authorBernard Spil <brnrd@FreeBSD.org>2017-10-23 18:49:27 +0000
committerBernard Spil <brnrd@FreeBSD.org>2017-10-23 18:49:27 +0000
commitb1926a29fefea4c83e86e9d6d96ba8ffe7f6b7ae (patch)
tree106f0d0f0867a98a53f82264c3fff7c85e1a98d2 /www/apache24
parent6e8e62796ab6240551669c47257065945a52a5e0 (diff)
www/apache24: Update to 2.4.29
- Remove patch for CVE-2017-9798 (included upstream) - Remove mod_ssl LibreSSL patches (included upstream) - Fix SSL stapling patch for LibreSSL - mod_http2 no longer experimental PR: 222814 With hat: apache
Notes
Notes: svn path=/head/; revision=452732
Diffstat (limited to 'www/apache24')
-rw-r--r--www/apache24/Makefile3
-rw-r--r--www/apache24/Makefile.modules2
-rw-r--r--www/apache24/Makefile.options.desc2
-rw-r--r--www/apache24/distinfo6
-rw-r--r--www/apache24/files/patch-CVE-2017-979815
-rw-r--r--www/apache24/files/patch-configure.in8
-rw-r--r--www/apache24/files/patch-modules_ssl_mod__ssl.c34
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__engine__init.c47
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__engine__io.c38
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c11
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__engine__vars.c11
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__private.h55
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__util.c11
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__util__ssl.h11
-rw-r--r--www/apache24/files/patch-modules_ssl_ssl__util__stapling.c2
15 files changed, 7 insertions, 249 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 557d8028bf89..581f5256f2ee 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
# $FreeBSD$
PORTNAME= apache24
-PORTVERSION= 2.4.27
-PORTREVISION= 1
+PORTVERSION= 2.4.29
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION}
diff --git a/www/apache24/Makefile.modules b/www/apache24/Makefile.modules
index a64e67a0d7ec..c2986cc523fc 100644
--- a/www/apache24/Makefile.modules
+++ b/www/apache24/Makefile.modules
@@ -87,7 +87,7 @@ CONFIGURE_ARGS+= --without-libxml2
.endif
.if ${PORT_OPTIONS:MPROXY_HTTP2} && !${PORT_OPTIONS:MPROXY_BALANCER}
-IGNORE= PROXY_HTTP2 needs PROXY_BALANCER
+IGNORE= PROXY_HTTP2 requires PROXY_BALANCER
.endif
.endif # _PREMKINCLUDED
diff --git a/www/apache24/Makefile.options.desc b/www/apache24/Makefile.options.desc
index 8bc7d13942b8..c7bd6f07aa5d 100644
--- a/www/apache24/Makefile.options.desc
+++ b/www/apache24/Makefile.options.desc
@@ -140,7 +140,7 @@ PROXY_FTP_DESC= FTP support module for mod_proxy
PROXY_HCHECK_DESC= Dynamic health check of Balancer members (workers) for mod_proxy
PROXY_HTML_DESC= Fix HTML Links in a Reverse Proxy
PROXY_HTTP_DESC= HTTP support module for mod_proxy
-PROXY_HTTP2_DESC= Experimental http2 proxy module for h2 and h2c
+PROXY_HTTP2_DESC= HTTP/2 support module for h2 and h2c
PROXY_SCGI_DESC= SCGI gateway module for mod_proxy
PROXY_WSTUNNEL_DESC= Websockets Tunnel module for mod_proxy
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index aeede2fc479d..4c939fdb50a8 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1499686775
-SHA256 (apache24/httpd-2.4.27.tar.bz2) = 71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a
-SIZE (apache24/httpd-2.4.27.tar.bz2) = 6527394
+TIMESTAMP = 1508321657
+SHA256 (apache24/httpd-2.4.29.tar.bz2) = 777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00
+SIZE (apache24/httpd-2.4.29.tar.bz2) = 6567926
diff --git a/www/apache24/files/patch-CVE-2017-9798 b/www/apache24/files/patch-CVE-2017-9798
deleted file mode 100644
index 260012f7277f..000000000000
--- a/www/apache24/files/patch-CVE-2017-9798
+++ /dev/null
@@ -1,15 +0,0 @@
---- server/core.c 2017/08/16 16:50:29 1805223
-+++ server/core.c 2017/09/08 13:13:11 1807754
-@@ -2266,6 +2266,12 @@
- /* method has not been registered yet, but resource restriction
- * is always checked before method handling, so register it.
- */
-+ if (cmd->pool == cmd->temp_pool) {
-+ /* In .htaccess, we can't globally register new methods. */
-+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+ "for %s from .htaccess configuration",
-+ method, cmd->cmd->name);
-+ }
- methnum = ap_method_register(cmd->pool,
- apr_pstrdup(cmd->pool, method));
- }
diff --git a/www/apache24/files/patch-configure.in b/www/apache24/files/patch-configure.in
index b1728b22ab28..c4ae71082ad9 100644
--- a/www/apache24/files/patch-configure.in
+++ b/www/apache24/files/patch-configure.in
@@ -18,14 +18,6 @@
[--enable-layout=*|\'--enable-layout=*])
dnl We must be the last to build and the first to be cleaned
AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"
-@@ -597,7 +597,6 @@ AC_ARG_ENABLE(maintainer-mode,APACHE_HEL
- if test "$GCC" = "yes"; then
- APR_ADDTO(CFLAGS,[-Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wpointer-arith])
- APACHE_ADD_GCC_CFLAG([-std=c89])
-- APACHE_ADD_GCC_CFLAG([-Werror])
- APACHE_ADD_GCC_CFLAG([-Wdeclaration-after-statement])
- APACHE_ADD_GCC_CFLAG([-Wformat])
- APACHE_ADD_GCC_CFLAG([-Wformat-security])
@@ -838,8 +837,14 @@ AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_pre
[Root directory of the Apache install area])
AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",
diff --git a/www/apache24/files/patch-modules_ssl_mod__ssl.c b/www/apache24/files/patch-modules_ssl_mod__ssl.c
deleted file mode 100644
index af34e0a1a0e9..000000000000
--- a/www/apache24/files/patch-modules_ssl_mod__ssl.c
+++ /dev/null
@@ -1,34 +0,0 @@
---- modules/ssl/mod_ssl.c.orig 2017-04-03 11:39:20 UTC
-+++ modules/ssl/mod_ssl.c
-@@ -337,12 +337,12 @@ static apr_status_t ssl_cleanup_pre_conf
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_cleanup();
- #endif
--#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP)
- SSL_COMP_free_compression_methods();
- #endif
-
- /* Usually needed per thread, but this parent process is single-threaded */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
- ERR_remove_thread_state(NULL);
- #else
-@@ -383,14 +383,14 @@ static int ssl_hook_pre_config(apr_pool_
- /* Some OpenSSL internals are allocated per-thread, make sure they
- * are associated to the/our same thread-id until cleaned up.
- */
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- ssl_util_thread_id_setup(pconf);
- #endif
-
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- CRYPTO_malloc_init();
- #else
- OPENSSL_malloc_init();
diff --git a/www/apache24/files/patch-modules_ssl_ssl__engine__init.c b/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
deleted file mode 100644
index 31c7f94d6a79..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
+++ /dev/null
@@ -1,47 +0,0 @@
---- modules/ssl/ssl_engine_init.c.orig 2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_engine_init.c
-@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
- #define KEYTYPES "RSA or DSA"
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL Pre-1.1.0 compatibility */
- /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
- static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-@@ -257,7 +257,7 @@ apr_status_t ssl_init_Module(apr_pool_t
- #endif
- }
-
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
- ssl_util_thread_setup(p);
- #endif
-
-@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t
- modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
-
- init_dh_params();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- init_bio_methods();
- #endif
-
-@@ -1301,7 +1301,7 @@ static apr_status_t ssl_init_server_cert
- * or configure NIST P-256 (required to enable ECDHE for earlier versions)
- * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
- */
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- else {
- #if defined(SSL_CTX_set_ecdh_auto)
- SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
-@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *d
-
- }
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- free_bio_methods();
- #endif
- free_dh_params();
diff --git a/www/apache24/files/patch-modules_ssl_ssl__engine__io.c b/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
deleted file mode 100644
index 85787aeb5498..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
+++ /dev/null
@@ -1,38 +0,0 @@
---- modules/ssl/ssl_engine_io.c.orig 2017-05-30 12:26:05 UTC
-+++ modules/ssl/ssl_engine_io.c
-@@ -164,7 +164,7 @@ static int bio_filter_create(BIO *bio)
- {
- BIO_set_shutdown(bio, 1);
- BIO_set_init(bio, 1);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* No setter method for OpenSSL 1.1.0 available,
- * but I can't find any functional use of the
- * "num" field there either.
-@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio,
- return -1;
- }
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-
- static BIO_METHOD bio_filter_out_method = {
- BIO_TYPE_MEM,
-@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_
-
- filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
- #else
- filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
-@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, req
- filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
- filter_ctx, r, c);
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
- #else
- filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
diff --git a/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c b/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
deleted file mode 100644
index 4c5f19034716..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_kernel.c.orig 2017-05-02 11:01:17 UTC
-+++ modules/ssl/ssl_engine_kernel.c
-@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_r
- * so we need to increment here to prevent them from
- * being freed.
- */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define modssl_set_cert_info(info, cert, pkey) \
- *cert = info->x509; \
- CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
diff --git a/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c b/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
deleted file mode 100644
index 80ffba08b41c..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_vars.c.orig 2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_engine_vars.c
-@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr
- resdup = FALSE;
- }
- else if (strcEQ(var, "A_SIG")) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
- #else
- const ASN1_OBJECT *paobj;
diff --git a/www/apache24/files/patch-modules_ssl_ssl__private.h b/www/apache24/files/patch-modules_ssl_ssl__private.h
deleted file mode 100644
index 0c5a204e7c0b..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__private.h
+++ /dev/null
@@ -1,55 +0,0 @@
---- modules/ssl/ssl_private.h.orig 2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_private.h
-@@ -123,6 +123,16 @@
- #define MODSSL_SSL_METHOD_CONST
- #endif
-
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+/* Missing from LibreSSL */
-+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
-+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
-+#define SSL_CTX_set_min_proto_version(ctx, version) \
-+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
-+#define SSL_CTX_set_max_proto_version(ctx, version) \
-+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-+#endif
-+
- #if defined(OPENSSL_FIPS)
- #define HAVE_FIPS
- #endif
-@@ -136,7 +146,7 @@
- #endif
-
- /* session id constness */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define IDCONST
- #else
- #define IDCONST const
-@@ -199,7 +209,7 @@
-
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
- #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
- #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
-@@ -219,7 +229,7 @@ void init_bio_methods(void);
- void free_bio_methods(void);
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
- #define X509_STORE_CTX_get0_store(x) (x->ctx)
- #endif
-
-@@ -934,7 +944,7 @@ char *ssl_util_readfilter(server_
- const char * const *);
- BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- void ssl_util_thread_setup(apr_pool_t *);
- #endif
- void ssl_util_thread_id_setup(apr_pool_t *);
diff --git a/www/apache24/files/patch-modules_ssl_ssl__util.c b/www/apache24/files/patch-modules_ssl_ssl__util.c
deleted file mode 100644
index 2ea1864dd9bc..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__util.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util.c.orig 2017-03-24 13:31:03 UTC
-+++ modules/ssl/ssl_util.c
-@@ -247,7 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *ta
- }
-
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /*
- * To ensure thread-safetyness in OpenSSL - work in progress
- */
diff --git a/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h b/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
deleted file mode 100644
index 063492479e51..000000000000
--- a/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
+++ /dev/null
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util_ssl.h.orig 2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_util_ssl.h
-@@ -41,7 +41,7 @@
- #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
- #define MODSSL_LIBRARY_NAME "OpenSSL"
- #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
- #else
- #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
diff --git a/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c b/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c
index c2025a9e5e12..5dcf5977ea89 100644
--- a/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__util__stapling.c
@@ -5,7 +5,7 @@
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER < 0x2050000fL
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2050000fL)
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
#else
X509_up_ref(issuer);
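Review bot: The rewritten `#if` on the added line of this hunk carries no record of why the `defined(LIBRESSL_VERSION_NUMBER)` guard is needed, and the commit message describes the change only as a LibreSSL fix. An undefined macro evaluates to 0 inside `#if`, so the previous form `LIBRESSL_VERSION_NUMBER < 0x2050000fL` was true for every OpenSSL build and selected the `CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509)` branch regardless of the OpenSSL version check; on OpenSSL 1.1.0 that direct member access is presumably not usable. I would record this in the patched source with a comment above the conditional, e.g. `/* LIBRESSL_VERSION_NUMBER is undefined with OpenSSL and reads as 0 in #if; test defined() first */`, so the guard is not simplified away on the next update. The enclosing function in ssl_util_stapling.c starts and ends outside the hunk.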