Diffstat (limited to 'www-servers/lighttpd/files/1.4.20-r1')
-rw-r--r--www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff175
-rw-r--r--www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff324
2 files changed, 499 insertions, 0 deletions
diff --git a/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff
new file mode 100644
index 0000000..5133fea
--- /dev/null
+++ b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff
@@ -0,0 +1,175 @@
+Initial patch from http://trac.lighttpd.net/trac/ticket/296
+Updated to apply against 1.4.20 by hoffie
+Upstream will only accept it once it has been changed to make the pipe logging more generic
+
+diff -r 447bac6969ef src/base.h
+--- a/src/base.h Tue Aug 19 18:04:17 2008 +0200
++++ b/src/base.h Tue Aug 19 19:45:00 2008 +0200
+@@ -530,7 +530,7 @@
+
+ /* the errorlog */
+ int errorlog_fd;
+- enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG } errorlog_mode;
++ enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG, ERRORLOG_PIPE } errorlog_mode;
+ buffer *errorlog_buf;
+
+ fdevents *ev, *ev_ins;
+diff -r 447bac6969ef src/log.c
+--- a/src/log.c Tue Aug 19 18:04:17 2008 +0200
++++ b/src/log.c Tue Aug 19 19:45:00 2008 +0200
+@@ -57,10 +57,11 @@
+ /**
+ * open the errorlog
+ *
+- * we have 3 possibilities:
++ * we have 4 possibilities:
+ * - stderr (default)
+ * - syslog
+ * - logfile
++ * - pipe
+ *
+ * if the open failed, report to the user and die
+ *
+@@ -79,21 +80,80 @@
+ srv->errorlog_mode = ERRORLOG_SYSLOG;
+ } else if (!buffer_is_empty(srv->srvconf.errorlog_file)) {
+ const char *logfile = srv->srvconf.errorlog_file->ptr;
++ if (logfile[0] == '|') {
++#ifdef HAVE_FORK
++ /* create write pipe and spawn process */
+
+- if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) {
+- log_error_write(srv, __FILE__, __LINE__, "SSSS",
++ int to_log_fds[2];
++ int fd;
++ pid_t pid;
++
++ if (pipe(to_log_fds)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss",
++ "pipe failed: ", strerror(errno));
++ return -1;
++ }
++
++ /* fork, execve */
++ switch (pid = fork()) {
++ case 0:
++ /* child */
++
++ close(STDIN_FILENO);
++ dup2(to_log_fds[0], STDIN_FILENO);
++ close(to_log_fds[0]);
++ /* not needed */
++ close(to_log_fds[1]);
++
++ /* we don't need the client socket */
++ for (fd = 3; fd < 256; fd++) {
++ close(fd);
++ }
++
++ /* exec the log-process (skip the | )
++ *
++ */
++
++ execl("/bin/sh", "sh", "-c", logfile + 1, NULL);
++
++ log_error_write(srv, __FILE__, __LINE__, "sss",
++ "spawning log-process failed: ",
++ strerror(errno), logfile + 1);
++
++ exit(-1);
++ break;
++ case -1:
++ /* error */
++ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno));
++ break;
++ default:
++ close(to_log_fds[0]);
++
++ srv->errorlog_fd = to_log_fds[1];
++
++ break;
++ }
++ srv->errorlog_mode = ERRORLOG_PIPE;
++#else
++ log_error_write(srv, __FILE__, __LINE__, "SSS",
++ "opening errorlog '", logfile,"' impossible");
++ return -1;
++#endif
++ } else {
++ if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) {
++ log_error_write(srv, __FILE__, __LINE__, "SSSS",
+ "opening errorlog '", logfile,
+ "' failed: ", strerror(errno));
+
+- return -1;
++ return -1;
++ }
++ srv->errorlog_mode = ERRORLOG_FILE;
+ }
+ #ifdef FD_CLOEXEC
+ /* close fd on exec (cgi) */
+ fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC);
+ #endif
+- srv->errorlog_mode = ERRORLOG_FILE;
+ }
+-
+ log_error_write(srv, __FILE__, __LINE__, "s", "server started");
+
+ #ifdef HAVE_VALGRIND_VALGRIND_H
+@@ -122,7 +182,7 @@
+ */
+
+ int log_error_cycle(server *srv) {
+- /* only cycle if we are not in syslog-mode */
++ /* only cycle if the error log is a file */
+
+ if (srv->errorlog_mode == ERRORLOG_FILE) {
+ const char *logfile = srv->srvconf.errorlog_file->ptr;
+@@ -154,6 +214,7 @@
+
+ int log_error_close(server *srv) {
+ switch(srv->errorlog_mode) {
++ case ERRORLOG_PIPE: /* fall through */
+ case ERRORLOG_FILE:
+ close(srv->errorlog_fd);
+ break;
+@@ -173,6 +234,7 @@
+ va_list ap;
+
+ switch(srv->errorlog_mode) {
++ case ERRORLOG_PIPE:
+ case ERRORLOG_FILE:
+ case ERRORLOG_STDERR:
+ /* cache the generated timestamp */
+@@ -257,6 +319,7 @@
+ va_end(ap);
+
+ switch(srv->errorlog_mode) {
++ case ERRORLOG_PIPE: /* fall through */
+ case ERRORLOG_FILE:
+ buffer_append_string_len(srv->errorlog_buf, CONST_STR_LEN("\n"));
+ write(srv->errorlog_fd, srv->errorlog_buf->ptr, srv->errorlog_buf->used - 1);
+diff -r 447bac6969ef src/mod_cgi.c
+--- a/src/mod_cgi.c Tue Aug 19 18:04:17 2008 +0200
++++ b/src/mod_cgi.c Tue Aug 19 19:45:00 2008 +0200
+@@ -781,7 +781,7 @@
+ *
+ * we feed the stderr of the CGI to our errorlog, if possible
+ */
+- if (srv->errorlog_mode == ERRORLOG_FILE) {
++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) {
+ close(STDERR_FILENO);
+ dup2(srv->errorlog_fd, STDERR_FILENO);
+ }
+diff -r 447bac6969ef src/mod_rrdtool.c
+--- a/src/mod_rrdtool.c Tue Aug 19 18:04:17 2008 +0200
++++ b/src/mod_rrdtool.c Tue Aug 19 19:45:00 2008 +0200
+@@ -134,7 +134,7 @@
+
+ close(STDERR_FILENO);
+
+- if (srv->errorlog_mode == ERRORLOG_FILE) {
++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) {
+ dup2(srv->errorlog_fd, STDERR_FILENO);
+ close(srv->errorlog_fd);
+ }
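Review bot: The `case -1:` branch of the fork switch (the `"fork failed:"` log) only logs and then falls out of the switch, so `srv->errorlog_mode = ERRORLOG_PIPE;` is still executed with `srv->errorlog_fd` never assigned and both ends of `to_log_fds` left open; it should mirror the `pipe()` failure path just above and do `close(to_log_fds[0]); close(to_log_fds[1]); return -1;` after the log call. The child's descriptor cleanup `for (fd = 3; fd < 256; fd++) close(fd);` hardcodes 256, so any descriptor numbered higher (listening sockets, if they are already open when log_error_open runs — the caller is outside the hunk) is inherited by the `/bin/sh -c` logger; `sysconf(_SC_OPEN_MAX)` as the bound would be safer. Since the logger command comes from `server.errorlog` and is run through a shell, I would also add a comment above the `execl` noting that it executes with whatever privileges lighttpd holds at that moment (presumably before any setuid drop, if this is called early in startup — worth confirming), and that if the logger exits, later `write()`s on the pipe fail with EPIPE, which the unchecked `write()` in log_error_write never notices.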
diff --git a/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff
new file mode 100644
index 0000000..5cd19d6
--- /dev/null
+++ b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff
@@ -0,0 +1,324 @@
+Index: src/configfile-glue.c
+===================================================================
+--- src/configfile-glue.c (revision 2402)
++++ src/configfile-glue.c (working copy)
+@@ -289,6 +289,10 @@
+ default:
+ break;
+ }
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ } else if (!buffer_is_empty(con->tlsext_server_name)) {
++ l = con->tlsext_server_name;
++#endif
+ } else {
+ l = srv->empty_string;
+ }
+Index: src/base.h
+===================================================================
+--- src/base.h (revision 2402)
++++ src/base.h (working copy)
+@@ -31,6 +31,9 @@
+ #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
+ # define USE_OPENSSL
+ # include <openssl/ssl.h>
++# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
++# define OPENSSL_NO_TLSEXT
++# endif
+ #endif
+
+ #ifdef HAVE_FAM_H
+@@ -417,7 +420,10 @@
+ #ifdef USE_OPENSSL
+ SSL *ssl;
+ buffer *ssl_error_want_reuse_buffer;
++#ifndef OPENSSL_NO_TLSEXT
++ buffer *tlsext_server_name;
+ #endif
++#endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2402)
++++ src/connections.c (working copy)
+@@ -664,6 +664,9 @@
+ CLEAN(server_name);
+ CLEAN(error_handler);
+ CLEAN(dst_addr_buf);
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ CLEAN(tlsext_server_name);
++#endif
+
+ #undef CLEAN
+ con->write_queue = chunkqueue_init();
+@@ -728,6 +731,9 @@
+ CLEAN(server_name);
+ CLEAN(error_handler);
+ CLEAN(dst_addr_buf);
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ CLEAN(tlsext_server_name);
++#endif
+ #undef CLEAN
+ free(con->plugin_ctx);
+ free(con->cond_cache);
+@@ -1338,6 +1344,9 @@
+ return NULL;
+ }
+
++#ifndef OPENSSL_NO_TLSEXT
++ SSL_set_app_data(con->ssl, con);
++#endif
+ SSL_set_accept_state(con->ssl);
+ con->conf.is_ssl=1;
+
+Index: src/network.c
+===================================================================
+--- src/network.c (revision 2402)
++++ src/network.c (working copy)
+@@ -62,6 +62,45 @@
+ return HANDLER_GO_ON;
+ }
+
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
++ const char *servername;
++ connection *con = (connection *) SSL_get_app_data(ssl);
++
++ buffer_copy_string(con->uri.scheme, "https");
++
++ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "failed to get TLS server name");
++ return SSL_TLSEXT_ERR_NOACK;
++ }
++ buffer_copy_string(con->tlsext_server_name, servername);
++ buffer_to_lower(con->tlsext_server_name);
++
++ config_cond_cache_reset(srv, con);
++ config_setup_connection(srv, con);
++
++ config_patch_connection(srv, con, COMP_SERVER_SOCKET);
++ config_patch_connection(srv, con, COMP_HTTP_SCHEME);
++ config_patch_connection(srv, con, COMP_HTTP_HOST);
++
++ if (NULL == con->conf.ssl_ctx) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ "null SSL_CTX for TLS server name", con->tlsext_server_name);
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++
++ /* switch to new SSL_CTX in reaction to a client's server_name extension */
++ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++
++ return SSL_TLSEXT_ERR_OK;
++}
++#endif
++
+ int network_server_init(server *srv, buffer *host_token, specific_config *s) {
+ int val;
+ socklen_t addr_len;
+@@ -312,78 +351,10 @@
+
+ if (s->is_ssl) {
+ #ifdef USE_OPENSSL
+- if (srv->ssl_is_init == 0) {
+- SSL_load_error_strings();
+- SSL_library_init();
+- srv->ssl_is_init = 1;
+-
+- if (0 == RAND_status()) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- "not enough entropy in the pool");
+- return -1;
+- }
+- }
+-
+- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+-
+- if (!s->ssl_use_sslv2) {
+- /* disable SSLv2 */
+- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+- }
+-
+- if (!buffer_is_empty(s->ssl_cipher_list)) {
+- /* Disable support for low encryption ciphers */
+- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+- }
+-
+- if (buffer_is_empty(s->ssl_pemfile)) {
++ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
+ return -1;
+ }
+-
+- if (!buffer_is_empty(s->ssl_ca_file)) {
+- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+- return -1;
+- }
+- }
+-
+- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+- return -1;
+- }
+-
+- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+- return -1;
+- }
+-
+- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
+- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+- "Private key does not match the certificate public key, reason:",
+- ERR_error_string(ERR_get_error(), NULL),
+- s->ssl_pemfile);
+- return -1;
+- }
+- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
+- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+-
+- srv_socket->ssl_ctx = s->ssl_ctx;
+ #else
+
+ buffer_free(srv_socket->srv_token);
+@@ -491,6 +462,99 @@
+ { NETWORK_BACKEND_UNSET, NULL }
+ };
+
++#ifdef USE_OPENSSL
++ /* load SSL certificates */
++ for (i = 0; i < srv->config_context->used; i++) {
++ data_config *dc = (data_config *)srv->config_context->data[i];
++ specific_config *s = srv->config_storage[i];
++
++ if (buffer_is_empty(s->ssl_pemfile)) continue;
++
++#ifdef OPENSSL_NO_TLSEXT
++ if (COMP_HTTP_HOST == dc->comp) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
++ return -1;
++ }
++#endif
++
++ if (srv->ssl_is_init == 0) {
++ SSL_load_error_strings();
++ SSL_library_init();
++ srv->ssl_is_init = 1;
++
++ if (0 == RAND_status()) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "not enough entropy in the pool");
++ return -1;
++ }
++ }
++
++ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++
++ if (!s->ssl_use_sslv2) {
++ /* disable SSLv2 */
++ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++ }
++
++ if (!buffer_is_empty(s->ssl_cipher_list)) {
++ /* Disable support for low encryption ciphers */
++ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++ }
++
++ if (!buffer_is_empty(s->ssl_ca_file)) {
++ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
++ return -1;
++ }
++ }
++
++ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
++ return -1;
++ }
++
++ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
++ return -1;
++ }
++
++ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
++ "Private key does not match the certificate public key, reason:",
++ ERR_error_string(ERR_get_error(), NULL),
++ s->ssl_pemfile);
++ return -1;
++ }
++ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
++ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
++
++#ifndef OPENSSL_NO_TLSEXT
++ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
++ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
++ return -1;
++ }
++#endif
++ }
++#endif
++
+ b = buffer_init();
+
+ buffer_copy_string_buffer(b, srv->srvconf.bindhost);
+Index: src/configfile.c
+===================================================================
+--- src/configfile.c (revision 2402)
++++ src/configfile.c (working copy)
+@@ -293,6 +293,7 @@
+ PATCH(is_ssl);
+
+ PATCH(ssl_pemfile);
++ PATCH(ssl_ctx);
+ PATCH(ssl_ca_file);
+ PATCH(ssl_cipher_list);
+ PATCH(ssl_use_sslv2);
+@@ -348,6 +349,7 @@
+ PATCH(etag_use_size);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
+ PATCH(ssl_pemfile);
++ PATCH(ssl_ctx);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
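Review bot: In network_ssl_servername_callback the branch where `SSL_get_servername()` returns NULL logs `"failed to get TLS server name"` before returning `SSL_TLSEXT_ERR_NOACK`; as far as I recall OpenSSL invokes the servername callback on every handshake, not only those carrying a server_name extension, so every non-SNI client would add a line to the error log and any unauthenticated peer could flood it — I would drop that log_error_write and simply `return SSL_TLSEXT_ERR_NOACK;`. Nothing in the patch compares `con->tlsext_server_name` with the Host header of the request that follows: the certificate and the `$HTTP["host"]` configuration are chosen from the client-supplied SNI name during the handshake, while the request phase (outside this hunk) re-patches from `uri.authority`, so a client can present SNI for one vhost and `Host:` for another; a mismatch check at request time, or at least a comment stating that this is accepted, seems warranted. The `SSL_set_SSL_CTX` call also deserves a comment: it switches certificate and key, but I believe options and cipher list already applied to the SSL object from the socket's context are not replaced, so `ssl.cipher-list` or `ssl.use-sslv2` set inside a `$HTTP["host"]` block would probably not take effect for SNI-switched connections.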