svn commit: r386904 - in head/www/apache22: . files
Ryan Steinmetz
zi at FreeBSD.org
Thu May 21 02:13:08 UTC 2015
Author: zi
Date: Thu May 21 02:13:07 2015
New Revision: 386904
URL: https://svnweb.freebsd.org/changeset/ports/386904
Log:
- Generate new DH params during build to mitigate Logjam attack
- Fix deprecated USE_AUTOTOOLS
- Bump PORTREVISION
With hat: ports-secteam
Obtained from: Winni Neessen
Added:
head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c (contents, props changed)
Modified:
head/www/apache22/Makefile
Modified: head/www/apache22/Makefile
==============================================================================
--- head/www/apache22/Makefile Thu May 21 00:58:26 2015 (r386903)
+++ head/www/apache22/Makefile Thu May 21 02:13:07 2015 (r386904)
@@ -2,7 +2,7 @@
PORTNAME= apache22
PORTVERSION= 2.2.29
-PORTREVISION?= 2
+PORTREVISION?= 3
CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION}
@@ -20,9 +20,9 @@ CONFLICTS_INSTALL= caudium14-1.* \
apache-*-2.4.* apache24-*-2.4.*
USE_APACHE= common22
-USES= tar:bzip2 iconv perl5 libtool cpe
+USES= tar:bzip2 iconv perl5 libtool cpe autoreconf
USE_PERL5= run
-USE_AUTOTOOLS= autoconf
+GNU_CONFIGURE= yes
USE_RC_SUBR= apache22 htcacheclean
CPE_VENDOR= apache
@@ -173,6 +173,12 @@ post-configure:
@${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
@${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
+pre-build:
+.if ${PORT_OPTIONS:MSSL}
+ @${ECHO_MSG} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)"
+ (cd ${WRKSRC}/modules/ssl && ${SETENV} HOME=${WRKDIR} ${PERL} ssl_engine_dh.c)
+.endif
+
post-install:
@${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|}
${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${STAGEDIR}${ETCDIR}/Includes/
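Review bot: The group generated by the `${PERL} ssl_engine_dh.c` line is unique per build rather than per installation: every host that installs the same binary package gets the same compiled-in parameters, which still removes the old well-known 512/1024-bit groups but is weaker than the "unique" wording on the `@${ECHO_MSG}` line suggests; `"===> Generating DH group for this build to mitigate Logjam attack (this will take a while)"` would describe it accurately. The script also calls an unqualified `openssl` (and, per the added patch, `indent` and `expand`) from the build PATH rather than the OpenSSL the port links against, so that tool dependency is invisible here; a comment on the `pre-build:` line, or an explicit PATH in the same `${SETENV}` invocation, would make it visible. The `pre-build` target is fully contained in the hunk; `post-install` continues outside it.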
Added: head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c Thu May 21 02:13:07 2015 (r386904)
@@ -0,0 +1,73 @@
+--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC
++++ modules/ssl/ssl_engine_dh.c
+@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen)
+ {
+ DH *dh;
+
+- if (nKeyLen == 512)
+- dh = get_dh512();
+- else if (nKeyLen == 1024)
+- dh = get_dh1024();
++ if (nKeyLen == 2048)
++ dh = get_dh2048();
++ else if (nKeyLen == 3072)
++ dh = get_dh3072();
+ else
+- dh = get_dh1024();
++ dh = get_dh3072();
+ return dh;
+ }
+
+@@ -151,7 +151,7 @@ print FP $source;
+ close(FP);
+
+ # generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages
+ /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var
+ }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh $rand -out dh2048.pem 2048");
++system("openssl gendh $rand -out dh3072.pem 3072");
+
+ # generate DH param info
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
+@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
+
+ # generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
+@@ -203,8 +203,8 @@ print FP $source;
+ close(FP);
+
+ # cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
++unlink("dh2048.pem");
++unlink("dh3072.pem");
+
+ =pod
+ */
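Review bot: The two `system("openssl gendh ...")` calls in the `@@ -161,15 +161,15 @@` part of the patch still discard their return value, so if `openssl` is absent from PATH or `gendh` fails, the following `open(FP, "openssl dh ... |") || die` still succeeds (a piped open only fails when the fork fails), `$dhinfo` and `$dhsource` stay empty, and the problem presumably surfaces much later as a compile or link error on `get_dh2048`/`get_dh3072`. Checking the status at the point of failure, `system("openssl gendh $rand -out dh2048.pem 2048") == 0 or die "openssl gendh 2048 failed: $?";` and the same for the 3072-bit call, would fail the build with a clear message. Separately, `ssl_dh_GetTmpParam` now returns the 3072-bit group for any `nKeyLen` other than 2048, including the 512/1024 values its existing callers pass; a one-line comment on the `else` branch stating that intent would help the next reader. The Perl fragments shown are parts of the script embedded in ssl_engine_dh.c and continue outside the inner hunks.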