[ashd.git] / src / ssl-gnutls.c

/*
    ashd - A Sane HTTP Daemon
    Copyright (C) 2008  Fredrik Tolf <fredrik@dolda2000.com>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <dirent.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <utils.h>
#include <mt.h>
#include <mtio.h>
#include <req.h>
#include <log.h>
#include <bufio.h>

#include "htparser.h"

#ifdef HAVE_GNUTLS

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

struct namedcreds {
    char **names;
    gnutls_certificate_credentials_t creds;
};

struct ncredbuf {
    struct namedcreds **b;
    size_t s, d;
};

struct sslport {
    int fd;
    int sport;
    gnutls_certificate_credentials_t creds;
    gnutls_priority_t ciphers;
    struct namedcreds **ncreds;
};

struct sslconn {
    int fd;
    struct sslport *port;
    struct sockaddr_storage name;
    gnutls_session_t sess;
    struct charbuf in;
};

struct savedsess {
    struct savedsess *next, *prev;
    gnutls_datum_t key, value;
};

static int numconn = 0, numsess = 0;
static struct btree *sessidx = NULL;
static struct savedsess *sesslistf = NULL, *sesslistl = NULL;

static int sesscmp(void *ap, void *bp)
{
    struct savedsess *a = ap, *b = bp;
    
    if(a->key.size != b->key.size)
	return(a->key.size - b->key.size);
    return(memcmp(a->key.data, b->key.data, a->key.size));
}

static gnutls_datum_t sessdbfetch(void *uudata, gnutls_datum_t key)
{
    struct savedsess *sess, lkey;
    gnutls_datum_t ret;
    
    memset(&ret, 0, sizeof(ret));
    lkey.key = key;
    if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL)
	return(ret);
    ret.data = memcpy(gnutls_malloc(ret.size = sess->value.size), sess->value.data, sess->value.size);
    return(ret);
}

static void freesess(struct savedsess *sess)
{
    bbtreedel(&sessidx, sess, sesscmp);
    if(sess->next)
	sess->next->prev = sess->prev;
    if(sess->prev)
	sess->prev->next = sess->next;
    if(sess == sesslistf)
	sesslistf = sess->next;
    if(sess == sesslistl)
	sesslistl = sess->prev;
    free(sess->key.data);
    free(sess->value.data);
    free(sess);
    numsess--;
}

static int sessdbdel(void *uudata, gnutls_datum_t key)
{
    struct savedsess *sess, lkey;
    
    lkey.key = key;
    if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL)
	return(-1);
    freesess(sess);
    return(0);
}

static void cleansess(void)
{
    while(numsess > (max(numconn, 1) * 100))
	freesess(sesslistl);
}

static int sessdbstore(void *uudata, gnutls_datum_t key, gnutls_datum_t value)
{
    static int cc = 0;
    struct savedsess *sess, lkey;
    
    if((value.data == NULL) || (value.size == 0)) {
	sessdbdel(NULL, key);
	return(0);
    }
    lkey.key = key;
    if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL) {
	omalloc(sess);
	sess->key.data = memcpy(smalloc(sess->key.size = key.size), key.data, key.size);
	sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size);
	bbtreeput(&sessidx, sess, sesscmp);
	sess->prev = NULL;
	sess->next = sesslistf;
	if(sesslistf)
	    sesslistf->prev = sess;
	sesslistf = sess;
	if(sesslistl == NULL)
	    sesslistl = sess;
	numsess++;
    } else {
	free(sess->value.data);
	sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size);
	if(sess != sesslistf) {
	    if(sess->next)
		sess->next->prev = sess->prev;
	    if(sess->prev)
		sess->prev->next = sess->next;
	    if(sess == sesslistl)
		sesslistl = sess->prev;
	    sess->prev = NULL;
	    sess->next = sesslistf;
	    if(sesslistf)
		sesslistf->prev = sess;
	    sesslistf = sess;
	}
    }
    if(cc++ > 100) {
	cleansess();
	cc = 0;
    }
    return(0);
}

static int tlsblock(int fd, gnutls_session_t sess, time_t to)
{
    if(gnutls_record_get_direction(sess))
	return(block(fd, EV_WRITE, to));
    else
	return(block(fd, EV_READ, to));
}

static ssize_t sslread(void *cookie, void *buf, size_t len)
{
    struct sslconn *ssl = cookie;
    ssize_t xf;
    int ret;

    while(ssl->in.d == 0) {
	sizebuf(ssl->in, ssl->in.d + 1024);
	ret = gnutls_record_recv(ssl->sess, ssl->in.b + ssl->in.d, ssl->in.s - ssl->in.d);
	if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) {
	    if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
		errno = ETIMEDOUT;
		return(-1);
	    }
	} else if(ret < 0) {
	    errno = EIO;
	    return(-1);
	} else if(ret == 0) {
	    return(0);
	} else {
	    ssl->in.d += ret;
	}
    }
    xf = min(ssl->in.d, len);
    memcpy(buf, ssl->in.b, xf);
    memmove(ssl->in.b, ssl->in.b + xf, ssl->in.d -= xf);
    return(xf);
}

static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
{
    struct sslconn *ssl = cookie;
    int ret;
    size_t off;
    
    off = 0;
    while(off < len) {
	ret = gnutls_record_send(ssl->sess, buf + off, len - off);
	if((ret == GNUTLS_E_INTERRUPTED) || (ret == GNUTLS_E_AGAIN)) {
	    if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
		if(off == 0) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
		return(off);
	    }
	} else if(ret < 0) {
	    if(off == 0) {
		errno = EIO;
		return(-1);
	    }
	    return(off);
	} else {
	    off += ret;
	}
    }
    return(off);
}

static int sslclose(void *cookie)
{
    struct sslconn *ssl = cookie;
    
    buffree(ssl->in);
    return(0);
}

static struct bufioops iofuns = {
    .read = sslread,
    .write = sslwrite,
    .close = sslclose,
};

static int initreq(struct conn *conn, struct hthead *req)
{
    struct sslconn *ssl = conn->pdata;
    struct sockaddr_storage sa;
    socklen_t salen;
    
    headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa)));
    if(ssl->name.ss_family == AF_INET)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port)));
    else if(ssl->name.ss_family == AF_INET6)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port)));
    salen = sizeof(sa);
    if(!getsockname(ssl->fd, (struct sockaddr *)&sa, &salen))
	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa)));
    headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport));
    headappheader(req, "X-Ash-Protocol", "https");
    return(0);
}

static void servessl(struct muth *muth, va_list args)
{
    vavar(int, fd);
    vavar(struct sockaddr_storage, name);
    vavar(struct sslport *, pd);
    struct conn conn;
    struct sslconn ssl;
    gnutls_session_t sess;
    int ret;
    
    int setcreds(gnutls_session_t sess)
    {
	int i, o, u;
	unsigned int ntype;
	char nambuf[256];
	size_t namlen;
	
	for(i = 0; 1; i++) {
	    namlen = sizeof(nambuf);
	    if(gnutls_server_name_get(sess, nambuf, &namlen, &ntype, i) != 0)
		break;
	    if(ntype != GNUTLS_NAME_DNS)
		continue;
	    for(o = 0; pd->ncreds[o] != NULL; o++) {
		for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) {
		    if(!strcmp(pd->ncreds[o]->names[u], nambuf)) {
			gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds);
			gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
			return(0);
		    }
		}
	    }
	}
	gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
	gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
	return(0);
    }

    numconn++;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    gnutls_init(&sess, GNUTLS_SERVER);
    gnutls_priority_set(sess, pd->ciphers);
    gnutls_db_set_retrieve_function(sess, sessdbfetch);
    gnutls_db_set_store_function(sess, sessdbstore);
    gnutls_db_set_remove_function(sess, sessdbdel);
    gnutls_db_set_ptr(sess, NULL);
    gnutls_handshake_set_post_client_hello_function(sess, setcreds);
    gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd);
    while((ret = gnutls_handshake(sess)) != 0) {
	if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN))
	    goto out;
	if(tlsblock(fd, sess, 60) <= 0)
	    goto out;
    }
    memset(&conn, 0, sizeof(conn));
    memset(&ssl, 0, sizeof(ssl));
    conn.pdata = &ssl;
    conn.initreq = initreq;
    ssl.fd = fd;
    ssl.port = pd;
    ssl.name = name;
    ssl.sess = sess;
    bufinit(ssl.in);
    serve(bioopen(&ssl, &iofuns), fd, &conn);
    
out:
    gnutls_deinit(sess);
    close(fd);
    numconn--;
}

static void listenloop(struct muth *muth, va_list args)
{
    vavar(struct sslport *, pd);
    int i, ns, n;
    struct sockaddr_storage name;
    socklen_t namelen;
    
    fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
    while(1) {
	namelen = sizeof(name);
	if(block(pd->fd, EV_READ, 0) == 0)
	    goto out;
	n = 0;
	while(1) {
	    ns = accept(pd->fd, (struct sockaddr *)&name, &namelen);
	    if(ns < 0) {
		if(errno == EAGAIN)
		    break;
		if(errno == ECONNABORTED)
		    continue;
		flog(LOG_ERR, "accept: %s", strerror(errno));
		goto out;
	    }
	    mustart(servessl, ns, name, pd);
	    if(++n >= 100)
		break;
	}
    }
    
out:
    close(pd->fd);
    free(pd);
    for(i = 0; i < listeners.d; i++) {
	if(listeners.b[i] == muth)
	    bufdel(listeners, i);
    }
}

static gnutls_dh_params_t dhparams(void)
{
    static int inited = 0;
    static gnutls_dh_params_t pars;
    int ret;
    
    if(!inited) {
	if(((ret = gnutls_dh_params_init(&pars)) != 0) ||
	   ((ret = gnutls_dh_params_generate2(pars, 2048)) != 0)) {
	    flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret));
	    exit(1);
	}
	inited = 1;
    }
    return(pars);
}

static void init(void)
{
    static int inited = 0;
    int ret;
    
    if(inited)
	return;
    inited = 1;
    if((ret = gnutls_global_init()) != 0) {
	flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret));
	exit(1);
    }
}

static struct namedcreds *readncreds(char *file)
{
    int i, fd, ret;
    struct namedcreds *nc;
    gnutls_x509_crt_t crt;
    gnutls_x509_privkey_t key;
    char cn[1024];
    size_t cnl;
    gnutls_datum_t d;
    struct charbuf keybuf;
    struct charvbuf names;
    unsigned int type;
    
    bufinit(keybuf);
    bufinit(names);
    if((fd = open(file, O_RDONLY)) < 0) {
	flog(LOG_ERR, "ssl: %s: %s", file, strerror(errno));
	exit(1);
    }
    while(1) {
	sizebuf(keybuf, keybuf.d + 1024);
	ret = read(fd, keybuf.b + keybuf.d, keybuf.s - keybuf.d);
	if(ret < 0) {
	    flog(LOG_ERR, "ssl: reading from %s: %s", file, strerror(errno));
	    exit(1);
	} else if(ret == 0) {
	    break;
	}
	keybuf.d += ret;
    }
    close(fd);
    d.data = (unsigned char *)keybuf.b;
    d.size = keybuf.d;
    gnutls_x509_crt_init(&crt);
    if((ret = gnutls_x509_crt_import(crt, &d, GNUTLS_X509_FMT_PEM)) != 0) {
	flog(LOG_ERR, "ssl: could not load certificate from %s: %s", file, gnutls_strerror(ret));
	exit(1);
    }
    cnl = sizeof(cn) - 1;
    if((ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, 0, cn, &cnl)) != 0) {
	flog(LOG_ERR, "ssl: could not read common name from %s: %s", file, gnutls_strerror(ret));
	exit(1);
    }
    cn[cnl] = 0;
    bufadd(names, sstrdup(cn));
    for(i = 0; 1; i++) {
	cnl = sizeof(cn) - 1;
	if(gnutls_x509_crt_get_subject_alt_name2(crt, i, cn, &cnl, &type, NULL) < 0)
	    break;
	cn[cnl] = 0;
	if(type == GNUTLS_SAN_DNSNAME)
	    bufadd(names, sstrdup(cn));
    }
    gnutls_x509_privkey_init(&key);
    if((ret = gnutls_x509_privkey_import(key, &d, GNUTLS_X509_FMT_PEM)) != 0) {
	flog(LOG_ERR, "ssl: could not load key from %s: %s", file, gnutls_strerror(ret));
	exit(1);
    }
    buffree(keybuf);
    bufadd(names, NULL);
    omalloc(nc);
    nc->names = names.b;
    gnutls_certificate_allocate_credentials(&nc->creds);
    if((ret = gnutls_certificate_set_x509_key(nc->creds, &crt, 1, key)) != 0) {
	flog(LOG_ERR, "ssl: could not use certificate from %s: %s", file, gnutls_strerror(ret));
	exit(1);
    }
    gnutls_certificate_set_dh_params(nc->creds, dhparams());
    return(nc);
}

static void readncdir(struct ncredbuf *buf, char *dir)
{
    DIR *d;
    struct dirent *e;
    size_t es;
    
    if((d = opendir(dir)) == NULL) {
	flog(LOG_ERR, "ssl: could not read certificate directory %s: %s", dir, strerror(errno));
	exit(1);
    }
    while((e = readdir(d)) != NULL) {
	if(e->d_name[0] == '.')
	    continue;
	if((es = strlen(e->d_name)) <= 4)
	    continue;
	if(strcmp(e->d_name + es - 4, ".crt"))
	    continue;
	bufadd(*buf, readncreds(sprintf3("%s/%s", dir, e->d_name)));
    }
    closedir(d);
}

void handlegnussl(int argc, char **argp, char **argv)
{
    int i, ret, port, fd;
    gnutls_certificate_credentials_t creds;
    gnutls_priority_t ciphers;
    struct ncredbuf ncreds;
    struct sslport *pd;
    char *crtfile, *keyfile, *perr;
    
    init();
    port = 443;
    bufinit(ncreds);
    gnutls_certificate_allocate_credentials(&creds);
    keyfile = crtfile = NULL;
    ciphers = NULL;
    for(i = 0; i < argc; i++) {
	if(!strcmp(argp[i], "help")) {
	    printf("ssl handler parameters:\n");
	    printf("\tcert=CERT-FILE  [mandatory]\n");
	    printf("\t\tThe name of the file to read the certificate from.\n");
	    printf("\tkey=KEY-FILE    [same as CERT-FILE]\n");
	    printf("\t\tThe name of the file to read the private key from.\n");
	    printf("\tprio=PRIORITIES [NORMAL]\n");
	    printf("\t\tCiphersuite priorities, as a GnuTLS priority string.\n");
	    printf("\ttrust=CA-FILE   [no default]\n");
	    printf("\t\tThe name of a file to read trusted certificates from.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tcrl=CRL-FILE    [no default]\n");
	    printf("\t\tThe name of a file to read revocation lists from.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tncert=CERT-FILE [no default]\n");
	    printf("\t\tThe name of a file to read a named certificate from,\n");
	    printf("\t\tfor use with SNI-enabled clients.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tncertdir=DIR    [no default]\n");
	    printf("\t\tRead all *.crt files in the given directory as if they\n");
	    printf("\t\twere given with `ncert' options.\n");
	    printf("\t\tMay be given multiple times.\n");
	    printf("\tport=PORT       [443]\n");
	    printf("\t\tThe TCP port to listen on.\n");
	    printf("\n");
	    printf("\tAll X.509 data files must be PEM-encoded.\n");
	    printf("\tIf any certificates were given with `ncert' options, they will be\n");
	    printf("\tused if a client explicitly names one of them with a\n");
	    printf("\tserver-name indication. If a client indicates no server name,\n");
	    printf("\tor if a server-name indication does not match any given\n");
	    printf("\tcertificate, the certificate given with the `cert' option will\n");
	    printf("\tbe used instead.\n");
	    exit(0);
	} else if(!strcmp(argp[i], "cert")) {
	    crtfile = argv[i];
	} else if(!strcmp(argp[i], "key")) {
	    keyfile = argv[i];
	} else if(!strcmp(argp[i], "prio")) {
	    if(ciphers != NULL)
		gnutls_priority_deinit(ciphers);
	    ret = gnutls_priority_init(&ciphers, argv[i], (const char **)&perr);
	    if(ret == GNUTLS_E_INVALID_REQUEST) {
		flog(LOG_ERR, "ssl: invalid cipher priority string, at `%s'", perr);
		exit(1);
	    } else if(ret != 0) {
		flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
		exit(1);
	    }
	} else if(!strcmp(argp[i], "trust")) {
	    if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
		exit(1);
	    }
	    for(i = 0; i < ncreds.d; i++) {
		if((ret = gnutls_certificate_set_x509_trust_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		    flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
		    exit(1);
		}
	    }
	} else if(!strcmp(argp[i], "crl")) {
	    if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
		exit(1);
	    }
	    for(i = 0; i < ncreds.d; i++) {
		if((ret = gnutls_certificate_set_x509_crl_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
		    flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
		    exit(1);
		}
	    }
	} else if(!strcmp(argp[i], "port")) {
	    port = atoi(argv[i]);
	} else if(!strcmp(argp[i], "ncert")) {
	    bufadd(ncreds, readncreds(argv[i]));
	} else if(!strcmp(argp[i], "ncertdir")) {
	    readncdir(&ncreds, argv[i]);
	} else {
	    flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
	    exit(1);
	}
    }
    if(crtfile == NULL) {
	flog(LOG_ERR, "ssl: needs certificate file at the very least");
	exit(1);
    }
    if((fd = listensock6(port)) < 0) {
	flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
	exit(1);
    }
    if(keyfile == NULL)
	keyfile = crtfile;
    if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) {
	flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret));
	exit(1);
    }
    if((ciphers == NULL) && ((ret = gnutls_priority_init(&ciphers, "NORMAL", NULL)) != 0)) {
	flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
	exit(1);
    }
    gnutls_certificate_set_dh_params(creds, dhparams());
    bufadd(ncreds, NULL);
    omalloc(pd);
    pd->fd = fd;
    pd->sport = port;
    pd->creds = creds;
    pd->ncreds = ncreds.b;
    pd->ciphers = ciphers;
    bufadd(listeners, mustart(listenloop, pd));
    if((fd = listensock4(port)) < 0) {
	if(errno != EADDRINUSE) {
	    flog(LOG_ERR, "could not listen on IPv4 port (port %i): %s", port, strerror(errno));
	    exit(1);
	}
    } else {
	omalloc(pd);
	pd->fd = fd;
	pd->sport = port;
	pd->creds = creds;
	pd->ncreds = ncreds.b;
	pd->ciphers = ciphers;
	bufadd(listeners, mustart(listenloop, pd));
    }
}

#endif
Commit	Line	Data
6ca53b2e FT	1	/*
	2	ashd - A Sane HTTP Daemon
	3	Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
	4
	5	This program is free software: you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation, either version 3 of the License, or
	8	(at your option) any later version.
	9
	10	This program is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	You should have received a copy of the GNU General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17	*/
	18
	19	#include <stdlib.h>
	20	#include <unistd.h>
	21	#include <string.h>
	22	#include <fcntl.h>
26902200	23	#include <dirent.h>
6ca53b2e FT	24	#include <sys/socket.h>
	25	#include <netinet/in.h>
	26	#include <arpa/inet.h>
	27	#include <errno.h>
	28
	29	#ifdef HAVE_CONFIG_H
	30	#include <config.h>
	31	#endif
	32	#include <utils.h>
	33	#include <mt.h>
	34	#include <mtio.h>
	35	#include <req.h>
	36	#include <log.h>
fc253e2f	37	#include <bufio.h>
6ca53b2e FT	38
	39	#include "htparser.h"
	40
	41	#ifdef HAVE_GNUTLS
	42
	43	#include <gnutls/gnutls.h>
28b2e619 FT	44	#include <gnutls/x509.h>
	45
	46	struct namedcreds {
	47	char **names;
	48	gnutls_certificate_credentials_t creds;
	49	};
	50
	51	struct ncredbuf {
	52	struct namedcreds **b;
	53	size_t s, d;
	54	};
6ca53b2e FT	55
	56	struct sslport {
	57	int fd;
	58	int sport;
	59	gnutls_certificate_credentials_t creds;
76d6825e	60	gnutls_priority_t ciphers;
28b2e619	61	struct namedcreds **ncreds;
6ca53b2e FT	62	};
	63
	64	struct sslconn {
	65	int fd;
	66	struct sslport *port;
	67	struct sockaddr_storage name;
	68	gnutls_session_t sess;
	69	struct charbuf in;
	70	};
	71
d8d4ed57 FT	72	struct savedsess {
	73	struct savedsess next, prev;
	74	gnutls_datum_t key, value;
	75	};
	76
	77	static int numconn = 0, numsess = 0;
	78	static struct btree *sessidx = NULL;
	79	static struct savedsess sesslistf = NULL, sesslistl = NULL;
	80
	81	static int sesscmp(void ap, void bp)
	82	{
	83	struct savedsess a = ap, b = bp;
	84
	85	if(a->key.size != b->key.size)
	86	return(a->key.size - b->key.size);
	87	return(memcmp(a->key.data, b->key.data, a->key.size));
	88	}
	89
	90	static gnutls_datum_t sessdbfetch(void *uudata, gnutls_datum_t key)
	91	{
	92	struct savedsess *sess, lkey;
	93	gnutls_datum_t ret;
	94
	95	memset(&ret, 0, sizeof(ret));
	96	lkey.key = key;
	97	if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL)
	98	return(ret);
	99	ret.data = memcpy(gnutls_malloc(ret.size = sess->value.size), sess->value.data, sess->value.size);
	100	return(ret);
	101	}
	102
	103	static void freesess(struct savedsess *sess)
	104	{
	105	bbtreedel(&sessidx, sess, sesscmp);
	106	if(sess->next)
	107	sess->next->prev = sess->prev;
	108	if(sess->prev)
	109	sess->prev->next = sess->next;
	110	if(sess == sesslistf)
	111	sesslistf = sess->next;
	112	if(sess == sesslistl)
	113	sesslistl = sess->prev;
	114	free(sess->key.data);
	115	free(sess->value.data);
	116	free(sess);
	117	numsess--;
	118	}
	119
	120	static int sessdbdel(void *uudata, gnutls_datum_t key)
	121	{
	122	struct savedsess *sess, lkey;
	123
	124	lkey.key = key;
	125	if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL)
	126	return(-1);
	127	freesess(sess);
	128	return(0);
	129	}
	130
	131	static void cleansess(void)
	132	{
	133	while(numsess > (max(numconn, 1) * 100))
	134	freesess(sesslistl);
	135	}
136
137	static int sessdbstore(void *uudata, gnutls_datum_t key, gnutls_datum_t value)
138	{
139	static int cc = 0;
140	struct savedsess *sess, lkey;
141
142	if((value.data == NULL) \|\| (value.size == 0)) {
143	sessdbdel(NULL, key);
144	return(0);
145	}
146	lkey.key = key;
147	if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL) {
148	omalloc(sess);
149	sess->key.data = memcpy(smalloc(sess->key.size = key.size), key.data, key.size);
150	sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size);
151	bbtreeput(&sessidx, sess, sesscmp);
152	sess->prev = NULL;
153	sess->next = sesslistf;
154	if(sesslistf)
155	sesslistf->prev = sess;
156	sesslistf = sess;
157	if(sesslistl == NULL)
158	sesslistl = sess;
159	numsess++;
160	} else {
161	free(sess->value.data);
162	sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size);
163	if(sess != sesslistf) {
164	if(sess->next)
165	sess->next->prev = sess->prev;
166	if(sess->prev)
167	sess->prev->next = sess->next;
168	if(sess == sesslistl)
169	sesslistl = sess->prev;
170	sess->prev = NULL;
171	sess->next = sesslistf;
172	if(sesslistf)
173	sesslistf->prev = sess;
174	sesslistf = sess;
175	}
176	}
177	if(cc++ > 100) {
178	cleansess();
179	cc = 0;
180	}
181	return(0);
182	}
183
6ca53b2e FT	184	static int tlsblock(int fd, gnutls_session_t sess, time_t to)
	185	{
	186	if(gnutls_record_get_direction(sess))
	187	return(block(fd, EV_WRITE, to));
	188	else
	189	return(block(fd, EV_READ, to));
	190	}
	191
fc253e2f	192	static ssize_t sslread(void cookie, void buf, size_t len)
6ca53b2e FT	193	{
	194	struct sslconn *ssl = cookie;
	195	ssize_t xf;
	196	int ret;
	197
	198	while(ssl->in.d == 0) {
	199	sizebuf(ssl->in, ssl->in.d + 1024);
	200	ret = gnutls_record_recv(ssl->sess, ssl->in.b + ssl->in.d, ssl->in.s - ssl->in.d);
	201	if((ret == GNUTLS_E_INTERRUPTED) \|\| (ret == GNUTLS_E_AGAIN)) {
	202	if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
	203	errno = ETIMEDOUT;
	204	return(-1);
	205	}
	206	} else if(ret < 0) {
	207	errno = EIO;
	208	return(-1);
	209	} else if(ret == 0) {
	210	return(0);
	211	} else {
	212	ssl->in.d += ret;
	213	}
	214	}
	215	xf = min(ssl->in.d, len);
	216	memcpy(buf, ssl->in.b, xf);
	217	memmove(ssl->in.b, ssl->in.b + xf, ssl->in.d -= xf);
	218	return(xf);
	219	}
	220
fc253e2f	221	static ssize_t sslwrite(void cookie, const void buf, size_t len)
6ca53b2e FT	222	{
	223	struct sslconn *ssl = cookie;
	224	int ret;
	225	size_t off;
	226
	227	off = 0;
	228	while(off < len) {
	229	ret = gnutls_record_send(ssl->sess, buf + off, len - off);
	230	if((ret == GNUTLS_E_INTERRUPTED) \|\| (ret == GNUTLS_E_AGAIN)) {
	231	if(tlsblock(ssl->fd, ssl->sess, 60) == 0) {
	232	if(off == 0) {
	233	errno = ETIMEDOUT;
	234	return(-1);
	235	}
	236	return(off);
	237	}
	238	} else if(ret < 0) {
	239	if(off == 0) {
	240	errno = EIO;
	241	return(-1);
	242	}
	243	return(off);
	244	} else {
	245	off += ret;
	246	}
	247	}
	248	return(off);
	249	}
	250
	251	static int sslclose(void *cookie)
	252	{
5ba5dd0b FT	253	struct sslconn *ssl = cookie;
	254
	255	buffree(ssl->in);
6ca53b2e FT	256	return(0);
	257	}
	258
fc253e2f	259	static struct bufioops iofuns = {
6ca53b2e FT	260	.read = sslread,
	261	.write = sslwrite,
	262	.close = sslclose,
	263	};
	264
	265	static int initreq(struct conn conn, struct hthead req)
	266	{
	267	struct sslconn *ssl = conn->pdata;
6b84641a FT	268	struct sockaddr_storage sa;
6b84641a FT	269	socklen_t salen;
6ca53b2e	270
7595e3a4	271	headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa)));
a5f63653	272	if(ssl->name.ss_family == AF_INET)
6ca53b2e	273	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port)));
a5f63653	274	else if(ssl->name.ss_family == AF_INET6)
6ca53b2e	275	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port)));
6b84641a	276	salen = sizeof(sa);
7595e3a4 FT	277	if(!getsockname(ssl->fd, (struct sockaddr *)&sa, &salen))
7595e3a4 FT	278	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa)));
6ca53b2e FT	279	headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport));
	280	headappheader(req, "X-Ash-Protocol", "https");
	281	return(0);
	282	}
	283
	284	static void servessl(struct muth *muth, va_list args)
	285	{
	286	vavar(int, fd);
	287	vavar(struct sockaddr_storage, name);
	288	vavar(struct sslport *, pd);
	289	struct conn conn;
	290	struct sslconn ssl;
	291	gnutls_session_t sess;
	292	int ret;
6ca53b2e	293
1b77e192 FT	294	int setcreds(gnutls_session_t sess)
1b77e192 FT	295	{
28b2e619	296	int i, o, u;
1b77e192 FT	297	unsigned int ntype;
	298	char nambuf[256];
	299	size_t namlen;
	300
	301	for(i = 0; 1; i++) {
	302	namlen = sizeof(nambuf);
	303	if(gnutls_server_name_get(sess, nambuf, &namlen, &ntype, i) != 0)
	304	break;
	305	if(ntype != GNUTLS_NAME_DNS)
	306	continue;
28b2e619 FT	307	for(o = 0; pd->ncreds[o] != NULL; o++) {
	308	for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) {
	309	if(!strcmp(pd->ncreds[o]->names[u], nambuf)) {
	310	gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds);
	311	gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
	312	return(0);
	313	}
	314	}
	315	}
1b77e192 FT	316	}
	317	gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
	318	gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
	319	return(0);
	320	}
	321
d8d4ed57	322	numconn++;
6ca53b2e FT	323	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) \| O_NONBLOCK);
6ca53b2e FT	324	gnutls_init(&sess, GNUTLS_SERVER);
76d6825e	325	gnutls_priority_set(sess, pd->ciphers);
d8d4ed57 FT	326	gnutls_db_set_retrieve_function(sess, sessdbfetch);
	327	gnutls_db_set_store_function(sess, sessdbstore);
	328	gnutls_db_set_remove_function(sess, sessdbdel);
	329	gnutls_db_set_ptr(sess, NULL);
1b77e192	330	gnutls_handshake_set_post_client_hello_function(sess, setcreds);
6ca53b2e FT	331	gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd);
	332	while((ret = gnutls_handshake(sess)) != 0) {
	333	if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN))
	334	goto out;
	335	if(tlsblock(fd, sess, 60) <= 0)
	336	goto out;
	337	}
	338	memset(&conn, 0, sizeof(conn));
	339	memset(&ssl, 0, sizeof(ssl));
	340	conn.pdata = &ssl;
	341	conn.initreq = initreq;
	342	ssl.fd = fd;
	343	ssl.port = pd;
	344	ssl.name = name;
	345	ssl.sess = sess;
	346	bufinit(ssl.in);
a68db17d	347	serve(bioopen(&ssl, &iofuns), fd, &conn);
6ca53b2e FT	348
	349	out:
	350	gnutls_deinit(sess);
	351	close(fd);
d8d4ed57	352	numconn--;
6ca53b2e FT	353	}
	354
	355	static void listenloop(struct muth *muth, va_list args)
	356	{
	357	vavar(struct sslport *, pd);
f24b7bb5	358	int i, ns, n;
6ca53b2e FT	359	struct sockaddr_storage name;
	360	socklen_t namelen;
	361
3ae56649	362	fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) \| O_NONBLOCK);
6ca53b2e FT	363	while(1) {
6ca53b2e FT	364	namelen = sizeof(name);
cac13158 FT	365	if(block(pd->fd, EV_READ, 0) == 0)
cac13158 FT	366	goto out;
f24b7bb5 FT	367	n = 0;
	368	while(1) {
	369	ns = accept(pd->fd, (struct sockaddr *)&name, &namelen);
	370	if(ns < 0) {
	371	if(errno == EAGAIN)
	372	break;
51893006 FT	373	if(errno == ECONNABORTED)
51893006 FT	374	continue;
f24b7bb5 FT	375	flog(LOG_ERR, "accept: %s", strerror(errno));
	376	goto out;
	377	}
	378	mustart(servessl, ns, name, pd);
	379	if(++n >= 100)
	380	break;
6ca53b2e	381	}
6ca53b2e FT	382	}
	383
	384	out:
	385	close(pd->fd);
	386	free(pd);
8e9ec020 FT	387	for(i = 0; i < listeners.d; i++) {
	388	if(listeners.b[i] == muth)
	389	bufdel(listeners, i);
	390	}
6ca53b2e FT	391	}
6ca53b2e FT	392
2daf4411 FT	393	static gnutls_dh_params_t dhparams(void)
	394	{
	395	static int inited = 0;
	396	static gnutls_dh_params_t pars;
	397	int ret;
	398
	399	if(!inited) {
	400	if(((ret = gnutls_dh_params_init(&pars)) != 0) \|\|
	401	((ret = gnutls_dh_params_generate2(pars, 2048)) != 0)) {
	402	flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret));
	403	exit(1);
	404	}
	405	inited = 1;
	406	}
	407	return(pars);
	408	}
	409
6ca53b2e FT	410	static void init(void)
	411	{
	412	static int inited = 0;
	413	int ret;
	414
	415	if(inited)
	416	return;
	417	inited = 1;
	418	if((ret = gnutls_global_init()) != 0) {
	419	flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret));
	420	exit(1);
	421	}
6ca53b2e FT	422	}
6ca53b2e FT	423
28b2e619 FT	424	static struct namedcreds readncreds(char file)
	425	{
	426	int i, fd, ret;
	427	struct namedcreds *nc;
	428	gnutls_x509_crt_t crt;
	429	gnutls_x509_privkey_t key;
	430	char cn[1024];
	431	size_t cnl;
	432	gnutls_datum_t d;
	433	struct charbuf keybuf;
	434	struct charvbuf names;
	435	unsigned int type;
	436
	437	bufinit(keybuf);
	438	bufinit(names);
	439	if((fd = open(file, O_RDONLY)) < 0) {
	440	flog(LOG_ERR, "ssl: %s: %s", file, strerror(errno));
	441	exit(1);
	442	}
	443	while(1) {
	444	sizebuf(keybuf, keybuf.d + 1024);
	445	ret = read(fd, keybuf.b + keybuf.d, keybuf.s - keybuf.d);
	446	if(ret < 0) {
	447	flog(LOG_ERR, "ssl: reading from %s: %s", file, strerror(errno));
	448	exit(1);
	449	} else if(ret == 0) {
	450	break;
	451	}
	452	keybuf.d += ret;
	453	}
	454	close(fd);
	455	d.data = (unsigned char *)keybuf.b;
	456	d.size = keybuf.d;
	457	gnutls_x509_crt_init(&crt);
	458	if((ret = gnutls_x509_crt_import(crt, &d, GNUTLS_X509_FMT_PEM)) != 0) {
	459	flog(LOG_ERR, "ssl: could not load certificate from %s: %s", file, gnutls_strerror(ret));
	460	exit(1);
	461	}
	462	cnl = sizeof(cn) - 1;
	463	if((ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, 0, cn, &cnl)) != 0) {
	464	flog(LOG_ERR, "ssl: could not read common name from %s: %s", file, gnutls_strerror(ret));
	465	exit(1);
	466	}
	467	cn[cnl] = 0;
	468	bufadd(names, sstrdup(cn));
	469	for(i = 0; 1; i++) {
	470	cnl = sizeof(cn) - 1;
	471	if(gnutls_x509_crt_get_subject_alt_name2(crt, i, cn, &cnl, &type, NULL) < 0)
	472	break;
	473	cn[cnl] = 0;
	474	if(type == GNUTLS_SAN_DNSNAME)
	475	bufadd(names, sstrdup(cn));
	476	}
	477	gnutls_x509_privkey_init(&key);
	478	if((ret = gnutls_x509_privkey_import(key, &d, GNUTLS_X509_FMT_PEM)) != 0) {
	479	flog(LOG_ERR, "ssl: could not load key from %s: %s", file, gnutls_strerror(ret));
	480	exit(1);
	481	}
	482	buffree(keybuf);
	483	bufadd(names, NULL);
	484	omalloc(nc);
	485	nc->names = names.b;
	486	gnutls_certificate_allocate_credentials(&nc->creds);
	487	if((ret = gnutls_certificate_set_x509_key(nc->creds, &crt, 1, key)) != 0) {
488	flog(LOG_ERR, "ssl: could not use certificate from %s: %s", file, gnutls_strerror(ret));
489	exit(1);
490	}
2daf4411	491	gnutls_certificate_set_dh_params(nc->creds, dhparams());
28b2e619 FT	492	return(nc);
	493	}
	494
26902200 FT	495	static void readncdir(struct ncredbuf buf, char dir)
	496	{
	497	DIR *d;
	498	struct dirent *e;
	499	size_t es;
	500
	501	if((d = opendir(dir)) == NULL) {
	502	flog(LOG_ERR, "ssl: could not read certificate directory %s: %s", dir, strerror(errno));
	503	exit(1);
	504	}
	505	while((e = readdir(d)) != NULL) {
	506	if(e->d_name[0] == '.')
	507	continue;
	508	if((es = strlen(e->d_name)) <= 4)
	509	continue;
	510	if(strcmp(e->d_name + es - 4, ".crt"))
	511	continue;
	512	bufadd(*buf, readncreds(sprintf3("%s/%s", dir, e->d_name)));
	513	}
	514	closedir(d);
	515	}
	516
6ca53b2e FT	517	void handlegnussl(int argc, char argp, char argv)
	518	{
	519	int i, ret, port, fd;
	520	gnutls_certificate_credentials_t creds;
76d6825e	521	gnutls_priority_t ciphers;
28b2e619	522	struct ncredbuf ncreds;
6ca53b2e	523	struct sslport *pd;
76d6825e	524	char crtfile, keyfile, *perr;
6ca53b2e FT	525
	526	init();
	527	port = 443;
28b2e619	528	bufinit(ncreds);
6ca53b2e FT	529	gnutls_certificate_allocate_credentials(&creds);
6ca53b2e FT	530	keyfile = crtfile = NULL;
76d6825e	531	ciphers = NULL;
6ca53b2e FT	532	for(i = 0; i < argc; i++) {
	533	if(!strcmp(argp[i], "help")) {
	534	printf("ssl handler parameters:\n");
	535	printf("\tcert=CERT-FILE [mandatory]\n");
	536	printf("\t\tThe name of the file to read the certificate from.\n");
	537	printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
	538	printf("\t\tThe name of the file to read the private key from.\n");
76d6825e FT	539	printf("\tprio=PRIORITIES [NORMAL]\n");
76d6825e FT	540	printf("\t\tCiphersuite priorities, as a GnuTLS priority string.\n");
6ca53b2e FT	541	printf("\ttrust=CA-FILE [no default]\n");
	542	printf("\t\tThe name of a file to read trusted certificates from.\n");
	543	printf("\t\tMay be given multiple times.\n");
	544	printf("\tcrl=CRL-FILE [no default]\n");
	545	printf("\t\tThe name of a file to read revocation lists from.\n");
	546	printf("\t\tMay be given multiple times.\n");
4094af22 FT	547	printf("\tncert=CERT-FILE [no default]\n");
	548	printf("\t\tThe name of a file to read a named certificate from,\n");
	549	printf("\t\tfor use with SNI-enabled clients.\n");
	550	printf("\t\tMay be given multiple times.\n");
	551	printf("\tncertdir=DIR [no default]\n");
	552	printf("\t\tRead all *.crt files in the given directory as if they\n");
	553	printf("\t\twere given with `ncert' options.\n");
	554	printf("\t\tMay be given multiple times.\n");
6ca53b2e FT	555	printf("\tport=PORT [443]\n");
	556	printf("\t\tThe TCP port to listen on.\n");
	557	printf("\n");
	558	printf("\tAll X.509 data files must be PEM-encoded.\n");
4094af22 FT	559	printf("\tIf any certificates were given with `ncert' options, they will be\n");
	560	printf("\tused if a client explicitly names one of them with a\n");
	561	printf("\tserver-name indication. If a client indicates no server name,\n");
	562	printf("\tor if a server-name indication does not match any given\n");
	563	printf("\tcertificate, the certificate given with the `cert' option will\n");
	564	printf("\tbe used instead.\n");
6ca53b2e FT	565	exit(0);
	566	} else if(!strcmp(argp[i], "cert")) {
	567	crtfile = argv[i];
	568	} else if(!strcmp(argp[i], "key")) {
	569	keyfile = argv[i];
76d6825e FT	570	} else if(!strcmp(argp[i], "prio")) {
	571	if(ciphers != NULL)
	572	gnutls_priority_deinit(ciphers);
	573	ret = gnutls_priority_init(&ciphers, argv[i], (const char **)&perr);
	574	if(ret == GNUTLS_E_INVALID_REQUEST) {
	575	flog(LOG_ERR, "ssl: invalid cipher priority string, at `%s'", perr);
	576	exit(1);
	577	} else if(ret != 0) {
	578	flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
	579	exit(1);
	580	}
6ca53b2e FT	581	} else if(!strcmp(argp[i], "trust")) {
	582	if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
	583	flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
	584	exit(1);
	585	}
28b2e619 FT	586	for(i = 0; i < ncreds.d; i++) {
	587	if((ret = gnutls_certificate_set_x509_trust_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
	588	flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
	589	exit(1);
	590	}
	591	}
6ca53b2e FT	592	} else if(!strcmp(argp[i], "crl")) {
	593	if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
	594	flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
	595	exit(1);
	596	}
28b2e619 FT	597	for(i = 0; i < ncreds.d; i++) {
	598	if((ret = gnutls_certificate_set_x509_crl_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
	599	flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
	600	exit(1);
	601	}
	602	}
6ca53b2e FT	603	} else if(!strcmp(argp[i], "port")) {
6ca53b2e FT	604	port = atoi(argv[i]);
28b2e619 FT	605	} else if(!strcmp(argp[i], "ncert")) {
28b2e619 FT	606	bufadd(ncreds, readncreds(argv[i]));
26902200 FT	607	} else if(!strcmp(argp[i], "ncertdir")) {
26902200 FT	608	readncdir(&ncreds, argv[i]);
6ca53b2e FT	609	} else {
	610	flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
	611	exit(1);
	612	}
	613	}
	614	if(crtfile == NULL) {
	615	flog(LOG_ERR, "ssl: needs certificate file at the very least");
	616	exit(1);
	617	}
2daf4411 FT	618	if((fd = listensock6(port)) < 0) {
	619	flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno));
	620	exit(1);
	621	}
6ca53b2e FT	622	if(keyfile == NULL)
	623	keyfile = crtfile;
	624	if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) {
	625	flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret));
	626	exit(1);
	627	}
76d6825e FT	628	if((ciphers == NULL) && ((ret = gnutls_priority_init(&ciphers, "NORMAL", NULL)) != 0)) {
	629	flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
	630	exit(1);
	631	}
2daf4411	632	gnutls_certificate_set_dh_params(creds, dhparams());
28b2e619	633	bufadd(ncreds, NULL);
6ca53b2e FT	634	omalloc(pd);
	635	pd->fd = fd;
	636	pd->sport = port;
	637	pd->creds = creds;
28b2e619	638	pd->ncreds = ncreds.b;
76d6825e	639	pd->ciphers = ciphers;
cac13158	640	bufadd(listeners, mustart(listenloop, pd));
aa06d1b3	641	if((fd = listensock4(port)) < 0) {
6ca53b2e	642	if(errno != EADDRINUSE) {
aa06d1b3	643	flog(LOG_ERR, "could not listen on IPv4 port (port %i): %s", port, strerror(errno));
6ca53b2e FT	644	exit(1);
	645	}
	646	} else {
	647	omalloc(pd);
	648	pd->fd = fd;
	649	pd->sport = port;
	650	pd->creds = creds;
76d6825e FT	651	pd->ncreds = ncreds.b;
76d6825e FT	652	pd->ciphers = ciphers;
cac13158	653	bufadd(listeners, mustart(listenloop, pd));
6ca53b2e FT	654	}
	655	}
	656
	657	#endif