Now that libcrypto ships with Ed25519 support and X25519 support in EVP,
we can enable it in httpd. Ed448 is still not supported.

Also, do not use a dubious quality ASN1_TIME_diff() implementation from
stackoverflow, use the one from libcrypto instead (which has been
available since LibreSSL 3.6).

Regen patches while there.

I have only compile-tested this.

PS: The unconditional setting of OPENSSL_NO_CT for LibreSSL in
md_crypt.c is also iffy (CT is available since LibreSSL 3.5). Let's
leave that for another day.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.118
diff -u -p -r1.118 Makefile
--- Makefile    9 Jun 2022 07:05:50 -0000       1.118
+++ Makefile    13 Nov 2022 14:20:02 -0000
@@ -3,6 +3,7 @@ COMMENT=                apache HTTP server
 V=                     2.4.54
 DISTNAME=              httpd-${V}
 PKGNAME=               apache-httpd-${V}
+REVISION=              0
 
 CATEGORIES=            www net
 
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-configure,v
retrieving revision 1.23
diff -u -p -r1.23 patch-configure
--- patches/patch-configure     11 Mar 2022 20:09:37 -0000      1.23
+++ patches/patch-configure     13 Nov 2022 14:20:02 -0000
@@ -1,7 +1,7 @@
 Index: configure
 --- configure.orig
 +++ configure
-@@ -3462,7 +3462,7 @@ do
+@@ -3472,7 +3472,7 @@ do
    ap_last="${ap_cur}"
    ap_cur=`eval "echo ${ap_cur}"`
  done
@@ -10,7 +10,7 @@ Index: configure
  
  
    APACHE_VAR_SUBST="$APACHE_VAR_SUBST exp_sysconfdir"
-@@ -4668,7 +4668,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
+@@ -4678,7 +4678,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
  APR_INCLUDES=`$apr_config --includes`
  APR_VERSION=`$apr_config --version`
  apr_major_version=`echo ${APR_VERSION} | sed 's,\..*,,'`
Index: patches/patch-modules_md_md_crypt_c
===================================================================
RCS file: patches/patch-modules_md_md_crypt_c
diff -N patches/patch-modules_md_md_crypt_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_md_md_crypt_c 13 Nov 2022 14:24:25 -0000
@@ -0,0 +1,35 @@
+Hunk 1: LibreSSL 3.6.0 and later have ASN1_TIME_diff()
+Hunks 2 and 3: LibreSSL 3.7.0 and later have X25519 support in EVP
+Index: modules/md/md_crypt.c
+--- modules/md/md_crypt.c.orig
++++ modules/md/md_crypt.c
+@@ -210,7 +210,8 @@ static int pem_passwd(char *buf, int size, int rwflag,
+  */
+ static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || (defined(LIBRESSL_VERSION_NUMBER) 
&& \
++                                             LIBRESSL_VERSION_NUMBER < 
0x3060000fL)
+     /* courtesy: 
https://stackoverflow.com/questions/10975542/asn1-time-to-time-t-conversion#11263731
+      * all bugs are mine */
+     apr_time_exp_t t;
+@@ -854,7 +855,8 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+         curve = EC_curve_nid2nist(curve_nid);
+     }
+ #endif
+-#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
++#if defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || \
++                            LIBRESSL_VERSION_NUMBER >= 0x3070000fL)
+     if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) {
+         curve_nid = NID_X25519;
+         curve = EC_curve_nid2nist(curve_nid);
+@@ -872,7 +874,8 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+     *ppkey = make_pkey(p);
+     switch (curve_nid) {
+ 
+-#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
++#if defined(NID_X25519) && (!defined(LIBRESSL_VERSION_NUMBER) || \
++                            LIBRESSL_VERSION_NUMBER >= 0x3070000fL)
+     case NID_X25519:
+         /* no parameters */
+         if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL))
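Review bot: The `#else` branch that the @@ -210 hunk newly selects on LibreSSL >= 3.6.0 (the libcrypto ASN1_TIME_diff() path) lies entirely outside the hunk, so nothing visible here shows how its return value is handled, and the cover letter says the change is compile-tested only. Since md_asn1_time_get() presumably feeds certificate validity and renewal timing, a wrong result would not fail loudly but could silently shift when mod_md renews; a single runtime check that a managed domain's notAfter is reported correctly on a LibreSSL >= 3.6 system would confirm the new path before commit. The X25519 gate `(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x3070000fL)` is spelled out verbatim in both the @@ -854 and @@ -872 hunks, which mirrors upstream's existing `#if` style and is acceptable for a port patch, but the two copies must be kept in step on future regens. gen_ec() continues outside the hunk.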
Index: patches/patch-modules_ssl_ssl_engine_init_c
===================================================================
RCS file: 
/cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c,v
retrieving revision 1.20
diff -u -p -r1.20 patch-modules_ssl_ssl_engine_init_c
--- patches/patch-modules_ssl_ssl_engine_init_c 11 Mar 2022 20:09:38 -0000      
1.20
+++ patches/patch-modules_ssl_ssl_engine_init_c 13 Nov 2022 14:20:02 -0000
@@ -1,7 +1,7 @@
 Index: modules/ssl/ssl_engine_init.c
 --- modules/ssl/ssl_engine_init.c.orig
 +++ modules/ssl/ssl_engine_init.c
-@@ -1601,7 +1601,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s
+@@ -1681,7 +1681,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s
      X509_STORE_CTX *sctx;
      X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
  
Index: patches/patch-modules_ssl_ssl_private_h
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_private_h,v
retrieving revision 1.10
diff -u -p -r1.10 patch-modules_ssl_ssl_private_h
--- patches/patch-modules_ssl_ssl_private_h     11 Mar 2022 20:09:38 -0000      
1.10
+++ patches/patch-modules_ssl_ssl_private_h     13 Nov 2022 14:20:02 -0000
@@ -1,7 +1,7 @@
 Index: modules/ssl/ssl_private.h
 --- modules/ssl/ssl_private.h.orig
 +++ modules/ssl/ssl_private.h
-@@ -230,9 +230,11 @@
+@@ -232,9 +232,11 @@
  #define BN_get_rfc3526_prime_4096  get_rfc3526_prime_4096
  #define BN_get_rfc3526_prime_6144  get_rfc3526_prime_6144
  #define BN_get_rfc3526_prime_8192  get_rfc3526_prime_8192
