From 5097b89c7dc07d3bc89a631b3c94d0f38cc16944 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Thu, 15 Jul 2021 12:43:50 +0100
Subject: [PATCH] Update to upstream version of patch for #1976080 (no functional change, except it also builds on OpenSSL < 3.0)
Related: rhbz#1976080
---
...rivkey.patch => httpd-2.4.48-r1891138.patch | 18 +++++++++++++-----
httpd.spec | 3 ++-
2 files changed, 15 insertions(+), 6 deletions(-)
rename httpd-2.4.48-sslprivkey.patch => httpd-2.4.48-r1891138.patch (63%)
diff --git a/httpd-2.4.48-sslprivkey.patch b/httpd-2.4.48-r1891138.patch
similarity index 63%
rename from httpd-2.4.48-sslprivkey.patch
rename to httpd-2.4.48-r1891138.patch
index 43adec9..9f58627 100644
--- a/httpd-2.4.48-sslprivkey.patch
+++ b/httpd-2.4.48-r1891138.patch
@@ -1,16 +1,24 @@ +# ./pullrev.sh 1891138 +http://svn.apache.org/viewvc?view=revision&revision=1891138 https://bugzilla.redhat.com/show_bug.cgi?id=1976080 ---- httpd-2.4.48/modules/ssl/ssl_engine_init.c.sslprivkey +--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1891138 +++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -1307,6 +1307,16 @@ +@@ -1335,6 +1335,22 @@ return 0; } ++/* SSL_CTX_use_PrivateKey_file() can fail either because the private ++ * key was encrypted, or due to a mismatch between an already-loaded ++ * cert and the key - a common misconfiguration - from calling ++ * X509_check_private_key(). This macro is passed the last error code ++ * off the OpenSSL stack and evaluates to true only for the first ++ * case. With OpenSSL < 3 the second case is identifiable by the ++ * function code, but function codes are not used from 3.0. */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)) ++#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) +#else -+/* Check for the errors from X509_check_private_key() */ +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ + || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ + && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ @@ -20,7 +28,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1976080 static apr_status_t ssl_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -1412,8 +1422,7 @@ +@@ -1412,8 +1412,7 @@ } else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, SSL_FILETYPE_PEM) < 1) diff --git a/httpd.spec b/httpd.spec index 657612e..8603c13 100644 --- a/httpd.spec +++ b/httpd.spec 
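Review bot: In the OpenSSL >= 3.0 arm of `CHECK_PRIVKEY_ERROR` (the `#else` branch, carried over unchanged as context in this hunk), `ERR_GET_LIB` is written without its `(ec)` argument, so the first comparison never looks at the error's library code. If `ERR_GET_LIB` is an inline function in the 3.0 headers, as I believe it is, the bare name is a function address and `ERR_GET_LIB != ERR_LIB_X509` is always true, which would make the macro classify every failure as the encrypted-key case and hide the cert/key mismatch that the new comment says it should single out. The line should read `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. The tail of the macro and its use after `SSL_CTX_use_PrivateKey_file()` in `ssl_init_server_certs` fall outside the visible hunks, so the effect on the caller is inferred rather than seen.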
@@ -98,7 +98,8 @@ Patch49: httpd-2.4.48-ssl-proxy-chains.patch
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
 Patch62: httpd-2.4.48-r1876934.patch
-Patch63: httpd-2.4.48-sslprivkey.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1976080
+Patch63: httpd-2.4.48-r1891138.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
 Patch64: httpd-2.4.48-full-release.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011