Sun May 24 11:41:00 2015 UTC ()
Pullup ticket #4733 - requested by sborrill
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.103
- www/apache22/distinfo                                         1.61
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c      1.1

---
   Module Name:	pkgsrc
   Committed By:	sborrill
   Date:		Fri May 22 09:20:20 UTC 2015

   Modified Files:
   	pkgsrc/www/apache22: Makefile distinfo
   Added Files:
   	pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c

   Log Message:
   Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
   Based on FreeBSD ports.


(tron)
diff -r1.102 -r1.102.6.1 pkgsrc/www/apache22/Makefile
diff -r1.60 -r1.60.6.1 pkgsrc/www/apache22/distinfo
diff -r0 -r1.1.2.2 pkgsrc/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c

cvs diff -r1.102 -r1.102.6.1 pkgsrc/www/apache22/Attic/Makefile (expand / switch to context diff)
--- pkgsrc/www/apache22/Attic/Makefile 2014/09/09 08:11:48 1.102
+++ pkgsrc/www/apache22/Attic/Makefile 2015/05/24 11:41:00 1.102.6.1
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/09/09 08:11:48 adam Exp $
+# $NetBSD: Makefile,v 1.102.6.1 2015/05/24 11:41:00 tron Exp $
 
 DISTNAME=	httpd-2.2.29
 PKGNAME=	${DISTNAME:S/httpd/apache/}
+PKGREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
 		http://archive.apache.org/dist/httpd/ \
@@ -208,6 +209,10 @@
 post-extract:
 	${TOUCH} ${WRKSRC}/build/libtool
 	${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in
+
+pre-build:
+	${ECHO} "===>  Generating unique DH group to mitigate Logjam attack (this will take a while)"
+	(cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c)
 
 post-build:
 	${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g"			\
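Review bot: The new pre-build target runs `${PERL5}` and, through the generator script embedded in ssl_engine_dh.c, also `openssl`, `indent` and `expand`, yet this hunk adds no `USE_TOOLS+= perl` and no build dependency on an OpenSSL that still ships the legacy `gendh` alias; unless those are declared elsewhere in the Makefile (outside this hunk), the build either fails outright or the generator's unchecked `system` calls run to completion without producing parameters. The "unique DH group" wording in the echo also holds per build, not per host: the group is compiled into mod_ssl, so every machine installing the same binary package shares it, which deserves a comment such as `# The DH group is generated once per build and shared by all installs of this binary package; rebuild locally for a host-unique group.` Generating a 3072-bit group additionally makes the package non-reproducible and can take many minutes on slow hardware, so the message is a reasonable warning but the cost should be stated in the commit description too.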

cvs diff -r1.60 -r1.60.6.1 pkgsrc/www/apache22/Attic/distinfo (expand / switch to context diff)
--- pkgsrc/www/apache22/Attic/distinfo 2014/09/09 08:11:48 1.60
+++ pkgsrc/www/apache22/Attic/distinfo 2015/05/24 11:41:00 1.60.6.1
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.60 2014/09/09 08:11:48 adam Exp $
+$NetBSD: distinfo,v 1.60.6.1 2015/05/24 11:41:00 tron Exp $
 
 SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
 RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
@@ -16,4 +16,5 @@
 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
+SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1

File Added: pkgsrc/www/apache22/patches/Attic/patch-modules_ssl_ssl__engine__dh.c
--- modules/ssl/ssl_engine_dh.c.orig	2006-07-12 03:38:44 UTC
+++ modules/ssl/ssl_engine_dh.c
@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
 {
     DH *dh;
 
-    if (nKeyLen == 512)
-        dh = get_dh512();
-    else if (nKeyLen == 1024)
-        dh = get_dh1024();
+    if (nKeyLen == 2048)
+        dh = get_dh2048();
+    else if (nKeyLen == 3072)
+        dh = get_dh3072();
     else
-        dh = get_dh1024();
+        dh = get_dh3072();
     return dh;
 }
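Review bot: The new size cases in `ssl_dh_GetTmpParam` only match when a caller passes 2048 or 3072, but this patch changes no caller; if the callers still request 512 and 1024 (as the removed branches suggest), both requests fall into the `else` and receive the 3072-bit group, leaving `get_dh2048()` unreachable and export-grade DH silently gone. That is defensible as a Logjam mitigation, but it should be stated at the `else`, e.g. `/* Any request not exactly 2048/3072 (incl. the legacy 512/1024 callers) gets the 3072-bit group; export-grade DH is deliberately no longer served. */`. If a 3072-bit exchange is too expensive for some deployments, mapping the legacy 1024 request to `get_dh2048()` would put the smaller group to use while still exceeding the 1024-bit groups Logjam targets. Only the body of this function is visible in the hunk; its callers are elsewhere in mod_ssl.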
 
@@ -151,7 +151,7 @@ print FP $source;
 close(FP);
 
 #   generate the DH parameters
-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
 my $rand = '';
 foreach $file (qw(/var/log/messages /var/adm/messages
                   /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
     }
 }
 $rand = "-rand $rand" if ($rand ne '');
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");
+system("openssl gendh $rand -out dh3072.pem 3072");
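Review bot: The two `system("openssl gendh ...")` calls ending this hunk discard their exit status, so a missing or failing `openssl` (in OpenSSL 1.0.x `gendh` is only a legacy alias for `dhparam`, and newer releases may not ship it at all) leaves no .pem file and the script carries on; the failure only surfaces later, when the generated C source lacks `get_dh2048`/`get_dh3072` and the build breaks far from the cause. Check the status on each call: `system("openssl gendh $rand -out dh2048.pem 2048") == 0 or die "openssl gendh 2048 failed: $?";` and the same for 3072. `$rand` is interpolated into a shell command line; that is harmless for the fixed, hard-coded seed file list built just above, but list-form `system` would be the safer shape if that list ever becomes configurable.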
 
 #   generate DH param info
 my $dhinfo = '';
-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
 $dhinfo .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
 $dhinfo .= $_ while (<FP>);
 close(FP);
 $dhinfo =~ s|^|** |mg;
@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
 
 #   generate C source from DH params
 my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
 $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
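Review bot: The `|| die` on the `open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |")` lines only fires if the fork itself fails; a non-zero exit from `openssl dh` or a missing `indent`/`expand` goes unnoticed, `$dhsource` silently stays empty, and the `s|(DH\s+\*get_dh)...|` substitution that starts at the end of this hunk has nothing to rewrite. Perl surfaces a piped child's non-zero exit through `close` (for a shell pipeline, the status of its last command), so the matching context lines should become `close(FP) or die "openssl dh -C dh2048.pem pipeline failed: $?";` and likewise for dh3072.pem; because only the last command's status is reported, a sanity check such as `die "no DH source generated" unless $dhsource =~ /get_dh\d+/;` after both reads would catch an openssl failure hidden behind `indent`/`expand`. The same gap exists for the `-text` pipes in the previous hunk. The substitution statement at the last line continues outside this hunk.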
@@ -203,8 +203,8 @@ print FP $source;
 close(FP);
 
 #   cleanup
-unlink("dh512.pem");
-unlink("dh1024.pem");
+unlink("dh2048.pem");
+unlink("dh3072.pem");
 
 =pod
 */