[TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)

initialized for mod_magnet and dynamic CGI-like handlers (mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy) Note: in the future a config flag (does not yet exist) might be required to activate initialization of these SSL_* env variables. This might occur if there are requests to access these variables in mod_accesslog, and/or if more SSL_* varables are created, which would be more work. x-ref: "pass protocol and cipher details to fcgi env" https://redmine.lighttpd.net/issues/2511
5 years ago · b8b38f3067
4 changed files with 42 additions and 0 deletions
--- a/src/http-header-glue.c
+++ b/src/http-header-glue.c
@ -1006,6 +1006,10 @@ int http_cgi_headers (server *srv, connection *con, http_cgi_opts *opts, http_cg
        }
    }

+  #ifdef USE_OPENSSL
+    if (con->ssl) http_cgi_ssl_env(srv, con);
+  #endif
+
    for (n = 0; n < con->environment->used; n++) {
        data_string *ds = (data_string *)con->environment->data[n];
        if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
--- a/src/mod_magnet.c
+++ b/src/mod_magnet.c
@ -1031,6 +1031,10 @@ static handler_t magnet_attract_array(server *srv, connection *con, plugin_data
 	/* no filename set */
 	if (files->used == 0) return HANDLER_GO_ON;

+      #ifdef USE_OPENSSL
+	if (con->ssl) http_cgi_ssl_env(srv, con);
+      #endif
+
 	/**
 	 * execute all files and jump out on the first !HANDLER_GO_ON
 	 */
--- a/src/response.c
+++ b/src/response.c
@ -220,6 +220,37 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {
 	}
 	X509_free(xs);
 }
+
+void http_cgi_ssl_env(server *srv, connection *con) {
+    const char *s;
+    const SSL_CIPHER *cipher;
+    UNUSED(srv);
+
+    if (!con->ssl) return;
+
+    s = SSL_get_version(con->ssl);
+    array_set_key_value(con->environment,
+                        CONST_STR_LEN("SSL_PROTOCOL"),
+                        s, strlen(s));
+
+    if ((cipher = SSL_get_current_cipher(con->ssl))) {
+        int usekeysize, algkeysize;
+        char buf[LI_ITOSTRING_LENGTH];
+        s = SSL_CIPHER_get_name(cipher);
+        array_set_key_value(con->environment,
+                            CONST_STR_LEN("SSL_CIPHER"),
+                            s, strlen(s));
+        usekeysize = SSL_CIPHER_get_bits(cipher, &algkeysize);
+        li_itostrn(buf, sizeof(buf), usekeysize);
+        array_set_key_value(con->environment,
+                            CONST_STR_LEN("SSL_CIPHER_USEKEYSIZE"),
+                            buf, strlen(buf));
+        li_itostrn(buf, sizeof(buf), algkeysize);
+        array_set_key_value(con->environment,
+                            CONST_STR_LEN("SSL_CIPHER_ALGKEYSIZE"),
+                            buf, strlen(buf));
+    }
+}
 #endif


--- a/src/response.h
+++ b/src/response.h
@ -22,6 +22,9 @@ typedef struct http_cgi_opts_t {

 typedef int (*http_cgi_header_append_cb)(void *vdata, const char *k, size_t klen, const char *v, size_t vlen);
 int http_cgi_headers(server *srv, connection *con, http_cgi_opts *opts, http_cgi_header_append_cb cb, void *vdata);
+#ifdef USE_OPENSSL
+void http_cgi_ssl_env(server *srv, connection *con);
+#endif

 handler_t http_response_prepare(server *srv, connection *con);
 int http_response_redirect_to_directory(server *srv, connection *con);