author | Mike Frysinger <vapier@gentoo.org> | 2015-06-01 06:08:37 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-06-01 06:08:37 +0000 |
commit | 634c3a3fde38def44591695ae17e12d86a8c2591 (patch) | |
tree | e559b7d18ee413d8d5d945e3064b69b6c93fe657 /www-servers | |
parent | Mark ~ppc64 (bug #550798). (diff) | |
download | historical-634c3a3fde38def44591695ae17e12d86a8c2591.tar.gz historical-634c3a3fde38def44591695ae17e12d86a8c2591.tar.bz2 historical-634c3a3fde38def44591695ae17e12d86a8c2591.zip |
Add ALPN support via USE=alpn #471512.
Package-Manager: portage-2.2.20/cvs/Linux x86_64
Manifest-Sign-Key: 0xD2E96200
Diffstat (limited to 'www-servers')
-rw-r--r-- | www-servers/apache/ChangeLog | 8 | ||||
-rw-r--r-- | www-servers/apache/Manifest | 26 | ||||
-rw-r--r-- | www-servers/apache/apache-2.4.12-r1.ebuild | 233 | ||||
-rw-r--r-- | www-servers/apache/files/apache-2.4.12-alpn.patch | 476 | ||||
-rw-r--r-- | www-servers/apache/metadata.xml | 1 |
5 files changed, 741 insertions, 3 deletions
diff --git a/www-servers/apache/ChangeLog b/www-servers/apache/ChangeLog
index a1fca6aefb35..f5ab14971ab7 100644
--- a/www-servers/apache/ChangeLog
+++ b/www-servers/apache/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for www-servers/apache
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/ChangeLog,v 1.302 2015/03/16 21:53:50 polynomial-c Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/ChangeLog,v 1.303 2015/06/01 06:08:35 vapier Exp $
+
+*apache-2.4.12-r1 (01 Jun 2015)
+
+ 01 Jun 2015; Mike Frysinger <vapier@gentoo.org> +apache-2.4.12-r1.ebuild,
+ +files/apache-2.4.12-alpn.patch, metadata.xml:
+ Add ALPN support via USE=alpn #471512.
 
 16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r4.ebuild,
 -apache-2.4.10-r1.ebuild:
diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
index 25341b3e8634..6c7dd9beca6b 100644
--- a/www-servers/apache/Manifest
+++ b/www-servers/apache/Manifest
@@ -1,3 +1,7 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+AUX apache-2.4.12-alpn.patch 16871 SHA256 ead1bd4914c52e11172ff7457f77fb119dc1d735176ae149e6410fb96f3d67fa SHA512 f4ffa98d1ad6c7150f759470f74091b8e246de8b7c8a32fbda18d5bd3eb3f119e6175c0e649e33d664e5719405fd725f5d79548573abeaffaf42de68b2032e5c WHIRLPOOL b57db8087e5fed89223c56cba9a48dfa342427a960579881f29fa51e0e3f19b489041764f03675d46bfa1ca2b6a0877cf9b9a4cc008048c148219a96a65d5e6e
 AUX apache.conf 55 SHA256 ea616c5cc37979a006d69c51bda43fca15a4327d33175762652b29f5cdea1c7b SHA512 3a53beb7a283d17c14383f16ad14c0602681ac1b193cce8f5aca50ae9d9af3a71054ce4a9ab11cbcb72fe913459e1b306fd54660154e66afe10272f8c0f149f3 WHIRLPOOL fa348414f320a9f70001386dfb77d57ca4836c3ef3d251976077b7ad545d7f6752e534efadbf28c7dcb777388e3d844eba84b939dcf48881983388daf6ac23f0
 AUX apache2.2.service 716 SHA256 e850ad73585fbba52ade58a39ca91adbfd52f56a0bbd426ebcadb340a7dcb62b SHA512 5f736c803772077598248bbb41f76dff396dfd2f11a60d1ba929a619275efb8c1b4c0dab78cbcdf83b9ec94db67b958b3333b01f67d71eb3b2e07dba4bca2a7c WHIRLPOOL 776a928422b8f37a12099111a1503674ca901934b60dca8596dc8bc287390be9a0e912d7ba6226dcb22eb7c669fa298ddc20fd7bf5c275b0cf019bae0d594839
 DIST gentoo-apache-2.2.29-20140922.tar.bz2 64135 SHA256 8c69c36c2f40fb81ee905b4dd72ab74aab4563c75149d302f372a451498e2678 SHA512 1d9aa12aa3ab79b5f80ee3fda020b33ff6798e5b1abbcbc138acea06a1ab9968ad240d2bdf9c5dbb9640fa9fb6718eec7175df7cc0fb8574cc4d7d5cdfb5bcc4 WHIRLPOOL f655300f0dcd2f4503cbdb25983fed902e4b717ff57e06f66486bebd0ed7cb8df56387be74b4259bfffad949bb446c5ec28f89065b6d5239585324b610be7b88
@@ -5,7 +9,25 @@ DIST gentoo-apache-2.4.10-r1-20140731.tar.bz2 24531 SHA256 8e093a18582c3a20283ed
 DIST httpd-2.2.29.tar.bz2 5625498 SHA256 574b4f994b99178dfd5160bcb14025402e2ce381be9889b83e4be0ffbf5839a4 SHA512 0b953c97d79dfaaedaee72c6260e7a8e2e1711d47b19f9ace961b33f1226eeb58e37e04694a3e1207e0cf151a9ffbebf379d2bb81306bbf5111ec6db621a68b8 WHIRLPOOL d161104824c5bd6a42675489facf528a8ac2e727a8d2a295111b182e73bb17e7e8a52b720e74a37371e8bd3ddf5745afea32b32171831d95870daa440e7ac2a7
 DIST httpd-2.4.12.tar.bz2 5054838 SHA256 ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4 SHA512 f69db14b421f0e1e4861fe4d8b652688d50ca9eb41c622242d11ae55687eb6c2142a8505a8c3fb6f2bd53167be535bc0a77ca1af97e0720930fc7f20f4c1f8e8 WHIRLPOOL 56512066e8978c4a3d47d0cc2bb92093fd468a9b2f46b8b07fe4db366f55fa5e74ae58bbebe2377cbe0c66f1585759115c786f62f18ac1abc534fb257689d250
 EBUILD apache-2.2.29.ebuild 3105 SHA256 db3e7e9fd9663ca383e414acf04c964ab3971faf891a740285e4269332c74a45 SHA512 3a6b89e825f46c4a545c7a77840f7ebb6e1276d520789cd997cc5f43500ff1bdb8cce8aeb0ab2e4cd773c598ea3a30a21293d04757796ab495dbc088705cd76b WHIRLPOOL 16a2423411d9966bf40c259af251ddc639e9d11ab718193397ebd1b93ea00d27bb3178193531cadb0fc77f00842f6c9c9a7f3d5e41d2118006dc4bd34115f2f3
+EBUILD apache-2.4.12-r1.ebuild 7643 SHA256 289f6fd55c86aef607910afe115635bb9734a2b8b32be384150c52363f220334 SHA512 6b5d2f428dfcdf0927a20c670a98595f5e3db2c46de8bf46949996a72b7ad6e70322c5d4f12e48eceb374f607dba855cef3e1663995cd7cc8df634dfe21ea106 WHIRLPOOL eb1d92e1853c03af18bf45bef8ac2e4157f2536c3e4f18ebaac80de318af927db6962ac88c57e82d44d9c5d6745c64d3e047263fd87c1727d6d676ccc18e1120
 EBUILD apache-2.4.12.ebuild 7503 SHA256 c6f28b977d195170415b62b35ca333eb35d375737ba520e2d467e709d97f031b SHA512 046b065da89df8476fb25fa967ad38ef809545ff63386447323694c37376348b980da726eeb407eb356c69b31b0f66561f6f70d17f9cdaf1511f94281d7602c9 WHIRLPOOL 8f9100821cc4af6218fa10f08c3543222359b5543b558f53a1eed7c6eeb1fac1cd2aab5be5e43b45b2d1a13c56f413961c2c7e1ad74f43ab834c6bdbba4066b6
-MISC ChangeLog 29729 SHA256 7c51fea1413ff912c903ab957870628897134955dcc0b7020a89312d99b0dcbb SHA512 f788953f761f53850b601a891a6db6f5f56631bfd371a7ce1aef2dee3e0bbd4b1b4cb4243448f2cc79fea45175a27cd41fc224f68fe7f4949be446370a72d3e3 WHIRLPOOL 8c9cc560395ee479267ff17b875a1360a1927f255a22a1fb2ba42367c97d25fcaf4e4f2ecc07780266af9b2ce1d1e5bb8484ef1cff0a47fadc96be6e4fd84d9d
+MISC ChangeLog 29923 SHA256 df3cc20451db1984b471ad9dd1e16e44ccdd8719daf73ef357928c7d428fcbad SHA512 2036beb3ac92ea443e4ffdba988f4dc143b4ba2f8eaf832e55fe7209631569d1334545b2d6cec626eab747795c3b9c82ef18fd56f077ccf83097e12cf4935cd4 WHIRLPOOL 216927d8c6ac1f7dc92a97eaa4fb3641fdeebeedf9a2c2cd9b3c4b41d3273e7e46cc5d89117a54e313670d33c829f9e47475c3fae6aad601c8f10fc6e0be5566
 MISC ChangeLog-2008 105137 SHA256 4afec18ad3c76df40314edb37b5512f81ca6223c38a899534d9d15342481accf SHA512 92dfd339b1c4ddec29222076a597220dc7faa504e2ee770339892f155febbf34004e60395f9eb21b43d3b1feb5f362c2946b69cc65151b5ba00fb53b35ccb9c6 WHIRLPOOL 89d77300aafb53ae0632904118064de19313fe51f635512314471e845574e7a624a770ae4ca4e335cff67d4fee92e062d28ef985a54c577a1b8b3ea0f621c0f8
-MISC metadata.xml 2882 SHA256 bb1c73d9b53a1049c14b477d4441b09670ecafcf46a0ad114c24bb284d0d194a SHA512 bd9a0a5f26e1420aa6023160208d177e233f97f2265b8fad68772a084cbc9fabb2a186f14916a5a664b5590a6052fe039874ff96b1bd9d3dc530c3750561c7ce WHIRLPOOL 0e92d1cd3fbbf3f75ebd38e356a736061c9ea19afd40b06f58abe0ed86219223cafab188bbfa4ce9c91a8cc6619de47dfc3a68edc2c39e6a38476915ad8d48ba
+MISC metadata.xml 3003 SHA256 ade80af8a28c33f608299e6866e934c45314904423564ab43c8255b8b76086a4 SHA512 5bafdd07d8e9dc34450706b4cd8c9eb7630737cf87f404369b5eadd4aaf73b108cf32b96c1e6119f2abe316e37688d343302a31a899548329d0e6ebaa6962554 WHIRLPOOL 671989d9ef4ce2ff81fb635ff16a55922435497647ae46d6fb08014060e1ca3ca0be5b187f5401dfb5bec7547b378e64748706b64546a79fa615e91e7eaa4726
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCAAGBQJVa/blAAoJEPGu1DbS6WIAFLMP/3XQ0x6vw9IezbYnVAn0NSXx
+AMFHb5L60YIMjMsADwWOgK7EU3lY0QAYbrkUfv+GnomOK7crcEa7zhgzSealVqjL
+tkPimRrLiOI/SFA+R0P6yEllyDaYne59VHZtBjku8s8Q/q/tdsFrMJuooPMZZsQ5
+9ER0YNXLQ0DYAmdnYjbrsQOnUJx1RMI/IRsuTvCNN/q3sG/LPW252IHZvuWHXMh2
+8+16xBFJdyx6MxStSbghfxnCPAAwLt1znGOxE0z3+74OCFQddBlcJ91dhtv/ta8i
+ACysM87CcVzQvAFUPt4fpcsUVqsPAhdw2GxYvDw54/LMFQOCu/gvI0ZQ9+nEs9eB
+lWSuK90QITynlIppG/4jhALIY11PwfOjvlwN+g/5/9mejrDNj/9cluQAwKoz4sfY
+dILuCdQE2g/oG4VIfSDf9dSKe4PO6H1vxbBf/5sex8zkfSEtKy5uE5Iaz9gHY4yt
+6IHU90pfmr5ZJpukbDKFxjFDmv/fGxSgTFpty7XQkC2y9G6O37nGjls2aaRlB8oD
+DGbE4Mpwcnlbw630zoXCHk90KOiNEHiEiZ3dMzVJT5zlNiD2zHi36mfJZKSfMesb
+NGYvXFTppWn8wWfoW8P2nmUaPKMMxN0lQ6GWUNVcHuq1mDouOhmcIwiAH9KuJOhW
+biZBDM1QwzpPKPiA70H3
+=9KhC
+-----END PGP SIGNATURE-----
diff --git a/www-servers/apache/apache-2.4.12-r1.ebuild b/www-servers/apache/apache-2.4.12-r1.ebuild
new file mode 100644
index 000000000000..337665a183c5
--- /dev/null
+++ b/www-servers/apache/apache-2.4.12-r1.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.4.12-r1.ebuild,v 1.1 2015/06/01 06:08:35 vapier Exp $
+
+EAPI=5
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20140731"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.10-r1"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="peruser prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate
+dir dumpio env expires ext_filter file_cache filter headers ident imagemap
+include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi
+proxy_fcgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
+slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
+unixd version vhost_alias"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+ dav_fs:dav
+ dav_lock:dav
+ deflate:filter
+ cache_disk:cache
+ ext_filter:filter
+ file_cache:cache
+ lbmethod_byrequests:proxy_balancer
+ lbmethod_byrequests:slotmem_shm
+ lbmethod_bytraffic:proxy_balancer
+ lbmethod_bybusyness:proxy_balancer
+ lbmethod_heartbeat:proxy_balancer
+ log_forensic:log_config
+ logio:log_config
+ cache_disk:cache
+ mime_magic:mime
+ proxy_ajp:proxy
+ proxy_balancer:proxy
+ proxy_balancer:slotmem_shm
+ proxy_connect:proxy
+ proxy_ftp:proxy
+ proxy_http:proxy
+ proxy_scgi:proxy
+ proxy_fcgi:proxy
+ proxy_wstunnel:proxy
+ substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+ auth_digest:AUTH_DIGEST
+ authnz_ldap:AUTHNZ_LDAP
+ cache:CACHE
+ cache_disk:CACHE
+ dav:DAV
+ dav_fs:DAV
+ dav_lock:DAV
+ file_cache:CACHE
+ info:INFO
+ ldap:LDAP
+ proxy:PROXY
+ proxy_ajp:PROXY
+ proxy_balancer:PROXY
+ proxy_connect:PROXY
+ proxy_ftp:PROXY
+ proxy_http:PROXY
+ proxy_fcgi:PROXY
+ proxy_scgi:PROXY
+ proxy_wstunnel:PROXY
+ socache_shmcb:SSL
+ ssl:SSL
+ status:STATUS
+ suexec:SUEXEC
+ userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+ authn_core
+ authz_core
+ authz_host
+ dir
+ mime
+ unixd
+"
+inherit eutils apache-2 systemd toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="http://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
+IUSE="alpn"
+REQUIRED_USE="alpn? ( ssl )"
+
+pkg_setup() {
+ # dependend critical modules which are not allowed in global scope due
+ # to USE flag conditionals (bug #499260)
+ use ssl && MODULE_CRITICAL+=" socache_shmcb"
+ use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+ apache-2_pkg_setup
+}
+
+src_prepare() {
+ use alpn && epatch "${FILESDIR}"/${PN}-2.4.12-alpn.patch #471512
+ apache-2_src_prepare
+}
+
+src_configure() {
+ # Brain dead check.
+ tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+ apache-2_src_configure
+}
+
+src_compile() {
+ if tc-is-cross-compiler; then
+ # This header is the same across targets, so use the build compiler.
+ pushd server >/dev/null
+ emake gen_test_char
+ tc-export_build_env BUILD_CC
+ ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+ gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+ popd >/dev/null
+ fi
+
+ default
+}
+
+src_install() {
+ apache-2_src_install
+ for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+ done
+ for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+ done
+ for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
+ rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+ done
+ for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
+ rm "${ED}/"$i || die "Failed to prune apache-tools bits"
+ done
+
+ # install apxs in /usr/bin (bug #502384) and put a symlink into the
+ # old location until all ebuilds and eclasses have been modified to
+ # use the new location.
+ local apxs="/usr/bin/apxs"
+ cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"
+ ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die
+ chmod 0755 "${ED}"${apxs} || die
+
+ # Note: wait for mod_systemd to be included in the next release,
+ # then apache2.4.service can be used and systemd support controlled
+ # through --enable-systemd
+ systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
+ systemd_dotmpfilesd "${FILESDIR}/apache.conf"
+ #insinto /etc/apache2/modules.d
+ #doins "${FILESDIR}/00_systemd.conf"
+}
+
+pkg_postinst()
+{
+ apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+ # warnings that default config might not work out of the box
+ for mod in $MODULE_CRITICAL; do
+ if ! use "apache2_modules_${mod}"; then
+ echo
+ ewarn "Warning: Critical module not installed!"
+ ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+ ewarn "are highly recomended but might not be in the base profile yet."
+ ewarn "Default config for ssl needs module 'socache_shmcb'."
+ ewarn "Enabling the following flags is highly recommended:"
+ for cmod in $MODULE_CRITICAL; do
+ use "apache2_modules_${cmod}" || \
+ ewarn "+ apache2_modules_${cmod}"
+ done
+ echo
+ break
+ fi
+ done
+ # warning for proxy_balancer and missing load balancing scheduler
+ if use apache2_modules_proxy_balancer; then
+ local lbset=
+ for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+ if use "apache2_modules_${mod}"; then
+ lbset=1 && break
+ fi
+ done
+ if [ ! $lbset ]; then
+ echo
+ ewarn "Info: Missing load balancing scheduler algorithm module"
+ ewarn "(They were split off from proxy_balancer in 2.3)"
+ ewarn "In order to get the ability of load balancing, at least"
+ ewarn "one of these modules has to be present:"
+ ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+ echo
+ fi
+ fi
+}
diff --git a/www-servers/apache/files/apache-2.4.12-alpn.patch b/www-servers/apache/files/apache-2.4.12-alpn.patch
new file mode 100644
index 000000000000..25bb6e1b5145
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.12-alpn.patch
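Review bot: `src_prepare` applies the ALPN patch whenever USE=alpn is set, but the ebuild adds no dependency on an OpenSSL that actually provides ALPN; the patch's ssl_private.h hunk defines `HAVE_TLS_ALPN` only when `TLSEXT_TYPE_application_layer_protocol_negotiation` exists, so against an older OpenSSL the flag silently produces a build without ALPN and the new `ALPNPreference` directive is rejected at startup if configured. A conditional such as `DEPEND="alpn? ( >=dev-libs/openssl-<first ALPN-capable release> )"` (and the same in RDEPEND) would make the requirement explicit instead of relying on whatever ssl dependency the apache-2 eclass declares — I am inferring that the eclass owns the ssl dependency from `inherit eutils apache-2 systemd toolchain-funcs`; verify. Separately, `if [ ! $lbset ]; then` in pkg_postinst only works because `[ ! ]` with an empty expansion degenerates into a one-argument test; `if [ -z "${lbset}" ]; then` states the intent directly.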
@@ -0,0 +1,476 @@ +https://bugs.gentoo.org/471512 + +upstream apache has merged alpn into trunk: +https://issues.apache.org/bugzilla/show_bug.cgi?id=52210 +note: the bug is closed INVALID due to the npn discussion; go to the bottom to +see alpn merged into it trunk. unfortunately, it wasn't merged into the 2.4 +branch. + +the mod_h2 project has backported it to the 2.4 branch: +https://github.com/icing/mod_h2/tree/master/sandbox/httpd/patches +commit 73e4d0e9c813b58581a32a6948780fa948094cc1 + +--- modules/ssl/mod_ssl.c ++++ modules/ssl/mod_ssl.c +@@ -273,6 +273,12 @@ + "OpenSSL configuration command") + #endif + ++#ifdef HAVE_TLS_ALPN ++ SSL_CMD_SRV(ALPNPreference, ITERATE, ++ "Preference in Application-Layer Protocol Negotiation (ALPN), " ++ "protocols are chosen in the specified order") ++#endif ++ + /* Deprecated directives. */ + AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL, + "SSLLog directive is no longer supported - use ErrorLog."), +@@ -423,12 +448,44 @@ + return 1; + } + ++static int modssl_register_alpn(conn_rec *c, ++ ssl_alpn_propose_protos advertisefn, ++ ssl_alpn_proto_negotiated negotiatedfn) ++{ ++#ifdef HAVE_TLS_ALPN ++ SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (!sslconn) { ++ return DECLINED; ++ } ++ ++ if (!sslconn->alpn_proposefns) { ++ sslconn->alpn_proposefns = ++ apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos)); ++ sslconn->alpn_negofns = ++ apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated)); ++ } ++ ++ if (advertisefn) ++ APR_ARRAY_PUSH(sslconn->alpn_proposefns, ssl_alpn_propose_protos) = ++ advertisefn; ++ if (negotiatedfn) ++ APR_ARRAY_PUSH(sslconn->alpn_negofns, ssl_alpn_proto_negotiated) = ++ negotiatedfn; ++ ++ return OK; ++#else ++ return DECLINED; ++#endif ++} ++ + int ssl_init_ssl_connection(conn_rec *c, request_rec *r) + { + SSLSrvConfigRec *sc; + SSL *ssl; + SSLConnRec *sslconn = myConnConfig(c); + char *vhost_md5; ++ int rc; + modssl_ctx_t *mctx; + server_rec *server; + +@@ -585,6 +647,7 @@ 
+ + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); ++ APR_REGISTER_OPTIONAL_FN(modssl_register_alpn); + + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl", + AUTHZ_PROVIDER_VERSION, +--- modules/ssl/mod_ssl.h ++++ modules/ssl/mod_ssl.h +@@ -63,5 +93,46 @@ + + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + ++/** The alpn_propose_proto callback allows other modules to propose ++ * the name of the protocol that will be chosen during the ++ * Application-Layer Protocol Negotiation (ALPN) portion of the SSL handshake. ++ * The callback is given the connection and a list of NULL-terminated ++ * protocol strings as supported by the client. If this client_protos is ++ * non-empty, it must pick its preferred protocol from that list. Otherwise ++ * it should add its supported protocols in order of precedence. ++ * The callback should not yet modify the connection or install any filters ++ * as its proposal(s) may be overridden by another callback or server ++ * configuration. ++ * It should return OK or, to prevent further processing of (other modules') ++ * callbacks, return DONE. ++ */ ++typedef int (*ssl_alpn_propose_protos)(conn_rec *connection, ++ apr_array_header_t *client_protos, ++ apr_array_header_t *proposed_protos); ++ ++/** The alpn_proto_negotiated callback allows other modules to discover ++ * the name of the protocol that was chosen during the Application-Layer ++ * Protocol Negotiation (ALPN) portion of the SSL handshake. ++ * The callback is given the connection, a ++ * non-NUL-terminated string containing the protocol name, and the ++ * length of the string; it should do something appropriate ++ * (i.e. insert or remove filters) and return OK. To prevent further ++ * processing of (other modules') callbacks, return DONE. 
*/ ++typedef int (*ssl_alpn_proto_negotiated)(conn_rec *connection, ++ const char *proto_name, ++ apr_size_t proto_name_len); ++ ++/* An optional function which can be used to register a pair of callbacks ++ * for ALPN handling. ++ * This optional function should be invoked from a pre_connection hook ++ * which runs *after* mod_ssl.c's pre_connection hook. The function returns ++ * OK if the callbacks are registered, or DECLINED otherwise (for example if ++ * mod_ssl does not support ALPN). ++ */ ++APR_DECLARE_OPTIONAL_FN(int, modssl_register_alpn, ++ (conn_rec *conn, ++ ssl_alpn_propose_protos proposefn, ++ ssl_alpn_proto_negotiated negotiatedfn)); ++ + #endif /* __MOD_SSL_H__ */ + /** @} */ +--- modules/ssl/ssl_engine_config.c ++++ modules/ssl/ssl_engine_config.c +@@ -159,6 +160,9 @@ + SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE); + mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t)); + #endif ++#ifdef HAVE_TLS_ALPN ++ mctx->ssl_alpn_pref = apr_array_make(p, 5, sizeof(const char *)); ++#endif + } + + static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, +@@ -301,6 +307,9 @@ + #ifdef HAVE_SSL_CONF_CMD + cfgMergeArray(ssl_ctx_param); + #endif ++#ifdef HAVE_TLS_ALPN ++ cfgMergeArray(ssl_alpn_pref); ++#endif + } + + static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p, +@@ -1875,6 +1868,16 @@ + } + #endif + ++#ifdef HAVE_TLS_ALPN ++const char *ssl_cmd_SSLALPNPreference(cmd_parms *cmd, void *dcfg, ++ const char *protocol) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ APR_ARRAY_PUSH(sc->server->ssl_alpn_pref, const char *) = protocol; ++ return NULL; ++} ++#endif ++ + #ifdef HAVE_SRP + + const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, +--- modules/ssl/ssl_engine_init.c ++++ modules/ssl/ssl_engine_init.c +@@ -623,6 +646,11 @@ + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); ++ ++#ifdef HAVE_TLS_ALPN ++ SSL_CTX_set_alpn_select_cb( ++ 
ctx, ssl_callback_alpn_select, NULL); ++#endif + } + + static apr_status_t ssl_init_ctx_verify(server_rec *s, +--- modules/ssl/ssl_engine_io.c ++++ modules/ssl/ssl_engine_io.c +@@ -28,6 +28,7 @@ + core keeps dumping.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "apr_date.h" + + /* _________________________________________________________________ +@@ -297,6 +315,9 @@ + apr_pool_t *pool; + char buffer[AP_IOBUFSIZE]; + ssl_filter_ctx_t *filter_ctx; ++#ifdef HAVE_TLS_ALPN ++ int alpn_finished; /* 1 if ALPN has finished, 0 otherwise */ ++#endif + } bio_filter_in_ctx_t; + + /* +@@ -1412,6 +1485,37 @@ + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + ++#ifdef HAVE_TLS_ALPN ++ /* By this point, Application-Layer Protocol Negotiation (ALPN) should be ++ * completed (if our version of OpenSSL supports it). If we haven't already, ++ * find out which protocol was decided upon and inform other modules ++ * by calling alpn_proto_negotiated_hook. ++ */ ++ if (!inctx->alpn_finished) { ++ SSLConnRec *sslconn = myConnConfig(f->c); ++ const unsigned char *next_proto = NULL; ++ unsigned next_proto_len = 0; ++ int n; ++ ++ if (sslconn->alpn_negofns) { ++ SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len); ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, ++ APLOGNO(02836) "SSL negotiated protocol: '%s'", ++ (next_proto && next_proto_len)? 
++ apr_pstrmemdup(f->c->pool, (const char *)next_proto, ++ next_proto_len) : "(null)"); ++ for (n = 0; n < sslconn->alpn_negofns->nelts; n++) { ++ ssl_alpn_proto_negotiated fn = ++ APR_ARRAY_IDX(sslconn->alpn_negofns, n, ssl_alpn_proto_negotiated); ++ ++ if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE) ++ break; ++ } ++ } ++ inctx->alpn_finished = 1; ++ } ++#endif ++ + return APR_SUCCESS; + } + +@@ -1893,6 +1996,9 @@ + inctx->block = APR_BLOCK_READ; + inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; ++#ifdef HAVE_TLS_ALPN ++ inctx->alpn_finished = 0; ++#endif + } + + /* The request_rec pointer is passed in here only to ensure that the +--- modules/ssl/ssl_engine_kernel.c ++++ modules/ssl/ssl_engine_kernel.c +@@ -29,6 +29,7 @@ + time I was too famous.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "util_md5.h" + + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); +@@ -2137,6 +2162,153 @@ + } + #endif /* HAVE_TLS_SESSION_TICKETS */ + ++#ifdef HAVE_TLS_ALPN ++static int ssl_array_index(apr_array_header_t *array, ++ const char *s) ++{ ++ int i; ++ for (i = 0; i < array->nelts; i++) { ++ const char *p = APR_ARRAY_IDX(array, i, const char*); ++ if (!strcmp(p, s)) { ++ return i; ++ } ++ } ++ return -1; ++} ++ ++/* ++ * Compare two ALPN protocol proposal. Result is similar to strcmp(): ++ * 0 gives same precedence, >0 means proto1 is prefered. ++ */ ++static int ssl_cmp_alpn_protos(modssl_ctx_t *ctx, ++ const char *proto1, ++ const char *proto2) ++{ ++ /* TODO: we should have a mod_ssl configuration parameter. */ ++ if (ctx && ctx->ssl_alpn_pref) { ++ int index1 = ssl_array_index(ctx->ssl_alpn_pref, proto1); ++ int index2 = ssl_array_index(ctx->ssl_alpn_pref, proto2); ++ if (index2 > index1) { ++ return (index1 >= 0)? 1 : -1; ++ } ++ else if (index1 > index2) { ++ return (index2 >= 0)? 
-1 : 1; ++ } ++ } ++ /* both have the same index (mabye -1 or no pref configured) and we compare ++ * the names so that spdy3 gets precedence over spdy2. That makes ++ * the outcome at least deterministic. */ ++ return strcmp((const char *)proto1, (const char *)proto2); ++} ++ ++/* ++ * This callback function is executed when the TLS Application Layer ++ * Protocol Negotiate Extension (ALPN, RFC 7301) is triggered by the client ++ * hello, giving a list of desired protocol names (in descending preference) ++ * to the server. ++ * The callback has to select a protocol name or return an error if none of ++ * the clients preferences is supported. ++ * The selected protocol does not have to be on the client list, according ++ * to RFC 7301, so no checks are performed. ++ * The client protocol list is serialized as length byte followed by ascii ++ * characters (not null-terminated), followed by the next protocol name. ++ */ ++int ssl_callback_alpn_select(SSL *ssl, ++ const unsigned char **out, unsigned char *outlen, ++ const unsigned char *in, unsigned int inlen, void *arg) ++{ ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); ++ SSLConnRec *sslconn = myConnConfig(c); ++ server_rec *s = mySrvFromConn(c); ++ SSLSrvConfigRec *sc = mySrvConfig(s); ++ modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); ++ const char *alpn_http1 = "http/1.1"; ++ apr_array_header_t *client_protos; ++ apr_array_header_t *proposed_protos; ++ int i; ++ size_t len; ++ ++ /* If the connection object is not available, ++ * then there's nothing for us to do. */ ++ if (c == NULL) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ if (inlen == 0) { ++ // someone tries to trick us? ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02837) ++ "ALPN client protocol list empty"); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ ++ client_protos = apr_array_make(c->pool, 0, sizeof(char *)); ++ for (i = 0; i < inlen; /**/) { ++ unsigned int plen = in[i++]; ++ if (plen + i > inlen) { ++ // someone tries to trick us? 
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02838) ++ "ALPN protocol identier too long"); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ APR_ARRAY_PUSH(client_protos, char*) = ++ apr_pstrndup(c->pool, (const char *)in+i, plen); ++ i += plen; ++ } ++ ++ proposed_protos = apr_array_make(c->pool, client_protos->nelts+1, ++ sizeof(char *)); ++ ++ if (sslconn->alpn_proposefns != NULL) { ++ /* Invoke our alpn_propos_proto hooks, giving other modules a chance to ++ * propose protocol names for selection. We might have several such ++ * hooks installed and if two make a proposal, we need to give ++ * preference to one. ++ */ ++ for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) { ++ ssl_alpn_propose_protos fn = ++ APR_ARRAY_IDX(sslconn->alpn_proposefns, i, ++ ssl_alpn_propose_protos); ++ ++ if (fn(c, client_protos, proposed_protos) == DONE) ++ break; ++ } ++ } ++ ++ if (proposed_protos->nelts <= 0) { ++ /* Regardless of installed hooks, the http/1.1 protocol is always ++ * supported by us. Choose it if none other matches. */ ++ if (ssl_array_index(client_protos, alpn_http1) < 0) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02839) ++ "none of the client ALPN protocols are supported"); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ *out = (const unsigned char*)alpn_http1; ++ *outlen = (unsigned char)strlen(alpn_http1); ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Now select the most preferred protocol from the proposals. */ ++ *out = APR_ARRAY_IDX(proposed_protos, 0, const unsigned char *); ++ for (i = 1; i < proposed_protos->nelts; ++i) { ++ const char *proto = APR_ARRAY_IDX(proposed_protos, i, const char*); ++ /* Do we prefer it over existing candidate? 
*/ ++ if (ssl_cmp_alpn_protos(mctx, (const char *)*out, proto) < 0) { ++ *out = (const unsigned char*)proto; ++ } ++ } ++ ++ len = strlen((const char*)*out); ++ if (len > 255) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840) ++ "ALPN negotiated protocol name too long"); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ *outlen = (unsigned char)len; ++ ++ return SSL_TLSEXT_ERR_OK; ++} ++#endif ++ + #ifdef HAVE_SRP + + int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) +--- modules/ssl/ssl_private.h ++++ modules/ssl/ssl_private.h +@@ -182,6 +182,11 @@ + #include <openssl/srp.h> + #endif + ++/* ALPN Protocol Negotiation */ ++#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) ++#define HAVE_TLS_ALPN ++#endif ++ + #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ + + /* mod_ssl headers */ +@@ -443,6 +438,12 @@ + * connection */ + } reneg_state; + ++#ifdef HAVE_TLS_ALPN ++ /* Poor man's inter-module optional hooks for ALPN. */ ++ apr_array_header_t *alpn_proposefns; /* list of ssl_alpn_propose_protos callbacks */ ++ apr_array_header_t *alpn_negofns; /* list of ssl_alpn_proto_negotiated callbacks. 
*/ ++#endif ++ + server_rec *server; + } SSLConnRec; + +@@ -633,6 +633,10 @@ + SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */ + apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */ + #endif ++ ++#ifdef HAVE_TLS_ALPN ++ apr_array_header_t *ssl_alpn_pref; /* protocol names in order of preference */ ++#endif + } modssl_ctx_t; + + struct SSLSrvConfigRec { +@@ -763,6 +763,10 @@ + const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); + #endif + ++#ifdef HAVE_TLS_ALPN ++const char *ssl_cmd_SSLALPNPreference(cmd_parms *cmd, void *dcfg, const char *protocol); ++#endif ++ + #ifdef HAVE_SRP + const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); + const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); +@@ -815,6 +815,12 @@ + EVP_CIPHER_CTX *, HMAC_CTX *, int); + #endif + ++#ifdef HAVE_TLS_ALPN ++int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out, ++ unsigned char *outlen, const unsigned char *in, ++ unsigned int inlen, void *arg); ++#endif ++ + /** Session Cache Support */ + apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); + void ssl_scache_status_register(apr_pool_t *p); diff --git a/www-servers/apache/metadata.xml b/www-servers/apache/metadata.xml index d7b1a48889b0..90af7f43ad29 100644 --- a/www-servers/apache/metadata.xml +++ b/www-servers/apache/metadata.xml @@ -12,6 +12,7 @@ provides HTTP services in sync with the current HTTP standards. </longdescription> <use> + <flag name='alpn'>Enable support for Application-Layer Protocol Negotiation (ALPN) in TLS. Needed by HTTP/2.0.</flag> <flag name='suexec'>Install suexec with apache</flag> <flag name='static'>Link in apache2 modules statically rather then plugins</flag> <flag name='apache2_modules_access_compat'>Group authorizations based on host (name or IP address). Available as a compatibility module with previous versions.</flag> |
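Review bot: In `ssl_callback_alpn_select` the `if (c == NULL)` guard is placed after `SSLConnRec *sslconn = myConnConfig(c);`, `server_rec *s = mySrvFromConn(c);` and `myCtxConfig(sslconn, sc)` have already run in the declarations, so those lookups presumably dereference `c` before the guard can fire, and `sslconn` is never tested at all even though `sslconn->alpn_proposefns` is read later and `modssl_register_alpn` in the same patch treats a NULL `sslconn` as a normal condition. This callback is the first consumer of the client's ALPN list, so its prologue should not depend on the guard being unreachable; moving the lookups below the guard and returning early for a NULL `sslconn` closes both gaps, and the ssl_engine_io.c hunk reads `sslconn->alpn_negofns` with the same missing check. If those early returns are meant to decline ALPN rather than select a protocol, `SSL_TLSEXT_ERR_NOACK` expresses that without returning `SSL_TLSEXT_ERR_OK` while `*out`/`*outlen` are left unset — confirm against the OpenSSL release being targeted.
```c
int ssl_callback_alpn_select(SSL *ssl,
                             const unsigned char **out, unsigned char *outlen,
                             const unsigned char *in, unsigned int inlen, void *arg)
{
    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
    SSLConnRec *sslconn;
    server_rec *s;
    SSLSrvConfigRec *sc;
    modssl_ctx_t *mctx;
    /* … unchanged: remaining declarations … */

    /* Guard before any lookup that dereferences c. */
    if (c == NULL) {
        return SSL_TLSEXT_ERR_OK;
    }
    sslconn = myConnConfig(c);
    if (sslconn == NULL) {
        /* No SSL connection config; treat like the missing-connection case. */
        return SSL_TLSEXT_ERR_OK;
    }
    s = mySrvFromConn(c);
    sc = mySrvConfig(s);
    mctx = myCtxConfig(sslconn, sc);

    /* … unchanged: empty-list check, client protocol parsing, selection … */
```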