pool/apache2
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 157654 from Apache

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/157654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=67
This commit is contained in:
Stephan Kulow 2013-03-08 08:50:00 +00:00 committed by Git OBS Bridge
commit f98d1a791c
19 changed files with 1313 additions and 946 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apache-20-22-upgrade
View File

@ -13,7 +13,6 @@ if a2enmod -q auth; then
a2enmod authz_groupfile
a2enmod authz_default
a2enmod authz_user
cat <<-EOF
@ -61,4 +60,11 @@ if a2enmod -q auth_ldap; then
a2enmod mod_authnz_ldap
fi
for module in mod_authn_default mod_authz_default mod_mem_cache; do
if a2enmod -q "$module"; then
echo "!!ATTENTION! $module was removed from apache version 2.4 or later, CHECK YOUR CONFIGURATION!!!"
a2dismod "$module"
fi
done
echo 'Done.'

2
apache2-default-server.conf
View File

@ -102,5 +102,5 @@ ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
Include /etc/apache2/conf.d/*.conf
# The manual... if it is installed ('?' means it won't complain)
Include /etc/apache2/conf.d/apache2-manual?conf
IncludeOptional /etc/apache2/conf.d/apache2-manual?conf

2
apache2-httpd.conf
View File

@ -202,7 +202,7 @@ Include /etc/apache2/sysconfig.d/include.conf
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf
IncludeOptional /etc/apache2/vhosts.d/*.conf
# Note: instead of adding your own configuration here, consider

591
apache2-mod_ssl_npn.patch
View File

@ -1,51 +1,233 @@
# This patch adds hooks for Next Protocol Negotiation (NPN) into mod_ssl. This
# change is under review to be included in Apache trunk:
# https://issues.apache.org/bugzilla/show_bug.cgi?id=52210
# But until it becomes part of an Apache 2.2 release, we need to apply the patch
# ourselves.
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1202283)
+++ modules/ssl/ssl_private.h (working copy)
@@ -603,6 +603,7 @@
#ifndef OPENSSL_NO_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
--- httpd-2.4.3.orig/modules/ssl/mod_ssl.c
+++ httpd-2.4.3/modules/ssl/mod_ssl.c
@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
+ SSL_CMD_ALL(RSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for RSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(DSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for DSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(ECAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for EC certificate "
+ "(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "
@@ -148,6 +157,15 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
"Strict SNI virtual host checking")
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
@@ -714,4 +715,3 @@
#endif /* SSL_PRIVATE_H */
/** @} */
-
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1202283)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -559,6 +559,11 @@
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+#ifndef OPENSSL_NO_SRP
+ SSL_CMD_SRV(SRPVerifierFile, TAKE1,
+ "SRP verifier file "
+ "('/path/to/file' - created by srptool)")
+ SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
+ "SRP seed for unknown users (to avoid leaking a user's existence) "
+ "('some secret text')")
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ SSL_CTX_set_next_protos_advertised_cb(
+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
/*
* Proxy configuration for remote SSL connections
*/
@@ -263,6 +281,18 @@ static const command_rec ssl_config_cmds
AP_END_CMD
};
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
--- httpd-2.4.3.orig/modules/ssl/mod_ssl.h
+++ httpd-2.4.3/modules/ssl/mod_ssl.h
@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name,
+ apr_size_t proto_name_len));
+
#endif /* __MOD_SSL_H__ */
/** @} */
--- httpd-2.4.3.orig/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.3/modules/ssl/ssl_engine_config.c
@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->rsa_authz_file = NULL;
+ mctx->dsa_authz_file = NULL;
+ mctx->ec_authz_file = NULL;
+
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -149,6 +153,12 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->stapling_responder_timeout = UNSET;
mctx->stapling_force_url = NULL;
#endif
+
+#ifndef OPENSSL_NO_SRP
+ mctx->srp_vfile = NULL;
+ mctx->srp_unknown_user_seed = NULL;
+ mctx->srp_vbase = NULL;
+#endif
}
static void ssl_init_ctx_verify(server_rec *s,
@@ -1352,4 +1357,3 @@
static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -251,6 +264,10 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
return APR_SUCCESS;
+ cfgMergeString(rsa_authz_file);
+ cfgMergeString(dsa_authz_file);
+ cfgMergeString(ec_authz_file);
+
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -274,6 +291,11 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMergeInt(stapling_responder_timeout);
cfgMerge(stapling_force_url, NULL);
#endif
+
+#ifndef OPENSSL_NO_SRP
+ cfgMergeString(srp_vfile);
+ cfgMergeString(srp_unknown_user_seed);
+#endif
}
-
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 1202283)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -338,6 +338,7 @@
static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -829,6 +871,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF
return NULL;
}
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->rsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->dsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ec_authz_file = arg;
+
+ return NULL;
+}
+
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
void *dcfg,
@@ -1782,6 +1872,32 @@ const char *ssl_cmd_SSLStaplingForceURL(
#endif /* HAVE_OCSP_STAPLING */
+#ifndef OPENSSL_NO_SRP
+
+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg)))
+ return err;
+ /* SRP_VBASE_init takes char*, not const char* */
+ sc->server->srp_vfile = apr_pstrdup(cmd->pool, arg);
+ return NULL;
+}
+
+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ /* SRP_VBASE_new takes char*, not const char* */
+ sc->server->srp_unknown_user_seed = apr_pstrdup(cmd->pool, arg);
+ return NULL;
+}
+
+#endif /* OPENSSL_NO_SRP */
+
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
apr_file_t *out = NULL;
--- httpd-2.4.3.orig/modules/ssl/ssl_engine_io.c
+++ httpd-2.4.3/modules/ssl/ssl_engine_io.c
@@ -28,6 +28,7 @@
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "apr_date.h"
/* _________________________________________________________________
@@ -297,6 +298,7 @@ typedef struct {
apr_pool_t *pool;
char buffer[AP_IOBUFSIZE];
ssl_filter_ctx_t *filter_ctx;
@ -53,44 +235,99 @@ Index: modules/ssl/ssl_engine_io.c
} bio_filter_in_ctx_t;
/*
@@ -1409,6 +1410,21 @@
@@ -1374,6 +1376,26 @@ static apr_status_t ssl_io_filter_input(
APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
+#ifdef HAVE_TLS_NPN
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+ * our version of OpenSSL supports it). If we haven't already, find out
+ * which protocol was decided upon and inform other modules by calling
+ * npn_proto_negotiated_hook. */
+ if (!inctx->npn_finished) {
+ inctx->npn_finished = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ const unsigned char *next_proto = NULL;
+ unsigned next_proto_len = 0;
+ SSL_get0_next_proto_negotiated(inctx->ssl, &next_proto,
+ &next_proto_len);
+ ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len);
+#endif
+
+ SSL_get0_next_proto_negotiated(
+ inctx->ssl, &next_proto, &next_proto_len);
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
+ next_proto_len, (const char*)next_proto);
+ modssl_run_npn_proto_negotiated_hook(
+ f->c, (const char*)next_proto, next_proto_len);
+ inctx->npn_finished = 1;
+ }
+#endif
+
return APR_SUCCESS;
}
@@ -1753,6 +1769,7 @@
@@ -1855,6 +1877,7 @@ static void ssl_io_input_add_filter(ssl_
inctx->block = APR_BLOCK_READ;
inctx->pool = c->pool;
inctx->filter_ctx = filter_ctx;
+ inctx->npn_finished = 0;
}
void ssl_io_filter_init(conn_rec *c, SSL *ssl)
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 1202283)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1969,6 +1969,77 @@
}
}
/* The request_rec pointer is passed in here only to ensure that the
--- httpd-2.4.3.orig/modules/ssl/ssl_engine_kernel.c
+++ httpd-2.4.3/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
@@ -329,6 +330,19 @@ int ssl_hook_Access(request_rec *r)
return DECLINED;
}
+#ifndef OPENSSL_NO_SRP
+ /*
+ * Support for per-directory reconfigured SSL connection parameters
+ *
+ * We do not force any renegotiation if the user is already authenticated
+ * via SRP.
+ *
+ */
+ if (SSL_get_srp_username(ssl)) {
+ return DECLINED;
+ }
+#endif
+
/*
* Support for per-directory reconfigured SSL connection parameters.
*
@@ -1088,6 +1102,10 @@ static const char *ssl_hook_Fixup_vars[]
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
"SSL_SESSION_RESUMED",
+#ifndef OPENSSL_NO_SRP
+ "SSL_SRP_USER",
+ "SSL_SRP_USERINFO",
+#endif
NULL
};
@@ -2072,7 +2090,7 @@ static int ssl_find_vhost(void *serverna
return 0;
}
-#endif
+#endif /* OPENSSL_NO_TLSEXT */
#ifdef HAVE_TLS_SESSION_TICKETS
/*
@@ -2142,4 +2160,114 @@ int ssl_callback_SessionTicket(SSL *ssl,
/* OpenSSL is not expected to call us with modes other than 1 or 0 */
return -1;
}
-#endif
+#endif /* HAVE_TLS_SESSION_TICKETS */
+
+#ifdef HAVE_TLS_NPN
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
@ -101,55 +338,65 @@ Index: modules/ssl/ssl_engine_kernel.c
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+ unsigned int *size_out, void *arg)
+{
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+ apr_array_header_t *protos;
+ int num_protos;
+ unsigned int size;
+ int i;
+ unsigned char *data;
+ unsigned char *start;
+
+ *data_out = NULL;
+ *size_out = 0;
+
+ /* Get the connection object. If it's not available, then there's nothing
+ * for us to do. */
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+ /* If the connection object is not available, then there's nothing for us
+ * to do. */
+ if (c == NULL) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+ * add alternate protocol names to advertise. */
+ apr_array_header_t *protos = apr_array_make(c->pool, 0, sizeof(char*));
+ ssl_run_npn_advertise_protos_hook(c, protos);
+ int num_protos = protos->nelts;
+
+ /* If no other modules added any alternate protocols, then we're done. */
+ if (num_protos == 0) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+ protos = apr_array_make(c->pool, 0, sizeof(char*));
+ modssl_run_npn_advertise_protos_hook(c, protos);
+ num_protos = protos->nelts;
+
+ /* We now have a list of null-terminated strings; we need to concatenate
+ * them together into a single string, where each protocol name is prefixed
+ * by its length. First, calculate how long that string will be. */
+ unsigned int size = 0;
+ int i;
+ size = 0;
+ for (i = 0; i < num_protos; ++i) {
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
+ unsigned int length = strlen(string);
+ /* If the protocol name is too long (the length must fit in one byte),
+ * then log an error and quit. */
+ * then log an error and skip it. */
+ if (length > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
+ "SSL NPN protocol name too long (length=%u): %s",
+ length, string);
+ return SSL_TLSEXT_ERR_OK;
+ continue;
+ }
+ /* Leave room for the length prefix (one byte) plus the protocol name
+ * itself. */
+ size += 1 + length;
+ }
+
+ /* If there is nothing to advertise (either because no modules added
+ * anything to the protos array, or because all strings added to the array
+ * were skipped), then we're done. */
+ if (size == 0) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* Now we can build the string. Copy each protocol name string into the
+ * larger string, prefixed by its length. */
+ unsigned char* data = apr_palloc(c->pool, size * sizeof(unsigned char));
+ unsigned char* start = data;
+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
+ start = data;
+ for (i = 0; i < num_protos; ++i) {
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
+ size_t length = strlen(string);
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
+ apr_size_t length = strlen(string);
+ if (length > 255)
+ continue;
+ *start = (unsigned char)length;
+ ++start;
+ memcpy(start, string, length * sizeof(unsigned char));
@ -162,60 +409,144 @@ Index: modules/ssl/ssl_engine_kernel.c
+ return SSL_TLSEXT_ERR_OK;
+}
+
#ifndef OPENSSL_NO_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1202283)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -220,6 +220,18 @@
AP_END_CMD
};
+#endif /* HAVE_TLS_NPN */
+
+#ifndef OPENSSL_NO_SRP
+
+int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+{
+ modssl_ctx_t *mctx = (modssl_ctx_t *)arg;
+ char *username = SSL_get_srp_username(ssl);
+ SRP_user_pwd *u;
+
+ if (username == NULL
+ || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+ *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
+ return SSL3_AL_FATAL;
+ }
+
+ if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+
+ /* reset all other options */
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
+ return SSL_ERROR_NONE;
+}
+
+#endif /* OPENSSL_NO_SRP */
--- httpd-2.4.3.orig/modules/ssl/ssl_engine_vars.c
+++ httpd-2.4.3/modules/ssl/ssl_engine_vars.c
@@ -395,6 +395,18 @@ static char *ssl_var_lookup_ssl(apr_pool
#endif
result = apr_pstrdup(p, flag ? "true" : "false");
}
+#ifndef OPENSSL_NO_SRP
+ else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
+ if ((result = SSL_get_srp_username(ssl)) != NULL) {
+ result = apr_pstrdup(p, result);
+ }
+ }
+ else if (ssl != NULL && strcEQ(var, "SRP_USERINFO")) {
+ if ((result = SSL_get_srp_userinfo(ssl)) != NULL) {
+ result = apr_pstrdup(p, result);
+ }
+ }
+#endif
+/* Implement 'ssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ ssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec* connection, apr_array_header_t* protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ ssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec* connection, char* proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h (revision 1202283)
+++ modules/ssl/mod_ssl.h (working copy)
@@ -60,5 +60,26 @@
return result;
}
--- httpd-2.4.3.orig/modules/ssl/ssl_private.h
+++ httpd-2.4.3/modules/ssl/ssl_private.h
@@ -139,6 +139,11 @@
#define HAVE_FIPS
#endif
APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr));
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
@@ -185,6 +190,20 @@
#define OPENSSL_NO_COMP
#endif
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec* connection, apr_array_header_t* protos));
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec* connection, char* proto_name,
+ apr_size_t proto_name_len));
+/* SRP support came in OpenSSL 1.0.1 */
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
+#include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
+#endif
+
#endif /* __MOD_SSL_H__ */
/** @} */
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -647,6 +666,17 @@ typedef struct {
const char *stapling_force_url;
#endif
+#ifndef OPENSSL_NO_SRP
+ char *srp_vfile;
+ char *srp_unknown_user_seed;
+ SRP_VBASE *srp_vbase;
+#endif
+
+ /** RFC 5878 */
+ const char *rsa_authz_file;
+ const char *dsa_authz_file;
+ const char *ec_authz_file;
+
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -723,6 +756,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -775,6 +811,11 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+#ifndef OPENSSL_NO_SRP
+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
+#endif
+
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
/** module initialization */
@@ -820,6 +861,7 @@ int ssl_callback_ServerNameIndi
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
@@ -851,6 +893,9 @@ void modssl_init_stapling(server
void ssl_stapling_ex_init(void);
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
#endif
+#ifndef OPENSSL_NO_SRP
+int ssl_callback_SRPServerParams(SSL *, int *, void *);
+#endif
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);

1302
apache2.2-mpm-itk-20090414-00.patch → apache2.4-mpm-itk-2.4.2-01.patch
View File

File diff suppressed because it is too large Load Diff

45
apache2.changes
View File

@ -1,8 +1,53 @@
-------------------------------------------------------------------
Mon Feb 25 08:19:41 UTC 2013 - mlin@suse.com
- Install apache2.service accordingly (/usr/lib/systemd for 12.3
and up or /lib/systemd for older versions).
-------------------------------------------------------------------
Sat Jan 26 05:06:07 UTC 2013 - crrodriguez@opensuse.org
- Apache 2.4.3
* SECURITY: CVE-2012-3502
* SECURITY: CVE-2012-2687
* mod_cache: Set content type in case we return stale content.
* lots of bugfixes see http://www.apache.org/dist/httpd/CHANGES_2.4.3
-------------------------------------------------------------------
Sat Jan 26 05:00:00 UTC 2013 - crrodriguez@opensuse.org
- Improve systemd unit file (tested for months)
-------------------------------------------------------------------
Fri Jan 18 11:52:30 CET 2013 - mhrusecky@suse.cz
- use %set_permissions instead %run_permissions (bnc#764097)
-------------------------------------------------------------------
Wed Aug 1 04:10:13 UTC 2012 - crrodriguez@opensuse.org
- Fix factory-auto (aka r2dbag) complains about URL.
- Provide a symlink for apxs2 new location otherwise
all buggy spec files of external modules will break.
-------------------------------------------------------------------
Wed Aug 1 02:21:34 UTC 2012 - crrodriguez@opensuse.org
- BuildRequire xz explicitly, fix build in !Factory
- Drop more old, unused patches
-------------------------------------------------------------------
Wed Aug 1 01:14:35 UTC 2012 - crrodriguez@opensuse.org
- Upgrade to apache 2.4.2
** ATTENTION, before installing this update YOU MUST
READ http://httpd.apache.org/docs/2.4/upgrading.html
CAREFULLY otherwise your server will most likely
fail to start due to backward incompatible changes.
* You can read the huge complete list of changes
at http://httpd.apache.org/docs/2.4/new_features_2_4.html
-------------------------------------------------------------------
Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de

14
apache2.service
View File

@ -1,16 +1,14 @@
[Unit]
Description=apache
After=syslog.target network.target
Description=The Apache Webserver
After=network.target remote-fs.target nss-lookup.target
Before=getty@tty1.service
[Service]
Type=forking
PIDFile=/var/run/httpd2.pid
PrivateTmp=true
EnvironmentFile=/etc/sysconfig/apache2
ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -k start
ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -t
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/usr/sbin/httpd2 -D SYSTEMD -k stop
ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DNO_DETACH -k start
ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -DNO_DETACH -t -k graceful
ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DNO_DETACH -k graceful-stop
[Install]
WantedBy=multi-user.target

83
apache2.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package apache2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -25,6 +25,7 @@ BuildRequires: libapr1-devel >= 1.4.2
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pcre-devel
BuildRequires: xz
BuildRequires: zlib-devel
%if %{?suse_version:1}0 && 0%{?sles_version} == 9
BuildRequires: libcap
@ -47,7 +48,7 @@ BuildRequires: expat-devel
%define pname apache2
%define vers 2
%define httpd httpd2
%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; bzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; })
%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; xzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; })
%define default_mpm prefork
%{!?prefork:%define prefork 1}
%{!?worker:%define worker 1}
@ -71,17 +72,21 @@ BuildRequires: expat-devel
%define installbuilddir %{_prefix}/share/%{pname}/build
%define userdir public_html
%define suexec_safepath /usr/local/bin:/usr/bin:/bin
%if %suse_version > 1220
%define _unitdir /usr/lib/systemd
%else
%define _unitdir /lib/systemd
%endif
# "Server:" header
%define VENDOR SUSE
%define platform_string Linux/%VENDOR
%define realver 2.2.22
Version: 2.2.22
%define realver 2.4.3
Version: 2.4.3
Release: 0
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
Source0: httpd-%{realver}.tar.xz
# Add file to take mtime from it in prep section
Source1: apache2.changes
Source5: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2.asc
Source6: 60C5442D.key
Source10: SUSE-NOTICE
Source11: rc.%{pname}
@ -134,19 +139,13 @@ Source143: apache2-systemd-ask-pass
Source144: apache2.service
Patch2: httpd-2.1.3alpha-layout.dif
Patch23: httpd-2.1.9-apachectl.dif
Patch65: httpd-2.0.49-log_server_status.dif
#Patch65: httpd-2.0.49-log_server_status.dif
Patch66: httpd-2.0.54-envvars.dif
Patch67: httpd-2.2.0-apxs-a2enmod.dif
Patch68: httpd-2.x.x-logresolve.patch
Patch69: httpd-2.2.x-bnc690734.patch
Patch100: apache2.2-mpm-itk-20090414-00.patch
Patch100: apache2.4-mpm-itk-2.4.2-01.patch
Patch101: httpd-2.2.19-linux3.patch
Patch102: httpd-keepalivetimeout-millisecs.patch
Patch104: httpd-mod_deflate_head.patch
Patch105: ssl-mode-release-buffers.patch
Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
# PATCH-FIX-UPSTREAM https://issues.apache.org/bugzilla/show_bug.cgi?id=52623
Patch107: httpd-new_pcre.patch
# PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dimstar@opensuse.org -- Add npn support to mod_ssl (needed for spdy)
Patch108: apache2-mod_ssl_npn.patch
Provides: apache2(mod_ssl+npn)
@ -362,22 +361,15 @@ to administrators of web servers in general.
#
%setup -q -n httpd-%{realver}
%patch2 -p1
%patch23 -p1
%patch65 -p1
%patch66 -p1
%patch23
#%patch65 -p1
%patch66
%patch67 -p1
%patch68 -p1
%patch69
%patch100
#%patch69
%patch100 -p1
%patch101
%patch102
%patch104
%patch105
%patch106
%if 0%{?suse_version} >= 1220
%patch107
%endif
%patch108
%patch108 -p1
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
@ -480,7 +472,8 @@ function configure {
--with-suexec-userdir=%{userdir} \
--with-suexec-uidmin=96 \
--with-suexec-gidmin=96 \
--with-suexec-safepath=%{suexec_safepath}
--with-suexec-safepath=%{suexec_safepath} \
--disable-heartbeat
}
#
@ -637,9 +630,9 @@ mkdir -p $RPM_BUILD_ROOT/etc/init.d
install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname}
install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2
%if 0%{?suse_version} >= 1210
mkdir -p $RPM_BUILD_ROOT/lib/systemd/system/
mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/
install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass
install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT/lib/systemd/system/apache2.service
install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service
%endif
ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname}
install -m 755 $RPM_SOURCE_DIR/load_configuration $RPM_BUILD_ROOT/%{_prefix}/share/%{pname}/
@ -737,17 +730,21 @@ pushd $RPM_BUILD_ROOT/%{_mandir}
mv $i ${i%.*}%{vers}.${i#*.*.} || true
done
popd
pushd $RPM_BUILD_ROOT/%{_bindir}
for i in ab dbmmanage htdbm htdigest htpasswd logresolve;do
mv $i ${i}%{vers} || true
done
popd
pushd $RPM_BUILD_ROOT/%{_sbindir}
for i in ab dbmmanage htdbm htdigest htpasswd logresolve rotatelogs suexec; do
for i in rotatelogs suexec; do
mv $i ${i}%{vers} || true
done
mv apachectl apachectl.tmp; mv apachectl.tmp apache%{vers}ctl
for i in dbmmanage htdbm htdigest htpasswd; do
mv ${i}%{vers} ../bin/
done
popd
# fix up apxs
pushd $RPM_BUILD_ROOT/%{_sbindir}
pushd $RPM_BUILD_ROOT/%{_bindir}
for mpm in %{mpms_to_build}; do
cat <<-EOT_ED | ed -s apxs
H
@ -776,7 +773,7 @@ popd
install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{S:49} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}
install -m 644 %{S:50} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}-ssl
ln -sf %{_bindir}/apxs%{vers} %{buildroot}%{_sbindir}
#
# filelists
#
@ -785,7 +782,7 @@ for mpm in %{mpms_to_build}; do
echo %dir %{_libdir}/%{pname}-$mpm >> filelist
(
echo %dir %{includedir}-$mpm
echo %{_sbindir}/apxs%{vers}-$mpm
echo %{_bindir}/apxs%{vers}-$mpm
) >> filelist-devel
done
find $RPM_BUILD_ROOT/%{includedir}/.. -type f -o -type l \
@ -827,6 +824,7 @@ sed -e 's+/usr/%_lib+'$RPM_BUILD_ROOT'/usr/%_lib+' \
-e 's+%{sysconfdir}+'$RPM_BUILD_ROOT'%{sysconfdir}+' \
-e 's+%{datadir}+'$RPM_BUILD_ROOT'%{datadir}+' \
-e 's+\.conf$+&.test+' \
-e 's+/var/log+'$RPM_BUILD_ROOT'/var/log+' \
httpd.conf > httpd.conf.test
sed -e 's+%{sysconfdir}+'$RPM_BUILD_ROOT'%{sysconfdir}+' \
default-server.conf > default-server.conf.test
@ -900,7 +898,7 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%endif
%config /etc/init.d/%{pname}
%if 0%{?suse_version} >= 1210
/lib/systemd/system/%{pname}.service
%{_unitdir}/system/%{pname}.service
%endif
#
%{_sbindir}/rc%{pname}
@ -973,6 +971,7 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%dir %{_prefix}/share/%{pname}
%dir %{installbuilddir}
%dir %{includedir}
%{_bindir}/apxs%{vers}
%{_sbindir}/apxs%{vers}
%files doc
@ -999,6 +998,8 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%doc %{_mandir}/man?/logresolve%{vers}.?.*
%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
%doc %{_mandir}/man?/suexec%{vers}.?.*
%{_sbindir}/fcgistarter
%{_mandir}/man8/fcgistarter2.8.*
%{_bindir}/check_forensic%{vers}
%{_bindir}/dbmmanage%{vers}
%{_bindir}/gensslcert
@ -1006,10 +1007,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%{_bindir}/htdigest%{vers}
%{_bindir}/htpasswd%{vers}
%{_bindir}/split-logfile%{vers}
%{_sbindir}/ab%{vers}
%{_sbindir}/httxt2dbm
%{_bindir}/ab%{vers}
%{_bindir}/httxt2dbm
%{_sbindir}/logresolve.pl%{vers}
%{_sbindir}/logresolve%{vers}
%{_bindir}/logresolve%{vers}
%{_sbindir}/rotatelogs%{vers}
%verify(not mode) %attr(0755,root,root) %_sbindir/suexec2
%if %prefork

16
httpd-2.0.54-envvars.dif
View File

@ -1,11 +1,17 @@
diff -uNr httpd-2.0.54.orig/support/envvars-std.in httpd-2.0.54/support/envvars-std.in
--- httpd-2.0.54.orig/support/envvars-std.in 2005-02-04 21:21:18.000000000 +0100
+++ httpd-2.0.54/support/envvars-std.in 2005-10-07 13:56:49.223546288 +0200
@@ -19,6 +19,6 @@
--- support/envvars-std.in.orig
+++ support/envvars-std.in
@@ -18,11 +18,9 @@
#
# This file is generated from envvars-std.in
#
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
-if test "x$@SHLIBPATH_VAR@" != "x" ; then
- @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
-else
- @SHLIBPATH_VAR@="@exp_libdir@"
-fi
+
+@SHLIBPATH_VAR@="@exp_libdir@${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}"
+
export @SHLIBPATH_VAR@
#
@OS_SPECIFIC_VARS@

22
httpd-2.1.9-apachectl.dif
View File

@ -1,7 +1,6 @@
diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/apachectl.in
--- httpd-2.1.3-alpha.orig/support/apachectl.in 2005-02-04 21:28:49.000000000 +0100
+++ httpd-2.1.3-alpha/support/apachectl.in 2005-02-25 02:52:49.203566813 +0100
@@ -41,17 +41,32 @@
--- support/apachectl.in.orig
+++ support/apachectl.in
@@ -42,17 +42,32 @@ ARGV="$@"
# -------------------- --------------------
#
# the path to your httpd binary, including options if necessary
@ -36,16 +35,16 @@ diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/
#
# the URL to your server's mod_status status page. If you do not
# have one, then status and fullstatus will not work.
@@ -77,7 +92,7 @@
@@ -78,7 +93,7 @@ fi
case $ARGV in
case $ACMD in
start|stop|restart|graceful|graceful-stop)
- $HTTPD -k $ARGV
+ $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV
ERROR=$?
;;
startssl|sslstart|start-SSL)
@@ -87,7 +102,7 @@
@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL)
ERROR=2
;;
configtest)
@ -54,12 +53,3 @@ diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/
ERROR=$?
;;
status)
@@ -97,7 +112,7 @@
$LYNX $STATUSURL
;;
*)
- $HTTPD $ARGV
+ $HTTPD ${httpd_conf+-f $httpd_conf} $ARGV
ERROR=$?
esac

3
httpd-2.2.22.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
size 5378934

BIN
httpd-2.2.22.tar.bz2.asc
View File

Binary file not shown.

68
httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
View File

@ -1,68 +0,0 @@
diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
--- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200
@@ -623,40 +623,64 @@
#if 0
/* XXX If we want to keep track of the Method, the protocol module should do
* it. That support isn't in the scoreboard yet. Hopefully next week
* sometime. rbb */
ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
r->method);
#endif
uri = ap_getword_white(r->pool, &ll);
/* Provide quick information about the request method as soon as known */
r->method_number = ap_method_number_of(r->method);
if (r->method_number == M_GET && r->method[0] == 'H') {
r->header_only = 1;
}
ap_parse_uri(r, uri);
+/*
+ https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+ This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
len = strlen(ll);
} else {
r->assbackwards = 1;
pro = "HTTP/0.9";
len = 8;
}
r->protocol = apr_pstrmemdup(r->pool, pro, len);
/* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
/* Avoid sscanf in the common case */
if (len == 8
&& pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
&& pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
&& apr_isdigit(pro[7])) {
r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
}

21
httpd-2.2.x-bnc690734.patch
View File

@ -1,7 +1,6 @@
diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c
--- ../httpd-2.2.17-o/server/util_script.c 2009-01-12 14:59:56.000000000 +0100
+++ ./server/util_script.c 2011-07-26 15:39:50.000000000 +0200
@@ -406,6 +406,7 @@
--- server/util_script.c.orig
+++ server/util_script.c
@@ -415,6 +415,7 @@ AP_DECLARE(int) ap_scan_script_header_er
{
char x[MAX_STRING_LEN];
char *w, *l;
@ -9,7 +8,7 @@ diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c
int p;
int cgi_status = HTTP_UNSET;
apr_table_t *merge;
@@ -414,7 +415,14 @@
@@ -425,7 +426,14 @@ AP_DECLARE(int) ap_scan_script_header_er
if (buffer) {
*buffer = '\0';
}
@ -25,17 +24,17 @@ diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c
/* temporary place to hold headers to merge in later */
merge = apr_table_make(r->pool, 10);
@@ -430,7 +438,7 @@
@@ -441,7 +449,7 @@ AP_DECLARE(int) ap_scan_script_header_er
while (1) {
- int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
+ int rv = (*getsfunc) (w, wlen - 1, getsfunc_data);
if (rv == 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
"Premature end of script headers: %s",
@@ -537,9 +545,12 @@
const char *msg = "Premature end of script headers";
if (first_header)
@@ -553,9 +561,12 @@ AP_DECLARE(int) ap_scan_script_header_er
if (!(l = strchr(w, ':'))) {
if (!buffer) {
/* Soak up all the script output - may save an outright kill */
- while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) {
@ -47,4 +46,4 @@ diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c
+ buffer[MAX_STRING_LEN - 1] = 0;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,

3
httpd-2.4.3.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89ba3db446faa929206ed3f5a1bef7133e034ad8f8abfc5e8f8eb41f3cc61074
size 4032716

20
httpd-keepalivetimeout-millisecs.patch
View File

@ -1,20 +0,0 @@
--- modules/http/http_core.c.orig
+++ modules/http/http_core.c
@@ -47,12 +47,15 @@ static int ap_process_http_connection(co
static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy,
const char *arg)
{
+ apr_interval_time_t timeout;
const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
if (err != NULL) {
return err;
}
-
- cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg));
+ /* Stolen from mod_proxy.c */
+ if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS)
+ return "KeepAliveTimeout has wrong format";
+ cmd->server->keep_alive_timeout = timeout;
return NULL;
}

23
httpd-mod_deflate_head.patch
View File

@ -1,23 +0,0 @@
--- modules/filters/mod_deflate.c.orig
+++ modules/filters/mod_deflate.c
@@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a
apr_bucket *b;
apr_size_t len;
+ /*
+ * Optimization: If we are a HEAD request and bytes_sent is not zero
+ * it means that we have passed the content-length filter once and
+ * have more data to sent. This means that the content-length filter
+ * could not determine our content-length for the response to the
+ * HEAD request anyway (the associated GET request would deliver the
+ * body in chunked encoding) and we can stop compressing.
+ */
+ if (r->header_only && r->bytes_sent) {
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+ }
+
+
e = APR_BRIGADE_FIRST(bb);
if (APR_BUCKET_IS_EOS(e)) {

23
httpd-new_pcre.patch
View File

@ -1,23 +0,0 @@
Index: server/util_pcre.c
===================================================================
--- server/util_pcre.c.orig 2012-02-11 10:07:31.000000000 +0100
+++ server/util_pcre.c 2012-02-11 10:08:23.062838133 +0100
@@ -128,6 +128,7 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *p
const char *errorptr;
int erroffset;
int options = 0;
+int nsub;
if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS;
if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE;
@@ -137,7 +138,9 @@ preg->re_erroffset = erroffset;
if (preg->re_pcre == NULL) return AP_REG_INVARG;
-preg->re_nsub = pcre_info((const pcre *)preg->re_pcre, NULL, NULL);
+pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
+ PCRE_INFO_CAPTURECOUNT, &nsub);
+preg->re_nsub = nsub;
return 0;
}

13
ssl-mode-release-buffers.patch
View File

@ -1,13 +0,0 @@
--- modules/ssl/ssl_engine_init.c.orig
+++ modules/ssl/ssl_engine_init.c
@@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server
}
mctx->ssl_ctx = ctx;
-
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!(protocol & SSL_PROTOCOL_SSLV2)) {