1.0.2 (means it compiles and no > more implicit declaration warnings). > @Yann: Care to commit the patches? Will do on the weekend if/when possible, feel free to beat me to it if you can ;) Regards; Yann.
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 4:09 PM, Stefan Eissing via dev wrote: > > >> Am 05.07.2024 um 15:44 schrieb Ruediger Pluem : >> >> >> >> On 7/5/24 3:40 PM, Yann Ylavic wrote: >>> On Fri, Jul 5, 2024 at 3:35 PM Yann Ylavic wrote: On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > md_crypt.c: In function 'md_cert_get_ct_scts': > md_crypt.c:2071:5: error: unknown type name 'SCT' >SCT *sct_handle; > > This one is caused by r1918195 in >= 2.4.60. Before r1918195 > OPENSSL_NO_CT was defined when openssl was < 1.1.1. Now it is not any > longer and hence md_cert_get_ct_scts gets a real function body as > > #ifndef OPENSSL_NO_CT > > (line 2068) is now true. Hence we error out on the non presence of the > SCT struct (line 2071). Maybe something like the attached patch for this one too (which could avoid configure tricks for both..). >>> >>> Or rather this one. >>> >> >> >> Looks good to me. Waiting for Stefan's feedback. > > The patches look good to me. I have not tested them as I have no old openssl > lying around, but I trust in your build tests. Rebuild 2.4.61 with both patches from Yann on RedHat 7 - 9. All good now, even on 7 with openssl 1.0.2 (means it compiles and no more implicit declaration warnings). @Yann: Care to commit the patches? Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
> Am 05.07.2024 um 15:44 schrieb Ruediger Pluem : > > > > On 7/5/24 3:40 PM, Yann Ylavic wrote: >> On Fri, Jul 5, 2024 at 3:35 PM Yann Ylavic wrote: >>> >>> On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: md_crypt.c: In function 'md_cert_get_ct_scts': md_crypt.c:2071:5: error: unknown type name 'SCT' SCT *sct_handle; This one is caused by r1918195 in >= 2.4.60. Before r1918195 OPENSSL_NO_CT was defined when openssl was < 1.1.1. Now it is not any longer and hence md_cert_get_ct_scts gets a real function body as #ifndef OPENSSL_NO_CT (line 2068) is now true. Hence we error out on the non presence of the SCT struct (line 2071). >>> >>> Maybe something like the attached patch for this one too (which could >>> avoid configure tricks for both..). >> >> Or rather this one. >> > > > Looks good to me. Waiting for Stefan's feedback. The patches look good to me. I have not tested them as I have no old openssl lying around, but I trust in your build tests. Cheers, Stefan > > Regards > > Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 3:40 PM, Yann Ylavic wrote:
> On Fri, Jul 5, 2024 at 3:35 PM Yann Ylavic wrote:
>>
>> On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote:
>>>
>>> md_crypt.c: In function 'md_cert_get_ct_scts':
>>> md_crypt.c:2071:5: error: unknown type name 'SCT'
>>> SCT *sct_handle;
>>>
>>> This one is caused by r1918195 in >= 2.4.60. Before r1918195 OPENSSL_NO_CT
>>> was defined when openssl was < 1.1.1. Now it is not any
>>> longer and hence md_cert_get_ct_scts gets a real function body as
>>>
>>> #ifndef OPENSSL_NO_CT
>>>
>>> (line 2068) is now true. Hence we error out on the non presence of the SCT
>>> struct (line 2071).
>>
>> Maybe something like the attached patch for this one too (which could
>> avoid configure tricks for both..).
>
> Or rather this one.
>

Looks good to me. Waiting for Stefan's feedback.

Regards

Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 3:26 PM, Yann Ylavic wrote: > On Fri, Jul 5, 2024 at 3:16 PM Yann Ylavic wrote: >> >> On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: >>> >>> >>> >>> On 7/5/24 2:14 PM, Ruediger Pluem wrote: On 7/5/24 2:11 PM, Ruediger Pluem wrote: > > > On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: >> >> >>> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : >>> >>> I just noticed that mod_md in 2.4.61 fails to compile with openssl < >>> 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7: >>> >>> md_crypt.c: In function 'md_pkey_get_rsa_e64': >>> md_crypt.c:982:5: warning: implicit declaration of function >>> 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> md_crypt.c:982:22: warning: initialization makes pointer from integer >>> without a cast [enabled by default] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> md_crypt.c: In function 'md_pkey_get_rsa_n64': >>> md_crypt.c:1002:22: warning: initialization makes pointer from integer >>> without a cast [enabled by default] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> >>> This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not >>> fail to compile but loading of mod_md likely would fail >>> as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2. >> >> This probably comes from r1913912 (2.4.x) which backported r1913616 >> (trunk) which changed EVP_PKEY_get1_RSA() => EVP_PKEY_get0_RSA(), the >> former being probably available in < 1.1.1. >> So the check for using EVP_PKEY_get{0,1}_RSA() or the new openssl >= 3 >> API should probably be something like: >> >> #if OPENSSL_VERSION_NUMBER < 0x10101000L >> RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); >> if (rsa) { >> const char *ret; >> const BIGNUM *e; >> RSA_get0_key(rsa, NULL, &e, NULL); >> ret = bn64(e, p); >> RSA_free(rsa); >> return ret; >> } >> #elif OPENSSL_VERSION_NUMBER < 0x3000L >> ... >> #else >> ... >> #endif >> >> ? 
> > Patch attached. Looks good to me. Waiting for Stefan's feedback. Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 3:35 PM Yann Ylavic wrote: > > On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > > > md_crypt.c: In function 'md_cert_get_ct_scts': > > md_crypt.c:2071:5: error: unknown type name 'SCT' > > SCT *sct_handle; > > > > This one is caused by r1918195 in >= 2.4.60. Before r1918195 OPENSSL_NO_CT > > was defined when openssl was < 1.1.1. Now it is not any > > longer and hence md_cert_get_ct_scts gets a real function body as > > > > #ifndef OPENSSL_NO_CT > > > > (line 2068) is now true. Hence we error out on the non presence of the SCT > > struct (line 2071). > > Maybe something like the attached patch for this one too (which could > avoid configure tricks for both..). Or rather this one. Index: modules/md/md_crypt.c === --- modules/md/md_crypt.c (revision 1918881) +++ modules/md/md_crypt.c (working copy) @@ -63,7 +63,11 @@ || LIBRESSL_VERSION_NUMBER >= 0x305fL) /* Missing from LibreSSL < 3.5.0 and only available since OpenSSL v1.1.x */ #include +#define MD_HAVE_CT 1 #endif +#ifndef MD_HAVE_CT +#define MD_HAVE_CT 0 +#endif static int initialized; @@ -2037,11 +2061,10 @@ out: return rv; } +#if MD_HAVE_CT #define MD_OID_CT_SCTS_NUM "1.3.6.1.4.1.11129.2.4.2" #define MD_OID_CT_SCTS_SNAME"CT-SCTs" #define MD_OID_CT_SCTS_LNAME"CT Certificate SCTs" - -#ifndef OPENSSL_NO_CT static int get_ct_scts_nid(void) { int nid = OBJ_txt2nid(MD_OID_CT_SCTS_NUM); @@ -2065,7 +2088,7 @@ const char *md_nid_get_lname(int nid) apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert) { -#ifndef OPENSSL_NO_CT +#if MD_HAVE_CT int nid, i, idx, critical; STACK_OF(SCT) *sct_list; SCT *sct_handle;
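Review bot: The second hunk moves the three `MD_OID_CT_SCTS_*` defines inside `#if MD_HAVE_CT`, whereas before they sat above `#ifndef OPENSSL_NO_CT` and were always defined. Please confirm that nothing outside the guard still references them, since a build with `MD_HAVE_CT` set to 0 is exactly the configuration that is hard to test on a current OpenSSL. A short comment at the `#ifndef MD_HAVE_CT` fallback saying that it covers both `OPENSSL_NO_CT` and a library too old to ship the CT header would also help the next reader.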
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 3:16 PM, Yann Ylavic wrote: > On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: >> >> >> >> On 7/5/24 2:14 PM, Ruediger Pluem wrote: >>> >>> >>> On 7/5/24 2:11 PM, Ruediger Pluem wrote: On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: > > >> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : >> >> I just noticed that mod_md in 2.4.61 fails to compile with openssl < >> 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7: >> >> md_crypt.c: In function 'md_pkey_get_rsa_e64': >> md_crypt.c:982:5: warning: implicit declaration of function >> 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> md_crypt.c:982:22: warning: initialization makes pointer from integer >> without a cast [enabled by default] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> md_crypt.c: In function 'md_pkey_get_rsa_n64': >> md_crypt.c:1002:22: warning: initialization makes pointer from integer >> without a cast [enabled by default] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> >> This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not >> fail to compile but loading of mod_md likely would fail >> as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2. > > This probably comes from r1913912 (2.4.x) which backported r1913616 > (trunk) which changed EVP_PKEY_get1_RSA() => EVP_PKEY_get0_RSA(), the > former being probably available in < 1.1.1. > So the check for using EVP_PKEY_get{0,1}_RSA() or the new openssl >= 3 > API should probably be something like: > > #if OPENSSL_VERSION_NUMBER < 0x10101000L > RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); > if (rsa) { > const char *ret; > const BIGNUM *e; > RSA_get0_key(rsa, NULL, &e, NULL); > ret = bn64(e, p); > RSA_free(rsa); > return ret; > } > #elif OPENSSL_VERSION_NUMBER < 0x3000L > ... > #else > ... > #endif > > ? I guess the core thing is the SCT stuff. 
Would it make sense to define OPENSSL_NO_CT with OPENSSL_VERSION_NUMBER < 0x1010L again. This would make it compile again. Of course we need to fix EVP_PKEY_get{0,1}_RSA() stuff as you propose then as well. Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > md_crypt.c: In function 'md_cert_get_ct_scts': > md_crypt.c:2071:5: error: unknown type name 'SCT' > SCT *sct_handle; > > This one is caused by r1918195 in >= 2.4.60. Before r1918195 OPENSSL_NO_CT > was defined when openssl was < 1.1.1. Now it is not any > longer and hence md_cert_get_ct_scts gets a real function body as > > #ifndef OPENSSL_NO_CT > > (line 2068) is now true. Hence we error out on the non presence of the SCT > struct (line 2071). Maybe something like the attached patch for this one too (which could avoid configure tricks for both..). Index: modules/md/md_crypt.c === --- modules/md/md_crypt.c (revision 1918881) +++ modules/md/md_crypt.c (working copy) @@ -57,12 +57,14 @@ #include #endif -#if !defined(OPENSSL_NO_CT) \ -&& OPENSSL_VERSION_NUMBER >= 0x1010L \ -&& (!defined(LIBRESSL_VERSION_NUMBER) \ -|| LIBRESSL_VERSION_NUMBER >= 0x305fL) +#if defined(OPENSSL_NO_CT) +#define MD_NO_CT +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L \ + && (!defined(LIBRESSL_VERSION_NUMBER) \ + || LIBRESSL_VERSION_NUMBER >= 0x305fL)) /* Missing from LibreSSL < 3.5.0 and only available since OpenSSL v1.1.x */ #include +#undef MD_NO_CT #endif static int initialized; @@ -2037,11 +2059,10 @@ out: return rv; } +#ifndef MD_NO_CT #define MD_OID_CT_SCTS_NUM "1.3.6.1.4.1.11129.2.4.2" #define MD_OID_CT_SCTS_SNAME"CT-SCTs" #define MD_OID_CT_SCTS_LNAME"CT Certificate SCTs" - -#ifndef OPENSSL_NO_CT static int get_ct_scts_nid(void) { int nid = OBJ_txt2nid(MD_OID_CT_SCTS_NUM); @@ -2065,7 +2086,7 @@ const char *md_nid_get_lname(int nid) apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert) { -#ifndef OPENSSL_NO_CT +#ifndef MD_NO_CT int nid, i, idx, critical; STACK_OF(SCT) *sct_list; SCT *sct_handle;
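Review bot: In the first hunk `MD_NO_CT` is defined only when `OPENSSL_NO_CT` is defined, so on a library that fails the version test in the `#elif` neither branch runs, `MD_NO_CT` stays undefined, and both `#ifndef MD_NO_CT` guards further down still compile the SCT code. That is the configuration the thread reports as failing, and the `#undef MD_NO_CT` has nothing to undo as written. Either define `MD_NO_CT` unconditionally before the version test and `#undef` it only in the branch that includes the CT header, or use a positive macro that defaults to 0.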
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 3:16 PM Yann Ylavic wrote: > > On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > > > > > > > On 7/5/24 2:14 PM, Ruediger Pluem wrote: > > > > > > > > > On 7/5/24 2:11 PM, Ruediger Pluem wrote: > > >> > > >> > > >> On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: > > >>> > > >>> > > Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : > > > > I just noticed that mod_md in 2.4.61 fails to compile with openssl < > > 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7: > > > > md_crypt.c: In function 'md_pkey_get_rsa_e64': > > md_crypt.c:982:5: warning: implicit declaration of function > > 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] > > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > > ^ > > md_crypt.c:982:22: warning: initialization makes pointer from integer > > without a cast [enabled by default] > > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > > ^ > > md_crypt.c: In function 'md_pkey_get_rsa_n64': > > md_crypt.c:1002:22: warning: initialization makes pointer from integer > > without a cast [enabled by default] > > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > > ^ > > > > This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not > > fail to compile but loading of mod_md likely would fail > > as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2. > > This probably comes from r1913912 (2.4.x) which backported r1913616 > (trunk) which changed EVP_PKEY_get1_RSA() => EVP_PKEY_get0_RSA(), the > former being probably available in < 1.1.1. > So the check for using EVP_PKEY_get{0,1}_RSA() or the new openssl >= 3 > API should probably be something like: > > #if OPENSSL_VERSION_NUMBER < 0x10101000L > RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); > if (rsa) { > const char *ret; > const BIGNUM *e; > RSA_get0_key(rsa, NULL, &e, NULL); > ret = bn64(e, p); > RSA_free(rsa); > return ret; > } > #elif OPENSSL_VERSION_NUMBER < 0x3000L > ... > #else > ... > #endif > > ? Patch attached. 
> > > Regards; > Yann. Index: modules/md/md_crypt.c === --- modules/md/md_crypt.c (revision 1918881) +++ modules/md/md_crypt.c (working copy) @@ -978,7 +978,17 @@ static const char *bn64(const BIGNUM *b, apr_pool_ const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p) { -#if OPENSSL_VERSION_NUMBER < 0x3000L +#if OPENSSL_VERSION_NUMBER < 0x10101000L +RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); +if (rsa) { +const char *ret; +const BIGNUM *e; +RSA_get0_key(rsa, NULL, &e, NULL); +ret = bn64(e, p); +RSA_free(rsa); +return ret; +} +#elif OPENSSL_VERSION_NUMBER < 0x3000L const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); if (rsa) { const BIGNUM *e; @@ -998,7 +1008,17 @@ const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, a const char *md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p) { -#if OPENSSL_VERSION_NUMBER < 0x3000L +#if OPENSSL_VERSION_NUMBER < 0x10101000L +RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); +if (rsa) { +const char *ret; +const BIGNUM *n; +RSA_get0_key(rsa, &n, NULL, NULL); +ret = bn64(n, p); +RSA_free(rsa); +return ret; +} +#elif OPENSSL_VERSION_NUMBER < 0x3000L const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); if (rsa) { const BIGNUM *n;
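Review bot: Both new `#if OPENSSL_VERSION_NUMBER < 0x10101000L` branches, in `md_pkey_get_rsa_e64` and `md_pkey_get_rsa_n64`, lack a comment explaining why the owning `EVP_PKEY_get1_RSA()` plus `RSA_free(rsa)` pair is used there while the following branch uses `EVP_PKEY_get0_RSA()` with no free. A one-line comment would keep a later cleanup from dropping the `RSA_free(rsa)` or moving it ahead of `bn64()`, which reads a BIGNUM obtained from `rsa`. The two added branches are also identical apart from which argument of `RSA_get0_key()` is filled, so a small static helper would remove the duplication.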
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem wrote: > > > > On 7/5/24 2:14 PM, Ruediger Pluem wrote: > > > > > > On 7/5/24 2:11 PM, Ruediger Pluem wrote: > >> > >> > >> On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: > >>> > >>> > Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : > > I just noticed that mod_md in 2.4.61 fails to compile with openssl < > 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7: > > md_crypt.c: In function 'md_pkey_get_rsa_e64': > md_crypt.c:982:5: warning: implicit declaration of function > 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > md_crypt.c:982:22: warning: initialization makes pointer from integer > without a cast [enabled by default] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > md_crypt.c: In function 'md_pkey_get_rsa_n64': > md_crypt.c:1002:22: warning: initialization makes pointer from integer > without a cast [enabled by default] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > > This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not > fail to compile but loading of mod_md likely would fail > as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2. This probably comes from r1913912 (2.4.x) which backported r1913616 (trunk) which changed EVP_PKEY_get1_RSA() => EVP_PKEY_get0_RSA(), the former being probably available in < 1.1.1. So the check for using EVP_PKEY_get{0,1}_RSA() or the new openssl >= 3 API should probably be something like: #if OPENSSL_VERSION_NUMBER < 0x10101000L RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey); if (rsa) { const char *ret; const BIGNUM *e; RSA_get0_key(rsa, NULL, &e, NULL); ret = bn64(e, p); RSA_free(rsa); return ret; } #elif OPENSSL_VERSION_NUMBER < 0x3000L ... #else ... #endif ? Regards; Yann.
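The three-way version check proposed above, modelled as an added example (not code from the thread or from httpd): it decodes `OPENSSL_VERSION_NUMBER` values and reports which branch the single-boundary check and the proposed two-boundary check select. The function names and sample version numbers are constructed for illustration, and the 3.0.0 boundary is assumed to be `0x30000000L`, since the page shows it only as `0x3000L`.

```c
#include <stdio.h>

/* 0x10101000 (OpenSSL 1.1.1) is the boundary written in the proposed check.
 * 0x30000000 (OpenSSL 3.0.0) is an assumption for the second boundary. */
#define MD_OSSL_1_1_1 0x10101000UL
#define MD_OSSL_3_0_0 0x30000000UL

/* Which accessor a given build would compile in (names are hypothetical). */
enum rsa_path { PATH_GET1_RSA, PATH_GET0_RSA, PATH_OSSL3_API };

struct ossl_version { unsigned major, minor, fix, patch, status; };

/* OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS before 3.0;
 * from 3.0 on the FF field is always zero and PP carries the patch level. */
struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version out;
    out.major  = (unsigned)((v >> 28) & 0xf);
    out.minor  = (unsigned)((v >> 20) & 0xff);
    out.fix    = (unsigned)((v >> 12) & 0xff);
    out.patch  = (unsigned)((v >> 4) & 0xff);
    out.status = (unsigned)(v & 0xf);
    return out;
}

/* Single boundary: everything below 3.0.0 takes the get0 accessor. */
enum rsa_path path_before(unsigned long v)
{
    return v < MD_OSSL_3_0_0 ? PATH_GET0_RSA : PATH_OSSL3_API;
}

/* Proposed check: below 1.1.1 use get1 + RSA_free, then get0, then 3.x API. */
enum rsa_path path_after(unsigned long v)
{
    if (v < MD_OSSL_1_1_1)
        return PATH_GET1_RSA;
    if (v < MD_OSSL_3_0_0)
        return PATH_GET0_RSA;
    return PATH_OSSL3_API;
}

/* Non-zero when the proposed check routes this version differently. */
int path_changed(unsigned long v)
{
    return path_before(v) != path_after(v);
}

const char *path_name(enum rsa_path p)
{
    switch (p) {
    case PATH_GET1_RSA:  return "EVP_PKEY_get1_RSA + RSA_free";
    case PATH_GET0_RSA:  return "EVP_PKEY_get0_RSA";
    default:             return "OpenSSL 3 API";
    }
}

int main(void)
{
    /* Constructed sample values: 1.0.2k, 1.1.0l, 1.1.1w, 3.0.13. */
    const unsigned long samples[] = {
        0x100020bfUL, 0x101000cfUL, 0x1010117fUL, 0x300000d0UL
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ossl_version d = decode_version(samples[i]);
        printf("0x%08lx  %u.%u.%u patch=%u  before: %-18s after: %s%s\n",
               samples[i], d.major, d.minor, d.fix, d.patch,
               path_name(path_before(samples[i])),
               path_name(path_after(samples[i])),
               path_changed(samples[i]) ? "  (changed)" : "");
    }
    return 0;
}
```
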
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 2:14 PM, Ruediger Pluem wrote: > > > On 7/5/24 2:11 PM, Ruediger Pluem wrote: >> >> >> On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: >>> >>> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : I just noticed that mod_md in 2.4.61 fails to compile with openssl < 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7: md_crypt.c: In function 'md_pkey_get_rsa_e64': md_crypt.c:982:5: warning: implicit declaration of function 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); ^ md_crypt.c:982:22: warning: initialization makes pointer from integer without a cast [enabled by default] const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); ^ md_crypt.c: In function 'md_pkey_get_rsa_n64': md_crypt.c:1002:22: warning: initialization makes pointer from integer without a cast [enabled by default] const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); ^ This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not fail to compile but loading of mod_md likely would fail as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2. md_crypt.c: In function 'md_cert_get_ct_scts': md_crypt.c:2071:5: error: unknown type name 'SCT' SCT *sct_handle; This one is caused by r1918195 in >= 2.4.60. Before r1918195 OPENSSL_NO_CT was defined when openssl was < 1.1.1. Now it is not any longer and hence md_cert_get_ct_scts gets a real function body as #ifndef OPENSSL_NO_CT (line 2068) is now true. Hence we error out on the non presence of the SCT struct (line 2071). https://github.com/apache/httpd/blob/ecc67450d2da42d8724a5f5e8ef4cb92d4336ff2/modules/md/md_crypt.c#L2066-L2077 To summarize: With 2.4.59 it was already broken with openssl < 1.1.1 and not loadable but it still compiled. With 2.4.60+ it now fails to compile. Hence I think that checking the openssl version in configure is the correct thing to do. Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 2:11 PM, Ruediger Pluem wrote: > > > On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: >> >> >>> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : >>> >>> I just noticed that mod_md in 2.4.61 fails to compile with openssl < 1.1.1. >>> Below is the output against openssl 1.0.2 on RedHat 7: >>> >>> md_crypt.c: In function 'md_pkey_get_rsa_e64': >>> md_crypt.c:982:5: warning: implicit declaration of function >>> 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> md_crypt.c:982:22: warning: initialization makes pointer from integer >>> without a cast [enabled by default] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> md_crypt.c: In function 'md_pkey_get_rsa_n64': >>> md_crypt.c:1002:22: warning: initialization makes pointer from integer >>> without a cast [enabled by default] >>> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >>> ^ >>> md_crypt.c: In function 'md_cert_get_ct_scts': >>> md_crypt.c:2071:5: error: unknown type name 'SCT' >>> SCT *sct_handle; >>> ^ >>> In file included from /usr/include/openssl/crypto.h:129:0, >>> from /usr/include/openssl/bio.h:69, >>> from /usr/include/openssl/err.h:124, >>> from md_crypt.c:28: >>> md_crypt.c:2084:29: error: 'SCT' undeclared (first use in this function) >>>sct_handle = sk_SCT_value(sct_list, i); >>> ^ >>> md_crypt.c:2084:29: note: each undeclared identifier is reported only once >>> for each function it appears in >>> md_crypt.c:2084:29: error: expected expression before ')' token >>>sct_handle = sk_SCT_value(sct_list, i); >>> ^ >>> md_crypt.c:2087:21: warning: implicit declaration of function >>> 'SCT_get_version' [-Wimplicit-function-declaration] >>> sct->version = SCT_get_version(sct_handle); >>> ^ >>> md_crypt.c:2088:21: warning: implicit declaration of function >>> 'SCT_get_timestamp' [-Wimplicit-function-declaration] >>> sct->timestamp = >>> apr_time_from_msec(SCT_get_timestamp(sct_handle)); >>> ^ >>> md_crypt.c:2089:21: 
warning: implicit declaration of function >>> 'SCT_get0_log_id' [-Wimplicit-function-declaration] >>> len = SCT_get0_log_id(sct_handle, (unsigned >>> char**)&data); >>> ^ >>> md_crypt.c:2091:21: warning: implicit declaration of function >>> 'SCT_get_signature_nid' [-Wimplicit-function-declaration] >>> sct->signature_type_nid = >>> SCT_get_signature_nid(sct_handle); >>> ^ >>> md_crypt.c:2092:21: warning: implicit declaration of function >>> 'SCT_get0_signature' [-Wimplicit-function-declaration] >>> len = SCT_get0_signature(sct_handle, (unsigned >>> char**)&data); >>> ^ >>> make[4]: *** [md_crypt.slo] Error 1 >>> make[4]: *** Waiting for unfinished jobs >>> make[4]: Leaving directory >>> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' >>> make[3]: *** [shared-build-recursive] Error 1 >>> make[3]: Leaving directory >>> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' >>> make[2]: *** [shared-build-recursive] Error 1 >>> make[2]: Leaving directory >>> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules' >>> make[1]: *** [shared-build-recursive] Error 1 >>> make[1]: Leaving directory >>> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61' >>> make: *** [all-recursive] Error 1 >>> >>> I am not sure if we can do without these functions or the SCT structure and >>> in the end mod_md is still experimental for 2.4.x. >>> But if we want to keep the code of mod_md as is in 2.4.x we probably should >>> add checks in the autoconf stuff that prevents it >>> from being enabled on openssl < 1.1.1. >> >> Ok, the code is from 2019, meaning we did not have that combination working >> for a long time. I think checking the openssl version in configure seems the >> best approach. > > I guess r1918195 in 2.4.x is the culprit which changed defines in the code as > I was able to compile 2.4.59 with Openssl 1.0.2 and > mod_md. Let me investigate deeper. Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
On 7/5/24 2:04 PM, Stefan Eissing via dev wrote: > > >> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : >> >> I just noticed that mod_md in 2.4.61 fails to compile with openssl < 1.1.1. >> Below is the output against openssl 1.0.2 on RedHat 7: >> >> md_crypt.c: In function 'md_pkey_get_rsa_e64': >> md_crypt.c:982:5: warning: implicit declaration of function >> 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> md_crypt.c:982:22: warning: initialization makes pointer from integer >> without a cast [enabled by default] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> md_crypt.c: In function 'md_pkey_get_rsa_n64': >> md_crypt.c:1002:22: warning: initialization makes pointer from integer >> without a cast [enabled by default] >> const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); >> ^ >> md_crypt.c: In function 'md_cert_get_ct_scts': >> md_crypt.c:2071:5: error: unknown type name 'SCT' >> SCT *sct_handle; >> ^ >> In file included from /usr/include/openssl/crypto.h:129:0, >> from /usr/include/openssl/bio.h:69, >> from /usr/include/openssl/err.h:124, >> from md_crypt.c:28: >> md_crypt.c:2084:29: error: 'SCT' undeclared (first use in this function) >>sct_handle = sk_SCT_value(sct_list, i); >> ^ >> md_crypt.c:2084:29: note: each undeclared identifier is reported only once >> for each function it appears in >> md_crypt.c:2084:29: error: expected expression before ')' token >>sct_handle = sk_SCT_value(sct_list, i); >> ^ >> md_crypt.c:2087:21: warning: implicit declaration of function >> 'SCT_get_version' [-Wimplicit-function-declaration] >> sct->version = SCT_get_version(sct_handle); >> ^ >> md_crypt.c:2088:21: warning: implicit declaration of function >> 'SCT_get_timestamp' [-Wimplicit-function-declaration] >> sct->timestamp = >> apr_time_from_msec(SCT_get_timestamp(sct_handle)); >> ^ >> md_crypt.c:2089:21: warning: implicit declaration of function >> 'SCT_get0_log_id' [-Wimplicit-function-declaration] >> 
len = SCT_get0_log_id(sct_handle, (unsigned >> char**)&data); >> ^ >> md_crypt.c:2091:21: warning: implicit declaration of function >> 'SCT_get_signature_nid' [-Wimplicit-function-declaration] >> sct->signature_type_nid = >> SCT_get_signature_nid(sct_handle); >> ^ >> md_crypt.c:2092:21: warning: implicit declaration of function >> 'SCT_get0_signature' [-Wimplicit-function-declaration] >> len = SCT_get0_signature(sct_handle, (unsigned >> char**)&data); >> ^ >> make[4]: *** [md_crypt.slo] Error 1 >> make[4]: *** Waiting for unfinished jobs >> make[4]: Leaving directory >> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' >> make[3]: *** [shared-build-recursive] Error 1 >> make[3]: Leaving directory >> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' >> make[2]: *** [shared-build-recursive] Error 1 >> make[2]: Leaving directory >> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules' >> make[1]: *** [shared-build-recursive] Error 1 >> make[1]: Leaving directory >> `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61' >> make: *** [all-recursive] Error 1 >> >> I am not sure if we can do without these functions or the SCT structure and >> in the end mod_md is still experimental for 2.4.x. >> But if we want to keep the code of mod_md as is in 2.4.x we probably should >> add checks in the autoconf stuff that prevents it >> from being enabled on openssl < 1.1.1. > > Ok, the code is from 2019, meaning we did not have that combination working > for a long time. I think checking the openssl version in configure seems the > best approach. I guess r1918195 in 2.4.x is the culprit which changed defines in the code as I was able to compile 2.4.59 with Openssl 1.0.2 and mod_md. Regards Rüdiger
Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1
> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem : > > I just noticed that mod_md in 2.4.61 fails to compile with openssl < 1.1.1. > Below is the output against openssl 1.0.2 on RedHat 7: > > md_crypt.c: In function 'md_pkey_get_rsa_e64': > md_crypt.c:982:5: warning: implicit declaration of function > 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > md_crypt.c:982:22: warning: initialization makes pointer from integer without > a cast [enabled by default] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > md_crypt.c: In function 'md_pkey_get_rsa_n64': > md_crypt.c:1002:22: warning: initialization makes pointer from integer > without a cast [enabled by default] > const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey); > ^ > md_crypt.c: In function 'md_cert_get_ct_scts': > md_crypt.c:2071:5: error: unknown type name 'SCT' > SCT *sct_handle; > ^ > In file included from /usr/include/openssl/crypto.h:129:0, > from /usr/include/openssl/bio.h:69, > from /usr/include/openssl/err.h:124, > from md_crypt.c:28: > md_crypt.c:2084:29: error: 'SCT' undeclared (first use in this function) >sct_handle = sk_SCT_value(sct_list, i); > ^ > md_crypt.c:2084:29: note: each undeclared identifier is reported only once > for each function it appears in > md_crypt.c:2084:29: error: expected expression before ')' token >sct_handle = sk_SCT_value(sct_list, i); > ^ > md_crypt.c:2087:21: warning: implicit declaration of function > 'SCT_get_version' [-Wimplicit-function-declaration] > sct->version = SCT_get_version(sct_handle); > ^ > md_crypt.c:2088:21: warning: implicit declaration of function > 'SCT_get_timestamp' [-Wimplicit-function-declaration] > sct->timestamp = > apr_time_from_msec(SCT_get_timestamp(sct_handle)); > ^ > md_crypt.c:2089:21: warning: implicit declaration of function > 'SCT_get0_log_id' [-Wimplicit-function-declaration] > len = SCT_get0_log_id(sct_handle, (unsigned char**)&data); > ^ > md_crypt.c:2091:21: warning: 
implicit declaration of function > 'SCT_get_signature_nid' [-Wimplicit-function-declaration] > sct->signature_type_nid = > SCT_get_signature_nid(sct_handle); > ^ > md_crypt.c:2092:21: warning: implicit declaration of function > 'SCT_get0_signature' [-Wimplicit-function-declaration] > len = SCT_get0_signature(sct_handle, (unsigned > char**)&data); > ^ > make[4]: *** [md_crypt.slo] Error 1 > make[4]: *** Waiting for unfinished jobs > make[4]: Leaving directory > `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' > make[3]: *** [shared-build-recursive] Error 1 > make[3]: Leaving directory > `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules/md' > make[2]: *** [shared-build-recursive] Error 1 > make[2]: Leaving directory > `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61/modules' > make[1]: *** [shared-build-recursive] Error 1 > make[1]: Leaving directory > `/home/devil/rpmbuild/BUILD/WAO-apache-2.4.61/httpd-2.4.61' > make: *** [all-recursive] Error 1 > > I am not sure if we can do without these functions or the SCT structure and > in the end mod_md is still experimental for 2.4.x. > But if we want to keep the code of mod_md as is in 2.4.x we probably should > add checks in the autoconf stuff that prevents it > from being enabled on openssl < 1.1.1. Ok, the code is from 2019, meaning we did not have that combination working for a long time. I think checking the openssl version in configure seems the best approach. Cheers, Stefan > > Regards > > Rüdiger