From 6b2ff10ef8f853ba9984988191f0fcc3ea7af987 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 19 Jul 2024 16:55:58 +0200 Subject: [PATCH] new version 2.4.62 Resolves: RHEL-33446 --- .gitignore | 1 + httpd-2.4.58-r1914365.patch | 221 ------------------------------------ httpd.spec | 9 +- sources | 4 +- 4 files changed, 9 insertions(+), 226 deletions(-) delete mode 100644 httpd-2.4.58-r1914365.patch diff --git a/.gitignore b/.gitignore index ed7e100..5bb7aaa 100644 --- a/.gitignore +++ b/.gitignore @@ -51,3 +51,4 @@ x86_64 /httpd-2.4.58.tar.bz2.asc /httpd-2.4.59.tar.bz2.asc /httpd-2.4.61.tar.bz2.asc +/httpd-2.4.62.tar.bz2.asc diff --git a/httpd-2.4.58-r1914365.patch b/httpd-2.4.58-r1914365.patch deleted file mode 100644 index 8512de3..0000000 --- a/httpd-2.4.58-r1914365.patch +++ /dev/null @@ -1,221 +0,0 @@ -# ./pullrev.sh 1914365 -http://svn.apache.org/viewvc?view=revision&revision=1914365 - -Upstream-Status: in trunk, not proposed for 2.4.x - ---- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c -@@ -1421,8 +1421,10 @@ - if (cert) { - if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137) -- "Failed to configure engine certificate %s, check %s", -- key_id, certfile); -+ "Failed to configure certificate %s from %s, check %s", -+ key_id, mc->szCryptoDevice ? -+ mc->szCryptoDevice : "provider", -+ certfile); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return APR_EGENERAL; - } -@@ -1433,8 +1435,9 @@ - - if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130) -- "Failed to configure private key %s from engine", -- keyfile); -+ "Failed to configure private key %s from %s", -+ keyfile, mc->szCryptoDevice ? -+ mc->szCryptoDevice : "provider"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return APR_EGENERAL; - } ---- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c -@@ -31,6 +31,9 @@ - #include "ssl_private.h" - - #include -+#if MODSSL_HAVE_OPENSSL_STORE -+#include -+#endif - - typedef struct { - server_rec *s; -@@ -608,7 +611,7 @@ - return (len); - } - --#if MODSSL_HAVE_ENGINE_API -+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE - - /* OpenSSL UI implementation for passphrase entry; largely duplicated - * from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be -@@ -826,13 +829,14 @@ - } - #endif - -- --apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, -+#if MODSSL_HAVE_ENGINE_API -+static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p, - const char *vhostid, -- const char *certid, const char *keyid, -- X509 **pubkey, EVP_PKEY **privkey) -+ const char *certid, -+ const char *keyid, -+ X509 **pubkey, -+ EVP_PKEY **privkey) - { --#if MODSSL_HAVE_ENGINE_API - const char *c, *scheme; - ENGINE *e; - UI_METHOD *ui_method = get_passphrase_ui(p); -@@ -906,6 +910,118 @@ - ENGINE_free(e); - - return APR_SUCCESS; -+} -+#endif -+ -+#if MODSSL_HAVE_OPENSSL_STORE -+static OSSL_STORE_INFO *modssl_load_store_uri(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *uri, int info_type) -+{ -+ OSSL_STORE_CTX *sctx; -+ UI_METHOD *ui_method = get_passphrase_ui(p); -+ pphrase_cb_arg_t ppcb; -+ OSSL_STORE_INFO *info = NULL; -+ -+ memset(&ppcb, 0, sizeof ppcb); -+ ppcb.s = s; -+ ppcb.p = p; -+ ppcb.bPassPhraseDialogOnce = TRUE; -+ ppcb.key_id = vhostid; -+ ppcb.pkey_file = uri; -+ -+ sctx = OSSL_STORE_open(uri, ui_method, &ppcb, NULL, NULL); -+ if (!sctx) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10491) -+ "Init: OSSL_STORE_open failed for PKCS#11 URI `%s'", -+ uri); -+ return NULL; -+ } -+ -+ while (!OSSL_STORE_eof(sctx)) { -+ info = OSSL_STORE_load(sctx); -+ if (!info) -+ break; -+ -+ if (OSSL_STORE_INFO_get_type(info) == info_type) -+ break; -+ -+ OSSL_STORE_INFO_free(info); -+ info = NULL; -+ } -+ -+ OSSL_STORE_close(sctx); -+ -+ return info; -+} -+ -+static apr_status_t modssl_load_keypair_store(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *certid, -+ const char *keyid, -+ X509 **pubkey, -+ EVP_PKEY **privkey) -+{ -+ OSSL_STORE_INFO *info = NULL; -+ -+ *privkey = NULL; -+ *pubkey = NULL; -+ -+ info = modssl_load_store_uri(s, p, vhostid, keyid, OSSL_STORE_INFO_PKEY); -+ if (!info) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10492) -+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ *privkey = OSSL_STORE_INFO_get1_PKEY(info); -+ OSSL_STORE_INFO_free(info); -+ if (!*privkey) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10493) -+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ if (certid) { -+ info = modssl_load_store_uri(s, p, vhostid, certid, OSSL_STORE_INFO_CERT); -+ if (!info) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10494) -+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ *pubkey = OSSL_STORE_INFO_get1_CERT(info); -+ OSSL_STORE_INFO_free(info); -+ if (!*pubkey) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10495) -+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", -+ certid); -+ return ssl_die(s); -+ } -+ } -+ -+ return APR_SUCCESS; -+} -+#endif -+ -+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *certid, const char *keyid, -+ X509 **pubkey, EVP_PKEY **privkey) -+{ -+#if MODSSL_HAVE_OPENSSL_STORE -+ SSLModConfigRec *mc = myModConfig(s); -+ -+ if (!mc->szCryptoDevice) -+ return modssl_load_keypair_store(s, p, vhostid, certid, keyid, -+ pubkey, privkey); -+#endif -+#if MODSSL_HAVE_ENGINE_API -+ return modssl_load_keypair_engine(s, p, vhostid, certid, keyid, -+ pubkey, privkey); - #else - return APR_ENOTIMPL; - #endif ---- httpd-2.4.58/modules/ssl/ssl_private.h.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_private.h -@@ -118,6 +118,15 @@ - #define MODSSL_HAVE_ENGINE_API 0 - #endif - -+/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with -+ * OpenSSL 3.0 -+ */ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#define MODSSL_HAVE_OPENSSL_STORE 1 -+#else -+#define MODSSL_HAVE_OPENSSL_STORE 0 -+#endif -+ - #if (OPENSSL_VERSION_NUMBER < 0x0090801f) - #error mod_ssl requires OpenSSL 0.9.8a or later - #endif ---- httpd-2.4.58/modules/ssl/ssl_util.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_util.c -@@ -476,7 +476,7 @@ - - int modssl_is_engine_id(const char *name) - { --#if MODSSL_HAVE_ENGINE_API -+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE - /* ### Can handle any other special ENGINE key names here? */ - return strncmp(name, "pkcs11:", 7) == 0; - #else diff --git a/httpd.spec b/httpd.spec index 8b1e47d..b16622f 100644 --- a/httpd.spec +++ b/httpd.spec @@ -24,7 +24,7 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.61 +Version: 2.4.62 Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -95,8 +95,7 @@ Patch29: httpd-2.4.43-sslprotdefault.patch Patch30: httpd-2.4.43-logjournal.patch Patch31: httpd-2.4.53-separate-systemd-fns.patch Patch32: httpd-2.4.58-r1912477+.patch -Patch33: httpd-2.4.58-r1914365.patch -Patch34: httpd-2.4.54-selinux.patch +Patch33: httpd-2.4.54-selinux.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 @@ -825,6 +824,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Jul 19 2024 Luboš Uhliarik - 2.4.62-1 +- new version 2.4.62 +- Resolves: RHEL-33446 + * Wed Jul 03 2024 Luboš Uhliarik - 2.4.61-1 - new version 2.4.61 - Resolves: RHEL-45753 - httpd: Potential SSRF in diff --git a/sources b/sources index 08abe25..2d4ff61 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (httpd-2.4.61.tar.bz2) = 00656220ecc2b80788f539536553f0a3a57602fb981be22e63af87d0f98ffe5da3056e722ce52ae8cf9c2111ad1922b3aaea1fd7d69d0ed76795199203d593ff -SHA512 (httpd-2.4.61.tar.bz2.asc) = fed6eb8ed866eba25c64bf89e959bca3dcc548134340c1c8cedbd78b93223dfd641fb2e6ab0d82f129504f7caf6f579b6f40ad03267fc9018efb0779ffcb2f64 +SHA512 (httpd-2.4.62.tar.bz2) = 7db1876805d5c0f60f49bcb51f75cdf567120f2ff6349e68f084e9a86ae38265d9f1c67e7fca0082c9db136f3c408a88501ee11f26b1b68724ba240867171d77 +SHA512 (httpd-2.4.62.tar.bz2.asc) = ed4d59fca7e134aa378dddfd0d62973da99fe77a82a48e268e11262af8aca4a4e90133cc979fb39a4f9cb33abbebb10b1345cb52cfad6eb58fc84d3308bc5a39 SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192