For SNI, all TLS servers need to run with the same config, and the config
parser has an extra check to enforce this. The problem is that the check
also compares the TLS config parameters against non-TLS servers when a
server block has both `listen * port 80` and `listen * tls port 443`.

The following diff fixes that and also removes the unused last argument of
server_tls_cmp().
-- 
:wq Claudio

Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.154
diff -u -p -r1.154 httpd.h
--- httpd.h     27 Jan 2021 07:21:52 -0000      1.154
+++ httpd.h     13 Feb 2021 08:32:34 -0000
@@ -622,7 +622,7 @@ int  cmdline_symset(char *);
 
 /* server.c */
 void    server(struct privsep *, struct privsep_proc *);
-int     server_tls_cmp(struct server *, struct server *, int);
+int     server_tls_cmp(struct server *, struct server *);
 int     server_tls_load_ca(struct server *);
 int     server_tls_load_crl(struct server *);
 int     server_tls_load_keypair(struct server *);
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.124
diff -u -p -r1.124 parse.y
--- parse.y     22 Jan 2021 13:07:17 -0000      1.124
+++ parse.y     13 Feb 2021 09:02:18 -0000
@@ -333,7 +333,8 @@ server              : SERVER optmatch STRING        {
                                        free(srv);
                                        YYERROR;
                                }
-                               if (server_tls_cmp(s, srv, 0) != 0) {
+                               if (srv->srv_conf.flags & SRVFLAG_TLS &&
+                                   server_tls_cmp(s, srv) != 0) {
                                        yyerror("server \"%s\": tls "
                                            "configuration mismatch on same "
                                            "address/port",
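Review bot: The added flag test looks only at the new server `srv`; if the already-registered `s` on the same address/port is TLS while `srv` is plain, `server_tls_cmp()` is skipped and the pair is accepted as compatible at this point. That combination may already be rejected elsewhere in the rule (the loop producing `s` and the rest of the action lie outside the hunk), but if it is not, testing the flag on both sides first would close the gap, e.g. `if ((srv->srv_conf.flags & SRVFLAG_TLS) != (s->srv_conf.flags & SRVFLAG_TLS))` reported with its own yyerror ahead of the existing compare. As a point of style, the condition is correct as written because `&` binds tighter than `&&`, but writing it as `(srv->srv_conf.flags & SRVFLAG_TLS) &&` makes the intent obvious to the next reader.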
Index: server.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server.c,v
retrieving revision 1.124
diff -u -p -r1.124 server.c
--- server.c    2 Jan 2021 18:35:07 -0000       1.124
+++ server.c    15 Feb 2021 11:38:08 -0000
@@ -127,7 +127,7 @@ server_privinit(struct server *srv)
 }
 
 int
-server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
+server_tls_cmp(struct server *s1, struct server *s2)
 {
        struct server_config    *sc1, *sc2;
 
@@ -146,13 +146,6 @@ server_tls_cmp(struct server *s1, struct
                return (-1);
        if (strcmp(sc1->tls_ecdhe_curves, sc2->tls_ecdhe_curves) != 0)
                return (-1);
-
-       if (match_keypair) {
-               if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0)
-                       return (-1);
-               if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0)
-                       return (-1);
-       }
 
        return (0);
 }
