diff options
46 files changed, 809 insertions, 508 deletions
@@ -3,7 +3,21 @@ NEWS ==== -- 1.4.29 - +- 1.4.30 - + * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) + * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. + * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled + * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file + * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) + * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) + * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) + * [ssl] count renegotiations to prevent client renegotiations + * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) + * [core] accept dots in ipv6 addresses in host header (fixes #2359) + * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) + * [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324) + +- 1.4.29 - 2011-07-03 * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) * mod_cgi: make read buffer as big as incoming data block @@ -5,7 +5,7 @@ import string from stat import * package = 'lighttpd' -version = '1.4.29' +version = '1.4.30' def checkCHeaders(autoconf, hdrs): p = re.compile('[^A-Z0-9]') @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for lighttpd 1.4.29. +# Generated by GNU Autoconf 2.68 for lighttpd 1.4.30. # # Report bugs to <contact@lighttpd.net>. # @@ -570,8 +570,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='lighttpd' PACKAGE_TARNAME='lighttpd' -PACKAGE_VERSION='1.4.29' -PACKAGE_STRING='lighttpd 1.4.29' +PACKAGE_VERSION='1.4.30' +PACKAGE_STRING='lighttpd 1.4.30' PACKAGE_BUGREPORT='contact@lighttpd.net' PACKAGE_URL='' @@ -1365,7 +1365,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures lighttpd 1.4.29 to adapt to many kinds of systems. +\`configure' configures lighttpd 1.4.30 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1436,7 +1436,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of lighttpd 1.4.29:";; + short | recursive ) echo "Configuration of lighttpd 1.4.30:";; esac cat <<\_ACEOF @@ -1461,7 +1461,7 @@ Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-gnu-ld assume the C compiler uses GNU ld [default=no] - --with-pic try to use only PIC/non-PIC objects [default=use + --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] --with-sysroot=DIR Search for dependent libraries within DIR (or the compiler's sysroot if not specified). @@ -1580,7 +1580,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -lighttpd configure 1.4.29 +lighttpd configure 1.4.30 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2238,7 +2238,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by lighttpd $as_me 1.4.29, which was +It was created by lighttpd $as_me 1.4.30, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3169,7 +3169,7 @@ fi # Define the identity of the package. PACKAGE='lighttpd' - VERSION='1.4.29' + VERSION='1.4.30' cat >>confdefs.h <<_ACEOF @@ -5473,8 +5473,8 @@ esac -macro_version='2.4' -macro_revision='1.3293' +macro_version='2.4.2' +macro_revision='1.3337' @@ -5775,6 +5775,11 @@ else lt_cv_sys_max_cmd_len=196608 ;; + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + osf*) # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not @@ -5814,7 +5819,7 @@ else # If test is not a shell built-in, we'll probably end up computing a # maximum length that is only half of the actual maximum length, but # we can't tell. - while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \ + while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ = "X$teststring$teststring"; } >/dev/null 2>&1 && test $i != 17 # 1/2 MB should be enough do @@ -6243,7 +6248,7 @@ irix5* | irix6* | nonstopux*) lt_cv_deplibs_check_method=pass_all ;; -# This must be Linux ELF. +# This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -6883,13 +6888,13 @@ old_postuninstall_cmds= if test -n "$RANLIB"; then case $host_os in openbsd*) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" ;; *) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" ;; esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" fi case $host_os in @@ -7036,6 +7041,7 @@ for ac_symprfx in "" "_"; do # which start with @ or ?. lt_cv_sys_global_symbol_pipe="$AWK '"\ " {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ " /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ " \$ 0!~/External *\|/{next};"\ " / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ @@ -7424,7 +7430,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; } CFLAGS="$SAVE_CFLAGS" fi ;; -sparc*-*solaris*) +*-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 @@ -7435,7 +7441,20 @@ sparc*-*solaris*) case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in - yes*) LD="${LD-ld} -m elf64_sparc" ;; + yes*) + case $host in + i?86-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD="${LD-ld}_sol2" + fi + ;; *) if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then LD="${LD-ld} -64" @@ -8075,7 +8094,13 @@ else $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c 2>conftest.err _lt_result=$? - if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then + # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&5 + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test $_lt_result -eq 0; then lt_cv_apple_cc_single_mod=yes else cat conftest.err >&5 @@ -8086,6 +8111,7 @@ else fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 $as_echo "$lt_cv_apple_cc_single_mod" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } if ${lt_cv_ld_exported_symbols_list+:} false; then : @@ -8118,6 +8144,7 @@ rm -f core conftest.err conftest.$ac_objext \ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5 $as_echo_n "checking for -force_load linker flag... " >&6; } if ${lt_cv_ld_force_load+:} false; then : @@ -8139,7 +8166,9 @@ _LT_EOF echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5 $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err _lt_result=$? - if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&5 + elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then lt_cv_ld_force_load=yes else cat conftest.err >&5 @@ -8215,7 +8244,22 @@ done # Check whether --with-pic was given. if test "${with_pic+set}" = set; then : - withval=$with_pic; pic_mode="$withval" + withval=$with_pic; lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for lt_pkg in $withval; do + IFS="$lt_save_ifs" + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac else pic_mode=default fi @@ -8293,6 +8337,10 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool' + + + + test -z "$LN_S" && LN_S="ln -s" @@ -8752,7 +8800,9 @@ lt_prog_compiler_static= case $cc_basename in nvcc*) # Cuda Compiler Driver 2.2 lt_prog_compiler_wl='-Xlinker ' - lt_prog_compiler_pic='-Xcompiler -fPIC' + if test -n "$lt_prog_compiler_pic"; then + lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic" + fi ;; esac else @@ -8843,18 +8893,33 @@ lt_prog_compiler_static= ;; *) case `$CC -V 2>&1 | sed 5q` in - *Sun\ F* | *Sun*Fortran*) + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*) # Sun Fortran 8.3 passes all unrecognized flags to the linker lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='' ;; + *Sun\ F* | *Sun*Fortran*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='-Qoption ld ' + ;; *Sun\ C*) # Sun C 5.9 lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='-Wl,' ;; + *Intel*\ [CF]*Compiler*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + *Portland\ Group*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fpic' + lt_prog_compiler_static='-Bstatic' + ;; esac ;; esac @@ -9216,7 +9281,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie hardcode_direct=no hardcode_direct_absolute=no hardcode_libdir_flag_spec= - hardcode_libdir_flag_spec_ld= hardcode_libdir_separator= hardcode_minus_L=no hardcode_shlibpath_var=unsupported @@ -9469,8 +9533,7 @@ _LT_EOF xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' - hardcode_libdir_flag_spec= - hardcode_libdir_flag_spec_ld='-rpath $libdir' + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test "x$supports_anon_versioning" = xyes; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ @@ -9850,6 +9913,7 @@ fi # The linker will not automatically build a static lib if we build a DLL. # _LT_TAGVAR(old_archive_from_new_cmds, )='true' enable_shared_with_static_runtimes=yes + exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' # Don't use ranlib old_postinstall_cmds='chmod 644 $oldlib' @@ -9895,6 +9959,7 @@ fi hardcode_shlibpath_var=unsupported if test "$lt_cv_ld_force_load" = "yes"; then whole_archive_flag_spec='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + else whole_archive_flag_spec='' fi @@ -9923,10 +9988,6 @@ fi hardcode_shlibpath_var=no ;; - freebsd1*) - ld_shlibs=no - ;; - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor # support. Future versions do this automatically, but an explicit c++rt0.o # does not break anything, and helps significantly (at the cost of a little @@ -9939,7 +10000,7 @@ fi ;; # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) + freebsd2.*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes hardcode_minus_L=yes @@ -9978,7 +10039,6 @@ fi fi if test "$with_gnu_ld" = no; then hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_flag_spec_ld='+b $libdir' hardcode_libdir_separator=: hardcode_direct=yes hardcode_direct_absolute=yes @@ -10602,11 +10662,6 @@ esac - - - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5 $as_echo_n "checking dynamic linker characteristics... " >&6; } @@ -10696,7 +10751,7 @@ need_version=unknown case $host_os in aix3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' shlibpath_var=LIBPATH @@ -10705,7 +10760,7 @@ aix3*) ;; aix[4-9]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no hardcode_into_libs=yes @@ -10770,7 +10825,7 @@ beos*) ;; bsdi[45]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' @@ -10909,7 +10964,7 @@ darwin* | rhapsody*) ;; dgux*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' @@ -10917,10 +10972,6 @@ dgux*) shlibpath_var=LD_LIBRARY_PATH ;; -freebsd1*) - dynamic_linker=no - ;; - freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. @@ -10928,7 +10979,7 @@ freebsd* | dragonfly*) objformat=`/usr/bin/objformat` else case $host_os in - freebsd[123]*) objformat=aout ;; + freebsd[23].*) objformat=aout ;; *) objformat=elf ;; esac fi @@ -10946,7 +10997,7 @@ freebsd* | dragonfly*) esac shlibpath_var=LD_LIBRARY_PATH case $host_os in - freebsd2*) + freebsd2.*) shlibpath_overrides_runpath=yes ;; freebsd3.[01]* | freebsdelf3.[01]*) @@ -10966,7 +11017,7 @@ freebsd* | dragonfly*) ;; gnu*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' @@ -10977,7 +11028,7 @@ gnu*) ;; haiku*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no dynamic_linker="$host_os runtime_loader" @@ -11038,7 +11089,7 @@ hpux9* | hpux10* | hpux11*) ;; interix[3-9]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' @@ -11054,7 +11105,7 @@ irix5* | irix6* | nonstopux*) nonstopux*) version_type=nonstopux ;; *) if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor else version_type=irix fi ;; @@ -11091,9 +11142,9 @@ linux*oldld* | linux*aout* | linux*coff*) dynamic_linker=no ;; -# This must be Linux ELF. +# This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -11187,7 +11238,7 @@ netbsd*) ;; newsos6) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -11256,7 +11307,7 @@ rdos*) ;; solaris*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -11281,7 +11332,7 @@ sunos4*) ;; sysv4 | sysv4.3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH @@ -11305,7 +11356,7 @@ sysv4 | sysv4.3*) sysv4*MP*) if test -d /usr/nec ;then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' soname_spec='$libname${shared_ext}.$major' shlibpath_var=LD_LIBRARY_PATH @@ -11336,7 +11387,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) tpf*) # TPF is a cross-target only. Preferred cross-host = GNU/Linux. - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -11346,7 +11397,7 @@ tpf*) ;; uts4*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH @@ -12128,6 +12179,8 @@ CC="$lt_save_CC" + + ac_config_commands="$ac_config_commands libtool" @@ -16647,7 +16700,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by lighttpd $as_me 1.4.29, which was +This file was extended by lighttpd $as_me 1.4.30, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16713,7 +16766,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -lighttpd config.status 1.4.29 +lighttpd config.status 1.4.30 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" @@ -16856,6 +16909,7 @@ macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' +PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`' host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`' host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`' host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`' @@ -16932,7 +16986,6 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`' -hardcode_libdir_flag_spec_ld='`$ECHO "$hardcode_libdir_flag_spec_ld" | $SED "$delay_single_quote_subst"`' hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' @@ -16993,6 +17046,7 @@ FGREP \ SHELL \ ECHO \ LD \ +PATH_SEPARATOR \ NM \ LN_S \ lt_SP2NL \ @@ -17038,7 +17092,6 @@ with_gnu_ld \ allow_undefined_flag \ no_undefined_flag \ hardcode_libdir_flag_spec \ -hardcode_libdir_flag_spec_ld \ hardcode_libdir_separator \ exclude_expsyms \ include_expsyms \ @@ -17850,8 +17903,8 @@ $as_echo X"$file" | # NOTE: Changes made to this file will be lost: look at ltmain.sh. # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, -# 2006, 2007, 2008, 2009, 2010 Free Software Foundation, -# Inc. +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is part of GNU Libtool. @@ -17920,6 +17973,9 @@ pic_mode=$pic_mode # Whether or not to optimize for fast installation. fast_install=$enable_fast_install +# The PATH separator for the build system. +PATH_SEPARATOR=$lt_PATH_SEPARATOR + # The host system. host_alias=$host_alias host=$host @@ -18206,10 +18262,6 @@ no_undefined_flag=$lt_no_undefined_flag # This must work even if \$libdir does not exist hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec -# If ld is used when linking, flag to hardcode \$libdir into a binary -# during linking. This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld - # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator diff --git a/configure.ac b/configure.ac index 7fde3ca..bbbe2f3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ dnl -*- Autoconf -*- dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.57) -AC_INIT([lighttpd], [1.4.29], [contact@lighttpd.net]) +AC_INIT([lighttpd], [1.4.30], [contact@lighttpd.net]) AC_CONFIG_SRCDIR([src/server.c]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/doc/config/lighttpd.conf b/doc/config/lighttpd.conf index efe96be..47d6729 100644 --- a/doc/config/lighttpd.conf +++ b/doc/config/lighttpd.conf @@ -394,6 +394,25 @@ server.upload-dirs = ( "/var/tmp" ) ## $SERVER["socket"] == "10.0.0.1:443" { ## ssl.engine = "enable" ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" +## # +## # Mitigate BEAST attack: +## # +## # A stricter base cipher suite. For details see: +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html +## # +## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## # Make the server prefer the order of the server side cipher suite instead of the client suite. +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). +## # This option is enabled by default, but only used if ssl.cipher-list is set. +## # +## # ssl.honor-cipher-order = "enable" +## # +## # Mitigate CVE-2009-3555 by disabling client triggered renegotation +## # This is enabled by default. +## # +## # ssl.disable-client-renegotiation = "enable" +## # ## server.name = "www.example.com" ## ## server.document-root = "/srv/www/vhosts/example.com/www/" diff --git a/ltmain.sh b/ltmain.sh index 6f650ae..c7d06c3 100755..100644 --- a/ltmain.sh +++ b/ltmain.sh @@ -1,9 +1,9 @@ -# libtool (GNU libtool) 2.4 +# libtool (GNU libtool) 2.4.2 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, -# 2007, 2008, 2009, 2010 Free Software Foundation, Inc. +# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. # This is free software; see the source for copying conditions. There is NO # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. @@ -41,6 +41,7 @@ # --quiet, --silent don't print informational messages # --no-quiet, --no-silent # print informational messages (default) +# --no-warn don't display warning messages # --tag=TAG use configuration variables from tag TAG # -v, --verbose print more informational messages than default # --no-verbose don't print the extra informational messages @@ -69,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4 Debian-2.4-2 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1 # automake: $automake_version # autoconf: $autoconf_version # @@ -79,9 +80,9 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4 Debian-2.4-2" +VERSION="2.4.2 Debian-2.4.2-1" TIMESTAMP="" -package_revision=1.3293 +package_revision=1.3337 # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then @@ -136,15 +137,10 @@ progpath="$0" : ${CP="cp -f"} test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} -: ${EGREP="/bin/grep -E"} -: ${FGREP="/bin/grep -F"} -: ${GREP="/bin/grep"} -: ${LN_S="ln -s"} : ${MAKE="make"} : ${MKDIR="mkdir"} : ${MV="mv -f"} : ${RM="rm -f"} -: ${SED="/bin/sed"} : ${SHELL="${CONFIG_SHELL-/bin/sh}"} : ${Xsed="$SED -e 1s/^X//"} @@ -387,7 +383,7 @@ case $progpath in ;; *) save_IFS="$IFS" - IFS=: + IFS=${PATH_SEPARATOR-:} for progdir in $PATH; do IFS="$save_IFS" test -x "$progdir/$progname" && break @@ -771,8 +767,8 @@ func_help () s*\$LTCFLAGS*'"$LTCFLAGS"'* s*\$LD*'"$LD"'* s/\$with_gnu_ld/'"$with_gnu_ld"'/ - s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/ - s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/ + s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/ + s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/ p d } @@ -1052,6 +1048,7 @@ opt_finish=false opt_help=false opt_help_all=false opt_silent=: +opt_warning=: opt_verbose=: opt_silent=false opt_verbose=false @@ -1120,6 +1117,10 @@ esac opt_silent=false func_append preserve_args " $opt" ;; + --no-warning|--no-warn) + opt_warning=false +func_append preserve_args " $opt" + ;; --no-verbose) opt_verbose=false func_append preserve_args " $opt" @@ -2059,7 +2060,7 @@ func_mode_compile () *.[cCFSifmso] | \ *.ada | *.adb | *.ads | *.asm | \ *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ - *.[fF][09]? | *.for | *.java | *.obj | *.sx | *.cu | *.cup) + *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) func_xform "$libobj" libobj=$func_xform_result ;; @@ -3201,11 +3202,13 @@ func_mode_install () # Set up the ranlib parameters. oldlib="$destdir/$name" + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result func_show_eval "$install_prog \$file \$oldlib" 'exit $?' if test -n "$stripme" && test -n "$old_striplib"; then - func_show_eval "$old_striplib $oldlib" 'exit $?' + func_show_eval "$old_striplib $tool_oldlib" 'exit $?' fi # Do each command in the postinstall commands. @@ -3470,7 +3473,7 @@ static const void *lt_preloaded_setup() { # linked before any other PIC object. But we must not use # pic_flag when linking with -static. The problem exists in # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. - *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) + *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; *-*-hpux*) pic_flag_for_symtable=" $pic_flag" ;; @@ -3982,14 +3985,17 @@ func_exec_program_core () # launches target application with the remaining arguments. func_exec_program () { - for lt_wr_arg - do - case \$lt_wr_arg in - --lt-*) ;; - *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; - esac - shift - done + case \" \$* \" in + *\\ --lt-*) + for lt_wr_arg + do + case \$lt_wr_arg in + --lt-*) ;; + *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; + esac + shift + done ;; + esac func_exec_program_core \${1+\"\$@\"} } @@ -5057,9 +5063,15 @@ void lt_dump_script (FILE* f) { EOF func_emit_wrapper yes | - $SED -e 's/\([\\"]\)/\\\1/g' \ - -e 's/^/ fputs ("/' -e 's/$/\\n", f);/' - + $SED -n -e ' +s/^\(.\{79\}\)\(..*\)/\1\ +\2/ +h +s/\([\\"]\)/\\\1/g +s/$/\\n/ +s/\([^\n]*\).*/ fputs ("\1", f);/p +g +D' cat <<"EOF" } EOF @@ -5643,7 +5655,8 @@ func_mode_link () continue ;; - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads) + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) func_append compiler_flags " $arg" func_append compile_command " $arg" func_append finalize_command " $arg" @@ -6150,7 +6163,8 @@ func_mode_link () lib= found=no case $deplib in - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads) + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" @@ -6834,7 +6848,7 @@ func_mode_link () test "$hardcode_direct_absolute" = no; then add="$dir/$linklib" elif test "$hardcode_minus_L" = yes; then - add_dir="-L$dir" + add_dir="-L$absdir" # Try looking first in the location we're being installed to. if test -n "$inst_prefix_dir"; then case $libdir in @@ -7319,6 +7333,7 @@ func_mode_link () # which has an extra 1 added just for fun # case $version_type in + # correct linux to gnu/linux during the next big refactor darwin|linux|osf|windows|none) func_arith $number_major + $number_minor current=$func_arith_result @@ -7438,7 +7453,7 @@ func_mode_link () versuffix="$major.$revision" ;; - linux) + linux) # correct to gnu/linux during the next big refactor func_arith $current - $age major=.$func_arith_result versuffix="$major.$age.$revision" @@ -8026,6 +8041,11 @@ EOF # Test again, we may have decided not to build it any more if test "$build_libtool_libs" = yes; then + # Remove ${wl} instances when linking with ld. + # FIXME: should test the right _cmds variable. + case $archive_cmds in + *\$LD\ *) wl= ;; + esac if test "$hardcode_into_libs" = yes; then # Hardcode the library paths hardcode_libdirs= @@ -8056,7 +8076,7 @@ EOF elif test -n "$runpath_var"; then case "$perm_rpath " in *" $libdir "*) ;; - *) func_apped perm_rpath " $libdir" ;; + *) func_append perm_rpath " $libdir" ;; esac fi done @@ -8064,11 +8084,7 @@ EOF if test -n "$hardcode_libdir_separator" && test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" - if test -n "$hardcode_libdir_flag_spec_ld"; then - eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" - else - eval dep_rpath=\"$hardcode_libdir_flag_spec\" - fi + eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" fi if test -n "$runpath_var" && test -n "$perm_rpath"; then # We should set the runpath_var. @@ -9158,6 +9174,8 @@ EOF esac done fi + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result eval cmds=\"$old_archive_cmds\" func_len " $cmds" @@ -9267,7 +9285,8 @@ EOF *.la) func_basename "$deplib" name="$func_basename_result" - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + func_resolve_sysroot "$deplib" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` test -z "$libdir" && \ func_fatal_error "\`$deplib' is not a valid libtool archive" func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" diff --git a/m4/libtool.m4 b/m4/libtool.m4 index 8ff3c76..828104c 100644 --- a/m4/libtool.m4 +++ b/m4/libtool.m4 @@ -1,8 +1,8 @@ # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, -# 2006, 2007, 2008, 2009, 2010 Free Software Foundation, -# Inc. +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is free software; the Free Software Foundation gives @@ -11,8 +11,8 @@ m4_define([_LT_COPYING], [dnl # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, -# 2006, 2007, 2008, 2009, 2010 Free Software Foundation, -# Inc. +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is part of GNU Libtool. @@ -146,6 +146,8 @@ AC_REQUIRE([AC_CANONICAL_BUILD])dnl AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl +_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl +dnl _LT_DECL([], [host_alias], [0], [The host system])dnl _LT_DECL([], [host], [0])dnl _LT_DECL([], [host_os], [0])dnl @@ -637,7 +639,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION]) configured by $[0], generated by m4_PACKAGE_STRING. -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2011 Free Software Foundation, Inc. This config.lt script is free software; the Free Software Foundation gives unlimited permision to copy, distribute and modify it." @@ -801,6 +803,7 @@ AC_DEFUN([LT_LANG], m4_case([$1], [C], [_LT_LANG(C)], [C++], [_LT_LANG(CXX)], + [Go], [_LT_LANG(GO)], [Java], [_LT_LANG(GCJ)], [Fortran 77], [_LT_LANG(F77)], [Fortran], [_LT_LANG(FC)], @@ -822,6 +825,31 @@ m4_defun([_LT_LANG], ])# _LT_LANG +m4_ifndef([AC_PROG_GO], [ +############################################################ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_GO. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. # +############################################################ +m4_defun([AC_PROG_GO], +[AC_LANG_PUSH(Go)dnl +AC_ARG_VAR([GOC], [Go compiler command])dnl +AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl +_AC_ARG_VAR_LDFLAGS()dnl +AC_CHECK_TOOL(GOC, gccgo) +if test -z "$GOC"; then + if test -n "$ac_tool_prefix"; then + AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo]) + fi +fi +if test -z "$GOC"; then + AC_CHECK_PROG(GOC, gccgo, gccgo, false) +fi +])#m4_defun +])#m4_ifndef + + # _LT_LANG_DEFAULT_CONFIG # ----------------------- m4_defun([_LT_LANG_DEFAULT_CONFIG], @@ -852,6 +880,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ], m4_ifdef([LT_PROG_GCJ], [m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])]) +AC_PROVIDE_IFELSE([AC_PROG_GO], + [LT_LANG(GO)], + [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])]) + AC_PROVIDE_IFELSE([LT_PROG_RC], [LT_LANG(RC)], [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])]) @@ -954,7 +986,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c 2>conftest.err _lt_result=$? - if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then + # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test $_lt_result -eq 0; then lt_cv_apple_cc_single_mod=yes else cat conftest.err >&AS_MESSAGE_LOG_FD @@ -962,6 +1000,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ rm -rf libconftest.dylib* rm -f conftest.* fi]) + AC_CACHE_CHECK([for -exported_symbols_list linker flag], [lt_cv_ld_exported_symbols_list], [lt_cv_ld_exported_symbols_list=no @@ -973,6 +1012,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ [lt_cv_ld_exported_symbols_list=no]) LDFLAGS="$save_LDFLAGS" ]) + AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load], [lt_cv_ld_force_load=no cat > conftest.c << _LT_EOF @@ -990,7 +1030,9 @@ _LT_EOF echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err _lt_result=$? - if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then lt_cv_ld_force_load=yes else cat conftest.err >&AS_MESSAGE_LOG_FD @@ -1035,8 +1077,8 @@ _LT_EOF ]) -# _LT_DARWIN_LINKER_FEATURES -# -------------------------- +# _LT_DARWIN_LINKER_FEATURES([TAG]) +# --------------------------------- # Checks for linker and compiler features on darwin m4_defun([_LT_DARWIN_LINKER_FEATURES], [ @@ -1047,6 +1089,8 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES], _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported if test "$lt_cv_ld_force_load" = "yes"; then _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes], + [FC], [_LT_TAGVAR(compiler_needs_object, $1)=yes]) else _LT_TAGVAR(whole_archive_flag_spec, $1)='' fi @@ -1330,14 +1374,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) CFLAGS="$SAVE_CFLAGS" fi ;; -sparc*-*solaris*) +*-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in - yes*) LD="${LD-ld} -m elf64_sparc" ;; + yes*) + case $host in + i?86-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD="${LD-ld}_sol2" + fi + ;; *) if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then LD="${LD-ld} -64" @@ -1414,13 +1471,13 @@ old_postuninstall_cmds= if test -n "$RANLIB"; then case $host_os in openbsd*) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" ;; *) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" ;; esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" fi case $host_os in @@ -1600,6 +1657,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl lt_cv_sys_max_cmd_len=196608 ;; + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + osf*) # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not @@ -1639,7 +1701,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl # If test is not a shell built-in, we'll probably end up computing a # maximum length that is only half of the actual maximum length, but # we can't tell. - while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \ + while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ = "X$teststring$teststring"; } >/dev/null 2>&1 && test $i != 17 # 1/2 MB should be enough do @@ -2185,7 +2247,7 @@ need_version=unknown case $host_os in aix3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' shlibpath_var=LIBPATH @@ -2194,7 +2256,7 @@ aix3*) ;; aix[[4-9]]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no hardcode_into_libs=yes @@ -2259,7 +2321,7 @@ beos*) ;; bsdi[[45]]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' @@ -2398,7 +2460,7 @@ m4_if([$1], [],[ ;; dgux*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' @@ -2406,10 +2468,6 @@ dgux*) shlibpath_var=LD_LIBRARY_PATH ;; -freebsd1*) - dynamic_linker=no - ;; - freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. @@ -2417,7 +2475,7 @@ freebsd* | dragonfly*) objformat=`/usr/bin/objformat` else case $host_os in - freebsd[[123]]*) objformat=aout ;; + freebsd[[23]].*) objformat=aout ;; *) objformat=elf ;; esac fi @@ -2435,7 +2493,7 @@ freebsd* | dragonfly*) esac shlibpath_var=LD_LIBRARY_PATH case $host_os in - freebsd2*) + freebsd2.*) shlibpath_overrides_runpath=yes ;; freebsd3.[[01]]* | freebsdelf3.[[01]]*) @@ -2455,7 +2513,7 @@ freebsd* | dragonfly*) ;; gnu*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' @@ -2466,7 +2524,7 @@ gnu*) ;; haiku*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no dynamic_linker="$host_os runtime_loader" @@ -2527,7 +2585,7 @@ hpux9* | hpux10* | hpux11*) ;; interix[[3-9]]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' @@ -2543,7 +2601,7 @@ irix5* | irix6* | nonstopux*) nonstopux*) version_type=nonstopux ;; *) if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor else version_type=irix fi ;; @@ -2580,9 +2638,9 @@ linux*oldld* | linux*aout* | linux*coff*) dynamic_linker=no ;; -# This must be Linux ELF. +# This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -2657,7 +2715,7 @@ netbsd*) ;; newsos6) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -2726,7 +2784,7 @@ rdos*) ;; solaris*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -2751,7 +2809,7 @@ sunos4*) ;; sysv4 | sysv4.3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH @@ -2775,7 +2833,7 @@ sysv4 | sysv4.3*) sysv4*MP*) if test -d /usr/nec ;then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' soname_spec='$libname${shared_ext}.$major' shlibpath_var=LD_LIBRARY_PATH @@ -2806,7 +2864,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) tpf*) # TPF is a cross-target only. Preferred cross-host = GNU/Linux. - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -2816,7 +2874,7 @@ tpf*) ;; uts4*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH @@ -3238,7 +3296,7 @@ irix5* | irix6* | nonstopux*) lt_cv_deplibs_check_method=pass_all ;; -# This must be Linux ELF. +# This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -3658,6 +3716,7 @@ for ac_symprfx in "" "_"; do # which start with @ or ?. lt_cv_sys_global_symbol_pipe="$AWK ['"\ " {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ " /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ " \$ 0!~/External *\|/{next};"\ " / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ @@ -4242,7 +4301,9 @@ m4_if([$1], [CXX], [ case $cc_basename in nvcc*) # Cuda Compiler Driver 2.2 _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker ' - _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Xcompiler -fPIC' + if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)" + fi ;; esac else @@ -4334,18 +4395,33 @@ m4_if([$1], [CXX], [ ;; *) case `$CC -V 2>&1 | sed 5q` in - *Sun\ F* | *Sun*Fortran*) + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*) # Sun Fortran 8.3 passes all unrecognized flags to the linker _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='' ;; + *Sun\ F* | *Sun*Fortran*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; *Sun\ C*) # Sun C 5.9 _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' ;; + *Intel*\ [[CF]]*Compiler*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + *Portland\ Group*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; esac ;; esac @@ -4505,7 +4581,9 @@ m4_if([$1], [CXX], [ ;; cygwin* | mingw* | cegcc*) case $cc_basename in - cl*) ;; + cl*) + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] @@ -4533,7 +4611,6 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported @@ -4787,8 +4864,7 @@ _LT_EOF xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive' - _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= - _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test "x$supports_anon_versioning" = xyes; then _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ @@ -5084,6 +5160,7 @@ _LT_EOF # The linker will not automatically build a static lib if we build a DLL. # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' # Don't use ranlib _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' @@ -5130,10 +5207,6 @@ _LT_EOF _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; - freebsd1*) - _LT_TAGVAR(ld_shlibs, $1)=no - ;; - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor # support. Future versions do this automatically, but an explicit c++rt0.o # does not break anything, and helps significantly (at the cost of a little @@ -5146,7 +5219,7 @@ _LT_EOF ;; # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) + freebsd2.*) _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_minus_L, $1)=yes @@ -5185,7 +5258,6 @@ _LT_EOF fi if test "$with_gnu_ld" = no; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' - _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes @@ -5627,9 +5699,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1], _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1], [Flag to hardcode $libdir into a binary during linking. This must work even if $libdir does not exist]) -_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1], - [[If ld is used when linking, flag to hardcode $libdir into a binary - during linking. This must work even if $libdir does not exist]]) _LT_TAGDECL([], [hardcode_libdir_separator], [1], [Whether we need a single "-rpath" flag with a separated argument]) _LT_TAGDECL([], [hardcode_direct], [0], @@ -5787,7 +5856,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported @@ -6157,7 +6225,7 @@ if test "$_lt_caught_CXX_error" != yes; then esac ;; - freebsd[[12]]*) + freebsd2.*) # C++ shared libraries reported to be fairly broken before # switch to ELF _LT_TAGVAR(ld_shlibs, $1)=no @@ -6918,12 +6986,18 @@ public class foo { } }; _LT_EOF +], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF +package foo +func foo() { +} +_LT_EOF ]) _lt_libdeps_save_CFLAGS=$CFLAGS case "$CC $CFLAGS " in #( *\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;; *\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;; +*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;; esac dnl Parse the compiler output and extract the necessary @@ -7120,7 +7194,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_automatic, $1)=no @@ -7253,7 +7326,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= -_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_automatic, $1)=no @@ -7440,6 +7512,77 @@ CFLAGS=$lt_save_CFLAGS ])# _LT_LANG_GCJ_CONFIG +# _LT_LANG_GO_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Go compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_GO_CONFIG], +[AC_REQUIRE([LT_PROG_GO])dnl +AC_LANG_SAVE + +# Source file extension for Go test sources. +ac_ext=go + +# Object file extension for compiled Go test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="package main; func main() { }" + +# Code to be used in simple link tests +lt_simple_link_test_code='package main; func main() { }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC=yes +CC=${GOC-"gccgo"} +CFLAGS=$GOFLAGS +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)="$LD" +_LT_CC_BASENAME([$compiler]) + +# Go did not exist at the time GCC didn't implicitly link libc in. +_LT_TAGVAR(archive_cmds_need_lc, $1)=no + +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds + +## CAVEAT EMPTOR: +## There is no encapsulation within the following macros, do not change +## the running order or otherwise move them around unless you know exactly +## what you are doing... +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) +fi + +AC_LANG_RESTORE + +GCC=$lt_save_GCC +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_GO_CONFIG + + # _LT_LANG_RC_CONFIG([TAG]) # ------------------------- # Ensure that the configuration variables for the Windows resource compiler @@ -7509,6 +7652,13 @@ dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([LT_AC_PROG_GCJ], []) +# LT_PROG_GO +# ---------- +AC_DEFUN([LT_PROG_GO], +[AC_CHECK_TOOL(GOC, gccgo,) +]) + + # LT_PROG_RC # ---------- AC_DEFUN([LT_PROG_RC], diff --git a/m4/ltoptions.m4 b/m4/ltoptions.m4 index 17cfd51..5d9acd8 100644 --- a/m4/ltoptions.m4 +++ b/m4/ltoptions.m4 @@ -326,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], []) # MODE is either `yes' or `no'. If omitted, it defaults to `both'. m4_define([_LT_WITH_PIC], [AC_ARG_WITH([pic], - [AS_HELP_STRING([--with-pic], + [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@], [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], - [pic_mode="$withval"], + [lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for lt_pkg in $withval; do + IFS="$lt_save_ifs" + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac], [pic_mode=default]) test -z "$pic_mode" && pic_mode=m4_default([$1], [default]) diff --git a/m4/ltversion.m4 b/m4/ltversion.m4 index 9c7b5d4..07a8602 100644 --- a/m4/ltversion.m4 +++ b/m4/ltversion.m4 @@ -9,15 +9,15 @@ # @configure_input@ -# serial 3293 ltversion.m4 +# serial 3337 ltversion.m4 # This file is part of GNU Libtool -m4_define([LT_PACKAGE_VERSION], [2.4]) -m4_define([LT_PACKAGE_REVISION], [1.3293]) +m4_define([LT_PACKAGE_VERSION], [2.4.2]) +m4_define([LT_PACKAGE_REVISION], [1.3337]) AC_DEFUN([LTVERSION_VERSION], -[macro_version='2.4' -macro_revision='1.3293' +[macro_version='2.4.2' +macro_revision='1.3337' _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) _LT_DECL(, macro_revision, 0) ]) diff --git a/src/Makefile.am b/src/Makefile.am index dbb6e81..367f5d9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -241,7 +241,7 @@ mod_compress_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) lib_LTLIBRARIES += mod_auth.la -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c +mod_auth_la_SOURCES = mod_auth.c http_auth.c mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) @@ -268,7 +268,7 @@ mod_accesslog_la_LIBADD = $(common_libadd) hdr = server.h buffer.h network.h log.h keyvalue.h \ response.h request.h fastcgi.h chunk.h \ - settings.h http_chunk.h http_auth_digest.h \ + settings.h http_chunk.h \ md5.h http_auth.h stream.h \ fdevent.h connections.h base.h stat_cache.h \ plugin.h mod_auth.h \ diff --git a/src/Makefile.in b/src/Makefile.in index b2d79d0..ddf128c 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -158,7 +158,7 @@ mod_alias_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(mod_alias_la_LDFLAGS) $(LDFLAGS) -o $@ mod_auth_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) -am_mod_auth_la_OBJECTS = mod_auth.lo http_auth_digest.lo http_auth.lo +am_mod_auth_la_OBJECTS = mod_auth.lo http_auth.lo mod_auth_la_OBJECTS = $(am_mod_auth_la_OBJECTS) mod_auth_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -769,7 +769,7 @@ mod_access_la_LIBADD = $(common_libadd) mod_compress_la_SOURCES = mod_compress.c mod_compress_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c +mod_auth_la_SOURCES = mod_auth.c http_auth.c mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) mod_rewrite_la_SOURCES = mod_rewrite.c @@ -786,7 +786,7 @@ mod_accesslog_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_accesslog_la_LIBADD = $(common_libadd) hdr = server.h buffer.h network.h log.h keyvalue.h \ response.h request.h fastcgi.h chunk.h \ - settings.h http_chunk.h http_auth_digest.h \ + settings.h http_chunk.h \ md5.h http_auth.h stream.h \ fdevent.h connections.h base.h stat_cache.h \ plugin.h mod_auth.h \ @@ -1050,7 +1050,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fdevent_solaris_port.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http-header-glue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_auth.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_auth_digest.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_chunk.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inet_ntop_cache.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/joblist.Po@am__quote@ diff --git a/src/SConscript b/src/SConscript index 1d1592e..7565094 100644 --- a/src/SConscript +++ b/src/SConscript @@ -12,7 +12,8 @@ common_src = Split("buffer.c log.c \ data_integer.c md5.c data_fastcgi.c \ fdevent_select.c fdevent_libev.c \ fdevent_poll.c fdevent_linux_sysepoll.c \ - fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ + fdevent_solaris_devpoll.c fdevent_solaris_port.c \ + fdevent_freebsd_kqueue.c \ data_config.c bitset.c \ inet_ntop_cache.c crc32.c \ connections-glue.c \ @@ -62,7 +63,7 @@ modules = { 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_auth' : { - 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], + 'src' : [ 'mod_auth.c', 'http_auth.c' ], 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, @@ -277,6 +277,7 @@ typedef struct { buffer *ssl_cipher_list; buffer *ssl_dh_file; buffer *ssl_ec_curve; + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ unsigned short ssl_use_sslv2; unsigned short ssl_use_sslv3; unsigned short ssl_verifyclient; @@ -284,6 +285,7 @@ typedef struct { unsigned short ssl_verifyclient_depth; buffer *ssl_verifyclient_username; unsigned short ssl_verifyclient_export_cert; + unsigned short ssl_disable_client_renegotiation; unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ unsigned short defer_accept; @@ -437,6 +439,7 @@ typedef struct { # ifndef OPENSSL_NO_TLSEXT buffer *tlsext_server_name; # endif + unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ #endif /* etag handling */ etag_flags_t etag_flags; @@ -647,11 +650,9 @@ typedef struct server { fdevent_handler_t event_handler; - int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); - int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); + int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); #ifdef USE_OPENSSL - int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); - int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); + int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif uid_t uid; diff --git a/src/configfile.c b/src/configfile.c index 162fa00..a03c9bd 100644 --- a/src/configfile.c +++ b/src/configfile.c @@ -105,6 +105,8 @@ static int config_insert(server *srv) { { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ + { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, @@ -176,6 +178,7 @@ static int config_insert(server *srv) { s->max_write_idle = 360; s->use_xattr = 0; s->is_ssl = 0; + s->ssl_honor_cipher_order = 1; s->ssl_use_sslv2 = 0; s->ssl_use_sslv3 = 1; s->use_ipv6 = 0; @@ -199,6 +202,7 @@ static int config_insert(server *srv) { s->ssl_verifyclient_username = buffer_init(); s->ssl_verifyclient_depth = 9; s->ssl_verifyclient_export_cert = 0; + s->ssl_disable_client_renegotiation = 1; cv[2].destination = s->errorfile_prefix; @@ -245,6 +249,8 @@ static int config_insert(server *srv) { cv[62].destination = &(s->ssl_use_sslv3); cv[63].destination = s->ssl_dh_file; cv[64].destination = s->ssl_ec_curve; + cv[66].destination = &(s->ssl_honor_cipher_order); + cv[49].destination = &(s->etag_use_inode); cv[50].destination = &(s->etag_use_mtime); cv[51].destination = &(s->etag_use_size); @@ -255,6 +261,7 @@ static int config_insert(server *srv) { cv[58].destination = &(s->ssl_verifyclient_depth); cv[59].destination = s->ssl_verifyclient_username; cv[60].destination = &(s->ssl_verifyclient_export_cert); + cv[65].destination = &(s->ssl_disable_client_renegotiation); srv->config_storage[i] = s; @@ -335,6 +342,7 @@ int config_setup_connection(server *srv, connection *con) { PATCH(ssl_cipher_list); PATCH(ssl_dh_file); PATCH(ssl_ec_curve); + PATCH(ssl_honor_cipher_order); PATCH(ssl_use_sslv2); PATCH(ssl_use_sslv3); PATCH(etag_use_inode); @@ -346,6 +354,7 @@ int config_setup_connection(server *srv, connection *con) { PATCH(ssl_verifyclient_depth); PATCH(ssl_verifyclient_username); PATCH(ssl_verifyclient_export_cert); + PATCH(ssl_disable_client_renegotiation); return 0; } @@ -400,6 +409,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) { #endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { + PATCH(ssl_honor_cipher_order); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { PATCH(ssl_use_sslv2); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { @@ -454,6 +465,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) { PATCH(ssl_verifyclient_username); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { PATCH(ssl_verifyclient_export_cert); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { + PATCH(ssl_disable_client_renegotiation); } } } diff --git a/src/connections.c b/src/connections.c index 75a8f61..cde78e1 100644 --- a/src/connections.c +++ b/src/connections.c @@ -223,6 +223,12 @@ static int connection_handle_read_ssl(server *srv, connection *con) { len = SSL_read(con->ssl, b->ptr + read_offset, toread); + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + connection_set_state(srv, con, CON_STATE_ERROR); + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + if (len > 0) { if (b->used > 0) b->used--; b->used += len; @@ -445,6 +451,7 @@ static int connection_handle_write_prepare(server *srv, connection *con) { default: switch(con->http_status) { case 400: /* bad request */ + case 401: /* authorization required */ case 414: /* overload request header */ case 505: /* unknown protocol */ case 207: /* this was webdav */ @@ -617,8 +624,9 @@ static int connection_handle_write_prepare(server *srv, connection *con) { } static int connection_handle_write(server *srv, connection *con) { - switch(network_write_chunkqueue(srv, con, con->write_queue)) { + switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { case 0: + con->write_request_ts = srv->cur_ts; if (con->file_finished) { connection_set_state(srv, con, CON_STATE_RESPONSE_END); joblist_append(srv, con); @@ -635,6 +643,7 @@ static int connection_handle_write(server *srv, connection *con) { joblist_append(srv, con); break; case 1: + con->write_request_ts = srv->cur_ts; con->is_writable = 0; /* not finished yet -> WRITE */ @@ -1251,8 +1260,6 @@ static handler_t connection_handle_fdevent(server *srv, void *context, int reven log_error_write(srv, __FILE__, __LINE__, "ds", con->fd, "handle write failed."); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } @@ -1352,6 +1359,7 @@ connection *connection_accept(server *srv, server_socket *srv_socket) { return NULL; } + con->renegotiations = 0; #ifndef OPENSSL_NO_TLSEXT SSL_set_app_data(con->ssl, con); #endif @@ -1667,8 +1675,6 @@ int connection_state_machine(server *srv, connection *con) { con->fd, "handle write failed."); connection_set_state(srv, con, CON_STATE_ERROR); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } diff --git a/src/http_auth.c b/src/http_auth.c index e479683..33adf71 100644 --- a/src/http_auth.c +++ b/src/http_auth.c @@ -1,7 +1,6 @@ #include "server.h" #include "log.h" #include "http_auth.h" -#include "http_auth_digest.h" #include "inet_ntop_cache.h" #include "stream.h" @@ -28,17 +27,22 @@ #include <unistd.h> #include <ctype.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final +#define HASHLEN 16 +#define HASHHEXLEN 32 +typedef unsigned char HASH[HASHLEN]; +typedef char HASHHEX[HASHHEXLEN+1]; -#endif +static void CvtHex(const HASH Bin, char Hex[33]) { + unsigned short i; + + for (i = 0; i < 16; i++) { + Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); + Hex[i*2+1] = int2hex(Bin[i] & 0xf); + } + Hex[32] = '\0'; +} /** * the $apr1$ handling is taken from apache 1.3.x @@ -95,7 +99,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) { ch = in[0]; /* run through the whole string, converting as we go */ for (i = 0; i < in_len; i++) { - ch = in[i]; + ch = (unsigned char) in[i]; if (ch == '\0') break; @@ -435,7 +439,7 @@ static int http_auth_match_rules(server *srv, mod_auth_plugin_data *p, const cha static void to64(char *s, unsigned long v, int n) { - static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ + static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; while (--n >= 0) { @@ -455,7 +459,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ const char *sp, *ep; unsigned char final[APR_MD5_DIGESTSIZE]; ssize_t sl, pl, i; - MD5_CTX ctx, ctx1; + li_MD5_CTX ctx, ctx1; unsigned long l; /* @@ -487,33 +491,33 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ /* * 'Time to make the doughnuts..' */ - MD5_Init(&ctx); + li_MD5_Init(&ctx); /* * The password first, since that is what is most unknown */ - MD5_Update(&ctx, pw, strlen(pw)); + li_MD5_Update(&ctx, pw, strlen(pw)); /* * Then our magic string */ - MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); + li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); /* * Then the raw salt */ - MD5_Update(&ctx, sp, sl); + li_MD5_Update(&ctx, sp, sl); /* * Then just as many characters of the MD5(pw, salt, pw) */ - MD5_Init(&ctx1); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Update(&ctx1, sp, sl); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Final(final, &ctx1); + li_MD5_Init(&ctx1); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Final(final, &ctx1); for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { - MD5_Update(&ctx, final, + li_MD5_Update(&ctx, final, (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); } @@ -527,10 +531,10 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ */ for (i = strlen(pw); i != 0; i >>= 1) { if (i & 1) { - MD5_Update(&ctx, final, 1); + li_MD5_Update(&ctx, final, 1); } else { - MD5_Update(&ctx, pw, 1); + li_MD5_Update(&ctx, pw, 1); } } @@ -542,7 +546,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ strncat(passwd, sp, sl); strcat(passwd, "$"); - MD5_Final(final, &ctx); + li_MD5_Final(final, &ctx); /* * And now, just to make sure things don't run too fast.. @@ -550,28 +554,28 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ * need 30 seconds to build a 1000 entry dictionary... */ for (i = 0; i < 1000; i++) { - MD5_Init(&ctx1); + li_MD5_Init(&ctx1); if (i & 1) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } else { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } if (i % 3) { - MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, sp, sl); } if (i % 7) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } if (i & 1) { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } else { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } - MD5_Final(final,&ctx1); + li_MD5_Final(final,&ctx1); } p = passwd + strlen(passwd); @@ -614,17 +618,17 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p * user:realm:md5(user:realm:password) */ - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; char a1[256]; - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); + li_MD5_Final(HA1, &Md5Ctx); CvtHex(HA1, a1); @@ -930,7 +934,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p int i; buffer *password, *b, *username_buf, *realm_buf; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; HASH HA2; HASH RespHash; @@ -1067,13 +1071,13 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { /* generate password from plain-text */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); + li_MD5_Final(HA1, &Md5Ctx); } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { /* HA1 */ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ @@ -1090,45 +1094,45 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p if (algorithm && strcasecmp(algorithm, "md5-sess") == 0) { - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Final(HA1, &Md5Ctx); } CvtHex(HA1, a1); /* calculate H(A2) */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); if (qop && strcasecmp(qop, "auth-int") == 0) { - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); } - MD5_Final(HA2, &Md5Ctx); + li_MD5_Final(HA2, &Md5Ctx); CvtHex(HA2, HA2Hex); /* calculate response */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); if (qop && *qop) { - MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); }; - MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); - MD5_Final(RespHash, &Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); + li_MD5_Final(RespHash, &Md5Ctx); CvtHex(RespHash, a2); if (0 != strcmp(a2, respons)) { @@ -1171,24 +1175,24 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { HASH h; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; char hh[32]; UNUSED(p); /* generate shared-secret */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ LI_ltostr(hh, srv->cur_ts); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); LI_ltostr(hh, rand()); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Final(h, &Md5Ctx); + li_MD5_Final(h, &Md5Ctx); CvtHex(h, out); diff --git a/src/http_auth_digest.c b/src/http_auth_digest.c deleted file mode 100644 index 83b3c60..0000000 --- a/src/http_auth_digest.c +++ /dev/null @@ -1,26 +0,0 @@ -#include "buffer.h" - -#include "http_auth_digest.h" - -#include <string.h> - -#ifndef USE_OPENSSL -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - -void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { - unsigned short i; - - for (i = 0; i < HASHLEN; i++) { - Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); - Hex[i*2+1] = int2hex(Bin[i] & 0xf); - } - Hex[HASHHEXLEN] = '\0'; -} - diff --git a/src/http_auth_digest.h b/src/http_auth_digest.h deleted file mode 100644 index 58e8cb5..0000000 --- a/src/http_auth_digest.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef _DIGCALC_H_ -#define _DIGCALC_H_ - -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#define HASHLEN 16 -typedef unsigned char HASH[HASHLEN]; -#define HASHHEXLEN 32 -typedef char HASHHEX[HASHHEXLEN+1]; -#ifdef USE_OPENSSL -#define IN const -#else -#define IN -#endif -#define OUT - -void CvtHex( - IN HASH Bin, - OUT HASHHEX Hex - ); - -#endif diff --git a/src/mod_cgi.c b/src/mod_cgi.c index 25d2f65..083be91 100644 --- a/src/mod_cgi.c +++ b/src/mod_cgi.c @@ -1288,6 +1288,15 @@ TRIGGER_FUNC(cgi_trigger) { #endif break; case -1: + if (errno == ECHILD) { + /* someone else called waitpid... remove the pid to stop looping the error each time */ + log_error_write(srv, __FILE__, __LINE__, "s", "cgi child vanished, probably someone else called waitpid"); + + cgi_pid_del(srv, p, p->cgi_pid.ptr[ndx]); + ndx--; + continue; + } + log_error_write(srv, __FILE__, __LINE__, "ss", "waitpid failed: ", strerror(errno)); return HANDLER_ERROR; diff --git a/src/mod_cml_funcs.c b/src/mod_cml_funcs.c index b8958ab..9d859c7 100644 --- a/src/mod_cml_funcs.c +++ b/src/mod_cml_funcs.c @@ -17,17 +17,7 @@ #include <dirent.h> #include <stdio.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif +#include "md5.h" #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; @@ -43,7 +33,7 @@ typedef char HASHHEX[HASHHEXLEN+1]; #ifdef HAVE_LUA_H int f_crypto_md5(lua_State *L) { - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; buffer b; char hex[33]; @@ -63,9 +53,9 @@ int f_crypto_md5(lua_State *L) { lua_error(L); } - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(&b, (char *)HA1, 16); diff --git a/src/mod_cml_lua.c b/src/mod_cml_lua.c index 8be4538..9f4e27a 100644 --- a/src/mod_cml_lua.c +++ b/src/mod_cml_lua.c @@ -11,18 +11,6 @@ #include <time.h> #include <string.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 diff --git a/src/mod_dirlisting.c b/src/mod_dirlisting.c index bef8923..cd317ec 100644 --- a/src/mod_dirlisting.c +++ b/src/mod_dirlisting.c @@ -657,7 +657,8 @@ static int http_list_directory(server *srv, connection *con, plugin_data *p, buf i = dir->used - 1; #ifdef HAVE_PATHCONF - if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + /* some broken fs (fuse) return 0 instead of -1 */ #ifdef NAME_MAX name_max = NAME_MAX; #else diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c index 0fbcc17..18a433f 100644 --- a/src/mod_fastcgi.c +++ b/src/mod_fastcgi.c @@ -3075,7 +3075,7 @@ static handler_t fcgi_write_request(server *srv, handler_ctx *hctx) { fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); @@ -3132,7 +3132,6 @@ SUBREQUEST_FUNC(mod_fastcgi_handle_subrequest) { plugin_data *p = p_d; handler_ctx *hctx = con->plugin_ctx[p->id]; - fcgi_proc *proc; fcgi_extension_host *host; if (NULL == hctx) return HANDLER_GO_ON; @@ -3201,7 +3200,6 @@ SUBREQUEST_FUNC(mod_fastcgi_handle_subrequest) { /* ok, create the request */ switch(fcgi_write_request(srv, hctx)) { case HANDLER_ERROR: - proc = hctx->proc; host = hctx->host; if (hctx->state == FCGI_STATE_INIT || diff --git a/src/mod_proxy.c b/src/mod_proxy.c index bd82654..06fe3db 100644 --- a/src/mod_proxy.c +++ b/src/mod_proxy.c @@ -825,7 +825,7 @@ static handler_t proxy_write_request(server *srv, handler_ctx *hctx) { /* fall through */ case PROXY_STATE_WRITE:; - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); diff --git a/src/mod_scgi.c b/src/mod_scgi.c index 59e5ccb..c63de6a 100644 --- a/src/mod_scgi.c +++ b/src/mod_scgi.c @@ -2296,7 +2296,7 @@ static handler_t scgi_write_request(server *srv, handler_ctx *hctx) { /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); diff --git a/src/mod_secure_download.c b/src/mod_secure_download.c index bf33b43..a9c031f 100644 --- a/src/mod_secure_download.c +++ b/src/mod_secure_download.c @@ -8,17 +8,7 @@ #include <stdlib.h> #include <string.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif +#include "md5.h" #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; @@ -200,7 +190,7 @@ static int mod_secdownload_patch_connection(server *srv, connection *con, plugin URIHANDLER_FUNC(mod_secdownload_uri_handler) { plugin_data *p = p_d; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; const char *rel_uri, *ts_str, *md5_str; time_t ts = 0; @@ -266,9 +256,9 @@ URIHANDLER_FUNC(mod_secdownload_uri_handler) { buffer_append_string(p->md5, rel_uri); buffer_append_string_len(p->md5, ts_str, 8); - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(p->md5, (char *)HA1, 16); diff --git a/src/mod_staticfile.c b/src/mod_staticfile.c index 9b937ce..f5114dd 100644 --- a/src/mod_staticfile.c +++ b/src/mod_staticfile.c @@ -26,6 +26,7 @@ typedef struct { array *exclude_ext; unsigned short etags_used; + unsigned short disable_pathinfo; } plugin_config; typedef struct { @@ -84,6 +85,7 @@ SETDEFAULTS_FUNC(mod_staticfile_set_defaults) { config_values_t cv[] = { { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ + { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } }; @@ -97,9 +99,11 @@ SETDEFAULTS_FUNC(mod_staticfile_set_defaults) { s = calloc(1, sizeof(plugin_config)); s->exclude_ext = array_init(); s->etags_used = 1; + s->disable_pathinfo = 0; cv[0].destination = s->exclude_ext; cv[1].destination = &(s->etags_used); + cv[2].destination = &(s->disable_pathinfo); p->config_storage[i] = s; @@ -119,6 +123,7 @@ static int mod_staticfile_patch_connection(server *srv, connection *con, plugin_ PATCH(exclude_ext); PATCH(etags_used); + PATCH(disable_pathinfo); /* skip the first, the global context */ for (i = 1; i < srv->config_context->used; i++) { @@ -136,7 +141,9 @@ static int mod_staticfile_patch_connection(server *srv, connection *con, plugin_ PATCH(exclude_ext); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { PATCH(etags_used); - } + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { + PATCH(disable_pathinfo); + } } } @@ -350,7 +357,6 @@ static int http_response_parse_range(server *srv, connection *con, plugin_data * URIHANDLER_FUNC(mod_staticfile_subrequest) { plugin_data *p = p_d; size_t k; - int s_len; stat_cache_entry *sce = NULL; buffer *mtime = NULL; data_string *ds; @@ -376,7 +382,12 @@ URIHANDLER_FUNC(mod_staticfile_subrequest) { mod_staticfile_patch_connection(srv, con, p); - s_len = con->uri.path->used - 1; + if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { + if (con->conf.log_request_handling) { + log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); + } + return HANDLER_GO_ON; + } /* ignore certain extensions */ for (k = 0; k < p->conf.exclude_ext->used; k++) { diff --git a/src/mod_status.c b/src/mod_status.c index 69c5de5..76061f9 100644 --- a/src/mod_status.c +++ b/src/mod_status.c @@ -487,7 +487,7 @@ static handler_t mod_status_handle_server_status_html(server *srv, connection *c buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">")); - if (con->request.content_length) { + if (c->request.content_length) { buffer_append_long(b, c->request_content_queue->bytes_in); buffer_append_string_len(b, CONST_STR_LEN("/")); buffer_append_long(b, c->request.content_length); diff --git a/src/mod_userdir.c b/src/mod_userdir.c index f0fc005..4a1967f 100644 --- a/src/mod_userdir.c +++ b/src/mod_userdir.c @@ -166,7 +166,6 @@ static int mod_userdir_patch_connection(server *srv, connection *con, plugin_dat URIHANDLER_FUNC(mod_userdir_docroot_handler) { plugin_data *p = p_d; - int uri_len; size_t k; char *rel_url; #ifdef HAVE_PWD_H @@ -182,8 +181,6 @@ URIHANDLER_FUNC(mod_userdir_docroot_handler) { */ if (p->conf.path->used == 0) return HANDLER_GO_ON; - uri_len = con->uri.path->used - 1; - /* /~user/foo.html -> /home/user/public_html/foo.html */ if (con->uri.path->ptr[0] != '/' || diff --git a/src/mod_usertrack.c b/src/mod_usertrack.c index 06de298..9ecabdc 100644 --- a/src/mod_usertrack.c +++ b/src/mod_usertrack.c @@ -8,17 +8,7 @@ #include <stdlib.h> #include <string.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif +#include "md5.h" /* plugin config for all request/connections */ @@ -182,7 +172,7 @@ URIHANDLER_FUNC(mod_usertrack_uri_handler) { plugin_data *p = p_d; data_string *ds; unsigned char h[16]; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; char hh[32]; if (con->uri.path->used == 0) return HANDLER_GO_ON; @@ -228,18 +218,18 @@ URIHANDLER_FUNC(mod_usertrack_uri_handler) { /* taken from mod_auth.c */ /* generate shared-secret */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ LI_ltostr(hh, srv->cur_ts); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); LI_ltostr(hh, rand()); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Final(h, &Md5Ctx); + li_MD5_Final(h, &Md5Ctx); buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); diff --git a/src/network.c b/src/network.c index 58b8e5c..ba36654 100644 --- a/src/network.c +++ b/src/network.c @@ -27,6 +27,19 @@ # include <openssl/rand.h> #endif +#ifdef USE_OPENSSL +static void ssl_info_callback(const SSL *ssl, int where, int ret) { + UNUSED(ret); + + if (0 != (where & SSL_CB_HANDSHAKE_START)) { + connection *con = SSL_get_app_data(ssl); + ++con->renegotiations; + } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} +#endif + static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { server_socket *srv_socket = (server_socket *)context; connection *con; @@ -480,9 +493,11 @@ int network_init(server *srv) { network_backend_t backend; #if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; int nid; #endif +#endif #ifdef USE_OPENSSL DH *dh; @@ -553,6 +568,11 @@ int network_init(server *srv) { /* load SSL certificates */ for (i = 0; i < srv->config_context->used; i++) { specific_config *s = srv->config_storage[i]; +#ifndef SSL_OP_NO_COMPRESSION +# define SSL_OP_NO_COMPRESSION 0 +#endif + long ssloptions = + SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; if (buffer_is_empty(s->ssl_pemfile)) continue; @@ -586,6 +606,9 @@ int network_init(server *srv) { return -1; } + SSL_CTX_set_options(s->ssl_ctx, ssloptions); + SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); + if (!s->ssl_use_sslv2) { /* disable SSLv2 */ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { @@ -611,6 +634,10 @@ int network_init(server *srv) { ERR_error_string(ERR_get_error(), NULL)); return -1; } + + if (s->ssl_honor_cipher_order) { + SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } } /* Support for Diffie-Hellman key exchange */ @@ -847,7 +874,7 @@ int network_register_fdevents(server *srv) { return 0; } -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { int ret = -1; off_t written = 0; #ifdef TCP_CORK @@ -855,14 +882,32 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { #endif server_socket *srv_socket = con->srv_socket; - if (con->conf.global_kbytes_per_second && - *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { - /* we reached the global traffic limit */ + if (con->conf.global_kbytes_per_second) { + off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); + if (limit <= 0) { + /* we reached the global traffic limit */ - con->traffic_limit_reached = 1; - joblist_append(srv, con); + con->traffic_limit_reached = 1; + joblist_append(srv, con); - return 1; + return 1; + } else { + if (max_bytes > limit) max_bytes = limit; + } + } + + if (con->conf.kbytes_per_second) { + off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; + if (limit <= 0) { + /* we reached the traffic limit */ + + con->traffic_limit_reached = 1; + joblist_append(srv, con); + + return 1; + } else { + if (max_bytes > limit) max_bytes = limit; + } } written = cq->bytes_out; @@ -879,10 +924,10 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { if (srv_socket->is_ssl) { #ifdef USE_OPENSSL - ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); + ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); #endif } else { - ret = srv->network_backend_write(srv, con, con->fd, cq); + ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); } if (ret >= 0) { @@ -903,12 +948,5 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { *(con->conf.global_bytes_per_second_cnt_ptr) += written; - if (con->conf.kbytes_per_second && - (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { - /* we reached the traffic limit */ - - con->traffic_limit_reached = 1; - joblist_append(srv, con); - } return ret; } diff --git a/src/network.h b/src/network.h index 99c7596..d9d4e7a 100644 --- a/src/network.h +++ b/src/network.h @@ -3,7 +3,7 @@ #include "server.h" -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); int network_init(server *srv); int network_close(server *srv); diff --git a/src/network_backends.h b/src/network_backends.h index 8d92006..54a07d7 100644 --- a/src/network_backends.h +++ b/src/network_backends.h @@ -47,18 +47,18 @@ #include "base.h" /* return values: - * >= 0 : chunks completed + * >= 0 : no error * -1 : error (on our side) * -2 : remote close */ -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); #ifdef USE_OPENSSL -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif #endif diff --git a/src/network_freebsd_sendfile.c b/src/network_freebsd_sendfile.c index ba92aaf..7b165fc 100644 --- a/src/network_freebsd_sendfile.c +++ b/src/network_freebsd_sendfile.c @@ -31,17 +31,16 @@ # endif #endif -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -49,12 +48,10 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f chunk *tc; size_t num_bytes = 0; - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < UIO_MAXIOV - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); @@ -69,9 +66,9 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -105,6 +102,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f /* check which chunks have been written */ cq->bytes_out += r; + max_bytes -= r; for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { if (r >= (ssize_t)chunks[i].iov_len) { @@ -114,11 +112,10 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -134,7 +131,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f } case FILE_CHUNK: { off_t offset, r; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { @@ -144,9 +141,8 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f } offset = c->file.start + c->offset; - /* limit the toSend to 2^31-1 bytes in a chunk */ - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? - ((1 << 30) - 1) : c->file.length - c->offset; + toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (-1 == c->file.fd) { if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { @@ -197,6 +193,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -218,7 +215,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f } } - return chunks_written; + return 0; } #endif diff --git a/src/network_linux_sendfile.c b/src/network_linux_sendfile.c index 5a44b47..9105603 100644 --- a/src/network_linux_sendfile.c +++ b/src/network_linux_sendfile.c @@ -27,17 +27,16 @@ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ #undef HAVE_POSIX_FADVISE -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -45,12 +44,10 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunk *tc; size_t num_bytes = 0; - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < UIO_MAXIOV - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; @@ -67,9 +64,9 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -100,6 +97,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, /* check which chunks have been written */ cq->bytes_out += r; + max_bytes -= r; for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { if (r >= (ssize_t)chunks[i].iov_len) { @@ -109,11 +107,10 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -130,13 +127,12 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, case FILE_CHUNK: { ssize_t r; off_t offset; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; offset = c->file.start + c->offset; - /* limit the toSend to 2^31-1 bytes in a chunk */ - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? - ((1 << 30) - 1) : c->file.length - c->offset; + toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; /* open file if not already opened */ if (-1 == c->file.fd) { @@ -215,6 +211,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -243,7 +240,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, } } - return chunks_written; + return 0; } #endif diff --git a/src/network_openssl.c b/src/network_openssl.c index d2fb6d8..7bed710 100644 --- a/src/network_openssl.c +++ b/src/network_openssl.c @@ -27,10 +27,9 @@ # include <openssl/ssl.h> # include <openssl/err.h> -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { int ssl_r; chunk *c; - size_t chunks_written = 0; /* this is a 64k sendbuffer * @@ -59,13 +58,13 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); } - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; if (c->mem->used == 0 || c->mem->used == 1) { @@ -75,6 +74,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu offset = c->mem->ptr + c->offset; toSend = c->mem->used - 1 - c->offset; + if (toSend > max_bytes) toSend = max_bytes; /** * SSL_write man-page @@ -87,7 +87,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu */ ERR_clear_error(); - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { + r = SSL_write(ssl, offset, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -139,6 +146,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } if (c->offset == (off_t)c->mem->used - 1) { @@ -168,6 +176,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu do { off_t offset = c->file.start + c->offset; off_t toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; @@ -190,7 +199,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu close(ifd); ERR_clear_error(); - if ((r = SSL_write(ssl, s, toSend)) <= 0) { + r = SSL_write(ssl, s, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -243,12 +259,13 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } if (c->offset == c->file.length) { chunk_finished = 1; } - } while(!chunk_finished && !write_wait); + } while (!chunk_finished && !write_wait && max_bytes > 0); break; } @@ -263,11 +280,9 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu break; } - - chunks_written++; } - return chunks_written; + return 0; } #endif diff --git a/src/network_solaris_sendfilev.c b/src/network_solaris_sendfilev.c index fcfa178..2003200 100644 --- a/src/network_solaris_sendfilev.c +++ b/src/network_solaris_sendfilev.c @@ -38,17 +38,16 @@ */ -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -77,9 +76,9 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -119,11 +118,10 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -139,8 +137,8 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int } case FILE_CHUNK: { ssize_t r; - off_t offset; - size_t toSend, written; + off_t offset, toSend; + size_t written; sendfilevec_t fvec; stat_cache_entry *sce = NULL; int ifd; @@ -153,6 +151,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int offset = c->file.start + c->offset; toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (offset > sce->st.st_size) { log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); @@ -186,6 +185,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int close(ifd); c->offset += written; cq->bytes_out += written; + max_bytes -= written; if (c->offset == c->file.length) { chunk_finished = 1; @@ -207,7 +207,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int } } - return chunks_written; + return 0; } #endif diff --git a/src/network_write.c b/src/network_write.c index b5c89f5..6aa6cfa 100644 --- a/src/network_write.c +++ b/src/network_write.c @@ -24,17 +24,16 @@ # include <sys/resource.h> #endif -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; if (c->mem->used == 0) { @@ -44,6 +43,8 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu offset = c->mem->ptr + c->offset; toSend = c->mem->used - 1 - c->offset; + if (toSend > max_bytes) toSend = max_bytes; + #ifdef __WIN32 if ((r = send(fd, offset, toSend, 0)) < 0) { /* no error handling for windows... */ @@ -72,6 +73,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == (off_t)c->mem->used - 1) { chunk_finished = 1; @@ -85,7 +87,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu #endif ssize_t r; off_t offset; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; int ifd; @@ -98,6 +100,8 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu offset = c->file.start + c->offset; toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; + if (offset > sce->st.st_size) { log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); @@ -181,6 +185,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -200,11 +205,9 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu break; } - - chunks_written++; } - return chunks_written; + return 0; } #if 0 diff --git a/src/network_writev.c b/src/network_writev.c index 6a19348..65bb19d 100644 --- a/src/network_writev.c +++ b/src/network_writev.c @@ -30,17 +30,16 @@ #define LOCAL_BUFFERING 1 #endif -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -65,12 +64,10 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" #endif - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < max_chunks - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); @@ -87,9 +84,9 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -121,6 +118,7 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq } cq->bytes_out += r; + max_bytes -= r; /* check which chunks have been written */ @@ -132,11 +130,10 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -284,6 +281,8 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq assert(toSend < 0); } + if (toSend > max_bytes) toSend = max_bytes; + #ifdef LOCAL_BUFFERING start = c->mem->ptr; #else @@ -309,6 +308,7 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -334,11 +334,9 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq break; } - - chunks_written++; } - return chunks_written; + return 0; } #endif diff --git a/src/request.c b/src/request.c index 5879efe..a48bf48 100644 --- a/src/request.c +++ b/src/request.c @@ -49,7 +49,7 @@ static int request_check_hostname(server *srv, connection *con, buffer *host) { if (++colon_cnt > 7) { return -1; } - } else if (!light_isxdigit(*c)) { + } else if (!light_isxdigit(*c) && '.' != *c) { return -1; } } diff --git a/src/server.c b/src/server.c index 5fcbfe4..bad6c07 100644 --- a/src/server.c +++ b/src/server.c @@ -1120,6 +1120,14 @@ int main (int argc, char **argv) { "s", "fdevent_init failed"); return -1; } + + /* libev backend overwrites our SIGCHLD handler and calls waitpid on SIGCHLD; we want our own SIGCHLD handling. */ +#ifdef HAVE_SIGACTION + sigaction(SIGCHLD, &act, NULL); +#elif defined(HAVE_SIGNAL) + signal(SIGCHLD, signal_handler); +#endif + /* * kqueue() is called here, select resets its internals, * all server sockets get their handlers diff --git a/src/settings.h b/src/settings.h index 6ee44b6..137a0a8 100644 --- a/src/settings.h +++ b/src/settings.h @@ -21,7 +21,10 @@ * 64kB (no real reason, just a guess) */ #define BUFFER_MAX_REUSE_SIZE (4 * 1024) -#define MAX_READ_LIMIT (4*1024*1024) + +/* both should be way smaller than SSIZE_MAX :) */ +#define MAX_READ_LIMIT (256*1024) +#define MAX_WRITE_LIMIT (256*1024) /** * max size of the HTTP request header diff --git a/tests/lighttpd.conf b/tests/lighttpd.conf index f93311d..8608fdd 100644 --- a/tests/lighttpd.conf +++ b/tests/lighttpd.conf @@ -149,6 +149,7 @@ $HTTP["host"] == "vvv.example.org" { $HTTP["host"] == "zzz.example.org" { server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" server.name = "zzz.example.org" + static-file.disable-pathinfo = "enable" } $HTTP["host"] == "symlink.example.org" { diff --git a/tests/mod-auth.t b/tests/mod-auth.t index 475a5f6..89ead9d 100755 --- a/tests/mod-auth.t +++ b/tests/mod-auth.t @@ -8,7 +8,7 @@ BEGIN { use strict; use IO::Socket; -use Test::More tests => 14; +use Test::More tests => 15; use LightyTest; my $tf = LightyTest->new(); @@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token'); $t->{REQUEST} = ( <<EOF GET /server-status HTTP/1.0 +Authorization: Basic \x80mFuOmphb +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; +ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); + +$t->{REQUEST} = ( <<EOF +GET /server-status HTTP/1.0 Authorization: Basic amFuOmphb EOF ); diff --git a/tests/request.t b/tests/request.t index 5c2dfd5..c4bd958 100755 --- a/tests/request.t +++ b/tests/request.t @@ -8,7 +8,7 @@ BEGIN { use strict; use IO::Socket; -use Test::More tests => 44; +use Test::More tests => 46; use LightyTest; my $tf = LightyTest->new(); @@ -413,5 +413,21 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP- $t->{SLOWREQUEST} = 1; ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); +print "\nPathinfo for static files\n"; +$t->{REQUEST} = ( <<EOF +GET /image.jpg/index.php HTTP/1.0 +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; +ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); + +$t->{REQUEST} = ( <<EOF +GET /image.jpg/index.php HTTP/1.0 +Host: zzz.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; +ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); + ok($tf->stop_proc == 0, "Stopping lighttpd"); diff --git a/tests/wrapper.sh b/tests/wrapper.sh index 07cc784..571594c 100755 --- a/tests/wrapper.sh +++ b/tests/wrapper.sh @@ -6,4 +6,4 @@ srcdir=$1 top_builddir=$2 export SHELL srcdir top_builddir -$3 +exec $3 |