segmentation fault fix (FIPS)

2019-02-05 12:39:17 +00:00 · 2019-02-05 12:39:17 +00:00 · 9e462af294
commit 9e462af294
parent 80cf4174c6
2 changed files with 48 additions and 1 deletions
--- a/httpd-2.4.37-fips-segfault.patch
+++ b/httpd-2.4.37-fips-segfault.patch
@ -0,0 +1,42 @@
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 37947e7..b50c259 100644
+--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
+@@ -331,9 +331,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+     /*
+      * Try to kill the internals of the SSL library.
+      */
+-#ifdef HAVE_FIPS
+-    FIPS_mode_set(0);
+-#endif
+     /* Corresponds to OBJ_create()s */
+     OBJ_cleanup();
+     /* Corresponds to OPENSSL_load_builtin_modules() */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 5063a72..21e41e2 100644
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -183,6 +183,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
+     return 0;
+ }
+ 
+#ifdef HAVE_FIPS
+static apr_status_t ssl_fips_cleanup(void *data)
+{
+    FIPS_mode_set(0);
+    return APR_SUCCESS;
+}
+#endif
+
+ /*
+  *  Per-module initialization
+  */
+@@ -316,6 +324,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+             if (FIPS_mode_set(1)) {
+                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
+                              "Operating in SSL FIPS mode");
+                apr_pool_cleanup_register(p, NULL, ssl_fips_cleanup,
+                                          apr_pool_cleanup_null);
+             }
+             else {
+                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.38
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -78,6 +78,7 @@ Patch34: httpd-2.4.17-socket-activation.patch
 Patch36: httpd-2.4.38-r1830819+.patch
 Patch38: httpd-2.4.34-sslciphdefault.patch
 Patch39: httpd-2.4.37-sslprotdefault.patch
+Patch40: httpd-2.4.37-fips-segfault.patch

 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -229,6 +230,7 @@ interface for storing and accessing per-user session data.
 %patch36 -p1 -b .r1830819+
 %patch38 -p1 -b .sslciphdefault
 %patch39 -p1 -b .sslprotdefault
+%patch40 -p1 -b .fipsseg

 %patch58 -p1 -b .r1738878
 %patch60 -p1 -b .enable-sslv3
@ -734,6 +736,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Feb 05 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.38-5
+- segmentation fault fix (FIPS)
+
 * Tue Feb  5 2019 Joe Orton <jorton@redhat.com> - 2.4.38-4
 - use serverroot-relative statedir, rundir by default