httpd


fr doc XML file update.

Add gcc 9 job, enable enhanced malloc debugging for pool-debug job.

Transforms. [skip ci]

Merge r1874243 from trunk:

PKCS#11 URIs usable from 2.4.42 and later now. [skip ci]

PKCS#11 URIs usable from 2.4.42 and later now. [skip ci]

* Backported in r1874196, r1874201, r1874202 [skip ci]

Update mergeinfo. [skip ci]

Sync PKCS#11 docs from trunk. [skip ci]

Merge r1830819, r1830912, r1830913, r1830927, r1831168, r1831173, r1835240, r1835242, r1835615, r1836547 from trunk:

mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Use it, skip check for file existence for engine keys.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
  New function.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
  For engine keys, load via modssl_load_engine_pkey.

* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h:
  Remove modssl_read_encrypted_pkey() and helpers, added in r1804087
  but never used.

* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
  second argument.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Adjust
  accordingly.

Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.

* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
  serialize internally. Use ap_realloc. Return the ssl_asn1_t *
  pointer. Don't call apr_hash_set() for unchanged pointer case.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
  Adjust for the above.

* modules/ssl/ssl_private.h: Adjust as above, add docs.

mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.

* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
  from modssl_is_engine_key.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Adjust accordingly.
  (ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
  Rename from modssl_load_engine_key; load certificate if
  cert id is passed.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
  load the certificate from the engine as well.

* docs/manual/: Update manual.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
  logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH
  parameters from engine ids.

Hook up PKCS#11 PIN entry through configured passphrase entry method.

* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
  around passphrase entry.
  (modssl_load_engine_keypair): Take vhost ID and use above rather than
  default OpenSSL UI.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.

Submitted by: Anderson Sasaki <ansaski redhat.com>, jorton

* modules/ssl/ssl_engine_pphrase.c: Add logno tags.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
  the engine associated with the private key (&cert) explicitly
  rather than requiring the engine to be set as the default method
  for all operations (with "SSLCryptoDevice <engine>").
  (Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
  improvement and guidance)

* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
  ENGINE support.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton

Reviewed by: jorton, jim, ylavic

Github: closes #92

add a test for mod_substitute vs. DOTALL

the show goes on

add AP_REG_NO_DEFAULT to allow opt-out of pcre defaults

... and use it in mod_substitute to avoid DOTALL

Add Travis job which runs under UBSan ("Undefined Behaviour Sanitizer").

mod_http2 disabled for now until https://github.com/icing/mod_h2/pull/194
is merged.

Github: closes #96

Merge of r1874188 from trunk:

* mod_md: fix of version string

mod_md: fixed version string by removing -git, thanks for spotting @steffenal.

Warn against using "nobody" for User/Group since it's bad practice.

Add note on supplementary groups. [skip ci]

Fix spelling errors in docs found by codespell. [skip ci]

* support/suexec.c (clean_env): Revert use of ap_calloc in
  r1874156 which broke the build.

https://travis-ci.org/apache/httpd/builds/651858409

convert malloc(3) into ap_malloc

bz 64049

Fix spelling errors in docs found by codespell. [skip ci]

* module/dav/main/util.c (dav_check_bufsize): Don't call
  memcpy(,NULL,0) if the buffer is uninitialized, to avoid tripping
  UBSan. (Unclear if this is valid for this API.)

Cleanup of backported entries in CHANGES.

Merged /httpd/httpd/trunk:r1870020,1874133

*) mod_md:
   - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
     thanks to Timothe Litt (@tlhackque).
   - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
     check all matching virtual hosts for protocol support. Thanks to @mkauf.
   - Corrected a check when OCSP stapling was configured for hosts
     where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
   - Softening the restrictions where mod_md configuration directives may appear. This should
     allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
     you wanted in the first place, is another matter.
   [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
   Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

mod_md: adding documentation for new MDContactEmail directive.

*) mod_md:
   - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
     thanks to Timothe Litt (@tlhackque).
   - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
     check all matching virtual hosts for protocol support. Thanks to @mkauf.
   - Corrected a check when OCSP stapling was configured for hosts
     where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
   - Softening the restrictions where mod_md configuration directives may appear. This should
     allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
     you wanted in the first place, is another matter.
   [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
   Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

Back off a little when svn export is timing out.

Define ap_method_mask_t (typedef for apr_uint64_t) and use for method
bitmasks rather than apr_int64_t. Fixes UBSan errors shifting to the
top bit of a signed integer.

* include/httpd.h: Add ap_method_mask_t, use it for AP_METHOD_BIT.
  (struct ap_method_mask_t): Likewise for method_mask field.
  (struct request_rec): Likewise for allowed field.

* include/http_config.h (struct cmd_parms): Likewise for limited field.

* include/ap_mmn.h: Bump MMN major.

* modules/*/*.c: Adjust all method masks to use ap_method_mask_t.

* If dh is not set AnyEvent 7.14 chooses schmorp1539 by default which seems
  to conflict with my OpenSSL. So set schmorp2048 explicitly which works.
  See also:
  https://blog.kutej.net/2019/09/failed-to-set-DH-parameters

* Vote

* modules/http/http_filters.c (parse_chunk_size): Reduce by four the
  limit to the number of bits that can be handled in a chunk size, to
  avoid undefined behaviour bitshifting a signed integer left. Max
  chunk size on 32-bit arch is now 256MiB. Avoids UBSan error in:

  http_filters.c:227:46: runtime error: left shift of 768614336404564650 by 4 places cannot be represented in type 'long int'