troglobit · romanbsd · Feb 8, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,13 @@
-FROM alpine:3.6
+FROM alpine:3.21
 
 # Build depends
 RUN apk add --no-cache gcc musl-dev make automake autoconf zlib-dev
+# For OpenSSL and libconfuse support:
+# RUN apk add --no-cache openssl-dev confuse-dev
 
 # Install from GIT
-WORKDIR .
 ADD . /merecat
-RUN cd merecat/; ./build.sh; make install-strip; cd ..; rm -rf merecat
+RUN cd merecat && ./build.sh && make install-strip && cd .. && rm -rf merecat
 
 # Alternatively, install from released tarball
 #RUN wget https://ftp.troglobit.com/merecat/merecat-2.32.tar.xz;	\
@@ -16,9 +17,9 @@ RUN cd merecat/; ./build.sh; make install-strip; cd ..; rm -rf merecat
 #    make install-strip
 
 # Clean up container
-# m4 perl binutils binutils-libs bmp isl libgomp libatomic pkgconf 
+# m4 perl binutils binutils-libs bmp isl libgomp libatomic pkgconf
 RUN apk del --purge gcc musl-dev make automake autoconf zlib-dev
 
 EXPOSE 80
 VOLUME /var/www
-ENTRYPOINT merecat -p 80 -n /var/www
+ENTRYPOINT ["/usr/sbin/merecat", "-p", "80", "-n", "/var/www"]
diff --git a/build.sh b/build.sh
@@ -1,9 +1,7 @@
-if [ ! -x configure ]; then
-    ./autogen.sh
-fi
-
+#!/bin/sh
+./autogen.sh
 ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --enable-builtin-icons \
 	    --without-config --without-ssl --without-symlinks --enable-htaccess --enable-htpasswd
 
-make -j5 clean
+make clean
 make -j5
diff --git a/configure.ac b/configure.ac
@@ -1,9 +1,19 @@
-AC_PREREQ([2.68])
-AC_INIT([Merecat httpd], [2.32-rc4], [https://github.com/troglobit/merecat/issues], [merecat])
+AC_PREREQ([2.72])
+AC_INIT([Merecat httpd],[2.32-rc4],[https://github.com/troglobit/merecat/issues],[merecat])
 AC_CONFIG_AUX_DIR(aux)
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AM_SILENT_RULES([yes])
 
+AC_CANONICAL_HOST
+
+case "$host_os" in
+  darwin*|macos*)
+    CFLAGS="$CFLAGS -D_DARWIN_C_SOURCE"
+    AC_DEFINE([_DARWIN_C_SOURCE], [1],
+              [Define to enable Darwin-specific extensions (e.g. utimensat)])
+    ;;
+esac
+
 AC_CONFIG_SRCDIR([src/libhttpd.c])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_FILES([Makefile
@@ -34,9 +44,8 @@ AC_CHECK_LIB(rt, clock_gettime)
 AC_CHECK_LIB(resolv, hstrerror)
 
 # Checks for header files.
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h grp.h memory.h netdb.h netinet/in.h osreldate.h paths.h poll.h stddef.h stdlib.h string.h termios.h sys/devpoll.h sys/event.h sys/param.h sys/poll.h sys/socket.h sys/time.h syslog.h unistd.h])
+AC_CHECK_HEADERS_ONCE([arpa/inet.h fcntl.h grp.h memory.h netdb.h netinet/in.h osreldate.h paths.h poll.h stddef.h stdlib.h string.h termios.h sys/devpoll.h sys/event.h sys/param.h sys/poll.h sys/socket.h sys/time.h syslog.h unistd.h])
 AC_CHECK_HEADER_STDBOOL
-AC_HEADER_TIME
 AC_HEADER_DIRENT
 
 AC_C_INLINE
@@ -138,7 +147,7 @@ AM_CONDITIONAL([HAVE_CONFUSE], [test "x$with_config" != "xno"])
 AM_CONDITIONAL([CREATE_SYMLINKS], [test "x$with_symlinks" != "xno"])
 
 AS_IF([test "x$with_ssl" != "xno"], [
-	PKG_CHECK_MODULES([OpenSSL], [openssl >= 1.1.1])
+	PKG_CHECK_MODULES([OpenSSL], [openssl >= 3.0.0])
 	LDFLAGS="$LDFLAGS $OpenSSL_LIBS"
 	CPPFLAGS="$CPPFLAGS $OpenSSL_CFLAGS"
 	AC_CHECK_LIB([crypto], [EVP_EncryptInit], [],

diff --git a/lib/tempfile.c b/lib/tempfile.c
@@ -19,18 +19,23 @@
 #include <paths.h>
 #include <fcntl.h>		/* O_TMPFILE requires -D_GNU_SOURCE */
 #include <stdio.h>		/* fdopen() */
-#include <stdlib.h>		/* mkostemp() */
+#include <stdlib.h>		/* mkstemp() */
+#include <unistd.h>   /* mkstemp() */
 #include <sys/stat.h>		/* umask() */
 
 static FILE *fallback(void)
 {
 	char nm[15] = _PATH_TMP "XXXXXXXX";
 	int fd;
 
-	fd = mkostemp(nm, O_CLOEXEC);
+	fd = mkstemp(nm);
 	if (-1 == fd)
 		return NULL;
 
+	if (-1 == fcntl(fd, F_SETFD, FD_CLOEXEC)) {
+		close(fd);
+		return NULL;
+	}
 	return fdopen(fd, "w+");
 }
 

diff --git a/merecat.conf b/merecat.conf
@@ -131,8 +131,9 @@
 #}
 #server secure {
 #    port = 443
-#    ssl = on
-#    certfile = /etc/letsencrypt/live/example.com/fullchain.pem
-#    keyfile = /etc/letsencrypt/live/example.com/privkey.pem
-#    dhfile = certs/dhparam.pem
+#    ssl {
+#      certfile = /etc/letsencrypt/live/example.com/fullchain.pem
+#      keyfile = /etc/letsencrypt/live/example.com/privkey.pem
+#      dhfile = certs/dhparam.pem
+#    }
 #}
diff --git a/src/conf.h b/src/conf.h
@@ -87,7 +87,7 @@ static inline int conf_srv(struct srv *arr, size_t len)
 	arr[0].port = port;
 	arr[0].ssl  = 0;
 	arr[0].host = hostname;
-	arr[0].path = data_dir;
+	arr[0].path = path;
 
 	return 1;
 }

diff --git a/src/fdwatch.c b/src/fdwatch.c
@@ -176,7 +176,11 @@ int fdwatch_get_nfiles(void)
 #endif
 
 	/* Figure out how many fd's we can have. */
-	nfiles = getdtablesize();
+	nfiles = sysconf(_SC_OPEN_MAX);
+	if (nfiles == -1) {
+		/* Fallback if sysconf fails */
+		nfiles = 1024;
+	}
 #ifdef RLIMIT_NOFILE
 	/* If we have getrlimit(), use that, and attempt to raise the limit. */
 	if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
@@ -436,7 +440,7 @@ static int kqueue_check_fd(int fd)
 	if (ridx >= nreturned)
 		return 0;
 
-	if (kqrevents[ridx].ident != fd)
+	if ((int)kqrevents[ridx].ident != fd)
 		return 0;
 
 	if (kqrevents[ridx].flags & EV_ERROR)

diff --git a/src/libhttpd.c b/src/libhttpd.c
@@ -3170,13 +3170,10 @@ static struct mime_entry typ_tab[] = {
 
 static const int n_typ_tab = sizeof(typ_tab) / sizeof(*typ_tab);
 
-
-/* qsort comparison routine - declared old-style on purpose, for portability. */
-static int ext_compare(a, b)
-struct mime_entry *a;
-struct mime_entry *b;
+/* qsort comparison routine */
+static int ext_compare(const void *a, const void *b)
 {
-	return strcmp(a->ext, b->ext);
+	return strcmp(((struct mime_entry *)a)->ext, ((struct mime_entry *)b)->ext);
 }
 
 static int mime_bsearch(struct http_conn *hc, char *ext, size_t ext_len)
@@ -3380,12 +3377,10 @@ static int is_reserved_htfile(const char *fn)
 	return 0;
 }
 
-/* qsort comparison routine - declared old-style on purpose, for portability. */
-static int name_compare(a, b)
-char **a;
-char **b;
+/* qsort comparison routine */
+static int name_compare(const void *a, const void *b)
 {
-	return strcmp(*a, *b);
+	return strcmp(*(char **)a, *(char **)b);
 }
 
 static int child_ls_read_names(struct http_conn *hc, DIR *dirp, FILE *fp, int onlydir)

diff --git a/src/mmc.c b/src/mmc.c
@@ -36,16 +36,10 @@
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
-#ifdef TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# ifdef HAVE_SYS_TIME_H
-#  include <sys/time.h>
-# else
-#  include <time.h>
-# endif
+#ifdef HAVE_SYS_TIME_H
+ #include <sys/time.h>
 #endif
+#include <time.h>
 #include <sys/mman.h>
 
 #include "file.h"

diff --git a/src/ssl.c b/src/ssl.c
@@ -33,6 +33,9 @@
 #include <sys/uio.h>
 #include <unistd.h>
 
+#include <openssl/bio.h>
+#include <openssl/decoder.h>
+#include <openssl/dh.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
@@ -155,6 +158,34 @@ static void dump_supported_ciphers(SSL_CTX *ctx)
 	free(buf);
 }
 
+const DH *load_dh_params(FILE *fp)
+{
+    EVP_PKEY *pkey = NULL;
+    BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE);
+    if (bio == NULL) {
+        syslog(LOG_ERR, "BIO_new_fp failed");
+        return NULL;
+    }
+
+    pkey = PEM_read_bio_Parameters(bio, NULL);
+    if (pkey == NULL) {
+        syslog(LOG_ERR, "PEM_read_bio_Parameters failed");
+        BIO_free(bio);
+        return NULL;
+    }
+    BIO_free(bio);
+
+    /* Extract the DH parameters from the EVP_PKEY.
+     * (Note: EVP_PKEY_get0_DH is deprecated in OpenSSL 3 but still available for now.)
+     */
+    const DH *dh = EVP_PKEY_get0_DH(pkey);
+    if (dh == NULL) {
+        syslog(LOG_ERR, "EVP_PKEY_get0_DH failed");
+    }
+    EVP_PKEY_free(pkey);
+    return dh;
+}
+
 void *httpd_ssl_init(char *cert, char *key, char *dhparm, char *proto, char *ciphers)
 {
 	SSL_CTX *ctx;
@@ -224,7 +255,6 @@ void *httpd_ssl_init(char *cert, char *key, char *dhparm, char *proto, char *cip
 
 	if (dhparm) {
 		FILE *fp;
-		DH *dh = NULL;
 
 		fp = fopen(dhparm, "r");
 		if (!fp) {
@@ -233,7 +263,7 @@ void *httpd_ssl_init(char *cert, char *key, char *dhparm, char *proto, char *cip
 			return ctx;
 		}
 
-		dh = PEM_read_DHparams(fp, NULL, NULL, NULL);
+		const DH *dh = load_dh_params(fp);
 		fclose(fp);
 		if (!dh || SSL_CTX_set_tmp_dh(ctx, dh) != 1)
 			httpd_ssl_log_errors();

diff --git a/src/tdate_parse.c b/src/tdate_parse.c
@@ -58,9 +58,7 @@ static void pound_case(char *str)
 	}
 }
 
-static int strlong_compare(v1, v2)
-char *v1;
-char *v2;
+static int strlong_compare(const void *v1, const void *v2)
 {
 	return strcmp(((struct strlong *)v1)->s, ((struct strlong *)v2)->s);
 }