Initial import
authorRaphaël Gertz <git@rapsys.eu>
Fri, 17 Jun 2016 21:06:34 +0000 (23:06 +0200)
committerRaphaël Gertz <rapsys@rapsys.eu>
Fri, 17 Jun 2016 21:06:34 +0000 (23:06 +0200)
30 files changed:
.gitignore [new file with mode: 0644]
SOURCES/httpd-2.4.1-apctl.patch [new file with mode: 0644]
SOURCES/httpd-2.4.1-corelimit.patch [new file with mode: 0644]
SOURCES/httpd-2.4.1-deplibs.patch [new file with mode: 0644]
SOURCES/httpd-2.4.10-detect-systemd.patch [new file with mode: 0644]
SOURCES/httpd-2.4.10-sigint.patch [new file with mode: 0644]
SOURCES/httpd-2.4.17-socket-activation.patch [new file with mode: 0644]
SOURCES/httpd-2.4.17-sslciphdefault.patch [new file with mode: 0644]
SOURCES/httpd-2.4.18-sslmultiproxy.patch [new file with mode: 0644]
SOURCES/httpd-2.4.2-icons.patch [new file with mode: 0644]
SOURCES/httpd-2.4.20.tar.bz2 [new file with mode: 0644]
SOURCES/httpd-2.4.3-apctl-systemd.patch [new file with mode: 0644]
SOURCES/httpd-2.4.3-release.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-cachehardmax.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-export.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-malformed-host.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-mod_unique_id.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-r1332643+.patch [new file with mode: 0644]
SOURCES/httpd-2.4.4-r1337344+.patch [new file with mode: 0644]
SOURCES/httpd-2.4.9-apxs.patch [new file with mode: 0644]
SOURCES/ihttpd-2.4.20-layout.patch [new file with mode: 0644]
SOURCES/ihttpd.conf [new file with mode: 0644]
SOURCES/ihttpd.dracut [new file with mode: 0644]
SOURCES/ihttpd.module-setup [new file with mode: 0644]
SOURCES/ihttpd.path [new file with mode: 0644]
SOURCES/ihttpd.service [new file with mode: 0644]
SOURCES/ihttpd.tmpfiles [new file with mode: 0644]
SOURCES/index.bin.c [new file with mode: 0644]
SOURCES/reboot.sh [new file with mode: 0644]
SPECS/ihttpd.spec [new file with mode: 0644]

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..bc67114
--- /dev/null
@@ -0,0 +1,5 @@
+BUILD
+BUILDROOT
+RPMS
+SRPMS
+tmp
diff --git a/SOURCES/httpd-2.4.1-apctl.patch b/SOURCES/httpd-2.4.1-apctl.patch
new file mode 100644 (file)
index 0000000..b31c3c5
--- /dev/null
@@ -0,0 +1,94 @@
+
+- fail gracefully if links is not installed on target system
+- source sysconfig/httpd for custom env. vars etc.
+- make httpd -t work even in SELinux
+- pass $OPTIONS to all $HTTPD invocation
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: Vendor-specific changes for better initscript integration
+
+--- httpd-2.4.1/support/apachectl.in.apctl
++++ httpd-2.4.1/support/apachectl.in
+@@ -44,19 +44,25 @@ ARGV="$@"
+ # the path to your httpd binary, including options if necessary
+ HTTPD='@exp_sbindir@/@progname@'
+ #
+-# pick up any necessary environment variables
+-if test -f @exp_sbindir@/envvars; then
+-  . @exp_sbindir@/envvars
+-fi
+ #
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line.  Designed for lynx, however other
+ # programs may work.  
+-LYNX="@LYNX_PATH@ -dump"
++if [ -x "@LYNX_PATH@" ]; then
++  LYNX="@LYNX_PATH@ -dump"
++else
++  LYNX=none
++fi
+ #
+ # the URL to your server's mod_status status page.  If you do not
+ # have one, then status and fullstatus will not work.
+ STATUSURL="http://localhost:@PORT@/server-status"
++
++# Source /etc/sysconfig/httpd for $HTTPD setting, etc.
++if [ -r /etc/sysconfig/httpd ]; then
++   . /etc/sysconfig/httpd
++fi
++
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -76,9 +82,27 @@ if [ "x$ARGV" = "x" ] ; then 
+     ARGV="-h"
+ fi
++function checklynx() {
++if [ "$LYNX" = "none" ]; then
++   echo "The 'links' package is required for this functionality."
++   exit 8
++fi
++}
++
++function testconfig() {
++# httpd is denied terminal access in SELinux, so run in the
++# current context to get stdout from $HTTPD -t.
++if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
++  runcon -- `id -Z` $HTTPD $OPTIONS -t
++else
++  $HTTPD $OPTIONS -t
++fi
++ERROR=$?
++}
++
+ case $ACMD in
+ start|stop|restart|graceful|graceful-stop)
+-    $HTTPD -k $ARGV
++    $HTTPD $OPTIONS -k $ARGV
+     ERROR=$?
+     ;;
+ startssl|sslstart|start-SSL)
+@@ -88,17 +112,18 @@ startssl|sslstart|start-SSL)
+     ERROR=2
+     ;;
+ configtest)
+-    $HTTPD -t
+-    ERROR=$?
++    testconfig
+     ;;
+ status)
++    checklynx
+     $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+     ;;
+ fullstatus)
++    checklynx
+     $LYNX $STATUSURL
+     ;;
+ *)
+-    $HTTPD "$@"
++    $HTTPD $OPTIONS "$@"
+     ERROR=$?
+ esac
diff --git a/SOURCES/httpd-2.4.1-corelimit.patch b/SOURCES/httpd-2.4.1-corelimit.patch
new file mode 100644 (file)
index 0000000..96f8486
--- /dev/null
@@ -0,0 +1,35 @@
+
+Bump up the core size limit if CoreDumpDirectory is
+configured.
+
+Upstream-Status: Was discussed but there are competing desires;
+       there are portability oddities here too.
+
+--- httpd-2.4.1/server/core.c.corelimit
++++ httpd-2.4.1/server/core.c
+@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
+     }
+     apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+                               apr_pool_cleanup_null);
++
++#ifdef RLIMIT_CORE
++    if (ap_coredumpdir_configured) {
++        struct rlimit lim;
++
++        if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++            lim.rlim_cur = lim.rlim_max;
++            if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++                             "core dump file size limit raised to %lu bytes",
++                             lim.rlim_cur);
++            } else {
++                ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++                             "core dump file size is zero, setrlimit failed");
++            }
++        }
++    }
++#endif
++
+     return OK;
+ }
diff --git a/SOURCES/httpd-2.4.1-deplibs.patch b/SOURCES/httpd-2.4.1-deplibs.patch
new file mode 100644 (file)
index 0000000..b73c21d
--- /dev/null
@@ -0,0 +1,19 @@
+
+Link straight against .la files.
+
+Upstream-Status: vendor specific
+
+--- httpd-2.4.1/configure.in.deplibs
++++ httpd-2.4.1/configure.in
+@@ -707,9 +707,9 @@ APACHE_HELP_STRING(--with-suexec-umask,u
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+-  AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
++  AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+ fi
+-AP_LIBS="$AP_LIBS `$apr_config --link-libtool --libs`" 
++AP_LIBS="$AP_LIBS `$apr_config --link-libtool`" 
+ APACHE_SUBST(AP_LIBS)
+ APACHE_SUBST(AP_BUILD_SRCLIB_DIRS)
+ APACHE_SUBST(AP_CLEAN_SRCLIB_DIRS)
diff --git a/SOURCES/httpd-2.4.10-detect-systemd.patch b/SOURCES/httpd-2.4.10-detect-systemd.patch
new file mode 100644 (file)
index 0000000..a22178b
--- /dev/null
@@ -0,0 +1,48 @@
+diff --git a/acinclude.m4 b/acinclude.m4
+index 580eb4a..bd7e2c9 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -594,6 +594,30 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
+   fi
+ ])
++AC_DEFUN(APACHE_CHECK_SYSTEMD, [                                                                        
++dnl Check for systemd support for listen.c's socket activation.
++case $host in
++*-linux-*)
++   if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then
++      SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++   elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then
++      SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon`
++   else
++      AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
++   fi
++   if test -n "$SYSTEMD_LIBS"; then
++      AC_CHECK_HEADERS(systemd/sd-daemon.h)
++      if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
++        AC_MSG_WARN([Your system does not support systemd.])
++      else
++        APR_ADDTO(LIBS, [$SYSTEMD_LIBS])
++        AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
++      fi
++   fi
++   ;;
++esac
++])
++
+ dnl
+ dnl APACHE_EXPORT_ARGUMENTS
+ dnl Export (via APACHE_SUBST) the various path-related variables that
+diff --git a/configure.in b/configure.in
+index 19a5f88..f096de3 100644
+--- a/configure.in
++++ b/configure.in
+@@ -509,6 +509,8 @@ if test "$ac_cv_struct_tm_gmtoff" = "yes"; then
+     AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field])
+ fi
++APACHE_CHECK_SYSTEMD
++
+ dnl ## Set up any appropriate OS-specific environment variables for apachectl
+ case $host in
diff --git a/SOURCES/httpd-2.4.10-sigint.patch b/SOURCES/httpd-2.4.10-sigint.patch
new file mode 100644 (file)
index 0000000..7574a9c
--- /dev/null
@@ -0,0 +1,45 @@
+From 20656c3b77cc548b59fea3bde5e2b7705d71c427 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= <jkaluza@apache.org>
+Date: Mon, 18 Aug 2014 07:43:43 +0000
+Subject: [PATCH] prefork: Ignore SIGINT in child. This fixes race-condition in
+ signals handling when httpd is runnning on foreground and user hits ctrl+c.
+ In this case, SIGINT is sent to all children followed by SIGTERM from the
+ main process, which interrupts the SIGINT handler and leads to inconsistency
+ (process freezes or crashes).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/mpm/prefork/prefork.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
+index 8790ec0..d6c038b 100644
+--- a/server/mpm/prefork/prefork.c
++++ b/server/mpm/prefork/prefork.c
+@@ -222,6 +222,9 @@ static void clean_child_exit(int code)
+ {
+     mpm_state = AP_MPMQ_STOPPING;
++    apr_signal(SIGHUP, SIG_IGN);
++    apr_signal(SIGTERM, SIG_IGN);
++
+     if (pchild) {
+         apr_pool_destroy(pchild);
+     }
+@@ -817,6 +820,13 @@ static int make_child(server_rec *s, int slot)
+          */
+         apr_signal(SIGHUP, just_die);
+         apr_signal(SIGTERM, just_die);
++        /* Ignore SIGINT in child. This fixes race-condition in signals
++         * handling when httpd is runnning on foreground and user hits ctrl+c.
++         * In this case, SIGINT is sent to all children followed by SIGTERM
++         * from the main process, which interrupts the SIGINT handler and
++         * leads to inconsistency.
++         */
++        apr_signal(SIGINT, SIG_IGN);
+         /* The child process just closes listeners on AP_SIG_GRACEFUL.
+          * The pod is used for signalling the graceful restart.
+          */
+-- 
+2.0.4
+
diff --git a/SOURCES/httpd-2.4.17-socket-activation.patch b/SOURCES/httpd-2.4.17-socket-activation.patch
new file mode 100644 (file)
index 0000000..d5cbdf2
--- /dev/null
@@ -0,0 +1,301 @@
+diff --git a/server/listen.c b/server/listen.c
+index 1d9be83..f5f7754 100644
+--- a/server/listen.c
++++ b/server/listen.c
+@@ -34,6 +34,10 @@
+ #include <unistd.h>
+ #endif
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ /* we know core's module_index is 0 */
+ #undef APLOG_MODULE_INDEX
+ #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
+@@ -59,9 +63,12 @@ static int ap_listenbacklog;
+ static int ap_listencbratio;
+ static int send_buffer_size;
+ static int receive_buffer_size;
++#ifdef HAVE_SYSTEMD
++static int use_systemd = -1;
++#endif
+ /* TODO: make_sock is just begging and screaming for APR abstraction */
+-static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
++static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_listen)
+ {
+     apr_socket_t *s = server->sd;
+     int one = 1;
+@@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+         return stat;
+     }
+-#if APR_HAVE_IPV6
+-    if (server->bind_addr->family == APR_INET6) {
+-        stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
+-        if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
+-            ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
+-                          "make_sock: for address %pI, apr_socket_opt_set: "
+-                          "(IPV6_V6ONLY)",
+-                          server->bind_addr);
+-            apr_socket_close(s);
+-            return stat;
+-        }
+-    }
+-#endif
+-
+     /*
+      * To send data over high bandwidth-delay connections at full
+      * speed we must force the TCP window to open wide enough to keep the
+@@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+     }
+ #endif
+-    if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) {
+-        ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072)
+-                      "make_sock: could not bind to address %pI",
+-                      server->bind_addr);
+-        apr_socket_close(s);
+-        return stat;
+-    }
++    if (do_bind_listen) {
++#if APR_HAVE_IPV6
++        if (server->bind_addr->family == APR_INET6) {
++            stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
++            if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
++                ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
++                              "make_sock: for address %pI, apr_socket_opt_set: "
++                              "(IPV6_V6ONLY)",
++                              server->bind_addr);
++                apr_socket_close(s);
++                return stat;
++            }
++        }
++#endif
+-    if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) {
+-        ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073)
+-                      "make_sock: unable to listen for connections "
+-                      "on address %pI",
+-                      server->bind_addr);
+-        apr_socket_close(s);
+-        return stat;
++        if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) {
++            ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072)
++                          "make_sock: could not bind to address %pI",
++                          server->bind_addr);
++            apr_socket_close(s);
++            return stat;
++        }
++
++        if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) {
++            ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073)
++                          "make_sock: unable to listen for connections "
++                          "on address %pI",
++                          server->bind_addr);
++            apr_socket_close(s);
++            return stat;
++        }
+     }
+ #ifdef WIN32
+@@ -277,6 +286,124 @@ static apr_status_t close_listeners_on_exec(void *v)
+     return APR_SUCCESS;
+ }
++
++#ifdef HAVE_SYSTEMD
++
++static int find_systemd_socket(process_rec * process, apr_port_t port) {
++    int fdcount, fd;
++    int sdc = sd_listen_fds(0);
++
++    if (sdc < 0) {
++        ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486)
++                      "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d",
++                      sdc);
++        return -1;
++    }
++
++    if (sdc == 0) {
++        ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487)
++                      "find_systemd_socket: At least one socket must be set.");
++        return -1;
++    }
++
++    fdcount = atoi(getenv("LISTEN_FDS"));
++    for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) {
++        if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) {
++            return fd;
++        }
++    }
++
++    return -1;
++}
++
++static apr_status_t alloc_systemd_listener(process_rec * process,
++                                           int fd, const char *proto,
++                                           ap_listen_rec **out_rec)
++{
++    apr_status_t rv;
++    struct sockaddr sa;
++    socklen_t len = sizeof(struct sockaddr);
++    apr_os_sock_info_t si;
++    ap_listen_rec *rec;
++    *out_rec = NULL;
++
++    memset(&si, 0, sizeof(si));
++
++    rv = getsockname(fd, &sa, &len);
++
++    if (rv != 0) {
++        rv = apr_get_netos_error();
++        ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02489)
++                      "getsockname on %d failed.", fd);
++        return rv;
++    }
++
++    si.os_sock = &fd;
++    si.family = sa.sa_family;
++    si.local = &sa;
++    si.type = SOCK_STREAM;
++    si.protocol = APR_PROTO_TCP;
++
++    rec = apr_palloc(process->pool, sizeof(ap_listen_rec));
++    rec->active = 0;
++    rec->next = 0;
++
++
++    rv = apr_os_sock_make(&rec->sd, &si, process->pool);
++    if (rv != APR_SUCCESS) {
++        ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02490)
++                      "apr_os_sock_make on %d failed.", fd);
++        return rv;
++    }
++
++    rv = apr_socket_addr_get(&rec->bind_addr, APR_LOCAL, rec->sd);
++    if (rv != APR_SUCCESS) {
++        ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02491)
++                      "apr_socket_addr_get on %d failed.", fd);
++        return rv;
++    }
++
++    rec->protocol = apr_pstrdup(process->pool, proto);
++
++    *out_rec = rec;
++
++    return make_sock(process->pool, rec, 0);
++}
++
++static const char *set_systemd_listener(process_rec *process, apr_port_t port,
++                                        const char *proto)
++{
++    ap_listen_rec *last, *new;
++    apr_status_t rv;
++    int fd = find_systemd_socket(process, port);
++    if (fd < 0) {
++        return "Systemd socket activation is used, but this port is not "
++                "configured in systemd";
++    }
++
++    last = ap_listeners;
++    while (last && last->next) {
++        last = last->next;
++    }
++
++    rv = alloc_systemd_listener(process, fd, proto, &new);
++    if (rv != APR_SUCCESS) {
++        return "Failed to setup socket passed by systemd using socket activation";
++    }
++
++    if (last == NULL) {
++        ap_listeners = last = new;
++    }
++    else {
++        last->next = new;
++        last = new;
++    }
++
++    return NULL;
++}
++
++#endif /* HAVE_SYSTEMD */
++
+ static const char *alloc_listener(process_rec *process, char *addr,
+                                   apr_port_t port, const char* proto,
+                                   void *slave)
+@@ -479,7 +606,7 @@ static int open_listeners(apr_pool_t *pool)
+                 }
+             }
+ #endif
+-            if (make_sock(pool, lr) == APR_SUCCESS) {
++            if (make_sock(pool, lr, 1) == APR_SUCCESS) {
+                 ++num_open;
+             }
+             else {
+@@ -591,8 +718,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
+         }
+     }
+-    if (open_listeners(s->process->pool)) {
+-        return 0;
++#ifdef HAVE_SYSTEMD
++    if (use_systemd) {
++        const char *userdata_key = "ap_open_systemd_listeners";
++        void *data;
++        /* clear the enviroment on our second run
++        * so that none of our future children get confused.
++        */
++        apr_pool_userdata_get(&data, userdata_key, s->process->pool);
++        if (!data) {
++            apr_pool_userdata_set((const void *)1, userdata_key,
++                                apr_pool_cleanup_null, s->process->pool);
++        }
++        else {
++            sd_listen_fds(1);
++        }
++    }
++    else
++#endif
++    {
++        if (open_listeners(s->process->pool)) {
++            return 0;
++        }
+     }
+     for (lr = ap_listeners; lr; lr = lr->next) {
+@@ -682,7 +829,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
+                             duplr->bind_addr);
+                 return stat;
+             }
+-            make_sock(p, duplr);
++            make_sock(p, duplr, 1);
+ #if AP_NONBLOCK_WHEN_MULTI_LISTEN
+             use_nonblock = (ap_listeners && ap_listeners->next);
+             stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock);
+@@ -809,6 +956,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+     if (argc < 1 || argc > 2) {
+         return "Listen requires 1 or 2 arguments.";
+     }
++#ifdef HAVE_SYSTEMD
++    if (use_systemd == -1) {
++        use_systemd = sd_listen_fds(0) > 0;
++    }
++#endif
+     rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool);
+     if (rv != APR_SUCCESS) {
+@@ -840,6 +992,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+         ap_str_tolower(proto);
+     }
++#ifdef HAVE_SYSTEMD
++    if (use_systemd) {
++        return set_systemd_listener(cmd->server->process, port, proto);
++    }
++#endif
++
+     return alloc_listener(cmd->server->process, host, port, proto, NULL);
+ }
diff --git a/SOURCES/httpd-2.4.17-sslciphdefault.patch b/SOURCES/httpd-2.4.17-sslciphdefault.patch
new file mode 100644 (file)
index 0000000..8efc461
--- /dev/null
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
+@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+-    /* always disable null and export ciphers */
+-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++    /* Disable null and export ciphers by default, except for PROFILE=
++     * configs where the parser doesn't cope. */
++    if (strncmp(arg, "PROFILE=", 8) != 0)
++        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+     if (cmd->path) {
+         dc->szCipherSuite = arg;
+@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+-    /* always disable null and export ciphers */
+-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++    /* Disable null and export ciphers by default, except for PROFILE=
++     * configs where the parser doesn't cope. */
++    if (strncmp(arg, "PROFILE=", 8) != 0)
++        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+     sc->proxy->auth.cipher_suite = arg;
diff --git a/SOURCES/httpd-2.4.18-sslmultiproxy.patch b/SOURCES/httpd-2.4.18-sslmultiproxy.patch
new file mode 100644 (file)
index 0000000..3f00f3f
--- /dev/null
@@ -0,0 +1,98 @@
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 717a694..a3ce718 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -395,6 +395,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+     return sslconn;
+ }
++static typeof(ssl_proxy_enable) *othermod_proxy_enable;
++static typeof(ssl_engine_disable) *othermod_engine_disable;
++
+ int ssl_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc;
+@@ -403,6 +406,12 @@ int ssl_proxy_enable(conn_rec *c)
+     sc = mySrvConfig(sslconn->server);
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_ssl proxy not configured, passing through to other module.");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+                       "SSL Proxy requested for %s but not enabled "
+                       "[Hint: SSLProxyEngine]", sc->vhost_id);
+@@ -422,6 +431,10 @@ int ssl_engine_disable(conn_rec *c)
+     SSLConnRec *sslconn = myConnConfig(c);
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sslconn) {
+         sc = mySrvConfig(sslconn->server);
+     }
+@@ -621,6 +634,9 @@ static void ssl_register_hooks(apr_pool_t *p)
+     ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+     ssl_var_register(p);
++    
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index a6b0d0d..24fd8c7 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -54,6 +54,8 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char
+ static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
+ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+ static SSLConnRec *ssl_get_effective_config(conn_rec *c)
+ {
+@@ -68,7 +70,9 @@ static SSLConnRec *ssl_get_effective_config(conn_rec *c)
+ static int ssl_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = ssl_get_effective_config(c);
+-    return sslconn && sslconn->ssl;
++
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
+@@ -137,6 +141,9 @@ void ssl_var_register(apr_pool_t *p)
+ {
+     char *cp, *cp2;
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
+     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+     APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
+@@ -272,6 +279,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = ssl_get_effective_config(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* For an SSL_* variable, if mod_ssl is not enabled for
++             * this connection and another SSL module is present, pass
++             * through to that module. */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+             && sslconn && sslconn->ssl)
+             result = ssl_var_lookup_ssl(p, sslconn, r, var+4);
diff --git a/SOURCES/httpd-2.4.2-icons.patch b/SOURCES/httpd-2.4.2-icons.patch
new file mode 100644 (file)
index 0000000..9f26494
--- /dev/null
@@ -0,0 +1,25 @@
+
+- Fix config for /icons/ dir to allow symlink to poweredby.png.
+
+- Avoid using coredump GIF for a directory called "core"
+
+--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons
++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
+@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
+ Alias /icons/ "@exp_iconsdir@/"
+ <Directory "@exp_iconsdir@">
+-    Options Indexes MultiViews
++    Options Indexes MultiViews FollowSymlinks
+     AllowOverride None
+     Require all granted
+ </Directory>
+@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+-AddIcon /icons/bomb.gif core
++AddIcon /icons/bomb.gif core.
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
diff --git a/SOURCES/httpd-2.4.20.tar.bz2 b/SOURCES/httpd-2.4.20.tar.bz2
new file mode 100644 (file)
index 0000000..8d0b460
Binary files /dev/null and b/SOURCES/httpd-2.4.20.tar.bz2 differ
diff --git a/SOURCES/httpd-2.4.3-apctl-systemd.patch b/SOURCES/httpd-2.4.3-apctl-systemd.patch
new file mode 100644 (file)
index 0000000..5823aee
--- /dev/null
@@ -0,0 +1,45 @@
+
+Upstream-Status: vendor specific patch
+
+diff --git a/support/apachectl.in b/support/apachectl.in
+index c6ac3ea..2599386 100644
+--- a/support/apachectl.in
++++ b/support/apachectl.in
+@@ -100,9 +100,24 @@ fi
+ ERROR=$?
+ }
++if [ "x$2" != "x" ] ; then
++    echo Passing arguments to httpd using apachectl is no longer supported.
++    echo You can only start/stop/restart httpd using this script.
++    echo If you want to pass extra arguments to httpd, edit the
++    echo /etc/sysconfig/httpd config file.
++fi
++
+ case $ACMD in
+-start|stop|restart|graceful|graceful-stop)
+-    $HTTPD $OPTIONS -k $ARGV
++start|stop|restart|status)
++    /usr/bin/systemctl $ACMD httpd.service
++    ERROR=$?
++    ;;
++graceful)
++    /usr/bin/systemctl reload httpd.service
++    ERROR=$?
++    ;;
++graceful-stop)
++    /usr/bin/systemctl stop httpd.service
+     ERROR=$?
+     ;;
+ startssl|sslstart|start-SSL)
+@@ -114,10 +129,6 @@ startssl|sslstart|start-SSL)
+ configtest)
+     testconfig
+     ;;
+-status)
+-    checklynx
+-    $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+-    ;;
+ fullstatus)
+     checklynx
+     $LYNX $STATUSURL
diff --git a/SOURCES/httpd-2.4.3-release.patch b/SOURCES/httpd-2.4.3-release.patch
new file mode 100644 (file)
index 0000000..0b2fb77
--- /dev/null
@@ -0,0 +1,16 @@
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: vendor-specific change
+
+--- httpd-2.4.3/server/core.c.release
++++ httpd-2.4.3/server/core.c
+@@ -3189,7 +3189,7 @@ static void set_banner(apr_pool_t *pconf
+         ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
+     }
+     else {
+-        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
++        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (@RELEASE@)");
+     }
+     /*
diff --git a/SOURCES/httpd-2.4.4-cachehardmax.patch b/SOURCES/httpd-2.4.4-cachehardmax.patch
new file mode 100644 (file)
index 0000000..de360ce
--- /dev/null
@@ -0,0 +1,82 @@
+diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
+index eec38f3..1a2d5ee 100644
+--- a/modules/cache/cache_util.h
++++ b/modules/cache/cache_util.h
+@@ -194,6 +194,9 @@ typedef struct {
+     unsigned int store_nostore_set:1;
+     unsigned int enable_set:1;
+     unsigned int disable_set:1;
++    /* treat maxex as hard limit */
++    unsigned int hardmaxex:1;
++    unsigned int hardmaxex_set:1;
+ } cache_dir_conf;
+ /* A linked-list of authn providers. */
+diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
+index 4f2d3e0..30c88f4 100644
+--- a/modules/cache/mod_cache.c
++++ b/modules/cache/mod_cache.c
+@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
+             exp = date + dconf->defex;
+         }
+     }
++    /* else, forcibly cap the expiry date if required */
++    else if (dconf->hardmaxex && (date + dconf->maxex) < exp) {
++        exp = date + dconf->maxex;
++    }        
++
+     info->expire = exp;
+     /* We found a stale entry which wasn't really stale. */
+@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
+     /* array of providers for this URL space */
+     dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
+-
++    /* flag; treat maxex as hard limit */
++    dconf->hardmaxex = 0;
++    dconf->hardmaxex_set = 0;
+     return dconf;
+ }
+@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
+     new->enable_set = add->enable_set || base->enable_set;
+     new->disable = (add->disable_set == 0) ? base->disable : add->disable;
+     new->disable_set = add->disable_set || base->disable_set;
+-
++    new->hardmaxex = 
++        (add->hardmaxex_set == 0)
++        ? base->hardmaxex
++        : add->hardmaxex;
+     return new;
+ }
+@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
+ }
+ static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+-                                   const char *arg)
++                                   const char *arg, const char *hard)
+ {
+     cache_dir_conf *dconf = (cache_dir_conf *)dummy;
+     dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+     dconf->maxex_set = 1;
++    
++    if (hard && strcasecmp(hard, "hard") == 0) {
++        dconf->hardmaxex = 1;
++        dconf->hardmaxex_set = 1;
++    }
++
+     return NULL;
+ }
+@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] =
+                    "caching is enabled"),
+     AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
+                   "A partial URL prefix below which caching is disabled"),
+-    AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
++    AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
+                   "The maximum time in seconds to cache a document"),
+     AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF,
+                   "The minimum time in seconds to cache a document"),
diff --git a/SOURCES/httpd-2.4.4-export.patch b/SOURCES/httpd-2.4.4-export.patch
new file mode 100644 (file)
index 0000000..eb670c6
--- /dev/null
@@ -0,0 +1,20 @@
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
+
+--- httpd-2.4.4/server/Makefile.in.export
++++ httpd-2.4.4/server/Makefile.in
+@@ -57,9 +57,6 @@ export_files:
+       ( for dir in $(EXPORT_DIRS); do \
+             ls $$dir/*.h ; \
+         done; \
+-        for dir in $(EXPORT_DIRS_APR); do \
+-            ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+-        done; \
+       ) | sed -e s,//,/,g | sort -u > $@
+ exports.c: export_files
diff --git a/SOURCES/httpd-2.4.4-malformed-host.patch b/SOURCES/httpd-2.4.4-malformed-host.patch
new file mode 100644 (file)
index 0000000..57975e5
--- /dev/null
@@ -0,0 +1,12 @@
+diff --git a/server/protocol.c b/server/protocol.c
+index e1ef204..d6d9165 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
+      * now read. may update status.
+      */
+     ap_update_vhost_from_headers(r);
++    access_status = r->status;
+     /* Toggle to the Host:-based vhost's timeout mode to fetch the
+      * request body and send the response body, if needed.
diff --git a/SOURCES/httpd-2.4.4-mod_unique_id.patch b/SOURCES/httpd-2.4.4-mod_unique_id.patch
new file mode 100644 (file)
index 0000000..30bdfe0
--- /dev/null
@@ -0,0 +1,239 @@
+--- trunk/modules/metadata/mod_unique_id.c     2011/12/02 23:02:04     1209766
++++ trunk/modules/metadata/mod_unique_id.c     2013/07/10 16:20:31     1501827
+@@ -31,14 +31,11 @@
+ #include "http_log.h"
+ #include "http_protocol.h"  /* for ap_hook_post_read_request */
+-#if APR_HAVE_UNISTD_H
+-#include <unistd.h>         /* for getpid() */
+-#endif
++#define ROOT_SIZE 10
+ typedef struct {
+     unsigned int stamp;
+-    unsigned int in_addr;
+-    unsigned int pid;
++    char root[ROOT_SIZE];
+     unsigned short counter;
+     unsigned int thread_index;
+ } unique_id_rec;
+@@ -64,20 +61,15 @@
+  * gethostbyname (gethostname()) is unique across all the machines at the
+  * "site".
+  *
+- * We also further assume that pids fit in 32-bits.  If something uses more
+- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
+- * loop to be extended.  * A similar fix is needed to support multithreaded
+- * servers, using a pid/tid combo.
+- *
+- * Together, the in_addr and pid are assumed to absolutely uniquely identify
+- * this one child from all other currently running children on all servers
+- * (including this physical server if it is running multiple httpds) from each
++ * The root is assumed to absolutely uniquely identify this one child
++ * from all other currently running children on all servers (including
++ * this physical server if it is running multiple httpds) from each
+  * other.
+  *
+- * The stamp and counter are used to distinguish all hits for a particular
+- * (in_addr,pid) pair.  The stamp is updated using r->request_time,
+- * saving cpu cycles.  The counter is never reset, and is used to permit up to
+- * 64k requests in a single second by a single child.
++ * The stamp and counter are used to distinguish all hits for a
++ * particular root.  The stamp is updated using r->request_time,
++ * saving cpu cycles.  The counter is never reset, and is used to
++ * permit up to 64k requests in a single second by a single child.
+  *
+  * The 144-bits of unique_id_rec are encoded using the alphabet
+  * [A-Za-z0-9@-], resulting in 24 bytes of printable characters.  That is then
+@@ -92,7 +84,7 @@
+  * module change.
+  *
+  * It is highly desirable that identifiers exist for "eternity".  But future
+- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
++ * needs (such as much faster webservers, or moving to a
+  * multithreaded server) may dictate a need to change the contents of
+  * unique_id_rec.  Such a future implementation should ensure that the first
+  * field is still a time_t stamp.  By doing that, it is possible for a site to
+@@ -100,7 +92,15 @@
+  * wait one entire second, and then start all of their new-servers.  This
+  * procedure will ensure that the new space of identifiers is completely unique
+  * from the old space.  (Since the first four unencoded bytes always differ.)
++ *
++ * Note: previous implementations used 32-bits of IP address plus pid
++ * in place of the PRNG output in the "root" field.  This was
++ * insufficient for IPv6-only hosts, required working DNS to determine
++ * a unique IP address (fragile), and needed a [0, 1) second sleep
++ * call at startup to avoid pid reuse.  Use of the PRNG avoids all
++ * these issues.
+  */
++
+ /*
+  * Sun Jun  7 05:43:49 CEST 1998 -- Alvaro
+  * More comments:
+@@ -116,8 +116,6 @@
+  * htonl/ntohl. Well, this shouldn't be a problem till year 2106.
+  */
+-static unsigned global_in_addr;
+-
+ /*
+  * XXX: We should have a per-thread counter and not use cur_unique_id.counter
+  * XXX: in all threads, because this is bad for performance on multi-processor
+@@ -129,7 +127,7 @@
+ /*
+  * Number of elements in the structure unique_id_rec.
+  */
+-#define UNIQUE_ID_REC_MAX 5
++#define UNIQUE_ID_REC_MAX 4
+ static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
+                       unique_id_rec_size[UNIQUE_ID_REC_MAX],
+@@ -138,113 +136,32 @@
+ static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
+ {
+-    char str[APRMAXHOSTLEN + 1];
+-    apr_status_t rv;
+-    char *ipaddrstr;
+-    apr_sockaddr_t *sockaddr;
+-
+     /*
+      * Calculate the sizes and offsets in cur_unique_id.
+      */
+     unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
+     unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
+-    unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
+-    unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
+-    unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
+-    unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
+-    unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
+-    unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
+-    unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
+-    unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
++    unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
++    unique_id_rec_size[1] = sizeof(cur_unique_id.root);
++    unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
++    unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
++    unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
++    unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
+     unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
+-                               unique_id_rec_size[2] + unique_id_rec_size[3] +
+-                               unique_id_rec_size[4];
++                               unique_id_rec_size[2] + unique_id_rec_size[3];
+     /*
+      * Calculate the size of the structure when encoded.
+      */
+     unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
+-    /*
+-     * Now get the global in_addr.  Note that it is not sufficient to use one
+-     * of the addresses from the main_server, since those aren't as likely to
+-     * be unique as the physical address of the machine
+-     */
+-    if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
+-        ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
+-          "unable to find hostname of the server");
+-        return HTTP_INTERNAL_SERVER_ERROR;
+-    }
+-
+-    if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
+-        global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
+-    }
+-    else {
+-        ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
+-                    "unable to find IPv4 address of \"%s\"", str);
+-#if APR_HAVE_IPV6
+-        if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
+-            memcpy(&global_in_addr,
+-                   (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
+-                   sizeof(global_in_addr));
+-            ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
+-                         "using low-order bits of IPv6 address "
+-                         "as if they were unique");
+-        }
+-        else
+-#endif
+-        return HTTP_INTERNAL_SERVER_ERROR;
+-    }
+-
+-    apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
+-    ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
+-                 ipaddrstr);
+-
+-    /*
+-     * If the server is pummelled with restart requests we could possibly end
+-     * up in a situation where we're starting again during the same second
+-     * that has been used in previous identifiers.  Avoid that situation.
+-     *
+-     * In truth, for this to actually happen not only would it have to restart
+-     * in the same second, but it would have to somehow get the same pids as
+-     * one of the other servers that was running in that second. Which would
+-     * mean a 64k wraparound on pids ... not very likely at all.
+-     *
+-     * But protecting against it is relatively cheap.  We just sleep into the
+-     * next second.
+-     */
+-    apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
+     return OK;
+ }
+ static void unique_id_child_init(apr_pool_t *p, server_rec *s)
+ {
+-    pid_t pid;
+-
+-    /*
+-     * Note that we use the pid because it's possible that on the same
+-     * physical machine there are multiple servers (i.e. using Listen). But
+-     * it's guaranteed that none of them will share the same pids between
+-     * children.
+-     *
+-     * XXX: for multithread this needs to use a pid/tid combo and probably
+-     * needs to be expanded to 32 bits
+-     */
+-    pid = getpid();
+-    cur_unique_id.pid = pid;
+-
+-    /*
+-     * Test our assumption that the pid is 32-bits.  It's possible that
+-     * 64-bit machines will declare pid_t to be 64 bits but only use 32
+-     * of them.  It would have been really nice to test this during
+-     * global_init ... but oh well.
+-     */
+-    if ((pid_t)cur_unique_id.pid != pid) {
+-        ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
+-                    "oh no! pids are greater than 32-bits!  I'm broken!");
+-    }
+-
+-    cur_unique_id.in_addr = global_in_addr;
++    ap_random_insecure_bytes(&cur_unique_id.root,
++                             sizeof(cur_unique_id.root));
+     /*
+      * If we use 0 as the initial counter we have a little less protection
+@@ -253,13 +170,6 @@
+      */
+     ap_random_insecure_bytes(&cur_unique_id.counter,
+                              sizeof(cur_unique_id.counter));
+-
+-    /*
+-     * We must always use network ordering for these bytes, so that
+-     * identifiers are comparable between machines of different byte
+-     * orderings.  Note in_addr is already in network order.
+-     */
+-    cur_unique_id.pid = htonl(cur_unique_id.pid);
+ }
+ /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
+@@ -291,10 +201,8 @@
+     unsigned short counter;
+     int i,j,k;
+-    new_unique_id.in_addr = cur_unique_id.in_addr;
+-    new_unique_id.pid = cur_unique_id.pid;
++    memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
+     new_unique_id.counter = cur_unique_id.counter;
+-
+     new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
+     new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
diff --git a/SOURCES/httpd-2.4.4-r1332643+.patch b/SOURCES/httpd-2.4.4-r1332643+.patch
new file mode 100644 (file)
index 0000000..849f6d0
--- /dev/null
@@ -0,0 +1,248 @@
+# ./pullrev.sh 1332643 1345599
+
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+
+http://svn.apache.org/viewvc?view=revision&revision=1345599
+
+--- httpd-2.4.4/modules/ssl/mod_ssl.c.r1332643+
++++ httpd-2.4.4/modules/ssl/mod_ssl.c
+@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds
+     AP_END_CMD
+ };
++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++    modssl, AP, int, npn_advertise_protos_hook,
++    (conn_rec *connection, apr_array_header_t *protos),
++    (connection, protos), OK, DECLINED);
++
++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
++    modssl, AP, int, npn_proto_negotiated_hook,
++    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
++    (connection, proto_name, proto_name_len), OK, DECLINED);
++
+ /*
+  *  the various processing hooks
+  */
+--- httpd-2.4.4/modules/ssl/mod_ssl.h.r1332643+
++++ httpd-2.4.4/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
++/** The npn_advertise_protos optional hook allows other modules to add entries
++ * to the list of protocol names advertised by the server during the Next
++ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
++ * given the connection and an APR array; it should push one or more char*'s
++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
++ * the array and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
++                          (conn_rec *connection, apr_array_header_t *protos));
++
++/** The npn_proto_negotiated optional hook allows other modules to discover the
++ * name of the protocol that was chosen during the Next Protocol Negotiation
++ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
++ * (in which case modules should probably assume HTTP), or it may be a protocol
++ * that was never even advertised by the server.  The hook callee is given the
++ * connection, a non-null-terminated string containing the protocol name, and
++ * the length of the string; it should do something appropriate (i.e. insert or
++ * remove filters) and return OK, or do nothing and return DECLINED. */
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
++                          (conn_rec *connection, const char *proto_name,
++                           apr_size_t proto_name_len));
++
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+--- httpd-2.4.4/modules/ssl/ssl_engine_init.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
+@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
+ #endif
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++#ifdef HAVE_TLS_NPN
++    SSL_CTX_set_next_protos_advertised_cb(
++        ctx, ssl_callback_AdvertiseNextProtos, NULL);
++#endif
+ }
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.4.4/modules/ssl/ssl_engine_io.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+                                   core keeps dumping.''
+                                             -- Unknown    */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "apr_date.h"
+ /*  _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+     apr_pool_t *pool;
+     char buffer[AP_IOBUFSIZE];
+     ssl_filter_ctx_t *filter_ctx;
++    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+ /*
+@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
+         APR_BRIGADE_INSERT_TAIL(bb, bucket);
+     }
++#ifdef HAVE_TLS_NPN
++    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
++     * our version of OpenSSL supports it).  If we haven't already, find out
++     * which protocol was decided upon and inform other modules by calling
++     * npn_proto_negotiated_hook. */
++    if (!inctx->npn_finished) {
++        const unsigned char *next_proto = NULL;
++        unsigned next_proto_len = 0;
++
++        SSL_get0_next_proto_negotiated(
++            inctx->ssl, &next_proto, &next_proto_len);
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
++                      APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
++                      next_proto_len, (const char*)next_proto);
++        modssl_run_npn_proto_negotiated_hook(
++            f->c, (const char*)next_proto, next_proto_len);
++        inctx->npn_finished = 1;
++    }
++#endif
++
+     return APR_SUCCESS;
+ }
+@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
+     inctx->block = APR_BLOCK_READ;
+     inctx->pool = c->pool;
+     inctx->filter_ctx = filter_ctx;
++    inctx->npn_finished = 0;
+ }
+ /* The request_rec pointer is passed in here only to ensure that the
+--- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+                                   time I was too famous.''
+                                             -- Unknown                */
+ #include "ssl_private.h"
++#include "mod_ssl.h"
+ #include "util_md5.h"
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2161,6 +2162,90 @@ int ssl_callback_SessionTicket(SSL *ssl,
+ }
+ #endif /* HAVE_TLS_SESSION_TICKETS */
++#ifdef HAVE_TLS_NPN
++/*
++ * This callback function is executed when SSL needs to decide what protocols
++ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
++ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
++ * in OpenSSL for reference.
++ */
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
++                                     unsigned int *size_out, void *arg)
++{
++    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
++    apr_array_header_t *protos;
++    int num_protos;
++    unsigned int size;
++    int i;
++    unsigned char *data;
++    unsigned char *start;
++
++    *data_out = NULL;
++    *size_out = 0;
++
++    /* If the connection object is not available, then there's nothing for us
++     * to do. */
++    if (c == NULL) {
++        return SSL_TLSEXT_ERR_OK;
++    }
++
++    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
++     * add alternate protocol names to advertise. */
++    protos = apr_array_make(c->pool, 0, sizeof(char*));
++    modssl_run_npn_advertise_protos_hook(c, protos);
++    num_protos = protos->nelts;
++
++    /* We now have a list of null-terminated strings; we need to concatenate
++     * them together into a single string, where each protocol name is prefixed
++     * by its length.  First, calculate how long that string will be. */
++    size = 0;
++    for (i = 0; i < num_protos; ++i) {
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
++        unsigned int length = strlen(string);
++        /* If the protocol name is too long (the length must fit in one byte),
++         * then log an error and skip it. */
++        if (length > 255) {
++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
++                          "SSL NPN protocol name too long (length=%u): %s",
++                          length, string);
++            continue;
++        }
++        /* Leave room for the length prefix (one byte) plus the protocol name
++         * itself. */
++        size += 1 + length;
++    }
++
++    /* If there is nothing to advertise (either because no modules added
++     * anything to the protos array, or because all strings added to the array
++     * were skipped), then we're done. */
++    if (size == 0) {
++        return SSL_TLSEXT_ERR_OK;
++    }
++
++    /* Now we can build the string.  Copy each protocol name string into the
++     * larger string, prefixed by its length. */
++    data = apr_palloc(c->pool, size * sizeof(unsigned char));
++    start = data;
++    for (i = 0; i < num_protos; ++i) {
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
++        apr_size_t length = strlen(string);
++        if (length > 255)
++            continue;
++        *start = (unsigned char)length;
++        ++start;
++        memcpy(start, string, length * sizeof(unsigned char));
++        start += length;
++    }
++
++    /* Success. */
++    *data_out = data;
++    *size_out = size;
++    return SSL_TLSEXT_ERR_OK;
++}
++
++#endif /* HAVE_TLS_NPN */
++
+ #ifndef OPENSSL_NO_SRP
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+--- httpd-2.4.4/modules/ssl/ssl_private.h.r1332643+
++++ httpd-2.4.4/modules/ssl/ssl_private.h
+@@ -139,6 +139,11 @@
+ #define HAVE_FIPS
+ #endif
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
++    && !defined(OPENSSL_NO_TLSEXT)
++#define HAVE_TLS_NPN
++#endif
++
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+ #define MODSSL_SSL_CIPHER_CONST const
+ #define MODSSL_SSL_METHOD_CONST const
+@@ -840,6 +845,7 @@ int          ssl_callback_ServerNameIndi
+ int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+ /**  Session Cache Support  */
+ void         ssl_scache_init(server_rec *, apr_pool_t *);
diff --git a/SOURCES/httpd-2.4.4-r1337344+.patch b/SOURCES/httpd-2.4.4-r1337344+.patch
new file mode 100644 (file)
index 0000000..6e5c3e7
--- /dev/null
@@ -0,0 +1,250 @@
+# ./pullrev.sh 1337344 1341905 1342065 1341930
+
+suexec enhancements:
+
+1) use syslog for logging
+2) use capabilities not setuid/setgid root binary
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
+
+--- httpd-2.4.4/configure.in.r1337344+
++++ httpd-2.4.4/configure.in
+@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+-  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++  if test "x$withval" = "xyes"; then
++    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++  fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++  if test $withval = "yes"; then
++    if test "x${with_suexec_logfile}" != "xno"; then
++      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++      AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++    fi
++    AC_CHECK_FUNCS([vsyslog], [], [
++       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++  fi    
++])
++
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+   AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities], 
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, 
++          [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+   AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.4/docs/manual/suexec.html.en
+@@ -372,6 +372,21 @@
+       together with the <code>--enable-suexec</code> option to let
+       APACI accept your request for using the suEXEC feature.</dd>
++      <dt><code>--enable-suexec-capabilities</code></dt>
++
++      <dd><strong>Linux specific:</strong> Normally,
++      the <code>suexec</code> binary is installed "setuid/setgid
++      root", which allows it to run with the full privileges of the
++      root user.  If this option is used, the <code>suexec</code>
++      binary will instead be installed with only the setuid/setgid
++      "capability" bits set, which is the subset of full root
++      priviliges required for suexec operation.  Note that
++      the <code>suexec</code> binary may not be able to write to a log
++      file in this mode; it is recommended that the
++      <code>--with-suexec-syslog --without-suexec-logfile</code>
++      options are used in conjunction with this mode, so that syslog
++      logging is used instead.</dd>
++
+       <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
+       <dd>The path to the <code>suexec</code> binary must be hard-coded
+@@ -433,6 +448,12 @@
+       "<code>suexec_log</code>" and located in your standard logfile
+       directory (<code>--logfiledir</code>).</dd>
++      <dt><code>--with-suexec-syslog</code></dt>
++
++      <dd>If defined, suexec will log notices and errors to syslog
++      instead of a logfile.  This option must be combined
++      with <code>--without-suexec-logfile</code>.</dd>
++
+       <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
+       <dd>Define a safe PATH environment to pass to CGI
+@@ -550,9 +571,12 @@ Group webgroup
+     <p>The suEXEC wrapper will write log information
+     to the file defined with the <code>--with-suexec-logfile</code>
+-    option as indicated above. If you feel you have configured and
+-    installed the wrapper properly, have a look at this log and the
+-    error_log for the server to see where you may have gone astray.</p>
++    option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
++    is used. If you feel you have configured and
++    installed the wrapper properly, have a look at the log and the
++    error_log for the server to see where you may have gone astray. 
++    The output of <code>"suexec -V"</code> will show the options
++    used to compile suexec, if using a binary distribution.</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
+     prettyPrint();
+ }
+ //--><!]]></script>
+-</body></html>
+\ No newline at end of file
++</body></html>
+--- httpd-2.4.4/Makefile.in.r1337344+
++++ httpd-2.4.4/Makefile.in
+@@ -238,11 +238,22 @@ install-man:
+         cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
+       fi
+-install-suexec:
++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
++
++install-suexec-binary:
+       @if test -f $(builddir)/support/suexec; then \
+             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
+-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++      fi
++
++install-suexec-setuid:
++      @if test -f $(builddir)/support/suexec; then \
++          chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++      fi
++
++install-suexec-caps:
++      @if test -f $(builddir)/support/suexec; then \
++            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
+       fi
+ suexec:
+--- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+
++++ httpd-2.4.4/modules/arch/unix/mod_unixd.c
+@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
+     return NULL;
+ }
++#ifdef AP_SUEXEC_CAPABILITIES
++/* If suexec is using capabilities, don't test for the setuid bit. */
++#define SETUID_TEST(finfo) (1)
++#else
++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
++#endif
++
+ static int
+ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+                  apr_pool_t *ptemp)
+@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
+     ap_unixd_config.suexec_enabled = 0;
+     if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+          == APR_SUCCESS) {
+-        if ((wrapper.protection & APR_USETID) && wrapper.user == 0
++        if (SETUID_TEST(wrapper) && wrapper.user == 0
+             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
+             ap_unixd_config.suexec_enabled = 1;
+             ap_unixd_config.suexec_disabled_reason = "";
+--- httpd-2.4.4/support/suexec.c.r1337344+
++++ httpd-2.4.4/support/suexec.c
+@@ -58,6 +58,10 @@
+ #include <grp.h>
+ #endif
++#ifdef AP_LOG_SYSLOG
++#include <syslog.h>
++#endif
++
+ #if defined(PATH_MAX)
+ #define AP_MAXPATH PATH_MAX
+ #elif defined(MAXPATHLEN)
+@@ -69,7 +73,20 @@
+ #define AP_ENVBUF 256
+ extern char **environ;
++
++#ifdef AP_LOG_SYSLOG
++/* Syslog support. */
++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
++#define AP_LOG_FACILITY LOG_AUTHPRIV
++#elif !defined(AP_LOG_FACILITY)
++#define AP_LOG_FACILITY LOG_AUTH
++#endif
++
++static int log_open;
++#else
++/* Non-syslog support. */
+ static FILE *log = NULL;
++#endif
+ static const char *const safe_env_lst[] =
+ {
+@@ -137,7 +154,14 @@ static void err_output(int is_error, con
+ static void err_output(int is_error, const char *fmt, va_list ap)
+ {
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++    if (!log_open) {
++        openlog("suexec", LOG_PID, AP_LOG_FACILITY);
++        log_open = 1;
++    }
++
++    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
++#elif defined(AP_LOG_EXEC)
+     time_t timevar;
+     struct tm *lt;
+@@ -295,7 +319,9 @@ int main(int argc, char *argv[])
+ #ifdef AP_HTTPD_USER
+         fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+ #endif
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++        fprintf(stderr, " -D AP_LOG_SYSLOG\n");
++#elif defined(AP_LOG_EXEC)
+         fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
+ #endif
+ #ifdef AP_SAFE_PATH
+@@ -591,6 +617,12 @@ int main(int argc, char *argv[])
+ #endif /* AP_SUEXEC_UMASK */
+     /* Be sure to close the log file so the CGI can't mess with it. */
++#ifdef AP_LOG_SYSLOG
++    if (log_open) {
++        closelog();
++        log_open = 0;
++    }
++#else
+     if (log != NULL) {
+ #if APR_HAVE_FCNTL_H
+         /*
+@@ -612,6 +644,7 @@ int main(int argc, char *argv[])
+         log = NULL;
+ #endif
+     }
++#endif
+     /*
+      * Execute the command, replacing our image with its own.
diff --git a/SOURCES/httpd-2.4.9-apxs.patch b/SOURCES/httpd-2.4.9-apxs.patch
new file mode 100644 (file)
index 0000000..7016dec
--- /dev/null
@@ -0,0 +1,58 @@
+diff --git a/support/apxs.in b/support/apxs.in
+index ad1287f..efcfcf6 100644
+--- a/support/apxs.in
++++ b/support/apxs.in
+@@ -25,7 +25,18 @@ package apxs;
+ my %config_vars = ();
+-my $installbuilddir = "@exp_installbuilddir@";
++# Awful hack to make apxs libdir-agnostic:
++my $pkg_config = "/usr/bin/pkg-config";
++if (! -x "$pkg_config") {
++    error("$pkg_config not found!");
++    exit(1);
++}
++
++my $libdir = `pkg-config --variable=libdir apr-1`;
++chomp $libdir;
++
++my $installbuilddir = $libdir . "/httpd/build";
++
+ get_config_vars("$installbuilddir/config_vars.mk",\%config_vars);
+ # read the configuration variables once
+@@ -275,7 +286,7 @@ if ($opt_g) {
+     $data =~ s|%NAME%|$name|sg;
+     $data =~ s|%TARGET%|$CFG_TARGET|sg;
+     $data =~ s|%PREFIX%|$prefix|sg;
+-    $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++    $data =~ s|%LIBDIR%|$libdir|sg;
+     my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+@@ -453,11 +464,11 @@ if ($opt_c) {
+     my $ldflags = "$CFG_LDFLAGS";
+     if ($opt_p == 1) {
+         
+-        my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
++        my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
+         chomp($apr_libs);
+         my $apu_libs="";
+         if ($apr_major_version < 2) {
+-            $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
++            $apu_libs=`$apu_config --ldflags --link-libtool`;
+             chomp($apu_libs);
+         }
+         
+@@ -672,8 +683,8 @@ __DATA__
+ builddir=.
+ top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
+-include %INSTALLBUILDDIR%/special.mk
++top_builddir=%LIBDIR%/httpd
++include %LIBDIR%/httpd/build/special.mk
+ #   the used tools
+ APACHECTL=apachectl
diff --git a/SOURCES/ihttpd-2.4.20-layout.patch b/SOURCES/ihttpd-2.4.20-layout.patch
new file mode 100644 (file)
index 0000000..8afcfdd
--- /dev/null
@@ -0,0 +1,33 @@
+
+Add layout for IHttpd.
+
+--- httpd-2.4.20/config.layout.orig
++++ httpd-2.4.20/config.layout
+@@ -370,3 +370,27 @@
+     logfiledir:      ${localstatedir}/log/httpd
+     proxycachedir:   ${localstatedir}/cache/httpd
+ </Layout>
++
++# IHttpd layout
++<Layout IHttpd>
++    prefix:        /usr
++    exec_prefix:   ${prefix}
++    bindir:        ${prefix}/bin
++    sbindir:       ${prefix}/sbin
++    libdir:        ${prefix}/lib
++    libexecdir:    ${prefix}/libexec
++    mandir:        ${prefix}/man
++    sysconfdir:    /etc
++    datadir:       ${prefix}/share/ihttpd
++    installbuilddir: ${libdir}/ihttpd/build
++    errordir:      ${datadir}/error
++    iconsdir:      ${datadir}/icons
++    htdocsdir:     /var/www/html
++    manualdir:     ${datadir}/manual
++    cgidir:        /var/www/cgi-bin
++    includedir:    ${prefix}/include/ihttpd
++    localstatedir: /var
++    runtimedir:    /run/ihttpd
++    logfiledir:    ${localstatedir}/log/ihttpd
++    proxycachedir: ${localstatedir}/cache/ihttpd/proxy
++</Layout>     
diff --git a/SOURCES/ihttpd.conf b/SOURCES/ihttpd.conf
new file mode 100644 (file)
index 0000000..02a62b2
--- /dev/null
@@ -0,0 +1,79 @@
+# Fix server root
+#XXX: useless now ???
+ServerRoot "/etc"
+
+# Listen on port 80 and 443
+Listen 80
+Listen 443
+
+# Server admin
+ServerAdmin root@localhost
+
+# Fix user
+User root
+Group root
+
+# Send charset
+AddDefaultCharset UTF-8
+
+# Allow file send
+EnableSendfile on
+
+# Set document root
+DocumentRoot "/var/www/html"
+
+<Directory />
+       AllowOverride None
+</Directory>
+<Directory "/run/ihttpd/log">
+       AllowOverride None
+       Require all granted
+</Directory>
+<Directory "/var/www/html">
+       AllowOverride None
+       Options Indexes FollowSymLinks ExecCGI
+       Require all granted
+       DirectoryIndex index.bin
+       AddHandler cgi-script .bin
+</Directory>
+
+# Fix mime type file location
+TypesConfig /etc/mime.types
+
+# Fix pid location
+PidFile /run/ihttpd/ihttpd.pid
+
+# Fix dir for rewrite map lock files
+Mutex file:/run/ihttpd rewrite-map
+Mutex file:/run/ihttpd mpm-accept
+
+# Disable version info
+ServerSignature Off
+ServerTokens Prod
+
+# SSL configuration
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLSessionCache shmcb:/run/ihttpd/ssl_scache(512000)
+SSLProtocol all -SSLv3
+
+# Redirect to https
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+# SSL vhost
+<VirtualHost *:443>
+       ServerName localhost
+       SSLEngine on
+       SSLCertificateFile /etc/pki/tls/certs/ihttpd.pem
+       SSLCertificateKeyFile /etc/pki/tls/private/ihttpd.pem
+       CustomLog "/run/ihttpd/log/https.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</VirtualHost>
+
+# Log section
+ErrorLog "/run/ihttpd/log/error.log"
+LogLevel warn
+
+<IfModule log_config_module>
+       CustomLog "/run/ihttpd/log/http.log" "%h %l %u %t \"%r\" %>s %b"
+</IfModule>
diff --git a/SOURCES/ihttpd.dracut b/SOURCES/ihttpd.dracut
new file mode 100644 (file)
index 0000000..abcafd1
--- /dev/null
@@ -0,0 +1,4 @@
+# Unomit mageia's omited network and systemd modules
+omit_dracutmodules=" network "
+# Force dhcp and net in initramfs
+#kernel_cmdline+=" ip=dhcp rd.neednet=1 "
diff --git a/SOURCES/ihttpd.module-setup b/SOURCES/ihttpd.module-setup
new file mode 100644 (file)
index 0000000..c5ba6d2
--- /dev/null
@@ -0,0 +1,203 @@
+#!/bin/bash
+
+# called by dracut
+check() {
+       local fs
+
+       # Fix tmpfiledir
+       #XXX: fix installation of /usr/lib/tmpfileS.d/{dracut-tmpfiles,systemd}.conf
+       #XXX: should be removed when bug 18642 (mageia) or 1343230 (fedora) will be fixed in /usr/bin/dracut +1262-1282
+       [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /usr/lib/tmpfiles.d ] && tmpfilesdir=/usr/lib/tmpfiles.d
+       [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /etc/tmpfiles.d ] && tmpfilesdir=/etc/tmpfiles.d
+       [ -z "$tmpfilesdir" -o ! -d "$tmpfilesdir" -a -d /lib/tmpfiles.d ] && tmpfilesdir=/lib/tmpfiles.d
+
+       # if cryptsetup is not installed, then we cannot support encrypted devices.
+       require_binaries cryptsetup || return 1
+
+       # if hostonly or mount_needs include if required by other module
+       # if one of fs types is crypto_LUKS include it
+       [[ $hostonly ]] || [[ $mount_needs ]] && {
+               for fs in "${host_fs_types[@]}"; do
+                       [[ $fs = "crypto_LUKS" ]] && return 0
+               done
+               return 255
+       }
+
+       return 0
+}
+
+# called by dracut
+depends() {
+       # depend on crypt for /etc/crypttab
+       # depend on systemd-networkd for ip=dhcp and rd.neednet=1
+       # depend on dracut-systemd for appending to $tmpfilesdir/dracut-tmpfiles.conf
+       echo crypt systemd-networkd dracut-systemd
+       return 0
+}
+
+# called by dracut
+cmdline() {
+       local fs
+       for fs in "${host_fs_types[@]}"; do
+               if [[ "$fs" == "crypto_LUKS" ]]; then
+                       printf "%s" " ip=dhcp rd.neednet=1"
+                       break
+               fi
+       done
+}
+
+# called by dracut
+install() {
+       local _ihttpdconf=$(cmdline)
+       local fs
+       [[ $_ihttpdconf ]] && printf "%s\n" "$_ihttpdconf" >> "${initdir}/etc/cmdline.d/99ihttpd.conf"
+
+       # Install cert dirs
+       inst_dir /etc/pki/tls/certs
+       inst_dir /etc/pki/tls/private
+       inst_dir /etc/systemd/network
+       inst_dir /var/www/html
+       inst_dir $systemdsystemunitdir/ihttpd.service.wants
+
+       # Install favicon
+       inst_simple -o /var/www/html/favicon.ico
+
+       # Install network
+       for nc in `ls /etc/systemd/network/`; do
+               inst_simple /etc/systemd/network/$nc
+       done
+
+       # Install index.bin
+       inst_simple /usr/lib/ihttpd/index.bin /var/www/html/index.bin
+
+       # Install reboot.bin
+       inst_simple /usr/lib/ihttpd/reboot.bin /var/www/html/reboot.bin
+
+       # Install all files
+       inst_multiple \
+               /etc/hosts \
+               /etc/mime.types \
+               /etc/localtime \
+               /etc/nsswitch.conf \
+               /etc/ihttpd.conf \
+               /etc/pki/tls/certs/ihttpd.pem \
+               /etc/pki/tls/private/ihttpd.pem \
+               $tmpfilesdir/ihttpd.conf \
+               $systemdsystemunitdir/ihttpd.path \
+               $systemdsystemunitdir/ihttpd.service \
+               $systemdsystemunitdir/systemd-networkd.service \
+               $systemdsystemunitdir/systemd-tmpfiles-setup.service \
+               '/usr/bin/false' \
+               '/usr/bin/reboot' \
+               /usr/sbin/ihttpd
+
+       # Install ihttpd.path
+       ln -fs ../ihttpd.path $initdir$systemdsystemunitdir/sysinit.target.wants/
+
+       # Install resolv.conf as resolved service
+       #TODO: change this to have a content or depend on systemd-resolved
+       if [ -L /etc/resolv.conf ]; then
+
+               # Install systemd-resolved
+               if [ `readlink /etc/resolv.conf` = '/run/systemd/resolve/resolv.conf' ]; then
+
+                       # Install resolv.conf as symlink
+                       ln -fs '/run/systemd/resolve/resolv.conf' $initdir/etc/resolv.conf
+
+                       # Install systemd-resolved
+                       inst_multiple \
+                               $systemdsystemunitdir/systemd-resolved.service \
+                               $systemdutildir/systemd-resolved \
+                               /etc/systemd/resolved.conf
+
+                       # Require systemd-resolve user and group for our ihttpd process
+                       `egrep -q '^systemd-resolve:' $initdir/etc/group` || egrep '^systemd-resolve:' /etc/group >> "$initdir/etc/group"
+                       `egrep -q '^systemd-resolve:' $initdir/etc/passwd` || egrep '^systemd-resolve:' /etc/passwd >> "$initdir/etc/passwd"
+
+                       # Install in ihttpd.service.wants
+                       ln -fs ../systemd-resolved.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+
+                       # Cleanup resolved.conf
+                       perl -pne 'undef $_ if /^(?:#.*|Domains=|FallbackDNS=|DNS=(?:127.0.0.1|::1)$|$)/;/^DNS=/ && $_ =~ s/(?:127.0.0.1|::1)[ \t]*//g' \
+                               -i "$initdir/etc/systemd/resolved.conf"
+
+                       # Cleanup systemd-resolved.service
+                       perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.resolve1\.busname)/' \
+                               -i "$initdir$systemdsystemunitdir/systemd-resolved.service"
+
+               # Try install the target file
+               else
+                       inst_simple /etc/resolv.conf
+               fi
+
+       # Install resolv.conf as file
+       elif [ -e /etc/resolv.conf ]; then
+
+               # Install resolv.conf as file
+               inst_simple /etc/resolv.conf
+
+               # Cleanup resolv.conf
+               #XXX: strip search, localhost and ipv6
+               perl -pne 'undef $_ if /^(?:#.*|search\s+|nameserver\s+127.0.0.1|nameserver\s+[^:\s]+:[^\s]+|$)/' \
+                       -i "$initdir/etc/resolv.conf"
+
+       # Touch resolv.conf file
+       else
+               # We did what we could
+               touch "$initdir/etc/resolv.conf"
+       fi
+
+       # Install ihttpd log
+       ln -fs ../../../run/ihttpd/log/{http,https,child.{askpassword,ihttpd},error}.log $initdir/var/www/html/
+
+       # Install in ihttpd.service.wants
+       ln -fs ../systemd-networkd.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+       ln -fs ../systemd-tmpfiles-setup.service $initdir$systemdsystemunitdir/ihttpd.service.wants/
+
+       # Include all ihttpd deps
+       inst_libdir_file \
+               "ld-linux-*.so.*" \
+               "libapr-1.so.*" \
+               "libaprutil-1.so.*" \
+               "libcrypto.so.*" \
+               "libcrypt.so.*" \
+               "libc.so.*" \
+               "libdb-*.so" \
+               "libdl.so.*" \
+               "libexpat.so.*" \
+               "libnsl.so.*" \
+               "libpcre.so.*" \
+               "libpthread.so.*" \
+               "libresolv.so.*" \
+               "librt.so.*" \
+               "libuuid.so.*" \
+               "libz.so.*" \
+               "libnss_files.so.*" \
+               "libnss_dns.so.*" \
+               "libnss_myhostname.so.*" \
+               {"tls/$_arch/",tls/,"$_arch/",}"libssl.so.*" 
+
+       # Cleanup nsswitch.conf
+       if [ -f "$initdir/etc/nsswitch.conf" ]; then
+               perl -pne 'undef $_ if /^(?:#|$)/;s/compat/files/;s/ ?(?:nis|wins|mdns4_minimal |mdns4)( )?/\1/g' \
+                       -i "$initdir/etc/nsswitch.conf"
+       fi
+
+       # Cleanup systemd-networkd.service
+       if [ -f "$initdir$systemdsystemunitdir/systemd-networkd.service" ]; then
+               perl -pne 'undef $_ if /^(?:#|(?:Wants|After)=org\.freedesktop\.network1\.busname)/;s/^After=(systemd-udevd.service )dbus.service network-pre.target systemd-sysusers.service /After=\1/' \
+                       -i "$initdir$systemdsystemunitdir/systemd-networkd.service"
+       fi
+
+       # Cleanup systemd-tmpfiles-setup.service
+       if [ -f "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service" ]; then
+               perl -pne 'undef $_ if /^#/;s/After=(.*) systemd-sysusers.service/After=\1/' \
+                       -i "$initdir$systemdsystemunitdir/systemd-tmpfiles-setup.service"
+       fi
+
+       #XXX: bug: fix /usr/lib/tmpfiles.d/{systemd,dracut-tmpfiles}.conf missing user and group
+       `egrep -q '^utmp:' $initdir/etc/group` || egrep '^utmp:' /etc/group >> "$initdir/etc/group"
+       # Require root user and group for our ihttpd process
+       `egrep -q '^root:' $initdir/etc/group` || egrep '^root:' /etc/group >> "$initdir/etc/group"
+       `egrep -q '^root:' $initdir/etc/passwd` || egrep '^root:' /etc/passwd >> "$initdir/etc/passwd"
+}
diff --git a/SOURCES/ihttpd.path b/SOURCES/ihttpd.path
new file mode 100644 (file)
index 0000000..a258268
--- /dev/null
@@ -0,0 +1,12 @@
+# Path unit starting ihttpd.service on password request
+[Unit]
+Description=The Apache IHTTP Server that will unlock crypttab device
+DefaultDependencies=no
+Conflicts=shutdown.target multi-user.target graphical.target
+After=plymouth-start.service
+Before=paths.target shutdown.target
+ConditionPathExists=!/run/plymouth/pid
+
+[Path]
+DirectoryNotEmpty=/run/systemd/ask-password
+MakeDirectory=yes
diff --git a/SOURCES/ihttpd.service b/SOURCES/ihttpd.service
new file mode 100644 (file)
index 0000000..9961633
--- /dev/null
@@ -0,0 +1,17 @@
+# Service unit starting ihttpd.service on password request
+[Unit]
+Description=Answer Password Requests from the Apache IHTTP Server
+DefaultDependencies=no
+Conflicts=shutdown.target multi-user.target graphical.target
+After=plymouth-start.service
+Before=paths.target shutdown.target
+ConditionPathExists=!/run/plymouth/pid
+
+[Service]
+Type=simple
+Environment=LANG=C
+ExecStart=/usr/sbin/ihttpd $OPTIONS -DFOREGROUND
+ExecReload=/usr/sbin/ihttpd $OPTIONS -k graceful
+KillSignal=SIGWINCH
+KillMode=mixed
+PIDFile=/run/ihttpd/ihttpd.pid
diff --git a/SOURCES/ihttpd.tmpfiles b/SOURCES/ihttpd.tmpfiles
new file mode 100644 (file)
index 0000000..b422ac9
--- /dev/null
@@ -0,0 +1,2 @@
+d /run/ihttpd   755 root root
+d /run/ihttpd/log   755 root root
diff --git a/SOURCES/index.bin.c b/SOURCES/index.bin.c
new file mode 100644 (file)
index 0000000..e6780a1
--- /dev/null
@@ -0,0 +1,1135 @@
+/**
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Written by Raphaël Gertz <rapsys@rapsys.eu>
+ */
+
+//Required for mkostemp, O_CLOEXEC, strdup, memmem
+#define _GNU_SOURCE
+
+//Required for SSIZE_MAX, LONG_MAX
+#include <limits.h>
+
+//Required for pid_t, kill, waitpid
+#include <sys/wait.h>
+#include <signal.h>
+
+//Required for printf, sscanf, sprintf
+#include <stdio.h>
+
+//Required for struct stat, fstat
+#include <sys/stat.h>
+
+//Required for closedir, DIR, opendir, readdir, struct dirent
+#include <dirent.h>
+
+//Required for close, dup2, execve, fork, read, STDERR_FILENO, STDOUT_FILENO, STDIN_FILENO, write
+#include <unistd.h>
+
+//Required for open, O_CLOEXEC, O_NOATIME, O_NOFOLLOW
+#include <fcntl.h>
+
+//Required for atoi, calloc, exit, EXIT_FAILURE, EXIT_SUCCESS, free, getenv, malloc, realloc
+#include <stdlib.h>
+
+//Required for memchr, memcpy, memmem, strdup, strlen, strncmp
+#include <string.h>
+
+//Required for bool
+#include <stdbool.h>
+
+//Required for nanosleep
+#include <time.h>
+
+//Default passphrase max size
+#define DEFAULT_PASSPHRASE_SIZE_MAX 512
+
+//Default keyfile max size
+//XXX: file should be maximum 8192*1024-1 character long
+#define DEFAULT_KEYFILE_SIZE_MAX (8192 * 1024)
+
+//Default crypttab
+#define CRYPTTAB "/etc/crypttab"
+
+//Default cryptsetup
+#define CRYPTSETUP "/sbin/cryptsetup"
+
+//Default pid file
+#define IHTTPDPID "/run/ihttpd/ihttpd.pid"
+
+//Default systemd ask-password dir
+#define ASKPASSWORDDIR "/run/systemd/ask-password"
+
+//Define child log
+#define ASKPASSWORDLOG "/run/ihttpd/log/child.askpassword.log"
+#define IHTTPDLOG "/run/ihttpd/log/child.ihttpd.log"
+
+//Create struct for http error status
+struct httpStatusStruct {
+       int value;
+       char *description;
+};
+
+//Declare http error status array
+const struct httpStatusStruct httpStatuses[] = {
+       {200, "OK"},
+       {400, "Bad Request"},
+       {405, "Method Not Allowed"},
+       {411, "Length Required"},
+       {500, "Internal Server Error"}
+};
+
+/**
+ * Prototype
+ */
+void die(const int, const char*);
+void header(const int, const char*);
+void showForm(const char*, const int, const int);
+int extractValue(char**, int*, char*, int);
+int extractLuksDevice(char**, char**);
+int extractIHttpdPid(pid_t *);
+int extractAskPasswordPid(pid_t *);
+
+/**
+ * Die with error
+ */
+void die(const int code, const char *err) {
+       //TODO: see if we add a nice text/html template ?
+       //Send content as text
+       header(code, "text/plain");
+       //Print error line if available
+       if (err != NULL)
+               printf("%s", err);
+       //Flush all
+       if (fflush(NULL) == -1) {
+               perror("fflush");
+       }
+       //Exit with failure code
+       exit(EXIT_FAILURE);
+}
+
+/**
+ * Send header
+ */
+void header(const int code, const char *ctype) {
+       int k;
+       switch(code) {
+               case 400:
+                       k = 1;
+                       break;
+               case 405:
+                       k = 2;
+                       break;
+               case 411:
+                       k = 3;
+                       break;
+               case 500:
+                       k = 4;
+                       break;
+               default:
+                       k = 0;
+       }
+       //Send http status
+       printf("Status: %d %s\r\n", httpStatuses[k].value, httpStatuses[k].description);
+       //Make sure no cache
+       printf("Cache-Control: no-cache, no-store, must-revalidate\r\n");
+       printf("Pragma: no-cache\r\n");
+       printf("Expires: 0\r\n");
+       printf("X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noodp\r\n");
+       printf("Content-type: %s\r\n\r\n", ctype);
+}
+
+/**
+ * Show form
+ */
+void showForm(const char *requestUri, const int keyfileSizeMax, const int passphraseSizeMax) {
+       header(200, "text/html");
+       printf("<!DOCTYPE HTML>\r\n");
+       printf("<html>\r\n");
+       printf("<head><title>Key upload form</title></head>\r\n");
+       printf("<body>\r\n");
+       printf("<div id=\"wrapper\">\r\n");
+       printf("<form enctype=\"multipart/form-data\" action=\"%s\" method=\"post\"><fieldset><legend>Upload key</legend><label for=\"file\"></label><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"%d\" /><input id=\"file\" type=\"file\" name=\"key\" /><input type=\"submit\" value=\"Send\" /></fieldset></form>\r\n", requestUri, keyfileSizeMax);
+       printf("<form action=\"%s\" method=\"post\"><fieldset><legend>Type key</legend><label for=\"password\"></label><input id=\"password\" type=\"password\" name=\"key\" maxlength=\"%d\" /><input type=\"submit\" value=\"Send\" /></fieldset></form>\r\n", requestUri, passphraseSizeMax);
+       printf("</div>\r\n");
+       printf("</body>\r\n");
+       printf("</html>\r\n");
+}
+
+/**
+ * Extract value
+ */
+int extractValue(char **value, int *valueLength, char *contentType, int contentLength) {
+       //Handle application/x-www-form-urlencoded request
+       if (contentType != NULL && !strncmp(contentType, "application/x-www-form-urlencoded", 33)) {
+               //Indexes and return
+               int i, k, v, r;
+               //Declare key and buf
+               char *key, *buf;
+               //Allocate key
+               if ((key = malloc(4*sizeof(char))) == NULL) {
+                       //Unable to allocate key
+                       return -1;
+               }
+               //Allocate buf to maximum possible value size + 1 for trailing \0
+               if ((buf = calloc(1, (DEFAULT_PASSPHRASE_SIZE_MAX+1)*sizeof(char))) == NULL) {
+                       //Unable to allocate value
+                       free(key);
+                       return -2;
+               }
+               //Char buffer
+               char d = '\0';
+               //Char delimiter
+               //XXX: initialised as & for new key, becomes = when fetching value
+               char delim = '&';
+               for (i = 0, k = 0, v = 0; i < contentLength; i++) {
+                       //Safeguard against a value greater than DEFAULT_PASSPHRASE_SIZE_MAX
+                       //XXX: this should never happen because we should be protected by contentLength already
+                       if (v == DEFAULT_PASSPHRASE_SIZE_MAX+1) {
+                               //Invalid value
+                               free(key);
+                               free(buf);
+                               return -3;
+                       }
+                       //Read one character from stdin
+                       r = read(STDIN_FILENO, &d, 1);
+                       //Handle errors
+                       if (r < 0) {
+                               //Error while parsing post data
+                               free(key);
+                               free(buf);
+                               return -4;
+                       } else if (r == 0) {
+                               //Partial receive
+                               free(key);
+                               free(buf);
+                               return -5;
+                       }
+                       //Handle case where key has an other name
+                       if (i == 3) {
+                               //Check key is "key" and we get '=' as new char and assign delim to =
+                               if (strncmp(key, "key", 3) || (delim = d) != '=') {
+                                       //Invalid key
+                                       free(key);
+                                       free(buf);
+                                       return -6;
+                               }
+                       //Handle key or value separator in query string
+                       } else if (d == '&' || d == '=') {
+                               //Invalid query string
+                               free(key);
+                               free(buf);
+                               return -7;
+                       //Handle a value
+                       } else {
+                               //Save key char
+                               if (delim == '&') {
+                                       key[k] = d;
+                                       k++;
+                               //Save buf char
+                               } else {
+                                       buf[v] = d;
+                                       v++;
+                               }
+                       }
+               }
+               //Free key
+               free(key);
+               //Unescape and reduce value if not empty
+               if (v > 0) {
+                       //Declare iterators
+                       int l,m, s = v;
+                       //Loop on value and reduce length on the fly
+                       for(l=0,m=0; m < v; l++,m++) {
+                               //Replace + with space
+                               if (buf[m] == '+') {
+                                       buf[l] = ' ';
+                               //Skip partial present %XX
+                               } else if (
+                                       //Assign char
+                                       (buf[l] = buf[m]) == '%' &&
+                                       //Check we didn't reach valueStrLength
+                                       (m+2 < v) &&
+                                       //Check next two digits are valid
+                                       ((buf[m+1] >= 'A' && buf[m+1] <= 'F') || (buf[m+1] >= 'a' && buf[m+1] <= 'f') || (buf[m+1] >= '0' && buf[m+1] <= '9')) &&
+                                       ((buf[m+2] >= 'A' && buf[m+2] <= 'F') || (buf[m+2] >= 'a' && buf[m+2] <= 'f') || (buf[m+2] >= '0' && buf[m+2] <= '9'))
+                               ) {
+                                       buf[l] = (buf[m+1] >= 'A' ? (buf[m+1] & 0xdf) - 'A' + 10 : buf[m+1] - '0') * 16 + (buf[m+2] >= 'A' ? (buf[m+2] & 0xdf) - 'A' + 10 : buf[m+2] - '0');
+                                       m += 2;
+                                       s -= 2;
+                               }
+                       }
+                       //Set value length
+                       *valueLength = s;
+                       //Alloc value
+                       if ((*value = malloc((*valueLength)*sizeof(char))) == NULL) {
+                               //Unable to alloc value
+                               free(key);
+                               free(buf);
+                               return -8;
+                       }
+                       //Copy value
+                       memcpy(*value, buf, *valueLength);
+               }
+               //Free buf
+               free(buf);
+       //Handle multipart/form-data request
+       } else if (contentType != NULL && !strncmp(contentType, "multipart/form-data", 19)) {
+               //Indexes and return
+               int b, s, r;
+               //Boundary length
+               int boundaryLength = strlen(contentType) - 30 + 1;
+               //Client send LF ending without CR
+               int lfstyle = 0;
+               //Declare boundary
+               char *boundary;
+               //Allocate boundary
+               if ((boundary = calloc(1, boundaryLength*sizeof(char))) == NULL) {
+                       //Unable to allocate boundary
+                       return -9;
+               }
+               //Extract boundary
+               memcpy(boundary, contentType + 30, boundaryLength - 1);
+
+               //Declare buffers
+               char *start, *buf;
+               //Allocate buffer
+               if ((buf = malloc(contentLength*sizeof(char))) == NULL) {
+                       //Unable to allocate buffer
+                       free(boundary);
+                       return -10;
+               }
+               //Char buffer
+               char d = '\0';
+
+               //Loop
+               for (b = 0, s = 0; b < contentLength; b++) {
+                       //Detect possible boundary
+                       //XXX: b is boundaryLength-1 + 2 after s
+                       //XXX: d will be a CR(CRLF line ending) or LF(LF line ending) or -(of final --)
+                       if (b == s + 2 + boundaryLength - 1 && !strncmp(boundary, buf + b - boundaryLength + 1, boundaryLength - 1)) {
+                               //Only after first boundary match
+                               if (s > 0) {
+                                       //Trim line jump
+                                       if (start[0] == '\r' && start[1] == '\n') {
+                                               start += 2;
+                                               lfstyle = 1;
+                                       } else if (start[0] == '\n') {
+                                               start++;
+                                       }
+                                       //Found flag
+                                       bool found = false;
+                                       //Allocate pointers
+                                       char *new = start, *prev = start, *name = NULL;
+                                       //Search for a new line
+                                       while ((new = memchr(new, '\n', b - (new - buf)))) {
+                                               //Jump to first character after new line
+                                               new++;
+                                               //Init line length
+                                               int lineLength = new - prev - 1;
+                                               //Remove chariage return if necessary
+                                               if (prev[lineLength] == '\r') {
+                                                       lineLength--;
+                                                       lfstyle = 1;
+                                               }
+                                               //Break loop after headers end
+                                               if (lineLength == 1) {
+                                                       break;
+                                               }
+                                               //Allocate a name buf of maximum line length
+                                               //XXX: need to be filled with zero as we don't know what will comes with sscanf call and we rely on strlen
+                                               if ((name = calloc(1, lineLength*sizeof(char))) == NULL) {
+                                                       //Unable to allocate name
+                                                       free(boundary);
+                                                       free(buf);
+                                                       return -11;
+                                               }
+                                               //Search for name
+                                               if (sscanf(prev, "Content-Disposition: form-data; name=\"%[^\"]\"", name)) {
+                                                       //Realloc name
+                                                       if ((name = realloc(name, (strlen(name)+1)*sizeof(char))) == NULL) {
+                                                               //Unable to reduce name
+                                                               free(boundary);
+                                                               free(buf);
+                                                               free(name);
+                                                               return -12;
+                                                       }
+                                                       if (!strncmp(name, "key", 3)) {
+                                                               found = true;
+                                                       }
+                                               }
+                                               //Free name
+                                               free(name);
+                                               //Jump to next one
+                                               prev = new;
+                                       }
+                                       //Init value if found
+                                       if (found) {
+                                               //Declare end
+                                               char *end = buf + b - boundaryLength - 3;
+                                               //Remove CR at end if provided
+                                               //XXX: only remove CR at end if we encountered one before
+                                               if (lfstyle) {
+                                                       end++;
+                                               }
+                                               //On too big keyfile
+                                               if (end - new - 1 >= DEFAULT_KEYFILE_SIZE_MAX) {
+                                                       //Keyfile too large
+                                                       free(boundary);
+                                                       free(buf);
+                                                       return -13;
+                                               }
+                                               //On non empty value
+                                               if (end - new > 1) {
+                                                       //Set value length
+                                                       *valueLength = end - new - 1;
+                                                       //Allocate value
+                                                       if ((*value = malloc((*valueLength)*sizeof(char))) == NULL) {
+                                                               //Unable to allocate value
+                                                               free(boundary);
+                                                               free(buf);
+                                                               return -14;
+                                                       }
+                                                       //Copy value
+                                                       memcpy(*value, new, *valueLength);
+                                               }
+                                       }
+                               }
+                               //Set start to matched boundary
+                               start = buf + b;
+                       }
+                       //Read one character from stdin
+                       r = read(STDIN_FILENO, &d, 1);
+                       //Handle errors
+                       if (r < 0) {
+                               //Error while parsing post data
+                               free(boundary);
+                               free(buf);
+                               return -15;
+                       } else if (r == 0) {
+                               //Partial receive
+                               free(boundary);
+                               free(buf);
+                               return -16;
+                       }
+                       //New line case
+                       if (d == '\n') {
+                               //Store new possible boundary start
+                               s = b + 1;
+                       }
+                       buf[b] = d;
+               }
+
+               //Free buffers
+               free(boundary);
+               free(buf);
+       //Unhandled request
+       } else {
+               return -17;
+       }
+
+       //Send value
+       return 0;
+}
+
+/**
+ * Extract luks and device
+ */
+int extractLuksDevice(char **luks, char **device) {
+       //Declare file descriptor
+       int fd, bufLength;
+       //Declare buf, device and luks pointer
+       char *buf, *d, *l;
+       //Declare stat struct
+       struct stat *stats;
+       //Open file
+       if ((fd = open(CRYPTTAB, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+               //Can't open crypttab file
+               return -1;
+       }
+       //Allocate stats
+       if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+               //Unable to allocate stats
+               return -2;
+       }
+       //Stat file
+       if (fstat(fd, stats) == -1) {
+               //Can't stat crypttab
+               return -3;
+       }
+       //Check file size
+       if ((bufLength = stats->st_size) > SSIZE_MAX) {
+               //Crypttab too big
+               return -4;
+       }
+       //Allocate buf
+       if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+               //Unable to allocate buf
+               return -5;
+       }
+       //Read file
+       if ((read(fd, buf, bufLength)) < bufLength) {
+               //Fail to read crypttab file
+               return -6;
+       }
+       //Close file
+       close(fd);
+       //Free stats buffer
+       free(stats);
+
+       //Search first separator (\s|\t) after luks
+       if ((l = memchr(buf, ' ', bufLength)) == NULL && (l = memchr(buf, '     ', bufLength)) == NULL) {
+               return -7;
+       }
+       //Jump to next char
+       l++;
+       //Search first separator (\s|\t) after device
+       if ((d = memchr(l, ' ', bufLength - (l - buf))) == NULL && (d = memchr(l, '     ', bufLength - (l - buf))) == NULL && (d = memchr(l, '\n', bufLength - (l - buf))) == NULL) {
+               return -8;
+       }
+       //Jump to next char
+       d++;
+
+       //Alloc luks
+       if ((*luks = malloc((l - buf - 1)*sizeof(char))) == NULL) {
+               return -9;
+       }
+       //Allocate device
+       if ((*device = malloc((d  - l - 1)*sizeof(char))) == NULL) {
+               //Free and reset luks
+               free(luks);
+               luks=NULL;
+               return -10;
+       }
+
+       //Copy luks
+       memcpy(*luks, buf, l  - buf - 1);
+       //Terminate luks
+       (*luks)[l - buf - 1] = '\0';
+
+       //Copy device
+       memcpy(*device, l, d  - l - 1);
+       //Terminate device
+       (*device)[d - l - 1] = '\0';
+
+       //Free buffer
+       free(buf);
+
+       //Success
+       return 0;
+}
+
+/**
+ * Extract ask-password pid
+ */
+int extractAskPasswordPid(pid_t *pid) {
+       //Declare stuct dirent
+       struct dirent *entry;
+       //Declare askdir
+       DIR *askdir;
+       //Declare found
+       int found = 0;
+
+       //Allocate dirent struct
+       if ((entry = calloc(1, sizeof(struct dirent))) == NULL) {
+               //Unable to allocate entry
+               return -1;
+       }
+
+       //Open systemd ask-password dir
+       if ((askdir = opendir(ASKPASSWORDDIR)) == NULL) {
+               //Can't open ask dir
+               return -2;
+       }
+
+       //Change dir
+       if (chdir(ASKPASSWORDDIR) == -1) {
+               //Can't change to ask dir
+               return -3;
+       }
+
+       //Loop on dir content
+       while((entry = readdir(askdir))) {
+               //Handle each ask.XXXXXX file
+               if (!strncmp(entry->d_name, "ask.", 4) && strlen(entry->d_name) == 10) {
+                       //Declare file descriptor
+                       int fd, bufLength;
+                       //Declare buf
+                       char *buf;
+                       //Declare stat struct
+                       struct stat *stats;
+                       //Open file
+                       if ((fd = open(entry->d_name, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+                               //Can't open ask file
+                               return -4;
+                       }
+                       //Allocate stats
+                       if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+                               //Unable to allocate stats
+                               return -5;
+                       }
+                       //Stat file
+                       if (fstat(fd, stats) == -1) {
+                               //Can't stat ask file
+                               return -6;
+                       }
+                       //Check file size
+                       if ((bufLength = stats->st_size) > SSIZE_MAX) {
+                               //Ask file too big
+                               return -7;
+                       }
+                       //Allocate buf
+                       if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+                               //Unable to allocate buf
+                               return -8;
+                       }
+                       //Read file
+                       if ((read(fd, buf, bufLength)) < bufLength) {
+                               //Fail to read ask file
+                               return -9;
+                       }
+                       //Close file
+                       close(fd);
+                       //Free stats buffer
+                       free(stats);
+
+                       //Allocate pointers
+                       char *nl = buf, *pl = buf, *e;
+                       //Allocate pid
+                       *pid = 0;
+
+                       //Search for a new line
+                       while ((nl = memmem(nl, bufLength - (nl - buf), "\n", strlen("\n")))) {
+                               //Jump to next char
+                               nl++;
+
+                               //Check if we have a = in line but not empty value ("=\n")
+                               if ((e = memmem(pl, bufLength - (pl - buf), "=", strlen("="))) && e < nl - 2) {
+                                       //Jump to next char
+                                       e++;
+                                       //Look for PID
+                                       if (!strncmp(pl, "PID", 3)) {
+                                               //Declade pid string
+                                               char *pidStr;
+                                               //Allocate pid string
+                                               if ((pidStr = malloc((nl - e)*sizeof(char))) == NULL) {
+                                                       //Unable to allocate pid string
+                                                       return -10;
+                                               }
+                                               //Copy pid
+                                               memcpy(pidStr, e, nl - e - 1);
+                                               //Terminate pid string
+                                               pidStr[nl - e] = '\0';
+                                               //Check pid value
+                                               if ((*pid = atoi(pidStr)) <= 1) {
+                                                       //Invalid pid
+                                                       return -11;
+                                               }
+                                               //Free pid string
+                                               free(pidStr);
+                                               //Found a valid process
+                                               found++;
+                                       }
+                               }
+
+                               //Jump prev line to new line
+                               pl = nl;
+                       }
+
+                       //Free buffers
+                       free(buf);
+               }
+       }
+
+       //Close systemd ask-password dir
+       if (closedir(askdir) == -1) {
+               //Can't close ask dir
+               return -13;
+       }
+
+       //Free entry
+       free(entry);
+
+       //Found no valid pid
+       if (found == 0) {
+               //No pid found
+               return -14;
+       //Found more than one pid
+       } else if (found > 1) {
+               //No pid found
+               return -15;
+       }
+
+       //Success
+       return 0;
+}
+
+/**
+ * Extract ihttpd pid
+ */
+int extractIHttpdPid(pid_t *pid) {
+       //Declare file descriptor
+       int fd, bufLength;
+       //Declare buf, device and luks pointer
+       char *buf, *l, *pidStr;
+       //Declare stat struct
+       struct stat *stats;
+       //Open file
+       if ((fd = open(IHTTPDPID, O_RDONLY|O_NOATIME|O_NOFOLLOW|O_CLOEXEC)) == -1) {
+               //Can't open crypttab file
+               return -1;
+       }
+       //Allocate stats
+       if ((stats = calloc(1, sizeof(struct stat))) == NULL) {
+               //Unable to allocate stats
+               return -2;
+       }
+       //Stat file
+       if (fstat(fd, stats) == -1) {
+               //Can't stat crypttab
+               return -3;
+       }
+       //Check file size
+       if ((bufLength = stats->st_size) > SSIZE_MAX) {
+               //Crypttab too big
+               return -4;
+       }
+       //Allocate buf
+       if ((buf = malloc(bufLength*sizeof(char))) == NULL) {
+               //Unable to allocate buf
+               return -5;
+       }
+       //Read file
+       if ((read(fd, buf, bufLength)) < bufLength) {
+               //Fail to read crypttab file
+               return -6;
+       }
+       //Close file
+       close(fd);
+       //Free stats buffer
+       free(stats);
+
+       //Search first separator (\s|\t|\n) after pid
+       if ((l = memchr(buf, ' ', bufLength)) == NULL && (l = memchr(buf, '     ', bufLength)) == NULL && (l = memchr(buf, '\n', bufLength)) == NULL) {
+               return -7;
+       }
+       //Jump to next char
+       l++;
+
+       //Alloc pid string
+       if ((pidStr = malloc((l - buf - 1)*sizeof(char))) == NULL) {
+               return -9;
+       }
+
+       //Copy luks
+       memcpy(pidStr, buf, l  - buf - 1);
+       //Terminate luks
+       pidStr[l - buf - 1] = '\0';
+
+       //Free buffer
+       free(buf);
+
+       //Store pid
+       if ((*pid = atoi(pidStr)) <= 1) {
+               //Invalid pid
+               return -10;
+       }
+
+       //Free pid string
+       free(pidStr);
+
+       //Success
+       return 0;
+}
+
+/**
+ * Main function
+ */
+int main(int argc, char **argv) {
+
+       //Get request method
+       char *requestMethod = getenv("REQUEST_METHOD");
+
+       //Handle unknown requests
+       if (requestMethod == NULL || (strncmp(requestMethod, "GET", 3) && strncmp(requestMethod, "HEAD", 4) && strncmp(requestMethod, "POST", 4))) {
+               //Send method not allowed
+               die(405, "Unsupported request method");
+       //Handle get and head
+       } else if (!strncmp(requestMethod, "GET", 3) || !strncmp(requestMethod, "HEAD", 4)) {
+               //Send form
+               showForm(getenv("REQUEST_URI")?getenv("REQUEST_URI"):"/", DEFAULT_KEYFILE_SIZE_MAX, DEFAULT_PASSPHRASE_SIZE_MAX);
+       //Handle post
+       } else /*if (!strncmp(requestMethod, "POST", 4))*/ {
+               //Return value
+               int ret;
+
+               //Child pid
+               pid_t pid;
+
+               //Value length
+               //XXX: will contain number of char in value without trailing \0
+               int valueLength;
+               //Value string
+               //XXX: will contain value without a tailing \0
+               char *value = NULL;
+
+               //Content length
+               int contentLength;
+               //Content length string from env
+               char *contentLengthStr = getenv("CONTENT_LENGTH");
+               //Content type
+               char *contentType = getenv("CONTENT_TYPE");
+
+               //Declare luks and device
+               char *luks = NULL, *device = NULL;
+
+               //Pairs of pipe for stdin, stdout and stderr
+               int inPipe[2], errPipe[2];
+
+               //Handle unknown content type
+               if (contentType == NULL || (strncmp(contentType, "application/x-www-form-urlencoded", 33) && strncmp(contentType, "multipart/form-data", 19))) {
+                       die(400, "Unknown content type");
+               }
+
+               //Handle invalid multipart/form-data content type
+               //XXX: max boundary length is 70 as per rfc1521 & rfc2046
+               if (!strncmp(contentType, "multipart/form-data", 19) && (strncmp(contentType, "multipart/form-data; boundary=", 30) || strlen(contentType) <= 30 || strlen(contentType) > 100)) {
+                       die(400, "Malformed boundary in multipart/form-data request");
+               }
+
+               //Handle invalid content length
+               //XXX: deny empty contentLength as chrome send a contentLength even for a device
+               if (contentLengthStr == NULL || (contentLength = atoi(contentLengthStr)) <= 0) {
+                       die(411, "Invalid content length");
+               }
+
+               //Handle application/x-www-form-urlencoded request length
+               //XXX: limit to key=xyz where xyz can be all encoded in %XX
+               if (!strncmp(contentType, "application/x-www-form-urlencoded", 33) && contentLength > (DEFAULT_PASSPHRASE_SIZE_MAX * 3 + 4)) {
+                       die(400, "Invalid application/x-www-form-urlencoded request length");
+               }
+
+               //Handle multipart/form-data request length
+               //XXX: limit to arbitrary 3 times the keyfile max size
+               if (!strncmp(contentType, "multipart/form-data", 19) && contentLength > (DEFAULT_KEYFILE_SIZE_MAX * 3)) {
+                       die(400, "Invalid multipart/form-data request length");
+               }
+
+               //Extract value
+               if ((ret = extractValue(&value, &valueLength, contentType, contentLength)) < 0) {
+                       die(500, "Failed to extract value");
+               }
+
+
+               //Extract luks and device
+               if ((ret = extractLuksDevice(&luks, &device)) < 0) {
+                       die(500, "Failed to extract luks and device");
+               }
+
+               //Create stdin pipe
+               if (pipe(inPipe) == -1) {
+                       die(500, "Failed to create in pipe");
+               }
+
+               //Create stderr pipe
+               if (pipe(errPipe) == -1) {
+                       die(500, "Failed to create err pipe");
+               }
+
+               //Fork process
+               if ((pid = fork()) == -1) {
+                       die(500, "Failed to fork");
+               }
+
+               //Child process
+               if (pid == 0) {
+                       //Child argv
+                       char *cargv[] = { CRYPTSETUP, "-d", "-", "luksOpen", device, luks, NULL };
+                       char *carge[] = { NULL };
+                       //Free value
+                       free(value);
+                       //Redirect stdin to pipe
+                       if (dup2(inPipe[0], STDIN_FILENO) == -1) {
+                               die(500, "Failed to redirect in pipe");
+                       }
+                       //Close inPipe
+                       close(inPipe[0]);
+                       close(inPipe[1]);
+                       //Redirect stderr to pipe
+                       if (dup2(errPipe[1], STDERR_FILENO) == -1) {
+                               die(500, "Failed to redirect err pipe");
+                       }
+                       //Close errPipe
+                       close(errPipe[0]);
+                       close(errPipe[1]);
+                       //Call cryptsetup
+                       if (execve(CRYPTSETUP, cargv, carge) == -1) {
+                               die(500, "Failed to call cryptsetup");
+                       }
+               //Parent process
+               } else {
+                       //Free luks
+                       free(luks);
+                       //Free device
+                       free(device);
+
+                       //Close unused inPipe end
+                       close(inPipe[0]);
+                       //Close unused errPipe end
+                       close(errPipe[1]);
+
+                       //Send password on stdin anyway
+                       //XXX: this fail if device is already unlocked for example
+                       write(inPipe[1], value, valueLength);
+
+                       //Free value
+                       free(value);
+
+                       //Close stdin with EOF
+                       close(inPipe[1]);
+
+                       //Wait child
+                       if (waitpid(pid, &ret, 0) == -1) {
+                               die(500, "Failed to wait child");
+                       }
+
+                       //Handle already unlocked device
+                       if (ret == 1280) {
+                               die(200, "Device already unlocked");
+                       //Handle already in use device
+                       } else if (ret == 5) {
+                               die(500, "Device already in use");
+                       //Handle invalid luks device
+                       } else if (ret == 256) {
+                               die(500, "Device is now a valid device");
+                       //Handle no key available with this passphrase
+                       } else if (ret == 512) {
+                               die(500, "No slot for this value");
+                       //Handle unexisting device or permission denied
+                       } else if (ret == 1014) {
+                               die(500, "Device doesn't exist or access denied");
+                       //Unknown error
+                       } else if (ret != 0) {
+                               //Err length and counter
+                               int errLength = 2048, e = 0;
+                               //Declare err buffer
+                               char *err;
+                               //Buffer char
+                               char c;
+                               //Alloc err buffer
+                               if ((err = malloc(errLength*sizeof(char))) == NULL) {
+                                       die(500, "Couldn't alloc err buffer");
+                               }
+                               //Advance after ret code
+                               e = sprintf(err, "%d:", ret);
+                               //Fetch stderr and store in err buffer
+                               while(read(errPipe[0], &c, 1) > 0) {
+                                       //Grow buffer if we reach end
+                                       if (e == errLength) {
+                                               if ((err = realloc(err, (errLength+2048)*sizeof(char))) == NULL) {
+                                                       die(500, "Couldn't grow err buffer");
+                                               }
+                                               errLength += 2048;
+                                       }
+                                       //Store character
+                                       err[e] = c;
+                                       //Pass to next
+                                       e++;
+                               }
+                               //Terminate err buffer
+                               err[e] = '\0';
+                               //Realloc err buffer
+                               if ((err = realloc(err, (e+1)*sizeof(char))) == NULL) {
+                                       die(500, "Couldn't ungrow err buffer");
+                               }
+                               //Die with luks error
+                               die(500, err);
+                       }
+                       //Close errPipe
+                       close(errPipe[0]);
+               }
+
+               //Fork process
+               if ((pid = fork()) == -1) {
+                       die(500, "Failed to fork");
+               }
+
+               //IHttpd killing child process
+               if (pid == 0) {
+                       //File descriptor
+                       int fd;
+
+                       //Declare ihttpd pid
+                       pid_t ihttpdPid;
+
+                       //Close stdin
+                       close(STDIN_FILENO);
+
+                       //Disable line buffering on stdout and stderr
+                       setvbuf(stdout, NULL, _IONBF, 0);
+                       setvbuf(stderr, NULL, _IONBF, 0);
+
+                       //Redirect output to log
+                       if ((fd = open(IHTTPDLOG, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR)) == -1) {
+                               fprintf(stderr, "Open ihttpd child log failed\n");
+                       } else {
+                               //Close stdout
+                               close(STDOUT_FILENO);
+                               //Redirect stdout on childlog
+                               if (dup2(fd, STDOUT_FILENO) == -1) {
+                                       fprintf(stderr, "Redirect stdout to ihttpd child log failed\n");
+                               }
+                               //Close stderr
+                               close(STDERR_FILENO);
+                               //Redirect stderr on childlog
+                               if (dup2(fd, STDERR_FILENO) == -1) {
+                                       fprintf(stderr, "Redirect stderr to ihttpd child log failed\n");
+                               }
+                               //Close childlog fd
+                               close(fd);
+                       }
+
+                       //Extract ihttpd pid
+                       if (extractIHttpdPid(&ihttpdPid) < 0) {
+                               fprintf(stderr, "Failed to extract ihttpd pid");
+                               exit(EXIT_FAILURE);
+                       }
+
+                       //Close stdout and stderr without childlog
+                       if (fd == -1) {
+                               close(STDOUT_FILENO);
+                               close(STDERR_FILENO);
+                       }
+
+                       //Wait until get rattached to init(getppid()==1)
+                       //XXX: we are really blind here
+                       while(getppid() != 1) {
+                               //Sleep half a second
+                               if (usleep(500000) == -1 && fd != -1) {
+                                       printf("Usleep failed\n");
+                               }
+                       }
+
+                       //Termiate ihttpd
+                       if (kill(ihttpdPid, 0) == 0 && kill(ihttpdPid, SIGTERM) == -1 && fd != -1) {
+                               printf("Termiate ihttpd failed\n");
+                       }
+
+                       //Sleep half a second
+                       if (usleep(500000) == -1 && fd != -1) {
+                               printf("Usleep failed\n");
+                       }
+
+                       //Kill ihttpd
+                       if (kill(ihttpdPid, 0) == 0 && kill(ihttpdPid, SIGKILL) == -1) {
+                               printf("Kill ihttpd failed\n");
+                       }
+
+               //Parent process
+               } else {
+
+                       //Fork process
+                       if ((pid = fork()) == -1) {
+                               die(500, "Failed to fork");
+                       }
+
+                       //Ask password killing child process
+                       //XXX: we are blind here
+                       if (pid == 0) {
+                               //File descriptor
+                               int fd;
+
+                               //Declare ask password pid
+                               pid_t askPasswordPid;
+
+                               //Close stdin
+                               close(STDIN_FILENO);
+
+                               //Disable line buffering on stdout and stderr
+                               setvbuf(stdout, NULL, _IONBF, 0);
+                               setvbuf(stderr, NULL, _IONBF, 0);
+
+                               //Redirect output to log
+                               if ((fd = open(ASKPASSWORDLOG, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR)) == -1) {
+                                       fprintf(stderr, "Open ask password child log failed\n");
+                               } else {
+                                       //Close stdout
+                                       close(STDOUT_FILENO);
+                                       //Redirect stdout on childlog
+                                       if (dup2(fd, STDOUT_FILENO) == -1) {
+                                               fprintf(stderr, "Redirect stdout to ask password child log failed\n");
+                                       }
+                                       //Close stderr
+                                       close(STDERR_FILENO);
+                                       //Redirect stderr on childlog
+                                       if (dup2(fd, STDERR_FILENO) == -1) {
+                                               fprintf(stderr, "Redirect stderr to ask password child log failed\n");
+                                       }
+                                       //Close childlog fd
+                                       close(fd);
+                               }
+
+                               //Extract ask password pid
+                               if (extractAskPasswordPid(&askPasswordPid) < 0) {
+                                       fprintf(stderr, "Failed to extract ask password pid");
+                                       exit(EXIT_FAILURE);
+                               }
+
+                               //Close stdout and stderr without childlog
+                               if (fd == -1) {
+                                       close(STDOUT_FILENO);
+                                       close(STDERR_FILENO);
+                               }
+
+                               //Wait until get rattached to init(getppid()==1)
+                               //XXX: we are really blind here
+                               while(getppid() != 1) {
+                                       //Sleep half a second
+                                       if (usleep(500000) == -1 && fd != -1) {
+                                               printf("Usleep failed\n");
+                                       }
+                               }
+
+                               //Termitate ask password
+                               if (kill(askPasswordPid, 0) == 0 && kill(askPasswordPid, SIGTERM) == -1 && fd != -1) {
+                                       printf("Termiate ask password failed\n");
+                               }
+
+
+                               //Sleep half a second
+                               if (usleep(500000) == -1 && fd != -1) {
+                                       printf("Usleep failed\n");
+                               }
+
+                               //Kill ask password
+                               if (kill(askPasswordPid, 0) == 0 && kill(askPasswordPid, SIGKILL) == -1) {
+                                       printf("Kill ask password failed\n");
+                               }
+
+                       //Parent process
+                       } else {
+
+                               //Process success
+                               header(200, "text/plain");
+                               printf("Sent value, boot should resume now");
+                               fflush(NULL);
+
+                       }
+
+               }
+
+       }
+
+       exit(EXIT_SUCCESS);
+}
diff --git a/SOURCES/reboot.sh b/SOURCES/reboot.sh
new file mode 100644 (file)
index 0000000..5184469
--- /dev/null
@@ -0,0 +1,2 @@
+#! /bin/sh
+/usr/bin/reboot -f -i -h
diff --git a/SPECS/ihttpd.spec b/SPECS/ihttpd.spec
new file mode 100644 (file)
index 0000000..8de2616
--- /dev/null
@@ -0,0 +1,223 @@
+%define contentdir %{_datadir}/httpd
+%define docroot /var/www
+
+%{?!maxmodules:%global maxmodules 128}
+%{?!serverlimit:%global serverlimit 1024}
+
+Name:          ihttpd
+Version:       2.4.20
+Release:       %mkrel 1
+Summary:       The most widely used Web server on the Internet
+License:       Apache License
+Group:         System/Servers
+URL:           http://httpd.apache.org/
+Source0:       http://www.apache.org/dist/httpd/httpd-%version.tar.bz2
+Source1:       index.bin.c
+Source2:       reboot.sh
+Source14:      ihttpd.tmpfiles
+Source15:      ihttpd.service
+Source17:      ihttpd.path
+Source18:      ihttpd.dracut
+Source19:      ihttpd.module-setup
+Source20:      ihttpd.conf
+# build/scripts patches
+Patch1:                httpd-2.4.1-apctl.patch
+Patch2:                httpd-2.4.9-apxs.patch
+Patch3:                httpd-2.4.1-deplibs.patch
+Patch5:                ihttpd-2.4.20-layout.patch
+Patch6:                httpd-2.4.3-apctl-systemd.patch
+Patch7:                httpd-2.4.10-detect-systemd.patch
+# Features/functional changes
+Patch20:       httpd-2.4.3-release.patch
+Patch23:       httpd-2.4.4-export.patch
+Patch24:       httpd-2.4.1-corelimit.patch
+Patch26:       httpd-2.4.4-r1337344+.patch
+Patch27:       httpd-2.4.2-icons.patch
+Patch28:       httpd-2.4.4-r1332643+.patch
+Patch30:       httpd-2.4.4-cachehardmax.patch
+Patch31:       httpd-2.4.18-sslmultiproxy.patch
+Patch34:       httpd-2.4.17-socket-activation.patch
+Patch35:       httpd-2.4.17-sslciphdefault.patch
+# Bug fixes
+Patch55:       httpd-2.4.4-malformed-host.patch
+Patch56:       httpd-2.4.4-mod_unique_id.patch
+Patch57:       httpd-2.4.10-sigint.patch
+
+# For /var/www/html
+Requires:      webserver-base
+# For /etc/mime.types
+Requires:      mailcap
+
+Requires(post):        systemd >= %{systemd_required_version}
+Requires(post):        rpm-helper >= 0.24.8-1
+Requires(post):        openssl makedev
+Requires(preun):       rpm-helper >= 0.24.8-1
+
+%description
+This package contains the main binary of apache, a powerful, full-featured,
+efficient and freely-available Web server. Apache is also the most popular Web
+server on the Internet.
+
+This version of apache is fully static, and few modules are available built-in.
+
+%prep
+%setup -q -n httpd-%{version}
+
+%patch1 -p1 -b .apctl
+%patch2 -p1 -b .apxs
+%patch3 -p1 -b .deplibs
+%patch5 -p1 -b .layout
+%patch6 -p1 -b .apctlsystemd
+%patch7 -p1 -b .detectsystemd
+
+%patch23 -p1 -b .export
+%patch24 -p1 -b .corelimit
+%patch26 -p1 -b .r1337344+
+%patch27 -p1 -b .icons
+%patch30 -p1 -b .cachehardmax
+%patch31 -p1 -b .sslmultiproxy
+%patch34 -p1 -b .socketactivation
+%patch35 -p1 -b .sslciphdefault
+
+%patch55 -p1 -b .malformedhost
+%patch56 -p1 -b .uniqueid
+%patch57 -p1 -b .sigint
+
+# Patch in vendor/release string
+sed "s/@RELEASE@/%{product_distribution}/" < %{PATCH20} | patch -p1
+
+# forcibly prevent use of bundled apr, apr-util, pcre
+rm -rf srclib/{apr,apr-util,pcre}
+
+# fix apxs
+perl -pi \
+       -e 's|\@exp_installbuilddir\@|%{_libdir}/httpd/build|;' \
+       -e 's|get_vars\("prefix"\)|"%{_libdir}/httpd/build"|;' \
+       -e 's|get_vars\("sbindir"\) . "/envvars"|"\$installbuilddir/envvars"|;' \
+       support/apxs.in
+
+# correct perl paths
+find -type f -print0 | xargs -0 perl -pi \
+       -e 's|/usr/local/bin/perl|perl|g;' \
+       -e 's|/usr/local/bin/perl5|perl|g;' \
+       -e 's|/path/to/bin/perl|perl|g;'
+
+# bump max modules
+perl -pi \
+       -e 's/DYNAMIC_MODULE_LIMIT \d+/DYNAMIC_MODULE_LIMIT %{maxmodules}/;' \
+       include/httpd.h
+
+# bump server limit
+perl -pi \
+       -e 's/DEFAULT_SERVER_LIMIT \d+/DEFAULT_SERVER_LIMIT %{serverlimit}/' \
+       server/mpm/prefork/prefork.c \
+       server/mpm/worker/worker.c \
+       server/mpm/event/event.c
+
+# don't try to touch srclib
+perl -pi -e "s|^SUBDIRS = .*|SUBDIRS = os server modules support|g" Makefile.in
+
+# this will only work if configured correctly in the config (FullOs)...
+cp server/core.c server/core.c.untagged
+
+# Install index.bin source
+install -m 644 %{SOURCE1} index.bin.c 
+
+%build
+%serverbuild
+# regenerate configure scripts
+autoheader && autoconf || exit 1
+
+export CFLAGS="$RPM_OPT_FLAGS -DBIG_SECURITY_HOLE"
+export LDFLAGS="-Wl,-z,relro,-z,now"
+
+# Hard-code path to links to avoid unnecessary builddep
+export LYNX_PATH=/usr/bin/links
+
+%configure2_5x \
+       --enable-layout=IHttpd \
+       --sysconfdir='/etc' \
+       --includedir='/usr/include/ihttpd' \
+       --libexecdir='/usr/lib64/ihttpd/modules' \
+       --datadir='/usr/share/ihttpd' \
+       --with-ssl \
+       --with-mpm=prefork \
+       --with-cgi \
+       --with-program-name='%name' \
+       --disable-suexec \
+       --without-suexec \
+       --disable-distcache \
+       --enable-unixd \
+       --enable-auth-basic \
+       --enable-authn-core \
+       --enable-authn-file \
+       --enable-authz-core \
+       --enable-authz-host \
+       --enable-authz-user \
+       --enable-rewrite \
+       --enable-socache-shmcb \
+       --enable-mime \
+       --enable-dir \
+       --enable-ssl \
+       --enable-log-config \
+       --enable-cgi \
+       --enable-pie \
+       --enable-modules=none \
+       --enable-mods-static='unixd auth_basic authn_core authn_file authz_core authz_host authz_user rewrite socache_shmcb dir mime log_config cgi ssl'
+
+%make
+
+export CFLAGS="$RPM_OPT_FLAGS"
+# -m64 -std=c99 -pedantic -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes
+gcc index.bin.c -o index.bin
+
+%install
+
+#IHttpd sbin
+install -D -p -m 755 ihttpd %{buildroot}%{_sbindir}/ihttpd
+
+#IHttpd config
+install -D -p -m 644 %{SOURCE20} %{buildroot}%{_sysconfdir}/ihttpd.conf
+
+#Tmpfiles.d config
+install -D -p -m 644 %{SOURCE14} %{buildroot}%{_tmpfilesdir}/ihttpd.conf
+
+#IHttpd service
+install -D -p -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/ihttpd.service
+
+#IHttpd path
+install -D -p -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/ihttpd.path
+
+#IHttpd dracut config
+install -D -p -m 644 %{SOURCE18} %{buildroot}%{_sysconfdir}/dracut.conf.d/99-%{name}.conf
+
+#IHttpd dracut module
+install -d -m 755 %{buildroot}%{_prefix}/lib/dracut/modules.d/99ihttpd
+install -D -p -m 755 %{SOURCE19} %{buildroot}%{_prefix}/lib/dracut/modules.d/99ihttpd/module-setup.sh
+
+#Ihttpd index.bin
+install -d -m 755 %{buildroot}%{_prefix}/lib/%{name}
+install -D -p -m 755 index.bin %{buildroot}%{_prefix}/lib/%{name}/index.bin
+install -D -p -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/%{name}/reboot.bin
+
+%find_lang %name
+
+%post
+%_tmpfilescreate %{name}
+%_post_service %{name}
+%_create_ssl_certificate %{name}
+
+%preun
+%_preun_service %{name}
+
+%files -n %name
+%config(noreplace) %{_sysconfdir}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/dracut.conf.d/99-%{name}.conf
+%{_sbindir}/%{name}
+%{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/%{name}.path
+%dir %{_prefix}/lib/dracut/modules.d/99ihttpd
+%{_prefix}/lib/dracut/modules.d/99ihttpd/module-setup.sh
+%{_unitdir}/%{name}.service
+%{_prefix}/lib/%{name}/index.bin
+%{_prefix}/lib/%{name}/reboot.bin