On Sun, Nov 13, 2022 at 03:31:03PM +0100, Theo Buehler wrote: > Now that libcrypto ships with Ed25519 support and X25519 support in EVP, > we can enable it in httpd. Ed448 is still not supported. > > Also, do not use a dubious-quality ASN1_TIME_diff() implementation from > stackoverflow, use the one from libcrypto instead (which has been > available since LibreSSL 3.6). > > Regen patches while there. > > I have only compile-tested this. > sure, ok giovanni@ Thanks Giovanni
> PS: The unconditional setting of OPENSSL_NO_CT for LibreSSL in > md_crypt.c is also iffy (CT is available since LibreSSL 3.5). Let's > leave that for another day. > >
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/Makefile,v
> retrieving revision 1.118
> diff -u -p -r1.118 Makefile
> --- Makefile 9 Jun 2022 07:05:50 -0000 1.118
> +++ Makefile 13 Nov 2022 14:20:02 -0000
> @@ -3,6 +3,7 @@ COMMENT= apache HTTP server
> V= 2.4.54
> DISTNAME= httpd-${V}
> PKGNAME= apache-httpd-${V}
> +REVISION= 0
> 
> CATEGORIES= www net
> 
> Index: patches/patch-configure
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd/patches/patch-configure,v
> retrieving revision 1.23
> diff -u -p -r1.23 patch-configure
> --- patches/patch-configure 11 Mar 2022 20:09:37 -0000 1.23
> +++ patches/patch-configure 13 Nov 2022 14:20:02 -0000
> @@ -1,7 +1,7 @@
> Index: configure
> --- configure.orig
> +++ configure
> -@@ -3462,7 +3462,7 @@ do
> +@@ -3472,7 +3472,7 @@ do
> ap_last="${ap_cur}"
> ap_cur=`eval "echo ${ap_cur}"`
> done
> @@ -10,7 +10,7 @@ Index: configure
> 
> 
> APACHE_VAR_SUBST="$APACHE_VAR_SUBST exp_sysconfdir"
> -@@ -4668,7 +4668,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
> +@@ -4678,7 +4678,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
> APR_INCLUDES=`$apr_config --includes`
> APR_VERSION=`$apr_config --version`
> apr_major_version=`echo ${APR_VERSION} | sed 's,\..*,,'`
> Index: patches/patch-modules_md_md_crypt_c
> ===================================================================
> RCS file: patches/patch-modules_md_md_crypt_c
> diff -N patches/patch-modules_md_md_crypt_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-modules_md_md_crypt_c 13 Nov 2022 14:24:25 -0000
> @@ -0,0 +1,35 @@ > +Hunk 1: LibreSSL 3.6.0 and later have ASN1_TIME_diff() > +Hunks 2 and 3: LibreSSL 3.7.0 and later have X25519 support in EVP > +Index: modules/md/md_crypt.c > +--- modules/md/md_crypt.c.orig > ++++ modules/md/md_crypt.c > +@@ -210,7 +210,8 @@ static int pem_passwd(char *buf, int size, int rwflag, > + */ > + static apr_time_t md_asn1_time_get(const ASN1_TIME* time) > + { > +-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) > ++#if OPENSSL_VERSION_NUMBER < 0x10002000L || > (defined(LIBRESSL_VERSION_NUMBER) && \ > ++ LIBRESSL_VERSION_NUMBER < > 0x3060000fL) > + /* courtesy: > https://stackoverflow.com/questions/10975542/asn1-time-to-time-t-conversion#11263731 > + * all bugs are mine */ > + apr_time_exp_t t; > +@@ -854,7 +855,8 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool > + curve = EC_curve_nid2nist(curve_nid); > + } > + #endif > +-#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER) > ++#if defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || \ > ++ LIBRESSL_VERSION_NUMBER >= 0x3070000fL) > + if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) { > + curve_nid = NID_X25519; > + curve = EC_curve_nid2nist(curve_nid); > +@@ -872,7 +874,8 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool > + *ppkey = make_pkey(p); > + switch (curve_nid) { > + > +-#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER) > ++#if defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || \ > ++ LIBRESSL_VERSION_NUMBER >= 0x3070000fL) > + case NID_X25519: > + /* no parameters */ > + if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL)) > Index: patches/patch-modules_ssl_ssl_engine_init_c > =================================================================== > RCS file: > /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c,v > retrieving revision 1.20 > diff -u -p -r1.20 patch-modules_ssl_ssl_engine_init_c > --- patches/patch-modules_ssl_ssl_engine_init_c 11 
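Review bot: The X25519 gate `defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x3070000fL)` is now spelled out twice inside gen_ec (hunks 2 and 3), so a later change to the threshold can leave the curve-name lookup and the `case NID_X25519:` branch disagreeing; hoisting it once near the includes as `#if defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x3070000fL)` / `#define MD_HAVE_EVP_X25519 1` / `#endif` (suggested name) and testing `#ifdef MD_HAVE_EVP_X25519` at both sites keeps them in lock-step. As this is a ports patch the minimal form may be preferred here, with the consolidation sent upstream instead. In hunk 1 the hand-rolled ASN1_TIME conversion is still compiled for LibreSSL before 3.6.0, and the patch header explaining that does not travel into md_crypt.c, so a comment such as `/* LibreSSL < 3.6.0 lacks ASN1_TIME_diff(); fallback kept only for those releases */` above the retained block would help the next reader. gen_ec's body continues past the end of hunk 3.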
Mar 2022 20:09:38 > -0000 1.20 > +++ patches/patch-modules_ssl_ssl_engine_init_c 13 Nov 2022 14:20:02 > -0000 > @@ -1,7 +1,7 @@ > Index: modules/ssl/ssl_engine_init.c > --- modules/ssl/ssl_engine_init.c.orig > +++ modules/ssl/ssl_engine_init.c > -@@ -1601,7 +1601,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s > +@@ -1681,7 +1681,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s > X509_STORE_CTX *sctx; > X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); > > Index: patches/patch-modules_ssl_ssl_private_h > =================================================================== > RCS file: > /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_private_h,v > retrieving revision 1.10 > diff -u -p -r1.10 patch-modules_ssl_ssl_private_h > --- patches/patch-modules_ssl_ssl_private_h 11 Mar 2022 20:09:38 -0000 > 1.10 > +++ patches/patch-modules_ssl_ssl_private_h 13 Nov 2022 14:20:02 -0000 > @@ -1,7 +1,7 @@ > Index: modules/ssl/ssl_private.h > --- modules/ssl/ssl_private.h.orig > +++ modules/ssl/ssl_private.h > -@@ -230,9 +230,11 @@ > +@@ -232,9 +232,11 @@ > #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 > #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 > #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192