On Tue, May 18, 2021 at 01:21:25PM +0200, Theo Buehler wrote:
> On Tue, May 18, 2021 at 11:45:33AM +0200, Giovanni Bechis wrote:
> > Hi,
> > upcoming Apache httpd doesn't build with LibreSSL because it uses
> > EVP_PKEY_X25519 constants that are not defined on LibreSSL.
> > The following diff works; is it better to add EVP_PKEY_X constants
> > to evp.h instead?
>
> There is more code that would need to be added to libcrypto to make this
> work. We will likely have to add EVP_PKEY_X25519 at some point, but
> libcrypto is not ready. There are currently no plans for X448 support.
>
> With your patch the call to EVP_PKEY_CTX_new_id() will fail. I would
> suggest disabling X25519 and X448 support as follows:
>
Final diff follows; Apache httpd 2.4.48 also fixes some CVEs in mod_proxy
and mod_session.
Full Changelog at https://downloads.apache.org/httpd/CHANGES_2.4.48
ok?
Giovanni
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.107
diff -u -p -r1.107 Makefile
--- Makefile 13 Dec 2020 08:45:14 -0000 1.107
+++ Makefile 1 Jun 2021 22:44:59 -0000
@@ -2,10 +2,9 @@
COMMENT= apache HTTP server
-V= 2.4.46
+V= 2.4.48
DISTNAME= httpd-${V}
PKGNAME= apache-httpd-${V}
-REVISION= 1
CATEGORIES= www net
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/apache-httpd/distinfo,v
retrieving revision 1.35
diff -u -p -r1.35 distinfo
--- distinfo 7 Aug 2020 15:15:37 -0000 1.35
+++ distinfo 1 Jun 2021 22:44:59 -0000
@@ -1,2 +1,2 @@
-SHA256 (httpd-2.4.46.tar.gz) = RLdZzpMtwJDA51wCELRIXr9pg0ZvuMobRGyBaOGhrsI=
-SIZE (httpd-2.4.46.tar.gz) = 9363314
+SHA256 (httpd-2.4.48.tar.gz) = MVwLxQIGuGb7F8LNwowZc3ZajVnKFouAKG6MsHfQUQ4=
+SIZE (httpd-2.4.48.tar.gz) = 9418226
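Review bot: the new SHA256 and SIZE values on the two httpd-2.4.48.tar.gz lines should be confirmed against the checksum and signature upstream publishes for the release, not only against a locally fetched tarball, because these two lines are what the ports build checks the distfile against. Saying in the submission how they were verified would let the committer repeat the check.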
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-configure,v
retrieving revision 1.20
diff -u -p -r1.20 patch-configure
--- patches/patch-configure 31 Mar 2020 14:30:33 -0000 1.20
+++ patches/patch-configure 1 Jun 2021 22:44:59 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-configure,v 1.20 2020/03
Index: configure
--- configure.orig
+++ configure
-@@ -3473,7 +3473,7 @@ do
+@@ -3474,7 +3474,7 @@ do
ap_last="${ap_cur}"
ap_cur=`eval "echo ${ap_cur}"`
done
@@ -12,7 +12,7 @@ Index: configure
APACHE_VAR_SUBST="$APACHE_VAR_SUBST exp_sysconfdir"
-@@ -4679,7 +4679,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
+@@ -4680,7 +4680,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
APR_INCLUDES=`$apr_config --includes`
APR_VERSION=`$apr_config --version`
apr_major_version=`echo ${APR_VERSION} | sed 's,\..*,,'`
Index: patches/patch-modules_md_md_crypt_c
===================================================================
RCS file: patches/patch-modules_md_md_crypt_c
diff -N patches/patch-modules_md_md_crypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_md_md_crypt_c 1 Jun 2021 22:44:59 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+LibreSSL does not expose X25519 via EVP and has no X448 support.
+
+Index: modules/md/md_crypt.c
+--- modules/md/md_crypt.c.orig
++++ modules/md/md_crypt.c
+@@ -797,7 +797,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ curve_nid = NID_X9_62_prime192v1;
+ }
+
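Review bot: the description line at the top of patch-modules_md_md_crypt_c ("LibreSSL does not expose X25519 via EVP and has no X448 support.") gives the reason for the patch but not the condition for dropping it. Since the thread expects EVP_PKEY_X25519 to be added to libcrypto at some point, add a line saying the X25519 part should be revisited then. It would also help to state what a configuration asking for X25519 or X448 now gets from gen_ec, so an administrator sees an error rather than a silently different key type.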