
[TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)

initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)

Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables.  This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* variables are created, which would be more work.

x-ref:
  "pass protocol and cipher details to fcgi env"
  https://redmine.lighttpd.net/issues/2511
personal/stbuehler/mod-csrf
Glenn Strauss 5 years ago
parent
commit
b8b38f3067
  1. 4
      src/http-header-glue.c
  2. 4
      src/mod_magnet.c
  3. 31
      src/response.c
  4. 3
      src/response.h

4
src/http-header-glue.c

@ -1006,6 +1006,10 @@ int http_cgi_headers (server *srv, connection *con, http_cgi_opts *opts, http_cg
}
}
#ifdef USE_OPENSSL
if (con->ssl) http_cgi_ssl_env(srv, con);
#endif
for (n = 0; n < con->environment->used; n++) {
data_string *ds = (data_string *)con->environment->data[n];
if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
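Review bot: The `if (con->ssl)` test in front of `http_cgi_ssl_env(srv, con);` is duplicated by the `if (!con->ssl) return;` at the top of that function in src/response.c, and the same pair appears in the src/mod_magnet.c hunk. Keeping the check in one place makes it clear which side decides whether the connection is TLS: either call `http_cgi_ssl_env(srv, con);` unconditionally inside the `#ifdef`, or keep the caller test and drop the early return. A short comment such as `/* SSL_* must be in con->environment before the loop below reads it */` would record why the call has to come before the loop, which appears to pass the environment entries on to the backend. http_cgi_headers starts and ends outside this hunk.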

4
src/mod_magnet.c

@ -1031,6 +1031,10 @@ static handler_t magnet_attract_array(server *srv, connection *con, plugin_data
/* no filename set */
if (files->used == 0) return HANDLER_GO_ON;
#ifdef USE_OPENSSL
if (con->ssl) http_cgi_ssl_env(srv, con);
#endif
/**
* execute all files and jump out on the first !HANDLER_GO_ON
*/

31
src/response.c

@ -220,6 +220,37 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {
}
X509_free(xs);
}
void http_cgi_ssl_env(server *srv, connection *con) {
const char *s;
const SSL_CIPHER *cipher;
UNUSED(srv);
if (!con->ssl) return;
s = SSL_get_version(con->ssl);
array_set_key_value(con->environment,
CONST_STR_LEN("SSL_PROTOCOL"),
s, strlen(s));
if ((cipher = SSL_get_current_cipher(con->ssl))) {
int usekeysize, algkeysize;
char buf[LI_ITOSTRING_LENGTH];
s = SSL_CIPHER_get_name(cipher);
array_set_key_value(con->environment,
CONST_STR_LEN("SSL_CIPHER"),
s, strlen(s));
usekeysize = SSL_CIPHER_get_bits(cipher, &algkeysize);
li_itostrn(buf, sizeof(buf), usekeysize);
array_set_key_value(con->environment,
CONST_STR_LEN("SSL_CIPHER_USEKEYSIZE"),
buf, strlen(buf));
li_itostrn(buf, sizeof(buf), algkeysize);
array_set_key_value(con->environment,
CONST_STR_LEN("SSL_CIPHER_ALGKEYSIZE"),
buf, strlen(buf));
}
}
#endif
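Review bot: http_cgi_ssl_env has no comment saying which variables it sets or what the two key sizes mean, and a backend that enforces a minimum cipher strength needs that distinction. Per SSL_CIPHER_get_bits, the return value stored in SSL_CIPHER_USEKEYSIZE is the number of secret bits and `algkeysize` is the number of bits the algorithm processes, so I would add above the function `/* set SSL_PROTOCOL, SSL_CIPHER, SSL_CIPHER_USEKEYSIZE (secret bits), SSL_CIPHER_ALGKEYSIZE (algorithm bits) in con->environment; no-op when con->ssl is NULL */`. The comment should also say that the three SSL_CIPHER* entries are skipped when SSL_get_current_cipher() returns NULL, so a consumer treats a missing variable as "not negotiated" rather than assuming a default. The enclosing `#ifdef USE_OPENSSL` opens outside this hunk.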

3
src/response.h

@ -22,6 +22,9 @@ typedef struct http_cgi_opts_t {
typedef int (*http_cgi_header_append_cb)(void *vdata, const char *k, size_t klen, const char *v, size_t vlen);
int http_cgi_headers(server *srv, connection *con, http_cgi_opts *opts, http_cgi_header_append_cb cb, void *vdata);
#ifdef USE_OPENSSL
void http_cgi_ssl_env(server *srv, connection *con);
#endif
handler_t http_response_prepare(server *srv, connection *con);
int http_response_redirect_to_directory(server *srv, connection *con);
