Accepting request 342583 from home:elvigia:branches:Apache
- 2.4.17-protocols.patch from upstream http2 module: * master conn_rec* addition to conn_rec * improved ALPN and Upgrade handling * allowing requests for servers whose TLS configuration is compatible to the SNI server ones * disabling TLS renegotiation for slave connections OBS-URL: https://build.opensuse.org/request/show/342583 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=465
This commit is contained in:
parent
225f5532b5
commit
a0baaeb8ec
819
2.4.17-protocols.patch
Normal file
819
2.4.17-protocols.patch
Normal file
@ -0,0 +1,819 @@
|
||||
--- include/httpd.h.orig
|
||||
+++ include/httpd.h
|
||||
@@ -1167,6 +1167,9 @@ struct conn_rec {
|
||||
#if APR_HAS_THREADS
|
||||
apr_thread_t *current_thread;
|
||||
#endif
|
||||
+
|
||||
+ /** The "real" master connection. NULL if I am the master. */
|
||||
+ conn_rec *master;
|
||||
};
|
||||
|
||||
/**
|
||||
--- include/http_protocol.h.orig
|
||||
+++ include/http_protocol.h
|
||||
@@ -782,7 +782,27 @@ AP_DECLARE_HOOK(int,protocol_switch,(con
|
||||
* @return The identifier of the protocol in place or NULL
|
||||
*/
|
||||
AP_DECLARE_HOOK(const char *,protocol_get,(const conn_rec *c))
|
||||
-
|
||||
+
|
||||
+/**
|
||||
+ * Get the protocols that the connection and optional request may
|
||||
+ * upgrade to - besides the protocol currently active on the connection. These
|
||||
+ * values may be used to announce to a client what choices it has.
|
||||
+ *
|
||||
+ * If report_all == 0, only protocols more preferable than the one currently
|
||||
+ * being used, are reported. Otherwise, all available protocols beside the
|
||||
+ * current one are being reported.
|
||||
+ *
|
||||
+ * @param c The current connection
|
||||
+ * @param r The current request or NULL
|
||||
+ * @param s The server/virtual host selected or NULL
|
||||
+ * @param report_all include also protocols less preferred than the current one
|
||||
+ * @param pupgrades on return, possible protocols to upgrade to in descending order
|
||||
+ * of preference. Maybe NULL if none are available.
|
||||
+ */
|
||||
+AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r,
|
||||
+ server_rec *s, int report_all,
|
||||
+ const apr_array_header_t **pupgrades);
|
||||
+
|
||||
/**
|
||||
* Select a protocol for the given connection and optional request. Will return
|
||||
* the protocol identifier selected which may be the protocol already in place
|
||||
@@ -833,6 +853,23 @@ AP_DECLARE(apr_status_t) ap_switch_proto
|
||||
*/
|
||||
AP_DECLARE(const char *) ap_get_protocol(conn_rec *c);
|
||||
|
||||
+/**
|
||||
+ * Check if the given protocol is an allowed choice on the given
|
||||
+ * combination of connection, request and server.
|
||||
+ *
|
||||
+ * When server is NULL, it is taken from request_rec, unless
|
||||
+ * request_rec is NULL. Then it is taken from the connection base
|
||||
+ * server.
|
||||
+ *
|
||||
+ * @param c The current connection
|
||||
+ * @param r The current request or NULL
|
||||
+ * @param s The server/virtual host selected or NULL
|
||||
+ * @param protocol the protocol to switch to
|
||||
+ * @return != 0 iff protocol is allowed
|
||||
+ */
|
||||
+AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r,
|
||||
+ server_rec *s, const char *protocol);
|
||||
+
|
||||
/** @see ap_bucket_type_error */
|
||||
typedef struct ap_bucket_error ap_bucket_error;
|
||||
|
||||
--- include/ap_mmn.h.orig
|
||||
+++ include/ap_mmn.h
|
||||
@@ -456,6 +456,7 @@
|
||||
* ap_select_protocol(), ap_switch_protocol(),
|
||||
* ap_get_protocol(). Add HTTP_MISDIRECTED_REQUEST.
|
||||
* Added ap_parse_token_list_strict() to httpd.h
|
||||
+ * 20120211.52 (2.4.17-dev) Add master conn_rec* member in conn_rec.
|
||||
*/
|
||||
|
||||
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
|
||||
@@ -463,7 +464,7 @@
|
||||
#ifndef MODULE_MAGIC_NUMBER_MAJOR
|
||||
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
|
||||
#endif
|
||||
-#define MODULE_MAGIC_NUMBER_MINOR 51 /* 0...n */
|
||||
+#define MODULE_MAGIC_NUMBER_MINOR 52 /* 0...n */
|
||||
|
||||
/**
|
||||
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
|
||||
--- server/core.c.orig
|
||||
+++ server/core.c
|
||||
@@ -4995,8 +4995,15 @@ static void core_dump_config(apr_pool_t
|
||||
static int core_upgrade_handler(request_rec *r)
|
||||
{
|
||||
conn_rec *c = r->connection;
|
||||
- const char *upgrade = apr_table_get(r->headers_in, "Upgrade");
|
||||
+ const char *upgrade;
|
||||
|
||||
+ if (c->master) {
|
||||
+ /* Not possible to perform an HTTP/1.1 upgrade from a slave
|
||||
+ * connection. */
|
||||
+ return DECLINED;
|
||||
+ }
|
||||
+
|
||||
+ upgrade = apr_table_get(r->headers_in, "Upgrade");
|
||||
if (upgrade && *upgrade) {
|
||||
const char *conn = apr_table_get(r->headers_in, "Connection");
|
||||
if (ap_find_token(r->pool, conn, "upgrade")) {
|
||||
@@ -5011,8 +5018,7 @@ static int core_upgrade_handler(request_
|
||||
}
|
||||
|
||||
if (offers && offers->nelts > 0) {
|
||||
- const char *protocol = ap_select_protocol(c, r, r->server,
|
||||
- offers);
|
||||
+ const char *protocol = ap_select_protocol(c, r, NULL, offers);
|
||||
if (protocol && strcmp(protocol, ap_get_protocol(c))) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02909)
|
||||
"Upgrade selects '%s'", protocol);
|
||||
@@ -5034,6 +5040,19 @@ static int core_upgrade_handler(request_
|
||||
}
|
||||
}
|
||||
}
|
||||
+ else if (!c->keepalives) {
|
||||
+ /* first request on a master connection, if we have protocols other
|
||||
+ * than the current one enabled here, announce them to the
|
||||
+ * client. If the client is already talking a protocol with requests
|
||||
+ * on slave connections, leave it be. */
|
||||
+ const apr_array_header_t *upgrades;
|
||||
+ ap_get_protocol_upgrades(c, r, NULL, 0, &upgrades);
|
||||
+ if (upgrades && upgrades->nelts > 0) {
|
||||
+ char *protocols = apr_array_pstrcat(r->pool, upgrades, ',');
|
||||
+ apr_table_setn(r->headers_out, "Upgrade", protocols);
|
||||
+ apr_table_setn(r->headers_out, "Connection", "Upgrade");
|
||||
+ }
|
||||
+ }
|
||||
|
||||
return DECLINED;
|
||||
}
|
||||
--- server/protocol.c.orig
|
||||
+++ server/protocol.c
|
||||
@@ -1823,15 +1823,61 @@ AP_DECLARE(const char *) ap_get_protocol
|
||||
return protocol? protocol : AP_PROTOCOL_HTTP1;
|
||||
}
|
||||
|
||||
+AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r,
|
||||
+ server_rec *s, int report_all,
|
||||
+ const apr_array_header_t **pupgrades)
|
||||
+{
|
||||
+ apr_pool_t *pool = r? r->pool : c->pool;
|
||||
+ core_server_config *conf;
|
||||
+ const char *existing;
|
||||
+ apr_array_header_t *upgrades = NULL;
|
||||
+
|
||||
+ if (!s) {
|
||||
+ s = (r? r->server : c->base_server);
|
||||
+ }
|
||||
+ conf = ap_get_core_module_config(s->module_config);
|
||||
+
|
||||
+ if (conf->protocols->nelts > 0) {
|
||||
+ existing = ap_get_protocol(c);
|
||||
+ if (conf->protocols->nelts > 1
|
||||
+ || !ap_array_str_contains(conf->protocols, existing)) {
|
||||
+ int i;
|
||||
+
|
||||
+ /* possibly more than one choice or one, but not the
|
||||
+ * existing. (TODO: maybe 426 and Upgrade then?) */
|
||||
+ upgrades = apr_array_make(pool, conf->protocols->nelts + 1,
|
||||
+ sizeof(char *));
|
||||
+ for (i = 0; i < conf->protocols->nelts; i++) {
|
||||
+ const char *p = APR_ARRAY_IDX(conf->protocols, i, char *);
|
||||
+ if (strcmp(existing, p)) {
|
||||
+ /* not the one we have and possible, add in this order */
|
||||
+ APR_ARRAY_PUSH(upgrades, const char*) = p;
|
||||
+ }
|
||||
+ else if (!report_all) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *pupgrades = upgrades;
|
||||
+ return APR_SUCCESS;
|
||||
+}
|
||||
+
|
||||
AP_DECLARE(const char *) ap_select_protocol(conn_rec *c, request_rec *r,
|
||||
server_rec *s,
|
||||
const apr_array_header_t *choices)
|
||||
{
|
||||
apr_pool_t *pool = r? r->pool : c->pool;
|
||||
- core_server_config *conf = ap_get_core_module_config(s->module_config);
|
||||
+ core_server_config *conf;
|
||||
const char *protocol = NULL, *existing;
|
||||
apr_array_header_t *proposals;
|
||||
|
||||
+ if (!s) {
|
||||
+ s = (r? r->server : c->base_server);
|
||||
+ }
|
||||
+ conf = ap_get_core_module_config(s->module_config);
|
||||
+
|
||||
if (APLOGcdebug(c)) {
|
||||
const char *p = apr_array_pstrcat(pool, conf->protocols, ',');
|
||||
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
|
||||
@@ -1937,6 +1983,22 @@ AP_DECLARE(apr_status_t) ap_switch_proto
|
||||
}
|
||||
}
|
||||
|
||||
+AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r,
|
||||
+ server_rec *s, const char *protocol)
|
||||
+{
|
||||
+ core_server_config *conf;
|
||||
+
|
||||
+ if (!s) {
|
||||
+ s = (r? r->server : c->base_server);
|
||||
+ }
|
||||
+ conf = ap_get_core_module_config(s->module_config);
|
||||
+
|
||||
+ if (conf->protocols->nelts > 0) {
|
||||
+ return ap_array_str_contains(conf->protocols, protocol);
|
||||
+ }
|
||||
+ return !strcmp(AP_PROTOCOL_HTTP1, protocol);
|
||||
+}
|
||||
+
|
||||
|
||||
AP_IMPLEMENT_HOOK_VOID(pre_read_request,
|
||||
(request_rec *r, conn_rec *c),
|
||||
--- modules/ssl/mod_ssl.c.orig
|
||||
+++ modules/ssl/mod_ssl.c
|
||||
@@ -377,6 +377,7 @@ static int ssl_hook_pre_config(apr_pool_
|
||||
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
|
||||
{
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
+ SSLSrvConfigRec *sc;
|
||||
|
||||
if (sslconn) {
|
||||
return sslconn;
|
||||
@@ -386,6 +387,8 @@ static SSLConnRec *ssl_init_connection_c
|
||||
|
||||
sslconn->server = c->base_server;
|
||||
sslconn->verify_depth = UNSET;
|
||||
+ sc = mySrvConfig(c->base_server);
|
||||
+ sslconn->cipher_suite = sc->server->auth.cipher_suite;
|
||||
|
||||
myConnConfigSet(c, sslconn);
|
||||
|
||||
@@ -525,6 +528,7 @@ static apr_port_t ssl_hook_default_port(
|
||||
|
||||
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
|
||||
{
|
||||
+
|
||||
SSLSrvConfigRec *sc;
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
|
||||
@@ -537,8 +541,8 @@ static int ssl_hook_pre_connection(conn_
|
||||
/*
|
||||
* Immediately stop processing if SSL is disabled for this connection
|
||||
*/
|
||||
- if (!(sc && (sc->enabled == SSL_ENABLED_TRUE ||
|
||||
- (sslconn && sslconn->is_proxy))))
|
||||
+ if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
|
||||
+ (sslconn && sslconn->is_proxy))))
|
||||
{
|
||||
return DECLINED;
|
||||
}
|
||||
@@ -566,6 +570,26 @@ static int ssl_hook_pre_connection(conn_
|
||||
return ssl_init_ssl_connection(c, NULL);
|
||||
}
|
||||
|
||||
+static int ssl_hook_process_connection(conn_rec* c)
|
||||
+{
|
||||
+ SSLConnRec *sslconn = myConnConfig(c);
|
||||
+
|
||||
+ if (sslconn && !sslconn->disabled) {
|
||||
+ /* On an active SSL connection, let the input filters initialize
|
||||
+ * themselves which triggers the handshake, which again triggers
|
||||
+ * all kinds of useful things such as SNI and ALPN.
|
||||
+ */
|
||||
+ apr_bucket_brigade* temp;
|
||||
+
|
||||
+ temp = apr_brigade_create(c->pool, c->bucket_alloc);
|
||||
+ ap_get_brigade(c->input_filters, temp,
|
||||
+ AP_MODE_INIT, APR_BLOCK_READ, 0);
|
||||
+ apr_brigade_destroy(temp);
|
||||
+ }
|
||||
+
|
||||
+ return DECLINED;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* the module registration phase
|
||||
*/
|
||||
@@ -579,6 +603,8 @@ static void ssl_register_hooks(apr_pool_
|
||||
ssl_io_filter_register(p);
|
||||
|
||||
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
|
||||
+ ap_hook_process_connection(ssl_hook_process_connection,
|
||||
+ NULL, NULL, APR_HOOK_MIDDLE);
|
||||
ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
|
||||
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
|
||||
ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
|
||||
--- modules/ssl/ssl_private.h.orig
|
||||
+++ modules/ssl/ssl_private.h
|
||||
@@ -460,6 +460,8 @@ typedef struct {
|
||||
} reneg_state;
|
||||
|
||||
server_rec *server;
|
||||
+
|
||||
+ const char *cipher_suite; /* cipher suite used in last reneg */
|
||||
} SSLConnRec;
|
||||
|
||||
/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
|
||||
--- modules/ssl/ssl_engine_io.c.orig
|
||||
+++ modules/ssl/ssl_engine_io.c
|
||||
@@ -298,9 +298,6 @@ typedef struct {
|
||||
apr_pool_t *pool;
|
||||
char buffer[AP_IOBUFSIZE];
|
||||
ssl_filter_ctx_t *filter_ctx;
|
||||
-#ifdef HAVE_TLS_ALPN
|
||||
- int alpn_finished; /* 1 if ALPN has finished, 0 otherwise */
|
||||
-#endif
|
||||
} bio_filter_in_ctx_t;
|
||||
|
||||
/*
|
||||
@@ -1418,41 +1415,6 @@ static apr_status_t ssl_io_filter_input(
|
||||
APR_BRIGADE_INSERT_TAIL(bb, bucket);
|
||||
}
|
||||
|
||||
-#ifdef HAVE_TLS_ALPN
|
||||
- /* By this point, Application-Layer Protocol Negotiation (ALPN) should be
|
||||
- * completed (if our version of OpenSSL supports it). If we haven't already,
|
||||
- * find out which protocol was decided upon and inform other modules
|
||||
- * by calling alpn_proto_negotiated_hook.
|
||||
- */
|
||||
- if (!inctx->alpn_finished) {
|
||||
- SSLConnRec *sslconn = myConnConfig(f->c);
|
||||
- const unsigned char *next_proto = NULL;
|
||||
- unsigned next_proto_len = 0;
|
||||
- const char *protocol;
|
||||
-
|
||||
- SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len);
|
||||
- if (next_proto && next_proto_len) {
|
||||
- protocol = apr_pstrmemdup(f->c->pool, (const char *)next_proto,
|
||||
- next_proto_len);
|
||||
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
|
||||
- APLOGNO(02836) "ALPN selected protocol: '%s'",
|
||||
- protocol);
|
||||
-
|
||||
- if (strcmp(protocol, ap_get_protocol(f->c))) {
|
||||
- status = ap_switch_protocol(f->c, NULL, sslconn->server,
|
||||
- protocol);
|
||||
- if (status != APR_SUCCESS) {
|
||||
- ap_log_cerror(APLOG_MARK, APLOG_ERR, status, f->c,
|
||||
- APLOGNO(02908) "protocol switch to '%s' failed",
|
||||
- protocol);
|
||||
- return status;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- inctx->alpn_finished = 1;
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1934,9 +1896,6 @@ static void ssl_io_input_add_filter(ssl_
|
||||
inctx->block = APR_BLOCK_READ;
|
||||
inctx->pool = c->pool;
|
||||
inctx->filter_ctx = filter_ctx;
|
||||
-#ifdef HAVE_TLS_ALPN
|
||||
- inctx->alpn_finished = 0;
|
||||
-#endif
|
||||
}
|
||||
|
||||
/* The request_rec pointer is passed in here only to ensure that the
|
||||
--- modules/ssl/ssl_engine_vars.c.orig
|
||||
+++ modules/ssl/ssl_engine_vars.c
|
||||
@@ -39,7 +39,7 @@
|
||||
** _________________________________________________________________
|
||||
*/
|
||||
|
||||
-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
|
||||
+static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var);
|
||||
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
|
||||
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
|
||||
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
|
||||
@@ -49,8 +49,8 @@ static char *ssl_var_lookup_ssl_cert_ser
|
||||
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
|
||||
static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
|
||||
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
|
||||
-static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
|
||||
-static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
|
||||
+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn);
|
||||
+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var);
|
||||
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
|
||||
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
|
||||
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
|
||||
@@ -77,7 +77,7 @@ static const char *expr_var_fn(ap_expr_e
|
||||
char *var = (char *)data;
|
||||
SSLConnRec *sslconn = myConnConfig(ctx->c);
|
||||
|
||||
- return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : NULL;
|
||||
+ return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL;
|
||||
}
|
||||
|
||||
static int ssl_expr_lookup(ap_expr_lookup_parms *parms)
|
||||
@@ -245,9 +245,13 @@ char *ssl_var_lookup(apr_pool_t *p, serv
|
||||
*/
|
||||
if (result == NULL && c != NULL) {
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
+ if (!(sslconn && sslconn->ssl) && c->master) {
|
||||
+ /* use master connection if no SSL defined here */
|
||||
+ sslconn = myConnConfig(c->master);
|
||||
+ }
|
||||
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
|
||||
&& sslconn && sslconn->ssl)
|
||||
- result = ssl_var_lookup_ssl(p, c, r, var+4);
|
||||
+ result = ssl_var_lookup_ssl(p, sslconn, r, var+4);
|
||||
else if (strcEQ(var, "HTTPS")) {
|
||||
if (sslconn && sslconn->ssl)
|
||||
result = "on";
|
||||
@@ -317,10 +321,9 @@ char *ssl_var_lookup(apr_pool_t *p, serv
|
||||
return (char *)result;
|
||||
}
|
||||
|
||||
-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
|
||||
- char *var)
|
||||
+static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn,
|
||||
+ request_rec *r, char *var)
|
||||
{
|
||||
- SSLConnRec *sslconn = myConnConfig(c);
|
||||
char *result;
|
||||
X509 *xs;
|
||||
STACK_OF(X509) *sk;
|
||||
@@ -360,7 +363,7 @@ static char *ssl_var_lookup_ssl(apr_pool
|
||||
result = "Initial";
|
||||
}
|
||||
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
|
||||
- result = ssl_var_lookup_ssl_cipher(p, c, var+6);
|
||||
+ result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6);
|
||||
}
|
||||
else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) {
|
||||
sk = SSL_get_peer_cert_chain(ssl);
|
||||
@@ -370,7 +373,7 @@ static char *ssl_var_lookup_ssl(apr_pool
|
||||
result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
|
||||
}
|
||||
else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
|
||||
- result = ssl_var_lookup_ssl_cert_verify(p, c);
|
||||
+ result = ssl_var_lookup_ssl_cert_verify(p, sslconn);
|
||||
}
|
||||
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
|
||||
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
|
||||
@@ -779,9 +782,8 @@ static char *ssl_var_lookup_ssl_cert_PEM
|
||||
return result;
|
||||
}
|
||||
|
||||
-static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
|
||||
+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn)
|
||||
{
|
||||
- SSLConnRec *sslconn = myConnConfig(c);
|
||||
char *result;
|
||||
long vrc;
|
||||
const char *verr;
|
||||
@@ -815,9 +817,8 @@ static char *ssl_var_lookup_ssl_cert_ver
|
||||
return result;
|
||||
}
|
||||
|
||||
-static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var)
|
||||
+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var)
|
||||
{
|
||||
- SSLConnRec *sslconn = myConnConfig(c);
|
||||
char *result;
|
||||
BOOL resdup;
|
||||
int usekeysize, algkeysize;
|
||||
--- modules/ssl/ssl_engine_kernel.c.orig
|
||||
+++ modules/ssl/ssl_engine_kernel.c
|
||||
@@ -113,6 +113,108 @@ static int has_buffered_data(request_rec
|
||||
return result;
|
||||
}
|
||||
|
||||
+static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
|
||||
+{
|
||||
+ int i;
|
||||
+ const char *c;
|
||||
+
|
||||
+ if (s1 == s2) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ else if (!s1 || !s2 || (s1->nelts != s2->nelts)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < s1->nelts; i++) {
|
||||
+ c = APR_ARRAY_IDX(s1, i, const char *);
|
||||
+ if (!c || !ap_array_str_contains(s2, c)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int ssl_pk_server_compatible(modssl_pk_server_t *pks1,
|
||||
+ modssl_pk_server_t *pks2)
|
||||
+{
|
||||
+ if (!pks1 || !pks2) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* both have the same certificates? */
|
||||
+ if ((pks1->ca_name_path != pks2->ca_name_path)
|
||||
+ && (!pks1->ca_name_path || !pks2->ca_name_path
|
||||
+ || strcmp(pks1->ca_name_path, pks2->ca_name_path))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if ((pks1->ca_name_file != pks2->ca_name_file)
|
||||
+ && (!pks1->ca_name_file || !pks2->ca_name_file
|
||||
+ || strcmp(pks1->ca_name_file, pks2->ca_name_file))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)
|
||||
+ || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
|
||||
+ modssl_auth_ctx_t *a2)
|
||||
+{
|
||||
+ if (!a1 || !a2) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* both have the same verification */
|
||||
+ if ((a1->verify_depth != a2->verify_depth)
|
||||
+ || (a1->verify_mode != a2->verify_mode)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* both have the same ca path/file */
|
||||
+ if ((a1->ca_cert_path != a2->ca_cert_path)
|
||||
+ && (!a1->ca_cert_path || !a2->ca_cert_path
|
||||
+ || strcmp(a1->ca_cert_path, a2->ca_cert_path))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if ((a1->ca_cert_file != a2->ca_cert_file)
|
||||
+ && (!a1->ca_cert_file || !a2->ca_cert_file
|
||||
+ || strcmp(a1->ca_cert_file, a2->ca_cert_file))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* both have the same ca cipher suite string */
|
||||
+ if ((a1->cipher_suite != a2->cipher_suite)
|
||||
+ && (!a1->cipher_suite || !a2->cipher_suite
|
||||
+ || strcmp(a1->cipher_suite, a2->cipher_suite))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int ssl_ctx_compatible(modssl_ctx_t *ctx1,
|
||||
+ modssl_ctx_t *ctx2)
|
||||
+{
|
||||
+ if (!ctx1 || !ctx2
|
||||
+ || (ctx1->protocol != ctx2->protocol)
|
||||
+ || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
|
||||
+ || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int ssl_server_compatible(server_rec *s1, server_rec *s2)
|
||||
+{
|
||||
+ SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
|
||||
+ SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
|
||||
+
|
||||
+ /* both use the same TLS protocol? */
|
||||
+ if (!sc1 || !sc2
|
||||
+ || !ssl_ctx_compatible(sc1->server, sc2->server)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Post Read Request Handler
|
||||
*/
|
||||
@@ -137,7 +239,13 @@ int ssl_hook_ReadReq(request_rec *r)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* If we are on a slave connection, we do not expect to have an SSLConnRec,
|
||||
+ * but our master connection might. */
|
||||
sslconn = myConnConfig(r->connection);
|
||||
+ if (!(sslconn && sslconn->ssl) && r->connection->master) {
|
||||
+ sslconn = myConnConfig(r->connection->master);
|
||||
+ }
|
||||
+
|
||||
if (!sslconn) {
|
||||
return DECLINED;
|
||||
}
|
||||
@@ -195,15 +303,16 @@ int ssl_hook_ReadReq(request_rec *r)
|
||||
" provided in HTTP request", servername);
|
||||
return HTTP_BAD_REQUEST;
|
||||
}
|
||||
- if (r->server != handshakeserver) {
|
||||
+ if (r->server != handshakeserver
|
||||
+ && !ssl_server_compatible(sslconn->server, r->server)) {
|
||||
/*
|
||||
- * We are really not in Kansas anymore...
|
||||
* The request does not select the virtual host that was
|
||||
- * selected by the SNI.
|
||||
+ * selected by the SNI and its SSL parameters are different
|
||||
*/
|
||||
+
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
|
||||
"Hostname %s provided via SNI and hostname %s provided"
|
||||
- " via HTTP select a different server",
|
||||
+ " via HTTP have no compatible SSL setup",
|
||||
servername, r->hostname);
|
||||
return HTTP_MISDIRECTED_REQUEST;
|
||||
}
|
||||
@@ -302,6 +411,7 @@ int ssl_hook_Access(request_rec *r)
|
||||
SSLConnRec *sslconn = myConnConfig(r->connection);
|
||||
SSL *ssl = sslconn ? sslconn->ssl : NULL;
|
||||
server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
|
||||
+ SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
||||
SSL_CTX *ctx = NULL;
|
||||
apr_array_header_t *requires;
|
||||
ssl_require_t *ssl_requires;
|
||||
@@ -313,8 +423,19 @@ int ssl_hook_Access(request_rec *r)
|
||||
X509_STORE_CTX cert_store_ctx;
|
||||
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
|
||||
const SSL_CIPHER *cipher = NULL;
|
||||
- int depth, verify_old, verify, n;
|
||||
+ int depth, verify_old, verify, n, is_slave = 0;
|
||||
+ const char *ncipher_suite;
|
||||
|
||||
+ /* On a slave connection, we do not expect to have an SSLConnRec, but
|
||||
+ * our master connection might have one. */
|
||||
+ if (!(sslconn && ssl) && r->connection->master) {
|
||||
+ sslconn = myConnConfig(r->connection->master);
|
||||
+ ssl = sslconn ? sslconn->ssl : NULL;
|
||||
+ handshakeserver = sslconn ? sslconn->server : NULL;
|
||||
+ hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
||||
+ is_slave = 1;
|
||||
+ }
|
||||
+
|
||||
if (ssl) {
|
||||
/*
|
||||
* We should have handshaken here (on handshakeserver),
|
||||
@@ -333,7 +454,7 @@ int ssl_hook_Access(request_rec *r)
|
||||
* Support for SSLRequireSSL directive
|
||||
*/
|
||||
if (dc->bSSLRequired && !ssl) {
|
||||
- if (sc->enabled == SSL_ENABLED_OPTIONAL) {
|
||||
+ if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) {
|
||||
/* This vhost was configured for optional SSL, just tell the
|
||||
* client that we need to upgrade.
|
||||
*/
|
||||
@@ -416,8 +537,13 @@ int ssl_hook_Access(request_rec *r)
|
||||
* new cipher suite. This approach is fine because the user explicitly
|
||||
* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
|
||||
* implicit optimizations.
|
||||
- */
|
||||
- if (dc->szCipherSuite || (r->server != handshakeserver)) {
|
||||
+ */
|
||||
+ ncipher_suite = (dc->szCipherSuite?
|
||||
+ dc->szCipherSuite : (r->server != handshakeserver)?
|
||||
+ sc->server->auth.cipher_suite : NULL);
|
||||
+
|
||||
+ if (ncipher_suite && (!sslconn->cipher_suite
|
||||
+ || strcmp(ncipher_suite, sslconn->cipher_suite))) {
|
||||
/* remember old state */
|
||||
|
||||
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
|
||||
@@ -432,10 +558,18 @@ int ssl_hook_Access(request_rec *r)
|
||||
}
|
||||
|
||||
/* configure new state */
|
||||
- if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
|
||||
- !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
|
||||
- dc->szCipherSuite :
|
||||
- sc->server->auth.cipher_suite)) {
|
||||
+ if (is_slave) {
|
||||
+ /* TODO: this categorically fails changed cipher suite settings
|
||||
+ * on slave connections. We could do better by
|
||||
+ * - create a new SSL* from our SSL_CTX and set cipher suite there,
|
||||
+ * and retrieve ciphers, free afterwards
|
||||
+ * Modifying the SSL on a slave connection is no good.
|
||||
+ */
|
||||
+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite");
|
||||
+ return HTTP_FORBIDDEN;
|
||||
+ }
|
||||
+
|
||||
+ if (!SSL_set_cipher_list(ssl, ncipher_suite)) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253)
|
||||
"Unable to reconfigure (per-directory) "
|
||||
"permitted SSL ciphers");
|
||||
@@ -502,6 +636,15 @@ int ssl_hook_Access(request_rec *r)
|
||||
}
|
||||
|
||||
if (renegotiate) {
|
||||
+ if (is_slave) {
|
||||
+ /* The request causes renegotiation on a slave connection.
|
||||
+ * This is not allowed since we might have concurrent requests
|
||||
+ * on this connection.
|
||||
+ */
|
||||
+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite");
|
||||
+ return HTTP_FORBIDDEN;
|
||||
+ }
|
||||
+
|
||||
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||
if (sc->cipher_server_pref == TRUE) {
|
||||
SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
@@ -554,6 +697,7 @@ int ssl_hook_Access(request_rec *r)
|
||||
*/
|
||||
if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
|
||||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
|
||||
+
|
||||
/* remember old state */
|
||||
verify_old = SSL_get_verify_mode(ssl);
|
||||
/* configure new state */
|
||||
@@ -572,6 +716,9 @@ int ssl_hook_Access(request_rec *r)
|
||||
verify |= SSL_VERIFY_PEER;
|
||||
}
|
||||
|
||||
+ /* TODO: this seems premature since we do not know if there
|
||||
+ * are any changes required.
|
||||
+ */
|
||||
SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
|
||||
SSL_set_verify_result(ssl, X509_V_OK);
|
||||
|
||||
@@ -587,6 +734,14 @@ int ssl_hook_Access(request_rec *r)
|
||||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
|
||||
{
|
||||
renegotiate = TRUE;
|
||||
+ if (is_slave) {
|
||||
+ /* The request causes renegotiation on a slave connection.
|
||||
+ * This is not allowed since we might have concurrent requests
|
||||
+ * on this connection.
|
||||
+ */
|
||||
+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
|
||||
+ return HTTP_FORBIDDEN;
|
||||
+ }
|
||||
/* optimization */
|
||||
|
||||
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
|
||||
@@ -907,6 +1062,10 @@ int ssl_hook_Access(request_rec *r)
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
}
|
||||
+ /* remember any new cipher suite used in renegotiation */
|
||||
+ if (ncipher_suite) {
|
||||
+ sslconn->cipher_suite = ncipher_suite;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* If we're trying to have the user name set from a client
|
||||
@@ -1170,6 +1329,10 @@ int ssl_hook_Fixup(request_rec *r)
|
||||
apr_table_mergen(r->headers_out, "Connection", "upgrade");
|
||||
}
|
||||
|
||||
+ if (!(sslconn && sslconn->ssl) && r->connection->master) {
|
||||
+ sslconn = myConnConfig(r->connection->master);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Check to see if SSL is on
|
||||
*/
|
||||
@@ -1192,8 +1355,8 @@ int ssl_hook_Fixup(request_rec *r)
|
||||
|
||||
/* standard SSL environment variables */
|
||||
if (dc->nOptions & SSL_OPT_STDENVVARS) {
|
||||
- modssl_var_extract_dns(env, sslconn->ssl, r->pool);
|
||||
- modssl_var_extract_san_entries(env, sslconn->ssl, r->pool);
|
||||
+ modssl_var_extract_dns(env, ssl, r->pool);
|
||||
+ modssl_var_extract_san_entries(env, ssl, r->pool);
|
||||
|
||||
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
|
||||
var = (char *)ssl_hook_Fixup_vars[i];
|
||||
@@ -2037,7 +2200,8 @@ static int ssl_find_vhost(void *serverna
|
||||
* retrieval
|
||||
*/
|
||||
sslcon->server = s;
|
||||
-
|
||||
+ sslcon->cipher_suite = sc->server->auth.cipher_suite;
|
||||
+
|
||||
/*
|
||||
* There is one special filter callback, which is set
|
||||
* very early depending on the base_server's log level.
|
||||
@@ -2194,14 +2358,30 @@ int ssl_callback_alpn_select(SSL *ssl,
|
||||
init_vhost(c, ssl);
|
||||
|
||||
proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos);
|
||||
- *out = (const unsigned char *)(proposed? proposed : ap_get_protocol(c));
|
||||
- len = strlen((const char*)*out);
|
||||
+ if (!proposed) {
|
||||
+ proposed = ap_get_protocol(c);
|
||||
+ }
|
||||
+
|
||||
+ len = strlen(proposed);
|
||||
if (len > 255) {
|
||||
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840)
|
||||
"ALPN negotiated protocol name too long");
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
+ *out = (const unsigned char *)proposed;
|
||||
*outlen = (unsigned char)len;
|
||||
+
|
||||
+ if (strcmp(proposed, ap_get_protocol(c))) {
|
||||
+ apr_status_t status;
|
||||
+
|
||||
+ status = ap_switch_protocol(c, NULL, sslconn->server, proposed);
|
||||
+ if (status != APR_SUCCESS) {
|
||||
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, status, c,
|
||||
+ APLOGNO(02908) "protocol switch to '%s' failed",
|
||||
+ proposed);
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 5 16:52:45 UTC 2015 - crrodriguez@opensuse.org
|
||||
|
||||
- 2.4.17-protocols.patch from upstream http2 module:
|
||||
* master conn_rec* addition to conn_rec
|
||||
* improved ALPN and Upgrade handling
|
||||
* allowing requests for servers whose TLS configuration is compatible
|
||||
to the SNI server ones
|
||||
* disabling TLS renegotiation for slave connections
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 4 06:29:27 UTC 2015 - pgajdos@suse.com
|
||||
|
||||
|
@ -122,6 +122,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch
|
||||
Patch111: httpd-visibility.patch
|
||||
# PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188
|
||||
Patch114: httpd-2.4.12-lua-5.2.patch
|
||||
Patch1000: https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/2.4.17-protocols.patch
|
||||
BuildRequires: automake
|
||||
BuildRequires: db-devel
|
||||
BuildRequires: ed
|
||||
@ -307,6 +308,7 @@ to administrators of web servers in general.
|
||||
%endif
|
||||
%patch111 -p1
|
||||
%patch114 -p1
|
||||
%patch1000
|
||||
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
|
||||
# install READMEs
|
||||
a=$(basename %{SOURCE22})
|
||||
|
Loading…
Reference in New Issue
Block a user