Project

General

Profile

lighttpd_1.4.18_tls_server_name_indication.patch

TLS server name indication support (lighttpd 1.4.18) - phc, 2007-11-12 23:48

View differences:

src/base.h Tue Nov 06 21:58:58 2007 +0100 → src/base.h Mon Nov 12 00:28:06 2007 +0100
31 31
#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
32 32
# define USE_OPENSSL
33 33
# include <openssl/ssl.h>
34
# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
35
#  define OPENSSL_NO_TLSEXT
36
# endif
34 37
#endif
35 38

  
36 39
#ifdef HAVE_FAM_H
......
415 418
#ifdef USE_OPENSSL
416 419
	SSL *ssl;
417 420
	buffer *ssl_error_want_reuse_buffer;
421
#ifndef OPENSSL_NO_TLSEXT
422
	buffer *tlsext_server_name;
423
#endif
418 424
#endif
419 425
	/* etag handling */
420 426
	etag_flags_t etag_flags;
src/configfile-glue.c Tue Nov 06 21:58:58 2007 +0100 → src/configfile-glue.c Mon Nov 12 00:28:06 2007 +0100
272 272
			default:
273 273
				break;
274 274
			}
275
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
276
		} else if (!buffer_is_empty(con->tlsext_server_name)) {
277
			l = con->tlsext_server_name;
278
#endif
275 279
		} else {
276 280
			l = srv->empty_string;
277 281
		}
src/configfile.c Tue Nov 06 21:58:58 2007 +0100 → src/configfile.c Mon Nov 12 00:28:06 2007 +0100
285 285
	PATCH(is_ssl);
286 286

  
287 287
	PATCH(ssl_pemfile);
288
	PATCH(ssl_ctx);
288 289
	PATCH(ssl_ca_file);
289 290
	PATCH(ssl_cipher_list);
290 291
	PATCH(ssl_use_sslv2);
......
343 344
				PATCH(etag_use_size);
344 345
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
345 346
				PATCH(ssl_pemfile);
347
				PATCH(ssl_ctx);
346 348
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
347 349
				PATCH(ssl_ca_file);
348 350
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
src/connections.c Tue Nov 06 21:58:58 2007 +0100 → src/connections.c Mon Nov 12 00:28:06 2007 +0100
663 663
	CLEAN(server_name);
664 664
	CLEAN(error_handler);
665 665
	CLEAN(dst_addr_buf);
666
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
667
	CLEAN(tlsext_server_name);
668
#endif
666 669

  
667 670
#undef CLEAN
668 671
	con->write_queue = chunkqueue_init();
......
727 730
		CLEAN(server_name);
728 731
		CLEAN(error_handler);
729 732
		CLEAN(dst_addr_buf);
733
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
734
		CLEAN(tlsext_server_name);
735
#endif
730 736
#undef CLEAN
731 737
		free(con->plugin_ctx);
732 738
		free(con->cond_cache);
......
1340 1346
				return NULL;
1341 1347
			}
1342 1348

  
1349
#ifndef OPENSSL_NO_TLSEXT
1350
			SSL_set_app_data(con->ssl, con);
1351
#endif
1343 1352
			SSL_set_accept_state(con->ssl);
1344 1353
			con->conf.is_ssl=1;
1345 1354

  
src/network.c Tue Nov 06 21:58:58 2007 +0100 → src/network.c Mon Nov 12 00:28:06 2007 +0100
61 61
	}
62 62
	return HANDLER_GO_ON;
63 63
}
64

  
65
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
66
int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
67
	const char *servername;
68
	connection *con = (connection *) SSL_get_app_data(ssl);
69

  
70
	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
71
		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
72
				"failed to get TLS server name");
73
		return SSL_TLSEXT_ERR_NOACK;
74
	}
75
	buffer_copy_string(con->tlsext_server_name, servername);
76
	buffer_to_lower(con->tlsext_server_name);
77

  
78
	config_patch_connection(srv, con, COMP_SERVER_SOCKET);
79
	config_patch_connection(srv, con, COMP_HTTP_HOST);
80

  
81
	if (NULL == con->conf.ssl_ctx) {
82
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
83
				"null SSL_CTX for TLS server name", con->tlsext_server_name);
84
		return SSL_TLSEXT_ERR_ALERT_FATAL;
85
	}
86

  
87
	/* switch to new SSL_CTX in reaction to a client's server_name extension */
88
	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
89
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
90
				"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
91
		return SSL_TLSEXT_ERR_ALERT_FATAL;
92
	}
93

  
94
	return SSL_TLSEXT_ERR_OK;
95
}
96
#endif
64 97

  
65 98
int network_server_init(server *srv, buffer *host_token, specific_config *s) {
66 99
	int val;
......
312 345

  
313 346
	if (s->is_ssl) {
314 347
#ifdef USE_OPENSSL
315
		if (srv->ssl_is_init == 0) {
316
			SSL_load_error_strings();
317
			SSL_library_init();
318
			srv->ssl_is_init = 1;
319

  
320
			if (0 == RAND_status()) {
321
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
322
						"not enough entropy in the pool");
323
				return -1;
324
			}
325
		}
326

  
327
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
328
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
329
					ERR_error_string(ERR_get_error(), NULL));
330
			return -1;
331
		}
332

  
333
		if (!s->ssl_use_sslv2) {
334
			/* disable SSLv2 */
335
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
336
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
337
						ERR_error_string(ERR_get_error(), NULL));
338
				return -1;
339
			}
340
		}
341

  
342
		if (!buffer_is_empty(s->ssl_cipher_list)) {
343
			/* Disable support for low encryption ciphers */
344
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
345
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
346
						ERR_error_string(ERR_get_error(), NULL));
347
				return -1;
348
			}
349
		}
350

  
351
		if (buffer_is_empty(s->ssl_pemfile)) {
348
		if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
352 349
			log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
353 350
			return -1;
354 351
		}
355

  
356
		if (!buffer_is_empty(s->ssl_ca_file)) {
357
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
358
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
359
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
360
				return -1;
361
			}
362
		}
363

  
364
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
365
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
366
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
367
			return -1;
368
		}
369

  
370
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
371
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
372
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
373
			return -1;
374
		}
375

  
376
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
377
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
378
					"Private key does not match the certificate public key, reason:",
379
					ERR_error_string(ERR_get_error(), NULL),
380
					s->ssl_pemfile);
381
			return -1;
382
		}
383
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
384
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
385

  
386
		srv_socket->ssl_ctx = s->ssl_ctx;
387 352
#else
388 353

  
389 354
		buffer_free(srv_socket->srv_token);
......
490 455
		{ NETWORK_BACKEND_WRITE,		"write" },
491 456
		{ NETWORK_BACKEND_UNSET,        	NULL }
492 457
	};
458

  
459
#ifdef USE_OPENSSL
460
	/* load SSL certificates */
461
	for (i = 0; i < srv->config_context->used; i++) {
462
		data_config *dc = (data_config *)srv->config_context->data[i];
463
		specific_config *s = srv->config_storage[i];
464

  
465
		if (buffer_is_empty(s->ssl_pemfile)) continue;
466

  
467
#ifdef OPENSSL_NO_TLSEXT
468
		if (COMP_HTTP_HOST == dc->comp) {
469
		    log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
470
				    "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
471
		    return -1;
472
		}
473
#endif
474

  
475
		if (srv->ssl_is_init == 0) {
476
			SSL_load_error_strings();
477
			SSL_library_init();
478
			srv->ssl_is_init = 1;
479

  
480
			if (0 == RAND_status()) {
481
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
482
						"not enough entropy in the pool");
483
				return -1;
484
			}
485
		}
486

  
487
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
488
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
489
					ERR_error_string(ERR_get_error(), NULL));
490
			return -1;
491
		}
492

  
493
		if (!s->ssl_use_sslv2) {
494
			/* disable SSLv2 */
495
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
496
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
497
						ERR_error_string(ERR_get_error(), NULL));
498
				return -1;
499
			}
500
		}
501

  
502
		if (!buffer_is_empty(s->ssl_cipher_list)) {
503
			/* Disable support for low encryption ciphers */
504
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
505
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
506
						ERR_error_string(ERR_get_error(), NULL));
507
				return -1;
508
			}
509
		}
510

  
511
		if (!buffer_is_empty(s->ssl_ca_file)) {
512
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
513
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
514
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
515
				return -1;
516
			}
517
		}
518

  
519
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
520
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
521
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
522
			return -1;
523
		}
524

  
525
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
526
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
527
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
528
			return -1;
529
		}
530

  
531
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
532
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
533
					"Private key does not match the certificate public key, reason:",
534
					ERR_error_string(ERR_get_error(), NULL),
535
					s->ssl_pemfile);
536
			return -1;
537
		}
538
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
539
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
540

  
541
#ifndef OPENSSL_NO_TLSEXT
542
		if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
543
		    !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
544
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
545
					"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
546
			return -1;
547
		}
548
#endif
549
	}
550
#endif
493 551

  
494 552
	b = buffer_init();
495 553