Merge ~sergiodj/ubuntu/+source/squid:openssl3-test2 into ubuntu/+source/squid:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Merged
Merged at revision: 819f9438ef366292a90afe3f0c3b562fb010ac95
Proposed branch: ~sergiodj/ubuntu/+source/squid:openssl3-test2
Merge into: ubuntu/+source/squid:ubuntu/devel
Diff against target: 911 lines (+823/-0)
14 files modified
debian/changelog (+19/-0)
debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch (+30/-0)
debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch (+33/-0)
debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch (+30/-0)
debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch (+140/-0)
debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch (+108/-0)
debian/patches/openssl3-Remove-stale-TODO-and-comment.patch (+27/-0)
debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch (+181/-0)
debian/patches/openssl3-Switch-to-BN_rand.patch (+69/-0)
debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch (+36/-0)
debian/patches/openssl3-Tweak-RSA-key-generator.patch (+37/-0)
debian/patches/openssl3-Update-ECDH-key-settings.patch (+73/-0)
debian/patches/openssl3-Update-license-disclaimer.patch (+28/-0)
debian/patches/series (+12/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
Review via email: mp+415283@code.launchpad.net

Description of the change

This MP fixes the current FTBFS affecting squid when it builds against OpenSSL 3.0.

As I've been mentioning during our standup calls, upstream has been reviewing its PR for quite a while now. You can find the PR here:

https://github.com/squid-cache/squid/pull/694

This is where I got all the patches from. Although the PR is still being reviewed, and despite some unaddressed comments in it, I feel reasonably confident that we can go ahead and backport everything right now. I am subscribed to the PR and will monitor future changes to it (or to any other PRs that might be created as a result of this one), and if needed I intend to backport whatever new changes are proposed.

I built the package locally and ran its autopkgtests, both successfully:

autopkgtest [18:28:58]: @@@@@@@@@@@@@@@@@@@@ summary
upstream-test-suite PASS
squid PASS

I'm also building the package in a bileto PPA here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4778/+packages

Once everything is built, I will trigger autopkgtest runs for all supported architectures just to be sure. But again, I'm not expecting major problems with this change.

Andreas Hasenack (ahasenack) wrote :

I'll look at this one

Andreas Hasenack (ahasenack) wrote :

+1

Patches match the PR commits.

I did a quick reverse-ssl-proxy test, to be sure it at least can load a certificate and handle a simple SSL connection, and it worked just fine.

Best indeed to keep an eye on that PR and adjust the patches if they change.

Thanks!

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

On Thursday, February 10 2022, Andreas Hasenack wrote:

> +1
>
> Patches match the PR commits.
>
> I did a quick reverse-ssl-proxy test, to be sure it at least can load a certificate and handle a simple SSL connection, and it worked just fine.
>
> Best indeed to keep an eye on that PR and adjust the patches if they change.

Thanks for the review, Andreas.

Uploaded:

$ dput squid_5.2-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/squid/squid_5.2-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/squid/squid_5.2-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading squid_5.2-1ubuntu3.dsc: done.
  Uploading squid_5.2-1ubuntu3.debian.tar.xz: done.
  Uploading squid_5.2-1ubuntu3_source.buildinfo: done.
  Uploading squid_5.2-1ubuntu3_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index a01557c..e321cb3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
1squid (5.2-1ubuntu3) jammy; urgency=medium
2
3 * Fix FTBFS with OpenSSL 3.0 (LP: #1946205). The following new
4 patches have been added:
5 - d/p/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch.
6 - d/p/openssl3-Detect-and-default-enable-OpenSSL-3.patch.
7 - d/p/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch.
8 - d/p/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch.
9 - d/p/openssl3-Refactor-Ssl-createSslPrivateKey.patch.
10 - d/p/openssl3-Remove-stale-TODO-and-comment.patch.
11 - d/p/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch.
12 - d/p/openssl3-Switch-to-BN_rand.patch.
13 - d/p/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch.
14 - d/p/openssl3-Tweak-RSA-key-generator.patch.
15 - d/p/openssl3-Update-ECDH-key-settings.patch.
16 - d/p/openssl3-Update-license-disclaimer.patch.
17
18 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 08 Feb 2022 17:15:20 -0500
19
1squid (5.2-1ubuntu2) jammy; urgency=medium20squid (5.2-1ubuntu2) jammy; urgency=medium
221
3 * No-change rebuild against libssl322 * No-change rebuild against libssl3
diff --git a/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch b/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch
4new file mode 10064423new file mode 100644
index 0000000..eea0236
--- /dev/null
+++ b/debian/patches/openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch
@@ -0,0 +1,30 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Thu, 23 Jul 2020 18:51:20 +1200
3Subject: Declaration of CRYPTO_EX_dup changed again in 3.0
4
5---
6 src/ssl/support.cc | 6 +++++-
7 1 file changed, 5 insertions(+), 1 deletion(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/ssl/support.cc b/src/ssl/support.cc
15index 3ad135d..73912ce 100644
16--- a/src/ssl/support.cc
17+++ b/src/ssl/support.cc
18@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
19 }
20
21 // "dup" function for SSL_get_ex_new_index("cert_err_check")
22-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
23+#if OPENSSL_VERSION_MAJOR >= 3
24+static int
25+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
26+ int, long, void *)
27+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
28 static int
29 ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
30 int, long, void *)
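Review bot: The new first branch for ssl_dupAclChecklist() in src/ssl/support.cc keys on `OPENSSL_VERSION_MAJOR >= 3`, while the branch it displaces uses the configure-detected `SQUID_USE_CONST_CRYPTO_EX_DATA_DUP`, so the `void **` signature is selected by a version test and never probed the way the older variants are. OPENSSL_VERSION_MAJOR is only defined by OpenSSL 3.0 and later headers, so on 1.1.x this `#if` relies on the preprocessor treating an undefined name as 0, which trips `-Wundef`. Consider `#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3`, or a configure check alongside the existing one.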
diff --git a/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch b/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch
0new file mode 10064431new file mode 100644
index 0000000..194e249
--- /dev/null
+++ b/debian/patches/openssl3-Detect-and-default-enable-OpenSSL-3.patch
@@ -0,0 +1,33 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Fri, 15 Oct 2021 04:34:23 +1300
3Subject: Detect and default-enable OpenSSL 3+
4
5---
6 configure.ac | 9 ++++++++-
7 1 file changed, 8 insertions(+), 1 deletion(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/configure.ac b/configure.ac
15index 4556a9e..14af6be 100644
16--- a/configure.ac
17+++ b/configure.ac
18@@ -1326,7 +1326,14 @@ case "$with_openssl" in
19 esac
20 ])
21 AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available])
22-## OpenSSL is default disable due to licensing issues on some OS
23+AS_IF([test "x$with_openssl" != "xno"],[
24+ SQUID_STATE_SAVE(squid_openssl3_state)
25+ CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS"
26+ LIBS="$LIBS $LIBOPENSSL_PATH"
27+ PKG_CHECK_MODULES([LIBOPENSSL],[openssl >= 3],[with_openssl="yes"],[:])
28+ SQUID_STATE_ROLLBACK(squid_openssl3_state)
29+])
30+## OpenSSL < 3 is default disable due to licensing issues on some OS
31 if test "x$with_openssl" = "xyes"; then
32 AC_CHECK_HEADERS( \
33 openssl/asn1.h \
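Review bot: In the added AS_IF block in configure.ac, the `CPPFLAGS=` and `LIBS=` assignments between SQUID_STATE_SAVE and SQUID_STATE_ROLLBACK do not feed PKG_CHECK_MODULES, which only queries pkg-config, so they look like dead code; either drop them or add the compile/link test they were meant to support. The check runs for every value of with_openssl other than `no` and sets `with_openssl="yes"` on success, so a build that never asked for OpenSSL now enables it whenever openssl >= 3 is installed. The updated comment only mentions licensing; the default change deserves a line in the release notes and in the `--with-openssl` help text.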
diff --git a/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch b/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch
0new file mode 10064434new file mode 100644
index 0000000..6dec926
--- /dev/null
+++ b/debian/patches/openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch
@@ -0,0 +1,30 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Wed, 6 Oct 2021 22:39:49 +1300
3Subject: Fix EVP_PKEY_get0_RSA is deprecated
4
5---
6 src/ssl/gadgets.cc | 6 +++++-
7 1 file changed, 5 insertions(+), 1 deletion(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
15index 102615f..70e0a61 100644
16--- a/src/ssl/gadgets.cc
17+++ b/src/ssl/gadgets.cc
18@@ -369,7 +369,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic
19 // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are
20 // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.
21 const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));
22- const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;
23+#if OPENSSL_VERSION_MAJOR < 3
24+ const auto rsaPkey = bool(EVP_PKEY_get0_RSA(certKey.get()));
25+#else
26+ const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA");
27+#endif
28
29 int added = 0;
30 int nid;
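Review bot: `rsaPkey` gets a different type in each branch of the new `#if` in mimicExtensions(): `bool(EVP_PKEY_get0_RSA(...))` yields bool, while EVP_PKEY_is_a() returns int, so `const auto` deduces int on OpenSSL 3. Make the 3.0 branch explicit, for example `const bool rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA") == 1;`, so later uses behave the same on both builds. certKey comes from X509_get_pubkey(), which can return null, and neither branch checks it before the call; a guard ahead of the `#if` would cover both.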
diff --git a/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch b/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch
0new file mode 10064431new file mode 100644
index 0000000..99bf54d
--- /dev/null
+++ b/debian/patches/openssl3-Initial-DH-conversion-to-EVP_PKEY.patch
@@ -0,0 +1,140 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Wed, 6 Oct 2021 21:12:25 +1300
3Subject: Initial DH conversion to EVP_PKEY
4
53.0 build does not yet complete due to ENGINE and BIGNUM deprecation issues.
6
7This conversion relies on OSSL_*() functions added in 3.0. So the
8old DH loading code is left unchanged.
9---
10 configure.ac | 1 +
11 src/security/ServerOptions.cc | 30 +++++++++++++++++++++++++++---
12 src/security/forward.h | 24 +++++++++++++++---------
13 3 files changed, 43 insertions(+), 12 deletions(-)
14
15Forwarded: yes, https://github.com/squid-cache/squid/pull/694
16Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
17Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
18Last-Updated: 2022-02-08
19
20diff --git a/configure.ac b/configure.ac
21index f64e4b3..4556a9e 100644
22--- a/configure.ac
23+++ b/configure.ac
24@@ -1333,6 +1333,7 @@ if test "x$with_openssl" = "xyes"; then
25 openssl/bio.h \
26 openssl/bn.h \
27 openssl/crypto.h \
28+ openssl/decoder.h \
29 openssl/dh.h \
30 openssl/err.h \
31 openssl/evp.h \
32diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
33index 74044fe..096d5da 100644
34--- a/src/security/ServerOptions.cc
35+++ b/src/security/ServerOptions.cc
36@@ -19,6 +19,9 @@
37 #include "compat/openssl.h"
38 #include "ssl/support.h"
39
40+#if HAVE_OPENSSL_DECODER_H
41+#include <openssl/decoder.h>
42+#endif
43 #if HAVE_OPENSSL_ERR_H
44 #include <openssl/err.h>
45 #endif
46@@ -353,6 +356,7 @@ Security::ServerOptions::loadDhParams()
47 return;
48
49 #if USE_OPENSSL
50+#if OPENSSL_VERSION_MAJOR < 3
51 DH *dhp = nullptr;
52 if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
53 dhp = PEM_read_DHparams(in, NULL, NULL, NULL);
54@@ -364,7 +368,6 @@ Security::ServerOptions::loadDhParams()
55 return;
56 }
57
58-#if OPENSSL_VERSION_MAJOR < 3
59 // DH_check() removed in OpenSSL 3.0.
60 // TODO: use the EVP API instead, which also works in OpenSSL 1.1.
61 // But it is not yet clear exactly how that API works for DH.
62@@ -376,10 +379,31 @@ Security::ServerOptions::loadDhParams()
63 dhp = nullptr;
64 }
65 }
66-#endif
67-
68 parsedDhParams.resetWithoutLocking(dhp);
69+
70+#else // OpenSSL 3.0+
71+ EVP_PKEY *pkey = nullptr;
72+ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
73+ if (auto *in = fopen(dhParamsFile.c_str(), "r")) {
74+ if (OSSL_DECODER_from_fp(dctx, in) == 1) {
75+
76+ /* pkey is created with the decoded data from the bio */
77+ Must(pkey);
78+ parsedDhParams.resetWithoutLocking(pkey);
79+
80+ } else {
81+ debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode DH parameters '" << dhParamsFile << "'");
82+ }
83+ fclose(in);
84+ }
85+ OSSL_DECODER_CTX_free(dctx);
86+
87+ } else {
88+ debugs(83, DBG_IMPORTANT, "WARNING: no suitable potential decoders found for DH parameters");
89+ return;
90+ }
91 #endif
92+#endif // USE_OPENSSL
93 }
94
95 bool
96diff --git a/src/security/forward.h b/src/security/forward.h
97index 7a5dfcc..51a8d47 100644
98--- a/src/security/forward.h
99+++ b/src/security/forward.h
100@@ -93,9 +93,24 @@ typedef std::list<Security::CertPointer> CertList;
101 typedef std::list<Security::CrlPointer> CertRevokeList;
102
103 #if USE_OPENSSL
104+CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
105+typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
106+#elif USE_GNUTLS
107+typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
108+#else
109+typedef std::shared_ptr<void> PrivateKeyPointer;
110+#endif
111+
112+#if USE_OPENSSL
113+#if OPENSSL_VERSION_MAJOR < 3
114 CtoCpp1(DH_free, DH *);
115 typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
116 #else
117+typedef PrivateKeyPointer DhePointer;
118+#endif
119+#elif USE_GNUTLS
120+typedef void *DhePointer;
121+#else
122 typedef void *DhePointer;
123 #endif
124
125@@ -174,15 +189,6 @@ typedef long ParsedPortFlags;
126 class PeerConnector;
127 class PeerOptions;
128
129-#if USE_OPENSSL
130-CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
131-typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
132-#elif USE_GNUTLS
133-typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
134-#else
135-typedef std::shared_ptr<void> PrivateKeyPointer;
136-#endif
137-
138 class ServerOptions;
139
140 class ErrorDetail;
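Review bot: The OpenSSL 3 branch of Security::ServerOptions::loadDhParams() stores whatever OSSL_DECODER_from_fp() produces without validating it, whereas the pre-3 branch keeps its DH_check() block and nulls `dhp` on failure. Add an equivalent check, such as EVP_PKEY_param_check() on a context created from the decoded key, before `parsedDhParams.resetWithoutLocking(pkey)`. In the same branch a failed fopen() is silent, so a mistyped dhParamsFile path yields no DH parameters and no log line; log it the way the decode failure is logged. `Must(pkey)` sits between fopen() and fclose(), so if it throws, `in` and `dctx` are not released; move the assertion after the cleanup or hold both in scoped owners.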
diff --git a/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch b/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch
0new file mode 100644141new file mode 100644
index 0000000..65216ec
--- /dev/null
+++ b/debian/patches/openssl3-Refactor-Ssl-createSslPrivateKey.patch
@@ -0,0 +1,108 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Thu, 23 Jul 2020 21:02:36 +1200
3Subject: Refactor Ssl::createSslPrivateKey()
4
5* Use the OpenSSL 1.1+ EVP API for generating RSA keys.
6
7* Make static since this is only used by the gadgets.cc code.
8---
9 src/ssl/gadgets.cc | 41 +++++++++++++++++------------------------
10 src/ssl/gadgets.h | 8 +-------
11 2 files changed, 18 insertions(+), 31 deletions(-)
12
13Forwarded: yes, https://github.com/squid-cache/squid/pull/694
14Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
16Last-Updated: 2022-02-08
17
18diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
19index 596f258..112df22 100644
20--- a/src/ssl/gadgets.cc
21+++ b/src/ssl/gadgets.cc
22@@ -9,35 +9,28 @@
23 #include "squid.h"
24 #include "ssl/gadgets.h"
25
26-EVP_PKEY * Ssl::createSslPrivateKey()
27+static EVP_PKEY *
28+CreateRsaPrivateKey()
29 {
30- Security::PrivateKeyPointer pkey(EVP_PKEY_new());
31-
32- if (!pkey)
33- return NULL;
34-
35- BIGNUM_Pointer bn(BN_new());
36- if (!bn)
37- return NULL;
38-
39- if (!BN_set_word(bn.get(), RSA_F4))
40- return NULL;
41-
42- Ssl::RSA_Pointer rsa(RSA_new());
43+ Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr));
44 if (!rsa)
45- return NULL;
46+ return nullptr;
47
48- int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
49- if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL))
50- return NULL;
51+ if (EVP_PKEY_keygen_init(rsa.get()) <= 0)
52+ return nullptr;
53
54- if (!rsa)
55- return NULL;
56+ int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
57+ if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0)
58+ return nullptr;
59
60- if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get())))
61- return NULL;
62+ /* Generate key */
63+ Security::PrivateKeyPointer pkey(EVP_PKEY_new());
64+ if (pkey) {
65+ auto *foo = pkey.get();
66+ if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0)
67+ return nullptr;
68+ }
69
70- rsa.release();
71 return pkey.release();
72 }
73
74@@ -553,7 +546,7 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
75 if (properties.signWithPkey.get())
76 pkey.resetAndLock(properties.signWithPkey.get());
77 else // if not exist generate one
78- pkey.resetWithoutLocking(Ssl::createSslPrivateKey());
79+ pkey.resetWithoutLocking(CreateRsaPrivateKey());
80
81 if (!pkey)
82 return false;
83diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
84index c486727..8d7d4cf 100644
85--- a/src/ssl/gadgets.h
86+++ b/src/ssl/gadgets.h
87@@ -57,7 +57,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi
88
89 typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer;
90
91-typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer;
92+typedef std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>> EVP_PKEY_CTX_Pointer;
93
94 typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer;
95
96@@ -71,12 +71,6 @@ typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME
97 typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free>> X509_EXTENSION_Pointer;
98
99 typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer;
100-/**
101- \ingroup SslCrtdSslAPI
102- * Create 1024 bits rsa key.
103- */
104-EVP_PKEY * createSslPrivateKey();
105-
106 /**
107 \ingroup SslCrtdSslAPI
108 * Write private key and SSL certificate to memory.
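Review bot: In CreateRsaPrivateKey(), the key object is pre-allocated with EVP_PKEY_new() and handed to EVP_PKEY_keygen() through a raw alias named `foo`, and when the allocation fails the `if (pkey)` block is skipped so the function returns null without attempting key generation or logging why. Let EVP_PKEY_keygen() allocate into a null `EVP_PKEY *` and take ownership afterwards; the later Tweak-RSA-key-generator patch in this series does exactly that, so folding the two would keep this intermediate state out of the series. The context variable is still called `rsa` although it is now an EVP_PKEY_CTX, and the function lost its doc comment when the declaration left gadgets.h (the removed one said 1024 bits while the code uses 2048); a short comment on the static function stating the key size would help.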
diff --git a/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch b/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch
0new file mode 100644109new file mode 100644
index 0000000..333be84
--- /dev/null
+++ b/debian/patches/openssl3-Remove-stale-TODO-and-comment.patch
@@ -0,0 +1,27 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Fri, 15 Oct 2021 04:49:46 +1300
3Subject: Remove stale TODO and comment
4
5---
6 src/security/ServerOptions.cc | 3 ---
7 1 file changed, 3 deletions(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
15index e7d5c1e..bbea21d 100644
16--- a/src/security/ServerOptions.cc
17+++ b/src/security/ServerOptions.cc
18@@ -368,9 +368,6 @@ Security::ServerOptions::loadDhParams()
19 return;
20 }
21
22- // DH_check() removed in OpenSSL 3.0.
23- // TODO: use the EVP API instead, which also works in OpenSSL 1.1.
24- // But it is not yet clear exactly how that API works for DH.
25 int codes;
26 if (DH_check(dhp, &codes) == 0) {
27 if (codes) {
diff --git a/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch b/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch
0new file mode 10064428new file mode 100644
index 0000000..3d98500
--- /dev/null
+++ b/debian/patches/openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch
@@ -0,0 +1,181 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Sun, 10 Oct 2021 02:35:10 +1300
3Subject: SSL_OP_* macro definitions changed in 3.0
4
5---
6 src/security/PeerOptions.cc | 50 ++++++++++++++++++++++-----------------------
7 1 file changed, 25 insertions(+), 25 deletions(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
15index cf1d4ba..634ee02 100644
16--- a/src/security/PeerOptions.cc
17+++ b/src/security/PeerOptions.cc
18@@ -297,130 +297,130 @@ static struct ssl_option {
19
20 } ssl_options[] = {
21
22-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
23+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
24 {
25 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
26 },
27 #endif
28-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
29+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
30 {
31 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
32 },
33 #endif
34-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
35+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
36 {
37 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
38 },
39 #endif
40-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
41+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
42 {
43 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
44 },
45 #endif
46-#if SSL_OP_TLS_D5_BUG
47+#if defined(SSL_OP_TLS_D5_BUG)
48 {
49 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
50 },
51 #endif
52-#if SSL_OP_TLS_BLOCK_PADDING_BUG
53+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
54 {
55 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
56 },
57 #endif
58-#if SSL_OP_TLS_ROLLBACK_BUG
59+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
60 {
61 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
62 },
63 #endif
64-#if SSL_OP_ALL
65+#if defined(SSL_OP_ALL)
66 {
67 "ALL", (long)SSL_OP_ALL
68 },
69 #endif
70-#if SSL_OP_SINGLE_DH_USE
71+#if defined(SSL_OP_SINGLE_DH_USE)
72 {
73 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
74 },
75 #endif
76-#if SSL_OP_EPHEMERAL_RSA
77+#if defined(SSL_OP_EPHEMERAL_RSA)
78 {
79 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
80 },
81 #endif
82-#if SSL_OP_PKCS1_CHECK_1
83+#if defined(SSL_OP_PKCS1_CHECK_1)
84 {
85 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
86 },
87 #endif
88-#if SSL_OP_PKCS1_CHECK_2
89+#if defined(SSL_OP_PKCS1_CHECK_2)
90 {
91 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
92 },
93 #endif
94-#if SSL_OP_NETSCAPE_CA_DN_BUG
95+#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
96 {
97 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
98 },
99 #endif
100-#if SSL_OP_NON_EXPORT_FIRST
101+#if defined(SSL_OP_NON_EXPORT_FIRST)
102 {
103 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
104 },
105 #endif
106-#if SSL_OP_CIPHER_SERVER_PREFERENCE
107+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
108 {
109 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
110 },
111 #endif
112-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
113+#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
114 {
115 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
116 },
117 #endif
118-#if SSL_OP_NO_SSLv3
119+#if defined(SSL_OP_NO_SSLv3)
120 {
121 "NO_SSLv3", SSL_OP_NO_SSLv3
122 },
123 #endif
124-#if SSL_OP_NO_TLSv1
125+#if defined(SSL_OP_NO_TLSv1)
126 {
127 "NO_TLSv1", SSL_OP_NO_TLSv1
128 },
129 #else
130 { "NO_TLSv1", 0 },
131 #endif
132-#if SSL_OP_NO_TLSv1_1
133+#if defined(SSL_OP_NO_TLSv1_1)
134 {
135 "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
136 },
137 #else
138 { "NO_TLSv1_1", 0 },
139 #endif
140-#if SSL_OP_NO_TLSv1_2
141+#if defined(SSL_OP_NO_TLSv1_2)
142 {
143 "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
144 },
145 #else
146 { "NO_TLSv1_2", 0 },
147 #endif
148-#if SSL_OP_NO_TLSv1_3
149+#if defined(SSL_OP_NO_TLSv1_3)
150 {
151 "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
152 },
153 #else
154 { "NO_TLSv1_3", 0 },
155 #endif
156-#if SSL_OP_NO_COMPRESSION
157+#if defined(SSL_OP_NO_COMPRESSION)
158 {
159 "No_Compression", SSL_OP_NO_COMPRESSION
160 },
161 #endif
162-#if SSL_OP_NO_TICKET
163+#if defined(SSL_OP_NO_TICKET)
164 {
165 "NO_TICKET", SSL_OP_NO_TICKET
166 },
167 #endif
168-#if SSL_OP_SINGLE_ECDH_USE
169+#if defined(SSL_OP_SINGLE_ECDH_USE)
170 {
171 "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
172 },
173@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
174
175 }
176
177-#if SSL_OP_NO_SSLv2
178+#if defined(SSL_OP_NO_SSLv2)
179 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
180 op = op | SSL_OP_NO_SSLv2;
181 #endif
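Review bot: Switching every guard in ssl_options[] from `#if SSL_OP_X` to `#if defined(SSL_OP_X)` changes which entries land in the table: a macro that the headers define as 0 was left out before and is now included with value 0, so that option name is accepted and does nothing. The `#else { "NO_TLSv1", 0 }` fallbacks already behave that way on purpose, but for the legacy bug-workaround names this is a new silent no-op; confirm it is intended, or log a notice in parseOptions() when a zero-valued option is selected. The `(long)SSL_OP_ALL` cast is carried over unchanged; OpenSSL 3 option values are 64-bit, so check that the value field of `struct ssl_option` and the `op` accumulator do not narrow them on platforms where long is 32 bits.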
diff --git a/debian/patches/openssl3-Switch-to-BN_rand.patch b/debian/patches/openssl3-Switch-to-BN_rand.patch
0new file mode 100644182new file mode 100644
index 0000000..dec2590
--- /dev/null
+++ b/debian/patches/openssl3-Switch-to-BN_rand.patch
@@ -0,0 +1,69 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Wed, 6 Oct 2021 21:55:38 +1300
3Subject: Switch to BN_rand()
4
5BN_pseudo_rand() has been identical since libssl 1.1.0 and is removed in libssl 3.0
6---
7 src/cf.data.pre | 2 ++
8 src/ssl/gadgets.cc | 2 +-
9 src/ssl/support.cc | 5 ++---
10 3 files changed, 5 insertions(+), 4 deletions(-)
11
12Forwarded: yes, https://github.com/squid-cache/squid/pull/694
13Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
14Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
15Last-Updated: 2022-02-08
16
17diff --git a/src/cf.data.pre b/src/cf.data.pre
18index 6692b1f..ff66b72 100644
19--- a/src/cf.data.pre
20+++ b/src/cf.data.pre
21@@ -3050,6 +3050,8 @@ DEFAULT: none
22 DOC_START
23 The OpenSSL engine to use. You will need to set this if you
24 would like to use hardware SSL acceleration for example.
25+
26+ Note: OpenSSL 3.0 and newer do not provide Engine support.
27 DOC_END
28
29 NAME: sslproxy_session_ttl
30diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
31index 70e0a61..fb606d7 100644
32--- a/src/ssl/gadgets.cc
33+++ b/src/ssl/gadgets.cc
34@@ -46,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial)
35 if (!bn)
36 return false;
37
38- if (!BN_pseudo_rand(bn.get(), 64, 0, 0))
39+ if (!BN_rand(bn.get(), 64, 0, 0))
40 return false;
41 }
42
43diff --git a/src/ssl/support.cc b/src/ssl/support.cc
44index 73912ce..6bb99a7 100644
45--- a/src/ssl/support.cc
46+++ b/src/ssl/support.cc
47@@ -658,8 +658,8 @@ Ssl::Initialize(void)
48
49 SQUID_OPENSSL_init_ssl();
50
51-#if !defined(OPENSSL_NO_ENGINE)
52 if (::Config.SSL.ssl_engine) {
53+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_MAJOR < 3
54 ENGINE_load_builtin_engines();
55 ENGINE *e;
56 if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))
57@@ -669,11 +669,10 @@ Ssl::Initialize(void)
58 const auto ssl_error = ERR_get_error();
59 fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));
60 }
61- }
62 #else
63- if (::Config.SSL.ssl_engine)
64 fatalf("Your OpenSSL has no SSL engine support\n");
65 #endif
66+ }
67
68 const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
69 Ssl::DefaultSignHash = EVP_get_digestbyname(defName);
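Review bot: After the restructuring in Ssl::Initialize(), any configuration that sets ssl_engine reaches `fatalf("Your OpenSSL has no SSL engine support\n")` on an OpenSSL 3 build, so an existing squid.conf with that directive stops the proxy at startup after the upgrade. This is a behaviour change bundled into a patch titled for BN_rand(); split it out or call it out in debian/changelog and NEWS. The cf.data.pre note says OpenSSL 3.0 and newer do not provide Engine support, but 3.0 deprecates the ENGINE API rather than removing it, so the wording should say that Squid does not use engines when built against OpenSSL 3. The fatal message could also name the ssl_engine directive so the failure is actionable.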
diff --git a/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch b/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch
0new file mode 10064470new file mode 100644
index 0000000..0590baa
--- /dev/null
+++ b/debian/patches/openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch
@@ -0,0 +1,36 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Thu, 23 Jul 2020 18:08:15 +1200
3Subject: TODO Upgrade API calls verifying loaded DH params file
4
5---
6 src/security/ServerOptions.cc | 5 +++++
7 1 file changed, 5 insertions(+)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
15index 3d154ad..74044fe 100644
16--- a/src/security/ServerOptions.cc
17+++ b/src/security/ServerOptions.cc
18@@ -364,6 +364,10 @@ Security::ServerOptions::loadDhParams()
19 return;
20 }
21
22+#if OPENSSL_VERSION_MAJOR < 3
23+ // DH_check() removed in OpenSSL 3.0.
24+ // TODO: use the EVP API instead, which also works in OpenSSL 1.1.
25+ // But it is not yet clear exactly how that API works for DH.
26 int codes;
27 if (DH_check(dhp, &codes) == 0) {
28 if (codes) {
29@@ -372,6 +376,7 @@ Security::ServerOptions::loadDhParams()
30 dhp = nullptr;
31 }
32 }
33+#endif
34
35 parsedDhParams.resetWithoutLocking(dhp);
36 #endif
diff --git a/debian/patches/openssl3-Tweak-RSA-key-generator.patch b/debian/patches/openssl3-Tweak-RSA-key-generator.patch
0new file mode 10064437new file mode 100644
index 0000000..0bf83cb
--- /dev/null
+++ b/debian/patches/openssl3-Tweak-RSA-key-generator.patch
@@ -0,0 +1,37 @@
1From: Amos Jeffries <squid3@treenet.co.nz>
2Date: Tue, 10 Nov 2020 12:01:28 +1300
3Subject: Tweak RSA key generator
4
5... rely on EVP_PKEY_keygen() allocating the key memory.
6---
7 src/ssl/gadgets.cc | 11 ++++-------
8 1 file changed, 4 insertions(+), 7 deletions(-)
9
10Forwarded: yes, https://github.com/squid-cache/squid/pull/694
11Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
12Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
13Last-Updated: 2022-02-08
14
15diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
16index 112df22..102615f 100644
17--- a/src/ssl/gadgets.cc
18+++ b/src/ssl/gadgets.cc
19@@ -24,14 +24,11 @@ CreateRsaPrivateKey()
20 return nullptr;
21
22 /* Generate key */
23- Security::PrivateKeyPointer pkey(EVP_PKEY_new());
24- if (pkey) {
25- auto *foo = pkey.get();
26- if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0)
27- return nullptr;
28- }
29+ EVP_PKEY *pkey = nullptr;
30+ if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0)
31+ return nullptr;
32
33- return pkey.release();
34+ return pkey;
35 }
36
37 /**
diff --git a/debian/patches/openssl3-Update-ECDH-key-settings.patch b/debian/patches/openssl3-Update-ECDH-key-settings.patch
0new file mode 10064438new file mode 100644
index 0000000..0132a70
--- /dev/null
+++ b/debian/patches/openssl3-Update-ECDH-key-settings.patch
@@ -0,0 +1,73 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Mon, 11 Oct 2021 06:01:10 +1300
3Subject: Update ECDH key settings
4
5---
6 src/security/ServerOptions.cc | 19 +++++++++++++++++--
7 1 file changed, 17 insertions(+), 2 deletions(-)
8
9Forwarded: yes, https://github.com/squid-cache/squid/pull/694
10Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
11Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
12Last-Updated: 2022-02-08
13
14diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
15index 096d5da..e7d5c1e 100644
16--- a/src/security/ServerOptions.cc
17+++ b/src/security/ServerOptions.cc
18@@ -383,7 +383,12 @@ Security::ServerOptions::loadDhParams()
19
20 #else // OpenSSL 3.0+
21 EVP_PKEY *pkey = nullptr;
22- if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
23+ const char *type = "DH";
24+ if (!eecdhCurve.isEmpty())
25+ type = "EC";
26+ // XXX: use the eecdhCurve name when generating the EVP_KEY object. or at least verify it matches the loaded params.
27+
28+ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, type, OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
29 if (auto *in = fopen(dhParamsFile.c_str(), "r")) {
30 if (OSSL_DECODER_from_fp(dctx, in) == 1) {
31
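Review bot: In loadDhParams() the decoder type flips to "EC" as soon as eecdhCurve is non-empty, but the input is still dhParamsFile and the curve name itself is never used, which the XXX comment concedes. A configuration that sets a curve name and points dhParamsFile at classic DH parameters is handed to a decoder that only accepts EC, and an EC file whose group differs from eecdhCurve is accepted without complaint. Resolve the XXX by comparing the decoded key's group name (EVP_PKEY_get_group_name() in OpenSSL 3.0) with eecdhCurve and logging a mismatch, and include the requested type in the failure message.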
32@@ -480,6 +485,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
33 debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
34
35 #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
36+
37+ // OpenSSL 3.0+ generates the key in loadDhParams()
38+#if OPENSSL_VERSION_MAJOR < 3
39 int nid = OBJ_sn2nid(eecdhCurve.c_str());
40 if (!nid) {
41 debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");
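Review bot: The #if OPENSSL_VERSION_MAJOR < 3 opened here puts the OBJ_sn2nid() lookup and its "Unknown EECDH curve" error on the pre-3.0 path only, so on 3.0 the debugs() line above still reports "Setting Ephemeral ECDH curve to ..." while the name is never validated. Keep the name check outside the version guard, or add an equivalent check on the 3.0 path, so that a mistyped curve is still reported at configuration time.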
42@@ -487,6 +495,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
43 }
44
45 auto ecdh = EC_KEY_new_by_curve_name(nid);
46+#else
47+ auto ecdh = parsedDhParams.get();
48+#endif
49 if (!ecdh) {
50 const auto x = ERR_get_error();
51 debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x));
52@@ -497,7 +508,11 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
53 const auto x = ERR_get_error();
54 debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x));
55 }
56+#if OPENSSL_VERSION_MAJOR < 3
57 EC_KEY_free(ecdh);
58+#else
59+ return;
60+#endif
61
62 #else
63 debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<
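Review bot: The bare return; in the #else branch makes the rest of updateContextEecdh() unreachable on OpenSSL 3.0 only, including the "set DH parameters into the server context" block further down, and nothing in the hunk says why. Add a comment explaining that parsedDhParams has already been used as the EC key on this path, or restructure with an explicit else so the 3.0 control flow does not hinge on a preprocessor-selected return.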
64@@ -505,8 +520,8 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
65 #endif
66 }
67
68- // set DH parameters into the server context
69 #if USE_OPENSSL
70+ // set DH parameters into the server context
71 if (parsedDhParams) {
72 SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());
73 }
diff --git a/debian/patches/openssl3-Update-license-disclaimer.patch b/debian/patches/openssl3-Update-license-disclaimer.patch
0new file mode 10064474new file mode 100644
index 0000000..7ed08e7
--- /dev/null
+++ b/debian/patches/openssl3-Update-license-disclaimer.patch
@@ -0,0 +1,28 @@
1From: Amos Jeffries <amosjeffries@squid-cache.org>
2Date: Thu, 23 Jul 2020 17:38:26 +1200
3Subject: Update license disclaimer
4
5OpenSSL 3.0 uses Apache License v2 which removes the SSLeay distribution restrictions.
6---
7 src/main.cc | 2 ++
8 1 file changed, 2 insertions(+)
9
10Forwarded: yes, https://github.com/squid-cache/squid/pull/694
11Bug: https://bugs.squid-cache.org/show_bug.cgi?id=5133
12Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1946205
13Last-Updated: 2022-02-08
14
15diff --git a/src/main.cc b/src/main.cc
16index 4b3988e..48e4777 100644
17--- a/src/main.cc
18+++ b/src/main.cc
19@@ -678,7 +678,9 @@ mainHandleCommandLineOption(const int optId, const char *optValue)
20 printf("%s\n",SQUID_BUILD_INFO);
21 #if USE_OPENSSL
22 printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
23+#if OPENSSL_VERSION_MAJOR < 3
24 printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
25+#endif
26 #endif
27 printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
28
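Review bot: On OpenSSL 3.0 the "This binary uses %s. " printf() becomes the last output before "configure options:", and it ends with a space rather than a newline, because the only line breaks came from the disclaimer printf() that the new guard compiles out. The version output will run the two lines together. Move the trailing "\n\n" into an unguarded printf() after the inner #endif so the layout is the same on both paths.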
diff --git a/debian/patches/series b/debian/patches/series
index 9ff46c0..6d13126 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,15 @@
799-ubuntu-ssl-cert-snakeoil.patch799-ubuntu-ssl-cert-snakeoil.patch
8fix-max-pkt-sz-for-icmpEchoData-padding.patch8fix-max-pkt-sz-for-icmpEchoData-padding.patch
9workaround-gcc11-wstringop-overread-bug.patch9workaround-gcc11-wstringop-overread-bug.patch
10openssl3-Update-license-disclaimer.patch
11openssl3-TODO-Upgrade-API-calls-verifying-loaded-DH-params-fi.patch
12openssl3-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch
13openssl3-Refactor-Ssl-createSslPrivateKey.patch
14openssl3-Tweak-RSA-key-generator.patch
15openssl3-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch
16openssl3-Initial-DH-conversion-to-EVP_PKEY.patch
17openssl3-Switch-to-BN_rand.patch
18openssl3-SSL_OP_-macro-definitions-changed-in-3.0.patch
19openssl3-Update-ECDH-key-settings.patch
20openssl3-Detect-and-default-enable-OpenSSL-3.patch
21openssl3-Remove-stale-TODO-and-comment.patch
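Review bot: The twelve openssl3-* entries are appended with nothing marking them as one backport set. Add a # comment line above them naming the upstream pull request (https://github.com/squid-cache/squid/pull/694, as given in each patch's Forwarded field) so they can be identified and dropped together once upstream merges its final version.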
