From b29ae919dfe5ebeef4e921adffa5c848ad89de7a Mon Sep 17 00:00:00 2001 From: Mikel Bancroft Date: Wed, 3 Dec 2014 00:54:05 -0800 Subject: [PATCH] bug22888: Fix buggy ssl arg checking. When establishing an https server using the :ssl-args keyword, net.aserve:start required a :certificate argument even when passed a :context. Now, the function accepts either a valid certificate or context object. Tests: none, added in the ssl module. bug22888: Better ssl arg checking in net.aserve:start Previously, when specifying an https server, net.aserve:start would require a :certficiate argument even if a :context argument was specified. Now, either is acceptable. Change-Id: I890f5d55535a2accf0298fa0dc8d32e10f3f0ad7 --- main.cl | 21 +++++++--- packages.cl | 114 +++++++++++++++++++++------------------------------- 2 files changed, 60 insertions(+), 75 deletions(-) diff --git a/main.cl b/main.cl index 0dedcd03..11e0001e 100644 --- a/main.cl +++ b/main.cl @@ -38,7 +38,7 @@ #+ignore (check-smp-consistency) -(defparameter *aserve-version* '(1 3 32)) +(defparameter *aserve-version* '(1 3 33)) (eval-when (eval load) (require :sock) @@ -1264,17 +1264,26 @@ by keyword symbols and not by strings" (if* efp then (setf (wserver-external-format server) external-format)) + ;; the only required ssl arg is a certificate. check that a certificate has been specified here, so + ;; that we can error immediately instead of when the first https connection is attempted. + + ;; ssl must be a string or pathmame pointing at a cert, or ssl-args must be specified + ;; and include a :certificate that is a string-or-pathname or a :context that is an excl::ssl-context (when (or ssl ssl-args) (flet ((string-or-pathname-p (arg) (or (stringp arg) (pathnamep arg))) (bad-cert (var) (error "The ~s parameter should be a string or pathname holding the filename of the certificate and private key file" var))) (if* ssl-args - then (let ((cert (getf ssl-args :certificate))) - (when (not cert) - (error "ssl-args is missing a :certificate parameter.")) - (when (not (string-or-pathname-p cert)) - (bad-cert :certificate)))) + then (let ((cert (getf ssl-args :certificate)) + (context (getf ssl-args :context))) + (when (not (or cert context)) + (error "ssl-args is missing a :certificate or :context parameter.")) + (when (and cert (not (string-or-pathname-p cert))) + (bad-cert :certificate)) + (when (and context (not (typep context 'excl::ssl-context))) + (error "Invalid :context argument ~a." context)))) + ;; for backward compatibility. ssl-args is preferred. (if* ssl then (when (not (string-or-pathname-p ssl)) (bad-cert :ssl)))) diff --git a/packages.cl b/packages.cl index b4af133a..ba7b0ac6 100644 --- a/packages.cl +++ b/packages.cl @@ -1,79 +1,55 @@ #+(version= 9 0) -(sys:defpatch "aserve" 15 - "v1: 1.3.16: fix freeing freed buffer; -v2: 1.3.18: introduce allegroserve-error condition object, - fix compression with logical pathnames; -v3: add timeout for reading request header. -v4: 1.3.20: handle connection reset and aborted errors - properly in the client; -v5: 1.3.21: new proxy control. -v6: 1.3.23: fixes socket leak in client when the the writing - of the initial headers and body fails. -v7: 1.3.24: Move 100-continue expectation handling until after authorization - and an entity has been found. Allow disabling of auto handling per entity. -v8: 1.3.25: fix keep-alive timeout header: use wserver-header-read-timeout - instead of wserver-read-request-timeout. -v9: 1.3.26: Make do-http-request merge the query part of the uri of - requests with the query argument. -v10: 1.3.27: Make clients reading a chunked response detect an unexpected eof - instead of busy looping. -v11: 1.3.28: Have server send a 408 Request Timeout response on timeout - instead of closing connection. Allow client to auto-retry. -v12: 1.3.28: Fix bug in retry-on-timeout code in do-http-request. -v13: 1.3.29: proxy now returns content-length. -v14: 1.3.30: For https, use defaults of the underlying ssl module. -v15: 1.3.32: add no-proxy argument to do-http-request." +(sys:defpatch "aserve" 16 + "v16: 1.3.33: Fix buggy argument checking for ssl arguments; +v15: 1.3.32: add no-proxy argument to do-http-request; +v14: 1.3.30: For https, use defaults of the underlying ssl module; +v13: 1.3.29: proxy now returns content-length; +v12: 1.3.28: Fix bug in retry-on-timeout code in do-http-request; +v11: 1.3.28: Have server send a 408 Request Timeout response on timeout instead of closing connection. Allow client to auto-retry; +v10: 1.3.27: Make clients reading a chunked response detect an unexpected eof instead of busy looping; +v9: 1.3.26: Make do-http-request merge the query part of the uri of requests with the query argument; +v8: 1.3.25: fix keep-alive timeout header: use wserver-header-read-timeout instead of wserver-read-request-timeout; +v7: 1.3.24: Move 100-continue expectation handling until after authorization and an entity has been found. Allow disabling of auto handling per entity; +v6: 1.3.23: fixes socket leak in client when the the writing of the initial headers and body fails; +v5: 1.3.21: new proxy control; +v4: 1.3.20: handle connection reset and aborted errors properly in the client; +v3: add timeout for reading request header; +v2: 1.3.18: introduce allegroserve-error condition object, fix compression with logical pathnames; +v1: 1.3.16: fix freeing freed buffer." :type :system :post-loadable t) #+(version= 8 2) -(sys:defpatch "aserve" 27 - "v1: version 1.2.67, implement keep-alive in allegroserve client; -v2: 1.2.68, obey keep-alive requests for PUT and POST requests; -v3: 1.2.69, make logging though method specialized on wserver class; -v4: 1.2.70: add support for Expect: 100-continue requests; -v5: 1.3.1: compression support, publish-directory :destination can be a - list of directories, and various SSL improvements; -v6: 1.3.5: doc updates, make client-request-read-sequence work with - compressed responses, delay sending headers for computed entities, - add option to do hidden redirect to an index file in a directory, - fix prepend-headers so that it works on windows; -v7: 1.3.7: Add :default-actions to webactions, - Avoid polling in http-accept-thread, - smp thread safety changes; -v8: 1.3.8: fix problem w/response handler using string output streams; -v9: 1.3.9: speed up unchunking-streams; -v10: 1.3.10: fix buffer boundary error in unchunking-streams. -v11: 1.3.11: fix log reporting of content-length when using keep-alive. -v12: 1.3.12: make aserve compatible with patch inflate.003, - request-query cache includes external-format as a key, - send cookies on one line as per rfc6265, - add support for ssl CRLs; -v13: 1.3.13: improve debugging facilities; -v14: 1.3.16: fix freeing freed buffer; -v15: 1.3.18: introduce allegroserve-error condition object, - fix compression with logical pathnames; -v16: add timeout for reading request header. - fix compression with logical pathnames. -v17: 1.3.20: handle connection reset and aborted errors - properly in the client; -v18: 1.3.23: fixes socket leak in client when the the writing - of the initial headers and body fails. -v19: 1.3.24: Move 100-continue expectation handling until after authorization - and an entity has been found. Allow disabling of auto handling per entity. -v20: 1.3.25: fix keep-alive timeout header: use wserver-header-read-timeout - instead of wserver-read-request-timeout. -v21: 1.3.26: Make do-http-request merge the query part of the uri of - requests with the query argument. -v22: 1.3.27: Make clients reading a chunked response detect an unexpected eof - instead of busy looping. -v23: 1.3.28: Have server send a 408 Request Timeout response on timeout - instead of closing connection. Allow client to auto-retry. -v24: 1.3.28: Fix bug in retry-on-timeout code in do-http-request. -v25: 1.3.29: proxy now returns content-length. +(sys:defpatch "aserve" 28 + "v28: 1.3.33: Fix buggy argument checking for ssl arguments; +v27: 1.3.32: add no-proxy argument to do-http-request; v26: 1.3.30: For https, use defaults of the underlying ssl module. -v27: 1.3.32: add no-proxy argument to do-http-request." +v25: 1.3.29: proxy now returns content-length; +v24: 1.3.28: Fix bug in retry-on-timeout code in do-http-request; +v23: 1.3.28: Have server send a 408 Request Timeout response on timeout instead of closing connection. Allow client to auto-retry; +v22: 1.3.27: Make clients reading a chunked response detect an unexpected eof instead of busy looping; +v21: 1.3.26: Make do-http-request merge the query part of the uri of requests with the query argument; +v20: 1.3.25: fix keep-alive timeout header: use wserver-header-read-timeout instead of wserver-read-request-timeout; +v19: 1.3.24: Move 100-continue expectation handling until after authorization and an entity has been found. Allow disabling of auto handling per entity; +v18: 1.3.23: fixes socket leak in client when the the writing of the initial headers and body fails; +v17: 1.3.20: handle connection reset and aborted errors properly in the client; +v16: add timeout for reading request header. Fix compression with logical pathnames; +v15: 1.3.18: introduce allegroserve-error condition object, Fix compression with logical pathnames; +v14: 1.3.16: fix freeing freed buffer; +v13: 1.3.13: improve debugging facilities; +v12: 1.3.12: make aserve compatible with patch inflate.003, request-query cache includes external-format as a key, send cookies on one line as per rfc6265, add support for ssl CRLs; +v11: 1.3.11: fix log reporting of content-length when using keep-alive; +v10: 1.3.10: fix buffer boundary error in unchunking-streams; +v9: 1.3.9: speed up unchunking-streams; +v8: 1.3.8: fix problem w/response handler using string output streams; +v7: 1.3.7: Add :default-actions to webactions, Avoid polling in http-accept-thread, smp thread safety changes; +v6: 1.3.5: doc updates, make client-request-read-sequence work with compressed responses, delay sending headers for computed entities, add option to do hidden redirect to an index file in a directory, fix prepend-headers so that it works on windows; +v5: 1.3.1: compression support, publish-directory :destination can be a list of directories, and various SSL improvements; +v4: 1.2.70: add support for Expect: 100-continue requests; +v3: 1.2.69, make logging though method specialized on wserver class; +v2: 1.2.68, obey keep-alive requests for PUT and POST requests; +v1: version 1.2.67, implement keep-alive in allegroserve client." :type :system :post-loadable t)