nginx vs TLSEXT_TYPE_application_layer_protocol_negotiation


nginx vs TLSEXT_TYPE_application_layer_protocol_negotiation

Stuart Henderson-6
Add a configure check for SSL_get0_alpn_selected() and use it instead
of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
to openssl at the same time as ALPN support, but arrived in libressl
before ALPN support).

While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
so we miss their usual checks), and add a bonus arc4random conversion
(main use is in their dns resolver, I think).

Unbreaks the port.

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
retrieving revision 1.66
diff -u -p -r1.66 Makefile
--- Makefile 31 Oct 2014 14:40:59 -0000 1.66
+++ Makefile 6 Nov 2014 12:10:03 -0000
@@ -3,6 +3,7 @@
 COMMENT= robust and small HTTP server and mail proxy server
 
 VERSION= 1.7.7
+REVISION= 0
 DISTNAME= nginx-${VERSION}
 CATEGORIES= www
 
@@ -25,6 +26,7 @@ LIB_DEPENDS+= devel/pcre
 
 NGINX_DIR= /var/www
 SUBST_VARS= NGINX_DIR
+CFLAGS+= -Wall -Wpointer-arith -Werror
 
 FLAVORS= lua naxsi passenger
 FLAVOR?=
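Review bot: the `CFLAGS+= -Wall -Wpointer-arith -Werror` line makes every warning from the base compiler a hard build failure for the port, which is a different trade-off from upstream choosing -Werror for its own builds; if the goal is to get upstream's checks while still building with the ports CFLAGS, consider keeping `-Wall -Wpointer-arith` and dropping `-Werror`, or note in the Makefile that this will need revisiting whenever the compiler changes.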
Index: patches/patch-auto_lib_openssl_conf
===================================================================
RCS file: patches/patch-auto_lib_openssl_conf
diff -N patches/patch-auto_lib_openssl_conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-auto_lib_openssl_conf 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+--- auto/lib/openssl/conf.orig Thu Nov  6 11:59:59 2014
++++ auto/lib/openssl/conf Thu Nov  6 12:00:02 2014
+@@ -59,6 +59,16 @@ else
+             have=NGX_SSL . auto/have
+             CORE_LIBS="$CORE_LIBS $ngx_feature_libs $NGX_LIBDL"
+             OPENSSL=YES
++
++            ngx_feature="SSL_get0_alpn_selected()"
++            ngx_feature_name="NGX_HAVE_ALPN"
++            ngx_feature_run=no
++            ngx_feature_incs="#include <openssl/ssl.h>"
++            ngx_feature_path=
++            ngx_feature_libs="-lssl -lcrypto"
++            ngx_feature_test="SSL_get0_alpn_selected(NULL, NULL, NULL);"
++            . auto/feature
++
+         fi
+     fi
+
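Review bot: the probe `SSL_get0_alpn_selected(NULL, NULL, NULL);` with `ngx_feature_run=no` is a compile-and-link check only, which is the right shape here since libressl ships the TLSEXT_TYPE macro but not the function. Two things to confirm before commit: the probe lives in the `else` branch shown in the hunk header, so the other branch of that conditional never defines NGX_HAVE_ALPN (fine if that is the only path the port takes), and `ngx_feature_libs` is reset to `-lssl -lcrypto` after CORE_LIBS has already been built from its previous value, which works but deserves a comment so a later edit doesn't reorder it.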
Index: patches/patch-src_core_ngx_config_h
===================================================================
RCS file: patches/patch-src_core_ngx_config_h
diff -N patches/patch-src_core_ngx_config_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_core_ngx_config_h 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/core/ngx_config.h.orig Thu Nov  6 11:42:58 2014
++++ src/core/ngx_config.h Thu Nov  6 11:45:38 2014
+@@ -54,7 +54,7 @@
+ #define ngx_signal_helper(n)     SIG##n
+ #define ngx_signal_value(n)      ngx_signal_helper(n)
+
+-#define ngx_random               random
++#define ngx_random               arc4random
+
+ /* TODO: #ifndef */
+ #define NGX_SHUTDOWN_SIGNAL      QUIT
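Review bot: swapping `random` for `arc4random` in the `ngx_random` macro changes the value range, not just the quality: `random()` returns a long in [0, 2^31-1] while `arc4random()` returns a full-range uint32_t, so any caller storing `ngx_random()` in a signed int or comparing it as signed now sees values it never saw before. The macro swap alone doesn't audit those callers, and `ngx_random() % n` sites stay biased for n that doesn't divide 2^32; those are the arc4random_uniform candidates worth listing in the commit message.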
Index: patches/patch-src_http_modules_ngx_http_ssl_module_c
===================================================================
RCS file: patches/patch-src_http_modules_ngx_http_ssl_module_c
diff -N patches/patch-src_http_modules_ngx_http_ssl_module_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_http_modules_ngx_http_ssl_module_c 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- src/http/modules/ngx_http_ssl_module.c.orig Thu Nov  6 12:06:47 2014
++++ src/http/modules/ngx_http_ssl_module.c Thu Nov  6 12:08:20 2014
+@@ -20,7 +20,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_c
+ #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+
+
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+ static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
+     const unsigned char **out, unsigned char *outlen,
+     const unsigned char *in, unsigned int inlen, void *arg);
+@@ -314,7 +314,7 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
+ static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
+
+
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+
+ static int
+ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
+@@ -646,7 +646,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *pare
+
+ #endif
+
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGX_HAVE_ALPN
+     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
+ #endif
+
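Review bot: the three `#ifdef` renames in this file are consistent with the NGX_HAVE_ALPN name the configure probe defines, but that macro only exists when `auto/feature` succeeds, so every remaining `#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation` in the tree needs the same rename or ALPN ends up half-enabled (callback registered in one file, never consulted in another); a grep across src/ before commit would catch any site this patch set misses.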
Index: patches/patch-src_http_ngx_http_request_c
===================================================================
RCS file: patches/patch-src_http_ngx_http_request_c
diff -N patches/patch-src_http_ngx_http_request_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_http_ngx_http_request_c 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/http/ngx_http_request.c.orig Thu Nov  6 12:05:45 2014
++++ src/http/ngx_http_request.c Thu Nov  6 12:06:04 2014
+@@ -771,7 +771,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+         const unsigned char     *data;
+         static const ngx_str_t   spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
+
+-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++#ifdef NGINX_HAVE_ALPN
+         SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+
+ #ifdef TLSEXT_TYPE_next_proto_neg
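Review bot: the new guard reads `NGINX_HAVE_ALPN`, but the configure probe defines `NGX_HAVE_ALPN` and the ssl module patch tests `NGX_HAVE_ALPN`, so this `#ifdef` is never true: the server would install `ngx_http_ssl_alpn_select` via `SSL_CTX_set_alpn_select_cb` yet never call `SSL_get0_alpn_selected()` in the handshake handler, silently disabling protocol detection after the handshake. Fix the spelling to `NGX_HAVE_ALPN`.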
Index: patches/patch-src_os_unix_ngx_posix_init_c
===================================================================
RCS file: patches/patch-src_os_unix_ngx_posix_init_c
diff -N patches/patch-src_os_unix_ngx_posix_init_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_os_unix_ngx_posix_init_c 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+using arc4random (see ngx_config.h) so no need to seed.
+
+--- src/os/unix/ngx_posix_init.c.orig Thu Nov  6 11:48:48 2014
++++ src/os/unix/ngx_posix_init.c Thu Nov  6 11:49:04 2014
+@@ -75,8 +75,6 @@ ngx_os_init(ngx_log_t *log)
+     ngx_inherited_nonblocking = 0;
+ #endif
+
+-    srandom(ngx_time());
+-
+     return NGX_OK;
+ }
+
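Review bot: dropping `srandom(ngx_time())` is only safe if every consumer goes through the `ngx_random` macro changed in ngx_config.h; a direct `random()` call anywhere in the tree, or in the modules pulled in by the lua/naxsi/passenger flavors, would now run without a seed. A grep for `random(` outside the macro would close that gap, and the header comment could say explicitly that this patch depends on the ngx_config.h one.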
Index: patches/patch-src_os_unix_ngx_process_cycle_c
===================================================================
RCS file: patches/patch-src_os_unix_ngx_process_cycle_c
diff -N patches/patch-src_os_unix_ngx_process_cycle_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_os_unix_ngx_process_cycle_c 6 Nov 2014 12:10:03 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+using arc4random (see ngx_config.h) so no need to seed.
+
+--- src/os/unix/ngx_process_cycle.c.orig Thu Nov  6 11:48:48 2014
++++ src/os/unix/ngx_process_cycle.c Thu Nov  6 11:49:12 2014
+@@ -1015,8 +1015,6 @@ nochroot:
+                       "sigprocmask() failed");
+     }
+
+-    srandom((ngx_pid << 16) ^ ngx_time());
+-
+     /*
+      * disable deleting previous events for the listening sockets because
+      * in the worker processes there are no events at all at this point
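Review bot: with `srandom((ngx_pid << 16) ^ ngx_time())` gone the worker no longer mixes its pid into the generator state; that is fine for arc4random, which is reseeded by libc after fork without help from the caller, but since this patch and the ngx_posix_init.c one both justify themselves with "using arc4random (see ngx_config.h)", it would be safer to keep all three files in one commit so the seed removal can't land without the macro change.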


Re: nginx vs TLSEXT_TYPE_application_layer_protocol_negotiation

Robert Nagy
I think that arc4random diff is not enough; there are more places where
this is used, aren't there?

On (2014-11-06 12:19), Stuart Henderson wrote:

> Add a configure check for SSL_get0_alpn_selected() and use it instead
> of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
> to openssl at the same time as ALPN support, but arrived in libressl
> before ALPN support).
>
> While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
> so we miss their usual checks), and add a bonus arc4random conversion
> (main use is in their dns resolver, I think).
>
> Unbreaks the port.
>
> OK?
>
>


Re: nginx vs TLSEXT_TYPE_application_layer_protocol_negotiation

Stuart Henderson-6
On 2014/11/06 18:02, Robert Nagy wrote:
> I think that arc4random diff is not enough, there are more places where
> this is used aren't there?

They usually use ngx_random which is just a #define. There is room
for improvement, they have some calls which could be converted to
arc4random_uniform, and I'm not sure what they are doing with
ngx_random_number yet, but at least this gets rid of the random()
and srandom() users.


> On (2014-11-06 12:19), Stuart Henderson wrote:
> > Add a configure check for SSL_get0_alpn_selected() and use it instead
> > of TLSEXT_TYPE_application_layer_protocol_negotiation (which was added
> > to openssl at the same time as ALPN support, but arrived in libressl
> > before ALPN support).
> >
> > While there, use upstream's -Wfoo CFLAGS (CFLAGS are passed in by ports
> > so we miss their usual checks), and add a bonus arc4random conversion
> > (main use is in their dns resolver, I think).
> >
> > Unbreaks the port.
> >
> > OK?
> >
> >
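Stuart's remark above that some `ngx_random() % n` callers could move to arc4random_uniform, shown as an added example that is not part of the thread or of nginx: `uniform_from()` mirrors the rejection step arc4random_uniform() performs on OpenBSD, and `bias_spread()` enumerates a tiny source exhaustively so the unevenness of plain modulo versus rejection can be measured exactly. All function names, and the constructed `demo_next` source standing in for arc4random(), are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values below 2^32 % n are redrawn so every residue class mod n gets the
 * same number of source values. 0u - n wraps to 2^32 - n, and
 * (2^32 - n) % n == 2^32 % n, so no 64-bit constant is needed. n must be > 0. */
static uint32_t reject_below(uint32_t n)
{
    return (0u - n) % n;
}

/* Uniform draw in [0, n) from a 32-bit source via rejection: the same shape
 * arc4random_uniform() has. next() supplies raw 32-bit words. */
static uint32_t uniform_from(uint32_t (*next)(void), uint32_t n)
{
    uint32_t min, r;
    if (n < 2) {
        return 0;
    }
    min = reject_below(n);
    for (;;) {
        r = next();
        if (r >= min) {
            return r % n;      /* accepted: no bias left in the modulo */
        }
    }
}

/* Constructed, deterministic stand-in for arc4random() so the draw runs
 * offline: for n = 100 the threshold is 96, so 5 is rejected and
 * 0xffffffff is accepted, giving 0xffffffff % 100 = 95. */
static const uint32_t demo_values[] = { 5u, 0xffffffffu };
static size_t demo_pos;

static void demo_reset(void) { demo_pos = 0; }

static uint32_t demo_next(void) { return demo_values[demo_pos++ % 2]; }

/* Exhaustive comparison on a tiny source of `bits` bits (every source value
 * enumerated): how uneven is the histogram of outputs in [0, n) with plain
 * `r % n` (reject == 0) versus rejection (reject != 0)? Returns max count
 * minus min count, so 0 means perfectly uniform. */
static unsigned bias_spread(unsigned bits, unsigned n, int reject)
{
    static unsigned hist[1024];
    unsigned space, min, r, lo, hi;

    if (bits == 0 || bits > 20 || n == 0 || n > 1024) {
        return ~0u;            /* outside what this demo enumerates */
    }
    space = 1u << bits;
    min = space % n;           /* reject_below() for a 2^bits source */
    memset(hist, 0, n * sizeof hist[0]);
    for (r = 0; r < space; r++) {
        if (reject && r < min) {
            continue;          /* the rejection loop would redraw this */
        }
        hist[r % n]++;
    }
    lo = hi = hist[0];
    for (r = 1; r < n; r++) {
        if (hist[r] < lo) {
            lo = hist[r];
        }
        if (hist[r] > hi) {
            hi = hist[r];
        }
    }
    return hi - lo;
}
```

With an 8-bit source and n = 100, plain modulo hands outputs 0..55 three source values each and 56..99 only two, while rejecting the 56 lowest source values leaves exactly two per output.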


Re: nginx vs TLSEXT_TYPE_application_layer_protocol_negotiation

Stuart Henderson-6
OK, let's forget the random stuff for now and use a simpler diff for ALPN.
I think the way that nginx is checking for this is pretty reasonable actually;
they are trying to keep their autoconf checks clean and avoid nasty ifdefs as
much as possible, and doing it this way it's simple to remove when we do
add support.

Since the port has been broken for about a week I plan to commit this in
a couple of hours unless there are objections.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
retrieving revision 1.66
diff -u -p -r1.66 Makefile
--- Makefile 31 Oct 2014 14:40:59 -0000 1.66
+++ Makefile 7 Nov 2014 16:53:40 -0000
@@ -25,6 +25,7 @@ LIB_DEPENDS+= devel/pcre
 
 NGINX_DIR= /var/www
 SUBST_VARS= NGINX_DIR
+CFLAGS+= -Wall -Wpointer-arith -Werror
 
 FLAVORS= lua naxsi passenger
 FLAVOR?=
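Review bot: compared with the first diff, this Makefile hunk keeps the `CFLAGS+= -Wall -Wpointer-arith -Werror` line but drops the `REVISION= 0` bump; the new CFLAGS and the new patch both change the built package, so if a package from before the breakage exists it still wants the bump.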
Index: patches/patch-src_event_ngx_event_openssl_h
===================================================================
RCS file: patches/patch-src_event_ngx_event_openssl_h
diff -N patches/patch-src_event_ngx_event_openssl_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_event_ngx_event_openssl_h 7 Nov 2014 16:53:40 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+--- src/event/ngx_event_openssl.h.orig Fri Nov  7 16:50:18 2014
++++ src/event/ngx_event_openssl.h Fri Nov  7 16:51:52 2014
+@@ -30,6 +30,12 @@
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+
++/*
++ * XXX nginx checks this define to detect ALPN support;
++ *     libressl has added, the macro but doesn't have support yet
++ */
++#undef TLSEXT_TYPE_application_layer_protocol_negotiation
++
+ #define NGX_SSL_NAME     "OpenSSL"
+
+
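Review bot: the `#undef TLSEXT_TYPE_application_layer_protocol_negotiation` is unconditional, so it also disables ALPN for anyone building the port against an OpenSSL that really has it, and it will keep ALPN off after libressl gains support until somebody remembers to delete the patch; wrapping it in `#ifdef LIBRESSL_VERSION_NUMBER` (optionally with a version bound) would scope it to the case the comment describes. It also only takes effect for code that includes this header before testing the macro; any check in a file that doesn't include ngx_event_openssl.h still sees libressl's define. Minor: the comment has a stray comma in "libressl has added, the macro".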