From e26c4bfaba5c888e3fe9a227c6ee805c4e3379f1 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 9 Jun 2012 10:58:17 +0200 Subject: httpd: sync with rawhide, backport for remi-dev --- httpd-2.4.1-layout.patch | 2 +- httpd-2.4.2-iconlink.patch | 14 --- httpd-2.4.2-icons.patch | 25 +++++ httpd-2.4.2-r1332643+.patch | 244 ++++++++++++++++++++++++++++++++++++++++++++ httpd-2.4.2-r1332643.patch | 240 ------------------------------------------- httpd-2.4.2-r1346905.patch | 65 ++++++++++++ httpd.service | 4 +- httpd.spec | 55 +++++++--- httpd.tmpfiles | 2 +- pullrev.sh | 2 +- ssl.conf | 2 +- 11 files changed, 381 insertions(+), 274 deletions(-) delete mode 100644 httpd-2.4.2-iconlink.patch create mode 100644 httpd-2.4.2-icons.patch create mode 100644 httpd-2.4.2-r1332643+.patch delete mode 100644 httpd-2.4.2-r1332643.patch create mode 100644 httpd-2.4.2-r1346905.patch diff --git a/httpd-2.4.1-layout.patch b/httpd-2.4.1-layout.patch index b1dcf5c..57cf13b 100644 --- a/httpd-2.4.1-layout.patch +++ b/httpd-2.4.1-layout.patch @@ -23,7 +23,7 @@ + cgidir: /var/www/cgi-bin + includedir: ${prefix}/include/httpd + localstatedir: /var -+ runtimedir: ${localstatedir}/run/httpd ++ runtimedir: /run/httpd + logfiledir: ${localstatedir}/log/httpd + proxycachedir: ${localstatedir}/cache/httpd + diff --git a/httpd-2.4.2-iconlink.patch b/httpd-2.4.2-iconlink.patch deleted file mode 100644 index 4ef8dd9..0000000 --- a/httpd-2.4.2-iconlink.patch +++ /dev/null @@ -1,14 +0,0 @@ - -Fix config for /icons/ dir to allow symlink to poweredby.png. - ---- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.iconlink -+++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in -@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver - Alias /icons/ "@exp_iconsdir@/" - - -- Options Indexes MultiViews -+ Options Indexes MultiViews FollowSymlinks - AllowOverride None - Require all granted - diff --git a/httpd-2.4.2-icons.patch b/httpd-2.4.2-icons.patch new file mode 100644 index 0000000..9f26494 
--- /dev/null +++ b/httpd-2.4.2-icons.patch @@ -0,0 +1,25 @@ + +- Fix config for /icons/ dir to allow symlink to poweredby.png. + +- Avoid using coredump GIF for a directory called "core" + +--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons ++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in +@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver + Alias /icons/ "@exp_iconsdir@/" + + +- Options Indexes MultiViews ++ Options Indexes MultiViews FollowSymlinks + AllowOverride None + Require all granted + +@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex +-AddIcon /icons/bomb.gif core ++AddIcon /icons/bomb.gif core. + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README diff --git a/httpd-2.4.2-r1332643+.patch b/httpd-2.4.2-r1332643+.patch new file mode 100644 index 0000000..be9b984 --- /dev/null +++ b/httpd-2.4.2-r1332643+.patch 
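Review bot: The `Options Indexes MultiViews FollowSymlinks` line in the first inner hunk enables symlink following for everything under the icons directory, not just the one file named in the patch header (poweredby.png). The visible `Require all granted` makes that directory readable by any client, so any other link that ends up there is served as well. The patch header should state the assumption, for example `Assumes @exp_iconsdir@ is writable only by root; FollowSymlinks applies to every link in it.` If the link and its target share an owner, `SymLinksIfOwnerMatch` would be a narrower option to consider. The opening line of the enclosing directory section is not visible in this hunk.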
@@ -0,0 +1,244 @@ +# ./pullrev.sh 1332643 1345599 + +https://bugzilla.redhat.com//show_bug.cgi?id=809599 + +http://svn.apache.org/viewvc?view=revision&revision=1332643 + +http://svn.apache.org/viewvc?view=revision&revision=1345599 + +--- httpd-2.4.2/modules/ssl/mod_ssl.c.r1332643+ ++++ httpd-2.4.2/modules/ssl/mod_ssl.c +@@ -260,6 +260,18 @@ static const command_rec ssl_config_cmds + AP_END_CMD + }; + ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */ ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( ++ modssl, AP, int, npn_advertise_protos_hook, ++ (conn_rec *connection, apr_array_header_t *protos), ++ (connection, protos), OK, DECLINED); ++ ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( ++ modssl, AP, int, npn_proto_negotiated_hook, ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), ++ (connection, proto_name, proto_name_len), OK, DECLINED); ++ + /* + * the various processing hooks + */ +--- httpd-2.4.2/modules/ssl/mod_ssl.h.r1332643+ ++++ httpd-2.4.2/modules/ssl/mod_ssl.h +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e + + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + ++/** The npn_advertise_protos optional hook allows other modules to add entries ++ * to the list of protocol names advertised by the server during the Next ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is ++ * given the connection and an APR array; it should push one or more char*'s ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto ++ * the array and return OK, or do nothing and return DECLINED. */ ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, ++ (conn_rec *connection, apr_array_header_t *protos)); ++ ++/** The npn_proto_negotiated optional hook allows other modules to discover the ++ * name of the protocol that was chosen during the Next Protocol Negotiation ++ * (NPN) portion of the SSL handshake. 
Note that this may be the empty string ++ * (in which case modules should probably assume HTTP), or it may be a protocol ++ * that was never even advertised by the server. The hook callee is given the ++ * connection, a non-null-terminated string containing the protocol name, and ++ * the length of the string; it should do something appropriate (i.e. insert or ++ * remove filters) and return OK, or do nothing and return DECLINED. */ ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, ++ (conn_rec *connection, const char *proto_name, ++ apr_size_t proto_name_len)); ++ + #endif /* __MOD_SSL_H__ */ + /** @} */ +--- httpd-2.4.2/modules/ssl/ssl_engine_init.c.r1332643+ ++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c +@@ -681,6 +681,11 @@ static void ssl_init_ctx_callbacks(serve + #endif + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); ++ ++#ifdef HAVE_TLS_NPN ++ SSL_CTX_set_next_protos_advertised_cb( ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); ++#endif + } + + static void ssl_init_ctx_verify(server_rec *s, +--- httpd-2.4.2/modules/ssl/ssl_engine_io.c.r1332643+ ++++ httpd-2.4.2/modules/ssl/ssl_engine_io.c +@@ -28,6 +28,7 @@ + core keeps dumping.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "apr_date.h" + + /* _________________________________________________________________ +@@ -297,6 +298,7 @@ typedef struct { + apr_pool_t *pool; + char buffer[AP_IOBUFSIZE]; + ssl_filter_ctx_t *filter_ctx; ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ + } bio_filter_in_ctx_t; + + /* +@@ -1364,6 +1366,26 @@ static apr_status_t ssl_io_filter_input( + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + ++#ifdef HAVE_TLS_NPN ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if ++ * our version of OpenSSL supports it). If we haven't already, find out ++ * which protocol was decided upon and inform other modules by calling ++ * npn_proto_negotiated_hook. 
*/ ++ if (!inctx->npn_finished) { ++ const unsigned char *next_proto = NULL; ++ unsigned next_proto_len = 0; ++ ++ SSL_get0_next_proto_negotiated( ++ inctx->ssl, &next_proto, &next_proto_len); ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, ++ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'", ++ next_proto_len, (const char*)next_proto); ++ modssl_run_npn_proto_negotiated_hook( ++ f->c, (const char*)next_proto, next_proto_len); ++ inctx->npn_finished = 1; ++ } ++#endif ++ + return APR_SUCCESS; + } + +@@ -1845,6 +1867,7 @@ static void ssl_io_input_add_filter(ssl_ + inctx->block = APR_BLOCK_READ; + inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; ++ inctx->npn_finished = 0; + } + + /* The request_rec pointer is passed in here only to ensure that the +--- httpd-2.4.2/modules/ssl/ssl_engine_kernel.c.r1332643+ ++++ httpd-2.4.2/modules/ssl/ssl_engine_kernel.c +@@ -29,6 +29,7 @@ + time I was too famous.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "util_md5.h" + + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); +@@ -2164,3 +2165,86 @@ int ssl_callback_SessionTicket(SSL *ssl, + return -1; + } + #endif ++ ++#ifdef HAVE_TLS_NPN ++/* ++ * This callback function is executed when SSL needs to decide what protocols ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a ++ * string in wire format -- a sequence of length-prefixed strings -- indicating ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb ++ * in OpenSSL for reference. 
++ */ ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, ++ unsigned int *size_out, void *arg) ++{ ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); ++ apr_array_header_t *protos; ++ int num_protos; ++ unsigned int size; ++ int i; ++ unsigned char *data; ++ unsigned char *start; ++ ++ *data_out = NULL; ++ *size_out = 0; ++ ++ /* If the connection object is not available, then there's nothing for us ++ * to do. */ ++ if (c == NULL) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to ++ * add alternate protocol names to advertise. */ ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); ++ modssl_run_npn_advertise_protos_hook(c, protos); ++ num_protos = protos->nelts; ++ ++ /* We now have a list of null-terminated strings; we need to concatenate ++ * them together into a single string, where each protocol name is prefixed ++ * by its length. First, calculate how long that string will be. */ ++ size = 0; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ unsigned int length = strlen(string); ++ /* If the protocol name is too long (the length must fit in one byte), ++ * then log an error and skip it. */ ++ if (length > 255) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307) ++ "SSL NPN protocol name too long (length=%u): %s", ++ length, string); ++ continue; ++ } ++ /* Leave room for the length prefix (one byte) plus the protocol name ++ * itself. */ ++ size += 1 + length; ++ } ++ ++ /* If there is nothing to advertise (either because no modules added ++ * anything to the protos array, or because all strings added to the array ++ * were skipped), then we're done. */ ++ if (size == 0) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Now we can build the string. Copy each protocol name string into the ++ * larger string, prefixed by its length. 
*/ ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); ++ start = data; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ apr_size_t length = strlen(string); ++ if (length > 255) ++ continue; ++ *start = (unsigned char)length; ++ ++start; ++ memcpy(start, string, length * sizeof(unsigned char)); ++ start += length; ++ } ++ ++ /* Success. */ ++ *data_out = data; ++ *size_out = size; ++ return SSL_TLSEXT_ERR_OK; ++} ++#endif +--- httpd-2.4.2/modules/ssl/ssl_private.h.r1332643+ ++++ httpd-2.4.2/modules/ssl/ssl_private.h +@@ -139,6 +139,11 @@ + #define HAVE_FIPS + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ ++ && !defined(OPENSSL_NO_TLSEXT) ++#define HAVE_TLS_NPN ++#endif ++ + #if (OPENSSL_VERSION_NUMBER >= 0x10000000) + #define MODSSL_SSL_CIPHER_CONST const + #define MODSSL_SSL_METHOD_CONST const +@@ -807,6 +812,7 @@ int ssl_callback_ServerNameIndi + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, HMAC_CTX *, int); + #endif ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); + + /** Session Cache Support */ + void ssl_scache_init(server_rec *, apr_pool_t *); diff --git a/httpd-2.4.2-r1332643.patch b/httpd-2.4.2-r1332643.patch deleted file mode 100644 index c408d29..0000000 --- a/httpd-2.4.2-r1332643.patch +++ /dev/null 
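Review bot: In the ssl_io_filter_input hunk of this patch, the debug log uses `'%*s'` with `next_proto_len`, which in printf-style formatting sets a minimum field width rather than a maximum length, so the formatter keeps reading `next_proto` until it meets a NUL byte. The mod_ssl.h comment in the same patch describes that string as non-null-terminated and possibly a protocol the server never advertised, so at debug log level this can copy bytes from beyond the negotiated-protocol buffer into the log. A precision bounds the read: `"SSL NPN negotiated protocol: '%.*s'", (int)next_proto_len, (const char*)next_proto`. Separately, in ssl_callback_AdvertiseNextProtos a zero-length name pushed by a hook passes the `length > 255` check and is emitted as a bare zero length byte; skipping empty names in both loops would keep the advertised list well-formed. ssl_io_filter_input begins outside the hunk.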
@@ -1,240 +0,0 @@ - -https://bugzilla.redhat.com//show_bug.cgi?id=809599 - -http://svn.apache.org/viewvc?view=revision&revision=1332643 - ---- httpd-2.4.2/modules/ssl/ssl_private.h -+++ httpd-2.4.2/modules/ssl/ssl_private.h -@@ -139,6 +139,11 @@ - #define HAVE_FIPS - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ -+ && !defined(OPENSSL_NO_TLSEXT) -+#define HAVE_TLS_NPN -+#endif -+ - #if (OPENSSL_VERSION_NUMBER >= 0x10000000) - #define MODSSL_SSL_CIPHER_CONST const - #define MODSSL_SSL_METHOD_CONST const -@@ -811,6 +816,7 @@ - int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, - EVP_CIPHER_CTX *, HMAC_CTX *, int); - #endif -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); - - /** Session Cache Support */ - void ssl_scache_init(server_rec *, apr_pool_t *); ---- httpd-2.4.2/modules/ssl/mod_ssl.c -+++ httpd-2.4.2/modules/ssl/mod_ssl.c -@@ -260,6 +260,18 @@ - AP_END_CMD - }; - -+/* Implement 'modssl_run_npn_advertise_protos_hook'. */ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos), -+ (connection, protos), OK, DECLINED); -+ -+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), -+ (connection, proto_name, proto_name_len), OK, DECLINED); -+ - /* - * the various processing hooks - */ ---- httpd-2.4.2/modules/ssl/mod_ssl.h -+++ httpd-2.4.2/modules/ssl/mod_ssl.h -@@ -63,5 +63,26 @@ - - APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); - -+/** The npn_advertise_protos optional hook allows other modules to add entries -+ * to the list of protocol names advertised by the server during the Next -+ * Protocol Negotiation (NPN) portion of the SSL handshake. 
The hook callee is -+ * given the connection and an APR array; it should push one or more char*'s -+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto -+ * the array and return OK, or do nothing and return DECLINED. */ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos)); -+ -+/** The npn_proto_negotiated optional hook allows other modules to discover the -+ * name of the protocol that was chosen during the Next Protocol Negotiation -+ * (NPN) portion of the SSL handshake. Note that this may be the empty string -+ * (in which case modules should probably assume HTTP), or it may be a protocol -+ * that was never even advertised by the server. The hook callee is given the -+ * connection, a non-null-terminated string containing the protocol name, and -+ * the length of the string; it should do something appropriate (i.e. insert or -+ * remove filters) and return OK, or do nothing and return DECLINED. 
*/ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, -+ apr_size_t proto_name_len)); -+ - #endif /* __MOD_SSL_H__ */ - /** @} */ ---- httpd-2.4.2/modules/ssl/ssl_engine_init.c -+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c -@@ -681,6 +681,11 @@ - #endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); -+ -+#ifdef HAVE_TLS_NPN -+ SSL_CTX_set_next_protos_advertised_cb( -+ ctx, ssl_callback_AdvertiseNextProtos, NULL); -+#endif - } - - static void ssl_init_ctx_verify(server_rec *s, ---- httpd-2.4.2/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.2/modules/ssl/ssl_engine_io.c -@@ -28,6 +28,7 @@ - core keeps dumping.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "apr_date.h" - - /* _________________________________________________________________ -@@ -297,6 +298,7 @@ - apr_pool_t *pool; - char buffer[AP_IOBUFSIZE]; - ssl_filter_ctx_t *filter_ctx; -+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ - } bio_filter_in_ctx_t; - - /* -@@ -1374,6 +1376,27 @@ - APR_BRIGADE_INSERT_TAIL(bb, bucket); - } - -+#ifdef HAVE_TLS_NPN -+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if -+ * our version of OpenSSL supports it). If we haven't already, find out -+ * which protocol was decided upon and inform other modules by calling -+ * npn_proto_negotiated_hook. 
*/ -+ if (!inctx->npn_finished) { -+ const unsigned char *next_proto = NULL; -+ unsigned next_proto_len = 0; -+ -+ SSL_get0_next_proto_negotiated( -+ inctx->ssl, &next_proto, &next_proto_len); -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, -+ "SSL NPN negotiated protocol: '%s'", -+ apr_pstrmemdup(f->c->pool, (const char*)next_proto, -+ next_proto_len)); -+ modssl_run_npn_proto_negotiated_hook( -+ f->c, (const char*)next_proto, next_proto_len); -+ inctx->npn_finished = 1; -+ } -+#endif -+ - return APR_SUCCESS; - } - -@@ -1855,6 +1878,7 @@ - inctx->block = APR_BLOCK_READ; - inctx->pool = c->pool; - inctx->filter_ctx = filter_ctx; -+ inctx->npn_finished = 0; - } - - /* The request_rec pointer is passed in here only to ensure that the ---- httpd-2.4.2/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.2/modules/ssl/ssl_engine_kernel.c -@@ -29,6 +29,7 @@ - time I was too famous.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "util_md5.h" - - static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -@@ -2143,3 +2144,84 @@ - return -1; - } - #endif -+ -+#ifdef HAVE_TLS_NPN -+/* -+ * This callback function is executed when SSL needs to decide what protocols -+ * to advertise during Next Protocol Negotiation (NPN). It must produce a -+ * string in wire format -- a sequence of length-prefixed strings -- indicating -+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb -+ * in OpenSSL for reference. -+ */ -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, -+ unsigned int *size_out, void *arg) -+{ -+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); -+ apr_array_header_t *protos; -+ int num_protos; -+ unsigned int size; -+ int i; -+ unsigned char *data; -+ unsigned char *start; -+ -+ *data_out = NULL; -+ *size_out = 0; -+ -+ /* If the connection object is not available, then there's nothing for us -+ * to do. 
*/ -+ if (c == NULL) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to -+ * add alternate protocol names to advertise. */ -+ protos = apr_array_make(c->pool, 0, sizeof(char*)); -+ modssl_run_npn_advertise_protos_hook(c, protos); -+ num_protos = protos->nelts; -+ -+ /* We now have a list of null-terminated strings; we need to concatenate -+ * them together into a single string, where each protocol name is prefixed -+ * by its length. First, calculate how long that string will be. */ -+ size = 0; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ unsigned int length = strlen(string); -+ /* If the protocol name is too long (the length must fit in one byte), -+ * then log an error and skip it. */ -+ if (length > 255) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, -+ "SSL NPN protocol name too long (length=%u): %s", -+ length, string); -+ continue; -+ } -+ /* Leave room for the length prefix (one byte) plus the protocol name -+ * itself. */ -+ size += 1 + length; -+ } -+ -+ /* If there is nothing to advertise (either because no modules added -+ * anything to the protos array, or because all strings added to the array -+ * were skipped), then we're done. */ -+ if (size == 0) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Now we can build the string. Copy each protocol name string into the -+ * larger string, prefixed by its length. */ -+ data = apr_palloc(c->pool, size * sizeof(unsigned char)); -+ start = data; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ apr_size_t length = strlen(string); -+ *start = (unsigned char)length; -+ ++start; -+ memcpy(start, string, length * sizeof(unsigned char)); -+ start += length; -+ } -+ -+ /* Success. */ -+ *data_out = data; -+ *size_out = size; -+ return SSL_TLSEXT_ERR_OK; -+} -+#endif 
diff --git a/httpd-2.4.2-r1346905.patch b/httpd-2.4.2-r1346905.patch new file mode 100644 index 0000000..e94558e --- /dev/null +++ b/httpd-2.4.2-r1346905.patch @@ -0,0 +1,65 @@ +# ./pullrev.sh 1346905 + +https://bugzilla.redhat.com/show_bug.cgi?id=818684 + +http://svn.apache.org/viewvc?view=revision&revision=1346905 + +--- httpd-2.4.2/support/htdbm.c ++++ httpd-2.4.2/support/htdbm.c +@@ -288,6 +288,9 @@ + { + char cpw[MAX_STRING_LEN]; + char salt[9]; ++#if (!(defined(WIN32) || defined(NETWARE))) ++ char *cbuf; ++#endif + + switch (htdbm->alg) { + case ALG_APSHA: +@@ -315,7 +318,15 @@ + (void) srand((int) time((time_t *) NULL)); + to64(&salt[0], rand(), 8); + salt[8] = '\0'; +- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1); ++ cbuf = crypt(htdbm->userpass, salt); ++ if (cbuf == NULL) { ++ char errbuf[128]; ++ ++ fprintf(stderr, "crypt() failed: %s\n", ++ apr_strerror(errno, errbuf, sizeof errbuf)); ++ exit(ERR_PWMISMATCH); ++ } ++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1); + fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n"); + #endif + default: +--- httpd-2.4.2/support/htpasswd.c ++++ httpd-2.4.2/support/htpasswd.c +@@ -174,6 +174,9 @@ + char pwv[MAX_STRING_LEN]; + char salt[9]; + apr_size_t bufsize; ++#if CRYPT_ALGO_SUPPORTED ++ char *cbuf; ++#endif + + if (passwd != NULL) { + pw = passwd; +@@ -226,7 +229,16 @@ + to64(&salt[0], rand(), 8); + salt[8] = '\0'; + +- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1); ++ cbuf = crypt(pw, salt); ++ if (cbuf == NULL) { ++ char errbuf[128]; ++ ++ apr_snprintf(record, rlen-1, "crypt() failed: %s", ++ apr_strerror(errno, errbuf, sizeof errbuf)); ++ return ERR_PWMISMATCH; ++ } ++ ++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1); + if (strlen(pw) > 8) { + char *truncpw = strdup(pw); + truncpw[8] = '\0'; diff --git a/httpd.service b/httpd.service index c1172b4..0e9f0c0 100644 --- a/httpd.service +++ b/httpd.service 
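Review bot: Both new crypt() failure paths (`exit(ERR_PWMISMATCH)` in htdbm.c and `return ERR_PWMISMATCH` in htpasswd.c) reuse a code whose name suggests a password-confirmation mismatch, so a calling script cannot tell a hashing failure from a mistyped password. A dedicated error code would be clearer, or at least a comment such as `/* crypt() may return NULL, e.g. if the algorithm is unavailable; reported as ERR_PWMISMATCH for lack of a better code */`. htdbm.c also exits from inside the hashing helper while htpasswd.c returns to its caller; returning in both would keep cleanup in one place. Both functions begin and end outside the hunks, so their cleanup paths are not visible here.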
@@ -1,10 +1,10 @@ [Unit] Description=The Apache HTTP Server -After=syslog.target network.target remote-fs.target nss-lookup.target +After=network.target remote-fs.target nss-lookup.target [Service] Type=forking -PIDFile=/var/run/httpd/httpd.pid +PIDFile=/run/httpd/httpd.pid EnvironmentFile=/etc/sysconfig/httpd ExecStart=/usr/sbin/httpd $OPTIONS ExecReload=/usr/sbin/httpd $OPTIONS -k graceful diff --git a/httpd.spec b/httpd.spec index 62b6737..e46007f 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.2 -Release: 12%{?dist} +Release: 18%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -44,12 +44,13 @@ Patch23: httpd-2.4.1-export.patch Patch24: httpd-2.4.1-corelimit.patch Patch25: httpd-2.4.1-selinux.patch Patch26: httpd-2.4.2-r1337344+.patch -Patch27: httpd-2.4.2-iconlink.patch +Patch27: httpd-2.4.2-icons.patch # Bug fixes Patch40: httpd-2.4.2-restart.patch Patch41: httpd-2.4.2-r1327036+.patch Patch42: httpd-2.4.2-r1326980+.patch -Patch43: httpd-2.4.2-r1332643.patch +Patch43: httpd-2.4.2-r1332643+.patch +Patch44: httpd-2.4.2-r1346905.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -155,12 +156,13 @@ authentication to the Apache HTTP Server. %patch24 -p1 -b .corelimit %patch25 -p1 -b .selinux %patch26 -p1 -b .r1337344+ -%patch27 -p1 -b .iconlink +%patch27 -p1 -b .icons %patch40 -p1 -b .restart %patch41 -p1 -b .r1327036+ %patch42 -p1 -b .r1326980+ -%patch43 -p1 -b .r1332643 +%patch43 -p1 -b .r1332643+ +%patch44 -p1 -b .r1346905 # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 
@@ -240,9 +242,9 @@ rm -rf $RPM_BUILD_ROOT make DESTDIR=$RPM_BUILD_ROOT install # Install systemd service files -mkdir -p $RPM_BUILD_ROOT/lib/systemd/system +mkdir -p $RPM_BUILD_ROOT%{_unitdir} install -p -m 644 $RPM_SOURCE_DIR/httpd.service \ - $RPM_BUILD_ROOT/lib/systemd/system/httpd.service + $RPM_BUILD_ROOT%{_unitdir}/httpd.service # install conf file/directory mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d \ @@ -279,9 +281,9 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.sysconf \ $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd # tmpfiles.d configuration -mkdir $RPM_BUILD_ROOT%{_sysconfdir}/tmpfiles.d +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d install -m 644 -p $RPM_SOURCE_DIR/httpd.tmpfiles \ - $RPM_BUILD_ROOT%{_sysconfdir}/tmpfiles.d/httpd.conf + $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/httpd.conf # for holding mod_dav lock database mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/dav @@ -334,7 +336,7 @@ ln -s ../../pixmaps/poweredby.png \ # symlinks for /etc/httpd ln -s ../..%{_localstatedir}/log/httpd $RPM_BUILD_ROOT/etc/httpd/logs -ln -s ../..%{_localstatedir}/run/httpd $RPM_BUILD_ROOT/etc/httpd/run +ln -s /run/httpd $RPM_BUILD_ROOT/etc/httpd/run ln -s ../..%{_libdir}/httpd/modules $RPM_BUILD_ROOT/etc/httpd/modules # install http-ssl-pass-dialog @@ -353,7 +355,7 @@ sed -e "s|/usr/local/apache2/conf/httpd.conf|/etc/httpd/conf/httpd.conf|" \ -e "s|/usr/local/apache2/conf/magic|/etc/httpd/conf/magic|" \ -e "s|/usr/local/apache2/logs/error_log|/var/log/httpd/error_log|" \ -e "s|/usr/local/apache2/logs/access_log|/var/log/httpd/access_log|" \ - -e "s|/usr/local/apache2/logs/httpd.pid|/var/run/httpd/httpd.pid|" \ + -e "s|/usr/local/apache2/logs/httpd.pid|/run/httpd/httpd.pid|" \ -e "s|/usr/local/apache2|/etc/httpd|" < docs/man/httpd.8 \ > $RPM_BUILD_ROOT%{_mandir}/man8/httpd.8 
@@ -483,7 +485,7 @@ rm -rf $RPM_BUILD_ROOT %exclude %{_sysconfdir}/httpd/conf.modules.d/01-ldap.conf %config(noreplace) %{_sysconfdir}/sysconfig/httpd -%config %{_sysconfdir}/tmpfiles.d/httpd.conf +%{_prefix}/lib/tmpfiles.d/httpd.conf %{_sbindir}/ht* %{_sbindir}/fcgistarter @@ -513,7 +515,7 @@ rm -rf $RPM_BUILD_ROOT %dir %{docroot}/cgi-bin %dir %{docroot}/html -%attr(0710,root,apache) %dir %{_localstatedir}/run/httpd +%attr(0710,root,apache) %dir /run/httpd %attr(0700,root,root) %dir %{_localstatedir}/log/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd @@ -521,7 +523,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/* -/lib/systemd/system/*.service +%{_unitdir}/*.service %files tools %defattr(-,root,root) @@ -565,6 +567,31 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Sat Jun 09 2012 Remi Collet - 2.4.2-18 +- sync with rawhide, rebuild for remi repo + +* Fri Jun 8 2012 Joe Orton - 2.4.2-18 +- avoid use of "core" GIF for a "core" directory (#168776) +- drop use of "syslog.target" in systemd unit file + +* Thu Jun 7 2012 Joe Orton - 2.4.2-17 +- use _unitdir for systemd unit file +- use /run in unit file, ssl.conf + +* Thu Jun 7 2012 Joe Orton - 2.4.2-16 +- mod_ssl: fix NPN patch merge + +* Wed Jun 6 2012 Joe Orton - 2.4.2-15 +- move tmpfiles.d fragment into /usr/lib per new guidelines +- package /run/httpd not /var/run/httpd +- set runtimedir to /run/httpd likewise + +* Wed Jun 6 2012 Joe Orton - 2.4.2-14 +- fix htdbm/htpasswd crash on crypt() failure (#818684) + +* Wed Jun 6 2012 Joe Orton - 2.4.2-13 +- pull fix for NPN patch from upstream (r1345599) + * Sat Jun 02 2012 Remi Collet - 2.4.2-12 - sync with rawhide, rebuild for remi repo diff --git a/httpd.tmpfiles b/httpd.tmpfiles index 0cad373..49be6b8 100644 --- a/httpd.tmpfiles +++ b/httpd.tmpfiles @@ -1 +1 @@ -d /var/run/httpd 710 root apache +d /run/httpd 710 root apache 
diff --git a/pullrev.sh b/pullrev.sh index 9968fa3..7ee601e 100755 --- a/pullrev.sh +++ b/pullrev.sh @@ -34,7 +34,7 @@ prev=/dev/null for r in $*; do echo "+ fetching ${r}" this=`mktemp /tmp/pullrevXXXXXX` - svn diff -c ${r} ${repo} | filterdiff --remove-timestamps -x 'CHANGES' \ + svn diff -c ${r} ${repo} | filterdiff --remove-timestamps -x 'CHANGES' -x 'next-number' \ --addprefix="${prefix}/" > ${this} next=`mktemp /tmp/pullrevXXXXXX` combinediff --quiet ${prev} ${this} > ${next} diff --git a/ssl.conf b/ssl.conf index c6b89e3..ff60307 100644 --- a/ssl.conf +++ b/ssl.conf @@ -20,7 +20,7 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). -SSLSessionCache shmcb:/var/run/httpd/sslcache(512000) +SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 # Pseudo Random Number Generator (PRNG): -- cgit