diff -Nru squid-5.2/debian/changelog squid-5.2/debian/changelog --- squid-5.2/debian/changelog 2021-11-01 23:19:59.000000000 +0100 +++ squid-5.2/debian/changelog 2021-11-19 16:36:42.000000000 +0100 @@ -1,3 +1,10 @@ +squid (5.2-1ubuntu2) jammy; urgency=medium + + * d/p/openssl3/*: Port a patchset from an upstream PR to fix the + build against OpenSSL3 (LP: #1946205) + + -- Simon Chopin Fri, 19 Nov 2021 16:36:42 +0100 + squid (5.2-1ubuntu1) jammy; urgency=medium * Merge with Debian unstable (LP: #1946903). Remaining changes: diff -Nru squid-5.2/debian/patches/openssl3/0001-Update-license-disclaimer.patch squid-5.2/debian/patches/openssl3/0001-Update-license-disclaimer.patch --- squid-5.2/debian/patches/openssl3/0001-Update-license-disclaimer.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0001-Update-license-disclaimer.patch 2021-11-19 16:36:42.000000000 +0100 
@@ -0,0 +1,24 @@
+From e668a138d39981757878a4095879eae72d77968b Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Thu, 23 Jul 2020 17:38:26 +1200
+Subject: [PATCH 01/11] Update license disclaimer
+Origin: https://github.com/squid-cache/squid/pull/694
+
+OpenSSL 3.0 uses Apache License v2 which removes the SSLeay distribution restrictions.
+---
+ src/main.cc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/main.cc
++++ b/src/main.cc
+@@ -678,8 +678,10 @@
+ printf("%s\n",SQUID_BUILD_INFO);
+ #if USE_OPENSSL
+ printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
++#if OPENSSL_VERSION_MAJOR < 3
+ printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
+ #endif
++#endif
+ printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
+ 
+ #if USE_WIN32_SERVICE
diff -Nru squid-5.2/debian/patches/openssl3/0002-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch squid-5.2/debian/patches/openssl3/0002-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch
--- squid-5.2/debian/patches/openssl3/0002-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid-5.2/debian/patches/openssl3/0002-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch 2021-11-19 16:36:42.000000000 +0100
@@ -0,0 +1,25 @@
+From 8b700b092155fa8597775e83ee4a3cd793f96b38 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Thu, 23 Jul 2020 18:51:20 +1200
+Subject: [PATCH 02/11] Declaration of CRYPTO_EX_dup changed again in 3.0
+Origin: https://github.com/squid-cache/squid/pull/694
+
+---
+ src/ssl/support.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/src/ssl/support.cc
++++ b/src/ssl/support.cc
+@@ -557,7 +557,11 @@
+ }
+ 
+ // "dup" function for SSL_get_ex_new_index("cert_err_check")
+-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
++#if OPENSSL_VERSION_MAJOR >= 3
++static int
++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
++ int, long, void *)
++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
+ static int
+ ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
+ int, long, void *)
diff -Nru squid-5.2/debian/patches/openssl3/0003-Refactor-Ssl-createSslPrivateKey.patch squid-5.2/debian/patches/openssl3/0003-Refactor-Ssl-createSslPrivateKey.patch
--- squid-5.2/debian/patches/openssl3/0003-Refactor-Ssl-createSslPrivateKey.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid-5.2/debian/patches/openssl3/0003-Refactor-Ssl-createSslPrivateKey.patch 2021-11-19 16:36:42.000000000 +0100
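Review bot: `OPENSSL_VERSION_MAJOR` is only defined by OpenSSL 3.0's opensslv.h, so on 1.1.x headers this `#if OPENSSL_VERSION_MAJOR >= 3` selects the right branch only because the preprocessor treats an undefined identifier as 0; that is fine with default gcc/clang settings but `-Wundef` builds will warn, and the same idiom recurs throughout this series. A one-line comment would make the dependency explicit, e.g. `// OPENSSL_VERSION_MAJOR is undefined (hence 0) on pre-3.0 headers`. Only the prototype changes here — 3.0 declares the copied slot as `void **`, which per the CRYPTO_get_ex_new_index(3) manual is what `from_d` always pointed at — and the body of ssl_dupAclChecklist() is outside the hunk, so confirm it does not depend on the parameter type.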
@@ -0,0 +1,101 @@ +From e2af6c51a9b2c99d0bd63ac3628caa7fe2c9481d Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Thu, 23 Jul 2020 21:02:36 +1200 +Subject: [PATCH 03/11] Refactor Ssl::createSslPrivateKey() +Origin: https://github.com/squid-cache/squid/pull/694 + +* Use the OpenSSL 1.1+ EVP API for generating RSA keys. + +* Make static since this is only used by the gadgets.cc code. +--- + src/ssl/gadgets.cc | 41 +++++++++++++++++------------------------ + src/ssl/gadgets.h | 8 +------- + 2 files changed, 18 insertions(+), 31 deletions(-) + +--- a/src/ssl/gadgets.cc ++++ b/src/ssl/gadgets.cc +@@ -9,35 +9,28 @@ + #include "squid.h" + #include "ssl/gadgets.h" + +-EVP_PKEY * Ssl::createSslPrivateKey() ++static EVP_PKEY * ++CreateRsaPrivateKey() + { +- Security::PrivateKeyPointer pkey(EVP_PKEY_new()); +- +- if (!pkey) +- return NULL; +- +- BIGNUM_Pointer bn(BN_new()); +- if (!bn) +- return NULL; +- +- if (!BN_set_word(bn.get(), RSA_F4)) +- return NULL; +- +- Ssl::RSA_Pointer rsa(RSA_new()); ++ Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr)); + if (!rsa) +- return NULL; ++ return nullptr; + +- int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? +- if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL)) +- return NULL; ++ if (EVP_PKEY_keygen_init(rsa.get()) <= 0) ++ return nullptr; + +- if (!rsa) +- return NULL; ++ int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? 
++ if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0) ++ return nullptr; + +- if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get()))) +- return NULL; ++ /* Generate key */ ++ Security::PrivateKeyPointer pkey(EVP_PKEY_new()); ++ if (pkey) { ++ auto *foo = pkey.get(); ++ if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0) ++ return nullptr; ++ } + +- rsa.release(); + return pkey.release(); + } + +@@ -553,7 +546,7 @@ + if (properties.signWithPkey.get()) + pkey.resetAndLock(properties.signWithPkey.get()); + else // if not exist generate one +- pkey.resetWithoutLocking(Ssl::createSslPrivateKey()); ++ pkey.resetWithoutLocking(CreateRsaPrivateKey()); + + if (!pkey) + return false; +--- a/src/ssl/gadgets.h ++++ b/src/ssl/gadgets.h +@@ -57,7 +57,7 @@ + + typedef std::unique_ptr> X509_NAME_Pointer; + +-typedef std::unique_ptr> RSA_Pointer; ++typedef std::unique_ptr> EVP_PKEY_CTX_Pointer; + + typedef std::unique_ptr> X509_REQ_Pointer; + +@@ -73,12 +73,6 @@ + typedef std::unique_ptr> X509_STORE_CTX_Pointer; + /** + \ingroup SslCrtdSslAPI +- * Create 1024 bits rsa key. +- */ +-EVP_PKEY * createSslPrivateKey(); +- +-/** +- \ingroup SslCrtdSslAPI + * Write private key and SSL certificate to memory. + */ + bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite); diff -Nru squid-5.2/debian/patches/openssl3/0004-Tweak-RSA-key-generator.patch squid-5.2/debian/patches/openssl3/0004-Tweak-RSA-key-generator.patch --- squid-5.2/debian/patches/openssl3/0004-Tweak-RSA-key-generator.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0004-Tweak-RSA-key-generator.patch 2021-11-19 16:36:42.000000000 +0100 
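Review bot: The EVP rewrite drops the explicit `RSA_F4` exponent the old `BN_set_word()`/`RSA_generate_key_ex()` code passed, and nothing in the new function says what replaces it; the EVP keygen default public exponent is also 65537, so the generated keys are equivalent, but the next reader will assume it was lost. Add above `EVP_PKEY_CTX_set_rsa_keygen_bits()`: `// public exponent: EVP keygen defaults to RSA_F4 (65537), matching the old RSA_generate_key_ex() call`. The `return nullptr` paths also leave the OpenSSL error queue unreported, and the caller in the second hunk (`if (!pkey) return false;`) cannot say why generation failed; a `debugs(83, DBG_IMPORTANT, ...)` with `Security::ErrorString(ERR_get_error())` before each early return would make a failing keygen diagnosable in cache.log.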
@@ -0,0 +1,32 @@
+From 5c9c19ce107d6682511ed796b5e2448a710c81be Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Tue, 10 Nov 2020 12:01:28 +1300
+Subject: [PATCH 04/11] Tweak RSA key generator
+Origin: https://github.com/squid-cache/squid/pull/694
+
+... rely on EVP_PKEY_keygen() allocating the key memory.
+---
+ src/ssl/gadgets.cc | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/src/ssl/gadgets.cc
++++ b/src/ssl/gadgets.cc
+@@ -24,14 +24,11 @@
+ return nullptr;
+ 
+ /* Generate key */
+- Security::PrivateKeyPointer pkey(EVP_PKEY_new());
+- if (pkey) {
+- auto *foo = pkey.get();
+- if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0)
+- return nullptr;
+- }
++ EVP_PKEY *pkey = nullptr;
++ if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0)
++ return nullptr;
+ 
+- return pkey.release();
++ return pkey;
+ }
+ 
+ /**
diff -Nru squid-5.2/debian/patches/openssl3/0005-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch squid-5.2/debian/patches/openssl3/0005-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch
--- squid-5.2/debian/patches/openssl3/0005-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid-5.2/debian/patches/openssl3/0005-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch 2021-11-19 16:36:42.000000000 +0100
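Review bot: The rewritten tail returns a raw owning `EVP_PKEY *` with nothing stating who frees it or what happens on the failure path; the caller adopts it through `resetWithoutLocking()` (0003's second hunk), and in both the 1.1 and 3.0 implementations `EVP_PKEY_keygen()` frees a key it allocated itself when generation fails, so the bare `return nullptr` should not leak — worth confirming against the shipped library, and worth writing down where the pointer is produced. Suggest a header comment on CreateRsaPrivateKey(): `/// \returns a freshly generated 2048-bit RSA key owned by the caller, or nullptr on failure (EVP_PKEY_keygen() releases the key it allocated)`. The function's opening lines sit above this hunk.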
@@ -0,0 +1,25 @@
+From cb5b80d44e935806c71be6d646237a78b1cc4ce2 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Wed, 6 Oct 2021 22:39:49 +1300
+Subject: [PATCH 05/11] Fix EVP_PKEY_get0_RSA is deprecated
+Origin: https://github.com/squid-cache/squid/pull/694
+
+---
+ src/ssl/gadgets.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/src/ssl/gadgets.cc
++++ b/src/ssl/gadgets.cc
+@@ -369,7 +369,11 @@
+ // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are
+ // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.
+ const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));
+- const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;
++#if OPENSSL_VERSION_MAJOR < 3
++ const auto rsaPkey = bool(EVP_PKEY_get0_RSA(certKey.get()));
++#else
++ const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA");
++#endif
+ 
+ int added = 0;
+ int nid;
diff -Nru squid-5.2/debian/patches/openssl3/0006-Initial-DH-conversion-to-EVP_PKEY.patch squid-5.2/debian/patches/openssl3/0006-Initial-DH-conversion-to-EVP_PKEY.patch
--- squid-5.2/debian/patches/openssl3/0006-Initial-DH-conversion-to-EVP_PKEY.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid-5.2/debian/patches/openssl3/0006-Initial-DH-conversion-to-EVP_PKEY.patch 2021-11-19 16:36:42.000000000 +0100
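Review bot: Both new branches still pass `certKey.get()` unguarded: `X509_get_pubkey()` returns null when the mimicked certificate — which on the bump path is supplied by the origin server, not by configuration — carries a key algorithm this OpenSSL cannot load, and neither `EVP_PKEY_get0_RSA()` nor `EVP_PKEY_is_a()` is documented as null-safe. Guard it once in each branch, `const auto rsaPkey = certKey && EVP_PKEY_is_a(certKey.get(), "RSA");` (and the same for the `get0_RSA` form). Note also that 1.1.1's `EVP_PKEY_get0_RSA()` returns the key for `EVP_PKEY_RSA_PSS` as well, whereas `EVP_PKEY_is_a(pkey, "RSA")` is false for an RSA-PSS key, so RSA-PSS server certificates now take a different path below on OpenSSL 3; if that is unintended, add `|| EVP_PKEY_is_a(certKey.get(), "RSA-PSS")`. The enclosing function starts and ends outside the hunk.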
@@ -0,0 +1,122 @@ +From d7b0d560bb174b31fe77d7ef8be7b90405570838 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 6 Oct 2021 21:12:25 +1300 +Subject: [PATCH 06/11] Initial DH conversion to EVP_PKEY +Origin: https://github.com/squid-cache/squid/pull/694 + +3.0 build does not yet complete due to ENGINE and BIGNUM deprecation issues. + +This conversion relies on OSSL_*() functions added in 3.0. So the +old DH loading code is left unchanged. +--- + configure.ac | 1 + + src/security/ServerOptions.cc | 28 +++++++++++++++++++++++++++- + src/security/forward.h | 24 +++++++++++++++--------- + 3 files changed, 43 insertions(+), 10 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -1333,6 +1333,7 @@ + openssl/bio.h \ + openssl/bn.h \ + openssl/crypto.h \ ++ openssl/decoder.h \ + openssl/dh.h \ + openssl/err.h \ + openssl/evp.h \ +--- a/src/security/ServerOptions.cc ++++ b/src/security/ServerOptions.cc +@@ -19,6 +19,9 @@ + #include "compat/openssl.h" + #include "ssl/support.h" + ++#if HAVE_OPENSSL_DECODER_H ++#include ++#endif + #if HAVE_OPENSSL_ERR_H + #include + #endif +@@ -353,6 +356,7 @@ + return; + + #if USE_OPENSSL ++#if OPENSSL_VERSION_MAJOR < 3 + DH *dhp = nullptr; + if (FILE *in = fopen(dhParamsFile.c_str(), "r")) { + dhp = PEM_read_DHparams(in, NULL, NULL, NULL); +@@ -372,9 +376,31 @@ + dhp = nullptr; + } + } +- + parsedDhParams.resetWithoutLocking(dhp); ++ ++#else // OpenSSL 3.0+ ++ EVP_PKEY *pkey = nullptr; ++ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { ++ if (auto *in = fopen(dhParamsFile.c_str(), "r")) { ++ if (OSSL_DECODER_from_fp(dctx, in) == 1) { ++ ++ /* pkey is created with the decoded data from the bio */ ++ Must(pkey); ++ parsedDhParams.resetWithoutLocking(pkey); ++ ++ } else { ++ debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode DH parameters '" << dhParamsFile << "'"); ++ } ++ fclose(in); ++ } ++ OSSL_DECODER_CTX_free(dctx); ++ ++ } else { ++ debugs(83, 
DBG_IMPORTANT, "WARNING: no suitable potential decoders found for DH parameters"); ++ return; ++ } + #endif ++#endif // USE_OPENSSL + } + + bool +--- a/src/security/forward.h ++++ b/src/security/forward.h +@@ -93,9 +93,24 @@ + typedef std::list CertRevokeList; + + #if USE_OPENSSL ++CtoCpp1(EVP_PKEY_free, EVP_PKEY *) ++typedef Security::LockingPointer > PrivateKeyPointer; ++#elif USE_GNUTLS ++typedef std::shared_ptr PrivateKeyPointer; ++#else ++typedef std::shared_ptr PrivateKeyPointer; ++#endif ++ ++#if USE_OPENSSL ++#if OPENSSL_VERSION_MAJOR < 3 + CtoCpp1(DH_free, DH *); + typedef Security::LockingPointer > DhePointer; + #else ++typedef PrivateKeyPointer DhePointer; ++#endif ++#elif USE_GNUTLS ++typedef void *DhePointer; ++#else + typedef void *DhePointer; + #endif + +@@ -174,15 +189,6 @@ + class PeerConnector; + class PeerOptions; + +-#if USE_OPENSSL +-CtoCpp1(EVP_PKEY_free, EVP_PKEY *) +-typedef Security::LockingPointer > PrivateKeyPointer; +-#elif USE_GNUTLS +-typedef std::shared_ptr PrivateKeyPointer; +-#else +-typedef std::shared_ptr PrivateKeyPointer; +-#endif +- + class ServerOptions; + + class ErrorDetail; diff -Nru squid-5.2/debian/patches/openssl3/0007-Switch-to-BN_rand.patch squid-5.2/debian/patches/openssl3/0007-Switch-to-BN_rand.patch --- squid-5.2/debian/patches/openssl3/0007-Switch-to-BN_rand.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0007-Switch-to-BN_rand.patch 2021-11-19 16:36:42.000000000 +0100 
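Review bot: In the new OpenSSL 3 path a `dhParamsFile` that cannot be opened is skipped silently — the `fopen()` has no else branch — so a typo in the configured path leaves the listener without DH parameters and nothing in cache.log says why; the pre-3 branch's tail (`dhp = nullptr;` inside a nested block) also suggests the loaded parameters used to be checked after parsing, while this branch installs whatever the decoder produced with no `EVP_PKEY_param_check()`. `OSSL_KEYMGMT_SELECT_ALL` additionally lets the decoder accept a DH private key where only domain parameters are expected; `OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS` is the tighter selector. The sketch below adds the open-failure warning and a parameter check before the key reaches `parsedDhParams`; `EVP_PKEY_param_check()` runs the full DH_check primality tests, so expect a startup pause on large parameters (`EVP_PKEY_param_check_quick()` is the 3.0 alternative). loadDhParams() begins above the hunk.
```cpp
    if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, nullptr, nullptr)) {
        if (auto *in = fopen(dhParamsFile.c_str(), "r")) {
            if (OSSL_DECODER_from_fp(dctx, in) == 1) {
                Must(pkey);
                // reject malformed or unsafe parameters before they reach the SSL_CTX
                auto *pctx = EVP_PKEY_CTX_new_from_pkey(nullptr, pkey, nullptr);
                if (pctx && EVP_PKEY_param_check(pctx) == 1) {
                    parsedDhParams.resetWithoutLocking(pkey);
                } else {
                    debugs(83, DBG_IMPORTANT, "WARNING: Ignoring invalid DH parameters in '" << dhParamsFile << "': " << Security::ErrorString(ERR_get_error()));
                    EVP_PKEY_free(pkey);
                }
                EVP_PKEY_CTX_free(pctx);
            } else {
                debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode DH parameters '" << dhParamsFile << "'");
            }
            fclose(in);
        } else {
            debugs(83, DBG_IMPORTANT, "WARNING: Cannot open DH parameters file '" << dhParamsFile << "'");
        }
        OSSL_DECODER_CTX_free(dctx);
    // … unchanged: "no suitable potential decoders" branch …
```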
@@ -0,0 +1,60 @@ +From c13a893cb6f14116d5f6de91b8985b179c212d78 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Wed, 6 Oct 2021 21:55:38 +1300 +Subject: [PATCH 07/11] Switch to BN_rand() +Origin: https://github.com/squid-cache/squid/pull/694 + +BN_pseudo_rand() has been identical since libssl 1.1.0 and is removed in libssl 3.0 +--- + src/cf.data.pre | 2 ++ + src/ssl/gadgets.cc | 2 +- + src/ssl/support.cc | 5 ++--- + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -3050,6 +3050,8 @@ + DOC_START + The OpenSSL engine to use. You will need to set this if you + would like to use hardware SSL acceleration for example. ++ ++ Note: OpenSSL 3.0 and newer do not provide Engine support. + DOC_END + + NAME: sslproxy_session_ttl +--- a/src/ssl/gadgets.cc ++++ b/src/ssl/gadgets.cc +@@ -46,7 +46,7 @@ + if (!bn) + return false; + +- if (!BN_pseudo_rand(bn.get(), 64, 0, 0)) ++ if (!BN_rand(bn.get(), 64, 0, 0)) + return false; + } + +--- a/src/ssl/support.cc ++++ b/src/ssl/support.cc +@@ -658,8 +658,8 @@ + + SQUID_OPENSSL_init_ssl(); + +-#if !defined(OPENSSL_NO_ENGINE) + if (::Config.SSL.ssl_engine) { ++#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_MAJOR < 3 + ENGINE_load_builtin_engines(); + ENGINE *e; + if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine))) +@@ -669,11 +669,10 @@ + const auto ssl_error = ERR_get_error(); + fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error)); + } +- } + #else +- if (::Config.SSL.ssl_engine) + fatalf("Your OpenSSL has no SSL engine support\n"); + #endif ++ } + + const char *defName = ::Config.SSL.certSignHash ? 
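Review bot: The added `Note:` overstates the library: OpenSSL 3.0 deprecates the ENGINE API but still ships and supports it; what actually disables the directive is Squid's new `OPENSSL_VERSION_MAJOR < 3` guard in src/ssl/support.cc (same patch), after which any configured engine aborts startup via fatalf(). Say that instead, so operators learn both the cause and the consequence: `Note: Squid built against OpenSSL 3.0 or later does not use this directive (the ENGINE API is deprecated there in favour of providers); setting it is a fatal configuration error.`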
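Review bot: `BN_rand(bn, 64, 0, 0)` keeps the old arguments, and `top == 0` (BN_RAND_TOP_ONE) forces the most significant bit on, so the random BIGNUM built here — by the look of the surrounding code, a generated certificate serial — carries 63 random bits, not the 64 the call suggests. If the intent is a full 64 bits of CSPRNG output, pass `if (!BN_rand(bn.get(), 64, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))`; otherwise a comment such as `// top bit is fixed: 63 bits of entropy` would stop the next reader from counting on 64. The enclosing function starts and ends outside the hunk.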
::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE; + Ssl::DefaultSignHash = EVP_get_digestbyname(defName); diff -Nru squid-5.2/debian/patches/openssl3/0008-SSL_OP_-macro-definitions-changed-in-3.0.patch squid-5.2/debian/patches/openssl3/0008-SSL_OP_-macro-definitions-changed-in-3.0.patch --- squid-5.2/debian/patches/openssl3/0008-SSL_OP_-macro-definitions-changed-in-3.0.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0008-SSL_OP_-macro-definitions-changed-in-3.0.patch 2021-11-19 16:36:42.000000000 +0100 
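Review bot: With the guard moved inside the `if (::Config.SSL.ssl_engine)` block, an OpenSSL 3 build that does have ENGINE support now dies with `fatalf("Your OpenSSL has no SSL engine support\n")`, which is untrue and will send operators chasing the wrong problem. Failing closed is the right call — an HSM-backed key silently replaced by a software key would be worse — but the message should name the real reason: insert `#elif OPENSSL_VERSION_MAJOR >= 3` / `fatalf("ssl_engine is not supported when Squid is built with OpenSSL 3.0 or later (ENGINE API deprecated)\n");` before the existing `#else`. The surrounding function continues above and below the hunk.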
@@ -0,0 +1,176 @@ +From 274732427eb37cc63fa2c4bc033a561ace68eb9e Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Sun, 10 Oct 2021 02:35:10 +1300 +Subject: [PATCH 08/11] SSL_OP_* macro definitions changed in 3.0 +Origin: https://github.com/squid-cache/squid/pull/694 + +--- + src/security/PeerOptions.cc | 50 ++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +--- a/src/security/PeerOptions.cc ++++ b/src/security/PeerOptions.cc +@@ -297,130 +297,130 @@ + + } ssl_options[] = { + +-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ++#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) + { + "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ++#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) + { + "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + }, + #endif +-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ++#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) + { + "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + }, + #endif +-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG ++#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) + { + "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG + }, + #endif +-#if SSL_OP_TLS_D5_BUG ++#if defined(SSL_OP_TLS_D5_BUG) + { + "TLS_D5_BUG", SSL_OP_TLS_D5_BUG + }, + #endif +-#if SSL_OP_TLS_BLOCK_PADDING_BUG ++#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) + { + "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG + }, + #endif +-#if SSL_OP_TLS_ROLLBACK_BUG ++#if defined(SSL_OP_TLS_ROLLBACK_BUG) + { + "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG + }, + #endif +-#if SSL_OP_ALL ++#if defined(SSL_OP_ALL) + { + "ALL", (long)SSL_OP_ALL + }, + #endif +-#if SSL_OP_SINGLE_DH_USE ++#if defined(SSL_OP_SINGLE_DH_USE) + { + "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE + }, + #endif +-#if SSL_OP_EPHEMERAL_RSA ++#if defined(SSL_OP_EPHEMERAL_RSA) + { + "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA + }, + #endif +-#if SSL_OP_PKCS1_CHECK_1 ++#if 
defined(SSL_OP_PKCS1_CHECK_1) + { + "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 + }, + #endif +-#if SSL_OP_PKCS1_CHECK_2 ++#if defined(SSL_OP_PKCS1_CHECK_2) + { + "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 + }, + #endif +-#if SSL_OP_NETSCAPE_CA_DN_BUG ++#if defined(SSL_OP_NETSCAPE_CA_DN_BUG) + { + "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG + }, + #endif +-#if SSL_OP_NON_EXPORT_FIRST ++#if defined(SSL_OP_NON_EXPORT_FIRST) + { + "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST + }, + #endif +-#if SSL_OP_CIPHER_SERVER_PREFERENCE ++#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE) + { + "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE + }, + #endif +-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ++#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) + { + "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + }, + #endif +-#if SSL_OP_NO_SSLv3 ++#if defined(SSL_OP_NO_SSLv3) + { + "NO_SSLv3", SSL_OP_NO_SSLv3 + }, + #endif +-#if SSL_OP_NO_TLSv1 ++#if defined(SSL_OP_NO_TLSv1) + { + "NO_TLSv1", SSL_OP_NO_TLSv1 + }, + #else + { "NO_TLSv1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_1 ++#if defined(SSL_OP_NO_TLSv1_1) + { + "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 + }, + #else + { "NO_TLSv1_1", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_2 ++#if defined(SSL_OP_NO_TLSv1_2) + { + "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 + }, + #else + { "NO_TLSv1_2", 0 }, + #endif +-#if SSL_OP_NO_TLSv1_3 ++#if defined(SSL_OP_NO_TLSv1_3) + { + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 + }, + #else + { "NO_TLSv1_3", 0 }, + #endif +-#if SSL_OP_NO_COMPRESSION ++#if defined(SSL_OP_NO_COMPRESSION) + { + "No_Compression", SSL_OP_NO_COMPRESSION + }, + #endif +-#if SSL_OP_NO_TICKET ++#if defined(SSL_OP_NO_TICKET) + { + "NO_TICKET", SSL_OP_NO_TICKET + }, + #endif +-#if SSL_OP_SINGLE_ECDH_USE ++#if defined(SSL_OP_SINGLE_ECDH_USE) + { + "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE + }, +@@ -512,7 +512,7 @@ + + } + +-#if SSL_OP_NO_SSLv2 ++#if defined(SSL_OP_NO_SSLv2) + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) 
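Review bot: Switching every test to `defined()` admits the `SSL_OP_*` names that OpenSSL ≥ 1.1.0 defines as `0x0` (the NETSCAPE_*/SSLEAY_*/TLS_D5/TLS_BLOCK_PADDING workarounds, SINGLE_DH_USE, SINGLE_ECDH_USE, EPHEMERAL_RSA, PKCS1_CHECK_*), so those option tokens now parse as silent no-ops where `#if SSL_OP_X` previously kept them out of the table. That matches the explicit `{ "NO_TLSv1", 0 }` fallbacks and is harmless for the hardening flags, but a one-line comment above the table, e.g. `// a value of 0 means newer OpenSSL dropped the option: the name stays accepted but does nothing`, would save the next reader from hunting through ssl.h. The element type of `ssl_options[]` is declared above the hunk; OpenSSL 3.0 defines `SSL_OP_*` as `uint64_t`, so confirm that field and the `op` accumulator are not narrower than that.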
Version 2.0 + op = op | SSL_OP_NO_SSLv2; + #endif diff -Nru squid-5.2/debian/patches/openssl3/0009-Update-ECDH-key-settings.patch squid-5.2/debian/patches/openssl3/0009-Update-ECDH-key-settings.patch --- squid-5.2/debian/patches/openssl3/0009-Update-ECDH-key-settings.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0009-Update-ECDH-key-settings.patch 2021-11-19 16:36:42.000000000 +0100 
@@ -0,0 +1,68 @@ +From 1c67b45cf1714c454b174758a3247503a2337f47 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Mon, 11 Oct 2021 06:01:10 +1300 +Subject: [PATCH 09/11] Update ECDH key settings +Origin: https://github.com/squid-cache/squid/pull/694 + +--- + src/security/ServerOptions.cc | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/src/security/ServerOptions.cc ++++ b/src/security/ServerOptions.cc +@@ -380,7 +380,12 @@ + + #else // OpenSSL 3.0+ + EVP_PKEY *pkey = nullptr; +- if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { ++ const char *type = "DH"; ++ if (!eecdhCurve.isEmpty()) ++ type = "EC"; ++ // XXX: use the eecdhCurve name when generating the EVP_KEY object. or at least verify it matches the loaded params. ++ ++ if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, type, OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) { + if (auto *in = fopen(dhParamsFile.c_str(), "r")) { + if (OSSL_DECODER_from_fp(dctx, in) == 1) { + +@@ -477,6 +482,9 @@ + debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << "."); + + #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH) ++ ++ // OpenSSL 3.0+ generates the key in loadDhParams() ++#if OPENSSL_VERSION_MAJOR < 3 + int nid = OBJ_sn2nid(eecdhCurve.c_str()); + if (!nid) { + debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'"); +@@ -484,6 +492,9 @@ + } + + auto ecdh = EC_KEY_new_by_curve_name(nid); ++#else ++ auto ecdh = parsedDhParams.get(); ++#endif + if (!ecdh) { + const auto x = ERR_get_error(); + debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x)); +@@ -494,7 +505,11 @@ + const auto x = ERR_get_error(); + debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x)); + } ++#if OPENSSL_VERSION_MAJOR < 3 + EC_KEY_free(ecdh); ++#else ++ return; ++#endif + 
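Review bot: Decoding the `dhParamsFile` as "EC" whenever a curve is configured means the usual curve-plus-DH-file setup loses its DH parameters on OpenSSL 3 — the decoder fails on the DH PEM and only logs "Failed to decode DH parameters" — and nothing verifies that EC parameters from the file actually match `eecdhCurve` (the XXX says as much), while the `return;` added in the ECDH hunk below skips the DH setup entirely once a curve is set. OpenSSL 3 selects ECDHE groups by name, so the curve does not need a parameter file at all: keep `type = "DH"` here and apply the curve with `SSL_CTX_set1_groups_list(ctx.get(), eecdhCurve.c_str())` in the ECDH setup. loadDhParams() begins and ends outside this hunk.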
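Review bot: On the OpenSSL 3 branch `ecdh` becomes the `EVP_PKEY *` held by `parsedDhParams` (DhePointer is PrivateKeyPointer there, per 0006's forward.h change), but it is then handed to the same `SSL_CTX_set_tmp_ecdh()` call the pre-3 branch uses with an `EC_KEY *` (the call itself sits between this hunk and the next; its failure is what the next hunk logs as "Unable to set Ephemeral ECDH"). In OpenSSL 3.0 that setter is the deprecated `SSL_CTRL_SET_TMP_ECDH` ctrl, which casts its argument to `EC_KEY *` and reads the group out of it, so an EVP_PKEY there is a runtime type confusion rather than a compile error — the macro's `(char *)` cast hides it. Replace the branch with the name-based group selection below and drop the EVP_PKEY path; the enclosing function's body continues outside the hunk.
```cpp
#if OPENSSL_VERSION_MAJOR < 3
    // … unchanged: EC_KEY_new_by_curve_name()/SSL_CTX_set_tmp_ecdh() path …
#else
    // OpenSSL 3 selects ECDHE groups by name; no EC_KEY or parameter file is involved
    if (SSL_CTX_set1_groups_list(ctx.get(), eecdhCurve.c_str()) != 1) {
        const auto x = ERR_get_error();
        debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x));
    }
#endif
```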
+ #else + debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." << +@@ -502,8 +517,8 @@ + #endif + } + +- // set DH parameters into the server context + #if USE_OPENSSL ++ // set DH parameters into the server context + if (parsedDhParams) { + SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get()); + } diff -Nru squid-5.2/debian/patches/openssl3/0010-Detect-and-default-enable-OpenSSL-3.patch squid-5.2/debian/patches/openssl3/0010-Detect-and-default-enable-OpenSSL-3.patch --- squid-5.2/debian/patches/openssl3/0010-Detect-and-default-enable-OpenSSL-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.2/debian/patches/openssl3/0010-Detect-and-default-enable-OpenSSL-3.patch 2021-11-19 16:36:42.000000000 +0100 @@ -0,0 +1,28 @@ +From fcd9395d07db7a3e026e7bd077b39b1bc1ab5ae0 Mon Sep 17 00:00:00 2001 +From: Amos Jeffries +Date: Fri, 15 Oct 2021 04:34:23 +1300 +Subject: [PATCH 10/11] Detect and default-enable OpenSSL 3+ +Origin: https://github.com/squid-cache/squid/pull/694 + +--- + configure.ac | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -1326,7 +1326,14 @@ + esac + ]) + AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available]) +-## OpenSSL is default disable due to licensing issues on some OS ++AS_IF([test "x$with_openssl" != "xno"],[ ++ SQUID_STATE_SAVE(squid_openssl3_state) ++ CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS" ++ LIBS="$LIBS $LIBOPENSSL_PATH" ++ PKG_CHECK_MODULES([LIBOPENSSL],[openssl >= 3],[with_openssl="yes"],[:]) ++ SQUID_STATE_ROLLBACK(squid_openssl3_state) ++]) ++## OpenSSL < 3 is default disable due to licensing issues on some OS + if test "x$with_openssl" = "xyes"; then + AC_CHECK_HEADERS( \ + openssl/asn1.h \ diff -Nru squid-5.2/debian/patches/series squid-5.2/debian/patches/series --- squid-5.2/debian/patches/series 2021-11-01 21:40:35.000000000 +0100 +++ squid-5.2/debian/patches/series 2021-11-19 16:36:42.000000000 +0100 
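Review bot: The unchanged `SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get())` is now wrong on OpenSSL 3: `parsedDhParams` holds an `EVP_PKEY` there (0006 makes DhePointer an alias of PrivateKeyPointer), while `SSL_CTX_set_tmp_dh()` in 3.0 is the deprecated `SSL_CTRL_SET_TMP_DH` ctrl that treats its argument as a `DH *` and converts it with the DH API — the `(char *)` cast in the macro makes it compile, and the result is memory misinterpreted at runtime. The 3.0 API is `SSL_CTX_set0_tmp_dh_pkey()`, which takes ownership of one reference on success (per its manual the caller keeps ownership when it returns 0), so bump the reference first and give it back on failure, as sketched below. The enclosing function's opening lines are above the hunk.
```cpp
    if (parsedDhParams) {
#if OPENSSL_VERSION_MAJOR < 3
        SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());
#else
        // set0 takes ownership of one reference; keep ours alive in parsedDhParams
        EVP_PKEY_up_ref(parsedDhParams.get());
        if (SSL_CTX_set0_tmp_dh_pkey(ctx.get(), parsedDhParams.get()) != 1) {
            EVP_PKEY_free(parsedDhParams.get()); // drop the reference set0 refused
            const auto x = ERR_get_error();
            debugs(83, DBG_CRITICAL, "ERROR: Unable to set DH parameters: " << Security::ErrorString(x));
        }
#endif
    }
```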
@@ -7,3 +7,13 @@ 99-ubuntu-ssl-cert-snakeoil.patch fix-max-pkt-sz-for-icmpEchoData-padding.patch workaround-gcc11-wstringop-overread-bug.patch +openssl3/0001-Update-license-disclaimer.patch +openssl3/0002-Declaration-of-CRYPTO_EX_dup-changed-again-in-3.0.patch +openssl3/0003-Refactor-Ssl-createSslPrivateKey.patch +openssl3/0004-Tweak-RSA-key-generator.patch +openssl3/0005-Fix-EVP_PKEY_get0_RSA-is-deprecated.patch +openssl3/0006-Initial-DH-conversion-to-EVP_PKEY.patch +openssl3/0007-Switch-to-BN_rand.patch +openssl3/0008-SSL_OP_-macro-definitions-changed-in-3.0.patch +openssl3/0009-Update-ECDH-key-settings.patch +openssl3/0010-Detect-and-default-enable-OpenSSL-3.patch