Commit Graph

3256 Commits

Author SHA1 Message Date
Glenn Strauss 6f2dcc58cd [core] SecureZeroMemory() on _WIN32 2020-07-08 22:51:31 -04:00
Glenn Strauss 10c65e88f7 [mod_openssl] update default DH params
update default DH params to use RFC 7919 FFDHE2048 2048-bit group
if ssl.dh-file is not specified
2020-07-08 22:51:31 -04:00
Glenn Strauss 27dbac34a8 [mod_openssl] use openssl feature define for ALPN
use #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
rather than checking OPENSSL_VERSION_NUMBER >= 0x10002000 (1.0.2)
2020-07-08 22:51:31 -04:00
Glenn Strauss bdb3040f14 [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
use [mod_openssl] SSL_OP_NO_RENEGOTIATION if available
(openssl 1.1.0 and later)
2020-07-08 22:51:31 -04:00
Glenn Strauss 3403382261 [mod_openssl] issue warning for deprecated options 2020-07-08 22:51:31 -04:00
Glenn Strauss d605c83a73 [mod_openssl] enable read-ahead, if set, after SNI
note: not disabling if enabled; extra blocks may already have been read
2020-07-08 22:51:31 -04:00
Glenn Strauss 1fc8a3e1f2 [core] sys-crypto-md.h w/ inline message digest fn
sys-crypto-md.h w/ inline message digest functions; shared code
2020-07-08 22:51:31 -04:00
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss 10dbe38a92 [core] stricter parse of numerical digits
stricter parse of numerical digits for http status code, port num,
and a few other places.  (stricter parse than that of strtol())

content ranges are still parsed more loosely at points of use
2020-07-08 22:51:31 -04:00
Glenn Strauss 68387462e0 [build] point ./configure --help to support forum
./configure --help will point people to the support forums, as the vast
majority of "bugs" filed are support requests. The lighttpd homepage
( sidebar links "bugs" to
2020-07-08 22:51:31 -04:00
Glenn Strauss 6876c16be0 [core] RFC-strict parse of Content-Length
augment simple strtoll() which allowed number to begin with '+'

This is not exploitable for HTTP Request Smuggling since lighttpd
mod_proxy sends "Connection: close" to backends, and other CGI-based
backends reconstitute CONTENT_LENGTH in the environment without '+'.

(thx Amit Klein, Safebreach)
2020-07-08 22:51:31 -04:00
Glenn Strauss acff179322 [mod_openssl] set chains from callback in 1.0.2+ (#2842)
mod_openssl leverages cert callback in openssl 1.0.2 and later

server certificate chain
  is now set in the cert callback

verify_store (for client certificate verification) (
  is now set in the cert callback

more carefully load sensitive files and clear temporary storage
  (with openssl 1.1.1 and later)

  "Lighttpd Returns Wrong Cert In Multi-cert Set-up"
2020-07-08 22:51:31 -04:00
Glenn Strauss 01b1f16b3f [mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
set server certificate from callback in openssl 1.0.2 and later

For existing versions of lighttpd, certificate selection influenced by
ssl.cipher-list which can be used to set server cipher order preference
(along with ssl.honor-cipher-order = "enable", which is the default)

  "Lighttpd Returns Wrong Cert In Multi-cert Set-up"
  "lighttpd uses wrong pem-file"
2020-07-08 22:51:31 -04:00
Glenn Strauss 2a5b7c648a [mod_openssl] rotate session ticket encryption key
server ticket encryption key (STEK) rotation occurs every 86400 seconds
and upon lighttpd server restart.  If using lighttpd with multiple
lighttpd workers, then restarting lighttpd keeps the STEK in sync
between lighttpd workers.
2020-07-08 22:51:31 -04:00
Glenn Strauss bf4054f8ec [mod_gnutls] GnuTLS option for TLS (fixes #109)

mod_gnutls supports most ssl.* config options supported by mod_openssl

  "GnuTLS support for the mod_ssl"
2020-07-08 22:51:31 -04:00
Glenn Strauss 68d626fa9f [mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING
report SSL_R_UNEXPECTED_EOF_WHILE_READING if debug.log-ssl-noise enabled

added in openssl 1.1.1e and reverted in 1.1.1f, but kept in 3.0 branch
2020-07-08 22:51:31 -04:00
Glenn Strauss b33b6f9121 [mod_openssl] do not log ECONNRESET unless debug
do not log ECONNRESET to errorlog unless debug.log-ssl-noise = "enable"
2020-07-08 22:51:31 -04:00
Glenn Strauss 446866333f [multiple] use *(unsigned char *) with ctypes 2020-07-08 22:51:31 -04:00
Glenn Strauss 455dc03778 [core] prefer getxattr() instead of get_attr()
(when lighttpd is built ./configure --with-attr)
2020-07-08 22:51:31 -04:00
Glenn Strauss cb753ec5b5 [mod_mbedtls] mbedTLS option for TLS

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
2020-07-08 22:51:31 -04:00
Glenn Strauss 7de51cc77b [core] add seed before openssl RAND_pseudo_bytes() 2020-07-08 19:54:30 -04:00
Glenn Strauss ce7840504d [mod_openssl] disable cert vrfy if ALPN acme-tls/1
disable client cert verification if ALPN "acme-tls/1"
2020-07-08 19:54:30 -04:00
Glenn Strauss f7bac374ee [mod_accesslog] process backslash-escapes in fmt
Process basic backslash-escapes in format string from lighttpd.conf
Supported sequences: \a \b \f \n \r \t \v
Other backslash-sequences are replaces with the char following backslash

(Apache mod_log_config supports \n and \t as special-cases)
2020-07-08 19:54:30 -04:00
Glenn Strauss f70912ee44 [mod_webdav] define PATH_MAX if not defined
(PATH_MAX does not appear to be defined on hurd-i386)
2020-07-08 19:54:30 -04:00
Glenn Strauss abe61d0445 [core] return EINVAL if stat_cache_get_entry w/o /
return EINVAL if stat_cache_get_entry() called on path w/o leading '/'
2020-07-08 19:54:30 -04:00
Glenn Strauss e6c47d6ecf [mod_cgi] remove redundant calls to set FD_CLOEXEC 2020-07-08 19:54:30 -04:00
Glenn Strauss 95b2774863 [core] skip excess close() when FD_CLOEXEC defined
do not run through close() loop after fork() and before execve()
when FD_CLOEXEC is defined
2020-07-08 19:54:30 -04:00
Glenn Strauss b28a3714c4 [multiple] ./configure --with-nettle to use Nettle
./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL.  Note: Nettle does not provide TLS.

  "How to use SHA-256 without OpenSSL?"
2020-07-08 19:54:30 -04:00
Glenn Strauss af836b94d3 [tests] fix skip count in mod-fastcgi w/o php-cgi
(fix test skip count when php-cgi is not available)
2020-07-08 19:54:30 -04:00
Glenn Strauss 0acb0f3604 [multiple] fix some cc warnings in 32-bit, powerpc 2020-07-08 19:54:30 -04:00
Glenn Strauss c752d4696e [multiple] correct misspellings in comments
  "Script for fixing spelling errors with codespell"
2020-07-08 19:54:30 -04:00
Glenn Strauss bcddbe186f [mod_proxy] stream request using HTTP/1.1 chunked (fixes #3006)
stream request body using HTTP/1.1 Transfer-Encoding: chunked

(Note: if backend proxy target does not support HTTP/1.1,
 then do not use = 1 or 2)

If not streaming to backend, collect request body
(now supporting Transfer-Encoding: chunked from client
 and then sending with Content-Length to backend)

  "Lighty returns HTTP 411 Length Required with proxy and streaming requests/reponses body"
2020-07-08 19:54:29 -04:00
Glenn Strauss 89082a12ca [config] blank server.tag if whitespace-only 2020-07-08 19:54:29 -04:00
Glenn Strauss e11f72b11d [doc] lighttpd.conf: lighttpd choose event-handler
comment out server.event-handler in sample lighttpd.conf
so that lighttpd chooses the recommended event-handler
for each OS
2020-07-08 19:54:29 -04:00
Glenn Strauss bc89b98acb [build] fix build on MacOS X Tiger
fixes for Tiger build, but can be applied generally to all builds
also requires legacysupport PortGroup for *at functions

2020-07-08 19:54:29 -04:00
Glenn Strauss e1188e770e [mod_auth] "nonce_secret" option to validate nonce (fixes #2976)
"nonce_secret" option to validate nonce was generated by the server

Marginally hardens HTTP Digest Auth.  Necessary piece, but not
sufficient, to restrict re-use of nonce (mitigations for replay
or limiting nonce count reuse via nc=... are not implemented)

  "Digest auth nonces are not validated"
2020-07-08 19:54:29 -04:00
Glenn Strauss 9fdf24468d [doc] src/t/README 2020-07-08 19:54:29 -04:00
Glenn Strauss 48e272b347 [doc] add link to wiki in doc/outdated/ssl.txt 2020-07-08 19:54:29 -04:00
Glenn Strauss 41a268b805 [core] parse header label before end of line
parse header label for colon before checking end of line for whitespace
2020-07-08 19:54:29 -04:00
Glenn Strauss b04f0311f9 [core] perf: tighten some code in some hot paths 2020-07-08 19:54:29 -04:00
Glenn Strauss a200e0c204 [core] use uint32_t in http_header.[ch]
headers should never approach anywhere remotely close to > 4 GB
2020-07-08 19:54:29 -04:00
Glenn Strauss 1d6003e575 [core] mark some chunk.c funcs as pure 2020-07-08 19:54:29 -04:00
Glenn Strauss eae84b6a69 [core] http_status_append() short-circuit 200 OK 2020-07-08 19:54:29 -04:00
Glenn Strauss 17e0b6fe30 [tests] use buffer_eq_slen() for str comparison
(substitute buffer_eq_slen() for buffer_is_equal_string())
2020-07-08 19:54:29 -04:00
Glenn Strauss dd91c1459c [core] http_response_config()
split from http_response_prepare()
2020-07-08 19:54:29 -04:00
Glenn Strauss 3f4f934485 [core] http_response_comeback()
group HANDLER_COMEBACK logic in http_response_comeback() and call it
from places that reset state in order to (sometimes partially) reprocess
a request.  This includes error handler (server.error-handler),
r->handler_module when cgi.local-redir, and looping in
http_response_prepare() when modules make changes to the request and
return HANDLER_COMEBACK (e.g. mod_rewrite, mod_magnet, mod_cml)

Also, set r->conditional_is_valid closer to where elements are set
(and become valid for use in condition checks), and parse target
in http_request_parse() instead of http_response_prepare()
2020-07-08 19:54:29 -04:00
Glenn Strauss a0029b21a1 [core] remove r->uri.path_raw; generate as needed
(r->uri.path_raw previously duplicated from r->target, minus query-part)
2020-07-08 19:54:29 -04:00
Glenn Strauss 9aa0b3409e [mod_magnet] modify r->target with "uri.path-raw" 2020-07-08 19:54:29 -04:00
Glenn Strauss d013d0abd3 [core] http_request_parse_target()
http_request_parse_target() split from http_response_prepare()
2020-07-08 19:54:29 -04:00
Glenn Strauss 34285ed0fa [core] dispatch handler in handle_request func
dispatch handler in connection_handle_request()
instead of in http_response_prepare()
2020-07-08 19:54:29 -04:00