diff --git a/.gitignore b/.gitignore index c3f5396..4e0c552 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ x86_64 /httpd-2.4.2.tar.bz2 /httpd-2.4.3.tar.bz2 /httpd-2.4.4.tar.bz2 +/httpd-2.4.6.tar.bz2 diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch deleted file mode 100644 index af5d2ab..0000000 --- a/httpd-2.4.2-r1374214+.patch +++ /dev/null @@ -1,45 +0,0 @@ -# ./pullrev.sh 1374214 1375445 - -http://svn.apache.org/viewvc?view=revision&revision=1374214 -http://svn.apache.org/viewvc?view=revision&revision=1375445 - ---- httpd-2.4.2/modules/ssl/ssl_engine_init.c -+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c -@@ -1381,7 +1381,7 @@ - for (n = 0; n < ncerts; n++) { - X509_INFO *inf = sk_X509_INFO_value(sk, n); - -- if (!inf->x509 || !inf->x_pkey) { -+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) { - sk_X509_INFO_free(sk); - ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) - "incomplete client cert configured for SSL proxy " -@@ -1389,6 +1389,15 @@ - ssl_die(s); - return; - } -+ -+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { -+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509, -+ APLOGNO(02326) "proxy client certificate and " -+ "private key do not match"); -+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); -+ ssl_die(s); -+ return; -+ } - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) -@@ -1401,7 +1410,11 @@ - return; - } - -- /* Load all of the CA certs and construct a chain */ -+ /* If SSLProxyMachineCertificateChainFile is configured, load all -+ * the CA certs and have OpenSSL attempt to construct a full chain -+ * from each configured end-entity cert up to a root. This will -+ * allow selection of the correct cert given a list of root CA -+ * names in the certificate request from the server. */ - pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk)); - sctx = X509_STORE_CTX_new(); - diff --git a/httpd-2.4.3-sslsninotreq.patch b/httpd-2.4.3-sslsninotreq.patch new file mode 100644 index 0000000..6e158c6 --- /dev/null +++ b/httpd-2.4.3-sslsninotreq.patch @@ -0,0 +1,83 @@ +diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c +index 15993f1..53ed6f1 100644 +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s) + mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc)); + mc->pPool = pool; + mc->bFixed = FALSE; ++ mc->sni_required = FALSE; + + /* + * initialize per-module configuration +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index bf1f0e4..a7523de 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + /* + * Configuration consistency checks + */ +- ssl_init_CheckServers(base_server, ptemp); ++ ssl_init_CheckServers(mc, base_server, ptemp); + + /* + * Announce mod_ssl and SSL library in HTTP Server field +@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s, + } + } + +-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) ++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p) + { + server_rec *s, *ps; + SSLSrvConfigRec *sc; +@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) + } + + if (conflict) { ++ mc->sni_required = TRUE; + #ifdef OPENSSL_NO_TLSEXT + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) + "Init: You should not use name-based " +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index bc9e26b..2460f01 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r) + return DECLINED; + } + #ifndef OPENSSL_NO_TLSEXT ++ if (myModConfig(r->server)->sni_required) { + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { + char *host, *scope_id; + apr_port_t port; +@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r) + " virtual host"); + return HTTP_FORBIDDEN; + } ++ } + #endif + SSL_set_app_data2(ssl, r); + +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 75fc0e3..31dbfa9 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -554,6 +554,7 @@ typedef struct { + struct { + void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; + } rCtx; ++ BOOL sni_required; + } SSLModConfigRec; + + /** Structure representing configured filenames for certs and keys for +@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); + int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); + void ssl_init_Engine(server_rec *, apr_pool_t *); + void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); +-void ssl_init_CheckServers(server_rec *, apr_pool_t *); ++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *); + STACK_OF(X509_NAME) + *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); + void ssl_init_Child(apr_pool_t *, server_rec *); diff --git a/httpd-2.4.4-cachehardmax.patch b/httpd-2.4.4-cachehardmax.patch new file mode 100644 index 0000000..de360ce --- /dev/null +++ b/httpd-2.4.4-cachehardmax.patch @@ -0,0 +1,82 @@ +diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h +index eec38f3..1a2d5ee 100644 +--- a/modules/cache/cache_util.h ++++ b/modules/cache/cache_util.h +@@ -194,6 +194,9 @@ typedef struct { + unsigned int store_nostore_set:1; + unsigned int enable_set:1; + unsigned int disable_set:1; ++ /* treat maxex as hard limit */ ++ unsigned int hardmaxex:1; ++ unsigned int hardmaxex_set:1; + } cache_dir_conf; + + /* A linked-list of authn providers. */ +diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c +index 4f2d3e0..30c88f4 100644 +--- a/modules/cache/mod_cache.c ++++ b/modules/cache/mod_cache.c +@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) + exp = date + dconf->defex; + } + } ++ /* else, forcibly cap the expiry date if required */ ++ else if (dconf->hardmaxex && (date + dconf->maxex) < exp) { ++ exp = date + dconf->maxex; ++ } ++ + info->expire = exp; + + /* We found a stale entry which wasn't really stale. */ +@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy) + + /* array of providers for this URL space */ + dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable)); +- ++ /* flag; treat maxex as hard limit */ ++ dconf->hardmaxex = 0; ++ dconf->hardmaxex_set = 0; + return dconf; + } + +@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) { + new->enable_set = add->enable_set || base->enable_set; + new->disable = (add->disable_set == 0) ? base->disable : add->disable; + new->disable_set = add->disable_set || base->disable_set; +- ++ new->hardmaxex = ++ (add->hardmaxex_set == 0) ++ ? base->hardmaxex ++ : add->hardmaxex; + return new; + } + +@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy, + } + + static const char *set_cache_maxex(cmd_parms *parms, void *dummy, +- const char *arg) ++ const char *arg, const char *hard) + { + cache_dir_conf *dconf = (cache_dir_conf *)dummy; + + dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC); + dconf->maxex_set = 1; ++ ++ if (hard && strcasecmp(hard, "hard") == 0) { ++ dconf->hardmaxex = 1; ++ dconf->hardmaxex_set = 1; ++ } ++ + return NULL; + } + +@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] = + "caching is enabled"), + AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF, + "A partial URL prefix below which caching is disabled"), +- AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF, ++ AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF, + "The maximum time in seconds to cache a document"), + AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF, + "The minimum time in seconds to cache a document"), diff --git a/httpd-2.4.4-malformed-host.patch b/httpd-2.4.4-malformed-host.patch new file mode 100644 index 0000000..57975e5 --- /dev/null +++ b/httpd-2.4.4-malformed-host.patch @@ -0,0 +1,12 @@ +diff --git a/server/protocol.c b/server/protocol.c +index e1ef204..d6d9165 100644 +--- a/server/protocol.c ++++ b/server/protocol.c +@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn) + * now read. may update status. + */ + ap_update_vhost_from_headers(r); ++ access_status = r->status; + + /* Toggle to the Host:-based vhost's timeout mode to fetch the + * request body and send the response body, if needed. diff --git a/httpd-2.4.4-mod_unique_id.patch b/httpd-2.4.4-mod_unique_id.patch new file mode 100644 index 0000000..30bdfe0 --- /dev/null +++ b/httpd-2.4.4-mod_unique_id.patch @@ -0,0 +1,239 @@ +--- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766 ++++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827 +@@ -31,14 +31,11 @@ + #include "http_log.h" + #include "http_protocol.h" /* for ap_hook_post_read_request */ + +-#if APR_HAVE_UNISTD_H +-#include /* for getpid() */ +-#endif ++#define ROOT_SIZE 10 + + typedef struct { + unsigned int stamp; +- unsigned int in_addr; +- unsigned int pid; ++ char root[ROOT_SIZE]; + unsigned short counter; + unsigned int thread_index; + } unique_id_rec; +@@ -64,20 +61,15 @@ + * gethostbyname (gethostname()) is unique across all the machines at the + * "site". + * +- * We also further assume that pids fit in 32-bits. If something uses more +- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding +- * loop to be extended. * A similar fix is needed to support multithreaded +- * servers, using a pid/tid combo. +- * +- * Together, the in_addr and pid are assumed to absolutely uniquely identify +- * this one child from all other currently running children on all servers +- * (including this physical server if it is running multiple httpds) from each ++ * The root is assumed to absolutely uniquely identify this one child ++ * from all other currently running children on all servers (including ++ * this physical server if it is running multiple httpds) from each + * other. + * +- * The stamp and counter are used to distinguish all hits for a particular +- * (in_addr,pid) pair. The stamp is updated using r->request_time, +- * saving cpu cycles. The counter is never reset, and is used to permit up to +- * 64k requests in a single second by a single child. ++ * The stamp and counter are used to distinguish all hits for a ++ * particular root. The stamp is updated using r->request_time, ++ * saving cpu cycles. The counter is never reset, and is used to ++ * permit up to 64k requests in a single second by a single child. + * + * The 144-bits of unique_id_rec are encoded using the alphabet + * [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then +@@ -92,7 +84,7 @@ + * module change. + * + * It is highly desirable that identifiers exist for "eternity". But future +- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a ++ * needs (such as much faster webservers, or moving to a + * multithreaded server) may dictate a need to change the contents of + * unique_id_rec. Such a future implementation should ensure that the first + * field is still a time_t stamp. By doing that, it is possible for a site to +@@ -100,7 +92,15 @@ + * wait one entire second, and then start all of their new-servers. This + * procedure will ensure that the new space of identifiers is completely unique + * from the old space. (Since the first four unencoded bytes always differ.) ++ * ++ * Note: previous implementations used 32-bits of IP address plus pid ++ * in place of the PRNG output in the "root" field. This was ++ * insufficient for IPv6-only hosts, required working DNS to determine ++ * a unique IP address (fragile), and needed a [0, 1) second sleep ++ * call at startup to avoid pid reuse. Use of the PRNG avoids all ++ * these issues. + */ ++ + /* + * Sun Jun 7 05:43:49 CEST 1998 -- Alvaro + * More comments: +@@ -116,8 +116,6 @@ + * htonl/ntohl. Well, this shouldn't be a problem till year 2106. + */ + +-static unsigned global_in_addr; +- + /* + * XXX: We should have a per-thread counter and not use cur_unique_id.counter + * XXX: in all threads, because this is bad for performance on multi-processor +@@ -129,7 +127,7 @@ + /* + * Number of elements in the structure unique_id_rec. + */ +-#define UNIQUE_ID_REC_MAX 5 ++#define UNIQUE_ID_REC_MAX 4 + + static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX], + unique_id_rec_size[UNIQUE_ID_REC_MAX], +@@ -138,113 +136,32 @@ + + static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server) + { +- char str[APRMAXHOSTLEN + 1]; +- apr_status_t rv; +- char *ipaddrstr; +- apr_sockaddr_t *sockaddr; +- + /* + * Calculate the sizes and offsets in cur_unique_id. + */ + unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp); + unique_id_rec_size[0] = sizeof(cur_unique_id.stamp); +- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr); +- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr); +- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid); +- unique_id_rec_size[2] = sizeof(cur_unique_id.pid); +- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter); +- unique_id_rec_size[3] = sizeof(cur_unique_id.counter); +- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index); +- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index); ++ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root); ++ unique_id_rec_size[1] = sizeof(cur_unique_id.root); ++ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter); ++ unique_id_rec_size[2] = sizeof(cur_unique_id.counter); ++ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index); ++ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index); + unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] + +- unique_id_rec_size[2] + unique_id_rec_size[3] + +- unique_id_rec_size[4]; ++ unique_id_rec_size[2] + unique_id_rec_size[3]; + + /* + * Calculate the size of the structure when encoded. + */ + unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6; + +- /* +- * Now get the global in_addr. Note that it is not sufficient to use one +- * of the addresses from the main_server, since those aren't as likely to +- * be unique as the physical address of the machine +- */ +- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) { +- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563) +- "unable to find hostname of the server"); +- return HTTP_INTERNAL_SERVER_ERROR; +- } +- +- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) { +- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr; +- } +- else { +- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564) +- "unable to find IPv4 address of \"%s\"", str); +-#if APR_HAVE_IPV6 +- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) { +- memcpy(&global_in_addr, +- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr), +- sizeof(global_in_addr)); +- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565) +- "using low-order bits of IPv6 address " +- "as if they were unique"); +- } +- else +-#endif +- return HTTP_INTERNAL_SERVER_ERROR; +- } +- +- apr_sockaddr_ip_get(&ipaddrstr, sockaddr); +- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s", +- ipaddrstr); +- +- /* +- * If the server is pummelled with restart requests we could possibly end +- * up in a situation where we're starting again during the same second +- * that has been used in previous identifiers. Avoid that situation. +- * +- * In truth, for this to actually happen not only would it have to restart +- * in the same second, but it would have to somehow get the same pids as +- * one of the other servers that was running in that second. Which would +- * mean a 64k wraparound on pids ... not very likely at all. +- * +- * But protecting against it is relatively cheap. We just sleep into the +- * next second. +- */ +- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now())); + return OK; + } + + static void unique_id_child_init(apr_pool_t *p, server_rec *s) + { +- pid_t pid; +- +- /* +- * Note that we use the pid because it's possible that on the same +- * physical machine there are multiple servers (i.e. using Listen). But +- * it's guaranteed that none of them will share the same pids between +- * children. +- * +- * XXX: for multithread this needs to use a pid/tid combo and probably +- * needs to be expanded to 32 bits +- */ +- pid = getpid(); +- cur_unique_id.pid = pid; +- +- /* +- * Test our assumption that the pid is 32-bits. It's possible that +- * 64-bit machines will declare pid_t to be 64 bits but only use 32 +- * of them. It would have been really nice to test this during +- * global_init ... but oh well. +- */ +- if ((pid_t)cur_unique_id.pid != pid) { +- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567) +- "oh no! pids are greater than 32-bits! I'm broken!"); +- } +- +- cur_unique_id.in_addr = global_in_addr; ++ ap_random_insecure_bytes(&cur_unique_id.root, ++ sizeof(cur_unique_id.root)); + + /* + * If we use 0 as the initial counter we have a little less protection +@@ -253,13 +170,6 @@ + */ + ap_random_insecure_bytes(&cur_unique_id.counter, + sizeof(cur_unique_id.counter)); +- +- /* +- * We must always use network ordering for these bytes, so that +- * identifiers are comparable between machines of different byte +- * orderings. Note in_addr is already in network order. +- */ +- cur_unique_id.pid = htonl(cur_unique_id.pid); + } + + /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two +@@ -291,10 +201,8 @@ + unsigned short counter; + int i,j,k; + +- new_unique_id.in_addr = cur_unique_id.in_addr; +- new_unique_id.pid = cur_unique_id.pid; ++ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE); + new_unique_id.counter = cur_unique_id.counter; +- + new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time)); + new_unique_id.thread_index = htonl((unsigned int)r->connection->id); + diff --git a/httpd-2.4.6-r1332643+.patch b/httpd-2.4.6-r1332643+.patch new file mode 100644 index 0000000..d2e5565 --- /dev/null +++ b/httpd-2.4.6-r1332643+.patch @@ -0,0 +1,313 @@ +# ./pullrev.sh 1332643 1345599 1487772 + +https://bugzilla.redhat.com//show_bug.cgi?id=809599 + +http://svn.apache.org/viewvc?view=revision&revision=1332643 +http://svn.apache.org/viewvc?view=revision&revision=1345599 +http://svn.apache.org/viewvc?view=revision&revision=1487772 + +--- httpd-2.4.6/modules/ssl/mod_ssl.c.r1332643+ ++++ httpd-2.4.6/modules/ssl/mod_ssl.c +@@ -413,6 +413,37 @@ int ssl_engine_disable(conn_rec *c) + return 1; + } + ++static int modssl_register_npn(conn_rec *c, ++ ssl_npn_advertise_protos advertisefn, ++ ssl_npn_proto_negotiated negotiatedfn) ++{ ++#ifdef HAVE_TLS_NPN ++ SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (!sslconn) { ++ return DECLINED; ++ } ++ ++ if (!sslconn->npn_advertfns) { ++ sslconn->npn_advertfns = ++ apr_array_make(c->pool, 5, sizeof(ssl_npn_advertise_protos)); ++ sslconn->npn_negofns = ++ apr_array_make(c->pool, 5, sizeof(ssl_npn_proto_negotiated)); ++ } ++ ++ if (advertisefn) ++ APR_ARRAY_PUSH(sslconn->npn_advertfns, ssl_npn_advertise_protos) = ++ advertisefn; ++ if (negotiatedfn) ++ APR_ARRAY_PUSH(sslconn->npn_negofns, ssl_npn_proto_negotiated) = ++ negotiatedfn; ++ ++ return OK; ++#else ++ return DECLINED; ++#endif ++} ++ + int ssl_init_ssl_connection(conn_rec *c, request_rec *r) + { + SSLSrvConfigRec *sc; +@@ -584,6 +615,7 @@ static void ssl_register_hooks(apr_pool_ + + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); ++ APR_REGISTER_OPTIONAL_FN(modssl_register_npn); + + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl", + AUTHZ_PROVIDER_VERSION, +--- httpd-2.4.6/modules/ssl/mod_ssl.h.r1332643+ ++++ httpd-2.4.6/modules/ssl/mod_ssl.h +@@ -63,5 +63,40 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e + + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + ++/** The npn_advertise_protos callback allows another modules to add ++ * entries to the list of protocol names advertised by the server ++ * during the Next Protocol Negotiation (NPN) portion of the SSL ++ * handshake. The callback is given the connection and an APR array; ++ * it should push one or more char*'s pointing to NUL-terminated ++ * strings (such as "http/1.1" or "spdy/2") onto the array and return ++ * OK. To prevent further processing of (other modules') callbacks, ++ * return DONE. */ ++typedef int (*ssl_npn_advertise_protos)(conn_rec *connection, ++ apr_array_header_t *protos); ++ ++/** The npn_proto_negotiated callback allows other modules to discover ++ * the name of the protocol that was chosen during the Next Protocol ++ * Negotiation (NPN) portion of the SSL handshake. Note that this may ++ * be the empty string (in which case modules should probably assume ++ * HTTP), or it may be a protocol that was never even advertised by ++ * the server. The callback is given the connection, a ++ * non-NUL-terminated string containing the protocol name, and the ++ * length of the string; it should do something appropriate ++ * (i.e. insert or remove filters) and return OK. To prevent further ++ * processing of (other modules') callbacks, return DONE. */ ++typedef int (*ssl_npn_proto_negotiated)(conn_rec *connection, ++ const char *proto_name, ++ apr_size_t proto_name_len); ++ ++/* An optional function which can be used to register a pair of ++ * callbacks for NPN handling. This optional function should be ++ * invoked from a pre_connection hook which runs *after* mod_ssl.c's ++ * pre_connection hook. The function returns OK if the callbacks are ++ * register, or DECLINED otherwise (for example if mod_ssl does not ++l * support NPN). */ ++APR_DECLARE_OPTIONAL_FN(int, modssl_register_npn, (conn_rec *conn, ++ ssl_npn_advertise_protos advertisefn, ++ ssl_npn_proto_negotiated negotiatedfn)); ++ + #endif /* __MOD_SSL_H__ */ + /** @} */ +--- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1332643+ ++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c +@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve + #endif + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); ++ ++#ifdef HAVE_TLS_NPN ++ SSL_CTX_set_next_protos_advertised_cb( ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); ++#endif + } + + static void ssl_init_ctx_verify(server_rec *s, +--- httpd-2.4.6/modules/ssl/ssl_engine_io.c.r1332643+ ++++ httpd-2.4.6/modules/ssl/ssl_engine_io.c +@@ -297,6 +297,7 @@ typedef struct { + apr_pool_t *pool; + char buffer[AP_IOBUFSIZE]; + ssl_filter_ctx_t *filter_ctx; ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ + } bio_filter_in_ctx_t; + + /* +@@ -1400,6 +1401,37 @@ static apr_status_t ssl_io_filter_input( + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + ++#ifdef HAVE_TLS_NPN ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if ++ * our version of OpenSSL supports it). If we haven't already, find out ++ * which protocol was decided upon and inform other modules by calling ++ * npn_proto_negotiated_hook. */ ++ if (!inctx->npn_finished) { ++ SSLConnRec *sslconn = myConnConfig(f->c); ++ const unsigned char *next_proto = NULL; ++ unsigned next_proto_len = 0; ++ int n; ++ ++ if (sslconn->npn_negofns) { ++ SSL_get0_next_proto_negotiated( ++ inctx->ssl, &next_proto, &next_proto_len); ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, ++ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'", ++ next_proto_len, (const char*)next_proto); ++ ++ for (n = 0; n < sslconn->npn_negofns->nelts; n++) { ++ ssl_npn_proto_negotiated fn = ++ APR_ARRAY_IDX(sslconn->npn_negofns, n, ssl_npn_proto_negotiated); ++ ++ if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE) ++ break; ++ } ++ } ++ ++ inctx->npn_finished = 1; ++ } ++#endif ++ + return APR_SUCCESS; + } + +@@ -1881,6 +1913,7 @@ static void ssl_io_input_add_filter(ssl_ + inctx->block = APR_BLOCK_READ; + inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; ++ inctx->npn_finished = 0; + } + + /* The request_rec pointer is passed in here only to ensure that the +--- httpd-2.4.6/modules/ssl/ssl_engine_kernel.c.r1332643+ ++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c +@@ -2161,6 +2161,97 @@ int ssl_callback_SessionTicket(SSL *ssl, + } + #endif /* HAVE_TLS_SESSION_TICKETS */ + ++#ifdef HAVE_TLS_NPN ++/* ++ * This callback function is executed when SSL needs to decide what protocols ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a ++ * string in wire format -- a sequence of length-prefixed strings -- indicating ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb ++ * in OpenSSL for reference. ++ */ ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, ++ unsigned int *size_out, void *arg) ++{ ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); ++ SSLConnRec *sslconn = myConnConfig(c); ++ apr_array_header_t *protos; ++ int num_protos; ++ unsigned int size; ++ int i; ++ unsigned char *data; ++ unsigned char *start; ++ ++ *data_out = NULL; ++ *size_out = 0; ++ ++ /* If the connection object is not available, or there are no NPN ++ * hooks registered, then there's nothing for us to do. */ ++ if (c == NULL || sslconn->npn_advertfns == NULL) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to ++ * add alternate protocol names to advertise. */ ++ protos = apr_array_make(c->pool, 0, sizeof(char *)); ++ for (i = 0; i < sslconn->npn_advertfns->nelts; i++) { ++ ssl_npn_advertise_protos fn = ++ APR_ARRAY_IDX(sslconn->npn_advertfns, i, ssl_npn_advertise_protos); ++ ++ if (fn(c, protos) == DONE) ++ break; ++ } ++ num_protos = protos->nelts; ++ ++ /* We now have a list of null-terminated strings; we need to concatenate ++ * them together into a single string, where each protocol name is prefixed ++ * by its length. First, calculate how long that string will be. */ ++ size = 0; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ unsigned int length = strlen(string); ++ /* If the protocol name is too long (the length must fit in one byte), ++ * then log an error and skip it. */ ++ if (length > 255) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307) ++ "SSL NPN protocol name too long (length=%u): %s", ++ length, string); ++ continue; ++ } ++ /* Leave room for the length prefix (one byte) plus the protocol name ++ * itself. */ ++ size += 1 + length; ++ } ++ ++ /* If there is nothing to advertise (either because no modules added ++ * anything to the protos array, or because all strings added to the array ++ * were skipped), then we're done. */ ++ if (size == 0) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Now we can build the string. Copy each protocol name string into the ++ * larger string, prefixed by its length. */ ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); ++ start = data; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ apr_size_t length = strlen(string); ++ if (length > 255) ++ continue; ++ *start = (unsigned char)length; ++ ++start; ++ memcpy(start, string, length * sizeof(unsigned char)); ++ start += length; ++ } ++ ++ /* Success. */ ++ *data_out = data; ++ *size_out = size; ++ return SSL_TLSEXT_ERR_OK; ++} ++ ++#endif /* HAVE_TLS_NPN */ ++ + #ifndef OPENSSL_NO_SRP + + int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) +--- httpd-2.4.6/modules/ssl/ssl_private.h.r1332643+ ++++ httpd-2.4.6/modules/ssl/ssl_private.h +@@ -98,6 +98,8 @@ + #include + #include + ++#include "mod_ssl.h" ++ + /* Avoid tripping over an engine build installed globally and detected + * when the user points at an explicit non-engine flavor of OpenSSL + */ +@@ -139,6 +141,11 @@ + #define HAVE_FIPS + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ ++ && !defined(OPENSSL_NO_TLSEXT) ++#define HAVE_TLS_NPN ++#endif ++ + #if (OPENSSL_VERSION_NUMBER >= 0x10000000) + #define MODSSL_SSL_CIPHER_CONST const + #define MODSSL_SSL_METHOD_CONST const +@@ -487,6 +494,12 @@ typedef struct { + * connection */ + } reneg_state; + ++#ifdef HAVE_TLS_NPN ++ /* Poor man's inter-module optional hooks for NPN. */ ++ apr_array_header_t *npn_advertfns; /* list of ssl_npn_advertise_protos callbacks */ ++ apr_array_header_t *npn_negofns; /* list of ssl_npn_proto_negotiated callbacks. */ ++#endif ++ + server_rec *server; + } SSLConnRec; + +@@ -842,6 +855,7 @@ int ssl_callback_ServerNameIndi + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, HMAC_CTX *, int); + #endif ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); + + /** Session Cache Support */ + void ssl_scache_init(server_rec *, apr_pool_t *); diff --git a/httpd-2.4.6-sslmultiproxy.patch b/httpd-2.4.6-sslmultiproxy.patch new file mode 100644 index 0000000..f8a3b4b --- /dev/null +++ b/httpd-2.4.6-sslmultiproxy.patch @@ -0,0 +1,94 @@ + +Ugly hack to enable mod_ssl and mod_nss to "share" hooks. + +--- httpd-2.4.6/modules/ssl/mod_ssl.c.sslmultiproxy ++++ httpd-2.4.6/modules/ssl/mod_ssl.c +@@ -369,6 +369,9 @@ static SSLConnRec *ssl_init_connection_c + return sslconn; + } + ++static typeof(ssl_proxy_enable) *othermod_proxy_enable; ++static typeof(ssl_engine_disable) *othermod_engine_disable; ++ + int ssl_proxy_enable(conn_rec *c) + { + SSLSrvConfigRec *sc; +@@ -377,6 +380,12 @@ int ssl_proxy_enable(conn_rec *c) + sc = mySrvConfig(sslconn->server); + + if (!sc->proxy_enabled) { ++ if (othermod_proxy_enable) { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "mod_ssl proxy not configured, passing through to other module."); ++ return othermod_proxy_enable(c); ++ } ++ + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961) + "SSL Proxy requested for %s but not enabled " + "[Hint: SSLProxyEngine]", sc->vhost_id); +@@ -396,6 +405,10 @@ int ssl_engine_disable(conn_rec *c) + + SSLConnRec *sslconn = myConnConfig(c); + ++ if (othermod_engine_disable) { ++ othermod_engine_disable(c); ++ } ++ + if (sslconn) { + sc = mySrvConfig(sslconn->server); + } +@@ -612,6 +625,9 @@ static void ssl_register_hooks(apr_pool_ + ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE); + + ssl_var_register(p); ++ ++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); ++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); + + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); +--- httpd-2.4.6/modules/ssl/ssl_engine_vars.c.sslmultiproxy ++++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c +@@ -53,10 +53,15 @@ static void ssl_var_lookup_ssl_cipher_b + static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); + static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); + ++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; ++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; ++ + static int ssl_is_https(conn_rec *c) + { + SSLConnRec *sslconn = myConnConfig(c); +- return sslconn && sslconn->ssl; ++ ++ return (sslconn && sslconn->ssl) ++ || (othermod_is_https && othermod_is_https(c)); + } + + static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION; +@@ -106,6 +111,9 @@ void ssl_var_register(apr_pool_t *p) + { + char *cp, *cp2; + ++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); ++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); ++ + APR_REGISTER_OPTIONAL_FN(ssl_is_https); + APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + APR_REGISTER_OPTIONAL_FN(ssl_ext_list); +@@ -241,6 +249,15 @@ char *ssl_var_lookup(apr_pool_t *p, serv + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) ++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { ++ /* For an SSL_* variable, if mod_ssl is not enabled for ++ * this connection and another SSL module is present, pass ++ * through to that module. */ ++ return othermod_var_lookup(p, s, c, r, var); ++ } ++ + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = ssl_var_lookup_ssl(p, c, r, var+4); diff --git a/httpd.spec b/httpd.spec index 5fe5fcf..3ee0f9f 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,8 +13,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.4 -Release: 3%{?dist} +Version: 2.4.6 +Release: 2%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -57,13 +57,14 @@ Patch24: httpd-2.4.1-corelimit.patch Patch25: httpd-2.4.1-selinux.patch Patch26: httpd-2.4.4-r1337344+.patch Patch27: httpd-2.4.2-icons.patch -Patch28: httpd-2.4.4-r1332643+.patch +Patch28: httpd-2.4.6-r1332643+.patch Patch29: httpd-2.4.3-mod_systemd.patch +Patch30: httpd-2.4.4-cachehardmax.patch +Patch31: httpd-2.4.6-sslmultiproxy.patch # Bug fixes -Patch50: httpd-2.4.2-r1374214+.patch -Patch51: httpd-2.4.4-r1476674.patch -Patch52: httpd-2.4.4-mod_cache-tmppath.patch -Patch53: httpd-2.4.4-dump-vhost-twice.patch +Patch51: httpd-2.4.3-sslsninotreq.patch +Patch55: httpd-2.4.4-malformed-host.patch +Patch56: httpd-2.4.4-mod_unique_id.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -183,11 +184,12 @@ interface for storing and accessing per-user session data. %patch27 -p1 -b .icons %patch28 -p1 -b .r1332643+ %patch29 -p1 -b .systemd +%patch30 -p1 -b .cachehardmax +%patch31 -p1 -b .sslmultiproxy -%patch50 -p1 -b .r1374214+ -%patch51 -p1 -b .r1476674 -%patch52 -p1 -b .tmppath -%patch53 -p1 -b .dumpvhost +%patch51 -p1 -b .sninotreq +%patch55 -p1 -b .malformedhost +%patch56 -p1 -b .uniqueid # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -409,8 +411,8 @@ rm -vf \ $RPM_BUILD_ROOT/etc/httpd/conf/mime.types \ $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.exp \ $RPM_BUILD_ROOT%{_libdir}/httpd/build/config.nice \ - $RPM_BUILD_ROOT%{_bindir}/ap?-config \ - $RPM_BUILD_ROOT%{_sbindir}/{checkgid,dbmmanage,envvars*} \ + $RPM_BUILD_ROOT%{_bindir}/{ap?-config,dbmmanage} \ + $RPM_BUILD_ROOT%{_sbindir}/{checkgid,envvars*} \ $RPM_BUILD_ROOT%{contentdir}/htdocs/* \ $RPM_BUILD_ROOT%{_mandir}/man1/dbmmanage.* \ $RPM_BUILD_ROOT%{contentdir}/cgi-bin/* @@ -568,6 +570,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/* %doc LICENSE NOTICE %exclude %{_bindir}/apxs +%exclude %{_mandir}/man1/apxs.1* %files manual %defattr(-,root,root) @@ -610,6 +613,29 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Wed Jul 31 2013 Jan Kaluza - 2.4.6-2 +- revert fix for dumping vhosts twice + +* Mon Jul 22 2013 Joe Orton - 2.4.6-1 +- update to 2.4.6 +- mod_ssl: use revised NPN API (r1487772) + +* Thu Jul 11 2013 Jan Kaluza - 2.4.4-12 +- mod_unique_id: replace use of hostname + pid with PRNG output (#976666) +- apxs: mention -p option in manpage + +* Tue Jul 2 2013 Joe Orton - 2.4.4-11 +- add patch for aarch64 (Dennis Gilmore, #925558) + +* Mon Jul 1 2013 Joe Orton - 2.4.4-10 +- remove duplicate apxs man page from httpd-tools + +* Mon Jun 17 2013 Joe Orton - 2.4.4-9 +- remove zombie dbmmanage script + +* Fri May 31 2013 Jan Kaluza - 2.4.4-8 +- return 400 Bad Request on malformed Host header + * Fri May 17 2013 Jan Kaluza - 2.4.4-3 - fix service file to not send SIGTERM after ExecStop (#906321, #912288) - execute systemctl reload as result of apachectl graceful diff --git a/sources b/sources index a228990..35e4d06 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0e712ee2119cd798c8ae39d5f11a9206 httpd-2.4.4.tar.bz2 +ea5e361ca37b8d7853404419dd502efe httpd-2.4.6.tar.bz2