[ashd.git] / src / ssl-gnutls.c

/*
    ashd - A Sane HTTP Daemon
    Copyright (C) 2008  Fredrik Tolf <fredrik@dolda2000.com>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <utils.h>
#include <mt.h>
#include <mtio.h>
#include <req.h>
#include <log.h>

#include "htparser.h"

#ifdef HAVE_GNUTLS

#include <gnutls/gnutls.h>

struct sslport {
    int fd;
    int sport;
    gnutls_certificate_credentials_t creds;
};

struct sslconn {
    int fd;
    struct sslport *port;
    struct sockaddr_storage name;
    gnutls_session_t sess;
    struct charbuf in;
};

static gnutls_dh_params_t dhparams;

static int tlsblock(int fd, gnutls_session_t sess, time_t to)
{
    if(gnutls_record_get_direction(sess))
	return(block(fd, EV_WRITE, to));
    else
	return(block(fd, EV_READ, to));
}

static ssize_t sslread(void *cookie, char *buf, size_t len)
{
    struct sslconn *ssl = cookie;
    ssize_t xf;
    int ret;

    while(ssl->in.d == 0) {
	sizebuf(ssl->in, ssl->in.d + 1024);
	ret = gnutls_record_recv(ssl->sess, ssl->in.b + ssl->in.d, ssl->in.s - ssl->in.d);
	if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) {
	    if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
		errno = ETIMEDOUT;
		return(-1);
	    }
	} else if(ret < 0) {
	    errno = EIO;
	    return(-1);
	} else if(ret == 0) {
	    return(0);
	} else {
	    ssl->in.d += ret;
	}
    }
    xf = min(ssl->in.d, len);
    memcpy(buf, ssl->in.b, xf);
    memmove(ssl->in.b, ssl->in.b + xf, ssl->in.d -= xf);
    return(xf);
}

static ssize_t sslwrite(void *cookie, const char *buf, size_t len)
{
    struct sslconn *ssl = cookie;
    int ret;
    size_t off;
    
    off = 0;
    while(off < len) {
	ret = gnutls_record_send(ssl->sess, buf + off, len - off);
	if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) {
	    if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
		if(off == 0) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
		return(off);
	    }
	} else if(ret < 0) {
	    if(off == 0) {
		errno = EIO;
		return(-1);
	    }
	    return(off);
	} else {
	    off += ret;
	}
    }
    return(off);
}

static int sslclose(void *cookie)
{
    return(0);
}

static cookie_io_functions_t iofuns = {
    .read = sslread,
    .write = sslwrite,
    .close = sslclose,
};

static int initreq(struct conn *conn, struct hthead *req)
{
    struct sslconn *ssl = conn->pdata;
    struct sockaddr_storage sa;
    socklen_t salen;
    char nmbuf[256];
    
    headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa)));
    if(ssl->name.ss_family == AF_INET) {
	headappheader(req, "X-Ash-Address", inet_ntop(AF_INET, &((struct sockaddr_in *)&ssl->name)->sin_addr, nmbuf, sizeof(nmbuf)));
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port)));
    } else if(ssl->name.ss_family == AF_INET6) {
	headappheader(req, "X-Ash-Address", inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ssl->name)->sin6_addr, nmbuf, sizeof(nmbuf)));
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port)));
    }
    salen = sizeof(sa);
    if(!getsockname(ssl->fd, (struct sockaddr *)&sa, &salen))
	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa)));
    headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport));
    headappheader(req, "X-Ash-Protocol", "https");
    return(0);
}

static void servessl(struct muth *muth, va_list args)
{
    vavar(int, fd);
    vavar(struct sockaddr_storage, name);
    vavar(struct sslport *, pd);
    struct conn conn;
    struct sslconn ssl;
    gnutls_session_t sess;
    int ret;
    FILE *in;
    
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    gnutls_init(&sess, GNUTLS_SERVER);
    gnutls_set_default_priority(sess);
    gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
    gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
    gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd);
    while((ret = gnutls_handshake(sess)) != 0) {
	if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN))
	    goto out;
	if(tlsblock(fd, sess, 60) <= 0)
	    goto out;
    }
    memset(&conn, 0, sizeof(conn));
    memset(&ssl, 0, sizeof(ssl));
    conn.pdata = &ssl;
    conn.initreq = initreq;
    ssl.fd = fd;
    ssl.port = pd;
    ssl.name = name;
    ssl.sess = sess;
    bufinit(ssl.in);
    in = fopencookie(&ssl, "r+", iofuns);
    serve(in, &conn);
    
out:
    gnutls_deinit(sess);
    close(fd);
}

static void listenloop(struct muth *muth, va_list args)
{
    vavar(struct sslport *, pd);
    int ns;
    struct sockaddr_storage name;
    socklen_t namelen;
    
    while(1) {
	namelen = sizeof(name);
	block(pd->fd, EV_READ, 0);
	ns = accept(pd->fd, (struct sockaddr *)&name, &namelen);
	if(ns < 0) {
	    flog(LOG_ERR, "accept: %s", strerror(errno));
	    goto out;
	}
	mustart(servessl, ns, name, pd);
    }
    
out:
    close(pd->fd);
    free(pd);
}

static void init(void)
{
    static int inited = 0;
    int ret;
    
    if(inited)
	return;
    inited = 1;
    if((ret = gnutls_global_init()) != 0) {
	flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret));
	exit(1);
    }
    if(((ret = gnutls_dh_params_init(&dhparams)) != 0) ||
       ((ret = gnutls_dh_params_generate2(dhparams, 2048)) != 0)) {
	flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret));
	exit(1);
    }
}

void handlegnussl(int argc, char **argp, char **argv)
{
    int i, ret, port, fd;
    gnutls_certificate_credentials_t creds;
    struct sslport *pd;
    char *crtfile, *keyfile;
    
    init();
    port = 443;
    gnutls_certificate_allocate_credentials(&creds);
    keyfile = crtfile = NULL;
    for(i = 0; i < argc; i++) {
	if(!strcmp(argp[i], "help")) {
	    printf("ssl handler parameters:\n");
	    printf("\tcert=CERT-FILE  [mandatory]\n");
	    printf("\t\tThe name of the file to read the certificate from.\n");
	    printf("\tkey=KEY-FILE    [same as CERT-FILE]\n");
	    printf("\t\tThe name of the file to read the private key from.\n");
	    printf("\ttrust=CA-FILE   [no default]\n");
	    printf("\t\tThe name of a file to read trusted certificates from.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tcrl=CRL-FILE    [no default]\n");
	    printf("\t\tThe name of a file to read revocation lists from.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tport=PORT       [443]\n");
	    printf("\t\tThe TCP port to listen on.\n");
	    printf("\n");
	    printf("\tAll X.509 data files must be PEM-encoded.\n");
	    exit(0);
	} else if(!strcmp(argp[i], "cert")) {
	    crtfile = argv[i];
	} else if(!strcmp(argp[i], "key")) {
	    keyfile = argv[i];
	} else if(!strcmp(argp[i], "trust")) {
	    if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
		exit(1);
	    }
	} else if(!strcmp(argp[i], "crl")) {
	    if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
		exit(1);
	    }
	} else if(!strcmp(argp[i], "port")) {
	    port = atoi(argv[i]);
	} else {
	    flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
	    exit(1);
	}
    }
    if(crtfile == NULL) {
	flog(LOG_ERR, "ssl: needs certificate file at the very least");
	exit(1);
    }
    if(keyfile == NULL)
	keyfile = crtfile;
    if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) {
	flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret));
	exit(1);
    }
    gnutls_certificate_set_dh_params(creds, dhparams);
    if((fd = listensock6(port)) < 0) {
	flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
	exit(1);
    }
    omalloc(pd);
    pd->fd = fd;
    pd->sport = port;
    pd->creds = creds;
    mustart(listenloop, pd);
    if((fd = listensock6(port)) < 0) {
	if(errno != EADDRINUSE) {
	    flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
	    exit(1);
	}
    } else {
	omalloc(pd);
	pd->fd = fd;
	pd->sport = port;
	pd->creds = creds;
	mustart(listenloop, pd);
    }
}

#endif
Commit	Line	Data
6ca53b2e FT	1	/*
	2	ashd - A Sane HTTP Daemon
	3	Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
	4
	5	This program is free software: you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation, either version 3 of the License, or
	8	(at your option) any later version.
	9
	10	This program is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	You should have received a copy of the GNU General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17	*/
	18
	19	#include <stdlib.h>
	20	#include <unistd.h>
	21	#include <string.h>
	22	#include <fcntl.h>
	23	#include <sys/socket.h>
	24	#include <netinet/in.h>
	25	#include <arpa/inet.h>
	26	#include <errno.h>
	27
	28	#ifdef HAVE_CONFIG_H
	29	#include <config.h>
	30	#endif
	31	#include <utils.h>
	32	#include <mt.h>
	33	#include <mtio.h>
	34	#include <req.h>
	35	#include <log.h>
	36
	37	#include "htparser.h"
	38
	39	#ifdef HAVE_GNUTLS
	40
	41	#include <gnutls/gnutls.h>
	42
	43	struct sslport {
	44	int fd;
	45	int sport;
	46	gnutls_certificate_credentials_t creds;
	47	};
	48
	49	struct sslconn {
	50	int fd;
	51	struct sslport *port;
	52	struct sockaddr_storage name;
	53	gnutls_session_t sess;
	54	struct charbuf in;
	55	};
	56
	57	static gnutls_dh_params_t dhparams;
	58
	59	static int tlsblock(int fd, gnutls_session_t sess, time_t to)
	60	{
	61	if(gnutls_record_get_direction(sess))
	62	return(block(fd, EV_WRITE, to));
	63	else
	64	return(block(fd, EV_READ, to));
65	}
66
67	static ssize_t sslread(void cookie, char buf, size_t len)
68	{
69	struct sslconn *ssl = cookie;
70	ssize_t xf;
71	int ret;
72
73	while(ssl->in.d == 0) {
74	sizebuf(ssl->in, ssl->in.d + 1024);
75	ret = gnutls_record_recv(ssl->sess, ssl->in.b + ssl->in.d, ssl->in.s - ssl->in.d);
76	if((ret == GNUTLS_E_INTERRUPTED) \|\| (ret == GNUTLS_E_AGAIN)) {
77	if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
78	errno = ETIMEDOUT;
79	return(-1);
80	}
81	} else if(ret < 0) {
82	errno = EIO;
83	return(-1);
84	} else if(ret == 0) {
85	return(0);
86	} else {
87	ssl->in.d += ret;
88	}
89	}
90	xf = min(ssl->in.d, len);
91	memcpy(buf, ssl->in.b, xf);
92	memmove(ssl->in.b, ssl->in.b + xf, ssl->in.d -= xf);
93	return(xf);
94	}
95
96	static ssize_t sslwrite(void cookie, const char buf, size_t len)
97	{
98	struct sslconn *ssl = cookie;
99	int ret;
100	size_t off;
101
102	off = 0;
103	while(off < len) {
104	ret = gnutls_record_send(ssl->sess, buf + off, len - off);
105	if((ret == GNUTLS_E_INTERRUPTED) \|\| (ret == GNUTLS_E_AGAIN)) {
106	if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
107	if(off == 0) {
108	errno = ETIMEDOUT;
109	return(-1);
110	}
111	return(off);
112	}
113	} else if(ret < 0) {
114	if(off == 0) {
115	errno = EIO;
116	return(-1);
117	}
118	return(off);
119	} else {
120	off += ret;
121	}
122	}
123	return(off);
124	}
125
126	static int sslclose(void *cookie)
127	{
128	return(0);
129	}
130
131	static cookie_io_functions_t iofuns = {
132	.read = sslread,
133	.write = sslwrite,
134	.close = sslclose,
135	};
136
137	static int initreq(struct conn conn, struct hthead req)
138	{
139	struct sslconn *ssl = conn->pdata;
6b84641a FT	140	struct sockaddr_storage sa;
6b84641a FT	141	socklen_t salen;
6ca53b2e FT	142	char nmbuf[256];
6ca53b2e FT	143
7595e3a4	144	headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa)));
6ca53b2e FT	145	if(ssl->name.ss_family == AF_INET) {
	146	headappheader(req, "X-Ash-Address", inet_ntop(AF_INET, &((struct sockaddr_in *)&ssl->name)->sin_addr, nmbuf, sizeof(nmbuf)));
	147	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port)));
	148	} else if(ssl->name.ss_family == AF_INET6) {
	149	headappheader(req, "X-Ash-Address", inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ssl->name)->sin6_addr, nmbuf, sizeof(nmbuf)));
	150	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port)));
	151	}
6b84641a	152	salen = sizeof(sa);
7595e3a4 FT	153	if(!getsockname(ssl->fd, (struct sockaddr *)&sa, &salen))
7595e3a4 FT	154	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa)));
6ca53b2e FT	155	headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport));
	156	headappheader(req, "X-Ash-Protocol", "https");
	157	return(0);
	158	}
	159
	160	static void servessl(struct muth *muth, va_list args)
	161	{
	162	vavar(int, fd);
	163	vavar(struct sockaddr_storage, name);
	164	vavar(struct sslport *, pd);
	165	struct conn conn;
	166	struct sslconn ssl;
	167	gnutls_session_t sess;
	168	int ret;
	169	FILE *in;
	170
	171	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) \| O_NONBLOCK);
	172	gnutls_init(&sess, GNUTLS_SERVER);
	173	gnutls_set_default_priority(sess);
	174	gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
	175	gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
	176	gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd);
	177	while((ret = gnutls_handshake(sess)) != 0) {
	178	if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN))
	179	goto out;
	180	if(tlsblock(fd, sess, 60) <= 0)
	181	goto out;
	182	}
	183	memset(&conn, 0, sizeof(conn));
	184	memset(&ssl, 0, sizeof(ssl));
	185	conn.pdata = &ssl;
	186	conn.initreq = initreq;
	187	ssl.fd = fd;
	188	ssl.port = pd;
	189	ssl.name = name;
	190	ssl.sess = sess;
	191	bufinit(ssl.in);
	192	in = fopencookie(&ssl, "r+", iofuns);
	193	serve(in, &conn);
	194
	195	out:
	196	gnutls_deinit(sess);
	197	close(fd);
	198	}
	199
	200	static void listenloop(struct muth *muth, va_list args)
	201	{
	202	vavar(struct sslport *, pd);
	203	int ns;
	204	struct sockaddr_storage name;
	205	socklen_t namelen;
	206
	207	while(1) {
	208	namelen = sizeof(name);
	209	block(pd->fd, EV_READ, 0);
	210	ns = accept(pd->fd, (struct sockaddr *)&name, &namelen);
	211	if(ns < 0) {
	212	flog(LOG_ERR, "accept: %s", strerror(errno));
	213	goto out;
	214	}
	215	mustart(servessl, ns, name, pd);
	216	}
	217
	218	out:
219	close(pd->fd);
220	free(pd);
221	}
222
223	static void init(void)
224	{
225	static int inited = 0;
226	int ret;
227
228	if(inited)
229	return;
230	inited = 1;
231	if((ret = gnutls_global_init()) != 0) {
232	flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret));
233	exit(1);
234	}
235	if(((ret = gnutls_dh_params_init(&dhparams)) != 0) \|\|
236	((ret = gnutls_dh_params_generate2(dhparams, 2048)) != 0)) {
237	flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret));
238	exit(1);
239	}
240	}
241
242	void handlegnussl(int argc, char argp, char argv)
243	{
244	int i, ret, port, fd;
245	gnutls_certificate_credentials_t creds;
246	struct sslport *pd;
247	char crtfile, keyfile;
248
249	init();
250	port = 443;
251	gnutls_certificate_allocate_credentials(&creds);
252	keyfile = crtfile = NULL;
253	for(i = 0; i < argc; i++) {
254	if(!strcmp(argp[i], "help")) {
255	printf("ssl handler parameters:\n");
256	printf("\tcert=CERT-FILE [mandatory]\n");
257	printf("\t\tThe name of the file to read the certificate from.\n");
258	printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
259	printf("\t\tThe name of the file to read the private key from.\n");
260	printf("\ttrust=CA-FILE [no default]\n");
261	printf("\t\tThe name of a file to read trusted certificates from.\n");
262	printf("\t\tMay be given multiple times.\n");
263	printf("\tcrl=CRL-FILE [no default]\n");
264	printf("\t\tThe name of a file to read revocation lists from.\n");
265	printf("\t\tMay be given multiple times.\n");
266	printf("\tport=PORT [443]\n");
267	printf("\t\tThe TCP port to listen on.\n");
268	printf("\n");
269	printf("\tAll X.509 data files must be PEM-encoded.\n");
270	exit(0);
271	} else if(!strcmp(argp[i], "cert")) {
272	crtfile = argv[i];
273	} else if(!strcmp(argp[i], "key")) {
274	keyfile = argv[i];
275	} else if(!strcmp(argp[i], "trust")) {
276	if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
277	flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
278	exit(1);
279	}
280	} else if(!strcmp(argp[i], "crl")) {
281	if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
282	flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
283	exit(1);
284	}
285	} else if(!strcmp(argp[i], "port")) {
286	port = atoi(argv[i]);
287	} else {
288	flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
289	exit(1);
290	}
291	}
292	if(crtfile == NULL) {
293	flog(LOG_ERR, "ssl: needs certificate file at the very least");
294	exit(1);
295	}
296	if(keyfile == NULL)
297	keyfile = crtfile;
298	if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) {
299	flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret));
300	exit(1);
301	}
302	gnutls_certificate_set_dh_params(creds, dhparams);
303	if((fd = listensock6(port)) < 0) {
304	flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
305	exit(1);
306	}
307	omalloc(pd);
308	pd->fd = fd;
309	pd->sport = port;
310	pd->creds = creds;
311	mustart(listenloop, pd);
312	if((fd = listensock6(port)) < 0) {
313	if(errno != EADDRINUSE) {
314	flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
315	exit(1);
316	}
317	} else {
318	omalloc(pd);
319	pd->fd = fd;
320	pd->sport = port;
321	pd->creds = creds;
322	mustart(listenloop, pd);
323	}
324	}
325
326	#endif