Commit Graph

3301 Commits

Author SHA1 Message Date
Glenn Strauss 3119d938cb [mod_webdav] build fix: ifdef live_properties 2020-07-10 21:54:27 -04:00
Glenn Strauss 50ddc8108b [mod_webdav] update rc for PROPFIND allprop
(rc currently ignored in case of PROPFIND allprop)
2020-07-10 21:36:32 -04:00
Glenn Strauss 10b7aedcdb [mod_webdav] fix theoretical NULL dereference
fix theoretical NULL dereference identified by Coverity Scan

possible for PROPFIND with specific atypical choices in lighttpd.conf:
- possible for getcontenttype if no content type matches resource
  and no default type configured in lighttpd.conf
- possible for getetag if etag disabled in lighttpd.conf
2020-07-10 21:34:28 -04:00
Glenn Strauss 2781a3be6d [multiple] address coverity warnings 2020-07-10 21:34:28 -04:00
Glenn Strauss ea58cc6f3f [core] store fd in srv->stdin_fd during setup
(pedantic; no impact)

upon error, server will exit, so the impact of momentarily leaking fd
has no impact.  This commit holds the fd in srv->stdin_fd to address
Coverity warning about leaking fd when using server.bind = "/dev/stdin"
2020-07-10 19:30:24 -04:00
Glenn Strauss 6886e78bca [core] remove unused mbedtls_enabled flag
(initially used during development of mod_mbedtls, but no longer used)
2020-07-10 19:28:12 -04:00
Glenn Strauss 2f5fc68b59 [build] fix typo in src/ EXTRA_DIST 2020-07-10 19:27:42 -04:00
Glenn Strauss c75fd15d7a [build] remove tests/mod-userdir.t from builds
(replaced with src/t/test_mod_userdir.c)
2020-07-10 03:29:42 -04:00
Glenn Strauss be0d11414e [cmake] update deps for src/t/test_* 2020-07-10 03:20:37 -04:00
Glenn Strauss 52fb78459f [cmake] update deps for src/t/test_* 2020-07-10 03:13:08 -04:00
Glenn Strauss f85d1f9070 [core] splaytree_djbhash() in splaytree.h (reuse)
rename and move hashme() from stat_cache.c to splaytree_djbhash() in
splaytree.h for code reuse
2020-07-10 00:02:48 -04:00
Glenn Strauss 0d4c8edd8f [mod_mysql_vhost] deprecated; use mod_vhostdb_mysql
add warning at server startup when mod_mysql_vhost is loaded

mod_vhostdb_mysql subsumes mod_mysql_vhost.  Individual mod_mysql_vhost
directives map one-to-one to keywords in vhostdb.mysql = (...) directive
2020-07-09 23:45:06 -04:00
Glenn Strauss d334eaf1ee [core] uint32_t is plenty large for path names 2020-07-09 23:45:04 -04:00
Glenn Strauss 28f1867c11 quiet clang analyzer scan-build warnings
(expansion of buffer_string_lenth() inline function and CONST_BUF_LEN()
 macro, which always check for NULL, appears to cause the analyzer to
 believe that a pointer might be NULL in cases where it otherwise can
 not be NULL)

2020-07-08 22:51:32 -04:00
Glenn Strauss 98a224a4a2 [mod_openssl] prefer some WolfSSL native APIs
Prefer some WolfSSL native APIs when building with WolfSSL.

However, some functionality in WolfSSL is available only through the
WolfSSL compatibility layer for OpenSSL, so the effort to create a
native mod_wolfssl halted here.
2020-07-08 22:51:32 -04:00
Glenn Strauss ed088f5728 [core] error if s->socket_perms chmod() fails 2020-07-08 22:51:32 -04:00
Glenn Strauss 0ad57da55b [mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
employ fdevent_load_file() to load CRL, X509 cert, and private key files
into memory
2020-07-08 22:51:32 -04:00
Glenn Strauss cc04468762 [core] fdevent_load_file() shared code 2020-07-08 22:51:32 -04:00
Glenn Strauss e00deb5578 [mod_nss] NSS option for TLS (fixes #1218)


mod_nss supports most ssl.* config options supported by mod_openssl

  "alternate ssl backend"
2020-07-08 22:51:32 -04:00
Glenn Strauss 8a1ddce0c2 [mod_openssl] default to set MinProtocol TLSv1.2
(behavior change)

TLSv1.0 and TLSv1.1 are deprecated and no longer supported by major

MinProtocol is configurable, if required:
e.g. ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.1")

2020-07-08 22:51:32 -04:00
Glenn Strauss 8422fa4573 [mod_gnutls] detect certs marked OCSP Must-Staple 2020-07-08 22:51:32 -04:00
Glenn Strauss f56c8e58e4 [mod_openssl] detect certs marked OCSP Must-Staple 2020-07-08 22:51:32 -04:00
Glenn Strauss 1c5def49f6 [mod_webdav] webdav.opts "propfind-depth-infinity"
webdav.opts = ("propfind-depth-infinity" => "enable")
to allow PROPFIND with Depth: infinity   (default "disable")
2020-07-08 22:51:32 -04:00
Glenn Strauss 6bf0b57787 [mod_webdav] unsafe-propfind-follow-symlink option
webdav.opts = ("unsafe-propfind-follow-symlink" => "enable")

This option is unsafe and unsupported.  This option enables non-standard
behavior.  If it works for you, great.  If it does not work for you,
then too bad.

WebDAV resource and collection concepts do not have an equivalence
to unix symlinks.  If "unsafe-propfind-follow-symlink" is "enable",
then lighttpd mod_webdav PROPFIND handling will follow symlinks
if and only if webdav.is_readonly = "enable" is also set.

Allowing symlinks is unsafe in the general case.  Using WebDAV methods
to MOVE a relative symlink does not update the symlink relative target.
LOCK is on the resource (e.g. a symlink), not the target of the symlink.
COPY replaces the resource (e.g. a symlink), not the target of the
symlink.  There are only a few examples of possibly many more reasons
why using symlinks in a WebDAV-writable collection is unsafe.
2020-07-08 22:51:32 -04:00
Glenn Strauss 1a02cd7e33 [mod_webdav] limit webdav_propfind_dir() recursion 2020-07-08 22:51:32 -04:00
Glenn Strauss 965c47c85a [mod_webdav] store webdav.opts as bitflags 2020-07-08 22:51:31 -04:00
Glenn Strauss a479d08b7c [mod_extforward] config warning for module order
expand config warning for module load order to include other TLS modules
2020-07-08 22:51:31 -04:00
Glenn Strauss c0796ee1dd [mod_gnutls] OCSP stapling (#2469) 2020-07-08 22:51:31 -04:00
Glenn Strauss 12e5e745b0 [mod_gnutls] option to override GnuTLS priority
provide option to override GnuTLS priority string
ssl.openssl.ssl-conf-cmd = ("gnutls-override" => "...")
will *entirely* replace the priority string constructed by mod_gnutls.
Admin is responsible to ensure that the override is complete.

A non-zero value for debug.log-ssl-noise = x *in the global scope*
will cause mod_gnutls to print the GnuTLS priority string to the
error log at startup.  debug.log-ssl-noise = 0 in $SERVER["socket"]
scopes can then be used to disable runtime ssl log noise, or
debug.log-ssl-noise can be removed from the global scope after debugging
2020-07-08 22:51:31 -04:00
Glenn Strauss 5bbf0d34ca [mod_openssl] compat with BoringSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss 0563407d09 [TLS] - refresh OCSP responses (#2469)
convenience script that can be run periodically from scheduled job
to refresh OCSP responses used for OCSP stapling
2020-07-08 22:51:31 -04:00
Glenn Strauss b2b6257c7a [mod_openssl] OCSP stapling (fixes #2469)
Define ssl.stapling-file in lighttpd.conf in same scope as ssl.pemfile

  "OCSP Stapling"
2020-07-08 22:51:31 -04:00
Glenn Strauss 60ddaf26c4 [mod_openssl] basic SSL_CONF_cmd for alt TLS libs
provide *basic* (limited) parsing of ssl.openssl.ssl-conf-cmd
for BoringSSL, LibreSSL, WolfSSL
2020-07-08 22:51:31 -04:00
Glenn Strauss 1ba36fda93 [mod_openssl] move SSL_CTX curve conf to new func 2020-07-08 22:51:31 -04:00
Glenn Strauss 3fbedbced2 [mod_openssl] set SSL_OP_PRIORITIZE_CHACHA
set SSL_OP_PRIORITIZE_CHACHA, if available, when
  ssl.honor-cipher-order = "enable"
2020-07-08 22:51:31 -04:00
Glenn Strauss 7d9052c059 [mod_openssl] compat with WolfSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss b4036938de [mod_openssl] compat with LibreSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss c93ecb32a5 [mod_openssl] disable session cache; prefer ticket
reduce memory usage and overhead

many TLSv1.2 implementations support TLSv1.2 session ticket extension
2020-07-08 22:51:31 -04:00
Glenn Strauss 83fb1aed6f [mod_gnutls] ssl.stek-file to specify encrypt key
difference from mod_openssl:

Admin should schedule an independent job to periodically
generate a new STEK before prior STEK lifetime expires.
Only one STEK is active at a time in mod_gnutls.

(more details in prior commit message for mod_openssl)
2020-07-08 22:51:31 -04:00
Glenn Strauss 3e2e8e6d29 [mod_mbedtls] ssl.stek-file to specify encrypt key
difference from mod_openssl:

Admin should schedule an independent job to periodically
generate a new STEK up to 2 times during key lifetime
(mbedtls internals store up to 2 keys)

(more details in prior commit message for mod_openssl)
2020-07-08 22:51:31 -04:00
Glenn Strauss 32a2145f67 [mod_openssl] ssl.stek-file to specify encrypt key
ssl.stek-file to specify session ticket encryption key (STEK)
If ssl.stek-file is specified, it overrides builtin STEK rotation.
STEK file is checked for changes (stat()) once every 64 seconds.

STEK file should be stored in non-persistent storage,
  e.g. /dev/shm/lighttpd/stek-file  (in memory)
with appropriate permissions set to keep stek-file from being
read by other users.  Where possible, systems should also be
configured without swap.

Admin should schedule an independent job to periodically
generate a new STEK up to 3 times during key lifetime
(lighttpd stores up to 3 keys)

format of binary file is:
   4-byte - format version (always 0; for use if format changes)
   4-byte - activation timestamp
   4-byte - expiration timestamp
  16-byte - session ticket key name
  32-byte - session ticket HMAC encrpytion key
  32-byte - session ticket AES encrpytion key

STEK file can be created with a command such as:
  dd if=/dev/random bs=1 count=80 status=none | \
    perl -e 'print pack("iii",0,time()+300,time()+86400),<>' \
    > STEK-file.$$ && mv STEK-file.$$ STEK-file

The above delays activation time by 5 mins (+300 sec) to allow file to
be propagated to other machines.  (admin must handle this independently)
If STEK generation is performed immediately prior to starting lighttpd,
admin should activate keys immediately (without +300).
2020-07-08 22:51:31 -04:00
Glenn Strauss 953fa4ba4d [mod_openssl] rotate session ticket encryption key
server ticket encryption key (STEK) rotation occurs every 28800 seconds
(8 hours) and upon lighttpd server restart.  While lighttpd is running,
(3) encryption keys are preserved, so tickets expire after 1 day.

If using lighttpd with multiple lighttpd workers, then restarting
lighttpd keeps the STEK in sync between lighttpd workers, though
restarting lighttpd three times a day might not be palatable.
Work is in progress to allow admin to supply new encryption keys.
2020-07-08 22:51:31 -04:00
Glenn Strauss 6d62a498a2 [core] more precise check for request stream flags 2020-07-08 22:51:31 -04:00
Glenn Strauss 9570cc2f5c [doc] update comments in doc/config/modules.conf 2020-07-08 22:51:31 -04:00
Glenn Strauss 7b9230ee51 [core] safe memset calls memset() through volatile
safe_memclear() calls memset() through volatile func ptr
2020-07-08 22:51:31 -04:00
Glenn Strauss 6f2dcc58cd [core] SecureZeroMemory() on _WIN32 2020-07-08 22:51:31 -04:00
Glenn Strauss 10c65e88f7 [mod_openssl] update default DH params
update default DH params to use RFC 7919 FFDHE2048 2048-bit group
if ssl.dh-file is not specified
2020-07-08 22:51:31 -04:00
Glenn Strauss 27dbac34a8 [mod_openssl] use openssl feature define for ALPN
use #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
rather than checking OPENSSL_VERSION_NUMBER >= 0x10002000 (1.0.2)
2020-07-08 22:51:31 -04:00
Glenn Strauss bdb3040f14 [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
use [mod_openssl] SSL_OP_NO_RENEGOTIATION if available
(openssl 1.1.0 and later)
2020-07-08 22:51:31 -04:00
Glenn Strauss 3403382261 [mod_openssl] issue warning for deprecated options 2020-07-08 22:51:31 -04:00