From 6f3d7c211dbff3de06e097a281bde15b045485a4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 13 Apr 2026 07:36:14 +0000 Subject: [PATCH 01/28] Updated dependency 'php' from version 8.5.4 to 8.5.6 --- deps-packaging/php/cfbuild-php.spec | 2 +- deps-packaging/php/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/php/cfbuild-php.spec b/deps-packaging/php/cfbuild-php.spec index f9e4806ad..3dba916b2 100644 --- a/deps-packaging/php/cfbuild-php.spec +++ b/deps-packaging/php/cfbuild-php.spec @@ -1,4 +1,4 @@ -%define php_version 8.5.4 +%define php_version 8.5.6 Summary: CFEngine Build Automation -- php Name: cfbuild-php diff --git a/deps-packaging/php/distfiles b/deps-packaging/php/distfiles index 162142d29..718f64fcb 100644 --- a/deps-packaging/php/distfiles +++ b/deps-packaging/php/distfiles @@ -1 +1 @@ -4fef7f44eff3c18e329504cb0d3eb30b41cf54e2db05cb4ebe8b78fc37d38ce1 php-8.5.4.tar.gz +169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd php-8.5.6.tar.gz From dba74b2bc1c190b8b86ed7cc806b8f178b8c82c9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 20 Apr 2026 07:37:17 +0000 Subject: [PATCH 02/28] Updated dependency 'openssl' from version 3.6.1 to 4.0.0 (cherry picked from commit a422f99cd25a6b9803fe73fc6b77df20183b6b85) --- deps-packaging/openssl/cfbuild-openssl.spec | 2 +- deps-packaging/openssl/distfiles | 2 +- deps-packaging/openssl/source | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index 6efacc0c9..d74ec8446 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -1,4 +1,4 @@ -%define openssl_version 3.6.1 +%define openssl_version 4.0.0 Summary: CFEngine Build Automation -- openssl Name: cfbuild-openssl diff --git a/deps-packaging/openssl/distfiles b/deps-packaging/openssl/distfiles index 51bfdf889..460505ce9 100644 
--- a/deps-packaging/openssl/distfiles
+++ b/deps-packaging/openssl/distfiles
@@ -1 +1 @@
-b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e openssl-3.6.1.tar.gz
+c32cf49a959c4f345f9606982dd36e7d28f7c58b19c2e25d75624d2b3d2f79ac openssl-4.0.0.tar.gz
diff --git a/deps-packaging/openssl/source b/deps-packaging/openssl/source
index eab874077..0c863cbb7 100644
--- a/deps-packaging/openssl/source
+++ b/deps-packaging/openssl/source
@@ -1 +1 @@
-https://github.com/openssl/openssl/releases/download/openssl-3.6.1/
+https://github.com/openssl/openssl/releases/download/openssl-4.0.0/
From 8886e21df6f2666c6eaabee597d47fd63774d5d2 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Thu, 16 Apr 2026 08:20:02 -0500
Subject: [PATCH 03/28] fix: remove openssl patch for mingw that was applied to 3.6.2
The patch was applied to 3.6.2 at https://github.com/openssl/openssl/commit/a7b47bda72465ece33a70382d8da08a47e3b64aa
Ticket: none
Changelog: none
(cherry picked from commit b9e64ff99d88cffe89a11541e4f780f931829058)
---
 ...ne-SIO_UDP_NETRESET-for-MinGW-builds.patch | 42 -------------------
 deps-packaging/openssl/mingw/debian/rules | 1 -
 2 files changed, 43 deletions(-)
 delete mode 100644 deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch
diff --git a/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch b/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch
deleted file mode 100644
index 18a8f94a7..000000000
--- a/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch
+++ /dev/null
@@ -1,42 +0,0 @@ -From 40d8060c0e8af7c7d3f0d70a7e2d3bf96a15fc10 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alexander=20Hansen=20F=C3=A6r=C3=B8y?= -Date: Wed, 28 Jan 2026 17:55:02 +0100 -Subject: [PATCH 001/670] Explicitly define `SIO_UDP_NETRESET` for MinGW - builds. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch explicitly defines the value `SIO_UDP_NETRESET` according to -both what Windows and ReactOS does. - -Fixes: #29818. - -Reviewed-by: Eugene Syromiatnikov -Reviewed-by: Saša Nedvědický -MergeDate: Thu Feb 5 08:54:17 2026 -(Merged from https://github.com/openssl/openssl/pull/29826) ---- - ssl/quic/quic_reactor.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c -index a754f28..deec428 100644 ---- a/ssl/quic/quic_reactor.c -+++ b/ssl/quic/quic_reactor.c -@@ -76,6 +76,12 @@ void ossl_quic_reactor_cleanup(QUIC_REACTOR *rtor) - } - - #if defined(OPENSSL_SYS_WINDOWS) -+ -+/* Work around for MinGW builds. */ -+#if defined(__MINGW32__) && !defined(SIO_UDP_NETRESET) -+#define SIO_UDP_NETRESET _WSAIOW(IOC_VENDOR, 15) -+#endif -+ - /* - * On Windows recvfrom() may return WSAECONNRESET when destination port - * used in preceding call to sendto() is no longer reachable. The reset --- -2.52.0 - diff --git a/deps-packaging/openssl/mingw/debian/rules b/deps-packaging/openssl/mingw/debian/rules index 66e49dc93..6c3b901fe 100755 --- a/deps-packaging/openssl/mingw/debian/rules +++ b/deps-packaging/openssl/mingw/debian/rules @@ -22,7 +22,6 @@ endif build: build-stamp build-stamp: dh_testdir - patch -p1 < $(CURDIR)/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch # Removed "no-psk" from the options, mingw builds breaks with it CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- ./Configure \ From 21ffba0d2585c647251fa9eddeea5824207b422b Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 20 Apr 2026 07:37:17 +0000 Subject: [PATCH 04/28] Updated dependency 'nghttp2' from version 1.68.1 to 1.69.0 (cherry picked from commit 67fec117472442fab09e0f6a030274c7da1d3919) --- deps-packaging/nghttp2/cfbuild-nghttp2.spec | 2 +- deps-packaging/nghttp2/distfiles | 2 +- deps-packaging/nghttp2/source | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deps-packaging/nghttp2/cfbuild-nghttp2.spec b/deps-packaging/nghttp2/cfbuild-nghttp2.spec index 06c9ffbb3..9181c500e 100644 --- a/deps-packaging/nghttp2/cfbuild-nghttp2.spec +++ b/deps-packaging/nghttp2/cfbuild-nghttp2.spec @@ -1,4 +1,4 @@ -%define nghttp2_version 1.68.1 +%define nghttp2_version 1.69.0 Summary: CFEngine Build Automation -- nghttp2 Name: cfbuild-nghttp2 diff --git a/deps-packaging/nghttp2/distfiles b/deps-packaging/nghttp2/distfiles index 82cbf8784..713246209 100644 --- a/deps-packaging/nghttp2/distfiles +++ b/deps-packaging/nghttp2/distfiles @@ -1 +1 @@ -6abd7ab0a7f1580d5914457cb3c85eb80455657ee5119206edbd7f848c14f0b2 nghttp2-1.68.1.tar.xz +1fb324b6ec2c56f6bde0658f4139ffd8209fa9e77ce98fd7a5f63af8d0e508ad nghttp2-1.69.0.tar.xz diff --git a/deps-packaging/nghttp2/source b/deps-packaging/nghttp2/source index 3bce8feda..5202c92a7 100644 --- a/deps-packaging/nghttp2/source +++ b/deps-packaging/nghttp2/source @@ -1 +1 @@ -https://github.com/nghttp2/nghttp2/releases/download/v1.68.1/ +https://github.com/nghttp2/nghttp2/releases/download/v1.69.0/ From 8c1af15c93387ebb37af3f9e5fe6c2c5287e0892 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 20 Apr 2026 07:37:16 +0000 Subject: [PATCH 05/28] Updated dependency 'libxml2' from version 2.15.2 to 2.15.3 (cherry picked from commit 12501c9fbd8676b2a710cb3cd0a203e4e3abe895) --- deps-packaging/libxml2/cfbuild-libxml2.spec | 2 +- deps-packaging/libxml2/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/deps-packaging/libxml2/cfbuild-libxml2.spec b/deps-packaging/libxml2/cfbuild-libxml2.spec index dee239d1d..90559aee5 100644 --- a/deps-packaging/libxml2/cfbuild-libxml2.spec +++ b/deps-packaging/libxml2/cfbuild-libxml2.spec @@ -1,4 +1,4 @@ -%define libxml_version 2.15.2 +%define libxml_version 2.15.3 Summary: CFEngine Build Automation -- libxml2 Name: cfbuild-libxml2 diff --git a/deps-packaging/libxml2/distfiles b/deps-packaging/libxml2/distfiles index 5b301b300..035bb2aaa 100644 --- a/deps-packaging/libxml2/distfiles +++ b/deps-packaging/libxml2/distfiles @@ -1 +1 @@ -c8b9bc81f8b590c33af8cc6c336dbff2f53409973588a351c95f1c621b13d09d libxml2-2.15.2.tar.xz +78262a6e7ac170d6528ebfe2efccdf220191a5af6a6cd61ea4a9a9a5042c7a07 libxml2-2.15.3.tar.xz From baf3fa22c7e43b36211185aa83bd8cab6c5ec727 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 23 Apr 2026 12:33:19 -0500 Subject: [PATCH 06/28] fix: openssl 4.0.0 on centos-7 compilation problems Ticket: none Changelog: none --- ci/centos-7-setup-devtoolset-11.sh | 12 ++++++++++++ ci/fix-buildhost.sh | 14 ++++++++++++++ .../0010-Provide-timespec-for-centos-7.patch | 19 +++++++++++++++++++ deps-packaging/openssl/cfbuild-openssl.spec | 9 +++++++-- 4 files changed, 52 insertions(+), 2 deletions(-) create mode 100755 ci/centos-7-setup-devtoolset-11.sh create mode 100644 deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch diff --git a/ci/centos-7-setup-devtoolset-11.sh b/ci/centos-7-setup-devtoolset-11.sh new file mode 100755 index 000000000..75609b3c4 --- /dev/null +++ b/ci/centos-7-setup-devtoolset-11.sh 
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -ex
+sudo yum install -y centos-release-scl
+sudo rm -f /etc/yum.repos.d/CentOS-SCLo-scl.repo
+sudo sed -i 's,^#baseurl.*$,baseurl=https://vault.centos.org/7.9.2009/sclo/x86_64/rh/,' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo sed -i '/mirrorlist/d' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo yum update -y
+sudo yum install -y devtoolset-11
+if ! grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh; then
+ sed -i '1a\source /opt/rh/devtoolset-11/enable' /usr/lib/rpm/find-debuginfo.sh
+fi
+source /opt/rh/devtoolset-11/enable
diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh
index 7c1671ae3..213d20fd7 100755
--- a/ci/fix-buildhost.sh
+++ b/ci/fix-buildhost.sh
@@ -1,3 +1,14 @@
+#!/usr/bin/env bash
+set -ex
+thisdir="$(dirname "$0")"
+
+if [ -f /etc/os-release ]; then
+ source /etc/os-release
+ if [ "$ID" = "centos" ] && [ "$VERSION_ID" = "7" ]; then
+ source ./centos-7-setup-devtoolset-11.sh
+ fi
+fi
+
 if [ "$(uname)" = "HP-UX" ]; then
 # /etc/profile contains tty code that won't work well when sourced and this VUE env var guards against running those bits
 # https://ftp.mirrorservice.org/sites/www.bitsavers.org/pdf/hp/9000_hpux/9.x/B1171-90044_HP_Visual_User_Environment_System_Administration_Manual_Nov91.pdf
@@ -10,3 +21,6 @@ if [ -f /etc/profile ]; then
 # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH
 . /etc/profile
 fi
+
+mkdir -p ~/.ssh
+echo "build-artifacts-cache.cloud.cfengine.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGahpsY8Phk2+isBmuJQjjQVlh6BNL/Qetc14g26gowV" >> ~/.ssh/known_hosts
diff --git a/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch b/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch
new file mode 100644
index 000000000..5183a9a91
--- /dev/null
+++ b/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch
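Review bot: The guard `if ! grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh; then` is used only for its exit status, so it should be `grep -q`; as written the matching line is echoed into the build log on every run after the first. The `sed -i` line that follows edits a file owned by the rpm package in place, and a later update of that package would most likely replace the file and silently drop the injected line; a comment such as `# rpm's find-debuginfo.sh must see the devtoolset gcc; this edit does not survive an rpm package update` tells the next person why debuginfo extraction suddenly fails. `sudo yum update -y` two lines above also upgrades every package on the host rather than just the SCL toolchain, which makes the build host state depend on the configured repositories at run time; if only devtoolset is needed, dropping or narrowing it keeps builds reproducible.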
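Review bot: `echo "build-artifacts-cache.cloud.cfengine.com ssh-ed25519 …" >> ~/.ssh/known_hosts` appends the pinned host key unconditionally, so every run of this script adds another copy of the same line; prefixing it with a lookup, `ssh-keygen -F build-artifacts-cache.cloud.cfengine.com -f ~/.ssh/known_hosts >/dev/null 2>&1 ||`, writes the entry once. Pinning the key here rather than disabling host key checking is the right approach, but nothing records where the key came from; a comment such as `# host key of build-artifacts-cache, verified out of band; update this line if the host is reprovisioned` makes a later change to this line reviewable as the key rotation it is. `mkdir -p ~/.ssh` also leaves the directory at the umask default mode; a `chmod 700 ~/.ssh` after it is the conventional hygiene for that directory.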
@@ -0,0 +1,19 @@ +diff --git a/crypto/thread/arch/thread_posix.c b/crypto/thread/arch/thread_posix.c +index 1b285a6..b3cc67a 100644 +--- a/crypto/thread/arch/thread_posix.c ++++ b/crypto/thread/arch/thread_posix.c +@@ -9,6 +9,14 @@ + + #include + ++#ifndef _STRUCT_TIMESPEC ++#define _STRUCT_TIMESPEC ++struct timespec { ++ time_t tv_sec; /* seconds */ ++ long tv_nsec; /* nanoseconds */ ++}; ++#endif ++ + #if defined(OPENSSL_THREADS_POSIX) + #define _GNU_SOURCE + #include diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index d74ec8446..1be73b2f9 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -59,6 +59,11 @@ then then HACK_FLAGS=-D_GNU_SOURCE # CentOS 4 issue fi + if [ "$OS_VERSION_MAJOR" = "7" ] + then + # apparently our build doesn't quite work with devtoolset on centos so give it a hint where to find libraries with -L/opt/rh/devtoolset-11/root/usr/lib64 + HACK_FLAGS="-L/opt/rh/devtoolset-11/root/usr/lib64" + fi fi if [ x$SYS = "xAIX" ]; then @@ -163,8 +168,8 @@ CFEngine Build Automation -- openssl -- development files %{prefix}/bin/openssl %dir %{prefix}/lib -%{prefix}/lib/libssl.so.3 -%{prefix}/lib/libcrypto.so.3 +%{prefix}/lib/libssl.so.4 +%{prefix}/lib/libcrypto.so.4 %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist From 8d0ade81f4b81db27d9a6bc5477219fe1337f97d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 4 May 2026 07:57:26 +0000 Subject: [PATCH 07/28] Updated dependency 'git' from version 2.53.0 to 2.54.0 (cherry picked from commit d33d4b37a567d9432634010c10d0d42fbe9f72b9) --- deps-packaging/git/cfbuild-git.spec | 2 +- deps-packaging/git/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/git/cfbuild-git.spec b/deps-packaging/git/cfbuild-git.spec index e2d50a60f..6bd8ab7c0 100644 --- a/deps-packaging/git/cfbuild-git.spec 
+++ b/deps-packaging/git/cfbuild-git.spec @@ -1,4 +1,4 @@ -%define git_version 2.53.0 +%define git_version 2.54.0 Summary: CFEngine Build Automation -- git Name: cfbuild-git diff --git a/deps-packaging/git/distfiles b/deps-packaging/git/distfiles index f67a1446f..b02e4b46a 100644 --- a/deps-packaging/git/distfiles +++ b/deps-packaging/git/distfiles @@ -1 +1 @@ -429dc0f5fe5f14109930cdbbb588c5d6ef5b8528910f0d738040744bebdc6275 git-2.53.0.tar.gz +45e8107643a44e3ce46f5665beb35af3932fb0d70017687905ab5d4e3aafa8eb git-2.54.0.tar.gz From 851494a76005502d0abc72f242b8e20e1c12fb90 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 4 May 2026 07:57:28 +0000 Subject: [PATCH 08/28] Updated dependency 'libexpat' from version 2.7.5 to 2.8.1 --- deps-packaging/libexpat/cfbuild-libexpat.spec | 2 +- deps-packaging/libexpat/distfiles | 2 +- deps-packaging/libexpat/source | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deps-packaging/libexpat/cfbuild-libexpat.spec b/deps-packaging/libexpat/cfbuild-libexpat.spec index 1a8777af2..a0e177fd9 100644 --- a/deps-packaging/libexpat/cfbuild-libexpat.spec +++ b/deps-packaging/libexpat/cfbuild-libexpat.spec @@ -1,4 +1,4 @@ -%define expat_version 2.7.5 +%define expat_version 2.8.1 Summary: CFEngine Build Automation -- libexpat Name: cfbuild-libexpat diff --git a/deps-packaging/libexpat/distfiles b/deps-packaging/libexpat/distfiles index 2e8dfed90..c2bb242b7 100644 --- a/deps-packaging/libexpat/distfiles +++ b/deps-packaging/libexpat/distfiles @@ -1 +1 @@ -1032dfef4ff17f70464827daa28369b20f6584d108bc36f17ab1676e1edd2f91 expat-2.7.5.tar.xz +10b195ee78160a908388180a8fe3603d4e9a12f4755fbf5f3816b23a9d750da0 expat-2.8.1.tar.xz diff --git a/deps-packaging/libexpat/source b/deps-packaging/libexpat/source index a6177fb5e..9d573df43 100644 --- a/deps-packaging/libexpat/source +++ b/deps-packaging/libexpat/source 
@@ -1 +1 @@ -https://github.com/libexpat/libexpat/releases/download/R_2_7_5/ +https://github.com/libexpat/libexpat/releases/download/R_2_8_1/ From 54144692e02ae375ff8517f8077c583c3b66063e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 4 May 2026 07:57:32 +0000 Subject: [PATCH 09/28] Updated dependency 'rsync' from version 3.4.1 to 3.4.2 (cherry picked from commit 1bcd99fc878e58f133af85fe6df71cd972613e71) --- deps-packaging/rsync/cfbuild-rsync.spec | 2 +- deps-packaging/rsync/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/rsync/cfbuild-rsync.spec b/deps-packaging/rsync/cfbuild-rsync.spec index 2f8b8fa24..9bd68eaaa 100644 --- a/deps-packaging/rsync/cfbuild-rsync.spec +++ b/deps-packaging/rsync/cfbuild-rsync.spec @@ -1,4 +1,4 @@ -%define rsync_version 3.4.1 +%define rsync_version 3.4.2 Summary: CFEngine Build Automation -- rsync Name: cfbuild-rsync diff --git a/deps-packaging/rsync/distfiles b/deps-packaging/rsync/distfiles index 1c230fdb8..ffbf276fc 100644 --- a/deps-packaging/rsync/distfiles +++ b/deps-packaging/rsync/distfiles @@ -1 +1 @@ -2924bcb3a1ed8b551fc101f740b9f0fe0a202b115027647cf69850d65fd88c52 rsync-3.4.1.tar.gz +ff10aa2c151cd4b2dbbe6135126dbc854046113d2dfb49572a348233267eb315 rsync-3.4.2.tar.gz From 96efb370f52ac2f60d64f039b2d1227ea2a286b7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 4 May 2026 07:57:36 +0000 Subject: [PATCH 10/28] Updated Java Development Kit to 21.0.11 (cherry picked from commit bb73601bd382cd7744f6d42de8c244f52d976259) --- ci/linux-install-jdk21.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/linux-install-jdk21.sh b/ci/linux-install-jdk21.sh index d115853bd..cc2c836b1 100755 --- a/ci/linux-install-jdk21.sh +++ b/ci/linux-install-jdk21.sh 
@@ -9,15 +9,15 @@ install_jdk() {
 baseurl=https://download.oracle.com/java/21/archive/
 major_version=21
 baseurl="https://download.oracle.com/java/${major_version}/archive/"
- version=21.0.10
+ version=21.0.11
 if uname -m | grep aarch64; then
 tarball=jdk-${version}_linux-aarch64_bin.tar.gz
 # checksum from https://download.oracle.com/java/${major_version}/archive/jdk-${version}_linux-aarch64_bin.tar.gz.sha256
- sha=edaf800c6deb1e7daeb448ef9c6a047551fd681942cb9e37e2729ae1a3918d1d
+ sha=2ebe89cad767abba83fb0b8cedd2d2d9bcbf947315fde78f7263a57a24f43b96
 else
 tarball=jdk-${version}_linux-x64_bin.tar.gz
 # checksum from https://download.oracle.com/java/${major_version}/latest/jdk-${version}_linux-x64_bin.tar.gz.sha256
- sha=773eff7191d996d3b6ce3a99c21ce69cf2d836fd07277106313732a098d4309a
+ sha=e1c25a83f9e2e374c93e0c29cc3d98a947621ae0fefa4a8d932951eb160c47c3
 fi
 wget --quiet "$baseurl$tarball"
 echo "$sha $tarball" | sha256sum --check -
From 6ea284e113f27b8ba9edabb09d12d4c5aaa9ef62 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Fri, 1 May 2026 16:15:40 -0500
Subject: [PATCH 11/28] fix: ci/fix-buildhost.sh should only source /etc/profile on solaris and hp-ux build hosts where it is needed
Sourcing this on suse-12 and suse-15 caused trouble due to a failing call to the tty command.
Ticket: ENT-14040
Changelog: none
(cherry picked from commit c3fedaef7fb24c0f89f90e7800a437e44cccd965)
---
 ci/fix-buildhost.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh
index 213d20fd7..bbecca2e5 100755
--- a/ci/fix-buildhost.sh
+++ b/ci/fix-buildhost.sh
@@ -24,3 +24,13 @@ fi mkdir -p ~/.ssh echo "build-artifacts-cache.cloud.cfengine.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGahpsY8Phk2+isBmuJQjjQVlh6BNL/Qetc14g26gowV" >> ~/.ssh/known_hosts + +# /etc/profile can contain tricky things, on suse for example it includes a call to tty which will fail in CI +# so only source /etc/profile where we absolutely need it. +if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then + if [ -f /etc/profile ]; then + # running on the proxied host or not we want to make sure local customizations are taken + # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH + . /etc/profile + fi +fi From aaf9bb4109cf425d83ed444cbeff51640e173079 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 May 2026 08:11:50 +0000 Subject: [PATCH 12/28] Updated dependency 'apache' from version 2.4.66 to 2.4.67 (cherry picked from commit 28cc09638d1793448abe42de3f1f4ff5941f7ae7) --- deps-packaging/apache/cfbuild-apache.spec | 2 +- deps-packaging/apache/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index d014b74e2..854b8cafd 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -1,4 +1,4 @@ -%define apache_version 2.4.66 +%define apache_version 2.4.67 %global __os_install_post %{nil} Summary: CFEngine Build Automation -- apache diff --git a/deps-packaging/apache/distfiles b/deps-packaging/apache/distfiles index 115bd09b5..e2962e04d 100644 --- a/deps-packaging/apache/distfiles +++ b/deps-packaging/apache/distfiles @@ -1 +1 @@ -442184763b60936471b88a91275f79d2407733b7aac27e345f270e8bc31c3d49 httpd-2.4.66.tar.gz +10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 httpd-2.4.67.tar.gz From fac54c7e0b8060b768ebe1995ba0700d59d375bf Mon Sep 17 00:00:00 2001 
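Review bot: The diffstat is 10 insertions and no deletions, so the unconditional `if [ -f /etc/profile ]; then … . /etc/profile; fi` block that the previous commit in this series shows as context just above `mkdir -p ~/.ssh` still runs before the new guarded block; unless that block is itself nested inside the HP-UX conditional, which neither hunk shows, /etc/profile is still sourced on suse and the new code only sources it a second time on HP-UX and SunOS. The fix the commit message describes is to remove the old block (above this hunk, outside it) rather than add a guarded copy. If the old block is in fact nested, a one-line comment above the new `if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then` saying why two sourcing sites exist would save the next reader the same question.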
From: Craig Comstock Date: Wed, 13 May 2026 15:25:22 -0500 Subject: [PATCH 13/28] probably dont need deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch --- .../0010-Provide-timespec-for-centos-7.patch | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch diff --git a/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch b/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch deleted file mode 100644 index 5183a9a91..000000000 --- a/deps-packaging/openssl/0010-Provide-timespec-for-centos-7.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/crypto/thread/arch/thread_posix.c b/crypto/thread/arch/thread_posix.c -index 1b285a6..b3cc67a 100644 ---- a/crypto/thread/arch/thread_posix.c -+++ b/crypto/thread/arch/thread_posix.c -@@ -9,6 +9,14 @@ - - #include - -+#ifndef _STRUCT_TIMESPEC -+#define _STRUCT_TIMESPEC -+struct timespec { -+ time_t tv_sec; /* seconds */ -+ long tv_nsec; /* nanoseconds */ -+}; -+#endif -+ - #if defined(OPENSSL_THREADS_POSIX) - #define _GNU_SOURCE - #include From 780941581d1b44256b5df36aa38790020947b646 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 13 May 2026 15:55:30 -0500 Subject: [PATCH 14/28] with centos-7 fixes --- ci/centos-7-setup-devtoolset-11.sh | 2 +- ci/fix-buildhost.sh | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ci/centos-7-setup-devtoolset-11.sh b/ci/centos-7-setup-devtoolset-11.sh index 75609b3c4..66250e3cf 100755 --- a/ci/centos-7-setup-devtoolset-11.sh +++ b/ci/centos-7-setup-devtoolset-11.sh 
@@ -7,6 +7,6 @@ sudo sed -i '/mirrorlist/d' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
 sudo yum update -y
 sudo yum install -y devtoolset-11
 if ! grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh; then
- sed -i '1a\source /opt/rh/devtoolset-11/enable' /usr/lib/rpm/find-debuginfo.sh
+ sudo sed -i '1a\source /opt/rh/devtoolset-11/enable' /usr/lib/rpm/find-debuginfo.sh
 fi
 source /opt/rh/devtoolset-11/enable
diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh
index bbecca2e5..688375966 100755
--- a/ci/fix-buildhost.sh
+++ b/ci/fix-buildhost.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
+# it is expected that this file is sourced, not executed directly
 set -ex
-thisdir="$(dirname "$0")"
+my_path="$(realpath "${BASH_SOURCE[0]}")"
+my_dir="$(dirname "$my_path")"
 
 if [ -f /etc/os-release ]; then
 source /etc/os-release
 if [ "$ID" = "centos" ] && [ "$VERSION_ID" = "7" ]; then
- source ./centos-7-setup-devtoolset-11.sh
+ source "$my_dir"/centos-7-setup-devtoolset-11.sh
 fi
 fi
 
From 8de2e0017208d1b42af0904aa8e3d0748ac5ecfb Mon Sep 17 00:00:00 2001
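Review bot: `my_path="$(realpath "${BASH_SOURCE[0]}")"` depends on a `realpath` binary, which the HP-UX and SunOS build hosts this same script special-cases further down (outside the hunk) may not ship, and under the file's `set -e` a missing command there aborts the sourcing shell on those hosts. The shell-only form `my_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` needs no external tool and yields the same directory for the `source "$my_dir"/centos-7-setup-devtoolset-11.sh` line. The new comment `# it is expected that this file is sourced, not executed directly` could also say why that matters here: `$0` is the caller's name when sourced, which is why `BASH_SOURCE` is used, and `set -ex` on the next line changes the options of the sourcing shell.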
From: Craig Comstock Date: Thu, 14 May 2026 16:01:56 -0500 Subject: [PATCH 15/28] Adjusted openldap for openssl 4.0.0 Ticket: none Changelog: none --- build-scripts/install-dependencies | 7 + ...24f47574dffb1f5041625cf9d6218dbcb07d.patch | 108 ++++ ...597cb3cb6d36f888bffcbd0b010a644b92c5.patch | 73 +++ ...373426e37fd7f4e4beb3be451b5555799517.patch | 40 ++ .../openldap/cfbuild-openldap-aix.spec | 9 + deps-packaging/openldap/cfbuild-openldap.spec | 13 +- deps-packaging/openldap/debian/rules | 5 + ...9ffa10d93e841d00f05d9f56b88078acf235.patch | 493 ++++++++++++++++++ deps-packaging/openldap/gcc-8.5.patch | 29 ++ deps-packaging/openldap/mingw/debian/rules | 5 + deps-packaging/openldap/solaris/build | 4 + 11 files changed, 785 insertions(+), 1 deletion(-) create mode 100644 deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch create mode 100644 deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch create mode 100644 deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch create mode 100644 deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch create mode 100644 deps-packaging/openldap/gcc-8.5.patch diff --git a/build-scripts/install-dependencies b/build-scripts/install-dependencies index 8d8f4ea82..02ecd79a2 100755 --- a/build-scripts/install-dependencies +++ b/build-scripts/install-dependencies @@ -194,8 +194,15 @@ for dep in $DEPS; do "$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" \ "$dep" "$tests" "$cross" "$optimize" yes "$version" else + set +e # ignore errors for now "$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" \ "$dep" "$tests" "$cross" "$optimize" "$debugsym" "$version" + rc=$? + if [ "$rc" != "0" ]; then + echo "Failed to build $dep" + du -a | grep .rej$ | awk '{print $2}' | xargs cat + exit 42 + fi fi # Make sure package is there after building it 
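Review bot: `set +e # ignore errors for now` is never reverted, so from that line on every later command in the loop body, including the package-existence check that follows the hunk, runs without errexit (assuming the script runs under `set -e`, which the explicit `set +e` suggests). Testing the build command directly in an `if !` keeps errexit untouched and makes the `rc=$?` capture unnecessary; and `du -a | grep .rej$` matches any path ending in `rej` because the `.` is unescaped, whereas `find . -name '*.rej'` names the reject files precisely. The `for dep` loop and the enclosing `if` start outside the hunk.
```shell
    else
      if ! "$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" \
             "$dep" "$tests" "$cross" "$optimize" "$debugsym" "$version"; then
        echo "Failed to build $dep"
        # hunks that did not apply are the usual reason; show them
        find . -name '*.rej' -exec cat {} +
        exit 42
      fi
    fi
    # … unchanged: package-existence check …
```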
diff --git a/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch b/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
new file mode 100644
index 000000000..533716822
--- /dev/null
+++ b/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
@@ -0,0 +1,108 @@ +From 75b624f47574dffb1f5041625cf9d6218dbcb07d Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 30 Apr 2026 16:57:27 -0700 +Subject: [PATCH] ITS#10498 libldap: more const-correctness for OpenSSL 4 + +--- + libraries/libldap/tls_o.c | 20 ++++++++++---------- + servers/slapd/overlays/autoca.c | 7 ++++++- + 2 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 428bc32c85..93a7070f81 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -198,8 +198,8 @@ tlso_ca_list( char * bundle, char * dir, X509 *cert, STACK_OF(X509_NAME) *ca_lis + ldap_charray_free( dirs ); + } + if ( cert ) { +- X509_NAME *xn = X509_get_subject_name( cert ); +- xn = X509_NAME_dup( xn ); ++ const X509_NAME *cxn = X509_get_subject_name( cert ); ++ X509_NAME *xn = X509_NAME_dup( cxn ); + if ( xn && ca_list ) { + sk_X509_NAME_push( ca_list, xn ); + } +@@ -924,7 +924,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn ) + { + tlso_session *s = (tlso_session *)sess; + X509 *x; +- X509_NAME *xn; ++ const X509_NAME *xn; + + x = SSL_get_certificate( s ); + +@@ -961,7 +961,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn ) + { + tlso_session *s = (tlso_session *)sess; + X509 *x = tlso_get_cert( s ); +- X509_NAME *xn; ++ const X509_NAME *xn; + + if ( !x ) + return LDAP_INVALID_CREDENTIALS; +@@ -1037,7 +1037,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + if (chkSAN) { + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { +- X509_EXTENSION *ex; ++ const X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + + ex = X509_get_ext(x, i); +@@ -1143,10 +1143,10 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + } + + if (ret != LDAP_SUCCESS) { +- X509_NAME *xn; +- X509_NAME_ENTRY *ne; ++ const X509_NAME *xn; ++ const X509_NAME_ENTRY *ne; + ASN1_OBJECT *obj; +- ASN1_STRING *cn = NULL; ++ 
const ASN1_STRING *cn = NULL; + char *cnstr; + int cnlen; + int navas; +@@ -1742,8 +1742,8 @@ tlso_verify_cb( int ok, X509_STORE_CTX *ctx ) + X509 *cert; + int errnum; + int errdepth; +- X509_NAME *subject; +- X509_NAME *issuer; ++ const X509_NAME *subject; ++ const X509_NAME *issuer; + char *sname; + char *iname; + char *certerr = NULL; +diff --git a/servers/slapd/overlays/autoca.c b/servers/slapd/overlays/autoca.c +index 43761655d2..da978c3233 100644 +--- a/servers/slapd/overlays/autoca.c ++++ b/servers/slapd/overlays/autoca.c +@@ -44,9 +44,13 @@ + + #if OPENSSL_VERSION_NUMBER >= 0x10100000 + #include ++#ifndef X509_get_notBefore + #define X509_get_notBefore(x) X509_getm_notBefore(x) ++#endif ++#ifndef X509_get_notAfter + #define X509_get_notAfter(x) X509_getm_notAfter(x) + #endif ++#endif + + #if OPENSSL_VERSION_MAJOR >= 3 + #define BN_pseudo_rand(bn, bits, top, bottom) BN_rand(bn, bits, top, bottom) +@@ -272,7 +276,8 @@ typedef struct genargs { + + static int autoca_gencert( Operation *op, genargs *args ) + { +- X509_NAME *subj_name, *issuer_name; ++ X509_NAME *subj_name; ++ const X509_NAME *issuer_name; + X509 *subj_cert; + struct berval derdn; + unsigned char *pp; +-- +GitLab + diff --git a/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch b/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch new file mode 100644 index 000000000..47d4b6927 --- /dev/null +++ b/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch 
@@ -0,0 +1,73 @@ +From a599597cb3cb6d36f888bffcbd0b010a644b92c5 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Tue, 28 Apr 2026 16:49:32 +0100 +Subject: [PATCH] ITS#10498 libldap: fix for OpenSSL 4 compatibility + +--- + libraries/libldap/tls_o.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 02dc4cd92f..428bc32c85 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -1147,6 +1147,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + X509_NAME_ENTRY *ne; + ASN1_OBJECT *obj; + ASN1_STRING *cn = NULL; ++ char *cnstr; ++ int cnlen; + int navas; + + /* find the last CN */ +@@ -1174,22 +1176,25 @@ no_cn: + } + ld->ld_error = LDAP_STRDUP( + _("TLS: unable to get CN from peer certificate")); ++ } else { ++ cnlen = ASN1_STRING_length( cn ); ++ cnstr = (char *)ASN1_STRING_get0_data( cn ); ++ if ( cnlen == nlen && ++ strncasecmp( name, (char *) cnstr, nlen ) == 0 ) { ++ ret = LDAP_SUCCESS; + +- } else if ( cn->length == nlen && +- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) { +- ret = LDAP_SUCCESS; +- +- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) { +- char *domain = strchr(name, '.'); +- if( domain ) { +- int dlen; ++ } else if (( cnstr[0] == '*' ) && ( cnstr[1] == '.' )) { ++ char *domain = strchr(name, '.'); ++ if( domain ) { ++ int dlen; + +- dlen = nlen - (domain-name); ++ dlen = nlen - (domain-name); + +- /* Is this a wildcard match? */ +- if ((dlen == cn->length-1) && +- !strncasecmp(domain, (char *) &cn->data[1], dlen)) { +- ret = LDAP_SUCCESS; ++ /* Is this a wildcard match? 
*/ ++ if ((dlen == cnlen-1) && ++ !strncasecmp(domain, cnstr+1, dlen)) { ++ ret = LDAP_SUCCESS; ++ } + } + } + } +@@ -1197,7 +1202,7 @@ no_cn: + if( ret == LDAP_LOCAL_ERROR ) { + Debug3( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " + "common name in certificate (%.*s).\n", +- name, cn->length, cn->data ); ++ name, cnlen, cnstr ); + ret = LDAP_CONNECT_ERROR; + if ( ld->ld_error ) { + LDAP_FREE( ld->ld_error ); +-- +GitLab + diff --git a/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch b/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch new file mode 100644 index 000000000..4c7c4f6fb --- /dev/null +++ b/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch 
@@ -0,0 +1,40 @@ +From a704373426e37fd7f4e4beb3be451b5555799517 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 4 May 2026 15:35:20 +0100 +Subject: [PATCH] ITS#10498 libldap: silence a couple more warnings + +OpenSSL 3 and 4 differ on constness here, and 4 is self-inconsistent +between getter and d2i. Discard the useless const qualifiers. +--- + libraries/libldap/tls_o.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 93a7070f81..4dd4ff5205 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -557,7 +557,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + if ( is_server ) { + STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); + if ( ca_list ) { +- X509_NAME *xn = X509_get_subject_name( cert ); ++ X509_NAME *xn = (X509_NAME *)X509_get_subject_name( cert ); + if ( xn ) + xn = X509_NAME_dup( xn ); + if ( xn ) +@@ -1037,10 +1037,10 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + if (chkSAN) { + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { +- const X509_EXTENSION *ex; ++ X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + +- ex = X509_get_ext(x, i); ++ ex = (X509_EXTENSION *)X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) { + int n, len2 = 0; +-- +GitLab + diff --git a/deps-packaging/openldap/cfbuild-openldap-aix.spec b/deps-packaging/openldap/cfbuild-openldap-aix.spec index cbc24973b..19ce4bc5a 100644 --- a/deps-packaging/openldap/cfbuild-openldap-aix.spec +++ b/deps-packaging/openldap/cfbuild-openldap-aix.spec 
@@ -6,6 +6,11 @@ Version: %{version} Release: 1 Source0: openldap-%{openldap_version}.tgz Patch0: no_Sockaddr_redefine.patch +# patches for openssl 4.0.0 unavailable in a release as of 2.6.13 +Patch1: f3b49ffa10d93e841d00f05d9f56b88078acf235.patch +Patch2: a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch +Patch3: 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch +Patch4: a704373426e37fd7f4e4beb3be451b5555799517.patch License: MIT Group: Other Url: https://cfengine.com @@ -20,6 +25,10 @@ mkdir -p %{_builddir} %setup -q -n openldap-%{openldap_version} %patch0 -p0 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 # Either "$LDFLAGS -L%{prefix}lib" # Or "-bsvr4 $LDFLAGS -Wl,-R,%{prefix}/lib" diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec index 91ba0ddef..ade1db7be 100644 --- a/deps-packaging/openldap/cfbuild-openldap.spec +++ b/deps-packaging/openldap/cfbuild-openldap.spec @@ -6,6 +6,12 @@ Version: %{version} Release: 1 Source0: openldap-%{openldap_version}.tgz Patch0: no_Sockaddr_redefine.patch +# patches for openssl 4.0.0 unavailable in a release as of 2.6.13 +Patch1: f3b49ffa10d93e841d00f05d9f56b88078acf235.patch +Patch2: a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch +Patch3: 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch +Patch4: a704373426e37fd7f4e4beb3be451b5555799517.patch +Patch5: gcc-8.5.patch License: MIT Group: Other Url: https://cfengine.com @@ -19,7 +25,12 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n openldap-%{openldap_version} -%patch0 -p0 +%patch -P0 -p0 +%patch -P1 -p1 +%patch -P2 -p1 +%patch -P3 -p1 +%patch -P4 -p1 +%patch -P5 -p1 # we don't bundle OpenSSL on RHEL 8 (and newer in the future) %if %{?rhel}%{!?rhel:0} > 7 diff --git a/deps-packaging/openldap/debian/rules b/deps-packaging/openldap/debian/rules index 7117f9794..dc7ec5f90 100755 --- a/deps-packaging/openldap/debian/rules +++ b/deps-packaging/openldap/debian/rules 
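Review bot: Patch5 (gcc-8.5.patch) is applied only in cfbuild-openldap.spec; the AIX spec in this hunk stops at Patch4, and debian/rules, mingw/debian/rules and solaris/build apply only the four upstream patches. The declaration directly after `case OSSL_STORE_INFO_CERT:` that gcc-8.5.patch works around is a C constraint violation before C23 rather than a RHEL 8 peculiarity, so if the AIX or Solaris compilers reject it those builds fail the same way; either add `Patch5: gcc-8.5.patch` and `%patch5 -p1` here as well, or record why AIX does not need it. The two specs now also differ in style, `%patch1 -p1` here versus `%patch -P1 -p1` in cfbuild-openldap.spec; if the AIX rpm accepts the `-P` form, using it in both keeps the files in step. The AIX `%prep` section continues outside the hunk.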
@@ -26,6 +26,11 @@ build: build-stamp build-stamp: dh_testdir + patch -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch + patch -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch + patch -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch + patch -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch + ./configure --prefix=$(PREFIX) \ --enable-shared \ --disable-slapd \ diff --git a/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch b/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch new file mode 100644 index 000000000..4328a2d3f --- /dev/null +++ b/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch 
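Review bot: The four `patch -p1 <` lines added to the `build-stamp` recipe are not idempotent: if the recipe is re-run on an already-patched tree (for instance after the `./configure` below it fails), `patch` sees reversed hunks and fails or waits for input, and because the .patch files are not prerequisites of `build-stamp`, editing one of them does not trigger a rebuild. Moving the patching into its own stamp target that `build-stamp` depends on addresses both; `clean` should then remove `patch-stamp` too. The same lines appear in mingw/debian/rules and need the same treatment. The `build-stamp` recipe continues outside the hunk.
```make
build-stamp: patch-stamp
	dh_testdir
	# … unchanged: ./configure invocation and build steps …

# Apply the OpenSSL 4 backports exactly once; re-running build-stamp must not re-patch the tree.
patch-stamp: f3b49ffa10d93e841d00f05d9f56b88078acf235.patch \
             a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch \
             75b624f47574dffb1f5041625cf9d6218dbcb07d.patch \
             a704373426e37fd7f4e4beb3be451b5555799517.patch
	for p in $^; do patch -p1 < $$p || exit 1; done
	touch $@
```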
@@ -0,0 +1,493 @@ +From f3b49ffa10d93e841d00f05d9f56b88078acf235 Mon Sep 17 00:00:00 2001 +From: Graham Leggett +Date: Mon, 15 Dec 2025 22:52:13 +0000 +Subject: [PATCH] ITS#10149 - Allow certificates and keys to be read from URIs + +--- + doc/man/man3/ldap_get_option.3 | 33 +++++ + include/ldap.h | 2 + + libraries/libldap/ldap-int.h | 6 +- + libraries/libldap/tls2.c | 39 +++++- + libraries/libldap/tls_g.c | 28 ++++ + libraries/libldap/tls_o.c | 227 +++++++++++++++++++++++++++++---- + 6 files changed, 305 insertions(+), 30 deletions(-) + +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +index 45e91a28e5..63601f28a7 100644 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -678,6 +678,22 @@ must be + and its contents need to be freed by the caller using + .BR ldap_memfree (3). + .TP ++.B LDAP_OPT_X_TLS_CACERTURIS ++Sets/gets an array containing the URIs of CA certificates. The ++URIs accepted are based on the underlying crypto library. In the ++case of OpenSSL, the URIs are handled by the provider interface, and a ++URI without a scheme is treated as a file path. ++.BR outvalue ++must be a ++.BR "char ***" , ++and the caller is responsible of freeing the returned string by calling ++.BR ldap_memvfree (3), ++while ++.BR invalue ++must be a NULL-terminated ++.BR "char *const *" ; ++the library duplicates the corresponding string. ++.TP + .B LDAP_OPT_X_TLS_CERTFILE + Sets/gets the full-path of the certificate file. + .BR invalue +@@ -883,6 +899,23 @@ When using the OpenSSL library this is an SSL*. When using other + crypto libraries this is a pointer to an OpenLDAP private structure. + Applications generally should not use this option. + .TP ++.B LDAP_OPT_X_TLS_URIS ++Sets/gets an array containing the URIs of certificates, intermediate ++certificates and keys. The URIs accepted are based on the underlying ++crypto library. 
In the case of OpenSSL, the URIs are handled by the ++provider interface, and a URI without a scheme is treated as a file ++path. ++.BR outvalue ++must be a ++.BR "char ***" , ++and the caller is responsible of freeing the returned string by calling ++.BR ldap_memvfree (3), ++while ++.BR invalue ++must be a NULL-terminated ++.BR "char *const *" ; ++the library duplicates the corresponding string. ++.TP + .B LDAP_OPT_X_TLS_VERSION + Gets the TLS version being used on an established TLS session. + .BR outvalue +diff --git a/include/ldap.h b/include/ldap.h +index 521bc0caba..f916226f46 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -164,6 +164,8 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_PEERKEY_HASH 0x6019 + #define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a + #define LDAP_OPT_X_TLS_PROTOCOL_MAX 0x601b ++#define LDAP_OPT_X_TLS_URIS 0x601c ++#define LDAP_OPT_X_TLS_CACERTURIS 0x601d + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 78e1f806a2..33b94a59bd 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -187,6 +187,8 @@ struct ldaptls { + struct berval lt_cacert; + struct berval lt_cert; + struct berval lt_key; ++ char **lt_cacerturis; ++ char **lt_uris; + }; + #endif + +@@ -310,7 +312,9 @@ struct ldapoptions { + #define ldo_tls_cacert ldo_tls_info.lt_cacert + #define ldo_tls_cert ldo_tls_info.lt_cert + #define ldo_tls_key ldo_tls_info.lt_key +- int ldo_tls_mode; ++#define ldo_tls_uris ldo_tls_info.lt_uris ++#define ldo_tls_cacerturis ldo_tls_info.lt_cacerturis ++ int ldo_tls_mode; + int ldo_tls_require_cert; + int ldo_tls_impl; + int ldo_tls_crlcheck; +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 1fb878aab8..158b552b1a 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -849,7 +849,20 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + } + break; + } +- ++ case 
LDAP_OPT_X_TLS_URIS: ++ if( lo->ldo_tls_uris == NULL ) { ++ * (char ***) arg = NULL; ++ } else { ++ * (char ***) arg = ldap_value_dup(lo->ldo_tls_uris); ++ } ++ break; ++ case LDAP_OPT_X_TLS_CACERTURIS: ++ if( lo->ldo_tls_cacerturis == NULL ) { ++ * (char ***) arg = NULL; ++ } else { ++ * (char ***) arg = ldap_value_dup(lo->ldo_tls_cacerturis); ++ } ++ break; + default: + return -1; + } +@@ -1107,7 +1120,29 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + } + + return rc; +- } ++ } ++ case LDAP_OPT_X_TLS_URIS: { ++ char *const *uris = (char *const *) arg; ++ ++ if( lo->ldo_tls_uris ) { ++ LDAP_VFREE(lo->ldo_tls_uris); ++ } ++ if ( uris ) { ++ lo->ldo_tls_uris = ldap_value_dup(uris); ++ } ++ return 0; ++ } ++ case LDAP_OPT_X_TLS_CACERTURIS: { ++ char *const *uris = (char *const *) arg; ++ ++ if( lo->ldo_tls_cacerturis ) { ++ LDAP_VFREE(lo->ldo_tls_cacerturis); ++ } ++ if ( uris ) { ++ lo->ldo_tls_cacerturis = ldap_value_dup(uris); ++ } ++ return 0; ++ } + default: + return -1; + } +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index d4e7ee0bf7..2652cf6713 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -395,6 +395,34 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + + ctx->reqcert = lo->ldo_tls_require_cert; + ++ if ( lo->ldo_tls_uris ) ++ { ++ /* ++ * TODO: figure out URL enumeration. 
++ * ++ * Hopeful functions: ++ * gnutls_privkey_import_url ++ * gnutls_url_is_supported ++ * gnutls_tpm_get_registered ++ * gnutls_tpm_key_list_get_url ++ * gnutls_pkcs11_obj_list_import_url4 ++ * gnutls_pkcs11_obj_get_type ++ */ ++ ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: uris are not supported.\n" ); ++ strncpy( errmsg, "TLS uris are not supported", ERRBUFSIZE ); ++ return -1; ++ } ++ ++ if ( lo->ldo_tls_cacerturis ) ++ { ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: cacerturis are not supported.\n" ); ++ strncpy( errmsg, "TLS cacerturis are not supported", ERRBUFSIZE ); ++ return -1; ++ } ++ + return 0; + } + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 155f685c99..729b6e9308 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -46,6 +46,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_MAJOR >= 3 ++#include ++#endif + #endif + + #if OPENSSL_VERSION_NUMBER >= 0x10100000 +@@ -169,37 +172,42 @@ BIO_meth_free( BIO_METHOD *meth ) + #endif /* OpenSSL 1.1 */ + + static STACK_OF(X509_NAME) * +-tlso_ca_list( char * bundle, char * dir, X509 *cert ) ++tlso_ca_list( char * bundle, char * dir, X509 *cert, STACK_OF(X509_NAME) *ca_list ) + { +- STACK_OF(X509_NAME) *ca_list = NULL; +- + if ( bundle ) { +- ca_list = SSL_load_client_CA_file( bundle ); ++ if ( !SSL_add_file_cert_subjects_to_stack( ca_list, bundle ) ) { ++ Debug1( LDAP_DEBUG_ANY, "TLS: " ++ "could not load client CA list (file:`%s').\n", ++ bundle ); ++ return NULL; ++ } + } + if ( dir ) { + char **dirs = ldap_str2charray( dir, CERTPATHSEP ); +- int freeit = 0, i, success = 0; ++ int i; + +- if ( !ca_list ) { +- ca_list = sk_X509_NAME_new_null(); +- freeit = 1; +- } + for ( i=0; dirs[i]; i++ ) { +- success += SSL_add_dir_cert_subjects_to_stack( ca_list, dir ); +- } +- if ( !success && freeit ) { +- sk_X509_NAME_free( ca_list ); +- ca_list = NULL; ++ if ( !SSL_add_dir_cert_subjects_to_stack( ca_list, dirs[i] )) { ++ Debug1( LDAP_DEBUG_ANY, "TLS: " ++ "could not load 
client CA list (dir:`%s').\n", ++ dirs[i] ); ++ ldap_charray_free( dirs ); ++ return NULL; ++ } + } + ldap_charray_free( dirs ); + } + if ( cert ) { + X509_NAME *xn = X509_get_subject_name( cert ); + xn = X509_NAME_dup( xn ); +- if ( !ca_list ) +- ca_list = sk_X509_NAME_new_null(); +- if ( xn && ca_list ) ++ if ( xn && ca_list ) { + sk_X509_NAME_push( ca_list, xn ); ++ } ++ else { ++ Debug0( LDAP_DEBUG_ANY, "TLS: " ++ "could not load client CA list: subject missing\n" ); ++ return NULL; ++ } + } + return ca_list; + } +@@ -456,7 +464,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + + if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL && +- lo->ldo_tls_cacert.bv_val == NULL ) { ++ lo->ldo_tls_cacert.bv_val == NULL && lo->ldo_tls_cacerturis == NULL ) { + if ( !SSL_CTX_set_default_verify_paths( ctx ) ) { + Debug0( LDAP_DEBUG_ANY, "TLS: " + "could not use default certificate paths" ); +@@ -465,6 +473,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + } else { + X509 *cert = NULL; ++ ++ if ( is_server ) { ++ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null(); ++ SSL_CTX_set_client_CA_list( ctx, ca_list ); ++ } ++ + if ( lo->ldo_tls_cacert.bv_val ) { + const unsigned char *pp = (const unsigned char *) (lo->ldo_tls_cacert.bv_val); + cert = d2i_X509( NULL, &pp, lo->ldo_tls_cacert.bv_len ); +@@ -509,20 +523,81 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + } + ++ if ( lo->ldo_tls_cacerturis ) ++ { ++#if OPENSSL_VERSION_MAJOR >= 3 ++ int i; ++ ++ for(i=0; lo->ldo_tls_cacerturis[i] != NULL; i++) { ++ OSSL_STORE_CTX *sctx; ++ OSSL_STORE_INFO *info; ++ ++ sctx = OSSL_STORE_open( lo->ldo_tls_cacerturis[i], NULL, NULL, NULL, NULL ); ++ if (!sctx) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not open uri `%s'.\n", ++ lo->ldo_tls_cacerturis[i] ); ++ tlso_report_error( errmsg ); ++ return -1; ++ } ++ ++ while ((info = OSSL_STORE_load( 
sctx ))) { ++ switch (OSSL_STORE_INFO_get_type( info )) { ++ case OSSL_STORE_INFO_CERT: ++ X509 *cert = OSSL_STORE_INFO_get0_CERT( info ); ++ X509_STORE *store = SSL_CTX_get_cert_store( ctx ); ++ if ( !X509_STORE_add_cert( store, cert ) ) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate from uri `%s'.\n", ++ lo->ldo_tls_cacerturis[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close( sctx ); ++ return -1; ++ } ++ if ( is_server ) { ++ STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); ++ if ( ca_list ) { ++ X509_NAME *xn = X509_get_subject_name( cert ); ++ if ( xn ) ++ xn = X509_NAME_dup( xn ); ++ if ( xn ) ++ sk_X509_NAME_push( ca_list, xn ); ++ } ++ } ++ break; ++ default: ++ /* ignore other types */ ++ break; ++ } ++ OSSL_STORE_INFO_free( info ); ++ } ++ if (!OSSL_STORE_eof(sctx) && OSSL_STORE_error(sctx)) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not load from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close( sctx ); ++ return -1; ++ } ++ OSSL_STORE_close( sctx ); ++ } ++#else ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: cacerturis are not supported.\n" ); ++ strncpy( errmsg, "TLS: cacerturis are not supported", ERRBUFSIZE ); ++ return -1; ++#endif ++ } ++ + if ( is_server ) { +- STACK_OF(X509_NAME) *calist; ++ STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); ++ + /* List of CA names to send to a client */ +- calist = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir, cert ); +- if ( !calist ) { +- Debug2( LDAP_DEBUG_ANY, "TLS: " +- "could not load client CA list (file:`%s',dir:`%s').\n", +- lo->ldo_tls_cacertfile ? lo->ldo_tls_cacertfile : "", +- lo->ldo_tls_cacertdir ? 
lo->ldo_tls_cacertdir : "" ); ++ ca_list = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir, cert, ca_list ); ++ if ( !ca_list ) { + tlso_report_error( errmsg ); + return -1; + } +- +- SSL_CTX_set_client_CA_list( ctx, calist ); + } + if ( cert ) + X509_free( cert ); +@@ -636,6 +711,104 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + #endif /* OPENSSL_NO_EC */ + } + ++ if ( lo->ldo_tls_uris ) ++ { ++#if OPENSSL_VERSION_MAJOR >= 3 ++ int i; ++ ++ for(i=0; lo->ldo_tls_uris[i] != NULL; i++) { ++ OSSL_STORE_CTX *sctx; ++ OSSL_STORE_INFO *info; ++ ++ sctx = OSSL_STORE_open(lo->ldo_tls_uris[i], NULL, NULL, NULL, NULL); ++ if (!sctx) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not open uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ return -1; ++ } ++ ++ while ((info = OSSL_STORE_load(sctx))) { ++ switch (OSSL_STORE_INFO_get_type(info)) { ++ case OSSL_STORE_INFO_PARAMS: ++ if ( !SSL_CTX_set0_tmp_dh_pkey( ctx, ++ OSSL_STORE_INFO_get0_PARAMS(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use params from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_PKEY: ++ if ( !SSL_CTX_use_PrivateKey( ctx, ++ OSSL_STORE_INFO_get0_PKEY(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use private key from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_CERT: ++ X509 *cert = OSSL_STORE_INFO_get0_CERT(info); ++ int is_ca = X509_check_ca( cert ); ++ if ( !is_ca && !SSL_CTX_use_certificate( ctx, cert )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use leaf certificate from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ if ( is_ca && !SSL_CTX_add_extra_chain_cert( ctx, cert )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use 
intermediate certificate from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_CRL: ++ X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); ++ if ( !X509_STORE_add_crl( x509_s, ++ OSSL_STORE_INFO_get0_CRL(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use crl from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ default: ++ /* ignore other types */ ++ break; ++ } ++ OSSL_STORE_INFO_free(info); ++ } ++ if (!OSSL_STORE_eof(sctx) && OSSL_STORE_error(sctx)) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not load from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ OSSL_STORE_close(sctx); ++ } ++#else ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: uris are not supported.\n" ); ++ strncpy( errmsg, "TLS: uris are not supported", ERRBUFSIZE ); ++ return -1; ++#endif ++ } ++ + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); + } +-- +GitLab + diff --git a/deps-packaging/openldap/gcc-8.5.patch b/deps-packaging/openldap/gcc-8.5.patch new file mode 100644 index 000000000..813de5f15 --- /dev/null +++ b/deps-packaging/openldap/gcc-8.5.patch 
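Review bot: In the `ldo_tls_cacerturis` loop added to tlso_ctx_init, the `OSSL_STORE_error` branch logs `lo->ldo_tls_uris[i]` instead of `lo->ldo_tls_cacerturis[i]`; when only LDAP_OPT_X_TLS_CACERTURIS is configured, `ldo_tls_uris` is NULL and that error path dereferences it, and when both are set it reports the wrong URI. The argument should read `lo->ldo_tls_cacerturis[i] );`. Since this file is an upstream backport carried verbatim, the correction belongs in a local follow-up patch next to gcc-8.5.patch, or in a newer upstream revision if one already carries it. The same hunk sets `SSL_CTX_set_client_CA_list( ctx, ca_list )` with an unchecked `sk_X509_NAME_new_null()` result, which is why the later `if ( ca_list )` guard silently drops CA names on allocation failure; a short comment at that guard would save the next reader a trip.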
@@ -0,0 +1,29 @@ +--- openldap-2.6.13/libraries/libldap/tls_o.c 2026-05-19 21:29:39.874030878 +0000 ++++ patched-openldap/libraries/libldap/tls_o.c 2026-05-19 21:24:52.955329138 +0000 +@@ -543,7 +543,7 @@ + + while ((info = OSSL_STORE_load( sctx ))) { + switch (OSSL_STORE_INFO_get_type( info )) { +- case OSSL_STORE_INFO_CERT: ++ case OSSL_STORE_INFO_CERT:; + X509 *cert = OSSL_STORE_INFO_get0_CERT( info ); + X509_STORE *store = SSL_CTX_get_cert_store( ctx ); + if ( !X509_STORE_add_cert( store, cert ) ) { +@@ -753,7 +753,7 @@ + return -1; + } + break; +- case OSSL_STORE_INFO_CERT: ++ case OSSL_STORE_INFO_CERT:; + X509 *cert = OSSL_STORE_INFO_get0_CERT(info); + int is_ca = X509_check_ca( cert ); + if ( !is_ca && !SSL_CTX_use_certificate( ctx, cert )) { +@@ -773,7 +773,7 @@ + return -1; + } + break; +- case OSSL_STORE_INFO_CRL: ++ case OSSL_STORE_INFO_CRL:; + X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); + if ( !X509_STORE_add_crl( x509_s, + OSSL_STORE_INFO_get0_CRL(info) )) { diff --git a/deps-packaging/openldap/mingw/debian/rules b/deps-packaging/openldap/mingw/debian/rules index 61ce10e5a..cb7fa5029 100755 --- a/deps-packaging/openldap/mingw/debian/rules +++ b/deps-packaging/openldap/mingw/debian/rules @@ -15,6 +15,11 @@ build-stamp: patch -p0 < mingw_build_fixes.patch ln -s $(PREFIX)/bin/libgnurx-0.dll . + patch -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch + patch -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch + patch -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch + patch -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch + # Configure is unable to test memcmp for cross-compilation # getaddrinfo/getnameinfo are broken in MinGW as well as socklen in2.4.36 work around it ac_cv_type_socklen_t=yes \ diff --git a/deps-packaging/openldap/solaris/build b/deps-packaging/openldap/solaris/build index 8803da231..0f82ce79f 100755 --- a/deps-packaging/openldap/solaris/build +++ b/deps-packaging/openldap/solaris/build 
@@ -8,6 +8,10 @@ OL=${BUILD_ROOT}/cfbuild-openldap${PREFIX} OLD=${BUILD_ROOT}/cfbuild-openldap-devel${PREFIX} # Patch +$PATCH -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch +$PATCH -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch +$PATCH -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch +$PATCH -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch # Configure From 24f22eadafc308054c25b1f770a1d2b7e6bd637c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 May 2026 08:11:57 +0000 Subject: [PATCH 16/28] Updated dependency 'libcurl' from version 8.17.0 to 8.20.0 (cherry picked from commit bcb631e165972ee40e114d5e2b446e358b6dad26) --- deps-packaging/libcurl/cfbuild-libcurl.spec | 2 +- deps-packaging/libcurl/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec index 592d6c389..82023bbb7 100644 --- a/deps-packaging/libcurl/cfbuild-libcurl.spec +++ b/deps-packaging/libcurl/cfbuild-libcurl.spec @@ -1,4 +1,4 @@ -%define curl_version 8.17.0 +%define curl_version 8.20.0 Summary: CFEngine Build Automation -- libcurl Name: cfbuild-libcurl diff --git a/deps-packaging/libcurl/distfiles b/deps-packaging/libcurl/distfiles index 06c2470ca..024e5bcdd 100644 --- a/deps-packaging/libcurl/distfiles +++ b/deps-packaging/libcurl/distfiles @@ -1 +1 @@ -e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz +fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz From 061fbb7e532b5401727e0ae5054e609efb4ab785 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 11 May 2026 08:11:57 +0000 Subject: [PATCH 17/28] Updated dependency 'libcurl-hub' from version 8.17.0 to 8.20.0 (cherry picked from commit ff90613ee172d72207bab5876bd267bd634269ca) --- deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec | 2 +- deps-packaging/libcurl-hub/distfiles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec index bc9a1045d..61af2fd7e 100644 --- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec +++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec @@ -1,4 +1,4 @@ -%define curl_version 8.17.0 +%define curl_version 8.20.0 Summary: CFEngine Build Automation -- libcurl Name: cfbuild-libcurl-hub diff --git a/deps-packaging/libcurl-hub/distfiles b/deps-packaging/libcurl-hub/distfiles index 06c2470ca..024e5bcdd 100644 --- a/deps-packaging/libcurl-hub/distfiles +++ b/deps-packaging/libcurl-hub/distfiles @@ -1 +1 @@ -e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz +fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz From 22b9c31b2982da9a10423c5d71a8b01269f4e493 Mon Sep 17 00:00:00 2001 
From: Craig Comstock Date: Fri, 15 May 2026 16:31:58 -0500 Subject: [PATCH 18/28] Changed all rhel-based packages to use vendored OpenSSL On rhel-based platforms we must disable libpam integration due to libpam being linked older openssl versions which are incompatible with openssl 4 that we build against. Ticket: ENT-13750 Changelog: title --- README.md | 4 +-- build-scripts/compile-options | 5 ---- build-scripts/configure | 5 ++++ build-scripts/package | 8 ------ ci/cfengine-build-host-setup.cf | 4 --- ci/fix-buildhost.sh | 7 +++++ .../libcurl-hub/cfbuild-libcurl-hub.spec | 5 ---- deps-packaging/libcurl/cfbuild-libcurl.spec | 5 ---- deps-packaging/openldap/cfbuild-openldap.spec | 5 ---- .../cfengine-nova-hub.spec.in | 26 ------------------- packaging/cfengine-nova/cfengine-nova.spec.in | 15 ----------- 11 files changed, 13 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index 3bdcc76ff..022e947ff 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ File `install-dependencies` and the relevant subdirectories in `deps-packaging` | [libyaml](https://pyyaml.org/wiki/LibYAML) | 0.2.5 | 0.2.5 | 0.2.5 | | | [LMDB](https://github.com/LMDB/lmdb/) | 0.9.35 | 0.9.35 | 0.9.35 | | | [OpenLDAP](https://www.openldap.org/software/download/OpenLDAP/openldap-release/) | 2.6.13 | 2.6.13 | 2.6.13 | Enterprise agent only | -| [OpenSSL](https://openssl.org/) | 3.6.2 | 3.6.2 | 3.6.1 | See **note** below | +| [OpenSSL](https://openssl.org/) | 3.6.2 | 3.6.2 | 3.6.1 | | | [PCRE](https://www.pcre.org/) | - | - | - | | | [PCRE2](https://github.com/PCRE2Project/pcre2/releases/) | 10.47 | 10.47 | 10.47 | | | [pthreads-w32](https://sourceware.org/pub/pthreads-win32/) | 2-9-1 | 2-9-1 | 2-9-1 | Windows Enterprise agent | 
@@ -148,8 +148,6 @@ File `install-dependencies` and the relevant subdirectories in `deps-packaging` | [librsync](https://github.com/librsync/librsync/releases) | - | 2.3.4 | 2.3.4 | | | [leech](https://github.com/larsewi/leech/releases) | - | 0.2.0 | 0.2.0 | | -**Note:** We don't package OpenSSL for RHEL >= 8 and SuSE >= 15. -We use the systems bundled SSL for these platforms. ### Enterprise Hub dependencies diff --git a/build-scripts/compile-options b/build-scripts/compile-options index a7e416308..4206536d1 100644 --- a/build-scripts/compile-options +++ b/build-scripts/compile-options @@ -32,10 +32,6 @@ export PROJECT # It's a flag: if it's set to 1 - then we use system OpenSSL. # Otherwise, we build it. if [ -z "$SYSTEM_SSL" ]; then - # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl. - if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then - SYSTEM_SSL=1 - fi if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then if [ "$OS_VERSION_MAJOR" -ge "15" ]; then SYSTEM_SSL=1 @@ -126,7 +122,6 @@ solaris | aix) ;; esac -# We use system bundled SSL on RHEL >= 8 if [ "$SYSTEM_SSL" != 1 ]; then # zlib is a compression library which is a dependency of OpenSSL. # TODO: can we remove zlib dependency? (CFE-4013) diff --git a/build-scripts/configure b/build-scripts/configure index c54b7b64f..78abfa9f7 100755 --- a/build-scripts/configure +++ b/build-scripts/configure @@ -89,6 +89,11 @@ yes) ;; esac +# RHEL 8 using vendored openssl can't use libpam since the distribution libpam is linked with openssl 1.x +if [ "$OS" = "rhel" ] && [ "$_OS_VERSION_MAJOR" -eq "8" ]; then + var_append ARGS "--without-pam" +fi + # RHEL 8 requires an SELinux policy if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then var_append ARGS "--with-selinux-policy" diff --git a/build-scripts/package b/build-scripts/package index f156b8ac7..768083f15 100755 --- a/build-scripts/package +++ b/build-scripts/package 
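Review bot: SYSTEM_SSL=1 is still set for opensuse/sles >= 15 in the context lines directly below the removed RHEL block, while the rest of this commit removes the SUSE system-OpenSSL support that setting relied on: cfbuild-libcurl.spec drops the `suse_version >= 1500` branch that set `ssl_prefix /usr`, cfengine-nova.spec.in drops the `%if 0%{?SYSTEM_SSL}` Requires, and ci/fix-buildhost.sh and cfengine-build-host-setup.cf remove libopenssl-devel from SUSE build hosts. Unless SUSE is handled in another commit of this series, a SUSE 15 build will skip OpenSSL (the `if [ "$SYSTEM_SSL" != 1 ]` block) while libcurl looks for it under %{prefix} and the package loses its libssl Requires. Either delete the SUSE branch here as well, matching the removed README note, or keep the SUSE-specific bits in those files.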
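Review bot: The new `--without-pam` condition tests `$_OS_VERSION_MAJOR`, while the SELinux check two lines below tests `$OS_VERSION_MAJOR`; unless `_OS_VERSION_MAJOR` is defined earlier in this script, `[ "" -eq "8" ]` is a test error, the condition is false, and RHEL 8 keeps linking libpam, which is exactly the combination the commit message says is incompatible with OpenSSL 4. Suggested line: `if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -eq "8" ]; then`. Since dropping PAM changes whatever authentication path uses libpam on that platform, the comment above the check (or the changelog entry) should also state what functionality is lost.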
@@ -195,13 +195,6 @@ rpm | lpp) exit 1 fi log_debug "SELinux policy version: $SELINUX_POLICY_VERSION" - # Get OpenSSL version to ensure compatibility - OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1) - if [ -z "$OPENSSL_VERSION" ]; then - log_error "Unable to determine OpenSSL package version" - exit 1 - fi - log_debug "OpenSSL version: $OPENSSL_VERSION" fi # Generate RPM spec file from template, substituting version info and scripts @@ -210,7 +203,6 @@ rpm | lpp) -e "s/@@VERSION@@/$RPM_VERSION/g" \ -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \ -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \ - -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \ -e "/^%pre\$/r $PREINSTALL" \ -e "/^%post\$/r $POSTINSTALL" \ -e "/^%preun\$/r $PREREMOVE" \ diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf index e77a92c0e..7f9729664 100644 --- a/ci/cfengine-build-host-setup.cf +++ b/ci/cfengine-build-host-setup.cf @@ -162,16 +162,12 @@ bundle agent cfengine_build_host_setup "platform-python-devel" -> { "cfbs shebang", "ENT-11338" } comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package"; - suse_15:: - "libopenssl-devel" -> { "ENT-12528" } - comment => "like redhat, suse 15+ needs to build with system openssl."; (redhat_8|centos_8|redhat_9|redhat_10).(yum_dnf_conf_ok):: "java-1.8.0-openjdk-headless" package_policy => "delete", comment => "Installing Development Tools includes this jdk1.8 which we do not want."; "pkgconf" comment => "pkgconfig renamed to pkgconf in rhel8"; "selinux-policy-devel" comment => "maybe add to _7 and _6?"; - "openssl-devel"; (redhat_9|redhat_10).(yum_dnf_conf_ok):: "perl-Sys-Hostname" comment => "Needed by __04_examples_outputs_check_outputs_cf"; diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh index 688375966..4ab265887 100755 --- a/ci/fix-buildhost.sh +++ b/ci/fix-buildhost.sh 
@@ -36,3 +36,10 @@ if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then . /etc/profile fi fi +# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages +if command -v zypper >/dev/null 2>/dev/null; then + sudo zypper remove -y libopenssl-devel || true +fi +if command -v yum >/dev/null 2>/dev/null; then + sudo yum erase -y openssl-devel || true +fi diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec index 61af2fd7e..bdf2e2a9f 100644 --- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec +++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec @@ -18,12 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -%define ssl_prefix /usr -%else %define ssl_prefix %{prefix} -%endif ./configure \ --with-sysroot=%{prefix} \ diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec index 82023bbb7..af8b415c6 100644 --- a/deps-packaging/libcurl/cfbuild-libcurl.spec +++ b/deps-packaging/libcurl/cfbuild-libcurl.spec @@ -18,12 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -# we don't bundle OpenSSL on RHEL 8 & SUSE 15 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 || %{?suse_version}%{!?suse_version:0} >= 1500 -%define ssl_prefix /usr -%else %define ssl_prefix %{prefix} -%endif ./configure \ --with-sysroot=%{prefix} \ diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec index ade1db7be..37a5fb139 100644 --- a/deps-packaging/openldap/cfbuild-openldap.spec +++ b/deps-packaging/openldap/cfbuild-openldap.spec 
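Review bot: Both removals end in `|| true`, so a host where `yum erase` or `zypper remove` fails (no sudo, a dependency conflict) silently keeps the system OpenSSL headers under /usr/include, and nothing here reports that the vendored build may still pick them up. Consider checking the end state instead of ignoring the exit status, e.g. `rpm -q openssl-devel >/dev/null 2>&1 && { echo 'openssl-devel still installed' >&2; exit 1; }` after the yum branch, with the matching package name for zypper. Note also that both commands remove packages that depend on the -devel package, which may take other development packages off the build host; worth confirming on an actual RHEL 8/9 image.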
@@ -32,12 +32,7 @@ mkdir -p %{_builddir} %patch -P4 -p1 %patch -P5 -p1 -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -CPPFLAGS=-I%{buildprefix}/include:/usr/include -%else CPPFLAGS=-I%{buildprefix}/include -%endif # # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU. diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in index 26d966570..9b13166c3 100644 --- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in +++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in @@ -31,23 +31,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} == 8 -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -Requires: openssl -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: openssl -%endif - # cfbs/Build requires Python 3.5+ (not available on RHEL 6) %if %{?rhel}%{!?rhel:0} == 7 Requires: python3 >= 3.5 
@@ -106,10 +89,6 @@ rm -f %{prefix}/ssl/misc/tsget rm -f %{prefix}/ssl/openssl.cnf.dist rm -f %{prefix}/ssl/misc/tsget.pl -# Add an openssl symlink if openssl binary doesn't exist -if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then - ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl -fi # Hub does not need cf-upgrade, it is only present in host packages rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade @@ -253,16 +232,11 @@ exit 0 # init.d script enterprise part %{prefix}/bin/cfengine3-nova-hub-init-d.sh -# OpenSSL tools (we don't bundle OpenSSL on RHEL 8) -# Note that prefix/bin/openssl is outside of `if`, since -# on RHEL8 it's a symlink to a system-wide openssl binary %{prefix}/bin/openssl -%if %{?rhel}%{!?rhel:0} <= 7 %dir %{prefix}/ssl %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist -%endif %prefix/bin/git %prefix/bin/gitk diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in index afe2d65f4..81b018910 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.in 
@@ -23,21 +23,6 @@ Recommends: gzip Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15 -%if 0%{?SYSTEM_SSL} -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -%endif - AutoReqProv: no %if %{?with_debugsym}%{!?with_debugsym:0} From 6bcbd2baedb8b8a5f9cdfeada026a4d563bd91a6 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 18 May 2026 09:23:21 -0500 Subject: [PATCH 19/28] with openssl4 changes, packaging in windows requires change from version 3 to 4 and new GUIDs for libcrypto and libssl dlls --- packaging/cfengine-nova/cfengine-nova.wxs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packaging/cfengine-nova/cfengine-nova.wxs b/packaging/cfengine-nova/cfengine-nova.wxs index 8fcc0f65b..a39117727 100644 --- a/packaging/cfengine-nova/cfengine-nova.wxs +++ b/packaging/cfengine-nova/cfengine-nova.wxs @@ -138,11 +138,11 @@ - - + + - - + + @@ -206,8 +206,8 @@ - - + + From 0a833be8ac60974334252f6dfbcbb938e442efa1 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 18 May 2026 08:23:24 +0000 Subject: [PATCH 20/28] Updated dependency 'postgresql' from version 18.3 to 18.4 (cherry picked from commit b2f6e55d26ed284bc6b36a0bfac5db1ca80e99ba) --- deps-packaging/postgresql/cfbuild-postgresql.spec | 2 +- deps-packaging/postgresql/distfiles | 2 +- deps-packaging/postgresql/source | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deps-packaging/postgresql/cfbuild-postgresql.spec b/deps-packaging/postgresql/cfbuild-postgresql.spec index 3c73875b6..0b1d0354c 100644 --- a/deps-packaging/postgresql/cfbuild-postgresql.spec +++ b/deps-packaging/postgresql/cfbuild-postgresql.spec @@ -1,4 +1,4 @@ -%define postgresql_version 18.3 +%define postgresql_version 18.4 Summary: CFEngine Build Automation -- postgresql Name: cfbuild-postgresql diff --git a/deps-packaging/postgresql/distfiles b/deps-packaging/postgresql/distfiles index 44943e1f8..24712a098 100644 --- a/deps-packaging/postgresql/distfiles +++ b/deps-packaging/postgresql/distfiles @@ -1 +1 @@ -d95663fbbf3a80f81a9d98d895266bdcb74ba274bcc04ef6d76630a72dee016f postgresql-18.3.tar.bz2 +81a81ec695fb0c7901407defaa1d2f7973617154cf27ba74e3a7ab8e64436094 postgresql-18.4.tar.bz2 diff --git a/deps-packaging/postgresql/source b/deps-packaging/postgresql/source index 04a72e6e8..c716f16e5 100644 --- a/deps-packaging/postgresql/source +++ b/deps-packaging/postgresql/source @@ -1 +1 @@ -https://ftp.postgresql.org/pub/source/v18.3/ +https://ftp.postgresql.org/pub/source/v18.4/ From 8573bdef2f4ee666c62a4c2831ece0f4d6b16d6f Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 18 May 2026 16:21:09 -0500 Subject: [PATCH 21/28] apache httpd patch from upstream for openssl 4.0 --- .../1933586-openssl-4.0-compatibility.patch | 383 ++++++++++++++++++ deps-packaging/apache/cfbuild-apache.spec | 2 + deps-packaging/apache/debian/rules | 1 + 3 files changed, 386 insertions(+) create mode 100644 deps-packaging/apache/1933586-openssl-4.0-compatibility.patch 
diff --git a/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch b/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch
new file mode 100644
index 000000000..e219add00
--- /dev/null
+++ b/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch
@@ -0,0 +1,383 @@ +Index: modules/ssl/ssl_engine_log.c +=================================================================== +--- modules/ssl/ssl_engine_log.c (revision 1933585) ++++ modules/ssl/ssl_engine_log.c (revision 1933586) +@@ -126,7 +126,7 @@ + static void ssl_log_cert_error(const char *file, int line, int level, + apr_status_t rv, const server_rec *s, + const conn_rec *c, const request_rec *r, +- apr_pool_t *p, X509 *cert, const char *format, ++ apr_pool_t *p, const X509 *cert, const char *format, + va_list ap) + { + char buf[HUGE_STRING_LEN]; +@@ -167,14 +167,14 @@ + } + + BIO_puts(bio, " / serial: "); +- if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1) ++ if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1) + BIO_puts(bio, "(ERROR)"); + + BIO_puts(bio, " / notbefore: "); +- ASN1_TIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); + + BIO_puts(bio, " / notafter: "); +- ASN1_TIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); + + BIO_puts(bio, "]"); + +@@ -212,7 +212,7 @@ + * in the other cases we use the connection and request pool, respectively). + */ + void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, +- apr_pool_t *ptemp, server_rec *s, X509 *cert, ++ apr_pool_t *ptemp, server_rec *s, const X509 *cert, + const char *fmt, ...) + { + if (APLOG_IS_LEVEL(s,level)) { +@@ -225,7 +225,7 @@ + } + + void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, +- conn_rec *c, X509 *cert, const char *fmt, ...) ++ conn_rec *c, const X509 *cert, const char *fmt, ...) + { + if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) { + va_list ap; +@@ -237,7 +237,7 @@ + } + + void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, +- request_rec *r, X509 *cert, const char *fmt, ...) ++ request_rec *r, const X509 *cert, const char *fmt, ...) 
+ { + if (APLOG_R_IS_LEVEL(r,level)) { + va_list ap; +Index: modules/ssl/ssl_engine_ocsp.c +=================================================================== +--- modules/ssl/ssl_engine_ocsp.c (revision 1933585) ++++ modules/ssl/ssl_engine_ocsp.c (revision 1933586) +@@ -38,8 +38,8 @@ + /* Name found in extension, and is a URI: */ + if (OBJ_obj2nid(value->method) == NID_ad_OCSP + && value->location->type == GEN_URI) { +- result = apr_pstrdup(pool, +- (char *)value->location->d.uniformResourceIdentifier->data); ++ const ASN1_STRING *uri = value->location->d.uniformResourceIdentifier; ++ result = modssl_ASN1_STRING_convert(pool, uri, 0); + } + } + +Index: modules/ssl/ssl_private.h +=================================================================== +--- modules/ssl/ssl_private.h (revision 1933585) ++++ modules/ssl/ssl_private.h (revision 1933586) +@@ -155,6 +155,12 @@ + #define MODSSL_SSL_METHOD_CONST + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x40000000L ++#define MODSSL_X509_EXT_CONST const ++#else ++#define MODSSL_X509_EXT_CONST ++#endif ++ + #if defined(LIBRESSL_VERSION_NUMBER) + /* Missing from LibreSSL */ + #if LIBRESSL_VERSION_NUMBER < 0x2060000f +@@ -282,6 +288,10 @@ + #define DH_bits(x) (BN_num_bits(x->p)) + #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509)) + #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY)) ++#define ASN1_STRING_get0_data(x) ((x)->data) ++#define ASN1_STRING_length(x) ((int)(x)->length) ++#define X509_get0_before(x) X509_get_before(x) ++#define X509_get0_after(x) X509_get_after(x) + #else + void init_bio_methods(void); + void free_bio_methods(void); +@@ -1212,16 +1222,16 @@ + * counterparts. */ + void ssl_log_xerror(const char *file, int line, int level, + apr_status_t rv, apr_pool_t *p, server_rec *s, +- X509 *cert, const char *format, ...) ++ const X509 *cert, const char *format, ...) 
+ __attribute__((format(printf,8,9))); + + void ssl_log_cxerror(const char *file, int line, int level, +- apr_status_t rv, conn_rec *c, X509 *cert, ++ apr_status_t rv, conn_rec *c, const X509 *cert, + const char *format, ...) + __attribute__((format(printf,7,8))); + + void ssl_log_rxerror(const char *file, int line, int level, +- apr_status_t rv, request_rec *r, X509 *cert, ++ apr_status_t rv, request_rec *r, const X509 *cert, + const char *format, ...) + __attribute__((format(printf,7,8))); + +Index: modules/ssl/ssl_util_ssl.c +=================================================================== +--- modules/ssl/ssl_util_ssl.c (revision 1933585) ++++ modules/ssl/ssl_util_ssl.c (revision 1933586) +@@ -206,7 +206,7 @@ + /* Convert ASN.1 string to a pool-allocated char * string, escaping + * control characters. If raw is zero, convert to UTF-8, otherwise + * unchanged from the character set. */ +-static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) ++char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, int raw) + { + BIO *bio; + int flags = ASN1_STRFLGS_ESC_CTRL; +@@ -221,13 +221,13 @@ + return modssl_bio_free_read(p, bio); + } + +-#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0) ++#define asn1_string_to_utf8(p, a) modssl_ASN1_STRING_convert(p, a, 0) + + /* convert a NAME_ENTRY to UTF8 string */ +-char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, ++char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, + int raw) + { +- char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); ++ char *result = modssl_ASN1_STRING_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); + ap_xlate_proto_from_ascii(result, len); + return result; + } +@@ -236,7 +236,7 @@ + * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated + * to maxlen characters (specify a maxlen of 0 for no length limit) + */ +-char 
*modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) ++char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen) + { + char *result = NULL; + BIO *bio; +@@ -373,7 +373,7 @@ + /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ + static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) + { +- X509_NAME *subj; ++ const X509_NAME *subj; + int i = -1; + + /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ +Index: modules/ssl/ssl_util_ssl.h +=================================================================== +--- modules/ssl/ssl_util_ssl.h (revision 1933585) ++++ modules/ssl/ssl_util_ssl.h (revision 1933586) +@@ -71,13 +71,19 @@ + + int modssl_smart_shutdown(SSL *ssl); + BOOL modssl_X509_getBC(X509 *, int *, int *); +-char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, ++char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, + int raw); +-char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); ++char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int); + BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); + BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); + char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); + ++/* Convert ASN.1 string to a pool-allocated char * string, escaping ++ * control characters. If raw is zero, convert to UTF-8, otherwise ++ * unchanged from the character set. */ ++char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, ++ int raw); ++ + /* Reads the remaining data in BIO, if not empty, and copies it into a + * pool-allocated string. If empty, returns NULL. BIO_free(bio) is + * called for both cases. 
*/ +Index: modules/ssl/ssl_engine_kernel.c +=================================================================== +--- modules/ssl/ssl_engine_kernel.c (revision 1933585) ++++ modules/ssl/ssl_engine_kernel.c (revision 1933586) +@@ -1263,7 +1263,7 @@ + } + + if (!sslconn->client_dn) { +- X509_NAME *name = X509_get_subject_name(sslconn->client_cert); ++ const X509_NAME *name = X509_get_subject_name(sslconn->client_cert); + char *cp = X509_NAME_oneline(name, NULL, 0); + sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); + OPENSSL_free(cp); +@@ -1817,7 +1817,7 @@ + server_rec *s = mySrvFromConn(c); + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLDirConfigRec *dc = myDirConfigFromConn(c); +- X509_NAME *ca_name, *issuer, *ca_issuer; ++ const X509_NAME *ca_name, *issuer, *ca_issuer; + X509_INFO *info; + X509 *ca_cert; + STACK_OF(X509_NAME) *ca_list; +Index: modules/ssl/ssl_engine_vars.c +=================================================================== +--- modules/ssl/ssl_engine_vars.c (revision 1933585) ++++ modules/ssl/ssl_engine_vars.c (revision 1933586) +@@ -41,10 +41,10 @@ + + static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var); + static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var); +-static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); ++static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var); + static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var); +-static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); +-static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); ++static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm); ++static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm); + static const char 
*ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); + static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var, int pem); + static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); +@@ -598,7 +598,7 @@ + } + + static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, +- X509_NAME *xsname) ++ const X509_NAME *xsname) + { + char *result = NULL; + SSLDirConfigRec *dc; +@@ -629,7 +629,7 @@ + const char *var) + { + const char *result; +- X509_NAME *xsname; ++ const X509_NAME *xsname; + int nid; + + result = NULL; +@@ -641,13 +641,13 @@ + result = ssl_var_lookup_ssl_cert_serial(p, xs); + } + else if (strcEQ(var, "V_START")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs)); + } + else if (strcEQ(var, "V_END")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs)); + } + else if (strcEQ(var, "V_REMAIN")) { +- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs)); + } + else if (*var && strcEQ(var+1, "_DN")) { + if (*var == 'S') +@@ -727,12 +727,12 @@ + { NULL, 0, 0 } + }; + +-static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, +- const char *var) ++static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, ++ const char *var) + { + const char *ptr; + const char *result; +- X509_NAME_ENTRY *xsne; ++ const X509_NAME_ENTRY *xsne; + int i, j, n, idx = 0, raw = 0; + apr_size_t varlen; + +@@ -759,7 +759,7 @@ + for (j = 0; j < X509_NAME_entry_count(xsname); j++) { + xsne = X509_NAME_get_entry(xsname, j); + +- n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); ++ n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); + + if (n == 
ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) { + result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw); +@@ -816,7 +816,7 @@ + return NULL; + } + +-static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) ++static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm) + { + BIO* bio; + +@@ -837,12 +837,12 @@ + + /* Return a string giving the number of days remaining until 'tm', or + * "0" if this can't be determined. */ +-static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) ++static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm) + { + #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + int diff; + +- if (INVALID_ASN1_TIME(tm) || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { ++ if (ASN1_TIME_check(tm) != 1 || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { + return "0"; + } + #else +@@ -929,7 +929,7 @@ + + serialNumber = X509_get_serialNumber(xs); + if (serialNumber) { +- X509_NAME *issuer = X509_get_issuer_name(xs); ++ const X509_NAME *issuer = X509_get_issuer_name(xs); + if (issuer) { + BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL); + if((decimal = BN_bn2dec(bn)) == NULL) { +@@ -1112,9 +1112,9 @@ + /* Add each RDN in 'xn' to the table 't' where the NID is present in + * 'nids', using key prefix 'pfx'. */ + static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, +- X509_NAME *xn, apr_pool_t *p) ++ const X509_NAME *xn, apr_pool_t *p) + { +- X509_NAME_ENTRY *xsne; ++ const X509_NAME_ENTRY *xsne; + apr_hash_t *count; + int i, nid; + +@@ -1129,7 +1129,7 @@ + + /* Retrieve the nid, and check whether this is one of the nids + * which are to be extracted. 
*/ +- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); ++ nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); + + tag = apr_hash_get(nids, &nid, sizeof nid); + if (tag) { +@@ -1242,19 +1242,19 @@ + * parse the extension type as a primitive string. This will fail for + * any structured extension type per the docs. Returns non-zero on + * success and writes the string to the given bio. */ +-static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) ++static int dump_extn_value(BIO *bio, const ASN1_OCTET_STRING *str) + { +- const unsigned char *pp = str->data; ++ const unsigned char *pp = ASN1_STRING_get0_data(str); + ASN1_STRING *ret = ASN1_STRING_new(); + int rv = 0; + +- if(!ret) { +- return rv; ++ if (!ret) { ++ return rv; + } + + /* This allows UTF8String, IA5String, VisibleString, or BMPString; + * conversion to UTF-8 is forced. */ +- if (d2i_DISPLAYTEXT(&ret, &pp, str->length)) { ++ if (d2i_DISPLAYTEXT(&ret, &pp, ASN1_STRING_length(str))) { + ASN1_STRING_print_ex(bio, ret, ASN1_STRFLGS_UTF8_CONVERT); + rv = 1; + } +@@ -1301,7 +1301,7 @@ + */ + array = apr_array_make(p, count, sizeof(char *)); + for (j = 0; j < count; j++) { +- X509_EXTENSION *ext = X509_get_ext(xs, j); ++ MODSSL_X509_EXT_CONST X509_EXTENSION *ext = X509_get_ext(xs, j); + + if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { + BIO *bio = BIO_new(BIO_s_mem()); diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index 854b8cafd..e3646d636 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -9,6 +9,7 @@ Source0: httpd-%{apache_version}.tar.gz Source1: httpd.conf Patch0: apachectl.patch Patch1: fixed-implicit-decl-gettid.patch +Patch2: 1933586-openssl-4.0-compatibility.patch License: MIT Group: Other Url: https://cfengine.com @@ -24,6 +25,7 @@ mkdir -p %{_builddir} %patch -P 0 %patch -P 1 -p1 +%patch -P 2 -p1 CPPFLAGS=-I%{buildprefix}/include 
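Review bot: In the pre-1.1 compatibility block of modules/ssl/ssl_private.h this patch adds `#define X509_get0_before(x) X509_get_before(x)` and `#define X509_get0_after(x) X509_get_after(x)`, but the callers it rewrites in ssl_engine_log.c and ssl_engine_vars.c use `X509_get0_notBefore`/`X509_get0_notAfter`, and `X509_get_before`/`X509_get_after` are not names used anywhere else in the patch, so those macros appear misnamed and would leave the new calls undefined on OpenSSL < 1.1 (no compat macro is visible for `X509_get0_serialNumber` either). This repo bundles OpenSSL 4.0, so that branch is presumably never compiled here and this is a fidelity issue with the vendored upstream change rather than a build break; if the file is carried verbatim the spec's `Patch2:` line deserves a comment saying so and naming the upstream revision, and if a local fix is wanted the macros should read `#define X509_get0_notBefore(x) X509_get_notBefore(x)` / `#define X509_get0_notAfter(x) X509_get_notAfter(x)`. The later commit in this series (PATCH 22/28) deletes this file in favour of 0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch, whose description lists the same `X509_get0_before`/`X509_get0_after` macro names, so the same check applies there.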
diff --git a/deps-packaging/apache/debian/rules b/deps-packaging/apache/debian/rules index f87909918..1c5c5c129 100755 --- a/deps-packaging/apache/debian/rules +++ b/deps-packaging/apache/debian/rules @@ -17,6 +17,7 @@ build-stamp: # Fixed implicit declaration of GNU extension gettid() (See ENT-13084) patch -p1 < $(CURDIR)/fixed-implicit-decl-gettid.patch + patch -p1 < $(CURDIR)/1933586-openssl-4.0-compatibility.patch ./configure \ --prefix=$(PREFIX)/httpd \ From f4cc4b04e590974c576b5c4e2a196a5f0357d3bf Mon Sep 17 00:00:00 2001 
From: Craig Comstock Date: Mon, 18 May 2026 16:40:42 -0500 Subject: [PATCH 22/28] fix: apache with openssl4 fixes and other bits --- build-scripts/install-dependencies | 2 +- ....0-compatibility-and-test-that-in-CI.patch | 578 ++++++++++++++++++ ...I-add-OpenSSL-build-binaries-to-PATH.patch | 43 ++ ...3.x-using-Apache-Test-trunk-to-pick-.patch | 33 + ...915513-to-make-the-travis_run_linux..patch | 356 +++++++++++ ...05-Part-merge-of-r1919524-from-trunk.patch | 105 ++++ ...o-engine-config-option-is-redundant-.patch | 28 + ...-0c9cd095ce9081fd225f0da7787419e80de.patch | 31 + ...-failures-during-OpenSSL-ech-job-set.patch | 90 +++ .../1933586-openssl-4.0-compatibility.patch | 383 ------------ deps-packaging/apache/apachectl.patch | 4 +- deps-packaging/apache/cfbuild-apache.spec | 18 +- deps-packaging/apache/debian/rules | 13 +- 13 files changed, 1291 insertions(+), 393 deletions(-) create mode 100644 deps-packaging/apache/0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch create mode 100644 deps-packaging/apache/0002-CI-add-OpenSSL-build-binaries-to-PATH.patch create mode 100644 deps-packaging/apache/0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch create mode 100644 deps-packaging/apache/0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch create mode 100644 deps-packaging/apache/0005-Part-merge-of-r1919524-from-trunk.patch create mode 100644 deps-packaging/apache/0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch create mode 100644 deps-packaging/apache/0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch create mode 100644 deps-packaging/apache/0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch delete mode 100644 deps-packaging/apache/1933586-openssl-4.0-compatibility.patch diff --git a/build-scripts/install-dependencies b/build-scripts/install-dependencies index 02ecd79a2..917cbffc3 100755 --- a/build-scripts/install-dependencies +++ b/build-scripts/install-dependencies 
@@ -146,7 +146,7 @@ for dep in $DEPS; do
 optimize=yes
 debugsym=no
 versuffix=+untested
- tests=no
+ tests=yes
 ;;
 RELEASE)
 optimize=yes
diff --git a/deps-packaging/apache/0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch b/deps-packaging/apache/0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch
new file mode 100644
index 000000000..b3eee0d54
--- /dev/null
+++ b/deps-packaging/apache/0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch
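Review bot: Flipping `tests=no` to `tests=yes` in this arm of build-scripts/install-dependencies is not mentioned in the commit message ("apache with openssl4 fixes and other bits"), and the arm's case label sits above the hunk, so which build profile now runs dependency tests cannot be seen here. The neighbouring `versuffix=+untested` suggests a profile that was deliberately marked as not tested, so either that suffix is now misleading or this switch is a temporary aid for checking the OpenSSL 4.0 apache build and should be reverted. State the intent on the line, e.g. `tests=yes  # exercise dependency test suites for the OpenSSL 4.0 rebuild`, or move the change into its own commit. The enclosing `case` arm and the `for dep in $DEPS` loop start outside the hunk.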
@@ -0,0 +1,578 @@ +From fc41ceca63d861e6a67a3845daf5f13561fa6e44 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Thu, 30 Apr 2026 12:19:58 +0000 +Subject: [PATCH 1/8] Fix OpenSSL 4.0 compatibility and test that in CI. + +CI: Update to test OpenSSL 4.0.0 explicitly. +CI: No longer disable deprecated-declaration warnings for OpenSSL 3.4 -Werror build. + +* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Change name to + const X509_NAME *. + (ssl_callback_proxy_cert): Change ca_name, issuer, and ca_issuer to + const X509_NAME *. + +* modules/ssl/ssl_engine_log.c (ssl_log_cert_error): Change cert + parameter to const X509 *. Use X509_get0_serialNumber, + X509_get0_notBefore, and X509_get0_notAfter instead of non-const + variants. + (ssl_log_xerror, ssl_log_cxerror, ssl_log_rxerror): Change cert + parameter to const X509 *. + +* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Change + xsname parameter to const X509_NAME *. + (ssl_var_lookup_ssl_cert_dn_oneline): Change xsname parameter to + const X509_NAME *. + (ssl_var_lookup_ssl_cert): Change xsname to const X509_NAME *. + (ssl_var_lookup_ssl_cert_rfc4523_cea): Change issuer to const + X509_NAME *. + +* modules/ssl/ssl_private.h (ssl_log_xerror, ssl_log_cxerror, + ssl_log_rxerror): Update declarations to use const X509 *. + +* modules/ssl/ssl_util_ssl.c (modssl_X509_NAME_to_string): Change dn + parameter to const X509_NAME *. + (getIDs): Change subj to const X509_NAME *. + +* modules/ssl/ssl_util_ssl.h (modssl_X509_NAME_to_string): Update + declaration to use const X509_NAME *. + +* support/ab.c (ssl_print_cert_info): Change dn to const X509_NAME *. + +mod_ssl: use ASN1_STRING accessor API in dump_extn_value: + +* modules/ssl/ssl_engine_vars.c (dump_extn_value): Use + ASN1_STRING_get0_data() and ASN1_STRING_length() rather than + directly dereferencing the ASN1_OCTET_STRING structure, which is + opaque in OpenSSL 4.0. 
+* modules/ssl/ssl_private.h: Add compat macros for + ASN1_STRING_get0_data and ASN1_STRING_length for pre-1.1 API. + +mod_ssl: constify ASN1_TIME pointers, use X509_get0_not{Before,After}: + +* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_valid, + ssl_var_lookup_ssl_cert_remain): Constify ASN1_TIME * parameter. + (ssl_var_lookup_ssl_cert): Use X509_get0_notBefore() and + X509_get0_notAfter() which return const pointers. + (ssl_var_lookup_ssl_cert_remain): Use ASN1_TIME_check() directly + rather than INVALID_ASN1_TIME macro which dereferences the + ASN1_TIME structure. + (dump_extn_value): Constify ASN1_OCTET_STRING * parameter. +* modules/ssl/ssl_private.h: Add compat macros for + X509_get0_before and X509_get0_after for pre-1.1 API. + +mod_ssl: constify X509_NAME_ENTRY and X509_EXTENSION pointers: + +* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn, + extract_dn): Constify X509_NAME_ENTRY * variables, constify + X509_NAME * parameter of extract_dn, drop unnecessary casts + on X509_NAME_ENTRY_get_object() calls. + (ssl_ext_list): Use MODSSL_X509_EXT_CONST for X509_EXTENSION * + since X509_EXTENSION accessors are only constified in OpenSSL 4. +* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h + (modssl_X509_NAME_ENTRY_to_string): Constify X509_NAME_ENTRY * + parameter. +* modules/ssl/ssl_private.h: Add MODSSL_X509_EXT_CONST, defined + as const for OpenSSL 4+ and empty otherwise. + +* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Constify + ASN1_STRING * argument. +* modules/ssl/ssl_engine_ocsp.c (extract_responder_uri): Use + modssl_ASN1_STRING_convert instead of directly accessing ASN1_STRING + data pointer. + +* modules/ssl/ssl_util_ssl.c (modssl_ASN1_STRING_convert): Rename from + asn1_string_convert and export function. + (asn1_string_to_utf8): Update to use modssl_ASN1_STRING_convert. + (modssl_X509_NAME_ENTRY_to_string): Update to use + modssl_ASN1_STRING_convert. 
+ +* modules/ssl/ssl_util_ssl.h (modssl_ASN1_STRING_convert): Declare new + function. + +Co-Authored-By: Claude Opus 4.6 +Github: closes #609 + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933586 13f79535-47bb-0310-9956-ffa450edef68 +--- + .github/workflows/linux.yml | 52 +++++++++++++++++++++++++++++++ + modules/ssl/ssl_engine_kernel.c | 4 +-- + modules/ssl/ssl_engine_log.c | 14 ++++----- + modules/ssl/ssl_engine_ocsp.c | 4 +-- + modules/ssl/ssl_engine_vars.c | 54 ++++++++++++++++++++------------- + modules/ssl/ssl_private.h | 18 +++++++++-- + modules/ssl/ssl_util_ssl.c | 12 ++++---- + modules/ssl/ssl_util_ssl.h | 10 ++++-- + support/ab.c | 2 +- + 9 files changed, 126 insertions(+), 44 deletions(-) + +diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml +index 3d4d935..668dc11 100644 +--- a/.github/workflows/linux.yml ++++ b/.github/workflows/linux.yml +@@ -260,6 +260,58 @@ jobs: + # APR_VERSION=1.7.3 + # APU_VERSION=1.6.3 + # APU_CONFIG="--with-crypto --with-ldap" ++ # ------------------------------------------------------------------------- ++ - name: OpenSSL 3.0 LTS ++ config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto ++ env: | ++ TEST_OPENSSL3=3.0.18 ++ APR_VERSION=1.7.6 ++ APU_VERSION=1.6.3 ++ APU_CONFIG="--without-crypto" ++ pkgs: subversion ++ # ------------------------------------------------------------------------- ++ - name: OpenSSL 3.4 -Werror ++ config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto ++ notest-cflags: -Werror -O2 ++ env: | ++ TEST_OPENSSL3=3.4.4 ++ APR_VERSION=1.7.6 ++ APU_VERSION=1.6.3 ++ APU_CONFIG="--without-crypto" ++ pkgs: subversion ++ # ------------------------------------------------------------------------- ++ - name: OpenSSL 3.4 no-engine ++ config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap 
--disable-crypto ++ env: | ++ TEST_OPENSSL3=3.4.4 ++ OPENSSL_CONFIG=no-engine ++ APR_VERSION=1.7.6 ++ APU_VERSION=1.6.3 ++ APU_CONFIG="--without-crypto" ++ pkgs: subversion ++ # ------------------------------------------------------------------------- ++ - name: OpenSSL 3.5 no-engine -Werror ++ config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto ++ notest-cflags: -Werror -O2 ++ env: | ++ TEST_OPENSSL3=3.5.5 ++ OPENSSL_CONFIG=no-engine ++ APR_VERSION=1.7.6 ++ APU_VERSION=1.6.3 ++ APU_CONFIG="--without-crypto" ++ pkgs: subversion ++ # ------------------------------------------------------------------------- ++ - name: OpenSSL 4.0 ++ config: --enable-mods-shared=most --enable-maintainer-mode --disable-md --disable-http2 --disable-ldap --disable-crypto ++ notest-cflags: -Werror -O2 ++ env: | ++ TEST_OPENSSL3=4.0.0 ++ OPENSSL_CONFIG=no-engine ++ APR_VERSION=1.7.6 ++ APU_VERSION=1.6.3 ++ APU_CONFIG="--without-crypto" ++ pkgs: subversion ++ # ------------------------------------------------------------------------- + runs-on: ${{ matrix.os == '' && 'ubuntu-latest' || matrix.os }} + timeout-minutes: 30 + env: +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 83ae90e..7d06f39 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1254,7 +1254,7 @@ int ssl_hook_UserCheck(request_rec *r) + } + + if (!sslconn->client_dn) { +- X509_NAME *name = X509_get_subject_name(sslconn->client_cert); ++ const X509_NAME *name = X509_get_subject_name(sslconn->client_cert); + char *cp = X509_NAME_oneline(name, NULL, 0); + sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); + OPENSSL_free(cp); +@@ -1778,7 +1778,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) + server_rec *s = mySrvFromConn(c); + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLDirConfigRec *dc = myDirConfigFromConn(c); +- X509_NAME *ca_name, *issuer, *ca_issuer; 
++ const X509_NAME *ca_name, *issuer, *ca_issuer; + X509_INFO *info; + X509 *ca_cert; + STACK_OF(X509_NAME) *ca_list; +diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c +index 3b3ceac..341cc0d 100644 +--- a/modules/ssl/ssl_engine_log.c ++++ b/modules/ssl/ssl_engine_log.c +@@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) + static void ssl_log_cert_error(const char *file, int line, int level, + apr_status_t rv, const server_rec *s, + const conn_rec *c, const request_rec *r, +- apr_pool_t *p, X509 *cert, const char *format, ++ apr_pool_t *p, const X509 *cert, const char *format, + va_list ap) + { + char buf[HUGE_STRING_LEN]; +@@ -167,14 +167,14 @@ static void ssl_log_cert_error(const char *file, int line, int level, + } + + BIO_puts(bio, " / serial: "); +- if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1) ++ if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1) + BIO_puts(bio, "(ERROR)"); + + BIO_puts(bio, " / notbefore: "); +- ASN1_TIME_print(bio, X509_get_notBefore(cert)); ++ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); + + BIO_puts(bio, " / notafter: "); +- ASN1_TIME_print(bio, X509_get_notAfter(cert)); ++ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); + + BIO_puts(bio, "]"); + +@@ -209,7 +209,7 @@ static void ssl_log_cert_error(const char *file, int line, int level, + * in the other cases we use the connection and request pool, respectively). + */ + void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, +- apr_pool_t *ptemp, server_rec *s, X509 *cert, ++ apr_pool_t *ptemp, server_rec *s, const X509 *cert, + const char *fmt, ...) + { + if (APLOG_IS_LEVEL(s,level)) { +@@ -222,7 +222,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, + } + + void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, +- conn_rec *c, X509 *cert, const char *fmt, ...) ++ conn_rec *c, const X509 *cert, const char *fmt, ...) 
+ { + if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) { + va_list ap; +@@ -234,7 +234,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, + } + + void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, +- request_rec *r, X509 *cert, const char *fmt, ...) ++ request_rec *r, const X509 *cert, const char *fmt, ...) + { + if (APLOG_R_IS_LEVEL(r,level)) { + va_list ap; +diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c +index 5e04512..539ed10 100644 +--- a/modules/ssl/ssl_engine_ocsp.c ++++ b/modules/ssl/ssl_engine_ocsp.c +@@ -38,8 +38,8 @@ static const char *extract_responder_uri(X509 *cert, apr_pool_t *pool) + /* Name found in extension, and is a URI: */ + if (OBJ_obj2nid(value->method) == NID_ad_OCSP + && value->location->type == GEN_URI) { +- result = apr_pstrdup(pool, +- (char *)value->location->d.uniformResourceIdentifier->data); ++ const ASN1_STRING *uri = value->location->d.uniformResourceIdentifier; ++ result = modssl_ASN1_STRING_convert(pool, uri, 0); + } + } + +diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c +index 4060c0f..d629b58 100644 +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -41,10 +41,10 @@ + + static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var); + static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var); +-static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); ++static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var); + static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var); +-static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); +-static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); ++static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm); ++static char 
*ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm); + static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); + static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); + static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); +@@ -444,7 +444,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, + } + + static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, +- X509_NAME *xsname) ++ const X509_NAME *xsname) + { + char *result = NULL; + SSLDirConfigRec *dc; +@@ -476,7 +476,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + { + char *result; + BOOL resdup; +- X509_NAME *xsname; ++ const X509_NAME *xsname; + int nid; + + result = NULL; +@@ -490,13 +490,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + result = ssl_var_lookup_ssl_cert_serial(p, xs); + } + else if (strcEQ(var, "V_START")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs)); + } + else if (strcEQ(var, "V_END")) { +- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs)); + } + else if (strcEQ(var, "V_REMAIN")) { +- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); ++ result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs)); + resdup = FALSE; + } + else if (*var && strcEQ(var+1, "_DN")) { +@@ -583,12 +583,12 @@ static const struct { + { NULL, 0, 0 } + }; + +-static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, ++static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, + const char *var) + { + const char *ptr; + char *result; +- X509_NAME_ENTRY *xsne; ++ const X509_NAME_ENTRY *xsne; + int i, j, n, idx = 0, raw = 0; + apr_size_t varlen; + +@@ -615,7 +615,7 @@ static char 
*ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, + for (j = 0; j < X509_NAME_entry_count(xsname); j++) { + xsne = X509_NAME_get_entry(xsname, j); + +- n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); ++ n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); + + if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) { + result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw); +@@ -672,7 +672,7 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var) + return NULL; + } + +-static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) ++static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm) + { + BIO* bio; + +@@ -687,8 +687,15 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) + + /* Return a string giving the number of days remaining until 'tm', or + * "0" if this can't be determined. */ +-static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) ++static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm) + { ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) ++ int diff; ++ ++ if (ASN1_TIME_check(tm) != 1 || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { ++ return "0"; ++ } ++#else + apr_time_t then, now = apr_time_now(); + apr_time_exp_t exp = {0}; + long diff; +@@ -723,6 +730,7 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) + } + + diff = (long)((apr_time_sec(then) - apr_time_sec(now)) / (60*60*24)); ++#endif + + return diff > 0 ? 
apr_ltoa(p, diff) : apr_pstrdup(p, "0"); + } +@@ -772,7 +780,7 @@ static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) + + serialNumber = X509_get_serialNumber(xs); + if (serialNumber) { +- X509_NAME *issuer = X509_get_issuer_name(xs); ++ const X509_NAME *issuer = X509_get_issuer_name(xs); + if (issuer) { + BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL); + char *decimal = BN_bn2dec(bn); +@@ -896,9 +904,9 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var) + /* Add each RDN in 'xn' to the table 't' where the NID is present in + * 'nids', using key prefix 'pfx'. */ + static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, +- X509_NAME *xn, apr_pool_t *p) ++ const X509_NAME *xn, apr_pool_t *p) + { +- X509_NAME_ENTRY *xsne; ++ const X509_NAME_ENTRY *xsne; + apr_hash_t *count; + int i, nid; + +@@ -913,7 +921,7 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, + + /* Retrieve the nid, and check whether this is one of the nids + * which are to be extracted. */ +- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); ++ nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); + + tag = apr_hash_get(nids, &nid, sizeof nid); + if (tag) { +@@ -1026,15 +1034,19 @@ void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p) + * parse the extension type as a primitive string. This will fail for + * any structured extension type per the docs. Returns non-zero on + * success and writes the string to the given bio. */ +-static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) ++static int dump_extn_value(BIO *bio, const ASN1_OCTET_STRING *str) + { +- const unsigned char *pp = str->data; ++ const unsigned char *pp = ASN1_STRING_get0_data(str); + ASN1_STRING *ret = ASN1_STRING_new(); + int rv = 0; + ++ if (!ret) { ++ return rv; ++ } ++ + /* This allows UTF8String, IA5String, VisibleString, or BMPString; + * conversion to UTF-8 is forced. 
*/ +- if (d2i_DISPLAYTEXT(&ret, &pp, str->length)) { ++ if (d2i_DISPLAYTEXT(&ret, &pp, ASN1_STRING_length(str))) { + ASN1_STRING_print_ex(bio, ret, ASN1_STRFLGS_UTF8_CONVERT); + rv = 1; + } +@@ -1081,7 +1093,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, + */ + array = apr_array_make(p, count, sizeof(char *)); + for (j = 0; j < count; j++) { +- X509_EXTENSION *ext = X509_get_ext(xs, j); ++ MODSSL_X509_EXT_CONST X509_EXTENSION *ext = X509_get_ext(xs, j); + + if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { + BIO *bio = BIO_new(BIO_s_mem()); +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 1ec02f3..b2f5dfd 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -145,6 +145,12 @@ + #define MODSSL_SSL_METHOD_CONST + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x40000000L ++#define MODSSL_X509_EXT_CONST const ++#else ++#define MODSSL_X509_EXT_CONST ++#endif ++ + #if defined(LIBRESSL_VERSION_NUMBER) + /* Missing from LibreSSL */ + #if LIBRESSL_VERSION_NUMBER < 0x2060000f +@@ -266,6 +272,12 @@ + #define BIO_get_shutdown(x) (x->shutdown) + #define BIO_set_shutdown(x,v) (x->shutdown=v) + #define DH_bits(x) (BN_num_bits(x->p)) ++#define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509)) ++#define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY)) ++#define ASN1_STRING_get0_data(x) ((x)->data) ++#define ASN1_STRING_length(x) ((int)(x)->length) ++#define X509_get0_before(x) X509_get_before(x) ++#define X509_get0_after(x) X509_get_after(x) + #else + void init_bio_methods(void); + void free_bio_methods(void); +@@ -1164,16 +1176,16 @@ void ssl_log_ssl_error(const char *, int, int, server_rec *); + * counterparts. */ + void ssl_log_xerror(const char *file, int line, int level, + apr_status_t rv, apr_pool_t *p, server_rec *s, +- X509 *cert, const char *format, ...) ++ const X509 *cert, const char *format, ...) 
+ __attribute__((format(printf,8,9))); + + void ssl_log_cxerror(const char *file, int line, int level, +- apr_status_t rv, conn_rec *c, X509 *cert, ++ apr_status_t rv, conn_rec *c, const X509 *cert, + const char *format, ...) + __attribute__((format(printf,7,8))); + + void ssl_log_rxerror(const char *file, int line, int level, +- apr_status_t rv, request_rec *r, X509 *cert, ++ apr_status_t rv, request_rec *r, const X509 *cert, + const char *format, ...) + __attribute__((format(printf,7,8))); + +diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c +index 8bd9c8a..85d5712 100644 +--- a/modules/ssl/ssl_util_ssl.c ++++ b/modules/ssl/ssl_util_ssl.c +@@ -202,7 +202,7 @@ char *modssl_bio_free_read(apr_pool_t *p, BIO *bio) + /* Convert ASN.1 string to a pool-allocated char * string, escaping + * control characters. If raw is zero, convert to UTF-8, otherwise + * unchanged from the character set. */ +-static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) ++char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, int raw) + { + BIO *bio; + int flags = ASN1_STRFLGS_ESC_CTRL; +@@ -217,13 +217,13 @@ static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) + return modssl_bio_free_read(p, bio); + } + +-#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0) ++#define asn1_string_to_utf8(p, a) modssl_ASN1_STRING_convert(p, a, 0) + + /* convert a NAME_ENTRY to UTF8 string */ +-char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, ++char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, + int raw) + { +- char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); ++ char *result = modssl_ASN1_STRING_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); + ap_xlate_proto_from_ascii(result, len); + return result; + } +@@ -232,7 +232,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, + * convert an 
X509_NAME to an RFC 2253 formatted string, optionally truncated + * to maxlen characters (specify a maxlen of 0 for no length limit) + */ +-char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) ++char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen) + { + char *result = NULL; + BIO *bio; +@@ -362,7 +362,7 @@ BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf, + /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ + static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) + { +- X509_NAME *subj; ++ const X509_NAME *subj; + int i = -1; + + /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ +diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h +index 443c1b7..f5ed3c2 100644 +--- a/modules/ssl/ssl_util_ssl.h ++++ b/modules/ssl/ssl_util_ssl.h +@@ -71,13 +71,19 @@ EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, vo + + int modssl_smart_shutdown(SSL *ssl); + BOOL modssl_X509_getBC(X509 *, int *, int *); +-char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, ++char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, + int raw); +-char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); ++char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int); + BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); + BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); + char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); + ++/* Convert ASN.1 string to a pool-allocated char * string, escaping ++ * control characters. If raw is zero, convert to UTF-8, otherwise ++ * unchanged from the character set. 
*/ ++char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, ++ int raw); ++ + /* Reads the remaining data in BIO, if not empty, and copies it into a + * pool-allocated string. If empty, returns NULL. BIO_free(bio) is + * called for both cases. */ +diff --git a/support/ab.c b/support/ab.c +index bee3812..aa92d11 100644 +--- a/support/ab.c ++++ b/support/ab.c +@@ -675,7 +675,7 @@ static int ssl_print_connection_info(BIO *bio, SSL *ssl) + + static void ssl_print_cert_info(BIO *bio, X509 *cert) + { +- X509_NAME *dn; ++ const X509_NAME *dn; + EVP_PKEY *pk; + char buf[1024]; + +-- +2.52.0 + diff --git a/deps-packaging/apache/0002-CI-add-OpenSSL-build-binaries-to-PATH.patch b/deps-packaging/apache/0002-CI-add-OpenSSL-build-binaries-to-PATH.patch new file mode 100644 index 000000000..0c9d2de1a --- /dev/null +++ b/deps-packaging/apache/0002-CI-add-OpenSSL-build-binaries-to-PATH.patch 
@@ -0,0 +1,43 @@ +From 61e6751006d80b4281729ca0a43368f1c6d2f638 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Thu, 29 Feb 2024 15:33:38 +0000 +Subject: [PATCH 2/8] CI: add OpenSSL build binaries to $PATH + +Github: closes #415 + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916058 13f79535-47bb-0310-9956-ffa450edef68 +(cherry picked from commit f65a498b3b17ece0c394ba32293930f41536071b) +--- + test/travis_before_linux.sh | 2 +- + test/travis_run_linux.sh | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh +index ab073f0..7329572 100755 +--- a/test/travis_before_linux.sh ++++ b/test/travis_before_linux.sh +@@ -150,7 +150,7 @@ if test -v TEST_OPENSSL3; then + curl "https://www.openssl.org/source/openssl-${TEST_OPENSSL3}.tar.gz" | + tar -xzf - + cd openssl-${TEST_OPENSSL3} +- ./Configure --prefix=$HOME/root/openssl3 shared no-tests ++ ./Configure --prefix=$HOME/root/openssl3 shared no-tests ${OPENSSL_CONFIG} + make $MFLAGS + make install_sw + touch $HOME/root/openssl-is-${TEST_OPENSSL3} +diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh +index 67d9d00..ab0023c 100755 +--- a/test/travis_run_linux.sh ++++ b/test/travis_run_linux.sh +@@ -62,6 +62,8 @@ fi + if test -v TEST_OPENSSL3; then + CONFIG="$CONFIG --with-ssl=$HOME/root/openssl3" + export LD_LIBRARY_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64 ++ export PATH=$HOME/root/openssl3/bin:$PATH ++ openssl version + fi + + srcdir=$PWD +-- +2.52.0 + diff --git a/deps-packaging/apache/0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch b/deps-packaging/apache/0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch new file mode 100644 index 000000000..c5c365818 --- /dev/null +++ b/deps-packaging/apache/0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch 
@@ -0,0 +1,33 @@ +From 681eec5956bd087da7b36e78ba4d93eacd6cf4cd Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Fri, 1 Mar 2024 10:15:13 +0000 +Subject: [PATCH 3/8] CI: test OpenSSL 3.x using Apache::Test trunk to pick up + r1916067. + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916068 13f79535-47bb-0310-9956-ffa450edef68 +(cherry picked from commit 2361315143a9de540db338bcc812877c37da0fe7) +--- + test/travis_before_linux.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh +index 7329572..60f0cf4 100755 +--- a/test/travis_before_linux.sh ++++ b/test/travis_before_linux.sh +@@ -120,6 +120,13 @@ if ! test -v SKIP_TESTING -o -v NO_TEST_FRAMEWORK; then + + # Make a shallow clone of httpd-tests git repo. + git clone -q --depth=1 https://github.com/apache/httpd-tests.git test/perl-framework ++ ++ # For OpenSSL 3.2+ testing, Apache::Test r1916067 is required, so ++ # use a checkout of trunk until there is an updated CPAN release ++ # with that revision. ++ if test -v TEST_OPENSSL3; then ++ svn co -q https://svn.apache.org/repos/asf/perl/Apache-Test/trunk test/perl-framework/Apache-Test ++ fi + fi + + # For LDAP testing, run slapd listening on port 8389 and populate the +-- +2.52.0 + diff --git a/deps-packaging/apache/0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch b/deps-packaging/apache/0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch new file mode 100644 index 000000000..ba3c30c1a --- /dev/null +++ b/deps-packaging/apache/0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch 
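Review bot: The Apache::Test checkout in the added travis_before_linux.sh hunk tracks svn trunk with no revision pinned, so the OpenSSL 3.x CI job depends on whatever trunk contains at run time and a later trunk change can break or alter the job without any change in this repository. The commit message names r1916067 as the revision that is needed, so the checkout can be pinned to it: `svn co -q -r 1916067 https://svn.apache.org/repos/asf/perl/Apache-Test/trunk test/perl-framework/Apache-Test`. Since this is a vendored upstream patch, the pin would be a local deviation from upstream and deserves a one-line comment in the patch saying so; whether the cfbuild-apache build actually runs these travis scripts is not visible from this diff.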
@@ -0,0 +1,356 @@ +From 053a9ccc191b089db276af79d56c6157eda8a006 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Fri, 1 May 2026 08:43:36 +0100 +Subject: [PATCH 4/8] Part merge of r1915513 to make the travis_run_linux.sh + diff to trunk much smaller. + +--- + test/travis_run_linux.sh | 302 ++++++++++++++++++++------------------- + 1 file changed, 157 insertions(+), 145 deletions(-) + +diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh +index ab0023c..9c2a7b5 100755 +--- a/test/travis_run_linux.sh ++++ b/test/travis_run_linux.sh +@@ -79,6 +79,8 @@ make $MFLAGS + if test -v TEST_INSTALL; then + make install + pushd $PREFIX ++ # Basic sanity tests of the installed server. ++ ./bin/apachectl -V + test `./bin/apxs -q PREFIX` = $PREFIX + test `$PWD/bin/apxs -q PREFIX` = $PREFIX + ./bin/apxs -g -n foobar +@@ -86,174 +88,184 @@ if test -v TEST_INSTALL; then + popd + fi + +-if ! test -v SKIP_TESTING; then +- set +e +- RV=0 ++if test -v SKIP_TESTING; then ++ # Check that httpd was built successfully, nothing more. ++ ./httpd -V ++ exit 0 ++fi + +- if test -v TEST_MALLOC; then +- # Enable enhanced glibc malloc debugging, see mallopt(3) +- export MALLOC_PERTURB_=65 MALLOC_CHECK_=3 +- export LIBC_FATAL_STDERR_=1 +- fi ++############################################################### ++### Everything below is only run if SKIP_TESTING was not set ## ++############################################################### + +- if test -v TEST_UBSAN; then +- export UBSAN_OPTIONS="log_path=$PWD/ubsan.log" +- fi ++: Running tests... + +- if test -v TEST_ASAN; then +- export ASAN_OPTIONS="log_path=$PWD/asan.log:detect_leaks=0" +- fi ++set +e ++RV=0 + +- # Try to keep all potential coredumps from all processes +- sudo sysctl -w kernel.core_uses_pid=1 2>/dev/null || true +- # Systemd based systems might process core dumps via systemd-coredump. +- # But we want to have local unprocessed files. 
+- sudo sysctl -w kernel.core_pattern=core || true +- ulimit -c unlimited 2>/dev/null || true ++if test -v TEST_MALLOC; then ++ # Enable enhanced glibc malloc debugging, see mallopt(3) ++ export MALLOC_PERTURB_=65 MALLOC_CHECK_=3 ++ export LIBC_FATAL_STDERR_=1 ++fi + +- if test -v WITH_TEST_SUITE; then +- make check TESTS="${TESTS}" TEST_CONFIG="${TEST_ARGS}" +- RV=$? +- else +- test -v TEST_INSTALL || make install +- pushd test/perl-framework +- perl Makefile.PL -apxs $PREFIX/bin/apxs +- make test APACHE_TEST_EXTRA_ARGS="${TEST_ARGS} ${TESTS}" | tee test.log +- RV=${PIPESTATUS[0]} +- # re-run failing tests with -v, avoiding set -e +- if [ $RV -ne 0 ]; then +- #mv t/logs/error_log t/logs/error_log_save +- FAILERS="" +- while read FAILER; do +- FAILERS="$FAILERS $FAILER" +- done < <(awk '/Failed:/{print $1}' test.log) +- if [ -n "$FAILERS" ]; then +- t/TEST -v $FAILERS || true +- fi +- # set -e would have killed us after the original t/TEST +- rm -f test.log +- #mv t/logs/error_log_save t/logs/error_log +- false ++if test -v TEST_UBSAN; then ++ export UBSAN_OPTIONS="log_path=$PWD/ubsan.log" ++fi ++ ++if test -v TEST_ASAN; then ++ export ASAN_OPTIONS="log_path=$PWD/asan.log:detect_leaks=0" ++fi ++ ++# Try to keep all potential coredumps from all processes ++sudo sysctl -w kernel.core_uses_pid=1 2>/dev/null || true ++# Systemd based systems might process core dumps via systemd-coredump. ++# But we want to have local unprocessed files. ++sudo sysctl -w kernel.core_pattern=core || true ++ulimit -c unlimited 2>/dev/null || true ++ ++if test -v WITH_TEST_SUITE; then ++ make check TESTS="${TESTS}" TEST_CONFIG="${TEST_ARGS}" ++ RV=$? 
++else ++ test -v TEST_INSTALL || make install ++ pushd test/perl-framework ++ perl Makefile.PL -apxs $PREFIX/bin/apxs ++ make test APACHE_TEST_EXTRA_ARGS="${TEST_ARGS} ${TESTS}" | tee test.log ++ RV=${PIPESTATUS[0]} ++ # re-run failing tests with -v, avoiding set -e ++ if [ $RV -ne 0 ]; then ++ #mv t/logs/error_log t/logs/error_log_save ++ FAILERS="" ++ while read FAILER; do ++ FAILERS="$FAILERS $FAILER" ++ done < <(awk '/Failed:/{print $1}' test.log) ++ if [ -n "$FAILERS" ]; then ++ t/TEST -v $FAILERS || true + fi +- popd +- fi ++ # set -e would have killed us after the original t/TEST ++ rm -f test.log ++ #mv t/logs/error_log_save t/logs/error_log ++ false ++ fi ++ popd ++fi + +- # Skip further testing if a core dump was created during the test +- # suite run above. +- if test $RV -eq 0 && test -n "`ls test/perl-framework/t/core{,.*} 2>/dev/null`"; then +- RV=4 +- fi ++# Skip further testing if a core dump was created during the test ++# suite run above. ++if test $RV -eq 0 && test -n "`ls test/perl-framework/t/core{,.*} 2>/dev/null`"; then ++ RV=4 ++fi + +- if test -v TEST_SSL -a $RV -eq 0; then +- pushd test/perl-framework +- # Test loading encrypted private keys +- ./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl +- RV=$? ++if test -v TEST_SSL -a $RV -eq 0; then ++ pushd test/perl-framework ++ # Test loading encrypted private keys ++ ./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl ++ RV=$? + +- # Log the OpenSSL version. +- grep 'mod_ssl.*compiled against' t/logs/error_log | tail -n 1 +- +- # Test various session cache backends +- for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do +- test $RV -eq 0 || break +- +- SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start +- ./t/TEST t/ssl +- RV=$? +- ./t/TEST -stop +- SRV=$? +- if test $RV -eq 0 -a $SRV -ne 0; then +- RV=$SRV +- fi +- done +- popd +- fi ++ # Log the OpenSSL version. 
++ grep 'mod_ssl.*compiled against' t/logs/error_log | tail -n 1 ++ ++ # Test various session cache backends ++ for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do ++ test $RV -eq 0 || break + +- if test -v LITMUS -a $RV -eq 0; then +- pushd test/perl-framework +- mkdir -p t/htdocs/modules/dav +- ./t/TEST -start +- # litmus uses $TESTS, so unset it. +- unset TESTS +- litmus http://localhost:8529/modules/dav/ +- RV=$? +- ./t/TEST -stop +- popd +- fi ++ SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start ++ ./t/TEST t/ssl ++ RV=$? ++ ./t/TEST -stop ++ SRV=$? ++ if test $RV -eq 0 -a $SRV -ne 0; then ++ RV=$SRV ++ fi ++ done ++ popd ++fi + +- if test $RV -ne 0 && test -f test/perl-framework/t/logs/error_log; then +- grep -v ':\(debug\|trace[12345678]\)\]' test/perl-framework/t/logs/error_log +- fi ++if test -v LITMUS -a $RV -eq 0; then ++ pushd test/perl-framework ++ mkdir -p t/htdocs/modules/dav ++ ./t/TEST -start ++ # litmus uses $TESTS, so unset it. ++ unset TESTS ++ litmus http://localhost:8529/modules/dav/ ++ RV=$? ++ ./t/TEST -stop ++ popd ++fi + +- if test -v TEST_CORE -a $RV -eq 0; then +- # Run HTTP/2 tests. +- MPM=event py.test-3 test/modules/core +- RV=$? +- fi ++if test $RV -ne 0 && test -f test/perl-framework/t/logs/error_log; then ++ grep -v ':\(debug\|trace[12345678]\)\]' test/perl-framework/t/logs/error_log ++fi + +- if test -v TEST_H2 -a $RV -eq 0; then +- # Build the test clients +- (cd test/clients && make) +- # Run HTTP/2 tests. +- MPM=event py.test-3 test/modules/http2 +- RV=$? +- if test $RV -eq 0; then +- MPM=worker py.test-3 test/modules/http2 +- RV=$? +- fi +- fi ++if test -v TEST_CORE -a $RV -eq 0; then ++ # Run HTTP/2 tests. ++ MPM=event py.test-3 test/modules/core ++ RV=$? ++fi + +- if test -v TEST_MD -a $RV -eq 0; then +- # Run ACME tests. 
+- # need the go based pebble as ACME test server +- # which is a package on debian sid, but not on focal +- export GOPATH=${PREFIX}/gocode +- mkdir -p "${GOPATH}" +- export PATH="${GOROOT}/bin:${GOPATH}/bin:${PATH}" +- go get -u github.com/letsencrypt/pebble/... +- (cd $GOPATH/src/github.com/letsencrypt/pebble && go install ./...) +- +- py.test-3 test/modules/md +- RV=$? ++if test -v TEST_H2 -a $RV -eq 0; then ++ # Build the test clients ++ (cd test/clients && make) ++ # Run HTTP/2 tests. ++ MPM=event py.test-3 test/modules/http2 ++ RV=$? ++ if test $RV -eq 0; then ++ MPM=worker py.test-3 test/modules/http2 ++ RV=$? + fi ++fi + +- # Catch cases where abort()s get logged to stderr by libraries but +- # only cause child processes to terminate e.g. during shutdown, +- # which may not otherwise trigger test failures. ++if test -v TEST_MD -a $RV -eq 0; then ++ # Run ACME tests. ++ # need the go based pebble as ACME test server ++ # which is a package on debian sid, but not on focal ++ export GOPATH=${PREFIX}/gocode ++ mkdir -p "${GOPATH}" ++ export PATH="${GOROOT}/bin:${GOPATH}/bin:${PATH}" ++ go get -u github.com/letsencrypt/pebble/... ++ (cd $GOPATH/src/github.com/letsencrypt/pebble && go install ./...) ++ ++ py.test-3 test/modules/md ++ RV=$? ++fi + +- # "glibc detected": printed with LIBC_FATAL_STDERR_/MALLOC_CHECK_ +- # glibc will abort when malloc errors are detected. This will get +- # caught by the segfault grep as well. ++# Catch cases where abort()s get logged to stderr by libraries but ++# only cause child processes to terminate e.g. during shutdown, ++# which may not otherwise trigger test failures. + +- # "pool concurrency check": printed by APR built with +- # --enable-thread-debug when an APR pool concurrency check aborts ++# "glibc detected": printed with LIBC_FATAL_STDERR_/MALLOC_CHECK_ ++# glibc will abort when malloc errors are detected. This will get ++# caught by the segfault grep as well. 
+ +- for phrase in 'Segmentation fault' 'glibc detected' 'pool concurrency check:' 'Assertion.*failed'; do +- # Ignore IO/debug logs +- if grep -v ':\(debug\|trace[12345678]\)\]' test/perl-framework/t/logs/error_log | grep -q "$phrase"; then +- grep --color=always -C5 "$phrase" test/perl-framework/t/logs/error_log +- RV=2 +- fi +- done ++# "pool concurrency check": printed by APR built with ++# --enable-thread-debug when an APR pool concurrency check aborts + +- if test -v TEST_UBSAN && test -n "`ls ubsan.log.* 2>/dev/null`"; then +- cat ubsan.log.* +- RV=3 ++for phrase in 'Segmentation fault' 'glibc detected' 'pool concurrency check:' 'Assertion.*failed'; do ++ # Ignore IO/debug logs ++ if grep -v ':\(debug\|trace[12345678]\)\]' test/perl-framework/t/logs/error_log | grep -q "$phrase"; then ++ grep --color=always -C5 "$phrase" test/perl-framework/t/logs/error_log ++ RV=2 + fi ++done + +- if test -v TEST_ASAN && test -n "`ls asan.log.* 2>/dev/null`"; then +- cat asan.log.* ++if test -v TEST_UBSAN && test -n "`ls ubsan.log.* 2>/dev/null`"; then ++ cat ubsan.log.* ++ RV=3 ++fi + +- # ASan can report memory leaks, fail on errors only +- if grep -q "ERROR: AddressSanitizer:" `ls asan.log.*`; then +- RV=4 +- fi ++if test -v TEST_ASAN && test -n "`ls asan.log.* 2>/dev/null`"; then ++ cat asan.log.* ++ ++ # ASan can report memory leaks, fail on errors only ++ if grep -q "ERROR: AddressSanitizer:" `ls asan.log.*`; then ++ RV=4 + fi ++fi + +- for core in `ls test/perl-framework/t/core{,.*} test/gen/apache/core{,.*} 2>/dev/null`; do +- gdb -ex 'thread apply all backtrace full' -batch ./httpd "$core" +- RV=5 +- done ++for core in `ls test/perl-framework/t/core{,.*} test/gen/apache/core{,.*} 2>/dev/null`; do ++ gdb -ex 'thread apply all backtrace full' -batch ./httpd "$core" ++ RV=5 ++done + +- exit $RV +-fi ++exit $RV +-- +2.52.0 + 
diff --git a/deps-packaging/apache/0005-Part-merge-of-r1919524-from-trunk.patch b/deps-packaging/apache/0005-Part-merge-of-r1919524-from-trunk.patch
new file mode 100644
index 000000000..159b839a2
--- /dev/null
+++ b/deps-packaging/apache/0005-Part-merge-of-r1919524-from-trunk.patch
@@ -0,0 +1,105 @@ +From 05b09686ee19af1442ae935074a2b01594b167c3 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Fri, 26 Jul 2024 09:14:40 +0000 +Subject: [PATCH 5/8] Part merge of r1919524 from trunk: + +CI: Fix OpenSSL tarball download URLs after openssl.org site refresh +CI: Build OpenSSL with RPATH set so that the installed ./bin/openssl works +without LD_LIBRARY_PATH set. + +Use LD_RUN_PATH during the httpd build to achieve the same with binaries +from the httpd build, but unset it after so that it doesn't affect running +e.g. php-fpm or perl later. Should fix warning from logs when php-fpm +is executed -- + +[26-Jul-2024 07:43:34] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'curl.so' (tried: /usr/lib/php/20210902/curl.so (/lib/x86_64-linux-gnu/libcurl.so.4: undefined symbol: ENGINE_init, version OPENSSL_3.0.0), /usr/lib/php/20210902/curl.so.so (/usr/lib/php/20210902/curl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 + +CI: Test that php-fpm works if available before testing. +CI: For paranoia/future debugging, log the OpenSSL version from compile-time +and run-time as reported by mod_ssl. 
+ +(cherry picked from commit 4eee244d55fee6e7b5ed79591f2e097e00e3cc1e) +--- + test/travis_before_linux.sh | 7 +++++-- + test/travis_run_linux.sh | 24 +++++++++++++++++++++++- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh +index 60f0cf4..91f9b2b 100755 +--- a/test/travis_before_linux.sh ++++ b/test/travis_before_linux.sh +@@ -154,10 +154,13 @@ if test -v TEST_OPENSSL3; then + + mkdir -p build/openssl + pushd build/openssl +- curl "https://www.openssl.org/source/openssl-${TEST_OPENSSL3}.tar.gz" | ++ curl -L "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/openssl-${TEST_OPENSSL3}.tar.gz" | + tar -xzf - + cd openssl-${TEST_OPENSSL3} +- ./Configure --prefix=$HOME/root/openssl3 shared no-tests ${OPENSSL_CONFIG} ++ # Build with RPATH so ./bin/openssl doesn't require $LD_LIBRARY_PATH ++ ./Configure --prefix=$HOME/root/openssl3 \ ++ shared no-tests ${OPENSSL_CONFIG} \ ++ '-Wl,-rpath=$(LIBRPATH)' + make $MFLAGS + make install_sw + touch $HOME/root/openssl-is-${TEST_OPENSSL3} +diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh +index 9c2a7b5..8070519 100755 +--- a/test/travis_run_linux.sh ++++ b/test/travis_run_linux.sh +@@ -61,7 +61,9 @@ fi + + if test -v TEST_OPENSSL3; then + CONFIG="$CONFIG --with-ssl=$HOME/root/openssl3" +- export LD_LIBRARY_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64 ++ # Temporarily set LD_RUN_PATH so that httpd/mod_ssl binaries pick ++ # up the custom OpenSSL build ++ export LD_RUN_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64 + export PATH=$HOME/root/openssl3/bin:$PATH + openssl version + fi +@@ -76,6 +78,14 @@ fi + $srcdir/configure --prefix=$PREFIX $CONFIG + make $MFLAGS + ++if test -v TEST_OPENSSL3; then ++ # Clear the library/run paths so that anything else run during ++ # testing is not forced to use the custom OpenSSL build; e.g. perl, ++ # php-fpm, ... 
++ unset LD_LIBRARY_PATH ++ unset LD_RUN_PATH ++fi ++ + if test -v TEST_INSTALL; then + make install + pushd $PREFIX +@@ -117,6 +127,11 @@ if test -v TEST_ASAN; then + export ASAN_OPTIONS="log_path=$PWD/asan.log:detect_leaks=0" + fi + ++if test -v PHP_FPM; then ++ # Sanity test the executable exists. ++ $PHP_FPM --version ++fi ++ + # Try to keep all potential coredumps from all processes + sudo sysctl -w kernel.core_uses_pid=1 2>/dev/null || true + # Systemd based systems might process core dumps via systemd-coredump. +@@ -157,6 +172,13 @@ if test $RV -eq 0 && test -n "`ls test/perl-framework/t/core{,.*} 2>/dev/null`"; + RV=4 + fi + ++if test \( -v TEST_SSL -o -v TEST_OPENSSL3 \) \ ++ -a -f test/perl-framework/t/logs/error_log; then ++ : -- Check OpenSSL version used by mod_ssl at compile- and run-time -- ++ grep 'mod_ssl.*compiled against' test/perl-framework/t/logs/error_log | tail -n1 | grep --color=always 'OpenSSL/[^ ]*' ++ grep 'resuming normal operations' test/perl-framework/t/logs/error_log | tail -n1 | grep --color=always 'OpenSSL/[^ ]*' ++fi ++ + if test -v TEST_SSL -a $RV -eq 0; then + pushd test/perl-framework + # Test loading encrypted private keys +-- +2.52.0 + diff --git a/deps-packaging/apache/0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch b/deps-packaging/apache/0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch new file mode 100644 index 000000000..3b953a95a --- /dev/null +++ b/deps-packaging/apache/0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch 
@@ -0,0 +1,28 @@
+From 17f0d6072e9cf61b7c211a2ddcc79e7e39d60aba Mon Sep 17 00:00:00 2001
+From: Joe Orton
+Date: Fri, 1 May 2026 07:57:10 +0000
+Subject: [PATCH 6/8] CI: The OpenSSL no-engine config option is redundant as
+ of 4.0, remove.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933631 13f79535-47bb-0310-9956-ffa450edef68
+(cherry picked from commit 83f5ccc6288eab5e1f17b55505e3ea35a598c9b6)
+---
+ .github/workflows/linux.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 668dc11..dab7058 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -306,7 +306,7 @@ jobs:
+ notest-cflags: -Werror -O2
+ env: |
+ TEST_OPENSSL3=4.0.0
+- OPENSSL_CONFIG=no-engine
++ OPENSSL_CONFIG=
+ APR_VERSION=1.7.6
+ APU_VERSION=1.6.3
+ APU_CONFIG="--without-crypto"
+--
+2.52.0
+
diff --git a/deps-packaging/apache/0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch b/deps-packaging/apache/0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch
new file mode 100644
index 000000000..4f40f7233
--- /dev/null
+++ b/deps-packaging/apache/0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch
@@ -0,0 +1,31 @@
+From 3eaf20fd008d01908cc185e5aca7147b6667d6c2 Mon Sep 17 00:00:00 2001
+From: Joe Orton
+Date: Fri, 1 May 2026 09:22:24 +0100
+Subject: [PATCH 7/8] Cherry pick from 0c9cd095ce9081fd225f0da7787419e80de7c701
+
+---
+ test/travis_before_linux.sh | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh
+index 91f9b2b..7cf0516 100755
+--- a/test/travis_before_linux.sh
++++ b/test/travis_before_linux.sh
+@@ -154,8 +154,12 @@ if test -v TEST_OPENSSL3; then
+ 
+ mkdir -p build/openssl
+ pushd build/openssl
+- curl -L "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/openssl-${TEST_OPENSSL3}.tar.gz" |
+- tar -xzf -
++ if test -v TEST_OPENSSL3_BRANCH; then
++ git clone -b $TEST_OPENSSL3_BRANCH -q https://github.com/openssl/openssl openssl-${TEST_OPENSSL3}
++ else
++ curl -L "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/openssl-${TEST_OPENSSL3}.tar.gz" |
++ tar -xzf -
++ fi
+ cd openssl-${TEST_OPENSSL3}
+ # Build with RPATH so ./bin/openssl doesn't require $LD_LIBRARY_PATH
+ ./Configure --prefix=$HOME/root/openssl3 \
+--
+2.52.0
+
diff --git a/deps-packaging/apache/0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch b/deps-packaging/apache/0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch
new file mode 100644
index 000000000..176860505
--- /dev/null
+++ b/deps-packaging/apache/0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch
@@ -0,0 +1,90 @@
+From 05fea04b7b756eaca6cf3b38d5b80bb5a81d6394 Mon Sep 17 00:00:00 2001
+From: Joe Orton
+Date: Fri, 21 Nov 2025 09:38:42 +0000
+Subject: [PATCH 8/8] CI: Try to fix ab failures during OpenSSL ech job, set
+ RPATH via LDFLAGS
+
+CI: For OpenSSL branch builds, always build a fresh version of the
+OpenSSL branch and cache the commit hash to allow checking for freshness.
+Also clone with --depth=1 to save time+bandwidth.
+
+Github: closes #579
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1929891 13f79535-47bb-0310-9956-ffa450edef68
+(cherry picked from commit d7dec4f6765c2bcb25ba7fbcc5cc4d151accebde)
+---
+ test/travis_before_linux.sh | 25 +++++++++++++++++++++----
+ test/travis_run_linux.sh | 5 ++---
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/test/travis_before_linux.sh b/test/travis_before_linux.sh
+index 7cf0516..5296d08 100755
+--- a/test/travis_before_linux.sh
++++ b/test/travis_before_linux.sh
+@@ -145,9 +145,21 @@ if test -v TEST_SSL; then
+ popd
+ fi
+ 
++# Build the requested version of OpenSSL if it's not already installed
++# in the cached ~/root
+ if test -v TEST_OPENSSL3; then
+- # Build the requested version of OpenSSL if it's not already
+- # installed in the cached ~/root
++ # For a branch, rebuild if the remote branch has updated.
++ if test -v TEST_OPENSSL3_BRANCH -a -f $HOME/root/openssl-is-${TEST_OPENSSL3}; then
++ latest=`git ls-remote https://github.com/openssl/openssl refs/heads/${TEST_OPENSSL3_BRANCH} | cut -f1`
++ : Got branch latest commit ${latest}
++ if grep -q ^${latest} $HOME/root/openssl-is-${TEST_OPENSSL3}; then
++ : Cached repos already at ${latest}
++ else
++ : Forcing rebuild
++ rm -f $HOME/root/openssl-is-${TEST_OPENSSL3}
++ fi
++ fi
++
+ if ! test -f $HOME/root/openssl-is-${TEST_OPENSSL3}; then
+ # Remove any previous install.
+ rm -rf $HOME/root/openssl3
+@@ -155,7 +167,7 @@ if test -v TEST_OPENSSL3; then
+ mkdir -p build/openssl
+ pushd build/openssl
+ if test -v TEST_OPENSSL3_BRANCH; then
+- git clone -b $TEST_OPENSSL3_BRANCH -q https://github.com/openssl/openssl openssl-${TEST_OPENSSL3}
++ git clone --depth=1 -b $TEST_OPENSSL3_BRANCH -q https://github.com/openssl/openssl openssl-${TEST_OPENSSL3}
+ else
+ curl -L "https://github.com/openssl/openssl/releases/download/openssl-${TEST_OPENSSL3}/openssl-${TEST_OPENSSL3}.tar.gz" |
+ tar -xzf -
+@@ -167,7 +179,12 @@ if test -v TEST_OPENSSL3; then
+ '-Wl,-rpath=$(LIBRPATH)'
+ make $MFLAGS
+ make install_sw
+- touch $HOME/root/openssl-is-${TEST_OPENSSL3}
++ if test -d .git; then
++ : Caching git commit hash:
++ git rev-parse HEAD | tee $HOME/root/openssl-is-${TEST_OPENSSL3}
++ else
++ touch $HOME/root/openssl-is-${TEST_OPENSSL3}
++ fi
+ popd
+ fi
+ 
+diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh
+index 8070519..45e4a6b 100755
+--- a/test/travis_run_linux.sh
++++ b/test/travis_run_linux.sh
+@@ -61,10 +61,9 @@ fi
+ 
+ if test -v TEST_OPENSSL3; then
+ CONFIG="$CONFIG --with-ssl=$HOME/root/openssl3"
+- # Temporarily set LD_RUN_PATH so that httpd/mod_ssl binaries pick
+- # up the custom OpenSSL build
+- export LD_RUN_PATH=$HOME/root/openssl3/lib:$HOME/root/openssl3/lib64
+ export PATH=$HOME/root/openssl3/bin:$PATH
++ # Force everything built to hard-code an RPATH
++ export LDFLAGS="-Wl,-rpath,$HOME/root/openssl3/lib -Wl,-rpath,$HOME/root/openssl3/lib64"
+ openssl version
+ fi
+ 
+--
+2.52.0
+
diff --git a/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch b/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch
deleted file mode 100644
index e219add00..000000000
--- a/deps-packaging/apache/1933586-openssl-4.0-compatibility.patch
+++ /dev/null
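Review bot: `latest` is used unchecked in `if grep -q ^${latest} $HOME/root/openssl-is-${TEST_OPENSSL3}; then`: if `git ls-remote` fails or prints nothing, the pattern degrades to `^`, which matches every line, so a stale cached build is reported as already current and the rebuild is skipped. Guard the value right after the assignment, e.g. `test -n "$latest" || { echo "cannot resolve branch ${TEST_OPENSSL3_BRANCH}" >&2; exit 1; }`, and quote it in the grep as `"^${latest}"`. The enclosing `if test -v TEST_OPENSSL3` block continues past the hunk. This is httpd's own CI script carried here as a vendored patch, so it does not affect the packaged httpd and the fix is best raised upstream as well.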
@@ -1,383 +0,0 @@ -Index: modules/ssl/ssl_engine_log.c -=================================================================== ---- modules/ssl/ssl_engine_log.c (revision 1933585) -+++ modules/ssl/ssl_engine_log.c (revision 1933586) -@@ -126,7 +126,7 @@ - static void ssl_log_cert_error(const char *file, int line, int level, - apr_status_t rv, const server_rec *s, - const conn_rec *c, const request_rec *r, -- apr_pool_t *p, X509 *cert, const char *format, -+ apr_pool_t *p, const X509 *cert, const char *format, - va_list ap) - { - char buf[HUGE_STRING_LEN]; -@@ -167,14 +167,14 @@ - } - - BIO_puts(bio, " / serial: "); -- if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1) -+ if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) == -1) - BIO_puts(bio, "(ERROR)"); - - BIO_puts(bio, " / notbefore: "); -- ASN1_TIME_print(bio, X509_get_notBefore(cert)); -+ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); - - BIO_puts(bio, " / notafter: "); -- ASN1_TIME_print(bio, X509_get_notAfter(cert)); -+ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); - - BIO_puts(bio, "]"); - -@@ -212,7 +212,7 @@ - * in the other cases we use the connection and request pool, respectively). - */ - void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, -- apr_pool_t *ptemp, server_rec *s, X509 *cert, -+ apr_pool_t *ptemp, server_rec *s, const X509 *cert, - const char *fmt, ...) - { - if (APLOG_IS_LEVEL(s,level)) { -@@ -225,7 +225,7 @@ - } - - void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, -- conn_rec *c, X509 *cert, const char *fmt, ...) -+ conn_rec *c, const X509 *cert, const char *fmt, ...) - { - if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) { - va_list ap; -@@ -237,7 +237,7 @@ - } - - void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, -- request_rec *r, X509 *cert, const char *fmt, ...) -+ request_rec *r, const X509 *cert, const char *fmt, ...) 
- { - if (APLOG_R_IS_LEVEL(r,level)) { - va_list ap; -Index: modules/ssl/ssl_engine_ocsp.c -=================================================================== ---- modules/ssl/ssl_engine_ocsp.c (revision 1933585) -+++ modules/ssl/ssl_engine_ocsp.c (revision 1933586) -@@ -38,8 +38,8 @@ - /* Name found in extension, and is a URI: */ - if (OBJ_obj2nid(value->method) == NID_ad_OCSP - && value->location->type == GEN_URI) { -- result = apr_pstrdup(pool, -- (char *)value->location->d.uniformResourceIdentifier->data); -+ const ASN1_STRING *uri = value->location->d.uniformResourceIdentifier; -+ result = modssl_ASN1_STRING_convert(pool, uri, 0); - } - } - -Index: modules/ssl/ssl_private.h -=================================================================== ---- modules/ssl/ssl_private.h (revision 1933585) -+++ modules/ssl/ssl_private.h (revision 1933586) -@@ -155,6 +155,12 @@ - #define MODSSL_SSL_METHOD_CONST - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x40000000L -+#define MODSSL_X509_EXT_CONST const -+#else -+#define MODSSL_X509_EXT_CONST -+#endif -+ - #if defined(LIBRESSL_VERSION_NUMBER) - /* Missing from LibreSSL */ - #if LIBRESSL_VERSION_NUMBER < 0x2060000f -@@ -282,6 +288,10 @@ - #define DH_bits(x) (BN_num_bits(x->p)) - #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509)) - #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY)) -+#define ASN1_STRING_get0_data(x) ((x)->data) -+#define ASN1_STRING_length(x) ((int)(x)->length) -+#define X509_get0_before(x) X509_get_before(x) -+#define X509_get0_after(x) X509_get_after(x) - #else - void init_bio_methods(void); - void free_bio_methods(void); -@@ -1212,16 +1222,16 @@ - * counterparts. */ - void ssl_log_xerror(const char *file, int line, int level, - apr_status_t rv, apr_pool_t *p, server_rec *s, -- X509 *cert, const char *format, ...) -+ const X509 *cert, const char *format, ...) 
- __attribute__((format(printf,8,9))); - - void ssl_log_cxerror(const char *file, int line, int level, -- apr_status_t rv, conn_rec *c, X509 *cert, -+ apr_status_t rv, conn_rec *c, const X509 *cert, - const char *format, ...) - __attribute__((format(printf,7,8))); - - void ssl_log_rxerror(const char *file, int line, int level, -- apr_status_t rv, request_rec *r, X509 *cert, -+ apr_status_t rv, request_rec *r, const X509 *cert, - const char *format, ...) - __attribute__((format(printf,7,8))); - -Index: modules/ssl/ssl_util_ssl.c -=================================================================== ---- modules/ssl/ssl_util_ssl.c (revision 1933585) -+++ modules/ssl/ssl_util_ssl.c (revision 1933586) -@@ -206,7 +206,7 @@ - /* Convert ASN.1 string to a pool-allocated char * string, escaping - * control characters. If raw is zero, convert to UTF-8, otherwise - * unchanged from the character set. */ --static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) -+char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, int raw) - { - BIO *bio; - int flags = ASN1_STRFLGS_ESC_CTRL; -@@ -221,13 +221,13 @@ - return modssl_bio_free_read(p, bio); - } - --#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0) -+#define asn1_string_to_utf8(p, a) modssl_ASN1_STRING_convert(p, a, 0) - - /* convert a NAME_ENTRY to UTF8 string */ --char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, -+char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, - int raw) - { -- char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); -+ char *result = modssl_ASN1_STRING_convert(p, X509_NAME_ENTRY_get_data(xsne), raw); - ap_xlate_proto_from_ascii(result, len); - return result; - } -@@ -236,7 +236,7 @@ - * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated - * to maxlen characters (specify a maxlen of 0 for no length limit) - */ --char 
*modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) -+char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen) - { - char *result = NULL; - BIO *bio; -@@ -373,7 +373,7 @@ - /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ - static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) - { -- X509_NAME *subj; -+ const X509_NAME *subj; - int i = -1; - - /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ -Index: modules/ssl/ssl_util_ssl.h -=================================================================== ---- modules/ssl/ssl_util_ssl.h (revision 1933585) -+++ modules/ssl/ssl_util_ssl.h (revision 1933586) -@@ -71,13 +71,19 @@ - - int modssl_smart_shutdown(SSL *ssl); - BOOL modssl_X509_getBC(X509 *, int *, int *); --char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne, -+char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne, - int raw); --char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); -+char *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int); - BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); - BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); - char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); - -+/* Convert ASN.1 string to a pool-allocated char * string, escaping -+ * control characters. If raw is zero, convert to UTF-8, otherwise -+ * unchanged from the character set. */ -+char *modssl_ASN1_STRING_convert(apr_pool_t *p, const ASN1_STRING *asn1str, -+ int raw); -+ - /* Reads the remaining data in BIO, if not empty, and copies it into a - * pool-allocated string. If empty, returns NULL. BIO_free(bio) is - * called for both cases. 
*/ -Index: modules/ssl/ssl_engine_kernel.c -=================================================================== ---- modules/ssl/ssl_engine_kernel.c (revision 1933585) -+++ modules/ssl/ssl_engine_kernel.c (revision 1933586) -@@ -1263,7 +1263,7 @@ - } - - if (!sslconn->client_dn) { -- X509_NAME *name = X509_get_subject_name(sslconn->client_cert); -+ const X509_NAME *name = X509_get_subject_name(sslconn->client_cert); - char *cp = X509_NAME_oneline(name, NULL, 0); - sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); - OPENSSL_free(cp); -@@ -1817,7 +1817,7 @@ - server_rec *s = mySrvFromConn(c); - SSLSrvConfigRec *sc = mySrvConfig(s); - SSLDirConfigRec *dc = myDirConfigFromConn(c); -- X509_NAME *ca_name, *issuer, *ca_issuer; -+ const X509_NAME *ca_name, *issuer, *ca_issuer; - X509_INFO *info; - X509 *ca_cert; - STACK_OF(X509_NAME) *ca_list; -Index: modules/ssl/ssl_engine_vars.c -=================================================================== ---- modules/ssl/ssl_engine_vars.c (revision 1933585) -+++ modules/ssl/ssl_engine_vars.c (revision 1933586) -@@ -41,10 +41,10 @@ - - static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var); - static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var); --static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); -+static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, const char *var); - static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var); --static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); --static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); -+static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm); -+static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm); - static const char 
*ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); - static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var, int pem); - static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); -@@ -598,7 +598,7 @@ - } - - static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, -- X509_NAME *xsname) -+ const X509_NAME *xsname) - { - char *result = NULL; - SSLDirConfigRec *dc; -@@ -629,7 +629,7 @@ - const char *var) - { - const char *result; -- X509_NAME *xsname; -+ const X509_NAME *xsname; - int nid; - - result = NULL; -@@ -641,13 +641,13 @@ - result = ssl_var_lookup_ssl_cert_serial(p, xs); - } - else if (strcEQ(var, "V_START")) { -- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); -+ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notBefore(xs)); - } - else if (strcEQ(var, "V_END")) { -- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); -+ result = ssl_var_lookup_ssl_cert_valid(p, X509_get0_notAfter(xs)); - } - else if (strcEQ(var, "V_REMAIN")) { -- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); -+ result = ssl_var_lookup_ssl_cert_remain(p, X509_get0_notAfter(xs)); - } - else if (*var && strcEQ(var+1, "_DN")) { - if (*var == 'S') -@@ -727,12 +727,12 @@ - { NULL, 0, 0 } - }; - --static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, -- const char *var) -+static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xsname, -+ const char *var) - { - const char *ptr; - const char *result; -- X509_NAME_ENTRY *xsne; -+ const X509_NAME_ENTRY *xsne; - int i, j, n, idx = 0, raw = 0; - apr_size_t varlen; - -@@ -759,7 +759,7 @@ - for (j = 0; j < X509_NAME_entry_count(xsname); j++) { - xsne = X509_NAME_get_entry(xsname, j); - -- n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); -+ n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); - - if (n == 
ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) { - result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw); -@@ -816,7 +816,7 @@ - return NULL; - } - --static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) -+static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, const ASN1_TIME *tm) - { - BIO* bio; - -@@ -837,12 +837,12 @@ - - /* Return a string giving the number of days remaining until 'tm', or - * "0" if this can't be determined. */ --static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) -+static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, const ASN1_TIME *tm) - { - #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) - int diff; - -- if (INVALID_ASN1_TIME(tm) || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { -+ if (ASN1_TIME_check(tm) != 1 || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) { - return "0"; - } - #else -@@ -929,7 +929,7 @@ - - serialNumber = X509_get_serialNumber(xs); - if (serialNumber) { -- X509_NAME *issuer = X509_get_issuer_name(xs); -+ const X509_NAME *issuer = X509_get_issuer_name(xs); - if (issuer) { - BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL); - if((decimal = BN_bn2dec(bn)) == NULL) { -@@ -1112,9 +1112,9 @@ - /* Add each RDN in 'xn' to the table 't' where the NID is present in - * 'nids', using key prefix 'pfx'. */ - static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, -- X509_NAME *xn, apr_pool_t *p) -+ const X509_NAME *xn, apr_pool_t *p) - { -- X509_NAME_ENTRY *xsne; -+ const X509_NAME_ENTRY *xsne; - apr_hash_t *count; - int i, nid; - -@@ -1129,7 +1129,7 @@ - - /* Retrieve the nid, and check whether this is one of the nids - * which are to be extracted. 
*/ -- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); -+ nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne)); - - tag = apr_hash_get(nids, &nid, sizeof nid); - if (tag) { -@@ -1242,19 +1242,19 @@ - * parse the extension type as a primitive string. This will fail for - * any structured extension type per the docs. Returns non-zero on - * success and writes the string to the given bio. */ --static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) -+static int dump_extn_value(BIO *bio, const ASN1_OCTET_STRING *str) - { -- const unsigned char *pp = str->data; -+ const unsigned char *pp = ASN1_STRING_get0_data(str); - ASN1_STRING *ret = ASN1_STRING_new(); - int rv = 0; - -- if(!ret) { -- return rv; -+ if (!ret) { -+ return rv; - } - - /* This allows UTF8String, IA5String, VisibleString, or BMPString; - * conversion to UTF-8 is forced. */ -- if (d2i_DISPLAYTEXT(&ret, &pp, str->length)) { -+ if (d2i_DISPLAYTEXT(&ret, &pp, ASN1_STRING_length(str))) { - ASN1_STRING_print_ex(bio, ret, ASN1_STRFLGS_UTF8_CONVERT); - rv = 1; - } -@@ -1301,7 +1301,7 @@ - */ - array = apr_array_make(p, count, sizeof(char *)); - for (j = 0; j < count; j++) { -- X509_EXTENSION *ext = X509_get_ext(xs, j); -+ MODSSL_X509_EXT_CONST X509_EXTENSION *ext = X509_get_ext(xs, j); - - if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { - BIO *bio = BIO_new(BIO_s_mem()); diff --git a/deps-packaging/apache/apachectl.patch b/deps-packaging/apache/apachectl.patch index b5516fa01..6f62ccc84 100644 --- a/deps-packaging/apache/apachectl.patch +++ b/deps-packaging/apache/apachectl.patch @@ -1,5 +1,5 @@ ---- support/apachectl.in.orig 2022-05-27 14:39:22.959774741 +0200 -+++ support/apachectl.in 2022-05-27 14:42:10.799591574 +0200 +--- a/support/apachectl.in.orig 2022-05-27 14:39:22.959774741 +0200 ++++ b/support/apachectl.in 2022-05-27 14:42:10.799591574 +0200 @@ -1,5 +1,14 @@ #!/bin/sh # 
diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index e3646d636..46ef6d854 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -7,9 +7,19 @@ Version: %{version} Release: 1 Source0: httpd-%{apache_version}.tar.gz Source1: httpd.conf -Patch0: apachectl.patch +Patch0: apachectl.patch Patch1: fixed-implicit-decl-gettid.patch -Patch2: 1933586-openssl-4.0-compatibility.patch + +# begin patches for openssl 4 support from https://github.com/apache/httpd/pull/642 +Patch2: 0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch +Patch3: 0002-CI-add-OpenSSL-build-binaries-to-PATH.patch +Patch4: 0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch +Patch5: 0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch +Patch6: 0005-Part-merge-of-r1919524-from-trunk.patch +Patch7: 0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch +Patch8: 0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch +Patch9: 0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch + License: MIT Group: Other Url: https://cfengine.com @@ -23,9 +33,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n httpd-%{apache_version} -%patch -P 0 -%patch -P 1 -p1 -%patch -P 2 -p1 +%autopatch -p1 CPPFLAGS=-I%{buildprefix}/include diff --git a/deps-packaging/apache/debian/rules b/deps-packaging/apache/debian/rules index 1c5c5c129..524baa307 100755 --- a/deps-packaging/apache/debian/rules +++ b/deps-packaging/apache/debian/rules 
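Review bot: Going by their subjects and by the diffstats visible for 0005–0008 (only test/travis_*.sh and .github/workflows/linux.yml), patches 0002–0008 in the new `Patch2:`…`Patch9:` list seem to change only httpd's own CI, so applying them in the package build adds seven more places where `%autopatch -p1` can fail without changing the shipped httpd. If 0001 applies cleanly on its own, consider declaring only it; otherwise extend the `# begin patches for openssl 4 support …` comment with why the full series is carried. The same eight file names are repeated by hand in debian/rules (the next hunk), so the two lists can drift silently, and the php commit later in this series repeats the pattern for 0002–0004. Note also that `%autopatch -p1` now applies apachectl.patch with `-p1`, which only works together with the a/ b/ prefixes added to that patch in this same commit — a one-line comment next to `Patch0:` would stop someone reverting either half alone.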
@@ -13,11 +13,20 @@ build: build-stamp build-stamp: dh_testdir - patch -p0 < $(CURDIR)/apachectl.patch + patch -p1 < $(CURDIR)/apachectl.patch # Fixed implicit declaration of GNU extension gettid() (See ENT-13084) patch -p1 < $(CURDIR)/fixed-implicit-decl-gettid.patch - patch -p1 < $(CURDIR)/1933586-openssl-4.0-compatibility.patch + + # apply patches for openssl 4 support from https://github.com/apache/httpd/pull/642 + patch -p1 < $(CURDIR)/0001-Fix-OpenSSL-4.0-compatibility-and-test-that-in-CI.patch + patch -p1 < $(CURDIR)/0002-CI-add-OpenSSL-build-binaries-to-PATH.patch + patch -p1 < $(CURDIR)/0003-CI-test-OpenSSL-3.x-using-Apache-Test-trunk-to-pick-.patch + patch -p1 < $(CURDIR)/0004-Part-merge-of-r1915513-to-make-the-travis_run_linux..patch + patch -p1 < $(CURDIR)/0005-Part-merge-of-r1919524-from-trunk.patch + patch -p1 < $(CURDIR)/0006-CI-The-OpenSSL-no-engine-config-option-is-redundant-.patch + patch -p1 < $(CURDIR)/0007-Cherry-pick-from-0c9cd095ce9081fd225f0da7787419e80de.patch + patch -p1 < $(CURDIR)/0008-CI-Try-to-fix-ab-failures-during-OpenSSL-ech-job-set.patch ./configure \ --prefix=$(PREFIX)/httpd \ From b6f1c2356edecb8771863863032332f2704a70e5 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 19 May 2026 12:37:25 -0500 Subject: [PATCH 23/28] patch php for openssl 4 --- deps-packaging/php/cfbuild-php.spec | 9 ++++++++- deps-packaging/php/debian/rules | 2 ++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/deps-packaging/php/cfbuild-php.spec b/deps-packaging/php/cfbuild-php.spec index 3dba916b2..ae4f1a4c1 100644 --- a/deps-packaging/php/cfbuild-php.spec +++ b/deps-packaging/php/cfbuild-php.spec 
@@ -7,6 +7,12 @@ Release: 1 Source0: php-%{php_version}.tar.gz Source1: php.ini Source2: php-fpm.conf + +Patch2: 0002-Honor-SOURCE_DATE_EPOCH-in-phar.patch +# openssl 4.0 compat patches +Patch3: 0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch +Patch4: 0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch + License: MIT Group: Other Url: https://cfengine.com @@ -25,7 +31,8 @@ then patch -p1 < %{_topdir}/SOURCES/0001-Disable-fancy-intrinsics-stuff.patch fi -patch -p1 < %{_topdir}/SOURCES/0002-Honor-SOURCE_DATE_EPOCH-in-phar.patch +# apply patches specified with PatchN above +%autopatch -p1 %if %{?rhel}%{!?rhel:0} == 8 CFLAGS="-fPIE" diff --git a/deps-packaging/php/debian/rules b/deps-packaging/php/debian/rules index d35d1b49e..9d80b9636 100755 --- a/deps-packaging/php/debian/rules +++ b/deps-packaging/php/debian/rules @@ -13,6 +13,8 @@ build-stamp: dh_testdir patch -p1 < $(CURDIR)/0002-Honor-SOURCE_DATE_EPOCH-in-phar.patch + patch -p1 < $(CURDIR)/0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch + patch -p1 < $(CURDIR)/0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch ./configure --prefix=$(PREFIX)/httpd/php \ --with-config-file-scan-dir=$(PREFIX)/httpd/php/lib \ From 98e0438c8fc00ac0f0d902b2cc2ee07ff53a9998 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 19 May 2026 14:30:16 -0500 Subject: [PATCH 24/28] php openssl4 patches --- ...ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch | 61 +++++++++++++ ...NG-has-been-made-opaque-in-OpenSSL-4.patch | 86 +++++++++++++++++++ 2 files changed, 147 insertions(+) create mode 100644 deps-packaging/php/0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch create mode 100644 deps-packaging/php/0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch diff --git a/deps-packaging/php/0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch b/deps-packaging/php/0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch new file mode 100644 index 000000000..54d284904 
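Review bot: The new `# openssl 4.0 compat patches` comment does not record where 0003 and 0004 come from, whereas the apache spec in this series cites its upstream PR; suggest `# openssl 4.0 compat patches backported from upstream PHP (0003 is PR #21579 per its subject)`. Because `%autopatch -p1` now applies every declared PatchN, the 0001 patch that stays applied by hand inside the `if … then patch -p1 < … 0001-Disable-fancy-intrinsics-stuff.patch fi` block above must never be declared as `Patch1:`, or it would be applied twice — a short comment on that conditional would prevent the mistake. The debian/rules hunk on the same line still lists 0002–0004 explicitly, so the two lists need manual syncing.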
--- /dev/null
+++ b/deps-packaging/php/0003-replace-ERR_NUM_ERRORS-with-PHP_OPENSSL_ERR_BUFFER_S.patch
@@ -0,0 +1,61 @@
+From 266f85f4e89957a02142f5fc9baea723d57bd90b Mon Sep 17 00:00:00 2001
+From: Jordi Kroon
+Date: Thu, 2 Apr 2026 17:04:56 +0200
+Subject: [PATCH] replace ERR_NUM_ERRORS with PHP_OPENSSL_ERR_BUFFER_SIZE
+ (#21579)
+
+---
+ ext/openssl/openssl.c | 6 +++---
+ ext/openssl/php_openssl.h | 4 +++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index bc00b6b..4baa199 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -218,9 +218,9 @@ void php_openssl_store_errors(void)
+ errors = OPENSSL_G(errors);
+ 
+ do {
+- errors->top = (errors->top + 1) % ERR_NUM_ERRORS;
++ errors->top = (errors->top + 1) % PHP_OPENSSL_ERR_BUFFER_SIZE;
+ if (errors->top == errors->bottom) {
+- errors->bottom = (errors->bottom + 1) % ERR_NUM_ERRORS;
++ errors->bottom = (errors->bottom + 1) % PHP_OPENSSL_ERR_BUFFER_SIZE;
+ }
+ errors->buffer[errors->top] = error_code;
+ } while ((error_code = ERR_get_error()));
+@@ -4042,7 +4042,7 @@ PHP_FUNCTION(openssl_error_string)
+ RETURN_FALSE;
+ }
+ 
+- OPENSSL_G(errors)->bottom = (OPENSSL_G(errors)->bottom + 1) % ERR_NUM_ERRORS;
++ OPENSSL_G(errors)->bottom = (OPENSSL_G(errors)->bottom + 1) % PHP_OPENSSL_ERR_BUFFER_SIZE;
+ val = OPENSSL_G(errors)->buffer[OPENSSL_G(errors)->bottom];
+ 
+ if (val) {
+diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
+index 92ccd9a..e565707 100644
+--- a/ext/openssl/php_openssl.h
++++ b/ext/openssl/php_openssl.h
+@@ -36,6 +36,8 @@ extern zend_module_entry openssl_module_entry;
+ #define PHP_OPENSSL_API_VERSION 0x30200
+ #endif
+ 
++#define PHP_OPENSSL_ERR_BUFFER_SIZE 16
++
+ #define OPENSSL_RAW_DATA 1
+ #define OPENSSL_ZERO_PADDING 2
+ #define OPENSSL_DONT_ZERO_PAD_KEY 4
+@@ -65,7 +67,7 @@ extern zend_module_entry openssl_module_entry;
+ #endif
+ 
+ struct php_openssl_errors {
+- int buffer[ERR_NUM_ERRORS];
++ int buffer[PHP_OPENSSL_ERR_BUFFER_SIZE];
+ int top;
+ int bottom;
+ };
+--
+2.52.0
+
diff --git a/deps-packaging/php/0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch b/deps-packaging/php/0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch
new file mode 100644
index 000000000..9c1eecdbb
--- /dev/null
+++ b/deps-packaging/php/0004-ASN1_STRING-has-been-made-opaque-in-OpenSSL-4.patch
@@ -0,0 +1,86 @@
+From ff1bb13315740a80c8072acb91d82ee3aed86c9d Mon Sep 17 00:00:00 2001
+From: Remi Collet
+Date: Thu, 30 Apr 2026 15:52:19 +0200
+Subject: [PATCH] ASN1_STRING has been made opaque in OpenSSL 4
+
+---
+ ext/openssl/openssl_backend_common.c | 10 +++++-----
+ ext/openssl/xp_ssl.c | 14 +++++++-------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c
+index 2220539..5aa8d24 100644
+--- a/ext/openssl/openssl_backend_common.c
++++ b/ext/openssl/openssl_backend_common.c
+@@ -108,7 +108,7 @@ void php_openssl_add_assoc_name_entry(zval * val, char * key, X509_NAME * name,
+
+ void php_openssl_add_assoc_asn1_string(zval * val, char * key, ASN1_STRING * str)
+ {
+- add_assoc_stringl(val, key, (char *)str->data, str->length);
++ add_assoc_stringl(val, key, (const char *)ASN1_STRING_get0_data(str), ASN1_STRING_length(str));
+ }
+
+ time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr)
+@@ -140,12 +140,12 @@ time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr)
+ }
+
+ if (timestr_len < 13) {
+- php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", timestr->data);
++ php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", ASN1_STRING_get0_data(timestr));
+ return (time_t)-1;
+ }
+
+ if (ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME && timestr_len < 15) {
+- php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", timestr->data);
++ php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", ASN1_STRING_get0_data(timestr));
+ return (time_t)-1;
+ }
+
+@@ -626,8 +626,8 @@ int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
+ }
+
+ extension_data = X509_EXTENSION_get_data(extension);
+- p = extension_data->data;
+- length = extension_data->length;
++ p = ASN1_STRING_get0_data(extension_data);
++ length = ASN1_STRING_length(extension_data);
+ if (method->it) {
+ names = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, &p, length,
+ ASN1_ITEM_ptr(method->it)));
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index eea758d..64f49ca 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -492,12 +492,12 @@ static bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) /
+ }
+ OPENSSL_free(cert_name);
+ } else if (san->type == GEN_IPADD) {
+- if (san->d.iPAddress->length == 4) {
++ if (ASN1_STRING_length(san->d.iPAddress) == 4) {
+ snprintf(ipbuffer, sizeof(ipbuffer), "%d.%d.%d.%d",
+- san->d.iPAddress->data[0],
+- san->d.iPAddress->data[1],
+- san->d.iPAddress->data[2],
+- san->d.iPAddress->data[3]
++ ASN1_STRING_get0_data(san->d.iPAddress)[0],
++ ASN1_STRING_get0_data(san->d.iPAddress)[1],
++ ASN1_STRING_get0_data(san->d.iPAddress)[2],
++ ASN1_STRING_get0_data(san->d.iPAddress)[3]
+ );
+ if (strcasecmp(subject_name, (const char*)ipbuffer) == 0) {
+ sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
+@@ -506,9 +506,9 @@ static bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) /
+ }
+ }
+ #ifdef HAVE_IPV6_SAN
+- else if (san->d.ip->length == 16 && subject_name_is_ipv6) {
++ else if (ASN1_STRING_length(san->d.ip) == 16 && subject_name_is_ipv6) {
+ ipbuffer[0] = 0;
+- EXPAND_IPV6_ADDRESS(ipbuffer, san->d.iPAddress->data);
++ EXPAND_IPV6_ADDRESS(ipbuffer, ASN1_STRING_get0_data(san->d.iPAddress));
+ if (strcasecmp((const char*)subject_name_ipv6_expanded, (const char*)ipbuffer) == 0) {
+ sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
+
+--
+2.52.0
+
From fb6330340616b84f1de115443ddb7def82997f2b Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Tue, 19 May 2026 15:56:04 -0500
Subject: [PATCH 25/28] fix build host setup policy to not worry about changing sshd_config if it is not present
---
 ci/cfengine-build-host-setup.cf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
index 7f9729664..acc04d5ec 100644
--- a/ci/cfengine-build-host-setup.cf
+++ b/ci/cfengine-build-host-setup.cf
@@ -341,6 +341,7 @@ findtime = 600",
 comment => "Comment out insecure SSH auth directives in sshd_config and drop-ins";
 "/etc/ssh/sshd_config"
 edit_line => prepend_if_no_line("$(sshd_hardening_directives) no"),
+ if => fileexists("/etc/ssh/sshd_config"),
 classes => if_repaired("sshd_hardened"),
 comment => "Ensure SSH hardening directives are at the top of sshd_config, before any Include";
From 3bbcbffc329d40f831029128ead3b11c5ba75393 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Wed, 20 May 2026 16:13:32 -0500
Subject: [PATCH 26/28] with openldap fixes
---
 build-scripts/install-dependencies | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/build-scripts/install-dependencies b/build-scripts/install-dependencies
index 917cbffc3..9ec44173d 100755
--- a/build-scripts/install-dependencies
+++ b/build-scripts/install-dependencies
@@ -194,15 +194,8 @@ for dep in $DEPS; do
 "$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" \
 "$dep" "$tests" "$cross" "$optimize" yes "$version"
 else
- set +e # ignore errors for now
 "$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" \
 "$dep" "$tests" "$cross" "$optimize" "$debugsym" "$version"
- rc=$?
- if [ "$rc" != "0" ]; then
- echo "Failed to build $dep"
- du -a | grep .rej$ | awk '{print $2}' | xargs cat
- exit 42
- fi
 fi
 # Make sure package is there after building it
From a8aee58b5826ca4af61b47d25ebc90d0174b0a35 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Thu, 21 May 2026 10:35:07 -0500
Subject: [PATCH 27/28] fix: while building in a container minimally I found that revision-file incorrectly adds the nova dir for an agent build
---
 build-scripts/autogen | 7 +++++--
 build-scripts/compare-versions | 7 +++++--
 build-scripts/revision-file | 5 ++++-
 3 files changed, 14 insertions(+), 5 deletions(-)
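Review bot: The added `if => fileexists("/etc/ssh/sshd_config")` turns the hardening promise into a silent no-op wherever the file is absent, so a build host that later installs sshd, or keeps its configuration under another path, would not show up as unhardened in agent output. I'd make the skip visible with a report under the negated condition, e.g. `reports: "sshd_config absent, SSH hardening directives not applied" if => not(fileexists("/etc/ssh/sshd_config"));`. The preceding promise in the context (the one commented as touching sshd_config and drop-ins) is unchanged; if it targets the same path it presumably needs the same guard, but its promiser is outside the hunk. The enclosing bundle starts outside the hunk.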
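Review bot: Removing the `rc=$?` check leaves the non-`yes` call of `pkg-build-$DEP_PACKAGING` with no explicit failure handling, so whether a failed dependency build still aborts now depends on `set -e` being in effect at this point, which is outside the hunk (the deleted `set +e` line implies it was, and that the original author deliberately bypassed it for this call). Even with errexit active, the `.rej` dump and the distinctive `exit 42` are gone, so a dependency patch that no longer applies will be harder to diagnose from CI logs. I'd keep the diagnostic in an errexit-safe form: `"$BASEDIR/buildscripts/deps-packaging/pkg-build-$DEP_PACKAGING" "$dep" "$tests" "$cross" "$optimize" "$debugsym" "$version" || { echo "Failed to build $dep"; find . -name '*.rej' -exec cat {} +; exit 42; }`. The commit message ("with openldap fixes") does not say why the check was dropped, and the surrounding `for dep in $DEPS` loop continues outside the hunk.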
diff --git a/build-scripts/autogen b/build-scripts/autogen
index dee90a064..5e2f34a4a 100755
--- a/build-scripts/autogen
+++ b/build-scripts/autogen
@@ -43,8 +43,11 @@ esac
 # Determine which repositories should be included
 projects="core masterfiles"
-if test "$NOVA" = "yes"; then
- projects="$projects enterprise nova"
+if [ "$NOVA" = "yes" ]; then
+ projects="$projects enterprise"
+fi
+if [ "$NOVA" = "yes" ] && [ "ROLE" = "hub" ]; then
+ projects="$projects nova"
 fi
 # Fail early by checking that the required repositories are present before
diff --git a/build-scripts/compare-versions b/build-scripts/compare-versions
index 1e9f66aef..e1d320ad0 100755
--- a/build-scripts/compare-versions
+++ b/build-scripts/compare-versions
@@ -43,8 +43,11 @@ esac
 # Determine which repositories to compare versions between
 projects="core masterfiles"
-if test "$NOVA" = "yes"; then
- projects="$projects enterprise nova"
+if [ "$NOVA" = "yes" ]; then
+ projects="$projects enterprise"
+fi
+if [ "$NOVA" = "yes" ] && [ "ROLE" = "hub" ]; then
+ projects="$projects nova"
 fi
 # Compare versions between projects (yes this code also compares each project to
diff --git a/build-scripts/revision-file b/build-scripts/revision-file
index 785bbbc9a..994dfe8c7 100755
--- a/build-scripts/revision-file
+++ b/build-scripts/revision-file
@@ -49,7 +49,10 @@ esac
 # Determine which repositories should be included
 _dirs="core buildscripts buildscripts/deps-packaging"
 if test "$NOVA" = "yes"; then
- _dirs="$_dirs enterprise nova"
+ _dirs="$_dirs enterprise"
+fi
+if [ "$NOVA" = "yes" ] && [ "$ROLE" = "hub" ]; then
+ _dirs="$_dirs nova"
 fi
 for _dir in $_dirs; do
From cc630789995937bdecebcb6cf016515482145e78 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Thu, 21 May 2026 10:36:58 -0500
Subject: [PATCH 28/28] fix: cfengine-build-host-setup policy needed adjusting for ubuntu-26
---
 ci/cfengine-build-host-setup.cf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
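Review bot: `[ "ROLE" = "hub" ]` in the new second condition compares the literal string ROLE with hub, which is always false, so `nova` is never appended to `projects` even for a hub build; the compare-versions hunk has the same typo, while the revision-file hunk in this commit correctly tests `"$ROLE"`. Change both to `if [ "$NOVA" = "yes" ] && [ "$ROLE" = "hub" ]; then`. With `ROLE` possibly unset for agent builds, the quoted expansion keeps the test well-formed in that case. The preceding `case` and the repository checks that follow are outside the hunk.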
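Review bot: The revision-file hunk mixes two test syntaxes, keeping `if test "$NOVA" = "yes"; then` for the first condition while the new second condition uses `[ ... ]`, whereas the autogen and compare-versions hunks in this same commit switch both conditions to `[`. For consistency I'd write `if [ "$NOVA" = "yes" ]; then` here too, or nest the `"$ROLE" = "hub"` check inside the existing `$NOVA` block so the variable is tested once. The `for _dir in $_dirs` loop that follows continues outside the hunk.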
diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
index acc04d5ec..1476df9b0 100644
--- a/ci/cfengine-build-host-setup.cf
+++ b/ci/cfengine-build-host-setup.cf
@@ -21,10 +21,10 @@ bundle agent cfengine_build_host_setup
 "python3";
 "python-is-python3"
 comment => "pipeline hosts need plain old python for buildscripts/build-scripts/get_labels_expr.py";
- debian_13|ubuntu_25::
+ debian_13|ubuntu_25|ubuntu_26::
 "ntpsec";
- debian.(!debian_13.!ubuntu_25)::
+ debian.(!debian_13.!ubuntu_25.!ubuntu_26)::
 "ntp";
 debian|ubuntu::
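Review bot: The ntpsec selector and its complement are two hand-maintained class expressions that must stay in sync (`debian_13|ubuntu_25|ubuntu_26` versus `debian.(!debian_13.!ubuntu_25.!ubuntu_26)`), and this is an edit that has to touch both; the next Debian or Ubuntu release will need the same double edit. I'd define the class once, e.g. a `classes:` promise `"uses_ntpsec" expression => "debian_13|ubuntu_25|ubuntu_26";`, and select the packages with `uses_ntpsec::` and `debian.!uses_ntpsec::` so the two lists cannot drift apart. The enclosing section (presumably `packages:`, given the promisers) and the bundle start outside the hunk.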