1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-04 01:48:54 +00:00

- update to 2.2.31

- remove backports
- minor cleanups
- always rebuild configure script
- add patch for acinclude.m4 [1]

Changes with Apache 2.2.31 [2]

  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
     [Yann Ylavic, Gregg Smith]

Changes with Apache 2.2.30 (not released)

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

  *) http: Fix LimitRequestBody checks when there is no more bytes to read.
     [Michael Kaufmann <mail michael-kaufmann.ch>]

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
     [Kaspar Brand]

  *) http: Make ap_die() robust against any HTTP error code and not modify
     response status (finally logged) when nothing is to be done. PR 56035.
     [Yann Ylavic]

  *) core, modules: Avoid error response/document handling by the core if some
     handler or input filter already did it while reading the request (causing
     a double response body).  [Yann Ylavic]

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5. PR 53824.  [Jeff Trawick,
     Olli Hauer <ohauer gmx de>]

  *) mod_proxy: use the original (non absolute) form of the request-line's URI
     for requests embedded in CONNECT payloads used to connect SSL backends via
     a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
     gmail com>, William Rowe, Yann Ylavic]

  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
     internationalization.  [William Rowe]

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.  [Rainer Jung]

  *) mod_log_config: Ensure that time data is consistent if multiple
     duration patterns are used in combination, e.g. %D and %{ms}T.
     [Rainer Jung]

  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
     [Ben Reser, Rainer Jung]

  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
     default recommended SSLProtocol and SSLProxyProtocol directives now
     exclude SSLv3. Existing configurations must be adjusted by the
     administrator. [William Rowe]

  *) core: Avoid potential use of uninitialized (NULL) request data in
     request line error path. [Yann Ylavic]

  *) mod_proxy_http: Use the "Connection: close" header for requests to
     backends not recycling connections (disablereuse), including the default
     reverse and forward proxies.  [Yann Ylavic]

  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
     is reusable as of this point in processing.  [Jeff Trawick]

  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
     graceful restarts, even if new workers are added, old ones removed, or
     the order changes.  [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
     PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
     Yann Ylavic]

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration). [William Rowe]

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.  PR 46421.  [Jan Kaluza].

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. PR 52831 [Stefan Fritsch]

  *) dav_validate_request: avoid validating locks and ETags when there are
     no If headers providing them on a resource we aren't modifying.
     [Ben Reser]

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version). [Yann Ylavic]

  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
     computed for subsequent requests.  PR 56729.  [Eric Covener]

[1]	https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
[2]	http://www.apache.org/dist/httpd/CHANGES_2.2.31

With Head apache@

MFH:		2015Q3 ( in case no new issues are reported during the next 7 days )
This commit is contained in:
Olli Hauer 2015-08-02 19:39:09 +00:00
parent d16c728503
commit 77d2213764
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=393440
12 changed files with 167 additions and 1162 deletions

View File

@ -1,8 +1,8 @@
# $FreeBSD$
PORTNAME= apache22
PORTVERSION= 2.2.29
PORTREVISION?= 7
PORTVERSION= 2.2.31
PORTREVISION?= 0
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION}
@ -20,10 +20,10 @@ CONFLICTS_INSTALL= caudium14-1.* \
apache-*-2.4.* apache24-*-2.4.*
USE_APACHE= common22
USES= tar:bzip2 iconv perl5 libtool cpe autoreconf
USES= autoreconf cpe iconv libtool perl5 tar:bzip2
USE_PERL5= run
GNU_CONFIGURE= yes
USE_RC_SUBR= apache22 htcacheclean
GNU_CONFIGURE= yes
CPE_VENDOR= apache
CPE_PRODUCT= http_server
@ -33,6 +33,10 @@ PORTDOCS= *
USERS= www
GROUPS= www
# XXX: before running makepatch please run the command
# `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk
PATCH_PATH_SEPARATOR= __
# for slave ports
.if !defined(MASTERDIR)
APACHEDIR= ${.CURDIR}
@ -130,27 +134,30 @@ pre-everything::
post-extract:
# remove possible leftover .svn directories in the sources
@${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf
@${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r
# limit grep results ...
${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete
# make sure the configure script contains our patches,
# preserve the original script for comparsion
-${MV} ${WRKSRC}/configure ${WRKSRC}/configure.upstream
# make qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set
# use RMDIR in case upstream ever place some files into this dirs
# make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set
# use RMDIR in case upstream ever place some files into this directories
.for d in xsl/util xsl lang
-${RMDIR} ${WRKSRC}/docs/manual/style/${d}
.endfor
post-patch:
@${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c
# IPv4_mapping fix: https://issues.apache.org/bugzilla/show_bug.cgi?id=53824
@${REINPLACE_CMD} -e 's|freebsd5|freebsd|' \
-e 's|^perlbin=.*|perlbin=${PERL}|' \
${WRKSRC}/configure.in ${WRKSRC}/configure
@${RM} -f ${WRKSRC}/docs/docroot/*.bak
${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c
${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \
${WRKSRC}/include/httpd.h
${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \
${WRKSRC}/configure.in
${RM} ${WRKSRC}/docs/docroot/*.bak
${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual
# we use devel/apr and devel/pcre
@${RM} -rf ${WRKSRC}/srclib
@${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in
${RM} -r ${WRKSRC}/srclib
${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in
pre-configure::
@${ECHO_MSG} ""
@ -171,14 +178,8 @@ pre-configure::
post-configure:
@FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\
${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," ${WRKSRC}/docs/conf/extra/httpd-userdir.conf
@${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
@${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
pre-build:
.if ${PORT_OPTIONS:MSSL}
@${ECHO_MSG} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
(cd ${WRKSRC}/modules/ssl && ${SETENV} HOME=${WRKDIR} ${PERL} ssl_engine_dh.c)
.endif
${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
post-install:
@${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|}

View File

@ -1,2 +1,2 @@
SHA256 (apache22/httpd-2.2.29.tar.bz2) = 574b4f994b99178dfd5160bcb14025402e2ce381be9889b83e4be0ffbf5839a4
SIZE (apache22/httpd-2.2.29.tar.bz2) = 5625498
SHA256 (apache22/httpd-2.2.31.tar.bz2) = f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac
SIZE (apache22/httpd-2.2.31.tar.bz2) = 5610489

View File

@ -1,777 +0,0 @@
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 347df85..5e190cb 100644
--- modules/http/http_filters.c
+++ modules/http/http_filters.c
@@ -56,27 +56,31 @@
#include <unistd.h>
#endif
-#define INVALID_CHAR -2
-
-static long get_chunk_size(char *);
-
-typedef struct http_filter_ctx {
+typedef struct http_filter_ctx
+{
apr_off_t remaining;
apr_off_t limit;
apr_off_t limit_used;
- enum {
- BODY_NONE,
- BODY_LENGTH,
- BODY_CHUNK,
- BODY_CHUNK_PART
+ apr_int32_t chunk_used;
+ apr_int32_t chunkbits;
+ enum
+ {
+ BODY_NONE, /* streamed data */
+ BODY_LENGTH, /* data constrained by content length */
+ BODY_CHUNK, /* chunk expected */
+ BODY_CHUNK_PART, /* chunk digits */
+ BODY_CHUNK_EXT, /* chunk extension */
+ BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
+ BODY_CHUNK_DATA, /* data constrained by chunked encoding */
+ BODY_CHUNK_END, /* chunked data terminating CRLF */
+ BODY_CHUNK_END_LF, /* got CR, expect LF after data */
+ BODY_CHUNK_TRAILER /* trailers */
} state;
- int eos_sent;
- char chunk_ln[32];
- char *pos;
- apr_off_t linesize;
+ unsigned int eos_sent :1;
apr_bucket_brigade *bb;
} http_ctx_t;
+/* bail out if some error in the HTTP input filter happens */
static apr_status_t bail_out_on_error(http_ctx_t *ctx,
ap_filter_t *f,
int http_error)
@@ -109,119 +113,147 @@ static apr_status_t bail_out_on_error(http_ctx_t *ctx,
e = apr_bucket_eos_create(f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
ctx->eos_sent = 1;
+ /* If chunked encoding / content-length are corrupt, we may treat parts
+ * of this request's body as the next one's headers.
+ * To be safe, disable keep-alive.
+ */
+ f->r->connection->keepalive = AP_CONN_CLOSE;
return ap_pass_brigade(f->r->output_filters, bb);
}
-static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx,
- apr_bucket_brigade *b,
- int linelimit)
+/**
+ * Parse a chunk line with optional extension, detect overflow.
+ * There are two error cases:
+ * 1) If the conversion would require too many bits, APR_EGENERAL is returned.
+ * 2) If the conversion used the correct number of bits, but an overflow
+ * caused only the sign bit to flip, then APR_ENOSPC is returned.
+ * In general, any negative number can be considered an overflow error.
+ */
+static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
+ apr_size_t len, int linelimit)
{
- apr_status_t rv;
- apr_off_t brigade_length;
- apr_bucket *e;
- const char *lineend;
- apr_size_t len;
+ apr_size_t i = 0;
- /*
- * As the brigade b should have been requested in mode AP_MODE_GETLINE
- * all buckets in this brigade are already some type of memory
- * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE)
- * or META buckets.
- */
- rv = apr_brigade_length(b, 0, &brigade_length);
- if (rv != APR_SUCCESS) {
- return rv;
- }
- /* Sanity check. Should never happen. See above. */
- if (brigade_length == -1) {
- return APR_EGENERAL;
- }
- if (!brigade_length) {
- return APR_EAGAIN;
- }
- ctx->linesize += brigade_length;
- if (ctx->linesize > linelimit) {
- return APR_ENOSPC;
- }
- /*
- * As all buckets are already some type of memory buckets or META buckets
- * (see above), we only need to check the last byte in the last data bucket.
- */
- for (e = APR_BRIGADE_LAST(b);
- e != APR_BRIGADE_SENTINEL(b);
- e = APR_BUCKET_PREV(e)) {
+ while (i < len) {
+ char c = buffer[i];
- if (APR_BUCKET_IS_METADATA(e)) {
+ ap_xlate_proto_from_ascii(&c, 1);
+
+ /* handle CRLF after the chunk */
+ if (ctx->state == BODY_CHUNK_END
+ || ctx->state == BODY_CHUNK_END_LF) {
+ if (c == LF) {
+ ctx->state = BODY_CHUNK;
+ }
+ else if (c == CR && ctx->state == BODY_CHUNK_END) {
+ ctx->state = BODY_CHUNK_END_LF;
+ }
+ else {
+ /*
+ * LF expected.
+ */
+ return APR_EINVAL;
+ }
+ i++;
continue;
}
- rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ);
- if (rv != APR_SUCCESS) {
- return rv;
+
+ /* handle start of the chunk */
+ if (ctx->state == BODY_CHUNK) {
+ if (!apr_isxdigit(c)) {
+ /*
+ * Detect invalid character at beginning. This also works for
+ * empty chunk size lines.
+ */
+ return APR_EINVAL;
+ }
+ else {
+ ctx->state = BODY_CHUNK_PART;
+ }
+ ctx->remaining = 0;
+ ctx->chunkbits = sizeof(apr_off_t) * 8;
+ ctx->chunk_used = 0;
+ }
+
+ if (c == LF) {
+ if (ctx->remaining) {
+ ctx->state = BODY_CHUNK_DATA;
+ }
+ else {
+ ctx->state = BODY_CHUNK_TRAILER;
+ }
}
- if (len > 0) {
- break; /* we got the data we want */
+ else if (ctx->state == BODY_CHUNK_LF) {
+ /*
+ * LF expected.
+ */
+ return APR_EINVAL;
}
- /* If we got a zero-length data bucket, we try the next one */
- }
- /* We had no data in this brigade */
- if (!len || e == APR_BRIGADE_SENTINEL(b)) {
- return APR_EAGAIN;
- }
- if (lineend[len - 1] != APR_ASCII_LF) {
- return APR_EAGAIN;
- }
- /* Line is complete. So reset ctx->linesize for next round. */
- ctx->linesize = 0;
- return APR_SUCCESS;
-}
+ else if (c == CR) {
+ ctx->state = BODY_CHUNK_LF;
+ }
+ else if (c == ';') {
+ ctx->state = BODY_CHUNK_EXT;
+ }
+ else if (ctx->state == BODY_CHUNK_EXT) {
+ /*
+ * Control chars (but tabs) are invalid.
+ */
+ if (c != '\t' && apr_iscntrl(c)) {
+ return APR_EINVAL;
+ }
+ }
+ else if (ctx->state == BODY_CHUNK_PART) {
+ int xvalue;
-static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b,
- int linelimit)
-{
- apr_size_t len;
- int tmp_len;
- apr_status_t rv;
+ /* ignore leading zeros */
+ if (!ctx->remaining && c == '0') {
+ i++;
+ continue;
+ }
- tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1;
- /* Saveguard ourselves against underflows */
- if (tmp_len < 0) {
- len = 0;
- }
- else {
- len = (apr_size_t) tmp_len;
- }
- /*
- * Check if there is space left in ctx->chunk_ln. If not, then either
- * the chunk size is insane or we have chunk-extensions. Ignore both
- * by discarding the remaining part of the line via
- * get_remaining_chunk_line. Only bail out if the line is too long.
- */
- if (len > 0) {
- rv = apr_brigade_flatten(b, ctx->pos, &len);
- if (rv != APR_SUCCESS) {
- return rv;
+ ctx->chunkbits -= 4;
+ if (ctx->chunkbits < 0) {
+ /* overflow */
+ return APR_ENOSPC;
+ }
+
+ if (c >= '0' && c <= '9') {
+ xvalue = c - '0';
+ }
+ else if (c >= 'A' && c <= 'F') {
+ xvalue = c - 'A' + 0xa;
+ }
+ else if (c >= 'a' && c <= 'f') {
+ xvalue = c - 'a' + 0xa;
+ }
+ else {
+ /* bogus character */
+ return APR_EINVAL;
+ }
+
+ ctx->remaining = (ctx->remaining << 4) | xvalue;
+ if (ctx->remaining < 0) {
+ /* overflow */
+ return APR_ENOSPC;
+ }
}
- ctx->pos += len;
- ctx->linesize += len;
- *(ctx->pos) = '\0';
- /*
- * Check if we really got a full line. If yes the
- * last char in the just read buffer must be LF.
- * If not advance the buffer and return APR_EAGAIN.
- * We do not start processing until we have the
- * full line.
- */
- if (ctx->pos[-1] != APR_ASCII_LF) {
- /* Check if the remaining data in the brigade has the LF */
- return get_remaining_chunk_line(ctx, b, linelimit);
+ else {
+ /* Should not happen */
+ return APR_EGENERAL;
}
- /* Line is complete. So reset ctx->pos for next round. */
- ctx->pos = ctx->chunk_ln;
- return APR_SUCCESS;
+
+ i++;
}
- return get_remaining_chunk_line(ctx, b, linelimit);
-}
+ /* sanity check */
+ ctx->chunk_used += len;
+ if (ctx->chunk_used < 0 || ctx->chunk_used > linelimit) {
+ return APR_ENOSPC;
+ }
+
+ return APR_SUCCESS;
+}
static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f,
apr_bucket_brigade *b, int merge)
@@ -235,7 +267,6 @@ static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f,
r->status = HTTP_OK;
r->headers_in = r->trailers_in;
apr_table_clear(r->headers_in);
- ctx->state = BODY_NONE;
ap_get_mime_headers(r);
if(r->status == HTTP_OK) {
@@ -282,6 +313,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
apr_off_t totalread;
int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
apr_bucket_brigade *bb;
+ int again;
conf = (core_server_config *)
ap_get_module_config(f->r->server->module_config, &core_module);
@@ -295,7 +327,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
const char *tenc, *lenp;
f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx));
ctx->state = BODY_NONE;
- ctx->pos = ctx->chunk_ln;
ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
bb = ctx->bb;
@@ -337,7 +368,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
*/
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r,
"Unknown Transfer-Encoding: %s", tenc);
- return bail_out_on_error(ctx, f, HTTP_NOT_IMPLEMENTED);
+ return bail_out_on_error(ctx, f, HTTP_BAD_REQUEST);
}
lenp = NULL;
}
@@ -357,7 +388,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
"Invalid Content-Length");
- return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE);
+ return bail_out_on_error(ctx, f, HTTP_BAD_REQUEST);
}
/* If we have a limit in effect and we know the C-L ahead of
@@ -399,7 +430,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
if (!ap_is_HTTP_SUCCESS(f->r->status)) {
ctx->state = BODY_NONE;
ctx->eos_sent = 1;
- } else {
+ }
+ else {
char *tmp;
int len;
@@ -424,285 +456,194 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
}
}
}
+ }
- /* We can't read the chunk until after sending 100 if required. */
- if (ctx->state == BODY_CHUNK) {
- apr_brigade_cleanup(bb);
+ /* sanity check in case we're read twice */
+ if (ctx->eos_sent) {
+ e = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(b, e);
+ return APR_SUCCESS;
+ }
+
+ do {
+ apr_brigade_cleanup(b);
+ again = 0; /* until further notice */
+
+ /* read and handle the brigade */
+ switch (ctx->state) {
+ case BODY_CHUNK:
+ case BODY_CHUNK_PART:
+ case BODY_CHUNK_EXT:
+ case BODY_CHUNK_LF:
+ case BODY_CHUNK_END:
+ case BODY_CHUNK_END_LF: {
- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
- block, 0);
+ rv = ap_get_brigade(f->next, b, AP_MODE_GETLINE, block, 0);
/* for timeout */
- if (block == APR_NONBLOCK_READ &&
- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||
- (APR_STATUS_IS_EAGAIN(rv)) )) {
- ctx->state = BODY_CHUNK_PART;
+ if (block == APR_NONBLOCK_READ
+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b))
+ || (APR_STATUS_IS_EAGAIN(rv)))) {
return APR_EAGAIN;
}
- if (rv == APR_SUCCESS) {
- rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line);
- if (APR_STATUS_IS_EAGAIN(rv)) {
- apr_brigade_cleanup(bb);
- ctx->state = BODY_CHUNK_PART;
- return rv;
- }
- if (rv == APR_SUCCESS) {
- ctx->remaining = get_chunk_size(ctx->chunk_ln);
- if (ctx->remaining == INVALID_CHAR) {
- rv = APR_EGENERAL;
- http_error = HTTP_SERVICE_UNAVAILABLE;
- }
- }
- }
- apr_brigade_cleanup(bb);
-
- /* Detect chunksize error (such as overflow) */
- if (rv != APR_SUCCESS || ctx->remaining < 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading first chunk %s ",
- (ctx->remaining < 0) ? "(overflow)" : "");
- if (APR_STATUS_IS_TIMEUP(rv) || ctx->remaining > 0) {
- http_error = HTTP_REQUEST_TIME_OUT;
- }
- ctx->remaining = 0; /* Reset it in case we have to
- * come back here later */
- return bail_out_on_error(ctx, f, http_error);
+ if (rv == APR_EOF) {
+ return APR_INCOMPLETE;
}
- if (!ctx->remaining) {
- return read_chunked_trailers(ctx, f, b,
- conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
+ if (rv != APR_SUCCESS) {
+ return rv;
}
- }
- }
- else {
- bb = ctx->bb;
- }
- if (ctx->eos_sent) {
- e = apr_bucket_eos_create(f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(b, e);
- return APR_SUCCESS;
- }
+ e = APR_BRIGADE_FIRST(b);
+ while (e != APR_BRIGADE_SENTINEL(b)) {
+ const char *buffer;
+ apr_size_t len;
- if (!ctx->remaining) {
- switch (ctx->state) {
- case BODY_NONE:
- break;
- case BODY_LENGTH:
- e = apr_bucket_eos_create(f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(b, e);
- ctx->eos_sent = 1;
- return APR_SUCCESS;
- case BODY_CHUNK:
- case BODY_CHUNK_PART:
- {
- apr_brigade_cleanup(bb);
+ if (!APR_BUCKET_IS_METADATA(e)) {
+ int parsing = 0;
- /* We need to read the CRLF after the chunk. */
- if (ctx->state == BODY_CHUNK) {
- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
- block, 0);
- if (block == APR_NONBLOCK_READ &&
- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||
- (APR_STATUS_IS_EAGAIN(rv)) )) {
- return APR_EAGAIN;
- }
- /* If we get an error, then leave */
- if (rv == APR_EOF) {
- return APR_INCOMPLETE;
- }
- if (rv != APR_SUCCESS) {
- return rv;
- }
- /*
- * We really don't care whats on this line. If it is RFC
- * compliant it should be only \r\n. If there is more
- * before we just ignore it as long as we do not get over
- * the limit for request lines.
- */
- rv = get_remaining_chunk_line(ctx, bb,
- f->r->server->limit_req_line);
- apr_brigade_cleanup(bb);
- if (APR_STATUS_IS_EAGAIN(rv)) {
- return rv;
- }
- } else {
- rv = APR_SUCCESS;
- }
+ rv = apr_bucket_read(e, &buffer, &len, APR_BLOCK_READ);
- if (rv == APR_SUCCESS) {
- /* Read the real chunk line. */
- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
- block, 0);
- /* Test timeout */
- if (block == APR_NONBLOCK_READ &&
- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||
- (APR_STATUS_IS_EAGAIN(rv)) )) {
- ctx->state = BODY_CHUNK_PART;
- return APR_EAGAIN;
- }
- ctx->state = BODY_CHUNK;
if (rv == APR_SUCCESS) {
- rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line);
- if (APR_STATUS_IS_EAGAIN(rv)) {
- ctx->state = BODY_CHUNK_PART;
- apr_brigade_cleanup(bb);
- return rv;
- }
- if (rv == APR_SUCCESS) {
- ctx->remaining = get_chunk_size(ctx->chunk_ln);
- if (ctx->remaining == INVALID_CHAR) {
- rv = APR_EGENERAL;
- http_error = HTTP_SERVICE_UNAVAILABLE;
+ parsing = 1;
+ rv = parse_chunk_size(ctx, buffer, len,
+ f->r->server->limit_req_fieldsize);
+ }
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r,
+ "Error reading/parsing chunk %s ",
+ (APR_ENOSPC == rv) ? "(overflow)" : "");
+ if (parsing) {
+ if (rv != APR_ENOSPC) {
+ http_error = HTTP_BAD_REQUEST;
}
+ return bail_out_on_error(ctx, f, http_error);
}
+ return rv;
}
- apr_brigade_cleanup(bb);
}
- /* Detect chunksize error (such as overflow) */
- if (rv != APR_SUCCESS || ctx->remaining < 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading chunk %s ",
- (ctx->remaining < 0) ? "(overflow)" : "");
- if (APR_STATUS_IS_TIMEUP(rv) || ctx->remaining > 0) {
- http_error = HTTP_REQUEST_TIME_OUT;
- }
- ctx->remaining = 0; /* Reset it in case we have to
- * come back here later */
- return bail_out_on_error(ctx, f, http_error);
- }
+ apr_bucket_delete(e);
+ e = APR_BRIGADE_FIRST(b);
+ }
+ again = 1; /* come around again */
- if (!ctx->remaining) {
- return read_chunked_trailers(ctx, f, b,
+ if (ctx->state == BODY_CHUNK_TRAILER) {
+ /* Treat UNSET as DISABLE - trailers aren't merged by default */
+ return read_chunked_trailers(ctx, f, b,
conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
- }
}
+
break;
}
- }
+ case BODY_NONE:
+ case BODY_LENGTH:
+ case BODY_CHUNK_DATA: {
- /* Ensure that the caller can not go over our boundary point. */
- if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) {
- if (ctx->remaining < readbytes) {
- readbytes = ctx->remaining;
- }
- AP_DEBUG_ASSERT(readbytes > 0);
- }
+ /* Ensure that the caller can not go over our boundary point. */
+ if (ctx->state != BODY_NONE && ctx->remaining < readbytes) {
+ readbytes = ctx->remaining;
+ }
+ if (readbytes > 0) {
- rv = ap_get_brigade(f->next, b, mode, block, readbytes);
+ rv = ap_get_brigade(f->next, b, mode, block, readbytes);
- if (rv == APR_EOF && ctx->state != BODY_NONE &&
- ctx->remaining > 0) {
- return APR_INCOMPLETE;
- }
- if (rv != APR_SUCCESS) {
- return rv;
- }
+ /* for timeout */
+ if (block == APR_NONBLOCK_READ
+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b))
+ || (APR_STATUS_IS_EAGAIN(rv)))) {
+ return APR_EAGAIN;
+ }
- /* How many bytes did we just read? */
- apr_brigade_length(b, 0, &totalread);
+ if (rv == APR_EOF && ctx->state != BODY_NONE
+ && ctx->remaining > 0) {
+ return APR_INCOMPLETE;
+ }
- /* If this happens, we have a bucket of unknown length. Die because
- * it means our assumptions have changed. */
- AP_DEBUG_ASSERT(totalread >= 0);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
- if (ctx->state != BODY_NONE) {
- ctx->remaining -= totalread;
- if (ctx->remaining > 0) {
- e = APR_BRIGADE_LAST(b);
- if (APR_BUCKET_IS_EOS(e)) {
- apr_bucket_delete(e);
- return APR_INCOMPLETE;
- }
- }
- }
+ /* How many bytes did we just read? */
+ apr_brigade_length(b, 0, &totalread);
- /* If we have no more bytes remaining on a C-L request,
- * save the callter a roundtrip to discover EOS.
- */
- if (ctx->state == BODY_LENGTH && ctx->remaining == 0) {
- e = apr_bucket_eos_create(f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(b, e);
- }
+ /* If this happens, we have a bucket of unknown length. Die because
+ * it means our assumptions have changed. */
+ AP_DEBUG_ASSERT(totalread >= 0);
- /* We have a limit in effect. */
- if (ctx->limit) {
- /* FIXME: Note that we might get slightly confused on chunked inputs
- * as we'd need to compensate for the chunk lengths which may not
- * really count. This seems to be up for interpretation. */
- ctx->limit_used += totalread;
- if (ctx->limit < ctx->limit_used) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
- "Read content-length of %" APR_OFF_T_FMT
- " is larger than the configured limit"
- " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit);
- apr_brigade_cleanup(bb);
- e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
- f->r->pool,
- f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, e);
- e = apr_bucket_eos_create(f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, e);
- ctx->eos_sent = 1;
- return ap_pass_brigade(f->r->output_filters, bb);
- }
- }
+ if (ctx->state != BODY_NONE) {
+ ctx->remaining -= totalread;
+ if (ctx->remaining > 0) {
+ e = APR_BRIGADE_LAST(b);
+ if (APR_BUCKET_IS_EOS(e)) {
+ apr_bucket_delete(e);
+ return APR_INCOMPLETE;
+ }
+ }
+ else if (ctx->state == BODY_CHUNK_DATA) {
+ /* next chunk please */
+ ctx->state = BODY_CHUNK_END;
+ ctx->chunk_used = 0;
+ }
+ }
- return APR_SUCCESS;
-}
+ }
-/**
- * Parse a chunk extension, detect overflow.
- * There are two error cases:
- * 1) If the conversion would require too many bits, a -1 is returned.
- * 2) If the conversion used the correct number of bits, but an overflow
- * caused only the sign bit to flip, then that negative number is
- * returned.
- * In general, any negative number can be considered an overflow error.
- */
-static long get_chunk_size(char *b)
-{
- long chunksize = 0;
- size_t chunkbits = sizeof(long) * 8;
+ /* If we have no more bytes remaining on a C-L request,
+ * save the caller a round trip to discover EOS.
+ */
+ if (ctx->state == BODY_LENGTH && ctx->remaining == 0) {
+ e = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(b, e);
+ ctx->eos_sent = 1;
+ }
- ap_xlate_proto_from_ascii(b, strlen(b));
+ /* We have a limit in effect. */
+ if (ctx->limit) {
+ /* FIXME: Note that we might get slightly confused on chunked inputs
+ * as we'd need to compensate for the chunk lengths which may not
+ * really count. This seems to be up for interpretation. */
+ ctx->limit_used += totalread;
+ if (ctx->limit < ctx->limit_used) {
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r,
+ "Read content-length of %" APR_OFF_T_FMT
+ " is larger than the configured limit"
+ " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit);
+ return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE);
+ }
+ }
- if (!apr_isxdigit(*b)) {
- /*
- * Detect invalid character at beginning. This also works for empty
- * chunk size lines.
- */
- return INVALID_CHAR;
- }
- /* Skip leading zeros */
- while (*b == '0') {
- ++b;
- }
+ break;
+ }
+ case BODY_CHUNK_TRAILER: {
+
+ rv = ap_get_brigade(f->next, b, mode, block, readbytes);
- while (apr_isxdigit(*b) && (chunkbits > 0)) {
- int xvalue = 0;
+ /* for timeout */
+ if (block == APR_NONBLOCK_READ
+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b))
+ || (APR_STATUS_IS_EAGAIN(rv)))) {
+ return APR_EAGAIN;
+ }
+
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
- if (*b >= '0' && *b <= '9') {
- xvalue = *b - '0';
+ break;
}
- else if (*b >= 'A' && *b <= 'F') {
- xvalue = *b - 'A' + 0xa;
+ default: {
+ /* Should not happen */
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r,
+ "Unexpected body state (%i)", (int)ctx->state);
+ return APR_EGENERAL;
}
- else if (*b >= 'a' && *b <= 'f') {
- xvalue = *b - 'a' + 0xa;
}
- chunksize = (chunksize << 4) | xvalue;
- chunkbits -= 4;
- ++b;
- }
- if (apr_isxdigit(*b) && (chunkbits <= 0)) {
- /* overflow */
- return -1;
- }
+ } while (again);
- return chunksize;
+ return APR_SUCCESS;
}
typedef struct header_struct {

View File

@ -1,12 +1,140 @@
--- acinclude.m4.orig 2012-07-06 15:23:21 UTC
https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
==============================================================
--- acinclude.m4.orig 2015-07-11 23:38:52 UTC
+++ acinclude.m4
@@ -455,6 +455,9 @@ if test "x$ap_ssltk_configured" = "x"; t
AC_CHECK_HEADERS([openssl/engine.h])
AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
+ dnl PR 196256, https://issues.apache.org/bugzilla/show_bug.cgi?id=57395
+ AC_CHECK_FUNCS([SSL_CTX_use_certificate_chain])
+ AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_SSL_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
@@ -4,25 +4,25 @@ dnl Autoconf 2.50 can not handle substr
dnl AC_HELP_STRING, so let's try to call it if we can.
dnl Note: this define must be on one line so that it can be properly returned
dnl as the help string.
-AC_DEFUN(APACHE_HELP_STRING,[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl
+AC_DEFUN([APACHE_HELP_STRING],[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl
dnl APACHE_SUBST(VARIABLE)
dnl Makes VARIABLE available in generated files
dnl (do not use @variable@ in Makefiles, but $(variable))
-AC_DEFUN(APACHE_SUBST,[
+AC_DEFUN([APACHE_SUBST],[
APACHE_VAR_SUBST="$APACHE_VAR_SUBST $1"
AC_SUBST($1)
])
dnl APACHE_FAST_OUTPUT(FILENAME)
dnl Perform substitutions on FILENAME (Makefiles only)
-AC_DEFUN(APACHE_FAST_OUTPUT,[
+AC_DEFUN([APACHE_FAST_OUTPUT],[
APACHE_FAST_OUTPUT_FILES="$APACHE_FAST_OUTPUT_FILES $1"
])
dnl APACHE_GEN_CONFIG_VARS
dnl Creates config_vars.mk
-AC_DEFUN(APACHE_GEN_CONFIG_VARS,[
+AC_DEFUN([APACHE_GEN_CONFIG_VARS],[
APACHE_SUBST(abs_srcdir)
APACHE_SUBST(bindir)
APACHE_SUBST(sbindir)
@@ -111,14 +111,14 @@ AC_DEFUN(APACHE_GEN_CONFIG_VARS,[
dnl APACHE_GEN_MAKEFILES
dnl Creates Makefiles
-AC_DEFUN(APACHE_GEN_MAKEFILES,[
+AC_DEFUN([APACHE_GEN_MAKEFILES],[
$SHELL $srcdir/build/fastgen.sh $srcdir $ac_cv_mkdir_p $BSD_MAKEFILE $APACHE_FAST_OUTPUT_FILES
])
dnl ## APACHE_OUTPUT(file)
dnl ## adds "file" to the list of files generated by AC_OUTPUT
dnl ## This macro can be used several times.
-AC_DEFUN(APACHE_OUTPUT, [
+AC_DEFUN([APACHE_OUTPUT], [
APACHE_OUTPUT_FILES="$APACHE_OUTPUT_FILES $1"
])
@@ -127,7 +127,7 @@ dnl APACHE_TYPE_RLIM_T
dnl
dnl If rlim_t is not defined, define it to int
dnl
-AC_DEFUN(APACHE_TYPE_RLIM_T, [
+AC_DEFUN([APACHE_TYPE_RLIM_T], [
AC_CACHE_CHECK([for rlim_t], ac_cv_type_rlim_t, [
AC_TRY_COMPILE([
#include <sys/types.h>
@@ -145,7 +145,7 @@ AC_DEFUN(APACHE_TYPE_RLIM_T, [
])
dnl APACHE_MODPATH_INIT(modpath)
-AC_DEFUN(APACHE_MODPATH_INIT,[
+AC_DEFUN([APACHE_MODPATH_INIT],[
current_dir=$1
modpath_current=modules/$1
modpath_static=
@@ -154,7 +154,7 @@ AC_DEFUN(APACHE_MODPATH_INIT,[
> $modpath_current/modules.mk
])dnl
dnl
-AC_DEFUN(APACHE_MODPATH_FINISH,[
+AC_DEFUN([APACHE_MODPATH_FINISH],[
echo "DISTCLEAN_TARGETS = modules.mk" >> $modpath_current/modules.mk
echo "static = $modpath_static" >> $modpath_current/modules.mk
echo "shared = $modpath_shared" >> $modpath_current/modules.mk
@@ -167,7 +167,7 @@ AC_DEFUN(APACHE_MODPATH_FINISH,[
])dnl
dnl
dnl APACHE_MODPATH_ADD(name[, shared[, objects [, ldflags[, libs]]]])
-AC_DEFUN(APACHE_MODPATH_ADD,[
+AC_DEFUN([APACHE_MODPATH_ADD],[
if test -z "$3"; then
objects="mod_$1.lo"
else
AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS(SSL_set_state)
@@ -211,7 +211,7 @@ dnl basically: yes/no is a hard setting.
dnl setting. otherwise, fall under the "all" setting.
dnl explicit yes/no always overrides.
dnl
-AC_DEFUN(APACHE_MODULE,[
+AC_DEFUN([APACHE_MODULE],[
AC_MSG_CHECKING(whether to enable mod_$1)
define([optname],[--]ifelse($5,yes,disable,enable)[-]translit($1,_,-))dnl
AC_ARG_ENABLE(translit($1,_,-),APACHE_HELP_STRING(optname(),$2),,enable_$1=ifelse($5,,maybe-all,$5))
@@ -284,7 +284,7 @@ AC_DEFUN(APACHE_MODULE,[
dnl
dnl APACHE_ENABLE_MODULES
dnl
-AC_DEFUN(APACHE_ENABLE_MODULES,[
+AC_DEFUN([APACHE_ENABLE_MODULES],[
module_selection=default
module_default=yes
@@ -314,7 +314,7 @@ AC_DEFUN(APACHE_ENABLE_MODULES,[
])
])
-AC_DEFUN(APACHE_REQUIRE_CXX,[
+AC_DEFUN([APACHE_REQUIRE_CXX],[
if test -z "$apache_cxx_done"; then
AC_PROG_CXX
AC_PROG_CXXCPP
@@ -328,7 +328,7 @@ dnl
dnl Configure for the detected openssl/ssl-c toolkit installation, giving
dnl preference to "--with-ssl=<path>" if it was specified.
dnl
-AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
+AC_DEFUN([APACHE_CHECK_SSL_TOOLKIT],[
if test "x$ap_ssltk_configured" = "x"; then
dnl initialise the variables we use
ap_ssltk_base=""
@@ -486,14 +486,14 @@ dnl Export (via APACHE_SUBST) the variou
dnl apache will use while generating scripts like autoconf and apxs and
dnl the default config file.
-AC_DEFUN(APACHE_SUBST_EXPANDED_ARG,[
+AC_DEFUN([APACHE_SUBST_EXPANDED_ARG],[
APR_EXPAND_VAR(exp_$1, [$]$1)
APACHE_SUBST(exp_$1)
APR_PATH_RELATIVE(rel_$1, [$]exp_$1, ${prefix})
APACHE_SUBST(rel_$1)
])
-AC_DEFUN(APACHE_EXPORT_ARGUMENTS,[
+AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[
APACHE_SUBST_EXPANDED_ARG(exec_prefix)
APACHE_SUBST_EXPANDED_ARG(bindir)
APACHE_SUBST_EXPANDED_ARG(sbindir)

View File

@ -1,62 +0,0 @@
--- configure.orig 2014-08-22 19:54:19.000000000 +0200
+++ configure 2015-02-28 10:22:46.822052140 +0100
@@ -13853,6 +13922,59 @@
fi
done
+ for ac_func in SSL_CTX_use_certificate_chain
+do :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_use_certificate_chain" "ac_cv_func_SSL_CTX_use_certificate_chain"
+if test "x$ac_cv_func_SSL_CTX_use_certificate_chain" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN 1
+_ACEOF
+
+fi
+done
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for RAND_egd in -lcrypto" >&5
+$as_echo_n "checking for RAND_egd in -lcrypto... " >&6; }
+if ${ac_cv_lib_crypto_RAND_egd+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypto $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char RAND_egd ();
+int
+main ()
+{
+return RAND_egd ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_crypto_RAND_egd=yes
+else
+ ac_cv_lib_crypto_RAND_egd=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_RAND_egd" >&5
+$as_echo "$ac_cv_lib_crypto_RAND_egd" >&6; }
+if test "x$ac_cv_lib_crypto_RAND_egd" = xyes; then :
+
+$as_echo "#define HAVE_SSL_RAND_EGD 1" >>confdefs.h
+
+fi
+
else
for ac_func in SSLC_library_version SSL_CTX_new
do :

View File

@ -37,18 +37,6 @@
[--enable-layout=*|\'--enable-layout=*])
dnl We must be the last to build and the first to be cleaned
AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"
@@ -480,7 +490,10 @@ AC_ARG_ENABLE(v4-mapped,APACHE_HELP_STRI
],
[
case $host in
- *freebsd5*|*netbsd*|*openbsd*)
+ *freebsd[[1234]].*)
+ v4mapped=yes
+ ;;
+ *freebsd*|*netbsd*|*openbsd*)
v4mapped=no
;;
*mingw*)
@@ -678,8 +691,14 @@ AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_pre
[Root directory of the Apache install area])
AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",

View File

@ -1,50 +1,6 @@
--- docs/conf/extra/httpd-ssl.conf.in.orig 2013-11-11 14:00:57 UTC
--- docs/conf/extra/httpd-ssl.conf.in.orig 2015-05-27 18:59:59 UTC
+++ docs/conf/extra/httpd-ssl.conf.in
@@ -49,6 +49,43 @@ Listen @@SSLPort@@
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate,
+# and that httpd will negotiate as the client of a proxied server.
+# See the OpenSSL documentation for a complete list of ciphers, and
+# ensure these follow appropriate best practices for this deployment.
+# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
+# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
+
+# By the end of 2016, only TLSv1.2 ciphers should remain in use.
+# Older ciphers should be disallowed as soon as possible, while the
+# kRSA ciphers do not offer forward secrecy. These changes inhibit
+# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
+# non-browser tooling) from successfully connecting.
+#
+# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
+# those protocols which do not support forward secrecy, replace
+# the SSLCipherSuite and SSLProxyCipherSuite directives above with
+# the following two directives, as soon as practical.
+# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Protocol support:
+# List the protocol versions which clients are allowed to connect with.
+# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
+# should be disabled as quickly as practical. By the end of 2016, only
+# the TLSv1.2 protocol or later should remain in use.
+SSLProtocol all -SSLv2 -SSLv3
+SSLProxyProtocol all -SSLv2 -SSLv3
+
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
@@ -77,36 +114,13 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
@@ -114,8 +114,8 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
@ -55,35 +11,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
-# SSL Protocol support:
-# List the protocol versions which clients are allowed to
-# connect with. Disable SSLv2 by default (cf. RFC 6176).
-SSLProtocol all -SSLv2
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
-# Speed-optimized SSL Cipher configuration:
-# If speed is your main concern (on busy HTTPS servers e.g.),
-# you might want to force clients to specific, performance
-# optimized ciphers. In this case, prepend those ciphers
-# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-# (as in the example below), most connections will no longer
-# have perfect forward secrecy - if the server's key is
-# compromised, captures of past or future traffic must be
-# considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
-
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
@@ -249,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
@@ -263,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.

View File

@ -1,20 +0,0 @@
--- modules/ssl/ssl_engine_rand.c.orig 2006-07-12 03:38:44 UTC
+++ modules/ssl/ssl_engine_rand.c
@@ -83,17 +83,6 @@ int ssl_rand_seed(server_rec *s, apr_poo
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
ssl_util_ppclose(s, p, fp);
}
-#ifdef HAVE_SSL_RAND_EGD
- else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
- /*
- * seed in contents provided by the external
- * Entropy Gathering Daemon (EGD)
- */
- if ((n = RAND_egd(pRandSeed->cpPath)) == -1)
- continue;
- nDone += n;
- }
-#endif
else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
struct {
time_t t;

View File

@ -1,11 +0,0 @@
--- modules/ssl/ssl_engine_vars.c.orig 2013-02-12 11:51:17 UTC
+++ modules/ssl/ssl_engine_vars.c
@@ -832,7 +832,7 @@ static char *ssl_var_lookup_ssl_compress
{
char *result = "NULL";
#ifdef OPENSSL_VERSION_NUMBER
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {

View File

@ -1,14 +0,0 @@
--- modules/ssl/ssl_util_ssl.c.orig 2012-08-17 17:30:46 UTC
+++ modules/ssl/ssl_util_ssl.c
@@ -492,7 +492,11 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
* format, possibly followed by a sequence of CA certificates that
* should be sent to the peer in the SSL Certificate message.
*/
+#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN
int SSL_CTX_use_certificate_chain(
+#else
+int _SSL_CTX_use_certificate_chain(
+#endif
SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
{
BIO *bio;

View File

@ -1,14 +0,0 @@
--- modules/ssl/ssl_util_ssl.h.orig 2012-08-17 17:30:46 UTC
+++ modules/ssl/ssl_util_ssl.h
@@ -89,7 +89,11 @@ char *SSL_X509_NAME_to_string(apr_
BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
+#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+#else
+int _SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+#endif
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
/** util functions for OpenSSL+sslc compat */

View File

@ -1,142 +0,0 @@
--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
+++ modules/ssl/ssl_engine_dh.c
@@ -33,7 +33,7 @@
/* ----BEGIN GENERATED SECTION-------- */
/*
-** Diffie-Hellman-Parameters: (512 bit)
+** Diffie-Hellman-Parameters: (2048 bit)
** prime:
** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba:
** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1:
@@ -41,7 +41,7 @@
** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70:
** e6:aa:87:10:33
** generator: 2 (0x2)
-** Diffie-Hellman-Parameters: (1024 bit)
+** Diffie-Hellman-Parameters: (3072 bit)
** prime:
** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd:
** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98:
@@ -55,7 +55,7 @@
** generator: 2 (0x2)
*/
-static unsigned char dh512_p[] = {
+static unsigned char dh2048_p[] = {
0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37,
0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18,
0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8,
@@ -63,17 +63,17 @@ static unsigned char dh512_p[] = {
0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6,
0xAA, 0x87, 0x10, 0x33,
};
-static unsigned char dh512_g[] = {
+static unsigned char dh2048_g[] = {
0x02,
};
-static DH *get_dh512(void)
+static DH *get_dh2048(void)
{
- return modssl_dh_configure(dh512_p, sizeof(dh512_p),
- dh512_g, sizeof(dh512_g));
+ return modssl_dh_configure(dh2048_p, sizeof(dh2048_p),
+ dh2048_g, sizeof(dh2048_g));
}
-static unsigned char dh1024_p[] = {
+static unsigned char dh3072_p[] = {
0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3,
0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B,
0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E,
@@ -86,14 +86,14 @@ static unsigned char dh1024_p[] = {
0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0,
0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3,
};
-static unsigned char dh1024_g[] = {
+static unsigned char dh3072_g[] = {
0x02,
};
-static DH *get_dh1024(void)
+static DH *get_dh3072(void)
{
- return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
- dh1024_g, sizeof(dh1024_g));
+ return modssl_dh_configure(dh3072_p, sizeof(dh3072_p),
+ dh3072_g, sizeof(dh3072_g));
}
/* ----END GENERATED SECTION---------- */
@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
{
DH *dh;
- if (nKeyLen == 512)
- dh = get_dh512();
- else if (nKeyLen == 1024)
- dh = get_dh1024();
+ if (nKeyLen == 2048)
+ dh = get_dh2048();
+ else if (nKeyLen == 3072)
+ dh = get_dh3072();
else
- dh = get_dh1024();
+ dh = get_dh3072();
return dh;
}
@@ -151,7 +151,7 @@ print FP $source;
close(FP);
# generate the DH parameters
-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
my $rand = '';
foreach $file (qw(/var/log/messages /var/adm/messages
/kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
}
}
$rand = "-rand $rand" if ($rand ne '');
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh -out dh2048.pem 2048");
+system("openssl gendh -out dh3072.pem 3072");
# generate DH param info
my $dhinfo = '';
-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
$dhinfo .= $_ while (<FP>);
close(FP);
-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
$dhinfo .= $_ while (<FP>);
close(FP);
$dhinfo =~ s|^|** |mg;
@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
# generate C source from DH params
my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
@@ -203,8 +203,8 @@ print FP $source;
close(FP);
# cleanup
-unlink("dh512.pem");
-unlink("dh1024.pem");
+unlink("dh2048.pem");
+unlink("dh3072.pem");
=pod
*/