use new upstream dh patch
Hanno Böck

Hanno Böck commited on 2013-10-01 12:53:21
Zeige 3 geänderte Dateien mit 1560 Einfügungen und 2 Löschungen.

... ...
@@ -1,10 +1,16 @@
1
+AUX 00_systemd.conf 88 SHA256 487e7451ce2d834d8af09a1db09bfe235fbc87b17b13a88bf849f0739b023ce3 SHA512 c510b77450f45d8ca5b8f00ebae5de9e3dc0ecb45f9857e391ac923dadb6b5193b13e9bc372790de20bb8829f2bee5bfc0e85ad03b3a72818c5dd6a0d7f45353 WHIRLPOOL 35ff7234f1ac513a522481ed08d2281dc331835cccd1049dbbadd9f2dff7fce1700a3ae9fd8f2f490f09d82edd960f4a0b4f00a91db2bafb7c647e3b54733cef
1 2
 AUX 2.2.22-envvars-std.in 1071 SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee SHA512 c18fd461f02ab79fc456a1ad99bf91c8891ecdabd90f41437ebf87e20b3d28d2006a10d6726164c2f0333e7aee350bd125838abaff3a188d8ab2f5f34d3e5466 WHIRLPOOL 59cbee68fc8012df01229b8d5e38045eb974bab3f08ebf5b01097dabb5275bb83e28cd09a058ce71949ca4a2439811cff457d4c7df88d7b3fc5318c6b7ef0075
2 3
 AUX apache-2.2.14-staticdhparameters.diff 11745 SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df SHA512 5c7fa11b29efd430ddc7144ed8d656c82d9609c9da720cd5d217626505b2257c074bea1ef0f4f2c50b123be58d82fbefac3240b71c3b8c3b9b087c30b090bcf9 WHIRLPOOL ced66883bd7fc4ec868a5d6091cdc765424541c183e53283749d73d4f4b53d0c9221950df816625de9bd115f610931e91b1fac819530294fcb12a0a39b7f6f2c
3 4
 AUX apache-2.2.23-tls-compression-option.diff 4211 SHA256 6ccc0003f486734e660292ac2640d99af830443c09a2d5c9d6aaf371b636d9bd SHA512 915044023b10afca9a67ca90fa4d1175d4d3ef7274308df74c78b0972fd7ec54e3fdb3f4b03ecbfc543b64153b232a140cc8e095b2f74abfcfa0cb86e21fb612 WHIRLPOOL 028be436ac78adcb631b109a23ab7f4b5c2349a95202f8ed33a111b9b2048675892b160ac737875ebe7a73937f8868d665d016a61bdbaec301eacbbad0d1cc05
4 5
 AUX apache-2.4.3-dhparam.diff 12684 SHA256 5185da7eecf04f26cc496a25fabe420db065e59dd088eca51b8c08f0238d12ad SHA512 c49e4c6e607cf5bf11e59c929791d806b15ff30d11e8473e633f2ef406e5d926a2ced1910672e5263f8ea45de6f30eb37048065c1d9fbd11fb7c52603e93bd4b WHIRLPOOL 41e2ac7c8c0734e3132639db7222e488b8ffd18a6c2f2e76b401fdc0b71fc528f3d80eb3d95710084b9fa88e29ce916df215c79b47d80c3ae25188f4cea79e9c
6
+AUX apache-2.4.6-modssl-dhparams.diff 48302 SHA256 529b747ab1858966011ed4ffab14bb8c1f015c98ecbdf72cd3a53c70a6a8f220 SHA512 9f8b0710c9b5134213415dc6dceaaad17536072250d403794b074fb690ad1168b9b408996a192017f988728b656d1cff2e18a66c5a9792580870970a6026a3f2 WHIRLPOOL 2252302acb1366c064a7f304282d480b7920989f2b0022ce8487a1da28b86164759f28fa57bd4d9ff0abf65550290e8feea4de4125bcd75cac35b7269d43a868
5 7
 AUX apache-noip.diff 417 SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc SHA512 fa684688e707f5fb511b228b8fa9b0f996dbf615f2f9b6478ab478e801f14c65a7381137cdbda648d68f7818891085c744da3a8249843e73bdf5ef247a90d3fe WHIRLPOOL d2636a34b0d48139adef125e76ef477d84bf7cd9785f094fe57c1d81b45e7392622d232bee5f53896d8b48eb9b3241cd48cbb585ea70d97a872c5cd3f6bfe420
6 8
 AUX apache-npn 9799 SHA256 6e41b59680832b074246dd24a41aec56f9bb35ab4f34674cd20e32f1289c21ab SHA512 60d9c6f750562f087b607edf7939195f31b7e0101b9c8d1c883e3b01da192d354fc291d45832757ab50c029f99ac4ad06fa9b7ce4e5928367d1f89278fa79fa3 WHIRLPOOL 162dba8354efeccbb100a86cb61e47c0a96be11a057cfffccc194abd31721b99f4ef3e5fc9b4a7e82a7495d1369af1be3f7b3d4339ec33af24858a0049474331
9
+AUX apache.conf 55 SHA256 ea616c5cc37979a006d69c51bda43fca15a4327d33175762652b29f5cdea1c7b SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3 WHIRLPOOL fa348414f320a9f70001386dfb77d57ca4836c3ef3d251976077b7ad545d7f6752e534efadbf28c7dcb777388e3d844eba84b939dcf48881983388daf6ac23f0
10
+AUX apache2.2.service 716 SHA256 e850ad73585fbba52ade58a39ca91adbfd52f56a0bbd426ebcadb340a7dcb62b SHA512 5f736c803772077598248bbb41f76dff396dfd2f11a60d1ba929a619275efb8c1b4c0dab78cbcdf83b9ec94db67b958b3333b01f67d71eb3b2e07dba4bca2a7c WHIRLPOOL 776a928422b8f37a12099111a1503674ca901934b60dca8596dc8bc287390be9a0e912d7ba6226dcb22eb7c669fa298ddc20fd7bf5c275b0cf019bae0d594839
11
+AUX apache2.4.service 728 SHA256 4420af10d1237f90ae519e56e75f1cc84e9f7c7b63aca9decf91a77f88ae0390 SHA512 6b43e5638d5da68a5408d45befd10a9e42197c1a393764e945ba22d47d0736e2b28bad36a96f4f4ad4ff928db6f2c1377bd22ce401056b2f21fb38933a3cd972 WHIRLPOOL 5526995c5f4772353fcccbd83ed93c8186cb47f80f5d1244dc454ca886189ac92539572c43978d2868b77002a2397ff4794b3c8f6c655fecb432b8013afaf38e
7 12
 AUX httpd-2.2.16-ecc.diff 8236 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461 SHA512 8b54c30f9edc76bd8969ee894038f267d722d1ab8c7332a84fe21704bde0451e1a27503252fa87bd0f749dac3281eb266cda36aa7faec1a36ee6e67a8f9ae6c7 WHIRLPOOL 2d8ad3cd12b27937dcafef31df8c9fa048fb4e1ed06109e745fbe12dc869ceaa21fa2e62aa9bcb729d7fb426c1ee0a82171b5038cac56f8b8ebbc3cd3569daa9
13
+AUX httpd-2.4.3-mod_systemd.patch 5396 SHA256 d8f5c76dd5eb0edc9759ea300d3b320ee96b6e6f9fabb8a4043f8d1b77b646a2 SHA512 0db785fac6034aa431e9d816bd06020a5b287dbdae794f8b94eb267805981a1d2a97fdb92bd13e32d35329e6db3f799a03e98456329f6a80c5863e72a26e5c59 WHIRLPOOL 4016b9626af1a8ca001518e8a45262ca4dd27a998727db988a8f1234aa7c5d56d439f4ecfdc6219510f57c97991884a7f57eaa83535988cb72e9fd8ffdee7b6e
8 14
 DIST gentoo-apache-2.2.22-20120213.tar.bz2 64507 SHA256 737730dabf1e1ccfe9d409067dc3c4d37d16f7fa1e792f5bf39268d904ce1c31 SHA512 f364bdbee967b3bc797d2053b9eb347af963f99275441093930d0057465e1a12567106f5c5ac21a45a4bbd4b353ce67553038d6146f469a7bf980a9148471170 WHIRLPOOL f5a3ab44fc14ddf67ccf0785006b1d9f5c49b915114f9d7e97858fba447a5ee872c741e73c17e121b61cc0aa678b42dc154616cd64054461c552d3a8c29f4f17
9 15
 DIST gentoo-apache-2.2.23-20121012.tar.bz2 64135 SHA256 711a88f26c58b10b082f7ff411366cd768f9450101da050438a2f77abeab7333 SHA512 92a49f954b82d4427862f41977625a60641731cc25ab3efdd666be8db839038e7b1c2ef2f878d5efed243eaa63237e88ee4993cd25cca1dfbb0f56a6b2093d57 WHIRLPOOL 221d9c0cf999430afc11a8e48ae67019c7f31daca827a5db7615aca24859788743e5da00e4c99b7b7b375e58fafd6c148339e5671be939dbc30735031e12c49f
10 16
 DIST gentoo-apache-2.4.3-20121012.tar.bz2 24541 SHA256 aeed23c716f05d7430a6d905fb75c192418c9ba90feb96fcc474138c4addfd69 SHA512 fe37c91328bf090aacd4012030845b2e4461a116b9b60d95108c4a4749729bef5ac526d4bd3570406f3d7afe41b0f634c2e9a167ee416a56f5f82f46eb27cc26 WHIRLPOOL 421efb4a7940b52cbc2e054c5ef2f79ff19c13a3140941ec659da3ff61a70491485c1c375db29b1fa6c4dc45761df1f0fc63bd3d867c8937d33f5b6c948bade0
... ...
@@ -26,4 +32,4 @@ EBUILD apache-2.2.25.ebuild 3297 SHA256 f2a97144d474359d89e67248fa1f7a58c22e1268
26 32
 EBUILD apache-2.4.3.ebuild 7203 SHA256 082ee4bc36fe78621a32ad8ae3f3117943b5572e1456618d1b547cf344c4d687 SHA512 56786dc2e5f835e1894760ad85bfba6ffd531b50e7e9f782240ac2deb7464a2aa222cd04495ab7bd81f0e30c91972f417857c9fd4ee53587ebc91ba6a542c41e WHIRLPOOL 4e8e22861a21d8defd9c8eb57fc5548ba38a911db640fc63b6a15fdcfcf86c8fbf50b09f78321ea784bf81340718242d5a7fa6c6ed1c4e0c31a4e79affc64d24
27 33
 EBUILD apache-2.4.4-r1.ebuild 7252 SHA256 64b4537ade811698d002a19da3b32dc54fc590c76cab613095f7086502b34dca SHA512 30f72175c5093f6fcee56892b79e3c72106c7f160a5dff3f7f29c0be376ed94271b35f536ec4d3d539f352a90c9d741b368eb8aaeada501da8a22f1f8cfa67dc WHIRLPOOL 0bd24504dcbab1e364209e622f93a5baf78976761f9e4de7a85686417e6077829f8ca1ab7a87724f3c03362249de3fada01c06e9f553ec8bd24cf1bead516a4b
28 34
 EBUILD apache-2.4.6-r1.ebuild 7476 SHA256 6d6b9331dce777b11cfef9bd8b5e9ac006e93728f549225ab6945cb81037a1a9 SHA512 c5ceb713601e2372bb36bdb705d9a7d7dd8c76ffa09339124b11b0054c180606243b21e2c1e95346a7ac0d0ab302ff88e238a8447b553abf08b8a42b390d9e42 WHIRLPOOL 974cf7113269dfb87c138635abd610aaddf92aa94d9dad508b1c11c3636715d9dcce969e0d7e13db1bf854b0f9c2100c428c351795987708659d3ad3ab9ca9b1
29
-EBUILD apache-2.4.6-r2.ebuild 7479 SHA256 f03c11e0c4faf54b368158249ab5591d92d9a215ced2f345940c65d462843fac SHA512 16a1f8dbb234feb054b05146f190dab26df1f6b325b0dc4fae429d4864087df915e8a2cffb38395aebe121ff2028c7b7edbb302ce19f2d0781a57e00a59bae03 WHIRLPOOL a386b5572216edffbf829fa51ed65d3896204d0a6562b06bb89d33ffda74c5bc5eb9201ad449a3567f47232f1a5881fb9b84a233cb72ba888f7ceb28042fdd2c
35
+EBUILD apache-2.4.6-r2.ebuild 7487 SHA256 6d15eef1bc7ca1b70be5f61e2dfed5f8ae9feb5c3b42142c06ffc1c3a132c2cb SHA512 84d0cb9cf92a09775116702b65fc87cae08cdf0316602f9e1f05278414a9e3a9ebbbd05e4a6c2e61d7100dfb25db9b5535d3e6cc51f7294889ba370166c58be7 WHIRLPOOL 68b4c5223776d6e08c1da9e4caa93245fcf0a6f83327d6a719c0f202eb14b4a339e7105f872ca062e5f4f1f6fced87e6ddab6fc3c3f412fa6117d545e27a3dc2
... ...
@@ -136,7 +136,7 @@ RDEPEND="${RDEPEND}
136 136
 
137 137
 # init script fixup - should be rolled into next tarball #389965
138 138
 src_prepare() {
139
-	epatch "${FILESDIR}/apache-2.4.3-dhparam.diff"
139
+	epatch "${FILESDIR}/apache-2.4.6-modssl-dhparams.diff"
140 140
 
141 141
 	# the following patch can be removed once it is included in
142 142
 	# GENTOO_PATCHNAME="gentoo-apache-2.4.1" ...
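Review bot: The `epatch` change in `src_prepare()` alters what gets built, yet the Manifest section of this commit shows `apache-2.4.6-r2.ebuild` keeping its file name with only a new size and checksum, so the ebuild (presumably the one patched here) seems to be edited in place; machines that already merged -r2 will not be rebuilt and will keep running the code built with `apache-2.4.3-dhparam.diff`. Shipping this as a new revision would make the TLS change actually reach installed hosts. The new patch also does more than its file name says: besides the DH parameter rework it prepends `!aNULL:!eNULL:!EXP:` to the configured cipher strings and drops the temporary RSA key callbacks, so a comment above the line would help, e.g. `# upstream mod_ssl DH parameter backport; also forces !aNULL:!eNULL:!EXP onto the cipher suites`. `src_prepare()` continues past the end of this hunk.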
... ...
@@ -0,0 +1,1552 @@
1
+diff -Naur httpd-2.4.6-orig/LAYOUT httpd-2.4.6/LAYOUT
2
+--- httpd-2.4.6-orig/LAYOUT	2013-10-01 12:20:45.706812951 +0200
3
++++ httpd-2.4.6/LAYOUT	2013-10-01 12:20:50.988746918 +0200
4
+@@ -108,7 +108,6 @@
5
+     mod_ssl.c ............... main source file containing API structures
6
+     mod_ssl.h ............... common header file of mod_ssl
7
+     ssl_engine_config.c ..... module configuration handling
8
+-    ssl_engine_dh.c ......... DSA/DH support
9
+     ssl_engine_init.c ....... module initialization
10
+     ssl_engine_io.c ......... I/O support
11
+     ssl_engine_kernel.c ..... SSL engine kernel
12
+diff -Naur httpd-2.4.6-orig/modules/ssl/config.m4 httpd-2.4.6/modules/ssl/config.m4
13
+--- httpd-2.4.6-orig/modules/ssl/config.m4	2013-10-01 12:20:45.774812101 +0200
14
++++ httpd-2.4.6/modules/ssl/config.m4	2013-10-01 12:20:50.989746905 +0200
15
+@@ -20,7 +20,6 @@
16
+ ssl_objs="dnl
17
+ mod_ssl.lo dnl
18
+ ssl_engine_config.lo dnl
19
+-ssl_engine_dh.lo dnl
20
+ ssl_engine_init.lo dnl
21
+ ssl_engine_io.lo dnl
22
+ ssl_engine_kernel.lo dnl
23
+diff -Naur httpd-2.4.6-orig/modules/ssl/mod_ssl.c httpd-2.4.6/modules/ssl/mod_ssl.c
24
+--- httpd-2.4.6-orig/modules/ssl/mod_ssl.c	2013-10-01 12:20:45.775812088 +0200
25
++++ httpd-2.4.6/modules/ssl/mod_ssl.c	2013-10-01 12:20:50.989746905 +0200
26
+@@ -148,7 +148,7 @@
27
+     SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
28
+                 "Strict SNI virtual host checking")
29
+ 
30
+-#ifndef OPENSSL_NO_SRP
31
++#ifdef HAVE_SRP
32
+     SSL_CMD_SRV(SRPVerifierFile, TAKE1,
33
+                 "SRP verifier file "
34
+                 "('/path/to/file' - created by srptool)")
35
+@@ -471,15 +471,6 @@
36
+ 
37
+     sslconn->ssl = ssl;
38
+ 
39
+-    /*
40
+-     *  Configure callbacks for SSL connection
41
+-     */
42
+-    SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
43
+-    SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
44
+-#ifndef OPENSSL_NO_EC
45
+-    SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
46
+-#endif
47
+-
48
+     SSL_set_verify_result(ssl, X509_V_OK);
49
+ 
50
+     ssl_io_filter_init(c, r, ssl);
51
+diff -Naur httpd-2.4.6-orig/modules/ssl/mod_ssl.dsp httpd-2.4.6/modules/ssl/mod_ssl.dsp
52
+--- httpd-2.4.6-orig/modules/ssl/mod_ssl.dsp	2013-10-01 12:20:45.775812088 +0200
53
++++ httpd-2.4.6/modules/ssl/mod_ssl.dsp	2013-10-01 12:20:50.989746905 +0200
54
+@@ -112,10 +112,6 @@
55
+ # End Source File
56
+ # Begin Source File
57
+ 
58
+-SOURCE=.\ssl_engine_dh.c
59
+-# End Source File
60
+-# Begin Source File
61
+-
62
+ SOURCE=.\ssl_engine_init.c
63
+ # End Source File
64
+ # Begin Source File
65
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_config.c httpd-2.4.6/modules/ssl/ssl_engine_config.c
66
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_config.c	2013-10-01 12:20:45.776812076 +0200
67
++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c	2013-10-01 12:20:50.989746905 +0200
68
+@@ -75,8 +75,6 @@
69
+     mc->stapling_mutex         = NULL;
70
+ #endif
71
+ 
72
+-    memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
73
+-
74
+     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
75
+                           apr_pool_cleanup_null,
76
+                           pool);
77
+@@ -150,7 +148,7 @@
78
+     mctx->stapling_force_url         = NULL;
79
+ #endif
80
+ 
81
+-#ifndef OPENSSL_NO_SRP
82
++#ifdef HAVE_SRP
83
+     mctx->srp_vfile =             NULL;
84
+     mctx->srp_unknown_user_seed = NULL;
85
+     mctx->srp_vbase =             NULL;
86
+@@ -208,7 +206,7 @@
87
+     sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
88
+     sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;
89
+     sc->proxy_ssl_check_peer_name   = SSL_ENABLED_UNSET;
90
+-#ifndef OPENSSL_NO_TLSEXT
91
++#ifdef HAVE_TLSEXT
92
+     sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
93
+ #endif
94
+ #ifdef HAVE_FIPS
95
+@@ -282,7 +280,7 @@
96
+     cfgMerge(stapling_force_url, NULL);
97
+ #endif
98
+ 
99
+-#ifndef OPENSSL_NO_SRP
100
++#ifdef HAVE_SRP
101
+     cfgMergeString(srp_vfile);
102
+     cfgMergeString(srp_unknown_user_seed);
103
+ #endif
104
+@@ -338,7 +336,7 @@
105
+     cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
106
+     cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
107
+     cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET);
108
+-#ifndef OPENSSL_NO_TLSEXT
109
++#ifdef HAVE_TLSEXT
110
+     cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
111
+ #endif
112
+ #ifdef HAVE_FIPS
113
+@@ -645,6 +643,9 @@
114
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
115
+     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
116
+ 
117
++    /* always disable null and export ciphers */
118
++    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
119
++
120
+     if (cmd->path) {
121
+         dc->szCipherSuite = arg;
122
+     }
123
+@@ -1384,6 +1385,9 @@
124
+ {
125
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
126
+ 
127
++    /* always disable null and export ciphers */
128
++    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
129
++
130
+     sc->proxy->auth.cipher_suite = arg;
131
+ 
132
+     return NULL;
133
+@@ -1645,7 +1649,7 @@
134
+ 
135
+ const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
136
+ {
137
+-#ifndef OPENSSL_NO_TLSEXT
138
++#ifdef HAVE_TLSEXT
139
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
140
+ 
141
+     sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
142
+@@ -1804,7 +1808,7 @@
143
+ 
144
+ #endif /* HAVE_OCSP_STAPLING */
145
+ 
146
+-#ifndef OPENSSL_NO_SRP
147
++#ifdef HAVE_SRP
148
+ 
149
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
150
+                                        const char *arg)
151
+@@ -1828,7 +1832,7 @@
152
+     return NULL;
153
+ }
154
+ 
155
+-#endif /* OPENSSL_NO_SRP */
156
++#endif /* HAVE_SRP */
157
+ 
158
+ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
159
+ {
160
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_dh.c httpd-2.4.6/modules/ssl/ssl_engine_dh.c
161
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_dh.c	2013-10-01 12:20:45.777812063 +0200
162
++++ httpd-2.4.6/modules/ssl/ssl_engine_dh.c	2013-10-01 12:20:50.990746893 +0200
163
+@@ -1,244 +0,0 @@
164
+-#if 0
165
+-=pod
166
+-#endif
167
+-
168
+-/* Licensed to the Apache Software Foundation (ASF) under one or more
169
+- * contributor license agreements.  See the NOTICE file distributed with
170
+- * this work for additional information regarding copyright ownership.
171
+- * The ASF licenses this file to You under the Apache License, Version 2.0
172
+- * (the "License"); you may not use this file except in compliance with
173
+- * the License.  You may obtain a copy of the License at
174
+- *
175
+- *     http://www.apache.org/licenses/LICENSE-2.0
176
+- *
177
+- * Unless required by applicable law or agreed to in writing, software
178
+- * distributed under the License is distributed on an "AS IS" BASIS,
179
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
180
+- * See the License for the specific language governing permissions and
181
+- * limitations under the License.
182
+- */
183
+-
184
+-/*                      _             _
185
+- *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
186
+- * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
187
+- * | | | | | | (_) | (_| |   \__ \__ \ |
188
+- * |_| |_| |_|\___/ \__,_|___|___/___/_|
189
+- *                      |_____|
190
+- * ssl_engine_dh.c
191
+- * Diffie-Hellman Built-in Temporary Parameters
192
+- */
193
+-
194
+-#include "ssl_private.h"
195
+-
196
+-/* ----BEGIN GENERATED SECTION-------- */
197
+-
198
+-/*
199
+-** Diffie-Hellman-Parameters: (512 bit)
200
+-**     prime:
201
+-**         00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba:
202
+-**         2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1:
203
+-**         6e:37:41:71:fd:19:d8:d8:f3:7c:39:bf:86:3f:d6:
204
+-**         0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70:
205
+-**         e6:aa:87:10:33
206
+-**     generator: 2 (0x2)
207
+-** Diffie-Hellman-Parameters: (1024 bit)
208
+-**     prime:
209
+-**         00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd:
210
+-**         0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98:
211
+-**         bc:e9:51:84:9f:91:2e:63:9c:72:fb:13:b4:b4:d7:
212
+-**         17:7e:16:d5:5a:c1:79:ba:42:0b:2a:29:fe:32:4a:
213
+-**         46:7a:63:5e:81:ff:59:01:37:7b:ed:dc:fd:33:16:
214
+-**         8a:46:1a:ad:3b:72:da:e8:86:00:78:04:5b:07:a7:
215
+-**         db:ca:78:74:08:7d:15:10:ea:9f:cc:9d:dd:33:05:
216
+-**         07:dd:62:db:88:ae:aa:74:7d:e0:f4:d6:e2:bd:68:
217
+-**         b0:e7:39:3e:0f:24:21:8e:b3
218
+-**     generator: 2 (0x2)
219
+-*/
220
+-
221
+-static unsigned char dh512_p[] = {
222
+-    0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37,
223
+-    0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18,
224
+-    0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8,
225
+-    0xD8, 0xF3, 0x7C, 0x39, 0xBF, 0x86, 0x3F, 0xD6, 0x0E, 0x3E, 0x30, 0x06,
226
+-    0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6,
227
+-    0xAA, 0x87, 0x10, 0x33,
228
+-};
229
+-static unsigned char dh512_g[] = {
230
+-    0x02,
231
+-};
232
+-
233
+-static DH *get_dh512(void)
234
+-{
235
+-    DH *dh;
236
+-
237
+-    if (!(dh = DH_new())) {
238
+-        return NULL;
239
+-    }
240
+-
241
+-    dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
242
+-    dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
243
+-    if (!(dh->p && dh->g)) {
244
+-        DH_free(dh);
245
+-        return NULL;
246
+-    }
247
+-
248
+-    return dh;
249
+-}
250
+-
251
+-static unsigned char dh1024_p[] = {
252
+-    0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3,
253
+-    0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B,
254
+-    0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E,
255
+-    0x63, 0x9C, 0x72, 0xFB, 0x13, 0xB4, 0xB4, 0xD7, 0x17, 0x7E, 0x16, 0xD5,
256
+-    0x5A, 0xC1, 0x79, 0xBA, 0x42, 0x0B, 0x2A, 0x29, 0xFE, 0x32, 0x4A, 0x46,
257
+-    0x7A, 0x63, 0x5E, 0x81, 0xFF, 0x59, 0x01, 0x37, 0x7B, 0xED, 0xDC, 0xFD,
258
+-    0x33, 0x16, 0x8A, 0x46, 0x1A, 0xAD, 0x3B, 0x72, 0xDA, 0xE8, 0x86, 0x00,
259
+-    0x78, 0x04, 0x5B, 0x07, 0xA7, 0xDB, 0xCA, 0x78, 0x74, 0x08, 0x7D, 0x15,
260
+-    0x10, 0xEA, 0x9F, 0xCC, 0x9D, 0xDD, 0x33, 0x05, 0x07, 0xDD, 0x62, 0xDB,
261
+-    0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0,
262
+-    0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3,
263
+-};
264
+-static unsigned char dh1024_g[] = {
265
+-    0x02,
266
+-};
267
+-
268
+-static DH *get_dh1024(void)
269
+-{
270
+-    DH *dh;
271
+-
272
+-    if (!(dh = DH_new())) {
273
+-        return NULL;
274
+-    }
275
+-
276
+-    dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
277
+-    dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
278
+-    if (!(dh->p && dh->g)) {
279
+-        DH_free(dh);
280
+-        return NULL;
281
+-    }
282
+-
283
+-    return dh;
284
+-}
285
+-
286
+-/* ----END GENERATED SECTION---------- */
287
+-
288
+-DH *ssl_dh_GetTmpParam(int nKeyLen)
289
+-{
290
+-    DH *dh;
291
+-
292
+-    if (nKeyLen == 512)
293
+-        dh = get_dh512();
294
+-    else if (nKeyLen == 1024)
295
+-        dh = get_dh1024();
296
+-    else
297
+-        dh = get_dh1024();
298
+-    return dh;
299
+-}
300
+-
301
+-DH *ssl_dh_GetParamFromFile(char *file)
302
+-{
303
+-    DH *dh = NULL;
304
+-    BIO *bio;
305
+-
306
+-    if ((bio = BIO_new_file(file, "r")) == NULL)
307
+-        return NULL;
308
+-    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
309
+-    BIO_free(bio);
310
+-    return (dh);
311
+-}
312
+-
313
+-/*
314
+-=cut
315
+-##
316
+-##  Embedded Perl script for generating the temporary DH parameters
317
+-##
318
+-
319
+-require 5.003;
320
+-use strict;
321
+-
322
+-#   configuration
323
+-my $file  = $0;
324
+-my $begin = '----BEGIN GENERATED SECTION--------';
325
+-my $end   = '----END GENERATED SECTION----------';
326
+-
327
+-#   read ourself and keep a backup
328
+-open(FP, "<$file") || die;
329
+-my $source = '';
330
+-$source .= $_ while (<FP>);
331
+-close(FP);
332
+-open(FP, ">$file.bak") || die;
333
+-print FP $source;
334
+-close(FP);
335
+-
336
+-#   generate the DH parameters
337
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
338
+-my $rand = '';
339
+-foreach $file (qw(/var/log/messages /var/adm/messages
340
+-                  /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
341
+-    if (-f $file) {
342
+-        $rand = $file     if ($rand eq '');
343
+-        $rand .= ":$file" if ($rand ne '');
344
+-    }
345
+-}
346
+-$rand = "-rand $rand" if ($rand ne '');
347
+-system("openssl gendh $rand -out dh512.pem 512");
348
+-system("openssl gendh $rand -out dh1024.pem 1024");
349
+-
350
+-#   generate DH param info
351
+-my $dhinfo = '';
352
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
353
+-$dhinfo .= $_ while (<FP>);
354
+-close(FP);
355
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
356
+-$dhinfo .= $_ while (<FP>);
357
+-close(FP);
358
+-$dhinfo =~ s|^|** |mg;
359
+-$dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
360
+-
361
+-my $indent_args = "-i4 -npsl -di0 -br -nce -d0 -cli0 -npcs -nfc1";
362
+-
363
+-#   generate C source from DH params
364
+-my $dhsource = '';
365
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent $indent_args | expand |") || die;
366
+-$dhsource .= $_ while (<FP>);
367
+-close(FP);
368
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent $indent_args | expand |") || die;
369
+-$dhsource .= $_ while (<FP>);
370
+-close(FP);
371
+-$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
372
+-{
373
+-    DH *dh;
374
+-
375
+-    if (!(dh = DH_new())) {
376
+-        return NULL;
377
+-    }
378
+-
379
+-    dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
380
+-    dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
381
+-    if (!(dh->p && dh->g)) {
382
+-        DH_free(dh);
383
+-        return NULL;
384
+-    }
385
+-
386
+-    return dh;
387
+-}
388
+-|sg;
389
+-
390
+-#   generate output
391
+-my $o = $dhinfo . $dhsource;
392
+-
393
+-#   insert the generated code at the target location
394
+-$source =~ s|(\/\* $begin.+?\n).*\n(.*?\/\* $end)|$1$o$2|s;
395
+-
396
+-#   and update the source on disk
397
+-print "Updating file `$file'\n";
398
+-open(FP, ">$file") || die;
399
+-print FP $source;
400
+-close(FP);
401
+-
402
+-#   cleanup
403
+-unlink("dh512.pem");
404
+-unlink("dh1024.pem");
405
+-
406
+-=pod
407
+-*/
408
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_init.c httpd-2.4.6/modules/ssl/ssl_engine_init.c
409
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_init.c	2013-10-01 12:20:45.777812063 +0200
410
++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c	2013-10-01 12:20:50.990746893 +0200
411
+@@ -35,7 +35,7 @@
412
+ **  _________________________________________________________________
413
+ */
414
+ 
415
+-#ifndef OPENSSL_NO_EC
416
++#ifdef HAVE_ECC
417
+ #define KEYTYPES "RSA, DSA or ECC"
418
+ #else 
419
+ #define KEYTYPES "RSA or DSA"
420
+@@ -56,180 +56,6 @@
421
+                  modver, AP_SERVER_BASEVERSION, incver);
422
+ }
423
+ 
424
+-
425
+-/*
426
+- * Handle the Temporary RSA Keys and DH Params
427
+- */
428
+-
429
+-#define MODSSL_TMP_KEY_FREE(mc, type, idx) \
430
+-    if (mc->pTmpKeys[idx]) { \
431
+-        type##_free((type *)mc->pTmpKeys[idx]); \
432
+-        mc->pTmpKeys[idx] = NULL; \
433
+-    }
434
+-
435
+-#define MODSSL_TMP_KEYS_FREE(mc, type) \
436
+-    MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \
437
+-    MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024)
438
+-
439
+-static void ssl_tmp_keys_free(server_rec *s)
440
+-{
441
+-    SSLModConfigRec *mc = myModConfig(s);
442
+-
443
+-    MODSSL_TMP_KEYS_FREE(mc, RSA);
444
+-    MODSSL_TMP_KEYS_FREE(mc, DH);
445
+-#ifndef OPENSSL_NO_EC
446
+-    MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256);
447
+-#endif
448
+-}
449
+-
450
+-static int ssl_tmp_key_init_rsa(server_rec *s,
451
+-                                int bits, int idx)
452
+-{
453
+-    SSLModConfigRec *mc = myModConfig(s);
454
+-
455
+-#ifdef HAVE_FIPS
456
+-
457
+-    if (FIPS_mode() && bits < 1024) {
458
+-        mc->pTmpKeys[idx] = NULL;
459
+-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877)
460
+-                     "Init: Skipping generating temporary "
461
+-                     "%d bit RSA private key in FIPS mode", bits);
462
+-        return OK;
463
+-    }
464
+-
465
+-#endif
466
+-#ifdef HAVE_GENERATE_EX
467
+-    {
468
+-        RSA *tkey;
469
+-        BIGNUM *bn_f4;
470
+-        if (!(tkey = RSA_new())
471
+-          || !(bn_f4 = BN_new())
472
+-          || !BN_set_word(bn_f4, RSA_F4)
473
+-          || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL))
474
+-        {
475
+-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878)
476
+-                         "Init: Failed to generate temporary "
477
+-                         "%d bit RSA private key", bits);
478
+-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
479
+-            return !OK;
480
+-        }
481
+-        BN_free(bn_f4);
482
+-        mc->pTmpKeys[idx] = tkey;
483
+-    }
484
+-#else
485
+-    if (!(mc->pTmpKeys[idx] =
486
+-          RSA_generate_key(bits, RSA_F4, NULL, NULL)))
487
+-    {
488
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879)
489
+-                     "Init: Failed to generate temporary "
490
+-                     "%d bit RSA private key", bits);
491
+-        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
492
+-        return !OK;
493
+-    }
494
+-#endif
495
+-
496
+-    return OK;
497
+-}
498
+-
499
+-static int ssl_tmp_key_init_dh(server_rec *s,
500
+-                               int bits, int idx)
501
+-{
502
+-    SSLModConfigRec *mc = myModConfig(s);
503
+-
504
+-#ifdef HAVE_FIPS
505
+-
506
+-    if (FIPS_mode() && bits < 1024) {
507
+-        mc->pTmpKeys[idx] = NULL;
508
+-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880)
509
+-                     "Init: Skipping generating temporary "
510
+-                     "%d bit DH parameters in FIPS mode", bits);
511
+-        return OK;
512
+-    }
513
+-
514
+-#endif
515
+-
516
+-    if (!(mc->pTmpKeys[idx] =
517
+-          ssl_dh_GetTmpParam(bits)))
518
+-    {
519
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881)
520
+-                     "Init: Failed to generate temporary "
521
+-                     "%d bit DH parameters", bits);
522
+-        return !OK;
523
+-    }
524
+-
525
+-    return OK;
526
+-}
527
+-
528
+-#ifndef OPENSSL_NO_EC
529
+-static int ssl_tmp_key_init_ec(server_rec *s,
530
+-                               int bits, int idx)
531
+-{
532
+-    SSLModConfigRec *mc = myModConfig(s);
533
+-    EC_KEY *ecdh = NULL;
534
+-
535
+-    /* XXX: Are there any FIPS constraints we should enforce? */
536
+-
537
+-    if (bits != 256) {
538
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298)
539
+-                     "Init: Failed to generate temporary "
540
+-                     "%d bit EC parameters, only 256 bits supported", bits);
541
+-        return !OK;
542
+-    }
543
+-
544
+-    if ((ecdh = EC_KEY_new()) == NULL ||
545
+-        EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
546
+-    {
547
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299)
548
+-                     "Init: Failed to generate temporary "
549
+-                     "%d bit EC parameters", bits);
550
+-        return !OK;
551
+-    }
552
+-
553
+-    mc->pTmpKeys[idx] = ecdh;
554
+-    return OK;
555
+-}
556
+-
557
+-#define MODSSL_TMP_KEY_INIT_EC(s, bits) \
558
+-    ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
559
+-
560
+-#endif
561
+-
562
+-#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
563
+-    ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits)
564
+-
565
+-#define MODSSL_TMP_KEY_INIT_DH(s, bits) \
566
+-    ssl_tmp_key_init_dh(s, bits, SSL_TMP_KEY_DH_##bits)
567
+-
568
+-static int ssl_tmp_keys_init(server_rec *s)
569
+-{
570
+-    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
571
+-                 "Init: Generating temporary RSA private keys (512/1024 bits)");
572
+-
573
+-    if (MODSSL_TMP_KEY_INIT_RSA(s, 512) ||
574
+-        MODSSL_TMP_KEY_INIT_RSA(s, 1024)) {
575
+-        return !OK;
576
+-    }
577
+-
578
+-    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
579
+-                 "Init: Generating temporary DH parameters (512/1024 bits)");
580
+-
581
+-    if (MODSSL_TMP_KEY_INIT_DH(s, 512) ||
582
+-        MODSSL_TMP_KEY_INIT_DH(s, 1024)) {
583
+-        return !OK;
584
+-    }
585
+-
586
+-#ifndef OPENSSL_NO_EC
587
+-    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
588
+-                 "Init: Generating temporary EC parameters (256 bits)");
589
+-
590
+-    if (MODSSL_TMP_KEY_INIT_EC(s, 256)) {
591
+-        return !OK;
592
+-    }
593
+-#endif
594
+-
595
+-    return OK;
596
+-}
597
+-
598
+ /*
599
+  *  Per-module initialization
600
+  */
601
+@@ -367,10 +193,6 @@
602
+      */
603
+     ssl_pphrase_Handle(base_server, ptemp);
604
+ 
605
+-    if (ssl_tmp_keys_init(base_server)) {
606
+-        return !OK;
607
+-    }
608
+-
609
+     /*
610
+      * initialize the mutex handling
611
+      */
612
+@@ -481,7 +303,7 @@
613
+      */
614
+     if (mctx->pks->certs[SSL_AIDX_RSA] ||
615
+         mctx->pks->certs[SSL_AIDX_DSA]
616
+-#ifndef OPENSSL_NO_EC
617
++#ifdef HAVE_ECC
618
+       || mctx->pks->certs[SSL_AIDX_ECC]
619
+ #endif
620
+         )
621
+@@ -493,7 +315,7 @@
622
+     }
623
+ }
624
+ 
625
+-#ifndef OPENSSL_NO_TLSEXT
626
++#ifdef HAVE_TLSEXT
627
+ static void ssl_init_ctx_tls_extensions(server_rec *s,
628
+                                         apr_pool_t *p,
629
+                                         apr_pool_t *ptemp,
630
+@@ -527,7 +349,7 @@
631
+     }
632
+ #endif
633
+ 
634
+-#ifndef OPENSSL_NO_SRP
635
++#ifdef HAVE_SRP
636
+     /*
637
+      * TLS-SRP support
638
+      */
639
+@@ -660,7 +482,7 @@
640
+ #ifdef SSL_OP_NO_COMPRESSION
641
+         /* OpenSSL >= 1.0 only */
642
+         SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
643
+-#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
644
++#else
645
+         sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
646
+ #endif
647
+     }
648
+@@ -678,6 +500,9 @@
649
+      * Configure additional context ingredients
650
+      */
651
+     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
652
++#ifdef HAVE_ECC
653
++    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
654
++#endif
655
+ 
656
+ #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
657
+     /*
658
+@@ -718,11 +543,7 @@
659
+ {
660
+     SSL_CTX *ctx = mctx->ssl_ctx;
661
+ 
662
+-    SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
663
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
664
+-#ifndef OPENSSL_NO_EC
665
+-    SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
666
+-#endif
667
+ 
668
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
669
+ }
670
+@@ -818,14 +639,16 @@
671
+                                       modssl_ctx_t *mctx)
672
+ {
673
+     SSL_CTX *ctx = mctx->ssl_ctx;
674
+-    const char *suite = mctx->auth.cipher_suite;
675
++    const char *suite;
676
+ 
677
+     /*
678
+-     *  Configure SSL Cipher Suite
679
++     *  Configure SSL Cipher Suite. Always disable NULL and export ciphers,
680
++     *  see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
681
++     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
682
++     *  so only prepend !EXP in this case.
683
+      */
684
+-    if (!suite) {
685
+-        return;
686
+-    }
687
++    suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
688
++            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
689
+ 
690
+     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
691
+                  "Configuring permitted SSL ciphers [%s]",
692
+@@ -988,7 +811,7 @@
693
+     if (mctx->pks) {
694
+         /* XXX: proxy support? */
695
+         ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
696
+-#ifndef OPENSSL_NO_TLSEXT
697
++#ifdef HAVE_TLSEXT
698
+         ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
699
+ #endif
700
+     }
701
+@@ -1001,7 +824,7 @@
702
+ {
703
+     SSLModConfigRec *mc = myModConfig(s);
704
+     ssl_asn1_t *asn1;
705
+-    MODSSL_D2I_X509_CONST unsigned char *ptr;
706
++    const unsigned char *ptr;
707
+     const char *type = ssl_asn1_keystr(idx);
708
+     X509 *cert;
709
+ 
710
+@@ -1048,12 +871,12 @@
711
+ {
712
+     SSLModConfigRec *mc = myModConfig(s);
713
+     ssl_asn1_t *asn1;
714
+-    MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
715
++    const unsigned char *ptr;
716
+     const char *type = ssl_asn1_keystr(idx);
717
+     int pkey_type;
718
+     EVP_PKEY *pkey;
719
+ 
720
+-#ifndef OPENSSL_NO_EC
721
++#ifdef HAVE_ECC
722
+     if (idx == SSL_AIDX_ECC)
723
+       pkey_type = EVP_PKEY_EC;
724
+     else
725
+@@ -1157,30 +980,34 @@
726
+                                   modssl_ctx_t *mctx)
727
+ {
728
+     const char *rsa_id, *dsa_id;
729
+-#ifndef OPENSSL_NO_EC
730
++#ifdef HAVE_ECC
731
+     const char *ecc_id;
732
++    EC_GROUP *ecparams;
733
++    int nid;
734
++    EC_KEY *eckey;
735
+ #endif
736
+     const char *vhost_id = mctx->sc->vhost_id;
737
+     int i;
738
+     int have_rsa, have_dsa;
739
+-#ifndef OPENSSL_NO_EC
740
++    DH *dhparams;
741
++#ifdef HAVE_ECC
742
+     int have_ecc;
743
+ #endif
744
+ 
745
+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
746
+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
747
+-#ifndef OPENSSL_NO_EC
748
++#ifdef HAVE_ECC
749
+     ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
750
+ #endif
751
+ 
752
+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
753
+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
754
+-#ifndef OPENSSL_NO_EC
755
++#ifdef HAVE_ECC
756
+     have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
757
+ #endif
758
+ 
759
+     if (!(have_rsa || have_dsa
760
+-#ifndef OPENSSL_NO_EC
761
++#ifdef HAVE_ECC
762
+         || have_ecc
763
+ #endif
764
+ )) {
765
+@@ -1196,12 +1023,12 @@
766
+ 
767
+     have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
768
+     have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
769
+-#ifndef OPENSSL_NO_EC
770
++#ifdef HAVE_ECC
771
+     have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
772
+ #endif
773
+ 
774
+     if (!(have_rsa || have_dsa
775
+-#ifndef OPENSSL_NO_EC
776
++#ifdef HAVE_ECC
777
+         || have_ecc
778
+ #endif
779
+           )) {
780
+@@ -1209,6 +1036,40 @@
781
+                 "Oops, no " KEYTYPES " server private key found?!");
782
+         ssl_die(s);
783
+     }
784
++
785
++    /*
786
++     * Try to read DH parameters from the (first) SSLCertificateFile
787
++     */
788
++    if ((mctx->pks->cert_files[0] != NULL) &&
789
++        (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) {
790
++        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
791
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
792
++                     "Custom DH parameters (%d bits) for %s loaded from %s",
793
++                     BN_num_bits(dhparams->p), vhost_id,
794
++                     mctx->pks->cert_files[0]);
795
++    }
796
++
797
++#ifdef HAVE_ECC
798
++    /*
799
++     * Similarly, try to read the ECDH curve name from SSLCertificateFile...
800
++     */
801
++    if ((mctx->pks->cert_files[0] != NULL) &&
802
++        (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) &&
803
++        (nid = EC_GROUP_get_curve_name(ecparams)) &&
804
++        (eckey = EC_KEY_new_by_curve_name(nid))) {
805
++        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
806
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
807
++                     "ECDH curve %s for %s specified in %s",
808
++                     OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]);
809
++    }
810
++    /*
811
++     * ...otherwise, configure NIST P-256 (required to enable ECDHE)
812
++     */
813
++    else {
814
++        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
815
++                             EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
816
++    }
817
++#endif
818
+ }
819
+ 
820
+ #ifdef HAVE_TLS_SESSION_TICKETS
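Review bot: The DH and ECDH objects created in this block are never released: `dhparams`, `ecparams` and `eckey` stay allocated after `SSL_CTX_set_tmp_dh()` / `SSL_CTX_set_tmp_ecdh()`, and the P-256 fallback passes an unchecked `EC_KEY_new_by_curve_name()` result straight into the call. As far as I know both setters store their own copy, so each virtual host leaks these objects on every configuration pass, and `ecparams` is also lost when `ssl_ec_GetParamFromFile()` succeeds but a later step in the condition fails. Freeing them after use and checking the fallback allocation fixes both, as sketched below. Custom DH parameters are also accepted at any size and reported only at DEBUG level, so a minimum-size check with a warning would be worth adding. The enclosing function starts outside this hunk.

```c
    if ((mctx->pks->cert_files[0] != NULL) &&
        (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) {
        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
        /* ... unchanged: APLOGNO(02540) debug log (reads dhparams->p) ... */
        DH_free(dhparams);
    }

#ifdef HAVE_ECC
    ecparams = NULL;
    eckey = NULL;
    if ((mctx->pks->cert_files[0] != NULL) &&
        (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) &&
        (nid = EC_GROUP_get_curve_name(ecparams)) &&
        (eckey = EC_KEY_new_by_curve_name(nid))) {
        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
        /* ... unchanged: APLOGNO(02541) debug log ... */
    }
    else if ((eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1))) {
        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
    }
    /* both free functions accept NULL */
    EC_KEY_free(eckey);
    EC_GROUP_free(ecparams);
#endif
```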
821
+@@ -1516,7 +1377,7 @@
822
+         klen = strlen(key);
823
+ 
824
+         if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
825
+-#ifdef OPENSSL_NO_TLSEXT
826
++#ifndef HAVE_TLSEXT
827
+             int level = APLOG_WARNING;
828
+             const char *problem = "conflict";
829
+ #else
830
+@@ -1540,7 +1401,7 @@
831
+     }
832
+ 
833
+     if (conflict) {
834
+-#ifdef OPENSSL_NO_TLSEXT
835
++#ifndef HAVE_TLSEXT
836
+         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
837
+                      "Init: You should not use name-based "
838
+                      "virtual hosts in conjunction with SSL!!");
839
+@@ -1689,7 +1550,7 @@
840
+ {
841
+     MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
842
+ 
843
+-#ifndef OPENSSL_NO_SRP
844
++#ifdef HAVE_SRP
845
+     if (mctx->srp_vbase != NULL) {
846
+         SRP_VBASE_free(mctx->srp_vbase);
847
+         mctx->srp_vbase = NULL;
848
+@@ -1745,11 +1606,6 @@
849
+     ssl_scache_kill(base_server);
850
+ 
851
+     /*
852
+-     * Destroy the temporary keys and params
853
+-     */
854
+-    ssl_tmp_keys_free(base_server);
855
+-
856
+-    /*
857
+      * Free the non-pool allocated structures
858
+      * in the per-server configurations
859
+      */
860
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_io.c httpd-2.4.6/modules/ssl/ssl_engine_io.c
861
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_io.c	2013-10-01 12:20:45.775812088 +0200
862
++++ httpd-2.4.6/modules/ssl/ssl_engine_io.c	2013-10-01 12:20:50.991746880 +0200
863
+@@ -1048,7 +1048,7 @@
864
+ 
865
+     server = sslconn->server;
866
+     if (sslconn->is_proxy) {
867
+-#ifndef OPENSSL_NO_TLSEXT
868
++#ifdef HAVE_TLSEXT
869
+         apr_ipsubnet_t *ip;
870
+ #endif
871
+         const char *hostname_note = apr_table_get(c->notes,
872
+@@ -1056,7 +1056,7 @@
873
+         BOOL proxy_ssl_check_peer_ok = TRUE;
874
+         sc = mySrvConfig(server);
875
+ 
876
+-#ifndef OPENSSL_NO_TLSEXT
877
++#ifdef HAVE_TLSEXT
878
+         /*
879
+          * Enable SNI for backend requests. Make sure we don't do it for
880
+          * pure SSLv3 connections, and also prevent IP addresses
881
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_kernel.c httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
882
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_kernel.c	2013-10-01 12:20:45.776812076 +0200
883
++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c	2013-10-01 12:20:50.992746868 +0200
884
+@@ -32,7 +32,7 @@
885
+ #include "util_md5.h"
886
+ 
887
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
888
+-#ifndef OPENSSL_NO_TLSEXT
889
++#ifdef HAVE_TLSEXT
890
+ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
891
+ #endif
892
+ 
893
+@@ -119,7 +119,7 @@
894
+     SSLSrvConfigRec *sc = mySrvConfig(r->server);
895
+     SSLConnRec *sslconn;
896
+     const char *upgrade;
897
+-#ifndef OPENSSL_NO_TLSEXT
898
++#ifdef HAVE_TLSEXT
899
+     const char *servername;
900
+ #endif
901
+     SSL *ssl;
902
+@@ -162,7 +162,7 @@
903
+     if (!ssl) {
904
+         return DECLINED;
905
+     }
906
+-#ifndef OPENSSL_NO_TLSEXT
907
++#ifdef HAVE_TLSEXT
908
+     if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
909
+         char *host, *scope_id;
910
+         apr_port_t port;
911
+@@ -329,7 +329,7 @@
912
+         return DECLINED;
913
+     }
914
+ 
915
+-#ifndef OPENSSL_NO_SRP
916
++#ifdef HAVE_SRP
917
+     /*
918
+      * Support for per-directory reconfigured SSL connection parameters
919
+      *
920
+@@ -1101,7 +1101,7 @@
921
+     "SSL_SERVER_A_SIG",
922
+     "SSL_SESSION_ID",
923
+     "SSL_SESSION_RESUMED",
924
+-#ifndef OPENSSL_NO_SRP
925
++#ifdef HAVE_SRP
926
+     "SSL_SRP_USER",
927
+     "SSL_SRP_USERINFO",
928
+ #endif
929
+@@ -1115,7 +1115,7 @@
930
+     SSLDirConfigRec *dc = myDirConfig(r);
931
+     apr_table_t *env = r->subprocess_env;
932
+     char *var, *val = "";
933
+-#ifndef OPENSSL_NO_TLSEXT
934
++#ifdef HAVE_TLSEXT
935
+     const char *servername;
936
+ #endif
937
+     STACK_OF(X509) *peer_certs;
938
+@@ -1144,7 +1144,7 @@
939
+     /* the always present HTTPS (=HTTP over SSL) flag! */
940
+     apr_table_setn(env, "HTTPS", "on");
941
+ 
942
+-#ifndef OPENSSL_NO_TLSEXT
943
++#ifdef HAVE_TLSEXT
944
+     /* add content of SNI TLS extension (if supplied with ClientHello) */
945
+     if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
946
+         apr_table_set(env, "SSL_TLS_SNI", servername);
947
+@@ -1287,117 +1287,70 @@
948
+ */
949
+ 
950
+ /*
951
+- * Handle out temporary RSA private keys on demand
952
+- *
953
+- * The background of this as the TLSv1 standard explains it:
954
+- *
955
+- * | D.1. Temporary RSA keys
956
+- * |
957
+- * |    US Export restrictions limit RSA keys used for encryption to 512
958
+- * |    bits, but do not place any limit on lengths of RSA keys used for
959
+- * |    signing operations. Certificates often need to be larger than 512
960
+- * |    bits, since 512-bit RSA keys are not secure enough for high-value
961
+- * |    transactions or for applications requiring long-term security. Some
962
+- * |    certificates are also designated signing-only, in which case they
963
+- * |    cannot be used for key exchange.
964
+- * |
965
+- * |    When the public key in the certificate cannot be used for encryption,
966
+- * |    the server signs a temporary RSA key, which is then exchanged. In
967
+- * |    exportable applications, the temporary RSA key should be the maximum
968
+- * |    allowable length (i.e., 512 bits). Because 512-bit RSA keys are
969
+- * |    relatively insecure, they should be changed often. For typical
970
+- * |    electronic commerce applications, it is suggested that keys be
971
+- * |    changed daily or every 500 transactions, and more often if possible.
972
+- * |    Note that while it is acceptable to use the same temporary key for
973
+- * |    multiple transactions, it must be signed each time it is used.
974
+- * |
975
+- * |    RSA key generation is a time-consuming process. In many cases, a
976
+- * |    low-priority process can be assigned the task of key generation.
977
+- * |    Whenever a new key is completed, the existing temporary key can be
978
+- * |    replaced with the new one.
979
+- *
980
+- * XXX: base on comment above, if thread support is enabled,
981
+- * we should spawn a low-priority thread to generate new keys
982
+- * on the fly.
983
+- *
984
+- * So we generated 512 and 1024 bit temporary keys on startup
985
+- * which we now just hand out on demand....
986
++ * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
987
++ * (get_rfc*) for all available primes.
988
+  */
989
+-
990
+-RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
991
+-{
992
+-    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
993
+-    SSLModConfigRec *mc = myModConfigFromConn(c);
994
+-    int idx;
995
+-
996
+-    ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
997
+-                  "handing out temporary %d bit RSA key", keylen);
998
+-
999
+-    /* doesn't matter if export flag is on,
1000
+-     * we won't be asked for keylen > 512 in that case.
1001
+-     * if we are asked for a keylen > 1024, it is too expensive
1002
+-     * to generate on the fly.
1003
+-     * XXX: any reason not to generate 2048 bit keys at startup?
1004
+-     */
1005
+-
1006
+-    switch (keylen) {
1007
+-      case 512:
1008
+-        idx = SSL_TMP_KEY_RSA_512;
1009
+-        break;
1010
+-
1011
+-      case 1024:
1012
+-      default:
1013
+-        idx = SSL_TMP_KEY_RSA_1024;
1014
+-    }
1015
+-
1016
+-    return (RSA *)mc->pTmpKeys[idx];
1017
++#define make_get_dh(rfc,size,gen) \
1018
++static DH *get_dh##size(void) \
1019
++{ \
1020
++    DH *dh; \
1021
++    if (!(dh = DH_new())) { \
1022
++        return NULL; \
1023
++    } \
1024
++    dh->p = get_##rfc##_prime_##size(NULL); \
1025
++    BN_dec2bn(&dh->g, #gen); \
1026
++    if (!dh->p || !dh->g) { \
1027
++        DH_free(dh); \
1028
++        return NULL; \
1029
++    } \
1030
++    return dh; \
1031
+ }
1032
+ 
1033
+ /*
1034
+- * Hand out the already generated DH parameters...
1035
++ * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments
1036
++ */
1037
++make_get_dh(rfc2409, 1024, 2)
1038
++make_get_dh(rfc3526, 2048, 2)
1039
++make_get_dh(rfc3526, 3072, 2)
1040
++make_get_dh(rfc3526, 4096, 2)
1041
++
1042
++/*
1043
++ * Hand out standard DH parameters, based on the authentication strength
1044
+  */
1045
+ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
1046
+ {
1047
+     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1048
+-    SSLModConfigRec *mc = myModConfigFromConn(c);
1049
+-    int idx;
1050
+-
1051
+-    ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1052
+-                  "handing out temporary %d bit DH key", keylen);
1053
++    EVP_PKEY *pkey = SSL_get_privatekey(ssl);
1054
++    int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
1055
+ 
1056
+-    switch (keylen) {
1057
+-      case 512:
1058
+-        idx = SSL_TMP_KEY_DH_512;
1059
+-        break;
1060
+-
1061
+-      case 1024:
1062
+-      default:
1063
+-        idx = SSL_TMP_KEY_DH_1024;
1064
++    /*
1065
++     * OpenSSL will call us with either keylen == 512 or keylen == 1024
1066
++     * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
1067
++     * Adjust the DH parameter length according to the size of the
1068
++     * RSA/DSA private key used for the current connection, and always
1069
++     * use at least 1024-bit parameters.
1070
++     * Note: This may cause interoperability issues with implementations
1071
++     * which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
1072
++     * In this case, SSLCertificateFile can be used to specify fixed
1073
++     * 1024-bit DH parameters (with the effect that OpenSSL skips this
1074
++     * callback).
1075
++     */
1076
++    if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
1077
++        keylen = EVP_PKEY_bits(pkey);
1078
+     }
1079
+ 
1080
+-    return (DH *)mc->pTmpKeys[idx];
1081
+-}
1082
+-
1083
+-#ifndef OPENSSL_NO_EC
1084
+-EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
1085
+-{
1086
+-    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1087
+-    SSLModConfigRec *mc = myModConfigFromConn(c);
1088
+-    int idx;
1089
+-
1090
+-    /* XXX Uses 256-bit key for now. TODO: support other sizes. */
1091
+     ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1092
+-                  "handing out temporary 256 bit ECC key");
1093
++                  "handing out built-in DH parameters for %d-bit authenticated connection", keylen);
1094
+ 
1095
+-    switch (keylen) {
1096
+-      case 256:
1097
+-      default:
1098
+-        idx = SSL_TMP_KEY_EC_256;
1099
+-    }
1100
+-
1101
+-    return (EC_KEY *)mc->pTmpKeys[idx];
1102
++    if (keylen >= 4096)
1103
++        return get_dh4096();
1104
++    else if (keylen >= 3072)
1105
++        return get_dh3072();
1106
++    else if (keylen >= 2048)
1107
++        return get_dh2048();
1108
++    else
1109
++        return get_dh1024();
1110
+ }
1111
+-#endif
1112
+ 
1113
+ /*
1114
+  * This OpenSSL callback function is called when OpenSSL
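Review bot: Each call to `ssl_callback_TmpDH()` now builds a fresh `DH` through one of the `get_dhNNNN()` helpers and returns it, and nothing in the hunk ever frees it. As far as I know OpenSSL duplicates the parameters a tmp-DH callback returns and does not take ownership, so this would leak one `DH` and its prime per DHE handshake, and memory use would grow with the number of such handshakes. Building the four parameter sets once at startup and having the callback return the cached pointers avoids that; the sketch below needs a call from the init path, which is outside this hunk. Separately, a connection authenticated with an EC key is not covered by the RSA/DSA test, so it keeps the `keylen` OpenSSL passed in and ends in `get_dh1024()`; a comment saying whether that is intended would help.

```c
/* Built once during module initialisation; the callback only hands these out. */
static DH *dhparam1024, *dhparam2048, *dhparam3072, *dhparam4096;

/* Proposed new helper: call it from the init path before connections are served. */
void modssl_init_dh_params(void)
{
    dhparam1024 = get_dh1024();
    dhparam2048 = get_dh2048();
    dhparam3072 = get_dh3072();
    dhparam4096 = get_dh4096();
}

DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
    /* ... unchanged: private-key lookup, keylen adjustment, trace log ... */

    if (keylen >= 4096)
        return dhparam4096;
    else if (keylen >= 3072)
        return dhparam3072;
    else if (keylen >= 2048)
        return dhparam2048;
    else
        return dhparam1024;
}
```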
1115
+@@ -1938,7 +1891,7 @@
1116
+     }
1117
+ }
1118
+ 
1119
+-#ifndef OPENSSL_NO_TLSEXT
1120
++#ifdef HAVE_TLSEXT
1121
+ /*
1122
+  * This callback function is executed when OpenSSL encounters an extended
1123
+  * client hello with a server name indication extension ("SNI", cf. RFC 4366).
1124
+@@ -2089,7 +2042,7 @@
1125
+ 
1126
+     return 0;
1127
+ }
1128
+-#endif /* OPENSSL_NO_TLSEXT */
1129
++#endif /* HAVE_TLSEXT */
1130
+ 
1131
+ #ifdef HAVE_TLS_SESSION_TICKETS
1132
+ /*
1133
+@@ -2161,7 +2114,7 @@
1134
+ }
1135
+ #endif /* HAVE_TLS_SESSION_TICKETS */
1136
+ 
1137
+-#ifndef OPENSSL_NO_SRP
1138
++#ifdef HAVE_SRP
1139
+ 
1140
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
1141
+ {
1142
+@@ -2185,4 +2138,4 @@
1143
+     return SSL_ERROR_NONE;
1144
+ }
1145
+ 
1146
+-#endif /* OPENSSL_NO_SRP */
1147
++#endif /* HAVE_SRP */
1148
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_pphrase.c httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c
1149
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_pphrase.c	2013-10-01 12:20:45.777812063 +0200
1150
++++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c	2013-10-01 12:20:50.992746868 +0200
1151
+@@ -708,7 +708,7 @@
1152
+                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
1153
+                                  "Init: Failed to create pass phrase pipe '%s'",
1154
+                                  sc->server->pphrase_dialog_path);
1155
+-                    PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1156
++                    PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1157
+                     memset(buf, 0, (unsigned int)bufsize);
1158
+                     return (-1);
1159
+                 }
1160
+@@ -718,7 +718,7 @@
1161
+         }
1162
+         else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
1163
+ #ifdef WIN32
1164
+-            PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1165
++            PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1166
+             memset(buf, 0, (unsigned int)bufsize);
1167
+             return (-1);
1168
+ #else
1169
+@@ -769,7 +769,7 @@
1170
+                 i = EVP_read_pw_string(buf, bufsize, "", FALSE);
1171
+             }
1172
+             if (i != 0) {
1173
+-                PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1174
++                PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
1175
+                 memset(buf, 0, (unsigned int)bufsize);
1176
+                 return (-1);
1177
+             }
1178
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_engine_vars.c httpd-2.4.6/modules/ssl/ssl_engine_vars.c
1179
+--- httpd-2.4.6-orig/modules/ssl/ssl_engine_vars.c	2013-10-01 12:20:45.775812088 +0200
1180
++++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c	2013-10-01 12:20:50.992746868 +0200
1181
+@@ -382,7 +382,7 @@
1182
+     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
1183
+         result = ssl_var_lookup_ssl_compress_meth(ssl);
1184
+     }
1185
+-#ifndef OPENSSL_NO_TLSEXT
1186
++#ifdef HAVE_TLSEXT
1187
+     else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
1188
+         result = apr_pstrdup(p, SSL_get_servername(ssl,
1189
+                                                    TLSEXT_NAMETYPE_host_name));
1190
+@@ -395,7 +395,7 @@
1191
+ #endif
1192
+         result = apr_pstrdup(p, flag ? "true" : "false");
1193
+     }
1194
+-#ifndef OPENSSL_NO_SRP
1195
++#ifdef HAVE_SRP
1196
+     else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
1197
+         if ((result = SSL_get_srp_username(ssl)) != NULL) {
1198
+             result = apr_pstrdup(p, result);
1199
+@@ -879,7 +879,7 @@
1200
+  * success and writes the string to the given bio. */
1201
+ static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str)
1202
+ {
1203
+-    MODSSL_D2I_ASN1_type_bytes_CONST unsigned char *pp = str->data;
1204
++    const unsigned char *pp = str->data;
1205
+     ASN1_STRING *ret = ASN1_STRING_new();
1206
+     int rv = 0;
1207
+ 
1208
+@@ -975,7 +975,7 @@
1209
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
1210
+ {
1211
+     char *result = "NULL";
1212
+-#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
1213
++#ifndef OPENSSL_NO_COMP
1214
+     SSL_SESSION *pSession = SSL_get_session(ssl);
1215
+ 
1216
+     if (pSession) {
1217
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_private.h httpd-2.4.6/modules/ssl/ssl_private.h
1218
+--- httpd-2.4.6-orig/modules/ssl/ssl_private.h	2013-10-01 12:20:45.774812101 +0200
1219
++++ httpd-2.4.6/modules/ssl/ssl_private.h	2013-10-01 12:20:50.993746855 +0200
1220
+@@ -105,65 +105,55 @@
1221
+ #include <openssl/engine.h>
1222
+ #endif
1223
+ 
1224
+-#if (OPENSSL_VERSION_NUMBER < 0x0090700f)
1225
+-#error mod_ssl requires OpenSSL 0.9.7 or later
1226
+-#endif
1227
+-
1228
+-/* ...shifting sands of OpenSSL... */
1229
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
1230
+-#define MODSSL_D2I_SSL_SESSION_CONST const
1231
+-#else
1232
+-#define MODSSL_D2I_SSL_SESSION_CONST
1233
+-#endif
1234
+-
1235
+-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
1236
+-#define HAVE_GENERATE_EX
1237
+-#define MODSSL_D2I_ASN1_type_bytes_CONST const
1238
+-#define MODSSL_D2I_PrivateKey_CONST const
1239
+-#define MODSSL_D2I_X509_CONST const
1240
+-#else
1241
+-#define MODSSL_D2I_ASN1_type_bytes_CONST
1242
+-#define MODSSL_D2I_PrivateKey_CONST
1243
+-#define MODSSL_D2I_X509_CONST
1244
+-#endif
1245
+-
1246
+-#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
1247
+-    && !defined(OPENSSL_NO_TLSEXT)
1248
+-#define HAVE_OCSP_STAPLING
1249
+-#if (OPENSSL_VERSION_NUMBER < 0x10000000)
1250
+-#define sk_OPENSSL_STRING_pop sk_pop
1251
+-#endif
1252
+-#endif
1253
+-
1254
+-#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
1255
+-#define HAVE_FIPS
1256
++#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
1257
++#error mod_ssl requires OpenSSL 0.9.8a or later
1258
+ #endif
1259
+ 
1260
++/**
1261
++ * ...shifting sands of OpenSSL...
1262
++ * Note: when adding support for new OpenSSL features, avoid explicit
1263
++ * version number checks whenever possible, and use "feature-based"
1264
++ * detection instead (check for definitions of constants or functions)
1265
++ */
1266
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
1267
+ #define MODSSL_SSL_CIPHER_CONST const
1268
+ #define MODSSL_SSL_METHOD_CONST const
1269
+ #else
1270
+ #define MODSSL_SSL_CIPHER_CONST
1271
+ #define MODSSL_SSL_METHOD_CONST
1272
+-/* ECC support came along in OpenSSL 1.0.0 */
1273
+-#define OPENSSL_NO_EC
1274
+ #endif
1275
+ 
1276
+-#ifndef PEM_F_DEF_CALLBACK
1277
+-#ifdef PEM_F_PEM_DEF_CALLBACK
1278
+-/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
1279
+-#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
1280
++#if defined(OPENSSL_FIPS)
1281
++#define HAVE_FIPS
1282
+ #endif
1283
++
1284
++#if defined(SSL_OP_NO_TLSv1_2)
1285
++#define HAVE_TLSV1_X
1286
+ #endif
1287
+ 
1288
+-#ifndef OPENSSL_NO_TLSEXT
1289
+-#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
1290
+-#define OPENSSL_NO_TLSEXT
1291
++/**
1292
++  * The following features all depend on TLS extension support.
1293
++  * Within this block, check again for features (not version numbers).
1294
++  */
1295
++#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
1296
++
1297
++#define HAVE_TLSEXT
1298
++
1299
++/* ECC: make sure we have at least 1.0.0 */
1300
++#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
1301
++#define HAVE_ECC
1302
++#endif
1303
++
1304
++/* OCSP stapling */
1305
++#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
1306
++#define HAVE_OCSP_STAPLING
1307
++#ifndef sk_OPENSSL_STRING_pop
1308
++#define sk_OPENSSL_STRING_pop sk_pop
1309
+ #endif
1310
+ #endif
1311
+ 
1312
+-#ifndef OPENSSL_NO_TLSEXT
1313
+-#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1314
++/* TLS session tickets */
1315
++#if defined(SSL_CTX_set_tlsext_ticket_key_cb)
1316
+ #define HAVE_TLS_SESSION_TICKETS
1317
+ #define TLSEXT_TICKET_KEY_LEN 48
1318
+ #ifndef tlsext_tick_md
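Review bot: The new feature tests such as `defined(SSL_set_tlsext_host_name)` and `defined(SSL_CTX_set_tlsext_status_cb)` only succeed while OpenSSL provides those names as preprocessor macros, and the block carries no comment saying so. If one of them is ever provided as a real function, HAVE_TLSEXT and everything nested under it (HAVE_ECC, HAVE_OCSP_STAPLING, HAVE_TLS_SESSION_TICKETS) would be compiled out without any diagnostic, silently removing SNI and ECDHE. I would add a comment above the `#if`, for example `/* defined() sees macros only: if OpenSSL turns one of these into a function, the feature is dropped silently */`. The block's closing `#endif` is in the next hunk.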
1319
+@@ -174,26 +164,15 @@
1320
+ #endif
1321
+ #endif
1322
+ #endif
1323
+-#endif
1324
+ 
1325
+-#ifdef SSL_OP_NO_TLSv1_2
1326
+-#define HAVE_TLSV1_X
1327
+-#endif
1328
+-
1329
+-#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
1330
+-    && OPENSSL_VERSION_NUMBER < 0x00908000L
1331
+-#define OPENSSL_NO_COMP
1332
+-#endif
1333
+-
1334
+-/* SRP support came in OpenSSL 1.0.1 */
1335
+-#ifndef OPENSSL_NO_SRP
1336
+-#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
1337
++/* Secure Remote Password */
1338
++#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
1339
++#define HAVE_SRP
1340
+ #include <openssl/srp.h>
1341
+-#else
1342
+-#define OPENSSL_NO_SRP
1343
+-#endif
1344
+ #endif
1345
+ 
1346
++#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
1347
++
1348
+ /* mod_ssl headers */
1349
+ #include "ssl_util_ssl.h"
1350
+ 
1351
+@@ -287,7 +266,7 @@
1352
+ #define SSL_ALGO_UNKNOWN (0)
1353
+ #define SSL_ALGO_RSA     (1<<0)
1354
+ #define SSL_ALGO_DSA     (1<<1)
1355
+-#ifndef OPENSSL_NO_EC
1356
++#ifdef HAVE_ECC
1357
+ #define SSL_ALGO_ECC     (1<<2)
1358
+ #define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
1359
+ #else
1360
+@@ -296,29 +275,13 @@
1361
+ 
1362
+ #define SSL_AIDX_RSA     (0)
1363
+ #define SSL_AIDX_DSA     (1)
1364
+-#ifndef OPENSSL_NO_EC
1365
++#ifdef HAVE_ECC
1366
+ #define SSL_AIDX_ECC     (2)
1367
+ #define SSL_AIDX_MAX     (3)
1368
+ #else
1369
+ #define SSL_AIDX_MAX     (2)
1370
+ #endif
1371
+ 
1372
+-
1373
+-/**
1374
+- * Define IDs for the temporary RSA keys and DH params
1375
+- */
1376
+-
1377
+-#define SSL_TMP_KEY_RSA_512  (0)
1378
+-#define SSL_TMP_KEY_RSA_1024 (1)
1379
+-#define SSL_TMP_KEY_DH_512   (2)
1380
+-#define SSL_TMP_KEY_DH_1024  (3)
1381
+-#ifndef OPENSSL_NO_EC
1382
+-#define SSL_TMP_KEY_EC_256   (4)
1383
+-#define SSL_TMP_KEY_MAX      (5)
1384
+-#else
1385
+-#define SSL_TMP_KEY_MAX      (4)
1386
+-#endif
1387
+-
1388
+ /**
1389
+  * Define the SSL options
1390
+  */
1391
+@@ -534,7 +497,6 @@
1392
+     apr_global_mutex_t   *pMutex;
1393
+     apr_array_header_t   *aRandSeed;
1394
+     apr_hash_t     *tVHostKeys;
1395
+-    void           *pTmpKeys[SSL_TMP_KEY_MAX];
1396
+ 
1397
+     /* Two hash tables of pointers to ssl_asn1_t structures.  The
1398
+      * structures are used to store certificates and private keys
1399
+@@ -656,7 +618,7 @@
1400
+     const char *stapling_force_url;
1401
+ #endif
1402
+ 
1403
+-#ifndef OPENSSL_NO_SRP
1404
++#ifdef HAVE_SRP
1405
+     char *srp_vfile;
1406
+     char *srp_unknown_user_seed;
1407
+     SRP_VBASE  *srp_vbase;
1408
+@@ -688,7 +650,7 @@
1409
+     ssl_enabled_t    proxy_ssl_check_peer_expire;
1410
+     ssl_enabled_t    proxy_ssl_check_peer_cn;
1411
+     ssl_enabled_t    proxy_ssl_check_peer_name;
1412
+-#ifndef OPENSSL_NO_TLSEXT
1413
++#ifdef HAVE_TLSEXT
1414
+     ssl_enabled_t    strict_sni_vhost_check;
1415
+ #endif
1416
+ #ifdef HAVE_FIPS
1417
+@@ -792,7 +754,7 @@
1418
+ const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
1419
+ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
1420
+ 
1421
+-#ifndef OPENSSL_NO_SRP
1422
++#ifdef HAVE_SRP
1423
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
1424
+ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
1425
+ #endif
1426
+@@ -823,11 +785,7 @@
1427
+ extern const authz_provider ssl_authz_provider_verify_client;
1428
+ 
1429
+ /**  OpenSSL callbacks */
1430
+-RSA         *ssl_callback_TmpRSA(SSL *, int, int);
1431
+ DH          *ssl_callback_TmpDH(SSL *, int, int);
1432
+-#ifndef OPENSSL_NO_EC
1433
+-EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
1434
+-#endif
1435
+ int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
1436
+ int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
1437
+ int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
1438
+@@ -835,7 +793,7 @@
1439
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
1440
+ void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
1441
+ void         ssl_callback_Info(const SSL *, int, int);
1442
+-#ifndef OPENSSL_NO_TLSEXT
1443
++#ifdef HAVE_TLSEXT
1444
+ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
1445
+ #endif
1446
+ #ifdef HAVE_TLS_SESSION_TICKETS
1447
+@@ -873,7 +831,7 @@
1448
+ void         ssl_stapling_ex_init(void);
1449
+ int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
1450
+ #endif
1451
+-#ifndef OPENSSL_NO_SRP
1452
++#ifdef HAVE_SRP
1453
+ int          ssl_callback_SRPServerParams(SSL *, int *, void *);
1454
+ #endif
1455
+ 
1456
+@@ -906,8 +864,10 @@
1457
+ void         ssl_pphrase_Handle(server_rec *, apr_pool_t *);
1458
+ 
1459
+ /**  Diffie-Hellman Parameter Support  */
1460
+-DH           *ssl_dh_GetTmpParam(int);
1461
+-DH           *ssl_dh_GetParamFromFile(char *);
1462
++DH           *ssl_dh_GetParamFromFile(const char *);
1463
++#ifdef HAVE_ECC
1464
++EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
1465
++#endif
1466
+ 
1467
+ unsigned char *ssl_asn1_table_set(apr_hash_t *table,
1468
+                                   const char *key,
1469
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_scache.c httpd-2.4.6/modules/ssl/ssl_scache.c
1470
+--- httpd-2.4.6-orig/modules/ssl/ssl_scache.c	2013-10-01 12:20:45.776812076 +0200
1471
++++ httpd-2.4.6/modules/ssl/ssl_scache.c	2013-10-01 12:20:50.993746855 +0200
1472
+@@ -148,7 +148,7 @@
1473
+     SSLModConfigRec *mc = myModConfig(s);
1474
+     unsigned char dest[SSL_SESSION_MAX_DER];
1475
+     unsigned int destlen = SSL_SESSION_MAX_DER;
1476
+-    MODSSL_D2I_SSL_SESSION_CONST unsigned char *ptr;
1477
++    const unsigned char *ptr;
1478
+     apr_status_t rv;
1479
+ 
1480
+     if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
1481
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_util.c httpd-2.4.6/modules/ssl/ssl_util.c
1482
+--- httpd-2.4.6-orig/modules/ssl/ssl_util.c	2013-10-01 12:20:45.775812088 +0200
1483
++++ httpd-2.4.6/modules/ssl/ssl_util.c	2013-10-01 12:20:50.993746855 +0200
1484
+@@ -151,7 +151,7 @@
1485
+             case EVP_PKEY_DSA:
1486
+                 t = SSL_ALGO_DSA;
1487
+                 break;
1488
+-#ifndef OPENSSL_NO_EC
1489
++#ifdef HAVE_ECC
1490
+             case EVP_PKEY_EC:
1491
+                 t = SSL_ALGO_ECC;
1492
+                 break;
1493
+@@ -177,7 +177,7 @@
1494
+         case SSL_ALGO_DSA:
1495
+             cp = "DSA";
1496
+             break;
1497
+-#ifndef OPENSSL_NO_EC
1498
++#ifdef HAVE_ECC
1499
+         case SSL_ALGO_ECC:
1500
+             cp = "ECC";
1501
+             break;
1502
+@@ -253,7 +253,7 @@
1503
+     apr_hash_set(table, key, klen, NULL);
1504
+ }
1505
+ 
1506
+-#ifndef OPENSSL_NO_EC
1507
++#ifdef HAVE_ECC
1508
+ static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
1509
+ #else
1510
+ static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
1511
+diff -Naur httpd-2.4.6-orig/modules/ssl/ssl_util_ssl.c httpd-2.4.6/modules/ssl/ssl_util_ssl.c
1512
+--- httpd-2.4.6-orig/modules/ssl/ssl_util_ssl.c	2013-10-01 12:20:45.777812063 +0200
1513
++++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c	2013-10-01 12:20:50.993746855 +0200
1514
+@@ -483,6 +483,38 @@
1515
+ 
1516
+ /*  _________________________________________________________________
1517
+ **
1518
++**  Custom (EC)DH parameter support
1519
++**  _________________________________________________________________
1520
++*/
1521
++
1522
++DH *ssl_dh_GetParamFromFile(const char *file)
1523
++{
1524
++    DH *dh = NULL;
1525
++    BIO *bio;
1526
++
1527
++    if ((bio = BIO_new_file(file, "r")) == NULL)
1528
++        return NULL;
1529
++    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1530
++    BIO_free(bio);
1531
++    return (dh);
1532
++}
1533
++
1534
++#ifdef HAVE_ECC
1535
++EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
1536
++{
1537
++    EC_GROUP *group = NULL;
1538
++    BIO *bio;
1539
++
1540
++    if ((bio = BIO_new_file(file, "r")) == NULL)
1541
++        return NULL;
1542
++    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
1543
++    BIO_free(bio);
1544
++    return (group);
1545
++}
1546
++#endif
1547
++
1548
++/*  _________________________________________________________________
1549
++**
1550
+ **  Extra Server Certificate Chain Support
1551
+ **  _________________________________________________________________
1552
+ */
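Review bot: `ssl_dh_GetParamFromFile()` and `ssl_ec_GetParamFromFile()` have no comment stating who owns the returned object or what NULL means. Both return NULL for an unreadable file and for a file without the matching PEM block, which is the normal case for a plain certificate file, and the caller has to release a non-NULL result. I would document that above each function, e.g. `/* Returns NULL if the file cannot be opened or has no DH PARAMETERS block; caller frees the result with DH_free(). */`, and the same with `EC_GROUP_free()` for the EC variant. Presumably a missing block also leaves an entry on the OpenSSL error queue; that is worth confirming, and clearing if so.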
0 1553