diff --git a/.gitignore b/.gitignore index 260a2d6..9969f1d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ SOURCES/httpd-2.4.6.tar.bz2 -SOURCES/centos-noindex.tar.gz diff --git a/.httpd.metadata b/.httpd.metadata index 17ede1b..d335a99 100644 --- a/.httpd.metadata +++ b/.httpd.metadata @@ -1,2 +1 @@ 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2 -6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz diff --git a/SOURCES/httpd-2.4.6-default-port-worker.patch b/SOURCES/httpd-2.4.6-default-port-worker.patch new file mode 100644 index 0000000..25315e2 --- /dev/null +++ b/SOURCES/httpd-2.4.6-default-port-worker.patch @@ -0,0 +1,13 @@ +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index e672e4a..8be833a 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -3557,6 +3557,8 @@ static proxy_schemes_t pschemes[] = + {"fcgi", 8000}, + {"ajp", AJP13_DEF_PORT}, + {"scgi", 4000}, ++ {"ws", 80}, ++ {"wss", 443}, + { NULL, 0xFFFF } /* unknown port */ + }; + diff --git a/SOURCES/httpd-2.4.6-mpm-segfault.patch b/SOURCES/httpd-2.4.6-mpm-segfault.patch index d42be44..55a6d08 100644 --- a/SOURCES/httpd-2.4.6-mpm-segfault.patch +++ b/SOURCES/httpd-2.4.6-mpm-segfault.patch @@ -8,3 +8,14 @@ if (one_process) { /* not worth thinking about */ + +--- a/server/mpm/worker/worker.c ++++ b/server/mpm/worker/worker.c +@@ -1902,6 +1902,7 @@ static int worker_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s) + + /* we've been told to restart */ + apr_signal(SIGHUP, SIG_IGN); ++ apr_signal(AP_SIG_GRACEFUL, SIG_IGN); + + if (one_process) { + /* not worth thinking about */ diff --git a/SOURCES/httpd-2.4.6-r1515372.patch b/SOURCES/httpd-2.4.6-r1515372.patch new file mode 100644 index 0000000..dc782ac --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1515372.patch @@ -0,0 +1,11 @@ +--- a/modules/ldap/util_ldap_cache.c 2013/08/19 11:41:29 1515371 ++++ b/modules/ldap/util_ldap_cache.c 2013/08/19 11:45:19 1515372 +@@ -52,7 +52,7 @@ + + if (node) { + if (!(node->url = util_ald_strdup(cache, n->url))) { +- util_ald_free(cache, node->url); ++ util_ald_free(cache, node); + return NULL; + } + node->search_cache = n->search_cache; diff --git a/SOURCES/httpd-2.4.6-r1555539.patch b/SOURCES/httpd-2.4.6-r1555539.patch new file mode 100644 index 0000000..414d127 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1555539.patch @@ -0,0 +1,265 @@ +diff --git a/docs/manual/expr.html.en b/docs/manual/expr.html.en +index 5c3ae45..8bd941a 100644 +--- a/docs/manual/expr.html.en ++++ b/docs/manual/expr.html.en +@@ -46,7 +46,7 @@ +
  • Other
    • +
  • Comparison with SSLRequire
    • +
  • Version History
    • +-

    See also

    ++

    See also

    +
    top
    +
    +

    Grammar in Backus-Naur Form notation

    +diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en +index 7199052..c86dc8a 100644 +--- a/docs/manual/mod/mod_authnz_ldap.html.en ++++ b/docs/manual/mod/mod_authnz_ldap.html.en +@@ -350,6 +350,9 @@ for HTTP Basic authentication. + ldap-filter. Other authorization types may also be + used but may require that additional authorization modules be loaded.

    + ++

    Since v2.5.0, expressions are supported ++ within the LDAP require directives.

    ++ +

    Require ldap-user

    + +

    The Require ldap-user directive specifies what +@@ -576,6 +579,16 @@ Require ldap-group cn=Administrators, o=Example + + +

  • ++ Grant access to anybody in the group whose name matches the ++ hostname of the virtual host. In this example an ++ expression is used to build the filter. ++ ++AuthLDAPURL ldap://ldap.example.com/o=Example?uid ++Require ldap-group cn=%{SERVER_NAME}, o=Example ++ ++
    • ++ ++
  • + The next example assumes that everyone at Example who + carries an alphanumeric pager will have an LDAP attribute + of qpagePagerID. The example will grant access +diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c +index 2c25dbc..063debe 100644 +--- a/modules/aaa/mod_authnz_ldap.c ++++ b/modules/aaa/mod_authnz_ldap.c +@@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r, + + util_ldap_connection_t *ldc = NULL; + ++ const char *err = NULL; ++ const ap_expr_info_t *expr = parsed_require_args; ++ const char *require; ++ + const char *t; + char *w; + +@@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r, + return AUTHZ_DENIED; + } + ++ require = ap_expr_str_exec(r, expr, &err); ++ if (err) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) ++ "auth_ldap authorize: require user: Can't evaluate expression: %s", ++ err); ++ return AUTHZ_DENIED; ++ } ++ + /* + * First do a whole-line compare, in case it's something like + * require user Babs Jensen + */ +- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args); ++ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) +@@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r, + /* + * Now break apart the line and compare each word on it + */ +- t = require_args; ++ t = require; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); + switch(result) { +@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r, + + util_ldap_connection_t *ldc = NULL; + ++ const char *err = NULL; ++ const ap_expr_info_t *expr = parsed_require_args; ++ const char *require; ++ + const char *t; + + char filtbuf[FILTER_LENGTH]; +@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r, + } + } + +- t = require_args; ++ require = ap_expr_str_exec(r, expr, &err); ++ if (err) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) ++ "auth_ldap authorize: require group: Can't evaluate expression: %s", ++ err); ++ return AUTHZ_DENIED; ++ } ++ ++ t = require; + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) + "auth_ldap authorize: require group: testing for group " +@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r, + + util_ldap_connection_t *ldc = NULL; + ++ const char *err = NULL; ++ const ap_expr_info_t *expr = parsed_require_args; ++ const char *require; ++ + const char *t; + + char filtbuf[FILTER_LENGTH]; +@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r, + req->user = r->user; + } + +- t = require_args; ++ require = ap_expr_str_exec(r, expr, &err); ++ if (err) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) ++ "auth_ldap authorize: require dn: Can't evaluate expression: %s", ++ err); ++ return AUTHZ_DENIED; ++ } ++ ++ t = require; + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) +@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r, + + util_ldap_connection_t *ldc = NULL; + ++ const char *err = NULL; ++ const ap_expr_info_t *expr = parsed_require_args; ++ const char *require; ++ + const char *t; + char *w, *value; + +@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r, + return AUTHZ_DENIED; + } + +- t = require_args; ++ require = ap_expr_str_exec(r, expr, &err); ++ if (err) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) ++ "auth_ldap authorize: require ldap-attribute: Can't " ++ "evaluate expression: %s", err); ++ return AUTHZ_DENIED; ++ } ++ ++ t = require; ++ + while (t[0]) { + w = ap_getword(r->pool, &t, '='); + value = ap_getword_conf(r->pool, &t); +@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r, + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; ++ ++ const char *err = NULL; ++ const ap_expr_info_t *expr = parsed_require_args; ++ const char *require; ++ + const char *t; + + char filtbuf[FILTER_LENGTH]; +@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r, + return AUTHZ_DENIED; + } + +- t = require_args; ++ require = ap_expr_str_exec(r, expr, &err); ++ if (err) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) ++ "auth_ldap authorize: require ldap-filter: Can't " ++ "evaluate require expression: %s", err); ++ return AUTHZ_DENIED; ++ } ++ ++ t = require; + + if (t[0]) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) +@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r, + return AUTHZ_DENIED; + } + ++static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line, ++ const void **parsed_require_line) ++{ ++ const char *expr_err = NULL; ++ ap_expr_info_t *expr; ++ ++ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, ++ &expr_err, NULL); ++ ++ if (expr_err) ++ return apr_pstrcat(cmd->temp_pool, ++ "Cannot parse expression in require line: ", ++ expr_err, NULL); ++ ++ *parsed_require_line = expr; ++ ++ return NULL; ++} ++ + + /* + * Use the ldap url parsing routines to break up the ldap url into +@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider = + static const authz_provider authz_ldapuser_provider = + { + &ldapuser_check_authorization, +- NULL, ++ &ldap_parse_config, + }; + static const authz_provider authz_ldapgroup_provider = + { + &ldapgroup_check_authorization, +- NULL, ++ &ldap_parse_config, + }; + + static const authz_provider authz_ldapdn_provider = + { + &ldapdn_check_authorization, +- NULL, ++ &ldap_parse_config, + }; + + static const authz_provider authz_ldapattribute_provider = + { + &ldapattribute_check_authorization, +- NULL, ++ &ldap_parse_config, + }; + + static const authz_provider authz_ldapfilter_provider = + { + &ldapfilter_check_authorization, +- NULL, ++ &ldap_parse_config, + }; + + static void ImportULDAPOptFn(void) diff --git a/SOURCES/httpd-2.4.6-r1737363.patch b/SOURCES/httpd-2.4.6-r1737363.patch new file mode 100644 index 0000000..90d3101 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1737363.patch @@ -0,0 +1,26 @@ +# ./pullrev.sh 1737363 +http://svn.apache.org/viewvc?view=revision&revision=1737363 + +--- httpd-2.4.6/modules/proxy/mod_proxy_express.c ++++ httpd-2.4.6/modules/proxy/mod_proxy_express.c +@@ -145,16 +145,14 @@ + key.dsize = strlen(key.dptr); + + rv = apr_dbm_fetch(db, key, &val); ++ if (rv == APR_SUCCESS) { ++ backend = apr_pstrmemdup(r->pool, val.dptr, val.dsize); ++ } + apr_dbm_close(db); +- if (rv != APR_SUCCESS) { ++ if (rv != APR_SUCCESS || !backend) { + return DECLINED; + } + +- backend = apr_pstrmemdup(r->pool, val.dptr, val.dsize); +- if (!backend) { +- return DECLINED; +- } +- + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01004) + "proxy_express: found %s -> %s", name, backend); + r->filename = apr_pstrcat(r->pool, "proxy:", backend, r->uri, NULL); diff --git a/SOURCES/httpd-2.4.6-r1824872.patch b/SOURCES/httpd-2.4.6-r1824872.patch new file mode 100644 index 0000000..2cec77f --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1824872.patch @@ -0,0 +1,25 @@ +--- a/modules/ldap/util_ldap.c 2018/02/20 13:00:39 1824871 ++++ b/modules/ldap/util_ldap.c 2018/02/20 13:02:54 1824872 +@@ -2858,7 +2858,6 @@ + st->search_cache_size = base->search_cache_size; + st->compare_cache_ttl = base->compare_cache_ttl; + st->compare_cache_size = base->compare_cache_size; +- st->util_ldap_cache_lock = base->util_ldap_cache_lock; + + st->connections = NULL; + st->ssl_supported = 0; /* not known until post-config and re-merged */ +@@ -2977,12 +2976,12 @@ + st_vhost = (util_ldap_state_t *) + ap_get_module_config(s_vhost->module_config, + &ldap_module); +- ++ st_vhost->util_ldap_cache = st->util_ldap_cache; ++ st_vhost->util_ldap_cache_lock = st->util_ldap_cache_lock; + #if APR_HAS_SHARED_MEMORY + st_vhost->cache_shm = st->cache_shm; + st_vhost->cache_rmm = st->cache_rmm; + st_vhost->cache_file = st->cache_file; +- st_vhost->util_ldap_cache = st->util_ldap_cache; + ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s, APLOGNO(01316) + "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp " + "for VHOST: %s", st->cache_shm, st->cache_rmm, diff --git a/SOURCES/httpd-2.4.6-r1825120.patch b/SOURCES/httpd-2.4.6-r1825120.patch new file mode 100644 index 0000000..f490839 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1825120.patch @@ -0,0 +1,96 @@ +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 57b76c0..814ec4f 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -1522,70 +1522,18 @@ void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_poo + } + } + +-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, +- const X509_NAME * const *b) +-{ +- return(X509_NAME_cmp(*a, *b)); +-} +- +-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, +- server_rec *s, apr_pool_t *ptemp, +- const char *file) +-{ +- int n; +- STACK_OF(X509_NAME) *sk; +- +- sk = (STACK_OF(X509_NAME) *) +- SSL_load_client_CA_file(file); +- +- if (!sk) { +- return; +- } +- +- for (n = 0; n < sk_X509_NAME_num(sk); n++) { +- X509_NAME *name = sk_X509_NAME_value(sk, n); +- +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209) +- "CA certificate: %s", +- SSL_X509_NAME_to_string(ptemp, name, 0)); +- +- /* +- * note that SSL_load_client_CA_file() checks for duplicates, +- * but since we call it multiple times when reading a directory +- * we must also check for duplicates ourselves. +- */ +- +- if (sk_X509_NAME_find(ca_list, name) < 0) { +- /* this will be freed when ca_list is */ +- sk_X509_NAME_push(ca_list, name); +- } +- else { +- /* need to free this ourselves, else it will leak */ +- X509_NAME_free(name); +- } +- } +- +- sk_X509_NAME_free(sk); +-} +- + STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, + apr_pool_t *ptemp, + const char *ca_file, + const char *ca_path) + { +- STACK_OF(X509_NAME) *ca_list; +- +- /* +- * Start with a empty stack/list where new +- * entries get added in sorted order. +- */ +- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp); ++ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();; + + /* + * Process CA certificate bundle file + */ + if (ca_file) { +- ssl_init_PushCAList(ca_list, s, ptemp, ca_file); ++ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file); + /* + * If ca_list is still empty after trying to load ca_file + * then the file failed to load, and users should hear about that. +@@ -1619,17 +1567,12 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, + continue; /* don't try to load directories */ + } + file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL); +- ssl_init_PushCAList(ca_list, s, ptemp, file); ++ SSL_add_file_cert_subjects_to_stack(ca_list, file); + } + + apr_dir_close(dir); + } + +- /* +- * Cleanup +- */ +- (void) sk_X509_NAME_set_cmp_func(ca_list, NULL); +- + return ca_list; + } + diff --git a/SOURCES/httpd-2.4.6-r1826995.patch b/SOURCES/httpd-2.4.6-r1826995.patch new file mode 100644 index 0000000..abbcb33 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1826995.patch @@ -0,0 +1,198 @@ +diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en +index 4580f1c..fb8202e 100644 +--- a/docs/manual/mod/mod_ssl.html.en ++++ b/docs/manual/mod/mod_ssl.html.en +@@ -991,7 +991,8 @@ the certificate being verified.

    +

    This option enables OCSP validation of the client certificate + chain. If this option is enabled, certificates in the client's + certificate chain will be validated against an OCSP responder after +-normal verification (including CRL checks) have taken place.

    ++normal verification (including CRL checks) have taken place. In ++mode 'leaf', only the client certificate itself will be validated.

    + +

    The OCSP responder used is either extracted from the certificate + itself, or derived by configuration; see the +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index 4a8b661..e637a9d 100644 +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -227,8 +227,8 @@ static const command_rec ssl_config_cmds[] = { + "request body if a per-location SSL renegotiation is required due to " + "changed access control requirements") + +- SSL_CMD_SRV(OCSPEnable, FLAG, +- "Enable use of OCSP to verify certificate revocation ('on', 'off')") ++ SSL_CMD_SRV(OCSPEnable, RAW_ARGS, ++ "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')") + SSL_CMD_SRV(OCSPDefaultResponder, TAKE1, + "URL of the default OCSP Responder") + SSL_CMD_SRV(OCSPOverrideResponder, FLAG, +diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c +index 86a7f0f..714aee9 100644 +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -130,7 +130,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx) + mctx->auth.verify_depth = UNSET; + mctx->auth.verify_mode = SSL_CVERIFY_UNSET; + +- mctx->ocsp_enabled = FALSE; ++ mctx->ocsp_mask = UNSET; + mctx->ocsp_force_default = FALSE; + mctx->ocsp_responder = NULL; + mctx->ocsp_resptime_skew = UNSET; +@@ -264,7 +264,7 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base, + cfgMergeInt(auth.verify_depth); + cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET); + +- cfgMergeBool(ocsp_enabled); ++ cfgMergeInt(ocsp_mask); + cfgMergeBool(ocsp_force_default); + cfgMerge(ocsp_responder, NULL); + cfgMergeInt(ocsp_resptime_skew); +@@ -1575,11 +1575,46 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg, + return NULL; + } + +-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag) ++static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms, ++ const char *arg, ++ int *mask) + { +- SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ const char *w; ++ ++ w = ap_getword_conf(parms->temp_pool, &arg); ++ if (strcEQ(w, "off")) { ++ *mask = SSL_OCSPCHECK_NONE; ++ } ++ else if (strcEQ(w, "leaf")) { ++ *mask = SSL_OCSPCHECK_LEAF; ++ } ++ else if (strcEQ(w, "on")) { ++ *mask = SSL_OCSPCHECK_CHAIN; ++ } ++ else { ++ return apr_pstrcat(parms->temp_pool, parms->cmd->name, ++ ": Invalid argument '", w, "'", ++ NULL); ++ } ++ ++ while (*arg) { ++ w = ap_getword_conf(parms->temp_pool, &arg); ++ if (strcEQ(w, "no_ocsp_for_cert_ok")) { ++ *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK; ++ } ++ else { ++ return apr_pstrcat(parms->temp_pool, parms->cmd->name, ++ ": Invalid argument '", w, "'", ++ NULL); ++ } ++ } + +- sc->server->ocsp_enabled = flag ? TRUE : FALSE; ++ return NULL; ++} ++ ++const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + #ifdef OPENSSL_NO_OCSP + if (flag) { +@@ -1588,7 +1623,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag) + } + #endif + +- return NULL; ++ return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask); + } + + const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag) +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 672760c..57b76c0 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -762,6 +762,10 @@ static void ssl_init_ctx_crl(server_rec *s, + unsigned long crlflags = 0; + char *cfgp = mctx->pkp ? "SSLProxy" : "SSL"; + ++ if (mctx->ocsp_mask == UNSET) { ++ mctx->ocsp_mask = SSL_OCSPCHECK_NONE; ++ } ++ + /* + * Configure Certificate Revocation List (CRL) Details + */ +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 5ff35f5..9dc236c 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1416,7 +1416,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) + /* + * Perform OCSP-based revocation checks + */ +- if (ok && sc->server->ocsp_enabled) { ++ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) || ++ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { + /* If there was an optional verification error, it's not + * possible to perform OCSP validation since the issuer may be + * missing/untrusted. Fail in that case. */ +diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c +index 90da5c2..58d267b 100644 +--- a/modules/ssl/ssl_engine_ocsp.c ++++ b/modules/ssl/ssl_engine_ocsp.c +@@ -136,7 +136,14 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, + + ruri = determine_responder_uri(sc, cert, c, pool); + if (!ruri) { +- return V_OCSP_CERTSTATUS_UNKNOWN; ++ if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) { ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, ++ "Skipping OCSP check for certificate cos no OCSP URL" ++ " found and no_ocsp_for_cert_ok is set"); ++ return V_OCSP_CERTSTATUS_GOOD; ++ } else { ++ return V_OCSP_CERTSTATUS_UNKNOWN; ++ } + } + + request = create_request(ctx, cert, &certID, s, pool); +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index b601316..2d505f9 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -379,6 +379,16 @@ typedef enum { + } ssl_crlcheck_t; + + /** ++ * OCSP checking mask (mode | flags) ++ */ ++typedef enum { ++ SSL_OCSPCHECK_NONE = (0), ++ SSL_OCSPCHECK_LEAF = (1 << 0), ++ SSL_OCSPCHECK_CHAIN = (1 << 1), ++ SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2) ++} ssl_ocspcheck_t; ++ ++/** + * Define the SSL pass phrase dialog types + */ + typedef enum { +@@ -668,7 +678,7 @@ typedef struct { + + modssl_auth_ctx_t auth; + +- BOOL ocsp_enabled; /* true if OCSP verification enabled */ ++ int ocsp_mask; + BOOL ocsp_force_default; /* true if the default responder URL is + * used regardless of per-cert URL */ + const char *ocsp_responder; /* default responder URL */ +@@ -796,7 +806,7 @@ const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const ch + const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg); + const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg); + const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); +-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); ++const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *flag); + + #ifndef OPENSSL_NO_SRP + const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf index c1b6c11..5d1e452 100644 --- a/SOURCES/welcome.conf +++ b/SOURCES/welcome.conf @@ -16,7 +16,3 @@ Alias /.noindex.html /usr/share/httpd/noindex/index.html -Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css -Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css -Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif -Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 9555865..296bca2 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -4,7 +4,7 @@ %define mmn 20120211 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits} -%define vstring CentOS +%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT}) # Drop automatic provides for module DSOs %{?filter_setup: @@ -15,10 +15,10 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 80%{?dist}.1 +Release: 88%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex.tar.gz +Source1: index.html Source2: httpd.logrotate Source3: httpd.sysconf Source4: httpd-ssl-pass-dialog @@ -135,6 +135,7 @@ Patch111: httpd-2.4.6-r1348019.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1396197 Patch112: httpd-2.4.6-r1587053.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1376835 +# https://bugzilla.redhat.com/show_bug.cgi?id=1527295 Patch113: httpd-2.4.6-mpm-segfault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1372692 Patch114: httpd-2.4.6-r1681114.patch @@ -174,6 +175,20 @@ Patch130: httpd-2.4.6-r1811976.patch Patch131: httpd-2.4.6-r1650310.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1557785 Patch132: httpd-2.4.6-r1530999.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1533793 +Patch133: httpd-2.4.6-r1555539.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1523536 +Patch134: httpd-2.4.6-r1737363.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1548501 +Patch135: httpd-2.4.6-r1826995.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1556761 +Patch136: httpd-2.4.6-default-port-worker.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1493181 +Patch137: httpd-2.4.6-r1825120.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1458364 +Patch138: httpd-2.4.6-r1515372.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1458364 +Patch139: httpd-2.4.6-r1824872.patch # Security fixes Patch200: httpd-2.4.6-CVE-2013-6438.patch @@ -410,6 +425,14 @@ rm modules/ssl/ssl_engine_dh.c %patch130 -p1 -b .r1811976 %patch131 -p1 -b .r1650310 %patch132 -p1 -b .r1530999 +%patch133 -p1 -b .r1555539 +%patch134 -p1 -b .r1523536 +%patch135 -p1 -b .r1826995 +%patch136 -p1 -b .defaultport-proxy +%patch137 -p1 -b .r1825120 +%patch138 -p1 -b .r1515372 +%patch139 -p1 -b .r1824872 + %patch200 -p1 -b .cve6438 %patch201 -p1 -b .cve0098 @@ -585,10 +608,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \ - -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \ - --strip-components=1 - +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -611,7 +632,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \ $RPM_BUILD_ROOT%{docroot}/cgi-bin/* # Symlink for the powered-by-$DISTRO image: -ln -s ../noindex/images/poweredby.png \ +ln -s ../../pixmaps/poweredby.png \ $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png # symlinks for /etc/httpd @@ -797,7 +818,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %dir %{docroot} %dir %{docroot}/cgi-bin @@ -863,16 +884,32 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog -* Tue Jun 26 2018 CentOS Sources - 2.4.6-80.el7.centos.1 -- Remove index.html, add centos-noindex.tar.gz -- change vstring -- change symlink for poweredby.png -- update welcome.conf with proper aliases - -* Mon May 28 2018 Luboš Uhliarik - 2.4.6-80.1 -- Resolves: #1560609 - httpd: active connections being terminated when httpd - gets gracefully stopped/restarted, GracefulShutdownTimeout is not being - honored +* Thu Jun 21 2018 Luboš Uhliarik - 2.4.6-88 +- Resolves: #1527295 - httpd with worker/event mpm segfaults after multiple + SIGUSR1 + +* Thu Jun 21 2018 Luboš Uhliarik - 2.4.6-87 +- Resolves: #1458364 - RMM list corruption in ldap module results in server hang + +* Thu Jun 21 2018 Luboš Uhliarik - 2.4.6-86 +- Resolves: #1493181 - RFE: mod_ssl: allow sending multiple CA names which + differ only in case + +* Wed Jun 20 2018 Luboš Uhliarik - 2.4.6-85 +- Resolves: #1556761 - mod_proxy_wstunned config needs the default port number + +* Mon Jun 18 2018 Luboš Uhliarik - 2.4.6-84 +- Resolves: #1548501 - Make OCSP more configurable (like CRL) + +* Mon Jun 11 2018 Luboš Uhliarik - 2.4.6-83 +- Resolves: #1523536 - Backport Apache BZ#59230 mod_proxy_express uses db + after close + +* Mon Jun 11 2018 Luboš Uhliarik - 2.4.6-82 +- Resolves: #1533793 - Use Variable with mod_authnz_ldap + +* Mon Mar 26 2018 Joe Orton - 2.4.6-81 +- don't terminate connections during graceful stop/restart (#1557785) * Mon Jan 08 2018 Luboš Uhliarik - 2.4.6-80 - Related: #1288395 - httpd segfault when logrotate invoked