upgrade lighttpd to CentOS 7.5 version
Story: 2003389 Task: 24482 Depends-On: https://review.openstack.org/#/c/596638/ Change-Id: I2916d08926db286ca8248d1fb22b66ad8482658d Signed-off-by: zhipengl <zhipengs.liu@intel.com>
This commit is contained in:
parent
e3b649669c
commit
0739032653
@ -1,6 +1,6 @@
|
||||
Metadata-Version: 1.1
|
||||
Name: lighttpd
|
||||
Version: 1.4.39
|
||||
Version: 1.4.50
|
||||
Summary: Lightning fast webserver with light system requirements
|
||||
Home-page:
|
||||
Author:
|
||||
|
@ -1,9 +1,2 @@
|
||||
COPY_LIST="lighttpd-1.4.35/index.html.lighttpd \
|
||||
lighttpd-1.4.35/lighttpd.conf \
|
||||
lighttpd-1.4.35/lighttpd.init \
|
||||
lighttpd-1.4.35/lighttpd-inc.conf \
|
||||
lighttpd-1.4.35/lighttpd.logrotate \
|
||||
lighttpd-1.4.35/lighttpd-csr.conf \
|
||||
lighttpd-1.4.35/check-content-length.patch \
|
||||
lighttpd-1.4.35/lighttpd-tpm-support.patch"
|
||||
COPY_LIST="files/*"
|
||||
TIS_PATCH_VER=6
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4bea2840e8b22d904be29d24d501c25201e13c57 Mon Sep 17 00:00:00 2001
|
||||
From 1c4a8d83d96eab943d1cb7b4f0d9b7175e6858f1 Mon Sep 17 00:00:00 2001
|
||||
From: Scott Little <scott.little@windriver.com>
|
||||
Date: Mon, 20 Mar 2017 10:21:28 -0400
|
||||
Subject: [PATCH 3/4] WRS: 0001-Update-package-versioning-for-TIS-format.patch
|
||||
Subject: [PATCH] WRS: 0001-Update-package-versioning-for-TIS-format.patch
|
||||
|
||||
Conflicts:
|
||||
SPECS/lighttpd.spec
|
||||
@ -10,18 +10,18 @@ Conflicts:
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/SPECS/lighttpd.spec b/SPECS/lighttpd.spec
|
||||
index 71737ac..b795a3f 100644
|
||||
index 2f7b261..2553b27 100644
|
||||
--- a/SPECS/lighttpd.spec
|
||||
+++ b/SPECS/lighttpd.spec
|
||||
@@ -45,7 +45,7 @@
|
||||
Summary: Lightning fast webserver with light system requirements
|
||||
Name: lighttpd
|
||||
Version: 1.4.45
|
||||
Version: 1.4.50
|
||||
-Release: 1%{?dist}
|
||||
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
|
||||
License: BSD
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.lighttpd.net/
|
||||
--
|
||||
1.8.3.1
|
||||
2.7.4
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 653e25505b1df7e7b3fd89e08729d6d9f9698d39 Mon Sep 17 00:00:00 2001
|
||||
From: Kam Nasim <kam.nasim@windriver.com>
|
||||
Date: Tue, 28 Mar 2017 17:33:34 -0400
|
||||
Subject: [PATCH] dding support for TPM 2.0
|
||||
Subject: [PATCH] Adding support for TPM 2.0
|
||||
|
||||
---
|
||||
SPECS/lighttpd.spec | 2 ++
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c684477fa2b47bb3c00b0e501e817d088408bead Mon Sep 17 00:00:00 2001
|
||||
From 730a5321581e70790da4e94085698fd299072be5 Mon Sep 17 00:00:00 2001
|
||||
From: Scott Little <scott.little@windriver.com>
|
||||
Date: Mon, 20 Mar 2017 10:21:28 -0400
|
||||
Subject: [PATCH 4/4] WRS: spec-check-content-length.patch
|
||||
Subject: [PATCH] WRS: spec-check-content-length.patch
|
||||
|
||||
Conflicts:
|
||||
SPECS/lighttpd.spec
|
||||
@ -10,13 +10,13 @@ Conflicts:
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/SPECS/lighttpd.spec b/SPECS/lighttpd.spec
|
||||
index b795a3f..9fd062a 100644
|
||||
index 2553b27..c27f78f 100644
|
||||
--- a/SPECS/lighttpd.spec
|
||||
+++ b/SPECS/lighttpd.spec
|
||||
@@ -78,6 +78,10 @@ Patch3: lighttpd-1.4.39-socket.patch
|
||||
#Patch6: changeset_r779c133c16f9af168b004dce7a2a64f16c1cb3a4.diff
|
||||
@@ -79,6 +79,10 @@ Patch3: lighttpd-1.4.39-socket.patch
|
||||
#Patch7: lighttpd-1.4.42-bignum.patch
|
||||
#Patch8: lighttpd-1.4.43-mysql.patch
|
||||
#Patch9: lighttpd-1.4.48-autoconf.patch
|
||||
+
|
||||
+# WRS Patches
|
||||
+Patch100: check-content-length.patch
|
||||
@ -24,10 +24,10 @@ index b795a3f..9fd062a 100644
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
# For the target poweredby.png image (skip requirement + provide image on EL5)
|
||||
%if %{with systemlogos}
|
||||
@@ -179,6 +183,10 @@ Authentication module for lighttpd that uses GSSAPI
|
||||
#%patch6 -p1 -b .http_proxy
|
||||
@@ -182,6 +186,10 @@ Authentication module for lighttpd that uses GSSAPI
|
||||
#%patch7 -p0 -b .bignum
|
||||
#%patch8 -p0 -b .mysql
|
||||
#%patch9 -p0 -b .autoconf
|
||||
+
|
||||
+# WRS Patches
|
||||
+%patch100 -p1 -b .content_length
|
||||
@ -36,5 +36,5 @@ index b795a3f..9fd062a 100644
|
||||
#install -p -m 0644 %{SOURCE101} mod_geoip.txt
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.7.4
|
||||
|
||||
|
@ -1 +1 @@
|
||||
mirror:Source/lighttpd-1.4.45-1.el7.src.rpm
|
||||
mirror:Source/lighttpd-1.4.50-1.el7.src.rpm
|
||||
|
@ -1,24 +1,27 @@
|
||||
From b9410d967faf627d72fc5496a4c2e7aab879b7aa Mon Sep 17 00:00:00 2001
|
||||
From 65107586a55c594c44b0a97a2d6756f6a0f0a5ca Mon Sep 17 00:00:00 2001
|
||||
From: Giao Le <giao.le@windriver.com>
|
||||
Date: Wed, 19 Oct 2016 15:06:17 -0400
|
||||
Subject: [PATCH 1/1] check
|
||||
Date: Mon, 27 Aug 2018 19:41:36 +0800
|
||||
Subject: [PATCH] check-length
|
||||
|
||||
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
||||
---
|
||||
src/request.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 49 insertions(+)
|
||||
src/request.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 46 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/request.c b/src/request.c
|
||||
index a2de944..857076c 100644
|
||||
index 213a87e..8c97f45 100644
|
||||
--- a/src/request.c
|
||||
+++ b/src/request.c
|
||||
@@ -12,6 +12,39 @@
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
@@ -8,10 +8,39 @@
|
||||
#include "sock_addr.h"
|
||||
|
||||
#include <sys/stat.h>
|
||||
-
|
||||
+#include <sys/statvfs.h>
|
||||
+#include <string.h>
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <errno.h>
|
||||
+#include <limits.h>
|
||||
+
|
||||
+static size_t get_tempdirs_free_space(server *srv)
|
||||
+{
|
||||
@ -47,19 +50,10 @@ index a2de944..857076c 100644
|
||||
+ return (valid) ? total : SSIZE_MAX;
|
||||
+}
|
||||
+
|
||||
+
|
||||
|
||||
static int request_check_hostname(buffer *host) {
|
||||
enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL;
|
||||
size_t i;
|
||||
@@ -409,6 +442,7 @@ static int request_uri_is_valid_char(unsigned char c) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
+
|
||||
int http_request_parse(server *srv, connection *con) {
|
||||
char *uri = NULL, *proto = NULL, *method = NULL, con_length_set;
|
||||
int is_key = 1, key_len = 0, is_ws_after_key = 0, in_folding;
|
||||
@@ -1294,6 +1328,21 @@ int http_request_parse(server *srv, connection *con) {
|
||||
@@ -1287,6 +1316,22 @@ int http_request_parse(server *srv, connection *con) {
|
||||
return 0;
|
||||
|
||||
}
|
||||
@ -71,16 +65,17 @@ index a2de944..857076c 100644
|
||||
+ con->keep_alive = 0;
|
||||
+
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ssosos",
|
||||
+ "not enough free space in tempdirs:",
|
||||
+ "length =", (off_t) con->request.content_length,
|
||||
+ "free =", (off_t) disk_free,
|
||||
+ "-> 413");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ "not enough free space in tempdirs:",
|
||||
+ "length =", (off_t) con->request.content_length,
|
||||
+ "free =", (off_t) disk_free,
|
||||
+ "-> 413");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
--
|
||||
1.8.3.1
|
||||
2.7.4
|
||||
|
289
base/lighttpd/files/lighttpd-tpm-support.patch
Normal file
289
base/lighttpd/files/lighttpd-tpm-support.patch
Normal file
@ -0,0 +1,289 @@
|
||||
From c58d174a1d2872272bfa9d83c642591f04effcb1 Mon Sep 17 00:00:00 2001
|
||||
From: Kam Nasim <kam.nasim@windriver.com>
|
||||
Date: Wed, 29 Mar 2017 21:56:41 -0400
|
||||
Subject: [PATCH] lighttpd tpm support
|
||||
|
||||
---
|
||||
src/base.h | 24 ++++++++++++
|
||||
src/configfile.c | 6 ++-
|
||||
src/mod_openssl.c | 113 +++++++++++++++++++++++++++++++++++++++++++++---------
|
||||
src/server.c | 17 +++++++-
|
||||
4 files changed, 139 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/base.h b/src/base.h
|
||||
index 2fe60b6..bddcd01 100644
|
||||
--- a/src/base.h
|
||||
+++ b/src/base.h
|
||||
@@ -15,6 +15,21 @@
|
||||
#include "sock_addr.h"
|
||||
#include "etag.h"
|
||||
|
||||
+#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
|
||||
+# define USE_OPENSSL
|
||||
+# include <openssl/opensslconf.h>
|
||||
+# ifndef USE_OPENSSL_KERBEROS
|
||||
+# ifndef OPENSSL_NO_KRB5
|
||||
+# define OPENSSL_NO_KRB5
|
||||
+# endif
|
||||
+# endif
|
||||
+# include <openssl/ssl.h>
|
||||
+# include <openssl/engine.h>
|
||||
+# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
+# define OPENSSL_NO_TLSEXT
|
||||
+# endif
|
||||
+#endif
|
||||
+
|
||||
struct fdevents; /* declaration */
|
||||
struct stat_cache; /* declaration */
|
||||
|
||||
@@ -360,6 +375,13 @@ typedef struct {
|
||||
unsigned short high_precision_timestamps;
|
||||
time_t loadts;
|
||||
double loadavg[3];
|
||||
+#ifdef USE_OPENSSL
|
||||
+ // TPM engine and object configuration
|
||||
+ buffer *tpm_object;
|
||||
+ buffer *tpm_engine;
|
||||
+ ENGINE *tpm_engine_ref;
|
||||
+ EVP_PKEY *tpm_key;
|
||||
+#endif
|
||||
buffer *syslog_facility;
|
||||
} server_config;
|
||||
|
||||
@@ -400,6 +422,8 @@ struct server {
|
||||
int con_written;
|
||||
int con_closed;
|
||||
|
||||
+ int tpm_is_init; // has TPM been initialized already
|
||||
+
|
||||
int max_fds; /* max possible fds */
|
||||
int cur_fds; /* currently used fds */
|
||||
int want_fds; /* waiting fds */
|
||||
diff --git a/src/configfile.c b/src/configfile.c
|
||||
index c3b0f16..dca2a29 100644
|
||||
--- a/src/configfile.c
|
||||
+++ b/src/configfile.c
|
||||
@@ -276,8 +276,10 @@ static int config_insert(server *srv) {
|
||||
{ "server.syslog-facility", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */
|
||||
{ "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */
|
||||
{ "server.http-parseopts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_SERVER }, /* 82 */
|
||||
+ { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 83 */
|
||||
+ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 84 */
|
||||
|
||||
- { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
||||
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
||||
};
|
||||
|
||||
/* all T_CONFIG_SCOPE_SERVER options */
|
||||
@@ -318,6 +320,8 @@ static int config_insert(server *srv) {
|
||||
cv[80].destination = srv->srvconf.syslog_facility;
|
||||
http_parseopts = array_init();
|
||||
cv[82].destination = http_parseopts;
|
||||
+ cv[83].destination = srv->srvconf.tpm_object;
|
||||
+ cv[84].destination = srv->srvconf.tpm_engine;
|
||||
|
||||
srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
|
||||
|
||||
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
|
||||
index 75e0873..4cb0335 100644
|
||||
--- a/src/mod_openssl.c
|
||||
+++ b/src/mod_openssl.c
|
||||
@@ -422,6 +422,29 @@ error:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static EVP_PKEY*
|
||||
+evp_pkey_load_tpm_object_file(server *srv) {
|
||||
+ if (!srv->tpm_is_init || !srv->srvconf.tpm_engine_ref)
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (srv->srvconf.tpm_key) {
|
||||
+ // if a TPM key was previously loaded
|
||||
+ // then return that as there is no need to
|
||||
+ // reload this key into TPM
|
||||
+ return srv->srvconf.tpm_key;
|
||||
+ }
|
||||
+
|
||||
+ EVP_PKEY *pkey = ENGINE_load_private_key(srv->srvconf.tpm_engine_ref,
|
||||
+ srv->srvconf.tpm_object->ptr,
|
||||
+ NULL, NULL);
|
||||
+ if (!pkey) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ srv->srvconf.tpm_key = pkey;
|
||||
+ return pkey;
|
||||
+}
|
||||
|
||||
static EVP_PKEY *
|
||||
evp_pkey_load_pem_file (server *srv, const char *file)
|
||||
@@ -476,15 +499,23 @@ network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx)
|
||||
|
||||
s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr);
|
||||
if (NULL == s->ssl_pemfile_x509) return -1;
|
||||
- s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
|
||||
- if (NULL == s->ssl_pemfile_pkey) return -1;
|
||||
-
|
||||
- if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
- "Private key does not match the certificate public key,"
|
||||
- " reason:", ERR_error_string(ERR_get_error(), NULL),
|
||||
- s->ssl_pemfile);
|
||||
- return -1;
|
||||
+
|
||||
+ // if TPM mode is enabled then load the TPM key otherwise load
|
||||
+ // the regular SSL private key
|
||||
+ if (srv->tpm_is_init) {
|
||||
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv))) return -1;
|
||||
+ }
|
||||
+ else {
|
||||
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
|
||||
+
|
||||
+ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
+ "Private key does not match the certificate public key, reason:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL),
|
||||
+ s->ssl_pemfile);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -651,6 +682,43 @@ network_init_ssl (server *srv, void *p_d)
|
||||
force_assert(NULL != local_send_buffer);
|
||||
}
|
||||
|
||||
+ /* NOTE (knasim-wrs): US93721: TPM support
|
||||
+ * if TPM mode is configured, and we have not previously
|
||||
+ * initialized the engine then do so now
|
||||
+ */
|
||||
+ if (!buffer_string_is_empty(srv->srvconf.tpm_object) &&
|
||||
+ (!srv->tpm_is_init)) {
|
||||
+ if (!buffer_string_is_empty(srv->srvconf.tpm_engine)) {
|
||||
+ // load the dynamic TPM engine
|
||||
+ ENGINE_load_dynamic();
|
||||
+ ENGINE *engine = ENGINE_by_id("dynamic");
|
||||
+ if (!engine) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||||
+ "Unable to load the dynamic engine "
|
||||
+ "(needed for loading custom TPM engine)");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ ENGINE_ctrl_cmd_string(engine, "SO_PATH",
|
||||
+ srv->srvconf.tpm_engine->ptr, 0);
|
||||
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
|
||||
+ if (ENGINE_init(engine) != 1) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL));
|
||||
+ ENGINE_finish(engine);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ srv->tpm_is_init = 1;
|
||||
+ // stow away for ENGINE cleanup
|
||||
+ srv->srvconf.tpm_engine_ref = engine;
|
||||
+ }
|
||||
+ else { // no TPM engine found
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||||
+ "TPM engine option not set when TPM mode expected");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!buffer_string_is_empty(s->ssl_pemfile)) {
|
||||
#ifdef OPENSSL_NO_TLSEXT
|
||||
data_config *dc = (data_config *)srv->config_context->data[i];
|
||||
@@ -911,29 +979,36 @@ network_init_ssl (server *srv, void *p_d)
|
||||
}
|
||||
}
|
||||
|
||||
- if (1 != SSL_CTX_use_certificate_chain_file(s->ssl_ctx,
|
||||
- s->ssl_pemfile->ptr)) {
|
||||
+ if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
ERR_error_string(ERR_get_error(), NULL),
|
||||
s->ssl_pemfile);
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
|
||||
+ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
ERR_error_string(ERR_get_error(), NULL),
|
||||
s->ssl_pemfile);
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
- "Private key does not match the certificate public "
|
||||
- "key, reason:",
|
||||
- ERR_error_string(ERR_get_error(), NULL),
|
||||
- s->ssl_pemfile);
|
||||
- return -1;
|
||||
+ /*
|
||||
+ * Only check private key against loaded
|
||||
+ * certificate, in non TPM mode, since
|
||||
+ * if this is a TPM key then it is wrapped
|
||||
+ * and will not match the public key
|
||||
+ */
|
||||
+ if (!srv->tpm_is_init) {
|
||||
+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
+ "Private key does not match the certificate public key, reason:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL),
|
||||
+ s->ssl_pemfile);
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
+
|
||||
SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead);
|
||||
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx)
|
||||
| SSL_MODE_ENABLE_PARTIAL_WRITE
|
||||
diff --git a/src/server.c b/src/server.c
|
||||
index f6409bb..2ace3f8 100644
|
||||
--- a/src/server.c
|
||||
+++ b/src/server.c
|
||||
@@ -246,6 +246,11 @@ static server *server_init(void) {
|
||||
CLEAN(srvconf.pid_file);
|
||||
CLEAN(srvconf.syslog_facility);
|
||||
|
||||
+#ifdef USE_OPENSSL
|
||||
+ CLEAN(srvconf.tpm_object);
|
||||
+ CLEAN(srvconf.tpm_engine);
|
||||
+#endif
|
||||
+
|
||||
CLEAN(tmp_chunk_len);
|
||||
#undef CLEAN
|
||||
|
||||
@@ -347,6 +352,14 @@ static void server_free(server *srv) {
|
||||
CLEAN(srvconf.xattr_name);
|
||||
CLEAN(srvconf.syslog_facility);
|
||||
|
||||
+#ifdef USE_OPENSSL
|
||||
+ CLEAN(srvconf.tpm_object);
|
||||
+ CLEAN(srvconf.tpm_engine);
|
||||
+ // don't free the tpm_key as that will be freed
|
||||
+ // below as ssl_pemfile_pkey
|
||||
+ ENGINE_finish(srv->srvconf.tpm_engine_ref);
|
||||
+#endif
|
||||
+
|
||||
CLEAN(tmp_chunk_len);
|
||||
#undef CLEAN
|
||||
|
||||
@@ -776,7 +789,9 @@ static int log_error_open(server *srv) {
|
||||
if (-1 == (errfd = fdevent_open_devnull())) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ss",
|
||||
"opening /dev/null failed:", strerror(errno));
|
||||
- return -1;
|
||||
+ /* In version 1.4.45 it will also failed here but not check return value of openDevNull(STDERR_FILENO)
|
||||
+ need further check with upstrean to see if there is a potential bug */
|
||||
+ //return -1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
--
|
||||
2.7.4
|
||||
|
@ -1,255 +0,0 @@
|
||||
From 3cf42638ea162be04cbfc8b8eedbef6292336640 Mon Sep 17 00:00:00 2001
|
||||
From: Kam Nasim <kam.nasim@windriver.com>
|
||||
Date: Wed, 29 Mar 2017 21:56:41 -0400
|
||||
Subject: [PATCH] lighttpd tpm support
|
||||
|
||||
---
|
||||
src/base.h | 10 ++++-
|
||||
src/configfile.c | 4 ++
|
||||
src/network.c | 111 ++++++++++++++++++++++++++++++++++++++++++++++---------
|
||||
src/server.c | 12 +++++-
|
||||
4 files changed, 118 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/base.h b/src/base.h
|
||||
index 134fc41..5fab1fd 100644
|
||||
--- a/src/base.h
|
||||
+++ b/src/base.h
|
||||
@@ -37,6 +37,7 @@
|
||||
# endif
|
||||
# endif
|
||||
# include <openssl/ssl.h>
|
||||
+# include <openssl/engine.h>
|
||||
# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
# define OPENSSL_NO_TLSEXT
|
||||
# endif
|
||||
@@ -567,6 +568,13 @@ typedef struct {
|
||||
unsigned short high_precision_timestamps;
|
||||
time_t loadts;
|
||||
double loadavg[3];
|
||||
+#ifdef USE_OPENSSL
|
||||
+ // TPM engine and object configuration
|
||||
+ buffer *tpm_object;
|
||||
+ buffer *tpm_engine;
|
||||
+ ENGINE *tpm_engine_ref;
|
||||
+ EVP_PKEY *tpm_key;
|
||||
+#endif
|
||||
} server_config;
|
||||
|
||||
typedef struct server_socket {
|
||||
@@ -610,7 +618,7 @@ typedef struct server {
|
||||
int con_closed;
|
||||
|
||||
int ssl_is_init;
|
||||
-
|
||||
+ int tpm_is_init; // has TPM been initialized already
|
||||
int max_fds; /* max possible fds */
|
||||
int cur_fds; /* currently used fds */
|
||||
int want_fds; /* waiting fds */
|
||||
diff --git a/src/configfile.c b/src/configfile.c
|
||||
index bba6925..da818ed 100644
|
||||
--- a/src/configfile.c
|
||||
+++ b/src/configfile.c
|
||||
@@ -145,6 +145,8 @@ static int config_insert(server *srv) {
|
||||
{ "server.stream-response-body", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 77 */
|
||||
{ "server.max-request-field-size", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_SERVER }, /* 78 */
|
||||
{ "ssl.read-ahead", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */
|
||||
+ { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */
|
||||
+ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 81 */
|
||||
|
||||
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
||||
};
|
||||
@@ -184,6 +186,8 @@ static int config_insert(server *srv) {
|
||||
cv[73].destination = &(srv->srvconf.http_host_strict);
|
||||
cv[74].destination = &(srv->srvconf.http_host_normalize);
|
||||
cv[78].destination = &(srv->srvconf.max_request_field_size);
|
||||
+ cv[80].destination = srv->srvconf.tpm_object;
|
||||
+ cv[81].destination = srv->srvconf.tpm_engine;
|
||||
|
||||
srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
|
||||
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index 4295fe9..6460e72 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -613,6 +613,29 @@ error:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static EVP_PKEY* evp_pkey_load_tpm_object_file(server *srv) {
|
||||
+ if (!srv->tpm_is_init || !srv->srvconf.tpm_engine_ref)
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (srv->srvconf.tpm_key) {
|
||||
+ // if a TPM key was previously loaded
|
||||
+ // then return that as there is no need to
|
||||
+ // reload this key into TPM
|
||||
+ return srv->srvconf.tpm_key;
|
||||
+ }
|
||||
+
|
||||
+ EVP_PKEY *pkey = ENGINE_load_private_key(srv->srvconf.tpm_engine_ref,
|
||||
+ srv->srvconf.tpm_object->ptr,
|
||||
+ NULL, NULL);
|
||||
+ if (!pkey) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ srv->srvconf.tpm_key = pkey;
|
||||
+ return pkey;
|
||||
+}
|
||||
+
|
||||
static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
|
||||
BIO *in;
|
||||
EVP_PKEY *x = NULL;
|
||||
@@ -658,15 +681,23 @@ static int network_openssl_load_pemfile(server *srv, size_t ndx) {
|
||||
#endif
|
||||
|
||||
if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
|
||||
- if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
|
||||
|
||||
- if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
- "Private key does not match the certificate public key, reason:",
|
||||
- ERR_error_string(ERR_get_error(), NULL),
|
||||
- s->ssl_pemfile);
|
||||
- return -1;
|
||||
- }
|
||||
+ // if TPM mode is enabled then load the TPM key otherwise load
|
||||
+ // the regular SSL private key
|
||||
+ if (srv->tpm_is_init) {
|
||||
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv))) return -1;
|
||||
+ }
|
||||
+ else {
|
||||
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
|
||||
+
|
||||
+ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
+ "Private key does not match the certificate public key, reason:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL),
|
||||
+ s->ssl_pemfile);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -791,6 +822,44 @@ int network_init(server *srv) {
|
||||
}
|
||||
}
|
||||
|
||||
+ /* NOTE (knasim-wrs): US93721: TPM support
|
||||
+ * if TPM mode is configured, and we have not previously
|
||||
+ * initialized the engine then do so now
|
||||
+ */
|
||||
+ if (!buffer_string_is_empty(srv->srvconf.tpm_object) &&
|
||||
+ (!srv->tpm_is_init)) {
|
||||
+ if (!buffer_string_is_empty(srv->srvconf.tpm_engine)) {
|
||||
+ // load the dynamic TPM engine
|
||||
+ ENGINE_load_dynamic();
|
||||
+ ENGINE *engine = ENGINE_by_id("dynamic");
|
||||
+ if (!engine) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||||
+ "Unable to load the dynamic engine "
|
||||
+ "(needed for loading custom TPM engine)");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ ENGINE_ctrl_cmd_string(engine, "SO_PATH",
|
||||
+ srv->srvconf.tpm_engine->ptr, 0);
|
||||
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
|
||||
+ if (ENGINE_init(engine) != 1) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL));
|
||||
+ ENGINE_finish(engine);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ srv->tpm_is_init = 1;
|
||||
+ // stow away for ENGINE cleanup
|
||||
+ srv->srvconf.tpm_engine_ref = engine;
|
||||
+ }
|
||||
+ else { // no TPM engine found
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||||
+ "TPM engine option not set when TPM mode expected");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+ ///
|
||||
+
|
||||
if (!buffer_string_is_empty(s->ssl_pemfile)) {
|
||||
#ifdef OPENSSL_NO_TLSEXT
|
||||
data_config *dc = (data_config *)srv->config_context->data[i];
|
||||
@@ -975,24 +1044,32 @@ int network_init(server *srv) {
|
||||
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
|
||||
}
|
||||
|
||||
- if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
|
||||
+ if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
|
||||
+ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
|
||||
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
- "Private key does not match the certificate public key, reason:",
|
||||
- ERR_error_string(ERR_get_error(), NULL),
|
||||
- s->ssl_pemfile);
|
||||
- return -1;
|
||||
+
|
||||
+ /*
|
||||
+ * Only check private key against loaded
|
||||
+ * certificate, in non TPM mode, since
|
||||
+ * if this is a TPM key then it is wrapped
|
||||
+ * and will not match the public key
|
||||
+ */
|
||||
+ if (!srv->tpm_is_init) {
|
||||
+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
|
||||
+ "Private key does not match the certificate public key, reason:",
|
||||
+ ERR_error_string(ERR_get_error(), NULL),
|
||||
+ s->ssl_pemfile);
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead);
|
||||
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx)
|
||||
diff --git a/src/server.c b/src/server.c
|
||||
index f27b003..5adfa15 100644
|
||||
--- a/src/server.c
|
||||
+++ b/src/server.c
|
||||
@@ -226,7 +226,10 @@ static server *server_init(void) {
|
||||
CLEAN(srvconf.bindhost);
|
||||
CLEAN(srvconf.event_handler);
|
||||
CLEAN(srvconf.pid_file);
|
||||
-
|
||||
+#ifdef USE_OPENSSL
|
||||
+ CLEAN(srvconf.tpm_object);
|
||||
+ CLEAN(srvconf.tpm_engine);
|
||||
+#endif
|
||||
CLEAN(tmp_chunk_len);
|
||||
#undef CLEAN
|
||||
|
||||
@@ -316,6 +319,13 @@ static void server_free(server *srv) {
|
||||
CLEAN(srvconf.modules_dir);
|
||||
CLEAN(srvconf.network_backend);
|
||||
CLEAN(srvconf.xattr_name);
|
||||
+#ifdef USE_OPENSSL
|
||||
+ CLEAN(srvconf.tpm_object);
|
||||
+ CLEAN(srvconf.tpm_engine);
|
||||
+ // don't free the tpm_key as that will be freed
|
||||
+ // below as ssl_pemfile_pkey
|
||||
+ ENGINE_finish(srv->srvconf.tpm_engine_ref);
|
||||
+#endif
|
||||
|
||||
CLEAN(tmp_chunk_len);
|
||||
#undef CLEAN
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,117 +0,0 @@
|
||||
--- lighttpd-1.4.35/src/configfile-glue.c.orig 2014-03-06 15:08:00.000000000 +0100
|
||||
+++ lighttpd-1.4.35/src/configfile-glue.c 2015-11-26 11:39:23.000000000 +0100
|
||||
@@ -8,6 +8,10 @@
|
||||
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
+#include <stdint.h>
|
||||
+#ifndef __WIN32
|
||||
+#include <arpa/inet.h>
|
||||
+#endif
|
||||
|
||||
/**
|
||||
* like all glue code this file contains functions which
|
||||
@@ -336,12 +340,22 @@ static cond_result_t config_check_cond_n
|
||||
|
||||
if ((dc->cond == CONFIG_COND_EQ ||
|
||||
dc->cond == CONFIG_COND_NE) &&
|
||||
- (con->dst_addr.plain.sa_family == AF_INET) &&
|
||||
(NULL != (nm_slash = strchr(dc->string->ptr, '/')))) {
|
||||
int nm_bits;
|
||||
- long nm;
|
||||
char *err;
|
||||
struct in_addr val_inp;
|
||||
+ struct in6_addr val_inp6;
|
||||
+ int val_af;
|
||||
+ uint8_t *a, *b;
|
||||
+ int result_match, result_nomatch;
|
||||
+
|
||||
+ if (dc->cond == CONFIG_COND_EQ) {
|
||||
+ result_match = COND_RESULT_TRUE;
|
||||
+ result_nomatch = COND_RESULT_FALSE;
|
||||
+ } else {
|
||||
+ result_match = COND_RESULT_FALSE;
|
||||
+ result_nomatch = COND_RESULT_TRUE;
|
||||
+ }
|
||||
|
||||
if (*(nm_slash+1) == '\0') {
|
||||
log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: no number after / ", dc->string);
|
||||
@@ -356,10 +370,16 @@ static cond_result_t config_check_cond_n
|
||||
|
||||
return COND_RESULT_FALSE;
|
||||
}
|
||||
+ if (nm_bits < 0) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sbs", "ERROR: negative netmask:", dc->string, err);
|
||||
+
|
||||
+ return COND_RESULT_FALSE;
|
||||
+ }
|
||||
|
||||
/* take IP convert to the native */
|
||||
buffer_copy_string_len(srv->cond_check_buf, dc->string->ptr, nm_slash - dc->string->ptr);
|
||||
#ifdef __WIN32
|
||||
+ val_af = AF_INET;
|
||||
if (INADDR_NONE == (val_inp.s_addr = inet_addr(srv->cond_check_buf->ptr))) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: ip addr is invalid:", srv->cond_check_buf);
|
||||
|
||||
@@ -367,21 +387,54 @@ static cond_result_t config_check_cond_n
|
||||
}
|
||||
|
||||
#else
|
||||
- if (0 == inet_aton(srv->cond_check_buf->ptr, &val_inp)) {
|
||||
+ if (1 == inet_pton(AF_INET, srv->cond_check_buf->ptr, &val_inp)) {
|
||||
+ val_af = AF_INET;
|
||||
+ } else if (1 == inet_pton(AF_INET6, srv->cond_check_buf->ptr, &val_inp6)) {
|
||||
+ val_af = AF_INET6;
|
||||
+ } else {
|
||||
log_error_write(srv, __FILE__, __LINE__, "sb", "ERROR: ip addr is invalid:", srv->cond_check_buf);
|
||||
|
||||
return COND_RESULT_FALSE;
|
||||
}
|
||||
#endif
|
||||
|
||||
- /* build netmask */
|
||||
- nm = htonl(~((1 << (32 - nm_bits)) - 1));
|
||||
+ if (val_af == AF_INET) {
|
||||
+ if (nm_bits > 32) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sd", "ERROR: ipv4 netmask too large:", nm_bits);
|
||||
|
||||
- if ((val_inp.s_addr & nm) == (con->dst_addr.ipv4.sin_addr.s_addr & nm)) {
|
||||
- return (dc->cond == CONFIG_COND_EQ) ? COND_RESULT_TRUE : COND_RESULT_FALSE;
|
||||
+ return COND_RESULT_FALSE;
|
||||
+ }
|
||||
+ a = (uint8_t *)&val_inp;
|
||||
+ if (con->dst_addr.plain.sa_family == AF_INET) {
|
||||
+ b = (uint8_t *)&con->dst_addr.ipv4.sin_addr.s_addr;
|
||||
+ } else if (IN6_IS_ADDR_V4MAPPED(&con->dst_addr.ipv6.sin6_addr)) {
|
||||
+ b = (uint8_t *)&con->dst_addr.ipv6.sin6_addr.s6_addr[12];
|
||||
+ } else {
|
||||
+ return result_nomatch;
|
||||
+ }
|
||||
} else {
|
||||
- return (dc->cond == CONFIG_COND_EQ) ? COND_RESULT_FALSE : COND_RESULT_TRUE;
|
||||
+ if (nm_bits > 128) {
|
||||
+ log_error_write(srv, __FILE__, __LINE__, "sd", "ERROR: ipv6 netmask too large:", nm_bits);
|
||||
+
|
||||
+ return COND_RESULT_FALSE;
|
||||
+ }
|
||||
+ a = (uint8_t *)&val_inp6;
|
||||
+ if (con->dst_addr.plain.sa_family == AF_INET) {
|
||||
+ return result_nomatch;
|
||||
+ } else {
|
||||
+ b = (uint8_t *)&con->dst_addr.ipv6.sin6_addr.s6_addr[0];
|
||||
+ }
|
||||
+ }
|
||||
+ while (nm_bits) {
|
||||
+ if (nm_bits >= 8) {
|
||||
+ if (*a++ != *b++) return result_nomatch;
|
||||
+ nm_bits -= 8;
|
||||
+ } else {
|
||||
+ if (*a >> (8 - nm_bits) != *b >> (8 - nm_bits)) return result_nomatch;
|
||||
+ nm_bits = 0;
|
||||
+ }
|
||||
}
|
||||
+ return result_match;
|
||||
} else {
|
||||
l = con->dst_addr_buf;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user