From 3e530c71a2f563feae47f29466116f2fab64295d12150bde2632e4b8e0224bf3 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 14 Dec 2015 08:02:47 +0000 Subject: [PATCH 1/3] Accepting request 348489 from home:elvigia:branches:Apache - Update to version 2.44.18 * drop 2.4.17-protocols.patch in upstream. - Change list too long to mention here see: http://www.apache.org/dist/httpd/CHANGES_2.4.18 for details. OBS-URL: https://build.opensuse.org/request/show/348489 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=469 --- 2.4.17-protocols.patch | 819 ----------------------------------------- apache2.changes | 8 + apache2.spec | 4 +- httpd-2.4.17.tar.bz2 | 3 - httpd-2.4.18.tar.bz2 | 3 + 5 files changed, 12 insertions(+), 825 deletions(-) delete mode 100644 2.4.17-protocols.patch delete mode 100644 httpd-2.4.17.tar.bz2 create mode 100644 httpd-2.4.18.tar.bz2 diff --git a/2.4.17-protocols.patch b/2.4.17-protocols.patch deleted file mode 100644 index b88ee1e..0000000 --- a/2.4.17-protocols.patch +++ /dev/null @@ -1,819 +0,0 @@ ---- include/httpd.h.orig -+++ include/httpd.h -@@ -1167,6 +1167,9 @@ struct conn_rec { - #if APR_HAS_THREADS - apr_thread_t *current_thread; - #endif -+ -+ /** The "real" master connection. NULL if I am the master. */ -+ conn_rec *master; - }; - - /** ---- include/http_protocol.h.orig -+++ include/http_protocol.h -@@ -782,7 +782,27 @@ AP_DECLARE_HOOK(int,protocol_switch,(con - * @return The identifier of the protocol in place or NULL - */ - AP_DECLARE_HOOK(const char *,protocol_get,(const conn_rec *c)) -- -+ -+/** -+ * Get the protocols that the connection and optional request may -+ * upgrade to - besides the protocol currently active on the connection. These -+ * values may be used to announce to a client what choices it has. -+ * -+ * If report_all == 0, only protocols more preferable than the one currently -+ * being used, are reported. Otherwise, all available protocols beside the -+ * current one are being reported. -+ * -+ * @param c The current connection -+ * @param r The current request or NULL -+ * @param s The server/virtual host selected or NULL -+ * @param report_all include also protocols less preferred than the current one -+ * @param pupgrades on return, possible protocols to upgrade to in descending order -+ * of preference. Maybe NULL if none are available. -+ */ -+AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r, -+ server_rec *s, int report_all, -+ const apr_array_header_t **pupgrades); -+ - /** - * Select a protocol for the given connection and optional request. Will return - * the protocol identifier selected which may be the protocol already in place -@@ -833,6 +853,23 @@ AP_DECLARE(apr_status_t) ap_switch_proto - */ - AP_DECLARE(const char *) ap_get_protocol(conn_rec *c); - -+/** -+ * Check if the given protocol is an allowed choice on the given -+ * combination of connection, request and server. -+ * -+ * When server is NULL, it is taken from request_rec, unless -+ * request_rec is NULL. Then it is taken from the connection base -+ * server. -+ * -+ * @param c The current connection -+ * @param r The current request or NULL -+ * @param s The server/virtual host selected or NULL -+ * @param protocol the protocol to switch to -+ * @return != 0 iff protocol is allowed -+ */ -+AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r, -+ server_rec *s, const char *protocol); -+ - /** @see ap_bucket_type_error */ - typedef struct ap_bucket_error ap_bucket_error; - ---- include/ap_mmn.h.orig -+++ include/ap_mmn.h -@@ -456,6 +456,7 @@ - * ap_select_protocol(), ap_switch_protocol(), - * ap_get_protocol(). Add HTTP_MISDIRECTED_REQUEST. - * Added ap_parse_token_list_strict() to httpd.h -+ * 20120211.52 (2.4.17-dev) Add master conn_rec* member in conn_rec. - */ - - #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ -@@ -463,7 +464,7 @@ - #ifndef MODULE_MAGIC_NUMBER_MAJOR - #define MODULE_MAGIC_NUMBER_MAJOR 20120211 - #endif --#define MODULE_MAGIC_NUMBER_MINOR 51 /* 0...n */ -+#define MODULE_MAGIC_NUMBER_MINOR 52 /* 0...n */ - - /** - * Determine if the server's current MODULE_MAGIC_NUMBER is at least a ---- server/core.c.orig -+++ server/core.c -@@ -4995,8 +4995,15 @@ static void core_dump_config(apr_pool_t - static int core_upgrade_handler(request_rec *r) - { - conn_rec *c = r->connection; -- const char *upgrade = apr_table_get(r->headers_in, "Upgrade"); -+ const char *upgrade; - -+ if (c->master) { -+ /* Not possible to perform an HTTP/1.1 upgrade from a slave -+ * connection. */ -+ return DECLINED; -+ } -+ -+ upgrade = apr_table_get(r->headers_in, "Upgrade"); - if (upgrade && *upgrade) { - const char *conn = apr_table_get(r->headers_in, "Connection"); - if (ap_find_token(r->pool, conn, "upgrade")) { -@@ -5011,8 +5018,7 @@ static int core_upgrade_handler(request_ - } - - if (offers && offers->nelts > 0) { -- const char *protocol = ap_select_protocol(c, r, r->server, -- offers); -+ const char *protocol = ap_select_protocol(c, r, NULL, offers); - if (protocol && strcmp(protocol, ap_get_protocol(c))) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02909) - "Upgrade selects '%s'", protocol); -@@ -5034,6 +5040,19 @@ static int core_upgrade_handler(request_ - } - } - } -+ else if (!c->keepalives) { -+ /* first request on a master connection, if we have protocols other -+ * than the current one enabled here, announce them to the -+ * client. If the client is already talking a protocol with requests -+ * on slave connections, leave it be. */ -+ const apr_array_header_t *upgrades; -+ ap_get_protocol_upgrades(c, r, NULL, 0, &upgrades); -+ if (upgrades && upgrades->nelts > 0) { -+ char *protocols = apr_array_pstrcat(r->pool, upgrades, ','); -+ apr_table_setn(r->headers_out, "Upgrade", protocols); -+ apr_table_setn(r->headers_out, "Connection", "Upgrade"); -+ } -+ } - - return DECLINED; - } ---- server/protocol.c.orig -+++ server/protocol.c -@@ -1823,15 +1823,61 @@ AP_DECLARE(const char *) ap_get_protocol - return protocol? protocol : AP_PROTOCOL_HTTP1; - } - -+AP_DECLARE(apr_status_t) ap_get_protocol_upgrades(conn_rec *c, request_rec *r, -+ server_rec *s, int report_all, -+ const apr_array_header_t **pupgrades) -+{ -+ apr_pool_t *pool = r? r->pool : c->pool; -+ core_server_config *conf; -+ const char *existing; -+ apr_array_header_t *upgrades = NULL; -+ -+ if (!s) { -+ s = (r? r->server : c->base_server); -+ } -+ conf = ap_get_core_module_config(s->module_config); -+ -+ if (conf->protocols->nelts > 0) { -+ existing = ap_get_protocol(c); -+ if (conf->protocols->nelts > 1 -+ || !ap_array_str_contains(conf->protocols, existing)) { -+ int i; -+ -+ /* possibly more than one choice or one, but not the -+ * existing. (TODO: maybe 426 and Upgrade then?) */ -+ upgrades = apr_array_make(pool, conf->protocols->nelts + 1, -+ sizeof(char *)); -+ for (i = 0; i < conf->protocols->nelts; i++) { -+ const char *p = APR_ARRAY_IDX(conf->protocols, i, char *); -+ if (strcmp(existing, p)) { -+ /* not the one we have and possible, add in this order */ -+ APR_ARRAY_PUSH(upgrades, const char*) = p; -+ } -+ else if (!report_all) { -+ break; -+ } -+ } -+ } -+ } -+ -+ *pupgrades = upgrades; -+ return APR_SUCCESS; -+} -+ - AP_DECLARE(const char *) ap_select_protocol(conn_rec *c, request_rec *r, - server_rec *s, - const apr_array_header_t *choices) - { - apr_pool_t *pool = r? r->pool : c->pool; -- core_server_config *conf = ap_get_core_module_config(s->module_config); -+ core_server_config *conf; - const char *protocol = NULL, *existing; - apr_array_header_t *proposals; - -+ if (!s) { -+ s = (r? r->server : c->base_server); -+ } -+ conf = ap_get_core_module_config(s->module_config); -+ - if (APLOGcdebug(c)) { - const char *p = apr_array_pstrcat(pool, conf->protocols, ','); - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, -@@ -1937,6 +1983,22 @@ AP_DECLARE(apr_status_t) ap_switch_proto - } - } - -+AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r, -+ server_rec *s, const char *protocol) -+{ -+ core_server_config *conf; -+ -+ if (!s) { -+ s = (r? r->server : c->base_server); -+ } -+ conf = ap_get_core_module_config(s->module_config); -+ -+ if (conf->protocols->nelts > 0) { -+ return ap_array_str_contains(conf->protocols, protocol); -+ } -+ return !strcmp(AP_PROTOCOL_HTTP1, protocol); -+} -+ - - AP_IMPLEMENT_HOOK_VOID(pre_read_request, - (request_rec *r, conn_rec *c), ---- modules/ssl/mod_ssl.c.orig -+++ modules/ssl/mod_ssl.c -@@ -377,6 +377,7 @@ static int ssl_hook_pre_config(apr_pool_ - static SSLConnRec *ssl_init_connection_ctx(conn_rec *c) - { - SSLConnRec *sslconn = myConnConfig(c); -+ SSLSrvConfigRec *sc; - - if (sslconn) { - return sslconn; -@@ -386,6 +387,8 @@ static SSLConnRec *ssl_init_connection_c - - sslconn->server = c->base_server; - sslconn->verify_depth = UNSET; -+ sc = mySrvConfig(c->base_server); -+ sslconn->cipher_suite = sc->server->auth.cipher_suite; - - myConnConfigSet(c, sslconn); - -@@ -525,6 +528,7 @@ static apr_port_t ssl_hook_default_port( - - static int ssl_hook_pre_connection(conn_rec *c, void *csd) - { -+ - SSLSrvConfigRec *sc; - SSLConnRec *sslconn = myConnConfig(c); - -@@ -537,8 +541,8 @@ static int ssl_hook_pre_connection(conn_ - /* - * Immediately stop processing if SSL is disabled for this connection - */ -- if (!(sc && (sc->enabled == SSL_ENABLED_TRUE || -- (sslconn && sslconn->is_proxy)))) -+ if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || -+ (sslconn && sslconn->is_proxy)))) - { - return DECLINED; - } -@@ -566,6 +570,26 @@ static int ssl_hook_pre_connection(conn_ - return ssl_init_ssl_connection(c, NULL); - } - -+static int ssl_hook_process_connection(conn_rec* c) -+{ -+ SSLConnRec *sslconn = myConnConfig(c); -+ -+ if (sslconn && !sslconn->disabled) { -+ /* On an active SSL connection, let the input filters initialize -+ * themselves which triggers the handshake, which again triggers -+ * all kinds of useful things such as SNI and ALPN. -+ */ -+ apr_bucket_brigade* temp; -+ -+ temp = apr_brigade_create(c->pool, c->bucket_alloc); -+ ap_get_brigade(c->input_filters, temp, -+ AP_MODE_INIT, APR_BLOCK_READ, 0); -+ apr_brigade_destroy(temp); -+ } -+ -+ return DECLINED; -+} -+ - /* - * the module registration phase - */ -@@ -579,6 +603,8 @@ static void ssl_register_hooks(apr_pool_ - ssl_io_filter_register(p); - - ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE); -+ ap_hook_process_connection(ssl_hook_process_connection, -+ NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE); - ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE); - ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE); ---- modules/ssl/ssl_private.h.orig -+++ modules/ssl/ssl_private.h -@@ -460,6 +460,8 @@ typedef struct { - } reneg_state; - - server_rec *server; -+ -+ const char *cipher_suite; /* cipher suite used in last reneg */ - } SSLConnRec; - - /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is ---- modules/ssl/ssl_engine_io.c.orig -+++ modules/ssl/ssl_engine_io.c -@@ -298,9 +298,6 @@ typedef struct { - apr_pool_t *pool; - char buffer[AP_IOBUFSIZE]; - ssl_filter_ctx_t *filter_ctx; --#ifdef HAVE_TLS_ALPN -- int alpn_finished; /* 1 if ALPN has finished, 0 otherwise */ --#endif - } bio_filter_in_ctx_t; - - /* -@@ -1418,41 +1415,6 @@ static apr_status_t ssl_io_filter_input( - APR_BRIGADE_INSERT_TAIL(bb, bucket); - } - --#ifdef HAVE_TLS_ALPN -- /* By this point, Application-Layer Protocol Negotiation (ALPN) should be -- * completed (if our version of OpenSSL supports it). If we haven't already, -- * find out which protocol was decided upon and inform other modules -- * by calling alpn_proto_negotiated_hook. -- */ -- if (!inctx->alpn_finished) { -- SSLConnRec *sslconn = myConnConfig(f->c); -- const unsigned char *next_proto = NULL; -- unsigned next_proto_len = 0; -- const char *protocol; -- -- SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len); -- if (next_proto && next_proto_len) { -- protocol = apr_pstrmemdup(f->c->pool, (const char *)next_proto, -- next_proto_len); -- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, -- APLOGNO(02836) "ALPN selected protocol: '%s'", -- protocol); -- -- if (strcmp(protocol, ap_get_protocol(f->c))) { -- status = ap_switch_protocol(f->c, NULL, sslconn->server, -- protocol); -- if (status != APR_SUCCESS) { -- ap_log_cerror(APLOG_MARK, APLOG_ERR, status, f->c, -- APLOGNO(02908) "protocol switch to '%s' failed", -- protocol); -- return status; -- } -- } -- } -- inctx->alpn_finished = 1; -- } --#endif -- - return APR_SUCCESS; - } - -@@ -1934,9 +1896,6 @@ static void ssl_io_input_add_filter(ssl_ - inctx->block = APR_BLOCK_READ; - inctx->pool = c->pool; - inctx->filter_ctx = filter_ctx; --#ifdef HAVE_TLS_ALPN -- inctx->alpn_finished = 0; --#endif - } - - /* The request_rec pointer is passed in here only to ensure that the ---- modules/ssl/ssl_engine_vars.c.orig -+++ modules/ssl/ssl_engine_vars.c -@@ -39,7 +39,7 @@ - ** _________________________________________________________________ - */ - --static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var); -+static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var); - static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var); - static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var); - static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var); -@@ -49,8 +49,8 @@ static char *ssl_var_lookup_ssl_cert_ser - static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); - static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); - static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); --static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c); --static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); -+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn); -+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var); - static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); - static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); - static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); -@@ -77,7 +77,7 @@ static const char *expr_var_fn(ap_expr_e - char *var = (char *)data; - SSLConnRec *sslconn = myConnConfig(ctx->c); - -- return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : NULL; -+ return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL; - } - - static int ssl_expr_lookup(ap_expr_lookup_parms *parms) -@@ -245,9 +245,13 @@ char *ssl_var_lookup(apr_pool_t *p, serv - */ - if (result == NULL && c != NULL) { - SSLConnRec *sslconn = myConnConfig(c); -+ if (!(sslconn && sslconn->ssl) && c->master) { -+ /* use master connection if no SSL defined here */ -+ sslconn = myConnConfig(c->master); -+ } - if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) - && sslconn && sslconn->ssl) -- result = ssl_var_lookup_ssl(p, c, r, var+4); -+ result = ssl_var_lookup_ssl(p, sslconn, r, var+4); - else if (strcEQ(var, "HTTPS")) { - if (sslconn && sslconn->ssl) - result = "on"; -@@ -317,10 +321,9 @@ char *ssl_var_lookup(apr_pool_t *p, serv - return (char *)result; - } - --static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, -- char *var) -+static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, -+ request_rec *r, char *var) - { -- SSLConnRec *sslconn = myConnConfig(c); - char *result; - X509 *xs; - STACK_OF(X509) *sk; -@@ -360,7 +363,7 @@ static char *ssl_var_lookup_ssl(apr_pool - result = "Initial"; - } - else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { -- result = ssl_var_lookup_ssl_cipher(p, c, var+6); -+ result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6); - } - else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) { - sk = SSL_get_peer_cert_chain(ssl); -@@ -370,7 +373,7 @@ static char *ssl_var_lookup_ssl(apr_pool - result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl); - } - else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) { -- result = ssl_var_lookup_ssl_cert_verify(p, c); -+ result = ssl_var_lookup_ssl_cert_verify(p, sslconn); - } - else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) { - if ((xs = SSL_get_peer_certificate(ssl)) != NULL) { -@@ -779,9 +782,8 @@ static char *ssl_var_lookup_ssl_cert_PEM - return result; - } - --static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c) -+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn) - { -- SSLConnRec *sslconn = myConnConfig(c); - char *result; - long vrc; - const char *verr; -@@ -815,9 +817,8 @@ static char *ssl_var_lookup_ssl_cert_ver - return result; - } - --static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var) -+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var) - { -- SSLConnRec *sslconn = myConnConfig(c); - char *result; - BOOL resdup; - int usekeysize, algkeysize; ---- modules/ssl/ssl_engine_kernel.c.orig -+++ modules/ssl/ssl_engine_kernel.c -@@ -113,6 +113,108 @@ static int has_buffered_data(request_rec - return result; - } - -+static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) -+{ -+ int i; -+ const char *c; -+ -+ if (s1 == s2) { -+ return 1; -+ } -+ else if (!s1 || !s2 || (s1->nelts != s2->nelts)) { -+ return 0; -+ } -+ -+ for (i = 0; i < s1->nelts; i++) { -+ c = APR_ARRAY_IDX(s1, i, const char *); -+ if (!c || !ap_array_str_contains(s2, c)) { -+ return 0; -+ } -+ } -+ return 1; -+} -+ -+static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, -+ modssl_pk_server_t *pks2) -+{ -+ if (!pks1 || !pks2) { -+ return 0; -+ } -+ /* both have the same certificates? */ -+ if ((pks1->ca_name_path != pks2->ca_name_path) -+ && (!pks1->ca_name_path || !pks2->ca_name_path -+ || strcmp(pks1->ca_name_path, pks2->ca_name_path))) { -+ return 0; -+ } -+ if ((pks1->ca_name_file != pks2->ca_name_file) -+ && (!pks1->ca_name_file || !pks2->ca_name_file -+ || strcmp(pks1->ca_name_file, pks2->ca_name_file))) { -+ return 0; -+ } -+ if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files) -+ || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) { -+ return 0; -+ } -+ return 1; -+} -+ -+static int ssl_auth_compatible(modssl_auth_ctx_t *a1, -+ modssl_auth_ctx_t *a2) -+{ -+ if (!a1 || !a2) { -+ return 0; -+ } -+ /* both have the same verification */ -+ if ((a1->verify_depth != a2->verify_depth) -+ || (a1->verify_mode != a2->verify_mode)) { -+ return 0; -+ } -+ /* both have the same ca path/file */ -+ if ((a1->ca_cert_path != a2->ca_cert_path) -+ && (!a1->ca_cert_path || !a2->ca_cert_path -+ || strcmp(a1->ca_cert_path, a2->ca_cert_path))) { -+ return 0; -+ } -+ if ((a1->ca_cert_file != a2->ca_cert_file) -+ && (!a1->ca_cert_file || !a2->ca_cert_file -+ || strcmp(a1->ca_cert_file, a2->ca_cert_file))) { -+ return 0; -+ } -+ /* both have the same ca cipher suite string */ -+ if ((a1->cipher_suite != a2->cipher_suite) -+ && (!a1->cipher_suite || !a2->cipher_suite -+ || strcmp(a1->cipher_suite, a2->cipher_suite))) { -+ return 0; -+ } -+ return 1; -+} -+ -+static int ssl_ctx_compatible(modssl_ctx_t *ctx1, -+ modssl_ctx_t *ctx2) -+{ -+ if (!ctx1 || !ctx2 -+ || (ctx1->protocol != ctx2->protocol) -+ || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth) -+ || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) { -+ return 0; -+ } -+ return 1; -+} -+ -+static int ssl_server_compatible(server_rec *s1, server_rec *s2) -+{ -+ SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL; -+ SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL; -+ -+ /* both use the same TLS protocol? */ -+ if (!sc1 || !sc2 -+ || !ssl_ctx_compatible(sc1->server, sc2->server)) { -+ return 0; -+ } -+ -+ return 1; -+} -+ - /* - * Post Read Request Handler - */ -@@ -137,7 +239,13 @@ int ssl_hook_ReadReq(request_rec *r) - } - } - -+ /* If we are on a slave connection, we do not expect to have an SSLConnRec, -+ * but our master connection might. */ - sslconn = myConnConfig(r->connection); -+ if (!(sslconn && sslconn->ssl) && r->connection->master) { -+ sslconn = myConnConfig(r->connection->master); -+ } -+ - if (!sslconn) { - return DECLINED; - } -@@ -195,15 +303,16 @@ int ssl_hook_ReadReq(request_rec *r) - " provided in HTTP request", servername); - return HTTP_BAD_REQUEST; - } -- if (r->server != handshakeserver) { -+ if (r->server != handshakeserver -+ && !ssl_server_compatible(sslconn->server, r->server)) { - /* -- * We are really not in Kansas anymore... - * The request does not select the virtual host that was -- * selected by the SNI. -+ * selected by the SNI and its SSL parameters are different - */ -+ - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) - "Hostname %s provided via SNI and hostname %s provided" -- " via HTTP select a different server", -+ " via HTTP have no compatible SSL setup", - servername, r->hostname); - return HTTP_MISDIRECTED_REQUEST; - } -@@ -302,6 +411,7 @@ int ssl_hook_Access(request_rec *r) - SSLConnRec *sslconn = myConnConfig(r->connection); - SSL *ssl = sslconn ? sslconn->ssl : NULL; - server_rec *handshakeserver = sslconn ? sslconn->server : NULL; -+ SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL; - SSL_CTX *ctx = NULL; - apr_array_header_t *requires; - ssl_require_t *ssl_requires; -@@ -313,8 +423,19 @@ int ssl_hook_Access(request_rec *r) - X509_STORE_CTX cert_store_ctx; - STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; - const SSL_CIPHER *cipher = NULL; -- int depth, verify_old, verify, n; -+ int depth, verify_old, verify, n, is_slave = 0; -+ const char *ncipher_suite; - -+ /* On a slave connection, we do not expect to have an SSLConnRec, but -+ * our master connection might have one. */ -+ if (!(sslconn && ssl) && r->connection->master) { -+ sslconn = myConnConfig(r->connection->master); -+ ssl = sslconn ? sslconn->ssl : NULL; -+ handshakeserver = sslconn ? sslconn->server : NULL; -+ hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL; -+ is_slave = 1; -+ } -+ - if (ssl) { - /* - * We should have handshaken here (on handshakeserver), -@@ -333,7 +454,7 @@ int ssl_hook_Access(request_rec *r) - * Support for SSLRequireSSL directive - */ - if (dc->bSSLRequired && !ssl) { -- if (sc->enabled == SSL_ENABLED_OPTIONAL) { -+ if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) { - /* This vhost was configured for optional SSL, just tell the - * client that we need to upgrade. - */ -@@ -416,8 +537,13 @@ int ssl_hook_Access(request_rec *r) - * new cipher suite. This approach is fine because the user explicitly - * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no - * implicit optimizations. -- */ -- if (dc->szCipherSuite || (r->server != handshakeserver)) { -+ */ -+ ncipher_suite = (dc->szCipherSuite? -+ dc->szCipherSuite : (r->server != handshakeserver)? -+ sc->server->auth.cipher_suite : NULL); -+ -+ if (ncipher_suite && (!sslconn->cipher_suite -+ || strcmp(ncipher_suite, sslconn->cipher_suite))) { - /* remember old state */ - - if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { -@@ -432,10 +558,18 @@ int ssl_hook_Access(request_rec *r) - } - - /* configure new state */ -- if ((dc->szCipherSuite || sc->server->auth.cipher_suite) && -- !SSL_set_cipher_list(ssl, dc->szCipherSuite ? -- dc->szCipherSuite : -- sc->server->auth.cipher_suite)) { -+ if (is_slave) { -+ /* TODO: this categorically fails changed cipher suite settings -+ * on slave connections. We could do better by -+ * - create a new SSL* from our SSL_CTX and set cipher suite there, -+ * and retrieve ciphers, free afterwards -+ * Modifying the SSL on a slave connection is no good. -+ */ -+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); -+ return HTTP_FORBIDDEN; -+ } -+ -+ if (!SSL_set_cipher_list(ssl, ncipher_suite)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253) - "Unable to reconfigure (per-directory) " - "permitted SSL ciphers"); -@@ -502,6 +636,15 @@ int ssl_hook_Access(request_rec *r) - } - - if (renegotiate) { -+ if (is_slave) { -+ /* The request causes renegotiation on a slave connection. -+ * This is not allowed since we might have concurrent requests -+ * on this connection. -+ */ -+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); -+ return HTTP_FORBIDDEN; -+ } -+ - #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - if (sc->cipher_server_pref == TRUE) { - SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); -@@ -554,6 +697,7 @@ int ssl_hook_Access(request_rec *r) - */ - if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || - (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { -+ - /* remember old state */ - verify_old = SSL_get_verify_mode(ssl); - /* configure new state */ -@@ -572,6 +716,9 @@ int ssl_hook_Access(request_rec *r) - verify |= SSL_VERIFY_PEER; - } - -+ /* TODO: this seems premature since we do not know if there -+ * are any changes required. -+ */ - SSL_set_verify(ssl, verify, ssl_callback_SSLVerify); - SSL_set_verify_result(ssl, X509_V_OK); - -@@ -587,6 +734,14 @@ int ssl_hook_Access(request_rec *r) - (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) - { - renegotiate = TRUE; -+ if (is_slave) { -+ /* The request causes renegotiation on a slave connection. -+ * This is not allowed since we might have concurrent requests -+ * on this connection. -+ */ -+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client"); -+ return HTTP_FORBIDDEN; -+ } - /* optimization */ - - if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && -@@ -907,6 +1062,10 @@ int ssl_hook_Access(request_rec *r) - return HTTP_FORBIDDEN; - } - } -+ /* remember any new cipher suite used in renegotiation */ -+ if (ncipher_suite) { -+ sslconn->cipher_suite = ncipher_suite; -+ } - } - - /* If we're trying to have the user name set from a client -@@ -1170,6 +1329,10 @@ int ssl_hook_Fixup(request_rec *r) - apr_table_mergen(r->headers_out, "Connection", "upgrade"); - } - -+ if (!(sslconn && sslconn->ssl) && r->connection->master) { -+ sslconn = myConnConfig(r->connection->master); -+ } -+ - /* - * Check to see if SSL is on - */ -@@ -1192,8 +1355,8 @@ int ssl_hook_Fixup(request_rec *r) - - /* standard SSL environment variables */ - if (dc->nOptions & SSL_OPT_STDENVVARS) { -- modssl_var_extract_dns(env, sslconn->ssl, r->pool); -- modssl_var_extract_san_entries(env, sslconn->ssl, r->pool); -+ modssl_var_extract_dns(env, ssl, r->pool); -+ modssl_var_extract_san_entries(env, ssl, r->pool); - - for (i = 0; ssl_hook_Fixup_vars[i]; i++) { - var = (char *)ssl_hook_Fixup_vars[i]; -@@ -2037,7 +2200,8 @@ static int ssl_find_vhost(void *serverna - * retrieval - */ - sslcon->server = s; -- -+ sslcon->cipher_suite = sc->server->auth.cipher_suite; -+ - /* - * There is one special filter callback, which is set - * very early depending on the base_server's log level. -@@ -2194,14 +2358,30 @@ int ssl_callback_alpn_select(SSL *ssl, - init_vhost(c, ssl); - - proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos); -- *out = (const unsigned char *)(proposed? proposed : ap_get_protocol(c)); -- len = strlen((const char*)*out); -+ if (!proposed) { -+ proposed = ap_get_protocol(c); -+ } -+ -+ len = strlen(proposed); - if (len > 255) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840) - "ALPN negotiated protocol name too long"); - return SSL_TLSEXT_ERR_ALERT_FATAL; - } -+ *out = (const unsigned char *)proposed; - *outlen = (unsigned char)len; -+ -+ if (strcmp(proposed, ap_get_protocol(c))) { -+ apr_status_t status; -+ -+ status = ap_switch_protocol(c, NULL, sslconn->server, proposed); -+ if (status != APR_SUCCESS) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, status, c, -+ APLOGNO(02908) "protocol switch to '%s' failed", -+ proposed); -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ } - - return SSL_TLSEXT_ERR_OK; - } diff --git a/apache2.changes b/apache2.changes index 9e6ef87..9e4b14f 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat Dec 12 15:57:21 UTC 2015 - crrodriguez@opensuse.org + +- Update to version 2.44.18 +* drop 2.4.17-protocols.patch in upstream. +- Change list too long to mention here see: + http://www.apache.org/dist/httpd/CHANGES_2.4.18 for details. + ------------------------------------------------------------------- Mon Dec 7 18:05:37 UTC 2015 - crrodriguez@opensuse.org diff --git a/apache2.spec b/apache2.spec index 8258011..5c4fdd2 100644 --- a/apache2.spec +++ b/apache2.spec @@ -51,7 +51,7 @@ %endif Name: apache2 -Version: 2.4.17 +Version: 2.4.18 Release: 0 Summary: The Apache Web Server Version 2.4 License: Apache-2.0 @@ -125,7 +125,6 @@ Patch111: httpd-visibility.patch # PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188 Patch114: httpd-2.4.12-lua-5.2.patch Patch115: httpd-2.4.17-debug-crash.patch -Patch1000: https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/2.4.17-protocols.patch BuildRequires: automake BuildRequires: apache-rpm-macros-control BuildRequires: db-devel @@ -314,7 +313,6 @@ to administrators of web servers in general. %patch111 -p1 %patch114 -p1 %patch115 -p1 -%patch1000 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{SOURCE22}) diff --git a/httpd-2.4.17.tar.bz2 b/httpd-2.4.17.tar.bz2 deleted file mode 100644 index 5fd207a..0000000 --- a/httpd-2.4.17.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:331e035dec81d3db95b048f036f4d7b1a97ec8daa5b377bde42d4ccf1f2eb798 -size 5157721 diff --git a/httpd-2.4.18.tar.bz2 b/httpd-2.4.18.tar.bz2 new file mode 100644 index 0000000..f7eaf34 --- /dev/null +++ b/httpd-2.4.18.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c +size 5181291 From ab50a09317fab9e964783038dab9ec87595608270fa48babdb59ccced8dbe0f6 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 14 Dec 2015 08:03:32 +0000 Subject: [PATCH 2/3] - Update to version 2.4.18 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=470 --- apache2.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache2.changes b/apache2.changes index 9e4b14f..c5de21f 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- Sat Dec 12 15:57:21 UTC 2015 - crrodriguez@opensuse.org -- Update to version 2.44.18 +- Update to version 2.4.18 * drop 2.4.17-protocols.patch in upstream. - Change list too long to mention here see: http://www.apache.org/dist/httpd/CHANGES_2.4.18 for details. From f355b093825fa5809dcab0c46b7ed5400262e3deaf969dbcf9ad35f1808818be Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 14 Dec 2015 16:45:30 +0000 Subject: [PATCH 3/3] - fix build for SLE_11_SP4: + httpd-2.4.18-missing-semicolon.patch OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=471 --- apache2.changes | 6 ++++++ apache2.spec | 4 ++++ httpd-2.4.18-missing-semicolon.patch | 13 +++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 httpd-2.4.18-missing-semicolon.patch diff --git a/apache2.changes b/apache2.changes index c5de21f..2d622ae 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Dec 14 16:44:55 UTC 2015 - pgajdos@suse.com + +- fix build for SLE_11_SP4: + + httpd-2.4.18-missing-semicolon.patch + ------------------------------------------------------------------- Sat Dec 12 15:57:21 UTC 2015 - crrodriguez@opensuse.org diff --git a/apache2.spec b/apache2.spec index 5c4fdd2..50d5169 100644 --- a/apache2.spec +++ b/apache2.spec @@ -124,7 +124,10 @@ Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch # PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188 Patch114: httpd-2.4.12-lua-5.2.patch +# http://svn.apache.org/viewvc?view=revision&revision=1711479 Patch115: httpd-2.4.17-debug-crash.patch +# reported to ylavic.dev gmail.com +Patch116: httpd-2.4.18-missing-semicolon.patch BuildRequires: automake BuildRequires: apache-rpm-macros-control BuildRequires: db-devel @@ -313,6 +316,7 @@ to administrators of web servers in general. %patch111 -p1 %patch114 -p1 %patch115 -p1 +%patch116 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{SOURCE22}) diff --git a/httpd-2.4.18-missing-semicolon.patch b/httpd-2.4.18-missing-semicolon.patch new file mode 100644 index 0000000..7bc6678 --- /dev/null +++ b/httpd-2.4.18-missing-semicolon.patch @@ -0,0 +1,13 @@ +Index: modules/ssl/ssl_engine_io.c +=================================================================== +--- modules/ssl/ssl_engine_io.c.orig 2015-11-19 20:55:25.000000000 +0100 ++++ modules/ssl/ssl_engine_io.c 2015-12-14 17:36:04.787124154 +0100 +@@ -217,7 +217,7 @@ + * so limit the performance impact to handshake time. + */ + #if OPENSSL_VERSION_NUMBER < 0x0009080df +- need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl) ++ need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl); + #else + need_flush = SSL_in_connect_init(outctx->filter_ctx->pssl); + #endif