On Tue, May 18, 2021 at 01:21:25PM +0200, Theo Buehler wrote: > On Tue, May 18, 2021 at 11:45:33AM +0200, Giovanni Bechis wrote: > > Hi, > > upcoming Apache httpd doesn't build with LibreSSL because it uses > > EVP_PKEY_X25519 constants that are not defined on LibreSSL. > > The following diff works, is it better to add EVP_PKEY_X constants > > to evp.h instead ? > > There is more code that would need to be added to libcrypto to make this > work. We will likely have to add EVP_PKEY_X25519 at some point, but > libcrypto is not ready. There are currently no plans for X448 support. > > With your patch the call to EVP_PKEY_CTX_new_id() will fail. I would > suggest disabling X25519 and X448 support as follows: > final diff follows, Apache httpd 2.4.48 also fixes some CVEs in mod_proxy and mod_session. Full Changelog at https://downloads.apache.org/httpd/CHANGES_2.4.48
ok ?
Giovanni
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.107
diff -u -p -r1.107 Makefile
--- Makefile 13 Dec 2020 08:45:14 -0000 1.107
+++ Makefile 1 Jun 2021 22:44:59 -0000
@@ -2,10 +2,9 @@
COMMENT= apache HTTP server
-V= 2.4.46
+V= 2.4.48
DISTNAME= httpd-${V}
PKGNAME= apache-httpd-${V}
-REVISION= 1
CATEGORIES= www net
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/apache-httpd/distinfo,v
retrieving revision 1.35
diff -u -p -r1.35 distinfo
--- distinfo 7 Aug 2020 15:15:37 -0000 1.35
+++ distinfo 1 Jun 2021 22:44:59 -0000
@@ -1,2 +1,2 @@
-SHA256 (httpd-2.4.46.tar.gz) = RLdZzpMtwJDA51wCELRIXr9pg0ZvuMobRGyBaOGhrsI=
-SIZE (httpd-2.4.46.tar.gz) = 9363314
+SHA256 (httpd-2.4.48.tar.gz) = MVwLxQIGuGb7F8LNwowZc3ZajVnKFouAKG6MsHfQUQ4=
+SIZE (httpd-2.4.48.tar.gz) = 9418226
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-configure,v
retrieving revision 1.20
diff -u -p -r1.20 patch-configure
--- patches/patch-configure 31 Mar 2020 14:30:33 -0000 1.20
+++ patches/patch-configure 1 Jun 2021 22:44:59 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-configure,v 1.20 2020/03
Index: configure
--- configure.orig
+++ configure
-@@ -3473,7 +3473,7 @@ do
+@@ -3474,7 +3474,7 @@ do
ap_last="${ap_cur}"
ap_cur=`eval "echo ${ap_cur}"`
done
@@ -12,7 +12,7 @@ Index: configure
APACHE_VAR_SUBST="$APACHE_VAR_SUBST exp_sysconfdir"
-@@ -4679,7 +4679,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
+@@ -4680,7 +4680,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
APR_INCLUDES=`$apr_config --includes`
APR_VERSION=`$apr_config --version`
apr_major_version=`echo ${APR_VERSION} | sed 's,\..*,,'`
Index: patches/patch-modules_md_md_crypt_c
===================================================================
RCS file: patches/patch-modules_md_md_crypt_c
diff -N patches/patch-modules_md_md_crypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_md_md_crypt_c 1 Jun 2021 22:44:59 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+LibreSSL does not expose X25519 via EVP and has no X448 support.
+
+Index: modules/md/md_crypt.c
+--- modules/md/md_crypt.c.orig
++++ modules/md/md_crypt.c
+@@ -797,7 +797,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ curve_nid = NID_X9_62_prime192v1;
+ }
+ #endif
+-#ifdef NID_X25519
++#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) {
+ curve_nid = NID_X25519;
+ }
+@@ -814,7 +814,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ *ppkey = make_pkey(p);
+ switch (curve_nid) {
+
+-#ifdef NID_X25519
++#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
+ case NID_X25519:
+ /* no parameters */
+ if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL))
+@@ -828,7 +828,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ break;
+ #endif
+
+-#ifdef NID_X448
++#if defined(NID_X448) && !defined(LIBRESSL_VERSION_NUMBER)
+ case NID_X448:
+ /* no parameters */
+ if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL))
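Review bot: The three new `#if` guards in this patch key on `LIBRESSL_VERSION_NUMBER` rather than on the symbol that is actually missing, so the X25519 and X448 paths stay compiled out on every LibreSSL release, including a future one that adds `EVP_PKEY_X25519`, and nobody will notice the patch has gone stale. OpenSSL's evp.h provides `EVP_PKEY_X25519` and `EVP_PKEY_X448` as macros, so `#if defined(NID_X25519) && defined(EVP_PKEY_X25519)` for the first two blocks and `#if defined(NID_X448) && defined(EVP_PKEY_X448)` for the third disables exactly the builds where `EVP_PKEY_CTX_new_id()` would fail and retires itself once the constant appears. With either guard, a LibreSSL build whose configuration names the "X25519" curve no longer matches the `apr_strnatcasecmp` lookup and presumably leaves `curve_nid` as `NID_undef`, failing key generation at some later check outside this hunk; a sentence to that effect in the patch header ("On LibreSSL, X25519/X448 are rejected as unsupported curves") would tell an operator why the curve is refused. gen_ec continues past the end of the hunk.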
Index: patches/patch-modules_proxy_mod_proxy_uwsgi_c
===================================================================
RCS file: patches/patch-modules_proxy_mod_proxy_uwsgi_c
diff -N patches/patch-modules_proxy_mod_proxy_uwsgi_c
--- patches/patch-modules_proxy_mod_proxy_uwsgi_c 10 Aug 2020 15:17:12
-0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,32 +0,0 @@
-$OpenBSD: patch-modules_proxy_mod_proxy_uwsgi_c,v 1.3 2020/08/10 15:17:12
giovanni Exp $
-
-Avoid NULL pointer dereferences for empty environment variable values
-PR 64598
-
-Index: modules/proxy/mod_proxy_uwsgi.c
---- modules/proxy/mod_proxy_uwsgi.c.orig
-+++ modules/proxy/mod_proxy_uwsgi.c
-@@ -175,7 +175,7 @@ static int uwsgi_send_headers(request_rec *r, proxy_co
- env = (apr_table_entry_t *) env_table->elts;
-
- for (j = 0; j < env_table->nelts; ++j) {
-- headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
-+ headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ?
strlen(env[j].val) : 0);
- }
-
- pktsize = headerlen - 4;
-@@ -198,10 +198,12 @@ static int uwsgi_send_headers(request_rec *r, proxy_co
- memcpy(ptr, env[j].key, keylen);
- ptr += keylen;
-
-- vallen = strlen(env[j].val);
-+ vallen = env[j].val ? strlen(env[j].val) : 0;
- *ptr++ = (apr_byte_t) (vallen & 0xff);
- *ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
-- memcpy(ptr, env[j].val, vallen);
-+ if (env[j].val) {
-+ memcpy(ptr, env[j].val, vallen);
-+ }
- ptr += vallen;
- }
-
Index: patches/patch-modules_ssl_ssl_engine_init_c
===================================================================
RCS file:
/cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c,v
retrieving revision 1.17
diff -u -p -r1.17 patch-modules_ssl_ssl_engine_init_c
--- patches/patch-modules_ssl_ssl_engine_init_c 10 Aug 2020 15:17:12 -0000
1.17
+++ patches/patch-modules_ssl_ssl_engine_init_c 1 Jun 2021 22:44:59 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-modules_ssl_ssl_engine_i
Index: modules/ssl/ssl_engine_init.c
--- modules/ssl/ssl_engine_init.c.orig
+++ modules/ssl/ssl_engine_init.c
-@@ -1568,7 +1568,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s
+@@ -1573,7 +1573,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s
X509_STORE_CTX *sctx;
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
Index: patches/patch-modules_ssl_ssl_private_h
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_private_h,v
retrieving revision 1.8
diff -u -p -r1.8 patch-modules_ssl_ssl_private_h
--- patches/patch-modules_ssl_ssl_private_h 31 Mar 2020 14:30:33 -0000
1.8
+++ patches/patch-modules_ssl_ssl_private_h 1 Jun 2021 22:44:59 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-modules_ssl_ssl_private_
Index: modules/ssl/ssl_private.h
--- modules/ssl/ssl_private.h.orig
+++ modules/ssl/ssl_private.h
-@@ -229,9 +229,11 @@
+@@ -230,9 +230,11 @@
#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
Index: patches/patch-server_mpm_unix_c
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-server_mpm_unix_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-server_mpm_unix_c
--- patches/patch-server_mpm_unix_c 13 Aug 2019 21:14:11 -0000 1.3
+++ patches/patch-server_mpm_unix_c 1 Jun 2021 22:44:59 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-server_mpm_unix_c,v 1.3
Index: server/mpm_unix.c
--- server/mpm_unix.c.orig
+++ server/mpm_unix.c
-@@ -795,7 +795,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
+@@ -796,7 +796,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
*exit_status = 1;
return 1;
}
@@ -12,7 +12,7 @@ Index: server/mpm_unix.c
}
else {
/* With containerization, httpd may get the same PID at each startup,
-@@ -804,12 +804,12 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
+@@ -805,12 +805,12 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
if (otherpid != getpid() && kill(otherpid, 0) == 0) {
running = 1;
status = apr_psprintf(pconf,
@@ -27,7 +27,7 @@ Index: server/mpm_unix.c
otherpid);
}
}
-@@ -833,7 +833,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
+@@ -834,7 +834,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
if (!strcmp(dash_k_arg, "restart")) {
if (!running) {
@@ -36,7 +36,7 @@ Index: server/mpm_unix.c
}
else {
*exit_status = send_signal(otherpid, SIGHUP);
-@@ -843,7 +843,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
+@@ -844,7 +844,7 @@ int ap_signal_server(int *exit_status, apr_pool_t *pco
if (!strcmp(dash_k_arg, "graceful")) {
if (!running) {
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST,v
retrieving revision 1.33
diff -u -p -r1.33 PLIST
--- pkg/PLIST 31 Mar 2020 14:30:33 -0000 1.33
+++ pkg/PLIST 1 Jun 2021 22:44:59 -0000
@@ -39,6 +39,7 @@ include/apache2/http_log.h
include/apache2/http_main.h
include/apache2/http_protocol.h
include/apache2/http_request.h
+include/apache2/http_ssl.h
include/apache2/http_vhost.h
include/apache2/httpd.h
include/apache2/mod_auth.h
@@ -334,6 +335,7 @@ share/doc/apache2/filter.html.tr.utf8
share/doc/apache2/getting-started.html
share/doc/apache2/getting-started.html.en
share/doc/apache2/getting-started.html.fr.utf8
+share/doc/apache2/getting-started.html.ru.utf8
share/doc/apache2/glossary.html
share/doc/apache2/glossary.html.de
share/doc/apache2/glossary.html.en
@@ -457,6 +459,7 @@ share/doc/apache2/index.html.fr.utf8
share/doc/apache2/index.html.ja.utf8
share/doc/apache2/index.html.ko.euc-kr
share/doc/apache2/index.html.pt-br
+share/doc/apache2/index.html.ru.utf8
share/doc/apache2/index.html.tr.utf8
share/doc/apache2/index.html.zh-cn.utf8
share/doc/apache2/install.html
@@ -1086,7 +1089,6 @@ share/doc/apache2/new_features_2_0.html.
share/doc/apache2/new_features_2_0.html.ja.utf8
share/doc/apache2/new_features_2_0.html.ko.euc-kr
share/doc/apache2/new_features_2_0.html.pt-br
-share/doc/apache2/new_features_2_0.html.ru.koi8-r
share/doc/apache2/new_features_2_0.html.tr.utf8
share/doc/apache2/new_features_2_2.html
share/doc/apache2/new_features_2_2.html.en
