From 928c365a1b0ca95cdf2fd2305f944c0f65dbdb05 Mon Sep 17 00:00:00 2001
From: Dirk-Willem van Gulik
Date: Sat, 15 Feb 2020 17:01:49 +0100
Subject: [PATCH] redwax-modules: 0.2.1 -> 0.2.2/0.2.3
---
 .../http/apache-modules/mod_ca/default.nix | 8 +--
 .../http/apache-modules/mod_crl/default.nix | 5 +-
 .../http/apache-modules/mod_csr/default.nix | 22 +------
 .../mod_csr/openssl_setter_compat.h | 66 -------------------
 .../http/apache-modules/mod_ocsp/default.nix | 4 +-
 .../apache-modules/mod_pkcs12/default.nix | 4 +-
 .../http/apache-modules/mod_scep/default.nix | 21 +-----
 .../mod_scep/openssl_setter_compat.h | 66 -------------------
 .../http/apache-modules/mod_spkac/default.nix | 4 +-
 .../apache-modules/mod_timestamp/default.nix | 4 +-
 10 files changed, 20 insertions(+), 184 deletions(-)
 delete mode 100644 pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h
 delete mode 100644 pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
diff --git a/pkgs/servers/http/apache-modules/mod_ca/default.nix b/pkgs/servers/http/apache-modules/mod_ca/default.nix
index 37f2a397ae6..c4551108338 100644
--- a/pkgs/servers/http/apache-modules/mod_ca/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_ca/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, fetchurl, pkgconfig, apacheHttpd, openssl, openldap }:
+{ stdenv, fetchurl, pkgconfig, apacheHttpd, openssl, openldap, apr, aprutil }:
 stdenv.mkDerivation rec {
 pname = "mod_ca";
- version = "0.2.1";
+ version = "0.2.2";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "1pxapjrzdsk2s25vhgvf56fkakdqcbn9hjncwmqh0asl1pa25iic";
+ sha256 = "0gs66br3aig749rzifxn6j1rz2kps4hc4jppscly48lypgyygy8s";
 };
 nativeBuildInputs = [ pkgconfig ];
- buildInputs = [ apacheHttpd openssl openldap ];
+ buildInputs = [ apacheHttpd openssl openldap apr aprutil ];
 # Note that configureFlags and installFlags are inherited by
 # the various submodules.
diff --git a/pkgs/servers/http/apache-modules/mod_crl/default.nix b/pkgs/servers/http/apache-modules/mod_crl/default.nix
index 54c0de1c701..ee7dbe3245d 100644
--- a/pkgs/servers/http/apache-modules/mod_crl/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_crl/default.nix
@@ -1,12 +1,13 @@
 { stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
 stdenv.mkDerivation rec {
 pname = "mod_crl";
- version = "0.2.1";
+ version = "0.2.3";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "0k6iqn5a4bqdz3yx6d53f1r75c21jnwhxmmcq071zq0361xjzzj6";
+ sha256 = "1x186kp6fr8nwg0jlv5phagxndvw4rjqfga9mkibmn6dx252p61d";
 };
 nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/servers/http/apache-modules/mod_csr/default.nix b/pkgs/servers/http/apache-modules/mod_csr/default.nix
index 60f97d2f361..6547d3aa2b5 100644
--- a/pkgs/servers/http/apache-modules/mod_csr/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_csr/default.nix
@@ -1,35 +1,19 @@
 { stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
 stdenv.mkDerivation rec {
 pname = "mod_csr";
- version = "0.2.1";
+ version = "0.2.3";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "01sdvv07kchdd6ssrmd2cbhj50qh2ibp5g5h6jy1jqbzp0b3j9ja";
+ sha256 = "1p4jc0q40453wpvwqgnr1n007b4jxpkizzy3r4jygsxxgg4x9w7x";
 };
 nativeBuildInputs = [ pkgconfig ];
 buildInputs = [ mod_ca apr aprutil ];
 inherit (mod_ca) configureFlags installFlags;
- # After openssl-1.0.2t, starting in openssl-1.1.0l
- # parts of the OpenSSL struct API was replaced by
- # getters - but some setters where forgotten.
- #
- # It is expected that these are back/retrofitted in version
- # openssl-1.1.1d -- but while fixing this it was found
- # that there were quite a few other setters missing and
- # that some of the memory management needed was at odds
- # with the principles used sofar.
- #
- # See https://github.com/openssl/openssl/pull/10563
- #
- # So as a stopgap - use a minimalist compat. layer
- # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h
- #
- preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h";
-
 meta = with stdenv.lib; {
 description = "RedWax CA service module to handle Certificate Signing Requests";
diff --git a/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h
deleted file mode 100644
index a2a9e0f7a18..00000000000
--- a/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h
+++ /dev/null
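Review bot: In mod_csr/default.nix the `preBuild` step that copied openssl_setter_compat.h is dropped together with its whole explanatory comment, and neither the derivation nor the commit subject records why 0.2.3 no longer needs it. The header being deleted redeclares OpenSSL's private `struct X509_req_st` under an open-ended `#if OPENSSL_VERSION_NUMBER >= 0x010100000L`, so if the 0.2.3 tarball now carries an equivalent file itself (not visible in this diff), the same layout assumption still applies to whatever openssl the module is built against. I would leave a one-line marker where the block was, e.g. `# openssl_setter_compat.h is no longer copied in here: <reason, e.g. bundled upstream as of 0.2.3>`, and confirm the CSR signing path against the packaged OpenSSL version. The same applies to the identical removal in mod_scep/default.nix. The derivation body continues past the end of the hunk.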
@@ -1,66 +0,0 @@
-/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
- * contributor license agreements. See the AUTHORS file distributed with
- * this work for additional information regarding copyright ownership.
- * TCC licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
-// and the private header files for that. They are needed as
-// starting with OpenSSL 1.1.0 the X509_req structure became
-// private; and got some get0 functions to access its internals.
-// But no getter's until post 1.1.1 (PR#10563). So this is a
-// stopgap for these lacking releases.
-//
-// Testest against:
-// openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
-// openssl-1.1.0l 0x0101000cfL (needs it)
-// openssl-1.1.1d 0x01010104fL (last version that needs it)
-// openssl-1.1.1-dev (should not need it - post PR#10563).
-//
-/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L && OPENSSL_VERSION_NUMBER <= 0x01010104fL */
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-#include "openssl/x509.h"
-
-#define HAS_OPENSSL_PR10563_WORK_AROUND
-
-struct X509_req_info_st {
- ASN1_ENCODING enc;
- ASN1_INTEGER *version;
- X509_NAME *subject;
- X509_PUBKEY *pubkey;
- STACK_OF(X509_ATTRIBUTE) *attributes;
-};
-
-typedef _Atomic int CRYPTO_REF_COUNT;
-
-struct X509_req_st {
- X509_REQ_INFO req_info;
- X509_ALGOR sig_alg;
- ASN1_BIT_STRING *signature; /* signature */
- CRYPTO_REF_COUNT references;
- CRYPTO_RWLOCK *lock;
-# ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING *sm2_id;
-# endif
-};
-
-
-static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
-{
- if (req->sig_alg.algorithm)
- ASN1_OBJECT_free(req->sig_alg.algorithm);
- if (req->sig_alg.parameter)
- ASN1_TYPE_free(req->sig_alg.parameter);
- req->sig_alg = *palg;
-}
-#endif
diff --git a/pkgs/servers/http/apache-modules/mod_ocsp/default.nix b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
index 6730ca16f10..6ec3f246fad 100644
--- a/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
@@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
 pname = "mod_ocsp";
- version = "0.2.1";
+ version = "0.2.2";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "1vwgai56krdf8knb0mgy07ni9mqxk82bcb4gibwpnxvl6qwgv2i0";
+ sha256 = "0wy5363m4gq1w08iny2b3sh925bnznlln88pr9lgj9vgbn8pqnrn";
 };
 nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix
index 2bcf3b1d9c2..1cf68f2a276 100644
--- a/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix
@@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
 pname = "mod_pkcs12";
- version = "0.2.1";
+ version = "0.2.2";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "0by4qfjs3a8q0amzwazfq8ii6ydv36v2mjga0jzc9i6xyl4rs6ai";
+ sha256 = "1jfyax3qrw9rpf2n0pn6iw4dpn2nl4j0i2a998n5p1mdmjx9ch73";
 };
 nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/servers/http/apache-modules/mod_scep/default.nix b/pkgs/servers/http/apache-modules/mod_scep/default.nix
index 98703659c35..1331c6da3e4 100644
--- a/pkgs/servers/http/apache-modules/mod_scep/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_scep/default.nix
@@ -2,34 +2,17 @@
 stdenv.mkDerivation rec {
 pname = "mod_scep";
- version = "0.2.1";
+ version = "0.2.3";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "14l8v6y6kx5dg8avb5ny95qdcgrw40ss80nqrgmw615mk7zcj81f";
+ sha256 = "1imddqyi81l90valvndx9r0ywn32ggijrdfrjmbx8j1abaccagrc";
 };
 nativeBuildInputs = [ pkgconfig ];
 buildInputs = [ mod_ca apr aprutil ];
 inherit (mod_ca) configureFlags installFlags;
- # After openssl-1.0.2t, starting in openssl-1.1.0l
- # parts of the OpenSSL struct API was replaced by
- # getters - but some setters where forgotten.
- #
- # It is expected that these are back/retrofitted in version
- # openssl-1.1.1d -- but while fixing this it was found
- # that there were quite a few other setters missing and
- # that some of the memory management needed was at odds
- # with the principles used sofar.
- #
- # See https://github.com/openssl/openssl/pull/10563
- #
- # So as a stopgap - use a minimalist compat. layer
- # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h
- #
- preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h";
-
 meta = with stdenv.lib; {
 description = "RedWax CA service modules for SCEP (Automatic ceritifcate issue/renewal)";
diff --git a/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
deleted file mode 100644
index a2a9e0f7a18..00000000000
--- a/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
- * contributor license agreements. See the AUTHORS file distributed with
- * this work for additional information regarding copyright ownership.
- * TCC licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
-// and the private header files for that. They are needed as
-// starting with OpenSSL 1.1.0 the X509_req structure became
-// private; and got some get0 functions to access its internals.
-// But no getter's until post 1.1.1 (PR#10563). So this is a
-// stopgap for these lacking releases.
-//
-// Testest against:
-// openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
-// openssl-1.1.0l 0x0101000cfL (needs it)
-// openssl-1.1.1d 0x01010104fL (last version that needs it)
-// openssl-1.1.1-dev (should not need it - post PR#10563).
-//
-/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L && OPENSSL_VERSION_NUMBER <= 0x01010104fL */
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-#include "openssl/x509.h"
-
-#define HAS_OPENSSL_PR10563_WORK_AROUND
-
-struct X509_req_info_st {
- ASN1_ENCODING enc;
- ASN1_INTEGER *version;
- X509_NAME *subject;
- X509_PUBKEY *pubkey;
- STACK_OF(X509_ATTRIBUTE) *attributes;
-};
-
-typedef _Atomic int CRYPTO_REF_COUNT;
-
-struct X509_req_st {
- X509_REQ_INFO req_info;
- X509_ALGOR sig_alg;
- ASN1_BIT_STRING *signature; /* signature */
- CRYPTO_REF_COUNT references;
- CRYPTO_RWLOCK *lock;
-# ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING *sm2_id;
-# endif
-};
-
-
-static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
-{
- if (req->sig_alg.algorithm)
- ASN1_OBJECT_free(req->sig_alg.algorithm);
- if (req->sig_alg.parameter)
- ASN1_TYPE_free(req->sig_alg.parameter);
- req->sig_alg = *palg;
-}
-#endif
diff --git a/pkgs/servers/http/apache-modules/mod_spkac/default.nix b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
index 72e0d521e3b..00f054f755e 100644
--- a/pkgs/servers/http/apache-modules/mod_spkac/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
@@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
 pname = "mod_spkac";
- version = "0.2.1";
+ version = "0.2.2";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "0x6ia9qcr7lx2awpv9cr4ndic5f4g8yqzmp2hz66zpzkmk2b2pyz";
+ sha256 = "0hpr58yazbi21m0sjn22a8ns4h81s4jlab9szcdw7j9w9jdc7j0h";
 };
 nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/servers/http/apache-modules/mod_timestamp/default.nix b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix
index 139da289078..9cd2a822b09 100644
--- a/pkgs/servers/http/apache-modules/mod_timestamp/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix
@@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
 pname = "mod_timestamp";
- version = "0.2.1";
+ version = "0.2.2";
 src = fetchurl {
 url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
- sha256 = "0j4b04dbdwn9aff3da9m0lnqi0qbw6c6hhi81skl15kyc3vzp67f";
+ sha256 = "1p18mgxx2ainfrc2wm27rl3lh6yl0ihx6snib60jnp694587bfwg";
 };
 nativeBuildInputs = [ pkgconfig ];