Upstream tarball 2.2.22upstream/2.2.22

13 files changed, 1151 insertions, 62 deletions

diff --git a/srclib/apr-util/include/apr_buckets.h b/srclib/apr-util/include/apr_buckets.h
index 7434864c..b1d18613 100644
--- a/srclib/apr-util/include/apr_buckets.h
+++ b/srclib/apr-util/include/apr_buckets.h
@@ -801,6 +801,20 @@ APU_DECLARE(apr_status_t) apr_brigade_vputstrs(apr_bucket_brigade *b,
 
 /**
  * This function writes a string into a bucket brigade.
+ *
+ * The apr_brigade_write function attempts to be efficient with the
+ * handling of heap buckets. Regardless of the amount of data stored
+ * inside a heap bucket, heap buckets are a fixed size to promote their
+ * reuse.
+ *
+ * If an attempt is made to write a string to a brigade that already 
+ * ends with a heap bucket, this function will attempt to pack the
+ * string into the remaining space in the previous heap bucket, before
+ * allocating a new heap bucket.
+ *
+ * This function always returns APR_SUCCESS, unless a flush function is
+ * passed, in which case the return value of the flush function will be
+ * returned if used.
  * @param b The bucket brigade to add to
  * @param flush The flush function to use if the brigade is full
  * @param ctx The structure to pass to the flush function
@@ -989,19 +1003,70 @@ APU_DECLARE_NONSTD(void) apr_bucket_free(void *block);
     } while (0)
 
 /**
- * Read the data from the bucket.
- * 
- * If it is not practical to return all
- * the data in the bucket, the current bucket is split and replaced by
- * two buckets, the first representing the data returned in this call,
- * and the second representing the rest of the data as yet unread. The
- * original bucket will become the first bucket after this call.
- * 
- * (It is assumed that the bucket is a member of a brigade when this
- * function is called).
+ * Read some data from the bucket.
+ *
+ * The apr_bucket_read function returns a convenient amount of data
+ * from the bucket provided, writing the address and length of the
+ * data to the pointers provided by the caller. The function tries
+ * as hard as possible to avoid a memory copy.
+ *
+ * Buckets are expected to be a member of a brigade at the time they
+ * are read.
+ *
+ * In typical application code, buckets are read in a loop, and after
+ * each bucket is read and processed, it is moved or deleted from the
+ * brigade and the next bucket read.
+ *
+ * The definition of "convenient" depends on the type of bucket that
+ * is being read, and is decided by APR. In the case of memory based
+ * buckets such as heap and immortal buckets, a pointer will be
+ * returned to the location of the buffer containing the complete
+ * contents of the bucket.
+ *
+ * Some buckets, such as the socket bucket, might have no concept
+ * of length. If an attempt is made to read such a bucket, the
+ * apr_bucket_read function will read a convenient amount of data
+ * from the socket. The socket bucket is magically morphed into a
+ * heap bucket containing the just-read data, and a new socket bucket
+ * is inserted just after this heap bucket.
+ *
+ * To understand why apr_bucket_read might do this, consider the loop
+ * described above to read and process buckets. The current bucket
+ * is magically morphed into a heap bucket and returned to the caller.
+ * The caller processes the data, and deletes the heap bucket, moving
+ * onto the next bucket, the new socket bucket. This process repeats,
+ * giving the illusion of a bucket brigade that contains potentially
+ * infinite amounts of data. It is up to the caller to decide at what
+ * point to stop reading buckets.
+ *
+ * Some buckets, such as the file bucket, might have a fixed size,
+ * but be significantly larger than is practical to store in RAM in
+ * one go. As with the socket bucket, if an attempt is made to read
+ * from a file bucket, the file bucket is magically morphed into a
+ * heap bucket containing a convenient amount of data read from the
+ * current offset in the file. During the read, the offset will be
+ * moved forward on the file, and a new file bucket will be inserted
+ * directly after the current bucket representing the remainder of the
+ * file. If the heap bucket was large enough to store the whole
+ * remainder of the file, no more file buckets are inserted, and the
+ * file bucket will disappear completely.
+ *
+ * The pattern for reading buckets described above does create the
+ * illusion that the code is willing to swallow buckets that might be
+ * too large for the system to handle in one go. This however is just
+ * an illusion: APR will always ensure that large (file) or infinite
+ * (socket) buckets are broken into convenient bite sized heap buckets
+ * before data is returned to the caller.
+ *
+ * There is a potential gotcha to watch for: if buckets are read in a
+ * loop, and aren't deleted after being processed, the potentially large
+ * bucket will slowly be converted into RAM resident heap buckets. If
+ * the file is larger than available RAM, an out of memory condition
+ * could be caused if the application is not careful to manage this.
+ *
  * @param e The bucket to read from
- * @param str The location to store the data in
- * @param len The amount of data read
+ * @param str The location to store a pointer to the data in
+ * @param len The location to store the amount of data read
  * @param block Whether the read function blocks
  */
 #define apr_bucket_read(e,str,len,block) (e)->type->read(e, str, len, block)
diff --git a/srclib/apr-util/include/apr_crypto.h b/srclib/apr-util/include/apr_crypto.h
new file mode 100644
index 00000000..ed0982db
--- /dev/null
+++ b/srclib/apr-util/include/apr_crypto.h
@@ -0,0 +1,419 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef APR_CRYPTO_H
+#define APR_CRYPTO_H
+
+#include "apu.h"
+#include "apr_pools.h"
+#include "apr_tables.h"
+#include "apr_hash.h"
+#include "apu_errno.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @file apr_crypto.h
+ * @brief APR-UTIL Crypto library
+ */
+/**
+ * @defgroup APR_Util_Crypto Crypto routines
+ * @ingroup APR_Util
+ * @{
+ */
+
+#if APU_HAVE_CRYPTO
+
+#ifndef APU_CRYPTO_RECOMMENDED_DRIVER
+#if APU_HAVE_OPENSSL
+#define APU_CRYPTO_RECOMMENDED_DRIVER "openssl"
+#else
+#if APU_HAVE_NSS
+#define APU_CRYPTO_RECOMMENDED_DRIVER "nss"
+#else
+#if APU_HAVE_MSCNG
+#define APU_CRYPTO_RECOMMENDED_DRIVER "mscng"
+#else
+#if APU_HAVE_MSCAPI
+#define APU_CRYPTO_RECOMMENDED_DRIVER "mscapi"
+#else
+#endif
+#endif
+#endif
+#endif
+#endif
+
+/**
+ * Symmetric Key types understood by the library.
+ *
+ * NOTE: It is expected that this list will grow over time.
+ *
+ * Interoperability Matrix:
+ *
+ * The matrix is based on the testcrypto.c unit test, which attempts to
+ * test whether a simple encrypt/decrypt will succeed, as well as testing
+ * whether an encrypted string by one library can be decrypted by the
+ * others.
+ *
+ * Some libraries will successfully encrypt and decrypt their own data,
+ * but won't decrypt data from another library. It is hoped that over
+ * time these anomalies will be found and fixed, but until then it is
+ * recommended that ciphers are chosen that interoperate across platform.
+ *
+ * An X below means the test passes, it does not necessarily mean that
+ * encryption performed is correct or secure. Applications should stick
+ * to ciphers that pass the interoperablity tests on the right hand side
+ * of the table.
+ *
+ * Aligned data is data whose length is a multiple of the block size for
+ * the chosen cipher. Padded data is data that is not aligned by block
+ * size and must be padded by the crypto library.
+ *
+ *                  OpenSSL      NSS      Interop
+ *                 Align Pad  Align Pad  Align Pad
+ * 3DES_192/CBC    X     X    X     X    X     X
+ * 3DES_192/ECB    X     X
+ * AES_256/CBC     X     X    X     X    X     X
+ * AES_256/ECB     X     X    X          X
+ * AES_192/CBC     X     X    X     X
+ * AES_192/ECB     X     X    X
+ * AES_128/CBC     X     X    X     X
+ * AES_128/ECB     X     X    X
+ *
+ * Conclusion: for padded data, use 3DES_192/CBC or AES_256/CBC. For
+ * aligned data, use 3DES_192/CBC, AES_256/CBC or AES_256/ECB.
+ */
+
+typedef enum
+{
+    APR_KEY_NONE, APR_KEY_3DES_192, /** 192 bit (3-Key) 3DES */
+    APR_KEY_AES_128, /** 128 bit AES */
+    APR_KEY_AES_192, /** 192 bit AES */
+    APR_KEY_AES_256
+/** 256 bit AES */
+} apr_crypto_block_key_type_e;
+
+typedef enum
+{
+    APR_MODE_NONE, /** An error condition */
+    APR_MODE_ECB, /** Electronic Code Book */
+    APR_MODE_CBC
+/** Cipher Block Chaining */
+} apr_crypto_block_key_mode_e;
+
+/* These are opaque structs.  Instantiation is up to each backend */
+typedef struct apr_crypto_driver_t apr_crypto_driver_t;
+typedef struct apr_crypto_t apr_crypto_t;
+typedef struct apr_crypto_config_t apr_crypto_config_t;
+typedef struct apr_crypto_key_t apr_crypto_key_t;
+typedef struct apr_crypto_block_t apr_crypto_block_t;
+
+/**
+ * @brief Perform once-only initialisation. Call once only.
+ *
+ * @param pool - pool to register any shutdown cleanups, etc
+ * @return APR_NOTIMPL in case of no crypto support.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_init(apr_pool_t *pool);
+
+/**
+ * @brief Register a cleanup to zero out the buffer provided
+ * when the pool is cleaned up.
+ *
+ * @param pool - pool to register the cleanup
+ * @param buffer - buffer to zero out
+ * @param size - size of the buffer to zero out
+ */
+APU_DECLARE(apr_status_t) apr_crypto_clear(apr_pool_t *pool, void *buffer,
+        apr_size_t size);
+
+/**
+ * @brief Get the driver struct for a name
+ *
+ * @param driver - pointer to driver struct.
+ * @param name - driver name
+ * @param params - array of initialisation parameters
+ * @param result - result and error message on failure
+ * @param pool - (process) pool to register cleanup
+ * @return APR_SUCCESS for success
+ * @return APR_ENOTIMPL for no driver (when DSO not enabled)
+ * @return APR_EDSOOPEN if DSO driver file can't be opened
+ * @return APR_ESYMNOTFOUND if the driver file doesn't contain a driver
+ * @remarks NSS: the params can have "dir", "key3", "cert7" and "secmod"
+ *  keys, each followed by an equal sign and a value. Such key/value pairs can
+ *  be delimited by space or tab. If the value contains a space, surround the
+ *  whole key value pair in quotes: "dir=My Directory".
+ * @remarks OpenSSL: currently no params are supported.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_get_driver(
+        const apr_crypto_driver_t **driver,
+        const char *name, const char *params, const apu_err_t **result,
+        apr_pool_t *pool);
+
+/**
+ * @brief Return the name of the driver.
+ *
+ * @param driver - The driver in use.
+ * @return The name of the driver.
+ */
+APU_DECLARE(const char *) apr_crypto_driver_name(
+        const apr_crypto_driver_t *driver);
+
+/**
+ * @brief Get the result of the last operation on a context. If the result
+ *        is NULL, the operation was successful.
+ * @param result - the result structure
+ * @param f - context pointer
+ * @return APR_SUCCESS for success
+ */
+APU_DECLARE(apr_status_t) apr_crypto_error(const apu_err_t **result,
+        const apr_crypto_t *f);
+
+/**
+ * @brief Create a context for supporting encryption. Keys, certificates,
+ *        algorithms and other parameters will be set per context. More than
+ *        one context can be created at one time. A cleanup will be automatically
+ *        registered with the given pool to guarantee a graceful shutdown.
+ * @param f - context pointer will be written here
+ * @param driver - driver to use
+ * @param params - array of key parameters
+ * @param pool - process pool
+ * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE
+ * if the engine cannot be initialised.
+ * @remarks NSS: currently no params are supported.
+ * @remarks OpenSSL: the params can have "engine" as a key, followed by an equal
+ *  sign and a value.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_make(apr_crypto_t **f,
+        const apr_crypto_driver_t *driver, const char *params,
+        apr_pool_t *pool);
+
+/**
+ * @brief Get a hash table of key types, keyed by the name of the type against
+ * an integer pointer constant.
+ *
+ * @param types - hashtable of key types keyed to constants.
+ * @param f - encryption context
+ * @return APR_SUCCESS for success
+ */
+APU_DECLARE(apr_status_t) apr_crypto_get_block_key_types(apr_hash_t **types,
+        const apr_crypto_t *f);
+
+/**
+ * @brief Get a hash table of key modes, keyed by the name of the mode against
+ * an integer pointer constant.
+ *
+ * @param modes - hashtable of key modes keyed to constants.
+ * @param f - encryption context
+ * @return APR_SUCCESS for success
+ */
+APU_DECLARE(apr_status_t) apr_crypto_get_block_key_modes(apr_hash_t **modes,
+        const apr_crypto_t *f);
+
+/**
+ * @brief Create a key from the given passphrase. By default, the PBKDF2
+ *        algorithm is used to generate the key from the passphrase. It is expected
+ *        that the same pass phrase will generate the same key, regardless of the
+ *        backend crypto platform used. The key is cleaned up when the context
+ *        is cleaned, and may be reused with multiple encryption or decryption
+ *        operations.
+ * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If
+ *       *key is not NULL, *key must point at a previously created structure.
+ * @param key The key returned, see note.
+ * @param ivSize The size of the initialisation vector will be returned, based
+ *               on whether an IV is relevant for this type of crypto.
+ * @param pass The passphrase to use.
+ * @param passLen The passphrase length in bytes
+ * @param salt The salt to use.
+ * @param saltLen The salt length in bytes
+ * @param type 3DES_192, AES_128, AES_192, AES_256.
+ * @param mode Electronic Code Book / Cipher Block Chaining.
+ * @param doPad Pad if necessary.
+ * @param iterations Number of iterations to use in algorithm
+ * @param f The context to use.
+ * @param p The pool to use.
+ * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend
+ *         error occurred while generating the key. APR_ENOCIPHER if the type or mode
+ *         is not supported by the particular backend. APR_EKEYTYPE if the key type is
+ *         not known. APR_EPADDING if padding was requested but is not supported.
+ *         APR_ENOTIMPL if not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_passphrase(apr_crypto_key_t **key,
+        apr_size_t *ivSize, const char *pass, apr_size_t passLen,
+        const unsigned char * salt, apr_size_t saltLen,
+        const apr_crypto_block_key_type_e type,
+        const apr_crypto_block_key_mode_e mode, const int doPad,
+        const int iterations, const apr_crypto_t *f, apr_pool_t *p);
+
+/**
+ * @brief Initialise a context for encrypting arbitrary data using the given key.
+ * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
+ *       *ctx is not NULL, *ctx must point at a previously created structure.
+ * @param ctx The block context returned, see note.
+ * @param iv Optional initialisation vector. If the buffer pointed to is NULL,
+ *           an IV will be created at random, in space allocated from the pool.
+ *           If the buffer pointed to is not NULL, the IV in the buffer will be
+ *           used.
+ * @param key The key structure to use.
+ * @param blockSize The block size of the cipher.
+ * @param p The pool to use.
+ * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
+ *         Returns APR_EINIT if the backend failed to initialise the context. Returns
+ *         APR_ENOTIMPL if not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_init(
+        apr_crypto_block_t **ctx, const unsigned char **iv,
+        const apr_crypto_key_t *key, apr_size_t *blockSize, apr_pool_t *p);
+
+/**
+ * @brief Encrypt data provided by in, write it to out.
+ * @note The number of bytes written will be written to outlen. If
+ *       out is NULL, outlen will contain the maximum size of the
+ *       buffer needed to hold the data, including any data
+ *       generated by apr_crypto_block_encrypt_finish below. If *out points
+ *       to NULL, a buffer sufficiently large will be created from
+ *       the pool provided. If *out points to a not-NULL value, this
+ *       value will be used as a buffer instead.
+ * @param out Address of a buffer to which data will be written,
+ *        see note.
+ * @param outlen Length of the output will be written here.
+ * @param in Address of the buffer to read.
+ * @param inlen Length of the buffer to read.
+ * @param ctx The block context to use.
+ * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
+ *         not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_encrypt(unsigned char **out,
+        apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
+        apr_crypto_block_t *ctx);
+
+/**
+ * @brief Encrypt final data block, write it to out.
+ * @note If necessary the final block will be written out after being
+ *       padded. Typically the final block will be written to the
+ *       same buffer used by apr_crypto_block_encrypt, offset by the
+ *       number of bytes returned as actually written by the
+ *       apr_crypto_block_encrypt() call. After this call, the context
+ *       is cleaned and can be reused by apr_crypto_block_encrypt_init().
+ * @param out Address of a buffer to which data will be written. This
+ *            buffer must already exist, and is usually the same
+ *            buffer used by apr_evp_crypt(). See note.
+ * @param outlen Length of the output will be written here.
+ * @param ctx The block context to use.
+ * @return APR_ECRYPT if an error occurred.
+ * @return APR_EPADDING if padding was enabled and the block was incorrectly
+ *         formatted.
+ * @return APR_ENOTIMPL if not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_finish(unsigned char *out,
+        apr_size_t *outlen, apr_crypto_block_t *ctx);
+
+/**
+ * @brief Initialise a context for decrypting arbitrary data using the given key.
+ * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
+ *       *ctx is not NULL, *ctx must point at a previously created structure.
+ * @param ctx The block context returned, see note.
+ * @param blockSize The block size of the cipher.
+ * @param iv Optional initialisation vector.
+ * @param key The key structure to use.
+ * @param p The pool to use.
+ * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
+ *         Returns APR_EINIT if the backend failed to initialise the context. Returns
+ *         APR_ENOTIMPL if not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_init(
+        apr_crypto_block_t **ctx, apr_size_t *blockSize,
+        const unsigned char *iv, const apr_crypto_key_t *key, apr_pool_t *p);
+
+/**
+ * @brief Decrypt data provided by in, write it to out.
+ * @note The number of bytes written will be written to outlen. If
+ *       out is NULL, outlen will contain the maximum size of the
+ *       buffer needed to hold the data, including any data
+ *       generated by apr_crypto_block_decrypt_finish below. If *out points
+ *       to NULL, a buffer sufficiently large will be created from
+ *       the pool provided. If *out points to a not-NULL value, this
+ *       value will be used as a buffer instead.
+ * @param out Address of a buffer to which data will be written,
+ *        see note.
+ * @param outlen Length of the output will be written here.
+ * @param in Address of the buffer to read.
+ * @param inlen Length of the buffer to read.
+ * @param ctx The block context to use.
+ * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
+ *         not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_decrypt(unsigned char **out,
+        apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
+        apr_crypto_block_t *ctx);
+
+/**
+ * @brief Decrypt final data block, write it to out.
+ * @note If necessary the final block will be written out after being
+ *       padded. Typically the final block will be written to the
+ *       same buffer used by apr_crypto_block_decrypt, offset by the
+ *       number of bytes returned as actually written by the
+ *       apr_crypto_block_decrypt() call. After this call, the context
+ *       is cleaned and can be reused by apr_crypto_block_decrypt_init().
+ * @param out Address of a buffer to which data will be written. This
+ *            buffer must already exist, and is usually the same
+ *            buffer used by apr_evp_crypt(). See note.
+ * @param outlen Length of the output will be written here.
+ * @param ctx The block context to use.
+ * @return APR_ECRYPT if an error occurred.
+ * @return APR_EPADDING if padding was enabled and the block was incorrectly
+ *         formatted.
+ * @return APR_ENOTIMPL if not implemented.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_finish(unsigned char *out,
+        apr_size_t *outlen, apr_crypto_block_t *ctx);
+
+/**
+ * @brief Clean encryption / decryption context.
+ * @note After cleanup, a context is free to be reused if necessary.
+ * @param ctx The block context to use.
+ * @return Returns APR_ENOTIMPL if not supported.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_block_cleanup(apr_crypto_block_t *ctx);
+
+/**
+ * @brief Clean encryption / decryption context.
+ * @note After cleanup, a context is free to be reused if necessary.
+ * @param f The context to use.
+ * @return Returns APR_ENOTIMPL if not supported.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_cleanup(apr_crypto_t *f);
+
+/**
+ * @brief Shutdown the crypto library.
+ * @note After shutdown, it is expected that the init function can be called again.
+ * @param driver - driver to use
+ * @return Returns APR_ENOTIMPL if not supported.
+ */
+APU_DECLARE(apr_status_t) apr_crypto_shutdown(
+        const apr_crypto_driver_t *driver);
+
+#endif /* APU_HAVE_CRYPTO */
+
+/** @} */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/srclib/apr-util/include/apr_hooks.h b/srclib/apr-util/include/apr_hooks.h
index 1a528332..b675711e 100644
--- a/srclib/apr-util/include/apr_hooks.h
+++ b/srclib/apr-util/include/apr_hooks.h
@@ -34,6 +34,82 @@ extern "C" {
  * @ingroup APR_Util
  * @{
  */
+
+/**
+ * @defgroup apr_hook_probes Hook probe capability
+ * APR hooks provide a trace probe capability for capturing
+ * the flow of control and return values with hooks.
+ *
+ * In order to use this facility, the application must define
+ * the symbol APR_HOOK_PROBES_ENABLED and the four APR_HOOK_PROBE_
+ * macros described below before including apr_hooks.h in files
+ * that use the APR_IMPLEMENT_EXTERNAL_HOOK_* macros.
+ *
+ * This probe facility is not provided for APR optional hooks.
+ * @{
+ */
+
+#ifdef APR_HOOK_PROBES_ENABLED
+#define APR_HOOK_INT_DCL_UD void *ud = NULL
+#else
+/** internal implementation detail to avoid the ud declaration when
+ * hook probes are not used
+ */
+#define APR_HOOK_INT_DCL_UD
+/**
+ * User-defined hook probe macro that is invoked when the hook
+ * is run, before calling any hook functions.
+ * @param ud A void * user data field that should be filled in by
+ * this macro, and will be provided to the other hook probe macros.
+ * @param ns The namespace prefix of the hook functions
+ * @param name The name of the hook
+ * @param args The argument list to the hook functions, with enclosing
+ * parens.
+ */
+#define APR_HOOK_PROBE_ENTRY(ud,ns,name,args)
+/**
+ * User-defined hook probe macro that is invoked after the hook
+ * has run.
+ * @param ud A void * user data field that was filled in by the user-
+ * provided APR_HOOK_PROBE_ENTRY().
+ * @param ns The namespace prefix of the hook functions
+ * @param name The name of the hook
+ * @param rv The return value of the hook, or 0 if the hook is void.
+ * @param args The argument list to the hook functions, with enclosing
+ * parens.
+ */
+#define APR_HOOK_PROBE_RETURN(ud,ns,name,rv,args)
+/**
+ * User-defined hook probe macro that is invoked before calling a
+ * hook function.
+ * @param ud A void * user data field that was filled in by the user-
+ * provided APR_HOOK_PROBE_ENTRY().
+ * @param ns The namespace prefix of the hook functions
+ * @param name The name of the hook
+ * @param src The value of apr_hook_debug_current at the time the function
+ * was hooked (usually the source file implementing the hook function).
+ * @param args The argument list to the hook functions, with enclosing
+ * parens.
+ */
+#define APR_HOOK_PROBE_INVOKE(ud,ns,name,src,args)
+/**
+ * User-defined hook probe macro that is invoked after calling a
+ * hook function.
+ * @param ud A void * user data field that was filled in by the user-
+ * provided APR_HOOK_PROBE_ENTRY().
+ * @param ns The namespace prefix of the hook functions
+ * @param name The name of the hook
+ * @param src The value of apr_hook_debug_current at the time the function
+ * was hooked (usually the source file implementing the hook function).
+ * @param rv The return value of the hook function, or 0 if the hook is void.
+ * @param args The argument list to the hook functions, with enclosing
+ * parens.
+ */
+#define APR_HOOK_PROBE_COMPLETE(ud,ns,name,src,rv,args)
+#endif
+
+/** @} */
+
 /** macro to return the prototype of the hook function */    
 #define APR_IMPLEMENT_HOOK_GET_PROTO(ns,link,name) \
 link##_DECLARE(apr_array_header_t *) ns##_hook_get_##name(void)
@@ -106,13 +182,23 @@ link##_DECLARE(void) ns##_run_##name args_decl \
     { \
     ns##_LINK_##name##_t *pHook; \
     int n; \
+    APR_HOOK_INT_DCL_UD; \
 \
-    if(!_hooks.link_##name) \
-	return; \
+    APR_HOOK_PROBE_ENTRY(ud, ns, name, args_use); \
+\
+    if(_hooks.link_##name) \
+        { \
+        pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
+        for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
+            { \
+            APR_HOOK_PROBE_INVOKE(ud, ns, name, (char *)pHook[n].szName, args_use); \
+	    pHook[n].pFunc args_use; \
+            APR_HOOK_PROBE_COMPLETE(ud, ns, name, (char *)pHook[n].szName, 0, args_use); \
+            } \
+        } \
+\
+    APR_HOOK_PROBE_RETURN(ud, ns, name, 0, args_use); \
 \
-    pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
-    for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
-	pHook[n].pFunc args_use; \
     }
 
 /* FIXME: note that this returns ok when nothing is run. I suspect it should
@@ -139,20 +225,28 @@ link##_DECLARE(ret) ns##_run_##name args_decl \
     { \
     ns##_LINK_##name##_t *pHook; \
     int n; \
-    ret rv; \
+    ret rv = ok; \
+    APR_HOOK_INT_DCL_UD; \
 \
-    if(!_hooks.link_##name) \
-	return ok; \
+    APR_HOOK_PROBE_ENTRY(ud, ns, name, args_use); \
 \
-    pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
-    for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
-	{ \
-	rv=pHook[n].pFunc args_use; \
+    if(_hooks.link_##name) \
+        { \
+        pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
+        for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
+            { \
+            APR_HOOK_PROBE_INVOKE(ud, ns, name, (char *)pHook[n].szName, args_use); \
+            rv=pHook[n].pFunc args_use; \
+            APR_HOOK_PROBE_COMPLETE(ud, ns, name, (char *)pHook[n].szName, rv, args_use); \
+            if(rv != ok && rv != decline) \
+                break; \
+            rv = ok; \
+            } \
+        } \
 \
-	if(rv != ok && rv != decline) \
-	    return rv; \
-	} \
-    return ok; \
+    APR_HOOK_PROBE_RETURN(ud, ns, name, rv, args_use); \
+\
+    return rv; \
     }
 
 
@@ -176,20 +270,28 @@ link##_DECLARE(ret) ns##_run_##name args_decl \
     { \
     ns##_LINK_##name##_t *pHook; \
     int n; \
-    ret rv; \
+    ret rv = decline; \
+    APR_HOOK_INT_DCL_UD; \
 \
-    if(!_hooks.link_##name) \
-	return decline; \
+    APR_HOOK_PROBE_ENTRY(ud, ns, name, args_use); \
 \
-    pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
-    for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
-	{ \
-	rv=pHook[n].pFunc args_use; \
+    if(_hooks.link_##name) \
+        { \
+        pHook=(ns##_LINK_##name##_t *)_hooks.link_##name->elts; \
+        for(n=0 ; n < _hooks.link_##name->nelts ; ++n) \
+            { \
+            APR_HOOK_PROBE_INVOKE(ud, ns, name, (char *)pHook[n].szName, args_use); \
+            rv=pHook[n].pFunc args_use; \
+            APR_HOOK_PROBE_COMPLETE(ud, ns, name, (char *)pHook[n].szName, rv, args_use); \
 \
-	if(rv != decline) \
-	    return rv; \
-	} \
-    return decline; \
+            if(rv != decline) \
+                break; \
+            } \
+        } \
+\
+    APR_HOOK_PROBE_RETURN(ud, ns, name, rv, args_use); \
+\
+    return rv; \
     }
 
     /* Hook orderings */
diff --git a/srclib/apr-util/include/apr_memcache.h b/srclib/apr-util/include/apr_memcache.h
index 766c0f01..82878825 100644
--- a/srclib/apr-util/include/apr_memcache.h
+++ b/srclib/apr-util/include/apr_memcache.h
@@ -287,9 +287,6 @@ APU_DECLARE(apr_status_t) apr_memcache_multgetp(apr_memcache_t *mc,
  * @param data_size   length of data at baton
  * @param timeout time in seconds for the data to live on the server
  * @param flags any flags set by the client for this key
- * @bug timeout is not implemented
- * @bug timeouts for apr must be prototyped in apr_interval_time_t;
- * this changes in 2.0
  */
 APU_DECLARE(apr_status_t) apr_memcache_set(apr_memcache_t *mc,
                                            const char *key,
diff --git a/srclib/apr-util/include/apr_reslist.h b/srclib/apr-util/include/apr_reslist.h
index 273f7dd1..1e30a538 100644
--- a/srclib/apr-util/include/apr_reslist.h
+++ b/srclib/apr-util/include/apr_reslist.h
@@ -28,15 +28,10 @@
 #include "apr_errno.h"
 #include "apr_time.h"
 
-#if APR_HAS_THREADS
-
 /**
  * @defgroup APR_Util_RL Resource List Routines
  * @ingroup APR_Util
  * @{
- * @warning
- * <strong><em>Resource list data types and routines are only available when
- * threads are enabled (i.e. APR_HAS_THREADS is not zero).</em></strong>
  */
 
 #ifdef __cplusplus
@@ -64,6 +59,10 @@ typedef apr_status_t (*apr_reslist_constructor)(void **resource, void *params,
 typedef apr_status_t (*apr_reslist_destructor)(void *resource, void *params,
                                                apr_pool_t *pool);
 
+/* Cleanup order modes */
+#define APR_RESLIST_CLEANUP_DEFAULT  0       /**< default pool cleanup */
+#define APR_RESLIST_CLEANUP_FIRST    1       /**< use pool pre cleanup */
+
 /**
  * Create a new resource list with the following parameters:
  * @param reslist An address where the pointer to the new resource
@@ -83,15 +82,9 @@ typedef apr_status_t (*apr_reslist_destructor)(void *resource, void *params,
  * @param pool The pool from which to create this resource list. Also the
  *             same pool that is passed to the constructor and destructor
  *             routines.
- * @warning If you're creating a sub-pool of the pool passed into this
- *          function in your constructor, you will need to follow some rules
- *          when it comes to destruction of that sub-pool, as calling
- *          apr_pool_destroy() outright on it in your destructor may create
- *          double free situations. That is because by the time destructor is
- *          called, the sub-pool may have already been destroyed. This also
- *          means that in the destructor, memory from the sub-pool should be
- *          treated as invalid. For examples of how to do this correctly, see
- *          mod_dbd of Apache 2.2 and memcache support in APR Util 1.3.
+ * @remark If APR has been compiled without thread support, hmax will be
+ *         automatically set to 1 and values of min and smax will be forced to
+ *         1 for any non-zero value.
  */
 APU_DECLARE(apr_status_t) apr_reslist_create(apr_reslist_t **reslist,
                                              int min, int smax, int hmax,
@@ -151,6 +144,28 @@ APU_DECLARE(apr_uint32_t) apr_reslist_acquired_count(apr_reslist_t *reslist);
 APU_DECLARE(apr_status_t) apr_reslist_invalidate(apr_reslist_t *reslist,
                                                  void *resource);
 
+/**
+ * Perform routine maintenance on the resource list. This call
+ * may instantiate new resources or expire old resources.
+ * @param reslist The resource list.
+ */
+APU_DECLARE(apr_status_t) apr_reslist_maintain(apr_reslist_t *reslist);
+
+/**
+ * Set reslist cleanup order.
+ * @param reslist The resource list.
+ * @param mode Cleanup order mode
+ * <PRE>
+ *           APR_RESLIST_CLEANUP_DEFAULT  default pool cleanup order
+ *           APR_RESLIST_CLEANUP_FIRST    use pool pre cleanup
+ * </PRE>
+ * @remark If APR_RESLIST_CLEANUP_FIRST is used the destructors will
+ * be called before child pools of the pool used to create the reslist
+ * are destroyed. This allows to explicitly destroy the child pools
+ * inside reslist destructors.
+ */
+APU_DECLARE(void) apr_reslist_cleanup_order_set(apr_reslist_t *reslist,
+                                                apr_uint32_t mode);
 
 #ifdef __cplusplus
 }
@@ -158,6 +173,4 @@ APU_DECLARE(apr_status_t) apr_reslist_invalidate(apr_reslist_t *reslist,
 
 /** @} */
 
-#endif  /* APR_HAS_THREADS */
-
 #endif  /* ! APR_RESLIST_H */
diff --git a/srclib/apr-util/include/apu.h.in b/srclib/apr-util/include/apu.h.in
index 64c6c18b..4037094d 100644
--- a/srclib/apr-util/include/apu.h.in
+++ b/srclib/apr-util/include/apu.h.in
@@ -102,6 +102,10 @@
 #define APU_HAVE_FREETDS       @apu_have_freetds@
 #define APU_HAVE_ODBC          @apu_have_odbc@
 
+#define APU_HAVE_CRYPTO        @apu_have_crypto@
+#define APU_HAVE_OPENSSL       @apu_have_openssl@
+#define APU_HAVE_NSS           @apu_have_nss@
+
 #define APU_HAVE_APR_ICONV     @have_apr_iconv@
 #define APU_HAVE_ICONV         @have_iconv@
 #define APR_HAS_XLATE          (APU_HAVE_APR_ICONV || APU_HAVE_ICONV)
diff --git a/srclib/apr-util/include/apu.hnw b/srclib/apr-util/include/apu.hnw
index 1b8b8cf0..31c0dfb4 100644
--- a/srclib/apr-util/include/apu.hnw
+++ b/srclib/apr-util/include/apu.hnw
@@ -108,6 +108,13 @@
 #define APU_HAVE_ODBC           0
 #endif
 
+#define APU_HAVE_CRYPTO         0
+
+#ifndef APU_DSO_MODULE_BUILD
+#define APU_HAVE_OPENSSL        0
+#define APU_HAVE_NSS            0
+#endif
+
 #define APU_HAVE_APR_ICONV      0
 #define APU_HAVE_ICONV          1
 #define APR_HAS_XLATE           (APU_HAVE_APR_ICONV || APU_HAVE_ICONV)
diff --git a/srclib/apr-util/include/apu.hw b/srclib/apr-util/include/apu.hw
index febc5420..5be70de6 100644
--- a/srclib/apr-util/include/apu.hw
+++ b/srclib/apr-util/include/apu.hw
@@ -125,6 +125,13 @@
 #define APU_HAVE_ODBC           1
 #endif
 
+#define APU_HAVE_CRYPTO         0
+
+#ifndef APU_DSO_MODULE_BUILD
+#define APU_HAVE_OPENSSL        0
+#define APU_HAVE_NSS            0
+#endif
+
 #define APU_HAVE_APR_ICONV      1
 #define APU_HAVE_ICONV          0
 #define APR_HAS_XLATE           (APU_HAVE_APR_ICONV || APU_HAVE_ICONV)
diff --git a/srclib/apr-util/include/apu_errno.h b/srclib/apr-util/include/apu_errno.h
new file mode 100644
index 00000000..c0a8ec7d
--- /dev/null
+++ b/srclib/apr-util/include/apu_errno.h
@@ -0,0 +1,173 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef APU_ERRNO_H
+#define APU_ERRNO_H
+
+/**
+ * @file apu_errno.h
+ * @brief APR-Util Error Codes
+ */
+
+#include "apr.h"
+#include "apr_errno.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/**
+ * @defgroup apu_errno Error Codes
+ * @ingroup APR_Util
+ * @{
+ */
+
+/**
+ * @defgroup APR_Util_Error APR_Util Error Values
+ * <PRE>
+ * <b>APU ERROR VALUES</b>
+ * APR_ENOKEY         The key provided was empty or NULL
+ * APR_ENOIV          The initialisation vector provided was NULL
+ * APR_EKEYTYPE       The key type was not recognised
+ * APR_ENOSPACE       The buffer supplied was not big enough
+ * APR_ECRYPT         An error occurred while encrypting or decrypting
+ * APR_EPADDING       Padding was not supported
+ * APR_EKEYLENGTH     The key length was incorrect
+ * APR_ENOCIPHER      The cipher provided was not recognised
+ * APR_ENODIGEST      The digest provided was not recognised
+ * APR_ENOENGINE      The engine provided was not recognised
+ * APR_EINITENGINE    The engine could not be initialised
+ * APR_EREINIT        Underlying crypto has already been initialised
+ * </PRE>
+ *
+ * <PRE>
+ * <b>APR STATUS VALUES</b>
+ * APR_INCHILD        Program is currently executing in the child
+ * </PRE>
+ * @{
+ */
+/** @see APR_STATUS_IS_ENOKEY */
+#define APR_ENOKEY           (APR_UTIL_START_STATUS + 1)
+/** @see APR_STATUS_IS_ENOIV */
+#define APR_ENOIV            (APR_UTIL_START_STATUS + 2)
+/** @see APR_STATUS_IS_EKEYTYPE */
+#define APR_EKEYTYPE         (APR_UTIL_START_STATUS + 3)
+/** @see APR_STATUS_IS_ENOSPACE */
+#define APR_ENOSPACE         (APR_UTIL_START_STATUS + 4)
+/** @see APR_STATUS_IS_ECRYPT */
+#define APR_ECRYPT           (APR_UTIL_START_STATUS + 5)
+/** @see APR_STATUS_IS_EPADDING */
+#define APR_EPADDING         (APR_UTIL_START_STATUS + 6)
+/** @see APR_STATUS_IS_EKEYLENGTH */
+#define APR_EKEYLENGTH       (APR_UTIL_START_STATUS + 7)
+/** @see APR_STATUS_IS_ENOCIPHER */
+#define APR_ENOCIPHER        (APR_UTIL_START_STATUS + 8)
+/** @see APR_STATUS_IS_ENODIGEST */
+#define APR_ENODIGEST        (APR_UTIL_START_STATUS + 9)
+/** @see APR_STATUS_IS_ENOENGINE */
+#define APR_ENOENGINE        (APR_UTIL_START_STATUS + 10)
+/** @see APR_STATUS_IS_EINITENGINE */
+#define APR_EINITENGINE      (APR_UTIL_START_STATUS + 11)
+/** @see APR_STATUS_IS_EREINIT */
+#define APR_EREINIT          (APR_UTIL_START_STATUS + 12)
+/** @} */
+
+/**
+ * @defgroup APU_STATUS_IS Status Value Tests
+ * @warning For any particular error condition, more than one of these tests
+ *      may match. This is because platform-specific error codes may not
+ *      always match the semantics of the POSIX codes these tests (and the
+ *      corresponding APR error codes) are named after. A notable example
+ *      are the APR_STATUS_IS_ENOENT and APR_STATUS_IS_ENOTDIR tests on
+ *      Win32 platforms. The programmer should always be aware of this and
+ *      adjust the order of the tests accordingly.
+ * @{
+ */
+
+/** @} */
+
+/**
+ * @addtogroup APR_Util_Error
+ * @{
+ */
+/**
+ * The key was empty or not provided
+ */
+#define APR_STATUS_IS_ENOKEY(s)        ((s) == APR_ENOKEY)
+/**
+ * The initialisation vector was not provided
+ */
+#define APR_STATUS_IS_ENOIV(s)        ((s) == APR_ENOIV)
+/**
+ * The key type was not recognised
+ */
+#define APR_STATUS_IS_EKEYTYPE(s)        ((s) == APR_EKEYTYPE)
+/**
+ * The buffer provided was not big enough
+ */
+#define APR_STATUS_IS_ENOSPACE(s)        ((s) == APR_ENOSPACE)
+/**
+ * An error occurred while encrypting or decrypting
+ */
+#define APR_STATUS_IS_ECRYPT(s)        ((s) == APR_ECRYPT)
+/**
+ * An error occurred while padding
+ */
+#define APR_STATUS_IS_EPADDING(s)        ((s) == APR_EPADDING)
+/**
+ * An error occurred with the key length
+ */
+#define APR_STATUS_IS_EKEYLENGTH(s)        ((s) == APR_EKEYLENGTH)
+/**
+ * The cipher provided was not recognised
+ */
+#define APR_STATUS_IS_ENOCIPHER(s)        ((s) == APR_ENOCIPHER)
+/**
+ * The digest provided was not recognised
+ */
+#define APR_STATUS_IS_ENODIGEST(s)        ((s) == APR_ENODIGEST)
+/**
+ * The engine provided was not recognised
+ */
+#define APR_STATUS_IS_ENOENGINE(s)        ((s) == APR_ENOENGINE)
+/**
+ * The engine could not be initialised
+ */
+#define APR_STATUS_IS_EINITENGINE(s)        ((s) == APR_EINITENGINE)
+/**
+ * Crypto has already been initialised
+ */
+#define APR_STATUS_IS_EREINIT(s)        ((s) == APR_EREINIT)
+/** @} */
+
+/**
+ * This structure allows the underlying API error codes to be returned
+ * along with plain text error messages that explain to us mere mortals
+ * what really happened.
+ */
+typedef struct apu_err_t {
+    const char *reason;
+    const char *msg;
+    int rc;
+} apu_err_t;
+
+/** @} */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif  /* ! APU_ERRNO_H */
diff --git a/srclib/apr-util/include/apu_version.h b/srclib/apr-util/include/apu_version.h
index a11b8130..3f263fe9 100644
--- a/srclib/apr-util/include/apu_version.h
+++ b/srclib/apr-util/include/apu_version.h
@@ -53,13 +53,13 @@
  * Minor API changes that do not cause binary compatibility problems.
  * Reset to 0 when upgrading APU_MAJOR_VERSION
  */
-#define APU_MINOR_VERSION       3
+#define APU_MINOR_VERSION       4
 
 /** patch level 
  * The Patch Level never includes API changes, simply bug fixes.
  * Reset to 0 when upgrading APR_MINOR_VERSION
  */
-#define APU_PATCH_VERSION       12
+#define APU_PATCH_VERSION       1
 
 /** 
  * The symbol APU_IS_DEV_VERSION is only defined for internal,
diff --git a/srclib/apr-util/include/private/apr_crypto_internal.h b/srclib/apr-util/include/private/apr_crypto_internal.h
new file mode 100644
index 00000000..b571451a
--- /dev/null
+++ b/srclib/apr-util/include/private/apr_crypto_internal.h
@@ -0,0 +1,277 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef APR_CRYPTO_INTERNAL_H
+#define APR_CRYPTO_INTERNAL_H
+
+#include <stdarg.h>
+
+#include "apr_crypto.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if APU_HAVE_CRYPTO
+
+struct apr_crypto_driver_t {
+
+    /** name */
+    const char *name;
+
+    /**
+     * @brief: allow driver to perform once-only initialisation.
+     * Called once only.
+     * @param pool The pool to register the cleanup in.
+     * @param params Optional init parameter string.
+     * @param rc Driver-specific additional error code
+     */
+    apr_status_t (*init)(apr_pool_t *pool, const char *params, int *rc);
+
+    /**
+     * @brief Create a context for supporting encryption. Keys, certificates,
+     *        algorithms and other parameters will be set per context. More than
+     *        one context can be created at one time. A cleanup will be automatically
+     *        registered with the given pool to guarantee a graceful shutdown.
+     * @param f - context pointer will be written here
+     * @param provider - provider to use
+     * @param params - array of key parameters
+     * @param pool - process pool
+     * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE
+     * if the engine cannot be initialised.
+     */
+    apr_status_t (*make)(apr_crypto_t **f, const apr_crypto_driver_t *provider,
+            const char *params, apr_pool_t *pool);
+
+    /**
+     * @brief Get a hash table of key types, keyed by the name of the type against
+     * an integer pointer constant.
+     *
+     * @param types - hashtable of key types keyed to constants.
+     * @param f - encryption context
+     * @return APR_SUCCESS for success
+     */
+    apr_status_t (*get_block_key_types)(apr_hash_t **types,
+            const apr_crypto_t *f);
+
+    /**
+     * @brief Get a hash table of key modes, keyed by the name of the mode against
+     * an integer pointer constant.
+     *
+     * @param modes - hashtable of key modes keyed to constants.
+     * @param f - encryption context
+     * @return APR_SUCCESS for success
+     */
+    apr_status_t (*get_block_key_modes)(apr_hash_t **modes,
+            const apr_crypto_t *f);
+
+    /**
+     * @brief Create a key from the given passphrase. By default, the PBKDF2
+     *        algorithm is used to generate the key from the passphrase. It is expected
+     *        that the same pass phrase will generate the same key, regardless of the
+     *        backend crypto platform used. The key is cleaned up when the context
+     *        is cleaned, and may be reused with multiple encryption or decryption
+     *        operations.
+     * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If
+     *       *key is not NULL, *key must point at a previously created structure.
+     * @param key The key returned, see note.
+     * @param ivSize The size of the initialisation vector will be returned, based
+     *               on whether an IV is relevant for this type of crypto.
+     * @param pass The passphrase to use.
+     * @param passLen The passphrase length in bytes
+     * @param salt The salt to use.
+     * @param saltLen The salt length in bytes
+     * @param type 3DES_192, AES_128, AES_192, AES_256.
+     * @param mode Electronic Code Book / Cipher Block Chaining.
+     * @param doPad Pad if necessary.
+     * @param iterations Iteration count
+     * @param f The context to use.
+     * @param p The pool to use.
+     * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend
+     *         error occurred while generating the key. APR_ENOCIPHER if the type or mode
+     *         is not supported by the particular backend. APR_EKEYTYPE if the key type is
+     *         not known. APR_EPADDING if padding was requested but is not supported.
+     *         APR_ENOTIMPL if not implemented.
+     */
+    apr_status_t (*passphrase)(apr_crypto_key_t **key, apr_size_t *ivSize,
+            const char *pass, apr_size_t passLen, const unsigned char * salt,
+            apr_size_t saltLen, const apr_crypto_block_key_type_e type,
+            const apr_crypto_block_key_mode_e mode, const int doPad,
+            const int iterations, const apr_crypto_t *f, apr_pool_t *p);
+
+    /**
+     * @brief Initialise a context for encrypting arbitrary data using the given key.
+     * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
+     *       *ctx is not NULL, *ctx must point at a previously created structure.
+     * @param ctx The block context returned, see note.
+     * @param iv Optional initialisation vector. If the buffer pointed to is NULL,
+     *           an IV will be created at random, in space allocated from the pool.
+     *           If the buffer pointed to is not NULL, the IV in the buffer will be
+     *           used.
+     * @param key The key structure.
+     * @param blockSize The block size of the cipher.
+     * @param p The pool to use.
+     * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
+     *         Returns APR_EINIT if the backend failed to initialise the context. Returns
+     *         APR_ENOTIMPL if not implemented.
+     */
+    apr_status_t (*block_encrypt_init)(apr_crypto_block_t **ctx,
+            const unsigned char **iv, const apr_crypto_key_t *key,
+            apr_size_t *blockSize, apr_pool_t *p);
+
+    /**
+     * @brief Encrypt data provided by in, write it to out.
+     * @note The number of bytes written will be written to outlen. If
+     *       out is NULL, outlen will contain the maximum size of the
+     *       buffer needed to hold the data, including any data
+     *       generated by apr_crypto_block_encrypt_finish below. If *out points
+     *       to NULL, a buffer sufficiently large will be created from
+     *       the pool provided. If *out points to a not-NULL value, this
+     *       value will be used as a buffer instead.
+     * @param out Address of a buffer to which data will be written,
+     *        see note.
+     * @param outlen Length of the output will be written here.
+     * @param in Address of the buffer to read.
+     * @param inlen Length of the buffer to read.
+     * @param ctx The block context to use.
+     * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
+     *         not implemented.
+     */
+    apr_status_t (*block_encrypt)(unsigned char **out, apr_size_t *outlen,
+            const unsigned char *in, apr_size_t inlen, apr_crypto_block_t *ctx);
+
+    /**
+     * @brief Encrypt final data block, write it to out.
+     * @note If necessary the final block will be written out after being
+     *       padded. Typically the final block will be written to the
+     *       same buffer used by apr_crypto_block_encrypt, offset by the
+     *       number of bytes returned as actually written by the
+     *       apr_crypto_block_encrypt() call. After this call, the context
+     *       is cleaned and can be reused by apr_crypto_block_encrypt_init().
+     * @param out Address of a buffer to which data will be written. This
+     *            buffer must already exist, and is usually the same
+     *            buffer used by apr_evp_crypt(). See note.
+     * @param outlen Length of the output will be written here.
+     * @param ctx The block context to use.
+     * @return APR_ECRYPT if an error occurred.
+     * @return APR_EPADDING if padding was enabled and the block was incorrectly
+     *         formatted.
+     * @return APR_ENOTIMPL if not implemented.
+     */
+    apr_status_t (*block_encrypt_finish)(unsigned char *out,
+            apr_size_t *outlen, apr_crypto_block_t *ctx);
+
+    /**
+     * @brief Initialise a context for decrypting arbitrary data using the given key.
+     * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
+     *       *ctx is not NULL, *ctx must point at a previously created structure.
+     * @param ctx The block context returned, see note.
+     * @param blockSize The block size of the cipher.
+     * @param iv Optional initialisation vector. If the buffer pointed to is NULL,
+     *           an IV will be created at random, in space allocated from the pool.
+     *           If the buffer is not NULL, the IV in the buffer will be used.
+     * @param key The key structure.
+     * @param p The pool to use.
+     * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
+     *         Returns APR_EINIT if the backend failed to initialise the context. Returns
+     *         APR_ENOTIMPL if not implemented.
+     */
+    apr_status_t (*block_decrypt_init)(apr_crypto_block_t **ctx,
+            apr_size_t *blockSize, const unsigned char *iv,
+            const apr_crypto_key_t *key, apr_pool_t *p);
+
+    /**
+     * @brief Decrypt data provided by in, write it to out.
+     * @note The number of bytes written will be written to outlen. If
+     *       out is NULL, outlen will contain the maximum size of the
+     *       buffer needed to hold the data, including any data
+     *       generated by apr_crypto_block_decrypt_finish below. If *out points
+     *       to NULL, a buffer sufficiently large will be created from
+     *       the pool provided. If *out points to a not-NULL value, this
+     *       value will be used as a buffer instead.
+     * @param out Address of a buffer to which data will be written,
+     *        see note.
+     * @param outlen Length of the output will be written here.
+     * @param in Address of the buffer to read.
+     * @param inlen Length of the buffer to read.
+     * @param ctx The block context to use.
+     * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
+     *         not implemented.
+     */
+    apr_status_t (*block_decrypt)(unsigned char **out, apr_size_t *outlen,
+            const unsigned char *in, apr_size_t inlen, apr_crypto_block_t *ctx);
+
+    /**
+     * @brief Decrypt final data block, write it to out.
+     * @note If necessary the final block will be written out after being
+     *       padded. Typically the final block will be written to the
+     *       same buffer used by apr_crypto_block_decrypt, offset by the
+     *       number of bytes returned as actually written by the
+     *       apr_crypto_block_decrypt() call. After this call, the context
+     *       is cleaned and can be reused by apr_crypto_block_decrypt_init().
+     * @param out Address of a buffer to which data will be written. This
+     *            buffer must already exist, and is usually the same
+     *            buffer used by apr_evp_crypt(). See note.
+     * @param outlen Length of the output will be written here.
+     * @param ctx The block context to use.
+     * @return APR_ECRYPT if an error occurred.
+     * @return APR_EPADDING if padding was enabled and the block was incorrectly
+     *         formatted.
+     * @return APR_ENOTIMPL if not implemented.
+     */
+    apr_status_t (*block_decrypt_finish)(unsigned char *out,
+            apr_size_t *outlen, apr_crypto_block_t *ctx);
+
+    /**
+     * @brief Clean encryption / decryption context.
+     * @note After cleanup, a context is free to be reused if necessary.
+     * @param ctx The block context to use.
+     * @return Returns APR_ENOTIMPL if not supported.
+     */
+    apr_status_t (*block_cleanup)(apr_crypto_block_t *ctx);
+
+    /**
+     * @brief Clean encryption / decryption context.
+     * @note After cleanup, a context is free to be reused if necessary.
+     * @param f The context to use.
+     * @return Returns APR_ENOTIMPL if not supported.
+     */
+    apr_status_t (*cleanup)(apr_crypto_t *f);
+
+    /**
+     * @brief Clean encryption / decryption context.
+     * @note After cleanup, a context is free to be reused if necessary.
+     * @return Returns APR_ENOTIMPL if not supported.
+     */
+    apr_status_t (*shutdown)(void);
+
+    /**
+     * @brief: fetch the most recent error from this driver.
+     * @param result - the result structure
+     * @param f - context pointer
+     * @return APR_SUCCESS for success.
+     */
+    apr_status_t (*error)(const apu_err_t **result, const apr_crypto_t *f);
+
+};
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/srclib/apr-util/include/private/apu_config.h.in b/srclib/apr-util/include/private/apu_config.h.in
index 59274174..4d39f8a0 100644
--- a/srclib/apr-util/include/private/apu_config.h.in
+++ b/srclib/apr-util/include/private/apu_config.h.in
@@ -12,6 +12,9 @@
 /* Define if the inbuf parm to iconv() is const char ** */
 #undef APU_ICONV_INBUF_CONST
 
+/* Define that OpenSSL uses const buffers */
+#undef CRYPTO_OPENSSL_CONST_BUFFERS
+
 /* Define if crypt_r has uses CRYPTD */
 #undef CRYPT_R_CRYPTD
 
@@ -24,6 +27,10 @@
 /* Define to 1 if you have the `crypt_r' function. */
 #undef HAVE_CRYPT_R
 
+/* Define to 1 if you have the declaration of `EVP_PKEY_CTX_new', and to 0 if
+   you don't. */
+#undef HAVE_DECL_EVP_PKEY_CTX_NEW
+
 /* Define if expat.h is available */
 #undef HAVE_EXPAT_H
 
@@ -75,15 +82,33 @@
 /* Define to 1 if you have the `nl_langinfo' function. */
 #undef HAVE_NL_LANGINFO
 
+/* Define to 1 if you have the <nss.h> header file. */
+#undef HAVE_NSS_H
+
+/* Define to 1 if you have the <nss/nss.h> header file. */
+#undef HAVE_NSS_NSS_H
+
+/* Define to 1 if you have the <nss/pk11pub.h> header file. */
+#undef HAVE_NSS_PK11PUB_H
+
 /* Define to 1 if you have the <oci.h> header file. */
 #undef HAVE_OCI_H
 
 /* Define to 1 if you have the <odbc/sql.h> header file. */
 #undef HAVE_ODBC_SQL_H
 
+/* Define to 1 if you have the <openssl/x509.h> header file. */
+#undef HAVE_OPENSSL_X509_H
+
+/* Define to 1 if you have the <pk11pub.h> header file. */
+#undef HAVE_PK11PUB_H
+
 /* Define to 1 if you have the <postgresql/libpq-fe.h> header file. */
 #undef HAVE_POSTGRESQL_LIBPQ_FE_H
 
+/* Define to 1 if you have the <prerror.h> header file. */
+#undef HAVE_PRERROR_H
+
 /* Define to 1 if you have the <sqlite3.h> header file. */
 #undef HAVE_SQLITE3_H
 
diff --git a/srclib/apr-util/include/private/apu_internal.h b/srclib/apr-util/include/private/apu_internal.h
index c23498e1..c95c9d50 100644
--- a/srclib/apr-util/include/private/apu_internal.h
+++ b/srclib/apr-util/include/private/apu_internal.h
@@ -31,13 +31,13 @@ extern "C" {
  * continue to initialize modules by multiple threads, the caller
  * of apu_dso_load must lock first, and not unlock until any init
  * finalization is complete.
- */ 
+ */
 apr_status_t apu_dso_init(apr_pool_t *pool);
 
 apr_status_t apu_dso_mutex_lock(void);
 apr_status_t apu_dso_mutex_unlock(void);
 
-apr_status_t apu_dso_load(apr_dso_handle_sym_t *dsoptr, const char *module,
+apr_status_t apu_dso_load(apr_dso_handle_t **dso, apr_dso_handle_sym_t *dsoptr, const char *module,
                           const char *modsym, apr_pool_t *pool);
 
 #if APR_HAS_LDAP