httpd/httpd-2.4.27-fixticketkeys.patch

From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 22 Mar 2016 13:09:17 +0000
Subject: [PATCH] mod_ssl: return non ambigous value in
 ssl_callback_SessionTicket() for encryption mode (we used to return 0,
 OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:

2
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters. Additionally it indicates that the session
    ticket is in a renewal period and should be replaced. The OpenSSL library
    will call cb again with an enc argument of 1 to set the new ticket (see
    RFC5077 3.3 paragraph 2).

1
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters.

0
    This indicates that it was not possible to set/retrieve a session ticket
    and the SSL/TLS session will continue by by negotiating a set of
    cryptographic parameters or using the alternate SSL/TLS resumption
    mechanism, session ids.
    If called with enc equal to 0 the library will call the cb again to get a
    new set of parameters.

less than 0
    This indicates an error.
"

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported by: oknet on github, pull request #18.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91da94c4f58..91d5e926d66 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
                       "TLS session ticket key for %s successfully set, "
                       "creating new session ticket", sc->vhost_id);
 
-        return 0;
+        return 1;
     }
     else if (mode == 0) {
         /*
Backport patch for fixing ticket key usage Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2017-10-10 11:31:46 +00:00			`From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001`
			`From: Yann Ylavic <ylavic@apache.org>`
			`Date: Tue, 22 Mar 2016 13:09:17 +0000`
			`Subject: [PATCH] mod_ssl: return non ambigous value in`
			`ssl_callback_SessionTicket() for encryption mode (we used to return 0,`
			`OpenSSL documents returning 1 instead).`

			`Practically this does not change anything since OpenSSL will only check for`
			`>= 0 return value (non error) for encryption mode (the other possible return`
			`values are only relevant for decryption mode).`

			`However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()`
			`states:`
			`"`
			`The return value of the cb function is used by OpenSSL to determine what`
			`further processing will occur. The following return values have meaning:`

			`2`
			`This indicates that the ctx and hctx have been set and the session can`
			`continue on those parameters. Additionally it indicates that the session`
			`ticket is in a renewal period and should be replaced. The OpenSSL library`
			`will call cb again with an enc argument of 1 to set the new ticket (see`
			`RFC5077 3.3 paragraph 2).`

			`1`
			`This indicates that the ctx and hctx have been set and the session can`
			`continue on those parameters.`

			`0`
			`This indicates that it was not possible to set/retrieve a session ticket`
			`and the SSL/TLS session will continue by by negotiating a set of`
			`cryptographic parameters or using the alternate SSL/TLS resumption`
			`mechanism, session ids.`
			`If called with enc equal to 0 the library will call the cb again to get a`
			`new set of parameters.`

			`less than 0`
			`This indicates an error.`
			`"`

			`So 0 is not appropriate in our code, 1 is what we really want (and it won't`
			`break if OpenSSL later changes its checks on the callback return value).`

			`Reported by: oknet on github, pull request #18.`



			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`modules/ssl/ssl_engine_kernel.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c`
			`index 91da94c4f58..91d5e926d66 100644`
			`--- a/modules/ssl/ssl_engine_kernel.c`
			`+++ b/modules/ssl/ssl_engine_kernel.c`
			`@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,`
			`"TLS session ticket key for %s successfully set, "`
			`"creating new session ticket", sc->vhost_id);`

			`- return 0;`
			`+ return 1;`
			`}`
			`else if (mode == 0) {`
			`/*`