apache2: Upgrade 2.4.16 -> 2.4.18

1. Upgrade apache2 from 2.4.16 to 2.4.18 The changes in 2.4.18 is shown in following URL. http://ftp.meisei-u.ac.jp/mirror/apache/dist//httpd/CHANGES_2.4.18 2. Delete patch file npn-patch-2.4.7.patch due to this patch file can not be applied to the apache2 2.4.18's source code. The NPN support was removed with r1676004. NPN is now quite unlikely to find its way into a stable release. https://bz.apache.org/bugzilla/show_bug.cgi?id=52210 Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: fan.xin <fan.xin@jp.fujitsu.com> 2015-12-15 11:02:51 +0900
committer: Martin Jansa <Martin.Jansa@gmail.com> 2016-01-04 14:54:00 +0100
commit: c54361fc1e7c3f021a4544fc9df3c7896afdf61c (patch)
tree: bfa33d981243a789427ace860389fe7f11cda276 /meta-webserver
parent: 28ac147f3582ac006772592fcf31cdae1b927e91 (diff)
download: meta-openembedded-c54361fc1e7c3f021a4544fc9df3c7896afdf61c.tar.gz
3 files changed, 4 insertions, 294 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb
index 59109dd1c..201efa6fd 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
 S = "${WORKDIR}/httpd-${PV}"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
+SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
-SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
+SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
 EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
                --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
deleted file mode 100644
index a4f185501..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-Add support for TLS Next Protocol Negotiation:
-* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
-  hooks for next protocol advertisement/discovery.
-* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
-  NPN advertisement callback in handshake.
-* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
-  next-protocol discovery hook.
-* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
-  New callback.
-* modules/ssl/ssl_private.h: Add prototype.
-Submitted by: Matthew Steele <mdsteele google.com>
-  with slight tweaks by jorton
-http://svn.apache.org/viewvc?view=revision&revision=1332643
-https://bugzilla.redhat.com//show_bug.cgi?id=809599
-Upstream-Status: Backport
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- CHANGES                         |  2 +
- modules/ssl/mod_ssl.c           | 12 ++++++
- modules/ssl/mod_ssl.h           | 21 +++++++++++
- modules/ssl/ssl_engine_init.c   |  5 +++
- modules/ssl/ssl_engine_io.c     | 24 ++++++++++++
- modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
- modules/ssl/ssl_private.h       |  6 +++
- 7 files changed, 152 insertions(+)
-diff --git a/CHANGES b/CHANGES
--- a/CHANGES
-+++ b/CHANGES
-@@ -1,6 +1,8 @@
-                                                          -*- coding: utf-8 -*-
- 
- Changes with Apache 2.4.7
-+  *) mod_ssl: Add support for TLS Next Protocol Negotiation.  PR 52210.
-+     [Matthew Steele <mdsteele google.com>]
- 
-   *) APR 1.5.0 or later is now required for the event MPM.
-   
-diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
--- a/modules/ssl/mod_ssl.c
-+++ b/modules/ssl/mod_ssl.c
-@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
-     AP_END_CMD
- };
- 
-+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+    modssl, AP, int, npn_advertise_protos_hook,
-+    (conn_rec *connection, apr_array_header_t *protos),
-+    (connection, protos), OK, DECLINED);
-+
-+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+    modssl, AP, int, npn_proto_negotiated_hook,
-+    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
-+    (connection, proto_name, proto_name_len), OK, DECLINED);
-+
- /*
-  *  the various processing hooks
-  */
-diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
--- a/modules/ssl/mod_ssl.h
-+++ b/modules/ssl/mod_ssl.h
-@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
- 
- APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
- 
-+/** The npn_advertise_protos optional hook allows other modules to add entries
-+ * to the list of protocol names advertised by the server during the Next
-+ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
-+ * given the connection and an APR array; it should push one or more char*'s
-+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
-+ * the array and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
-+                          (conn_rec *connection, apr_array_header_t *protos));
-+
-+/** The npn_proto_negotiated optional hook allows other modules to discover the
-+ * name of the protocol that was chosen during the Next Protocol Negotiation
-+ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
-+ * (in which case modules should probably assume HTTP), or it may be a protocol
-+ * that was never even advertised by the server.  The hook callee is given the
-+ * connection, a non-null-terminated string containing the protocol name, and
-+ * the length of the string; it should do something appropriate (i.e. insert or
-+ * remove filters) and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
-+                          (conn_rec *connection, const char *proto_name,
-+                           apr_size_t proto_name_len));
-+
- #endif /* __MOD_SSL_H__ */
- /** @} */
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
--- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
-     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
- 
-     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-+
-+#ifdef HAVE_TLS_NPN
-+    SSL_CTX_set_next_protos_advertised_cb(
-+        ctx, ssl_callback_AdvertiseNextProtos, NULL);
-+#endif
- }
- 
- static void ssl_init_ctx_verify(server_rec *s,
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
--- a/modules/ssl/ssl_engine_io.c
-+++ b/modules/ssl/ssl_engine_io.c
-@@ -28,6 +28,7 @@
-                                   core keeps dumping.''
-                                             -- Unknown    */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "apr_date.h"
- 
- /*  _________________________________________________________________
-@@ -297,6 +298,7 @@ typedef struct {
-     apr_pool_t *pool;
-     char buffer[AP_IOBUFSIZE];
-     ssl_filter_ctx_t *filter_ctx;
-+    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
- } bio_filter_in_ctx_t;
- 
- /*
-@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
-         APR_BRIGADE_INSERT_TAIL(bb, bucket);
-     }
- 
-+#ifdef HAVE_TLS_NPN
-+    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
-+     * our version of OpenSSL supports it).  If we haven't already, find out
-+     * which protocol was decided upon and inform other modules by calling
-+     * npn_proto_negotiated_hook. */
-+    if (!inctx->npn_finished) {
-+        const unsigned char *next_proto = NULL;
-+        unsigned next_proto_len = 0;
-+
-+        SSL_get0_next_proto_negotiated(
-+            inctx->ssl, &next_proto, &next_proto_len);
-+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-+                      "SSL NPN negotiated protocol: '%s'",
-+                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
-+                                     next_proto_len));
-+        modssl_run_npn_proto_negotiated_hook(
-+            f->c, (const char*)next_proto, next_proto_len);
-+        inctx->npn_finished = 1;
-+    }
-+#endif
-+
-     return APR_SUCCESS;
- }
- 
-@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
-     inctx->block = APR_BLOCK_READ;
-     inctx->pool = c->pool;
-     inctx->filter_ctx = filter_ctx;
-+    inctx->npn_finished = 0;
- }
- 
- /* The request_rec pointer is passed in here only to ensure that the
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
--- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -29,6 +29,7 @@
-                                   time I was too famous.''
-                                             -- Unknown                */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "util_md5.h"
- 
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
- }
- 
- #endif /* HAVE_SRP */
-+
-+#ifdef HAVE_TLS_NPN
-+/*
-+ * This callback function is executed when SSL needs to decide what protocols
-+ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
-+ * string in wire format -- a sequence of length-prefixed strings -- indicating
-+ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
-+ * in OpenSSL for reference.
-+ */
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
-+                                     unsigned int *size_out, void *arg)
-+{
-+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
-+    apr_array_header_t *protos;
-+    int num_protos;
-+    unsigned int size;
-+    int i;
-+    unsigned char *data;
-+    unsigned char *start;
-+
-+    *data_out = NULL;
-+    *size_out = 0;
-+
-+    /* If the connection object is not available, then there's nothing for us
-+     * to do. */
-+    if (c == NULL) {
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+
-+    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
-+     * add alternate protocol names to advertise. */
-+    protos = apr_array_make(c->pool, 0, sizeof(char*));
-+    modssl_run_npn_advertise_protos_hook(c, protos);
-+    num_protos = protos->nelts;
-+
-+    /* We now have a list of null-terminated strings; we need to concatenate
-+     * them together into a single string, where each protocol name is prefixed
-+     * by its length.  First, calculate how long that string will be. */
-+    size = 0;
-+    for (i = 0; i < num_protos; ++i) {
-+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+        unsigned int length = strlen(string);
-+        /* If the protocol name is too long (the length must fit in one byte),
-+         * then log an error and skip it. */
-+        if (length > 255) {
-+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+                          "SSL NPN protocol name too long (length=%u): %s",
-+                          length, string);
-+            continue;
-+        }
-+        /* Leave room for the length prefix (one byte) plus the protocol name
-+         * itself. */
-+        size += 1 + length;
-+    }
-+
-+    /* If there is nothing to advertise (either because no modules added
-+     * anything to the protos array, or because all strings added to the array
-+     * were skipped), then we're done. */
-+    if (size == 0) {
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+
-+    /* Now we can build the string.  Copy each protocol name string into the
-+     * larger string, prefixed by its length. */
-+    data = apr_palloc(c->pool, size * sizeof(unsigned char));
-+    start = data;
-+    for (i = 0; i < num_protos; ++i) {
-+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+        apr_size_t length = strlen(string);
-+        *start = (unsigned char)length;
-+        ++start;
-+        memcpy(start, string, length * sizeof(unsigned char));
-+        start += length;
-+    }
-+
-+    /* Success. */
-+    *data_out = data;
-+    *size_out = size;
-+    return SSL_TLSEXT_ERR_OK;
-+}
-+#endif /* HAVE_TLS_NPN */
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
--- a/modules/ssl/ssl_private.h
-+++ b/modules/ssl/ssl_private.h
-@@ -123,6 +123,11 @@
- #define MODSSL_SSL_METHOD_CONST
- #endif
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
-+    && !defined(OPENSSL_NO_TLSEXT)
-+#define HAVE_TLS_NPN
-+#endif
-+
- #if defined(OPENSSL_FIPS)
- #define HAVE_FIPS
- #endif
-@@ -800,6 +805,7 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
-                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
- #endif
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
- 
- /**  Session Cache Support  */
- void         ssl_scache_init(server_rec *, apr_pool_t *);
-- 
-1.8.1.2
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb
index 48c448ebd..8ca6d000c 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb
@@ -15,7 +15,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
           file://replace-lynx-to-curl-in-apachectl-script.patch \
           file://apache-ssl-ltmain-rpath.patch \
           file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
-           file://npn-patch-2.4.7.patch \
           file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
           file://configure-allow-to-disable-selinux-support.patch \
           file://init \
@@ -24,8 +23,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
          "
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
+SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
-SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
+SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
 S = "${WORKDIR}/httpd-${PV}"
author	fan.xin <fan.xin@jp.fujitsu.com>	2015-12-15 11:02:51 +0900
committer	Martin Jansa <Martin.Jansa@gmail.com>	2016-01-04 14:54:00 +0100
commit	c54361fc1e7c3f021a4544fc9df3c7896afdf61c (patch)
tree	bfa33d981243a789427ace860389fe7f11cda276 /meta-webserver
parent	28ac147f3582ac006772592fcf31cdae1b927e91 (diff)
download	meta-openembedded-c54361fc1e7c3f021a4544fc9df3c7896afdf61c.tar.gz

diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb index 59109dd1c..201efa6fd 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
15	S = "${WORKDIR}/httpd-${PV}"	15	S = "${WORKDIR}/httpd-${PV}"
16		16
17	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"	17	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
18	SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"	18	SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
19	SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"	19	SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
20		20
21	EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \	21	EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
22	--with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \	22	--with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch deleted file mode 100644 index a4f185501..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch +++ /dev/null
@@ -1,289 +0,0 @@
1	Add support for TLS Next Protocol Negotiation:
2
3	* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
4	hooks for next protocol advertisement/discovery.
5
6	* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
7	NPN advertisement callback in handshake.
8
9	* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
10	next-protocol discovery hook.
11
12	* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
13	New callback.
14
15	* modules/ssl/ssl_private.h: Add prototype.
16
17	Submitted by: Matthew Steele <mdsteele google.com>
18	with slight tweaks by jorton
19
20	http://svn.apache.org/viewvc?view=revision&revision=1332643
21	https://bugzilla.redhat.com//show_bug.cgi?id=809599
22	Upstream-Status: Backport
23	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
24	---
25	CHANGES \| 2 +
26	modules/ssl/mod_ssl.c \| 12 ++++++
27	modules/ssl/mod_ssl.h \| 21 +++++++++++
28	modules/ssl/ssl_engine_init.c \| 5 +++
29	modules/ssl/ssl_engine_io.c \| 24 ++++++++++++
30	modules/ssl/ssl_engine_kernel.c \| 82 +++++++++++++++++++++++++++++++++++++++++
31	modules/ssl/ssl_private.h \| 6 +++
32	7 files changed, 152 insertions(+)
33
34	diff --git a/CHANGES b/CHANGES
35	--- a/CHANGES
36	+++ b/CHANGES
37	@@ -1,6 +1,8 @@
38	-- coding: utf-8 --
39
40	Changes with Apache 2.4.7
41	+ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
42	+ [Matthew Steele <mdsteele google.com>]
43
44	*) APR 1.5.0 or later is now required for the event MPM.
45
46	diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
47	--- a/modules/ssl/mod_ssl.c
48	+++ b/modules/ssl/mod_ssl.c
49	@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
50	AP_END_CMD
51	};
52
53	+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
54	+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
55	+ modssl, AP, int, npn_advertise_protos_hook,
56	+ (conn_rec connection, apr_array_header_t protos),
57	+ (connection, protos), OK, DECLINED);
58	+
59	+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
60	+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
61	+ modssl, AP, int, npn_proto_negotiated_hook,
62	+ (conn_rec connection, const char proto_name, apr_size_t proto_name_len),
63	+ (connection, proto_name, proto_name_len), OK, DECLINED);
64	+
65	/*
66	* the various processing hooks
67	*/
68	diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
69	--- a/modules/ssl/mod_ssl.h
70	+++ b/modules/ssl/mod_ssl.h
71	@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
72
73	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
74
75	+/** The npn_advertise_protos optional hook allows other modules to add entries
76	+ * to the list of protocol names advertised by the server during the Next
77	+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
78	+ * given the connection and an APR array; it should push one or more char*'s
79	+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
80	+ * the array and return OK, or do nothing and return DECLINED. */
81	+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
82	+ (conn_rec connection, apr_array_header_t protos));
83	+
84	+/** The npn_proto_negotiated optional hook allows other modules to discover the
85	+ * name of the protocol that was chosen during the Next Protocol Negotiation
86	+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
87	+ * (in which case modules should probably assume HTTP), or it may be a protocol
88	+ * that was never even advertised by the server. The hook callee is given the
89	+ * connection, a non-null-terminated string containing the protocol name, and
90	+ * the length of the string; it should do something appropriate (i.e. insert or
91	+ * remove filters) and return OK, or do nothing and return DECLINED. */
92	+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
93	+ (conn_rec connection, const char proto_name,
94	+ apr_size_t proto_name_len));
95	+
96	#endif /* __MOD_SSL_H__ */
97	/** @} */
98	diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
99	--- a/modules/ssl/ssl_engine_init.c
100	+++ b/modules/ssl/ssl_engine_init.c
101	@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
102	SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
103
104	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
105	+
106	+#ifdef HAVE_TLS_NPN
107	+ SSL_CTX_set_next_protos_advertised_cb(
108	+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
109	+#endif
110	}
111
112	static void ssl_init_ctx_verify(server_rec *s,
113	diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
114	--- a/modules/ssl/ssl_engine_io.c
115	+++ b/modules/ssl/ssl_engine_io.c
116	@@ -28,6 +28,7 @@
117	core keeps dumping.''
118	-- Unknown */
119	#include "ssl_private.h"
120	+#include "mod_ssl.h"
121	#include "apr_date.h"
122
123	/* _________________________________________________________________
124	@@ -297,6 +298,7 @@ typedef struct {
125	apr_pool_t *pool;
126	char buffer[AP_IOBUFSIZE];
127	ssl_filter_ctx_t *filter_ctx;
128	+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
129	} bio_filter_in_ctx_t;
130
131	/*
132	@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
133	APR_BRIGADE_INSERT_TAIL(bb, bucket);
134	}
135
136	+#ifdef HAVE_TLS_NPN
137	+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
138	+ * our version of OpenSSL supports it). If we haven't already, find out
139	+ * which protocol was decided upon and inform other modules by calling
140	+ * npn_proto_negotiated_hook. */
141	+ if (!inctx->npn_finished) {
142	+ const unsigned char *next_proto = NULL;
143	+ unsigned next_proto_len = 0;
144	+
145	+ SSL_get0_next_proto_negotiated(
146	+ inctx->ssl, &next_proto, &next_proto_len);
147	+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
148	+ "SSL NPN negotiated protocol: '%s'",
149	+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
150	+ next_proto_len));
151	+ modssl_run_npn_proto_negotiated_hook(
152	+ f->c, (const char*)next_proto, next_proto_len);
153	+ inctx->npn_finished = 1;
154	+ }
155	+#endif
156	+
157	return APR_SUCCESS;
158	}
159
160	@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t filter_ctx, conn_rec c,
161	inctx->block = APR_BLOCK_READ;
162	inctx->pool = c->pool;
163	inctx->filter_ctx = filter_ctx;
164	+ inctx->npn_finished = 0;
165	}
166
167	/* The request_rec pointer is passed in here only to ensure that the
168	diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
169	--- a/modules/ssl/ssl_engine_kernel.c
170	+++ b/modules/ssl/ssl_engine_kernel.c
171	@@ -29,6 +29,7 @@
172	time I was too famous.''
173	-- Unknown */
174	#include "ssl_private.h"
175	+#include "mod_ssl.h"
176	#include "util_md5.h"
177
178	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);
179	@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL ssl, int ad, void *arg)
180	}
181
182	#endif /* HAVE_SRP */
183	+
184	+#ifdef HAVE_TLS_NPN
185	+/*
186	+ * This callback function is executed when SSL needs to decide what protocols
187	+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
188	+ * string in wire format -- a sequence of length-prefixed strings -- indicating
189	+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
190	+ * in OpenSSL for reference.
191	+ */
192	+int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
193	+ unsigned int size_out, void arg)
194	+{
195	+ conn_rec c = (conn_rec)SSL_get_app_data(ssl);
196	+ apr_array_header_t *protos;
197	+ int num_protos;
198	+ unsigned int size;
199	+ int i;
200	+ unsigned char *data;
201	+ unsigned char *start;
202	+
203	+ *data_out = NULL;
204	+ *size_out = 0;
205	+
206	+ /* If the connection object is not available, then there's nothing for us
207	+ * to do. */
208	+ if (c == NULL) {
209	+ return SSL_TLSEXT_ERR_OK;
210	+ }
211	+
212	+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
213	+ * add alternate protocol names to advertise. */
214	+ protos = apr_array_make(c->pool, 0, sizeof(char*));
215	+ modssl_run_npn_advertise_protos_hook(c, protos);
216	+ num_protos = protos->nelts;
217	+
218	+ /* We now have a list of null-terminated strings; we need to concatenate
219	+ * them together into a single string, where each protocol name is prefixed
220	+ * by its length. First, calculate how long that string will be. */
221	+ size = 0;
222	+ for (i = 0; i < num_protos; ++i) {
223	+ const char string = APR_ARRAY_IDX(protos, i, const char);
224	+ unsigned int length = strlen(string);
225	+ /* If the protocol name is too long (the length must fit in one byte),
226	+ * then log an error and skip it. */
227	+ if (length > 255) {
228	+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
229	+ "SSL NPN protocol name too long (length=%u): %s",
230	+ length, string);
231	+ continue;
232	+ }
233	+ /* Leave room for the length prefix (one byte) plus the protocol name
234	+ * itself. */
235	+ size += 1 + length;
236	+ }
237	+
238	+ /* If there is nothing to advertise (either because no modules added
239	+ * anything to the protos array, or because all strings added to the array
240	+ * were skipped), then we're done. */
241	+ if (size == 0) {
242	+ return SSL_TLSEXT_ERR_OK;
243	+ }
244	+
245	+ /* Now we can build the string. Copy each protocol name string into the
246	+ * larger string, prefixed by its length. */
247	+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
248	+ start = data;
249	+ for (i = 0; i < num_protos; ++i) {
250	+ const char string = APR_ARRAY_IDX(protos, i, const char);
251	+ apr_size_t length = strlen(string);
252	+ *start = (unsigned char)length;
253	+ ++start;
254	+ memcpy(start, string, length * sizeof(unsigned char));
255	+ start += length;
256	+ }
257	+
258	+ /* Success. */
259	+ *data_out = data;
260	+ *size_out = size;
261	+ return SSL_TLSEXT_ERR_OK;
262	+}
263	+#endif /* HAVE_TLS_NPN */
264	diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
265	--- a/modules/ssl/ssl_private.h
266	+++ b/modules/ssl/ssl_private.h
267	@@ -123,6 +123,11 @@
268	#define MODSSL_SSL_METHOD_CONST
269	#endif
270
271	+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
272	+ && !defined(OPENSSL_NO_TLSEXT)
273	+#define HAVE_TLS_NPN
274	+#endif
275	+
276	#if defined(OPENSSL_FIPS)
277	#define HAVE_FIPS
278	#endif
279	@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL , int , modssl_ctx_t *);
280	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,
281	EVP_CIPHER_CTX , HMAC_CTX , int);
282	#endif
283	+int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
284
285	/** Session Cache Support */
286	void ssl_scache_init(server_rec , apr_pool_t );
287	--
288	1.8.1.2
289


diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb index 48c448ebd..8ca6d000c 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb
@@ -15,7 +15,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
15	file://replace-lynx-to-curl-in-apachectl-script.patch \	15	file://replace-lynx-to-curl-in-apachectl-script.patch \
16	file://apache-ssl-ltmain-rpath.patch \	16	file://apache-ssl-ltmain-rpath.patch \
17	file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \	17	file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
18	file://npn-patch-2.4.7.patch \
19	file://0001-configure-use-pkg-config-for-PCRE-detection.patch \	18	file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
20	file://configure-allow-to-disable-selinux-support.patch \	19	file://configure-allow-to-disable-selinux-support.patch \
21	file://init \	20	file://init \
@@ -24,8 +23,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
24	"	23	"
25		24
26	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"	25	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
27	SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"	26	SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
28	SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"	27	SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
29		28
30	S = "${WORKDIR}/httpd-${PV}"	29	S = "${WORKDIR}/httpd-${PV}"
31		30