Update to upstream version of patch for #1976080 (no functional change,

except it also builds on OpenSSL < 3.0)

Related: rhbz#1976080
Joe Orton 2021-07-15 12:43:50 +01:00
parent e6d49b6319
commit 5097b89c7d
2 changed files with 15 additions and 6 deletions


@ -1,16 +1,24 @@
# ./pullrev.sh 1891138
http://svn.apache.org/viewvc?view=revision&revision=1891138
https://bugzilla.redhat.com/show_bug.cgi?id=1976080 https://bugzilla.redhat.com/show_bug.cgi?id=1976080
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.sslprivkey --- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1891138
+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c +++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
@@ -1307,6 +1307,16 @@ @@ -1335,6 +1335,22 @@
return 0; return 0;
} }
+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
+ * key was encrypted, or due to a mismatch between an already-loaded
+ * cert and the key - a common misconfiguration - from calling
+ * X509_check_private_key(). This macro is passed the last error code
+ * off the OpenSSL stack and evaluates to true only for the first
+ * case. With OpenSSL < 3 the second case is identifiable by the
+ * function code, but function codes are not used from 3.0. */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)) +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
+#else +#else
+/* Check for the errors from X509_check_private_key() */
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ + || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ + && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
@ -20,7 +28,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1976080
static apr_status_t ssl_init_server_certs(server_rec *s, static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -1412,8 +1422,7 @@ @@ -1412,8 +1412,7 @@
} }
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1) SSL_FILETYPE_PEM) < 1)
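Review bot: The OpenSSL >= 3.0 branch of CHECK_PRIVKEY_ERROR compares the bare name `ERR_GET_LIB` against `ERR_LIB_X509` instead of applying it to the error code, so the library check never inspects `ec`; the line should read `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. In OpenSSL 3 `ERR_GET_LIB` is a function, so as written this is a function-designator-to-integer comparison that compilers generally accept only with a warning and that is, in practice, never false, which would make the macro classify every private-key load failure as the encrypted-key case rather than isolating the X509_check_private_key() mismatch errors the comment above describes. The `< 0x30000000L` branch (`ERR_GET_FUNC(ec)`) is correct, and the paren fix on that line is already covered by this commit. The macro continues past the end of the hunk (the last visible line ends in `\`), and the use site in ssl_init_server_certs is also cut off in the following hunk, so the remaining reason checks are not visible here.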


@ -98,7 +98,8 @@ Patch49: httpd-2.4.48-ssl-proxy-chains.patch
Patch60: httpd-2.4.43-enable-sslv3.patch Patch60: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.46-htcacheclean-dont-break.patch Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
Patch62: httpd-2.4.48-r1876934.patch Patch62: httpd-2.4.48-r1876934.patch
Patch63: httpd-2.4.48-sslprivkey.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1976080
Patch63: httpd-2.4.48-r1891138.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
Patch64: httpd-2.4.48-full-release.patch Patch64: httpd-2.4.48-full-release.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011