keks-overlay.git

@@ -1,7 +1,11 @@

 AUX apache-noip.diff 417 RMD160 8e16f7ff130cea52449a25aafbbdeb78919d9eae SHA1 7c19a0236e4eff23bee6e69ee6708a24529a974c SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc

+AUX httpd-2.2.x-sni.diff 13866 RMD160 ae21ae0ebc2c0d263b5290d67aeefd56b145ed73 SHA1 b8b8dcc56e6a7bb5c07d95fa46683db4170dd7ba SHA256 092aaa998f2b15e6b89b0785c237ce3bb40d4bf188509fcf58470ce5731380e9

+DIST gentoo-apache-2.2.10-20081025.tar.bz2 60296 RMD160 bc6d9e05a5924cf104e0a07b18ab6c9da526a1dc SHA1 f3ea7bda13b57b9f622890b2d9288cb096472a96 SHA256 e7704ac9a645bb722d8063735c7de17a4041d76cc72244fc928a0a5ad1ee1ccd

 DIST gentoo-apache-2.2.8-r3-20080601.tar.bz2 60383 RMD160 f7d662ac9bce6bcc0e0506503be166fdb7a95eba SHA1 1d87d6ed727a8b7074446a472eb46d2b1a9eb532 SHA256 bc1bdc87aab4cfc377e2016e69f715495097bf37c47112ac6d52929adf0fbc40

 DIST gentoo-apache-2.2.9-20080615.tar.bz2 60183 RMD160 924b6268324aa679b5ff624ece159dad323028aa SHA1 6c8e053a33a561df2417e718803b65f7ac55b640 SHA256 c3bb95e339d7bdfdcd3bd71927287843df0d34ad2740ddc7913cbb0200fc8072

+DIST httpd-2.2.10.tar.bz2 5068069 RMD160 30f240222a775efa14b104a2b8df1e1dc65f4b8a SHA1 3a71f4904e359603c3338b07a1178ddfacfaa8c6 SHA256 681d5787288e4e527877f415acce198be96ce7de0dc6e354646b1df4aae21383

 DIST httpd-2.2.8.tar.bz2 4799055 RMD160 0736ea9617bafaa1c8cd34ce4fc1c7a659afea57 SHA1 5074904435d3d942ce2dc96c44b07294b8eaca77 SHA256 2ad8d0db1e478838ba88a0ddaf538c7150027d937b017739fdcb3fabb96ebd39

 DIST httpd-2.2.9.tar.bz2 4943462 RMD160 8fd62ae78271aa0ded6ba2f5bfeea8c63b79060a SHA1 71715d81e7a5ace4499803df7369c78b85251083 SHA256 d76599fbcf8b3bcff2779f880fb10e4a2bc4af60f64232083c06863e40850b61

+EBUILD apache-2.2.10.ebuild 2846 RMD160 eb8e7cfab1c7d8b1645edc89ab06bf953154f0dc SHA1 2d803be5b1c587ac45cfd1c6a538b5054ca47520 SHA256 6132bb63d6e20a6dd67d1ca20caa558e6daf6f90f7c869f0e51eccfe6d140161

 EBUILD apache-2.2.8-r3.ebuild 5288 RMD160 096b8185d25c485fd2bd13c09de9de8b5e11dcc8 SHA1 5aff0c23059bb10346c1b2988f496becc28f3a19 SHA256 2cb835468f5968a42b86924909b50cdbd9e0c4e24f0fe30e8c547d82fe49e97a

 EBUILD apache-2.2.9.ebuild 2812 RMD160 91b5a44a2db30a6d85e3302bfe9dc16bfcbaf045 SHA1 764bb36273e23745f2ba2cb6a36184096c650f12 SHA256 1302cc772b0404fd65eb9ea7a970558ecc8b0861049a07e122dc95387d45b6e4

@@ -0,0 +1,113 @@

+# Copyright 1999-2008 Gentoo Foundation

+# Distributed under the terms of the GNU General Public License v2

+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.2.10.ebuild,v 1.1 2008/10/25 14:42:49 hollow Exp $

+

+# latest gentoo apache files

+GENTOO_PATCHSTAMP="20081025"

+GENTOO_DEVELOPER="hollow"

+

+# IUSE/USE_EXPAND magic

+IUSE_MPMS_FORK="itk peruser prefork"

+IUSE_MPMS_THREAD="event worker"

+

+IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon

+authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default

+authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta

+charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dumpio env expires

+ext_filter file_cache filter headers ident imagemap include info log_config

+log_forensic logio mem_cache mime mime_magic negotiation proxy proxy_ajp

+proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling

+status substitute unique_id userdir usertrack version vhost_alias"

+

+# inter-module dependencies

+# TODO: this may still be incomplete

+MODULE_DEPENDS="

+	dav_fs:dav

+	dav_lock:dav

+	deflate:filter

+	disk_cache:cache

+	ext_filter:filter

+	file_cache:cache

+	log_forensic:log_config

+	logio:log_config

+	mem_cache:cache

+	mime_magic:mime

+	proxy_ajp:proxy

+	proxy_balancer:proxy

+	proxy_connect:proxy

+	proxy_ftp:proxy

+	proxy_http:proxy

+	substitute:filter

+"

+

+# module<->define mappings

+MODULE_DEFINES="

+	auth_digest:AUTH_DIGEST

+	authnz_ldap:AUTHNZ_LDAP

+	cache:CACHE

+	dav:DAV

+	dav_fs:DAV

+	dav_lock:DAV

+	disk_cache:CACHE

+	file_cache:CACHE

+	info:INFO

+	ldap:LDAP

+	mem_cache:CACHE

+	proxy:PROXY

+	proxy_ajp:PROXY

+	proxy_balancer:PROXY

+	proxy_connect:PROXY

+	proxy_ftp:PROXY

+	proxy_http:PROXY

+	ssl:SSL

+	status:STATUS

+	suexec:SUEXEC

+	userdir:USERDIR

+"

+

+# critical modules for the default config

+MODULE_CRITICAL="

+	authz_host

+	dir

+	mime

+"

+

+inherit apache-2

+

+DESCRIPTION="The Apache Web Server."

+HOMEPAGE="http://httpd.apache.org/"

+

+# some helper scripts are Apache-1.1, thus both are here

+LICENSE="Apache-2.0 Apache-1.1"

+SLOT="2"

+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"

+IUSE="sni"

+

+DEPEND="${DEPEND}

+	apache2_modules_deflate? ( sys-libs/zlib )"

+

+RDEPEND="${RDEPEND}

+	apache2_modules_mime? ( app-misc/mime-types )"

+

+src_unpack() {

+	EPATCH_EXCLUDE="04_all_mod_ssl_tls_sni.patch"

+

+	apache-2_src_unpack

+

+	cd "${S}"

+	epatch "${FILESDIR}/apache-noip.diff" || die

+	epatch "${FILESDIR}/httpd-2.2.x-sni.diff" || die

+

+}

+

+pkg_preinst() {

+	# note regarding IfDefine changes

+	if has_version "<${CATEGORY}/${PN}-2.2.6-r1"; then

+		elog

+		elog "When upgrading from versions 2.2.6 or earlier, please be aware"

+		elog "that the define for mod_authnz_ldap has changed from AUTH_LDAP"

+		elog "to AUTHNZ_LDAP. Additionally mod_auth_digest needs to be enabled"

+		elog "with AUTH_DIGEST now."

+		elog

+	fi

+}

@@ -0,0 +1,380 @@

+# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2

+# (see RFC 4366, "Transport Layer Security (TLS) Extensions")

+

+# based on a patch from the EdelKey project

+# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)

+

+# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later

+# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions

+# must be configured explicitly for TLS extension support at compile time

+# ("./config enable-tlsext").

+

+Index: httpd-2.2.x/modules/ssl/ssl_private.h

+===================================================================

+--- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 663014)

++++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)

+@@ -35,6 +35,7 @@

+ #include "http_connection.h"

+ #include "http_request.h"

+ #include "http_protocol.h"

++#include "http_vhost.h"

+ #include "util_script.h"

+ #include "util_filter.h"

+ #include "util_ebcdic.h"

+@@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach

+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);

+ void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);

+ void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);

++#ifndef OPENSSL_NO_TLSEXT

++int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);

++#endif

+ 

+ /**  Session Cache Support  */

+ void         ssl_scache_init(server_rec *, apr_pool_t *);

+Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c

+===================================================================

+--- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 663014)

++++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)

+@@ -355,6 +355,33 @@ static void ssl_init_server_check(server

+     }

+ }

+ 

++#ifndef OPENSSL_NO_TLSEXT

++static void ssl_init_ctx_tls_extensions(server_rec *s,

++                                        apr_pool_t *p,

++                                        apr_pool_t *ptemp,

++                                        modssl_ctx_t *mctx)

++{

++    /*

++     * Configure TLS extensions support

++     */

++    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

++                 "Configuring TLS extension handling");

++

++    /*

++     * Server name indication (SNI)

++     */

++    if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,

++                          ssl_callback_ServerNameIndication) ||

++        !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {

++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

++                     "Unable to initialize TLS servername extension "

++                     "callback (incompatible OpenSSL version?)");

++        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);

++        ssl_die();

++    }

++}

++#endif

++

+ static void ssl_init_ctx_protocol(server_rec *s,

+                                   apr_pool_t *p,

+                                   apr_pool_t *ptemp,

+@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,

+     if (mctx->pks) {

+         /* XXX: proxy support? */

+         ssl_init_ctx_cert_chain(s, p, ptemp, mctx);

++#ifndef OPENSSL_NO_TLSEXT

++        ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);

++#endif

+     }

+ }

+ 

+@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b

+         klen = strlen(key);

+ 

+         if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {

+-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,

++            ap_log_error(APLOG_MARK, 

++#ifdef OPENSSL_NO_TLSEXT

++                         APLOG_WARNING, 

++#else

++                         APLOG_DEBUG, 

++#endif

++                         0,

+                          base_server,

++#ifdef OPENSSL_NO_TLSEXT

+                          "Init: SSL server IP/port conflict: "

++#else

++                         "Init: SSL server IP/port overlap: "

++#endif

+                          "%s (%s:%d) vs. %s (%s:%d)",

+                          ssl_util_vhostid(p, s),

+                          (s->defn_name ? s->defn_name : "unknown"),

+@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b

+ 

+     if (conflict) {

+         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,

++#ifdef OPENSSL_NO_TLSEXT

+                      "Init: You should not use name-based "

+                      "virtual hosts in conjunction with SSL!!");

++#else

++                     "Init: Name-based SSL virtual hosts only "

++                     "work for clients with TLS server name indication "

++                     "support (RFC 4366)");

++#endif

+     }

+ }

+ 

+Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c

+===================================================================

+--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(revision 663014)

++++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(working copy)

+@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool

+     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {

+         result = ssl_var_lookup_ssl_compress_meth(ssl);

+     }

++#ifndef OPENSSL_NO_TLSEXT

++    else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {

++        result = apr_pstrdup(p, SSL_get_servername(ssl,

++                                                   TLSEXT_NAMETYPE_host_name));

++    }

++#endif

+     return result;

+ }

+ 

+Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c

+===================================================================

+--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 663014)

++++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)

+@@ -31,6 +31,9 @@

+ #include "ssl_private.h"

+ 

+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

++#ifndef OPENSSL_NO_TLSEXT

++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);

++#endif

+ 

+ /*

+  *  Post Read Request Handler

+@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)

+ {

+     SSLConnRec *sslconn = myConnConfig(r->connection);

+     SSL *ssl;

++#ifndef OPENSSL_NO_TLSEXT

++    const char *servername;

++#endif

+ 

+     if (!sslconn) {

+         return DECLINED;

+@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)

+     if (!ssl) {

+         return DECLINED;

+     }

++#ifndef OPENSSL_NO_TLSEXT

++    if (!r->hostname &&

++        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {

++        /* Use the SNI extension as the hostname if no Host: header was sent */

++        r->hostname = apr_pstrdup(r->pool, servername);

++        ap_update_vhost_from_headers(r);

++    }

++#endif

+     SSL_set_app_data2(ssl, r);

+ 

+     /*

+@@ -353,6 +367,11 @@ int ssl_hook_Access(request_rec *r)

+      * currently active/remembered verify depth (because this means more

+      * restriction on the certificate chain).

+      */

++    if ((sc->server->auth.verify_depth != UNSET) &&

++        (dc->nVerifyDepth == UNSET)) {

++        /* apply per-vhost setting, if per-directory config is not set */

++        dc->nVerifyDepth = sc->server->auth.verify_depth;

++    }

+     if (dc->nVerifyDepth != UNSET) {

+         /* XXX: doesnt look like sslconn->verify_depth is actually used */

+         if (!(n = sslconn->verify_depth)) {

+@@ -382,6 +401,11 @@ int ssl_hook_Access(request_rec *r)

+      * verification but at least skip the I/O-intensive renegotation

+      * handshake.

+      */

++    if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&

++        (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {

++        /* apply per-vhost setting, if per-directory config is not set */

++        dc->nVerifyClient = sc->server->auth.verify_mode;

++    }

+     if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {

+         /* remember old state */

+         verify_old = SSL_get_verify_mode(ssl);

+@@ -997,6 +1021,9 @@ int ssl_hook_Fixup(request_rec *r)

+     SSLDirConfigRec *dc = myDirConfig(r);

+     apr_table_t *env = r->subprocess_env;

+     char *var, *val = "";

++#ifndef OPENSSL_NO_TLSEXT

++    const char *servername;

++#endif

+     STACK_OF(X509) *peer_certs;

+     SSL *ssl;

+     int i;

+@@ -1018,6 +1045,13 @@ int ssl_hook_Fixup(request_rec *r)

+     /* the always present HTTPS (=HTTP over SSL) flag! */

+     apr_table_setn(env, "HTTPS", "on");

+ 

++#ifndef OPENSSL_NO_TLSEXT

++    /* add content of SNI TLS extension (if supplied with ClientHello) */

++    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {

++        apr_table_set(env, "SSL_TLS_SNI", servername);

++    }

++#endif

++

+     /* standard SSL environment variables */

+     if (dc->nOptions & SSL_OPT_STDENVVARS) {

+         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {

+@@ -1810,3 +1844,141 @@ void ssl_callback_LogTracingState(MODSSL

+     }

+ }

+ 

++#ifndef OPENSSL_NO_TLSEXT

++/*

++ * This callback function is executed when OpenSSL encounters an extended

++ * client hello with a server name indication extension ("SNI", cf. RFC 4366).

++ */

++int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)

++{

++    const char *servername =

++                SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

++

++    if (servername) {

++        conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);

++        if (c) {

++            if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,

++                                            (void *)servername)) {

++                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,

++                              "SSL virtual host for servername %s found",

++                              servername);

++                return SSL_TLSEXT_ERR_OK;

++            }

++            else {

++                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,

++                              "No matching SSL virtual host for servername "

++                              "%s found (using default/first virtual host)",

++                              servername);

++                return SSL_TLSEXT_ERR_ALERT_WARNING;

++            }

++        }

++    }

++

++    return SSL_TLSEXT_ERR_NOACK;

++}

++

++/*

++ * Find a (name-based) SSL virtual host where either the ServerName

++ * or one of the ServerAliases matches the supplied name (to be used

++ * with ap_vhost_iterate_given_conn())

++ */

++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) 

++{

++    SSLSrvConfigRec *sc;

++    SSL *ssl;

++    BOOL found = FALSE;

++    apr_array_header_t *names;

++    int i;

++

++    /* check ServerName */

++    if (!strcasecmp(servername, s->server_hostname)) {

++        found = TRUE;

++    }

++

++    /* 

++     * if not matched yet, check ServerAlias entries

++     * (adapted from vhost.c:matches_aliases())

++     */

++    if (!found) {

++        names = s->names;

++        if (names) {

++            char **name = (char **)names->elts;

++            for (i = 0; i < names->nelts; ++i) {

++                if (!name[i])

++                    continue;

++                if (!strcasecmp(servername, name[i])) {

++                    found = TRUE;

++                    break;

++                }

++            }

++        }

++    }

++

++    /* if still no match, check ServerAlias entries with wildcards */

++    if (!found) {

++        names = s->wild_names;

++        if (names) {

++            char **name = (char **)names->elts;

++            for (i = 0; i < names->nelts; ++i) {

++                if (!name[i])

++                    continue;

++                if (!ap_strcasecmp_match(servername, name[i])) {

++                    found = TRUE;

++                    break;

++                }

++            }

++        }

++    }

++

++    /* set SSL_CTX (if matched) */

++    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&

++        (sc = mySrvConfig(s))) {

++        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);

++        /*

++         * SSL_set_SSL_CTX() only deals with the server cert,

++         * so we need to duplicate a few additional settings

++         * from the ctx by hand

++         */

++        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));

++        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||

++            (SSL_num_renegotiations(ssl) == 0)) {

++           /*

++            * Only initialize the verification settings from the ctx

++            * if they are not yet set, or if we're called when a new

++            * SSL connection is set up (num_renegotiations == 0).

++            * Otherwise, we would possibly reset a per-directory

++            * configuration which was put into effect by ssl_hook_Access.

++            */

++            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),

++                           SSL_CTX_get_verify_callback(ssl->ctx));

++        }

++

++        /*

++         * We also need to make sure that the correct mctx

++         * (accessed through the c->base_server->module_config vector)

++         * is assigned to the connection - the CRL callback e.g.

++         * makes use of it for retrieving its store (mctx->crl).

++         * Since logging in callbacks uses c->base_server in many

++         * cases, it also ensures that these messages are routed

++         * to the proper log.

++         */

++        c->base_server = s;

++

++        /*

++         * There is one special filter callback, which is set

++         * very early depending on the base_server's log level.

++         * If this is not the first vhost we're now selecting

++         * (and the first vhost doesn't use APLOG_DEBUG), then

++         * we need to set that callback here.

++         */

++        if (c->base_server->loglevel >= APLOG_DEBUG) {

++            BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);

++            BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);

++        }

++

++        return 1;

++    }

++

++    return 0;

++}

++#endif

+Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h

+===================================================================

+--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(revision 663014)

++++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(working copy)

+@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *

+ #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

+ #endif

+ 

++#ifndef OPENSSL_NO_TLSEXT

++#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME

++#define OPENSSL_NO_TLSEXT

++#endif

++#endif

++

+ #endif /* SSL_TOOLKIT_COMPAT_H */

+ 

+ /** @} */