diff --git a/base/lighttpd/PKG-INFO b/base/lighttpd/PKG-INFO index 03c09d0c1..8f653085b 100644 --- a/base/lighttpd/PKG-INFO +++ b/base/lighttpd/PKG-INFO @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: lighttpd -Version: 1.4.39 +Version: 1.4.50 Summary: Lightning fast webserver with light system requirements Home-page: Author: diff --git a/base/lighttpd/centos/build_srpm.data b/base/lighttpd/centos/build_srpm.data index 6d94d3e28..3a9f62926 100755 --- a/base/lighttpd/centos/build_srpm.data +++ b/base/lighttpd/centos/build_srpm.data @@ -1,9 +1,2 @@ -COPY_LIST="lighttpd-1.4.35/index.html.lighttpd \ - lighttpd-1.4.35/lighttpd.conf \ - lighttpd-1.4.35/lighttpd.init \ - lighttpd-1.4.35/lighttpd-inc.conf \ - lighttpd-1.4.35/lighttpd.logrotate \ - lighttpd-1.4.35/lighttpd-csr.conf \ - lighttpd-1.4.35/check-content-length.patch \ - lighttpd-1.4.35/lighttpd-tpm-support.patch" +COPY_LIST="files/*" TIS_PATCH_VER=6 diff --git a/base/lighttpd/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/base/lighttpd/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch index 594e77520..ad2de7848 100644 --- a/base/lighttpd/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch +++ b/base/lighttpd/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch @@ -1,7 +1,7 @@ -From 4bea2840e8b22d904be29d24d501c25201e13c57 Mon Sep 17 00:00:00 2001 +From 1c4a8d83d96eab943d1cb7b4f0d9b7175e6858f1 Mon Sep 17 00:00:00 2001 From: Scott Little Date: Mon, 20 Mar 2017 10:21:28 -0400 -Subject: [PATCH 3/4] WRS: 0001-Update-package-versioning-for-TIS-format.patch +Subject: [PATCH] WRS: 0001-Update-package-versioning-for-TIS-format.patch Conflicts: SPECS/lighttpd.spec @@ -10,18 +10,18 @@ Conflicts: 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS/lighttpd.spec b/SPECS/lighttpd.spec -index 71737ac..b795a3f 100644 +index 2f7b261..2553b27 100644 --- a/SPECS/lighttpd.spec +++ b/SPECS/lighttpd.spec 
@@ -45,7 +45,7 @@ Summary: Lightning fast webserver with light system requirements Name: lighttpd - Version: 1.4.45 + Version: 1.4.50 -Release: 1%{?dist} +Release: 1.el7%{?_tis_dist}.%{tis_patch_ver} License: BSD Group: System Environment/Daemons URL: http://www.lighttpd.net/ -- -1.8.3.1 +2.7.4 diff --git a/base/lighttpd/centos/meta_patches/meta_add_support_for_tpm.patch b/base/lighttpd/centos/meta_patches/meta_add_support_for_tpm.patch index ba7a90001..4c61dfca3 100644 --- a/base/lighttpd/centos/meta_patches/meta_add_support_for_tpm.patch +++ b/base/lighttpd/centos/meta_patches/meta_add_support_for_tpm.patch @@ -1,7 +1,7 @@ From 653e25505b1df7e7b3fd89e08729d6d9f9698d39 Mon Sep 17 00:00:00 2001 From: Kam Nasim Date: Tue, 28 Mar 2017 17:33:34 -0400 -Subject: [PATCH] dding support for TPM 2.0 +Subject: [PATCH] Adding support for TPM 2.0 --- SPECS/lighttpd.spec | 2 ++ diff --git a/base/lighttpd/centos/meta_patches/spec-check-content-length.patch b/base/lighttpd/centos/meta_patches/spec-check-content-length.patch index d5bc59a7e..2fb2fd5fd 100644 --- a/base/lighttpd/centos/meta_patches/spec-check-content-length.patch +++ b/base/lighttpd/centos/meta_patches/spec-check-content-length.patch @@ -1,7 +1,7 @@ -From c684477fa2b47bb3c00b0e501e817d088408bead Mon Sep 17 00:00:00 2001 +From 730a5321581e70790da4e94085698fd299072be5 Mon Sep 17 00:00:00 2001 From: Scott Little Date: Mon, 20 Mar 2017 10:21:28 -0400 -Subject: [PATCH 4/4] WRS: spec-check-content-length.patch +Subject: [PATCH] WRS: spec-check-content-length.patch Conflicts: SPECS/lighttpd.spec @@ -10,13 +10,13 @@ Conflicts: 1 file changed, 8 insertions(+) diff --git a/SPECS/lighttpd.spec b/SPECS/lighttpd.spec -index b795a3f..9fd062a 100644 +index 2553b27..c27f78f 100644 --- a/SPECS/lighttpd.spec 
+++ b/SPECS/lighttpd.spec -@@ -78,6 +78,10 @@ Patch3: lighttpd-1.4.39-socket.patch - #Patch6: changeset_r779c133c16f9af168b004dce7a2a64f16c1cb3a4.diff +@@ -79,6 +79,10 @@ Patch3: lighttpd-1.4.39-socket.patch #Patch7: lighttpd-1.4.42-bignum.patch #Patch8: lighttpd-1.4.43-mysql.patch + #Patch9: lighttpd-1.4.48-autoconf.patch + +# WRS Patches +Patch100: check-content-length.patch @@ -24,10 +24,10 @@ index b795a3f..9fd062a 100644 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root # For the target poweredby.png image (skip requirement + provide image on EL5) %if %{with systemlogos} -@@ -179,6 +183,10 @@ Authentication module for lighttpd that uses GSSAPI - #%patch6 -p1 -b .http_proxy +@@ -182,6 +186,10 @@ Authentication module for lighttpd that uses GSSAPI #%patch7 -p0 -b .bignum #%patch8 -p0 -b .mysql + #%patch9 -p0 -b .autoconf + +# WRS Patches +%patch100 -p1 -b .content_length @@ -36,5 +36,5 @@ index b795a3f..9fd062a 100644 #install -p -m 0644 %{SOURCE101} mod_geoip.txt -- -1.8.3.1 +2.7.4 diff --git a/base/lighttpd/centos/srpm_path b/base/lighttpd/centos/srpm_path index 898dda45a..8432c2437 100644 --- a/base/lighttpd/centos/srpm_path +++ b/base/lighttpd/centos/srpm_path @@ -1 +1 @@ -mirror:Source/lighttpd-1.4.45-1.el7.src.rpm +mirror:Source/lighttpd-1.4.50-1.el7.src.rpm diff --git a/base/lighttpd/lighttpd-1.4.35/check-content-length.patch b/base/lighttpd/files/check-content-length.patch similarity index 58% rename from base/lighttpd/lighttpd-1.4.35/check-content-length.patch rename to base/lighttpd/files/check-content-length.patch index 330958e12..a01708993 100644 --- a/base/lighttpd/lighttpd-1.4.35/check-content-length.patch +++ b/base/lighttpd/files/check-content-length.patch @@ -1,24 +1,27 @@ -From b9410d967faf627d72fc5496a4c2e7aab879b7aa Mon Sep 17 00:00:00 2001 +From 65107586a55c594c44b0a97a2d6756f6a0f0a5ca Mon Sep 17 00:00:00 2001 
From: Giao Le -Date: Wed, 19 Oct 2016 15:06:17 -0400 -Subject: [PATCH 1/1] check +Date: Mon, 27 Aug 2018 19:41:36 +0800 +Subject: [PATCH] check-length +Signed-off-by: zhipengl --- - src/request.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 49 insertions(+) + src/request.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/src/request.c b/src/request.c -index a2de944..857076c 100644 +index 213a87e..8c97f45 100644 --- a/src/request.c +++ b/src/request.c -@@ -12,6 +12,39 @@ - #include - #include +@@ -8,10 +8,39 @@ + #include "sock_addr.h" + #include +- +#include -+#include + #include + #include + #include +#include -+#include + +static size_t get_tempdirs_free_space(server *srv) +{ @@ -47,19 +50,10 @@ index a2de944..857076c 100644 + return (valid) ? total : SSIZE_MAX; +} + -+ + static int request_check_hostname(buffer *host) { enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL; - size_t i; -@@ -409,6 +442,7 @@ static int request_uri_is_valid_char(unsigned char c) { - return 1; - } - -+ - int http_request_parse(server *srv, connection *con) { - char *uri = NULL, *proto = NULL, *method = NULL, con_length_set; - int is_key = 1, key_len = 0, is_ws_after_key = 0, in_folding; -@@ -1294,6 +1328,21 @@ int http_request_parse(server *srv, connection *con) { +@@ -1287,6 +1316,22 @@ int http_request_parse(server *srv, connection *con) { return 0; } @@ -71,16 +65,17 @@ index a2de944..857076c 100644 + con->keep_alive = 0; + + log_error_write(srv, __FILE__, __LINE__, "ssosos", -+ "not enough free space in tempdirs:", -+ "length =", (off_t) con->request.content_length, -+ "free =", (off_t) disk_free, -+ "-> 413"); -+ return 0; -+ } -+ } ++ "not enough free space in tempdirs:", ++ "length =", (off_t) con->request.content_length, ++ "free =", (off_t) disk_free, ++ "-> 413"); ++ return 0; ++ } ++ } ++ break; default: break; -- -1.8.3.1 +2.7.4 
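Review bot: `get_tempdirs_free_space` returns `SSIZE_MAX` whenever `valid` is false, so a temp directory that cannot be inspected switches the guard off instead of rejecting the body — the 413 check fails open, and this re-port of the patch keeps that behaviour. The comparison that consumes `disk_free` and the start of the `case` block fall outside the visible hunk lines, so I cannot see whether the caller treats that sentinel specially. The contract should at least be stated on the function, e.g. `/* Returns SSIZE_MAX when no tempdir could be inspected; the caller then skips the free-space check. */`, and a fail-closed default is worth weighing for a check whose purpose is to stop disk exhaustion. The added `break;` before `default:` is fine, but the new header `Subject: [PATCH] check-length` says nothing about what the patch does; a subject such as `request: reject bodies larger than free tempdir space (413)` would help whoever rebases it next.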
diff --git a/base/lighttpd/lighttpd-1.4.35/index.html.lighttpd b/base/lighttpd/files/index.html.lighttpd
similarity index 100%
rename from base/lighttpd/lighttpd-1.4.35/index.html.lighttpd
rename to base/lighttpd/files/index.html.lighttpd
diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd-csr.conf b/base/lighttpd/files/lighttpd-csr.conf
similarity index 100%
rename from base/lighttpd/lighttpd-1.4.35/lighttpd-csr.conf
rename to base/lighttpd/files/lighttpd-csr.conf
diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd-inc.conf b/base/lighttpd/files/lighttpd-inc.conf
similarity index 100%
rename from base/lighttpd/lighttpd-1.4.35/lighttpd-inc.conf
rename to base/lighttpd/files/lighttpd-inc.conf
diff --git a/base/lighttpd/files/lighttpd-tpm-support.patch b/base/lighttpd/files/lighttpd-tpm-support.patch
new file mode 100644
index 000000000..69d1450d2
--- /dev/null
+++ b/base/lighttpd/files/lighttpd-tpm-support.patch
@@ -0,0 +1,289 @@ +From c58d174a1d2872272bfa9d83c642591f04effcb1 Mon Sep 17 00:00:00 2001 +From: Kam Nasim +Date: Wed, 29 Mar 2017 21:56:41 -0400 +Subject: [PATCH] lighttpd tpm support + +--- + src/base.h | 24 ++++++++++++ + src/configfile.c | 6 ++- + src/mod_openssl.c | 113 +++++++++++++++++++++++++++++++++++++++++++++--------- + src/server.c | 17 +++++++- + 4 files changed, 139 insertions(+), 21 deletions(-) + +diff --git a/src/base.h b/src/base.h +index 2fe60b6..bddcd01 100644 +--- a/src/base.h ++++ b/src/base.h +@@ -15,6 +15,21 @@ + #include "sock_addr.h" + #include "etag.h" + ++#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H ++# define USE_OPENSSL ++# include ++# ifndef USE_OPENSSL_KERBEROS ++# ifndef OPENSSL_NO_KRB5 ++# define OPENSSL_NO_KRB5 ++# endif ++# endif ++# include ++# include ++# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME ++# define OPENSSL_NO_TLSEXT ++# endif ++#endif ++ + struct fdevents; /* declaration */ + struct stat_cache; /* declaration */ + +@@ -360,6 +375,13 @@ typedef struct { + unsigned short high_precision_timestamps; + time_t loadts; + double loadavg[3]; ++#ifdef USE_OPENSSL ++ // TPM engine and object configuration ++ buffer *tpm_object; ++ buffer *tpm_engine; ++ ENGINE *tpm_engine_ref; ++ EVP_PKEY *tpm_key; ++#endif + buffer *syslog_facility; + } server_config; + +@@ -400,6 +422,8 @@ struct server { + int con_written; + int con_closed; + ++ int tpm_is_init; // has TPM been initialized already ++ + int max_fds; /* max possible fds */ + int cur_fds; /* currently used fds */ + int want_fds; /* waiting fds */ +diff --git a/src/configfile.c b/src/configfile.c +index c3b0f16..dca2a29 100644 +--- a/src/configfile.c ++++ b/src/configfile.c +@@ -276,8 +276,10 @@ static int config_insert(server *srv) { + { "server.syslog-facility", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */ + { "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */ + { "server.http-parseopts", NULL, 
T_CONFIG_ARRAY, T_CONFIG_SCOPE_SERVER }, /* 82 */ ++ { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 83 */ ++ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 84 */ + +- { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } ++ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + + /* all T_CONFIG_SCOPE_SERVER options */ +@@ -318,6 +320,8 @@ static int config_insert(server *srv) { + cv[80].destination = srv->srvconf.syslog_facility; + http_parseopts = array_init(); + cv[82].destination = http_parseopts; ++ cv[83].destination = srv->srvconf.tpm_object; ++ cv[84].destination = srv->srvconf.tpm_engine; + + srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *)); + +diff --git a/src/mod_openssl.c b/src/mod_openssl.c +index 75e0873..4cb0335 100644 +--- a/src/mod_openssl.c ++++ b/src/mod_openssl.c +@@ -422,6 +422,29 @@ error: + return NULL; + } + ++static EVP_PKEY* ++evp_pkey_load_tpm_object_file(server *srv) { ++ if (!srv->tpm_is_init || !srv->srvconf.tpm_engine_ref) ++ return NULL; ++ ++ if (srv->srvconf.tpm_key) { ++ // if a TPM key was previously loaded ++ // then return that as there is no need to ++ // reload this key into TPM ++ return srv->srvconf.tpm_key; ++ } ++ ++ EVP_PKEY *pkey = ENGINE_load_private_key(srv->srvconf.tpm_engine_ref, ++ srv->srvconf.tpm_object->ptr, ++ NULL, NULL); ++ if (!pkey) { ++ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return NULL; ++ } ++ srv->srvconf.tpm_key = pkey; ++ return pkey; ++} + + static EVP_PKEY * + evp_pkey_load_pem_file (server *srv, const char *file) +@@ -476,15 +499,23 @@ network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx) + + s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr); + if (NULL == s->ssl_pemfile_x509) return -1; +- s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr); +- if (NULL == s->ssl_pemfile_pkey) return 
-1; +- +- if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { +- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", +- "Private key does not match the certificate public key," +- " reason:", ERR_error_string(ERR_get_error(), NULL), +- s->ssl_pemfile); +- return -1; ++ ++ // if TPM mode is enabled then load the TPM key otherwise load ++ // the regular SSL private key ++ if (srv->tpm_is_init) { ++ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv))) return -1; ++ } ++ else { ++ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; ++ ++ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { ++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", ++ "Private key does not match the certificate public key, reason:", ++ ERR_error_string(ERR_get_error(), NULL), ++ s->ssl_pemfile); ++ return -1; ++ } ++ + } + + return 0; +@@ -651,6 +682,43 @@ network_init_ssl (server *srv, void *p_d) + force_assert(NULL != local_send_buffer); + } + ++ /* NOTE (knasim-wrs): US93721: TPM support ++ * if TPM mode is configured, and we have not previously ++ * initialized the engine then do so now ++ */ ++ if (!buffer_string_is_empty(srv->srvconf.tpm_object) && ++ (!srv->tpm_is_init)) { ++ if (!buffer_string_is_empty(srv->srvconf.tpm_engine)) { ++ // load the dynamic TPM engine ++ ENGINE_load_dynamic(); ++ ENGINE *engine = ENGINE_by_id("dynamic"); ++ if (!engine) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "Unable to load the dynamic engine " ++ "(needed for loading custom TPM engine)"); ++ return -1; ++ } ++ ++ ENGINE_ctrl_cmd_string(engine, "SO_PATH", ++ srv->srvconf.tpm_engine->ptr, 0); ++ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0); ++ if (ENGINE_init(engine) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ ENGINE_finish(engine); ++ return -1; ++ } ++ srv->tpm_is_init = 1; ++ // stow away for 
ENGINE cleanup ++ srv->srvconf.tpm_engine_ref = engine; ++ } ++ else { // no TPM engine found ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ "TPM engine option not set when TPM mode expected"); ++ return -1; ++ } ++ } ++ + if (!buffer_string_is_empty(s->ssl_pemfile)) { + #ifdef OPENSSL_NO_TLSEXT + data_config *dc = (data_config *)srv->config_context->data[i]; +@@ -911,29 +979,36 @@ network_init_ssl (server *srv, void *p_d) + } + } + +- if (1 != SSL_CTX_use_certificate_chain_file(s->ssl_ctx, +- s->ssl_pemfile->ptr)) { ++ if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { + log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", + ERR_error_string(ERR_get_error(), NULL), + s->ssl_pemfile); + return -1; + } + +- if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { ++ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) { + log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", + ERR_error_string(ERR_get_error(), NULL), + s->ssl_pemfile); + return -1; + } + +- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { +- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", +- "Private key does not match the certificate public " +- "key, reason:", +- ERR_error_string(ERR_get_error(), NULL), +- s->ssl_pemfile); +- return -1; ++ /* ++ * Only check private key against loaded ++ * certificate, in non TPM mode, since ++ * if this is a TPM key then it is wrapped ++ * and will not match the public key ++ */ ++ if (!srv->tpm_is_init) { ++ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { ++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", ++ "Private key does not match the certificate public key, reason:", ++ ERR_error_string(ERR_get_error(), NULL), ++ s->ssl_pemfile); ++ return -1; ++ } + } ++ + SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead); + SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) + | SSL_MODE_ENABLE_PARTIAL_WRITE +diff --git a/src/server.c b/src/server.c +index f6409bb..2ace3f8 
100644 +--- a/src/server.c ++++ b/src/server.c +@@ -246,6 +246,11 @@ static server *server_init(void) { + CLEAN(srvconf.pid_file); + CLEAN(srvconf.syslog_facility); + ++#ifdef USE_OPENSSL ++ CLEAN(srvconf.tpm_object); ++ CLEAN(srvconf.tpm_engine); ++#endif ++ + CLEAN(tmp_chunk_len); + #undef CLEAN + +@@ -347,6 +352,14 @@ static void server_free(server *srv) { + CLEAN(srvconf.xattr_name); + CLEAN(srvconf.syslog_facility); + ++#ifdef USE_OPENSSL ++ CLEAN(srvconf.tpm_object); ++ CLEAN(srvconf.tpm_engine); ++ // don't free the tpm_key as that will be freed ++ // below as ssl_pemfile_pkey ++ ENGINE_finish(srv->srvconf.tpm_engine_ref); ++#endif ++ + CLEAN(tmp_chunk_len); + #undef CLEAN + +@@ -776,7 +789,9 @@ static int log_error_open(server *srv) { + if (-1 == (errfd = fdevent_open_devnull())) { + log_error_write(srv, __FILE__, __LINE__, "ss", + "opening /dev/null failed:", strerror(errno)); +- return -1; ++ /* In version 1.4.45 it will also failed here but not check return value of openDevNull(STDERR_FILENO) ++ need further check with upstrean to see if there is a potential bug */ ++ //return -1; + } + } + else { +-- +2.7.4 + diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd.conf b/base/lighttpd/files/lighttpd.conf similarity index 100% rename from base/lighttpd/lighttpd-1.4.35/lighttpd.conf rename to base/lighttpd/files/lighttpd.conf diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd.init b/base/lighttpd/files/lighttpd.init similarity index 100% rename from base/lighttpd/lighttpd-1.4.35/lighttpd.init rename to base/lighttpd/files/lighttpd.init diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd.logrotate b/base/lighttpd/files/lighttpd.logrotate similarity index 100% rename from base/lighttpd/lighttpd-1.4.35/lighttpd.logrotate rename to base/lighttpd/files/lighttpd.logrotate diff --git a/base/lighttpd/lighttpd-1.4.35/lighttpd-tpm-support.patch b/base/lighttpd/lighttpd-1.4.35/lighttpd-tpm-support.patch deleted file mode 100644 index 16744684d..000000000 
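Review bot: Two `log_error_write` calls in the new TPM code name more arguments than they pass: `evp_pkey_load_tpm_object_file` uses `"SSS"` and the `ENGINE_init` failure branch in `network_init_ssl` uses `"ssb"`, yet each supplies only `"SSL:"` and the `ERR_error_string` result, so the third conversion reads a missing vararg (and for `"ssb"` dereferences it as a `buffer *`); both should read `log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL));`. In the same engine bring-up the return values of both `ENGINE_ctrl_cmd_string` calls are ignored, so a bad `server.tpm-engine` path is only noticed indirectly by `ENGINE_init`, and on that failure `ENGINE_finish` is used although `ENGINE_by_id` returned a structural reference that `ENGINE_free` releases (the `server_free` hunk has the same gap: it finishes but never frees `tpm_engine_ref`); the excerpt below folds the three engine steps into one checked sequence, the rest of that block unchanged. `evp_pkey_load_tpm_object_file` hands the single cached `tpm_key` to every `plugin_config` that reaches `network_openssl_load_pemfile`, so with more than one `ssl.pemfile` block the same `EVP_PKEY` is aliased; if the module's free path (not in this hunk) releases `ssl_pemfile_pkey` per block that is a double free, so either take a reference before returning the cached pointer or confirm the free path skips it. The `src/server.c` hunk also comments out `return -1;` in `log_error_open` with a "need further check" note; that leaves `errfd == -1` in use when `/dev/null` cannot be opened and is unrelated to TPM support, so it should be resolved or split out rather than shipped as a commented-out line.
```c
            // load the dynamic TPM engine
            ENGINE_load_dynamic();
            ENGINE *engine = ENGINE_by_id("dynamic");
            // … unchanged: NULL check on engine …
            if (1 != ENGINE_ctrl_cmd_string(engine, "SO_PATH",
                                            srv->srvconf.tpm_engine->ptr, 0)
             || 1 != ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)
             || 1 != ENGINE_init(engine)) {
                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
                                ERR_error_string(ERR_get_error(), NULL));
                ENGINE_free(engine); /* structural ref from ENGINE_by_id */
                return -1;
            }
            srv->tpm_is_init = 1;
            // stow away for ENGINE cleanup
            srv->srvconf.tpm_engine_ref = engine;
```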
--- a/base/lighttpd/lighttpd-1.4.35/lighttpd-tpm-support.patch
+++ /dev/null
@@ -1,255 +0,0 @@ -From 3cf42638ea162be04cbfc8b8eedbef6292336640 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Wed, 29 Mar 2017 21:56:41 -0400 -Subject: [PATCH] lighttpd tpm support - ---- - src/base.h | 10 ++++- - src/configfile.c | 4 ++ - src/network.c | 111 ++++++++++++++++++++++++++++++++++++++++++++++--------- - src/server.c | 12 +++++- - 4 files changed, 118 insertions(+), 19 deletions(-) - -diff --git a/src/base.h b/src/base.h -index 134fc41..5fab1fd 100644 ---- a/src/base.h -+++ b/src/base.h -@@ -37,6 +37,7 @@ - # endif - # endif - # include -+# include - # if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME - # define OPENSSL_NO_TLSEXT - # endif -@@ -567,6 +568,13 @@ typedef struct { - unsigned short high_precision_timestamps; - time_t loadts; - double loadavg[3]; -+#ifdef USE_OPENSSL -+ // TPM engine and object configuration -+ buffer *tpm_object; -+ buffer *tpm_engine; -+ ENGINE *tpm_engine_ref; -+ EVP_PKEY *tpm_key; -+#endif - } server_config; - - typedef struct server_socket { -@@ -610,7 +618,7 @@ typedef struct server { - int con_closed; - - int ssl_is_init; -- -+ int tpm_is_init; // has TPM been initialized already - int max_fds; /* max possible fds */ - int cur_fds; /* currently used fds */ - int want_fds; /* waiting fds */ -diff --git a/src/configfile.c b/src/configfile.c -index bba6925..da818ed 100644 ---- a/src/configfile.c -+++ b/src/configfile.c -@@ -145,6 +145,8 @@ static int config_insert(server *srv) { - { "server.stream-response-body", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 77 */ - { "server.max-request-field-size", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_SERVER }, /* 78 */ - { "ssl.read-ahead", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */ -+ { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */ -+ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 81 */ - - { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } - }; -@@ -184,6 +186,8 @@ static 
int config_insert(server *srv) { - cv[73].destination = &(srv->srvconf.http_host_strict); - cv[74].destination = &(srv->srvconf.http_host_normalize); - cv[78].destination = &(srv->srvconf.max_request_field_size); -+ cv[80].destination = srv->srvconf.tpm_object; -+ cv[81].destination = srv->srvconf.tpm_engine; - - srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *)); - -diff --git a/src/network.c b/src/network.c -index 4295fe9..6460e72 100644 ---- a/src/network.c -+++ b/src/network.c -@@ -613,6 +613,29 @@ error: - return NULL; - } - -+static EVP_PKEY* evp_pkey_load_tpm_object_file(server *srv) { -+ if (!srv->tpm_is_init || !srv->srvconf.tpm_engine_ref) -+ return NULL; -+ -+ if (srv->srvconf.tpm_key) { -+ // if a TPM key was previously loaded -+ // then return that as there is no need to -+ // reload this key into TPM -+ return srv->srvconf.tpm_key; -+ } -+ -+ EVP_PKEY *pkey = ENGINE_load_private_key(srv->srvconf.tpm_engine_ref, -+ srv->srvconf.tpm_object->ptr, -+ NULL, NULL); -+ if (!pkey) { -+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL)); -+ return NULL; -+ } -+ srv->srvconf.tpm_key = pkey; -+ return pkey; -+} -+ - static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) { - BIO *in; - EVP_PKEY *x = NULL; -@@ -658,15 +681,23 @@ static int network_openssl_load_pemfile(server *srv, size_t ndx) { - #endif - - if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; -- if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; - -- if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { -- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -- "Private key does not match the certificate public key, reason:", -- ERR_error_string(ERR_get_error(), NULL), -- s->ssl_pemfile); -- return -1; -- } -+ // if TPM mode is enabled then load the TPM key otherwise load -+ // the regular 
SSL private key -+ if (srv->tpm_is_init) { -+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv))) return -1; -+ } -+ else { -+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; -+ -+ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { -+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -+ "Private key does not match the certificate public key, reason:", -+ ERR_error_string(ERR_get_error(), NULL), -+ s->ssl_pemfile); -+ return -1; -+ } -+ } - - return 0; - } -@@ -791,6 +822,44 @@ int network_init(server *srv) { - } - } - -+ /* NOTE (knasim-wrs): US93721: TPM support -+ * if TPM mode is configured, and we have not previously -+ * initialized the engine then do so now -+ */ -+ if (!buffer_string_is_empty(srv->srvconf.tpm_object) && -+ (!srv->tpm_is_init)) { -+ if (!buffer_string_is_empty(srv->srvconf.tpm_engine)) { -+ // load the dynamic TPM engine -+ ENGINE_load_dynamic(); -+ ENGINE *engine = ENGINE_by_id("dynamic"); -+ if (!engine) { -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "Unable to load the dynamic engine " -+ "(needed for loading custom TPM engine)"); -+ return -1; -+ } -+ -+ ENGINE_ctrl_cmd_string(engine, "SO_PATH", -+ srv->srvconf.tpm_engine->ptr, 0); -+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0); -+ if (ENGINE_init(engine) != 1) { -+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", -+ ERR_error_string(ERR_get_error(), NULL)); -+ ENGINE_finish(engine); -+ return -1; -+ } -+ srv->tpm_is_init = 1; -+ // stow away for ENGINE cleanup -+ srv->srvconf.tpm_engine_ref = engine; -+ } -+ else { // no TPM engine found -+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", -+ "TPM engine option not set when TPM mode expected"); -+ return -1; -+ } -+ } -+ /// -+ - if (!buffer_string_is_empty(s->ssl_pemfile)) { - #ifdef OPENSSL_NO_TLSEXT - data_config *dc = (data_config *)srv->config_context->data[i]; -@@ -975,24 +1044,32 @@ int 
network_init(server *srv) { - SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth); - } - -- if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) { -+ if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { - log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); - return -1; - } - -- if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { -+ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) { - log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); - return -1; - } -- -- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { -- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -- "Private key does not match the certificate public key, reason:", -- ERR_error_string(ERR_get_error(), NULL), -- s->ssl_pemfile); -- return -1; -+ -+ /* -+ * Only check private key against loaded -+ * certificate, in non TPM mode, since -+ * if this is a TPM key then it is wrapped -+ * and will not match the public key -+ */ -+ if (!srv->tpm_is_init) { -+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { -+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", -+ "Private key does not match the certificate public key, reason:", -+ ERR_error_string(ERR_get_error(), NULL), -+ s->ssl_pemfile); -+ return -1; -+ } - } - SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead); - SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) -diff --git a/src/server.c b/src/server.c -index f27b003..5adfa15 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -226,7 +226,10 @@ static server *server_init(void) { - CLEAN(srvconf.bindhost); - CLEAN(srvconf.event_handler); - CLEAN(srvconf.pid_file); -- -+#ifdef USE_OPENSSL -+ CLEAN(srvconf.tpm_object); -+ CLEAN(srvconf.tpm_engine); -+#endif - CLEAN(tmp_chunk_len); - #undef CLEAN - -@@ -316,6 +319,13 @@ static void server_free(server *srv) { - 
CLEAN(srvconf.modules_dir); - CLEAN(srvconf.network_backend); - CLEAN(srvconf.xattr_name); -+#ifdef USE_OPENSSL -+ CLEAN(srvconf.tpm_object); -+ CLEAN(srvconf.tpm_engine); -+ // don't free the tpm_key as that will be freed -+ // below as ssl_pemfile_pkey -+ ENGINE_finish(srv->srvconf.tpm_engine_ref); -+#endif - - CLEAN(tmp_chunk_len); - #undef CLEAN --- -1.8.3.1 - diff --git a/base/lighttpd/lighttpd-1.4.35/remote-ip-ipv6-support.patch b/base/lighttpd/lighttpd-1.4.35/remote-ip-ipv6-support.patch deleted file mode 100644 index 5460374cb..000000000 --- a/base/lighttpd/lighttpd-1.4.35/remote-ip-ipv6-support.patch +++ /dev/null 
@@ -1,117 +0,0 @@ ---- lighttpd-1.4.35/src/configfile-glue.c.orig 2014-03-06 15:08:00.000000000 +0100 -+++ lighttpd-1.4.35/src/configfile-glue.c 2015-11-26 11:39:23.000000000 +0100 -@@ -8,6 +8,10 @@ - - #include - #include -+#include -+#ifndef __WIN32 -+#include -+#endif - - /** - * like all glue code this file contains functions which -@@ -336,12 +340,22 @@ static cond_result_t config_check_cond_n - - if ((dc->cond == CONFIG_COND_EQ || - dc->cond == CONFIG_COND_NE) && -- (con->dst_addr.plain.sa_family == AF_INET) && - (NULL != (nm_slash = strchr(dc->string->ptr, '/')))) { - int nm_bits; -- long nm; - char *err; - struct in_addr val_inp; -+ struct in6_addr val_inp6; -+ int val_af; -+ uint8_t *a, *b; -+ int result_match, result_nomatch; -+ -+ if (dc->cond == CONFIG_COND_EQ) { -+ result_match = COND_RESULT_TRUE; -+ result_nomatch = COND_RESULT_FALSE; -+ } else { -+ result_match = COND_RESULT_FALSE; -+ result_nomatch = COND_RESULT_TRUE; -+ } - - if (*(nm_slash+1) == '\0') { - log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: no number after / ", dc->string); -@@ -356,10 +370,16 @@ static cond_result_t config_check_cond_n - - return COND_RESULT_FALSE; - } -+ if (nm_bits < 0) { -+ log_error_write(srv, __FILE__, __LINE__, "sbs", "ERROR: negative netmask:", dc->string, err); -+ -+ return COND_RESULT_FALSE; -+ } - - /* take IP convert to the native */ - buffer_copy_string_len(srv->cond_check_buf, dc->string->ptr, nm_slash - dc->string->ptr); - #ifdef __WIN32 -+ val_af = AF_INET; - if (INADDR_NONE == (val_inp.s_addr = inet_addr(srv->cond_check_buf->ptr))) { - log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: ip addr is invalid:", srv->cond_check_buf); - -@@ -367,21 +387,54 @@ static cond_result_t config_check_cond_n - } - - #else -- if (0 == inet_aton(srv->cond_check_buf->ptr, &val_inp)) { -+ if (1 == inet_pton(AF_INET, srv->cond_check_buf->ptr, &val_inp)) { -+ val_af = AF_INET; -+ } else if (1 == inet_pton(AF_INET6, srv->cond_check_buf->ptr, &val_inp6)) { -+ 
val_af = AF_INET6; -+ } else { - log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: ip addr is invalid:", srv->cond_check_buf); - - return COND_RESULT_FALSE; - } - #endif - -- /* build netmask */ -- nm = htonl(~((1 << (32 - nm_bits)) - 1)); -+ if (val_af == AF_INET) { -+ if (nm_bits > 32) { -+ log_error_write(srv, __FILE__, __LINE__, "sd", "ERROR: ipv4 netmask too large:", nm_bits); - -- if ((val_inp.s_addr & nm) == (con->dst_addr.ipv4.sin_addr.s_addr & nm)) { -- return (dc->cond == CONFIG_COND_EQ) ? COND_RESULT_TRUE : COND_RESULT_FALSE; -+ return COND_RESULT_FALSE; -+ } -+ a = (uint8_t *)&val_inp; -+ if (con->dst_addr.plain.sa_family == AF_INET) { -+ b = (uint8_t *)&con->dst_addr.ipv4.sin_addr.s_addr; -+ } else if (IN6_IS_ADDR_V4MAPPED(&con->dst_addr.ipv6.sin6_addr)) { -+ b = (uint8_t *)&con->dst_addr.ipv6.sin6_addr.s6_addr[12]; -+ } else { -+ return result_nomatch; -+ } - } else { -- return (dc->cond == CONFIG_COND_EQ) ? COND_RESULT_FALSE : COND_RESULT_TRUE; -+ if (nm_bits > 128) { -+ log_error_write(srv, __FILE__, __LINE__, "sd", "ERROR: ipv6 netmask too large:", nm_bits); -+ -+ return COND_RESULT_FALSE; -+ } -+ a = (uint8_t *)&val_inp6; -+ if (con->dst_addr.plain.sa_family == AF_INET) { -+ return result_nomatch; -+ } else { -+ b = (uint8_t *)&con->dst_addr.ipv6.sin6_addr.s6_addr[0]; -+ } -+ } -+ while (nm_bits) { -+ if (nm_bits >= 8) { -+ if (*a++ != *b++) return result_nomatch; -+ nm_bits -= 8; -+ } else { -+ if (*a >> (8 - nm_bits) != *b >> (8 - nm_bits)) return result_nomatch; -+ nm_bits = 0; -+ } - } -+ return result_match; - } else { - l = con->dst_addr_buf; - } -