From 933cdbb71e6d0e6208bc86aebe8706b1d880c3c1 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Tue, 10 Oct 2017 11:40:39 +0300
Subject: main/apache2: upgrade to 2.4.28
---
 main/apache2/APKBUILD | 10 +-
 main/apache2/libressl.patch | 235 ----------------------------------------
 main/apache2/optionsbleed.patch | 15 ---
 3 files changed, 3 insertions(+), 257 deletions(-)
 delete mode 100644 main/apache2/libressl.patch
 delete mode 100644 main/apache2/optionsbleed.patch
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index a4f60d4ceb..ddaa1450d6 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Valery Kartel
 pkgname=apache2
 _pkgreal=httpd
-pkgver=2.4.27
-pkgrel=2
+pkgver=2.4.28
+pkgrel=0
 pkgdesc="A high performance Unix-based HTTP server"
 url="http://httpd.apache.org/"
 arch="all"
@@ -28,8 +28,6 @@ subpackages="$pkgname-ctl $pkgname-utils $pkgname-webdav"
 source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
- libressl.patch
- optionsbleed.patch
 apache2.confd
 apache2.logrotate
 apache2.initd
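Review bot: Dropping `optionsbleed.patch` from `source` (second APKBUILD hunk) leaves no record in the package that the security fix it carried is now expected to come from the upstream tarball. The deleted patch added the `cmd->pool == cmd->temp_pool` check in `server/core.c` that refuses method registration from .htaccess, so it is worth confirming that the 2.4.28 sources contain that check before relying on the upgrade alone. I would add a `# secfixes:` comment block to the APKBUILD listing `2.4.28-r0` with the identifier of the issue the patch addressed, so the fix stays traceable once the patch file is gone. If the package is still built against LibreSSL, the build should also be verified now that the `LIBRESSL_VERSION_NUMBER` guards from `libressl.patch` are no longer applied.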
@@ -313,9 +311,7 @@ _lua() {
 "$subpkgdir"/usr/lib/apache2/ || return 1
 _load_mods
 }
-sha512sums="7e7e8070715b74cb6890096a74e194f4c6a49c14bda685b1ad832e84312f1ac4316ea03a430e679502bfd8e1853aefa544ee002a20d0f7e994b9a590c74bc42c httpd-2.4.27.tar.bz2
-7ccd6ba80836e5d8481779855e5b5618f10f20fb00c765e94a3788e746e99311d687c20053ed348fc1a31532fc8900c24915c7b0aff83418f2f40dc7b94944cc libressl.patch
-11582354ef82be7c1f71b44f135dd15d99c3945a2aa52e9d3213119024a9cf83a137251a730c186a416ecfd57cc4acfc166ce2c27023988b22b31b24222d1632 optionsbleed.patch
+sha512sums="8de8e32b87e6de220e492e74db9df0882fae11c3b9732f3d3316da048c04767ac4429c0433c36f87d8705263e3376f97a7e1f66a9d7a518632a67b6fe617590a httpd-2.4.28.tar.bz2
 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
 81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/apache2/libressl.patch b/main/apache2/libressl.patch
deleted file mode 100644
index e4b6176911..0000000000
--- a/main/apache2/libressl.patch
+++ /dev/null
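Review bot: The new `sha512sums` entry for `httpd-2.4.28.tar.bz2` is the only integrity control on a tarball that `source` (in the earlier APKBUILD hunk) still fetches over plain `http://`, so the hash has to come from a trusted channel rather than from the downloaded file itself. The diff cannot show how the value was obtained; it should be checked against the upstream-published checksum or release signature before merge. Changing the URL to `https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2` would additionally protect the fetch in transit.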
@@ -1,235 +0,0 @@ ---- httpd-2.4.26/modules/ssl/mod_ssl.c -+++ httpd-2.4.26.libressl/modules/ssl/mod_ssl.c -@@ -337,12 +337,12 @@ - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES - ENGINE_cleanup(); - #endif --#if OPENSSL_VERSION_NUMBER >= 0x1000200fL -+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP) - SSL_COMP_free_compression_methods(); - #endif - - /* Usually needed per thread, but this parent process is single-threaded */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #if OPENSSL_VERSION_NUMBER >= 0x1000000fL - ERR_remove_thread_state(NULL); - #else -@@ -383,14 +383,14 @@ - /* Some OpenSSL internals are allocated per-thread, make sure they - * are associated to the/our same thread-id until cleaned up. - */ --#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L -+#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - ssl_util_thread_id_setup(pconf); - #endif - - /* We must register the library in full, to ensure our configuration - * code can successfully test the SSL environment. 
- */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_malloc_init(); - #else - OPENSSL_malloc_init(); ---- httpd-2.4.26/modules/ssl/ssl_engine_init.c -+++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_init.c -@@ -47,7 +47,7 @@ - #define KEYTYPES "RSA or DSA" - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL Pre-1.1.0 compatibility */ - /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ - static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -@@ -257,7 +257,7 @@ - #endif - } - --#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L -+#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) - ssl_util_thread_setup(p); - #endif - -@@ -380,7 +380,7 @@ - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ - - init_dh_params(); --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - init_bio_methods(); - #endif - -@@ -1301,7 +1301,7 @@ - * or configure NIST P-256 (required to enable ECDHE for earlier versions) - * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList - */ --#if (OPENSSL_VERSION_NUMBER < 0x10100000L) -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - else { - #if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); -@@ -2011,7 +2011,7 @@ - - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - free_bio_methods(); - #endif - free_dh_params(); ---- httpd-2.4.26/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_io.c -@@ -164,7 +164,7 @@ - { - BIO_set_shutdown(bio, 1); - BIO_set_init(bio, 1); --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 
0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* No setter method for OpenSSL 1.1.0 available, - * but I can't find any functional use of the - * "num" field there either. -@@ -549,7 +549,7 @@ - return -1; - } - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - - static BIO_METHOD bio_filter_out_method = { - BIO_TYPE_MEM, -@@ -2024,7 +2024,7 @@ - - filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); - #else - filter_ctx->pbioRead = BIO_new(bio_filter_in_method); -@@ -2059,7 +2059,7 @@ - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, - filter_ctx, r, c); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); - #else - filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); ---- httpd-2.4.26/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_kernel.c -@@ -1733,7 +1733,7 @@ - * so we need to increment here to prevent them from - * being freed. 
- */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define modssl_set_cert_info(info, cert, pkey) \ - *cert = info->x509; \ - CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ ---- httpd-2.4.26/modules/ssl/ssl_engine_vars.c -+++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_vars.c -@@ -529,7 +529,7 @@ - resdup = FALSE; - } - else if (strcEQ(var, "A_SIG")) { --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); - #else - const ASN1_OBJECT *paobj; ---- httpd-2.4.26/modules/ssl/ssl_private.h -+++ httpd-2.4.26.libressl/modules/ssl/ssl_private.h -@@ -123,6 +123,16 @@ - #define MODSSL_SSL_METHOD_CONST - #endif - -+#if defined(LIBRESSL_VERSION_NUMBER) -+/* Missing from LibreSSL */ -+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123 -+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124 -+#define SSL_CTX_set_min_proto_version(ctx, version) \ -+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) -+#define SSL_CTX_set_max_proto_version(ctx, version) \ -+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -+#endif -+ - #if defined(OPENSSL_FIPS) - #define HAVE_FIPS - #endif -@@ -136,7 +146,7 @@ - #endif - - /* session id constness */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define IDCONST - #else - #define IDCONST const -@@ -199,7 +209,7 @@ - - #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 - #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 - #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 -@@ -219,7 +229,7 @@ - void 
free_bio_methods(void); - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10002000L -+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) - #define X509_STORE_CTX_get0_store(x) (x->ctx) - #endif - -@@ -934,7 +944,7 @@ - const char * const *); - BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); - #if APR_HAS_THREADS --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - void ssl_util_thread_setup(apr_pool_t *); - #endif - void ssl_util_thread_id_setup(apr_pool_t *); ---- httpd-2.4.26/modules/ssl/ssl_util.c -+++ httpd-2.4.26.libressl/modules/ssl/ssl_util.c -@@ -247,7 +247,7 @@ - } - - #if APR_HAS_THREADS --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* - * To ensure thread-safetyness in OpenSSL - work in progress - */ ---- httpd-2.4.26/modules/ssl/ssl_util_ssl.h -+++ httpd-2.4.26.libressl/modules/ssl/ssl_util_ssl.h -@@ -41,7 +41,7 @@ - #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER - #define MODSSL_LIBRARY_NAME "OpenSSL" - #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) - #else - #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) ---- httpd-2.4.26/support/ab.c -+++ httpd-2.4.26.libressl/support/ab.c -@@ -197,6 +197,14 @@ - #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) - #define HAVE_TLSEXT - #endif -+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f -+# define SSL_CTRL_SET_MIN_PROTO_VERSION 123 -+# define SSL_CTRL_SET_MAX_PROTO_VERSION 124 -+#define SSL_CTX_set_min_proto_version(ctx, version) \ -+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) -+#define SSL_CTX_set_max_proto_version(ctx, version) \ -+ 
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -+#endif - #endif - - #include diff --git a/main/apache2/optionsbleed.patch b/main/apache2/optionsbleed.patch deleted file mode 100644 index be0afee60a..0000000000 --- a/main/apache2/optionsbleed.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- httpd-2.4.2//server/core.c 2017/08/16 16:50:29 1805223 -+++ httpd-2.4.2//server/core.c 2017/09/08 13:13:11 1807754 -@@ -2266,6 +2266,12 @@ - /* method has not been registered yet, but resource restriction - * is always checked before method handling, so register it. - */ -+ if (cmd->pool == cmd->temp_pool) { -+ /* In .htaccess, we can't globally register new methods. */ -+ return apr_psprintf(cmd->pool, "Could not register method '%s' " -+ "for %s from .htaccess configuration", -+ method, cmd->cmd->name); -+ } - methnum = ap_method_register(cmd->pool, - apr_pstrdup(cmd->pool, method)); - } -- cgit v1.2.3