rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

mod_ssl: fix loading keys via ENGINE API

Browse Source 
Resolves: RHEL-36755
This commit is contained in:
Joe Orton 2024-09-12 12:49:43 +01:00
parent 46fa0eee6d
commit fb547673cc
2 changed files with 72 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
httpd-2.4.62-engine-fallback.patch Normal file
View File

@ -0,0 +1,64 @@
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -806,6 +806,9 @@
return APR_SUCCESS;
}
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
+ * ENGINE implementation. */
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
apr_pool_t *ptemp,
const char *vhostid,
@@ -831,7 +834,7 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
"Init: Unrecognized private key identifier `%s'",
keyid);
- return ssl_die(s);
+ return APR_ENOTIMPL;
}
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
@@ -839,8 +842,8 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
"Init: Failed to load engine for private key %s",
keyid);
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+ return APR_ENOTIMPL;
}
if (!ENGINE_init(e)) {
@@ -996,15 +999,21 @@
X509 **pubkey, EVP_PKEY **privkey)
{
#if MODSSL_HAVE_ENGINE_API
- SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
- * support was not present compile-time, or if it's built but
- * SSLCryptoDevice is not configured. */
- if (mc->szCryptoDevice)
- return modssl_load_keypair_engine(s, pconf, ptemp,
- vhostid, certid, keyid,
- pubkey, privkey);
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
+ vhostid, certid, keyid,
+ pubkey, privkey);
+ if (rv == APR_SUCCESS) {
+ return rv;
+ }
+ /* If STORE support is not present, all errors are fatal here; if
+ * STORE is present and the ENGINE could not be loaded, ignore the
+ * error and fall through to try loading via the STORE API. */
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+ return ssl_die(s);
+ }
+
#endif
#if MODSSL_HAVE_OPENSSL_STORE
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,

9
httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
Release: 1%{?dist}
Release: 2%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -96,6 +96,8 @@ Patch100: httpd-2.4.43-enable-sslv3.patch
Patch101: httpd-2.4.48-full-release.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch102: httpd-2.4.62-r1919325.patch
# https://issues.redhat.com/browse/RHEL-36755
Patch103: httpd-2.4.62-engine-fallback.patch
# Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=...
@ -258,6 +260,7 @@ written in the Lua programming language.
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
%patch102 -p1 -b .r1919325
%patch103 -p0 -b .engine-fallback
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -819,6 +822,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Sep 12 2024 Joe Orton <jorton@redhat.com> - 2.4.62-2
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-36755
* Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix