From 93fd9ea7a43db9223d4d2d17b8549cf17d769735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Fri, 30 Aug 2013 13:14:50 +0000
Subject: [PATCH] [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

if ssl.empty-fragments is set to enabled, but the openssl version used to compile lighttpd doesn't support empty fragments, a warning is displayed (it might still work).

From: Stefan Bühler

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2891 152afb58-edef-0310-8abb-c4023f1b3aa9
---
 NEWS | 1 +
 src/base.h | 1 +
 src/configfile.c | 6 ++++++
 src/network.c | 10 ++++++++++
 4 files changed, 18 insertions(+)

diff --git a/NEWS b/NEWS
index cc42ebc4..24e3e370 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ NEWS
   * [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
   * [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
   * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
+  * [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
 
 - 1.4.32 - 2012-11-21
   * Code cleanup with clang/sparse (fixes #2437, thx kibi)
diff --git a/src/base.h b/src/base.h
index 90b2847d..1dcaaeed 100644
--- a/src/base.h
+++ b/src/base.h
@@ -278,6 +278,7 @@ typedef struct {
 	buffer *ssl_dh_file;
 	buffer *ssl_ec_curve;
 	unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+	unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
 	unsigned short ssl_use_sslv2;
 	unsigned short ssl_use_sslv3;
 	unsigned short ssl_verifyclient;
diff --git a/src/configfile.c b/src/configfile.c
index 15cc6e44..b4d672d8 100644
--- a/src/configfile.c
+++ b/src/configfile.c
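Review bot: The comment on the new `ssl_empty_fragments` field in the base.h hunk is a double negative ("whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS") and says nothing about what that bit controls, so the struct, which is the only place this patch documents the option, does not tell a reader why anyone would turn it on. OpenSSL documents that option bit as disabling its empty-fragment countermeasure for CBC ciphers under SSLv3/TLS 1.0, so the field really means "re-enable the countermeasure"; I would write `unsigned short ssl_empty_fragments; /* 1: clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS so OpenSSL inserts empty fragments (CBC countermeasure for SSLv3/TLS1.0); 0 (default): leave it set for clients that cannot handle the extra record */`. The typedef the field belongs to begins before the hunk.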
@@ -107,6 +107,7 @@ static int config_insert(server *srv) {
 	{ "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
 	{ "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
 	{ "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
+	{ "ssl.empty-fragments", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 67 */
 
 	{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 	{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -179,6 +180,7 @@ static int config_insert(server *srv) {
 	s->use_xattr = 0;
 	s->ssl_enabled = 0;
 	s->ssl_honor_cipher_order = 1;
+	s->ssl_empty_fragments = 0;
 	s->ssl_use_sslv2 = 0;
 	s->ssl_use_sslv3 = 1;
 	s->use_ipv6 = 0;
@@ -250,6 +252,7 @@ static int config_insert(server *srv) {
 	cv[63].destination = s->ssl_dh_file;
 	cv[64].destination = s->ssl_ec_curve;
 	cv[66].destination = &(s->ssl_honor_cipher_order);
+	cv[67].destination = &(s->ssl_empty_fragments);
 
 	cv[49].destination = &(s->etag_use_inode);
 	cv[50].destination = &(s->etag_use_mtime);
@@ -343,6 +346,7 @@ int config_setup_connection(server *srv, connection *con) {
 	PATCH(ssl_dh_file);
 	PATCH(ssl_ec_curve);
 	PATCH(ssl_honor_cipher_order);
+	PATCH(ssl_empty_fragments);
 	PATCH(ssl_use_sslv2);
 	PATCH(ssl_use_sslv3);
 	PATCH(etag_use_inode);
@@ -411,6 +415,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
 				PATCH(ssl_ca_file);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
 				PATCH(ssl_honor_cipher_order);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
+				PATCH(ssl_empty_fragments);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
 				PATCH(ssl_use_sslv2);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
diff --git a/src/network.c b/src/network.c
index e368a524..395dfae9 100644
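Review bot: The new `ssl.empty-fragments` entry in the `@@ -107` hunk is a boolean whose effect is not explained anywhere a user or maintainer would look: the table entry carries only the index comment `/* 67 */`, and the diffstat shows no documentation change beyond the NEWS line. A short comment on the entry would carry the intent, e.g. `/* 67: clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (re-enable OpenSSL's CBC empty-fragment countermeasure); default 0 for client compatibility */`, and if the project keeps option documentation the new key belongs there next to `ssl.honor-cipher-order`. The index 67 is repeated by hand as `cv[67].destination` in the `@@ -250` hunk, so the two must be kept in step if the table is ever reordered; a comment noting that coupling at the `cv[67]` line would help. The bodies of `config_insert`, `config_setup_connection` and `config_patch_connection` all start and end outside these hunks.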
--- a/src/network.c
+++ b/src/network.c
@@ -613,6 +613,16 @@ int network_init(server *srv) {
 			return -1;
 		}
 
+		if (s->ssl_empty_fragments) {
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+			ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#else
+			ssloptions &= ~0x00000800L; /* hardcode constant */
+			log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
+				"'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
+#endif
+		}
+
 		SSL_CTX_set_options(s->ssl_ctx, ssloptions);
 		SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
 
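Review bot: Clearing the hard-coded bit `0x00000800L` in the `#else` branch of the `@@ -613` hunk contradicts the warning logged right after it: if the headers lack `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` the library most likely does not implement empty fragments, so the clear is at best a no-op, and in any other library variant the meaning of that bit is unknown, so it is a guess rather than a fix. I would drop `ssloptions &= ~0x00000800L;` and keep only the warning, or at least replace `/* hardcode constant */` with a comment stating it is the historical value of that macro so nobody reads it as verified. When the macro is defined, the branch re-enables OpenSSL's empty-fragment countermeasure for the known weakness of CBC ciphers under SSLv3/TLS 1.0 at the cost of compatibility with clients that reject the extra record, which deserves a comment such as `/* SSL_OP_ALL sets DONT_INSERT_EMPTY_FRAGMENTS; clearing it restores OpenSSL's CBC countermeasure (SSLv3/TLS1.0) but breaks some legacy clients */` — assuming `ssloptions` is seeded from `SSL_OP_ALL` earlier in `network_init`, which I cannot see from the hunk. `network_init`'s body continues both before and after this hunk.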