update lighttpd to 1.4.29, from Brad
- while there, remove patch-src_server_c too, all the various /dev/*random are equivalent now, ok Brad
This commit is contained in:
sthen
parent
3a74e58db1
commit
076483e0f2
@ -1,11 +1,10 @@
|
||||
# $OpenBSD: Makefile,v 1.84 2011/04/25 09:39:36 sthen Exp $
|
||||
# $OpenBSD: Makefile,v 1.85 2011/07/07 14:34:36 sthen Exp $
|
||||
|
||||
SHARED_ONLY= Yes
|
||||
|
||||
COMMENT= secure, fast, compliant, and very flexible web-server
|
||||
|
||||
DISTNAME= lighttpd-1.4.28
|
||||
REVISION= 4
|
||||
DISTNAME= lighttpd-1.4.29
|
||||
CATEGORIES= www net
|
||||
MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/
|
||||
|
||||
@ -27,11 +26,12 @@ RUN_DEPENDS+= www/spawn-fcgi
|
||||
USE_LIBTOOL= Yes
|
||||
LIBTOOL_FLAGS= --tag=disable-static
|
||||
CONFIGURE_STYLE= autoconf
|
||||
AUTOCONF_VERSION= 2.67
|
||||
AUTOCONF_VERSION= 2.68
|
||||
CONFIGURE_ARGS+= --libdir="${PREFIX}/lib/lighttpd" \
|
||||
--with-lua \
|
||||
--with-openssl \
|
||||
--without-bzip2
|
||||
--without-bzip2 \
|
||||
--without-libev
|
||||
CONFIGURE_ENV+= CPPFLAGS="-I${LOCALBASE}/include" \
|
||||
LDFLAGS="-L${LOCALBASE}/lib"
|
||||
|
||||
@ -59,7 +59,7 @@ pre-build:
|
||||
post-install:
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/lighttpd
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/lighttpd
|
||||
${INSTALL_DATA} ${WRKSRC}/doc/*.txt \
|
||||
${INSTALL_DATA} ${WRKSRC}/doc/outdated/*.txt \
|
||||
${PREFIX}/share/doc/lighttpd
|
||||
${INSTALL_DATA} ${WRKSRC}/doc/lighttpd.conf \
|
||||
${PREFIX}/share/examples/lighttpd
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
MD5 (lighttpd-1.4.28.tar.gz) = IC0278YyStuVo2ANKCbsag==
|
||||
RMD160 (lighttpd-1.4.28.tar.gz) = 8HFRWVVc62oCpfiCvxELD2geYxQ=
|
||||
SHA1 (lighttpd-1.4.28.tar.gz) = JNYU91s6uhjzz/XlKifsn9z4U7U=
|
||||
SHA256 (lighttpd-1.4.28.tar.gz) = 79diP0MYJyO5nFHVeiQVjiKiB82Q3KNarzsuO6wRVxI=
|
||||
SIZE (lighttpd-1.4.28.tar.gz) = 808352
|
||||
MD5 (lighttpd-1.4.29.tar.gz) = QTDSRAd3t5EeYt5qicmKkA==
|
||||
RMD160 (lighttpd-1.4.29.tar.gz) = 9JUO/lJ7U49X3MD7iLare5YAMSg=
|
||||
SHA1 (lighttpd-1.4.29.tar.gz) = IlEkbNZXzXh63Z6VQZQeiDuBvxM=
|
||||
SHA256 (lighttpd-1.4.29.tar.gz) = /59N45AdA7soVjTFsUkZEiPRfxwmmhbIY7rEQjgRnIU=
|
||||
SIZE (lighttpd-1.4.29.tar.gz) = 831201
|
||||
|
||||
@ -1,25 +0,0 @@
|
||||
$OpenBSD: patch-src_base_h,v 1.3 2011/03/20 13:42:53 sthen Exp $
|
||||
--- src/base.h.orig Mon Mar 14 21:18:03 2011
|
||||
+++ src/base.h Mon Mar 14 21:19:57 2011
|
||||
@@ -275,7 +275,10 @@ typedef struct {
|
||||
buffer *ssl_pemfile;
|
||||
buffer *ssl_ca_file;
|
||||
buffer *ssl_cipher_list;
|
||||
+ buffer *ssl_dh_file;
|
||||
+ buffer *ssl_ec_curve;
|
||||
unsigned short ssl_use_sslv2;
|
||||
+ unsigned short ssl_use_sslv3;
|
||||
unsigned short ssl_verifyclient;
|
||||
unsigned short ssl_verifyclient_enforce;
|
||||
unsigned short ssl_verifyclient_depth;
|
||||
@@ -527,7 +530,10 @@ typedef struct {
|
||||
buffer *ssl_pemfile;
|
||||
buffer *ssl_ca_file;
|
||||
buffer *ssl_cipher_list;
|
||||
+ buffer *ssl_dh_file;
|
||||
+ buffer *ssl_ec_curve;
|
||||
unsigned short ssl_use_sslv2;
|
||||
+ unsigned short ssl_use_sslv3;
|
||||
unsigned short use_ipv6;
|
||||
unsigned short is_ssl;
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
$OpenBSD: patch-src_configfile_c,v 1.1 2011/03/20 13:42:53 sthen Exp $
|
||||
--- src/configfile.c.orig Tue Aug 17 05:04:38 2010
|
||||
+++ src/configfile.c Mon Mar 14 21:21:27 2011
|
||||
@@ -102,6 +102,9 @@ static int config_insert(server *srv) {
|
||||
{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
|
||||
|
||||
{ "server.set-v6only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
|
||||
+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
|
||||
+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
|
||||
+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
|
||||
|
||||
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||||
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||||
@@ -164,6 +167,8 @@ static int config_insert(server *srv) {
|
||||
s->error_handler = buffer_init();
|
||||
s->server_tag = buffer_init();
|
||||
s->ssl_cipher_list = buffer_init();
|
||||
+ s->ssl_dh_file = buffer_init();
|
||||
+ s->ssl_ec_curve = buffer_init();
|
||||
s->errorfile_prefix = buffer_init();
|
||||
s->max_keep_alive_requests = 16;
|
||||
s->max_keep_alive_idle = 5;
|
||||
@@ -172,6 +177,7 @@ static int config_insert(server *srv) {
|
||||
s->use_xattr = 0;
|
||||
s->is_ssl = 0;
|
||||
s->ssl_use_sslv2 = 0;
|
||||
+ s->ssl_use_sslv3 = 1;
|
||||
s->use_ipv6 = 0;
|
||||
s->set_v6only = 1;
|
||||
s->defer_accept = 0;
|
||||
@@ -236,6 +242,9 @@ static int config_insert(server *srv) {
|
||||
|
||||
cv[47].destination = s->ssl_cipher_list;
|
||||
cv[48].destination = &(s->ssl_use_sslv2);
|
||||
+ cv[62].destination = &(s->ssl_use_sslv3);
|
||||
+ cv[63].destination = s->ssl_dh_file;
|
||||
+ cv[64].destination = s->ssl_ec_curve;
|
||||
cv[49].destination = &(s->etag_use_inode);
|
||||
cv[50].destination = &(s->etag_use_mtime);
|
||||
cv[51].destination = &(s->etag_use_size);
|
||||
@@ -324,7 +333,10 @@ int config_setup_connection(server *srv, connection *c
|
||||
#endif
|
||||
PATCH(ssl_ca_file);
|
||||
PATCH(ssl_cipher_list);
|
||||
+ PATCH(ssl_dh_file);
|
||||
+ PATCH(ssl_ec_curve);
|
||||
PATCH(ssl_use_sslv2);
|
||||
+ PATCH(ssl_use_sslv3);
|
||||
PATCH(etag_use_inode);
|
||||
PATCH(etag_use_mtime);
|
||||
PATCH(etag_use_size);
|
||||
@@ -390,10 +402,16 @@ int config_patch_connection(server *srv, connection *c
|
||||
PATCH(ssl_ca_file);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
|
||||
PATCH(ssl_use_sslv2);
|
||||
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
|
||||
+ PATCH(ssl_use_sslv3);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
|
||||
PATCH(ssl_cipher_list);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
|
||||
PATCH(is_ssl);
|
||||
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.dh-file"))) {
|
||||
+ PATCH(ssl_dh_file);
|
||||
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ec-curve"))) {
|
||||
+ PATCH(ssl_ec_curve);
|
||||
#ifdef HAVE_LSTAT
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) {
|
||||
PATCH(follow_symlink);
|
||||
@ -1,84 +0,0 @@
|
||||
$OpenBSD: patch-src_md5_c,v 1.1 2011/04/25 09:39:36 sthen Exp $
|
||||
|
||||
http://redmine.lighttpd.net/issues/2269
|
||||
|
||||
--- src/md5.c.orig Sun Apr 24 22:03:40 2011
|
||||
+++ src/md5.c Sun Apr 24 22:07:52 2011
|
||||
@@ -52,7 +52,7 @@ documentation and/or software.
|
||||
#define S43 15
|
||||
#define S44 21
|
||||
|
||||
-static void MD5Transform (UINT4 [4], const unsigned char [64]);
|
||||
+static void li_MD5Transform (UINT4 [4], const unsigned char [64]);
|
||||
static void Encode (unsigned char *, UINT4 *, unsigned int);
|
||||
static void Decode (UINT4 *, const unsigned char *, unsigned int);
|
||||
|
||||
@@ -110,8 +110,8 @@ Rotation is separate from addition to prevent recomput
|
||||
|
||||
/* MD5 initialization. Begins an MD5 operation, writing a new context.
|
||||
*/
|
||||
-void MD5_Init (context)
|
||||
-MD5_CTX *context; /* context */
|
||||
+void li_MD5_Init (context)
|
||||
+li_MD5_CTX *context; /* context */
|
||||
{
|
||||
context->count[0] = context->count[1] = 0;
|
||||
/* Load magic initialization constants.
|
||||
@@ -126,8 +126,8 @@ MD5_CTX *context;
|
||||
operation, processing another message block, and updating the
|
||||
context.
|
||||
*/
|
||||
-void MD5_Update (context, _input, inputLen)
|
||||
-MD5_CTX *context; /* context */
|
||||
+void li_MD5_Update (context, _input, inputLen)
|
||||
+li_MD5_CTX *context; /* context */
|
||||
const void *_input; /* input block */
|
||||
unsigned int inputLen; /* length of input block */
|
||||
{
|
||||
@@ -151,10 +151,10 @@ unsigned int inputLen; /* length o
|
||||
if (inputLen >= partLen) {
|
||||
MD5_memcpy
|
||||
((POINTER)&context->buffer[ndx], (POINTER)input, partLen);
|
||||
- MD5Transform (context->state, context->buffer);
|
||||
+ li_MD5Transform (context->state, context->buffer);
|
||||
|
||||
for (i = partLen; i + 63 < inputLen; i += 64)
|
||||
- MD5Transform (context->state, &input[i]);
|
||||
+ li_MD5Transform (context->state, &input[i]);
|
||||
|
||||
ndx = 0;
|
||||
}
|
||||
@@ -170,9 +170,9 @@ unsigned int inputLen; /* length o
|
||||
/* MD5 finalization. Ends an MD5 message-digest operation, writing the
|
||||
the message digest and zeroizing the context.
|
||||
*/
|
||||
-void MD5_Final (digest, context)
|
||||
+void li_MD5_Final (digest, context)
|
||||
unsigned char digest[16]; /* message digest */
|
||||
-MD5_CTX *context; /* context */
|
||||
+li_MD5_CTX *context; /* context */
|
||||
{
|
||||
unsigned char bits[8];
|
||||
unsigned int ndx, padLen;
|
||||
@@ -184,10 +184,10 @@ MD5_CTX *context;
|
||||
*/
|
||||
ndx = (unsigned int)((context->count[0] >> 3) & 0x3f);
|
||||
padLen = (ndx < 56) ? (56 - ndx) : (120 - ndx);
|
||||
- MD5_Update (context, PADDING, padLen);
|
||||
+ li_MD5_Update (context, PADDING, padLen);
|
||||
|
||||
/* Append length (before padding) */
|
||||
- MD5_Update (context, bits, 8);
|
||||
+ li_MD5_Update (context, bits, 8);
|
||||
|
||||
/* Store state in digest */
|
||||
Encode (digest, context->state, 16);
|
||||
@@ -199,7 +199,7 @@ MD5_CTX *context;
|
||||
|
||||
/* MD5 basic transformation. Transforms state based on block.
|
||||
*/
|
||||
-static void MD5Transform (state, block)
|
||||
+static void li_MD5Transform (state, block)
|
||||
UINT4 state[4];
|
||||
const unsigned char block[64];
|
||||
{
|
||||
@ -1,20 +0,0 @@
|
||||
$OpenBSD: patch-src_md5_h,v 1.1 2011/04/25 09:39:36 sthen Exp $
|
||||
|
||||
http://redmine.lighttpd.net/issues/2269
|
||||
|
||||
--- src/md5.h.orig Sun Apr 24 22:03:58 2011
|
||||
+++ src/md5.h Sun Apr 24 22:05:09 2011
|
||||
@@ -39,9 +39,8 @@ typedef struct {
|
||||
UINT4 state[4]; /* state (ABCD) */
|
||||
UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
|
||||
unsigned char buffer[64]; /* input buffer */
|
||||
-} MD5_CTX;
|
||||
+} li_MD5_CTX;
|
||||
|
||||
-void MD5_Init (MD5_CTX *);
|
||||
-void MD5_Update (MD5_CTX *, const void *, unsigned int);
|
||||
-void MD5_Final (unsigned char [16], MD5_CTX *);
|
||||
-
|
||||
+void li_MD5_Init (li_MD5_CTX *);
|
||||
+void li_MD5_Update (li_MD5_CTX *, const void *, unsigned int);
|
||||
+void li_MD5_Final (unsigned char [16], li_MD5_CTX *);
|
||||
@ -1,24 +0,0 @@
|
||||
$OpenBSD: patch-src_mod_cgi_c,v 1.3 2011/03/20 13:42:53 sthen Exp $
|
||||
--- src/mod_cgi.c.orig Mon Mar 14 21:11:20 2011
|
||||
+++ src/mod_cgi.c Mon Mar 14 21:13:22 2011
|
||||
@@ -341,8 +341,19 @@ static int cgi_demux_response(server *srv, handler_ctx
|
||||
|
||||
while(1) {
|
||||
int n;
|
||||
+ int toread;
|
||||
|
||||
- buffer_prepare_copy(hctx->response, 1024);
|
||||
+#if defined(__WIN32)
|
||||
+ buffer_prepare_copy(hctx->response, 4 * 1024);
|
||||
+#else
|
||||
+ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
|
||||
+ buffer_prepare_copy(hctx->response, 4 * 1024);
|
||||
+ } else {
|
||||
+ if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
|
||||
+ buffer_prepare_copy(hctx->response, toread + 1);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (-1 == (n = read(hctx->fd, hctx->response->ptr, hctx->response->size - 1))) {
|
||||
if (errno == EAGAIN || errno == EINTR) {
|
||||
/* would block, wait for signal */
|
||||
@ -1,159 +0,0 @@
|
||||
$OpenBSD: patch-src_mod_proxy_c,v 1.6 2011/03/20 13:42:53 sthen Exp $
|
||||
--- src/mod_proxy.c.orig Mon Mar 14 21:16:15 2011
|
||||
+++ src/mod_proxy.c Mon Mar 14 21:16:22 2011
|
||||
@@ -724,9 +724,9 @@ static int proxy_demux_response(server *srv, handler_c
|
||||
con->file_started = 1;
|
||||
if (blen) {
|
||||
http_chunk_append_mem(srv, con, c + 4, blen + 1);
|
||||
- joblist_append(srv, con);
|
||||
}
|
||||
hctx->response->used = 0;
|
||||
+ joblist_append(srv, con);
|
||||
}
|
||||
} else {
|
||||
http_chunk_append_mem(srv, con, hctx->response->ptr, hctx->response->used);
|
||||
@@ -750,7 +750,6 @@ static int proxy_demux_response(server *srv, handler_c
|
||||
|
||||
static handler_t proxy_write_request(server *srv, handler_ctx *hctx) {
|
||||
data_proxy *host= hctx->host;
|
||||
- plugin_data *p = hctx->plugin_data;
|
||||
connection *con = hctx->remote_conn;
|
||||
|
||||
int ret;
|
||||
@@ -759,6 +758,17 @@ static handler_t proxy_write_request(server *srv, hand
|
||||
(!host->host->used || !host->port)) return -1;
|
||||
|
||||
switch(hctx->state) {
|
||||
+ case PROXY_STATE_CONNECT:
|
||||
+ /* wait for the connect() to finish */
|
||||
+
|
||||
+ /* connect failed ? */
|
||||
+ if (-1 == hctx->fde_ndx) return HANDLER_ERROR;
|
||||
+
|
||||
+ /* wait */
|
||||
+ return HANDLER_WAIT_FOR_EVENT;
|
||||
+
|
||||
+ break;
|
||||
+
|
||||
case PROXY_STATE_INIT:
|
||||
#if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
|
||||
if (strstr(host->host->ptr,":")) {
|
||||
@@ -786,58 +796,28 @@ static handler_t proxy_write_request(server *srv, hand
|
||||
return HANDLER_ERROR;
|
||||
}
|
||||
|
||||
- /* fall through */
|
||||
+ switch (proxy_establish_connection(srv, hctx)) {
|
||||
+ case 1:
|
||||
+ proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
|
||||
|
||||
- case PROXY_STATE_CONNECT:
|
||||
- /* try to finish the connect() */
|
||||
- if (hctx->state == PROXY_STATE_INIT) {
|
||||
- /* first round */
|
||||
- switch (proxy_establish_connection(srv, hctx)) {
|
||||
- case 1:
|
||||
- proxy_set_state(srv, hctx, PROXY_STATE_CONNECT);
|
||||
+ /* connection is in progress, wait for an event and call getsockopt() below */
|
||||
|
||||
- /* connection is in progress, wait for an event and call getsockopt() below */
|
||||
+ fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
|
||||
|
||||
- fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_OUT);
|
||||
+ return HANDLER_WAIT_FOR_EVENT;
|
||||
+ case -1:
|
||||
+ /* if ECONNREFUSED choose another connection -> FIXME */
|
||||
+ hctx->fde_ndx = -1;
|
||||
|
||||
- return HANDLER_WAIT_FOR_EVENT;
|
||||
- case -1:
|
||||
- /* if ECONNREFUSED choose another connection -> FIXME */
|
||||
- hctx->fde_ndx = -1;
|
||||
-
|
||||
- return HANDLER_ERROR;
|
||||
- default:
|
||||
- /* everything is ok, go on */
|
||||
- break;
|
||||
- }
|
||||
- } else {
|
||||
- int socket_error;
|
||||
- socklen_t socket_error_len = sizeof(socket_error);
|
||||
-
|
||||
- /* we don't need it anymore */
|
||||
- fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
|
||||
-
|
||||
- /* try to finish the connect() */
|
||||
- if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "ss",
|
||||
- "getsockopt failed:", strerror(errno));
|
||||
-
|
||||
- return HANDLER_ERROR;
|
||||
- }
|
||||
- if (socket_error != 0) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "ss",
|
||||
- "establishing connection failed:", strerror(socket_error),
|
||||
- "port:", hctx->host->port);
|
||||
-
|
||||
- return HANDLER_ERROR;
|
||||
- }
|
||||
- if (p->conf.debug) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
|
||||
- }
|
||||
+ return HANDLER_ERROR;
|
||||
+ default:
|
||||
+ /* everything is ok, go on */
|
||||
+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
|
||||
+ break;
|
||||
}
|
||||
|
||||
- proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
|
||||
/* fall through */
|
||||
+
|
||||
case PROXY_STATE_PREPARE_WRITE:
|
||||
proxy_create_env(srv, hctx);
|
||||
|
||||
@@ -1019,11 +999,42 @@ static handler_t proxy_handle_fdevent(server *srv, voi
|
||||
"proxy: fdevent-out", hctx->state);
|
||||
}
|
||||
|
||||
- if (hctx->state == PROXY_STATE_CONNECT ||
|
||||
+ if (hctx->state == PROXY_STATE_CONNECT) {
|
||||
+ int socket_error;
|
||||
+ socklen_t socket_error_len = sizeof(socket_error);
|
||||
+
|
||||
+ /* we don't need it anymore */
|
||||
+ fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
|
||||
+ hctx->fde_ndx = -1;
|
||||
+
|
||||
+ /* try to finish the connect() */
|
||||
+ if (0 != getsockopt(hctx->fd, SOL_SOCKET, SO_ERROR, &socket_error, &socket_error_len)) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss",
|
||||
+ "getsockopt failed:", strerror(errno));
|
||||
+
|
||||
+ joblist_append(srv, con);
|
||||
+ return HANDLER_FINISHED;
|
||||
+ }
|
||||
+ if (socket_error != 0) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss",
|
||||
+ "establishing connection failed:", strerror(socket_error),
|
||||
+ "port:", hctx->host->port);
|
||||
+
|
||||
+ joblist_append(srv, con);
|
||||
+ return HANDLER_FINISHED;
|
||||
+ }
|
||||
+ if (p->conf.debug) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "s", "proxy - connect - delayed success");
|
||||
+ }
|
||||
+
|
||||
+ proxy_set_state(srv, hctx, PROXY_STATE_PREPARE_WRITE);
|
||||
+ }
|
||||
+
|
||||
+ if (hctx->state == PROXY_STATE_PREPARE_WRITE ||
|
||||
hctx->state == PROXY_STATE_WRITE) {
|
||||
/* we are allowed to send something out
|
||||
*
|
||||
- * 1. in a unfinished connect() call
|
||||
+ * 1. after a just finished connect() call
|
||||
* 2. in a unfinished write() call (long POST request)
|
||||
*/
|
||||
return mod_proxy_handle_subrequest(srv, con, p);
|
||||
@ -1,152 +0,0 @@
|
||||
$OpenBSD: patch-src_network_c,v 1.3 2011/04/25 09:39:36 sthen Exp $
|
||||
|
||||
http://redmine.lighttpd.net/issues/2269
|
||||
|
||||
--- src/network.c.orig Tue Aug 17 05:04:38 2010
|
||||
+++ src/network.c Sun Apr 24 22:29:51 2011
|
||||
@@ -479,6 +479,55 @@ int network_init(server *srv) {
|
||||
size_t i;
|
||||
network_backend_t backend;
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||
+ EC_KEY *ecdh;
|
||||
+ int nid;
|
||||
+#endif
|
||||
+
|
||||
+#ifdef USE_OPENSSL
|
||||
+ DH *dh;
|
||||
+ BIO *bio;
|
||||
+
|
||||
+ /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
|
||||
+ * -----BEGIN DH PARAMETERS-----
|
||||
+ * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
|
||||
+ * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
|
||||
+ * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
|
||||
+ * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
|
||||
+ * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
|
||||
+ * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
|
||||
+ * -----END DH PARAMETERS-----
|
||||
+ */
|
||||
+
|
||||
+ static const unsigned char dh1024_p[]={
|
||||
+ 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
|
||||
+ 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
|
||||
+ 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
|
||||
+ 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
|
||||
+ 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
|
||||
+ 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
|
||||
+ 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
|
||||
+ 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
|
||||
+ 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
|
||||
+ 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
|
||||
+ 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
|
||||
+ };
|
||||
+
|
||||
+ static const unsigned char dh1024_g[]={
|
||||
+ 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
|
||||
+ 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
|
||||
+ 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
|
||||
+ 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
|
||||
+ 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
|
||||
+ 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
|
||||
+ 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
|
||||
+ 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
|
||||
+ 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
|
||||
+ 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
|
||||
+ 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
|
||||
+ };
|
||||
+#endif
|
||||
+
|
||||
struct nb_map {
|
||||
network_backend_t nb;
|
||||
const char *name;
|
||||
@@ -521,6 +570,7 @@ int network_init(server *srv) {
|
||||
if (srv->ssl_is_init == 0) {
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
srv->ssl_is_init = 1;
|
||||
|
||||
if (0 == RAND_status()) {
|
||||
@@ -545,6 +595,15 @@ int network_init(server *srv) {
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!s->ssl_use_sslv3) {
|
||||
+ /* disable SSLv3 */
|
||||
+ if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!buffer_is_empty(s->ssl_cipher_list)) {
|
||||
/* Disable support for low encryption ciphers */
|
||||
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
|
||||
@@ -553,6 +612,65 @@ int network_init(server *srv) {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* Support for Diffie-Hellman key exchange */
|
||||
+ if (!buffer_is_empty(s->ssl_dh_file)) {
|
||||
+ /* DH parameters from file */
|
||||
+ bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
|
||||
+ if (bio == NULL) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||
+ BIO_free(bio);
|
||||
+ if (dh == NULL) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* Default DH parameters from RFC5114 */
|
||||
+ dh = DH_new();
|
||||
+ if (dh == NULL) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
|
||||
+ dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
|
||||
+ dh->length = 160;
|
||||
+ if ((dh->p == NULL) || (dh->g == NULL)) {
|
||||
+ DH_free(dh);
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+ SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
|
||||
+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
|
||||
+ DH_free(dh);
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||
+#ifndef OPENSSL_NO_ECDH
|
||||
+ /* Support for Elliptic-Curve Diffie-Hellman key exchange */
|
||||
+ if (!buffer_is_empty(s->ssl_ec_curve)) {
|
||||
+ /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
|
||||
+ nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
|
||||
+ if (nid == 0) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* Default curve */
|
||||
+ nid = OBJ_sn2nid("prime256v1");
|
||||
+ }
|
||||
+ ecdh = EC_KEY_new_by_curve_name(nid);
|
||||
+ if (ecdh == NULL) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
|
||||
+ SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
|
||||
+ EC_KEY_free(ecdh);
|
||||
+#endif
|
||||
+#endif
|
||||
|
||||
if (!buffer_is_empty(s->ssl_ca_file)) {
|
||||
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
|
||||
@ -1,21 +0,0 @@
|
||||
$OpenBSD: patch-src_server_c,v 1.9 2011/04/25 09:39:36 sthen Exp $
|
||||
--- src/server.c.orig Tue Aug 17 05:04:38 2010
|
||||
+++ src/server.c Sun Apr 24 22:28:50 2011
|
||||
@@ -211,7 +211,7 @@ static server *server_init(void) {
|
||||
srv->mtime_cache[i].str = buffer_init();
|
||||
}
|
||||
|
||||
- if ((NULL != (frandom = fopen("/dev/urandom", "rb")) || NULL != (frandom = fopen("/dev/random", "rb")))
|
||||
+ if ((NULL != (frandom = fopen("/dev/arandom", "rb")) || NULL != (frandom = fopen("/dev/urandom", "rb")))
|
||||
&& 1 == fread(srv->entropy, sizeof(srv->entropy), 1, frandom)) {
|
||||
unsigned int e;
|
||||
memcpy(&e, srv->entropy, sizeof(e) < sizeof(srv->entropy) ? sizeof(e) : sizeof(srv->entropy));
|
||||
@@ -306,6 +306,8 @@ static void server_free(server *srv) {
|
||||
buffer_free(s->ssl_pemfile);
|
||||
buffer_free(s->ssl_ca_file);
|
||||
buffer_free(s->ssl_cipher_list);
|
||||
+ buffer_free(s->ssl_dh_file);
|
||||
+ buffer_free(s->ssl_ec_curve);
|
||||
buffer_free(s->error_handler);
|
||||
buffer_free(s->errorfile_prefix);
|
||||
array_free(s->mimetypes);
|
||||
Loading…
Reference in New Issue
Block a user