# Revision 2815 Index: src/http_auth_digest.c =================================================================== --- src/http_auth_digest.c (.../tags/lighttpd-1.4.29) +++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x) @@ -1,26 +0,0 @@ -#include "buffer.h" - -#include "http_auth_digest.h" - -#include - -#ifndef USE_OPENSSL -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - -void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { - unsigned short i; - - for (i = 0; i < HASHLEN; i++) { - Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); - Hex[i*2+1] = int2hex(Bin[i] & 0xf); - } - Hex[HASHHEXLEN] = '\0'; -} - Index: src/http_auth_digest.h =================================================================== --- src/http_auth_digest.h (.../tags/lighttpd-1.4.29) +++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x) @@ -1,24 +0,0 @@ -#ifndef _DIGCALC_H_ -#define _DIGCALC_H_ - -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#define HASHLEN 16 -typedef unsigned char HASH[HASHLEN]; -#define HASHHEXLEN 32 -typedef char HASHHEX[HASHHEXLEN+1]; -#ifdef USE_OPENSSL -#define IN const -#else -#define IN -#endif -#define OUT - -void CvtHex( - IN HASH Bin, - OUT HASHHEX Hex - ); - -#endif Index: src/network_write.c =================================================================== --- src/network_write.c (.../tags/lighttpd-1.4.29) +++ src/network_write.c (.../branches/lighttpd-1.4.x) @@ -24,17 +24,16 @@ # include #endif -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; if (c->mem->used == 0) { @@ -44,6 +43,8 @@ offset = c->mem->ptr + c->offset; toSend = c->mem->used - 1 - c->offset; + if (toSend > max_bytes) toSend = max_bytes; + #ifdef __WIN32 if ((r = send(fd, offset, toSend, 0)) < 0) { /* no error handling for windows... */ @@ -72,6 +73,7 @@ c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == (off_t)c->mem->used - 1) { chunk_finished = 1; @@ -85,7 +87,7 @@ #endif ssize_t r; off_t offset; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; int ifd; @@ -98,6 +100,8 @@ offset = c->file.start + c->offset; toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; + if (offset > sce->st.st_size) { log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); @@ -181,6 +185,7 @@ c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -200,11 +205,9 @@ break; } - - chunks_written++; } - return chunks_written; + return 0; } #if 0 Index: src/mod_secure_download.c =================================================================== --- src/mod_secure_download.c (.../tags/lighttpd-1.4.29) +++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) @@ -8,18 +8,8 @@ #include #include -#ifdef USE_OPENSSL -# include -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 @@ -200,7 +190,7 @@ URIHANDLER_FUNC(mod_secdownload_uri_handler) { plugin_data *p = p_d; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; const char *rel_uri, *ts_str, *md5_str; time_t ts = 0; @@ -266,9 +256,9 @@ buffer_append_string(p->md5, rel_uri); buffer_append_string_len(p->md5, ts_str, 8); - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(p->md5, (char *)HA1, 16); Index: src/base.h =================================================================== --- src/base.h (.../tags/lighttpd-1.4.29) +++ src/base.h (.../branches/lighttpd-1.4.x) @@ -277,6 +277,7 @@ buffer *ssl_cipher_list; buffer *ssl_dh_file; buffer *ssl_ec_curve; + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ unsigned short ssl_use_sslv2; unsigned short ssl_use_sslv3; unsigned short ssl_verifyclient; @@ -284,6 +285,7 @@ unsigned short ssl_verifyclient_depth; buffer *ssl_verifyclient_username; unsigned short ssl_verifyclient_export_cert; + unsigned short ssl_disable_client_renegotiation; unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ unsigned short defer_accept; @@ -437,6 +439,7 @@ # ifndef OPENSSL_NO_TLSEXT buffer *tlsext_server_name; # endif + unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ #endif /* etag handling */ etag_flags_t etag_flags; @@ -647,11 +650,9 @@ fdevent_handler_t event_handler; - int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); - int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); + int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); #ifdef USE_OPENSSL - int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); - int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); + int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif uid_t uid; Index: src/connections.c =================================================================== --- src/connections.c (.../tags/lighttpd-1.4.29) +++ src/connections.c (.../branches/lighttpd-1.4.x) @@ -223,6 +223,12 @@ len = SSL_read(con->ssl, b->ptr + read_offset, toread); + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + connection_set_state(srv, con, CON_STATE_ERROR); + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + if (len > 0) { if (b->used > 0) b->used--; b->used += len; @@ -445,6 +451,7 @@ default: switch(con->http_status) { case 400: /* bad request */ + case 401: /* authorization required */ case 414: /* overload request header */ case 505: /* unknown protocol */ case 207: /* this was webdav */ @@ -617,8 +624,9 @@ } static int connection_handle_write(server *srv, connection *con) { - switch(network_write_chunkqueue(srv, con, con->write_queue)) { + switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { case 0: + con->write_request_ts = srv->cur_ts; if (con->file_finished) { connection_set_state(srv, con, CON_STATE_RESPONSE_END); joblist_append(srv, con); @@ -635,6 +643,7 @@ joblist_append(srv, con); break; case 1: + con->write_request_ts = srv->cur_ts; con->is_writable = 0; /* not finished yet -> WRITE */ @@ -1251,8 +1260,6 @@ log_error_write(srv, __FILE__, __LINE__, "ds", con->fd, "handle write failed."); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } @@ -1352,6 +1359,7 @@ return NULL; } + con->renegotiations = 0; #ifndef OPENSSL_NO_TLSEXT SSL_set_app_data(con->ssl, con); #endif @@ -1667,8 +1675,6 @@ con->fd, "handle write failed."); connection_set_state(srv, con, CON_STATE_ERROR); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } Index: src/mod_staticfile.c =================================================================== --- src/mod_staticfile.c (.../tags/lighttpd-1.4.29) +++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) @@ -26,6 +26,7 @@ typedef struct { array *exclude_ext; unsigned short etags_used; + unsigned short disable_pathinfo; } plugin_config; typedef struct { @@ -84,6 +85,7 @@ config_values_t cv[] = { { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ + { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } }; @@ -97,9 +99,11 @@ s = calloc(1, sizeof(plugin_config)); s->exclude_ext = array_init(); s->etags_used = 1; + s->disable_pathinfo = 0; cv[0].destination = s->exclude_ext; cv[1].destination = &(s->etags_used); + cv[2].destination = &(s->disable_pathinfo); p->config_storage[i] = s; @@ -119,6 +123,7 @@ PATCH(exclude_ext); PATCH(etags_used); + PATCH(disable_pathinfo); /* skip the first, the global context */ for (i = 1; i < srv->config_context->used; i++) { @@ -136,7 +141,9 @@ PATCH(exclude_ext); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { PATCH(etags_used); - } + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { + PATCH(disable_pathinfo); + } } } @@ -350,7 +357,6 @@ URIHANDLER_FUNC(mod_staticfile_subrequest) { plugin_data *p = p_d; size_t k; - int s_len; stat_cache_entry *sce = NULL; buffer *mtime = NULL; data_string *ds; @@ -376,7 +382,12 @@ mod_staticfile_patch_connection(srv, con, p); - s_len = con->uri.path->used - 1; + if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { + if (con->conf.log_request_handling) { + log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); + } + return HANDLER_GO_ON; + } /* ignore certain extensions */ for (k = 0; k < p->conf.exclude_ext->used; k++) { Index: src/network.c =================================================================== --- src/network.c (.../tags/lighttpd-1.4.29) +++ src/network.c (.../branches/lighttpd-1.4.x) @@ -27,6 +27,19 @@ # include #endif +#ifdef USE_OPENSSL +static void ssl_info_callback(const SSL *ssl, int where, int ret) { + UNUSED(ret); + + if (0 != (where & SSL_CB_HANDSHAKE_START)) { + connection *con = SSL_get_app_data(ssl); + ++con->renegotiations; + } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} +#endif + static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { server_socket *srv_socket = (server_socket *)context; connection *con; @@ -480,9 +493,11 @@ network_backend_t backend; #if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; int nid; #endif +#endif #ifdef USE_OPENSSL DH *dh; @@ -553,6 +568,11 @@ /* load SSL certificates */ for (i = 0; i < srv->config_context->used; i++) { specific_config *s = srv->config_storage[i]; +#ifndef SSL_OP_NO_COMPRESSION +# define SSL_OP_NO_COMPRESSION 0 +#endif + long ssloptions = + SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; if (buffer_is_empty(s->ssl_pemfile)) continue; @@ -586,6 +606,9 @@ return -1; } + SSL_CTX_set_options(s->ssl_ctx, ssloptions); + SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); + if (!s->ssl_use_sslv2) { /* disable SSLv2 */ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { @@ -611,6 +634,10 @@ ERR_error_string(ERR_get_error(), NULL)); return -1; } + + if (s->ssl_honor_cipher_order) { + SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } } /* Support for Diffie-Hellman key exchange */ @@ -847,7 +874,7 @@ return 0; } -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { int ret = -1; off_t written = 0; #ifdef TCP_CORK @@ -855,16 +882,34 @@ #endif server_socket *srv_socket = con->srv_socket; - if (con->conf.global_kbytes_per_second && - *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { - /* we reached the global traffic limit */ + if (con->conf.global_kbytes_per_second) { + off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); + if (limit <= 0) { + /* we reached the global traffic limit */ - con->traffic_limit_reached = 1; - joblist_append(srv, con); + con->traffic_limit_reached = 1; + joblist_append(srv, con); - return 1; + return 1; + } else { + if (max_bytes > limit) max_bytes = limit; + } } + if (con->conf.kbytes_per_second) { + off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; + if (limit <= 0) { + /* we reached the traffic limit */ + + con->traffic_limit_reached = 1; + joblist_append(srv, con); + + return 1; + } else { + if (max_bytes > limit) max_bytes = limit; + } + } + written = cq->bytes_out; #ifdef TCP_CORK @@ -879,10 +924,10 @@ if (srv_socket->is_ssl) { #ifdef USE_OPENSSL - ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); + ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); #endif } else { - ret = srv->network_backend_write(srv, con, con->fd, cq); + ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); } if (ret >= 0) { @@ -903,12 +948,5 @@ *(con->conf.global_bytes_per_second_cnt_ptr) += written; - if (con->conf.kbytes_per_second && - (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { - /* we reached the traffic limit */ - - con->traffic_limit_reached = 1; - joblist_append(srv, con); - } return ret; } Index: src/network.h =================================================================== --- src/network.h (.../tags/lighttpd-1.4.29) +++ src/network.h (.../branches/lighttpd-1.4.x) @@ -3,7 +3,7 @@ #include "server.h" -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); int network_init(server *srv); int network_close(server *srv); Index: src/configfile.c =================================================================== --- src/configfile.c (.../tags/lighttpd-1.4.29) +++ src/configfile.c (.../branches/lighttpd-1.4.x) @@ -105,6 +105,8 @@ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ + { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, @@ -176,6 +178,7 @@ s->max_write_idle = 360; s->use_xattr = 0; s->is_ssl = 0; + s->ssl_honor_cipher_order = 1; s->ssl_use_sslv2 = 0; s->ssl_use_sslv3 = 1; s->use_ipv6 = 0; @@ -199,6 +202,7 @@ s->ssl_verifyclient_username = buffer_init(); s->ssl_verifyclient_depth = 9; s->ssl_verifyclient_export_cert = 0; + s->ssl_disable_client_renegotiation = 1; cv[2].destination = s->errorfile_prefix; @@ -245,6 +249,8 @@ cv[62].destination = &(s->ssl_use_sslv3); cv[63].destination = s->ssl_dh_file; cv[64].destination = s->ssl_ec_curve; + cv[66].destination = &(s->ssl_honor_cipher_order); + cv[49].destination = &(s->etag_use_inode); cv[50].destination = &(s->etag_use_mtime); cv[51].destination = &(s->etag_use_size); @@ -255,6 +261,7 @@ cv[58].destination = &(s->ssl_verifyclient_depth); cv[59].destination = s->ssl_verifyclient_username; cv[60].destination = &(s->ssl_verifyclient_export_cert); + cv[65].destination = &(s->ssl_disable_client_renegotiation); srv->config_storage[i] = s; @@ -335,6 +342,7 @@ PATCH(ssl_cipher_list); PATCH(ssl_dh_file); PATCH(ssl_ec_curve); + PATCH(ssl_honor_cipher_order); PATCH(ssl_use_sslv2); PATCH(ssl_use_sslv3); PATCH(etag_use_inode); @@ -346,6 +354,7 @@ PATCH(ssl_verifyclient_depth); PATCH(ssl_verifyclient_username); PATCH(ssl_verifyclient_export_cert); + PATCH(ssl_disable_client_renegotiation); return 0; } @@ -400,6 +409,8 @@ #endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { + PATCH(ssl_honor_cipher_order); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { PATCH(ssl_use_sslv2); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { @@ -454,6 +465,8 @@ PATCH(ssl_verifyclient_username); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { PATCH(ssl_verifyclient_export_cert); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { + PATCH(ssl_disable_client_renegotiation); } } } Index: src/mod_scgi.c =================================================================== --- src/mod_scgi.c (.../tags/lighttpd-1.4.29) +++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) @@ -2296,7 +2296,7 @@ /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); Index: src/request.c =================================================================== --- src/request.c (.../tags/lighttpd-1.4.29) +++ src/request.c (.../branches/lighttpd-1.4.x) @@ -49,7 +49,7 @@ if (++colon_cnt > 7) { return -1; } - } else if (!light_isxdigit(*c)) { + } else if (!light_isxdigit(*c) && '.' != *c) { return -1; } } Index: src/network_backends.h =================================================================== --- src/network_backends.h (.../tags/lighttpd-1.4.29) +++ src/network_backends.h (.../branches/lighttpd-1.4.x) @@ -47,18 +47,18 @@ #include "base.h" /* return values: - * >= 0 : chunks completed + * >= 0 : no error * -1 : error (on our side) * -2 : remote close */ -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); #ifdef USE_OPENSSL -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif #endif Index: src/SConscript =================================================================== --- src/SConscript (.../tags/lighttpd-1.4.29) +++ src/SConscript (.../branches/lighttpd-1.4.x) @@ -12,7 +12,8 @@ data_integer.c md5.c data_fastcgi.c \ fdevent_select.c fdevent_libev.c \ fdevent_poll.c fdevent_linux_sysepoll.c \ - fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ + fdevent_solaris_devpoll.c fdevent_solaris_port.c \ + fdevent_freebsd_kqueue.c \ data_config.c bitset.c \ inet_ntop_cache.c crc32.c \ connections-glue.c \ @@ -62,7 +63,7 @@ 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_auth' : { - 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], + 'src' : [ 'mod_auth.c', 'http_auth.c' ], 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, Index: src/mod_cml_funcs.c =================================================================== --- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29) +++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) @@ -17,18 +17,8 @@ #include #include -#ifdef USE_OPENSSL -# include -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 @@ -43,7 +33,7 @@ #ifdef HAVE_LUA_H int f_crypto_md5(lua_State *L) { - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; buffer b; char hex[33]; @@ -63,9 +53,9 @@ lua_error(L); } - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(&b, (char *)HA1, 16); Index: src/mod_userdir.c =================================================================== --- src/mod_userdir.c (.../tags/lighttpd-1.4.29) +++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) @@ -166,7 +166,6 @@ URIHANDLER_FUNC(mod_userdir_docroot_handler) { plugin_data *p = p_d; - int uri_len; size_t k; char *rel_url; #ifdef HAVE_PWD_H @@ -182,8 +181,6 @@ */ if (p->conf.path->used == 0) return HANDLER_GO_ON; - uri_len = con->uri.path->used - 1; - /* /~user/foo.html -> /home/user/public_html/foo.html */ if (con->uri.path->ptr[0] != '/' || Index: src/mod_proxy.c =================================================================== --- src/mod_proxy.c (.../tags/lighttpd-1.4.29) +++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) @@ -825,7 +825,7 @@ /* fall through */ case PROXY_STATE_WRITE:; - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); Index: src/Makefile.am =================================================================== --- src/Makefile.am (.../tags/lighttpd-1.4.29) +++ src/Makefile.am (.../branches/lighttpd-1.4.x) @@ -241,7 +241,7 @@ mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) lib_LTLIBRARIES += mod_auth.la -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c +mod_auth_la_SOURCES = mod_auth.c http_auth.c mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) @@ -268,7 +268,7 @@ hdr = server.h buffer.h network.h log.h keyvalue.h \ response.h request.h fastcgi.h chunk.h \ - settings.h http_chunk.h http_auth_digest.h \ + settings.h http_chunk.h \ md5.h http_auth.h stream.h \ fdevent.h connections.h base.h stat_cache.h \ plugin.h mod_auth.h \ Index: src/network_writev.c =================================================================== --- src/network_writev.c (.../tags/lighttpd-1.4.29) +++ src/network_writev.c (.../branches/lighttpd-1.4.x) @@ -30,17 +30,16 @@ #define LOCAL_BUFFERING 1 #endif -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -65,12 +64,10 @@ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" #endif - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < max_chunks - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); @@ -87,9 +84,9 @@ chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -121,6 +118,7 @@ } cq->bytes_out += r; + max_bytes -= r; /* check which chunks have been written */ @@ -132,11 +130,10 @@ if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -284,6 +281,8 @@ assert(toSend < 0); } + if (toSend > max_bytes) toSend = max_bytes; + #ifdef LOCAL_BUFFERING start = c->mem->ptr; #else @@ -309,6 +308,7 @@ c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -334,11 +334,9 @@ break; } - - chunks_written++; } - return chunks_written; + return 0; } #endif Index: src/network_freebsd_sendfile.c =================================================================== --- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29) +++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) @@ -31,17 +31,16 @@ # endif #endif -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -49,12 +48,10 @@ chunk *tc; size_t num_bytes = 0; - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < UIO_MAXIOV - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); @@ -69,9 +66,9 @@ chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -105,6 +102,7 @@ /* check which chunks have been written */ cq->bytes_out += r; + max_bytes -= r; for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { if (r >= (ssize_t)chunks[i].iov_len) { @@ -114,11 +112,10 @@ if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -134,7 +131,7 @@ } case FILE_CHUNK: { off_t offset, r; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { @@ -144,9 +141,8 @@ } offset = c->file.start + c->offset; - /* limit the toSend to 2^31-1 bytes in a chunk */ - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? - ((1 << 30) - 1) : c->file.length - c->offset; + toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (-1 == c->file.fd) { if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { @@ -197,6 +193,7 @@ c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -218,7 +215,7 @@ } } - return chunks_written; + return 0; } #endif Index: src/network_openssl.c =================================================================== --- src/network_openssl.c (.../tags/lighttpd-1.4.29) +++ src/network_openssl.c (.../branches/lighttpd-1.4.x) @@ -27,10 +27,9 @@ # include # include -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { int ssl_r; chunk *c; - size_t chunks_written = 0; /* this is a 64k sendbuffer * @@ -59,13 +58,13 @@ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); } - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; if (c->mem->used == 0 || c->mem->used == 1) { @@ -75,6 +74,7 @@ offset = c->mem->ptr + c->offset; toSend = c->mem->used - 1 - c->offset; + if (toSend > max_bytes) toSend = max_bytes; /** * SSL_write man-page @@ -87,7 +87,14 @@ */ ERR_clear_error(); - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { + r = SSL_write(ssl, offset, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -139,6 +146,7 @@ } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } if (c->offset == (off_t)c->mem->used - 1) { @@ -168,6 +176,7 @@ do { off_t offset = c->file.start + c->offset; off_t toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; @@ -190,7 +199,14 @@ close(ifd); ERR_clear_error(); - if ((r = SSL_write(ssl, s, toSend)) <= 0) { + r = SSL_write(ssl, s, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -243,12 +259,13 @@ } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } if (c->offset == c->file.length) { chunk_finished = 1; } - } while(!chunk_finished && !write_wait); + } while (!chunk_finished && !write_wait && max_bytes > 0); break; } @@ -263,11 +280,9 @@ break; } - - chunks_written++; } - return chunks_written; + return 0; } #endif Index: src/http_auth.c =================================================================== --- src/http_auth.c (.../tags/lighttpd-1.4.29) +++ src/http_auth.c (.../branches/lighttpd-1.4.x) @@ -1,7 +1,6 @@ #include "server.h" #include "log.h" #include "http_auth.h" -#include "http_auth_digest.h" #include "inet_ntop_cache.h" #include "stream.h" @@ -28,18 +27,23 @@ #include #include -#ifdef USE_OPENSSL -# include -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final +#define HASHLEN 16 +#define HASHHEXLEN 32 +typedef unsigned char HASH[HASHLEN]; +typedef char HASHHEX[HASHHEXLEN+1]; -#endif +static void CvtHex(const HASH Bin, char Hex[33]) { + unsigned short i; + for (i = 0; i < 16; i++) { + Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); + Hex[i*2+1] = int2hex(Bin[i] & 0xf); + } + Hex[32] = '\0'; +} + /** * the $apr1$ handling is taken from apache 1.3.x */ @@ -95,7 +99,7 @@ ch = in[0]; /* run through the whole string, converting as we go */ for (i = 0; i < in_len; i++) { - ch = in[i]; + ch = (unsigned char) in[i]; if (ch == '\0') break; @@ -435,7 +439,7 @@ static void to64(char *s, unsigned long v, int n) { - static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ + static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; while (--n >= 0) { @@ -455,7 +459,7 @@ const char *sp, *ep; unsigned char final[APR_MD5_DIGESTSIZE]; ssize_t sl, pl, i; - MD5_CTX ctx, ctx1; + li_MD5_CTX ctx, ctx1; unsigned long l; /* @@ -487,33 +491,33 @@ /* * 'Time to make the doughnuts..' */ - MD5_Init(&ctx); + li_MD5_Init(&ctx); /* * The password first, since that is what is most unknown */ - MD5_Update(&ctx, pw, strlen(pw)); + li_MD5_Update(&ctx, pw, strlen(pw)); /* * Then our magic string */ - MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); + li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); /* * Then the raw salt */ - MD5_Update(&ctx, sp, sl); + li_MD5_Update(&ctx, sp, sl); /* * Then just as many characters of the MD5(pw, salt, pw) */ - MD5_Init(&ctx1); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Update(&ctx1, sp, sl); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Final(final, &ctx1); + li_MD5_Init(&ctx1); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Final(final, &ctx1); for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { - MD5_Update(&ctx, final, + li_MD5_Update(&ctx, final, (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); } @@ -527,10 +531,10 @@ */ for (i = strlen(pw); i != 0; i >>= 1) { if (i & 1) { - MD5_Update(&ctx, final, 1); + li_MD5_Update(&ctx, final, 1); } else { - MD5_Update(&ctx, pw, 1); + li_MD5_Update(&ctx, pw, 1); } } @@ -542,7 +546,7 @@ strncat(passwd, sp, sl); strcat(passwd, "$"); - MD5_Final(final, &ctx); + li_MD5_Final(final, &ctx); /* * And now, just to make sure things don't run too fast.. @@ -550,28 +554,28 @@ * need 30 seconds to build a 1000 entry dictionary... */ for (i = 0; i < 1000; i++) { - MD5_Init(&ctx1); + li_MD5_Init(&ctx1); if (i & 1) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } else { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } if (i % 3) { - MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, sp, sl); } if (i % 7) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } if (i & 1) { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } else { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } - MD5_Final(final,&ctx1); + li_MD5_Final(final,&ctx1); } p = passwd + strlen(passwd); @@ -614,17 +618,17 @@ * user:realm:md5(user:realm:password) */ - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; char a1[256]; - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); + li_MD5_Final(HA1, &Md5Ctx); CvtHex(HA1, a1); @@ -930,7 +934,7 @@ int i; buffer *password, *b, *username_buf, *realm_buf; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; HASH HA2; HASH RespHash; @@ -1067,13 +1071,13 @@ if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { /* generate password from plain-text */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); + li_MD5_Final(HA1, &Md5Ctx); } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { /* HA1 */ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ @@ -1090,45 +1094,45 @@ if (algorithm && strcasecmp(algorithm, "md5-sess") == 0) { - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Final(HA1, &Md5Ctx); } CvtHex(HA1, a1); /* calculate H(A2) */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); if (qop && strcasecmp(qop, "auth-int") == 0) { - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); } - MD5_Final(HA2, &Md5Ctx); + li_MD5_Final(HA2, &Md5Ctx); CvtHex(HA2, HA2Hex); /* calculate response */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); if (qop && *qop) { - MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); }; - MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); - MD5_Final(RespHash, &Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); + li_MD5_Final(RespHash, &Md5Ctx); CvtHex(RespHash, a2); if (0 != strcmp(a2, respons)) { @@ -1171,24 +1175,24 @@ int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { HASH h; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; char hh[32]; UNUSED(p); /* generate shared-secret */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ LI_ltostr(hh, srv->cur_ts); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); LI_ltostr(hh, rand()); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Final(h, &Md5Ctx); + li_MD5_Final(h, &Md5Ctx); CvtHex(h, out); Index: src/mod_usertrack.c =================================================================== --- src/mod_usertrack.c (.../tags/lighttpd-1.4.29) +++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) @@ -8,18 +8,8 @@ #include #include -#ifdef USE_OPENSSL -# include -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - /* plugin config for all request/connections */ typedef struct { @@ -182,7 +172,7 @@ plugin_data *p = p_d; data_string *ds; unsigned char h[16]; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; char hh[32]; if (con->uri.path->used == 0) return HANDLER_GO_ON; @@ -228,18 +218,18 @@ /* taken from mod_auth.c */ /* generate shared-secret */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ LI_ltostr(hh, srv->cur_ts); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); LI_ltostr(hh, rand()); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Final(h, &Md5Ctx); + li_MD5_Final(h, &Md5Ctx); buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); Index: src/mod_status.c =================================================================== --- src/mod_status.c (.../tags/lighttpd-1.4.29) +++ src/mod_status.c (.../branches/lighttpd-1.4.x) @@ -487,7 +487,7 @@ buffer_append_string_len(b, CONST_STR_LEN("")); - if (con->request.content_length) { + if (c->request.content_length) { buffer_append_long(b, c->request_content_queue->bytes_in); buffer_append_string_len(b, CONST_STR_LEN("/")); buffer_append_long(b, c->request.content_length); Index: src/settings.h =================================================================== --- src/settings.h (.../tags/lighttpd-1.4.29) +++ src/settings.h (.../branches/lighttpd-1.4.x) @@ -21,8 +21,11 @@ * 64kB (no real reason, just a guess) */ #define BUFFER_MAX_REUSE_SIZE (4 * 1024) -#define MAX_READ_LIMIT (4*1024*1024) +/* both should be way smaller than SSIZE_MAX :) */ +#define MAX_READ_LIMIT (256*1024) +#define MAX_WRITE_LIMIT (256*1024) + /** * max size of the HTTP request header * Index: src/mod_cml_lua.c =================================================================== --- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29) +++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) @@ -11,18 +11,6 @@ #include #include -#ifdef USE_OPENSSL -# include -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 Index: src/mod_fastcgi.c =================================================================== --- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29) +++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) @@ -3075,7 +3075,7 @@ fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); @@ -3132,7 +3132,6 @@ plugin_data *p = p_d; handler_ctx *hctx = con->plugin_ctx[p->id]; - fcgi_proc *proc; fcgi_extension_host *host; if (NULL == hctx) return HANDLER_GO_ON; @@ -3201,7 +3200,6 @@ /* ok, create the request */ switch(fcgi_write_request(srv, hctx)) { case HANDLER_ERROR: - proc = hctx->proc; host = hctx->host; if (hctx->state == FCGI_STATE_INIT || Index: src/network_solaris_sendfilev.c =================================================================== --- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29) +++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x) @@ -38,17 +38,16 @@ */ -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -77,9 +76,9 @@ chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -119,11 +118,10 @@ if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -139,8 +137,8 @@ } case FILE_CHUNK: { ssize_t r; - off_t offset; - size_t toSend, written; + off_t offset, toSend; + size_t written; sendfilevec_t fvec; stat_cache_entry *sce = NULL; int ifd; @@ -153,6 +151,7 @@ offset = c->file.start + c->offset; toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (offset > sce->st.st_size) { log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); @@ -186,6 +185,7 @@ close(ifd); c->offset += written; cq->bytes_out += written; + max_bytes -= written; if (c->offset == c->file.length) { chunk_finished = 1; @@ -207,7 +207,7 @@ } } - return chunks_written; + return 0; } #endif Index: src/CMakeLists.txt =================================================================== Index: src/mod_dirlisting.c =================================================================== --- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29) +++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) @@ -657,7 +657,8 @@ i = dir->used - 1; #ifdef HAVE_PATHCONF - if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + /* some broken fs (fuse) return 0 instead of -1 */ #ifdef NAME_MAX name_max = NAME_MAX; #else Index: src/network_linux_sendfile.c =================================================================== --- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29) +++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x) @@ -27,17 +27,16 @@ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ #undef HAVE_POSIX_FADVISE -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { chunk *c; - size_t chunks_written = 0; - for(c = cq->first; c; c = c->next, chunks_written++) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; size_t num_chunks, i; @@ -45,12 +44,10 @@ chunk *tc; size_t num_bytes = 0; - /* we can't send more then SSIZE_MAX bytes in one chunk */ - /* build writev list * * 1. limit: num_chunks < UIO_MAXIOV - * 2. limit: num_bytes < SSIZE_MAX + * 2. limit: num_bytes < max_bytes */ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; @@ -67,9 +64,9 @@ chunks[i].iov_base = offset; /* protect the return value of writev() */ - if (toSend > SSIZE_MAX || - num_bytes + toSend > SSIZE_MAX) { - chunks[i].iov_len = SSIZE_MAX - num_bytes; + if (toSend > max_bytes || + (off_t) num_bytes + toSend > max_bytes) { + chunks[i].iov_len = max_bytes - num_bytes; num_chunks = i + 1; break; @@ -100,6 +97,7 @@ /* check which chunks have been written */ cq->bytes_out += r; + max_bytes -= r; for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { if (r >= (ssize_t)chunks[i].iov_len) { @@ -109,11 +107,10 @@ if (chunk_finished) { /* skip the chunks from further touches */ - chunks_written++; c = c->next; } else { /* chunks_written + c = c->next is done in the for()*/ - chunk_finished++; + chunk_finished = 1; } } else { /* partially written */ @@ -130,13 +127,12 @@ case FILE_CHUNK: { ssize_t r; off_t offset; - size_t toSend; + off_t toSend; stat_cache_entry *sce = NULL; offset = c->file.start + c->offset; - /* limit the toSend to 2^31-1 bytes in a chunk */ - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? - ((1 << 30) - 1) : c->file.length - c->offset; + toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; /* open file if not already opened */ if (-1 == c->file.fd) { @@ -215,6 +211,7 @@ c->offset += r; cq->bytes_out += r; + max_bytes -= r; if (c->offset == c->file.length) { chunk_finished = 1; @@ -243,7 +240,7 @@ } } - return chunks_written; + return 0; } #endif Index: tests/mod-auth.t =================================================================== --- tests/mod-auth.t (.../tags/lighttpd-1.4.29) +++ tests/mod-auth.t (.../branches/lighttpd-1.4.x) @@ -8,7 +8,7 @@ use strict; use IO::Socket; -use Test::More tests => 14; +use Test::More tests => 15; use LightyTest; my $tf = LightyTest->new(); @@ -25,6 +25,14 @@ $t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; +ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); + +$t->{REQUEST} = ( < 44; +use Test::More tests => 46; use LightyTest; my $tf = LightyTest->new(); @@ -413,5 +413,21 @@ $t->{SLOWREQUEST} = 1; ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); +print "\nPathinfo for static files\n"; +$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; +ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); + +$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; +ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); + ok($tf->stop_proc == 0, "Stopping lighttpd"); Index: tests/wrapper.sh =================================================================== --- tests/wrapper.sh (.../tags/lighttpd-1.4.29) +++ tests/wrapper.sh (.../branches/lighttpd-1.4.x) @@ -6,4 +6,4 @@ top_builddir=$2 export SHELL srcdir top_builddir -$3 +exec $3 Index: tests/lighttpd.conf =================================================================== --- tests/lighttpd.conf (.../tags/lighttpd-1.4.29) +++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x) @@ -149,6 +149,7 @@ $HTTP["host"] == "zzz.example.org" { server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" server.name = "zzz.example.org" + static-file.disable-pathinfo = "enable" } $HTTP["host"] == "symlink.example.org" { Index: configure.ac =================================================================== Index: doc/config/lighttpd.conf =================================================================== --- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29) +++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x) @@ -394,6 +394,25 @@ ## $SERVER["socket"] == "10.0.0.1:443" { ## ssl.engine = "enable" ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" +## # +## # Mitigate BEAST attack: +## # +## # A stricter base cipher suite. For details see: +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html +## # +## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## # Make the server prefer the order of the server side cipher suite instead of the client suite. +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). +## # This option is enabled by default, but only used if ssl.ciphers is set. +## # +## # ssl.honor-cipher-order = "enable" +## # +## # Mitigate CVE-2009-3555 by disabling client triggered renegotation +## # This is enabled by default. +## # +## # ssl.disable-client-renegotiation = "enable" +## # ## server.name = "www.example.com" ## ## server.document-root = "/srv/www/vhosts/example.com/www/" Index: SConstruct =================================================================== Index: NEWS =================================================================== --- NEWS (.../tags/lighttpd-1.4.29) +++ NEWS (.../branches/lighttpd-1.4.x) @@ -3,7 +3,20 @@ NEWS ==== -- 1.4.29 - +- 1.4.30 - + * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) + * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. + * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled + * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file + * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) + * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) + * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) + * [ssl] count renegotiations to prevent client renegotiations + * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) + * [core] accept dots in ipv6 addresses in host header (fixes #2359) + * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) + +- 1.4.29 - 2011-07-03 * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) * mod_cgi: make read buffer as big as incoming data block Index: CMakeLists.txt ===================================================================