search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[core] allow earlier plugin init for SSL/TLS
[lighttpd.git] / src / mod_openssl.c
blobffe5cd53f485402d43e71a99ab27f3aeb6ecb7ce
1 #include "first.h"
2
3 #include <errno.h>
4 #include <string.h>
5 #include <unistd.h>
6
7 #ifndef USE_OPENSSL_KERBEROS
8 #ifndef OPENSSL_NO_KRB5
9 #define OPENSSL_NO_KRB5
10 #endif
11 #endif
12
13 #include <openssl/ssl.h>
14 #include <openssl/bn.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #ifndef OPENSSL_NO_DH
18 #include <openssl/dh.h>
19 #endif
20
21 #if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
22 #define OPENSSL_NO_TLSEXT
23 #endif
24
25 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
26 #ifndef OPENSSL_NO_ECDH
27 #include <openssl/ecdh.h>
28 #endif
29 #endif
30
31 #include "base.h"
32 #include "log.h"
33 #include "plugin.h"
34
35 typedef struct {
36 SSL_CTX *ssl_ctx; /* not patched */
37 /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
38 EVP_PKEY *ssl_pemfile_pkey;
39 X509 *ssl_pemfile_x509;
40 STACK_OF(X509_NAME) *ssl_ca_file_cert_names;
41
42 unsigned short ssl_verifyclient;
43 unsigned short ssl_verifyclient_enforce;
44 unsigned short ssl_verifyclient_depth;
45 unsigned short ssl_verifyclient_export_cert;
46 buffer *ssl_verifyclient_username;
47
48 unsigned short ssl_disable_client_renegotiation;
49 unsigned short ssl_read_ahead;
50 unsigned short ssl_log_noise;
51
52 /*(used only during startup; not patched)*/
53 unsigned short ssl_enabled; /* only interesting for setting up listening sockets. don't use at runtime */
54 unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
55 unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
56 unsigned short ssl_use_sslv2;
57 unsigned short ssl_use_sslv3;
58 buffer *ssl_pemfile;
59 buffer *ssl_ca_file;
60 buffer *ssl_ca_crl_file;
61 buffer *ssl_ca_dn_file;
62 buffer *ssl_cipher_list;
63 buffer *ssl_dh_file;
64 buffer *ssl_ec_curve;
65 } plugin_config;
66
67 typedef struct {
68 PLUGIN_DATA;
69 plugin_config **config_storage;
70 } plugin_data;
71
72 static int ssl_is_init;
73 /* need assigned p->id for deep access of module handler_ctx for connection
74 * i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
75 static plugin_data *plugin_data_singleton;
76 #define LOCAL_SEND_BUFSIZE (64 * 1024)
77 static char *local_send_buffer;
78
79 typedef struct {
80 SSL *ssl;
81 connection *con;
82 unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
83 int request_env_patched;
84 plugin_config conf;
85 server *srv;
86 } handler_ctx;
87
88
89 static handler_ctx *
90 handler_ctx_init (void)
91 {
92 handler_ctx *hctx = calloc(1, sizeof(*hctx));
93 force_assert(hctx);
94 return hctx;
95 }
96
97
98 static void
99 handler_ctx_free (handler_ctx *hctx)
100 {
101 if (hctx->ssl) SSL_free(hctx->ssl);
102 free(hctx);
103 }
104
105
106 INIT_FUNC(mod_openssl_init)
107 {
108 plugin_data_singleton = (plugin_data *)calloc(1, sizeof(plugin_data));
109 return plugin_data_singleton;
110 }
111
112
113 FREE_FUNC(mod_openssl_free)
114 {
115 plugin_data *p = p_d;
116 if (!p) return HANDLER_GO_ON;
117
118 if (p->config_storage) {
119 for (size_t i = 0; i < srv->config_context->used; ++i) {
120 plugin_config *s = p->config_storage[i];
121 int copy;
122 if (NULL == s) continue;
123 copy = s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile);
124 buffer_free(s->ssl_pemfile);
125 buffer_free(s->ssl_ca_file);
126 buffer_free(s->ssl_ca_crl_file);
127 buffer_free(s->ssl_ca_dn_file);
128 buffer_free(s->ssl_cipher_list);
129 buffer_free(s->ssl_dh_file);
130 buffer_free(s->ssl_ec_curve);
131 buffer_free(s->ssl_verifyclient_username);
132 if (copy) continue;
133 SSL_CTX_free(s->ssl_ctx);
134 EVP_PKEY_free(s->ssl_pemfile_pkey);
135 X509_free(s->ssl_pemfile_x509);
136 if (NULL != s->ssl_ca_file_cert_names)
137 sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names,X509_NAME_free);
138 }
139 for (size_t i = 0; i < srv->config_context->used; ++i) {
140 plugin_config *s = p->config_storage[i];
141 if (NULL == s) continue;
142
143 free(s);
144 }
145 free(p->config_storage);
146 }
147
148 if (ssl_is_init) {
149 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
150 && !defined(LIBRESSL_VERSION_NUMBER)
151 /*(OpenSSL libraries handle thread init and deinit)
152 * https://github.com/openssl/openssl/pull/1048 */
153 #else
154 CRYPTO_cleanup_all_ex_data();
155 ERR_free_strings();
156 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
157 ERR_remove_thread_state(NULL);
158 #else
159 ERR_remove_state(0);
160 #endif
161 EVP_cleanup();
162 #endif
163
164 free(local_send_buffer);
165 }
166
167 free(p);
168
169 return HANDLER_GO_ON;
170 }
171
172
173 static int
174 safer_X509_NAME_oneline(X509_NAME *name, char *buf, size_t sz)
175 {
176 BIO *bio = BIO_new(BIO_s_mem());
177 if (bio) {
178 int len = X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE);
179 BIO_gets(bio, buf, (int)sz); /*(may be truncated if len >= sz)*/
180 BIO_free(bio);
181 return len; /*return value has similar semantics to that of snprintf()*/
182 }
183 else {
184 buf[0] = '\0';
185 return -1;
186 }
187 }
188
189
190 static void
191 ssl_info_callback (const SSL *ssl, int where, int ret)
192 {
193 UNUSED(ret);
194
195 if (0 != (where & SSL_CB_HANDSHAKE_START)) {
196 handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
197 ++hctx->renegotiations;
198 }
199 }
200
201 /* https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)#EXAMPLES */
202 static int
203 verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
204 {
205 char buf[256];
206 X509 *err_cert;
207 int err, depth;
208 SSL *ssl;
209 handler_ctx *hctx;
210 server *srv;
211
212 err = X509_STORE_CTX_get_error(ctx);
213 depth = X509_STORE_CTX_get_error_depth(ctx);
214
215 /*
216 * Retrieve the pointer to the SSL of the connection currently treated
217 * and the application specific data stored into the SSL object.
218 */
219 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
220 hctx = (handler_ctx *) SSL_get_app_data(ssl);
221 srv = hctx->srv;
222
223 /*
224 * Catch a too long certificate chain. The depth limit set using
225 * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
226 * that whenever the "depth>verify_depth" condition is met, we
227 * have violated the limit and want to log this error condition.
228 * We must do it here, because the CHAIN_TOO_LONG error would not
229 * be found explicitly; only errors introduced by cutting off the
230 * additional certificates would be logged.
231 */
232 if (depth > hctx->conf.ssl_verifyclient_depth) {
233 preverify_ok = 0;
234 err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
235 X509_STORE_CTX_set_error(ctx, err);
236 }
237
238 if (preverify_ok) {
239 return preverify_ok;
240 }
241
242 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
243 err_cert = X509_STORE_CTX_get_current_cert(ctx);
244 #else
245 err_cert = ctx->current_cert;
246 #endif
247 if (NULL == err_cert) return !hctx->conf.ssl_verifyclient_enforce;
248 safer_X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf));
249 log_error_write(srv, __FILE__, __LINE__, "SDSSSDSS",
250 "SSL: verify error:num=", err, ":",
251 X509_verify_cert_error_string(err), ":depth=", depth,
252 ":subject=", buf);
253
254 /*
255 * At this point, err contains the last verification error. We can use
256 * it for something special
257 */
258 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
259 err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
260 safer_X509_NAME_oneline(X509_get_issuer_name(err_cert),buf,sizeof(buf));
261 log_error_write(srv, __FILE__, __LINE__, "SS", "SSL: issuer=", buf);
262 }
263
264 return !hctx->conf.ssl_verifyclient_enforce;
265 }
266
267 #ifndef OPENSSL_NO_TLSEXT
268 static int mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx);
269
270 static int
271 network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
272 {
273 const char *servername;
274 handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
275 connection *con = hctx->con;
276 UNUSED(al);
277
278 buffer_copy_string(con->uri.scheme, "https");
279
280 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
281 if (NULL == servername) {
282 #if 0
283 /* this "error" just means the client didn't support it */
284 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
285 "failed to get TLS server name");
286 #endif
287 return SSL_TLSEXT_ERR_NOACK;
288 }
289 /* use SNI to patch mod_openssl config and then reset COMP_HTTP_HOST */
290 buffer_copy_string(con->uri.authority, servername);
291 buffer_to_lower(con->uri.authority);
292
293 con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
294 con->conditional_is_valid[COMP_HTTP_HOST] = 1;
295 mod_openssl_patch_connection(srv, con, hctx);
296 /* reset COMP_HTTP_HOST so that conditions re-run after request hdrs read */
297 /*(done in response.c:config_cond_cache_reset() after request hdrs read)*/
298 /*config_cond_cache_reset_item(con, COMP_HTTP_HOST);*/
299 /*buffer_reset(con->uri.authority);*/
300
301 if (NULL == hctx->conf.ssl_pemfile_x509
302 || NULL == hctx->conf.ssl_pemfile_pkey) {
303 /* x509/pkey available <=> pemfile was set <=> pemfile got patched:
304 * so this should never happen, unless you nest $SERVER["socket"] */
305 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
306 "no certificate/private key for TLS server name",
307 con->uri.authority);
308 return SSL_TLSEXT_ERR_ALERT_FATAL;
309 }
310
311 /* first set certificate!
312 * setting private key checks whether certificate matches it */
313 if (!SSL_use_certificate(ssl, hctx->conf.ssl_pemfile_x509)) {
314 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
315 "failed to set certificate for TLS server name",
316 con->uri.authority,
317 ERR_error_string(ERR_get_error(), NULL));
318 return SSL_TLSEXT_ERR_ALERT_FATAL;
319 }
320
321 if (!SSL_use_PrivateKey(ssl, hctx->conf.ssl_pemfile_pkey)) {
322 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
323 "failed to set private key for TLS server name",
324 con->uri.authority,
325 ERR_error_string(ERR_get_error(), NULL));
326 return SSL_TLSEXT_ERR_ALERT_FATAL;
327 }
328
329 if (hctx->conf.ssl_verifyclient) {
330 int mode;
331 if (NULL == hctx->conf.ssl_ca_file_cert_names) {
332 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
333 "can't verify client without ssl.ca-file "
334 "for TLS server name", con->uri.authority,
335 ERR_error_string(ERR_get_error(), NULL));
336 return SSL_TLSEXT_ERR_ALERT_FATAL;
337 }
338
339 SSL_set_client_CA_list(
340 ssl, SSL_dup_CA_list(hctx->conf.ssl_ca_file_cert_names));
341 /* forcing verification here is really not that useful
342 * -- a client could just connect without SNI */
343 mode = SSL_VERIFY_PEER;
344 if (hctx->conf.ssl_verifyclient_enforce) {
345 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
346 }
347 SSL_set_verify(ssl, mode, verify_callback);
348 SSL_set_verify_depth(ssl, hctx->conf.ssl_verifyclient_depth + 1);
349 } else {
350 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
351 }
352
353 return SSL_TLSEXT_ERR_OK;
354 }
355 #endif
356
357
358 static X509 *
359 x509_load_pem_file (server *srv, const char *file)
360 {
361 BIO *in;
362 X509 *x = NULL;
363
364 in = BIO_new(BIO_s_file());
365 if (NULL == in) {
366 log_error_write(srv, __FILE__, __LINE__, "S",
367 "SSL: BIO_new(BIO_s_file()) failed");
368 goto error;
369 }
370
371 if (BIO_read_filename(in,file) <= 0) {
372 log_error_write(srv, __FILE__, __LINE__, "SSS",
373 "SSL: BIO_read_filename('", file,"') failed");
374 goto error;
375 }
376
377 x = PEM_read_bio_X509(in, NULL, NULL, NULL);
378 if (NULL == x) {
379 log_error_write(srv, __FILE__, __LINE__, "SSS",
380 "SSL: couldn't read X509 certificate from '", file,"'");
381 goto error;
382 }
383
384 BIO_free(in);
385 return x;
386
387 error:
388 if (NULL != in) BIO_free(in);
389 return NULL;
390 }
391
392
393 static EVP_PKEY *
394 evp_pkey_load_pem_file (server *srv, const char *file)
395 {
396 BIO *in;
397 EVP_PKEY *x = NULL;
398
399 in = BIO_new(BIO_s_file());
400 if (NULL == in) {
401 log_error_write(srv, __FILE__, __LINE__, "s",
402 "SSL: BIO_new(BIO_s_file()) failed");
403 goto error;
404 }
405
406 if (BIO_read_filename(in,file) <= 0) {
407 log_error_write(srv, __FILE__, __LINE__, "SSS",
408 "SSL: BIO_read_filename('", file,"') failed");
409 goto error;
410 }
411
412 x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
413 if (NULL == x) {
414 log_error_write(srv, __FILE__, __LINE__, "SSS",
415 "SSL: couldn't read private key from '", file,"'");
416 goto error;
417 }
418
419 BIO_free(in);
420 return x;
421
422 error:
423 if (NULL != in) BIO_free(in);
424 return NULL;
425 }
426
427
428 static int
429 network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx)
430 {
431 #ifdef OPENSSL_NO_TLSEXT
432 data_config *dc = (data_config *)srv->config_context->data[ndx];
433 if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp
434 || dc->cond != CONFIG_COND_EQ)) || !s->ssl_enabled) {
435 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
436 "ssl.pemfile only works in SSL socket binding context "
437 "as openssl version does not support TLS extensions");
438 return -1;
439 }
440 #else
441 UNUSED(ndx);
442 #endif
443
444 s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr);
445 if (NULL == s->ssl_pemfile_x509) return -1;
446 s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
447 if (NULL == s->ssl_pemfile_pkey) return -1;
448
449 if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
450 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
451 "Private key does not match the certificate public key,"
452 " reason:", ERR_error_string(ERR_get_error(), NULL),
453 s->ssl_pemfile);
454 return -1;
455 }
456
457 return 0;
458 }
459
460
461 static int
462 network_init_ssl (server *srv, void *p_d)
463 {
464 plugin_data *p = p_d;
465 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
466 #ifndef OPENSSL_NO_ECDH
467 EC_KEY *ecdh;
468 int nid;
469 #endif
470 #endif
471
472 #ifndef OPENSSL_NO_DH
473 DH *dh;
474 #endif
475 BIO *bio;
476
477 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
478 * -----BEGIN DH PARAMETERS-----
479 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
480 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
481 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
482 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
483 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
484 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
485 * -----END DH PARAMETERS-----
486 */
487
488 static const unsigned char dh1024_p[]={
489 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
490 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
491 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
492 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
493 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
494 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
495 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
496 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
497 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
498 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
499 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
500 };
501
502 static const unsigned char dh1024_g[]={
503 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
504 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
505 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
506 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
507 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
508 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
509 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
510 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
511 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
512 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
513 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
514 };
515
516 /* load SSL certificates */
517 for (size_t i = 0; i < srv->config_context->used; ++i) {
518 plugin_config *s = p->config_storage[i];
519 #ifndef SSL_OP_NO_COMPRESSION
520 #define SSL_OP_NO_COMPRESSION 0
521 #endif
522 #ifndef SSL_MODE_RELEASE_BUFFERS /* OpenSSL >= 1.0.0 */
523 #define SSL_MODE_RELEASE_BUFFERS 0
524 #endif
525 long ssloptions = SSL_OP_ALL
526 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
527 | SSL_OP_NO_COMPRESSION;
528
529 if (s->ssl_enabled) {
530 if (buffer_string_is_empty(s->ssl_pemfile)) {
531 /* inherit ssl settings from global scope
532 * (if only ssl.engine = "enable" and no other ssl.* settings)*/
533 if (0 != i && p->config_storage[0]->ssl_enabled) {
534 s->ssl_ctx = p->config_storage[0]->ssl_ctx;
535 continue;
536 }
537 /* PEM file is require */
538 log_error_write(srv, __FILE__, __LINE__, "s",
539 "ssl.pemfile has to be set");
540 return -1;
541 }
542 }
543
544 if (buffer_string_is_empty(s->ssl_pemfile)
545 && buffer_string_is_empty(s->ssl_ca_file)) continue;
546
547 if (ssl_is_init == 0) {
548 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
549 && !defined(LIBRESSL_VERSION_NUMBER)
550 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
551 |OPENSSL_INIT_LOAD_CRYPTO_STRINGS,NULL);
552 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
553 |OPENSSL_INIT_ADD_ALL_DIGESTS
554 |OPENSSL_INIT_LOAD_CONFIG, NULL);
555 #else
556 SSL_load_error_strings();
557 SSL_library_init();
558 OpenSSL_add_all_algorithms();
559 #endif
560 ssl_is_init = 1;
561
562 if (0 == RAND_status()) {
563 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
564 "not enough entropy in the pool");
565 return -1;
566 }
567
568 local_send_buffer = malloc(LOCAL_SEND_BUFSIZE);
569 force_assert(NULL != local_send_buffer);
570 }
571
572 if (!buffer_string_is_empty(s->ssl_pemfile)) {
573 #ifdef OPENSSL_NO_TLSEXT
574 data_config *dc = (data_config *)srv->config_context->data[i];
575 if (COMP_HTTP_HOST == dc->comp) {
576 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
577 "can't use ssl.pemfile with $HTTP[\"host\"], "
578 "openssl version does not support TLS "
579 "extensions");
580 return -1;
581 }
582 #endif
583 if (network_openssl_load_pemfile(srv, s, i)) return -1;
584 }
585
586
587 if (!buffer_string_is_empty(s->ssl_ca_dn_file)) {
588 s->ssl_ca_file_cert_names =
589 SSL_load_client_CA_file(s->ssl_ca_dn_file->ptr);
590 if (NULL == s->ssl_ca_file_cert_names) {
591 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
592 ERR_error_string(ERR_get_error(), NULL),
593 s->ssl_ca_dn_file);
594 }
595 }
596
597 if (NULL == s->ssl_ca_file_cert_names
598 && !buffer_string_is_empty(s->ssl_ca_file)) {
599 s->ssl_ca_file_cert_names =
600 SSL_load_client_CA_file(s->ssl_ca_file->ptr);
601 if (NULL == s->ssl_ca_file_cert_names) {
602 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
603 ERR_error_string(ERR_get_error(), NULL),
604 s->ssl_ca_file);
605 }
606 }
607
608 if (buffer_string_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
609
610 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
611 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
612 ERR_error_string(ERR_get_error(), NULL));
613 return -1;
614 }
615
616 /* completely useless identifier;
617 * required for client cert verification to work with sessions */
618 if (0 == SSL_CTX_set_session_id_context(
619 s->ssl_ctx,(const unsigned char*)CONST_STR_LEN("lighttpd"))){
620 log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
621 "failed to set session context",
622 ERR_error_string(ERR_get_error(), NULL));
623 return -1;
624 }
625
626 if (s->ssl_empty_fragments) {
627 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
628 ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
629 #else
630 ssloptions &= ~0x00000800L; /* hardcode constant */
631 log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
632 "'insert empty fragments' not supported by the "
633 "openssl version used to compile lighttpd with");
634 #endif
635 }
636
637 SSL_CTX_set_options(s->ssl_ctx, ssloptions);
638 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
639
640 if (!s->ssl_use_sslv2 && 0 != SSL_OP_NO_SSLv2) {
641 /* disable SSLv2 */
642 if ((SSL_OP_NO_SSLv2
643 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))
644 != SSL_OP_NO_SSLv2) {
645 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
646 ERR_error_string(ERR_get_error(), NULL));
647 return -1;
648 }
649 }
650
651 if (!s->ssl_use_sslv3 && 0 != SSL_OP_NO_SSLv3) {
652 /* disable SSLv3 */
653 if ((SSL_OP_NO_SSLv3
654 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))
655 != SSL_OP_NO_SSLv3) {
656 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
657 ERR_error_string(ERR_get_error(), NULL));
658 return -1;
659 }
660 }
661
662 if (!buffer_string_is_empty(s->ssl_cipher_list)) {
663 /* Disable support for low encryption ciphers */
664 if (SSL_CTX_set_cipher_list(s->ssl_ctx,s->ssl_cipher_list->ptr)!=1){
665 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
666 ERR_error_string(ERR_get_error(), NULL));
667 return -1;
668 }
669
670 if (s->ssl_honor_cipher_order) {
671 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_CIPHER_SERVER_PREFERENCE);
672 }
673 }
674
675 #ifndef OPENSSL_NO_DH
676 /* Support for Diffie-Hellman key exchange */
677 if (!buffer_string_is_empty(s->ssl_dh_file)) {
678 /* DH parameters from file */
679 bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
680 if (bio == NULL) {
681 log_error_write(srv, __FILE__, __LINE__, "ss",
682 "SSL: Unable to open file",
683 s->ssl_dh_file->ptr);
684 return -1;
685 }
686 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
687 BIO_free(bio);
688 if (dh == NULL) {
689 log_error_write(srv, __FILE__, __LINE__, "ss",
690 "SSL: PEM_read_bio_DHparams failed",
691 s->ssl_dh_file->ptr);
692 return -1;
693 }
694 } else {
695 BIGNUM *dh_p, *dh_g;
696 /* Default DH parameters from RFC5114 */
697 dh = DH_new();
698 if (dh == NULL) {
699 log_error_write(srv, __FILE__, __LINE__, "s",
700 "SSL: DH_new () failed");
701 return -1;
702 }
703 dh_p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
704 dh_g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
705 if ((dh_p == NULL) || (dh_g == NULL)) {
706 DH_free(dh);
707 log_error_write(srv, __FILE__, __LINE__, "s",
708 "SSL: BN_bin2bn () failed");
709 return -1;
710 }
711 #if OPENSSL_VERSION_NUMBER < 0x10100000L \
712 || defined(LIBRESSL_VERSION_NUMBER)
713 dh->p = dh_p;
714 dh->g = dh_g;
715 dh->length = 160;
716 #else
717 DH_set0_pqg(dh, dh_p, NULL, dh_g);
718 DH_set_length(dh, 160);
719 #endif
720 }
721 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
722 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
723 DH_free(dh);
724 #else
725 if (!buffer_string_is_empty(s->ssl_dh_file)) {
726 log_error_write(srv, __FILE__, __LINE__, "ss",
727 "SSL: openssl compiled without DH support, "
728 "can't load parameters from", s->ssl_dh_file->ptr);
729 }
730 #endif
731
732 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
733 #ifndef OPENSSL_NO_ECDH
734 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
735 if (!buffer_string_is_empty(s->ssl_ec_curve)) {
736 /* OpenSSL only supports the "named curves"
737 * from RFC 4492, section 5.1.1. */
738 nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
739 if (nid == 0) {
740 log_error_write(srv, __FILE__, __LINE__, "ss",
741 "SSL: Unknown curve name",
742 s->ssl_ec_curve->ptr);
743 return -1;
744 }
745 } else {
746 /* Default curve */
747 nid = OBJ_sn2nid("prime256v1");
748 }
749 ecdh = EC_KEY_new_by_curve_name(nid);
750 if (ecdh == NULL) {
751 log_error_write(srv, __FILE__, __LINE__, "ss",
752 "SSL: Unable to create curve",
753 s->ssl_ec_curve->ptr);
754 return -1;
755 }
756 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
757 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
758 EC_KEY_free(ecdh);
759 #endif
760 #endif
761
762 /* load all ssl.ca-files specified in the config into each SSL_CTX
763 * to be prepared for SNI */
764 for (size_t j = 0; j < srv->config_context->used; ++j) {
765 plugin_config *s1 = p->config_storage[j];
766
767 if (!buffer_string_is_empty(s1->ssl_ca_file)) {
768 if (1 != SSL_CTX_load_verify_locations(
769 s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
770 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
771 ERR_error_string(ERR_get_error(), NULL),
772 s1->ssl_ca_file);
773 return -1;
774 }
775 }
776 }
777
778 if (s->ssl_verifyclient) {
779 int mode;
780 if (NULL == s->ssl_ca_file_cert_names) {
781 log_error_write(srv, __FILE__, __LINE__, "s",
782 "SSL: You specified ssl.verifyclient.activate "
783 "but no ca_file");
784 return -1;
785 }
786 SSL_CTX_set_client_CA_list(
787 s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
788 mode = SSL_VERIFY_PEER;
789 if (s->ssl_verifyclient_enforce) {
790 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
791 }
792 SSL_CTX_set_verify(s->ssl_ctx, mode, verify_callback);
793 SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth + 1);
794 if (!buffer_string_is_empty(s->ssl_ca_crl_file)) {
795 X509_STORE *store = SSL_CTX_get_cert_store(s->ssl_ctx);
796 if (1 != X509_STORE_load_locations(store, s->ssl_ca_crl_file->ptr, NULL)) {
797 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
798 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_crl_file);
799 return -1;
800 }
801 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
802 }
803 }
804
805 if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
806 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
807 ERR_error_string(ERR_get_error(), NULL),
808 s->ssl_pemfile);
809 return -1;
810 }
811
812 if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
813 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
814 ERR_error_string(ERR_get_error(), NULL),
815 s->ssl_pemfile);
816 return -1;
817 }
818
819 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
820 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
821 "Private key does not match the certificate public "
822 "key, reason:",
823 ERR_error_string(ERR_get_error(), NULL),
824 s->ssl_pemfile);
825 return -1;
826 }
827 SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead);
828 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx)
829 | SSL_MODE_ENABLE_PARTIAL_WRITE
830 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
831 | SSL_MODE_RELEASE_BUFFERS);
832
833 #ifndef OPENSSL_NO_TLSEXT
834 if (!SSL_CTX_set_tlsext_servername_callback(
835 s->ssl_ctx, network_ssl_servername_callback) ||
836 !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
837 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
838 "failed to initialize TLS servername callback, "
839 "openssl library does not support TLS servername "
840 "extension");
841 return -1;
842 }
843 #endif
844 }
845
846 return 0;
847 }
848
849
850 SETDEFAULTS_FUNC(mod_openssl_set_defaults)
851 {
852 plugin_data *p = p_d;
853 config_values_t cv[] = {
854 { "debug.log-ssl-noise", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
855 { "ssl.engine", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
856 { "ssl.pemfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
857 { "ssl.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
858 { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
859 { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 5 */
860 { "ssl.cipher-list", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 6 */
861 { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 7 */
862 { "ssl.empty-fragments", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 8 */
863 { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 9 */
864 { "ssl.read-ahead", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 10 */
865 { "ssl.verifyclient.activate", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 11 */
866 { "ssl.verifyclient.enforce", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 12 */
867 { "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */
868 { "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 14 */
869 { "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 15 */
870 { "ssl.use-sslv2", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 16 */
871 { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 17 */
872 { "ssl.ca-crl-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 18 */
873 { "ssl.ca-dn-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 19 */
874 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
875 };
876
877 if (!p) return HANDLER_ERROR;
878
879 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
880
881 for (size_t i = 0; i < srv->config_context->used; i++) {
882 data_config const* config = (data_config const*)srv->config_context->data[i];
883 plugin_config *s = calloc(1, sizeof(plugin_config));
884
885 s->ssl_enabled = 0;
886 s->ssl_pemfile = buffer_init();
887 s->ssl_ca_file = buffer_init();
888 s->ssl_ca_crl_file = buffer_init();
889 s->ssl_ca_dn_file = buffer_init();
890 s->ssl_cipher_list = buffer_init();
891 s->ssl_dh_file = buffer_init();
892 s->ssl_ec_curve = buffer_init();
893 s->ssl_honor_cipher_order = 1;
894 s->ssl_empty_fragments = 0;
895 s->ssl_use_sslv2 = 0;
896 s->ssl_use_sslv3 = 0;
897 s->ssl_verifyclient = 0;
898 s->ssl_verifyclient_enforce = 1;
899 s->ssl_verifyclient_username = buffer_init();
900 s->ssl_verifyclient_depth = 9;
901 s->ssl_verifyclient_export_cert = 0;
902 s->ssl_disable_client_renegotiation = 1;
903 s->ssl_read_ahead = (0 == i ? 1 : p->config_storage[0]->ssl_read_ahead);
904 if (0 != i) buffer_copy_buffer(s->ssl_ca_crl_file, p->config_storage[0]->ssl_ca_crl_file);
905 if (0 != i) buffer_copy_buffer(s->ssl_ca_dn_file, p->config_storage[0]->ssl_ca_dn_file);
906
907 cv[0].destination = &(s->ssl_log_noise);
908 cv[1].destination = &(s->ssl_enabled);
909 cv[2].destination = s->ssl_pemfile;
910 cv[3].destination = s->ssl_ca_file;
911 cv[4].destination = s->ssl_dh_file;
912 cv[5].destination = s->ssl_ec_curve;
913 cv[6].destination = s->ssl_cipher_list;
914 cv[7].destination = &(s->ssl_honor_cipher_order);
915 cv[8].destination = &(s->ssl_empty_fragments);
916 cv[9].destination = &(s->ssl_disable_client_renegotiation);
917 cv[10].destination = &(s->ssl_read_ahead);
918 cv[11].destination = &(s->ssl_verifyclient);
919 cv[12].destination = &(s->ssl_verifyclient_enforce);
920 cv[13].destination = &(s->ssl_verifyclient_depth);
921 cv[14].destination = s->ssl_verifyclient_username;
922 cv[15].destination = &(s->ssl_verifyclient_export_cert);
923 cv[16].destination = &(s->ssl_use_sslv2);
924 cv[17].destination = &(s->ssl_use_sslv3);
925 cv[18].destination = s->ssl_ca_crl_file;
926 cv[19].destination = s->ssl_ca_dn_file;
927
928 p->config_storage[i] = s;
929
930 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
931 return HANDLER_ERROR;
932 }
933
934 if (0 != i && s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile)){
935 /* inherit ssl settings from global scope (in network_init_ssl())
936 * (if only ssl.engine = "enable" and no other ssl.* settings)*/
937 for (size_t j = 0; j < config->value->used; ++j) {
938 buffer *k = config->value->data[j]->key;
939 if (0 == strncmp(k->ptr, "ssl.", sizeof("ssl.")-1)
940 && !buffer_is_equal_string(k, CONST_STR_LEN("ssl.engine"))){
941 log_error_write(srv, __FILE__, __LINE__, "sb",
942 "ssl.pemfile has to be set in same scope "
943 "as other ssl.* directives, unless only "
944 "ssl.engine is set, inheriting ssl.* from "
945 "global scope", k);
946 return HANDLER_ERROR;
947 }
948 }
949 }
950 }
951
952 if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;
953
954 return HANDLER_GO_ON;
955 }
956
957
958 #define PATCH(x) \
959 hctx->conf.x = s->x;
960 static int
961 mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx)
962 {
963 plugin_config *s = plugin_data_singleton->config_storage[0];
964
965 /*PATCH(ssl_enabled);*//*(not patched)*/
966 /*PATCH(ssl_pemfile);*//*(not patched)*/
967 PATCH(ssl_pemfile_x509);
968 PATCH(ssl_pemfile_pkey);
969 /*PATCH(ssl_ca_file);*//*(not patched)*/
970 /*PATCH(ssl_ca_crl_file);*//*(not patched)*/
971 /*PATCH(ssl_ca_dn_file);*//*(not patched)*/
972 PATCH(ssl_ca_file_cert_names);
973 /*PATCH(ssl_cipher_list);*//*(not patched)*/
974 /*PATCH(ssl_dh_file);*//*(not patched)*/
975 /*PATCH(ssl_ec_curve);*//*(not patched)*/
976 /*PATCH(ssl_honor_cipher_order);*//*(not patched)*/
977 /*PATCH(ssl_empty_fragments);*//*(not patched)*/
978 /*PATCH(ssl_use_sslv2);*//*(not patched)*/
979 /*PATCH(ssl_use_sslv3);*//*(not patched)*/
980
981 PATCH(ssl_verifyclient);
982 PATCH(ssl_verifyclient_enforce);
983 PATCH(ssl_verifyclient_depth);
984 PATCH(ssl_verifyclient_username);
985 PATCH(ssl_verifyclient_export_cert);
986 PATCH(ssl_disable_client_renegotiation);
987 PATCH(ssl_read_ahead);
988
989 PATCH(ssl_log_noise);
990
991 /* skip the first, the global context */
992 for (size_t i = 1; i < srv->config_context->used; ++i) {
993 data_config *dc = (data_config *)srv->config_context->data[i];
994 s = plugin_data_singleton->config_storage[i];
995
996 /* condition didn't match */
997 if (!config_check_cond(srv, con, dc)) continue;
998
999 /* merge config */
1000 for (size_t j = 0; j < dc->value->used; ++j) {
1001 data_unset *du = dc->value->data[j];
1002
1003 if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
1004 /*PATCH(ssl_pemfile);*//*(not patched)*/
1005 PATCH(ssl_pemfile_x509);
1006 PATCH(ssl_pemfile_pkey);
1007 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
1008 /*PATCH(ssl_ca_file);*//*(not patched)*/
1009 PATCH(ssl_ca_file_cert_names);
1010 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
1011 PATCH(ssl_verifyclient);
1012 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
1013 PATCH(ssl_verifyclient_enforce);
1014 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
1015 PATCH(ssl_verifyclient_depth);
1016 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
1017 PATCH(ssl_verifyclient_username);
1018 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
1019 PATCH(ssl_verifyclient_export_cert);
1020 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
1021 PATCH(ssl_disable_client_renegotiation);
1022 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.read-ahead"))) {
1023 PATCH(ssl_read_ahead);
1024 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("debug.log-ssl-noise"))) {
1025 PATCH(ssl_log_noise);
1026 #if 0 /*(not patched)*/
1027 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-crl-file"))) {
1028 PATCH(ssl_ca_crl_file);
1029 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-dn-file"))) {
1030 PATCH(ssl_ca_dn_file);
1031 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
1032 PATCH(ssl_honor_cipher_order);
1033 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
1034 PATCH(ssl_empty_fragments);
1035 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
1036 PATCH(ssl_use_sslv2);
1037 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
1038 PATCH(ssl_use_sslv3);
1039 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
1040 PATCH(ssl_cipher_list);
1041 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.dh-file"))) {
1042 PATCH(ssl_dh_file);
1043 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ec-curve"))) {
1044 PATCH(ssl_ec_curve);
1045 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
1046 PATCH(ssl_enabled);
1047 #endif
1048 }
1049 }
1050 }
1051
1052 return 0;
1053 }
1054 #undef PATCH
1055
1056
1057 static int
1058 load_next_chunk (server *srv, chunkqueue *cq, off_t max_bytes,
1059 const char **data, size_t *data_len)
1060 {
1061 chunk * const c = cq->first;
1062
1063 /* local_send_buffer is a 64k sendbuffer (LOCAL_SEND_BUFSIZE)
1064 *
1065 * it has to stay at the same location all the time to satisfy the needs
1066 * of SSL_write to pass the SAME parameter in case of a _WANT_WRITE
1067 *
1068 * buffer is allocated once, is NOT realloced
1069 *
1070 * (Note: above restriction no longer true since SSL_CTX_set_mode() is
1071 * called with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
1072 * */
1073
1074 force_assert(NULL != c);
1075
1076 switch (c->type) {
1077 case MEM_CHUNK:
1078 {
1079 size_t have;
1080
1081 force_assert(c->offset >= 0
1082 && c->offset <= (off_t)buffer_string_length(c->mem));
1083
1084 have = buffer_string_length(c->mem) - c->offset;
1085 if ((off_t) have > max_bytes) have = max_bytes;
1086
1087 *data = c->mem->ptr + c->offset;
1088 *data_len = have;
1089 }
1090 return 0;
1091
1092 case FILE_CHUNK:
1093 if (0 != chunkqueue_open_file_chunk(srv, cq)) return -1;
1094
1095 {
1096 off_t offset, toSend;
1097
1098 force_assert(c->offset >= 0 && c->offset <= c->file.length);
1099 offset = c->file.start + c->offset;
1100 toSend = c->file.length - c->offset;
1101
1102 if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
1103 if (toSend > max_bytes) toSend = max_bytes;
1104
1105 if (-1 == lseek(c->file.fd, offset, SEEK_SET)) {
1106 log_error_write(srv, __FILE__, __LINE__, "ss",
1107 "lseek: ", strerror(errno));
1108 return -1;
1109 }
1110 if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) {
1111 log_error_write(srv, __FILE__, __LINE__, "ss",
1112 "read: ", strerror(errno));
1113 return -1;
1114 }
1115
1116 *data = local_send_buffer;
1117 *data_len = toSend;
1118 }
1119 return 0;
1120 }
1121
1122 return -1;
1123 }
1124
1125
1126 static int
1127 connection_write_cq_ssl (server *srv, connection *con,
1128 chunkqueue *cq, off_t max_bytes)
1129 {
1130 /* the remote side closed the connection before without shutdown request
1131 * - IE
1132 * - wget
1133 * if keep-alive is disabled */
1134 handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
1135 SSL *ssl = hctx->ssl;
1136
1137 if (con->keep_alive == 0) {
1138 SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
1139 }
1140
1141 chunkqueue_remove_finished_chunks(cq);
1142
1143 while (max_bytes > 0 && NULL != cq->first) {
1144 const char *data;
1145 size_t data_len;
1146 int r;
1147
1148 if (0 != load_next_chunk(srv,cq,max_bytes,&data,&data_len)) return -1;
1149
1150 /**
1151 * SSL_write man-page
1152 *
1153 * WARNING
1154 * When an SSL_write() operation has to be repeated because of
1155 * SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be
1156 * repeated with the same arguments.
1157 */
1158
1159 ERR_clear_error();
1160 r = SSL_write(ssl, data, data_len);
1161
1162 if (hctx->renegotiations > 1
1163 && hctx->conf.ssl_disable_client_renegotiation) {
1164 log_error_write(srv, __FILE__, __LINE__, "s",
1165 "SSL: renegotiation initiated by client, killing connection");
1166 return -1;
1167 }
1168
1169 if (r <= 0) {
1170 int ssl_r;
1171 unsigned long err;
1172
1173 switch ((ssl_r = SSL_get_error(ssl, r))) {
1174 case SSL_ERROR_WANT_READ:
1175 con->is_readable = -1;
1176 return 0; /* try again later */
1177 case SSL_ERROR_WANT_WRITE:
1178 con->is_writable = -1;
1179 return 0; /* try again later */
1180 case SSL_ERROR_SYSCALL:
1181 /* perhaps we have error waiting in our error-queue */
1182 if (0 != (err = ERR_get_error())) {
1183 do {
1184 log_error_write(srv, __FILE__, __LINE__, "sdds",
1185 "SSL:", ssl_r, r,
1186 ERR_error_string(err, NULL));
1187 } while((err = ERR_get_error()));
1188 } else if (r == -1) {
1189 /* no, but we have errno */
1190 switch(errno) {
1191 case EPIPE:
1192 case ECONNRESET:
1193 return -2;
1194 default:
1195 log_error_write(srv, __FILE__, __LINE__, "sddds",
1196 "SSL:", ssl_r, r, errno,
1197 strerror(errno));
1198 break;
1199 }
1200 } else {
1201 /* neither error-queue nor errno ? */
1202 log_error_write(srv, __FILE__, __LINE__, "sddds",
1203 "SSL (error):", ssl_r, r, errno,
1204 strerror(errno));
1205 }
1206 break;
1207
1208 case SSL_ERROR_ZERO_RETURN:
1209 /* clean shutdown on the remote side */
1210
1211 if (r == 0) return -2;
1212
1213 /* fall through */
1214 default:
1215 while((err = ERR_get_error())) {
1216 log_error_write(srv, __FILE__, __LINE__, "sdds",
1217 "SSL:", ssl_r, r,
1218 ERR_error_string(err, NULL));
1219 }
1220 break;
1221 }
1222 return -1;
1223 }
1224
1225 chunkqueue_mark_written(cq, r);
1226 max_bytes -= r;
1227
1228 if ((size_t) r < data_len) break; /* try again later */
1229 }
1230
1231 return 0;
1232 }
1233
1234
1235 static int
1236 connection_read_cq_ssl (server *srv, connection *con,
1237 chunkqueue *cq, off_t max_bytes)
1238 {
1239 handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
1240 int r, ssl_err, len;
1241 char *mem = NULL;
1242 size_t mem_len = 0;
1243
1244 /*(code transform assumption; minimize diff)*/
1245 force_assert(cq == con->read_queue);
1246 UNUSED(max_bytes);
1247
1248 ERR_clear_error();
1249 do {
1250 chunkqueue_get_memory(con->read_queue, &mem, &mem_len, 0,
1251 SSL_pending(hctx->ssl));
1252 #if 0
1253 /* overwrite everything with 0 */
1254 memset(mem, 0, mem_len);
1255 #endif
1256
1257 len = SSL_read(hctx->ssl, mem, mem_len);
1258 if (len > 0) {
1259 chunkqueue_use_memory(con->read_queue, len);
1260 con->bytes_read += len;
1261 } else {
1262 chunkqueue_use_memory(con->read_queue, 0);
1263 }
1264
1265 if (hctx->renegotiations > 1
1266 && hctx->conf.ssl_disable_client_renegotiation) {
1267 log_error_write(srv, __FILE__, __LINE__, "s",
1268 "SSL: renegotiation initiated by client, killing connection");
1269 return -1;
1270 }
1271 } while (len > 0
1272 && (hctx->conf.ssl_read_ahead || SSL_pending(hctx->ssl) > 0));
1273
1274 if (len < 0) {
1275 int oerrno = errno;
1276 switch ((r = SSL_get_error(hctx->ssl, len))) {
1277 case SSL_ERROR_WANT_WRITE:
1278 con->is_writable = -1;
1279 case SSL_ERROR_WANT_READ:
1280 con->is_readable = 0;
1281
1282 /* the manual says we have to call SSL_read with the same arguments
1283 * next time. we ignore this restriction; no one has complained
1284 * about it in 1.5 yet, so it probably works anyway.
1285 */
1286
1287 return 0;
1288 case SSL_ERROR_SYSCALL:
1289 /**
1290 * man SSL_get_error()
1291 *
1292 * SSL_ERROR_SYSCALL
1293 * Some I/O error occurred. The OpenSSL error queue may contain
1294 * more information on the error. If the error queue is empty
1295 * (i.e. ERR_get_error() returns 0), ret can be used to find out
1296 * more about the error: If ret == 0, an EOF was observed that
1297 * violates the protocol. If ret == -1, the underlying BIO
1298 * reported an I/O error (for socket I/O on Unix systems, consult
1299 * errno for details).
1300 *
1301 */
1302 while((ssl_err = ERR_get_error())) {
1303 /* get all errors from the error-queue */
1304 log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
1305 r, ERR_error_string(ssl_err, NULL));
1306 }
1307
1308 switch(oerrno) {
1309 default:
1310 log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
1311 len, r, oerrno,
1312 strerror(oerrno));
1313 break;
1314 }
1315
1316 break;
1317 case SSL_ERROR_ZERO_RETURN:
1318 /* clean shutdown on the remote side */
1319
1320 if (r == 0) {
1321 /* FIXME: later */
1322 }
1323
1324 /* fall thourgh */
1325 default:
1326 while((ssl_err = ERR_get_error())) {
1327 switch (ERR_GET_REASON(ssl_err)) {
1328 case SSL_R_SSL_HANDSHAKE_FAILURE:
1329 #ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
1330 case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
1331 #endif
1332 #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
1333 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
1334 #endif
1335 #ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
1336 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
1337 #endif
1338 if (!hctx->conf.ssl_log_noise) continue;
1339 break;
1340 default:
1341 break;
1342 }
1343 /* get all errors from the error-queue */
1344 log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
1345 r, ERR_error_string(ssl_err, NULL));
1346 }
1347 break;
1348 }
1349 return -1;
1350 } else if (len == 0) {
1351 con->is_readable = 0;
1352 /* the other end close the connection -> KEEP-ALIVE */
1353
1354 return -2;
1355 } else {
1356 return 0;
1357 }
1358 }
1359
1360
1361 CONNECTION_FUNC(mod_openssl_handle_con_accept)
1362 {
1363 plugin_data *p = p_d;
1364 handler_ctx *hctx;
1365 server_socket *srv_sock = con->srv_socket;
1366 if (!srv_sock->is_ssl) return HANDLER_GO_ON;
1367
1368 hctx = handler_ctx_init();
1369 hctx->con = con;
1370 hctx->srv = srv;
1371 con->plugin_ctx[p->id] = hctx;
1372 mod_openssl_patch_connection(srv, con, hctx);
1373
1374 /* connect fd to SSL */
1375 hctx->ssl = SSL_new(p->config_storage[srv_sock->sidx]->ssl_ctx);
1376 if (NULL == hctx->ssl) {
1377 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
1378 ERR_error_string(ERR_get_error(), NULL));
1379 return HANDLER_ERROR;
1380 }
1381
1382 buffer_copy_string_len(con->proto, CONST_STR_LEN("https"));
1383 con->network_read = connection_read_cq_ssl;
1384 con->network_write = connection_write_cq_ssl;
1385 SSL_set_app_data(hctx->ssl, hctx);
1386 SSL_set_accept_state(hctx->ssl);
1387
1388 if (1 != (SSL_set_fd(hctx->ssl, con->fd))) {
1389 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
1390 ERR_error_string(ERR_get_error(), NULL));
1391 return HANDLER_ERROR;
1392 }
1393
1394 return HANDLER_GO_ON;
1395 }
1396
1397
1398 CONNECTION_FUNC(mod_openssl_handle_con_shut_wr)
1399 {
1400 plugin_data *p = p_d;
1401 handler_ctx *hctx = con->plugin_ctx[p->id];
1402 if (NULL == hctx) return HANDLER_GO_ON;
1403
1404 if (SSL_is_init_finished(hctx->ssl)) {
1405 int ret, ssl_r;
1406 unsigned long err;
1407 ERR_clear_error();
1408 switch ((ret = SSL_shutdown(hctx->ssl))) {
1409 case 1:
1410 /* ok */
1411 break;
1412 case 0:
1413 /* wait for fd-event
1414 *
1415 * FIXME: wait for fdevent and call SSL_shutdown again
1416 *
1417 */
1418 ERR_clear_error();
1419 if (-1 != (ret = SSL_shutdown(hctx->ssl))) break;
1420
1421 /* fall through */
1422 default:
1423
1424 switch ((ssl_r = SSL_get_error(hctx->ssl, ret))) {
1425 case SSL_ERROR_ZERO_RETURN:
1426 break;
1427 case SSL_ERROR_WANT_WRITE:
1428 /*con->is_writable=-1;*//*(no effect; shutdown() called below)*/
1429 case SSL_ERROR_WANT_READ:
1430 break;
1431 case SSL_ERROR_SYSCALL:
1432 /* perhaps we have error waiting in our error-queue */
1433 if (0 != (err = ERR_get_error())) {
1434 do {
1435 log_error_write(srv, __FILE__, __LINE__, "sdds",
1436 "SSL:", ssl_r, ret,
1437 ERR_error_string(err, NULL));
1438 } while((err = ERR_get_error()));
1439 } else if (errno != 0) {
1440 /*ssl bug (see lighttpd ticket #2213): sometimes errno==0*/
1441 switch(errno) {
1442 case EPIPE:
1443 case ECONNRESET:
1444 break;
1445 default:
1446 log_error_write(srv, __FILE__, __LINE__, "sddds",
1447 "SSL (error):", ssl_r, ret, errno,
1448 strerror(errno));
1449 break;
1450 }
1451 }
1452
1453 break;
1454 default:
1455 while((err = ERR_get_error())) {
1456 log_error_write(srv, __FILE__, __LINE__, "sdds",
1457 "SSL:", ssl_r, ret,
1458 ERR_error_string(err, NULL));
1459 }
1460
1461 break;
1462 }
1463 }
1464 ERR_clear_error();
1465 }
1466
1467 return HANDLER_GO_ON;
1468 }
1469
1470
1471 CONNECTION_FUNC(mod_openssl_handle_con_close)
1472 {
1473 plugin_data *p = p_d;
1474 handler_ctx *hctx = con->plugin_ctx[p->id];
1475 if (NULL != hctx) {
1476 handler_ctx_free(hctx);
1477 con->plugin_ctx[p->id] = NULL;
1478 }
1479
1480 UNUSED(srv);
1481 return HANDLER_GO_ON;
1482 }
1483
1484
1485 static void
1486 https_add_ssl_client_entries (server *srv, connection *con, handler_ctx *hctx)
1487 {
1488 X509 *xs;
1489 X509_NAME *xn;
1490 int i, nentries;
1491
1492 long vr = SSL_get_verify_result(hctx->ssl);
1493 if (vr != X509_V_OK) {
1494 char errstr[256];
1495 ERR_error_string_n(vr, errstr, sizeof(errstr));
1496 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("FAILED:"));
1497 buffer_append_string(srv->tmp_buf, errstr);
1498 array_set_key_value(con->environment,
1499 CONST_STR_LEN("SSL_CLIENT_VERIFY"),
1500 CONST_BUF_LEN(srv->tmp_buf));
1501 return;
1502 } else if (!(xs = SSL_get_peer_certificate(hctx->ssl))) {
1503 array_set_key_value(con->environment,
1504 CONST_STR_LEN("SSL_CLIENT_VERIFY"),
1505 CONST_STR_LEN("NONE"));
1506 return;
1507 } else {
1508 array_set_key_value(con->environment,
1509 CONST_STR_LEN("SSL_CLIENT_VERIFY"),
1510 CONST_STR_LEN("SUCCESS"));
1511 }
1512
1513 xn = X509_get_subject_name(xs);
1514 {
1515 char buf[256];
1516 int len = safer_X509_NAME_oneline(xn, buf, sizeof(buf));
1517 if (len > 0) {
1518 if (len >= (int)sizeof(buf)) len = (int)sizeof(buf)-1;
1519 array_set_key_value(con->environment,
1520 CONST_STR_LEN("SSL_CLIENT_S_DN"),
1521 buf, (size_t)len);
1522 }
1523 }
1524 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
1525 for (i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
1526 int xobjnid;
1527 const char * xobjsn;
1528 X509_NAME_ENTRY *xe;
1529
1530 if (!(xe = X509_NAME_get_entry(xn, i))) {
1531 continue;
1532 }
1533 xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
1534 xobjsn = OBJ_nid2sn(xobjnid);
1535 if (xobjsn) {
1536 buffer_string_set_length(srv->tmp_buf,sizeof("SSL_CLIENT_S_DN_")-1);
1537 buffer_append_string(srv->tmp_buf, xobjsn);
1538 array_set_key_value(con->environment,
1539 CONST_BUF_LEN(srv->tmp_buf),
1540 (const char*)X509_NAME_ENTRY_get_data(xe)->data,
1541 X509_NAME_ENTRY_get_data(xe)->length);
1542 }
1543 }
1544
1545 {
1546 ASN1_INTEGER *xsn = X509_get_serialNumber(xs);
1547 BIGNUM *serialBN = ASN1_INTEGER_to_BN(xsn, NULL);
1548 char *serialHex = BN_bn2hex(serialBN);
1549 array_set_key_value(con->environment,
1550 CONST_STR_LEN("SSL_CLIENT_M_SERIAL"),
1551 serialHex, strlen(serialHex));
1552 OPENSSL_free(serialHex);
1553 BN_free(serialBN);
1554 }
1555
1556 if (!buffer_string_is_empty(hctx->conf.ssl_verifyclient_username)) {
1557 /* pick one of the exported values as "REMOTE_USER", for example
1558 * ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
1559 * or
1560 * ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
1561 */
1562 data_string *ds = (data_string *)
1563 array_get_element_klen(con->environment,
1564 CONST_BUF_LEN(hctx->conf.ssl_verifyclient_username));
1565 if (ds) { /* same as http_auth.c:http_auth_setenv() */
1566 array_set_key_value(con->environment,
1567 CONST_STR_LEN("REMOTE_USER"),
1568 CONST_BUF_LEN(ds->value));
1569 array_set_key_value(con->environment,
1570 CONST_STR_LEN("AUTH_TYPE"),
1571 CONST_STR_LEN("SSL_CLIENT_VERIFY"));
1572 }
1573 }
1574
1575 if (hctx->conf.ssl_verifyclient_export_cert) {
1576 BIO *bio;
1577 if (NULL != (bio = BIO_new(BIO_s_mem()))) {
1578 data_string *envds;
1579 int n;
1580
1581 PEM_write_bio_X509(bio, xs);
1582 n = BIO_pending(bio);
1583
1584 envds = (data_string *)
1585 array_get_unused_element(con->environment, TYPE_STRING);
1586 if (NULL == envds) {
1587 envds = data_string_init();
1588 }
1589
1590 buffer_copy_string_len(envds->key,CONST_STR_LEN("SSL_CLIENT_CERT"));
1591 buffer_string_prepare_copy(envds->value, n);
1592 BIO_read(bio, envds->value->ptr, n);
1593 BIO_free(bio);
1594 buffer_commit(envds->value, n);
1595 array_replace(con->environment, (data_unset *)envds);
1596 }
1597 }
1598 X509_free(xs);
1599 }
1600
1601
1602 static void
1603 http_cgi_ssl_env (server *srv, connection *con, handler_ctx *hctx)
1604 {
1605 const char *s;
1606 const SSL_CIPHER *cipher;
1607 UNUSED(srv);
1608
1609 s = SSL_get_version(hctx->ssl);
1610 array_set_key_value(con->environment,
1611 CONST_STR_LEN("SSL_PROTOCOL"),
1612 s, strlen(s));
1613
1614 if ((cipher = SSL_get_current_cipher(hctx->ssl))) {
1615 int usekeysize, algkeysize;
1616 char buf[LI_ITOSTRING_LENGTH];
1617 s = SSL_CIPHER_get_name(cipher);
1618 array_set_key_value(con->environment,
1619 CONST_STR_LEN("SSL_CIPHER"),
1620 s, strlen(s));
1621 usekeysize = SSL_CIPHER_get_bits(cipher, &algkeysize);
1622 li_itostrn(buf, sizeof(buf), usekeysize);
1623 array_set_key_value(con->environment,
1624 CONST_STR_LEN("SSL_CIPHER_USEKEYSIZE"),
1625 buf, strlen(buf));
1626 li_itostrn(buf, sizeof(buf), algkeysize);
1627 array_set_key_value(con->environment,
1628 CONST_STR_LEN("SSL_CIPHER_ALGKEYSIZE"),
1629 buf, strlen(buf));
1630 }
1631 }
1632
1633
1634 CONNECTION_FUNC(mod_openssl_handle_request_env)
1635 {
1636 plugin_data *p = p_d;
1637 handler_ctx *hctx = con->plugin_ctx[p->id];
1638 if (NULL == hctx) return HANDLER_GO_ON;
1639 if (hctx->request_env_patched) return HANDLER_GO_ON;
1640 hctx->request_env_patched = 1;
1641
1642 http_cgi_ssl_env(srv, con, hctx);
1643 if (hctx->conf.ssl_verifyclient) {
1644 https_add_ssl_client_entries(srv, con, hctx);
1645 }
1646
1647 return HANDLER_GO_ON;
1648 }
1649
1650
1651 CONNECTION_FUNC(mod_openssl_handle_uri_raw)
1652 {
1653 /* mod_openssl must be loaded prior to mod_auth
1654 * if mod_openssl is configured to set REMOTE_USER based on client cert */
1655 /* mod_openssl must be loaded after mod_extforward
1656 * if mod_openssl config is based on lighttpd.conf remote IP conditional
1657 * using remote IP address set by mod_extforward, *unless* PROXY protocol
1658 * is enabled with extforward.hap-PROXY = "enable", in which case the
1659 * reverse is true: mod_extforward must be loaded after mod_openssl */
1660 plugin_data *p = p_d;
1661 handler_ctx *hctx = con->plugin_ctx[p->id];
1662 if (NULL == hctx) return HANDLER_GO_ON;
1663
1664 mod_openssl_patch_connection(srv, con, hctx);
1665 if (hctx->conf.ssl_verifyclient) {
1666 mod_openssl_handle_request_env(srv, con, p);
1667 }
1668
1669 return HANDLER_GO_ON;
1670 }
1671
1672
1673 CONNECTION_FUNC(mod_openssl_handle_request_reset)
1674 {
1675 plugin_data *p = p_d;
1676 handler_ctx *hctx = con->plugin_ctx[p->id];
1677 if (NULL == hctx) return HANDLER_GO_ON;
1678
1679 hctx->request_env_patched = 0;
1680
1681 UNUSED(srv);
1682 return HANDLER_GO_ON;
1683 }
1684
1685
1686 int mod_openssl_plugin_init (plugin *p);
1687 int mod_openssl_plugin_init (plugin *p)
1688 {
1689 p->version = LIGHTTPD_VERSION_ID;
1690 p->name = buffer_init_string("openssl");
1691 p->init = mod_openssl_init;
1692 p->cleanup = mod_openssl_free;
1693 p->priv_defaults= mod_openssl_set_defaults;
1694
1695 p->handle_connection_accept = mod_openssl_handle_con_accept;
1696 p->handle_connection_shut_wr = mod_openssl_handle_con_shut_wr;
1697 p->handle_connection_close = mod_openssl_handle_con_close;
1698 p->handle_uri_raw = mod_openssl_handle_uri_raw;
1699 p->handle_request_env = mod_openssl_handle_request_env;
1700 p->connection_reset = mod_openssl_handle_request_reset;
1701
1702 p->data = NULL;
1703
1704 return 0;
1705 }
A fast webserver with minimal memory-footprint (lighttpd)