2 ashd - A Sane HTTP Daemon
3 Copyright (C) 2008 Fredrik Tolf <fredrik@dolda2000.com>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include <sys/socket.h>
22 #include <arpa/inet.h>
38 #include <openssl/ssl.h>
39 #include <openssl/err.h>
50 struct sockaddr *name;
54 static int tlsblock(int fd, int err, int to)
56 if(err == SSL_ERROR_WANT_READ) {
57 if(block(fd, EV_READ, to) <= 0)
60 } else if(err == SSL_ERROR_WANT_WRITE) {
61 if(block(fd, EV_WRITE, to) <= 0)
69 static ssize_t sslread(void *cookie, void *buf, size_t len)
71 struct sslconn *sdat = cookie;
77 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
78 if((ret = SSL_read(sdat->ssl, buf, nb)) <= 0) {
81 err = SSL_get_error(sdat->ssl, ret);
82 if(err == SSL_ERROR_ZERO_RETURN) {
84 } else if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
85 if(tlsblock(sdat->fd, err, 60)) {
90 if(err != SSL_ERROR_SYSCALL)
101 static ssize_t sslwrite(void *cookie, const void *buf, size_t len)
103 struct sslconn *sdat = cookie;
109 nb = ((len - off) > INT_MAX) ? INT_MAX : (len - off);
110 if((ret = SSL_write(sdat->ssl, buf, nb)) <= 0) {
113 err = SSL_get_error(sdat->ssl, ret);
114 if((err == SSL_ERROR_WANT_READ) || (err == SSL_ERROR_WANT_WRITE)) {
115 if(tlsblock(sdat->fd, err, 60)) {
120 if(err != SSL_ERROR_SYSCALL)
131 static int sslclose(void *cookie)
136 static struct bufioops iofuns = {
142 static int initreq(struct conn *conn, struct hthead *req)
144 struct sslconn *sdat = conn->pdata;
145 struct sockaddr_storage sa;
148 headappheader(req, "X-Ash-Address", formathaddress(sdat->name, sdat->namelen));
149 if(sdat->name->sa_family == AF_INET)
150 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in *)sdat->name)->sin_port)));
151 else if(sdat->name->sa_family == AF_INET6)
152 headappheader(req, "X-Ash-Port", sprintf3("%i", ntohs(((struct sockaddr_in6 *)sdat->name)->sin6_port)));
154 if(!getsockname(sdat->fd, (struct sockaddr *)&sa, &salen))
155 headappheader(req, "X-Ash-Server-Address", formathaddress((struct sockaddr *)&sa, salen));
156 headappheader(req, "X-Ash-Server-Port", sprintf3("%i", sdat->port->sport));
157 headappheader(req, "X-Ash-Protocol", "https");
161 static void servessl(struct muth *muth, va_list args)
164 vavar(struct sockaddr_storage, name);
165 vavar(struct sslport *, pd);
171 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
172 ssl = SSL_new(pd->ctx);
174 while((ret = SSL_accept(ssl)) <= 0) {
175 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
178 memset(&conn, 0, sizeof(conn));
179 memset(&sdat, 0, sizeof(sdat));
181 conn.initreq = initreq;
185 sdat.name = (struct sockaddr *)&name;
186 sdat.namelen = sizeof(name);
187 serve(bioopen(&sdat, &iofuns), fd, &conn);
188 while((ret = SSL_shutdown(ssl)) < 0) {
189 if(tlsblock(fd, SSL_get_error(ssl, ret), 60))
197 static void listenloop(struct muth *muth, va_list args)
199 vavar(struct sslport *, pd);
201 struct sockaddr_storage name;
204 fcntl(pd->fd, F_SETFL, fcntl(pd->fd, F_GETFL) | O_NONBLOCK);
206 namelen = sizeof(name);
207 if(block(pd->fd, EV_READ, 0) == 0)
209 for(n = 0; n < 100; n++) {
210 if((ns = accept(pd->fd, (struct sockaddr *)&name, &namelen)) < 0) {
213 if(errno == ECONNABORTED)
215 flog(LOG_ERR, "accept: %s", strerror(errno));
218 mustart(servessl, ns, name, pd);
225 for(i = 0; i < listeners.d; i++) {
226 if(listeners.b[i] == muth)
227 bufdel(listeners, i);
231 void handleossl(int argc, char **argp, char **argv)
235 char *crtfile, *keyfile;
238 ctx = SSL_CTX_new(TLS_server_method());
240 flog(LOG_ERR, "ssl: could not create context: %s", ERR_error_string(ERR_get_error(), NULL));
244 for(i = 0; i < argc; i++) {
245 if(!strcmp(argp[i], "help")) {
246 printf("ssl handler parameters:\n");
247 printf("\tcert=CERT-FILE [mandatory]\n");
248 printf("\t\tThe name of the file to read the certificate from.\n");
249 printf("\tkey=KEY-FILE [same as CERT-FILE]\n");
250 printf("\t\tThe name of the file to read the private key from.\n");
251 printf("\tport=PORT [443]\n");
252 printf("\t\tThe TCP port to listen on.\n");
254 } else if(!strcmp(argp[i], "cert")) {
256 } else if(!strcmp(argp[i], "key")) {
258 } else if(!strcmp(argp[i], "port")) {
259 port = atoi(argv[i]);
261 flog(LOG_ERR, "unknown parameter `%s' to ssl handler", argp[i]);
265 if(crtfile == NULL) {
266 flog(LOG_ERR, "ssl: needs certificate file at the very least");
271 if(SSL_CTX_use_certificate_file(ctx, crtfile, SSL_FILETYPE_PEM) <= 0) {
272 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
275 if(SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
276 flog(LOG_ERR, "ssl: could not load certificate: %s", ERR_error_string(ERR_get_error(), NULL));
279 if(!SSL_CTX_check_private_key(ctx)) {
280 flog(LOG_ERR, "ssl: key and certificate do not match");
283 if((fd = listensock6(port)) < 0) {
284 flog(LOG_ERR, "could not listen on IPv65 port (port %i): %s", port, strerror(errno));
291 bufadd(listeners, mustart(listenloop, pd));
292 if((fd = listensock4(port)) < 0) {
293 if(errno != EADDRINUSE) {
294 flog(LOG_ERR, "could not listen on IPv4 port (port %i): Is", port, strerror(errno));
302 bufadd(listeners, mustart(listenloop, pd));