sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-18 17:59:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Update `www/pound' to version 2.8 and unbreak against

Browse source 
newish OpenSSL versions [*]
- Add a handful of useful patches from upstream SRPM
- Use upstream program description for COMMENT (shorter)
- Utilize its own installation target and only post-install
  documentation files; install sample configuration file
- Consummate conversion to option helpers and transfer
  maintainership to the new volunteer

PR:	234556 [*]
This commit is contained in:
Alexey Dokuchaev 2019-03-30 15:47:42 +00:00
parent 11fc921520
commit c7369f228e
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=497256
11 changed files with 917 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
www/pound/Makefile
View file

@ -2,15 +2,22 @@
# $FreeBSD$
PORTNAME= pound
PORTVERSION= 2.7
PORTREVISION= 1
PORTVERSION= 2.8
CATEGORIES= www net
MASTER_SITES= http://www.apsis.ch/pound/ \
ftp://ftp.nuug.no/pub/anders/distfiles/
DISTNAME= Pound-${PORTVERSION}
MAINTAINER= ports@FreeBSD.org
COMMENT= Reverse proxy, load balancer and HTTP(S) frontend for web servers
EXTRA_PATCHES= \
${FILESDIR}/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch:-p1 \
${FILESDIR}/0002-add-support-openssl1.1-dhparam.patch:-p1 \
${FILESDIR}/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch:-p1 \
${FILESDIR}/pound-2.8-websocket.diff:-p1 \
${FILESDIR}/pound-2.8-fallback_scsv.diff:-p0 \
${FILESDIR}/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch:-p1
MAINTAINER= zeus@gnu.org.ua
COMMENT= HTTP/HTTPS reverse-proxy and load-balancer
LICENSE= GPLv3
LICENSE_FILE= ${WRKSRC}/GPL.txt
@ -20,9 +27,11 @@ GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-tcmalloc --disable-hoard
USE_RC_SUBR= ${PORTNAME}
SUB_FILES= ${PORTNAME}.cfg
SUB_LIST= NAME=${PORTNAME}
PLIST_FILES= sbin/pound \
PLIST_FILES= @sample\ etc/pound.cfg.sample \
sbin/pound \
sbin/poundctl \
man/man8/pound.8.gz \
man/man8/poundctl.8.gz
@ -31,21 +40,15 @@ PORTDOCS= README FAQ CHANGELOG
OPTIONS_DEFINE= DOCS PCRE
OPTIONS_DEFAULT=PCRE
PCRE_LIB_DEPENDS= libpcre.so:devel/pcre
PCRE_USES= localbase
PCRE_CONFIGURE_ENABLE= pcreposix
.include <bsd.port.options.mk>
post-install:
${INSTALL_DATA} ${WRKDIR}/${PORTNAME}.cfg \
${STAGEDIR}${PREFIX}/etc/${PORTNAME}.cfg.sample
.if ${PORT_OPTIONS:MPCRE}
LIB_DEPENDS+= libpcre.so:devel/pcre
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
.endif
do-install:
${INSTALL_PROGRAM} ${WRKSRC}/pound ${WRKSRC}/poundctl \
${STAGEDIR}${PREFIX}/sbin
${INSTALL_MAN} ${WRKSRC}/pound.8 ${WRKSRC}/poundctl.8 \
${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}

5
www/pound/distinfo
View file

@ -1,2 +1,3 @@
SHA256 (Pound-2.7.tgz) = cdfbf5a7e8dc8fbbe0d6c1e83cd3bd3f2472160aac65684bb01ef661c626a8e4
SIZE (Pound-2.7.tgz) = 186887
TIMESTAMP = 1526033851
SHA256 (Pound-2.8.tgz) = a7fd8690de0fd390615e79fd0f4bfd56a544b8ef97dd6659c07ecd3207480c25
SIZE (Pound-2.8.tgz) = 186124

39
www/pound/files/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch Normal file
View file

@ -0,0 +1,39 @@
From: Brett Parker <iDunno@sommitrealweird.co.uk>
Date: Sat, 30 Jul 2016 21:47:14 +0100
Subject: Add MKCALENDAR to xHTTP 2 and above
---
config.c | 6 +++---
pound.8 | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config.c b/config.c
index de1e163..68e2d2f 100644
--- a/config.c
+++ b/config.c
@@ -87,9 +87,9 @@ static regmatch_t matches[5];
static char *xhttp[] = {
"^(GET|POST|HEAD) ([^ ]+) HTTP/1.[01]$",
"^(GET|POST|HEAD|PUT|PATCH|DELETE) ([^ ]+) HTTP/1.[01]$",
- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT) ([^ ]+) HTTP/1.[01]$",
- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT) ([^ ]+) HTTP/1.[01]$",
- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT|RPC_IN_DATA|RPC_OUT_DATA) ([^ ]+) HTTP/1.[01]$",
+ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR) ([^ ]+) HTTP/1.[01]$",
+ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT) ([^ ]+) HTTP/1.[01]$",
+ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT|RPC_IN_DATA|RPC_OUT_DATA) ([^ ]+) HTTP/1.[01]$",
};
static int log_level = 1;
diff --git a/pound.8 b/pound.8
index ceddf48..235d829 100644
--- a/pound.8
+++ b/pound.8
@@ -368,7 +368,7 @@ additionally allow extended HTTP requests (PUT, PATCH, DELETE).
.I 2
additionally allow standard WebDAV verbs (LOCK, UNLOCK, PROPFIND,
PROPPATCH, SEARCH, MKCOL, MOVE, COPY, OPTIONS, TRACE, MKACTIVITY,
-CHECKOUT, MERGE, REPORT).
+CHECKOUT, MERGE, REPORT, MKCALENDAR).
.IP
.I 3
additionally allow MS extensions WebDAV verbs (SUBSCRIBE, UNSUBSCRIBE,

54
www/pound/files/0002-add-support-openssl1.1-dhparam.patch Normal file
View file

@ -0,0 +1,54 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sun, 19 Feb 2017 14:34:38 +0100
Subject: [PATCH] pound: Add support for openssl 1.1
This patch adds support for "openssl dhparam -C" created header files where
openssl binary itself is 1.1 but the code using the file is linked against
1.0.2.
This will not let the pound as compile against openssl 1.1.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
svc.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
--- a/svc.c
+++ b/svc.c
@@ -1448,6 +1448,37 @@ do_RSAgen(void)
return;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
#include "dh512.h"
#if DH_LEN == 1024

323
www/pound/files/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch Normal file
View file

@ -0,0 +1,323 @@
From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Wed, 28 Feb 2018 13:44:01 +0000
Subject: [PATCH] Support for Openssl 1.1
---
config.c | 17 +++++++--
http.c | 12 ++++++-
pound.h | 4 ++-
svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++----------
5 files changed, 125 insertions(+), 24 deletions(-)
create mode 100644 .gitignore
diff --git a/config.c b/config.c
index d41a3ee..e8fec0f 100644
--- a/config.c
+++ b/config.c
@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
}
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define general_name_string(n) \
+ strndup(ASN1_STRING_get0_data(n->d.dNSName), \
+ ASN1_STRING_length(n->d.dNSName) + 1)
+#else
+# define general_name_string(n) \
+ strndup(ASN1_STRING_data(n->d.dNSName), \
+ ASN1_STRING_length(n->d.dNSName) + 1)
+#endif
+
unsigned char **
get_subjectaltnames(X509 *x509, unsigned int *count)
{
@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
name = sk_GENERAL_NAME_pop(san_stack);
switch(name->type) {
case GEN_DNS:
- temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
- + 1);
+ temp[local_count] = general_name_string(name);
if(temp[local_count] == NULL)
conf_err("out of memory");
local_count++;
@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
pthread_mutex_init(&res->mut, NULL);
if(svc_name)
strncpy(res->name, svc_name, KEY_SIZE);
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
#else
if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
diff --git a/http.c b/http.c
index dd211e4..c8e756a 100644
--- a/http.c
+++ b/http.c
@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
/* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define clear_error()
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+# define clear_error() \
+ if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
+#else
+# define clear_error() \
+ if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
+#endif
+
#define clean_all() { \
if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
- if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
+ clear_error(); \
}
/*
diff --git a/pound.h b/pound.h
index fa22c36..9603b91 100644
--- a/pound.h
+++ b/pound.h
@@ -344,7 +344,9 @@ typedef struct _tn {
/* maximal session key size */
#define KEY_SIZE 127
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ DEFINE_LHASH_OF(TABNODE);
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
DECLARE_LHASH_OF(TABNODE);
#endif
diff --git a/svc.c b/svc.c
index 60ba488..063b92c 100644
--- a/svc.c
+++ b/svc.c
@@ -27,10 +27,17 @@
#include "pound.h"
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
+# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
+#else
#ifndef LHASH_OF
#define LHASH_OF(x) LHASH
#define CHECKED_LHASH_OF(type, h) h
#endif
+# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
+# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
+#endif
/*
* Add a new key/content pair to a hash table
@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
}
memcpy(t->content, content, cont_len);
t->last_acc = time(NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((old = lh_TABNODE_insert(tab, t)) != NULL) {
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
#else
if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
TABNODE t, *res;
t.key = key;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
#else
if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
TABNODE t, *res;
t.key = key;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
#else
if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
TABNODE *res;
if(t->last_acc < a->lim)
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
#else
if((res = lh_delete(a->tab, t)) != NULL) {
@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
+#endif
+
/*
* Expire all old nodes
*/
@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
a.tab = tab;
a.lim = lim;
- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ down_load = TABNODE_GET_DOWN_LOAD(tab);
+ TABNODE_SET_DOWN_LOAD(tab, 0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
#else
lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
#endif
- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
+ TABNODE_SET_DOWN_LOAD(tab, down_load);
return;
}
@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
TABNODE *res;
if(memcmp(t->content, arg->content, arg->cont_len) == 0)
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
#else
if((res = lh_delete(arg->tab, t)) != NULL) {
@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
a.tab = tab;
a.content = content;
a.cont_len = cont_len;
- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ down_load = TABNODE_GET_DOWN_LOAD(tab);
+ TABNODE_SET_DOWN_LOAD(tab, 0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
#else
lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
#endif
- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
- return;
+ TABNODE_SET_DOWN_LOAD(tab, down_load);
}
/*
@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
return res;
}
+static int
+generate_key(RSA **ret_rsa, unsigned long bits)
+{
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+ int rc = 0;
+ RSA *rsa;
+
+ rsa = RSA_new();
+ if (rsa) {
+ BIGNUM *bne = BN_new();
+ if (BN_set_word(bne, RSA_F4))
+ rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
+ BN_free(bne);
+ if (rc)
+ *ret_rsa = rsa;
+ else
+ RSA_free(rsa);
+ }
+ return rc;
+#else
+ *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
+ return *ret_rsa != NULL;
+#endif
+}
+
/*
* Periodically regenerate ephemeral RSA keys
* runs every T_RSA_KEYS seconds
@@ -1274,8 +1323,9 @@ do_RSAgen(void)
RSA *t_RSA1024_keys[N_RSA_KEYS];
for(n = 0; n < N_RSA_KEYS; n++) {
- t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
- t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
+ /* FIXME: Error handling */
+ generate_key(&t_RSA512_keys[n], 512);
+ generate_key(&t_RSA1024_keys[n], 1024);
}
if(ret_val = pthread_mutex_lock(&RSA_mut))
logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
@@ -1329,11 +1379,11 @@ init_timer(void)
* Pre-generate ephemeral RSA keys
*/
for(n = 0; n < N_RSA_KEYS; n++) {
- if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
+ if(!generate_key(&RSA512_keys[n], 512)) {
logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
return;
}
- if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
+ if(!generate_key(&RSA1024_keys[n], 1024)) {
logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
return;
}
@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
+#endif
+
/*
* write sessions to the control socket
*/
@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
a.control_sock = control_sock;
a.backends = backends;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
#else
lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
@@ -1664,6 +1720,13 @@ thr_control(void *arg)
}
}
+#ifndef SSL3_ST_SR_CLNT_HELLO_A
+# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
+#endif
+#ifndef SSL23_ST_SR_CLNT_HELLO_A
+# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
+#endif
+
void
SSLINFO_callback(const SSL *ssl, int where, int rc)
{

41
www/pound/files/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch Normal file
View file

@ -0,0 +1,41 @@
From c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Mon, 19 Mar 2018 18:11:59 +0200
Subject: [PATCH] Bugfix
* http.c: Stop if BIO_read returns <= 0
---
http.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http.c b/http.c
index 496a84e..c461489 100644
--- a/http.c
+++ b/http.c
@@ -142,7 +142,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
if(tmp != '\n') {
/* we have CR not followed by NL */
do {
- if(BIO_read(in, &tmp, 1) < 0)
+ if(BIO_read(in, &tmp, 1) <= 0)
return 1;
} while(tmp != '\n');
return 1;
@@ -169,7 +169,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
/* all other control characters cause an error */
do {
- if(BIO_read(in, &tmp, 1) < 0)
+ if(BIO_read(in, &tmp, 1) <= 0)
return 1;
} while(tmp != '\n');
return 1;
@@ -177,7 +177,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
/* line too long */
do {
- if(BIO_read(in, &tmp, 1) < 0)
+ if(BIO_read(in, &tmp, 1) <= 0)
return 1;
} while(tmp != '\n');
return 1;

18
www/pound/files/patch-Makefile.in Normal file
View file

@ -0,0 +1,18 @@
--- Makefile.in.orig 2018-05-11 10:16:05 UTC
+++ Makefile.in
@@ -58,11 +58,11 @@ $(OBJS) poundctl.o: pound.h config.h
install: all
@INSTALL@ -d ${DESTDIR}@sbindir@
- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 555 pound ${DESTDIR}@sbindir@/pound
- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 555 poundctl ${DESTDIR}@sbindir@/poundctl
+ @INSTALL@ -p -m 755 pound ${DESTDIR}@sbindir@/pound
+ @INSTALL@ -p -m 755 poundctl ${DESTDIR}@sbindir@/poundctl
@INSTALL@ -d ${DESTDIR}@mandir@/man8
- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 644 pound.8 ${DESTDIR}@mandir@/man8/pound.8
- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 644 poundctl.8 ${DESTDIR}@mandir@/man8/poundctl.8
+ @INSTALL@ -p -m 644 pound.8 ${DESTDIR}@mandir@/man8/pound.8
+ @INSTALL@ -p -m 644 poundctl.8 ${DESTDIR}@mandir@/man8/poundctl.8
clean:
rm -f pound $(OBJS) poundctl poundctl.o

29
www/pound/files/patch-svc.c Normal file
View file

@ -0,0 +1,29 @@
--- svc.c.orig 2018-05-11 10:16:05 UTC
+++ svc.c
@@ -273,6 +273,7 @@ addr2str(char *const res, const int res_len, const str
char buf[MAXBUF];
int port;
void *src;
+ char *p = buf;
memset(res, 0, res_len);
#ifdef HAVE_INET_NTOP
@@ -298,10 +299,15 @@ addr2str(char *const res, const int res_len, const str
port = 0;
break;
}
- if(no_port)
- snprintf(res, res_len, "%s", buf);
+ // Strip off the IPv6 prefix
+ if (strncmp(buf, "::ffff:", 7) == 0)
+ {
+ p = buf + 7;
+ }
+ if (no_port)
+ snprintf(res, res_len, "%s", p);
else
- snprintf(res, res_len, "%s:%d", buf, port);
+ snprintf(res, res_len, "%s:%d", p, port);
#else
#error "Pound needs inet_ntop()"
#endif

12
www/pound/files/pound-2.8-fallback_scsv.diff Normal file
View file

@ -0,0 +1,12 @@
--- config.c.orig 2018-05-11 12:16:05.000000000 +0200
+++ config.c 2018-12-22 23:19:53.912203188 +0100
@@ -347,9 +347,6 @@
SSL_CTX_set_app_data(res->ctx, res);
SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
-#ifdef SSL_MODE_SEND_FALLBACK_SCSV
- SSL_CTX_set_mode(res->ctx, SSL_MODE_SEND_FALLBACK_SCSV);
-#endif
SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION);

328
www/pound/files/pound-2.8-websocket.diff Normal file
View file

@ -0,0 +1,328 @@
diff -Nur Pound-2.8.orig/config.c Pound-2.8/config.c
--- Pound-2.8.orig/config.c 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/config.c 2018-07-30 14:10:01.693667854 +0200
@@ -77,7 +77,7 @@
static regex_t ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client, CheckURL;
static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
-static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID;
+static regex_t Redirect, RedirectN, TimeOut, WSTimeOut, Session, Type, TTL, ID;
static regex_t ClientCert, AddHeader, DisableProto, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers;
static regex_t CAlist, VerifyList, CRLlist, NoHTTPS11, Grace, Include, ConnTO, IgnoreCase, HTTPS;
static regex_t Disabled, Threads, CNName, Anonymise, ECDHCurve;
@@ -96,6 +96,7 @@
static int def_facility = LOG_DAEMON;
static int clnt_to = 10;
static int be_to = 15;
+static int ws_to = 600;
static int be_connto = 15;
static int ignore_case = 0;
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
@@ -242,6 +243,7 @@
res->addr.ai_socktype = SOCK_STREAM;
res->to = is_emergency? 120: be_to;
res->conn_to = is_emergency? 120: be_connto;
+ res->ws_to = is_emergency? 120: ws_to;
res->alive = 1;
memset(&res->addr, 0, sizeof(res->addr));
res->priority = 5;
@@ -292,6 +294,8 @@
res->priority = atoi(lin + matches[1].rm_so);
} else if(!regexec(&TimeOut, lin, 4, matches, 0)) {
res->to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&WSTimeOut, lin, 4, matches, 0)) {
+ res->ws_to = atoi(lin + matches[1].rm_so);
} else if(!regexec(&ConnTO, lin, 4, matches, 0)) {
res->conn_to = atoi(lin + matches[1].rm_so);
} else if(!regexec(&HAport, lin, 4, matches, 0)) {
@@ -1340,6 +1344,8 @@
alive_to = atoi(lin + matches[1].rm_so);
} else if(!regexec(&TimeOut, lin, 4, matches, 0)) {
be_to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&WSTimeOut, lin, 4, matches, 0)) {
+ ws_to = atoi(lin + matches[1].rm_so);
} else if(!regexec(&ConnTO, lin, 4, matches, 0)) {
be_connto = atoi(lin + matches[1].rm_so);
} else if(!regexec(&IgnoreCase, lin, 4, matches, 0)) {
@@ -1467,6 +1473,7 @@
|| regcomp(&Emergency, "^[ \t]*Emergency[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&Priority, "^[ \t]*Priority[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&TimeOut, "^[ \t]*TimeOut[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&WSTimeOut, "^[ \t]*WSTimeOut[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&HAport, "^[ \t]*HAport[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&HAportAddr, "^[ \t]*HAport[ \t]+([^ \t]+)[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&Redirect, "^[ \t]*Redirect[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1632,6 +1639,7 @@
regfree(&Emergency);
regfree(&Priority);
regfree(&TimeOut);
+ regfree(&WSTimeOut);
regfree(&HAport);
regfree(&HAportAddr);
regfree(&Redirect);
diff -Nur Pound-2.8.orig/http.c Pound-2.8/http.c
--- Pound-2.8.orig/http.c 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/http.c 2018-07-30 14:10:01.693667854 +0200
@@ -541,7 +541,7 @@
void
do_http(thr_arg *arg)
{
- int cl_11, be_11, res, chunked, n, sock, no_cont, skip, conn_closed, force_10, sock_proto, is_rpc;
+ int cl_11, be_11, res, chunked, n, sock, no_cont, skip, conn_closed, force_10, sock_proto, is_rpc, is_ws;
LISTENER *lstn;
SERVICE *svc;
BACKEND *backend, *cur_backend, *old_backend;
@@ -662,6 +662,7 @@
for(cl_11 = be_11 = 0;;) {
res_bytes = L0;
is_rpc = -1;
+ is_ws = 0;
v_host[0] = referer[0] = u_agent[0] = u_name[0] = '\0';
conn_closed = 0;
for(n = 0; n < MAXHEADERS; n++)
@@ -689,6 +690,8 @@
is_rpc = 1;
else if(!strncasecmp(request + matches[1].rm_so, "RPC_OUT_DATA", matches[1].rm_eo - matches[1].rm_so))
is_rpc = 0;
+ else if(!strncasecmp(request + matches[1].rm_so, "GET", matches[1].rm_eo - matches[1].rm_so))
+ is_ws |= 0x1;
} else {
addr2str(caddr, MAXBUF - 1, &from_host, 1);
logmsg(LOG_WARNING, "(%lx) e501 bad request \"%s\" from %s", pthread_self(), request, caddr);
@@ -733,6 +736,13 @@
case HEADER_CONNECTION:
if(!strcasecmp("close", buf))
conn_closed = 1;
+ /* Connection: upgrade */
+ else if(!regexec(&CONN_UPGRD, buf, 0, NULL, 0))
+ is_ws |= 0x2;
+ break;
+ case HEADER_UPGRADE:
+ if(!strcasecmp("websocket", buf))
+ is_ws |= 0x4;
break;
case HEADER_TRANSFER_ENCODING:
if(!strcasecmp("chunked", buf))
@@ -1402,12 +1412,21 @@
/* some response codes (1xx, 204, 304) have no content */
if(!no_cont && !regexec(&RESP_IGN, response, 0, NULL, 0))
no_cont = 1;
+ if(!strncasecmp("101", response + 9, 3))
+ is_ws |= 0x10;
for(chunked = 0, cont = -1L, n = 1; n < MAXHEADERS && headers[n]; n++) {
switch(check_header(headers[n], buf)) {
case HEADER_CONNECTION:
if(!strcasecmp("close", buf))
conn_closed = 1;
+ /* Connection: upgrade */
+ else if(!regexec(&CONN_UPGRD, buf, 0, NULL, 0))
+ is_ws |= 0x20;
+ break;
+ case HEADER_UPGRADE:
+ if(!strcasecmp("websocket", buf))
+ is_ws |= 0x40;
break;
case HEADER_TRANSFER_ENCODING:
if(!strcasecmp("chunked", buf)) {
@@ -1571,6 +1590,114 @@
clean_all();
return;
}
+ } else if(is_ws == 0x77) {
+ /*
+ * special mode for Websockets - content until EOF
+ */
+ char one;
+ BIO *cl_unbuf;
+ BIO *be_unbuf;
+ struct pollfd p[2];
+
+ cl_11 = be_11 = 0;
+
+ memset(p, 0, sizeof(p));
+ BIO_get_fd(cl, &p[0].fd);
+ p[0].events = POLLIN | POLLPRI;
+ BIO_get_fd(be, &p[1].fd);
+ p[1].events = POLLIN | POLLPRI;
+
+ while (BIO_pending(cl) || BIO_pending(be) || poll(p, 2, cur_backend->ws_to * 1000) > 0) {
+
+ /*
+ * first read whatever is already in the input buffer
+ */
+ while(BIO_pending(cl)) {
+ if(BIO_read(cl, &one, 1) != 1) {
+ logmsg(LOG_NOTICE, "(%lx) error read ws request pending: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+ if(BIO_write(be, &one, 1) != 1) {
+ if(errno)
+ logmsg(LOG_NOTICE, "(%lx) error write ws request pending: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+ }
+ BIO_flush(be);
+
+ while(BIO_pending(be)) {
+ if(BIO_read(be, &one, 1) != 1) {
+ logmsg(LOG_NOTICE, "(%lx) error read ws response pending: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+ if(BIO_write(cl, &one, 1) != 1) {
+ if(errno)
+ logmsg(LOG_NOTICE, "(%lx) error write ws response pending: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+ res_bytes++;
+ }
+ BIO_flush(cl);
+
+ /*
+ * find the socket BIO in the chain
+ */
+ if ((cl_unbuf = BIO_find_type(cl, lstn->ctx? BIO_TYPE_SSL : BIO_TYPE_SOCKET)) == NULL) {
+ logmsg(LOG_WARNING, "(%lx) error get unbuffered: %s", pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+ if((be_unbuf = BIO_find_type(be, cur_backend->ctx? BIO_TYPE_SSL : BIO_TYPE_SOCKET)) == NULL) {
+ logmsg(LOG_WARNING, "(%lx) error get unbuffered: %s", pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ }
+
+ /*
+ * copy till EOF
+ */
+ if(p[0].revents) {
+ res = BIO_read(cl_unbuf, buf, MAXBUF);
+ if(res <= 0) {
+ break;
+ }
+ if(BIO_write(be, buf, res) != res) {
+ if(errno)
+ logmsg(LOG_NOTICE, "(%lx) error copy ws request body: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ } else {
+ BIO_flush(be);
+ }
+ p[0].revents = 0;
+ }
+ if(p[1].revents) {
+ res = BIO_read(be_unbuf, buf, MAXBUF);
+ if(res <= 0) {
+ break;
+ }
+ if(BIO_write(cl, buf, res) != res) {
+ if(errno)
+ logmsg(LOG_NOTICE, "(%lx) error copy ws response body: %s",
+ pthread_self(), strerror(errno));
+ clean_all();
+ return;
+ } else {
+ res_bytes += res;
+ BIO_flush(cl);
+ }
+ p[1].revents = 0;
+ }
+ }
}
}
end_req = cur_time();
diff -Nur Pound-2.8.orig/pound.8 Pound-2.8/pound.8
--- Pound-2.8.orig/pound.8 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/pound.8 2018-07-30 14:10:01.693667854 +0200
@@ -289,6 +289,13 @@
.B TimeOut
value. This value can be overridden for specific back-ends.
.TP
+\fBWSTimeOut\fR value
+How long should
+.B Pound
+wait for data from either back-end or client in a connection upgraded to
+a WebSocket (in seconds). Default: 600 seconds.
+This value can be overridden for specific back-ends.
+.TP
\fBGrace\fR value
How long should
.B Pound
@@ -762,6 +769,11 @@
.I ConnTO
value.
.TP
+\fBWSTimeOut\fR val
+Override the global
+.I WSTimeOut
+value.
+.TP
\fBHAport\fR [ address ] port
A port (and optional address) to be used for server function checks. See below
the "High Availability" section for a more detailed discussion. By default
diff -Nur Pound-2.8.orig/pound.c Pound-2.8/pound.c
--- Pound-2.8.orig/pound.c 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/pound.c 2018-07-30 14:10:01.693667854 +0200
@@ -47,6 +47,7 @@
LISTENER *listeners; /* all available listeners */
regex_t HEADER, /* Allowed header */
+ CONN_UPGRD, /* upgrade in connection header */
CHUNK_HEAD, /* chunk header line */
RESP_SKIP, /* responses for which we skip response */
RESP_IGN, /* responses for which we ignore content */
@@ -287,6 +288,7 @@
/* prepare regular expressions */
if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&CONN_UPGRD, "(^|[ \t,])upgrade([ \t,]|$)", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&RESP_SKIP, "^HTTP/1.1 100.*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&RESP_IGN, "^HTTP/1.[01] (10[1-9]|1[1-9][0-9]|204|30[456]).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
diff -Nur Pound-2.8.orig/pound.h Pound-2.8/pound.h
--- Pound-2.8.orig/pound.h 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/pound.h 2018-07-30 14:10:01.697667855 +0200
@@ -276,6 +276,7 @@
control_sock; /* control socket */
extern regex_t HEADER, /* Allowed header */
+ CONN_UPGRD, /* upgrade in connection header */
CHUNK_HEAD, /* chunk header line */
RESP_SKIP, /* responses for which we skip response */
RESP_IGN, /* responses for which we ignore content */
@@ -319,6 +320,7 @@
int priority; /* priority */
int to; /* read/write time-out */
int conn_to; /* connection time-out */
+ int ws_to; /* websocket time-out */
struct addrinfo ha_addr; /* HA address/port */
char *url; /* for redirectors */
int redir_req; /* the redirect should include the request path */
@@ -440,6 +442,7 @@
#define HEADER_URI 9
#define HEADER_DESTINATION 10
#define HEADER_EXPECT 11
+#define HEADER_UPGRADE 13
/* control request stuff */
typedef enum {
diff -Nur Pound-2.8.orig/svc.c Pound-2.8/svc.c
--- Pound-2.8.orig/svc.c 2018-05-11 12:16:05.000000000 +0200
+++ Pound-2.8/svc.c 2018-07-30 14:10:01.697667855 +0200
@@ -395,6 +395,7 @@
{ "User-agent", 10, HEADER_USER_AGENT },
{ "Destination", 11, HEADER_DESTINATION },
{ "Expect", 6, HEADER_EXPECT },
+ { "Upgrade", 7, HEADER_UPGRADE },
{ "", 0, HEADER_OTHER },
};
int i;

50
www/pound/files/pound.cfg.in Normal file
View file

@ -0,0 +1,50 @@
#User "pound"
#Group "pound"
RootJail "/var/empty/pound"
Control "/var/run/pound/ctl_socket"
# Main listening ports
ListenHTTP
Address 0.0.0.0
Port 81
xHTTP 1
End
ListenHTTPS
Address 0.0.0.0
Port 444
Cert "%%PREFIX%%/share/certs/pound.pem"
Disable SSLv3
Ciphers "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW"
xHTTP 1
End
# Images server(s)
Service
URL ".*.(jpg|gif)"
BackEnd
Address 127.0.0.1
Port 80
End
End
# Redirect all requests for /forbidden
Service
Url "/forbidden.*"
Redirect "https://localhost/"
End
# Catch-all server(s)
Service
BackEnd
Address 127.0.0.1
Port 80
End
BackEnd
Address 127.0.0.1
Port 80
End
Session
Type BASIC
TTL 300
End
End