rpms
/
httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream version of patch for #1976080 (no functional change, 

except it also builds on OpenSSL < 3.0)

Related: rhbz#1976080
This commit is contained in:
Joe Orton 2021-07-15 12:43:50 +01:00
parent e6d49b6319
commit 5097b89c7d
2 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
httpd-2.4.48-sslprivkey.patch → httpd-2.4.48-r1891138.patch
View File

@ -1,16 +1,24 @@
# ./pullrev.sh 1891138
http://svn.apache.org/viewvc?view=revision&revision=1891138
https://bugzilla.redhat.com/show_bug.cgi?id=1976080
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.sslprivkey
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1891138
+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
@@ -1307,6 +1307,16 @@
@@ -1335,6 +1335,22 @@
return 0;
}
+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
+ * key was encrypted, or due to a mismatch between an already-loaded
+ * cert and the key - a common misconfiguration - from calling
+ * X509_check_private_key(). This macro is passed the last error code
+ * off the OpenSSL stack and evaluates to true only for the first
+ * case. With OpenSSL < 3 the second case is identifiable by the
+ * function code, but function codes are not used from 3.0. */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY))
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
+#else
+/* Check for the errors from X509_check_private_key() */
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
@ -20,7 +28,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1976080
static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -1412,8 +1422,7 @@
@@ -1412,8 +1412,7 @@
}
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1)

3
httpd.spec
View File

@ -98,7 +98,8 @@ Patch49: httpd-2.4.48-ssl-proxy-chains.patch
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
Patch62: httpd-2.4.48-r1876934.patch
Patch63: httpd-2.4.48-sslprivkey.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1976080
Patch63: httpd-2.4.48-r1891138.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442
Patch64: httpd-2.4.48-full-release.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011