mod_ssl: fix loading encrypted privkeys with OpenSSL 3.0 (#1976080)

Resolves: rhbz#1976080 Add rpminspect waivers.
2021-06-25 14:51:09 +01:00 · 2021-06-25 14:51:09 +01:00 · f4d5942464
commit f4d5942464
parent c476545bd9
3 changed files with 44 additions and 1 deletions
--- a/httpd-2.4.48-sslprivkey.patch
+++ b/httpd-2.4.48-sslprivkey.patch
@ -0,0 +1,32 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1976080
+
+--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.sslprivkey
+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
+@@ -1307,6 +1307,16 @@
+    return 0;
+ }
+ 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY))
+#else
+/* Check for the errors from X509_check_private_key() */
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509            \
+                                 || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
+                                     && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
+                                     && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
+#endif
+
+ static apr_status_t ssl_init_server_certs(server_rec *s,
+                                           apr_pool_t *p,
+                                           apr_pool_t *ptemp,
+@@ -1412,8 +1422,7 @@
+         }
+         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
+                                               SSL_FILETYPE_PEM) < 1)
+-                 && (ERR_GET_FUNC(ERR_peek_last_error())
+-                     != X509_F_X509_CHECK_PRIVATE_KEY)) {
+                 && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
+             ssl_asn1_t *asn1;
+             const unsigned char *ptr;
+ 
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.48
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -96,6 +96,7 @@ Patch48: httpd-2.4.46-freebind.patch
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
 Patch62: httpd-2.4.48-r1876934.patch
+Patch63: httpd-2.4.48-sslprivkey.patch

 # Security fixes

@ -248,6 +249,7 @@ written in the Lua programming language.
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
 %patch62 -p1 -b .r1876934
+%patch63 -p1 -b .sslprivkey

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -789,6 +791,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-5
+- mod_ssl: fix loading encrypted privkeys with OpenSSL 3.0 (#1976080)
+
 * Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-4
 - add OpenSSL v3 compatibility fixes (#1975201)

--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,6 @@
+---
+badfuncs:
+  # mod_proxy uses inet_ntoa (safely) for IPv4 address matching,
+  # and APR interfaces for IPv6 addresses.
+  ignore:
+    - /usr/lib*/httpd/modules/mod_proxy.so