- new version 2.4.51 (#2011090)

- add comments to apachectl
- adjust patches
- update openssl 3.0 patch

Resolves: #2011090
This commit is contained in:
Luboš Uhliarik 2021-10-19 18:23:25 +02:00
parent 7302c9b133
commit 7f280ee9bc
6 changed files with 105 additions and 86 deletions

1
.gitignore vendored
View File

@ -40,3 +40,4 @@ x86_64
/httpd-2.4.46.tar.bz2.asc /httpd-2.4.46.tar.bz2.asc
/httpd-2.4.48.tar.bz2.asc /httpd-2.4.48.tar.bz2.asc
/httpd-2.4.49.tar.bz2.asc /httpd-2.4.49.tar.bz2.asc
/httpd-2.4.51.tar.bz2.asc

View File

@ -15,6 +15,13 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
###
### NOTE: This is a replacement version of the "apachectl" script with
### some differences in behaviour to the version distributed with
### Apache httpd. Please read the apachectl(8) man page for more
### information.
###
if [ "x$1" = "x-k" ]; then if [ "x$1" = "x-k" ]; then
shift shift
fi fi

View File

@ -1,11 +1,9 @@
https://github.com/apache/httpd/pull/258 https://github.com/apache/httpd/pull/258
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c --- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
index 4da24eddcc..5d199cddaf 100644 +++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
--- a/modules/ssl/ssl_engine_init.c @@ -91,7 +91,6 @@
+++ b/modules/ssl/ssl_engine_init.c
@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
return 1; return 1;
} }
@ -13,7 +11,7 @@ index 4da24eddcc..5d199cddaf 100644
/* /*
* Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen) @@ -171,6 +170,7 @@
return NULL; /* impossible to reach. */ return NULL; /* impossible to reach. */
} }
@ -21,7 +19,7 @@ index 4da24eddcc..5d199cddaf 100644
static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
server_rec *s) server_rec *s)
@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, @@ -440,8 +440,9 @@
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
@ -32,19 +30,19 @@ index 4da24eddcc..5d199cddaf 100644
init_bio_methods(); init_bio_methods();
#endif #endif
@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, @@ -862,7 +863,11 @@
{ {
SSL_CTX *ctx = mctx->ssl_ctx; SSL_CTX *ctx = mctx->ssl_ctx;
+#if MODSSL_USE_OPENSSL_PRE_1_1_API +#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ /* Note that for OpenSSL>=1.1, auto selection is enabled via
+ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+#else
+ SSL_CTX_set_dh_auto(ctx, 1);
+#endif +#endif
SSL_CTX_set_info_callback(ctx, ssl_callback_Info); SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s, @@ -871,6 +876,23 @@
#endif #endif
} }
@ -68,7 +66,7 @@ index 4da24eddcc..5d199cddaf 100644
static apr_status_t ssl_init_ctx_verify(server_rec *s, static apr_status_t ssl_init_ctx_verify(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s, @@ -911,10 +933,8 @@
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring client authentication"); "Configuring client authentication");
@ -81,7 +79,7 @@ index 4da24eddcc..5d199cddaf 100644
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
"Unable to configure verify locations " "Unable to configure verify locations "
"for client authentication"); "for client authentication");
@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, @@ -999,6 +1019,23 @@
return APR_SUCCESS; return APR_SUCCESS;
} }
@ -105,7 +103,7 @@ index 4da24eddcc..5d199cddaf 100644
static apr_status_t ssl_init_ctx_crl(server_rec *s, static apr_status_t ssl_init_ctx_crl(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, @@ -1037,8 +1074,8 @@
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
"Configuring certificate revocation facility"); "Configuring certificate revocation facility");
@ -116,7 +114,7 @@ index 4da24eddcc..5d199cddaf 100644
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
"Host %s: unable to configure X.509 CRL storage " "Host %s: unable to configure X.509 CRL storage "
"for certificate revocation", mctx->sc->vhost_id); "for certificate revocation", mctx->sc->vhost_id);
@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag, @@ -1267,6 +1304,31 @@
return 0; return 0;
} }
@ -148,7 +146,7 @@ index 4da24eddcc..5d199cddaf 100644
static apr_status_t ssl_init_server_certs(server_rec *s, static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, @@ -1277,7 +1339,7 @@
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i; int i;
X509 *cert; X509 *cert;
@ -157,7 +155,7 @@ index 4da24eddcc..5d199cddaf 100644
#ifdef HAVE_ECC #ifdef HAVE_ECC
EC_GROUP *ecparams = NULL; EC_GROUP *ecparams = NULL;
int nid; int nid;
@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, @@ -1372,8 +1434,7 @@
} }
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1) SSL_FILETYPE_PEM) < 1)
@ -167,13 +165,15 @@ index 4da24eddcc..5d199cddaf 100644
ssl_asn1_t *asn1; ssl_asn1_t *asn1;
const unsigned char *ptr; const unsigned char *ptr;
@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s, @@ -1462,13 +1523,22 @@
*/ */
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
if (certfile && !modssl_is_engine_id(certfile) if (certfile && !modssl_is_engine_id(certfile)
- && (dhparams = ssl_dh_GetParamFromFile(certfile))) { - && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); - SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
+ && (dh = ssl_dh_GetParamFromFile(certfile))) { + && (dh = ssl_dh_GetParamFromFile(certfile))) {
+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
+ * for OpenSSL 3.0+. */
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s", "Custom DH parameters (%d bits) for %s loaded from %s",
@ -182,9 +182,17 @@ index 4da24eddcc..5d199cddaf 100644
+ modssl_DH_bits(dh), vhost_id, certfile); + modssl_DH_bits(dh), vhost_id, certfile);
+ DH_free(dh); + DH_free(dh);
} }
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+ else {
+ /* If no parameter is manually configured, enable auto
+ * selection. */
+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
+ }
+#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, /*
@@ -1518,6 +1588,7 @@
char buf[TLSEXT_TICKET_KEY_LEN]; char buf[TLSEXT_TICKET_KEY_LEN];
char *path; char *path;
modssl_ticket_key_t *ticket_key = mctx->ticket_key; modssl_ticket_key_t *ticket_key = mctx->ticket_key;
@ -192,7 +200,7 @@ index 4da24eddcc..5d199cddaf 100644
if (!ticket_key->file_path) { if (!ticket_key->file_path) {
return APR_SUCCESS; return APR_SUCCESS;
@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, @@ -1545,11 +1616,22 @@
} }
memcpy(ticket_key->key_name, buf, 16); memcpy(ticket_key->key_name, buf, 16);
@ -219,7 +227,7 @@ index 4da24eddcc..5d199cddaf 100644
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
"Unable to initialize TLS session ticket key callback " "Unable to initialize TLS session ticket key callback "
"(incompatible OpenSSL version?)"); "(incompatible OpenSSL version?)");
@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, @@ -1680,7 +1762,7 @@
return ssl_die(s); return ssl_die(s);
} }
@ -228,7 +236,7 @@ index 4da24eddcc..5d199cddaf 100644
for (n = 0; n < ncerts; n++) { for (n = 0; n < ncerts; n++) {
int i; int i;
@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data) @@ -2277,10 +2359,11 @@
} }
@ -242,11 +250,9 @@ index 4da24eddcc..5d199cddaf 100644
return APR_SUCCESS; return APR_SUCCESS;
} }
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c --- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
index cabf753790..3db7077f1e 100644 +++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
--- a/modules/ssl/ssl_engine_io.c @@ -194,6 +194,10 @@
+++ b/modules/ssl/ssl_engine_io.c
@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
static int bio_filter_out_read(BIO *bio, char *out, int outl) static int bio_filter_out_read(BIO *bio, char *out, int outl)
{ {
/* this is never called */ /* this is never called */
@ -257,7 +263,7 @@ index cabf753790..3db7077f1e 100644
return -1; return -1;
} }
@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) @@ -293,12 +297,20 @@
static int bio_filter_out_gets(BIO *bio, char *buf, int size) static int bio_filter_out_gets(BIO *bio, char *buf, int size)
{ {
/* this is never called */ /* this is never called */
@ -278,7 +284,7 @@ index cabf753790..3db7077f1e 100644
return -1; return -1;
} }
@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) @@ -533,22 +545,47 @@
static int bio_filter_in_write(BIO *bio, const char *in, int inl) static int bio_filter_in_write(BIO *bio, const char *in, int inl)
{ {
@ -327,7 +333,7 @@ index cabf753790..3db7077f1e 100644
} }
#if MODSSL_USE_OPENSSL_PRE_1_1_API #if MODSSL_USE_OPENSSL_PRE_1_1_API
@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = { @@ -573,7 +610,7 @@
bio_filter_in_read, bio_filter_in_read,
bio_filter_in_puts, /* puts is never called */ bio_filter_in_puts, /* puts is never called */
bio_filter_in_gets, /* gets is never called */ bio_filter_in_gets, /* gets is never called */
@ -336,11 +342,9 @@ index cabf753790..3db7077f1e 100644
bio_filter_create, bio_filter_create,
bio_filter_destroy, bio_filter_destroy,
NULL NULL
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c --- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
index b99dcf19d4..aced92d2d0 100644 +++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
--- a/modules/ssl/ssl_engine_kernel.c @@ -1685,6 +1685,7 @@
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
** _________________________________________________________________ ** _________________________________________________________________
*/ */
@ -348,7 +352,7 @@ index b99dcf19d4..aced92d2d0 100644
/* /*
* Hand out standard DH parameters, based on the authentication strength * Hand out standard DH parameters, based on the authentication strength
*/ */
@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) @@ -1730,6 +1731,7 @@
return modssl_get_dh_params(keylen); return modssl_get_dh_params(keylen);
} }
@ -356,7 +360,7 @@ index b99dcf19d4..aced92d2d0 100644
/* /*
* This OpenSSL callback function is called when OpenSSL * This OpenSSL callback function is called when OpenSSL
@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl, @@ -2614,7 +2616,11 @@
unsigned char *keyname, unsigned char *keyname,
unsigned char *iv, unsigned char *iv,
EVP_CIPHER_CTX *cipher_ctx, EVP_CIPHER_CTX *cipher_ctx,
@ -369,7 +373,7 @@ index b99dcf19d4..aced92d2d0 100644
int mode) int mode)
{ {
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl, @@ -2640,7 +2646,13 @@
} }
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv); ticket_key->aes_key, iv);
@ -384,7 +388,7 @@ index b99dcf19d4..aced92d2d0 100644
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
"TLS session ticket key for %s successfully set, " "TLS session ticket key for %s successfully set, "
@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl, @@ -2661,7 +2673,13 @@
EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv); ticket_key->aes_key, iv);
@ -399,11 +403,9 @@ index b99dcf19d4..aced92d2d0 100644
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
"TLS session ticket key for %s successfully set, " "TLS session ticket key for %s successfully set, "
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c --- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
index 7dbbbdb55e..3b3ceacf0a 100644 +++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
--- a/modules/ssl/ssl_engine_log.c @@ -78,6 +78,16 @@
+++ b/modules/ssl/ssl_engine_log.c
@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
return APR_EGENERAL; return APR_EGENERAL;
} }
@ -420,7 +422,7 @@ index 7dbbbdb55e..3b3ceacf0a 100644
/* /*
* Prints the SSL library error information. * Prints the SSL library error information.
*/ */
@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) @@ -87,7 +97,7 @@
const char *data; const char *data;
int flags; int flags;
@ -429,10 +431,8 @@ index 7dbbbdb55e..3b3ceacf0a 100644
const char *annotation; const char *annotation;
char err[256]; char err[256];
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h --- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
index a6fc7513a2..b091c58c94 100644 +++ httpd-2.4.51/modules/ssl/ssl_private.h
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -89,6 +89,9 @@ @@ -89,6 +89,9 @@
/* must be defined before including ssl.h */ /* must be defined before including ssl.h */
#define OPENSSL_NO_SSL_INTERN #define OPENSSL_NO_SSL_INTERN
@ -459,7 +459,7 @@ index a6fc7513a2..b091c58c94 100644
#else /* defined(LIBRESSL_VERSION_NUMBER) */ #else /* defined(LIBRESSL_VERSION_NUMBER) */
#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif #endif
@@ -674,7 +676,11 @@ typedef struct { @@ -681,7 +683,11 @@
typedef struct { typedef struct {
const char *file_path; const char *file_path;
unsigned char key_name[16]; unsigned char key_name[16];
@ -471,7 +471,7 @@ index a6fc7513a2..b091c58c94 100644
unsigned char aes_key[16]; unsigned char aes_key[16];
} modssl_ticket_key_t; } modssl_ticket_key_t;
#endif #endif
@@ -938,8 +944,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); @@ -945,8 +951,16 @@
int ssl_callback_ClientHello(SSL *, int *, void *); int ssl_callback_ClientHello(SSL *, int *, void *);
#endif #endif
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
@ -490,7 +490,7 @@ index a6fc7513a2..b091c58c94 100644
#endif #endif
#ifdef HAVE_TLS_ALPN #ifdef HAVE_TLS_ALPN
@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx); @@ -1124,10 +1138,12 @@
#endif #endif

View File

@ -1,8 +1,8 @@
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 699bdcd..15f68f9 100644 index 211ebff..c8cb1af 100644
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1877397 --- a/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c
@@ -871,6 +871,13 @@ @@ -871,6 +871,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog); SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
} }
#endif #endif
@ -16,7 +16,7 @@ index 699bdcd..15f68f9 100644
return APR_SUCCESS; return APR_SUCCESS;
} }
@@ -892,6 +899,14 @@ @@ -892,6 +899,14 @@ static void ssl_init_ctx_session_cache(server_rec *s,
} }
} }
@ -31,8 +31,8 @@ index 699bdcd..15f68f9 100644
static void ssl_init_ctx_callbacks(server_rec *s, static void ssl_init_ctx_callbacks(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -905,7 +920,13 @@ @@ -905,7 +920,13 @@ static void ssl_init_ctx_callbacks(server_rec *s,
SSL_CTX_set_dh_auto(ctx, 1); SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
#endif #endif
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
@ -46,9 +46,11 @@ index 699bdcd..15f68f9 100644
#ifdef HAVE_TLS_ALPN #ifdef HAVE_TLS_ALPN
SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
--- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1877397 diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c index 79b9a70..3a0c22a 100644
@@ -209,11 +209,13 @@ --- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -209,11 +209,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
BIO_clear_retry_flags(bio); BIO_clear_retry_flags(bio);
@ -62,7 +64,7 @@ index 699bdcd..15f68f9 100644
ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c, ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
"bio_filter_out_write: %i bytes", inl); "bio_filter_out_write: %i bytes", inl);
@@ -474,11 +476,13 @@ @@ -474,11 +476,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
BIO_clear_retry_flags(bio); BIO_clear_retry_flags(bio);
@ -76,9 +78,11 @@ index 699bdcd..15f68f9 100644
if (!inctx->bb) { if (!inctx->bb) {
inctx->rc = APR_EOF; inctx->rc = APR_EOF;
--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1877397 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c index 591f6ae..8416864 100644
@@ -992,7 +992,7 @@ --- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
/* Toggle the renegotiation state to allow the new /* Toggle the renegotiation state to allow the new
* handshake to proceed. */ * handshake to proceed. */
@ -87,7 +91,7 @@ index 699bdcd..15f68f9 100644
SSL_renegotiate(ssl); SSL_renegotiate(ssl);
SSL_do_handshake(ssl); SSL_do_handshake(ssl);
@@ -1019,7 +1019,7 @@ @@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
*/ */
SSL_peek(ssl, peekbuf, 0); SSL_peek(ssl, peekbuf, 0);
@ -96,7 +100,7 @@ index 699bdcd..15f68f9 100644
if (!SSL_is_init_finished(ssl)) { if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
@@ -1078,7 +1078,7 @@ @@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
int vmode_inplace, vmode_needed; int vmode_inplace, vmode_needed;
int change_vmode = FALSE; int change_vmode = FALSE;
@ -105,7 +109,7 @@ index 699bdcd..15f68f9 100644
vmode_inplace = SSL_get_verify_mode(ssl); vmode_inplace = SSL_get_verify_mode(ssl);
vmode_needed = SSL_VERIFY_NONE; vmode_needed = SSL_VERIFY_NONE;
@@ -1180,8 +1180,6 @@ @@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
@ -114,7 +118,7 @@ index 699bdcd..15f68f9 100644
modssl_set_app_data2(ssl, r); modssl_set_app_data2(ssl, r);
SSL_do_handshake(ssl); SSL_do_handshake(ssl);
@@ -1191,7 +1189,6 @@ @@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
*/ */
SSL_peek(ssl, peekbuf, 0); SSL_peek(ssl, peekbuf, 0);
@ -122,7 +126,7 @@ index 699bdcd..15f68f9 100644
modssl_set_app_data2(ssl, NULL); modssl_set_app_data2(ssl, NULL);
/* /*
@@ -2263,8 +2260,8 @@ @@ -2263,8 +2260,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c,
/* /*
* This callback function is executed while OpenSSL processes the SSL * This callback function is executed while OpenSSL processes the SSL
* handshake and does SSL record layer stuff. It's used to trap * handshake and does SSL record layer stuff. It's used to trap
@ -133,7 +137,7 @@ index 699bdcd..15f68f9 100644
*/ */
void ssl_callback_Info(const SSL *ssl, int where, int rc) void ssl_callback_Info(const SSL *ssl, int where, int rc)
{ {
@@ -2276,14 +2273,12 @@ @@ -2276,14 +2273,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
return; return;
} }
@ -154,7 +158,7 @@ index 699bdcd..15f68f9 100644
{ {
SSLConnRec *sslconn; SSLConnRec *sslconn;
@@ -2308,6 +2303,7 @@ @@ -2308,6 +2303,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
sslconn->reneg_state = RENEG_REJECT; sslconn->reneg_state = RENEG_REJECT;
} }
} }
@ -162,9 +166,11 @@ index 699bdcd..15f68f9 100644
s = mySrvFromConn(c); s = mySrvFromConn(c);
if (s && APLOGdebug(s)) { if (s && APLOGdebug(s)) {
--- httpd-2.4.48/modules/ssl/ssl_private.h.r1877397 diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+++ httpd-2.4.48/modules/ssl/ssl_private.h index a329d99..7666c31 100644
@@ -512,6 +512,16 @@ --- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -512,6 +512,16 @@ typedef struct {
apr_time_t source_mtime; apr_time_t source_mtime;
} ssl_asn1_t; } ssl_asn1_t;
@ -181,7 +187,7 @@ index 699bdcd..15f68f9 100644
/** /**
* Define the mod_ssl per-module configuration structure * Define the mod_ssl per-module configuration structure
* (i.e. the global configuration for each httpd process) * (i.e. the global configuration for each httpd process)
@@ -544,18 +554,13 @@ @@ -543,18 +553,13 @@ typedef struct {
NON_SSL_SET_ERROR_MSG /* Need to set the error message */ NON_SSL_SET_ERROR_MSG /* Need to set the error message */
} non_ssl_request; } non_ssl_request;
@ -207,7 +213,7 @@ index 699bdcd..15f68f9 100644
server_rec *server; server_rec *server;
SSLDirConfigRec *dc; SSLDirConfigRec *dc;
@@ -1160,6 +1165,9 @@ @@ -1158,6 +1163,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
* the configured ENGINE. */ * the configured ENGINE. */
int modssl_is_engine_id(const char *name); int modssl_is_engine_id(const char *name);
@ -217,9 +223,11 @@ index 699bdcd..15f68f9 100644
#endif /* SSL_PRIVATE_H */ #endif /* SSL_PRIVATE_H */
/** @} */ /** @} */
--- httpd-2.4.48/modules/ssl/ssl_util_ssl.c.r1877397 diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
+++ httpd-2.4.48/modules/ssl/ssl_util_ssl.c index 38079a9..dafb833 100644
@@ -589,3 +589,19 @@ --- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -589,3 +589,19 @@ cleanup:
} }
return rv; return rv;
} }

View File

@ -12,7 +12,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.49 Version: 2.4.51
Release: 1%{?dist} Release: 1%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -100,11 +100,11 @@ Patch60: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.46-htcacheclean-dont-break.patch Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1986822 # https://bugzilla.redhat.com/show_bug.cgi?id=1986822
# https://bugzilla.redhat.com/show_bug.cgi?id=1976080 # https://bugzilla.redhat.com/show_bug.cgi?id=1976080
Patch62: httpd-2.4.48-openssl3.patch Patch62: httpd-2.4.51-openssl3.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
Patch64: httpd-2.4.48-full-release.patch Patch64: httpd-2.4.48-full-release.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
Patch65: httpd-2.4.48-r1877397.patch Patch65: httpd-2.4.51-r1877397.patch
# Security fixes # Security fixes
@ -807,6 +807,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Tue Oct 19 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-1
- new version 2.4.51 (#2011090)
* Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1 * Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
- new version 2.4.49 (#2005339) - new version 2.4.49 (#2005339)

View File

@ -1,3 +1,3 @@
SHA512 (httpd-2.4.49.tar.bz2) = 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
SHA512 (httpd-2.4.49.tar.bz2.asc) = f3d31cea838c2f965c6f7bea85afb85e4a12fbbcc5162fb8eebf2ba1e808326f99401e0c7f36bd4cb2f32bbac3c206d0bcb5f5b1b15237cb651c3b43d39f4cf4 SHA512 (httpd-2.4.51.tar.bz2.asc) = c63f2b08eb0b7e688c4a89b4be1d968c9e4a3f09714ffc4fb9b2210b6694b8c90f4067aec63601ec41987507bba8dfcef15f54b8c0707cc49414c9c76dd5d8ce
SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192 SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192