Commit | Line | Data |
---|---|---|
6ca53b2e FT |
1 | /* |
2 | ashd - A Sane HTTP Daemon | |
3 | Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com> | |
4 | ||
5 | This program is free software: you can redistribute it and/or modify | |
6 | it under the terms of the GNU General Public License as published by | |
7 | the Free Software Foundation, either version 3 of the License, or | |
8 | (at your option) any later version. | |
9 | ||
10 | This program is distributed in the hope that it will be useful, | |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
13 | GNU General Public License for more details. | |
14 | ||
15 | You should have received a copy of the GNU General Public License | |
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | |
17 | */ | |
18 | ||
19 | #include <stdlib.h> | |
20 | #include <unistd.h> | |
21 | #include <string.h> | |
22 | #include <fcntl.h> | |
23 | #include <sys/socket.h> | |
24 | #include <netinet/in.h> | |
25 | #include <arpa/inet.h> | |
26 | #include <errno.h> | |
27 | ||
28 | #ifdef HAVE_CONFIG_H | |
29 | #include <config.h> | |
30 | #endif | |
31 | #include <utils.h> | |
32 | #include <mt.h> | |
33 | #include <mtio.h> | |
34 | #include <req.h> | |
35 | #include <log.h> | |
36 | ||
37 | #include "htparser.h" | |
38 | ||
39 | #ifdef HAVE_GNUTLS | |
40 | ||
41 | #include <gnutls/gnutls.h> | |
42 | ||
43 | struct sslport { | |
44 | int fd; | |
45 | int sport; | |
46 | gnutls_certificate_credentials_t creds; | |
47 | }; | |
48 | ||
49 | struct sslconn { | |
50 | int fd; | |
51 | struct sslport *port; | |
52 | struct sockaddr_storage name; | |
53 | gnutls_session_t sess; | |
54 | struct charbuf in; | |
55 | }; | |
56 | ||
57 | static gnutls_dh_params_t dhparams; | |
58 | ||
59 | static int tlsblock(int fd, gnutls_session_t sess, time_t to) | |
60 | { | |
61 | if(gnutls_record_get_direction(sess)) | |
62 | return(block(fd, EV_WRITE, to)); | |
63 | else | |
64 | return(block(fd, EV_READ, to)); | |
65 | } | |
66 | ||
67 | static ssize_t sslread(void *cookie, char *buf, size_t len) | |
68 | { | |
69 | struct sslconn *ssl = cookie; | |
70 | ssize_t xf; | |
71 | int ret; | |
72 | ||
73 | while(ssl->in.d == 0) { | |
74 | sizebuf(ssl->in, ssl->in.d + 1024); | |
75 | ret = gnutls_record_recv(ssl->sess, ssl->in.b + ssl->in.d, ssl->in.s - ssl->in.d); | |
76 | if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) { | |
77 | if(tlsblock(ssl->fd, ssl->sess, 60) == 0) { | |
78 | errno = ETIMEDOUT; | |
79 | return(-1); | |
80 | } | |
81 | } else if(ret < 0) { | |
82 | errno = EIO; | |
83 | return(-1); | |
84 | } else if(ret == 0) { | |
85 | return(0); | |
86 | } else { | |
87 | ssl->in.d += ret; | |
88 | } | |
89 | } | |
90 | xf = min(ssl->in.d, len); | |
91 | memcpy(buf, ssl->in.b, xf); | |
92 | memmove(ssl->in.b, ssl->in.b + xf, ssl->in.d -= xf); | |
93 | return(xf); | |
94 | } | |
95 | ||
96 | static ssize_t sslwrite(void *cookie, const char *buf, size_t len) | |
97 | { | |
98 | struct sslconn *ssl = cookie; | |
99 | int ret; | |
100 | size_t off; | |
101 | ||
102 | off = 0; | |
103 | while(off < len) { | |
104 | ret = gnutls_record_send(ssl->sess, buf + off, len - off); | |
105 | if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) { | |
106 | if(tlsblock(ssl->fd, ssl->sess, 60) == 0) { | |
107 | if(off == 0) { | |
108 | errno = ETIMEDOUT; | |
109 | return(-1); | |
110 | } | |
111 | return(off); | |
112 | } | |
113 | } else if(ret < 0) { | |
114 | if(off == 0) { | |
115 | errno = EIO; | |
116 | return(-1); | |
117 | } | |
118 | return(off); | |
119 | } else { | |
120 | off += ret; | |
121 | } | |
122 | } | |
123 | return(off); | |
124 | } | |
125 | ||
126 | static int sslclose(void *cookie) | |
127 | { | |
128 | return(0); | |
129 | } | |
130 | ||
131 | static cookie_io_functions_t iofuns = { | |
132 | .read = sslread, | |
133 | .write = sslwrite, | |
134 | .close = sslclose, | |
135 | }; | |
136 | ||
137 | static int initreq(struct conn *conn, struct hthead *req) | |
138 | { | |
139 | struct sslconn *ssl = conn->pdata; | |
140 | char nmbuf[256]; | |
141 | ||
142 | if(ssl->name.ss_family == AF_INET) { | |
143 | headappheader(req, "X-Ash-Address", inet_ntop(AF_INET, &((struct sockaddr_in *)&ssl->name)->sin_addr, nmbuf, sizeof(nmbuf))); | |
144 | headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port))); | |
145 | } else if(ssl->name.ss_family == AF_INET6) { | |
146 | headappheader(req, "X-Ash-Address", inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ssl->name)->sin6_addr, nmbuf, sizeof(nmbuf))); | |
147 | headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port))); | |
148 | } | |
149 | headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport)); | |
150 | headappheader(req, "X-Ash-Protocol", "https"); | |
151 | return(0); | |
152 | } | |
153 | ||
154 | static void servessl(struct muth *muth, va_list args) | |
155 | { | |
156 | vavar(int, fd); | |
157 | vavar(struct sockaddr_storage, name); | |
158 | vavar(struct sslport *, pd); | |
159 | struct conn conn; | |
160 | struct sslconn ssl; | |
161 | gnutls_session_t sess; | |
162 | int ret; | |
163 | FILE *in; | |
164 | ||
165 | fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK); | |
166 | gnutls_init(&sess, GNUTLS_SERVER); | |
167 | gnutls_set_default_priority(sess); | |
168 | gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds); | |
169 | gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); | |
170 | gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd); | |
171 | while((ret = gnutls_handshake(sess)) != 0) { | |
172 | if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN)) | |
173 | goto out; | |
174 | if(tlsblock(fd, sess, 60) <= 0) | |
175 | goto out; | |
176 | } | |
177 | memset(&conn, 0, sizeof(conn)); | |
178 | memset(&ssl, 0, sizeof(ssl)); | |
179 | conn.pdata = &ssl; | |
180 | conn.initreq = initreq; | |
181 | ssl.fd = fd; | |
182 | ssl.port = pd; | |
183 | ssl.name = name; | |
184 | ssl.sess = sess; | |
185 | bufinit(ssl.in); | |
186 | in = fopencookie(&ssl, "r+", iofuns); | |
187 | serve(in, &conn); | |
188 | ||
189 | out: | |
190 | gnutls_deinit(sess); | |
191 | close(fd); | |
192 | } | |
193 | ||
194 | static void listenloop(struct muth *muth, va_list args) | |
195 | { | |
196 | vavar(struct sslport *, pd); | |
197 | int ns; | |
198 | struct sockaddr_storage name; | |
199 | socklen_t namelen; | |
200 | ||
201 | while(1) { | |
202 | namelen = sizeof(name); | |
203 | block(pd->fd, EV_READ, 0); | |
204 | ns = accept(pd->fd, (struct sockaddr *)&name, &namelen); | |
205 | if(ns < 0) { | |
206 | flog(LOG_ERR, "accept: %s", strerror(errno)); | |
207 | goto out; | |
208 | } | |
209 | mustart(servessl, ns, name, pd); | |
210 | } | |
211 | ||
212 | out: | |
213 | close(pd->fd); | |
214 | free(pd); | |
215 | } | |
216 | ||
217 | static void init(void) | |
218 | { | |
219 | static int inited = 0; | |
220 | int ret; | |
221 | ||
222 | if(inited) | |
223 | return; | |
224 | inited = 1; | |
225 | if((ret = gnutls_global_init()) != 0) { | |
226 | flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret)); | |
227 | exit(1); | |
228 | } | |
229 | if(((ret = gnutls_dh_params_init(&dhparams)) != 0) || | |
230 | ((ret = gnutls_dh_params_generate2(dhparams, 2048)) != 0)) { | |
231 | flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret)); | |
232 | exit(1); | |
233 | } | |
234 | } | |
235 | ||
236 | void handlegnussl(int argc, char **argp, char **argv) | |
237 | { | |
238 | int i, ret, port, fd; | |
239 | gnutls_certificate_credentials_t creds; | |
240 | struct sslport *pd; | |
241 | char *crtfile, *keyfile; | |
242 | ||
243 | init(); | |
244 | port = 443; | |
245 | gnutls_certificate_allocate_credentials(&creds); | |
246 | keyfile = crtfile = NULL; | |
247 | for(i = 0; i < argc; i++) { | |
248 | if(!strcmp(argp[i], "help")) { | |
249 | printf("ssl handler parameters:\n"); | |
250 | printf("\tcert=CERT-FILE [mandatory]\n"); | |
251 | printf("\t\tThe name of the file to read the certificate from.\n"); | |
252 | printf("\tkey=KEY-FILE [same as CERT-FILE]\n"); | |
253 | printf("\t\tThe name of the file to read the private key from.\n"); | |
254 | printf("\ttrust=CA-FILE [no default]\n"); | |
255 | printf("\t\tThe name of a file to read trusted certificates from.\n"); | |
256 | printf("\t\tMay be given multiple times.\n"); | |
257 | printf("\tcrl=CRL-FILE [no default]\n"); | |
258 | printf("\t\tThe name of a file to read revocation lists from.\n"); | |
259 | printf("\t\tMay be given multiple times.\n"); | |
260 | printf("\tport=PORT [443]\n"); | |
261 | printf("\t\tThe TCP port to listen on.\n"); | |
262 | printf("\n"); | |
263 | printf("\tAll X.509 data files must be PEM-encoded.\n"); | |
264 | exit(0); | |
265 | } else if(!strcmp(argp[i], "cert")) { | |
266 | crtfile = argv[i]; | |
267 | } else if(!strcmp(argp[i], "key")) { | |
268 | keyfile = argv[i]; | |
269 | } else if(!strcmp(argp[i], "trust")) { | |
270 | if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { | |
271 | flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret)); | |
272 | exit(1); | |
273 | } | |
274 | } else if(!strcmp(argp[i], "crl")) { | |
275 | if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { | |
276 | flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret)); | |
277 | exit(1); | |
278 | } | |
279 | } else if(!strcmp(argp[i], "port")) { | |
280 | port = atoi(argv[i]); | |
281 | } else { | |
282 | flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]); | |
283 | exit(1); | |
284 | } | |
285 | } | |
286 | if(crtfile == NULL) { | |
287 | flog(LOG_ERR, "ssl: needs certificate file at the very least"); | |
288 | exit(1); | |
289 | } | |
290 | if(keyfile == NULL) | |
291 | keyfile = crtfile; | |
292 | if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) { | |
293 | flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret)); | |
294 | exit(1); | |
295 | } | |
296 | gnutls_certificate_set_dh_params(creds, dhparams); | |
297 | if((fd = listensock6(port)) < 0) { | |
298 | flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); | |
299 | exit(1); | |
300 | } | |
301 | omalloc(pd); | |
302 | pd->fd = fd; | |
303 | pd->sport = port; | |
304 | pd->creds = creds; | |
305 | mustart(listenloop, pd); | |
306 | if((fd = listensock6(port)) < 0) { | |
307 | if(errno != EADDRINUSE) { | |
308 | flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); | |
309 | exit(1); | |
310 | } | |
311 | } else { | |
312 | omalloc(pd); | |
313 | pd->fd = fd; | |
314 | pd->sport = port; | |
315 | pd->creds = creds; | |
316 | mustart(listenloop, pd); | |
317 | } | |
318 | } | |
319 | ||
320 | #endif |