rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

new version 2.4.43 (#1819023)

Browse Source
This commit is contained in:
Lubos Uhliarik 2020-03-31 16:30:12 +02:00
parent 002dac01c9
commit 76f6dc7dfc
26 changed files with 1395 additions and 2519 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -35,3 +35,5 @@ x86_64
/httpd.conf.5 /httpd.conf.5
/httpd-2.4.41.tar.bz2.asc /httpd-2.4.41.tar.bz2.asc
/apachectl.8 /apachectl.8
/httpd-2.4.43.tar.bz2.asc
/KEYS

75
httpd-2.4.25-detect-systemd.patch
View File

@ -1,75 +0,0 @@
diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
--- httpd-2.4.25/acinclude.m4.detectsystemd
+++ httpd-2.4.25/acinclude.m4
@@ -604,6 +604,30 @@
fi
])
+AC_DEFUN(APACHE_CHECK_SYSTEMD, [
+dnl Check for systemd support for listen.c's socket activation.
+case $host in
+*-linux-*)
+ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon`
+ else
+ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
+ fi
+ if test -n "$SYSTEMD_LIBS"; then
+ AC_CHECK_HEADERS(systemd/sd-daemon.h)
+ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
+ AC_MSG_WARN([Your system does not support systemd.])
+ else
+ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
+ fi
+ fi
+ ;;
+esac
+])
+
dnl
dnl APACHE_EXPORT_ARGUMENTS
dnl Export (via APACHE_SUBST) the various path-related variables that
diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in
--- httpd-2.4.25/configure.in.detectsystemd
+++ httpd-2.4.25/configure.in
@@ -234,6 +234,7 @@
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi
@@ -504,6 +510,8 @@
AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field])
fi
+APACHE_CHECK_SYSTEMD
+
dnl ## Set up any appropriate OS-specific environment variables for apachectl
case $host in
@@ -668,6 +676,7 @@
APACHE_SUBST(BUILTIN_LIBS)
APACHE_SUBST(SHLIBPATH_VAR)
APACHE_SUBST(OS_SPECIFIC_VARS)
+APACHE_SUBST(HTTPD_LIBS)
PRE_SHARED_CMDS='echo ""'
POST_SHARED_CMDS='echo ""'
--- httpd-2.4.25/Makefile.in.detectsystemd
+++ httpd-2.4.25/Makefile.in
@@ -4,7 +4,7 @@
PROGRAM_NAME = $(progname)
PROGRAM_SOURCES = modules.c
-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
PROGRAM_DEPENDENCIES = \
server/libmain.la \

130
httpd-2.4.34-r1738878.patch
View File

@ -1,130 +0,0 @@
--- httpd-2.4.34/modules/proxy/ajp_header.c.r1738878
+++ httpd-2.4.34/modules/proxy/ajp_header.c
@@ -213,7 +213,8 @@
static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
request_rec *r,
- apr_uri_t *uri)
+ apr_uri_t *uri,
+ const char *secret)
{
int method;
apr_uint32_t i, num_headers = 0;
@@ -293,17 +294,15 @@
i, elts[i].key, elts[i].val);
}
-/* XXXX need to figure out how to do this
- if (s->secret) {
+ if (secret) {
if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
- ajp_msg_append_string(msg, s->secret)) {
+ ajp_msg_append_string(msg, secret)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
- "Error ajp_marshal_into_msgb - "
+ "ajp_marshal_into_msgb: "
"Error appending secret");
return APR_EGENERAL;
}
}
- */
if (r->user) {
if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
@@ -671,7 +670,8 @@
apr_status_t ajp_send_header(apr_socket_t *sock,
request_rec *r,
apr_size_t buffsize,
- apr_uri_t *uri)
+ apr_uri_t *uri,
+ const char *secret)
{
ajp_msg_t *msg;
apr_status_t rc;
@@ -683,7 +683,7 @@
return rc;
}
- rc = ajp_marshal_into_msgb(msg, r, uri);
+ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
if (rc != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
"ajp_send_header: ajp_marshal_into_msgb failed");
--- httpd-2.4.34/modules/proxy/ajp.h.r1738878
+++ httpd-2.4.34/modules/proxy/ajp.h
@@ -413,12 +413,14 @@
* @param sock backend socket
* @param r current request
* @param buffsize max size of the AJP packet.
+ * @param secret authentication secret
* @param uri requested uri
* @return APR_SUCCESS or error
*/
apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
apr_size_t buffsize,
- apr_uri_t *uri);
+ apr_uri_t *uri,
+ const char *secret);
/**
* Read the ajp message and return the type of the message.
--- httpd-2.4.34/modules/proxy/mod_proxy_ajp.c.r1738878
+++ httpd-2.4.34/modules/proxy/mod_proxy_ajp.c
@@ -193,6 +193,7 @@
apr_off_t content_length = 0;
int original_status = r->status;
const char *original_status_line = r->status_line;
+ const char *secret = NULL;
if (psf->io_buffer_size_set)
maxsize = psf->io_buffer_size;
@@ -202,12 +203,15 @@
maxsize = AJP_MSG_BUFFER_SZ;
maxsize = APR_ALIGN(maxsize, 1024);
+ if (*conn->worker->s->secret)
+ secret = conn->worker->s->secret;
+
/*
* Send the AJP request to the remote server
*/
/* send request headers */
- status = ajp_send_header(conn->sock, r, maxsize, uri);
+ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
if (status != APR_SUCCESS) {
conn->close = 1;
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
--- httpd-2.4.34/modules/proxy/mod_proxy.c.r1738878
+++ httpd-2.4.34/modules/proxy/mod_proxy.c
@@ -319,6 +319,12 @@
(int)sizeof(worker->s->upgrade));
}
}
+ else if (!strcasecmp(key, "secret")) {
+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
+ return apr_psprintf(p, "Secret length must be < %d characters",
+ (int)sizeof(worker->s->secret));
+ }
+ }
else if (!strcasecmp(key, "responsefieldsize")) {
long s = atol(val);
if (s < 0) {
--- httpd-2.4.34/modules/proxy/mod_proxy.h.r1738878
+++ httpd-2.4.34/modules/proxy/mod_proxy.h
@@ -357,6 +357,7 @@
#define PROXY_WORKER_MAX_HOSTNAME_SIZE 64
#define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
#define PROXY_BALANCER_MAX_STICKY_SIZE 64
+#define PROXY_WORKER_MAX_SECRET_SIZE 64
#define PROXY_RFC1035_HOSTNAME_SIZE 256
@@ -453,6 +454,7 @@
char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */
apr_size_t response_field_size; /* Size of proxy response buffer in bytes. */
unsigned int response_field_size_set:1;
+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
} proxy_worker_shared;
#define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))

677
httpd-2.4.38-r1830819+.patch
View File

@ -1,677 +0,0 @@
# ./pullrev.sh 1830819 1830836 1830912 1830913 1830927 1831168 1831173
http://svn.apache.org/viewvc?view=revision&revision=1830819
http://svn.apache.org/viewvc?view=revision&revision=1830912
http://svn.apache.org/viewvc?view=revision&revision=1830913
http://svn.apache.org/viewvc?view=revision&revision=1830927
http://svn.apache.org/viewvc?view=revision&revision=1831168
http://svn.apache.org/viewvc?view=revision&revision=1831173
http://svn.apache.org/viewvc?view=revision&revision=1835240
http://svn.apache.org/viewvc?view=revision&revision=1835242
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index d276fea..5467d23 100644
--- httpd-2.4.38/modules/ssl/ssl_engine_config.c.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_engine_config.c
@@ -916,7 +916,9 @@
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
- if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ /* Only check for non-ENGINE based certs. */
+ if (!modssl_is_engine_id(arg)
+ && (err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
@@ -932,7 +934,9 @@
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
- if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ /* Check keyfile exists for non-ENGINE keys. */
+ if (!modssl_is_engine_id(arg)
+ && (err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
--- httpd-2.4.38/modules/ssl/ssl_engine_init.c.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_engine_init.c
@@ -1228,12 +1228,18 @@
(certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i,
const char *));
i++) {
+ EVP_PKEY *pkey;
+ const char *engine_certfile = NULL;
+
key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
ERR_clear_error();
/* first the certificate (public key) */
- if (mctx->cert_chain) {
+ if (modssl_is_engine_id(certfile)) {
+ engine_certfile = certfile;
+ }
+ else if (mctx->cert_chain) {
if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
SSL_FILETYPE_PEM) < 1)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02561)
@@ -1262,12 +1268,46 @@
ERR_clear_error();
- if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
- SSL_FILETYPE_PEM) < 1) &&
- (ERR_GET_FUNC(ERR_peek_last_error())
- != X509_F_X509_CHECK_PRIVATE_KEY)) {
+ if (modssl_is_engine_id(keyfile)) {
+ apr_status_t rv;
+
+ cert = NULL;
+
+ if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
+ engine_certfile, keyfile,
+ &cert, &pkey))) {
+ return rv;
+ }
+
+ if (cert) {
+ if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
+ "Failed to configure engine certificate %s, check %s",
+ key_id, certfile);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return APR_EGENERAL;
+ }
+
+ /* SSL_CTX now owns the cert. */
+ X509_free(cert);
+ }
+
+ if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
+ "Failed to configure private key %s from engine",
+ keyfile);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return APR_EGENERAL;
+ }
+
+ /* SSL_CTX now owns the key */
+ EVP_PKEY_free(pkey);
+ }
+ else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
+ SSL_FILETYPE_PEM) < 1)
+ && (ERR_GET_FUNC(ERR_peek_last_error())
+ != X509_F_X509_CHECK_PRIVATE_KEY)) {
ssl_asn1_t *asn1;
- EVP_PKEY *pkey;
const unsigned char *ptr;
ERR_clear_error();
@@ -1354,8 +1394,9 @@
/*
* Try to read DH parameters from the (first) SSLCertificateFile
*/
- if ((certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *)) &&
- (dhparams = ssl_dh_GetParamFromFile(certfile))) {
+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+ if (certfile && !modssl_is_engine_id(certfile)
+ && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
@@ -1367,10 +1408,10 @@
/*
* Similarly, try to read the ECDH curve name from SSLCertificateFile...
*/
- if ((certfile != NULL) &&
- (ecparams = ssl_ec_GetParamFromFile(certfile)) &&
- (nid = EC_GROUP_get_curve_name(ecparams)) &&
- (eckey = EC_KEY_new_by_curve_name(nid))) {
+ if (certfile && !modssl_is_engine_id(certfile)
+ && (ecparams = ssl_ec_GetParamFromFile(certfile))
+ && (nid = EC_GROUP_get_curve_name(ecparams))
+ && (eckey = EC_KEY_new_by_curve_name(nid))) {
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
"ECDH curve %s for %s specified in %s",
--- httpd-2.4.38/modules/ssl/ssl_engine_pphrase.c.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_engine_pphrase.c
@@ -143,8 +143,6 @@
const char *key_id = asn1_table_vhost_key(mc, p, sc->vhost_id, idx);
EVP_PKEY *pPrivateKey = NULL;
ssl_asn1_t *asn1;
- unsigned char *ucp;
- long int length;
int nPassPhrase = (*pphrases)->nelts;
int nPassPhraseRetry = 0;
apr_time_t pkey_mtime = 0;
@@ -221,7 +219,7 @@
* is not empty. */
ERR_clear_error();
- pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file, NULL,
+ pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file,
ssl_pphrase_Handle_CB, &ppcb_arg);
/* If the private key was successfully read, nothing more to
do here. */
@@ -351,19 +349,12 @@
nPassPhrase++;
}
- /*
- * Insert private key into the global module configuration
- * (we convert it to a stand-alone DER byte sequence
- * because the SSL library uses static variables inside a
- * RSA structure which do not survive DSO reloads!)
- */
- length = i2d_PrivateKey(pPrivateKey, NULL);
- ucp = ssl_asn1_table_set(mc->tPrivateKey, key_id, length);
- (void)i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
+ /* Cache the private key in the global module configuration so it
+ * can be used after subsequent reloads. */
+ asn1 = ssl_asn1_table_set(mc->tPrivateKey, key_id, pPrivateKey);
if (ppcb_arg.nPassPhraseDialogCur != 0) {
/* remember mtime of encrypted keys */
- asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
asn1->source_mtime = pkey_mtime;
}
@@ -614,3 +605,288 @@
*/
return (len);
}
+
+
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+
+/* OpenSSL UI implementation for passphrase entry; largely duplicated
+ * from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
+ * worth trying to shift pphrase handling over to the UI API
+ * completely. */
+static int passphrase_ui_open(UI *ui)
+{
+ pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
+ SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
+
+ ppcb->nPassPhraseDialog++;
+ ppcb->nPassPhraseDialogCur++;
+
+ /*
+ * Builtin or Pipe dialog
+ */
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
+ if (!readtty) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s,
+ APLOGNO(10143)
+ "Init: Creating pass phrase dialog pipe child "
+ "'%s'", sc->server->pphrase_dialog_path);
+ if (ssl_pipe_child_create(ppcb->p,
+ sc->server->pphrase_dialog_path)
+ != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s,
+ APLOGNO(10144)
+ "Init: Failed to create pass phrase pipe '%s'",
+ sc->server->pphrase_dialog_path);
+ return 0;
+ }
+ }
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10145)
+ "Init: Requesting pass phrase via piped dialog");
+ }
+ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
+#ifdef WIN32
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s, APLOGNO(10146)
+ "Init: Failed to create pass phrase pipe '%s'",
+ sc->server->pphrase_dialog_path);
+ return 0;
+#else
+ /*
+ * stderr has already been redirected to the error_log.
+ * rather than attempting to temporarily rehook it to the terminal,
+ * we print the prompt to stdout before EVP_read_pw_string turns
+ * off tty echo
+ */
+ apr_file_open_stdout(&writetty, ppcb->p);
+
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10147)
+ "Init: Requesting pass phrase via builtin terminal "
+ "dialog");
+#endif
+ }
+
+ /*
+ * The first time display a header to inform the user about what
+ * program he actually speaks to, which module is responsible for
+ * this terminal dialog and why to the hell he has to enter
+ * something...
+ */
+ if (ppcb->nPassPhraseDialog == 1) {
+ apr_file_printf(writetty, "%s mod_ssl (Pass Phrase Dialog)\n",
+ AP_SERVER_BASEVERSION);
+ apr_file_printf(writetty,
+ "A pass phrase is required to access the private key.\n");
+ }
+ if (ppcb->bPassPhraseDialogOnce) {
+ ppcb->bPassPhraseDialogOnce = FALSE;
+ apr_file_printf(writetty, "\n");
+ apr_file_printf(writetty, "Private key %s (%s)\n",
+ ppcb->key_id, ppcb->pkey_file);
+ }
+ }
+
+ return 1;
+}
+
+static int passphrase_ui_read(UI *ui, UI_STRING *uis)
+{
+ pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
+ SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
+ const char *prompt;
+ int i;
+ int bufsize;
+ int len;
+ char *buf;
+
+ prompt = UI_get0_output_string(uis);
+ if (prompt == NULL) {
+ prompt = "Enter pass phrase:";
+ }
+
+ /*
+ * Get the maximum expected size and allocate the buffer
+ */
+ bufsize = UI_get_result_maxsize(uis);
+ buf = apr_pcalloc(ppcb->p, bufsize);
+
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
+ /*
+ * Get the pass phrase through a callback.
+ * Empty input is not accepted.
+ */
+ for (;;) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
+ i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
+ }
+ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
+ i = EVP_read_pw_string(buf, bufsize, "", FALSE);
+ }
+ if (i != 0) {
+ OPENSSL_cleanse(buf, bufsize);
+ return 0;
+ }
+ len = strlen(buf);
+ if (len < 1){
+ apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase"
+ "empty (needs to be at least 1 character).\n");
+ apr_file_puts(prompt, writetty);
+ }
+ else {
+ break;
+ }
+ }
+ }
+ /*
+ * Filter program
+ */
+ else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
+ const char *cmd = sc->server->pphrase_dialog_path;
+ const char **argv = apr_palloc(ppcb->p, sizeof(char *) * 3);
+ char *result;
+
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10148)
+ "Init: Requesting pass phrase from dialog filter "
+ "program (%s)", cmd);
+
+ argv[0] = cmd;
+ argv[1] = ppcb->key_id;
+ argv[2] = NULL;
+
+ result = ssl_util_readfilter(ppcb->s, ppcb->p, cmd, argv);
+ apr_cpystrn(buf, result, bufsize);
+ len = strlen(buf);
+ }
+
+ /*
+ * Ok, we now have the pass phrase, so give it back
+ */
+ ppcb->cpPassPhraseCur = apr_pstrdup(ppcb->p, buf);
+ UI_set_result(ui, uis, buf);
+
+ /* Clear sensitive data. */
+ OPENSSL_cleanse(buf, bufsize);
+ return 1;
+}
+
+static int passphrase_ui_write(UI *ui, UI_STRING *uis)
+{
+ pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
+ SSLSrvConfigRec *sc;
+ const char *prompt;
+
+ sc = mySrvConfig(ppcb->s);
+
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
+ prompt = UI_get0_output_string(uis);
+ apr_file_puts(prompt, writetty);
+ }
+
+ return 1;
+}
+
+static int passphrase_ui_close(UI *ui)
+{
+ /*
+ * Close the pipes if they were opened
+ */
+ if (readtty) {
+ apr_file_close(readtty);
+ apr_file_close(writetty);
+ readtty = writetty = NULL;
+ }
+ return 1;
+}
+
+static apr_status_t pp_ui_method_cleanup(void *uip)
+{
+ UI_METHOD *uim = uip;
+
+ UI_destroy_method(uim);
+
+ return APR_SUCCESS;
+}
+
+static UI_METHOD *get_passphrase_ui(apr_pool_t *p)
+{
+ UI_METHOD *ui_method = UI_create_method("Passphrase UI");
+
+ UI_method_set_opener(ui_method, passphrase_ui_open);
+ UI_method_set_reader(ui_method, passphrase_ui_read);
+ UI_method_set_writer(ui_method, passphrase_ui_write);
+ UI_method_set_closer(ui_method, passphrase_ui_close);
+
+ apr_pool_cleanup_register(p, ui_method, pp_ui_method_cleanup,
+ pp_ui_method_cleanup);
+
+ return ui_method;
+}
+
+
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ ENGINE *e;
+ UI_METHOD *ui_method = get_passphrase_ui(p);
+ pphrase_cb_arg_t ppcb;
+
+ memset(&ppcb, 0, sizeof ppcb);
+ ppcb.s = s;
+ ppcb.p = p;
+ ppcb.bPassPhraseDialogOnce = TRUE;
+ ppcb.key_id = vhostid;
+ ppcb.pkey_file = keyid;
+
+ if (!mc->szCryptoDevice) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: Cannot load private key `%s' without engine",
+ keyid);
+ return ssl_die(s);
+ }
+
+ if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+ "Init: Failed to load Crypto Device API `%s'",
+ mc->szCryptoDevice);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+
+ if (APLOGdebug(s)) {
+ ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0);
+ }
+
+ if (certid) {
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } params = { certid, NULL };
+
+ if (!ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10136)
+ "Init: Unable to get the certificate");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+
+ *pubkey = params.cert;
+ }
+
+ *privkey = ENGINE_load_private_key(e, keyid, ui_method, &ppcb);
+ if (*privkey == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10133)
+ "Init: Unable to get the private key");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+
+ ENGINE_free(e);
+
+ return APR_SUCCESS;
+}
+#endif
--- httpd-2.4.38/modules/ssl/ssl_private.h.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_private.h
@@ -1002,21 +1002,28 @@
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
const char *, apr_array_header_t **);
+/* Load public and/or private key from the configured ENGINE. Private
+ * key returned as *pkey. certid can be NULL, in which case *pubkey
+ * is not altered. Errors logged on failure. */
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey);
+
/** Diffie-Hellman Parameter Support */
DH *ssl_dh_GetParamFromFile(const char *);
#ifdef HAVE_ECC
EC_GROUP *ssl_ec_GetParamFromFile(const char *);
#endif
-unsigned char *ssl_asn1_table_set(apr_hash_t *table,
- const char *key,
- long int length);
-
-ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
- const char *key);
-
-void ssl_asn1_table_unset(apr_hash_t *table,
- const char *key);
+/* Store the EVP_PKEY key (serialized into DER) in the hash table with
+ * key, returning the ssl_asn1_t structure pointer. */
+ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
+ EVP_PKEY *pkey);
+/* Retrieve the ssl_asn1_t structure with given key from the hash. */
+ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
+/* Remove and free the ssl_asn1_t structure with given key. */
+void ssl_asn1_table_unset(apr_hash_t *table, const char *key);
/** Mutex Support */
int ssl_mutex_init(server_rec *, apr_pool_t *);
@@ -1109,6 +1116,10 @@
int ssl_is_challenge(conn_rec *c, const char *servername,
X509 **pcert, EVP_PKEY **pkey);
+/* Returns non-zero if the cert/key filename should be handled through
+ * the configured ENGINE. */
+int modssl_is_engine_id(const char *name);
+
#endif /* SSL_PRIVATE_H */
/** @} */
--- httpd-2.4.38/modules/ssl/ssl_util.c.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_util.c
@@ -192,45 +192,37 @@
return TRUE;
}
-/*
- * certain key data needs to survive restarts,
- * which are stored in the user data table of s->process->pool.
- * to prevent "leaking" of this data, we use malloc/free
- * rather than apr_palloc and these wrappers to help make sure
- * we do not leak the malloc-ed data.
- */
-unsigned char *ssl_asn1_table_set(apr_hash_t *table,
- const char *key,
- long int length)
+/* Decrypted private keys are cached to survive restarts. The cached
+ * data must have lifetime of the process (hence malloc/free rather
+ * than pools), and uses raw DER since the EVP_PKEY structure
+ * internals may not survive across a module reload. */
+ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
+ EVP_PKEY *pkey)
{
apr_ssize_t klen = strlen(key);
ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
+ apr_size_t length = i2d_PrivateKey(pkey, NULL);
+ unsigned char *p;
- /*
- * if a value for this key already exists,
- * reuse as much of the already malloc-ed data
- * as possible.
- */
+ /* Re-use structure if cached previously. */
if (asn1) {
if (asn1->nData != length) {
- free(asn1->cpData); /* XXX: realloc? */
- asn1->cpData = NULL;
+ asn1->cpData = ap_realloc(asn1->cpData, length);
}
}
else {
asn1 = ap_malloc(sizeof(*asn1));
asn1->source_mtime = 0; /* used as a note for encrypted private keys */
- asn1->cpData = NULL;
- }
-
- asn1->nData = length;
- if (!asn1->cpData) {
asn1->cpData = ap_malloc(length);
+
+ apr_hash_set(table, key, klen, asn1);
}
- apr_hash_set(table, key, klen, asn1);
+ asn1->nData = length;
+ p = asn1->cpData;
+ i2d_PrivateKey(pkey, &p); /* increases p by length */
- return asn1->cpData; /* caller will assign a value to this */
+ return asn1;
}
ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
@@ -480,3 +472,13 @@
}
#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
+
+int modssl_is_engine_id(const char *name)
+{
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+ /* ### Can handle any other special ENGINE key names here? */
+ return strncmp(name, "pkcs11:", 7) == 0;
+#else
+ return 0;
+#endif
+}
--- httpd-2.4.38/modules/ssl/ssl_util_ssl.c.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_util_ssl.c
@@ -74,7 +74,7 @@
** _________________________________________________________________
*/
-EVP_PKEY *modssl_read_privatekey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
+EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
@@ -83,7 +83,7 @@
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
- rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ rc = PEM_read_bio_PrivateKey(bioS, NULL, cb, s);
BIO_free(bioS);
if (rc == NULL) {
@@ -107,41 +107,9 @@
BIO_free(bioS);
}
}
- if (rc != NULL && key != NULL) {
- if (*key != NULL)
- EVP_PKEY_free(*key);
- *key = rc;
- }
return rc;
}
-typedef struct {
- const char *pass;
- int pass_len;
-} pass_ctx;
-
-static int provide_pass(char *buf, int size, int rwflag, void *baton)
-{
- pass_ctx *ctx = baton;
- if (ctx->pass_len > 0) {
- if (ctx->pass_len < size) {
- size = (int)ctx->pass_len;
- }
- memcpy(buf, ctx->pass, size);
- }
- return ctx->pass_len;
-}
-
-EVP_PKEY *modssl_read_encrypted_pkey(const char *filename, EVP_PKEY **key,
- const char *pass, apr_size_t pass_len)
-{
- pass_ctx ctx;
-
- ctx.pass = pass;
- ctx.pass_len = pass_len;
- return modssl_read_privatekey(filename, key, provide_pass, &ctx);
-}
-
/* _________________________________________________________________
**
** Smart shutdown
--- httpd-2.4.38/modules/ssl/ssl_util_ssl.h.r1830819+
+++ httpd-2.4.38/modules/ssl/ssl_util_ssl.h
@@ -64,8 +64,11 @@
void modssl_init_app_data2_idx(void);
void *modssl_get_app_data2(SSL *);
void modssl_set_app_data2(SSL *, void *);
-EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *);
-EVP_PKEY *modssl_read_encrypted_pkey(const char *, EVP_PKEY **, const char *, apr_size_t);
+
+/* Read private key from filename in either PEM or raw base64(DER)
+ * format, using password entry callback cb and userdata. */
+EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, void *ud);
+
int modssl_smart_shutdown(SSL *ssl);
BOOL modssl_X509_getBC(X509 *, int *, int *);
char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,

14
httpd-2.4.41-r1865749.patch
View File

@ -1,14 +0,0 @@
# ./pullrev.sh 1865749
http://svn.apache.org/viewvc?view=revision&revision=1865749
--- httpd-2.4.41/modules/proxy/mod_proxy_balancer.c.r1865749
+++ httpd-2.4.41/modules/proxy/mod_proxy_balancer.c
@@ -1104,7 +1104,7 @@
if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
return 0;
- return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
+ return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
}
/* Manages the loadfactors and member status

240
httpd-2.4.41-systemd.patch
View File

@ -1,240 +0,0 @@
--- httpd-2.4.41/modules/arch/unix/config5.m4.systemd
+++ httpd-2.4.41/modules/arch/unix/config5.m4
@@ -18,6 +18,16 @@
fi
])
+APACHE_MODULE(systemd, Systemd support, , , all, [
+ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
+ AC_MSG_WARN([Your system does not support systemd.])
+ enable_systemd="no"
+ else
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
+ enable_systemd="yes"
+ fi
+])
+
APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
APACHE_MODPATH_FINISH
--- httpd-2.4.41/modules/arch/unix/mod_systemd.c.systemd
+++ httpd-2.4.41/modules/arch/unix/mod_systemd.c
@@ -0,0 +1,218 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <stdint.h>
+#include <ap_config.h>
+#include "ap_mpm.h"
+#include <http_core.h>
+#include <httpd.h>
+#include <http_log.h>
+#include <apr_version.h>
+#include <apr_pools.h>
+#include <apr_strings.h>
+#include "unixd.h"
+#include "scoreboard.h"
+#include "mpm_common.h"
+
+#include "systemd/sd-daemon.h"
+#include "systemd/sd-journal.h"
+
+#if APR_HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+static int shutdown_timer = 0;
+static int shutdown_counter = 0;
+static unsigned long bytes_served;
+static pid_t mainpid;
+static char describe_listeners[50];
+
+static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
+{
+ sd_notify(0,
+ "RELOADING=1\n"
+ "STATUS=Reading configuration...\n");
+ ap_extended_status = 1;
+ return OK;
+}
+
+static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p)
+{
+ apr_sockaddr_t *sa = lr->bind_addr;
+ char addr[128];
+
+ if (apr_sockaddr_is_wildcard(sa)) {
+ return apr_pstrcat(p, "port ", apr_itoa(p, sa->port), NULL);
+ }
+
+ apr_sockaddr_ip_getbuf(addr, sizeof addr, sa);
+
+ return apr_psprintf(p, "%s port %u", addr, sa->port);
+}
+
+/* Report the service is ready in post_config, which could be during
+ * startup or after a reload. The server could still hit a fatal
+ * startup error after this point during ap_run_mpm(), so this is
+ * perhaps too early, but by post_config listen() has been called on
+ * the TCP ports so new connections will not be rejected. There will
+ * always be a possible async failure event simultaneous to the
+ * service reporting "ready", so this should be good enough. */
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *main_server)
+{
+ ap_listen_rec *lr;
+ apr_size_t plen = sizeof describe_listeners;
+ char *p = describe_listeners;
+
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ return OK;
+
+ for (lr = ap_listeners; lr; lr = lr->next) {
+ char *s = dump_listener(lr, ptemp);
+
+ if (strlen(s) + 3 < plen) {
+ char *newp = apr_cpystrn(p, s, plen);
+ if (lr->next)
+ newp = apr_cpystrn(newp, ", ", 3);
+ plen -= newp - p;
+ p = newp;
+ }
+ else {
+ if (plen < 4) {
+ p = describe_listeners + sizeof describe_listeners - 4;
+ plen = 4;
+ }
+ apr_cpystrn(p, "...", plen);
+ break;
+ }
+ }
+
+ sd_notify(0, "READY=1\n"
+ "STATUS=Configuration loaded.\n");
+
+ sd_journal_print(LOG_INFO, "Server configured, listening on: %s",
+ describe_listeners);
+
+ return OK;
+}
+
+static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
+{
+ mainpid = getpid();
+
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Started, listening on: %s\n"
+ "MAINPID=%" APR_PID_T_FMT,
+ describe_listeners, mainpid);
+
+ return OK;
+}
+
+static int systemd_monitor(apr_pool_t *p, server_rec *s)
+{
+ ap_sload_t sload;
+ apr_interval_time_t up_time;
+ char bps[5];
+
+ if (!ap_extended_status) {
+ /* Nothing useful to report with ExtendedStatus disabled. */
+ return DECLINED;
+ }
+
+ ap_get_sload(&sload);
+
+ if (sload.access_count == 0) {
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Running, listening on: %s\n",
+ describe_listeners);
+ }
+ else {
+ /* up_time in seconds */
+ up_time = (apr_uint32_t) apr_time_sec(apr_time_now() -
+ ap_scoreboard_image->global->restart_time);
+
+ apr_strfsize((unsigned long)((float) (sload.bytes_served)
+ / (float) up_time), bps);
+
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Total requests: %lu; Idle/Busy workers %d/%d;"
+ "Requests/sec: %.3g; Bytes served/sec: %sB/sec\n",
+ sload.access_count, sload.idle, sload.busy,
+ ((float) sload.access_count) / (float) up_time, bps);
+ }
+
+ /* Shutdown httpd when nothing is sent for shutdown_timer seconds. */
+ if (sload.bytes_served == bytes_served) {
+ /* mpm_common.c: INTERVAL_OF_WRITABLE_PROBES is 10 */
+ shutdown_counter += 10;
+ if (shutdown_timer > 0 && shutdown_counter >= shutdown_timer) {
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Stopped as result of IdleShutdown "
+ "timeout.");
+ kill(mainpid, AP_SIG_GRACEFUL);
+ }
+ }
+ else {
+ shutdown_counter = 0;
+ }
+
+ bytes_served = sload.bytes_served;
+
+ return DECLINED;
+}
+
+static void systemd_register_hooks(apr_pool_t *p)
+{
+ /* Enable ap_extended_status. */
+ ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST);
+ /* Grab the listener config. */
+ ap_hook_post_config(systemd_post_config, NULL, NULL, APR_HOOK_REALLY_LAST);
+ /* We know the PID in this hook ... */
+ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST);
+ /* Used to update httpd's status line using sd_notifyf */
+ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+static const char *set_shutdown_timer(cmd_parms *cmd, void *dummy,
+ const char *arg)
+{
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+
+ shutdown_timer = atoi(arg);
+ return NULL;
+}
+
+static const command_rec systemd_cmds[] =
+{
+AP_INIT_TAKE1("IdleShutdown", set_shutdown_timer, NULL, RSRC_CONF,
+ "Number of seconds in idle-state after which httpd is shutdown"),
+ {NULL}
+};
+
+AP_DECLARE_MODULE(systemd) = {
+ STANDARD20_MODULE_STUFF,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ systemd_cmds,
+ systemd_register_hooks,
+};

12
httpd-2.4.9-apxs.patch → httpd-2.4.43-apxs.patch
View File

@ -1,8 +1,8 @@
diff --git a/support/apxs.in b/support/apxs.in diff --git a/support/apxs.in b/support/apxs.in
index ad1287f..efcfcf6 100644 index b2705fa..c331631 100644
--- a/support/apxs.in --- a/support/apxs.in
+++ b/support/apxs.in +++ b/support/apxs.in
@@ -25,7 +25,18 @@ package apxs; @@ -35,7 +35,18 @@ if ($ddi >= 0) {
my %config_vars = (); my %config_vars = ();
@ -19,10 +19,10 @@ index ad1287f..efcfcf6 100644
+ +
+my $installbuilddir = $libdir . "/httpd/build"; +my $installbuilddir = $libdir . "/httpd/build";
+ +
get_config_vars("$installbuilddir/config_vars.mk",\%config_vars); get_config_vars($destdir . "$installbuilddir/config_vars.mk",\%config_vars);
# read the configuration variables once # read the configuration variables once
@@ -275,7 +286,7 @@ if ($opt_g) { @@ -285,7 +296,7 @@ if ($opt_g) {
$data =~ s|%NAME%|$name|sg; $data =~ s|%NAME%|$name|sg;
$data =~ s|%TARGET%|$CFG_TARGET|sg; $data =~ s|%TARGET%|$CFG_TARGET|sg;
$data =~ s|%PREFIX%|$prefix|sg; $data =~ s|%PREFIX%|$prefix|sg;
@ -31,7 +31,7 @@ index ad1287f..efcfcf6 100644
my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
@@ -453,11 +464,11 @@ if ($opt_c) { @@ -463,11 +474,11 @@ if ($opt_c) {
my $ldflags = "$CFG_LDFLAGS"; my $ldflags = "$CFG_LDFLAGS";
if ($opt_p == 1) { if ($opt_p == 1) {
@ -45,7 +45,7 @@ index ad1287f..efcfcf6 100644
chomp($apu_libs); chomp($apu_libs);
} }
@@ -672,8 +683,8 @@ __DATA__ @@ -682,8 +693,8 @@ __DATA__
builddir=. builddir=.
top_srcdir=%PREFIX% top_srcdir=%PREFIX%

16
httpd-2.4.4-cachehardmax.patch → httpd-2.4.43-cachehardmax.patch
View File

@ -1,8 +1,8 @@
diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
index eec38f3..1a2d5ee 100644 index 6b92151..4c42a8e 100644
--- a/modules/cache/cache_util.h --- a/modules/cache/cache_util.h
+++ b/modules/cache/cache_util.h +++ b/modules/cache/cache_util.h
@@ -194,6 +194,9 @@ typedef struct { @@ -195,6 +195,9 @@ typedef struct {
unsigned int store_nostore_set:1; unsigned int store_nostore_set:1;
unsigned int enable_set:1; unsigned int enable_set:1;
unsigned int disable_set:1; unsigned int disable_set:1;
@ -13,10 +13,10 @@ index eec38f3..1a2d5ee 100644
/* A linked-list of authn providers. */ /* A linked-list of authn providers. */
diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
index 4f2d3e0..30c88f4 100644 index 3b9aa4f..8268503 100644
--- a/modules/cache/mod_cache.c --- a/modules/cache/mod_cache.c
+++ b/modules/cache/mod_cache.c +++ b/modules/cache/mod_cache.c
@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) @@ -1455,6 +1455,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
exp = date + dconf->defex; exp = date + dconf->defex;
} }
} }
@ -28,7 +28,7 @@ index 4f2d3e0..30c88f4 100644
info->expire = exp; info->expire = exp;
/* We found a stale entry which wasn't really stale. */ /* We found a stale entry which wasn't really stale. */
@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy) @@ -1954,7 +1959,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
/* array of providers for this URL space */ /* array of providers for this URL space */
dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable)); dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
@ -39,7 +39,7 @@ index 4f2d3e0..30c88f4 100644
return dconf; return dconf;
} }
@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) { @@ -2004,7 +2011,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
new->enable_set = add->enable_set || base->enable_set; new->enable_set = add->enable_set || base->enable_set;
new->disable = (add->disable_set == 0) ? base->disable : add->disable; new->disable = (add->disable_set == 0) ? base->disable : add->disable;
new->disable_set = add->disable_set || base->disable_set; new->disable_set = add->disable_set || base->disable_set;
@ -51,7 +51,7 @@ index 4f2d3e0..30c88f4 100644
return new; return new;
} }
@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy, @@ -2332,12 +2342,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
} }
static const char *set_cache_maxex(cmd_parms *parms, void *dummy, static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
@ -71,7 +71,7 @@ index 4f2d3e0..30c88f4 100644
return NULL; return NULL;
} }
@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] = @@ -2545,7 +2561,7 @@ static const command_rec cache_cmds[] =
"caching is enabled"), "caching is enabled"),
AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF, AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
"A partial URL prefix below which caching is disabled"), "A partial URL prefix below which caching is disabled"),

15
httpd-2.4.1-corelimit.patch → httpd-2.4.43-corelimit.patch
View File

@ -1,13 +1,8 @@
diff --git a/server/core.c b/server/core.c
Bump up the core size limit if CoreDumpDirectory is index 79b2a82..dc0f17a 100644
configured. --- a/server/core.c
+++ b/server/core.c
Upstream-Status: Was discussed but there are competing desires; @@ -4996,6 +4996,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
there are portability oddities here too.
--- httpd-2.4.1/server/core.c.corelimit
+++ httpd-2.4.1/server/core.c
@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
} }
apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
apr_pool_cleanup_null); apr_pool_cleanup_null);

13
httpd-2.4.1-deplibs.patch → httpd-2.4.43-deplibs.patch
View File

@ -1,11 +1,8 @@
diff --git a/configure.in b/configure.in
Link straight against .la files. index f8f9442..f276550 100644
--- a/configure.in
Upstream-Status: vendor specific +++ b/configure.in
@@ -786,9 +786,9 @@ APACHE_SUBST(INSTALL_SUEXEC)
--- httpd-2.4.1/configure.in.deplibs
+++ httpd-2.4.1/configure.in
@@ -707,9 +707,9 @@ APACHE_HELP_STRING(--with-suexec-umask,u
dnl APR should go after the other libs, so the right symbols can be picked up dnl APR should go after the other libs, so the right symbols can be picked up
if test x${apu_found} != xobsolete; then if test x${apu_found} != xobsolete; then

33
httpd-2.4.43-detect-systemd.patch Normal file
View File

@ -0,0 +1,33 @@
diff --git a/Makefile.in b/Makefile.in
index ea8366e..06b8c5a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
PROGRAM_NAME = $(progname)
PROGRAM_SOURCES = modules.c
-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
PROGRAM_DEPENDENCIES = \
server/libmain.la \
diff --git a/configure.in b/configure.in
index f276550..a63eada 100644
--- a/configure.in
+++ b/configure.in
@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi
@@ -679,6 +682,7 @@ APACHE_SUBST(OS_DIR)
APACHE_SUBST(BUILTIN_LIBS)
APACHE_SUBST(SHLIBPATH_VAR)
APACHE_SUBST(OS_SPECIFIC_VARS)
+APACHE_SUBST(HTTPD_LIBS)
PRE_SHARED_CMDS='echo ""'
POST_SHARED_CMDS='echo ""'

21
httpd-2.4.34-enable-sslv3.patch → httpd-2.4.43-enable-sslv3.patch
View File

@ -1,9 +1,8 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
https://bugzilla.redhat.com/show_bug.cgi?id=1623165 index 979489c..3d6443b 100644
--- a/modules/ssl/ssl_engine_config.c
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.enable-sslv3 +++ b/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c @@ -1485,6 +1485,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
@@ -1474,6 +1474,10 @@
#endif #endif
else if (strcEQ(w, "all")) { else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL; thisopt = SSL_PROTOCOL_ALL;
@ -14,9 +13,11 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1623165
} }
else { else {
return apr_pstrcat(parms->temp_pool, return apr_pstrcat(parms->temp_pool,
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.enable-sslv3 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c index b0fcf81..ab6f263 100644
@@ -537,6 +537,28 @@ --- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -568,6 +568,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
} }
#endif #endif
@ -45,7 +46,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1623165
static apr_status_t ssl_init_ctx_protocol(server_rec *s, static apr_status_t ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -687,9 +709,13 @@ @@ -735,9 +757,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
} }
if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
prot = TLS1_VERSION; prot = TLS1_VERSION;

40
httpd-2.4.39-export.patch → httpd-2.4.43-export.patch
View File

@ -5,9 +5,11 @@ to do so indirectly.
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option) Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
--- httpd-2.4.39/Makefile.in.export diff --git a/Makefile.in b/Makefile.in
+++ httpd-2.4.39/Makefile.in index 9eeb5c7..8746a10 100644
@@ -4,8 +4,15 @@ --- a/Makefile.in
+++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
PROGRAM_NAME = $(progname) PROGRAM_NAME = $(progname)
PROGRAM_SOURCES = modules.c PROGRAM_SOURCES = modules.c
@ -24,9 +26,24 @@ Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
PROGRAM_DEPENDENCIES = \ PROGRAM_DEPENDENCIES = \
server/libmain.la \ server/libmain.la \
$(BUILTIN_LIBS) \ $(BUILTIN_LIBS) \
--- httpd-2.4.39/server/main.c.export diff --git a/server/Makefile.in b/server/Makefile.in
+++ httpd-2.4.39/server/main.c index 1fa3344..116850b 100644
@@ -835,17 +835,3 @@ --- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \
connection.c listen.c util_mutex.c \
mpm_common.c mpm_unix.c mpm_fdqueue.c \
util_charset.c util_cookies.c util_debug.c util_xml.c \
- util_filter.c util_pcre.c util_regex.c exports.c \
+ util_filter.c util_pcre.c util_regex.c \
scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c
index 62e06df..17c09ee 100644
--- a/server/main.c
+++ b/server/main.c
@@ -835,17 +835,3 @@ int main(int argc, const char * const argv[])
return !OK; return !OK;
} }
@ -44,14 +61,3 @@ Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
- return ap_ugly_hack; - return ap_ugly_hack;
-} -}
-#endif -#endif
--- httpd-2.4.39/server/Makefile.in.export
+++ httpd-2.4.39/server/Makefile.in
@@ -12,7 +12,7 @@
connection.c listen.c util_mutex.c \
mpm_common.c mpm_unix.c mpm_fdqueue.c \
util_charset.c util_cookies.c util_debug.c util_xml.c \
- util_filter.c util_pcre.c util_regex.c exports.c \
+ util_filter.c util_pcre.c util_regex.c \
scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c

14
httpd-2.4.2-icons.patch → httpd-2.4.43-icons.patch
View File

@ -1,12 +1,8 @@
diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in
- Fix config for /icons/ dir to allow symlink to poweredby.png. index 51b02ed..0e8b626 100644
- Avoid using coredump GIF for a directory called "core" --- a/docs/conf/extra/httpd-autoindex.conf.in
+++ b/docs/conf/extra/httpd-autoindex.conf.in
Upstream-Status: vendor specific patch @@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable VersionSort
--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons
+++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
Alias /icons/ "@exp_iconsdir@/" Alias /icons/ "@exp_iconsdir@/"
<Directory "@exp_iconsdir@"> <Directory "@exp_iconsdir@">

2113
httpd-2.4.41-r1828172+.patch → httpd-2.4.43-r1828172+.patch
View File

File diff suppressed because it is too large Load Diff

93
httpd-2.4.39-r1842929+.patch → httpd-2.4.43-r1842929+.patch
View File

@ -1,13 +1,20 @@
# ./pullrev.sh 1842929 1842931 1852982 1853631 1857731 diff --git a/Makefile.in b/Makefile.in
http://svn.apache.org/viewvc?view=revision&revision=1842929 index 06b8c5a..9eeb5c7 100644
http://svn.apache.org/viewvc?view=revision&revision=1842931 --- a/Makefile.in
http://svn.apache.org/viewvc?view=revision&revision=1852982 +++ b/Makefile.in
http://svn.apache.org/viewvc?view=revision&revision=1857731 @@ -213,6 +213,7 @@ install-cgi:
http://svn.apache.org/viewvc?view=revision&revision=1853631 install-other:
@test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir)
--- httpd-2.4.39/acinclude.m4.r1842929+ @test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir)
+++ httpd-2.4.39/acinclude.m4 + @test -d $(DESTDIR)$(statedir) || $(MKINSTALLDIRS) $(DESTDIR)$(statedir)
@@ -45,6 +45,7 @@ @for ext in dll x; do \
file=apachecore.$$ext; \
if test -f $$file; then \
diff --git a/acinclude.m4 b/acinclude.m4
index 95232f5..5d9d669 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -45,6 +45,7 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[
APACHE_SUBST(installbuilddir) APACHE_SUBST(installbuilddir)
APACHE_SUBST(runtimedir) APACHE_SUBST(runtimedir)
APACHE_SUBST(proxycachedir) APACHE_SUBST(proxycachedir)
@ -15,7 +22,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
APACHE_SUBST(other_targets) APACHE_SUBST(other_targets)
APACHE_SUBST(progname) APACHE_SUBST(progname)
APACHE_SUBST(prefix) APACHE_SUBST(prefix)
@@ -663,6 +664,7 @@ @@ -688,6 +689,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[
APACHE_SUBST_EXPANDED_ARG(runtimedir) APACHE_SUBST_EXPANDED_ARG(runtimedir)
APACHE_SUBST_EXPANDED_ARG(logfiledir) APACHE_SUBST_EXPANDED_ARG(logfiledir)
APACHE_SUBST_EXPANDED_ARG(proxycachedir) APACHE_SUBST_EXPANDED_ARG(proxycachedir)
@ -23,9 +30,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
]) ])
dnl dnl
--- httpd-2.4.39/configure.in.r1842929+ diff --git a/configure.in b/configure.in
+++ httpd-2.4.39/configure.in index a63eada..c8f9aa2 100644
@@ -41,7 +41,7 @@ --- a/configure.in
+++ b/configure.in
@@ -41,7 +41,7 @@ dnl Something seems broken here.
AC_PREFIX_DEFAULT(/usr/local/apache2) AC_PREFIX_DEFAULT(/usr/local/apache2)
dnl Get the layout here, so we can pass the required variables to apr dnl Get the layout here, so we can pass the required variables to apr
@ -34,8 +43,10 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
dnl reparse the configure arguments. dnl reparse the configure arguments.
APR_PARSE_ARGUMENTS APR_PARSE_ARGUMENTS
--- httpd-2.4.39/include/ap_config_layout.h.in.r1842929+ diff --git a/include/ap_config_layout.h.in b/include/ap_config_layout.h.in
+++ httpd-2.4.39/include/ap_config_layout.h.in index 2b4a70c..e076f41 100644
--- a/include/ap_config_layout.h.in
+++ b/include/ap_config_layout.h.in
@@ -60,5 +60,7 @@ @@ -60,5 +60,7 @@
#define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@"
#define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@"
@ -44,9 +55,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
+#define DEFAULT_REL_STATEDIR "@rel_statedir@" +#define DEFAULT_REL_STATEDIR "@rel_statedir@"
#endif /* AP_CONFIG_LAYOUT_H */ #endif /* AP_CONFIG_LAYOUT_H */
--- httpd-2.4.39/include/http_config.h.r1842929+ diff --git a/include/http_config.h b/include/http_config.h
+++ httpd-2.4.39/include/http_config.h index f9c2d77..c229bc9 100644
@@ -757,6 +757,14 @@ --- a/include/http_config.h
+++ b/include/http_config.h
@@ -757,6 +757,14 @@ AP_DECLARE(char *) ap_server_root_relative(apr_pool_t *p, const char *fname);
*/ */
AP_DECLARE(char *) ap_runtime_dir_relative(apr_pool_t *p, const char *fname); AP_DECLARE(char *) ap_runtime_dir_relative(apr_pool_t *p, const char *fname);
@ -61,19 +74,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
/* Finally, the hook for dynamically loading modules in... */ /* Finally, the hook for dynamically loading modules in... */
/** /**
--- httpd-2.4.39/Makefile.in.r1842929+ diff --git a/modules/dav/fs/mod_dav_fs.c b/modules/dav/fs/mod_dav_fs.c
+++ httpd-2.4.39/Makefile.in index addfd7e..2389f8f 100644
@@ -213,6 +213,7 @@ --- a/modules/dav/fs/mod_dav_fs.c
install-other: +++ b/modules/dav/fs/mod_dav_fs.c
@test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) @@ -29,6 +29,10 @@ typedef struct {
@test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir)
+ @test -d $(DESTDIR)$(statedir) || $(MKINSTALLDIRS) $(DESTDIR)$(statedir)
@for ext in dll x; do \
file=apachecore.$$ext; \
if test -f $$file; then \
--- httpd-2.4.39/modules/dav/fs/mod_dav_fs.c.r1842929+
+++ httpd-2.4.39/modules/dav/fs/mod_dav_fs.c
@@ -29,6 +29,10 @@
extern module AP_MODULE_DECLARE_DATA dav_fs_module; extern module AP_MODULE_DECLARE_DATA dav_fs_module;
@ -84,7 +89,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
const char *dav_get_lockdb_path(const request_rec *r) const char *dav_get_lockdb_path(const request_rec *r)
{ {
dav_fs_server_conf *conf; dav_fs_server_conf *conf;
@@ -57,6 +61,24 @@ @@ -57,6 +61,24 @@ static void *dav_fs_merge_server_config(apr_pool_t *p,
return newconf; return newconf;
} }
@ -109,7 +114,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
/* /*
* Command handler for the DAVLockDB directive, which is TAKE1 * Command handler for the DAVLockDB directive, which is TAKE1
*/ */
@@ -87,6 +109,8 @@ @@ -87,6 +109,8 @@ static const command_rec dav_fs_cmds[] =
static void register_hooks(apr_pool_t *p) static void register_hooks(apr_pool_t *p)
{ {
@ -118,9 +123,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL, dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL,
APR_HOOK_MIDDLE); APR_HOOK_MIDDLE);
dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE);
--- httpd-2.4.39/server/core.c.r1842929+ diff --git a/server/core.c b/server/core.c
+++ httpd-2.4.39/server/core.c index 3db9d61..79b2a82 100644
@@ -129,6 +129,8 @@ --- a/server/core.c
+++ b/server/core.c
@@ -129,6 +129,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP;
AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN; AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN;
AP_DECLARE_DATA int ap_config_generation = 0; AP_DECLARE_DATA int ap_config_generation = 0;
@ -129,7 +136,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
static void *create_core_dir_config(apr_pool_t *a, char *dir) static void *create_core_dir_config(apr_pool_t *a, char *dir)
{ {
core_dir_config *conf; core_dir_config *conf;
@@ -1409,12 +1411,15 @@ @@ -1409,12 +1411,15 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word)
return res_buf; return res_buf;
} }
@ -147,7 +154,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
} }
/* /*
@@ -3113,6 +3118,24 @@ @@ -3120,6 +3125,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg)
return NULL; return NULL;
} }
@ -172,7 +179,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg) static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg)
{ {
const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT); const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
@@ -4407,6 +4430,8 @@ @@ -4414,6 +4437,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ,
"Common directory of server-related files (logs, confs, etc.)"), "Common directory of server-related files (logs, confs, etc.)"),
AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ, AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ,
"Common directory for run-time files (shared memory, locks, etc.)"), "Common directory for run-time files (shared memory, locks, etc.)"),
@ -181,7 +188,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
AP_INIT_TAKE1("ErrorLog", set_server_string_slot, AP_INIT_TAKE1("ErrorLog", set_server_string_slot,
(void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF, (void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF,
"The filename of the error log"), "The filename of the error log"),
@@ -4934,8 +4959,7 @@ @@ -4941,8 +4966,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
if (!saved_server_config_defines) if (!saved_server_config_defines)
init_config_defines(pconf); init_config_defines(pconf);
@ -189,9 +196,9 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
- apr_pool_cleanup_null); - apr_pool_cleanup_null);
+ apr_pool_cleanup_register(pconf, NULL, reset_config, apr_pool_cleanup_null); + apr_pool_cleanup_register(pconf, NULL, reset_config, apr_pool_cleanup_null);
ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY); ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
@@ -5163,6 +5187,27 @@ @@ -5170,6 +5194,27 @@ AP_DECLARE(int) ap_state_query(int query)
} }
} }

14
httpd-2.4.39-r1861269.patch → httpd-2.4.43-r1861269.patch
View File

@ -1,12 +1,8 @@
# ./pullrev.sh r1861269 diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
http://svn.apache.org/viewvc?view=revision&revision=r1861269 index b53f3f8..979489c 100644
--- a/modules/ssl/ssl_engine_config.c
Allows "httpd -L" etc to work before httpd-init.service has run, +++ b/modules/ssl/ssl_engine_config.c
if mod_ssl is installed. @@ -812,8 +812,14 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
--- httpd-2.4.37/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.37/modules/ssl/ssl_engine_config.c
@@ -904,8 +904,14 @@
static const char *ssl_cmd_check_file(cmd_parms *parms, static const char *ssl_cmd_check_file(cmd_parms *parms,
const char **file) const char **file)
{ {

202
httpd-2.4.37-r1861793+.patch → httpd-2.4.43-r1861793+.patch
View File

@ -1,12 +1,8 @@
# ./pullrev.sh 1861793 1862611 1862612 diff --git a/configure.in b/configure.in
http://svn.apache.org/viewvc?view=revision&revision=1861793 index cb43246..0bb6b0d 100644
--- a/configure.in
http://svn.apache.org/viewvc?view=revision&revision=1862611 +++ b/configure.in
http://svn.apache.org/viewvc?view=revision&revision=1862612 @@ -465,6 +465,28 @@ LIBS=""
--- httpd-2.4.37/configure.in
+++ httpd-2.4.37/configure.in
@@ -500,6 +500,28 @@
AC_SEARCH_LIBS(crypt, crypt) AC_SEARCH_LIBS(crypt, crypt)
CRYPT_LIBS="$LIBS" CRYPT_LIBS="$LIBS"
APACHE_SUBST(CRYPT_LIBS) APACHE_SUBST(CRYPT_LIBS)
@ -35,9 +31,89 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
LIBS="$saved_LIBS" LIBS="$saved_LIBS"
dnl See Comment #Spoon dnl See Comment #Spoon
--- httpd-2.4.37/support/htpasswd.c diff --git a/docs/man/htpasswd.1 b/docs/man/htpasswd.1
+++ httpd-2.4.37/support/htpasswd.c index d0ad7e8..2bf8405 100644
@@ -109,17 +109,21 @@ --- a/docs/man/htpasswd.1
+++ b/docs/man/htpasswd.1
@@ -27,16 +27,16 @@ htpasswd \- Manage user files for basic authentication
.SH "SYNOPSIS"
.PP
-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
.SH "SUMMARY"
@@ -48,7 +48,7 @@ htpasswd \- Manage user files for basic authentication
Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
.PP
-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
.PP
This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
@@ -73,17 +73,26 @@ Display the results on standard output rather than updating a file\&. This is us
\fB-m\fR
Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
.TP
+\fB-2\fR
+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
+\fB-5\fR
+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
\fB-B\fR
Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
.TP
\fB-C\fR
This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
.TP
+\fB-r\fR
+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
+.TP
\fB-d\fR
Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
.TP
\fB-s\fR
-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
.TP
\fB-p\fR
Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
@@ -152,10 +161,13 @@ The use of the \fB-b\fR option is discouraged, since when it is used the unencry
When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
.PP
-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+
+.PP
+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
.PP
-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
.SH "RESTRICTIONS"
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 73b291d..7366dcb 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -109,17 +109,21 @@ static void usage(void)
"for it." NL "for it." NL
" -i Read password from stdin without verification (for script usage)." NL " -i Read password from stdin without verification (for script usage)." NL
" -m Force MD5 encryption of the password (default)." NL " -m Force MD5 encryption of the password (default)." NL
@ -62,7 +138,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
"MD5 algorithm." NL, "MD5 algorithm." NL,
BCRYPT_DEFAULT_COST BCRYPT_DEFAULT_COST
); );
@@ -178,7 +182,7 @@ @@ -178,7 +182,7 @@ static void check_args(int argc, const char *const argv[],
if (rv != APR_SUCCESS) if (rv != APR_SUCCESS)
exit(ERR_SYNTAX); exit(ERR_SYNTAX);
@ -71,9 +147,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
switch (opt) { switch (opt) {
case 'c': case 'c':
*mask |= APHTP_NEWFILE; *mask |= APHTP_NEWFILE;
--- httpd-2.4.37/support/passwd_common.c diff --git a/support/passwd_common.c b/support/passwd_common.c
+++ httpd-2.4.37/support/passwd_common.c index 664e509..d45657c 100644
@@ -185,10 +185,15 @@ --- a/support/passwd_common.c
+++ b/support/passwd_common.c
@@ -185,10 +185,15 @@ int mkhash(struct passwd_ctx *ctx)
#if CRYPT_ALGO_SUPPORTED #if CRYPT_ALGO_SUPPORTED
char *cbuf; char *cbuf;
#endif #endif
@ -91,7 +169,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
} }
if (ctx->passwd == NULL) { if (ctx->passwd == NULL) {
@@ -246,6 +251,34 @@ @@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx)
break; break;
#endif /* CRYPT_ALGO_SUPPORTED */ #endif /* CRYPT_ALGO_SUPPORTED */
@ -126,7 +204,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
#if BCRYPT_ALGO_SUPPORTED #if BCRYPT_ALGO_SUPPORTED
case ALG_BCRYPT: case ALG_BCRYPT:
rv = apr_generate_random_bytes((unsigned char*)salt, 16); rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@ @@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
case 's': case 's':
ctx->alg = ALG_APSHA; ctx->alg = ALG_APSHA;
break; break;
@ -146,7 +224,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
case 'p': case 'p':
ctx->alg = ALG_PLAIN; ctx->alg = ALG_PLAIN;
#if !PLAIN_ALGO_SUPPORTED #if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@ @@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt,
return ERR_ALG_NOT_SUPP; return ERR_ALG_NOT_SUPP;
#endif #endif
break; break;
@ -161,8 +239,10 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
return ERR_SYNTAX; return ERR_SYNTAX;
} }
ctx->cost = num; ctx->cost = num;
--- httpd-2.4.37/support/passwd_common.h diff --git a/support/passwd_common.h b/support/passwd_common.h
+++ httpd-2.4.37/support/passwd_common.h index 660081e..f1b3cd7 100644
--- a/support/passwd_common.h
+++ b/support/passwd_common.h
@@ -28,6 +28,8 @@ @@ -28,6 +28,8 @@
#include "apu_version.h" #include "apu_version.h"
#endif #endif
@ -181,7 +261,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
#define BCRYPT_DEFAULT_COST 5 #define BCRYPT_DEFAULT_COST 5
@@ -84,7 +88,7 @@ @@ -84,7 +88,7 @@ struct passwd_ctx {
apr_size_t out_len; apr_size_t out_len;
char *passwd; char *passwd;
int alg; int alg;
@ -190,81 +270,3 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
enum { enum {
PW_PROMPT = 0, PW_PROMPT = 0,
PW_ARG, PW_ARG,
--- httpd-2.4.37/docs/man/htpasswd.1
+++ httpd-2.4.37/docs/man/htpasswd.1
@@ -27,16 +27,16 @@
.SH "SYNOPSIS"
.PP
-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
.SH "SUMMARY"
@@ -48,7 +48,7 @@
Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
.PP
-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
.PP
This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
@@ -73,6 +73,12 @@
\fB-m\fR
Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
.TP
+\fB-2\fR
+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
+\fB-5\fR
+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
\fB-B\fR
Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
.TP
@@ -79,11 +85,14 @@
\fB-C\fR
This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
.TP
+\fB-r\fR
+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
+.TP
\fB-d\fR
Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
.TP
\fB-s\fR
-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
.TP
\fB-p\fR
Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
@@ -152,11 +161,14 @@
When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
.PP
-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
.PP
-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
+.PP
+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
+
.SH "RESTRICTIONS"
.PP

16
httpd-2.4.41-r1870095+.patch → httpd-2.4.43-r1870095+.patch
View File

@ -1,10 +1,8 @@
# ./pullrev.sh 1870095 1870097 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
http://svn.apache.org/viewvc?view=revision&revision=1870095 index cbab6a3..765aa4b 100644
http://svn.apache.org/viewvc?view=revision&revision=1870097 --- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
--- httpd-2.4.41/modules/ssl/ssl_engine_kernel.c @@ -114,6 +114,45 @@ static int has_buffered_data(request_rec *r)
+++ httpd-2.4.41/modules/ssl/ssl_engine_kernel.c
@@ -114,6 +114,45 @@
return result; return result;
} }
@ -50,7 +48,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1870097
#ifdef HAVE_TLSEXT #ifdef HAVE_TLSEXT
static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
{ {
@@ -814,41 +853,14 @@ @@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
} }
} }
@ -97,7 +95,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1870097
} }
} }
@@ -1132,6 +1144,17 @@ @@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
} }
} }

23
httpd-2.4.25-selinux.patch → httpd-2.4.43-selinux.patch
View File

@ -1,11 +1,8 @@
diff --git a/configure.in b/configure.in
Log the SELinux context at startup. index c8f9aa2..cb43246 100644
--- a/configure.in
Upstream-Status: unlikely to be any interest in this upstream +++ b/configure.in
@@ -484,6 +484,11 @@ getloadavg
--- httpd-2.4.1/configure.in.selinux
+++ httpd-2.4.1/configure.in
@@ -458,6 +458,11 @@ fopen64
dnl confirm that a void pointer is large enough to store a long integer dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN APACHE_CHECK_VOID_PTR_LEN
@ -17,9 +14,11 @@ Upstream-Status: unlikely to be any interest in this upstream
AC_CACHE_CHECK([for gettid()], ac_cv_gettid, AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE [AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h> #include <unistd.h>
--- httpd-2.4.1/server/core.c.selinux diff --git a/server/core.c b/server/core.c
+++ httpd-2.4.1/server/core.c index dc0f17a..7ed9527 100644
@@ -58,6 +58,10 @@ --- a/server/core.c
+++ b/server/core.c
@@ -59,6 +59,10 @@
#include <unistd.h> #include <unistd.h>
#endif #endif
@ -30,7 +29,7 @@ Upstream-Status: unlikely to be any interest in this upstream
/* LimitRequestBody handling */ /* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * @@ -5015,6 +5019,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
} }
#endif #endif

2
httpd-2.4.17-socket-activation.patch → httpd-2.4.43-socket-activation.patch
View File

@ -1,5 +1,5 @@
diff --git a/server/listen.c b/server/listen.c diff --git a/server/listen.c b/server/listen.c
index a8e9e6f..1a6c1d3 100644 index 5242c2a..e2e028a 100644
--- a/server/listen.c --- a/server/listen.c
+++ b/server/listen.c +++ b/server/listen.c
@@ -34,6 +34,10 @@ @@ -34,6 +34,10 @@

15
httpd-2.4.34-sslciphdefault.patch → httpd-2.4.43-sslciphdefault.patch
View File

@ -1,11 +1,8 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
https://bugzilla.redhat.com/show_bug.cgi?id=1109119 index 97778a8..27e7a53 100644
--- a/modules/ssl/ssl_engine_config.c
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite. +++ b/modules/ssl/ssl_engine_config.c
@@ -778,9 +778,11 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -774,9 +774,11 @@
} }
if (!strcmp("SSL", arg1)) { if (!strcmp("SSL", arg1)) {
@ -19,7 +16,7 @@ Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
dc->szCipherSuite = arg2; dc->szCipherSuite = arg2;
} }
else { else {
@@ -1540,8 +1542,10 @@ @@ -1544,8 +1546,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
} }
if (!strcmp("SSL", arg1)) { if (!strcmp("SSL", arg1)) {

56
httpd-2.4.33-sslmultiproxy.patch → httpd-2.4.43-sslmultiproxy.patch
View File

@ -1,39 +1,30 @@
From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit@cow.greyoak.com>
Date: Thu, 12 Apr 2018 14:36:28 -0400
Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch
---
modules/ssl/mod_ssl.c | 24 ++++++++++++++++++++++--
modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++-
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 48d64cb..42e85a3 100644 index 12617b2..0fe7464 100644
diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/ssl/mod_ssl.c --- a/modules/ssl/mod_ssl.c
--- httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy +++ b/modules/ssl/mod_ssl.c
+++ httpd-2.4.33/modules/ssl/mod_ssl.c @@ -459,6 +459,10 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
@@ -444,12 +444,19 @@
return OK; return OK;
} }
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set; +static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set;
+
+ +
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
ap_conf_vector_t *per_dir_config) ap_conf_vector_t *per_dir_config,
{ int new_proxy)
@@ -466,6 +470,10 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
SSLConnRec *sslconn = myConnConfig(c); SSLConnRec *sslconn = myConnConfig(c);
SSLSrvConfigRec *sc; int need_setup = 0;
+ if (othermod_engine_disable) { + if (othermod_engine_disable) {
+ othermod_engine_disable(c); + othermod_engine_disable(c);
+ } + }
+ +
if (sslconn) { /* mod_proxy's (r->)per_dir_config has the lifetime of the request, thus
return sslconn; * it uses ssl_engine_set() to reset sslconn->dc when reusing SSL backend
} * connections, so we must fall through here. But in the case where we are
@@ -508,6 +515,10 @@ @@ -544,6 +552,10 @@ static int ssl_engine_set(conn_rec *c,
{ {
SSLConnRec *sslconn; SSLConnRec *sslconn;
int status; int status;
@ -43,8 +34,8 @@ diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/
+ } + }
if (proxy) { if (proxy) {
sslconn = ssl_init_connection_ctx(c, per_dir_config); sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
@@ -537,12 +548,18 @@ @@ -572,12 +584,18 @@ static int ssl_engine_set(conn_rec *c,
static int ssl_proxy_enable(conn_rec *c) static int ssl_proxy_enable(conn_rec *c)
{ {
@ -65,7 +56,7 @@ diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/
} }
int ssl_init_ssl_connection(conn_rec *c, request_rec *r) int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
@@ -730,6 +747,9 @@ @@ -753,6 +771,9 @@ static void ssl_register_hooks(apr_pool_t *p)
APR_HOOK_MIDDLE); APR_HOOK_MIDDLE);
ssl_var_register(p); ssl_var_register(p);
@ -75,10 +66,11 @@ diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/modules/ssl/ssl_engine_vars.c diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
--- httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy index 5724f18..81c56ba 100644
+++ httpd-2.4.33/modules/ssl/ssl_engine_vars.c --- a/modules/ssl/ssl_engine_vars.c
@@ -54,6 +54,8 @@ +++ b/modules/ssl/ssl_engine_vars.c
@@ -54,6 +54,8 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
@ -87,7 +79,7 @@ diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/
static SSLConnRec *ssl_get_effective_config(conn_rec *c) static SSLConnRec *ssl_get_effective_config(conn_rec *c)
{ {
@@ -68,7 +70,9 @@ @@ -68,7 +70,9 @@ static SSLConnRec *ssl_get_effective_config(conn_rec *c)
static int ssl_is_https(conn_rec *c) static int ssl_is_https(conn_rec *c)
{ {
SSLConnRec *sslconn = ssl_get_effective_config(c); SSLConnRec *sslconn = ssl_get_effective_config(c);
@ -98,7 +90,7 @@ diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/
} }
static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION; static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
@@ -137,6 +141,9 @@ @@ -137,6 +141,9 @@ void ssl_var_register(apr_pool_t *p)
{ {
char *cp, *cp2; char *cp, *cp2;
@ -108,7 +100,7 @@ diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/
APR_REGISTER_OPTIONAL_FN(ssl_is_https); APR_REGISTER_OPTIONAL_FN(ssl_is_https);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
APR_REGISTER_OPTIONAL_FN(ssl_ext_list); APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
@@ -271,6 +278,15 @@ @@ -271,6 +278,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
*/ */
if (result == NULL && c != NULL) { if (result == NULL && c != NULL) {
SSLConnRec *sslconn = ssl_get_effective_config(c); SSLConnRec *sslconn = ssl_get_effective_config(c);

21
httpd-2.4.37-sslprotdefault.patch → httpd-2.4.43-sslprotdefault.patch
View File

@ -1,5 +1,5 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 55c237e..5467d23 100644 index 27e7a53..b53f3f8 100644
--- a/modules/ssl/ssl_engine_config.c --- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) @@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
@ -11,19 +11,20 @@ index 55c237e..5467d23 100644
mctx->protocol_set = 0; mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, @@ -263,6 +263,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
{
if (add->protocol_set) { if (add->protocol_set) {
mrg->protocol_set = 1;
mrg->protocol = add->protocol; mrg->protocol = add->protocol;
+ mrg->protocol_set = 1; + mrg->protocol_set = 1;
} }
else { else {
mrg->protocol = base->protocol; mrg->protocol_set = base->protocol_set;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index e3f62fe..31fc0e6 100644 index bfad47a..b0fcf81 100644
--- a/modules/ssl/ssl_engine_init.c --- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c
@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -577,6 +577,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL; MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
char *cp; char *cp;
int protocol = mctx->protocol; int protocol = mctx->protocol;
@ -31,7 +32,7 @@ index e3f62fe..31fc0e6 100644
SSLSrvConfigRec *sc = mySrvConfig(s); SSLSrvConfigRec *sc = mySrvConfig(s);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
int prot; int prot;
@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -586,12 +587,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
* Create the new per-server SSL context * Create the new per-server SSL context
*/ */
if (protocol == SSL_PROTOCOL_NONE) { if (protocol == SSL_PROTOCOL_NONE) {
@ -55,7 +56,7 @@ index e3f62fe..31fc0e6 100644
#ifndef OPENSSL_NO_SSL3 #ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif #endif
@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -604,7 +611,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
#endif #endif
#endif #endif
NULL); NULL);
@ -65,7 +66,7 @@ index e3f62fe..31fc0e6 100644
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp); "Creating new SSL context (protocols: %s)", cp);
@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -705,13 +713,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
prot = SSL3_VERSION; prot = SSL3_VERSION;
#endif #endif
} else { } else {
@ -87,7 +88,7 @@ index e3f62fe..31fc0e6 100644
/* Next we scan for the minimal protocol version we should provide, /* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */ * but we do not allow holes between max and min */
@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -731,7 +741,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
prot = SSL3_VERSION; prot = SSL3_VERSION;
} }
#endif #endif

52
httpd.spec
View File

@ -12,8 +12,8 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.41 Version: 2.4.43
Release: 13%{?dist} Release: 1%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -62,33 +62,29 @@ Source46: apachectl.sh
Source47: apachectl.xml Source47: apachectl.xml
# build/scripts patches # build/scripts patches
Patch2: httpd-2.4.9-apxs.patch Patch2: httpd-2.4.43-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch Patch3: httpd-2.4.43-deplibs.patch
# Needed for socket activation and mod_systemd patch # Needed for socket activation and mod_systemd patch
Patch19: httpd-2.4.25-detect-systemd.patch Patch19: httpd-2.4.43-detect-systemd.patch
# Features/functional changes # Features/functional changes
Patch21: httpd-2.4.39-r1842929+.patch Patch21: httpd-2.4.43-r1842929+.patch
Patch23: httpd-2.4.39-export.patch Patch23: httpd-2.4.43-export.patch
Patch24: httpd-2.4.1-corelimit.patch Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.25-selinux.patch Patch25: httpd-2.4.43-selinux.patch
Patch27: httpd-2.4.2-icons.patch Patch27: httpd-2.4.43-icons.patch
Patch29: httpd-2.4.41-systemd.patch Patch30: httpd-2.4.43-cachehardmax.patch
Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.43-sslmultiproxy.patch
Patch31: httpd-2.4.33-sslmultiproxy.patch Patch34: httpd-2.4.43-socket-activation.patch
Patch34: httpd-2.4.17-socket-activation.patch Patch38: httpd-2.4.43-sslciphdefault.patch
Patch36: httpd-2.4.38-r1830819+.patch Patch39: httpd-2.4.43-sslprotdefault.patch
Patch38: httpd-2.4.34-sslciphdefault.patch Patch40: httpd-2.4.43-r1861269.patch
Patch39: httpd-2.4.37-sslprotdefault.patch Patch41: httpd-2.4.43-r1861793+.patch
Patch40: httpd-2.4.39-r1861269.patch Patch42: httpd-2.4.43-r1828172+.patch
Patch41: httpd-2.4.37-r1861793+.patch
Patch42: httpd-2.4.41-r1828172+.patch
# Bug fixes # Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch58: httpd-2.4.34-r1738878.patch Patch60: httpd-2.4.43-enable-sslv3.patch
Patch60: httpd-2.4.34-enable-sslv3.patch Patch62: httpd-2.4.43-r1870095+.patch
Patch61: httpd-2.4.41-r1865749.patch
Patch62: httpd-2.4.41-r1870095+.patch
# Security fixes # Security fixes
@ -215,20 +211,16 @@ interface for storing and accessing per-user session data.
%patch24 -p1 -b .corelimit %patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux %patch25 -p1 -b .selinux
%patch27 -p1 -b .icons %patch27 -p1 -b .icons
%patch29 -p1 -b .systemd
%patch30 -p1 -b .cachehardmax %patch30 -p1 -b .cachehardmax
#patch31 -p1 -b .sslmultiproxy #patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation %patch34 -p1 -b .socketactivation
%patch36 -p1 -b .r1830819+
%patch38 -p1 -b .sslciphdefault %patch38 -p1 -b .sslciphdefault
%patch39 -p1 -b .sslprotdefault %patch39 -p1 -b .sslprotdefault
%patch40 -p1 -b .r1861269 %patch40 -p1 -b .r1861269
%patch41 -p1 -b .r1861793+ %patch41 -p1 -b .r1861793+
%patch42 -p1 -b .r1828172+ %patch42 -p1 -b .r1828172+
%patch58 -p1 -b .r1738878
%patch60 -p1 -b .enable-sslv3 %patch60 -p1 -b .enable-sslv3
%patch61 -p1 -b .r1865749
%patch62 -p1 -b .r1870095 %patch62 -p1 -b .r1870095
# Patch in the vendor string # Patch in the vendor string
@ -329,6 +321,7 @@ export LYNX_PATH=/usr/bin/links
--enable-cgid --enable-cgi \ --enable-cgid --enable-cgi \
--enable-cgid-fdpassing \ --enable-cgid-fdpassing \
--enable-authn-anon --enable-authn-alias \ --enable-authn-anon --enable-authn-alias \
--enable-systemd \
--disable-imagemap --disable-file-cache \ --disable-imagemap --disable-file-cache \
--disable-http2 \ --disable-http2 \
--disable-md \ --disable-md \
@ -753,6 +746,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Tue Mar 31 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.43-1
- new version 2.4.43 (#1819023)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.41-13 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.41-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

5
sources
View File

@ -1,2 +1,3 @@
SHA512 (httpd-2.4.41.tar.bz2) = 350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335 SHA512 (httpd-2.4.43.tar.bz2) = 16cfeecc8f6fab6eca478065a384bdf1872f7ac42206b0bc2bcac6c0d9c576f392c07107201f39e0601dec1bbafcb33d66153544de4d87d79b9a52094d334b64
SHA512 (httpd-2.4.41.tar.bz2.asc) = 3c9173dcaf4e170d87f7cca99e6878424b01d009869742b9077421dbae60acbd102d696e03fccd927f9d688e30f07f9d2d78473ce0bbfbb4a3090ae365121c44 SHA512 (httpd-2.4.43.tar.bz2.asc) = 7a1a12d6f58d8235dcf8b23bae3960e99dc99764928752f870f32e654aa5e3cf78a38fb14f3cb84c5a8ab9b05095beec4739a50c6efcf22e3ecbdf0255ac783d
SHA512 (KEYS) = b776ca20863f8d9e4f66e8b56cbe020de34af5b268e93776d482392171f0e0aeee4f8d74477d128dc9fd24b30bbe33b39439964f1bd22a99782f1e4a08c85056