On 22 November 2017 at 16:28, Giovanni Bechis <[email protected]> wrote:
> On Sat, Nov 04, 2017 at 09:13:43AM +0000, David CARLIER wrote:
> > Hi,
> >
> > here a proposal to update to 2.4.29, removing some patches LIBRESSL's
> > related pushed upstream in the process.
> >
> not all of them has been pushed, ad least mod_ssl.c is missing one,
> I haven't looked at all patches yet.
>
>
You sure ? For example in this version
mod_ssl.c
#if MODSSL_USE_OPENSSL_PRE_1_1_API
(void)CRYPTO_malloc_init();
#else
OPENSSL_malloc_init();
#endif
e.g. in ssl_private.h is
...
#if defined(LIBRESSL_VERSION_NUMBER)
/* Missing from LibreSSL */
#if LIBRESSL_VERSION_NUMBER < 0x2060000f
#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
#define SSL_CTX_set_min_proto_version(ctx, version) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
#define SSL_CTX_set_max_proto_version(ctx, version) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
#endif
/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
* changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...),
so
* we have to work around this...
*/
#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
#else
#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L
)
#endif
...
> > Hope it is good.
> >
> > Kind regards.
>
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/www/apache-httpd/Makefile,v
> > retrieving revision 1.85
> > diff -u -p -r1.85 Makefile
> > --- Makefile 18 Sep 2017 19:25:38 -0000 1.85
> > +++ Makefile 4 Nov 2017 09:10:58 -0000
> > @@ -3,8 +3,7 @@
> > COMMENT-main= apache HTTP server
> [...]
> > share/doc/apache2/mod/prefork.html.en
> > @@ -1453,4 +1455,3 @@ share/examples/apache2/htdocs/
> > share/examples/apache2/htdocs/index.html
> > @sample /var/www/htdocs/index.html
> > %%ldap%%
> > -@rcscript ${RCDIR}/apache2
> you should not remove the rcscript
>
>
Good point . Corrected.
> Cheers
> Giovanni
>
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.85
diff -u -p -r1.85 Makefile
--- Makefile 18 Sep 2017 19:25:38 -0000 1.85
+++ Makefile 22 Nov 2017 19:15:11 -0000
@@ -3,8 +3,7 @@
COMMENT-main= apache HTTP server
COMMENT-common= /var/www files for Apache HTTPd
-V= 2.4.27
-REVISION-main= 0
+V= 2.4.29
DISTNAME= httpd-${V}
PKGNAME= apache-httpd-${V}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/apache-httpd/distinfo,v
retrieving revision 1.26
diff -u -p -r1.26 distinfo
--- distinfo 14 Jul 2017 17:14:33 -0000 1.26
+++ distinfo 22 Nov 2017 19:15:11 -0000
@@ -1,2 +1,2 @@
-SHA256 (httpd-2.4.27.tar.gz) = NG3T0BauXXEBAW5ogFFQvc6QQKjSRsKJqnDminzYa2Y=
-SIZE (httpd-2.4.27.tar.gz) = 8603417
+SHA256 (httpd-2.4.29.tar.gz) = lI5KESeKWVRpi4gLMPQBsemrdDcT7ixygKVN1N3YcIU=
+SIZE (httpd-2.4.29.tar.gz) = 8638793
Index: patches/patch-modules_ssl_mod_ssl_c
===================================================================
RCS file: patches/patch-modules_ssl_mod_ssl_c
diff -N patches/patch-modules_ssl_mod_ssl_c
--- patches/patch-modules_ssl_mod_ssl_c 14 Jul 2017 17:04:12 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-$OpenBSD: patch-modules_ssl_mod_ssl_c,v 1.3 2017/07/14 17:04:12 sthen Exp $
-
-Index: modules/ssl/mod_ssl.c
---- modules/ssl/mod_ssl.c.orig
-+++ modules/ssl/mod_ssl.c
-@@ -337,7 +337,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_cleanup();
- #endif
--#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_COMP_free_compression_methods();
- #endif
-
-@@ -390,7 +390,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- CRYPTO_malloc_init();
- #else
- OPENSSL_malloc_init();
Index: patches/patch-modules_ssl_ssl_engine_init_c
===================================================================
RCS file: patches/patch-modules_ssl_ssl_engine_init_c
diff -N patches/patch-modules_ssl_ssl_engine_init_c
--- patches/patch-modules_ssl_ssl_engine_init_c 14 Jul 2017 17:04:12 -0000
1.9
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,50 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_engine_init_c,v 1.9 2017/07/14 17:04:12 sthen
Exp $
-
-Index: modules/ssl/ssl_engine_init.c
---- modules/ssl/ssl_engine_init.c.orig
-+++ modules/ssl/ssl_engine_init.c
-@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, ini
- #define KEYTYPES "RSA or DSA"
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL Pre-1.1.0 compatibility */
- /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
- static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t
- modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request
time */
-
- init_dh_params();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- init_bio_methods();
- #endif
-
-@@ -513,7 +513,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
- char *cp;
- int protocol = mctx->protocol;
- SSLSrvConfigRec *sc = mySrvConfig(s);
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- int prot;
- #endif
-
-@@ -583,7 +583,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
-
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* always disable SSLv2, as per RFC 6176 */
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-
-@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *data)
-
- }
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- free_bio_methods();
- #endif
- free_dh_params();
Index: patches/patch-modules_ssl_ssl_engine_io_c
===================================================================
RCS file: patches/patch-modules_ssl_ssl_engine_io_c
diff -N patches/patch-modules_ssl_ssl_engine_io_c
--- patches/patch-modules_ssl_ssl_engine_io_c 14 Jul 2017 17:04:12 -0000
1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,32 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_engine_io_c,v 1.5 2017/07/14 17:04:12 sthen
Exp $
-
-Index: modules/ssl/ssl_engine_io.c
---- modules/ssl/ssl_engine_io.c.orig
-+++ modules/ssl/ssl_engine_io.c
-@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio, int cmd, long
- return -1;
- }
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-
- static BIO_METHOD bio_filter_out_method = {
- BIO_TYPE_MEM,
-@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *
-
- filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r,
c);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
- #else
- filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
-@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, S
- filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
- filter_ctx, r, c);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
- #else
- filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
Index: patches/patch-modules_ssl_ssl_engine_kernel_c
===================================================================
RCS file: patches/patch-modules_ssl_ssl_engine_kernel_c
diff -N patches/patch-modules_ssl_ssl_engine_kernel_c
--- patches/patch-modules_ssl_ssl_engine_kernel_c 14 Jul 2017 17:04:12
-0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_engine_kernel_c,v 1.1 2017/07/14 17:04:12
sthen Exp $
-
-Index: modules/ssl/ssl_engine_kernel.c
---- modules/ssl/ssl_engine_kernel.c.orig
-+++ modules/ssl/ssl_engine_kernel.c
-@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_rec *c,
- * so we need to increment here to prevent them from
- * being freed.
- */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define modssl_set_cert_info(info, cert, pkey) \
- *cert = info->x509; \
- CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
-@@ -1923,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SE
- * of our other Apache pre-forked server processes.
- */
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
-- IDCONST unsigned char *id,
-+ unsigned char *id,
- int idlen, int *do_copy)
- {
- /* Get Apache context back through OpenSSL context */
Index: patches/patch-modules_ssl_ssl_engine_vars_c
===================================================================
RCS file: patches/patch-modules_ssl_ssl_engine_vars_c
diff -N patches/patch-modules_ssl_ssl_engine_vars_c
--- patches/patch-modules_ssl_ssl_engine_vars_c 14 Jul 2017 17:04:12 -0000
1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_engine_vars_c,v 1.3 2017/07/14 17:04:12 sthen
Exp $
-
-Index: modules/ssl/ssl_engine_vars.c
---- modules/ssl/ssl_engine_vars.c.orig
-+++ modules/ssl/ssl_engine_vars.c
-@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
- resdup = FALSE;
- }
- else if (strcEQ(var, "A_SIG")) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- nid = OBJ_obj2nid((ASN1_OBJECT
*)(xs->cert_info->signature->algorithm));
- #else
- const ASN1_OBJECT *paobj;
-@@ -541,7 +541,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
- resdup = FALSE;
- }
- else if (strcEQ(var, "A_KEY")) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- nid = OBJ_obj2nid((ASN1_OBJECT
*)(xs->cert_info->key->algor->algorithm));
- #else
- ASN1_OBJECT *paobj;
Index: patches/patch-modules_ssl_ssl_private_h
===================================================================
RCS file: patches/patch-modules_ssl_ssl_private_h
diff -N patches/patch-modules_ssl_ssl_private_h
--- patches/patch-modules_ssl_ssl_private_h 14 Jul 2017 17:04:12 -0000
1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,32 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_private_h,v 1.3 2017/07/14 17:04:12 sthen Exp $
-
-Index: modules/ssl/ssl_private.h
---- modules/ssl/ssl_private.h.orig
-+++ modules/ssl/ssl_private.h
-@@ -199,7 +199,7 @@
-
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
- #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
- #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
-@@ -219,7 +219,7 @@ void init_bio_methods(void);
- void free_bio_methods(void);
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
- #define X509_STORE_CTX_get0_store(x) (x->ctx)
- #endif
-
-@@ -861,7 +861,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CT
- int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
- int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
- int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
--SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char
*, int, int *);
-+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int,
int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
- void ssl_callback_Info(const SSL *, int, int);
- #ifdef HAVE_TLSEXT
Index: patches/patch-modules_ssl_ssl_util_ssl_h
===================================================================
RCS file: patches/patch-modules_ssl_ssl_util_ssl_h
diff -N patches/patch-modules_ssl_ssl_util_ssl_h
--- patches/patch-modules_ssl_ssl_util_ssl_h 14 Jul 2017 17:04:12 -0000
1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-$OpenBSD: patch-modules_ssl_ssl_util_ssl_h,v 1.3 2017/07/14 17:04:12 sthen Exp
$
-
-Index: modules/ssl/ssl_util_ssl.h
---- modules/ssl/ssl_util_ssl.h.orig
-+++ modules/ssl/ssl_util_ssl.h
-@@ -41,7 +41,7 @@
- #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
- #define MODSSL_LIBRARY_NAME "OpenSSL"
- #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
- #else
- #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
Index: patches/patch-server_core_c
===================================================================
RCS file: patches/patch-server_core_c
diff -N patches/patch-server_core_c
--- patches/patch-server_core_c 18 Sep 2017 19:25:38 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,30 +0,0 @@
-$OpenBSD: patch-server_core_c,v 1.1 2017/09/18 19:25:38 sthen Exp $
-
-Revision 1807754
-Fri Sep 8 13:13:11 2017 UTC by ylavic
-Merge r1807655 from trunk:
-
-core: Disallow Methods' registration at run time (.htaccess), they may be
-used only if registered at init time (httpd.conf).
-
-Calling ap_method_register() in children processes is not the right scope
-since it won't be shared for all requests.
-
-Reviewed by: ylavic, covener, icing
-
-Index: server/core.c
---- server/core.c.orig
-+++ server/core.c
-@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(
- /* method has not been registered yet, but resource restriction
- * is always checked before method handling, so register it.
- */
-+ if (cmd->pool == cmd->temp_pool) {
-+ /* In .htaccess, we can't globally register new methods. */
-+ return apr_psprintf(cmd->pool, "Could not register method
'%s' "
-+ "for %s from .htaccess configuration",
-+ method, cmd->cmd->name);
-+ }
- methnum = ap_method_register(cmd->pool,
- apr_pstrdup(cmd->pool, method));
- }
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v
retrieving revision 1.16
diff -u -p -r1.16 PLIST-main
--- pkg/PLIST-main 14 Jul 2017 17:04:12 -0000 1.16
+++ pkg/PLIST-main 22 Nov 2017 19:15:11 -0000
@@ -1008,6 +1008,8 @@ share/doc/apache2/mod/mpm_winnt.html.ja.
share/doc/apache2/mod/mpmt_os2.html
share/doc/apache2/mod/mpmt_os2.html.en
share/doc/apache2/mod/mpmt_os2.html.fr
+share/doc/apache2/mod/overrides.html
+share/doc/apache2/mod/overrides.html.en
share/doc/apache2/mod/prefork.html
share/doc/apache2/mod/prefork.html.de
share/doc/apache2/mod/prefork.html.en
