};
struct sslport {
- int fd;
- int sport;
+ int fd, sport, clreq;
gnutls_certificate_credentials_t creds;
gnutls_priority_t ciphers;
struct namedcreds **ncreds;
struct sslconn *ssl = conn->pdata;
struct sockaddr_storage sa;
socklen_t salen;
+ gnutls_datum_t sessid;
+ char *esessid;
headappheader(req, "X-Ash-Address", formathaddress((struct sockaddr *)&ssl->name, sizeof(sa)));
if(ssl->name.ss_family == AF_INET)
headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, sizeof(sa)));
headappheader(req, "X-Ash-Server-Port", sprintf3("%i", ssl->port->sport));
headappheader(req, "X-Ash-Protocol", "https");
+ if(gnutls_session_get_id2(ssl->sess, &sessid) == GNUTLS_E_SUCCESS) {
+ esessid = base64encode((void *)sessid.data, sessid.size);
+ headappheader(req, "X-Ash-TLS-Session", esessid);
+ free(esessid);
+ }
+ return(0);
+}
+
+static int setcreds(gnutls_session_t sess)
+{
+ int i, o, u;
+ struct sslport *pd;
+ unsigned int ntype;
+ char nambuf[256];
+ size_t namlen;
+
+ pd = gnutls_session_get_ptr(sess);
+ for(i = 0; 1; i++) {
+ namlen = sizeof(nambuf);
+ if(gnutls_server_name_get(sess, nambuf, &namlen, &ntype, i) != 0)
+ break;
+ if(ntype != GNUTLS_NAME_DNS)
+ continue;
+ for(o = 0; pd->ncreds[o] != NULL; o++) {
+ for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) {
+ if(!strcmp(pd->ncreds[o]->names[u], nambuf)) {
+ gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds);
+ if(pd->clreq)
+ gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
+ return(0);
+ }
+ }
+ }
+ }
+ gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
+ if(pd->clreq)
+ gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
return(0);
}
struct sslconn ssl;
gnutls_session_t sess;
int ret;
-
- int setcreds(gnutls_session_t sess)
- {
- int i, o, u;
- unsigned int ntype;
- char nambuf[256];
- size_t namlen;
-
- for(i = 0; 1; i++) {
- namlen = sizeof(nambuf);
- if(gnutls_server_name_get(sess, nambuf, &namlen, &ntype, i) != 0)
- break;
- if(ntype != GNUTLS_NAME_DNS)
- continue;
- for(o = 0; pd->ncreds[o] != NULL; o++) {
- for(u = 0; pd->ncreds[o]->names[u] != NULL; u++) {
- if(!strcmp(pd->ncreds[o]->names[u], nambuf)) {
- gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds);
- gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
- return(0);
- }
- }
- }
- }
- gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->creds);
- gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
- return(0);
- }
numconn++;
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
gnutls_db_set_store_function(sess, sessdbstore);
gnutls_db_set_remove_function(sess, sessdbdel);
gnutls_db_set_ptr(sess, NULL);
+ gnutls_session_set_ptr(sess, pd);
gnutls_handshake_set_post_client_hello_function(sess, setcreds);
gnutls_transport_set_ptr(sess, (gnutls_transport_ptr_t)(intptr_t)fd);
while((ret = gnutls_handshake(sess)) != 0) {
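Review bot: setcreds discards the return value of gnutls_credentials_set on both the SNI-matched path and the default path, so if attaching the credentials fails the post-client-hello callback still returns 0 and the handshake continues without a server certificate, failing later with a much less diagnosable error; since a non-zero return from this callback aborts the handshake, add `int ret;` to the locals and propagate it, e.g. `if((ret = gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, pd->ncreds[o]->creds)) != 0) return(ret);` and the same for the `pd->creds` call. The SNI match uses strcmp, so a client sending the hostname in a different letter case from the configured name silently falls through to the default credentials; DNS names are case-insensitive, so strcasecmp is the safer comparison unless the configured names are normalised somewhere I cannot see. Note also that GNUTLS_CERT_REQUEST only asks the client for a certificate and does not fail the handshake when none is presented, so any enforcement or peer verification has to happen after the handshake, outside this hunk. The header-appending function at the top of the hunk and the handshake loop at the bottom both start or continue outside it.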
for(i = 0, p = NULL; i < sizeof(headers) / sizeof(*headers); i++) {
f = memmem(pem->b, pem->d, headers[i], strlen(headers[i]));
- if((p == NULL) || (f < p))
+ if((f != NULL) && ((p == NULL) || (f < p)))
p = f;
}
if(p == NULL)
bufadd(*ret, crt);
for(i = 0, p2 = NULL; i < sizeof(headers) / sizeof(*headers); i++) {
f = memmem(p + 1, pem->d - (p + 1 - pem->b), headers[i], strlen(headers[i]));
- if((p2 == NULL) || (f < p2))
+ if((f != NULL) && ((p2 == NULL) || (f < p2)))
p2 = f;
}
} while((p = p2) != NULL);
void handlegnussl(int argc, char **argp, char **argv)
{
- int i, ret, port, fd;
+ int i, ret, port, fd, clreq;
gnutls_certificate_credentials_t creds;
gnutls_priority_t ciphers;
gnutls_x509_privkey_t defkey;
init();
port = 443;
+ clreq = 0;
bufinit(ncreds);
bufinit(ncertf);
bufinit(ncertd);
exit(1);
}
}
+ clreq = 1;
} else if(!strcmp(argp[i], "crl")) {
if((ret = gnutls_certificate_set_x509_crl_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
flog(LOG_ERR, "ssl: could not load CRL file `%s': %s", argv[i], gnutls_strerror(ret));
exit(1);
}
}
+ clreq = 1;
} else if(!strcmp(argp[i], "port")) {
port = atoi(argv[i]);
} else if(!strcmp(argp[i], "ncert")) {
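Review bot: `clreq = 1;` at the end of the `crl` branch turns on client-certificate requests when only a CRL has been configured, yet a CRL without a trust anchor cannot validate any presented certificate, so a `crl`-only configuration will request certificates it can never accept. If the branch preceding this one, whose option name is cut off above the hunk, is the CA/trust-file option, consider setting `clreq` only there and rejecting a `crl` option given without it, e.g. by logging `ssl: crl given without trust file` and exiting as the other option errors do; I cannot confirm that branch's purpose from here. handlegnussl starts and ends outside this hunk.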
omalloc(pd);
pd->fd = fd;
pd->sport = port;
+ pd->clreq = clreq;
pd->creds = creds;
pd->ncreds = ncreds.b;
pd->ciphers = ciphers;