From 8391c6f3fe27e58aee67a1863284ab160ab430e9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 12 Apr 2024 10:32:14 +0200
Subject: Merging upstream version 2.4.59.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 modules/ssl/ssl_private.h | 67 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 48 insertions(+), 19 deletions(-)

(limited to 'modules/ssl/ssl_private.h')

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index cd8df07..859e932 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -83,16 +83,13 @@
 
 #include "ap_expr.h"
 
-/* OpenSSL headers */
-#include <openssl/opensslv.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
-/* must be defined before including ssl.h */
-#define OPENSSL_NO_SSL_INTERN
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
-#include <openssl/core_names.h>
+/* keep first for compat API */
+#ifndef OPENSSL_API_COMPAT
+#define OPENSSL_API_COMPAT 0x10101000 /* for ENGINE_ API */
 #endif
-#include <openssl/ssl.h>
+#include "mod_ssl_openssl.h"
+
+/* OpenSSL headers */
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -102,12 +99,23 @@
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/ocsp.h>
+#include <openssl/dh.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/core_names.h>
+#endif
 
 /* Avoid tripping over an engine build installed globally and detected
  * when the user points at an explicit non-engine flavor of OpenSSL
  */
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
+    && (OPENSSL_VERSION_NUMBER < 0x30000000 \
+        || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+    && !defined(OPENSSL_NO_ENGINE)
 #include <openssl/engine.h>
+#define MODSSL_HAVE_ENGINE_API 1
+#endif
+#ifndef MODSSL_HAVE_ENGINE_API
+#define MODSSL_HAVE_ENGINE_API 0
 #endif
 
 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
@@ -142,10 +150,18 @@
  * include most changes from OpenSSL >= 1.1 (new functions, macros, 
  * deprecations, ...), so we have to work around this...
  */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if LIBRESSL_VERSION_NUMBER < 0x2070000f
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0
+#endif
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0
 #endif
+#endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
 #if defined(OPENSSL_FIPS) || OPENSSL_VERSION_NUMBER >= 0x30000000L
 #define HAVE_FIPS
@@ -211,7 +227,10 @@
 #endif
 
 /* Secure Remote Password */
-#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
+#if !defined(OPENSSL_NO_SRP) \
+    && (OPENSSL_VERSION_NUMBER < 0x30000000L \
+        || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+    && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
 #define HAVE_SRP
 #include <openssl/srp.h>
 #endif
@@ -254,6 +273,14 @@ void free_bio_methods(void);
 #endif
 #endif
 
+/* those may be deprecated */
+#ifndef X509_get_notBefore
+#define X509_get_notBefore  X509_getm_notBefore
+#endif
+#ifndef X509_get_notAfter
+#define X509_get_notAfter   X509_getm_notAfter
+#endif
+
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_OPENSSL_KEYLOG
 #endif
@@ -625,9 +652,7 @@ typedef struct {
      * index), for example the string "vhost.example.com:443:0". */
     apr_hash_t     *tPrivateKey;
 
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-    const char     *szCryptoDevice;
-#endif
+    const char     *szCryptoDevice; /* ENGINE device (if available) */
 
 #ifdef HAVE_OCSP_STAPLING
     const ap_socache_provider_t *stapling_cache;
@@ -1019,7 +1044,7 @@ void         modssl_callback_keylog(const SSL *ssl, const char *line);
 /**  I/O  */
 void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
 void         ssl_io_filter_register(apr_pool_t *);
-long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);
+void         modssl_set_io_callbacks(SSL *ssl);
 
 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
  * to allow an SSL renegotiation to take place. */
@@ -1057,9 +1082,13 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
                                         X509 **pubkey, EVP_PKEY **privkey);
 
 /**  Diffie-Hellman Parameter Support  */
-DH           *ssl_dh_GetParamFromFile(const char *);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+DH           *modssl_dh_from_file(const char *);
+#else
+EVP_PKEY     *modssl_dh_pkey_from_file(const char *);
+#endif
 #ifdef HAVE_ECC
-EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
+EC_GROUP     *modssl_ec_group_from_file(const char *);
 #endif
 
 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
-- 
cgit v1.2.3