[ashd.git] / src / ssl-openssl.c

/*
    ashd - A Sane HTTP Daemon
    Copyright (C) 2008  Fredrik Tolf <fredrik@dolda2000.com>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <utils.h>
#include <mt.h>
#include <mtio.h>
#include <req.h>
#include <log.h>
#include <bufio.h>

#include "htparser.h"

#ifdef HAVE_OPENSSL

#include <openssl/ssl.h>
#include <openssl/err.h>

struct sslport {
    int fd, sport;
    SSL_CTX *ctx;
};

struct sslconn {
    struct sslport *port;
    int fd;
    SSL *ssl;
    struct sockaddr *name;
    socklen_t namelen;
};

static int tlsblock(int fd, int err, int to)
{
    if(err == SSL_ERROR_WANT_READ) {
	if(block(fd, EV_READ, to) <= 0)
	    return(1);
	return(0);
    } else if(err == SSL_ERROR_WANT_WRITE) {
	if(block(fd, EV_WRITE, to) <= 0)
	    return(1);
	return(0);
    } else {
	return(1);
    }
}

static ssize_t sslread(void *cookie, void *buf, size_t len)
{
    struct sslconn *sdat = cookie;
    int ret, err, nb;
    size_t off;
    
    off = 0;
    while(off < len) {
	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
	if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
	    if(off > 0)
		return(off);
	    err = SSL_get_error(sdat->ssl, ret);
	    if(err == SSL_ERROR_ZERO_RETURN) {
		return(0);
	    } else if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
		if(tlsblock(sdat->fd, err, 60)) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
	    } else {
		if(err != SSL_ERROR_SYSCALL)
		    errno = EPROTO;
		return(-1);
	    }
	} else {
	    off += ret;
	}
    }
    return(off);
}

static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
{
    struct sslconn *sdat = cookie;
    int ret, err, nb;
    size_t off;
    
    off = 0;
    while(off < len) {
	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
	if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
	    if(off > 0)
		return(off);
	    err = SSL_get_error(sdat->ssl, ret);
	    if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
		if(tlsblock(sdat->fd, err, 60)) {
		    errno = ETIMEDOUT;
		    return(-1);
		}
	    } else {
		if(err != SSL_ERROR_SYSCALL)
		    errno = EIO;
		return(-1);
	    }
	} else {
	    off += ret;
	}
    }
    return(off);
}

static int sslclose(void *cookie)
{
    return(0);
}

static struct bufioops iofuns = {
    .read = sslread,
    .write = sslwrite,
    .close = sslclose,
};

static int initreq(struct conn *conn, struct hthead *req)
{
    struct sslconn *sdat = conn->pdata;
    struct sockaddr_storage sa;
    socklen_t salen;
    
    headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
    if(sdat->name->sa_family == AF_INET)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
    else if(sdat->name->sa_family == AF_INET6)
	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
    salen = sizeof(sa);
    if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
    headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
    headappheader(req, "X-Ash-Protocol", "https");
    return(0);
}

static void servessl(struct muth *muth, va_list args)
{
    vavar(int, fd);
    vavar(struct sockaddr_storage, name);
    vavar(struct sslport *, pd);
    int ret;
    SSL *ssl;
    struct conn conn;
    struct sslconn sdat;
    
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    ssl = SSL_new(pd->ctx);
    SSL_set_fd(ssl, fd);
    while((ret = SSL_accept(ssl)) <= 0) {
	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
	    goto out;
    }
    memset(&conn, 0, sizeof(conn));
    memset(&sdat, 0, sizeof(sdat));
    conn.pdata = &sdat;
    conn.initreq = initreq;
    sdat.port = pd;
    sdat.fd = fd;
    sdat.ssl = ssl;
    sdat.name = (struct sockaddr *)&name;
    sdat.namelen = sizeof(name);
    serve(bioopen(&sdat, &iofuns), fd, &conn);
    while((ret = SSL_shutdown(ssl)) < 0) {
	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
	    goto out;
    }
out:
    SSL_free(ssl);
    close(fd);
}

static void listenloop(struct muth *muth, va_list args)
{
    vavar(struct sslport *, pd);
    int i, ns, n;
    struct sockaddr_storage name;
    socklen_t namelen;
    
    fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
    while(1) {
	namelen = sizeof(name);
	if(block(pd->fd, EV_READ, 0) == 0)
	    goto out;
	for(n = 0; n < 100; n++) {
	    if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
		if(errno == EAGAIN)
		    break;
		if(errno == ECONNABORTED)
		    continue;
		flog(LOG_ERR, "accept: %s", strerror(errno));
		goto out;
	    }
	    mustart(servessl, ns, name, pd);
	}
    }
    
out:
    close(pd->fd);
    free(pd);
    for(i = 0; i < listeners.d; i++) {
	if(listeners.b[i] == muth)
	    bufdel(listeners, i);
    }
}

void handleossl(int argc, char **argp, char **argv)
{
    int i, port, fd;
    SSL_CTX *ctx;
    char *crtfile, *keyfile;
    struct sslport *pd;
    
    ctx = SSL_CTX_new(TLS_server_method());
    if(!ctx) {
	flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    port = 443;
    for(i = 0; i < argc; i++) {
	if(!strcmp(argp[i], "help")) {
	    printf("ssl handler parameters:\n");
	    printf("\tcert=CERT-FILE  [mandatory]\n");
	    printf("\t\tThe name of the file to read the certificate from.\n");
	    printf("\tkey=KEY-FILE    [same as CERT-FILE]\n");
	    printf("\t\tThe name of the file to read the private key from.\n");
	    printf("\tport=PORT       [443]\n");
	    printf("\t\tThe TCP port to listen on.\n");
	    exit(0);
	} else if(!strcmp(argp[i], "cert")) {
	    crtfile = argv[i];
	} else if(!strcmp(argp[i], "key")) {
	    keyfile = argv[i];
	} else if(!strcmp(argp[i], "port")) {
	    port = atoi(argv[i]);
	} else {
	    flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
	    exit(1);
	}
    }
    if(crtfile == NULL) {
	flog(LOG_ERR, "ssl: needs certificate file at the very least");
	exit(1);
    }
    if(keyfile == NULL)
	keyfile = crtfile;
    if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
	exit(1);
    }
    if(!SSL_CTX_check_private_key(ctx)) {
	flog(LOG_ERR, "ssl: key and certificate do not match");
	exit(1);
    }
    if((fd = listensock6(port)) < 0) {
	flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
	exit(1);
    }
    omalloc(pd);
    pd->fd = fd;
    pd->sport = port;
    pd->ctx = ctx;
    bufadd(listeners, mustart(listenloop, pd));
    if((fd = listensock4(port)) < 0) {
	if(errno != EADDRINUSE) {
	    flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
	    exit(1);
	}
    } else {
	omalloc(pd);
	pd->fd = fd;
	pd->sport = port;
	pd->ctx = ctx;
	bufadd(listeners, mustart(listenloop, pd));
    }
}

#endif
Commit	Line	Data
3c5954e9 FT	1	/*
	2	ashd - A Sane HTTP Daemon
	3	Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
	4
	5	This program is free software: you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation, either version 3 of the License, or
	8	(at your option) any later version.
	9
	10	This program is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	You should have received a copy of the GNU General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17	*/
	18
	19	#include <fcntl.h>
	20	#include <unistd.h>
e3d4500a	21	#include <string.h>
3c5954e9	22	#include <sys/socket.h>
e3d4500a	23	#include <netinet/in.h>
3c5954e9 FT	24	#include <arpa/inet.h>
	25
	26	#ifdef HAVE_CONFIG_H
	27	#include <config.h>
	28	#endif
	29	#include <utils.h>
	30	#include <mt.h>
	31	#include <mtio.h>
	32	#include <req.h>
	33	#include <log.h>
	34	#include <bufio.h>
	35
	36	#include "htparser.h"
	37
ecda1e6a FT	38	#ifdef HAVE_OPENSSL
ecda1e6a FT	39
3c5954e9 FT	40	#include <openssl/ssl.h>
	41	#include <openssl/err.h>
	42
	43	struct sslport {
	44	int fd, sport;
	45	SSL_CTX *ctx;
	46	};
	47
	48	struct sslconn {
	49	struct sslport *port;
	50	int fd;
	51	SSL *ssl;
	52	struct sockaddr *name;
	53	socklen_t namelen;
	54	};
	55
	56	static int tlsblock(int fd, int err, int to)
	57	{
	58	if(err == SSL_ERROR_WANT_READ) {
	59	if(block(fd, EV_READ, to) <= 0)
	60	return(1);
	61	return(0);
	62	} else if(err == SSL_ERROR_WANT_WRITE) {
	63	if(block(fd, EV_WRITE, to) <= 0)
	64	return(1);
	65	return(0);
	66	} else {
	67	return(1);
	68	}
	69	}
	70
	71	static ssize_t sslread(void cookie, void buf, size_t len)
	72	{
	73	struct sslconn *sdat = cookie;
	74	int ret, err, nb;
	75	size_t off;
	76
	77	off = 0;
	78	while(off < len) {
	79	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
	80	if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
	81	if(off > 0)
	82	return(off);
	83	err = SSL_get_error(sdat->ssl, ret);
	84	if(err == SSL_ERROR_ZERO_RETURN) {
	85	return(0);
	86	} else if((err == SSL_ERROR_WANT_READ) \|\| (err == SSL_ERROR_WANT_WRITE)) {
	87	if(tlsblock(sdat->fd, err, 60)) {
	88	errno = ETIMEDOUT;
	89	return(-1);
	90	}
	91	} else {
	92	if(err != SSL_ERROR_SYSCALL)
	93	errno = EPROTO;
	94	return(-1);
	95	}
	96	} else {
	97	off += ret;
	98	}
	99	}
	100	return(off);
	101	}
	102
	103	static ssize_t sslwrite(void cookie, const void buf, size_t len)
104	{
105	struct sslconn *sdat = cookie;
106	int ret, err, nb;
107	size_t off;
108
109	off = 0;
110	while(off < len) {
111	nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
112	if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
113	if(off > 0)
114	return(off);
115	err = SSL_get_error(sdat->ssl, ret);
116	if((err == SSL_ERROR_WANT_READ) \|\| (err == SSL_ERROR_WANT_WRITE)) {
117	if(tlsblock(sdat->fd, err, 60)) {
118	errno = ETIMEDOUT;
119	return(-1);
120	}
121	} else {
122	if(err != SSL_ERROR_SYSCALL)
123	errno = EIO;
124	return(-1);
125	}
126	} else {
127	off += ret;
128	}
129	}
130	return(off);
131	}
132
133	static int sslclose(void *cookie)
134	{
135	return(0);
136	}
137
138	static struct bufioops iofuns = {
139	.read = sslread,
140	.write = sslwrite,
141	.close = sslclose,
142	};
143
144	static int initreq(struct conn conn, struct hthead req)
145	{
146	struct sslconn *sdat = conn->pdata;
147	struct sockaddr_storage sa;
148	socklen_t salen;
149
150	headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
151	if(sdat->name->sa_family == AF_INET)
152	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
153	else if(sdat->name->sa_family == AF_INET6)
154	headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
155	salen = sizeof(sa);
156	if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
157	headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
158	headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
159	headappheader(req, "X-Ash-Protocol", "https");
160	return(0);
161	}
162
163	static void servessl(struct muth *muth, va_list args)
164	{
165	vavar(int, fd);
166	vavar(struct sockaddr_storage, name);
167	vavar(struct sslport *, pd);
168	int ret;
169	SSL *ssl;
170	struct conn conn;
171	struct sslconn sdat;
172
173	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) \| O_NONBLOCK);
174	ssl = SSL_new(pd->ctx);
175	SSL_set_fd(ssl, fd);
176	while((ret = SSL_accept(ssl)) <= 0) {
177	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
178	goto out;
179	}
180	memset(&conn, 0, sizeof(conn));
181	memset(&sdat, 0, sizeof(sdat));
182	conn.pdata = &sdat;
183	conn.initreq = initreq;
184	sdat.port = pd;
185	sdat.fd = fd;
186	sdat.ssl = ssl;
187	sdat.name = (struct sockaddr *)&name;
188	sdat.namelen = sizeof(name);
189	serve(bioopen(&sdat, &iofuns), fd, &conn);
190	while((ret = SSL_shutdown(ssl)) < 0) {
191	if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
192	goto out;
193	}
194	out:
195	SSL_free(ssl);
196	close(fd);
197	}
198
199	static void listenloop(struct muth *muth, va_list args)
200	{
201	vavar(struct sslport *, pd);
202	int i, ns, n;
203	struct sockaddr_storage name;
204	socklen_t namelen;
205
206	fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) \| O_NONBLOCK);
207	while(1) {
208	namelen = sizeof(name);
209	if(block(pd->fd, EV_READ, 0) == 0)
210	goto out;
211	for(n = 0; n < 100; n++) {
212	if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
213	if(errno == EAGAIN)
214	break;
215	if(errno == ECONNABORTED)
216	continue;
217	flog(LOG_ERR, "accept: %s", strerror(errno));
218	goto out;
219	}
220	mustart(servessl, ns, name, pd);
221	}
222	}
223
224	out:
225	close(pd->fd);
226	free(pd);
227	for(i = 0; i < listeners.d; i++) {
228	if(listeners.b[i] == muth)
229	bufdel(listeners, i);
230	}
231	}
232
233	void handleossl(int argc, char argp, char argv)
234	{
235	int i, port, fd;
236	SSL_CTX *ctx;
237	char crtfile, keyfile;
238	struct sslport *pd;
239
240	ctx = SSL_CTX_new(TLS_server_method());
241	if(!ctx) {
242	flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
243	exit(1);
244	}
245	port = 443;
246	for(i = 0; i < argc; i++) {
247	if(!strcmp(argp[i], "help")) {
248	printf("ssl handler parameters:\n");
249	printf("\tcert=CERT-FILE [mandatory]\n");
250	printf("\t\tThe name of the file to read the certificate from.\n");
251	printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
252	printf("\t\tThe name of the file to read the private key from.\n");
253	printf("\tport=PORT [443]\n");
254	printf("\t\tThe TCP port to listen on.\n");
255	exit(0);
256	} else if(!strcmp(argp[i], "cert")) {
257	crtfile = argv[i];
258	} else if(!strcmp(argp[i], "key")) {
259	keyfile = argv[i];
260	} else if(!strcmp(argp[i], "port")) {
261	port = atoi(argv[i]);
262	} else {
263	flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
264	exit(1);
265	}
266	}
267	if(crtfile == NULL) {
268	flog(LOG_ERR, "ssl: needs certificate file at the very least");
269	exit(1);
270	}
271	if(keyfile == NULL)
272	keyfile = crtfile;
273	if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
274	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
275	exit(1);
276	}
277	if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
278	flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
279	exit(1);
280	}
281	if(!SSL_CTX_check_private_key(ctx)) {
282	flog(LOG_ERR, "ssl: key and certificate do not match");
283	exit(1);
284	}
285	if((fd = listensock6(port)) < 0) {
286	flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
287	exit(1);
288	}
289	omalloc(pd);
290	pd->fd = fd;
291	pd->sport = port;
292	pd->ctx = ctx;
293	bufadd(listeners, mustart(listenloop, pd));
294	if((fd = listensock4(port)) < 0) {
295	if(errno != EADDRINUSE) {
296	flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
297	exit(1);
298	}
299	} else {
300	omalloc(pd);
301	pd->fd = fd;
302	pd->sport = port;
303	pd->ctx = ctx;
304	bufadd(listeners, mustart(listenloop, pd));
305	}
306	}
ecda1e6a FT	307
ecda1e6a FT	308	#endif