Commit Graph

3781 Commits

Author SHA1 Message Date
Glenn Strauss 4a600dabd5 [mod_auth] close HTTP/2 connection after bad pass
mitigation slows down brute force password attacks

  "Possible feature: authentication brute force hardening"
2021-02-06 08:29:41 -05:00
Glenn Strauss dc4ff14c1f [tests] remove stray option in test lighttpd.conf 2021-02-05 19:40:22 -05:00
Glenn Strauss 2403cc4f09 [mod_gnutls,mod_mbedtls] recog common cipherstring
recognize and translate a common recommended cipherstring

 without CBC ciphers reported as weak by SSLLabs)
2021-02-05 02:26:20 -05:00
Glenn Strauss 1ca25d4e2c [core] 101 upgrade fails if Content-Length incl (fixes #3063)
(thx daimh)

commit 903024d7 in lighttpd 1.4.57 fixed issue #3046 but in the process
broke HTTP/1.1 101 Switching Protocols which included Content-Length: 0
in the response headers.  Content-Length response header is permitted
by the RFCs, but not necessary with HTTP status 101 Switching Protocols.

  "websocket proxy fails if 101 Switching Protocols from backend includes Content-Length"
2021-02-04 00:22:12 -05:00
Glenn Strauss 5e8567f820 [mod_magnet] do not call luaL_error outside pcall (#3065)
(thx axe34)

do not call luaL_error() outside lua_pcall()

In magnet_attach_content(), call log_error() to report error,
not luaL_error(), and set flag to exit loop to allow the proper
number of entries to be popped off the lua stack.

  "Segmentation Fault due to Empty String on Mod Magnet"
2021-02-03 14:34:06 -05:00
Glenn Strauss 5c386efe8f [mod_magnet] avoid infinite loop in atpanic (fixes #3065)
(thx axe34)

Be more careful inside the atpanic handler to avoid an infinite loop
that repeats the call to the atpanic handler

  "Segmentation Fault due to Empty String on Mod Magnet"
2021-02-03 14:29:54 -05:00
Glenn Strauss e56e387196 [mod_magnet] reject stat() of empty string (fixes #3064)
(thx axe34)

Anyone running lua code inside the lighttpd server has control over
the lighttpd server, so this commit does not protect against
malicious behavior, but instead this commit more gracefully handles
a lua programmer mistake of attempting to stat() an empty string.

  "Server Aborted due to Malicious Data sent to lighty.stat"
2021-02-03 14:26:13 -05:00
Glenn Strauss a737572aa4 [meson] add with_zstd to meson_options.txt 2021-02-03 00:36:34 -05:00
Glenn Strauss 5921b2f411 - next is 1.4.60 2021-02-02 08:44:04 -05:00
Glenn Strauss 529cf9547e [doc] NEWS 2021-02-02 08:06:02 -05:00
Glenn Strauss ba290f181f [core] quiet coverity warning
add arbitrary limit of 4096 fds to accept via systemd socket activation
(through environment variables)
2021-02-02 01:07:37 -05:00
Glenn Strauss b0439d8fa8 [mod_mbedtls] remove redundant condition check
(identified by coverity)
2021-02-02 01:06:58 -05:00
Glenn Strauss 2a557809d9 [core] re-validate h2 CONTINUATION frame len in cq
(identified by coverity)
2021-02-02 01:04:39 -05:00
Glenn Strauss 3edeb6b432 [mod_mbedtls] restore ALPN chk after client hello
(removed two commits ago)

must check selected ALPN after client hello has completed
for case where hctx->conf.ssl_acme_tls_1 is not enabled
or else ALPN "h2" will not be detected
2021-02-01 08:18:08 -05:00
Glenn Strauss 649829f906 [mod_cgi] fix assert if empty X-Sendfile path (fixes #3062)
(thx axe34)

Please note that this would not have crashed "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile.  If users are untrusted, "x-sendfile" should not be
enable without also configuring "x-sendfile-docroot"

  "Server Aborted due to Malicious Data sent through CGI Sendfile"
2021-02-01 04:11:38 -05:00
Glenn Strauss b80d287df7 [mod_mbedtls] fix acme-tls/1 challenge bootstrap
mbedtls does not provide a callback for ALPN and expects certificate to
be set in SNI callback (if set), while still in MBEDTLS_SSL_CLIENT_HELLO
state.  Waiting until after MBEDTLS_SSL_CLIENT_HELLO would be fine for
using ALPN for "h2", but is too late to set acme-tls/1 challenge cert.
Therefore, parse client hello for ALPN prior to initiating mbedtls
processing of handshake.
2021-02-01 03:08:48 -05:00
Glenn Strauss 889d53aea4 [mod_mbedtls] fix acme-tls/1 challenge bootstrap
handle id-pe-acmeIdentifier OID in custom callback
(requires mbedtls 2.23.0 or later)
2021-02-01 03:06:52 -05:00
Glenn Strauss 86a6c9ca35 [mod_wolfssl] copy stapling buf for OCSP resp 2021-02-01 03:00:54 -05:00
Glenn Strauss e37b962c31 [mod_nss] fix acme-tls/1 challenge bootstrap
ALPN requires SNI, but ALPN hook appears to be called before SNI hook in
NSS, so set flag in ALPN hook, and handle acme-tls/1 ALPN in SNI hook
2021-02-01 03:00:54 -05:00
Glenn Strauss 0936fe6905 [mod_gnutls] fix acme-tls/1 challenge bootstrap
parse ALPN in GNUTLS_HOOK_PRE via gnutls_ext_raw_parse()

(does not appear to work when checking in GNUTLS_HOOK_POST)
2021-02-01 03:00:51 -05:00
Glenn Strauss 2d78182546 [TLS] set r->uri.authority empty str upon accept()
ensure not NULL for error messages
2021-01-30 22:17:40 -05:00
Glenn Strauss 77209c7a26 [mod_openssl] fix acme-tls/1 challenge bootstrap
do not send multiple certs in server hello
2021-01-30 22:17:40 -05:00
Glenn Strauss 18fc244a8e [TLS] fix invalid cfg warning 2021-01-30 22:17:40 -05:00
Glenn Strauss 8d4f785f69 [mod_wolfssl] wolfSSL might repeat SNI_Callback()
wolfSSL might call SNI_Callback() multiple times,
so detect and short-circuit if already called for connection
2021-01-30 22:17:40 -05:00
Glenn Strauss f885498b46 [build] fix typo in SConstruct (fixes #3061)
(thx eryretqwewrqr)

  "NameError ins SConstruct"
2021-01-29 16:21:51 -05:00
Glenn Strauss 1098de533a [mod_gnutls,mod_mbedtls] recog common cipherstring
recognize and translate a common recommended cipherstring

 without CBC ciphers reported as weak by SSLLabs)
2021-01-29 13:11:19 -05:00
Glenn Strauss b03b86f47b [core] fix merging large headers across mult reads (fixes #3059)
(thx mitd)

  "Connections stuck in Close_Wait causing 100% cpu usage"
2021-01-29 03:10:22 -05:00
Glenn Strauss cf3e301272 [core] tighten struct data_config and related code
tighten struct data_config and config_cond_info
create config key at startup and reuse for debug/trace
separate routine for configparser_parse_condition()
separate routine for configparser_parse_else_condition()
2021-01-29 03:10:22 -05:00
Glenn Strauss 0045b9aa1a [core] const data_unset *array_get_element_klen()
return (const data_unset *) from array_get_element_klen();
use array_get_data_unset() for non-const (note: marked attribute cold)
2021-01-29 03:10:22 -05:00
Glenn Strauss db73879bf0 [mod_ajp13] AJPv13 Tomcat connector for lighttpd

AJPv13 protocol reference:
2021-01-29 03:10:22 -05:00
Glenn Strauss d9b956b938 [core] enable HTTP/2 by default
HTTP/2 via TLS ALPN extension  (TLS)
HTTP/2 via Upgrade: h2c        (cleartext)
HTTP/2 via Prior Knowledge     (cleartext)

To disable HTTP/2:
  server.feature-flags += ("server.h2proto" => "disable")
To disable upgrade to HTTP/2 over cleartext HTTP:
  server.feature-flags += ("server.h2c"     => "disable")
2021-01-29 03:10:22 -05:00
Glenn Strauss 5ccebbf04e [multiple] quiet some clang-analyzer warnings 2021-01-29 03:10:21 -05:00
Glenn Strauss 33e400b429 [multiple] avoid duplicate parsing in trigger func (#3056)
  "OCSP Stapling reload seems not to work"
2021-01-29 03:10:21 -05:00
Glenn Strauss 81e4f4c4a7 [TLS] detect expired stapling file at startup (fixes #3056)
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)

  "OCSP Stapling reload seems not to work"
2021-01-29 03:10:11 -05:00
Glenn Strauss 3a2ddc6cf8 [core] skip interest in POLLRDHUP after POLLRDHUP (#3059)
  "Connections stuck in Close_Wait causing 100% cpu usage"
2021-01-20 00:46:41 -05:00
Glenn Strauss 471ab4dd5b [core] fix 100% CPU spin if traffic limit hit
(thx Dirk) (reported on FreeBSD)

HTTP/1.1 requests might end up spinning if traffic limits are configured
2021-01-19 12:02:12 -05:00
Glenn Strauss fcbfc08352 [core] check more carefully after SSL_WANT_WRITE
con->is_readable and con->is_writable might be set to -1 by TLS modules
which encounter SSL_WANT_READ or SSL_WANT_WRITE.  Either might occur
during read or write, and so -1 was used to flag this.

However, code which used con->is_readable and con->is_writable now needs
to check for value > 0 rather than treating value as a boolean.
2021-01-19 12:01:10 -05:00
Glenn Strauss b757e738fd [mod_gnutls] fix alt code for coverity 2021-01-17 16:17:01 -05:00
Glenn Strauss 915b4ef3fc [multiple] fix TLS config string parsing
flagged by coverity

(incomplete fix a few commits back)
2021-01-17 15:50:28 -05:00
Glenn Strauss 9d8d559e1f [mod_wolfssl] fix syntax errors 2021-01-17 15:06:24 -05:00
Glenn Strauss 755f895b79 [mod_wolfssl] wipe ssl_pemfile_pkey before free() 2021-01-17 14:52:12 -05:00
Glenn Strauss a16488269d [mod_gnutls] fix ssl.ca_dn_file data access
identified by coverity

If ssl.ca_dn_file is set, then its contents were not properly matched
against the provided client certificate
2021-01-17 14:45:10 -05:00
Glenn Strauss d5b166c04d [multiple] fix TLS config string parsing
flagged by coverity

final segment of colon (':') separated string was being ignored
in some TLS config strings in mod_gnutls and mod_mbedtls

workaround: add ':' at end of config string (or apply this patch)
2021-01-17 14:33:19 -05:00
Glenn Strauss 0e2a14921e [multiple] fix coverity warnings 2021-01-17 14:32:46 -05:00
Glenn Strauss 5b0aed8c32 [mod_deflate] compat with zstd < v1.4.0
ZSTD_compressStream2() was an "advanced API" (experimental; unstable)
in v1.3.x
2021-01-17 08:33:02 -05:00
Glenn Strauss f8792bfb5a [mod_deflate] use zstd typedefs (minor cleanup) 2021-01-17 08:32:38 -05:00
Glenn Strauss 625d57b2d9 build] scripts/ remove --with-maxminddb
remove --with-maxminddb;
  maxminddb libs not currently part of our FreeBSD build images
2021-01-16 23:07:06 -05:00
Glenn Strauss 02c83d735c [build] scripts/ add --with-maxminddb 2021-01-16 22:52:32 -05:00
Glenn Strauss 62a874df32 [mod_alias] modify r->physical.path in place
(reduce string copying)

split out func mod_alias_remap() from handler func for unit testing
2021-01-16 22:33:47 -05:00
Glenn Strauss 43cc87dd67 [build] adjust crypto vars in src/CMakeLists.txt 2021-01-16 20:11:48 -05:00