From a5c170e3419869318d07c9f389090297ea3a101f Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sun, 23 Apr 2023 09:04:05 -0400
Subject: [TLS] $SERVER["socket"] inherit global ssl.engine
$SERVER["socket"] inherits ssl.engine = "enable" from global scope fixes issue of TLS-enabled socket, but missing config, if ssl.engine = "enable" in global scope and $SERVER["socket"] does not contain ssl.engine = "enable" e.g. default TLS-enabled, and explicitly disabled on specific sockets server.port = 443 ssl.engine = "enable" ssl.pemfile = ... ssl.privkey = ... $SERVER["socket"] == ":80" { ssl.engine = "disable" } $SERVER["socket"] == "[::]:80" { ssl.engine = "disable" } $SERVER["socket"] == " :443" { } $SERVER["socket"] == "[::]:443" { }
---
 src/mod_gnutls.c | 3 ++-
 src/mod_mbedtls.c | 1 +
 src/mod_nss.c | 3 ++-
 src/mod_openssl.c | 27 ++++++++++++++++++++++++++-
 src/mod_wolfssl.c | 3 ++-
 5 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index d091243a..6f430aaa 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -2605,7 +2605,8 @@ CONNECTION_FUNC(mod_gnutls_handle_con_accept)
 con->plugin_ctx[p->id] = hctx;
 buffer_blank(&r->uri.authority);
 
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->priority_cache) s = p->ssl_ctxs; /*(inherit from global)*/
 hctx->ssl_session_ticket = s->ssl_session_ticket;
 int flags = GNUTLS_SERVER | GNUTLS_NO_SIGNAL | GNUTLS_NONBLOCK;
 /* ??? add feature: GNUTLS_ENABLE_EARLY_START ??? */
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 8da81fce..0f429e50 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
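Review bot: The fallback on the added `if (NULL == s->priority_cache)` line keys inheritance on a single member of the per-socket slot being unset, and nothing in the hunk states which ssl.* directives in a `$SERVER["socket"]` scope cause that slot to be populated; if a socket scope that sets only non-certificate options (e.g. ssl.verifyclient.activate) leaves priority_cache NULL, its directives would be silently replaced by the global context, which is worth confirming against the socket setup code and recording in the comment, e.g. `/* slot left empty when $SERVER["socket"] declares no ssl.* directives; p->ssl_ctxs[0] is the global scope */`. The same fallback appears in the mod_nss (`s->model`), mod_openssl and mod_wolfssl (`s->ssl_ctx`) con_accept hunks, each using a different member as the sentinel, so one shared comment naming the invariant would help more than the four terse ones. Since s is only read after the reassignment, `const plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;` keeps the pointee read-only instead of dropping the qualifier altogether, assuming nothing later in the function writes through it. mod_gnutls_handle_con_accept starts and ends outside the hunk.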
@@ -2333,6 +2333,7 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
 buffer_blank(&r->uri.authority);
 
 hctx->ssl_ctx = p->ssl_ctxs[srv_sock->sidx].ssl_ctx;
+ if (NULL == hctx->ssl_ctx) hctx->ssl_ctx = p->ssl_ctxs[0].ssl_ctx;
 mbedtls_ssl_init(&hctx->ssl);
 int rc = mbedtls_ssl_setup(&hctx->ssl, hctx->ssl_ctx);
 if (0 == rc) {
diff --git a/src/mod_nss.c b/src/mod_nss.c
index 1d800706..735289ca 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -2308,7 +2308,8 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
 con->plugin_ctx[p->id] = hctx;
 buffer_blank(&r->uri.authority);
 
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->model) s = p->ssl_ctxs; /*(inherit from global scope)*/
 hctx->ssl_session_ticket = s->ssl_session_ticket;
 con->network_read = connection_read_cq_ssl;
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 46a86d49..a587a74a 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
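Review bot: The added `if (NULL == hctx->ssl_ctx)` line inherits only the ssl_ctx member from the global slot, whereas the mod_gnutls and mod_nss hunks repoint a `plugin_ssl_ctx *s` at the whole global entry so sibling fields such as ssl_session_ticket are inherited as well; if mod_mbedtls's plugin_ssl_ctx carries any per-socket member besides ssl_ctx (not visible here), a `$SERVER["socket"]` scope without ssl.* directives would run with the global context but that member's zero value. Writing it as `const plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx; if (NULL == s->ssl_ctx) s = p->ssl_ctxs; hctx->ssl_ctx = s->ssl_ctx;` would match the other four modules and make any future field inherit automatically. When both slots are empty hctx->ssl_ctx stays NULL and is handed to mbedtls_ssl_setup two lines later; the rc check that follows presumably reports it rather than dereferencing, but a comment such as `/* p->ssl_ctxs[0] is the global scope; expected to be populated for any TLS-enabled socket */` would record the assumption. mod_mbedtls_handle_con_accept starts and ends outside the hunk.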
@@ -2694,6 +2694,30 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
 #endif
 free(srvplug.cvlist);
+
+ #if 0 /*(alt: inherit from global scope in mod_openssl_handle_con_accept()*/
+ if (defaults.ssl_enabled) {
+ #if 0 /* used == 0; priv_defaults hook is called before network_init() */
+ for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) {
+ if (!srv->srv_sockets.ptr[i]->is_ssl) continue;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv->srv_sockets.ptr[i]->sidx;
+ if (!s->ssl_ctx)/*(no ssl.* directives; inherit from global scope)*/
+ *s = *p->ssl_ctxs;/*(copy struct of ssl_ctx from global scope)*/
+ }
+ #endif
+ for (uint32_t i = 1; i < srv->config_context->used; ++i) {
+ config_cond_info cfginfo;
+ config_get_config_cond_info(&cfginfo, (uint32_t)i);
+ if (cfginfo.comp != COMP_SERVER_SOCKET) continue;
+ plugin_ssl_ctx * const s = p->ssl_ctxs + i;
+ if (!s->ssl_ctx)
+ *s = *p->ssl_ctxs;/*(copy struct of ssl_ctx from global scope)*/
+ /* note: copied even when ssl.engine = "disabled",
+ * even though config will not be used when disabled */
+ }
+ }
+ #endif
+
 return rc;
 }
@@ -3318,7 +3342,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
 con->plugin_ctx[p->id] = hctx;
 buffer_blank(&r->uri.authority);
 
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->ssl_ctx) s = p->ssl_ctxs; /*(inherit from global scope)*/
 hctx->ssl = SSL_new(s->ssl_ctx);
 if (NULL != hctx->ssl && SSL_set_app_data(hctx->ssl, hctx)
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
index 2459396d..3a26cce9 100644
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
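Review bot: The `#if 0` block added after `free(srvplug.cvlist);` commits a disabled alternative implementation, and its opening comment `/*(alt: inherit from global scope in mod_openssl_handle_con_accept()*/` is missing the closing parenthesis of the outer `(`. The disabled loops also copy the whole struct with `*s = *p->ssl_ctxs;`, so two slots would hold the same SSL_CTX pointer; whether the teardown path would then release it twice is not visible here, and is one more reason not to leave the code a `#if 1` away from being live. Replacing the block with a two-line comment that points at the accept-time fallback in mod_openssl_handle_con_accept, or dropping it, would keep mod_openssl_set_defaults_sockets (which starts outside the hunk) readable without losing the design note.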
@@ -3005,7 +3005,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
 con->plugin_ctx[p->id] = hctx;
 buffer_blank(&r->uri.authority);
 
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->ssl_ctx) s = p->ssl_ctxs; /*(inherit from global scope)*/
 hctx->ssl = SSL_new(s->ssl_ctx);
 if (NULL != hctx->ssl && SSL_set_app_data(hctx->ssl, hctx)
-- 
cgit v1.2.1