* [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
@ 2014-02-27 3:22 Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
` (4 more replies)
0 siblings, 5 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw)
To: openembedded-devel; +Cc: paul.eggleton
Change in V2:
apache2-2.4.7: added support for TLS Next Protocol Negotiation
The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
apache2-2.4.6 and conflicted with apache2-2.4.7, 4/4 patch fixed the
confliction with 2.4.7.
//Hongxu
The following changes since commit 8089aa451827cb791c7d795b9899dc152d1ceb66:
vlc: Fix build with flac-1.3.0 (2014-02-24 10:10:25 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib hongxu/upgrade-apache2
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/upgrade-apache2
Hongxu Jia (1):
apache2-2.4.7: added support for TLS Next Protocol Negotiation
Paul Eggleton (3):
apache2: update to 2.4.7
modphp: upgrade to 5.5.8
phpmyadmin: update to 4.1.4
...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +-
.../apache-configure_perlbin.patch | 0
.../apache-ssl-ltmain-rpath.patch | 0
.../fix-libtool-name.patch | 0
.../httpd-2.4.1-corelimit.patch | 0
.../httpd-2.4.1-selinux.patch | 0
.../httpd-2.4.4-export.patch | 0
.../npn-patch-2.4.7.patch} | 111 +++++++++++++--------
.../replace-lynx-to-curl-in-apachectl-script.patch | 0
.../server-makefile.patch | 0
.../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 8 +-
meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 --
meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 ++
.../{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 +-
14 files changed, 86 insertions(+), 57 deletions(-)
rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6/httpd-2.4.4-r1332643.patch => apache2/npn-patch-2.4.7.patch} (80%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%)
delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%)
--
1.8.1.2
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/4][meta-webserver] apache2: update to 2.4.7
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw)
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
* LIC_FILES_CHKSUM changed because of the introduction of an extra blank
line in the LICENSE file (!)
* Drop httpd-2.4.4-r1332643.patch - it no longer applies and was dropped
in Fedora on the 2.4.7 upgrade.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../apache2-2.4.6/httpd-2.4.4-r1332643.patch | 260 ---------------------
...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +-
.../apache-configure_perlbin.patch | 0
.../apache-ssl-ltmain-rpath.patch | 0
.../fix-libtool-name.patch | 0
.../httpd-2.4.1-corelimit.patch | 0
.../httpd-2.4.1-selinux.patch | 0
.../httpd-2.4.4-export.patch | 0
.../replace-lynx-to-curl-in-apachectl-script.patch | 0
.../server-makefile.patch | 0
.../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 7 +-
11 files changed, 6 insertions(+), 267 deletions(-)
delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%)
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch b/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
deleted file mode 100644
index ba28231..0000000
--- a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-Add support for TLS Next Protocol Negotiation:
-
-* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
- hooks for next protocol advertisement/discovery.
-
-* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
- NPN advertisement callback in handshake.
-
-* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
- next-protocol discovery hook.
-
-* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
- New callback.
-
-* modules/ssl/ssl_private.h: Add prototype.
-
-Submitted by: Matthew Steele <mdsteele google.com>
- with slight tweaks by jorton
-
-https://bugzilla.redhat.com//show_bug.cgi?id=809599
-
-http://svn.apache.org/viewvc?view=revision&revision=1332643
-
-Upstream-Status: Backport
-
---- httpd-2.4.4/modules/ssl/ssl_private.h
-+++ httpd-2.4.4/modules/ssl/ssl_private.h
-@@ -139,6 +139,11 @@
- #define HAVE_FIPS
- #endif
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
-+ && !defined(OPENSSL_NO_TLSEXT)
-+#define HAVE_TLS_NPN
-+#endif
-+
- #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
- #define MODSSL_SSL_CIPHER_CONST const
- #define MODSSL_SSL_METHOD_CONST const
-@@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
- EVP_CIPHER_CTX *, HMAC_CTX *, int);
- #endif
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
-
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
---- httpd-2.4.4/modules/ssl/mod_ssl.c
-+++ httpd-2.4.4/modules/ssl/mod_ssl.c
-@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds[] = {
- AP_END_CMD
- };
-
-+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos),
-+ (connection, protos), OK, DECLINED);
-+
-+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
-+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
-+ modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
-+ (connection, proto_name, proto_name_len), OK, DECLINED);
-+
- /*
- * the various processing hooks
- */
---- httpd-2.4.4/modules/ssl/mod_ssl.h
-+++ httpd-2.4.4/modules/ssl/mod_ssl.h
-@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
-
- APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
-
-+/** The npn_advertise_protos optional hook allows other modules to add entries
-+ * to the list of protocol names advertised by the server during the Next
-+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
-+ * given the connection and an APR array; it should push one or more char*'s
-+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
-+ * the array and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
-+ (conn_rec *connection, apr_array_header_t *protos));
-+
-+/** The npn_proto_negotiated optional hook allows other modules to discover the
-+ * name of the protocol that was chosen during the Next Protocol Negotiation
-+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
-+ * (in which case modules should probably assume HTTP), or it may be a protocol
-+ * that was never even advertised by the server. The hook callee is given the
-+ * connection, a non-null-terminated string containing the protocol name, and
-+ * the length of the string; it should do something appropriate (i.e. insert or
-+ * remove filters) and return OK, or do nothing and return DECLINED. */
-+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
-+ (conn_rec *connection, const char *proto_name,
-+ apr_size_t proto_name_len));
-+
- #endif /* __MOD_SSL_H__ */
- /** @} */
---- httpd-2.4.4/modules/ssl/ssl_engine_init.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
-@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
- #endif
-
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-+
-+#ifdef HAVE_TLS_NPN
-+ SSL_CTX_set_next_protos_advertised_cb(
-+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
-+#endif
- }
-
- static void ssl_init_ctx_verify(server_rec *s,
---- httpd-2.4.4/modules/ssl/ssl_engine_io.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
-@@ -28,6 +28,7 @@
- core keeps dumping.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "apr_date.h"
-
- /* _________________________________________________________________
-@@ -297,6 +298,7 @@ typedef struct {
- apr_pool_t *pool;
- char buffer[AP_IOBUFSIZE];
- ssl_filter_ctx_t *filter_ctx;
-+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
- } bio_filter_in_ctx_t;
-
- /*
-@@ -1385,6 +1387,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
- APR_BRIGADE_INSERT_TAIL(bb, bucket);
- }
-
-+#ifdef HAVE_TLS_NPN
-+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
-+ * our version of OpenSSL supports it). If we haven't already, find out
-+ * which protocol was decided upon and inform other modules by calling
-+ * npn_proto_negotiated_hook. */
-+ if (!inctx->npn_finished) {
-+ const unsigned char *next_proto = NULL;
-+ unsigned next_proto_len = 0;
-+
-+ SSL_get0_next_proto_negotiated(
-+ inctx->ssl, &next_proto, &next_proto_len);
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-+ "SSL NPN negotiated protocol: '%s'",
-+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
-+ next_proto_len));
-+ modssl_run_npn_proto_negotiated_hook(
-+ f->c, (const char*)next_proto, next_proto_len);
-+ inctx->npn_finished = 1;
-+ }
-+#endif
-+
- return APR_SUCCESS;
- }
-
-@@ -1866,6 +1889,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
- inctx->block = APR_BLOCK_READ;
- inctx->pool = c->pool;
- inctx->filter_ctx = filter_ctx;
-+ inctx->npn_finished = 0;
- }
-
- /* The request_rec pointer is passed in here only to ensure that the
---- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
-@@ -29,6 +29,7 @@
- time I was too famous.''
- -- Unknown */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "util_md5.h"
-
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-@@ -2186,3 +2187,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
- }
-
- #endif /* OPENSSL_NO_SRP */
-+
-+#ifdef HAVE_TLS_NPN
-+/*
-+ * This callback function is executed when SSL needs to decide what protocols
-+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
-+ * string in wire format -- a sequence of length-prefixed strings -- indicating
-+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
-+ * in OpenSSL for reference.
-+ */
-+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
-+ unsigned int *size_out, void *arg)
-+{
-+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
-+ apr_array_header_t *protos;
-+ int num_protos;
-+ unsigned int size;
-+ int i;
-+ unsigned char *data;
-+ unsigned char *start;
-+
-+ *data_out = NULL;
-+ *size_out = 0;
-+
-+ /* If the connection object is not available, then there's nothing for us
-+ * to do. */
-+ if (c == NULL) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
-+ * add alternate protocol names to advertise. */
-+ protos = apr_array_make(c->pool, 0, sizeof(char*));
-+ modssl_run_npn_advertise_protos_hook(c, protos);
-+ num_protos = protos->nelts;
-+
-+ /* We now have a list of null-terminated strings; we need to concatenate
-+ * them together into a single string, where each protocol name is prefixed
-+ * by its length. First, calculate how long that string will be. */
-+ size = 0;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ unsigned int length = strlen(string);
-+ /* If the protocol name is too long (the length must fit in one byte),
-+ * then log an error and skip it. */
-+ if (length > 255) {
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+ "SSL NPN protocol name too long (length=%u): %s",
-+ length, string);
-+ continue;
-+ }
-+ /* Leave room for the length prefix (one byte) plus the protocol name
-+ * itself. */
-+ size += 1 + length;
-+ }
-+
-+ /* If there is nothing to advertise (either because no modules added
-+ * anything to the protos array, or because all strings added to the array
-+ * were skipped), then we're done. */
-+ if (size == 0) {
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+
-+ /* Now we can build the string. Copy each protocol name string into the
-+ * larger string, prefixed by its length. */
-+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
-+ start = data;
-+ for (i = 0; i < num_protos; ++i) {
-+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
-+ apr_size_t length = strlen(string);
-+ *start = (unsigned char)length;
-+ ++start;
-+ memcpy(start, string, length * sizeof(unsigned char));
-+ start += length;
-+ }
-+
-+ /* Success. */
-+ *data_out = data;
-+ *size_out = size;
-+ return SSL_TLSEXT_ERR_OK;
-+}
-+#endif
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
similarity index 84%
rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb
rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
index 6efd469..bd935eb 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb
@@ -12,9 +12,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2"
S = "${WORKDIR}/httpd-${PV}"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc"
-SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe"
-SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
+SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e"
+SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b"
do_configure () {
./configure --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch b/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
similarity index 100%
rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch
rename to meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
similarity index 95%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
index cc88fac..f23776f 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
@@ -11,7 +11,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://httpd-2.4.1-corelimit.patch \
file://httpd-2.4.4-export.patch \
file://httpd-2.4.1-selinux.patch \
- file://httpd-2.4.4-r1332643.patch \
file://apache-configure_perlbin.patch \
file://replace-lynx-to-curl-in-apachectl-script.patch \
file://apache-ssl-ltmain-rpath.patch \
@@ -19,9 +18,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://init \
file://apache2-volatile.conf"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc"
-SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe"
-SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
+SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e"
+SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b"
S = "${WORKDIR}/httpd-${PV}"
--
1.8.1.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
` (2 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw)
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 -------
meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 +++++++
2 files changed, 7 insertions(+), 7 deletions(-)
delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
deleted file mode 100644
index 3c23242..0000000
--- a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include modphp5.inc
-
-EXTRA_OECONF += "--disable-opcache"
-
-SRC_URI[md5sum] = "caf7f4d86514a568fb3c8021b096a9f0"
-SRC_URI[sha256sum] = "e72aaf1fa96eac0bff127bfc74c174d1de50cd3f66d7e0e1ee919674ab463bb7"
-
diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
new file mode 100644
index 0000000..04925fb
--- /dev/null
+++ b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
@@ -0,0 +1,7 @@
+include modphp5.inc
+
+EXTRA_OECONF += "--disable-opcache"
+
+SRC_URI[md5sum] = "42fe814a3cbbf34b21a2c39f66ee0001"
+SRC_URI[sha256sum] = "6d5f45659d13383fc8429f185cc9da0b30c7bb72dcae9baf568f0511eb7f8b68"
+
--
1.8.1.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton
4 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw)
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%)
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
similarity index 87%
rename from meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb
rename to meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
index f97dc91..c2bc8bb 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
file://apache.conf"
-SRC_URI[md5sum] = "5cc493908d09df1760c7cdcd1622ebf7"
-SRC_URI[sha256sum] = "f4df1190441ce5e094183cfadf8aec4af3a4f131339599e6380a1c6ac0a11fe4"
+SRC_URI[md5sum] = "9802ba0a7ee6afd8941dc8d0af589913"
+SRC_URI[sha256sum] = "4bd23cda85b3ac4e44a1e472a461638230020af78bd03d7178f60d55b8bb1331"
S = "${WORKDIR}/phpMyAdmin-${PV}-all-languages"
--
1.8.1.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
` (2 preceding siblings ...)
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
@ 2014-02-27 3:22 ` Hongxu Jia
2014-02-27 19:08 ` Randy MacLeod
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton
4 siblings, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw)
To: openembedded-devel; +Cc: paul.eggleton
The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
confliction with 2.4.7.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
.../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
2 files changed, 290 insertions(+)
create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
new file mode 100644
index 0000000..a4f1855
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
@@ -0,0 +1,289 @@
+Add support for TLS Next Protocol Negotiation:
+
+* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
+ hooks for next protocol advertisement/discovery.
+
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
+ NPN advertisement callback in handshake.
+
+* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
+ next-protocol discovery hook.
+
+* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
+ New callback.
+
+* modules/ssl/ssl_private.h: Add prototype.
+
+Submitted by: Matthew Steele <mdsteele google.com>
+ with slight tweaks by jorton
+
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+Upstream-Status: Backport
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ CHANGES | 2 +
+ modules/ssl/mod_ssl.c | 12 ++++++
+ modules/ssl/mod_ssl.h | 21 +++++++++++
+ modules/ssl/ssl_engine_init.c | 5 +++
+ modules/ssl/ssl_engine_io.c | 24 ++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
+ modules/ssl/ssl_private.h | 6 +++
+ 7 files changed, 152 insertions(+)
+
+diff --git a/CHANGES b/CHANGES
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,6 +1,8 @@
+ -*- coding: utf-8 -*-
+
+ Changes with Apache 2.4.7
++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
++ [Matthew Steele <mdsteele google.com>]
+
+ *) APR 1.5.0 or later is now required for the event MPM.
+
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
+ AP_END_CMD
+ };
+
++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos),
++ (connection, protos), OK, DECLINED);
++
++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
++ (connection, proto_name, proto_name_len), OK, DECLINED);
++
+ /*
+ * the various processing hooks
+ */
+diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
+--- a/modules/ssl/mod_ssl.h
++++ b/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+
++/** The npn_advertise_protos optional hook allows other modules to add entries
++ * to the list of protocol names advertised by the server during the Next
++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
++ * given the connection and an APR array; it should push one or more char*'s
++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
++ * the array and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos));
++
++/** The npn_proto_negotiated optional hook allows other modules to discover the
++ * name of the protocol that was chosen during the Next Protocol Negotiation
++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
++ * (in which case modules should probably assume HTTP), or it may be a protocol
++ * that was never even advertised by the server. The hook callee is given the
++ * connection, a non-null-terminated string containing the protocol name, and
++ * the length of the string; it should do something appropriate (i.e. insert or
++ * remove filters) and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name,
++ apr_size_t proto_name_len));
++
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++#ifdef HAVE_TLS_NPN
++ SSL_CTX_set_next_protos_advertised_cb(
++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
++#endif
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+ core keeps dumping.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "apr_date.h"
+
+ /* _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+ apr_pool_t *pool;
+ char buffer[AP_IOBUFSIZE];
+ ssl_filter_ctx_t *filter_ctx;
++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+
+ /*
+@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ }
+
++#ifdef HAVE_TLS_NPN
++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
++ * our version of OpenSSL supports it). If we haven't already, find out
++ * which protocol was decided upon and inform other modules by calling
++ * npn_proto_negotiated_hook. */
++ if (!inctx->npn_finished) {
++ const unsigned char *next_proto = NULL;
++ unsigned next_proto_len = 0;
++
++ SSL_get0_next_proto_negotiated(
++ inctx->ssl, &next_proto, &next_proto_len);
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
++ "SSL NPN negotiated protocol: '%s'",
++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
++ next_proto_len));
++ modssl_run_npn_proto_negotiated_hook(
++ f->c, (const char*)next_proto, next_proto_len);
++ inctx->npn_finished = 1;
++ }
++#endif
++
+ return APR_SUCCESS;
+ }
+
+@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
+ inctx->block = APR_BLOCK_READ;
+ inctx->pool = c->pool;
+ inctx->filter_ctx = filter_ctx;
++ inctx->npn_finished = 0;
+ }
+
+ /* The request_rec pointer is passed in here only to ensure that the
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+ time I was too famous.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "util_md5.h"
+
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+ }
+
+ #endif /* HAVE_SRP */
++
++#ifdef HAVE_TLS_NPN
++/*
++ * This callback function is executed when SSL needs to decide what protocols
++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
++ * in OpenSSL for reference.
++ */
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
++ unsigned int *size_out, void *arg)
++{
++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
++ apr_array_header_t *protos;
++ int num_protos;
++ unsigned int size;
++ int i;
++ unsigned char *data;
++ unsigned char *start;
++
++ *data_out = NULL;
++ *size_out = 0;
++
++ /* If the connection object is not available, then there's nothing for us
++ * to do. */
++ if (c == NULL) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
++ * add alternate protocol names to advertise. */
++ protos = apr_array_make(c->pool, 0, sizeof(char*));
++ modssl_run_npn_advertise_protos_hook(c, protos);
++ num_protos = protos->nelts;
++
++ /* We now have a list of null-terminated strings; we need to concatenate
++ * them together into a single string, where each protocol name is prefixed
++ * by its length. First, calculate how long that string will be. */
++ size = 0;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ unsigned int length = strlen(string);
++ /* If the protocol name is too long (the length must fit in one byte),
++ * then log an error and skip it. */
++ if (length > 255) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++ "SSL NPN protocol name too long (length=%u): %s",
++ length, string);
++ continue;
++ }
++ /* Leave room for the length prefix (one byte) plus the protocol name
++ * itself. */
++ size += 1 + length;
++ }
++
++ /* If there is nothing to advertise (either because no modules added
++ * anything to the protos array, or because all strings added to the array
++ * were skipped), then we're done. */
++ if (size == 0) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Now we can build the string. Copy each protocol name string into the
++ * larger string, prefixed by its length. */
++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
++ start = data;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ apr_size_t length = strlen(string);
++ *start = (unsigned char)length;
++ ++start;
++ memcpy(start, string, length * sizeof(unsigned char));
++ start += length;
++ }
++
++ /* Success. */
++ *data_out = data;
++ *size_out = size;
++ return SSL_TLSEXT_ERR_OK;
++}
++#endif /* HAVE_TLS_NPN */
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -123,6 +123,11 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
++ && !defined(OPENSSL_NO_TLSEXT)
++#define HAVE_TLS_NPN
++#endif
++
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
+--
+1.8.1.2
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
index f23776f..3c038a9 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
file://replace-lynx-to-curl-in-apachectl-script.patch \
file://apache-ssl-ltmain-rpath.patch \
file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
+ file://npn-patch-2.4.7.patch \
file://init \
file://apache2-volatile.conf"
--
1.8.1.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
` (3 preceding siblings ...)
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 9:47 ` Paul Eggleton
4 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2014-02-27 9:47 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-devel
Hi Hongxu,
On Thursday 27 February 2014 11:22:06 Hongxu Jia wrote:
> Change in V2:
> apache2-2.4.7: added support for TLS Next Protocol Negotiation
>
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7, 4/4 patch fixed the
> confliction with 2.4.7.
> //Hongxu
Thanks for doing this. For the modphp and phpmyadmin upgrades, I actually have
5.5.9 and 4.1.8 build-tested here; once I've tested them at runtime I'll send
a v3 (should be today).
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 19:08 ` Randy MacLeod
2014-02-28 10:21 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Randy MacLeod @ 2014-02-27 19:08 UTC (permalink / raw)
To: Hongxu Jia, openembedded-devel; +Cc: paul.eggleton
On 14-02-26 10:22 PM, Hongxu Jia wrote:
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
> confliction with 2.4.7.
Hongxu,
Thanks, that's a good step. Even better would be to add the
apache module that supports SPDY and confirm that it works
with your desktop (google-chrome) browser.
See:
http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
and
https://code.google.com/p/mod-spdy/wiki/GettingStarted
It doesn't seem to be a huge task but let us know what you find out.
../Randy
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
> 2 files changed, 290 insertions(+)
> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
> new file mode 100644
> index 0000000..a4f1855
> --- /dev/null
> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
> @@ -0,0 +1,289 @@
> +Add support for TLS Next Protocol Negotiation:
> +
> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
> + hooks for next protocol advertisement/discovery.
> +
> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
> + NPN advertisement callback in handshake.
> +
> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
> + next-protocol discovery hook.
> +
> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
> + New callback.
> +
> +* modules/ssl/ssl_private.h: Add prototype.
> +
> +Submitted by: Matthew Steele <mdsteele google.com>
> + with slight tweaks by jorton
> +
> +http://svn.apache.org/viewvc?view=revision&revision=1332643
> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
> +Upstream-Status: Backport
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + CHANGES | 2 +
> + modules/ssl/mod_ssl.c | 12 ++++++
> + modules/ssl/mod_ssl.h | 21 +++++++++++
> + modules/ssl/ssl_engine_init.c | 5 +++
> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
> + modules/ssl/ssl_private.h | 6 +++
> + 7 files changed, 152 insertions(+)
> +
> +diff --git a/CHANGES b/CHANGES
> +--- a/CHANGES
> ++++ b/CHANGES
> +@@ -1,6 +1,8 @@
> + -*- coding: utf-8 -*-
> +
> + Changes with Apache 2.4.7
> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
> ++ [Matthew Steele <mdsteele google.com>]
> +
> + *) APR 1.5.0 or later is now required for the event MPM.
> +
> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
> +--- a/modules/ssl/mod_ssl.c
> ++++ b/modules/ssl/mod_ssl.c
> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
> + AP_END_CMD
> + };
> +
> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
> ++ modssl, AP, int, npn_advertise_protos_hook,
> ++ (conn_rec *connection, apr_array_header_t *protos),
> ++ (connection, protos), OK, DECLINED);
> ++
> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
> ++ modssl, AP, int, npn_proto_negotiated_hook,
> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
> ++
> + /*
> + * the various processing hooks
> + */
> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
> +--- a/modules/ssl/mod_ssl.h
> ++++ b/modules/ssl/mod_ssl.h
> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
> +
> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
> +
> ++/** The npn_advertise_protos optional hook allows other modules to add entries
> ++ * to the list of protocol names advertised by the server during the Next
> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
> ++ * given the connection and an APR array; it should push one or more char*'s
> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
> ++ * the array and return OK, or do nothing and return DECLINED. */
> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
> ++ (conn_rec *connection, apr_array_header_t *protos));
> ++
> ++/** The npn_proto_negotiated optional hook allows other modules to discover the
> ++ * name of the protocol that was chosen during the Next Protocol Negotiation
> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
> ++ * (in which case modules should probably assume HTTP), or it may be a protocol
> ++ * that was never even advertised by the server. The hook callee is given the
> ++ * connection, a non-null-terminated string containing the protocol name, and
> ++ * the length of the string; it should do something appropriate (i.e. insert or
> ++ * remove filters) and return OK, or do nothing and return DECLINED. */
> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
> ++ (conn_rec *connection, const char *proto_name,
> ++ apr_size_t proto_name_len));
> ++
> + #endif /* __MOD_SSL_H__ */
> + /** @} */
> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
> +--- a/modules/ssl/ssl_engine_init.c
> ++++ b/modules/ssl/ssl_engine_init.c
> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
> +
> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
> ++
> ++#ifdef HAVE_TLS_NPN
> ++ SSL_CTX_set_next_protos_advertised_cb(
> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
> ++#endif
> + }
> +
> + static void ssl_init_ctx_verify(server_rec *s,
> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
> +--- a/modules/ssl/ssl_engine_io.c
> ++++ b/modules/ssl/ssl_engine_io.c
> +@@ -28,6 +28,7 @@
> + core keeps dumping.''
> + -- Unknown */
> + #include "ssl_private.h"
> ++#include "mod_ssl.h"
> + #include "apr_date.h"
> +
> + /* _________________________________________________________________
> +@@ -297,6 +298,7 @@ typedef struct {
> + apr_pool_t *pool;
> + char buffer[AP_IOBUFSIZE];
> + ssl_filter_ctx_t *filter_ctx;
> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
> + } bio_filter_in_ctx_t;
> +
> + /*
> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
> + }
> +
> ++#ifdef HAVE_TLS_NPN
> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
> ++ * our version of OpenSSL supports it). If we haven't already, find out
> ++ * which protocol was decided upon and inform other modules by calling
> ++ * npn_proto_negotiated_hook. */
> ++ if (!inctx->npn_finished) {
> ++ const unsigned char *next_proto = NULL;
> ++ unsigned next_proto_len = 0;
> ++
> ++ SSL_get0_next_proto_negotiated(
> ++ inctx->ssl, &next_proto, &next_proto_len);
> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
> ++ "SSL NPN negotiated protocol: '%s'",
> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
> ++ next_proto_len));
> ++ modssl_run_npn_proto_negotiated_hook(
> ++ f->c, (const char*)next_proto, next_proto_len);
> ++ inctx->npn_finished = 1;
> ++ }
> ++#endif
> ++
> + return APR_SUCCESS;
> + }
> +
> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
> + inctx->block = APR_BLOCK_READ;
> + inctx->pool = c->pool;
> + inctx->filter_ctx = filter_ctx;
> ++ inctx->npn_finished = 0;
> + }
> +
> + /* The request_rec pointer is passed in here only to ensure that the
> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
> +--- a/modules/ssl/ssl_engine_kernel.c
> ++++ b/modules/ssl/ssl_engine_kernel.c
> +@@ -29,6 +29,7 @@
> + time I was too famous.''
> + -- Unknown */
> + #include "ssl_private.h"
> ++#include "mod_ssl.h"
> + #include "util_md5.h"
> +
> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
> + }
> +
> + #endif /* HAVE_SRP */
> ++
> ++#ifdef HAVE_TLS_NPN
> ++/*
> ++ * This callback function is executed when SSL needs to decide what protocols
> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating
> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
> ++ * in OpenSSL for reference.
> ++ */
> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
> ++ unsigned int *size_out, void *arg)
> ++{
> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
> ++ apr_array_header_t *protos;
> ++ int num_protos;
> ++ unsigned int size;
> ++ int i;
> ++ unsigned char *data;
> ++ unsigned char *start;
> ++
> ++ *data_out = NULL;
> ++ *size_out = 0;
> ++
> ++ /* If the connection object is not available, then there's nothing for us
> ++ * to do. */
> ++ if (c == NULL) {
> ++ return SSL_TLSEXT_ERR_OK;
> ++ }
> ++
> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
> ++ * add alternate protocol names to advertise. */
> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
> ++ modssl_run_npn_advertise_protos_hook(c, protos);
> ++ num_protos = protos->nelts;
> ++
> ++ /* We now have a list of null-terminated strings; we need to concatenate
> ++ * them together into a single string, where each protocol name is prefixed
> ++ * by its length. First, calculate how long that string will be. */
> ++ size = 0;
> ++ for (i = 0; i < num_protos; ++i) {
> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
> ++ unsigned int length = strlen(string);
> ++ /* If the protocol name is too long (the length must fit in one byte),
> ++ * then log an error and skip it. */
> ++ if (length > 255) {
> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
> ++ "SSL NPN protocol name too long (length=%u): %s",
> ++ length, string);
> ++ continue;
> ++ }
> ++ /* Leave room for the length prefix (one byte) plus the protocol name
> ++ * itself. */
> ++ size += 1 + length;
> ++ }
> ++
> ++ /* If there is nothing to advertise (either because no modules added
> ++ * anything to the protos array, or because all strings added to the array
> ++ * were skipped), then we're done. */
> ++ if (size == 0) {
> ++ return SSL_TLSEXT_ERR_OK;
> ++ }
> ++
> ++ /* Now we can build the string. Copy each protocol name string into the
> ++ * larger string, prefixed by its length. */
> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
> ++ start = data;
> ++ for (i = 0; i < num_protos; ++i) {
> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
> ++ apr_size_t length = strlen(string);
> ++ *start = (unsigned char)length;
> ++ ++start;
> ++ memcpy(start, string, length * sizeof(unsigned char));
> ++ start += length;
> ++ }
> ++
> ++ /* Success. */
> ++ *data_out = data;
> ++ *size_out = size;
> ++ return SSL_TLSEXT_ERR_OK;
> ++}
> ++#endif /* HAVE_TLS_NPN */
> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
> +--- a/modules/ssl/ssl_private.h
> ++++ b/modules/ssl/ssl_private.h
> +@@ -123,6 +123,11 @@
> + #define MODSSL_SSL_METHOD_CONST
> + #endif
> +
> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
> ++ && !defined(OPENSSL_NO_TLSEXT)
> ++#define HAVE_TLS_NPN
> ++#endif
> ++
> + #if defined(OPENSSL_FIPS)
> + #define HAVE_FIPS
> + #endif
> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
> + EVP_CIPHER_CTX *, HMAC_CTX *, int);
> + #endif
> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
> +
> + /** Session Cache Support */
> + void ssl_scache_init(server_rec *, apr_pool_t *);
> +--
> +1.8.1.2
> +
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
> index f23776f..3c038a9 100644
> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
> file://replace-lynx-to-curl-in-apachectl-script.patch \
> file://apache-ssl-ltmain-rpath.patch \
> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
> + file://npn-patch-2.4.7.patch \
> file://init \
> file://apache2-volatile.conf"
>
>
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 19:08 ` Randy MacLeod
@ 2014-02-28 10:21 ` Hongxu Jia
2014-02-28 17:17 ` Khem Raj
0 siblings, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2014-02-28 10:21 UTC (permalink / raw)
To: Randy MacLeod, openembedded-devel; +Cc: paul.eggleton
On 02/28/2014 03:08 AM, Randy MacLeod wrote:
> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>> confliction with 2.4.7.
>
> Hongxu,
>
> Thanks, that's a good step. Even better would be to add the
> apache module that supports SPDY and confirm that it works
> with your desktop (google-chrome) browser.
>
> See:
> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>
>
> and
>
> https://code.google.com/p/mod-spdy/wiki/GettingStarted
Hi Randy,
I have tested, the ssl worked well with the new patch,
but the mod_spdy doesn't support 2.4.7 for now, and the
spdy test failed.
http://code.google.com/p/mod-spdy/issues/detail?id=63
http://code.google.com/p/mod-spdy/issues/detail?id=64
http://code.google.com/p/mod-spdy/issues/detail?id=65
...
root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load
lib64/apache2/modules/mod_spdy.so into server:
/usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
...
//Hongxu
>
> It doesn't seem to be a huge task but let us know what you find out.
>
> ../Randy
>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> .../apache2/apache2/npn-patch-2.4.7.patch | 289
>> +++++++++++++++++++++
>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>> 2 files changed, 290 insertions(+)
>> create mode 100644
>> meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>
>> diff --git
>> a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> new file mode 100644
>> index 0000000..a4f1855
>> --- /dev/null
>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> @@ -0,0 +1,289 @@
>> +Add support for TLS Next Protocol Negotiation:
>> +
>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>> + hooks for next protocol advertisement/discovery.
>> +
>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>> + NPN advertisement callback in handshake.
>> +
>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>> + next-protocol discovery hook.
>> +
>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>> + New callback.
>> +
>> +* modules/ssl/ssl_private.h: Add prototype.
>> +
>> +Submitted by: Matthew Steele <mdsteele google.com>
>> + with slight tweaks by jorton
>> +
>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>> +Upstream-Status: Backport
>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> +---
>> + CHANGES | 2 +
>> + modules/ssl/mod_ssl.c | 12 ++++++
>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>> + modules/ssl/ssl_engine_init.c | 5 +++
>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>> + modules/ssl/ssl_engine_kernel.c | 82
>> +++++++++++++++++++++++++++++++++++++++++
>> + modules/ssl/ssl_private.h | 6 +++
>> + 7 files changed, 152 insertions(+)
>> +
>> +diff --git a/CHANGES b/CHANGES
>> +--- a/CHANGES
>> ++++ b/CHANGES
>> +@@ -1,6 +1,8 @@
>> + -*-
>> coding: utf-8 -*-
>> +
>> + Changes with Apache 2.4.7
>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>> ++ [Matthew Steele <mdsteele google.com>]
>> +
>> + *) APR 1.5.0 or later is now required for the event MPM.
>> +
>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>> +--- a/modules/ssl/mod_ssl.c
>> ++++ b/modules/ssl/mod_ssl.c
>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>> + AP_END_CMD
>> + };
>> +
>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>> ++ modssl, AP, int, npn_advertise_protos_hook,
>> ++ (conn_rec *connection, apr_array_header_t *protos),
>> ++ (connection, protos), OK, DECLINED);
>> ++
>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>> ++ (conn_rec *connection, const char *proto_name, apr_size_t
>> proto_name_len),
>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>> ++
>> + /*
>> + * the various processing hooks
>> + */
>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>> +--- a/modules/ssl/mod_ssl.h
>> ++++ b/modules/ssl/mod_ssl.h
>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable,
>> (conn_rec *));
>> +
>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>> +
>> ++/** The npn_advertise_protos optional hook allows other modules to
>> add entries
>> ++ * to the list of protocol names advertised by the server during
>> the Next
>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The
>> hook callee is
>> ++ * given the connection and an APR array; it should push one or
>> more char*'s
>> ++ * pointing to null-terminated strings (such as "http/1.1" or
>> "spdy/2") onto
>> ++ * the array and return OK, or do nothing and return DECLINED. */
>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>> ++ (conn_rec *connection, apr_array_header_t
>> *protos));
>> ++
>> ++/** The npn_proto_negotiated optional hook allows other modules to
>> discover the
>> ++ * name of the protocol that was chosen during the Next Protocol
>> Negotiation
>> ++ * (NPN) portion of the SSL handshake. Note that this may be the
>> empty string
>> ++ * (in which case modules should probably assume HTTP), or it may
>> be a protocol
>> ++ * that was never even advertised by the server. The hook callee
>> is given the
>> ++ * connection, a non-null-terminated string containing the protocol
>> name, and
>> ++ * the length of the string; it should do something appropriate
>> (i.e. insert or
>> ++ * remove filters) and return OK, or do nothing and return
>> DECLINED. */
>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>> ++ (conn_rec *connection, const char
>> *proto_name,
>> ++ apr_size_t proto_name_len));
>> ++
>> + #endif /* __MOD_SSL_H__ */
>> + /** @} */
>> +diff --git a/modules/ssl/ssl_engine_init.c
>> b/modules/ssl/ssl_engine_init.c
>> +--- a/modules/ssl/ssl_engine_init.c
>> ++++ b/modules/ssl/ssl_engine_init.c
>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>> +
>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>> ++
>> ++#ifdef HAVE_TLS_NPN
>> ++ SSL_CTX_set_next_protos_advertised_cb(
>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>> ++#endif
>> + }
>> +
>> + static void ssl_init_ctx_verify(server_rec *s,
>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>> +--- a/modules/ssl/ssl_engine_io.c
>> ++++ b/modules/ssl/ssl_engine_io.c
>> +@@ -28,6 +28,7 @@
>> + core keeps dumping.''
>> + -- Unknown */
>> + #include "ssl_private.h"
>> ++#include "mod_ssl.h"
>> + #include "apr_date.h"
>> +
>> + /* _________________________________________________________________
>> +@@ -297,6 +298,7 @@ typedef struct {
>> + apr_pool_t *pool;
>> + char buffer[AP_IOBUFSIZE];
>> + ssl_filter_ctx_t *filter_ctx;
>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>> + } bio_filter_in_ctx_t;
>> +
>> + /*
>> +@@ -1412,6 +1414,27 @@ static apr_status_t
>> ssl_io_filter_input(ap_filter_t *f,
>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>> + }
>> +
>> ++#ifdef HAVE_TLS_NPN
>> ++ /* By this point, Next Protocol Negotiation (NPN) should be
>> completed (if
>> ++ * our version of OpenSSL supports it). If we haven't already,
>> find out
>> ++ * which protocol was decided upon and inform other modules by
>> calling
>> ++ * npn_proto_negotiated_hook. */
>> ++ if (!inctx->npn_finished) {
>> ++ const unsigned char *next_proto = NULL;
>> ++ unsigned next_proto_len = 0;
>> ++
>> ++ SSL_get0_next_proto_negotiated(
>> ++ inctx->ssl, &next_proto, &next_proto_len);
>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>> ++ "SSL NPN negotiated protocol: '%s'",
>> ++ apr_pstrmemdup(f->c->pool, (const
>> char*)next_proto,
>> ++ next_proto_len));
>> ++ modssl_run_npn_proto_negotiated_hook(
>> ++ f->c, (const char*)next_proto, next_proto_len);
>> ++ inctx->npn_finished = 1;
>> ++ }
>> ++#endif
>> ++
>> + return APR_SUCCESS;
>> + }
>> +
>> +@@ -1893,6 +1916,7 @@ static void
>> ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>> + inctx->block = APR_BLOCK_READ;
>> + inctx->pool = c->pool;
>> + inctx->filter_ctx = filter_ctx;
>> ++ inctx->npn_finished = 0;
>> + }
>> +
>> + /* The request_rec pointer is passed in here only to ensure that the
>> +diff --git a/modules/ssl/ssl_engine_kernel.c
>> b/modules/ssl/ssl_engine_kernel.c
>> +--- a/modules/ssl/ssl_engine_kernel.c
>> ++++ b/modules/ssl/ssl_engine_kernel.c
>> +@@ -29,6 +29,7 @@
>> + time I was too famous.''
>> + --
>> Unknown */
>> + #include "ssl_private.h"
>> ++#include "mod_ssl.h"
>> + #include "util_md5.h"
>> +
>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl,
>> int *ad, void *arg)
>> + }
>> +
>> + #endif /* HAVE_SRP */
>> ++
>> ++#ifdef HAVE_TLS_NPN
>> ++/*
>> ++ * This callback function is executed when SSL needs to decide what
>> protocols
>> ++ * to advertise during Next Protocol Negotiation (NPN). It must
>> produce a
>> ++ * string in wire format -- a sequence of length-prefixed strings
>> -- indicating
>> ++ * the advertised protocols. Refer to
>> SSL_CTX_set_next_protos_advertised_cb
>> ++ * in OpenSSL for reference.
>> ++ */
>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char
>> **data_out,
>> ++ unsigned int *size_out, void
>> *arg)
>> ++{
>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>> ++ apr_array_header_t *protos;
>> ++ int num_protos;
>> ++ unsigned int size;
>> ++ int i;
>> ++ unsigned char *data;
>> ++ unsigned char *start;
>> ++
>> ++ *data_out = NULL;
>> ++ *size_out = 0;
>> ++
>> ++ /* If the connection object is not available, then there's
>> nothing for us
>> ++ * to do. */
>> ++ if (c == NULL) {
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++ }
>> ++
>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a
>> chance to
>> ++ * add alternate protocol names to advertise. */
>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>> ++ num_protos = protos->nelts;
>> ++
>> ++ /* We now have a list of null-terminated strings; we need to
>> concatenate
>> ++ * them together into a single string, where each protocol name
>> is prefixed
>> ++ * by its length. First, calculate how long that string will
>> be. */
>> ++ size = 0;
>> ++ for (i = 0; i < num_protos; ++i) {
>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>> ++ unsigned int length = strlen(string);
>> ++ /* If the protocol name is too long (the length must fit in
>> one byte),
>> ++ * then log an error and skip it. */
>> ++ if (length > 255) {
>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>> ++ "SSL NPN protocol name too long
>> (length=%u): %s",
>> ++ length, string);
>> ++ continue;
>> ++ }
>> ++ /* Leave room for the length prefix (one byte) plus the
>> protocol name
>> ++ * itself. */
>> ++ size += 1 + length;
>> ++ }
>> ++
>> ++ /* If there is nothing to advertise (either because no modules
>> added
>> ++ * anything to the protos array, or because all strings added
>> to the array
>> ++ * were skipped), then we're done. */
>> ++ if (size == 0) {
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++ }
>> ++
>> ++ /* Now we can build the string. Copy each protocol name string
>> into the
>> ++ * larger string, prefixed by its length. */
>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>> ++ start = data;
>> ++ for (i = 0; i < num_protos; ++i) {
>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>> ++ apr_size_t length = strlen(string);
>> ++ *start = (unsigned char)length;
>> ++ ++start;
>> ++ memcpy(start, string, length * sizeof(unsigned char));
>> ++ start += length;
>> ++ }
>> ++
>> ++ /* Success. */
>> ++ *data_out = data;
>> ++ *size_out = size;
>> ++ return SSL_TLSEXT_ERR_OK;
>> ++}
>> ++#endif /* HAVE_TLS_NPN */
>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>> +--- a/modules/ssl/ssl_private.h
>> ++++ b/modules/ssl/ssl_private.h
>> +@@ -123,6 +123,11 @@
>> + #define MODSSL_SSL_METHOD_CONST
>> + #endif
>> +
>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L &&
>> !defined(OPENSSL_NO_NEXTPROTONEG) \
>> ++ && !defined(OPENSSL_NO_TLSEXT)
>> ++#define HAVE_TLS_NPN
>> ++#endif
>> ++
>> + #if defined(OPENSSL_FIPS)
>> + #define HAVE_FIPS
>> + #endif
>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int
>> *, modssl_ctx_t *);
>> + int ssl_callback_SessionTicket(SSL *, unsigned char *,
>> unsigned char *,
>> + EVP_CIPHER_CTX *, HMAC_CTX
>> *, int);
>> + #endif
>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char
>> **data, unsigned int *len, void *arg);
>> +
>> + /** Session Cache Support */
>> + void ssl_scache_init(server_rec *, apr_pool_t *);
>> +--
>> +1.8.1.2
>> +
>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> index f23776f..3c038a9 100644
>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>> @@ -15,6 +15,7 @@ SRC_URI =
>> "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>> file://apache-ssl-ltmain-rpath.patch \
>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>> + file://npn-patch-2.4.7.patch \
>> file://init \
>> file://apache2-volatile.conf"
>>
>>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 10:21 ` Hongxu Jia
@ 2014-02-28 17:17 ` Khem Raj
2014-03-03 1:25 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2014-02-28 17:17 UTC (permalink / raw)
To: openembeded-devel; +Cc: Paul Eggleton
[-- Attachment #1: Type: text/plain, Size: 15997 bytes --]
On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>>> confliction with 2.4.7.
>>
>> Hongxu,
>>
>> Thanks, that's a good step. Even better would be to add the
>> apache module that supports SPDY and confirm that it works
>> with your desktop (google-chrome) browser.
>>
>> See:
>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>
>> and
>>
>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>
> Hi Randy,
>
> I have tested, the ssl worked well with the new patch,
> but the mod_spdy doesn't support 2.4.7 for now, and the
> spdy test failed.
> http://code.google.com/p/mod-spdy/issues/detail?id=63
> http://code.google.com/p/mod-spdy/issues/detail?id=64
> http://code.google.com/p/mod-spdy/issues/detail?id=65
> ...
> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
> …
>
spdy does not work with apache 2.4 but there is port see
https://github.com/eousphoros/mod-spdy
Try to back port the needed.
> //Hongxu
>
>>
>> It doesn't seem to be a huge task but let us know what you find out.
>>
>> ../Randy
>>
>>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> ---
>>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
>>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>>> 2 files changed, 290 insertions(+)
>>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>
>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>> new file mode 100644
>>> index 0000000..a4f1855
>>> --- /dev/null
>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>> @@ -0,0 +1,289 @@
>>> +Add support for TLS Next Protocol Negotiation:
>>> +
>>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>>> + hooks for next protocol advertisement/discovery.
>>> +
>>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>>> + NPN advertisement callback in handshake.
>>> +
>>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>>> + next-protocol discovery hook.
>>> +
>>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>>> + New callback.
>>> +
>>> +* modules/ssl/ssl_private.h: Add prototype.
>>> +
>>> +Submitted by: Matthew Steele <mdsteele google.com>
>>> + with slight tweaks by jorton
>>> +
>>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>>> +Upstream-Status: Backport
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> +---
>>> + CHANGES | 2 +
>>> + modules/ssl/mod_ssl.c | 12 ++++++
>>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>>> + modules/ssl/ssl_engine_init.c | 5 +++
>>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
>>> + modules/ssl/ssl_private.h | 6 +++
>>> + 7 files changed, 152 insertions(+)
>>> +
>>> +diff --git a/CHANGES b/CHANGES
>>> +--- a/CHANGES
>>> ++++ b/CHANGES
>>> +@@ -1,6 +1,8 @@
>>> + -*- coding: utf-8 -*-
>>> +
>>> + Changes with Apache 2.4.7
>>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>>> ++ [Matthew Steele <mdsteele google.com>]
>>> +
>>> + *) APR 1.5.0 or later is now required for the event MPM.
>>> +
>>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>>> +--- a/modules/ssl/mod_ssl.c
>>> ++++ b/modules/ssl/mod_ssl.c
>>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>>> + AP_END_CMD
>>> + };
>>> +
>>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>> ++ modssl, AP, int, npn_advertise_protos_hook,
>>> ++ (conn_rec *connection, apr_array_header_t *protos),
>>> ++ (connection, protos), OK, DECLINED);
>>> ++
>>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
>>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>>> ++
>>> + /*
>>> + * the various processing hooks
>>> + */
>>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>>> +--- a/modules/ssl/mod_ssl.h
>>> ++++ b/modules/ssl/mod_ssl.h
>>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
>>> +
>>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>>> +
>>> ++/** The npn_advertise_protos optional hook allows other modules to add entries
>>> ++ * to the list of protocol names advertised by the server during the Next
>>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
>>> ++ * given the connection and an APR array; it should push one or more char*'s
>>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
>>> ++ * the array and return OK, or do nothing and return DECLINED. */
>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>>> ++ (conn_rec *connection, apr_array_header_t *protos));
>>> ++
>>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the
>>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation
>>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
>>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol
>>> ++ * that was never even advertised by the server. The hook callee is given the
>>> ++ * connection, a non-null-terminated string containing the protocol name, and
>>> ++ * the length of the string; it should do something appropriate (i.e. insert or
>>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */
>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>>> ++ (conn_rec *connection, const char *proto_name,
>>> ++ apr_size_t proto_name_len));
>>> ++
>>> + #endif /* __MOD_SSL_H__ */
>>> + /** @} */
>>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
>>> +--- a/modules/ssl/ssl_engine_init.c
>>> ++++ b/modules/ssl/ssl_engine_init.c
>>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>>> +
>>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>>> ++
>>> ++#ifdef HAVE_TLS_NPN
>>> ++ SSL_CTX_set_next_protos_advertised_cb(
>>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>>> ++#endif
>>> + }
>>> +
>>> + static void ssl_init_ctx_verify(server_rec *s,
>>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>>> +--- a/modules/ssl/ssl_engine_io.c
>>> ++++ b/modules/ssl/ssl_engine_io.c
>>> +@@ -28,6 +28,7 @@
>>> + core keeps dumping.''
>>> + -- Unknown */
>>> + #include "ssl_private.h"
>>> ++#include "mod_ssl.h"
>>> + #include "apr_date.h"
>>> +
>>> + /* _________________________________________________________________
>>> +@@ -297,6 +298,7 @@ typedef struct {
>>> + apr_pool_t *pool;
>>> + char buffer[AP_IOBUFSIZE];
>>> + ssl_filter_ctx_t *filter_ctx;
>>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>>> + } bio_filter_in_ctx_t;
>>> +
>>> + /*
>>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
>>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>>> + }
>>> +
>>> ++#ifdef HAVE_TLS_NPN
>>> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
>>> ++ * our version of OpenSSL supports it). If we haven't already, find out
>>> ++ * which protocol was decided upon and inform other modules by calling
>>> ++ * npn_proto_negotiated_hook. */
>>> ++ if (!inctx->npn_finished) {
>>> ++ const unsigned char *next_proto = NULL;
>>> ++ unsigned next_proto_len = 0;
>>> ++
>>> ++ SSL_get0_next_proto_negotiated(
>>> ++ inctx->ssl, &next_proto, &next_proto_len);
>>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>>> ++ "SSL NPN negotiated protocol: '%s'",
>>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
>>> ++ next_proto_len));
>>> ++ modssl_run_npn_proto_negotiated_hook(
>>> ++ f->c, (const char*)next_proto, next_proto_len);
>>> ++ inctx->npn_finished = 1;
>>> ++ }
>>> ++#endif
>>> ++
>>> + return APR_SUCCESS;
>>> + }
>>> +
>>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>>> + inctx->block = APR_BLOCK_READ;
>>> + inctx->pool = c->pool;
>>> + inctx->filter_ctx = filter_ctx;
>>> ++ inctx->npn_finished = 0;
>>> + }
>>> +
>>> + /* The request_rec pointer is passed in here only to ensure that the
>>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
>>> +--- a/modules/ssl/ssl_engine_kernel.c
>>> ++++ b/modules/ssl/ssl_engine_kernel.c
>>> +@@ -29,6 +29,7 @@
>>> + time I was too famous.''
>>> + -- Unknown */
>>> + #include "ssl_private.h"
>>> ++#include "mod_ssl.h"
>>> + #include "util_md5.h"
>>> +
>>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
>>> + }
>>> +
>>> + #endif /* HAVE_SRP */
>>> ++
>>> ++#ifdef HAVE_TLS_NPN
>>> ++/*
>>> ++ * This callback function is executed when SSL needs to decide what protocols
>>> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
>>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating
>>> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
>>> ++ * in OpenSSL for reference.
>>> ++ */
>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
>>> ++ unsigned int *size_out, void *arg)
>>> ++{
>>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>>> ++ apr_array_header_t *protos;
>>> ++ int num_protos;
>>> ++ unsigned int size;
>>> ++ int i;
>>> ++ unsigned char *data;
>>> ++ unsigned char *start;
>>> ++
>>> ++ *data_out = NULL;
>>> ++ *size_out = 0;
>>> ++
>>> ++ /* If the connection object is not available, then there's nothing for us
>>> ++ * to do. */
>>> ++ if (c == NULL) {
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++ }
>>> ++
>>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
>>> ++ * add alternate protocol names to advertise. */
>>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>>> ++ num_protos = protos->nelts;
>>> ++
>>> ++ /* We now have a list of null-terminated strings; we need to concatenate
>>> ++ * them together into a single string, where each protocol name is prefixed
>>> ++ * by its length. First, calculate how long that string will be. */
>>> ++ size = 0;
>>> ++ for (i = 0; i < num_protos; ++i) {
>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>> ++ unsigned int length = strlen(string);
>>> ++ /* If the protocol name is too long (the length must fit in one byte),
>>> ++ * then log an error and skip it. */
>>> ++ if (length > 255) {
>>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>>> ++ "SSL NPN protocol name too long (length=%u): %s",
>>> ++ length, string);
>>> ++ continue;
>>> ++ }
>>> ++ /* Leave room for the length prefix (one byte) plus the protocol name
>>> ++ * itself. */
>>> ++ size += 1 + length;
>>> ++ }
>>> ++
>>> ++ /* If there is nothing to advertise (either because no modules added
>>> ++ * anything to the protos array, or because all strings added to the array
>>> ++ * were skipped), then we're done. */
>>> ++ if (size == 0) {
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++ }
>>> ++
>>> ++ /* Now we can build the string. Copy each protocol name string into the
>>> ++ * larger string, prefixed by its length. */
>>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>>> ++ start = data;
>>> ++ for (i = 0; i < num_protos; ++i) {
>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>> ++ apr_size_t length = strlen(string);
>>> ++ *start = (unsigned char)length;
>>> ++ ++start;
>>> ++ memcpy(start, string, length * sizeof(unsigned char));
>>> ++ start += length;
>>> ++ }
>>> ++
>>> ++ /* Success. */
>>> ++ *data_out = data;
>>> ++ *size_out = size;
>>> ++ return SSL_TLSEXT_ERR_OK;
>>> ++}
>>> ++#endif /* HAVE_TLS_NPN */
>>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>>> +--- a/modules/ssl/ssl_private.h
>>> ++++ b/modules/ssl/ssl_private.h
>>> +@@ -123,6 +123,11 @@
>>> + #define MODSSL_SSL_METHOD_CONST
>>> + #endif
>>> +
>>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
>>> ++ && !defined(OPENSSL_NO_TLSEXT)
>>> ++#define HAVE_TLS_NPN
>>> ++#endif
>>> ++
>>> + #if defined(OPENSSL_FIPS)
>>> + #define HAVE_FIPS
>>> + #endif
>>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
>>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
>>> + EVP_CIPHER_CTX *, HMAC_CTX *, int);
>>> + #endif
>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
>>> +
>>> + /** Session Cache Support */
>>> + void ssl_scache_init(server_rec *, apr_pool_t *);
>>> +--
>>> +1.8.1.2
>>> +
>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> index f23776f..3c038a9 100644
>>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>>> file://apache-ssl-ltmain-rpath.patch \
>>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>>> + file://npn-patch-2.4.7.patch \
>>> file://init \
>>> file://apache2-volatile.conf"
>>>
>>>
>>
>>
>
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 211 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 17:17 ` Khem Raj
@ 2014-03-03 1:25 ` Hongxu Jia
0 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-03-03 1:25 UTC (permalink / raw)
To: openembedded-devel; +Cc: Paul Eggleton
On 03/01/2014 01:17 AM, Khem Raj wrote:
> On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>>>> confliction with 2.4.7.
>>> Hongxu,
>>>
>>> Thanks, that's a good step. Even better would be to add the
>>> apache module that supports SPDY and confirm that it works
>>> with your desktop (google-chrome) browser.
>>>
>>> See:
>>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>>
>>> and
>>>
>>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>> Hi Randy,
>>
>> I have tested, the ssl worked well with the new patch,
>> but the mod_spdy doesn't support 2.4.7 for now, and the
>> spdy test failed.
>> http://code.google.com/p/mod-spdy/issues/detail?id=63
>> http://code.google.com/p/mod-spdy/issues/detail?id=64
>> http://code.google.com/p/mod-spdy/issues/detail?id=65
>> ...
>> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
>> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
>> ...
>>
> spdy does not work with apache 2.4 but there is port see
>
> https://github.com/eousphoros/mod-spdy
>
> Try to back port the needed.
Yes, I have tried, but there are plenty of errors:
...
jiahongxu:src$ make BUILDTYPE=Release
ACTION Regenerating Makefile
Updating projects from gyp files...
Traceback (most recent call last):
File "./build/gyp_chromium", line 24, in <module>
execfile(os.path.join(chrome_src, 'build', 'gyp_chromium'))
File "third_party/chromium/src/build/gyp_chromium", line 173, in <module>
sys.exit(gyp.main(args))
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py",
line 471, in main
options.circular_check)
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py",
line 111, in Load
depth, generator_input_info, check, circular_check)
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py",
line 2378, in Load
depth, check)
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py",
line 358, in LoadTargetBuildFile
includes, True, check)
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py",
line 231, in LoadOneBuildFile
aux_data, variables, includes, check)
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py",
line 269, in LoadBuildFileIncludesIntoDict
False, check),
File
"/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py",
line 208, in LoadOneBuildFile
raise Exception("%s not found (cwd: %s)" % (build_file_path,
os.getcwd()))
Exception: /root/mod_spdy/src/build/common.gypi not found (cwd:
/home/jiahongxu/mod_spdy/mod-spdy/src) while reading includes of
build/all.gyp while trying to load build/all.gyp
make: *** [Makefile] Error 1
...
//Hongxu
>
>> //Hongxu
>>
>>> It doesn't seem to be a huge task but let us know what you find out.
>>>
>>> ../Randy
>>>
>>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> ---
>>>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
>>>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>>>> 2 files changed, 290 insertions(+)
>>>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>>
>>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>> new file mode 100644
>>>> index 0000000..a4f1855
>>>> --- /dev/null
>>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>> @@ -0,0 +1,289 @@
>>>> +Add support for TLS Next Protocol Negotiation:
>>>> +
>>>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
>>>> + hooks for next protocol advertisement/discovery.
>>>> +
>>>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
>>>> + NPN advertisement callback in handshake.
>>>> +
>>>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
>>>> + next-protocol discovery hook.
>>>> +
>>>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
>>>> + New callback.
>>>> +
>>>> +* modules/ssl/ssl_private.h: Add prototype.
>>>> +
>>>> +Submitted by: Matthew Steele <mdsteele google.com>
>>>> + with slight tweaks by jorton
>>>> +
>>>> +http://svn.apache.org/viewvc?view=revision&revision=1332643
>>>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599
>>>> +Upstream-Status: Backport
>>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> +---
>>>> + CHANGES | 2 +
>>>> + modules/ssl/mod_ssl.c | 12 ++++++
>>>> + modules/ssl/mod_ssl.h | 21 +++++++++++
>>>> + modules/ssl/ssl_engine_init.c | 5 +++
>>>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++
>>>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
>>>> + modules/ssl/ssl_private.h | 6 +++
>>>> + 7 files changed, 152 insertions(+)
>>>> +
>>>> +diff --git a/CHANGES b/CHANGES
>>>> +--- a/CHANGES
>>>> ++++ b/CHANGES
>>>> +@@ -1,6 +1,8 @@
>>>> + -*- coding: utf-8 -*-
>>>> +
>>>> + Changes with Apache 2.4.7
>>>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
>>>> ++ [Matthew Steele <mdsteele google.com>]
>>>> +
>>>> + *) APR 1.5.0 or later is now required for the event MPM.
>>>> +
>>>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>>>> +--- a/modules/ssl/mod_ssl.c
>>>> ++++ b/modules/ssl/mod_ssl.c
>>>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
>>>> + AP_END_CMD
>>>> + };
>>>> +
>>>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
>>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>>> ++ modssl, AP, int, npn_advertise_protos_hook,
>>>> ++ (conn_rec *connection, apr_array_header_t *protos),
>>>> ++ (connection, protos), OK, DECLINED);
>>>> ++
>>>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
>>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>>>> ++ modssl, AP, int, npn_proto_negotiated_hook,
>>>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
>>>> ++ (connection, proto_name, proto_name_len), OK, DECLINED);
>>>> ++
>>>> + /*
>>>> + * the various processing hooks
>>>> + */
>>>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
>>>> +--- a/modules/ssl/mod_ssl.h
>>>> ++++ b/modules/ssl/mod_ssl.h
>>>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
>>>> +
>>>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
>>>> +
>>>> ++/** The npn_advertise_protos optional hook allows other modules to add entries
>>>> ++ * to the list of protocol names advertised by the server during the Next
>>>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
>>>> ++ * given the connection and an APR array; it should push one or more char*'s
>>>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
>>>> ++ * the array and return OK, or do nothing and return DECLINED. */
>>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
>>>> ++ (conn_rec *connection, apr_array_header_t *protos));
>>>> ++
>>>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the
>>>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation
>>>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
>>>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol
>>>> ++ * that was never even advertised by the server. The hook callee is given the
>>>> ++ * connection, a non-null-terminated string containing the protocol name, and
>>>> ++ * the length of the string; it should do something appropriate (i.e. insert or
>>>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */
>>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
>>>> ++ (conn_rec *connection, const char *proto_name,
>>>> ++ apr_size_t proto_name_len));
>>>> ++
>>>> + #endif /* __MOD_SSL_H__ */
>>>> + /** @} */
>>>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
>>>> +--- a/modules/ssl/ssl_engine_init.c
>>>> ++++ b/modules/ssl/ssl_engine_init.c
>>>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>>>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
>>>> +
>>>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>>>> ++
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++ SSL_CTX_set_next_protos_advertised_cb(
>>>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
>>>> ++#endif
>>>> + }
>>>> +
>>>> + static void ssl_init_ctx_verify(server_rec *s,
>>>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
>>>> +--- a/modules/ssl/ssl_engine_io.c
>>>> ++++ b/modules/ssl/ssl_engine_io.c
>>>> +@@ -28,6 +28,7 @@
>>>> + core keeps dumping.''
>>>> + -- Unknown */
>>>> + #include "ssl_private.h"
>>>> ++#include "mod_ssl.h"
>>>> + #include "apr_date.h"
>>>> +
>>>> + /* _________________________________________________________________
>>>> +@@ -297,6 +298,7 @@ typedef struct {
>>>> + apr_pool_t *pool;
>>>> + char buffer[AP_IOBUFSIZE];
>>>> + ssl_filter_ctx_t *filter_ctx;
>>>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
>>>> + } bio_filter_in_ctx_t;
>>>> +
>>>> + /*
>>>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
>>>> + APR_BRIGADE_INSERT_TAIL(bb, bucket);
>>>> + }
>>>> +
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
>>>> ++ * our version of OpenSSL supports it). If we haven't already, find out
>>>> ++ * which protocol was decided upon and inform other modules by calling
>>>> ++ * npn_proto_negotiated_hook. */
>>>> ++ if (!inctx->npn_finished) {
>>>> ++ const unsigned char *next_proto = NULL;
>>>> ++ unsigned next_proto_len = 0;
>>>> ++
>>>> ++ SSL_get0_next_proto_negotiated(
>>>> ++ inctx->ssl, &next_proto, &next_proto_len);
>>>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>>>> ++ "SSL NPN negotiated protocol: '%s'",
>>>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
>>>> ++ next_proto_len));
>>>> ++ modssl_run_npn_proto_negotiated_hook(
>>>> ++ f->c, (const char*)next_proto, next_proto_len);
>>>> ++ inctx->npn_finished = 1;
>>>> ++ }
>>>> ++#endif
>>>> ++
>>>> + return APR_SUCCESS;
>>>> + }
>>>> +
>>>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
>>>> + inctx->block = APR_BLOCK_READ;
>>>> + inctx->pool = c->pool;
>>>> + inctx->filter_ctx = filter_ctx;
>>>> ++ inctx->npn_finished = 0;
>>>> + }
>>>> +
>>>> + /* The request_rec pointer is passed in here only to ensure that the
>>>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
>>>> +--- a/modules/ssl/ssl_engine_kernel.c
>>>> ++++ b/modules/ssl/ssl_engine_kernel.c
>>>> +@@ -29,6 +29,7 @@
>>>> + time I was too famous.''
>>>> + -- Unknown */
>>>> + #include "ssl_private.h"
>>>> ++#include "mod_ssl.h"
>>>> + #include "util_md5.h"
>>>> +
>>>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>>>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
>>>> + }
>>>> +
>>>> + #endif /* HAVE_SRP */
>>>> ++
>>>> ++#ifdef HAVE_TLS_NPN
>>>> ++/*
>>>> ++ * This callback function is executed when SSL needs to decide what protocols
>>>> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
>>>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating
>>>> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
>>>> ++ * in OpenSSL for reference.
>>>> ++ */
>>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
>>>> ++ unsigned int *size_out, void *arg)
>>>> ++{
>>>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>>>> ++ apr_array_header_t *protos;
>>>> ++ int num_protos;
>>>> ++ unsigned int size;
>>>> ++ int i;
>>>> ++ unsigned char *data;
>>>> ++ unsigned char *start;
>>>> ++
>>>> ++ *data_out = NULL;
>>>> ++ *size_out = 0;
>>>> ++
>>>> ++ /* If the connection object is not available, then there's nothing for us
>>>> ++ * to do. */
>>>> ++ if (c == NULL) {
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++ }
>>>> ++
>>>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
>>>> ++ * add alternate protocol names to advertise. */
>>>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*));
>>>> ++ modssl_run_npn_advertise_protos_hook(c, protos);
>>>> ++ num_protos = protos->nelts;
>>>> ++
>>>> ++ /* We now have a list of null-terminated strings; we need to concatenate
>>>> ++ * them together into a single string, where each protocol name is prefixed
>>>> ++ * by its length. First, calculate how long that string will be. */
>>>> ++ size = 0;
>>>> ++ for (i = 0; i < num_protos; ++i) {
>>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>>> ++ unsigned int length = strlen(string);
>>>> ++ /* If the protocol name is too long (the length must fit in one byte),
>>>> ++ * then log an error and skip it. */
>>>> ++ if (length > 255) {
>>>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>>>> ++ "SSL NPN protocol name too long (length=%u): %s",
>>>> ++ length, string);
>>>> ++ continue;
>>>> ++ }
>>>> ++ /* Leave room for the length prefix (one byte) plus the protocol name
>>>> ++ * itself. */
>>>> ++ size += 1 + length;
>>>> ++ }
>>>> ++
>>>> ++ /* If there is nothing to advertise (either because no modules added
>>>> ++ * anything to the protos array, or because all strings added to the array
>>>> ++ * were skipped), then we're done. */
>>>> ++ if (size == 0) {
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++ }
>>>> ++
>>>> ++ /* Now we can build the string. Copy each protocol name string into the
>>>> ++ * larger string, prefixed by its length. */
>>>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
>>>> ++ start = data;
>>>> ++ for (i = 0; i < num_protos; ++i) {
>>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
>>>> ++ apr_size_t length = strlen(string);
>>>> ++ *start = (unsigned char)length;
>>>> ++ ++start;
>>>> ++ memcpy(start, string, length * sizeof(unsigned char));
>>>> ++ start += length;
>>>> ++ }
>>>> ++
>>>> ++ /* Success. */
>>>> ++ *data_out = data;
>>>> ++ *size_out = size;
>>>> ++ return SSL_TLSEXT_ERR_OK;
>>>> ++}
>>>> ++#endif /* HAVE_TLS_NPN */
>>>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>>>> +--- a/modules/ssl/ssl_private.h
>>>> ++++ b/modules/ssl/ssl_private.h
>>>> +@@ -123,6 +123,11 @@
>>>> + #define MODSSL_SSL_METHOD_CONST
>>>> + #endif
>>>> +
>>>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
>>>> ++ && !defined(OPENSSL_NO_TLSEXT)
>>>> ++#define HAVE_TLS_NPN
>>>> ++#endif
>>>> ++
>>>> + #if defined(OPENSSL_FIPS)
>>>> + #define HAVE_FIPS
>>>> + #endif
>>>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
>>>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
>>>> + EVP_CIPHER_CTX *, HMAC_CTX *, int);
>>>> + #endif
>>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
>>>> +
>>>> + /** Session Cache Support */
>>>> + void ssl_scache_init(server_rec *, apr_pool_t *);
>>>> +--
>>>> +1.8.1.2
>>>> +
>>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> index f23776f..3c038a9 100644
>>>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb
>>>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>>>> file://replace-lynx-to-curl-in-apachectl-script.patch \
>>>> file://apache-ssl-ltmain-rpath.patch \
>>>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>>>> + file://npn-patch-2.4.7.patch \
>>>> file://init \
>>>> file://apache2-volatile.conf"
>>>>
>>>>
>>>
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
>
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-03-03 1:26 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia
2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia
2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
2014-02-27 19:08 ` Randy MacLeod
2014-02-28 10:21 ` Hongxu Jia
2014-02-28 17:17 ` Khem Raj
2014-03-03 1:25 ` Hongxu Jia
2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.