rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

new version 2.4.62

Browse Source 
Resolves: RHEL-33446
This commit is contained in:
Luboš Uhliarik 2024-07-19 16:55:58 +02:00
parent 9d3f3ddfcd
commit 6b2ff10ef8
4 changed files with 9 additions and 226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -51,3 +51,4 @@ x86_64
/httpd-2.4.58.tar.bz2.asc
/httpd-2.4.59.tar.bz2.asc
/httpd-2.4.61.tar.bz2.asc
/httpd-2.4.62.tar.bz2.asc

221
httpd-2.4.58-r1914365.patch
View File

@ -1,221 +0,0 @@
# ./pullrev.sh 1914365
http://svn.apache.org/viewvc?view=revision&revision=1914365
Upstream-Status: in trunk, not proposed for 2.4.x
--- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c
@@ -1421,8 +1421,10 @@
if (cert) {
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
- "Failed to configure engine certificate %s, check %s",
- key_id, certfile);
+ "Failed to configure certificate %s from %s, check %s",
+ key_id, mc->szCryptoDevice ?
+ mc->szCryptoDevice : "provider",
+ certfile);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return APR_EGENERAL;
}
@@ -1433,8 +1435,9 @@
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
- "Failed to configure private key %s from engine",
- keyfile);
+ "Failed to configure private key %s from %s",
+ keyfile, mc->szCryptoDevice ?
+ mc->szCryptoDevice : "provider");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return APR_EGENERAL;
}
--- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c
@@ -31,6 +31,9 @@
#include "ssl_private.h"
#include <openssl/ui.h>
+#if MODSSL_HAVE_OPENSSL_STORE
+#include <openssl/store.h>
+#endif
typedef struct {
server_rec *s;
@@ -608,7 +611,7 @@
return (len);
}
-#if MODSSL_HAVE_ENGINE_API
+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE
/* OpenSSL UI implementation for passphrase entry; largely duplicated
* from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
@@ -826,13 +829,14 @@
}
#endif
-
-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+#if MODSSL_HAVE_ENGINE_API
+static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p,
const char *vhostid,
- const char *certid, const char *keyid,
- X509 **pubkey, EVP_PKEY **privkey)
+ const char *certid,
+ const char *keyid,
+ X509 **pubkey,
+ EVP_PKEY **privkey)
{
-#if MODSSL_HAVE_ENGINE_API
const char *c, *scheme;
ENGINE *e;
UI_METHOD *ui_method = get_passphrase_ui(p);
@@ -906,6 +910,118 @@
ENGINE_free(e);
return APR_SUCCESS;
+}
+#endif
+
+#if MODSSL_HAVE_OPENSSL_STORE
+static OSSL_STORE_INFO *modssl_load_store_uri(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *uri, int info_type)
+{
+ OSSL_STORE_CTX *sctx;
+ UI_METHOD *ui_method = get_passphrase_ui(p);
+ pphrase_cb_arg_t ppcb;
+ OSSL_STORE_INFO *info = NULL;
+
+ memset(&ppcb, 0, sizeof ppcb);
+ ppcb.s = s;
+ ppcb.p = p;
+ ppcb.bPassPhraseDialogOnce = TRUE;
+ ppcb.key_id = vhostid;
+ ppcb.pkey_file = uri;
+
+ sctx = OSSL_STORE_open(uri, ui_method, &ppcb, NULL, NULL);
+ if (!sctx) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10491)
+ "Init: OSSL_STORE_open failed for PKCS#11 URI `%s'",
+ uri);
+ return NULL;
+ }
+
+ while (!OSSL_STORE_eof(sctx)) {
+ info = OSSL_STORE_load(sctx);
+ if (!info)
+ break;
+
+ if (OSSL_STORE_INFO_get_type(info) == info_type)
+ break;
+
+ OSSL_STORE_INFO_free(info);
+ info = NULL;
+ }
+
+ OSSL_STORE_close(sctx);
+
+ return info;
+}
+
+static apr_status_t modssl_load_keypair_store(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid,
+ const char *keyid,
+ X509 **pubkey,
+ EVP_PKEY **privkey)
+{
+ OSSL_STORE_INFO *info = NULL;
+
+ *privkey = NULL;
+ *pubkey = NULL;
+
+ info = modssl_load_store_uri(s, p, vhostid, keyid, OSSL_STORE_INFO_PKEY);
+ if (!info) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10492)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ *privkey = OSSL_STORE_INFO_get1_PKEY(info);
+ OSSL_STORE_INFO_free(info);
+ if (!*privkey) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10493)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ if (certid) {
+ info = modssl_load_store_uri(s, p, vhostid, certid, OSSL_STORE_INFO_CERT);
+ if (!info) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10494)
+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ *pubkey = OSSL_STORE_INFO_get1_CERT(info);
+ OSSL_STORE_INFO_free(info);
+ if (!*pubkey) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10495)
+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'",
+ certid);
+ return ssl_die(s);
+ }
+ }
+
+ return APR_SUCCESS;
+}
+#endif
+
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey)
+{
+#if MODSSL_HAVE_OPENSSL_STORE
+ SSLModConfigRec *mc = myModConfig(s);
+
+ if (!mc->szCryptoDevice)
+ return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
+ pubkey, privkey);
+#endif
+#if MODSSL_HAVE_ENGINE_API
+ return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
+ pubkey, privkey);
#else
return APR_ENOTIMPL;
#endif
--- httpd-2.4.58/modules/ssl/ssl_private.h.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_private.h
@@ -118,6 +118,15 @@
#define MODSSL_HAVE_ENGINE_API 0
#endif
+/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with
+ * OpenSSL 3.0
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#define MODSSL_HAVE_OPENSSL_STORE 1
+#else
+#define MODSSL_HAVE_OPENSSL_STORE 0
+#endif
+
#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
#error mod_ssl requires OpenSSL 0.9.8a or later
#endif
--- httpd-2.4.58/modules/ssl/ssl_util.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_util.c
@@ -476,7 +476,7 @@
int modssl_is_engine_id(const char *name)
{
-#if MODSSL_HAVE_ENGINE_API
+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE
/* ### Can handle any other special ENGINE key names here? */
return strncmp(name, "pkcs11:", 7) == 0;
#else

9
httpd.spec
View File

@ -24,7 +24,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.61
Version: 2.4.62
Release: 1%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -95,8 +95,7 @@ Patch29: httpd-2.4.43-sslprotdefault.patch
Patch30: httpd-2.4.43-logjournal.patch
Patch31: httpd-2.4.53-separate-systemd-fns.patch
Patch32: httpd-2.4.58-r1912477+.patch
Patch33: httpd-2.4.58-r1914365.patch
Patch34: httpd-2.4.54-selinux.patch
Patch33: httpd-2.4.54-selinux.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -825,6 +824,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Jul 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
- new version 2.4.62
- Resolves: RHEL-33446
* Wed Jul 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.61-1
- new version 2.4.61
- Resolves: RHEL-45753 - httpd: Potential SSRF in

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (httpd-2.4.61.tar.bz2) = 00656220ecc2b80788f539536553f0a3a57602fb981be22e63af87d0f98ffe5da3056e722ce52ae8cf9c2111ad1922b3aaea1fd7d69d0ed76795199203d593ff
SHA512 (httpd-2.4.61.tar.bz2.asc) = fed6eb8ed866eba25c64bf89e959bca3dcc548134340c1c8cedbd78b93223dfd641fb2e6ab0d82f129504f7caf6f579b6f40ad03267fc9018efb0779ffcb2f64
SHA512 (httpd-2.4.62.tar.bz2) = 7db1876805d5c0f60f49bcb51f75cdf567120f2ff6349e68f084e9a86ae38265d9f1c67e7fca0082c9db136f3c408a88501ee11f26b1b68724ba240867171d77
SHA512 (httpd-2.4.62.tar.bz2.asc) = ed4d59fca7e134aa378dddfd0d62973da99fe77a82a48e268e11262af8aca4a4e90133cc979fb39a4f9cb33abbebb10b1345cb52cfad6eb58fc84d3308bc5a39
SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192