OK florian

On Mon, Feb 15, 2021 at 12:41:31PM +0100, Claudio Jeker wrote:
> For SNI all TLS servers need to run with the same config. The config
> parser has an extra step for this. The problem is it also compares the
> TLS config params with non-TLS servers when a server block has both
> listen * port 80 and listen * tls port 443.
> 
> The following diff fixes that and also removes the unused last argument of
> server_tls_cmp().
> -- 
> :wq Claudio
> 
> Index: httpd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.154
> diff -u -p -r1.154 httpd.h
> --- httpd.h   27 Jan 2021 07:21:52 -0000      1.154
> +++ httpd.h   13 Feb 2021 08:32:34 -0000
> @@ -622,7 +622,7 @@ int        cmdline_symset(char *);
>  
>  /* server.c */
>  void  server(struct privsep *, struct privsep_proc *);
> -int   server_tls_cmp(struct server *, struct server *, int);
> +int   server_tls_cmp(struct server *, struct server *);
>  int   server_tls_load_ca(struct server *);
>  int   server_tls_load_crl(struct server *);
>  int   server_tls_load_keypair(struct server *);
> Index: parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> retrieving revision 1.124
> diff -u -p -r1.124 parse.y
> --- parse.y   22 Jan 2021 13:07:17 -0000      1.124
> +++ parse.y   13 Feb 2021 09:02:18 -0000
> @@ -333,7 +333,8 @@ server            : SERVER optmatch STRING        {
>                                       free(srv);
>                                       YYERROR;
>                               }
> -                             if (server_tls_cmp(s, srv, 0) != 0) {
> +                             if (srv->srv_conf.flags & SRVFLAG_TLS &&
> +                                 server_tls_cmp(s, srv) != 0) {
>                                       yyerror("server \"%s\": tls "
>                                           "configuration mismatch on same "
>                                           "address/port",
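Review bot: The new guard consults only the TLS flag of the block being parsed, so a pair where `s` carries SRVFLAG_TLS and `srv` does not now skips server_tls_cmp() entirely, and the flag disagreement itself is not reported by this branch either; if the enclosing loop pairs servers that share an address/port, as the yyerror text suggests, a TLS and a plain listener landing on one socket would pass silently unless it is rejected elsewhere. I cannot see the loop, since the `server` rule action starts before the hunk, so this may already be handled upstream of the check. Separately, the bitwise test sits unparenthesized inside `&&`; `if ((srv->srv_conf.flags & SRVFLAG_TLS) && server_tls_cmp(s, srv) != 0) {` states the intended precedence explicitly and keeps the line in line with how flag tests read elsewhere.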
> Index: server.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.124
> diff -u -p -r1.124 server.c
> --- server.c  2 Jan 2021 18:35:07 -0000       1.124
> +++ server.c  15 Feb 2021 11:38:08 -0000
> @@ -127,7 +127,7 @@ server_privinit(struct server *srv)
>  }
>  
>  int
> -server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
> +server_tls_cmp(struct server *s1, struct server *s2)
>  {
>       struct server_config    *sc1, *sc2;
>  
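Review bot: With match_keypair gone, server_tls_cmp() no longer looks at tls_cert_file or tls_key_file at all, but nothing in the code says this omission is intentional, and a reader who finds two servers on one listener with different certificates will reasonably suspect the check is incomplete. A one-line comment above the definition would settle it, e.g. `/* Compare the TLS settings that must agree between servers sharing a listener; the certificate and key may differ per server name and are deliberately left out. */`. The function body continues past this hunk, and the removed keypair block sits in the following hunk.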
> @@ -146,13 +146,6 @@ server_tls_cmp(struct server *s1, struct
>               return (-1);
>       if (strcmp(sc1->tls_ecdhe_curves, sc2->tls_ecdhe_curves) != 0)
>               return (-1);
> -
> -     if (match_keypair) {
> -             if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0)
> -                     return (-1);
> -             if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0)
> -                     return (-1);
> -     }
>  
>       return (0);
>  }
> 

-- 
I'm not entirely sure you are real.
