authorIru Cai2019-03-02 14:42:03 +0800
committerIru Cai2019-03-02 14:42:03 +0800
commit3d9d460653e8e08dd6568434da7df3c18833f362 (patch)
treea2ea3bc69c9efe37610b80caf461ce9598d992e9
parentf0813e5a0b0c222ef094fcca03a2365fa3e14f94 (diff)
downloadaur-3d9d460653e8e08dd6568434da7df3c18833f362.tar.gz
Use the variable name USING_GCCGO; add latest TLS 1.3 support
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD10
-rw-r--r--latest_tls13.patch249
3 files changed, 259 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 60be37485ffd..222dc6a06fac 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = caddy-with-cgi
pkgdesc = HTTP/2 Web Server with Automatic HTTPS, with caddy-cgi plugin and gcc-go support
pkgver = 0.11.4
- pkgrel = 2
+ pkgrel = 3
url = https://caddyserver.com
install = caddy.install
arch = i686
@@ -21,6 +21,7 @@ pkgbase = caddy-with-cgi
source = caddy.tmpfiles
source = caddy.conf
source = default_nocbc.patch
+ source = latest_tls13.patch
source = noquic_aesni.patch
source = plugins.patch
sha256sums = 5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532
@@ -31,6 +32,7 @@ pkgbase = caddy-with-cgi
sha256sums = bd4d912d083be176727882ccc1bbe577a27cc160db09238e5edc05ba458aebce
sha256sums = 80520b80ccabf077a3269f6a1bf55faa3811ef5adce115131b35ef2044d37b64
sha256sums = 35410797a8deb629a974dbbf4b3784c3237d3db8d9c7c589ba85e8b9dddf2be0
+ sha256sums = 75f0f3744117d9423b629e67e8dcee71e52791751be822fbd524a29f9f3a7575
sha256sums = f3f9fa975a174928d727f3040fa28e2fbd073b1f4ebd3a68fa43b0aebb90eb64
sha256sums = c8d56b2295e04720ae8fe9493a7931bb2dba5c568fbcae469887ac143bd6b934
diff --git a/PKGBUILD b/PKGBUILD
index c180d8a8d704..013620ae7818 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,7 +10,7 @@ _cgipkgname='github.com/jung-kurt/caddy-cgi'
# build some asm files needed by quic-go
if `pacman -Qq gcc-go >/dev/null 2>/dev/null`
then
- NOQUIC=y
+ USING_GCCGO=y
GOFLAGS="-gccgoflags -O2"
fi
@@ -18,7 +18,7 @@ pkgname=caddy-with-cgi
_pkgbase=caddy
pkgver=0.11.4
_cgiver=1.10
-pkgrel=2
+pkgrel=3
pkgdesc='HTTP/2 Web Server with Automatic HTTPS, with caddy-cgi plugin and gcc-go support'
arch=('i686' 'x86_64' 'armv7h' 'aarch64')
url='https://caddyserver.com'
@@ -36,6 +36,7 @@ source=("https://$_gopkgname/archive/v$pkgver/$_pkgbase-$pkgver.tar.gz"
'caddy.tmpfiles'
'caddy.conf'
'default_nocbc.patch'
+ 'latest_tls13.patch'
'noquic_aesni.patch'
'plugins.patch')
sha256sums=('5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532'
@@ -46,6 +47,7 @@ sha256sums=('5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532'
'bd4d912d083be176727882ccc1bbe577a27cc160db09238e5edc05ba458aebce'
'80520b80ccabf077a3269f6a1bf55faa3811ef5adce115131b35ef2044d37b64'
'35410797a8deb629a974dbbf4b3784c3237d3db8d9c7c589ba85e8b9dddf2be0'
+ '75f0f3744117d9423b629e67e8dcee71e52791751be822fbd524a29f9f3a7575'
'f3f9fa975a174928d727f3040fa28e2fbd073b1f4ebd3a68fa43b0aebb90eb64'
'c8d56b2295e04720ae8fe9493a7931bb2dba5c568fbcae469887ac143bd6b934')
@@ -61,9 +63,11 @@ prepare() {
# fix rewrite: rewrite the URI instead of just the path
# https://github.com/mholt/caddy/issues/2129
sed -i 's/URL.Path/URL.RequestURI()/g' caddyhttp/rewrite/rewrite.go
- if [ "$NOQUIC" == y ]
+ if [ "$USING_GCCGO" == y ]
then
patch -p1 -i "$srcdir/noquic_aesni.patch"
+ else
+ patch -p1 -i "$srcdir/latest_tls13.patch"
fi
}
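Review bot: The new `else` branch applies latest_tls13.patch, which makes caddytls default `ProtocolMaxVersion` to `tls.VersionTLS13`, a constant that only exists from Go 1.12, yet nothing in this diff constrains the `go` makedepends (declared outside this hunk); with an older go toolchain the non-gcc-go build now fails at compile time rather than at patch time, so `makedepends` should carry a `go>=1.12` constraint alongside this change. The patch also bundles certmagic fixes unrelated to TLS 1.3 (the `HostQualifies` check in `Manage`, the `ObtainCert` reordering and the email/agreement handling) which the `USING_GCCGO` branch now silently drops; splitting those into a patch applied on both branches would keep the two builds consistent. prepare() begins outside this hunk.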
diff --git a/latest_tls13.patch b/latest_tls13.patch
new file mode 100644
index 000000000000..2c606bc7455e
--- /dev/null
+++ b/latest_tls13.patch
@@ -0,0 +1,249 @@
+diff --git a/appveyor.yml b/appveyor.yml
+index b19eb7a..7d04da9 100644
+--- a/appveyor.yml
++++ b/appveyor.yml
+@@ -10,7 +10,7 @@ clone_folder: c:\gopath\src\github.com\mholt\caddy
+ environment:
+ GOPATH: c:\gopath
+
+-stack: go 1.11
++stack: go 1.12
+
+ install:
+ - set PATH=%GOPATH%\bin;%PATH%
+diff --git a/caddyhttp/internalsrv/setup.go b/caddyhttp/internalsrv/setup.go
+index 35c79d2..f70147a 100644
+--- a/caddyhttp/internalsrv/setup.go
++++ b/caddyhttp/internalsrv/setup.go
+@@ -33,7 +33,12 @@ func setup(c *caddy.Controller) error {
+ return err
+ }
+
+- httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
++ // Append Internal paths to Caddy config HiddenFiles to ensure
++ // files do not appear in Browse
++ config := httpserver.GetConfig(c)
++ config.HiddenFiles = append(config.HiddenFiles, paths...)
++
++ config.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+ return Internal{Next: next, Paths: paths}
+ })
+
+diff --git a/caddyhttp/staticfiles/fileserver.go b/caddyhttp/staticfiles/fileserver.go
+index 93a7c6d..0863ebe 100644
+--- a/caddyhttp/staticfiles/fileserver.go
++++ b/caddyhttp/staticfiles/fileserver.go
+@@ -53,7 +53,7 @@ type FileServer struct {
+
+ // ServeHTTP serves static files for r according to fs's configuration.
+ func (fs FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+- if r.Method != "GET" {
++ if r.Method != "GET" && r.Method != "HEAD" {
+ return http.StatusMethodNotAllowed, nil
+ }
+ return fs.serveFile(w, r)
+diff --git a/caddytls/config.go b/caddytls/config.go
+index 77d3795..939f3df 100644
+--- a/caddytls/config.go
++++ b/caddytls/config.go
+@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
+ config.ProtocolMinVersion = tls.VersionTLS12
+ }
+ if config.ProtocolMaxVersion == 0 {
+- config.ProtocolMaxVersion = tls.VersionTLS12
++ config.ProtocolMaxVersion = tls.VersionTLS13
+ }
+
+ // Prefer server cipher suites
+@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
+ "tls1.0": tls.VersionTLS10,
+ "tls1.1": tls.VersionTLS11,
+ "tls1.2": tls.VersionTLS12,
++ "tls1.3": tls.VersionTLS13,
+ }
+
+ // GetSupportedProtocolName returns the protocol name
+diff --git a/caddytls/selfsigned.go b/caddytls/selfsigned.go
+index 367cd73..60d5345 100644
+--- a/caddytls/selfsigned.go
++++ b/caddytls/selfsigned.go
+@@ -62,13 +62,10 @@ func newSelfSignedCertificate(ssconfig selfSignedConfig) (tls.Certificate, error
+ if len(ssconfig.SAN) == 0 {
+ ssconfig.SAN = []string{""}
+ }
+- var names []string
+ for _, san := range ssconfig.SAN {
+ if ip := net.ParseIP(san); ip != nil {
+- names = append(names, strings.ToLower(ip.String()))
+ cert.IPAddresses = append(cert.IPAddresses, ip)
+ } else {
+- names = append(names, strings.ToLower(san))
+ cert.DNSNames = append(cert.DNSNames, strings.ToLower(san))
+ }
+ }
+diff --git a/caddytls/setup.go b/caddytls/setup.go
+index 02a694b..798c743 100644
+--- a/caddytls/setup.go
++++ b/caddytls/setup.go
+@@ -34,6 +34,10 @@ import (
+ )
+
+ func init() {
++ // opt-in TLS 1.3 for Go1.12
++ // TODO: remove this line when Go1.13 is released.
++ os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
++
+ caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
+
+ // ensure the default Storage implementation is plugged in
+diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
+index e973eb2..3c5ded0 100644
+--- a/caddytls/setup_test.go
++++ b/caddytls/setup_test.go
+@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
+ if cfg.ProtocolMinVersion != tls.VersionTLS12 {
+ t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
+ }
+- if cfg.ProtocolMaxVersion != tls.VersionTLS12 {
+- t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion)
++ if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
++ t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
+ }
+
+ // Cipher checks
+diff --git a/vendor/github.com/mholt/certmagic/config.go b/vendor/github.com/mholt/certmagic/config.go
+index 77072d4..a6528da 100644
+--- a/vendor/github.com/mholt/certmagic/config.go
++++ b/vendor/github.com/mholt/certmagic/config.go
+@@ -240,6 +240,10 @@ func NewWithCache(certCache *Cache, cfg Config) *Config {
+ // prepared to serve them up during TLS handshakes.
+ func (cfg *Config) Manage(domainNames []string) error {
+ for _, domainName := range domainNames {
++ if !HostQualifies(domainName) {
++ return fmt.Errorf("name does not qualify for automatic certificate management: %s", domainName)
++ }
++
+ // if on-demand is configured, simply whitelist this name
+ if cfg.OnDemand != nil {
+ if !cfg.OnDemand.whitelistContains(domainName) {
+@@ -289,6 +293,9 @@ func (cfg *Config) Manage(domainNames []string) error {
+ // it does not load them into memory. If interactive is true,
+ // the user may be shown a prompt.
+ func (cfg *Config) ObtainCert(name string, interactive bool) error {
++ if cfg.storageHasCertResources(name) {
++ return nil
++ }
+ skip, err := cfg.preObtainOrRenewChecks(name, interactive)
+ if err != nil {
+ return err
+@@ -296,16 +303,10 @@ func (cfg *Config) ObtainCert(name string, interactive bool) error {
+ if skip {
+ return nil
+ }
+-
+- if cfg.storageHasCertResources(name) {
+- return nil
+- }
+-
+ client, err := cfg.newACMEClient(interactive)
+ if err != nil {
+ return err
+ }
+-
+ return client.Obtain(name)
+ }
+
+diff --git a/vendor/github.com/mholt/certmagic/user.go b/vendor/github.com/mholt/certmagic/user.go
+index 9055a15..e5852d5 100644
+--- a/vendor/github.com/mholt/certmagic/user.go
++++ b/vendor/github.com/mholt/certmagic/user.go
+@@ -84,10 +84,11 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ leEmail = Email
+ }
+ // Then try to get most recent user email from storage
++ var gotRecentEmail bool
+ if leEmail == "" {
+- leEmail = cfg.mostRecentUserEmail()
++ leEmail, gotRecentEmail = cfg.mostRecentUserEmail()
+ }
+- if leEmail == "" && allowPrompts {
++ if !gotRecentEmail && leEmail == "" && allowPrompts {
+ // Looks like there is no email address readily available,
+ // so we will have to ask the user if we can.
+ var err error
+@@ -95,10 +96,14 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ if err != nil {
+ return err
+ }
+- cfg.Agreed = true
+ }
+- // lower-casing the email is important for consistency
+- cfg.Email = strings.ToLower(leEmail)
++
++ // save the email for later and ensure it is consistent
++ // for repeated use; then update cfg with our new defaults
++ Email = strings.TrimSpace(strings.ToLower(leEmail))
++ cfg.Email = Email
++ cfg.Agreed = Agreed
++
+ return nil
+ }
+
+@@ -123,6 +128,11 @@ func (cfg *Config) getAgreementURL() (string, error) {
+ return dir.Meta.TermsOfService, nil
+ }
+
++// promptUserForEmail prompts the user for an email address
++// and returns the email address they entered (which could
++// be the empty string). If no error is returned, then Agreed
++// will also be set to true, since continuing through the
++// prompt signifies agreement.
+ func (cfg *Config) promptUserForEmail() (string, error) {
+ agreementURL, err := cfg.getAgreementURL()
+ if err != nil {
+@@ -139,6 +149,7 @@ func (cfg *Config) promptUserForEmail() (string, error) {
+ return "", fmt.Errorf("reading email address: %v", err)
+ }
+ leEmail = strings.TrimSpace(leEmail)
++ Agreed = true
+ return leEmail, nil
+ }
+
+@@ -234,10 +245,10 @@ func (cfg *Config) askUserAgreement(agreementURL string) bool {
+ // in s. Since this is part of a complex sequence to get a user
+ // account, errors here are discarded to simplify code flow in
+ // the caller, and errors are not important here anyway.
+-func (cfg *Config) mostRecentUserEmail() string {
++func (cfg *Config) mostRecentUserEmail() (string, bool) {
+ userList, err := cfg.certCache.storage.List(StorageKeys.UsersPrefix(cfg.CA), false)
+ if err != nil || len(userList) == 0 {
+- return ""
++ return "", false
+ }
+ sort.Slice(userList, func(i, j int) bool {
+ iInfo, _ := cfg.certCache.storage.Stat(userList[i])
+@@ -246,9 +257,9 @@ func (cfg *Config) mostRecentUserEmail() string {
+ })
+ user, err := cfg.getUser(path.Base(userList[0]))
+ if err != nil {
+- return ""
++ return "", false
+ }
+- return user.Email
++ return user.Email, true
+ }
+
+ // agreementTestURL is set during tests to skip requiring
+diff --git a/vendor/manifest b/vendor/manifest
+index 0abcba8..d00333f 100644
+--- a/vendor/manifest
++++ b/vendor/manifest
+@@ -138,7 +138,7 @@
+ "importpath": "github.com/mholt/certmagic",
+ "repository": "https://github.com/mholt/certmagic",
+ "vcs": "git",
+- "revision": "a7f18a937c080b88693cd4e14d48e42cc067b268",
++ "revision": "e3e89d1096d76d61680f8eeb8f67649baa6c54b8",
+ "branch": "master",
+ "notests": true
+ },
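Review bot: `os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")` in the caddytls `init()` mutates the whole process environment, so it is inherited by every child process caddy spawns — presumably including the CGI programs this package exists to run via caddy-cgi — and when GODEBUG is unset it yields `,tls13=1` with a leading empty field, tolerated by Go's parser but untidy. A guarded form avoids the stray comma: `if v := os.Getenv("GODEBUG"); v == "" { os.Setenv("GODEBUG", "tls13=1") } else { os.Setenv("GODEBUG", v+",tls13=1") }`. The inheritance into children cannot be avoided with Setenv short of building an explicit environment for them, so the comment above the call should say so, e.g. `// NOTE: process-wide; inherited by every child process (CGI included)`. The `os` package is not added to the import block in this hunk, so it is presumably already imported in caddytls/setup.go at 0.11.4 — worth confirming before relying on the non-gcc-go branch.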