Changeset 1893

Timestamp:

08/22/08 01:17:09 (3 months ago)

Author:

alo

Message:

--

Files:

• cherokee/trunk/ChangeLog (modified) (1 diff)
• cherokee/trunk/cherokee/socket.c (modified) (3 diffs)
• cherokee/trunk/cherokee/virtual_server.c (modified) (8 diffs)
• cherokee/trunk/cherokee/virtual_server.h (modified) (2 diffs)

cherokee/trunk/ChangeLog

@@ -1 +1 @@
-2008-08-21  Alvaro Lopez Ortega  <alvaro@alobbs.com>
+
+        * cherokee/virtual_server.c, cherokee/virtual_server.h,
+        cherokee/socket.c: Adds TLS SNI support to the GNUTLS backend.
-
-        * cherokee/virtual_server.c, cherokee/socket.c, cherokee/socket.h,

cherokee/trunk/cherokee/socket.c

@@ -344 +344 @@
-
-static ret_t
-
-
+
+
+
+
-        int re;
-
+
-        /* Set the virtual server object reference
-         */
-        socket->vserver_ref = vserver;
-
-# if defined(HAVE_GNUTLS)
-        /* Init the TLS session
-         */
-        re = gnutls_init (&socket->session, GNUTLS_SERVER);
-
+
+
+
+
-
-        /* Set the socket file descriptor
-         */
-
+  
-
-        /* Load the credentials
@@ -380 +384 @@
-        gnutls_credentials_set (socket->session, GNUTLS_CRD_CERTIFICATE, vserver->credentials);
-        
-        /* Request client certificate if any.
-         */
-        gnutls_certificate_server_set_request (socket->session, GNUTLS_CERT_REQUEST);
-
-        /* Set the number of bits, for use in an Diffie Hellman key
-         * exchange: minimum size of the prime that will be used for
@@ -397 +397 @@
-        gnutls_db_set_ptr               (socket->session, socket);
-
+        /* Request client certificate if any.
+         */
+        gnutls_certificate_server_set_request (socket->session, GNUTLS_CERT_REQUEST);
+        gnutls_handshake_set_private_extensions (socket->session, 1);
+
-# elif defined (HAVE_OPENSSL)
+        int re;
+
+        /* Set the virtual server object reference
+         */
+        socket->vserver_ref = vserver;
-
-        /* New session

cherokee/trunk/cherokee/virtual_server.c

@@ -36 +36 @@
-
-#define ENTRIES "vserver"
+#define MAX_HOST_LEN 255
-
-
@@ -84 +85 @@
-# ifdef HAVE_GNUTLS
-        n->credentials     = NULL;
+        n->privkey_x509    = NULL;
+        n->certs_x509      = NULL;
-# endif
-# ifdef HAVE_OPENSSL
@@ -137 +140 @@
-                vserver->credentials = NULL;
-        }
+        if (vserver->privkey_x509 != NULL) {
+                gnutls_x509_privkey_deinit (vserver->privkey_x509);
+        }
+        if (vserver->certs_x509 != NULL) {
+                gnutls_x509_crt_deinit (vserver->certs_x509);
+        }
+
-# endif
-# ifdef HAVE_OPENSSL
@@ -220 +230 @@
-
-
-ndef OPENSSL_NO_TLSEXT 
+ defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_TLSEXT)
-static int
-openssl_sni_servername_cb (SSL *ssl, int *ad, void *arg)
@@ -274 +284 @@
-
-
+#ifdef HAVE_TLS
+static int
+gnutls_sni_servername_cb (gnutls_session_t  session, 
+                          gnutls_retr_st   *retr)
+{
+        int                        re;
+        ret_t                      ret;
+        cherokee_buffer_t          tmp;
+        cherokee_socket_t         *socket;
+        cherokee_server_t         *srv;
+        char                       name[MAX_HOST_LEN];
+        size_t                     data_len             = MAX_HOST_LEN;
+        unsigned int               type                 = 0;
+        cherokee_virtual_server_t *vsrv                 = NULL;
+
+        re = gnutls_server_name_get (session, name, &data_len, &type, 0);
+        if (re != 0) {
+                TRACE (ENTRIES, "No SNI: Did not provide a server name%s", "\n");
+                return 0;
+        }
+        
+        if (type != GNUTLS_NAME_DNS) {
+                TRACE (ENTRIES, "SNI: Not a name entry: '%s'\n", name);
+                return 0;
+        }
+
+        TRACE (ENTRIES, "SNI: Switching to servername='%s'\n", name);
+
+        socket = gnutls_session_get_ptr (session);
+        if (socket == NULL) {
+                PRINT_ERROR ("Could not access the socket struct: %s\n", name);
+                return -1;
+        }
+
+        srv = VSERVER_SRV(socket->vserver_ref);
+        
+        cherokee_buffer_fake (&tmp, name, data_len);
+        ret = cherokee_server_get_vserver (srv, &tmp, &vsrv);
+        if ((ret != ret_ok) || (vsrv == NULL)) {
+                PRINT_ERROR ("Servername did not match: '%s'\n", name);
+                return -1; 
+        }
+
+        TRACE (ENTRIES, "SNI: Setting new TLS context. Virtual host='%s'\n",
+               vsrv->name.buf);
+            
+        retr->deinit_all = 0;
+        retr->type       = GNUTLS_CRT_X509;
+        retr->ncerts     = 1;
+        retr->cert.x509  = &vsrv->certs_x509;
+        retr->key.x509   = vsrv->privkey_x509;
+
+        return 0;
+}
+#endif
+
+# ifdef HAVE_GNUTLS
+static int
+set_x509_key_file (cherokee_virtual_server_t *vsrv)
+{
+        int               rc;
+        gnutls_datum_t    data;
+        unsigned int      max = 1;
+        cherokee_buffer_t tmp = CHEROKEE_BUF_INIT;
+
+        /* This function does basically the same as the previous call to:
+         *
+         *  rc = gnutls_certificate_set_x509_key_file (vsrv->credentials,
+         *                                         vsrv->server_cert.buf,
+         *                                         vsrv->server_key.buf,
+         *                                         GNUTLS_X509_FMT_PEM);
+         *
+         * but it keeps pointers to the X509 certs and privkey, which
+         * was needed for the SNI callback function.
+         */
+
+        /* X509 private key
+         */
+        cherokee_buffer_read_file (&tmp, vsrv->server_key.buf);
+        data.data = (unsigned char *)tmp.buf;
+        data.size = tmp.len;
+
+        rc = gnutls_x509_privkey_init (&vsrv->privkey_x509);
+        if (rc < 0)
+                goto error;
+
+        rc = gnutls_x509_privkey_import (vsrv->privkey_x509, &data, GNUTLS_X509_FMT_PEM);
+        if (rc < 0)
+                goto error;
+
+        /* X509 Certificate
+         */
+        cherokee_buffer_clean (&tmp);
+        cherokee_buffer_read_file (&tmp, vsrv->server_cert.buf);
+        data.data = (unsigned char *)tmp.buf;
+        data.size = tmp.len;
+        
+        gnutls_x509_crt_list_import (&vsrv->certs_x509, &max, &data, GNUTLS_X509_FMT_PEM, 0);
+
+        /* Update the credentials
+         */
+        rc = gnutls_certificate_set_x509_key (vsrv->credentials,
+                                              &vsrv->certs_x509, 1,
+                                              vsrv->privkey_x509);
+        if (rc < 0)
+                goto error;
+
+        /* Clean up 
+         */
+        cherokee_buffer_mrproper (&tmp);
+        return 0;
+
+error:
+        cherokee_buffer_mrproper (&tmp);
+        return rc;
+}
+#endif
+
+
-ret_t 
-cherokee_virtual_server_init_tls (cherokee_virtual_server_t *vsrv)
@@ -290 +419 @@
-        /* Check one or more are empty
-         */
-
-
+
-            cherokee_buffer_is_empty (&vsrv->server_cert))
-                return ret_error;
@@ -304 +432 @@
-        /* CA file
-         */
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-        }
-
-        /* Key file
-         */
-
-
-
-
+
-        if (rc < 0) {
-                PRINT_ERROR ("ERROR: reading X.509 key '%s' or certificate '%s' file\n", 
@@ -324 +453 @@
-        }
-
+        /* SNI 
+         */
+        gnutls_certificate_server_set_retrieve_function (vsrv->credentials,
+                                                         gnutls_sni_servername_cb);
+
+
+        /* Ciphers
+         */
-        generate_dh_params (&vsrv->dh_params);
-        generate_rsa_params (&vsrv->rsa_params);

cherokee/trunk/cherokee/virtual_server.h

@@ -32 +32 @@
-# include <gnutls/extra.h>
-# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
-#endif
-
@@ -83 +84 @@
-        cherokee_avl_r_t             session_cache;
-
-
+   
-        gnutls_certificate_server_credentials credentials;
+        gnutls_x509_privkey_t                 privkey_x509;
+        gnutls_x509_crt_t                     certs_x509;
+
-        gnutls_dh_params             dh_params;
-        gnutls_rsa_params            rsa_params;