diff options
Diffstat (limited to 'www-servers/lighttpd/files/1.4.20-r1')
-rw-r--r-- | www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff | 175 | ||||
-rw-r--r-- | www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff | 324 |
2 files changed, 499 insertions, 0 deletions
diff --git a/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff new file mode 100644 index 0000000..5133fea --- /dev/null +++ b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff @@ -0,0 +1,175 @@ +Initial patch from http://trac.lighttpd.net/trac/ticket/296 +Updated to apply against 1.4.20 by hoffie +Upstream will only accept it once it has been changed to make the pipe logging more generic + +diff -r 447bac6969ef src/base.h +--- a/src/base.h Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/base.h Tue Aug 19 19:45:00 2008 +0200 +@@ -530,7 +530,7 @@ + + /* the errorlog */ + int errorlog_fd; +- enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG } errorlog_mode; ++ enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG, ERRORLOG_PIPE } errorlog_mode; + buffer *errorlog_buf; + + fdevents *ev, *ev_ins; +diff -r 447bac6969ef src/log.c +--- a/src/log.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/log.c Tue Aug 19 19:45:00 2008 +0200 +@@ -57,10 +57,11 @@ + /** + * open the errorlog + * +- * we have 3 possibilities: ++ * we have 4 possibilities: + * - stderr (default) + * - syslog + * - logfile ++ * - pipe + * + * if the open failed, report to the user and die + * +@@ -79,21 +80,80 @@ + srv->errorlog_mode = ERRORLOG_SYSLOG; + } else if (!buffer_is_empty(srv->srvconf.errorlog_file)) { + const char *logfile = srv->srvconf.errorlog_file->ptr; ++ if (logfile[0] == '|') { ++#ifdef HAVE_FORK ++ /* create write pipe and spawn process */ + +- if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { +- log_error_write(srv, __FILE__, __LINE__, "SSSS", ++ int to_log_fds[2]; ++ int fd; ++ pid_t pid; ++ ++ if (pipe(to_log_fds)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", ++ "pipe failed: ", strerror(errno)); ++ return -1; ++ } ++ ++ /* fork, execve */ ++ switch (pid = fork()) { ++ case 0: ++ /* child */ ++ ++ close(STDIN_FILENO); ++ dup2(to_log_fds[0], STDIN_FILENO); ++ close(to_log_fds[0]); ++ /* not needed */ ++ close(to_log_fds[1]); ++ ++ /* we don't need the client socket */ ++ for (fd = 3; fd < 256; fd++) { ++ close(fd); ++ } ++ ++ /* exec the log-process (skip the | ) ++ * ++ */ ++ ++ execl("/bin/sh", "sh", "-c", logfile + 1, NULL); ++ ++ log_error_write(srv, __FILE__, __LINE__, "sss", ++ "spawning log-process failed: ", ++ strerror(errno), logfile + 1); ++ ++ exit(-1); ++ break; ++ case -1: ++ /* error */ ++ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno)); ++ break; ++ default: ++ close(to_log_fds[0]); ++ ++ srv->errorlog_fd = to_log_fds[1]; ++ ++ break; ++ } ++ srv->errorlog_mode = ERRORLOG_PIPE; ++#else ++ log_error_write(srv, __FILE__, __LINE__, "SSS", ++ "opening errorlog '", logfile,"' impossible"); ++ return -1; ++#endif ++ } else { ++ if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { ++ log_error_write(srv, __FILE__, __LINE__, "SSSS", + "opening errorlog '", logfile, + "' failed: ", strerror(errno)); + +- return -1; ++ return -1; ++ } ++ srv->errorlog_mode = ERRORLOG_FILE; + } + #ifdef FD_CLOEXEC + /* close fd on exec (cgi) */ + fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC); + #endif +- srv->errorlog_mode = ERRORLOG_FILE; + } +- + log_error_write(srv, __FILE__, __LINE__, "s", "server started"); + + #ifdef HAVE_VALGRIND_VALGRIND_H +@@ -122,7 +182,7 @@ + */ + + int log_error_cycle(server *srv) { +- /* only cycle if we are not in syslog-mode */ ++ /* only cycle if the error log is a file */ + + if (srv->errorlog_mode == ERRORLOG_FILE) { + const char *logfile = srv->srvconf.errorlog_file->ptr; +@@ -154,6 +214,7 @@ + + int log_error_close(server *srv) { + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: /* fall through */ + case ERRORLOG_FILE: + close(srv->errorlog_fd); + break; +@@ -173,6 +234,7 @@ + va_list ap; + + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: + case ERRORLOG_FILE: + case ERRORLOG_STDERR: + /* cache the generated timestamp */ +@@ -257,6 +319,7 @@ + va_end(ap); + + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: /* fall through */ + case ERRORLOG_FILE: + buffer_append_string_len(srv->errorlog_buf, CONST_STR_LEN("\n")); + write(srv->errorlog_fd, srv->errorlog_buf->ptr, srv->errorlog_buf->used - 1); +diff -r 447bac6969ef src/mod_cgi.c +--- a/src/mod_cgi.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/mod_cgi.c Tue Aug 19 19:45:00 2008 +0200 +@@ -781,7 +781,7 @@ + * + * we feed the stderr of the CGI to our errorlog, if possible + */ +- if (srv->errorlog_mode == ERRORLOG_FILE) { ++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { + close(STDERR_FILENO); + dup2(srv->errorlog_fd, STDERR_FILENO); + } +diff -r 447bac6969ef src/mod_rrdtool.c +--- a/src/mod_rrdtool.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/mod_rrdtool.c Tue Aug 19 19:45:00 2008 +0200 +@@ -134,7 +134,7 @@ + + close(STDERR_FILENO); + +- if (srv->errorlog_mode == ERRORLOG_FILE) { ++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { + dup2(srv->errorlog_fd, STDERR_FILENO); + close(srv->errorlog_fd); + } diff --git a/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff new file mode 100644 index 0000000..5cd19d6 --- /dev/null +++ b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff @@ -0,0 +1,324 @@ +Index: src/configfile-glue.c +=================================================================== +--- src/configfile-glue.c (revision 2402) ++++ src/configfile-glue.c (working copy) +@@ -289,6 +289,10 @@ + default: + break; + } ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++ } else if (!buffer_is_empty(con->tlsext_server_name)) { ++ l = con->tlsext_server_name; ++#endif + } else { + l = srv->empty_string; + } +Index: src/base.h +=================================================================== +--- src/base.h (revision 2402) ++++ src/base.h (working copy) +@@ -31,6 +31,9 @@ + #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H + # define USE_OPENSSL + # include <openssl/ssl.h> ++# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME ++# define OPENSSL_NO_TLSEXT ++# endif + #endif + + #ifdef HAVE_FAM_H +@@ -417,7 +420,10 @@ + #ifdef USE_OPENSSL + SSL *ssl; + buffer *ssl_error_want_reuse_buffer; ++#ifndef OPENSSL_NO_TLSEXT ++ buffer *tlsext_server_name; + #endif ++#endif + /* etag handling */ + etag_flags_t etag_flags; + +Index: src/connections.c +=================================================================== +--- src/connections.c (revision 2402) ++++ src/connections.c (working copy) +@@ -664,6 +664,9 @@ + CLEAN(server_name); + CLEAN(error_handler); + CLEAN(dst_addr_buf); ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++ CLEAN(tlsext_server_name); ++#endif + + #undef CLEAN + con->write_queue = chunkqueue_init(); +@@ -728,6 +731,9 @@ + CLEAN(server_name); + CLEAN(error_handler); + CLEAN(dst_addr_buf); ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++ CLEAN(tlsext_server_name); ++#endif + #undef CLEAN + free(con->plugin_ctx); + free(con->cond_cache); +@@ -1338,6 +1344,9 @@ + return NULL; + } + ++#ifndef OPENSSL_NO_TLSEXT ++ SSL_set_app_data(con->ssl, con); ++#endif + SSL_set_accept_state(con->ssl); + con->conf.is_ssl=1; + +Index: src/network.c +=================================================================== +--- src/network.c (revision 2402) ++++ src/network.c (working copy) +@@ -62,6 +62,45 @@ + return HANDLER_GO_ON; + } + ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { ++ const char *servername; ++ connection *con = (connection *) SSL_get_app_data(ssl); ++ ++ buffer_copy_string(con->uri.scheme, "https"); ++ ++ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "failed to get TLS server name"); ++ return SSL_TLSEXT_ERR_NOACK; ++ } ++ buffer_copy_string(con->tlsext_server_name, servername); ++ buffer_to_lower(con->tlsext_server_name); ++ ++ config_cond_cache_reset(srv, con); ++ config_setup_connection(srv, con); ++ ++ config_patch_connection(srv, con, COMP_SERVER_SOCKET); ++ config_patch_connection(srv, con, COMP_HTTP_SCHEME); ++ config_patch_connection(srv, con, COMP_HTTP_HOST); ++ ++ if (NULL == con->conf.ssl_ctx) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ "null SSL_CTX for TLS server name", con->tlsext_server_name); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ ++ /* switch to new SSL_CTX in reaction to a client's server_name extension */ ++ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ ++ return SSL_TLSEXT_ERR_OK; ++} ++#endif ++ + int network_server_init(server *srv, buffer *host_token, specific_config *s) { + int val; + socklen_t addr_len; +@@ -312,78 +351,10 @@ + + if (s->is_ssl) { + #ifdef USE_OPENSSL +- if (srv->ssl_is_init == 0) { +- SSL_load_error_strings(); +- SSL_library_init(); +- srv->ssl_is_init = 1; +- +- if (0 == RAND_status()) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- "not enough entropy in the pool"); +- return -1; +- } +- } +- +- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- +- if (!s->ssl_use_sslv2) { +- /* disable SSLv2 */ +- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- } +- +- if (!buffer_is_empty(s->ssl_cipher_list)) { +- /* Disable support for low encryption ciphers */ +- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- } +- +- if (buffer_is_empty(s->ssl_pemfile)) { ++ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) { + log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set"); + return -1; + } +- +- if (!buffer_is_empty(s->ssl_ca_file)) { +- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", +- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); +- return -1; +- } +- } +- +- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", +- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); +- return -1; +- } +- +- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", +- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); +- return -1; +- } +- +- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { +- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", +- "Private key does not match the certificate public key, reason:", +- ERR_error_string(ERR_get_error(), NULL), +- s->ssl_pemfile); +- return -1; +- } +- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); +- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); +- +- srv_socket->ssl_ctx = s->ssl_ctx; + #else + + buffer_free(srv_socket->srv_token); +@@ -491,6 +462,99 @@ + { NETWORK_BACKEND_UNSET, NULL } + }; + ++#ifdef USE_OPENSSL ++ /* load SSL certificates */ ++ for (i = 0; i < srv->config_context->used; i++) { ++ data_config *dc = (data_config *)srv->config_context->data[i]; ++ specific_config *s = srv->config_storage[i]; ++ ++ if (buffer_is_empty(s->ssl_pemfile)) continue; ++ ++#ifdef OPENSSL_NO_TLSEXT ++ if (COMP_HTTP_HOST == dc->comp) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); ++ return -1; ++ } ++#endif ++ ++ if (srv->ssl_is_init == 0) { ++ SSL_load_error_strings(); ++ SSL_library_init(); ++ srv->ssl_is_init = 1; ++ ++ if (0 == RAND_status()) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "not enough entropy in the pool"); ++ return -1; ++ } ++ } ++ ++ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ ++ if (!s->ssl_use_sslv2) { ++ /* disable SSLv2 */ ++ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!buffer_is_empty(s->ssl_cipher_list)) { ++ /* Disable support for low encryption ciphers */ ++ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!buffer_is_empty(s->ssl_ca_file)) { ++ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); ++ return -1; ++ } ++ } ++ ++ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); ++ return -1; ++ } ++ ++ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); ++ return -1; ++ } ++ ++ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", ++ "Private key does not match the certificate public key, reason:", ++ ERR_error_string(ERR_get_error(), NULL), ++ s->ssl_pemfile); ++ return -1; ++ } ++ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); ++ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); ++ ++#ifndef OPENSSL_NO_TLSEXT ++ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) || ++ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension"); ++ return -1; ++ } ++#endif ++ } ++#endif ++ + b = buffer_init(); + + buffer_copy_string_buffer(b, srv->srvconf.bindhost); +Index: src/configfile.c +=================================================================== +--- src/configfile.c (revision 2402) ++++ src/configfile.c (working copy) +@@ -293,6 +293,7 @@ + PATCH(is_ssl); + + PATCH(ssl_pemfile); ++ PATCH(ssl_ctx); + PATCH(ssl_ca_file); + PATCH(ssl_cipher_list); + PATCH(ssl_use_sslv2); +@@ -348,6 +349,7 @@ + PATCH(etag_use_size); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) { + PATCH(ssl_pemfile); ++ PATCH(ssl_ctx); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { + PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { |