Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2012-05-31 17:02:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2", Maintainer is "draht@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2012-04-02 10:50:37.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2012-05-31 17:02:44.000000000 +0200 @@ -1,0 +2,9 @@ +Sun Apr 22 20:14:22 UTC 2012 - dimstar@opensuse.org + +- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which + is needed by spdy. +- Provide apache2(mod_ssl+npn), indicating that our mod_ssl does + have the npn patch. This can be used by mod_spdy to ensure a + compatible apache/mod_ssl is installed. + +------------------------------------------------------------------- New: ---- apache2-mod_ssl_npn.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.RdfhGE/_old 2012-05-31 17:02:46.000000000 +0200 +++ /var/tmp/diff_new_pack.RdfhGE/_new 2012-05-31 17:02:46.000000000 +0200 @@ -147,6 +147,9 @@ Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff # PATCH-FIX-UPSTREAM https://issues.apache.org/bugzilla/show_bug.cgi?id=52623 Patch107: httpd-new_pcre.patch +# PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dimstar@opensuse.org -- Add npn support to mod_ssl (needed for spdy) +Patch108: apache2-mod_ssl_npn.patch +Provides: apache2(mod_ssl+npn) Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -374,6 +377,7 @@ %if 0%{?suse_version} >= 1220 %patch107 %endif +%patch108 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE ++++++ apache2-mod_ssl_npn.patch ++++++ # This patch adds hooks for Next Protocol Negotiation (NPN) into mod_ssl. This # change is under review to be included in Apache trunk: # https://issues.apache.org/bugzilla/show_bug.cgi?id=52210 # But until it becomes part of an Apache 2.2 release, we need to apply the patch # ourselves. Index: modules/ssl/ssl_private.h =================================================================== --- modules/ssl/ssl_private.h (revision 1202283) +++ modules/ssl/ssl_private.h (working copy) @@ -603,6 +603,7 @@ #ifndef OPENSSL_NO_TLSEXT int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); #endif +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); /** Session Cache Support */ void ssl_scache_init(server_rec *, apr_pool_t *); @@ -714,4 +715,3 @@ #endif /* SSL_PRIVATE_H */ /** @} */ - Index: modules/ssl/ssl_engine_init.c =================================================================== --- modules/ssl/ssl_engine_init.c (revision 1202283) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -559,6 +559,11 @@ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + SSL_CTX_set_next_protos_advertised_cb( + ctx, ssl_callback_AdvertiseNextProtos, NULL); +#endif } static void ssl_init_ctx_verify(server_rec *s, @@ -1352,4 +1357,3 @@ return APR_SUCCESS; } - Index: modules/ssl/ssl_engine_io.c =================================================================== --- modules/ssl/ssl_engine_io.c (revision 1202283) +++ modules/ssl/ssl_engine_io.c (working copy) @@ -338,6 +338,7 @@ apr_pool_t *pool; char buffer[AP_IOBUFSIZE]; ssl_filter_ctx_t *filter_ctx; + int npn_finished; /* 1 if NPN has finished, 0 otherwise */ } bio_filter_in_ctx_t; /* @@ -1409,6 +1410,21 @@ APR_BRIGADE_INSERT_TAIL(bb, bucket); } + /* By this point, Next Protocol Negotiation (NPN) should be completed (if + * our version of OpenSSL supports it). If we haven't already, find out + * which protocol was decided upon and inform other modules by calling + * npn_proto_negotiated_hook. */ + if (!inctx->npn_finished) { + inctx->npn_finished = 1; +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + const unsigned char *next_proto = NULL; + unsigned next_proto_len = 0; + SSL_get0_next_proto_negotiated(inctx->ssl, &next_proto, + &next_proto_len); + ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len); +#endif + } + return APR_SUCCESS; } @@ -1753,6 +1769,7 @@ inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; inctx->filter_ctx = filter_ctx; + inctx->npn_finished = 0; } void ssl_io_filter_init(conn_rec *c, SSL *ssl) Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1202283) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1969,6 +1969,77 @@ } } +/* + * This callback function is executed when SSL needs to decide what protocols + * to advertise during Next Protocol Negotiation (NPN). It must produce a + * string in wire format -- a sequence of length-prefixed strings -- indicating + * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb + * in OpenSSL for reference. + */ +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, + unsigned int *size_out, void *arg) +{ + *data_out = NULL; + *size_out = 0; + + /* Get the connection object. If it's not available, then there's nothing + * for us to do. */ + conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); + if (c == NULL) { + return SSL_TLSEXT_ERR_OK; + } + + /* Invoke our npn_advertise_protos hook, giving other modules a chance to + * add alternate protocol names to advertise. */ + apr_array_header_t *protos = apr_array_make(c->pool, 0, sizeof(char*)); + ssl_run_npn_advertise_protos_hook(c, protos); + int num_protos = protos->nelts; + + /* If no other modules added any alternate protocols, then we're done. */ + if (num_protos == 0) { + return SSL_TLSEXT_ERR_OK; + } + + /* We now have a list of null-terminated strings; we need to concatenate + * them together into a single string, where each protocol name is prefixed + * by its length. First, calculate how long that string will be. */ + unsigned int size = 0; + int i; + for (i = 0; i < num_protos; ++i) { + const char* string = APR_ARRAY_IDX(protos, i, const char*); + unsigned int length = strlen(string); + /* If the protocol name is too long (the length must fit in one byte), + * then log an error and quit. */ + if (length > 255) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, + "SSL NPN protocol name too long (length=%u): %s", + length, string); + return SSL_TLSEXT_ERR_OK; + } + /* Leave room for the length prefix (one byte) plus the protocol name + * itself. */ + size += 1 + length; + } + + /* Now we can build the string. Copy each protocol name string into the + * larger string, prefixed by its length. */ + unsigned char* data = apr_palloc(c->pool, size * sizeof(unsigned char)); + unsigned char* start = data; + for (i = 0; i < num_protos; ++i) { + const char* string = APR_ARRAY_IDX(protos, i, const char*); + size_t length = strlen(string); + *start = (unsigned char)length; + ++start; + memcpy(start, string, length * sizeof(unsigned char)); + start += length; + } + + /* Success. */ + *data_out = data; + *size_out = size; + return SSL_TLSEXT_ERR_OK; +} + #ifndef OPENSSL_NO_TLSEXT /* * This callback function is executed when OpenSSL encounters an extended Index: modules/ssl/mod_ssl.c =================================================================== --- modules/ssl/mod_ssl.c (revision 1202283) +++ modules/ssl/mod_ssl.c (working copy) @@ -220,6 +220,18 @@ AP_END_CMD }; +/* Implement 'ssl_run_npn_advertise_protos_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + ssl, AP, int, npn_advertise_protos_hook, + (conn_rec* connection, apr_array_header_t* protos), + (connection, protos), OK, DECLINED); + +/* Implement 'ssl_run_npn_proto_negotiated_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + ssl, AP, int, npn_proto_negotiated_hook, + (conn_rec* connection, char* proto_name, apr_size_t proto_name_len), + (connection, proto_name, proto_name_len), OK, DECLINED); + /* * the various processing hooks */ Index: modules/ssl/mod_ssl.h =================================================================== --- modules/ssl/mod_ssl.h (revision 1202283) +++ modules/ssl/mod_ssl.h (working copy) @@ -60,5 +60,26 @@ APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr)); +/** The npn_advertise_protos optional hook allows other modules to add entries + * to the list of protocol names advertised by the server during the Next + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is + * given the connection and an APR array; it should push one or more char*'s + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto + * the array and return OK, or do nothing and return DECLINED. */ +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook, + (conn_rec* connection, apr_array_header_t* protos)); + +/** The npn_proto_negotiated optional hook allows other modules to discover the + * name of the protocol that was chosen during the Next Protocol Negotiation + * (NPN) portion of the SSL handshake. Note that this may be the empty string + * (in which case modules should probably assume HTTP), or it may be a protocol + * that was never even advertised by the server. The hook callee is given the + * connection, a non-null-terminated string containing the protocol name, and + * the length of the string; it should do something appropriate (i.e. insert or + * remove filters) and return OK, or do nothing and return DECLINED. */ +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook, + (conn_rec* connection, char* proto_name, + apr_size_t proto_name_len)); + #endif /* __MOD_SSL_H__ */ /** @} */ -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org