2 ashd - A Sane HTTP Daemon
3 Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/socket.h>
23 #include <netinet/in.h>
24 #include <arpa/inet.h>
40 #include <openssl/ssl.h>
41 #include <openssl/err.h>
52 struct sockaddr *name;
56 static int tlsblock(int fd, int err, int to)
58 if(err == SSL_ERROR_WANT_READ) {
59 if(block(fd, EV_READ, to) <= 0)
62 } else if(err == SSL_ERROR_WANT_WRITE) {
63 if(block(fd, EV_WRITE, to) <= 0)
71 static ssize_t sslread(void *cookie, void *buf, size_t len)
73 struct sslconn *sdat = cookie;
79 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
80 if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
83 err = SSL_get_error(sdat->ssl, ret);
84 if(err == SSL_ERROR_ZERO_RETURN) {
86 } else if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
87 if(tlsblock(sdat->fd, err, 60)) {
92 if(err != SSL_ERROR_SYSCALL)
103 static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
105 struct sslconn *sdat = cookie;
111 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
112 if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
115 err = SSL_get_error(sdat->ssl, ret);
116 if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
117 if(tlsblock(sdat->fd, err, 60)) {
122 if(err != SSL_ERROR_SYSCALL)
133 static int sslclose(void *cookie)
138 static struct bufioops iofuns = {
144 static int initreq(struct conn *conn, struct hthead *req)
146 struct sslconn *sdat = conn->pdata;
147 struct sockaddr_storage sa;
150 headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
151 if(sdat->name->sa_family == AF_INET)
152 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
153 else if(sdat->name->sa_family == AF_INET6)
154 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
156 if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
157 headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
158 headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
159 headappheader(req, "X-Ash-Protocol", "https");
163 static void servessl(struct muth *muth, va_list args)
166 vavar(struct sockaddr_storage, name);
167 vavar(struct sslport *, pd);
173 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
174 ssl = SSL_new(pd->ctx);
176 while((ret = SSL_accept(ssl)) <= 0) {
177 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
180 memset(&conn, 0, sizeof(conn));
181 memset(&sdat, 0, sizeof(sdat));
183 conn.initreq = initreq;
187 sdat.name = (struct sockaddr *)&name;
188 sdat.namelen = sizeof(name);
189 serve(bioopen(&sdat, &iofuns), fd, &conn);
190 while((ret = SSL_shutdown(ssl)) < 0) {
191 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
199 static void listenloop(struct muth *muth, va_list args)
201 vavar(struct sslport *, pd);
203 struct sockaddr_storage name;
206 fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
208 namelen = sizeof(name);
209 if(block(pd->fd, EV_READ, 0) == 0)
211 for(n = 0; n < 100; n++) {
212 if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
215 if(errno == ECONNABORTED)
217 flog(LOG_ERR, "accept: %s", strerror(errno));
220 mustart(servessl, ns, name, pd);
227 for(i = 0; i < listeners.d; i++) {
228 if(listeners.b[i] == muth)
229 bufdel(listeners, i);
233 void handleossl(int argc, char **argp, char **argv)
237 char *crtfile, *keyfile;
240 ctx = SSL_CTX_new(TLS_server_method());
242 flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
246 for(i = 0; i < argc; i++) {
247 if(!strcmp(argp[i], "help")) {
248 printf("ssl handler parameters:\n");
249 printf("\tcert=CERT-FILE [mandatory]\n");
250 printf("\t\tThe name of the file to read the certificate from.\n");
251 printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
252 printf("\t\tThe name of the file to read the private key from.\n");
253 printf("\tport=PORT [443]\n");
254 printf("\t\tThe TCP port to listen on.\n");
256 } else if(!strcmp(argp[i], "cert")) {
258 } else if(!strcmp(argp[i], "key")) {
260 } else if(!strcmp(argp[i], "port")) {
261 port = atoi(argv[i]);
263 flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
267 if(crtfile == NULL) {
268 flog(LOG_ERR, "ssl: needs certificate file at the very least");
273 if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
274 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
277 if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
278 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
281 if(!SSL_CTX_check_private_key(ctx)) {
282 flog(LOG_ERR, "ssl: key and certificate do not match");
285 if((fd = listensock6(port)) < 0) {
286 flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
293 bufadd(listeners, mustart(listenloop, pd));
294 if((fd = listensock4(port)) < 0) {
295 if(errno != EADDRINUSE) {
296 flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
304 bufadd(listeners, mustart(listenloop, pd));
Dolda2000 GitWeb / ashd.git / blob