* Ensure that we set the default DH parameters for the key
Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.
Stefan Eissing [Mon, 8 Apr 2024 11:24:18 +0000 (11:24 +0000)]
mod_md: update to v2.4.26
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Test Updates
- workarounds for using Pebble v2.5
- disable EAB tests for Pebble since v2.5 no longer
supports HS256 FWT for EAB keys
- some stability improvements in error/warning checks
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_03_not_found and
test_h2_800_05_non_ws_delay_resource) due to
additional RST messages.
Maybe we should allow RST after EOF in all websocket tests?
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_04_non_ws_resource and
test_h2_800_09b_unsupported) due to
additional RST messages.
Joe Orton [Fri, 15 Mar 2024 15:26:11 +0000 (15:26 +0000)]
mod_systemd: if SELinux is available and enabled, log the SELinux
context at startup, since this may vary when httpd is started via
systemd vs being started directly.
* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.
Yann Ylavic [Thu, 14 Mar 2024 14:54:59 +0000 (14:54 +0000)]
mod_crypto: Fix warnings about signed bit fields.
The non-zero value for one bit field is -1:
mod_crypto.c|565 col 18| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->encrypt = 1;
|| ^ ~
mod_crypto.c|746 col 22| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->clength = 1;
|| ^ ~
mod_crypto.c|903 col 35| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->seen_eos = 1;
|| ^ ~
mod_crypto.c|960 col 22| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->clength = 1;
|| ^ ~
Use unsigned bit fields for struct crypto_ctx's members seen_eos, encrypt and clength.
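As an added illustration of the warning above (this is constructed example code, not httpd's mod_crypto), the struct below mirrors the shape of the three one-bit flags with a signed and an unsigned variant. A signed 1-bit field has only a sign bit, so on two's-complement targets storing 1 reads back as -1 and a later `== 1` comparison silently fails; the unsigned field behaves as a flag is expected to. The stores go through a `volatile` temporary so the demonstration compiles cleanly even with -Wsingle-bit-bitfield-constant-conversion.

```c
#include <stdio.h>

/* Constructed stand-in for the struct in the commit message: the "before"
 * shape uses signed one-bit fields, the "after" shape uses unsigned ones.
 * Field names are borrowed from the warning text; this is not httpd's code. */
struct ctx_signed {
    signed int seen_eos:1;
    signed int encrypt:1;
    signed int clength:1;
};

struct ctx_unsigned {
    unsigned int seen_eos:1;
    unsigned int encrypt:1;
    unsigned int clength:1;
};

/* Store v into a signed 1-bit field and read it back. The field holds only
 * the sign bit, so the representable values are 0 and -1: storing 1 yields -1. */
int signed_field_roundtrip(int v)
{
    struct ctx_signed c = {0};
    volatile int tmp = v;   /* route through a variable so no constant-conversion warning fires */
    c.encrypt = tmp;
    return c.encrypt;
}

/* Same store into an unsigned 1-bit field: representable values are 0 and 1. */
int unsigned_field_roundtrip(int v)
{
    struct ctx_unsigned c = {0};
    volatile int tmp = v;
    c.encrypt = tmp;
    return c.encrypt;
}

/* The practical consequence: after "setting" the signed flag to 1, a test
 * written as `== 1` is false, even though `!= 0` would still be true. */
int signed_flag_equals_one(void)
{
    struct ctx_signed c = {0};
    volatile int one = 1;
    c.encrypt = one;
    return c.encrypt == 1;
}

int unsigned_flag_equals_one(void)
{
    struct ctx_unsigned c = {0};
    volatile int one = 1;
    c.encrypt = one;
    return c.encrypt == 1;
}

int main(void)
{
    printf("signed   1-bit field after storing 1: %d (== 1 ? %d)\n",
           signed_field_roundtrip(1), signed_flag_equals_one());
    printf("unsigned 1-bit field after storing 1: %d (== 1 ? %d)\n",
           unsigned_field_roundtrip(1), unsigned_flag_equals_one());
    return 0;
}
```

Whether a plain `int` bit field is signed is implementation-defined, which is why the example spells out `signed int`; declaring flag fields `unsigned` removes the ambiguity and makes both `!= 0` and `== 1` checks behave the same.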
Eric Covener [Mon, 11 Mar 2024 20:35:27 +0000 (20:35 +0000)]
event: avoid possible hang in clean_child_exit
If the pthread_create failure isn't on the first worker thread,
another one is likely to hold the queue mutex already. The cleanup
of pchild will try to cleanup the queue and block on destroying
the condition.
Joe Orton [Thu, 29 Feb 2024 15:28:36 +0000 (15:28 +0000)]
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Update to avoid GCC warning for no-engine builds where the
SSLModConfigRec is not used. Also log an error for the ENOTIMPL
path.
Joe Orton [Thu, 29 Feb 2024 14:00:55 +0000 (14:00 +0000)]
CI tweaks:
- don't install CPAN modules if NO_TEST_FRAMEWORK is set
- remove the workaround for mod_h2 APR build caching which
should no longer be necessary now caching is fixed
- fix capturing specific perl-framework failures with "TEST -v" mode
Joe Orton [Thu, 29 Feb 2024 13:30:50 +0000 (13:30 +0000)]
CI: Re-enable caching for *fixed* versions of apr/apr-util which
should now work correctly (since the version is in the cache key).
For 1.x branches, CLEAR_CACHE must still be used. [skip ci]
Joe Orton [Thu, 29 Feb 2024 12:11:39 +0000 (12:11 +0000)]
CI: Hopefully fix caching and artifact uploads by creating $JOBID
as a unique key for each job in the matrix, using that as the
cache key and in each artefact upload (otherwise multiple failures
uploading "error_log" overwrite each other).
Yann Ylavic [Tue, 20 Feb 2024 10:37:30 +0000 (10:37 +0000)]
mod_ssl: Follow up to r1913815: szCryptoDevice to NULL when !MODSSL_HAVE_ENGINE_API
Latest OpenSSL versions removed the ENGINE API completely, still provide NULL
SSLModConfigRec::szCryptoDevice since it's used outside MODSSL_HAVE_ENGINE_API.
SSLModConfigRec is a private struct, so no MMN change.
* modules/ssl/ssl_private(SSLModConfigRec):
Provide szCryptoDevice (NULL) even if !MODSSL_HAVE_ENGINE_API.
Joe Orton [Thu, 1 Feb 2024 15:34:22 +0000 (15:34 +0000)]
Minor CI changes:
- Add --enable-reduced-exports test.
- test running apachectl -V in the TEST_INSTALL case
- test running httpd -V in the SKIP_TESTING case
- rejig to exit if SKIP_TESTING, un-nest the if block around testing
(no functional change from this part)
Stefan Eissing [Wed, 17 Jan 2024 08:38:02 +0000 (08:38 +0000)]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
Yann Ylavic [Tue, 16 Jan 2024 17:40:36 +0000 (17:40 +0000)]
mod_headers: Avoid infinite recursion with the edit* action and empty matches.
Change the recursion used for edit* to a loop using the new ap_regexec_ex()
function taking the current position (offset) in the subject string.
After an empty match do the same thing as pcre2_substitute() (or Perl's /g),
that is: don't allow for another empty match at the same position by setting
the AP_REG_NOTEMPTY_ATSTART option. If there is a non-empty match use it,
otherwise skip/consume the first character and continue from there.
* modules/metadata/mod_headers.c:
Rename the hdr_edit_r enum for edit* to hdr_edit_all to better express what
it does (and since the action is not recursive anymore).
* modules/metadata/mod_headers.c(push_string, push_match):
New helpers to consume the subject and substitutions in an array of iovec.
* modules/metadata/mod_headers.c(process_regexp):
Implement the new logic, using push_match() and push_string() to fill the
iovec array finally passed to apr_strcatv() for the resulting string.
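Added example (not httpd's mod_headers or ap_regexec_ex): a global substitution written as a loop over an explicit offset, which is the structural change described above. The point of interest is the empty-match case: a pattern such as `x*` matches the empty string at every position, so a substitute-all that restarts at the same offset never terminates. This version uses POSIX `<regex.h>`, which has no equivalent of AP_REG_NOTEMPTY_ATSTART, so it implements only the fallback half of the commit's rule: after an empty match it copies one subject character and advances. For patterns where a non-empty alternative exists at the same position (e.g. `x*|y`) it can therefore differ from pcre2_substitute() or Perl's /g; for the common cases shown in `main` the results agree.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append n bytes of src to a growable, NUL-terminated buffer. */
static void buf_append(char **buf, size_t *len, size_t *cap, const char *src, size_t n)
{
    if (*len + n + 1 > *cap) {
        *cap = (*len + n + 1) * 2;
        *buf = realloc(*buf, *cap);
        if (!*buf) abort();
    }
    memcpy(*buf + *len, src, n);
    *len += n;
    (*buf)[*len] = '\0';
}

/* Replace every match of pattern in subject with repl, iterating with an
 * explicit offset instead of recursing. Returns a malloc'd string (caller
 * frees) or NULL if the pattern does not compile. After an empty match the
 * loop consumes exactly one character, so it always makes progress and
 * terminates even for patterns that match the empty string. */
char *regex_replace_all(const char *pattern, const char *subject, const char *repl)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return NULL;

    size_t len = 0, cap = 64;
    char *out = malloc(cap);
    if (!out) abort();
    out[0] = '\0';

    size_t off = 0, n = strlen(subject), replen = strlen(repl);
    while (off <= n) {
        regmatch_t m;
        /* Once past the start of the subject, '^' must not match at the offset. */
        int flags = off > 0 ? REG_NOTBOL : 0;
        if (regexec(&re, subject + off, 1, &m, flags) != 0) {
            buf_append(&out, &len, &cap, subject + off, n - off); /* no further match: copy the rest */
            break;
        }
        size_t ms = off + (size_t)m.rm_so, me = off + (size_t)m.rm_eo;
        buf_append(&out, &len, &cap, subject + off, ms - off); /* text before the match */
        buf_append(&out, &len, &cap, repl, replen);            /* the substitution */
        if (me > ms) {
            off = me;           /* non-empty match: continue right after it */
        } else {
            /* empty match: consume one character so the next iteration advances */
            if (ms < n) buf_append(&out, &len, &cap, subject + ms, 1);
            off = ms + 1;
        }
    }
    regfree(&re);
    return out;
}

int main(void)
{
    /* Constructed inputs; "x*" matches empty at every position and would
     * loop forever without the progress rule. */
    const char *cases[][3] = {
        { "x*",  "abc",     "-" },
        { "a*",  "baaac",   "-" },
        { "o",   "foo boo", "0" },
        { "^a",  "aaa",     "-" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        char *r = regex_replace_all(cases[i][0], cases[i][1], cases[i][2]);
        printf("s/%s/%s/g on \"%s\" -> \"%s\"\n", cases[i][0], cases[i][2], cases[i][1], r ? r : "(bad pattern)");
        free(r);
    }
    return 0;
}
```

The loop never re-runs the matcher at an offset where it has already produced an empty match, which is the property that bounds the work to the subject length; the recursive form the commit replaces had no such bound.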
Yann Ylavic [Tue, 16 Jan 2024 16:51:03 +0000 (16:51 +0000)]
regex: Add ap_regexec_ex() which can take a starting offset to match from.
* include/ap_mmn.h:
Bump MMN minor.
* include/ap_regex.h:
Declare ap_regexec_ex().
* server/util_pcre.c(ap_regexec, ap_regexec_len, ap_regexec_ex):
Reuse existing ap_regexec_len() code to implement ap_regexec_ex() where the
offset is given instead of zero, then implement ap_regexec{,len}() in terms
of ap_regexec_ex().
Joe Orton [Wed, 20 Dec 2023 15:56:15 +0000 (15:56 +0000)]
* modules/http/chunk_filter.c (ap_http_chunk_filter): For a brigade
containing [FLUSH EOS], insert the last-chunk terminator before the
FLUSH rather than between the FLUSH and the EOS.
Joe Orton [Thu, 7 Dec 2023 18:29:15 +0000 (18:29 +0000)]
* modules/dav/main/util.c (dav_validate_resource_state): Fix error
message formatting if an unauthenticated user tries to use an
authenticated user's lock token (cosmetic fix only).
Joe Orton [Thu, 7 Dec 2023 18:25:35 +0000 (18:25 +0000)]
mod_dav_fs: Add global mutex around lockdb use, since
apr_dbm does not provide thread-safe locking:
* modules/dav/fs/mod_dav_fs.c (dav_fs_get_server_conf):
Replaces dav_get_lockdb_path.
(dav_fs_pre_config, dav_fs_child_init): New hooks.
(dav_fs_post_config): Create & store the mutex here.
(register_hooks): Register new hooks.
* modules/dav/fs/repos.h: Expose new dav_fs_server_conf struct.
* modules/dav/fs/lock.c (dav_fs_lockdb_cleanup): New cleanup
which unlocks and closes the dbm handle.
(dav_fs_really_open_lockdb): Lock the mutex here, register a
cleanup.
(dav_fs_open_lockdb): Adjust to use dav_fs_get_server_conf.
(dav_fs_close_lockdb): Run the cleanup here.
Joe Orton [Tue, 5 Dec 2023 15:26:22 +0000 (15:26 +0000)]
mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
the STORE API. Separates compile-time support for the STORE API
(supported in 3.x) from support for the ENGINE API (deprecated in
3.x).
* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
modssl_load_keypair_store): New functions.
(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
(modssl_load_engine_keypair): Reimplement to use new STORE-based
functions if SSLCryptoDevice was not configured, or else old
ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
message on error paths for the provider/STORE case.