From 9e462af294c3fbd19348dba908d304daf1b3b078 Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Feb 05 2019 12:39:17 +0000 Subject: segmentation fault fix (FIPS)
---
diff --git a/httpd-2.4.37-fips-segfault.patch b/httpd-2.4.37-fips-segfault.patch
new file mode 100644
index 0000000..6039980
--- /dev/null
+++ b/httpd-2.4.37-fips-segfault.patch
@@ -0,0 +1,42 @@
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 37947e7..b50c259 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -331,9 +331,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+ /*
+ * Try to kill the internals of the SSL library.
+ */
+-#ifdef HAVE_FIPS
+- FIPS_mode_set(0);
+-#endif
+ /* Corresponds to OBJ_create()s */
+ OBJ_cleanup();
+ /* Corresponds to OPENSSL_load_builtin_modules() */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 5063a72..21e41e2 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -183,6 +183,14 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
+ return 0;
+ }
+
++#ifdef HAVE_FIPS
++static apr_status_t ssl_fips_cleanup(void *data)
++{
++ FIPS_mode_set(0);
++ return APR_SUCCESS;
++}
++#endif
++
+ /*
+ * Per-module initialization
+ */
+@@ -316,6 +324,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ if (FIPS_mode_set(1)) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
+ "Operating in SSL FIPS mode");
++ apr_pool_cleanup_register(p, NULL, ssl_fips_cleanup,
++ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
diff --git a/httpd.spec b/httpd.spec
index 4285193..b7520a2 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.38
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
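Review bot: In the added httpd-2.4.37-fips-segfault.patch, `ssl_fips_cleanup` drops the result of `FIPS_mode_set(0)` and always returns `APR_SUCCESS`, and it carries no comment saying why the reset moved from `ssl_cleanup_pre_config` to a cleanup on pool `p`. FIPS mode is process-wide state, so the reset now runs whenever `p` is cleared and its position among the other cleanups on that pool matters; that assumption is worth writing down above the function, for example `/* Leave FIPS mode when the pool that enabled it is cleared; registered only after FIPS_mode_set(1) succeeded. */`. The condition that guards `FIPS_mode_set(1)` in `ssl_init_Module` lies outside the hunk, so whether the mode is re-entered correctly on a later configuration pass (and whether a process that was already in FIPS mode is left untouched) should be checked there.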
@@ -78,6 +78,7 @@ Patch34: httpd-2.4.17-socket-activation.patch Patch36: httpd-2.4.38-r1830819+.patch Patch38: httpd-2.4.34-sslciphdefault.patch Patch39: httpd-2.4.37-sslprotdefault.patch +Patch40: httpd-2.4.37-fips-segfault.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 @@ -229,6 +230,7 @@ interface for storing and accessing per-user session data. %patch36 -p1 -b .r1830819+ %patch38 -p1 -b .sslciphdefault %patch39 -p1 -b .sslprotdefault +%patch40 -p1 -b .fipsseg %patch58 -p1 -b .r1738878 %patch60 -p1 -b .enable-sslv3 @@ -734,6 +736,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Feb 05 2019 Lubos Uhliarik - 2.4.38-5 +- segmentation fault fix (FIPS) + * Tue Feb 5 2019 Joe Orton - 2.4.38-4 - use serverroot-relative statedir, rundir by default