--- /dev/null
+BUILD
+BUILDROOT
+RPMS
+SRPMS
+tmp
--- /dev/null
+
+- fail gracefully if links is not installed on target system
+- source sysconfig/httpd for custom env. vars etc.
+- make httpd -t work even in SELinux
+- pass $OPTIONS to all $HTTPD invocation
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: Vendor-specific changes for better initscript integration
+
+--- httpd-2.4.1/support/apachectl.in.apctl
++++ httpd-2.4.1/support/apachectl.in
+@@ -44,19 +44,25 @@ ARGV="$@"
+ # the path to your httpd binary, including options if necessary
+ HTTPD='@exp_sbindir@/@progname@'
+ #
+-# pick up any necessary environment variables
+-if test -f @exp_sbindir@/envvars; then
+- . @exp_sbindir@/envvars
+-fi
+ #
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line. Designed for lynx, however other
+ # programs may work.
+-LYNX="@LYNX_PATH@ -dump"
++if [ -x "@LYNX_PATH@" ]; then
++ LYNX="@LYNX_PATH@ -dump"
++else
++ LYNX=none
++fi
+ #
+ # the URL to your server's mod_status status page. If you do not
+ # have one, then status and fullstatus will not work.
+ STATUSURL="http://localhost:@PORT@/server-status"
++
++# Source /etc/sysconfig/httpd for $HTTPD setting, etc.
++if [ -r /etc/sysconfig/httpd ]; then
++ . /etc/sysconfig/httpd
++fi
++
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -76,9 +82,27 @@ if [ "x$ARGV" = "x" ] ; then
+ ARGV="-h"
+ fi
+
++function checklynx() {
++if [ "$LYNX" = "none" ]; then
++ echo "The 'links' package is required for this functionality."
++ exit 8
++fi
++}
++
++function testconfig() {
++# httpd is denied terminal access in SELinux, so run in the
++# current context to get stdout from $HTTPD -t.
++if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
++ runcon -- `id -Z` $HTTPD $OPTIONS -t
++else
++ $HTTPD $OPTIONS -t
++fi
++ERROR=$?
++}
++
+ case $ACMD in
+ start|stop|restart|graceful|graceful-stop)
+- $HTTPD -k $ARGV
++ $HTTPD $OPTIONS -k $ARGV
+ ERROR=$?
+ ;;
+ startssl|sslstart|start-SSL)
+@@ -88,17 +112,18 @@ startssl|sslstart|start-SSL)
+ ERROR=2
+ ;;
+ configtest)
+- $HTTPD -t
+- ERROR=$?
++ testconfig
+ ;;
+ status)
++ checklynx
+ $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+ ;;
+ fullstatus)
++ checklynx
+ $LYNX $STATUSURL
+ ;;
+ *)
+- $HTTPD "$@"
++ $HTTPD $OPTIONS "$@"
+ ERROR=$?
+ esac
+
--- /dev/null
+
+Bump up the core size limit if CoreDumpDirectory is
+configured.
+
+Upstream-Status: Was discussed but there are competing desires;
+ there are portability oddities here too.
+
+--- httpd-2.4.1/server/core.c.corelimit
++++ httpd-2.4.1/server/core.c
+@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
+ }
+ apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+ apr_pool_cleanup_null);
++
++#ifdef RLIMIT_CORE
++ if (ap_coredumpdir_configured) {
++ struct rlimit lim;
++
++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++ lim.rlim_cur = lim.rlim_max;
++ if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "core dump file size limit raised to %lu bytes",
++ lim.rlim_cur);
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++ "core dump file size is zero, setrlimit failed");
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
--- /dev/null
+
+Link straight against .la files.
+
+Upstream-Status: vendor specific
+
+--- httpd-2.4.1/configure.in.deplibs
++++ httpd-2.4.1/configure.in
+@@ -707,9 +707,9 @@ APACHE_HELP_STRING(--with-suexec-umask,u
+
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+- AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
++ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+ fi
+-AP_LIBS="$AP_LIBS `$apr_config --link-libtool --libs`"
++AP_LIBS="$AP_LIBS `$apr_config --link-libtool`"
+ APACHE_SUBST(AP_LIBS)
+ APACHE_SUBST(AP_BUILD_SRCLIB_DIRS)
+ APACHE_SUBST(AP_CLEAN_SRCLIB_DIRS)
--- /dev/null
+diff --git a/acinclude.m4 b/acinclude.m4
+index 580eb4a..bd7e2c9 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -594,6 +594,30 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
+ fi
+ ])
+
++AC_DEFUN(APACHE_CHECK_SYSTEMD, [
++dnl Check for systemd support for listen.c's socket activation.
++case $host in
++*-linux-*)
++ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon`
++ else
++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
++ fi
++ if test -n "$SYSTEMD_LIBS"; then
++ AC_CHECK_HEADERS(systemd/sd-daemon.h)
++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
++ AC_MSG_WARN([Your system does not support systemd.])
++ else
++ APR_ADDTO(LIBS, [$SYSTEMD_LIBS])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
++ fi
++ fi
++ ;;
++esac
++])
++
+ dnl
+ dnl APACHE_EXPORT_ARGUMENTS
+ dnl Export (via APACHE_SUBST) the various path-related variables that
+diff --git a/configure.in b/configure.in
+index 19a5f88..f096de3 100644
+--- a/configure.in
++++ b/configure.in
+@@ -509,6 +509,8 @@ if test "$ac_cv_struct_tm_gmtoff" = "yes"; then
+ AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field])
+ fi
+
++APACHE_CHECK_SYSTEMD
++
+ dnl ## Set up any appropriate OS-specific environment variables for apachectl
+
+ case $host in
--- /dev/null
+From 20656c3b77cc548b59fea3bde5e2b7705d71c427 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= <jkaluza@apache.org>
+Date: Mon, 18 Aug 2014 07:43:43 +0000
+Subject: [PATCH] prefork: Ignore SIGINT in child. This fixes race-condition in
+ signals handling when httpd is runnning on foreground and user hits ctrl+c.
+ In this case, SIGINT is sent to all children followed by SIGTERM from the
+ main process, which interrupts the SIGINT handler and leads to inconsistency
+ (process freezes or crashes).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/mpm/prefork/prefork.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
+index 8790ec0..d6c038b 100644
+--- a/server/mpm/prefork/prefork.c
++++ b/server/mpm/prefork/prefork.c
+@@ -222,6 +222,9 @@ static void clean_child_exit(int code)
+ {
+ mpm_state = AP_MPMQ_STOPPING;
+
++ apr_signal(SIGHUP, SIG_IGN);
++ apr_signal(SIGTERM, SIG_IGN);
++
+ if (pchild) {
+ apr_pool_destroy(pchild);
+ }
+@@ -817,6 +820,13 @@ static int make_child(server_rec *s, int slot)
+ */
+ apr_signal(SIGHUP, just_die);
+ apr_signal(SIGTERM, just_die);
++ /* Ignore SIGINT in child. This fixes race-condition in signals
++ * handling when httpd is runnning on foreground and user hits ctrl+c.
++ * In this case, SIGINT is sent to all children followed by SIGTERM
++ * from the main process, which interrupts the SIGINT handler and
++ * leads to inconsistency.
++ */
++ apr_signal(SIGINT, SIG_IGN);
+ /* The child process just closes listeners on AP_SIG_GRACEFUL.
+ * The pod is used for signalling the graceful restart.
+ */
+--
+2.0.4
+
--- /dev/null
+diff --git a/server/listen.c b/server/listen.c
+index 1d9be83..f5f7754 100644
+--- a/server/listen.c
++++ b/server/listen.c
+@@ -34,6 +34,10 @@
+ #include <unistd.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ /* we know core's module_index is 0 */
+ #undef APLOG_MODULE_INDEX
+ #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
+@@ -59,9 +63,12 @@ static int ap_listenbacklog;
+ static int ap_listencbratio;
+ static int send_buffer_size;
+ static int receive_buffer_size;
++#ifdef HAVE_SYSTEMD
++static int use_systemd = -1;
++#endif
+
+ /* TODO: make_sock is just begging and screaming for APR abstraction */
+-static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
++static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_listen)
+ {
+ apr_socket_t *s = server->sd;
+ int one = 1;
+@@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+ return stat;
+ }
+
+-#if APR_HAVE_IPV6
+- if (server->bind_addr->family == APR_INET6) {
+- stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
+- if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
+- ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
+- "make_sock: for address %pI, apr_socket_opt_set: "
+- "(IPV6_V6ONLY)",
+- server->bind_addr);
+- apr_socket_close(s);
+- return stat;
+- }
+- }
+-#endif
+-
+ /*
+ * To send data over high bandwidth-delay connections at full
+ * speed we must force the TCP window to open wide enough to keep the
+@@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+ }
+ #endif
+
+- if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) {
+- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072)
+- "make_sock: could not bind to address %pI",
+- server->bind_addr);
+- apr_socket_close(s);
+- return stat;
+- }
++ if (do_bind_listen) {
++#if APR_HAVE_IPV6
++ if (server->bind_addr->family == APR_INET6) {
++ stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
++ if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
++ "make_sock: for address %pI, apr_socket_opt_set: "
++ "(IPV6_V6ONLY)",
++ server->bind_addr);
++ apr_socket_close(s);
++ return stat;
++ }
++ }
++#endif
+
+- if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) {
+- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073)
+- "make_sock: unable to listen for connections "
+- "on address %pI",
+- server->bind_addr);
+- apr_socket_close(s);
+- return stat;
++ if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) {
++ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072)
++ "make_sock: could not bind to address %pI",
++ server->bind_addr);
++ apr_socket_close(s);
++ return stat;
++ }
++
++ if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) {
++ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073)
++ "make_sock: unable to listen for connections "
++ "on address %pI",
++ server->bind_addr);
++ apr_socket_close(s);
++ return stat;
++ }
+ }
+
+ #ifdef WIN32
+@@ -277,6 +286,124 @@ static apr_status_t close_listeners_on_exec(void *v)
+ return APR_SUCCESS;
+ }
+
++
++#ifdef HAVE_SYSTEMD
++
++static int find_systemd_socket(process_rec * process, apr_port_t port) {
++ int fdcount, fd;
++ int sdc = sd_listen_fds(0);
++
++ if (sdc < 0) {
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486)
++ "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d",
++ sdc);
++ return -1;
++ }
++
++ if (sdc == 0) {
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487)
++ "find_systemd_socket: At least one socket must be set.");
++ return -1;
++ }
++
++ fdcount = atoi(getenv("LISTEN_FDS"));
++ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) {
++ if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) {
++ return fd;
++ }
++ }
++
++ return -1;
++}
++
++static apr_status_t alloc_systemd_listener(process_rec * process,
++ int fd, const char *proto,
++ ap_listen_rec **out_rec)
++{
++ apr_status_t rv;
++ struct sockaddr sa;
++ socklen_t len = sizeof(struct sockaddr);
++ apr_os_sock_info_t si;
++ ap_listen_rec *rec;
++ *out_rec = NULL;
++
++ memset(&si, 0, sizeof(si));
++
++ rv = getsockname(fd, &sa, &len);
++
++ if (rv != 0) {
++ rv = apr_get_netos_error();
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02489)
++ "getsockname on %d failed.", fd);
++ return rv;
++ }
++
++ si.os_sock = &fd;
++ si.family = sa.sa_family;
++ si.local = &sa;
++ si.type = SOCK_STREAM;
++ si.protocol = APR_PROTO_TCP;
++
++ rec = apr_palloc(process->pool, sizeof(ap_listen_rec));
++ rec->active = 0;
++ rec->next = 0;
++
++
++ rv = apr_os_sock_make(&rec->sd, &si, process->pool);
++ if (rv != APR_SUCCESS) {
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02490)
++ "apr_os_sock_make on %d failed.", fd);
++ return rv;
++ }
++
++ rv = apr_socket_addr_get(&rec->bind_addr, APR_LOCAL, rec->sd);
++ if (rv != APR_SUCCESS) {
++ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02491)
++ "apr_socket_addr_get on %d failed.", fd);
++ return rv;
++ }
++
++ rec->protocol = apr_pstrdup(process->pool, proto);
++
++ *out_rec = rec;
++
++ return make_sock(process->pool, rec, 0);
++}
++
++static const char *set_systemd_listener(process_rec *process, apr_port_t port,
++ const char *proto)
++{
++ ap_listen_rec *last, *new;
++ apr_status_t rv;
++ int fd = find_systemd_socket(process, port);
++ if (fd < 0) {
++ return "Systemd socket activation is used, but this port is not "
++ "configured in systemd";
++ }
++
++ last = ap_listeners;
++ while (last && last->next) {
++ last = last->next;
++ }
++
++ rv = alloc_systemd_listener(process, fd, proto, &new);
++ if (rv != APR_SUCCESS) {
++ return "Failed to setup socket passed by systemd using socket activation";
++ }
++
++ if (last == NULL) {
++ ap_listeners = last = new;
++ }
++ else {
++ last->next = new;
++ last = new;
++ }
++
++ return NULL;
++}
++
++#endif /* HAVE_SYSTEMD */
++
+ static const char *alloc_listener(process_rec *process, char *addr,
+ apr_port_t port, const char* proto,
+ void *slave)
+@@ -479,7 +606,7 @@ static int open_listeners(apr_pool_t *pool)
+ }
+ }
+ #endif
+- if (make_sock(pool, lr) == APR_SUCCESS) {
++ if (make_sock(pool, lr, 1) == APR_SUCCESS) {
+ ++num_open;
+ }
+ else {
+@@ -591,8 +718,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
+ }
+ }
+
+- if (open_listeners(s->process->pool)) {
+- return 0;
++#ifdef HAVE_SYSTEMD
++ if (use_systemd) {
++ const char *userdata_key = "ap_open_systemd_listeners";
++ void *data;
++ /* clear the enviroment on our second run
++ * so that none of our future children get confused.
++ */
++ apr_pool_userdata_get(&data, userdata_key, s->process->pool);
++ if (!data) {
++ apr_pool_userdata_set((const void *)1, userdata_key,
++ apr_pool_cleanup_null, s->process->pool);
++ }
++ else {
++ sd_listen_fds(1);
++ }
++ }
++ else
++#endif
++ {
++ if (open_listeners(s->process->pool)) {
++ return 0;
++ }
+ }
+
+ for (lr = ap_listeners; lr; lr = lr->next) {
+@@ -682,7 +829,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
+ duplr->bind_addr);
+ return stat;
+ }
+- make_sock(p, duplr);
++ make_sock(p, duplr, 1);
+ #if AP_NONBLOCK_WHEN_MULTI_LISTEN
+ use_nonblock = (ap_listeners && ap_listeners->next);
+ stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock);
+@@ -809,6 +956,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+ if (argc < 1 || argc > 2) {
+ return "Listen requires 1 or 2 arguments.";
+ }
++#ifdef HAVE_SYSTEMD
++ if (use_systemd == -1) {
++ use_systemd = sd_listen_fds(0) > 0;
++ }
++#endif
+
+ rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool);
+ if (rv != APR_SUCCESS) {
+@@ -840,6 +992,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+ ap_str_tolower(proto);
+ }
+
++#ifdef HAVE_SYSTEMD
++ if (use_systemd) {
++ return set_systemd_listener(cmd->server->process, port, proto);
++ }
++#endif
++
+ return alloc_listener(cmd->server->process, host, port, proto, NULL);
+ }
+
--- /dev/null
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
+@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
+@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ sc->proxy->auth.cipher_suite = arg;
+
--- /dev/null
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 717a694..a3ce718 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -395,6 +395,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+ return sslconn;
+ }
+
++static typeof(ssl_proxy_enable) *othermod_proxy_enable;
++static typeof(ssl_engine_disable) *othermod_engine_disable;
++
+ int ssl_proxy_enable(conn_rec *c)
+ {
+ SSLSrvConfigRec *sc;
+@@ -403,6 +406,12 @@ int ssl_proxy_enable(conn_rec *c)
+ sc = mySrvConfig(sslconn->server);
+
+ if (!sc->proxy_enabled) {
++ if (othermod_proxy_enable) {
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++ "mod_ssl proxy not configured, passing through to other module.");
++ return othermod_proxy_enable(c);
++ }
++
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+ "SSL Proxy requested for %s but not enabled "
+ "[Hint: SSLProxyEngine]", sc->vhost_id);
+@@ -422,6 +431,10 @@ int ssl_engine_disable(conn_rec *c)
+
+ SSLConnRec *sslconn = myConnConfig(c);
+
++ if (othermod_engine_disable) {
++ othermod_engine_disable(c);
++ }
++
+ if (sslconn) {
+ sc = mySrvConfig(sslconn->server);
+ }
+@@ -621,6 +634,9 @@ static void ssl_register_hooks(apr_pool_t *p)
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+
+ ssl_var_register(p);
++
++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index a6b0d0d..24fd8c7 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -54,6 +54,8 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char
+ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
+ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+
+ static SSLConnRec *ssl_get_effective_config(conn_rec *c)
+ {
+@@ -68,7 +70,9 @@ static SSLConnRec *ssl_get_effective_config(conn_rec *c)
+ static int ssl_is_https(conn_rec *c)
+ {
+ SSLConnRec *sslconn = ssl_get_effective_config(c);
+- return sslconn && sslconn->ssl;
++
++ return (sslconn && sslconn->ssl)
++ || (othermod_is_https && othermod_is_https(c));
+ }
+
+ static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
+@@ -137,6 +141,9 @@ void ssl_var_register(apr_pool_t *p)
+ {
+ char *cp, *cp2;
+
++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
+@@ -272,6 +279,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
+ */
+ if (result == NULL && c != NULL) {
+ SSLConnRec *sslconn = ssl_get_effective_config(c);
++
++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++ /* For an SSL_* variable, if mod_ssl is not enabled for
++ * this connection and another SSL module is present, pass
++ * through to that module. */
++ return othermod_var_lookup(p, s, c, r, var);
++ }
++
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+ && sslconn && sslconn->ssl)
+ result = ssl_var_lookup_ssl(p, sslconn, r, var+4);
--- /dev/null
+
+- Fix config for /icons/ dir to allow symlink to poweredby.png.
+
+- Avoid using coredump GIF for a directory called "core"
+
+--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons
++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
+@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
+ Alias /icons/ "@exp_iconsdir@/"
+
+ <Directory "@exp_iconsdir@">
+- Options Indexes MultiViews
++ Options Indexes MultiViews FollowSymlinks
+ AllowOverride None
+ Require all granted
+ </Directory>
+@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+-AddIcon /icons/bomb.gif core
++AddIcon /icons/bomb.gif core.
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
--- /dev/null
+
+Upstream-Status: vendor specific patch
+
+diff --git a/support/apachectl.in b/support/apachectl.in
+index c6ac3ea..2599386 100644
+--- a/support/apachectl.in
++++ b/support/apachectl.in
+@@ -100,9 +100,24 @@ fi
+ ERROR=$?
+ }
+
++if [ "x$2" != "x" ] ; then
++ echo Passing arguments to httpd using apachectl is no longer supported.
++ echo You can only start/stop/restart httpd using this script.
++ echo If you want to pass extra arguments to httpd, edit the
++ echo /etc/sysconfig/httpd config file.
++fi
++
+ case $ACMD in
+-start|stop|restart|graceful|graceful-stop)
+- $HTTPD $OPTIONS -k $ARGV
++start|stop|restart|status)
++ /usr/bin/systemctl $ACMD httpd.service
++ ERROR=$?
++ ;;
++graceful)
++ /usr/bin/systemctl reload httpd.service
++ ERROR=$?
++ ;;
++graceful-stop)
++ /usr/bin/systemctl stop httpd.service
+ ERROR=$?
+ ;;
+ startssl|sslstart|start-SSL)
+@@ -114,10 +129,6 @@ startssl|sslstart|start-SSL)
+ configtest)
+ testconfig
+ ;;
+-status)
+- checklynx
+- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+- ;;
+ fullstatus)
+ checklynx
+ $LYNX $STATUSURL
--- /dev/null
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: vendor-specific change
+
+--- httpd-2.4.3/server/core.c.release
++++ httpd-2.4.3/server/core.c
+@@ -3189,7 +3189,7 @@ static void set_banner(apr_pool_t *pconf
+ ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
+ }
+ else {
+- ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
++ ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (@RELEASE@)");
+ }
+
+ /*
--- /dev/null
+diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
+index eec38f3..1a2d5ee 100644
+--- a/modules/cache/cache_util.h
++++ b/modules/cache/cache_util.h
+@@ -194,6 +194,9 @@ typedef struct {
+ unsigned int store_nostore_set:1;
+ unsigned int enable_set:1;
+ unsigned int disable_set:1;
++ /* treat maxex as hard limit */
++ unsigned int hardmaxex:1;
++ unsigned int hardmaxex_set:1;
+ } cache_dir_conf;
+
+ /* A linked-list of authn providers. */
+diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
+index 4f2d3e0..30c88f4 100644
+--- a/modules/cache/mod_cache.c
++++ b/modules/cache/mod_cache.c
+@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
+ exp = date + dconf->defex;
+ }
+ }
++ /* else, forcibly cap the expiry date if required */
++ else if (dconf->hardmaxex && (date + dconf->maxex) < exp) {
++ exp = date + dconf->maxex;
++ }
++
+ info->expire = exp;
+
+ /* We found a stale entry which wasn't really stale. */
+@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
+
+ /* array of providers for this URL space */
+ dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
+-
++ /* flag; treat maxex as hard limit */
++ dconf->hardmaxex = 0;
++ dconf->hardmaxex_set = 0;
+ return dconf;
+ }
+
+@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
+ new->enable_set = add->enable_set || base->enable_set;
+ new->disable = (add->disable_set == 0) ? base->disable : add->disable;
+ new->disable_set = add->disable_set || base->disable_set;
+-
++ new->hardmaxex =
++ (add->hardmaxex_set == 0)
++ ? base->hardmaxex
++ : add->hardmaxex;
+ return new;
+ }
+
+@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
+ }
+
+ static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+- const char *arg)
++ const char *arg, const char *hard)
+ {
+ cache_dir_conf *dconf = (cache_dir_conf *)dummy;
+
+ dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+ dconf->maxex_set = 1;
++
++ if (hard && strcasecmp(hard, "hard") == 0) {
++ dconf->hardmaxex = 1;
++ dconf->hardmaxex_set = 1;
++ }
++
+ return NULL;
+ }
+
+@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] =
+ "caching is enabled"),
+ AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
+ "A partial URL prefix below which caching is disabled"),
+- AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
++ AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
+ "The maximum time in seconds to cache a document"),
+ AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF,
+ "The minimum time in seconds to cache a document"),
--- /dev/null
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
+
+--- httpd-2.4.4/server/Makefile.in.export
++++ httpd-2.4.4/server/Makefile.in
+@@ -57,9 +57,6 @@ export_files:
+ ( for dir in $(EXPORT_DIRS); do \
+ ls $$dir/*.h ; \
+ done; \
+- for dir in $(EXPORT_DIRS_APR); do \
+- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+- done; \
+ ) | sed -e s,//,/,g | sort -u > $@
+
+ exports.c: export_files
--- /dev/null
+diff --git a/server/protocol.c b/server/protocol.c
+index e1ef204..d6d9165 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
+ * now read. may update status.
+ */
+ ap_update_vhost_from_headers(r);
++ access_status = r->status;
+
+ /* Toggle to the Host:-based vhost's timeout mode to fetch the
+ * request body and send the response body, if needed.
--- /dev/null
+--- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766
++++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827
+@@ -31,14 +31,11 @@
+ #include "http_log.h"
+ #include "http_protocol.h" /* for ap_hook_post_read_request */
+
+-#if APR_HAVE_UNISTD_H
+-#include <unistd.h> /* for getpid() */
+-#endif
++#define ROOT_SIZE 10
+
+ typedef struct {
+ unsigned int stamp;
+- unsigned int in_addr;
+- unsigned int pid;
++ char root[ROOT_SIZE];
+ unsigned short counter;
+ unsigned int thread_index;
+ } unique_id_rec;
+@@ -64,20 +61,15 @@
+ * gethostbyname (gethostname()) is unique across all the machines at the
+ * "site".
+ *
+- * We also further assume that pids fit in 32-bits. If something uses more
+- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
+- * loop to be extended. * A similar fix is needed to support multithreaded
+- * servers, using a pid/tid combo.
+- *
+- * Together, the in_addr and pid are assumed to absolutely uniquely identify
+- * this one child from all other currently running children on all servers
+- * (including this physical server if it is running multiple httpds) from each
++ * The root is assumed to absolutely uniquely identify this one child
++ * from all other currently running children on all servers (including
++ * this physical server if it is running multiple httpds) from each
+ * other.
+ *
+- * The stamp and counter are used to distinguish all hits for a particular
+- * (in_addr,pid) pair. The stamp is updated using r->request_time,
+- * saving cpu cycles. The counter is never reset, and is used to permit up to
+- * 64k requests in a single second by a single child.
++ * The stamp and counter are used to distinguish all hits for a
++ * particular root. The stamp is updated using r->request_time,
++ * saving cpu cycles. The counter is never reset, and is used to
++ * permit up to 64k requests in a single second by a single child.
+ *
+ * The 144-bits of unique_id_rec are encoded using the alphabet
+ * [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then
+@@ -92,7 +84,7 @@
+ * module change.
+ *
+ * It is highly desirable that identifiers exist for "eternity". But future
+- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
++ * needs (such as much faster webservers, or moving to a
+ * multithreaded server) may dictate a need to change the contents of
+ * unique_id_rec. Such a future implementation should ensure that the first
+ * field is still a time_t stamp. By doing that, it is possible for a site to
+@@ -100,7 +92,15 @@
+ * wait one entire second, and then start all of their new-servers. This
+ * procedure will ensure that the new space of identifiers is completely unique
+ * from the old space. (Since the first four unencoded bytes always differ.)
++ *
++ * Note: previous implementations used 32-bits of IP address plus pid
++ * in place of the PRNG output in the "root" field. This was
++ * insufficient for IPv6-only hosts, required working DNS to determine
++ * a unique IP address (fragile), and needed a [0, 1) second sleep
++ * call at startup to avoid pid reuse. Use of the PRNG avoids all
++ * these issues.
+ */
++
+ /*
+ * Sun Jun 7 05:43:49 CEST 1998 -- Alvaro
+ * More comments:
+@@ -116,8 +116,6 @@
+ * htonl/ntohl. Well, this shouldn't be a problem till year 2106.
+ */
+
+-static unsigned global_in_addr;
+-
+ /*
+ * XXX: We should have a per-thread counter and not use cur_unique_id.counter
+ * XXX: in all threads, because this is bad for performance on multi-processor
+@@ -129,7 +127,7 @@
+ /*
+ * Number of elements in the structure unique_id_rec.
+ */
+-#define UNIQUE_ID_REC_MAX 5
++#define UNIQUE_ID_REC_MAX 4
+
+ static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
+ unique_id_rec_size[UNIQUE_ID_REC_MAX],
+@@ -138,113 +136,32 @@
+
+ static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
+ {
+- char str[APRMAXHOSTLEN + 1];
+- apr_status_t rv;
+- char *ipaddrstr;
+- apr_sockaddr_t *sockaddr;
+-
+ /*
+ * Calculate the sizes and offsets in cur_unique_id.
+ */
+ unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
+ unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
+- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
+- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
+- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
+- unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
+- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
+- unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
+- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
+- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
++ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
++ unique_id_rec_size[1] = sizeof(cur_unique_id.root);
++ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
++ unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
++ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
++ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
+ unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
+- unique_id_rec_size[2] + unique_id_rec_size[3] +
+- unique_id_rec_size[4];
++ unique_id_rec_size[2] + unique_id_rec_size[3];
+
+ /*
+ * Calculate the size of the structure when encoded.
+ */
+ unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
+
+- /*
+- * Now get the global in_addr. Note that it is not sufficient to use one
+- * of the addresses from the main_server, since those aren't as likely to
+- * be unique as the physical address of the machine
+- */
+- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
+- "unable to find hostname of the server");
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
+- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
+- }
+- else {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
+- "unable to find IPv4 address of \"%s\"", str);
+-#if APR_HAVE_IPV6
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
+- memcpy(&global_in_addr,
+- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
+- sizeof(global_in_addr));
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
+- "using low-order bits of IPv6 address "
+- "as if they were unique");
+- }
+- else
+-#endif
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
+- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
+- ipaddrstr);
+-
+- /*
+- * If the server is pummelled with restart requests we could possibly end
+- * up in a situation where we're starting again during the same second
+- * that has been used in previous identifiers. Avoid that situation.
+- *
+- * In truth, for this to actually happen not only would it have to restart
+- * in the same second, but it would have to somehow get the same pids as
+- * one of the other servers that was running in that second. Which would
+- * mean a 64k wraparound on pids ... not very likely at all.
+- *
+- * But protecting against it is relatively cheap. We just sleep into the
+- * next second.
+- */
+- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
+ return OK;
+ }
+
+ static void unique_id_child_init(apr_pool_t *p, server_rec *s)
+ {
+- pid_t pid;
+-
+- /*
+- * Note that we use the pid because it's possible that on the same
+- * physical machine there are multiple servers (i.e. using Listen). But
+- * it's guaranteed that none of them will share the same pids between
+- * children.
+- *
+- * XXX: for multithread this needs to use a pid/tid combo and probably
+- * needs to be expanded to 32 bits
+- */
+- pid = getpid();
+- cur_unique_id.pid = pid;
+-
+- /*
+- * Test our assumption that the pid is 32-bits. It's possible that
+- * 64-bit machines will declare pid_t to be 64 bits but only use 32
+- * of them. It would have been really nice to test this during
+- * global_init ... but oh well.
+- */
+- if ((pid_t)cur_unique_id.pid != pid) {
+- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
+- "oh no! pids are greater than 32-bits! I'm broken!");
+- }
+-
+- cur_unique_id.in_addr = global_in_addr;
++ ap_random_insecure_bytes(&cur_unique_id.root,
++ sizeof(cur_unique_id.root));
+
+ /*
+ * If we use 0 as the initial counter we have a little less protection
+@@ -253,13 +170,6 @@
+ */
+ ap_random_insecure_bytes(&cur_unique_id.counter,
+ sizeof(cur_unique_id.counter));
+-
+- /*
+- * We must always use network ordering for these bytes, so that
+- * identifiers are comparable between machines of different byte
+- * orderings. Note in_addr is already in network order.
+- */
+- cur_unique_id.pid = htonl(cur_unique_id.pid);
+ }
+
+ /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
+@@ -291,10 +201,8 @@
+ unsigned short counter;
+ int i,j,k;
+
+- new_unique_id.in_addr = cur_unique_id.in_addr;
+- new_unique_id.pid = cur_unique_id.pid;
++ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
+ new_unique_id.counter = cur_unique_id.counter;
+-
+ new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
+ new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
+
--- /dev/null
+# ./pullrev.sh 1332643 1345599
+
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+
+http://svn.apache.org/viewvc?view=revision&revision=1345599
+
+--- httpd-2.4.4/modules/ssl/mod_ssl.c.r1332643+
++++ httpd-2.4.4/modules/ssl/mod_ssl.c
+@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds
+ AP_END_CMD
+ };
+
++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos),
++ (connection, protos), OK, DECLINED);
++
++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++ modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
++ (connection, proto_name, proto_name_len), OK, DECLINED);
++
+ /*
+ * the various processing hooks
+ */
+--- httpd-2.4.4/modules/ssl/mod_ssl.h.r1332643+
++++ httpd-2.4.4/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
+
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+
++/** The npn_advertise_protos optional hook allows other modules to add entries
++ * to the list of protocol names advertised by the server during the Next
++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
++ * given the connection and an APR array; it should push one or more char*'s
++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
++ * the array and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
++ (conn_rec *connection, apr_array_header_t *protos));
++
++/** The npn_proto_negotiated optional hook allows other modules to discover the
++ * name of the protocol that was chosen during the Next Protocol Negotiation
++ * (NPN) portion of the SSL handshake. Note that this may be the empty string
++ * (in which case modules should probably assume HTTP), or it may be a protocol
++ * that was never even advertised by the server. The hook callee is given the
++ * connection, a non-null-terminated string containing the protocol name, and
++ * the length of the string; it should do something appropriate (i.e. insert or
++ * remove filters) and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
++ (conn_rec *connection, const char *proto_name,
++ apr_size_t proto_name_len));
++
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+--- httpd-2.4.4/modules/ssl/ssl_engine_init.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
+@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
+ #endif
+
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++#ifdef HAVE_TLS_NPN
++ SSL_CTX_set_next_protos_advertised_cb(
++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
++#endif
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.4.4/modules/ssl/ssl_engine_io.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+ core keeps dumping.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "apr_date.h"
+
+ /* _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+ apr_pool_t *pool;
+ char buffer[AP_IOBUFSIZE];
+ ssl_filter_ctx_t *filter_ctx;
++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+
+ /*
+@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ }
+
++#ifdef HAVE_TLS_NPN
++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
++ * our version of OpenSSL supports it). If we haven't already, find out
++ * which protocol was decided upon and inform other modules by calling
++ * npn_proto_negotiated_hook. */
++ if (!inctx->npn_finished) {
++ const unsigned char *next_proto = NULL;
++ unsigned next_proto_len = 0;
++
++ SSL_get0_next_proto_negotiated(
++ inctx->ssl, &next_proto, &next_proto_len);
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
++ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
++ next_proto_len, (const char*)next_proto);
++ modssl_run_npn_proto_negotiated_hook(
++ f->c, (const char*)next_proto, next_proto_len);
++ inctx->npn_finished = 1;
++ }
++#endif
++
+ return APR_SUCCESS;
+ }
+
+@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
+ inctx->block = APR_BLOCK_READ;
+ inctx->pool = c->pool;
+ inctx->filter_ctx = filter_ctx;
++ inctx->npn_finished = 0;
+ }
+
+ /* The request_rec pointer is passed in here only to ensure that the
+--- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+ time I was too famous.''
+ -- Unknown */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "util_md5.h"
+
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2161,6 +2162,90 @@ int ssl_callback_SessionTicket(SSL *ssl,
+ }
+ #endif /* HAVE_TLS_SESSION_TICKETS */
+
++#ifdef HAVE_TLS_NPN
++/*
++ * This callback function is executed when SSL needs to decide what protocols
++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
++ * in OpenSSL for reference.
++ */
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
++ unsigned int *size_out, void *arg)
++{
++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
++ apr_array_header_t *protos;
++ int num_protos;
++ unsigned int size;
++ int i;
++ unsigned char *data;
++ unsigned char *start;
++
++ *data_out = NULL;
++ *size_out = 0;
++
++ /* If the connection object is not available, then there's nothing for us
++ * to do. */
++ if (c == NULL) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
++ * add alternate protocol names to advertise. */
++ protos = apr_array_make(c->pool, 0, sizeof(char*));
++ modssl_run_npn_advertise_protos_hook(c, protos);
++ num_protos = protos->nelts;
++
++ /* We now have a list of null-terminated strings; we need to concatenate
++ * them together into a single string, where each protocol name is prefixed
++ * by its length. First, calculate how long that string will be. */
++ size = 0;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ unsigned int length = strlen(string);
++ /* If the protocol name is too long (the length must fit in one byte),
++ * then log an error and skip it. */
++ if (length > 255) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
++ "SSL NPN protocol name too long (length=%u): %s",
++ length, string);
++ continue;
++ }
++ /* Leave room for the length prefix (one byte) plus the protocol name
++ * itself. */
++ size += 1 + length;
++ }
++
++ /* If there is nothing to advertise (either because no modules added
++ * anything to the protos array, or because all strings added to the array
++ * were skipped), then we're done. */
++ if (size == 0) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Now we can build the string. Copy each protocol name string into the
++ * larger string, prefixed by its length. */
++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
++ start = data;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ apr_size_t length = strlen(string);
++ if (length > 255)
++ continue;
++ *start = (unsigned char)length;
++ ++start;
++ memcpy(start, string, length * sizeof(unsigned char));
++ start += length;
++ }
++
++ /* Success. */
++ *data_out = data;
++ *size_out = size;
++ return SSL_TLSEXT_ERR_OK;
++}
++
++#endif /* HAVE_TLS_NPN */
++
+ #ifndef OPENSSL_NO_SRP
+
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+--- httpd-2.4.4/modules/ssl/ssl_private.h.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_private.h
+@@ -139,6 +139,11 @@
+ #define HAVE_FIPS
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
++ && !defined(OPENSSL_NO_TLSEXT)
++#define HAVE_TLS_NPN
++#endif
++
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+ #define MODSSL_SSL_CIPHER_CONST const
+ #define MODSSL_SSL_METHOD_CONST const
+@@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndi
+ int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
--- /dev/null
+# ./pullrev.sh 1337344 1341905 1342065 1341930
+
+suexec enhancements:
+
+1) use syslog for logging
+2) use capabilities not setuid/setgid root binary
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
+
+--- httpd-2.4.4/configure.in.r1337344+
++++ httpd-2.4.4/configure.in
+@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++ if test "x$withval" = "xyes"; then
++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++ fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++ if test $withval = "yes"; then
++ if test "x${with_suexec_logfile}" != "xno"; then
++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++ fi
++ AC_CHECK_FUNCS([vsyslog], [], [
++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++ fi
++])
++
+
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities],
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
++ [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.4/docs/manual/suexec.html.en
+@@ -372,6 +372,21 @@
+ together with the <code>--enable-suexec</code> option to let
+ APACI accept your request for using the suEXEC feature.</dd>
+
++ <dt><code>--enable-suexec-capabilities</code></dt>
++
++ <dd><strong>Linux specific:</strong> Normally,
++ the <code>suexec</code> binary is installed "setuid/setgid
++ root", which allows it to run with the full privileges of the
++ root user. If this option is used, the <code>suexec</code>
++ binary will instead be installed with only the setuid/setgid
++ "capability" bits set, which is the subset of full root
++ priviliges required for suexec operation. Note that
++ the <code>suexec</code> binary may not be able to write to a log
++ file in this mode; it is recommended that the
++ <code>--with-suexec-syslog --without-suexec-logfile</code>
++ options are used in conjunction with this mode, so that syslog
++ logging is used instead.</dd>
++
+ <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
+
+ <dd>The path to the <code>suexec</code> binary must be hard-coded
+@@ -433,6 +448,12 @@
+ "<code>suexec_log</code>" and located in your standard logfile
+ directory (<code>--logfiledir</code>).</dd>
+
++ <dt><code>--with-suexec-syslog</code></dt>
++
++ <dd>If defined, suexec will log notices and errors to syslog
++ instead of a logfile. This option must be combined
++ with <code>--without-suexec-logfile</code>.</dd>
++
+ <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
+
+ <dd>Define a safe PATH environment to pass to CGI
+@@ -550,9 +571,12 @@ Group webgroup
+
+ <p>The suEXEC wrapper will write log information
+ to the file defined with the <code>--with-suexec-logfile</code>
+- option as indicated above. If you feel you have configured and
+- installed the wrapper properly, have a look at this log and the
+- error_log for the server to see where you may have gone astray.</p>
++ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
++ is used. If you feel you have configured and
++ installed the wrapper properly, have a look at the log and the
++ error_log for the server to see where you may have gone astray.
++ The output of <code>"suexec -V"</code> will show the options
++ used to compile suexec, if using a binary distribution.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
+ prettyPrint();
+ }
+ //--><!]]></script>
+-</body></html>
+\ No newline at end of file
++</body></html>
+--- httpd-2.4.4/Makefile.in.r1337344+
++++ httpd-2.4.4/Makefile.in
+@@ -238,11 +238,22 @@ install-man:
+ cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
+ fi
+
+-install-suexec:
++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
++
++install-suexec-binary:
+ @if test -f $(builddir)/support/suexec; then \
+ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
+- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
++install-suexec-setuid:
++ @if test -f $(builddir)/support/suexec; then \
++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
++install-suexec-caps:
++ @if test -f $(builddir)/support/suexec; then \
++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+ suexec:
+--- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+
++++ httpd-2.4.4/modules/arch/unix/mod_unixd.c
+@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
+ return NULL;
+ }
+
++#ifdef AP_SUEXEC_CAPABILITIES
++/* If suexec is using capabilities, don't test for the setuid bit. */
++#define SETUID_TEST(finfo) (1)
++#else
++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
++#endif
++
+ static int
+ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
+@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
+ ap_unixd_config.suexec_enabled = 0;
+ if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+ == APR_SUCCESS) {
+- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
++ if (SETUID_TEST(wrapper) && wrapper.user == 0
+ && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
+ ap_unixd_config.suexec_enabled = 1;
+ ap_unixd_config.suexec_disabled_reason = "";
+--- httpd-2.4.4/support/suexec.c.r1337344+
++++ httpd-2.4.4/support/suexec.c
+@@ -58,6 +58,10 @@
+ #include <grp.h>
+ #endif
+
++#ifdef AP_LOG_SYSLOG
++#include <syslog.h>
++#endif
++
+ #if defined(PATH_MAX)
+ #define AP_MAXPATH PATH_MAX
+ #elif defined(MAXPATHLEN)
+@@ -69,7 +73,20 @@
+ #define AP_ENVBUF 256
+
+ extern char **environ;
++
++#ifdef AP_LOG_SYSLOG
++/* Syslog support. */
++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
++#define AP_LOG_FACILITY LOG_AUTHPRIV
++#elif !defined(AP_LOG_FACILITY)
++#define AP_LOG_FACILITY LOG_AUTH
++#endif
++
++static int log_open;
++#else
++/* Non-syslog support. */
+ static FILE *log = NULL;
++#endif
+
+ static const char *const safe_env_lst[] =
+ {
+@@ -137,7 +154,14 @@ static void err_output(int is_error, con
+
+ static void err_output(int is_error, const char *fmt, va_list ap)
+ {
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++ if (!log_open) {
++ openlog("suexec", LOG_PID, AP_LOG_FACILITY);
++ log_open = 1;
++ }
++
++ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
++#elif defined(AP_LOG_EXEC)
+ time_t timevar;
+ struct tm *lt;
+
+@@ -295,7 +319,9 @@ int main(int argc, char *argv[])
+ #ifdef AP_HTTPD_USER
+ fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+ #endif
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
++#elif defined(AP_LOG_EXEC)
+ fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
+ #endif
+ #ifdef AP_SAFE_PATH
+@@ -591,6 +617,12 @@ int main(int argc, char *argv[])
+ #endif /* AP_SUEXEC_UMASK */
+
+ /* Be sure to close the log file so the CGI can't mess with it. */
++#ifdef AP_LOG_SYSLOG
++ if (log_open) {
++ closelog();
++ log_open = 0;
++ }
++#else
+ if (log != NULL) {
+ #if APR_HAVE_FCNTL_H
+ /*
+@@ -612,6 +644,7 @@ int main(int argc, char *argv[])
+ log = NULL;
+ #endif
+ }
++#endif
+
+ /*
+ * Execute the command, replacing our image with its own.
--- /dev/null
+diff --git a/support/apxs.in b/support/apxs.in
+index ad1287f..efcfcf6 100644
+--- a/support/apxs.in
++++ b/support/apxs.in
+@@ -25,7 +25,18 @@ package apxs;
+
+ my %config_vars = ();
+
+-my $installbuilddir = "@exp_installbuilddir@";
++# Awful hack to make apxs libdir-agnostic:
++my $pkg_config = "/usr/bin/pkg-config";
++if (! -x "$pkg_config") {
++ error("$pkg_config not found!");
++ exit(1);
++}
++
++my $libdir = `pkg-config --variable=libdir apr-1`;
++chomp $libdir;
++
++my $installbuilddir = $libdir . "/httpd/build";
++
+ get_config_vars("$installbuilddir/config_vars.mk",\%config_vars);
+
+ # read the configuration variables once
+@@ -275,7 +286,7 @@ if ($opt_g) {
+ $data =~ s|%NAME%|$name|sg;
+ $data =~ s|%TARGET%|$CFG_TARGET|sg;
+ $data =~ s|%PREFIX%|$prefix|sg;
+- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++ $data =~ s|%LIBDIR%|$libdir|sg;
+
+ my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+
+@@ -453,11 +464,11 @@ if ($opt_c) {
+ my $ldflags = "$CFG_LDFLAGS";
+ if ($opt_p == 1) {
+
+- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
+ chomp($apr_libs);
+ my $apu_libs="";
+ if ($apr_major_version < 2) {
+- $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
++ $apu_libs=`$apu_config --ldflags --link-libtool`;
+ chomp($apu_libs);
+ }
+
+@@ -672,8 +683,8 @@ __DATA__
+
+ builddir=.
+ top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
+-include %INSTALLBUILDDIR%/special.mk
++top_builddir=%LIBDIR%/httpd
++include %LIBDIR%/httpd/build/special.mk
+
+ # the used tools
+ APACHECTL=apachectl
--- /dev/null
+
+Add layout for IHttpd.
+
+--- httpd-2.4.20/config.layout.orig
++++ httpd-2.4.20/config.layout
+@@ -370,3 +370,27 @@
+ logfiledir: ${localstatedir}/log/httpd
+ proxycachedir: ${localstatedir}/cache/httpd
+ </Layout>
++
++# IHttpd layout
++<Layout IHttpd>
++ prefix: /usr
++ exec_prefix: ${prefix}
++ bindir: ${prefix}/bin
++ sbindir: ${prefix}/sbin
++ libdir: ${prefix}/lib
++ libexecdir: ${prefix}/libexec
++ mandir: ${prefix}/man
++ sysconfdir: /etc
++ datadir: ${prefix}/share/ihttpd
++ installbuilddir: ${libdir}/ihttpd/build
++ errordir: ${datadir}/error
++ iconsdir: ${datadir}/icons
++ htdocsdir: /var/www/html
++ manualdir: ${datadir}/manual
++ cgidir: /var/www/cgi-bin
++ includedir: ${prefix}/include/ihttpd
++ localstatedir: /var
++ runtimedir: /run/ihttpd
++ logfiledir: ${localstatedir}/log/ihttpd
++ proxycachedir: ${localstatedir}/cache/ihttpd/proxy
++</Layout>
--- /dev/null
+# Fix server root
+#XXX: useless now ???
+ServerRoot "/etc"
+
+# Listen on port 80 and 443
+Listen 80
+Listen 443
+
+# Server admin
+ServerAdmin root@localhost
+
+# Fix user
+User root
+Group root
+
+# Send charset
+AddDefaultCharset UTF-8
+
+# Allow file send
+EnableSendfile on
+
+# Set document root
+DocumentRoot "/var/www/html"
+
+<Directory />
+ AllowOverride None
+</Directory>
+<Directory "/run/ihttpd/log">
+ AllowOverride None
+ Require all granted
+</Directory>
+<Directory "/var/www/html">
+ AllowOverride None
+ Options Indexes FollowSymLinks ExecCGI
+ Require all granted
+ DirectoryIndex index.bin
+ AddHandler cgi-script .bin
+</Directory>
+
+# Fix mime type file location
+TypesConfig /etc/mime.types
+
+# Fix pid location
+PidFile /run/ihttpd/ihttpd.pid
+
+# Fix dir for rewrite map lock files
+Mutex file:/run/ihttpd rewrite-map
+Mutex file:/run/ihttpd mpm-accept
+
+# Disable version info
+ServerSignature Off
+ServerTokens Prod
+
+# SSL configuration
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLSessionCache shmcb:/run/ihttpd/ssl_scache(512000)
+SSLProtocol all -SSLv3
+
+# Redirect to https
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+# SSL vhost
+<VirtualHost *:443>
+ ServerName localhost
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/certs/ihttpd.pem
+ SSLCertificateKeyFile /etc/pki/tls/private/ihttpd.pem
+ CustomLog "/run/ihttpd/log/https.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</VirtualHost>
+
+# Log section
+ErrorLog "/run/ihttpd/log/error.log"
+LogLevel warn
+
+<IfModule log_config_module>
+ CustomLog "/run/ihttpd/log/http.log" "%h %l %u %t \"%r\" %>s %b"
+</IfModule>
--- /dev/null
+# Unomit mageia's omited network and systemd modules
+omit_dracutmodules=" network "
+# Force dhcp and net in initramfs
+#kernel_cmdline+=" ip=dhcp rd.neednet=1 "
--- /dev/null
+#!/bin/bash
+
+# called by dracut
+check() {
+ local fs
+
+ # Fix tmpfiledir
+ #XXX: fix installation of /usr/lib/tmpfileS.d/{dracut-tmpfiles,systemd}.conf
+ #XXX: should be removed when bug 18642 (mageia) or 1343230 (fedora) will be fixed in /usr/bin/dracut +1262-1282
+ [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /usr/lib/tmpfiles.d ] && tmpfilesdir=/usr/lib/tmpfiles.d
+ [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /etc/tmpfiles.d ] && tmpfilesdir=/etc/tmpfiles.d
+ [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /lib/tmpfiles.d ] && tmpfilesdir=/lib/tmpfiles.d
+
+ # if cryptsetup is not installed, then we cannot support encrypted devices.
+ require_binaries cryptsetup || return 1
+
+ # if hostonly or mount_needs include if required by other module
+ # if one of fs types is crypto_LUKS include it
+ [[ $hostonly ]] || [[ $mount_needs ]] && {
+ for fs in "${host_fs_types[@]}"; do
+ [[ $fs = "crypto_LUKS" ]] && return 0
+ done
+ return 255
+ }
+
+ return 0
+}
+
+# called by dracut
+depends() {
+ # depend on crypt for /etc/crypttab
+ # depend on systemd-networkd for ip=dhcp and rd.neednet=1
+ # depend on dracut-systemd for appending to $tmpfilesdir/dracut-tmpfiles.conf
+ echo crypt systemd-networkd dracut-systemd
+ return 0
+}
+
+# called by dracut
+cmdline() {
+ local fs
+ for fs in "${host_fs_types[@]}"; do
+ if [[ "$fs" == "crypto_LUKS" ]]; then
+ printf "%s" " ip=dhcp rd.neednet=1"
+ break
+ fi
+ done
+}
+
+# called by dracut
+install() {
+ local _ihttpdconf=$(cmdline)
+ local fs
+ [[ $_ihttpdconf ]] && printf "%s\n" "$_ihttpdconf" >> "${initdir}/etc/cmdline.d/99ihttpd.conf"
+
+ # Install cert dirs
+ inst_dir /etc/pki/tls/certs
+ inst_dir /etc/pki/tls/private
+ inst_dir /etc/systemd/network
+ inst_dir /var/www/html
+ inst_dir $systemdsystemunitdir/ihttpd.service.wants
+
+ # Install favicon
+ inst_simple -o /var/www/html/favicon.ico
+
+ # Install network
+ for nc in `ls /etc/systemd/network/`; do
+ inst_simple /etc/systemd/network/$nc
+ done
+
+ # Install index.bin
+ inst_simple /usr/lib/ihttpd/index.bin /var/www/html/index.bin
+
+ # Install reboot.bin
+ inst_simple /usr/lib/ihttpd/reboot.bin /var/www/html/reboot.bin
+
+ # Install all files
+ inst_multiple \
+ /etc/hosts \
+ /etc/mime.types \
+ /etc/localtime \
+ /etc/nsswitch.conf \
+ /etc/ihttpd.conf \
+ /etc/pki/tls/certs/ihttpd.pem \
+ /etc/pki/tls/private/ihttpd.pem \
+ $tmpfilesdir/ihttpd.conf \
+ $systemdsystemunitdir/ihttpd.path \
+ $systemdsystemunitdir/ihttpd.service \
+ $systemdsystemunitdir/systemd-networkd.service \
+ $systemdsystemunitdir/systemd-tmpfiles-setup.service \
+ '/usr/bin/false' \
+ '/usr/bin/reboot' \
+ /usr/sbin/ihttpd
+
+ # Install ihttpd.path
+ ln -fs ../ihttpd.path $initdir$systemdsystemunitdir/sysinit.target.wants/
+
+ # Install resolv.conf as resolved service
+ #TODO: change this to have a content or depend on systemd-resolved
+ if [ -L /etc/resolv.conf ]; then
+
+ # Install systemd-resolved
+ if [ `readlink /etc/resolv.conf` = '/run/systemd/resolve/resolv.conf' ]; then
+
+ # Install resolv.conf as symlink
+ ln -fs '/run/systemd/resolve/resolv.conf' $initdir/etc/resolv.conf
+
+ # Install systemd-resolved
+ inst_multiple \
+ $systemdsystemunitdir/systemd-resolved.service \
+ $systemdutildir/systemd-resolved \
+ /etc/systemd/resolved.conf
+
+ # Require systemd-resolve user and group for our ihttpd process
+ `egrep -q '^systemd-resolve:' $initdir/etc/group` || egrep '^systemd-resolve:' /etc/group >> "$initdir/etc/group"
+ `egrep -q '^systemd-resolve:' $initdir/etc/passwd` || egrep '^systemd-resolve:' /etc/passwd >> "$initdir/etc/passwd"
+
+ # Install in ihttpd.service.wants
+ ln -fs ../systemd-resolved.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+
+ # Cleanup resolved.conf
+ perl -pne 'undef $_ if /^(?:#.*|Domains=|FallbackDNS=|DNS=(?:127.0.0.1|::1)$|$)/;/^DNS=/ && $_ =~ s/(?:127.0.0.1|::1)[ \t]*//g' \
+ -i "$initdir/etc/systemd/resolved.conf"
+
+ # Cleanup systemd-resolved.service
+ perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.resolve1\.busname)/' \
+ -i "$initdir$systemdsystemunitdir/systemd-resolved.service"
+
+ # Try install the target file
+ else
+ inst_simple /etc/resolv.conf
+ fi
+
+ # Install resolv.conf as file
+ elif [ -e /etc/resolv.conf ]; then
+
+ # Install resolv.conf as file
+ inst_simple /etc/resolv.conf
+
+ # Cleanup resolv.conf
+ #XXX: strip search, localhost and ipv6
+ perl -pne 'undef $_ if /^(?:#.*|search\s+|nameserver\s+127.0.0.1|nameserver\s+[^:\s]+:[^\s]+|$)/' \
+ -i "$initdir/etc/resolv.conf"
+
+ # Touch resolv.conf file
+ else
+ # We did what we could
+ touch "$initdir/etc/resolv.conf"
+ fi
+
+ # Install ihttpd log
+ ln -fs ../../../run/ihttpd/log/{http,https,child.{askpassword,ihttpd},error}.log $initdir/var/www/html/
+
+ # Install in ihttpd.service.wants
+ ln -fs ../systemd-networkd.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+ ln -fs ../systemd-tmpfiles-setup.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+
+ # Include all ihttpd deps
+ inst_libdir_file \
+ "ld-linux-*.so.*" \
+ "libapr-1.so.*" \
+ "libaprutil-1.so.*" \
+ "libcrypto.so.*" \
+ "libcrypt.so.*" \
+ "libc.so.*" \
+ "libdb-*.so" \
+ "libdl.so.*" \
+ "libexpat.so.*" \
+ "libnsl.so.*" \
+ "libpcre.so.*" \
+ "libpthread.so.*" \
+ "libresolv.so.*" \
+ "librt.so.*" \
+ "libuuid.so.*" \
+ "libz.so.*" \
+ "libnss_files.so.*" \
+ "libnss_dns.so.*" \
+ "libnss_myhostname.so.*" \
+ {"tls/$_arch/",tls/,"$_arch/",}"libssl.so.*"
+
+ # Cleanup nsswitch.conf
+ if [ -f "$initdir/etc/nsswitch.conf" ]; then
+ perl -pne 'undef $_ if /^(?:#|$)/;s/compat/files/;s/ ?(?:nis|wins|mdns4_minimal |mdns4)( )?/\1/g' \
+ -i "$initdir/etc/nsswitch.conf"
+ fi
+
+ # Cleanup systemd-networkd.service
+ if [ -f "$initdir$systemdsystemunitdir/systemd-networkd.service" ]; then
+ perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.network1\.busname)/;s/^After=(systemd-udevd.service )dbus.service network-pre.target systemd-sysusers.service /After=\1/' \
+ -i "$initdir$systemdsystemunitdir/systemd-networkd.service"
+ fi
+
+ # Cleanup systemd-tmpfiles-setup.service
+ if [ -f "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service" ]; then
+ perl -pne 'undef $_ if /^#/;s/After=(.*) systemd-sysusers.service/After=\1/' \
+ -i "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service"
+ fi
+
+ #XXX: bug: fix /usr/lib/tmpfiles.d/{systemd,dracut-tmpfiles}.conf missing user and group
+ `egrep -q '^utmp:' $initdir/etc/group` || egrep '^utmp:' /etc/group >> "$initdir/etc/group"
+ # Require root user and group for our ihttpd process
+ `egrep -q '^root:' $initdir/etc/group` || egrep '^root:' /etc/group >> "$initdir/etc/group"
+ `egrep -q '^root:' $initdir/etc/passwd` || egrep '^root:' /etc/passwd >> "$initdir/etc/passwd"
+}
--- /dev/null
+# Path unit starting ihttpd.service on password request
+[Unit]
+Description=The Apache IHTTP Server that will unlock crypttab device
+DefaultDependencies=no
+Conflicts=shutdown.target multi-user.target graphical.target
+After=plymouth-start.service
+Before=paths.target shutdown.target
+ConditionPathExists=!/run/plymouth/pid
+
+[Path]
+DirectoryNotEmpty=/run/systemd/ask-password
+MakeDirectory=yes
--- /dev/null
+# Service unit starting ihttpd.service on password request
+[Unit]
+Description=Answer Password Requests from the Apache IHTTP Server
+DefaultDependencies=no
+Conflicts=shutdown.target multi-user.target graphical.target
+After=plymouth-start.service
+Before=paths.target shutdown.target
+ConditionPathExists=!/run/plymouth/pid
+
+[Service]
+Type=simple
+Environment=LANG=C
+ExecStart=/usr/sbin/ihttpd $OPTIONS -DFOREGROUND
+ExecReload=/usr/sbin/ihttpd $OPTIONS -k graceful
+KillSignal=SIGWINCH
+KillMode=mixed
+PIDFile=/run/ihttpd/ihttpd.pid
--- /dev/null
+d /run/ihttpd 755 root root
+d /run/ihttpd/log 755 root root
--- /dev/null
+/**
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Written by Raphaël Gertz <rapsys@rapsys.eu>
+ */
+
+//Required for mkostemp, O_CLOEXEC, strdup, memmem
+#define _GNU_SOURCE
+
+//Required for SSIZE_MAX, LONG_MAX
+#include <limits.h>
+
+//Required for pid_t, kill, waitpid
+#include <sys/wait.h>
+#include <signal.h>
+
+//Required for printf, sscanf, sprintf
+#include <stdio.h>
+
+//Required for struct stat, fstat
+#include <sys/stat.h>
+
+//Required for closedir, DIR, opendir, readdir, struct dirent
+#include <dirent.h>
+
+//Required for close, dup2, execve, fork, read, STDERR_FILENO, STDOUT_FILENO, STDIN_FILENO, write
+#include <unistd.h>
+
+//Required for open, O_CLOEXEC, O_NOATIME, O_NOFOLLOW
+#include <fcntl.h>
+
+//Required for atoi, calloc, exit, EXIT_FAILURE, EXIT_SUCCESS, free, getenv, malloc, realloc
+#include <stdlib.h>
+
+//Required for memchr, memcpy, memmem, strdup, strlen, strncmp
+#include <string.h>
+
+//Required for bool
+#include <stdbool.h>
+
+//Required for nanosleep
+#include <time.h>
+
+//Default passphrase max size
+#define DEFAULT_PASSPHRASE_SIZE_MAX 512
+
+//Default keyfile max size
+//XXX: file should be maximum 8192*1024-1 character long
+#define DEFAULT_KEYFILE_SIZE_MAX (8192 * 1024)
+
+//Default crypttab
+#define CRYPTTAB "/etc/crypttab"
+
+//Default cryptsetup
+#define CRYPTSETUP "/sbin/cryptsetup"
+
+//Default pid file
+#define IHTTPDPID "/run/ihttpd/ihttpd.pid"
+
+//Default systemd ask-password dir
+#define ASKPASSWORDDIR "/run/systemd/ask-password"
+
+//Define child log
+#define ASKPASSWORDLOG "/run/ihttpd/log/child.askpassword.log"
+#define IHTTPDLOG "/run/ihttpd/log/child.ihttpd.log"
+
+//Create struct for http error status
+struct httpStatusStruct {
+ int value;
+ char *description;
+};
+
+//Declare http error status array
+const struct httpStatusStruct httpStatuses[] = {
+ {200, "OK"},
+ {400, "Bad Request"},
+ {405, "Method Not Allowed"},
+ {411, "Length Required"},
+ {500, "Internal Server Error"}
+};
+
+/**
+ * Prototype
+ */
+void die(const int, const char*);
+void header(const int, const char*);
+void showForm(const char*, const int, const int);
+int extractValue(char**, int*, char*, int);
+int extractLuksDevice(char**, char**);
+int extractIHttpdPid(pid_t *);
+int extractAskPasswordPid(pid_t *);
+
+/**
+ * Die with error
+ */
+void die(const int code, const char *err) {
+ //TODO: see if we add a nice text/html template ?
+ //Send content as text
+ header(code, "text/plain");
+ //Print error line if available
+ if (err != NULL)
+ printf("%s", err);
+ //Flush all
+ if (fflush(NULL) == -1) {
+ perror("fflush");
+ }
+ //Exit with failure code
+ exit(EXIT_FAILURE);
+}
+
+/**
+ * Send header
+ */
+void header(const int code, const char *ctype) {
+ int k;
+ switch(code) {
+ case 400:
+ k = 1;
+ break;
+ case 405:
+ k = 2;
+ break;
+ case 411:
+ k = 3;
+ break;
+ case 500:
+ k = 4;
+ break;
+ default:
+ k = 0;
+ }
+ //Send http status
+ printf("Status: %d %s\r\n", httpStatuses[k].value, httpStatuses[k].description);
+ //Make sure no cache
+ printf("Cache-Control: no-cache, no-store, must-revalidate\r\n");
+ printf("Pragma: no-cache\r\n");
+ printf("Expires: 0\r\n");
+ printf("X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noodp\r\n");
+ printf("Content-type: %s\r\n\r\n", ctype);
+}
+
+/**
+ * Show form
+ */
+void showForm(const char *requestUri, const int keyfileSizeMax, const int passphraseSizeMax) {
+ header(200, "text/html");
+ printf("<!DOCTYPE HTML>\r\n");
+ printf("<html>\r\n");
+ printf("<head><title>Key upload form</title></head>\r\n");
+ printf("<body>\r\n");
+ printf("<div id=\"wrapper\">\r\n");
+ printf("<form enctype=\"multipart/form-data\" action=\"%s\" method=\"post\"><fieldset><legend>Upload key</legend><label for=\"file\"></label><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"%d\" /><input id=\"file\" type=\"file\" name=\"key\" /><input type=\"submit\" value=\"Send\" /></fieldset></form>\r\n", requestUri, keyfileSizeMax);
+ printf("<form action=\"%s\" method=\"post\"><fieldset><legend>Type key</legend><label for=\"password\"></label><input id=\"password\" type=\"password\" name=\"key\" maxlength=\"%d\" /><input type=\"submit\" value=\"Send\" /></fieldset></form>\r\n", requestUri, passphraseSizeMax);
+ printf("</div>\r\n");
+ printf("</body>\r\n");
+ printf("</html>\r\n");
+}
+
+/**
+ * Extract value
+ */
+int extractValue(char **value, int *valueLength, char *contentType, int contentLength) {
+ //Handle application/x-www-form-urlencoded request
+ if (contentType != NULL && !strncmp(contentType, "application/x-www-form-urlencoded", 33)) {
+ //Indexes and return
+ int i, k, v, r;
+ //Declare key and buf
+ char *key, *buf;
+ //Allocate key
+ if ((key = malloc(4*sizeof(char))) == NULL) {
+ //Unable to allocate key
+ return -1;
+ }
+ //Allocate buf to maximum possible value size + 1 for trailing \0
+ if ((buf = calloc(1, (DEFAULT_PASSPHRASE_SIZE_MAX+1)*sizeof(char))) == NULL) {
+ //Unable to allocate value
+ free(key);
+ return -2;
+ }
+ //Char buffer
+ char d = '\0';
+ //Char delimiter
+ //XXX: initialised as & for new key, becomes = when fetching value
+ char delim = '&';
+ for (i = 0, k = 0, v = 0; i < contentLength; i++) {
+ //Safeguard against a value greater than DEFAULT_PASSPHRASE_SIZE_MAX
+ //XXX: this should never happen because we should be protected by contentLength already
+ if (v == DEFAULT_PASSPHRASE_SIZE_MAX+1) {
+ //Invalid value
+ free(key);
+ free(buf);
+ return -3;
+ }
+ //Read one character from stdin
+ r = read(STDIN_FILENO, &d, 1);
+ //Handle errors
+ if (r < 0) {
+ //Error while parsing post data
+ free(key);
+ free(buf);
+ return -4;
+ } else if (r == 0) {
+ //Partial receive
+ free(key);
+ free(buf);
+ return -5;
+ }
+ //Handle case where key has an other name
+ if (i == 3) {
+ //Check key is "key" and we get '=' as new char and assign delim to =
+ if (strncmp(key, "key", 3) || (delim = d) != '=') {
+ //Invalid key
+ free(key);
+ free(buf);
+ return -6;
+ }
+ //Handle key or value separator in query string
+ } else if (d == '&' || d == '=') {
+ //Invalid query string
+ free(key);
+ free(buf);
+ return -7;
+ //Handle a value
+ } else {
+ //Save key char
+ if (delim == '&') {
+ key[k] = d;
+ k++;
+ //Save buf char
+ } else {
+ buf[v] = d;
+ v++;
+ }
+ }
+ }
+ //Free key
+ free(key);
+ //Unescape and reduce value if not empty
+ if (v > 0) {
+ //Declare iterators
+ int l,m, s = v;
+ //Loop on value and reduce length on the fly
+ for(l=0,m=0; m < v; l++,m++) {
+ //Replace + with space
+ if (buf[m] == '+') {
+ buf[l] = ' ';
+ //Skip partial present %XX
+ } else if (
+ //Assign char
+ (buf[l] = buf[m]) == '%' &&
+ //Check we didn't reach valueStrLength
+ (m+2 < v) &&
+ //Check next two digits are valid
+ ((buf[m+1] >= 'A' && buf[m+1] <= 'F') || (buf[m+1] >= 'a' && buf[m+1] <= 'f') || (buf[m+1] >= '0' && buf[m+1] <= '9')) &&
+ ((buf[m+2] >= 'A' && buf[m+2] <= 'F') || (buf[m+2] >= 'a' && buf[m+2] <= 'f') || (buf[m+2] >= '0' && buf[m+2] <= '9'))
+ ) {
+ buf[l] = (buf[m+1] >= 'A' ? (buf[m+1] & 0xdf) - 'A' + 10 : buf[m+1] - '0') * 16 + (buf[m+2] >= 'A' ? (buf[m+2] & 0xdf) - 'A' + 10 : buf[m+2] - '0');
+ m += 2;
+ s -= 2;
+ }
+ }
+ //Set value length
+ *valueLength = s;
+ //Alloc value
+ if ((*value = malloc((*valueLength)*sizeof(char))) == NULL) {
+ //Unable to alloc value
+ free(key);
+ free(buf);
+ return -8;
+ }
+ //Copy value
+ memcpy(*value, buf, *valueLength);
+ }
+ //Free buf
+ free(buf);
+ //Handle multipart/form-data request
+ } else if (contentType != NULL && !strncmp(contentType, "multipart/form-data", 19)) {
+ //Indexes and return
+ int b, s, r;
+ //Boundary length
+ int boundaryLength = strlen(contentType) - 30 + 1;
+ //Client send LF ending without CR
+ int lfstyle = 0;
+ //Declare boundary
+ char *boundary;
+ //Allocate boundary
+ if ((boundary = calloc(1, boundaryLength*sizeof(char))) == NULL) {
+ //Unable to allocate boundary
+ return -9;
+ }
+ //Extract boundary
+ memcpy(boundary, contentType + 30, boundaryLength - 1);
+
+ //Declare buffers
+ char *start, *buf;
+ //Allocate buffer
+ if ((buf = malloc(contentLength*sizeof(char))) == NULL) {
+ //Unable to allocate buffer
+ free(boundary);
+ return -10;
+ }
+ //Char buffer
+ char d = '\0';
+
+ //Loop
+ for (b = 0, s = 0; b < contentLength; b++) {
+ //Detect possible boundary
+ //XXX: b is boundaryLength-1 + 2 after s
+ //XXX: d will be a CR(CRLF line ending) or LF(LF line ending) or -(of final --)
+ if (b == s + 2 + boundaryLength - 1 && !strncmp(boundary, buf + b - boundaryLength + 1, boundaryLength - 1)) {
+ //Only after first boundary match
+ if (s > 0) {
+ //Trim line jump
+ if (start[0] == '\r' && start[1] == '\n') {
+ start += 2;
+ lfstyle = 1;
+ } else if (start[0] == '\n') {
+ start++;
+ }
+ //Found flag
+ bool found = false;
+ //Allocate pointers
+ char *new = start, *prev = start, *name = NULL;
+ //Search for a new line
+ while ((new = memchr(new, '\n', b - (new - buf)))) {
+ //Jump to first character after new line
+ new++;
+ //Init line length
+ int lineLength = new - prev - 1;
+ //Remove chariage return if necessary
+ if (prev[lineLength] == '\r') {
+ lineLength--;
+ lfstyle = 1;
+ }
+ //Break loop after headers end
+ if (lineLength == 1) {
+ break;
+ }
+ //Allocate a name buf of maximum line length
+ //XXX: need to be filled with zero as we don't know what will comes with sscanf call and we rely on strlen
+ if ((name = calloc(1, lineLength*sizeof(char))) == NULL) {
+ //Unable to allocate name
+ free(boundary);
+ free(buf);
+ return -11;
+ }
+ //Search for name
+ if (sscanf(prev, "Content-Disposition: form-data; name=\"%[^\"]\"", name)) {
+ //Realloc name
+ if ((name = realloc(name, (strlen(name)+1)*sizeof(char))) == NULL) {
+ //Unable to reduce name
+ free(boundary);
+ free(buf);
+ free(name);
+ return -12;
+ }
+ if (!strncmp(name, "key", 3)) {
+ found = true;
+ }
+ }
+ //Free name
+ free(name);
+ //Jump to next one
+ prev = new;
+ }
+ //Init value if found
+ if (found) {
+ //Declare end
+ char *end = buf + b - boundaryLength - 3;
+ //Remove CR at end if provided
+ //XXX: only remove CR at end if we encountered one before
+ if (lfstyle) {
+ end++;
+ }
+ //On too big keyfile
+ if (end - new - 1 >= DEFAULT_KEYFILE_SIZE_MAX) {
+ //Keyfile too large
+ free(boundary);
+ free(buf);
+ return -13;
+ }
+ //On non empty value
+ if (end - new > 1) {
+ //Set value length
+ *valueLength = end - new - 1;
+ //Allocate value
+ if ((*value = malloc((*valueLength)*sizeof(char))) == NULL) {
+ //Unable to allocate value
+ free(boundary);
+ free(buf);
+ return -14;
+ }
+ //Copy value
+ memcpy(*value, new, *valueLength);
+ }
+ }
+ }
+ //Set start to matched boundary
+ start = buf + b;
+ }
+ //Read one character from stdin
+ r = read(STDIN_FILENO, &d, 1);
+ //Handle errors
+ if (r < 0) {
+ //Error while parsing post data
+ free(boundary);
+ free(buf);
+ return -15;
+ } else if (r == 0) {
+ //Partial receive
+ free(boundary);
+ free(buf);
+ return -16;
+ }
+ //New line case
+ if (d == '\n') {
+ //Store new possible boundary start
+ s = b + 1;
+ }
+ buf[b] = d;
+ }
+
+ //Free buffers
+ free(boundary);
+ free(buf);
+ //Unhandled request
+ } else {
+ return -17;
+ }
+
+ //Send value
+ return 0;
+}
+
+/**
+ * Extract luks and device
+ */
+int extractLuksDevice(char **luks, char **device) {
+ //Declare file descriptor
+ int fd, bufLength;
+ //Declare buf, device and luks pointer
+ char *buf, *d, *l;
+ //Declare stat struct
+ struct stat *stats;
+ //Open file
+ if ((fd = open(CRYPTTAB, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+ //Can't open crypttab file
+ return -1;
+ }
+ //Allocate stats
+ if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+ //Unable to allocate stats
+ return -2;
+ }
+ //Stat file
+ if (fstat(fd, stats) == -1) {
+ //Can't stat crypttab
+ return -3;
+ }
+ //Check file size
+ if ((bufLength = stats->st_size) > SSIZE_MAX) {
+ //Crypttab too big
+ return -4;
+ }
+ //Allocate buf
+ if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+ //Unable to allocate buf
+ return -5;
+ }
+ //Read file
+ if ((read(fd, buf, bufLength)) < bufLength) {
+ //Fail to read crypttab file
+ return -6;
+ }
+ //Close file
+ close(fd);
+ //Free stats buffer
+ free(stats);
+
+ //Search first separator (\s|\t) after luks
+ if ((l = memchr(buf, ' ', bufLength)) == NULL && (l = memchr(buf, ' ', bufLength)) == NULL) {
+ return -7;
+ }
+ //Jump to next char
+ l++;
+ //Search first separator (\s|\t) after device
+ if ((d = memchr(l, ' ', bufLength - (l - buf))) == NULL && (d = memchr(l, ' ', bufLength - (l - buf))) == NULL && (d = memchr(l, '\n', bufLength - (l - buf))) == NULL) {
+ return -8;
+ }
+ //Jump to next char
+ d++;
+
+ //Alloc luks
+ if ((*luks = malloc((l - buf - 1)*sizeof(char))) == NULL) {
+ return -9;
+ }
+ //Allocate device
+ if ((*device = malloc((d - l - 1)*sizeof(char))) == NULL) {
+ //Free and reset luks
+ free(luks);
+ luks=NULL;
+ return -10;
+ }
+
+ //Copy luks
+ memcpy(*luks, buf, l - buf - 1);
+ //Terminate luks
+ (*luks)[l - buf - 1] = '\0';
+
+ //Copy device
+ memcpy(*device, l, d - l - 1);
+ //Terminate device
+ (*device)[d - l - 1] = '\0';
+
+ //Free buffer
+ free(buf);
+
+ //Success
+ return 0;
+}
+
+/**
+ * Extract ask-password pid
+ */
+int extractAskPasswordPid(pid_t *pid) {
+ //Declare stuct dirent
+ struct dirent *entry;
+ //Declare askdir
+ DIR *askdir;
+ //Declare found
+ int found = 0;
+
+ //Allocate dirent struct
+ if ((entry = calloc(1, sizeof(struct dirent))) == NULL) {
+ //Unable to allocate entry
+ return -1;
+ }
+
+ //Open systemd ask-password dir
+ if ((askdir = opendir(ASKPASSWORDDIR)) == NULL) {
+ //Can't open ask dir
+ return -2;
+ }
+
+ //Change dir
+ if (chdir(ASKPASSWORDDIR) == -1) {
+ //Can't change to ask dir
+ return -3;
+ }
+
+ //Loop on dir content
+ while((entry = readdir(askdir))) {
+ //Handle each ask.XXXXXX file
+ if (!strncmp(entry->d_name, "ask.", 4) && strlen(entry->d_name) == 10) {
+ //Declare file descriptor
+ int fd, bufLength;
+ //Declare buf
+ char *buf;
+ //Declare stat struct
+ struct stat *stats;
+ //Open file
+ if ((fd = open(entry->d_name, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+ //Can't open ask file
+ return -4;
+ }
+ //Allocate stats
+ if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+ //Unable to allocate stats
+ return -5;
+ }
+ //Stat file
+ if (fstat(fd, stats) == -1) {
+ //Can't stat ask file
+ return -6;
+ }
+ //Check file size
+ if ((bufLength = stats->st_size) > SSIZE_MAX) {
+ //Ask file too big
+ return -7;
+ }
+ //Allocate buf
+ if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+ //Unable to allocate buf
+ return -8;
+ }
+ //Read file
+ if ((read(fd, buf, bufLength)) < bufLength) {
+ //Fail to read ask file
+ return -9;
+ }
+ //Close file
+ close(fd);
+ //Free stats buffer
+ free(stats);
+
+ //Allocate pointers
+ char *nl = buf, *pl = buf, *e;
+ //Allocate pid
+ *pid = 0;
+
+ //Search for a new line
+ while ((nl = memmem(nl, bufLength - (nl - buf), "\n", strlen("\n")))) {
+ //Jump to next char
+ nl++;
+
+ //Check if we have a = in line but not empty value ("=\n")
+ if ((e = memmem(pl, bufLength - (pl - buf), "=", strlen("="))) && e < nl - 2) {
+ //Jump to next char
+ e++;
+ //Look for PID
+ if (!strncmp(pl, "PID", 3)) {
+ //Declade pid string
+ char *pidStr;
+ //Allocate pid string
+ if ((pidStr = malloc((nl - e)*sizeof(char))) == NULL) {
+ //Unable to allocate pid string
+ return -10;
+ }
+ //Copy pid
+ memcpy(pidStr, e, nl - e - 1);
+ //Terminate pid string
+ pidStr[nl - e] = '\0';
+ //Check pid value
+ if ((*pid = atoi(pidStr)) <= 1) {
+ //Invalid pid
+ return -11;
+ }
+ //Free pid string
+ free(pidStr);
+ //Found a valid process
+ found++;
+ }
+ }
+
+ //Jump prev line to new line
+ pl = nl;
+ }
+
+ //Free buffers
+ free(buf);
+ }
+ }
+
+ //Close systemd ask-password dir
+ if (closedir(askdir) == -1) {
+ //Can't close ask dir
+ return -13;
+ }
+
+ //Free entry
+ free(entry);
+
+ //Found no valid pid
+ if (found == 0) {
+ //No pid found
+ return -14;
+ //Found more than one pid
+ } else if (found > 1) {
+ //No pid found
+ return -15;
+ }
+
+ //Success
+ return 0;
+}
+
+/**
+ * Extract ihttpd pid
+ */
+int extractIHttpdPid(pid_t *pid) {
+ //Declare file descriptor
+ int fd, bufLength;
+ //Declare buf, device and luks pointer
+ char *buf, *l, *pidStr;
+ //Declare stat struct
+ struct stat *stats;
+ //Open file
+ if ((fd = open(IHTTPDPID, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+ //Can't open crypttab file
+ return -1;
+ }
+ //Allocate stats
+ if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+ //Unable to allocate stats
+ return -2;
+ }
+ //Stat file
+ if (fstat(fd, stats) == -1) {
+ //Can't stat crypttab
+ return -3;
+ }
+ //Check file size
+ if ((bufLength = stats->st_size) > SSIZE_MAX) {
+ //Crypttab too big
+ return -4;
+ }
+ //Allocate buf
+ if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+ //Unable to allocate buf
+ return -5;
+ }
+ //Read file
+ if ((read(fd, buf, bufLength)) < bufLength) {
+ //Fail to read crypttab file
+ return -6;
+ }
+ //Close file
+ close(fd);
+ //Free stats buffer
+ free(stats);
+
+ //Search first separator (\s|\t|\n) after pid
+ if ((l = memchr(buf, ' ', bufLength)) == NULL && (l = memchr(buf, ' ', bufLength)) == NULL && (l = memchr(buf, '\n', bufLength)) == NULL) {
+ return -7;
+ }
+ //Jump to next char
+ l++;
+
+ //Alloc pid string
+ if ((pidStr = malloc((l - buf - 1)*sizeof(char))) == NULL) {
+ return -9;
+ }
+
+ //Copy luks
+ memcpy(pidStr, buf, l - buf - 1);
+ //Terminate luks
+ pidStr[l - buf - 1] = '\0';
+
+ //Free buffer
+ free(buf);
+
+ //Store pid
+ if ((*pid = atoi(pidStr)) <= 1) {
+ //Invalid pid
+ return -10;
+ }
+
+ //Free pid string
+ free(pidStr);
+
+ //Success
+ return 0;
+}
+
+/**
+ * Main function
+ */
+int main(int argc, char **argv) {
+
+ //Get request method
+ char *requestMethod = getenv("REQUEST_METHOD");
+
+ //Handle unknown requests
+ if (requestMethod == NULL || (strncmp(requestMethod, "GET", 3) && strncmp(requestMethod, "HEAD", 4) && strncmp(requestMethod, "POST", 4))) {
+ //Send method not allowed
+ die(405, "Unsupported request method");
+ //Handle get and head
+ } else if (!strncmp(requestMethod, "GET", 3) || !strncmp(requestMethod, "HEAD", 4)) {
+ //Send form
+ showForm(getenv("REQUEST_URI")?getenv("REQUEST_URI"):"/", DEFAULT_KEYFILE_SIZE_MAX, DEFAULT_PASSPHRASE_SIZE_MAX);
+ //Handle post
+ } else /*if (!strncmp(requestMethod, "POST", 4))*/ {
+ //Return value
+ int ret;
+
+ //Child pid
+ pid_t pid;
+
+ //Value length
+ //XXX: will contain number of char in value without trailing \0
+ int valueLength;
+ //Value string
+ //XXX: will contain value without a tailing \0
+ char *value = NULL;
+
+ //Content length
+ int contentLength;
+ //Content length string from env
+ char *contentLengthStr = getenv("CONTENT_LENGTH");
+ //Content type
+ char *contentType = getenv("CONTENT_TYPE");
+
+ //Declare luks and device
+ char *luks = NULL, *device = NULL;
+
+ //Pairs of pipe for stdin, stdout and stderr
+ int inPipe[2], errPipe[2];
+
+ //Handle unknown content type
+ if (contentType == NULL || (strncmp(contentType, "application/x-www-form-urlencoded", 33) && strncmp(contentType, "multipart/form-data", 19))) {
+ die(400, "Unknown content type");
+ }
+
+ //Handle invalid multipart/form-data content type
+ //XXX: max boundary length is 70 as per rfc1521 & rfc2046
+ if (!strncmp(contentType, "multipart/form-data", 19) && (strncmp(contentType, "multipart/form-data; boundary=", 30) || strlen(contentType) <= 30 || strlen(contentType) > 100)) {
+ die(400, "Malformed boundary in multipart/form-data request");
+ }
+
+ //Handle invalid content length
+ //XXX: deny empty contentLength as chrome send a contentLength even for a device
+ if (contentLengthStr == NULL || (contentLength = atoi(contentLengthStr)) <= 0) {
+ die(411, "Invalid content length");
+ }
+
+ //Handle application/x-www-form-urlencoded request length
+ //XXX: limit to key=xyz where xyz can be all encoded in %XX
+ if (!strncmp(contentType, "application/x-www-form-urlencoded", 33) && contentLength > (DEFAULT_PASSPHRASE_SIZE_MAX * 3 + 4)) {
+ die(400, "Invalid application/x-www-form-urlencoded request length");
+ }
+
+ //Handle multipart/form-data request length
+ //XXX: limit to arbitrary 3 times the keyfile max size
+ if (!strncmp(contentType, "multipart/form-data", 19) && contentLength > (DEFAULT_KEYFILE_SIZE_MAX * 3)) {
+ die(400, "Invalid multipart/form-data request length");
+ }
+
+ //Extract value
+ if ((ret = extractValue(&value, &valueLength, contentType, contentLength)) < 0) {
+ die(500, "Failed to extract value");
+ }
+
+
+ //Extract luks and device
+ if ((ret = extractLuksDevice(&luks, &device)) < 0) {
+ die(500, "Failed to extract luks and device");
+ }
+
+ //Create stdin pipe
+ if (pipe(inPipe) == -1) {
+ die(500, "Failed to create in pipe");
+ }
+
+ //Create stderr pipe
+ if (pipe(errPipe) == -1) {
+ die(500, "Failed to create err pipe");
+ }
+
+ //Fork process
+ if ((pid = fork()) == -1) {
+ die(500, "Failed to fork");
+ }
+
+ //Child process
+ if (pid == 0) {
+ //Child argv
+ char *cargv[] = { CRYPTSETUP, "-d", "-", "luksOpen", device, luks, NULL };
+ char *carge[] = { NULL };
+ //Free value
+ free(value);
+ //Redirect stdin to pipe
+ if (dup2(inPipe[0], STDIN_FILENO) == -1) {
+ die(500, "Failed to redirect in pipe");
+ }
+ //Close inPipe
+ close(inPipe[0]);
+ close(inPipe[1]);
+ //Redirect stderr to pipe
+ if (dup2(errPipe[1], STDERR_FILENO) == -1) {
+ die(500, "Failed to redirect err pipe");
+ }
+ //Close errPipe
+ close(errPipe[0]);
+ close(errPipe[1]);
+ //Call cryptsetup
+ if (execve(CRYPTSETUP, cargv, carge) == -1) {
+ die(500, "Failed to call cryptsetup");
+ }
+ //Parent process
+ } else {
+ //Free luks
+ free(luks);
+ //Free device
+ free(device);
+
+ //Close unused inPipe end
+ close(inPipe[0]);
+ //Close unused errPipe end
+ close(errPipe[1]);
+
+ //Send password on stdin anyway
+ //XXX: this fail if device is already unlocked for example
+ write(inPipe[1], value, valueLength);
+
+ //Free value
+ free(value);
+
+ //Close stdin with EOF
+ close(inPipe[1]);
+
+ //Wait child
+ if (waitpid(pid, &ret, 0) == -1) {
+ die(500, "Failed to wait child");
+ }
+
+ //Handle already unlocked device
+ if (ret == 1280) {
+ die(200, "Device already unlocked");
+ //Handle already in use device
+ } else if (ret == 5) {
+ die(500, "Device already in use");
+ //Handle invalid luks device
+ } else if (ret == 256) {
+ die(500, "Device is now a valid device");
+ //Handle no key available with this passphrase
+ } else if (ret == 512) {
+ die(500, "No slot for this value");
+ //Handle unexisting device or permission denied
+ } else if (ret == 1014) {
+ die(500, "Device doesn't exist or access denied");
+ //Unknown error
+ } else if (ret != 0) {
+ //Err length and counter
+ int errLength = 2048, e = 0;
+ //Declare err buffer
+ char *err;
+ //Buffer char
+ char c;
+ //Alloc err buffer
+ if ((err = malloc(errLength*sizeof(char))) == NULL) {
+ die(500, "Couldn't alloc err buffer");
+ }
+ //Advance after ret code
+ e = sprintf(err, "%d:", ret);
+ //Fetch stderr and store in err buffer
+ while(read(errPipe[0], &c, 1) > 0) {
+ //Grow buffer if we reach end
+ if (e == errLength) {
+ if ((err = realloc(err, (errLength+2048)*sizeof(char))) == NULL) {
+ die(500, "Couldn't grow err buffer");
+ }
+ errLength += 2048;
+ }
+ //Store character
+ err[e] = c;
+ //Pass to next
+ e++;
+ }
+ //Terminate err buffer
+ err[e] = '\0';
+ //Realloc err buffer
+ if ((err = realloc(err, (e+1)*sizeof(char))) == NULL) {
+ die(500, "Couldn't ungrow err buffer");
+ }
+ //Die with luks error
+ die(500, err);
+ }
+ //Close errPipe
+ close(errPipe[0]);
+ }
+
+ //Fork process
+ if ((pid = fork()) == -1) {
+ die(500, "Failed to fork");
+ }
+
+ //IHttpd killing child process
+ if (pid == 0) {
+ //File descriptor
+ int fd;
+
+ //Declare ihttpd pid
+ pid_t ihttpdPid;
+
+ //Close stdin
+ close(STDIN_FILENO);
+
+ //Disable line buffering on stdout and stderr
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+
+ //Redirect output to log
+ if ((fd = open(IHTTPDLOG, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR)) == -1) {
+ fprintf(stderr, "Open ihttpd child log failed\n");
+ } else {
+ //Close stdout
+ close(STDOUT_FILENO);
+ //Redirect stdout on childlog
+ if (dup2(fd, STDOUT_FILENO) == -1) {
+ fprintf(stderr, "Redirect stdout to ihttpd child log failed\n");
+ }
+ //Close stderr
+ close(STDERR_FILENO);
+ //Redirect stderr on childlog
+ if (dup2(fd, STDERR_FILENO) == -1) {
+ fprintf(stderr, "Redirect stderr to ihttpd child log failed\n");
+ }
+ //Close childlog fd
+ close(fd);
+ }
+
+ //Extract ihttpd pid
+ if (extractIHttpdPid(&ihttpdPid) < 0) {
+ fprintf(stderr, "Failed to extract ihttpd pid");
+ exit(EXIT_FAILURE);
+ }
+
+ //Close stdout and stderr without childlog
+ if (fd == -1) {
+ close(STDOUT_FILENO);
+ close(STDERR_FILENO);
+ }
+
+ //Wait until get rattached to init(getppid()==1)
+ //XXX: we are really blind here
+ while(getppid() != 1) {
+ //Sleep half a second
+ if (usleep(500000) == -1 && fd != -1) {
+ printf("Usleep failed\n");
+ }
+ }
+
+ //Termiate ihttpd
+ if (kill(ihttpdPid, 0) == 0 && kill(ihttpdPid, SIGTERM) == -1 && fd != -1) {
+ printf("Termiate ihttpd failed\n");
+ }
+
+ //Sleep half a second
+ if (usleep(500000) == -1 && fd != -1) {
+ printf("Usleep failed\n");
+ }
+
+ //Kill ihttpd
+ if (kill(ihttpdPid, 0) == 0 && kill(ihttpdPid, SIGKILL) == -1) {
+ printf("Kill ihttpd failed\n");
+ }
+
+ //Parent process
+ } else {
+
+ //Fork process
+ if ((pid = fork()) == -1) {
+ die(500, "Failed to fork");
+ }
+
+ //Ask password killing child process
+ //XXX: we are blind here
+ if (pid == 0) {
+ //File descriptor
+ int fd;
+
+ //Declare ask password pid
+ pid_t askPasswordPid;
+
+ //Close stdin
+ close(STDIN_FILENO);
+
+ //Disable line buffering on stdout and stderr
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+
+ //Redirect output to log
+ if ((fd = open(ASKPASSWORDLOG, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR)) == -1) {
+ fprintf(stderr, "Open ask password child log failed\n");
+ } else {
+ //Close stdout
+ close(STDOUT_FILENO);
+ //Redirect stdout on childlog
+ if (dup2(fd, STDOUT_FILENO) == -1) {
+ fprintf(stderr, "Redirect stdout to ask password child log failed\n");
+ }
+ //Close stderr
+ close(STDERR_FILENO);
+ //Redirect stderr on childlog
+ if (dup2(fd, STDERR_FILENO) == -1) {
+ fprintf(stderr, "Redirect stderr to ask password child log failed\n");
+ }
+ //Close childlog fd
+ close(fd);
+ }
+
+ //Extract ask password pid
+ if (extractAskPasswordPid(&askPasswordPid) < 0) {
+ fprintf(stderr, "Failed to extract ask password pid");
+ exit(EXIT_FAILURE);
+ }
+
+ //Close stdout and stderr without childlog
+ if (fd == -1) {
+ close(STDOUT_FILENO);
+ close(STDERR_FILENO);
+ }
+
+ //Wait until get rattached to init(getppid()==1)
+ //XXX: we are really blind here
+ while(getppid() != 1) {
+ //Sleep half a second
+ if (usleep(500000) == -1 && fd != -1) {
+ printf("Usleep failed\n");
+ }
+ }
+
+ //Termitate ask password
+ if (kill(askPasswordPid, 0) == 0 && kill(askPasswordPid, SIGTERM) == -1 && fd != -1) {
+ printf("Termiate ask password failed\n");
+ }
+
+
+ //Sleep half a second
+ if (usleep(500000) == -1 && fd != -1) {
+ printf("Usleep failed\n");
+ }
+
+ //Kill ask password
+ if (kill(askPasswordPid, 0) == 0 && kill(askPasswordPid, SIGKILL) == -1) {
+ printf("Kill ask password failed\n");
+ }
+
+ //Parent process
+ } else {
+
+ //Process success
+ header(200, "text/plain");
+ printf("Sent value, boot should resume now");
+ fflush(NULL);
+
+ }
+
+ }
+
+ }
+
+ exit(EXIT_SUCCESS);
+}
--- /dev/null
+#! /bin/sh
+/usr/bin/reboot -f -i -h
--- /dev/null
+%define contentdir %{_datadir}/httpd
+%define docroot /var/www
+
+%{?!maxmodules:%global maxmodules 128}
+%{?!serverlimit:%global serverlimit 1024}
+
+Name: ihttpd
+Version: 2.4.20
+Release: %mkrel 1
+Summary: The most widely used Web server on the Internet
+License: Apache License
+Group: System/Servers
+URL: http://httpd.apache.org/
+Source0: http://www.apache.org/dist/httpd/httpd-%version.tar.bz2
+Source1: index.bin.c
+Source2: reboot.sh
+Source14: ihttpd.tmpfiles
+Source15: ihttpd.service
+Source17: ihttpd.path
+Source18: ihttpd.dracut
+Source19: ihttpd.module-setup
+Source20: ihttpd.conf
+# build/scripts patches
+Patch1: httpd-2.4.1-apctl.patch
+Patch2: httpd-2.4.9-apxs.patch
+Patch3: httpd-2.4.1-deplibs.patch
+Patch5: ihttpd-2.4.20-layout.patch
+Patch6: httpd-2.4.3-apctl-systemd.patch
+Patch7: httpd-2.4.10-detect-systemd.patch
+# Features/functional changes
+Patch20: httpd-2.4.3-release.patch
+Patch23: httpd-2.4.4-export.patch
+Patch24: httpd-2.4.1-corelimit.patch
+Patch26: httpd-2.4.4-r1337344+.patch
+Patch27: httpd-2.4.2-icons.patch
+Patch28: httpd-2.4.4-r1332643+.patch
+Patch30: httpd-2.4.4-cachehardmax.patch
+Patch31: httpd-2.4.18-sslmultiproxy.patch
+Patch34: httpd-2.4.17-socket-activation.patch
+Patch35: httpd-2.4.17-sslciphdefault.patch
+# Bug fixes
+Patch55: httpd-2.4.4-malformed-host.patch
+Patch56: httpd-2.4.4-mod_unique_id.patch
+Patch57: httpd-2.4.10-sigint.patch
+
+# For /var/www/html
+Requires: webserver-base
+# For /etc/mime.types
+Requires: mailcap
+
+Requires(post): systemd >= %{systemd_required_version}
+Requires(post): rpm-helper >= 0.24.8-1
+Requires(post): openssl makedev
+Requires(preun): rpm-helper >= 0.24.8-1
+
+%description
+This package contains the main binary of apache, a powerful, full-featured,
+efficient and freely-available Web server. Apache is also the most popular Web
+server on the Internet.
+
+This version of apache is fully static, and few modules are available built-in.
+
+%prep
+%setup -q -n httpd-%{version}
+
+%patch1 -p1 -b .apctl
+%patch2 -p1 -b .apxs
+%patch3 -p1 -b .deplibs
+%patch5 -p1 -b .layout
+%patch6 -p1 -b .apctlsystemd
+%patch7 -p1 -b .detectsystemd
+
+%patch23 -p1 -b .export
+%patch24 -p1 -b .corelimit
+%patch26 -p1 -b .r1337344+
+%patch27 -p1 -b .icons
+%patch30 -p1 -b .cachehardmax
+%patch31 -p1 -b .sslmultiproxy
+%patch34 -p1 -b .socketactivation
+%patch35 -p1 -b .sslciphdefault
+
+%patch55 -p1 -b .malformedhost
+%patch56 -p1 -b .uniqueid
+%patch57 -p1 -b .sigint
+
+# Patch in vendor/release string
+sed "s/@RELEASE@/%{product_distribution}/" < %{PATCH20} | patch -p1
+
+# forcibly prevent use of bundled apr, apr-util, pcre
+rm -rf srclib/{apr,apr-util,pcre}
+
+# fix apxs
+perl -pi \
+ -e 's|\@exp_installbuilddir\@|%{_libdir}/httpd/build|;' \
+ -e 's|get_vars\("prefix"\)|"%{_libdir}/httpd/build"|;' \
+ -e 's|get_vars\("sbindir"\) . "/envvars"|"\$installbuilddir/envvars"|;' \
+ support/apxs.in
+
+# correct perl paths
+find -type f -print0 | xargs -0 perl -pi \
+ -e 's|/usr/local/bin/perl|perl|g;' \
+ -e 's|/usr/local/bin/perl5|perl|g;' \
+ -e 's|/path/to/bin/perl|perl|g;'
+
+# bump max modules
+perl -pi \
+ -e 's/DYNAMIC_MODULE_LIMIT \d+/DYNAMIC_MODULE_LIMIT %{maxmodules}/;' \
+ include/httpd.h
+
+# bump server limit
+perl -pi \
+ -e 's/DEFAULT_SERVER_LIMIT \d+/DEFAULT_SERVER_LIMIT %{serverlimit}/' \
+ server/mpm/prefork/prefork.c \
+ server/mpm/worker/worker.c \
+ server/mpm/event/event.c
+
+# don't try to touch srclib
+perl -pi -e "s|^SUBDIRS = .*|SUBDIRS = os server modules support|g" Makefile.in
+
+# this will only work if configured correctly in the config (FullOs)...
+cp server/core.c server/core.c.untagged
+
+# Install index.bin source
+install -m 644 %{SOURCE1} index.bin.c
+
+%build
+%serverbuild
+# regenerate configure scripts
+autoheader && autoconf || exit 1
+
+export CFLAGS="$RPM_OPT_FLAGS -DBIG_SECURITY_HOLE"
+export LDFLAGS="-Wl,-z,relro,-z,now"
+
+# Hard-code path to links to avoid unnecessary builddep
+export LYNX_PATH=/usr/bin/links
+
+%configure2_5x \
+ --enable-layout=IHttpd \
+ --sysconfdir='/etc' \
+ --includedir='/usr/include/ihttpd' \
+ --libexecdir='/usr/lib64/ihttpd/modules' \
+ --datadir='/usr/share/ihttpd' \
+ --with-ssl \
+ --with-mpm=prefork \
+ --with-cgi \
+ --with-program-name='%name' \
+ --disable-suexec \
+ --without-suexec \
+ --disable-distcache \
+ --enable-unixd \
+ --enable-auth-basic \
+ --enable-authn-core \
+ --enable-authn-file \
+ --enable-authz-core \
+ --enable-authz-host \
+ --enable-authz-user \
+ --enable-rewrite \
+ --enable-socache-shmcb \
+ --enable-mime \
+ --enable-dir \
+ --enable-ssl \
+ --enable-log-config \
+ --enable-cgi \
+ --enable-pie \
+ --enable-modules=none \
+ --enable-mods-static='unixd auth_basic authn_core authn_file authz_core authz_host authz_user rewrite socache_shmcb dir mime log_config cgi ssl'
+
+%make
+
+export CFLAGS="$RPM_OPT_FLAGS"
+# -m64 -std=c99 -pedantic -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes
+gcc index.bin.c -o index.bin
+
+%install
+
+#IHttpd sbin
+install -D -p -m 755 ihttpd %{buildroot}%{_sbindir}/ihttpd
+
+#IHttpd config
+install -D -p -m 644 %{SOURCE20} %{buildroot}%{_sysconfdir}/ihttpd.conf
+
+#Tmpfiles.d config
+install -D -p -m 644 %{SOURCE14} %{buildroot}%{_tmpfilesdir}/ihttpd.conf
+
+#IHttpd service
+install -D -p -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/ihttpd.service
+
+#IHttpd path
+install -D -p -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/ihttpd.path
+
+#IHttpd dracut config
+install -D -p -m 644 %{SOURCE18} %{buildroot}%{_sysconfdir}/dracut.conf.d/99-%{name}.conf
+
+#IHttpd dracut module
+install -d -m 755 %{buildroot}%{_prefix}/lib/dracut/modules.d/99ihttpd
+install -D -p -m 755 %{SOURCE19} %{buildroot}%{_prefix}/lib/dracut/modules.d/99ihttpd/module-setup.sh
+
+#Ihttpd index.bin
+install -d -m 755 %{buildroot}%{_prefix}/lib/%{name}
+install -D -p -m 755 index.bin %{buildroot}%{_prefix}/lib/%{name}/index.bin
+install -D -p -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/%{name}/reboot.bin
+
+%find_lang %name
+
+%post
+%_tmpfilescreate %{name}
+%_post_service %{name}
+%_create_ssl_certificate %{name}
+
+%preun
+%_preun_service %{name}
+
+%files -n %name
+%config(noreplace) %{_sysconfdir}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/dracut.conf.d/99-%{name}.conf
+%{_sbindir}/%{name}
+%{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/%{name}.path
+%dir %{_prefix}/lib/dracut/modules.d/99ihttpd
+%{_prefix}/lib/dracut/modules.d/99ihttpd/module-setup.sh
+%{_unitdir}/%{name}.service
+%{_prefix}/lib/%{name}/index.bin
+%{_prefix}/lib/%{name}/reboot.bin
Rapsys Git / ihttpd / commitdiff