- Sync with www/apache2

5 files changed, 170 insertions, 2 deletions

diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 3243c6f09a97..3d78739b5f57 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.0.54
-PORTREVISION=	2
+PORTREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
@@ -45,6 +45,10 @@ IGNORE=		: Please define WITH_KQUEUE_SUPPORT instead
 EXTRA_PATCHES+=		${FILESDIR}/exp-apr-kqueue.patch
 .endif
 
+.if defined(WITH_OPENSSL_BETA)
+EXTRA_PATCHES+=		${FILESDIR}/build-fix-openssl_beta
+.endif
+
 SCRIPTS_ENV+=		LIBTOOL=${LIBTOOL} LIBTOOLIZE=${LIBTOOLIZE} \
 			LIBTOOL_VERSION=${LIBTOOL_VERSION} AUTOCONF=${AUTOCONF} \
 			LIBTOOL_M4=${LOCALBASE}/share/aclocal/libtool${LIBTOOL_VERSION}.m4 \
@@ -95,7 +99,7 @@ CONFIGURE_ARGS+=	--enable-v4-mapped
 .endif
 
 #backward compatibility
-.if defined(WITHOUT_SSL) 
+.if defined(WITHOUT_SSL)
 WITHOUT_SSL_MODULES=	YES
 .endif
 
diff --git a/www/apache20/files/build-fix-openssl_beta b/www/apache20/files/build-fix-openssl_beta
new file mode 100644
index 000000000000..04f018790793
--- /dev/null
+++ b/www/apache20/files/build-fix-openssl_beta
@@ -0,0 +1,16 @@
+--- modules/ssl/ssl_toolkit_compat.h.orig	Fri Feb  4 21:21:18 2005
++++ modules/ssl/ssl_toolkit_compat.h	Tue Aug 30 01:42:51 2005
+@@ -99,6 +99,13 @@
+ #define HAVE_SSL_X509V3_EXT_d2i
+ #endif
+ 
++#ifndef PEM_F_DEF_CALLBACK
++#ifdef PEM_F_PEM_DEF_CALLBACK
++/* In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
++#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
++#endif
++#endif
++
+ #elif defined (SSLC_VERSION_NUMBER) /* RSA */
+ 
+ /* sslc does not support this function, OpenSSL has since 9.5.1 */
diff --git a/www/apache20/files/patch-fix-byterange b/www/apache20/files/patch-fix-byterange
new file mode 100644
index 000000000000..1cf190a31e79
--- /dev/null
+++ b/www/apache20/files/patch-fix-byterange
@@ -0,0 +1,80 @@
+--- modules/http/http_protocol.c (original)
++++ modules/http/http_protocol.c Tue Aug 23 01:36:16 2005
+@@ -2856,18 +2856,35 @@
+ #define MIN_LENGTH(len1, len2) ((len1 > len2) ? len2 : len1)
+     request_rec *r = f->r;
+     conn_rec *c = r->connection;
+-    byterange_ctx *ctx = f->ctx;
++    byterange_ctx *ctx;
+     apr_bucket *e;
+     apr_bucket_brigade *bsend;
+     apr_off_t range_start;
+     apr_off_t range_end;
+     char *current;
+-    apr_off_t bb_length;
+     apr_off_t clength = 0;
+     apr_status_t rv;
+     int found = 0;
+ 
+-    if (!ctx) {
++    /* Iterate through the brigade until reaching EOS or a bucket with
++     * unknown length. */
++    for (e = APR_BRIGADE_FIRST(bb);
++         (e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e)
++          && e->length != (apr_size_t)-1);
++         e = APR_BUCKET_NEXT(e)) {
++        clength += e->length;
++    }
++
++    /* Don't attempt to do byte range work if this brigade doesn't
++     * contain an EOS, or if any of the buckets has an unknown length;
++     * this avoids the cases where it is expensive to perform
++     * byteranging (i.e. may require arbitrary amounts of memory). */
++    if (!APR_BUCKET_IS_EOS(e) || clength <= 0) {
++        ap_remove_output_filter(f);
++        return ap_pass_brigade(f->next, bb);
++    }
++
++    {
+         int num_ranges = ap_set_byterange(r);
+ 
+         /* We have nothing to do, get out of the way. */
+@@ -2876,7 +2893,7 @@
+             return ap_pass_brigade(f->next, bb);
+         }
+ 
+-        ctx = f->ctx = apr_pcalloc(r->pool, sizeof(*ctx));
++        ctx = apr_pcalloc(r->pool, sizeof(*ctx));
+         ctx->num_ranges = num_ranges;
+         /* create a brigade in case we never call ap_save_brigade() */
+         ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
+@@ -2902,29 +2919,6 @@
+             ap_xlate_proto_to_ascii(ctx->bound_head, strlen(ctx->bound_head));
+         }
+     }
+-
+-    /* We can't actually deal with byte-ranges until we have the whole brigade
+-     * because the byte-ranges can be in any order, and according to the RFC,
+-     * we SHOULD return the data in the same order it was requested.
+-     *
+-     * XXX: We really need to dump all bytes prior to the start of the earliest
+-     * range, and only slurp up to the end of the latest range.  By this we
+-     * mean that we should peek-ahead at the lowest first byte of any range,
+-     * and the highest last byte of any range.
+-     */
+-    if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
+-        ap_save_brigade(f, &ctx->bb, &bb, r->pool);
+-        return APR_SUCCESS;
+-    }
+-
+-    /* Prepend any earlier saved brigades. */
+-    APR_BRIGADE_PREPEND(bb, ctx->bb);
+-
+-    /* It is possible that we won't have a content length yet, so we have to
+-     * compute the length before we can actually do the byterange work.
+-     */
+-    apr_brigade_length(bb, 1, &bb_length);
+-    clength = (apr_off_t)bb_length;
+ 
+     /* this brigade holds what we will be sending */
+     bsend = apr_brigade_create(r->pool, c->bucket_alloc);
diff --git a/www/apache20/files/patch-secfix-CAN-2005-2491 b/www/apache20/files/patch-secfix-CAN-2005-2491
new file mode 100644
index 000000000000..07d2734b58a8
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2005-2491
@@ -0,0 +1,54 @@
+--- srclib/pcre/pcre.c.orig	Wed Nov 24 20:31:09 2004
++++ srclib/pcre/pcre.c	Thu Aug 25 22:14:56 2005
+@@ -714,7 +714,18 @@
+ int min = 0;
+ int max = -1;
+ 
++/* Read the minimum value and do a paranoid check: a negative value indicates
++an integer overflow. */
++
+ while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
++if (min < 0 || min > 65535)
++  {
++  *errorptr = ERR5;
++  return p;
++  }
++ 
++/* Read the maximum value if there is one, and again do a paranoid on its size.
++Also, max must not be less than min. */
+ 
+ if (*p == '}') max = min; else
+   {
+@@ -722,6 +733,11 @@
+     {
+     max = 0;
+     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
++    if (max < 0 || max > 65535)
++      {
++      *errorptr = ERR5;
++      return p;
++      }
+     if (max < min)
+       {
+       *errorptr = ERR4;
+@@ -730,16 +746,11 @@
+     }
+   }
+ 
+-/* Do paranoid checks, then fill in the required variables, and pass back the
+-pointer to the terminating '}'. */
++/* Fill in the required variables, and pass back the pointer to the terminating
++'}'. */
+ 
+-if (min > 65535 || max > 65535)
+-  *errorptr = ERR5;
+-else
+-  {
+-  *minp = min;
+-  *maxp = max;
+-  }
++*minp = min;
++*maxp = max;
+ return p;
+ }
+ 
diff --git a/www/apache20/files/patch-secfix-CAN-2005-2700 b/www/apache20/files/patch-secfix-CAN-2005-2700
new file mode 100644
index 000000000000..d720084ed8f9
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2005-2700
@@ -0,0 +1,14 @@
+--- modules/ssl/ssl_engine_kernel.c	2005/08/30 15:54:34	264799
++++ modules/ssl/ssl_engine_kernel.c	2005/08/30 
+15:57:38	264800
+@@ -406,8 +406,8 @@
+                 (!(verify_old & SSL_VERIFY_PEER) &&
+                   (verify     & SSL_VERIFY_PEER)) ||
+ 
+-                (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
+-                  (verify     & SSL_VERIFY_PEER_STRICT)))
++                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
++                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
+             {
+                 renegotiate = TRUE;
+                 /* optimization */