From b80d4b70891106421e3b188ffc1a8d84fd6f16bb Mon Sep 17 00:00:00 2001 From: Petteri Räty Date: Fri, 20 Feb 2009 18:09:10 +0000 Subject: Fix patch dir name svn path=/; revision=179 --- www-servers/lighttpd/Manifest | 4 +- .../03_all_lighttpd-1.4.11-errorlog-pipe.diff | 175 +++++++++++ .../04_all_1.4.x_tls_server_name_indication.diff | 324 +++++++++++++++++++++ .../03_all_lighttpd-1.4.11-errorlog-pipe.diff | 175 ----------- .../04_all_1.4.x_tls_server_name_indication.diff | 324 --------------------- 5 files changed, 501 insertions(+), 501 deletions(-) create mode 100644 www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff create mode 100644 www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff delete mode 100644 www-servers/lighttpd/files/1.4.20/03_all_lighttpd-1.4.11-errorlog-pipe.diff delete mode 100644 www-servers/lighttpd/files/1.4.20/04_all_1.4.x_tls_server_name_indication.diff
diff --git a/www-servers/lighttpd/Manifest b/www-servers/lighttpd/Manifest
index cec68c1..7ccbe5f 100644
--- a/www-servers/lighttpd/Manifest
+++ b/www-servers/lighttpd/Manifest
@@ -1,5 +1,5 @@
-AUX 1.4.20/03_all_lighttpd-1.4.11-errorlog-pipe.diff 4931 RMD160 7653167b0cd3fde6cb7d3d6fe4ae30a8d2e56ebe SHA1 bd0ff91b5caf447f78bcad66a444fbe3719897fb SHA256 2b1a253dda1dbc688ac072608656121f8c2d346a64be1080c65f2ca1d81f8e2d
-AUX 1.4.20/04_all_1.4.x_tls_server_name_indication.diff 10217 RMD160 1c02edd64c339be353335291a0dc7a0879af64e6 SHA1 aa49f9831b0c43c48f6554d73e4c9da5a6c19465 SHA256 becb5e0b3b33f3e522bc304dd50626743f987d2b9d2039a72a0d74ad00280fa7
+AUX 1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff 4931 RMD160 7653167b0cd3fde6cb7d3d6fe4ae30a8d2e56ebe SHA1 bd0ff91b5caf447f78bcad66a444fbe3719897fb SHA256 2b1a253dda1dbc688ac072608656121f8c2d346a64be1080c65f2ca1d81f8e2d
+AUX 1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff 10217 RMD160 1c02edd64c339be353335291a0dc7a0879af64e6 SHA1 aa49f9831b0c43c48f6554d73e4c9da5a6c19465 SHA256 becb5e0b3b33f3e522bc304dd50626743f987d2b9d2039a72a0d74ad00280fa7
 AUX conf/lighttpd.conf 8182 RMD160 450cf40f4ec517331f8932618a3c492cb566e4f3 SHA1 16922786a79807fa3233d1af105a99582d3486a5 SHA256 c0f6951e00d4e8c928f1799a84976ab8bb536bd59a104c13ca9d1d3661d8cebd
 AUX conf/mime-types.conf 3291 RMD160 157c9a6f7d00e52c7d4118edcce8d1eb1e0a3c20 SHA1 3eec39060014e1498d3254919b10a64ca1e6ff00 SHA256 575231104d51fa1882c47021ab0aa00d615401059a6748d64453cb39aafba537
 AUX conf/mod_cgi.conf 869 RMD160 1d447bad36822657d014990128891cbdb6169468 SHA1 30066f52e469339cc8a5df8864b4cc2d9c558c3d SHA256 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf
diff --git a/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff
new file mode 100644
index 0000000..5133fea
--- /dev/null
+++ b/www-servers/lighttpd/files/1.4.20-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff
@@ -0,0 +1,175 @@ +Initial patch from http://trac.lighttpd.net/trac/ticket/296 +Updated to apply against 1.4.20 by hoffie +Upstream will only accept it once it has been changed to make the pipe logging more generic + +diff -r 447bac6969ef src/base.h +--- a/src/base.h Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/base.h Tue Aug 19 19:45:00 2008 +0200 +@@ -530,7 +530,7 @@ + + /* the errorlog */ + int errorlog_fd; +- enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG } errorlog_mode; ++ enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG, ERRORLOG_PIPE } errorlog_mode; + buffer *errorlog_buf; + + fdevents *ev, *ev_ins; +diff -r 447bac6969ef src/log.c +--- a/src/log.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/log.c Tue Aug 19 19:45:00 2008 +0200 +@@ -57,10 +57,11 @@ + /** + * open the errorlog + * +- * we have 3 possibilities: ++ * we have 4 possibilities: + * - stderr (default) + * - syslog + * - logfile ++ * - pipe + * + * if the open failed, report to the user and die + * +@@ -79,21 +80,80 @@ + srv->errorlog_mode = ERRORLOG_SYSLOG; + } else if (!buffer_is_empty(srv->srvconf.errorlog_file)) { + const char *logfile = srv->srvconf.errorlog_file->ptr; ++ if (logfile[0] == '|') { ++#ifdef HAVE_FORK ++ /* create write pipe and spawn process */ + +- if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { +- log_error_write(srv, __FILE__, __LINE__, "SSSS", ++ int to_log_fds[2]; ++ int fd; ++ pid_t pid; ++ ++ if (pipe(to_log_fds)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", ++ "pipe failed: ", strerror(errno)); ++ return -1; ++ } ++ ++ /* fork, execve */ ++ switch (pid = fork()) { ++ case 0: ++ /* child */ ++ ++ close(STDIN_FILENO); ++ dup2(to_log_fds[0], STDIN_FILENO); ++ close(to_log_fds[0]); ++ /* not needed */ ++ close(to_log_fds[1]); ++ ++ /* we don't need the client socket */ ++ for (fd = 3; fd < 256; fd++) { ++ close(fd); ++ } ++ ++ /* exec the log-process (skip the | ) ++ * ++ */ ++ ++ execl("/bin/sh", "sh", "-c", 
logfile + 1, NULL); ++ ++ log_error_write(srv, __FILE__, __LINE__, "sss", ++ "spawning log-process failed: ", ++ strerror(errno), logfile + 1); ++ ++ exit(-1); ++ break; ++ case -1: ++ /* error */ ++ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno)); ++ break; ++ default: ++ close(to_log_fds[0]); ++ ++ srv->errorlog_fd = to_log_fds[1]; ++ ++ break; ++ } ++ srv->errorlog_mode = ERRORLOG_PIPE; ++#else ++ log_error_write(srv, __FILE__, __LINE__, "SSS", ++ "opening errorlog '", logfile,"' impossible"); ++ return -1; ++#endif ++ } else { ++ if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { ++ log_error_write(srv, __FILE__, __LINE__, "SSSS", + "opening errorlog '", logfile, + "' failed: ", strerror(errno)); + +- return -1; ++ return -1; ++ } ++ srv->errorlog_mode = ERRORLOG_FILE; + } + #ifdef FD_CLOEXEC + /* close fd on exec (cgi) */ + fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC); + #endif +- srv->errorlog_mode = ERRORLOG_FILE; + } +- + log_error_write(srv, __FILE__, __LINE__, "s", "server started"); + + #ifdef HAVE_VALGRIND_VALGRIND_H +@@ -122,7 +182,7 @@ + */ + + int log_error_cycle(server *srv) { +- /* only cycle if we are not in syslog-mode */ ++ /* only cycle if the error log is a file */ + + if (srv->errorlog_mode == ERRORLOG_FILE) { + const char *logfile = srv->srvconf.errorlog_file->ptr; +@@ -154,6 +214,7 @@ + + int log_error_close(server *srv) { + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: /* fall through */ + case ERRORLOG_FILE: + close(srv->errorlog_fd); + break; +@@ -173,6 +234,7 @@ + va_list ap; + + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: + case ERRORLOG_FILE: + case ERRORLOG_STDERR: + /* cache the generated timestamp */ +@@ -257,6 +319,7 @@ + va_end(ap); + + switch(srv->errorlog_mode) { ++ case ERRORLOG_PIPE: /* fall through */ + case ERRORLOG_FILE: + buffer_append_string_len(srv->errorlog_buf, CONST_STR_LEN("\n")); + write(srv->errorlog_fd, 
srv->errorlog_buf->ptr, srv->errorlog_buf->used - 1); +diff -r 447bac6969ef src/mod_cgi.c +--- a/src/mod_cgi.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/mod_cgi.c Tue Aug 19 19:45:00 2008 +0200 +@@ -781,7 +781,7 @@ + * + * we feed the stderr of the CGI to our errorlog, if possible + */ +- if (srv->errorlog_mode == ERRORLOG_FILE) { ++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { + close(STDERR_FILENO); + dup2(srv->errorlog_fd, STDERR_FILENO); + } +diff -r 447bac6969ef src/mod_rrdtool.c +--- a/src/mod_rrdtool.c Tue Aug 19 18:04:17 2008 +0200 ++++ b/src/mod_rrdtool.c Tue Aug 19 19:45:00 2008 +0200 +@@ -134,7 +134,7 @@ + + close(STDERR_FILENO); + +- if (srv->errorlog_mode == ERRORLOG_FILE) { ++ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { + dup2(srv->errorlog_fd, STDERR_FILENO); + close(srv->errorlog_fd); + } diff --git a/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff new file mode 100644 index 0000000..5cd19d6 --- /dev/null +++ b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff 
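Review bot: In the HAVE_FORK branch of log_error_open inside this patch, the `case -1:` arm of the fork() switch only logs and breaks, so execution falls out of the switch to `srv->errorlog_mode = ERRORLOG_PIPE;` with `srv->errorlog_fd` never assigned and both ends of `to_log_fds` still open, and the `fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC)` below then runs on whatever value that field already held. That arm should mirror the pipe() failure path directly above it: `close(to_log_fds[0]); close(to_log_fds[1]); return -1;`. In the child, the fallback after a failed execl calls `exit(-1)`; `_exit(1)` is the conventional choice after fork so the parent's atexit handlers and stdio buffers are not run a second time from the child. The child's pid is also discarded, so nothing in this patch can reap the logger or notice that it died — presumably the server's existing SIGCHLD handling and SIGPIPE disposition cover that, but neither is visible here. log_error_open starts before this hunk, and the hunk is a patch file being moved rather than edited, so these are notes on the carried code rather than on the move.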
@@ -0,0 +1,324 @@ +Index: src/configfile-glue.c +=================================================================== +--- src/configfile-glue.c (revision 2402) ++++ src/configfile-glue.c (working copy) +@@ -289,6 +289,10 @@ + default: + break; + } ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++ } else if (!buffer_is_empty(con->tlsext_server_name)) { ++ l = con->tlsext_server_name; ++#endif + } else { + l = srv->empty_string; + } +Index: src/base.h +=================================================================== +--- src/base.h (revision 2402) ++++ src/base.h (working copy) +@@ -31,6 +31,9 @@ + #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H + # define USE_OPENSSL + # include ++# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME ++# define OPENSSL_NO_TLSEXT ++# endif + #endif + + #ifdef HAVE_FAM_H +@@ -417,7 +420,10 @@ + #ifdef USE_OPENSSL + SSL *ssl; + buffer *ssl_error_want_reuse_buffer; ++#ifndef OPENSSL_NO_TLSEXT ++ buffer *tlsext_server_name; + #endif ++#endif + /* etag handling */ + etag_flags_t etag_flags; + +Index: src/connections.c +=================================================================== +--- src/connections.c (revision 2402) ++++ src/connections.c (working copy) +@@ -664,6 +664,9 @@ + CLEAN(server_name); + CLEAN(error_handler); + CLEAN(dst_addr_buf); ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++ CLEAN(tlsext_server_name); ++#endif + + #undef CLEAN + con->write_queue = chunkqueue_init(); +@@ -728,6 +731,9 @@ + CLEAN(server_name); + CLEAN(error_handler); + CLEAN(dst_addr_buf); ++#if defined USE_OPENSSL && ! 
defined OPENSSL_NO_TLSEXT ++ CLEAN(tlsext_server_name); ++#endif + #undef CLEAN + free(con->plugin_ctx); + free(con->cond_cache); +@@ -1338,6 +1344,9 @@ + return NULL; + } + ++#ifndef OPENSSL_NO_TLSEXT ++ SSL_set_app_data(con->ssl, con); ++#endif + SSL_set_accept_state(con->ssl); + con->conf.is_ssl=1; + +Index: src/network.c +=================================================================== +--- src/network.c (revision 2402) ++++ src/network.c (working copy) +@@ -62,6 +62,45 @@ + return HANDLER_GO_ON; + } + ++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT ++int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { ++ const char *servername; ++ connection *con = (connection *) SSL_get_app_data(ssl); ++ ++ buffer_copy_string(con->uri.scheme, "https"); ++ ++ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "failed to get TLS server name"); ++ return SSL_TLSEXT_ERR_NOACK; ++ } ++ buffer_copy_string(con->tlsext_server_name, servername); ++ buffer_to_lower(con->tlsext_server_name); ++ ++ config_cond_cache_reset(srv, con); ++ config_setup_connection(srv, con); ++ ++ config_patch_connection(srv, con, COMP_SERVER_SOCKET); ++ config_patch_connection(srv, con, COMP_HTTP_SCHEME); ++ config_patch_connection(srv, con, COMP_HTTP_HOST); ++ ++ if (NULL == con->conf.ssl_ctx) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ "null SSL_CTX for TLS server name", con->tlsext_server_name); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ ++ /* switch to new SSL_CTX in reaction to a client's server_name extension */ ++ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name); ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ ++ return SSL_TLSEXT_ERR_OK; ++} ++#endif ++ + int network_server_init(server *srv, buffer *host_token, 
specific_config *s) { + int val; + socklen_t addr_len; +@@ -312,78 +351,10 @@ + + if (s->is_ssl) { + #ifdef USE_OPENSSL +- if (srv->ssl_is_init == 0) { +- SSL_load_error_strings(); +- SSL_library_init(); +- srv->ssl_is_init = 1; +- +- if (0 == RAND_status()) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- "not enough entropy in the pool"); +- return -1; +- } +- } +- +- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- +- if (!s->ssl_use_sslv2) { +- /* disable SSLv2 */ +- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- } +- +- if (!buffer_is_empty(s->ssl_cipher_list)) { +- /* Disable support for low encryption ciphers */ +- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", +- ERR_error_string(ERR_get_error(), NULL)); +- return -1; +- } +- } +- +- if (buffer_is_empty(s->ssl_pemfile)) { ++ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) { + log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set"); + return -1; + } +- +- if (!buffer_is_empty(s->ssl_ca_file)) { +- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", +- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); +- return -1; +- } +- } +- +- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", +- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); +- return -1; +- } +- +- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { +- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); +- return -1; +- } +- +- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { +- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", +- "Private key does not match the certificate public key, reason:", +- ERR_error_string(ERR_get_error(), NULL), +- s->ssl_pemfile); +- return -1; +- } +- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); +- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); +- +- srv_socket->ssl_ctx = s->ssl_ctx; + #else + + buffer_free(srv_socket->srv_token); +@@ -491,6 +462,99 @@ + { NETWORK_BACKEND_UNSET, NULL } + }; + ++#ifdef USE_OPENSSL ++ /* load SSL certificates */ ++ for (i = 0; i < srv->config_context->used; i++) { ++ data_config *dc = (data_config *)srv->config_context->data[i]; ++ specific_config *s = srv->config_storage[i]; ++ ++ if (buffer_is_empty(s->ssl_pemfile)) continue; ++ ++#ifdef OPENSSL_NO_TLSEXT ++ if (COMP_HTTP_HOST == dc->comp) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); ++ return -1; ++ } ++#endif ++ ++ if (srv->ssl_is_init == 0) { ++ SSL_load_error_strings(); ++ SSL_library_init(); ++ srv->ssl_is_init = 1; ++ ++ if (0 == RAND_status()) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "not enough entropy in the pool"); ++ return -1; ++ } ++ } ++ ++ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ ++ if (!s->ssl_use_sslv2) { ++ /* disable SSLv2 */ ++ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!buffer_is_empty(s->ssl_cipher_list)) { ++ /* Disable support for low encryption ciphers */ ++ if 
(SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!buffer_is_empty(s->ssl_ca_file)) { ++ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); ++ return -1; ++ } ++ } ++ ++ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); ++ return -1; ++ } ++ ++ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); ++ return -1; ++ } ++ ++ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", ++ "Private key does not match the certificate public key, reason:", ++ ERR_error_string(ERR_get_error(), NULL), ++ s->ssl_pemfile); ++ return -1; ++ } ++ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); ++ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); ++ ++#ifndef OPENSSL_NO_TLSEXT ++ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) || ++ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension"); ++ return -1; ++ } ++#endif ++ } ++#endif ++ + b = buffer_init(); + + buffer_copy_string_buffer(b, srv->srvconf.bindhost); +Index: src/configfile.c +=================================================================== +--- src/configfile.c (revision 2402) ++++ src/configfile.c 
(working copy) +@@ -293,6 +293,7 @@ + PATCH(is_ssl); + + PATCH(ssl_pemfile); ++ PATCH(ssl_ctx); + PATCH(ssl_ca_file); + PATCH(ssl_cipher_list); + PATCH(ssl_use_sslv2); +@@ -348,6 +349,7 @@ + PATCH(etag_use_size); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) { + PATCH(ssl_pemfile); ++ PATCH(ssl_ctx); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { + PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { diff --git a/www-servers/lighttpd/files/1.4.20/03_all_lighttpd-1.4.11-errorlog-pipe.diff b/www-servers/lighttpd/files/1.4.20/03_all_lighttpd-1.4.11-errorlog-pipe.diff deleted file mode 100644 index 5133fea..0000000 --- a/www-servers/lighttpd/files/1.4.20/03_all_lighttpd-1.4.11-errorlog-pipe.diff +++ /dev/null 
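Review bot: network_ssl_servername_callback in this patch selects the vhost configuration (and so the certificate) from the client-supplied server_name, but nothing in the patch later checks that the HTTP Host header names the same vhost; the configfile-glue.c hunk only substitutes `con->tlsext_server_name` when no Host-based value is available, so a request can end up served by a `$HTTP["host"]` block other than the one whose certificate was presented during the handshake. A check at request-header parsing time that rejects (400) a request whose parsed Host differs from a non-empty `con->tlsext_server_name` would close that gap; the code that would host it is outside this patch. Minor: the callback's `al` parameter is never written on the two `SSL_TLSEXT_ERR_ALERT_FATAL` returns, so the alert sent is whatever OpenSSL preset — `*al = SSL_AD_UNRECOGNIZED_NAME;` before those returns makes the intent explicit. The callback also applies no length or character check to the name before it is lower-cased, logged via the `b` formatter and used as a match key; whether log_error_write escapes control characters is not visible here. The certificate-loading loop is inserted into network_init, whose body starts and ends outside the hunk.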
@@ -1,175 +0,0 @@ -Initial patch from http://trac.lighttpd.net/trac/ticket/296 -Updated to apply against 1.4.20 by hoffie -Upstream will only accept it once it has been changed to make the pipe logging more generic - -diff -r 447bac6969ef src/base.h ---- a/src/base.h Tue Aug 19 18:04:17 2008 +0200 -+++ b/src/base.h Tue Aug 19 19:45:00 2008 +0200 -@@ -530,7 +530,7 @@ - - /* the errorlog */ - int errorlog_fd; -- enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG } errorlog_mode; -+ enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG, ERRORLOG_PIPE } errorlog_mode; - buffer *errorlog_buf; - - fdevents *ev, *ev_ins; -diff -r 447bac6969ef src/log.c ---- a/src/log.c Tue Aug 19 18:04:17 2008 +0200 -+++ b/src/log.c Tue Aug 19 19:45:00 2008 +0200 -@@ -57,10 +57,11 @@ - /** - * open the errorlog - * -- * we have 3 possibilities: -+ * we have 4 possibilities: - * - stderr (default) - * - syslog - * - logfile -+ * - pipe - * - * if the open failed, report to the user and die - * -@@ -79,21 +80,80 @@ - srv->errorlog_mode = ERRORLOG_SYSLOG; - } else if (!buffer_is_empty(srv->srvconf.errorlog_file)) { - const char *logfile = srv->srvconf.errorlog_file->ptr; -+ if (logfile[0] == '|') { -+#ifdef HAVE_FORK -+ /* create write pipe and spawn process */ - -- if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { -- log_error_write(srv, __FILE__, __LINE__, "SSSS", -+ int to_log_fds[2]; -+ int fd; -+ pid_t pid; -+ -+ if (pipe(to_log_fds)) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", -+ "pipe failed: ", strerror(errno)); -+ return -1; -+ } -+ -+ /* fork, execve */ -+ switch (pid = fork()) { -+ case 0: -+ /* child */ -+ -+ close(STDIN_FILENO); -+ dup2(to_log_fds[0], STDIN_FILENO); -+ close(to_log_fds[0]); -+ /* not needed */ -+ close(to_log_fds[1]); -+ -+ /* we don't need the client socket */ -+ for (fd = 3; fd < 256; fd++) { -+ close(fd); -+ } -+ -+ /* exec the log-process (skip the | ) -+ * -+ */ -+ -+ execl("/bin/sh", "sh", "-c", 
logfile + 1, NULL); -+ -+ log_error_write(srv, __FILE__, __LINE__, "sss", -+ "spawning log-process failed: ", -+ strerror(errno), logfile + 1); -+ -+ exit(-1); -+ break; -+ case -1: -+ /* error */ -+ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno)); -+ break; -+ default: -+ close(to_log_fds[0]); -+ -+ srv->errorlog_fd = to_log_fds[1]; -+ -+ break; -+ } -+ srv->errorlog_mode = ERRORLOG_PIPE; -+#else -+ log_error_write(srv, __FILE__, __LINE__, "SSS", -+ "opening errorlog '", logfile,"' impossible"); -+ return -1; -+#endif -+ } else { -+ if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) { -+ log_error_write(srv, __FILE__, __LINE__, "SSSS", - "opening errorlog '", logfile, - "' failed: ", strerror(errno)); - -- return -1; -+ return -1; -+ } -+ srv->errorlog_mode = ERRORLOG_FILE; - } - #ifdef FD_CLOEXEC - /* close fd on exec (cgi) */ - fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC); - #endif -- srv->errorlog_mode = ERRORLOG_FILE; - } -- - log_error_write(srv, __FILE__, __LINE__, "s", "server started"); - - #ifdef HAVE_VALGRIND_VALGRIND_H -@@ -122,7 +182,7 @@ - */ - - int log_error_cycle(server *srv) { -- /* only cycle if we are not in syslog-mode */ -+ /* only cycle if the error log is a file */ - - if (srv->errorlog_mode == ERRORLOG_FILE) { - const char *logfile = srv->srvconf.errorlog_file->ptr; -@@ -154,6 +214,7 @@ - - int log_error_close(server *srv) { - switch(srv->errorlog_mode) { -+ case ERRORLOG_PIPE: /* fall through */ - case ERRORLOG_FILE: - close(srv->errorlog_fd); - break; -@@ -173,6 +234,7 @@ - va_list ap; - - switch(srv->errorlog_mode) { -+ case ERRORLOG_PIPE: - case ERRORLOG_FILE: - case ERRORLOG_STDERR: - /* cache the generated timestamp */ -@@ -257,6 +319,7 @@ - va_end(ap); - - switch(srv->errorlog_mode) { -+ case ERRORLOG_PIPE: /* fall through */ - case ERRORLOG_FILE: - buffer_append_string_len(srv->errorlog_buf, CONST_STR_LEN("\n")); - write(srv->errorlog_fd, 
srv->errorlog_buf->ptr, srv->errorlog_buf->used - 1); -diff -r 447bac6969ef src/mod_cgi.c ---- a/src/mod_cgi.c Tue Aug 19 18:04:17 2008 +0200 -+++ b/src/mod_cgi.c Tue Aug 19 19:45:00 2008 +0200 -@@ -781,7 +781,7 @@ - * - * we feed the stderr of the CGI to our errorlog, if possible - */ -- if (srv->errorlog_mode == ERRORLOG_FILE) { -+ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { - close(STDERR_FILENO); - dup2(srv->errorlog_fd, STDERR_FILENO); - } -diff -r 447bac6969ef src/mod_rrdtool.c ---- a/src/mod_rrdtool.c Tue Aug 19 18:04:17 2008 +0200 -+++ b/src/mod_rrdtool.c Tue Aug 19 19:45:00 2008 +0200 -@@ -134,7 +134,7 @@ - - close(STDERR_FILENO); - -- if (srv->errorlog_mode == ERRORLOG_FILE) { -+ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) { - dup2(srv->errorlog_fd, STDERR_FILENO); - close(srv->errorlog_fd); - } diff --git a/www-servers/lighttpd/files/1.4.20/04_all_1.4.x_tls_server_name_indication.diff b/www-servers/lighttpd/files/1.4.20/04_all_1.4.x_tls_server_name_indication.diff deleted file mode 100644 index 5cd19d6..0000000 --- a/www-servers/lighttpd/files/1.4.20/04_all_1.4.x_tls_server_name_indication.diff +++ /dev/null 
@@ -1,324 +0,0 @@ -Index: src/configfile-glue.c -=================================================================== ---- src/configfile-glue.c (revision 2402) -+++ src/configfile-glue.c (working copy) -@@ -289,6 +289,10 @@ - default: - break; - } -+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT -+ } else if (!buffer_is_empty(con->tlsext_server_name)) { -+ l = con->tlsext_server_name; -+#endif - } else { - l = srv->empty_string; - } -Index: src/base.h -=================================================================== ---- src/base.h (revision 2402) -+++ src/base.h (working copy) -@@ -31,6 +31,9 @@ - #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H - # define USE_OPENSSL - # include -+# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME -+# define OPENSSL_NO_TLSEXT -+# endif - #endif - - #ifdef HAVE_FAM_H -@@ -417,7 +420,10 @@ - #ifdef USE_OPENSSL - SSL *ssl; - buffer *ssl_error_want_reuse_buffer; -+#ifndef OPENSSL_NO_TLSEXT -+ buffer *tlsext_server_name; - #endif -+#endif - /* etag handling */ - etag_flags_t etag_flags; - -Index: src/connections.c -=================================================================== ---- src/connections.c (revision 2402) -+++ src/connections.c (working copy) -@@ -664,6 +664,9 @@ - CLEAN(server_name); - CLEAN(error_handler); - CLEAN(dst_addr_buf); -+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT -+ CLEAN(tlsext_server_name); -+#endif - - #undef CLEAN - con->write_queue = chunkqueue_init(); -@@ -728,6 +731,9 @@ - CLEAN(server_name); - CLEAN(error_handler); - CLEAN(dst_addr_buf); -+#if defined USE_OPENSSL && ! 
defined OPENSSL_NO_TLSEXT -+ CLEAN(tlsext_server_name); -+#endif - #undef CLEAN - free(con->plugin_ctx); - free(con->cond_cache); -@@ -1338,6 +1344,9 @@ - return NULL; - } - -+#ifndef OPENSSL_NO_TLSEXT -+ SSL_set_app_data(con->ssl, con); -+#endif - SSL_set_accept_state(con->ssl); - con->conf.is_ssl=1; - -Index: src/network.c -=================================================================== ---- src/network.c (revision 2402) -+++ src/network.c (working copy) -@@ -62,6 +62,45 @@ - return HANDLER_GO_ON; - } - -+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT -+int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { -+ const char *servername; -+ connection *con = (connection *) SSL_get_app_data(ssl); -+ -+ buffer_copy_string(con->uri.scheme, "https"); -+ -+ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "failed to get TLS server name"); -+ return SSL_TLSEXT_ERR_NOACK; -+ } -+ buffer_copy_string(con->tlsext_server_name, servername); -+ buffer_to_lower(con->tlsext_server_name); -+ -+ config_cond_cache_reset(srv, con); -+ config_setup_connection(srv, con); -+ -+ config_patch_connection(srv, con, COMP_SERVER_SOCKET); -+ config_patch_connection(srv, con, COMP_HTTP_SCHEME); -+ config_patch_connection(srv, con, COMP_HTTP_HOST); -+ -+ if (NULL == con->conf.ssl_ctx) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ "null SSL_CTX for TLS server name", con->tlsext_server_name); -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ -+ /* switch to new SSL_CTX in reaction to a client's server_name extension */ -+ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name); -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ -+ return SSL_TLSEXT_ERR_OK; -+} -+#endif -+ - int network_server_init(server *srv, buffer *host_token, 
specific_config *s) { - int val; - socklen_t addr_len; -@@ -312,78 +351,10 @@ - - if (s->is_ssl) { - #ifdef USE_OPENSSL -- if (srv->ssl_is_init == 0) { -- SSL_load_error_strings(); -- SSL_library_init(); -- srv->ssl_is_init = 1; -- -- if (0 == RAND_status()) { -- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -- "not enough entropy in the pool"); -- return -1; -- } -- } -- -- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { -- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -- ERR_error_string(ERR_get_error(), NULL)); -- return -1; -- } -- -- if (!s->ssl_use_sslv2) { -- /* disable SSLv2 */ -- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { -- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -- ERR_error_string(ERR_get_error(), NULL)); -- return -1; -- } -- } -- -- if (!buffer_is_empty(s->ssl_cipher_list)) { -- /* Disable support for low encryption ciphers */ -- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { -- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -- ERR_error_string(ERR_get_error(), NULL)); -- return -1; -- } -- } -- -- if (buffer_is_empty(s->ssl_pemfile)) { -+ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) { - log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set"); - return -1; - } -- -- if (!buffer_is_empty(s->ssl_ca_file)) { -- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { -- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); -- return -1; -- } -- } -- -- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { -- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); -- return -1; -- } -- -- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { -- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 
-- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); -- return -1; -- } -- -- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { -- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -- "Private key does not match the certificate public key, reason:", -- ERR_error_string(ERR_get_error(), NULL), -- s->ssl_pemfile); -- return -1; -- } -- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); -- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); -- -- srv_socket->ssl_ctx = s->ssl_ctx; - #else - - buffer_free(srv_socket->srv_token); -@@ -491,6 +462,99 @@ - { NETWORK_BACKEND_UNSET, NULL } - }; - -+#ifdef USE_OPENSSL -+ /* load SSL certificates */ -+ for (i = 0; i < srv->config_context->used; i++) { -+ data_config *dc = (data_config *)srv->config_context->data[i]; -+ specific_config *s = srv->config_storage[i]; -+ -+ if (buffer_is_empty(s->ssl_pemfile)) continue; -+ -+#ifdef OPENSSL_NO_TLSEXT -+ if (COMP_HTTP_HOST == dc->comp) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); -+ return -1; -+ } -+#endif -+ -+ if (srv->ssl_is_init == 0) { -+ SSL_load_error_strings(); -+ SSL_library_init(); -+ srv->ssl_is_init = 1; -+ -+ if (0 == RAND_status()) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "not enough entropy in the pool"); -+ return -1; -+ } -+ } -+ -+ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL)); -+ return -1; -+ } -+ -+ if (!s->ssl_use_sslv2) { -+ /* disable SSLv2 */ -+ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL)); -+ return -1; -+ } -+ } -+ -+ if (!buffer_is_empty(s->ssl_cipher_list)) { -+ /* Disable support for low encryption ciphers */ -+ if 
(SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL)); -+ return -1; -+ } -+ } -+ -+ if (!buffer_is_empty(s->ssl_ca_file)) { -+ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); -+ return -1; -+ } -+ } -+ -+ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); -+ return -1; -+ } -+ -+ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); -+ return -1; -+ } -+ -+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { -+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -+ "Private key does not match the certificate public key, reason:", -+ ERR_error_string(ERR_get_error(), NULL), -+ s->ssl_pemfile); -+ return -1; -+ } -+ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); -+ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); -+ -+#ifndef OPENSSL_NO_TLSEXT -+ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) || -+ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension"); -+ return -1; -+ } -+#endif -+ } -+#endif -+ - b = buffer_init(); - - buffer_copy_string_buffer(b, srv->srvconf.bindhost); -Index: src/configfile.c -=================================================================== ---- src/configfile.c (revision 2402) -+++ src/configfile.c 
(working copy) -@@ -293,6 +293,7 @@ - PATCH(is_ssl); - - PATCH(ssl_pemfile); -+ PATCH(ssl_ctx); - PATCH(ssl_ca_file); - PATCH(ssl_cipher_list); - PATCH(ssl_use_sslv2); -@@ -348,6 +349,7 @@ - PATCH(etag_use_size); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) { - PATCH(ssl_pemfile); -+ PATCH(ssl_ctx); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { - PATCH(ssl_ca_file); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { -- cgit v1.2.3-18-g5258