cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update lighttpd to 1.4.29, from Brad

Browse Source 
- while there, remove patch-src_server_c too, all the various /dev/*random
are equivalent now, ok Brad
This commit is contained in:
sthen 2011-07-07 14:34:36 +00:00
parent 3a74e58db1
commit 076483e0f2
10 changed files with 11 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
www/lighttpd/Makefile
View File

@ -1,11 +1,10 @@
# $OpenBSD: Makefile,v 1.84 2011/04/25 09:39:36 sthen Exp $
# $OpenBSD: Makefile,v 1.85 2011/07/07 14:34:36 sthen Exp $
SHARED_ONLY= Yes
COMMENT= secure, fast, compliant, and very flexible web-server
DISTNAME= lighttpd-1.4.28
REVISION= 4
DISTNAME= lighttpd-1.4.29
CATEGORIES= www net
MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/
@ -27,11 +26,12 @@ RUN_DEPENDS+= www/spawn-fcgi
USE_LIBTOOL= Yes
LIBTOOL_FLAGS= --tag=disable-static
CONFIGURE_STYLE= autoconf
AUTOCONF_VERSION= 2.67
AUTOCONF_VERSION= 2.68
CONFIGURE_ARGS+= --libdir="${PREFIX}/lib/lighttpd" \
--with-lua \
--with-openssl \
--without-bzip2
--without-bzip2 \
--without-libev
CONFIGURE_ENV+= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib"
@ -59,7 +59,7 @@ pre-build:
post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/lighttpd
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/lighttpd
${INSTALL_DATA} ${WRKSRC}/doc/*.txt \
${INSTALL_DATA} ${WRKSRC}/doc/outdated/*.txt \
${PREFIX}/share/doc/lighttpd
${INSTALL_DATA} ${WRKSRC}/doc/lighttpd.conf \
${PREFIX}/share/examples/lighttpd

10
www/lighttpd/distinfo
View File

@ -1,5 +1,5 @@
MD5 (lighttpd-1.4.28.tar.gz) = IC0278YyStuVo2ANKCbsag==
RMD160 (lighttpd-1.4.28.tar.gz) = 8HFRWVVc62oCpfiCvxELD2geYxQ=
SHA1 (lighttpd-1.4.28.tar.gz) = JNYU91s6uhjzz/XlKifsn9z4U7U=
SHA256 (lighttpd-1.4.28.tar.gz) = 79diP0MYJyO5nFHVeiQVjiKiB82Q3KNarzsuO6wRVxI=
SIZE (lighttpd-1.4.28.tar.gz) = 808352
MD5 (lighttpd-1.4.29.tar.gz) = QTDSRAd3t5EeYt5qicmKkA==
RMD160 (lighttpd-1.4.29.tar.gz) = 9JUO/lJ7U49X3MD7iLare5YAMSg=
SHA1 (lighttpd-1.4.29.tar.gz) = IlEkbNZXzXh63Z6VQZQeiDuBvxM=
SHA256 (lighttpd-1.4.29.tar.gz) = /59N45AdA7soVjTFsUkZEiPRfxwmmhbIY7rEQjgRnIU=
SIZE (lighttpd-1.4.29.tar.gz) = 831201

25
www/lighttpd/patches/patch-src_base_h
View File

@ -1,25 +0,0 @@
$OpenBSD: patch-src_base_h,v 1.3 2011/03/20 13:42:53 sthen Exp $
--- src/base.h.orig Mon Mar 14 21:18:03 2011
+++ src/base.h Mon Mar 14 21:19:57 2011
@@ -275,7 +275,10 @@ typedef struct {
buffer *ssl_pemfile;
buffer *ssl_ca_file;
buffer *ssl_cipher_list;
+ buffer *ssl_dh_file;
+ buffer *ssl_ec_curve;
unsigned short ssl_use_sslv2;
+ unsigned short ssl_use_sslv3;
unsigned short ssl_verifyclient;
unsigned short ssl_verifyclient_enforce;
unsigned short ssl_verifyclient_depth;
@@ -527,7 +530,10 @@ typedef struct {
buffer *ssl_pemfile;
buffer *ssl_ca_file;
buffer *ssl_cipher_list;
+ buffer *ssl_dh_file;
+ buffer *ssl_ec_curve;
unsigned short ssl_use_sslv2;
+ unsigned short ssl_use_sslv3;
unsigned short use_ipv6;
unsigned short is_ssl;

68
www/lighttpd/patches/patch-src_configfile_c
View File

@ -1,68 +0,0 @@
$OpenBSD: patch-src_configfile_c,v 1.1 2011/03/20 13:42:53 sthen Exp $
--- src/configfile.c.orig Tue Aug 17 05:04:38 2010
+++ src/configfile.c Mon Mar 14 21:21:27 2011
@@ -102,6 +102,9 @@ static int config_insert(server *srv) {
{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
{ "server.set-v6only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -164,6 +167,8 @@ static int config_insert(server *srv) {
s->error_handler = buffer_init();
s->server_tag = buffer_init();
s->ssl_cipher_list = buffer_init();
+ s->ssl_dh_file = buffer_init();
+ s->ssl_ec_curve = buffer_init();
s->errorfile_prefix = buffer_init();
s->max_keep_alive_requests = 16;
s->max_keep_alive_idle = 5;
@@ -172,6 +177,7 @@ static int config_insert(server *srv) {
s->use_xattr = 0;
s->is_ssl = 0;
s->ssl_use_sslv2 = 0;
+ s->ssl_use_sslv3 = 1;
s->use_ipv6 = 0;
s->set_v6only = 1;
s->defer_accept = 0;
@@ -236,6 +242,9 @@ static int config_insert(server *srv) {
cv[47].destination = s->ssl_cipher_list;
cv[48].destination = &(s->ssl_use_sslv2);
+ cv[62].destination = &(s->ssl_use_sslv3);
+ cv[63].destination = s->ssl_dh_file;
+ cv[64].destination = s->ssl_ec_curve;
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
cv[51].destination = &(s->etag_use_size);
@@ -324,7 +333,10 @@ int config_setup_connection(server *srv, connection *c
#endif
PATCH(ssl_ca_file);
PATCH(ssl_cipher_list);
+ PATCH(ssl_dh_file);
+ PATCH(ssl_ec_curve);
PATCH(ssl_use_sslv2);
+ PATCH(ssl_use_sslv3);
PATCH(etag_use_inode);
PATCH(etag_use_mtime);
PATCH(etag_use_size);
@@ -390,10 +402,16 @@ int config_patch_connection(server *srv, connection *c
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
PATCH(ssl_use_sslv2);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
+ PATCH(ssl_use_sslv3);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
PATCH(ssl_cipher_list);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
PATCH(is_ssl);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.dh-file"))) {
+ PATCH(ssl_dh_file);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ec-curve"))) {
+ PATCH(ssl_ec_curve);
#ifdef HAVE_LSTAT
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) {
PATCH(follow_symlink);

84
www/lighttpd/patches/patch-src_md5_c
View File

@ -1,84 +0,0 @@
$OpenBSD: patch-src_md5_c,v 1.1 2011/04/25 09:39:36 sthen Exp $
http://redmine.lighttpd.net/issues/2269
--- src/md5.c.orig Sun Apr 24 22:03:40 2011
+++ src/md5.c Sun Apr 24 22:07:52 2011
@@ -52,7 +52,7 @@ documentation and/or software.
#define S43 15
#define S44 21
-static void MD5Transform (UINT4 [4], const unsigned char [64]);
+static void li_MD5Transform (UINT4 [4], const unsigned char [64]);
static void Encode (unsigned char *, UINT4 *, unsigned int);
static void Decode (UINT4 *, const unsigned char *, unsigned int);
@@ -110,8 +110,8 @@ Rotation is separate from addition to prevent recomput
/* MD5 initialization. Begins an MD5 operation, writing a new context.
*/
-void MD5_Init (context)
-MD5_CTX *context; /* context */
+void li_MD5_Init (context)
+li_MD5_CTX *context; /* context */
{
context->count[0] = context->count[1] = 0;
/* Load magic initialization constants.
@@ -126,8 +126,8 @@ MD5_CTX *context;
operation, processing another message block, and updating the
context.
*/
-void MD5_Update (context, _input, inputLen)
-MD5_CTX *context; /* context */
+void li_MD5_Update (context, _input, inputLen)
+li_MD5_CTX *context; /* context */
const void *_input; /* input block */
unsigned int inputLen; /* length of input block */
{
@@ -151,10 +151,10 @@ unsigned int inputLen; /* length o
if (inputLen >= partLen) {
MD5_memcpy
((POINTER)&context->buffer[ndx], (POINTER)input, partLen);
- MD5Transform (context->state, context->buffer);
+ li_MD5Transform (context->state, context->buffer);
for (i = partLen; i + 63 < inputLen; i += 64)
- MD5Transform (context->state, &input[i]);
+ li_MD5Transform (context->state, &input[i]);
ndx = 0;
}
@@ -170,9 +170,9 @@ unsigned int inputLen; /* length o
/* MD5 finalization. Ends an MD5 message-digest operation, writing the
the message digest and zeroizing the context.
*/
-void MD5_Final (digest, context)
+void li_MD5_Final (digest, context)
unsigned char digest[16]; /* message digest */
-MD5_CTX *context; /* context */
+li_MD5_CTX *context; /* context */
{
unsigned char bits[8];
unsigned int ndx, padLen;
@@ -184,10 +184,10 @@ MD5_CTX *context;
*/
ndx = (unsigned int)((context->count[0] >> 3) & 0x3f);
padLen = (ndx < 56) ? (56 - ndx) : (120 - ndx);
- MD5_Update (context, PADDING, padLen);
+ li_MD5_Update (context, PADDING, padLen);
/* Append length (before padding) */
- MD5_Update (context, bits, 8);
+ li_MD5_Update (context, bits, 8);
/* Store state in digest */
Encode (digest, context->state, 16);
@@ -199,7 +199,7 @@ MD5_CTX *context;
/* MD5 basic transformation. Transforms state based on block.
*/
-static void MD5Transform (state, block)
+static void li_MD5Transform (state, block)
UINT4 state[4];
const unsigned char block[64];
{

20
www/lighttpd/patches/patch-src_md5_h
View File

@ -1,20 +0,0 @@
$OpenBSD: patch-src_md5_h,v 1.1 2011/04/25 09:39:36 sthen Exp $
http://redmine.lighttpd.net/issues/2269
--- src/md5.h.orig Sun Apr 24 22:03:58 2011
+++ src/md5.h Sun Apr 24 22:05:09 2011
@@ -39,9 +39,8 @@ typedef struct {
UINT4 state[4]; /* state (ABCD) */
UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
unsigned char buffer[64]; /* input buffer */
-} MD5_CTX;
+} li_MD5_CTX;
-void MD5_Init (MD5_CTX *);
-void MD5_Update (MD5_CTX *, const void *, unsigned int);
-void MD5_Final (unsigned char [16], MD5_CTX *);
-
+void li_MD5_Init (li_MD5_CTX *);
+void li_MD5_Update (li_MD5_CTX *, const void *, unsigned int);
+void li_MD5_Final (unsigned char [16], li_MD5_CTX *);

24
www/lighttpd/patches/patch-src_mod_cgi_c
View File

@ -1,24 +0,0 @@
$OpenBSD: patch-src_mod_cgi_c,v 1.3 2011/03/20 13:42:53 sthen Exp $
--- src/mod_cgi.c.orig Mon Mar 14 21:11:20 2011
+++ src/mod_cgi.c Mon Mar 14 21:13:22 2011
@@ -341,8 +341,19 @@ static int cgi_demux_response(server *srv, handler_ctx
while(1) {
int n;
+ int toread;
- buffer_prepare_copy(hctx->response, 1024);
+#if defined(__WIN32)
+ buffer_prepare_copy(hctx->response, 4 * 1024);
+#else
+ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
+ buffer_prepare_copy(hctx->response, 4 * 1024);
+ } else {
+ if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
+ buffer_prepare_copy(hctx->response, toread + 1);
+ }
+#endif
+
if (-1 == (n = read(hctx->fd, hctx->response->ptr, hctx->response->size - 1))) {
if (errno == EAGAIN || errno == EINTR) {
/* would block, wait for signal */

159
www/lighttpd/patches/patch-src_mod_proxy_c
View File

@ -1,159 +0,0 @@
$OpenBSD: patch-src_mod_proxy_c,v 1.6 2011/03/20 13:42:53 sthen Exp $
--- src/mod_proxy.c.orig Mon Mar 14 21:16:15 2011
+++ src/mod_proxy.c Mon Mar 14 21:16:22 2011
@@ -724,9 +724,9 @@ static int proxy_demux_response(server *srv, handler_c
con->file_started = 1;
if (blen) {
http_chunk_append_mem(srv, con, c + 4, blen + 1);
- joblist_append(srv, con);
}
hctx->response->used = 0;
+ joblist_append(srv, con);
}
} else {
http_chunk_append_mem(srv, con, hctx->response->ptr, hctx->response->used);
@@ -750,7 +750,6 @@ static int proxy_demux_response(server *srv, handler_c
static handler_t proxy_write_request(server *srv, handler_ctx *hctx) {
data_proxy *host= hctx->host;
- plugin_data *p = hctx->plugin_data;
connection *con = hctx->remote_conn;
int ret;
@@ -759,6 +758,17 @@ static handler_t proxy_write_request(server *srv, hand
(!host->host->used || !host->port)) return -1;
switch(hctx->state) {
+ case PROXY_STATE_CONNECT:
+ /* wait for the connect() to finish */
+
+ /* connect failed ? */
+ if (-1 == hctx->fde_ndx) return HANDLER_ERROR;
+
+ /* wait */
+ return HANDLER_WAIT_FOR_EVENT;
+
+ break;
+
case PROXY_STATE_INIT:
#if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
if (strstr(host->host->ptr,":")) {
@@ -786,58 +796,28 @@ static handler_t proxy_write_request(server *srv, hand
return HANDLER_ERROR;
}
- /* fall through */
+ switch (proxy_establish_connection(srv, hctx)) {
+ case 1:
+ proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
- case PROXY_STATE_CONNECT:
- /* try to finish the connect() */
- if (hctx->state == PROXY_STATE_INIT) {
- /* first round */
- switch (proxy_establish_connection(srv, hctx)) {
- case 1:
- proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
+ /* connection is in progress, wait for an event and call getsockopt() below */
- /* connection is in progress, wait for an event and call getsockopt() below */
+ fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
- fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
+ return HANDLER_WAIT_FOR_EVENT;
+ case -1:
+ /* if ECONNREFUSED choose another connection -> FIXME */
+ hctx->fde_ndx = -1;
- return HANDLER_WAIT_FOR_EVENT;
- case -1:
- /* if ECONNREFUSED choose another connection -> FIXME */
- hctx->fde_ndx = -1;
-
- return HANDLER_ERROR;
- default:
- /* everything is ok, go on */
- break;
- }
- } else {
- int socket_error;
- socklen_t socket_error_len = sizeof(socket_error);
-
- /* we don't need it anymore */
- fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
-
- /* try to finish the connect() */
- if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
- log_error_write(srv, __FILE__, __LINE__, "ss",
- "getsockopt failed:", strerror(errno));
-
- return HANDLER_ERROR;
- }
- if (socket_error != 0) {
- log_error_write(srv, __FILE__, __LINE__, "ss",
- "establishing connection failed:", strerror(socket_error),
- "port:", hctx->host->port);
-
- return HANDLER_ERROR;
- }
- if (p->conf.debug) {
- log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
- }
+ return HANDLER_ERROR;
+ default:
+ /* everything is ok, go on */
+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
+ break;
}
- proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
/* fall through */
+
case PROXY_STATE_PREPARE_WRITE:
proxy_create_env(srv, hctx);
@@ -1019,11 +999,42 @@ static handler_t proxy_handle_fdevent(server *srv, voi
"proxy: fdevent-out", hctx->state);
}
- if (hctx->state == PROXY_STATE_CONNECT ||
+ if (hctx->state == PROXY_STATE_CONNECT) {
+ int socket_error;
+ socklen_t socket_error_len = sizeof(socket_error);
+
+ /* we don't need it anymore */
+ fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
+ hctx->fde_ndx = -1;
+
+ /* try to finish the connect() */
+ if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ "getsockopt failed:", strerror(errno));
+
+ joblist_append(srv, con);
+ return HANDLER_FINISHED;
+ }
+ if (socket_error != 0) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ "establishing connection failed:", strerror(socket_error),
+ "port:", hctx->host->port);
+
+ joblist_append(srv, con);
+ return HANDLER_FINISHED;
+ }
+ if (p->conf.debug) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
+ }
+
+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
+ }
+
+ if (hctx->state == PROXY_STATE_PREPARE_WRITE ||
hctx->state == PROXY_STATE_WRITE) {
/* we are allowed to send something out
*
- * 1. in a unfinished connect() call
+ * 1. after a just finished connect() call
* 2. in a unfinished write() call (long POST request)
*/
return mod_proxy_handle_subrequest(srv, con, p);

152
www/lighttpd/patches/patch-src_network_c
View File

@ -1,152 +0,0 @@
$OpenBSD: patch-src_network_c,v 1.3 2011/04/25 09:39:36 sthen Exp $
http://redmine.lighttpd.net/issues/2269
--- src/network.c.orig Tue Aug 17 05:04:38 2010
+++ src/network.c Sun Apr 24 22:29:51 2011
@@ -479,6 +479,55 @@ int network_init(server *srv) {
size_t i;
network_backend_t backend;
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ EC_KEY *ecdh;
+ int nid;
+#endif
+
+#ifdef USE_OPENSSL
+ DH *dh;
+ BIO *bio;
+
+ /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
+ * -----BEGIN DH PARAMETERS-----
+ * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
+ * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
+ * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
+ * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
+ * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
+ * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
+ * -----END DH PARAMETERS-----
+ */
+
+ static const unsigned char dh1024_p[]={
+ 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
+ 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
+ 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
+ 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
+ 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
+ 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
+ 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
+ 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
+ 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
+ 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
+ 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
+ };
+
+ static const unsigned char dh1024_g[]={
+ 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
+ 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
+ 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
+ 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
+ 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
+ 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
+ 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
+ 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
+ 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
+ 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
+ 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
+ };
+#endif
+
struct nb_map {
network_backend_t nb;
const char *name;
@@ -521,6 +570,7 @@ int network_init(server *srv) {
if (srv->ssl_is_init == 0) {
SSL_load_error_strings();
SSL_library_init();
+ OpenSSL_add_all_algorithms();
srv->ssl_is_init = 1;
if (0 == RAND_status()) {
@@ -545,6 +595,15 @@ int network_init(server *srv) {
}
}
+ if (!s->ssl_use_sslv3) {
+ /* disable SSLv3 */
+ if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+ }
+
if (!buffer_is_empty(s->ssl_cipher_list)) {
/* Disable support for low encryption ciphers */
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
@@ -553,6 +612,65 @@ int network_init(server *srv) {
return -1;
}
}
+
+ /* Support for Diffie-Hellman key exchange */
+ if (!buffer_is_empty(s->ssl_dh_file)) {
+ /* DH parameters from file */
+ bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
+ if (bio == NULL) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
+ return -1;
+ }
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ if (dh == NULL) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
+ return -1;
+ }
+ } else {
+ /* Default DH parameters from RFC5114 */
+ dh = DH_new();
+ if (dh == NULL) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
+ return -1;
+ }
+ dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
+ dh->length = 160;
+ if ((dh->p == NULL) || (dh->g == NULL)) {
+ DH_free(dh);
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
+ return -1;
+ }
+ }
+ SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
+ DH_free(dh);
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+ /* Support for Elliptic-Curve Diffie-Hellman key exchange */
+ if (!buffer_is_empty(s->ssl_ec_curve)) {
+ /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
+ nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
+ if (nid == 0) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
+ return -1;
+ }
+ } else {
+ /* Default curve */
+ nid = OBJ_sn2nid("prime256v1");
+ }
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
+#endif
+#endif
if (!buffer_is_empty(s->ssl_ca_file)) {
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {

21
www/lighttpd/patches/patch-src_server_c
View File

@ -1,21 +0,0 @@
$OpenBSD: patch-src_server_c,v 1.9 2011/04/25 09:39:36 sthen Exp $
--- src/server.c.orig Tue Aug 17 05:04:38 2010
+++ src/server.c Sun Apr 24 22:28:50 2011
@@ -211,7 +211,7 @@ static server *server_init(void) {
srv->mtime_cache[i].str = buffer_init();
}
- if ((NULL != (frandom = fopen("/dev/urandom", "rb")) || NULL != (frandom = fopen("/dev/random", "rb")))
+ if ((NULL != (frandom = fopen("/dev/arandom", "rb")) || NULL != (frandom = fopen("/dev/urandom", "rb")))
&& 1 == fread(srv->entropy, sizeof(srv->entropy), 1, frandom)) {
unsigned int e;
memcpy(&e, srv->entropy, sizeof(e) < sizeof(srv->entropy) ? sizeof(e) : sizeof(srv->entropy));
@@ -306,6 +306,8 @@ static void server_free(server *srv) {
buffer_free(s->ssl_pemfile);
buffer_free(s->ssl_ca_file);
buffer_free(s->ssl_cipher_list);
+ buffer_free(s->ssl_dh_file);
+ buffer_free(s->ssl_ec_curve);
buffer_free(s->error_handler);
buffer_free(s->errorfile_prefix);
array_free(s->mimetypes);