Page MenuHomeFreeBSD
Differential D9334 Diff 24439 www/nghttp2/files/patch-LibreSSL-PSK

Changeset View

Standalone View

View Options

www/nghttp2/files/patch-LibreSSL-PSK

  • This file was added.
PropertyOld ValueNew Value
fbsd:nokeywordsnullyes
\ No newline at end of property
svn:eol-stylenullnative
\ No newline at end of property
svn:mime-typenulltext/plain
\ No newline at end of property
See https://github.com/nghttp2/nghttp2/pull/789
nghttpx: Don't build PSK features with LibreSSL #789
LibreSSL removed PSK in 2.0.0
--- src/shrpx.cc.orig 2017-01-25 11:30:16 UTC
+++ src/shrpx.cc
@@ -2119,6 +2119,7 @@ SSL/TLS:
argument <CERT>, or certificate option in configuration
file. For additional certificates, use --subcert
option. This option requires OpenSSL >= 1.0.2.
+#if !LIBRESSL_IN_USE
--psk-secrets=<PATH>
Read list of PSK identity and secrets from <PATH>. This
is used for frontend connection. The each line of input
@@ -2146,6 +2147,7 @@ SSL/TLS:
HTTP/2. To use those cipher suites with HTTP/2,
consider to use --client-no-http2-cipher-black-list
option. But be aware its implications.
+#endif // !LIBRESSL_IN_USE
HTTP/2 and SPDY:
-c, --frontend-http2-max-concurrent-streams=<N>
@@ -3125,8 +3127,10 @@ int main(int argc, char **argv) {
{SHRPX_OPT_DNS_MAX_TRY.c_str(), required_argument, &flag, 145},
{SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT.c_str(), required_argument,
&flag, 146},
+#if !LIBRESSL_IN_USE
{SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147},
{SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148},
+#endif
{SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument,
&flag, 149},
{SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150},
@@ -3821,6 +3825,7 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT,
StringRef{optarg});
break;
+#if !LIBRESSL_IN_USE
case 147:
// --psk-secrets
cmdcfgs.emplace_back(SHRPX_OPT_PSK_SECRETS, StringRef{optarg});
@@ -3829,6 +3834,7 @@ int main(int argc, char **argv) {
// --client-psk-secrets
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg});
break;
+#endif // !LIBRESSL_IN_USE
case 149:
// --client-no-http2-cipher-black-list
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
--- src/shrpx_config.cc.orig 2017-01-25 11:30:16 UTC
+++ src/shrpx_config.cc
@@ -1199,6 +1199,7 @@ int read_tls_sct_from_dir(std::vector<ui
}
} // namespace
+#if !LIBRESSL_IN_USE
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.psk_secrets. This function
@@ -1262,7 +1263,9 @@ int parse_psk_secrets(Config *config, co
return 0;
}
} // namespace
+#endif // !LIBRESSL_IN_USE
+#if !LIBRESSL_IN_USE
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.client.psk. This function returns
@@ -1322,6 +1325,7 @@ int parse_client_psk_secrets(Config *con
return 0;
}
} // namespace
+#endif // !LIBRESSL_IN_USE
// generated by gennghttpxfun.py
int option_lookup_token(const char *name, size_t namelen) {
@@ -1490,10 +1494,12 @@ int option_lookup_token(const char *name
if (util::strieq_l("ecdh-curve", name, 10)) {
return SHRPX_OPTID_ECDH_CURVES;
}
+#if !LIBRESSL_IN_USE
if (util::strieq_l("psk-secret", name, 10)) {
return SHRPX_OPTID_PSK_SECRETS;
}
break;
+#endif
case 't':
if (util::strieq_l("write-burs", name, 10)) {
return SHRPX_OPTID_WRITE_BURST;
@@ -1683,11 +1689,13 @@ int option_lookup_token(const char *name
return SHRPX_OPTID_ADD_REQUEST_HEADER;
}
break;
+#if !LIBRESSL_IN_USE
case 's':
if (util::strieq_l("client-psk-secret", name, 17)) {
return SHRPX_OPTID_CLIENT_PSK_SECRETS;
}
break;
+#endif // !LIBRESSL_IN_USE
case 't':
if (util::strieq_l("dns-lookup-timeou", name, 17)) {
return SHRPX_OPTID_DNS_LOOKUP_TIMEOUT;
@@ -3283,10 +3291,12 @@ int parse_config(Config *config, int opt
case SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT:
return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
optarg);
+#if !LIBRESSL_IN_USE
case SHRPX_OPTID_PSK_SECRETS:
return parse_psk_secrets(config, optarg);
case SHRPX_OPTID_CLIENT_PSK_SECRETS:
return parse_client_psk_secrets(config, optarg);
+#endif // !LIBRESSL_IN_USE
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.client.no_http2_cipher_black_list =
util::strieq_l("yes", optarg);
--- src/shrpx_ssl.cc.orig 2017-01-25 11:30:16 UTC
+++ src/shrpx_ssl.cc
@@ -525,6 +525,7 @@ int sct_parse_cb(SSL *ssl, unsigned int
} // namespace
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_IN_USE
namespace {
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
unsigned int max_psk_len) {
@@ -548,7 +549,9 @@ unsigned int psk_server_cb(SSL *ssl, con
return static_cast<unsigned int>(secret.size());
}
} // namespace
+#endif // !LIBRESSL_IN_USE
+#if !LIBRESSL_IN_USE
namespace {
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
unsigned int max_identity_len, unsigned char *psk,
@@ -581,6 +584,7 @@ unsigned int psk_client_cb(SSL *ssl, con
return (unsigned int)secret.size();
}
} // namespace
+#endif // !LIBRESSL_IN_USE
struct TLSProtocol {
StringRef name;
@@ -784,7 +788,9 @@ SSL_CTX *create_ssl_context(const char *
}
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_IN_USE
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
+#endif // !LIBRESSL_IN_USE
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
@@ -919,7 +925,9 @@ SSL_CTX *create_ssl_client_context(
#endif // HAVE_NEVERBLEED
}
+#if !LIBRESSL_IN_USE
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
+#endif // !LIBRESSL_IN_USE
// NPN selection callback. This is required to set SSL_CTX because
// OpenSSL does not offer SSL_set_next_proto_select_cb.