Add a configure check for SSL_get0_alpn_selected() and use it instead
of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
to openssl at the same time as ALPN support, but arrived in libressl
before ALPN support).

While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
so we miss their usual checks), and add a bonus arc4random conversion
(main use is in their dns resolver, I think).

Unbreaks the port.

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
retrieving revision 1.66
diff -u -p -r1.66 Makefile
--- Makefile    31 Oct 2014 14:40:59 -0000      1.66
+++ Makefile    6 Nov 2014 12:10:03 -0000
@@ -3,6 +3,7 @@
 COMMENT=       robust and small HTTP server and mail proxy server
 
 VERSION=       1.7.7
+REVISION=      0
 DISTNAME=      nginx-${VERSION}
 CATEGORIES=    www
 
@@ -25,6 +26,7 @@ LIB_DEPENDS+= devel/pcre
 
 NGINX_DIR=     /var/www
 SUBST_VARS=    NGINX_DIR
+CFLAGS+=       -Wall -Wpointer-arith -Werror
 
 FLAVORS=       lua naxsi passenger
 FLAVOR?=
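Review bot: `-Werror` on the new `CFLAGS+=` line turns every warning into a build failure for all FLAVORS, including the third-party lua, naxsi and passenger modules, and for any architecture whose compiler warns differently. It presumably helps catch problems like the missing ALPN function this diff works around, but it also makes the port fragile across compiler updates. A comment above the line, e.g. `# upstream's warning flags; ports passes CFLAGS so nginx's own auto/cc checks are skipped`, would record why it is there. It is also worth confirming that each flavor builds cleanly with it.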
Index: patches/patch-auto_lib_openssl_conf
===================================================================
RCS file: patches/patch-auto_lib_openssl_conf
diff -N patches/patch-auto_lib_openssl_conf
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-auto_lib_openssl_conf 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+--- auto/lib/openssl/conf.orig Thu Nov  6 11:59:59 2014
++++ auto/lib/openssl/conf      Thu Nov  6 12:00:02 2014
+@@ -59,6 +59,16 @@ else
+             have=NGX_SSL . auto/have
+             CORE_LIBS="$CORE_LIBS $ngx_feature_libs $NGX_LIBDL"
+             OPENSSL=YES
++
++            ngx_feature="SSL_get0_alpn_selected()"
++            ngx_feature_name="NGX_HAVE_ALPN"
++            ngx_feature_run=no
++            ngx_feature_incs="#include <openssl/ssl.h>"
++            ngx_feature_path=
++            ngx_feature_libs="-lssl -lcrypto"
++            ngx_feature_test="SSL_get0_alpn_selected(NULL, NULL, NULL);"
++            . auto/feature
++
+         fi
+     fi
+ 
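Review bot: `NGX_HAVE_ALPN` is only probed inside the branch that has just found a system library (the lines after `OPENSSL=YES`). The hunk header shows this sits under an `else`, so the other branch, which appears to be the build-from-source path, would never define it. Since the C patches stop testing `TLSEXT_TYPE_application_layer_protocol_negotiation`, such a build would silently lose ALPN. That may be acceptable for the port, but a comment above the block, e.g. `# LibreSSL defines the TLSEXT constant without providing the function, so test for the function itself`, together with a remark about the unprobed branch, would make the intent clear.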
Index: patches/patch-src_core_ngx_config_h
===================================================================
RCS file: patches/patch-src_core_ngx_config_h
diff -N patches/patch-src_core_ngx_config_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_core_ngx_config_h 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/core/ngx_config.h.orig Thu Nov  6 11:42:58 2014
++++ src/core/ngx_config.h      Thu Nov  6 11:45:38 2014
+@@ -54,7 +54,7 @@
+ #define ngx_signal_helper(n)     SIG##n
+ #define ngx_signal_value(n)      ngx_signal_helper(n)
+ 
+-#define ngx_random               random
++#define ngx_random               arc4random
+ 
+ /* TODO: #ifndef */
+ #define NGX_SHUTDOWN_SIGNAL      QUIT
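Review bot: Swapping `random` for `arc4random` changes the value range as well as the quality: random() returns a long in 0..2^31-1, while arc4random() returns a uint32_t covering all 32 bits. Callers of `ngx_random()` that scale the result by 2^31, store it in a signed int, or use it to index a table should be audited, since an out-of-range value could become an out-of-bounds index; none of those callers are visible in this diff. If an audit is not practical, a range-preserving form such as `#define ngx_random() ((long) (arc4random() & 0x7fffffff))` keeps the old contract. A short comment beside the define noting that the srandom() seeding calls are no longer needed would also help the next person updating the port.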
Index: patches/patch-src_http_modules_ngx_http_ssl_module_c
===================================================================
RCS file: patches/patch-src_http_modules_ngx_http_ssl_module_c
diff -N patches/patch-src_http_modules_ngx_http_ssl_module_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_http_modules_ngx_http_ssl_module_c        6 Nov 2014 
12:10:03 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- src/http/modules/ngx_http_ssl_module.c.orig        Thu Nov  6 12:06:47 2014
++++ src/http/modules/ngx_http_ssl_module.c     Thu Nov  6 12:08:20 2014
+@@ -20,7 +20,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_c
+ #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+ 
+ 
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+ static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
+     const unsigned char **out, unsigned char *outlen,
+     const unsigned char *in, unsigned int inlen, void *arg);
+@@ -314,7 +314,7 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
+ static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
+ 
+ 
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+ 
+ static int
+ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
+@@ -646,7 +646,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *pare
+ 
+ #endif
+ 
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
+ #endif
+ 
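Review bot: The three guards in this file use `#ifdef NGX_HAVE_ALPN`, whereas feature macros produced by nginx's auto/feature are conventionally tested as `#if (NGX_HAVE_ALPN)`. Both work as long as the macro is only ever defined to 1, but the `#if (...)` form matches upstream style and still behaves correctly if the macro is ever defined to 0. Every guard keyed on this macro should use the same name and the same form, so that the callback registration and its consumers cannot drift apart.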
Index: patches/patch-src_http_ngx_http_request_c
===================================================================
RCS file: patches/patch-src_http_ngx_http_request_c
diff -N patches/patch-src_http_ngx_http_request_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_http_ngx_http_request_c   6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/http/ngx_http_request.c.orig   Thu Nov  6 12:05:45 2014
++++ src/http/ngx_http_request.c        Thu Nov  6 12:06:04 2014
+@@ -771,7 +771,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+         const unsigned char     *data;
+         static const ngx_str_t   spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
+ 
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGINX_HAVE_ALPN
+         SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+ 
+ #ifdef TLSEXT_TYPE_next_proto_neg
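Review bot: The new guard is spelled `NGINX_HAVE_ALPN`, but the configure check in patch-auto_lib_openssl_conf defines `NGX_HAVE_ALPN` and the three guards in ngx_http_ssl_module.c test that name, so this `#ifdef` is never true and the `SSL_get0_alpn_selected()` call is compiled out. The build still succeeds, which hides the mistake. The ALPN select callback is registered in ngx_http_ssl_merge_srv_conf, while the handshake handler presumably falls back to an NPN-only path, so a protocol chosen via ALPN would not be seen here. The line should read `#ifdef NGX_HAVE_ALPN`. ngx_http_ssl_handshake_handler continues beyond the hunk, so the fallback branch is inferred rather than visible.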
Index: patches/patch-src_os_unix_ngx_posix_init_c
===================================================================
RCS file: patches/patch-src_os_unix_ngx_posix_init_c
diff -N patches/patch-src_os_unix_ngx_posix_init_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_os_unix_ngx_posix_init_c  6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+using arc4random (see ngx_config.h) so no need to seed.
+
+--- src/os/unix/ngx_posix_init.c.orig  Thu Nov  6 11:48:48 2014
++++ src/os/unix/ngx_posix_init.c       Thu Nov  6 11:49:04 2014
+@@ -75,8 +75,6 @@ ngx_os_init(ngx_log_t *log)
+     ngx_inherited_nonblocking = 0;
+ #endif
+ 
+-    srandom(ngx_time());
+-
+     return NGX_OK;
+ }
+ 
Index: patches/patch-src_os_unix_ngx_process_cycle_c
===================================================================
RCS file: patches/patch-src_os_unix_ngx_process_cycle_c
diff -N patches/patch-src_os_unix_ngx_process_cycle_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_os_unix_ngx_process_cycle_c       6 Nov 2014 12:10:03 
-0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+using arc4random (see ngx_config.h) so no need to seed.
+
+--- src/os/unix/ngx_process_cycle.c.orig       Thu Nov  6 11:48:48 2014
++++ src/os/unix/ngx_process_cycle.c    Thu Nov  6 11:49:12 2014
+@@ -1015,8 +1015,6 @@ nochroot:
+                       "sigprocmask() failed");
+     }
+ 
+-    srandom((ngx_pid << 16) ^ ngx_time());
+-
+     /*
+      * disable deleting previous events for the listening sockets because
+      * in the worker processes there are no events at all at this point
