Accepting request 207095 from home:elvigia:branches:Apache

- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes mod_ssl-2.4.x-ekh.diff this new patch is the final form of the rework, merged for 2.4.7. OBS-URL: https://build.opensuse.org/request/show/207095 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=398
2013-11-16 01:22:18 +00:00 · 2013-11-16 01:22:18 +00:00 · 8ac24cac75
commit 8ac24cac75
parent 738fecb393
3 changed files with 118 additions and 79 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org
+
+- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
+ mod_ssl-2.4.x-ekh.diff this new patch is the final
+  form of the rework, merged for 2.4.7.
+
 -------------------------------------------------------------------
 Mon Nov  4 20:55:52 UTC 2013 - freek@opensuse.org

--- a/apache2.spec
+++ b/apache2.spec
@ -163,7 +163,7 @@ Patch70:        apache2-implicit-pointer-decl.patch
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch110:       http://people.apache.org/~minfrin/httpd-event-ssl.patch
 Patch111:       httpd-visibility.patch
-Patch112:       mod_ssl-2.4.x-ekh.diff
+Patch112:       httpd-mod_ssl_ephemeralkeyhandling.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.2
@ -387,7 +387,7 @@ to administrators of web servers in general.
 %patch109 -p1
 %patch110 
 %patch111 -p1
-%patch112
+%patch112 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})
--- a/httpd-mod_ssl_ephemeralkeyhandling.patch
+++ b/httpd-mod_ssl_ephemeralkeyhandling.patch
@ -1,55 +1,87 @@
-[Note: when committing, ssl_engine_dh.c needs to be svn rm'ed,
-and the following text is meant for the commit message]
+commit 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc
+Author: Jim Jagielski <jim@apache.org>
+Date:   Fri Nov 15 17:06:18 2013 +0000

-backport r1526168, r1527291, r1527294, r1527295 and r1527926 from trunk
+    Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
    
-Submitted by: kbrand
-Reviewed by: 
+    Streamline ephemeral key handling:
    
-Streamline and improve ephemeral key handling:
-
- drop support for ephemeral RSA keys (only allowed/needed
+    - drop support for ephemeral RSA keys (only allowed/needed
      for export ciphers)
    
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
+    - drop pTmpKeys from the per-process SSLModConfigRec, and remove
      the temp key generation at startup (unnecessary for DHE/ECDHE)
    
- unconditionally disable null and export-grade ciphers by always
+    - unconditionally disable null and export-grade ciphers by always
      prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
    
- do not configure per-connection SSL_tmp_*_callbacks, as it is
+    - do not configure per-connection SSL_tmp_*_callbacks, as it is
      sufficient to set them for the SSL_CTX
    
- set default curve for ECDHE at startup, obviating the need
+    - set default curve for ECDHE at startup, obviating the need
      for a per-handshake callback, for the time being (and also
      configure SSL_OP_SINGLE_ECDH_USE, previously left out)
    
- increase minimum required OpenSSL version to 0.9.8a, as we
-  now rely on the get_rfcX_prime_Y functions from <openssl/bn.h>
+    For additional background, see
+    https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
    
- in ssl_private.h, regroup definitions based on whether
+    
+    Follow-up fixes for r1526168:
+    
+    - drop SSL_TMP_KEY_* constants from ssl_private.h, too
+    
+    - make sure we also disable aNULL, eNULL and EXP ciphers
+      for per-directory SSLCipherSuite directives
+    
+    - apply the same treatment to SSLProxyCipherSuite
+    
+    
+    Increase minimum required OpenSSL version to 0.9.8a (in preparation
+    for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
+    functions added in that release):
+    
+    - remove obsolete #defines / macros
+    
+    - in ssl_private.h, regroup definitions based on whether
      they depend on TLS extension support or not
    
- for ECC and SRP support, set HAVE_X and change the rather awkward
+    - for ECC and SRP support, set HAVE_X and change the rather awkward
      #ifndef OPENSSL_NO_X lines accordingly
    
- allow to configure custom DHE or ECDHE parameters via the
+    For the discussion prior to taking this step, see
+    https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
+    
+    
+    Improve ephemeral key handling (companion to r1526168):
+    
+    - allow to configure custom DHE or ECDHE parameters via the
      SSLCertificateFile directive, and adapt its documentation
      accordingly (addresses PR 49559)
    
- add standardized DH parameters from RFCs 2409 and 3526,
+    - add standardized DH parameters from RFCs 2409 and 3526,
      use them based on the length of the certificate's RSA/DSA key,
      and add a FAQ entry for clients which limit DH support
      to 1024 bits (such as Java 7 and earlier)
    
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
+    - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
      ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
    
- drop ssl_engine_dh.c from mod_ssl
+    - drop ssl_engine_dh.c from mod_ssl
+    
+    For the standardized DH parameters, OpenSSL version 0.9.8a
+    or later is required, which was therefore made a new minimum
+    requirement in r1527294.
    
    
--- LAYOUT.orig
-+++ LAYOUT
+    PR 55616 (add missing APLOGNO), part 2
+    Submitted by: kbrand
+    Reviewed/backported by: jim
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
+
+--- httpd-2.4.6.orig/LAYOUT
+++ httpd-2.4.6/LAYOUT
@@ -108,7 +108,6 @@ modules/ ................ Manditory and
     mod_ssl.c ............... main source file containing API structures
     mod_ssl.h ............... common header file of mod_ssl
@ -58,8 +90,8 @@ Streamline and improve ephemeral key handling:
     ssl_engine_init.c ....... module initialization
     ssl_engine_io.c ......... I/O support
     ssl_engine_kernel.c ..... SSL engine kernel
--- modules/ssl/config.m4.orig
-+++ modules/ssl/config.m4
+--- httpd-2.4.6.orig/modules/ssl/config.m4
+++ httpd-2.4.6/modules/ssl/config.m4
@@ -20,7 +20,6 @@ dnl #  list of module object files
 ssl_objs="dnl
 mod_ssl.lo dnl
@ -68,8 +100,8 @@ Streamline and improve ephemeral key handling:
 ssl_engine_init.lo dnl
 ssl_engine_io.lo dnl
 ssl_engine_kernel.lo dnl
--- modules/ssl/mod_ssl.c.orig
-+++ modules/ssl/mod_ssl.c
+--- httpd-2.4.6.orig/modules/ssl/mod_ssl.c
+++ httpd-2.4.6/modules/ssl/mod_ssl.c
@@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
                 "Strict SNI virtual host checking")
@ -95,8 +127,8 @@ Streamline and improve ephemeral key handling:
     SSL_set_verify_result(ssl, X509_V_OK);
 
     ssl_io_filter_init(c, r, ssl);
--- modules/ssl/mod_ssl.dsp.orig
-+++ modules/ssl/mod_ssl.dsp
+--- httpd-2.4.6.orig/modules/ssl/mod_ssl.dsp
+++ httpd-2.4.6/modules/ssl/mod_ssl.dsp
@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c
 # End Source File
 # Begin Source File
@ -108,8 +140,8 @@ Streamline and improve ephemeral key handling:
 SOURCE=.\ssl_engine_init.c
 # End Source File
 # Begin Source File
--- modules/ssl/ssl_engine_config.c.orig
-+++ modules/ssl/ssl_engine_config.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
@@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat
     mc->stapling_mutex         = NULL;
 #endif
@ -202,7 +234,7 @@ Streamline and improve ephemeral key handling:
 
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
--- modules/ssl/ssl_engine_dh.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c
 +++ /dev/null
@@ -1,244 +0,0 @@
 -#if 0
@ -449,8 +481,8 @@ Streamline and improve ephemeral key handling:
 -
 -=pod
 -*/
--- modules/ssl/ssl_engine_init.c.orig
-+++ modules/ssl/ssl_engine_init.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
@@ -35,7 +35,7 @@
 **  _________________________________________________________________
 */
@ -900,8 +932,8 @@ Streamline and improve ephemeral key handling:
      * Free the non-pool allocated structures
      * in the per-server configurations
      */
--- modules/ssl/ssl_engine_io.c.orig
-+++ modules/ssl/ssl_engine_io.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_io.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_io.c
@@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh
 
     server = sslconn->server;
@ -920,8 +952,8 @@ Streamline and improve ephemeral key handling:
         /*
          * Enable SNI for backend requests. Make sure we don't do it for
          * pure SSLv3 connections, and also prevent IP addresses
--- modules/ssl/ssl_engine_kernel.c.orig
-+++ modules/ssl/ssl_engine_kernel.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_kernel.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
@@ -32,7 +32,7 @@
 #include "util_md5.h"
 
@ -1186,8 +1218,8 @@ Streamline and improve ephemeral key handling:
 
 -#endif /* OPENSSL_NO_SRP */
 +#endif /* HAVE_SRP */
--- modules/ssl/ssl_engine_pphrase.c.orig
-+++ modules/ssl/ssl_engine_pphrase.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_pphrase.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c
@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
                                  "Init: Failed to create pass phrase pipe '%s'",
@ -1215,8 +1247,8 @@ Streamline and improve ephemeral key handling:
                 memset(buf, 0, (unsigned int)bufsize);
                 return (-1);
             }
--- modules/ssl/ssl_engine_vars.c.orig
-+++ modules/ssl/ssl_engine_vars.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_engine_vars.c
+++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c
@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool
     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
         result = ssl_var_lookup_ssl_compress_meth(ssl);
@ -1253,8 +1285,8 @@ Streamline and improve ephemeral key handling:
     SSL_SESSION *pSession = SSL_get_session(ssl);
 
     if (pSession) {
--- modules/ssl/ssl_private.h.orig
-+++ modules/ssl/ssl_private.h
+--- httpd-2.4.6.orig/modules/ssl/ssl_private.h
+++ httpd-2.4.6/modules/ssl/ssl_private.h
@@ -105,65 +105,55 @@
 #include <openssl/engine.h>
 #endif
@ -1504,8 +1536,8 @@ Streamline and improve ephemeral key handling:
 
 unsigned char *ssl_asn1_table_set(apr_hash_t *table,
                                   const char *key,
--- modules/ssl/ssl_scache.c.orig
-+++ modules/ssl/ssl_scache.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_scache.c
+++ httpd-2.4.6/modules/ssl/ssl_scache.c
@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_
     SSLModConfigRec *mc = myModConfig(s);
     unsigned char dest[SSL_SESSION_MAX_DER];
@ -1515,8 +1547,8 @@ Streamline and improve ephemeral key handling:
     apr_status_t rv;
 
     if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
--- modules/ssl/ssl_util.c.orig
-+++ modules/ssl/ssl_util.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_util.c
+++ httpd-2.4.6/modules/ssl/ssl_util.c
@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
             case EVP_PKEY_DSA:
                 t = SSL_ALGO_DSA;
@ -1544,8 +1576,8 @@ Streamline and improve ephemeral key handling:
 static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
 #else
 static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
--- modules/ssl/ssl_util_ssl.c.orig
-+++ modules/ssl/ssl_util_ssl.c
+--- httpd-2.4.6.orig/modules/ssl/ssl_util_ssl.c
+++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c
@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
 
 /*  _________________________________________________________________