
[pkgsrc/pkgsrc-2015Q1]: pkgsrc/www/apache22 Pullup ticket #4733 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/da0bac80f134
branches:  pkgsrc-2015Q1
changeset: 649260:da0bac80f134
user:      tron <tron%pkgsrc.org@localhost>
date:      Sun May 24 11:41:00 2015 +0000

description:
Pullup ticket #4733 - requested by sborrill
www/apache22: security patch

Revisions pulled up:
- www/apache22/Makefile                                         1.103
- www/apache22/distinfo                                         1.61
- www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c      1.1

---
   Module Name: pkgsrc
   Committed By:        sborrill
   Date:                Fri May 22 09:20:20 UTC 2015

   Modified Files:
        pkgsrc/www/apache22: Makefile distinfo
   Added Files:
        pkgsrc/www/apache22/patches: patch-modules_ssl_ssl__engine__dh.c

   Log Message:
   Add patch to mitigate Logjam TLS vulnerabilities (CVE-2015-4000).
   Based on FreeBSD ports.

diffstat:

 www/apache22/Makefile                                    |   7 +-
 www/apache22/distinfo                                    |   3 +-
 www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c |  73 ++++++++++++++++
 3 files changed, 81 insertions(+), 2 deletions(-)

diffs (116 lines):

diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/Makefile
--- a/www/apache22/Makefile     Sun May 24 11:33:38 2015 +0000
+++ b/www/apache22/Makefile     Sun May 24 11:41:00 2015 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/09/09 08:11:48 adam Exp $
+# $NetBSD: Makefile,v 1.102.6.1 2015/05/24 11:41:00 tron Exp $
 
 DISTNAME=      httpd-2.2.29
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \
@@ -209,6 +210,10 @@
        ${TOUCH} ${WRKSRC}/build/libtool
        ${ECHO} "" >> ${WRKSRC}/docs/conf/extra/httpd-languages.conf.in
 
+pre-build:
+       ${ECHO} "===>  Generating unique DH group to mitigate Logjam attack (this will take a while)"
+       (cd ${WRKSRC}/modules/ssl && ${PERL5} ssl_engine_dh.c)
+
 post-build:
        ${SED} "s#@PKG_SYSCONFDIR@#${PKG_SYSCONFDIR}#g"                 \
                < ${FILESDIR}/mkcert.sh > ${WRKDIR}/mkcert
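Review bot: The new pre-build target (L64-L66) relies on `openssl`, `indent` and `expand` being on PATH in the build sandbox, because the script it runs shells out to them, but nothing in this hunk declares those tools or `${PERL5}` as build-time dependencies; whether `USE_TOOLS`/buildlink already provides them is outside the hunk, so this may be fine. If one of them is missing, the script as written does not abort, and the breakage presumably only surfaces later as an undefined `get_dh3072`/`get_dh2048` at compile time, far from its cause. A cheap guard after the regeneration would make the failure local: `${GREP} -q get_dh3072 ${WRKSRC}/modules/ssl/ssl_engine_dh.c || ${FALSE}`. It is also worth a comment that the step is intentionally non-reproducible, e.g. `# Regenerate the DH groups per build so each package ships its own (Logjam, CVE-2015-4000)`, since this changes what a binary package contains from build to build.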
diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/distinfo
--- a/www/apache22/distinfo     Sun May 24 11:33:38 2015 +0000
+++ b/www/apache22/distinfo     Sun May 24 11:41:00 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.60 2014/09/09 08:11:48 adam Exp $
+$NetBSD: distinfo,v 1.60.6.1 2015/05/24 11:41:00 tron Exp $
 
 SHA1 (httpd-2.2.29.tar.bz2) = 1d6a8fbc1391d358cc6fe430edc16222b97258d5
 RMD160 (httpd-2.2.29.tar.bz2) = c9a823f038a6a1cbfd94cd9bdd067edd26cf7a3b
@@ -16,4 +16,5 @@
 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
+SHA1 (patch-modules_ssl_ssl__engine__dh.c) = fc37a639ecfbade0cf8a4fc684d7ec3b92949897
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff -r 6eec91eb1dd5 -r da0bac80f134 www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-modules_ssl_ssl__engine__dh.c  Sun May 24 11:41:00 2015 +0000
@@ -0,0 +1,73 @@
+--- modules/ssl/ssl_engine_dh.c.orig   2006-07-12 03:38:44 UTC
++++ modules/ssl/ssl_engine_dh.c
+@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
+ {
+     DH *dh;
+ 
+-    if (nKeyLen == 512)
+-        dh = get_dh512();
+-    else if (nKeyLen == 1024)
+-        dh = get_dh1024();
++    if (nKeyLen == 2048)
++        dh = get_dh2048();
++    else if (nKeyLen == 3072)
++        dh = get_dh3072();
+     else
+-        dh = get_dh1024();
++        dh = get_dh3072();
+     return dh;
+ }
+ 
+@@ -151,7 +151,7 @@ print FP $source;
+ close(FP);
+ 
+ #   generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages
+                   /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
+     }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh $rand -out dh2048.pem 2048");
++system("openssl gendh $rand -out dh3072.pem 3072");
+ 
+ #   generate DH param info
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
+@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
+ 
+ #   generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
+@@ -203,8 +203,8 @@ print FP $source;
+ close(FP);
+ 
+ #   cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
++unlink("dh2048.pem");
++unlink("dh3072.pem");
+ 
+ =pod
+ */
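Review bot: The return values of the two `system("openssl gendh ...")` calls (L125-L126) are ignored, so if `openssl` is absent or `gendh` fails the `.pem` files are never written, the following `open(FP, "openssl dh ... |") || die` still succeeds (a pipe open only fails when the fork fails, not when the command does), and the regenerated C source is silently emitted without `get_dh2048`/`get_dh3072`; change them to `system("openssl gendh $rand -out dh2048.pem 2048") == 0 or die "gendh 2048 failed: $?";` and likewise for 3072. Note also that `gendh` is a legacy alias that newer OpenSSL releases may no longer ship, so `openssl dhparam -out dh2048.pem 2048` is the more durable spelling. In `ssl_dh_GetTmpParam` (L100-L106) the `nKeyLen == 2048` branch is only reachable if some caller asks for 2048; as far as I recall the 2.2 TmpDH callback (outside this hunk) passes 512 or 1024, so every request in practice lands in the 3072-bit fallback, which deserves a comment such as `/* 512/1024-bit (export/legacy) requests deliberately get the 3072-bit group: Logjam, CVE-2015-4000 */`. A practitioner caveat for the package message or commit log: clients that cap the DH prime size (older Java runtimes are the usual example) may fail the handshake against a 3072-bit group, so operators who need them will have to restrict the cipher suites to ECDHE or RSA key exchange.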


