Pullup ticket #4733 - requested by sborrill www/apache22: security patch Revisions pulled up: - www/apache22/Makefile 1.103 - www/apache22/distinfo 1.61 - www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c 1.1 --- Module Name: pkgsrc Committed By: sborrill Date: Fri May 22 09:20:20 UTC 2015 Modified Files: pkgsrc/www/apache22: Makefile distinfo Added Files: pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c Log Message: Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000). Based on FreeBSD ports.diff -r1.102 -r1.102.6.1 pkgsrc/www/apache22/Makefile
(tron)
| @@ -1,17 +1,18 @@ | @@ -1,17 +1,18 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.102 2014/09/09 08:11:48 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.102.6.1 2015/05/24 11:41:00 tron Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= httpd-2.2.29 | 3 | DISTNAME= httpd-2.2.29 | |
| 4 | PKGNAME= ${DISTNAME:S/httpd/apache/} | 4 | PKGNAME= ${DISTNAME:S/httpd/apache/} | |
| 5 | PKGREVISION= 1 | |||
| 5 | CATEGORIES= www | 6 | CATEGORIES= www | |
| 6 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | 7 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | |
| 7 | http://archive.apache.org/dist/httpd/ \ | 8 | http://archive.apache.org/dist/httpd/ \ | |
| 8 | http://archive.eu.apache.org/dist/httpd/ | 9 | http://archive.eu.apache.org/dist/httpd/ | |
| 9 | EXTRACT_SUFX= .tar.bz2 | 10 | EXTRACT_SUFX= .tar.bz2 | |
| 10 | 11 | |||
| 11 | MAINTAINER= pkgsrc-users@NetBSD.org | 12 | MAINTAINER= pkgsrc-users@NetBSD.org | |
| 12 | HOMEPAGE= http://httpd.apache.org/ | 13 | HOMEPAGE= http://httpd.apache.org/ | |
| 13 | COMMENT= Apache HTTP (Web) server, version 2.2 | 14 | COMMENT= Apache HTTP (Web) server, version 2.2 | |
| 14 | LICENSE= apache-2.0 | 15 | LICENSE= apache-2.0 | |
| 15 | 16 | |||
| 16 | BUILD_DEFS+= IPV6_READY | 17 | BUILD_DEFS+= IPV6_READY | |
| 17 | BUILD_DEFS+= VARBASE | 18 | BUILD_DEFS+= VARBASE | |
| @@ -199,26 +200,30 @@ DEPENDS+= ${ap_depend} | @@ -199,26 +200,30 @@ DEPENDS+= ${ap_depend} | |||
| 199 | . endif | 200 | . endif | |
| 200 | . endfor | 201 | . endfor | |
| 201 | . endif | 202 | . endif | |
| 202 | . if defined(AP_CFG_ARGS.${ap_mod}) && !empty(AP_CFG_ARGS.${ap_mod}) | 203 | . if defined(AP_CFG_ARGS.${ap_mod}) && !empty(AP_CFG_ARGS.${ap_mod}) | |
| 203 | CONFIGURE_ARGS+= ${AP_CFG_ARGS.${ap_mod}} | 204 | CONFIGURE_ARGS+= ${AP_CFG_ARGS.${ap_mod}} | |
| 204 | . endif | 205 | . endif | |
| 205 | . endfor | 206 | . endfor | |
| 206 | .endif | 207 | .endif | |
| 207 | 208 | |||
| 208 | post-extract: | 209 | post-extract: | |
| 209 | ${TOUCH} ${WRKSRC}/build/libtool | 210 | ${TOUCH} ${WRKSRC}/build/libtool | |
| 210 | ${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in | 211 | ${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in | |
| 211 | 212 | |||
| 213 | pre-build: | |||
| 214 | ${ECHO} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)" | |||
| 215 | (cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c) | |||
| 216 | ||||
| 212 | post-build: | 217 | post-build: | |
| 213 | ${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \ | 218 | ${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g" \ | |
| 214 | < ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert | 219 | < ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert | |
| 215 | 220 | |||
| 216 | INSTALL_TARGET= install-conf install | 221 | INSTALL_TARGET= install-conf install | |
| 217 | INSTALL_MAKE_FLAGS+= sysconfdir="${EGDIR}" | 222 | INSTALL_MAKE_FLAGS+= sysconfdir="${EGDIR}" | |
| 218 | 223 | |||
| 219 | post-install: | 224 | post-install: | |
| 220 | ${LN} -sf ${LOCALBASE}/libexec/apr/libtool ${DESTDIR}${PREFIX}/share/httpd/build | 225 | ${LN} -sf ${LOCALBASE}/libexec/apr/libtool ${DESTDIR}${PREFIX}/share/httpd/build | |
| 221 | ${LN} -sf ${SBINDIR}/envvars-std ${DESTDIR}${SBINDIR}/envvars | 226 | ${LN} -sf ${SBINDIR}/envvars-std ${DESTDIR}${SBINDIR}/envvars | |
| 222 | 227 | |||
| 223 | ${INSTALL_SCRIPT} ${WRKDIR}/mkcert ${DESTDIR}${PREFIX}/sbin | 228 | ${INSTALL_SCRIPT} ${WRKDIR}/mkcert ${DESTDIR}${PREFIX}/sbin | |
| 224 | 229 |
| @@ -1,19 +1,20 @@ | @@ -1,19 +1,20 @@ | |||
| 1 | $NetBSD: distinfo,v 1.60 2014/09/09 08:11:48 adam Exp $ | 1 | $NetBSD: distinfo,v 1.60.6.1 2015/05/24 11:41:00 tron Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5 | 3 | SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5 | |
| 4 | RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b | 4 | RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b | |
| 5 | Size (httpd-2.2.29.tar.bz2) = 5625498 bytes | 5 | Size (httpd-2.2.29.tar.bz2) = 5625498 bytes | |
| 6 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | 6 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | |
| 7 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | 7 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | |
| 8 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | 8 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | |
| 9 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | 9 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | |
| 10 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | 10 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | |
| 11 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | 11 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | |
| 12 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | 12 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | |
| 13 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | 13 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | |
| 14 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | 14 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | |
| 15 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | 15 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | |
| 16 | SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa | 16 | SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa | |
| 17 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | 17 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | |
| 18 | SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746 | 18 | SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746 | |
| 19 | SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897 | |||
| 19 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 | 20 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 |
--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
+++ modules/ssl/ssl_engine_dh.c
@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
{
DH *dh;
- if (nKeyLen == 512)
- dh = get_dh512();
- else if (nKeyLen == 1024)
- dh = get_dh1024();
+ if (nKeyLen == 2048)
+ dh = get_dh2048();
+ else if (nKeyLen == 3072)
+ dh = get_dh3072();
else
- dh = get_dh1024();
+ dh = get_dh3072();
return dh;
}
@@ -151,7 +151,7 @@ print FP $source;
close(FP);
# generate the DH parameters
-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
my $rand = '';
foreach $file (qw(/var/log/messages /var/adm/messages
/kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
}
}
$rand = "-rand $rand" if ($rand ne '');
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");
+system("openssl gendh $rand -out dh3072.pem 3072");
# generate DH param info
my $dhinfo = '';
-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
$dhinfo .= $_ while (<FP>);
close(FP);
-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
$dhinfo .= $_ while (<FP>);
close(FP);
$dhinfo =~ s|^|** |mg;
@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
# generate C source from DH params
my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
@@ -203,8 +203,8 @@ print FP $source;
close(FP);
# cleanup
-unlink("dh512.pem");
-unlink("dh1024.pem");
+unlink("dh2048.pem");
+unlink("dh3072.pem");
=pod
*/