
add tls compression disabling option

Hanno Böck authored on 17/10/2012 12:05:50
Showing 3 changed files
... ...
@@ -1,5 +1,6 @@
1 1
 AUX 2.2.22-envvars-std.in 1071 SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee SHA512 c18fd461f02ab79fc456a1ad99bf91c8891ecdabd90f41437ebf87e20b3d28d2006a10d6726164c2f0333e7aee350bd125838abaff3a188d8ab2f5f34d3e5466 WHIRLPOOL 59cbee68fc8012df01229b8d5e38045eb974bab3f08ebf5b01097dabb5275bb83e28cd09a058ce71949ca4a2439811cff457d4c7df88d7b3fc5318c6b7ef0075
2 2
 AUX apache-2.2.14-staticdhparameters.diff 11745 SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df SHA512 5c7fa11b29efd430ddc7144ed8d656c82d9609c9da720cd5d217626505b2257c074bea1ef0f4f2c50b123be58d82fbefac3240b71c3b8c3b9b087c30b090bcf9 WHIRLPOOL ced66883bd7fc4ec868a5d6091cdc765424541c183e53283749d73d4f4b53d0c9221950df816625de9bd115f610931e91b1fac819530294fcb12a0a39b7f6f2c
3
+AUX apache-2.2.23-tls-compression-option.diff 4211 SHA256 6ccc0003f486734e660292ac2640d99af830443c09a2d5c9d6aaf371b636d9bd SHA512 915044023b10afca9a67ca90fa4d1175d4d3ef7274308df74c78b0972fd7ec54e3fdb3f4b03ecbfc543b64153b232a140cc8e095b2f74abfcfa0cb86e21fb612 WHIRLPOOL 028be436ac78adcb631b109a23ab7f4b5c2349a95202f8ed33a111b9b2048675892b160ac737875ebe7a73937f8868d665d016a61bdbaec301eacbbad0d1cc05
3 4
 AUX apache-noip.diff 417 SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc SHA512 fa684688e707f5fb511b228b8fa9b0f996dbf615f2f9b6478ab478e801f14c65a7381137cdbda648d68f7818891085c744da3a8249843e73bdf5ef247a90d3fe WHIRLPOOL d2636a34b0d48139adef125e76ef477d84bf7cd9785f094fe57c1d81b45e7392622d232bee5f53896d8b48eb9b3241cd48cbb585ea70d97a872c5cd3f6bfe420
4 5
 AUX httpd-2.2.16-ecc.diff 8236 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461 SHA512 8b54c30f9edc76bd8969ee894038f267d722d1ab8c7332a84fe21704bde0451e1a27503252fa87bd0f749dac3281eb266cda36aa7faec1a36ee6e67a8f9ae6c7 WHIRLPOOL 2d8ad3cd12b27937dcafef31df8c9fa048fb4e1ed06109e745fbe12dc869ceaa21fa2e62aa9bcb729d7fb426c1ee0a82171b5038cac56f8b8ebbc3cd3569daa9
5 6
 DIST gentoo-apache-2.2.22-20120213.tar.bz2 64507 SHA256 737730dabf1e1ccfe9d409067dc3c4d37d16f7fa1e792f5bf39268d904ce1c31 SHA512 f364bdbee967b3bc797d2053b9eb347af963f99275441093930d0057465e1a12567106f5c5ac21a45a4bbd4b353ce67553038d6146f469a7bf980a9148471170 WHIRLPOOL f5a3ab44fc14ddf67ccf0785006b1d9f5c49b915114f9d7e97858fba447a5ee872c741e73c17e121b61cc0aa678b42dc154616cd64054461c552d3a8c29f4f17
... ...
@@ -8,4 +9,4 @@ DIST httpd-2.2.22.tar.bz2 5378934 SHA256 dcdc9f1dc722f84798caf69d69dca78daa5e09a
8 9
 DIST httpd-2.2.23.tar.bz2 5485205 SHA256 14fe79bd6edd957c02cb41f4175e132c08e6ff74a7d08dc1858dd8224e351c34 SHA512 69b3bc942b2a91cdb57356a5c57078794db2d8404a23080a2621cdf33ae2d9bdbbacd0f6e95fd6e71fbfa87e94942be0a014c3e8709148f991e391d03aa6dee2 WHIRLPOOL 8d00184aff654b2d7f1c5ebd471f19ffcb57107ea37179fa05c424424d7b70ff0c9abf3be68ed9f0d091b3c057f1ba24cb989937e35087c3199f82e3dddbbd4f
9 10
 EBUILD apache-2.2.22-r1.ebuild 3206 SHA256 4c72b2164c32c34e85c6a8e99c68464e5505eeb79bf94eed7ad1d62ba2045c0e SHA512 bafab5ef6f8d8675614473c01ae71655b1cd94b75658353e8351df1cb8b9667b2164d501f98b4492810a2ec2d3415db6c5df416bc51aed4fc4ec6fc4a155288b WHIRLPOOL d6f4c9b06b3cfcad613084bb7902c7ba942848a8233b50ff48474e7407c3e1d4523f44a0ca9f0790510122719609ec767afbaf3fdd60b6dd7918fe409e9b08a2
10 11
 EBUILD apache-2.2.22.ebuild 3001 SHA256 cf930cea2f7e8a8bd2f7cabe7de9ecf56efb33d10bd3fe2d70acaa6e86cebb0c SHA512 1de2c503698334b00c3b44cad9680d8699e7ad21c80a746af4154d03433da4bcc072cf572d2ce9dbf478f6c97423ee2650521d877f2c62a27ec0189d5c66c045 WHIRLPOOL aadae0ae48a37cdd5ed3995c92fa5bf925fd2c12792cdcce08305191c09703a80bd7bc264c61165e8c26687bde97ad543722d04e090620cd7fe473c76688e233
11
-EBUILD apache-2.2.23.ebuild 3117 SHA256 a6bac3fd35f4e4f46c5002a174f93fad298e20d5d7062d43d67bdad6e3265d43 SHA512 0e779d36a4101b6ec0c8a5c4ea617d1a6e27966633fa8685adf5bbdea86401d519b027b8353ae4c4769d7b5c870998c226e718dbab5f44b15b5cc1c09937a32b WHIRLPOOL 89fa649375ec0f7552e8318c77c91f4f98e38824d00d964f2f8a6a9889ccfd90491e6a628c5896bff2e99f326353917c7fc76d7e378050f058591d1777e892a1
12
+EBUILD apache-2.2.23.ebuild 3181 SHA256 b6502801683bcd8708e247fd11e8d7a639a7412f77d3a631827705f20e43c878 SHA512 860dce68ab969c4bacdedc3fec4d48937d7a331921e86fe02d6b1481a59cd8997d336b9c9bbc6cf9a69dd3719acc411abae1809e7770b42d31adb1cefd5dc560 WHIRLPOOL e2e128e74236c6a306d511cdc8d1e9799e9818fc842a1884eb48a8ef8683669ba321ca228ec780015e1c88044cff2904652c4a1c93a2f3af84e3552c8e7d3363
... ...
@@ -106,6 +106,7 @@ RDEPEND="${RDEPEND}
106 106
 src_prepare() {
107 107
 
108 108
 	epatch "${FILESDIR}"/apache-noip.diff
109
+	epatch "${FILESDIR}"/apache-2.2.23-tls-compression-option.diff
109 110
 
110 111
 	apache-2_src_prepare
111 112
 	sed -i -e 's/! test -f/test -f/' "${GENTOO_PATCHDIR}"/init/apache2.initd || die "Failed to fix init script"
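Review bot: The patch applied by the new `epatch "${FILESDIR}"/apache-2.2.23-tls-compression-option.diff` line only adds a switch; it does not turn TLS compression off by default. In the patch, `sc->compression` starts as `UNSET` and the init code disables compression only under `if (sc->compression == FALSE)`, so, assuming `UNSET` differs from `FALSE` as elsewhere in mod_ssl, a server with no `SSLCompression` line keeps negotiating compression after the upgrade. If the package is meant to ship hardened, the patch could test `if (sc->compression != TRUE)` instead, or the ebuild could at least tell the administrator with `elog "Set 'SSLCompression off' to disable TLS compression"` in `pkg_postinst`. The Manifest also shows apache-2.2.23.ebuild changed in place rather than as a new revision, so hosts that already built 2.2.23 will not pick up the patch on a normal update. `src_prepare` continues outside the hunk.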
112 113
new file mode 100644
... ...
@@ -0,0 +1,128 @@
1
+Index: modules/ssl/ssl_private.h
2
+===================================================================
3
+--- modules/ssl/ssl_private.h	(revision 1395230)
4
+@@ -64,6 +64,11 @@
5
+ #define HAVE_TLSV1_X
6
+ #endif
7
+ 
8
++#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
9
++    && OPENSSL_VERSION_NUMBER < 0x00908000L
10
++#define OPENSSL_NO_COMP
11
++#endif
12
++
13
+ #include "ssl_util_ssl.h"
14
+ 
15
+ /** The #ifdef macros are only defined AFTER including the above
16
+@@ -504,6 +509,9 @@
17
+ #ifdef HAVE_FIPS
18
+     BOOL             fips;
19
+ #endif
20
++#ifndef OPENSSL_NO_COMP
21
++    BOOL             compression;
22
++#endif
23
+ };
24
+ 
25
+ /**
26
+@@ -560,6 +568,7 @@
27
+ const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
28
+ const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
29
+ const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
30
++const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
31
+ const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
32
+ const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
33
+ const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
34
+Index: modules/ssl/ssl_engine_init.c
35
+===================================================================
36
+--- modules/ssl/ssl_engine_init.c	(revision 1395230)
37
+@@ -533,6 +533,18 @@
38
+     }
39
+ #endif
40
+ 
41
++
42
++#ifndef OPENSSL_NO_COMP
43
++    if (sc->compression == FALSE) {
44
++#ifdef SSL_OP_NO_COMPRESSION
45
++        /* OpenSSL >= 1.0 only */
46
++        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
47
++#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
48
++        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
49
++#endif
50
++    }
51
++#endif
52
++
53
+ #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
54
+     if (sc->insecure_reneg == TRUE) {
55
+         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
56
+Index: modules/ssl/ssl_engine_config.c
57
+===================================================================
58
+--- modules/ssl/ssl_engine_config.c	(revision 1395230)
59
+@@ -180,6 +180,9 @@
60
+ #ifdef HAVE_FIPS
61
+     sc->fips                   = UNSET;
62
+ #endif
63
++#ifndef OPENSSL_NO_COMP
64
++    sc->compression            = UNSET;
65
++#endif
66
+ 
67
+     modssl_ctx_init_proxy(sc, p);
68
+ 
69
+@@ -278,6 +281,9 @@
70
+ #ifdef HAVE_FIPS
71
+     cfgMergeBool(fips);
72
+ #endif
73
++#ifndef OPENSSL_NO_COMP
74
++    cfgMergeBool(compression);
75
++#endif
76
+ 
77
+     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
78
+ 
79
+@@ -711,6 +717,23 @@
80
+ 
81
+ }
82
+ 
83
++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
84
++{
85
++#if !defined(OPENSSL_NO_COMP)
86
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
87
++#ifndef SSL_OP_NO_COMPRESSION
88
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
89
++    if (err)
90
++        return "This version of openssl does not support configuring "
91
++               "compression within <VirtualHost> sections.";
92
++#endif
93
++    sc->compression = flag ? TRUE : FALSE;
94
++    return NULL;
95
++#else
96
++    return "Setting Compression mode unsupported; not implemented by the SSL library";
97
++#endif
98
++}
99
++
100
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
101
+ {
102
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
103
+Index: modules/ssl/mod_ssl.c
104
+===================================================================
105
+--- modules/ssl/mod_ssl.c	(revision 1395230)
106
+@@ -156,6 +156,9 @@
107
+                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
108
+     SSL_CMD_SRV(HonorCipherOrder, FLAG,
109
+                 "Use the server's cipher ordering preference")
110
++    SSL_CMD_SRV(Compression, FLAG,
111
++                "Enable SSL level compression"
112
++                "(`on', `off')")
113
+     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
114
+                 "Enable support for insecure renegotiation")
115
+     SSL_CMD_ALL(UserName, TAKE1,
116
+Index: .
117
+===================================================================
118
+--- .	(revision 1395230)
119
+
120
+Property changes on: .
121
+___________________________________________________________________
122
+Modified: svn:mergeinfo
123
+   Merged /httpd/httpd/trunk:r1345319,1348656