Diffstat (limited to 'www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff')
-rw-r--r--www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff324
1 files changed, 324 insertions, 0 deletions
diff --git a/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff
new file mode 100644
index 0000000..5cd19d6
--- /dev/null
+++ b/www-servers/lighttpd/files/1.4.20-r1/04_all_1.4.x_tls_server_name_indication.diff
@@ -0,0 +1,324 @@
+Index: src/configfile-glue.c
+===================================================================
+--- src/configfile-glue.c (revision 2402)
++++ src/configfile-glue.c (working copy)
+@@ -289,6 +289,10 @@
+ default:
+ break;
+ }
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ } else if (!buffer_is_empty(con->tlsext_server_name)) {
++ l = con->tlsext_server_name;
++#endif
+ } else {
+ l = srv->empty_string;
+ }
+Index: src/base.h
+===================================================================
+--- src/base.h (revision 2402)
++++ src/base.h (working copy)
+@@ -31,6 +31,9 @@
+ #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
+ # define USE_OPENSSL
+ # include <openssl/ssl.h>
++# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
++# define OPENSSL_NO_TLSEXT
++# endif
+ #endif
+
+ #ifdef HAVE_FAM_H
+@@ -417,7 +420,10 @@
+ #ifdef USE_OPENSSL
+ SSL *ssl;
+ buffer *ssl_error_want_reuse_buffer;
++#ifndef OPENSSL_NO_TLSEXT
++ buffer *tlsext_server_name;
+ #endif
++#endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2402)
++++ src/connections.c (working copy)
+@@ -664,6 +664,9 @@
+ CLEAN(server_name);
+ CLEAN(error_handler);
+ CLEAN(dst_addr_buf);
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ CLEAN(tlsext_server_name);
++#endif
+
+ #undef CLEAN
+ con->write_queue = chunkqueue_init();
+@@ -728,6 +731,9 @@
+ CLEAN(server_name);
+ CLEAN(error_handler);
+ CLEAN(dst_addr_buf);
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++ CLEAN(tlsext_server_name);
++#endif
+ #undef CLEAN
+ free(con->plugin_ctx);
+ free(con->cond_cache);
+@@ -1338,6 +1344,9 @@
+ return NULL;
+ }
+
++#ifndef OPENSSL_NO_TLSEXT
++ SSL_set_app_data(con->ssl, con);
++#endif
+ SSL_set_accept_state(con->ssl);
+ con->conf.is_ssl=1;
+
+Index: src/network.c
+===================================================================
+--- src/network.c (revision 2402)
++++ src/network.c (working copy)
+@@ -62,6 +62,45 @@
+ return HANDLER_GO_ON;
+ }
+
++#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
++int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
++ const char *servername;
++ connection *con = (connection *) SSL_get_app_data(ssl);
++
++ buffer_copy_string(con->uri.scheme, "https");
++
++ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "failed to get TLS server name");
++ return SSL_TLSEXT_ERR_NOACK;
++ }
++ buffer_copy_string(con->tlsext_server_name, servername);
++ buffer_to_lower(con->tlsext_server_name);
++
++ config_cond_cache_reset(srv, con);
++ config_setup_connection(srv, con);
++
++ config_patch_connection(srv, con, COMP_SERVER_SOCKET);
++ config_patch_connection(srv, con, COMP_HTTP_SCHEME);
++ config_patch_connection(srv, con, COMP_HTTP_HOST);
++
++ if (NULL == con->conf.ssl_ctx) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ "null SSL_CTX for TLS server name", con->tlsext_server_name);
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++
++ /* switch to new SSL_CTX in reaction to a client's server_name extension */
++ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++
++ return SSL_TLSEXT_ERR_OK;
++}
++#endif
++
+ int network_server_init(server *srv, buffer *host_token, specific_config *s) {
+ int val;
+ socklen_t addr_len;
+@@ -312,78 +351,10 @@
+
+ if (s->is_ssl) {
+ #ifdef USE_OPENSSL
+- if (srv->ssl_is_init == 0) {
+- SSL_load_error_strings();
+- SSL_library_init();
+- srv->ssl_is_init = 1;
+-
+- if (0 == RAND_status()) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- "not enough entropy in the pool");
+- return -1;
+- }
+- }
+-
+- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+-
+- if (!s->ssl_use_sslv2) {
+- /* disable SSLv2 */
+- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+- }
+-
+- if (!buffer_is_empty(s->ssl_cipher_list)) {
+- /* Disable support for low encryption ciphers */
+- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
+- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+- }
+-
+- if (buffer_is_empty(s->ssl_pemfile)) {
++ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
+ return -1;
+ }
+-
+- if (!buffer_is_empty(s->ssl_ca_file)) {
+- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+- return -1;
+- }
+- }
+-
+- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+- return -1;
+- }
+-
+- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+- return -1;
+- }
+-
+- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
+- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+- "Private key does not match the certificate public key, reason:",
+- ERR_error_string(ERR_get_error(), NULL),
+- s->ssl_pemfile);
+- return -1;
+- }
+- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
+- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+-
+- srv_socket->ssl_ctx = s->ssl_ctx;
+ #else
+
+ buffer_free(srv_socket->srv_token);
+@@ -491,6 +462,99 @@
+ { NETWORK_BACKEND_UNSET, NULL }
+ };
+
++#ifdef USE_OPENSSL
++ /* load SSL certificates */
++ for (i = 0; i < srv->config_context->used; i++) {
++ data_config *dc = (data_config *)srv->config_context->data[i];
++ specific_config *s = srv->config_storage[i];
++
++ if (buffer_is_empty(s->ssl_pemfile)) continue;
++
++#ifdef OPENSSL_NO_TLSEXT
++ if (COMP_HTTP_HOST == dc->comp) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
++ return -1;
++ }
++#endif
++
++ if (srv->ssl_is_init == 0) {
++ SSL_load_error_strings();
++ SSL_library_init();
++ srv->ssl_is_init = 1;
++
++ if (0 == RAND_status()) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "not enough entropy in the pool");
++ return -1;
++ }
++ }
++
++ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++
++ if (!s->ssl_use_sslv2) {
++ /* disable SSLv2 */
++ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++ }
++
++ if (!buffer_is_empty(s->ssl_cipher_list)) {
++ /* Disable support for low encryption ciphers */
++ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL));
++ return -1;
++ }
++ }
++
++ if (!buffer_is_empty(s->ssl_ca_file)) {
++ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
++ return -1;
++ }
++ }
++
++ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
++ return -1;
++ }
++
++ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
++ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
++ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
++ return -1;
++ }
++
++ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
++ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
++ "Private key does not match the certificate public key, reason:",
++ ERR_error_string(ERR_get_error(), NULL),
++ s->ssl_pemfile);
++ return -1;
++ }
++ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
++ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
++
++#ifndef OPENSSL_NO_TLSEXT
++ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
++ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
++ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
++ return -1;
++ }
++#endif
++ }
++#endif
++
+ b = buffer_init();
+
+ buffer_copy_string_buffer(b, srv->srvconf.bindhost);
+Index: src/configfile.c
+===================================================================
+--- src/configfile.c (revision 2402)
++++ src/configfile.c (working copy)
+@@ -293,6 +293,7 @@
+ PATCH(is_ssl);
+
+ PATCH(ssl_pemfile);
++ PATCH(ssl_ctx);
+ PATCH(ssl_ca_file);
+ PATCH(ssl_cipher_list);
+ PATCH(ssl_use_sslv2);
+@@ -348,6 +349,7 @@
+ PATCH(etag_use_size);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
+ PATCH(ssl_pemfile);
++ PATCH(ssl_ctx);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
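Review bot: The SNI name captured in network_ssl_servername_callback (src/network.c hunk) selects the SSL_CTX, certificate and $HTTP["host"] configuration for the connection, but the configfile-glue.c hunk consults con->tlsext_server_name only when the request carries no Host header, so a request whose Host header differs from the SNI name is matched against the Host value while still being served under the certificate chosen for the SNI name; nothing in the patch checks that the two agree. A comment above the new `} else if (!buffer_is_empty(con->tlsext_server_name)) {` line should state this, e.g. `/* SNI name is client-supplied and only used as a fallback when no Host header was sent; a differing Host header is not rejected here */`, and a later check in request handling (outside this patch) that refuses such mismatched requests would close the gap. In the same callback the name is copied and lowercased but otherwise unvalidated, and it is echoed into the error log via the "ssb" formats, so any bytes the client put into the extension reach the log unfiltered — presumably acceptable for this codebase, but worth confirming that log_error_write escapes or truncates non-printable content. Separately, `connection *con = (connection *) SSL_get_app_data(ssl);` is dereferenced without a NULL check; SSL_set_app_data is installed in the connections.c hunk before SSL_set_accept_state, so this looks safe for SSL objects created there, but a `if (NULL == con) return SSL_TLSEXT_ERR_ALERT_FATAL;` guard would make the callback robust if it is ever attached to a context created elsewhere. The configfile-glue.c and configfile.c hunks each show only a fragment of their enclosing function.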