www-servers/apache: backport DH regression patch

Closes: https://bugs.gentoo.org/929064
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

2 files changed, 335 insertions, 0 deletions

diff --git a/www-servers/apache/apache-2.4.59-r1.ebuild b/www-servers/apache/apache-2.4.59-r1.ebuild
new file mode 100644
index 000000000000..48a82e0ad1c9
--- /dev/null
+++ b/www-servers/apache/apache-2.4.59-r1.ebuild
@@ -0,0 +1,254 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20240405"
+GENTOO_DEVELOPER="graaff"
+GENTOO_PATCHNAME="gentoo-apache-2.4.59"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_fcgi:PROXY
+	proxy_ftp:PROXY
+	proxy_hcheck:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_http2:PROXY
+	proxy_scgi:PROXY
+	proxy_uwsgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
+
+PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" )
+
+pkg_setup() {
+	# dependent critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	dobin support/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}
diff --git a/www-servers/apache/files/apache-2.4.59-dh-regression.patch b/www-servers/apache/files/apache-2.4.59-dh-regression.patch
new file mode 100644
index 000000000000..63cb606a2630
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.59-dh-regression.patch
@@ -0,0 +1,81 @@
+From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 8 Apr 2024 13:18:28 +0000
+Subject: [PATCH] * Ensure that we set the default DH parameters for the key
+
+Replace else with an if as the if branch no longer ensures that
+custome DH parameters have been loaded.
+This fixes a regression that causes the default DH parameters for a key
+no longer set and thus effectively disabling DH ciphers when no explicit
+DH parameters are set.
+
+PR: 68863
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/pr68863.txt   |  3 +++
+ modules/ssl/ssl_engine_init.c | 11 ++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 changes-entries/pr68863.txt
+
+diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
+new file mode 100644
+index 00000000000..d45ffc708cc
+--- /dev/null
++++ b/changes-entries/pr68863.txt
+@@ -0,0 +1,3 @@
++  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
++     no longer set and thus effectively disabling DH ciphers when no explicit
++     DH parameters are set. PR 68863 [Ruediger Pluem]
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 64e4aaf1dcd..f657026d137 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+     int i;
+     EVP_PKEY *pkey;
++    int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+     EC_GROUP *ecgroup = NULL;
+     int curve_nid = 0;
+@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+      */
+     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+     if (certfile && !modssl_is_engine_id(certfile)) {
+-        int done = 0, num_bits = 0;
++        int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+         DH *dh = modssl_dh_from_file(certfile);
+         if (dh) {
+             num_bits = DH_bits(dh);
+             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+             DH_free(dh);
+-            done = 1;
++            custom_dh_done = 1;
+         }
+ #else
+         pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+                 EVP_PKEY_free(pkey);
+             }
+             else {
+-                done = 1;
++                custom_dh_done = 1;
+             }
+         }
+ #endif
+-        if (done) {
++        if (custom_dh_done) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+                          "Custom DH parameters (%d bits) for %s loaded from %s",
+                          num_bits, vhost_id, certfile);
+         }
+     }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+-    else {
++    if (!custom_dh_done) {
+         /* If no parameter is manually configured, enable auto
+          * selection. */
+         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);