diff options
| author | adam <adam@pkgsrc.org> | 2014-02-17 17:32:55 +0000 |
|---|---|---|
| committer | adam <adam@pkgsrc.org> | 2014-02-17 17:32:55 +0000 |
| commit | 28aacc6f3f066c89270782e93ddc3ffba311ea04 (patch) | |
| tree | fe8fc98c68cc5a3d206a28dede5343575f6e353b | |
| parent | 0b987bf1c94e6e5ce6702c476e257e7be78f3b16 (diff) | |
| download | pkgsrc-28aacc6f3f066c89270782e93ddc3ffba311ea04.tar.gz | |
Changes with Apache 2.2.26
*) mod_dav: dav_resource->uri treated as unencoded. This was an
unnecessary ABI changed introduced in 2.2.25.
*) mod_dav: Do not validate locks against parent collection of COPY
source URI.
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3.
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25.
*) mod_dav: Fix double encoding of URIs in XML and Location header (caused
by unintential ABI change in 2.2.25).
| -rw-r--r-- | www/apache22/Makefile | 5 | ||||
| -rw-r--r-- | www/apache22/distinfo | 11 | ||||
| -rw-r--r-- | www/apache22/files/ecc2224.patch | 307 | ||||
| -rw-r--r-- | www/apache22/options.mk | 14 | ||||
| -rw-r--r-- | www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c | 2 | ||||
| -rw-r--r-- | www/apache22/patches/patch-modules_ssl_ssl__engine__kernel.c | 15 |
6 files changed, 12 insertions, 342 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 51a99ea0da6..7f75641fa3c 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.98 2014/02/12 23:18:43 tron Exp $ +# $NetBSD: Makefile,v 1.99 2014/02/17 17:32:55 adam Exp $ -DISTNAME= httpd-2.2.25 +DISTNAME= httpd-2.2.26 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ http://archive.apache.org/dist/httpd/ \ diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 7fbea9f3261..5fc937180e6 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.57 2013/07/15 18:15:49 tron Exp $ +$NetBSD: distinfo,v 1.58 2014/02/17 17:32:55 adam Exp $ -SHA1 (httpd-2.2.25.tar.bz2) = e34222d1a8de38825397a1c70949bcc5836a1236 -RMD160 (httpd-2.2.25.tar.bz2) = 8a7745a5f6acb84adaac5cbd94f0e842c3cd7edc -Size (httpd-2.2.25.tar.bz2) = 5524905 bytes +SHA1 (httpd-2.2.26.tar.bz2) = ecfa7dab239ef177668ad1d5cf9d03c4602607b8 +RMD160 (httpd-2.2.26.tar.bz2) = 18a5ed7bae8d9ac7e842b3f4acf2952aca3736d1 +Size (httpd-2.2.26.tar.bz2) = 5390190 bytes SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad @@ -15,6 +15,5 @@ SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 -SHA1 (patch-modules_proxy_mod_proxy_connect.c) = 6d5ed1e075bc3d727c4940078a3a8b2abeb4b324 -SHA1 (patch-modules_ssl_ssl__engine__kernel.c) = fd6f425d18231f0daca9fc2553638891a7241a4a +SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 diff --git a/www/apache22/files/ecc2224.patch b/www/apache22/files/ecc2224.patch deleted file mode 100644 index 654952f4c2c..00000000000 --- a/www/apache22/files/ecc2224.patch +++ /dev/null @@ -1,307 +0,0 @@ -Backport of ECC support -https://issues.apache.org/bugzilla/show_bug.cgi?id=40132 - ---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-04 21:10:40.000000000 +0100 -+++ ./docs/conf/extra/httpd-ssl.conf.in 2013-09-07 05:44:49.000000000 +0200 -@@ -91,8 +91,11 @@ - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. -+# Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC) -+# cipher suites (see RFC 4492) as part of "ALL". Edit this line -+# if you need to disable any of those ciphers. - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - - # Speed-optimized SSL Cipher configuration: - # If speed is your main concern (on busy HTTPS servers e.g.), -@@ -113,18 +116,24 @@ - # pass phrase. Note that a kill -HUP will prompt again. Keep - # in mind that if you have both an RSA and a DSA certificate you - # can configure both in parallel (to also allow the use of DSA - # ciphers, etc.) -+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) -+# require an ECC certificate which can also be configured in -+# parallel. - SSLCertificateFile "@exp_sysconfdir@/server.crt" - #SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt" -+#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt" - - # Server Private Key: - # If the key is not combined with the certificate, use this - # directive to point at the key file. Keep in mind that if - # you've both a RSA and a DSA private key you can configure - # both in parallel (to also allow the use of DSA ciphers, etc.) -+# ECC keys, when in use, can also be configured in parallel - SSLCertificateKeyFile "@exp_sysconfdir@/server.key" - #SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key" -+#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key" - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the ---- ./modules/ssl/ssl_private.h.orig 2013-02-15 16:50:37.000000000 +0100 -+++ ./modules/ssl/ssl_private.h 2013-09-07 05:43:20.000000000 +0200 -@@ -190,13 +190,23 @@ - - #define SSL_ALGO_UNKNOWN (0) - #define SSL_ALGO_RSA (1<<0) - #define SSL_ALGO_DSA (1<<1) -+#ifndef OPENSSL_NO_EC -+#define SSL_ALGO_ECC (1<<2) -+#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) -+#else - #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) -+#endif /* SSL_LIBRARY_VERSION */ - - #define SSL_AIDX_RSA (0) - #define SSL_AIDX_DSA (1) -+#ifndef OPENSSL_NO_EC -+#define SSL_AIDX_ECC (2) -+#define SSL_AIDX_MAX (3) -+#else - #define SSL_AIDX_MAX (2) -+#endif /* SSL_LIBRARY_VERSION */ - - - /** - * Define IDs for the temporary RSA keys and DH params -@@ -624,8 +634,11 @@ - - /** OpenSSL callbacks */ - RSA *ssl_callback_TmpRSA(SSL *, int, int); - DH *ssl_callback_TmpDH(SSL *, int, int); -+#ifndef OPENSSL_NO_EC -+EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); -+#endif /* SSL_LIBRARY_VERSION */ - int ssl_callback_SSLVerify(int, X509_STORE_CTX *); - int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); - int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey); - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); ---- ./modules/ssl/ssl_util.c.orig 2008-09-18 16:34:51.000000000 +0200 -+++ ./modules/ssl/ssl_util.c 2013-09-07 05:43:20.000000000 +0200 -@@ -149,8 +149,13 @@ - break; - case EVP_PKEY_DSA: - t = SSL_ALGO_DSA; - break; -+#ifndef OPENSSL_NO_EC -+ case EVP_PKEY_EC: -+ t = SSL_ALGO_ECC; -+ break; -+#endif - default: - break; - } - } -@@ -173,8 +178,13 @@ - break; - case SSL_ALGO_DSA: - cp = "DSA"; - break; -+#ifndef OPENSSL_NO_EC -+ case SSL_ALGO_ECC: -+ cp = "ECC"; -+ break; -+#endif - default: - break; - } - return cp; -@@ -244,9 +254,13 @@ - - apr_hash_set(table, key, klen, NULL); - } - -+#ifndef OPENSSL_NO_EC -+static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; -+#else - static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; -+#endif - - const char *ssl_asn1_keystr(int keytype) - { - if (keytype >= SSL_AIDX_MAX) { ---- ./modules/ssl/ssl_engine_init.c.orig 2012-10-07 08:39:16.000000000 +0200 -+++ ./modules/ssl/ssl_engine_init.c 2013-09-07 05:43:20.000000000 +0200 -@@ -398,9 +398,13 @@ - /* - * Check for problematic re-initializations - */ - if (mctx->pks->certs[SSL_AIDX_RSA] || -- mctx->pks->certs[SSL_AIDX_DSA]) -+ mctx->pks->certs[SSL_AIDX_DSA] -+#ifndef OPENSSL_NO_EC -+ || mctx->pks->certs[SSL_AIDX_ECC] -+#endif -+ ) - { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Illegal attempt to re-initialise SSL for server " - "(SSLEngine On should go in the VirtualHost, not in global scope.)"); -@@ -598,8 +602,11 @@ - SSL_CTX *ctx = mctx->ssl_ctx; - - SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); -+#ifndef OPENSSL_NO_EC -+ SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); -+#endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - } - -@@ -865,11 +872,18 @@ - SSLModConfigRec *mc = myModConfig(s); - ssl_asn1_t *asn1; - MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; - const char *type = ssl_asn1_keystr(idx); -- int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; -+ int pkey_type; - EVP_PKEY *pkey; - -+#ifndef OPENSSL_NO_EC -+ if (idx == SSL_AIDX_ECC) -+ pkey_type = EVP_PKEY_EC; -+ else -+#endif /* SSL_LIBRARY_VERSION */ -+ pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; -+ - if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) { - return FALSE; - } - -@@ -977,22 +991,36 @@ - apr_pool_t *p, - apr_pool_t *ptemp, - modssl_ctx_t *mctx) - { -- const char *rsa_id, *dsa_id; -+ const char *rsa_id, *dsa_id, *ecc_id; - const char *vhost_id = mctx->sc->vhost_id; - int i; -- int have_rsa, have_dsa; -+ int have_rsa, have_dsa, have_ecc; - - rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); - dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); -+#ifndef OPENSSL_NO_EC -+ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); -+#endif - - have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); - have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); -+#ifndef OPENSSL_NO_EC -+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); -+#endif - -- if (!(have_rsa || have_dsa)) { -+ if (!(have_rsa || have_dsa -+#ifndef OPENSSL_NO_EC -+ || have_ecc -+#endif -+)) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+#ifndef OPENSSL_NO_EC -+ "Oops, no RSA, DSA or ECC server certificate found " -+#else - "Oops, no RSA or DSA server certificate found " -+#endif - "for '%s:%d'?!", s->server_hostname, s->port); - ssl_die(); - } - -@@ -1001,12 +1029,23 @@ - } - - have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); - have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); -+#if SSL_LIBRARY_VERSION >= 0x00908000 -+ have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); -+#endif - -- if (!(have_rsa || have_dsa)) { -+ if (!(have_rsa || have_dsa -+#if SSL_LIBRARY_VERSION >= 0x00908000 -+ || have_ecc -+#endif -+ )) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+#if SSL_LIBRARY_VERSION >= 0x00908000 -+ "Oops, no RSA, DSA or ECC server private key found?!"); -+#else - "Oops, no RSA or DSA server private key found?!"); -+#endif - ssl_die(); - } - } - ---- ./modules/ssl/ssl_engine_kernel.c.orig 2013-02-15 16:50:37.000000000 +0100 -+++ ./modules/ssl/ssl_engine_kernel.c 2013-09-07 05:43:20.000000000 +0200 -@@ -1266,8 +1266,35 @@ - - return (DH *)mc->pTmpKeys[idx]; - } - -+#ifndef OPENSSL_NO_EC -+EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) -+{ -+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -+ SSLModConfigRec *mc = myModConfig(c->base_server); -+ int idx; -+ static EC_KEY *ecdh = NULL; -+ static init = 0; -+ -+ /* XXX Uses 256-bit key for now. TODO: support other sizes. */ -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, -+ "handing out temporary 256 bit ECC key"); -+ -+ if (init == 0) { -+ ecdh = EC_KEY_new(); -+ if (ecdh != NULL) { -+ /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */ -+ EC_KEY_set_group(ecdh, -+ EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); -+ } -+ init = 1; -+ } -+ -+ return ecdh; -+} -+#endif -+ - /* - * This OpenSSL callback function is called when OpenSSL - * does client authentication and verifies the certificate chain. - */ ---- ./modules/ssl/mod_ssl.c.orig 2012-10-07 08:39:16.000000000 +0200 -+++ ./modules/ssl/mod_ssl.c 2013-09-07 05:43:20.000000000 +0200 -@@ -440,8 +440,11 @@ - * Configure callbacks for SSL connection - */ - SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); - SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); -+#ifndef OPENSSL_NO_EC -+ SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); -+#endif - - SSL_set_verify_result(ssl, X509_V_OK); - - ssl_io_filter_init(c, ssl); ---- ./modules/ssl/ssl_toolkit_compat.h.orig 2012-08-17 19:30:46.000000000 +0200 -+++ ./modules/ssl/ssl_toolkit_compat.h 2013-09-07 05:45:26.000000000 +0200 -@@ -37,8 +37,14 @@ - #include <openssl/crypto.h> - #include <openssl/evp.h> - #include <openssl/rand.h> - #include <openssl/x509v3.h> -+ -+/* ECC support came along in OpenSSL 0.9.8 */ -+#if (OPENSSL_VERSION_NUMBER < 0x00908000) -+#define OPENSSL_NO_EC -+#endif -+ - /** Avoid tripping over an engine build installed globally and detected - * when the user points at an explicit non-engine flavor of OpenSSL - */ - #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) diff --git a/www/apache22/options.mk b/www/apache22/options.mk index 0bec1554844..6b4457b4bbb 100644 --- a/www/apache22/options.mk +++ b/www/apache22/options.mk @@ -1,10 +1,10 @@ -# $NetBSD: options.mk,v 1.11 2014/01/21 23:28:46 tron Exp $ +# $NetBSD: options.mk,v 1.12 2014/02/17 17:32:55 adam Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.apache PKG_OPTIONS_REQUIRED_GROUPS= mpm PKG_OPTIONS_GROUP.mpm= apache-mpm-event apache-mpm-prefork apache-mpm-worker -PKG_SUPPORTED_OPTIONS= apache-shared-modules suexec ecc -PKG_SUGGESTED_OPTIONS= apache-shared-modules apache-mpm-prefork ecc +PKG_SUPPORTED_OPTIONS= apache-shared-modules suexec +PKG_SUGGESTED_OPTIONS= apache-shared-modules apache-mpm-prefork .include "../../mk/bsd.options.mk" @@ -67,11 +67,3 @@ BUILD_TARGET= all suexec PLIST.suexec= yes SPECIAL_PERMS+= sbin/suexec ${REAL_ROOT_USER} ${APACHE_GROUP} 4510 .endif - -PLIST_VARS+= ecc -.if !empty(PKG_OPTIONS:Mecc) -USE_TOOLS+= patch -ECC_PATCH= ${FILESDIR}/ecc2224.patch -post-patch: - ${PATCH} -d ${WRKSRC} --forward --quiet < ${ECC_PATCH} -.endif diff --git a/www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c b/www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c index bd21f88cf34..38714dac692 100644 --- a/www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c +++ b/www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c @@ -1,3 +1,5 @@ +$NetBSD: patch-modules_proxy_mod_proxy_connect.c,v 1.2 2014/02/17 17:32:56 adam Exp $ + --- modules/proxy/mod_proxy_connect.c +++ modules/proxy/mod_proxy_connect.c @@ -21,6 +21,8 @@ diff --git a/www/apache22/patches/patch-modules_ssl_ssl__engine__kernel.c b/www/apache22/patches/patch-modules_ssl_ssl__engine__kernel.c deleted file mode 100644 index dff3d1ce26c..00000000000 --- a/www/apache22/patches/patch-modules_ssl_ssl__engine__kernel.c +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-modules_ssl_ssl__engine__kernel.c,v 1.1 2012/12/23 21:32:42 spz Exp $ - -https://issues.apache.org/bugzilla/show_bug.cgi?id=49491 - ---- ./modules/ssl/ssl_engine_kernel.c.orig 2012-08-20 15:53:11.000000000 +0000 -+++ ./modules/ssl/ssl_engine_kernel.c 2012-12-21 08:18:57.000000000 +0000 -@@ -136,7 +136,7 @@ int ssl_hook_ReadReq(request_rec *r) - if (rv != APR_SUCCESS || scope_id) { - return HTTP_BAD_REQUEST; - } -- if (strcmp(host, servername)) { -+ if (strcasecmp(host, servername)) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, - "Hostname %s provided via SNI and hostname %s provided" - " via HTTP are different", servername, host); |