apache-httpd-openbsd: new DH params

apache-httpd-openbsd: new DH params

Stuart Henderson-6
Based on my memory of dtucker's earlier diff which I OK'd and lost :-)
This updates the baked-in DH params of the apache 1.3 port for people
who haven't been able to migrate to a supported http server yet.
There's an explanation in the comment in the patch header.

OK?

Note that presence of this port is starting to cause problems
with other ports, it is quite likely to be retired after 5.9 release.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v
retrieving revision 1.12
diff -u -p -r1.12 Makefile
--- Makefile 30 Dec 2015 10:22:33 -0000 1.12
+++ Makefile 1 Feb 2016 12:51:59 -0000
@@ -3,7 +3,7 @@
 COMMENT= OpenBSD improved and secured version of Apache 1.3
 
 DISTNAME= apache-httpd-openbsd-1.3.20140502
-REVISION= 6
+REVISION= 7
 CATEGORIES= www
 
 HOMEPAGE= https://github.com/fobser/apache-httpd-openbsd
Index: patches/patch-src_modules_ssl_ssl_engine_dh_c
===================================================================
RCS file: patches/patch-src_modules_ssl_ssl_engine_dh_c
diff -N patches/patch-src_modules_ssl_ssl_engine_dh_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_modules_ssl_ssl_engine_dh_c 1 Feb 2016 12:51:59 -0000
@@ -0,0 +1,154 @@
+$OpenBSD$
+
+Replace baked-in DH parameters with new ones. ("Logjam" attack).
+The whole source file can be run as a perl script (note it uses
+indent(1) and .indent.pro files in your $HOME affect formatting).
+This is not done at build time to avoid a means of fingerprinting
+the build/arch/etc.
+
+These are still only 1024 bit to avoid adjusting logic to do with
+export ciphers (they're no longer supported by LibreSSL anyway,
+but that's a bigger change than desirable for this port which
+is on life-support anyway).
+
+USERS OF THIS PORT ARE STRONGLY ENCOURAGED TO MIGRATE THEIR
+CONFIGURATION TO ALTERNATIVE SERVER SOFTWARE.
+
+--- src/modules/ssl/ssl_engine_dh.c.orig Sat Apr 26 14:51:13 2014
++++ src/modules/ssl/ssl_engine_dh.c Mon Feb  1 12:42:33 2016
+@@ -67,43 +67,42 @@
+ /* ----BEGIN GENERATED SECTION-------- */
+
+ /*
+-** Diffie-Hellman-Parameters: (512 bit)
+-**     prime:
+-**         00:d4:bc:d5:24:06:f6:9b:35:99:4b:88:de:5d:b8:
+-**         96:82:c8:15:7f:62:d8:f3:36:33:ee:57:72:f1:1f:
+-**         05:ab:22:d6:b5:14:5b:9f:24:1e:5a:cc:31:ff:09:
+-**         0a:4b:c7:11:48:97:6f:76:79:50:94:e7:1e:79:03:
+-**         52:9f:5a:82:4b
+-**     generator: 2 (0x2)
+-** Diffie-Hellman-Parameters: (1024 bit)
+-**     prime:
+-**         00:e6:96:9d:3d:49:5b:e3:2c:7c:f1:80:c3:bd:d4:
+-**         79:8e:91:b7:81:82:51:bb:05:5e:2a:20:64:90:4a:
+-**         79:a7:70:fa:15:a2:59:cb:d5:23:a6:a6:ef:09:c4:
+-**         30:48:d5:a2:2f:97:1f:3c:20:12:9b:48:00:0e:6e:
+-**         dd:06:1c:bc:05:3e:37:1d:79:4e:53:27:df:61:1e:
+-**         bb:be:1b:ac:9b:5c:60:44:cf:02:3d:76:e0:5e:ea:
+-**         9b:ad:99:1b:13:a6:3c:97:4e:9e:f1:83:9e:b5:db:
+-**         12:51:36:f7:26:2e:56:a8:87:15:38:df:d8:23:c6:
+-**         50:50:85:e2:1f:0d:d5:c8:6b
+-**     generator: 2 (0x2)
++**     PKCS#3 DH Parameters: (512 bit)
++**         prime:
++**             00:d3:9e:43:c4:21:05:a4:94:3a:28:c0:c0:2b:4c:
++**             45:d9:89:d8:17:e6:73:7a:32:5b:f2:5a:f3:51:b8:
++**             ec:ee:34:3a:76:1a:43:63:38:5e:6c:bc:63:2c:41:
++**             81:50:7a:ff:69:a9:f0:ba:ca:5a:61:f7:01:d7:db:
++**             cc:9f:5e:33:83
++**         generator: 2 (0x2)
++**     PKCS#3 DH Parameters: (1024 bit)
++**         prime:
++**             00:8b:23:e7:d5:7b:42:16:0f:b3:e3:36:89:de:ca:
++**             eb:0f:6b:44:e6:96:78:81:5c:89:55:55:10:c3:73:
++**             d6:5d:3a:30:b3:3f:b5:c6:12:f4:6d:16:f6:55:24:
++**             4e:92:1e:c8:d1:da:18:27:ce:d3:98:cf:7c:3d:f0:
++**             77:ea:d6:8f:e4:24:b4:67:4a:7d:9c:e2:83:bc:e9:
++**             16:a5:3f:01:f1:4f:e4:1a:51:2f:50:66:4b:b4:12:
++**             4a:5e:c9:43:e0:54:85:c3:93:57:b3:43:0f:20:f7:
++**             32:14:d1:79:11:c2:fb:c5:a4:ea:34:3b:f2:eb:f3:
++**             c1:8b:37:01:a6:61:04:cb:c3
++**         generator: 2 (0x2)
+ */
+
+-static unsigned char dh512_p[] =
+-{
+-    0xD4, 0xBC, 0xD5, 0x24, 0x06, 0xF6, 0x9B, 0x35, 0x99, 0x4B, 0x88, 0xDE,
+-    0x5D, 0xB8, 0x96, 0x82, 0xC8, 0x15, 0x7F, 0x62, 0xD8, 0xF3, 0x36, 0x33,
+-    0xEE, 0x57, 0x72, 0xF1, 0x1F, 0x05, 0xAB, 0x22, 0xD6, 0xB5, 0x14, 0x5B,
+-    0x9F, 0x24, 0x1E, 0x5A, 0xCC, 0x31, 0xFF, 0x09, 0x0A, 0x4B, 0xC7, 0x11,
+-    0x48, 0x97, 0x6F, 0x76, 0x79, 0x50, 0x94, 0xE7, 0x1E, 0x79, 0x03, 0x52,
+-    0x9F, 0x5A, 0x82, 0x4B,
++static unsigned char dh512_p[] = {
++    0xD3, 0x9E, 0x43, 0xC4, 0x21, 0x05, 0xA4, 0x94, 0x3A, 0x28, 0xC0, 0xC0,
++    0x2B, 0x4C, 0x45, 0xD9, 0x89, 0xD8, 0x17, 0xE6, 0x73, 0x7A, 0x32, 0x5B,
++    0xF2, 0x5A, 0xF3, 0x51, 0xB8, 0xEC, 0xEE, 0x34, 0x3A, 0x76, 0x1A, 0x43,
++    0x63, 0x38, 0x5E, 0x6C, 0xBC, 0x63, 0x2C, 0x41, 0x81, 0x50, 0x7A, 0xFF,
++    0x69, 0xA9, 0xF0, 0xBA, 0xCA, 0x5A, 0x61, 0xF7, 0x01, 0xD7, 0xDB, 0xCC,
++    0x9F, 0x5E, 0x33, 0x83,
+ };
+-static unsigned char dh512_g[] =
+-{
++
++static unsigned char dh512_g[] = {
+     0x02,
+ };
+
+-static DH *get_dh512(void)
++static DH *get_dh512()
+ {
+     DH *dh;
+
+@@ -115,26 +114,25 @@ static DH *get_dh512(void)
+         return (NULL);
+     return (dh);
+ }
+-static unsigned char dh1024_p[] =
+-{
+-    0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
+-    0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
+-    0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59,
+-    0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2,
+-    0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD,
+-    0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF,
+-    0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02,
+-    0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C,
+-    0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7,
+-    0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50,
+-    0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B,
++static unsigned char dh1024_p[] = {
++    0x8B, 0x23, 0xE7, 0xD5, 0x7B, 0x42, 0x16, 0x0F, 0xB3, 0xE3, 0x36, 0x89,
++    0xDE, 0xCA, 0xEB, 0x0F, 0x6B, 0x44, 0xE6, 0x96, 0x78, 0x81, 0x5C, 0x89,
++    0x55, 0x55, 0x10, 0xC3, 0x73, 0xD6, 0x5D, 0x3A, 0x30, 0xB3, 0x3F, 0xB5,
++    0xC6, 0x12, 0xF4, 0x6D, 0x16, 0xF6, 0x55, 0x24, 0x4E, 0x92, 0x1E, 0xC8,
++    0xD1, 0xDA, 0x18, 0x27, 0xCE, 0xD3, 0x98, 0xCF, 0x7C, 0x3D, 0xF0, 0x77,
++    0xEA, 0xD6, 0x8F, 0xE4, 0x24, 0xB4, 0x67, 0x4A, 0x7D, 0x9C, 0xE2, 0x83,
++    0xBC, 0xE9, 0x16, 0xA5, 0x3F, 0x01, 0xF1, 0x4F, 0xE4, 0x1A, 0x51, 0x2F,
++    0x50, 0x66, 0x4B, 0xB4, 0x12, 0x4A, 0x5E, 0xC9, 0x43, 0xE0, 0x54, 0x85,
++    0xC3, 0x93, 0x57, 0xB3, 0x43, 0x0F, 0x20, 0xF7, 0x32, 0x14, 0xD1, 0x79,
++    0x11, 0xC2, 0xFB, 0xC5, 0xA4, 0xEA, 0x34, 0x3B, 0xF2, 0xEB, 0xF3, 0xC1,
++    0x8B, 0x37, 0x01, 0xA6, 0x61, 0x04, 0xCB, 0xC3,
+ };
+-static unsigned char dh1024_g[] =
+-{
++
++static unsigned char dh1024_g[] = {
+     0x02,
+ };
+
+-static DH *get_dh1024(void)
++static DH *get_dh1024()
+ {
+     DH *dh;
+
+@@ -198,17 +196,8 @@ close(FP);
+
+ #   generate the DH parameters
+ print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+-my $rand = '';
+-foreach $file (qw(/var/log/messages /var/adm/messages
+-                  /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+-    if (-f $file) {
+-        $rand = $file     if ($rand eq '');
+-        $rand .= ":$file" if ($rand ne '');
+-    }
+-}
+-$rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh -out dh512.pem 512");
++system("openssl gendh -out dh1024.pem 1024");
+
+ #   generate DH param info
+ my $dhinfo = '';
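
Review bot: in the nested ssl_engine_dh.c hunks at -67,43 and -115,26, the regenerated output changes `static DH *get_dh512(void)` and `static DH *get_dh1024(void)` to `get_dh512()` and `get_dh1024()`, which in C defines the functions without a prototype. Since this file is committed by hand rather than generated at build time, restore `(void)` in both definitions, or have the script's post-processing step do it. The patch header says the parameters are "still only 1024 bit", yet a 512-bit group is regenerated as well; one sentence in the header on why the 512-bit group is retained would make that explicit. In the -198,17 hunk the two `system("openssl gendh ...")` calls remain unchecked, so a failed generation is not caught at that point; testing the return value and calling die would fix that.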

Re: apache-httpd-openbsd: new DH params

Otto Moerbeek
Thanks,

looking at the diff I might just spend the effort moving to a newer
apache or other webserver. I'd like to be able to use different dh
parameters per site. There is also other stuff like sni etc.

        -Otto

On Mon, Feb 01, 2016 at 12:56:43PM +0000, Stuart Henderson wrote:

> Based on my memory of dtucker's earlier diff which I OK'd and lost :-)
> This updates the baked-in DH params of the apache 1.3 port for people
> who haven't been able to migrate to a supported http server yet.
> There's an explanation in the comment in the patch header.
>
> OK?
>
> Note that presence of this port is starting to cause problems
> with other ports, it is quite likely to be retired after 5.9 release.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v
> retrieving revision 1.12
> diff -u -p -r1.12 Makefile
> --- Makefile 30 Dec 2015 10:22:33 -0000 1.12
> +++ Makefile 1 Feb 2016 12:51:59 -0000
> @@ -3,7 +3,7 @@
>  COMMENT= OpenBSD improved and secured version of Apache 1.3
>  
>  DISTNAME= apache-httpd-openbsd-1.3.20140502
> -REVISION= 6
> +REVISION= 7
>  CATEGORIES= www
>  
>  HOMEPAGE= https://github.com/fobser/apache-httpd-openbsd
> Index: patches/patch-src_modules_ssl_ssl_engine_dh_c
> ===================================================================
> RCS file: patches/patch-src_modules_ssl_ssl_engine_dh_c
> diff -N patches/patch-src_modules_ssl_ssl_engine_dh_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_modules_ssl_ssl_engine_dh_c 1 Feb 2016 12:51:59 -0000
> @@ -0,0 +1,154 @@
> +$OpenBSD$
> +
> +Replace baked-in DH parameters with new ones. ("Logjam" attack).
> +The whole source file can be run as a perl script (note it uses
> +indent(1) and .indent.pro files in your $HOME affect formatting).
> +This is not done at build time to avoid a means of fingerprinting
> +the build/arch/etc.
> +
> +These are still only 1024 bit to avoid adjusting logic to do with
> +export ciphers (they're no longer supported by LibreSSL anyway,
> +but that's a bigger change than desirable for this port which
> +is on life-support anyway).
> +
> +USERS OF THIS PORT ARE STRONGLY ENCOURAGED TO MIGRATE THEIR
> +CONFIGURATION TO ALTERNATIVE SERVER SOFTWARE.
> +
> +--- src/modules/ssl/ssl_engine_dh.c.orig Sat Apr 26 14:51:13 2014
> ++++ src/modules/ssl/ssl_engine_dh.c Mon Feb  1 12:42:33 2016
> +@@ -67,43 +67,42 @@
> + /* ----BEGIN GENERATED SECTION-------- */
> +
> + /*
> +-** Diffie-Hellman-Parameters: (512 bit)
> +-**     prime:
> +-**         00:d4:bc:d5:24:06:f6:9b:35:99:4b:88:de:5d:b8:
> +-**         96:82:c8:15:7f:62:d8:f3:36:33:ee:57:72:f1:1f:
> +-**         05:ab:22:d6:b5:14:5b:9f:24:1e:5a:cc:31:ff:09:
> +-**         0a:4b:c7:11:48:97:6f:76:79:50:94:e7:1e:79:03:
> +-**         52:9f:5a:82:4b
> +-**     generator: 2 (0x2)
> +-** Diffie-Hellman-Parameters: (1024 bit)
> +-**     prime:
> +-**         00:e6:96:9d:3d:49:5b:e3:2c:7c:f1:80:c3:bd:d4:
> +-**         79:8e:91:b7:81:82:51:bb:05:5e:2a:20:64:90:4a:
> +-**         79:a7:70:fa:15:a2:59:cb:d5:23:a6:a6:ef:09:c4:
> +-**         30:48:d5:a2:2f:97:1f:3c:20:12:9b:48:00:0e:6e:
> +-**         dd:06:1c:bc:05:3e:37:1d:79:4e:53:27:df:61:1e:
> +-**         bb:be:1b:ac:9b:5c:60:44:cf:02:3d:76:e0:5e:ea:
> +-**         9b:ad:99:1b:13:a6:3c:97:4e:9e:f1:83:9e:b5:db:
> +-**         12:51:36:f7:26:2e:56:a8:87:15:38:df:d8:23:c6:
> +-**         50:50:85:e2:1f:0d:d5:c8:6b
> +-**     generator: 2 (0x2)
> ++**     PKCS#3 DH Parameters: (512 bit)
> ++**         prime:
> ++**             00:d3:9e:43:c4:21:05:a4:94:3a:28:c0:c0:2b:4c:
> ++**             45:d9:89:d8:17:e6:73:7a:32:5b:f2:5a:f3:51:b8:
> ++**             ec:ee:34:3a:76:1a:43:63:38:5e:6c:bc:63:2c:41:
> ++**             81:50:7a:ff:69:a9:f0:ba:ca:5a:61:f7:01:d7:db:
> ++**             cc:9f:5e:33:83
> ++**         generator: 2 (0x2)
> ++**     PKCS#3 DH Parameters: (1024 bit)
> ++**         prime:
> ++**             00:8b:23:e7:d5:7b:42:16:0f:b3:e3:36:89:de:ca:
> ++**             eb:0f:6b:44:e6:96:78:81:5c:89:55:55:10:c3:73:
> ++**             d6:5d:3a:30:b3:3f:b5:c6:12:f4:6d:16:f6:55:24:
> ++**             4e:92:1e:c8:d1:da:18:27:ce:d3:98:cf:7c:3d:f0:
> ++**             77:ea:d6:8f:e4:24:b4:67:4a:7d:9c:e2:83:bc:e9:
> ++**             16:a5:3f:01:f1:4f:e4:1a:51:2f:50:66:4b:b4:12:
> ++**             4a:5e:c9:43:e0:54:85:c3:93:57:b3:43:0f:20:f7:
> ++**             32:14:d1:79:11:c2:fb:c5:a4:ea:34:3b:f2:eb:f3:
> ++**             c1:8b:37:01:a6:61:04:cb:c3
> ++**         generator: 2 (0x2)
> + */
> +
> +-static unsigned char dh512_p[] =
> +-{
> +-    0xD4, 0xBC, 0xD5, 0x24, 0x06, 0xF6, 0x9B, 0x35, 0x99, 0x4B, 0x88, 0xDE,
> +-    0x5D, 0xB8, 0x96, 0x82, 0xC8, 0x15, 0x7F, 0x62, 0xD8, 0xF3, 0x36, 0x33,
> +-    0xEE, 0x57, 0x72, 0xF1, 0x1F, 0x05, 0xAB, 0x22, 0xD6, 0xB5, 0x14, 0x5B,
> +-    0x9F, 0x24, 0x1E, 0x5A, 0xCC, 0x31, 0xFF, 0x09, 0x0A, 0x4B, 0xC7, 0x11,
> +-    0x48, 0x97, 0x6F, 0x76, 0x79, 0x50, 0x94, 0xE7, 0x1E, 0x79, 0x03, 0x52,
> +-    0x9F, 0x5A, 0x82, 0x4B,
> ++static unsigned char dh512_p[] = {
> ++    0xD3, 0x9E, 0x43, 0xC4, 0x21, 0x05, 0xA4, 0x94, 0x3A, 0x28, 0xC0, 0xC0,
> ++    0x2B, 0x4C, 0x45, 0xD9, 0x89, 0xD8, 0x17, 0xE6, 0x73, 0x7A, 0x32, 0x5B,
> ++    0xF2, 0x5A, 0xF3, 0x51, 0xB8, 0xEC, 0xEE, 0x34, 0x3A, 0x76, 0x1A, 0x43,
> ++    0x63, 0x38, 0x5E, 0x6C, 0xBC, 0x63, 0x2C, 0x41, 0x81, 0x50, 0x7A, 0xFF,
> ++    0x69, 0xA9, 0xF0, 0xBA, 0xCA, 0x5A, 0x61, 0xF7, 0x01, 0xD7, 0xDB, 0xCC,
> ++    0x9F, 0x5E, 0x33, 0x83,
> + };
> +-static unsigned char dh512_g[] =
> +-{
> ++
> ++static unsigned char dh512_g[] = {
> +     0x02,
> + };
> +
> +-static DH *get_dh512(void)
> ++static DH *get_dh512()
> + {
> +     DH *dh;
> +
> +@@ -115,26 +114,25 @@ static DH *get_dh512(void)
> +         return (NULL);
> +     return (dh);
> + }
> +-static unsigned char dh1024_p[] =
> +-{
> +-    0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
> +-    0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
> +-    0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59,
> +-    0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2,
> +-    0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD,
> +-    0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF,
> +-    0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02,
> +-    0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C,
> +-    0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7,
> +-    0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50,
> +-    0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B,
> ++static unsigned char dh1024_p[] = {
> ++    0x8B, 0x23, 0xE7, 0xD5, 0x7B, 0x42, 0x16, 0x0F, 0xB3, 0xE3, 0x36, 0x89,
> ++    0xDE, 0xCA, 0xEB, 0x0F, 0x6B, 0x44, 0xE6, 0x96, 0x78, 0x81, 0x5C, 0x89,
> ++    0x55, 0x55, 0x10, 0xC3, 0x73, 0xD6, 0x5D, 0x3A, 0x30, 0xB3, 0x3F, 0xB5,
> ++    0xC6, 0x12, 0xF4, 0x6D, 0x16, 0xF6, 0x55, 0x24, 0x4E, 0x92, 0x1E, 0xC8,
> ++    0xD1, 0xDA, 0x18, 0x27, 0xCE, 0xD3, 0x98, 0xCF, 0x7C, 0x3D, 0xF0, 0x77,
> ++    0xEA, 0xD6, 0x8F, 0xE4, 0x24, 0xB4, 0x67, 0x4A, 0x7D, 0x9C, 0xE2, 0x83,
> ++    0xBC, 0xE9, 0x16, 0xA5, 0x3F, 0x01, 0xF1, 0x4F, 0xE4, 0x1A, 0x51, 0x2F,
> ++    0x50, 0x66, 0x4B, 0xB4, 0x12, 0x4A, 0x5E, 0xC9, 0x43, 0xE0, 0x54, 0x85,
> ++    0xC3, 0x93, 0x57, 0xB3, 0x43, 0x0F, 0x20, 0xF7, 0x32, 0x14, 0xD1, 0x79,
> ++    0x11, 0xC2, 0xFB, 0xC5, 0xA4, 0xEA, 0x34, 0x3B, 0xF2, 0xEB, 0xF3, 0xC1,
> ++    0x8B, 0x37, 0x01, 0xA6, 0x61, 0x04, 0xCB, 0xC3,
> + };
> +-static unsigned char dh1024_g[] =
> +-{
> ++
> ++static unsigned char dh1024_g[] = {
> +     0x02,
> + };
> +
> +-static DH *get_dh1024(void)
> ++static DH *get_dh1024()
> + {
> +     DH *dh;
> +
> +@@ -198,17 +196,8 @@ close(FP);
> +
> + #   generate the DH parameters
> + print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
> +-my $rand = '';
> +-foreach $file (qw(/var/log/messages /var/adm/messages
> +-                  /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
> +-    if (-f $file) {
> +-        $rand = $file     if ($rand eq '');
> +-        $rand .= ":$file" if ($rand ne '');
> +-    }
> +-}
> +-$rand = "-rand $rand" if ($rand ne '');
> +-system("openssl gendh $rand -out dh512.pem 512");
> +-system("openssl gendh $rand -out dh1024.pem 1024");
> ++system("openssl gendh -out dh512.pem 512");
> ++system("openssl gendh -out dh1024.pem 1024");
> +
> + #   generate DH param info
> + my $dhinfo = '';

Re: apache-httpd-openbsd: new DH params

Darren Tucker
In reply to this post by Stuart Henderson-6
On Mon, Feb 01, 2016 at 12:56:43PM +0000, Stuart Henderson wrote:
> Based on my memory of dtucker's earlier diff which I OK'd and lost :-)

Below is the patch for reference (after some more turd polishing on my
part).  I also had second thoughts about generating it at build time for
reasons of slowness and fingerprinting potential and never got back to it.

> This updates the baked-in DH params of the apache 1.3 port for people
> who haven't been able to migrate to a supported http server yet.
> There's an explanation in the comment in the patch header.
[...]
> +The whole source file can be run as a perl script (note it uses
> +indent(1) and .indent.pro files in your $HOME affect formatting).

My diff cd'ed to and setenv'ed HOME to the build working dir to avoid
those dependencies (based on what the FreeBSD port did):

(cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)

Index: www/apache-httpd-openbsd/Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- www/apache-httpd-openbsd/Makefile 17 Jul 2015 23:58:25 -0000 1.10
+++ www/apache-httpd-openbsd/Makefile 2 Feb 2016 03:01:22 -0000
@@ -3,7 +3,7 @@
 COMMENT= OpenBSD improved and secured version of Apache 1.3
 
 DISTNAME= apache-httpd-openbsd-1.3.20140502
-REVISION= 4
+REVISION= 5
 CATEGORIES= www
 
 HOMEPAGE= https://github.com/fobser/apache-httpd-openbsd
@@ -24,6 +24,7 @@ RUN_DEPENDS= www/apache-httpd,-common
 
 do-configure:
  @${SUBST_CMD} ${WRKSRC}/config.layout ${WRKSRC}/Makefile.bsd-wrapper
+ (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)
 
 post-install:
 .for i in httpd.conf mime.types magic
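
Review bot: the `perl ssl_engine_dh.c` line added to do-configure makes every build generate fresh DH groups, so the build gets slower, two builds of the same REVISION no longer produce the same ssl_engine_dh.c, and the openssl and indent(1) commands the script shells out to become configure-time requirements. Generating the parameters once and committing the result as a file under patches/ avoids all three. If build-time generation stays, keep the `HOME=${WRKSRC}` setting so that a .indent.pro in the builder's home directory cannot change the output.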
Index: www/apache-httpd-openbsd/patches/patch-gendh
===================================================================
RCS file: www/apache-httpd-openbsd/patches/patch-gendh
diff -N www/apache-httpd-openbsd/patches/patch-gendh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ www/apache-httpd-openbsd/patches/patch-gendh 2 Feb 2016 03:01:22 -0000
@@ -0,0 +1,69 @@
+--- src/modules/ssl/ssl_engine_dh.c.orig Tue Dec  1 17:43:37 2015
++++ src/modules/ssl/ssl_engine_dh.c Wed Dec  2 10:16:33 2015
+@@ -152,12 +152,10 @@
+ {
+     DH *dh;
+
+-    if (nKeyLen == 512)
+-        dh = get_dh512();
+-    else if (nKeyLen == 1024)
++    if (nKeyLen < 1024)
+         dh = get_dh1024();
+     else
+-        dh = get_dh1024();
++        dh = get_dh2048();
+     return dh;
+ }
+
+@@ -197,7 +195,7 @@
+ close(FP);
+
+ #   generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 1024 and 2048 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+ foreach $file (qw(/var/log/messages /var/adm/messages
+                   /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+@@ -207,15 +205,15 @@
+     }
+ }
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh -out dh1024.pem 1024");
++system("openssl gendh -out dh2048.pem 2048");
+
+ #   generate DH param info
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+ $dhinfo =~ s|^|** |mg;
+@@ -223,10 +221,10 @@
+
+ #   generate C source from DH params
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+ $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg;
+@@ -244,8 +242,8 @@
+ close(FP);
+
+ #   cleanup
+-unlink("dh512.pem");
+ unlink("dh1024.pem");
++unlink("dh2048.pem");
+
+ =pod
+ */
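
Review bot: in the nested -152,12 hunk the new test `if (nKeyLen < 1024)` sends a request for exactly 1024 bits to `get_dh2048()`, where the old code returned the 1024-bit group for that case. If that is intended, a comment on the mapping would help; otherwise the test should be `nKeyLen <= 1024`. In the -207,15 hunk the `gendh` calls no longer pass `$rand`, but the `foreach` loop that builds it and the `$rand = "-rand $rand"` line are left in place as context, so they are now dead code and can be deleted.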

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: apache-httpd-openbsd: new DH params

Stuart Henderson-6
On 2016/02/02 14:10, Darren Tucker wrote:
> On Mon, Feb 01, 2016 at 12:56:43PM +0000, Stuart Henderson wrote:
> > Based on my memory of dtucker's earlier diff which I OK'd and lost :-)
>
> Below is the patch for reference (after some more turd polishing on my
> part).  I also had second thoughts about generating it at build time for
> reasons of slowness and fingerprinting potential and never got back to it.

I have that one, but didn't forward that for those reasons (and
I didn't want to dig into all the implications of changing sizes)
it's the earlier one which updated the 512/1024 hardcoded values
that I didn't keep a copy of and was recreating here.

> > This updates the baked-in DH params of the apache 1.3 port for people
> > who haven't been able to migrate to a supported http server yet.
> > There's an explanation in the comment in the patch header.
> [...]
> > +The whole source file can be run as a perl script (note it uses
> > +indent(1) and .indent.pro files in your $HOME affect formatting).
>
> My diff cd'ed to and setenv'ed HOME to the build working dir to avoid
> those dependencies (based on what the FreeBSD port did):
>
> (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)

Yes, that's definitely needed if it's generated during the build.