diff --git a/httpd-2.4.59-engine-finish.patch b/httpd-2.4.59-engine-finish.patch
deleted file mode 100644
index 35d1970..0000000
--- a/httpd-2.4.59-engine-finish.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-
-https://issues.redhat.com/browse/RHEL-36755
-
---- httpd-2.4.59/modules/ssl/ssl_engine_init.c.24 2024-05-22 08:13:42.478057351 +0100
-+++ httpd-2.4.59/modules/ssl/ssl_engine_init.c 2024-05-22 08:13:42.489057431 +0100
-@@ -1460,7 +1460,7 @@
- if (modssl_is_engine_id(keyfile)) {
- apr_status_t rv;
-
-- if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
-+ if ((rv = modssl_load_engine_keypair(s, p, ptemp, vhost_id,
- engine_certfile, keyfile,
- &cert, &pkey))) {
- return rv;
---- httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c.24 2024-05-22 08:13:42.443057094 +0100
-+++ httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c 2024-05-22 08:18:55.179844757 +0100
-@@ -830,8 +830,19 @@
- #endif
-
- #if MODSSL_HAVE_ENGINE_API
--static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p,
-- const char *vhostid,
-+
-+static apr_status_t modssl_engine_cleanup(void *engine)
-+{
-+ ENGINE *e = engine;
-+
-+ ENGINE_finish(e);
-+
-+ return APR_SUCCESS;
-+}
-+
-+static apr_status_t modssl_load_keypair_engine(server_rec *s,
-+ apr_pool_t *pconf, apr_pool_t *ptemp,
-+ const char *vhostid,
- const char *certid,
- const char *keyid,
- X509 **pubkey,
-@@ -839,12 +850,12 @@
- {
- const char *c, *scheme;
- ENGINE *e;
-- UI_METHOD *ui_method = get_passphrase_ui(p);
-+ UI_METHOD *ui_method = get_passphrase_ui(ptemp);
- pphrase_cb_arg_t ppcb;
-
- memset(&ppcb, 0, sizeof ppcb);
- ppcb.s = s;
-- ppcb.p = p;
-+ ppcb.p = ptemp;
- ppcb.bPassPhraseDialogOnce = TRUE;
- ppcb.key_id = vhostid;
- ppcb.pkey_file = keyid;
-@@ -857,7 +868,7 @@
- return ssl_die(s);
- }
-
-- scheme = apr_pstrmemdup(p, keyid, c - keyid);
-+ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
- if (!(e = ENGINE_by_id(scheme))) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
- "Init: Failed to load engine for private key %s",
-@@ -906,7 +917,8 @@
- return ssl_die(s);
- }
-
-- ENGINE_finish(e);
-+ apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, modssl_engine_cleanup);
-+
- ENGINE_free(e);
-
- return APR_SUCCESS;
-@@ -1007,7 +1019,8 @@
- }
- #endif
-
--apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
-+apr_status_t modssl_load_engine_keypair(server_rec *s,
-+ apr_pool_t *pconf, apr_pool_t *ptemp,
- const char *vhostid,
- const char *certid, const char *keyid,
- X509 **pubkey, EVP_PKEY **privkey)
-@@ -1016,11 +1029,11 @@
- SSLModConfigRec *mc = myModConfig(s);
-
- if (!mc->szCryptoDevice)
-- return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
-+ return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
- pubkey, privkey);
- #endif
- #if MODSSL_HAVE_ENGINE_API
-- return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
-+ return modssl_load_keypair_engine(s, pconf, ptemp, vhostid, certid, keyid,
- pubkey, privkey);
- #else
- return APR_ENOTIMPL;
-diff -uap httpd-2.4.59/modules/ssl/ssl_private.h.24 httpd-2.4.59/modules/ssl/ssl_private.h
---- httpd-2.4.59/modules/ssl/ssl_private.h.24 2024-05-22 08:13:42.479057358 +0100
-+++ httpd-2.4.59/modules/ssl/ssl_private.h 2024-05-22 08:13:42.489057431 +0100
-@@ -1090,7 +1090,8 @@
- /* Load public and/or private key from the configured ENGINE. Private
- * key returned as *pkey. certid can be NULL, in which case *pubkey
- * is not altered. Errors logged on failure. */
--apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
-+apr_status_t modssl_load_engine_keypair(server_rec *s,
-+ apr_pool_t *pconf, apr_pool_t *ptemp,
- const char *vhostid,
- const char *certid, const char *keyid,
- X509 **pubkey, EVP_PKEY **privkey);
diff --git a/httpd-2.4.59-no-engine.patch b/httpd-2.4.59-no-engine.patch
new file mode 100644
index 0000000..e144735
--- /dev/null
+++ b/httpd-2.4.59-no-engine.patch
@@ -0,0 +1,11 @@
+--- httpd-2.4.59/modules/ssl/ssl_private.h.no-engine
++++ httpd-2.4.59/modules/ssl/ssl_private.h
+@@ -112,7 +112,7 @@
+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+ && !defined(OPENSSL_NO_ENGINE)
+ #include
+-#define MODSSL_HAVE_ENGINE_API 1
++#define MODSSL_HAVE_ENGINE_API 0
+ #endif
+ #ifndef MODSSL_HAVE_ENGINE_API
+ #define MODSSL_HAVE_ENGINE_API 0
diff --git a/httpd.spec b/httpd.spec
index 2ed69dd..7c6079b 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -105,7 +105,7 @@ Patch37: httpd-2.4.54-selinux.patch
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.59-r1916863.patch
 Patch62: httpd-2.4.59-pr426.patch
-Patch63: httpd-2.4.59-engine-finish.patch
+Patch63: httpd-2.4.59-no-engine.patch
 # Security fixes
 # Patch200: ...
@@ -829,9 +829,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
-* Tue May 21 2024 Joe Orton - 2.4.59-3.3
-- mod_ssl: defer ENGINE_finish() calls to a cleanup
- Resolves: RHEL-36755
+* Thu May 23 2024 Joe Orton - 2.4.59-3.4
+- mod_ssl: disable ENGINE support
+ Resolves: RHEL-33734
 * Fri May 17 2024 Joe Orton - 2.4.59-3.2
 - mod_ssl: use SSL_OP_NO_RENEGOTIATION
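Review bot: The new patch flips `MODSSL_HAVE_ENGINE_API` to 0 inside the very branch that has just pulled in the OpenSSL engine header (the `#include` target did not survive this rendering), so the include is kept for an API that is now compiled out, and the `#ifndef MODSSL_HAVE_ENGINE_API` / `#define MODSSL_HAVE_ENGINE_API 0` fallback two lines below already yields the same value; making the enclosing condition false (or guarding the include itself) would express the intent in one place instead of two. The file also carries no provenance line, unlike the engine-finish patch being deleted, whose first line was a tracker URL; suggest opening it with `https://issues.redhat.com/browse/RHEL-33734`, matching the `Resolves:` entry in the httpd.spec changelog. With the macro at 0, the `#else` / `return APR_ENOTIMPL;` branch of `modssl_load_engine_keypair` visible in the deleted patch presumably becomes the only outcome for key IDs that `modssl_is_engine_id()` accepts, so a configuration that still relies on an engine-prefixed key path or on `mc->szCryptoDevice` will fail at startup rather than silently load; a one-line comment in the patch stating that this hard failure is the intended behavior would spare the next maintainer the archaeology. The `#if` condition this hunk sits in begins outside the hunk.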