From: Fredrik Tolf Date: Tue, 19 Oct 2010 06:42:47 +0000 (+0200) Subject: Merge branch 'sni' X-Git-Tag: 0.3~1 X-Git-Url: http://www.dolda2000.com/gitweb/?p=ashd.git;a=commitdiff_plain;h=e99e87db1f197126909a3c1a944200ce5d502f92;hp=d3ef283f46d0a506f56dfd3567e1df7f0b2e24a3 Merge branch 'sni' --- diff --git a/src/ssl-gnutls.c b/src/ssl-gnutls.c index de52524..3eca0bb 100644 --- a/src/ssl-gnutls.c +++ b/src/ssl-gnutls.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -39,11 +40,23 @@ #ifdef HAVE_GNUTLS #include +#include + +struct namedcreds { + char **names; + gnutls_certificate_credentials_t creds; +}; + +struct ncredbuf { + struct namedcreds **b; + size_t s, d; +}; struct sslport { int fd; int sport; gnutls_certificate_credentials_t creds; + struct namedcreds **ncreds; }; struct sslconn { @@ -168,11 +181,38 @@ static void servessl(struct muth *muth, va_list args) int ret; FILE *in; + int setcreds(gnutls_session_t sess) + { + int i, o, u; + unsigned int ntype; + char nambuf[256]; + size_t namlen; + + for(i = 0; 1; i++) { + namlen = sizeof(nambuf); + if(gnutls_server_name_get(sess, nambuf, &namlen, &ntype, i) != 0) + break; + if(ntype != GNUTLS_NAME_DNS) + continue; + for(o = 0; pd->ncreds[o] != NULL; o++) { + for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) { + if(!strcmp(pd->ncreds[o]->names[u], nambuf)) { + gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds); + gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); + return(0); + } + } + } + } + gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds); + gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); + return(0); + } + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK); gnutls_init(&sess, GNUTLS_SERVER); gnutls_set_default_priority(sess); - gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds); - gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); + gnutls_handshake_set_post_client_hello_function(sess, setcreds); gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd); while((ret = gnutls_handshake(sess)) != 0) { if((ret != GNUTLS_E_INTERRUPTED) && (ret != GNUTLS_E_AGAIN)) @@ -239,15 +279,110 @@ static void init(void) } } +static struct namedcreds *readncreds(char *file) +{ + int i, fd, ret; + struct namedcreds *nc; + gnutls_x509_crt_t crt; + gnutls_x509_privkey_t key; + char cn[1024]; + size_t cnl; + gnutls_datum_t d; + struct charbuf keybuf; + struct charvbuf names; + unsigned int type; + + bufinit(keybuf); + bufinit(names); + if((fd = open(file, O_RDONLY)) < 0) { + flog(LOG_ERR, "ssl: %s: %s", file, strerror(errno)); + exit(1); + } + while(1) { + sizebuf(keybuf, keybuf.d + 1024); + ret = read(fd, keybuf.b + keybuf.d, keybuf.s - keybuf.d); + if(ret < 0) { + flog(LOG_ERR, "ssl: reading from %s: %s", file, strerror(errno)); + exit(1); + } else if(ret == 0) { + break; + } + keybuf.d += ret; + } + close(fd); + d.data = (unsigned char *)keybuf.b; + d.size = keybuf.d; + gnutls_x509_crt_init(&crt); + if((ret = gnutls_x509_crt_import(crt, &d, GNUTLS_X509_FMT_PEM)) != 0) { + flog(LOG_ERR, "ssl: could not load certificate from %s: %s", file, gnutls_strerror(ret)); + exit(1); + } + cnl = sizeof(cn) - 1; + if((ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, 0, cn, &cnl)) != 0) { + flog(LOG_ERR, "ssl: could not read common name from %s: %s", file, gnutls_strerror(ret)); + exit(1); + } + cn[cnl] = 0; + bufadd(names, sstrdup(cn)); + for(i = 0; 1; i++) { + cnl = sizeof(cn) - 1; + if(gnutls_x509_crt_get_subject_alt_name2(crt, i, cn, &cnl, &type, NULL) < 0) + break; + cn[cnl] = 0; + if(type == GNUTLS_SAN_DNSNAME) + bufadd(names, sstrdup(cn)); + } + gnutls_x509_privkey_init(&key); + if((ret = gnutls_x509_privkey_import(key, &d, GNUTLS_X509_FMT_PEM)) != 0) { + flog(LOG_ERR, "ssl: could not load key from %s: %s", file, gnutls_strerror(ret)); + exit(1); + } + buffree(keybuf); + bufadd(names, NULL); + omalloc(nc); + nc->names = names.b; + gnutls_certificate_allocate_credentials(&nc->creds); + if((ret = gnutls_certificate_set_x509_key(nc->creds, &crt, 1, key)) != 0) { + flog(LOG_ERR, "ssl: could not use certificate from %s: %s", file, gnutls_strerror(ret)); + exit(1); + } + gnutls_certificate_set_dh_params(nc->creds, dhparams); + return(nc); +} + +static void readncdir(struct ncredbuf *buf, char *dir) +{ + DIR *d; + struct dirent *e; + size_t es; + + if((d = opendir(dir)) == NULL) { + flog(LOG_ERR, "ssl: could not read certificate directory %s: %s", dir, strerror(errno)); + exit(1); + } + while((e = readdir(d)) != NULL) { + if(e->d_name[0] == '.') + continue; + if((es = strlen(e->d_name)) <= 4) + continue; + if(strcmp(e->d_name + es - 4, ".crt")) + continue; + bufadd(*buf, readncreds(sprintf3("%s/%s", dir, e->d_name))); + } + closedir(d); +} + void handlegnussl(int argc, char **argp, char **argv) { int i, ret, port, fd; gnutls_certificate_credentials_t creds; + struct ncredbuf ncreds; struct sslport *pd; char *crtfile, *keyfile; init(); port = 443; + bufinit(ncreds); gnutls_certificate_allocate_credentials(&creds); keyfile = crtfile = NULL; for(i = 0; i < argc; i++) { @@ -263,10 +398,24 @@ void handlegnussl(int argc, char **argp, char **argv) printf("\tcrl=CRL-FILE [no default]\n"); printf("\t\tThe name of a file to read revocation lists from.\n"); printf("\t\tMay be given multiple times.\n"); + printf("\tncert=CERT-FILE [no default]\n"); + printf("\t\tThe name of a file to read a named certificate from,\n"); + printf("\t\tfor use with SNI-enabled clients.\n"); + printf("\t\tMay be given multiple times.\n"); + printf("\tncertdir=DIR [no default]\n"); + printf("\t\tRead all *.crt files in the given directory as if they\n"); + printf("\t\twere given with `ncert' options.\n"); + printf("\t\tMay be given multiple times.\n"); printf("\tport=PORT [443]\n"); printf("\t\tThe TCP port to listen on.\n"); printf("\n"); printf("\tAll X.509 data files must be PEM-encoded.\n"); + printf("\tIf any certificates were given with `ncert' options, they will be\n"); + printf("\tused if a client explicitly names one of them with a\n"); + printf("\tserver-name indication. If a client indicates no server name,\n"); + printf("\tor if a server-name indication does not match any given\n"); + printf("\tcertificate, the certificate given with the `cert' option will\n"); + printf("\tbe used instead.\n"); exit(0); } else if(!strcmp(argp[i], "cert")) { crtfile = argv[i]; @@ -277,13 +426,29 @@ void handlegnussl(int argc, char **argp, char **argv) flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret)); exit(1); } + for(i = 0; i < ncreds.d; i++) { + if((ret = gnutls_certificate_set_x509_trust_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { + flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret)); + exit(1); + } + } } else if(!strcmp(argp[i], "crl")) { if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret)); exit(1); } + for(i = 0; i < ncreds.d; i++) { + if((ret = gnutls_certificate_set_x509_crl_file(ncreds.b[i]->creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { + flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret)); + exit(1); + } + } } else if(!strcmp(argp[i], "port")) { port = atoi(argv[i]); + } else if(!strcmp(argp[i], "ncert")) { + bufadd(ncreds, readncreds(argv[i])); + } else if(!strcmp(argp[i], "ncertdir")) { + readncdir(&ncreds, argv[i]); } else { flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]); exit(1); @@ -304,10 +469,12 @@ void handlegnussl(int argc, char **argp, char **argv) flog(LOG_ERR, "could not listen on IPv6 port (port %i): %s", port, strerror(errno)); exit(1); } + bufadd(ncreds, NULL); omalloc(pd); pd->fd = fd; pd->sport = port; pd->creds = creds; + pd->ncreds = ncreds.b; mustart(listenloop, pd); if((fd = listensock6(port)) < 0) { if(errno != EADDRINUSE) {