2 ashd - A Sane HTTP Daemon
3 Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include <sys/socket.h>
22 #include <arpa/inet.h>
36 #include <openssl/ssl.h>
37 #include <openssl/err.h>
48 struct sockaddr *name;
52 static int tlsblock(int fd, int err, int to)
54 if(err == SSL_ERROR_WANT_READ) {
55 if(block(fd, EV_READ, to) <= 0)
58 } else if(err == SSL_ERROR_WANT_WRITE) {
59 if(block(fd, EV_WRITE, to) <= 0)
67 static ssize_t sslread(void *cookie, void *buf, size_t len)
69 struct sslconn *sdat = cookie;
75 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
76 if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
79 err = SSL_get_error(sdat->ssl, ret);
80 if(err == SSL_ERROR_ZERO_RETURN) {
82 } else if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
83 if(tlsblock(sdat->fd, err, 60)) {
88 if(err != SSL_ERROR_SYSCALL)
99 static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
101 struct sslconn *sdat = cookie;
107 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
108 if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
111 err = SSL_get_error(sdat->ssl, ret);
112 if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
113 if(tlsblock(sdat->fd, err, 60)) {
118 if(err != SSL_ERROR_SYSCALL)
129 static int sslclose(void *cookie)
134 static struct bufioops iofuns = {
140 static int initreq(struct conn *conn, struct hthead *req)
142 struct sslconn *sdat = conn->pdata;
143 struct sockaddr_storage sa;
146 headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
147 if(sdat->name->sa_family == AF_INET)
148 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
149 else if(sdat->name->sa_family == AF_INET6)
150 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
152 if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
153 headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
154 headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
155 headappheader(req, "X-Ash-Protocol", "https");
159 static void servessl(struct muth *muth, va_list args)
162 vavar(struct sockaddr_storage, name);
163 vavar(struct sslport *, pd);
169 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
170 ssl = SSL_new(pd->ctx);
172 while((ret = SSL_accept(ssl)) <= 0) {
173 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
176 memset(&conn, 0, sizeof(conn));
177 memset(&sdat, 0, sizeof(sdat));
179 conn.initreq = initreq;
183 sdat.name = (struct sockaddr *)&name;
184 sdat.namelen = sizeof(name);
185 serve(bioopen(&sdat, &iofuns), fd, &conn);
186 while((ret = SSL_shutdown(ssl)) < 0) {
187 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
195 static void listenloop(struct muth *muth, va_list args)
197 vavar(struct sslport *, pd);
199 struct sockaddr_storage name;
202 fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
204 namelen = sizeof(name);
205 if(block(pd->fd, EV_READ, 0) == 0)
207 for(n = 0; n < 100; n++) {
208 if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
211 if(errno == ECONNABORTED)
213 flog(LOG_ERR, "accept: %s", strerror(errno));
216 mustart(servessl, ns, name, pd);
223 for(i = 0; i < listeners.d; i++) {
224 if(listeners.b[i] == muth)
225 bufdel(listeners, i);
229 void handleossl(int argc, char **argp, char **argv)
233 char *crtfile, *keyfile;
236 ctx = SSL_CTX_new(TLS_server_method());
238 flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
242 for(i = 0; i < argc; i++) {
243 if(!strcmp(argp[i], "help")) {
244 printf("ssl handler parameters:\n");
245 printf("\tcert=CERT-FILE [mandatory]\n");
246 printf("\t\tThe name of the file to read the certificate from.\n");
247 printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
248 printf("\t\tThe name of the file to read the private key from.\n");
249 printf("\tport=PORT [443]\n");
250 printf("\t\tThe TCP port to listen on.\n");
252 } else if(!strcmp(argp[i], "cert")) {
254 } else if(!strcmp(argp[i], "key")) {
256 } else if(!strcmp(argp[i], "port")) {
257 port = atoi(argv[i]);
259 flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
263 if(crtfile == NULL) {
264 flog(LOG_ERR, "ssl: needs certificate file at the very least");
269 if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
270 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
273 if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
274 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
277 if(!SSL_CTX_check_private_key(ctx)) {
278 flog(LOG_ERR, "ssl: key and certificate do not match");
281 if((fd = listensock6(port)) < 0) {
282 flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
289 bufadd(listeners, mustart(listenloop, pd));
290 if((fd = listensock4(port)) < 0) {
291 if(errno != EADDRINUSE) {
292 flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
300 bufadd(listeners, mustart(listenloop, pd));