I think that arc4random diff is not enough; there are more places where this is used, aren't there?
On (2014-11-06 12:19), Stuart Henderson wrote:
> Add a configure check for SSL_get0_alpn_selected() and use it instead
> of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
> to openssl at the same time as ALPN support, but arrived in libressl
> before ALPN support).
>
> While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
> so we miss their usual checks), and add a bonus arc4random conversion
> (main use is in their dns resolver, I think).
>
> Unbreaks the port.
>
> OK?
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/nginx/Makefile,v
> retrieving revision 1.66
> diff -u -p -r1.66 Makefile
> --- Makefile 31 Oct 2014 14:40:59 -0000 1.66
> +++ Makefile 6 Nov 2014 12:10:03 -0000
> @@ -3,6 +3,7 @@
> COMMENT= robust and small HTTP server and mail proxy server
>
> VERSION= 1.7.7
> +REVISION= 0
> DISTNAME= nginx-${VERSION}
> CATEGORIES= www
>
> @@ -25,6 +26,7 @@ LIB_DEPENDS+= devel/pcre
>
> NGINX_DIR= /var/www
> SUBST_VARS= NGINX_DIR
> +CFLAGS+= -Wall -Wpointer-arith -Werror
>
> FLAVORS= lua naxsi passenger
> FLAVOR?=
> Index: patches/patch-auto_lib_openssl_conf
> ===================================================================
> RCS file: patches/patch-auto_lib_openssl_conf
> diff -N patches/patch-auto_lib_openssl_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-auto_lib_openssl_conf 6 Nov 2014 12:10:03 -0000
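Review bot: The added `CFLAGS+= -Wall -Wpointer-arith -Werror` in the second Makefile hunk applies `-Werror` to everything the port compiles, which presumably includes the third-party code built for the `lua`, `naxsi` and `passenger` flavors listed just below it. A warning in any of those modules, or a new warning from a different compiler or architecture, would then fail the package build instead of only being reported. A comment above the line would record the intent, e.g. `# same warning flags upstream's configure sets when CFLAGS is not passed in`, and each flavor should be confirmed to still build with it.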
> @@ -0,0 +1,20 @@
> +$OpenBSD$
> +--- auto/lib/openssl/conf.orig Thu Nov 6 11:59:59 2014
> ++++ auto/lib/openssl/conf Thu Nov 6 12:00:02 2014
> +@@ -59,6 +59,16 @@ else
> + have=NGX_SSL . auto/have
> + CORE_LIBS="$CORE_LIBS $ngx_feature_libs $NGX_LIBDL"
> + OPENSSL=YES
> ++
> ++ ngx_feature="SSL_get0_alpn_selected()"
> ++ ngx_feature_name="NGX_HAVE_ALPN"
> ++ ngx_feature_run=no
> ++ ngx_feature_incs="#include <openssl/ssl.h>"
> ++ ngx_feature_path=
> ++ ngx_feature_libs="-lssl -lcrypto"
> ++ ngx_feature_test="SSL_get0_alpn_selected(NULL, NULL, NULL);"
> ++ . auto/feature
> ++
> + fi
> + fi
> +
> Index: patches/patch-src_core_ngx_config_h
> ===================================================================
> RCS file: patches/patch-src_core_ngx_config_h
> diff -N patches/patch-src_core_ngx_config_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_core_ngx_config_h 6 Nov 2014 12:10:03 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- src/core/ngx_config.h.orig Thu Nov 6 11:42:58 2014
> ++++ src/core/ngx_config.h Thu Nov 6 11:45:38 2014
> +@@ -54,7 +54,7 @@
> + #define ngx_signal_helper(n) SIG##n
> + #define ngx_signal_value(n) ngx_signal_helper(n)
> +
> +-#define ngx_random random
> ++#define ngx_random arc4random
> +
> + /* TODO: #ifndef */
> + #define NGX_SHUTDOWN_SIGNAL QUIT
> Index: patches/patch-src_http_modules_ngx_http_ssl_module_c
> ===================================================================
> RCS file: patches/patch-src_http_modules_ngx_http_ssl_module_c
> diff -N patches/patch-src_http_modules_ngx_http_ssl_module_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_http_modules_ngx_http_ssl_module_c 6 Nov 2014
> 12:10:03 -0000
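Review bot: In the `ngx_config.h` patch, `#define ngx_random arc4random` changes the result type and range as well as the generator: `random()` returns a non-negative `long` below 2^31, while `arc4random()` returns a `uint32_t` covering the full 32 bits. The callers of `ngx_random()` are outside this diff, so any that store the result in a signed type or reduce it with `%` should be checked for negative values and modulo bias; where a bounded value is wanted, `arc4random_uniform(n)` is the safer form. A comment on the define would record the difference, e.g. `/* arc4random(): full 32-bit unsigned range, no seeding needed */`.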
> @@ -0,0 +1,30 @@
> +$OpenBSD$
> +--- src/http/modules/ngx_http_ssl_module.c.orig Thu Nov 6 12:06:47 2014
> ++++ src/http/modules/ngx_http_ssl_module.c Thu Nov 6 12:08:20 2014
> +@@ -20,7 +20,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_c
> + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
> +
> +
> +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> ++#ifdef NGX_HAVE_ALPN
> + static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
> + const unsigned char **out, unsigned char *outlen,
> + const unsigned char *in, unsigned int inlen, void *arg);
> +@@ -314,7 +314,7 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
> + static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
> +
> +
> +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> ++#ifdef NGX_HAVE_ALPN
> +
> + static int
> + ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char
> **out,
> +@@ -646,7 +646,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *pare
> +
> + #endif
> +
> +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> ++#ifdef NGX_HAVE_ALPN
> + SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select,
> NULL);
> + #endif
> +
> Index: patches/patch-src_http_ngx_http_request_c
> ===================================================================
> RCS file: patches/patch-src_http_ngx_http_request_c
> diff -N patches/patch-src_http_ngx_http_request_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_http_ngx_http_request_c 6 Nov 2014 12:10:03 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- src/http/ngx_http_request.c.orig Thu Nov 6 12:05:45 2014
> ++++ src/http/ngx_http_request.c Thu Nov 6 12:06:04 2014
> +@@ -771,7 +771,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
> + const unsigned char *data;
> + static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
> +
> +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> ++#ifdef NGINX_HAVE_ALPN
> + SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
> +
> + #ifdef TLSEXT_TYPE_next_proto_neg
> Index: patches/patch-src_os_unix_ngx_posix_init_c
> ===================================================================
> RCS file: patches/patch-src_os_unix_ngx_posix_init_c
> diff -N patches/patch-src_os_unix_ngx_posix_init_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_os_unix_ngx_posix_init_c 6 Nov 2014 12:10:03
> -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +using arc4random (see ngx_config.h) so no need to seed.
> +
> +--- src/os/unix/ngx_posix_init.c.orig Thu Nov 6 11:48:48 2014
> ++++ src/os/unix/ngx_posix_init.c Thu Nov 6 11:49:04 2014
> +@@ -75,8 +75,6 @@ ngx_os_init(ngx_log_t *log)
> + ngx_inherited_nonblocking = 0;
> + #endif
> +
> +- srandom(ngx_time());
> +-
> + return NGX_OK;
> + }
> +
> Index: patches/patch-src_os_unix_ngx_process_cycle_c
> ===================================================================
> RCS file: patches/patch-src_os_unix_ngx_process_cycle_c
> diff -N patches/patch-src_os_unix_ngx_process_cycle_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_os_unix_ngx_process_cycle_c 6 Nov 2014 12:10:03
> -0000
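Review bot: The guard in the `ngx_http_request.c` patch is spelled `#ifdef NGINX_HAVE_ALPN`, but the configure check in `auto/lib/openssl/conf` sets `ngx_feature_name="NGX_HAVE_ALPN"` and the three guards in `ngx_http_ssl_module.c` use `NGX_HAVE_ALPN`. Nothing in this diff defines the `NGINX_` spelling, so the `SSL_get0_alpn_selected()` call in `ngx_http_ssl_handshake_handler` is compiled out even though the ALPN select callback is still registered, and a protocol chosen through ALPN would presumably not be picked up after the handshake. The line should read `#ifdef NGX_HAVE_ALPN`. The rest of the `#ifdef` block lies outside the hunk, so which fallback branch is taken instead cannot be confirmed from here.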
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +using arc4random (see ngx_config.h) so no need to seed.
> +
> +--- src/os/unix/ngx_process_cycle.c.orig Thu Nov 6 11:48:48 2014
> ++++ src/os/unix/ngx_process_cycle.c Thu Nov 6 11:49:12 2014
> +@@ -1015,8 +1015,6 @@ nochroot:
> + "sigprocmask() failed");
> + }
> +
> +- srandom((ngx_pid << 16) ^ ngx_time());
> +-
> + /*
> + * disable deleting previous events for the listening sockets because
> + * in the worker processes there are no events at all at this point
>