On Wed, Nov 22, 2017 at 07:24:08PM +0000, David CARLIER wrote: > On 22 November 2017 at 16:28, Giovanni Bechis <giova...@paclan.it> wrote: > > > On Sat, Nov 04, 2017 at 09:13:43AM +0000, David CARLIER wrote: > > > Hi, > > > > > > here a proposal to update to 2.4.29, removing some patches LIBRESSL's > > > related pushed upstream in the process. > > > > > not all of them has been pushed, ad least mod_ssl.c is missing one, > > I haven't looked at all patches yet. > > > > > You sure ? For example in this version > yep: ---------------------------------------------------------------------- $ cd $(make show=WRKSRC) $ grep -nHA4 OPENSSL_VERSION_NUMBER modules/ssl/mod_ssl.c modules/ssl/mod_ssl.c:340:#if OPENSSL_VERSION_NUMBER >= 0x1000200fL modules/ssl/mod_ssl.c-341-#ifndef OPENSSL_NO_COMP modules/ssl/mod_ssl.c-342- SSL_COMP_free_compression_methods(); modules/ssl/mod_ssl.c-343-#endif modules/ssl/mod_ssl.c-344-#endif modules/ssl/mod_ssl.c:348:#if OPENSSL_VERSION_NUMBER >= 0x1000000fL modules/ssl/mod_ssl.c-349- ERR_remove_thread_state(NULL); modules/ssl/mod_ssl.c-350-#else modules/ssl/mod_ssl.c-351- ERR_remove_state(0); modules/ssl/mod_ssl.c-352-#endif modules/ssl/mod_ssl.c:358:#if (OPENSSL_VERSION_NUMBER >= 0x00090805f) modules/ssl/mod_ssl.c-359- ERR_free_strings(); modules/ssl/mod_ssl.c-360-#endif modules/ssl/mod_ssl.c-361- modules/ssl/mod_ssl.c-362- /* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here; ---------------------------------------------------------------------- At least the first part of mod_ssl patch is needed.
Cheers Giovanni > mod_ssl.c > > #if MODSSL_USE_OPENSSL_PRE_1_1_API > > (void)CRYPTO_malloc_init(); > > #else > > OPENSSL_malloc_init(); > > #endif > > > > e.g. in ssl_private.h is > > ... > > #if defined(LIBRESSL_VERSION_NUMBER) > > /* Missing from LibreSSL */ > > #if LIBRESSL_VERSION_NUMBER < 0x2060000f > > #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 > > #define SSL_CTRL_SET_MAX_PROTO_VERSION 124 > > #define SSL_CTX_set_min_proto_version(ctx, version) \ > > SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) > > #define SSL_CTX_set_max_proto_version(ctx, version) \ > > SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) > > #endif > > /* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most > > * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), > so > > * we have to work around this... > > */ > > #define MODSSL_USE_OPENSSL_PRE_1_1_API (1) > > #else > > #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L > ) > > #endif > > ... > > > > > > Hope it is good. > > > > > > Kind regards. > > > > > Index: Makefile > > > =================================================================== > > > RCS file: /cvs/ports/www/apache-httpd/Makefile,v > > > retrieving revision 1.85 > > > diff -u -p -r1.85 Makefile > > > --- Makefile 18 Sep 2017 19:25:38 -0000 1.85 > > > +++ Makefile 4 Nov 2017 09:10:58 -0000 > > > @@ -3,8 +3,7 @@ > > > COMMENT-main= apache HTTP server > > [...] > > > share/doc/apache2/mod/prefork.html.en 
> > > @@ -1453,4 +1455,3 @@ share/examples/apache2/htdocs/ > > > share/examples/apache2/htdocs/index.html > > > @sample /var/www/htdocs/index.html > > > %%ldap%% > > > -@rcscript ${RCDIR}/apache2 > > you should not remove the rcscript > > > > > Good point . Corrected. > > > > > Cheers > > Giovanni > > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/www/apache-httpd/Makefile,v > retrieving revision 1.85 > diff -u -p -r1.85 Makefile > --- Makefile 18 Sep 2017 19:25:38 -0000 1.85 > +++ Makefile 22 Nov 2017 19:15:11 -0000 > @@ -3,8 +3,7 @@ > COMMENT-main= apache HTTP server > COMMENT-common= /var/www files for Apache HTTPd > > -V= 2.4.27 > -REVISION-main= 0 > +V= 2.4.29 > DISTNAME= httpd-${V} > PKGNAME= apache-httpd-${V} > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/www/apache-httpd/distinfo,v > retrieving revision 1.26 > diff -u -p -r1.26 distinfo > --- distinfo 14 Jul 2017 17:14:33 -0000 1.26 > +++ distinfo 22 Nov 2017 19:15:11 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (httpd-2.4.27.tar.gz) = NG3T0BauXXEBAW5ogFFQvc6QQKjSRsKJqnDminzYa2Y= > -SIZE (httpd-2.4.27.tar.gz) = 8603417 > +SHA256 (httpd-2.4.29.tar.gz) = lI5KESeKWVRpi4gLMPQBsemrdDcT7ixygKVN1N3YcIU= > +SIZE (httpd-2.4.29.tar.gz) = 8638793 > Index: patches/patch-modules_ssl_mod_ssl_c > =================================================================== > RCS file: patches/patch-modules_ssl_mod_ssl_c > diff -N patches/patch-modules_ssl_mod_ssl_c > --- patches/patch-modules_ssl_mod_ssl_c 14 Jul 2017 17:04:12 -0000 > 1.3 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_mod_ssl_c,v 1.3 2017/07/14 17:04:12 sthen Exp $
> -
> -Index: modules/ssl/mod_ssl.c
> ---- modules/ssl/mod_ssl.c.orig
> -+++ modules/ssl/mod_ssl.c
> -@@ -337,7 +337,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
> - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> - ENGINE_cleanup();
> - #endif
> --#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
> -+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - SSL_COMP_free_compression_methods();
> - #endif
> -
> -@@ -390,7 +390,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
> - /* We must register the library in full, to ensure our configuration
> - * code can successfully test the SSL environment.
> - */
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - CRYPTO_malloc_init();
> - #else
> - OPENSSL_malloc_init();
> Index: patches/patch-modules_ssl_ssl_engine_init_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_init_c
> diff -N patches/patch-modules_ssl_ssl_engine_init_c
> --- patches/patch-modules_ssl_ssl_engine_init_c 14 Jul 2017 17:04:12
> -0000 1.9
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,50 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_init_c,v 1.9 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_init.c
> ---- modules/ssl/ssl_engine_init.c.orig
> -+++ modules/ssl/ssl_engine_init.c
> -@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, ini
> - #define KEYTYPES "RSA or DSA"
> - #endif
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - /* OpenSSL Pre-1.1.0 compatibility */
> - /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
> - static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
> -@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t
> - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request
> time */
> -
> - init_dh_params();
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - init_bio_methods();
> - #endif
> -
> -@@ -513,7 +513,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
> - char *cp;
> - int protocol = mctx->protocol;
> - SSLSrvConfigRec *sc = mySrvConfig(s);
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - int prot;
> - #endif
> -
> -@@ -583,7 +583,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
> -
> - SSL_CTX_set_options(ctx, SSL_OP_ALL);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - /* always disable SSLv2, as per RFC 6176 */
> - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
> -
> -@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *data)
> -
> - }
> -
> --#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L &&
> !defined(LIBRESSL_VERSION_NUMBER)
> - free_bio_methods();
> - #endif
> - free_dh_params();
> Index:
patches/patch-modules_ssl_ssl_engine_io_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_io_c
> diff -N patches/patch-modules_ssl_ssl_engine_io_c
> --- patches/patch-modules_ssl_ssl_engine_io_c 14 Jul 2017 17:04:12 -0000
> 1.5
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,32 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_io_c,v 1.5 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_engine_io.c
> ---- modules/ssl/ssl_engine_io.c.orig
> -+++ modules/ssl/ssl_engine_io.c
> -@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio, int cmd, long
> - return -1;
> - }
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> -
> - static BIO_METHOD bio_filter_out_method = {
> - BIO_TYPE_MEM,
> -@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *
> -
> - filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r,
> c);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
> - #else
> - filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
> -@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, S
> - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
> - filter_ctx, r, c);
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
> - #else
> - filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
> Index: patches/patch-modules_ssl_ssl_engine_kernel_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_kernel_c
> diff -N patches/patch-modules_ssl_ssl_engine_kernel_c
> --- patches/patch-modules_ssl_ssl_engine_kernel_c 14 Jul 2017 17:04:12
> -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_kernel_c,v 1.1 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_kernel.c
> ---- modules/ssl/ssl_engine_kernel.c.orig
> -+++ modules/ssl/ssl_engine_kernel.c
> -@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_rec *c,
> - * so we need to increment here to prevent them from
> - * being freed.
> - */
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define modssl_set_cert_info(info, cert, pkey) \
> - *cert = info->x509; \
> - CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
> -@@ -1923,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SE
> - * of our other Apache pre-forked server processes.
> - */
> - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
> -- IDCONST unsigned char *id,
> -+ unsigned char *id,
> - int idlen, int *do_copy)
> - {
> - /* Get Apache context back through OpenSSL context */
> Index: patches/patch-modules_ssl_ssl_engine_vars_c
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_engine_vars_c
> diff -N patches/patch-modules_ssl_ssl_engine_vars_c
> --- patches/patch-modules_ssl_ssl_engine_vars_c 14 Jul 2017 17:04:12
> -0000 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,23 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_engine_vars_c,v 1.3 2017/07/14 17:04:12
> sthen Exp $
> -
> -Index: modules/ssl/ssl_engine_vars.c
> ---- modules/ssl/ssl_engine_vars.c.orig
> -+++ modules/ssl/ssl_engine_vars.c
> -@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
> - resdup = FALSE;
> - }
> - else if (strcEQ(var, "A_SIG")) {
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - nid = OBJ_obj2nid((ASN1_OBJECT
> *)(xs->cert_info->signature->algorithm));
> - #else
> - const ASN1_OBJECT *paobj;
> -@@ -541,7 +541,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, re
> - resdup = FALSE;
> - }
> - else if (strcEQ(var, "A_KEY")) {
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - nid = OBJ_obj2nid((ASN1_OBJECT
> *)(xs->cert_info->key->algor->algorithm));
> - #else
> - ASN1_OBJECT *paobj;
> Index: patches/patch-modules_ssl_ssl_private_h
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_private_h
> diff -N patches/patch-modules_ssl_ssl_private_h
> --- patches/patch-modules_ssl_ssl_private_h 14 Jul 2017 17:04:12 -0000
> 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,32 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_private_h,v 1.3 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_private.h
> ---- modules/ssl/ssl_private.h.orig
> -+++ modules/ssl/ssl_private.h
> -@@ -199,7 +199,7 @@
> -
> - #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
> */
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
> - #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
> - #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
> -@@ -219,7 +219,7 @@ void init_bio_methods(void);
> - void free_bio_methods(void);
> - #endif
> -
> --#if OPENSSL_VERSION_NUMBER < 0x10002000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define X509_STORE_CTX_get0_store(x) (x->ctx)
> - #endif
> -
> -@@ -861,7 +861,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CT
> - int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
> - int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY
> **pkey);
> - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
> --SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char
> *, int, int *);
> -+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int,
> int *);
> - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
> - void ssl_callback_Info(const SSL *, int, int);
> - #ifdef HAVE_TLSEXT
> Index: patches/patch-modules_ssl_ssl_util_ssl_h
> ===================================================================
> RCS file: patches/patch-modules_ssl_ssl_util_ssl_h
> diff -N patches/patch-modules_ssl_ssl_util_ssl_h
> --- patches/patch-modules_ssl_ssl_util_ssl_h 14 Jul 2017 17:04:12 -0000
> 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,14 +0,0 @@
> -$OpenBSD: patch-modules_ssl_ssl_util_ssl_h,v 1.3 2017/07/14 17:04:12 sthen
> Exp $
> -
> -Index: modules/ssl/ssl_util_ssl.h
> ---- modules/ssl/ssl_util_ssl.h.orig
> -+++ modules/ssl/ssl_util_ssl.h
> -@@ -41,7 +41,7 @@
> - #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
> - #define MODSSL_LIBRARY_NAME "OpenSSL"
> - #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> - #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
> - #else
> - #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
> Index: patches/patch-server_core_c
> ===================================================================
> RCS file: patches/patch-server_core_c
> diff -N patches/patch-server_core_c
> --- patches/patch-server_core_c 18 Sep 2017 19:25:38 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,30 +0,0 @@
> -$OpenBSD: patch-server_core_c,v 1.1 2017/09/18 19:25:38 sthen Exp $
> -
> -Revision 1807754
> -Fri Sep 8 13:13:11 2017 UTC by ylavic
> -Merge r1807655 from trunk:
> -
> -core: Disallow Methods' registration at run time (.htaccess), they may be
> -used only if registered at init time (httpd.conf).
> -
> -Calling ap_method_register() in children processes is not the right scope
> -since it won't be shared for all requests.
> -
> -Reviewed by: ylavic, covener, icing
> -
> -Index: server/core.c
> ---- server/core.c.orig
> -+++ server/core.c
> -@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(
> - /* method has not been registered yet, but resource restriction
> - * is always checked before method handling, so register it.
> - */
> -+ if (cmd->pool == cmd->temp_pool) {
> -+ /* In .htaccess, we can't globally register new methods. */
> -+ return apr_psprintf(cmd->pool, "Could not register method
> '%s' "
> -+ "for %s from .htaccess configuration",
> -+ method, cmd->cmd->name);
> -+ }
> - methnum = ap_method_register(cmd->pool,
> - apr_pstrdup(cmd->pool, method));
> - }
> Index: pkg/PLIST-main
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v
> retrieving revision 1.16
> diff -u -p -r1.16 PLIST-main
> --- pkg/PLIST-main 14 Jul 2017 17:04:12 -0000 1.16
> +++ pkg/PLIST-main 22 Nov 2017 19:15:11 -0000
> @@ -1008,6 +1008,8 @@ share/doc/apache2/mod/mpm_winnt.html.ja.
> share/doc/apache2/mod/mpmt_os2.html
> share/doc/apache2/mod/mpmt_os2.html.en
> share/doc/apache2/mod/mpmt_os2.html.fr
> +share/doc/apache2/mod/overrides.html
> +share/doc/apache2/mod/overrides.html.en
> share/doc/apache2/mod/prefork.html
> share/doc/apache2/mod/prefork.html.de
> share/doc/apache2/mod/prefork.html.en
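Review bot: Deleting patches/patch-server_core_c drops the port's backport of r1807754, the `cmd->pool == cmd->temp_pool` check that refuses method registration from .htaccess, and nothing in this thread shows that the 2.4.29 tarball already contains it. The mod_ssl.c patch was verified with a grep in WRKSRC; the same verification belongs here before the file is removed, for example `grep -n 'from .htaccess configuration' server/core.c`. If that string is absent from the unpacked source, the patch has to stay in the port.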