]> Raphaƫl G. Git Repositories - ihttpd/blob - SOURCES/httpd-2.4.4-r1332643+.patch
Version 2.4.62
[ihttpd] / SOURCES / httpd-2.4.4-r1332643+.patch
1 # ./pullrev.sh 1332643 1345599
2
3 https://bugzilla.redhat.com//show_bug.cgi?id=809599
4
5 http://svn.apache.org/viewvc?view=revision&revision=1332643
6
7 http://svn.apache.org/viewvc?view=revision&revision=1345599
8
9 --- httpd-2.4.4/modules/ssl/mod_ssl.c.r1332643+
10 +++ httpd-2.4.4/modules/ssl/mod_ssl.c
11 @@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds
12 AP_END_CMD
13 };
14
15 +/* Implement 'modssl_run_npn_advertise_protos_hook'. */
16 +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
17 + modssl, AP, int, npn_advertise_protos_hook,
18 + (conn_rec *connection, apr_array_header_t *protos),
19 + (connection, protos), OK, DECLINED);
20 +
21 +/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
22 +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
23 + modssl, AP, int, npn_proto_negotiated_hook,
24 + (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
25 + (connection, proto_name, proto_name_len), OK, DECLINED);
26 +
27 /*
28 * the various processing hooks
29 */
30 --- httpd-2.4.4/modules/ssl/mod_ssl.h.r1332643+
31 +++ httpd-2.4.4/modules/ssl/mod_ssl.h
32 @@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
33
34 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
35
36 +/** The npn_advertise_protos optional hook allows other modules to add entries
37 + * to the list of protocol names advertised by the server during the Next
38 + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
39 + * given the connection and an APR array; it should push one or more char*'s
40 + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
41 + * the array and return OK, or do nothing and return DECLINED. */
42 +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
43 + (conn_rec *connection, apr_array_header_t *protos));
44 +
45 +/** The npn_proto_negotiated optional hook allows other modules to discover the
46 + * name of the protocol that was chosen during the Next Protocol Negotiation
47 + * (NPN) portion of the SSL handshake. Note that this may be the empty string
48 + * (in which case modules should probably assume HTTP), or it may be a protocol
49 + * that was never even advertised by the server. The hook callee is given the
50 + * connection, a non-null-terminated string containing the protocol name, and
51 + * the length of the string; it should do something appropriate (i.e. insert or
52 + * remove filters) and return OK, or do nothing and return DECLINED. */
53 +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
54 + (conn_rec *connection, const char *proto_name,
55 + apr_size_t proto_name_len));
56 +
57 #endif /* __MOD_SSL_H__ */
58 /** @} */
59 --- httpd-2.4.4/modules/ssl/ssl_engine_init.c.r1332643+
60 +++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
61 @@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
62 #endif
63
64 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
65 +
66 +#ifdef HAVE_TLS_NPN
67 + SSL_CTX_set_next_protos_advertised_cb(
68 + ctx, ssl_callback_AdvertiseNextProtos, NULL);
69 +#endif
70 }
71
72 static void ssl_init_ctx_verify(server_rec *s,
73 --- httpd-2.4.4/modules/ssl/ssl_engine_io.c.r1332643+
74 +++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
75 @@ -28,6 +28,7 @@
76 core keeps dumping.''
77 -- Unknown */
78 #include "ssl_private.h"
79 +#include "mod_ssl.h"
80 #include "apr_date.h"
81
82 /* _________________________________________________________________
83 @@ -297,6 +298,7 @@ typedef struct {
84 apr_pool_t *pool;
85 char buffer[AP_IOBUFSIZE];
86 ssl_filter_ctx_t *filter_ctx;
87 + int npn_finished; /* 1 if NPN has finished, 0 otherwise */
88 } bio_filter_in_ctx_t;
89
90 /*
91 @@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
92 APR_BRIGADE_INSERT_TAIL(bb, bucket);
93 }
94
95 +#ifdef HAVE_TLS_NPN
96 + /* By this point, Next Protocol Negotiation (NPN) should be completed (if
97 + * our version of OpenSSL supports it). If we haven't already, find out
98 + * which protocol was decided upon and inform other modules by calling
99 + * npn_proto_negotiated_hook. */
100 + if (!inctx->npn_finished) {
101 + const unsigned char *next_proto = NULL;
102 + unsigned next_proto_len = 0;
103 +
104 + SSL_get0_next_proto_negotiated(
105 + inctx->ssl, &next_proto, &next_proto_len);
106 + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
107 + APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
108 + next_proto_len, (const char*)next_proto);
109 + modssl_run_npn_proto_negotiated_hook(
110 + f->c, (const char*)next_proto, next_proto_len);
111 + inctx->npn_finished = 1;
112 + }
113 +#endif
114 +
115 return APR_SUCCESS;
116 }
117
118 @@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
119 inctx->block = APR_BLOCK_READ;
120 inctx->pool = c->pool;
121 inctx->filter_ctx = filter_ctx;
122 + inctx->npn_finished = 0;
123 }
124
125 /* The request_rec pointer is passed in here only to ensure that the
126 --- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c.r1332643+
127 +++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
128 @@ -29,6 +29,7 @@
129 time I was too famous.''
130 -- Unknown */
131 #include "ssl_private.h"
132 +#include "mod_ssl.h"
133 #include "util_md5.h"
134
135 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
136 @@ -2161,6 +2162,90 @@ int ssl_callback_SessionTicket(SSL *ssl,
137 }
138 #endif /* HAVE_TLS_SESSION_TICKETS */
139
140 +#ifdef HAVE_TLS_NPN
141 +/*
142 + * This callback function is executed when SSL needs to decide what protocols
143 + * to advertise during Next Protocol Negotiation (NPN). It must produce a
144 + * string in wire format -- a sequence of length-prefixed strings -- indicating
145 + * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
146 + * in OpenSSL for reference.
147 + */
148 +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
149 + unsigned int *size_out, void *arg)
150 +{
151 + conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
152 + apr_array_header_t *protos;
153 + int num_protos;
154 + unsigned int size;
155 + int i;
156 + unsigned char *data;
157 + unsigned char *start;
158 +
159 + *data_out = NULL;
160 + *size_out = 0;
161 +
162 + /* If the connection object is not available, then there's nothing for us
163 + * to do. */
164 + if (c == NULL) {
165 + return SSL_TLSEXT_ERR_OK;
166 + }
167 +
168 + /* Invoke our npn_advertise_protos hook, giving other modules a chance to
169 + * add alternate protocol names to advertise. */
170 + protos = apr_array_make(c->pool, 0, sizeof(char*));
171 + modssl_run_npn_advertise_protos_hook(c, protos);
172 + num_protos = protos->nelts;
173 +
174 + /* We now have a list of null-terminated strings; we need to concatenate
175 + * them together into a single string, where each protocol name is prefixed
176 + * by its length. First, calculate how long that string will be. */
177 + size = 0;
178 + for (i = 0; i < num_protos; ++i) {
179 + const char *string = APR_ARRAY_IDX(protos, i, const char*);
180 + unsigned int length = strlen(string);
181 + /* If the protocol name is too long (the length must fit in one byte),
182 + * then log an error and skip it. */
183 + if (length > 255) {
184 + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
185 + "SSL NPN protocol name too long (length=%u): %s",
186 + length, string);
187 + continue;
188 + }
189 + /* Leave room for the length prefix (one byte) plus the protocol name
190 + * itself. */
191 + size += 1 + length;
192 + }
193 +
194 + /* If there is nothing to advertise (either because no modules added
195 + * anything to the protos array, or because all strings added to the array
196 + * were skipped), then we're done. */
197 + if (size == 0) {
198 + return SSL_TLSEXT_ERR_OK;
199 + }
200 +
201 + /* Now we can build the string. Copy each protocol name string into the
202 + * larger string, prefixed by its length. */
203 + data = apr_palloc(c->pool, size * sizeof(unsigned char));
204 + start = data;
205 + for (i = 0; i < num_protos; ++i) {
206 + const char *string = APR_ARRAY_IDX(protos, i, const char*);
207 + apr_size_t length = strlen(string);
208 + if (length > 255)
209 + continue;
210 + *start = (unsigned char)length;
211 + ++start;
212 + memcpy(start, string, length * sizeof(unsigned char));
213 + start += length;
214 + }
215 +
216 + /* Success. */
217 + *data_out = data;
218 + *size_out = size;
219 + return SSL_TLSEXT_ERR_OK;
220 +}
221 +
222 +#endif /* HAVE_TLS_NPN */
223 +
224 #ifndef OPENSSL_NO_SRP
225
226 int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
227 --- httpd-2.4.4/modules/ssl/ssl_private.h.r1332643+
228 +++ httpd-2.4.4/modules/ssl/ssl_private.h
229 @@ -139,6 +139,11 @@
230 #define HAVE_FIPS
231 #endif
232
233 +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
234 + && !defined(OPENSSL_NO_TLSEXT)
235 +#define HAVE_TLS_NPN
236 +#endif
237 +
238 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
239 #define MODSSL_SSL_CIPHER_CONST const
240 #define MODSSL_SSL_METHOD_CONST const
241 @@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndi
242 int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
243 EVP_CIPHER_CTX *, HMAC_CTX *, int);
244 #endif
245 +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
246
247 /** Session Cache Support */
248 void ssl_scache_init(server_rec *, apr_pool_t *);