Update lighttpd to 1.4.54 version.

The lighttpd version has changed upstream.

A rebase in configfile.c and mod_openssl.c was required.

Closes-Bug: 1817351

Depends-On: https://review.opendev.org/#/c/653152
Change-Id: I22cdea5cd8abfa27cc85efa3fdeaabfed18f7e93
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Erich Cordoba 2019-09-02 16:22:13 -05:00
parent b934934e9b
commit 90da89899c
4 changed files with 107 additions and 111 deletions


@ -16,7 +16,7 @@ index 2f7b261..2553b27 100644
@@ -46,7 +46,7 @@ @@ -46,7 +46,7 @@
Summary: Lightning fast webserver with light system requirements Summary: Lightning fast webserver with light system requirements
Name: lighttpd Name: lighttpd
Version: 1.4.52 Version: 1.4.54
-Release: 1%{?dist} -Release: 1%{?dist}
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver} +Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
License: BSD License: BSD


@ -5,24 +5,22 @@ Subject: [PATCH] check-length
Signed-off-by: zhipengl <zhipengs.liu@intel.com> Signed-off-by: zhipengl <zhipengs.liu@intel.com>
--- ---
src/request.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++- src/request.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+), 1 deletion(-) 1 file changed, 45 insertions(+)
diff --git a/src/request.c b/src/request.c diff --git a/src/request.c b/src/request.c
index 213a87e..8c97f45 100644 index d25e1e7..fe541a5 100644
--- a/src/request.c --- a/src/request.c
+++ b/src/request.c +++ b/src/request.c
@@ -9,11 +9,40 @@ @@ -8,9 +8,38 @@
#include "log.h"
#include "sock_addr.h" #include "sock_addr.h"
#include <sys/stat.h> +#include <errno.h>
-
+#include <sys/statvfs.h>
#include <limits.h> #include <limits.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <sys-strings.h> +#include <sys/statvfs.h>
+#include <errno.h>
+ +
+static size_t get_tempdirs_free_space(server *srv) +static size_t get_tempdirs_free_space(server *srv)
+{ +{
@ -43,20 +41,19 @@ index 213a87e..8c97f45 100644
+ } + }
+ else { + else {
+ log_error_write(srv, __FILE__, __LINE__, "ssss", + log_error_write(srv, __FILE__, __LINE__, "ssss",
+ "dir:", name, + "dir:", name,
+ "error:", strerror(errno)); + "error:", strerror(errno));
+ } + }
+ } + }
+ +
+ return (valid) ? total : SSIZE_MAX; + return (valid) ? total : SSIZE_MAX;
+} +}
+
static int request_check_hostname(buffer *host) { static int request_check_hostname(buffer *host) {
enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL; enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL;
@@ -1176,6 +1205,22 @@ int http_request_parse(server *srv, connection *con) { @@ -901,6 +930,22 @@ int http_request_parse(server *srv, connection *con, buffer *hdrs) {
con->http_status = 411; if (!state.con_length_set) {
goto failure; return http_request_header_line_invalid(srv, 411, "POST-request, but content-length missing -> 411");
} }
+ /* content-length is larger than 64k */ + /* content-length is larger than 64k */
+ if (con->request.content_length > 64*1024) { + if (con->request.content_length > 64*1024) {
@ -66,17 +63,17 @@ index 213a87e..8c97f45 100644
+ con->keep_alive = 0; + con->keep_alive = 0;
+ +
+ log_error_write(srv, __FILE__, __LINE__, "ssosos", + log_error_write(srv, __FILE__, __LINE__, "ssosos",
+ "not enough free space in tempdirs:", + "not enough free space in tempdirs:",
+ "length =", (off_t) con->request.content_length, + "length =", (off_t) con->request.content_length,
+ "free =", (off_t) disk_free, + "free =", (off_t) disk_free,
+ "-> 413"); + "-> 413");
+ return 0; + return 0;
+ } + }
+ } + }
+ +
break; break;
default: default:
break; break;
-- --
2.7.4 2.21.0
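Review bot: The rebased 413 path at the end of the new hunk still reports its error the 1.4.52 way — `con->http_status = 413; con->keep_alive = 0; ... return 0;` — while the 1.4.54 line kept just above it reports the 411 case as `return http_request_header_line_invalid(srv, 411, ...)`. If http_request_parse's return value is now the status code, as that call suggests (the caller is not visible from here), `return 0` signals success with a stale http_status and the oversized request keeps going; the block should use the same helper, e.g. `return http_request_header_line_invalid(srv, 413, "not enough free space in tempdirs -> 413");`, keeping the existing log_error_write with the length/free figures before it. Separately, get_tempdirs_free_space is declared `static size_t` but yields `SSIZE_MAX` when no tempdir could be stat'ed, so a missing or unreadable tempdir list fails open and presumably lets every upload through the comparison the hunk cuts off; if that is intended, say so in a one-line comment, otherwise return 0 so the 413 path triggers. http_request_parse starts and ends outside the hunk.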


@ -4,14 +4,14 @@ Date: Wed, 29 Mar 2017 21:56:41 -0400
Subject: [PATCH] lighttpd tpm support Subject: [PATCH] lighttpd tpm support
--- ---
src/base.h | 24 ++++++++++++ src/base.h | 24 ++++++++++
src/configfile.c | 6 ++- src/configfile.c | 4 ++
src/mod_openssl.c | 113 +++++++++++++++++++++++++++++++++++++++++++++--------- src/mod_openssl.c | 116 +++++++++++++++++++++++++++++++++++++---------
src/server.c | 17 +++++++- src/server.c | 17 ++++++-
4 files changed, 139 insertions(+), 21 deletions(-) 4 files changed, 139 insertions(+), 22 deletions(-)
diff --git a/src/base.h b/src/base.h diff --git a/src/base.h b/src/base.h
index 2fe60b6..bddcd01 100644 index f21973b..f7b5777 100644
--- a/src/base.h --- a/src/base.h
+++ b/src/base.h +++ b/src/base.h
@@ -15,6 +15,21 @@ @@ -15,6 +15,21 @@
@ -36,59 +36,56 @@ index 2fe60b6..bddcd01 100644
struct fdevents; /* declaration */ struct fdevents; /* declaration */
struct stat_cache; /* declaration */ struct stat_cache; /* declaration */
@@ -344,6 +359,13 @@ typedef struct { @@ -342,6 +357,14 @@ typedef struct {
unsigned short high_precision_timestamps; unsigned short high_precision_timestamps;
time_t loadts; time_t loadts;
double loadavg[3]; double loadavg[3];
+#ifdef USE_OPENSSL +#ifdef USE_OPENSSL
+ // TPM engine and object configuration + // TPM engine and object configuration
+ buffer *tpm_object; + buffer *tpm_object;
+ buffer *tpm_engine; + buffer *tpm_engine;
+ ENGINE *tpm_engine_ref; + ENGINE *tpm_engine_ref;
+ EVP_PKEY *tpm_key; + EVP_PKEY *tpm_key;
+#endif +#endif
+
buffer *syslog_facility; buffer *syslog_facility;
unsigned short compat_module_load; unsigned short compat_module_load;
@@ -386,6 +408,8 @@ struct server { @@ -380,6 +403,7 @@ struct server {
int con_written; int con_written;
int con_closed; int con_closed;
+ int tpm_is_init; // has TPM been initialized already + int tpm_is_init; // has TPM been initialized already
+
int max_fds; /* max possible fds */ int max_fds; /* max possible fds */
int cur_fds; /* currently used fds */ int max_fds_lowat;/* low watermark */
int want_fds; /* waiting fds */ int max_fds_hiwat;/* high watermark */
diff --git a/src/configfile.c b/src/configfile.c diff --git a/src/configfile.c b/src/configfile.c
index c3b0f16..dca2a29 100644 index b870b59..5b91b35 100644
--- a/src/configfile.c --- a/src/configfile.c
+++ b/src/configfile.c +++ b/src/configfile.c
@@ -277,8 +277,10 @@ static int config_insert(server *srv) { @@ -282,6 +282,8 @@ static int config_insert(server *srv) {
{ "server.syslog-facility", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */
{ "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */ { "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */
{ "server.http-parseopts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_SERVER }, /* 82 */ { "server.http-parseopts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_SERVER }, /* 82 */
+ { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 83 */ { "server.systemd-socket-activation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 83 */
+ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 84 */ + { "server.tpm-object", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 84 */
+ { "server.tpm-engine", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 85 */
- { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
}; };
@@ -327,6 +329,8 @@ static int config_insert(server *srv) {
/* all T_CONFIG_SCOPE_SERVER options */
@@ -321,6 +323,8 @@ static int config_insert(server *srv) {
cv[80].destination = srv->srvconf.syslog_facility;
http_parseopts = array_init(); http_parseopts = array_init();
cv[82].destination = http_parseopts; cv[82].destination = http_parseopts;
+ cv[83].destination = srv->srvconf.tpm_object; cv[83].destination = &(srv->srvconf.systemd_socket_activation);
+ cv[84].destination = srv->srvconf.tpm_engine; + cv[84].destination = srv->srvconf.tpm_object;
+ cv[85].destination = srv->srvconf.tpm_engine;
srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *)); srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
diff --git a/src/mod_openssl.c b/src/mod_openssl.c diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 75e0873..4cb0335 100644 index f9a4fe8..e38605c 100644
--- a/src/mod_openssl.c --- a/src/mod_openssl.c
+++ b/src/mod_openssl.c +++ b/src/mod_openssl.c
@@ -451,6 +451,29 @@ error: @@ -488,6 +488,29 @@ error:
return NULL; return NULL;
} }
@ -118,40 +115,43 @@ index 75e0873..4cb0335 100644
static EVP_PKEY * static EVP_PKEY *
evp_pkey_load_pem_file (server *srv, const char *file) evp_pkey_load_pem_file (server *srv, const char *file)
@@ -505,15 +528,23 @@ network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx) @@ -542,17 +565,24 @@ network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx)
s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr); s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr);
if (NULL == s->ssl_pemfile_x509) return -1; if (NULL == s->ssl_pemfile_x509) return -1;
- s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr); - s->ssl_pemfile_pkey = !buffer_string_is_empty(s->ssl_privkey)
- ? evp_pkey_load_pem_file(srv, s->ssl_privkey->ptr)
- : evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
- if (NULL == s->ssl_pemfile_pkey) return -1; - if (NULL == s->ssl_pemfile_pkey) return -1;
- -
- if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { - if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", - log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
- "Private key does not match the certificate public key," - "Private key does not match the certificate public key,"
- " reason:", ERR_error_string(ERR_get_error(), NULL), - " reason:", ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile); - s->ssl_pemfile, s->ssl_privkey);
- return -1; - return -1;
+ + // If TPM mode is enabled thenload the TPM key, otherwise load
+ // if TPM mode is enabled then load the TPM key otherwise load + // the regular SSL private key.
+ // the regular SSL private key
+ if (srv->tpm_is_init) { + if (srv->tpm_is_init) {
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv))) return -1; + s->ssl_pemfile_pkey = evp_pkey_load_tpm_object_file(srv);
+ } + if (NULL == s->ssl_pemfile_pkey) return -1;
+ else { + } else {
+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; + s->ssl_pemfile_pkey = !buffer_string_is_empty(s->ssl_privkey)
+ ? evp_pkey_load_pem_file(srv, s->ssl_privkey->ptr)
+ : evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
+ if (NULL == s->ssl_pemfile_pkey) return -1;
+ +
+ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { + if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
+ "Private key does not match the certificate public key, reason:", + "Private key does not match the certificate public key,"
+ ERR_error_string(ERR_get_error(), NULL), + " reason:", ERR_error_string(ERR_get_error(), NULL),
+ s->ssl_pemfile); + s->ssl_pemfile, s->ssl_privkey);
+ return -1; + return -1;
+ } + }
+
} }
return 0; return 0;
@@ -680,6 +711,43 @@ network_init_ssl (server *srv, void *p_d) @@ -878,6 +908,43 @@ network_init_ssl (server *srv, void *p_d)
force_assert(NULL != local_send_buffer); force_assert(NULL != local_send_buffer);
} }
@ -167,8 +167,8 @@ index 75e0873..4cb0335 100644
+ ENGINE *engine = ENGINE_by_id("dynamic"); + ENGINE *engine = ENGINE_by_id("dynamic");
+ if (!engine) { + if (!engine) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "Unable to load the dynamic engine " + "Unable to load the dynamic engine "
+ "(needed for loading custom TPM engine)"); + "(needed for loading custom TPM engine)");
+ return -1; + return -1;
+ } + }
+ +
@ -177,7 +177,7 @@ index 75e0873..4cb0335 100644
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0); + ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
+ if (ENGINE_init(engine) != 1) { + if (ENGINE_init(engine) != 1) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL)); + ERR_error_string(ERR_get_error(), NULL));
+ ENGINE_finish(engine); + ENGINE_finish(engine);
+ return -1; + return -1;
+ } + }
@ -187,7 +187,7 @@ index 75e0873..4cb0335 100644
+ } + }
+ else { // no TPM engine found + else { // no TPM engine found
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "TPM engine option not set when TPM mode expected"); + "TPM engine option not set when TPM mode expected");
+ return -1; + return -1;
+ } + }
+ } + }
@ -195,7 +195,7 @@ index 75e0873..4cb0335 100644
if (!buffer_string_is_empty(s->ssl_pemfile)) { if (!buffer_string_is_empty(s->ssl_pemfile)) {
#ifdef OPENSSL_NO_TLSEXT #ifdef OPENSSL_NO_TLSEXT
data_config *dc = (data_config *)srv->config_context->data[i]; data_config *dc = (data_config *)srv->config_context->data[i];
@@ -949,29 +1017,36 @@ network_init_ssl (server *srv, void *p_d) @@ -1147,28 +1214,35 @@ network_init_ssl (server *srv, void *p_d)
} }
} }
@ -210,64 +210,63 @@ index 75e0873..4cb0335 100644
- if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { - if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
+ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) { + if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", log_error_write(srv, __FILE__, __LINE__, "ssbb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), ERR_error_string(ERR_get_error(), NULL),
s->ssl_pemfile); s->ssl_pemfile, s->ssl_privkey);
return -1; return -1;
} }
- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { - if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", - log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
- "Private key does not match the certificate public " - "Private key does not match the certificate public "
- "key, reason:", - "key, reason:",
- ERR_error_string(ERR_get_error(), NULL), - ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile); - s->ssl_pemfile, s->ssl_privkey);
- return -1; - return -1;
+ /* + /*
+ * Only check private key against loaded + * Only check private key against loaded
+ * certificate, in non TPM mode, since + * certificate, in non TPM mode, since
+ * if this is a TPM key then it is wrapped + * if this is a TPM key then it is wrapped
+ * and will not match the public key + * and will not match the public key.
+ */ + */
+ if (!srv->tpm_is_init) { + if (!srv->tpm_is_init) {
+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { + if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
+ "Private key does not match the certificate public key, reason:", + "Private key does not match the certificate public "
+ ERR_error_string(ERR_get_error(), NULL), + "key, reason:",
+ s->ssl_pemfile); + ERR_error_string(ERR_get_error(), NULL),
+ return -1; + s->ssl_pemfile, s->ssl_privkey);
+ } + return -1;
+ }
} }
+
SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead); SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead);
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx)
| SSL_MODE_ENABLE_PARTIAL_WRITE
diff --git a/src/server.c b/src/server.c diff --git a/src/server.c b/src/server.c
index f6409bb..2ace3f8 100644 index b7086b0..b90ce61 100644
--- a/src/server.c --- a/src/server.c
+++ b/src/server.c +++ b/src/server.c
@@ -247,6 +247,11 @@ static server *server_init(void) { @@ -248,6 +248,11 @@ static server *server_init(void) {
CLEAN(srvconf.pid_file); CLEAN(srvconf.pid_file);
CLEAN(srvconf.syslog_facility); CLEAN(srvconf.syslog_facility);
+#ifdef USE_OPENSSL +#ifdef USE_OPENSSL
+ CLEAN(srvconf.tpm_object); + CLEAN(srvconf.tpm_object);
+ CLEAN(srvconf.tpm_engine); + CLEAN(srvconf.tpm_engine);
+#endif +#endif
+ +
CLEAN(tmp_chunk_len); CLEAN(tmp_chunk_len);
#undef CLEAN #undef CLEAN
@@ -349,6 +354,14 @@ static void server_free(server *srv) { @@ -344,6 +349,14 @@ static void server_free(server *srv) {
CLEAN(srvconf.xattr_name); CLEAN(srvconf.xattr_name);
CLEAN(srvconf.syslog_facility); CLEAN(srvconf.syslog_facility);
+#ifdef USE_OPENSSL +#ifdef USE_OPENSSL
+ CLEAN(srvconf.tpm_object); + CLEAN(srvconf.tpm_object);
+ CLEAN(srvconf.tpm_engine); + CLEAN(srvconf.tpm_engine);
+ // don't free the tpm_key as that will be freed + // don't free the tpm_key as that will be freed
+ // below as ssl_pemfile_pkey + // below as ssl_pemfile_pkey
+ ENGINE_finish(srv->srvconf.tpm_engine_ref); + ENGINE_finish(srv->srvconf.tpm_engine_ref);
+#endif +#endif
+ +
CLEAN(tmp_chunk_len); CLEAN(tmp_chunk_len);
@ -278,12 +277,12 @@ index f6409bb..2ace3f8 100644
log_error_write(srv, __FILE__, __LINE__, "ss", log_error_write(srv, __FILE__, __LINE__, "ss",
"opening /dev/null failed:", strerror(errno)); "opening /dev/null failed:", strerror(errno));
- return -1; - return -1;
+ /* In version 1.4.45 it will also failed here but not check return value of openDevNull(STDERR_FILENO) + /* In version 1.4.45 it will also failed here but not check return value of openDevNull(STDERR_FILENO)
+ need further check with upstream to see if there is a potential bug */ + need further check with upstream to see if there is a potential bug */
+ //return -1; + //return -1;
} }
} }
else { else {
-- --
2.7.4 2.21.0
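Review bot: The new `if (!srv->tpm_is_init)` guard in network_init_ssl skips `SSL_CTX_check_private_key` entirely in TPM mode, and the earlier mod_openssl.c hunk likewise skips `X509_check_private_key` for the engine-loaded key, so a certificate that does not belong to the TPM key is only discovered at the first handshake rather than refused at startup. The justification in the new comment — that a TPM key "is wrapped and will not match the public key" — looks doubtful: an EVP_PKEY returned by ENGINE_load_private_key normally carries the public components, so the comparison against the certificate should work, and this should be confirmed against the engine actually in use rather than assumed. If the check genuinely cannot run with that engine, replace the comment with one naming the engine and the reason, and make the omission visible in the log, e.g. `log_error_write(srv, __FILE__, __LINE__, "s", "SSL: TPM mode, private key/certificate consistency check skipped");`. network_init_ssl starts and ends outside the hunk.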


@ -1 +1 @@
mirror:Source/lighttpd-1.4.52-1.el7.src.rpm mirror:Source/lighttpd-1.4.54-1.el7.src.rpm