On 2014/11/06 18:02, Robert Nagy wrote:
> I think that arc4random diff is not enough, there are more places where
> this is used aren't there?
They usually use ngx_random which is just a #define. There is room
for improvement, they have some calls which could be converted to
arc4random_uniform, and I'm not sure what they are doing with
ngx_random_number yet, but at least this gets rid of the random()
and srandom() users.
> On (2014-11-06 12:19), Stuart Henderson wrote:
> > Add a configure check for SSL_get0_alpn_selected() and use it instead
> > of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
> > to openssl at the same time as ALPN support, but arrived in libressl
> > before ALPN support).
> >
> > While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
> > so we miss their usual checks), and add a bonus arc4random conversion
> > (main use is in their dns resolver, I think).
> >
> > Unbreaks the port.
> >
> > OK?
> >
> >
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/www/nginx/Makefile,v
> > retrieving revision 1.66
> > diff -u -p -r1.66 Makefile
> > --- Makefile 31 Oct 2014 14:40:59 -0000 1.66
> > +++ Makefile 6 Nov 2014 12:10:03 -0000
> > @@ -3,6 +3,7 @@
> > COMMENT= robust and small HTTP server and mail proxy server
> >
> > VERSION= 1.7.7
> > +REVISION= 0
> > DISTNAME= nginx-${VERSION}
> > CATEGORIES= www
> >
> > @@ -25,6 +26,7 @@ LIB_DEPENDS+= devel/pcre
> >
> > NGINX_DIR= /var/www
> > SUBST_VARS= NGINX_DIR
> > +CFLAGS+= -Wall -Wpointer-arith -Werror
> >
> > FLAVORS= lua naxsi passenger
> > FLAVOR?=
> > Index: patches/patch-auto_lib_openssl_conf
> > ===================================================================
> > RCS file: patches/patch-auto_lib_openssl_conf
> > diff -N patches/patch-auto_lib_openssl_conf
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-auto_lib_openssl_conf 6 Nov 2014 12:10:03 -0000
> > @@ -0,0 +1,20 @@
> > +$OpenBSD$
> > +--- auto/lib/openssl/conf.orig Thu Nov 6 11:59:59 2014
> > ++++ auto/lib/openssl/conf Thu Nov 6 12:00:02 2014
> > +@@ -59,6 +59,16 @@ else
> > + have=NGX_SSL . auto/have
> > + CORE_LIBS="$CORE_LIBS $ngx_feature_libs $NGX_LIBDL"
> > + OPENSSL=YES
> > ++
> > ++ ngx_feature="SSL_get0_alpn_selected()"
> > ++ ngx_feature_name="NGX_HAVE_ALPN"
> > ++ ngx_feature_run=no
> > ++ ngx_feature_incs="#include <openssl/ssl.h>"
> > ++ ngx_feature_path=
> > ++ ngx_feature_libs="-lssl -lcrypto"
> > ++ ngx_feature_test="SSL_get0_alpn_selected(NULL, NULL, NULL);"
> > ++ . auto/feature
> > ++
> > + fi
> > + fi
> > +
> > Index: patches/patch-src_core_ngx_config_h
> > ===================================================================
> > RCS file: patches/patch-src_core_ngx_config_h
> > diff -N patches/patch-src_core_ngx_config_h
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_core_ngx_config_h 6 Nov 2014 12:10:03 -0000
> > @@ -0,0 +1,12 @@
> > +$OpenBSD$
> > +--- src/core/ngx_config.h.orig Thu Nov 6 11:42:58 2014
> > ++++ src/core/ngx_config.h Thu Nov 6 11:45:38 2014
> > +@@ -54,7 +54,7 @@
> > + #define ngx_signal_helper(n) SIG##n
> > + #define ngx_signal_value(n) ngx_signal_helper(n)
> > +
> > +-#define ngx_random random
> > ++#define ngx_random arc4random
> > +
> > + /* TODO: #ifndef */
> > + #define NGX_SHUTDOWN_SIGNAL QUIT
> > Index: patches/patch-src_http_modules_ngx_http_ssl_module_c
> > ===================================================================
> > RCS file: patches/patch-src_http_modules_ngx_http_ssl_module_c
> > diff -N patches/patch-src_http_modules_ngx_http_ssl_module_c
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_http_modules_ngx_http_ssl_module_c 6 Nov 2014
> > 12:10:03 -0000
> > @@ -0,0 +1,30 @@
> > +$OpenBSD$
> > +--- src/http/modules/ngx_http_ssl_module.c.orig Thu Nov 6 12:06:47 2014
> > ++++ src/http/modules/ngx_http_ssl_module.c Thu Nov 6 12:08:20 2014
> > +@@ -20,7 +20,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_c
> > + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
> > +
> > +
> > +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> > ++#ifdef NGX_HAVE_ALPN
> > + static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
> > + const unsigned char **out, unsigned char *outlen,
> > + const unsigned char *in, unsigned int inlen, void *arg);
> > +@@ -314,7 +314,7 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
> > + static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
> > +
> > +
> > +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> > ++#ifdef NGX_HAVE_ALPN
> > +
> > + static int
> > + ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char
> > **out,
> > +@@ -646,7 +646,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *pare
> > +
> > + #endif
> > +
> > +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> > ++#ifdef NGX_HAVE_ALPN
> > + SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select,
> > NULL);
> > + #endif
> > +
> > Index: patches/patch-src_http_ngx_http_request_c
> > ===================================================================
> > RCS file: patches/patch-src_http_ngx_http_request_c
> > diff -N patches/patch-src_http_ngx_http_request_c
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_http_ngx_http_request_c 6 Nov 2014 12:10:03
> > -0000
> > @@ -0,0 +1,12 @@
> > +$OpenBSD$
> > +--- src/http/ngx_http_request.c.orig Thu Nov 6 12:05:45 2014
> > ++++ src/http/ngx_http_request.c Thu Nov 6 12:06:04 2014
> > +@@ -771,7 +771,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
> > + const unsigned char *data;
> > + static const ngx_str_t spdy =
> > ngx_string(NGX_SPDY_NPN_NEGOTIATED);
> > +
> > +-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> > ++#ifdef NGINX_HAVE_ALPN
> > + SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
> > +
> > + #ifdef TLSEXT_TYPE_next_proto_neg
> > Index: patches/patch-src_os_unix_ngx_posix_init_c
> > ===================================================================
> > RCS file: patches/patch-src_os_unix_ngx_posix_init_c
> > diff -N patches/patch-src_os_unix_ngx_posix_init_c
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_os_unix_ngx_posix_init_c 6 Nov 2014 12:10:03
> > -0000
> > @@ -0,0 +1,15 @@
> > +$OpenBSD$
> > +
> > +using arc4random (see ngx_config.h) so no need to seed.
> > +
> > +--- src/os/unix/ngx_posix_init.c.orig Thu Nov 6 11:48:48 2014
> > ++++ src/os/unix/ngx_posix_init.c Thu Nov 6 11:49:04 2014
> > +@@ -75,8 +75,6 @@ ngx_os_init(ngx_log_t *log)
> > + ngx_inherited_nonblocking = 0;
> > + #endif
> > +
> > +- srandom(ngx_time());
> > +-
> > + return NGX_OK;
> > + }
> > +
> > Index: patches/patch-src_os_unix_ngx_process_cycle_c
> > ===================================================================
> > RCS file: patches/patch-src_os_unix_ngx_process_cycle_c
> > diff -N patches/patch-src_os_unix_ngx_process_cycle_c
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_os_unix_ngx_process_cycle_c 6 Nov 2014 12:10:03
> > -0000
> > @@ -0,0 +1,15 @@
> > +$OpenBSD$
> > +
> > +using arc4random (see ngx_config.h) so no need to seed.
> > +
> > +--- src/os/unix/ngx_process_cycle.c.orig Thu Nov 6 11:48:48 2014
> > ++++ src/os/unix/ngx_process_cycle.c Thu Nov 6 11:49:12 2014
> > +@@ -1015,8 +1015,6 @@ nochroot:
> > + "sigprocmask() failed");
> > + }
> > +
> > +- srandom((ngx_pid << 16) ^ ngx_time());
> > +-
> > + /*
> > + * disable deleting previous events for the listening sockets because
> > + * in the worker processes there are no events at all at this point
> >
>
