Commit Graph

3568 Commits

Author SHA1 Message Date
Glenn Strauss 441c95c697 [multiple] consistent order for crypto lib select 2020-10-29 16:39:56 -04:00
Glenn Strauss e726a41a74 [core] adjust wolfssl workaround for another case
adjust wolfssl types.h workaround for another edge case
2020-10-29 05:45:18 -04:00
Glenn Strauss 78b13b610c [core] move misplaced error trace to match option
(thx grohne)
2020-10-29 05:34:43 -04:00
Glenn Strauss e9590277ca [core] workaround fragile code in wolfssl types.h
workaround fragile code in wolfssl/wolfcrypto/types.h

Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit platform generates lighttpd config.h containing
define of SIZEOF_LONG, but not SIZEOF_LONG_LONG, and the wolfssl types.h
flubs and fails to choose an enum value used by a macro that is unused
by most consumers of the wolfssl header.
2020-10-29 05:06:24 -04:00
Glenn Strauss 31fc3a0773 [TLS] server.feature-flags "ssl.session-cache"
disabled by default, but can be enabled
(session tickets should be preferred)

applies to mod_openssl, mod_wolfssl, mod_nss

session cache is not currently implemented in mod_mbedtls or mod_gnutls
2020-10-29 01:05:55 -04:00
Glenn Strauss 1d27391c29 [mod_mbedtls] wrap addtl code in preproc defines
wrap additional code in preprocessor defines to check if enabled in lib
2020-10-28 22:58:47 -04:00
Glenn Strauss 3353ff2024 [build] adjust for use by OpenWRT 2020-10-28 22:58:47 -04:00
Glenn Strauss babfb43873 [build] WITHOUT_LIB_CRYPTO option in code
(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)

If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.

As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browers (besides Opera)
2020-10-27 16:47:33 -04:00
Glenn Strauss 31a7f0d43c [build] detect nss3/nss.h or nss/nss.h for NSS 2020-10-27 16:40:08 -04:00
Glenn Strauss 75c29505be [build] CMake use pkg_check_modules() w/ wolfssl 2020-10-27 13:01:01 -04:00
Glenn Strauss 07f40eaf9a [build] CMake mod_openssl, mod_wolfssl can coexist 2020-10-27 12:37:48 -04:00
Glenn Strauss e130124892 [build] add --with-brotli to 2020-10-27 12:32:10 -04:00
Glenn Strauss db7252ec13 [build] fix lib paths for GnuTLS, NSS
(thx dirk)
2020-10-27 03:47:35 -04:00
Glenn Strauss 1f1b3bcc55 [mod_secdownload] fix compile w/ NSS on FreeBSD
(thx dirk)

nss/alghmac.h might not exist
2020-10-26 22:24:24 -04:00
Glenn Strauss 988fa8ecfa [mod_wolfssl] need to build --enable-alpn for ALPN
need to build wolfSSL library with --enable-alpn for ALPN
even if already building wolfSSL library with --enable-openssall

ALPN is required by the HTTP/2 specification
2020-10-26 22:21:16 -04:00
Glenn Strauss 17d8d9c919 [mod_wolfssl] cripple SNI if not built OPENSSL_ALL
crippled functionality if wolfssl library not built --enable-opensslall
* SNI not handled since SNI callbacks are disabled in wolfSSL library
  unless the wolfSSL library is built with --enable-openssall

  This means that there is only one certificate per listening socket --
  no certificate selection based on server name indication (SNI)
  and is additionally a violation of the HTTP/2 specification,
  which requires SNI.

slightly reduced functionality if wolfssl not built --enable-opensslall
* disable client certificate verification (error out if in lighttpd.conf)
2020-10-26 22:12:39 -04:00
Glenn Strauss 1221bd6e40 [mod_wolfssl] use more wolfssl/options.h defines 2020-10-26 20:26:24 -04:00
Glenn Strauss 8f31ed7fe1 [build] use pkg-config with wolfssl 2020-10-26 16:09:21 -04:00
Glenn Strauss a1f6d1322a [build] mark dependencies on crypto lib for MD5()
(lighttpd base executable depends on crypto lib for rand functionality,
 so the crypto library was already being loaded -- no missing symbols)
2020-10-26 13:53:07 -04:00
Glenn Strauss 2576b2c3d0 [tests] OpenBSD crypt() support limited to bcrypt
OpenBSD crypt() does not support (insecure) crypt-des or crypt-md5
2020-10-26 11:45:48 -04:00
Glenn Strauss 1fad70f4f7 [core] STAILQ_* -> SIMPLEQ_* on OpenBSD
(thx brad)
2020-10-26 11:29:40 -04:00
Glenn Strauss 008533e355 [doc] NEWS 2020-10-25 15:47:31 -04:00
Glenn Strauss 48384c7e2f [core] fix (startup) mem leaks in configparser.y
(thx stbuehler)
2020-10-24 17:06:50 -04:00
Glenn Strauss 949662d27e [multiple] add some missing config cleanup
(thx stbuehler)
2020-10-24 16:08:21 -04:00
Glenn Strauss 55fb46f695 [mod_accesslog] update defaults after cycling log
(thx avij)

must update the cached copy of global scope config after cycling log.
Although (accesslog_st *) is modified in-place, the log_access_fd member
of (accesslog_st *) is copied into the cache and must be updated after
cycling logs in the global scope.
2020-10-24 14:38:47 -04:00
Glenn Strauss 61f7d531eb [mod_mbedtls] newer mbedTLS vers support TLSv1.3 2020-10-24 02:03:05 -04:00
Glenn Strauss 0a2aab88d2 [core] silence coverity warnings (another try) 2020-10-23 23:14:06 -04:00
Glenn Strauss ad62991a5b [mod_webdav] define _NETBSD_SOURCE on NetBSD
NetBSD dirent.h improperly hides fdopendir() (POSIX.1-2008) declaration
which should be visible w/ _XOPEN_SOURCE 700 or _POSIX_C_SOURCE 200809L
2020-10-23 21:29:43 -04:00
Glenn Strauss 7adc66259e [build] more portable shell script
Use more portable shell function definition, better supported by /bin/sh

Some /bin/sh, e.g. dash, do not support trap on ERR,
so that will issue some trace and will not trigger on ERR,
but the rest of the script runs fine.
2020-10-23 21:27:32 -04:00
Glenn Strauss f65b054887 [mod_nss] more nss includes fixes 2020-10-22 01:34:25 -04:00
Glenn Strauss 033209393e [multiple] test for nss includes
some distro packages deploy NSS includes under nss/, others nss3/
(and similar for nspr/ vs nspr4/)
2020-10-22 00:48:40 -04:00
Glenn Strauss fef1a94509 [doc] /var/run -> /run 2020-10-22 00:24:22 -04:00
Glenn Strauss 0158c7f0fd [build] remove svnversion from versionstamp rule 2020-10-21 20:56:18 -04:00
Glenn Strauss 8dae5bd405 [doc] replace bzip2 refs with brotli 2020-10-21 19:22:58 -04:00
Glenn Strauss dab212b5f5 [doc] change mod_compress refs to mod_deflate 2020-10-21 19:14:55 -04:00
Glenn Strauss 23fdff645a [core] init NSS lib for basic crypto algorithms
basic algorithms fail if NSS library has not been init'd (WTH)

lighttpd defers initialization of rand and crypto until first use
to attempt to avoid long, blocking init at startup while waiting
for sufficient system entropy to become available
2020-10-21 18:18:40 -04:00
Glenn Strauss 9868d3b348 [core] add missing declaration for NSS rand
(bug on master branch; never released)
2020-10-21 17:05:24 -04:00
Glenn Strauss 2209c0cf6e [core] use inline funcs in sys-crypto-md.h
use inline funcs in sys-crypto-md.h for consistency
and to avoid compiler warnings when result is ignored
2020-10-21 00:57:24 -04:00
Glenn Strauss f98dff9bc3 [mod_mbedtls] quiet unused variable warning 2020-10-20 23:16:00 -04:00
Glenn Strauss 8f7019adf0 [core] fix fd sharing when splitting file chunk
(bug on master branch; never released)

fix fd sharing in chunkqueue_steal_partial_file_chunk()
2020-10-20 16:53:51 -04:00
Glenn Strauss 0f82722f5f [core] silence coverity warnings (another try) 2020-10-20 16:22:38 -04:00
Glenn Strauss fb7e5a7832 [core] silence coverity warnings in ls-hpack
The code originates from
and is explicitly documented as not needing to be initialized.

2020-10-20 16:04:48 -04:00
Glenn Strauss af04e0b0e1 [core] silence coverity warnings (false positives) 2020-10-20 15:29:25 -04:00
Glenn Strauss 1b74c50854 [core] always lseek() with shared fd
always lseek() with shared fd; remove optim to skip with offset = 0
2020-10-20 11:51:48 -04:00
Glenn Strauss 019c513819 [multiple] use http_chunk_append_file_ref()
use http_chunk_append_file_ref() and http_chunk_append_file_ref_range()

reduce resource usage (number of fds open) by reference counting open
fds to files served, and sharing the fd among FILE_CHUNKs in responses
2020-10-20 11:51:48 -04:00
Glenn Strauss 9078cc4ce8 [core] http_chunk_append_file_ref_range()
http_chunk_append_file_ref() and http_chunk_append_file_ref_range()
to take stat_cache_entry ref and append FILE_CHUNK
2020-10-20 11:51:48 -04:00
Glenn Strauss 6be2bd35a1 [core] FILE_CHUNK can hold stat_cache_entry ref 2020-10-20 11:51:48 -04:00
Glenn Strauss 7f8ab9dd29 [core] stat_cache_entry reference counting
future: should probably create fd cache separate from stat_cache,
        perhaps along w/ http-specific fields like etag and content_type
        and maybe even mmap
2020-10-20 11:51:48 -04:00
Glenn Strauss e057c5413b [mod_deflate] use large mmap chunks to compress
use large chunks since server blocks while compressing, anyway
(mod_deflate is not recommended for large files)
2020-10-20 11:51:47 -04:00
Glenn Strauss fc6612d7c7 [core] minimize pause during graceful restart
minimize pause during graceful restart for server.max-worker = 0 case

The previous generation continues to accept new connections until the
restarted parent signals that the restarted server is ready to accept
new connections, and so the previous server should gracefully shutdown.

This does not apply in the case of multiple workers.

When there are multiple workers, they receive SIGINT to gracefully shut
down and stop accepting new connections.  While the listen sockets are
kept open (and not closed and reopened), there is a small pause while
the parent process restarts before it begins accepting new connections
from the listen backlog.

Note: there is a window during restart during which lighttpd may exit
if it receives certain signals before it sets up signal handlers.
future: might block signals (sigprocmask()) during restart, but if that
is done, then care must be taken to unblock signals in restarted server
as soon as signal handlers are set up and before any other children are
created, e.g. by modules, or else signals must be explicitly unblocked
in children.  Also, during command line and config file processing,
signals would be blocked, too, which might not be ideal.
2020-10-19 21:40:14 -04:00