search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
doc update
[gnutls.git] / src / serv.c
blob3541fbd52b23b23dfad4dbb205e27f14f39d9f72
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2001,2002 Paul Sheer
4 * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * GnuTLS is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GnuTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* This server is heavily modified for GnuTLS by Nikos Mavrogiannopoulos
23 * (which means it is quite unreadable)
24 */
25
26 #include <config.h>
27
28 #include "common.h"
29 #include "serv-args.h"
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <errno.h>
33 #include <sys/types.h>
34 #include <string.h>
35 #include <gnutls/gnutls.h>
36 #include <gnutls/dtls.h>
37 #include <gnutls/openpgp.h>
38 #include <sys/time.h>
39 #include <sys/select.h>
40 #include <fcntl.h>
41 #include <list.h>
42 #include <netdb.h>
43 #include <unistd.h>
44 #include <socket.h>
45
46 /* Gnulib portability files. */
47 #include "progname.h"
48 #include "version-etc.h"
49 #include "read-file.h"
50 #include "minmax.h"
51 #include "sockets.h"
52 #include "udp-serv.h"
53
54 /* konqueror cannot handle sending the page in multiple
55 * pieces.
56 */
57 /* global stuff */
58 static int generate = 0;
59 static int http = 0;
60 static int x509ctype;
61 static int debug = 0;
62
63 unsigned int verbose = 1;
64 static int nodb;
65 static int noticket;
66 int require_cert;
67 int disable_client_cert;
68
69 const char *psk_passwd = NULL;
70 const char *srp_passwd = NULL;
71 const char *srp_passwd_conf = NULL;
72 const char *pgp_keyring = NULL;
73 const char *pgp_keyfile = NULL;
74 const char *pgp_certfile = NULL;
75 const char *x509_keyfile = NULL;
76 const char *x509_certfile = NULL;
77 const char *x509_dsakeyfile = NULL;
78 const char *x509_dsacertfile = NULL;
79 const char *x509_ecckeyfile = NULL;
80 const char *x509_ecccertfile = NULL;
81 const char *x509_cafile = NULL;
82 const char *dh_params_file = NULL;
83 const char *x509_crlfile = NULL;
84 const char * priorities = NULL;
85 const char * status_response_ocsp = NULL;
86
87 gnutls_datum_t session_ticket_key;
88 static void tcp_server (const char *name, int port);
89
90 /* end of globals */
91
92 /* This is a sample TCP echo server.
93 * This will behave as an http server if any argument in the
94 * command line is present
95 */
96
97 #define SMALL_READ_TEST (2147483647)
98
99 #define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
100
101 #define HTTP_END "</BODY></HTML>\n\n"
102
103 #define HTTP_UNIMPLEMENTED "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n<HR>\r\n</BODY></HTML>\r\n"
104 #define HTTP_OK "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
105
106 #define HTTP_BEGIN HTTP_OK \
107 "\n" \
108 "<HTML><BODY>\n" \
109 "<CENTER><H1>This is <a href=\"http://www.gnu.org/software/gnutls\">" \
110 "GnuTLS</a></H1></CENTER>\n\n"
111
112 /* These are global */
113 gnutls_srp_server_credentials_t srp_cred = NULL;
114 gnutls_psk_server_credentials_t psk_cred = NULL;
115 gnutls_anon_server_credentials_t dh_cred = NULL;
116 gnutls_certificate_credentials_t cert_cred = NULL;
117
118 const int ssl_session_cache = 128;
119
120 static void wrap_db_init (void);
121 static void wrap_db_deinit (void);
122 static int wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data);
123 static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key);
124 static int wrap_db_delete (void *dbf, gnutls_datum_t key);
125
126 static void cmd_parser (int argc, char **argv);
127
128
129 #define HTTP_STATE_REQUEST 1
130 #define HTTP_STATE_RESPONSE 2
131 #define HTTP_STATE_CLOSING 3
132
133 LIST_TYPE_DECLARE (listener_item, char *http_request;
134 char *http_response; int request_length;
135 int response_length; int response_written;
136 int http_state; int listen_socket;
137 int fd; gnutls_session_t tls_session; int handshake_ok;);
138
139 static const char *
140 safe_strerror (int value)
141 {
142 const char *ret = gnutls_strerror (value);
143 if (ret == NULL)
144 ret = str_unknown;
145 return ret;
146 }
147
148 static void
149 listener_free (listener_item * j)
150 {
151
152 free (j->http_request);
153 free (j->http_response);
154 if (j->fd >= 0)
155 {
156 gnutls_bye (j->tls_session, GNUTLS_SHUT_WR);
157 shutdown (j->fd, 2);
158 close (j->fd);
159 gnutls_deinit (j->tls_session);
160 }
161 }
162
163
164 /* we use primes up to 1024 in this server.
165 * otherwise we should add them here.
166 */
167
168 gnutls_dh_params_t dh_params = NULL;
169 gnutls_rsa_params_t rsa_params = NULL;
170
171 static int
172 generate_dh_primes (void)
173 {
174 int prime_bits =
175 gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
176
177 if (gnutls_dh_params_init (&dh_params) < 0)
178 {
179 fprintf (stderr, "Error in dh parameter initialization\n");
180 exit (1);
181 }
182
183 /* Generate Diffie-Hellman parameters - for use with DHE
184 * kx algorithms. These should be discarded and regenerated
185 * once a week or once a month. Depends on the
186 * security requirements.
187 */
188 printf
189 ("Generating Diffie-Hellman parameters [%d]. Please wait...\n",
190 prime_bits);
191 fflush (stdout);
192
193 if (gnutls_dh_params_generate2 (dh_params, prime_bits) < 0)
194 {
195 fprintf (stderr, "Error in prime generation\n");
196 exit (1);
197 }
198
199 return 0;
200 }
201
202 static void
203 read_dh_params (void)
204 {
205 char tmpdata[2048];
206 int size;
207 gnutls_datum_t params;
208 FILE *fd;
209
210 if (gnutls_dh_params_init (&dh_params) < 0)
211 {
212 fprintf (stderr, "Error in dh parameter initialization\n");
213 exit (1);
214 }
215
216 /* read the params file
217 */
218 fd = fopen (dh_params_file, "r");
219 if (fd == NULL)
220 {
221 fprintf (stderr, "Could not open %s\n", dh_params_file);
222 exit (1);
223 }
224
225 size = fread (tmpdata, 1, sizeof (tmpdata) - 1, fd);
226 tmpdata[size] = 0;
227 fclose (fd);
228
229 params.data = (unsigned char *) tmpdata;
230 params.size = size;
231
232 size =
233 gnutls_dh_params_import_pkcs3 (dh_params, &params, GNUTLS_X509_FMT_PEM);
234
235 if (size < 0)
236 {
237 fprintf (stderr, "Error parsing dh params: %s\n", safe_strerror (size));
238 exit (1);
239 }
240
241 printf ("Read Diffie-Hellman parameters.\n");
242 fflush (stdout);
243
244 }
245
246 static char pkcs3[] =
247 "-----BEGIN DH PARAMETERS-----\n"
248 "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
249 "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
250 "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
251 "-----END DH PARAMETERS-----\n";
252
253 static int
254 static_dh_params (void)
255 {
256 gnutls_datum_t params = { (void *) pkcs3, sizeof (pkcs3) };
257 int ret;
258
259 if (gnutls_dh_params_init (&dh_params) < 0)
260 {
261 fprintf (stderr, "Error in dh parameter initialization\n");
262 exit (1);
263 }
264
265 ret = gnutls_dh_params_import_pkcs3 (dh_params, &params,
266 GNUTLS_X509_FMT_PEM);
267
268 if (ret < 0)
269 {
270 fprintf (stderr, "Error parsing dh params: %s\n", safe_strerror (ret));
271 exit (1);
272 }
273
274 printf ("Set static Diffie-Hellman parameters, consider --dhparams.\n");
275
276 return 0;
277 }
278
279 static int
280 get_params (gnutls_session_t session, gnutls_params_type_t type,
281 gnutls_params_st * st)
282 {
283
284 if (type == GNUTLS_PARAMS_RSA_EXPORT)
285 {
286 if (rsa_params == NULL)
287 return -1;
288 st->params.rsa_export = rsa_params;
289 }
290 else if (type == GNUTLS_PARAMS_DH)
291 {
292 if (dh_params == NULL)
293 return -1;
294 st->params.dh = dh_params;
295 }
296 else
297 return -1;
298
299 st->type = type;
300 st->deinit = 0;
301
302 return 0;
303 }
304
305 static int
306 generate_rsa_params (void)
307 {
308 if (gnutls_rsa_params_init (&rsa_params) < 0)
309 {
310 fprintf (stderr, "Error in rsa parameter initialization\n");
311 exit (1);
312 }
313
314 /* Generate RSA parameters - for use with RSA-export
315 * cipher suites. These should be discarded and regenerated
316 * once a day, once every 500 transactions etc. Depends on the
317 * security requirements.
318 */
319 printf ("Generating temporary RSA parameters. Please wait...\n");
320 fflush (stdout);
321
322 if (gnutls_rsa_params_generate2 (rsa_params, 512) < 0)
323 {
324 fprintf (stderr, "Error in rsa parameter generation\n");
325 exit (1);
326 }
327
328 return 0;
329 }
330
331 LIST_DECLARE_INIT (listener_list, listener_item, listener_free);
332
333 gnutls_session_t initialize_session (int dtls)
334 {
335 gnutls_session_t session;
336 int ret;
337 const char *err;
338
339 if (priorities == NULL)
340 priorities = "NORMAL";
341
342 if (dtls)
343 gnutls_init (&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
344 else
345 gnutls_init (&session, GNUTLS_SERVER);
346
347 /* allow the use of private ciphersuites.
348 */
349 gnutls_handshake_set_private_extensions (session, 1);
350
351 if (nodb == 0)
352 {
353 gnutls_db_set_retrieve_function (session, wrap_db_fetch);
354 gnutls_db_set_remove_function (session, wrap_db_delete);
355 gnutls_db_set_store_function (session, wrap_db_store);
356 gnutls_db_set_ptr (session, NULL);
357 }
358 #ifdef ENABLE_SESSION_TICKET
359 if (noticket == 0)
360 gnutls_session_ticket_enable_server (session, &session_ticket_key);
361 #endif
362
363
364 if (noticket == 0)
365 gnutls_session_ticket_enable_server (session, &session_ticket_key);
366
367 if (gnutls_priority_set_direct (session, priorities, &err) < 0)
368 {
369 fprintf (stderr, "Syntax error at: %s\n", err);
370 exit (1);
371 }
372
373 gnutls_credentials_set (session, GNUTLS_CRD_ANON, dh_cred);
374
375 if (srp_cred != NULL)
376 gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
377
378 if (psk_cred != NULL)
379 gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
380
381 if (cert_cred != NULL)
382 gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
383
384 if (disable_client_cert)
385 gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
386 else
387 {
388 if (require_cert)
389 gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
390 else
391 gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
392 }
393
394 if (HAVE_OPT (HEARTBEAT))
395 gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
396
397 if (HAVE_OPT (SRTP_PROFILES))
398 {
399 ret = gnutls_srtp_set_profile_direct (session, OPT_ARG(SRTP_PROFILES), &err);
400 if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
401 else
402 fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret));
403 exit (1);
404 }
405
406 return session;
407 }
408
409 #include <gnutls/x509.h>
410
411 static const char DEFAULT_DATA[] =
412 "This is the default message reported by the GnuTLS implementation. "
413 "For more information please visit "
414 "<a href=\"http://www.gnutls.org/\">http://www.gnutls.org/</a>.";
415
416 /* Creates html with the current session information.
417 */
418 #define tmp_buffer &http_buffer[strlen(http_buffer)]
419 #define tmp_buffer_size len-strlen(http_buffer)
420 static char *
421 peer_print_info (gnutls_session_t session, int *ret_length,
422 const char *header)
423 {
424 const char *tmp;
425 unsigned char sesid[32];
426 size_t i, sesid_size;
427 char *http_buffer;
428 gnutls_kx_algorithm_t kx_alg;
429 size_t len = 20 * 1024 + strlen (header);
430 char *crtinfo = NULL;
431 size_t ncrtinfo = 0;
432
433 if (verbose == 0)
434 {
435 http_buffer = malloc (len);
436 if (http_buffer == NULL)
437 return NULL;
438
439 strcpy (http_buffer, HTTP_BEGIN);
440 strcpy (&http_buffer[sizeof (HTTP_BEGIN) - 1], DEFAULT_DATA);
441 strcpy (&http_buffer[sizeof (HTTP_BEGIN) + sizeof (DEFAULT_DATA) - 2],
442 HTTP_END);
443 *ret_length =
444 sizeof (DEFAULT_DATA) + sizeof (HTTP_BEGIN) + sizeof (HTTP_END) - 3;
445 return http_buffer;
446 }
447
448 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509)
449 {
450 const gnutls_datum_t *cert_list;
451 unsigned int cert_list_size = 0;
452
453 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
454
455 for (i = 0; i < cert_list_size; i++)
456 {
457 gnutls_x509_crt_t cert;
458 gnutls_datum_t info;
459
460 if (gnutls_x509_crt_init (&cert) == 0 &&
461 gnutls_x509_crt_import (cert, &cert_list[i],
462 GNUTLS_X509_FMT_DER) == 0 &&
463 gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_FULL, &info) == 0)
464 {
465 const char *post = "</PRE><P><PRE>";
466
467 crtinfo = realloc (crtinfo, ncrtinfo + info.size +
468 strlen (post) + 1);
469 if (crtinfo == NULL)
470 return NULL;
471 memcpy (crtinfo + ncrtinfo, info.data, info.size);
472 ncrtinfo += info.size;
473 memcpy (crtinfo + ncrtinfo, post, strlen (post));
474 ncrtinfo += strlen (post);
475 crtinfo[ncrtinfo] = '\0';
476 gnutls_free (info.data);
477 }
478 }
479 }
480
481 http_buffer = malloc (len);
482 if (http_buffer == NULL)
483 {
484 free (crtinfo);
485 return NULL;
486 }
487
488 strcpy (http_buffer, HTTP_BEGIN);
489
490 /* print session_id */
491 sesid_size = sizeof(sesid);
492 gnutls_session_get_id (session, sesid, &sesid_size);
493 snprintf (tmp_buffer, tmp_buffer_size, "\n<p>Session ID: <i>");
494 for (i = 0; i < sesid_size; i++)
495 snprintf (tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]);
496 snprintf (tmp_buffer, tmp_buffer_size, "</i></p>\n");
497 snprintf (tmp_buffer, tmp_buffer_size,
498 "<h5>If your browser supports session resuming, then you should see the "
499 "same session ID, when you press the <b>reload</b> button.</h5>\n");
500
501 /* Here unlike print_info() we use the kx algorithm to distinguish
502 * the functions to call.
503 */
504 {
505 char dns[256];
506 size_t dns_size = sizeof (dns);
507 unsigned int type;
508
509 if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
510 {
511 snprintf (tmp_buffer, tmp_buffer_size, "\n<p>Server Name: %s</p>\n",
512 dns);
513 }
514
515 }
516
517 kx_alg = gnutls_kx_get (session);
518
519 /* print srp specific data */
520 #ifdef ENABLE_SRP
521 if (kx_alg == GNUTLS_KX_SRP)
522 {
523 snprintf (tmp_buffer, tmp_buffer_size,
524 "<p>Connected as user '%s'.</p>\n",
525 gnutls_srp_server_get_username (session));
526 }
527 #endif
528
529 #ifdef ENABLE_PSK
530 if (kx_alg == GNUTLS_KX_PSK)
531 {
532 snprintf (tmp_buffer, tmp_buffer_size,
533 "<p>Connected as user '%s'.</p>\n",
534 gnutls_psk_server_get_username (session));
535 }
536 #endif
537
538 #ifdef ENABLE_ANON
539 if (kx_alg == GNUTLS_KX_ANON_DH)
540 {
541 snprintf (tmp_buffer, tmp_buffer_size,
542 "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
543 gnutls_dh_get_prime_bits (session));
544 }
545 #endif
546
547 if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
548 {
549 snprintf (tmp_buffer, tmp_buffer_size,
550 "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
551 gnutls_dh_get_prime_bits (session));
552 }
553
554 /* print session information */
555 strcat (http_buffer, "<P>\n");
556
557 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
558 if (tmp == NULL)
559 tmp = str_unknown;
560 snprintf (tmp_buffer, tmp_buffer_size,
561 "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
562 tmp);
563
564 if (gnutls_auth_get_type (session) == GNUTLS_CRD_CERTIFICATE)
565 {
566 tmp =
567 gnutls_certificate_type_get_name (gnutls_certificate_type_get
568 (session));
569 if (tmp == NULL)
570 tmp = str_unknown;
571 snprintf (tmp_buffer, tmp_buffer_size,
572 "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
573 }
574
575 tmp = gnutls_kx_get_name (kx_alg);
576 if (tmp == NULL)
577 tmp = str_unknown;
578 snprintf (tmp_buffer, tmp_buffer_size,
579 "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
580
581 tmp = gnutls_compression_get_name (gnutls_compression_get (session));
582 if (tmp == NULL)
583 tmp = str_unknown;
584 snprintf (tmp_buffer, tmp_buffer_size,
585 "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
586
587 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
588 if (tmp == NULL)
589 tmp = str_unknown;
590 snprintf (tmp_buffer, tmp_buffer_size,
591 "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
592
593 tmp = gnutls_mac_get_name (gnutls_mac_get (session));
594 if (tmp == NULL)
595 tmp = str_unknown;
596 snprintf (tmp_buffer, tmp_buffer_size, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n",
597 tmp);
598
599 tmp = gnutls_cipher_suite_get_name (kx_alg,
600 gnutls_cipher_get (session),
601 gnutls_mac_get (session));
602 if (tmp == NULL)
603 tmp = str_unknown;
604 snprintf (tmp_buffer, tmp_buffer_size,
605 "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", tmp);
606
607 if (crtinfo)
608 {
609 snprintf (tmp_buffer, tmp_buffer_size, "<hr><PRE>%s\n</PRE>\n",
610 crtinfo);
611 free (crtinfo);
612 }
613
614 snprintf (tmp_buffer, tmp_buffer_size,
615 "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END,
616 header);
617
618 *ret_length = strlen (http_buffer);
619
620 return http_buffer;
621 }
622
623 const char *
624 human_addr (const struct sockaddr *sa, socklen_t salen,
625 char *buf, size_t buflen)
626 {
627 const char *save_buf = buf;
628 size_t l;
629
630 if (!buf || !buflen)
631 return NULL;
632
633 *buf = '\0';
634
635 switch (sa->sa_family)
636 {
637 #if HAVE_IPV6
638 case AF_INET6:
639 snprintf (buf, buflen, "IPv6 ");
640 break;
641 #endif
642
643 case AF_INET:
644 snprintf (buf, buflen, "IPv4 ");
645 break;
646 }
647
648 l = strlen (buf);
649 buf += l;
650 buflen -= l;
651
652 if (getnameinfo (sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) != 0)
653 return NULL;
654
655 l = strlen (buf);
656 buf += l;
657 buflen -= l;
658
659 strncat (buf, " port ", buflen);
660
661 l = strlen (buf);
662 buf += l;
663 buflen -= l;
664
665 if (getnameinfo (sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) != 0)
666 return NULL;
667
668 return save_buf;
669 }
670
671 int
672 wait_for_connection (void)
673 {
674 listener_item *j;
675 fd_set rd, wr;
676 int n, sock = -1;
677
678 FD_ZERO (&rd);
679 FD_ZERO (&wr);
680 n = 0;
681
682 lloopstart (listener_list, j)
683 {
684 if (j->listen_socket)
685 {
686 FD_SET (j->fd, &rd);
687 n = MAX (n, j->fd);
688 }
689 }
690 lloopend (listener_list, j);
691
692 /* waiting part */
693 n = select (n + 1, &rd, &wr, NULL, NULL);
694 if (n == -1 && errno == EINTR)
695 return -1;
696 if (n < 0)
697 {
698 perror ("select()");
699 exit (1);
700 }
701
702 /* find which one is ready */
703 lloopstart (listener_list, j)
704 {
705 /* a new connection has arrived */
706 if (FD_ISSET (j->fd, &rd) && j->listen_socket)
707 {
708 sock = j->fd;
709 break;
710 }
711 }
712 lloopend (listener_list, j);
713 return sock;
714 }
715
716 int
717 listen_socket (const char *name, int listen_port, int socktype)
718 {
719 struct addrinfo hints, *res, *ptr;
720 char portname[6];
721 int s;
722 int yes;
723 listener_item *j = NULL;
724
725 snprintf (portname, sizeof (portname), "%d", listen_port);
726 memset (&hints, 0, sizeof (hints));
727 hints.ai_socktype = socktype;
728 hints.ai_flags = AI_PASSIVE
729 #ifdef AI_ADDRCONFIG
730 | AI_ADDRCONFIG
731 #endif
732 ;
733
734 if ((s = getaddrinfo (NULL, portname, &hints, &res)) != 0)
735 {
736 fprintf (stderr, "getaddrinfo() failed: %s\n", gai_strerror (s));
737 return -1;
738 }
739
740 for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
741 {
742 #ifndef HAVE_IPV6
743 if (ptr->ai_family != AF_INET)
744 continue;
745 #endif
746
747 /* Print what we are doing. */
748 {
749 char topbuf[512];
750
751 fprintf (stderr, "%s listening on %s...",
752 name, human_addr (ptr->ai_addr, ptr->ai_addrlen,
753 topbuf, sizeof (topbuf)));
754 }
755
756 if ((s = socket (ptr->ai_family, ptr->ai_socktype,
757 ptr->ai_protocol)) < 0)
758 {
759 perror ("socket() failed");
760 continue;
761 }
762
763 #if defined(HAVE_IPV6) && !defined(_WIN32)
764 if (ptr->ai_family == AF_INET6)
765 {
766 yes = 1;
767 /* avoid listen on ipv6 addresses failing
768 * because already listening on ipv4 addresses: */
769 setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY,
770 (const void *) &yes, sizeof (yes));
771 }
772 #endif
773
774 if (socktype == SOCK_STREAM)
775 {
776 yes = 1;
777 if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR,
778 (const void *) &yes, sizeof (yes)) < 0)
779 {
780 perror ("setsockopt() failed");
781 close (s);
782 continue;
783 }
784 }
785 else
786 {
787 #if defined(IP_DONTFRAG)
788 yes = 1;
789 if (setsockopt (s, IPPROTO_IP, IP_DONTFRAG,
790 (const void *) &yes, sizeof (yes)) < 0)
791 perror ("setsockopt(IP_DF) failed");
792 #elif defined(IP_MTU_DISCOVER)
793 yes = IP_PMTUDISC_DO;
794 if (setsockopt (s, IPPROTO_IP, IP_MTU_DISCOVER,
795 (const void *) &yes, sizeof (yes)) < 0)
796 perror ("setsockopt(IP_DF) failed");
797 #endif
798 }
799
800 if (bind (s, ptr->ai_addr, ptr->ai_addrlen) < 0)
801 {
802 perror ("bind() failed");
803 close (s);
804 continue;
805 }
806
807 if (socktype == SOCK_STREAM)
808 {
809 if (listen (s, 10) < 0)
810 {
811 perror ("listen() failed");
812 exit (1);
813 }
814 }
815
816 /* new list entry for the connection */
817 lappend (listener_list);
818 j = listener_list.tail;
819 j->listen_socket = 1;
820 j->fd = s;
821
822 /* Complete earlier message. */
823 fprintf (stderr, "done\n");
824 }
825
826 fflush (stderr);
827
828 freeaddrinfo (res);
829
830 return s;
831 }
832
833 /* strips \r\n from the end of the string
834 */
835 static void
836 strip (char *data)
837 {
838 int i;
839 int len = strlen (data);
840
841 for (i = 0; i < len; i++)
842 {
843 if (data[i] == '\r' && data[i + 1] == '\n' && data[i + 1] == 0)
844 {
845 data[i] = '\n';
846 data[i + 1] = 0;
847 break;
848 }
849 }
850 }
851
852 static void
853 get_response (gnutls_session_t session, char *request,
854 char **response, int *response_length)
855 {
856 char *p, *h;
857
858 if (http != 0)
859 {
860 if (strncmp (request, "GET ", 4))
861 goto unimplemented;
862
863 if (!(h = strchr (request, '\n')))
864 goto unimplemented;
865
866 *h++ = '\0';
867 while (*h == '\r' || *h == '\n')
868 h++;
869
870 if (!(p = strchr (request + 4, ' ')))
871 goto unimplemented;
872 *p = '\0';
873 }
874 /* *response = peer_print_info(session, request+4, h, response_length); */
875 if (http != 0)
876 {
877 *response = peer_print_info (session, response_length, h);
878 }
879 else
880 {
881 strip (request);
882 fprintf (stderr, "received: %s\n", request);
883 if (check_command (session, request))
884 {
885 *response = NULL;
886 *response_length = 0;
887 return;
888 }
889 *response = strdup (request);
890 *response_length = ((*response) ? strlen (*response) : 0);
891 }
892
893 return;
894
895 unimplemented:
896 *response = strdup (HTTP_UNIMPLEMENTED);
897 *response_length = ((*response) ? strlen (*response) : 0);
898 }
899
900 static void terminate (int sig) __attribute__ ((noreturn));
901
902 static void
903 terminate (int sig)
904 {
905 fprintf (stderr, "Exiting via signal %d\n", sig);
906 exit (1);
907 }
908
909
910 static void
911 check_alert (gnutls_session_t session, int ret)
912 {
913 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
914 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
915 {
916 int last_alert = gnutls_alert_get (session);
917 if (last_alert == GNUTLS_A_NO_RENEGOTIATION &&
918 ret == GNUTLS_E_WARNING_ALERT_RECEIVED)
919 printf
920 ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n");
921 else
922 printf ("* Received alert '%d': %s.\n", last_alert,
923 gnutls_alert_get_name (last_alert));
924 }
925 }
926
927 static void
928 tls_log_func (int level, const char *str)
929 {
930 fprintf (stderr, "|<%d>| %s", level, str);
931 }
932
933 static void
934 tls_audit_log_func (gnutls_session_t session, const char *str)
935 {
936 fprintf (stderr, "|<%p>| %s", session, str);
937 }
938
939 int
940 main (int argc, char **argv)
941 {
942 int ret, mtu, port;
943 char name[256];
944
945 set_program_name (argv[0]);
946 cmd_parser (argc, argv);
947
948 #ifndef _WIN32
949 signal (SIGHUP, SIG_IGN);
950 signal (SIGTERM, terminate);
951 if (signal (SIGINT, terminate) == SIG_IGN)
952 signal (SIGINT, SIG_IGN); /* e.g. background process */
953 #endif
954
955 sockets_init ();
956
957 if (nodb == 0)
958 wrap_db_init ();
959
960 if (HAVE_OPT (UDP))
961 strcpy (name, "UDP ");
962 else
963 name[0] = 0;
964
965 if (http == 1)
966 {
967 strcat (name, "HTTP Server");
968 }
969 else
970 {
971 strcat (name, "Echo Server");
972 }
973
974 gnutls_global_set_log_function (tls_log_func);
975 gnutls_global_set_audit_log_function (tls_audit_log_func);
976 gnutls_global_set_log_level (debug);
977
978 if ((ret = gnutls_global_init ()) < 0)
979 {
980 fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
981 exit (1);
982 }
983
984 #ifdef ENABLE_PKCS11
985 pkcs11_common ();
986 #endif
987
988 /* Note that servers must generate parameters for
989 * Diffie-Hellman. See gnutls_dh_params_generate(), and
990 * gnutls_dh_params_set().
991 */
992 if (generate != 0)
993 {
994 generate_rsa_params ();
995 generate_dh_primes ();
996 }
997 else if (dh_params_file)
998 {
999 read_dh_params ();
1000 }
1001 else
1002 {
1003 static_dh_params ();
1004 }
1005
1006 if (gnutls_certificate_allocate_credentials (&cert_cred) < 0)
1007 {
1008 fprintf (stderr, "memory error\n");
1009 exit (1);
1010 }
1011
1012 if (x509_cafile != NULL)
1013 {
1014 if ((ret = gnutls_certificate_set_x509_trust_file
1015 (cert_cred, x509_cafile, x509ctype)) < 0)
1016 {
1017 fprintf (stderr, "Error reading '%s'\n", x509_cafile);
1018 GERR (ret);
1019 exit (1);
1020 }
1021 else
1022 {
1023 printf ("Processed %d CA certificate(s).\n", ret);
1024 }
1025 }
1026 if (x509_crlfile != NULL)
1027 {
1028 if ((ret = gnutls_certificate_set_x509_crl_file
1029 (cert_cred, x509_crlfile, x509ctype)) < 0)
1030 {
1031 fprintf (stderr, "Error reading '%s'\n", x509_crlfile);
1032 GERR (ret);
1033 exit (1);
1034 }
1035 else
1036 {
1037 printf ("Processed %d CRL(s).\n", ret);
1038 }
1039 }
1040
1041 #ifdef ENABLE_OPENPGP
1042 if (pgp_keyring != NULL)
1043 {
1044 ret =
1045 gnutls_certificate_set_openpgp_keyring_file (cert_cred, pgp_keyring,
1046 GNUTLS_OPENPGP_FMT_BASE64);
1047 if (ret < 0)
1048 {
1049 fprintf (stderr, "Error setting the OpenPGP keyring file\n");
1050 GERR (ret);
1051 }
1052 }
1053
1054 if (HAVE_OPT (PGPCERTFILE))
1055 {
1056 if (HAVE_OPT (PGPSUBKEY))
1057 ret = gnutls_certificate_set_openpgp_key_file2
1058 (cert_cred, pgp_certfile, pgp_keyfile, OPT_ARG (PGPSUBKEY),
1059 GNUTLS_OPENPGP_FMT_BASE64);
1060 else
1061 ret = gnutls_certificate_set_openpgp_key_file
1062 (cert_cred, pgp_certfile, pgp_keyfile, GNUTLS_OPENPGP_FMT_BASE64);
1063
1064 if (ret < 0)
1065 {
1066 fprintf (stderr,
1067 "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
1068 ret, pgp_certfile, pgp_keyfile);
1069 GERR (ret);
1070 }
1071 }
1072 #endif
1073
1074 if (x509_certfile != NULL)
1075 if ((ret = gnutls_certificate_set_x509_key_file
1076 (cert_cred, x509_certfile, x509_keyfile, x509ctype)) < 0)
1077 {
1078 fprintf (stderr,
1079 "Error reading '%s' or '%s'\n", x509_certfile, x509_keyfile);
1080 GERR (ret);
1081 exit (1);
1082 }
1083
1084 if (x509_dsacertfile != NULL)
1085 if ((ret = gnutls_certificate_set_x509_key_file
1086 (cert_cred, x509_dsacertfile, x509_dsakeyfile, x509ctype)) < 0)
1087 {
1088 fprintf (stderr, "Error reading '%s' or '%s'\n",
1089 x509_dsacertfile, x509_dsakeyfile);
1090 GERR (ret);
1091 exit (1);
1092 }
1093
1094 if (x509_ecccertfile != NULL)
1095 if ((ret = gnutls_certificate_set_x509_key_file
1096 (cert_cred, x509_ecccertfile, x509_ecckeyfile, x509ctype)) < 0)
1097 {
1098 fprintf (stderr, "Error reading '%s' or '%s'\n",
1099 x509_ecccertfile, x509_ecckeyfile);
1100 GERR (ret);
1101 exit (1);
1102 }
1103
1104 /* OCSP status-request TLS extension */
1105 if (status_response_ocsp)
1106 {
1107 if (gnutls_certificate_set_ocsp_status_request_file (cert_cred, status_response_ocsp, 0) < 0)
1108 {
1109 fprintf (stderr, "Cannot set OCSP status request file: %s\n", gnutls_strerror(ret));
1110 exit (1);
1111 }
1112 }
1113
1114 gnutls_certificate_set_params_function (cert_cred, get_params);
1115 /* gnutls_certificate_set_dh_params(cert_cred, dh_params);
1116 * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
1117 */
1118
1119 /* this is a password file (created with the included srpcrypt utility)
1120 * Read README.crypt prior to using SRP.
1121 */
1122 #ifdef ENABLE_SRP
1123 if (srp_passwd != NULL)
1124 {
1125 gnutls_srp_allocate_server_credentials (&srp_cred);
1126
1127 if ((ret =
1128 gnutls_srp_set_server_credentials_file (srp_cred, srp_passwd,
1129 srp_passwd_conf)) < 0)
1130 {
1131 /* only exit is this function is not disabled
1132 */
1133 fprintf (stderr, "Error while setting SRP parameters\n");
1134 GERR (ret);
1135 }
1136 }
1137 #endif
1138
1139 /* this is a password file
1140 */
1141 #ifdef ENABLE_PSK
1142 if (psk_passwd != NULL)
1143 {
1144 gnutls_psk_allocate_server_credentials (&psk_cred);
1145
1146 if ((ret =
1147 gnutls_psk_set_server_credentials_file (psk_cred, psk_passwd)) < 0)
1148 {
1149 /* only exit is this function is not disabled
1150 */
1151 fprintf (stderr, "Error while setting PSK parameters\n");
1152 GERR (ret);
1153 }
1154
1155 if (HAVE_OPT (PSKHINT))
1156 {
1157 ret = gnutls_psk_set_server_credentials_hint (psk_cred,
1158 OPT_ARG (PSKHINT));
1159 if (ret)
1160 {
1161 fprintf (stderr, "Error setting PSK identity hint.\n");
1162 GERR (ret);
1163 }
1164 }
1165
1166 gnutls_psk_set_server_params_function (psk_cred, get_params);
1167 }
1168 #endif
1169
1170 #ifdef ENABLE_ANON
1171 gnutls_anon_allocate_server_credentials (&dh_cred);
1172 gnutls_anon_set_server_params_function (dh_cred, get_params);
1173
1174 /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
1175 #endif
1176
1177 #ifdef ENABLE_SESSION_TICKET
1178 if (noticket == 0)
1179 gnutls_session_ticket_key_generate (&session_ticket_key);
1180 #endif
1181
1182 if (HAVE_OPT (MTU))
1183 mtu = OPT_VALUE_MTU;
1184 else
1185 mtu = 1300;
1186
1187 if (HAVE_OPT (PORT))
1188 port = OPT_VALUE_PORT;
1189 else
1190 port = 5556;
1191
1192 if (HAVE_OPT (UDP))
1193 udp_server (name, port, mtu);
1194 else
1195 tcp_server (name, port);
1196 }
1197
1198 static void
1199 tcp_server (const char *name, int port)
1200 {
1201 int n, s;
1202 char topbuf[512];
1203 int accept_fd;
1204 struct sockaddr_storage client_address;
1205 socklen_t calen;
1206
1207 s = listen_socket (name, port, SOCK_STREAM);
1208 if (s < 0)
1209 exit (1);
1210
1211 for (;;)
1212 {
1213 listener_item *j;
1214 fd_set rd, wr;
1215 #ifndef _WIN32
1216 int val;
1217 #endif
1218
1219 FD_ZERO (&rd);
1220 FD_ZERO (&wr);
1221 n = 0;
1222
1223 /* flag which connections we are reading or writing to within the fd sets */
1224 lloopstart (listener_list, j)
1225 {
1226
1227 #ifndef _WIN32
1228 val = fcntl (j->fd, F_GETFL, 0);
1229 if ((val == -1) || (fcntl (j->fd, F_SETFL, val | O_NONBLOCK) < 0))
1230 {
1231 perror ("fcntl()");
1232 exit (1);
1233 }
1234 #endif
1235
1236 if (j->listen_socket)
1237 {
1238 FD_SET (j->fd, &rd);
1239 n = MAX (n, j->fd);
1240 }
1241 if (j->http_state == HTTP_STATE_REQUEST)
1242 {
1243 FD_SET (j->fd, &rd);
1244 n = MAX (n, j->fd);
1245 }
1246 if (j->http_state == HTTP_STATE_RESPONSE)
1247 {
1248 FD_SET (j->fd, &wr);
1249 n = MAX (n, j->fd);
1250 }
1251 }
1252 lloopend (listener_list, j);
1253
1254 /* core operation */
1255 n = select (n + 1, &rd, &wr, NULL, NULL);
1256 if (n == -1 && errno == EINTR)
1257 continue;
1258 if (n < 0)
1259 {
1260 perror ("select()");
1261 exit (1);
1262 }
1263
1264 /* read or write to each connection as indicated by select()'s return argument */
1265 lloopstart (listener_list, j)
1266 {
1267
1268 /* a new connection has arrived */
1269 if (FD_ISSET (j->fd, &rd) && j->listen_socket)
1270 {
1271 gnutls_session_t tls_session;
1272
1273 tls_session = initialize_session (0);
1274
1275 calen = sizeof (client_address);
1276 memset (&client_address, 0, calen);
1277 accept_fd = accept (j->fd, (struct sockaddr *) &client_address,
1278 &calen);
1279
1280 if (accept_fd < 0)
1281 {
1282 perror ("accept()");
1283 }
1284 else
1285 {
1286 time_t tt;
1287 char *ctt;
1288
1289 /* new list entry for the connection */
1290 lappend (listener_list);
1291 j = listener_list.tail;
1292 j->http_request = (char *) strdup ("");
1293 j->http_state = HTTP_STATE_REQUEST;
1294 j->fd = accept_fd;
1295
1296 j->tls_session = tls_session;
1297 gnutls_transport_set_ptr (tls_session,
1298 (gnutls_transport_ptr_t)
1299 gl_fd_to_handle (accept_fd));
1300 j->handshake_ok = 0;
1301
1302 if (verbose != 0)
1303 {
1304 tt = time (0);
1305 ctt = ctime (&tt);
1306 ctt[strlen (ctt) - 1] = 0;
1307
1308 printf ("\n* Accepted connection from %s on %s\n",
1309 human_addr ((struct sockaddr *)
1310 &client_address, calen, topbuf,
1311 sizeof (topbuf)), ctt);
1312 }
1313 }
1314 }
1315
1316 if (FD_ISSET (j->fd, &rd) && !j->listen_socket)
1317 {
1318 /* read partial GET request */
1319 char buf[1024];
1320 int r, ret;
1321
1322 if (j->handshake_ok == 0)
1323 {
1324 r = gnutls_handshake (j->tls_session);
1325 if (r < 0 && gnutls_error_is_fatal (r) == 0)
1326 {
1327 check_alert (j->tls_session, r);
1328 /* nothing */
1329 }
1330 else if (r < 0 && gnutls_error_is_fatal (r) == 1)
1331 {
1332 check_alert (j->tls_session, r);
1333 fprintf (stderr, "Error in handshake\n");
1334 GERR (r);
1335
1336 do
1337 {
1338 ret =
1339 gnutls_alert_send_appropriate (j->tls_session, r);
1340 }
1341 while (ret == GNUTLS_E_AGAIN
1342 || ret == GNUTLS_E_INTERRUPTED);
1343 j->http_state = HTTP_STATE_CLOSING;
1344 }
1345 else if (r == 0)
1346 {
1347 if (gnutls_session_is_resumed (j->tls_session) != 0
1348 && verbose != 0)
1349 printf ("*** This is a resumed session\n");
1350
1351 if (verbose != 0)
1352 {
1353 printf ("\n* Successful handshake from %s\n",
1354 human_addr ((struct sockaddr *)
1355 &client_address, calen, topbuf,
1356 sizeof (topbuf)));
1357 print_info (j->tls_session, verbose, verbose);
1358 if (gnutls_auth_get_type (j->tls_session) ==
1359 GNUTLS_CRD_CERTIFICATE)
1360 cert_verify (j->tls_session, NULL);
1361 }
1362 j->handshake_ok = 1;
1363 }
1364 }
1365
1366 if (j->handshake_ok == 1)
1367 {
1368 r = gnutls_record_recv (j->tls_session, buf,
1369 MIN (1024, SMALL_READ_TEST));
1370 if (r == GNUTLS_E_HEARTBEAT_PING_RECEIVED)
1371 {
1372 gnutls_heartbeat_pong(j->tls_session, 0);
1373 }
1374 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN)
1375 {
1376 /* do nothing */
1377 }
1378 else if (r <= 0)
1379 {
1380 if (r == GNUTLS_E_REHANDSHAKE)
1381 {
1382 fprintf (stderr, "*** Received hello message\n");
1383 do
1384 {
1385 r = gnutls_handshake (j->tls_session);
1386 }
1387 while (r == GNUTLS_E_INTERRUPTED
1388 || r == GNUTLS_E_AGAIN);
1389
1390 if (r < 0)
1391 {
1392 do
1393 {
1394 ret = gnutls_alert_send_appropriate
1395 (j->tls_session, r);
1396 }
1397 while (ret == GNUTLS_E_AGAIN
1398 || ret == GNUTLS_E_INTERRUPTED);
1399
1400 GERR (r);
1401 j->http_state = HTTP_STATE_CLOSING;
1402 }
1403 }
1404 else
1405 {
1406 if (r < 0)
1407 {
1408 if (r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
1409 {
1410 j->http_state = HTTP_STATE_CLOSING;
1411 check_alert (j->tls_session, r);
1412 fprintf (stderr,
1413 "Error while receiving data\n");
1414 GERR (r);
1415 }
1416 }
1417 }
1418 }
1419 else
1420 {
1421 j->http_request =
1422 realloc (j->http_request, j->request_length + r + 1);
1423 if (j->http_request != NULL)
1424 {
1425 memcpy (j->http_request + j->request_length, buf, r);
1426 j->request_length += r;
1427 j->http_request[j->request_length] = '\0';
1428 }
1429 else
1430 j->http_state = HTTP_STATE_CLOSING;
1431
1432 }
1433 /* check if we have a full HTTP header */
1434
1435 j->http_response = NULL;
1436 if (j->http_request != NULL)
1437 {
1438 if ((http == 0 && strchr (j->http_request, '\n'))
1439 || strstr (j->http_request, "\r\n\r\n")
1440 || strstr (j->http_request, "\n\n"))
1441 {
1442 get_response (j->tls_session, j->http_request,
1443 &j->http_response, &j->response_length);
1444 j->http_state = HTTP_STATE_RESPONSE;
1445 j->response_written = 0;
1446 }
1447 }
1448 }
1449 }
1450 if (FD_ISSET (j->fd, &wr))
1451 {
1452 /* write partial response request */
1453 int r;
1454
1455 if (j->handshake_ok == 0)
1456 {
1457 r = gnutls_handshake (j->tls_session);
1458 if (r < 0 && gnutls_error_is_fatal (r) == 0)
1459 {
1460 check_alert (j->tls_session, r);
1461 /* nothing */
1462 }
1463 else if (r < 0 && gnutls_error_is_fatal (r) == 1)
1464 {
1465 int ret;
1466
1467 j->http_state = HTTP_STATE_CLOSING;
1468 check_alert (j->tls_session, r);
1469 fprintf (stderr, "Error in handshake\n");
1470 GERR (r);
1471
1472 do
1473 {
1474 ret =
1475 gnutls_alert_send_appropriate (j->tls_session, r);
1476 }
1477 while (ret == GNUTLS_E_AGAIN);
1478 }
1479 else if (r == 0)
1480 {
1481 if (gnutls_session_is_resumed (j->tls_session) != 0
1482 && verbose != 0)
1483 printf ("*** This is a resumed session\n");
1484 if (verbose != 0)
1485 {
1486 printf ("- connection from %s\n",
1487 human_addr ((struct sockaddr *)
1488 &client_address, calen, topbuf,
1489 sizeof (topbuf)));
1490
1491 print_info (j->tls_session, verbose, verbose);
1492 if (gnutls_auth_get_type (j->tls_session) ==
1493 GNUTLS_CRD_CERTIFICATE)
1494 cert_verify (j->tls_session, NULL);
1495 }
1496 j->handshake_ok = 1;
1497 }
1498 }
1499
1500 if (j->handshake_ok == 1 && j->http_response != NULL)
1501 {
1502 /* FIXME if j->http_response == NULL? */
1503 r = gnutls_record_send (j->tls_session,
1504 j->http_response +
1505 j->response_written,
1506 MIN (j->response_length -
1507 j->response_written,
1508 SMALL_READ_TEST));
1509 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN)
1510 {
1511 /* do nothing */
1512 }
1513 else if (r <= 0)
1514 {
1515 if (http != 0)
1516 j->http_state = HTTP_STATE_CLOSING;
1517 else
1518 {
1519 j->http_state = HTTP_STATE_REQUEST;
1520 free (j->http_response);
1521 j->response_length = 0;
1522 j->request_length = 0;
1523 j->http_request[0] = 0;
1524 }
1525
1526 if (r < 0)
1527 {
1528 fprintf (stderr, "Error while sending data\n");
1529 GERR (r);
1530 }
1531 check_alert (j->tls_session, r);
1532 }
1533 else
1534 {
1535 j->response_written += r;
1536 /* check if we have written a complete response */
1537 if (j->response_written == j->response_length)
1538 {
1539 if (http != 0)
1540 j->http_state = HTTP_STATE_CLOSING;
1541 else
1542 {
1543 j->http_state = HTTP_STATE_REQUEST;
1544 free (j->http_response);
1545 j->response_length = 0;
1546 j->request_length = 0;
1547 j->http_request[0] = 0;
1548 }
1549 }
1550 }
1551 }
1552 else
1553 {
1554 j->request_length = 0;
1555 j->http_request[0] = 0;
1556 j->http_state = HTTP_STATE_REQUEST;
1557 }
1558 }
1559 }
1560 lloopend (listener_list, j);
1561
1562 /* loop through all connections, closing those that are in error */
1563 lloopstart (listener_list, j)
1564 {
1565 if (j->http_state == HTTP_STATE_CLOSING)
1566 {
1567 ldeleteinc (listener_list, j);
1568 }
1569 }
1570 lloopend (listener_list, j);
1571 }
1572
1573
1574 gnutls_certificate_free_credentials (cert_cred);
1575
1576 #ifdef ENABLE_SRP
1577 if (srp_cred)
1578 gnutls_srp_free_server_credentials (srp_cred);
1579 #endif
1580
1581 #ifdef ENABLE_PSK
1582 if (psk_cred)
1583 gnutls_psk_free_server_credentials (psk_cred);
1584 #endif
1585
1586 #ifdef ENABLE_ANON
1587 gnutls_anon_free_server_credentials (dh_cred);
1588 #endif
1589
1590 #ifdef ENABLE_SESSION_TICKET
1591 if (noticket == 0)
1592 gnutls_free (session_ticket_key.data);
1593 #endif
1594
1595 if (nodb == 0)
1596 wrap_db_deinit ();
1597 gnutls_global_deinit ();
1598
1599 }
1600
1601 static void
1602 cmd_parser (int argc, char **argv)
1603 {
1604 optionProcess (&gnutls_servOptions, argc, argv);
1605
1606 disable_client_cert = HAVE_OPT (DISABLE_CLIENT_CERT);
1607 require_cert = HAVE_OPT (REQUIRE_CLIENT_CERT);
1608 if (HAVE_OPT (DEBUG))
1609 debug = OPT_VALUE_DEBUG;
1610
1611 if (HAVE_OPT (QUIET))
1612 verbose = 0;
1613
1614 if (HAVE_OPT (PRIORITY))
1615 priorities = OPT_ARG (PRIORITY);
1616
1617 if (HAVE_OPT (LIST))
1618 {
1619 print_list (priorities, verbose);
1620 exit (0);
1621 }
1622
1623 nodb = HAVE_OPT (NODB);
1624 noticket = HAVE_OPT (NOTICKET);
1625
1626 if (HAVE_OPT (ECHO))
1627 http = 0;
1628 else
1629 http = 1;
1630
1631 if (HAVE_OPT (X509FMTDER))
1632 x509ctype = GNUTLS_X509_FMT_DER;
1633 else
1634 x509ctype = GNUTLS_X509_FMT_PEM;
1635
1636 generate = HAVE_OPT (GENERATE);
1637
1638 if (HAVE_OPT (DHPARAMS))
1639 dh_params_file = OPT_ARG (DHPARAMS);
1640
1641 if (HAVE_OPT (X509KEYFILE))
1642 x509_keyfile = OPT_ARG (X509KEYFILE);
1643 if (HAVE_OPT (X509CERTFILE))
1644 x509_certfile = OPT_ARG (X509CERTFILE);
1645
1646 if (HAVE_OPT (X509DSAKEYFILE))
1647 x509_dsakeyfile = OPT_ARG (X509DSAKEYFILE);
1648 if (HAVE_OPT (X509DSACERTFILE))
1649 x509_dsacertfile = OPT_ARG (X509DSACERTFILE);
1650
1651
1652 if (HAVE_OPT (X509ECCKEYFILE))
1653 x509_ecckeyfile = OPT_ARG (X509ECCKEYFILE);
1654 if (HAVE_OPT (X509CERTFILE))
1655 x509_ecccertfile = OPT_ARG (X509ECCCERTFILE);
1656
1657 if (HAVE_OPT (X509CAFILE))
1658 x509_cafile = OPT_ARG (X509CAFILE);
1659 if (HAVE_OPT (X509CRLFILE))
1660 x509_crlfile = OPT_ARG (X509CRLFILE);
1661
1662 if (HAVE_OPT (PGPKEYFILE))
1663 pgp_keyfile = OPT_ARG (PGPKEYFILE);
1664 if (HAVE_OPT (PGPCERTFILE))
1665 pgp_certfile = OPT_ARG (PGPCERTFILE);
1666
1667 if (HAVE_OPT (PGPKEYRING))
1668 pgp_keyring = OPT_ARG (PGPKEYRING);
1669
1670 if (HAVE_OPT (SRPPASSWD))
1671 srp_passwd = OPT_ARG (SRPPASSWD);
1672 if (HAVE_OPT (SRPPASSWDCONF))
1673 srp_passwd_conf = OPT_ARG (SRPPASSWDCONF);
1674
1675 if (HAVE_OPT (PSKPASSWD))
1676 psk_passwd = OPT_ARG (PSKPASSWD);
1677
1678 if (HAVE_OPT(OCSP_RESPONSE))
1679 status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
1680
1681 }
1682
1683 /* session resuming support */
1684
1685 #define SESSION_ID_SIZE 32
1686 #define SESSION_DATA_SIZE 1024
1687
1688 typedef struct
1689 {
1690 char session_id[SESSION_ID_SIZE];
1691 unsigned int session_id_size;
1692
1693 char session_data[SESSION_DATA_SIZE];
1694 unsigned int session_data_size;
1695 } CACHE;
1696
1697 static CACHE *cache_db;
1698 int cache_db_ptr = 0;
1699
1700 static void
1701 wrap_db_init (void)
1702 {
1703 /* allocate cache_db */
1704 cache_db = calloc (1, ssl_session_cache * sizeof (CACHE));
1705 }
1706
1707 static void
1708 wrap_db_deinit (void)
1709 {
1710 }
1711
1712 static int
1713 wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data)
1714 {
1715
1716 if (cache_db == NULL)
1717 return -1;
1718
1719 if (key.size > SESSION_ID_SIZE)
1720 return -1;
1721 if (data.size > SESSION_DATA_SIZE)
1722 return -1;
1723
1724 memcpy (cache_db[cache_db_ptr].session_id, key.data, key.size);
1725 cache_db[cache_db_ptr].session_id_size = key.size;
1726
1727 memcpy (cache_db[cache_db_ptr].session_data, data.data, data.size);
1728 cache_db[cache_db_ptr].session_data_size = data.size;
1729
1730 cache_db_ptr++;
1731 cache_db_ptr %= ssl_session_cache;
1732
1733 return 0;
1734 }
1735
1736 static gnutls_datum_t
1737 wrap_db_fetch (void *dbf, gnutls_datum_t key)
1738 {
1739 gnutls_datum_t res = { NULL, 0 };
1740 int i;
1741
1742 if (cache_db == NULL)
1743 return res;
1744
1745 for (i = 0; i < ssl_session_cache; i++)
1746 {
1747 if (key.size == cache_db[i].session_id_size &&
1748 memcmp (key.data, cache_db[i].session_id, key.size) == 0)
1749 {
1750 res.size = cache_db[i].session_data_size;
1751
1752 res.data = gnutls_malloc (res.size);
1753 if (res.data == NULL)
1754 return res;
1755
1756 memcpy (res.data, cache_db[i].session_data, res.size);
1757
1758 return res;
1759 }
1760 }
1761 return res;
1762 }
1763
1764 static int
1765 wrap_db_delete (void *dbf, gnutls_datum_t key)
1766 {
1767 int i;
1768
1769 if (cache_db == NULL)
1770 return -1;
1771
1772 for (i = 0; i < ssl_session_cache; i++)
1773 {
1774 if (key.size == (unsigned int) cache_db[i].session_id_size &&
1775 memcmp (key.data, cache_db[i].session_id, key.size) == 0)
1776 {
1777
1778 cache_db[i].session_id_size = 0;
1779 cache_db[i].session_data_size = 0;
1780
1781 return 0;
1782 }
1783 }
1784
1785 return -1;
1786 }
Implementation of the SSL/TLS protocol