rpms/mod_auth_gssapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

crypto: Handle EVP changes in OpenSSL 3

Browse Source 
Resolves: #1992648
This commit is contained in:
Robbie Harwood 2021-08-25 12:14:09 +00:00
parent e6eeb1ed7d
commit 8bd9af7b3e
2 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
crypto-Handle-EVP-changes-in-OpenSSL-3.patch Normal file
View File

@ -0,0 +1,36 @@
From 74fd6dc6c3ba65e48c625d4724878721c46a5e6f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 24 Aug 2021 15:04:13 -0400
Subject: [PATCH] crypto: Handle EVP changes in OpenSSL 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
causes our decryption to fail. It is the opnion of the OpenSSL
developers that mod_auth_gssapi's use of this function was incorrect.
Patch suggested by Tomáš Mráz.
Related: https://github.com/openssl/openssl/issues/16351
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 06d1f7d36d2455747e6e8231d28e6524ea1181f1)
(cherry picked from commit 915a3d7fca3beefadd751562abe2d481354a2a9c)
---
src/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/crypto.c b/src/crypto.c
index 3f372a0..b3f7fd9 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
totlen += outlen;
outlen = plain->length - totlen;
- ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen);
+ ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen);
if (ret == 0) goto done;
totlen += outlen;

10
mod_auth_gssapi.spec
View File

@ -1,6 +1,6 @@
Name: mod_auth_gssapi Name: mod_auth_gssapi
Version: 1.6.3 Version: 1.6.3
Release: 6%{?dist} Release: 7%{?dist}
Summary: A GSSAPI Authentication module for Apache Summary: A GSSAPI Authentication module for Apache
License: MIT License: MIT
@ -13,6 +13,8 @@ BuildRequires: git
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
Requires: krb5-libs >= 1.11.5 Requires: krb5-libs >= 1.11.5
Patch0: crypto-Handle-EVP-changes-in-OpenSSL-3.patch
# If you're reading this: NTLM is insecure. Migrate off it. # If you're reading this: NTLM is insecure. Migrate off it.
%if 0%{?rhel} %if 0%{?rhel}
%else %else
@ -24,7 +26,7 @@ The mod_auth_gssapi module is an authentication service that implements the
SPNEGO based HTTP Authentication protocol defined in RFC4559. SPNEGO based HTTP Authentication protocol defined in RFC4559.
%prep %prep
%autosetup -S git %autosetup -S git_am
%build %build
export APXS=%{_httpd_apxs} export APXS=%{_httpd_apxs}
@ -49,6 +51,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so %{_httpd_moddir}/mod_auth_gssapi.so
%changelog %changelog
* Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.6.3-7
- crypto: Handle EVP changes in OpenSSL 3
- Resolves: #1992648
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-6 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.3-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688