keks-overlay.git

@@ -2,10 +2,13 @@ AUX apache-2.4.9-libressl.diff 542 SHA256 d1ce461d5abdc131a80fbc694d574d52d51cba

 AUX apache-libressl2.diff 784 SHA256 15b6339b10289eeb26863dda1e3b10e745aa981544b202c46c13985182b35216 SHA512 2041b122237f2cb9bd0d32c31e00f43f30f86b167ce47648b337e199e780735bfa79feb236e0e38cf1930c19bd75eaddf4a5118dc360cbb93c02eb27bcc34a7e WHIRLPOOL 668ca1018c5262dd6bdd3185ebddbffec9c6b8e44baf99f0b6d95fb9e9dac35de2586605bc2d9e2b77837450bf827d4a00a4c8dc8d7847309913bb9c627da82b

 AUX apache.conf 55 SHA256 ea616c5cc37979a006d69c51bda43fca15a4327d33175762652b29f5cdea1c7b SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3 WHIRLPOOL fa348414f320a9f70001386dfb77d57ca4836c3ef3d251976077b7ad545d7f6752e534efadbf28c7dcb777388e3d844eba84b939dcf48881983388daf6ac23f0

 AUX apache2.2.service 716 SHA256 e850ad73585fbba52ade58a39ca91adbfd52f56a0bbd426ebcadb340a7dcb62b SHA512 5f736c803772077598248bbb41f76dff396dfd2f11a60d1ba929a619275efb8c1b4c0dab78cbcdf83b9ec94db67b958b3333b01f67d71eb3b2e07dba4bca2a7c WHIRLPOOL 776a928422b8f37a12099111a1503674ca901934b60dca8596dc8bc287390be9a0e912d7ba6226dcb22eb7c669fa298ddc20fd7bf5c275b0cf019bae0d594839

+AUX apache24-alpn.diff 21499 SHA256 5dc1a6c8f5a395a1a24b9d846a30d73a75e8b9b907acff5d06bacbf17ef82a1b SHA512 f0e01a94f0886de530d689a29811432a5f45a6c935e39d9683915718b3eb57e63cafe1db6c3015179b2f50610e19f0569f95c557f716b0a65a48331195bff1f9 WHIRLPOOL dca29eb0c00b0cff80fdd1fe95b06e832d2b1d18def9e5689fae4fafc11c395d402f3303ebe1ea1be1ad24d4a9f30b5f0ce2464c84556b830093b489cfaabe8c

 AUX mod_ssl_with_npn.patch 12614 SHA256 165d651fb536e0878b6f841f1031ac121c6061362cf5fc7d657f7be292ae7ff4 SHA512 7968ec245b8324269ce75e98eeca659f672cbfdb759a9e6c0f8e7dd72bdf442cda23fd57490fccd2bcd44fb9eaff452810440b3e5f72a63550601bc706c35e98 WHIRLPOOL 63f5ab18ca7fe1580833f2ac51b4678340883cd6bffa405010ccdd7f132aed29c9ab7db465ab86fa582df43a5e2bc55bd078e75b0e3371bbd72abfd8190ded45

 DIST gentoo-apache-2.4.10-r1-20140731.tar.bz2 24531 SHA256 8e093a18582c3a20283ed1c09de9acc6832a80b1d5a02962599db0535d38af19 SHA512 c54239df36d7ab30bd14a41241d94b4b49b92c5e50e64857da3e7cde7575d5c0a634d51710bdf75807a57932bf9447906407ae4ef6cb333d7197e82ba5052cd9 WHIRLPOOL 0d184763a033209eaa3c91f7050b24c2a2da24d930ed280a8aa99e32461ac31402e6fd8f57e2122a96e45a8308c4a332144ede7b511ceee352be2f38a6ef7839

 DIST httpd-2.4.10.tar.bz2 5031834 SHA256 176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a SHA512 e251f5b330da17a8920c589b9e0326d6dd45db28923167718db27b0af2edf769607e9ae6fbb859afbf0c345937fd59053423a2d74bd18ff2272a0f6a19a6496f WHIRLPOOL c9f81296052a61483ceef4ae4b4c467cf64a4035030472dc8c17355f572a4887ddc6179ade2a764a4e3f0cd4ab7cc34a3fa36577a148c3df7b8d44a5f1f0424d

+DIST httpd-2.4.12.tar.bz2 5054838 SHA256 ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4 SHA512 f69db14b421f0e1e4861fe4d8b652688d50ca9eb41c622242d11ae55687eb6c2142a8505a8c3fb6f2bd53167be535bc0a77ca1af97e0720930fc7f20f4c1f8e8 WHIRLPOOL 56512066e8978c4a3d47d0cc2bb92093fd468a9b2f46b8b07fe4db366f55fa5e74ae58bbebe2377cbe0c66f1585759115c786f62f18ac1abc534fb257689d250

 EBUILD apache-2.4.10-r1.ebuild 7683 SHA256 b712e57de7c6db718d659cf6f7ae5ae65d29a002c685118f7d1eeb8fa79ce4e1 SHA512 feed9e3d3a8cadd719a8284a8e49d6e311fa3fa2685af4d6fd67a4a525948bebea573e224001d731a9b8cf1377617145e7e851ae75486c692d99b38858f235fc WHIRLPOOL f40d9cde400cb230df82c44b5bd8a57fce399386974f09d93414f4015fea8391a61c1c995da0f0f649f375c0ea689f826fb075b2b8ddf6629f0a3f1cf5a3eccd

+EBUILD apache-2.4.12.ebuild 7682 SHA256 11db379e17343925764e2702c0262acff776af3d19b996ca728688268964e5ea SHA512 98b2c82329de5946b25484886152bcef6b6245895c79bf2722616965b9534eeaa3786c3a27e28e36b4d9a0208c514d5f38b6cff21a1d4d0479387a5f28edc7f6 WHIRLPOOL b72024db65c930b4eebf8039af27e96a526111972690eda7a8d0071d168fe766c9c08ac88fcb32bb5ad17f7029e69160116fd7b2f3502f71ce1cb97c11e0311d

 MISC ChangeLog 28375 SHA256 2fb3488641d831af6d172be612422c331ae572f6c739a2f86ac26b362c13ece5 SHA512 e2e6d28eae8f996b1d8e66ab7f97c2bdb9a038949f7b92d610e12791e0b700e4a3fc0b35aaacb57049b935d24a7987ae1fe22f1a28b1ab1f3a61c55604e12a68 WHIRLPOOL 409b5d569d05c9e0cb33fb450e62f36001da56e0c6c2c8221df926fe8e3a3bb9375315708d94194e557928eda3e11a585232858f32edf41b4af3f32c4cbc4bdb

 MISC ChangeLog-2008 105137 SHA256 4afec18ad3c76df40314edb37b5512f81ca6223c38a899534d9d15342481accf SHA512 92dfd339b1c4ddec29222076a597220dc7faa504e2ee770339892f155febbf34004e60395f9eb21b43d3b1feb5f362c2946b69cc65151b5ba00fb53b35ccb9c6 WHIRLPOOL 89d77300aafb53ae0632904118064de19313fe51f635512314471e845574e7a624a770ae4ca4e335cff67d4fee92e062d28ef985a54c577a1b8b3ea0f621c0f8

 MISC metadata.xml 2882 SHA256 bb1c73d9b53a1049c14b477d4441b09670ecafcf46a0ad114c24bb284d0d194a SHA512 bd9a0a5f26e1420aa6023160208d177e233f97f2265b8fad68772a084cbc9fabb2a186f14916a5a664b5590a6052fe039874ff96b1bd9d3dc530c3750561c7ce WHIRLPOOL 0e92d1cd3fbbf3f75ebd38e356a736061c9ea19afd40b06f58abe0ed86219223cafab188bbfa4ce9c91a8cc6619de47dfc3a68edc2c39e6a38476915ad8d48ba

@@ -0,0 +1,234 @@

+# Copyright 1999-2015 Gentoo Foundation

+# Distributed under the terms of the GNU General Public License v2

+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.4.12.ebuild,v 1.1 2015/02/04 18:16:00 polynomial-c Exp $

+

+EAPI=5

+

+# latest gentoo apache files

+GENTOO_PATCHSTAMP="20140731"

+GENTOO_DEVELOPER="polynomial-c"

+GENTOO_PATCHNAME="gentoo-apache-2.4.10-r1"

+

+# IUSE/USE_EXPAND magic

+IUSE_MPMS_FORK="peruser prefork"

+IUSE_MPMS_THREAD="event worker"

+

+# << obsolete modules:

+# authn_default authz_default mem_cache

+# mem_cache is replaced by cache_disk

+# ?? buggy modules

+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found

+# >> added modules for reason:

+# compat: compatibility with 2.2 access control

+# authz_host: new module for access control

+# authn_core: functionality provided by authn_alias in previous versions

+# authz_core: new module, provides core authorization capabilities

+# cache_disk: replacement for mem_cache

+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3

+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3

+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).

+# socache_shmcb: shared object cache provider. Default config with ssl needs it

+# unixd: fixes startup error: Invalid command 'User'

+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest

+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core

+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex

+cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate

+dir dumpio env expires ext_filter file_cache filter headers ident imagemap

+include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness

+lbmethod_heartbeat log_config log_forensic logio mime mime_magic negotiation

+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi

+proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif

+slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack

+unixd version vhost_alias"

+# The following are also in the source as of this version, but are not available

+# for user selection:

+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export

+# optional_fn_import optional_hook_export optional_hook_import

+

+# inter-module dependencies

+# TODO: this may still be incomplete

+MODULE_DEPENDS="

+	dav_fs:dav

+	dav_lock:dav

+	deflate:filter

+	cache_disk:cache

+	ext_filter:filter

+	file_cache:cache

+	lbmethod_byrequests:proxy_balancer

+	lbmethod_byrequests:slotmem_shm

+	lbmethod_bytraffic:proxy_balancer

+	lbmethod_bybusyness:proxy_balancer

+	lbmethod_heartbeat:proxy_balancer

+	log_forensic:log_config

+	logio:log_config

+	cache_disk:cache

+	mime_magic:mime

+	proxy_ajp:proxy

+	proxy_balancer:proxy

+	proxy_balancer:slotmem_shm

+	proxy_connect:proxy

+	proxy_ftp:proxy

+	proxy_http:proxy

+	proxy_scgi:proxy

+	proxy_fcgi:proxy

+	proxy_wstunnel:proxy

+	substitute:filter

+"

+

+# module<->define mappings

+MODULE_DEFINES="

+	auth_digest:AUTH_DIGEST

+	authnz_ldap:AUTHNZ_LDAP

+	cache:CACHE

+	cache_disk:CACHE

+	dav:DAV

+	dav_fs:DAV

+	dav_lock:DAV

+	file_cache:CACHE

+	info:INFO

+	ldap:LDAP

+	proxy:PROXY

+	proxy_ajp:PROXY

+	proxy_balancer:PROXY

+	proxy_connect:PROXY

+	proxy_ftp:PROXY

+	proxy_http:PROXY

+	proxy_fcgi:PROXY

+	proxy_scgi:PROXY

+	proxy_wstunnel:PROXY

+	socache_shmcb:SSL

+	ssl:SSL

+	status:STATUS

+	suexec:SUEXEC

+	userdir:USERDIR

+"

+

+# critical modules for the default config

+MODULE_CRITICAL="

+	authn_core

+	authz_core

+	authz_host

+	dir

+	mime

+	unixd

+"

+inherit eutils apache-2 systemd toolchain-funcs

+

+DESCRIPTION="The Apache Web Server"

+HOMEPAGE="http://httpd.apache.org/"

+

+# some helper scripts are Apache-1.1, thus both are here

+LICENSE="Apache-2.0 Apache-1.1"

+SLOT="2"

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"

+IUSE=""

+

+pkg_setup() {

+	# dependend critical modules which are not allowed in global scope due

+	# to USE flag conditionals (bug #499260)

+	use ssl && MODULE_CRITICAL+=" socache_shmcb"

+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"

+	apache-2_pkg_setup

+}

+

+src_prepare() {

+	epatch "${FILESDIR}"/apache-2.4.9-libressl.diff

+	epatch "${FILESDIR}"/apache-libressl2.diff

+	epatch "${FILESDIR}"/apache24-alpn.diff

+	apache-2_src_prepare

+}

+

+src_configure() {

+	# Brain dead check.

+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"

+

+	apache-2_src_configure

+}

+

+src_compile() {

+	if tc-is-cross-compiler; then

+		# This header is the same across targets, so use the build compiler.

+		pushd server >/dev/null

+		emake gen_test_char

+		tc-export_build_env BUILD_CC

+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \

+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die

+		popd >/dev/null

+	fi

+

+	default

+}

+

+src_install() {

+	apache-2_src_install

+	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do

+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do

+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do

+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do

+		rm "${ED}/"$i || die "Failed to prune apache-tools bits"

+	done

+

+	# install apxs in /usr/bin (bug #502384) and put a symlink into the 

+	# old location until all ebuilds and eclasses have been modified to

+	# use the new location.

+	local apxs="/usr/bin/apxs"

+	cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"

+	ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die

+	chmod 0755 "${ED}"${apxs} || die

+

+	# Note: wait for mod_systemd to be included in the next release,

+	# then apache2.4.service can be used and systemd support controlled

+	# through --enable-systemd

+	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"

+	systemd_dotmpfilesd "${FILESDIR}/apache.conf"

+	#insinto /etc/apache2/modules.d

+	#doins "${FILESDIR}/00_systemd.conf"

+}

+

+pkg_postinst()

+{

+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"

+	# warnings that default config might not work out of the box

+	for mod in $MODULE_CRITICAL; do

+		if ! use "apache2_modules_${mod}"; then

+			echo

+			ewarn "Warning: Critical module not installed!"

+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"

+			ewarn "are highly recomended but might not be in the base profile yet."

+			ewarn "Default config for ssl needs module 'socache_shmcb'."

+			ewarn "Enabling the following flags is highly recommended:"

+			for cmod in $MODULE_CRITICAL; do

+				use "apache2_modules_${cmod}" || \

+					ewarn "+ apache2_modules_${cmod}"

+			done

+			echo

+			break

+		fi

+	done

+	# warning for proxy_balancer and missing load balancing scheduler

+	if use apache2_modules_proxy_balancer; then

+		local lbset=

+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do

+			if use "apache2_modules_${mod}"; then

+				lbset=1 && break

+			fi

+		done

+		if [ ! $lbset ]; then

+			echo

+			ewarn "Info: Missing load balancing scheduler algorithm module"

+			ewarn "(They were split off from proxy_balancer in 2.3)"

+			ewarn "In order to get the ability of load balancing, at least"

+			ewarn "one of these modules has to be present:"

+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"

+			echo

+		fi

+	fi

+}

@@ -0,0 +1,586 @@

+--- gen/httpd-2.4.x/modules/ssl/mod_ssl.c	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/mod_ssl.c	2015-01-19 15:42:53.904000000 +0100

+@@ -273,6 +270,12 @@ 

+ 		"OpenSSL configuration command")

+ #endif

+ 

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++    SSL_CMD_SRV(AlpnPreference, ITERATE,

++                "Preference in Application-Layer Protocol Negotiation (ALPN), "

++                "protocols are chosed in the specified order")

++#endif

++    

+     /* Deprecated directives. */

+     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,

+       "SSLLog directive is no longer supported - use ErrorLog."),

+@@ -423,6 +423,37 @@ 

+     return 1;

+ }

+ 

++static int modssl_register_alpn(conn_rec *c,

++                               ssl_alpn_propose_protos advertisefn,

++                               ssl_alpn_proto_negotiated negotiatedfn)

++{

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++	SSLConnRec *sslconn = myConnConfig(c);

++	

++	if (!sslconn) {

++		return DECLINED;

++	}

++	

++	if (!sslconn->alpn_proposefns) {

++		sslconn->alpn_proposefns =

++		apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));

++		sslconn->alpn_negofns =

++		apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated));

++	}

++	

++	if (advertisefn)

++		APR_ARRAY_PUSH(sslconn->alpn_proposefns, ssl_alpn_propose_protos) =

++			advertisefn;

++	if (negotiatedfn)

++		APR_ARRAY_PUSH(sslconn->alpn_negofns, ssl_alpn_proto_negotiated) =

++			negotiatedfn;

++	

++	return OK;

++#else

++    return DECLINED;

++#endif

++}

++

+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)

+ {

+     SSLSrvConfigRec *sc;

+@@ -585,6 +616,7 @@ 

+ 

+     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);

+     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);

++    APR_REGISTER_OPTIONAL_FN(modssl_register_alpn);

+ 

+     ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",

+                               AUTHZ_PROVIDER_VERSION,

+--- gen/httpd-2.4.x/modules/ssl/mod_ssl.h	2015-01-07 17:03:34.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/mod_ssl.h	2015-01-19 15:42:53.904000000 +0100

+@@ -63,5 +63,46 @@ 

+ 

+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

+ 

++/** The alpn_propose_proto callback allows other modules to propose

++ * the name of the protocol that will be chosen during the

++ * Application-Layer Protocol Negotiation (ALPN) portion of the SSL handshake.

++ * The callback is given the connection and a list of NULL-terminated

++ * protocol strings as supported by the client.  If this client_protos is 

++ * non-empty, it must pick its preferred protocol from that list. Otherwise

++ * it should add its supported protocols in order of precedence.

++ * The callback should not yet modify the connection or install any filters

++ * as its proposal(s) may be overridden by another callback or server 

++ * configuration. 

++ * It should return OK or, to prevent further processing of (other modules') 

++ * callbacks, return DONE.

++ */

++typedef int (*ssl_alpn_propose_protos)(conn_rec *connection,

++									apr_array_header_t *client_protos,

++									apr_array_header_t *proposed_protos);

++

++/** The alpn_proto_negotiated callback allows other modules to discover

++ * the name of the protocol that was chosen during the Application-Layer

++ * Protocol Negotiation (ALPN) portion of the SSL handshake.  

++ * The callback is given the connection, a

++ * non-NUL-terminated string containing the protocol name, and the

++ * length of the string; it should do something appropriate

++ * (i.e. insert or remove filters) and return OK. To prevent further

++ * processing of (other modules') callbacks, return DONE. */

++typedef int (*ssl_alpn_proto_negotiated)(conn_rec *connection,

++                                        const char *proto_name,

++                                        apr_size_t proto_name_len);

++

++/* An optional function which can be used to register a pair of callbacks 

++ * for ALPN handling.

++ * This optional function should be invoked from a pre_connection hook 

++ * which runs *after* mod_ssl.c's pre_connection hook.  The function returns 

++ * OK if the callbacks are registered, or DECLINED otherwise (for example if 

++ * mod_ssl does not support ALPN).

++ */

++APR_DECLARE_OPTIONAL_FN(int, modssl_register_alpn,

++						(conn_rec *conn,

++						 ssl_alpn_propose_protos proposefn,

++						 ssl_alpn_proto_negotiated negotiatedfn));

++

+ #endif /* __MOD_SSL_H__ */

+ /** @} */

+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_config.c	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/ssl_engine_config.c	2015-01-19 16:34:55.944000000 +0100

+@@ -159,6 +159,9 @@ 

+     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);

+     mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));

+ #endif

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++    mctx->ssl_alpn_pref = apr_array_make(p, 5, sizeof(const char *));

++#endif

+ }

+ 

+ static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,

+@@ -298,6 +300,9 @@ 

+ #ifdef HAVE_SSL_CONF_CMD

+     cfgMergeArray(ssl_ctx_param);

+ #endif

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++    cfgMergeArray(ssl_alpn_pref);

++#endif

+ }

+ 

+ static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,

+@@ -1868,6 +1861,16 @@ 

+     return NULL;

+ }

+ #endif

++

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++const char *ssl_cmd_SSLAlpnPreference(cmd_parms *cmd, void *dcfg,

++                                      const char *protocol)

++{

++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

++    APR_ARRAY_PUSH(sc->server->ssl_alpn_pref, const char *) = protocol;

++    return NULL;

++}

++#endif

+ 

+ #ifdef HAVE_SRP

+ 

+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_init.c	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/ssl_engine_init.c	2015-01-19 15:42:53.908000000 +0100

+@@ -623,6 +613,14 @@ 

+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);

+ 

+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);

++

++#if defined(HAVE_TLS_ALPN)

++	SSL_CTX_set_alpn_select_cb(

++	   ctx, ssl_callback_alpn_select, NULL);

++#elif defined(HAVE_TLS_NPN)

++    SSL_CTX_set_next_protos_advertised_cb(

++        ctx, ssl_callback_AdvertiseNextProtos, NULL);

++#endif

+ }

+ 

+ static apr_status_t ssl_init_ctx_verify(server_rec *s,

+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_io.c	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/ssl_engine_io.c	2015-01-19 15:42:53.908000000 +0100

+@@ -28,6 +28,7 @@ 

+                                   core keeps dumping.''

+                                             -- Unknown    */

+ #include "ssl_private.h"

++#include "mod_ssl.h"

+ #include "apr_date.h"

+ 

+ /*  _________________________________________________________________

+@@ -297,6 +298,7 @@ 

+     apr_pool_t *pool;

+     char buffer[AP_IOBUFSIZE];

+     ssl_filter_ctx_t *filter_ctx;

++    int alpn_finished;  /* 1 if ALPN has finished, 0 otherwise */

+ } bio_filter_in_ctx_t;

+ 

+ /*

+@@ -1412,6 +1414,43 @@ 

+         APR_BRIGADE_INSERT_TAIL(bb, bucket);

+     }

+ 

++#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)

++	/* By this point, Application-Layer Protocol Negotiation (ALPN) should be 

++	 * completed (if our version of OpenSSL supports it). If we haven't already, 

++	 * find out which protocol was decided upon and inform other modules 

++	 * by calling alpn_proto_negotiated_hook. 

++	 */

++	if (!inctx->alpn_finished) {

++		SSLConnRec *sslconn = myConnConfig(f->c);

++		const unsigned char *next_proto = NULL;

++		unsigned next_proto_len = 0;

++		int n;

++		

++		if (sslconn->alpn_negofns) {

++	#ifdef HAVE_TLS_ALPN

++			SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len);

++			ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,

++						  APLOGNO(02306) "SSL ALPN negotiated protocol: '%*s'",

++						  next_proto_len, (const char*)next_proto);

++	#else

++			SSL_get0_next_proto_negotiated(

++										   inctx->ssl, &next_proto, &next_proto_len);

++			ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,

++						  APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",

++						  next_proto_len, (const char*)next_proto);

++	#endif

++			for (n = 0; n < sslconn->alpn_negofns->nelts; n++) {

++				ssl_alpn_proto_negotiated fn =

++				APR_ARRAY_IDX(sslconn->alpn_negofns, n, ssl_alpn_proto_negotiated);

++				

++				if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE)

++				break;

++			}

++		}

++		inctx->alpn_finished = 1;

++	}

++#endif

++

+     return APR_SUCCESS;

+ }

+ 

+@@ -1893,6 +1932,7 @@ 

+     inctx->block = APR_BLOCK_READ;

+     inctx->pool = c->pool;

+     inctx->filter_ctx = filter_ctx;

++    inctx->alpn_finished = 0;

+ }

+ 

+ /* The request_rec pointer is passed in here only to ensure that the

+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_kernel.c	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/ssl_engine_kernel.c	2015-01-19 16:37:09.536000000 +0100

+@@ -29,6 +29,7 @@ 

+                                   time I was too famous.''

+                                             -- Unknown                */

+ #include "ssl_private.h"

++#include "mod_ssl.h"

+ #include "util_md5.h"

+ 

+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

+@@ -2136,6 +2131,270 @@ 

+ }

+ #endif /* HAVE_TLS_SESSION_TICKETS */

+ 

++static int ssl_array_index(apr_array_header_t *array,

++                           const unsigned char *s)

++{

++    int i;

++    for (i = 0; i < array->nelts; i++) {

++        const unsigned char *p = APR_ARRAY_IDX(array, i, const unsigned char*);

++        if (!strcmp((const char *)p, (const char *)s)) {

++            return i;

++        }

++    }

++    return -1;

++}

++

++#ifdef HAVE_TLS_ALPN

++/*

++ * Compare to ALPN protocol proposal. Result is similar to strcmp():

++ * 0 gives same precedence, >0 means proto1 is prefered.

++ */

++static int ssl_cmp_alpn_protos(modssl_ctx_t *ctx,

++							   const unsigned char *proto1,

++							   const unsigned char *proto2)

++{

++	/* TODO: we should have a mod_ssl configuration parameter. */

++    if (ctx && ctx->ssl_alpn_pref) {

++        int index1 = ssl_array_index(ctx->ssl_alpn_pref, proto1);

++        int index2 = ssl_array_index(ctx->ssl_alpn_pref, proto2);

++        if (index2 > index1) {

++            return (index1 >= 0)? 1 : -1;

++        }

++        else if (index1 > index2) {

++            return (index2 >= 0)? -1 : 1;

++        }

++    }

++    /* both have the same index (mabye -1 or no pref configured) and we compare

++     * the names so that spdy3 gets precedence over spdy2. That makes

++     * the outcome at least deterministic. */

++	return strcmp((const char *)proto1, (const char *)proto2);

++}

++

++/*

++ * This callback function is executed when the TLS Application Layer

++ * Protocol Negotiate Extension (ALPN, RFC 7301) is triggered by the client 

++ * hello, giving a list of desired protocol names (in descending preference) 

++ * to the server.

++ * The callback has to select a protocol name or return an error if none of

++ * the clients preferences is supported. 

++ * The selected protocol does not have to be on the client list, according

++ * to RFC 7301, so no checks are performed.

++ * The client protocol list is serialized as length byte followed by ascii

++ * characters (not null-terminated), followed by the next protocol name.

++ */

++int ssl_callback_alpn_select(SSL *ssl,

++							 const unsigned char **out, unsigned char *outlen,

++							 const unsigned char *in, unsigned int inlen, void *arg)

++{

++	conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);

++	SSLConnRec *sslconn = myConnConfig(c);

++    server_rec *s       = mySrvFromConn(c);

++    SSLSrvConfigRec *sc = mySrvConfig(s);

++    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);

++	const unsigned char *alpn_http1 = (const unsigned char*)"http/1.1";

++	apr_array_header_t *client_protos;

++	apr_array_header_t *proposed_protos;

++	int i;

++

++	/* If the connection object is not available,

++	 * then there's nothing for us to do. */

++	if (c == NULL) {

++		return SSL_TLSEXT_ERR_OK;

++	}

++	

++	if (inlen == 0) {

++		// someone tries to trick us?

++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)

++					  "alpn client protocol list empty");

++		return SSL_TLSEXT_ERR_ALERT_FATAL;

++	}

++	

++	client_protos = apr_array_make(c->pool, 0, sizeof(char *));

++	for (i = 0; i < inlen; /**/) {

++		unsigned int plen = in[i++];

++		if (plen + i > inlen) {

++			// someone tries to trick us?

++			ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)

++						  "alpn protocol identier too long");

++			return SSL_TLSEXT_ERR_ALERT_FATAL;

++		}

++		APR_ARRAY_PUSH(client_protos, char*) =

++			apr_pstrndup(c->pool, (const char *)in+i, plen);

++		i += plen;

++	}

++	

++	/* Regardless of installed hooks, the http/1.1 protocol is always

++	 * supported by us. Add it to the proposals if the client also

++	 * offers it. */

++	proposed_protos = apr_array_make(c->pool, client_protos->nelts+1,

++									 sizeof(char *));

++	if (ssl_array_index(client_protos, alpn_http1) >= 0) {

++		APR_ARRAY_PUSH(proposed_protos, const unsigned char*) = alpn_http1;

++	}

++	

++	if (sslconn->alpn_proposefns != NULL) {

++		/* Invoke our alpn_propos_proto hooks, giving other modules a chance to

++		 * propose protocol names for selection. We might have several such

++		 * hooks installed and if two make a proposal, we need to give 

++		 * preference to one.

++		 */

++		for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) {

++			ssl_alpn_propose_protos fn =

++				APR_ARRAY_IDX(sslconn->alpn_proposefns, i,

++							  ssl_alpn_propose_protos);

++			

++			if (fn(c, client_protos, proposed_protos) == DONE)

++				break;

++		}

++	}

++

++	if (proposed_protos->nelts <= 0) {

++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)

++					  "none of the client alpn protocols are supported");

++		return SSL_TLSEXT_ERR_ALERT_FATAL;

++	}

++	

++	/* Now select the most preferred protocol from the proposals. */

++	*out = APR_ARRAY_IDX(proposed_protos, 0, const unsigned char *);

++	for (i = 1; i < proposed_protos->nelts; ++i) {

++		const unsigned char *proto = APR_ARRAY_IDX(proposed_protos, i,

++												   const unsigned char*);

++		/* Do we prefer it over existing candidate? */

++		if (ssl_cmp_alpn_protos(mctx, *out, proto) < 0) {

++			*out = proto;

++		}

++	}

++	

++	size_t len = strlen((const char*)*out);

++	if (len > 255) {

++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)

++					  "alpn negotiated protocol name too long");

++		return SSL_TLSEXT_ERR_ALERT_FATAL;

++	}

++	*outlen = (unsigned char)len;

++

++	return SSL_TLSEXT_ERR_OK;

++}

++

++#elif defined(HAVE_TLS_NPN)

++/*

++ * This callback function is executed when SSL needs to decide what protocols

++ * to advertise during Next Protocol Negotiation (NPN).  It must produce a

++ * string in wire format -- a sequence of length-prefixed strings -- indicating

++ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb

++ * in OpenSSL for reference.

++ */

++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,

++                                     unsigned int *size_out, void *arg)

++{

++    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);

++    SSLConnRec *sslconn = myConnConfig(c);

++    server_rec *s       = mySrvFromConn(c);

++    SSLSrvConfigRec *sc = mySrvConfig(s);

++    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);

++    apr_array_header_t *protos;

++    int num_protos;

++    unsigned int size;

++    int i, j;

++    unsigned char *data;

++    unsigned char *start;

++

++    *data_out = NULL;

++    *size_out = 0;

++

++    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02306)

++                  "advertisingNextProtos");

++

++    /* If the connection object is not available, or there are no NPN

++     * hooks registered, then there's nothing for us to do. */

++    if (c == NULL || sslconn->alpn_proposefns == NULL) {

++        return SSL_TLSEXT_ERR_OK;

++    }

++

++    /* Invoke our alpn_propose_proto hook, giving other modules a chance to

++     * add alternate protocol names to advertise. */

++    protos = apr_array_make(c->pool, 0, sizeof(char *));

++    for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) {

++        ssl_alpn_propose_protos fn =

++            APR_ARRAY_IDX(sslconn->alpn_proposefns, i, ssl_alpn_propose_protos);

++        

++        if (fn(c, NULL, protos) == DONE)

++            break;

++    }

++    if (ssl_array_index(ssl_alpn_propose_protos, "http/1.1") < 0) {

++		APR_ARRAY_PUSH(ssl_alpn_propose_protos, const unsigned char*) = "http/1.1";

++    }

++    num_protos = protos->nelts;

++

++    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02306)

++                  "alpn protos %d to advertise, %d in pref config", num_protos, mctx->ssl_alpn_pref->nelts );

++	if (num_protos > 1 && mctx->ssl_alpn_pref && mctx->ssl_alpn_pref->nelts > 0) {

++		/* Sort the protocol names according to our configured preferences. */

++		int insert_idx = 0;

++		for (i = 0; i < mctx->ssl_alpn_pref->nelts; ++i) {

++			const char *proto = APR_ARRAY_IDX(mctx->ssl_alpn_pref, i, const char*);

++			int idx = ssl_array_index(protos, proto);

++			if (idx > insert_idx) {

++				/* bubble found protocol up */

++				for (j = idx; j > insert_idx; --j) {

++       ((const char **)protos->elts)[j] = ((const char **)protos->elts)[j-1];

++				}

++				((const char **)protos->elts)[insert_idx] = proto;

++				++insert_idx;

++			}

++		}

++	}

++    

++    /* We now have a list of null-terminated strings; we need to concatenate

++     * them together into a single string, where each protocol name is prefixed

++     * by its length.  First, calculate how long that string will be. */

++    size = 0;

++    for (i = 0; i < num_protos; ++i) {

++        const char *string = APR_ARRAY_IDX(protos, i, const char*);

++        unsigned int length = strlen(string);

++        /* If the protocol name is too long (the length must fit in one byte),

++         * then log an error and skip it. */

++        if (length > 255) {

++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)

++                          "SSL NPN protocol name too long (length=%u): %s",

++                          length, string);

++            continue;

++        }

++        /* Leave room for the length prefix (one byte) plus the protocol name

++         * itself. */

++        size += 1 + length;

++    }

++

++    /* If there is nothing to advertise (either because no modules added

++     * anything to the protos array, or because all strings added to the array

++     * were skipped), then we're done. */

++    if (size == 0) {

++        return SSL_TLSEXT_ERR_OK;

++    }

++

++    /* Now we can build the string.  Copy each protocol name string into the

++     * larger string, prefixed by its length. */

++    data = apr_palloc(c->pool, size * sizeof(unsigned char));

++    start = data;

++    for (i = 0; i < num_protos; ++i) {

++        const char *string = APR_ARRAY_IDX(protos, i, const char*);

++        apr_size_t length = strlen(string);

++        if (length > 255)

++            continue;

++        *start = (unsigned char)length;

++        ++start;

++        memcpy(start, string, length * sizeof(unsigned char));

++        start += length;

++    }

++

++    /* Success. */

++    *data_out = data;

++    *size_out = size;

++    return SSL_TLSEXT_ERR_OK;

++}

++

++#endif /* HAVE_TLS_NPN */

++

+ #ifdef HAVE_SRP

+ 

+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)

+--- gen/httpd-2.4.x/modules/ssl/ssl_private.h	2015-01-19 16:52:30.000000000 +0100

++++ gen/httpd-2.4.x/modules/ssl/ssl_private.h	2015-01-19 15:42:53.908000000 +0100

+@@ -176,6 +169,16 @@ 

+ #endif

+ #endif

+ 

++/* ALPN Protocol Negotiation */

++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)

++#define HAVE_TLS_ALPN

++#endif

++

++/* Next Protocol Negotiation */

++#if !defined(OPENSSL_NO_NEXTPROTONEG) && defined(OPENSSL_NPN_NEGOTIATED)

++#define HAVE_TLS_NPN

++#endif

++

+ /* Secure Remote Password */

+ #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)

+ #define HAVE_SRP

+@@ -443,6 +446,12 @@ 

+                      * connection */

+     } reneg_state;

+ 

++#ifdef HAVE_TLS_NPN

++    /* Poor man's inter-module optional hooks for NPN. */

++    apr_array_header_t *alpn_proposefns; /* list of ssl_alpn_propose_protos callbacks */

++    apr_array_header_t *alpn_negofns; /* list of ssl_alpn_proto_negotiated callbacks. */

++#endif

++

+     server_rec *server;

+ } SSLConnRec;

+ 

+@@ -622,6 +631,10 @@ 

+     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */

+     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */

+ #endif

++  

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++  apr_array_header_t *ssl_alpn_pref; /* protocol names in order of preference */

++#endif

+ } modssl_ctx_t;

+ 

+ struct SSLSrvConfigRec {

+@@ -748,6 +759,10 @@ 

+ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);

+ #endif

+ 

++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)

++const char *ssl_cmd_SSLAlpnPreference(cmd_parms *cmd, void *dcfg, const char *protocol);

++#endif

++

+ #ifdef HAVE_SRP

+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);

+ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);

+@@ -796,6 +811,14 @@ 

+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);

+ #endif

+ 

++#ifdef HAVE_TLS_ALPN

++int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,

++							 unsigned char *outlen, const unsigned char *in,

++							 unsigned int inlen, void *arg);

++#elif defined(HAVE_TLS_NPN)

++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);

++#endif

++

+ /**  Session Cache Support  */

+ apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);

+ void         ssl_scache_status_register(apr_pool_t *p);