From 5262fc0208252ae3aeb340ffbffdf2146e52b8ea Mon Sep 17 00:00:00 2001 From: sthen Date: Mon, 25 Apr 2011 09:39:36 +0000 Subject: [PATCH] - backport a patch from upstream to avoid a conflict between OpenSSL and internal implementations of MD5. Fixes SSL problems with some clients. From Brad --- www/lighttpd/Makefile | 4 +- www/lighttpd/patches/patch-src_md5_c | 84 ++++++++++++++++++++++++ www/lighttpd/patches/patch-src_md5_h | 20 ++++++ www/lighttpd/patches/patch-src_network_c | 25 +++---- www/lighttpd/patches/patch-src_server_c | 15 ++++- 5 files changed, 132 insertions(+), 16 deletions(-) create mode 100644 www/lighttpd/patches/patch-src_md5_c create mode 100644 www/lighttpd/patches/patch-src_md5_h diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile index 13defe290ab..f34a596b4f8 100644 --- a/www/lighttpd/Makefile +++ b/www/lighttpd/Makefile @@ -1,11 +1,11 @@ -# $OpenBSD: Makefile,v 1.83 2011/04/15 21:43:14 sthen Exp $ +# $OpenBSD: Makefile,v 1.84 2011/04/25 09:39:36 sthen Exp $ SHARED_ONLY= Yes COMMENT= secure, fast, compliant, and very flexible web-server DISTNAME= lighttpd-1.4.28 -REVISION= 3 +REVISION= 4 CATEGORIES= www net MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/ diff --git a/www/lighttpd/patches/patch-src_md5_c b/www/lighttpd/patches/patch-src_md5_c new file mode 100644 index 00000000000..dbeb1530677 --- /dev/null +++ b/www/lighttpd/patches/patch-src_md5_c 
@@ -0,0 +1,84 @@ +$OpenBSD: patch-src_md5_c,v 1.1 2011/04/25 09:39:36 sthen Exp $ + +http://redmine.lighttpd.net/issues/2269 + +--- src/md5.c.orig Sun Apr 24 22:03:40 2011 ++++ src/md5.c Sun Apr 24 22:07:52 2011 +@@ -52,7 +52,7 @@ documentation and/or software. + #define S43 15 + #define S44 21 + +-static void MD5Transform (UINT4 [4], const unsigned char [64]); ++static void li_MD5Transform (UINT4 [4], const unsigned char [64]); + static void Encode (unsigned char *, UINT4 *, unsigned int); + static void Decode (UINT4 *, const unsigned char *, unsigned int); + +@@ -110,8 +110,8 @@ Rotation is separate from addition to prevent recomput + + /* MD5 initialization. Begins an MD5 operation, writing a new context. + */ +-void MD5_Init (context) +-MD5_CTX *context; /* context */ ++void li_MD5_Init (context) ++li_MD5_CTX *context; /* context */ + { + context->count[0] = context->count[1] = 0; + /* Load magic initialization constants. +@@ -126,8 +126,8 @@ MD5_CTX *context; + operation, processing another message block, and updating the + context. + */ +-void MD5_Update (context, _input, inputLen) +-MD5_CTX *context; /* context */ ++void li_MD5_Update (context, _input, inputLen) ++li_MD5_CTX *context; /* context */ + const void *_input; /* input block */ + unsigned int inputLen; /* length of input block */ + { +@@ -151,10 +151,10 @@ unsigned int inputLen; /* length o + if (inputLen >= partLen) { + MD5_memcpy + ((POINTER)&context->buffer[ndx], (POINTER)input, partLen); +- MD5Transform (context->state, context->buffer); ++ li_MD5Transform (context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) +- MD5Transform (context->state, &input[i]); ++ li_MD5Transform (context->state, &input[i]); + + ndx = 0; + } +@@ -170,9 +170,9 @@ unsigned int inputLen; /* length o + /* MD5 finalization. Ends an MD5 message-digest operation, writing the + the message digest and zeroizing the context. 
+ */ +-void MD5_Final (digest, context) ++void li_MD5_Final (digest, context) + unsigned char digest[16]; /* message digest */ +-MD5_CTX *context; /* context */ ++li_MD5_CTX *context; /* context */ + { + unsigned char bits[8]; + unsigned int ndx, padLen; +@@ -184,10 +184,10 @@ MD5_CTX *context; + */ + ndx = (unsigned int)((context->count[0] >> 3) & 0x3f); + padLen = (ndx < 56) ? (56 - ndx) : (120 - ndx); +- MD5_Update (context, PADDING, padLen); ++ li_MD5_Update (context, PADDING, padLen); + + /* Append length (before padding) */ +- MD5_Update (context, bits, 8); ++ li_MD5_Update (context, bits, 8); + + /* Store state in digest */ + Encode (digest, context->state, 16); +@@ -199,7 +199,7 @@ MD5_CTX *context; + + /* MD5 basic transformation. Transforms state based on block. + */ +-static void MD5Transform (state, block) ++static void li_MD5Transform (state, block) + UINT4 state[4]; + const unsigned char block[64]; + { diff --git a/www/lighttpd/patches/patch-src_md5_h b/www/lighttpd/patches/patch-src_md5_h new file mode 100644 index 00000000000..6c8bee44b61 --- /dev/null +++ b/www/lighttpd/patches/patch-src_md5_h @@ -0,0 +1,20 @@ +$OpenBSD: patch-src_md5_h,v 1.1 2011/04/25 09:39:36 sthen Exp $ + +http://redmine.lighttpd.net/issues/2269 + +--- src/md5.h.orig Sun Apr 24 22:03:58 2011 ++++ src/md5.h Sun Apr 24 22:05:09 2011 +@@ -39,9 +39,8 @@ typedef struct { + UINT4 state[4]; /* state (ABCD) */ + UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ + unsigned char buffer[64]; /* input buffer */ +-} MD5_CTX; ++} li_MD5_CTX; + +-void MD5_Init (MD5_CTX *); +-void MD5_Update (MD5_CTX *, const void *, unsigned int); +-void MD5_Final (unsigned char [16], MD5_CTX *); +- ++void li_MD5_Init (li_MD5_CTX *); ++void li_MD5_Update (li_MD5_CTX *, const void *, unsigned int); ++void li_MD5_Final (unsigned char [16], li_MD5_CTX *); diff --git a/www/lighttpd/patches/patch-src_network_c b/www/lighttpd/patches/patch-src_network_c index 8535adfab6e..dfda0f9ffbf 100644 
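Review bot: The header of the new patch-src_md5_c (and of patch-src_md5_h) gives only the issue URL and does not say why the symbols are renamed, which is what a maintainer needs to know when deciding whether the patch can be dropped on the next update. I would add a line under the `$OpenBSD$` tag such as `Prefix the bundled MD5 with li_ so its symbols cannot clash with libcrypto's MD5_*.` The same URL heads patch-src_network_c, so it is worth confirming that it is also the right upstream reference for the MD5 rename. `Encode` and `Decode` stay unprefixed, which is fine because both are declared `static` in the first inner hunk.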
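Review bot: After this change src/md5.h declares only `li_MD5_CTX` and the `li_MD5_*` functions, and the commit carries no patch for any file that calls them. If a caller falls back to this header when OpenSSL is not in use and still uses the names `MD5_Init`/`MD5_Update`/`MD5_Final`, that configuration stops compiling; the callers are not visible here, so this is inferred. If the port is only ever built with OpenSSL this is harmless, but the patch header should then say so. Otherwise the callers need the rename or a compatibility mapping such as `#define MD5_Init li_MD5_Init` on the non-OpenSSL path.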
--- a/www/lighttpd/patches/patch-src_network_c +++ b/www/lighttpd/patches/patch-src_network_c @@ -1,20 +1,22 @@ -$OpenBSD: patch-src_network_c,v 1.2 2011/03/20 13:42:53 sthen Exp $ +$OpenBSD: patch-src_network_c,v 1.3 2011/04/25 09:39:36 sthen Exp $ http://redmine.lighttpd.net/issues/2269 ---- src/network.c.orig Mon Mar 14 21:24:13 2011 -+++ src/network.c Mon Mar 14 21:24:17 2011 -@@ -479,6 +479,52 @@ int network_init(server *srv) { +--- src/network.c.orig Tue Aug 17 05:04:38 2010 ++++ src/network.c Sun Apr 24 22:29:51 2011 +@@ -479,6 +479,55 @@ int network_init(server *srv) { size_t i; network_backend_t backend; -+ DH *dh; -+ BIO *bio; +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL + EC_KEY *ecdh; + int nid; +#endif + ++#ifdef USE_OPENSSL ++ DH *dh; ++ BIO *bio; ++ + /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114) + * -----BEGIN DH PARAMETERS----- + * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y @@ -26,7 +28,7 @@ http://redmine.lighttpd.net/issues/2269 + * -----END DH PARAMETERS----- + */ + -+ static unsigned char dh1024_p[]={ ++ static const unsigned char dh1024_p[]={ + 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E, + 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6, + 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86, @@ -40,7 +42,7 @@ http://redmine.lighttpd.net/issues/2269 + 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71, + }; + -+ static unsigned char dh1024_g[]={ ++ static const unsigned char dh1024_g[]={ + 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42, + 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F, + 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E, 
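Review bot: In the re-ordered declarations of `network_init`, the `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` block that declares `EC_KEY *ecdh` sits above the new `#ifdef USE_OPENSSL` instead of inside it. It still compiles without OpenSSL only because an undefined macro evaluates to 0 in `#if`, and it has no guard for an OpenSSL built without ECDH. Moving it inside the `USE_OPENSSL` region and testing `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)` would make both cases explicit. The code that uses `ecdh` and `nid` is in a later hunk whose body is not shown, and would need the same condition. The matching `#endif` for `USE_OPENSSL` arrives in the `@@ -53,11 +55,12 @@` hunk.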
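Review bot: The built-in group stored in `dh1024_p` (and `dh1024_g` in the next hunk) is 1024 bits with a 160-bit subgroup, as the comment above it states, which is below the 2048-bit minimum that current guidance asks for in finite-field Diffie-Hellman. Presumably these bytes are the default when no DH parameter file is configured; the selecting code is in a later hunk whose body is not shown, so that is inferred. I would at least say so next to the array, e.g. `/* Built-in fallback, 1024-bit: configure a DH parameter file of 2048 bits or more for real deployments. */`, and prefer a larger built-in group when upstream offers one. The `const` qualifier the hunk adds is correct and should stay.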
@@ -53,11 +55,12 @@ http://redmine.lighttpd.net/issues/2269 + 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24, + 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5, + }; ++#endif + struct nb_map { network_backend_t nb; const char *name; -@@ -521,6 +567,7 @@ int network_init(server *srv) { +@@ -521,6 +570,7 @@ int network_init(server *srv) { if (srv->ssl_is_init == 0) { SSL_load_error_strings(); SSL_library_init(); @@ -65,7 +68,7 @@ http://redmine.lighttpd.net/issues/2269 srv->ssl_is_init = 1; if (0 == RAND_status()) { -@@ -545,6 +592,15 @@ int network_init(server *srv) { +@@ -545,6 +595,15 @@ int network_init(server *srv) { } } @@ -81,7 +84,7 @@ http://redmine.lighttpd.net/issues/2269 if (!buffer_is_empty(s->ssl_cipher_list)) { /* Disable support for low encryption ciphers */ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { -@@ -553,6 +609,65 @@ int network_init(server *srv) { +@@ -553,6 +612,65 @@ int network_init(server *srv) { return -1; } } diff --git a/www/lighttpd/patches/patch-src_server_c b/www/lighttpd/patches/patch-src_server_c index baa4ebc857a..9cdfe6e065d 100644 --- a/www/lighttpd/patches/patch-src_server_c +++ b/www/lighttpd/patches/patch-src_server_c @@ -1,6 +1,6 @@ -$OpenBSD: patch-src_server_c,v 1.8 2010/08/18 11:16:55 sthen Exp $ ---- src/server.c.orig Sat Aug 7 07:00:16 2010 -+++ src/server.c Sun Aug 8 22:18:55 2010 +$OpenBSD: patch-src_server_c,v 1.9 2011/04/25 09:39:36 sthen Exp $ +--- src/server.c.orig Tue Aug 17 05:04:38 2010 ++++ src/server.c Sun Apr 24 22:28:50 2011 @@ -211,7 +211,7 @@ static server *server_init(void) { srv->mtime_cache[i].str = buffer_init(); } 
@@ -10,3 +10,12 @@ $OpenBSD: patch-src_server_c,v 1.8 2010/08/18 11:16:55 sthen Exp $ && 1 == fread(srv->entropy, sizeof(srv->entropy), 1, frandom)) { unsigned int e; memcpy(&e, srv->entropy, sizeof(e) < sizeof(srv->entropy) ? sizeof(e) : sizeof(srv->entropy)); +@@ -306,6 +306,8 @@ static void server_free(server *srv) { + buffer_free(s->ssl_pemfile); + buffer_free(s->ssl_ca_file); + buffer_free(s->ssl_cipher_list); ++ buffer_free(s->ssl_dh_file); ++ buffer_free(s->ssl_ec_curve); + buffer_free(s->error_handler); + buffer_free(s->errorfile_prefix); + array_free(s->mimetypes);