[ashd.git] / src / ssl-openssl.c

/*
    ashd - A Sane HTTP Daemon
    Copyright (C) 2008  Fredrik Tolf <fredrik@dolda2000.com>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <utils.h>
#include <mt.h>
#include <mtio.h>
#include <req.h>
#include <log.h>
#include <bufio.h>

#include "htparser.h"

#include <openssl/ssl.h>
#include <openssl/err.h>

struct sslport {
    int fd, sport;
    SSL_CTX *ctx;
};

struct sslconn {
    struct sslport *port;
    int fd;
    SSL *ssl;
    struct sockaddr *name;
    socklen_t namelen;
};

static int tlsblock(int fd, int err, int to)
{
    if(err == SSL_ERROR_WANT_READ) {
	if(block(fd, EV_READ, to) <= 0)
	    return(1);
	return(0);
    } else if(err == SSL_ERROR_WANT_WRITE) {
	if(block(fd, EV_WRITE, to) <= 0)
	    return(1);
	return(0);
    } else {
	return(1);
    }
}

static ssize_t sslread(void *cookie, void *buf, size_t len)
{
    struct sslconn *sdat = cookie;
    int ret, err, nb;
    size_t off;
    
    off = 0;
    while(off < len) {
	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
	if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
	    if(off > 0)
		return(off);
	    err = SSL_get_error(sdat->ssl, ret);
	    if(err == SSL_ERROR_ZERO_RETURN) {
		return(0);
	    } else if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
		if(tlsblock(sdat->fd, err, 60)) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
	    } else {
		if(err != SSL_ERROR_SYSCALL)
		    errno = EPROTO;
		return(-1);
	    }
	} else {
	    off += ret;
	}
    }
    return(off);
}

static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
{
    struct sslconn *sdat = cookie;
    int ret, err, nb;
    size_t off;
    
    off = 0;
    while(off < len) {
	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
	if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
	    if(off > 0)
		return(off);
	    err = SSL_get_error(sdat->ssl, ret);
	    if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
		if(tlsblock(sdat->fd, err, 60)) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
	    } else {
		if(err != SSL_ERROR_SYSCALL)
		    errno = EIO;
		return(-1);
	    }
	} else {
	    off += ret;
	}
    }
    return(off);
}

static int sslclose(void *cookie)
{
    return(0);
}

static struct bufioops iofuns = {
    .read = sslread,
    .write = sslwrite,
    .close = sslclose,
};

static int initreq(struct conn *conn, struct hthead *req)
{
    struct sslconn *sdat = conn->pdata;
    struct sockaddr_storage sa;
    socklen_t salen;
    
    headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
    if(sdat->name->sa_family == AF_INET)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
    else if(sdat->name->sa_family == AF_INET6)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
    salen = sizeof(sa);
    if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
    headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
    headappheader(req, "X-Ash-Protocol", "https");
    return(0);
}

static void servessl(struct muth *muth, va_list args)
{
    vavar(int, fd);
    vavar(struct sockaddr_storage, name);
    vavar(struct sslport *, pd);
    int ret;
    SSL *ssl;
    struct conn conn;
    struct sslconn sdat;
    
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    ssl = SSL_new(pd->ctx);
    SSL_set_fd(ssl, fd);
    while((ret = SSL_accept(ssl)) <= 0) {
	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
	    goto out;
    }
    memset(&conn, 0, sizeof(conn));
    memset(&sdat, 0, sizeof(sdat));
    conn.pdata = &sdat;
    conn.initreq = initreq;
    sdat.port = pd;
    sdat.fd = fd;
    sdat.ssl = ssl;
    sdat.name = (struct sockaddr *)&name;
    sdat.namelen = sizeof(name);
    serve(bioopen(&sdat, &iofuns), fd, &conn);
    while((ret = SSL_shutdown(ssl)) < 0) {
	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
	    goto out;
    }
out:
    SSL_free(ssl);
    close(fd);
}

static void listenloop(struct muth *muth, va_list args)
{
    vavar(struct sslport *, pd);
    int i, ns, n;
    struct sockaddr_storage name;
    socklen_t namelen;
    
    fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
    while(1) {
	namelen = sizeof(name);
	if(block(pd->fd, EV_READ, 0) == 0)
	    goto out;
	for(n = 0; n < 100; n++) {
	    if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
		if(errno == EAGAIN)
		    break;
		if(errno == ECONNABORTED)
		    continue;
		flog(LOG_ERR, "accept: %s", strerror(errno));
		goto out;
	    }
	    mustart(servessl, ns, name, pd);
	}
    }
    
out:
    close(pd->fd);
    free(pd);
    for(i = 0; i < listeners.d; i++) {
	if(listeners.b[i] == muth)
	    bufdel(listeners, i);
    }
}

void handleossl(int argc, char **argp, char **argv)
{
    int i, port, fd;
    SSL_CTX *ctx;
    char *crtfile, *keyfile;
    struct sslport *pd;
    
    ctx = SSL_CTX_new(TLS_server_method());
    if(!ctx) {
	flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    port = 443;
    for(i = 0; i < argc; i++) {
	if(!strcmp(argp[i], "help")) {
	    printf("ssl handler parameters:\n");
	    printf("\tcert=CERT-FILE  [mandatory]\n");
	    printf("\t\tThe name of the file to read the certificate from.\n");
	    printf("\tkey=KEY-FILE    [same as CERT-FILE]\n");
	    printf("\t\tThe name of the file to read the private key from.\n");
	    printf("\tport=PORT       [443]\n");
	    printf("\t\tThe TCP port to listen on.\n");
	    exit(0);
	} else if(!strcmp(argp[i], "cert")) {
	    crtfile = argv[i];
	} else if(!strcmp(argp[i], "key")) {
	    keyfile = argv[i];
	} else if(!strcmp(argp[i], "port")) {
	    port = atoi(argv[i]);
	} else {
	    flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
	    exit(1);
	}
    }
    if(crtfile == NULL) {
	flog(LOG_ERR, "ssl: needs certificate file at the very least");
	exit(1);
    }
    if(keyfile == NULL)
	keyfile = crtfile;
    if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    if(!SSL_CTX_check_private_key(ctx)) {
	flog(LOG_ERR, "ssl: key and certificate do not match");
	exit(1);
    }
    if((fd = listensock6(port)) < 0) {
	flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
	exit(1);
    }
    omalloc(pd);
    pd->fd = fd;
    pd->sport = port;
    pd->ctx = ctx;
    bufadd(listeners, mustart(listenloop, pd));
    if((fd = listensock4(port)) < 0) {
	if(errno != EADDRINUSE) {
	    flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
	    exit(1);
	}
    } else {
	omalloc(pd);
	pd->fd = fd;
	pd->sport = port;
	pd->ctx = ctx;
	bufadd(listeners, mustart(listenloop, pd));
    }
}
Commit	Line	Data
3c5954e9 FT	1	/*
	2	ashd - A Sane HTTP Daemon
	3	Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
	4
	5	This program is free software: you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation, either version 3 of the License, or
	8	(at your option) any later version.
	9
	10	This program is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	You should have received a copy of the GNU General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17	*/
	18
	19	#include <fcntl.h>
	20	#include <unistd.h>
	21	#include <sys/socket.h>
	22	#include <arpa/inet.h>
	23
	24	#ifdef HAVE_CONFIG_H
	25	#include <config.h>
	26	#endif
	27	#include <utils.h>
	28	#include <mt.h>
	29	#include <mtio.h>
	30	#include <req.h>
	31	#include <log.h>
	32	#include <bufio.h>
	33
	34	#include "htparser.h"
	35
	36	#include <openssl/ssl.h>
	37	#include <openssl/err.h>
	38
	39	struct sslport {
	40	int fd, sport;
	41	SSL_CTX *ctx;
	42	};
	43
	44	struct sslconn {
	45	struct sslport *port;
	46	int fd;
	47	SSL *ssl;
	48	struct sockaddr *name;
	49	socklen_t namelen;
	50	};
	51
	52	static int tlsblock(int fd, int err, int to)
	53	{
	54	if(err == SSL_ERROR_WANT_READ) {
	55	if(block(fd, EV_READ, to) <= 0)
	56	return(1);
	57	return(0);
	58	} else if(err == SSL_ERROR_WANT_WRITE) {
	59	if(block(fd, EV_WRITE, to) <= 0)
	60	return(1);
	61	return(0);
	62	} else {
	63	return(1);
	64	}
65	}
66
67	static ssize_t sslread(void cookie, void buf, size_t len)
68	{
69	struct sslconn *sdat = cookie;
70	int ret, err, nb;
71	size_t off;
72
73	off = 0;
74	while(off < len) {
75	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
76	if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
77	if(off > 0)
78	return(off);
79	err = SSL_get_error(sdat->ssl, ret);
80	if(err == SSL_ERROR_ZERO_RETURN) {
81	return(0);
82	} else if((err == SSL_ERROR_WANT_READ) \|\| (err == SSL_ERROR_WANT_WRITE)) {
83	if(tlsblock(sdat->fd, err, 60)) {
84	errno = ETIMEDOUT;
85	return(-1);
86	}
87	} else {
88	if(err != SSL_ERROR_SYSCALL)
89	errno = EPROTO;
90	return(-1);
91	}
92	} else {
93	off += ret;
94	}
95	}
96	return(off);
97	}
98
99	static ssize_t sslwrite(void cookie, const void buf, size_t len)
100	{
101	struct sslconn *sdat = cookie;
102	int ret, err, nb;
103	size_t off;
104
105	off = 0;
106	while(off < len) {
107	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
108	if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
109	if(off > 0)
110	return(off);
111	err = SSL_get_error(sdat->ssl, ret);
112	if((err == SSL_ERROR_WANT_READ) \|\| (err == SSL_ERROR_WANT_WRITE)) {
113	if(tlsblock(sdat->fd, err, 60)) {
114	errno = ETIMEDOUT;
115	return(-1);
116	}
117	} else {
118	if(err != SSL_ERROR_SYSCALL)
119	errno = EIO;
120	return(-1);
121	}
122	} else {
123	off += ret;
124	}
125	}
126	return(off);
127	}
128
129	static int sslclose(void *cookie)
130	{
131	return(0);
132	}
133
134	static struct bufioops iofuns = {
135	.read = sslread,
136	.write = sslwrite,
137	.close = sslclose,
138	};
139
140	static int initreq(struct conn conn, struct hthead req)
141	{
142	struct sslconn *sdat = conn->pdata;
143	struct sockaddr_storage sa;
144	socklen_t salen;
145
146	headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
147	if(sdat->name->sa_family == AF_INET)
148	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
149	else if(sdat->name->sa_family == AF_INET6)
150	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
151	salen = sizeof(sa);
152	if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
153	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
154	headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
155	headappheader(req, "X-Ash-Protocol", "https");
156	return(0);
157	}
158
159	static void servessl(struct muth *muth, va_list args)
160	{
161	vavar(int, fd);
162	vavar(struct sockaddr_storage, name);
163	vavar(struct sslport *, pd);
164	int ret;
165	SSL *ssl;
166	struct conn conn;
167	struct sslconn sdat;
168
169	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) \| O_NONBLOCK);
170	ssl = SSL_new(pd->ctx);
171	SSL_set_fd(ssl, fd);
172	while((ret = SSL_accept(ssl)) <= 0) {
173	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
174	goto out;
175	}
176	memset(&conn, 0, sizeof(conn));
177	memset(&sdat, 0, sizeof(sdat));
178	conn.pdata = &sdat;
179	conn.initreq = initreq;
180	sdat.port = pd;
181	sdat.fd = fd;
182	sdat.ssl = ssl;
183	sdat.name = (struct sockaddr *)&name;
184	sdat.namelen = sizeof(name);
185	serve(bioopen(&sdat, &iofuns), fd, &conn);
186	while((ret = SSL_shutdown(ssl)) < 0) {
187	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
188	goto out;
189	}
190	out:
191	SSL_free(ssl);
192	close(fd);
193	}
194
195	static void listenloop(struct muth *muth, va_list args)
196	{
197	vavar(struct sslport *, pd);
198	int i, ns, n;
199	struct sockaddr_storage name;
200	socklen_t namelen;
201
202	fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) \| O_NONBLOCK);
203	while(1) {
204	namelen = sizeof(name);
205	if(block(pd->fd, EV_READ, 0) == 0)
206	goto out;
207	for(n = 0; n < 100; n++) {
208	if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
209	if(errno == EAGAIN)
210	break;
211	if(errno == ECONNABORTED)
212	continue;
213	flog(LOG_ERR, "accept: %s", strerror(errno));
214	goto out;
215	}
216	mustart(servessl, ns, name, pd);
217	}
218	}
219
220	out:
221	close(pd->fd);
222	free(pd);
223	for(i = 0; i < listeners.d; i++) {
224	if(listeners.b[i] == muth)
225	bufdel(listeners, i);
226	}
227	}
228
229	void handleossl(int argc, char argp, char argv)
230	{
231	int i, port, fd;
232	SSL_CTX *ctx;
233	char crtfile, keyfile;
234	struct sslport *pd;
235
236	ctx = SSL_CTX_new(TLS_server_method());
237	if(!ctx) {
238	flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
239	exit(1);
240	}
241	port = 443;
242	for(i = 0; i < argc; i++) {
243	if(!strcmp(argp[i], "help")) {
244	printf("ssl handler parameters:\n");
245	printf("\tcert=CERT-FILE [mandatory]\n");
246	printf("\t\tThe name of the file to read the certificate from.\n");
247	printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
248	printf("\t\tThe name of the file to read the private key from.\n");
249	printf("\tport=PORT [443]\n");
250	printf("\t\tThe TCP port to listen on.\n");
251	exit(0);
252	} else if(!strcmp(argp[i], "cert")) {
253	crtfile = argv[i];
254	} else if(!strcmp(argp[i], "key")) {
255	keyfile = argv[i];
256	} else if(!strcmp(argp[i], "port")) {
257	port = atoi(argv[i]);
258	} else {
259	flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
260	exit(1);
261	}
262	}
263	if(crtfile == NULL) {
264	flog(LOG_ERR, "ssl: needs certificate file at the very least");
265	exit(1);
266	}
267	if(keyfile == NULL)
268	keyfile = crtfile;
269	if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
270	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
271	exit(1);
272	}
273	if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
274	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
275	exit(1);
276	}
277	if(!SSL_CTX_check_private_key(ctx)) {
278	flog(LOG_ERR, "ssl: key and certificate do not match");
279	exit(1);
280	}
281	if((fd = listensock6(port)) < 0) {
282	flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
283	exit(1);
284	}
285	omalloc(pd);
286	pd->fd = fd;
287	pd->sport = port;
288	pd->ctx = ctx;
289	bufadd(listeners, mustart(listenloop, pd));
290	if((fd = listensock4(port)) < 0) {
291	if(errno != EADDRINUSE) {
292	flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
293	exit(1);
294	}
295	} else {
296	omalloc(pd);
297	pd->fd = fd;
298	pd->sport = port;
299	pd->ctx = ctx;
300	bufadd(listeners, mustart(listenloop, pd));
301	}
302	}