From a0baaeb8ecdfd11fa6d49f92df14840e5cc40a14dc205f21afe62500aad8a33d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Fri, 6 Nov 2015 01:03:35 +0000 Subject: [PATCH] Accepting request 342583 from home:elvigia:branches:Apache - 2.4.17-protocols.patch from upstream http2 module: * master conn_rec* addition to conn_rec * improved ALPN and Upgrade handling * allowing requests for servers whose TLS configuration is compatible to the SNI server ones * disabling TLS renegotiation for slave connections OBS-URL: https://build.opensuse.org/request/show/342583 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=465 --- 2.4.17-protocols.patch | 819 +++++++++++++++++++++++++++++++++++++++++ apache2.changes | 10 + apache2.spec | 2 + 3 files changed, 831 insertions(+) create mode 100644 2.4.17-protocols.patch diff --git a/2.4.17-protocols.patch b/2.4.17-protocols.patch new file mode 100644 index 0000000..b88ee1e --- /dev/null +++ b/2.4.17-protocols.patch @@ -0,0 +1,819 @@ +--- include/httpd.h.orig ++++ include/httpd.h +@@ -1167,6 +1167,9 @@ struct conn_rec { + #if APR_HAS_THREADS + apr_thread_t *current_thread; + #endif ++ ++ /** The "real" master connection. NULL if I am the master. */ ++ conn_rec *master; + }; + + /** +--- include/http_protocol.h.orig ++++ include/http_protocol.h +@@ -782,7 +782,27 @@ AP_DECLARE_HOOK(int,protocol_switch,(con + * @return The identifier of the protocol in place or NULL + */ + AP_DECLARE_HOOK(const char *,protocol_get,(const conn_rec *c)) +- ++ ++/** ++ * Get the protocols that the connection and optional request may ++ * upgrade to - besides the protocol currently active on the connection. These ++ * values may be used to announce to a client what choices it has. ++ * ++ * If report_all == 0, only protocols more preferable than the one currently ++ * being used, are reported. Otherwise, all available protocols beside the ++ * current one are being reported. ++ * ++ * @param c The current connection ++ * @param r The current request or NULL ++ * @param s The server/virtual host selected or NULL ++ * @param report_all include also protocols less preferred than the current one ++ * @param pupgrades on return, possible protocols to upgrade to in descending order ++ * of preference. Maybe NULL if none are available. ++ */ ++AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r, ++ server_rec *s, int report_all, ++ const apr_array_header_t **pupgrades); ++ + /** + * Select a protocol for the given connection and optional request. Will return + * the protocol identifier selected which may be the protocol already in place +@@ -833,6 +853,23 @@ AP_DECLARE(apr_status_t) ap_switch_proto + */ + AP_DECLARE(const char *) ap_get_protocol(conn_rec *c); + ++/** ++ * Check if the given protocol is an allowed choice on the given ++ * combination of connection, request and server. ++ * ++ * When server is NULL, it is taken from request_rec, unless ++ * request_rec is NULL. Then it is taken from the connection base ++ * server. ++ * ++ * @param c The current connection ++ * @param r The current request or NULL ++ * @param s The server/virtual host selected or NULL ++ * @param protocol the protocol to switch to ++ * @return != 0 iff protocol is allowed ++ */ ++AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r, ++ server_rec *s, const char *protocol); ++ + /** @see ap_bucket_type_error */ + typedef struct ap_bucket_error ap_bucket_error; + +--- include/ap_mmn.h.orig ++++ include/ap_mmn.h +@@ -456,6 +456,7 @@ + * ap_select_protocol(), ap_switch_protocol(), + * ap_get_protocol(). Add HTTP_MISDIRECTED_REQUEST. + * Added ap_parse_token_list_strict() to httpd.h ++ * 20120211.52 (2.4.17-dev) Add master conn_rec* member in conn_rec. + */ + + #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ +@@ -463,7 +464,7 @@ + #ifndef MODULE_MAGIC_NUMBER_MAJOR + #define MODULE_MAGIC_NUMBER_MAJOR 20120211 + #endif +-#define MODULE_MAGIC_NUMBER_MINOR 51 /* 0...n */ ++#define MODULE_MAGIC_NUMBER_MINOR 52 /* 0...n */ + + /** + * Determine if the server's current MODULE_MAGIC_NUMBER is at least a +--- server/core.c.orig ++++ server/core.c +@@ -4995,8 +4995,15 @@ static void core_dump_config(apr_pool_t + static int core_upgrade_handler(request_rec *r) + { + conn_rec *c = r->connection; +- const char *upgrade = apr_table_get(r->headers_in, "Upgrade"); ++ const char *upgrade; + ++ if (c->master) { ++ /* Not possible to perform an HTTP/1.1 upgrade from a slave ++ * connection. */ ++ return DECLINED; ++ } ++ ++ upgrade = apr_table_get(r->headers_in, "Upgrade"); + if (upgrade && *upgrade) { + const char *conn = apr_table_get(r->headers_in, "Connection"); + if (ap_find_token(r->pool, conn, "upgrade")) { +@@ -5011,8 +5018,7 @@ static int core_upgrade_handler(request_ + } + + if (offers && offers->nelts > 0) { +- const char *protocol = ap_select_protocol(c, r, r->server, +- offers); ++ const char *protocol = ap_select_protocol(c, r, NULL, offers); + if (protocol && strcmp(protocol, ap_get_protocol(c))) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02909) + "Upgrade selects '%s'", protocol); +@@ -5034,6 +5040,19 @@ static int core_upgrade_handler(request_ + } + } + } ++ else if (!c->keepalives) { ++ /* first request on a master connection, if we have protocols other ++ * than the current one enabled here, announce them to the ++ * client. If the client is already talking a protocol with requests ++ * on slave connections, leave it be. */ ++ const apr_array_header_t *upgrades; ++ ap_get_protocol_upgrades(c, r, NULL, 0, &upgrades); ++ if (upgrades && upgrades->nelts > 0) { ++ char *protocols = apr_array_pstrcat(r->pool, upgrades, ','); ++ apr_table_setn(r->headers_out, "Upgrade", protocols); ++ apr_table_setn(r->headers_out, "Connection", "Upgrade"); ++ } ++ } + + return DECLINED; + } +--- server/protocol.c.orig ++++ server/protocol.c +@@ -1823,15 +1823,61 @@ AP_DECLARE(const char *) ap_get_protocol + return protocol? protocol : AP_PROTOCOL_HTTP1; + } + ++AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r, ++ server_rec *s, int report_all, ++ const apr_array_header_t **pupgrades) ++{ ++ apr_pool_t *pool = r? r->pool : c->pool; ++ core_server_config *conf; ++ const char *existing; ++ apr_array_header_t *upgrades = NULL; ++ ++ if (!s) { ++ s = (r? r->server : c->base_server); ++ } ++ conf = ap_get_core_module_config(s->module_config); ++ ++ if (conf->protocols->nelts > 0) { ++ existing = ap_get_protocol(c); ++ if (conf->protocols->nelts > 1 ++ || !ap_array_str_contains(conf->protocols, existing)) { ++ int i; ++ ++ /* possibly more than one choice or one, but not the ++ * existing. (TODO: maybe 426 and Upgrade then?) */ ++ upgrades = apr_array_make(pool, conf->protocols->nelts + 1, ++ sizeof(char *)); ++ for (i = 0; i < conf->protocols->nelts; i++) { ++ const char *p = APR_ARRAY_IDX(conf->protocols, i, char *); ++ if (strcmp(existing, p)) { ++ /* not the one we have and possible, add in this order */ ++ APR_ARRAY_PUSH(upgrades, const char*) = p; ++ } ++ else if (!report_all) { ++ break; ++ } ++ } ++ } ++ } ++ ++ *pupgrades = upgrades; ++ return APR_SUCCESS; ++} ++ + AP_DECLARE(const char *) ap_select_protocol(conn_rec *c, request_rec *r, + server_rec *s, + const apr_array_header_t *choices) + { + apr_pool_t *pool = r? r->pool : c->pool; +- core_server_config *conf = ap_get_core_module_config(s->module_config); ++ core_server_config *conf; + const char *protocol = NULL, *existing; + apr_array_header_t *proposals; + ++ if (!s) { ++ s = (r? r->server : c->base_server); ++ } ++ conf = ap_get_core_module_config(s->module_config); ++ + if (APLOGcdebug(c)) { + const char *p = apr_array_pstrcat(pool, conf->protocols, ','); + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, +@@ -1937,6 +1983,22 @@ AP_DECLARE(apr_status_t) ap_switch_proto + } + } + ++AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r, ++ server_rec *s, const char *protocol) ++{ ++ core_server_config *conf; ++ ++ if (!s) { ++ s = (r? r->server : c->base_server); ++ } ++ conf = ap_get_core_module_config(s->module_config); ++ ++ if (conf->protocols->nelts > 0) { ++ return ap_array_str_contains(conf->protocols, protocol); ++ } ++ return !strcmp(AP_PROTOCOL_HTTP1, protocol); ++} ++ + + AP_IMPLEMENT_HOOK_VOID(pre_read_request, + (request_rec *r, conn_rec *c), +--- modules/ssl/mod_ssl.c.orig ++++ modules/ssl/mod_ssl.c +@@ -377,6 +377,7 @@ static int ssl_hook_pre_config(apr_pool_ + static SSLConnRec *ssl_init_connection_ctx(conn_rec *c) + { + SSLConnRec *sslconn = myConnConfig(c); ++ SSLSrvConfigRec *sc; + + if (sslconn) { + return sslconn; +@@ -386,6 +387,8 @@ static SSLConnRec *ssl_init_connection_c + + sslconn->server = c->base_server; + sslconn->verify_depth = UNSET; ++ sc = mySrvConfig(c->base_server); ++ sslconn->cipher_suite = sc->server->auth.cipher_suite; + + myConnConfigSet(c, sslconn); + +@@ -525,6 +528,7 @@ static apr_port_t ssl_hook_default_port( + + static int ssl_hook_pre_connection(conn_rec *c, void *csd) + { ++ + SSLSrvConfigRec *sc; + SSLConnRec *sslconn = myConnConfig(c); + +@@ -537,8 +541,8 @@ static int ssl_hook_pre_connection(conn_ + /* + * Immediately stop processing if SSL is disabled for this connection + */ +- if (!(sc && (sc->enabled == SSL_ENABLED_TRUE || +- (sslconn && sslconn->is_proxy)))) ++ if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || ++ (sslconn && sslconn->is_proxy)))) + { + return DECLINED; + } +@@ -566,6 +570,26 @@ static int ssl_hook_pre_connection(conn_ + return ssl_init_ssl_connection(c, NULL); + } + ++static int ssl_hook_process_connection(conn_rec* c) ++{ ++ SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (sslconn && !sslconn->disabled) { ++ /* On an active SSL connection, let the input filters initialize ++ * themselves which triggers the handshake, which again triggers ++ * all kinds of useful things such as SNI and ALPN. ++ */ ++ apr_bucket_brigade* temp; ++ ++ temp = apr_brigade_create(c->pool, c->bucket_alloc); ++ ap_get_brigade(c->input_filters, temp, ++ AP_MODE_INIT, APR_BLOCK_READ, 0); ++ apr_brigade_destroy(temp); ++ } ++ ++ return DECLINED; ++} ++ + /* + * the module registration phase + */ +@@ -579,6 +603,8 @@ static void ssl_register_hooks(apr_pool_ + ssl_io_filter_register(p); + + ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE); ++ ap_hook_process_connection(ssl_hook_process_connection, ++ NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE); +--- modules/ssl/ssl_private.h.orig ++++ modules/ssl/ssl_private.h +@@ -460,6 +460,8 @@ typedef struct { + } reneg_state; + + server_rec *server; ++ ++ const char *cipher_suite; /* cipher suite used in last reneg */ + } SSLConnRec; + + /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is +--- modules/ssl/ssl_engine_io.c.orig ++++ modules/ssl/ssl_engine_io.c +@@ -298,9 +298,6 @@ typedef struct { + apr_pool_t *pool; + char buffer[AP_IOBUFSIZE]; + ssl_filter_ctx_t *filter_ctx; +-#ifdef HAVE_TLS_ALPN +- int alpn_finished; /* 1 if ALPN has finished, 0 otherwise */ +-#endif + } bio_filter_in_ctx_t; + + /* +@@ -1418,41 +1415,6 @@ static apr_status_t ssl_io_filter_input( + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + +-#ifdef HAVE_TLS_ALPN +- /* By this point, Application-Layer Protocol Negotiation (ALPN) should be +- * completed (if our version of OpenSSL supports it). If we haven't already, +- * find out which protocol was decided upon and inform other modules +- * by calling alpn_proto_negotiated_hook. +- */ +- if (!inctx->alpn_finished) { +- SSLConnRec *sslconn = myConnConfig(f->c); +- const unsigned char *next_proto = NULL; +- unsigned next_proto_len = 0; +- const char *protocol; +- +- SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len); +- if (next_proto && next_proto_len) { +- protocol = apr_pstrmemdup(f->c->pool, (const char *)next_proto, +- next_proto_len); +- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, +- APLOGNO(02836) "ALPN selected protocol: '%s'", +- protocol); +- +- if (strcmp(protocol, ap_get_protocol(f->c))) { +- status = ap_switch_protocol(f->c, NULL, sslconn->server, +- protocol); +- if (status != APR_SUCCESS) { +- ap_log_cerror(APLOG_MARK, APLOG_ERR, status, f->c, +- APLOGNO(02908) "protocol switch to '%s' failed", +- protocol); +- return status; +- } +- } +- } +- inctx->alpn_finished = 1; +- } +-#endif +- + return APR_SUCCESS; + } + +@@ -1934,9 +1896,6 @@ static void ssl_io_input_add_filter(ssl_ + inctx->block = APR_BLOCK_READ; + inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; +-#ifdef HAVE_TLS_ALPN +- inctx->alpn_finished = 0; +-#endif + } + + /* The request_rec pointer is passed in here only to ensure that the +--- modules/ssl/ssl_engine_vars.c.orig ++++ modules/ssl/ssl_engine_vars.c +@@ -39,7 +39,7 @@ + ** _________________________________________________________________ + */ + +-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var); ++static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var); + static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var); + static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var); + static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var); +@@ -49,8 +49,8 @@ static char *ssl_var_lookup_ssl_cert_ser + static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); + static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); + static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); +-static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c); +-static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); ++static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn); ++static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var); + static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); + static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); + static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); +@@ -77,7 +77,7 @@ static const char *expr_var_fn(ap_expr_e + char *var = (char *)data; + SSLConnRec *sslconn = myConnConfig(ctx->c); + +- return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : NULL; ++ return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL; + } + + static int ssl_expr_lookup(ap_expr_lookup_parms *parms) +@@ -245,9 +245,13 @@ char *ssl_var_lookup(apr_pool_t *p, serv + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = myConnConfig(c); ++ if (!(sslconn && sslconn->ssl) && c->master) { ++ /* use master connection if no SSL defined here */ ++ sslconn = myConnConfig(c->master); ++ } + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) +- result = ssl_var_lookup_ssl(p, c, r, var+4); ++ result = ssl_var_lookup_ssl(p, sslconn, r, var+4); + else if (strcEQ(var, "HTTPS")) { + if (sslconn && sslconn->ssl) + result = "on"; +@@ -317,10 +321,9 @@ char *ssl_var_lookup(apr_pool_t *p, serv + return (char *)result; + } + +-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, +- char *var) ++static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, ++ request_rec *r, char *var) + { +- SSLConnRec *sslconn = myConnConfig(c); + char *result; + X509 *xs; + STACK_OF(X509) *sk; +@@ -360,7 +363,7 @@ static char *ssl_var_lookup_ssl(apr_pool + result = "Initial"; + } + else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { +- result = ssl_var_lookup_ssl_cipher(p, c, var+6); ++ result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6); + } + else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) { + sk = SSL_get_peer_cert_chain(ssl); +@@ -370,7 +373,7 @@ static char *ssl_var_lookup_ssl(apr_pool + result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl); + } + else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) { +- result = ssl_var_lookup_ssl_cert_verify(p, c); ++ result = ssl_var_lookup_ssl_cert_verify(p, sslconn); + } + else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) { + if ((xs = SSL_get_peer_certificate(ssl)) != NULL) { +@@ -779,9 +782,8 @@ static char *ssl_var_lookup_ssl_cert_PEM + return result; + } + +-static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c) ++static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn) + { +- SSLConnRec *sslconn = myConnConfig(c); + char *result; + long vrc; + const char *verr; +@@ -815,9 +817,8 @@ static char *ssl_var_lookup_ssl_cert_ver + return result; + } + +-static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var) ++static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var) + { +- SSLConnRec *sslconn = myConnConfig(c); + char *result; + BOOL resdup; + int usekeysize, algkeysize; +--- modules/ssl/ssl_engine_kernel.c.orig ++++ modules/ssl/ssl_engine_kernel.c +@@ -113,6 +113,108 @@ static int has_buffered_data(request_rec + return result; + } + ++static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) ++{ ++ int i; ++ const char *c; ++ ++ if (s1 == s2) { ++ return 1; ++ } ++ else if (!s1 || !s2 || (s1->nelts != s2->nelts)) { ++ return 0; ++ } ++ ++ for (i = 0; i < s1->nelts; i++) { ++ c = APR_ARRAY_IDX(s1, i, const char *); ++ if (!c || !ap_array_str_contains(s2, c)) { ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, ++ modssl_pk_server_t *pks2) ++{ ++ if (!pks1 || !pks2) { ++ return 0; ++ } ++ /* both have the same certificates? */ ++ if ((pks1->ca_name_path != pks2->ca_name_path) ++ && (!pks1->ca_name_path || !pks2->ca_name_path ++ || strcmp(pks1->ca_name_path, pks2->ca_name_path))) { ++ return 0; ++ } ++ if ((pks1->ca_name_file != pks2->ca_name_file) ++ && (!pks1->ca_name_file || !pks2->ca_name_file ++ || strcmp(pks1->ca_name_file, pks2->ca_name_file))) { ++ return 0; ++ } ++ if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files) ++ || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) { ++ return 0; ++ } ++ return 1; ++} ++ ++static int ssl_auth_compatible(modssl_auth_ctx_t *a1, ++ modssl_auth_ctx_t *a2) ++{ ++ if (!a1 || !a2) { ++ return 0; ++ } ++ /* both have the same verification */ ++ if ((a1->verify_depth != a2->verify_depth) ++ || (a1->verify_mode != a2->verify_mode)) { ++ return 0; ++ } ++ /* both have the same ca path/file */ ++ if ((a1->ca_cert_path != a2->ca_cert_path) ++ && (!a1->ca_cert_path || !a2->ca_cert_path ++ || strcmp(a1->ca_cert_path, a2->ca_cert_path))) { ++ return 0; ++ } ++ if ((a1->ca_cert_file != a2->ca_cert_file) ++ && (!a1->ca_cert_file || !a2->ca_cert_file ++ || strcmp(a1->ca_cert_file, a2->ca_cert_file))) { ++ return 0; ++ } ++ /* both have the same ca cipher suite string */ ++ if ((a1->cipher_suite != a2->cipher_suite) ++ && (!a1->cipher_suite || !a2->cipher_suite ++ || strcmp(a1->cipher_suite, a2->cipher_suite))) { ++ return 0; ++ } ++ return 1; ++} ++ ++static int ssl_ctx_compatible(modssl_ctx_t *ctx1, ++ modssl_ctx_t *ctx2) ++{ ++ if (!ctx1 || !ctx2 ++ || (ctx1->protocol != ctx2->protocol) ++ || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth) ++ || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) { ++ return 0; ++ } ++ return 1; ++} ++ ++static int ssl_server_compatible(server_rec *s1, server_rec *s2) ++{ ++ SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL; ++ SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL; ++ ++ /* both use the same TLS protocol? */ ++ if (!sc1 || !sc2 ++ || !ssl_ctx_compatible(sc1->server, sc2->server)) { ++ return 0; ++ } ++ ++ return 1; ++} ++ + /* + * Post Read Request Handler + */ +@@ -137,7 +239,13 @@ int ssl_hook_ReadReq(request_rec *r) + } + } + ++ /* If we are on a slave connection, we do not expect to have an SSLConnRec, ++ * but our master connection might. */ + sslconn = myConnConfig(r->connection); ++ if (!(sslconn && sslconn->ssl) && r->connection->master) { ++ sslconn = myConnConfig(r->connection->master); ++ } ++ + if (!sslconn) { + return DECLINED; + } +@@ -195,15 +303,16 @@ int ssl_hook_ReadReq(request_rec *r) + " provided in HTTP request", servername); + return HTTP_BAD_REQUEST; + } +- if (r->server != handshakeserver) { ++ if (r->server != handshakeserver ++ && !ssl_server_compatible(sslconn->server, r->server)) { + /* +- * We are really not in Kansas anymore... + * The request does not select the virtual host that was +- * selected by the SNI. ++ * selected by the SNI and its SSL parameters are different + */ ++ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) + "Hostname %s provided via SNI and hostname %s provided" +- " via HTTP select a different server", ++ " via HTTP have no compatible SSL setup", + servername, r->hostname); + return HTTP_MISDIRECTED_REQUEST; + } +@@ -302,6 +411,7 @@ int ssl_hook_Access(request_rec *r) + SSLConnRec *sslconn = myConnConfig(r->connection); + SSL *ssl = sslconn ? sslconn->ssl : NULL; + server_rec *handshakeserver = sslconn ? sslconn->server : NULL; ++ SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL; + SSL_CTX *ctx = NULL; + apr_array_header_t *requires; + ssl_require_t *ssl_requires; +@@ -313,8 +423,19 @@ int ssl_hook_Access(request_rec *r) + X509_STORE_CTX cert_store_ctx; + STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; + const SSL_CIPHER *cipher = NULL; +- int depth, verify_old, verify, n; ++ int depth, verify_old, verify, n, is_slave = 0; ++ const char *ncipher_suite; + ++ /* On a slave connection, we do not expect to have an SSLConnRec, but ++ * our master connection might have one. */ ++ if (!(sslconn && ssl) && r->connection->master) { ++ sslconn = myConnConfig(r->connection->master); ++ ssl = sslconn ? sslconn->ssl : NULL; ++ handshakeserver = sslconn ? sslconn->server : NULL; ++ hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL; ++ is_slave = 1; ++ } ++ + if (ssl) { + /* + * We should have handshaken here (on handshakeserver), +@@ -333,7 +454,7 @@ int ssl_hook_Access(request_rec *r) + * Support for SSLRequireSSL directive + */ + if (dc->bSSLRequired && !ssl) { +- if (sc->enabled == SSL_ENABLED_OPTIONAL) { ++ if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) { + /* This vhost was configured for optional SSL, just tell the + * client that we need to upgrade. + */ +@@ -416,8 +537,13 @@ int ssl_hook_Access(request_rec *r) + * new cipher suite. This approach is fine because the user explicitly + * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no + * implicit optimizations. +- */ +- if (dc->szCipherSuite || (r->server != handshakeserver)) { ++ */ ++ ncipher_suite = (dc->szCipherSuite? ++ dc->szCipherSuite : (r->server != handshakeserver)? ++ sc->server->auth.cipher_suite : NULL); ++ ++ if (ncipher_suite && (!sslconn->cipher_suite ++ || strcmp(ncipher_suite, sslconn->cipher_suite))) { + /* remember old state */ + + if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { +@@ -432,10 +558,18 @@ int ssl_hook_Access(request_rec *r) + } + + /* configure new state */ +- if ((dc->szCipherSuite || sc->server->auth.cipher_suite) && +- !SSL_set_cipher_list(ssl, dc->szCipherSuite ? +- dc->szCipherSuite : +- sc->server->auth.cipher_suite)) { ++ if (is_slave) { ++ /* TODO: this categorically fails changed cipher suite settings ++ * on slave connections. We could do better by ++ * - create a new SSL* from our SSL_CTX and set cipher suite there, ++ * and retrieve ciphers, free afterwards ++ * Modifying the SSL on a slave connection is no good. ++ */ ++ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); ++ return HTTP_FORBIDDEN; ++ } ++ ++ if (!SSL_set_cipher_list(ssl, ncipher_suite)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253) + "Unable to reconfigure (per-directory) " + "permitted SSL ciphers"); +@@ -502,6 +636,15 @@ int ssl_hook_Access(request_rec *r) + } + + if (renegotiate) { ++ if (is_slave) { ++ /* The request causes renegotiation on a slave connection. ++ * This is not allowed since we might have concurrent requests ++ * on this connection. ++ */ ++ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); ++ return HTTP_FORBIDDEN; ++ } ++ + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (sc->cipher_server_pref == TRUE) { + SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); +@@ -554,6 +697,7 @@ int ssl_hook_Access(request_rec *r) + */ + if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || + (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { ++ + /* remember old state */ + verify_old = SSL_get_verify_mode(ssl); + /* configure new state */ +@@ -572,6 +716,9 @@ int ssl_hook_Access(request_rec *r) + verify |= SSL_VERIFY_PEER; + } + ++ /* TODO: this seems premature since we do not know if there ++ * are any changes required. ++ */ + SSL_set_verify(ssl, verify, ssl_callback_SSLVerify); + SSL_set_verify_result(ssl, X509_V_OK); + +@@ -587,6 +734,14 @@ int ssl_hook_Access(request_rec *r) + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) + { + renegotiate = TRUE; ++ if (is_slave) { ++ /* The request causes renegotiation on a slave connection. ++ * This is not allowed since we might have concurrent requests ++ * on this connection. ++ */ ++ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client"); ++ return HTTP_FORBIDDEN; ++ } + /* optimization */ + + if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && +@@ -907,6 +1062,10 @@ int ssl_hook_Access(request_rec *r) + return HTTP_FORBIDDEN; + } + } ++ /* remember any new cipher suite used in renegotiation */ ++ if (ncipher_suite) { ++ sslconn->cipher_suite = ncipher_suite; ++ } + } + + /* If we're trying to have the user name set from a client +@@ -1170,6 +1329,10 @@ int ssl_hook_Fixup(request_rec *r) + apr_table_mergen(r->headers_out, "Connection", "upgrade"); + } + ++ if (!(sslconn && sslconn->ssl) && r->connection->master) { ++ sslconn = myConnConfig(r->connection->master); ++ } ++ + /* + * Check to see if SSL is on + */ +@@ -1192,8 +1355,8 @@ int ssl_hook_Fixup(request_rec *r) + + /* standard SSL environment variables */ + if (dc->nOptions & SSL_OPT_STDENVVARS) { +- modssl_var_extract_dns(env, sslconn->ssl, r->pool); +- modssl_var_extract_san_entries(env, sslconn->ssl, r->pool); ++ modssl_var_extract_dns(env, ssl, r->pool); ++ modssl_var_extract_san_entries(env, ssl, r->pool); + + for (i = 0; ssl_hook_Fixup_vars[i]; i++) { + var = (char *)ssl_hook_Fixup_vars[i]; +@@ -2037,7 +2200,8 @@ static int ssl_find_vhost(void *serverna + * retrieval + */ + sslcon->server = s; +- ++ sslcon->cipher_suite = sc->server->auth.cipher_suite; ++ + /* + * There is one special filter callback, which is set + * very early depending on the base_server's log level. +@@ -2194,14 +2358,30 @@ int ssl_callback_alpn_select(SSL *ssl, + init_vhost(c, ssl); + + proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos); +- *out = (const unsigned char *)(proposed? proposed : ap_get_protocol(c)); +- len = strlen((const char*)*out); ++ if (!proposed) { ++ proposed = ap_get_protocol(c); ++ } ++ ++ len = strlen(proposed); + if (len > 255) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840) + "ALPN negotiated protocol name too long"); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } ++ *out = (const unsigned char *)proposed; + *outlen = (unsigned char)len; ++ ++ if (strcmp(proposed, ap_get_protocol(c))) { ++ apr_status_t status; ++ ++ status = ap_switch_protocol(c, NULL, sslconn->server, proposed); ++ if (status != APR_SUCCESS) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, status, c, ++ APLOGNO(02908) "protocol switch to '%s' failed", ++ proposed); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } + + return SSL_TLSEXT_ERR_OK; + } diff --git a/apache2.changes b/apache2.changes index 73a08eb..b00f6e3 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu Nov 5 16:52:45 UTC 2015 - crrodriguez@opensuse.org + +- 2.4.17-protocols.patch from upstream http2 module: +* master conn_rec* addition to conn_rec +* improved ALPN and Upgrade handling +* allowing requests for servers whose TLS configuration is compatible + to the SNI server ones +* disabling TLS renegotiation for slave connections + ------------------------------------------------------------------- Wed Nov 4 06:29:27 UTC 2015 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index 947c7cd..7b368dc 100644 --- a/apache2.spec +++ b/apache2.spec @@ -122,6 +122,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch # PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188 Patch114: httpd-2.4.12-lua-5.2.patch +Patch1000: https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/2.4.17-protocols.patch BuildRequires: automake BuildRequires: db-devel BuildRequires: ed @@ -307,6 +308,7 @@ to administrators of web servers in general. %endif %patch111 -p1 %patch114 -p1 +%patch1000 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{SOURCE22})