
- lophttpd: adding SNI (needs to be matched with Host: yet)

- lophttpd: removing ssl privsep code since it's no longer needed in favor of sandboxing
stealth committed Jul 8, 2014
1 parent 3c7360a commit f6943011586b799bda0a67c9ed4f7d1476ba0601
Showing with 368 additions and 170 deletions.
  1. +8 −4 Makefile
  2. +6 −6 Makefile.android
  3. +8 −4 Makefile.osx
  4. +18 −8 client.cc
  5. +7 −1 client.h
  6. +1 −1 config.cc
  7. +2 −1 config.h
  8. +9 −81 lonely.cc
  9. +5 −25 lonely.h
  10. +14 −39 main.cc
  11. +190 −0 ssl.cc
  12. +100 −0 ssl.h
@@ -23,14 +23,14 @@ clean:
distclean: clean
rm -f lhttpd
lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o dh.o
lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o dh.o ssl.o
$(LD) $(LDFLAGS) lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o\
client.o dh.o -o lhttpd $(LIBS)
client.o dh.o ssl.o -o lhttpd $(LIBS)
frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o dh.o
frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o dh.o ssl.o
$(LD) $(LDFLAGS) lonely.o socket.o frontend-main.o misc.o log.o multicore.o rproxy.o\
config.o flavor.o client.o dh.o -o frontend $(LIBS)
config.o flavor.o client.o dh.o ssl.o -o frontend $(LIBS)
frontend-main.o: frontend-main.cc
$(CXX) $(CFLAGS) -c frontend-main.cc
@@ -68,3 +68,7 @@ client.o: client.cc client.h
dh.o: dh.cc dh512.cc dh1024.cc
$(CXX) $(CFLAGS) -c dh.cc
ssl.o: ssl.cc ssl.h
$(CXX) $(CFLAGS) -c ssl.cc
@@ -3,13 +3,13 @@
#
ROOT=/S/SOURCES
NDK=android-ndk-r7
PREFIX=$(ROOT)/$(NDK)/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-
SYSROOT=--sysroot=$(ROOT)/$(NDK)/platforms/android-9/arch-arm/
NDK=android-ndk-r9d
PREFIX=$(ROOT)/$(NDK)/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi-
SYSROOT=--sysroot=$(ROOT)/$(NDK)/platforms/android-19/arch-arm/
INC=-I$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/include\
-I$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/libs/armeabi/include
LIB=-Wl,$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/libs/armeabi/libgnustl_static.a
-I$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/4.8/include/\
-I$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/4.8/libs/armeabi/include
LIB=-Wl,$(ROOT)/$(NDK)/sources/cxx-stl/gnu-libstdc++/4.8/libs/armeabi/libgnustl_static.a
CXX=$(PREFIX)c++ $(INC) $(SYSROOT) -Wall -O2 -DANDROID
@@ -21,14 +21,14 @@ clean:
distclean: clean
rm -f lhttpd
lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o dh.o
lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o dh.o ssl.o
$(LD) $(LDFLAGS) lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o\
client.o dh.o -o lhttpd $(LIBS)
client.o dh.o ssl.o -o lhttpd $(LIBS)
frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o dh.o
frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o dh.o ssl.o
$(LD) $(LDFLAGS) lonely.o socket.o frontend-main.o misc.o log.o multicore.o rproxy.o\
config.o flavor.o client.o dh.o -o frontend $(LIBS)
config.o flavor.o client.o dh.o ssl.o -o frontend $(LIBS)
frontend-main.o: frontend-main.cc
$(CXX) $(CFLAGS) -c frontend-main.cc
@@ -66,3 +66,7 @@ client.o: client.cc client.h
dh.o: dh.cc dh512.cc dh1024.cc
$(CXX) $(CFLAGS) -c dh.cc
ssl.o: ssl.cc ssl.h
$(CXX) $(CFLAGS) -c ssl.c
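Review bot: The new ssl.o recipe in Makefile.osx compiles `ssl.c` instead of `ssl.cc`, so the OS X build of lhttpd and frontend fails with a missing input file as soon as ssl.o is required. The dependency line directly above names `ssl.cc ssl.h`, and the same rule in Makefile and Makefile.android uses `-c ssl.cc`. Change the recipe to `$(CXX) $(CFLAGS) -c ssl.cc`.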
@@ -47,12 +47,6 @@ extern "C" {
#include <openssl/ssl.h>
}
#ifdef USE_SSL_PRIVSEP
extern "C" {
#include "sslps.h"
}
#endif
#endif
@@ -86,6 +80,7 @@ void http_client::cleanup()
if (ssl)
SSL_free(ssl);
ssl = NULL;
// do not free ssl_ctx, its only borrowed
#endif
}
@@ -272,13 +267,28 @@ SSL_SESSION *http_client::get_session(SSL *ssl, unsigned char *id, int len, int
}
int http_client::ssl_accept(SSL_CTX *ssl_ctx)
int http_client::match_sni(const string &host)
{
if (!ssl_enabled || !ssl || httpd_config::cfile.size() < 2)
return 0;
const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (!sni)
return 0;
return strcasecmp(sni, host.c_str()) == 0 ? 1 : -1;
}
int http_client::ssl_accept(ssl_container *sslc)
{
int r = 0;
// may be re-entered if no complete handshake has been seen yet
if (!ssl) {
if ((ssl = SSL_new(ssl_ctx)) == NULL)
if ((ssl = SSL_new(sslc->find_ctx("<default>"))) == NULL)
return -1;
if (SSL_set_fd(ssl, peer_fd) != 1)
return -1;
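Review bot: match_sni returns 0 both when no check is possible (SSL off, no SSL object, fewer than two certificates configured) and when the client sent no SNI at all, so a caller cannot tell "not applicable" from "absent", and a connection without SNI can never produce a mismatch; this is the same tri-state that the declaration in client.h leaves undocumented. At minimum document it on the declaration, e.g. `// 1: TLS SNI equals host (case-insensitive); -1: mismatch; 0: no check possible (SSL disabled, no SNI sent, or fewer than two certs configured)`. If the caller passes the raw Host: header value, a `host:port` form would always yield -1, which is worth confirming at the call site, which is outside this hunk. The body of ssl_accept continues past the end of the hunk, so the rest of the `sslc->find_ctx("<default>")` path was not reviewed here.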
@@ -43,6 +43,9 @@
#include "config.h"
#ifdef USE_SSL
#include "ssl.h"
extern "C" {
#include <openssl/ssl.h>
}
@@ -104,6 +107,7 @@ class http_client {
ino(0), path(""), from_ip(""), first_line(""), ct(0), in_queue(0), ftype(FILE_REGULAR), blen(0),
req_idx(0)
{
#ifdef USE_SSL
ssl = NULL;
#endif
@@ -130,14 +134,16 @@ class http_client {
#ifdef USE_SSL
int ssl_accept(SSL_CTX *);
int ssl_accept(ssl_container *);
static int new_session(SSL *, SSL_SESSION *);
static void remove_session(SSL_CTX *, SSL_SESSION *);
static SSL_SESSION *get_session(SSL *, unsigned char *, int, int *);
int match_sni(const std::string &);
#endif
};
@@ -15,7 +15,7 @@ namespace httpd_config
{
string root = "/srv/www/htdocs", base = "/";
string upload = "";
string kfile = "", cfile = "";
map<string, string> kfile, cfile;
bool gen_index = 0, virtual_hosts = 0, is_chrooted = 0, quiet = 0;
bool rand_upload = 0, no_error_kill = 0, rand_upload_quiet = 0, use_ssl = 0;
string user = "wwwrun", logfile = "/var/log/lophttpd", log_provider = "file";
@@ -12,7 +12,8 @@
namespace httpd_config
{
extern std::string root, base;
extern std::string upload, kfile, cfile;
extern std::string upload;
extern std::map<std::string, std::string> kfile, cfile;
extern bool gen_index, virtual_hosts, is_chrooted, quiet, use_ssl;
extern bool rand_upload, no_error_kill, rand_upload_quiet;
extern std::string user, logfile, log_provider;
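Review bot: The header now names `std::map` in the `kfile, cfile` declaration, but the include block sits above this hunk and I cannot see whether config.h pulls in `<map>` itself. If it does not, every translation unit that includes config.h before `<map>` stops compiling, so the header should carry `#include <map>` alongside the include that presumably already provides `std::string`. The same applies to config.cc, where the definitions were changed in the other hunk of this commit.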
@@ -32,7 +32,6 @@
#include <unistd.h>
#include <fcntl.h>
#include <cassert>
#include <cerrno>
#include <string>
#include <cstring>
@@ -61,23 +60,8 @@
#include "socket.h"
#include "flavor.h"
#include "client.h"
#include "ssl.h"
#ifdef USE_SSL
extern "C" {
#include <openssl/ssl.h>
#include <openssl/engine.h>
#include <openssl/err.h>
}
extern int enable_dh(SSL_CTX *);
#ifdef USE_SSL_PRIVSEP
extern "C" {
#include "sslps.h"
}
#endif
#endif
using namespace std;
using namespace ns_socket;
@@ -129,12 +113,6 @@ const string lonely_http::put_hdr_fmt =
"Content-Type: text/html\r\n\r\n";
#ifdef USE_CIPHERS
string ciphers = USE_CIPHERS;
#else
string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!ADH:kDHE:RSA:AES256:SHA256:SHA384:IDEA:@STRENGTH";
#endif
bool operator<(const inode &i1, const inode &i2)
{
@@ -352,72 +330,22 @@ void lonely<state_engine>::log(const string &msg)
int lonely_http::setup_ssl(const string &cpath, const string &kpath)
int lonely_http::setup_ssl(const map<string, string> &certs, const map<string, string> &keys)
{
#ifdef USE_SSL
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
if ((ssl_method = TLSv1_server_method()) == NULL) {
err = "lonely_http::setup_ssl::TLSv1_server_method:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
err = "lonely_http::setup_ssl::SSL_CTX_new:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
if (sslc)
delete sslc;
if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cpath.c_str()) != 1) {
err = "lonely_http::setup_ssl::SSL_CTX_use_certificate_chain_file:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
if (SSL_CTX_use_PrivateKey_file(ssl_ctx, kpath.c_str(), SSL_FILETYPE_PEM) != 1) {
err = "lonely_http::setup_ssl::SSL_CTX_use_PrivateKey_file:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
err = "lonely_http::setup_ssl::SSL_CTX_check_private_key:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
if (SSL_CTX_set_session_id_context(ssl_ctx, (const unsigned char *)"lophttpd", 8) != 1) {
err = "lonely_http::setup_ssl::SSL_CTX_set_session_id_context:";
err += ERR_error_string(ERR_get_error(), NULL);
if ((sslc = new (nothrow) ssl_container) == NULL) {
err = "lonely_http::setup_ssl: OOM";
return -1;
}
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
// check for DHE and enable it if there are parameters
string::size_type dhe = ciphers.find("kDHE");
if (dhe != string::npos) {
if (enable_dh(ssl_ctx) != 1)
ciphers.erase(dhe, 4);
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers.c_str()) != 1) {
err = "lonely_http::setup_ssl::SSL_CTX_set_cipher_list:";
err += ERR_error_string(ERR_get_error(), NULL);
err += "(Try default cipher list in Makefile)";
if (sslc->init(certs, keys) < 0) {
err = string("lonely_http::setup_ssl:") + sslc->why();
return -1;
}
#ifndef USE_SSL_PRIVSEP
SSL_CTX_sess_set_new_cb(ssl_ctx, http_client::new_session);
SSL_CTX_sess_set_remove_cb(ssl_ctx, http_client::remove_session);
SSL_CTX_sess_set_get_cb(ssl_ctx, http_client::get_session);
#endif
#endif
return 0;
}
@@ -556,7 +484,7 @@ int lonely_http::loop()
continue;
#ifdef USE_SSL
} else if (peer->state() == STATE_HANDSHAKING) {
if ((r = peer->ssl_accept(ssl_ctx)) < 0) {
if ((r = peer->ssl_accept(sslc)) < 0) {
cleanup(i);
continue;
} else if (r > 0)
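Review bot: In setup_ssl, `if (sslc) delete sslc;` leaves `sslc` pointing at freed memory when the following `new (nothrow) ssl_container` fails: the function returns -1 with the dangling pointer still stored in the object, and the destructor in lonely.h later calls `sslc->clear()` on it. Reset the pointer as part of the delete, `delete sslc; sslc = NULL;` (deleting a null pointer is a no-op, so the `if` can go). Calling setup_ssl a second time also destroys the container whose SSL_CTX objects existing clients borrow (client.cc notes the ctx is "only borrowed"), which would need either a guard against re-initialisation or a confirmation that no client is live at that point. The session-cache callbacks, cipher list, DH setup and session-id context that this hunk removes are presumably re-created inside ssl_container::init in ssl.cc, which did not load in this view, so that carry-over is worth confirming.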
@@ -46,12 +46,7 @@
#include <utility>
#include "client.h"
#include "log.h"
#ifdef USE_SSL
extern "C" {
#include <openssl/ssl.h>
}
#endif
#include "ssl.h"
typedef enum {
@@ -184,16 +179,7 @@ class lonely_http : public lonely<http_client> {
static const std::string hdr_fmt, chunked_hdr_fmt, part_hdr_fmt, put_hdr_fmt;
#ifdef USE_SSL
SSL_CTX *ssl_ctx;
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
const SSL_METHOD *ssl_method;
#else
SSL_METHOD *ssl_method;
#endif
#endif
ssl_container *sslc;
int OPTIONS();
@@ -236,30 +222,24 @@ class lonely_http : public lonely<http_client> {
: cur_start_range(0), cur_end_range(0),
cur_range_requested(0), forced_send_size(0), cur_request(HTTP_REQUEST_NONE),
min_send(MIN_SEND_SIZE), n_send(s), max_send(MAX_SEND_SIZE),
vhosts(0)
sslc(NULL), vhosts(0)
{
if (n_send != DEFAULT_SEND_SIZE)
forced_send_size = 1;
if (n_send > max_send)
n_send = max_send;
if (n_send < min_send)
n_send = min_send;
#ifdef USE_SSL
ssl_ctx = NULL;
ssl_method = NULL;
#endif
}
virtual ~lonely_http()
{
#ifdef USE_SSL
if (ssl_ctx)
SSL_CTX_free(ssl_ctx);
ssl_ctx = NULL;
sslc->clear();
#endif
}
int setup_ssl(const std::string &, const std::string &);
int setup_ssl(const std::map<std::string, std::string> &, const std::map<std::string, std::string> &);
int send_genindex();
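Review bot: The destructor calls `sslc->clear()` unconditionally, but the constructor initialises `sslc(NULL)` and only setup_ssl allocates it, so a lonely_http built with USE_SSL and destroyed without a successful setup_ssl dereferences a null pointer. The container is also never freed here, whereas setup_ssl deletes a previous one, so the destructor should own it too: `if (sslc) { sslc->clear(); delete sslc; sslc = NULL; }`, assuming ssl_container's destructor does not already perform the clear, which I cannot see from here. The `ssl_container *sslc;` member appears to be declared after the `#endif` of the USE_SSL block while its only use in this file is inside one; if ssl.h defines ssl_container only under USE_SSL, the declaration needs to move inside the guard as well.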