summary refs log tree commit diff
path: root/pkgs/servers/http/apache-modules/mod_scep
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/servers/http/apache-modules/mod_scep')
-rw-r--r--pkgs/servers/http/apache-modules/mod_scep/default.nix41
-rw-r--r--pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h66
2 files changed, 107 insertions, 0 deletions
diff --git a/pkgs/servers/http/apache-modules/mod_scep/default.nix b/pkgs/servers/http/apache-modules/mod_scep/default.nix
new file mode 100644
index 00000000000..98703659c35
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_scep/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_scep";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "14l8v6y6kx5dg8avb5ny95qdcgrw40ss80nqrgmw615mk7zcj81f";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  # After openssl-1.0.2t, starting in  openssl-1.1.0l
+  # parts of the OpenSSL struct API was replaced by
+  # getters - but some setters where forgotten.
+  #
+  # It is expected that these are back/retrofitted in version
+  # openssl-1.1.1d -- but while fixing this it was found
+  # that there were quite a few other setters missing and
+  # that some of the memory management needed was at odds
+  # with the principles used sofar.
+  #
+  # See https://github.com/openssl/openssl/pull/10563
+  #
+  # So as a stopgap - use a minimalist compat. layer
+  # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h
+  #
+  preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h";
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service modules for SCEP (Automatic ceritifcate issue/renewal)";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
new file mode 100644
index 00000000000..a2a9e0f7a18
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
@@ -0,0 +1,66 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements.  See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against: 
+//   openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+//   openssl-1.1.0l 0x0101000cfL (needs it)
+//   openssl-1.1.1d 0x01010104fL (last version that needs it)
+//   openssl-1.1.1-dev		 (should not need it - post PR#10563).
+//
+/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L &&  OPENSSL_VERSION_NUMBER  <= 0x01010104fL */
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L 
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          
+    ASN1_INTEGER *version;     
+    X509_NAME *subject;       
+    X509_PUBKEY *pubkey;     
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+    X509_REQ_INFO req_info; 
+    X509_ALGOR sig_alg;       
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+    ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+
+static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
+{
+    if (req->sig_alg.algorithm)
+        ASN1_OBJECT_free(req->sig_alg.algorithm);
+    if (req->sig_alg.parameter)
+        ASN1_TYPE_free(req->sig_alg.parameter);
+    req->sig_alg = *palg;
+}
+#endif
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-04-28 13:22:33 +0000