hp e3000 webwise porting

hp webwise secure web server porting case study
presented by Mark Bixby
mark_bixby@hp.

webwise components
• Apache 1.3.9
  • vanilla web server
• mod_ssl 2.4.9-1.3.9
  • adds SSL support and other enhancements to Apache
• OpenSSL 0.9.4
  • SSL protocol, crypto algorithms, PKI utilities
• MM 1.0.12
  • platform independent shared memory library
• RSA BSAFE Crypto-C 4.

the porting process
• configure
• compile
• install
• load (unresolved externals)
• run
• repeat until successful
• submit your changes back to the public source tree
  • diff -ru virginsourcedir mpesourcedir >patch.

apache configure issues
• resulting NMPRG needs chmod 755 permissions
• new src/os/mpeix subdirectory required for DSO support and other things
• workaround needed for shell variable problem
  • bad: foo=$foo ./some/script
  • good: foo="$foo"; export foo; .

apache compile issues
• src/os/mpeix/Makefile.tmpl
  • copy and modify src/os/unix/Makefile.tmpl
• src/os/mpeix/os-inline.c
  • clone from src/os/unix/os-inline.c
• src/os/mpeix/os.c
  • clone from src/os/unix/os.c
• src/os/mpeix/os.h
  • copy and modify src/os/unix/os.

apache compile issues (cont.)
• src/support/ab.c #ifndef MPE # include

apache install issues
• temporary installation file names contain # characters
  • bad: dsttmp=$dstdir/#inst.$$#
  • good: dsttmp=$dstdir/inst.

apache load issues
• getpass()
  • Richard Stevens’ Advanced Programming in the Unix Environment
  • http://www.kohala.com/start/apue.html
• dlopen()/dlsym()/dlerror()/dlclose()
  • code from scratch using HPGETPROCPLABEL() and hpunload()
  • good enough for Apache, but not a 100% implementation
• gettimeofday()
  • Porting Wrappers
  • http://jazz.external.hp.com/src/px_wrappers/index.

apache run issues - sockets
• #define USE_FCNTL_SERIALIZED_ACCEPT
  • Apache children must call accept() in a serialized manner to correctly handle multiple sockets (80,443)
  • http://httpd.apache.org/docs/misc/perf-tuning.html
• setsockopt(SO_REUSEADDR) now supported by MPE
  • not supported at time of original apache port
  • enable this code by removing #ifndef MPE
• setsockopt(SO_KEEPALIVE) exists but still errors out on MPE
  • suppress this code with #ifndef MPE
• src/main/rfc1413.

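Added example, not taken from the slides or from Apache's source: a C illustration of the fcntl()-based accept serialization that USE_FCNTL_SERIALIZED_ACCEPT refers to, with a probe showing that a forked child sees the lock as held while the parent owns it. The function names and the lock-file template are hypothetical.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

static int lock_fd = -1;   /* opened once in the parent, inherited by children */

/* Create the lock file before forking (hypothetical helper name). */
int accept_lock_init(char *path_template)
{
    lock_fd = mkstemp(path_template);   /* created with mode 0600 */
    if (lock_fd < 0) return -1;
    return unlink(path_template);       /* the open descriptor is all we need */
}

/* Apply one whole-file fcntl() operation (l_start = l_len = 0). */
static int lock_op(short type, int cmd, struct flock *out)
{
    struct flock fl = {0};
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    int rc = fcntl(lock_fd, cmd, &fl);
    if (out) *out = fl;
    return rc;
}

int accept_lock_acquire(void) { return lock_op(F_WRLCK, F_SETLKW, NULL); }
int accept_lock_release(void) { return lock_op(F_UNLCK, F_SETLKW, NULL); }

/* What each child does per connection: only the lock holder sits in accept(). */
int serialized_accept(int listen_fd)
{
    if (accept_lock_acquire() < 0) return -1;
    int client = accept(listen_fd, NULL, NULL);
    accept_lock_release();
    return client;
}

/* Fork a child and report whether it finds the lock held: 1 = held, 0 = free. */
int child_sees_lock_held(void)
{
    int status; struct flock fl;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)   /* F_GETLK only probes; it never blocks */
        _exit(lock_op(F_WRLCK, F_GETLK, &fl) == 0 && fl.l_type != F_UNLCK);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WEXITSTATUS(status);
}
```

With more than one listening socket, as on the slide (80 and 443), the select() across the listeners belongs inside the same locked region as the accept().
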
apache run issues - processes
• parent and children must be able to use different POSIX uids to ensure server keys and certificates are secure
• children now unconditionally call setuid() instead of requiring MANAGER.

apache run issues - miscellaneous
• third parameter of int main(int argc, char **argv, char **envp) not passed by MPE; workaround: extern char **environ; envp = environ;
• proxy_cache.c tries to use link() to create hard links
  • link() exists on MPE, but always returns an error
  • already supported rename() workaround for other OSes
• proxy_util.

mod_ssl configure issues
• portable non-GNU way to detect MPE from a script?
  • if [ -f '/SYS/PUB/MPEXLDIR' -a ".$HPSUSAN" != .

mod_ssl compile issues
• modify pkg.sslmod/libssl.version to contain WebWise version string
• pkg.sslmod/mod_ssl.h #include

mod_ssl run issues
• because Apache parent and children run with different POSIX uids, all shared file and SVIPC semaphore permissions had to be modified to permit group access
• pkg.sslsup/mkcert.

mod_ssl submit-back issues
• not accepting contributions from the U.S.

openssl configure issues
• modify Configure script to include MPE/iX-gcc entry with compile and link options
• modify config script to change machine name (HPCPUNAME) hyphens to underscores
• various modifications so that the OpenSSL RSA, RC2, RC4, and RC5 algorithms are suppressed when configuring with RSA BSAFE Crypto-C patch

Solution Symposium February 9, 2001 Page 16

openssl compile issues
• suppress SO_KEEPALIVE code with #ifndef MPE
• modify crypto/des/read_pwd.c to use TERMIOS terminal I/O methods on MPE (tcgetattr()/tcsetattr())
• modify e_os.h to suppress #include of and
• integrate and extend Gordon Chaffee’s and G.

openssl run issues
• crypto/des/read_pwd.

openssl submit-back issues
• RSA BSAFE Crypto-C patch not submitted back to the OpenSSL developers
• NOTE! The OpenSSL 0.9.5a patch fails to apply to OpenSSL 0.9.6
• http://jazz.external.hp.

mm configure issues
• modify GNU configure script to use callci run testprog;stdin=*bogus method for detecting unresolved externals
  • change each line that sets ac_link

mm install issues
• modify shtool to remove # and @ from temporary filenames

mm run issues
• modify SVIPC semget() calls to include group permissions due to Apache parent and children running with different uids

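Added example, not taken from the slides or from the MM or mod_ssl sources: a C illustration of why the semget() mode has to grow from owner-only to owner-plus-group once parent and children run under different uids in the same group, as described here and on the mod_ssl run issues slide. The helper names are hypothetical, the child uid is constructed as getuid() + 1, and Linux-style headers are assumed.

```c
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <unistd.h>

/* Linux/glibc leaves union semun for the caller to define (assumption). */
union semun { int val; struct semid_ds *buf; unsigned short *array; };

/* Create a private one-semaphore set with the given permission bits. */
int sem_create(int mode)
{
    return semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | mode);
}

/* 1 if a process with (uid, gid) may alter (semop) the set, 0 if not, -1 on
 * error. Applies the SysV rule to the stored ipc_perm: owner or creator uid
 * uses the user bits, else owning or creating gid uses the group bits, else
 * the other bits. Supplementary groups are ignored here for brevity. */
int sem_may_alter(int semid, uid_t uid, gid_t gid)
{
    struct semid_ds ds;
    union semun arg;
    arg.buf = &ds;
    if (semctl(semid, 0, IPC_STAT, arg) < 0) return -1;
    const struct ipc_perm *p = &ds.sem_perm;
    if (uid == p->uid || uid == p->cuid) return (p->mode & 0200) != 0;
    if (gid == p->gid || gid == p->cgid) return (p->mode & 0020) != 0;
    return (p->mode & 0002) != 0;
}

int sem_destroy(int semid) { return semctl(semid, 0, IPC_RMID); }

/* Parent creates the set; would a child with another uid, same gid, get in? */
int child_uid_may_alter(int mode)
{
    int semid = sem_create(mode);
    if (semid < 0) return -1;
    int ok = sem_may_alter(semid, getuid() + 1, getgid());
    sem_destroy(semid);
    return ok;
}
```

Mode 0660 admits the child through the group bits while leaving the "other" bits clear, so accounts outside the server's group stay locked out.
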
mm submit-back issues
• not accepting contributions from the U.S.

RSA BSAFE Crypto-C issues
• censored!
  • proprietary code for which HP has a source license
  • MPE patches not submitted back to RSA

summary
• porting was generally fairly easy, with only a couple of items requiring moderate effort that had not been required for previous ports:
  • a minimal MPE implementation of the dlopen() family for dynamically loading code and data from shared libraries
  • modifying permissions to allow differing parent/child uids in MPE's POSIX environment which doesn't support uid 0
• the high effort required to integrate OpenSSL and RSA BSAFE Crypto-C was integration effort, not porting ef

join the hp3000-l community!
• Available as a mailing list and as the Usenet newsgroup comp.sys.hp.mpe
• In-depth discussions of all things HP e3000
• Talk with other people porting open-source to MPE
  • seek advice, exchange tips & techniques
• Keep up with the latest HP e3000 news
• Interact with CSY
• http://jazz.external.hp.com/papers/hp3000-info.

porting is easier than you think!
Any questions?