From b52ebeb33d4b79ff9ec399502499fc92b56a3ee1 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Aug 21 2018 07:34:34 +0000
Subject: mod_ssl: further TLSv1.3 fix (#1619389)
Resolves: rhbz#1619389
---
diff --git a/httpd-2.4.34-r1827912+.patch b/httpd-2.4.34-r1827912+.patch
index a4567a6..b4b2acc 100644
--- a/httpd-2.4.34-r1827912+.patch
+++ b/httpd-2.4.34-r1827912+.patch
@@ -9,6 +9,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1828723
 http://svn.apache.org/viewvc?view=revision&revision=1828790
 http://svn.apache.org/viewvc?view=revision&revision=1828791
 http://svn.apache.org/viewvc?view=revision&revision=1828792
+http://svn.apache.org/viewvc?view=revision&revision=1833588
 --- httpd-2.4.34/modules/ssl/mod_ssl.c.r1827912+
 +++ httpd-2.4.34/modules/ssl/mod_ssl.c
@@ -655,6 +656,66 @@ http://svn.apache.org/viewvc?view=revision&revision=1828792
 /*
 * Authentication Handler:
 * Fake a Basic authentication from the X509 client certificate.
+@@ -2080,31 +2230,43 @@
+ {
+ conn_rec *c;
+ server_rec *s;
+- SSLConnRec *scr;
+
+ /* Retrieve the conn_rec and the associated SSLConnRec. */
+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
+ return;
+ }
+
+- if ((scr = myConnConfig(c)) == NULL) {
+- return;
+- }
++ /* With TLS 1.3 this callback may be called multiple times on the first
++ * negotiation, so the below logic to detect renegotiations can't work.
++ * Fortunately renegotiations are forbidden starting with TLS 1.3, and
++ * this is enforced by OpenSSL so there's nothing to be done here.
++ */
++#if SSL_HAVE_PROTOCOL_TLSV1_3
++ if (SSL_version(ssl) < TLS1_3_VERSION)
++#endif
++ {
++ SSLConnRec *sslconn;
+
+- /* If the reneg state is to reject renegotiations, check the SSL
+- * state machine and move to ABORT if a Client Hello is being
+- * read. */
+- if (!scr->is_proxy &&
+- (where & SSL_CB_HANDSHAKE_START) &&
+- scr->reneg_state == RENEG_REJECT) {
+- scr->reneg_state = RENEG_ABORT;
++ if ((sslconn = myConnConfig(c)) == NULL) {
++ return;
++ }
++
++ /* If the reneg state is to reject renegotiations, check the SSL
++ * state machine and move to ABORT if a Client Hello is being
++ * read. */
++ if (!sslconn->is_proxy &&
++ (where & SSL_CB_HANDSHAKE_START) &&
++ sslconn->reneg_state == RENEG_REJECT) {
++ sslconn->reneg_state = RENEG_ABORT;
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
+ "rejecting client initiated renegotiation");
+- }
+- /* If the first handshake is complete, change state to reject any
+- * subsequent client-initiated renegotiation. */
+- else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
+- scr->reneg_state = RENEG_REJECT;
++ }
++ /* If the first handshake is complete, change state to reject any
++ * subsequent client-initiated renegotiation.
*/
++ else if ((where & SSL_CB_HANDSHAKE_DONE)
++ && sslconn->reneg_state == RENEG_INIT) {
++ sslconn->reneg_state = RENEG_REJECT;
++ }
+ }
+
+ s = mySrvFromConn(c);
 --- httpd-2.4.34/modules/ssl/ssl_private.h.r1827912+
 +++ httpd-2.4.34/modules/ssl/ssl_private.h
 @@ -132,13 +132,14 @@
diff --git a/httpd.spec b/httpd.spec
index d87e1c6..697b97e 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -729,6 +729,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue Aug 21 2018 Joe Orton - 2.4.34-5
+- mod_ssl: further TLSv1.3 fix (#1619389)
+
 * Mon Aug 13 2018 Joe Orton - 2.4.34-4
 - mod_ssl: backport TLSv1.3 support changes from upstream (#1615059)
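Review bot: The `if ((sslconn = myConnConfig(c)) == NULL) return;` guard has moved inside the `SSL_version(ssl) < TLS1_3_VERSION` block, so on a TLS 1.3 connection the callback no longer returns early when no SSLConnRec is attached and runs on to `s = mySrvFromConn(c);` and whatever follows; the function's signature and its tail after that line are outside the hunk, so whether anything there dereferences the connection config cannot be confirmed from here, and if it does the lookup should go back above the `#if` with its `return`. The `#if SSL_HAVE_PROTOCOL_TLSV1_3` guard around only the `if` header leaves a bare compound statement when the macro is 0, which reads as a stray block; a comment on the brace such as `{   /* always entered when built without TLS 1.3 support */` would make the intent explicit. For TLS 1.3 connections `reneg_state` now presumably stays at its initial value (RENEG_INIT, judging by the removed `else if`) rather than advancing to RENEG_REJECT after the first handshake, so any other consumer of that field outside this hunk should be checked for assuming the transition happens.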