diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h jose/apr_jose.h

--- mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h	2016-07-11 09:14:40.000000000 -0400

+++  mod_auth_openidc-fb1fd4c/src/jose/apr_jose.h	2017-02-17 18:52:41.331955735 -0500

@@ -319,4 +319,10 @@

 apr_byte_t apr_jwt_memcmp(const void *in_a, const void *in_b, size_t len);

+#if (OPENSSL_VERSION_NUMBER < 0x10100000)

+#include <openssl/ec.h>

+	EVP_MD_CTX * EVP_MD_CTX_new();

+	void EVP_MD_CTX_free(EVP_MD_CTX *);

+#endif

+

 #endif /* _APR_JOSE_H_ */

diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c jose/apr_jwe.c

--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c	2016-07-11 09:14:40.000000000 -0400

+++  mod_auth_openidc-fb1fd4c/src/jose/apr_jwe.c	2017-02-17 18:52:41.331955735 -0500

@@ -175,10 +175,14 @@

 				jwk->key.rsa->private_exponent_len, private_exp);

 	}

+	/* private_exp is NULL for public keys */

+#if OPENSSL_VERSION_NUMBER >= 0x10100005L

+	RSA_set0_key(key, modulus, exponent, private_exp);

+#else

 	key->n = modulus;

 	key->e = exponent;

-	/* private_exp is NULL for public keys */

 	key->d = private_exp;

+#endif

 	return key;

 }

@@ -489,10 +493,10 @@

 	unsigned char *plaintext = apr_palloc(pool, p_len + AES_BLOCK_SIZE);

 	/* initialize decryption context */

-	EVP_CIPHER_CTX decrypt_ctx;

-	EVP_CIPHER_CTX_init(&decrypt_ctx);

+	EVP_CIPHER_CTX *decrypt_ctx = EVP_CIPHER_CTX_new();

+	EVP_CIPHER_CTX_init(decrypt_ctx);

 	/* pass the extracted encryption key and Initialization Vector */

-	if (!EVP_DecryptInit_ex(&decrypt_ctx,

+	if (!EVP_DecryptInit_ex(decrypt_ctx,

 			apr_jwe_enc_to_openssl_cipher(header->enc), NULL, enc_key,

 			(const unsigned char *) iv->value)) {

 		apr_jwt_error_openssl(err, "EVP_DecryptInit_ex");

@@ -500,14 +504,14 @@

 	}

 	/* decrypt the ciphertext in to the plaintext */

-	if (!EVP_DecryptUpdate(&decrypt_ctx, plaintext, &p_len,

+	if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len,

 			(const unsigned char *) cipher_text->value, cipher_text->len)) {

 		apr_jwt_error_openssl(err, "EVP_DecryptUpdate");

 		return FALSE;

 	}

 	/* decrypt the remaining bits/padding */

-	if (!EVP_DecryptFinal_ex(&decrypt_ctx, plaintext + p_len, &f_len)) {

+	if (!EVP_DecryptFinal_ex(decrypt_ctx, plaintext + p_len, &f_len)) {

 		apr_jwt_error_openssl(err, "EVP_DecryptFinal_ex");

 		return FALSE;

 	}

@@ -516,7 +520,7 @@

 	*decrypted = (char *) plaintext;

 	/* cleanup */

-	EVP_CIPHER_CTX_cleanup(&decrypt_ctx);

+	EVP_CIPHER_CTX_free(decrypt_ctx);

 	/* if we got here, all must be fine */

 	return TRUE;

diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c jose/apr_jwk.c

--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c	2016-07-11 09:14:40.000000000 -0400

+++  mod_auth_openidc-fb1fd4c/src/jose/apr_jwk.c	2017-02-17 18:52:41.332955699 -0500

@@ -153,21 +153,30 @@

 		goto end;

 	}

+	const BIGNUM *rsa_n, *rsa_e, *rsa_d;

+#if OPENSSL_VERSION_NUMBER >= 0x10100005L

+	RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);

+#else

+	rsa_n=rsa->n;

+	rsa_e=rsa->e;

+	rsa_d=rsa->d;

+#endif

+

 	/* convert the modulus bignum in to a key/len */

-	key->modulus_len = BN_num_bytes(rsa->n);

+	key->modulus_len = BN_num_bytes(rsa_n);

 	key->modulus = apr_pcalloc(pool, key->modulus_len);

-	BN_bn2bin(rsa->n, key->modulus);

+	BN_bn2bin(rsa_n, key->modulus);

 	/* convert the exponent bignum in to a key/len */

-	key->exponent_len = BN_num_bytes(rsa->e);

+	key->exponent_len = BN_num_bytes(rsa_e);

 	key->exponent = apr_pcalloc(pool, key->exponent_len);

-	BN_bn2bin(rsa->e, key->exponent);

+	BN_bn2bin(rsa_e, key->exponent);

 	/* convert the private exponent bignum in to a key/len */

-	if (rsa->d != NULL) {

-		key->private_exponent_len = BN_num_bytes(rsa->d);

+	if (rsa_d != NULL) {

+		key->private_exponent_len = BN_num_bytes(rsa_d);

 		key->private_exponent = apr_pcalloc(pool, key->private_exponent_len);

-		BN_bn2bin(rsa->d, key->private_exponent);

+		BN_bn2bin(rsa_d, key->private_exponent);

 	}

 	RSA_free(rsa);

diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c jose/apr_jws.c

--- mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c	2016-07-11 09:14:40.000000000 -0400

+++  mod_auth_openidc-fb1fd4c/src/jose/apr_jws.c	2017-02-17 18:52:41.332955699 -0500

@@ -219,8 +219,8 @@

 		unsigned char **output, unsigned int *output_len, apr_jwt_error_t *err) {

 	unsigned char md_value[EVP_MAX_MD_SIZE];

-	EVP_MD_CTX ctx;

-	EVP_MD_CTX_init(&ctx;;

+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();

+	EVP_MD_CTX_init(ctx);

 	const EVP_MD *evp_digest = NULL;

 	if ((evp_digest = EVP_get_digestbyname(s_digest)) == NULL) {

@@ -230,20 +230,20 @@

 		return FALSE;

 	}

-	if (!EVP_DigestInit_ex(&ctx, evp_digest, NULL)) {

+	if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) {

 		apr_jwt_error_openssl(err, "EVP_DigestInit_ex");

 		return FALSE;

 	}

-	if (!EVP_DigestUpdate(&ctx, input, input_len)) {

+	if (!EVP_DigestUpdate(ctx, input, input_len)) {

 		apr_jwt_error_openssl(err, "EVP_DigestUpdate");

 		return FALSE;

 	}

-	if (!EVP_DigestFinal_ex(&ctx, md_value, output_len)) {

+	if (!EVP_DigestFinal_ex(ctx, md_value, output_len)) {

 		apr_jwt_error_openssl(err, "EVP_DigestFinal_ex");

 		return FALSE;

 	}

-	EVP_MD_CTX_cleanup(&ctx;;

+	EVP_MD_CTX_free(ctx);

 	*output = apr_pcalloc(pool, *output_len);

 	memcpy(*output, md_value, *output_len);

@@ -303,8 +303,8 @@

 	if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)

 		return FALSE;

-	EVP_MD_CTX ctx;

-	EVP_MD_CTX_init(&ctx;;

+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();

+	EVP_MD_CTX_init(ctx);

 	RSA * privkey = RSA_new();

@@ -317,9 +317,13 @@

 	BN_bin2bn(jwk->key.rsa->private_exponent,

 			jwk->key.rsa->private_exponent_len, private_exponent);

+#if OPENSSL_VERSION_NUMBER >= 0x10100005L

+	RSA_set0_key(privkey, modulus, exponent, private_exponent);

+#else

 	privkey->n = modulus;

 	privkey->e = exponent;

 	privkey->d = private_exponent;

+#endif

 	EVP_PKEY* pRsaKey = EVP_PKEY_new();

 	if (!EVP_PKEY_assign_RSA(pRsaKey, privkey)) {

@@ -333,15 +337,15 @@

 		unsigned char *pDigest = apr_pcalloc(pool, RSA_size(privkey));

 		unsigned int uDigestLen = RSA_size(privkey);

-		if (!EVP_DigestInit(&ctx, digest)) {

+		if (!EVP_DigestInit(ctx, digest)) {

 			apr_jwt_error_openssl(err, "EVP_DigestInit");

 			goto end;

 		}

-		if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {

+		if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {

 			apr_jwt_error_openssl(err, "EVP_DigestUpdate");

 			goto end;

 		}

-		if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {

+		if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {

 			apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");

 			goto end;

 		}

@@ -371,17 +375,17 @@

 	} else {

-		if (!EVP_SignInit_ex(&ctx, digest, NULL)) {

+		if (!EVP_SignInit_ex(ctx, digest, NULL)) {

 			apr_jwt_error_openssl(err, "EVP_SignInit_ex");

 			goto end;

 		}

-		if (!EVP_SignUpdate(&ctx, jwt->message, strlen(jwt->message))) {

+		if (!EVP_SignUpdate(ctx, jwt->message, strlen(jwt->message))) {

 			apr_jwt_error_openssl(err, "EVP_SignUpdate");

 			goto end;

 		}

-		if (!EVP_SignFinal(&ctx, (unsigned char *) jwt->signature.bytes,

+		if (!EVP_SignFinal(ctx, (unsigned char *) jwt->signature.bytes,

 				(unsigned int *) &jwt->signature.length, pRsaKey)) {

 			apr_jwt_error_openssl(err, "wrong key? EVP_SignFinal");

 			goto end;

@@ -398,7 +402,7 @@

 	} else if (privkey) {

 		RSA_free(privkey);

 	}

-	EVP_MD_CTX_cleanup(&ctx;;

+	EVP_MD_CTX_free(ctx);

 	return rc;

 }

@@ -416,8 +420,8 @@

 	if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)

 		return FALSE;

-	EVP_MD_CTX ctx;

-	EVP_MD_CTX_init(&ctx;;

+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();

+	EVP_MD_CTX_init(ctx);

 	RSA * pubkey = RSA_new();

@@ -427,8 +431,12 @@

 	BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus);

 	BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent);

+#if OPENSSL_VERSION_NUMBER >= 0x10100005L

+	RSA_set0_key(pubkey, modulus, exponent, NULL);

+#else

 	pubkey->n = modulus;

 	pubkey->e = exponent;

+#endif

 	EVP_PKEY* pRsaKey = EVP_PKEY_new();

 	if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) {

@@ -451,15 +459,15 @@

 		unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey));

 		unsigned int uDigestLen = RSA_size(pubkey);

-		if (!EVP_DigestInit(&ctx, digest)) {

+		if (!EVP_DigestInit(ctx, digest)) {

 			apr_jwt_error_openssl(err, "EVP_DigestInit");

 			goto end;

 		}

-		if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {

+		if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {

 			apr_jwt_error_openssl(err, "EVP_DigestUpdate");

 			goto end;

 		}

-		if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {

+		if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {

 			apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");

 			goto end;

 		}

@@ -477,16 +485,16 @@

 	} else if (apr_jws_signature_starts_with(pool, jwt->header.alg,

 			"RS") == TRUE) {

-		if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) {

+		if (!EVP_VerifyInit_ex(ctx, digest, NULL)) {

 			apr_jwt_error_openssl(err, "EVP_VerifyInit_ex");

 			goto end;

 		}

-		if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) {

+		if (!EVP_VerifyUpdate(ctx, jwt->message, strlen(jwt->message))) {

 			apr_jwt_error_openssl(err, "EVP_VerifyUpdate");

 			goto end;

 		}

-		int rv = EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes,

+		int rv = EVP_VerifyFinal(ctx, (const unsigned char *) jwt->signature.bytes,

 				jwt->signature.length, pRsaKey);

 		if (rv < 0) {

@@ -508,7 +516,7 @@

 	} else if (pubkey) {

 		RSA_free(pubkey);

 	}

-	EVP_MD_CTX_cleanup(&ctx;;

+	EVP_MD_CTX_free(ctx);

 	return rc;

 }

diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c jose/apr_jwt.c

--- mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c	2016-07-11 09:14:40.000000000 -0400

+++  mod_auth_openidc-fb1fd4c/src/jose/apr_jwt.c	2017-02-17 18:52:41.332955699 -0500

@@ -496,12 +496,12 @@

 static void apr_jwt_serialize_message(apr_pool_t *pool, apr_jwt_t *jwt) {

-	char *s_hdr = json_dumps(jwt->header.value.json, JSON_ENCODE_ANY);

+	char *s_hdr = json_dumps(jwt->header.value.json, JSON_COMPACT);

 	apr_jwt_base64url_encode(pool, &jwt->header.value.str, s_hdr, strlen(s_hdr),

 			0);

 	free(s_hdr);

-	char *s_payload = json_dumps(jwt->payload.value.json, JSON_ENCODE_ANY);

+	char *s_payload = json_dumps(jwt->payload.value.json, JSON_COMPACT);

 	apr_jwt_base64url_encode(pool, &jwt->payload.value.str, s_payload,

 			strlen(s_payload), 0);

 	free(s_payload);

@@ -589,3 +589,13 @@

 			jwt->signature.length, 0);

 	return apr_psprintf(pool, "%s.%s", jwt->message, b64sig);

 }

+

+#if (OPENSSL_VERSION_NUMBER < 0x10100000)

+EVP_MD_CTX * EVP_MD_CTX_new() {

+	return malloc(sizeof(EVP_MD_CTX));

+}

+void EVP_MD_CTX_free(EVP_MD_CTX *ctx) {

+	if (ctx) free(ctx);

+}

+

+#endif