Hello community, here is the log from the commit of package hiawatha for openSUSE:Factory checked in at 2014-11-04 17:29:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hiawatha (Old) and /work/SRC/openSUSE:Factory/.hiawatha.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hiawatha" Changes: -------- --- /work/SRC/openSUSE:Factory/hiawatha/hiawatha.changes 2014-09-12 10:03:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.hiawatha.new/hiawatha.changes 2014-11-04 17:29:57.000000000 +0100 @@ -1,0 +2,8 @@ +Sun Nov 2 22:37:08 UTC 2014 - fi...@opensuse.org + +- Update to 9.8: + * Added support for websockets. WebSocket option added. + * SSL key and certificate checks added to wigwam. + * Small bugfixes and improvements. + +------------------------------------------------------------------- Old: ---- hiawatha-9.7.tar.gz New: ---- hiawatha-9.8.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hiawatha.spec ++++++ --- /var/tmp/diff_new_pack.UyEkxT/_old 2014-11-04 17:29:57.000000000 +0100 +++ /var/tmp/diff_new_pack.UyEkxT/_new 2014-11-04 17:29:57.000000000 +0100 @@ -20,7 +20,7 @@ %define webroot /srv/www Name: hiawatha -Version: 9.7 +Version: 9.8 Release: 0 Summary: A secure and advanced webserver License: GPL-2.0 @@ -78,7 +78,7 @@ -DENABLE_TOOLKIT=On \ -DENABLE_XSLT=On \ -DENABLE_ZLIB_SUPPORT=On \ - -DUSE_SYSTEM_POLARSSL=on + -DUSE_SYSTEM_POLARSSL=On make %{?_smp_mflags} ++++++ hiawatha-9.7.tar.gz -> hiawatha-9.8.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/CMakeLists.txt new/hiawatha-9.8/CMakeLists.txt --- old/hiawatha-9.7/CMakeLists.txt 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/CMakeLists.txt 2014-09-05 16:15:40.000000000 +0200 @@ -34,7 +34,7 @@ # Settings set(HIAWATHA_VERSION_MAJOR 9) -set(HIAWATHA_VERSION_MINOR 7) +set(HIAWATHA_VERSION_MINOR 8) set(HIAWATHA_VERSION_PATCH 0) string(TOLOWER ${CMAKE_PROJECT_NAME} PROJECT_NAME) if(${HIAWATHA_VERSION_PATCH} EQUAL 0) 
@@ -66,6 +66,7 @@ check_function_exists(strnstr HAVE_STRNSTR) check_function_exists(strcasestr HAVE_STRCASESTR) check_function_exists(strncasestr HAVE_STRNCASESTR) +check_function_exists(arc4random_uniform HAVE_ARC4RANDOM) check_library_exists(crypt crypt_r "" HAVE_CRYPT_R) check_library_exists(crypt crypt "" HAVE_CRYPT_LIBRARY) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/ChangeLog new/hiawatha-9.8/ChangeLog --- old/hiawatha-9.7/ChangeLog 2014-08-22 23:04:54.000000000 +0200 +++ new/hiawatha-9.8/ChangeLog 2014-09-27 14:13:17.000000000 +0200 @@ -1,3 +1,13 @@ +hiawatha (9.8) stable; urgency=low + + * Added support for websockets. WebSocket option added. + * Added Red Hat package building script (extra/make_redhat_package). + Thanks to Paul F. Bernal B. + * SSL key and certificate checks added to wigwam. + * Small bugfixes and improvements. + + -- Hugo Leisink <h...@leisink.net> Sat, 27 Sep 2014 14:13:21 +0200 + hiawatha (9.7) stable; urgency=low * UseToolkit now possible in .hiawatha file at root of website. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/config.h.in new/hiawatha-9.8/config.h.in --- old/hiawatha-9.7/config.h.in 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/config.h.in 2014-09-05 16:24:11.000000000 +0200 @@ -46,6 +46,7 @@ #cmakedefine HAVE_STRNCASECMP ${HAVE_STRNCASECMP} #cmakedefine HAVE_STRNSTR ${HAVE_STRNSTR} #cmakedefine HAVE_STRCASESTR ${HAVE_STRCASESTR} +#cmakedefine HAVE_ARC4RANDOM ${HAVE_ARC4RANDOM} /* Features */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/debian/init.d/hiawatha new/hiawatha-9.8/extra/debian/init.d/hiawatha --- old/hiawatha-9.7/extra/debian/init.d/hiawatha 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/debian/init.d/hiawatha 2014-09-26 14:21:02.000000000 +0200 
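Review bot: The added `check_function_exists(arc4random_uniform HAVE_ARC4RANDOM)` probes arc4random_uniform(3) but names the result after arc4random(3), so a reader of config.h.in cannot tell which function the guard actually proves present, and a platform that ships arc4random without arc4random_uniform ends up with the macro unset for a reason the name does not convey. Either rename the result to `HAVE_ARC4RANDOM_UNIFORM` here and in the matching `#cmakedefine` in config.h.in, or add a comment on this line such as `# probes arc4random_uniform(), the function the code calls; it is only shipped together with arc4random()`. No consumer of the macro is visible in this commit, so I could not confirm which of the two functions the C code uses.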
@@ -43,7 +43,7 @@ if [ "${result}" != "0" ]; then echo -e "${RED}Hiawatha has NOT been started!${NORMAL}" - exit 7 + exit 0 fi echo -n "Starting webserver: " @@ -53,7 +53,7 @@ echo -e "${GREEN}Hiawatha${NORMAL}" else echo -e "${RED}error!${NORMAL}" - exit 7 + exit 0 fi } @@ -61,7 +61,7 @@ if [ ! -f ${PIDFILE} ]; then echo -e "Hiawatha${NORMAL}" echo -e "${YELLOW}Hiawatha PID file not found${NORMAL}" - exit 7 + exit 0 fi PID=`cat ${PIDFILE}` @@ -70,7 +70,7 @@ if [ ! -d /proc/${PID} ]; then echo -e "Hiawatha${NORMAL}" echo -e "${YELLOW}Hiawatha is not running${NORMAL}" - exit 7 + exit 0 fi echo -en "Stopping webserver: ${GREEN}" Files old/hiawatha-9.7/extra/macosx/HiawathaWebserver.prefPane_source.tar.gz and new/hiawatha-9.8/extra/macosx/HiawathaWebserver.prefPane_source.tar.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/make_redhat_package new/hiawatha-9.8/extra/make_redhat_package --- old/hiawatha-9.7/extra/make_redhat_package 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/make_redhat_package 2014-09-15 10:05:32.000000000 +0200 @@ -1,7 +1,5 @@ #!/bin/sh -echo "=== Warning, this package building script is still in beta stage.\n" - if [ ! -f /etc/redhat-release ]; then echo "Red Hat (clone) required." exit @@ -47,6 +45,10 @@ # rm -f ~/rpmbuild/SOURCES/hiawatha-${version}.tar.gz cd .. +if [ ! -d "hiawatha-${version}" ]; then + echo -e "\n!! Invalid source directory name. Should be named 'hiawatha-${version}'." + exit +fi mkdir -p ${HOME}/rpmbuild/SOURCES tar -czf ${HOME}/rpmbuild/SOURCES/hiawatha-${version}.tar.gz hiawatha-${version} cd hiawatha-${version} 
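Review bot: The first two hunks change the start path to `exit 0` immediately after printing 'Hiawatha has NOT been started!' and 'error!', so `service hiawatha start` now reports success when the daemon did not come up, and init tooling, configuration management and anyone monitoring the start status will see a healthy service. The LSB init-script convention is a non-zero status (1 for a generic failure) when start fails, so those two lines should read `exit 1` rather than `exit 0`. The third and fourth hunks are in the stop path, where returning 0 for a service that is already stopped is what the same convention asks for, so those two changes are fine. The enclosing start/stop functions begin and end outside the hunks.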
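Review bot: The new `if [ ! -d "hiawatha-${version}" ]` guard prints an error and then calls bare `exit`, which returns status 0, so a caller or a CI job cannot distinguish this abort from a successful build; it should be `exit 1`. The pre-existing `exit` after 'Red Hat (clone) required.' has the same problem. Since the file is `#!/bin/sh`, `echo -e` is also not guaranteed to interpret `\n` (dash prints the `-e` literally); `printf '\n!! Invalid source directory name. Should be named hiawatha-%s.\n' "${version}"` is the portable spelling.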
@@ -59,4 +61,4 @@ # Done # rm -rf build_redhat_package -echo -e "\n-- Package located at ~/rpmbuild/RPMS/${MACHTYPE}/" +echo -e "\n-- Package located at ~/rpmbuild/RPMS/" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/make_windows_package new/hiawatha-9.8/extra/make_windows_package --- old/hiawatha-9.7/extra/make_windows_package 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/make_windows_package 2014-09-14 00:23:36.000000000 +0200 @@ -1,5 +1,7 @@ #!/bin/sh +install_dir="C:\\\\Program Files\\\\Hiawatha" + if [ `uname -o` != "Cygwin" ]; then echo "Cygwin required." exit @@ -31,19 +33,20 @@ # Setup build directory # cd `dirname $0`/.. -if [ -d build ]; then - rm -rf build +if [ -d build_windows_package ]; then + rm -rf build_windows_package fi -mkdir build -cd build +mkdir build_windows_package +cd build_windows_package # Compile Hiawatha # -cmake .. -DCMAKE_INSTALL_SBINDIR="/cygdrive/c/Program Files/Hiawatha/bin" \ - -DCONFIG_DIR="/cygdrive/c/Program Files/Hiawatha/config" \ - -DLOG_DIR="/cygdrive/c/Program Files/Hiawatha/log" \ - -DPID_DIR="/cygdrive/c/Program Files/Hiawatha/log" \ - -DWORK_DIR="/cygdrive/c/Program Files/Hiawatha/work" \ +install_dir_cyg=`cygpath -p "${install_dir}"` +cmake .. -DCMAKE_INSTALL_SBINDIR="${install_dir_cyg}/bin" \ + -DCONFIG_DIR="${install_dir_cyg}/config" \ + -DLOG_DIR="${install_dir_cyg}/log" \ + -DPID_DIR="${install_dir_cyg}/log" \ + -DWORK_DIR="${install_dir_cyg}/work" \ -DWEBROOT_DIR="C:\wwwroot" -DCMAKE_LEGACY_CYGWIN_WIN32=0 make 
@@ -71,12 +74,15 @@ cp /bin/${file} ${dir}/Hiawatha/bin done +install_dir="C:\Program Files\Hiawatha" + cp ../config/index.xslt ${dir}/Hiawatha/config cp ../config/error.xslt ${dir}/Hiawatha/config cp ../config/mimetype.conf ${dir}/Hiawatha/config cp ../extra/windows/*.lnk ${dir}/Hiawatha -cp ../extra/windows/*.bat ${dir}/Hiawatha/bin -cp ../extra/windows/hiawatha.conf ${dir}/Hiawatha/config +sed "s/INSTALL_DIR/${install_dir}/" ../extra/windows/Hiawatha.bat > ${dir}/Hiawatha/bin/Hiawatha.bat +sed "s/INSTALL_DIR/${install_dir}/" ../extra/windows/TestConfig.bat > ${dir}/Hiawatha/bin/TestConfig.bat +sed "s/INSTALL_DIR/${install_dir}/" ../extra/windows/hiawatha.conf > ${dir}/Hiawatha/config/hiawatha.conf cp ../extra/windows/Hiawatha.ico ${dir}/Hiawatha cp ../extra/windows/Installation.txt ${dir} cp ../extra/index.html ${dir}/wwwroot @@ -100,5 +106,5 @@ # cd .. if [ "$1" != "-b" ]; then - rm -rf build + rm -rf build_windows_package fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/redhat/hiawatha.spec new/hiawatha-9.8/extra/redhat/hiawatha.spec --- old/hiawatha-9.7/extra/redhat/hiawatha.spec 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/redhat/hiawatha.spec 2014-09-11 20:48:11.000000000 +0200 
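Review bot: In this hunk `install_dir="C:\Program Files\Hiawatha"` is used as the replacement text of `sed "s/INSTALL_DIR/${install_dir}/"`, where a backslash is an escape character, so the backslashes before `Program` and `Hiawatha` are most likely consumed rather than copied (GNU sed reduces an unrecognised `\X` in the replacement to `X`), leaving Hiawatha.bat, TestConfig.bat and hiawatha.conf with paths like `C:Program FilesHiawatha\bin\wigwam.exe`. Doubling the backslashes for sed, `install_dir='C:\\Program Files\\Hiawatha'`, keeps them in the output; verify against the sed shipped with Cygwin. The first hunk of this file already writes four backslashes for the cygpath call for the same reason, so the two definitions could share one escaped value instead of redefining the variable mid-script. The value is also interpolated unquoted into sed's own syntax, so a `/` in the path would break the expression; that is fine for this fixed value but deserves a comment.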
@@ -25,16 +25,37 @@ -DCMAKE_INSTALL_BINDIR=%{_bindir} -DCMAKE_INSTALL_SBINDIR=%{_sbindir} \ -DCMAKE_INSTALL_SYSCONFDIR=%{_sysconfdir} -DCMAKE_INSTALL_MANDIR=%{_mandir} \ -DENABLE_TOMAHAWK=on -DENABLE_MONITOR=on -make %{?_smp_mflags} +%__make %{?_smp_mflags} %install rm -rf %{buildroot} mkdir -p %{buildroot} -make install DESTDIR=%{buildroot} +%__make install DESTDIR=%{buildroot} mkdir -p %{buildroot}%{_defaultdocdir}/hiawatha cp ChangeLog %{buildroot}%{_defaultdocdir}/hiawatha mkdir -p %{buildroot}%{_initrddir} cp extra/debian/init.d/hiawatha %{buildroot}%{_initrddir} +sed -i "s/#ServerId/ServerId/" %{buildroot}%{_sysconfdir}/hiawatha/hiawatha.conf + +%post +getent group www-data >/dev/null || groupadd -r www-data +getent passwd www-data >/dev/null || \ + useradd -r -g www-data -d /var/www -s /sbin/nologin \ + -c "Web server user" www-data +chkconfig --add hiawatha +if [ "$1" = 1 ]; then + service hiawatha start +else + service hiawatha restart +fi +exit 0 + +%preun +if [ "$1" = 0 ]; then + service hiawatha stop + chkconfig --del hiawatha +fi +exit 0 %clean rm -rf %{buildroot} @@ -44,10 +65,10 @@ %attr(-, root, root) %{_sbindir}/ %attr(-, root, root) %{_libdir}/hiawatha/ %attr(-, root, root) %{_mandir}/ -%attr(-, root, root) %{_sysconfdir}/hiawatha/ %attr(-, root, root) %{_localstatedir}/log/hiawatha/ %attr(-, root, root) %{_localstatedir}/www/hiawatha/ %attr(-, root, root) %{_defaultdocdir}/hiawatha/ %attr(-, root, root) %{_initrddir}/ +%config %{_sysconfdir}/hiawatha %changelog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/windows/Hiawatha.bat new/hiawatha-9.8/extra/windows/Hiawatha.bat --- old/hiawatha-9.7/extra/windows/Hiawatha.bat 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/windows/Hiawatha.bat 2014-09-13 19:40:14.000000000 +0200 
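Review bot: The new `%config %{_sysconfdir}/hiawatha` entry in the second hunk is not `%config(noreplace)`, so on upgrade rpm overwrites an administrator-edited hiawatha.conf (the file carrying TLS certificate paths, ServerId and access rules) and parks the local copy as .rpmsave; `%config(noreplace) %{_sysconfdir}/hiawatha` keeps the local file and writes the packaged one as .rpmnew, which is what operators expect for a server configuration. The `sed -i "s/#ServerId/ServerId/"` in %install enables the www-data drop of privileges that the new %post account creation makes possible, so that ordering is consistent. Starting the daemon unconditionally from %post (`service hiawatha start`) brings a network listener up before the administrator has reviewed the configuration, which distribution packaging guidelines generally discourage; leaving the start to the administrator, or at least documenting the behaviour in a comment above %post, is preferable. The `exit 0` at the end of %post and %preun also hides a failed `useradd` or `chkconfig`, which is the usual scriptlet convention but worth a comment.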
@@ -1,8 +1,8 @@ @ECHO OFF -"C:\Program Files\Hiawatha\bin\wigwam.exe" -q +"INSTALL_DIR\bin\wigwam.exe" -q IF ERRORLEVEL 1 GOTO ERROR -"C:\Program Files\Hiawatha\bin\hiawatha.exe" -d +"INSTALL_DIR\bin\hiawatha.exe" -d IF ERRORLEVEL 1 GOTO ERROR GOTO END diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/windows/TestConfig.bat new/hiawatha-9.8/extra/windows/TestConfig.bat --- old/hiawatha-9.7/extra/windows/TestConfig.bat 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/windows/TestConfig.bat 2014-09-13 19:40:27.000000000 +0200 @@ -1,11 +1,11 @@ @ECHO OFF ECHO Wigwam: -"C:\Program Files\Hiawatha\bin\wigwam.exe" +"INSTALL_DIR\bin\wigwam.exe" IF ERRORLEVEL 1 GOTO ERROR ECHO. ECHO Hiawatha: -"C:\Program Files\Hiawatha\bin\hiawatha.exe" -k +"INSTALL_DIR\bin\hiawatha.exe" -k :ERROR ECHO. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/extra/windows/hiawatha.conf new/hiawatha-9.8/extra/windows/hiawatha.conf --- old/hiawatha-9.7/extra/windows/hiawatha.conf 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/extra/windows/hiawatha.conf 2014-09-13 19:40:06.000000000 +0200 @@ -7,10 +7,10 @@ #ServerId = www-data ConnectionsTotal = 150 ConnectionsPerIP = 10 -SystemLogfile = C:\Program Files\Hiawatha\log\system.log -GarbageLogfile = C:\Program Files\Hiawatha\log\garbage.log -ExploitLogfile = C:\Program Files\Hiawatha\log\exploit.log -PIDfile = C:\Program Files\Hiawatha\log\hiawatha.pid +SystemLogfile = INSTALL_DIR\log\system.log +GarbageLogfile = INSTALL_DIR\log\garbage.log +ExploitLogfile = INSTALL_DIR\log\exploit.log +PIDfile = INSTALL_DIR\log\hiawatha.pid # BINDING SETTINGS @@ -28,7 +28,7 @@ # Interface = ::1 # MaxKeepAlive = 30 # TimeForRequest = 3,20 -# SSLcertFile = C:\Program Files\Hiawatha\config\hiawatha.pem +# SSLcertFile = INSTALL_DIR\config\hiawatha.pem #} 
@@ -46,7 +46,7 @@ # These settings can be used to run CGI applications. # #CGIhandler = C:\Program Files\PHP5\php-cgi.exe:php -#CGIhandler = C:\Program Files\Hiawatha\bin\ssi-cgi.exe:shtml +#CGIhandler = INSTALL_DIR\bin\ssi-cgi.exe:shtml #CGIextension = cgi # #FastCGIserver { @@ -78,5 +78,5 @@ Hostname = 127.0.0.1 WebsiteRoot = C:\wwwroot StartFile = index.html -AccessLogfile = C:\Program Files\Hiawatha\log\access.log -ErrorLogfile = C:\Program Files\Hiawatha\log\error.log +AccessLogfile = INSTALL_DIR\log\access.log +ErrorLogfile = INSTALL_DIR\log\error.log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/man/hiawatha.1.in new/hiawatha-9.8/man/hiawatha.1.in --- old/hiawatha-9.7/man/hiawatha.1.in 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/man/hiawatha.1.in 2014-09-25 17:32:27.000000000 +0200 @@ -29,7 +29,7 @@ .\" ==========[ Configuration files ]========================================== .SH CONFIGURATION FILES -Hiawatha has the following configurationfiles: +Hiawatha has the following configuration files: .TP .B cgi-wrapper.conf See cgi-wrapper(1) for more information. @@ -191,7 +191,7 @@ Example: HideProxy = 192.168.10.20 .TP .B Include <filename>|<directory> -Include another configurationfile or configurationfiles in a directory. +Include another configuration file or configuration files in a directory. .br Example: Include /etc/hiawatha/hosts.conf .TP @@ -225,8 +225,8 @@ .br Default = 1000, example: MaxUrlLength = 500 .TP -.B MimetypeConfig = <configurationfile> -The location of the mimetype configurationfile. It the path is omitted, Hiawatha's configurationfile directory will be used. +.B MimetypeConfig = <configuration file> +The location of the mimetype configuration file. It the path is omitted, Hiawatha's configuration file directory will be used. .br Default = mimetype.conf, example: MimetypeConfig = /etc/mime.types .TP 
@@ -674,6 +674,11 @@ .br Example: WebsiteRoot = /home/webmaster/website .TP +.B WebSocket = ws[s]://<IP address>:<port> <request uri>[,...] [connection timeout] +This setting will make Hiawatha forward the connection to a websocket for every request matching the <request uri>. A wildcard request URI will forward every request for this host. The connection timeout is in minutes and the default is 10. +.br +Example: WebSocket = ws://127.0.0.1:5000 /chat 30 +.TP .B WrapCGI = <wrap_id> Specify a CGI-wrapper id for this virtual host (see cgi-wrapper(1) for more information). .br @@ -786,7 +791,7 @@ .br Call, DenyAccess, Exit, Goto, Redirect, Return, Skip and Use. .br -A negative pattern (leading exclamation mark) can't be used with the redirect action. +A negative pattern (leading exclamation mark) can't be used with the redirect action. The <key> can be * to test every HTTP header. .TP .B Match [!]<pattern> <action> .br @@ -796,6 +801,14 @@ .br Use MatchCI to perform case insensitive URL matching. A negative pattern (leading exclamation mark) can't be used with the redirect and rewrite action. .TP +.B Method <request method> <action> +.br +Perform an action when the request method equals <request method>, where <action> can be one of the following: +.br +Call, DenyAccess, Exit, Goto, Redirect, Return, Skip or Use +.br +Example: Method POST Return +.TP .B RequestURI exists|isfile|isdir Return|Exit If the requested URL exists on disk, don't continue with the URL toolkit. .br diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/polarssl/library/x509_crt.c new/hiawatha-9.8/polarssl/library/x509_crt.c --- old/hiawatha-9.7/polarssl/library/x509_crt.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/polarssl/library/x509_crt.c 2014-09-26 14:34:00.000000000 +0200 
@@ -898,6 +898,7 @@ if( first_error == 0 ) first_error = ret; + total_failed++; continue; } else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/polarssl/patches/1.3.8.diff new/hiawatha-9.8/polarssl/patches/1.3.8.diff --- old/hiawatha-9.7/polarssl/patches/1.3.8.diff 1970-01-01 01:00:00.000000000 +0100 +++ new/hiawatha-9.8/polarssl/patches/1.3.8.diff 2014-09-26 14:33:56.000000000 +0200 @@ -0,0 +1,12 @@ +diff --git old/library/x509_crt.c new/library/x509_crt.c +index 03cdda8..7b22bc5 100644 +--- old/library/x509_crt.c ++++ new/library/x509_crt.c +@@ -898,6 +898,7 @@ int x509_crt_parse( x509_crt *chain, const unsigned char *bu + if( first_error == 0 ) + first_error = ret; + ++ total_failed++; + continue; + } + else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/cache.c new/hiawatha-9.8/src/cache.c --- old/hiawatha-9.7/src/cache.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/cache.c 2014-09-24 16:19:52.000000000 +0200 @@ -162,7 +162,7 @@ strcpy(pos, "X-Empty: "); pos += 9; do { - *(pos++) = ' '; + *(pos++) = 'x'; } while ((*pos != '\r') && (*pos != '\0')); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/hiawatha.c new/hiawatha-9.8/src/hiawatha.c --- old/hiawatha-9.7/src/hiawatha.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/hiawatha.c 2014-09-24 15:26:52.000000000 +0200 @@ -122,7 +122,7 @@ create_logfile(config->exploit_logfile, LOG_PERM, config->server_uid, config->server_gid); } #ifdef ENABLE_DEBUG - create_logfile(LOG_DIR"/debug.log", LOG_PERM, config->server_uid, config->server_gid); + create_logfile(config->debug_logfile, LOG_PERM, config->server_uid, config->server_gid); #endif host = config->first_host; 
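Review bot: The `total_failed++` added to the error branch of x509_crt_parse() in the bundled PolarSSL copy (the function starts outside the hunk) is mirrored in the new polarssl/patches/1.3.8.diff, but the openSUSE spec in this same submission builds with `-DUSE_SYSTEM_POLARSSL=On`, so the distribution binary links the system library and never sees this fix. If the returned count of failed certificates is what the new wigwam key and certificate checks rely on (the changelog mentions them; their code is not in this diff), a chain file with an unparsable certificate could be reported with fewer failures on the openSUSE build than on a build using the bundled copy. Recording the dependency in the spec or the patch, for example `# x509_crt_parse() must count every failed certificate; the bundled copy is patched, a system PolarSSL may not be`, would at least make the gap visible to the packager.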
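Review bot: In the cache.c hunk the do/while that now fills the rest of the header with `'x'` writes one byte at `pos` (the NUL left by `strcpy(pos, "X-Empty: ")`) before it tests `*pos`, so it silently relies on the header being blanked being longer than the 9 bytes of `X-Empty: `; were the original header exactly 9 bytes, the first write would land on the `\r` and corrupt the CRLF. The enclosing function and the name of the header being neutralised are outside the hunk, so I could not confirm that invariant; a comment stating it, `/* the header being blanked is always longer than "X-Empty: ", so pos[9] is safe to overwrite */`, or a `while` loop with the test first, would make it explicit. Padding with `x` instead of spaces makes the value non-blank, which is presumably the purpose of the change; a one-line comment saying why would help the next reader.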
@@ -469,6 +469,8 @@ if (session->request_limit == false) { conns_per_ip = config->total_connections; + } else if (in_iplist(config->hide_proxy, &(session->ip_address))) { + conns_per_ip = config->total_connections; } else { conns_per_ip = config->connections_per_ip; } @@ -614,7 +616,11 @@ } #ifdef ENABLE_SSL - if (init_ssl_module(config->system_logfile) == -1) { +#ifdef ENABLE_DEBUG + if (init_ssl_module(config->debug_logfile) == -1) { +#else + if (init_ssl_module() == -1) { +#endif return -1; } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/ip.c new/hiawatha-9.8/src/ip.c --- old/hiawatha-9.7/src/ip.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/ip.c 2014-09-01 22:07:37.000000000 +0200 @@ -12,8 +12,9 @@ #include "config.h" #include <sys/types.h> #include <stdio.h> -#include <stdbool.h> #include <stdlib.h> +#include <stdbool.h> +#include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netdb.h> 
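Review bot: The new `else if (in_iplist(config->hide_proxy, &(session->ip_address)))` branch exempts every HideProxy address from ConnectionsPerIP by giving it the ConnectionsTotal budget, but nothing in this commit documents that: the man page hunks add WebSocket and Method and leave the HideProxy entry untouched. Since an address on that list can now hold every available connection, the man page should say so and state that HideProxy must name only trusted proxies, and a comment on the new branch, `/* a trusted reverse proxy multiplexes many clients, so the per-IP limit does not apply to it */`, would record the intent in the code. The enclosing function begins outside the hunk, so I could not check whether the per-IP limit is enforced anywhere else for the same address.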
@@ -374,3 +375,49 @@ free(item); } } + +/* Connect to the webserver + */ +int connect_to_server(t_ip_addr *ip_addr, int port) { + int sock = -1; + struct sockaddr_in saddr4; +#ifdef ENABLE_IPV6 + struct sockaddr_in6 saddr6; +#endif + + if (ip_addr == NULL) { + return -1; + } + + if (ip_addr->family == AF_INET) { + /* IPv4 + */ + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) > 0) { + memset(&saddr4, 0, sizeof(struct sockaddr_in)); + saddr4.sin_family = AF_INET; + saddr4.sin_port = htons(port); + memcpy(&saddr4.sin_addr.s_addr, &(ip_addr->value), ip_addr->size); + if (connect(sock, (struct sockaddr*)&saddr4, sizeof(struct sockaddr_in)) != 0) { + close(sock); + sock = -1; + } + } +#ifdef ENABLE_IPV6 + } else if (ip_addr->family == AF_INET6) { + /* IPv6 + */ + if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) > 0) { + memset(&saddr6, 0, sizeof(struct sockaddr_in6)); + saddr6.sin6_family = AF_INET6; + saddr6.sin6_port = htons(port); + memcpy(&saddr6.sin6_addr.s6_addr, &(ip_addr->value), ip_addr->size); + if (connect(sock, (struct sockaddr*)&saddr6, sizeof(struct sockaddr_in6)) != 0) { + close(sock); + sock = -1; + } + } +#endif + } + + return sock; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/ip.h new/hiawatha-9.8/src/ip.h --- old/hiawatha-9.7/src/ip.h 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/ip.h 2014-09-01 22:06:21.000000000 +0200 @@ -66,5 +66,6 @@ int parse_iplist(char *line, t_iplist **list); bool in_iplist(t_iplist *list, t_ip_addr *ip); void remove_iplist(t_iplist *list); +int connect_to_server(t_ip_addr *ip_addr, int port); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/rproxy.c new/hiawatha-9.8/src/rproxy.c --- old/hiawatha-9.7/src/rproxy.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/rproxy.c 2014-09-03 19:44:06.000000000 +0200 
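Review bot: connect_to_server() is moved here from rproxy.c unchanged and now also serves the new WebSocket forwarding, so two pre-existing weaknesses reach more callers: a `socket()` call that returns descriptor 0 is treated as failure by `> 0` (possible once a daemon has closed its standard descriptors), and `connect()` runs with no timeout, so an unreachable backend blocks the worker for the kernel's full SYN-retry interval. The first is a two-line change, `if ((sock = socket(AF_INET, SOCK_STREAM, 0)) != -1) {` and the same for the AF_INET6 branch; the second needs a non-blocking connect with poll() and may reasonably be deferred, but deserves a comment on the function. `port` is an int passed straight to htons(); its range is presumably enforced by parse_ip_port() in the callers, which is outside this diff.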
@@ -28,6 +28,7 @@ #include "global.h" #include "rproxy.h" #include "ssl.h" +#include "ip.h" #include "libstr.h" #include "libfs.h" #include "polarssl/md5.h" @@ -280,52 +281,6 @@ result->bytes_sent = 0; } -/* Connect to the webserver - */ -int connect_to_server(t_ip_addr *ip_addr, int port) { - int sock = -1; - struct sockaddr_in saddr4; -#ifdef ENABLE_IPV6 - struct sockaddr_in6 saddr6; -#endif - - if (ip_addr == NULL) { - return -1; - } - - if (ip_addr->family == AF_INET) { - /* IPv4 - */ - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) > 0) { - memset(&saddr4, 0, sizeof(struct sockaddr_in)); - saddr4.sin_family = AF_INET; - saddr4.sin_port = htons(port); - memcpy(&saddr4.sin_addr.s_addr, &(ip_addr->value), ip_addr->size); - if (connect(sock, (struct sockaddr*)&saddr4, sizeof(struct sockaddr_in)) != 0) { - close(sock); - sock = -1; - } - } -#ifdef ENABLE_IPV6 - } else if (ip_addr->family == AF_INET6) { - /* IPv6 - */ - if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) > 0) { - memset(&saddr6, 0, sizeof(struct sockaddr_in6)); - saddr6.sin6_family = AF_INET6; - saddr6.sin6_port = htons(port); - memcpy(&saddr6.sin6_addr.s6_addr, &(ip_addr->value), ip_addr->size); - if (connect(sock, (struct sockaddr*)&saddr6, sizeof(struct sockaddr_in6)) != 0) { - close(sock); - sock = -1; - } - } -#endif - } - - return sock; -} - /* Send output buffer to webserver */ static int send_buffer_to_webserver(t_rproxy_webserver *webserver, const char *buffer, int size) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/rproxy.h new/hiawatha-9.8/src/rproxy.h --- old/hiawatha-9.7/src/rproxy.h 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/rproxy.h 2014-09-01 22:06:15.000000000 +0200 
@@ -81,7 +81,6 @@ bool rproxy_match(t_rproxy *rproxy, char *uri); bool rproxy_loop_detected(t_http_header *http_headers); void init_rproxy_result(t_rproxy_result *result); -int connect_to_server(t_ip_addr *ip_addr, int port); int send_request_to_webserver(t_rproxy_webserver *webserver, t_rproxy_options *options, t_rproxy *rproxy, t_rproxy_result *result, bool session_keep_alive); int tunnel_ssh_connection(int client_sock); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/serverconfig.c new/hiawatha-9.8/src/serverconfig.c --- old/hiawatha-9.7/src/serverconfig.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/serverconfig.c 2014-09-24 15:21:27.000000000 +0200 @@ -28,7 +28,7 @@ #include "memdbg.h" #define ID_NOBODY 65534 -#define MAX_LENGTH_CONFIGLINE 512 +#define MAX_LENGTH_CONFIGLINE 1024 #define MAX_CACHE_SIZE 100 #define MAX_UPLOAD_SIZE 2047 #define MONITOR_HOSTNAME "monitor" @@ -132,6 +132,7 @@ host->monitor_host = false; #endif host->file_hashes = NULL; + host->websockets = NULL; host->next = NULL; @@ -311,6 +312,9 @@ config->system_logfile = LOG_DIR"/system.log"; config->garbage_logfile = NULL; config->exploit_logfile = LOG_DIR"/exploit.log"; +#ifdef ENABLE_DEBUG + config->debug_logfile = LOG_DIR"/debug.log"; +#endif config->logfile_mask = NULL; config->ban_on_denied_body = 0; @@ -1274,6 +1278,7 @@ static bool host_setting(char *key, char *value, t_host *host) { t_deny_body *deny_body; char *rest; + t_websocket *websocket, *ws; #ifdef ENABLE_RPROXY t_rproxy *rproxy, *list; #endif 
@@ -1498,6 +1503,48 @@ return true; } } + } else if (strcmp(key, "websocket") == 0) { + if ((websocket = (t_websocket*)malloc(sizeof(t_websocket))) != NULL) { + init_charlist(&(websocket->path)); + websocket->timeout = 10 * MINUTE * 1000; + websocket->next = NULL; + + if (host->websockets == NULL) { + host->websockets = websocket; + } else { + ws = host->websockets; + while (ws->next != NULL) { + ws = ws->next; + } + ws->next = websocket; + } + + if (strncmp(value, "ws://", 5) == 0) { + value += 5; +#ifdef ENABLE_SSL + websocket->use_ssl = false; + } else if (strncmp(value, "wss://", 6) == 0) { + value += 6; + websocket->use_ssl = true; +#endif + } else { + return false; + } + + if (split_string(value, &value, &rest, ' ') == 0) { + if (parse_ip_port(value, &(websocket->ip_address), &(websocket->port)) == 0) { + split_string(rest, &value, &rest, ' '); + if (parse_charlist(value, &(websocket->path)) == 0) { + if (rest == NULL) { + return true; + } else if ((websocket->timeout = str_to_int(rest)) > 0) { + websocket->timeout *= MINUTE * 1000; + return true; + } + } + } + } + } } else if (strcmp(key, "wrapcgi") == 0) { if ((host->wrap_cgi = strdup(value)) != NULL) { return true; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/serverconfig.h new/hiawatha-9.8/src/serverconfig.h --- old/hiawatha-9.7/src/serverconfig.h 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/serverconfig.h 2014-09-24 15:21:52.000000000 +0200 @@ -73,6 +73,18 @@ } t_monitor_host_stats; #endif +typedef struct type_websocket { + t_ip_addr ip_address; + int port; + t_charlist path; + int timeout; +#ifdef ENABLE_SSL + bool use_ssl; +#endif + + struct type_websocket *next; +} t_websocket; + typedef struct type_deny_body { regex_t pattern; struct type_deny_body *next; @@ -275,6 +287,7 @@ bool monitor_host; #endif t_file_hash *file_hashes; + t_websocket *websockets; struct type_host *next; } t_host; 
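Review bot: In the new `websocket` branch `websocket->timeout *= MINUTE * 1000` scales an unbounded value from the configuration file, so a large timeout overflows int (undefined behaviour, in practice a negative value), and forward_to_websocket() then hands it to poll(), where a negative timeout means wait forever. Bound it before scaling, `} else if (((websocket->timeout = str_to_int(rest)) > 0) && (websocket->timeout <= INT_MAX / (MINUTE * 1000))) {` (needs <limits.h>), or reject values above a documented maximum. The node is also linked into host->websockets before `value` is validated, so on a parse error the host keeps a half-initialised entry with an unset ip_address and port; that is harmless only if a false return aborts configuration loading, which is decided outside the hunk.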
@@ -306,6 +319,9 @@ char *system_logfile; char *garbage_logfile; char *exploit_logfile; +#ifdef ENABLE_DEBUG + char *debug_logfile; +#endif char *pidfile; t_accesslist *logfile_mask; char *user_directory; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/ssl.c new/hiawatha-9.8/src/ssl.c --- old/hiawatha-9.7/src/ssl.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/ssl.c 2014-09-24 19:17:19.000000000 +0200 @@ -34,6 +34,13 @@ #include "polarssl/dhm.h" #include "polarssl/ssl_cache.h" #include "polarssl/error.h" +#ifdef ENABLE_SSL +#include "polarssl/ssl.h" +#include "polarssl/x509.h" +#ifdef ENABLE_DEBUG +#include "polarssl/debug.h" +#endif +#endif #include "memdbg.h" typedef struct type_sni_list { @@ -167,24 +174,34 @@ static char *dhm_8192_G = "02"; */ -static char *ssl_error_logfile; static pthread_mutex_t random_mutex; static pthread_mutex_t cache_mutex; static ssl_cache_context cache; static t_sni_list *sni_list = NULL; static ctr_drbg_context ctr_drbg; static entropy_context entropy; +#ifdef ENABLE_DEBUG +static char *ssl_error_logfile; +#endif /* Initialize SSL library */ +#ifdef ENABLE_DEBUG int init_ssl_module(char *logfile) { ssl_error_logfile = logfile; +#else +int init_ssl_module(void) { +#endif #if POLARSSL_VERSION_NUMBER >= 0x01030700 if (version_check_feature("POLARSSL_THREADING_PTHREAD") != 0) { fprintf(stderr, "PolarSSL was compiled without the required POLARSSL_THREADING_PTHREAD compiler flag.\n"); return -1; } + +#ifdef ENABLE_DEBUG + debug_set_threshold(SSL_DEBUG_LEVEL); +#endif #endif entropy_init(&entropy); @@ -209,7 +226,7 @@ */ int ssl_register_sni(t_charlist *hostname, pk_context *private_key, x509_crt *certificate, x509_crt *ca_certificate, x509_crl *ca_crl) { - t_sni_list *sni; + t_sni_list *sni, *last; if ((sni = (t_sni_list*)malloc(sizeof(t_sni_list))) == NULL) { return -1; 
@@ -220,9 +237,17 @@ sni->certificate = certificate; sni->ca_certificate = ca_certificate; sni->ca_crl = ca_crl; + sni->next = NULL; - sni->next = sni_list; - sni_list = sni; + if (sni_list == NULL) { + sni_list = sni; + } else { + last = sni_list; + while (last->next != NULL) { + last = last->next; + } + last->next = sni; + } return 0; } @@ -235,7 +260,7 @@ return; } - log_string(ssl_error_logfile, "PolarSSL (%d):%s", *(int*)thread_id, str); + log_string(ssl_error_logfile, "PolarSSL (%d): %s", *(int*)thread_id, str); } #endif @@ -372,6 +397,7 @@ return 0; } } + sni = sni->next; } @@ -473,7 +499,9 @@ result = ssl_read(ssl, (unsigned char*)buffer, maxlength); } while (result == POLARSSL_ERR_NET_WANT_READ); - if (result < 0) { + if (result == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) { + return 0; + } else if (result < 0) { return -1; } @@ -585,7 +613,9 @@ if (hostname != NULL) { ssl_set_hostname(ssl, hostname); } - ssl_set_ciphersuites(ssl, ciphersuites_tls10); + ssl_set_ciphersuites_for_version(ssl, ciphersuites_tls10, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1); + ssl_set_ciphersuites_for_version(ssl, ciphersuites_tls10, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2); + ssl_set_ciphersuites_for_version(ssl, ciphersuites_tls12, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3); if (ssl_handshake(ssl) != 0) { return SSL_HANDSHAKE_ERROR; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/ssl.h new/hiawatha-9.8/src/ssl.h --- old/hiawatha-9.7/src/ssl.h 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/ssl.h 2014-09-24 15:24:28.000000000 +0200 
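Review bot: The ssl_connect() hunk now selects cipher suites per protocol version, but nothing in the visible lines sets a peer-verification mode or a CA chain, and the new forward_to_websocket() in target.c calls `ssl_connect(&ws_ssl_context, &ws_socket, NULL)` with no hostname, so as far as this diff shows a `wss://` backend is neither name-checked nor certificate-verified. The start of ssl_connect() is outside the hunk; if it does not call ssl_set_authmode()/ssl_set_ca_chain(), the WebSocket man-page entry should say that wss:// gives encryption without backend authentication, or the verification should be added, since an operator may reasonably assume the opposite. A short comment on the three `ssl_set_ciphersuites_for_version` lines explaining why the TLS 1.0 suite list is reused for TLS 1.1 would also help.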
@@ -47,7 +47,11 @@ #endif } t_ssl_accept_data; +#ifdef ENABLE_DEBUG int init_ssl_module(char *logfile); +#else +int init_ssl_module(void); +#endif #if POLARSSL_VERSION_NUMBER >= 0x01020000 int ssl_register_sni(t_charlist *hostname, pk_context *private_key, x509_crt *certificate, x509_crt *ca_certificate, x509_crl *ca_crl); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/target.c new/hiawatha-9.8/src/target.c --- old/hiawatha-9.7/src/target.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/target.c 2014-09-06 17:45:38.000000000 +0200 @@ -49,6 +49,7 @@ #define CGI_BUFFER_SIZE 32 * KILOBYTE #define RPROXY_BUFFER_SIZE 32 * KILOBYTE #define MAX_TRACE_HEADER 2 * KILOBYTE +#define WS_BUFFER_SIZE 32 * KILOBYTE #define VALUE_SIZE 64 #define WAIT_FOR_LOCK 3 @@ -1465,7 +1466,7 @@ } static int find_chunk_size(char *buffer, int size, int *chunk_size, int *chunk_left) { - int extra, total; + int total; char *c; if (*chunk_left > 0) { @@ -1484,15 +1485,17 @@ return -1; } - extra = 4 + c - buffer; + *c = '\0'; + *chunk_size = hex_to_int(buffer); + *c = '\r'; - if ((*chunk_size = hex_to_int(buffer)) == -1) { + if (*chunk_size == -1) { return -1; } else if (*chunk_size == 0) { return 0; } - total = *chunk_size + extra; + total = *chunk_size + 4 + (c - buffer); if (total < size) { return find_chunk_size(buffer + total, size - total, chunk_size, chunk_left); @@ -1648,18 +1651,16 @@ */ deadline = time(NULL) + rproxy->timeout; + poll_data.fd = webserver.socket; + poll_data.events = POLL_EVENT_BITS; + do { #ifdef ENABLE_SSL poll_result = session->binding->use_ssl ? ssl_pending(&(session->ssl_context)) : 0; - if (poll_result == 0) { + if (poll_result == 0) #endif - poll_data.fd = webserver.socket; - poll_data.events = POLL_EVENT_BITS; poll_result = poll(&poll_data, 1, 1000); -#ifdef ENABLE_SSL - } -#endif switch (poll_result) { case -1: 
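Review bot: In find_chunk_size() the new `total = *chunk_size + 4 + (c - buffer)` still adds a chunk size parsed from the backend's response to an offset without an overflow check, so a large hex value can wrap `total` negative, pass the `total < size` test, and make the recursive call index before `buffer`. Whether hex_to_int() caps its result is decided outside the hunk; guarding here is cheap: `if (*chunk_size > INT_MAX - 4 - (int)(c - buffer)) { return -1; }` before `total` is computed (needs <limits.h>). The `*c = '\0'; ... *c = '\r';` pair restores a literal CR rather than the byte that was there, which is only correct if `c` was located by searching for "\r\n" earlier in the function; a comment stating that assumption would help.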
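Review bot: The rewritten poll loop now has `if (poll_result == 0)` without braces whose body, `poll_result = poll(&poll_data, 1, 1000);`, sits on the other side of an `#endif`; the new forward_to_websocket() loop later in target.c repeats the same shape. An unbraced conditional split across a preprocessor boundary is easy to break with the next edit (a second statement after the poll call becomes unconditional in SSL builds). Safer is to initialise `poll_result = 0;` before the `#ifdef`, assign the ssl_pending() result inside it, and keep a braced `if (poll_result == 0) { poll_result = poll(&poll_data, 1, 1000); }` after the `#endif`. Hoisting the `poll_data` initialisation out of the loop is fine, since neither field changes between iterations within the hunk.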
@@ -1942,3 +1943,206 @@ return result; } #endif + +static int add_to_buffer(char *str, char *buffer, size_t *size, size_t max_size) { + size_t str_len; + + str_len = strlen(str); + if (*size + str_len >= max_size) { + return -1; + } + + memcpy(buffer + *size, str, str_len); + *size += str_len; + *(buffer + *size) = '\0'; + + return 0; +} + +int forward_to_websocket(t_session *session) { + t_websocket *ws; + int result = -1, ws_socket, poll_result, bytes_read; + size_t size; + t_http_header *http_header; + struct pollfd poll_data[2]; + bool keep_reading = true; + char buffer[WS_BUFFER_SIZE]; +#ifdef ENABLE_SSL + ssl_context ws_ssl_context; +#endif + + ws = session->host->websockets; + while (ws != NULL) { + if (in_charlist(session->uri, &(ws->path))) { + break; + } else if (in_charlist("*", &(ws->path))) { + break; + } + ws = ws->next; + } + + if (ws == NULL) { + return -1; + } + + if ((ws_socket = connect_to_server(&(ws->ip_address), ws->port)) == -1) { + return -1; + } + +#ifdef ENABLE_SSL + if (ws->use_ssl) { + if (ssl_connect(&ws_ssl_context, &ws_socket, NULL) == SSL_HANDSHAKE_ERROR) { + close(ws_socket); + return -1; + } + } +#endif + + size = 0; + add_to_buffer("GET ", buffer, &size, WS_BUFFER_SIZE); + if (add_to_buffer(session->uri, buffer, &size, WS_BUFFER_SIZE) == -1) { + goto ws_error; + } + + if (add_to_buffer(" HTTP/1.1\r\n", buffer, &size, WS_BUFFER_SIZE) == -1) { + goto ws_error; + } + + http_header = session->http_headers; + while (http_header != NULL) { + if (add_to_buffer(http_header->data, buffer, &size, WS_BUFFER_SIZE) == -1) { + goto ws_error; + } + + if (add_to_buffer("\r\n", buffer, &size, WS_BUFFER_SIZE) == -1) { + goto ws_error; + } + + http_header = http_header->next; + } + + if (add_to_buffer("\r\n", buffer, &size, WS_BUFFER_SIZE) == -1) { + goto ws_error; + } + + if (write_buffer(ws_socket, buffer, size) == -1) { + goto ws_error; + } + + poll_data[0].fd = ws_socket; + poll_data[0].events = POLL_EVENT_BITS; + poll_data[1].fd = 
session->client_socket; + poll_data[1].events = POLL_EVENT_BITS; + + result = 0; + + /* Forward data + */ + do { +#ifdef ENABLE_SSL + poll_result = session->binding->use_ssl ? ssl_pending(&(session->ssl_context)) : 0; + + if (poll_result == 0) +#endif + poll_result = poll(poll_data, 2, ws->timeout); + + switch (poll_result) { + case -1: + result = -1; + keep_reading = false; + break; + case 0: + result = 504; + keep_reading = false; + break; + default: + /* Data from websocket to client + */ + if (poll_data[0].revents != 0) { +#ifdef ENABLE_SSL + if (ws->use_ssl) { + if ((bytes_read = ssl_receive(&ws_ssl_context, buffer, WS_BUFFER_SIZE)) == -1) { + keep_reading = false; + result = -1; + break; + } + } else +#endif + if ((bytes_read = read(ws_socket, buffer, WS_BUFFER_SIZE)) == -1) { + keep_reading = false; + result = -1; + break; + } + + if (bytes_read == 0) { + keep_reading = false; + break; + } + +#ifdef ENABLE_SSL + if (session->binding->use_ssl) { + if (ssl_send(&(session->ssl_context), buffer, bytes_read) == -1) { + keep_reading = false; + result = -1; + break; + } + } else +#endif + if (write_buffer(session->client_socket, buffer, bytes_read) == -1) { + keep_reading = false; + result = -1; + break; + } + } + + /* Data from client to websocket + */ + if (poll_data[1].revents != 0) { +#ifdef ENABLE_SSL + if (session->binding->use_ssl) { + if ((bytes_read = ssl_receive(&(session->ssl_context), buffer, WS_BUFFER_SIZE)) == -1) { + keep_reading = false; + result = -1; + break; + } + } else +#endif + if ((bytes_read = read(session->client_socket, buffer, WS_BUFFER_SIZE)) == -1) { + keep_reading = false; + result = -1; + break; + } + + if (bytes_read == 0) { + keep_reading = false; + break; + } + +#ifdef ENABLE_SSL + if (ws->use_ssl) { + if (ssl_send(&ws_ssl_context, buffer, bytes_read) == -1) { + keep_reading = false; + result = -1; + break; + } + } else +#endif + if (write_buffer(ws_socket, buffer, bytes_read) == -1) { + keep_reading = false; + result = -1; + 
break; + } + } + } + } while (keep_reading); + +ws_error: +#ifdef ENABLE_SSL + if (ws->use_ssl) { + ssl_close(&ws_ssl_context); + } +#endif + close(ws_socket); + + return result; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/target.h new/hiawatha-9.8/src/target.h --- old/hiawatha-9.7/src/target.h 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/target.h 2014-09-02 00:23:22.000000000 +0200 @@ -28,5 +28,6 @@ #ifdef ENABLE_RPROXY int proxy_request(t_session *session, t_rproxy *proxy); #endif +int forward_to_websocket(t_session *session); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/toolkit.c new/hiawatha-9.8/src/toolkit.c --- old/hiawatha-9.7/src/toolkit.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/toolkit.c 2014-09-25 17:30:21.000000000 +0200 @@ -337,11 +337,15 @@ return false; } - len = strlen(value); - if ((new_rule->header = (char*)malloc(len + 2)) == NULL) { - return false; + if (strcmp(value, "*") == 0) { + new_rule->header = NULL; + } else { + len = strlen(value); + if ((new_rule->header = (char*)malloc(len + 2)) == NULL) { + return false; + } + sprintf(new_rule->header, "%s:", value); } - sprintf(new_rule->header, "%s:", value); if ((*rest == '\'') || (*rest == '"')) { value = rest + 1; @@ -583,6 +587,7 @@ char *file, *qmark, *header; regmatch_t pmatch[REGEXEC_NMATCH]; struct stat fileinfo; + t_http_header *headers; if (options == NULL) { return UT_ERROR; 
@@ -627,14 +632,32 @@ case tc_header: /* Header */ - if ((header = get_http_header(rule->header, options->http_headers)) == NULL) { - break; - } - if (regexec(&(rule->pattern), header, REGEXEC_NMATCH, pmatch, 0) == 0) { - condition_met = true; - } - if (rule->neg_match) { - condition_met = (condition_met == false); + if (rule->header == NULL) { + headers = options->http_headers; + while (headers != NULL) { + if (regexec(&(rule->pattern), headers->data + headers->value_offset, REGEXEC_NMATCH, pmatch, 0) == 0) { + condition_met = true; + } + if (rule->neg_match) { + condition_met = (condition_met == false); + } + + if (condition_met) { + break; + } + + headers = headers->next; + } + } else { + if ((header = get_http_header(rule->header, options->http_headers)) == NULL) { + break; + } + if (regexec(&(rule->pattern), header, REGEXEC_NMATCH, pmatch, 0) == 0) { + condition_met = true; + } + if (rule->neg_match) { + condition_met = (condition_met == false); + } } break; case tc_method: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/wigwam.c new/hiawatha-9.8/src/wigwam.c --- old/hiawatha-9.7/src/wigwam.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/wigwam.c 2014-09-17 17:15:53.000000000 +0200 @@ -32,6 +32,10 @@ #include "toolkit.h" #include "filehashes.h" #include "polarssl/md5.h" +#ifdef ENABLE_SSL +#include "polarssl/ssl.h" +#include "polarssl/x509.h" +#endif #define MAX_INPUT_SIZE KILOBYTE #define MAX_PATH 1024 @@ -42,6 +46,10 @@ #define HASH_ALGORITM HASH_MD5 +#ifdef ENABLE_SSL +#define RSA_MIN_SIZE 2048 +#endif + typedef struct type_line { char *key, *value, *file; int linenr; @@ -319,6 +327,11 @@ t_line *config = NULL, *haystack, *needles, *needle; char *item, *rest, *info; bool inside_section, has_dot; +#ifdef ENABLE_SSL + pk_context private_key; + x509_crt certificate; + char *last_file = NULL; +#endif if (quiet == false) { printf("Using %s\n", config_dir); 
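Review bot: In the new wildcard branch (`rule->header == NULL`) the neg_match inversion runs inside the loop, once per header, and the loop breaks as soon as condition_met is true; with neg_match set the rule is therefore satisfied by the first header whose value does not match, which is nearly every request, rather than by "no header value matches". Scan all headers for a positive match first and invert once after the loop, as below; the named-header branch already has that shape. (Pre-existing but visible on the new side: when the named header is absent the `break` skips the inversion, so a negated rule on a missing header is never met.)
```c
	if (rule->header == NULL) {
		headers = options->http_headers;
		while (headers != NULL) {
			if (regexec(&(rule->pattern), headers->data + headers->value_offset, REGEXEC_NMATCH, pmatch, 0) == 0) {
				condition_met = true;
				break;
			}
			headers = headers->next;
		}
		if (rule->neg_match) {
			condition_met = (condition_met == false);
		}
	} else {
		/* … unchanged: named-header lookup and match … */
	}
```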
@@ -368,7 +381,7 @@ dispose_result(needles, false); dispose_result(haystack, true); - /* Binding Id check + /* Binding ID check */ haystack = search_key(config, "bindingid"); needles = needle = search_key(config, "requiredbinding"); @@ -389,7 +402,7 @@ dispose_result(needles, false); dispose_result(haystack, false); - /* FastCGI Id check + /* FastCGI ID check */ haystack = search_key(config, "fastcgiid"); needles = needle = search_key(config, "usefastcgi"); @@ -552,6 +565,50 @@ haystack = haystack->next; } +#ifdef ENABLE_SSL + /* SSL checks + */ + needles = needle = search_key(config, "sslcertfile"); + while (needle != NULL) { + if (last_file != NULL) { + if (strcmp(needle->value, last_file) == 0) { + goto next_crt; + } + } + + /* Private key check + */ + pk_init(&private_key); + if (pk_parse_keyfile(&private_key, needle->value, NULL) != 0) { + printf("Error loading RSA private key from %s.\n", needle->value); + errors++; + goto next_crt; + } + + if ((pk_get_type(&private_key) == POLARSSL_PK_RSA) && (pk_get_size(&private_key) < RSA_MIN_SIZE)) { + printf("Warning: the RSA key size in %s should be at least %d bits.\n", needle->value, RSA_MIN_SIZE); + } + + /* Certificate check + */ + x509_crt_init(&certificate); + if (x509_crt_parse_file(&certificate, needle->value) != 0) { + printf("Error loading X.509 certificate from %s.\n", needle->value); + errors++; + goto next_crt; + } + + if (certificate.sig_md < POLARSSL_MD_SHA256) { + printf("Warning: the certificate signature algoritm in %s should at least be SHA256.\n", needle->value); + } + +next_crt: + last_file = needle->value; + needle = needle->next; + } + dispose_result(needles, false); +#endif + dispose_result(config, true); return errors; 
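Review bot: `certificate.sig_md < POLARSSL_MD_SHA256` depends on the ordering of PolarSSL's md_type_t, in which (for the 1.3 series) RIPEMD160 is listed after SHA512, so a RIPEMD160-signed certificate draws no warning; test against an explicit set instead, e.g. `if ((certificate.sig_md != POLARSSL_MD_SHA256) && (certificate.sig_md != POLARSSL_MD_SHA384) && (certificate.sig_md != POLARSSL_MD_SHA512))`. The loop never calls `pk_free(&private_key)` or `x509_crt_free(&certificate)`, so every sslcertfile entry leaks its parsed key and chain — harmless for a one-shot tool, but the `next_crt` label is the natural place to release whatever was initialised. The message text says `algoritm`; make it `algorithm`. Note also that the key and certificate are read from the same file but never checked against each other, so a mismatched pair passes wigwam and only fails at server start.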
@@ -795,7 +852,11 @@ sprintf(salt, "$%d$", HASH_ALGORITM); for (i = 3; i < 19; i++) { +#ifdef HAVE_ARC4RANDOM + salt[i] = salt_digits[arc4random_uniform(len)]; +#else salt[i] = salt_digits[rand() % len]; +#endif } strcpy(salt + 19, "$"); encrypted = crypt(password, salt); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/workers.c new/hiawatha-9.8/src/workers.c --- old/hiawatha-9.7/src/workers.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/workers.c 2014-09-23 13:51:08.000000000 +0200 @@ -308,7 +308,7 @@ */ static int serve_client(t_session *session) { int result, length, auth_result; - char *qmark, chr; + char *qmark, chr, *header; t_host *host_record; t_access access; t_deny_body *deny_body; @@ -343,6 +343,18 @@ session->time = time(NULL); + /* Hide reverse proxies + */ + if (in_iplist(session->config->hide_proxy, &(session->ip_address))) { + if (last_forwarded_ip(session->http_headers, &ip_addr) == 0) { + if (reposition_client(session, &ip_addr) != -1) { + copy_ip(&(session->ip_address), &ip_addr); + } + } + } + + /* SSH tunneling + */ #ifdef ENABLE_RPROXY if (session->request_method == CONNECT) { if (in_iplist(session->config->tunnel_ssh, &(session->ip_address)) == false) { @@ -376,16 +388,6 @@ } #endif - /* Hide reverse proxies - */ - if (in_iplist(session->config->hide_proxy, &(session->ip_address))) { - if (last_forwarded_ip(session->http_headers, &ip_addr) == 0) { - if (reposition_client(session, &ip_addr) != -1) { - copy_ip(&(session->ip_address), &ip_addr); - } - } - } - /* Find host record */ if (session->hostname != NULL) { 
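Review bot: The non-arc4random fallback still draws salt characters with `rand() % len`, which is biased unless len divides RAND_MAX+1 and is only as unpredictable as the seeding, which is not visible in this hunk (the function starts outside it). Salts need not be secret, but they must not repeat across runs; if srand() is fed from time() anywhere, two passwords hashed in the same second share a salt. Where arc4random is unavailable, read the salt bytes from /dev/urandom instead of replacing only `salt[i] = salt_digits[rand() % len];` with a differently seeded rand().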
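Review bot: Moving the X-Forwarded-For rewrite ahead of the CONNECT handling changes which address `tunnel_ssh` is matched against: for peers in hide_proxy it is now the address the proxy reports rather than the proxy's own, and `last_forwarded_ip` takes that header value as given, so a proxy that appends to rather than overwrites the incoming header lets the original client choose the address being tested. That is presumably the intent, but nothing in the hunk says so; add above the block `/* Must run before the tunnel_ssh check: for trusted proxies the forwarded address is the one the access lists apply to. */` and document in the hide_proxy option that the proxy is expected to set, not append, X-Forwarded-For. The rest of serve_client continues past the hunk.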
@@ -479,6 +481,38 @@ *(session->body + session->content_length) = chr; } + /* Websocket + */ + if (session->request_method == GET) { + if ((header = get_http_header("Connection:", session->http_headers)) != NULL) { + if (strcasestr(header, "upgrade") != NULL) { + if ((header = get_http_header("Upgrade:", session->http_headers)) != NULL) { + if (strcasecmp(header, "websocket") == 0) { + switch (access = allow_client(session)) { + case deny: + log_error(session, fb_accesslist); + return 403; + case allow: + break; + case pwd: + case unspecified: + if ((auth_result = http_authentication_result(session, access == unspecified)) != 200) { + return auth_result; + } + } + + session->keep_alive = false; + if (forward_to_websocket(session) == -1) { + return 500; + } + + return 200; + } + } + } + } + } + #ifdef ENABLE_RPROXY /* Reverse proxy */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiawatha-9.7/src/xslt.c new/hiawatha-9.8/src/xslt.c --- old/hiawatha-9.7/src/xslt.c 2014-08-22 00:07:39.000000000 +0200 +++ new/hiawatha-9.8/src/xslt.c 2014-09-17 14:57:21.000000000 +0200 @@ -207,6 +207,7 @@ add_http_header(session, params, "Accept:", "HTTP_ACCEPT", &i); add_http_header(session, params, "Accept-Charset:", "HTTP_ACCEPT_CHARSET", &i); + add_http_header(session, params, "Accept-Encoding:", "HTTP_ACCEPT_ENCODING", &i); add_http_header(session, params, "Accept-Language:", "HTTP_ACCEPT_LANGUAGE", &i); add_http_header(session, params, "Client-IP:", "HTTP_CLIENT_IP", &i); add_http_header(session, params, "From:", "HTTP_FROM", &i); @@ -623,7 +624,7 @@ return -1; } - if ((ruri = strdup(session->request_uri)) == NULL) { + if (xml_special_chars(session->request_uri, &ruri) == -1) { free(text_xml); remove_filelist(filelist); return -1; 
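Review bot: The Upgrade branch fires for any GET carrying `Connection: upgrade` and `Upgrade: websocket`, and forward_to_websocket returns -1 when `session->host->websockets` has no matching entry, so on a host with no WebSocket configured such a request is answered with 500 instead of falling through to the reverse-proxy and other handlers below. Gate the branch on the configuration: `if ((session->request_method == GET) && (session->host->websockets != NULL)) {`. The 504 that forward_to_websocket returns on timeout is also discarded here, since every value other than -1 reaches `return 200`; if that number is what ends up in the access log, keep the result in a local and log the timeout rather than reporting success. The rest of serve_client continues past the hunk.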
@@ -877,7 +878,7 @@ xmlDocPtr data_xml; char *text_xml; int text_size, text_max, result; - char ecode[5], *emesg; + char ecode[5], *emesg, *uri; ecode[4] = '\0'; snprintf(ecode, 4, "%d", session->return_code); @@ -919,10 +920,16 @@ return -1; } - if (add_tag(&text_xml, &text_max, XML_CHUNK_LEN, &text_size, "request_uri", session->request_uri) == -1) { + if (xml_special_chars(session->request_uri, &uri) == -1) { free(text_xml); return -1; } + if (add_tag(&text_xml, &text_max, XML_CHUNK_LEN, &text_size, "request_uri", uri) == -1) { + free(uri); + free(text_xml); + return -1; + } + free(uri); if (session->config->server_string != NULL) { if (add_tag(&text_xml, &text_max, XML_CHUNK_LEN, &text_size, "software", session->config->server_string) == -1) { -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org