keks-overlay.git

@@ -1,8 +1,11 @@

 AUX 41_mod_http2.conf 189 BLAKE2B 70f006ead657b250bb4c30a332484baf698541d44d922453bae6133e2458a7009035156f47c1dbba42bd6830ab5bef8c56d151821b0b56e9b41ef9b3db885411 SHA512 3d56a24ea98bc3188e5d6f8e2e0148e4b718e04f23452e77750bca984c44fc7c3acd4521a945b4c415284d0a5dac0f7e846bb60daf70fe61ce2632e8fa201ed6

+AUX apache-2.4.49-fix-ocsp.diff 5702 BLAKE2B 108da1e90e205a8d7661dbfb1afdc25630b83e36912a3000d36ba685db5bc3b49288bb53a1bbff56dd7874821d3caee242757a8f4b28948a67aee624d8e9472c SHA512 13c2ec72ec4611dcfdb73d0070ae2ecdee071f3eabfa413397a0082ab125701091deb7820b38234a89e81a9af9b9e120f1fea9728b28cbbe59f2561a02c5512d

 AUX apache-fix-ocsp.diff 3739 BLAKE2B 9ed68ebdf89b7e7001c80b6a94656e113d46129001042bb7eefcb850fbf909935bfec46e536a29cedbc15e4697acf636f4f787f2c749163b64ed058644b20100 SHA512 b388206d6ab01ad783f800448a5a8ebf7ff5de3d3c931c7c9696e96c84d31525f965fd7da00c45441b1adee8a63af400289559bf709dd9ab29cb3bf275cf204f

 AUX apache.conf 55 BLAKE2B 05ab58ac12e51c7aa548a71a2da43bbf80e53ef8ebe7d143f698b118621f2af1498a1362e7f30b82dc12a96485652cb0c34248c290f6a1aab6a3f378d9843c2a SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3

 AUX apache2.2-hardened.service 970 BLAKE2B 77bf52cd0e5793aa81ad2b16267c1339e10fc4875704add053fd9ec67db60d2e175cb7a271c8d36b5e675a9cddd431062a6c31730510a921357b472383b502e4 SHA512 c206e7103d592dcf4f2d62979a20f7ab3cc7ce357ffe3c06ae8137064c812b9727e01a53fd602a0a55a64ed609664061de680ff42329381db787e2dae9310c48

 DIST gentoo-apache-2.4.46-r6-20210212.tar.bz2 25854 BLAKE2B 001f16c1beac8c90fd407bb2f77417f886296baf02acf0f6d81dc0f10c209270db7005f58d845d309dec8332773556da88db41a57c6ecc86f24b8a5141ba07d0 SHA512 976dde952277542efca70831b67da32b8bf636a346adeeb6e0bc5a65b3543a7ca4fb182bc01204f747b583dd753607d184d91ef46a93d5e2f3ab55ed787860a2

 DIST httpd-2.4.48.tar.bz2 7194385 BLAKE2B 5006535dc15b703b4388d90d57559bd882f16210c2f38f4d773312ed8322803629deee18709ca4446000c20c94ff8b0037acbe4dddab9cdbe45417079f708039 SHA512 6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724

+DIST httpd-2.4.49.tar.bz2 7199599 BLAKE2B 78614647335a2351ce3ffb67f79bffd4aa0f42080a46de1f8d8a75c2ccae24998f5d505e60e9d4a710ff763e6a8cb3abee3da34ff6a7f2e18b68029a8abe80b7 SHA512 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd

 EBUILD apache-2.4.48-r3.ebuild 8404 BLAKE2B 234a64240b18730ec93e32e88a9ba2dad2181216d9c507da07f8298e514795464ac2c961e30250541c4bf69475eb2ccd1816bd5a4444146d7a61090e90effc8f SHA512 eecaacd6decc9b6b83d4cbb0b54c730b3c0d657c23a3f58e474c4e595a3c79201f96fbb97f275f9990f1f5a426918c34da6e62dd34d178c8b6b76c43e1d088d8

+EBUILD apache-2.4.49.ebuild 8421 BLAKE2B 62a861f1f4677aec2c969050492d0cc5ac31209880b1d79e07835b41238311dabcd9f425169c04eac9d5f785a432d99d8353ab456e4b81a9d33d3b4568532677 SHA512 c30773c61de2d20c1d1e1945c9c0a4a5a2ad22b8193133eaa4b1648599249fa83203d5697d62ba1cefaa9184b7b59c7a1a630c05aeabe7522b4a85d05d223deb

 MISC metadata.xml 900 BLAKE2B bc278df7a16090cb248b55179c0228b3c9ab846d918799e7b74b21d55f6410556909016ba6960cc77909fd4f8f85b8ebf25ba261553b8c5d42803d750a462cac SHA512 f98af69b59e4403ff194387781e92fe825df71a5d2f8d1c8a960b222eb548e1723335e13479b6e225e62b92b9af09cbd418fa95ddb676a5f039445945d5ae686

@@ -0,0 +1,266 @@

+# Copyright 1999-2021 Gentoo Authors

+# Distributed under the terms of the GNU General Public License v2

+

+EAPI=7

+

+# Bug in OCSP stapling, should be fixed in next version

+# https://bz.apache.org/bugzilla/show_bug.cgi?id=65567

+PATCHES="${FILESDIR}/apache-2.4.49-fix-ocsp.diff"

+

+# latest gentoo apache files

+GENTOO_PATCHSTAMP="20210212"

+GENTOO_DEVELOPER="polynomial-c"

+GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6"

+

+# IUSE/USE_EXPAND magic

+IUSE_MPMS_FORK="prefork"

+IUSE_MPMS_THREAD="event worker"

+

+# << obsolete modules:

+# authn_default authz_default mem_cache

+# mem_cache is replaced by cache_disk

+# ?? buggy modules

+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found

+# >> added modules for reason:

+# compat: compatibility with 2.2 access control

+# authz_host: new module for access control

+# authn_core: functionality provided by authn_alias in previous versions

+# authz_core: new module, provides core authorization capabilities

+# cache_disk: replacement for mem_cache

+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3

+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3

+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).

+# socache_shmcb: shared object cache provider. Default config with ssl needs it

+# unixd: fixes startup error: Invalid command 'User'

+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form

+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core

+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex

+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock

+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2

+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness

+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation

+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi

+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout

+session session_cookie session_crypto session_dbd setenvif slotmem_shm speling

+socache_memcache socache_shmcb status substitute unique_id userdir usertrack

+unixd version vhost_alias watchdog xml2enc"

+# The following are also in the source as of this version, but are not available

+# for user selection:

+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export

+# optional_fn_import optional_hook_export optional_hook_import

+

+# inter-module dependencies

+# TODO: this may still be incomplete

+MODULE_DEPENDS="

+	auth_form:session

+	brotli:filter

+	dav_fs:dav

+	dav_lock:dav

+	deflate:filter

+	cache_disk:cache

+	ext_filter:filter

+	file_cache:cache

+	lbmethod_byrequests:proxy_balancer

+	lbmethod_byrequests:slotmem_shm

+	lbmethod_bytraffic:proxy_balancer

+	lbmethod_bybusyness:proxy_balancer

+	lbmethod_heartbeat:proxy_balancer

+	log_forensic:log_config

+	logio:log_config

+	cache_disk:cache

+	cache_socache:cache

+	md:watchdog

+	mime_magic:mime

+	proxy_ajp:proxy

+	proxy_balancer:proxy

+	proxy_balancer:slotmem_shm

+	proxy_connect:proxy

+	proxy_ftp:proxy

+	proxy_html:proxy

+	proxy_html:xml2enc

+	proxy_http:proxy

+	proxy_http2:proxy

+	proxy_scgi:proxy

+	proxy_uwsgi:proxy

+	proxy_fcgi:proxy

+	proxy_wstunnel:proxy

+	session_cookie:session

+	session_dbd:dbd

+	session_dbd:session

+	socache_memcache:cache

+	substitute:filter

+"

+

+# module<->define mappings

+MODULE_DEFINES="

+	auth_digest:AUTH_DIGEST

+	authnz_ldap:AUTHNZ_LDAP

+	cache:CACHE

+	cache_disk:CACHE

+	cache_socache:CACHE

+	dav:DAV

+	dav_fs:DAV

+	dav_lock:DAV

+	file_cache:CACHE

+	http2:HTTP2

+	info:INFO

+	ldap:LDAP

+	lua:LUA

+	md:SSL

+	proxy:PROXY

+	proxy_ajp:PROXY

+	proxy_balancer:PROXY

+	proxy_connect:PROXY

+	proxy_ftp:PROXY

+	proxy_html:PROXY

+	proxy_http:PROXY

+	proxy_fcgi:PROXY

+	proxy_scgi:PROXY

+	proxy_wstunnel:PROXY

+	socache_shmcb:SSL

+	socache_memcache:CACHE

+	ssl:SSL

+	status:STATUS

+	suexec:SUEXEC

+	userdir:USERDIR

+"

+

+# critical modules for the default config

+MODULE_CRITICAL="

+	authn_core

+	authz_core

+	authz_host

+	dir

+	mime

+	unixd

+"

+inherit apache-2 systemd tmpfiles toolchain-funcs

+

+DESCRIPTION="The Apache Web Server"

+HOMEPAGE="https://httpd.apache.org/"

+

+# some helper scripts are Apache-1.1, thus both are here

+LICENSE="Apache-2.0 Apache-1.1"

+SLOT="2"

+KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"

+

+# FIXME! Move this to eclass once all ebuilds are EAPI-7

+RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"

+REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"

+

+pkg_setup() {

+	# dependend critical modules which are not allowed in global scope due

+	# to USE flag conditionals (bug #499260)

+	use ssl && MODULE_CRITICAL+=" socache_shmcb"

+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"

+	apache-2_pkg_setup

+}

+

+src_configure() {

+	# Brain dead check.

+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"

+

+	apache-2_src_configure

+}

+

+src_compile() {

+	if tc-is-cross-compiler; then

+		# This header is the same across targets, so use the build compiler.

+		pushd server >/dev/null

+		emake gen_test_char

+		tc-export_build_env BUILD_CC

+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \

+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die

+		popd >/dev/null

+	fi

+

+	default

+}

+

+src_install() {

+	apache-2_src_install

+	local i

+	local apache_tools_prune_list=(

+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}

+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}

+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}

+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}

+	)

+	for i in ${apache_tools_prune_list[@]} ; do

+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"

+	done

+

+	# install apxs in /usr/bin (bug #502384) and put a symlink into the

+	# old location until all ebuilds and eclasses have been modified to

+	# use the new location.

+	dobin support/apxs

+	use split-usr && dosym ../bin/apxs /usr/sbin/apxs

+

+	# Note: wait for mod_systemd to be included in some forthcoming release,

+	# Then apache2.4.service can be used and systemd support controlled

+	# through --enable-systemd

+	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"

+	dotmpfiles "${FILESDIR}/apache.conf"

+	#insinto /etc/apache2/modules.d

+	#doins "${FILESDIR}/00_systemd.conf"

+

+	# Install http2 module config

+	insinto /etc/apache2/modules.d

+	doins "${FILESDIR}"/41_mod_http2.conf

+

+	# Fix path to apache libdir

+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die

+}

+

+pkg_postinst() {

+	echo

+	ewarn "Downgrading to pre-GLEP 81 user for now."

+	ewarn "See bug #802495 and bug #803500 for more information."

+	ewarn ""

+	ewarn "You will need to run the following command to unlock the user:"

+	ewarn "usermod -e '' -U apache 2>/dev/null"

+	echo

+

+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"

+

+	tmpfiles_process apache.conf #662544

+

+	# warnings that default config might not work out of the box

+	local mod cmod

+	for mod in ${MODULE_CRITICAL} ; do

+		if ! use "apache2_modules_${mod}"; then

+			echo

+			ewarn "Warning: Critical module not installed!"

+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"

+			ewarn "are highly recomended but might not be in the base profile yet."

+			ewarn "Default config for ssl needs module 'socache_shmcb'."

+			ewarn "Enabling the following flags is highly recommended:"

+			for cmod in ${MODULE_CRITICAL} ; do

+				use "apache2_modules_${cmod}" || \

+					ewarn "+ apache2_modules_${cmod}"

+			done

+			echo

+			break

+		fi

+	done

+	# warning for proxy_balancer and missing load balancing scheduler

+	if use apache2_modules_proxy_balancer; then

+		local lbset=

+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do

+			if use "apache2_modules_${mod}"; then

+				lbset=1 && break

+			fi

+		done

+		if [ ! ${lbset} ] ; then

+			echo

+			ewarn "Info: Missing load balancing scheduler algorithm module"

+			ewarn "(They were split off from proxy_balancer in 2.3)"

+			ewarn "In order to get the ability of load balancing, at least"

+			ewarn "one of these modules has to be present:"

+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"

+			echo

+		fi

+	fi

+}

@@ -0,0 +1,133 @@

+diff -Naur a/modules/md/md_curl.c b/modules/md/md_curl.c

+--- a/modules/md/md_curl.c	2021-07-12 10:04:51.000000000 +0200

++++ b/modules/md/md_curl.c	2021-09-19 19:14:35.987795057 +0200

+@@ -491,7 +491,7 @@

+             else if (APR_STATUS_IS_ENOENT(rv)) {

+                 md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p, 

+                               "multi_perform[%d reqs]: no more requests", requests->nelts);

+-                if (!running) {

++                if (!requests->nelts) {

+                     goto leave;

+                 }

+                 break;

+@@ -524,13 +524,13 @@

+         }

+ 

+         /* process status messages, e.g. that a request is done */

+-        while (1) {

++        while (running < requests->nelts) {

+             curlmsg = curl_multi_info_read(curlm, &msgcount);

+             if (!curlmsg) break;

+             if (curlmsg->msg == CURLMSG_DONE) {

+                 req = find_curl_request(requests, curlmsg->easy_handle);

+                 if (req) {

+-                    md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p, 

++                    md_log_perror(MD_LOG_MARK, MD_LOG_TRACE2, 0, p,

+                                   "multi_perform[%d reqs]: req[%d] done", 

+                                   requests->nelts, req->id);

+                     update_status(req);

+@@ -546,7 +546,6 @@

+                 }

+             }

+         }

+-        assert(running == requests->nelts);

+     };

+ 

+ leave:

+diff -Naur a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c

+--- a/modules/md/md_ocsp.c	2021-07-12 10:04:51.000000000 +0200

++++ b/modules/md/md_ocsp.c	2021-09-19 19:14:35.987795057 +0200

+@@ -339,7 +339,7 @@

+     rv = md_cert_get_ocsp_responder_url(&ostat->responder_url, reg->p, cert);

+     if (APR_SUCCESS != rv) {

+         md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, reg->p,

+-                      "md[%s]: certificate with serial %s has not OCSP responder URL",

++                      "md[%s]: certificate with serial %s has no OCSP responder URL",

+                       name, md_cert_get_serial_number(cert, reg->p));

+         goto cleanup;

+     }

+@@ -609,7 +609,11 @@

+     if (NULL == (ocsp_resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char**)&der.data, 

+                                                (long)der.len))) {

+         rv = APR_EINVAL;

+-        md_result_set(update->result, rv, "response body does not parse as OCSP response");

++

++        md_result_set(update->result, rv,

++                      apr_psprintf(req->pool, "req[%d] response body does not parse as "

++                                   "OCSP response, status=%d, body brigade length=%ld",

++                                   resp->req->id, resp->status, (long)der.len));

+         md_result_log(update->result, MD_LOG_DEBUG);

+         goto cleanup;

+     }

+@@ -635,7 +639,7 @@

+      * to accept it. */

+     switch ((n = OCSP_check_nonce(ostat->ocsp_req, basic_resp))) {

+         case 1:

+-            md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, req->pool, 

++            md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, req->pool,

+                           "req[%d]: OCSP respoonse nonce does match", req->id);

+             break;

+         case 0:

+@@ -645,7 +649,7 @@

+             goto cleanup;

+             

+         case -1:

+-            md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, req->pool, 

++            md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, req->pool,

+                           "req[%d]: OCSP respoonse did not return the nonce", req->id);

+             break;

+         default:

+@@ -832,6 +836,9 @@

+             md_http_set_on_status_cb(req, ostat_on_req_status, update);

+             md_http_set_on_response_cb(req, ostat_on_resp, update);

+             rv = APR_SUCCESS;

++            md_log_perror(MD_LOG_MARK, MD_LOG_TRACE2, 0, req->pool,

++                          "scheduling OCSP request for %s, %d request in flight",

++                          ostat->md_name, in_flight);

+         }

+     }

+ cleanup:

+diff -Naur a/modules/md/md_reg.c b/modules/md/md_reg.c

+--- a/modules/md/md_reg.c	2021-05-12 12:14:42.000000000 +0200

++++ b/modules/md/md_reg.c	2021-09-19 19:14:35.988795057 +0200

+@@ -549,7 +549,11 @@

+         rv = md_pubcert_load(reg->store, group, md->name, spec, &certs, p);

+     }

+     if (APR_SUCCESS != rv) goto leave;

+-            

++    if (certs->nelts == 0) {

++        rv = APR_ENOENT;

++        goto leave;

++    }

++

+     pubcert = apr_pcalloc(p, sizeof(*pubcert));

+     pubcert->certs = certs;

+     cert = APR_ARRAY_IDX(certs, 0, const md_cert_t *);

+diff -Naur a/modules/md/md_store_fs.c b/modules/md/md_store_fs.c

+--- a/modules/md/md_store_fs.c	2021-07-12 10:04:51.000000000 +0200

++++ b/modules/md/md_store_fs.c	2021-09-19 19:14:35.988795057 +0200

+@@ -508,19 +508,21 @@

+ 

+     rv = md_util_is_dir(*pdir, p);

+     if (APR_STATUS_IS_ENOENT(rv)) {

+-        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "not a directory, creating %s", *pdir);

++        md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, rv, p, "not a directory, creating %s", *pdir);

+         rv = apr_dir_make_recursive(*pdir, perms->dir, p);

+         if (APR_SUCCESS != rv) goto cleanup;

+         dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p);

+     }

+ 

+     rv = apr_file_perms_set(*pdir, perms->dir);

+-    md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "mk_group_dir %s perm set", *pdir);

++    md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, rv, p, "mk_group_dir %s perm set", *pdir);

+     if (APR_STATUS_IS_ENOTIMPL(rv)) {

+         rv = APR_SUCCESS;

+     }

+ cleanup:

+-    md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "mk_group_dir %d %s", group, name);

++    if (APR_SUCCESS != rv) {

++        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "mk_group_dir %d %s", group, name);

++    }

+     return rv;

+ }

+