On Mon, Feb 01, 2016 at 12:56:43PM +0000, Stuart Henderson wrote:
> Based on my memory of dtucker's earlier diff which I OK'd and lost :-)

Below is the patch for reference (after some more turd polishing on my
part).  I also had second thoughts about generating it at build time for
reasons of slowness and fingerprinting potential and never got back to it.

> This updates the baked-in DH params of the apache 1.3 port for people
> who haven't been able to migrate to a supported http server yet.
> There's an explanation in the comment in the patch header.
[...]
> +The whole source file can be run as a perl script (note it uses
> +indent(1) and .indent.pro files in your $HOME affect formatting).

My diff cd'ed to and setenv'ed HOME to the build working dir to avoid
those dependencies (based on what the FreeBSD port did):

(cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)

Index: www/apache-httpd-openbsd/Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- www/apache-httpd-openbsd/Makefile   17 Jul 2015 23:58:25 -0000      1.10
+++ www/apache-httpd-openbsd/Makefile   2 Feb 2016 03:01:22 -0000
@@ -3,7 +3,7 @@
 COMMENT=       OpenBSD improved and secured version of Apache 1.3
 
 DISTNAME=      apache-httpd-openbsd-1.3.20140502
-REVISION=      4
+REVISION=      5
 CATEGORIES=    www
 
 HOMEPAGE=      https://github.com/fobser/apache-httpd-openbsd
@@ -24,6 +24,7 @@ RUN_DEPENDS=  www/apache-httpd,-common
 
 do-configure:
        @${SUBST_CMD} ${WRKSRC}/config.layout ${WRKSRC}/Makefile.bsd-wrapper
+       (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl 
ssl_engine_dh.c)
 
 post-install:
 .for i in httpd.conf mime.types magic
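Review bot: the do-configure addition makes the build depend on openssl(1), indent(1) and expand(1) being present at configure time, and because the parameters are generated fresh on every build, two builds of REVISION 5 will ship different baked-in DH primes, which is exactly the fingerprinting/reproducibility concern raised above the patch; if that is acceptable it should be stated in the patch header so a future "why does this package differ between builds" question has an answer. Also note the `perl ssl_engine_dh.c` line is wrapped across two lines here in the mail, so the hunk needs the line rejoined before it will apply cleanly.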
Index: www/apache-httpd-openbsd/patches/patch-gendh
===================================================================
RCS file: www/apache-httpd-openbsd/patches/patch-gendh
diff -N www/apache-httpd-openbsd/patches/patch-gendh
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ www/apache-httpd-openbsd/patches/patch-gendh        2 Feb 2016 03:01:22 
-0000
@@ -0,0 +1,69 @@
+--- src/modules/ssl/ssl_engine_dh.c.orig       Tue Dec  1 17:43:37 2015
++++ src/modules/ssl/ssl_engine_dh.c    Wed Dec  2 10:16:33 2015
+@@ -152,12 +152,10 @@
+ {
+     DH *dh;
+ 
+-    if (nKeyLen == 512)
+-        dh = get_dh512();
+-    else if (nKeyLen == 1024)
++    if (nKeyLen < 1024)
+         dh = get_dh1024();
+     else
+-        dh = get_dh1024();
++        dh = get_dh2048();
+     return dh;
+ }
+ 
+@@ -197,7 +195,7 @@
+ close(FP);
+ 
+ #   generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 1024 and 2048 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages 
+                   /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -207,15 +205,15 @@
+     }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh -out dh1024.pem 1024");
++system("openssl gendh -out dh2048.pem 2048");
+ 
+ #   generate DH param info 
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
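Review bot: dropping `-rand $rand` from both `system("openssl gendh ...")` calls leaves the preceding `$rand` block (the `foreach $file (qw(/var/log/messages ...))` loop and the `$rand = "-rand $rand"` line) as dead code; either remove that block in the same patch or keep passing `$rand`. Separately, neither `system()` return value is checked, and the following `open(FP, "openssl dh ... |") || die` only fails if the fork fails, not if openssl exits non-zero, so a missing or failing openssl at build time would silently produce empty `get_dh1024`/`get_dh2048` sources; a `system(...) == 0 or die` on each gendh call would catch that.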
+@@ -223,10 +221,10 @@
+ 
+ #   generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg;
+@@ -244,8 +242,8 @@
+ close(FP);
+ 
+ #   cleanup
+-unlink("dh512.pem");
+ unlink("dh1024.pem");
++unlink("dh2048.pem");
+ 
+ =pod
+ */

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.