* [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
@ 2014-02-27 3:22 Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
Changes in V2:
apache2-2.4.7: added support for TLS Next Protocol Negotiation
The previous NPN support patch (httpd-2.4.4-r1332643.patch) worked on
apache2-2.4.6 but conflicted with apache2-2.4.7; patch 4/4 fixes the
conflict with 2.4.7.
//Hongxu
The following changes since commit 8089aa451827cb791c7d795b9899dc152d1ceb66:
vlc: Fix build with flac-1.3.0 (2014-02-24 10:10:25 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib hongxu/upgrade-apache2
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/upgrade-apache2
Hongxu Jia (1):
apache2-2.4.7: added support for TLS Next Protocol Negotiation
Paul Eggleton (3):
apache2: update to 2.4.7
modphp: upgrade to 5.5.8
phpmyadmin: update to 4.1.4
...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +-
.../apache-configure_perlbin.patch | 0
.../apache-ssl-ltmain-rpath.patch | 0
.../fix-libtool-name.patch | 0
.../httpd-2.4.1-corelimit.patch | 0
.../httpd-2.4.1-selinux.patch | 0
.../httpd-2.4.4-export.patch | 0
.../npn-patch-2.4.7.patch} | 111 +++++++++++++--------
.../replace-lynx-to-curl-in-apachectl-script.patch | 0
.../server-makefile.patch | 0
.../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 8 +-
meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 --
meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 ++
.../{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 +-
14 files changed, 86 insertions(+), 57 deletions(-)
rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6/httpd-2.4.4-r1332643.patch => apache2/npn-patch-2.4.7.patch} (80%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%)
delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%)
--
1.8.1.2
* [PATCH 1/4][meta-webserver] apache2: update to 2.4.7
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
* LIC_FILES_CHKSUM changed because of the introduction of an extra blank
line in the LICENSE file (!)
* Drop httpd-2.4.4-r1332643.patch - it no longer applies and was dropped
in Fedora on the 2.4.7 upgrade.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../apache2-2.4.6/httpd-2.4.4-r1332643.patch | 260 ---------------------
...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +-
.../apache-configure_perlbin.patch | 0
.../apache-ssl-ltmain-rpath.patch | 0
.../fix-libtool-name.patch | 0
.../httpd-2.4.1-corelimit.patch | 0
.../httpd-2.4.1-selinux.patch | 0
.../httpd-2.4.4-export.patch | 0
.../replace-lynx-to-curl-in-apachectl-script.patch | 0
.../server-makefile.patch | 0
.../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 7 +-
11 files changed, 6 insertions(+), 267 deletions(-)
delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%)
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch b/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
deleted file mode 100644
index ba28231..0000000
--- a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-Add support for TLS Next Protocol Negotiation:
-
-* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
- hooks for next protocol advertisement/discovery.
-
-* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
- NPN advertisement callback in handshake.
-
-* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
- next-protocol discovery hook.
-
-* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
- New callback.
-
-* modules/ssl/ssl_private.h: Add prototype.
-
-Submitted by: Matthew Steele <mdsteele google.com>
- with slight tweaks by jorton
-
-https://bugzilla.redhat.com//show_bug.cgi?id=809599
-
-http://svn.apache.org/viewvc?view=revision&revision=1332643
-
-Upstream-Status: Backport
-
---- httpd-2.4.4/modules/ssl/ssl_private.h
-+++ httpd-2.4.4/modules/ssl/ssl_private.h
-@@ -139,6 +139,11 @@
- #define HAVE_FIPS
- #endif
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
-+ && !defined(OPENSSL_NO_TLSEXT)
-+#define HAVE_TLS_NPN
-+#endif
-+
- #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
- #define MODSSL_SSL_CIPHER_CONST const
- #define MODSSL_SSL_METHOD_CONST const
-@@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
- EVP_CIPHER_CTX *, HMAC_CTX *, int);
- #endif
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
-
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
---- httpd-2.4.4/modules/ssl/mod_ssl.c
-+++ httpd-2.4.4/modules/ssl/mod_ssl.c
-@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds[] = {
- AP_END_CMD
- };
-
-+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos),
-+ (connection, protos), OK, DECLINED);
-+
-+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
-+ (connection, proto_name, proto_name_len), OK, DECLINED);
-+
- /*
- * the various processing hooks
- */
---- httpd-2.4.4/modules/ssl/mod_ssl.h
-+++ httpd-2.4.4/modules/ssl/mod_ssl.h
-@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
-
- APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
-
-+/** The npn_advertise_protos optional hook allows other modules to add entries
-+ * to the list of protocol names advertised by the server during the Next
-+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
-+ * given the connection and an APR array; it should push one or more char*'s
-+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
-+ * the array and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos));
-+
-+/** The npn_proto_negotiated optional hook allows other modules to discover the
-+ * name of the protocol that was chosen during the Next Protocol Negotiation
-+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
-+ * (in which case modules should probably assume HTTP), or it may be a protocol
-+ * that was never even advertised by the server. The hook callee is given the
-+ * connection, a non-null-terminated string containing the protocol name, and
-+ * the length of the string; it should do something appropriate (i.e. insert or
-+ * remove filters) and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name,
-+ apr_size_t proto_name_len));
-+
- #endif /* __MOD_SSL_H__ */
- /** @} */
---- httpd-2.4.4/modules/ssl/ssl_engine_init.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
-@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
- #endif
-
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-+
-+#ifdef HAVE_TLS_NPN
-+ SSL_CTX_set_next_protos_advertised_cb(
-+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
-+#endif
- }
-
- static void ssl_init_ctx_verify(server_rec *s,
---- httpd-2.4.4/modules/ssl/ssl_engine_io.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
-@@ -28,6 +28,7 @@
- core keeps dumping.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "apr_date.h"
-
- /* _________________________________________________________________
-@@ -297,6 +298,7 @@ typedef struct {
- apr_pool_t *pool;
- char buffer[AP_IOBUFSIZE];
- ssl_filter_ctx_t *filter_ctx;
-+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
- } bio_filter_in_ctx_t;
-
- /*
-@@ -1385,6 +1387,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
- APR_BRIGADE_INSERT_TAIL(bb, bucket);
- }
-
-+#ifdef HAVE_TLS_NPN
-+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
-+ * our version of OpenSSL supports it). If we haven't already, find out
-+ * which protocol was decided upon and inform other modules by calling
-+ * npn_proto_negotiated_hook. */
-+ if (!inctx->npn_finished) {
-+ const unsigned char *next_proto = NULL;
-+ unsigned next_proto_len = 0;
-+
-+ SSL_get0_next_proto_negotiated(
-+ inctx->ssl, &next_proto, &next_proto_len);
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-+ "SSL NPN negotiated protocol: '%s'",
-+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
-+ next_proto_len));
-+ modssl_run_npn_proto_negotiated_hook(
-+ f->c, (const char*)next_proto, next_proto_len);
-+ inctx->npn_finished = 1;
-+ }
-+#endif
-+
- return APR_SUCCESS;
- }
-
-@@ -1866,6 +1889,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
- inctx->block = APR_BLOCK_READ;
- inctx->pool = c->pool;
- inctx->filter_ctx = filter_ctx;
-+ inctx->npn_finished = 0;
- }
-
- /* The request_rec pointer is passed in here only to ensure that the
---- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
-@@ -29,6 +29,7 @@
- time I was too famous.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "util_md5.h"
-
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-@@ -2186,3 +2187,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
- }
-
- #endif /* OPENSSL_NO_SRP */
-+
-+#ifdef HAVE_TLS_NPN
-+/*
-+ * This callback function is executed when SSL needs to decide what protocols
-+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
-+ * string in wire format -- a sequence of length-prefixed strings -- indicating
-+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
-+ * in OpenSSL for reference.
-+ */
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
-+ unsigned int *size_out, void *arg)
-+{
-+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
-+ apr_array_header_t *protos;
-+ int num_protos;
-+ unsigned int size;
-+ int i;
-+ unsigned char *data;
-+ unsigned char *start;
-+
-+ *data_out = NULL;
-+ *size_out = 0;
-+
-+ /* If the connection object is not available, then there's nothing for us
-+ * to do. */
-+ if (c == NULL) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
-+ * add alternate protocol names to advertise. */
-+ protos = apr_array_make(c->pool, 0, sizeof(char*));
-+ modssl_run_npn_advertise_protos_hook(c, protos);
-+ num_protos = protos->nelts;
-+
-+ /* We now have a list of null-terminated strings; we need to concatenate
-+ * them together into a single string, where each protocol name is prefixed
-+ * by its length. First, calculate how long that string will be. */
-+ size = 0;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ unsigned int length = strlen(string);
-+ /* If the protocol name is too long (the length must fit in one byte),
-+ * then log an error and skip it. */
-+ if (length > 255) {
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+ "SSL NPN protocol name too long (length=%u): %s",
-+ length, string);
-+ continue;
-+ }
-+ /* Leave room for the length prefix (one byte) plus the protocol name
-+ * itself. */
-+ size += 1 + length;
-+ }
-+
-+ /* If there is nothing to advertise (either because no modules added
-+ * anything to the protos array, or because all strings added to the array
-+ * were skipped), then we're done. */
-+ if (size == 0) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Now we can build the string. Copy each protocol name string into the
-+ * larger string, prefixed by its length. */
-+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
-+ start = data;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ apr_size_t length = strlen(string);
-+ *start = (unsigned char)length;
-+ ++start;
-+ memcpy(start, string, length * sizeof(unsigned char));
-+ start += length;
-+ }
-+
-+ /* Success. */
-+ *data_out = data;
-+ *size_out = size;
-+ return SSL_TLSEXT_ERR_OK;
-+}
-+#endif
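Review bot: the copy loop at the bottom of ssl_callback_AdvertiseNextProtos in the file being deleted here (the second `for (i = 0; i < num_protos; ++i)`) never re-applies the `length > 255` skip that the sizing loop above it uses, so a name over 255 bytes gets its length truncated by `*start = (unsigned char)length;` and `memcpy(start, string, length ...)` then writes past the `size` bytes obtained from apr_palloc. Deleting the file is the right call for this bump, but the cover letter says the same patch returns rebased as npn-patch-2.4.7.patch in 4/4; the rebased copy should `continue` past over-long names in both loops so that the buffer it writes is the buffer it sized.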
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
similarity index 84%
rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb
rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
index 6efd469..bd935eb 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
@@ -12,9 +12,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2"
S = "${WORKDIR}/httpd-${PV}"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc"
-SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe"
-SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
+SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e"
+SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b"
do_configure () {
./configure --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
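Review bot: LIC_FILES_CHKSUM and both SRC_URI checksums are updated by hand here and again in apache2_2.4.7.bb further down, so the native and target recipes only stay on the same tarball as long as every future bump remembers both; moving SRC_URI, S and the three checksum lines into an apache2.inc that both recipes include would remove that failure mode. Since SRC_URI fetches over plain http://www.apache.org/dist/httpd/, the pinned sha256sum is the one integrity check the build has, so the commit message should say the new value was checked against upstream's published checksum or PGP signature rather than computed from the downloaded tarball.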
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch b/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
similarity index 95%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
index cc88fac..f23776f 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
@@ -11,7 +11,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://httpd-2.4.1-corelimit.patch \
file://httpd-2.4.4-export.patch \
file://httpd-2.4.1-selinux.patch \
- file://httpd-2.4.4-r1332643.patch \
file://apache-configure_perlbin.patch \
file://replace-lynx-to-curl-in-apachectl-script.patch \
file://apache-ssl-ltmain-rpath.patch \
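Review bot: the eight remaining patches move from apache2-2.4.6/ to the versionless apache2/ directory at 100% similarity, which only shows the patch files were not edited, not that they still fit 2.4.7; before merging, run `bitbake -c patch apache2` and confirm they all apply cleanly, reading any offset or fuzz warnings. Dropping file://httpd-2.4.4-r1332643.patch also removes the only NPN support in the recipe; the commit message says the patch no longer applies but not that the feature goes away with it (4/4 in this series restores it), and a sentence to that effect would help anyone bisecting a module that relies on the modssl NPN hooks.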
@@ -19,9 +18,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://init \
file://apache2-volatile.conf"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc"
-SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe"
-SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
+SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e"
+SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b"
S = "${WORKDIR}/httpd-${PV}"
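Review bot: the LIC_FILES_CHKSUM bump is justified in the commit message only by "an extra blank line in the LICENSE file"; that field exists precisely to catch changes to the license text, so the review should include a `diff` of the 2.4.6 and 2.4.7 LICENSE files and the commit message should state that whitespace is the only delta.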
--
1.8.1.2
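The length-prefixed protocol list that ssl_callback_AdvertiseNextProtos builds in the patch deleted above (and that, per the cover letter, comes back rebased in 4/4) is easy to get subtly wrong, as the mismatch between its sizing loop and its copy loop shows. What follows is an added example, not code from this thread or from httpd: a stand-alone C encoder and decoder for that NPN wire format (a vector of 8-bit-length-prefixed names, the same layout OpenSSL's ALPN calls use), written so that the over-long-name rule is applied in both passes and the decoder checks every length byte against the bytes remaining. All function names and the sample protocol lists are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define NPN_MAX_NAME 255u   /* one length byte per name on the wire */

/* Pass 1: size of the encoded list. Empty names and names longer than one
 * length byte can express are skipped, with the same rule as pass 2. */
static size_t npn_encoded_size(const char *const *protos, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(protos[i]);
        if (len == 0 || len > NPN_MAX_NAME)
            continue;
        size += 1 + len;
    }
    return size;
}

/* Pass 2: write the list into out. Returns bytes written, or 0 when there is
 * nothing to advertise or cap is too small. Same skip rule as pass 1, so the
 * writes can never exceed the size that pass 1 computed. */
size_t npn_encode(const char *const *protos, size_t n,
                  unsigned char *out, size_t cap)
{
    size_t need = npn_encoded_size(protos, n);
    unsigned char *p = out;
    if (need == 0 || need > cap)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(protos[i]);
        if (len == 0 || len > NPN_MAX_NAME)
            continue;
        *p++ = (unsigned char)len;
        memcpy(p, protos[i], len);
        p += len;
    }
    return (size_t)(p - out);
}

/* Parse a received list. Each length byte is checked against the bytes left,
 * so a zero-length or truncated entry returns -1 instead of reading past the
 * end of wire. On success returns the number of names copied out. */
int npn_decode(const unsigned char *wire, size_t wire_len,
               char names[][NPN_MAX_NAME + 1], size_t max_names)
{
    size_t off = 0, count = 0;
    while (off < wire_len) {
        size_t len = wire[off++];
        if (len == 0 || len > wire_len - off || count == max_names)
            return -1;
        memcpy(names[count], wire + off, len);
        names[count][len] = '\0';
        off += len;
        count++;
    }
    return (int)count;
}

/* Checks on constructed input; each returns 1 on success, 0 on failure. */
int npn_check_roundtrip(void)
{
    const char *protos[] = { "http/1.1", "spdy/2" };   /* constructed list */
    unsigned char buf[64];
    char names[4][NPN_MAX_NAME + 1];
    size_t n = npn_encode(protos, 2, buf, sizeof buf);
    if (n != 16 || memcmp(buf, "\x08http/1.1\x06spdy/2", 16) != 0)
        return 0;
    return npn_decode(buf, n, names, 4) == 2
        && strcmp(names[0], "http/1.1") == 0
        && strcmp(names[1], "spdy/2") == 0;
}

int npn_check_overlong_skipped(void)
{
    char big[301];                      /* a 300-byte name: does not fit */
    const char *protos[3] = { big, "", "h2" };
    unsigned char buf[16];
    char names[2][NPN_MAX_NAME + 1];
    memset(big, 'x', 300);
    big[300] = '\0';
    /* Only "h2" survives both passes: one length byte plus two name bytes. */
    return npn_encode(protos, 3, buf, sizeof buf) == 3
        && npn_decode(buf, 3, names, 2) == 1
        && strcmp(names[0], "h2") == 0;
}

int npn_check_truncated_rejected(void)
{
    const unsigned char bad[] = { 0x05, 'a', 'b', 'c' };   /* says 5, has 3 */
    char names[1][NPN_MAX_NAME + 1];
    return npn_decode(bad, sizeof bad, names, 1) == -1;
}

int main(void)
{
    printf("roundtrip=%d overlong=%d truncated=%d\n", npn_check_roundtrip(),
           npn_check_overlong_skipped(), npn_check_truncated_rejected());
    return 0;
}
```

Save it as, say, npn_list.c and build with `cc -std=c99 npn_list.c && ./a.out`; all three checks print 1. In the mod_ssl callback the output buffer comes from apr_palloc with exactly the number of bytes pass 1 computed, which is why the two passes have to agree on what they skip: the decoder side shows the matching discipline a peer needs, since a length byte that runs past the end of the buffer is the same bug seen from the other end.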
* [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 -------
meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 +++++++
2 files changed, 7 insertions(+), 7 deletions(-)
delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
deleted file mode 100644
index 3c23242..0000000
--- a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include modphp5.inc
-
-EXTRA_OECONF += "--disable-opcache"
-
-SRC_URI[md5sum] = "caf7f4d86514a568fb3c8021b096a9f0"
-SRC_URI[sha256sum] = "e72aaf1fa96eac0bff127bfc74c174d1de50cd3f66d7e0e1ee919674ab463bb7"
-
diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
new file mode 100644
index 0000000..04925fb
--- /dev/null
+++ b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
@@ -0,0 +1,7 @@
+include modphp5.inc
+
+EXTRA_OECONF += "--disable-opcache"
+
+SRC_URI[md5sum] = "42fe814a3cbbf34b21a2c39f66ee0001"
+SRC_URI[sha256sum] = "6d5f45659d13383fc8429f185cc9da0b30c7bb72dcae9baf568f0511eb7f8b68"
+
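Review bot: the new recipe ends in an empty line (the final `+` line), inherited from the deleted 5.5.2 recipe; drop it. `--disable-opcache` is carried over with no comment on why it is disabled, and the commit has no body for a 5.5.2 to 5.5.8 jump; a line explaining the opcache choice and a pointer to the upstream changelog for the releases skipped would make the next bump easier to review.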
--
1.8.1.2
* [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%)
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
similarity index 87%
rename from meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb
rename to meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
index f97dc91..c2bc8bb 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
file://apache.conf"
-SRC_URI[md5sum] = "5cc493908d09df1760c7cdcd1622ebf7"
-SRC_URI[sha256sum] = "f4df1190441ce5e094183cfadf8aec4af3a4f131339599e6380a1c6ac0a11fe4"
+SRC_URI[md5sum] = "9802ba0a7ee6afd8941dc8d0af589913"
+SRC_URI[sha256sum] = "4bd23cda85b3ac4e44a1e472a461638230020af78bd03d7178f60d55b8bb1331"
S = "${WORKDIR}/phpMyAdmin-${PV}-all-languages"
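Review bot: SRC_URI pulls from ${SOURCEFORGE_MIRROR}, so the new sha256sum is the only thing tying the fetch to the genuine 4.1.4 tarball; the commit message should say it was checked against the project's published checksum or signature rather than computed from whatever the mirror served. The message is otherwise empty for a 4.0.5 to 4.1.4 jump, and file://apache.conf is carried over unchanged; a pointer to the upstream release notes and a note that the shipped config was checked against 4.1 would round it out.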
--
1.8.1.2
* [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 19:08 ` Randy MacLeod
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
The previous NPN support patch (httpd-2.4.4-r1332643.patch) worked on
apache2-2.4.6 but conflicted with apache2-2.4.7; this patch fixes the
conflict with 2.4.7.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
.../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
2 files changed, 290 insertions(+)
create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
new file mode 100644
index 0000000..a4f1855
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
@@ -0,0 +1,289 @@
+Add support for TLS Next Protocol Negotiation:
+
+* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
+ hooks for next protocol advertisement/discovery.
+
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
+ NPN advertisement callback in handshake.
+
+* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
+ next-protocol discovery hook.
+
+* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
+ New callback.
+
+* modules/ssl/ssl_private.h: Add prototype.
+
+Submitted by: Matthew Steele <mdsteele google.com>
+ with slight tweaks by jorton
+
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+Upstream-Status: Backport
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ CHANGES | 2 +
+ modules/ssl/mod_ssl.c | 12 ++++++
+ modules/ssl/mod_ssl.h | 21 +++++++++++
+ modules/ssl/ssl_engine_init.c | 5 +++
+ modules/ssl/ssl_engine_io.c | 24 ++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
+ modules/ssl/ssl_private.h | 6 +++
+ 7 files changed, 152 insertions(+)
+
+diff --git a/CHANGES b/CHANGES
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,6 +1,8 @@
+ -*- coding: utf-8 -*-
+
+ Changes with Apache 2.4.7
++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
++ [Matthew Steele <mdsteele google.com>]
+
+ *) APR 1.5.0 or later is now required for the event MPM.
+
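Review bot: adding an entry to upstream's CHANGES under "Changes with Apache 2.4.7" makes a tree built from this recipe claim a feature that upstream's 2.4.7 release notes do not list, and CHANGES is the file most likely to conflict again on the next bump (this patch already had to be rebased once for exactly that kind of drift). Drop the CHANGES hunk and keep the provenance in the patch header, where the svn revision, bugzilla link and Upstream-Status lines already record it.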
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
+ AP_END_CMD
+ };
+
++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos),
++ (connection, protos), OK, DECLINED);
++
++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
++ (connection, proto_name, proto_name_len), OK, DECLINED);
++
+ /*
+ * the various processing hooks
+ */
+diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
+--- a/modules/ssl/mod_ssl.h
++++ b/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+
++/** The npn_advertise_protos optional hook allows other modules to add entries
++ * to the list of protocol names advertised by the server during the Next
++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
++ * given the connection and an APR array; it should push one or more char*'s
++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
++ * the array and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos));
++
++/** The npn_proto_negotiated optional hook allows other modules to discover the
++ * name of the protocol that was chosen during the Next Protocol Negotiation
++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
++ * (in which case modules should probably assume HTTP), or it may be a protocol
++ * that was never even advertised by the server. The hook callee is given the
++ * connection, a non-null-terminated string containing the protocol name, and
++ * the length of the string; it should do something appropriate (i.e. insert or
++ * remove filters) and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name,
++ apr_size_t proto_name_len));
++
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++#ifdef HAVE_TLS_NPN
++ SSL_CTX_set_next_protos_advertised_cb(
++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
++#endif
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+ core keeps dumping.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "apr_date.h"
+
+ /* _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+ apr_pool_t *pool;
+ char buffer[AP_IOBUFSIZE];
+ ssl_filter_ctx_t *filter_ctx;
++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+
+ /*
+@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ }
+
++#ifdef HAVE_TLS_NPN
++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
++ * our version of OpenSSL supports it). If we haven't already, find out
++ * which protocol was decided upon and inform other modules by calling
++ * npn_proto_negotiated_hook. */
++ if (!inctx->npn_finished) {
++ const unsigned char *next_proto = NULL;
++ unsigned next_proto_len = 0;
++
++ SSL_get0_next_proto_negotiated(
++ inctx->ssl, &next_proto, &next_proto_len);
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
++ "SSL NPN negotiated protocol: '%s'",
++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
++ next_proto_len));
++ modssl_run_npn_proto_negotiated_hook(
++ f->c, (const char*)next_proto, next_proto_len);
++ inctx->npn_finished = 1;
++ }
++#endif
++
+ return APR_SUCCESS;
+ }
+
+@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
+ inctx->block = APR_BLOCK_READ;
+ inctx->pool = c->pool;
+ inctx->filter_ctx = filter_ctx;
++ inctx->npn_finished = 0;
+ }
+
+ /* The request_rec pointer is passed in here only to ensure that the
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+ time I was too famous.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "util_md5.h"
+
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+ }
+
+ #endif /* HAVE_SRP */
++
++#ifdef HAVE_TLS_NPN
++/*
++ * This callback function is executed when SSL needs to decide what protocols
++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
++ * in OpenSSL for reference.
++ */
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
++ unsigned int *size_out, void *arg)
++{
++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
++ apr_array_header_t *protos;
++ int num_protos;
++ unsigned int size;
++ int i;
++ unsigned char *data;
++ unsigned char *start;
++
++ *data_out = NULL;
++ *size_out = 0;
++
++ /* If the connection object is not available, then there's nothing for us
++ * to do. */
++ if (c == NULL) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
++ * add alternate protocol names to advertise. */
++ protos = apr_array_make(c->pool, 0, sizeof(char*));
++ modssl_run_npn_advertise_protos_hook(c, protos);
++ num_protos = protos->nelts;
++
++ /* We now have a list of null-terminated strings; we need to concatenate
++ * them together into a single string, where each protocol name is prefixed
++ * by its length. First, calculate how long that string will be. */
++ size = 0;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ unsigned int length = strlen(string);
++ /* If the protocol name is too long (the length must fit in one byte),
++ * then log an error and skip it. */
++ if (length > 255) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++ "SSL NPN protocol name too long (length=%u): %s",
++ length, string);
++ continue;
++ }
++ /* Leave room for the length prefix (one byte) plus the protocol name
++ * itself. */
++ size += 1 + length;
++ }
++
++ /* If there is nothing to advertise (either because no modules added
++ * anything to the protos array, or because all strings added to the array
++ * were skipped), then we're done. */
++ if (size == 0) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Now we can build the string. Copy each protocol name string into the
++ * larger string, prefixed by its length. */
++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
++ start = data;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ apr_size_t length = strlen(string);
++ *start = (unsigned char)length;
++ ++start;
++ memcpy(start, string, length * sizeof(unsigned char));
++ start += length;
++ }
++
++ /* Success. */
++ *data_out = data;
++ *size_out = size;
++ return SSL_TLSEXT_ERR_OK;
++}
++#endif /* HAVE_TLS_NPN */
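Review bot: the copy loop at the end of ssl_callback_AdvertiseNextProtos does not repeat the `length > 255` check that the sizing loop applies, so a name the first loop skipped (and left out of `size`) is still written in full into the `size`-byte buffer from `apr_palloc()`, past its end; add the same `if (length > 255) { continue; }` before `*start = (unsigned char)length;`, and use one type for `length` in both loops (`apr_size_t`) instead of `unsigned int` in the first and `apr_size_t` in the second. The `arg` parameter is unused, which matches the NULL passed at registration in ssl_engine_init.c; a one-line comment saying so would save the next reader a search.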
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -123,6 +123,11 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
++ && !defined(OPENSSL_NO_TLSEXT)
++#define HAVE_TLS_NPN
++#endif
++
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
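Review bot: the new prototype for ssl_callback_AdvertiseNextProtos is declared unconditionally, while its definition in ssl_engine_kernel.c and its only caller in ssl_engine_init.c are both inside `#ifdef HAVE_TLS_NPN`; wrap the declaration in the same guard, as the ssl_callback_SessionTicket block just above it does, and fold the line, which runs well past 80 columns unlike the neighbouring prototypes, e.g. `int ssl_callback_AdvertiseNextProtos(SSL *, const unsigned char **,` / `unsigned int *, void *);`.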
+--
+1.8.1.2
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
index f23776f..3c038a9 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://replace-lynx-to-curl-in-apachectl-script.patch \
file://apache-ssl-ltmain-rpath.patch \
file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
+ file://npn-patch-2.4.7.patch \
file://init \
file://apache2-volatile.conf"
--
1.8.1.2
* Re: [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 9:47 ` Paul Eggleton
From: Paul Eggleton @ 2014-02-27 9:47 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-devel
Hi Hongxu,
On Thursday 27 February 2014 11:22:06 Hongxu Jia wrote:
> Change in V2:
> apache2-2.4.7: added support for TLS Next Protocol Negotiation
>
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7; the 4/4 patch fixed the
> conflict with 2.4.7.
> //Hongxu
Thanks for doing this. For the modphp and phpmyadmin upgrades, I actually have
5.5.9 and 4.1.8 build-tested here; once I've tested them at runtime I'll send
a v3 (should be today).
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 19:08 ` Randy MacLeod
2014-02-28 10:21 ` Hongxu Jia
From: Randy MacLeod @ 2014-02-27 19:08 UTC (permalink / raw)
To: Hongxu Jia, openembedded-devel; +Cc: paul.eggleton
On 14-02-26 10:22 PM, Hongxu Jia wrote:
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7; this patch fixed the
> conflict with 2.4.7.
Hongxu,
Thanks, that's a good step. Even better would be to add the
apache module that supports SPDY and confirm that it works
with your desktop (google-chrome) browser.
See:
http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
and
https://code.google.com/p/mod-spdy/wiki/GettingStarted
It doesn't seem to be a huge task but let us know what you find out.
../Randy
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 19:08 ` Randy MacLeod
@ 2014-02-28 10:21 ` Hongxu Jia
2014-02-28 17:17 ` Khem Raj
From: Hongxu Jia @ 2014-02-28 10:21 UTC (permalink / raw)
To: Randy MacLeod, openembedded-devel; +Cc: paul.eggleton
On 02/28/2014 03:08 AM, Randy MacLeod wrote:
> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>> apache2-2.4.6 and conflicted with apache2-2.4.7; this patch fixed the
>> conflict with 2.4.7.
>
> Hongxu,
>
> Thanks, that's a good step. Even better would be to add the
> apache module that supports SPDY and confirm that it works
> with your desktop (google-chrome) browser.
>
> See:
> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>
>
> and
>
> https://code.google.com/p/mod-spdy/wiki/GettingStarted
Hi Randy,
I have tested it; SSL worked well with the new patch,
but mod_spdy doesn't support 2.4.7 for now, and the
SPDY test failed.
http://code.google.com/p/mod-spdy/issues/detail?id=63
http://code.google.com/p/mod-spdy/issues/detail?id=64
http://code.google.com/p/mod-spdy/issues/detail?id=65
...
root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load
lib64/apache2/modules/mod_spdy.so into server:
/usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
...
//Hongxu
>
> It doesn't seem to be a huge task but let us know what you find out.
>
> ../Randy
>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> .../apache2/apache2/npn-patch-2.4.7.patch | 289
>> +++++++++++++++++++++
>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>> 2 files changed, 290 insertions(+)
>> create mode 100644
>> meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>
>> diff --git
>> a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> new file mode 100644
>> index 0000000..a4f1855
>> --- /dev/null
>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> @@ -0,0 +1,289 @@
>> +Add support for TLS Next Protocol Negotiation:
>> +
>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>> + hooks for next protocol advertisement/discovery.
>> +
>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>> + NPN advertisement callback in handshake.
>> +
>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>> + next-protocol discovery hook.
>> +
>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>> + New callback.
>> +
>> +* modules/ssl/ssl_private.h: Add prototype.
>> +
>> +Submitted by: Matthew Steele <mdsteele google.com>
>> + with slight tweaks by jorton
>> +
>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>> +Upstream-Status: Backport
>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> +---
>> + CHANGES | 2 +
>> + modules/ssl/mod_ssl.c | 12 ++++++
>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>> + modules/ssl/ssl_engine_init.c | 5 +++
>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>> + modules/ssl/ssl_engine_kernel.c | 82
>> +++++++++++++++++++++++++++++++++++++++++
>> + modules/ssl/ssl_private.h | 6 +++
>> + 7 files changed, 152 insertions(+)
>> +
>> +diff --git a/CHANGES b/CHANGES
>> +--- a/CHANGES
>> ++++ b/CHANGES
>> +@@ -1,6 +1,8 @@
>> + -*-
>> coding: utf-8 -*-
>> +
>> + Changes with Apache 2.4.7
>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>> ++ [Matthew Steele <mdsteele google.com>]
>> +
>> + *) APR 1.5.0 or later is now required for the event MPM.
>> +
>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>> +--- a/modules/ssl/mod_ssl.c
>> ++++ b/modules/ssl/mod_ssl.c
>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>> + AP_END_CMD
>> + };
>> +
>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>> ++ modssl, AP, int, npn_advertise_protos_hook,
>> ++ (conn_rec *connection, apr_array_header_t *protos),
>> ++ (connection, protos), OK, DECLINED);
>> ++
>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>> ++ (conn_rec *connection, const char *proto_name, apr_size_t
>> proto_name_len),
>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>> ++
>> + /*
>> + * the various processing hooks
>> + */
>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>> +--- a/modules/ssl/mod_ssl.h
>> ++++ b/modules/ssl/mod_ssl.h
>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable,
>> (conn_rec *));
>> +
>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>> +
>> ++/** The npn_advertise_protos optional hook allows other modules to
>> add entries
>> ++ * to the list of protocol names advertised by the server during
>> the Next
>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The
>> hook callee is
>> ++ * given the connection and an APR array; it should push one or
>> more char*'s
>> ++ * pointing to null-terminated strings (such as "http/1.1" or
>> "spdy/2") onto
>> ++ * the array and return OK, or do nothing and return DECLINED. */
>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>> ++ (conn_rec *connection, apr_array_header_t
>> *protos));
>> ++
>> ++/** The npn_proto_negotiated optional hook allows other modules to
>> discover the
>> ++ * name of the protocol that was chosen during the Next Protocol
>> Negotiation
>> ++ * (NPN) portion of the SSL handshake. Note that this may be the
>> empty string
>> ++ * (in which case modules should probably assume HTTP), or it may
>> be a protocol
>> ++ * that was never even advertised by the server. The hook callee
>> is given the
>> ++ * connection, a non-null-terminated string containing the protocol
>> name, and
>> ++ * the length of the string; it should do something appropriate
>> (i.e. insert or
>> ++ * remove filters) and return OK, or do nothing and return
>> DECLINED. */
>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>> ++ (conn_rec *connection, const char
>> *proto_name,
>> ++ apr_size_t proto_name_len));
>> ++
>> + #endif /* __MOD_SSL_H__ */
>> + /** @} */
>> +diff --git a/modules/ssl/ssl_engine_init.c
>> b/modules/ssl/ssl_engine_init.c
>> +--- a/modules/ssl/ssl_engine_init.c
>> ++++ b/modules/ssl/ssl_engine_init.c
>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>> +
>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>> ++
>> ++#ifdef HAVE_TLS_NPN
>> ++ SSL_CTX_set_next_protos_advertised_cb(
>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>> ++#endif
>> + }
>> +
>> + static void ssl_init_ctx_verify(server_rec *s,
>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>> +--- a/modules/ssl/ssl_engine_io.c
>> ++++ b/modules/ssl/ssl_engine_io.c
>> +@@ -28,6 +28,7 @@
>> + core keeps dumping.''
>> + -- Unknown */
>> + #include "ssl_private.h"
>> ++#include "mod_ssl.h"
>> + #include "apr_date.h"
>> +
>> + /* _________________________________________________________________
>> +@@ -297,6 +298,7 @@ typedef struct {
>> + apr_pool_t *pool;
>> + char buffer[AP_IOBUFSIZE];
>> + ssl_filter_ctx_t *filter_ctx;
>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>> + } bio_filter_in_ctx_t;
>> +
>> + /*
>> +@@ -1412,6 +1414,27 @@ static apr_status_t
>> ssl_io_filter_input(ap_filter_t *f,
>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>> + }
>> +
>> ++#ifdef HAVE_TLS_NPN
>> ++ /* By this point, Next Protocol Negotiation (NPN) should be
>> completed (if
>> ++ * our version of OpenSSL supports it). If we haven't already,
>> find out
>> ++ * which protocol was decided upon and inform other modules by
>> calling
>> ++ * npn_proto_negotiated_hook. */
>> ++ if (!inctx->npn_finished) {
>> ++ const unsigned char *next_proto = NULL;
>> ++ unsigned next_proto_len = 0;
>> ++
>> ++ SSL_get0_next_proto_negotiated(
>> ++ inctx->ssl, &next_proto, &next_proto_len);
>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>> ++ "SSL NPN negotiated protocol: '%s'",
>> ++ apr_pstrmemdup(f->c->pool, (const
>> char*)next_proto,
>> ++ next_proto_len));
>> ++ modssl_run_npn_proto_negotiated_hook(
>> ++ f->c, (const char*)next_proto, next_proto_len);
>> ++ inctx->npn_finished = 1;
>> ++ }
>> ++#endif
>> ++
>> + return APR_SUCCESS;
>> + }
>> +
>> +@@ -1893,6 +1916,7 @@ static void
>> ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>> + inctx->block = APR_BLOCK_READ;
>> + inctx->pool = c->pool;
>> + inctx->filter_ctx = filter_ctx;
>> ++ inctx->npn_finished = 0;
>> + }
>> +
>> + /* The request_rec pointer is passed in here only to ensure that the
>> +diff --git a/modules/ssl/ssl_engine_kernel.c
>> b/modules/ssl/ssl_engine_kernel.c
>> +--- a/modules/ssl/ssl_engine_kernel.c
>> ++++ b/modules/ssl/ssl_engine_kernel.c
>> +@@ -29,6 +29,7 @@
>> + time I was too famous.''
>> + --
>> Unknown */
>> + #include "ssl_private.h"
>> ++#include "mod_ssl.h"
>> + #include "util_md5.h"
>> +
>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl,
>> int *ad, void *arg)
>> + }
>> +
>> + #endif /* HAVE_SRP */
>> ++
>> ++#ifdef HAVE_TLS_NPN
>> ++/*
>> ++ * This callback function is executed when SSL needs to decide what
>> protocols
>> ++ * to advertise during Next Protocol Negotiation (NPN). It must
>> produce a
>> ++ * string in wire format -- a sequence of length-prefixed strings
>> -- indicating
>> ++ * the advertised protocols. Refer to
>> SSL_CTX_set_next_protos_advertised_cb
>> ++ * in OpenSSL for reference.
>> ++ */
>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char
>> **data_out,
>> ++ unsigned int *size_out, void
>> *arg)
>> ++{
>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>> ++ apr_array_header_t *protos;
>> ++ int num_protos;
>> ++ unsigned int size;
>> ++ int i;
>> ++ unsigned char *data;
>> ++ unsigned char *start;
>> ++
>> ++ *data_out = NULL;
>> ++ *size_out = 0;
>> ++
>> ++ /* If the connection object is not available, then there's
>> nothing for us
>> ++ * to do. */
>> ++ if (c == NULL) {
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++ }
>> ++
>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a
>> chance to
>> ++ * add alternate protocol names to advertise. */
>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>> ++ num_protos = protos->nelts;
>> ++
>> ++ /* We now have a list of null-terminated strings; we need to
>> concatenate
>> ++ * them together into a single string, where each protocol name
>> is prefixed
>> ++ * by its length. First, calculate how long that string will
>> be. */
>> ++ size = 0;
>> ++ for (i = 0; i < num_protos; ++i) {
>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>> ++ unsigned int length = strlen(string);
>> ++ /* If the protocol name is too long (the length must fit in
>> one byte),
>> ++ * then log an error and skip it. */
>> ++ if (length > 255) {
>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>> ++ "SSL NPN protocol name too long
>> (length=%u): %s",
>> ++ length, string);
>> ++ continue;
>> ++ }
>> ++ /* Leave room for the length prefix (one byte) plus the
>> protocol name
>> ++ * itself. */
>> ++ size += 1 + length;
>> ++ }
>> ++
>> ++ /* If there is nothing to advertise (either because no modules
>> added
>> ++ * anything to the protos array, or because all strings added
>> to the array
>> ++ * were skipped), then we're done. */
>> ++ if (size == 0) {
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++ }
>> ++
>> ++ /* Now we can build the string. Copy each protocol name string
>> into the
>> ++ * larger string, prefixed by its length. */
>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>> ++ start = data;
>> ++ for (i = 0; i < num_protos; ++i) {
>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>> ++ apr_size_t length = strlen(string);
>> ++ *start = (unsigned char)length;
>> ++ ++start;
>> ++ memcpy(start, string, length * sizeof(unsigned char));
>> ++ start += length;
>> ++ }
>> ++
>> ++ /* Success. */
>> ++ *data_out = data;
>> ++ *size_out = size;
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++}
>> ++#endif /* HAVE_TLS_NPN */
>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>> +--- a/modules/ssl/ssl_private.h
>> ++++ b/modules/ssl/ssl_private.h
>> +@@ -123,6 +123,11 @@
>> + #define MODSSL_SSL_METHOD_CONST
>> + #endif
>> +
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L &&
>> !defined(OPENSSL_NO_NEXTPROTONEG) \
>> ++ && !defined(OPENSSL_NO_TLSEXT)
>> ++#define HAVE_TLS_NPN
>> ++#endif
>> ++
>> + #if defined(OPENSSL_FIPS)
>> + #define HAVE_FIPS
>> + #endif
>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int
>> *, modssl_ctx_t *);
>> + int ssl_callback_SessionTicket(SSL *, unsigned char *,
>> unsigned char *,
>> + EVP_CIPHER_CTX *, HMAC_CTX
>> *, int);
>> + #endif
>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char
>> **data, unsigned int *len, void *arg);
>> +
>> + /** Session Cache Support */
>> + void ssl_scache_init(server_rec *, apr_pool_t *);
>> +--
>> +1.8.1.2
>> +
>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> index f23776f..3c038a9 100644
>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> @@ -15,6 +15,7 @@ SRC_URI =
>> "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>> file://apache-ssl-ltmain-rpath.patch \
>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>> + file://npn-patch-2.4.7.patch \
>> file://init \
>> file://apache2-volatile.conf"
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 10:21 ` Hongxu Jia
@ 2014-02-28 17:17 ` Khem Raj
2014-03-03 1:25 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2014-02-28 17:17 UTC (permalink / raw)
To: openembeded-devel; +Cc: Paul Eggleton
On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>> apache2-2.4.6 and conflicted with apache2-2.4.7; this patch fixed the
>>> conflict with 2.4.7.
>>
>> Hongxu,
>>
>> Thanks, that's a good step. Even better would be to add the
>> apache module that supports SPDY and confirm that it works
>> with your desktop (google-chrome) browser.
>>
>> See:
>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>
>> and
>>
>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>
> Hi Randy,
>
> I have tested it; SSL worked well with the new patch,
> but mod_spdy doesn't support 2.4.7 for now, and the
> SPDY test failed.
> http://code.google.com/p/mod-spdy/issues/detail?id=63
> http://code.google.com/p/mod-spdy/issues/detail?id=64
> http://code.google.com/p/mod-spdy/issues/detail?id=65
> ...
> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
> …
>
spdy does not work with apache 2.4 but there is a port, see
https://github.com/eousphoros/mod-spdy
Try to backport what is needed.
> //Hongxu
>
>>
>> It doesn't seem to be a huge task but let us know what you find out.
>>
>> ../Randy
>>
>>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> ---
>>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
>>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>>> 2 files changed, 290 insertions(+)
>>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>
>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>> new file mode 100644
>>> index 0000000..a4f1855
>>> --- /dev/null
>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>> @@ -0,0 +1,289 @@
>>> +Add support for TLS Next Protocol Negotiation:
>>> +
>>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>>> + hooks for next protocol advertisement/discovery.
>>> +
>>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>>> + NPN advertisement callback in handshake.
>>> +
>>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>>> + next-protocol discovery hook.
>>> +
>>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>>> + New callback.
>>> +
>>> +* modules/ssl/ssl_private.h: Add prototype.
>>> +
>>> +Submitted by: Matthew Steele <mdsteele google.com>
>>> + with slight tweaks by jorton
>>> +
>>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>>> +Upstream-Status: Backport
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> +---
>>> + CHANGES | 2 +
>>> + modules/ssl/mod_ssl.c | 12 ++++++
>>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>>> + modules/ssl/ssl_engine_init.c | 5 +++
>>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
>>> + modules/ssl/ssl_private.h | 6 +++
>>> + 7 files changed, 152 insertions(+)
>>> +
>>> +diff --git a/CHANGES b/CHANGES
>>> +--- a/CHANGES
>>> ++++ b/CHANGES
>>> +@@ -1,6 +1,8 @@
>>> + -*- coding: utf-8 -*-
>>> +
>>> + Changes with Apache 2.4.7
>>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>>> ++ [Matthew Steele <mdsteele google.com>]
>>> +
>>> + *) APR 1.5.0 or later is now required for the event MPM.
>>> +
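Review bot: carrying the CHANGES hunk inside a distro backport patch is exactly what makes it conflict on every httpd bump, as the cover text describes for the move from 2.4.6 to 2.4.7; CHANGES is neither compiled nor installed, so drop this hunk from npn-patch-2.4.7.patch and let the patch header (Upstream-Status: Backport, the r1332643 link and PR 52210) record the provenance instead.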
>>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>>> +--- a/modules/ssl/mod_ssl.c
>>> ++++ b/modules/ssl/mod_ssl.c
>>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>>> + AP_END_CMD
>>> + };
>>> +
>>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>> ++ modssl, AP, int, npn_advertise_protos_hook,
>>> ++ (conn_rec *connection, apr_array_header_t *protos),
>>> ++ (connection, protos), OK, DECLINED);
>>> ++
>>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
>>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>>> ++
>>> + /*
>>> + * the various processing hooks
>>> + */
>>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>>> +--- a/modules/ssl/mod_ssl.h
>>> ++++ b/modules/ssl/mod_ssl.h
>>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
>>> +
>>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>>> +
>>> ++/** The npn_advertise_protos optional hook allows other modules to add entries
>>> ++ * to the list of protocol names advertised by the server during the Next
>>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
>>> ++ * given the connection and an APR array; it should push one or more char*'s
>>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
>>> ++ * the array and return OK, or do nothing and return DECLINED. */
>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>>> ++ (conn_rec *connection, apr_array_header_t *protos));
>>> ++
>>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the
>>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation
>>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
>>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol
>>> ++ * that was never even advertised by the server. The hook callee is given the
>>> ++ * connection, a non-null-terminated string containing the protocol name, and
>>> ++ * the length of the string; it should do something appropriate (i.e. insert or
>>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */
>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>>> ++ (conn_rec *connection, const char *proto_name,
>>> ++ apr_size_t proto_name_len));
>>> ++
>>> + #endif /* __MOD_SSL_H__ */
>>> + /** @} */
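Review bot: the npn_advertise_protos_hook comment should state the wire-format constraint that ssl_callback_AdvertiseNextProtos enforces, namely that a pushed name longer than 255 bytes is logged and dropped rather than advertised, so a callee is not surprised by a silently missing entry. In the npn_proto_negotiated_hook comment, "i.e. insert or remove filters" should read "e.g." since those are examples rather than a definition, and the contract "may be the empty string" should be reconciled with what ssl_engine_io.c actually passes (see the note on that hunk).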
>>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
>>> +--- a/modules/ssl/ssl_engine_init.c
>>> ++++ b/modules/ssl/ssl_engine_init.c
>>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>>> +
>>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>>> ++
>>> ++#ifdef HAVE_TLS_NPN
>>> ++ SSL_CTX_set_next_protos_advertised_cb(
>>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>>> ++#endif
>>> + }
>>> +
>>> + static void ssl_init_ctx_verify(server_rec *s,
>>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>>> +--- a/modules/ssl/ssl_engine_io.c
>>> ++++ b/modules/ssl/ssl_engine_io.c
>>> +@@ -28,6 +28,7 @@
>>> + core keeps dumping.''
>>> + -- Unknown */
>>> + #include "ssl_private.h"
>>> ++#include "mod_ssl.h"
>>> + #include "apr_date.h"
>>> +
>>> + /* _________________________________________________________________
>>> +@@ -297,6 +298,7 @@ typedef struct {
>>> + apr_pool_t *pool;
>>> + char buffer[AP_IOBUFSIZE];
>>> + ssl_filter_ctx_t *filter_ctx;
>>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>>> + } bio_filter_in_ctx_t;
>>> +
>>> + /*
>>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
>>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>>> + }
>>> +
>>> ++#ifdef HAVE_TLS_NPN
>>> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
>>> ++ * our version of OpenSSL supports it). If we haven't already, find out
>>> ++ * which protocol was decided upon and inform other modules by calling
>>> ++ * npn_proto_negotiated_hook. */
>>> ++ if (!inctx->npn_finished) {
>>> ++ const unsigned char *next_proto = NULL;
>>> ++ unsigned next_proto_len = 0;
>>> ++
>>> ++ SSL_get0_next_proto_negotiated(
>>> ++ inctx->ssl, &next_proto, &next_proto_len);
>>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>>> ++ "SSL NPN negotiated protocol: '%s'",
>>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
>>> ++ next_proto_len));
>>> ++ modssl_run_npn_proto_negotiated_hook(
>>> ++ f->c, (const char*)next_proto, next_proto_len);
>>> ++ inctx->npn_finished = 1;
>>> ++ }
>>> ++#endif
>>> ++
>>> + return APR_SUCCESS;
>>> + }
>>> +
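Review bot: when no protocol was negotiated, SSL_get0_next_proto_negotiated leaves next_proto as NULL and next_proto_len as 0, so modssl_run_npn_proto_negotiated_hook is invoked with a NULL proto_name even though the mod_ssl.h comment promises callees "the empty string"; either substitute an empty string before the hook call, e.g. `if (next_proto == NULL) next_proto = (const unsigned char *)"";`, or document that proto_name may be NULL. The debug log line happens to tolerate the NULL through apr_pstrmemdup, but third-party hook callees that call strncmp or memcmp on proto_name will not.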
>>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>>> + inctx->block = APR_BLOCK_READ;
>>> + inctx->pool = c->pool;
>>> + inctx->filter_ctx = filter_ctx;
>>> ++ inctx->npn_finished = 0;
>>> + }
>>> +
>>> + /* The request_rec pointer is passed in here only to ensure that the
>>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
>>> +--- a/modules/ssl/ssl_engine_kernel.c
>>> ++++ b/modules/ssl/ssl_engine_kernel.c
>>> +@@ -29,6 +29,7 @@
>>> + time I was too famous.''
>>> + -- Unknown */
>>> + #include "ssl_private.h"
>>> ++#include "mod_ssl.h"
>>> + #include "util_md5.h"
>>> +
>>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
>>> + }
>>> +
>>> + #endif /* HAVE_SRP */
>>> ++
>>> ++#ifdef HAVE_TLS_NPN
>>> ++/*
>>> ++ * This callback function is executed when SSL needs to decide what protocols
>>> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
>>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating
>>> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
>>> ++ * in OpenSSL for reference.
>>> ++ */
>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
>>> ++ unsigned int *size_out, void *arg)
>>> ++{
>>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>>> ++ apr_array_header_t *protos;
>>> ++ int num_protos;
>>> ++ unsigned int size;
>>> ++ int i;
>>> ++ unsigned char *data;
>>> ++ unsigned char *start;
>>> ++
>>> ++ *data_out = NULL;
>>> ++ *size_out = 0;
>>> ++
>>> ++ /* If the connection object is not available, then there's nothing for us
>>> ++ * to do. */
>>> ++ if (c == NULL) {
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++ }
>>> ++
>>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
>>> ++ * add alternate protocol names to advertise. */
>>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>>> ++ num_protos = protos->nelts;
>>> ++
>>> ++ /* We now have a list of null-terminated strings; we need to concatenate
>>> ++ * them together into a single string, where each protocol name is prefixed
>>> ++ * by its length. First, calculate how long that string will be. */
>>> ++ size = 0;
>>> ++ for (i = 0; i < num_protos; ++i) {
>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>> ++ unsigned int length = strlen(string);
>>> ++ /* If the protocol name is too long (the length must fit in one byte),
>>> ++ * then log an error and skip it. */
>>> ++ if (length > 255) {
>>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>>> ++ "SSL NPN protocol name too long (length=%u): %s",
>>> ++ length, string);
>>> ++ continue;
>>> ++ }
>>> ++ /* Leave room for the length prefix (one byte) plus the protocol name
>>> ++ * itself. */
>>> ++ size += 1 + length;
>>> ++ }
>>> ++
>>> ++ /* If there is nothing to advertise (either because no modules added
>>> ++ * anything to the protos array, or because all strings added to the array
>>> ++ * were skipped), then we're done. */
>>> ++ if (size == 0) {
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++ }
>>> ++
>>> ++ /* Now we can build the string. Copy each protocol name string into the
>>> ++ * larger string, prefixed by its length. */
>>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>>> ++ start = data;
>>> ++ for (i = 0; i < num_protos; ++i) {
>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>> ++ apr_size_t length = strlen(string);
>>> ++ *start = (unsigned char)length;
>>> ++ ++start;
>>> ++ memcpy(start, string, length * sizeof(unsigned char));
>>> ++ start += length;
>>> ++ }
>>> ++
>>> ++ /* Success. */
>>> ++ *data_out = data;
>>> ++ *size_out = size;
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++}
>>> ++#endif /* HAVE_TLS_NPN */
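Review bot: the two loops in ssl_callback_AdvertiseNextProtos disagree about over-long names: the sizing loop skips any entry with length > 255, but the copy loop copies every entry unconditionally, truncates the length byte with `*start = (unsigned char)length;` and then memcpy's the full name, so a single over-long entry pushed by any module makes the writes run past the `size`-byte buffer obtained from apr_palloc. Repeat the `if (length > 255) continue;` check in the second loop (or filter the array once into the accepted entries and size and copy from that), and use the same type for `length` in both loops instead of `unsigned int` in one and `apr_size_t` in the other.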
>>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>>> +--- a/modules/ssl/ssl_private.h
>>> ++++ b/modules/ssl/ssl_private.h
>>> +@@ -123,6 +123,11 @@
>>> + #define MODSSL_SSL_METHOD_CONST
>>> + #endif
>>> +
>>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
>>> ++ && !defined(OPENSSL_NO_TLSEXT)
>>> ++#define HAVE_TLS_NPN
>>> ++#endif
>>> ++
>>> + #if defined(OPENSSL_FIPS)
>>> + #define HAVE_FIPS
>>> + #endif
>>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
>>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
>>> + EVP_CIPHER_CTX *, HMAC_CTX *, int);
>>> + #endif
>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
>>> +
>>> + /** Session Cache Support */
>>> + void ssl_scache_init(server_rec *, apr_pool_t *);
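Review bot: the ssl_callback_AdvertiseNextProtos prototype is added unconditionally while both its definition in ssl_engine_kernel.c and its only caller in ssl_engine_init.c sit inside `#ifdef HAVE_TLS_NPN`; wrap the prototype in the same guard (HAVE_TLS_NPN is defined a few lines up in this header) so a stray call in a non-NPN build fails at compile time rather than at link time, and use the definition's parameter names (`data_out`, `size_out`) here so the two can be matched by grep.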
>>> +--
>>> +1.8.1.2
>>> +
>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> index f23776f..3c038a9 100644
>>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>>> file://apache-ssl-ltmain-rpath.patch \
>>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>>> + file://npn-patch-2.4.7.patch \
>>> file://init \
>>> file://apache2-volatile.conf"
>>>
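Review bot: the new SRC_URI entry embeds the httpd version in the patch name even though the file lives in the version-independent apache2/ directory (meta-webserver/recipes-httpd/apache2/apache2/), so it will need a rename on the next upgrade; since the patch header already records Upstream-Status: Backport and the upstream revision, a version-free name such as npn-patch.patch would do. A trailing comment noting that the patch only takes effect when the build's OpenSSL is 1.0.1 or newer without OPENSSL_NO_NEXTPROTONEG (the HAVE_TLS_NPN condition in ssl_private.h) would help whoever next bumps this recipe.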
>>>
>>
>>
>
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 17:17 ` Khem Raj
@ 2014-03-03 1:25 ` Hongxu Jia
0 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-03-03 1:25 UTC (permalink / raw)
To: openembedded-devel; +Cc: Paul Eggleton
On 03/01/2014 01:17 AM, Khem Raj wrote:
> On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>>> apache2-2.4.6 and conflicted with apache2-2.4.7; this patch fixed the
>>>> conflict with 2.4.7.
>>> Hongxu,
>>>
>>> Thanks, that's a good step. Even better would be to add the
>>> apache module that supports SPDY and confirm that it works
>>> with your desktop (google-chrome) browser.
>>>
>>> See:
>>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>>
>>> and
>>>
>>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>> Hi Randy,
>>
>> I have tested it; SSL worked well with the new patch,
>> but mod_spdy doesn't support 2.4.7 for now, and the
>> SPDY test failed.
>> http://code.google.com/p/mod-spdy/issues/detail?id=63
>> http://code.google.com/p/mod-spdy/issues/detail?id=64
>> http://code.google.com/p/mod-spdy/issues/detail?id=65
>> ...
>> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
>> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
>> ...
>>
> spdy does not work with apache 2.4 but there is a port, see
>
> https://github.com/eousphoros/mod-spdy
>
> Try to backport what is needed.
Yes, I have tried, but there are plenty of errors:
...
jiahongxu:src$ make BUILDTYPE=Release
ACTION Regenerating Makefile
Updating projects from gyp files...
Traceback (most recent call last):
File "./build/gyp_chromium", line 24, in <module>
execfile(os.path.join(chrome_src, 'build', 'gyp_chromium'))
File "third_party/chromium/src/build/gyp_chromium", line 173, in <module>
sys.exit(gyp.main(args))
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py", line 471, in main
options.circular_check)
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py", line 111, in Load
depth, generator_input_info, check, circular_check)
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 2378, in Load
depth, check)
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 358, in LoadTargetBuildFile
includes, True, check)
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 231, in LoadOneBuildFile
aux_data, variables, includes, check)
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 269, in LoadBuildFileIncludesIntoDict
False, check),
File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 208, in LoadOneBuildFile
raise Exception("%s not found (cwd: %s)" % (build_file_path, os.getcwd()))
Exception: /root/mod_spdy/src/build/common.gypi not found (cwd: /home/jiahongxu/mod_spdy/mod-spdy/src) while reading includes of build/all.gyp while trying to load build/all.gyp
make: *** [Makefile] Error 1
...
//Hongxu
>
>> //Hongxu
>>
>>> It doesn't seem to be a huge task but let us know what you find out.
>>>
>>> ../Randy
>>>
>>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> ---
>>>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
>>>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>>>> 2 files changed, 290 insertions(+)
>>>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>>
>>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>> new file mode 100644
>>>> index 0000000..a4f1855
>>>> --- /dev/null
>>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>> @@ -0,0 +1,289 @@
>>>> +Add support for TLS Next Protocol Negotiation:
>>>> +
>>>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>>>> + hooks for next protocol advertisement/discovery.
>>>> +
>>>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>>>> + NPN advertisement callback in handshake.
>>>> +
>>>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>>>> + next-protocol discovery hook.
>>>> +
>>>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>>>> + New callback.
>>>> +
>>>> +* modules/ssl/ssl_private.h: Add prototype.
>>>> +
>>>> +Submitted by: Matthew Steele <mdsteele google.com>
>>>> + with slight tweaks by jorton
>>>> +
>>>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>>>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>>>> +Upstream-Status: Backport
>>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> +---
>>>> + CHANGES | 2 +
>>>> + modules/ssl/mod_ssl.c | 12 ++++++
>>>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>>>> + modules/ssl/ssl_engine_init.c | 5 +++
>>>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>>>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
>>>> + modules/ssl/ssl_private.h | 6 +++
>>>> + 7 files changed, 152 insertions(+)
>>>> +
>>>> +diff --git a/CHANGES b/CHANGES
>>>> +--- a/CHANGES
>>>> ++++ b/CHANGES
>>>> +@@ -1,6 +1,8 @@
>>>> + -*- coding: utf-8 -*-
>>>> +
>>>> + Changes with Apache 2.4.7
>>>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>>>> ++ [Matthew Steele <mdsteele google.com>]
>>>> +
>>>> + *) APR 1.5.0 or later is now required for the event MPM.
>>>> +
>>>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>>>> +--- a/modules/ssl/mod_ssl.c
>>>> ++++ b/modules/ssl/mod_ssl.c
>>>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>>>> + AP_END_CMD
>>>> + };
>>>> +
>>>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>>> ++ modssl, AP, int, npn_advertise_protos_hook,
>>>> ++ (conn_rec *connection, apr_array_header_t *protos),
>>>> ++ (connection, protos), OK, DECLINED);
>>>> ++
>>>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>>>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
>>>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>>>> ++
>>>> + /*
>>>> + * the various processing hooks
>>>> + */
>>>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>>>> +--- a/modules/ssl/mod_ssl.h
>>>> ++++ b/modules/ssl/mod_ssl.h
>>>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
>>>> +
>>>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>>>> +
>>>> ++/** The npn_advertise_protos optional hook allows other modules to add entries
>>>> ++ * to the list of protocol names advertised by the server during the Next
>>>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
>>>> ++ * given the connection and an APR array; it should push one or more char*'s
>>>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
>>>> ++ * the array and return OK, or do nothing and return DECLINED. */
>>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>>>> ++ (conn_rec *connection, apr_array_header_t *protos));
>>>> ++
>>>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the
>>>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation
>>>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
>>>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol
>>>> ++ * that was never even advertised by the server. The hook callee is given the
>>>> ++ * connection, a non-null-terminated string containing the protocol name, and
>>>> ++ * the length of the string; it should do something appropriate (i.e. insert or
>>>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */
>>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>>>> ++ (conn_rec *connection, const char *proto_name,
>>>> ++ apr_size_t proto_name_len));
>>>> ++
>>>> + #endif /* __MOD_SSL_H__ */
>>>> + /** @} */
>>>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
>>>> +--- a/modules/ssl/ssl_engine_init.c
>>>> ++++ b/modules/ssl/ssl_engine_init.c
>>>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>>>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>>>> +
>>>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>>>> ++
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++ SSL_CTX_set_next_protos_advertised_cb(
>>>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>>>> ++#endif
>>>> + }
>>>> +
>>>> + static void ssl_init_ctx_verify(server_rec *s,
>>>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>>>> +--- a/modules/ssl/ssl_engine_io.c
>>>> ++++ b/modules/ssl/ssl_engine_io.c
>>>> +@@ -28,6 +28,7 @@
>>>> + core keeps dumping.''
>>>> + -- Unknown */
>>>> + #include "ssl_private.h"
>>>> ++#include "mod_ssl.h"
>>>> + #include "apr_date.h"
>>>> +
>>>> + /* _________________________________________________________________
>>>> +@@ -297,6 +298,7 @@ typedef struct {
>>>> + apr_pool_t *pool;
>>>> + char buffer[AP_IOBUFSIZE];
>>>> + ssl_filter_ctx_t *filter_ctx;
>>>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>>>> + } bio_filter_in_ctx_t;
>>>> +
>>>> + /*
>>>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
>>>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>>>> + }
>>>> +
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
>>>> ++ * our version of OpenSSL supports it). If we haven't already, find out
>>>> ++ * which protocol was decided upon and inform other modules by calling
>>>> ++ * npn_proto_negotiated_hook. */
>>>> ++ if (!inctx->npn_finished) {
>>>> ++ const unsigned char *next_proto = NULL;
>>>> ++ unsigned next_proto_len = 0;
>>>> ++
>>>> ++ SSL_get0_next_proto_negotiated(
>>>> ++ inctx->ssl, &next_proto, &next_proto_len);
>>>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>>>> ++ "SSL NPN negotiated protocol: '%s'",
>>>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
>>>> ++ next_proto_len));
>>>> ++ modssl_run_npn_proto_negotiated_hook(
>>>> ++ f->c, (const char*)next_proto, next_proto_len);
>>>> ++ inctx->npn_finished = 1;
>>>> ++ }
>>>> ++#endif
>>>> ++
>>>> + return APR_SUCCESS;
>>>> + }
>>>> +
>>>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>>>> + inctx->block = APR_BLOCK_READ;
>>>> + inctx->pool = c->pool;
>>>> + inctx->filter_ctx = filter_ctx;
>>>> ++ inctx->npn_finished = 0;
>>>> + }
>>>> +
>>>> + /* The request_rec pointer is passed in here only to ensure that the
>>>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
>>>> +--- a/modules/ssl/ssl_engine_kernel.c
>>>> ++++ b/modules/ssl/ssl_engine_kernel.c
>>>> +@@ -29,6 +29,7 @@
>>>> + time I was too famous.''
>>>> + -- Unknown */
>>>> + #include "ssl_private.h"
>>>> ++#include "mod_ssl.h"
>>>> + #include "util_md5.h"
>>>> +
>>>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>>>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
>>>> + }
>>>> +
>>>> + #endif /* HAVE_SRP */
>>>> ++
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++/*
>>>> ++ * This callback function is executed when SSL needs to decide what protocols
>>>> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
>>>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating
>>>> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
>>>> ++ * in OpenSSL for reference.
>>>> ++ */
>>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
>>>> ++ unsigned int *size_out, void *arg)
>>>> ++{
>>>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>>>> ++ apr_array_header_t *protos;
>>>> ++ int num_protos;
>>>> ++ unsigned int size;
>>>> ++ int i;
>>>> ++ unsigned char *data;
>>>> ++ unsigned char *start;
>>>> ++
>>>> ++ *data_out = NULL;
>>>> ++ *size_out = 0;
>>>> ++
>>>> ++ /* If the connection object is not available, then there's nothing for us
>>>> ++ * to do. */
>>>> ++ if (c == NULL) {
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++ }
>>>> ++
>>>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
>>>> ++ * add alternate protocol names to advertise. */
>>>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>>>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>>>> ++ num_protos = protos->nelts;
>>>> ++
>>>> ++ /* We now have a list of null-terminated strings; we need to concatenate
>>>> ++ * them together into a single string, where each protocol name is prefixed
>>>> ++ * by its length. First, calculate how long that string will be. */
>>>> ++ size = 0;
>>>> ++ for (i = 0; i < num_protos; ++i) {
>>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>>> ++ unsigned int length = strlen(string);
>>>> ++ /* If the protocol name is too long (the length must fit in one byte),
>>>> ++ * then log an error and skip it. */
>>>> ++ if (length > 255) {
>>>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>>>> ++ "SSL NPN protocol name too long (length=%u): %s",
>>>> ++ length, string);
>>>> ++ continue;
>>>> ++ }
>>>> ++ /* Leave room for the length prefix (one byte) plus the protocol name
>>>> ++ * itself. */
>>>> ++ size += 1 + length;
>>>> ++ }
>>>> ++
>>>> ++ /* If there is nothing to advertise (either because no modules added
>>>> ++ * anything to the protos array, or because all strings added to the array
>>>> ++ * were skipped), then we're done. */
>>>> ++ if (size == 0) {
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++ }
>>>> ++
>>>> ++ /* Now we can build the string. Copy each protocol name string into the
>>>> ++ * larger string, prefixed by its length. */
>>>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>>>> ++ start = data;
>>>> ++ for (i = 0; i < num_protos; ++i) {
>>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>>> ++ apr_size_t length = strlen(string);
>>>> ++ *start = (unsigned char)length;
>>>> ++ ++start;
>>>> ++ memcpy(start, string, length * sizeof(unsigned char));
>>>> ++ start += length;
>>>> ++ }
>>>> ++
>>>> ++ /* Success. */
>>>> ++ *data_out = data;
>>>> ++ *size_out = size;
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++}
>>>> ++#endif /* HAVE_TLS_NPN */
>>>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>>>> +--- a/modules/ssl/ssl_private.h
>>>> ++++ b/modules/ssl/ssl_private.h
>>>> +@@ -123,6 +123,11 @@
>>>> + #define MODSSL_SSL_METHOD_CONST
>>>> + #endif
>>>> +
>>>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
>>>> ++ && !defined(OPENSSL_NO_TLSEXT)
>>>> ++#define HAVE_TLS_NPN
>>>> ++#endif
>>>> ++
>>>> + #if defined(OPENSSL_FIPS)
>>>> + #define HAVE_FIPS
>>>> + #endif
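Review bot: `HAVE_TLS_NPN` is defined here with no comment explaining the three conditions, yet the `#ifdef HAVE_TLS_NPN` blocks elsewhere in the patch are the only place the reader meets it; a one-line comment above the `#define` saying that the NPN API first appears in OpenSSL 1.0.1 (`0x10001000L`) and is compiled out by `OPENSSL_NO_NEXTPROTONEG` or `OPENSSL_NO_TLSEXT` would save the next person who has to lift this floor a trip through the OpenSSL headers. The conditions themselves look right for that API.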
>>>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
>>>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
>>>> + EVP_CIPHER_CTX *, HMAC_CTX *, int);
>>>> + #endif
>>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
>>>> +
>>>> + /** Session Cache Support */
>>>> + void ssl_scache_init(server_rec *, apr_pool_t *);
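Review bot: the prototype for `ssl_callback_AdvertiseNextProtos` is added outside any `#ifdef HAVE_TLS_NPN`, while its definition is closed by `#endif /* HAVE_TLS_NPN */`; wrap the declaration the same way the neighbouring `ssl_callback_SessionTicket` prototype sits inside its own `#endif`, so a build without NPN support does not declare a function that is never defined. The declaration also runs well past the column width the surrounding prototypes keep to; break it after `SSL *ssl,` and align the remaining arguments as `ssl_callback_SessionTicket` does.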
>>>> +--
>>>> +1.8.1.2
>>>> +
>>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> index f23776f..3c038a9 100644
>>>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>>>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>>>> file://apache-ssl-ltmain-rpath.patch \
>>>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>>>> + file://npn-patch-2.4.7.patch \
>>>> file://init \
>>>> file://apache2-volatile.conf"
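Review bot: the new SRC_URI entry names the patch after the httpd release (`npn-patch-2.4.7.patch`) while the patches next to it are named by what they do (`apache-ssl-ltmain-rpath.patch`, `replace-lynx-to-curl-in-apachectl-script.patch`); a release-neutral name such as `apache2-tls-npn.patch` (hypothetical) would not need renaming at the next upgrade, when the recipe file itself moves from `apache2_2.4.7.bb` to the new version. Please also make sure the patch header carries the `Upstream-Status:` line the layer expects on every locally carried patch; it is not visible in this hunk.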
>>>>
>>>>
>>>
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
Thread overview: 10+ messages
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
2014-02-27 19:08 ` Randy MacLeod
2014-02-28 10:21 ` Hongxu Jia
2014-02-28 17:17 ` Khem Raj
2014-03-03 1:25 ` Hongxu Jia
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton