mod_ssl: further TLSv1.3 fix (#1619389)

Resolves: rhbz#1619389

httpd-2.4.34-r1827912+.patch

@@ -9,6 +9,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1828723
 http://svn.apache.org/viewvc?view=revision&revision=1828790
 http://svn.apache.org/viewvc?view=revision&revision=1828791
 http://svn.apache.org/viewvc?view=revision&revision=1828792
+http://svn.apache.org/viewvc?view=revision&revision=1833588
 
 --- httpd-2.4.34/modules/ssl/mod_ssl.c.r1827912+
 +++ httpd-2.4.34/modules/ssl/mod_ssl.c
@@ -655,6 +656,66 @@ http://svn.apache.org/viewvc?view=revision&revision=1828792
  /*
   *  Authentication Handler:
   *  Fake a Basic authentication from the X509 client certificate.
+@@ -2080,31 +2230,43 @@
+ {
+     conn_rec *c;
+     server_rec *s;
+-    SSLConnRec *scr;
+ 
+     /* Retrieve the conn_rec and the associated SSLConnRec. */
+     if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
+         return;
+     }
+ 
+-    if ((scr = myConnConfig(c)) == NULL) {
+-        return;
+-    }
++    /* With TLS 1.3 this callback may be called multiple times on the first
++     * negotiation, so the below logic to detect renegotiations can't work.
++     * Fortunately renegotiations are forbidden starting with TLS 1.3, and
++     * this is enforced by OpenSSL so there's nothing to be done here.
++     */
++#if SSL_HAVE_PROTOCOL_TLSV1_3
++    if (SSL_version(ssl) < TLS1_3_VERSION)
++#endif
++    {
++        SSLConnRec *sslconn;
+ 
+-    /* If the reneg state is to reject renegotiations, check the SSL
+-     * state machine and move to ABORT if a Client Hello is being
+-     * read. */
+-    if (!scr->is_proxy &&
+-        (where & SSL_CB_HANDSHAKE_START) &&
+-        scr->reneg_state == RENEG_REJECT) {
+-            scr->reneg_state = RENEG_ABORT;
++        if ((sslconn = myConnConfig(c)) == NULL) {
++            return;
++        }
++
++        /* If the reneg state is to reject renegotiations, check the SSL
++         * state machine and move to ABORT if a Client Hello is being
++         * read. */
++        if (!sslconn->is_proxy &&
++                (where & SSL_CB_HANDSHAKE_START) &&
++                sslconn->reneg_state == RENEG_REJECT) {
++            sslconn->reneg_state = RENEG_ABORT;
+             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
+                           "rejecting client initiated renegotiation");
+-    }
+-    /* If the first handshake is complete, change state to reject any
+-     * subsequent client-initiated renegotiation. */
+-    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
+-        scr->reneg_state = RENEG_REJECT;
++        }
++        /* If the first handshake is complete, change state to reject any
++         * subsequent client-initiated renegotiation. */
++        else if ((where & SSL_CB_HANDSHAKE_DONE)
++                 && sslconn->reneg_state == RENEG_INIT) {
++            sslconn->reneg_state = RENEG_REJECT;
++        }
+     }
+ 
+     s = mySrvFromConn(c);
 --- httpd-2.4.34/modules/ssl/ssl_private.h.r1827912+
 +++ httpd-2.4.34/modules/ssl/ssl_private.h
 @@ -132,13 +132,14 @@

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -729,6 +729,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue Aug 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-5
+- mod_ssl: further TLSv1.3 fix (#1619389)
+
 * Mon Aug 13 2018 Joe Orton <jorton@redhat.com> - 2.4.34-4
 - mod_ssl: backport TLSv1.3 support changes from upstream (#1615059)