

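--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	apache24
-PORTVERSION=	2.4.27
-PORTREVISION=	1
+PORTVERSION=	2.4.29
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}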
(-)www/apache24/Makefile.modules (-1 / +1 lines)
Lines 87-93 Link Here
87
.endif
87
.endif
88
88
89
.if ${PORT_OPTIONS:MPROXY_HTTP2} && !${PORT_OPTIONS:MPROXY_BALANCER}
89
.if ${PORT_OPTIONS:MPROXY_HTTP2} && !${PORT_OPTIONS:MPROXY_BALANCER}
90
IGNORE=	PROXY_HTTP2 needs PROXY_BALANCER
90
IGNORE=	PROXY_HTTP2 requires PROXY_BALANCER
91
.endif
91
.endif
92
92
93
.endif	# _PREMKINCLUDED
93
.endif	# _PREMKINCLUDED
(-)www/apache24/Makefile.options.desc (-1 / +1 lines)
Lines 140-146 Link Here
140
PROXY_HCHECK_DESC=		Dynamic health check of Balancer members (workers) for mod_proxy
140
PROXY_HCHECK_DESC=		Dynamic health check of Balancer members (workers) for mod_proxy
141
PROXY_HTML_DESC=		Fix HTML Links in a Reverse Proxy
141
PROXY_HTML_DESC=		Fix HTML Links in a Reverse Proxy
142
PROXY_HTTP_DESC=		HTTP support module for mod_proxy
142
PROXY_HTTP_DESC=		HTTP support module for mod_proxy
143
PROXY_HTTP2_DESC=		Experimental http2 proxy module for h2 and h2c
143
PROXY_HTTP2_DESC=		HTTP/2 support module for h2 and h2c
144
PROXY_SCGI_DESC=		SCGI gateway module for mod_proxy
144
PROXY_SCGI_DESC=		SCGI gateway module for mod_proxy
145
PROXY_WSTUNNEL_DESC=		Websockets Tunnel module for mod_proxy
145
PROXY_WSTUNNEL_DESC=		Websockets Tunnel module for mod_proxy
146
146
(-)www/apache24/distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1499686775
1
TIMESTAMP = 1508321657
2
SHA256 (apache24/httpd-2.4.27.tar.bz2) = 71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a
2
SHA256 (apache24/httpd-2.4.29.tar.bz2) = 777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00
3
SIZE (apache24/httpd-2.4.27.tar.bz2) = 6527394
3
SIZE (apache24/httpd-2.4.29.tar.bz2) = 6567926
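--- a/www/apache24/files/patch-CVE-2017-9798
+++ b/www/apache24/files/patch-CVE-2017-9798
@@ -1,15 +0,0 @@
---- server/core.c	2017/08/16 16:50:29	1805223
-+++ server/core.c	2017/09/08 13:13:11	1807754
-@@ -2266,6 +2266,12 @@
-             /* method has not been registered yet, but resource restriction
-              * is always checked before method handling, so register it.
-              */
-+            if (cmd->pool == cmd->temp_pool) {
-+                /* In .htaccess, we can't globally register new methods. */
-+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+                                   "for %s from .htaccess configuration",
-+                                    method, cmd->cmd->name);
-+            }
-             methnum = ap_method_register(cmd->pool,
-                                          apr_pstrdup(cmd->pool, method));
-         }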
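--- a/www/apache24/files/patch-configure.in
+++ b/www/apache24/files/patch-configure.in
@@ -18,14 +18,6 @@
                      [--enable-layout=*|\'--enable-layout=*])
    dnl We must be the last to build and the first to be cleaned
    AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"
-@@ -597,7 +597,6 @@ AC_ARG_ENABLE(maintainer-mode,APACHE_HEL
-     if test "$GCC" = "yes"; then
-       APR_ADDTO(CFLAGS,[-Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wpointer-arith])
-       APACHE_ADD_GCC_CFLAG([-std=c89])
--      APACHE_ADD_GCC_CFLAG([-Werror])
-       APACHE_ADD_GCC_CFLAG([-Wdeclaration-after-statement])
-       APACHE_ADD_GCC_CFLAG([-Wformat])
-       APACHE_ADD_GCC_CFLAG([-Wformat-security])
 @@ -838,8 +837,14 @@ AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_pre
  	[Root directory of the Apache install area])
  AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",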
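--- a/www/apache24/files/patch-modules_ssl_mod__ssl.c
+++ b/www/apache24/files/patch-modules_ssl_mod__ssl.c
@@ -1,34 +0,0 @@
---- modules/ssl/mod_ssl.c.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/mod_ssl.c
-@@ -337,12 +337,12 @@ static apr_status_t ssl_cleanup_pre_conf
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
-     ENGINE_cleanup();
- #endif
--#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP)
-     SSL_COMP_free_compression_methods();
- #endif
- 
-     /* Usually needed per thread, but this parent process is single-threaded */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
-     ERR_remove_thread_state(NULL);
- #else
-@@ -383,14 +383,14 @@ static int ssl_hook_pre_config(apr_pool_
-     /* Some OpenSSL internals are allocated per-thread, make sure they
-      * are associated to the/our same thread-id until cleaned up.
-      */
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     ssl_util_thread_id_setup(pconf);
- #endif
- 
-     /* We must register the library in full, to ensure our configuration
-      * code can successfully test the SSL environment.
-      */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     CRYPTO_malloc_init();
- #else
-     OPENSSL_malloc_init();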
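--- a/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
@@ -1,47 +0,0 @@
---- modules/ssl/ssl_engine_init.c.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_engine_init.c
-@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
- #define KEYTYPES "RSA or DSA"
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL Pre-1.1.0 compatibility */
- /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
- static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-@@ -257,7 +257,7 @@ apr_status_t ssl_init_Module(apr_pool_t 
- #endif
-     }
- 
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
-     ssl_util_thread_setup(p);
- #endif
- 
-@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t 
-     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
- 
-     init_dh_params();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-     init_bio_methods();
- #endif
- 
-@@ -1301,7 +1301,7 @@ static apr_status_t ssl_init_server_cert
-      * or configure NIST P-256 (required to enable ECDHE for earlier versions)
-      * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
-      */
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-     else {
- #if defined(SSL_CTX_set_ecdh_auto)
-         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
-@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *d
- 
-     }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-     free_bio_methods();
- #endif
-     free_dh_params();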
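--- a/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
@@ -1,38 +0,0 @@
---- modules/ssl/ssl_engine_io.c.orig	2017-05-30 12:26:05 UTC
-+++ modules/ssl/ssl_engine_io.c
-@@ -164,7 +164,7 @@ static int bio_filter_create(BIO *bio)
- {
-     BIO_set_shutdown(bio, 1);
-     BIO_set_init(bio, 1);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     /* No setter method for OpenSSL 1.1.0 available,
-      * but I can't find any functional use of the
-      * "num" field there either.
-@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio,
-     return -1;
- }
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-         
- static BIO_METHOD bio_filter_out_method = {
-     BIO_TYPE_MEM,
-@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_
- 
-     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
- #else
-     filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
-@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, req
-     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
-                                                        filter_ctx, r, c);
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
- #else
-     filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);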
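--- a/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_kernel.c.orig	2017-05-02 11:01:17 UTC
-+++ modules/ssl/ssl_engine_kernel.c
-@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_r
-  * so we need to increment here to prevent them from
-  * being freed.
-  */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define modssl_set_cert_info(info, cert, pkey) \
-     *cert = info->x509; \
-     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \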
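--- a/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_vars.c.orig	2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_engine_vars.c
-@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr
-         resdup = FALSE;
-     }
-     else if (strcEQ(var, "A_SIG")) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
- #else
-         const ASN1_OBJECT *paobj;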
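--- a/www/apache24/files/patch-modules_ssl_ssl__private.h
+++ b/www/apache24/files/patch-modules_ssl_ssl__private.h
@@ -1,55 +0,0 @@
---- modules/ssl/ssl_private.h.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_private.h
-@@ -123,6 +123,16 @@
- #define MODSSL_SSL_METHOD_CONST
- #endif
- 
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+/* Missing from LibreSSL */
-+#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
-+#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
-+#define SSL_CTX_set_min_proto_version(ctx, version) \
-+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
-+#define SSL_CTX_set_max_proto_version(ctx, version) \
-+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-+#endif
-+
- #if defined(OPENSSL_FIPS)
- #define HAVE_FIPS
- #endif
-@@ -136,7 +146,7 @@
- #endif
- 
- /* session id constness */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define IDCONST
- #else
- #define IDCONST const
-@@ -199,7 +209,7 @@
- 
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
- #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
- #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
-@@ -219,7 +229,7 @@ void init_bio_methods(void);
- void free_bio_methods(void);
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
- #define X509_STORE_CTX_get0_store(x) (x->ctx)
- #endif
- 
-@@ -934,7 +944,7 @@ char        *ssl_util_readfilter(server_
-                                  const char * const *);
- BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- void         ssl_util_thread_setup(apr_pool_t *);
- #endif
- void         ssl_util_thread_id_setup(apr_pool_t *);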
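--- a/www/apache24/files/patch-modules_ssl_ssl__util.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__util.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util.c.orig	2017-03-24 13:31:03 UTC
-+++ modules/ssl/ssl_util.c
-@@ -247,7 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *ta
- }
- 
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /*
-  * To ensure thread-safetyness in OpenSSL - work in progress
-  */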
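--- a/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
+++ b/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util_ssl.h.orig	2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_util_ssl.h
-@@ -41,7 +41,7 @@
- #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
- #define MODSSL_LIBRARY_NAME    "OpenSSL"
- #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
- #else
- #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)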
(-)www/apache24/files/patch-modules_ssl_ssl__util__stapling.c (-1 / +1 lines)
Lines 5-11 Link Here
5
         issuer = sk_X509_value(extra_certs, i);
5
         issuer = sk_X509_value(extra_certs, i);
6
         if (X509_check_issued(issuer, x) == X509_V_OK) {
6
         if (X509_check_issued(issuer, x) == X509_V_OK) {
7
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
7
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
8
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER < 0x2050000fL
8
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2050000fL)
9
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
9
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
10
 #else
10
 #else
11
             X509_up_ref(issuer);
11
             X509_up_ref(issuer);
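Review bot: The LibreSSL cut-off `0x2050000fL` in the rewritten guard on line 8 of this patch file is unexplained, and nothing visible here says why that release is the boundary. LibreSSL reports a fixed `OPENSSL_VERSION_NUMBER` (0x20000000L), so on LibreSSL builds the second clause alone chooses between the direct `CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509)` refcount write and `X509_up_ref(issuer)`; a threshold that is one release too low would most likely show up only as a build failure on that LibreSSL version. I would add a comment above the `#if`, for example `/* LibreSSL pins OPENSSL_VERSION_NUMBER at 0x20000000L; X509_up_ref() is assumed available from LibreSSL 2.5.0 (confirm) */`, or have configure test for the function instead of comparing version numbers. Only lines 5-11 of the patch file are shown, so the enclosing function and the inner hunk header are outside this view.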
