1 files changed, 289 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
new file mode 100644
index 000000000..a4f185501
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
@@ -0,0 +1,289 @@
+Add support for TLS Next Protocol Negotiation:
+* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
+  hooks for next protocol advertisement/discovery.
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
+  NPN advertisement callback in handshake.
+* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
+  next-protocol discovery hook.
+* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
+  New callback.
+* modules/ssl/ssl_private.h: Add prototype.
+Submitted by: Matthew Steele <mdsteele google.com>
+  with slight tweaks by jorton
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+Upstream-Status: Backport
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ CHANGES                         |  2 +
+ modules/ssl/mod_ssl.c           | 12 ++++++
+ modules/ssl/mod_ssl.h           | 21 +++++++++++
+ modules/ssl/ssl_engine_init.c   |  5 +++
+ modules/ssl/ssl_engine_io.c     | 24 ++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
+ modules/ssl/ssl_private.h       |  6 +++
+ 7 files changed, 152 insertions(+)
+diff --git a/CHANGES b/CHANGES
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,6 +1,8 @@
+                                                          -*- coding: utf-8 -*-
+ 
+ Changes with Apache 2.4.7
+  *) mod_ssl: Add support for TLS Next Protocol Negotiation.  PR 52210.
+     [Matthew Steele <mdsteele google.com>]
+ 
+   *) APR 1.5.0 or later is now required for the event MPM.
+   
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
+@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
+     AP_END_CMD
+ };
+ 
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_advertise_protos_hook,
+    (conn_rec *connection, apr_array_header_t *protos),
+    (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_proto_negotiated_hook,
+    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+    (connection, proto_name, proto_name_len), OK, DECLINED);
+
+ /*
+  *  the various processing hooks
+  */
+diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
+--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+                          (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server.  The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+                          (conn_rec *connection, const char *proto_name,
+                           apr_size_t proto_name_len));
+
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
+ 
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+#ifdef HAVE_TLS_NPN
+    SSL_CTX_set_next_protos_advertised_cb(
+        ctx, ssl_callback_AdvertiseNextProtos, NULL);
+#endif
+ }
+ 
+ static void ssl_init_ctx_verify(server_rec *s,
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+                                   core keeps dumping.''
+                                             -- Unknown    */
+ #include "ssl_private.h"
+#include "mod_ssl.h"
+ #include "apr_date.h"
+ 
+ /*  _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+     apr_pool_t *pool;
+     char buffer[AP_IOBUFSIZE];
+     ssl_filter_ctx_t *filter_ctx;
+    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+ 
+ /*
+@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+         APR_BRIGADE_INSERT_TAIL(bb, bucket);
+     }
+ 
+#ifdef HAVE_TLS_NPN
+    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+     * our version of OpenSSL supports it).  If we haven't already, find out
+     * which protocol was decided upon and inform other modules by calling
+     * npn_proto_negotiated_hook. */
+    if (!inctx->npn_finished) {
+        const unsigned char *next_proto = NULL;
+        unsigned next_proto_len = 0;
+
+        SSL_get0_next_proto_negotiated(
+            inctx->ssl, &next_proto, &next_proto_len);
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+                      "SSL NPN negotiated protocol: '%s'",
+                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
+                                     next_proto_len));
+        modssl_run_npn_proto_negotiated_hook(
+            f->c, (const char*)next_proto, next_proto_len);
+        inctx->npn_finished = 1;
+    }
+#endif
+
+     return APR_SUCCESS;
+ }
+ 
+@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
+     inctx->block = APR_BLOCK_READ;
+     inctx->pool = c->pool;
+     inctx->filter_ctx = filter_ctx;
+    inctx->npn_finished = 0;
+ }
+ 
+ /* The request_rec pointer is passed in here only to ensure that the
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+                                   time I was too famous.''
+                                             -- Unknown                */
+ #include "ssl_private.h"
+#include "mod_ssl.h"
+ #include "util_md5.h"
+ 
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+ }
+ 
+ #endif /* HAVE_SRP */
+
+#ifdef HAVE_TLS_NPN
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
+ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
+ * in OpenSSL for reference.
+ */
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+                                     unsigned int *size_out, void *arg)
+{
+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+    apr_array_header_t *protos;
+    int num_protos;
+    unsigned int size;
+    int i;
+    unsigned char *data;
+    unsigned char *start;
+
+    *data_out = NULL;
+    *size_out = 0;
+
+    /* If the connection object is not available, then there's nothing for us
+     * to do. */
+    if (c == NULL) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+     * add alternate protocol names to advertise. */
+    protos = apr_array_make(c->pool, 0, sizeof(char*));
+    modssl_run_npn_advertise_protos_hook(c, protos);
+    num_protos = protos->nelts;
+
+    /* We now have a list of null-terminated strings; we need to concatenate
+     * them together into a single string, where each protocol name is prefixed
+     * by its length.  First, calculate how long that string will be. */
+    size = 0;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        unsigned int length = strlen(string);
+        /* If the protocol name is too long (the length must fit in one byte),
+         * then log an error and skip it. */
+        if (length > 255) {
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                          "SSL NPN protocol name too long (length=%u): %s",
+                          length, string);
+            continue;
+        }
+        /* Leave room for the length prefix (one byte) plus the protocol name
+         * itself. */
+        size += 1 + length;
+    }
+
+    /* If there is nothing to advertise (either because no modules added
+     * anything to the protos array, or because all strings added to the array
+     * were skipped), then we're done. */
+    if (size == 0) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Now we can build the string.  Copy each protocol name string into the
+     * larger string, prefixed by its length. */
+    data = apr_palloc(c->pool, size * sizeof(unsigned char));
+    start = data;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        apr_size_t length = strlen(string);
+        *start = (unsigned char)length;
+        ++start;
+        memcpy(start, string, length * sizeof(unsigned char));
+        start += length;
+    }
+
+    /* Success. */
+    *data_out = data;
+    *size_out = size;
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif /* HAVE_TLS_NPN */
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
+@@ -123,6 +123,11 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+ 
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+    && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -800,6 +805,7 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+ 
+ /**  Session Cache Support  */
+ void         ssl_scache_init(server_rec *, apr_pool_t *);
+-- 
+1.8.1.2

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch new file mode 100644 index 000000000..a4f185501 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
@@ -0,0 +1,289 @@
	1	Add support for TLS Next Protocol Negotiation:
	2
	3	* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
	4	hooks for next protocol advertisement/discovery.
	5
	6	* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
	7	NPN advertisement callback in handshake.
	8
	9	* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
	10	next-protocol discovery hook.
	11
	12	* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
	13	New callback.
	14
	15	* modules/ssl/ssl_private.h: Add prototype.
	16
	17	Submitted by: Matthew Steele <mdsteele google.com>
	18	with slight tweaks by jorton
	19
	20	http://svn.apache.org/viewvc?view=revision&revision=1332643
	21	https://bugzilla.redhat.com//show_bug.cgi?id=809599
	22	Upstream-Status: Backport
	23	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
	24	---
	25	CHANGES \| 2 +
	26	modules/ssl/mod_ssl.c \| 12 ++++++
	27	modules/ssl/mod_ssl.h \| 21 +++++++++++
	28	modules/ssl/ssl_engine_init.c \| 5 +++
	29	modules/ssl/ssl_engine_io.c \| 24 ++++++++++++
	30	modules/ssl/ssl_engine_kernel.c \| 82 +++++++++++++++++++++++++++++++++++++++++
	31	modules/ssl/ssl_private.h \| 6 +++
	32	7 files changed, 152 insertions(+)
	33
	34	diff --git a/CHANGES b/CHANGES
	35	--- a/CHANGES
	36	+++ b/CHANGES
	37	@@ -1,6 +1,8 @@
	38	-- coding: utf-8 --
	39
	40	Changes with Apache 2.4.7
	41	+ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
	42	+ [Matthew Steele <mdsteele google.com>]
	43
	44	*) APR 1.5.0 or later is now required for the event MPM.
	45
	46	diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
	47	--- a/modules/ssl/mod_ssl.c
	48	+++ b/modules/ssl/mod_ssl.c
	49	@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
	50	AP_END_CMD
	51	};
	52
	53	+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
	54	+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
	55	+ modssl, AP, int, npn_advertise_protos_hook,
	56	+ (conn_rec connection, apr_array_header_t protos),
	57	+ (connection, protos), OK, DECLINED);
	58	+
	59	+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
	60	+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
	61	+ modssl, AP, int, npn_proto_negotiated_hook,
	62	+ (conn_rec connection, const char proto_name, apr_size_t proto_name_len),
	63	+ (connection, proto_name, proto_name_len), OK, DECLINED);
	64	+
	65	/*
	66	* the various processing hooks
	67	*/
	68	diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
	69	--- a/modules/ssl/mod_ssl.h
	70	+++ b/modules/ssl/mod_ssl.h
	71	@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
	72
	73	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
	74
	75	+/** The npn_advertise_protos optional hook allows other modules to add entries
	76	+ * to the list of protocol names advertised by the server during the Next
	77	+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
	78	+ * given the connection and an APR array; it should push one or more char*'s
	79	+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
	80	+ * the array and return OK, or do nothing and return DECLINED. */
	81	+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
	82	+ (conn_rec connection, apr_array_header_t protos));
	83	+
	84	+/** The npn_proto_negotiated optional hook allows other modules to discover the
	85	+ * name of the protocol that was chosen during the Next Protocol Negotiation
	86	+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
	87	+ * (in which case modules should probably assume HTTP), or it may be a protocol
	88	+ * that was never even advertised by the server. The hook callee is given the
	89	+ * connection, a non-null-terminated string containing the protocol name, and
	90	+ * the length of the string; it should do something appropriate (i.e. insert or
	91	+ * remove filters) and return OK, or do nothing and return DECLINED. */
	92	+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
	93	+ (conn_rec connection, const char proto_name,
	94	+ apr_size_t proto_name_len));
	95	+
	96	#endif /* __MOD_SSL_H__ */
	97	/** @} */
	98	diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
	99	--- a/modules/ssl/ssl_engine_init.c
	100	+++ b/modules/ssl/ssl_engine_init.c
	101	@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
	102	SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
	103
	104	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
	105	+
	106	+#ifdef HAVE_TLS_NPN
	107	+ SSL_CTX_set_next_protos_advertised_cb(
	108	+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
	109	+#endif
	110	}
	111
	112	static void ssl_init_ctx_verify(server_rec *s,
	113	diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
	114	--- a/modules/ssl/ssl_engine_io.c
	115	+++ b/modules/ssl/ssl_engine_io.c
	116	@@ -28,6 +28,7 @@
	117	core keeps dumping.''
	118	-- Unknown */
	119	#include "ssl_private.h"
	120	+#include "mod_ssl.h"
	121	#include "apr_date.h"
	122
	123	/* _________________________________________________________________
	124	@@ -297,6 +298,7 @@ typedef struct {
	125	apr_pool_t *pool;
	126	char buffer[AP_IOBUFSIZE];
	127	ssl_filter_ctx_t *filter_ctx;
	128	+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
	129	} bio_filter_in_ctx_t;
	130
	131	/*
	132	@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
	133	APR_BRIGADE_INSERT_TAIL(bb, bucket);
	134	}
	135
	136	+#ifdef HAVE_TLS_NPN
	137	+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
	138	+ * our version of OpenSSL supports it). If we haven't already, find out
	139	+ * which protocol was decided upon and inform other modules by calling
	140	+ * npn_proto_negotiated_hook. */
	141	+ if (!inctx->npn_finished) {
	142	+ const unsigned char *next_proto = NULL;
	143	+ unsigned next_proto_len = 0;
	144	+
	145	+ SSL_get0_next_proto_negotiated(
	146	+ inctx->ssl, &next_proto, &next_proto_len);
	147	+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
	148	+ "SSL NPN negotiated protocol: '%s'",
	149	+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
	150	+ next_proto_len));
	151	+ modssl_run_npn_proto_negotiated_hook(
	152	+ f->c, (const char*)next_proto, next_proto_len);
	153	+ inctx->npn_finished = 1;
	154	+ }
	155	+#endif
	156	+
	157	return APR_SUCCESS;
	158	}
	159
	160	@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t filter_ctx, conn_rec c,
	161	inctx->block = APR_BLOCK_READ;
	162	inctx->pool = c->pool;
	163	inctx->filter_ctx = filter_ctx;
	164	+ inctx->npn_finished = 0;
	165	}
	166
	167	/* The request_rec pointer is passed in here only to ensure that the
	168	diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
	169	--- a/modules/ssl/ssl_engine_kernel.c
	170	+++ b/modules/ssl/ssl_engine_kernel.c
	171	@@ -29,6 +29,7 @@
	172	time I was too famous.''
	173	-- Unknown */
	174	#include "ssl_private.h"
	175	+#include "mod_ssl.h"
	176	#include "util_md5.h"
	177
	178	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);
	179	@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL ssl, int ad, void *arg)
	180	}
	181
	182	#endif /* HAVE_SRP */
	183	+
	184	+#ifdef HAVE_TLS_NPN
	185	+/*
	186	+ * This callback function is executed when SSL needs to decide what protocols
	187	+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
	188	+ * string in wire format -- a sequence of length-prefixed strings -- indicating
	189	+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
	190	+ * in OpenSSL for reference.
	191	+ */
	192	+int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
	193	+ unsigned int size_out, void arg)
	194	+{
	195	+ conn_rec c = (conn_rec)SSL_get_app_data(ssl);
	196	+ apr_array_header_t *protos;
	197	+ int num_protos;
	198	+ unsigned int size;
	199	+ int i;
	200	+ unsigned char *data;
	201	+ unsigned char *start;
	202	+
	203	+ *data_out = NULL;
	204	+ *size_out = 0;
	205	+
	206	+ /* If the connection object is not available, then there's nothing for us
	207	+ * to do. */
	208	+ if (c == NULL) {
	209	+ return SSL_TLSEXT_ERR_OK;
	210	+ }
	211	+
	212	+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
	213	+ * add alternate protocol names to advertise. */
	214	+ protos = apr_array_make(c->pool, 0, sizeof(char*));
	215	+ modssl_run_npn_advertise_protos_hook(c, protos);
	216	+ num_protos = protos->nelts;
	217	+
	218	+ /* We now have a list of null-terminated strings; we need to concatenate
	219	+ * them together into a single string, where each protocol name is prefixed
	220	+ * by its length. First, calculate how long that string will be. */
	221	+ size = 0;
	222	+ for (i = 0; i < num_protos; ++i) {
	223	+ const char string = APR_ARRAY_IDX(protos, i, const char);
	224	+ unsigned int length = strlen(string);
	225	+ /* If the protocol name is too long (the length must fit in one byte),
	226	+ * then log an error and skip it. */
	227	+ if (length > 255) {
	228	+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
	229	+ "SSL NPN protocol name too long (length=%u): %s",
	230	+ length, string);
	231	+ continue;
	232	+ }
	233	+ /* Leave room for the length prefix (one byte) plus the protocol name
	234	+ * itself. */
	235	+ size += 1 + length;
	236	+ }
	237	+
	238	+ /* If there is nothing to advertise (either because no modules added
	239	+ * anything to the protos array, or because all strings added to the array
	240	+ * were skipped), then we're done. */
	241	+ if (size == 0) {
	242	+ return SSL_TLSEXT_ERR_OK;
	243	+ }
	244	+
	245	+ /* Now we can build the string. Copy each protocol name string into the
	246	+ * larger string, prefixed by its length. */
	247	+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
	248	+ start = data;
	249	+ for (i = 0; i < num_protos; ++i) {
	250	+ const char string = APR_ARRAY_IDX(protos, i, const char);
	251	+ apr_size_t length = strlen(string);
	252	+ *start = (unsigned char)length;
	253	+ ++start;
	254	+ memcpy(start, string, length * sizeof(unsigned char));
	255	+ start += length;
	256	+ }
	257	+
	258	+ /* Success. */
	259	+ *data_out = data;
	260	+ *size_out = size;
	261	+ return SSL_TLSEXT_ERR_OK;
	262	+}
	263	+#endif /* HAVE_TLS_NPN */
	264	diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
	265	--- a/modules/ssl/ssl_private.h
	266	+++ b/modules/ssl/ssl_private.h
	267	@@ -123,6 +123,11 @@
	268	#define MODSSL_SSL_METHOD_CONST
	269	#endif
	270
	271	+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
	272	+ && !defined(OPENSSL_NO_TLSEXT)
	273	+#define HAVE_TLS_NPN
	274	+#endif
	275	+
	276	#if defined(OPENSSL_FIPS)
	277	#define HAVE_FIPS
	278	#endif
	279	@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL , int , modssl_ctx_t *);
	280	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,
	281	EVP_CIPHER_CTX , HMAC_CTX , int);
	282	#endif
	283	+int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
	284
	285	/** Session Cache Support */
	286	void ssl_scache_init(server_rec , apr_pool_t );
	287	--
	288	1.8.1.2
	289