On Wed, Nov 22, 2017 at 07:24:08PM +0000, David CARLIER wrote: > On 22 November 2017 at 16:28, Giovanni Bechis <[email protected]> wrote: > > > On Sat, Nov 04, 2017 at 09:13:43AM +0000, David CARLIER wrote: > > > Hi, > > > > > > here a proposal to update to 2.4.29, removing some patches LIBRESSL's > > > related pushed upstream in the process. > > > > > not all of them has been pushed, ad least mod_ssl.c is missing one, > > I haven't looked at all patches yet. > > > > > You sure ? For example in this version > yep: ---------------------------------------------------------------------- $ cd $(make show=WRKSRC) $ grep -nHA4 OPENSSL_VERSION_NUMBER modules/ssl/mod_ssl.c modules/ssl/mod_ssl.c:340:#if OPENSSL_VERSION_NUMBER >= 0x1000200fL modules/ssl/mod_ssl.c-341-#ifndef OPENSSL_NO_COMP modules/ssl/mod_ssl.c-342- SSL_COMP_free_compression_methods(); modules/ssl/mod_ssl.c-343-#endif modules/ssl/mod_ssl.c-344-#endif modules/ssl/mod_ssl.c:348:#if OPENSSL_VERSION_NUMBER >= 0x1000000fL modules/ssl/mod_ssl.c-349- ERR_remove_thread_state(NULL); modules/ssl/mod_ssl.c-350-#else modules/ssl/mod_ssl.c-351- ERR_remove_state(0); modules/ssl/mod_ssl.c-352-#endif modules/ssl/mod_ssl.c:358:#if (OPENSSL_VERSION_NUMBER >= 0x00090805f) modules/ssl/mod_ssl.c-359- ERR_free_strings(); modules/ssl/mod_ssl.c-360-#endif modules/ssl/mod_ssl.c-361- modules/ssl/mod_ssl.c-362- /* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here; ---------------------------------------------------------------------- At least the first part of mod_ssl patch is needed.
Cheers
Giovanni
> mod_ssl.c
>
> #if MODSSL_USE_OPENSSL_PRE_1_1_API
>
> (void)CRYPTO_malloc_init();
>
> #else
>
> OPENSSL_malloc_init();
>
> #endif
>
>
>
> e.g. in ssl_private.h is
>
> ...
>
> #if defined(LIBRESSL_VERSION_NUMBER)
>
> /* Missing from LibreSSL */
>
> #if LIBRESSL_VERSION_NUMBER < 0x2060000f
>
> #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
>
> #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
>
> #define SSL_CTX_set_min_proto_version(ctx, version) \
>
> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
>
> #define SSL_CTX_set_max_proto_version(ctx, version) \
>
> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
>
> #endif
>
> /* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
>
> * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...),
> so
>
> * we have to work around this...
>
> */
>
> #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
>
> #else
>
> #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L
> )
>
> #endif
>
> ...
>
>
>
> > > Hope it is good.
> > >
> > > Kind regards.
> >
> > > Index: Makefile
> > > ===================================================================
> > > RCS file: /cvs/ports/www/apache-httpd/Makefile,v
> > > retrieving revision 1.85
> > > diff -u -p -r1.85 Makefile
> > > --- Makefile 18 Sep 2017 19:25:38 -0000 1.85
> > > +++ Makefile 4 Nov 2017 09:10:58 -0000
> > > @@ -3,8 +3,7 @@
> > > COMMENT-main= apache HTTP server
> > [...]
> > > share/doc/apache2/mod/prefork.html.en
> > > @@ -1453,4 +1455,3 @@ share/examples/apache2/htdocs/
> > > share/examples/apache2/htdocs/index.html
> > > @sample /var/www/htdocs/index.html
> > > %%ldap%%
> > > -@rcscript ${RCDIR}/apache2
> > you should not remove the rcscript
> >
> >
> Good point . Corrected.
>
>
>
> > Cheers
> > Giovanni
> >
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/Makefile,v
> retrieving revision 1.85
> diff -u -p -r1.85 Makefile
> --- Makefile 18 Sep 2017 19:25:38 -0000 1.85
> +++ Makefile 22 Nov 2017 19:15:11 -0000
> @@ -3,8 +3,7 @@
> COMMENT-main= apache HTTP server
> COMMENT-common= /var/www files for Apache HTTPd
>
> -V= 2.4.27
> -REVISION-main= 0
> +V= 2.4.29
> DISTNAME= httpd-${V}
> PKGNAME= apache-httpd-${V}
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/distinfo,v
> retrieving revision 1.26
> diff -u -p -r1.26 distinfo
> --- distinfo 14 Jul 2017 17:14:33 -0000 1.26
> +++ distinfo 22 Nov 2017 19:15:11 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (httpd-2.4.27.tar.gz) = NG3T0BauXXEBAW5ogFFQvc6QQKjSRsKJqnDminzYa2Y=
> -SIZE (httpd-2.4.27.tar.gz) = 8603417
> +SHA256 (httpd-2.4.29.tar.gz) = lI5KESeKWVRpi4gLMPQBsemrdDcT7ixygKVN1N3YcIU=
> +SIZE (httpd-2.4.29.tar.gz) = 8638793
> Index: patches/patch-modules_ssl_mod_ssl_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_mod_ssl_c
> diff -N patches/patch-modules_ssl_mod_ssl_c
> --- patches/patch-modules_ssl_mod_ssl_c 14 Jul 2017 17:04:12 -0000
> 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_mod_ssl_c,v 1.3 2017/07/14 17:04:12 sthen Exp $
> -
> -Index: modules/ssl/mod_ssl.c
> ---- modules/ssl/mod_ssl.c.orig
> -+++ modules/ssl/mod_ssl.c
> -@@ -337,7 +337,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
> - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> - ENGINE_cleanup();
> - #endif
> --#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
> -+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - SSL_COMP_free_compression_methods();
> - #endif
> -
> -@@ -390,7 +390,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
> - /* We must register the library in full, to ensure our configuration
> - * code can successfully test the SSL environment.
> - */
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - CRYPTO_malloc_init();
> - #else
> - OPENSSL_malloc_init();
> Index: patches/patch-modules_ssl_ssl_engine_init_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_init_c
> diff -N patches/patch-modules_ssl_ssl_engine_init_c
> --- patches/patch-modules_ssl_ssl_engine_init_c 14 Jul 2017 17:04:12
> -0000 1.9
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,50 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_init_c,v 1.9 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_init.c
> ---- modules/ssl/ssl_engine_init.c.orig
> -+++ modules/ssl/ssl_engine_init.c
> -@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, ini
> - #define KEYTYPES "RSA or DSA"
> - #endif
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - /* OpenSSL Pre-1.1.0 compatibility */
> - /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
> - static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
> -@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t
> - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request
> time */
> -
> - init_dh_params();
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - init_bio_methods();
> - #endif
> -
> -@@ -513,7 +513,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
> - char *cp;
> - int protocol = mctx->protocol;
> - SSLSrvConfigRec *sc = mySrvConfig(s);
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - int prot;
> - #endif
> -
> -@@ -583,7 +583,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
> -
> - SSL_CTX_set_options(ctx, SSL_OP_ALL);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - /* always disable SSLv2, as per RFC 6176 */
> - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
> -
> -@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *data)
> -
> - }
> -
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - free_bio_methods();
> - #endif
> - free_dh_params();
> Index: patches/patch-modules_ssl_ssl_engine_io_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_io_c
> diff -N patches/patch-modules_ssl_ssl_engine_io_c
> --- patches/patch-modules_ssl_ssl_engine_io_c 14 Jul 2017 17:04:12 -0000
> 1.5
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,32 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_io_c,v 1.5 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_engine_io.c
> ---- modules/ssl/ssl_engine_io.c.orig
> -+++ modules/ssl/ssl_engine_io.c
> -@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio, int cmd, long
> - return -1;
> - }
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> -
> - static BIO_METHOD bio_filter_out_method = {
> - BIO_TYPE_MEM,
> -@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *
> -
> - filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r,
> c);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
> - #else
> - filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
> -@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, S
> - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
> - filter_ctx, r, c);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
> - #else
> - filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
> Index: patches/patch-modules_ssl_ssl_engine_kernel_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_kernel_c
> diff -N patches/patch-modules_ssl_ssl_engine_kernel_c
> --- patches/patch-modules_ssl_ssl_engine_kernel_c 14 Jul 2017 17:04:12
> -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_kernel_c,v 1.1 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_kernel.c
> ---- modules/ssl/ssl_engine_kernel.c.orig
> -+++ modules/ssl/ssl_engine_kernel.c
> -@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_rec *c,
> - * so we need to increment here to prevent them from
> - * being freed.
> - */
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define modssl_set_cert_info(info, cert, pkey) \
> - *cert = info->x509; \
> - CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
> -@@ -1923,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SE
> - * of our other Apache pre-forked server processes.
> - */
> - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
> -- IDCONST unsigned char *id,
> -+ unsigned char *id,
> - int idlen, int *do_copy)
> - {
> - /* Get Apache context back through OpenSSL context */
> Index: patches/patch-modules_ssl_ssl_engine_vars_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_vars_c
> diff -N patches/patch-modules_ssl_ssl_engine_vars_c
> --- patches/patch-modules_ssl_ssl_engine_vars_c 14 Jul 2017 17:04:12
> -0000 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_vars_c,v 1.3 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_vars.c
> ---- modules/ssl/ssl_engine_vars.c.orig
> -+++ modules/ssl/ssl_engine_vars.c
> -@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
> - resdup = FALSE;
> - }
> - else if (strcEQ(var, "A_SIG")) {
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - nid = OBJ_obj2nid((ASN1_OBJECT
> *)(xs->cert_info->signature->algorithm));
> - #else
> - const ASN1_OBJECT *paobj;
> -@@ -541,7 +541,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
> - resdup = FALSE;
> - }
> - else if (strcEQ(var, "A_KEY")) {
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - nid = OBJ_obj2nid((ASN1_OBJECT
> *)(xs->cert_info->key->algor->algorithm));
> - #else
> - ASN1_OBJECT *paobj;
> Index: patches/patch-modules_ssl_ssl_private_h
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_private_h
> diff -N patches/patch-modules_ssl_ssl_private_h
> --- patches/patch-modules_ssl_ssl_private_h 14 Jul 2017 17:04:12 -0000
> 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,32 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_private_h,v 1.3 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_private.h
> ---- modules/ssl/ssl_private.h.orig
> -+++ modules/ssl/ssl_private.h
> -@@ -199,7 +199,7 @@
> -
> - #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
> */
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
> - #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
> - #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
> -@@ -219,7 +219,7 @@ void init_bio_methods(void);
> - void free_bio_methods(void);
> - #endif
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10002000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define X509_STORE_CTX_get0_store(x) (x->ctx)
> - #endif
> -
> -@@ -861,7 +861,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CT
> - int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
> - int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY
> **pkey);
> - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
> --SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char
> *, int, int *);
> -+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int,
> int *);
> - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
> - void ssl_callback_Info(const SSL *, int, int);
> - #ifdef HAVE_TLSEXT
> Index: patches/patch-modules_ssl_ssl_util_ssl_h
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_util_ssl_h
> diff -N patches/patch-modules_ssl_ssl_util_ssl_h
> --- patches/patch-modules_ssl_ssl_util_ssl_h 14 Jul 2017 17:04:12 -0000
> 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,14 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_util_ssl_h,v 1.3 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_util_ssl.h
> ---- modules/ssl/ssl_util_ssl.h.orig
> -+++ modules/ssl/ssl_util_ssl.h
> -@@ -41,7 +41,7 @@
> - #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
> - #define MODSSL_LIBRARY_NAME "OpenSSL"
> - #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
> - #else
> - #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
> Index: patches/patch-server_core_c
> ===================================================================
> RCS file: patches/patch-server_core_c
> diff -N patches/patch-server_core_c
> --- patches/patch-server_core_c 18 Sep 2017 19:25:38 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,30 +0,0 @@
> -$OpenBSD: patch-server_core_c,v 1.1 2017/09/18 19:25:38 sthen Exp $
> -
> -Revision 1807754
> -Fri Sep 8 13:13:11 2017 UTC by ylavic
> -Merge r1807655 from trunk:
> -
> -core: Disallow Methods' registration at run time (.htaccess), they may be
> -used only if registered at init time (httpd.conf).
> -
> -Calling ap_method_register() in children processes is not the right scope
> -since it won't be shared for all requests.
> -
> -Reviewed by: ylavic, covener, icing
> -
> -Index: server/core.c
> ---- server/core.c.orig
> -+++ server/core.c
> -@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(
> - /* method has not been registered yet, but resource restriction
> - * is always checked before method handling, so register it.
> - */
> -+ if (cmd->pool == cmd->temp_pool) {
> -+ /* In .htaccess, we can't globally register new methods. */
> -+ return apr_psprintf(cmd->pool, "Could not register method
> '%s' "
> -+ "for %s from .htaccess configuration",
> -+ method, cmd->cmd->name);
> -+ }
> - methnum = ap_method_register(cmd->pool,
> - apr_pstrdup(cmd->pool, method));
> - }
> Index: pkg/PLIST-main
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v
> retrieving revision 1.16
> diff -u -p -r1.16 PLIST-main
> --- pkg/PLIST-main 14 Jul 2017 17:04:12 -0000 1.16
> +++ pkg/PLIST-main 22 Nov 2017 19:15:11 -0000
> @@ -1008,6 +1008,8 @@ share/doc/apache2/mod/mpm_winnt.html.ja.
> share/doc/apache2/mod/mpmt_os2.html
> share/doc/apache2/mod/mpmt_os2.html.en
> share/doc/apache2/mod/mpmt_os2.html.fr
> +share/doc/apache2/mod/overrides.html
> +share/doc/apache2/mod/overrides.html.en
> share/doc/apache2/mod/prefork.html
> share/doc/apache2/mod/prefork.html.de
> share/doc/apache2/mod/prefork.html.en
signature.asc
Description: PGP signature
