X-Git-Url: http://www.dolda2000.com/gitweb/?p=ashd.git;a=blobdiff_plain;f=src%2Fssl-gnutls.c;h=544a7101e0ef4ac902edfb722ed3a8f6ef1cff5c;hp=e27d31462e2b738836987379dd6e51d05737cfd8;hb=bcd711f045db18bb92ad2e20bff6c6c0ff4bb5f3;hpb=26902200a8061d8e9211e5104abbf2acc84ed7b9 diff --git a/src/ssl-gnutls.c b/src/ssl-gnutls.c index e27d314..544a710 100644 --- a/src/ssl-gnutls.c +++ b/src/ssl-gnutls.c @@ -34,6 +34,7 @@ #include #include #include +#include #include "htparser.h" @@ -53,9 +54,9 @@ struct ncredbuf { }; struct sslport { - int fd; - int sport; + int fd, sport, clreq; gnutls_certificate_credentials_t creds; + gnutls_priority_t ciphers; struct namedcreds **ncreds; }; @@ -67,7 +68,122 @@ struct sslconn { struct charbuf in; }; -static gnutls_dh_params_t dhparams; +struct savedsess { + struct savedsess *next, *prev; + gnutls_datum_t key, value; +}; + +struct certbuffer { + gnutls_x509_crt_t *b; + size_t s, d; +}; + +static int numconn = 0, numsess = 0; +static struct btree *sessidx = NULL; +static struct savedsess *sesslistf = NULL, *sesslistl = NULL; + +static int sesscmp(void *ap, void *bp) +{ + struct savedsess *a = ap, *b = bp; + + if(a->key.size != b->key.size) + return(a->key.size - b->key.size); + return(memcmp(a->key.data, b->key.data, a->key.size)); +} + +static gnutls_datum_t sessdbfetch(void *uudata, gnutls_datum_t key) +{ + struct savedsess *sess, lkey; + gnutls_datum_t ret; + + memset(&ret, 0, sizeof(ret)); + lkey.key = key; + if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL) + return(ret); + ret.data = memcpy(gnutls_malloc(ret.size = sess->value.size), sess->value.data, sess->value.size); + return(ret); +} + +static void freesess(struct savedsess *sess) +{ + bbtreedel(&sessidx, sess, sesscmp); + if(sess->next) + sess->next->prev = sess->prev; + if(sess->prev) + sess->prev->next = sess->next; + if(sess == sesslistf) + sesslistf = sess->next; + if(sess == sesslistl) + sesslistl = sess->prev; + free(sess->key.data); + free(sess->value.data); + free(sess); + numsess--; +} + +static int sessdbdel(void *uudata, gnutls_datum_t key) +{ + struct savedsess *sess, lkey; + + lkey.key = key; + if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL) + return(-1); + freesess(sess); + return(0); +} + +static void cleansess(void) +{ + while(numsess > (max(numconn, 1) * 100)) + freesess(sesslistl); +} + +static int sessdbstore(void *uudata, gnutls_datum_t key, gnutls_datum_t value) +{ + static int cc = 0; + struct savedsess *sess, lkey; + + if((value.data == NULL) || (value.size == 0)) { + sessdbdel(NULL, key); + return(0); + } + lkey.key = key; + if((sess = btreeget(sessidx, &lkey, sesscmp)) == NULL) { + omalloc(sess); + sess->key.data = memcpy(smalloc(sess->key.size = key.size), key.data, key.size); + sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size); + bbtreeput(&sessidx, sess, sesscmp); + sess->prev = NULL; + sess->next = sesslistf; + if(sesslistf) + sesslistf->prev = sess; + sesslistf = sess; + if(sesslistl == NULL) + sesslistl = sess; + numsess++; + } else { + free(sess->value.data); + sess->value.data = memcpy(smalloc(sess->value.size = value.size), value.data, value.size); + if(sess != sesslistf) { + if(sess->next) + sess->next->prev = sess->prev; + if(sess->prev) + sess->prev->next = sess->next; + if(sess == sesslistl) + sesslistl = sess->prev; + sess->prev = NULL; + sess->next = sesslistf; + if(sesslistf) + sesslistf->prev = sess; + sesslistf = sess; + } + } + if(cc++ > 100) { + cleansess(); + cc = 0; + } + return(0); +} static int tlsblock(int fd, gnutls_session_t sess, time_t to) { @@ -77,7 +193,7 @@ static int tlsblock(int fd, gnutls_session_t sess, time_t to) return(block(fd, EV_READ, to)); } -static ssize_t sslread(void *cookie, char *buf, size_t len) +static ssize_t sslread(void *cookie, void *buf, size_t len) { struct sslconn *ssl = cookie; ssize_t xf; @@ -106,7 +222,7 @@ static ssize_t sslread(void *cookie, char *buf, size_t len) return(xf); } -static ssize_t sslwrite(void *cookie, const char *buf, size_t len) +static ssize_t sslwrite(void *cookie, const void *buf, size_t len) { struct sslconn *ssl = cookie; int ret; @@ -138,10 +254,13 @@ static ssize_t sslwrite(void *cookie, const char *buf, size_t len) static int sslclose(void *cookie) { + struct sslconn *ssl = cookie; + + buffree(ssl->in); return(0); } -static cookie_io_functions_t iofuns = { +static struct bufioops iofuns = { .read = sslread, .write = sslwrite, .close = sslclose, @@ -152,16 +271,12 @@ static int initreq(struct conn *conn, struct hthead *req) struct sslconn *ssl = conn->pdata; struct sockaddr_storage sa; socklen_t salen; - char nmbuf[256]; headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa))); - if(ssl->name.ss_family == AF_INET) { - headappheader(req, "X-Ash-Address", inet_ntop(AF_INET, &((struct sockaddr_in *)&ssl->name)->sin_addr, nmbuf, sizeof(nmbuf))); + if(ssl->name.ss_family == AF_INET) headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)&ssl->name)->sin_port))); - } else if(ssl->name.ss_family == AF_INET6) { - headappheader(req, "X-Ash-Address", inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ssl->name)->sin6_addr, nmbuf, sizeof(nmbuf))); + else if(ssl->name.ss_family == AF_INET6) headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)&ssl->name)->sin6_port))); - } salen = sizeof(sa); if(!getsockname(ssl->fd, (struct sockaddr *)&sa, &salen)) headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa))); @@ -179,7 +294,6 @@ static void servessl(struct muth *muth, va_list args) struct sslconn ssl; gnutls_session_t sess; int ret; - FILE *in; int setcreds(gnutls_session_t sess) { @@ -198,20 +312,27 @@ static void servessl(struct muth *muth, va_list args) for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) { if(!strcmp(pd->ncreds[o]->names[u], nambuf)) { gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds); - gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); + if(pd->clreq) + gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); return(0); } } } } gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds); - gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); + if(pd->clreq) + gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); return(0); } + numconn++; fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK); gnutls_init(&sess, GNUTLS_SERVER); - gnutls_set_default_priority(sess); + gnutls_priority_set(sess, pd->ciphers); + gnutls_db_set_retrieve_function(sess, sessdbfetch); + gnutls_db_set_store_function(sess, sessdbstore); + gnutls_db_set_remove_function(sess, sessdbdel); + gnutls_db_set_ptr(sess, NULL); gnutls_handshake_set_post_client_hello_function(sess, setcreds); gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd); while((ret = gnutls_handshake(sess)) != 0) { @@ -229,35 +350,67 @@ static void servessl(struct muth *muth, va_list args) ssl.name = name; ssl.sess = sess; bufinit(ssl.in); - in = fopencookie(&ssl, "r+", iofuns); - serve(in, &conn); + serve(bioopen(&ssl, &iofuns), fd, &conn); out: gnutls_deinit(sess); close(fd); + numconn--; } static void listenloop(struct muth *muth, va_list args) { vavar(struct sslport *, pd); - int ns; + int i, ns, n; struct sockaddr_storage name; socklen_t namelen; + fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK); while(1) { namelen = sizeof(name); - block(pd->fd, EV_READ, 0); - ns = accept(pd->fd, (struct sockaddr *)&name, &namelen); - if(ns < 0) { - flog(LOG_ERR, "accept: %s", strerror(errno)); + if(block(pd->fd, EV_READ, 0) == 0) goto out; + n = 0; + while(1) { + ns = accept(pd->fd, (struct sockaddr *)&name, &namelen); + if(ns < 0) { + if(errno == EAGAIN) + break; + if(errno == ECONNABORTED) + continue; + flog(LOG_ERR, "accept: %s", strerror(errno)); + goto out; + } + mustart(servessl, ns, name, pd); + if(++n >= 100) + break; } - mustart(servessl, ns, name, pd); } out: close(pd->fd); free(pd); + for(i = 0; i < listeners.d; i++) { + if(listeners.b[i] == muth) + bufdel(listeners, i); + } +} + +static gnutls_dh_params_t dhparams(void) +{ + static int inited = 0; + static gnutls_dh_params_t pars; + int ret; + + if(!inited) { + if(((ret = gnutls_dh_params_init(&pars)) != 0) || + ((ret = gnutls_dh_params_generate2(pars, 2048)) != 0)) { + flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret)); + exit(1); + } + inited = 1; + } + return(pars); } static void init(void) @@ -272,27 +425,61 @@ static void init(void) flog(LOG_ERR, "could not initialize GnuTLS: %s", gnutls_strerror(ret)); exit(1); } - if(((ret = gnutls_dh_params_init(&dhparams)) != 0) || - ((ret = gnutls_dh_params_generate2(dhparams, 2048)) != 0)) { - flog(LOG_ERR, "GnuTLS could not generate Diffie-Hellman parameters: %s", gnutls_strerror(ret)); - exit(1); +} + +/* This implementation seems somewhat ugly, but it's the way the + * GnuTLS implements the same thing internally, so it should probably + * be interoperable, at least. */ +static int readcrtchain(struct certbuffer *ret, struct charbuf *pem) +{ + static char *headers[] = {"-----BEGIN CERTIFICATE", "-----BEGIN X509 CERTIFICATE"}; + int i, rv; + char *p, *p2, *f; + gnutls_x509_crt_t crt; + + for(i = 0, p = NULL; i < sizeof(headers) / sizeof(*headers); i++) { + f = memmem(pem->b, pem->d, headers[i], strlen(headers[i])); + if((f != NULL) && ((p == NULL) || (f < p))) + p = f; } + if(p == NULL) + return(-GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + do { + if((rv = gnutls_x509_crt_init(&crt)) < 0) + goto error; + if((rv = gnutls_x509_crt_import(crt, &(gnutls_datum_t){.data = (unsigned char *)p, .size = pem->d - (p - pem->b)}, GNUTLS_X509_FMT_PEM)) < 0) { + gnutls_x509_crt_deinit(crt); + goto error; + } + bufadd(*ret, crt); + for(i = 0, p2 = NULL; i < sizeof(headers) / sizeof(*headers); i++) { + f = memmem(p + 1, pem->d - (p + 1 - pem->b), headers[i], strlen(headers[i])); + if((f != NULL) && ((p2 == NULL) || (f < p2))) + p2 = f; + } + } while((p = p2) != NULL); + return(0); +error: + for(i = 0; i < ret->d; i++) + gnutls_x509_crt_deinit(ret->b[i]); + ret->d = 0; + return(rv); } -static struct namedcreds *readncreds(char *file) +static struct namedcreds *readncreds(char *file, gnutls_x509_privkey_t defkey) { int i, fd, ret; struct namedcreds *nc; - gnutls_x509_crt_t crt; + struct certbuffer crts; gnutls_x509_privkey_t key; char cn[1024]; size_t cnl; - gnutls_datum_t d; struct charbuf keybuf; struct charvbuf names; unsigned int type; bufinit(keybuf); + bufinit(crts); bufinit(names); if((fd = open(file, O_RDONLY)) < 0) { flog(LOG_ERR, "ssl: %s: %s", file, strerror(errno)); @@ -310,15 +497,12 @@ static struct namedcreds *readncreds(char *file) keybuf.d += ret; } close(fd); - d.data = (unsigned char *)keybuf.b; - d.size = keybuf.d; - gnutls_x509_crt_init(&crt); - if((ret = gnutls_x509_crt_import(crt, &d, GNUTLS_X509_FMT_PEM)) != 0) { - flog(LOG_ERR, "ssl: could not load certificate from %s: %s", file, gnutls_strerror(ret)); + if((ret = readcrtchain(&crts, &keybuf)) != 0) { + flog(LOG_ERR, "ssl: could not load certificate chain from %s: %s", file, gnutls_strerror(ret)); exit(1); } cnl = sizeof(cn) - 1; - if((ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, 0, cn, &cnl)) != 0) { + if((ret = gnutls_x509_crt_get_dn_by_oid(crts.b[0], GNUTLS_OID_X520_COMMON_NAME, 0, 0, cn, &cnl)) != 0) { flog(LOG_ERR, "ssl: could not read common name from %s: %s", file, gnutls_strerror(ret)); exit(1); } @@ -326,31 +510,36 @@ static struct namedcreds *readncreds(char *file) bufadd(names, sstrdup(cn)); for(i = 0; 1; i++) { cnl = sizeof(cn) - 1; - if(gnutls_x509_crt_get_subject_alt_name2(crt, i, cn, &cnl, &type, NULL) < 0) + if(gnutls_x509_crt_get_subject_alt_name2(crts.b[0], i, cn, &cnl, &type, NULL) < 0) break; cn[cnl] = 0; if(type == GNUTLS_SAN_DNSNAME) bufadd(names, sstrdup(cn)); } gnutls_x509_privkey_init(&key); - if((ret = gnutls_x509_privkey_import(key, &d, GNUTLS_X509_FMT_PEM)) != 0) { - flog(LOG_ERR, "ssl: could not load key from %s: %s", file, gnutls_strerror(ret)); - exit(1); + if((ret = gnutls_x509_privkey_import(key, &(gnutls_datum_t){.data = (unsigned char *)keybuf.b, .size = keybuf.d}, GNUTLS_X509_FMT_PEM)) != 0) { + if(ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_x509_privkey_deinit(key); + key = defkey; + } else { + flog(LOG_ERR, "ssl: could not load key from %s: %s", file, gnutls_strerror(ret)); + exit(1); + } } buffree(keybuf); bufadd(names, NULL); omalloc(nc); nc->names = names.b; gnutls_certificate_allocate_credentials(&nc->creds); - if((ret = gnutls_certificate_set_x509_key(nc->creds, &crt, 1, key)) != 0) { + if((ret = gnutls_certificate_set_x509_key(nc->creds, crts.b, crts.d, key)) != 0) { flog(LOG_ERR, "ssl: could not use certificate from %s: %s", file, gnutls_strerror(ret)); exit(1); } - gnutls_certificate_set_dh_params(nc->creds, dhparams); + gnutls_certificate_set_dh_params(nc->creds, dhparams()); return(nc); } -static void readncdir(struct ncredbuf *buf, char *dir) +static void readncdir(struct ncredbuf *buf, char *dir, gnutls_x509_privkey_t defkey) { DIR *d; struct dirent *e; @@ -367,24 +556,31 @@ static void readncdir(struct ncredbuf *buf, char *dir) continue; if(strcmp(e->d_name + es - 4, ".crt")) continue; - bufadd(*buf, readncreds(sprintf3("%s/%s", dir, e->d_name))); + bufadd(*buf, readncreds(sprintf3("%s/%s", dir, e->d_name), defkey)); } closedir(d); } void handlegnussl(int argc, char **argp, char **argv) { - int i, ret, port, fd; + int i, ret, port, fd, clreq; gnutls_certificate_credentials_t creds; + gnutls_priority_t ciphers; + gnutls_x509_privkey_t defkey; struct ncredbuf ncreds; + struct charvbuf ncertf, ncertd; struct sslport *pd; - char *crtfile, *keyfile; + char *crtfile, *keyfile, *perr; init(); port = 443; + clreq = 0; bufinit(ncreds); + bufinit(ncertf); + bufinit(ncertd); gnutls_certificate_allocate_credentials(&creds); keyfile = crtfile = NULL; + ciphers = NULL; for(i = 0; i < argc; i++) { if(!strcmp(argp[i], "help")) { printf("ssl handler parameters:\n"); @@ -392,22 +588,48 @@ void handlegnussl(int argc, char **argp, char **argv) printf("\t\tThe name of the file to read the certificate from.\n"); printf("\tkey=KEY-FILE [same as CERT-FILE]\n"); printf("\t\tThe name of the file to read the private key from.\n"); + printf("\tprio=PRIORITIES [NORMAL]\n"); + printf("\t\tCiphersuite priorities, as a GnuTLS priority string.\n"); printf("\ttrust=CA-FILE [no default]\n"); printf("\t\tThe name of a file to read trusted certificates from.\n"); printf("\t\tMay be given multiple times.\n"); printf("\tcrl=CRL-FILE [no default]\n"); printf("\t\tThe name of a file to read revocation lists from.\n"); printf("\t\tMay be given multiple times.\n"); + printf("\tncert=CERT-FILE [no default]\n"); + printf("\t\tThe name of a file to read a named certificate from,\n"); + printf("\t\tfor use with SNI-enabled clients.\n"); + printf("\t\tMay be given multiple times.\n"); + printf("\tncertdir=DIR [no default]\n"); + printf("\t\tRead all *.crt files in the given directory as if they\n"); + printf("\t\twere given with `ncert' options.\n"); + printf("\t\tMay be given multiple times.\n"); printf("\tport=PORT [443]\n"); printf("\t\tThe TCP port to listen on.\n"); printf("\n"); printf("\tAll X.509 data files must be PEM-encoded.\n"); - printf("\tSee the manpage for information on specifying multiple\n\tcertificates to support SNI operation.\n"); + printf("\tIf any certificates were given with `ncert' options, they will be\n"); + printf("\tused if a client explicitly names one of them with a\n"); + printf("\tserver-name indication. If a client indicates no server name,\n"); + printf("\tor if a server-name indication does not match any given\n"); + printf("\tcertificate, the certificate given with the `cert' option will\n"); + printf("\tbe used instead.\n"); exit(0); } else if(!strcmp(argp[i], "cert")) { crtfile = argv[i]; } else if(!strcmp(argp[i], "key")) { keyfile = argv[i]; + } else if(!strcmp(argp[i], "prio")) { + if(ciphers != NULL) + gnutls_priority_deinit(ciphers); + ret = gnutls_priority_init(&ciphers, argv[i], (const char **)&perr); + if(ret == GNUTLS_E_INVALID_REQUEST) { + flog(LOG_ERR, "ssl: invalid cipher priority string, at `%s'", perr); + exit(1); + } else if(ret != 0) { + flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret)); + exit(1); + } } else if(!strcmp(argp[i], "trust")) { if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret)); @@ -419,6 +641,7 @@ void handlegnussl(int argc, char **argp, char **argv) exit(1); } } + clreq = 1; } else if(!strcmp(argp[i], "crl")) { if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret)); @@ -430,12 +653,13 @@ void handlegnussl(int argc, char **argp, char **argv) exit(1); } } + clreq = 1; } else if(!strcmp(argp[i], "port")) { port = atoi(argv[i]); } else if(!strcmp(argp[i], "ncert")) { - bufadd(ncreds, readncreds(argv[i])); + bufadd(ncertf, argv[i]); } else if(!strcmp(argp[i], "ncertdir")) { - readncdir(&ncreds, argv[i]); + bufadd(ncertd, argv[i]); } else { flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]); exit(1); @@ -445,27 +669,43 @@ void handlegnussl(int argc, char **argp, char **argv) flog(LOG_ERR, "ssl: needs certificate file at the very least"); exit(1); } + if((fd = listensock6(port)) < 0) { + flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); + exit(1); + } if(keyfile == NULL) keyfile = crtfile; if((ret = gnutls_certificate_set_x509_key_file(creds, crtfile, keyfile, GNUTLS_X509_FMT_PEM)) != 0) { flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret)); exit(1); } - gnutls_certificate_set_dh_params(creds, dhparams); - if((fd = listensock6(port)) < 0) { - flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); + if((ciphers == NULL) && ((ret = gnutls_priority_init(&ciphers, "NORMAL", NULL)) != 0)) { + flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret)); + exit(1); + } + if((ret = gnutls_certificate_get_x509_key(creds, 0, &defkey)) != 0) { + flog(LOG_ERR, "ssl: could not get default key: %s", gnutls_strerror(ret)); exit(1); } + for(i = 0; i < ncertf.d; i++) + bufadd(ncreds, readncreds(ncertf.b[i], defkey)); + for(i = 0; i < ncertd.d; i++) + readncdir(&ncreds, ncertd.b[i], defkey); + buffree(ncertf); + buffree(ncertd); + gnutls_certificate_set_dh_params(creds, dhparams()); bufadd(ncreds, NULL); omalloc(pd); pd->fd = fd; pd->sport = port; + pd->clreq = clreq; pd->creds = creds; pd->ncreds = ncreds.b; - mustart(listenloop, pd); - if((fd = listensock6(port)) < 0) { + pd->ciphers = ciphers; + bufadd(listeners, mustart(listenloop, pd)); + if((fd = listensock4(port)) < 0) { if(errno != EADDRINUSE) { - flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); + flog(LOG_ERR, "could not listen on IPv4 port (port %i): %s", port, strerror(errno)); exit(1); } } else { @@ -473,7 +713,9 @@ void handlegnussl(int argc, char **argp, char **argv) pd->fd = fd; pd->sport = port; pd->creds = creds; - mustart(listenloop, pd); + pd->ncreds = ncreds.b; + pd->ciphers = ciphers; + bufadd(listeners, mustart(listenloop, pd)); } }