From fbe213f61fdc359d8301f5d7d672c875b2c08e91 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sun, 5 Apr 2020 18:20:01 +0200 Subject: [PATCH] apache: security bump to 2.4.43 This minor version bump fixes: CVE-2020-1934 CVE-2020-1927 Upstream added cross-compile compatibility to apxs, so we can drop a sed script. Upstream also added the OpenWrt layout, so we can drop our local copy. The OpenSSL patch to remove deprecated symbols doesn't apply anymore and gets removed. Signed-off-by: Sebastian Kemper --- net/apache/Makefile | 13 +- net/apache/files/openwrt.layout | 24 --- .../patches/020-openssl-deprecated.patch | 177 ------------------ 3 files changed, 3 insertions(+), 211 deletions(-) delete mode 100644 net/apache/files/openwrt.layout delete mode 100644 net/apache/patches/020-openssl-deprecated.patch diff --git a/net/apache/Makefile b/net/apache/Makefile index 6fcb2cc61..4547002a9 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apache -PKG_VERSION:=2.4.41 -PKG_RELEASE:=6 +PKG_VERSION:=2.4.43 +PKG_RELEASE:=1 PKG_SOURCE_NAME:=httpd PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@APACHE/httpd/ -PKG_HASH:=133d48298fe5315ae9366a0ec66282fa4040efa5d566174481077ade7d18ea40 +PKG_HASH:=a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION) @@ -271,11 +271,6 @@ CONFIGURE_VARS += \ ac_cv_gettid=yes \ ap_cv_void_ptr_lt_long=no -define Build/Prepare - $(call Build/Prepare/Default) - $(INSTALL_DATA) ./files/openwrt.layout $(PKG_BUILD_DIR)/config.layout -endef - define Build/InstallDev $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/apxs $(1)/usr/bin 
@@ -286,8 +281,6 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/usr/share/apache2/build $(CP) $(PKG_INSTALL_DIR)/usr/share/apache2/build/* \ $(1)/usr/share/apache2/build - $(SED) 's%/usr/share/apache2/build%$(STAGING_DIR)/usr/share/apache2/build%' \ - $(1)/usr/bin/apxs $(SED) 's%^prefix =.*%prefix = $(STAGING_DIR)/usr%' \ $(1)/usr/share/apache2/build/config_vars.mk endef diff --git a/net/apache/files/openwrt.layout b/net/apache/files/openwrt.layout deleted file mode 100644 index 844c4f627..000000000 --- a/net/apache/files/openwrt.layout +++ /dev/null @@ -1,24 +0,0 @@ - - - prefix: /usr - exec_prefix: ${prefix} - bindir: ${prefix}/bin - sbindir: ${prefix}/sbin - libdir: ${prefix}/lib - libexecdir: ${prefix}/lib+ - mandir: ${prefix}/share/man - sysconfdir: /etc+ - datadir: ${prefix}/share+ - installbuilddir: ${datadir}/build - errordir: ${datadir}/error - iconsdir: ${datadir}/icons - htdocsdir: ${datadir}/htdocs - manualdir: /usr/share/doc/apache2/manual - cgidir: ${datadir}/cgi-bin - includedir: ${prefix}/include+ - localstatedir: /var - runtimedir: ${localstatedir}/run+ - logfiledir: ${localstatedir}/log+ - proxycachedir: ${localstatedir}/cache/apache2 - - diff --git a/net/apache/patches/020-openssl-deprecated.patch b/net/apache/patches/020-openssl-deprecated.patch deleted file mode 100644 index e583cde19..000000000 --- a/net/apache/patches/020-openssl-deprecated.patch +++ /dev/null 
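Review bot: With the sed that redirected apxs's build directory to $(STAGING_DIR) dropped, Build/InstallDev still rewrites `prefix` in config_vars.mk to $(STAGING_DIR)/usr but leaves the installed apxs script untouched, and the hunk does not show how that script now locates the staging copy of /usr/share/apache2/build instead of a host path of the same name. The commit message attributes this to an upstream cross-compile change in apxs, which is plausible but not visible in this diff, so it is worth confirming by building one out-of-tree module against the staging dir before merging. If apxs still resolves its build dir from a compiled-in absolute path, the one-line `$(SED) 's%/usr/share/apache2/build%$(STAGING_DIR)/usr/share/apache2/build%' $(1)/usr/bin/apxs` would need to be kept alongside the config_vars.mk rewrite. Build/InstallDev begins before this hunk.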
@@ -1,177 +0,0 @@ ---- a/modules/ssl/mod_ssl.c -+++ b/modules/ssl/mod_ssl.c -@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void) - - static apr_status_t ssl_cleanup_pre_config(void *data) - { -+#if MODSSL_USE_OPENSSL_PRE_1_1_API - /* - * Try to kill the internals of the SSL library. - */ -@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data) - #if OPENSSL_VERSION_NUMBER >= 0x1000200fL - #ifndef OPENSSL_NO_COMP - SSL_COMP_free_compression_methods(); --#endif - #endif - - /* Usually needed per thread, but this parent process is single-threaded */ --#if MODSSL_USE_OPENSSL_PRE_1_1_API - #if OPENSSL_VERSION_NUMBER >= 0x1000000fL - ERR_remove_thread_state(NULL); - #else -@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data) - * (when enabled) at this late stage in the game: - * CRYPTO_mem_leaks_fp(stderr); - */ -+#endif - return APR_SUCCESS; - } - -@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, - #else - OPENSSL_malloc_init(); - #endif -+#if MODSSL_USE_OPENSSL_PRE_1_1_API - ERR_load_crypto_strings(); - SSL_load_error_strings(); - SSL_library_init(); -+ OpenSSL_add_all_algorithms(); -+ OPENSSL_load_builtin_modules(); -+#endif - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES - ENGINE_load_builtin_engines(); - #endif -- OpenSSL_add_all_algorithms(); -- OPENSSL_load_builtin_modules(); - - if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { - (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) - - return 1; - } -+ -+#define OpenSSL_version_num SSLeay - #endif - - /* -@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - apr_status_t rv; - apr_array_header_t *pphrases; - -- if (SSLeay() < MODSSL_LIBRARY_VERSION) { -+ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, 
APLOGNO(01882) - "Init: this version of mod_ssl was compiled against " - "a newer library (%s, version currently loaded is %s)" ---- a/modules/ssl/ssl_engine_io.c -+++ b/modules/ssl/ssl_engine_io.c -@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) - if (dc->proxy->ssl_check_peer_expire != FALSE) { - if (!cert - || (X509_cmp_current_time( -- X509_get_notBefore(cert)) >= 0) -+ X509_get0_notBefore(cert)) >= 0) - || (X509_cmp_current_time( -- X509_get_notAfter(cert)) <= 0)) { -+ X509_get0_notAfter(cert)) <= 0)) { - proxy_ssl_check_peer_ok = FALSE; - ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) - "SSL Proxy: Peer certificate is expired"); ---- a/modules/ssl/ssl_engine_log.c -+++ b/modules/ssl/ssl_engine_log.c -@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level, - BIO_puts(bio, "(ERROR)"); - - BIO_puts(bio, " / notbefore: "); -- ASN1_TIME_print(bio, X509_get_notBefore(cert)); -+ ASN1_TIME_print(bio, X509_get0_notBefore(cert)); - - BIO_puts(bio, " / notafter: "); -- ASN1_TIME_print(bio, X509_get_notAfter(cert)); -+ ASN1_TIME_print(bio, X509_get0_notAfter(cert)); - - BIO_puts(bio, "]"); - ---- a/modules/ssl/ssl_engine_vars.c -+++ b/modules/ssl/ssl_engine_vars.c -@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, - result = ssl_var_lookup_ssl_cert_serial(p, xs); - } - else if (strcEQ(var, "V_START")) { -- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs)); -+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs)); - } - else if (strcEQ(var, "V_END")) { -- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs)); -+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs)); - } - else if (strcEQ(var, "V_REMAIN")) { -- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); -+ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs)); - resdup = FALSE; - } - else if 
(*var && strcEQ(var+1, "_DN")) { ---- a/modules/ssl/ssl_private.h -+++ b/modules/ssl/ssl_private.h -@@ -92,6 +92,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include -@@ -234,6 +236,10 @@ - #define BIO_get_shutdown(x) (x->shutdown) - #define BIO_set_shutdown(x,v) (x->shutdown=v) - #define DH_bits(x) (BN_num_bits(x->p)) -+#define X509_get0_notBefore X509_get_notBefore -+#define X509_get0_notAfter X509_get_notAfter -+#define X509_getm_notBefore X509_get_notBefore -+#define X509_getm_notAfter X509_get_notAfter - #else - void init_bio_methods(void); - void free_bio_methods(void); ---- a/support/ab.c -+++ b/support/ab.c -@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE; - #define SSL_CTX_set_max_proto_version(ctx, version) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) - #endif -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define X509_get0_notBefore X509_get_notBefore -+#define X509_get0_notAfter X509_get_notAfter -+#endif - #endif - - #include -@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert) - - BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); - BIO_printf(bio,"Valid from: "); -- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert)); -+ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert)); - BIO_printf(bio,"\n"); - - BIO_printf(bio,"Valid to : "); -- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert)); -+ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert)); - BIO_printf(bio,"\n"); - - pk = X509_get_pubkey(cert); -@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[]) - CRYPTO_malloc_init(); - #endif - #endif -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_load_error_strings(); - SSL_library_init(); -+#endif - bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); -