authorfan.xin <fan.xin@jp.fujitsu.com>2015-12-15 11:02:51 +0900
committerMartin Jansa <Martin.Jansa@gmail.com>2016-01-04 14:54:00 +0100
commitc54361fc1e7c3f021a4544fc9df3c7896afdf61c (patch)
treebfa33d981243a789427ace860389fe7f11cda276 /meta-webserver
parent28ac147f3582ac006772592fcf31cdae1b927e91 (diff)
apache2: Upgrade 2.4.16 -> 2.4.18
1. Upgrade apache2 from 2.4.16 to 2.4.18. The changes in 2.4.18 are listed at the following URL: http://ftp.meisei-u.ac.jp/mirror/apache/dist//httpd/CHANGES_2.4.18 2. Delete the patch file npn-patch-2.4.7.patch because it cannot be applied to the apache2 2.4.18 source code. The NPN support was removed with r1676004. NPN is now quite unlikely to find its way into a stable release. https://bz.apache.org/bugzilla/show_bug.cgi?id=52210 Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-webserver')
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb)4
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch289
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb)5
3 files changed, 4 insertions, 294 deletions
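--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.18.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
 S = "${WORKDIR}/httpd-${PV}"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
-SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
+SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
+SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
 
 EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
  --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \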
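--- a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-Add support for TLS Next Protocol Negotiation:
-
-* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
- hooks for next protocol advertisement/discovery.
-
-* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
- NPN advertisement callback in handshake.
-
-* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
- next-protocol discovery hook.
-
-* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
- New callback.
-
-* modules/ssl/ssl_private.h: Add prototype.
-
-Submitted by: Matthew Steele <mdsteele google.com>
- with slight tweaks by jorton
-
-http://svn.apache.org/viewvc?view=revision&revision=1332643
-https://bugzilla.redhat.com//show_bug.cgi?id=809599
-Upstream-Status: Backport
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- CHANGES | 2 +
- modules/ssl/mod_ssl.c | 12 ++++++
- modules/ssl/mod_ssl.h | 21 +++++++++++
- modules/ssl/ssl_engine_init.c | 5 +++
- modules/ssl/ssl_engine_io.c | 24 ++++++++++++
- modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
- modules/ssl/ssl_private.h | 6 +++
- 7 files changed, 152 insertions(+)
-
-diff --git a/CHANGES b/CHANGES
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,6 +1,8 @@
- -*- coding: utf-8 -*-
-
- Changes with Apache 2.4.7
-+ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
-+ [Matthew Steele <mdsteele google.com>]
-
- *) APR 1.5.0 or later is now required for the event MPM.
-
-diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
---- a/modules/ssl/mod_ssl.c
-+++ b/modules/ssl/mod_ssl.c
-@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
- AP_END_CMD
- };
-
-+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos),
-+ (connection, protos), OK, DECLINED);
-+
-+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
-+ (connection, proto_name, proto_name_len), OK, DECLINED);
-+
- /*
- * the various processing hooks
- */
-diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
---- a/modules/ssl/mod_ssl.h
-+++ b/modules/ssl/mod_ssl.h
-@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
-
- APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
-
-+/** The npn_advertise_protos optional hook allows other modules to add entries
-+ * to the list of protocol names advertised by the server during the Next
-+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
-+ * given the connection and an APR array; it should push one or more char*'s
-+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
-+ * the array and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos));
-+
-+/** The npn_proto_negotiated optional hook allows other modules to discover the
-+ * name of the protocol that was chosen during the Next Protocol Negotiation
-+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
-+ * (in which case modules should probably assume HTTP), or it may be a protocol
-+ * that was never even advertised by the server. The hook callee is given the
-+ * connection, a non-null-terminated string containing the protocol name, and
-+ * the length of the string; it should do something appropriate (i.e. insert or
-+ * remove filters) and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name,
-+ apr_size_t proto_name_len));
-+
- #endif /* __MOD_SSL_H__ */
- /** @} */
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
-
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-+
-+#ifdef HAVE_TLS_NPN
-+ SSL_CTX_set_next_protos_advertised_cb(
-+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
-+#endif
- }
-
- static void ssl_init_ctx_verify(server_rec *s,
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
---- a/modules/ssl/ssl_engine_io.c
-+++ b/modules/ssl/ssl_engine_io.c
-@@ -28,6 +28,7 @@
- core keeps dumping.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "apr_date.h"
-
- /* _________________________________________________________________
-@@ -297,6 +298,7 @@ typedef struct {
- apr_pool_t *pool;
- char buffer[AP_IOBUFSIZE];
- ssl_filter_ctx_t *filter_ctx;
-+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
- } bio_filter_in_ctx_t;
-
- /*
-@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
- APR_BRIGADE_INSERT_TAIL(bb, bucket);
- }
-
-+#ifdef HAVE_TLS_NPN
-+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
-+ * our version of OpenSSL supports it). If we haven't already, find out
-+ * which protocol was decided upon and inform other modules by calling
-+ * npn_proto_negotiated_hook. */
-+ if (!inctx->npn_finished) {
-+ const unsigned char *next_proto = NULL;
-+ unsigned next_proto_len = 0;
-+
-+ SSL_get0_next_proto_negotiated(
-+ inctx->ssl, &next_proto, &next_proto_len);
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-+ "SSL NPN negotiated protocol: '%s'",
-+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
-+ next_proto_len));
-+ modssl_run_npn_proto_negotiated_hook(
-+ f->c, (const char*)next_proto, next_proto_len);
-+ inctx->npn_finished = 1;
-+ }
-+#endif
-+
- return APR_SUCCESS;
- }
-
-@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
- inctx->block = APR_BLOCK_READ;
- inctx->pool = c->pool;
- inctx->filter_ctx = filter_ctx;
-+ inctx->npn_finished = 0;
- }
-
- /* The request_rec pointer is passed in here only to ensure that the
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
---- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -29,6 +29,7 @@
- time I was too famous.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "util_md5.h"
-
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
- }
-
- #endif /* HAVE_SRP */
-+
-+#ifdef HAVE_TLS_NPN
-+/*
-+ * This callback function is executed when SSL needs to decide what protocols
-+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
-+ * string in wire format -- a sequence of length-prefixed strings -- indicating
-+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
-+ * in OpenSSL for reference.
-+ */
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
-+ unsigned int *size_out, void *arg)
-+{
-+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
-+ apr_array_header_t *protos;
-+ int num_protos;
-+ unsigned int size;
-+ int i;
-+ unsigned char *data;
-+ unsigned char *start;
-+
-+ *data_out = NULL;
-+ *size_out = 0;
-+
-+ /* If the connection object is not available, then there's nothing for us
-+ * to do. */
-+ if (c == NULL) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
-+ * add alternate protocol names to advertise. */
-+ protos = apr_array_make(c->pool, 0, sizeof(char*));
-+ modssl_run_npn_advertise_protos_hook(c, protos);
-+ num_protos = protos->nelts;
-+
-+ /* We now have a list of null-terminated strings; we need to concatenate
-+ * them together into a single string, where each protocol name is prefixed
-+ * by its length. First, calculate how long that string will be. */
-+ size = 0;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ unsigned int length = strlen(string);
-+ /* If the protocol name is too long (the length must fit in one byte),
-+ * then log an error and skip it. */
-+ if (length > 255) {
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+ "SSL NPN protocol name too long (length=%u): %s",
-+ length, string);
-+ continue;
-+ }
-+ /* Leave room for the length prefix (one byte) plus the protocol name
-+ * itself. */
-+ size += 1 + length;
-+ }
-+
-+ /* If there is nothing to advertise (either because no modules added
-+ * anything to the protos array, or because all strings added to the array
-+ * were skipped), then we're done. */
-+ if (size == 0) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Now we can build the string. Copy each protocol name string into the
-+ * larger string, prefixed by its length. */
-+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
-+ start = data;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ apr_size_t length = strlen(string);
-+ *start = (unsigned char)length;
-+ ++start;
-+ memcpy(start, string, length * sizeof(unsigned char));
-+ start += length;
-+ }
-+
-+ /* Success. */
-+ *data_out = data;
-+ *size_out = size;
-+ return SSL_TLSEXT_ERR_OK;
-+}
-+#endif /* HAVE_TLS_NPN */
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
---- a/modules/ssl/ssl_private.h
-+++ b/modules/ssl/ssl_private.h
-@@ -123,6 +123,11 @@
- #define MODSSL_SSL_METHOD_CONST
- #endif
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
-+ && !defined(OPENSSL_NO_TLSEXT)
-+#define HAVE_TLS_NPN
-+#endif
-+
- #if defined(OPENSSL_FIPS)
- #define HAVE_FIPS
- #endif
-@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
- EVP_CIPHER_CTX *, HMAC_CTX *, int);
- #endif
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
-
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
---
-1.8.1.2
-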
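--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.18.bb
@@ -15,7 +15,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
  file://replace-lynx-to-curl-in-apachectl-script.patch \
  file://apache-ssl-ltmain-rpath.patch \
  file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
- file://npn-patch-2.4.7.patch \
  file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
  file://configure-allow-to-disable-selinux-support.patch \
  file://init \
@@ -24,8 +23,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
  "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
-SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
+SRC_URI[md5sum] = "3690b3cc991b7dfd22aea9e1264a11b9"
+SRC_URI[sha256sum] = "0644b050de41f5c9f67c825285049b144690421acb709b06fe53eddfa8a9fd4c"
 
 S = "${WORKDIR}/httpd-${PV}"
 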
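Review bot: The new `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` values in the second hunk are the only integrity check on a tarball that `SRC_URI` fetches over plain `http://`, and nothing in the commit records how they were obtained. The description points to a third-party mirror for the changelog, so the sha256 should be confirmed against the digest and signature the Apache project publishes for httpd 2.4.18, and the commit message should say that this was done. The same pair of values is repeated in apache2-native_2.4.18.bb, so one check covers both recipes. The `SRC_URI` assignment itself begins outside these hunks; moving it to `https://` would be a reasonable follow-up, with the sha256 remaining the value that matters since md5 alone gives no tamper resistance.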