Merge ~sergiodj/ubuntu/+source/squid:openssl3-test2 into ubuntu/+source/squid:ubuntu/devel
Status: Merged
Merged at revision: 819f9438ef366292a90afe3f0c3b562fb010ac95
Proposed branch: ~sergiodj/ubuntu/+source/squid:openssl3-test2
Merge into: ubuntu/+source/squid:ubuntu/devel
Diff against target: 911 lines (+823/-0), 14 files modified:
- debian/changelog (+19/-0)
- debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch (+30/-0)
- debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch (+33/-0)
- debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch (+30/-0)
- debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch (+140/-0)
- debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch (+108/-0)
- debian/patches/openssl3-Remove-stale-TODO-and-comment.patch (+27/-0)
- debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch (+181/-0)
- debian/patches/openssl3-Switch-to-BN_rand.patch (+69/-0)
- debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch (+36/-0)
- debian/patches/openssl3-Tweak-RSA-key-generator.patch (+37/-0)
- debian/patches/openssl3-Update-ECDH-key-settings.patch (+73/-0)
- debian/patches/openssl3-Update-license-disclaimer.patch (+28/-0)
- debian/patches/series (+12/-0)
Related bugs: (none listed)
Reviewers:
- Andreas Hasenack: Approve
- Canonical Server: Pending
Review via email: mp+415283@code.launchpad.net
Description of the change
This MP fixes the current FTBFS affecting squid when it builds against OpenSSL 3.0.
As I've been mentioning during our standup calls, upstream has been reviewing its PR for quite a while now. You can find the PR here:
https:/
This is where I got all the patches from. Although the PR is still being reviewed, and despite some unaddressed comments in it, I feel reasonably confident that we can go ahead and backport everything right now. I am subscribed to the PR and will monitor future changes to it (or to any other PRs that might be created as a result of this one), and if needed I intend to backport whatever new changes are proposed.
I built the package locally and ran its autopkgtests, both successfully:
autopkgtest [18:28:58]: @@@@@@@
upstream-test-suite PASS
squid PASS
I'm also building the package in a bileto PPA here:
https:/
Once everything is built, I will trigger autopkgtest runs for all supported architectures just to be sure. But again, I'm not expecting major problems with this change.
Andreas Hasenack (ahasenack) wrote :
+1
Patches match the PR commits.
I did a quick reverse-ssl-proxy test, to be sure it at least can load a certificate and handle a simple SSL connection, and it worked just fine.
Best indeed to keep an eye on that PR and adjust the patches if they change.
Thanks!
Sergio Durigan Junior (sergiodj) wrote :
On Thursday, February 10 2022, Andreas Hasenack wrote:
> +1
>
> Patches match the PR commits.
>
> I did a quick reverse-ssl-proxy test, to be sure it at least can load a certificate and handle a simple SSL connection, and it worked just fine.
>
> Best indeed to keep an eye on that PR and adjust the patches if they change.
Thanks for the review, Andreas.
Uploaded:
$ dput squid_5.
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/
Checking signature on .dsc
gpg: /home/sergio/
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading squid_5.
Uploading squid_5.
Uploading squid_5.
Uploading squid_5.
Successfully uploaded packages.
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index a01557c..e321cb3 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,22 @@ |
6 | +squid (5.2-1ubuntu3) jammy; urgency=medium |
7 | + |
8 | + * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new |
9 | + patches have been added: |
10 | + - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch. |
11 | + - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch. |
12 | + - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch. |
13 | + - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch. |
14 | + - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch. |
15 | + - d/p/openssl3-Remove-stale-TODO-and-comment.patch. |
16 | + - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch. |
17 | + - d/p/openssl3-Switch-to-BN_rand.patch. |
18 | + - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch. |
19 | + - d/p/openssl3-Tweak-RSA-key-generator.patch. |
20 | + - d/p/openssl3-Update-ECDH-key-settings.patch. |
21 | + - d/p/openssl3-Update-license-disclaimer.patch. |
22 | + |
23 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 08 Feb 2022 17:15:20 -0500 |
24 | + |
25 | squid (5.2-1ubuntu2) jammy; urgency=medium |
26 | |
27 | * No-change rebuild against libssl3 |
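Review bot: the changelog entry lists the twelve new patch files but not where they come from; since every one of them carries `Forwarded: yes, https://github.com/squid-cache/squid/pull/694` and `Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133`, a sentence such as "backported from upstream PR #694 (squid bug 5133)" in the entry tells the next merger when the whole set can be dropped. It also helps to note that the patches are intentionally kept one-per-upstream-commit, since the review below relies on them matching the PR commits.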
28 | diff --git a/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch b/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch |
29 | new file mode 100644 |
30 | index 0000000..eea0236 |
31 | --- /dev/null |
32 | +++ b/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch |
33 | @@ -0,0 +1,30 @@ |
34 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
35 | +Date: Thu, 23 Jul 2020 18:51:20 +1200 |
36 | +Subject: Declaration of CRYPTO_EX_dup changed again in 3.0 |
37 | + |
38 | +--- |
39 | + src/ssl/support.cc | 6 +++++- |
40 | + 1 file changed, 5 insertions(+), 1 deletion(-) |
41 | + |
42 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
43 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
44 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
45 | +Last-Updated: 2022-02-08 |
46 | + |
47 | +diff --git a/src/ssl/support.cc b/src/ssl/support.cc |
48 | +index 3ad135d..73912ce 100644 |
49 | +--- a/src/ssl/support.cc |
50 | ++++ b/src/ssl/support.cc |
51 | +@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) |
52 | + } |
53 | + |
54 | + // "dup" function for SSL_get_ex_new_index("cert_err_check") |
55 | +-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP |
56 | ++#if OPENSSL_VERSION_MAJOR >= 3 |
57 | ++static int |
58 | ++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, |
59 | ++ int, long, void *) |
60 | ++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP |
61 | + static int |
62 | + ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, |
63 | + int, long, void *) |
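Review bot: the hunk ends at the new signature, so the body of `ssl_dupAclChecklist()` that consumes the third argument is outside the visible context; under `OPENSSL_VERSION_MAJOR >= 3` that parameter is now `void **` rather than `void *`, so confirm that the body dereferences it one level deeper in the 3.0 branch and that the three-way `#if OPENSSL_VERSION_MAJOR >= 3` / `#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP` / remaining `#else` chain still produces exactly one definition for every configuration.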
64 | diff --git a/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch b/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch |
65 | new file mode 100644 |
66 | index 0000000..194e249 |
67 | --- /dev/null |
68 | +++ b/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch |
69 | @@ -0,0 +1,33 @@ |
70 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
71 | +Date: Fri, 15 Oct 2021 04:34:23 +1300 |
72 | +Subject: Detect and default-enable OpenSSL 3+ |
73 | + |
74 | +--- |
75 | + configure.ac | 9 ++++++++- |
76 | + 1 file changed, 8 insertions(+), 1 deletion(-) |
77 | + |
78 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
79 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
80 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
81 | +Last-Updated: 2022-02-08 |
82 | + |
83 | +diff --git a/configure.ac b/configure.ac |
84 | +index 4556a9e..14af6be 100644 |
85 | +--- a/configure.ac |
86 | ++++ b/configure.ac |
87 | +@@ -1326,7 +1326,14 @@ case "$with_openssl" in |
88 | + esac |
89 | + ]) |
90 | + AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available]) |
91 | +-## OpenSSL is default disable due to licensing issues on some OS |
92 | ++AS_IF([test "x$with_openssl" != "xno"],[ |
93 | ++ SQUID_STATE_SAVE(squid_openssl3_state) |
94 | ++ CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS" |
95 | ++ LIBS="$LIBS $LIBOPENSSL_PATH" |
96 | ++ PKG_CHECK_MODULES([LIBOPENSSL],[openssl >= 3],[with_openssl="yes"],[:]) |
97 | ++ SQUID_STATE_ROLLBACK(squid_openssl3_state) |
98 | ++]) |
99 | ++## OpenSSL < 3 is default disable due to licensing issues on some OS |
100 | + if test "x$with_openssl" = "xyes"; then |
101 | + AC_CHECK_HEADERS( \ |
102 | + openssl/asn1.h \ |
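Review bot: `CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS"` is assigned before the `PKG_CHECK_MODULES([LIBOPENSSL],...)` call that defines `LIBOPENSSL_CFLAGS`, so on a fresh configure it prepends an empty string; `SQUID_STATE_ROLLBACK` discards it anyway, but the ordering reads as if a probe result were being reused. The larger point is behavioural: after this hunk a build that passes no `--with-openssl` at all enables OpenSSL whenever pkg-config reports `openssl >= 3`, while the rewritten comment says only that OpenSSL < 3 stays off by default for licensing reasons. That default change deserves a line in d/changelog, or a confirmation that d/rules passes `--with-openssl` explicitly so the Ubuntu build is unaffected either way.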
103 | diff --git a/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch b/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch |
104 | new file mode 100644 |
105 | index 0000000..6dec926 |
106 | --- /dev/null |
107 | +++ b/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch |
108 | @@ -0,0 +1,30 @@ |
109 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
110 | +Date: Wed, 6 Oct 2021 22:39:49 +1300 |
111 | +Subject: Fix EVP_PKEY_get0_RSA is deprecated |
112 | + |
113 | +--- |
114 | + src/ssl/gadgets.cc | 6 +++++- |
115 | + 1 file changed, 5 insertions(+), 1 deletion(-) |
116 | + |
117 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
118 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
119 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
120 | +Last-Updated: 2022-02-08 |
121 | + |
122 | +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc |
123 | +index 102615f..70e0a61 100644 |
124 | +--- a/src/ssl/gadgets.cc |
125 | ++++ b/src/ssl/gadgets.cc |
126 | +@@ -369,7 +369,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic |
127 | + // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are |
128 | + // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types. |
129 | + const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get())); |
130 | +- const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr; |
131 | ++#if OPENSSL_VERSION_MAJOR < 3 |
132 | ++ const auto rsaPkey = bool(EVP_PKEY_get0_RSA(certKey.get())); |
133 | ++#else |
134 | ++ const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA"); |
135 | ++#endif |
136 | + |
137 | + int added = 0; |
138 | + int nid; |
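Review bot: the two branches give `rsaPkey` different types: `bool(EVP_PKEY_get0_RSA(...))` is a `bool`, while `EVP_PKEY_is_a(certKey.get(), "RSA")` returns `int`; wrapping the 3.0 call in `bool()` as well keeps the `auto` variable identical in both builds. Note also that `EVP_PKEY_is_a(..., "RSA")` matches the key type by name, so a certificate carrying an RSA-PSS key (a separate key type name in OpenSSL 3) is no longer treated as RSA on 3.0; if mimicking extensions for such certificates matters, check `"RSA-PSS"` too.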
139 | diff --git a/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch b/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch |
140 | new file mode 100644 |
141 | index 0000000..99bf54d |
142 | --- /dev/null |
143 | +++ b/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch |
144 | @@ -0,0 +1,140 @@ |
145 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
146 | +Date: Wed, 6 Oct 2021 21:12:25 +1300 |
147 | +Subject: Initial DH conversion to EVP_PKEY |
148 | + |
149 | +3.0 build does not yet complete due to ENGINE and BIGNUM deprecation issues. |
150 | + |
151 | +This conversion relies on OSSL_*() functions added in 3.0. So the |
152 | +old DH loading code is left unchanged. |
153 | +--- |
154 | + configure.ac | 1 + |
155 | + src/security/ServerOptions.cc | 30 +++++++++++++++++++++++++++--- |
156 | + src/security/forward.h | 24 +++++++++++++++--------- |
157 | + 3 files changed, 43 insertions(+), 12 deletions(-) |
158 | + |
159 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
160 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
161 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
162 | +Last-Updated: 2022-02-08 |
163 | + |
164 | +diff --git a/configure.ac b/configure.ac |
165 | +index f64e4b3..4556a9e 100644 |
166 | +--- a/configure.ac |
167 | ++++ b/configure.ac |
168 | +@@ -1333,6 +1333,7 @@ if test "x$with_openssl" = "xyes"; then |
169 | + openssl/bio.h \ |
170 | + openssl/bn.h \ |
171 | + openssl/crypto.h \ |
172 | ++ openssl/decoder.h \ |
173 | + openssl/dh.h \ |
174 | + openssl/err.h \ |
175 | + openssl/evp.h \ |
176 | +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc |
177 | +index 74044fe..096d5da 100644 |
178 | +--- a/src/security/ServerOptions.cc |
179 | ++++ b/src/security/ServerOptions.cc |
180 | +@@ -19,6 +19,9 @@ |
181 | + #include "compat/openssl.h" |
182 | + #include "ssl/support.h" |
183 | + |
184 | ++#if HAVE_OPENSSL_DECODER_H |
185 | ++#include <openssl/decoder.h> |
186 | ++#endif |
187 | + #if HAVE_OPENSSL_ERR_H |
188 | + #include <openssl/err.h> |
189 | + #endif |
190 | +@@ -353,6 +356,7 @@ Security::ServerOptions::loadDhParams() |
191 | + return; |
192 | + |
193 | + #if USE_OPENSSL |
194 | ++#if OPENSSL_VERSION_MAJOR < 3 |
195 | + DH *dhp = nullptr; |
196 | + if (FILE *in = fopen(dhParamsFile.c_str(), "r")) { |
197 | + dhp = PEM_read_DHparams(in, NULL, NULL, NULL); |
198 | +@@ -364,7 +368,6 @@ Security::ServerOptions::loadDhParams() |
199 | + return; |
200 | + } |
201 | + |
202 | +-#if OPENSSL_VERSION_MAJOR < 3 |
203 | + // DH_check() removed in OpenSSL 3.0. |
204 | + // TODO: use the EVP API instead, which also works in OpenSSL 1.1. |
205 | + // But it is not yet clear exactly how that API works for DH. |
206 | +@@ -376,10 +379,31 @@ Security::ServerOptions::loadDhParams() |
207 | + dhp = nullptr; |
208 | + } |
209 | + } |
210 | +-#endif |
211 | +- |
212 | + parsedDhParams.resetWithoutLocking(dhp); |
213 | ++ |
214 | ++#else // OpenSSL 3.0+ |
215 | ++ EVP_PKEY *pkey = nullptr; |
216 | ++ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { |
217 | ++ if (auto *in = fopen(dhParamsFile.c_str(), "r")) { |
218 | ++ if (OSSL_DECODER_from_fp(dctx, in) == 1) { |
219 | ++ |
220 | ++ /* pkey is created with the decoded data from the bio */ |
221 | ++ Must(pkey); |
222 | ++ parsedDhParams.resetWithoutLocking(pkey); |
223 | ++ |
224 | ++ } else { |
225 | ++ debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode DH parameters '" << dhParamsFile << "'"); |
226 | ++ } |
227 | ++ fclose(in); |
228 | ++ } |
229 | ++ OSSL_DECODER_CTX_free(dctx); |
230 | ++ |
231 | ++ } else { |
232 | ++ debugs(83, DBG_IMPORTANT, "WARNING: no suitable potential decoders found for DH parameters"); |
233 | ++ return; |
234 | ++ } |
235 | + #endif |
236 | ++#endif // USE_OPENSSL |
237 | + } |
238 | + |
239 | + bool |
240 | +diff --git a/src/security/forward.h b/src/security/forward.h |
241 | +index 7a5dfcc..51a8d47 100644 |
242 | +--- a/src/security/forward.h |
243 | ++++ b/src/security/forward.h |
244 | +@@ -93,9 +93,24 @@ typedef std::list<Security::CertPointer> CertList; |
245 | + typedef std::list<Security::CrlPointer> CertRevokeList; |
246 | + |
247 | + #if USE_OPENSSL |
248 | ++CtoCpp1(EVP_PKEY_free, EVP_PKEY *) |
249 | ++typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer; |
250 | ++#elif USE_GNUTLS |
251 | ++typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer; |
252 | ++#else |
253 | ++typedef std::shared_ptr<void> PrivateKeyPointer; |
254 | ++#endif |
255 | ++ |
256 | ++#if USE_OPENSSL |
257 | ++#if OPENSSL_VERSION_MAJOR < 3 |
258 | + CtoCpp1(DH_free, DH *); |
259 | + typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer; |
260 | + #else |
261 | ++typedef PrivateKeyPointer DhePointer; |
262 | ++#endif |
263 | ++#elif USE_GNUTLS |
264 | ++typedef void *DhePointer; |
265 | ++#else |
266 | + typedef void *DhePointer; |
267 | + #endif |
268 | + |
269 | +@@ -174,15 +189,6 @@ typedef long ParsedPortFlags; |
270 | + class PeerConnector; |
271 | + class PeerOptions; |
272 | + |
273 | +-#if USE_OPENSSL |
274 | +-CtoCpp1(EVP_PKEY_free, EVP_PKEY *) |
275 | +-typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer; |
276 | +-#elif USE_GNUTLS |
277 | +-typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer; |
278 | +-#else |
279 | +-typedef std::shared_ptr<void> PrivateKeyPointer; |
280 | +-#endif |
281 | +- |
282 | + class ServerOptions; |
283 | + |
284 | + class ErrorDetail; |
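Review bot: the OpenSSL 3 branch of `loadDhParams()` decodes the parameters but never validates them, whereas the pre-3.0 branch still runs `DH_check()` (visible as context in this hunk); `EVP_PKEY_param_check()` on an `EVP_PKEY_CTX` built from `pkey` restores that check and also exists on 1.1.1, which is what the retained TODO comment asks for. Two smaller points in the same block: when `fopen()` fails nothing is logged and the function returns with `parsedDhParams` untouched, unlike the decoder-failure path which emits a WARNING; and `OSSL_KEYMGMT_SELECT_ALL` asks the decoder for key material as well as parameters, while `OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS` states what a DH params file actually contains. In forward.h, `DhePointer` becomes an alias of `PrivateKeyPointer` on 3.0, so any caller that handed the old `DH *` to `SSL_CTX_set_tmp_dh()` must move to the `EVP_PKEY` variant; that change is not in this hunk, so confirm it lands elsewhere in the series (the `#elif USE_GNUTLS` / `#else` arms both typedef `void *DhePointer` and could be collapsed).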
285 | diff --git a/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch b/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch |
286 | new file mode 100644 |
287 | index 0000000..65216ec |
288 | --- /dev/null |
289 | +++ b/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch |
290 | @@ -0,0 +1,108 @@ |
291 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
292 | +Date: Thu, 23 Jul 2020 21:02:36 +1200 |
293 | +Subject: Refactor Ssl::createSslPrivateKey() |
294 | + |
295 | +* Use the OpenSSL 1.1+ EVP API for generating RSA keys. |
296 | + |
297 | +* Make static since this is only used by the gadgets.cc code. |
298 | +--- |
299 | + src/ssl/gadgets.cc | 41 +++++++++++++++++------------------------ |
300 | + src/ssl/gadgets.h | 8 +------- |
301 | + 2 files changed, 18 insertions(+), 31 deletions(-) |
302 | + |
303 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
304 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
305 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
306 | +Last-Updated: 2022-02-08 |
307 | + |
308 | +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc |
309 | +index 596f258..112df22 100644 |
310 | +--- a/src/ssl/gadgets.cc |
311 | ++++ b/src/ssl/gadgets.cc |
312 | +@@ -9,35 +9,28 @@ |
313 | + #include "squid.h" |
314 | + #include "ssl/gadgets.h" |
315 | + |
316 | +-EVP_PKEY * Ssl::createSslPrivateKey() |
317 | ++static EVP_PKEY * |
318 | ++CreateRsaPrivateKey() |
319 | + { |
320 | +- Security::PrivateKeyPointer pkey(EVP_PKEY_new()); |
321 | +- |
322 | +- if (!pkey) |
323 | +- return NULL; |
324 | +- |
325 | +- BIGNUM_Pointer bn(BN_new()); |
326 | +- if (!bn) |
327 | +- return NULL; |
328 | +- |
329 | +- if (!BN_set_word(bn.get(), RSA_F4)) |
330 | +- return NULL; |
331 | +- |
332 | +- Ssl::RSA_Pointer rsa(RSA_new()); |
333 | ++ Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr)); |
334 | + if (!rsa) |
335 | +- return NULL; |
336 | ++ return nullptr; |
337 | + |
338 | +- int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? |
339 | +- if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL)) |
340 | +- return NULL; |
341 | ++ if (EVP_PKEY_keygen_init(rsa.get()) <= 0) |
342 | ++ return nullptr; |
343 | + |
344 | +- if (!rsa) |
345 | +- return NULL; |
346 | ++ int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? |
347 | ++ if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0) |
348 | ++ return nullptr; |
349 | + |
350 | +- if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get()))) |
351 | +- return NULL; |
352 | ++ /* Generate key */ |
353 | ++ Security::PrivateKeyPointer pkey(EVP_PKEY_new()); |
354 | ++ if (pkey) { |
355 | ++ auto *foo = pkey.get(); |
356 | ++ if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0) |
357 | ++ return nullptr; |
358 | ++ } |
359 | + |
360 | +- rsa.release(); |
361 | + return pkey.release(); |
362 | + } |
363 | + |
364 | +@@ -553,7 +546,7 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu |
365 | + if (properties.signWithPkey.get()) |
366 | + pkey.resetAndLock(properties.signWithPkey.get()); |
367 | + else // if not exist generate one |
368 | +- pkey.resetWithoutLocking(Ssl::createSslPrivateKey()); |
369 | ++ pkey.resetWithoutLocking(CreateRsaPrivateKey()); |
370 | + |
371 | + if (!pkey) |
372 | + return false; |
373 | +diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h |
374 | +index c486727..8d7d4cf 100644 |
375 | +--- a/src/ssl/gadgets.h |
376 | ++++ b/src/ssl/gadgets.h |
377 | +@@ -57,7 +57,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi |
378 | + |
379 | + typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer; |
380 | + |
381 | +-typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer; |
382 | ++typedef std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>> EVP_PKEY_CTX_Pointer; |
383 | + |
384 | + typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer; |
385 | + |
386 | +@@ -71,12 +71,6 @@ typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME |
387 | + typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free>> X509_EXTENSION_Pointer; |
388 | + |
389 | + typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer; |
390 | +-/** |
391 | +- \ingroup SslCrtdSslAPI |
392 | +- * Create 1024 bits rsa key. |
393 | +- */ |
394 | +-EVP_PKEY * createSslPrivateKey(); |
395 | +- |
396 | + /** |
397 | + \ingroup SslCrtdSslAPI |
398 | + * Write private key and SSL certificate to memory. |
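Review bot: the keygen call reuses an already-allocated key: `auto *foo = pkey.get();` followed by `EVP_PKEY_keygen(rsa.get(), &foo)`. If `EVP_PKEY_keygen()` allocates a fresh `EVP_PKEY` and stores it in `foo` instead of filling the passed object, the generated key leaks and `pkey` is returned holding the empty `EVP_PKEY_new()` object. Starting from `EVP_PKEY *raw = nullptr`, letting keygen allocate, and then wrapping `raw` in `Security::PrivateKeyPointer` removes the ambiguity; the later "Tweak RSA key generator" patch in this series describes exactly that change, so the two could be squashed if strict 1:1 mapping to upstream commits is not required. Naming nit: `rsa` now holds an `EVP_PKEY_CTX`, not a key. The gadgets.h hunk replaces the `RSA_Pointer` typedef with `EVP_PKEY_CTX_Pointer`, so grep for remaining `RSA_Pointer` users before applying.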
399 | diff --git a/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch b/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch |
400 | new file mode 100644 |
401 | index 0000000..333be84 |
402 | --- /dev/null |
403 | +++ b/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch |
404 | @@ -0,0 +1,27 @@ |
405 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
406 | +Date: Fri, 15 Oct 2021 04:49:46 +1300 |
407 | +Subject: Remove stale TODO and comment |
408 | + |
409 | +--- |
410 | + src/security/ServerOptions.cc | 3 --- |
411 | + 1 file changed, 3 deletions(-) |
412 | + |
413 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
414 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
415 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
416 | +Last-Updated: 2022-02-08 |
417 | + |
418 | +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc |
419 | +index e7d5c1e..bbea21d 100644 |
420 | +--- a/src/security/ServerOptions.cc |
421 | ++++ b/src/security/ServerOptions.cc |
422 | +@@ -368,9 +368,6 @@ Security::ServerOptions::loadDhParams() |
423 | + return; |
424 | + } |
425 | + |
426 | +- // DH_check() removed in OpenSSL 3.0. |
427 | +- // TODO: use the EVP API instead, which also works in OpenSSL 1.1. |
428 | +- // But it is not yet clear exactly how that API works for DH. |
429 | + int codes; |
430 | + if (DH_check(dhp, &codes) == 0) { |
431 | + if (codes) { |
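Review bot: the three comment lines removed here are the ones added by `openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch` further down, and `openssl3-Initial-DH-conversion-to-EVP_PKEY.patch` carries them as unchanged context, so d/p/series (not shown in this excerpt) must order them TODO, Initial-DH-conversion, then this patch for the quilt stack to apply cleanly. Since the files deliberately mirror the upstream PR commits, a short comment in series or the changelog about the ordering is preferable to squashing them.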
432 | diff --git a/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch b/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch |
433 | new file mode 100644 |
434 | index 0000000..3d98500 |
435 | --- /dev/null |
436 | +++ b/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch |
437 | @@ -0,0 +1,181 @@ |
438 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
439 | +Date: Sun, 10 Oct 2021 02:35:10 +1300 |
440 | +Subject: SSL_OP_* macro definitions changed in 3.0 |
441 | + |
442 | +--- |
443 | + src/security/PeerOptions.cc | 50 ++++++++++++++++++++++----------------------- |
444 | + 1 file changed, 25 insertions(+), 25 deletions(-) |
445 | + |
446 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
447 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
448 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
449 | +Last-Updated: 2022-02-08 |
450 | + |
451 | +diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc |
452 | +index cf1d4ba..634ee02 100644 |
453 | +--- a/src/security/PeerOptions.cc |
454 | ++++ b/src/security/PeerOptions.cc |
455 | +@@ -297,130 +297,130 @@ static struct ssl_option { |
456 | + |
457 | + } ssl_options[] = { |
458 | + |
459 | +-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
460 | ++#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) |
461 | + { |
462 | + "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
463 | + }, |
464 | + #endif |
465 | +-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
466 | ++#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) |
467 | + { |
468 | + "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
469 | + }, |
470 | + #endif |
471 | +-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
472 | ++#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) |
473 | + { |
474 | + "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
475 | + }, |
476 | + #endif |
477 | +-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
478 | ++#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) |
479 | + { |
480 | + "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
481 | + }, |
482 | + #endif |
483 | +-#if SSL_OP_TLS_D5_BUG |
484 | ++#if defined(SSL_OP_TLS_D5_BUG) |
485 | + { |
486 | + "TLS_D5_BUG", SSL_OP_TLS_D5_BUG |
487 | + }, |
488 | + #endif |
489 | +-#if SSL_OP_TLS_BLOCK_PADDING_BUG |
490 | ++#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) |
491 | + { |
492 | + "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG |
493 | + }, |
494 | + #endif |
495 | +-#if SSL_OP_TLS_ROLLBACK_BUG |
496 | ++#if defined(SSL_OP_TLS_ROLLBACK_BUG) |
497 | + { |
498 | + "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG |
499 | + }, |
500 | + #endif |
501 | +-#if SSL_OP_ALL |
502 | ++#if defined(SSL_OP_ALL) |
503 | + { |
504 | + "ALL", (long)SSL_OP_ALL |
505 | + }, |
506 | + #endif |
507 | +-#if SSL_OP_SINGLE_DH_USE |
508 | ++#if defined(SSL_OP_SINGLE_DH_USE) |
509 | + { |
510 | + "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE |
511 | + }, |
512 | + #endif |
513 | +-#if SSL_OP_EPHEMERAL_RSA |
514 | ++#if defined(SSL_OP_EPHEMERAL_RSA) |
515 | + { |
516 | + "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA |
517 | + }, |
518 | + #endif |
519 | +-#if SSL_OP_PKCS1_CHECK_1 |
520 | ++#if defined(SSL_OP_PKCS1_CHECK_1) |
521 | + { |
522 | + "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 |
523 | + }, |
524 | + #endif |
525 | +-#if SSL_OP_PKCS1_CHECK_2 |
526 | ++#if defined(SSL_OP_PKCS1_CHECK_2) |
527 | + { |
528 | + "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 |
529 | + }, |
530 | + #endif |
531 | +-#if SSL_OP_NETSCAPE_CA_DN_BUG |
532 | ++#if defined(SSL_OP_NETSCAPE_CA_DN_BUG) |
533 | + { |
534 | + "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG |
535 | + }, |
536 | + #endif |
537 | +-#if SSL_OP_NON_EXPORT_FIRST |
538 | ++#if defined(SSL_OP_NON_EXPORT_FIRST) |
539 | + { |
540 | + "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST |
541 | + }, |
542 | + #endif |
543 | +-#if SSL_OP_CIPHER_SERVER_PREFERENCE |
544 | ++#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE) |
545 | + { |
546 | + "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE |
547 | + }, |
548 | + #endif |
549 | +-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
550 | ++#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) |
551 | + { |
552 | + "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
553 | + }, |
554 | + #endif |
555 | +-#if SSL_OP_NO_SSLv3 |
556 | ++#if defined(SSL_OP_NO_SSLv3) |
557 | + { |
558 | + "NO_SSLv3", SSL_OP_NO_SSLv3 |
559 | + }, |
560 | + #endif |
561 | +-#if SSL_OP_NO_TLSv1 |
562 | ++#if defined(SSL_OP_NO_TLSv1) |
563 | + { |
564 | + "NO_TLSv1", SSL_OP_NO_TLSv1 |
565 | + }, |
566 | + #else |
567 | + { "NO_TLSv1", 0 }, |
568 | + #endif |
569 | +-#if SSL_OP_NO_TLSv1_1 |
570 | ++#if defined(SSL_OP_NO_TLSv1_1) |
571 | + { |
572 | + "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 |
573 | + }, |
574 | + #else |
575 | + { "NO_TLSv1_1", 0 }, |
576 | + #endif |
577 | +-#if SSL_OP_NO_TLSv1_2 |
578 | ++#if defined(SSL_OP_NO_TLSv1_2) |
579 | + { |
580 | + "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 |
581 | + }, |
582 | + #else |
583 | + { "NO_TLSv1_2", 0 }, |
584 | + #endif |
585 | +-#if SSL_OP_NO_TLSv1_3 |
586 | ++#if defined(SSL_OP_NO_TLSv1_3) |
587 | + { |
588 | + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 |
589 | + }, |
590 | + #else |
591 | + { "NO_TLSv1_3", 0 }, |
592 | + #endif |
593 | +-#if SSL_OP_NO_COMPRESSION |
594 | ++#if defined(SSL_OP_NO_COMPRESSION) |
595 | + { |
596 | + "No_Compression", SSL_OP_NO_COMPRESSION |
597 | + }, |
598 | + #endif |
599 | +-#if SSL_OP_NO_TICKET |
600 | ++#if defined(SSL_OP_NO_TICKET) |
601 | + { |
602 | + "NO_TICKET", SSL_OP_NO_TICKET |
603 | + }, |
604 | + #endif |
605 | +-#if SSL_OP_SINGLE_ECDH_USE |
606 | ++#if defined(SSL_OP_SINGLE_ECDH_USE) |
607 | + { |
608 | + "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE |
609 | + }, |
610 | +@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() |
611 | + |
612 | + } |
613 | + |
614 | +-#if SSL_OP_NO_SSLv2 |
615 | ++#if defined(SSL_OP_NO_SSLv2) |
616 | + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 |
617 | + op = op | SSL_OP_NO_SSLv2; |
618 | + #endif |
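Review bot: switching from `#if SSL_OP_X` to `#if defined(SSL_OP_X)` changes which entries land in `ssl_options[]`: several of these macros survive in OpenSSL 1.1+ only as `0x0` compatibility definitions, and the old `#if` excluded them precisely because they evaluated to zero. With `defined()` they become accepted option names that set no bit, so a configuration naming e.g. `TLS_ROLLBACK_BUG` is silently accepted instead of rejected; either skip zero-valued entries at parse time with a warning, or document that those names are no-ops on current OpenSSL (the `NO_TLSv1*` entries already handle this explicitly with their `#else { "NO_TLSv1", 0 }` arms). The `(long)SSL_OP_ALL` cast is also worth a second look, since OpenSSL 3 defines the `SSL_OP_*` values as `uint64_t`.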
619 | diff --git a/debian/patches/openssl3-Switch-to-BN_rand.patch b/debian/patches/openssl3-Switch-to-BN_rand.patch |
620 | new file mode 100644 |
621 | index 0000000..dec2590 |
622 | --- /dev/null |
623 | +++ b/debian/patches/openssl3-Switch-to-BN_rand.patch |
624 | @@ -0,0 +1,69 @@ |
625 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
626 | +Date: Wed, 6 Oct 2021 21:55:38 +1300 |
627 | +Subject: Switch to BN_rand() |
628 | + |
629 | +BN_pseudo_rand() has been identical since libssl 1.1.0 and is removed in libssl 3.0 |
630 | +--- |
631 | + src/cf.data.pre | 2 ++ |
632 | + src/ssl/gadgets.cc | 2 +- |
633 | + src/ssl/support.cc | 5 ++--- |
634 | + 3 files changed, 5 insertions(+), 4 deletions(-) |
635 | + |
636 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
637 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
638 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
639 | +Last-Updated: 2022-02-08 |
640 | + |
641 | +diff --git a/src/cf.data.pre b/src/cf.data.pre |
642 | +index 6692b1f..ff66b72 100644 |
643 | +--- a/src/cf.data.pre |
644 | ++++ b/src/cf.data.pre |
645 | +@@ -3050,6 +3050,8 @@ DEFAULT: none |
646 | + DOC_START |
647 | + The OpenSSL engine to use. You will need to set this if you |
648 | + would like to use hardware SSL acceleration for example. |
649 | ++ |
650 | ++ Note: OpenSSL 3.0 and newer do not provide Engine support. |
651 | + DOC_END |
652 | + |
653 | + NAME: sslproxy_session_ttl |
654 | +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc |
655 | +index 70e0a61..fb606d7 100644 |
656 | +--- a/src/ssl/gadgets.cc |
657 | ++++ b/src/ssl/gadgets.cc |
658 | +@@ -46,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial) |
659 | + if (!bn) |
660 | + return false; |
661 | + |
662 | +- if (!BN_pseudo_rand(bn.get(), 64, 0, 0)) |
663 | ++ if (!BN_rand(bn.get(), 64, 0, 0)) |
664 | + return false; |
665 | + } |
666 | + |
667 | +diff --git a/src/ssl/support.cc b/src/ssl/support.cc |
668 | +index 73912ce..6bb99a7 100644 |
669 | +--- a/src/ssl/support.cc |
670 | ++++ b/src/ssl/support.cc |
671 | +@@ -658,8 +658,8 @@ Ssl::Initialize(void) |
672 | + |
673 | + SQUID_OPENSSL_init_ssl(); |
674 | + |
675 | +-#if !defined(OPENSSL_NO_ENGINE) |
676 | + if (::Config.SSL.ssl_engine) { |
677 | ++#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_MAJOR < 3 |
678 | + ENGINE_load_builtin_engines(); |
679 | + ENGINE *e; |
680 | + if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine))) |
681 | +@@ -669,11 +669,10 @@ Ssl::Initialize(void) |
682 | + const auto ssl_error = ERR_get_error(); |
683 | + fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error)); |
684 | + } |
685 | +- } |
686 | + #else |
687 | +- if (::Config.SSL.ssl_engine) |
688 | + fatalf("Your OpenSSL has no SSL engine support\n"); |
689 | + #endif |
690 | ++ } |
691 | + |
692 | + const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE; |
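Review bot: moving `#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_MAJOR < 3` inside the `if (::Config.SSL.ssl_engine)` block means a squid.conf that names an engine now reaches `fatalf("Your OpenSSL has no SSL engine support\n")` on OpenSSL 3 and Squid refuses to start after the upgrade. That is a defensible choice, but the message should say that engines are not used with OpenSSL 3 builds (matching the new cf.data.pre note, which would more precisely say "deprecated" than "do not provide"), and the package should carry a NEWS entry for it. The `BN_pseudo_rand()` to `BN_rand()` change is behaviour-neutral as the header states, and `BN_rand(bn.get(), 64, 0, 0)` keeps the same top-bit and bottom-bit arguments as before.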
693 | + Ssl::DefaultSignHash = EVP_get_digestbyname(defName); |
694 | diff --git a/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch b/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch |
695 | new file mode 100644 |
696 | index 0000000..0590baa |
697 | --- /dev/null |
698 | +++ b/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch |
699 | @@ -0,0 +1,36 @@ |
700 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
701 | +Date: Thu, 23 Jul 2020 18:08:15 +1200 |
702 | +Subject: TODO Upgrade API calls verifying loaded DH params file |
703 | + |
704 | +--- |
705 | + src/security/ServerOptions.cc | 5 +++++ |
706 | + 1 file changed, 5 insertions(+) |
707 | + |
708 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
709 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
710 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
711 | +Last-Updated: 2022-02-08 |
712 | + |
713 | +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc |
714 | +index 3d154ad..74044fe 100644 |
715 | +--- a/src/security/ServerOptions.cc |
716 | ++++ b/src/security/ServerOptions.cc |
717 | +@@ -364,6 +364,10 @@ Security::ServerOptions::loadDhParams() |
718 | + return; |
719 | + } |
720 | + |
721 | ++#if OPENSSL_VERSION_MAJOR < 3 |
722 | ++ // DH_check() removed in OpenSSL 3.0. |
723 | ++ // TODO: use the EVP API instead, which also works in OpenSSL 1.1. |
724 | ++ // But it is not yet clear exactly how that API works for DH. |
725 | + int codes; |
726 | + if (DH_check(dhp, &codes) == 0) { |
727 | + if (codes) { |
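Review bot: the new comment is inaccurate and the change drops a safety check on 3.0: `DH_check()` is deprecated in OpenSSL 3.0, not removed, so the `+#if OPENSSL_VERSION_MAJOR < 3` guard means that on 3.x the loaded DH parameters are no longer validated at all and a malformed or weak parameters file is accepted until handshakes fail. The EVP equivalent, `EVP_PKEY_param_check()` on an `EVP_PKEY_CTX`, exists since 1.1.1 and works in 3.0, which would resolve the TODO rather than defer it; at minimum the comment should say "deprecated" and the patch description (currently empty below the `Subject:` line) should state that validation is skipped on 3.x.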
728 | +@@ -372,6 +376,7 @@ Security::ServerOptions::loadDhParams() |
729 | + dhp = nullptr; |
730 | + } |
731 | + } |
732 | ++#endif |
733 | + |
734 | + parsedDhParams.resetWithoutLocking(dhp); |
735 | + #endif |
736 | diff --git a/debian/patches/openssl3-Tweak-RSA-key-generator.patch b/debian/patches/openssl3-Tweak-RSA-key-generator.patch |
737 | new file mode 100644 |
738 | index 0000000..0bf83cb |
739 | --- /dev/null |
740 | +++ b/debian/patches/openssl3-Tweak-RSA-key-generator.patch |
741 | @@ -0,0 +1,37 @@ |
742 | +From: Amos Jeffries <squid3@treenet.co.nz> |
743 | +Date: Tue, 10 Nov 2020 12:01:28 +1300 |
744 | +Subject: Tweak RSA key generator |
745 | + |
746 | +... rely on EVP_PKEY_keygen() allocating the key memory. |
747 | +--- |
748 | + src/ssl/gadgets.cc | 11 ++++------- |
749 | + 1 file changed, 4 insertions(+), 7 deletions(-) |
750 | + |
751 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
752 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
753 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
754 | +Last-Updated: 2022-02-08 |
755 | + |
756 | +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc |
757 | +index 112df22..102615f 100644 |
758 | +--- a/src/ssl/gadgets.cc |
759 | ++++ b/src/ssl/gadgets.cc |
760 | +@@ -24,14 +24,11 @@ CreateRsaPrivateKey() |
761 | + return nullptr; |
762 | + |
763 | + /* Generate key */ |
764 | +- Security::PrivateKeyPointer pkey(EVP_PKEY_new()); |
765 | +- if (pkey) { |
766 | +- auto *foo = pkey.get(); |
767 | +- if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0) |
768 | +- return nullptr; |
769 | +- } |
770 | ++ EVP_PKEY *pkey = nullptr; |
771 | ++ if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0) |
772 | ++ return nullptr; |
773 | + |
774 | +- return pkey.release(); |
775 | ++ return pkey; |
776 | + } |
777 | + |
778 | + /** |
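Review bot: ownership is now conveyed by a raw `EVP_PKEY *` at `++ return pkey;`, which is correct for `EVP_PKEY_keygen()` allocating into a null `pkey` (nothing leaks on the early `return nullptr`), but every caller has to remember to wrap it; returning `Security::PrivateKeyPointer` directly would keep the ownership transfer explicit and match the pointer type the removed lines used. Also worth confirming that `openssl3-Refactor-Ssl-createSslPrivateKey.patch`, earlier in this series, updates the callers to the new return type.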
779 | diff --git a/debian/patches/openssl3-Update-ECDH-key-settings.patch b/debian/patches/openssl3-Update-ECDH-key-settings.patch |
780 | new file mode 100644 |
781 | index 0000000..0132a70 |
782 | --- /dev/null |
783 | +++ b/debian/patches/openssl3-Update-ECDH-key-settings.patch |
784 | @@ -0,0 +1,73 @@ |
785 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
786 | +Date: Mon, 11 Oct 2021 06:01:10 +1300 |
787 | +Subject: Update ECDH key settings |
788 | + |
789 | +--- |
790 | + src/security/ServerOptions.cc | 19 +++++++++++++++++-- |
791 | + 1 file changed, 17 insertions(+), 2 deletions(-) |
792 | + |
793 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
794 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
795 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
796 | +Last-Updated: 2022-02-08 |
797 | + |
798 | +diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc |
799 | +index 096d5da..e7d5c1e 100644 |
800 | +--- a/src/security/ServerOptions.cc |
801 | ++++ b/src/security/ServerOptions.cc |
802 | +@@ -383,7 +383,12 @@ Security::ServerOptions::loadDhParams() |
803 | + |
804 | + #else // OpenSSL 3.0+ |
805 | + EVP_PKEY *pkey = nullptr; |
806 | +- if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { |
807 | ++ const char *type = "DH"; |
808 | ++ if (!eecdhCurve.isEmpty()) |
809 | ++ type = "EC"; |
810 | ++ // XXX: use the eecdhCurve name when generating the EVP_KEY object. or at least verify it matches the loaded params. |
811 | ++ |
812 | ++ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, type, OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { |
813 | + if (auto *in = fopen(dhParamsFile.c_str(), "r")) { |
814 | + if (OSSL_DECODER_from_fp(dctx, in) == 1) { |
815 | + |
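Review bot: logic problem at the new `type` selection: the decoder key type is chosen from whether `eecdhCurve` is set, not from what the file contains, so if Squid's `tls-dh=[curve:]file` syntax lets a configuration name a curve and also supply a DH parameters file, that file is decoded as "EC" and fails to parse, which the `// XXX:` comment only half acknowledges. `OSSL_DECODER_CTX_new_for_pkey()` accepts a null keytype to match any key type, after which `EVP_PKEY_is_a(pkey, "DH")` or `EVP_PKEY_is_a(pkey, "EC")` can verify the decoded type against the configuration and report a clear error on mismatch; that would also address the XXX.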
816 | +@@ -480,6 +485,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
817 | + debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << "."); |
818 | + |
819 | + #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH) |
820 | ++ |
821 | ++ // OpenSSL 3.0+ generates the key in loadDhParams() |
822 | ++#if OPENSSL_VERSION_MAJOR < 3 |
823 | + int nid = OBJ_sn2nid(eecdhCurve.c_str()); |
824 | + if (!nid) { |
825 | + debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'"); |
826 | +@@ -487,6 +495,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
827 | + } |
828 | + |
829 | + auto ecdh = EC_KEY_new_by_curve_name(nid); |
830 | ++#else |
831 | ++ auto ecdh = parsedDhParams.get(); |
832 | ++#endif |
833 | + if (!ecdh) { |
834 | + const auto x = ERR_get_error(); |
835 | + debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x)); |
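Review bot: `ecdh` has a different type in the two branches (an `EC_KEY *` from `EC_KEY_new_by_curve_name(nid)` below 3.0 versus whatever `parsedDhParams.get()` yields on 3.0), so the set call that follows outside this hunk must accept both or be split the same way; the hunk does not show it, so please confirm the 3.0 build compiles. Also confirm that `parsedDhParams` is guaranteed to hold an EC key at this point: the `loadDhParams()` change only decodes a file, it does not generate a key for a curve-only setting, despite the `// OpenSSL 3.0+ generates the key in loadDhParams()` comment added in the previous hunk.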
836 | +@@ -497,7 +508,11 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
837 | + const auto x = ERR_get_error(); |
838 | + debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x)); |
839 | + } |
840 | ++#if OPENSSL_VERSION_MAJOR < 3 |
841 | + EC_KEY_free(ecdh); |
842 | ++#else |
843 | ++ return; |
844 | ++#endif |
845 | + |
846 | + #else |
847 | + debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." << |
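Review bot: the new `++ return;` under the `#else` of `OPENSSL_VERSION_MAJOR < 3` leaves the function before the DH-parameter block at its end, so on 3.0 the ECDH and DH paths become mutually exclusive: whenever `eecdhCurve` is set, `parsedDhParams` is used as the EC key and never installed as DH parameters. That matches the decoder change earlier in this patch, but the invariant is implicit; a one-line comment at the `return` stating it would save the next reader from wondering why the DH block is skipped.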
848 | +@@ -505,8 +520,8 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
849 | + #endif |
850 | + } |
851 | + |
852 | +- // set DH parameters into the server context |
853 | + #if USE_OPENSSL |
854 | ++ // set DH parameters into the server context |
855 | + if (parsedDhParams) { |
856 | + SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get()); |
857 | + } |
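Review bot: the unchanged `SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());` context line still expects a `DH *`, while the OpenSSL 3 branch of `loadDhParams()` in this patch stores an `EVP_PKEY *` in `parsedDhParams`; unless `openssl3-Initial-DH-conversion-to-EVP_PKEY.patch` already switches this call, the 3.0 build either fails here or passes the wrong type. The 3.0 API is `SSL_CTX_set0_tmp_dh_pkey()`, which takes ownership of the key, so it needs an `EVP_PKEY_up_ref()` (or `EVP_PKEY_dup()`) beforehand because `parsedDhParams` keeps its own reference.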
858 | diff --git a/debian/patches/openssl3-Update-license-disclaimer.patch b/debian/patches/openssl3-Update-license-disclaimer.patch |
859 | new file mode 100644 |
860 | index 0000000..7ed08e7 |
861 | --- /dev/null |
862 | +++ b/debian/patches/openssl3-Update-license-disclaimer.patch |
863 | @@ -0,0 +1,28 @@ |
864 | +From: Amos Jeffries <amosjeffries@squid-cache.org> |
865 | +Date: Thu, 23 Jul 2020 17:38:26 +1200 |
866 | +Subject: Update license disclaimer |
867 | + |
868 | +OpenSSL 3.0 uses Apache License v2 which removes the SSLeay distribution restrictions. |
869 | +--- |
870 | + src/main.cc | 2 ++ |
871 | + 1 file changed, 2 insertions(+) |
872 | + |
873 | +Forwarded: yes, https://github.com/squid-cache/squid/pull/694 |
874 | +Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133 |
875 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205 |
876 | +Last-Updated: 2022-02-08 |
877 | + |
878 | +diff --git a/src/main.cc b/src/main.cc |
879 | +index 4b3988e..48e4777 100644 |
880 | +--- a/src/main.cc |
881 | ++++ b/src/main.cc |
882 | +@@ -678,7 +678,9 @@ mainHandleCommandLineOption(const int optId, const char *optValue) |
883 | + printf("%s\n",SQUID_BUILD_INFO); |
884 | + #if USE_OPENSSL |
885 | + printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); |
886 | ++#if OPENSSL_VERSION_MAJOR < 3 |
887 | + printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); |
888 | ++#endif |
889 | + #endif |
890 | + printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); |
891 | + |
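Review bot: output formatting regression at the new `++#if OPENSSL_VERSION_MAJOR < 3` guard: the `"\n\n"` that terminated the "This binary uses %s. " sentence lived in the now-guarded line, so on OpenSSL 3 the version output runs "This binary uses OpenSSL 3.x ... configure options: ..." together on one line. Suggest moving the newlines out of the guarded string, for example an `#else` branch with `printf("\n\n");`, or ending the preceding `printf` with the newlines and dropping them from the license line.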
892 | diff --git a/debian/patches/series b/debian/patches/series |
893 | index 9ff46c0..6d13126 100644 |
894 | --- a/debian/patches/series |
895 | +++ b/debian/patches/series |
896 | @@ -7,3 +7,15 @@ |
897 | 99-ubuntu-ssl-cert-snakeoil.patch |
898 | fix-max-pkt-sz-for-icmpEchoData-padding.patch |
899 | workaround-gcc11-wstringop-overread-bug.patch |
900 | +openssl3-Update-license-disclaimer.patch |
901 | +openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch |
902 | +openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch |
903 | +openssl3-Refactor-Ssl-createSslPrivateKey.patch |
904 | +openssl3-Tweak-RSA-key-generator.patch |
905 | +openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch |
906 | +openssl3-Initial-DH-conversion-to-EVP_PKEY.patch |
907 | +openssl3-Switch-to-BN_rand.patch |
908 | +openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch |
909 | +openssl3-Update-ECDH-key-settings.patch |
910 | +openssl3-Detect-and-default-enable-OpenSSL-3.patch |
911 | +openssl3-Remove-stale-TODO-and-comment.patch |
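Review bot: documentation point for the new series entries: every added patch header carries `Forwarded: yes, https://github.com/squid-cache/squid/pull/694`, which points at a PR that is still changing, so a DEP-3 `Origin:` line with the specific upstream commit for each patch would let future maintainers tell which PR revision was backported. Also double-check that the order here matches the upstream commit order, since `openssl3-Update-ECDH-key-settings.patch` edits the `#else // OpenSSL 3.0+` block introduced by `openssl3-Initial-DH-conversion-to-EVP_PKEY.patch` and must stay after it.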
I'll look at this one