diff options
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch')
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch | 289 |
1 files changed, 289 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch new file mode 100644 index 000000000..a4f185501 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch | |||
@@ -0,0 +1,289 @@ | |||
1 | Add support for TLS Next Protocol Negotiation: | ||
2 | |||
3 | * modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new | ||
4 | hooks for next protocol advertisement/discovery. | ||
5 | |||
6 | * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable | ||
7 | NPN advertisement callback in handshake. | ||
8 | |||
9 | * modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke | ||
10 | next-protocol discovery hook. | ||
11 | |||
12 | * modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): | ||
13 | New callback. | ||
14 | |||
15 | * modules/ssl/ssl_private.h: Add prototype. | ||
16 | |||
17 | Submitted by: Matthew Steele <mdsteele google.com> | ||
18 | with slight tweaks by jorton | ||
19 | |||
20 | http://svn.apache.org/viewvc?view=revision&revision=1332643 | ||
21 | https://bugzilla.redhat.com//show_bug.cgi?id=809599 | ||
22 | Upstream-Status: Backport | ||
23 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
24 | --- | ||
25 | CHANGES | 2 + | ||
26 | modules/ssl/mod_ssl.c | 12 ++++++ | ||
27 | modules/ssl/mod_ssl.h | 21 +++++++++++ | ||
28 | modules/ssl/ssl_engine_init.c | 5 +++ | ||
29 | modules/ssl/ssl_engine_io.c | 24 ++++++++++++ | ||
30 | modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++ | ||
31 | modules/ssl/ssl_private.h | 6 +++ | ||
32 | 7 files changed, 152 insertions(+) | ||
33 | |||
34 | diff --git a/CHANGES b/CHANGES | ||
35 | --- a/CHANGES | ||
36 | +++ b/CHANGES | ||
37 | @@ -1,6 +1,8 @@ | ||
38 | -*- coding: utf-8 -*- | ||
39 | |||
40 | Changes with Apache 2.4.7 | ||
41 | + *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. | ||
42 | + [Matthew Steele <mdsteele google.com>] | ||
43 | |||
44 | *) APR 1.5.0 or later is now required for the event MPM. | ||
45 | |||
46 | diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c | ||
47 | --- a/modules/ssl/mod_ssl.c | ||
48 | +++ b/modules/ssl/mod_ssl.c | ||
49 | @@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { | ||
50 | AP_END_CMD | ||
51 | }; | ||
52 | |||
53 | +/* Implement 'modssl_run_npn_advertise_protos_hook'. */ | ||
54 | +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( | ||
55 | + modssl, AP, int, npn_advertise_protos_hook, | ||
56 | + (conn_rec *connection, apr_array_header_t *protos), | ||
57 | + (connection, protos), OK, DECLINED); | ||
58 | + | ||
59 | +/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ | ||
60 | +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( | ||
61 | + modssl, AP, int, npn_proto_negotiated_hook, | ||
62 | + (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), | ||
63 | + (connection, proto_name, proto_name_len), OK, DECLINED); | ||
64 | + | ||
65 | /* | ||
66 | * the various processing hooks | ||
67 | */ | ||
68 | diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h | ||
69 | --- a/modules/ssl/mod_ssl.h | ||
70 | +++ b/modules/ssl/mod_ssl.h | ||
71 | @@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); | ||
72 | |||
73 | APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); | ||
74 | |||
75 | +/** The npn_advertise_protos optional hook allows other modules to add entries | ||
76 | + * to the list of protocol names advertised by the server during the Next | ||
77 | + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is | ||
78 | + * given the connection and an APR array; it should push one or more char*'s | ||
79 | + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto | ||
80 | + * the array and return OK, or do nothing and return DECLINED. */ | ||
81 | +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, | ||
82 | + (conn_rec *connection, apr_array_header_t *protos)); | ||
83 | + | ||
84 | +/** The npn_proto_negotiated optional hook allows other modules to discover the | ||
85 | + * name of the protocol that was chosen during the Next Protocol Negotiation | ||
86 | + * (NPN) portion of the SSL handshake. Note that this may be the empty string | ||
87 | + * (in which case modules should probably assume HTTP), or it may be a protocol | ||
88 | + * that was never even advertised by the server. The hook callee is given the | ||
89 | + * connection, a non-null-terminated string containing the protocol name, and | ||
90 | + * the length of the string; it should do something appropriate (i.e. insert or | ||
91 | + * remove filters) and return OK, or do nothing and return DECLINED. */ | ||
92 | +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, | ||
93 | + (conn_rec *connection, const char *proto_name, | ||
94 | + apr_size_t proto_name_len)); | ||
95 | + | ||
96 | #endif /* __MOD_SSL_H__ */ | ||
97 | /** @} */ | ||
98 | diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c | ||
99 | --- a/modules/ssl/ssl_engine_init.c | ||
100 | +++ b/modules/ssl/ssl_engine_init.c | ||
101 | @@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, | ||
102 | SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); | ||
103 | |||
104 | SSL_CTX_set_info_callback(ctx, ssl_callback_Info); | ||
105 | + | ||
106 | +#ifdef HAVE_TLS_NPN | ||
107 | + SSL_CTX_set_next_protos_advertised_cb( | ||
108 | + ctx, ssl_callback_AdvertiseNextProtos, NULL); | ||
109 | +#endif | ||
110 | } | ||
111 | |||
112 | static void ssl_init_ctx_verify(server_rec *s, | ||
113 | diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c | ||
114 | --- a/modules/ssl/ssl_engine_io.c | ||
115 | +++ b/modules/ssl/ssl_engine_io.c | ||
116 | @@ -28,6 +28,7 @@ | ||
117 | core keeps dumping.'' | ||
118 | -- Unknown */ | ||
119 | #include "ssl_private.h" | ||
120 | +#include "mod_ssl.h" | ||
121 | #include "apr_date.h" | ||
122 | |||
123 | /* _________________________________________________________________ | ||
124 | @@ -297,6 +298,7 @@ typedef struct { | ||
125 | apr_pool_t *pool; | ||
126 | char buffer[AP_IOBUFSIZE]; | ||
127 | ssl_filter_ctx_t *filter_ctx; | ||
128 | + int npn_finished; /* 1 if NPN has finished, 0 otherwise */ | ||
129 | } bio_filter_in_ctx_t; | ||
130 | |||
131 | /* | ||
132 | @@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, | ||
133 | APR_BRIGADE_INSERT_TAIL(bb, bucket); | ||
134 | } | ||
135 | |||
136 | +#ifdef HAVE_TLS_NPN | ||
137 | + /* By this point, Next Protocol Negotiation (NPN) should be completed (if | ||
138 | + * our version of OpenSSL supports it). If we haven't already, find out | ||
139 | + * which protocol was decided upon and inform other modules by calling | ||
140 | + * npn_proto_negotiated_hook. */ | ||
141 | + if (!inctx->npn_finished) { | ||
142 | + const unsigned char *next_proto = NULL; | ||
143 | + unsigned next_proto_len = 0; | ||
144 | + | ||
145 | + SSL_get0_next_proto_negotiated( | ||
146 | + inctx->ssl, &next_proto, &next_proto_len); | ||
147 | + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, | ||
148 | + "SSL NPN negotiated protocol: '%s'", | ||
149 | + apr_pstrmemdup(f->c->pool, (const char*)next_proto, | ||
150 | + next_proto_len)); | ||
151 | + modssl_run_npn_proto_negotiated_hook( | ||
152 | + f->c, (const char*)next_proto, next_proto_len); | ||
153 | + inctx->npn_finished = 1; | ||
154 | + } | ||
155 | +#endif | ||
156 | + | ||
157 | return APR_SUCCESS; | ||
158 | } | ||
159 | |||
160 | @@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, | ||
161 | inctx->block = APR_BLOCK_READ; | ||
162 | inctx->pool = c->pool; | ||
163 | inctx->filter_ctx = filter_ctx; | ||
164 | + inctx->npn_finished = 0; | ||
165 | } | ||
166 | |||
167 | /* The request_rec pointer is passed in here only to ensure that the | ||
168 | diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c | ||
169 | --- a/modules/ssl/ssl_engine_kernel.c | ||
170 | +++ b/modules/ssl/ssl_engine_kernel.c | ||
171 | @@ -29,6 +29,7 @@ | ||
172 | time I was too famous.'' | ||
173 | -- Unknown */ | ||
174 | #include "ssl_private.h" | ||
175 | +#include "mod_ssl.h" | ||
176 | #include "util_md5.h" | ||
177 | |||
178 | static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); | ||
179 | @@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) | ||
180 | } | ||
181 | |||
182 | #endif /* HAVE_SRP */ | ||
183 | + | ||
184 | +#ifdef HAVE_TLS_NPN | ||
185 | +/* | ||
186 | + * This callback function is executed when SSL needs to decide what protocols | ||
187 | + * to advertise during Next Protocol Negotiation (NPN). It must produce a | ||
188 | + * string in wire format -- a sequence of length-prefixed strings -- indicating | ||
189 | + * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb | ||
190 | + * in OpenSSL for reference. | ||
191 | + */ | ||
192 | +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, | ||
193 | + unsigned int *size_out, void *arg) | ||
194 | +{ | ||
195 | + conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); | ||
196 | + apr_array_header_t *protos; | ||
197 | + int num_protos; | ||
198 | + unsigned int size; | ||
199 | + int i; | ||
200 | + unsigned char *data; | ||
201 | + unsigned char *start; | ||
202 | + | ||
203 | + *data_out = NULL; | ||
204 | + *size_out = 0; | ||
205 | + | ||
206 | + /* If the connection object is not available, then there's nothing for us | ||
207 | + * to do. */ | ||
208 | + if (c == NULL) { | ||
209 | + return SSL_TLSEXT_ERR_OK; | ||
210 | + } | ||
211 | + | ||
212 | + /* Invoke our npn_advertise_protos hook, giving other modules a chance to | ||
213 | + * add alternate protocol names to advertise. */ | ||
214 | + protos = apr_array_make(c->pool, 0, sizeof(char*)); | ||
215 | + modssl_run_npn_advertise_protos_hook(c, protos); | ||
216 | + num_protos = protos->nelts; | ||
217 | + | ||
218 | + /* We now have a list of null-terminated strings; we need to concatenate | ||
219 | + * them together into a single string, where each protocol name is prefixed | ||
220 | + * by its length. First, calculate how long that string will be. */ | ||
221 | + size = 0; | ||
222 | + for (i = 0; i < num_protos; ++i) { | ||
223 | + const char *string = APR_ARRAY_IDX(protos, i, const char*); | ||
224 | + unsigned int length = strlen(string); | ||
225 | + /* If the protocol name is too long (the length must fit in one byte), | ||
226 | + * then log an error and skip it. */ | ||
227 | + if (length > 255) { | ||
228 | + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, | ||
229 | + "SSL NPN protocol name too long (length=%u): %s", | ||
230 | + length, string); | ||
231 | + continue; | ||
232 | + } | ||
233 | + /* Leave room for the length prefix (one byte) plus the protocol name | ||
234 | + * itself. */ | ||
235 | + size += 1 + length; | ||
236 | + } | ||
237 | + | ||
238 | + /* If there is nothing to advertise (either because no modules added | ||
239 | + * anything to the protos array, or because all strings added to the array | ||
240 | + * were skipped), then we're done. */ | ||
241 | + if (size == 0) { | ||
242 | + return SSL_TLSEXT_ERR_OK; | ||
243 | + } | ||
244 | + | ||
245 | + /* Now we can build the string. Copy each protocol name string into the | ||
246 | + * larger string, prefixed by its length. */ | ||
247 | + data = apr_palloc(c->pool, size * sizeof(unsigned char)); | ||
248 | + start = data; | ||
249 | + for (i = 0; i < num_protos; ++i) { | ||
250 | + const char *string = APR_ARRAY_IDX(protos, i, const char*); | ||
251 | + apr_size_t length = strlen(string); | ||
252 | + *start = (unsigned char)length; | ||
253 | + ++start; | ||
254 | + memcpy(start, string, length * sizeof(unsigned char)); | ||
255 | + start += length; | ||
256 | + } | ||
257 | + | ||
258 | + /* Success. */ | ||
259 | + *data_out = data; | ||
260 | + *size_out = size; | ||
261 | + return SSL_TLSEXT_ERR_OK; | ||
262 | +} | ||
263 | +#endif /* HAVE_TLS_NPN */ | ||
264 | diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h | ||
265 | --- a/modules/ssl/ssl_private.h | ||
266 | +++ b/modules/ssl/ssl_private.h | ||
267 | @@ -123,6 +123,11 @@ | ||
268 | #define MODSSL_SSL_METHOD_CONST | ||
269 | #endif | ||
270 | |||
271 | +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ | ||
272 | + && !defined(OPENSSL_NO_TLSEXT) | ||
273 | +#define HAVE_TLS_NPN | ||
274 | +#endif | ||
275 | + | ||
276 | #if defined(OPENSSL_FIPS) | ||
277 | #define HAVE_FIPS | ||
278 | #endif | ||
279 | @@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); | ||
280 | int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, | ||
281 | EVP_CIPHER_CTX *, HMAC_CTX *, int); | ||
282 | #endif | ||
283 | +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); | ||
284 | |||
285 | /** Session Cache Support */ | ||
286 | void ssl_scache_init(server_rec *, apr_pool_t *); | ||
287 | -- | ||
288 | 1.8.1.2 | ||
289 | |||