Ticket #386: lighttpd_1.5.0_r2171_tls_server_name_indication.patch

trunk/src/configfile-glue.c

@@ -300 +300 @@
-                        default:
-                                break;
-                        }
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+                } else if (!buffer_is_empty(con->sock->tlsext_server_name)) {
+                        l = con->sock->tlsext_server_name;
+#endif
-                } else {
-                        l = srv->empty_string;
-                }

trunk/src/base.h

@@ -37 +37 @@
-#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
-# define USE_OPENSSL
-# include <openssl/ssl.h>
+# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
+#  define OPENSSL_NO_TLSEXT
+# endif
-#endif
-
-#ifdef HAVE_SYS_INOTIFY_H

trunk/src/connections.c

@@ -955 +955 @@
-                                return NULL;
-                        }
-
+#ifndef OPENSSL_NO_TLSEXT
+                        SSL_set_app_data(con->sock->ssl, con);
+#endif
-                        SSL_set_accept_state(con->sock->ssl);
-                        con->conf.is_ssl=1;
-

trunk/src/network.c

@@ -219 +219 @@
-        return HANDLER_GO_ON;
-}
-
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
+        const char *servername;
+        connection *con = (connection *) SSL_get_app_data(ssl);
+
+        buffer_copy_string(con->uri.scheme, "https");
+
+        if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                "failed to get TLS server name");
+                return SSL_TLSEXT_ERR_NOACK;
+        }
+        buffer_copy_string(con->sock->tlsext_server_name, servername);
+        buffer_to_lower(con->sock->tlsext_server_name);
+
+        config_patch_connection(srv, con, COMP_SERVER_SOCKET);
+        config_patch_connection(srv, con, COMP_HTTP_SCHEME);
+        config_patch_connection(srv, con, COMP_HTTP_HOST);
+
+        if (NULL == con->conf.ssl_ctx) {
+                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+                                "null SSL_CTX for TLS server name", con->sock->tlsext_server_name);
+                return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+
+        /* switch to new SSL_CTX in reaction to a client's server_name extension */
+        if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
+                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+                                "failed to set SSL_CTX for TLS server name", con->sock->tlsext_server_name);
+                return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+
+        return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
-int network_server_init(server *srv, buffer *host_token, specific_config *s) {
-        int val;
-        socklen_t addr_len;
@@ -468 +504 @@
-
-        if (s->is_ssl) {
-#ifdef USE_OPENSSL
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-                        log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
-                        return -1;
-                }
-
-                if (!buffer_is_empty(s->ssl_ca_file)) {
-                        if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
-                                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-                                                ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
-                                return -1;
-                        }
-                }
-
-                if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
-                        return -1;
-                }
-
-                if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
-                        return -1;
-                }
-
-                if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
-                        log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
-                                        "Private key does not match the certificate public key, reason:",
-                                        ERR_error_string(ERR_get_error(), NULL),
-                                        s->ssl_pemfile);
-                        return -1;
-                }
-                srv_socket->ssl_ctx = s->ssl_ctx;
-#else
-
-                buffer_free(srv_socket->srv_token);
@@ -594 +566 @@
-                        }
-                }
-
-                if (srv_socket->is_ssl) {
-#ifdef USE_OPENSSL
-                        SSL_CTX_free(srv_socket->ssl_ctx);
-#endif
-                }
-
-                iosocket_free(srv_socket->sock);
-
-                buffer_free(srv_socket->srv_token);
@@ -620 +586 @@
-        size_t i;
-        const network_backend_info_t *backend;
-
+#ifdef USE_OPENSSL
+        /* load SSL certificates */
+        for (i = 0; i < srv->config_context->used; i++) {
+                data_config *dc = (data_config *)srv->config_context->data[i];
+                specific_config *s = srv->config_storage[i];
+
+                if (buffer_is_empty(s->ssl_pemfile)) continue;
+
+#ifdef OPENSSL_NO_TLSEXT
+                if (COMP_HTTP_HOST == dc->comp) {
+                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                        "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
+                        return -1;
+                }
+#endif
+
+                if (srv->ssl_is_init == 0) {
+                        SSL_load_error_strings();
+                        SSL_library_init();
+                        srv->ssl_is_init = 1;
+
+                        if (0 == RAND_status()) {
+                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                                "not enough entropy in the pool");
+                                return -1;
+                        }
+                }
+
+                if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
+                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                        ERR_error_string(ERR_get_error(), NULL));
+                        return -1;
+                }
+
+                if (!s->ssl_use_sslv2) {
+                        /* disable SSLv2 */
+                        if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
+                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                                ERR_error_string(ERR_get_error(), NULL));
+                                return -1;
+                        }
+                }
+
+                if (!buffer_is_empty(s->ssl_cipher_list)) {
+                        if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
+                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                                ERR_error_string(ERR_get_error(), NULL));
+                                return -1;
+                        }
+                }
+
+                if (!buffer_is_empty(s->ssl_ca_file)) {
+                        if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
+                                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+                                                ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+                                return -1;
+                        }
+                }
+
+                if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+                        return -1;
+                }
+
+                if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+                        return -1;
+                }
+
+                if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
+                        log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+                                        "Private key does not match the certificate public key, reason:",
+                                        ERR_error_string(ERR_get_error(), NULL),
+                                        s->ssl_pemfile);
+                        return -1;
+                }
+
+#ifndef OPENSSL_NO_TLSEXT
+                if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
+                    !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
+                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                        "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
+                        return -1;
+                }
+#endif
+        }
+#endif
+
-        b = buffer_init();
-
-        buffer_copy_string_buffer(b, srv->srvconf.bindhost);

trunk/src/configfile.c

@@ -294 +294 @@
-        PATCH(is_ssl);
-
-        PATCH(ssl_pemfile);
+        PATCH(ssl_ctx);
-        PATCH(ssl_ca_file);
-        PATCH(ssl_cipher_list);
-        PATCH(ssl_use_sslv2);
@@ -344 +345 @@
-                                PATCH(use_xattr);
-                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
-                                PATCH(ssl_pemfile);
+                                PATCH(ssl_ctx);
-                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
-                                PATCH(ssl_ca_file);
-                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {

trunk/src/server.c

@@ -309 +309 @@
-                        buffer_free(s->error_handler);
-                        buffer_free(s->errorfile_prefix);
-                        array_free(s->mimetypes);
+#ifdef USE_OPENSSL
+                        SSL_CTX_free(s->ssl_ctx);
+#endif
-
-                        free(s);
-                }

trunk/src/iosocket.c

@@ -13 +13 @@
-
-        sock->type = IOSOCKET_TYPE_SOCKET;
-
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+        sock->tlsext_server_name = buffer_init();
+#endif
+
-        return sock;
-}
-
@@ -32 +36 @@
-                }
-        }
-
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+        buffer_free(sock->tlsext_server_name);
+#endif
+
-        free(sock);
-}

trunk/src/iosocket.h

@@ -19 +19 @@
-#endif
-
-#include "settings.h"
+#include "buffer.h"
-
-typedef enum {
-        IOSOCKET_TYPE_UNSET,
@@ -35 +36 @@
-
-#ifdef USE_OPENSSL
-        SSL *ssl;
+#ifndef OPENSSL_NO_TLSEXT
+        buffer *tlsext_server_name;
-#endif
+#endif
-
-        iosocket_t type; /**< sendfile on solaris doesn't work on pipes */
-} iosocket;