author | Olli Hauer <ohauer@FreeBSD.org> | 2015-08-02 19:39:09 +0000 |
---|---|---|
committer | Olli Hauer <ohauer@FreeBSD.org> | 2015-08-02 19:39:09 +0000 |
commit | 77d22137649d7dc59e491f65474e82e9f3687897 (patch) | |
tree | 37ea1b8e1767060aee2d1ca17b13383dd7be1c46 /www/apache22 | |
parent | d16c728503ea649e2c3092b5a06fe38102f9f91d (diff) | |
download | ports-77d22137649d7dc59e491f65474e82e9f3687897.tar.gz ports-77d22137649d7dc59e491f65474e82e9f3687897.zip |
Diffstat (limited to 'www/apache22')
-rw-r--r-- | www/apache22/Makefile | 47 | ||||
-rw-r--r-- | www/apache22/distinfo | 4 | ||||
-rw-r--r-- | www/apache22/files/patch-CVE-2015-3183 | 777 | ||||
-rw-r--r-- | www/apache22/files/patch-acinclude.m4 | 148 | ||||
-rw-r--r-- | www/apache22/files/patch-configure | 62 | ||||
-rw-r--r-- | www/apache22/files/patch-configure.in | 12 | ||||
-rw-r--r-- | www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in | 78 | ||||
-rw-r--r-- | www/apache22/files/patch-modules__ssl__ssl_engine_rand.c | 20 | ||||
-rw-r--r-- | www/apache22/files/patch-modules__ssl__ssl_engine_vars.c | 11 | ||||
-rw-r--r-- | www/apache22/files/patch-modules__ssl__ssl_util_ssl.c | 14 | ||||
-rw-r--r-- | www/apache22/files/patch-modules__ssl__ssl_util_ssl.h | 14 | ||||
-rw-r--r-- | www/apache22/files/patch-modules_ssl_ssl__engine__dh.c | 142 |
12 files changed, 167 insertions, 1162 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 2347c23c90d5..a3b22638a872 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,8 @@
 # $FreeBSD$
 
 PORTNAME= apache22
-PORTVERSION= 2.2.29
-PORTREVISION?= 7
+PORTVERSION= 2.2.31
+PORTREVISION?= 0
 CATEGORIES= www ipv6
 MASTER_SITES= APACHE_HTTPD
 DISTNAME= httpd-${PORTVERSION}
@@ -20,10 +20,10 @@ CONFLICTS_INSTALL= caudium14-1.* \
 apache-*-2.4.* apache24-*-2.4.*
 
 USE_APACHE= common22
-USES= tar:bzip2 iconv perl5 libtool cpe autoreconf
+USES= autoreconf cpe iconv libtool perl5 tar:bzip2
 USE_PERL5= run
-GNU_CONFIGURE= yes
 USE_RC_SUBR= apache22 htcacheclean
+GNU_CONFIGURE= yes
 
 CPE_VENDOR= apache
 CPE_PRODUCT= http_server
@@ -33,6 +33,10 @@ PORTDOCS= *
 USERS= www
 GROUPS= www
 
+# XXX: before running makepatch please run the command
+# `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk
+PATCH_PATH_SEPARATOR= __
+
 # for slave ports
 .if !defined(MASTERDIR)
 APACHEDIR= ${.CURDIR}
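Review bot: The XXX comment added next to `PATCH_PATH_SEPARATOR= __` opens a backtick it never closes and, read literally, tells the maintainer to run `$SED` against the framework file Mk/bsd.port.mk, so a reader cannot tell whether that is a required step or a temporary workaround for bsd.port.mk not allowing an override. I would split intent from workaround, e.g. `# XXX: bsd.port.mk assigns PATCH_PATH_SEPARATOR with '=' so this override is ignored by makepatch;` followed by `# to regenerate patches, temporarily change that line to '?=' (sed -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk)`. From the diffstat the separator presumably only affects the `files/patch-*__*` naming, but nothing in this hunk says so.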
@@ -130,27 +134,30 @@ pre-everything:: post-extract: # remove possible leftover .svn directories in the sources - @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf + @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r # limit grep results ... ${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete +# make sure the configure script contains our patches, +# preserve the original script for comparsion + -${MV} ${WRKSRC}/configure ${WRKSRC}/configure.upstream -# make qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set -# use RMDIR in case upstream ever place some files into this dirs +# make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set +# use RMDIR in case upstream ever place some files into this directories .for d in xsl/util xsl lang -${RMDIR} ${WRKSRC}/docs/manual/style/${d} .endfor post-patch: - @${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c -# IPv4_mapping fix: https://issues.apache.org/bugzilla/show_bug.cgi?id=53824 - @${REINPLACE_CMD} -e 's|freebsd5|freebsd|' \ - -e 's|^perlbin=.*|perlbin=${PERL}|' \ - ${WRKSRC}/configure.in ${WRKSRC}/configure - @${RM} -f ${WRKSRC}/docs/docroot/*.bak + ${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c + ${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \ + ${WRKSRC}/include/httpd.h + ${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \ + ${WRKSRC}/configure.in + ${RM} ${WRKSRC}/docs/docroot/*.bak ${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual # we use devel/apr and devel/pcre - @${RM} -rf ${WRKSRC}/srclib - @${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in + ${RM} -r ${WRKSRC}/srclib + ${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in pre-configure:: @${ECHO_MSG} "" 
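Review bot: The new `${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' ${WRKSRC}/include/httpd.h` in post-patch is unanchored and unchecked: it rewrites every occurrence of that string in the header and, if upstream ever renames the default, silently matches nothing and the ServerRoot-relative default comes back. Since the value presumably lives in the DEFAULT_ERRORLOG define (worth confirming in 2.2.31's httpd.h), anchor the substitution to that line, `-e '/DEFAULT_ERRORLOG/s|logs/error_log|/var/log/httpd-error.log|'`, and note why the port wants an absolute path here, e.g. `# startup errors hit the compile-time default before ErrorLog is parsed; keep them under /var/log`. Two smaller points in the same hunk: "comparsion" in the configure.upstream comment should read "comparison", and the `-${MV}` prefix means a missing shipped configure is ignored, which is fine with USES=autoreconf but deserves a word in that comment.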
@@ -171,14 +178,8 @@ pre-configure::
 post-configure:
 @FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\
 ${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," ${WRKSRC}/docs/conf/extra/httpd-userdir.conf
- @${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
- @${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
-
-pre-build:
-.if ${PORT_OPTIONS:MSSL}
- @${ECHO_MSG} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
- (cd ${WRKSRC}/modules/ssl && ${SETENV} HOME=${WRKDIR} ${PERL} ssl_engine_dh.c)
-.endif
+ ${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
+ ${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
 
 post-install:
 @${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|}
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index d216509fe27b..08daf0f54156 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.29.tar.bz2) = 574b4f994b99178dfd5160bcb14025402e2ce381be9889b83e4be0ffbf5839a4
-SIZE (apache22/httpd-2.2.29.tar.bz2) = 5625498
+SHA256 (apache22/httpd-2.2.31.tar.bz2) = f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac
+SIZE (apache22/httpd-2.2.31.tar.bz2) = 5610489
diff --git a/www/apache22/files/patch-CVE-2015-3183 b/www/apache22/files/patch-CVE-2015-3183
deleted file mode 100644
index 899592db1643..000000000000
--- a/www/apache22/files/patch-CVE-2015-3183
+++ /dev/null
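Review bot: Dropping the whole `pre-build` target that generated a unique DH group for SSL builds (together with patch-modules_ssl_ssl__engine__dh.c listed in the diffstat) changes the TLS posture of every SSL-enabled build, and nothing in this hunk or the commit record says what 2.2.31 does instead. If upstream 2.2.31 now selects 2048-bit or larger default parameters, or honours DH parameters appended to SSLCertificateFile, that should be stated in the commit message or UPDATING so operators who relied on the per-build group know it is gone; if it does not, this is a Logjam regression and the step should stay until it does. A one-line marker at the former location, e.g. `# unique DH group generation removed: 2.2.31 ships its own DH parameter handling (see CHANGES)`, would keep the history discoverable. The ssl_engine_dh.c patch itself is outside this chunk, so I am inferring its purpose from the removed ECHO_MSG line.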
@@ -1,777 +0,0 @@ -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index 347df85..5e190cb 100644 ---- modules/http/http_filters.c -+++ modules/http/http_filters.c -@@ -56,27 +56,31 @@ - #include <unistd.h> - #endif - --#define INVALID_CHAR -2 -- --static long get_chunk_size(char *); -- --typedef struct http_filter_ctx { -+typedef struct http_filter_ctx -+{ - apr_off_t remaining; - apr_off_t limit; - apr_off_t limit_used; -- enum { -- BODY_NONE, -- BODY_LENGTH, -- BODY_CHUNK, -- BODY_CHUNK_PART -+ apr_int32_t chunk_used; -+ apr_int32_t chunkbits; -+ enum -+ { -+ BODY_NONE, /* streamed data */ -+ BODY_LENGTH, /* data constrained by content length */ -+ BODY_CHUNK, /* chunk expected */ -+ BODY_CHUNK_PART, /* chunk digits */ -+ BODY_CHUNK_EXT, /* chunk extension */ -+ BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */ -+ BODY_CHUNK_DATA, /* data constrained by chunked encoding */ -+ BODY_CHUNK_END, /* chunked data terminating CRLF */ -+ BODY_CHUNK_END_LF, /* got CR, expect LF after data */ -+ BODY_CHUNK_TRAILER /* trailers */ - } state; -- int eos_sent; -- char chunk_ln[32]; -- char *pos; -- apr_off_t linesize; -+ unsigned int eos_sent :1; - apr_bucket_brigade *bb; - } http_ctx_t; - -+/* bail out if some error in the HTTP input filter happens */ - static apr_status_t bail_out_on_error(http_ctx_t *ctx, - ap_filter_t *f, - int http_error) -@@ -109,119 +113,147 @@ static apr_status_t bail_out_on_error(http_ctx_t *ctx, - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, e); - ctx->eos_sent = 1; -+ /* If chunked encoding / content-length are corrupt, we may treat parts -+ * of this request's body as the next one's headers. -+ * To be safe, disable keep-alive. 
-+ */ -+ f->r->connection->keepalive = AP_CONN_CLOSE; - return ap_pass_brigade(f->r->output_filters, bb); - } - --static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx, -- apr_bucket_brigade *b, -- int linelimit) -+/** -+ * Parse a chunk line with optional extension, detect overflow. -+ * There are two error cases: -+ * 1) If the conversion would require too many bits, APR_EGENERAL is returned. -+ * 2) If the conversion used the correct number of bits, but an overflow -+ * caused only the sign bit to flip, then APR_ENOSPC is returned. -+ * In general, any negative number can be considered an overflow error. -+ */ -+static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, -+ apr_size_t len, int linelimit) - { -- apr_status_t rv; -- apr_off_t brigade_length; -- apr_bucket *e; -- const char *lineend; -- apr_size_t len; -+ apr_size_t i = 0; - -- /* -- * As the brigade b should have been requested in mode AP_MODE_GETLINE -- * all buckets in this brigade are already some type of memory -- * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE) -- * or META buckets. -- */ -- rv = apr_brigade_length(b, 0, &brigade_length); -- if (rv != APR_SUCCESS) { -- return rv; -- } -- /* Sanity check. Should never happen. See above. */ -- if (brigade_length == -1) { -- return APR_EGENERAL; -- } -- if (!brigade_length) { -- return APR_EAGAIN; -- } -- ctx->linesize += brigade_length; -- if (ctx->linesize > linelimit) { -- return APR_ENOSPC; -- } -- /* -- * As all buckets are already some type of memory buckets or META buckets -- * (see above), we only need to check the last byte in the last data bucket. 
-- */ -- for (e = APR_BRIGADE_LAST(b); -- e != APR_BRIGADE_SENTINEL(b); -- e = APR_BUCKET_PREV(e)) { -+ while (i < len) { -+ char c = buffer[i]; - -- if (APR_BUCKET_IS_METADATA(e)) { -+ ap_xlate_proto_from_ascii(&c, 1); -+ -+ /* handle CRLF after the chunk */ -+ if (ctx->state == BODY_CHUNK_END -+ || ctx->state == BODY_CHUNK_END_LF) { -+ if (c == LF) { -+ ctx->state = BODY_CHUNK; -+ } -+ else if (c == CR && ctx->state == BODY_CHUNK_END) { -+ ctx->state = BODY_CHUNK_END_LF; -+ } -+ else { -+ /* -+ * LF expected. -+ */ -+ return APR_EINVAL; -+ } -+ i++; - continue; - } -- rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ); -- if (rv != APR_SUCCESS) { -- return rv; -+ -+ /* handle start of the chunk */ -+ if (ctx->state == BODY_CHUNK) { -+ if (!apr_isxdigit(c)) { -+ /* -+ * Detect invalid character at beginning. This also works for -+ * empty chunk size lines. -+ */ -+ return APR_EINVAL; -+ } -+ else { -+ ctx->state = BODY_CHUNK_PART; -+ } -+ ctx->remaining = 0; -+ ctx->chunkbits = sizeof(apr_off_t) * 8; -+ ctx->chunk_used = 0; -+ } -+ -+ if (c == LF) { -+ if (ctx->remaining) { -+ ctx->state = BODY_CHUNK_DATA; -+ } -+ else { -+ ctx->state = BODY_CHUNK_TRAILER; -+ } - } -- if (len > 0) { -- break; /* we got the data we want */ -+ else if (ctx->state == BODY_CHUNK_LF) { -+ /* -+ * LF expected. -+ */ -+ return APR_EINVAL; - } -- /* If we got a zero-length data bucket, we try the next one */ -- } -- /* We had no data in this brigade */ -- if (!len || e == APR_BRIGADE_SENTINEL(b)) { -- return APR_EAGAIN; -- } -- if (lineend[len - 1] != APR_ASCII_LF) { -- return APR_EAGAIN; -- } -- /* Line is complete. So reset ctx->linesize for next round. */ -- ctx->linesize = 0; -- return APR_SUCCESS; --} -+ else if (c == CR) { -+ ctx->state = BODY_CHUNK_LF; -+ } -+ else if (c == ';') { -+ ctx->state = BODY_CHUNK_EXT; -+ } -+ else if (ctx->state == BODY_CHUNK_EXT) { -+ /* -+ * Control chars (but tabs) are invalid. 
-+ */ -+ if (c != '\t' && apr_iscntrl(c)) { -+ return APR_EINVAL; -+ } -+ } -+ else if (ctx->state == BODY_CHUNK_PART) { -+ int xvalue; - --static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b, -- int linelimit) --{ -- apr_size_t len; -- int tmp_len; -- apr_status_t rv; -+ /* ignore leading zeros */ -+ if (!ctx->remaining && c == '0') { -+ i++; -+ continue; -+ } - -- tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1; -- /* Saveguard ourselves against underflows */ -- if (tmp_len < 0) { -- len = 0; -- } -- else { -- len = (apr_size_t) tmp_len; -- } -- /* -- * Check if there is space left in ctx->chunk_ln. If not, then either -- * the chunk size is insane or we have chunk-extensions. Ignore both -- * by discarding the remaining part of the line via -- * get_remaining_chunk_line. Only bail out if the line is too long. -- */ -- if (len > 0) { -- rv = apr_brigade_flatten(b, ctx->pos, &len); -- if (rv != APR_SUCCESS) { -- return rv; -+ ctx->chunkbits -= 4; -+ if (ctx->chunkbits < 0) { -+ /* overflow */ -+ return APR_ENOSPC; -+ } -+ -+ if (c >= '0' && c <= '9') { -+ xvalue = c - '0'; -+ } -+ else if (c >= 'A' && c <= 'F') { -+ xvalue = c - 'A' + 0xa; -+ } -+ else if (c >= 'a' && c <= 'f') { -+ xvalue = c - 'a' + 0xa; -+ } -+ else { -+ /* bogus character */ -+ return APR_EINVAL; -+ } -+ -+ ctx->remaining = (ctx->remaining << 4) | xvalue; -+ if (ctx->remaining < 0) { -+ /* overflow */ -+ return APR_ENOSPC; -+ } - } -- ctx->pos += len; -- ctx->linesize += len; -- *(ctx->pos) = '\0'; -- /* -- * Check if we really got a full line. If yes the -- * last char in the just read buffer must be LF. -- * If not advance the buffer and return APR_EAGAIN. -- * We do not start processing until we have the -- * full line. 
-- */ -- if (ctx->pos[-1] != APR_ASCII_LF) { -- /* Check if the remaining data in the brigade has the LF */ -- return get_remaining_chunk_line(ctx, b, linelimit); -+ else { -+ /* Should not happen */ -+ return APR_EGENERAL; - } -- /* Line is complete. So reset ctx->pos for next round. */ -- ctx->pos = ctx->chunk_ln; -- return APR_SUCCESS; -+ -+ i++; - } -- return get_remaining_chunk_line(ctx, b, linelimit); --} - -+ /* sanity check */ -+ ctx->chunk_used += len; -+ if (ctx->chunk_used < 0 || ctx->chunk_used > linelimit) { -+ return APR_ENOSPC; -+ } -+ -+ return APR_SUCCESS; -+} - - static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, - apr_bucket_brigade *b, int merge) -@@ -235,7 +267,6 @@ static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, - r->status = HTTP_OK; - r->headers_in = r->trailers_in; - apr_table_clear(r->headers_in); -- ctx->state = BODY_NONE; - ap_get_mime_headers(r); - - if(r->status == HTTP_OK) { -@@ -282,6 +313,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - apr_off_t totalread; - int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; - apr_bucket_brigade *bb; -+ int again; - - conf = (core_server_config *) - ap_get_module_config(f->r->server->module_config, &core_module); -@@ -295,7 +327,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - const char *tenc, *lenp; - f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); - ctx->state = BODY_NONE; -- ctx->pos = ctx->chunk_ln; - ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc); - bb = ctx->bb; - -@@ -337,7 +368,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - */ - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, - "Unknown Transfer-Encoding: %s", tenc); -- return bail_out_on_error(ctx, f, HTTP_NOT_IMPLEMENTED); -+ return bail_out_on_error(ctx, f, HTTP_BAD_REQUEST); - } - lenp = NULL; - } -@@ -357,7 +388,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - 
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, - "Invalid Content-Length"); - -- return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); -+ return bail_out_on_error(ctx, f, HTTP_BAD_REQUEST); - } - - /* If we have a limit in effect and we know the C-L ahead of -@@ -399,7 +430,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - if (!ap_is_HTTP_SUCCESS(f->r->status)) { - ctx->state = BODY_NONE; - ctx->eos_sent = 1; -- } else { -+ } -+ else { - char *tmp; - int len; - -@@ -424,285 +456,194 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, - } - } - } -+ } - -- /* We can't read the chunk until after sending 100 if required. */ -- if (ctx->state == BODY_CHUNK) { -- apr_brigade_cleanup(bb); -+ /* sanity check in case we're read twice */ -+ if (ctx->eos_sent) { -+ e = apr_bucket_eos_create(f->c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(b, e); -+ return APR_SUCCESS; -+ } -+ -+ do { -+ apr_brigade_cleanup(b); -+ again = 0; /* until further notice */ -+ -+ /* read and handle the brigade */ -+ switch (ctx->state) { -+ case BODY_CHUNK: -+ case BODY_CHUNK_PART: -+ case BODY_CHUNK_EXT: -+ case BODY_CHUNK_LF: -+ case BODY_CHUNK_END: -+ case BODY_CHUNK_END_LF: { - -- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, -- block, 0); -+ rv = ap_get_brigade(f->next, b, AP_MODE_GETLINE, block, 0); - - /* for timeout */ -- if (block == APR_NONBLOCK_READ && -- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || -- (APR_STATUS_IS_EAGAIN(rv)) )) { -- ctx->state = BODY_CHUNK_PART; -+ if (block == APR_NONBLOCK_READ -+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) -+ || (APR_STATUS_IS_EAGAIN(rv)))) { - return APR_EAGAIN; - } - -- if (rv == APR_SUCCESS) { -- rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); -- if (APR_STATUS_IS_EAGAIN(rv)) { -- apr_brigade_cleanup(bb); -- ctx->state = BODY_CHUNK_PART; -- return rv; -- } -- if (rv == APR_SUCCESS) { -- ctx->remaining = get_chunk_size(ctx->chunk_ln); -- if (ctx->remaining == 
INVALID_CHAR) { -- rv = APR_EGENERAL; -- http_error = HTTP_SERVICE_UNAVAILABLE; -- } -- } -- } -- apr_brigade_cleanup(bb); -- -- /* Detect chunksize error (such as overflow) */ -- if (rv != APR_SUCCESS || ctx->remaining < 0) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading first chunk %s ", -- (ctx->remaining < 0) ? "(overflow)" : ""); -- if (APR_STATUS_IS_TIMEUP(rv) || ctx->remaining > 0) { -- http_error = HTTP_REQUEST_TIME_OUT; -- } -- ctx->remaining = 0; /* Reset it in case we have to -- * come back here later */ -- return bail_out_on_error(ctx, f, http_error); -+ if (rv == APR_EOF) { -+ return APR_INCOMPLETE; - } - -- if (!ctx->remaining) { -- return read_chunked_trailers(ctx, f, b, -- conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); -+ if (rv != APR_SUCCESS) { -+ return rv; - } -- } -- } -- else { -- bb = ctx->bb; -- } - -- if (ctx->eos_sent) { -- e = apr_bucket_eos_create(f->c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(b, e); -- return APR_SUCCESS; -- } -+ e = APR_BRIGADE_FIRST(b); -+ while (e != APR_BRIGADE_SENTINEL(b)) { -+ const char *buffer; -+ apr_size_t len; - -- if (!ctx->remaining) { -- switch (ctx->state) { -- case BODY_NONE: -- break; -- case BODY_LENGTH: -- e = apr_bucket_eos_create(f->c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(b, e); -- ctx->eos_sent = 1; -- return APR_SUCCESS; -- case BODY_CHUNK: -- case BODY_CHUNK_PART: -- { -- apr_brigade_cleanup(bb); -+ if (!APR_BUCKET_IS_METADATA(e)) { -+ int parsing = 0; - -- /* We need to read the CRLF after the chunk. */ -- if (ctx->state == BODY_CHUNK) { -- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, -- block, 0); -- if (block == APR_NONBLOCK_READ && -- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || -- (APR_STATUS_IS_EAGAIN(rv)) )) { -- return APR_EAGAIN; -- } -- /* If we get an error, then leave */ -- if (rv == APR_EOF) { -- return APR_INCOMPLETE; -- } -- if (rv != APR_SUCCESS) { -- return rv; -- } -- /* -- * We really don't care whats on this line. 
If it is RFC -- * compliant it should be only \r\n. If there is more -- * before we just ignore it as long as we do not get over -- * the limit for request lines. -- */ -- rv = get_remaining_chunk_line(ctx, bb, -- f->r->server->limit_req_line); -- apr_brigade_cleanup(bb); -- if (APR_STATUS_IS_EAGAIN(rv)) { -- return rv; -- } -- } else { -- rv = APR_SUCCESS; -- } -+ rv = apr_bucket_read(e, &buffer, &len, APR_BLOCK_READ); - -- if (rv == APR_SUCCESS) { -- /* Read the real chunk line. */ -- rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, -- block, 0); -- /* Test timeout */ -- if (block == APR_NONBLOCK_READ && -- ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || -- (APR_STATUS_IS_EAGAIN(rv)) )) { -- ctx->state = BODY_CHUNK_PART; -- return APR_EAGAIN; -- } -- ctx->state = BODY_CHUNK; - if (rv == APR_SUCCESS) { -- rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); -- if (APR_STATUS_IS_EAGAIN(rv)) { -- ctx->state = BODY_CHUNK_PART; -- apr_brigade_cleanup(bb); -- return rv; -- } -- if (rv == APR_SUCCESS) { -- ctx->remaining = get_chunk_size(ctx->chunk_ln); -- if (ctx->remaining == INVALID_CHAR) { -- rv = APR_EGENERAL; -- http_error = HTTP_SERVICE_UNAVAILABLE; -+ parsing = 1; -+ rv = parse_chunk_size(ctx, buffer, len, -+ f->r->server->limit_req_fieldsize); -+ } -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, -+ "Error reading/parsing chunk %s ", -+ (APR_ENOSPC == rv) ? "(overflow)" : ""); -+ if (parsing) { -+ if (rv != APR_ENOSPC) { -+ http_error = HTTP_BAD_REQUEST; - } -+ return bail_out_on_error(ctx, f, http_error); - } -+ return rv; - } -- apr_brigade_cleanup(bb); - } - -- /* Detect chunksize error (such as overflow) */ -- if (rv != APR_SUCCESS || ctx->remaining < 0) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading chunk %s ", -- (ctx->remaining < 0) ? 
"(overflow)" : ""); -- if (APR_STATUS_IS_TIMEUP(rv) || ctx->remaining > 0) { -- http_error = HTTP_REQUEST_TIME_OUT; -- } -- ctx->remaining = 0; /* Reset it in case we have to -- * come back here later */ -- return bail_out_on_error(ctx, f, http_error); -- } -+ apr_bucket_delete(e); -+ e = APR_BRIGADE_FIRST(b); -+ } -+ again = 1; /* come around again */ - -- if (!ctx->remaining) { -- return read_chunked_trailers(ctx, f, b, -+ if (ctx->state == BODY_CHUNK_TRAILER) { -+ /* Treat UNSET as DISABLE - trailers aren't merged by default */ -+ return read_chunked_trailers(ctx, f, b, - conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); -- } - } -+ - break; - } -- } -+ case BODY_NONE: -+ case BODY_LENGTH: -+ case BODY_CHUNK_DATA: { - -- /* Ensure that the caller can not go over our boundary point. */ -- if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) { -- if (ctx->remaining < readbytes) { -- readbytes = ctx->remaining; -- } -- AP_DEBUG_ASSERT(readbytes > 0); -- } -+ /* Ensure that the caller can not go over our boundary point. */ -+ if (ctx->state != BODY_NONE && ctx->remaining < readbytes) { -+ readbytes = ctx->remaining; -+ } -+ if (readbytes > 0) { - -- rv = ap_get_brigade(f->next, b, mode, block, readbytes); -+ rv = ap_get_brigade(f->next, b, mode, block, readbytes); - -- if (rv == APR_EOF && ctx->state != BODY_NONE && -- ctx->remaining > 0) { -- return APR_INCOMPLETE; -- } -- if (rv != APR_SUCCESS) { -- return rv; -- } -+ /* for timeout */ -+ if (block == APR_NONBLOCK_READ -+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) -+ || (APR_STATUS_IS_EAGAIN(rv)))) { -+ return APR_EAGAIN; -+ } - -- /* How many bytes did we just read? */ -- apr_brigade_length(b, 0, &totalread); -+ if (rv == APR_EOF && ctx->state != BODY_NONE -+ && ctx->remaining > 0) { -+ return APR_INCOMPLETE; -+ } - -- /* If this happens, we have a bucket of unknown length. Die because -- * it means our assumptions have changed. 
*/ -- AP_DEBUG_ASSERT(totalread >= 0); -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } - -- if (ctx->state != BODY_NONE) { -- ctx->remaining -= totalread; -- if (ctx->remaining > 0) { -- e = APR_BRIGADE_LAST(b); -- if (APR_BUCKET_IS_EOS(e)) { -- apr_bucket_delete(e); -- return APR_INCOMPLETE; -- } -- } -- } -+ /* How many bytes did we just read? */ -+ apr_brigade_length(b, 0, &totalread); - -- /* If we have no more bytes remaining on a C-L request, -- * save the callter a roundtrip to discover EOS. -- */ -- if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { -- e = apr_bucket_eos_create(f->c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(b, e); -- } -+ /* If this happens, we have a bucket of unknown length. Die because -+ * it means our assumptions have changed. */ -+ AP_DEBUG_ASSERT(totalread >= 0); - -- /* We have a limit in effect. */ -- if (ctx->limit) { -- /* FIXME: Note that we might get slightly confused on chunked inputs -- * as we'd need to compensate for the chunk lengths which may not -- * really count. This seems to be up for interpretation. 
*/ -- ctx->limit_used += totalread; -- if (ctx->limit < ctx->limit_used) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, -- "Read content-length of %" APR_OFF_T_FMT -- " is larger than the configured limit" -- " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); -- apr_brigade_cleanup(bb); -- e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL, -- f->r->pool, -- f->c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, e); -- e = apr_bucket_eos_create(f->c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, e); -- ctx->eos_sent = 1; -- return ap_pass_brigade(f->r->output_filters, bb); -- } -- } -+ if (ctx->state != BODY_NONE) { -+ ctx->remaining -= totalread; -+ if (ctx->remaining > 0) { -+ e = APR_BRIGADE_LAST(b); -+ if (APR_BUCKET_IS_EOS(e)) { -+ apr_bucket_delete(e); -+ return APR_INCOMPLETE; -+ } -+ } -+ else if (ctx->state == BODY_CHUNK_DATA) { -+ /* next chunk please */ -+ ctx->state = BODY_CHUNK_END; -+ ctx->chunk_used = 0; -+ } -+ } - -- return APR_SUCCESS; --} -+ } - --/** -- * Parse a chunk extension, detect overflow. -- * There are two error cases: -- * 1) If the conversion would require too many bits, a -1 is returned. -- * 2) If the conversion used the correct number of bits, but an overflow -- * caused only the sign bit to flip, then that negative number is -- * returned. -- * In general, any negative number can be considered an overflow error. -- */ --static long get_chunk_size(char *b) --{ -- long chunksize = 0; -- size_t chunkbits = sizeof(long) * 8; -+ /* If we have no more bytes remaining on a C-L request, -+ * save the caller a round trip to discover EOS. -+ */ -+ if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { -+ e = apr_bucket_eos_create(f->c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(b, e); -+ ctx->eos_sent = 1; -+ } - -- ap_xlate_proto_from_ascii(b, strlen(b)); -+ /* We have a limit in effect. 
*/ -+ if (ctx->limit) { -+ /* FIXME: Note that we might get slightly confused on chunked inputs -+ * as we'd need to compensate for the chunk lengths which may not -+ * really count. This seems to be up for interpretation. */ -+ ctx->limit_used += totalread; -+ if (ctx->limit < ctx->limit_used) { -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, -+ "Read content-length of %" APR_OFF_T_FMT -+ " is larger than the configured limit" -+ " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); -+ return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); -+ } -+ } - -- if (!apr_isxdigit(*b)) { -- /* -- * Detect invalid character at beginning. This also works for empty -- * chunk size lines. -- */ -- return INVALID_CHAR; -- } -- /* Skip leading zeros */ -- while (*b == '0') { -- ++b; -- } -+ break; -+ } -+ case BODY_CHUNK_TRAILER: { -+ -+ rv = ap_get_brigade(f->next, b, mode, block, readbytes); - -- while (apr_isxdigit(*b) && (chunkbits > 0)) { -- int xvalue = 0; -+ /* for timeout */ -+ if (block == APR_NONBLOCK_READ -+ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) -+ || (APR_STATUS_IS_EAGAIN(rv)))) { -+ return APR_EAGAIN; -+ } -+ -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } - -- if (*b >= '0' && *b <= '9') { -- xvalue = *b - '0'; -+ break; - } -- else if (*b >= 'A' && *b <= 'F') { -- xvalue = *b - 'A' + 0xa; -+ default: { -+ /* Should not happen */ -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, -+ "Unexpected body state (%i)", (int)ctx->state); -+ return APR_EGENERAL; - } -- else if (*b >= 'a' && *b <= 'f') { -- xvalue = *b - 'a' + 0xa; - } - -- chunksize = (chunksize << 4) | xvalue; -- chunkbits -= 4; -- ++b; -- } -- if (apr_isxdigit(*b) && (chunkbits <= 0)) { -- /* overflow */ -- return -1; -- } -+ } while (again); - -- return chunksize; -+ return APR_SUCCESS; - } - - typedef struct header_struct { diff --git a/www/apache22/files/patch-acinclude.m4 b/www/apache22/files/patch-acinclude.m4 index ac2f04bafe1b..1353a68c379a 100644 
--- a/www/apache22/files/patch-acinclude.m4 +++ b/www/apache22/files/patch-acinclude.m4 
@@ -1,12 +1,140 @@ ---- acinclude.m4.orig 2012-07-06 15:23:21 UTC +https://issues.apache.org/bugzilla/show_bug.cgi?id=58126 +============================================================== +--- acinclude.m4.orig 2015-07-11 23:38:52 UTC +++ acinclude.m4 -@@ -455,6 +455,9 @@ if test "x$ap_ssltk_configured" = "x"; t - AC_CHECK_HEADERS([openssl/engine.h]) - AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines]) -+ dnl PR 196256, https://issues.apache.org/bugzilla/show_bug.cgi?id=57395 -+ AC_CHECK_FUNCS([SSL_CTX_use_certificate_chain]) -+ AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_SSL_RAND_EGD, 1, [Define if the libcrypto has RAND_egd])) +@@ -4,25 +4,25 @@ dnl Autoconf 2.50 can not handle substr + dnl AC_HELP_STRING, so let's try to call it if we can. + dnl Note: this define must be on one line so that it can be properly returned + dnl as the help string. +-AC_DEFUN(APACHE_HELP_STRING,[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl ++AC_DEFUN([APACHE_HELP_STRING],[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl + + dnl APACHE_SUBST(VARIABLE) + dnl Makes VARIABLE available in generated files + dnl (do not use @variable@ in Makefiles, but $(variable)) +-AC_DEFUN(APACHE_SUBST,[ ++AC_DEFUN([APACHE_SUBST],[ + APACHE_VAR_SUBST="$APACHE_VAR_SUBST $1" + AC_SUBST($1) + ]) + + dnl APACHE_FAST_OUTPUT(FILENAME) + dnl Perform substitutions on FILENAME (Makefiles only) +-AC_DEFUN(APACHE_FAST_OUTPUT,[ ++AC_DEFUN([APACHE_FAST_OUTPUT],[ + APACHE_FAST_OUTPUT_FILES="$APACHE_FAST_OUTPUT_FILES $1" + ]) + + dnl APACHE_GEN_CONFIG_VARS + dnl Creates config_vars.mk +-AC_DEFUN(APACHE_GEN_CONFIG_VARS,[ ++AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ + APACHE_SUBST(abs_srcdir) + APACHE_SUBST(bindir) + APACHE_SUBST(sbindir) +@@ -111,14 +111,14 @@ AC_DEFUN(APACHE_GEN_CONFIG_VARS,[ + + dnl APACHE_GEN_MAKEFILES + dnl Creates Makefiles 
+-AC_DEFUN(APACHE_GEN_MAKEFILES,[ ++AC_DEFUN([APACHE_GEN_MAKEFILES],[ + $SHELL $srcdir/build/fastgen.sh $srcdir $ac_cv_mkdir_p $BSD_MAKEFILE $APACHE_FAST_OUTPUT_FILES + ]) + + dnl ## APACHE_OUTPUT(file) + dnl ## adds "file" to the list of files generated by AC_OUTPUT + dnl ## This macro can be used several times. +-AC_DEFUN(APACHE_OUTPUT, [ ++AC_DEFUN([APACHE_OUTPUT], [ + APACHE_OUTPUT_FILES="$APACHE_OUTPUT_FILES $1" + ]) + +@@ -127,7 +127,7 @@ dnl APACHE_TYPE_RLIM_T + dnl + dnl If rlim_t is not defined, define it to int + dnl +-AC_DEFUN(APACHE_TYPE_RLIM_T, [ ++AC_DEFUN([APACHE_TYPE_RLIM_T], [ + AC_CACHE_CHECK([for rlim_t], ac_cv_type_rlim_t, [ + AC_TRY_COMPILE([ + #include <sys/types.h> +@@ -145,7 +145,7 @@ AC_DEFUN(APACHE_TYPE_RLIM_T, [ + ]) + + dnl APACHE_MODPATH_INIT(modpath) +-AC_DEFUN(APACHE_MODPATH_INIT,[ ++AC_DEFUN([APACHE_MODPATH_INIT],[ + current_dir=$1 + modpath_current=modules/$1 + modpath_static= +@@ -154,7 +154,7 @@ AC_DEFUN(APACHE_MODPATH_INIT,[ + > $modpath_current/modules.mk + ])dnl + dnl +-AC_DEFUN(APACHE_MODPATH_FINISH,[ ++AC_DEFUN([APACHE_MODPATH_FINISH],[ + echo "DISTCLEAN_TARGETS = modules.mk" >> $modpath_current/modules.mk + echo "static = $modpath_static" >> $modpath_current/modules.mk + echo "shared = $modpath_shared" >> $modpath_current/modules.mk +@@ -167,7 +167,7 @@ AC_DEFUN(APACHE_MODPATH_FINISH,[ + ])dnl + dnl + dnl APACHE_MODPATH_ADD(name[, shared[, objects [, ldflags[, libs]]]]) +-AC_DEFUN(APACHE_MODPATH_ADD,[ ++AC_DEFUN([APACHE_MODPATH_ADD],[ + if test -z "$3"; then + objects="mod_$1.lo" else - AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS(SSL_set_state) +@@ -211,7 +211,7 @@ dnl basically: yes/no is a hard setting. + dnl setting. otherwise, fall under the "all" setting. + dnl explicit yes/no always overrides. 
+ dnl +-AC_DEFUN(APACHE_MODULE,[ ++AC_DEFUN([APACHE_MODULE],[ + AC_MSG_CHECKING(whether to enable mod_$1) + define([optname],[--]ifelse($5,yes,disable,enable)[-]translit($1,_,-))dnl + AC_ARG_ENABLE(translit($1,_,-),APACHE_HELP_STRING(optname(),$2),,enable_$1=ifelse($5,,maybe-all,$5)) +@@ -284,7 +284,7 @@ AC_DEFUN(APACHE_MODULE,[ + dnl + dnl APACHE_ENABLE_MODULES + dnl +-AC_DEFUN(APACHE_ENABLE_MODULES,[ ++AC_DEFUN([APACHE_ENABLE_MODULES],[ + module_selection=default + module_default=yes + +@@ -314,7 +314,7 @@ AC_DEFUN(APACHE_ENABLE_MODULES,[ + ]) + ]) + +-AC_DEFUN(APACHE_REQUIRE_CXX,[ ++AC_DEFUN([APACHE_REQUIRE_CXX],[ + if test -z "$apache_cxx_done"; then + AC_PROG_CXX + AC_PROG_CXXCPP +@@ -328,7 +328,7 @@ dnl + dnl Configure for the detected openssl/ssl-c toolkit installation, giving + dnl preference to "--with-ssl=<path>" if it was specified. + dnl +-AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ ++AC_DEFUN([APACHE_CHECK_SSL_TOOLKIT],[ + if test "x$ap_ssltk_configured" = "x"; then + dnl initialise the variables we use + ap_ssltk_base="" +@@ -486,14 +486,14 @@ dnl Export (via APACHE_SUBST) the variou + dnl apache will use while generating scripts like autoconf and apxs and + dnl the default config file. + +-AC_DEFUN(APACHE_SUBST_EXPANDED_ARG,[ ++AC_DEFUN([APACHE_SUBST_EXPANDED_ARG],[ + APR_EXPAND_VAR(exp_$1, [$]$1) + APACHE_SUBST(exp_$1) + APR_PATH_RELATIVE(rel_$1, [$]exp_$1, ${prefix}) + APACHE_SUBST(rel_$1) + ]) + +-AC_DEFUN(APACHE_EXPORT_ARGUMENTS,[ ++AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ + APACHE_SUBST_EXPANDED_ARG(exec_prefix) + APACHE_SUBST_EXPANDED_ARG(bindir) + APACHE_SUBST_EXPANDED_ARG(sbindir) diff --git a/www/apache22/files/patch-configure b/www/apache22/files/patch-configure deleted file mode 100644 index e3d58e7d032e..000000000000 --- a/www/apache22/files/patch-configure +++ /dev/null 
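Review bot: The rewritten patch-acinclude.m4 is now only the AC_DEFUN quoting fix for PR 58126 and no longer carries the `AC_CHECK_FUNCS([SSL_CTX_use_certificate_chain])` and `AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_SSL_RAND_EGD, ...))` probes the old version added for bug 57395, while the diffstat still lists patch-modules__ssl__ssl_engine_rand.c and the ssl_util_ssl.[ch] patches that presumably consume HAVE_SSL_RAND_EGD and HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN. Unless 2.2.31's own acinclude.m4 already contains those checks, a build against a libcrypto without RAND_egd (LibreSSL, or OpenSSL configured with no-egd) would regress to the pre-57395 failure. Please confirm in config.log that both symbols are still probed and record it in the patch header, e.g. `RAND_egd / SSL_CTX_use_certificate_chain probes are upstream as of 2.2.31 (bug 57395)`. The remainder of this patch file is outside the chunk.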
@@ -1,62 +0,0 @@ ---- configure.orig 2014-08-22 19:54:19.000000000 +0200 -+++ configure 2015-02-28 10:22:46.822052140 +0100 -@@ -13853,6 +13922,59 @@ - fi - done - -+ for ac_func in SSL_CTX_use_certificate_chain -+do : -+ ac_fn_c_check_func "$LINENO" "SSL_CTX_use_certificate_chain" "ac_cv_func_SSL_CTX_use_certificate_chain" -+if test "x$ac_cv_func_SSL_CTX_use_certificate_chain" = xyes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN 1 -+_ACEOF -+ -+fi -+done -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for RAND_egd in -lcrypto" >&5 -+$as_echo_n "checking for RAND_egd in -lcrypto... " >&6; } -+if ${ac_cv_lib_crypto_RAND_egd+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ ac_check_lib_save_LIBS=$LIBS -+LIBS="-lcrypto $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char RAND_egd (); -+int -+main () -+{ -+return RAND_egd (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ ac_cv_lib_crypto_RAND_egd=yes -+else -+ ac_cv_lib_crypto_RAND_egd=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_RAND_egd" >&5 -+$as_echo "$ac_cv_lib_crypto_RAND_egd" >&6; } -+if test "x$ac_cv_lib_crypto_RAND_egd" = xyes; then : -+ -+$as_echo "#define HAVE_SSL_RAND_EGD 1" >>confdefs.h -+ -+fi -+ - else - for ac_func in SSLC_library_version SSL_CTX_new - do : diff --git a/www/apache22/files/patch-configure.in b/www/apache22/files/patch-configure.in index eb1835e91f58..5d751b5bbea1 100644 --- a/www/apache22/files/patch-configure.in +++ b/www/apache22/files/patch-configure.in 
@@ -37,18 +37,6 @@
 [--enable-layout=*|\'--enable-layout=*])
 dnl We must be the last to build and the first to be cleaned
 AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"
-@@ -480,7 +490,10 @@ AC_ARG_ENABLE(v4-mapped,APACHE_HELP_STRI
- ],
- [
- case $host in
-- *freebsd5*|*netbsd*|*openbsd*)
-+ *freebsd[[1234]].*)
-+ v4mapped=yes
-+ ;;
-+ *freebsd*|*netbsd*|*openbsd*)
- v4mapped=no
- ;;
- *mingw*)
 @@ -678,8 +691,14 @@ AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_pre
 [Root directory of the Apache install area])
 AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",
diff --git a/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in b/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
index c3b16ba64734..0f95b9d1b83d 100644
--- a/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
+++ b/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
@@ -1,50 +1,6 @@
---- docs/conf/extra/httpd-ssl.conf.in.orig 2013-11-11 14:00:57 UTC
+--- docs/conf/extra/httpd-ssl.conf.in.orig 2015-05-27 18:59:59 UTC
 +++ docs/conf/extra/httpd-ssl.conf.in
-@@ -49,6 +49,43 @@ Listen @@SSLPort@@
- AddType application/x-x509-ca-cert .crt
- AddType application/x-pkcs7-crl .crl
-
-+# SSL Cipher Suite:
-+# List the ciphers that the client is permitted to negotiate,
-+# and that httpd will negotiate as the client of a proxied server.
-+# See the OpenSSL documentation for a complete list of ciphers, and
-+# ensure these follow appropriate best practices for this deployment.
-+# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
-+# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
-+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
-+
-+# By the end of 2016, only TLSv1.2 ciphers should remain in use.
-+# Older ciphers should be disallowed as soon as possible, while the
-+# kRSA ciphers do not offer forward secrecy. These changes inhibit
-+# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
-+# non-browser tooling) from successfully connecting.
-+#
-+# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
-+# those protocols which do not support forward secrecy, replace
-+# the SSLCipherSuite and SSLProxyCipherSuite directives above with
-+# the following two directives, as soon as practical.
-+# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-+# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-+
-+# User agents such as web browsers are not configured for the user's
-+# own preference of either security or performance, therefore this
-+# must be the prerogative of the web server administrator who manages
-+# cpu load versus confidentiality, so enforce the server's cipher order.
-+SSLHonorCipherOrder on
-+
-+# SSL Protocol support:
-+# List the protocol versions which clients are allowed to connect with.
-+# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
-+# should be disabled as quickly as practical. By the end of 2016, only
-+# the TLSv1.2 protocol or later should remain in use.
-+SSLProtocol all -SSLv2 -SSLv3
-+SSLProxyProtocol all -SSLv2 -SSLv3
-+
- # Pass Phrase Dialog:
- # Configure the pass phrase gathering process.
- # The filtering dialog program (`builtin' is a internal
-@@ -77,36 +114,13 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
+@@ -114,8 +114,8 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
 DocumentRoot "@exp_htdocsdir@"
 ServerName www.example.com:@@SSLPort@@
 ServerAdmin you@example.com
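Review bot: Dropping the port-local hardening block from this patch leaves `SSLProtocol all -SSLv2 -SSLv3`, `SSLProxyProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and the `HIGH:MEDIUM:!MD5:!RC4` cipher lists in the installed sample config only if the 2.2.31 template already carries them, and nothing in this diff demonstrates that. The renumbered context (`@@ -114,8 +114,8 @@` replacing `@@ -77,36 +114,13 @@`) is consistent with upstream having absorbed exactly those 37 lines, but the failure mode if it has not is a silent regression of the shipped `httpd-ssl.conf` to SSLv3-enabled, RC4-permitting defaults. Before committing, confirm each dropped directive is present in the extracted tarball, e.g. `grep -n 'SSLProtocol\|SSLProxyProtocol\|SSLHonorCipherOrder\|SSLProxyCipherSuite' docs/conf/extra/httpd-ssl.conf.in`, and re-add any that is missing to this patch; the two proxy-side directives are the easiest to overlook because a server-only check will not notice their absence.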
@@ -55,35 +11,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. - SSLEngine on - --# SSL Protocol support: --# List the protocol versions which clients are allowed to --# connect with. Disable SSLv2 by default (cf. RFC 6176). --SSLProtocol all -SSLv2 -- --# SSL Cipher Suite: --# List the ciphers that the client is permitted to negotiate. --# See the mod_ssl documentation for a complete list. --SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 -- --# Speed-optimized SSL Cipher configuration: --# If speed is your main concern (on busy HTTPS servers e.g.), --# you might want to force clients to specific, performance --# optimized ciphers. In this case, prepend those ciphers --# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. --# Caveat: by giving precedence to RC4-SHA and AES128-SHA --# (as in the example below), most connections will no longer --# have perfect forward secrecy - if the server's key is --# compromised, captures of past or future traffic must be --# considered compromised, too. --#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 --#SSLHonorCipherOrder on -- - # Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If - # the certificate is encrypted, then you will be prompted for a -@@ -249,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \ +@@ -263,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \ # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. diff --git a/www/apache22/files/patch-modules__ssl__ssl_engine_rand.c b/www/apache22/files/patch-modules__ssl__ssl_engine_rand.c deleted file mode 100644 index 44ad4f7df520..000000000000 --- a/www/apache22/files/patch-modules__ssl__ssl_engine_rand.c +++ /dev/null 
@@ -1,20 +0,0 @@
---- modules/ssl/ssl_engine_rand.c.orig 2006-07-12 03:38:44 UTC
-+++ modules/ssl/ssl_engine_rand.c
-@@ -83,17 +83,6 @@ int ssl_rand_seed(server_rec *s, apr_poo
- nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
- ssl_util_ppclose(s, p, fp);
- }
--#ifdef HAVE_SSL_RAND_EGD
-- else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
-- /*
-- * seed in contents provided by the external
-- * Entropy Gathering Daemon (EGD)
-- */
-- if ((n = RAND_egd(pRandSeed->cpPath)) == -1)
-- continue;
-- nDone += n;
-- }
--#endif
- else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
- struct {
- time_t t;
diff --git a/www/apache22/files/patch-modules__ssl__ssl_engine_vars.c b/www/apache22/files/patch-modules__ssl__ssl_engine_vars.c
deleted file mode 100644
index 673665651e7e..000000000000
--- a/www/apache22/files/patch-modules__ssl__ssl_engine_vars.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_vars.c.orig 2013-02-12 11:51:17 UTC
-+++ modules/ssl/ssl_engine_vars.c
-@@ -832,7 +832,7 @@ static char *ssl_var_lookup_ssl_compress
- {
- char *result = "NULL";
- #ifdef OPENSSL_VERSION_NUMBER
--#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
-+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
- SSL_SESSION *pSession = SSL_get_session(ssl);
-
- if (pSession) {
diff --git a/www/apache22/files/patch-modules__ssl__ssl_util_ssl.c b/www/apache22/files/patch-modules__ssl__ssl_util_ssl.c
deleted file mode 100644
index b3cdaea0f64e..000000000000
--- a/www/apache22/files/patch-modules__ssl__ssl_util_ssl.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- modules/ssl/ssl_util_ssl.c.orig 2012-08-17 17:30:46 UTC
-+++ modules/ssl/ssl_util_ssl.c
-@@ -492,7 +492,11 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
- * format, possibly followed by a sequence of CA certificates that
- * should be sent to the peer in the SSL Certificate message.
- */
-+#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN
- int SSL_CTX_use_certificate_chain(
-+#else
-+int _SSL_CTX_use_certificate_chain(
-+#endif
- SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
- {
- BIO *bio;
diff --git a/www/apache22/files/patch-modules__ssl__ssl_util_ssl.h b/www/apache22/files/patch-modules__ssl__ssl_util_ssl.h
deleted file mode 100644
index 9a36ee784a6f..000000000000
--- a/www/apache22/files/patch-modules__ssl__ssl_util_ssl.h
+++ /dev/null
@@ -1,14 +0,0 @@
---- modules/ssl/ssl_util_ssl.h.orig 2012-08-17 17:30:46 UTC
-+++ modules/ssl/ssl_util_ssl.h
-@@ -89,7 +89,11 @@ char *SSL_X509_NAME_to_string(apr_
- BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
- BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
- BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-+#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN
- int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
-+#else
-+int _SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
-+#endif
- char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-
- /** util functions for OpenSSL+sslc compat */
diff --git a/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c b/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c
deleted file mode 100644
index a3b77a684cdc..000000000000
--- a/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c
+++ /dev/null
@@ -1,142 +0,0 @@
---- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
-+++ modules/ssl/ssl_engine_dh.c
-@@ -33,7 +33,7 @@
- /* ----BEGIN GENERATED SECTION-------- */
-
- /*
--** Diffie-Hellman-Parameters: (512 bit)
-+** Diffie-Hellman-Parameters: (2048 bit)
- ** prime:
- ** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba:
- ** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1:
-@@ -41,7 +41,7 @@
- ** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70:
- ** e6:aa:87:10:33
- ** generator: 2 (0x2)
--** Diffie-Hellman-Parameters: (1024 bit)
-+** Diffie-Hellman-Parameters: (3072 bit)
- ** prime:
- ** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd:
- ** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98:
-@@ -55,7 +55,7 @@
- ** generator: 2 (0x2)
- */
-
--static unsigned char dh512_p[] = {
-+static unsigned char dh2048_p[] = {
- 0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37,
- 0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18,
- 0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8,
-@@ -63,17 +63,17 @@ static unsigned char dh512_p[] = {
- 0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6,
- 0xAA, 0x87, 0x10, 0x33,
- };
--static unsigned char dh512_g[] = {
-+static unsigned char dh2048_g[] = {
- 0x02,
- };
-
--static DH *get_dh512(void)
-+static DH *get_dh2048(void)
- {
-- return modssl_dh_configure(dh512_p, sizeof(dh512_p),
-- dh512_g, sizeof(dh512_g));
-+ return modssl_dh_configure(dh2048_p, sizeof(dh2048_p),
-+ dh2048_g, sizeof(dh2048_g));
- }
-
--static unsigned char dh1024_p[] = {
-+static unsigned char dh3072_p[] = {
- 0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3,
- 0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B,
- 0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E,
-@@ -86,14 +86,14 @@ static unsigned char dh1024_p[] = {
- 0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0,
- 0xE7, 0x39, 0x3E, 0x0F, 0x24,
0x21, 0x8E, 0xB3,
- };
--static unsigned char dh1024_g[] = {
-+static unsigned char dh3072_g[] = {
- 0x02,
- };
-
--static DH *get_dh1024(void)
-+static DH *get_dh3072(void)
- {
-- return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
-- dh1024_g, sizeof(dh1024_g));
-+ return modssl_dh_configure(dh3072_p, sizeof(dh3072_p),
-+ dh3072_g, sizeof(dh3072_g));
- }
-
- /* ----END GENERATED SECTION---------- */
-@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
- {
- DH *dh;
-
-- if (nKeyLen == 512)
-- dh = get_dh512();
-- else if (nKeyLen == 1024)
-- dh = get_dh1024();
-+ if (nKeyLen == 2048)
-+ dh = get_dh2048();
-+ else if (nKeyLen == 3072)
-+ dh = get_dh3072();
- else
-- dh = get_dh1024();
-+ dh = get_dh3072();
- return dh;
- }
-
-@@ -151,7 +151,7 @@ print FP $source;
- close(FP);
-
- # generate the DH parameters
--print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
-+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
- my $rand = '';
- foreach $file (qw(/var/log/messages /var/adm/messages
- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
-@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
- }
- }
- $rand = "-rand $rand" if ($rand ne '');
--system("openssl gendh $rand -out dh512.pem 512");
--system("openssl gendh $rand -out dh1024.pem 1024");
-+system("openssl gendh -out dh2048.pem 2048");
-+system("openssl gendh -out dh3072.pem 3072");
-
- # generate DH param info
- my $dhinfo = '';
--open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
-+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
- $dhinfo .= $_ while (<FP>);
- close(FP);
--open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
-+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
- $dhinfo .= $_ while (<FP>);
- close(FP);
- $dhinfo =~ s|^|** |mg;
-@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
-
- # generate C source from DH params
- my $dhsource = '';
--open(FP, "openssl dh -noout -C -in
dh512.pem | indent | expand |") || die;
-+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
- $dhsource .= $_ while (<FP>);
- close(FP);
--open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
-+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
- $dhsource .= $_ while (<FP>);
- close(FP);
- $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
-@@ -203,8 +203,8 @@ print FP $source;
- close(FP);
-
- # cleanup
--unlink("dh512.pem");
--unlink("dh1024.pem");
-+unlink("dh2048.pem");
-+unlink("dh3072.pem");
-
- =pod
- */ |