dh parameters
Hanno Böck

Hanno Böck commited on 2012-05-04 11:05:06
Zeige 3 geänderte Dateien mit 318 Einfügungen und 2 Löschungen.

@@ -1,4 +1,5 @@
1 1
 AUX 2.2.22-envvars-std.in 1071 RMD160 4613555ac600a4941ccd43128f98a9f6a95ba57d SHA1 b69dc500bb49fb14c801c6ab130a624c24e4d7fa SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee
2
+AUX apache-2.2.14-staticdhparameters.diff 11745 RMD160 3aa5d2a5fd56b55fbfac372241ed47431146b262 SHA1 ae91f275450cce294f6700bcb12fb7851fd7070f SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df
2 3
 AUX apache-noip.diff 417 RMD160 8e16f7ff130cea52449a25aafbbdeb78919d9eae SHA1 7c19a0236e4eff23bee6e69ee6708a24529a974c SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc
3 4
 AUX apache-tlsext-workaround.diff 395 RMD160 c756f0e935e4392d44c57a202fd73af173b3b9b2 SHA1 f9619250609d4bd1bddc3e28e23f61cfedb93c09 SHA256 ee0b535bc401ae6b4028d4fa238198f067cacab936d69596c4d8b4ca1ea23619
4 5
 AUX httpd-2.2.16-ecc.diff 8236 RMD160 604f1124c168805b7702a6ca4a26ee7004fbab0b SHA1 3badbccc36c21710ef1c60f47963bcc631c00917 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461
@@ -19,5 +20,5 @@ EBUILD apache-2.2.17.ebuild 2800 RMD160 c2aa5d7da738e45373e0cc7339e413bad3557e5a
19 20
 EBUILD apache-2.2.20.ebuild 2787 RMD160 33bcf018695ad8e6ce3beca2e1ce1479b7839f5a SHA1 5cb5d1cc61539e4c1bcb55fee6f5dff3b417bae4 SHA256 85f904c57696b368656837e5b195f8b2210ac703103d1a46ce7801f9983cd9ef
20 21
 EBUILD apache-2.2.21-r1.ebuild 2878 RMD160 aebdac0ad671ac05b1c7bf112a4a4e855012608a SHA1 d0ec2d7e7c4ffa517e6f7102886363f493e4b48c SHA256 e492085938fba74ae3e623f4bc8916986a0260db7666db3dee6fbcdcef71d8d2
21 22
 EBUILD apache-2.2.21.ebuild 2783 RMD160 18b86737a93ad332064e358b4078fea9c078c301 SHA1 7c8c3ac29b59c08823971f663bb4fde46ec9f3f6 SHA256 6695358dcc6ff20aec9508aaa2dca7df1fcbca92250df269a5b810b4dd129e75
22
-EBUILD apache-2.2.22-r1.ebuild 3144 RMD160 c5130c8c6edc5d684048e500d76c440dcf9ed9ef SHA1 1023434f888861822c5095e728b27c966c82b335 SHA256 be789e723540f07ade3e701ea285ce2f7a88c08f191704929eecbcfc4f12d5c2
23
+EBUILD apache-2.2.22-r1.ebuild 3206 RMD160 2fe9d60ea36de0540bce18cba003a4c18191802a SHA1 3e26be46b7480b5cf2e4341f37c7ea81002062d7 SHA256 4c72b2164c32c34e85c6a8e99c68464e5505eeb79bf94eed7ad1d62ba2045c0e
23 24
 EBUILD apache-2.2.22.ebuild 3001 RMD160 aa73c429658766b1ff9361259939794d8f267d78 SHA1 03d45671feb3621197c4a7c3d2e5550df7386db5 SHA256 cf930cea2f7e8a8bd2f7cabe7de9ecf56efb33d10bd3fe2d70acaa6e86cebb0c
@@ -105,7 +105,8 @@ RDEPEND="${RDEPEND}
105 105
 # init script fixup - should be rolled into next tarball #389965
106 106
 src_prepare() {
107 107
 	epatch "${FILESDIR}"/apache-noip.diff
108
-	epatch "${FILESDIR}"/httpd-2.2.16-ecc.diff
108
+	#epatch "${FILESDIR}"/httpd-2.2.16-ecc.diff
109
+	#epatch "${FILESDIR}"/apache-2.2.14-staticdhparameters.diff
109 110
 	apache-2_src_prepare
110 111
 	sed -i -e 's/! test -f/test -f/' "${GENTOO_PATCHDIR}"/init/apache2.initd || die "Failed to fix init script"
111 112
 	cp ${FILESDIR}/2.2.22-envvars-std.in ${S}/support/envvars-std.in || die "Failed to apply LD_PRELOAD fix"
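Review bot: The new patch is shipped but never applied: the hunk adds apache-2.2.14-staticdhparameters.diff to the Manifest, yet the only line that would use it, `#epatch "${FILESDIR}"/apache-2.2.14-staticdhparameters.diff`, is commented out, so the SSLDHParametersFile directive that patch introduces will not exist in the built mod_ssl. The same hunk also comments out the previously active `epatch "${FILESDIR}"/httpd-2.2.16-ecc.diff`, which silently drops whatever that patch provided without any mention in the commit message. If this is a deliberate staging step (the patch is written against httpd 2.2.14 and may not apply to 2.2.22), replace the two dead lines with a comment that says so, e.g. `# TODO: staticdhparameters.diff and ecc.diff need rebasing onto 2.2.22 before they can be applied`; otherwise re-enable them. src_prepare's body continues outside the hunk.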
@@ -0,0 +1,314 @@
1
+diff -ru httpd-2.2.14.orig/modules/ssl/mod_ssl.c httpd-2.2.14.new/modules/ssl/mod_ssl.c
2
+--- httpd-2.2.14.orig/modules/ssl/mod_ssl.c	2009-05-19 13:44:59.000000000 +0200
3
++++ httpd-2.2.14.new/modules/ssl/mod_ssl.c	2010-07-06 11:56:50.897588899 +0200
4
+@@ -108,6 +108,9 @@
5
+     SSL_CMD_SRV(CertificateKeyFile, TAKE1,
6
+                 "SSL Server Private Key file "
7
+                 "(`/path/to/file' - PEM or DER encoded)")
8
++    SSL_CMD_SRV(DHParametersFile, TAKE1,
9
++                "SSL Server Diffie-Hellman parameters file "
10
++                "(`/path/to/file' - PEM or DER encoded)")
11
+     SSL_CMD_SRV(CertificateChainFile, TAKE1,
12
+                 "SSL Server CA Certificate Chain file "
13
+                 "(`/path/to/file' - PEM encoded)")
14
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c httpd-2.2.14.new/modules/ssl/ssl_engine_config.c
15
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c	2009-05-19 13:44:59.000000000 +0200
16
++++ httpd-2.2.14.new/modules/ssl/ssl_engine_config.c	2010-07-06 11:56:50.897588899 +0200
17
+@@ -72,6 +72,7 @@
18
+     mc->tVHostKeys             = apr_hash_make(pool);
19
+     mc->tPrivateKey            = apr_hash_make(pool);
20
+     mc->tPublicCert            = apr_hash_make(pool);
21
++    mc->tDHParams              = apr_hash_make(pool);
22
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
23
+     mc->szCryptoDevice         = NULL;
24
+ #endif
25
+@@ -156,6 +157,9 @@
26
+     mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
27
+ 
28
+     /* mctx->pks->... certs/keys are set during module init */
29
++
30
++    mctx->pks->dhparams_file = NULL;
31
++    mctx->pks->dhparams     = NULL;
32
+ }
33
+ 
34
+ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
35
+@@ -246,6 +250,7 @@
36
+ 
37
+     cfgMergeString(pks->ca_name_path);
38
+     cfgMergeString(pks->ca_name_file);
39
++    cfgMergeString(pks->dhparams_file);
40
+ }
41
+ 
42
+ /*
43
+@@ -762,6 +767,22 @@
44
+     return NULL;
45
+ }
46
+ 
47
++const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,
48
++    				        void *dcfg,
49
++				        const char *arg)
50
++{
51
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
52
++    const char *err;
53
++
54
++    if ((err = ssl_cmd_check_file(cmd, &arg))) {
55
++        return err;
56
++    }
57
++
58
++    sc->server->pks->dhparams_file = arg;
59
++
60
++    return NULL;
61
++}
62
++
63
+ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
64
+                                           void *dcfg,
65
+                                           const char *arg)
66
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c httpd-2.2.14.new/modules/ssl/ssl_engine_init.c
67
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c	2009-08-16 17:53:12.000000000 +0200
68
++++ httpd-2.2.14.new/modules/ssl/ssl_engine_init.c	2010-07-06 11:56:50.897588899 +0200
69
+@@ -723,6 +723,42 @@
70
+     }
71
+ }
72
+ 
73
++static int ssl_server_import_dhparams(server_rec *s,
74
++                                      modssl_ctx_t *mctx,
75
++                                      const char *id)
76
++{
77
++    SSLModConfigRec *mc = myModConfig(s);
78
++    ssl_asn1_t *asn1;
79
++    MODSSL_D2I_DHparams_CONST unsigned char *ptr;
80
++    DH *dhparams = NULL;
81
++
82
++    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {
83
++        return FALSE;
84
++    }
85
++
86
++    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
87
++                 "Configuring server Diffie-Hellman parameters");
88
++
89
++    ptr = asn1->cpData;
90
++    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
91
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
92
++                "Unable to import server Diffie-Hellman parameters");
93
++        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
94
++        ssl_die();
95
++    }
96
++
97
++    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {
98
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
99
++                "Unable to configure server Diffie-Hellman parameters");
100
++        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
101
++        ssl_die();
102
++    }
103
++
104
++    mctx->pks->dhparams = dhparams;
105
++
106
++    return TRUE;
107
++}
108
++
109
+ static int ssl_server_import_cert(server_rec *s,
110
+                                   modssl_ctx_t *mctx,
111
+                                   const char *id,
112
+@@ -882,16 +918,18 @@
113
+                                   apr_pool_t *ptemp,
114
+                                   modssl_ctx_t *mctx)
115
+ {
116
+-    const char *rsa_id, *dsa_id;
117
++    const char *rsa_id, *dsa_id, *dh_id;
118
+     const char *vhost_id = mctx->sc->vhost_id;
119
+     int i;
120
+     int have_rsa, have_dsa;
121
+ 
122
+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
123
+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
124
++    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);
125
+ 
126
+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
127
+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
128
++    (void)ssl_server_import_dhparams(s, mctx, dh_id);
129
+ 
130
+     if (!(have_rsa || have_dsa)) {
131
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
132
+@@ -1265,6 +1303,7 @@
133
+         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
134
+                              mctx->pks->keys[i]);
135
+     }
136
++    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);
137
+ }
138
+ 
139
+ apr_status_t ssl_init_ModuleKill(void *data)
140
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c httpd-2.2.14.new/modules/ssl/ssl_engine_pphrase.c
141
+--- httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c	2009-09-16 22:06:05.000000000 +0200
142
++++ httpd-2.2.14.new/modules/ssl/ssl_engine_pphrase.c	2010-07-06 11:56:50.897588899 +0200
143
+@@ -144,6 +144,7 @@
144
+     unsigned char *ucp;
145
+     long int length;
146
+     X509 *pX509Cert;
147
++    DH *pDHParams;
148
+     BOOL bReadable;
149
+     apr_array_header_t *aPassPhrase;
150
+     int nPassPhrase;
151
+@@ -192,8 +193,10 @@
152
+                          pServ->defn_name, pServ->defn_line_number);
153
+             ssl_die();
154
+         }
155
++
156
+         algoCert = SSL_ALGO_UNKNOWN;
157
+         algoKey  = SSL_ALGO_UNKNOWN;
158
++
159
+         for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
160
+ 
161
+             apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
162
+@@ -517,6 +520,45 @@
163
+              */
164
+             EVP_PKEY_free(pPrivateKey);
165
+         }
166
++
167
++	/*
168
++	 * Read in Diffie-Hellman parameters file if such a file is
169
++	 * specified.
170
++	 */
171
++	if (sc->server->pks->dhparams_file) {
172
++            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));
173
++            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
174
++                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
175
++                             "Init: Can't open server Diffie-Hellman parameters file %s",
176
++                             szPath);
177
++                ssl_die();
178
++            }
179
++            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {
180
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
181
++                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);
182
++                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
183
++                ssl_die();
184
++            }
185
++
186
++            /*
187
++	     * Insert the DH params into global module configuration
188
++	     * to let it survive the processing between the 1st Apache
189
++	     * API init round (where we operate here) and the 2nd
190
++	     * Apache init round (where it will be actually used to
191
++	     * configure mod_ssl's per-server configuration
192
++	     * structures).
193
++             */
194
++            cp = asn1_table_vhost_key(mc, p, cpVHostID, "DH");
195
++            length = i2d_DHparams(pDHParams, NULL);
196
++            ucp = ssl_asn1_table_set(mc->tDHParams, cp, length);
197
++            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */
198
++
199
++            /*
200
++             * Free the DH structure
201
++             */
202
++            DH_free(pDHParams);
203
++	}
204
++
205
+     }
206
+ 
207
+     /*
208
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_private.h httpd-2.2.14.new/modules/ssl/ssl_private.h
209
+--- httpd-2.2.14.orig/modules/ssl/ssl_private.h	2009-05-19 13:44:59.000000000 +0200
210
++++ httpd-2.2.14.new/modules/ssl/ssl_private.h	2010-07-06 11:56:50.897588899 +0200
211
+@@ -378,6 +378,7 @@
212
+     void           *pTmpKeys[SSL_TMP_KEY_MAX];
213
+     apr_hash_t     *tPublicCert;
214
+     apr_hash_t     *tPrivateKey;
215
++    apr_hash_t     *tDHParams;
216
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
217
+     const char     *szCryptoDevice;
218
+ #endif
219
+@@ -394,8 +395,10 @@
220
+      */
221
+     const char  *cert_files[SSL_AIDX_MAX];
222
+     const char  *key_files[SSL_AIDX_MAX];
223
++    const char	*dhparams_file;
224
+     X509        *certs[SSL_AIDX_MAX];
225
+     EVP_PKEY    *keys[SSL_AIDX_MAX];
226
++    DH		*dhparams;
227
+ 
228
+     /** Certificates which specify the set of CA names which should be
229
+      * sent in the CertificateRequest message: */
230
+@@ -510,6 +513,7 @@
231
+ const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
232
+ const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
233
+ const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
234
++const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);
235
+ const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
236
+ const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
237
+ const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
238
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h httpd-2.2.14.new/modules/ssl/ssl_toolkit_compat.h
239
+--- httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h	2009-05-19 13:44:59.000000000 +0200
240
++++ httpd-2.2.14.new/modules/ssl/ssl_toolkit_compat.h	2010-07-06 11:56:50.897588899 +0200
241
+@@ -100,9 +100,11 @@
242
+ #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
243
+ # define MODSSL_D2I_PrivateKey_CONST const
244
+ # define MODSSL_D2I_X509_CONST const
245
++# define MODSSL_D2I_DHparams_CONST const
246
+ #else
247
+ # define MODSSL_D2I_PrivateKey_CONST
248
+ # define MODSSL_D2I_X509_CONST
249
++# define MODSSL_D2I_DHparams_CONST
250
+ #endif
251
+ 
252
+ #if (OPENSSL_VERSION_NUMBER >= 0x00909000)
253
+@@ -117,8 +119,10 @@
254
+ 
255
+ #if (OPENSSL_VERSION_NUMBER < 0x00904000)
256
+ #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
257
++#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb)
258
+ #else
259
+ #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg)
260
++#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb, arg)
261
+ #endif
262
+ 
263
+ #define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio 
264
+diff -ru httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c httpd-2.2.14.new/modules/ssl/ssl_util_ssl.c
265
+--- httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c	2009-08-06 09:28:47.000000000 +0200
266
++++ httpd-2.2.14.new/modules/ssl/ssl_util_ssl.c	2010-07-06 11:56:50.897588899 +0200
267
+@@ -115,6 +115,47 @@
268
+     return rc;
269
+ }
270
+ 
271
++DH *SSL_read_DHparams(char* filename, DH **DHparams, modssl_read_bio_cb_fn *cb)
272
++{
273
++    DH  *rc;
274
++    BIO *bioS;
275
++    BIO *bioF;
276
++
277
++    /* 1. try PEM (= DER+Base64+headers) */
278
++    if ((bioS=BIO_new_file(filename, "r")) == NULL)
279
++        return NULL;
280
++    rc = modssl_PEM_read_bio_DHparams (bioS, DHparams, cb, NULL);
281
++    BIO_free(bioS);
282
++
283
++    if (rc == NULL) {
284
++        /* 2. try DER+Base64 */
285
++        if ((bioS=BIO_new_file(filename, "r")) == NULL)
286
++            return NULL;
287
++
288
++        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
289
++            BIO_free(bioS);
290
++            return NULL;
291
++        }
292
++        bioS = BIO_push(bioF, bioS);
293
++        rc = d2i_DHparams_bio(bioS, NULL);
294
++        BIO_free_all(bioS);
295
++
296
++        if (rc == NULL) {
297
++            /* 3. try plain DER */
298
++            if ((bioS=BIO_new_file(filename, "r")) == NULL)
299
++                return NULL;
300
++            rc = d2i_DHparams_bio(bioS, NULL);
301
++            BIO_free(bioS);
302
++        }
303
++    }
304
++    if (rc != NULL && DHparams != NULL) {
305
++        if (*DHparams != NULL)
306
++            DH_free(*DHparams);
307
++        *DHparams = rc;
308
++    }
309
++    return rc;
310
++}
311
++
312
+ #if SSL_LIBRARY_VERSION <= 0x00904100
313
+ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
314
+ {
0 315
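Review bot: `SSL_read_DHparams` frees the object it is about to return whenever it is called with a non-NULL `DHparams`: the PEM attempt passes the caller's out-pointer into `modssl_PEM_read_bio_DHparams (bioS, DHparams, cb, NULL)`, so on success `*DHparams` already equals `rc`, and the trailing `if (*DHparams != NULL) DH_free(*DHparams); *DHparams = rc;` then frees `rc` and hands the freed pointer back; the two DER fallbacks pass `NULL` to `d2i_DHparams_bio`, so only the PEM path is affected. The one visible caller in ssl_engine_pphrase.c passes `NULL`, so this is latent today, but the fix is to pass `NULL` there as the DER branches already do: `rc = modssl_PEM_read_bio_DHparams(bioS, NULL, cb, NULL);`. Separately, `ssl_server_import_dhparams` hands whatever `d2i_DHparams` decoded straight to `SSL_CTX_set_tmp_dh` with no sanity check, so a parameters file with a composite `p`, an unsuitable generator or a tiny modulus is accepted silently and then used for every handshake; I would run `DH_check()` after decoding and refuse on `DH_CHECK_P_NOT_PRIME`/`DH_NOT_SUITABLE_GENERATOR`, and consider a minimum-size check on `BN_num_bits(dhparams->p)` as well (this patch targets pre-1.1 OpenSSL, where the `DH` fields are still directly accessible, so that should compile here — verify against the toolkit version the ebuild builds with). The pphrase hunk also mixes tabs and spaces in the new block, which is worth normalising to the file's four-space style before this goes upstream.
```c
static int ssl_server_import_dhparams(server_rec *s,
                                      modssl_ctx_t *mctx,
                                      const char *id)
{
    /* … unchanged: table lookup, debug log, d2i_DHparams() … */
    int codes = 0;
    if (!DH_check(dhparams, &codes) ||
        (codes & (DH_CHECK_P_NOT_PRIME | DH_NOT_SUITABLE_GENERATOR))) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Server Diffie-Hellman parameters failed DH_check() (codes 0x%x)",
                codes);
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
    /* … unchanged: SSL_CTX_set_tmp_dh(), pks->dhparams assignment, return TRUE … */
```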