www/nghttp2/files/patch-LibreSSL-PSK
- This file was added.
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
See https://github.com/nghttp2/nghttp2/pull/789 | |||||
nghttpx: Don't build PSK features with LibreSSL #789 | |||||
LibreSSL removed PSK in 2.0.0 | |||||
--- src/shrpx.cc.orig 2017-01-25 11:30:16 UTC | |||||
+++ src/shrpx.cc | |||||
@@ -2119,6 +2119,7 @@ SSL/TLS: | |||||
argument <CERT>, or certificate option in configuration | |||||
file. For additional certificates, use --subcert | |||||
option. This option requires OpenSSL >= 1.0.2. | |||||
+#if !LIBRESSL_IN_USE | |||||
--psk-secrets=<PATH> | |||||
Read list of PSK identity and secrets from <PATH>. This | |||||
is used for frontend connection. The each line of input | |||||
@@ -2146,6 +2147,7 @@ SSL/TLS: | |||||
HTTP/2. To use those cipher suites with HTTP/2, | |||||
consider to use --client-no-http2-cipher-black-list | |||||
option. But be aware its implications. | |||||
+#endif // !LIBRESSL_IN_USE | |||||
HTTP/2 and SPDY: | |||||
-c, --frontend-http2-max-concurrent-streams=<N> | |||||
@@ -3125,8 +3127,10 @@ int main(int argc, char **argv) { | |||||
{SHRPX_OPT_DNS_MAX_TRY.c_str(), required_argument, &flag, 145}, | |||||
{SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT.c_str(), required_argument, | |||||
&flag, 146}, | |||||
+#if !LIBRESSL_IN_USE | |||||
{SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147}, | |||||
{SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148}, | |||||
+#endif | |||||
{SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument, | |||||
&flag, 149}, | |||||
{SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150}, | |||||
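Review bot: The `#endif` that closes the two PSK entries in the long-option table carries no trailing comment, while every other closing directive in this patch is written `#endif // !LIBRESSL_IN_USE`; the same bare `#endif` appears in the `option_lookup_token` hunk around the `psk-secret` test. In a table this long the unlabelled directive is hard to pair with its opener when reading, so `#endif // !LIBRESSL_IN_USE` here and in that later hunk would keep the patch's own convention. main() starts and ends outside the hunk.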
@@ -3821,6 +3825,7 @@ int main(int argc, char **argv) { | |||||
cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT, | |||||
StringRef{optarg}); | |||||
break; | |||||
+#if !LIBRESSL_IN_USE | |||||
case 147: | |||||
// --psk-secrets | |||||
cmdcfgs.emplace_back(SHRPX_OPT_PSK_SECRETS, StringRef{optarg}); | |||||
@@ -3829,6 +3834,7 @@ int main(int argc, char **argv) { | |||||
// --client-psk-secrets | |||||
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg}); | |||||
break; | |||||
+#endif // !LIBRESSL_IN_USE | |||||
case 149: | |||||
// --client-no-http2-cipher-black-list | |||||
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, | |||||
--- src/shrpx_config.cc.orig 2017-01-25 11:30:16 UTC | |||||
+++ src/shrpx_config.cc | |||||
@@ -1199,6 +1199,7 @@ int read_tls_sct_from_dir(std::vector<ui | |||||
} | |||||
} // namespace | |||||
+#if !LIBRESSL_IN_USE | |||||
namespace { | |||||
// Reads PSK secrets from path, and parses each line. The result is | |||||
// directly stored into config->tls.psk_secrets. This function | |||||
@@ -1262,7 +1263,9 @@ int parse_psk_secrets(Config *config, co | |||||
return 0; | |||||
} | |||||
} // namespace | |||||
+#endif // !LIBRESSL_IN_USE | |||||
+#if !LIBRESSL_IN_USE | |||||
namespace { | |||||
// Reads PSK secrets from path, and parses each line. The result is | |||||
// directly stored into config->tls.client.psk. This function returns | |||||
@@ -1322,6 +1325,7 @@ int parse_client_psk_secrets(Config *con | |||||
return 0; | |||||
} | |||||
} // namespace | |||||
+#endif // !LIBRESSL_IN_USE | |||||
// generated by gennghttpxfun.py | |||||
int option_lookup_token(const char *name, size_t namelen) { | |||||
@@ -1490,10 +1494,12 @@ int option_lookup_token(const char *name | |||||
if (util::strieq_l("ecdh-curve", name, 10)) { | |||||
return SHRPX_OPTID_ECDH_CURVES; | |||||
} | |||||
+#if !LIBRESSL_IN_USE | |||||
if (util::strieq_l("psk-secret", name, 10)) { | |||||
return SHRPX_OPTID_PSK_SECRETS; | |||||
} | |||||
break; | |||||
+#endif | |||||
case 't': | |||||
if (util::strieq_l("write-burs", name, 10)) { | |||||
return SHRPX_OPTID_WRITE_BURST; | |||||
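Review bot: The conditional in this hunk wraps the `break;` together with the `psk-secret` test, so when LIBRESSL_IN_USE is set the label containing the `ecdh-curve` check (presumably a `case 's':`, which begins above the hunk) no longer ends with a `break` and falls into `case 't':`. That is harmless today only because a name that reached this case cannot also match `write-burs`, but it is an accidental fallthrough that -Wimplicit-fallthrough will report and that silently changes behaviour if another check is later added under `case 't':`. Keep the break unconditional by closing the directive before it: `}` / `#endif // !LIBRESSL_IN_USE` / `break;`. The later hunk in the same function wraps the whole `case 's':` including its `break;`, which is the shape this one should follow.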
@@ -1683,11 +1689,13 @@ int option_lookup_token(const char *name | |||||
return SHRPX_OPTID_ADD_REQUEST_HEADER; | |||||
} | |||||
break; | |||||
+#if !LIBRESSL_IN_USE | |||||
case 's': | |||||
if (util::strieq_l("client-psk-secret", name, 17)) { | |||||
return SHRPX_OPTID_CLIENT_PSK_SECRETS; | |||||
} | |||||
break; | |||||
+#endif // !LIBRESSL_IN_USE | |||||
case 't': | |||||
if (util::strieq_l("dns-lookup-timeou", name, 17)) { | |||||
return SHRPX_OPTID_DNS_LOOKUP_TIMEOUT; | |||||
@@ -3283,10 +3291,12 @@ int parse_config(Config *config, int opt | |||||
case SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT: | |||||
return parse_duration(&config->conn.upstream.timeout.idle_read, opt, | |||||
optarg); | |||||
+#if !LIBRESSL_IN_USE | |||||
case SHRPX_OPTID_PSK_SECRETS: | |||||
return parse_psk_secrets(config, optarg); | |||||
case SHRPX_OPTID_CLIENT_PSK_SECRETS: | |||||
return parse_client_psk_secrets(config, optarg); | |||||
+#endif // !LIBRESSL_IN_USE | |||||
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: | |||||
config->tls.client.no_http2_cipher_black_list = | |||||
util::strieq_l("yes", optarg); | |||||
--- src/shrpx_ssl.cc.orig 2017-01-25 11:30:16 UTC | |||||
+++ src/shrpx_ssl.cc | |||||
@@ -525,6 +525,7 @@ int sct_parse_cb(SSL *ssl, unsigned int | |||||
} // namespace | |||||
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L | |||||
+#if !LIBRESSL_IN_USE | |||||
namespace { | |||||
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, | |||||
unsigned int max_psk_len) { | |||||
@@ -548,7 +549,9 @@ unsigned int psk_server_cb(SSL *ssl, con | |||||
return static_cast<unsigned int>(secret.size()); | |||||
} | |||||
} // namespace | |||||
+#endif // !LIBRESSL_IN_USE | |||||
+#if !LIBRESSL_IN_USE | |||||
namespace { | |||||
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, | |||||
unsigned int max_identity_len, unsigned char *psk, | |||||
@@ -581,6 +584,7 @@ unsigned int psk_client_cb(SSL *ssl, con | |||||
return (unsigned int)secret.size(); | |||||
} | |||||
} // namespace | |||||
+#endif // !LIBRESSL_IN_USE | |||||
struct TLSProtocol { | |||||
StringRef name; | |||||
@@ -784,7 +788,9 @@ SSL_CTX *create_ssl_context(const char * | |||||
} | |||||
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L | |||||
+#if !LIBRESSL_IN_USE | |||||
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); | |||||
+#endif // !LIBRESSL_IN_USE | |||||
auto tls_ctx_data = new TLSContextData(); | |||||
tls_ctx_data->cert_file = cert_file; | |||||
@@ -919,7 +925,9 @@ SSL_CTX *create_ssl_client_context( | |||||
#endif // HAVE_NEVERBLEED | |||||
} | |||||
+#if !LIBRESSL_IN_USE | |||||
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb); | |||||
+#endif // !LIBRESSL_IN_USE | |||||
// NPN selection callback. This is required to set SSL_CTX because | |||||
// OpenSSL does not offer SSL_set_next_proto_select_cb. |