Index: /branches/rel_avx_2_7_6/src/webui/webui.h
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui.h (revision 9215)
+++ /branches/rel_avx_2_7_6/src/webui/webui.h (working copy)
@@ -70,13 +70,13 @@
#define WEBUI_IDLE_TIMEOUT_DEFAULT_VAL 15
-#define MAX_WEBUI_SSL_CIPHER_NUM 19
+#define MAX_WEBUI_SSL_CIPHER_NUM 21
#define WEBUI_SSL_SSLv30 0x01
#define WEBUI_SSL_TLSv10 0x02
#define WEBUI_SSL_TLSv11 0x04
#define WEBUI_SSL_TLSv12 0x08
-
+#define WEBUI_SSL_TLSv13 0x10
#define REST_DEFAULT_PORT 9997
Index: /branches/rel_avx_2_7_6/src/webui/webui.c
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui.c (revision 9215)
+++ /branches/rel_avx_2_7_6/src/webui/webui.c (working copy)
@@ -121,6 +121,9 @@
WEBUI_AES128_SHA,
WEBUI_AES256_SHA,
WEBUI_DES_CBC3_SHA,
+ /* TLS 1.3 ciphers */
+ WEBUI_TLS_AES_128_GCM_SHA256,
+ WEBUI_TLS_AES_256_GCM_SHA384,
};
#define CIPHER_ECC 0x01
@@ -128,6 +131,7 @@
#define CIPHER_ONLY_TLSV12 0x04
#define CIPHER_COMMON 0x08
#define CIPHER_GCM 0x10
+#define CIPHER_ONLY_TLSV13 0x20
#define NID_sm2 1172
#define EVP_PKEY_SM2 NID_sm2
@@ -152,11 +156,14 @@
{WEBUI_AES128_SHA, "AES128-SHA", CIPHER_RSA|CIPHER_COMMON, 0},
{WEBUI_AES256_SHA, "AES256-SHA", CIPHER_RSA|CIPHER_COMMON, 0},
{WEBUI_DES_CBC3_SHA, "DES-CBC3-SHA", CIPHER_RSA|CIPHER_COMMON, 0},
+ /*TLS 1.3 ciphers (lighttpd format)*/
+ {WEBUI_TLS_AES_128_GCM_SHA256, "TLS-AES128-GCM-SHA256", CIPHER_GCM|CIPHER_ONLY_TLSV13, 0},
+ {WEBUI_TLS_AES_256_GCM_SHA384, "TLS-AES256-GCM-SHA384", CIPHER_GCM|CIPHER_ONLY_TLSV13, 0},
};
static webui_app_config_t *userland_app_config_p = NULL;
-#define WEBUI_SSL_SUPPORTED_CIPHER ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+#define WEBUI_SSL_SUPPORTED_CIPHER ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:TLS-AES128-GCM-SHA256:TLS-AES256-GCM-SHA384")
#define MAX_CIPHERSTR_SIZE 512
#define MAX_PROTOCOL_SIZE 64
#define MAX_WEBUI_SSL_CONF_SIZE 1024
@@ -1536,6 +1543,10 @@
if (config_p->ssl_proto & WEBUI_SSL_SSLv30) {
len += snprintf(ssl_protos+len, MAX_PROTOCOL_SIZE-len, "%s", is_exist ? ",SSLv3" : "SSLv3");
}
+ if (config_p->ssl_proto & WEBUI_SSL_TLSv13) {
+ len += snprintf(ssl_protos+len, MAX_PROTOCOL_SIZE-len, "%s", is_exist ? ",TLSv1.3" : "TLSv1.3");
+ is_exist = 1;
+ }
idx += snprintf(cmd_str+idx, BUFSIZE_4K-idx, " ssl_protocol=\"%s\"", ssl_protos);
@@ -3252,6 +3263,7 @@
webui_ssl_set_ciphersuites(char *new_cipher)
{
webui_app_config_t* config_p = userland_app_config_attach();
+
if (!config_p) {
printf("Internal error.\n");
return -1;
@@ -3351,6 +3363,7 @@
/* If no change, no need to reload config */
if (0 != memcmp(config_p->ssl_cipherlist, ssl_cipherlist, sizeof(config_p->ssl_cipherlist))) {
memcpy(config_p->ssl_cipherlist, ssl_cipherlist, sizeof(config_p->ssl_cipherlist));
+
webui_reload();
}
@@ -3368,8 +3381,10 @@
int tlsv1_flag = 0;
int tlsv11_flag = 0;
int tlsv12_flag = 0;
+ int tlsv13_flag = 0;
webui_app_config_t* config_p = userland_app_config_attach();
+
if (!config_p) {
printf("Internal error.\n");
return -1;
@@ -3377,7 +3392,7 @@
/* check protocol value valid */
if(strcasecmp(newvalue, "ALL") == 0) {
- protos = WEBUI_SSL_SSLv30 | WEBUI_SSL_TLSv10 | WEBUI_SSL_TLSv11 | WEBUI_SSL_TLSv12;
+ protos = WEBUI_SSL_SSLv30 | WEBUI_SSL_TLSv10 | WEBUI_SSL_TLSv11 | WEBUI_SSL_TLSv12 | WEBUI_SSL_TLSv13;
} else {
newver = (char *)malloc((strlen(newvalue)+1)*sizeof(char));
if(newver == NULL) {
@@ -3441,11 +3456,21 @@
free(stringp);
return ERR_WEBUI_WRONG_SSL_PROTO;
}
- } else {
- printf("Wrong versions, try SSLv3, TLSv1, TLSv11, TLSv12 again\n");
- free(tofree);
- free(stringp);
- return ERR_WEBUI_WRONG_SSL_PROTO;
+ } else if (strcasecmp(*stringp, "TLSv13") == 0) {
+ if(tlsv13_flag == 0) {
+ tlsv13_flag = 1;
+ protos |= WEBUI_SSL_TLSv13;
+ }else {
+ printf("The input protocols contain duplicated \"TLSv13\". Please input again.\n");
+ free(tofree);
+ free(stringp);
+ return ERR_WEBUI_WRONG_SSL_PROTO;
+ }
+ } else {
+ printf("Wrong versions, try SSLv3, TLSv1, TLSv11, TLSv12, TLSv13 again\n");
+ free(tofree);
+ free(stringp);
+ return ERR_WEBUI_WRONG_SSL_PROTO;
}
}
free(tofree);
@@ -3477,6 +3502,7 @@
}
config_p->ssl_proto = protos;
+
webui_reload();
return ERR_WEBUI_OK;
@@ -3529,6 +3555,10 @@
if (config_p->ssl_proto & WEBUI_SSL_TLSv12) {
len += snprintf(ssl_protos+len, MAX_PROTOCOL_SIZE-len, "%s", is_exist ? ":TLSv12" : "TLSv12");
}
+ if (config_p->ssl_proto & WEBUI_SSL_TLSv13) {
+ len += snprintf(ssl_protos+len, MAX_PROTOCOL_SIZE-len, "%s", is_exist ? ":TLSv13" : "TLSv13");
+ }
+
outlen += sprintf(buff + outlen, "webui ssl settings protocol \"%s\"\n", ssl_protos);
Index: /branches/rel_avx_2_7_6/src/webui/webui/Makefile
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/Makefile (revision 9215)
+++ /branches/rel_avx_2_7_6/src/webui/webui/Makefile (working copy)
@@ -1,5 +1,5 @@
-SUBDIR = htdocs
+SUBDIR = lighttpd_1.4.64 htdocs
all:
@for i in ${SUBDIR} ; do echo `/bin/pwd`/$${i}; cd $${i};\
make all || exit "$$?"; cd ..; done
Index: /branches/rel_avx_2_7_6/src/webui/webui/htdocs/new/src/client/app/modules/system/submenu/access_control/webui.html
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/htdocs/new/src/client/app/modules/system/submenu/access_control/webui.html (revision 9215)
+++ /branches/rel_avx_2_7_6/src/webui/webui/htdocs/new/src/client/app/modules/system/submenu/access_control/webui.html (working copy)
@@ -39,6 +39,7 @@
+
@@ -65,6 +66,8 @@
+
+
@@ -85,4 +88,4 @@
-
\ No newline at end of file
+
Index: /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/Makefile
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/Makefile (revision 0)
+++ /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/Makefile (working copy)
@@ -0,0 +1,11 @@
+LIGHTTPD_NAME=lighttpd-1.4.64
+all:
+ ./build.sh
+
+clean:
+ rm -rf ${LIGHTTPD_NAME}
+ rm -f *.so
+
+install:
+
+
Index: /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/build.sh
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/build.sh (revision 0)
+++ /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/build.sh (working copy)
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+export CFLAGS="-I${TOP}/lib/libopenssl-1.1.1/include"
+export LDFLAGS="-L${TOP}/lib/libopenssl-1.1.1"
+export LD_LIBRARY_PATH="${TOP}/lib/libopenssl-1.1.1"
+
+TOP=../../../../../..
+LIGHTTPD_NAME=lighttpd-1.4.64
+TAR_NAME=${LIGHTTPD_NAME}.tar.xz
+PATCH1=lighttpd_openssl_linker.patch
+
+if [ ! -d $LIGHTTPD_NAME ]
+then
+ tar -xf $TAR_NAME
+ if [ $? -ne 0 ]
+ then
+ echo "Uncompress $TAR_NAME failed!"
+ exit 1
+ fi
+
+ cd $LIGHTTPD_NAME
+ patch < ../$PATCH1
+else
+ cd $LIGHTTPD_NAME
+fi
+
+if [ Makefile -nt configure ]
+then
+ #Configure have been done
+ echo "No need to compile lighttpd-1.4.64"
+else
+ echo "Start to configure lighttpd-1.4.64"
+ ./configure \
+ --with-openssl=${TOP}/lib/libopenssl-1.1.1 \
+ --without-pcre2 \
+ --disable-ipv6
+
+ if [ $? -ne 0 ]
+ then
+ echo "Configure lighttpd-1.4.64 failed!"
+ exit 1
+ fi
+fi
+
+make -C src mod_openssl.la
+if [ $? -ne 0 ]
+then
+ echo "Make mod_openssl in lighttpd-1.4.64 failed!"
+ exit 1
+fi
+cd ..
+cp -f $LIGHTTPD_NAME/src/.libs/mod_openssl.so .
Property changes on: src/webui/webui/lighttpd_1.4.64/build.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/x-xz
Index: /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz (revision 0)
+++ /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz (working copy)
Property changes on: src/webui/webui/lighttpd_1.4.64/lighttpd-1.4.64.tar.xz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-xz
\ No newline at end of property
Index: /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd_openssl_linker.patch
===================================================================
--- /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd_openssl_linker.patch (revision 0)
+++ /branches/rel_avx_2_7_6/src/webui/webui/lighttpd_1.4.64/lighttpd_openssl_linker.patch (working copy)
@@ -0,0 +1,20 @@
+--- /root/changed/lighttpd-1.4.64/configure 2022-01-20 01:54:06.000000000 +0800
++++ configure 2026-03-27 15:02:42.207489575 +0800
+@@ -16817,7 +16817,7 @@
+ if test "$WITH_OPENSSL" != no; then
+ if test "$WITH_OPENSSL" != yes; then
+ openssl_append_CPPFLAGS=" -I$WITH_OPENSSL/include"
+- openssl_append_LDFLAGS=" -L$WITH_OPENSSL/lib"
++ openssl_append_LDFLAGS=" -L$WITH_OPENSSL"
+ fi
+ fi
+
+@@ -16968,7 +16968,7 @@
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_new" >&5
+ $as_echo "$ac_cv_lib_ssl_SSL_new" >&6; }
+ if test "x$ac_cv_lib_ssl_SSL_new" = xyes; then :
+- OPENSSL_LIBS="${openssl_append_LDFLAGS} -lssl -lcrypto"
++ OPENSSL_LIBS="${openssl_append_LDFLAGS} -lssl-tls13 -lcrypto-tls13"
+ else
+ as_fn_error $? "openssl ssl library not found. install it or build without --with-openssl" "$LINENO" 5
+ fi
Index: /branches/rel_avx_2_7_6/update/avxsystem.ks
===================================================================
--- /branches/rel_avx_2_7_6/update/avxsystem.ks (revision 9215)
+++ /branches/rel_avx_2_7_6/update/avxsystem.ks (working copy)
@@ -718,6 +718,7 @@
rm -rf /usr/local/etc/composer/*.conf
cp /ca/webui/conf/agent.default /usr/local/etc/composer/agent.default
cp /ca/webui/conf/engine.default /usr/local/etc/composer/engine.default
+cp /ca/webui/lighttpd_1.4.64/mod_openssl.so /ca/lighttpd/lib
#rm -rf /ca/webui/exfiles
#openvswitch config