From 48fe4ca174924547a2977a94994ea9feb34826bc Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Thu, 30 May 2024 13:36:11 +0100
Subject: [PATCH] mod_ssl: restore SSL_OP_NO_RENEGOTIATE support

---
 .httpd.metadata                     |  3 ++
 httpd-2.4.48-ssl-proxy-chains.patch | 79 -----------------------------
 httpd.spec                          |  8 ++-
 3 files changed, 10 insertions(+), 80 deletions(-)
 create mode 100644 .httpd.metadata
 delete mode 100644 httpd-2.4.48-ssl-proxy-chains.patch

diff --git a/.httpd.metadata b/.httpd.metadata
new file mode 100644
index 0000000..b578afd
--- /dev/null
+++ b/.httpd.metadata
@@ -0,0 +1,3 @@
+93445483aaf136cf415e1dddeb332fc52955a70c httpd-2.4.59.tar.bz2
+702c6a5a1a33f2c481fd0b33fe7f0baed2273b56 httpd-2.4.59.tar.bz2.asc
+b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS
diff --git a/httpd-2.4.48-ssl-proxy-chains.patch b/httpd-2.4.48-ssl-proxy-chains.patch
deleted file mode 100644
index 95c31c8..0000000
--- a/httpd-2.4.48-ssl-proxy-chains.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 15f68f9..e67c81d 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -1682,6 +1682,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
-     STACK_OF(X509) *chain;
-     X509_STORE_CTX *sctx;
-     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-+    int addl_chain = 0; /* non-zero if additional chain certs were
-+                         * added to store */
-+
-+    ap_assert(store != NULL); /* safe to assume always non-NULL? */
- 
- #if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-     /* For OpenSSL >=1.1.1, turn on client cert support which is
-@@ -1707,20 +1711,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
-         ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
-     }
- 
--    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
--        sk_X509_INFO_free(sk);
--        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
--                     "no client certs found for SSL proxy");
--        return APR_SUCCESS;
--    }
--
-     /* Check that all client certs have got certificates and private
--     * keys. */
--    for (n = 0; n < ncerts; n++) {
-+     * keys.  Note the number of certs in the stack may decrease
-+     * during the loop. */
-+    for (n = 0; n < sk_X509_INFO_num(sk); n++) {
-         X509_INFO *inf = sk_X509_INFO_value(sk, n);
-+        int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey;
- 
--        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
--            inf->enc_data) {
-+        /* For a lone certificate in the file, trust it as a
-+         * CA/intermediate certificate. */
-+        if (inf->x509 && !has_privkey && !inf->enc_data) {
-+            ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
-+                           APLOGNO(10261) "Trusting non-leaf certificate");
-+            X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */
-+            /* Delete from the stack and iterate again. */
-+            X509_INFO_free(inf);
-+            sk_X509_INFO_delete(sk, n);
-+            n--;
-+            addl_chain = 1;
-+            continue;
-+        }
-+
-+        if (!has_privkey || inf->enc_data) {
-             sk_X509_INFO_free(sk);
-             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
-                          "incomplete client cert configured for SSL proxy "
-@@ -1737,13 +1749,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
-         }
-     }
- 
-+    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
-+        sk_X509_INFO_free(sk);
-+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
-+                     "no client certs found for SSL proxy");
-+        return APR_SUCCESS;
-+    }
-+
-     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
-                  "loaded %d client certs for SSL proxy",
-                  ncerts);
-     pkp->certs = sk;
- 
--
--    if (!pkp->ca_cert_file || !store) {
-+    /* If any chain certs are configured, build the ->ca_certs chains
-+     * corresponding to the loaded keypairs. */
-+    if (!pkp->ca_cert_file && !addl_chain) {
-         return APR_SUCCESS;
-     }
- 
diff --git a/httpd.spec b/httpd.spec
index 34b0e3d..06dbef9 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.59
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -99,6 +99,7 @@ Patch100: httpd-2.4.43-enable-sslv3.patch
 Patch101: httpd-2.4.48-full-release.patch
 Patch102: httpd-2.4.59-r1916863.patch
 Patch103: httpd-2.4.59-engine-finish.patch
+Patch104: httpd-2.4.51-r1877397.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
@@ -264,6 +265,7 @@ written in the Lua programming language.
 %patch101 -p1 -b .full-release
 %patch102 -p1 -b .r1916863
 %patch103 -p1 -b .engine-cleanup
+%patch104 -p1 -b .r1877397
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -825,6 +827,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu May 30 2024 Joe Orton <jorton@redhat.com> - 2.4.59-6
+- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
+  Related: RHEL-14668
+
 * Tue May 21 2024 Joe Orton <jorton@redhat.com> - 2.4.59-5
 - mod_ssl: defer ENGINE_finish() calls to a cleanup
   Resolves: RHEL-36755