lighttpd_1.4.x_r2024_tls_server_name_indication.patch

TLS server name indication support (lighttpd 1.4.x-svn) - phc, 2007-11-18 13:54


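--- a/lighttpd-1.4.x/src/configfile-glue.c
+++ b/lighttpd-1.4.x/src/configfile-glue.c
@@ -272,6 +272,10 @@
 			default:
 				break;
 			}
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+		} else if (!buffer_is_empty(con->tlsext_server_name)) {
+			l = con->tlsext_server_name;
+#endif
 		} else {
 			l = srv->empty_string;
 		}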
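Review bot: The SNI name added here is consulted only when the branch above it finds nothing (its condition lies outside the hunk, but from the `default: break; }` context it appears to match on the Host-derived authority first), so once a request carries a Host header that header alone selects the vhost configuration, while the certificate was already chosen from `con->tlsext_server_name` in the servername callback. A client can therefore complete the handshake with one host's certificate and then send a different Host header and be served the other vhost's configuration; nothing in this patch compares the two names. I would compare `con->tlsext_server_name` with the parsed Host header in the request path (reject with 400 when both are set and differ, or at least log the mismatch) and mark the fallback here: `/* SNI name is only a fallback before the request is parsed; the Host header, once present, is not checked against it */`. The enclosing function starts and ends outside this hunk.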
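--- a/lighttpd-1.4.x/src/base.h
+++ b/lighttpd-1.4.x/src/base.h
@@ -31,6 +31,9 @@
 #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
 # define USE_OPENSSL
 # include <openssl/ssl.h>
+# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
+#  define OPENSSL_NO_TLSEXT
+# endif
 #endif
 
 #ifdef HAVE_FAM_H
@@ -415,7 +418,10 @@
 #ifdef USE_OPENSSL
 	SSL *ssl;
 	buffer *ssl_error_want_reuse_buffer;
+#ifndef OPENSSL_NO_TLSEXT
+	buffer *tlsext_server_name;
 #endif
+#endif
 	/* etag handling */
 	etag_flags_t etag_flags;
 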
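--- a/lighttpd-1.4.x/src/connections.c
+++ b/lighttpd-1.4.x/src/connections.c
@@ -663,6 +663,9 @@
 	CLEAN(server_name);
 	CLEAN(error_handler);
 	CLEAN(dst_addr_buf);
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+	CLEAN(tlsext_server_name);
+#endif
 
 #undef CLEAN
 	con->write_queue = chunkqueue_init();
@@ -727,6 +730,9 @@
 		CLEAN(server_name);
 		CLEAN(error_handler);
 		CLEAN(dst_addr_buf);
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+		CLEAN(tlsext_server_name);
+#endif
 #undef CLEAN
 		free(con->plugin_ctx);
 		free(con->cond_cache);
@@ -1340,6 +1346,9 @@
 				return NULL;
 			}
 
+#ifndef OPENSSL_NO_TLSEXT
+			SSL_set_app_data(con->ssl, con);
+#endif
 			SSL_set_accept_state(con->ssl);
 			con->conf.is_ssl=1;
 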
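Review bot: `con->tlsext_server_name` is created by the `CLEAN()` in the first hunk and released by the `CLEAN()` in the second (evidently buffer_init/buffer_free wrappers), but nothing in this patch clears it between uses of the same `connection` object, and the servername callback in network.c returns `SSL_TLSEXT_ERR_NOACK` before writing it when the client sent no SNI; unless `connection_reset()` (not touched by this patch) resets the buffer, a TLS client that sends no SNI on a recycled connection inherits the previous client's name and is matched against that host's `$HTTP["host"]` block. The cheap fix is to reset it where the fresh `SSL` object is created, next to the new `SSL_set_app_data()` call in the third hunk: `buffer_reset(con->tlsext_server_name);`. The `SSL_set_app_data()` line is also the only thing that makes the unchecked `SSL_get_app_data()` dereference in the callback safe, so it should stay under the same `OPENSSL_NO_TLSEXT` guard as the callback registration. The enclosing functions of all three hunks start and end outside the hunks.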
lighttpd-1.4.x/src/network.c (working copy)
62 62
	return HANDLER_GO_ON;
63 63
}
64 64

  
65
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
66
int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
67
	const char *servername;
68
	connection *con = (connection *) SSL_get_app_data(ssl);
69

  
70
	buffer_copy_string(con->uri.scheme, "https");
71

  
72
	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
73
		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
74
				"failed to get TLS server name");
75
		return SSL_TLSEXT_ERR_NOACK;
76
	}
77
	buffer_copy_string(con->tlsext_server_name, servername);
78
	buffer_to_lower(con->tlsext_server_name);
79

  
80
	config_patch_connection(srv, con, COMP_SERVER_SOCKET);
81
	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
82
	config_patch_connection(srv, con, COMP_HTTP_HOST);
83

  
84
	if (NULL == con->conf.ssl_ctx) {
85
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
86
				"null SSL_CTX for TLS server name", con->tlsext_server_name);
87
		return SSL_TLSEXT_ERR_ALERT_FATAL;
88
	}
89

  
90
	/* switch to new SSL_CTX in reaction to a client's server_name extension */
91
	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
92
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
93
				"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
94
		return SSL_TLSEXT_ERR_ALERT_FATAL;
95
	}
96

  
97
	return SSL_TLSEXT_ERR_OK;
98
}
99
#endif
100

  
65 101
int network_server_init(server *srv, buffer *host_token, specific_config *s) {
66 102
	int val;
67 103
	socklen_t addr_len;
......
312 348

  
313 349
	if (s->is_ssl) {
314 350
#ifdef USE_OPENSSL
315
		if (srv->ssl_is_init == 0) {
316
			SSL_load_error_strings();
317
			SSL_library_init();
318
			srv->ssl_is_init = 1;
319

  
320
			if (0 == RAND_status()) {
321
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
322
						"not enough entropy in the pool");
323
				return -1;
324
			}
325
		}
326

  
327
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
328
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
329
					ERR_error_string(ERR_get_error(), NULL));
330
			return -1;
331
		}
332

  
333
		if (!s->ssl_use_sslv2) {
334
			/* disable SSLv2 */
335
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
336
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
337
						ERR_error_string(ERR_get_error(), NULL));
338
				return -1;
339
			}
340
		}
341

  
342
		if (!buffer_is_empty(s->ssl_cipher_list)) {
343
			/* Disable support for low encryption ciphers */
344
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
345
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
346
						ERR_error_string(ERR_get_error(), NULL));
347
				return -1;
348
			}
349
		}
350

  
351
		if (buffer_is_empty(s->ssl_pemfile)) {
351
		if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
352 352
			log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
353 353
			return -1;
354 354
		}
355

  
356
		if (!buffer_is_empty(s->ssl_ca_file)) {
357
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
358
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
359
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
360
				return -1;
361
			}
362
		}
363

  
364
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
365
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
366
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
367
			return -1;
368
		}
369

  
370
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
371
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
372
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
373
			return -1;
374
		}
375

  
376
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
377
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
378
					"Private key does not match the certificate public key, reason:",
379
					ERR_error_string(ERR_get_error(), NULL),
380
					s->ssl_pemfile);
381
			return -1;
382
		}
383
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
384
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
385

  
386
		srv_socket->ssl_ctx = s->ssl_ctx;
387 355
#else
388 356

  
389 357
		buffer_free(srv_socket->srv_token);
......
491 459
		{ NETWORK_BACKEND_UNSET,        	NULL }
492 460
	};
493 461

  
462
#ifdef USE_OPENSSL
463
	/* load SSL certificates */
464
	for (i = 0; i < srv->config_context->used; i++) {
465
		data_config *dc = (data_config *)srv->config_context->data[i];
466
		specific_config *s = srv->config_storage[i];
467

  
468
		if (buffer_is_empty(s->ssl_pemfile)) continue;
469

  
470
#ifdef OPENSSL_NO_TLSEXT
471
		if (COMP_HTTP_HOST == dc->comp) {
472
		    log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
473
				    "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
474
		    return -1;
475
		}
476
#endif
477

  
478
		if (srv->ssl_is_init == 0) {
479
			SSL_load_error_strings();
480
			SSL_library_init();
481
			srv->ssl_is_init = 1;
482

  
483
			if (0 == RAND_status()) {
484
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
485
						"not enough entropy in the pool");
486
				return -1;
487
			}
488
		}
489

  
490
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
491
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
492
					ERR_error_string(ERR_get_error(), NULL));
493
			return -1;
494
		}
495

  
496
		if (!s->ssl_use_sslv2) {
497
			/* disable SSLv2 */
498
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
499
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
500
						ERR_error_string(ERR_get_error(), NULL));
501
				return -1;
502
			}
503
		}
504

  
505
		if (!buffer_is_empty(s->ssl_cipher_list)) {
506
			/* Disable support for low encryption ciphers */
507
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
508
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
509
						ERR_error_string(ERR_get_error(), NULL));
510
				return -1;
511
			}
512
		}
513

  
514
		if (!buffer_is_empty(s->ssl_ca_file)) {
515
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
516
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
517
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
518
				return -1;
519
			}
520
		}
521

  
522
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
523
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
524
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
525
			return -1;
526
		}
527

  
528
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
529
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
530
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
531
			return -1;
532
		}
533

  
534
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
535
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
536
					"Private key does not match the certificate public key, reason:",
537
					ERR_error_string(ERR_get_error(), NULL),
538
					s->ssl_pemfile);
539
			return -1;
540
		}
541
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
542
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
543

  
544
#ifndef OPENSSL_NO_TLSEXT
545
		if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
546
		    !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
547
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
548
					"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
549
			return -1;
550
		}
551
#endif
552
	}
553
#endif
554

  
494 555
	b = buffer_init();
495 556

  
496 557
	buffer_copy_string_buffer(b, srv->srvconf.bindhost);
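Review bot: `SSL_set_SSL_CTX()` in `network_ssl_servername_callback` switches the certificate and key to the host selected by SNI, but as far as I can tell from OpenSSL's behaviour in the releases this patch targets it leaves the options and cipher list that `SSL_new()` copied from the listening socket's context untouched, so a per-host `ssl.cipher-list` or `ssl.use-sslv2` under `$HTTP["host"]` is applied to an `SSL_CTX` that never reaches the connection. Re-applying the selected host's settings to `ssl` right after the switch closes that gap; the sketch below does it for options and the cipher list, assuming `con->conf.ssl_cipher_list` is patched per host the way `ssl_ctx` is in the configfile.c hunk. In the same function `SSL_get_app_data(ssl)` is dereferenced without a NULL check, which holds only as long as every `SSL` reaching this callback went through the `SSL_set_app_data()` added in connections.c; a one-line guard returning `SSL_TLSEXT_ERR_ALERT_FATAL` would make that explicit.
```c
	/* switch to new SSL_CTX in reaction to a client's server_name extension */
	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
		/* … unchanged: error log and SSL_TLSEXT_ERR_ALERT_FATAL … */
	}

	/* SSL_set_SSL_CTX() swaps in the certificate and key only; the options
	 * and cipher list were copied into `ssl` by SSL_new() from the listening
	 * socket's context, so re-apply the selected host's settings here */
	SSL_set_options(ssl, SSL_CTX_get_options(con->conf.ssl_ctx));
	if (!buffer_is_empty(con->conf.ssl_cipher_list) &&
	    1 != SSL_set_cipher_list(ssl, con->conf.ssl_cipher_list->ptr)) {
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
				"failed to set cipher list for TLS server name", con->tlsext_server_name);
		return SSL_TLSEXT_ERR_ALERT_FATAL;
	}

	return SSL_TLSEXT_ERR_OK;
```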
lighttpd-1.4.x/src/configfile.c (working copy)
285 285
	PATCH(is_ssl);
286 286

  
287 287
	PATCH(ssl_pemfile);
288
	PATCH(ssl_ctx);
288 289
	PATCH(ssl_ca_file);
289 290
	PATCH(ssl_cipher_list);
290 291
	PATCH(ssl_use_sslv2);
......
343 344
				PATCH(etag_use_size);
344 345
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
345 346
				PATCH(ssl_pemfile);
347
				PATCH(ssl_ctx);
346 348
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
347 349
				PATCH(ssl_ca_file);
348 350
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {