
new apache, new alpn patch

Hanno Böck authored on 07/02/2015 17:59:25
Showing 3 changed files
@@ -2,10 +2,13 @@ AUX apache-2.4.9-libressl.diff 542 SHA256 d1ce461d5abdc131a80fbc694d574d52d51cba
2 2
 AUX apache-libressl2.diff 784 SHA256 15b6339b10289eeb26863dda1e3b10e745aa981544b202c46c13985182b35216 SHA512 2041b122237f2cb9bd0d32c31e00f43f30f86b167ce47648b337e199e780735bfa79feb236e0e38cf1930c19bd75eaddf4a5118dc360cbb93c02eb27bcc34a7e WHIRLPOOL 668ca1018c5262dd6bdd3185ebddbffec9c6b8e44baf99f0b6d95fb9e9dac35de2586605bc2d9e2b77837450bf827d4a00a4c8dc8d7847309913bb9c627da82b
3 3
 AUX apache.conf 55 SHA256 ea616c5cc37979a006d69c51bda43fca15a4327d33175762652b29f5cdea1c7b SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3 WHIRLPOOL fa348414f320a9f70001386dfb77d57ca4836c3ef3d251976077b7ad545d7f6752e534efadbf28c7dcb777388e3d844eba84b939dcf48881983388daf6ac23f0
4 4
 AUX apache2.2.service 716 SHA256 e850ad73585fbba52ade58a39ca91adbfd52f56a0bbd426ebcadb340a7dcb62b SHA512 5f736c803772077598248bbb41f76dff396dfd2f11a60d1ba929a619275efb8c1b4c0dab78cbcdf83b9ec94db67b958b3333b01f67d71eb3b2e07dba4bca2a7c WHIRLPOOL 776a928422b8f37a12099111a1503674ca901934b60dca8596dc8bc287390be9a0e912d7ba6226dcb22eb7c669fa298ddc20fd7bf5c275b0cf019bae0d594839
5
+AUX apache24-alpn.diff 21499 SHA256 5dc1a6c8f5a395a1a24b9d846a30d73a75e8b9b907acff5d06bacbf17ef82a1b SHA512 f0e01a94f0886de530d689a29811432a5f45a6c935e39d9683915718b3eb57e63cafe1db6c3015179b2f50610e19f0569f95c557f716b0a65a48331195bff1f9 WHIRLPOOL dca29eb0c00b0cff80fdd1fe95b06e832d2b1d18def9e5689fae4fafc11c395d402f3303ebe1ea1be1ad24d4a9f30b5f0ce2464c84556b830093b489cfaabe8c
5 6
 AUX mod_ssl_with_npn.patch 12614 SHA256 165d651fb536e0878b6f841f1031ac121c6061362cf5fc7d657f7be292ae7ff4 SHA512 7968ec245b8324269ce75e98eeca659f672cbfdb759a9e6c0f8e7dd72bdf442cda23fd57490fccd2bcd44fb9eaff452810440b3e5f72a63550601bc706c35e98 WHIRLPOOL 63f5ab18ca7fe1580833f2ac51b4678340883cd6bffa405010ccdd7f132aed29c9ab7db465ab86fa582df43a5e2bc55bd078e75b0e3371bbd72abfd8190ded45
6 7
 DIST gentoo-apache-2.4.10-r1-20140731.tar.bz2 24531 SHA256 8e093a18582c3a20283ed1c09de9acc6832a80b1d5a02962599db0535d38af19 SHA512 c54239df36d7ab30bd14a41241d94b4b49b92c5e50e64857da3e7cde7575d5c0a634d51710bdf75807a57932bf9447906407ae4ef6cb333d7197e82ba5052cd9 WHIRLPOOL 0d184763a033209eaa3c91f7050b24c2a2da24d930ed280a8aa99e32461ac31402e6fd8f57e2122a96e45a8308c4a332144ede7b511ceee352be2f38a6ef7839
7 8
 DIST httpd-2.4.10.tar.bz2 5031834 SHA256 176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a SHA512 e251f5b330da17a8920c589b9e0326d6dd45db28923167718db27b0af2edf769607e9ae6fbb859afbf0c345937fd59053423a2d74bd18ff2272a0f6a19a6496f WHIRLPOOL c9f81296052a61483ceef4ae4b4c467cf64a4035030472dc8c17355f572a4887ddc6179ade2a764a4e3f0cd4ab7cc34a3fa36577a148c3df7b8d44a5f1f0424d
9
+DIST httpd-2.4.12.tar.bz2 5054838 SHA256 ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4 SHA512 f69db14b421f0e1e4861fe4d8b652688d50ca9eb41c622242d11ae55687eb6c2142a8505a8c3fb6f2bd53167be535bc0a77ca1af97e0720930fc7f20f4c1f8e8 WHIRLPOOL 56512066e8978c4a3d47d0cc2bb92093fd468a9b2f46b8b07fe4db366f55fa5e74ae58bbebe2377cbe0c66f1585759115c786f62f18ac1abc534fb257689d250
8 10
 EBUILD apache-2.4.10-r1.ebuild 7683 SHA256 b712e57de7c6db718d659cf6f7ae5ae65d29a002c685118f7d1eeb8fa79ce4e1 SHA512 feed9e3d3a8cadd719a8284a8e49d6e311fa3fa2685af4d6fd67a4a525948bebea573e224001d731a9b8cf1377617145e7e851ae75486c692d99b38858f235fc WHIRLPOOL f40d9cde400cb230df82c44b5bd8a57fce399386974f09d93414f4015fea8391a61c1c995da0f0f649f375c0ea689f826fb075b2b8ddf6629f0a3f1cf5a3eccd
11
+EBUILD apache-2.4.12.ebuild 7682 SHA256 11db379e17343925764e2702c0262acff776af3d19b996ca728688268964e5ea SHA512 98b2c82329de5946b25484886152bcef6b6245895c79bf2722616965b9534eeaa3786c3a27e28e36b4d9a0208c514d5f38b6cff21a1d4d0479387a5f28edc7f6 WHIRLPOOL b72024db65c930b4eebf8039af27e96a526111972690eda7a8d0071d168fe766c9c08ac88fcb32bb5ad17f7029e69160116fd7b2f3502f71ce1cb97c11e0311d
9 12
 MISC ChangeLog 28375 SHA256 2fb3488641d831af6d172be612422c331ae572f6c739a2f86ac26b362c13ece5 SHA512 e2e6d28eae8f996b1d8e66ab7f97c2bdb9a038949f7b92d610e12791e0b700e4a3fc0b35aaacb57049b935d24a7987ae1fe22f1a28b1ab1f3a61c55604e12a68 WHIRLPOOL 409b5d569d05c9e0cb33fb450e62f36001da56e0c6c2c8221df926fe8e3a3bb9375315708d94194e557928eda3e11a585232858f32edf41b4af3f32c4cbc4bdb
10 13
 MISC ChangeLog-2008 105137 SHA256 4afec18ad3c76df40314edb37b5512f81ca6223c38a899534d9d15342481accf SHA512 92dfd339b1c4ddec29222076a597220dc7faa504e2ee770339892f155febbf34004e60395f9eb21b43d3b1feb5f362c2946b69cc65151b5ba00fb53b35ccb9c6 WHIRLPOOL 89d77300aafb53ae0632904118064de19313fe51f635512314471e845574e7a624a770ae4ca4e335cff67d4fee92e062d28ef985a54c577a1b8b3ea0f621c0f8
11 14
 MISC metadata.xml 2882 SHA256 bb1c73d9b53a1049c14b477d4441b09670ecafcf46a0ad114c24bb284d0d194a SHA512 bd9a0a5f26e1420aa6023160208d177e233f97f2265b8fad68772a084cbc9fabb2a186f14916a5a664b5590a6052fe039874ff96b1bd9d3dc530c3750561c7ce WHIRLPOOL 0e92d1cd3fbbf3f75ebd38e356a736061c9ea19afd40b06f58abe0ed86219223cafab188bbfa4ce9c91a8cc6619de47dfc3a68edc2c39e6a38476915ad8d48ba
12 15
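--- /dev/null
+++ b/apache-2.4.12.ebuild
@@ -0,0 +1,234 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.4.12.ebuild,v 1.1 2015/02/04 18:16:00 polynomial-c Exp $
+
+EAPI=5
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20140731"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.10-r1"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="peruser prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate
+dir dumpio env expires ext_filter file_cache filter headers ident imagemap
+include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi
+proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
+slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
+unixd version vhost_alias"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_http:proxy
+	proxy_scgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	info:INFO
+	ldap:LDAP
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_http:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit eutils apache-2 systemd toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="http://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
+IUSE=""
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/apache-2.4.9-libressl.diff
+	epatch "${FILESDIR}"/apache-libressl2.diff
+	epatch "${FILESDIR}"/apache24-alpn.diff
+	apache-2_src_prepare
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
+		rm "${ED}/"$i || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the 
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	local apxs="/usr/bin/apxs"
+	cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"
+	ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die
+	chmod 0755 "${ED}"${apxs} || die
+
+	# Note: wait for mod_systemd to be included in the next release,
+	# then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
+	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+}
+
+pkg_postinst()
+{
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+	# warnings that default config might not work out of the box
+	for mod in $MODULE_CRITICAL; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in $MODULE_CRITICAL; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [ ! $lbset ]; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}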
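Review bot: The scheduler check `if [ ! $lbset ]; then` in pkg_postinst only works because the unquoted, empty expansion collapses to `[ ! ]`; `if [ -z "${lbset}" ]; then` states what is meant and does not depend on that word-splitting. The same unquoted form recurs in the four prune loops in src_install (`rm "${ED}"/$i` three times and `rm "${ED}/"$i` once), where `rm "${ED}${i}"` would be the one uniform spelling. The user-facing line `ewarn "are highly recomended but might not be in the base profile yet."` misspells recommended. src_prepare applies `apache24-alpn.diff`, which patches mod_ssl's TLS handshake code, without any comment on where the patch comes from or which upstream httpd revision it tracks; a one-line comment above that epatch call naming its origin would help whoever has to rebase or audit it on the next httpd release.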
new file mode 100644
@@ -0,0 +1,586 @@
1
+--- gen/httpd-2.4.x/modules/ssl/mod_ssl.c	2015-01-19 16:52:30.000000000 +0100
2
+@@ -273,6 +270,12 @@ 
3
+ 		"OpenSSL configuration command")
4
+ #endif
5
+ 
6
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
7
++    SSL_CMD_SRV(AlpnPreference, ITERATE,
8
++                "Preference in Application-Layer Protocol Negotiation (ALPN), "
9
++                "protocols are chosed in the specified order")
10
++#endif
11
++    
12
+     /* Deprecated directives. */
13
+     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
14
+       "SSLLog directive is no longer supported - use ErrorLog."),
15
+@@ -423,6 +423,37 @@ 
16
+     return 1;
17
+ }
18
+ 
19
++static int modssl_register_alpn(conn_rec *c,
20
++                               ssl_alpn_propose_protos advertisefn,
21
++                               ssl_alpn_proto_negotiated negotiatedfn)
22
++{
23
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
24
++	SSLConnRec *sslconn = myConnConfig(c);
25
++	
26
++	if (!sslconn) {
27
++		return DECLINED;
28
++	}
29
++	
30
++	if (!sslconn->alpn_proposefns) {
31
++		sslconn->alpn_proposefns =
32
++		apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
33
++		sslconn->alpn_negofns =
34
++		apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated));
35
++	}
36
++	
37
++	if (advertisefn)
38
++		APR_ARRAY_PUSH(sslconn->alpn_proposefns, ssl_alpn_propose_protos) =
39
++			advertisefn;
40
++	if (negotiatedfn)
41
++		APR_ARRAY_PUSH(sslconn->alpn_negofns, ssl_alpn_proto_negotiated) =
42
++			negotiatedfn;
43
++	
44
++	return OK;
45
++#else
46
++    return DECLINED;
47
++#endif
48
++}
49
++
50
+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
51
+ {
52
+     SSLSrvConfigRec *sc;
53
+@@ -585,6 +616,7 @@ 
54
+ 
55
+     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
56
+     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
57
++    APR_REGISTER_OPTIONAL_FN(modssl_register_alpn);
58
+ 
59
+     ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
60
+                               AUTHZ_PROVIDER_VERSION,
61
+--- gen/httpd-2.4.x/modules/ssl/mod_ssl.h	2015-01-07 17:03:34.000000000 +0100
62
+@@ -63,5 +63,46 @@ 
63
+ 
64
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
65
+ 
66
++/** The alpn_propose_proto callback allows other modules to propose
67
++ * the name of the protocol that will be chosen during the
68
++ * Application-Layer Protocol Negotiation (ALPN) portion of the SSL handshake.
69
++ * The callback is given the connection and a list of NULL-terminated
70
++ * protocol strings as supported by the client.  If this client_protos is 
71
++ * non-empty, it must pick its preferred protocol from that list. Otherwise
72
++ * it should add its supported protocols in order of precedence.
73
++ * The callback should not yet modify the connection or install any filters
74
++ * as its proposal(s) may be overridden by another callback or server 
75
++ * configuration. 
76
++ * It should return OK or, to prevent further processing of (other modules') 
77
++ * callbacks, return DONE.
78
++ */
79
++typedef int (*ssl_alpn_propose_protos)(conn_rec *connection,
80
++									apr_array_header_t *client_protos,
81
++									apr_array_header_t *proposed_protos);
82
++
83
++/** The alpn_proto_negotiated callback allows other modules to discover
84
++ * the name of the protocol that was chosen during the Application-Layer
85
++ * Protocol Negotiation (ALPN) portion of the SSL handshake.  
86
++ * The callback is given the connection, a
87
++ * non-NUL-terminated string containing the protocol name, and the
88
++ * length of the string; it should do something appropriate
89
++ * (i.e. insert or remove filters) and return OK. To prevent further
90
++ * processing of (other modules') callbacks, return DONE. */
91
++typedef int (*ssl_alpn_proto_negotiated)(conn_rec *connection,
92
++                                        const char *proto_name,
93
++                                        apr_size_t proto_name_len);
94
++
95
++/* An optional function which can be used to register a pair of callbacks 
96
++ * for ALPN handling.
97
++ * This optional function should be invoked from a pre_connection hook 
98
++ * which runs *after* mod_ssl.c's pre_connection hook.  The function returns 
99
++ * OK if the callbacks are registered, or DECLINED otherwise (for example if 
100
++ * mod_ssl does not support ALPN).
101
++ */
102
++APR_DECLARE_OPTIONAL_FN(int, modssl_register_alpn,
103
++						(conn_rec *conn,
104
++						 ssl_alpn_propose_protos proposefn,
105
++						 ssl_alpn_proto_negotiated negotiatedfn));
106
++
107
+ #endif /* __MOD_SSL_H__ */
108
+ /** @} */
109
+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_config.c	2015-01-19 16:52:30.000000000 +0100
110
+@@ -159,6 +159,9 @@ 
111
+     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
112
+     mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
113
+ #endif
114
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
115
++    mctx->ssl_alpn_pref = apr_array_make(p, 5, sizeof(const char *));
116
++#endif
117
+ }
118
+ 
119
+ static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
120
+@@ -298,6 +300,9 @@ 
121
+ #ifdef HAVE_SSL_CONF_CMD
122
+     cfgMergeArray(ssl_ctx_param);
123
+ #endif
124
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
125
++    cfgMergeArray(ssl_alpn_pref);
126
++#endif
127
+ }
128
+ 
129
+ static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
130
+@@ -1868,6 +1861,16 @@ 
131
+     return NULL;
132
+ }
133
+ #endif
134
++
135
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
136
++const char *ssl_cmd_SSLAlpnPreference(cmd_parms *cmd, void *dcfg,
137
++                                      const char *protocol)
138
++{
139
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
140
++    APR_ARRAY_PUSH(sc->server->ssl_alpn_pref, const char *) = protocol;
141
++    return NULL;
142
++}
143
++#endif
144
+ 
145
+ #ifdef HAVE_SRP
146
+ 
147
+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_init.c	2015-01-19 16:52:30.000000000 +0100
148
+@@ -623,6 +613,14 @@ 
149
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
150
+ 
151
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
152
++
153
++#if defined(HAVE_TLS_ALPN)
154
++	SSL_CTX_set_alpn_select_cb(
155
++	   ctx, ssl_callback_alpn_select, NULL);
156
++#elif defined(HAVE_TLS_NPN)
157
++    SSL_CTX_set_next_protos_advertised_cb(
158
++        ctx, ssl_callback_AdvertiseNextProtos, NULL);
159
++#endif
160
+ }
161
+ 
162
+ static apr_status_t ssl_init_ctx_verify(server_rec *s,
163
+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_io.c	2015-01-19 16:52:30.000000000 +0100
164
+@@ -28,6 +28,7 @@ 
165
+                                   core keeps dumping.''
166
+                                             -- Unknown    */
167
+ #include "ssl_private.h"
168
++#include "mod_ssl.h"
169
+ #include "apr_date.h"
170
+ 
171
+ /*  _________________________________________________________________
172
+@@ -297,6 +298,7 @@ 
173
+     apr_pool_t *pool;
174
+     char buffer[AP_IOBUFSIZE];
175
+     ssl_filter_ctx_t *filter_ctx;
176
++    int alpn_finished;  /* 1 if ALPN has finished, 0 otherwise */
177
+ } bio_filter_in_ctx_t;
178
+ 
179
+ /*
180
+@@ -1412,6 +1414,43 @@ 
181
+         APR_BRIGADE_INSERT_TAIL(bb, bucket);
182
+     }
183
+ 
184
++#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)
185
++	/* By this point, Application-Layer Protocol Negotiation (ALPN) should be 
186
++	 * completed (if our version of OpenSSL supports it). If we haven't already, 
187
++	 * find out which protocol was decided upon and inform other modules 
188
++	 * by calling alpn_proto_negotiated_hook. 
189
++	 */
190
++	if (!inctx->alpn_finished) {
191
++		SSLConnRec *sslconn = myConnConfig(f->c);
192
++		const unsigned char *next_proto = NULL;
193
++		unsigned next_proto_len = 0;
194
++		int n;
195
++		
196
++		if (sslconn->alpn_negofns) {
197
++	#ifdef HAVE_TLS_ALPN
198
++			SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len);
199
++			ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
200
++						  APLOGNO(02306) "SSL ALPN negotiated protocol: '%*s'",
201
++						  next_proto_len, (const char*)next_proto);
202
++	#else
203
++			SSL_get0_next_proto_negotiated(
204
++										   inctx->ssl, &next_proto, &next_proto_len);
205
++			ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
206
++						  APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
207
++						  next_proto_len, (const char*)next_proto);
208
++	#endif
209
++			for (n = 0; n < sslconn->alpn_negofns->nelts; n++) {
210
++				ssl_alpn_proto_negotiated fn =
211
++				APR_ARRAY_IDX(sslconn->alpn_negofns, n, ssl_alpn_proto_negotiated);
212
++				
213
++				if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE)
214
++				break;
215
++			}
216
++		}
217
++		inctx->alpn_finished = 1;
218
++	}
219
++#endif
220
++
221
+     return APR_SUCCESS;
222
+ }
223
+ 
224
+@@ -1893,6 +1932,7 @@ 
225
+     inctx->block = APR_BLOCK_READ;
226
+     inctx->pool = c->pool;
227
+     inctx->filter_ctx = filter_ctx;
228
++    inctx->alpn_finished = 0;
229
+ }
230
+ 
231
+ /* The request_rec pointer is passed in here only to ensure that the
232
+--- gen/httpd-2.4.x/modules/ssl/ssl_engine_kernel.c	2015-01-19 16:52:30.000000000 +0100
233
+@@ -29,6 +29,7 @@ 
234
+                                   time I was too famous.''
235
+                                             -- Unknown                */
236
+ #include "ssl_private.h"
237
++#include "mod_ssl.h"
238
+ #include "util_md5.h"
239
+ 
240
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
241
+@@ -2136,6 +2131,270 @@ 
242
+ }
243
+ #endif /* HAVE_TLS_SESSION_TICKETS */
244
+ 
245
++static int ssl_array_index(apr_array_header_t *array,
246
++                           const unsigned char *s)
247
++{
248
++    int i;
249
++    for (i = 0; i < array->nelts; i++) {
250
++        const unsigned char *p = APR_ARRAY_IDX(array, i, const unsigned char*);
251
++        if (!strcmp((const char *)p, (const char *)s)) {
252
++            return i;
253
++        }
254
++    }
255
++    return -1;
256
++}
257
++
258
++#ifdef HAVE_TLS_ALPN
259
++/*
260
++ * Compare to ALPN protocol proposal. Result is similar to strcmp():
261
++ * 0 gives same precedence, >0 means proto1 is prefered.
262
++ */
263
++static int ssl_cmp_alpn_protos(modssl_ctx_t *ctx,
264
++							   const unsigned char *proto1,
265
++							   const unsigned char *proto2)
266
++{
267
++	/* TODO: we should have a mod_ssl configuration parameter. */
268
++    if (ctx && ctx->ssl_alpn_pref) {
269
++        int index1 = ssl_array_index(ctx->ssl_alpn_pref, proto1);
270
++        int index2 = ssl_array_index(ctx->ssl_alpn_pref, proto2);
271
++        if (index2 > index1) {
272
++            return (index1 >= 0)? 1 : -1;
273
++        }
274
++        else if (index1 > index2) {
275
++            return (index2 >= 0)? -1 : 1;
276
++        }
277
++    }
278
++    /* both have the same index (mabye -1 or no pref configured) and we compare
279
++     * the names so that spdy3 gets precedence over spdy2. That makes
280
++     * the outcome at least deterministic. */
281
++	return strcmp((const char *)proto1, (const char *)proto2);
282
++}
283
++
284
++/*
285
++ * This callback function is executed when the TLS Application Layer
286
++ * Protocol Negotiate Extension (ALPN, RFC 7301) is triggered by the client 
287
++ * hello, giving a list of desired protocol names (in descending preference) 
288
++ * to the server.
289
++ * The callback has to select a protocol name or return an error if none of
290
++ * the clients preferences is supported. 
291
++ * The selected protocol does not have to be on the client list, according
292
++ * to RFC 7301, so no checks are performed.
293
++ * The client protocol list is serialized as length byte followed by ascii
294
++ * characters (not null-terminated), followed by the next protocol name.
295
++ */
296
++int ssl_callback_alpn_select(SSL *ssl,
297
++							 const unsigned char **out, unsigned char *outlen,
298
++							 const unsigned char *in, unsigned int inlen, void *arg)
299
++{
300
++	conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
301
++	SSLConnRec *sslconn = myConnConfig(c);
302
++    server_rec *s       = mySrvFromConn(c);
303
++    SSLSrvConfigRec *sc = mySrvConfig(s);
304
++    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
305
++	const unsigned char *alpn_http1 = (const unsigned char*)"http/1.1";
306
++	apr_array_header_t *client_protos;
307
++	apr_array_header_t *proposed_protos;
308
++	int i;
309
++
310
++	/* If the connection object is not available,
311
++	 * then there's nothing for us to do. */
312
++	if (c == NULL) {
313
++		return SSL_TLSEXT_ERR_OK;
314
++	}
315
++	
316
++	if (inlen == 0) {
317
++		// someone tries to trick us?
318
++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)
319
++					  "alpn client protocol list empty");
320
++		return SSL_TLSEXT_ERR_ALERT_FATAL;
321
++	}
322
++	
323
++	client_protos = apr_array_make(c->pool, 0, sizeof(char *));
324
++	for (i = 0; i < inlen; /**/) {
325
++		unsigned int plen = in[i++];
326
++		if (plen + i > inlen) {
327
++			// someone tries to trick us?
328
++			ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)
329
++						  "alpn protocol identier too long");
330
++			return SSL_TLSEXT_ERR_ALERT_FATAL;
331
++		}
332
++		APR_ARRAY_PUSH(client_protos, char*) =
333
++			apr_pstrndup(c->pool, (const char *)in+i, plen);
334
++		i += plen;
335
++	}
336
++	
337
++	/* Regardless of installed hooks, the http/1.1 protocol is always
338
++	 * supported by us. Add it to the proposals if the client also
339
++	 * offers it. */
340
++	proposed_protos = apr_array_make(c->pool, client_protos->nelts+1,
341
++									 sizeof(char *));
342
++	if (ssl_array_index(client_protos, alpn_http1) >= 0) {
343
++		APR_ARRAY_PUSH(proposed_protos, const unsigned char*) = alpn_http1;
344
++	}
345
++	
346
++	if (sslconn->alpn_proposefns != NULL) {
347
++		/* Invoke our alpn_propos_proto hooks, giving other modules a chance to
348
++		 * propose protocol names for selection. We might have several such
349
++		 * hooks installed and if two make a proposal, we need to give 
350
++		 * preference to one.
351
++		 */
352
++		for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) {
353
++			ssl_alpn_propose_protos fn =
354
++				APR_ARRAY_IDX(sslconn->alpn_proposefns, i,
355
++							  ssl_alpn_propose_protos);
356
++			
357
++			if (fn(c, client_protos, proposed_protos) == DONE)
358
++				break;
359
++		}
360
++	}
361
++
362
++	if (proposed_protos->nelts <= 0) {
363
++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)
364
++					  "none of the client alpn protocols are supported");
365
++		return SSL_TLSEXT_ERR_ALERT_FATAL;
366
++	}
367
++	
368
++	/* Now select the most preferred protocol from the proposals. */
369
++	*out = APR_ARRAY_IDX(proposed_protos, 0, const unsigned char *);
370
++	for (i = 1; i < proposed_protos->nelts; ++i) {
371
++		const unsigned char *proto = APR_ARRAY_IDX(proposed_protos, i,
372
++												   const unsigned char*);
373
++		/* Do we prefer it over existing candidate? */
374
++		if (ssl_cmp_alpn_protos(mctx, *out, proto) < 0) {
375
++			*out = proto;
376
++		}
377
++	}
378
++	
379
++	size_t len = strlen((const char*)*out);
380
++	if (len > 255) {
381
++		ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02306)
382
++					  "alpn negotiated protocol name too long");
383
++		return SSL_TLSEXT_ERR_ALERT_FATAL;
384
++	}
385
++	*outlen = (unsigned char)len;
386
++
387
++	return SSL_TLSEXT_ERR_OK;
388
++}
389
++
390
++#elif defined(HAVE_TLS_NPN)
391
++/*
392
++ * This callback function is executed when SSL needs to decide what protocols
393
++ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
394
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
395
++ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
396
++ * in OpenSSL for reference.
397
++ */
398
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
399
++                                     unsigned int *size_out, void *arg)
400
++{
401
++    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
402
++    SSLConnRec *sslconn = myConnConfig(c);
403
++    server_rec *s       = mySrvFromConn(c);
404
++    SSLSrvConfigRec *sc = mySrvConfig(s);
405
++    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
406
++    apr_array_header_t *protos;
407
++    int num_protos;
408
++    unsigned int size;
409
++    int i, j;
410
++    unsigned char *data;
411
++    unsigned char *start;
412
++
413
++    *data_out = NULL;
414
++    *size_out = 0;
415
++
416
++    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02306)
417
++                  "advertisingNextProtos");
418
++
419
++    /* If the connection object is not available, or there are no NPN
420
++     * hooks registered, then there's nothing for us to do. */
421
++    if (c == NULL || sslconn->alpn_proposefns == NULL) {
422
++        return SSL_TLSEXT_ERR_OK;
423
++    }
424
++
425
++    /* Invoke our alpn_propose_proto hook, giving other modules a chance to
426
++     * add alternate protocol names to advertise. */
427
++    protos = apr_array_make(c->pool, 0, sizeof(char *));
428
++    for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) {
429
++        ssl_alpn_propose_protos fn =
430
++            APR_ARRAY_IDX(sslconn->alpn_proposefns, i, ssl_alpn_propose_protos);
431
++        
432
++        if (fn(c, NULL, protos) == DONE)
433
++            break;
434
++    }
435
++    if (ssl_array_index(ssl_alpn_propose_protos, "http/1.1") < 0) {
436
++		APR_ARRAY_PUSH(ssl_alpn_propose_protos, const unsigned char*) = "http/1.1";
437
++    }
438
++    num_protos = protos->nelts;
439
++
440
++    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02306)
441
++                  "alpn protos %d to advertise, %d in pref config", num_protos, mctx->ssl_alpn_pref->nelts );
442
++	if (num_protos > 1 && mctx->ssl_alpn_pref && mctx->ssl_alpn_pref->nelts > 0) {
443
++		/* Sort the protocol names according to our configured preferences. */
444
++		int insert_idx = 0;
445
++		for (i = 0; i < mctx->ssl_alpn_pref->nelts; ++i) {
446
++			const char *proto = APR_ARRAY_IDX(mctx->ssl_alpn_pref, i, const char*);
447
++			int idx = ssl_array_index(protos, proto);
448
++			if (idx > insert_idx) {
449
++				/* bubble found protocol up */
450
++				for (j = idx; j > insert_idx; --j) {
451
++       ((const char **)protos->elts)[j] = ((const char **)protos->elts)[j-1];
452
++				}
453
++				((const char **)protos->elts)[insert_idx] = proto;
454
++				++insert_idx;
455
++			}
456
++		}
457
++	}
458
++    
459
++    /* We now have a list of null-terminated strings; we need to concatenate
460
++     * them together into a single string, where each protocol name is prefixed
461
++     * by its length.  First, calculate how long that string will be. */
462
++    size = 0;
463
++    for (i = 0; i < num_protos; ++i) {
464
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
465
++        unsigned int length = strlen(string);
466
++        /* If the protocol name is too long (the length must fit in one byte),
467
++         * then log an error and skip it. */
468
++        if (length > 255) {
469
++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
470
++                          "SSL NPN protocol name too long (length=%u): %s",
471
++                          length, string);
472
++            continue;
473
++        }
474
++        /* Leave room for the length prefix (one byte) plus the protocol name
475
++         * itself. */
476
++        size += 1 + length;
477
++    }
478
++
479
++    /* If there is nothing to advertise (either because no modules added
480
++     * anything to the protos array, or because all strings added to the array
481
++     * were skipped), then we're done. */
482
++    if (size == 0) {
483
++        return SSL_TLSEXT_ERR_OK;
484
++    }
485
++
486
++    /* Now we can build the string.  Copy each protocol name string into the
487
++     * larger string, prefixed by its length. */
488
++    data = apr_palloc(c->pool, size * sizeof(unsigned char));
489
++    start = data;
490
++    for (i = 0; i < num_protos; ++i) {
491
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
492
++        apr_size_t length = strlen(string);
493
++        if (length > 255)
494
++            continue;
495
++        *start = (unsigned char)length;
496
++        ++start;
497
++        memcpy(start, string, length * sizeof(unsigned char));
498
++        start += length;
499
++    }
500
++
501
++    /* Success. */
502
++    *data_out = data;
503
++    *size_out = size;
504
++    return SSL_TLSEXT_ERR_OK;
505
++}
506
++
507
++#endif /* HAVE_TLS_NPN */
508
++
509
+ #ifdef HAVE_SRP
510
+ 
511
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
512
+--- gen/httpd-2.4.x/modules/ssl/ssl_private.h	2015-01-19 16:52:30.000000000 +0100
513
+@@ -176,6 +169,16 @@ 
514
+ #endif
515
+ #endif
516
+ 
517
++/* ALPN Protocol Negotiation */
518
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
519
++#define HAVE_TLS_ALPN
520
++#endif
521
++
522
++/* Next Protocol Negotiation */
523
++#if !defined(OPENSSL_NO_NEXTPROTONEG) && defined(OPENSSL_NPN_NEGOTIATED)
524
++#define HAVE_TLS_NPN
525
++#endif
526
++
527
+ /* Secure Remote Password */
528
+ #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
529
+ #define HAVE_SRP
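Review bot: The ssl_private.h part of this patch has a `--- gen/httpd-2.4.x/modules/ssl/ssl_private.h` header but no `+++` line before the `@@ -176,6 +169,16 @@` hunk, so it is not a well-formed unified diff and relies on the patch tool tolerating a missing new-file header; add `+++ gen/httpd-2.4.x/modules/ssl/ssl_private.h` directly after the `---` line. Separately, `HAVE_TLS_ALPN` and `HAVE_TLS_NPN` are derived independently here, so both are defined on an OpenSSL 1.0.2 build that still ships NPN; the declarations later in this file pick one with `#elif`, and the same mutual exclusion needs to hold wherever the callbacks are registered, which is outside this hunk.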
530
+@@ -443,6 +446,12 @@ 
531
+                      * connection */
532
+     } reneg_state;
533
+ 
534
++#ifdef HAVE_TLS_NPN
535
++    /* Poor man's inter-module optional hooks for NPN. */
536
++    apr_array_header_t *alpn_proposefns; /* list of ssl_alpn_propose_protos callbacks */
537
++    apr_array_header_t *alpn_negofns; /* list of ssl_alpn_proto_negotiated callbacks. */
538
++#endif
539
++
540
+     server_rec *server;
541
+ } SSLConnRec;
542
+ 
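Review bot: The `alpn_proposefns` and `alpn_negofns` members are compiled only under `#ifdef HAVE_TLS_NPN`, although their names and the `ssl_alpn_*` callback types suggest they serve the ALPN path as well; on an OpenSSL built with `OPENSSL_NO_NEXTPROTONEG`, `HAVE_TLS_ALPN` is defined but these fields disappear, and any ALPN code reading `sslconn->alpn_proposefns` would then fail to compile (the ALPN select callback is declared under `HAVE_TLS_ALPN` in a later hunk; its body is not visible here). Gate them on both features, `#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)`, and update the comment, which still says NPN only, to `/* Poor man's inter-module optional hooks for ALPN/NPN. */`.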
543
+@@ -622,6 +631,10 @@ 
544
+     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
545
+     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
546
+ #endif
547
++  
548
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
549
++  apr_array_header_t *ssl_alpn_pref; /* protocol names in order of preference */
550
++#endif
551
+ } modssl_ctx_t;
552
+ 
553
+ struct SSLSrvConfigRec {
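Review bot: `HAVE_ALPN_NPN` in the `#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)` guard is not defined anywhere in this patch; the feature macro introduced earlier in this file is `HAVE_TLS_ALPN`, so this reads as a typo and the `ssl_alpn_pref` member exists only when NPN is available. On an ALPN-only OpenSSL (`OPENSSL_NO_NEXTPROTONEG`) the preference list, and with it the configured protocol ordering, silently vanishes, or the build breaks if ALPN code references `mctx->ssl_alpn_pref`. Change the guard to `#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)`; the same misspelling appears in the `ssl_cmd_SSLAlpnPreference` declaration in the next hunk. The added lines also use two-space indentation and a whitespace-only line where the surrounding struct uses four spaces.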
554
+@@ -748,6 +759,10 @@ 
555
+ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
556
+ #endif
557
+ 
558
++#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
559
++const char *ssl_cmd_SSLAlpnPreference(cmd_parms *cmd, void *dcfg, const char *protocol);
560
++#endif
561
++
562
+ #ifdef HAVE_SRP
563
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
564
+ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
565
+@@ -796,6 +811,14 @@ 
566
+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
567
+ #endif
568
+ 
569
++#ifdef HAVE_TLS_ALPN
570
++int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
571
++							 unsigned char *outlen, const unsigned char *in,
572
++							 unsigned int inlen, void *arg);
573
++#elif defined(HAVE_TLS_NPN)
574
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
575
++#endif
576
++
577
+ /**  Session Cache Support  */
578
+ apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
579
+ void         ssl_scache_status_register(apr_pool_t *p);