
dh parameters

Hanno Böck authored on 04/05/2012 11:05:06
Showing 3 changed files
@@ -1,4 +1,5 @@
1 1
 AUX 2.2.22-envvars-std.in 1071 RMD160 4613555ac600a4941ccd43128f98a9f6a95ba57d SHA1 b69dc500bb49fb14c801c6ab130a624c24e4d7fa SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee
2
+AUX apache-2.2.14-staticdhparameters.diff 11745 RMD160 3aa5d2a5fd56b55fbfac372241ed47431146b262 SHA1 ae91f275450cce294f6700bcb12fb7851fd7070f SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df
2 3
 AUX apache-noip.diff 417 RMD160 8e16f7ff130cea52449a25aafbbdeb78919d9eae SHA1 7c19a0236e4eff23bee6e69ee6708a24529a974c SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc
3 4
 AUX apache-tlsext-workaround.diff 395 RMD160 c756f0e935e4392d44c57a202fd73af173b3b9b2 SHA1 f9619250609d4bd1bddc3e28e23f61cfedb93c09 SHA256 ee0b535bc401ae6b4028d4fa238198f067cacab936d69596c4d8b4ca1ea23619
4 5
 AUX httpd-2.2.16-ecc.diff 8236 RMD160 604f1124c168805b7702a6ca4a26ee7004fbab0b SHA1 3badbccc36c21710ef1c60f47963bcc631c00917 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461
@@ -19,5 +20,5 @@ EBUILD apache-2.2.17.ebuild 2800 RMD160 c2aa5d7da738e45373e0cc7339e413bad3557e5a
19 20
 EBUILD apache-2.2.20.ebuild 2787 RMD160 33bcf018695ad8e6ce3beca2e1ce1479b7839f5a SHA1 5cb5d1cc61539e4c1bcb55fee6f5dff3b417bae4 SHA256 85f904c57696b368656837e5b195f8b2210ac703103d1a46ce7801f9983cd9ef
20 21
 EBUILD apache-2.2.21-r1.ebuild 2878 RMD160 aebdac0ad671ac05b1c7bf112a4a4e855012608a SHA1 d0ec2d7e7c4ffa517e6f7102886363f493e4b48c SHA256 e492085938fba74ae3e623f4bc8916986a0260db7666db3dee6fbcdcef71d8d2
21 22
 EBUILD apache-2.2.21.ebuild 2783 RMD160 18b86737a93ad332064e358b4078fea9c078c301 SHA1 7c8c3ac29b59c08823971f663bb4fde46ec9f3f6 SHA256 6695358dcc6ff20aec9508aaa2dca7df1fcbca92250df269a5b810b4dd129e75
22
-EBUILD apache-2.2.22-r1.ebuild 3144 RMD160 c5130c8c6edc5d684048e500d76c440dcf9ed9ef SHA1 1023434f888861822c5095e728b27c966c82b335 SHA256 be789e723540f07ade3e701ea285ce2f7a88c08f191704929eecbcfc4f12d5c2
23
+EBUILD apache-2.2.22-r1.ebuild 3206 RMD160 2fe9d60ea36de0540bce18cba003a4c18191802a SHA1 3e26be46b7480b5cf2e4341f37c7ea81002062d7 SHA256 4c72b2164c32c34e85c6a8e99c68464e5505eeb79bf94eed7ad1d62ba2045c0e
23 24
 EBUILD apache-2.2.22.ebuild 3001 RMD160 aa73c429658766b1ff9361259939794d8f267d78 SHA1 03d45671feb3621197c4a7c3d2e5550df7386db5 SHA256 cf930cea2f7e8a8bd2f7cabe7de9ecf56efb33d10bd3fe2d70acaa6e86cebb0c
@@ -105,7 +105,8 @@ RDEPEND="${RDEPEND}
105 105
 # init script fixup - should be rolled into next tarball #389965
106 106
 src_prepare() {
107 107
 	epatch "${FILESDIR}"/apache-noip.diff
108
-	epatch "${FILESDIR}"/httpd-2.2.16-ecc.diff
108
+	#epatch "${FILESDIR}"/httpd-2.2.16-ecc.diff
109
+	#epatch "${FILESDIR}"/apache-2.2.14-staticdhparameters.diff
109 110
 	apache-2_src_prepare
110 111
 	sed -i -e 's/! test -f/test -f/' "${GENTOO_PATCHDIR}"/init/apache2.initd || die "Failed to fix init script"
111 112
 	cp ${FILESDIR}/2.2.22-envvars-std.in ${S}/support/envvars-std.in || die "Failed to apply LD_PRELOAD fix"
112 113
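Review bot: Both `epatch` lines in `src_prepare` are now commented out with no reason recorded, so `httpd-2.2.16-ecc.diff`, which the previous revision applied, is silently dropped, and the newly added `apache-2.2.14-staticdhparameters.diff` is shipped in FILESDIR (it appears in the Manifest hunk above) but never applied — dead lines in an ebuild are exactly what a later maintainer will either delete or "helpfully" re-enable. If this is work in progress, say so where the lines are, e.g. `# TODO: DH-parameters patch (written against 2.2.14) not yet rebased onto 2.2.22; ECC patch disabled until both apply together`, otherwise either apply the patch or drop it from FILESDIR and the Manifest. The patch name targets 2.2.14 while this ebuild builds 2.2.22, so it presumably does not apply cleanly yet — that is a reason to record, not to leave implicit. If the ECC patch is what provides ECC/ECDHE support in this build (its name suggests so), commenting it out quietly changes the cipher suites the built httpd can offer, which is a behavioral regression a one-line commit message "dh parameters" does not signal; the closing brace of `src_prepare` sits at the hunk edge and is not visible here.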
new file mode 100644
@@ -0,0 +1,314 @@
1
+diff -ru httpd-2.2.14.orig/modules/ssl/mod_ssl.c httpd-2.2.14.new/modules/ssl/mod_ssl.c
2
+--- httpd-2.2.14.orig/modules/ssl/mod_ssl.c	2009-05-19 13:44:59.000000000 +0200
3
+@@ -108,6 +108,9 @@
4
+     SSL_CMD_SRV(CertificateKeyFile, TAKE1,
5
+                 "SSL Server Private Key file "
6
+                 "(`/path/to/file' - PEM or DER encoded)")
7
++    SSL_CMD_SRV(DHParametersFile, TAKE1,
8
++                "SSL Server Diffie-Hellman parameters file "
9
++                "(`/path/to/file' - PEM or DER encoded)")
10
+     SSL_CMD_SRV(CertificateChainFile, TAKE1,
11
+                 "SSL Server CA Certificate Chain file "
12
+                 "(`/path/to/file' - PEM encoded)")
13
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c httpd-2.2.14.new/modules/ssl/ssl_engine_config.c
14
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c	2009-05-19 13:44:59.000000000 +0200
15
+@@ -72,6 +72,7 @@
16
+     mc->tVHostKeys             = apr_hash_make(pool);
17
+     mc->tPrivateKey            = apr_hash_make(pool);
18
+     mc->tPublicCert            = apr_hash_make(pool);
19
++    mc->tDHParams              = apr_hash_make(pool);
20
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
21
+     mc->szCryptoDevice         = NULL;
22
+ #endif
23
+@@ -156,6 +157,9 @@
24
+     mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
25
+ 
26
+     /* mctx->pks->... certs/keys are set during module init */
27
++
28
++    mctx->pks->dhparams_file = NULL;
29
++    mctx->pks->dhparams     = NULL;
30
+ }
31
+ 
32
+ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
33
+@@ -246,6 +250,7 @@
34
+ 
35
+     cfgMergeString(pks->ca_name_path);
36
+     cfgMergeString(pks->ca_name_file);
37
++    cfgMergeString(pks->dhparams_file);
38
+ }
39
+ 
40
+ /*
41
+@@ -762,6 +767,22 @@
42
+     return NULL;
43
+ }
44
+ 
45
++const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,
46
++    				        void *dcfg,
47
++				        const char *arg)
48
++{
49
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
50
++    const char *err;
51
++
52
++    if ((err = ssl_cmd_check_file(cmd, &arg))) {
53
++        return err;
54
++    }
55
++
56
++    sc->server->pks->dhparams_file = arg;
57
++
58
++    return NULL;
59
++}
60
++
61
+ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
62
+                                           void *dcfg,
63
+                                           const char *arg)
64
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c httpd-2.2.14.new/modules/ssl/ssl_engine_init.c
65
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c	2009-08-16 17:53:12.000000000 +0200
66
+@@ -723,6 +723,42 @@
67
+     }
68
+ }
69
+ 
70
++static int ssl_server_import_dhparams(server_rec *s,
71
++                                      modssl_ctx_t *mctx,
72
++                                      const char *id)
73
++{
74
++    SSLModConfigRec *mc = myModConfig(s);
75
++    ssl_asn1_t *asn1;
76
++    MODSSL_D2I_DHparams_CONST unsigned char *ptr;
77
++    DH *dhparams = NULL;
78
++
79
++    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {
80
++        return FALSE;
81
++    }
82
++
83
++    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
84
++                 "Configuring server Diffie-Hellman parameters");
85
++
86
++    ptr = asn1->cpData;
87
++    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
88
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
89
++                "Unable to import server Diffie-Hellman parameters");
90
++        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
91
++        ssl_die();
92
++    }
93
++
94
++    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {
95
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
96
++                "Unable to configure server Diffie-Hellman parameters");
97
++        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
98
++        ssl_die();
99
++    }
100
++
101
++    mctx->pks->dhparams = dhparams;
102
++
103
++    return TRUE;
104
++}
105
++
106
+ static int ssl_server_import_cert(server_rec *s,
107
+                                   modssl_ctx_t *mctx,
108
+                                   const char *id,
109
+@@ -882,16 +918,18 @@
110
+                                   apr_pool_t *ptemp,
111
+                                   modssl_ctx_t *mctx)
112
+ {
113
+-    const char *rsa_id, *dsa_id;
114
++    const char *rsa_id, *dsa_id, *dh_id;
115
+     const char *vhost_id = mctx->sc->vhost_id;
116
+     int i;
117
+     int have_rsa, have_dsa;
118
+ 
119
+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
120
+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
121
++    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);
122
+ 
123
+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
124
+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
125
++    (void)ssl_server_import_dhparams(s, mctx, dh_id);
126
+ 
127
+     if (!(have_rsa || have_dsa)) {
128
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
129
+@@ -1265,6 +1303,7 @@
130
+         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
131
+                              mctx->pks->keys[i]);
132
+     }
133
++    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);
134
+ }
135
+ 
136
+ apr_status_t ssl_init_ModuleKill(void *data)
137
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c httpd-2.2.14.new/modules/ssl/ssl_engine_pphrase.c
138
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c	2009-09-16 22:06:05.000000000 +0200
139
+@@ -144,6 +144,7 @@
140
+     unsigned char *ucp;
141
+     long int length;
142
+     X509 *pX509Cert;
143
++    DH *pDHParams;
144
+     BOOL bReadable;
145
+     apr_array_header_t *aPassPhrase;
146
+     int nPassPhrase;
147
+@@ -192,8 +193,10 @@
148
+                          pServ->defn_name, pServ->defn_line_number);
149
+             ssl_die();
150
+         }
151
++
152
+         algoCert = SSL_ALGO_UNKNOWN;
153
+         algoKey  = SSL_ALGO_UNKNOWN;
154
++
155
+         for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
156
+ 
157
+             apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
158
+@@ -517,6 +520,45 @@
159
+              */
160
+             EVP_PKEY_free(pPrivateKey);
161
+         }
162
++
163
++	/*
164
++	 * Read in Diffie-Hellman parameters file if such a file is
165
++	 * specified.
166
++	 */
167
++	if (sc->server->pks->dhparams_file) {
168
++            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));
169
++            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
170
++                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
171
++                             "Init: Can't open server Diffie-Hellman parameters file %s",
172
++                             szPath);
173
++                ssl_die();
174
++            }
175
++            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {
176
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
177
++                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);
178
++                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
179
++                ssl_die();
180
++            }
181
++
182
++            /*
183
++	     * Insert the DH params into global module configuration
184
++	     * to let it survive the processing between the 1st Apache
185
++	     * API init round (where we operate here) and the 2nd
186
++	     * Apache init round (where it will be actually used to
187
++	     * configure mod_ssl's per-server configuration
188
++	     * structures).
189
++             */
190
++            cp = asn1_table_vhost_key(mc, p, cpVHostID, "DH");
191
++            length = i2d_DHparams(pDHParams, NULL);
192
++            ucp = ssl_asn1_table_set(mc->tDHParams, cp, length);
193
++            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */
194
++
195
++            /*
196
++             * Free the DH structure
197
++             */
198
++            DH_free(pDHParams);
199
++	}
200
++
201
+     }
202
+ 
203
+     /*
204
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_private.h httpd-2.2.14.new/modules/ssl/ssl_private.h
205
+--- httpd-2.2.14.orig/modules/ssl/ssl_private.h	2009-05-19 13:44:59.000000000 +0200
206
+@@ -378,6 +378,7 @@
207
+     void           *pTmpKeys[SSL_TMP_KEY_MAX];
208
+     apr_hash_t     *tPublicCert;
209
+     apr_hash_t     *tPrivateKey;
210
++    apr_hash_t     *tDHParams;
211
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
212
+     const char     *szCryptoDevice;
213
+ #endif
214
+@@ -394,8 +395,10 @@
215
+      */
216
+     const char  *cert_files[SSL_AIDX_MAX];
217
+     const char  *key_files[SSL_AIDX_MAX];
218
++    const char	*dhparams_file;
219
+     X509        *certs[SSL_AIDX_MAX];
220
+     EVP_PKEY    *keys[SSL_AIDX_MAX];
221
++    DH		*dhparams;
222
+ 
223
+     /** Certificates which specify the set of CA names which should be
224
+      * sent in the CertificateRequest message: */
225
+@@ -510,6 +513,7 @@
226
+ const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
227
+ const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
228
+ const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
229
++const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);
230
+ const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
231
+ const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
232
+ const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
233
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h httpd-2.2.14.new/modules/ssl/ssl_toolkit_compat.h
234
+--- httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h	2009-05-19 13:44:59.000000000 +0200
235
+@@ -100,9 +100,11 @@
236
+ #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
237
+ # define MODSSL_D2I_PrivateKey_CONST const
238
+ # define MODSSL_D2I_X509_CONST const
239
++# define MODSSL_D2I_DHparams_CONST const
240
+ #else
241
+ # define MODSSL_D2I_PrivateKey_CONST
242
+ # define MODSSL_D2I_X509_CONST
243
++# define MODSSL_D2I_DHparams_CONST
244
+ #endif
245
+ 
246
+ #if (OPENSSL_VERSION_NUMBER >= 0x00909000)
247
+@@ -117,8 +119,10 @@
248
+ 
249
+ #if (OPENSSL_VERSION_NUMBER < 0x00904000)
250
+ #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
251
++#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb)
252
+ #else
253
+ #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg)
254
++#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb, arg)
255
+ #endif
256
+ 
257
+ #define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio 
258
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c httpd-2.2.14.new/modules/ssl/ssl_util_ssl.c
259
+--- httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c	2009-08-06 09:28:47.000000000 +0200
260
+@@ -115,6 +115,47 @@
261
+     return rc;
262
+ }
263
+ 
264
++DH *SSL_read_DHparams(char* filename, DH **DHparams, modssl_read_bio_cb_fn *cb)
265
++{
266
++    DH  *rc;
267
++    BIO *bioS;
268
++    BIO *bioF;
269
++
270
++    /* 1. try PEM (= DER+Base64+headers) */
271
++    if ((bioS=BIO_new_file(filename, "r")) == NULL)
272
++        return NULL;
273
++    rc = modssl_PEM_read_bio_DHparams (bioS, DHparams, cb, NULL);
274
++    BIO_free(bioS);
275
++
276
++    if (rc == NULL) {
277
++        /* 2. try DER+Base64 */
278
++        if ((bioS=BIO_new_file(filename, "r")) == NULL)
279
++            return NULL;
280
++
281
++        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
282
++            BIO_free(bioS);
283
++            return NULL;
284
++        }
285
++        bioS = BIO_push(bioF, bioS);
286
++        rc = d2i_DHparams_bio(bioS, NULL);
287
++        BIO_free_all(bioS);
288
++
289
++        if (rc == NULL) {
290
++            /* 3. try plain DER */
291
++            if ((bioS=BIO_new_file(filename, "r")) == NULL)
292
++                return NULL;
293
++            rc = d2i_DHparams_bio(bioS, NULL);
294
++            BIO_free(bioS);
295
++        }
296
++    }
297
++    if (rc != NULL && DHparams != NULL) {
298
++        if (*DHparams != NULL)
299
++            DH_free(*DHparams);
300
++        *DHparams = rc;
301
++    }
302
++    return rc;
303
++}
304
++
305
+ #if SSL_LIBRARY_VERSION <= 0x00904100
306
+ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
307
+ {