search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
removed old flag
[gnutls.git] / src / serv.c
blob6be7a6d29c5ab7e038a36a8b990f19ea83a42ae6
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2001,2002 Paul Sheer
4 * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * GnuTLS is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GnuTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* This server is heavily modified for GnuTLS by Nikos Mavrogiannopoulos
23 * (which means it is quite unreadable)
24 */
25
26 #include <config.h>
27
28 #include "common.h"
29 #include "serv-args.h"
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <errno.h>
33 #include <sys/types.h>
34 #include <string.h>
35 #include <gnutls/gnutls.h>
36 #include <gnutls/dtls.h>
37 #include <gnutls/openpgp.h>
38 #include <sys/time.h>
39 #include <sys/select.h>
40 #include <fcntl.h>
41 #include <list.h>
42 #include <netdb.h>
43 #include <unistd.h>
44 #include <socket.h>
45
46 /* Gnulib portability files. */
47 #include "progname.h"
48 #include "version-etc.h"
49 #include "read-file.h"
50 #include "minmax.h"
51 #include "sockets.h"
52 #include "udp-serv.h"
53
54 /* konqueror cannot handle sending the page in multiple
55 * pieces.
56 */
57 /* global stuff */
58 static int generate = 0;
59 static int http = 0;
60 static int x509ctype;
61 static int debug = 0;
62
63 unsigned int verbose = 1;
64 static int nodb;
65 static int noticket;
66 int require_cert;
67 int disable_client_cert;
68
69 const char *psk_passwd = NULL;
70 const char *srp_passwd = NULL;
71 const char *srp_passwd_conf = NULL;
72 const char *pgp_keyring = NULL;
73 const char *pgp_keyfile = NULL;
74 const char *pgp_certfile = NULL;
75 const char *x509_keyfile = NULL;
76 const char *x509_certfile = NULL;
77 const char *x509_dsakeyfile = NULL;
78 const char *x509_dsacertfile = NULL;
79 const char *x509_ecckeyfile = NULL;
80 const char *x509_ecccertfile = NULL;
81 const char *x509_cafile = NULL;
82 const char *dh_params_file = NULL;
83 const char *x509_crlfile = NULL;
84 const char * priorities = NULL;
85 const char * status_response_ocsp = NULL;
86
87 gnutls_datum_t session_ticket_key;
88 static void tcp_server (const char *name, int port);
89
90 /* end of globals */
91
92 /* This is a sample TCP echo server.
93 * This will behave as an http server if any argument in the
94 * command line is present
95 */
96
97 #define SMALL_READ_TEST (2147483647)
98
99 #define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
100
101 #define HTTP_END "</BODY></HTML>\n\n"
102
103 #define HTTP_UNIMPLEMENTED "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n<HR>\r\n</BODY></HTML>\r\n"
104 #define HTTP_OK "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
105
106 #define HTTP_BEGIN HTTP_OK \
107 "\n" \
108 "<HTML><BODY>\n" \
109 "<CENTER><H1>This is <a href=\"http://www.gnu.org/software/gnutls\">" \
110 "GnuTLS</a></H1></CENTER>\n\n"
111
112 /* These are global */
113 gnutls_srp_server_credentials_t srp_cred = NULL;
114 gnutls_psk_server_credentials_t psk_cred = NULL;
115 gnutls_anon_server_credentials_t dh_cred = NULL;
116 gnutls_certificate_credentials_t cert_cred = NULL;
117
118 const int ssl_session_cache = 128;
119
120 static void wrap_db_init (void);
121 static void wrap_db_deinit (void);
122 static int wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data);
123 static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key);
124 static int wrap_db_delete (void *dbf, gnutls_datum_t key);
125
126 static void cmd_parser (int argc, char **argv);
127
128
129 #define HTTP_STATE_REQUEST 1
130 #define HTTP_STATE_RESPONSE 2
131 #define HTTP_STATE_CLOSING 3
132
133 LIST_TYPE_DECLARE (listener_item, char *http_request;
134 char *http_response; int request_length;
135 int response_length; int response_written;
136 int http_state; int listen_socket;
137 int fd; gnutls_session_t tls_session; int handshake_ok;);
138
139 static const char *
140 safe_strerror (int value)
141 {
142 const char *ret = gnutls_strerror (value);
143 if (ret == NULL)
144 ret = str_unknown;
145 return ret;
146 }
147
148 static void
149 listener_free (listener_item * j)
150 {
151
152 free (j->http_request);
153 free (j->http_response);
154 if (j->fd >= 0)
155 {
156 gnutls_bye (j->tls_session, GNUTLS_SHUT_WR);
157 shutdown (j->fd, 2);
158 close (j->fd);
159 gnutls_deinit (j->tls_session);
160 }
161 }
162
163
164 /* we use primes up to 1024 in this server.
165 * otherwise we should add them here.
166 */
167
168 gnutls_dh_params_t dh_params = NULL;
169 gnutls_rsa_params_t rsa_params = NULL;
170
171 static int
172 generate_dh_primes (void)
173 {
174 int prime_bits =
175 gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
176
177 if (gnutls_dh_params_init (&dh_params) < 0)
178 {
179 fprintf (stderr, "Error in dh parameter initialization\n");
180 exit (1);
181 }
182
183 /* Generate Diffie-Hellman parameters - for use with DHE
184 * kx algorithms. These should be discarded and regenerated
185 * once a week or once a month. Depends on the
186 * security requirements.
187 */
188 printf
189 ("Generating Diffie-Hellman parameters [%d]. Please wait...\n",
190 prime_bits);
191 fflush (stdout);
192
193 if (gnutls_dh_params_generate2 (dh_params, prime_bits) < 0)
194 {
195 fprintf (stderr, "Error in prime generation\n");
196 exit (1);
197 }
198
199 return 0;
200 }
201
202 static void
203 read_dh_params (void)
204 {
205 char tmpdata[2048];
206 int size;
207 gnutls_datum_t params;
208 FILE *fd;
209
210 if (gnutls_dh_params_init (&dh_params) < 0)
211 {
212 fprintf (stderr, "Error in dh parameter initialization\n");
213 exit (1);
214 }
215
216 /* read the params file
217 */
218 fd = fopen (dh_params_file, "r");
219 if (fd == NULL)
220 {
221 fprintf (stderr, "Could not open %s\n", dh_params_file);
222 exit (1);
223 }
224
225 size = fread (tmpdata, 1, sizeof (tmpdata) - 1, fd);
226 tmpdata[size] = 0;
227 fclose (fd);
228
229 params.data = (unsigned char *) tmpdata;
230 params.size = size;
231
232 size =
233 gnutls_dh_params_import_pkcs3 (dh_params, &params, GNUTLS_X509_FMT_PEM);
234
235 if (size < 0)
236 {
237 fprintf (stderr, "Error parsing dh params: %s\n", safe_strerror (size));
238 exit (1);
239 }
240
241 printf ("Read Diffie-Hellman parameters.\n");
242 fflush (stdout);
243
244 }
245
246 static char pkcs3[] =
247 "-----BEGIN DH PARAMETERS-----\n"
248 "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
249 "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
250 "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
251 "-----END DH PARAMETERS-----\n";
252
253 static int
254 static_dh_params (void)
255 {
256 gnutls_datum_t params = { (void *) pkcs3, sizeof (pkcs3) };
257 int ret;
258
259 if (gnutls_dh_params_init (&dh_params) < 0)
260 {
261 fprintf (stderr, "Error in dh parameter initialization\n");
262 exit (1);
263 }
264
265 ret = gnutls_dh_params_import_pkcs3 (dh_params, &params,
266 GNUTLS_X509_FMT_PEM);
267
268 if (ret < 0)
269 {
270 fprintf (stderr, "Error parsing dh params: %s\n", safe_strerror (ret));
271 exit (1);
272 }
273
274 printf ("Set static Diffie-Hellman parameters, consider --dhparams.\n");
275
276 return 0;
277 }
278
279 static int
280 get_params (gnutls_session_t session, gnutls_params_type_t type,
281 gnutls_params_st * st)
282 {
283
284 if (type == GNUTLS_PARAMS_RSA_EXPORT)
285 {
286 if (rsa_params == NULL)
287 return -1;
288 st->params.rsa_export = rsa_params;
289 }
290 else if (type == GNUTLS_PARAMS_DH)
291 {
292 if (dh_params == NULL)
293 return -1;
294 st->params.dh = dh_params;
295 }
296 else
297 return -1;
298
299 st->type = type;
300 st->deinit = 0;
301
302 return 0;
303 }
304
305 static int
306 generate_rsa_params (void)
307 {
308 if (gnutls_rsa_params_init (&rsa_params) < 0)
309 {
310 fprintf (stderr, "Error in rsa parameter initialization\n");
311 exit (1);
312 }
313
314 /* Generate RSA parameters - for use with RSA-export
315 * cipher suites. These should be discarded and regenerated
316 * once a day, once every 500 transactions etc. Depends on the
317 * security requirements.
318 */
319 printf ("Generating temporary RSA parameters. Please wait...\n");
320 fflush (stdout);
321
322 if (gnutls_rsa_params_generate2 (rsa_params, 512) < 0)
323 {
324 fprintf (stderr, "Error in rsa parameter generation\n");
325 exit (1);
326 }
327
328 return 0;
329 }
330
331 LIST_DECLARE_INIT (listener_list, listener_item, listener_free);
332
333 gnutls_session_t initialize_session (int dtls)
334 {
335 gnutls_session_t session;
336 const char *err;
337
338 if (priorities == NULL)
339 priorities = "NORMAL";
340
341 if (dtls)
342 gnutls_init (&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
343 else
344 gnutls_init (&session, GNUTLS_SERVER);
345
346 /* allow the use of private ciphersuites.
347 */
348 gnutls_handshake_set_private_extensions (session, 1);
349
350 if (nodb == 0)
351 {
352 gnutls_db_set_retrieve_function (session, wrap_db_fetch);
353 gnutls_db_set_remove_function (session, wrap_db_delete);
354 gnutls_db_set_store_function (session, wrap_db_store);
355 gnutls_db_set_ptr (session, NULL);
356 }
357 #ifdef ENABLE_SESSION_TICKET
358 if (noticket == 0)
359 gnutls_session_ticket_enable_server (session, &session_ticket_key);
360 #endif
361
362
363 if (noticket == 0)
364 gnutls_session_ticket_enable_server (session, &session_ticket_key);
365
366 if (gnutls_priority_set_direct (session, priorities, &err) < 0)
367 {
368 fprintf (stderr, "Syntax error at: %s\n", err);
369 exit (1);
370 }
371
372 gnutls_credentials_set (session, GNUTLS_CRD_ANON, dh_cred);
373
374 if (srp_cred != NULL)
375 gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
376
377 if (psk_cred != NULL)
378 gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
379
380 if (cert_cred != NULL)
381 gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
382
383 if (disable_client_cert)
384 gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
385 else
386 {
387 if (require_cert)
388 gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
389 else
390 gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
391 }
392
393 if (HAVE_OPT (HEARTBEAT))
394 gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
395
396 return session;
397 }
398
399 #include <gnutls/x509.h>
400
401 static const char DEFAULT_DATA[] =
402 "This is the default message reported by the GnuTLS implementation. "
403 "For more information please visit "
404 "<a href=\"http://www.gnutls.org/\">http://www.gnutls.org/</a>.";
405
406 /* Creates html with the current session information.
407 */
408 #define tmp_buffer &http_buffer[strlen(http_buffer)]
409 #define tmp_buffer_size len-strlen(http_buffer)
410 static char *
411 peer_print_info (gnutls_session_t session, int *ret_length,
412 const char *header)
413 {
414 const char *tmp;
415 unsigned char sesid[32];
416 size_t i, sesid_size;
417 char *http_buffer;
418 gnutls_kx_algorithm_t kx_alg;
419 size_t len = 20 * 1024 + strlen (header);
420 char *crtinfo = NULL;
421 size_t ncrtinfo = 0;
422
423 if (verbose == 0)
424 {
425 http_buffer = malloc (len);
426 if (http_buffer == NULL)
427 return NULL;
428
429 strcpy (http_buffer, HTTP_BEGIN);
430 strcpy (&http_buffer[sizeof (HTTP_BEGIN) - 1], DEFAULT_DATA);
431 strcpy (&http_buffer[sizeof (HTTP_BEGIN) + sizeof (DEFAULT_DATA) - 2],
432 HTTP_END);
433 *ret_length =
434 sizeof (DEFAULT_DATA) + sizeof (HTTP_BEGIN) + sizeof (HTTP_END) - 3;
435 return http_buffer;
436 }
437
438 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509)
439 {
440 const gnutls_datum_t *cert_list;
441 unsigned int cert_list_size = 0;
442
443 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
444
445 for (i = 0; i < cert_list_size; i++)
446 {
447 gnutls_x509_crt_t cert;
448 gnutls_datum_t info;
449
450 if (gnutls_x509_crt_init (&cert) == 0 &&
451 gnutls_x509_crt_import (cert, &cert_list[i],
452 GNUTLS_X509_FMT_DER) == 0 &&
453 gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_FULL, &info) == 0)
454 {
455 const char *post = "</PRE><P><PRE>";
456
457 crtinfo = realloc (crtinfo, ncrtinfo + info.size +
458 strlen (post) + 1);
459 if (crtinfo == NULL)
460 return NULL;
461 memcpy (crtinfo + ncrtinfo, info.data, info.size);
462 ncrtinfo += info.size;
463 memcpy (crtinfo + ncrtinfo, post, strlen (post));
464 ncrtinfo += strlen (post);
465 crtinfo[ncrtinfo] = '\0';
466 gnutls_free (info.data);
467 }
468 }
469 }
470
471 http_buffer = malloc (len);
472 if (http_buffer == NULL)
473 {
474 free (crtinfo);
475 return NULL;
476 }
477
478 strcpy (http_buffer, HTTP_BEGIN);
479
480 /* print session_id */
481 sesid_size = sizeof(sesid);
482 gnutls_session_get_id (session, sesid, &sesid_size);
483 snprintf (tmp_buffer, tmp_buffer_size, "\n<p>Session ID: <i>");
484 for (i = 0; i < sesid_size; i++)
485 snprintf (tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]);
486 snprintf (tmp_buffer, tmp_buffer_size, "</i></p>\n");
487 snprintf (tmp_buffer, tmp_buffer_size,
488 "<h5>If your browser supports session resuming, then you should see the "
489 "same session ID, when you press the <b>reload</b> button.</h5>\n");
490
491 /* Here unlike print_info() we use the kx algorithm to distinguish
492 * the functions to call.
493 */
494 {
495 char dns[256];
496 size_t dns_size = sizeof (dns);
497 unsigned int type;
498
499 if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
500 {
501 snprintf (tmp_buffer, tmp_buffer_size, "\n<p>Server Name: %s</p>\n",
502 dns);
503 }
504
505 }
506
507 kx_alg = gnutls_kx_get (session);
508
509 /* print srp specific data */
510 #ifdef ENABLE_SRP
511 if (kx_alg == GNUTLS_KX_SRP)
512 {
513 snprintf (tmp_buffer, tmp_buffer_size,
514 "<p>Connected as user '%s'.</p>\n",
515 gnutls_srp_server_get_username (session));
516 }
517 #endif
518
519 #ifdef ENABLE_PSK
520 if (kx_alg == GNUTLS_KX_PSK)
521 {
522 snprintf (tmp_buffer, tmp_buffer_size,
523 "<p>Connected as user '%s'.</p>\n",
524 gnutls_psk_server_get_username (session));
525 }
526 #endif
527
528 #ifdef ENABLE_ANON
529 if (kx_alg == GNUTLS_KX_ANON_DH)
530 {
531 snprintf (tmp_buffer, tmp_buffer_size,
532 "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
533 gnutls_dh_get_prime_bits (session));
534 }
535 #endif
536
537 if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
538 {
539 snprintf (tmp_buffer, tmp_buffer_size,
540 "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
541 gnutls_dh_get_prime_bits (session));
542 }
543
544 /* print session information */
545 strcat (http_buffer, "<P>\n");
546
547 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
548 if (tmp == NULL)
549 tmp = str_unknown;
550 snprintf (tmp_buffer, tmp_buffer_size,
551 "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
552 tmp);
553
554 if (gnutls_auth_get_type (session) == GNUTLS_CRD_CERTIFICATE)
555 {
556 tmp =
557 gnutls_certificate_type_get_name (gnutls_certificate_type_get
558 (session));
559 if (tmp == NULL)
560 tmp = str_unknown;
561 snprintf (tmp_buffer, tmp_buffer_size,
562 "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
563 }
564
565 tmp = gnutls_kx_get_name (kx_alg);
566 if (tmp == NULL)
567 tmp = str_unknown;
568 snprintf (tmp_buffer, tmp_buffer_size,
569 "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
570
571 tmp = gnutls_compression_get_name (gnutls_compression_get (session));
572 if (tmp == NULL)
573 tmp = str_unknown;
574 snprintf (tmp_buffer, tmp_buffer_size,
575 "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
576
577 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
578 if (tmp == NULL)
579 tmp = str_unknown;
580 snprintf (tmp_buffer, tmp_buffer_size,
581 "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
582
583 tmp = gnutls_mac_get_name (gnutls_mac_get (session));
584 if (tmp == NULL)
585 tmp = str_unknown;
586 snprintf (tmp_buffer, tmp_buffer_size, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n",
587 tmp);
588
589 tmp = gnutls_cipher_suite_get_name (kx_alg,
590 gnutls_cipher_get (session),
591 gnutls_mac_get (session));
592 if (tmp == NULL)
593 tmp = str_unknown;
594 snprintf (tmp_buffer, tmp_buffer_size,
595 "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", tmp);
596
597 if (crtinfo)
598 {
599 snprintf (tmp_buffer, tmp_buffer_size, "<hr><PRE>%s\n</PRE>\n",
600 crtinfo);
601 free (crtinfo);
602 }
603
604 snprintf (tmp_buffer, tmp_buffer_size,
605 "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END,
606 header);
607
608 *ret_length = strlen (http_buffer);
609
610 return http_buffer;
611 }
612
613 const char *
614 human_addr (const struct sockaddr *sa, socklen_t salen,
615 char *buf, size_t buflen)
616 {
617 const char *save_buf = buf;
618 size_t l;
619
620 if (!buf || !buflen)
621 return NULL;
622
623 *buf = '\0';
624
625 switch (sa->sa_family)
626 {
627 #if HAVE_IPV6
628 case AF_INET6:
629 snprintf (buf, buflen, "IPv6 ");
630 break;
631 #endif
632
633 case AF_INET:
634 snprintf (buf, buflen, "IPv4 ");
635 break;
636 }
637
638 l = strlen (buf);
639 buf += l;
640 buflen -= l;
641
642 if (getnameinfo (sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) != 0)
643 return NULL;
644
645 l = strlen (buf);
646 buf += l;
647 buflen -= l;
648
649 strncat (buf, " port ", buflen);
650
651 l = strlen (buf);
652 buf += l;
653 buflen -= l;
654
655 if (getnameinfo (sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) != 0)
656 return NULL;
657
658 return save_buf;
659 }
660
661 int
662 wait_for_connection (void)
663 {
664 listener_item *j;
665 fd_set rd, wr;
666 int n, sock = -1;
667
668 FD_ZERO (&rd);
669 FD_ZERO (&wr);
670 n = 0;
671
672 lloopstart (listener_list, j)
673 {
674 if (j->listen_socket)
675 {
676 FD_SET (j->fd, &rd);
677 n = MAX (n, j->fd);
678 }
679 }
680 lloopend (listener_list, j);
681
682 /* waiting part */
683 n = select (n + 1, &rd, &wr, NULL, NULL);
684 if (n == -1 && errno == EINTR)
685 return -1;
686 if (n < 0)
687 {
688 perror ("select()");
689 exit (1);
690 }
691
692 /* find which one is ready */
693 lloopstart (listener_list, j)
694 {
695 /* a new connection has arrived */
696 if (FD_ISSET (j->fd, &rd) && j->listen_socket)
697 {
698 sock = j->fd;
699 break;
700 }
701 }
702 lloopend (listener_list, j);
703 return sock;
704 }
705
706 int
707 listen_socket (const char *name, int listen_port, int socktype)
708 {
709 struct addrinfo hints, *res, *ptr;
710 char portname[6];
711 int s;
712 int yes;
713 listener_item *j = NULL;
714
715 snprintf (portname, sizeof (portname), "%d", listen_port);
716 memset (&hints, 0, sizeof (hints));
717 hints.ai_socktype = socktype;
718 hints.ai_flags = AI_PASSIVE
719 #ifdef AI_ADDRCONFIG
720 | AI_ADDRCONFIG
721 #endif
722 ;
723
724 if ((s = getaddrinfo (NULL, portname, &hints, &res)) != 0)
725 {
726 fprintf (stderr, "getaddrinfo() failed: %s\n", gai_strerror (s));
727 return -1;
728 }
729
730 for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
731 {
732 #ifndef HAVE_IPV6
733 if (ptr->ai_family != AF_INET)
734 continue;
735 #endif
736
737 /* Print what we are doing. */
738 {
739 char topbuf[512];
740
741 fprintf (stderr, "%s listening on %s...",
742 name, human_addr (ptr->ai_addr, ptr->ai_addrlen,
743 topbuf, sizeof (topbuf)));
744 }
745
746 if ((s = socket (ptr->ai_family, ptr->ai_socktype,
747 ptr->ai_protocol)) < 0)
748 {
749 perror ("socket() failed");
750 continue;
751 }
752
753 #if defined(HAVE_IPV6) && !defined(_WIN32)
754 if (ptr->ai_family == AF_INET6)
755 {
756 yes = 1;
757 /* avoid listen on ipv6 addresses failing
758 * because already listening on ipv4 addresses: */
759 setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY,
760 (const void *) &yes, sizeof (yes));
761 }
762 #endif
763
764 if (socktype == SOCK_STREAM)
765 {
766 yes = 1;
767 if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR,
768 (const void *) &yes, sizeof (yes)) < 0)
769 {
770 perror ("setsockopt() failed");
771 close (s);
772 continue;
773 }
774 }
775 else
776 {
777 #if defined(IP_DONTFRAG)
778 yes = 1;
779 if (setsockopt (s, IPPROTO_IP, IP_DONTFRAG,
780 (const void *) &yes, sizeof (yes)) < 0)
781 perror ("setsockopt(IP_DF) failed");
782 #elif defined(IP_MTU_DISCOVER)
783 yes = IP_PMTUDISC_DO;
784 if (setsockopt (s, IPPROTO_IP, IP_MTU_DISCOVER,
785 (const void *) &yes, sizeof (yes)) < 0)
786 perror ("setsockopt(IP_DF) failed");
787 #endif
788 }
789
790 if (bind (s, ptr->ai_addr, ptr->ai_addrlen) < 0)
791 {
792 perror ("bind() failed");
793 close (s);
794 continue;
795 }
796
797 if (socktype == SOCK_STREAM)
798 {
799 if (listen (s, 10) < 0)
800 {
801 perror ("listen() failed");
802 exit (1);
803 }
804 }
805
806 /* new list entry for the connection */
807 lappend (listener_list);
808 j = listener_list.tail;
809 j->listen_socket = 1;
810 j->fd = s;
811
812 /* Complete earlier message. */
813 fprintf (stderr, "done\n");
814 }
815
816 fflush (stderr);
817
818 freeaddrinfo (res);
819
820 return s;
821 }
822
823 /* strips \r\n from the end of the string
824 */
825 static void
826 strip (char *data)
827 {
828 int i;
829 int len = strlen (data);
830
831 for (i = 0; i < len; i++)
832 {
833 if (data[i] == '\r' && data[i + 1] == '\n' && data[i + 1] == 0)
834 {
835 data[i] = '\n';
836 data[i + 1] = 0;
837 break;
838 }
839 }
840 }
841
842 static void
843 get_response (gnutls_session_t session, char *request,
844 char **response, int *response_length)
845 {
846 char *p, *h;
847
848 if (http != 0)
849 {
850 if (strncmp (request, "GET ", 4))
851 goto unimplemented;
852
853 if (!(h = strchr (request, '\n')))
854 goto unimplemented;
855
856 *h++ = '\0';
857 while (*h == '\r' || *h == '\n')
858 h++;
859
860 if (!(p = strchr (request + 4, ' ')))
861 goto unimplemented;
862 *p = '\0';
863 }
864 /* *response = peer_print_info(session, request+4, h, response_length); */
865 if (http != 0)
866 {
867 *response = peer_print_info (session, response_length, h);
868 }
869 else
870 {
871 strip (request);
872 fprintf (stderr, "received: %s\n", request);
873 if (check_command (session, request))
874 {
875 *response = NULL;
876 *response_length = 0;
877 return;
878 }
879 *response = strdup (request);
880 *response_length = ((*response) ? strlen (*response) : 0);
881 }
882
883 return;
884
885 unimplemented:
886 *response = strdup (HTTP_UNIMPLEMENTED);
887 *response_length = ((*response) ? strlen (*response) : 0);
888 }
889
890 static void terminate (int sig) __attribute__ ((noreturn));
891
892 static void
893 terminate (int sig)
894 {
895 fprintf (stderr, "Exiting via signal %d\n", sig);
896 exit (1);
897 }
898
899
900 static void
901 check_alert (gnutls_session_t session, int ret)
902 {
903 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
904 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
905 {
906 int last_alert = gnutls_alert_get (session);
907 if (last_alert == GNUTLS_A_NO_RENEGOTIATION &&
908 ret == GNUTLS_E_WARNING_ALERT_RECEIVED)
909 printf
910 ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n");
911 else
912 printf ("* Received alert '%d': %s.\n", last_alert,
913 gnutls_alert_get_name (last_alert));
914 }
915 }
916
917 static void
918 tls_log_func (int level, const char *str)
919 {
920 fprintf (stderr, "|<%d>| %s", level, str);
921 }
922
923 static void
924 tls_audit_log_func (gnutls_session_t session, const char *str)
925 {
926 fprintf (stderr, "|<%p>| %s", session, str);
927 }
928
929 int
930 main (int argc, char **argv)
931 {
932 int ret, mtu, port;
933 char name[256];
934
935 set_program_name (argv[0]);
936 cmd_parser (argc, argv);
937
938 #ifndef _WIN32
939 signal (SIGHUP, SIG_IGN);
940 signal (SIGTERM, terminate);
941 if (signal (SIGINT, terminate) == SIG_IGN)
942 signal (SIGINT, SIG_IGN); /* e.g. background process */
943 #endif
944
945 sockets_init ();
946
947 if (nodb == 0)
948 wrap_db_init ();
949
950 if (HAVE_OPT (UDP))
951 strcpy (name, "UDP ");
952 else
953 name[0] = 0;
954
955 if (http == 1)
956 {
957 strcat (name, "HTTP Server");
958 }
959 else
960 {
961 strcat (name, "Echo Server");
962 }
963
964 gnutls_global_set_log_function (tls_log_func);
965 gnutls_global_set_audit_log_function (tls_audit_log_func);
966 gnutls_global_set_log_level (debug);
967
968 if ((ret = gnutls_global_init ()) < 0)
969 {
970 fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
971 exit (1);
972 }
973
974 #ifdef ENABLE_PKCS11
975 pkcs11_common ();
976 #endif
977
978 /* Note that servers must generate parameters for
979 * Diffie-Hellman. See gnutls_dh_params_generate(), and
980 * gnutls_dh_params_set().
981 */
982 if (generate != 0)
983 {
984 generate_rsa_params ();
985 generate_dh_primes ();
986 }
987 else if (dh_params_file)
988 {
989 read_dh_params ();
990 }
991 else
992 {
993 static_dh_params ();
994 }
995
996 if (gnutls_certificate_allocate_credentials (&cert_cred) < 0)
997 {
998 fprintf (stderr, "memory error\n");
999 exit (1);
1000 }
1001
1002 if (x509_cafile != NULL)
1003 {
1004 if ((ret = gnutls_certificate_set_x509_trust_file
1005 (cert_cred, x509_cafile, x509ctype)) < 0)
1006 {
1007 fprintf (stderr, "Error reading '%s'\n", x509_cafile);
1008 GERR (ret);
1009 exit (1);
1010 }
1011 else
1012 {
1013 printf ("Processed %d CA certificate(s).\n", ret);
1014 }
1015 }
1016 if (x509_crlfile != NULL)
1017 {
1018 if ((ret = gnutls_certificate_set_x509_crl_file
1019 (cert_cred, x509_crlfile, x509ctype)) < 0)
1020 {
1021 fprintf (stderr, "Error reading '%s'\n", x509_crlfile);
1022 GERR (ret);
1023 exit (1);
1024 }
1025 else
1026 {
1027 printf ("Processed %d CRL(s).\n", ret);
1028 }
1029 }
1030
1031 #ifdef ENABLE_OPENPGP
1032 if (pgp_keyring != NULL)
1033 {
1034 ret =
1035 gnutls_certificate_set_openpgp_keyring_file (cert_cred, pgp_keyring,
1036 GNUTLS_OPENPGP_FMT_BASE64);
1037 if (ret < 0)
1038 {
1039 fprintf (stderr, "Error setting the OpenPGP keyring file\n");
1040 GERR (ret);
1041 }
1042 }
1043
1044 if (HAVE_OPT (PGPCERTFILE))
1045 {
1046 if (HAVE_OPT (PGPSUBKEY))
1047 ret = gnutls_certificate_set_openpgp_key_file2
1048 (cert_cred, pgp_certfile, pgp_keyfile, OPT_ARG (PGPSUBKEY),
1049 GNUTLS_OPENPGP_FMT_BASE64);
1050 else
1051 ret = gnutls_certificate_set_openpgp_key_file
1052 (cert_cred, pgp_certfile, pgp_keyfile, GNUTLS_OPENPGP_FMT_BASE64);
1053
1054 if (ret < 0)
1055 {
1056 fprintf (stderr,
1057 "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
1058 ret, pgp_certfile, pgp_keyfile);
1059 GERR (ret);
1060 }
1061 }
1062 #endif
1063
1064 if (x509_certfile != NULL)
1065 if ((ret = gnutls_certificate_set_x509_key_file
1066 (cert_cred, x509_certfile, x509_keyfile, x509ctype)) < 0)
1067 {
1068 fprintf (stderr,
1069 "Error reading '%s' or '%s'\n", x509_certfile, x509_keyfile);
1070 GERR (ret);
1071 exit (1);
1072 }
1073
1074 if (x509_dsacertfile != NULL)
1075 if ((ret = gnutls_certificate_set_x509_key_file
1076 (cert_cred, x509_dsacertfile, x509_dsakeyfile, x509ctype)) < 0)
1077 {
1078 fprintf (stderr, "Error reading '%s' or '%s'\n",
1079 x509_dsacertfile, x509_dsakeyfile);
1080 GERR (ret);
1081 exit (1);
1082 }
1083
1084 if (x509_ecccertfile != NULL)
1085 if ((ret = gnutls_certificate_set_x509_key_file
1086 (cert_cred, x509_ecccertfile, x509_ecckeyfile, x509ctype)) < 0)
1087 {
1088 fprintf (stderr, "Error reading '%s' or '%s'\n",
1089 x509_ecccertfile, x509_ecckeyfile);
1090 GERR (ret);
1091 exit (1);
1092 }
1093
1094 /* OCSP status-request TLS extension */
1095 if (status_response_ocsp)
1096 {
1097 if (gnutls_certificate_set_ocsp_status_request_file (cert_cred, status_response_ocsp, 0) < 0)
1098 {
1099 fprintf (stderr, "Cannot set OCSP status request file: %s\n", gnutls_strerror(ret));
1100 exit (1);
1101 }
1102 }
1103
1104 gnutls_certificate_set_params_function (cert_cred, get_params);
1105 /* gnutls_certificate_set_dh_params(cert_cred, dh_params);
1106 * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
1107 */
1108
1109 /* this is a password file (created with the included srpcrypt utility)
1110 * Read README.crypt prior to using SRP.
1111 */
1112 #ifdef ENABLE_SRP
1113 if (srp_passwd != NULL)
1114 {
1115 gnutls_srp_allocate_server_credentials (&srp_cred);
1116
1117 if ((ret =
1118 gnutls_srp_set_server_credentials_file (srp_cred, srp_passwd,
1119 srp_passwd_conf)) < 0)
1120 {
1121 /* only exit is this function is not disabled
1122 */
1123 fprintf (stderr, "Error while setting SRP parameters\n");
1124 GERR (ret);
1125 }
1126 }
1127 #endif
1128
1129 /* this is a password file
1130 */
1131 #ifdef ENABLE_PSK
1132 if (psk_passwd != NULL)
1133 {
1134 gnutls_psk_allocate_server_credentials (&psk_cred);
1135
1136 if ((ret =
1137 gnutls_psk_set_server_credentials_file (psk_cred, psk_passwd)) < 0)
1138 {
1139 /* only exit is this function is not disabled
1140 */
1141 fprintf (stderr, "Error while setting PSK parameters\n");
1142 GERR (ret);
1143 }
1144
1145 if (HAVE_OPT (PSKHINT))
1146 {
1147 ret = gnutls_psk_set_server_credentials_hint (psk_cred,
1148 OPT_ARG (PSKHINT));
1149 if (ret)
1150 {
1151 fprintf (stderr, "Error setting PSK identity hint.\n");
1152 GERR (ret);
1153 }
1154 }
1155
1156 gnutls_psk_set_server_params_function (psk_cred, get_params);
1157 }
1158 #endif
1159
1160 #ifdef ENABLE_ANON
1161 gnutls_anon_allocate_server_credentials (&dh_cred);
1162 gnutls_anon_set_server_params_function (dh_cred, get_params);
1163
1164 /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
1165 #endif
1166
1167 #ifdef ENABLE_SESSION_TICKET
1168 if (noticket == 0)
1169 gnutls_session_ticket_key_generate (&session_ticket_key);
1170 #endif
1171
1172 if (HAVE_OPT (MTU))
1173 mtu = OPT_VALUE_MTU;
1174 else
1175 mtu = 1300;
1176
1177 if (HAVE_OPT (PORT))
1178 port = OPT_VALUE_PORT;
1179 else
1180 port = 5556;
1181
1182 if (HAVE_OPT (UDP))
1183 udp_server (name, port, mtu);
1184 else
1185 tcp_server (name, port);
1186 }
1187
1188 static void
1189 tcp_server (const char *name, int port)
1190 {
1191 int n, s;
1192 char topbuf[512];
1193 int accept_fd;
1194 struct sockaddr_storage client_address;
1195 socklen_t calen;
1196
1197 s = listen_socket (name, port, SOCK_STREAM);
1198 if (s < 0)
1199 exit (1);
1200
1201 for (;;)
1202 {
1203 listener_item *j;
1204 fd_set rd, wr;
1205 #ifndef _WIN32
1206 int val;
1207 #endif
1208
1209 FD_ZERO (&rd);
1210 FD_ZERO (&wr);
1211 n = 0;
1212
1213 /* flag which connections we are reading or writing to within the fd sets */
1214 lloopstart (listener_list, j)
1215 {
1216
1217 #ifndef _WIN32
1218 val = fcntl (j->fd, F_GETFL, 0);
1219 if ((val == -1) || (fcntl (j->fd, F_SETFL, val | O_NONBLOCK) < 0))
1220 {
1221 perror ("fcntl()");
1222 exit (1);
1223 }
1224 #endif
1225
1226 if (j->listen_socket)
1227 {
1228 FD_SET (j->fd, &rd);
1229 n = MAX (n, j->fd);
1230 }
1231 if (j->http_state == HTTP_STATE_REQUEST)
1232 {
1233 FD_SET (j->fd, &rd);
1234 n = MAX (n, j->fd);
1235 }
1236 if (j->http_state == HTTP_STATE_RESPONSE)
1237 {
1238 FD_SET (j->fd, &wr);
1239 n = MAX (n, j->fd);
1240 }
1241 }
1242 lloopend (listener_list, j);
1243
1244 /* core operation */
1245 n = select (n + 1, &rd, &wr, NULL, NULL);
1246 if (n == -1 && errno == EINTR)
1247 continue;
1248 if (n < 0)
1249 {
1250 perror ("select()");
1251 exit (1);
1252 }
1253
1254 /* read or write to each connection as indicated by select()'s return argument */
1255 lloopstart (listener_list, j)
1256 {
1257
1258 /* a new connection has arrived */
1259 if (FD_ISSET (j->fd, &rd) && j->listen_socket)
1260 {
1261 gnutls_session_t tls_session;
1262
1263 tls_session = initialize_session (0);
1264
1265 calen = sizeof (client_address);
1266 memset (&client_address, 0, calen);
1267 accept_fd = accept (j->fd, (struct sockaddr *) &client_address,
1268 &calen);
1269
1270 if (accept_fd < 0)
1271 {
1272 perror ("accept()");
1273 }
1274 else
1275 {
1276 time_t tt;
1277 char *ctt;
1278
1279 /* new list entry for the connection */
1280 lappend (listener_list);
1281 j = listener_list.tail;
1282 j->http_request = (char *) strdup ("");
1283 j->http_state = HTTP_STATE_REQUEST;
1284 j->fd = accept_fd;
1285
1286 j->tls_session = tls_session;
1287 gnutls_transport_set_ptr (tls_session,
1288 (gnutls_transport_ptr_t)
1289 gl_fd_to_handle (accept_fd));
1290 j->handshake_ok = 0;
1291
1292 if (verbose != 0)
1293 {
1294 tt = time (0);
1295 ctt = ctime (&tt);
1296 ctt[strlen (ctt) - 1] = 0;
1297
1298 printf ("\n* Accepted connection from %s on %s\n",
1299 human_addr ((struct sockaddr *)
1300 &client_address, calen, topbuf,
1301 sizeof (topbuf)), ctt);
1302 }
1303 }
1304 }
1305
1306 if (FD_ISSET (j->fd, &rd) && !j->listen_socket)
1307 {
1308 /* read partial GET request */
1309 char buf[1024];
1310 int r, ret;
1311
1312 if (j->handshake_ok == 0)
1313 {
1314 r = gnutls_handshake (j->tls_session);
1315 if (r < 0 && gnutls_error_is_fatal (r) == 0)
1316 {
1317 check_alert (j->tls_session, r);
1318 /* nothing */
1319 }
1320 else if (r < 0 && gnutls_error_is_fatal (r) == 1)
1321 {
1322 check_alert (j->tls_session, r);
1323 fprintf (stderr, "Error in handshake\n");
1324 GERR (r);
1325
1326 do
1327 {
1328 ret =
1329 gnutls_alert_send_appropriate (j->tls_session, r);
1330 }
1331 while (ret == GNUTLS_E_AGAIN
1332 || ret == GNUTLS_E_INTERRUPTED);
1333 j->http_state = HTTP_STATE_CLOSING;
1334 }
1335 else if (r == 0)
1336 {
1337 if (gnutls_session_is_resumed (j->tls_session) != 0
1338 && verbose != 0)
1339 printf ("*** This is a resumed session\n");
1340
1341 if (verbose != 0)
1342 {
1343 printf ("\n* Successful handshake from %s\n",
1344 human_addr ((struct sockaddr *)
1345 &client_address, calen, topbuf,
1346 sizeof (topbuf)));
1347 print_info (j->tls_session, verbose, verbose);
1348 if (gnutls_auth_get_type (j->tls_session) ==
1349 GNUTLS_CRD_CERTIFICATE)
1350 cert_verify (j->tls_session, NULL);
1351 }
1352 j->handshake_ok = 1;
1353 }
1354 }
1355
1356 if (j->handshake_ok == 1)
1357 {
1358 r = gnutls_record_recv (j->tls_session, buf,
1359 MIN (1024, SMALL_READ_TEST));
1360 if (r == GNUTLS_E_HEARTBEAT_PING_RECEIVED)
1361 {
1362 gnutls_heartbeat_pong(j->tls_session, 0);
1363 }
1364 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN)
1365 {
1366 /* do nothing */
1367 }
1368 else if (r <= 0)
1369 {
1370 if (r == GNUTLS_E_REHANDSHAKE)
1371 {
1372 fprintf (stderr, "*** Received hello message\n");
1373 do
1374 {
1375 r = gnutls_handshake (j->tls_session);
1376 }
1377 while (r == GNUTLS_E_INTERRUPTED
1378 || r == GNUTLS_E_AGAIN);
1379
1380 if (r < 0)
1381 {
1382 do
1383 {
1384 ret = gnutls_alert_send_appropriate
1385 (j->tls_session, r);
1386 }
1387 while (ret == GNUTLS_E_AGAIN
1388 || ret == GNUTLS_E_INTERRUPTED);
1389
1390 GERR (r);
1391 j->http_state = HTTP_STATE_CLOSING;
1392 }
1393 }
1394 else
1395 {
1396 if (r < 0)
1397 {
1398 if (r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
1399 {
1400 j->http_state = HTTP_STATE_CLOSING;
1401 check_alert (j->tls_session, r);
1402 fprintf (stderr,
1403 "Error while receiving data\n");
1404 GERR (r);
1405 }
1406 }
1407 }
1408 }
1409 else
1410 {
1411 j->http_request =
1412 realloc (j->http_request, j->request_length + r + 1);
1413 if (j->http_request != NULL)
1414 {
1415 memcpy (j->http_request + j->request_length, buf, r);
1416 j->request_length += r;
1417 j->http_request[j->request_length] = '\0';
1418 }
1419 else
1420 j->http_state = HTTP_STATE_CLOSING;
1421
1422 }
1423 /* check if we have a full HTTP header */
1424
1425 j->http_response = NULL;
1426 if (j->http_request != NULL)
1427 {
1428 if ((http == 0 && strchr (j->http_request, '\n'))
1429 || strstr (j->http_request, "\r\n\r\n")
1430 || strstr (j->http_request, "\n\n"))
1431 {
1432 get_response (j->tls_session, j->http_request,
1433 &j->http_response, &j->response_length);
1434 j->http_state = HTTP_STATE_RESPONSE;
1435 j->response_written = 0;
1436 }
1437 }
1438 }
1439 }
1440 if (FD_ISSET (j->fd, &wr))
1441 {
1442 /* write partial response request */
1443 int r;
1444
1445 if (j->handshake_ok == 0)
1446 {
1447 r = gnutls_handshake (j->tls_session);
1448 if (r < 0 && gnutls_error_is_fatal (r) == 0)
1449 {
1450 check_alert (j->tls_session, r);
1451 /* nothing */
1452 }
1453 else if (r < 0 && gnutls_error_is_fatal (r) == 1)
1454 {
1455 int ret;
1456
1457 j->http_state = HTTP_STATE_CLOSING;
1458 check_alert (j->tls_session, r);
1459 fprintf (stderr, "Error in handshake\n");
1460 GERR (r);
1461
1462 do
1463 {
1464 ret =
1465 gnutls_alert_send_appropriate (j->tls_session, r);
1466 }
1467 while (ret == GNUTLS_E_AGAIN);
1468 }
1469 else if (r == 0)
1470 {
1471 if (gnutls_session_is_resumed (j->tls_session) != 0
1472 && verbose != 0)
1473 printf ("*** This is a resumed session\n");
1474 if (verbose != 0)
1475 {
1476 printf ("- connection from %s\n",
1477 human_addr ((struct sockaddr *)
1478 &client_address, calen, topbuf,
1479 sizeof (topbuf)));
1480
1481 print_info (j->tls_session, verbose, verbose);
1482 if (gnutls_auth_get_type (j->tls_session) ==
1483 GNUTLS_CRD_CERTIFICATE)
1484 cert_verify (j->tls_session, NULL);
1485 }
1486 j->handshake_ok = 1;
1487 }
1488 }
1489
1490 if (j->handshake_ok == 1 && j->http_response != NULL)
1491 {
1492 /* FIXME if j->http_response == NULL? */
1493 r = gnutls_record_send (j->tls_session,
1494 j->http_response +
1495 j->response_written,
1496 MIN (j->response_length -
1497 j->response_written,
1498 SMALL_READ_TEST));
1499 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN)
1500 {
1501 /* do nothing */
1502 }
1503 else if (r <= 0)
1504 {
1505 if (http != 0)
1506 j->http_state = HTTP_STATE_CLOSING;
1507 else
1508 {
1509 j->http_state = HTTP_STATE_REQUEST;
1510 free (j->http_response);
1511 j->response_length = 0;
1512 j->request_length = 0;
1513 j->http_request[0] = 0;
1514 }
1515
1516 if (r < 0)
1517 {
1518 fprintf (stderr, "Error while sending data\n");
1519 GERR (r);
1520 }
1521 check_alert (j->tls_session, r);
1522 }
1523 else
1524 {
1525 j->response_written += r;
1526 /* check if we have written a complete response */
1527 if (j->response_written == j->response_length)
1528 {
1529 if (http != 0)
1530 j->http_state = HTTP_STATE_CLOSING;
1531 else
1532 {
1533 j->http_state = HTTP_STATE_REQUEST;
1534 free (j->http_response);
1535 j->response_length = 0;
1536 j->request_length = 0;
1537 j->http_request[0] = 0;
1538 }
1539 }
1540 }
1541 }
1542 else
1543 {
1544 j->request_length = 0;
1545 j->http_request[0] = 0;
1546 j->http_state = HTTP_STATE_REQUEST;
1547 }
1548 }
1549 }
1550 lloopend (listener_list, j);
1551
1552 /* loop through all connections, closing those that are in error */
1553 lloopstart (listener_list, j)
1554 {
1555 if (j->http_state == HTTP_STATE_CLOSING)
1556 {
1557 ldeleteinc (listener_list, j);
1558 }
1559 }
1560 lloopend (listener_list, j);
1561 }
1562
1563
1564 gnutls_certificate_free_credentials (cert_cred);
1565
1566 #ifdef ENABLE_SRP
1567 if (srp_cred)
1568 gnutls_srp_free_server_credentials (srp_cred);
1569 #endif
1570
1571 #ifdef ENABLE_PSK
1572 if (psk_cred)
1573 gnutls_psk_free_server_credentials (psk_cred);
1574 #endif
1575
1576 #ifdef ENABLE_ANON
1577 gnutls_anon_free_server_credentials (dh_cred);
1578 #endif
1579
1580 #ifdef ENABLE_SESSION_TICKET
1581 if (noticket == 0)
1582 gnutls_free (session_ticket_key.data);
1583 #endif
1584
1585 if (nodb == 0)
1586 wrap_db_deinit ();
1587 gnutls_global_deinit ();
1588
1589 }
1590
1591 static void
1592 cmd_parser (int argc, char **argv)
1593 {
1594 optionProcess (&gnutls_servOptions, argc, argv);
1595
1596 disable_client_cert = HAVE_OPT (DISABLE_CLIENT_CERT);
1597 require_cert = HAVE_OPT (REQUIRE_CLIENT_CERT);
1598 if (HAVE_OPT (DEBUG))
1599 debug = OPT_VALUE_DEBUG;
1600
1601 if (HAVE_OPT (QUIET))
1602 verbose = 0;
1603
1604 if (HAVE_OPT (PRIORITY))
1605 priorities = OPT_ARG (PRIORITY);
1606
1607 if (HAVE_OPT (LIST))
1608 {
1609 print_list (priorities, verbose);
1610 exit (0);
1611 }
1612
1613 nodb = HAVE_OPT (NODB);
1614 noticket = HAVE_OPT (NOTICKET);
1615
1616 if (HAVE_OPT (ECHO))
1617 http = 0;
1618 else
1619 http = 1;
1620
1621 if (HAVE_OPT (X509FMTDER))
1622 x509ctype = GNUTLS_X509_FMT_DER;
1623 else
1624 x509ctype = GNUTLS_X509_FMT_PEM;
1625
1626 generate = HAVE_OPT (GENERATE);
1627
1628 if (HAVE_OPT (DHPARAMS))
1629 dh_params_file = OPT_ARG (DHPARAMS);
1630
1631 if (HAVE_OPT (X509KEYFILE))
1632 x509_keyfile = OPT_ARG (X509KEYFILE);
1633 if (HAVE_OPT (X509CERTFILE))
1634 x509_certfile = OPT_ARG (X509CERTFILE);
1635
1636 if (HAVE_OPT (X509DSAKEYFILE))
1637 x509_dsakeyfile = OPT_ARG (X509DSAKEYFILE);
1638 if (HAVE_OPT (X509DSACERTFILE))
1639 x509_dsacertfile = OPT_ARG (X509DSACERTFILE);
1640
1641
1642 if (HAVE_OPT (X509ECCKEYFILE))
1643 x509_ecckeyfile = OPT_ARG (X509ECCKEYFILE);
1644 if (HAVE_OPT (X509CERTFILE))
1645 x509_ecccertfile = OPT_ARG (X509ECCCERTFILE);
1646
1647 if (HAVE_OPT (X509CAFILE))
1648 x509_cafile = OPT_ARG (X509CAFILE);
1649 if (HAVE_OPT (X509CRLFILE))
1650 x509_crlfile = OPT_ARG (X509CRLFILE);
1651
1652 if (HAVE_OPT (PGPKEYFILE))
1653 pgp_keyfile = OPT_ARG (PGPKEYFILE);
1654 if (HAVE_OPT (PGPCERTFILE))
1655 pgp_certfile = OPT_ARG (PGPCERTFILE);
1656
1657 if (HAVE_OPT (PGPKEYRING))
1658 pgp_keyring = OPT_ARG (PGPKEYRING);
1659
1660 if (HAVE_OPT (SRPPASSWD))
1661 srp_passwd = OPT_ARG (SRPPASSWD);
1662 if (HAVE_OPT (SRPPASSWDCONF))
1663 srp_passwd_conf = OPT_ARG (SRPPASSWDCONF);
1664
1665 if (HAVE_OPT (PSKPASSWD))
1666 psk_passwd = OPT_ARG (PSKPASSWD);
1667
1668 if (HAVE_OPT(OCSP_RESPONSE))
1669 status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
1670
1671 }
1672
1673 /* session resuming support */
1674
1675 #define SESSION_ID_SIZE 32
1676 #define SESSION_DATA_SIZE 1024
1677
1678 typedef struct
1679 {
1680 char session_id[SESSION_ID_SIZE];
1681 unsigned int session_id_size;
1682
1683 char session_data[SESSION_DATA_SIZE];
1684 unsigned int session_data_size;
1685 } CACHE;
1686
1687 static CACHE *cache_db;
1688 int cache_db_ptr = 0;
1689
1690 static void
1691 wrap_db_init (void)
1692 {
1693 /* allocate cache_db */
1694 cache_db = calloc (1, ssl_session_cache * sizeof (CACHE));
1695 }
1696
1697 static void
1698 wrap_db_deinit (void)
1699 {
1700 }
1701
1702 static int
1703 wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data)
1704 {
1705
1706 if (cache_db == NULL)
1707 return -1;
1708
1709 if (key.size > SESSION_ID_SIZE)
1710 return -1;
1711 if (data.size > SESSION_DATA_SIZE)
1712 return -1;
1713
1714 memcpy (cache_db[cache_db_ptr].session_id, key.data, key.size);
1715 cache_db[cache_db_ptr].session_id_size = key.size;
1716
1717 memcpy (cache_db[cache_db_ptr].session_data, data.data, data.size);
1718 cache_db[cache_db_ptr].session_data_size = data.size;
1719
1720 cache_db_ptr++;
1721 cache_db_ptr %= ssl_session_cache;
1722
1723 return 0;
1724 }
1725
1726 static gnutls_datum_t
1727 wrap_db_fetch (void *dbf, gnutls_datum_t key)
1728 {
1729 gnutls_datum_t res = { NULL, 0 };
1730 int i;
1731
1732 if (cache_db == NULL)
1733 return res;
1734
1735 for (i = 0; i < ssl_session_cache; i++)
1736 {
1737 if (key.size == cache_db[i].session_id_size &&
1738 memcmp (key.data, cache_db[i].session_id, key.size) == 0)
1739 {
1740 res.size = cache_db[i].session_data_size;
1741
1742 res.data = gnutls_malloc (res.size);
1743 if (res.data == NULL)
1744 return res;
1745
1746 memcpy (res.data, cache_db[i].session_data, res.size);
1747
1748 return res;
1749 }
1750 }
1751 return res;
1752 }
1753
1754 static int
1755 wrap_db_delete (void *dbf, gnutls_datum_t key)
1756 {
1757 int i;
1758
1759 if (cache_db == NULL)
1760 return -1;
1761
1762 for (i = 0; i < ssl_session_cache; i++)
1763 {
1764 if (key.size == (unsigned int) cache_db[i].session_id_size &&
1765 memcmp (key.data, cache_db[i].session_id, key.size) == 0)
1766 {
1767
1768 cache_db[i].session_id_size = 0;
1769 cache_db[i].session_data_size = 0;
1770
1771 return 0;
1772 }
1773 }
1774
1775 return -1;
1776 }
Implementation of the SSL/TLS protocol