From 82501d24f23719e69c85479595eea28c992bae62 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Thu, 2 Feb 2017 08:48:29 -0500
Subject: [PATCH] [mod_openssl] inherit ssl.* from global scope

inherit ssl.* from global scope if $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* settings

(In earlier versions of lighttpd, specifying ssl.engine = "enable" without specifying ssl.pemfile was a configuration error, so this change should not break any pre-existing and previously working configs)

x-ref: https://github.com/pfsense/FreeBSD-ports/pull/284
---
 src/mod_openssl.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 05bfb964..c8fa2df5 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -113,12 +113,14 @@ FREE_FUNC(mod_openssl_free)
     if (p->config_storage) {
         for (size_t i = 0; i < srv->config_context->used; ++i) {
             plugin_config *s = p->config_storage[i];
+            int copy = s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile);
             buffer_free(s->ssl_pemfile);
             buffer_free(s->ssl_ca_file);
             buffer_free(s->ssl_cipher_list);
             buffer_free(s->ssl_dh_file);
             buffer_free(s->ssl_ec_curve);
             buffer_free(s->ssl_verifyclient_username);
+            if (copy) continue;
             SSL_CTX_free(s->ssl_ctx);
             EVP_PKEY_free(s->ssl_pemfile_pkey);
             X509_free(s->ssl_pemfile_x509);
@@ -433,6 +435,12 @@ network_init_ssl (server *srv, void *p_d)
         if (s->ssl_enabled) {
             if (buffer_string_is_empty(s->ssl_pemfile)) {
+                /* inherit ssl settings from global scope
+                 * (if only ssl.engine = "enable" and no other ssl.* settings)*/
+                if (0 != i && p->config_storage[0]->ssl_enabled) {
+                    s->ssl_ctx = p->config_storage[0]->ssl_ctx;
+                    continue;
+                }
                 /* PEM file is require */
                 log_error_write(srv, __FILE__, __LINE__, "s",
                                 "ssl.pemfile has to be set");
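Review bot: `if (copy) continue;` in mod_openssl_free skips the remainder of the loop body for an inheriting block, not only the `SSL_CTX_free()` of the borrowed context; the function continues past the hunk, so any per-block cleanup that follows `X509_free()` (freeing `s` itself, for instance) is presumably skipped for those blocks and would leak at shutdown. A narrower fix is to drop the `copy`/`continue` pair and clear the alias so the rest of the teardown runs unchanged: `if (s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile)) s->ssl_ctx = NULL; /* borrowed from config_storage[0], not owned here */` immediately before `SSL_CTX_free(s->ssl_ctx);`. The condition is also wider than the one network_init_ssl uses to share the context in the next hunk (`0 != i && p->config_storage[0]->ssl_enabled`); for i == 0 with an empty ssl.pemfile the context is never shared and initialization fails, so `ssl_ctx` is presumably still NULL there, but a comment tying the two conditions together would make the ownership rule explicit for the next maintainer.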
@@ -798,6 +806,23 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
         if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
             return HANDLER_ERROR;
         }
+
+        if (0 != i && s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile)){
+            /* inherit ssl settings from global scope (in network_init_ssl())
+             * (if only ssl.engine = "enable" and no other ssl.* settings)*/
+            for (size_t j = 0; j < config->value->used; ++j) {
+                buffer *k = config->value->data[j]->key;
+                if (0 == strncmp(k->ptr, "ssl.", sizeof("ssl.")-1)
+                    && !buffer_is_equal_string(k, CONST_STR_LEN("ssl.engine"))){
+                    log_error_write(srv, __FILE__, __LINE__, "sb",
+                      "ssl.pemfile has to be set in same scope "
+                      "as other ssl.* directives, unless only "
+                      "ssl.engine is set, inheriting ssl.* from "
+                      "global scope", k);
+                    return HANDLER_ERROR;
+                }
+            }
+        }
     }
     if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;
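Review bot: The added comment says the settings are inherited but not why every other `ssl.*` key is rejected, which is the security-relevant part of this check: once ssl.pemfile is absent the socket block borrows the global SSL_CTX wholesale in network_init_ssl(), so a per-socket CA file or client-verification setting (the `ssl_ca_file` / `ssl_verifyclient_*` fields freed in the first hunk) would otherwise be parsed and then silently ignored. Suggest extending the comment: `/* the whole SSL_CTX (cert, key, CA, client-verify settings) is borrowed from the global scope in network_init_ssl(); refuse any other ssl.* directive here so a per-socket override cannot be silently dropped */`. The new `return HANDLER_ERROR;` mirrors the existing one a few lines above, so error handling within the loop stays consistent; mod_openssl_set_defaults starts before the hunk, so whether anything allocated earlier in it needs releasing on this path cannot be confirmed from here.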