rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 2.4.59

Browse Source 
Resolves: RHEL-33446
Resolves: RHEL-31930
Resolves: RHEL-31917
This commit is contained in:
Joe Orton 2024-04-05 09:22:35 +01:00
parent 17b0b4e042
commit dbbe9d570e
11 changed files with 168 additions and 1444 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -49,3 +49,4 @@ x86_64
/httpd-2.4.56.tar.bz2.asc
/httpd-2.4.57.tar.bz2.asc
/httpd-2.4.58.tar.bz2.asc
/httpd-2.4.59.tar.bz2.asc

272
httpd-2.4.43-r1861793+.patch
View File

@ -1,272 +0,0 @@
Upstream-Status: proposed for 2.4.59
--- httpd-2.4.43/configure.in.r1861793+
+++ httpd-2.4.43/configure.in
@@ -465,6 +465,28 @@
AC_SEARCH_LIBS(crypt, crypt)
CRYPT_LIBS="$LIBS"
APACHE_SUBST(CRYPT_LIBS)
+
+if test "$ac_cv_search_crypt" != "no"; then
+ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt
+ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+#include <crypt.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define PASSWD_0 "Hello world!"
+#define SALT_0 "\$6\$saltstring"
+#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \
+ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
+]], [char *result = crypt(PASSWD_0, SALT_0);
+ if (!result) return 1;
+ if (strcmp(result, EXPECT_0)) return 2;
+])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])])
+ if test "$ap_cv_crypt_sha2" = yes; then
+ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes])
+ fi
+fi
+
LIBS="$saved_LIBS"
dnl See Comment #Spoon
--- httpd-2.4.43/docs/man/htpasswd.1.r1861793+
+++ httpd-2.4.43/docs/man/htpasswd.1
@@ -27,16 +27,16 @@
.SH "SYNOPSIS"
.PP
-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
.SH "SUMMARY"
@@ -48,7 +48,7 @@
Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
.PP
-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
.PP
This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
@@ -73,17 +73,26 @@
\fB-m\fR
Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
.TP
+\fB-2\fR
+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
+\fB-5\fR
+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
\fB-B\fR
Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
.TP
\fB-C\fR
This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
.TP
+\fB-r\fR
+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
+.TP
\fB-d\fR
Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
.TP
\fB-s\fR
-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
.TP
\fB-p\fR
Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
@@ -152,10 +161,13 @@
When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
.PP
-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+
+.PP
+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
.PP
-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
.SH "RESTRICTIONS"
--- httpd-2.4.43/support/htpasswd.c.r1861793+
+++ httpd-2.4.43/support/htpasswd.c
@@ -109,17 +109,21 @@
"for it." NL
" -i Read password from stdin without verification (for script usage)." NL
" -m Force MD5 encryption of the password (default)." NL
- " -B Force bcrypt encryption of the password (very secure)." NL
+ " -2 Force SHA-256 crypt() hash of the password (very secure)." NL
+ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL
+ " -B Force bcrypt encryption of the password (very secure)." NL
" -C Set the computing time used for the bcrypt algorithm" NL
" (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
+ " (higher is more secure but slower, default: 5000)." NL
" -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
- " -s Force SHA encryption of the password (insecure)." NL
+ " -s Force SHA-1 encryption of the password (insecure)." NL
" -p Do not encrypt the password (plaintext, insecure)." NL
" -D Delete the specified user." NL
" -v Verify password for the specified user." NL
"On other systems than Windows and NetWare the '-p' flag will "
"probably not work." NL
- "The SHA algorithm does not use a salt and is less secure than the "
+ "The SHA-1 algorithm does not use a salt and is less secure than the "
"MD5 algorithm." NL,
BCRYPT_DEFAULT_COST
);
@@ -178,7 +182,7 @@
if (rv != APR_SUCCESS)
exit(ERR_SYNTAX);
- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
switch (opt) {
case 'c':
*mask |= APHTP_NEWFILE;
--- httpd-2.4.43/support/passwd_common.c.r1861793+
+++ httpd-2.4.43/support/passwd_common.c
@@ -179,16 +179,21 @@
int mkhash(struct passwd_ctx *ctx)
{
char *pw;
- char salt[16];
+ char salt[17];
apr_status_t rv;
int ret = 0;
#if CRYPT_ALGO_SUPPORTED
char *cbuf;
#endif
+#ifdef HAVE_CRYPT_SHA2
+ const char *setting;
+ char method;
+#endif
- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
apr_file_printf(errfile,
- "Warning: Ignoring -C argument for this algorithm." NL);
+ "Warning: Ignoring -C/-r argument for this algorithm." NL);
}
if (ctx->passwd == NULL) {
@@ -246,6 +251,34 @@
break;
#endif /* CRYPT_ALGO_SUPPORTED */
+#ifdef HAVE_CRYPT_SHA2
+ case ALG_CRYPT_SHA256:
+ case ALG_CRYPT_SHA512:
+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+ if (ret != 0)
+ break;
+
+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+ if (ctx->cost)
+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+ method, ctx->cost, salt);
+ else
+ setting = apr_psprintf(ctx->pool, "$%c$%s",
+ method, salt);
+
+ cbuf = crypt(pw, setting);
+ if (cbuf == NULL) {
+ rv = APR_FROM_OS_ERROR(errno);
+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+ ret = ERR_PWMISMATCH;
+ break;
+ }
+
+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+ break;
+#endif /* HAVE_CRYPT_SHA2 */
+
#if BCRYPT_ALGO_SUPPORTED
case ALG_BCRYPT:
rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@
case 's':
ctx->alg = ALG_APSHA;
break;
+#ifdef HAVE_CRYPT_SHA2
+ case '2':
+ ctx->alg = ALG_CRYPT_SHA256;
+ break;
+ case '5':
+ ctx->alg = ALG_CRYPT_SHA512;
+ break;
+#else
+ case '2':
+ case '5':
+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+ return ERR_ALG_NOT_SUPP;
+#endif
case 'p':
ctx->alg = ALG_PLAIN;
#if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@
return ERR_ALG_NOT_SUPP;
#endif
break;
- case 'C': {
+ case 'C':
+ case 'r': {
char *endptr;
long num = strtol(opt_arg, &endptr, 10);
if (*endptr != '\0' || num <= 0) {
- ctx->errstr = "argument to -C must be a positive integer";
+ ctx->errstr = "argument to -C/-r must be a positive integer";
return ERR_SYNTAX;
}
ctx->cost = num;
--- httpd-2.4.43/support/passwd_common.h.r1861793+
+++ httpd-2.4.43/support/passwd_common.h
@@ -28,6 +28,8 @@
#include "apu_version.h"
#endif
+#include "ap_config_auto.h"
+
#define MAX_STRING_LEN 256
#define ALG_PLAIN 0
@@ -35,6 +37,8 @@
#define ALG_APMD5 2
#define ALG_APSHA 3
#define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
#define BCRYPT_DEFAULT_COST 5
@@ -84,7 +88,7 @@
apr_size_t out_len;
char *passwd;
int alg;
- int cost;
+ int cost; /* cost for bcrypt, rounds for SHA-2 */
enum {
PW_PROMPT = 0,
PW_ARG,

16
httpd-2.4.46-htcacheclean-dont-break.patch
View File

@ -1,16 +0,0 @@
Upstream-Status: r1915508, proposed for 2.4.59
diff --git a/support/htcacheclean.c b/support/htcacheclean.c
index 958ba6d..0a7fe3c 100644
--- a/support/htcacheclean.c
+++ b/support/htcacheclean.c
@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round)
}
}
}
-
- break;
}
}
}

38
httpd-2.4.51-r1894152.patch
View File

@ -1,38 +0,0 @@
# ./pullrev.sh 1894152
http://svn.apache.org/viewvc?view=revision&revision=1894152
Upstream-Status: merged for 2.4.59
--- httpd-2.4.51/modules/filters/mod_deflate.c.r1894152
+++ httpd-2.4.51/modules/filters/mod_deflate.c
@@ -835,6 +835,7 @@
while (!APR_BRIGADE_EMPTY(bb))
{
apr_bucket *b;
+ apr_status_t rv;
/*
* Optimization: If we are a HEAD request and bytes_sent is not zero
@@ -914,8 +915,6 @@
}
if (APR_BUCKET_IS_FLUSH(e)) {
- apr_status_t rv;
-
/* flush the remaining data from the zlib buffers */
zRC = flush_libz_buffer(ctx, c, f->c->bucket_alloc, deflate,
Z_SYNC_FLUSH, NO_UPDATE_CRC);
@@ -947,7 +946,12 @@
}
/* read */
- apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10298)
+ "failed reading from %s bucket", e->type->name);
+ return rv;
+ }
if (!len) {
apr_bucket_delete(e);
continue;

94
httpd-2.4.54-gettid.patch
View File

@ -1,94 +0,0 @@
Upstream-Status: everything but last hunk merged for 2.4.59
From d4e5b6e1e5585d341d1e51f1ddc637c099111076 Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Tue, 7 Jul 2020 09:48:01 +0100
Subject: [PATCH] Check and use gettid() directly with glibc 2.30+.
* configure.in: Check for gettid() and define HAVE_SYS_GETTID if
gettid() is only usable via syscall().
* server/log.c (log_tid): Use gettid() directly if available.
---
configure.in | 14 +++++++++-----
server/log.c | 8 ++++++--
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index 423d58d4b9a..60cbf7b7f81 100644
--- httpd-2.4.54/configure.in.gettid
+++ httpd-2.4.54/configure.in
@@ -502,22 +502,26 @@
timegm \
getpgid \
fopen64 \
-getloadavg
+getloadavg \
+gettid
)
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
-AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+if test $ac_cv_func_gettid = no; then
+ # On Linux before glibc 2.30, gettid() is only usable via syscall()
+ AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
int main(int argc, char **argv) {
pid_t t = syscall(SYS_gettid); return t == -1 ? 1 : 0; },
-[ac_cv_gettid=yes], [ac_cv_gettid=no], [ac_cv_gettid=no])])
-if test "$ac_cv_gettid" = "yes"; then
- AC_DEFINE(HAVE_GETTID, 1, [Define if you have gettid()])
+ [ap_cv_gettid=yes], [ap_cv_gettid=no], [ap_cv_gettid=no])])
+ if test "$ap_cv_gettid" = "yes"; then
+ AC_DEFINE(HAVE_SYS_GETTID, 1, [Define if you have gettid() via syscall()])
+ fi
fi
dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
--- httpd-2.4.54/server/log.c.gettid
+++ httpd-2.4.54/server/log.c
@@ -55,7 +55,7 @@
#include "ap_mpm.h"
#include "ap_listen.h"
-#if HAVE_GETTID
+#if HAVE_SYS_GETTID
#include <sys/syscall.h>
#include <sys/types.h>
#endif
@@ -627,14 +627,18 @@
#if APR_HAS_THREADS
int result;
#endif
-#if HAVE_GETTID
+#if defined(HAVE_GETTID) || defined(HAVE_SYS_GETTID)
if (arg && *arg == 'g') {
+#ifdef HAVE_GETTID
+ pid_t tid = gettid();
+#else
pid_t tid = syscall(SYS_gettid);
+#endif
if (tid == -1)
return 0;
return apr_snprintf(buf, buflen, "%"APR_PID_T_FMT, tid);
}
-#endif
+#endif /* HAVE_GETTID || HAVE_SYS_GETTID */
#if APR_HAS_THREADS
if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS
&& result != AP_MPMQ_NOT_SUPPORTED)
@@ -968,7 +972,7 @@
#if APR_HAS_THREADS
field_start = len;
len += cpystrn(buf + len, ":tid ", buflen - len);
- item_len = log_tid(info, NULL, buf + len, buflen - len);
+ item_len = log_tid(info, "g", buf + len, buflen - len);
if (!item_len)
len = field_start;
else

849
httpd-2.4.58-r1913912+.patch
View File

@ -1,849 +0,0 @@
# ./pullrev.sh 1913912 1915067
http://svn.apache.org/viewvc?view=revision&revision=1913912
http://svn.apache.org/viewvc?view=revision&revision=1915067
Upstream-Status: merged for 2.4.59
--- httpd-2.4.58/modules/ssl/mod_ssl.c.r1913912
+++ httpd-2.4.58/modules/ssl/mod_ssl.c
@@ -25,8 +25,7 @@
*/
#include "ssl_private.h"
-#include "mod_ssl.h"
-#include "mod_ssl_openssl.h"
+
#include "util_md5.h"
#include "util_mutex.h"
#include "ap_provider.h"
@@ -75,11 +74,9 @@
SSL_CMD_SRV(SessionCache, TAKE1,
"SSL Session Cache storage "
"('none', 'nonenotnull', 'dbm:/path/to/file')")
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
SSL_CMD_SRV(CryptoDevice, TAKE1,
"SSL external Crypto Device usage "
"('builtin', '...')")
-#endif
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"('startup|connect builtin|file:/path|exec:/path [bytes]')")
--- httpd-2.4.58/modules/ssl/mod_ssl_openssl.h.r1913912
+++ httpd-2.4.58/modules/ssl/mod_ssl_openssl.h
@@ -30,14 +30,17 @@
/* OpenSSL headers */
-#ifndef SSL_PRIVATE_H
#include <openssl/opensslv.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/macros.h> /* for OPENSSL_API_LEVEL */
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
/* must be defined before including ssl.h */
#define OPENSSL_NO_SSL_INTERN
#endif
#include <openssl/ssl.h>
-#endif
+#include <openssl/evp.h>
+#include <openssl/x509.h>
/**
* init_server hook -- allow SSL_CTX-specific initialization to be performed by
--- httpd-2.4.58/modules/ssl/ssl_engine_config.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_engine_config.c
@@ -27,6 +27,7 @@
damned if you don't.''
-- Unknown */
#include "ssl_private.h"
+
#include "util_mutex.h"
#include "ap_provider.h"
@@ -593,14 +594,15 @@
return NULL;
}
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
+#if MODSSL_HAVE_ENGINE_API
ENGINE *e;
+#endif
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
@@ -609,13 +611,16 @@
if (strcEQ(arg, "builtin")) {
mc->szCryptoDevice = NULL;
}
+#if MODSSL_HAVE_ENGINE_API
else if ((e = ENGINE_by_id(arg))) {
mc->szCryptoDevice = arg;
ENGINE_free(e);
}
+#endif
else {
err = "SSLCryptoDevice: Invalid argument; must be one of: "
"'builtin' (none)";
+#if MODSSL_HAVE_ENGINE_API
e = ENGINE_get_first();
while (e) {
err = apr_pstrcat(cmd->pool, err, ", '", ENGINE_get_id(e),
@@ -624,12 +629,12 @@
* on the 'old' e, per the docs in engine.h. */
e = ENGINE_get_next(e);
}
+#endif
return err;
}
return NULL;
}
-#endif
const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
void *dcfg,
--- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c
@@ -27,8 +27,7 @@
see Recursive.''
-- Unknown */
#include "ssl_private.h"
-#include "mod_ssl.h"
-#include "mod_ssl_openssl.h"
+
#include "mpm_common.h"
#include "mod_md.h"
@@ -218,6 +217,16 @@
}
#endif
+static APR_INLINE unsigned long modssl_runtime_lib_version(void)
+{
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ return SSLeay();
+#else
+ return OpenSSL_version_num();
+#endif
+}
+
+
/*
* Per-module initialization
*/
@@ -225,18 +234,22 @@
apr_pool_t *ptemp,
server_rec *base_server)
{
+ unsigned long runtime_lib_version = modssl_runtime_lib_version();
SSLModConfigRec *mc = myModConfig(base_server);
SSLSrvConfigRec *sc;
server_rec *s;
apr_status_t rv;
apr_array_header_t *pphrases;
- if (SSLeay() < MODSSL_LIBRARY_VERSION) {
+ AP_DEBUG_ASSERT(mc);
+
+ if (runtime_lib_version < MODSSL_LIBRARY_VERSION) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
"Init: this version of mod_ssl was compiled against "
- "a newer library (%s, version currently loaded is %s)"
+ "a newer library (%s (%s), version currently loaded is 0x%lX)"
" - may result in undefined or erroneous behavior",
- MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
+ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT,
+ runtime_lib_version);
}
/* We initialize mc->pid per-process in the child init,
@@ -313,11 +326,9 @@
/*
* SSL external crypto device ("engine") support
*/
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
if ((rv = ssl_init_Engine(base_server, p)) != APR_SUCCESS) {
return rv;
}
-#endif
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, APLOGNO(01883)
"Init: Initialized %s library", MODSSL_LIBRARY_NAME);
@@ -473,9 +484,9 @@
* Support for external a Crypto Device ("engine"), usually
* a hardware accelerator card for crypto operations.
*/
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p)
{
+#if MODSSL_HAVE_ENGINE_API
SSLModConfigRec *mc = myModConfig(s);
ENGINE *e;
@@ -507,10 +518,9 @@
ENGINE_free(e);
}
-
+#endif
return APR_SUCCESS;
}
-#endif
#ifdef HAVE_TLSEXT
static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
@@ -1320,15 +1330,6 @@
return 0;
}
-static APR_INLINE int modssl_DH_bits(DH *dh)
-{
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- return DH_bits(dh);
-#else
- return BN_num_bits(DH_get0_p(dh));
-#endif
-}
-
/* SSL_CTX_use_PrivateKey_file() can fail either because the private
* key was encrypted, or due to a mismatch between an already-loaded
* cert and the key - a common misconfiguration - from calling
@@ -1354,15 +1355,10 @@
SSLModConfigRec *mc = myModConfig(s);
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i;
- X509 *cert;
- DH *dh;
+ EVP_PKEY *pkey;
#ifdef HAVE_ECC
- EC_GROUP *ecparams = NULL;
- int nid;
- EC_KEY *eckey = NULL;
-#endif
-#ifndef HAVE_SSL_CONF_CMD
- SSL *ssl;
+ EC_GROUP *ecgroup = NULL;
+ int curve_nid = 0;
#endif
/* no OpenSSL default prompts for any of the SSL_CTX_use_* calls, please */
@@ -1373,7 +1369,7 @@
(certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i,
const char *));
i++) {
- EVP_PKEY *pkey;
+ X509 *cert = NULL;
const char *engine_certfile = NULL;
key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
@@ -1416,8 +1412,6 @@
if (modssl_is_engine_id(keyfile)) {
apr_status_t rv;
- cert = NULL;
-
if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
engine_certfile, keyfile,
&cert, &pkey))) {
@@ -1488,22 +1482,21 @@
* assume that if SSL_CONF is available, it's OpenSSL 1.0.2 or later,
* and SSL_CTX_get0_certificate is implemented.)
*/
- if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) {
+ cert = SSL_CTX_get0_certificate(mctx->ssl_ctx);
#else
- ssl = SSL_new(mctx->ssl_ctx);
+ {
+ SSL *ssl = SSL_new(mctx->ssl_ctx);
if (ssl) {
/* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
SSL_set_connect_state(ssl);
cert = SSL_get_certificate(ssl);
+ SSL_free(ssl);
+ }
}
- if (!ssl || !cert) {
#endif
+ if (!cert) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
"Unable to retrieve certificate %s", key_id);
-#ifndef HAVE_SSL_CONF_CMD
- if (ssl)
- SSL_free(ssl);
-#endif
return APR_EGENERAL;
}
@@ -1525,10 +1518,6 @@
}
#endif
-#ifndef HAVE_SSL_CONF_CMD
- SSL_free(ssl);
-#endif
-
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02568)
"Certificate and private key %s configured from %s and %s",
key_id, certfile, keyfile);
@@ -1538,15 +1527,33 @@
* Try to read DH parameters from the (first) SSLCertificateFile
*/
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
- if (certfile && !modssl_is_engine_id(certfile)
- && (dh = ssl_dh_GetParamFromFile(certfile))) {
- /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
- * for OpenSSL 3.0+. */
+ if (certfile && !modssl_is_engine_id(certfile)) {
+ int done = 0, num_bits = 0;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh = modssl_dh_from_file(certfile);
+ if (dh) {
+ num_bits = DH_bits(dh);
SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+ DH_free(dh);
+ done = 1;
+ }
+#else
+ pkey = modssl_dh_pkey_from_file(certfile);
+ if (pkey) {
+ num_bits = EVP_PKEY_get_bits(pkey);
+ if (!SSL_CTX_set0_tmp_dh_pkey(mctx->ssl_ctx, pkey)) {
+ EVP_PKEY_free(pkey);
+ }
+ else {
+ done = 1;
+ }
+ }
+#endif
+ if (done) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
- modssl_DH_bits(dh), vhost_id, certfile);
- DH_free(dh);
+ num_bits, vhost_id, certfile);
+ }
}
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
else {
@@ -1561,13 +1568,27 @@
* Similarly, try to read the ECDH curve name from SSLCertificateFile...
*/
if (certfile && !modssl_is_engine_id(certfile)
- && (ecparams = ssl_ec_GetParamFromFile(certfile))
- && (nid = EC_GROUP_get_curve_name(ecparams))
- && (eckey = EC_KEY_new_by_curve_name(nid))) {
+ && (ecgroup = modssl_ec_group_from_file(certfile))
+ && (curve_nid = EC_GROUP_get_curve_name(ecgroup))) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ EC_KEY *eckey = EC_KEY_new_by_curve_name(curve_nid);
+ if (eckey) {
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
+ EC_KEY_free(eckey);
+ }
+ else {
+ curve_nid = 0;
+ }
+#else
+ if (!SSL_CTX_set1_curves(mctx->ssl_ctx, &curve_nid, 1)) {
+ curve_nid = 0;
+ }
+#endif
+ if (curve_nid) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
"ECDH curve %s for %s specified in %s",
- OBJ_nid2sn(nid), vhost_id, certfile);
+ OBJ_nid2sn(curve_nid), vhost_id, certfile);
+ }
}
/*
* ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
@@ -1575,18 +1596,20 @@
* ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
*/
#if MODSSL_USE_OPENSSL_PRE_1_1_API
- else {
+ if (!curve_nid) {
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
- eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (eckey) {
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
+ EC_KEY_free(eckey);
+ }
#endif
}
#endif
/* OpenSSL assures us that _free() is NULL-safe */
- EC_KEY_free(eckey);
- EC_GROUP_free(ecparams);
+ EC_GROUP_free(ecgroup);
#endif
return APR_SUCCESS;
--- httpd-2.4.58/modules/ssl/ssl_engine_io.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_engine_io.c
@@ -28,8 +28,7 @@
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
-#include "mod_ssl.h"
-#include "mod_ssl_openssl.h"
+
#include "apr_date.h"
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake,
@@ -2283,14 +2282,7 @@
ssl_io_filter_cleanup, apr_pool_cleanup_null);
if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), APLOG_TRACE4)) {
- BIO *rbio = SSL_get_rbio(ssl),
- *wbio = SSL_get_wbio(ssl);
- BIO_set_callback(rbio, ssl_io_data_cb);
- BIO_set_callback_arg(rbio, (void *)ssl);
- if (wbio && wbio != rbio) {
- BIO_set_callback(wbio, ssl_io_data_cb);
- BIO_set_callback_arg(wbio, (void *)ssl);
- }
+ modssl_set_io_callbacks(ssl);
}
return;
@@ -2374,13 +2366,22 @@
"+-------------------------------------------------------------------------+");
}
-long ssl_io_data_cb(BIO *bio, int cmd,
- const char *argp,
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
+ size_t len, int argi, long argl, int rc,
+ size_t *processed)
+#else
+static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
int argi, long argl, long rc)
+#endif
{
SSL *ssl;
conn_rec *c;
server_rec *s;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ (void)len;
+ (void)processed;
+#endif
if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL)
return rc;
@@ -2402,7 +2403,7 @@
"%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
MODSSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
- rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
+ (long)rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
bio, argp, dump);
if (*dump != '\0' && argp != NULL)
ssl_io_data_dump(c, s, argp, rc);
@@ -2417,3 +2418,25 @@
}
return rc;
}
+
+static APR_INLINE void set_bio_callback(BIO *bio, void *arg)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ BIO_set_callback_ex(bio, modssl_io_cb);
+#else
+ BIO_set_callback(bio, modssl_io_cb);
+#endif
+ BIO_set_callback_arg(bio, arg);
+}
+
+void modssl_set_io_callbacks(SSL *ssl)
+{
+ BIO *rbio = SSL_get_rbio(ssl),
+ *wbio = SSL_get_wbio(ssl);
+ if (rbio) {
+ set_bio_callback(rbio, ssl);
+ }
+ if (wbio && wbio != rbio) {
+ set_bio_callback(wbio, ssl);
+ }
+}
--- httpd-2.4.58/modules/ssl/ssl_engine_kernel.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_engine_kernel.c
@@ -2581,6 +2581,7 @@
sc->server->pks->service_unavailable : 0;
ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s);
+
/*
* There is one special filter callback, which is set
* very early depending on the base_server's log level.
@@ -2589,14 +2590,7 @@
* we need to set that callback here.
*/
if (APLOGtrace4(s)) {
- BIO *rbio = SSL_get_rbio(ssl),
- *wbio = SSL_get_wbio(ssl);
- BIO_set_callback(rbio, ssl_io_data_cb);
- BIO_set_callback_arg(rbio, (void *)ssl);
- if (wbio && wbio != rbio) {
- BIO_set_callback(wbio, ssl_io_data_cb);
- BIO_set_callback_arg(wbio, (void *)ssl);
- }
+ modssl_set_io_callbacks(ssl);
}
return 1;
--- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c
@@ -30,6 +30,8 @@
-- Clifford Stoll */
#include "ssl_private.h"
+#include <openssl/ui.h>
+
typedef struct {
server_rec *s;
apr_pool_t *p;
@@ -606,8 +608,7 @@
return (len);
}
-
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#if MODSSL_HAVE_ENGINE_API
/* OpenSSL UI implementation for passphrase entry; largely duplicated
* from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
@@ -831,7 +832,7 @@
const char *certid, const char *keyid,
X509 **pubkey, EVP_PKEY **privkey)
{
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#if MODSSL_HAVE_ENGINE_API
const char *c, *scheme;
ENGINE *e;
UI_METHOD *ui_method = get_passphrase_ui(p);
--- httpd-2.4.58/modules/ssl/ssl_private.h.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_private.h
@@ -83,16 +83,13 @@
#include "ap_expr.h"
-/* OpenSSL headers */
-#include <openssl/opensslv.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
-/* must be defined before including ssl.h */
-#define OPENSSL_NO_SSL_INTERN
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
-#include <openssl/core_names.h>
+/* keep first for compat API */
+#ifndef OPENSSL_API_COMPAT
+#define OPENSSL_API_COMPAT 0x10101000 /* for ENGINE_ API */
#endif
-#include <openssl/ssl.h>
+#include "mod_ssl_openssl.h"
+
+/* OpenSSL headers */
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
@@ -102,12 +99,23 @@
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>
+#include <openssl/dh.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/core_names.h>
+#endif
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
+ && (OPENSSL_VERSION_NUMBER < 0x30000000 \
+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+ && !defined(OPENSSL_NO_ENGINE)
#include <openssl/engine.h>
+#define MODSSL_HAVE_ENGINE_API 1
+#endif
+#ifndef MODSSL_HAVE_ENGINE_API
+#define MODSSL_HAVE_ENGINE_API 0
#endif
#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
@@ -142,10 +150,18 @@
* include most changes from OpenSSL >= 1.1 (new functions, macros,
* deprecations, ...), so we have to work around this...
*/
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if LIBRESSL_VERSION_NUMBER < 0x2070000f
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0
+#endif
#else /* defined(LIBRESSL_VERSION_NUMBER) */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0
#endif
+#endif /* defined(LIBRESSL_VERSION_NUMBER) */
#if defined(OPENSSL_FIPS) || OPENSSL_VERSION_NUMBER >= 0x30000000L
#define HAVE_FIPS
@@ -211,7 +227,10 @@
#endif
/* Secure Remote Password */
-#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
+#if !defined(OPENSSL_NO_SRP) \
+ && (OPENSSL_VERSION_NUMBER < 0x30000000L \
+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+ && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
#define HAVE_SRP
#include <openssl/srp.h>
#endif
@@ -254,6 +273,14 @@
#endif
#endif
+/* those may be deprecated */
+#ifndef X509_get_notBefore
+#define X509_get_notBefore X509_getm_notBefore
+#endif
+#ifndef X509_get_notAfter
+#define X509_get_notAfter X509_getm_notAfter
+#endif
+
#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
#define HAVE_OPENSSL_KEYLOG
#endif
@@ -1019,7 +1046,7 @@
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
-long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
+void modssl_set_io_callbacks(SSL *ssl);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
@@ -1057,9 +1084,13 @@
X509 **pubkey, EVP_PKEY **privkey);
/** Diffie-Hellman Parameter Support */
-DH *ssl_dh_GetParamFromFile(const char *);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+DH *modssl_dh_from_file(const char *);
+#else
+EVP_PKEY *modssl_dh_pkey_from_file(const char *);
+#endif
#ifdef HAVE_ECC
-EC_GROUP *ssl_ec_GetParamFromFile(const char *);
+EC_GROUP *modssl_ec_group_from_file(const char *);
#endif
/* Store the EVP_PKEY key (serialized into DER) in the hash table with
--- httpd-2.4.58/modules/ssl/ssl_util.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_util.c
@@ -476,7 +476,7 @@
int modssl_is_engine_id(const char *name)
{
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#if MODSSL_HAVE_ENGINE_API
/* ### Can handle any other special ENGINE key names here? */
return strncmp(name, "pkcs11:", 7) == 0;
#else
--- httpd-2.4.58/modules/ssl/ssl_util_ssl.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_util_ssl.c
@@ -464,29 +464,52 @@
** _________________________________________________________________
*/
-DH *ssl_dh_GetParamFromFile(const char *file)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+DH *modssl_dh_from_file(const char *file)
{
- DH *dh = NULL;
+ DH *dh;
BIO *bio;
if ((bio = BIO_new_file(file, "r")) == NULL)
return NULL;
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
- return (dh);
+
+ return dh;
+}
+#else
+EVP_PKEY *modssl_dh_pkey_from_file(const char *file)
+{
+ EVP_PKEY *pkey;
+ BIO *bio;
+
+ if ((bio = BIO_new_file(file, "r")) == NULL)
+ return NULL;
+ pkey = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio);
+
+ return pkey;
}
+#endif
#ifdef HAVE_ECC
-EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
+EC_GROUP *modssl_ec_group_from_file(const char *file)
{
- EC_GROUP *group = NULL;
+ EC_GROUP *group;
BIO *bio;
if ((bio = BIO_new_file(file, "r")) == NULL)
return NULL;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+#else
+ group = PEM_ASN1_read_bio((void *)d2i_ECPKParameters,
+ PEM_STRING_ECPARAMETERS, bio,
+ NULL, NULL, NULL);
+#endif
BIO_free(bio);
- return (group);
+
+ return group;
}
#endif
--- httpd-2.4.58/modules/ssl/ssl_util_stapling.c.r1913912
+++ httpd-2.4.58/modules/ssl/ssl_util_stapling.c
@@ -29,9 +29,9 @@
-- Alexei Sayle */
#include "ssl_private.h"
+
#include "ap_mpm.h"
#include "apr_thread_mutex.h"
-#include "mod_ssl_openssl.h"
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
(server_rec *s, apr_pool_t *p,
--- httpd-2.4.58/support/ab.c.r1913912
+++ httpd-2.4.58/support/ab.c
@@ -166,13 +166,18 @@
#if defined(HAVE_OPENSSL)
-#include <openssl/rsa.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+#endif
+
#define USE_SSL
#define SK_NUM(x) sk_X509_num(x)
@@ -555,22 +560,33 @@
*
*/
#ifdef USE_SSL
-static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static long ssl_print_cb(BIO *bio, int cmd, const char *argp,
+ size_t len, int argi, long argl, int ret,
+ size_t *processed)
+#else
+static long ssl_print_cb(BIO *bio, int cmd, const char *argp,
+ int argi, long argl, long ret)
+#endif
{
BIO *out;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ (void)len;
+ (void)processed;
+#endif
out=(BIO *)BIO_get_callback_arg(bio);
if (out == NULL) return(ret);
if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) {
BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n",
- bio, argp, argi, ret, ret);
+ bio, argp, argi, (long)ret, (long)ret);
BIO_dump(out,(char *)argp,(int)ret);
return(ret);
}
else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) {
BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n",
- bio, argp, argi, ret, ret);
+ bio, argp, argi, (long)ret, (long)ret);
BIO_dump(out,(char *)argp,(int)ret);
}
return ret;
@@ -765,17 +781,29 @@
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC: {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ size_t len;
+ char cname[80];
+ if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
+ cname, sizeof(cname), &len)) {
+ cname[0] = '?';
+ len = 1;
+ }
+ cname[len] = '\0';
+#else
const char *cname = NULL;
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
cname = EC_curve_nid2nist(nid);
- if (!cname)
+ if (!cname) {
cname = OBJ_nid2sn(nid);
-
+ if (!cname)
+ cname = "?";
+ }
+#endif
apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits",
- cname,
- EVP_PKEY_bits(key));
+ cname, EVP_PKEY_bits(key));
break;
}
#endif
@@ -1428,7 +1456,11 @@
SSL_set_bio(c->ssl, bio, bio);
SSL_set_connect_state(c->ssl);
if (verbosity >= 4) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ BIO_set_callback_ex(bio, ssl_print_cb);
+#else
BIO_set_callback(bio, ssl_print_cb);
+#endif
BIO_set_callback_arg(bio, (void *)bio_err);
}
#ifdef HAVE_TLSEXT

16
httpd-2.4.58-r1914013.patch
View File

@ -1,16 +0,0 @@
# ./pullrev.sh 1914013
http://svn.apache.org/viewvc?view=revision&revision=1914013
Upstream-Status: merged for 2.4.59
--- httpd-2.4.58/modules/filters/mod_xml2enc.c
+++ httpd-2.4.58/modules/filters/mod_xml2enc.c
@@ -209,7 +209,7 @@
/* to sniff, first we look for BOM */
if (ctx->xml2enc == XML_CHAR_ENCODING_NONE) {
- ctx->xml2enc = xmlDetectCharEncoding((const xmlChar*)ctx->buf,
+ ctx->xml2enc = xmlDetectCharEncoding((const unsigned char*)ctx->buf,
ctx->bytes);
if (HAVE_ENCODING(ctx->xml2enc)) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01432)

14
httpd-2.4.59-gettid.patch Normal file
View File

@ -0,0 +1,14 @@
Upstream-Status: not pushed upstream
--- httpd-2.4.54/server/log.c.gettid
+++ httpd-2.4.54/server/log.c
@@ -968,7 +972,7 @@
#if APR_HAS_THREADS
field_start = len;
len += cpystrn(buf + len, ":tid ", buflen - len);
- item_len = log_tid(info, NULL, buf + len, buflen - len);
+ item_len = log_tid(info, "g", buf + len, buflen - len);
if (!item_len)
len = field_start;
else

292
httpd-2.4.48-r1828172+.patch → httpd-2.4.59-unifycgid.patch
View File

@ -1,14 +1,41 @@
https://github.com/apache/httpd/pull/209
Upstream-Status: in trunk, not proposed for 2.4.x
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ddacd4af19..6d4379d165 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -48,11 +48,11 @@ jobs:
- name: Shared MPMs, all-modules
config: --enable-mods-shared=reallyall --enable-mpms-shared=all
# -------------------------------------------------------------------------
- - name: Event MPM, all-modules, mod_cgid only
- config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi
+ - name: Event MPM, all-modules, mod_cgid fdpassing
+ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi --enable-cgid-fdpassing
# -------------------------------------------------------------------------
- - name: Event MPM, all-modules, no CMSG_DATA
- config: --enable-mods-shared=reallyall --with-mpm=event ac_cv_have_decl_CMSG_DATA=no
+ - name: Event MPM, all-modules, mod_cgid w/o fdpassing
+ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi
# -------------------------------------------------------------------------
- name: Default, all-modules + install
config: --enable-mods-shared=reallyall
diff --git a/changes-entries/pr54221.txt b/changes-entries/pr54221.txt
new file mode 100644
index 0000000000..62b75ea4dd
--- /dev/null
+++ b/changes-entries/pr54221.txt
@@ -0,0 +1,3 @@
+ *) mod_cgid: Optional support for file descriptor passing, fixing
+ error log handling (configure --enable-cgid-fdpassing) on Unix
+ platforms. PR 54221. [Joe Orton]
diff --git a/modules/generators/cgi_common.h b/modules/generators/cgi_common.h
new file mode 100644
index 0000000000..69df73ce68
index 0000000000..66f9418f21
--- /dev/null
+++ b/modules/generators/cgi_common.h
@@ -0,0 +1,629 @@
@@ -0,0 +1,639 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
@ -37,6 +64,7 @@ index 0000000000..69df73ce68
+
+#include "httpd.h"
+#include "util_filter.h"
+#include "util_script.h"
+
+static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgi_pfn_gtv;
+static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgi_pfn_ps;
@ -439,9 +467,18 @@ index 0000000000..69df73ce68
+ char sbuf[MAX_STRING_LEN];
+ int ret;
+
+ if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX)))
+ {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
+ /* In the case of a timeout reading script output, clear
+ * the brigade to avoid a second attempt to read the
+ * output. */
@ -659,10 +696,18 @@ index bf295217e0..086355353b 100644
+
APACHE_MODPATH_FINISH
diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c
index 7e4b126c10..421124a0cb 100644
index 1f7778617e..3799b06ce3 100644
--- a/modules/generators/mod_cgi.c
+++ b/modules/generators/mod_cgi.c
@@ -61,9 +61,6 @@
@@ -48,7 +48,6 @@
#include "http_protocol.h"
#include "http_main.h"
#include "http_log.h"
-#include "util_script.h"
#include "ap_mpm.h"
#include "mod_core.h"
#include "mod_cgi.h"
@@ -61,9 +60,6 @@
module AP_MODULE_DECLARE_DATA cgi_module;
@ -672,14 +717,10 @@ index 7e4b126c10..421124a0cb 100644
static APR_OPTIONAL_FN_TYPE(ap_cgi_build_command) *cgi_build_command;
/* Read and discard the data in the brigade produced by a CGI script */
@@ -92,6 +89,15 @@ typedef struct {
apr_size_t bufbytes;
} cgi_server_conf;
@@ -96,6 +92,11 @@ typedef struct {
apr_interval_time_t timeout;
} cgi_dirconf;
+typedef struct {
+ apr_interval_time_t timeout;
+} cgi_dirconf;
+
+#if APR_FILES_AS_SOCKETS
+#define WANT_CGI_BUCKET
+#endif
@ -688,44 +729,7 @@ index 7e4b126c10..421124a0cb 100644
static void *create_cgi_config(apr_pool_t *p, server_rec *s)
{
cgi_server_conf *c =
@@ -112,6 +118,12 @@ static void *merge_cgi_config(apr_pool_t *p, void *basev, void *overridesv)
return overrides->logname ? overrides : base;
}
+static void *create_cgi_dirconf(apr_pool_t *p, char *dummy)
+{
+ cgi_dirconf *c = (cgi_dirconf *) apr_pcalloc(p, sizeof(cgi_dirconf));
+ return c;
+}
+
static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
{
server_rec *s = cmd->server;
@@ -150,6 +162,17 @@ static const char *set_scriptlog_buffer(cmd_parms *cmd, void *dummy,
return NULL;
}
+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ cgi_dirconf *dc = dummy;
+
+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
+ return "CGIScriptTimeout has wrong format";
+ }
+
+ return NULL;
+}
+
static const command_rec cgi_cmds[] =
{
AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
@@ -158,67 +181,12 @@ AP_INIT_TAKE1("ScriptLogLength", set_scriptlog_length, NULL, RSRC_CONF,
"the maximum length (in bytes) of the script debug log"),
AP_INIT_TAKE1("ScriptLogBuffer", set_scriptlog_buffer, NULL, RSRC_CONF,
"the maximum size (in bytes) to record of a POST request"),
+AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
+ "The amount of time to wait between successful reads from "
+ "the CGI script, in seconds."),
@@ -185,64 +186,6 @@ AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_C
{NULL}
};
@ -790,37 +794,7 @@ index 7e4b126c10..421124a0cb 100644
static int log_script(request_rec *r, cgi_server_conf * conf, int ret,
char *dbuf, const char *sbuf, apr_bucket_brigade *bb,
apr_file_t *script_err)
@@ -466,23 +434,26 @@ static apr_status_t run_cgi_child(apr_file_t **script_out,
apr_filepath_name_get(r->filename));
}
else {
+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
+
apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
*script_in = procnew->out;
if (!*script_in)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_in, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_in, timeout);
if (e_info->prog_type == RUN_AS_CGI) {
*script_out = procnew->in;
if (!*script_out)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_out, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_out, timeout);
*script_err = procnew->err;
if (!*script_err)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_err, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_err, timeout);
}
}
}
@@ -536,234 +507,30 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv,
@@ -563,230 +506,23 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv,
return APR_SUCCESS;
}
@ -963,11 +937,14 @@ index 7e4b126c10..421124a0cb 100644
- apr_size_t *len, apr_read_type_e block)
-{
- struct cgi_bucket_data *data = b->data;
- apr_interval_time_t timeout;
- apr_interval_time_t timeout = 0;
- apr_status_t rv;
- int gotdata = 0;
- cgi_dirconf *dc = ap_get_module_config(data->r->per_dir_config, &cgi_module);
-
- timeout = block == APR_NONBLOCK_READ ? 0 : data->r->server->timeout;
- if (block != APR_NONBLOCK_READ) {
- timeout = dc->timeout > 0 ? dc->timeout : data->r->server->timeout;
- }
-
- do {
- const apr_pollfd_t *results;
@ -1048,10 +1025,10 @@ index 7e4b126c10..421124a0cb 100644
apr_status_t rv;
cgi_exec_info_t e_info;
- conn_rec *c;
+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) {
@@ -794,8 +530,6 @@ static int cgi_handler(request_rec *r)
return DECLINED;
}
@ -1060,7 +1037,7 @@ index 7e4b126c10..421124a0cb 100644
is_included = !strcmp(r->protocol, "INCLUDED");
p = r->main ? r->main->pool : r->pool;
@@ -832,83 +599,24 @@ static int cgi_handler(request_rec *r)
@@ -864,83 +598,24 @@ static int cgi_handler(request_rec *r)
return HTTP_INTERNAL_SERVER_ERROR;
}
@ -1157,7 +1134,7 @@ index 7e4b126c10..421124a0cb 100644
/* Is this flush really needed? */
apr_file_flush(script_out);
apr_file_close(script_out);
@@ -916,10 +624,7 @@ static int cgi_handler(request_rec *r)
@@ -948,10 +623,7 @@ static int cgi_handler(request_rec *r)
AP_DEBUG_ASSERT(script_in != NULL);
#if APR_FILES_AS_SOCKETS
@ -1169,7 +1146,7 @@ index 7e4b126c10..421124a0cb 100644
if (b == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
#else
@@ -929,111 +634,7 @@ static int cgi_handler(request_rec *r)
@@ -961,120 +633,7 @@ static int cgi_handler(request_rec *r)
b = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, b);
@ -1179,9 +1156,18 @@ index 7e4b126c10..421124a0cb 100644
- char sbuf[MAX_STRING_LEN];
- int ret;
-
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX);
-
- /* xCGI has its own body framing mechanism which we don't
- * match against any provided Content-Length, so let the
- * core determine C-L vs T-E based on what's actually sent.
- */
- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
- apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
-
- if (ret != OK) {
- ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);
-
- /*
@ -1220,7 +1206,7 @@ index 7e4b126c10..421124a0cb 100644
- * stderr output, as normal. */
- discard_script_output(bb);
- apr_brigade_destroy(bb);
- apr_file_pipe_timeout_set(script_err, r->server->timeout);
- apr_file_pipe_timeout_set(script_err, timeout);
- log_script_err(r, script_err);
- }
-
@ -1271,7 +1257,7 @@ index 7e4b126c10..421124a0cb 100644
- * connection drops or we stopped sending output for some other
- * reason */
- if (rv == APR_SUCCESS && !r->connection->aborted) {
- apr_file_pipe_timeout_set(script_err, r->server->timeout);
- apr_file_pipe_timeout_set(script_err, timeout);
- log_script_err(r, script_err);
- }
-
@ -1282,7 +1268,7 @@ index 7e4b126c10..421124a0cb 100644
}
/*============================================================================
@@ -1147,107 +748,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1188,107 +747,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return APR_SUCCESS;
}
@ -1390,7 +1376,7 @@ index 7e4b126c10..421124a0cb 100644
/* This is the means by which unusual (non-unix) os's may find alternate
* means to run a given command (e.g. shebang/registry parsing on Win32)
*/
@@ -1263,12 +766,13 @@ static void register_hooks(apr_pool_t *p)
@@ -1304,6 +765,7 @@ static void register_hooks(apr_pool_t *p)
static const char * const aszPre[] = { "mod_include.c", NULL };
ap_hook_handler(cgi_handler, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(cgi_post_config, aszPre, NULL, APR_HOOK_REALLY_FIRST);
@ -1398,18 +1384,19 @@ index 7e4b126c10..421124a0cb 100644
}
AP_DECLARE_MODULE(cgi) =
{
STANDARD20_MODULE_STUFF,
- NULL, /* dir config creater */
+ create_cgi_dirconf, /* dir config creater */
NULL, /* dir merger --- default is to override */
create_cgi_config, /* server config */
merge_cgi_config, /* merge server config */
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index 2258a683b7..dddfb25254 100644
index 4bab59f932..1d55b8dc48 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -80,11 +80,6 @@ module AP_MODULE_DECLARE_DATA cgid_module;
@@ -57,7 +57,6 @@
#include "http_protocol.h"
#include "http_main.h"
#include "http_log.h"
-#include "util_script.h"
#include "ap_mpm.h"
#include "mpm_common.h"
#include "mod_suexec.h"
@@ -80,11 +79,6 @@ module AP_MODULE_DECLARE_DATA cgid_module;
static int cgid_start(apr_pool_t *p, server_rec *main_server, apr_proc_t *procnew);
static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server);
@ -1421,7 +1408,7 @@ index 2258a683b7..dddfb25254 100644
static apr_pool_t *pcgi = NULL;
static pid_t daemon_pid;
@@ -220,6 +215,15 @@ typedef struct {
@@ -220,6 +214,15 @@ typedef struct {
#endif
} cgid_req_t;
@ -1437,7 +1424,7 @@ index 2258a683b7..dddfb25254 100644
/* This routine is called to create the argument list to be passed
* to the CGI script. When suexec is enabled, the suexec path, user, and
* group are the first three arguments to be passed; if not, all three
@@ -342,15 +346,19 @@ static apr_status_t close_unix_socket(void *thefd)
@@ -342,15 +345,19 @@ static apr_status_t close_unix_socket(void *thefd)
return close(fd);
}
@ -1462,7 +1449,7 @@ index 2258a683b7..dddfb25254 100644
do {
do {
rc = read(fd, buf + bytes_read, buf_size - bytes_read);
@@ -365,9 +373,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size)
@@ -365,9 +372,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size)
}
} while (bytes_read < buf_size);
@ -1523,7 +1510,7 @@ index 2258a683b7..dddfb25254 100644
/* deal with signals
*/
static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
@@ -384,7 +443,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
@@ -384,7 +442,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
return APR_SUCCESS;
}
@ -1532,7 +1519,7 @@ index 2258a683b7..dddfb25254 100644
{
va_list ap;
int rc;
@@ -399,9 +458,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
@@ -399,9 +457,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
}
va_end(ap);
@ -1572,7 +1559,7 @@ index 2258a683b7..dddfb25254 100644
if (rc < 0) {
return errno;
}
@@ -410,7 +499,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
@@ -410,7 +498,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
}
static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@ -1581,7 +1568,7 @@ index 2258a683b7..dddfb25254 100644
{
int i;
char **environ;
@@ -421,7 +510,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -421,7 +509,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
r->server = apr_pcalloc(r->pool, sizeof(server_rec));
/* read the request header */
@ -1590,7 +1577,7 @@ index 2258a683b7..dddfb25254 100644
if (stat != APR_SUCCESS) {
return stat;
}
@@ -431,6 +520,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -431,6 +519,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
return APR_SUCCESS;
}
@ -1605,7 +1592,7 @@ index 2258a683b7..dddfb25254 100644
/* handle module indexes and such */
rconf = (void **)ap_create_request_config(r->pool);
@@ -479,14 +576,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -479,14 +575,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
return APR_SUCCESS;
}
@ -1623,7 +1610,7 @@ index 2258a683b7..dddfb25254 100644
if (ugid == NULL) {
@@ -507,16 +605,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
@@ -507,16 +604,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
req.args_len = r->args ? strlen(r->args) : 0;
req.loglevel = r->server->log.level;
@ -1647,7 +1634,7 @@ index 2258a683b7..dddfb25254 100644
&req, sizeof(req),
r->filename, req.filename_len,
argv0, req.argv0_len,
@@ -531,7 +634,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
@@ -531,7 +633,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
for (i = 0; i < req.env_count; i++) {
apr_size_t curlen = strlen(env[i]);
@ -1656,7 +1643,7 @@ index 2258a683b7..dddfb25254 100644
env[i], curlen)) != APR_SUCCESS) {
return stat;
}
@@ -582,20 +685,34 @@ static void daemon_signal_handler(int sig)
@@ -582,20 +684,34 @@ static void daemon_signal_handler(int sig)
}
}
@ -1699,7 +1686,7 @@ index 2258a683b7..dddfb25254 100644
}
static int cgid_server(void *data)
@@ -670,7 +787,7 @@ static int cgid_server(void *data)
@@ -670,7 +786,7 @@ static int cgid_server(void *data)
}
while (!daemon_should_exit) {
@ -1708,7 +1695,7 @@ index 2258a683b7..dddfb25254 100644
char *argv0 = NULL;
char **env = NULL;
const char * const *argv;
@@ -710,7 +827,7 @@ static int cgid_server(void *data)
@@ -710,7 +826,7 @@ static int cgid_server(void *data)
r = apr_pcalloc(ptrans, sizeof(request_rec));
procnew = apr_pcalloc(ptrans, sizeof(*procnew));
r->pool = ptrans;
@ -1717,7 +1704,7 @@ index 2258a683b7..dddfb25254 100644
if (stat != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, stat,
main_server, APLOGNO(01248)
@@ -742,6 +859,16 @@ static int cgid_server(void *data)
@@ -742,6 +858,16 @@ static int cgid_server(void *data)
continue;
}
@ -1734,7 +1721,7 @@ index 2258a683b7..dddfb25254 100644
apr_os_file_put(&r->server->error_log, &errfileno, 0, r->pool);
apr_os_file_put(&inout, &sd2, 0, r->pool);
@@ -801,7 +928,10 @@ static int cgid_server(void *data)
@@ -801,7 +927,10 @@ static int cgid_server(void *data)
close(sd2);
}
else {
@ -1746,7 +1733,7 @@ index 2258a683b7..dddfb25254 100644
argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
@@ -946,16 +1076,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
@@ -946,16 +1075,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
if (ret != OK ) {
return ret;
}
@ -1763,7 +1750,7 @@ index 2258a683b7..dddfb25254 100644
}
return ret;
}
@@ -1066,41 +1186,6 @@ static const command_rec cgid_cmds[] =
@@ -1066,41 +1185,6 @@ static const command_rec cgid_cmds[] =
{NULL}
};
@ -1805,7 +1792,7 @@ index 2258a683b7..dddfb25254 100644
static int log_script(request_rec *r, cgid_server_conf * conf, int ret,
char *dbuf, const char *sbuf, apr_bucket_brigade *bb,
apr_file_t *script_err)
@@ -1221,7 +1306,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1221,7 +1305,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
++connect_tries;
if ((sd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
return log_scripterror(r, conf, HTTP_INTERNAL_SERVER_ERROR, errno,
@ -1814,7 +1801,7 @@ index 2258a683b7..dddfb25254 100644
}
if (connect(sd, (struct sockaddr *)server_addr, server_addr_len) < 0) {
/* Save errno for later */
@@ -1242,7 +1327,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1242,7 +1326,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
}
else {
close(sd);
@ -1823,7 +1810,7 @@ index 2258a683b7..dddfb25254 100644
"unable to connect to cgi daemon after multiple tries");
}
}
@@ -1258,13 +1343,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1258,13 +1342,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
if (connect_errno == ENOENT &&
apr_time_sec(apr_time_now() - ap_scoreboard_image->global->restart_time) >
DEFAULT_CONNECT_STARTUP_DELAY) {
@ -1842,7 +1829,7 @@ index 2258a683b7..dddfb25254 100644
"cgid daemon is gone; is Apache terminating?");
}
}
@@ -1272,23 +1359,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1272,23 +1358,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
return OK;
}
@ -1866,7 +1853,7 @@ index 2258a683b7..dddfb25254 100644
/****************************************************************
*
* Actual cgid handling...
@@ -1374,7 +1444,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t *
@@ -1374,7 +1443,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t *
return stat;
}
@ -1877,7 +1864,7 @@ index 2258a683b7..dddfb25254 100644
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01261)
"daemon couldn't find CGI process for connection %lu",
r->connection->id);
@@ -1393,19 +1465,21 @@ static apr_status_t cleanup_script(void *vptr)
@@ -1393,19 +1464,21 @@ static apr_status_t cleanup_script(void *vptr)
static int cgid_handler(request_rec *r)
{
@ -1903,7 +1890,7 @@ index 2258a683b7..dddfb25254 100644
if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) {
return DECLINED;
@@ -1414,7 +1488,7 @@ static int cgid_handler(request_rec *r)
@@ -1414,7 +1487,7 @@ static int cgid_handler(request_rec *r)
conf = ap_get_module_config(r->server->module_config, &cgid_module);
dc = ap_get_module_config(r->per_dir_config, &cgid_module);
@ -1912,7 +1899,7 @@ index 2258a683b7..dddfb25254 100644
is_included = !strcmp(r->protocol, "INCLUDED");
if ((argv0 = strrchr(r->filename, '/')) != NULL) {
@@ -1429,12 +1503,12 @@ static int cgid_handler(request_rec *r)
@@ -1429,12 +1502,12 @@ static int cgid_handler(request_rec *r)
argv0 = r->filename;
if (!(ap_allow_options(r) & OPT_EXECCGI) && !is_scriptaliased(r)) {
@ -1927,7 +1914,7 @@ index 2258a683b7..dddfb25254 100644
"attempt to include NPH CGI script");
}
@@ -1443,12 +1517,12 @@ static int cgid_handler(request_rec *r)
@@ -1443,12 +1516,12 @@ static int cgid_handler(request_rec *r)
#error at mod_cgi.c for required code in this path.
#else
if (r->finfo.filetype == APR_NOFILE) {
@ -1942,7 +1929,7 @@ index 2258a683b7..dddfb25254 100644
"attempt to invoke directory as script");
}
@@ -1456,7 +1530,7 @@ static int cgid_handler(request_rec *r)
@@ -1456,7 +1529,7 @@ static int cgid_handler(request_rec *r)
r->path_info && *r->path_info)
{
/* default to accept */
@ -1951,7 +1938,7 @@ index 2258a683b7..dddfb25254 100644
"AcceptPathInfo off disallows user's path");
}
/*
@@ -1467,6 +1541,17 @@ static int cgid_handler(request_rec *r)
@@ -1467,6 +1540,17 @@ static int cgid_handler(request_rec *r)
}
*/
@ -1969,7 +1956,7 @@ index 2258a683b7..dddfb25254 100644
/*
* httpd core function used to add common environment variables like
* DOCUMENT_ROOT.
@@ -1479,24 +1564,28 @@ static int cgid_handler(request_rec *r)
@@ -1479,24 +1563,28 @@ static int cgid_handler(request_rec *r)
return retval;
}
@ -2005,7 +1992,7 @@ index 2258a683b7..dddfb25254 100644
}
/* We are putting the socket discriptor into an apr_file_t so that we can
@@ -1506,95 +1595,25 @@ static int cgid_handler(request_rec *r)
@@ -1506,95 +1594,25 @@ static int cgid_handler(request_rec *r)
*/
apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
@ -2114,7 +2101,7 @@ index 2258a683b7..dddfb25254 100644
}
/* we're done writing, or maybe we didn't write at all;
@@ -1603,125 +1622,22 @@ static int cgid_handler(request_rec *r)
@@ -1603,134 +1621,22 @@ static int cgid_handler(request_rec *r)
*/
shutdown(sd, 1);
@ -2131,9 +2118,18 @@ index 2258a683b7..dddfb25254 100644
- b = apr_bucket_eos_create(c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, b);
-
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX);
-
- /* xCGI has its own body framing mechanism which we don't
- * match against any provided Content-Length, so let the
- * core determine C-L vs T-E based on what's actually sent.
- */
- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
- apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
-
- if (ret != OK) {
- ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
-
- /*
@ -2253,7 +2249,7 @@ index 2258a683b7..dddfb25254 100644
static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f,
apr_bucket_brigade *bb, char *s)
{
@@ -1806,7 +1722,7 @@ static void add_ssi_vars(request_rec *r)
@@ -1815,7 +1721,7 @@ static void add_ssi_vars(request_rec *r)
}
static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@ -2262,7 +2258,7 @@ index 2258a683b7..dddfb25254 100644
{
char **env;
int sd;
@@ -1827,7 +1743,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1836,7 +1742,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return retval;
}
@ -2271,7 +2267,7 @@ index 2258a683b7..dddfb25254 100644
info = apr_palloc(r->pool, sizeof(struct cleanup_script_info));
info->conf = conf;
@@ -1872,91 +1788,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1881,91 +1787,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return APR_SUCCESS;
}
@ -2363,7 +2359,7 @@ index 2258a683b7..dddfb25254 100644
static void register_hook(apr_pool_t *p)
{
static const char * const aszPre[] = { "mod_include.c", NULL };
@@ -1964,6 +1795,7 @@ static void register_hook(apr_pool_t *p)
@@ -1973,6 +1794,7 @@ static void register_hook(apr_pool_t *p)
ap_hook_pre_config(cgid_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(cgid_init, aszPre, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(cgid_handler, NULL, NULL, APR_HOOK_MIDDLE);

16
httpd.spec
View File

@ -23,8 +23,8 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.58
Release: 8%{?dist}
Version: 2.4.59
Release: 1%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -85,27 +85,22 @@ Patch20: httpd-2.4.48-r1842929+.patch
Patch21: httpd-2.4.43-mod_systemd.patch
Patch22: httpd-2.4.53-export.patch
Patch23: httpd-2.4.43-corelimit.patch
Patch24: httpd-2.4.54-gettid.patch
Patch24: httpd-2.4.59-gettid.patch
Patch25: httpd-2.4.54-icons.patch
Patch26: httpd-2.4.43-cachehardmax.patch
Patch27: httpd-2.4.43-socket-activation.patch
Patch28: httpd-2.4.43-sslciphdefault.patch
Patch29: httpd-2.4.43-sslprotdefault.patch
Patch30: httpd-2.4.43-r1861793+.patch
Patch31: httpd-2.4.48-r1828172+.patch
Patch31: httpd-2.4.59-unifycgid.patch
Patch32: httpd-2.4.43-logjournal.patch
Patch33: httpd-2.4.53-separate-systemd-fns.patch
Patch34: httpd-2.4.58-r1912477+.patch
Patch35: httpd-2.4.58-r1913912+.patch
Patch36: httpd-2.4.58-r1914365.patch
Patch37: httpd-2.4.54-selinux.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.58-r1914013.patch
Patch62: httpd-2.4.46-htcacheclean-dont-break.patch
Patch63: httpd-2.4.51-r1894152.patch
# Security fixes
# Patch200: ...
@ -829,6 +824,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Apr 5 2024 Joe Orton <jorton@redhat.com> - 2.4.59-1
- update to 2.4.59
* Thu Mar 28 2024 Joe Orton <jorton@redhat.com> - 2.4.58-8
- rebuild to fix changelog ordering

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (httpd-2.4.58.tar.bz2) = d6e73bf413a507ec16b621ff635e178206207a9e9810ce3944b3dc98d39cde8f225307110167fc9da5822175796c8cb66f98be5b9f0d8b76dcd83a401d39b2c1
SHA512 (httpd-2.4.58.tar.bz2.asc) = aa021b067fc84ae6a09d5ce321207622c6c08f22632ac7362318ca0505b84357d77d4ebc1f17fa2c3030ed9d9fd177e8fb989932caeef695e76936e010b63aa0
SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192
SHA512 (httpd-2.4.59.tar.bz2) = 209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2
SHA512 (httpd-2.4.59.tar.bz2.asc) = 85237e204e57d930e2b7a85a21f8d593e81895f96350c3a345978538a536f3c0614ba89256905c0aa558880fc6fb10608b8dd7cbd026af326b1d83601c267f2d