git: bb35a6275a79 - main - security/duo_openvpn: Pass script pass in less silly way, add support to force override an authentication method, bump PORTREVISION
Ryan Steinmetz
zi at FreeBSD.org
Thu May 20 16:33:45 UTC 2021
The branch main has been updated by zi:
URL: https://cgit.FreeBSD.org/ports/commit/?id=bb35a6275a799441a7b54165499d2274e79b002a
commit bb35a6275a799441a7b54165499d2274e79b002a
Author: Ryan Steinmetz <zi at FreeBSD.org>
AuthorDate: 2021-05-20 16:33:22 +0000
Commit: Ryan Steinmetz <zi at FreeBSD.org>
CommitDate: 2021-05-20 16:33:22 +0000
security/duo_openvpn: Pass script pass in less silly way, add support to force override an authentication method, bump PORTREVISION
---
security/duo_openvpn/Makefile | 10 +-
www/nginx/Makefile | 2 +-
www/nginx/Makefile.extmod | 2 +
www/nginx/files/extra-patch-dynamic-tls | 225 ++++++++++++++++++++++++++++++++
4 files changed, 236 insertions(+), 3 deletions(-)
diff --git a/security/duo_openvpn/Makefile b/security/duo_openvpn/Makefile
index 09cc5bab9d44..de121d3320e9 100644
--- a/security/duo_openvpn/Makefile
+++ b/security/duo_openvpn/Makefile
@@ -2,6 +2,7 @@
PORTNAME= duo_openvpn
PORTVERSION= 2.4
+PORTREVISION= 1
CATEGORIES= security
MAINTAINER= zi at FreeBSD.org
@@ -15,15 +16,16 @@ USES= gmake
USE_GITHUB= yes
GH_ACCOUNT= duosecurity
-CFLAGS+= -DPREFIX='\"${DATADIR}\"'
-
SUB_FILES= pkg-message
+OPTIONS_DEFINE= METHOD
OPTIONS_SINGLE= HELPER
OPTIONS_SINGLE_HELPER= PERL PYTHON
OPTIONS_DEFAULT=PERL
OPTIONS_SUB= yes
+METHOD_DESC= Force an authentication method (defaults to push, via METHOD)
+METHOD?= push
PERL_USES= perl5
PERL_VARS= USE_PERL5=run CFLAGS+=-DUSE_PERL
PERL_RUN_DEPENDS= p5-JSON-XS>0:converters/p5-JSON-XS \
@@ -36,6 +38,10 @@ PYTHON_USES= python:3.7+,run
post-patch:
${REINPLACE_CMD} 's|%%SHEBANG%%|${PYTHON_CMD}|' ${WRKSRC}/duo_openvpn.py
+ ${REINPLACE_CMD} 's|PREFIX "|"${DATADIR}|' ${WRKSRC}/duo_openvpn.c
+.if ${PORT_OPTIONS:MMETHOD}
+ ${REINPLACE_CMD} 's|get_env("password", envp);|"${METHOD}";|' ${WRKSRC}/duo_openvpn.c
+.endif
do-install:
@${MKDIR} ${STAGEDIR}${DATADIR}
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index c664aeb3565c..1f876403e27c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -2,7 +2,7 @@
PORTNAME= nginx
PORTVERSION= 1.20.0
-PORTREVISION?= 1
+PORTREVISION?= 2
PORTEPOCH= 2
CATEGORIES= www
MASTER_SITES= https://nginx.org/download/ \
diff --git a/www/nginx/Makefile.extmod b/www/nginx/Makefile.extmod
index bf4bb53f8659..daaac6da544f 100644
--- a/www/nginx/Makefile.extmod
+++ b/www/nginx/Makefile.extmod
@@ -35,6 +35,8 @@ DRIZZLE_GH_TUPLE= openresty:drizzle-nginx-module:v0.1.11:drizzle
DRIZZLE_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-openresty-drizzle-nginx-module-config
DRIZZLE_VARS= DSO_EXTMODS+=drizzle
+DYNAMIC_TLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-dynamic-tls
+
DYNAMIC_UPSTREAM_GH_TUPLE= ZigzagAK:ngx_dynamic_upstream:960eef2:dynamic_upstream
DYNAMIC_UPSTREAM_VARS= DSO_EXTMODS+=dynamic_upstream
diff --git a/www/nginx/files/extra-patch-dynamic-tls b/www/nginx/files/extra-patch-dynamic-tls
new file mode 100644
index 000000000000..86b617a55750
--- /dev/null
+++ b/www/nginx/files/extra-patch-dynamic-tls
@@ -0,0 +1,225 @@
+--- src/event/ngx_event_openssl.c.orig 2021-04-20 13:35:47 UTC
++++ src/event/ngx_event_openssl.c
+@@ -1616,6 +1616,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
+
+ sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
+ sc->buffer_size = ssl->buffer_size;
++ sc->dyn_rec = ssl->dyn_rec;
+
+ sc->session_ctx = ssl->ctx;
+
+@@ -2555,6 +2556,41 @@ ngx_ssl_send_chain(ngx_connection_t *c,
+
+ for ( ;; ) {
+
++ /* Dynamic record resizing:
++ We want the initial records to fit into one TCP segment
++ so we don't get TCP HoL blocking due to TCP Slow Start.
++ A connection always starts with small records, but after
++ a given amount of records sent, we make the records larger
++ to reduce header overhead.
++ After a connection has idled for a given timeout, begin
++ the process from the start. The actual parameters are
++ configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */
++
++ if (c->ssl->dyn_rec.timeout > 0 ) {
++
++ if (ngx_current_msec - c->ssl->dyn_rec_last_write >
++ c->ssl->dyn_rec.timeout)
++ {
++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
++ c->ssl->dyn_rec_records_sent = 0;
++
++ } else {
++ if (c->ssl->dyn_rec_records_sent >
++ c->ssl->dyn_rec.threshold * 2)
++ {
++ buf->end = buf->start + c->ssl->buffer_size;
++
++ } else if (c->ssl->dyn_rec_records_sent >
++ c->ssl->dyn_rec.threshold)
++ {
++ buf->end = buf->start + c->ssl->dyn_rec.size_hi;
++
++ } else {
++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
++ }
++ }
++ }
++
+ while (in && buf->last < buf->end && send < limit) {
+ if (in->buf->last_buf || in->buf->flush) {
+ flush = 1;
+@@ -2662,6 +2698,9 @@ ngx_ssl_write(ngx_connection_t *c, u_cha
+
+ if (n > 0) {
+
++ c->ssl->dyn_rec_records_sent++;
++ c->ssl->dyn_rec_last_write = ngx_current_msec;
++
+ if (c->ssl->saved_read_handler) {
+
+ c->read->handler = c->ssl->saved_read_handler;
+--- src/event/ngx_event_openssl.h.orig 2021-04-20 13:35:47 UTC
++++ src/event/ngx_event_openssl.h
+@@ -66,11 +66,19 @@
+
+ typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
+
++typedef struct {
++ ngx_msec_t timeout;
++ ngx_uint_t threshold;
++ size_t size_lo;
++ size_t size_hi;
++} ngx_ssl_dyn_rec_t;
++
+
+ struct ngx_ssl_s {
+ SSL_CTX *ctx;
+ ngx_log_t *log;
+ size_t buffer_size;
++ ngx_ssl_dyn_rec_t dyn_rec;
+ };
+
+
+@@ -106,6 +114,10 @@ struct ngx_ssl_connection_s {
+ unsigned in_ocsp:1;
+ unsigned early_preread:1;
+ unsigned write_blocked:1;
++
++ ngx_ssl_dyn_rec_t dyn_rec;
++ ngx_msec_t dyn_rec_last_write;
++ ngx_uint_t dyn_rec_records_sent;
+ };
+
+
+@@ -115,7 +127,7 @@ struct ngx_ssl_connection_s {
+ #define NGX_SSL_DFLT_BUILTIN_SCACHE -5
+
+
+-#define NGX_SSL_MAX_SESSION_SIZE 4096
++#define NGX_SSL_MAX_SESSION_SIZE 16384
+
+ typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
+
+--- src/http/modules/ngx_http_ssl_module.c.orig 2021-04-20 13:35:47 UTC
++++ src/http/modules/ngx_http_ssl_module.c
+@@ -301,6 +301,41 @@ static ngx_command_t ngx_http_ssl_comma
+ offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
+ NULL },
+
++ { ngx_string("ssl_dyn_rec_enable"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_flag_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_timeout"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_msec_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_size_lo"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_size_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_size_hi"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_size_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_threshold"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_num_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -637,6 +672,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
+ sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
+ sscf->stapling = NGX_CONF_UNSET;
+ sscf->stapling_verify = NGX_CONF_UNSET;
++ sscf->dyn_rec_enable = NGX_CONF_UNSET;
++ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
++ sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE;
++ sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE;
++ sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT;
+
+ return sscf;
+ }
+@@ -712,6 +752,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
++ ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
++ ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
++ 1000);
++ /* Default sizes for the dynamic record sizes are defined to fit maximal
++ TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi:
++ 1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */
++ ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo,
++ 1369);
++ /* 4229 = (1500 - 40 - 20 - 10) * 3 - 61 */
++ ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi,
++ 4229);
++ ngx_conf_merge_uint_value(conf->dyn_rec_threshold, prev->dyn_rec_threshold,
++ 40);
++
+ conf->ssl.log = cf->log;
+
+ if (conf->enable) {
+@@ -943,6 +997,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
+ return NGX_CONF_ERROR;
+ }
+
++ if (conf->dyn_rec_enable) {
++ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
++ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
++
++ if (conf->buffer_size > conf->dyn_rec_size_lo) {
++ conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo;
++
++ } else {
++ conf->ssl.dyn_rec.size_lo = conf->buffer_size;
++ }
++
++ if (conf->buffer_size > conf->dyn_rec_size_hi) {
++ conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi;
++
++ } else {
++ conf->ssl.dyn_rec.size_hi = conf->buffer_size;
++ }
++
++ } else {
++ conf->ssl.dyn_rec.timeout = 0;
++ }
++
+ return NGX_CONF_OK;
+ }
+
+--- src/http/modules/ngx_http_ssl_module.h.orig 2021-04-20 13:35:47 UTC
++++ src/http/modules/ngx_http_ssl_module.h
+@@ -67,6 +67,12 @@ typedef struct {
+
+ u_char *file;
+ ngx_uint_t line;
++
++ ngx_flag_t dyn_rec_enable;
++ ngx_msec_t dyn_rec_timeout;
++ size_t dyn_rec_size_lo;
++ size_t dyn_rec_size_hi;
++ ngx_uint_t dyn_rec_threshold;
+ } ngx_http_ssl_srv_conf_t;
+
+
More information about the dev-commits-ports-all
mailing list