diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile
index f34a596b4f8..4fe7778db6d 100644
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@@ -1,11 +1,10 @@
-# $OpenBSD: Makefile,v 1.84 2011/04/25 09:39:36 sthen Exp $
+# $OpenBSD: Makefile,v 1.85 2011/07/07 14:34:36 sthen Exp $
 SHARED_ONLY= Yes
 COMMENT= secure, fast, compliant, and very flexible web-server
-DISTNAME= lighttpd-1.4.28
-REVISION= 4
+DISTNAME= lighttpd-1.4.29
 CATEGORIES= www net
 MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/
@@ -27,11 +26,12 @@ RUN_DEPENDS+= www/spawn-fcgi
 USE_LIBTOOL= Yes
 LIBTOOL_FLAGS= --tag=disable-static
 CONFIGURE_STYLE= autoconf
-AUTOCONF_VERSION= 2.67
+AUTOCONF_VERSION= 2.68
 CONFIGURE_ARGS+= --libdir="${PREFIX}/lib/lighttpd" \
 --with-lua \
 --with-openssl \
- --without-bzip2
+ --without-bzip2 \
+ --without-libev
 CONFIGURE_ENV+= CPPFLAGS="-I${LOCALBASE}/include" \
 LDFLAGS="-L${LOCALBASE}/lib"
@@ -59,7 +59,7 @@ pre-build:
 post-install:
 ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/lighttpd
 ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/lighttpd
- ${INSTALL_DATA} ${WRKSRC}/doc/*.txt \
+ ${INSTALL_DATA} ${WRKSRC}/doc/outdated/*.txt \
 ${PREFIX}/share/doc/lighttpd
 ${INSTALL_DATA} ${WRKSRC}/doc/lighttpd.conf \
 ${PREFIX}/share/examples/lighttpd
diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo
index dcb3ac676f6..eb3c8a7d203 100644
--- a/www/lighttpd/distinfo
+++ b/www/lighttpd/distinfo
@@ -1,5 +1,5 @@
-MD5 (lighttpd-1.4.28.tar.gz) = IC0278YyStuVo2ANKCbsag==
-RMD160 (lighttpd-1.4.28.tar.gz) = 8HFRWVVc62oCpfiCvxELD2geYxQ=
-SHA1 (lighttpd-1.4.28.tar.gz) = JNYU91s6uhjzz/XlKifsn9z4U7U=
-SHA256 (lighttpd-1.4.28.tar.gz) = 79diP0MYJyO5nFHVeiQVjiKiB82Q3KNarzsuO6wRVxI=
-SIZE (lighttpd-1.4.28.tar.gz) = 808352
+MD5 (lighttpd-1.4.29.tar.gz) = QTDSRAd3t5EeYt5qicmKkA==
+RMD160 (lighttpd-1.4.29.tar.gz) = 9JUO/lJ7U49X3MD7iLare5YAMSg=
+SHA1 (lighttpd-1.4.29.tar.gz) = IlEkbNZXzXh63Z6VQZQeiDuBvxM=
+SHA256 (lighttpd-1.4.29.tar.gz) = /59N45AdA7soVjTFsUkZEiPRfxwmmhbIY7rEQjgRnIU=
+SIZE (lighttpd-1.4.29.tar.gz) = 831201
diff --git a/www/lighttpd/patches/patch-src_base_h b/www/lighttpd/patches/patch-src_base_h
deleted file mode 100644
index 7456a55fdda..00000000000
--- a/www/lighttpd/patches/patch-src_base_h
+++ /dev/null
@@ -1,25 +0,0 @@
-$OpenBSD: patch-src_base_h,v 1.3 2011/03/20 13:42:53 sthen Exp $
---- src/base.h.orig Mon Mar 14 21:18:03 2011
-+++ src/base.h Mon Mar 14 21:19:57 2011
-@@ -275,7 +275,10 @@ typedef struct {
- buffer *ssl_pemfile;
- buffer *ssl_ca_file;
- buffer *ssl_cipher_list;
-+ buffer *ssl_dh_file;
-+ buffer *ssl_ec_curve;
- unsigned short ssl_use_sslv2;
-+ unsigned short ssl_use_sslv3;
- unsigned short ssl_verifyclient;
- unsigned short ssl_verifyclient_enforce;
- unsigned short ssl_verifyclient_depth;
-@@ -527,7 +530,10 @@ typedef struct {
- buffer *ssl_pemfile;
- buffer *ssl_ca_file;
- buffer *ssl_cipher_list;
-+ buffer *ssl_dh_file;
-+ buffer *ssl_ec_curve;
- unsigned short ssl_use_sslv2;
-+ unsigned short ssl_use_sslv3;
- unsigned short use_ipv6;
- unsigned short is_ssl;
- 
diff --git a/www/lighttpd/patches/patch-src_configfile_c b/www/lighttpd/patches/patch-src_configfile_c
deleted file mode 100644
index 40efc93d4cb..00000000000
--- a/www/lighttpd/patches/patch-src_configfile_c
+++ /dev/null
@@ -1,68 +0,0 @@
-$OpenBSD: patch-src_configfile_c,v 1.1 2011/03/20 13:42:53 sthen Exp $
---- src/configfile.c.orig Tue Aug 17 05:04:38 2010
-+++ src/configfile.c Mon Mar 14 21:21:27 2011
-@@ -102,6 +102,9 @@ static int config_insert(server *srv) {
- { "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
- 
- { "server.set-v6only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
-+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
-+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
-+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
- 
- { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
- { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
-@@ -164,6 +167,8 @@ static int config_insert(server *srv) {
- s->error_handler = buffer_init();
- s->server_tag = buffer_init();
- s->ssl_cipher_list = buffer_init();
-+ s->ssl_dh_file = buffer_init();
-+ s->ssl_ec_curve = buffer_init();
- s->errorfile_prefix = buffer_init();
- s->max_keep_alive_requests = 16;
- s->max_keep_alive_idle = 5;
-@@ -172,6 +177,7 @@ static int config_insert(server *srv) {
- s->use_xattr = 0;
- s->is_ssl = 0;
- s->ssl_use_sslv2 = 0;
-+ s->ssl_use_sslv3 = 1;
- s->use_ipv6 = 0;
- s->set_v6only = 1;
- s->defer_accept = 0;
-@@ -236,6 +242,9 @@ static int config_insert(server *srv) {
- 
- cv[47].destination = s->ssl_cipher_list;
- cv[48].destination = &(s->ssl_use_sslv2);
-+ cv[62].destination = &(s->ssl_use_sslv3);
-+ cv[63].destination = s->ssl_dh_file;
-+ cv[64].destination = s->ssl_ec_curve;
- cv[49].destination = &(s->etag_use_inode);
- cv[50].destination = &(s->etag_use_mtime);
- cv[51].destination = &(s->etag_use_size);
-@@ -324,7 +333,10 @@ int config_setup_connection(server *srv, connection *c
- #endif
- PATCH(ssl_ca_file);
- PATCH(ssl_cipher_list);
-+ PATCH(ssl_dh_file);
-+ PATCH(ssl_ec_curve);
- PATCH(ssl_use_sslv2);
-+ PATCH(ssl_use_sslv3);
- PATCH(etag_use_inode);
- PATCH(etag_use_mtime);
- PATCH(etag_use_size);
-@@ -390,10 +402,16 @@ int config_patch_connection(server *srv, connection *c
- PATCH(ssl_ca_file);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
- PATCH(ssl_use_sslv2);
-+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
-+ PATCH(ssl_use_sslv3);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
- PATCH(ssl_cipher_list);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
- PATCH(is_ssl);
-+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.dh-file"))) {
-+ PATCH(ssl_dh_file);
-+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ec-curve"))) {
-+ PATCH(ssl_ec_curve);
- #ifdef HAVE_LSTAT
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) {
- PATCH(follow_symlink);
diff --git a/www/lighttpd/patches/patch-src_md5_c b/www/lighttpd/patches/patch-src_md5_c
deleted file mode 100644
index dbeb1530677..00000000000
--- a/www/lighttpd/patches/patch-src_md5_c
+++ /dev/null
@@ -1,84 +0,0 @@
-$OpenBSD: patch-src_md5_c,v 1.1 2011/04/25 09:39:36 sthen Exp $
-
-http://redmine.lighttpd.net/issues/2269
-
---- src/md5.c.orig Sun Apr 24 22:03:40 2011
-+++ src/md5.c Sun Apr 24 22:07:52 2011
-@@ -52,7 +52,7 @@ documentation and/or software.
- #define S43 15
- #define S44 21
- 
--static void MD5Transform (UINT4 [4], const unsigned char [64]);
-+static void li_MD5Transform (UINT4 [4], const unsigned char [64]);
- static void Encode (unsigned char *, UINT4 *, unsigned int);
- static void Decode (UINT4 *, const unsigned char *, unsigned int);
- 
-@@ -110,8 +110,8 @@ Rotation is separate from addition to prevent recomput
- 
- /* MD5 initialization. Begins an MD5 operation, writing a new context.
- */
--void MD5_Init (context)
--MD5_CTX *context; /* context */
-+void li_MD5_Init (context)
-+li_MD5_CTX *context; /* context */
- {
- context->count[0] = context->count[1] = 0;
- /* Load magic initialization constants.
-@@ -126,8 +126,8 @@ MD5_CTX *context;
- operation, processing another message block, and updating the
- context.
- */
--void MD5_Update (context, _input, inputLen)
--MD5_CTX *context; /* context */
-+void li_MD5_Update (context, _input, inputLen)
-+li_MD5_CTX *context; /* context */
- const void *_input; /* input block */
- unsigned int inputLen; /* length of input block */
- {
-@@ -151,10 +151,10 @@ unsigned int inputLen; /* length o
- if (inputLen >= partLen) {
- MD5_memcpy
- ((POINTER)&context->buffer[ndx], (POINTER)input, partLen);
-- MD5Transform (context->state, context->buffer);
-+ li_MD5Transform (context->state, context->buffer);
- 
- for (i = partLen; i + 63 < inputLen; i += 64)
-- MD5Transform (context->state, &input[i]);
-+ li_MD5Transform (context->state, &input[i]);
- 
- ndx = 0;
- }
-@@ -170,9 +170,9 @@ unsigned int inputLen; /* length o
- /* MD5 finalization. Ends an MD5 message-digest operation, writing the
- the message digest and zeroizing the context.
- */
--void MD5_Final (digest, context)
-+void li_MD5_Final (digest, context)
- unsigned char digest[16]; /* message digest */
--MD5_CTX *context; /* context */
-+li_MD5_CTX *context; /* context */
- {
- unsigned char bits[8];
- unsigned int ndx, padLen;
-@@ -184,10 +184,10 @@ MD5_CTX *context;
- */
- ndx = (unsigned int)((context->count[0] >> 3) & 0x3f);
- padLen = (ndx < 56) ? (56 - ndx) : (120 - ndx);
-- MD5_Update (context, PADDING, padLen);
-+ li_MD5_Update (context, PADDING, padLen);
- 
- /* Append length (before padding) */
-- MD5_Update (context, bits, 8);
-+ li_MD5_Update (context, bits, 8);
- 
- /* Store state in digest */
- Encode (digest, context->state, 16);
-@@ -199,7 +199,7 @@ MD5_CTX *context;
- 
- /* MD5 basic transformation. Transforms state based on block.
- */
--static void MD5Transform (state, block)
-+static void li_MD5Transform (state, block)
- UINT4 state[4];
- const unsigned char block[64];
- {
diff --git a/www/lighttpd/patches/patch-src_md5_h b/www/lighttpd/patches/patch-src_md5_h
deleted file mode 100644
index 6c8bee44b61..00000000000
--- a/www/lighttpd/patches/patch-src_md5_h
+++ /dev/null
@@ -1,20 +0,0 @@
-$OpenBSD: patch-src_md5_h,v 1.1 2011/04/25 09:39:36 sthen Exp $
-
-http://redmine.lighttpd.net/issues/2269
-
---- src/md5.h.orig Sun Apr 24 22:03:58 2011
-+++ src/md5.h Sun Apr 24 22:05:09 2011
-@@ -39,9 +39,8 @@ typedef struct {
- UINT4 state[4]; /* state (ABCD) */
- UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
- unsigned char buffer[64]; /* input buffer */
--} MD5_CTX;
-+} li_MD5_CTX;
- 
--void MD5_Init (MD5_CTX *);
--void MD5_Update (MD5_CTX *, const void *, unsigned int);
--void MD5_Final (unsigned char [16], MD5_CTX *);
--
-+void li_MD5_Init (li_MD5_CTX *);
-+void li_MD5_Update (li_MD5_CTX *, const void *, unsigned int);
-+void li_MD5_Final (unsigned char [16], li_MD5_CTX *);
diff --git a/www/lighttpd/patches/patch-src_mod_cgi_c b/www/lighttpd/patches/patch-src_mod_cgi_c
deleted file mode 100644
index 64e2db17194..00000000000
--- a/www/lighttpd/patches/patch-src_mod_cgi_c
+++ /dev/null
@@ -1,24 +0,0 @@
-$OpenBSD: patch-src_mod_cgi_c,v 1.3 2011/03/20 13:42:53 sthen Exp $
---- src/mod_cgi.c.orig Mon Mar 14 21:11:20 2011
-+++ src/mod_cgi.c Mon Mar 14 21:13:22 2011
-@@ -341,8 +341,19 @@ static int cgi_demux_response(server *srv, handler_ctx
- 
- while(1) {
- int n;
-+ int toread;
- 
-- buffer_prepare_copy(hctx->response, 1024);
-+#if defined(__WIN32)
-+ buffer_prepare_copy(hctx->response, 4 * 1024);
-+#else
-+ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
-+ buffer_prepare_copy(hctx->response, 4 * 1024);
-+ } else {
-+ if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
-+ buffer_prepare_copy(hctx->response, toread + 1);
-+ }
-+#endif
-+
- if (-1 == (n = read(hctx->fd, hctx->response->ptr, hctx->response->size - 1))) {
- if (errno == EAGAIN || errno == EINTR) {
- /* would block, wait for signal */
diff --git a/www/lighttpd/patches/patch-src_mod_proxy_c b/www/lighttpd/patches/patch-src_mod_proxy_c
deleted file mode 100644
index bcbff3816f4..00000000000
--- a/www/lighttpd/patches/patch-src_mod_proxy_c
+++ /dev/null
@@ -1,159 +0,0 @@
-$OpenBSD: patch-src_mod_proxy_c,v 1.6 2011/03/20 13:42:53 sthen Exp $
---- src/mod_proxy.c.orig Mon Mar 14 21:16:15 2011
-+++ src/mod_proxy.c Mon Mar 14 21:16:22 2011
-@@ -724,9 +724,9 @@ static int proxy_demux_response(server *srv, handler_c
- con->file_started = 1;
- if (blen) {
- http_chunk_append_mem(srv, con, c + 4, blen + 1);
-- joblist_append(srv, con);
- }
- hctx->response->used = 0;
-+ joblist_append(srv, con);
- }
- } else {
- http_chunk_append_mem(srv, con, hctx->response->ptr, hctx->response->used);
-@@ -750,7 +750,6 @@ static int proxy_demux_response(server *srv, handler_c
- 
- static handler_t proxy_write_request(server *srv, handler_ctx *hctx) {
- data_proxy *host= hctx->host;
-- plugin_data *p = hctx->plugin_data;
- connection *con = hctx->remote_conn;
- 
- int ret;
-@@ -759,6 +758,17 @@ static handler_t proxy_write_request(server *srv, hand
- (!host->host->used || !host->port)) return -1;
- 
- switch(hctx->state) {
-+ case PROXY_STATE_CONNECT:
-+ /* wait for the connect() to finish */
-+
-+ /* connect failed ? */
-+ if (-1 == hctx->fde_ndx) return HANDLER_ERROR;
-+
-+ /* wait */
-+ return HANDLER_WAIT_FOR_EVENT;
-+
-+ break;
-+
- case PROXY_STATE_INIT:
- #if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
- if (strstr(host->host->ptr,":")) {
-@@ -786,58 +796,28 @@ static handler_t proxy_write_request(server *srv, hand
- return HANDLER_ERROR;
- }
- 
-- /* fall through */
-+ switch (proxy_establish_connection(srv, hctx)) {
-+ case 1:
-+ proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
- 
-- case PROXY_STATE_CONNECT:
-- /* try to finish the connect() */
-- if (hctx->state == PROXY_STATE_INIT) {
-- /* first round */
-- switch (proxy_establish_connection(srv, hctx)) {
-- case 1:
-- proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
-+ /* connection is in progress, wait for an event and call getsockopt() below */
- 
-- /* connection is in progress, wait for an event and call getsockopt() below */
-+ fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
- 
-- fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
-+ return HANDLER_WAIT_FOR_EVENT;
-+ case -1:
-+ /* if ECONNREFUSED choose another connection -> FIXME */
-+ hctx->fde_ndx = -1;
- 
-- return HANDLER_WAIT_FOR_EVENT;
-- case -1:
-- /* if ECONNREFUSED choose another connection -> FIXME */
-- hctx->fde_ndx = -1;
--
-- return HANDLER_ERROR;
-- default:
-- /* everything is ok, go on */
-- break;
-- }
-- } else {
-- int socket_error;
-- socklen_t socket_error_len = sizeof(socket_error);
--
-- /* we don't need it anymore */
-- fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
--
-- /* try to finish the connect() */
-- if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
-- log_error_write(srv, __FILE__, __LINE__, "ss",
-- "getsockopt failed:", strerror(errno));
--
-- return HANDLER_ERROR;
-- }
-- if (socket_error != 0) {
-- log_error_write(srv, __FILE__, __LINE__, "ss",
-- "establishing connection failed:", strerror(socket_error),
-- "port:", hctx->host->port);
--
-- return HANDLER_ERROR;
-- }
-- if (p->conf.debug) {
-- log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
-- }
-+ return HANDLER_ERROR;
-+ default:
-+ /* everything is ok, go on */
-+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
-+ break;
- }
- 
-- proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
- /* fall through */
-+
- case PROXY_STATE_PREPARE_WRITE:
- proxy_create_env(srv, hctx);
- 
-@@ -1019,11 +999,42 @@ static handler_t proxy_handle_fdevent(server *srv, voi
- "proxy: fdevent-out", hctx->state);
- }
- 
-- if (hctx->state == PROXY_STATE_CONNECT ||
-+ if (hctx->state == PROXY_STATE_CONNECT) {
-+ int socket_error;
-+ socklen_t socket_error_len = sizeof(socket_error);
-+
-+ /* we don't need it anymore */
-+ fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
-+ hctx->fde_ndx = -1;
-+
-+ /* try to finish the connect() */
-+ if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss",
-+ "getsockopt failed:", strerror(errno));
-+
-+ joblist_append(srv, con);
-+ return HANDLER_FINISHED;
-+ }
-+ if (socket_error != 0) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss",
-+ "establishing connection failed:", strerror(socket_error),
-+ "port:", hctx->host->port);
-+
-+ joblist_append(srv, con);
-+ return HANDLER_FINISHED;
-+ }
-+ if (p->conf.debug) {
-+ log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
-+ }
-+
-+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
-+ }
-+
-+ if (hctx->state == PROXY_STATE_PREPARE_WRITE ||
- hctx->state == PROXY_STATE_WRITE) {
- /* we are allowed to send something out
- *
-- * 1. in a unfinished connect() call
-+ * 1. after a just finished connect() call
- * 2. in a unfinished write() call (long POST request)
- */
- return mod_proxy_handle_subrequest(srv, con, p);
diff --git a/www/lighttpd/patches/patch-src_network_c b/www/lighttpd/patches/patch-src_network_c
deleted file mode 100644
index dfda0f9ffbf..00000000000
--- a/www/lighttpd/patches/patch-src_network_c
+++ /dev/null
@@ -1,152 +0,0 @@
-$OpenBSD: patch-src_network_c,v 1.3 2011/04/25 09:39:36 sthen Exp $
-
-http://redmine.lighttpd.net/issues/2269
-
---- src/network.c.orig Tue Aug 17 05:04:38 2010
-+++ src/network.c Sun Apr 24 22:29:51 2011
-@@ -479,6 +479,55 @@ int network_init(server *srv) {
- size_t i;
- network_backend_t backend;
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-+ EC_KEY *ecdh;
-+ int nid;
-+#endif
-+
-+#ifdef USE_OPENSSL
-+ DH *dh;
-+ BIO *bio;
-+
-+ /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
-+ * -----BEGIN DH PARAMETERS-----
-+ * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
-+ * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
-+ * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
-+ * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
-+ * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
-+ * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
-+ * -----END DH PARAMETERS-----
-+ */
-+
-+ static const unsigned char dh1024_p[]={
-+ 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
-+ 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
-+ 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
-+ 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
-+ 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
-+ 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
-+ 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
-+ 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
-+ 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
-+ 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
-+ 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
-+ };
-+
-+ static const unsigned char dh1024_g[]={
-+ 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
-+ 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
-+ 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
-+ 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
-+ 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
-+ 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
-+ 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
-+ 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
-+ 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
-+ 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
-+ 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
-+ };
-+#endif
-+
- struct nb_map {
- network_backend_t nb;
- const char *name;
-@@ -521,6 +570,7 @@ int network_init(server *srv) {
- if (srv->ssl_is_init == 0) {
- SSL_load_error_strings();
- SSL_library_init();
-+ OpenSSL_add_all_algorithms();
- srv->ssl_is_init = 1;
- 
- if (0 == RAND_status()) {
-@@ -545,6 +595,15 @@ int network_init(server *srv) {
- }
- }
- 
-+ if (!s->ssl_use_sslv3) {
-+ /* disable SSLv3 */
-+ if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-+ ERR_error_string(ERR_get_error(), NULL));
-+ return -1;
-+ }
-+ }
-+
- if (!buffer_is_empty(s->ssl_cipher_list)) {
- /* Disable support for low encryption ciphers */
- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
-@@ -553,6 +612,65 @@ int network_init(server *srv) {
- return -1;
- }
- }
-+
-+ /* Support for Diffie-Hellman key exchange */
-+ if (!buffer_is_empty(s->ssl_dh_file)) {
-+ /* DH parameters from file */
-+ bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
-+ if (bio == NULL) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
-+ return -1;
-+ }
-+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-+ BIO_free(bio);
-+ if (dh == NULL) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
-+ return -1;
-+ }
-+ } else {
-+ /* Default DH parameters from RFC5114 */
-+ dh = DH_new();
-+ if (dh == NULL) {
-+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
-+ return -1;
-+ }
-+ dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
-+ dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
-+ dh->length = 160;
-+ if ((dh->p == NULL) || (dh->g == NULL)) {
-+ DH_free(dh);
-+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
-+ return -1;
-+ }
-+ }
-+ SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
-+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
-+ DH_free(dh);
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-+#ifndef OPENSSL_NO_ECDH
-+ /* Support for Elliptic-Curve Diffie-Hellman key exchange */
-+ if (!buffer_is_empty(s->ssl_ec_curve)) {
-+ /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
-+ nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
-+ if (nid == 0) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
-+ return -1;
-+ }
-+ } else {
-+ /* Default curve */
-+ nid = OBJ_sn2nid("prime256v1");
-+ }
-+ ecdh = EC_KEY_new_by_curve_name(nid);
-+ if (ecdh == NULL) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
-+ return -1;
-+ }
-+ SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
-+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
-+ EC_KEY_free(ecdh);
-+#endif
-+#endif
- 
- if (!buffer_is_empty(s->ssl_ca_file)) {
- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
diff --git a/www/lighttpd/patches/patch-src_server_c b/www/lighttpd/patches/patch-src_server_c
deleted file mode 100644
index 9cdfe6e065d..00000000000
--- a/www/lighttpd/patches/patch-src_server_c
+++ /dev/null
@@ -1,21 +0,0 @@
-$OpenBSD: patch-src_server_c,v 1.9 2011/04/25 09:39:36 sthen Exp $
---- src/server.c.orig Tue Aug 17 05:04:38 2010
-+++ src/server.c Sun Apr 24 22:28:50 2011
-@@ -211,7 +211,7 @@ static server *server_init(void) {
- srv->mtime_cache[i].str = buffer_init();
- }
- 
-- if ((NULL != (frandom = fopen("/dev/urandom", "rb")) || NULL != (frandom = fopen("/dev/random", "rb")))
-+ if ((NULL != (frandom = fopen("/dev/arandom", "rb")) || NULL != (frandom = fopen("/dev/urandom", "rb")))
- && 1 == fread(srv->entropy, sizeof(srv->entropy), 1, frandom)) {
- unsigned int e;
- memcpy(&e, srv->entropy, sizeof(e) < sizeof(srv->entropy) ? sizeof(e) : sizeof(srv->entropy));
-@@ -306,6 +306,8 @@ static void server_free(server *srv) {
- buffer_free(s->ssl_pemfile);
- buffer_free(s->ssl_ca_file);
- buffer_free(s->ssl_cipher_list);
-+ buffer_free(s->ssl_dh_file);
-+ buffer_free(s->ssl_ec_curve);
- buffer_free(s->error_handler);
- buffer_free(s->errorfile_prefix);
- array_free(s->mimetypes);