From c14983a53ac88f8d6e078d7b5fa31f1168d6eeba Mon Sep 17 00:00:00 2001
From: Anton Novojilov
Date: Fri, 14 Oct 2016 08:25:04 -0400
Subject: [PATCH] Version 1.11.5 with Nginx 1.11.5 and BoringSSL

---
 SOURCES/boring.patch | 35 ++++++
 SOURCES/webkaos-dynamic-tls-records.patch | 54 +++------
 SOURCES/webkaos.patch | 58 +++++-----
 patch-check.sh | 77 -------------
 patch-proc.sh | 131 ++++++++++++++++++++++
 webkaos-centos6.spec | 79 ++++++++++---
 webkaos-centos7.spec | 79 ++++++++++---
 7 files changed, 333 insertions(+), 180 deletions(-)
 create mode 100644 SOURCES/boring.patch
 delete mode 100755 patch-check.sh
 create mode 100755 patch-proc.sh

diff --git a/SOURCES/boring.patch b/SOURCES/boring.patch
new file mode 100644
index 0000000..a447aef
--- /dev/null
+++ b/SOURCES/boring.patch
@@ -0,0 +1,35 @@
+diff -ur nginx-1.11.5/src/event/ngx_event_openssl.c nginx-1.11.5-patched/src/event/ngx_event_openssl.c
+--- nginx-1.11.5/src/event/ngx_event_openssl.c 2016-09-13 16:39:24.000000000 +0100
++++ nginx-1.11.5-patched/src/event/ngx_event_openssl.c 2016-09-17 17:33:34.705709306 +0100
+@@ -2016,7 +2016,9 @@
+
+ /* handshake failures */
+ if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
++#ifdef SSL_R_BLOCK_CIPHER_PAD_IS_WRONG
+ || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
++#endif
+ || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
+ || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
+ || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
+@@ -2024,7 +2026,9 @@
+ #ifdef SSL_R_NO_CIPHERS_PASSED
+ || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
+ #endif
++#ifdef SSL_R_NO_CIPHERS_SPECIFIED
+ || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
++#endif
+ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
+ || n == SSL_R_NO_SHARED_CIPHER /* 193 */
+ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
+diff -ur nginx-1.11.5/src/http/ngx_http_upstream.c nginx-1.11.5-patched/src/http/ngx_http_upstream.c
+--- nginx-1.11.5/src/http/ngx_http_upstream.c 2016-09-13 16:39:25.000000000 +0100
++++ nginx-1.11.5-patched/src/http/ngx_http_upstream.c 2016-09-17 17:34:15.882031550 +0100
+@@ -1694,7 +1694,7 @@
+ ngx_log_debug1(NGX_L0G_DEBUG_HTTP, r->connection->log, 0,
+ "upstream SSL server name: \"%s\"", name.data);
+
+- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
++ if (SSL_set_tlsext_host_name(c->ssl->connection, (const char*) name.data) == 0) {
+ ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
+ "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
+ return NGX_ERROR;
diff --git a/SOURCES/webkaos-dynamic-tls-records.patch b/SOURCES/webkaos-dynamic-tls-records.patch
index 843d7ff..01968be 100644
--- a/SOURCES/webkaos-dynamic-tls-records.patch
+++ b/SOURCES/webkaos-dynamic-tls-records.patch
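Review bot: SOURCES/boring.patch carries no explanation of what it adapts or where it comes from; the `#ifdef` guards around `SSL_R_BLOCK_CIPHER_PAD_IS_WRONG` and `SSL_R_NO_CIPHERS_SPECIFIED` and the `(const char*)` cast on `name.data` are presumably there because BoringSSL does not define those reason codes and declares `SSL_set_tlsext_host_name()` as a real function taking `const char *`, but a reader only learns that from a URL comment in the spec files. patch(1) ignores text before the first `diff` line, so a short header can go at the top of the file, e.g. `BoringSSL compatibility for nginx 1.11.5: guard the two reason codes BoringSSL lacks and cast the u_char * host name for SSL_set_tlsext_host_name(). Derived from the ajhaydock/BoringNginx boring.patch referenced in the spec.` The numeric comments such as `/* 129 */` are OpenSSL's reason numbers and may not match BoringSSL's, which the header could also say.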
@@ -1,8 +1,3 @@ -From a424fefb0a638eb6d32756b5a0c471efc63e5384 Mon Sep 17 00:00:00 2001 -From: Vlad Krasnov -Date: Sat, 9 Jan 2016 06:53:14 -0800 -Subject: [PATCH] - Add TLS Dynamic Record Resizing - What we do now: We use a static record size of 4K. This gives a good balance of latency and throughput. @@ -27,18 +22,9 @@ In case the connection idles for a given amount of time (1s, ssl_dyn_rec_timeout), the process repeats itself (i.e. begin sending small records again). ---- - src/event/ngx_event_openssl.c | 39 +++++++++++++++++ - src/event/ngx_event_openssl.h | 15 ++++++- - src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++++++++++++++++++++++++ - src/http/modules/ngx_http_ssl_module.h | 6 +++ - 4 files changed, 135 insertions(+), 1 deletion(-) - -diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 57dfc6c..4a0d41a 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c -@@ -1037,6 +1037,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) +@@ -1131,6 +1131,7 @@ sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); sc->buffer_size = ssl->buffer_size; @@ -46,7 +32,7 @@ index 57dfc6c..4a0d41a 100644 sc->session_ctx = ssl->ctx; -@@ -1575,6 +1576,41 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) +@@ -1669,6 +1670,41 @@ for ( ;; ) { @@ -88,7 +74,7 @@ index 57dfc6c..4a0d41a 100644 while (in && buf->last < buf->end && send < limit) { if (in->buf->last_buf || in->buf->flush) { flush = 1; -@@ -1676,6 +1712,9 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) +@@ -1770,6 +1806,9 @@ if (n > 0) { @@ -98,14 +84,13 @@ index 57dfc6c..4a0d41a 100644 if (c->ssl->saved_read_handler) { c->read->handler = c->ssl->saved_read_handler; -diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index c86be2a..4a45934 100644 --- a/src/event/ngx_event_openssl.h 
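Review bot: Dropping the `From`/`From:`/`Date:`/`Subject:` lines here (and the `2.7.4 (Apple Git-66)` trailer in the last hunk of this file) removes the patch's provenance from the file itself; after this change the author, Vlad Krasnov, and the original commit a424fefb0a638eb6d32756b5a0c471efc63e5384 are no longer recorded anywhere under SOURCES, and the only pointer left is a URL comment in the two spec files. Since the hunk offsets were also re-based for nginx 1.11.5 (`@@ -1131`, `@@ -1669`, …) and the `typedef struct` context was changed to `struct ngx_ssl_s`, a reader cannot tell from the file whether the body still matches upstream. Keep a one-line origin note at the top of the patch, e.g. `Origin: https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__1.11.5_dynamic_tls_records.patch (Vlad Krasnov), re-based for nginx 1.11.5`.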
+++ b/src/event/ngx_event_openssl.h -@@ -38,9 +38,18 @@ +@@ -54,10 +54,19 @@ + #define ngx_ssl_conn_t SSL - typedef struct { ++typedef struct { + ngx_msec_t timeout; + ngx_uint_t threshold; + size_t size_lo; @@ -113,15 +98,15 @@ index c86be2a..4a45934 100644 +} ngx_ssl_dyn_rec_t; + + -+typedef struct { + struct ngx_ssl_s { SSL_CTX *ctx; ngx_log_t *log; size_t buffer_size; + ngx_ssl_dyn_rec_t dyn_rec; - } ngx_ssl_t; + }; -@@ -63,6 +72,10 @@ typedef struct { +@@ -80,6 +89,10 @@ unsigned no_wait_shutdown:1; unsigned no_send_shutdown:1; unsigned handshake_buffer_set:1; @@ -129,10 +114,10 @@ index c86be2a..4a45934 100644 + ngx_ssl_dyn_rec_t dyn_rec; + ngx_msec_t dyn_rec_last_write; + ngx_uint_t dyn_rec_records_sent; - } ngx_ssl_connection_t; + }; -@@ -72,7 +85,7 @@ typedef struct { +@@ -89,7 +102,7 @@ #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 @@ -141,11 +126,9 @@ index c86be2a..4a45934 100644 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; -diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c -index 7b051ea..e2941af 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c -@@ -233,6 +233,41 @@ static ngx_command_t ngx_http_ssl_commands[] = { +@@ -233,6 +233,41 @@ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, @@ -187,7 +170,7 @@ index 7b051ea..e2941af 100644 ngx_null_command }; -@@ -532,6 +567,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) +@@ -533,6 +568,11 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; @@ -199,7 +182,7 @@ index 7b051ea..e2941af 100644 return sscf; } -@@ -596,6 +636,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -598,6 +638,20 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); 
@@ -220,7 +203,7 @@ index 7b051ea..e2941af 100644 conf->ssl.log = cf->log; if (conf->enable) { -@@ -773,6 +827,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -778,6 +832,28 @@ } @@ -249,11 +232,9 @@ index 7b051ea..e2941af 100644 return NGX_CONF_OK; } -diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h -index 8e69e9e..05967d4 100644 --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h -@@ -56,6 +56,12 @@ typedef struct { +@@ -57,6 +57,12 @@ u_char *file; ngx_uint_t line; @@ -266,6 +247,3 @@ index 8e69e9e..05967d4 100644 } ngx_http_ssl_srv_conf_t; --- -2.7.4 (Apple Git-66) - diff --git a/SOURCES/webkaos.patch b/SOURCES/webkaos.patch index bf96aec..665bc43 100644 --- a/SOURCES/webkaos.patch +++ b/SOURCES/webkaos.patch @@ -1,6 +1,6 @@ -diff -urN nginx-1.11.4-orig/auto/lib/openssl/make nginx-1.11.4/auto/lib/openssl/make ---- nginx-1.11.4-orig/auto/lib/openssl/make 2016-09-24 18:38:32.876164921 -0400 -+++ nginx-1.11.4/auto/lib/openssl/make 2016-09-24 18:45:56.153104377 -0400 +diff -urN nginx-1.11.5-orig/auto/lib/openssl/make nginx-1.11.5/auto/lib/openssl/make +--- nginx-1.11.5-orig/auto/lib/openssl/make 2016-10-13 19:43:12.433021795 -0400 ++++ nginx-1.11.5/auto/lib/openssl/make 2016-10-13 19:45:29.774029162 -0400 @@ -45,18 +45,18 @@ /*) ngx_prefix="$OPENSSL/.openssl" ;; *) ngx_prefix="$PWD/$OPENSSL/.openssl" ;; @@ -24,9 +24,9 @@ diff -urN nginx-1.11.4-orig/auto/lib/openssl/make nginx-1.11.4/auto/lib/openssl/ ;; esac -diff -urN nginx-1.11.4-orig/src/core/nginx.c nginx-1.11.4/src/core/nginx.c ---- nginx-1.11.4-orig/src/core/nginx.c 2016-09-24 18:38:32.912168205 -0400 -+++ nginx-1.11.4/src/core/nginx.c 2016-09-24 18:46:01.468094372 -0400 +diff -urN nginx-1.11.5-orig/src/core/nginx.c nginx-1.11.5/src/core/nginx.c +--- nginx-1.11.5-orig/src/core/nginx.c 2016-10-13 19:43:12.479022089 -0400 ++++ nginx-1.11.5/src/core/nginx.c 2016-10-13 19:45:29.789027430 -0400 
@@ -378,9 +378,9 @@ if (ngx_show_help) { @@ -40,13 +40,13 @@ diff -urN nginx-1.11.4-orig/src/core/nginx.c nginx-1.11.4/src/core/nginx.c "Options:" NGX_LINEFEED " -?,-h : this help" NGX_LINEFEED " -v : show version and exit" NGX_LINEFEED -diff -urN nginx-1.11.4-orig/src/core/nginx.h nginx-1.11.4/src/core/nginx.h ---- nginx-1.11.4-orig/src/core/nginx.h 2016-09-24 18:38:32.915168521 -0400 -+++ nginx-1.11.4/src/core/nginx.h 2016-09-24 18:47:13.000000000 -0400 +diff -urN nginx-1.11.5-orig/src/core/nginx.h nginx-1.11.5/src/core/nginx.h +--- nginx-1.11.5-orig/src/core/nginx.h 2016-10-13 19:43:12.482022088 -0400 ++++ nginx-1.11.5/src/core/nginx.h 2016-10-13 20:15:46.000000000 -0400 @@ -11,7 +11,7 @@ - #define nginx_version 1011004 - #define NGINX_VERSION "1.11.4" + #define nginx_version 1011005 + #define NGINX_VERSION "1.11.5" -#define NGINX_VER "nginx/" NGINX_VERSION +#define NGINX_VER "webkaos/" NGINX_VERSION @@ -61,9 +61,9 @@ diff -urN nginx-1.11.4-orig/src/core/nginx.h nginx-1.11.4/src/core/nginx.h #define NGX_OLDPID_EXT ".oldbin" -diff -urN nginx-1.11.4-orig/src/core/ngx_log.c nginx-1.11.4/src/core/ngx_log.c ---- nginx-1.11.4-orig/src/core/ngx_log.c 2016-09-24 18:38:32.914168419 -0400 -+++ nginx-1.11.4/src/core/ngx_log.c 2016-09-24 18:46:05.775102520 -0400 +diff -urN nginx-1.11.5-orig/src/core/ngx_log.c nginx-1.11.5/src/core/ngx_log.c +--- nginx-1.11.5-orig/src/core/ngx_log.c 2016-10-13 19:43:12.481022088 -0400 ++++ nginx-1.11.5/src/core/ngx_log.c 2016-10-13 19:45:29.807025840 -0400 @@ -202,9 +202,9 @@ return; } 
@@ -94,9 +94,9 @@ diff -urN nginx-1.11.4-orig/src/core/ngx_log.c nginx-1.11.4/src/core/ngx_log.c return NGX_CONF_ERROR; #endif -diff -urN nginx-1.11.4-orig/src/http/modules/ngx_http_autoindex_module.c nginx-1.11.4/src/http/modules/ngx_http_autoindex_module.c ---- nginx-1.11.4-orig/src/http/modules/ngx_http_autoindex_module.c 2016-09-24 18:38:32.899166988 -0400 -+++ nginx-1.11.4/src/http/modules/ngx_http_autoindex_module.c 2016-09-24 18:46:10.110101776 -0400 +diff -urN nginx-1.11.5-orig/src/http/modules/ngx_http_autoindex_module.c nginx-1.11.5/src/http/modules/ngx_http_autoindex_module.c +--- nginx-1.11.5-orig/src/http/modules/ngx_http_autoindex_module.c 2016-10-13 19:43:12.461022088 -0400 ++++ nginx-1.11.5/src/http/modules/ngx_http_autoindex_module.c 2016-10-13 19:45:29.821024648 -0400 @@ -445,9 +445,11 @@ ; @@ -172,9 +172,9 @@ diff -urN nginx-1.11.4-orig/src/http/modules/ngx_http_autoindex_module.c nginx-1 tm.ngx_tm_mday, months[tm.ngx_tm_mon - 1], tm.ngx_tm_year, -diff -urN nginx-1.11.4-orig/src/http/ngx_http_header_filter_module.c nginx-1.11.4/src/http/ngx_http_header_filter_module.c ---- nginx-1.11.4-orig/src/http/ngx_http_header_filter_module.c 2016-09-24 18:38:32.904167347 -0400 -+++ nginx-1.11.4/src/http/ngx_http_header_filter_module.c 2016-09-24 18:46:14.697101031 -0400 +diff -urN nginx-1.11.5-orig/src/http/ngx_http_header_filter_module.c nginx-1.11.5/src/http/ngx_http_header_filter_module.c +--- nginx-1.11.5-orig/src/http/ngx_http_header_filter_module.c 2016-10-13 19:43:12.470022089 -0400 ++++ nginx-1.11.5/src/http/ngx_http_header_filter_module.c 2016-10-13 19:45:29.833023482 -0400 @@ -46,7 +46,7 @@ }; 
@@ -228,9 +228,9 @@ diff -urN nginx-1.11.4-orig/src/http/ngx_http_header_filter_module.c nginx-1.11. #define NGX_HTTP_OFF_5XX (NGX_HTTP_LAST_4XX - 400 + NGX_HTTP_OFF_4XX) ngx_string("500 Internal Server Error"), -diff -urN nginx-1.11.4-orig/src/http/ngx_http_special_response.c nginx-1.11.4/src/http/ngx_http_special_response.c ---- nginx-1.11.4-orig/src/http/ngx_http_special_response.c 2016-09-24 18:38:32.905167415 -0400 -+++ nginx-1.11.4/src/http/ngx_http_special_response.c 2016-09-24 18:46:26.282099228 -0400 +diff -urN nginx-1.11.5-orig/src/http/ngx_http_special_response.c nginx-1.11.5/src/http/ngx_http_special_response.c +--- nginx-1.11.5-orig/src/http/ngx_http_special_response.c 2016-10-13 19:43:12.471022089 -0400 ++++ nginx-1.11.5/src/http/ngx_http_special_response.c 2016-10-13 20:21:05.000000000 -0400 @@ -19,14 +19,14 @@ @@ -683,9 +683,9 @@ diff -urN nginx-1.11.4-orig/src/http/ngx_http_special_response.c nginx-1.11.4/sr #define NGX_HTTP_OFF_5XX (NGX_HTTP_LAST_4XX - 400 + NGX_HTTP_OFF_4XX) ngx_string(ngx_http_error_494_page), /* 494, request header too large */ -diff -urN nginx-1.11.4-orig/src/http/v2/ngx_http_v2_filter_module.c nginx-1.11.4/src/http/v2/ngx_http_v2_filter_module.c ---- nginx-1.11.4-orig/src/http/v2/ngx_http_v2_filter_module.c 2016-09-24 18:38:32.908167736 -0400 -+++ nginx-1.11.4/src/http/v2/ngx_http_v2_filter_module.c 2016-09-24 18:49:16.000000000 -0400 +diff -urN nginx-1.11.5-orig/src/http/v2/ngx_http_v2_filter_module.c nginx-1.11.5/src/http/v2/ngx_http_v2_filter_module.c +--- nginx-1.11.5-orig/src/http/v2/ngx_http_v2_filter_module.c 2016-10-13 19:43:12.474022089 -0400 ++++ nginx-1.11.5/src/http/v2/ngx_http_v2_filter_module.c 2016-10-13 19:45:29.852022348 -0400 @@ -139,7 +139,7 @@ ngx_http_core_srv_conf_t *cscf; u_char addr[NGX_SOCKADDR_STRLEN]; 
@@ -704,9 +704,9 @@ diff -urN nginx-1.11.4-orig/src/http/v2/ngx_http_v2_filter_module.c nginx-1.11.4 *pos++ = ngx_http_v2_inc_indexed(NGX_HTTP_V2_SERVER_INDEX); -diff -urN nginx-1.11.4-orig/src/os/unix/ngx_setproctitle.c nginx-1.11.4/src/os/unix/ngx_setproctitle.c ---- nginx-1.11.4-orig/src/os/unix/ngx_setproctitle.c 2016-09-24 18:38:32.882165538 -0400 -+++ nginx-1.11.4/src/os/unix/ngx_setproctitle.c 2016-09-24 18:46:31.267098432 -0400 +diff -urN nginx-1.11.5-orig/src/os/unix/ngx_setproctitle.c nginx-1.11.5/src/os/unix/ngx_setproctitle.c +--- nginx-1.11.5-orig/src/os/unix/ngx_setproctitle.c 2016-10-13 19:43:12.442022001 -0400 ++++ nginx-1.11.5/src/os/unix/ngx_setproctitle.c 2016-10-13 19:45:29.870021555 -0400 @@ -89,7 +89,7 @@ ngx_os_argv[1] = NULL; diff --git a/patch-check.sh b/patch-check.sh deleted file mode 100755 index 70b0370..0000000 --- a/patch-check.sh +++ /dev/null 
@@ -1,77 +0,0 @@
-#!/usr/bin/env bash
-
-###############################################################################
-
-NORM=0
-BOLD=1
-UNLN=4
-RED=31
-GREEN=32
-BROWN=33
-BLUE=34
-MAG=35
-CYAN=36
-GREY=90
-
-CL_NORM="\e[${NORM}m"
-CL_RED="\e[0;${RED};49m"
-CL_GREEN="\e[0;${GREEN};49m"
-CL_BROWN="\e[0;${BROWN};49m"
-CL_BLUE="\e[0;${BLUE};49m"
-CL_MAG="\e[0;${MAG};49m"
-CL_CYAN="\e[0;${CYAN};49m"
-CL_GREY="\e[0;${GREY};49m"
-CL_BL_RED="\e[1;${RED};49m"
-CL_BL_GREEN="\e[1;${GREEN};49m"
-CL_BL_BROWN="\e[1;${BROWN};49m"
-CL_BL_BLUE="\e[1;${BLUE};49m"
-CL_BL_MAG="\e[1;${MAG};49m"
-CL_BL_CYAN="\e[1;${CYAN};49m"
-CL_BL_GREY="\e[1;${GREY};49m"
-
-###############################################################################
-
-main() {
- if [[ $# -ne 3 ]] ; then
- echo "Usage: ./patch-check.sh webkaos.patch old-ver-dir new-ver-dir"
- exit 0
- fi
-
- local patch_file="$1"
- local old_ver_dir="$2"
- local new_ver_dir="$3"
-
- local sources=$(grep '+++' "$patch_file" | tr "\t" " " | cut -f2 -d" " | cut -f2-99 -d "/")
-
- show ""
-
- for source_file in $sources ; do
- local old_ver_hash=$(getHash "$old_ver_dir/$source_file")
- local new_ver_hash=$(getHash "$new_ver_dir/$source_file")
-
- if [[ "$old_ver_hash" == "$new_ver_hash" ]] ; then
- show " ${CL_GREEN}✔ ${CL_NORM}$source_file"
- else
- local diff_size=$(diff -U 0 "$old_ver_dir/$source_file" "$new_ver_dir/$source_file" | grep -v ^@ | wc -l)
- show " ${CL_RED}✖ ${CL_NORM}$source_file ${CL_GREY}($diff_size lines)${CL_NORM}"
- fi
- done
-
- show ""
-}
-
-getHash() {
- sha256sum "$1" | cut -f1 -d" "
-}
-
-show() {
- if [[ -n "$2" ]] ; then
- echo -e "\e[${2}m${1}${CL_NORM}"
- else
- echo -e "$@"
- fi
-}
-
-###############################################################################
-
-main $@
diff --git a/patch-proc.sh b/patch-proc.sh
new file mode 100755
index 0000000..caf2882
--- /dev/null
+++ b/patch-proc.sh
@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+###############################################################################
+
+NORM=0
+BOLD=1
+RED=31
+GREEN=32
+BROWN=33
+BLUE=34
+MAG=35
+CYAN=36
+GREY=90
+
+CL_NORM="\e[${NORM}m"
+CL_BOLD="\e[${BOLD}m"
+CL_RED="\e[0;${RED};49m"
+CL_GREEN="\e[0;${GREEN};49m"
+CL_BROWN="\e[0;${BROWN};49m"
+CL_BLUE="\e[0;${BLUE};49m"
+CL_MAG="\e[0;${MAG};49m"
+CL_CYAN="\e[0;${CYAN};49m"
+CL_GREY="\e[0;${GREY};49m"
+CL_BL_RED="\e[1;${RED};49m"
+CL_BL_GREEN="\e[1;${GREEN};49m"
+CL_BL_BROWN="\e[1;${BROWN};49m"
+CL_BL_BLUE="\e[1;${BLUE};49m"
+CL_BL_MAG="\e[1;${MAG};49m"
+CL_BL_CYAN="\e[1;${CYAN};49m"
+CL_BL_GREY="\e[1;${GREY};49m"
+
+###############################################################################
+
+main() {
+ local cmd="$1"
+
+ shift
+
+ case $cmd in
+ "check") check $@ ;;
+ "copy") copy $@ ;;
+ *) usage ;;
+ esac
+}
+
+check() {
+ local patch_file="$1"
+ local data_dir="$2"
+ local old_ver="$3"
+ local new_ver="$4"
+
+ local old_ver_dir="${data_dir}/nginx-${old_ver}-orig"
+ local new_ver_dir="${data_dir}/nginx-${new_ver}-orig"
+
+ local sources=$(grep '+++' "$patch_file" | tr "\t" " " | cut -f2 -d" " | cut -f2-99 -d "/")
+
+ show ""
+
+ for source_file in $sources ; do
+ local old_ver_hash=$(getHash "$old_ver_dir/$source_file")
+ local new_ver_hash=$(getHash "$new_ver_dir/$source_file")
+
+ if [[ "$old_ver_hash" == "$new_ver_hash" ]] ; then
+ show " ${CL_GREEN}✔ ${CL_NORM}$source_file"
+ else
+ local diff_size=$(diff -U 0 "$old_ver_dir/$source_file" "$new_ver_dir/$source_file" | grep -v ^@ | wc -l)
+ show " ${CL_RED}✖ ${CL_NORM}$source_file ${CL_GREY}(± $diff_size lines)${CL_NORM}"
+ fi
+ done
+
+ show ""
+}
+
+copy() {
+ local patch_file="$1"
+ local data_dir="$2"
+ local old_ver="$3"
+ local new_ver="$4"
+
+ local old_ver_dir="${data_dir}/nginx-${old_ver}-orig"
+ local new_ver_dir="${data_dir}/nginx-${new_ver}-orig"
+ local old_ver_pt_dir="${data_dir}/nginx-${old_ver}"
+ local new_ver_pt_dir="${data_dir}/nginx-${new_ver}"
+
+ local sources=$(grep '+++' "$patch_file" | tr "\t" " " | cut -f2 -d" " | cut -f2-99 -d "/")
+
+ show ""
+
+ for source_file in $sources ; do
+ local old_ver_hash=$(getHash "$old_ver_dir/$source_file")
+ local new_ver_hash=$(getHash "$new_ver_dir/$source_file")
+
+ if [[ "$old_ver_hash" == "$new_ver_hash" ]] ; then
+ show " $old_ver_pt_dir/$source_file → $new_ver_pt_dir/$source_file"
+ cp $old_ver_pt_dir/$source_file $new_ver_pt_dir/$source_file
+ fi
+ done
+
+ show ""
+}
+
+getHash() {
+ sha256sum "$1" | cut -f1 -d" "
+}
+
+usage() {
+ show ""
+ show "${CL_BOLD}Usage:${CL_NORM} ./patch-proc.sh ${CL_BROWN}{command}${CL_NORM} webkaos.patch data-dir prev-ver new-ver"
+ show ""
+ show "Commands" $BOLD
+ show ""
+ show " ${CL_BROWN}check${CL_NORM} Check webkaos patch"
+ show " ${CL_BROWN}copy${CL_NORM} Copy unchanged files from previous patched version"
+ show ""
+ show "Examples" $BOLD
+ show ""
+ show " ./patch-proc.sh SOURCES/webkaos.patch /some/dir 1.11.1 1.11.2"
+ show ""
+}
+
+show() {
+ if [[ -n "$2" ]] ; then
+ echo -e "\e[${2}m${1}${CL_NORM}"
+ else
+ echo -e "$@"
+ fi
+}
+
+###############################################################################
+
+main $@
diff --git a/webkaos-centos6.spec b/webkaos-centos6.spec
index 27247cc..fab2b3e 100644
--- a/webkaos-centos6.spec
+++ b/webkaos-centos6.spec
@@ -43,7 +43,7 @@
 %define service_name %{name}
 %define service_home %{_cachedir}/%{service_name}
-%define open_ssl_ver 1.0.2i
+%define boring_commit 4c0e6c64b6866926f96576bc8e8ea8849f018159
 %define psol_ver 1.11.33.4
 %define lua_module_ver 0.10.6
 %define mh_module_ver 0.31
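Review bot: `check()` and `copy()` read `$1`–`$4` without validating the argument count, whereas the deleted patch-check.sh rejected anything but three arguments before doing any work; with an argument missing, `copy` builds directories such as `${data_dir}/nginx--orig`, and because `getHash` yields an empty string for a file that does not exist, two missing files compare equal and the `cp` is executed on the bogus paths. Guard both functions, e.g. `if [[ $# -ne 4 ]] ; then usage ; exit 1 ; fi`, and have `getHash` fail loudly when `sha256sum` does. Quote the expansions that reach the filesystem: `cp "$old_ver_pt_dir/$source_file" "$new_ver_pt_dir/$source_file"` and `main "$@"` (likewise `check "$@"` / `copy "$@"`), so paths containing spaces or glob characters are not word-split. `usage` is also reached for an unknown command with exit status 0, so a scripted caller cannot detect misuse.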
@@ -58,14 +58,14 @@ Summary: Superb high performance web server
 Name: webkaos
-Version: 1.11.4
+Version: 1.11.5
 Release: 0%{?dist}
 License: 2-clause BSD-like license
 Group: System Environment/Daemons
 Vendor: Nginx / Google / CloudFlare / ESSENTIALKAOS
-URL: http://essentialkaos.com
+URL: https://github.com/essentialkaos/webkaos
-Source0: http://nginx.org/download/nginx-%{version}.tar.gz
+Source0: https://nginx.org/download/nginx-%{version}.tar.gz
 Source1: %{name}.logrotate
 Source2: %{name}.init
 Source3: %{name}.sysconfig
@@ -81,17 +81,20 @@ Source26: bots.conf
 Source30: %{name}-index.html
-Source50: https://github.com/pagespeed/ngx_pagespeed/archive/%{pagespeed_fullver}.zip
+Source50: https://github.com/pagespeed/ngx_pagespeed/archive/%{pagespeed_fullver}.tar.gz
 Source51: https://dl.google.com/dl/page-speed/psol/%{psol_ver}.tar.gz
 Source52: https://github.com/openresty/lua-nginx-module/archive/v%{lua_module_ver}.tar.gz
-Source53: https://www.openssl.org/source/openssl-%{open_ssl_ver}.tar.gz
+Source53: https://boringssl.googlesource.com/boringssl/+archive/%{boring_commit}.tar.gz
 Source54: https://github.com/openresty/headers-more-nginx-module/archive/v%{mh_module_ver}.tar.gz
 Source55: http://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-%{pcre_ver}.tar.gz
 Source56: http://zlib.net/zlib-%{zlib_ver}.tar.gz
 Patch0: %{name}.patch
-Patch1: %{name}-dynamic-tls-records.patch
-Patch2: mime.patch
+Patch1: mime.patch
+# https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__1.11.5_dynamic_tls_records.patch
+Patch2: %{name}-dynamic-tls-records.patch
+# https://github.com/ajhaydock/BoringNginx/blob/master/1.11.4/src/boring.patch
+Patch3: boring.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
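Review bot: Source53 now points at a Gitiles `+archive/%{boring_commit}.tar.gz` URL and nothing in the spec verifies what is downloaded; such archives are generated on the fly, so a stable checksum is generally not available, and the %prep hunk extracts the tarball straight into `boringssl` and builds it. The same hunk keeps Source55 (pcre) and Source56 (zlib) on plain `http://` while Source0 was moved to `https://`, so those two tarballs are still fetched without transport integrity and, like every other source here, without a digest check. Consider vendoring the BoringSSL snapshot (or cloning the repository and checking the checked-out commit against `%{boring_commit}`), switching Source55/Source56 to `https://`, and recording expected checksums that %prep compares before extraction. The comment above Patch3 cites the `1.11.4` directory of BoringNginx although the patch file itself names `nginx-1.11.5` paths, so say there that it was regenerated for 1.11.5. webkaos-centos7.spec hunk `@@ -81,24 +81,27 @@` has the same lines.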
@@ -99,7 +102,7 @@ Requires: initscripts >= 8.36 kaosv >= 2.8
 Requires: gd libXpm libxslt libluajit
 BuildRequires: make devtoolset-2-gcc-c++ devtoolset-2-binutils
-BuildRequires: perl libluajit-devel
+BuildRequires: perl libluajit-devel cmake golang
 Requires(pre): shadow-utils
 Requires(post): chkconfig
@@ -141,10 +144,12 @@ Links for nginx compatibility.
 %prep
 %setup -q -n nginx-%{version}
-%{__unzip} %{SOURCE50}
+mkdir boringssl
+
+%{__tar} xzvf %{SOURCE50}
 %{__tar} xzvf %{SOURCE51} -C ngx_pagespeed-%{pagespeed_fullver}
 %{__tar} xzvf %{SOURCE52}
-%{__tar} xzvf %{SOURCE53}
+%{__tar} xzvf %{SOURCE53} -C boringssl
 %{__tar} xzvf %{SOURCE54}
 %{__tar} xzvf %{SOURCE55}
 %{__tar} xzvf %{SOURCE56}
@@ -152,6 +157,7 @@ Links for nginx compatibility.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
@@ -176,6 +182,25 @@ Links for nginx compatibility.
 # Use gcc and gcc-c++ from devtoolset for build
 export PATH="/opt/rh/devtoolset-2/root/usr/bin:$PATH"
+# BoringSSL Build ##############################################################
+
+mkdir boringssl/build
+
+pushd boringssl/build &> /dev/null
+ cmake ../
+ %{__make} %{?_smp_mflags}
+popd
+
+mkdir -p "boringssl/.openssl/lib"
+
+pushd boringssl/.openssl &> /dev/null
+ ln -s ../include
+popd
+
+cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.openssl/lib
+
+################################################################################
+
 ./configure \
 --prefix=%{_sysconfdir}/%{name} \
 --sbin-path=%{_sbindir}/%{name} \
@@ -206,6 +231,9 @@ export PATH="/opt/rh/devtoolset-2/root/usr/bin:$PATH"
 --with-http_gzip_static_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
 --with-mail \
 --with-mail_ssl_module \
 --with-file-aio \
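Review bot: `cmake ../` in the added "BoringSSL Build" block configures the library with no build type; BoringSSL's BUILDING notes state that its top-level CMakeLists defaults to debugging flags with optimisation off, so unless the pinned commit behaves differently, the `libcrypto.a`/`libssl.a` copied into `boringssl/.openssl/lib` and statically linked into the packaged nginx are an unoptimised debug build. Set it explicitly, `cmake -DCMAKE_BUILD_TYPE=Release ../`, and say in the block's comment which BoringSSL artefacts the nginx configure step expects under `.openssl/` (the `ln -s ../include` and the later `touch` of `ssl.h` are otherwise opaque). The identical block is in webkaos-centos7.spec hunk `@@ -172,6 +178,25 @@`.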
@@ -214,13 +242,17 @@ export PATH="/opt/rh/devtoolset-2/root/usr/bin:$PATH"
 --with-zlib=zlib-%{zlib_ver} \
 --with-pcre-jit \
 --with-pcre=pcre-%{pcre_ver} \
- --with-openssl-opt=no-krb5 \
- --with-openssl=openssl-%{open_ssl_ver} \
+ --with-openssl=boringssl \
 --add-module=ngx_pagespeed-%{pagespeed_fullver} \
 --add-module=lua-nginx-module-%{lua_module_ver} \
 --add-module=headers-more-nginx-module-%{mh_module_ver} \
- --with-cc-opt="%{optflags} $(pcre-config --cflags)" \
+ --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
+ --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 $*
+
+# Fix "Error 127" during build with BoringSSL
+touch boringssl/.openssl/include/openssl/ssl.h
+
 %{__make} %{?_smp_mflags}
 %{__mv} %{_builddir}/nginx-%{version}/objs/nginx \
@@ -255,6 +287,9 @@ export PATH="/opt/rh/devtoolset-2/root/usr/bin:$PATH"
 --with-http_gzip_static_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
 --with-mail \
 --with-mail_ssl_module \
 --with-file-aio \
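Review bot: `--with-cc-opt` compiles with `-fPIE` but the new `--with-ld-opt` line carries no `-pie`, so unless the devtoolset gcc links PIE by default the resulting binary is an ordinary executable and the address-space randomisation that `-fPIE` is meant to enable is not obtained; `-Wl,-z,relro` without `-Wl,-z,now` likewise yields only partial RELRO, leaving the GOT writable at run time. Change the linker line to `--with-ld-opt="-pie -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -L ../boringssl/.openssl/lib" \`. Replacing `%{optflags}` with a hand-written list also discards the distribution's own flags for this package, so a comment stating that this is deliberate (and why `$(pcre-config --cflags)` is no longer needed with the bundled pcre) would help the next maintainer. The same two lines appear in hunk `@@ -262,13 +297,17 @@` below and in webkaos-centos7.spec hunks `@@ -210,13 +238,17 @@` and `@@ -258,13 +293,17 @@`.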
@@ -262,13 +297,17 @@ export PATH="/opt/rh/devtoolset-2/root/usr/bin:$PATH"
 --with-zlib=zlib-%{zlib_ver} \
 --with-pcre-jit \
 --with-pcre=pcre-%{pcre_ver} \
- --with-openssl-opt=no-krb5 \
- --with-openssl=openssl-%{open_ssl_ver} \
+ --with-openssl=boringssl \
 --add-module=ngx_pagespeed-%{pagespeed_fullver} \
 --add-module=lua-nginx-module-%{lua_module_ver} \
 --add-module=headers-more-nginx-module-%{mh_module_ver} \
- --with-cc-opt="%{optflags} $(pcre-config --cflags)" \
+ --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
+ --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 $*
+
+# Fix "Error 127" during build with BoringSSL
+touch boringssl/.openssl/include/openssl/ssl.h
+
 %{__make} %{?_smp_mflags}
 %install
@@ -294,7 +333,7 @@ install -dm 755 %{buildroot}%{pagespeed_cache_path}
 # Install html pages
 install -pm 644 %{SOURCE30} \
- %{buildroot}%{_datadir}/%{name}/html/index.html
+ %{buildroot}%{_datadir}/%{name}/html/index.html
 ln -sf %{_datadir}/%{name}/html \
 %{buildroot}%{_sysconfdir}/%{name}/html
@@ -467,6 +506,10 @@ fi
 ###############################################################################
 %changelog
+* Fri Oct 14 2016 Anton Novojilov - 1.11.5-0
+- Nginx updated to 1.11.5
+- OpenSSL replaced by BoringSSL
+
 * Fri Sep 23 2016 Gleb Goncharov - 1.11.4-0
 - Nginx updated to 1.11.4
 - OpenSSL updated to 1.0.2i
diff --git a/webkaos-centos7.spec b/webkaos-centos7.spec
index 3e8e3cc..a247c97 100644
--- a/webkaos-centos7.spec
+++ b/webkaos-centos7.spec
@@ -43,7 +43,7 @@
 %define service_name %{name}
 %define service_home %{_cachedir}/%{service_name}
-%define open_ssl_ver 1.0.2i
+%define boring_commit 4c0e6c64b6866926f96576bc8e8ea8849f018159
 %define psol_ver 1.11.33.4
 %define lua_module_ver 0.10.6
 %define mh_module_ver 0.31
@@ -58,14 +58,14 @@ Summary: Superb high performance web server
 Name: webkaos
-Version: 1.11.4
+Version: 1.11.5
 Release: 0%{?dist}
 License: 2-clause BSD-like license
 Group: System Environment/Daemons
 Vendor: Nginx / Google / CloudFlare / ESSENTIALKAOS
-URL: http://essentialkaos.com
+URL: https://github.com/essentialkaos/webkaos
-Source0: http://nginx.org/download/nginx-%{version}.tar.gz
+Source0: https://nginx.org/download/nginx-%{version}.tar.gz
 Source1: %{name}.logrotate
 Source2: %{name}.init
 Source3: %{name}.sysconfig
@@ -81,24 +81,27 @@ Source26: bots.conf
 Source30: %{name}-index.html
-Source50: https://github.com/pagespeed/ngx_pagespeed/archive/%{pagespeed_fullver}.zip
+Source50: https://github.com/pagespeed/ngx_pagespeed/archive/%{pagespeed_fullver}.tar.gz
 Source51: https://dl.google.com/dl/page-speed/psol/%{psol_ver}.tar.gz
 Source52: https://github.com/openresty/lua-nginx-module/archive/v%{lua_module_ver}.tar.gz
-Source53: https://www.openssl.org/source/openssl-%{open_ssl_ver}.tar.gz
+Source53: https://boringssl.googlesource.com/boringssl/+archive/%{boring_commit}.tar.gz
 Source54: https://github.com/openresty/headers-more-nginx-module/archive/v%{mh_module_ver}.tar.gz
 Source55: http://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-%{pcre_ver}.tar.gz
 Source56: http://zlib.net/zlib-%{zlib_ver}.tar.gz
 Patch0: %{name}.patch
-Patch1: %{name}-dynamic-tls-records.patch
-Patch2: mime.patch
+Patch1: mime.patch
+# https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__1.11.5_dynamic_tls_records.patch
+Patch2: %{name}-dynamic-tls-records.patch
+# https://github.com/ajhaydock/BoringNginx/blob/master/1.11.4/src/boring.patch
+Patch3: boring.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: initscripts >= 8.36 kaosv >= 2.8
 Requires: gd libXpm libxslt libluajit
-BuildRequires: make gcc-c++ perl libluajit-devel
+BuildRequires: make gcc-c++ perl libluajit-devel cmake golang
 Requires(pre): shadow-utils
 Requires(post): chkconfig
@@ -140,10 +143,12 @@ Links for nginx compatibility.
 %prep
 %setup -q -n nginx-%{version}
-%{__unzip} %{SOURCE50}
+mkdir boringssl
+
+%{__tar} xzvf %{SOURCE50}
 %{__tar} xzvf %{SOURCE51} -C ngx_pagespeed-%{pagespeed_fullver}
 %{__tar} xzvf %{SOURCE52}
-%{__tar} xzvf %{SOURCE53}
+%{__tar} xzvf %{SOURCE53} -C boringssl
 %{__tar} xzvf %{SOURCE54}
 %{__tar} xzvf %{SOURCE55}
 %{__tar} xzvf %{SOURCE56}
@@ -151,6 +156,7 @@ Links for nginx compatibility.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
@@ -172,6 +178,25 @@ Links for nginx compatibility.
 %{__mv} headers-more-nginx-module-%{mh_module_ver}/README.markdown ./HEADERSMORE-README.markdown
+# BoringSSL Build ##############################################################
+
+mkdir boringssl/build
+
+pushd boringssl/build &> /dev/null
+ cmake ../
+ %{__make} %{?_smp_mflags}
+popd
+
+mkdir -p "boringssl/.openssl/lib"
+
+pushd boringssl/.openssl &> /dev/null
+ ln -s ../include
+popd
+
+cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.openssl/lib
+
+################################################################################
+
 ./configure \
 --prefix=%{_sysconfdir}/%{name} \
 --sbin-path=%{_sbindir}/%{name} \
@@ -202,6 +227,9 @@ Links for nginx compatibility.
 --with-http_gzip_static_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
 --with-mail \
 --with-mail_ssl_module \
 --with-file-aio \
@@ -210,13 +238,17 @@ Links for nginx compatibility.
 --with-zlib=zlib-%{zlib_ver} \
 --with-pcre-jit \
 --with-pcre=pcre-%{pcre_ver} \
- --with-openssl-opt=no-krb5 \
- --with-openssl=openssl-%{open_ssl_ver} \
+ --with-openssl=boringssl \
 --add-module=ngx_pagespeed-%{pagespeed_fullver} \
 --add-module=lua-nginx-module-%{lua_module_ver} \
 --add-module=headers-more-nginx-module-%{mh_module_ver} \
- --with-cc-opt="%{optflags} $(pcre-config --cflags) -DTCP_FASTOPEN=23" \
+ --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -DTCP_FASTOPEN=23 -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
+ --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 $*
+
+# Fix "Error 127" during build with BoringSSL
+touch boringssl/.openssl/include/openssl/ssl.h
+
 %{__make} %{?_smp_mflags}
 %{__mv} %{_builddir}/nginx-%{version}/objs/nginx \
@@ -251,6 +283,9 @@ Links for nginx compatibility.
 --with-http_gzip_static_module \
 --with-http_secure_link_module \
 --with-http_stub_status_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
 --with-mail \
 --with-mail_ssl_module \
 --with-file-aio \
@@ -258,13 +293,17 @@ Links for nginx compatibility.
 --with-zlib=zlib-%{zlib_ver} \
 --with-pcre-jit \
 --with-pcre=pcre-%{pcre_ver} \
- --with-openssl-opt=no-krb5 \
- --with-openssl=openssl-%{open_ssl_ver} \
+ --with-openssl=boringssl \
 --add-module=ngx_pagespeed-%{pagespeed_fullver} \
 --add-module=lua-nginx-module-%{lua_module_ver} \
 --add-module=headers-more-nginx-module-%{mh_module_ver} \
- --with-cc-opt="%{optflags} $(pcre-config --cflags) -DTCP_FASTOPEN=23" \
+ --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -DTCP_FASTOPEN=23 -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I ../boringssl/.openssl/include/" \
+ --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib" \
 $*
+
+# Fix "Error 127" during build with BoringSSL
+touch boringssl/.openssl/include/openssl/ssl.h
+
 %{__make} %{?_smp_mflags}
 %install
@@ -290,7 +329,7 @@ install -dm 755 %{buildroot}%{pagespeed_cache_path}
 # Install html pages
 install -pm 644 %{SOURCE30} \
- %{buildroot}%{_datadir}/%{name}/html/index.html
+ %{buildroot}%{_datadir}/%{name}/html/index.html
 ln -sf %{_datadir}/%{name}/html \
 %{buildroot}%{_sysconfdir}/%{name}/html
@@ -463,6 +502,10 @@ fi
 ###############################################################################
 %changelog
+* Fri Oct 14 2016 Anton Novojilov - 1.11.5-0
+- Nginx updated to 1.11.5
+- OpenSSL replaced by BoringSSL
+
 * Fri Sep 23 2016 Gleb Goncharov - 1.11.4-0
 - Nginx updated to 1.11.4
 - OpenSSL updated to 1.0.2i