parent
30c01a09c1
commit
0579fb3c3f
|
@ -41,3 +41,4 @@ x86_64
|
||||||
/httpd-2.4.48.tar.bz2.asc
|
/httpd-2.4.48.tar.bz2.asc
|
||||||
/httpd-2.4.49.tar.bz2.asc
|
/httpd-2.4.49.tar.bz2.asc
|
||||||
/httpd-2.4.51.tar.bz2.asc
|
/httpd-2.4.51.tar.bz2.asc
|
||||||
|
/httpd-2.4.53.tar.bz2.asc
|
||||||
|
|
|
@ -1,252 +0,0 @@
|
||||||
diff --git a/include/http_protocol.h b/include/http_protocol.h
|
|
||||||
index 9ccac89..20bd202 100644
|
|
||||||
--- a/include/http_protocol.h
|
|
||||||
+++ b/include/http_protocol.h
|
|
||||||
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
|
|
||||||
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
|
|
||||||
apr_bucket_brigade *bb);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Run post_read_request hook and validate.
|
|
||||||
+ * @param r The current request
|
|
||||||
+ * @return OK or HTTP_...
|
|
||||||
+ */
|
|
||||||
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
|
|
||||||
+
|
|
||||||
/* Finish up stuff after a request */
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
|
|
||||||
index c9ae5af..d59cfe2 100644
|
|
||||||
--- a/modules/http/http_request.c
|
|
||||||
+++ b/modules/http/http_request.c
|
|
||||||
@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
|
|
||||||
* to do their thing on internal redirects as well. Perhaps this is a
|
|
||||||
* misnamed function.
|
|
||||||
*/
|
|
||||||
- if ((access_status = ap_run_post_read_request(new))) {
|
|
||||||
+ if ((access_status = ap_post_read_request(new))) {
|
|
||||||
ap_die(access_status, new);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
|
|
||||||
index ee4f1fb..ff9f81d 100644
|
|
||||||
--- a/modules/proxy/mod_proxy.c
|
|
||||||
+++ b/modules/proxy/mod_proxy.c
|
|
||||||
@@ -777,11 +777,12 @@ static int proxy_detect(request_rec *r)
|
|
||||||
|
|
||||||
if (conf->req && r->parsed_uri.scheme) {
|
|
||||||
/* but it might be something vhosted */
|
|
||||||
- if (!(r->parsed_uri.hostname
|
|
||||||
- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r))
|
|
||||||
- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
|
|
||||||
- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
|
|
||||||
- : ap_default_port(r))))) {
|
|
||||||
+ if (!r->parsed_uri.hostname
|
|
||||||
+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
|
|
||||||
+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
|
|
||||||
+ (apr_port_t)(r->parsed_uri.port_str
|
|
||||||
+ ? r->parsed_uri.port
|
|
||||||
+ : ap_default_port(r)))) {
|
|
||||||
r->proxyreq = PROXYREQ_PROXY;
|
|
||||||
r->uri = r->unparsed_uri;
|
|
||||||
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
|
|
||||||
@@ -2021,6 +2022,7 @@ static const char *
|
|
||||||
struct proxy_alias *new;
|
|
||||||
char *f = cmd->path;
|
|
||||||
char *r = NULL;
|
|
||||||
+ const char *real;
|
|
||||||
char *word;
|
|
||||||
apr_table_t *params = apr_table_make(cmd->pool, 5);
|
|
||||||
const apr_array_header_t *arr;
|
|
||||||
@@ -2107,6 +2109,10 @@ static const char *
|
|
||||||
if (r == NULL) {
|
|
||||||
return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
|
|
||||||
}
|
|
||||||
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
|
|
||||||
+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
/* if per directory, save away the single alias */
|
|
||||||
if (cmd->path) {
|
|
||||||
@@ -2123,7 +2129,7 @@ static const char *
|
|
||||||
}
|
|
||||||
|
|
||||||
new->fake = apr_pstrdup(cmd->pool, f);
|
|
||||||
- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
|
|
||||||
+ new->real = apr_pstrdup(cmd->pool, real);
|
|
||||||
new->flags = flags;
|
|
||||||
if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
|
|
||||||
new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
|
|
||||||
@@ -2649,6 +2655,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
||||||
proxy_worker *worker;
|
|
||||||
char *path = cmd->path;
|
|
||||||
char *name = NULL;
|
|
||||||
+ const char *real;
|
|
||||||
char *word;
|
|
||||||
apr_table_t *params = apr_table_make(cmd->pool, 5);
|
|
||||||
const apr_array_header_t *arr;
|
|
||||||
@@ -2689,6 +2696,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
||||||
return "BalancerMember must define balancer name when outside <Proxy > section";
|
|
||||||
if (!name)
|
|
||||||
return "BalancerMember must define remote proxy server";
|
|
||||||
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
|
|
||||||
+ return "BalancerMember uses an invalid \"unix:\" URL";
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ap_str_tolower(path); /* lowercase scheme://hostname */
|
|
||||||
|
|
||||||
@@ -2701,8 +2711,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Try to find existing worker */
|
|
||||||
- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
|
|
||||||
- ap_proxy_de_socketfy(cmd->temp_pool, name));
|
|
||||||
+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
|
|
||||||
if (!worker) {
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
|
|
||||||
"Defining worker '%s' for balancer '%s'",
|
|
||||||
@@ -2799,9 +2808,14 @@ static const char *
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
+ const char *real;
|
|
||||||
+
|
|
||||||
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
|
|
||||||
+ return "ProxySet uses an invalid \"unix:\" URL";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
|
|
||||||
- ap_proxy_de_socketfy(cmd->temp_pool, name),
|
|
||||||
- worker_type);
|
|
||||||
+ real, worker_type);
|
|
||||||
if (!worker) {
|
|
||||||
if (in_proxy_section) {
|
|
||||||
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
|
|
||||||
@@ -2944,9 +2958,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
+ const char *real;
|
|
||||||
+
|
|
||||||
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
|
|
||||||
+ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
|
|
||||||
- ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
|
|
||||||
- worker_type);
|
|
||||||
+ real, worker_type);
|
|
||||||
if (!worker) {
|
|
||||||
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
|
|
||||||
conf->p, worker_type);
|
|
||||||
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
|
|
||||||
index 044a6c4..c21c4d8 100644
|
|
||||||
--- a/modules/proxy/mod_proxy.h
|
|
||||||
+++ b/modules/proxy/mod_proxy.h
|
|
||||||
@@ -751,6 +751,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
|
|
||||||
#define AP_PROXY_WORKER_IS_PREFIX (1u << 0)
|
|
||||||
#define AP_PROXY_WORKER_IS_MATCH (1u << 1)
|
|
||||||
#define AP_PROXY_WORKER_IS_MALLOCED (1u << 2)
|
|
||||||
+#define AP_PROXY_WORKER_NO_UDS (1u << 3)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get the worker from proxy configuration, looking for either PREFIXED or
|
|
||||||
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
|
|
||||||
index 8225045..cbe300f 100644
|
|
||||||
--- a/modules/proxy/proxy_util.c
|
|
||||||
+++ b/modules/proxy/proxy_util.c
|
|
||||||
@@ -1741,7 +1741,12 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
|
|
||||||
url = ap_proxy_de_socketfy(p, url);
|
|
||||||
+ if (!url) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
c = ap_strchr_c(url, ':');
|
|
||||||
if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
|
|
||||||
@@ -2323,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
|
||||||
|
|
||||||
access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
|
|
||||||
if (access_status == DECLINED && *balancer == NULL) {
|
|
||||||
- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
|
|
||||||
+ const int forward = (r->proxyreq == PROXYREQ_PROXY);
|
|
||||||
+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
|
|
||||||
+ forward ? AP_PROXY_WORKER_NO_UDS : 0);
|
|
||||||
if (*worker) {
|
|
||||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
||||||
"%s: found worker %s for %s",
|
|
||||||
(*worker)->s->scheme, (*worker)->s->name, *url);
|
|
||||||
- *balancer = NULL;
|
|
||||||
- if (!fix_uds_filename(r, url)) {
|
|
||||||
+ if (!forward && !fix_uds_filename(r, url)) {
|
|
||||||
return HTTP_INTERNAL_SERVER_ERROR;
|
|
||||||
}
|
|
||||||
access_status = OK;
|
|
||||||
}
|
|
||||||
- else if (r->proxyreq == PROXYREQ_PROXY) {
|
|
||||||
+ else if (forward) {
|
|
||||||
if (conf->forward) {
|
|
||||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
||||||
"*: found forward proxy worker for %s", *url);
|
|
||||||
- *balancer = NULL;
|
|
||||||
*worker = conf->forward;
|
|
||||||
access_status = OK;
|
|
||||||
/*
|
|
||||||
@@ -2352,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
|
||||||
else if (r->proxyreq == PROXYREQ_REVERSE) {
|
|
||||||
if (conf->reverse) {
|
|
||||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
||||||
- "*: using default reverse proxy worker for %s (no keepalive)", *url);
|
|
||||||
- *balancer = NULL;
|
|
||||||
+ "*: using default reverse proxy worker for %s "
|
|
||||||
+ "(no keepalive)", *url);
|
|
||||||
*worker = conf->reverse;
|
|
||||||
access_status = OK;
|
|
||||||
/*
|
|
||||||
diff --git a/server/protocol.c b/server/protocol.c
|
|
||||||
index 3d74c5b..2214f72 100644
|
|
||||||
--- a/server/protocol.c
|
|
||||||
+++ b/server/protocol.c
|
|
||||||
@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn)
|
|
||||||
/* we may have switched to another server */
|
|
||||||
apply_server_config(r);
|
|
||||||
|
|
||||||
- if ((access_status = ap_run_post_read_request(r))) {
|
|
||||||
+ if ((access_status = ap_post_read_request(r))) {
|
|
||||||
goto die;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1603,6 +1603,27 @@ ignore:
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
|
|
||||||
+{
|
|
||||||
+ int status;
|
|
||||||
+
|
|
||||||
+ if ((status = ap_run_post_read_request(r))) {
|
|
||||||
+ return status;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
|
|
||||||
+ if (!r->proxyreq
|
|
||||||
+ && r->parsed_uri.scheme
|
|
||||||
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
|
|
||||||
+ || (r->parsed_uri.scheme[4] != '\0'
|
|
||||||
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
|
|
||||||
+ || r->parsed_uri.scheme[5] != '\0')))) {
|
|
||||||
+ return HTTP_BAD_REQUEST;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* if a request with a body creates a subrequest, remove original request's
|
|
||||||
* input headers which pertain to the body which has already been read.
|
|
||||||
* out-of-line helper function for ap_set_sub_req_protocol.
|
|
|
@ -1,10 +0,0 @@
|
||||||
--- a/modules/lua/lua_request.c 2021/12/16 11:09:40 1896038
|
|
||||||
+++ b/modules/lua/lua_request.c 2021/12/16 11:15:47 1896039
|
|
||||||
@@ -410,6 +410,7 @@
|
|
||||||
if (end == NULL) break;
|
|
||||||
key = (char *) apr_pcalloc(r->pool, 256);
|
|
||||||
filename = (char *) apr_pcalloc(r->pool, 256);
|
|
||||||
+ if (end - crlf <= 8) break;
|
|
||||||
vlen = end - crlf - 8;
|
|
||||||
buffer = (char *) apr_pcalloc(r->pool, vlen+1);
|
|
||||||
memcpy(buffer, crlf + 4, vlen);
|
|
|
@ -1,154 +0,0 @@
|
||||||
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
|
|
||||||
index b10d2b7..5659c4b 100644
|
|
||||||
--- a/modules/http/http_filters.c
|
|
||||||
+++ b/modules/http/http_filters.c
|
|
||||||
@@ -1595,9 +1595,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)
|
|
||||||
*/
|
|
||||||
AP_DECLARE(int) ap_discard_request_body(request_rec *r)
|
|
||||||
{
|
|
||||||
+ int rc = OK;
|
|
||||||
+ conn_rec *c = r->connection;
|
|
||||||
apr_bucket_brigade *bb;
|
|
||||||
- int seen_eos;
|
|
||||||
- apr_status_t rv;
|
|
||||||
|
|
||||||
/* Sometimes we'll get in a state where the input handling has
|
|
||||||
* detected an error where we want to drop the connection, so if
|
|
||||||
@@ -1606,54 +1606,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
|
|
||||||
*
|
|
||||||
* This function is also a no-op on a subrequest.
|
|
||||||
*/
|
|
||||||
- if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
|
|
||||||
- ap_status_drops_connection(r->status)) {
|
|
||||||
+ if (r->main || c->keepalive == AP_CONN_CLOSE) {
|
|
||||||
+ return OK;
|
|
||||||
+ }
|
|
||||||
+ if (ap_status_drops_connection(r->status)) {
|
|
||||||
+ c->keepalive = AP_CONN_CLOSE;
|
|
||||||
return OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
|
|
||||||
- seen_eos = 0;
|
|
||||||
- do {
|
|
||||||
- apr_bucket *bucket;
|
|
||||||
+ for (;;) {
|
|
||||||
+ apr_status_t rv;
|
|
||||||
|
|
||||||
rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
|
|
||||||
APR_BLOCK_READ, HUGE_STRING_LEN);
|
|
||||||
-
|
|
||||||
if (rv != APR_SUCCESS) {
|
|
||||||
- apr_brigade_destroy(bb);
|
|
||||||
- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
|
|
||||||
+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- for (bucket = APR_BRIGADE_FIRST(bb);
|
|
||||||
- bucket != APR_BRIGADE_SENTINEL(bb);
|
|
||||||
- bucket = APR_BUCKET_NEXT(bucket))
|
|
||||||
- {
|
|
||||||
- const char *data;
|
|
||||||
- apr_size_t len;
|
|
||||||
+ while (!APR_BRIGADE_EMPTY(bb)) {
|
|
||||||
+ apr_bucket *b = APR_BRIGADE_FIRST(bb);
|
|
||||||
|
|
||||||
- if (APR_BUCKET_IS_EOS(bucket)) {
|
|
||||||
- seen_eos = 1;
|
|
||||||
- break;
|
|
||||||
+ if (APR_BUCKET_IS_EOS(b)) {
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* These are metadata buckets. */
|
|
||||||
- if (bucket->length == 0) {
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* We MUST read because in case we have an unknown-length
|
|
||||||
- * bucket or one that morphs, we want to exhaust it.
|
|
||||||
+ /* There is no need to read empty or metadata buckets or
|
|
||||||
+ * buckets of known length, but we MUST read buckets of
|
|
||||||
+ * unknown length in order to exhaust them.
|
|
||||||
*/
|
|
||||||
- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
|
|
||||||
+ if (b->length == (apr_size_t)-1) {
|
|
||||||
+ apr_size_t len;
|
|
||||||
+ const char *data;
|
|
||||||
+
|
|
||||||
+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
|
|
||||||
if (rv != APR_SUCCESS) {
|
|
||||||
- apr_brigade_destroy(bb);
|
|
||||||
- return HTTP_BAD_REQUEST;
|
|
||||||
+ rc = HTTP_BAD_REQUEST;
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- apr_brigade_cleanup(bb);
|
|
||||||
- } while (!seen_eos);
|
|
||||||
|
|
||||||
- return OK;
|
|
||||||
+ apr_bucket_delete(b);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+cleanup:
|
|
||||||
+ apr_brigade_cleanup(bb);
|
|
||||||
+ if (rc != OK) {
|
|
||||||
+ c->keepalive = AP_CONN_CLOSE;
|
|
||||||
+ }
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Here we deal with getting the request message body from the client.
|
|
||||||
diff --git a/server/protocol.c b/server/protocol.c
|
|
||||||
index 3d74c5b..03b5419 100644
|
|
||||||
--- a/server/protocol.c
|
|
||||||
+++ b/server/protocol.c
|
|
||||||
@@ -1666,23 +1666,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
|
|
||||||
rnew->main = (request_rec *) r;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void end_output_stream(request_rec *r)
|
|
||||||
+static void end_output_stream(request_rec *r, int status)
|
|
||||||
{
|
|
||||||
conn_rec *c = r->connection;
|
|
||||||
apr_bucket_brigade *bb;
|
|
||||||
apr_bucket *b;
|
|
||||||
|
|
||||||
bb = apr_brigade_create(r->pool, c->bucket_alloc);
|
|
||||||
+ if (status != OK) {
|
|
||||||
+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);
|
|
||||||
+ APR_BRIGADE_INSERT_TAIL(bb, b);
|
|
||||||
+ }
|
|
||||||
b = apr_bucket_eos_create(c->bucket_alloc);
|
|
||||||
APR_BRIGADE_INSERT_TAIL(bb, b);
|
|
||||||
+
|
|
||||||
ap_pass_brigade(r->output_filters, bb);
|
|
||||||
+ apr_brigade_cleanup(bb);
|
|
||||||
}
|
|
||||||
|
|
||||||
AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
|
|
||||||
{
|
|
||||||
/* tell the filter chain there is no more content coming */
|
|
||||||
if (!sub->eos_sent) {
|
|
||||||
- end_output_stream(sub);
|
|
||||||
+ end_output_stream(sub, OK);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1693,11 +1699,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
|
|
||||||
*/
|
|
||||||
AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)
|
|
||||||
{
|
|
||||||
- (void) ap_discard_request_body(r);
|
|
||||||
+ int status = ap_discard_request_body(r);
|
|
||||||
|
|
||||||
/* tell the filter chain there is no more content coming */
|
|
||||||
if (!r->eos_sent) {
|
|
||||||
- end_output_stream(r);
|
|
||||||
+ end_output_stream(r, status);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,505 +0,0 @@
|
||||||
|
|
||||||
https://github.com/apache/httpd/pull/258
|
|
||||||
|
|
||||||
--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
|
|
||||||
+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
|
|
||||||
@@ -91,7 +91,6 @@
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
|
|
||||||
@@ -171,6 +170,7 @@
|
|
||||||
|
|
||||||
return NULL; /* impossible to reach. */
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
|
|
||||||
server_rec *s)
|
|
||||||
@@ -440,8 +440,9 @@
|
|
||||||
|
|
||||||
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
|
|
||||||
|
|
||||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
init_dh_params();
|
|
||||||
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
+#else
|
|
||||||
init_bio_methods();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -862,7 +863,11 @@
|
|
||||||
{
|
|
||||||
SSL_CTX *ctx = mctx->ssl_ctx;
|
|
||||||
|
|
||||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
+ /* Note that for OpenSSL>=1.1, auto selection is enabled via
|
|
||||||
+ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
|
|
||||||
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
|
|
||||||
|
|
||||||
@@ -871,6 +876,23 @@
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
+static APR_INLINE
|
|
||||||
+int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
|
|
||||||
+ const char *file,
|
|
||||||
+ const char *path)
|
|
||||||
+{
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx, file, path))
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
+ if (file && !SSL_CTX_load_verify_file(ctx, file))
|
|
||||||
+ return 0;
|
|
||||||
+ if (path && !SSL_CTX_load_verify_dir(ctx, path))
|
|
||||||
+ return 0;
|
|
||||||
+#endif
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static apr_status_t ssl_init_ctx_verify(server_rec *s,
|
|
||||||
apr_pool_t *p,
|
|
||||||
apr_pool_t *ptemp,
|
|
||||||
@@ -911,10 +933,8 @@
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
|
|
||||||
"Configuring client authentication");
|
|
||||||
|
|
||||||
- if (!SSL_CTX_load_verify_locations(ctx,
|
|
||||||
- mctx->auth.ca_cert_file,
|
|
||||||
- mctx->auth.ca_cert_path))
|
|
||||||
- {
|
|
||||||
+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
|
|
||||||
+ mctx->auth.ca_cert_path)) {
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
|
|
||||||
"Unable to configure verify locations "
|
|
||||||
"for client authentication");
|
|
||||||
@@ -999,6 +1019,23 @@
|
|
||||||
return APR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static APR_INLINE
|
|
||||||
+int modssl_X509_STORE_load_locations(X509_STORE *store,
|
|
||||||
+ const char *file,
|
|
||||||
+ const char *path)
|
|
||||||
+{
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ if (!X509_STORE_load_locations(store, file, path))
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
+ if (file && !X509_STORE_load_file(store, file))
|
|
||||||
+ return 0;
|
|
||||||
+ if (path && !X509_STORE_load_path(store, path))
|
|
||||||
+ return 0;
|
|
||||||
+#endif
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static apr_status_t ssl_init_ctx_crl(server_rec *s,
|
|
||||||
apr_pool_t *p,
|
|
||||||
apr_pool_t *ptemp,
|
|
||||||
@@ -1037,8 +1074,8 @@
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
|
|
||||||
"Configuring certificate revocation facility");
|
|
||||||
|
|
||||||
- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
|
|
||||||
- mctx->crl_path)) {
|
|
||||||
+ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
|
|
||||||
+ mctx->crl_path)) {
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
|
|
||||||
"Host %s: unable to configure X.509 CRL storage "
|
|
||||||
"for certificate revocation", mctx->sc->vhost_id);
|
|
||||||
@@ -1267,6 +1304,31 @@
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static APR_INLINE int modssl_DH_bits(DH *dh)
|
|
||||||
+{
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ return DH_bits(dh);
|
|
||||||
+#else
|
|
||||||
+ return BN_num_bits(DH_get0_p(dh));
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
|
|
||||||
+ * key was encrypted, or due to a mismatch between an already-loaded
|
|
||||||
+ * cert and the key - a common misconfiguration - from calling
|
|
||||||
+ * X509_check_private_key(). This macro is passed the last error code
|
|
||||||
+ * off the OpenSSL stack and evaluates to true only for the first
|
|
||||||
+ * case. With OpenSSL < 3 the second case is identifiable by the
|
|
||||||
+ * function code, but function codes are not used from 3.0. */
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
|
|
||||||
+#else
|
|
||||||
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
|
|
||||||
+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
|
|
||||||
+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
|
|
||||||
+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static apr_status_t ssl_init_server_certs(server_rec *s,
|
|
||||||
apr_pool_t *p,
|
|
||||||
apr_pool_t *ptemp,
|
|
||||||
@@ -1277,7 +1339,7 @@
|
|
||||||
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
|
|
||||||
int i;
|
|
||||||
X509 *cert;
|
|
||||||
- DH *dhparams;
|
|
||||||
+ DH *dh;
|
|
||||||
#ifdef HAVE_ECC
|
|
||||||
EC_GROUP *ecparams = NULL;
|
|
||||||
int nid;
|
|
||||||
@@ -1372,8 +1434,7 @@
|
|
||||||
}
|
|
||||||
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
|
|
||||||
SSL_FILETYPE_PEM) < 1)
|
|
||||||
- && (ERR_GET_FUNC(ERR_peek_last_error())
|
|
||||||
- != X509_F_X509_CHECK_PRIVATE_KEY)) {
|
|
||||||
+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
|
|
||||||
ssl_asn1_t *asn1;
|
|
||||||
const unsigned char *ptr;
|
|
||||||
|
|
||||||
@@ -1462,13 +1523,22 @@
|
|
||||||
*/
|
|
||||||
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
|
|
||||||
if (certfile && !modssl_is_engine_id(certfile)
|
|
||||||
- && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
|
|
||||||
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
|
|
||||||
+ && (dh = ssl_dh_GetParamFromFile(certfile))) {
|
|
||||||
+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
|
|
||||||
+ * for OpenSSL 3.0+. */
|
|
||||||
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
|
|
||||||
"Custom DH parameters (%d bits) for %s loaded from %s",
|
|
||||||
- DH_bits(dhparams), vhost_id, certfile);
|
|
||||||
- DH_free(dhparams);
|
|
||||||
+ modssl_DH_bits(dh), vhost_id, certfile);
|
|
||||||
+ DH_free(dh);
|
|
||||||
}
|
|
||||||
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
+ else {
|
|
||||||
+ /* If no parameter is manually configured, enable auto
|
|
||||||
+ * selection. */
|
|
||||||
+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifdef HAVE_ECC
|
|
||||||
/*
|
|
||||||
@@ -1518,6 +1588,7 @@
|
|
||||||
char buf[TLSEXT_TICKET_KEY_LEN];
|
|
||||||
char *path;
|
|
||||||
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
|
|
||||||
+ int res;
|
|
||||||
|
|
||||||
if (!ticket_key->file_path) {
|
|
||||||
return APR_SUCCESS;
|
|
||||||
@@ -1545,11 +1616,22 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
memcpy(ticket_key->key_name, buf, 16);
|
|
||||||
- memcpy(ticket_key->hmac_secret, buf + 16, 16);
|
|
||||||
memcpy(ticket_key->aes_key, buf + 32, 16);
|
|
||||||
-
|
|
||||||
- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
|
|
||||||
- ssl_callback_SessionTicket)) {
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ memcpy(ticket_key->hmac_secret, buf + 16, 16);
|
|
||||||
+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
|
|
||||||
+ ssl_callback_SessionTicket);
|
|
||||||
+#else
|
|
||||||
+ ticket_key->mac_params[0] =
|
|
||||||
+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
|
|
||||||
+ ticket_key->mac_params[1] =
|
|
||||||
+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
|
|
||||||
+ ticket_key->mac_params[2] =
|
|
||||||
+ OSSL_PARAM_construct_end();
|
|
||||||
+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
|
|
||||||
+ ssl_callback_SessionTicket);
|
|
||||||
+#endif
|
|
||||||
+ if (!res) {
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
|
|
||||||
"Unable to initialize TLS session ticket key callback "
|
|
||||||
"(incompatible OpenSSL version?)");
|
|
||||||
@@ -1680,7 +1762,7 @@
|
|
||||||
return ssl_die(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
|
|
||||||
+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
|
|
||||||
|
|
||||||
for (n = 0; n < ncerts; n++) {
|
|
||||||
int i;
|
|
||||||
@@ -2277,10 +2359,11 @@
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
+ free_dh_params();
|
|
||||||
+#else
|
|
||||||
free_bio_methods();
|
|
||||||
#endif
|
|
||||||
- free_dh_params();
|
|
||||||
|
|
||||||
return APR_SUCCESS;
|
|
||||||
}
|
|
||||||
--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
|
|
||||||
+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
|
|
||||||
@@ -194,6 +194,10 @@
|
|
||||||
static int bio_filter_out_read(BIO *bio, char *out, int outl)
|
|
||||||
{
|
|
||||||
/* this is never called */
|
|
||||||
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_out_read");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -293,12 +297,20 @@
|
|
||||||
static int bio_filter_out_gets(BIO *bio, char *buf, int size)
|
|
||||||
{
|
|
||||||
/* this is never called */
|
|
||||||
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_out_gets");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int bio_filter_out_puts(BIO *bio, const char *str)
|
|
||||||
{
|
|
||||||
/* this is never called */
|
|
||||||
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_out_puts");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -533,22 +545,47 @@
|
|
||||||
|
|
||||||
static int bio_filter_in_write(BIO *bio, const char *in, int inl)
|
|
||||||
{
|
|
||||||
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_in_write");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int bio_filter_in_puts(BIO *bio, const char *str)
|
|
||||||
{
|
|
||||||
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_in_puts");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int bio_filter_in_gets(BIO *bio, char *buf, int size)
|
|
||||||
{
|
|
||||||
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
|
|
||||||
+ "BUG: %s() should not be called", "bio_filter_in_gets");
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
|
|
||||||
{
|
|
||||||
- return -1;
|
|
||||||
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
|
|
||||||
+ switch (cmd) {
|
|
||||||
+#ifdef BIO_CTRL_EOF
|
|
||||||
+ case BIO_CTRL_EOF:
|
|
||||||
+ return inctx->rc == APR_EOF;
|
|
||||||
+#endif
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
|
|
||||||
+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
|
|
||||||
+ cmd);
|
|
||||||
+ AP_DEBUG_ASSERT(0);
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
@@ -573,7 +610,7 @@
|
|
||||||
bio_filter_in_read,
|
|
||||||
bio_filter_in_puts, /* puts is never called */
|
|
||||||
bio_filter_in_gets, /* gets is never called */
|
|
||||||
- bio_filter_in_ctrl, /* ctrl is never called */
|
|
||||||
+ bio_filter_in_ctrl, /* ctrl is called for EOF check */
|
|
||||||
bio_filter_create,
|
|
||||||
bio_filter_destroy,
|
|
||||||
NULL
|
|
||||||
--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
|
|
||||||
+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
|
|
||||||
@@ -1685,6 +1685,7 @@
|
|
||||||
** _________________________________________________________________
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
/*
|
|
||||||
* Hand out standard DH parameters, based on the authentication strength
|
|
||||||
*/
|
|
||||||
@@ -1730,6 +1731,7 @@
|
|
||||||
|
|
||||||
return modssl_get_dh_params(keylen);
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* This OpenSSL callback function is called when OpenSSL
|
|
||||||
@@ -2614,7 +2616,11 @@
|
|
||||||
unsigned char *keyname,
|
|
||||||
unsigned char *iv,
|
|
||||||
EVP_CIPHER_CTX *cipher_ctx,
|
|
||||||
- HMAC_CTX *hctx,
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ HMAC_CTX *hmac_ctx,
|
|
||||||
+#else
|
|
||||||
+ EVP_MAC_CTX *mac_ctx,
|
|
||||||
+#endif
|
|
||||||
int mode)
|
|
||||||
{
|
|
||||||
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
|
||||||
@@ -2640,7 +2646,13 @@
|
|
||||||
}
|
|
||||||
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
|
|
||||||
ticket_key->aes_key, iv);
|
|
||||||
- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
|
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
|
|
||||||
+ tlsext_tick_md(), NULL);
|
|
||||||
+#else
|
|
||||||
+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
|
|
||||||
"TLS session ticket key for %s successfully set, "
|
|
||||||
@@ -2661,7 +2673,13 @@
|
|
||||||
|
|
||||||
EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
|
|
||||||
ticket_key->aes_key, iv);
|
|
||||||
- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
|
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
|
|
||||||
+ tlsext_tick_md(), NULL);
|
|
||||||
+#else
|
|
||||||
+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
|
|
||||||
"TLS session ticket key for %s successfully set, "
|
|
||||||
--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
|
|
||||||
+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
|
|
||||||
@@ -78,6 +78,16 @@
|
|
||||||
return APR_EGENERAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static APR_INLINE
|
|
||||||
+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
|
|
||||||
+{
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ return ERR_peek_error_line_data(NULL, NULL, data, flags);
|
|
||||||
+#else
|
|
||||||
+ return ERR_peek_error_data(data, flags);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Prints the SSL library error information.
|
|
||||||
*/
|
|
||||||
@@ -87,7 +97,7 @@
|
|
||||||
const char *data;
|
|
||||||
int flags;
|
|
||||||
|
|
||||||
- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
|
|
||||||
+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
|
|
||||||
const char *annotation;
|
|
||||||
char err[256];
|
|
||||||
|
|
||||||
--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
|
|
||||||
+++ httpd-2.4.51/modules/ssl/ssl_private.h
|
|
||||||
@@ -89,6 +89,9 @@
|
|
||||||
/* must be defined before including ssl.h */
|
|
||||||
#define OPENSSL_NO_SSL_INTERN
|
|
||||||
#endif
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
||||||
+#include <openssl/core_names.h>
|
|
||||||
+#endif
|
|
||||||
#include <openssl/ssl.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/x509.h>
|
|
||||||
@@ -134,13 +137,12 @@
|
|
||||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
|
|
||||||
#define SSL_CTX_set_max_proto_version(ctx, version) \
|
|
||||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
|
|
||||||
-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
|
|
||||||
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
|
|
||||||
/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
|
|
||||||
* include most changes from OpenSSL >= 1.1 (new functions, macros,
|
|
||||||
* deprecations, ...), so we have to work around this...
|
|
||||||
*/
|
|
||||||
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
|
|
||||||
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
|
|
||||||
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
|
|
||||||
#else /* defined(LIBRESSL_VERSION_NUMBER) */
|
|
||||||
#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
|
|
||||||
#endif
|
|
||||||
@@ -681,7 +683,11 @@
|
|
||||||
typedef struct {
|
|
||||||
const char *file_path;
|
|
||||||
unsigned char key_name[16];
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
unsigned char hmac_secret[16];
|
|
||||||
+#else
|
|
||||||
+ OSSL_PARAM mac_params[3];
|
|
||||||
+#endif
|
|
||||||
unsigned char aes_key[16];
|
|
||||||
} modssl_ticket_key_t;
|
|
||||||
#endif
|
|
||||||
@@ -945,8 +951,16 @@
|
|
||||||
int ssl_callback_ClientHello(SSL *, int *, void *);
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_TLS_SESSION_TICKETS
|
|
||||||
-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
|
|
||||||
- EVP_CIPHER_CTX *, HMAC_CTX *, int);
|
|
||||||
+int ssl_callback_SessionTicket(SSL *ssl,
|
|
||||||
+ unsigned char *keyname,
|
|
||||||
+ unsigned char *iv,
|
|
||||||
+ EVP_CIPHER_CTX *cipher_ctx,
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ HMAC_CTX *hmac_ctx,
|
|
||||||
+#else
|
|
||||||
+ EVP_MAC_CTX *mac_ctx,
|
|
||||||
+#endif
|
|
||||||
+ int mode);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef HAVE_TLS_ALPN
|
|
||||||
@@ -1124,10 +1138,12 @@
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
||||||
/* Retrieve DH parameters for given key length. Return value should
|
|
||||||
* be treated as unmutable, since it is stored in process-global
|
|
||||||
* memory. */
|
|
||||||
DH *modssl_get_dh_params(unsigned keylen);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Returns non-zero if the request was made over SSL/TLS. If sslconn
|
|
||||||
* is non-NULL and the request is using SSL/TLS, sets *sslconn to the
|
|
|
@ -1,5 +1,5 @@
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 0b088ac..9eeb5c7 100644
|
index a2e9c82..bd8045c 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
|
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
|
||||||
|
@ -12,10 +12,10 @@ index 0b088ac..9eeb5c7 100644
|
||||||
PROGRAM_DEPENDENCIES = \
|
PROGRAM_DEPENDENCIES = \
|
||||||
server/libmain.la \
|
server/libmain.la \
|
||||||
diff --git a/acinclude.m4 b/acinclude.m4
|
diff --git a/acinclude.m4 b/acinclude.m4
|
||||||
index 2a7e5d1..eb28321 100644
|
index 97484c9..05abe18 100644
|
||||||
--- a/acinclude.m4
|
--- a/acinclude.m4
|
||||||
+++ b/acinclude.m4
|
+++ b/acinclude.m4
|
||||||
@@ -624,6 +624,7 @@ case $host in
|
@@ -631,6 +631,7 @@ case $host in
|
||||||
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
|
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
|
||||||
AC_MSG_WARN([Your system does not support systemd.])
|
AC_MSG_WARN([Your system does not support systemd.])
|
||||||
else
|
else
|
||||||
|
@ -24,18 +24,18 @@ index 2a7e5d1..eb28321 100644
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
diff --git a/configure.in b/configure.in
|
diff --git a/configure.in b/configure.in
|
||||||
index 3618a5a..74a782b 100644
|
index cf437fe..521fc45 100644
|
||||||
--- a/configure.in
|
--- a/configure.in
|
||||||
+++ b/configure.in
|
+++ b/configure.in
|
||||||
@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then
|
@@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then
|
||||||
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
|
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
|
||||||
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
|
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
|
||||||
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
|
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`])
|
||||||
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
|
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
|
||||||
else
|
else
|
||||||
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
|
AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/])
|
||||||
fi
|
fi
|
||||||
@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR)
|
@@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR)
|
||||||
APACHE_SUBST(BUILTIN_LIBS)
|
APACHE_SUBST(BUILTIN_LIBS)
|
||||||
APACHE_SUBST(SHLIBPATH_VAR)
|
APACHE_SUBST(SHLIBPATH_VAR)
|
||||||
APACHE_SUBST(OS_SPECIFIC_VARS)
|
APACHE_SUBST(OS_SPECIFIC_VARS)
|
25
httpd.spec
25
httpd.spec
|
@ -12,8 +12,8 @@
|
||||||
|
|
||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.51
|
Version: 2.4.53
|
||||||
Release: 8%{?dist}
|
Release: 1%{?dist}
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
|
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
|
||||||
|
@ -66,7 +66,7 @@ Source48: apache-poweredby.png
|
||||||
Patch2: httpd-2.4.43-apxs.patch
|
Patch2: httpd-2.4.43-apxs.patch
|
||||||
Patch3: httpd-2.4.43-deplibs.patch
|
Patch3: httpd-2.4.43-deplibs.patch
|
||||||
# Needed for socket activation and mod_systemd patch
|
# Needed for socket activation and mod_systemd patch
|
||||||
Patch19: httpd-2.4.43-detect-systemd.patch
|
Patch19: httpd-2.4.53-detect-systemd.patch
|
||||||
# Features/functional changes
|
# Features/functional changes
|
||||||
Patch21: httpd-2.4.48-r1842929+.patch
|
Patch21: httpd-2.4.48-r1842929+.patch
|
||||||
Patch22: httpd-2.4.43-mod_systemd.patch
|
Patch22: httpd-2.4.43-mod_systemd.patch
|
||||||
|
@ -98,9 +98,6 @@ Patch50: httpd-2.4.48-r1825120.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
|
||||||
Patch60: httpd-2.4.43-enable-sslv3.patch
|
Patch60: httpd-2.4.43-enable-sslv3.patch
|
||||||
Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
|
Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1986822
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1976080
|
|
||||||
Patch62: httpd-2.4.51-openssl3.patch
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442
|
||||||
Patch64: httpd-2.4.48-full-release.patch
|
Patch64: httpd-2.4.48-full-release.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011
|
||||||
|
@ -111,12 +108,7 @@ Patch66: httpd-2.4.51-r1892413+.patch
|
||||||
Patch67: httpd-2.4.51-r1811831.patch
|
Patch67: httpd-2.4.51-r1811831.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2034674
|
#Patch200: patchname
|
||||||
Patch200: httpd-2.4.51-CVE-2021-44790.patch
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2064321
|
|
||||||
Patch201: httpd-2.4.51-CVE-2022-22720.patch
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2034672
|
|
||||||
Patch202: httpd-2.4.51-CVE-2021-44224.patch
|
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
|
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
|
||||||
|
@ -267,16 +259,11 @@ written in the Lua programming language.
|
||||||
|
|
||||||
%patch60 -p1 -b .enable-sslv3
|
%patch60 -p1 -b .enable-sslv3
|
||||||
%patch61 -p1 -b .htcacheclean-dont-break
|
%patch61 -p1 -b .htcacheclean-dont-break
|
||||||
%patch62 -p1 -b .r1876934
|
|
||||||
%patch64 -p1 -b .full-release
|
%patch64 -p1 -b .full-release
|
||||||
%patch65 -p1 -b .r1877397
|
%patch65 -p1 -b .r1877397
|
||||||
%patch66 -p1 -b .r1892413+
|
%patch66 -p1 -b .r1892413+
|
||||||
%patch67 -p1 -b .r1811831
|
%patch67 -p1 -b .r1811831
|
||||||
|
|
||||||
%patch200 -p1 -b .CVE-2021-44790
|
|
||||||
%patch201 -p1 -b .CVE-2022-22720
|
|
||||||
%patch202 -p1 -b .CVE-2021-44224
|
|
||||||
|
|
||||||
# Patch in the vendor string
|
# Patch in the vendor string
|
||||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||||
sed -i 's/@RELEASE@/%{release}/' server/core.c
|
sed -i 's/@RELEASE@/%{release}/' server/core.c
|
||||||
|
@ -822,6 +809,10 @@ exit $rv
|
||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-1
|
||||||
|
- new version 2.4.53
|
||||||
|
- Resolves: #2079939 - httpd rebase to 2.4.53
|
||||||
|
|
||||||
* Mon Apr 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-8
|
* Mon Apr 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-8
|
||||||
- Resolves: #2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using
|
- Resolves: #2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using
|
||||||
SetEnv or PassEnv
|
SetEnv or PassEnv
|
||||||
|
|
4
sources
4
sources
|
@ -1,3 +1,3 @@
|
||||||
SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
|
SHA512 (httpd-2.4.53.tar.bz2) = 07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756
|
||||||
SHA512 (httpd-2.4.51.tar.bz2.asc) = c63f2b08eb0b7e688c4a89b4be1d968c9e4a3f09714ffc4fb9b2210b6694b8c90f4067aec63601ec41987507bba8dfcef15f54b8c0707cc49414c9c76dd5d8ce
|
SHA512 (httpd-2.4.53.tar.bz2.asc) = 553df571cf8edda9146c2aaadce7e5a204f9aa8bd05b165dd81e2339db830c06bdb2b546321d3ab1dcc3133a7d37bbbeb31944b725d8a5fc6b6dc389a5c25686
|
||||||
SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192
|
SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192
|
||||||
|
|
Loading…
Reference in New Issue