external/subpack/net/apache/patches/020-openssl-deprecated.patch - T108 - Gitiles

 --- a/modules/md/md_crypt.c
 +++ b/modules/md/md_crypt.c
 @@ -1139,23 +1139,23 @@ const char *md_cert_get_serial_number(co

  int md_cert_is_valid_now(const md_cert_t *cert)
  {
 -    return ((X509_cmp_current_time(X509_get_notBefore(cert->x509)) < 0)
 -            && (X509_cmp_current_time(X509_get_notAfter(cert->x509)) > 0));
 +    return ((X509_cmp_current_time(X509_get0_notBefore(cert->x509)) < 0)
 +            && (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) > 0));
  }

  int md_cert_has_expired(const md_cert_t *cert)
  {
 -    return (X509_cmp_current_time(X509_get_notAfter(cert->x509)) <= 0);
 +    return (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) <= 0);
  }

  apr_time_t md_cert_get_not_after(const md_cert_t *cert)
  {
 -    return md_asn1_time_get(X509_get_notAfter(cert->x509));
 +    return md_asn1_time_get(X509_get0_notAfter(cert->x509));
  }

  apr_time_t md_cert_get_not_before(const md_cert_t *cert)
  {
 -    return md_asn1_time_get(X509_get_notBefore(cert->x509));
 +    return md_asn1_time_get(X509_get0_notBefore(cert->x509));
  }

  md_timeperiod_t md_cert_get_valid(const md_cert_t *cert)
 --- a/modules/ssl/ssl_engine_init.c
 +++ b/modules/ssl/ssl_engine_init.c
 @@ -231,7 +231,7 @@ apr_status_t ssl_init_Module(apr_pool_t
      apr_status_t rv;
      apr_array_header_t *pphrases;

 -    if (SSLeay() < MODSSL_LIBRARY_VERSION) {
 +    if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
          ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
                       "Init: this version of mod_ssl was compiled against "
                       "a newer library (%s, version currently loaded is %s)"
 --- a/modules/ssl/ssl_engine_io.c
 +++ b/modules/ssl/ssl_engine_io.c
 @@ -1316,9 +1316,9 @@ static apr_status_t ssl_io_filter_handsh
          if (dc->proxy->ssl_check_peer_expire != FALSE) {
              if (!cert
                  || (X509_cmp_current_time(
 -                     X509_get_notBefore(cert)) >= 0)
 +                     X509_get0_notBefore(cert)) >= 0)
                  || (X509_cmp_current_time(
 -                     X509_get_notAfter(cert)) <= 0)) {
 +                     X509_get0_notAfter(cert)) <= 0)) {
                  proxy_ssl_check_peer_ok = FALSE;
                  ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
                                "SSL Proxy: Peer certificate is expired");
 --- a/modules/ssl/ssl_engine_log.c
 +++ b/modules/ssl/ssl_engine_log.c
 @@ -171,10 +171,10 @@ static void ssl_log_cert_error(const cha
                  BIO_puts(bio, "(ERROR)");

              BIO_puts(bio, " / notbefore: ");
 -            ASN1_TIME_print(bio, X509_get_notBefore(cert));
 +            ASN1_TIME_print(bio, X509_get0_notBefore(cert));

              BIO_puts(bio, " / notafter: ");
 -            ASN1_TIME_print(bio, X509_get_notAfter(cert));
 +            ASN1_TIME_print(bio, X509_get0_notAfter(cert));

              BIO_puts(bio, "]");

 --- a/modules/ssl/ssl_engine_vars.c
 +++ b/modules/ssl/ssl_engine_vars.c
 @@ -490,13 +490,13 @@ static char *ssl_var_lookup_ssl_cert(apr
          result = ssl_var_lookup_ssl_cert_serial(p, xs);
      }
      else if (strcEQ(var, "V_START")) {
 -        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
 +        result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs));
      }
      else if (strcEQ(var, "V_END")) {
 -        result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
 +        result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs));
      }
      else if (strcEQ(var, "V_REMAIN")) {
 -        result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
 +        result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs));
          resdup = FALSE;
      }
      else if (*var && strcEQ(var+1, "_DN")) {
 --- a/modules/ssl/ssl_private.h
 +++ b/modules/ssl/ssl_private.h
 @@ -102,6 +102,9 @@
  #include <openssl/x509v3.h>
  #include <openssl/x509_vfy.h>
  #include <openssl/ocsp.h>
 +#include <openssl/dh.h>
 +#include <openssl/bn.h>
 +#include <openssl/ui.h>

  /* Avoid tripping over an engine build installed globally and detected
   * when the user points at an explicit non-engine flavor of OpenSSL
 --- a/support/ab.c
 +++ b/support/ab.c
 @@ -652,11 +652,11 @@ static void ssl_print_cert_info(BIO *bio

      BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);
      BIO_printf(bio,"Valid from: ");
 -    ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
 +    ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
      BIO_printf(bio,"\n");

      BIO_printf(bio,"Valid to  : ");
 -    ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
 +    ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
      BIO_printf(bio,"\n");

      pk = X509_get_pubkey(cert);
 @@ -2634,8 +2634,10 @@ int main(int argc, const char * const ar
      CRYPTO_malloc_init();
  #endif
  #endif
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
      SSL_load_error_strings();
      SSL_library_init();
 +#endif
      bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
      bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
	--- a/modules/md/md_crypt.c
	+++ b/modules/md/md_crypt.c
	@@ -1139,23 +1139,23 @@ const char *md_cert_get_serial_number(co

	int md_cert_is_valid_now(const md_cert_t *cert)
	{
	- return ((X509_cmp_current_time(X509_get_notBefore(cert->x509)) < 0)
	- && (X509_cmp_current_time(X509_get_notAfter(cert->x509)) > 0));
	+ return ((X509_cmp_current_time(X509_get0_notBefore(cert->x509)) < 0)
	+ && (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) > 0));
	}

	int md_cert_has_expired(const md_cert_t *cert)
	{
	- return (X509_cmp_current_time(X509_get_notAfter(cert->x509)) <= 0);
	+ return (X509_cmp_current_time(X509_get0_notAfter(cert->x509)) <= 0);
	}

	apr_time_t md_cert_get_not_after(const md_cert_t *cert)
	{
	- return md_asn1_time_get(X509_get_notAfter(cert->x509));
	+ return md_asn1_time_get(X509_get0_notAfter(cert->x509));
	}

	apr_time_t md_cert_get_not_before(const md_cert_t *cert)
	{
	- return md_asn1_time_get(X509_get_notBefore(cert->x509));
	+ return md_asn1_time_get(X509_get0_notBefore(cert->x509));
	}

	md_timeperiod_t md_cert_get_valid(const md_cert_t *cert)
	--- a/modules/ssl/ssl_engine_init.c
	+++ b/modules/ssl/ssl_engine_init.c
	@@ -231,7 +231,7 @@ apr_status_t ssl_init_Module(apr_pool_t
	apr_status_t rv;
	apr_array_header_t *pphrases;

	- if (SSLeay() < MODSSL_LIBRARY_VERSION) {
	+ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
	"Init: this version of mod_ssl was compiled against "
	"a newer library (%s, version currently loaded is %s)"
	--- a/modules/ssl/ssl_engine_io.c
	+++ b/modules/ssl/ssl_engine_io.c
	@@ -1316,9 +1316,9 @@ static apr_status_t ssl_io_filter_handsh
	if (dc->proxy->ssl_check_peer_expire != FALSE) {
	if (!cert
	\|\| (X509_cmp_current_time(
	- X509_get_notBefore(cert)) >= 0)
	+ X509_get0_notBefore(cert)) >= 0)
	\|\| (X509_cmp_current_time(
	- X509_get_notAfter(cert)) <= 0)) {
	+ X509_get0_notAfter(cert)) <= 0)) {
	proxy_ssl_check_peer_ok = FALSE;
	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
	"SSL Proxy: Peer certificate is expired");
	--- a/modules/ssl/ssl_engine_log.c
	+++ b/modules/ssl/ssl_engine_log.c
	@@ -171,10 +171,10 @@ static void ssl_log_cert_error(const cha
	BIO_puts(bio, "(ERROR)");

	BIO_puts(bio, " / notbefore: ");
	- ASN1_TIME_print(bio, X509_get_notBefore(cert));
	+ ASN1_TIME_print(bio, X509_get0_notBefore(cert));

	BIO_puts(bio, " / notafter: ");
	- ASN1_TIME_print(bio, X509_get_notAfter(cert));
	+ ASN1_TIME_print(bio, X509_get0_notAfter(cert));

	BIO_puts(bio, "]");

	--- a/modules/ssl/ssl_engine_vars.c
	+++ b/modules/ssl/ssl_engine_vars.c
	@@ -490,13 +490,13 @@ static char *ssl_var_lookup_ssl_cert(apr
	result = ssl_var_lookup_ssl_cert_serial(p, xs);
	}
	else if (strcEQ(var, "V_START")) {
	- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
	+ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs));
	}
	else if (strcEQ(var, "V_END")) {
	- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
	+ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs));
	}
	else if (strcEQ(var, "V_REMAIN")) {
	- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
	+ result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs));
	resdup = FALSE;
	}
	else if (*var && strcEQ(var+1, "_DN")) {
	--- a/modules/ssl/ssl_private.h
	+++ b/modules/ssl/ssl_private.h
	@@ -102,6 +102,9 @@
	#include <openssl/x509v3.h>
	#include <openssl/x509_vfy.h>
	#include <openssl/ocsp.h>
	+#include <openssl/dh.h>
	+#include <openssl/bn.h>
	+#include <openssl/ui.h>

	/* Avoid tripping over an engine build installed globally and detected
	* when the user points at an explicit non-engine flavor of OpenSSL
	--- a/support/ab.c
	+++ b/support/ab.c
	@@ -652,11 +652,11 @@ static void ssl_print_cert_info(BIO *bio

	BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);
	BIO_printf(bio,"Valid from: ");
	- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
	+ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
	BIO_printf(bio,"\n");

	BIO_printf(bio,"Valid to : ");
	- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
	+ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
	BIO_printf(bio,"\n");

	pk = X509_get_pubkey(cert);
	@@ -2634,8 +2634,10 @@ int main(int argc, const char * const ar
	CRYPTO_malloc_init();
	#endif
	#endif
	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
	SSL_load_error_strings();
	SSL_library_init();
	+#endif
	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);