mod_ssl: add check for proxy keypair match (upstream r1374214)

2012-08-21 15:57:50 +01:00 · 2012-08-21 15:57:50 +01:00 · 7d53cc989e
commit 7d53cc989e
parent 130d45741f
2 changed files with 53 additions and 1 deletions
--- a/httpd-2.4.2-r1374214+.patch
+++ b/httpd-2.4.2-r1374214+.patch
@ -0,0 +1,45 @@
+# ./pullrev.sh 1374214 1375445
+
+http://svn.apache.org/viewvc?view=revision&revision=1374214
+http://svn.apache.org/viewvc?view=revision&revision=1375445
+
+--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
+@@ -1381,7 +1381,7 @@
+     for (n = 0; n < ncerts; n++) {
+         X509_INFO *inf = sk_X509_INFO_value(sk, n);
+ 
+-        if (!inf->x509 || !inf->x_pkey) {
+        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
+             sk_X509_INFO_free(sk);
+             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+                          "incomplete client cert configured for SSL proxy "
+@@ -1389,6 +1389,15 @@
+             ssl_die(s);
+             return;
+         }
+        
+        if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+            ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+                           APLOGNO(02326) "proxy client certificate and "
+                           "private key do not match");
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+            ssl_die(s);
+            return;
+        }
+     }
+ 
+     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+@@ -1401,7 +1410,11 @@
+         return;
+     }
+ 
+-    /* Load all of the CA certs and construct a chain */
+    /* If SSLProxyMachineCertificateChainFile is configured, load all
+     * the CA certs and have OpenSSL attempt to construct a full chain
+     * from each configured end-entity cert up to a root.  This will
+     * allow selection of the correct cert given a list of root CA
+     * names in the certificate request from the server.  */
+     pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+     sctx = X509_STORE_CTX_new();
+ 
--- a/httpd.spec
+++ b/httpd.spec
@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -48,6 +48,8 @@ Patch25: httpd-2.4.1-selinux.patch
 Patch26: httpd-2.4.2-r1337344+.patch
 Patch27: httpd-2.4.2-icons.patch
 Patch28: httpd-2.4.2-r1332643+.patch
+# Bug fixes
+Patch50: httpd-2.4.2-r1374214+.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -156,6 +158,8 @@ authentication to the Apache HTTP Server.
 %patch27 -p1 -b .icons
 %patch28 -p1 -b .r1332643+

+%patch50 -p1 -b .r1374214+
+
 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch --fuzz=%{_default_patch_fuzz} -p1

@ -570,6 +574,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd

 %changelog
+* Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-2
+- mod_ssl: add check for proxy keypair match (upstream r1374214)
+
 * Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-1
 - update to 2.4.3 (#849883)
 - own the docroot (#848121)