Commit d3310c4c authored by Hugo Leisink's avatar Hugo Leisink

Release 10.6

parent 2cfb0724
cmake_minimum_required(VERSION 2.8.2)
project(Hiawatha C)
cmake_minimum_required(VERSION 3.0)
project(Hiawatha VERSION 10.6)
# Compiler
set(CMAKE_C_FLAGS "-O2 -Wall -Wextra ${CMAKE_C_FLAGS}")
......@@ -24,6 +24,7 @@ include(CheckIncludeFiles)
include(CheckFunctionExists)
include(CheckLibraryExists)
include(CheckSymbolExists)
include(GNUInstallDirs)
if(ENABLE_XSLT)
include(FindLibXml2)
include(FindLibXslt)
......@@ -33,22 +34,9 @@ if(ENABLE_XSLT)
endif()
endif()
include(FindZLIB)
include(cmake/GNUInstallDirs.cmake)
include(cmake/CopyIfNotExists.cmake)
# Settings
set(HIAWATHA_VERSION_MAJOR 10)
set(HIAWATHA_VERSION_MINOR 5)
set(HIAWATHA_VERSION_PATCH 0)
set(HIAWATHA_VERSION_TWEAK 0)
string(TOLOWER ${CMAKE_PROJECT_NAME} PROJECT_NAME)
set(HIAWATHA_VERSION "${HIAWATHA_VERSION_MAJOR}.${HIAWATHA_VERSION_MINOR}")
if(NOT ${HIAWATHA_VERSION_PATCH} EQUAL 0)
set(HIAWATHA_VERSION "${HIAWATHA_VERSION}.${HIAWATHA_VERSION_PATCH}")
endif()
if(NOT ${HIAWATHA_VERSION_TWEAK} EQUAL 0)
set(HIAWATHA_VERSION "${HIAWATHA_VERSION}-${HIAWATHA_VERSION_TWEAK}")
endif()
if(EXISTS "/proc/loadavg")
option(ENABLE_LOADCHECK "Enable the ability to check for server load." on)
endif()
......@@ -92,11 +80,12 @@ if(APPLE OR CYGWIN)
endif()
# CPack
set(CPACK_PACKAGE_VERSION_MAJOR ${HIAWATHA_VERSION_MAJOR})
set(CPACK_PACKAGE_VERSION_MINOR ${HIAWATHA_VERSION_MINOR})
set(CPACK_PACKAGE_VERSION_PATCH ${HIAWATHA_VERSION_PATCH})
set(CPACK_PACKAGE_VERSION_MAJOR ${PROJECT_VERSION_MAJOR})
set(CPACK_PACKAGE_VERSION_MINOR ${PROJECT_VERSION_MINOR})
set(CPACK_PACKAGE_VERSION_PATCH ${PROJECT_VERSION_PATCH})
set(CPACK_SOURCE_GENERATOR "TGZ")
set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${HIAWATHA_VERSION}")
string(TOLOWER ${PROJECT_NAME} PROJECT_NAME)
set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}")
set(CPACK_SOURCE_IGNORE_FILES "/build(/|_.*/)")
include(CPack)
......
hiawatha (10.6) stable; urgency=low
* Added PublicKeyPins option.
* Added renewal-scripts to Let's Encrypt script.
* mbed TLS updated to 2.4.2.
* Small changes to CMake build system.
* Small improvements.
* Bugfix: SCSV bug in mbed TLS.
-- Hugo Leisink <hugo@leisink.net> Sun, 16 Apr 2017 22:04:37 +0200
hiawatha (10.5) stable; urgency=low
* mbed TLS updated to 2.4.0, using GPL version.
......
......@@ -6,7 +6,7 @@ The Hiawatha webserver has been written by Hugo Leisink <hugo@leisink.net>. More
Installation
------------
If the CMake version installed on your system is lower than 2.8.2, remove it, download the latest version from https://cmake.org/download/#latest and install it.
If the CMake version installed on your system is lower than 3.0, remove it, download the latest version from https://cmake.org/download/#latest and install it.
tar -xzf cmake-<version>.tar.gz
cd cmake-<version>
......
# - Define GNU standard installation directories
# Provides install directory variables as defined for GNU software:
# http://www.gnu.org/prep/standards/html_node/Directory-Variables.html
# Inclusion of this module defines the following variables:
# CMAKE_INSTALL_<dir> - destination for files of a given type
# CMAKE_INSTALL_FULL_<dir> - corresponding absolute path
# where <dir> is one of:
# BINDIR - user executables (bin)
# SBINDIR - system admin executables (sbin)
# LIBEXECDIR - program executables (libexec)
# SYSCONFDIR - read-only single-machine data (etc)
# SHAREDSTATEDIR - modifiable architecture-independent data (com)
# LOCALSTATEDIR - modifiable single-machine data (var)
# LIBDIR - object code libraries (lib or lib64)
# INCLUDEDIR - C header files (include)
# OLDINCLUDEDIR - C header files for non-gcc (/usr/include)
# DATAROOTDIR - read-only architecture-independent data root (share)
# DATADIR - read-only architecture-independent data (DATAROOTDIR)
# INFODIR - info documentation (DATAROOTDIR/info)
# LOCALEDIR - locale-dependent data (DATAROOTDIR/locale)
# MANDIR - man documentation (DATAROOTDIR/man)
# DOCDIR - documentation root (DATAROOTDIR/doc/PROJECT_NAME)
# Each CMAKE_INSTALL_<dir> value may be passed to the DESTINATION options of
# install() commands for the corresponding file type. If the includer does
# not define a value the above-shown default will be used and the value will
# appear in the cache for editing by the user.
# Each CMAKE_INSTALL_FULL_<dir> value contains an absolute path constructed
# from the corresponding destination by prepending (if necessary) the value
# of CMAKE_INSTALL_PREFIX.
#=============================================================================
# Copyright 2011 Nikita Krupen'ko <krnekit@gmail.com>
# Copyright 2011 Kitware, Inc.
#
# Distributed under the OSI-approved BSD License (the "License");
# see accompanying file Copyright.txt for details.
#
# This software is distributed WITHOUT ANY WARRANTY; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the License for more information.
#=============================================================================
# (To distribute this file outside of CMake, substitute the full
# License text for the above reference.)
# Installation directories
#
if(NOT DEFINED CMAKE_INSTALL_BINDIR)
set(CMAKE_INSTALL_BINDIR "bin" CACHE PATH "user executables (bin)")
endif()
if(NOT DEFINED CMAKE_INSTALL_SBINDIR)
set(CMAKE_INSTALL_SBINDIR "sbin" CACHE PATH "system admin executables (sbin)")
endif()
if(NOT DEFINED CMAKE_INSTALL_LIBEXECDIR)
set(CMAKE_INSTALL_LIBEXECDIR "libexec" CACHE PATH "program executables (libexec)")
endif()
if(NOT DEFINED CMAKE_INSTALL_SYSCONFDIR)
set(CMAKE_INSTALL_SYSCONFDIR "etc" CACHE PATH "read-only single-machine data (etc)")
endif()
if(NOT DEFINED CMAKE_INSTALL_SHAREDSTATEDIR)
set(CMAKE_INSTALL_SHAREDSTATEDIR "com" CACHE PATH "modifiable architecture-independent data (com)")
endif()
if(NOT DEFINED CMAKE_INSTALL_LOCALSTATEDIR)
set(CMAKE_INSTALL_LOCALSTATEDIR "var" CACHE PATH "modifiable single-machine data (var)")
endif()
if(NOT DEFINED CMAKE_INSTALL_LIBDIR)
set(_LIBDIR_DEFAULT "lib")
# Override this default 'lib' with 'lib64' iff:
# - we are on Linux system but NOT cross-compiling
# - we are NOT on debian
# - we are on a 64 bits system
# reason is: amd64 ABI: http://www.x86-64.org/documentation/abi.pdf
# Note that the future of multi-arch handling may be even
# more complicated than that: http://wiki.debian.org/Multiarch
if(CMAKE_SYSTEM_NAME MATCHES "Linux"
AND NOT CMAKE_CROSSCOMPILING
AND NOT EXISTS "/etc/debian_version")
if(NOT DEFINED CMAKE_SIZEOF_VOID_P)
message(AUTHOR_WARNING
"Unable to determine default CMAKE_INSTALL_LIBDIR directory because no target architecture is known. "
"Please enable at least one language before including GNUInstallDirs.")
else()
if("${CMAKE_SIZEOF_VOID_P}" EQUAL "8")
set(_LIBDIR_DEFAULT "lib64")
endif()
endif()
endif()
set(CMAKE_INSTALL_LIBDIR "${_LIBDIR_DEFAULT}" CACHE PATH "object code libraries (${_LIBDIR_DEFAULT})")
endif()
if(NOT DEFINED CMAKE_INSTALL_INCLUDEDIR)
set(CMAKE_INSTALL_INCLUDEDIR "include" CACHE PATH "C header files (include)")
endif()
if(NOT DEFINED CMAKE_INSTALL_OLDINCLUDEDIR)
set(CMAKE_INSTALL_OLDINCLUDEDIR "/usr/include" CACHE PATH "C header files for non-gcc (/usr/include)")
endif()
if(NOT DEFINED CMAKE_INSTALL_DATAROOTDIR)
set(CMAKE_INSTALL_DATAROOTDIR "share" CACHE PATH "read-only architecture-independent data root (share)")
endif()
#-----------------------------------------------------------------------------
# Values whose defaults are relative to DATAROOTDIR. Store empty values in
# the cache and store the defaults in local variables if the cache values are
# not set explicitly. This auto-updates the defaults as DATAROOTDIR changes.
if(NOT CMAKE_INSTALL_DATADIR)
set(CMAKE_INSTALL_DATADIR "" CACHE PATH "read-only architecture-independent data (DATAROOTDIR)")
set(CMAKE_INSTALL_DATADIR "${CMAKE_INSTALL_DATAROOTDIR}")
endif()
if(NOT CMAKE_INSTALL_INFODIR)
set(CMAKE_INSTALL_INFODIR "" CACHE PATH "info documentation (DATAROOTDIR/info)")
set(CMAKE_INSTALL_INFODIR "${CMAKE_INSTALL_DATAROOTDIR}/info")
endif()
if(NOT CMAKE_INSTALL_LOCALEDIR)
set(CMAKE_INSTALL_LOCALEDIR "" CACHE PATH "locale-dependent data (DATAROOTDIR/locale)")
set(CMAKE_INSTALL_LOCALEDIR "${CMAKE_INSTALL_DATAROOTDIR}/locale")
endif()
if(NOT CMAKE_INSTALL_MANDIR)
set(CMAKE_INSTALL_MANDIR "" CACHE PATH "man documentation (DATAROOTDIR/man)")
set(CMAKE_INSTALL_MANDIR "${CMAKE_INSTALL_DATAROOTDIR}/man")
endif()
if(NOT CMAKE_INSTALL_DOCDIR)
set(CMAKE_INSTALL_DOCDIR "" CACHE PATH "documentation root (DATAROOTDIR/doc/PROJECT_NAME)")
set(CMAKE_INSTALL_DOCDIR "${CMAKE_INSTALL_DATAROOTDIR}/doc/${PROJECT_NAME}")
endif()
#-----------------------------------------------------------------------------
mark_as_advanced(
CMAKE_INSTALL_BINDIR
CMAKE_INSTALL_SBINDIR
CMAKE_INSTALL_LIBEXECDIR
CMAKE_INSTALL_SYSCONFDIR
CMAKE_INSTALL_SHAREDSTATEDIR
CMAKE_INSTALL_LOCALSTATEDIR
CMAKE_INSTALL_LIBDIR
CMAKE_INSTALL_INCLUDEDIR
CMAKE_INSTALL_OLDINCLUDEDIR
CMAKE_INSTALL_DATAROOTDIR
CMAKE_INSTALL_DATADIR
CMAKE_INSTALL_INFODIR
CMAKE_INSTALL_LOCALEDIR
CMAKE_INSTALL_MANDIR
CMAKE_INSTALL_DOCDIR
)
# Result directories
#
foreach(dir
BINDIR
SBINDIR
LIBEXECDIR
SYSCONFDIR
SHAREDSTATEDIR
LOCALSTATEDIR
LIBDIR
INCLUDEDIR
OLDINCLUDEDIR
DATAROOTDIR
DATADIR
INFODIR
LOCALEDIR
MANDIR
DOCDIR
)
if(NOT IS_ABSOLUTE ${CMAKE_INSTALL_${dir}})
set(CMAKE_INSTALL_FULL_${dir} "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_${dir}}")
else()
set(CMAKE_INSTALL_FULL_${dir} "${CMAKE_INSTALL_${dir}}")
endif()
endforeach()
......@@ -4,13 +4,14 @@
#define LOG_DIR "${LOG_DIR}"
#define PID_DIR "${PID_DIR}"
#define SBIN_DIR "${CMAKE_INSTALL_FULL_SBINDIR}"
#define VERSION "${HIAWATHA_VERSION}"
#define VERSION "${PROJECT_VERSION}"
#define WEBROOT_DIR "${WEBROOT_DIR}"
#define WORK_DIR "${WORK_DIR}"
/* Settings
*/
#define _GNU_SOURCE 1
#define _FILE_OFFSET_BITS 64
#cmakedefine CYGWIN ${CYGWIN}
#cmakedefine CIFS ${CIFS}
......@@ -28,10 +29,9 @@
/* Other Hiawatha features
*/
#define ENABLE_CHALLENGE ON
#define ENABLE_CHALLENGE ON
/* #define ENABLE_DEBUG ON */
#define ENABLE_FILEHASHES ON
/* #define ENABLE_HTTP2 ON */
/* #define ENABLE_MEMDBG ON */
#define ENABLE_THREAD_POOL ON
......
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" encoding="utf-8" doctype-public="-//W3C//DTD HTML 4.01//EN" doctype-system="http://www.w3.org/TR/html4/strict.dtd" />
<xsl:output method="html" doctype-system="about:legacy-compat" />
<xsl:template match="/error">
<html>
......
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" encoding="utf-8" doctype-public="-//W3C//DTD HTML 4.01//EN" doctype-system="http://www.w3.org/TR/html4/strict.dtd" />
<xsl:output method="html" doctype-system="about:legacy-compat" />
<xsl:template match="/index">
<html>
......
......@@ -54,7 +54,7 @@ case "$1" in
fi
log_daemon_msg "Stopping Hiawatha webserver" $NAME || true
if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE; then
if start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE; then
log_end_msg 0 || true
rm -f $PIDFILE
else
......
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!DOCTYPE html>
<html>
<head>
......
......@@ -32,4 +32,11 @@ configured via the HIAWATHA_CERT_DIR setting.
To automatically renew certificates that are about to get expired, run the
letsencrypt tool with the parameter 'renew' as a cronjob of the user root.
Add the parameter 'restart' to automatically restart the webserver when one or
more certificates have been renewed.
more certificates have been renewed. All certificates located in the
HIAWATHA_CERT_DIR directory and those referred to in the Hiawatha configuration
will be renewed.
You can run a script when the certificate of a host is renewed. Create a script
in the RENEWAL_SCRIPT_DIR directory and give it the name of the hostname for
which it must be run. That script will be executed upon renewal of the matching
certificate.
......@@ -86,30 +86,16 @@
case "expire":
/* Renew certificates
*/
if (($dp = opendir(HIAWATHA_CERT_DIR)) == false) {
printf(" - Can't read Hiawatha certificate directory.\n");
break;
}
$lets_encrypt_issuers = explode("|", LE_ISSUERS);
$now = time();
$restart = false;
$cert_files = array();
while (($file = readdir($dp)) !== false) {
if (substr($file, 0, 1) == ".") {
continue;
}
array_push($cert_files, $file);
}
sort($cert_files);
$cert_files = $lets_encrypt->get_certificate_files();
foreach ($cert_files as $file) {
foreach ($cert_files as $cert_file) {
/* Read certificate
*/
$cert_file = HIAWATHA_CERT_DIR."/".$file;
if (($cert = file_get_contents($cert_file)) == false) {
printf(" - Error reading %s.\n", $cert_file);
continue;
......@@ -139,15 +125,21 @@
printf("Renewing certificate for %s.\n", $x509["subject"]["CN"]);
$reuse_key = in_array(strtolower(RENEWAL_REUSE_KEY), array("yes", "true"));
if ($lets_encrypt->request_certificate($x509["subject"]["CN"], $cert_file, $reuse_key) == false) {
break;
continue;
}
/* Renewal script
*/
$renewal_script = RENEWAL_SCRIPT_DIR."/".str_replace(".pem", "", $file);
if (file_exists($renewal_script)) {
printf("Running script %s.\n", $renewal_script);
system($renewal_script);
}
$restart = true;
}
}
closedir($dp);
if ($restart) {
if ($argv[2] == "restart") {
system(HIAWATHA_RESTART_COMMAND);
......
......@@ -17,6 +17,7 @@ CERTIFICATE_RSA_KEY_SIZE = 2048
#
RENEWAL_EXPIRE_THRESHOLD = 7 # number of days
RENEWAL_REUSE_KEY = false
RENEWAL_SCRIPT_DIR = scripts
# Let's Encrypt API settings
#
......
......@@ -2,8 +2,28 @@
class Hiawatha_config {
private $website_root = array();
private $website_hostnames = array();
private $certificate_files = array();
public function __construct($config_dir) {
if (($dp = opendir(HIAWATHA_CERT_DIR)) == false) {
printf(" - Can't read Hiawatha certificate directory.\n");
} else {
while (($file = readdir($dp)) !== false) {
if (substr($file, 0, 1) == ".") {
continue;
}
if (substr($file, 0, 1) != "/") {
$file = HIAWATHA_CERT_DIR."/".$file;
}
array_push($this->certificate_files, $file);
}
sort($this->certificate_files);
closedir($dp);
}
$this->read_config_file($config_dir."/hiawatha.conf");
}
......@@ -15,6 +35,10 @@
return $this->website_hostnames[$hostname];
}
public function get_certificate_files() {
return $this->certificate_files;
}
private function read_config_dir($config_dir) {
if (($dp = opendir($config_dir)) === false) {
printf("Can't find directory %s.\n", $config_dir);
......@@ -42,12 +66,13 @@
$inside_virtual_host = false;
while (($line = fgets($fp)) !== false) {
list($command, $param) = explode(" ", strtolower(trim($line)), 2);
list($command, $param) = explode(" ", trim($line), 2);
$command = strtolower($command);
$param = trim($param, " =");
if ($inside_virtual_host) {
if ($command == "hostname") {
$hostnames = explode(",", $param);
$hostnames = explode(",", strtolower($param));
foreach ($hostnames as $key => $value) {
$hostnames[$key] = trim($value);
}
......@@ -59,6 +84,14 @@
}
} else if ($command == "websiteroot") {
$websiteroot = $param;
} else if ($command == "tlscertfile") {
if (substr($param, 0, 1) != "/") {
$param = HIAWATHA_CONFIG_DIR."/".$param;
}
if (in_array($param, $this->certificate_files) == false) {
array_push($this->certificate_files, $param);
sort($this->certificate_files);
}
} else if ($command == "}") {
if (($hostname != null) && ($websiteroot != null)) {
$this->website_root[$hostname] = $websiteroot;
......
......@@ -55,6 +55,19 @@
return array_diff(array_unique($result), array($main));
}
/* Remove IP addresses from hostname list
*/
private function remove_ip_addresses($hostnames) {
$result = array();
foreach ($hostnames as $hostname) {
if (filter_var($hostname, FILTER_VALIDATE_IP) === false) {
array_push($result, $hostname);
}
}
return $result;
}
/* Check if certificate is in PEM format
*/
private function is_pem_format($cert) {
......@@ -68,6 +81,12 @@
return "-----BEGIN CERTIFICATE-----\n".$pem_data."-----END CERTIFICATE-----\n";
}
/* Get all Hiawatha certificates
*/
public function get_certificate_files() {
return $this->hiawatha->get_certificate_files();
}
/* Register account
*/
public function register_account($email_address, $ca_terms) {
......@@ -95,6 +114,7 @@
/* Alternative hostnames
*/
$website_alt_hostnames = $this->hiawatha->get_website_hostnames($website_hostname);
$website_alt_hostnames = $this->remove_ip_addresses($website_alt_hostnames);
$website_alt_hostnames = $this->remove_wildcard_hostnames($website_alt_hostnames, $website_hostname);
foreach ($website_alt_hostnames as $alt_hostname) {
if ($this->acme->authorize_hostname($alt_hostname, $website_root) == false) {
......
#!/bin/sh
#
# You can use the certificate, which you obtain for your webmail application,
# for your mail server and POP3S / IMAPS server as well. This script copies
# the certificate and restarts the mail daemons.
# Postfix
#
cp /etc/hiawatha/tls/mail.example.org.pem /etc/postfix/tls/mail.example.org.pem
/etc/init.d/postfix restart
# Dovecot
#
openssl rsa -in /etc/hiawatha/tls/mail.example.org.pem -out /etc/dovecot/private/dovecot.pem
openssl x509 -in /etc/hiawatha/tls/mail.example.org.pem -out /etc/dovecot/dovecot.pem
/etc/init.d/dovecot restart
......@@ -44,15 +44,17 @@ depends=`cat extra/debian/control | grep Build-Depends | cut -f2 -d:`
sed "s/<VERSION>/${version}/" extra/debian/hiawatha.dsc | sed "s/<SIZE>/${size}/" | sed "s/<DEPENDS>/${depends}/" | \
sed "s/<MD5>/${md5}/" | sed "s/<SHA1>/${sha1}/" | sed "s/<SHA256>/${sha256}/" > hiawatha_${version}.dsc
gpg --clearsign hiawatha_${version}.dsc
mv hiawatha_${version}.dsc.asc hiawatha_${version}.dsc
if [ -x /usr/bin/gpg ]; then
gpg --clearsign hiawatha_${version}.dsc
mv hiawatha_${version}.dsc.asc hiawatha_${version}.dsc
fi
# Generate .changes file
#
cd build_debian_package
dpkg-genchanges > ../hiawatha_${version}.changes
cd ..
if [ -x /usr/bin/gpg ] && [ "`gpg -K | grep uid | grep 'Hugo Leisink' | wc -l`" = "1" ]; then
if [ -x /usr/bin/gpg ]; then
gpg --clearsign hiawatha_${version}.changes
mv hiawatha_${version}.changes.asc hiawatha_${version}.changes
fi
......
......@@ -49,8 +49,7 @@ cmake .. -DCMAKE_INSTALL_SBINDIR="${default_dir_cyg}/program" \
-DLOG_DIR="${default_dir_cyg}/logfiles" \
-DPID_DIR="${default_dir_cyg}/work" \
-DWORK_DIR="${default_dir_cyg}/work" \
-DWEBROOT_DIR="${default_dir}/default_site" \
-DCMAKE_LEGACY_CYGWIN_WIN32=0
-DWEBROOT_DIR="${default_dir}/default_site"
make
# Make Windows package
......
......@@ -76,7 +76,7 @@ Default = no, example: AnonymizeIP = yes
.B BanlistMask = (allow|deny) <ip-address>[/netmask][, (allow|deny) <ip-address>[/netmask], ...]
Prevent IPs from getting banned in case of bad behaviour. By default, all IPs can be banned. IPs that are 'denied' in the banlist will not be banned.
.br
Example: BanlistMask = allow 192.168.1.2, deny 192.168.0.0/16
Example: BanlistMask = deny 127.0.0.1, deny 192.168.0.1
.TP
.B BanOnDeniedBody = <ban-time>
Number of seconds to ban an IP in case of a denied request body. See als DenyBody.
......@@ -593,6 +593,14 @@ Prevent Cross-Site Scripting attacks. The 'detect' option only detects and logs
.br
Default = no, example: PreventXSS = prevent
.TP
.B PublicKeyPins = <public key file>[, max_age=<value>[d]]
Hiawatha will load public keys from the <public key file>, which will be used to calculate the pin-sha256 values for the Public-Key-Pins HTTP header (HPKP). The <public key file> can contain certificates, certificate signing requests and public keys, all in PEM format. The optional max_age value is in seconds or in days when it ends with a 'd'. The default value for max_age is '30d'.
.br
Example: PublicKeyPins = /etc/hiawatha/letsencrypt.pem, 60d
.br
(requires that Hiawatha was not compiled with -DENABLE_TLS=off)
.TP
.B RequiredBinding = <binding_id>[, <binding_id>, ...]
By default, a virtual host can be visited via all bindings. Via this opion, you can specify via which bindings a virtual host can be visited (see chapter BINDING CONFIGURATION for more information).
.br
......@@ -611,8 +619,8 @@ The <groupname> is the name of the group a user must be a member of to have acce
.br
Example: RequiredGroup = webadmins,staff
.TP
.B RequireTLS = yes|no[, HSTS time][; includeSubDomains][; preload]
Specify that a domain must be visited with a TLS connection. If it is visited via HTTP, Hiawatha will send a redirect (301) with an HTTPS URL. The HSTS time is the max-age value of the Strict-Transport-Security HTTP header.
.B RequireTLS = yes|no[, <HSTS time>[d]][; includeSubDomains][; preload]
Specify that a domain must be visited with a TLS connection. If it is visited via HTTP, Hiawatha will send a redirect (301) with an HTTPS URL. The <HSTS time> is the max-age value of the Strict-Transport-Security HTTP header in seconds or in days when it ends with a 'd'.
.br
Hiawatha will ignore this setting for files in /.well-known/acme-challenge/, which are used for authentication in the Let's Encrypt certificate request process.
.br
......
diff -u old/library/ssl_srv.c new/library/ssl_srv.c
--- old/library/ssl_srv.c 2017-02-22 21:00:45.802549643 +0100
+++ new/library/ssl_srv.c 2017-02-22 20:59:35.366221490 +0100
@@ -984,7 +987,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( ssl->minor_ver < ssl->conf->max_minor_ver || i + 3 != ciph_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@@ -1702,14 +1705,14 @@
#endif
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
- for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
+ for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
{
if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
- if( ssl->minor_ver < ssl->conf->max_minor_ver )
+ if( ssl->minor_ver < ssl->conf->max_minor_ver || i + 2 != ciph_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
cmake_minimum_required(VERSION 2.6)
cmake_minimum_required(VERSION 3.0)
project("mbed TLS" C)
option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
......
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.4.2 branch released 2017-03-08
Security
* Add checks to prevent signature forgeries for very large messages while
using RSA through the PK module in 64-bit systems. The issue was caused by
some data loss when casting a size_t to an unsigned int value in the
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
* Fixed potential livelock during the parsing of a CRL in PEM format in
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
characters after the footer could result in the execution of an infinite
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Microsoft.
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Introduced by interoperability fix for #513.
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
when verifying the validity of a key on secp224k1. This could be
triggered remotely for example with a maliciously constructed certificate
and potentially could lead to remote code execution on some platforms.
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
team. #569 CVE-2017-2784
Bugfix
* Fix output certificate verification flags set by x509_crt_verify_top() when
traversing a chain of trusted CA. The issue would cause both flags,
MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
set when the verification conditions are not met regardless of the cause.
Found by Harm Verhagen and inestlerode. #665 #561
* Fix the redefinition of macro ssl_set_bio to an undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
Found by omlib-lin. #673
* Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
x509_csr.c that are reported when building mbed TLS with a config.h that
does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
would compare 64 bits of the record counter instead of 48 bits as indicated
in RFC 6347 Section 4.3.1. This could cause the execution of the
renegotiation routines at unexpected times when the protocol is DTLS. Found
by wariua. #687
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
the input string in PEM format to extract the different components. Found
by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
by missing calls to mbedtls_pem_free() in cases when a
MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
fix proposed by Guido Vranken. #722
* Fixed the templates used to generate project and solution files for Visual
Studio 2015 as well as the files themselves, to remove a build warning
generated in Visual Studio 2015. Reported by Steve Valliere. #742
* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
number to write in hexadecimal is negative and requires an odd number of
digits. Found and fixed by Guido Vranken.
* Fix unlisted DES configuration dependency in some pkparse test cases. Found
by inestlerode. #555
= mbed TLS 2.4.1 branch released 2016-12-13
Changes
* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication – October 2016
= mbed TLS 2.4.0 branch released 2016-10-17
Security
......
......@@ -60,9 +60,13 @@ struct mbedtls_cmac_context_t
/**
* \brief Set the CMAC key and prepare to authenticate the input
* data.