path: root/www/w3c-httpd/files/patch-SSL
Diffstat (limited to 'www/w3c-httpd/files/patch-SSL')
-rw-r--r--  www/w3c-httpd/files/patch-SSL  532
1 files changed, 0 insertions, 532 deletions
diff --git a/www/w3c-httpd/files/patch-SSL b/www/w3c-httpd/files/patch-SSL
deleted file mode 100644
index cb736267ba8c..000000000000
--- a/www/w3c-httpd/files/patch-SSL
+++ /dev/null
@@ -1,532 +0,0 @@
-============================================================================
-README:
-============================================================================
-
-OVERVIEW
-
- This SSL tunneling patch for CERN httpd adds support for the
- CONNECT method used by SSL enhanced clients to open a secure
- tunnel through the proxy.
-
-THEORY
-
- The CONNECT method takes
-
- hostname:port
-
- as its argument, and the request is in the form of the
- HTTP/1.0 request (that is, the string "HTTP/1.0" and the
- request headers must follow the request). Example:
-
- CONNECT home1.netscape.com:443 HTTP/1.0<crlf>
- <crlf>
-
- The response will be either a normal HTTP/1.0 error response
- (in case the host is unreachable for one reason or another),
- or in case of success:
-
- HTTP/1.0 200 Connection established<crlf>
- <crlf>
-
- after which the connection is open, and the client may start
- the SSL handshake.
-
- This is a superior approach because it allows the HTTP request
- headers to be passed, making it possible to do authentication
- on the proxy, and allows any other future extension.
-
-CONFIGURATION
-
- Because the configuration of CERN httpd is based on URL
- patterns, for ease of configuration, the hostname:port
- argument in automatically transformed into an internal
- representation:
-
- connect://hostname:port
-
- connect:// URLs do not exist in real life -- this is just a
- notion in the configuration file to make life easier!!
-
-ENABLING
-
- SSL tunneling is disabled by default. To enable it for HTTPS
- (uses the port 443), add the following line in the
- configuration file:
-
- Pass connect://*:443
-
- To enable secure news (SNEWS, uses port 563) tunneling, add
- line:
-
- Pass connect://*:563
-
- DO NOT use trailing slashes. DO NOT allow all connect://
- requests, the following is unsafe:
-
- Pass connect://*
-
-PROTECTION
-
- IP address protection should always be used in connection with
- SSL tunneling. To create a protection template P which allows
- access only for hosts with IP addresses 198.93.*.* and
- 198.95.*.*, use the template:
-
- Protection P {
- CONNECT-Mask @(198.93.*.*, 198.95.*.*)
- }
-
- Note that this only declares a template; to actually apply the
- protection use the Protect rule, AFTER the Protection
- declaration, but BEFORE the Pass rule:
-
- Protect connect://* P
-
- Or, to collect them all together:
-
- Protection P {
- CONNECT-Mask @(198.93.*.*, 198.95.*.*)
- }
- Protect connect://* P
- Pass connect://*:443
- Pass connect://*:563
-
- The Protection binding to name P may be left out in case it's
- only used once, and the protection configuration may be
- inlined in place of the protection name in Protect rule:
-
- Protect connect://* {
- CONNECT-Mask @(198.93.*.*, 198.95.*.*)
- }
- Pass connect://*:443
- Pass connect://*:563
-
- For a better insight of the CERN httpd's configuration system,
- please refer to the online manual:
-
- http://www.w3.org/httpd/
-
-PROXY AUTHENTICATION
-
- This patch does not enable proxy authentication. Proxy
- authentication is not supported by the CERN proxy. Proxy
- authentication uses the status code 407, and headers
- Proxy-Authenticate and Proxy-Authorization.
-
- You MUST NOT try to use the Protect directive to turn on
- normal user authentication on (the one that uses the 401
- status code, and WWW-Authenticate and Authorization headers).
- That is an incorrect way to do authentication for the proxy,
- and causes compatibility and security problems.
-
-CHAINING PROXIES
-
- This patch does not enable chaining proxies to do SSL
- tunneling. More specifically, the CERN proxy with this patch
- IS able to act as the OUTMOST proxy in the chain, but it
- doesn't work if it is the inner proxy that has to speak to
- another, outer proxy to establish a secure connection through
- that. Therefore, a combination such as inner Netscape Proxy
- and outer CERN httpd would work, but not vice versa.
-
-THE NETSCAPE PROXY SERVER
-
- The Netscape Proxy Server is a commercially supported proxy
- server available from Netscape Communications Corporation. In
- addition to it's unique, more efficient architecture, it
- natively supports proxy authentication, proxy chaining, SSL
- tunneling and HTTPS proxying, enabling also clients without
- native SSL support to use HTTPS.
-
-AUTHOR
- Ari Luotonen, Netscape Communications Corporation, 1995
- <ari@netscape.com>
-
-DISCLAIMER
-
- I do not have any official connection to the CERN httpd
- development anymore. I have left the CERN WWW project in
- summer '94. I do not provide any support for this software or
- this patch. For general CERN httpd support, please contact:
-
- httpd@w3.org
-
- THIS PATCH IS PROVIDED IN GOOD FAITH, AS IS. I AND NETSCAPE
- MAKE NO CLAIMS TO ITS SUITABILITY FOR ANY PARTICULAR PURPOSE,
- AND I AND NETSCAPE PROVIDE ABSOLUTELY NO WARRANTY OF ANY KIND
- WITH RESPECT TO THIS PATCH OR THIS SOFTWARE. THE ENTIRE RISK
- AS TO THE QUALITY AND PERFORMANCE OF THIS SOFTWARE/PATCH IS
- WITH THE USER. IN NO EVENT WILL I OR NETSCAPE BE LIABLE TO
- ANYONE FOR ANY DAMAGES ARISING OUT THE USE OF THIS
- SOFTWARE/PATCH, INCLUDING, WITHOUT LIMITATION, DAMAGES
- RESULTING FROM LOST DATA OR LOST PROFITS, OR FOR ANY SPECIAL,
- INCIDENTAL OR CONSEQUENTIAL DAMAGES.
-
-
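Review bot: the ENABLING section's "DO NOT use trailing slashes" gives no reason, and the reason is needed to write a correct Pass rule: the HTRequest.c change later in this file rewrites the CONNECT argument as connect://host:port and terminates the string immediately after the port digits, so a rule written as `Pass connect://*:443/` can never match a rewritten request. The README should say so. It should also make explicit that the port-restricted Pass rule and the CONNECT-Mask IP protection are the only access controls on the tunnel: after the `HTTP/1.0 200 Connection established` line is sent, ssl_proxy_pump relays bytes in both directions without looking at them, so `Pass connect://*` turns the server into a relay to any host and port reachable from it, which is what makes the "unsafe" warning above justified rather than merely cautionary.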
-============================================================================
-PATCH TO WWW COMMON LIBRARY 2.17 AND CERN HTTPD 3.0:
-============================================================================
-
-*** Library/Implementation/HTAccess.c.orig Thu Sep 29 04:53:28 1994
---- Library/Implementation/HTAccess.c Tue May 9 13:16:50 1995
-***************
-*** 146,151 ****
---- 146,152 ----
- "SHOWMETHOD",
- "LINK",
- "UNLINK",
-+ "CONNECT",
- NULL
- };
-
-*** Library/Implementation/HTAccess.h.orig Sun Sep 25 07:15:14 1994
---- Library/Implementation/HTAccess.h Tue May 9 13:15:47 1995
-***************
-*** 60,65 ****
---- 60,66 ----
- METHOD_SHOWMETHOD,
- METHOD_LINK,
- METHOD_UNLINK,
-+ METHOD_CONNECT,
- MAX_METHODS
- } HTMethod;
- /*
-*** Daemon/Implementation/HTAAProt.h.orig Sun Sep 25 06:55:47 1994
---- Daemon/Implementation/HTAAProt.h Mon May 15 21:05:40 1995
-***************
-*** 52,57 ****
---- 52,58 ----
- GroupDef * put_mask; /* - " - (PUT) */
- GroupDef * post_mask; /* - " - (POST) */
- GroupDef * delete_mask; /* - " - (DELETE) */
-+ GroupDef * connect_mask; /* - " - (CONNECT) */
- GroupDef * gen_mask; /* General mask (used when needed but */
- /* other masks not set). */
- HTList * valid_schemes;/* Valid authentication schemes */
-*** Daemon/Implementation/HTAAProt.c.orig Sun Sep 25 11:53:03 1994
---- Daemon/Implementation/HTAAProt.c Mon May 15 21:18:05 1995
-***************
-*** 356,361 ****
---- 356,373 ----
- }
- } /* if "Post-Mask" */
-
-+ else if (0==strncasecomp(fieldname, "connect", 7)) {
-+ prot->connect_mask = HTAA_parseGroupDef(fp);
-+ lex_item=LEX_REC_SEP; /*groupdef parser read this already*/
-+ if (TRACE) {
-+ if (prot->connect_mask) {
-+ fprintf(stderr, "CONNECT-Mask\n");
-+ HTAA_printGroupDef(prot->connect_mask);
-+ }
-+ else fprintf(stderr,"SYNTAX ERROR parsing CONNECT-Mask\n");
-+ }
-+ } /* if "Connect-Mask" */
-+
- else if (0==strncasecomp(fieldname, "delete", 6)) {
- prot->delete_mask = HTAA_parseGroupDef(fp);
- lex_item=LEX_REC_SEP; /*groupdef parser read this already*/
-*** Daemon/Implementation/HTAAServ.c.orig Sun Sep 25 06:52:53 1994
---- Daemon/Implementation/HTAAServ.c Mon May 15 21:06:18 1995
-***************
-*** 208,213 ****
---- 208,215 ----
- mask = prot->post_mask;
- else if (!strcmp(method_name, "DELETE"))
- mask = prot->delete_mask;
-+ else if (!strcmp(method_name, "CONNECT"))
-+ mask = prot->connect_mask;
- if (!mask)
- mask = prot->gen_mask;
- }
-*** Daemon/Implementation/HTRequest.c.orig Fri Aug 12 03:36:29 1994
---- Daemon/Implementation/HTRequest.c Mon May 15 21:32:44 1995
-***************
-*** 1006,1011 ****
---- 1006,1028 ----
- }
-
- /*
-+ * SSL tunneling -- make host:port appear as connect://host:port
-+ * to make it work better with the configuration system.
-+ * Ari Luotonen <ari@netscape.com> May 1995
-+ */
-+ if (req->method == METHOD_CONNECT && HTReqArg) {
-+ char *tmp = HTReqArg;
-+ HTReqArg = NULL;
-+ StrAllocCopy(HTReqArg, "connect://");
-+ StrAllocCat(HTReqArg, tmp);
-+ free(tmp);
-+ if ((tmp = strchr(HTReqArg + 10, ':'))) {
-+ for (tmp++; *tmp && isdigit(*tmp); tmp++);
-+ *tmp = '\0';
-+ }
-+ }
-+
-+ /*
- ** Check that the third argument actually is a valid
- ** client protocol specifier (if it is not we might wait
- ** for an eternity for the rest of an HTTP1 request when it
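Review bot: the normalisation loop at `for (tmp++; *tmp && isdigit(*tmp); tmp++);` followed by `*tmp = '\0';` silently discards whatever follows the port digits instead of rejecting it, so `CONNECT host:443junk HTTP/1.0` and `CONNECT host:443/ HTTP/1.0` are both quietly accepted as connect://host:443. A malformed argument should produce a 400; suggest checking that `*tmp` is '\0' after the loop and failing the request otherwise. Two smaller points in the same block: `isdigit(*tmp)` is applied to a plain `char`, which is undefined for bytes above 127 and should be `isdigit((unsigned char)*tmp)`; and when the argument contains no ':' nothing is truncated here, which is only acceptable because ssl_proxy_get_addr later rejects such an argument with 400, so that dependency deserves a comment.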
-*** Daemon/Implementation/HTDaemon.c.orig Mon Sep 26 07:23:00 1994
---- Daemon/Implementation/HTDaemon.c Mon Jun 12 15:58:58 1995
-***************
-*** 65,70 ****
---- 65,71 ----
- ** defined via "ServerRoot" in the configuration file.
- ** Commented out dead extern declarations.
- ** 8 Jul 94 FM Insulate free() from _free structure element.
-+ ** May 95 AL SSL tunneling support
- */
-
- /* (c) CERN WorldWideWeb project 1990-1992. See Copyright.html for details */
-***************
-*** 162,167 ****
---- 163,173 ----
- #include <sys/param.h>
- #include <errno.h>
-
-+ #if !defined(__osf__) && !defined(AIX) && !defined(_HPUX_SOURCE) && \
-+ !defined(BSDI) && !defined(__linux)
-+ #include <sys/filio.h>
-+ #endif
-+
- #ifndef SIGCLD
- #ifdef SIGCHLD
- #define SIGCLD SIGCHLD
-***************
-*** 376,381 ****
---- 382,602 ----
-
-
-
-+ /*
-+ * SSL tunneling support by Ari Luotonen <ari@netscape.com>, May 1995
-+ */
-+
-+
-+ #define SSL_PROXY_BUFSIZE 4096
-+
-+
-+ int shove_buffer ARGS4(int, sd,
-+ char *, b,
-+ int *, i,
-+ int *, c)
-+ {
-+ int n = write(sd, &b[*i], *c);
-+
-+ if (n > 0)
-+ {
-+ *i += n;
-+ *c -= n;
-+ }
-+ else if (n == -1 && (errno == EWOULDBLOCK || errno == EINTR))
-+ {
-+ n = 0;
-+ }
-+
-+ return n;
-+ }
-+
-+ int drag_buffer ARGS4(int, sd,
-+ char *, b,
-+ int *, i,
-+ int *, c)
-+ {
-+ int n = read(sd, b, SSL_PROXY_BUFSIZE);
-+
-+ *i = *c = 0;
-+
-+ if (n > 0)
-+ {
-+ *c = n;
-+ }
-+ else if (n == -1 && errno != EWOULDBLOCK && errno != EINTR)
-+ {
-+ return 0;
-+ }
-+ return n;
-+ }
-+
-+
-+ int ssl_proxy_pump ARGS3(int, sd1,
-+ int, sd2,
-+ char *, initial)
-+ {
-+ char b1[SSL_PROXY_BUFSIZE];
-+ char b2[SSL_PROXY_BUFSIZE];
-+ int i1=0, i2=0; /* Buffer start index */
-+ int c1=0, c2=0; /* Buffer data counter */
-+ int r1=0, r2=0; /* Socket read ready */
-+ int w1=0, w2=0; /* Socket write ready */
-+ int closed1=0, closed2=0; /* Socket close */
-+ int n_fds = ((sd1 > sd2) ? sd1 : sd2) + 1;
-+ fd_set rd_fds, wr_fds;
-+ int status;
-+
-+ if (initial && *initial) {
-+ strcpy(b1, initial);
-+ c1 = strlen(initial);
-+ }
-+
-+ while (1) {
-+ FD_ZERO(&rd_fds);
-+ FD_ZERO(&wr_fds);
-+ /* Only set the FDs that are relevant - 10/12/98 gram@cdsec.com */
-+ if (!c1) FD_SET(sd2, &rd_fds);
-+ else FD_SET(sd1, &wr_fds);
-+ if (!c2) FD_SET(sd1, &rd_fds);
-+ else FD_SET(sd2, &wr_fds);
-+
-+ if (!(status = select(n_fds, &rd_fds, &wr_fds, NULL, NULL)))
-+ {
-+ break;
-+ }
-+ else if (status == -1)
-+ {
-+ if (errno == EINTR)
-+ continue;
-+ else
-+ break;
-+ }
-+
-+ r1 = FD_ISSET(sd1, &rd_fds);
-+ r2 = FD_ISSET(sd2, &rd_fds);
-+ w1 = FD_ISSET(sd1, &wr_fds);
-+ w2 = FD_ISSET(sd2, &wr_fds);
-+
-+ if (w1 && c1 > 0)
-+ {
-+ if (shove_buffer(sd1, b1, &i1, &c1) == -1)
-+ closed1 = 1;
-+ }
-+ if (w2 && c2 > 0)
-+ {
-+ if (shove_buffer(sd2, b2, &i2, &c2) == -1)
-+ closed2 = 1;
-+ }
-+ if (r1)
-+ {
-+ if (!drag_buffer(sd1, b2, &i2, &c2))
-+ closed1 = 1;
-+ }
-+ if (r2)
-+ {
-+ if (!drag_buffer(sd2, b1, &i1, &c1))
-+ closed2 = 1;
-+ }
-+
-+ if (closed1 || closed2)
-+ {
-+ break;
-+ }
-+ }
-+
-+ NETCLOSE(sd1);
-+ NETCLOSE(sd2);
-+
-+ return 1;
-+ }
-+
-+
-+ BOOL ssl_proxy_get_addr ARGS3(char *, arg,
-+ char **, host,
-+ int *, port)
-+ {
-+ char *p;
-+
-+ if (arg && host && port && !strncmp(arg, "connect://", 10)) {
-+
-+ *host = NULL;
-+ StrAllocCopy(*host, arg + 10);
-+
-+ if ((p = strchr(*host, ':'))) {
-+ *p++ = '\0';
-+ if ((*port = atoi(p)) > 0)
-+ return YES;
-+ }
-+ }
-+ return NO;
-+ }
-+
-+
-+ int ssl_proxy_connect ARGS3(HTRequest *, req,
-+ char *, host,
-+ int, port)
-+ {
-+ struct sockaddr_in sa;
-+ struct hostent *hp;
-+ int sd, status, one=1;
-+
-+ memset(&sa, 0, sizeof(sa));
-+ sa.sin_family = AF_INET;
-+ sa.sin_port = htons(port);
-+
-+ if (isdigit(*host))
-+ sa.sin_addr.s_addr = inet_addr(host);
-+ else if ((hp = gethostbyname(host)))
-+ memcpy(&sa.sin_addr, hp->h_addr, hp->h_length);
-+ else {
-+ HTLoadError(req, 500, "Unable to locate host");
-+ return -1;
-+ }
-+
-+ if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
-+ HTLoadError(req, 500, "Can't create socket");
-+ return -1;
-+ }
-+
-+ if ((status = connect(sd, (struct sockaddr *)&sa, sizeof(sa))) == -1) {
-+ HTLoadError(req, 500, "Can't connect to host");
-+ return -1;
-+ }
-+
-+ if ((status = ioctl(sd, FIONBIO, &one)) == -1) {
-+ HTLoadError(req, 500, "Can't make socket non-blocking");
-+ return -1;
-+ }
-+
-+ return sd;
-+ }
-+
-+
-+
-+ BOOL ssl_proxy_request ARGS2(char *, arg, HTRequest *, req)
-+ {
-+ char *host = NULL;
-+ int port = 0;
-+ int sd, one=1;
-+
-+ CTRACE(stderr, "Handling CONNECT %s\n", arg);
-+
-+ if (!ssl_proxy_get_addr(arg, &host, &port)) {
-+ HTLoadError(req, 400, "Bad CONNECT request address");
-+ return NO;
-+ }
-+
-+ if ((sd = ssl_proxy_connect(req, host, port)) < 0)
-+ return NO;
-+
-+ if (ioctl(HTSoc, FIONBIO, &one) < -1) {
-+ HTLoadError(req, 500, "Can't make client socket non-blocking");
-+ return NO;
-+ }
-+
-+ ssl_proxy_pump(HTSoc, sd, "HTTP/1.0 200 Connection established\r\n\r\n");
-+ return YES;
-+ }
-
-
- #if defined(Mips)
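Review bot: `if (ioctl(HTSoc, FIONBIO, &one) < -1)` in ssl_proxy_request can never be true, since ioctl returns -1 on failure, so a failed switch of the client socket to non-blocking mode is never reported and the pump runs on a blocking client socket; the test should be `== -1`. Error paths in the same region also leak resources: in ssl_proxy_connect the connect() and ioctl() failure branches return -1 without closing `sd`, ssl_proxy_request returns NO after a successful ssl_proxy_connect without closing `sd`, and the `host` string allocated by StrAllocCopy in ssl_proxy_get_addr is never freed. Input validation is thin as well: the numeric branch `sa.sin_addr.s_addr = inet_addr(host)` does not check for INADDR_NONE, so a malformed dotted address is handed straight to connect(), and `port` from atoi() is not range-checked before `htons(port)`, so values above 65535 are silently truncated; ssl_proxy_get_addr should reject anything outside 1..65535. Finally connect() is called on a blocking socket with no timeout, so a client can tie up a server process on an unresponsive destination for the full kernel connect timeout.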
-***************
-*** 1832,1837 ****
---- 2053,2062 ----
- }
- FREE(cfn);
- }
-+ else if (req->method==METHOD_CONNECT) {
-+ /* SSL tunneling by Ari Luotonen <ari@netscape.com>, May 1995 */
-+ ssl_proxy_request(HTReqArg, req);
-+ }
- else {
- /* Normal retrieve with no caching */
- CTRACE(stderr, "No caching.. %s\n",
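Review bot: the result of `ssl_proxy_request(HTReqArg, req);` is dropped, so the caller cannot tell whether a tunnel actually ran or an error response was emitted, and on the YES path ssl_proxy_pump has already called NETCLOSE on both HTSoc and the upstream socket, so anything the caller does with HTSoc after this point operates on a closed descriptor. Suggest propagating the return value, and adding a comment here stating that HTSoc is closed by the time ssl_proxy_request returns.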