diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 5da65e26d9e..f916496f785 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -316,12 +316,12 @@ jobs:
 APU_CONFIG="--without-crypto"
 pkgs: subversion
 # -------------------------------------------------------------------------
- - name: OpenSSL ECH branch
+ - name: OpenSSL master
 config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto
 notest-cflags: -Werror -O2
 env: |
- TEST_OPENSSL3=ech2
- TEST_OPENSSL3_BRANCH=feature/ech
+ TEST_OPENSSL3=ech3
+ TEST_OPENSSL3_BRANCH=master
 OPENSSL_CONFIG=no-engine
 APR_VERSION=1.7.6
 APU_VERSION=1.6.3
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 569cb26c4d5..cb88f0112c6 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1263,7 +1263,7 @@ int ssl_hook_UserCheck(request_rec *r)
 }
 if (!sslconn->client_dn) {
- X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
+ const X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
 char *cp = X509_NAME_oneline(name, NULL, 0);
 sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
 OPENSSL_free(cp);
@@ -1817,7 +1817,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 server_rec *s = mySrvFromConn(c);
 SSLSrvConfigRec *sc = mySrvConfig(s);
 SSLDirConfigRec *dc = myDirConfigFromConn(c);
- X509_NAME *ca_name, *issuer, *ca_issuer;
+ const X509_NAME *ca_name, *issuer, *ca_issuer;
 X509_INFO *info;
 X509 *ca_cert;
 STACK_OF(X509_NAME) *ca_list;
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 6bca827d50f..2c145692bbe 100644
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
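Review bot: `TEST_OPENSSL3_BRANCH=master` makes this job build against whatever OpenSSL master is at run time, so a red build can no longer be reproduced from the httpd commit alone and an upstream API change shows up as an unrelated failure on every PR; the job should at least log the OpenSSL revision it built (the `git rev-parse HEAD` of the checkout) so a failure is attributable, or pin a known-good revision and bump it deliberately. The `ech2`→`ech3` bump presumably exists to invalidate a cached OpenSSL build; if so, a short comment next to `TEST_OPENSSL3=ech3` saying that would save the next person from guessing. With `notest-cflags: -Werror -O2` on an unpinned branch, every new deprecation warning on master also breaks the build, which is fine for an early-warning job but is worth stating in `name:` so nobody treats it as a release gate.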
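Review bot: The new `const X509_NAME *name` flows into `X509_NAME_oneline(name, NULL, 0)`, whose parameter is const only from OpenSSL 1.1.0 on; if this tree still builds against an older OpenSSL or a LibreSSL with the non-const prototype, the discarded-qualifier warning becomes an error under the `-Werror` the CI job uses, so the supported floor should be confirmed before this lands (the same applies to `ca_name`/`issuer`/`ca_issuer` in the `ssl_callback_proxy_cert` hunk below, whose consumers are outside the hunk). Visible next to the change: `X509_NAME_oneline` returns NULL on allocation failure, `apr_pstrdup` passes a NULL through, and `client_dn` is then left unset with nothing logged; a comment such as `/* cp may be NULL on OOM: client_dn stays unset and the lookup is retried */` would make that silent path explicit. `ssl_hook_UserCheck` continues outside the hunk.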
@@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
 static void ssl_log_cert_error(const char *file, int line, int level,
 apr_status_t rv, const server_rec *s, const conn_rec *c, const request_rec *r,
- apr_pool_t *p, X509 *cert, const char *format,
+ apr_pool_t *p, const X509 *cert, const char *format,
 va_list ap)
 {
 char buf[HUGE_STRING_LEN];
@@ -167,14 +167,14 @@ static void ssl_log_cert_error(const char *file, int line, int level,
 }
 BIO_puts(bio, " / serial: ");
- if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)
+ if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1)
 BIO_puts(bio, "(ERROR)");
 BIO_puts(bio, " / notbefore: ");
- ASN1_TIME_print(bio, X509_get_notBefore(cert));
+ ASN1_TIME_print(bio, X509_get0_notBefore(cert));
 BIO_puts(bio, " / notafter: ");
- ASN1_TIME_print(bio, X509_get_notAfter(cert));
+ ASN1_TIME_print(bio, X509_get0_notAfter(cert));
 BIO_puts(bio, "]");
@@ -212,7 +212,7 @@ static void ssl_log_cert_error(const char *file, int line, int level,
 * in the other cases we use the connection and request pool, respectively).
 */
 void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
- apr_pool_t *ptemp, server_rec *s, X509 *cert,
+ apr_pool_t *ptemp, server_rec *s, const X509 *cert,
 const char *fmt, ...)
 {
 if (APLOG_IS_LEVEL(s,level)) {
@@ -225,7 +225,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
 }
 void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
- conn_rec *c, X509 *cert, const char *fmt, ...)
+ conn_rec *c, const X509 *cert, const char *fmt, ...)
 {
 if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
 va_list ap;
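Review bot: The two `ASN1_TIME_print` calls on the new `X509_get0_notBefore`/`X509_get0_notAfter` results still discard their return value, while the serial field just above falls back to `(ERROR)` when `i2a_ASN1_INTEGER` fails; for a log line that ends up in incident notes an silently empty validity field is worse than a marked one, so `if (!ASN1_TIME_print(bio, X509_get0_notBefore(cert))) BIO_puts(bio, "(ERROR)");` (and the same for notafter) keeps the three fields consistent. The move to the `get0` getters is also not carried into `ssl_engine_vars.c`, where the `ssl_var_lookup_ssl_cert_rfc4523_cea` hunk still reads `X509_get_serialNumber(xs)` into a non-const `serialNumber`; `ASN1_INTEGER_to_BN` takes a const pointer, so `X509_get0_serialNumber` fits there too. These `get0` accessors exist only from OpenSSL 1.1.0, so if the module still claims support for older versions the compat layer needs equivalents. `ssl_log_cert_error` starts and ends outside the hunk.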
@@ -237,7 +237,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
 }
 void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv,
- request_rec *r, X509 *cert, const char *fmt, ...)
+ request_rec *r, const X509 *cert, const char *fmt, ...)
 {
 if (APLOG_R_IS_LEVEL(r,level)) {
 va_list ap;
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 3f9bea18b37..45dc6fd0b97 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -41,7 +41,7 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
 request_rec *r, const char *var);
 static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var);
-static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var);
+static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var);
 static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var);
 static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
 static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
@@ -598,7 +598,7 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
 }
 static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
- X509_NAME *xsname)
+ const X509_NAME *xsname)
 {
 char *result = NULL;
 SSLDirConfigRec *dc;
@@ -629,7 +629,7 @@ static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *
 const char *var)
 {
 const char *result;
- X509_NAME *xsname;
+ const X509_NAME *xsname;
 int nid;
 result = NULL;
@@ -727,8 +727,8 @@ static const struct {
 { NULL, 0, 0 }
 };
-static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
- const char *var)
+static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname,
+ const char *var)
 {
 const char *ptr;
 const char *result;
@@ -929,7 +929,7 @@ static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
 serialNumber = X509_get_serialNumber(xs);
 if (serialNumber) {
- X509_NAME *issuer = X509_get_issuer_name(xs);
+ const X509_NAME *issuer = X509_get_issuer_name(xs);
 if (issuer) {
 BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
 if((decimal = BN_bn2dec(bn)) == NULL) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index fcaf76310ba..24d442dbeb9 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1212,16 +1212,16 @@ void ssl_log_ssl_error(const char *, int, int, server_rec *);
 * counterparts. */
 void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s,
- X509 *cert, const char *format, ...)
+ const X509 *cert, const char *format, ...)
 __attribute__((format(printf,8,9)));
 void ssl_log_cxerror(const char *file, int line, int level,
- apr_status_t rv, conn_rec *c, X509 *cert,
+ apr_status_t rv, conn_rec *c, const X509 *cert,
 const char *format, ...)
 __attribute__((format(printf,7,8)));
 void ssl_log_rxerror(const char *file, int line, int level,
- apr_status_t rv, request_rec *r, X509 *cert,
+ apr_status_t rv, request_rec *r, const X509 *cert,
 const char *format, ...)
 __attribute__((format(printf,7,8)));
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
index a4c312b7fb3..566f4d0f7a2 100644
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
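Review bot: In the `ssl_var_lookup_ssl_cert_rfc4523_cea` hunk, `bn` from `ASN1_INTEGER_to_BN(serialNumber, NULL)` is handed straight to `BN_bn2dec(bn)` with no NULL check; `ASN1_INTEGER_to_BN` returns NULL on allocation failure and `BN_bn2dec` reads its argument without checking it, so the failure path two lines below the new `const X509_NAME *issuer` declaration dereferences NULL instead of taking the existing error branch. A guard of the form `if (bn == NULL || (decimal = BN_bn2dec(bn)) == NULL) {` keeps that branch and removes the crash. This is pre-existing context rather than a line the commit touches, and the rest of the function is outside the hunk, so whether `bn` and `decimal` are released on every path cannot be confirmed here.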
@@ -236,7 +236,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
 * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
 * to maxlen characters (specify a maxlen of 0 for no length limit)
 */
-char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
+char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen)
 {
 char *result = NULL;
 BIO *bio;
@@ -373,7 +373,7 @@ BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
 /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
 static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
 {
- X509_NAME *subj;
+ const X509_NAME *subj;
 int i = -1;
 /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
index 443c1b7ee73..006151bc1ca 100644
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -73,7 +73,7 @@ int modssl_smart_shutdown(SSL *ssl);
 BOOL modssl_X509_getBC(X509 *, int *, int *);
 char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, int raw);
-char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int);
 BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
 BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
 char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
diff --git a/support/ab.c b/support/ab.c
index e02cd6841fb..e3101a632e6 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -799,7 +799,7 @@ static int ssl_print_connection_info(BIO *bio, SSL *ssl)
 static void ssl_print_cert_info(BIO *bio, X509 *cert)
 {
- X509_NAME *dn;
+ const X509_NAME *dn;
 EVP_PKEY *pk;
 char buf[1024];