mod_ssl: further TLSv1.3 fix (#1619389)

Resolves: rhbz#1619389
Joe Orton 2018-08-21 08:34:34 +01:00
parent 2f9bc4598d
commit b52ebeb33d
2 changed files with 65 additions and 1 deletions


@ -9,6 +9,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1828723
http://svn.apache.org/viewvc?view=revision&revision=1828790
http://svn.apache.org/viewvc?view=revision&revision=1828791
http://svn.apache.org/viewvc?view=revision&revision=1828792
http://svn.apache.org/viewvc?view=revision&revision=1833588
--- httpd-2.4.34/modules/ssl/mod_ssl.c.r1827912+
+++ httpd-2.4.34/modules/ssl/mod_ssl.c
@ -655,6 +656,66 @@ http://svn.apache.org/viewvc?view=revision&revision=1828792
/*
* Authentication Handler:
* Fake a Basic authentication from the X509 client certificate.
@@ -2080,31 +2230,43 @@
{
conn_rec *c;
server_rec *s;
- SSLConnRec *scr;
/* Retrieve the conn_rec and the associated SSLConnRec. */
if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
return;
}
- if ((scr = myConnConfig(c)) == NULL) {
- return;
- }
+ /* With TLS 1.3 this callback may be called multiple times on the first
+ * negotiation, so the below logic to detect renegotiations can't work.
+ * Fortunately renegotiations are forbidden starting with TLS 1.3, and
+ * this is enforced by OpenSSL so there's nothing to be done here.
+ */
+#if SSL_HAVE_PROTOCOL_TLSV1_3
+ if (SSL_version(ssl) < TLS1_3_VERSION)
+#endif
+ {
+ SSLConnRec *sslconn;
- /* If the reneg state is to reject renegotiations, check the SSL
- * state machine and move to ABORT if a Client Hello is being
- * read. */
- if (!scr->is_proxy &&
- (where & SSL_CB_HANDSHAKE_START) &&
- scr->reneg_state == RENEG_REJECT) {
- scr->reneg_state = RENEG_ABORT;
+ if ((sslconn = myConnConfig(c)) == NULL) {
+ return;
+ }
+
+ /* If the reneg state is to reject renegotiations, check the SSL
+ * state machine and move to ABORT if a Client Hello is being
+ * read. */
+ if (!sslconn->is_proxy &&
+ (where & SSL_CB_HANDSHAKE_START) &&
+ sslconn->reneg_state == RENEG_REJECT) {
+ sslconn->reneg_state = RENEG_ABORT;
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
- }
- /* If the first handshake is complete, change state to reject any
- * subsequent client-initiated renegotiation. */
- else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
- scr->reneg_state = RENEG_REJECT;
+ }
+ /* If the first handshake is complete, change state to reject any
+ * subsequent client-initiated renegotiation. */
+ else if ((where & SSL_CB_HANDSHAKE_DONE)
+ && sslconn->reneg_state == RENEG_INIT) {
+ sslconn->reneg_state = RENEG_REJECT;
+ }
}
s = mySrvFromConn(c);
--- httpd-2.4.34/modules/ssl/ssl_private.h.r1827912+
+++ httpd-2.4.34/modules/ssl/ssl_private.h
@@ -132,13 +132,14 @@
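Review bot: In the TLS 1.3 path (the `#if SSL_HAVE_PROTOCOL_TLSV1_3` guard plus the `SSL_version(ssl) < TLS1_3_VERSION` test) the whole braced block is skipped, so `sslconn->reneg_state` is never moved from RENEG_INIT to RENEG_REJECT on such a connection, and the new comment explains only why the detection is bypassed, not that the state field therefore stays at its initial value. Any other reader of `reneg_state` that treats RENEG_REJECT as "first handshake complete" would need to know this; no such reader is visible in the hunk, so it is a point to confirm rather than a defect I can show. I would extend the new comment with `* Note: reneg_state is left at RENEG_INIT for TLS 1.3 connections, so no other code should rely on it reaching RENEG_REJECT.` Separately, guarding only the `if` line with `#if/#endif` while the `{ ... }` block stays unconditional is correct but easy to misread; a short comment on the opening brace, `/* plain compound statement when TLS 1.3 support is not compiled in */`, would make the intent explicit. The enclosing callback's body begins before this hunk and continues after `s = mySrvFromConn(c);`.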


@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.34
Release: 4%{?dist}
Release: 5%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -729,6 +729,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Tue Aug 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-5
- mod_ssl: further TLSv1.3 fix (#1619389)
* Mon Aug 13 2018 Joe Orton <jorton@redhat.com> - 2.4.34-4
- mod_ssl: backport TLSv1.3 support changes from upstream (#1615059)