fix #4859: properly configure TLSv1.3 only mode

[pve-http-server.git] / src / PVE / APIServer / AnyEvent.pm

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 0425ea1239da8bddd9e1cc15906a705412238457..cebd9ba60888e7dc72bce1b7de3b1fb7dda96cc2 100644 (file)
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -12,7 +12,6 @@ use warnings;
 
 use AnyEvent::HTTP;
 use AnyEvent::Handle;
-use AnyEvent::IO;
 use AnyEvent::Socket;
 # use AnyEvent::Strict; # only use this for debugging
 use AnyEvent::TLS;
@@ -745,11 +744,17 @@ sub proxy_request {
        my $content;
 
        if  ($method eq 'POST' || $method eq 'PUT') {
-           $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
-           # use URI object to format application/x-www-form-urlencoded content.
-           my $url = URI->new('http:');
-           $url->query_form(%$params);
-           $content = $url->query;
+           my $request_ct = $reqstate->{request}->header('Content-Type');
+           if (defined($request_ct) && $request_ct =~ 'application/json') {
+               $headers->{'Content-Type'} = 'application/json';
+               $content = encode_json($params);
+           } else {
+               $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
+               # use URI object to format application/x-www-form-urlencoded content.
+               my $url = URI->new('http:');
+               $url->query_form(%$params);
+               $content = $url->query;
+           }
            if (defined($content)) {
                $headers->{'Content-Length'} = length($content);
            }
@@ -761,6 +766,7 @@ sub proxy_request {
            sslv2 => 0,
            sslv3 => 0,
            verify => 1,
+           ca_path => '/usr/lib/ssl/certs', # to avoid loading the combined CA cert file
            verify_cb => sub {
                my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
                # we don't care about intermediate or root certificates
@@ -845,7 +851,12 @@ sub decode_urlencoded {
            $v = Encode::decode('utf8', $v);
 
            if (defined(my $old = $res->{$k})) {
-               $v = "$old\0$v";
+               if (ref($old) eq 'ARRAY') {
+                   push @$old, $v;
+                   $v = $old;
+               } else {
+                   $v = [$old, $v];
+               }
            }
        }
 
@@ -933,8 +944,8 @@ sub handle_api2_request {
 
            $res->{proxy_params}->{tmpfilename} = $reqstate->{tmpfilename} if $upload_state;
 
-           $self->proxy_request($reqstate, $clientip, $host, $res->{proxynode}, $method,
-                                $r->uri, $auth, $res->{proxy_params});
+           $self->proxy_request(
+               $reqstate, $clientip, $host, $res->{proxynode}, $method, $r->uri, $auth, $res->{proxy_params});
            return;
 
        } elsif ($upgrade && ($method eq 'GET') && ($path =~ m|websocket$|)) {
@@ -1222,7 +1233,7 @@ sub file_upload_multipart {
            $extract_form_disposition->('checksum-algorithm');
            $extract_form_disposition->('checksum');
 
-           if ($hdl->{rbuf} =~ s/^${delim_re}Content-Disposition: (.*?); name="(.*?)"; filename="([^"]+)"${newline_re}//s) {
+           if ($hdl->{rbuf} =~ s/^${delim_re}Content-Disposition: (.*?); name="(.*?)"; filename="([^"]+)"//s) {
                assert_form_disposition($1);
                die "wrong field name '$2' for file upload, expected 'filename'" if $2 ne "filename";
                $rstate->{phase} = 2;
@@ -1245,15 +1256,14 @@ sub file_upload_multipart {
            if ($write_length > 0) {
                syswrite($rstate->{outfh}, $data) == $write_length or die "write to temporary file failed - $!\n";
                $rstate->{bytes} += $write_length;
-               $rstate->{ctx}->add($data);
            }
        }
 
        if ($rstate->{phase} == 100) { # Phase 100 - transfer finished
-           $rstate->{md5sum} = $rstate->{ctx}->hexdigest;
            my $elapsed = tv_interval($rstate->{starttime});
-           syslog('info', "multipart upload complete (size: %dB time: %.3fs rate: %.2fMiB/s md5sum: %s)",
-               $rstate->{bytes}, $elapsed, $rstate->{bytes} / ($elapsed * 1024 * 1024), $rstate->{md5sum}
+           syslog('info', "multipart upload complete (size: %dB time: %.3fs rate: %.2fMiB/s filename: %s)",
+               $rstate->{bytes}, $elapsed, $rstate->{bytes} / ($elapsed * 1024 * 1024),
+               $rstate->{params}->{filename}
            );
            $self->handle_api2_request($reqstate, $auth, $method, $path, $rstate);
        }
@@ -1333,6 +1343,7 @@ sub unshift_read_header {
     });
 };
 
+# sends an (error) response and returns 0 in case of errors
 sub process_header {
     my ($self, $reqstate) = @_;
 
@@ -1385,6 +1396,8 @@ sub process_header {
     return 1;
 }
 
+# sends an (redirect) response, disconnects the client and returns 0 if
+# connection is not TLS-protected
 sub ensure_tls_connection {
     my ($self, $reqstate) = @_;
 
@@ -1560,7 +1573,6 @@ sub authenticate_and_handle_request {
            my $state = {
                size => $len,
                boundary => $boundary,
-               ctx => Digest::MD5->new,
                boundlen =>  $boundlen,
                maxheader => 2048 + $boundlen, # should be large enough
                params => decode_urlencoded($request->url->query()),
@@ -1570,6 +1582,10 @@ sub authenticate_and_handle_request {
                starttime => [gettimeofday],
                outfh => $outfh,
            };
+
+           die "'tmpfilename' query parameter is not allowed for file uploads\n"
+               if exists $state->{params}->{tmpfilename};
+
            $reqstate->{tmpfilename} = $tmpfilename;
            $reqstate->{hdl}->on_read(sub {
                $self->file_upload_multipart($reqstate, $auth, $method, $path, $state);
@@ -1635,7 +1651,7 @@ sub push_request_header {
                    $reqstate->{proto}->{min} = $min;
                    $reqstate->{proto}->{ver} = $maj*1000+$min;
                    $reqstate->{request} = HTTP::Request->new($method, $url);
-                   $reqstate->{starttime} = [gettimeofday],
+                   $reqstate->{starttime} = [gettimeofday];
 
                    $self->unshift_read_header($reqstate);
                } elsif ($line eq '') {
@@ -1996,6 +2012,23 @@ sub new {
            warn "Failed to set TLS 1.3 ciphersuites '$ciphersuites'\n"
                if !Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites);
        }
+
+       my $opts = Net::SSLeay::CTX_get_options($self->{tls_ctx}->{ctx});
+       my $min_version = Net::SSLeay::TLS1_1_VERSION();
+       my $max_version = Net::SSLeay::TLS1_3_VERSION();
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_1) {
+           $min_version = Net::SSLeay::TLS1_2_VERSION();
+       }
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_2) {
+           $min_version = Net::SSLeay::TLS1_3_VERSION();
+       }
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_3) {
+           die "misconfigured TLS settings - cannot disable all supported TLS versions!\n"
+               if $min_version && $min_version == Net::SSLeay::TLS1_3_VERSION();
+           $max_version = Net::SSLeay::TLS1_2_VERSION();
+       }
+       Net::SSLeay::CTX_set_min_proto_version($self->{tls_ctx}->{ctx}, $min_version) if $min_version;
+       Net::SSLeay::CTX_set_max_proto_version($self->{tls_ctx}->{ctx}, $max_version);
     }
 
     if ($self->{spiceproxy}) {