2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2001,2002 Paul Sheer
4 * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * GnuTLS is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This server is heavily modified for GnuTLS by Nikos Mavrogiannopoulos
23 * (which means it is quite unreadable)
29 #include "serv-args.h"
33 #include <sys/types.h>
35 #include <gnutls/gnutls.h>
36 #include <gnutls/dtls.h>
37 #include <gnutls/openpgp.h>
39 #include <sys/select.h>
46 /* Gnulib portability files. */
48 #include "version-etc.h"
49 #include "read-file.h"
54 /* konqueror cannot handle sending the page in multiple
58 static int generate
= 0;
63 unsigned int verbose
= 1;
67 int disable_client_cert
;
69 const char *psk_passwd
= NULL
;
70 const char *srp_passwd
= NULL
;
71 const char *srp_passwd_conf
= NULL
;
72 const char *pgp_keyring
= NULL
;
73 const char *pgp_keyfile
= NULL
;
74 const char *pgp_certfile
= NULL
;
75 const char *x509_keyfile
= NULL
;
76 const char *x509_certfile
= NULL
;
77 const char *x509_dsakeyfile
= NULL
;
78 const char *x509_dsacertfile
= NULL
;
79 const char *x509_ecckeyfile
= NULL
;
80 const char *x509_ecccertfile
= NULL
;
81 const char *x509_cafile
= NULL
;
82 const char *dh_params_file
= NULL
;
83 const char *x509_crlfile
= NULL
;
84 const char * priorities
= NULL
;
85 const char * status_response_ocsp
= NULL
;
87 gnutls_datum_t session_ticket_key
;
88 static void tcp_server (const char *name
, int port
);
92 /* This is a sample TCP echo server.
93 * This will behave as an http server if any argument in the
94 * command line is present
97 #define SMALL_READ_TEST (2147483647)
99 #define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
101 #define HTTP_END "</BODY></HTML>\n\n"
103 #define HTTP_UNIMPLEMENTED "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n<HR>\r\n</BODY></HTML>\r\n"
104 #define HTTP_OK "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
106 #define HTTP_BEGIN HTTP_OK \
109 "<CENTER><H1>This is <a href=\"http://www.gnu.org/software/gnutls\">" \
110 "GnuTLS</a></H1></CENTER>\n\n"
112 /* These are global */
113 gnutls_srp_server_credentials_t srp_cred
= NULL
;
114 gnutls_psk_server_credentials_t psk_cred
= NULL
;
115 gnutls_anon_server_credentials_t dh_cred
= NULL
;
116 gnutls_certificate_credentials_t cert_cred
= NULL
;
118 const int ssl_session_cache
= 128;
120 static void wrap_db_init (void);
121 static void wrap_db_deinit (void);
122 static int wrap_db_store (void *dbf
, gnutls_datum_t key
, gnutls_datum_t data
);
123 static gnutls_datum_t
wrap_db_fetch (void *dbf
, gnutls_datum_t key
);
124 static int wrap_db_delete (void *dbf
, gnutls_datum_t key
);
126 static void cmd_parser (int argc
, char **argv
);
129 #define HTTP_STATE_REQUEST 1
130 #define HTTP_STATE_RESPONSE 2
131 #define HTTP_STATE_CLOSING 3
133 LIST_TYPE_DECLARE (listener_item
, char *http_request
;
134 char *http_response
; int request_length
;
135 int response_length
; int response_written
;
136 int http_state
; int listen_socket
;
137 int fd
; gnutls_session_t tls_session
; int handshake_ok
;);
140 safe_strerror (int value
)
142 const char *ret
= gnutls_strerror (value
);
149 listener_free (listener_item
* j
)
152 free (j
->http_request
);
153 free (j
->http_response
);
156 gnutls_bye (j
->tls_session
, GNUTLS_SHUT_WR
);
159 gnutls_deinit (j
->tls_session
);
164 /* we use primes up to 1024 in this server.
165 * otherwise we should add them here.
168 gnutls_dh_params_t dh_params
= NULL
;
169 gnutls_rsa_params_t rsa_params
= NULL
;
172 generate_dh_primes (void)
175 gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH
, GNUTLS_SEC_PARAM_NORMAL
);
177 if (gnutls_dh_params_init (&dh_params
) < 0)
179 fprintf (stderr
, "Error in dh parameter initialization\n");
183 /* Generate Diffie-Hellman parameters - for use with DHE
184 * kx algorithms. These should be discarded and regenerated
185 * once a week or once a month. Depends on the
186 * security requirements.
189 ("Generating Diffie-Hellman parameters [%d]. Please wait...\n",
193 if (gnutls_dh_params_generate2 (dh_params
, prime_bits
) < 0)
195 fprintf (stderr
, "Error in prime generation\n");
203 read_dh_params (void)
207 gnutls_datum_t params
;
210 if (gnutls_dh_params_init (&dh_params
) < 0)
212 fprintf (stderr
, "Error in dh parameter initialization\n");
216 /* read the params file
218 fd
= fopen (dh_params_file
, "r");
221 fprintf (stderr
, "Could not open %s\n", dh_params_file
);
225 size
= fread (tmpdata
, 1, sizeof (tmpdata
) - 1, fd
);
229 params
.data
= (unsigned char *) tmpdata
;
233 gnutls_dh_params_import_pkcs3 (dh_params
, ¶ms
, GNUTLS_X509_FMT_PEM
);
237 fprintf (stderr
, "Error parsing dh params: %s\n", safe_strerror (size
));
241 printf ("Read Diffie-Hellman parameters.\n");
246 static char pkcs3
[] =
247 "-----BEGIN DH PARAMETERS-----\n"
248 "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
249 "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
250 "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
251 "-----END DH PARAMETERS-----\n";
254 static_dh_params (void)
256 gnutls_datum_t params
= { (void *) pkcs3
, sizeof (pkcs3
) };
259 if (gnutls_dh_params_init (&dh_params
) < 0)
261 fprintf (stderr
, "Error in dh parameter initialization\n");
265 ret
= gnutls_dh_params_import_pkcs3 (dh_params
, ¶ms
,
266 GNUTLS_X509_FMT_PEM
);
270 fprintf (stderr
, "Error parsing dh params: %s\n", safe_strerror (ret
));
274 printf ("Set static Diffie-Hellman parameters, consider --dhparams.\n");
280 get_params (gnutls_session_t session
, gnutls_params_type_t type
,
281 gnutls_params_st
* st
)
284 if (type
== GNUTLS_PARAMS_RSA_EXPORT
)
286 if (rsa_params
== NULL
)
288 st
->params
.rsa_export
= rsa_params
;
290 else if (type
== GNUTLS_PARAMS_DH
)
292 if (dh_params
== NULL
)
294 st
->params
.dh
= dh_params
;
306 generate_rsa_params (void)
308 if (gnutls_rsa_params_init (&rsa_params
) < 0)
310 fprintf (stderr
, "Error in rsa parameter initialization\n");
314 /* Generate RSA parameters - for use with RSA-export
315 * cipher suites. These should be discarded and regenerated
316 * once a day, once every 500 transactions etc. Depends on the
317 * security requirements.
319 printf ("Generating temporary RSA parameters. Please wait...\n");
322 if (gnutls_rsa_params_generate2 (rsa_params
, 512) < 0)
324 fprintf (stderr
, "Error in rsa parameter generation\n");
331 LIST_DECLARE_INIT (listener_list
, listener_item
, listener_free
);
333 gnutls_session_t
initialize_session (int dtls
)
335 gnutls_session_t session
;
338 if (priorities
== NULL
)
339 priorities
= "NORMAL";
342 gnutls_init (&session
, GNUTLS_SERVER
| GNUTLS_DATAGRAM
);
344 gnutls_init (&session
, GNUTLS_SERVER
);
346 /* allow the use of private ciphersuites.
348 gnutls_handshake_set_private_extensions (session
, 1);
352 gnutls_db_set_retrieve_function (session
, wrap_db_fetch
);
353 gnutls_db_set_remove_function (session
, wrap_db_delete
);
354 gnutls_db_set_store_function (session
, wrap_db_store
);
355 gnutls_db_set_ptr (session
, NULL
);
357 #ifdef ENABLE_SESSION_TICKET
359 gnutls_session_ticket_enable_server (session
, &session_ticket_key
);
364 gnutls_session_ticket_enable_server (session
, &session_ticket_key
);
366 if (gnutls_priority_set_direct (session
, priorities
, &err
) < 0)
368 fprintf (stderr
, "Syntax error at: %s\n", err
);
372 gnutls_credentials_set (session
, GNUTLS_CRD_ANON
, dh_cred
);
374 if (srp_cred
!= NULL
)
375 gnutls_credentials_set (session
, GNUTLS_CRD_SRP
, srp_cred
);
377 if (psk_cred
!= NULL
)
378 gnutls_credentials_set (session
, GNUTLS_CRD_PSK
, psk_cred
);
380 if (cert_cred
!= NULL
)
381 gnutls_credentials_set (session
, GNUTLS_CRD_CERTIFICATE
, cert_cred
);
383 if (disable_client_cert
)
384 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_IGNORE
);
388 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_REQUIRE
);
390 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_REQUEST
);
393 if (HAVE_OPT (HEARTBEAT
))
394 gnutls_heartbeat_enable(session
, GNUTLS_HB_PEER_ALLOWED_TO_SEND
);
399 #include <gnutls/x509.h>
401 static const char DEFAULT_DATA
[] =
402 "This is the default message reported by the GnuTLS implementation. "
403 "For more information please visit "
404 "<a href=\"http://www.gnutls.org/\">http://www.gnutls.org/</a>.";
406 /* Creates html with the current session information.
408 #define tmp_buffer &http_buffer[strlen(http_buffer)]
409 #define tmp_buffer_size len-strlen(http_buffer)
411 peer_print_info (gnutls_session_t session
, int *ret_length
,
415 unsigned char sesid
[32];
416 size_t i
, sesid_size
;
418 gnutls_kx_algorithm_t kx_alg
;
419 size_t len
= 20 * 1024 + strlen (header
);
420 char *crtinfo
= NULL
;
425 http_buffer
= malloc (len
);
426 if (http_buffer
== NULL
)
429 strcpy (http_buffer
, HTTP_BEGIN
);
430 strcpy (&http_buffer
[sizeof (HTTP_BEGIN
) - 1], DEFAULT_DATA
);
431 strcpy (&http_buffer
[sizeof (HTTP_BEGIN
) + sizeof (DEFAULT_DATA
) - 2],
434 sizeof (DEFAULT_DATA
) + sizeof (HTTP_BEGIN
) + sizeof (HTTP_END
) - 3;
438 if (gnutls_certificate_type_get (session
) == GNUTLS_CRT_X509
)
440 const gnutls_datum_t
*cert_list
;
441 unsigned int cert_list_size
= 0;
443 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
445 for (i
= 0; i
< cert_list_size
; i
++)
447 gnutls_x509_crt_t cert
;
450 if (gnutls_x509_crt_init (&cert
) == 0 &&
451 gnutls_x509_crt_import (cert
, &cert_list
[i
],
452 GNUTLS_X509_FMT_DER
) == 0 &&
453 gnutls_x509_crt_print (cert
, GNUTLS_CRT_PRINT_FULL
, &info
) == 0)
455 const char *post
= "</PRE><P><PRE>";
457 crtinfo
= realloc (crtinfo
, ncrtinfo
+ info
.size
+
461 memcpy (crtinfo
+ ncrtinfo
, info
.data
, info
.size
);
462 ncrtinfo
+= info
.size
;
463 memcpy (crtinfo
+ ncrtinfo
, post
, strlen (post
));
464 ncrtinfo
+= strlen (post
);
465 crtinfo
[ncrtinfo
] = '\0';
466 gnutls_free (info
.data
);
471 http_buffer
= malloc (len
);
472 if (http_buffer
== NULL
)
478 strcpy (http_buffer
, HTTP_BEGIN
);
480 /* print session_id */
481 sesid_size
= sizeof(sesid
);
482 gnutls_session_get_id (session
, sesid
, &sesid_size
);
483 snprintf (tmp_buffer
, tmp_buffer_size
, "\n<p>Session ID: <i>");
484 for (i
= 0; i
< sesid_size
; i
++)
485 snprintf (tmp_buffer
, tmp_buffer_size
, "%.2X", sesid
[i
]);
486 snprintf (tmp_buffer
, tmp_buffer_size
, "</i></p>\n");
487 snprintf (tmp_buffer
, tmp_buffer_size
,
488 "<h5>If your browser supports session resuming, then you should see the "
489 "same session ID, when you press the <b>reload</b> button.</h5>\n");
491 /* Here unlike print_info() we use the kx algorithm to distinguish
492 * the functions to call.
496 size_t dns_size
= sizeof (dns
);
499 if (gnutls_server_name_get (session
, dns
, &dns_size
, &type
, 0) == 0)
501 snprintf (tmp_buffer
, tmp_buffer_size
, "\n<p>Server Name: %s</p>\n",
507 kx_alg
= gnutls_kx_get (session
);
509 /* print srp specific data */
511 if (kx_alg
== GNUTLS_KX_SRP
)
513 snprintf (tmp_buffer
, tmp_buffer_size
,
514 "<p>Connected as user '%s'.</p>\n",
515 gnutls_srp_server_get_username (session
));
520 if (kx_alg
== GNUTLS_KX_PSK
)
522 snprintf (tmp_buffer
, tmp_buffer_size
,
523 "<p>Connected as user '%s'.</p>\n",
524 gnutls_psk_server_get_username (session
));
529 if (kx_alg
== GNUTLS_KX_ANON_DH
)
531 snprintf (tmp_buffer
, tmp_buffer_size
,
532 "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
533 gnutls_dh_get_prime_bits (session
));
537 if (kx_alg
== GNUTLS_KX_DHE_RSA
|| kx_alg
== GNUTLS_KX_DHE_DSS
)
539 snprintf (tmp_buffer
, tmp_buffer_size
,
540 "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
541 gnutls_dh_get_prime_bits (session
));
544 /* print session information */
545 strcat (http_buffer
, "<P>\n");
547 tmp
= gnutls_protocol_get_name (gnutls_protocol_get_version (session
));
550 snprintf (tmp_buffer
, tmp_buffer_size
,
551 "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
554 if (gnutls_auth_get_type (session
) == GNUTLS_CRD_CERTIFICATE
)
557 gnutls_certificate_type_get_name (gnutls_certificate_type_get
561 snprintf (tmp_buffer
, tmp_buffer_size
,
562 "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp
);
565 tmp
= gnutls_kx_get_name (kx_alg
);
568 snprintf (tmp_buffer
, tmp_buffer_size
,
569 "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp
);
571 tmp
= gnutls_compression_get_name (gnutls_compression_get (session
));
574 snprintf (tmp_buffer
, tmp_buffer_size
,
575 "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp
);
577 tmp
= gnutls_cipher_get_name (gnutls_cipher_get (session
));
580 snprintf (tmp_buffer
, tmp_buffer_size
,
581 "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp
);
583 tmp
= gnutls_mac_get_name (gnutls_mac_get (session
));
586 snprintf (tmp_buffer
, tmp_buffer_size
, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n",
589 tmp
= gnutls_cipher_suite_get_name (kx_alg
,
590 gnutls_cipher_get (session
),
591 gnutls_mac_get (session
));
594 snprintf (tmp_buffer
, tmp_buffer_size
,
595 "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", tmp
);
599 snprintf (tmp_buffer
, tmp_buffer_size
, "<hr><PRE>%s\n</PRE>\n",
604 snprintf (tmp_buffer
, tmp_buffer_size
,
605 "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END
,
608 *ret_length
= strlen (http_buffer
);
614 human_addr (const struct sockaddr
*sa
, socklen_t salen
,
615 char *buf
, size_t buflen
)
617 const char *save_buf
= buf
;
625 switch (sa
->sa_family
)
629 snprintf (buf
, buflen
, "IPv6 ");
634 snprintf (buf
, buflen
, "IPv4 ");
642 if (getnameinfo (sa
, salen
, buf
, buflen
, NULL
, 0, NI_NUMERICHOST
) != 0)
649 strncat (buf
, " port ", buflen
);
655 if (getnameinfo (sa
, salen
, NULL
, 0, buf
, buflen
, NI_NUMERICSERV
) != 0)
662 wait_for_connection (void)
672 lloopstart (listener_list
, j
)
674 if (j
->listen_socket
)
680 lloopend (listener_list
, j
);
683 n
= select (n
+ 1, &rd
, &wr
, NULL
, NULL
);
684 if (n
== -1 && errno
== EINTR
)
692 /* find which one is ready */
693 lloopstart (listener_list
, j
)
695 /* a new connection has arrived */
696 if (FD_ISSET (j
->fd
, &rd
) && j
->listen_socket
)
702 lloopend (listener_list
, j
);
707 listen_socket (const char *name
, int listen_port
, int socktype
)
709 struct addrinfo hints
, *res
, *ptr
;
713 listener_item
*j
= NULL
;
715 snprintf (portname
, sizeof (portname
), "%d", listen_port
);
716 memset (&hints
, 0, sizeof (hints
));
717 hints
.ai_socktype
= socktype
;
718 hints
.ai_flags
= AI_PASSIVE
724 if ((s
= getaddrinfo (NULL
, portname
, &hints
, &res
)) != 0)
726 fprintf (stderr
, "getaddrinfo() failed: %s\n", gai_strerror (s
));
730 for (ptr
= res
; ptr
!= NULL
; ptr
= ptr
->ai_next
)
733 if (ptr
->ai_family
!= AF_INET
)
737 /* Print what we are doing. */
741 fprintf (stderr
, "%s listening on %s...",
742 name
, human_addr (ptr
->ai_addr
, ptr
->ai_addrlen
,
743 topbuf
, sizeof (topbuf
)));
746 if ((s
= socket (ptr
->ai_family
, ptr
->ai_socktype
,
747 ptr
->ai_protocol
)) < 0)
749 perror ("socket() failed");
753 #if defined(HAVE_IPV6) && !defined(_WIN32)
754 if (ptr
->ai_family
== AF_INET6
)
757 /* avoid listen on ipv6 addresses failing
758 * because already listening on ipv4 addresses: */
759 setsockopt (s
, IPPROTO_IPV6
, IPV6_V6ONLY
,
760 (const void *) &yes
, sizeof (yes
));
764 if (socktype
== SOCK_STREAM
)
767 if (setsockopt (s
, SOL_SOCKET
, SO_REUSEADDR
,
768 (const void *) &yes
, sizeof (yes
)) < 0)
770 perror ("setsockopt() failed");
777 #if defined(IP_DONTFRAG)
779 if (setsockopt (s
, IPPROTO_IP
, IP_DONTFRAG
,
780 (const void *) &yes
, sizeof (yes
)) < 0)
781 perror ("setsockopt(IP_DF) failed");
782 #elif defined(IP_MTU_DISCOVER)
783 yes
= IP_PMTUDISC_DO
;
784 if (setsockopt (s
, IPPROTO_IP
, IP_MTU_DISCOVER
,
785 (const void *) &yes
, sizeof (yes
)) < 0)
786 perror ("setsockopt(IP_DF) failed");
790 if (bind (s
, ptr
->ai_addr
, ptr
->ai_addrlen
) < 0)
792 perror ("bind() failed");
797 if (socktype
== SOCK_STREAM
)
799 if (listen (s
, 10) < 0)
801 perror ("listen() failed");
806 /* new list entry for the connection */
807 lappend (listener_list
);
808 j
= listener_list
.tail
;
809 j
->listen_socket
= 1;
812 /* Complete earlier message. */
813 fprintf (stderr
, "done\n");
823 /* strips \r\n from the end of the string
829 int len
= strlen (data
);
831 for (i
= 0; i
< len
; i
++)
833 if (data
[i
] == '\r' && data
[i
+ 1] == '\n' && data
[i
+ 1] == 0)
843 get_response (gnutls_session_t session
, char *request
,
844 char **response
, int *response_length
)
850 if (strncmp (request
, "GET ", 4))
853 if (!(h
= strchr (request
, '\n')))
857 while (*h
== '\r' || *h
== '\n')
860 if (!(p
= strchr (request
+ 4, ' ')))
864 /* *response = peer_print_info(session, request+4, h, response_length); */
867 *response
= peer_print_info (session
, response_length
, h
);
872 fprintf (stderr
, "received: %s\n", request
);
873 if (check_command (session
, request
))
876 *response_length
= 0;
879 *response
= strdup (request
);
880 *response_length
= ((*response
) ? strlen (*response
) : 0);
886 *response
= strdup (HTTP_UNIMPLEMENTED
);
887 *response_length
= ((*response
) ? strlen (*response
) : 0);
890 static void terminate (int sig
) __attribute__ ((noreturn
));
895 fprintf (stderr
, "Exiting via signal %d\n", sig
);
901 check_alert (gnutls_session_t session
, int ret
)
903 if (ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
904 || ret
== GNUTLS_E_FATAL_ALERT_RECEIVED
)
906 int last_alert
= gnutls_alert_get (session
);
907 if (last_alert
== GNUTLS_A_NO_RENEGOTIATION
&&
908 ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
)
910 ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n");
912 printf ("* Received alert '%d': %s.\n", last_alert
,
913 gnutls_alert_get_name (last_alert
));
918 tls_log_func (int level
, const char *str
)
920 fprintf (stderr
, "|<%d>| %s", level
, str
);
924 tls_audit_log_func (gnutls_session_t session
, const char *str
)
926 fprintf (stderr
, "|<%p>| %s", session
, str
);
930 main (int argc
, char **argv
)
935 set_program_name (argv
[0]);
936 cmd_parser (argc
, argv
);
939 signal (SIGHUP
, SIG_IGN
);
940 signal (SIGTERM
, terminate
);
941 if (signal (SIGINT
, terminate
) == SIG_IGN
)
942 signal (SIGINT
, SIG_IGN
); /* e.g. background process */
951 strcpy (name
, "UDP ");
957 strcat (name
, "HTTP Server");
961 strcat (name
, "Echo Server");
964 gnutls_global_set_log_function (tls_log_func
);
965 gnutls_global_set_audit_log_function (tls_audit_log_func
);
966 gnutls_global_set_log_level (debug
);
968 if ((ret
= gnutls_global_init ()) < 0)
970 fprintf (stderr
, "global_init: %s\n", gnutls_strerror (ret
));
978 /* Note that servers must generate parameters for
979 * Diffie-Hellman. See gnutls_dh_params_generate(), and
980 * gnutls_dh_params_set().
984 generate_rsa_params ();
985 generate_dh_primes ();
987 else if (dh_params_file
)
996 if (gnutls_certificate_allocate_credentials (&cert_cred
) < 0)
998 fprintf (stderr
, "memory error\n");
1002 if (x509_cafile
!= NULL
)
1004 if ((ret
= gnutls_certificate_set_x509_trust_file
1005 (cert_cred
, x509_cafile
, x509ctype
)) < 0)
1007 fprintf (stderr
, "Error reading '%s'\n", x509_cafile
);
1013 printf ("Processed %d CA certificate(s).\n", ret
);
1016 if (x509_crlfile
!= NULL
)
1018 if ((ret
= gnutls_certificate_set_x509_crl_file
1019 (cert_cred
, x509_crlfile
, x509ctype
)) < 0)
1021 fprintf (stderr
, "Error reading '%s'\n", x509_crlfile
);
1027 printf ("Processed %d CRL(s).\n", ret
);
1031 #ifdef ENABLE_OPENPGP
1032 if (pgp_keyring
!= NULL
)
1035 gnutls_certificate_set_openpgp_keyring_file (cert_cred
, pgp_keyring
,
1036 GNUTLS_OPENPGP_FMT_BASE64
);
1039 fprintf (stderr
, "Error setting the OpenPGP keyring file\n");
1044 if (HAVE_OPT (PGPCERTFILE
))
1046 if (HAVE_OPT (PGPSUBKEY
))
1047 ret
= gnutls_certificate_set_openpgp_key_file2
1048 (cert_cred
, pgp_certfile
, pgp_keyfile
, OPT_ARG (PGPSUBKEY
),
1049 GNUTLS_OPENPGP_FMT_BASE64
);
1051 ret
= gnutls_certificate_set_openpgp_key_file
1052 (cert_cred
, pgp_certfile
, pgp_keyfile
, GNUTLS_OPENPGP_FMT_BASE64
);
1057 "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
1058 ret
, pgp_certfile
, pgp_keyfile
);
1064 if (x509_certfile
!= NULL
)
1065 if ((ret
= gnutls_certificate_set_x509_key_file
1066 (cert_cred
, x509_certfile
, x509_keyfile
, x509ctype
)) < 0)
1069 "Error reading '%s' or '%s'\n", x509_certfile
, x509_keyfile
);
1074 if (x509_dsacertfile
!= NULL
)
1075 if ((ret
= gnutls_certificate_set_x509_key_file
1076 (cert_cred
, x509_dsacertfile
, x509_dsakeyfile
, x509ctype
)) < 0)
1078 fprintf (stderr
, "Error reading '%s' or '%s'\n",
1079 x509_dsacertfile
, x509_dsakeyfile
);
1084 if (x509_ecccertfile
!= NULL
)
1085 if ((ret
= gnutls_certificate_set_x509_key_file
1086 (cert_cred
, x509_ecccertfile
, x509_ecckeyfile
, x509ctype
)) < 0)
1088 fprintf (stderr
, "Error reading '%s' or '%s'\n",
1089 x509_ecccertfile
, x509_ecckeyfile
);
1094 /* OCSP status-request TLS extension */
1095 if (status_response_ocsp
)
1097 if (gnutls_certificate_set_ocsp_status_request_file (cert_cred
, status_response_ocsp
, 0) < 0)
1099 fprintf (stderr
, "Cannot set OCSP status request file: %s\n", gnutls_strerror(ret
));
1104 gnutls_certificate_set_params_function (cert_cred
, get_params
);
1105 /* gnutls_certificate_set_dh_params(cert_cred, dh_params);
1106 * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
1109 /* this is a password file (created with the included srpcrypt utility)
1110 * Read README.crypt prior to using SRP.
1113 if (srp_passwd
!= NULL
)
1115 gnutls_srp_allocate_server_credentials (&srp_cred
);
1118 gnutls_srp_set_server_credentials_file (srp_cred
, srp_passwd
,
1119 srp_passwd_conf
)) < 0)
1121 /* only exit is this function is not disabled
1123 fprintf (stderr
, "Error while setting SRP parameters\n");
1129 /* this is a password file
1132 if (psk_passwd
!= NULL
)
1134 gnutls_psk_allocate_server_credentials (&psk_cred
);
1137 gnutls_psk_set_server_credentials_file (psk_cred
, psk_passwd
)) < 0)
1139 /* only exit is this function is not disabled
1141 fprintf (stderr
, "Error while setting PSK parameters\n");
1145 if (HAVE_OPT (PSKHINT
))
1147 ret
= gnutls_psk_set_server_credentials_hint (psk_cred
,
1151 fprintf (stderr
, "Error setting PSK identity hint.\n");
1156 gnutls_psk_set_server_params_function (psk_cred
, get_params
);
1161 gnutls_anon_allocate_server_credentials (&dh_cred
);
1162 gnutls_anon_set_server_params_function (dh_cred
, get_params
);
1164 /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
1167 #ifdef ENABLE_SESSION_TICKET
1169 gnutls_session_ticket_key_generate (&session_ticket_key
);
1173 mtu
= OPT_VALUE_MTU
;
1177 if (HAVE_OPT (PORT
))
1178 port
= OPT_VALUE_PORT
;
1183 udp_server (name
, port
, mtu
);
1185 tcp_server (name
, port
);
1189 tcp_server (const char *name
, int port
)
1194 struct sockaddr_storage client_address
;
1197 s
= listen_socket (name
, port
, SOCK_STREAM
);
1213 /* flag which connections we are reading or writing to within the fd sets */
1214 lloopstart (listener_list
, j
)
1218 val
= fcntl (j
->fd
, F_GETFL
, 0);
1219 if ((val
== -1) || (fcntl (j
->fd
, F_SETFL
, val
| O_NONBLOCK
) < 0))
1226 if (j
->listen_socket
)
1228 FD_SET (j
->fd
, &rd
);
1231 if (j
->http_state
== HTTP_STATE_REQUEST
)
1233 FD_SET (j
->fd
, &rd
);
1236 if (j
->http_state
== HTTP_STATE_RESPONSE
)
1238 FD_SET (j
->fd
, &wr
);
1242 lloopend (listener_list
, j
);
1244 /* core operation */
1245 n
= select (n
+ 1, &rd
, &wr
, NULL
, NULL
);
1246 if (n
== -1 && errno
== EINTR
)
1250 perror ("select()");
1254 /* read or write to each connection as indicated by select()'s return argument */
1255 lloopstart (listener_list
, j
)
1258 /* a new connection has arrived */
1259 if (FD_ISSET (j
->fd
, &rd
) && j
->listen_socket
)
1261 gnutls_session_t tls_session
;
1263 tls_session
= initialize_session (0);
1265 calen
= sizeof (client_address
);
1266 memset (&client_address
, 0, calen
);
1267 accept_fd
= accept (j
->fd
, (struct sockaddr
*) &client_address
,
1272 perror ("accept()");
1279 /* new list entry for the connection */
1280 lappend (listener_list
);
1281 j
= listener_list
.tail
;
1282 j
->http_request
= (char *) strdup ("");
1283 j
->http_state
= HTTP_STATE_REQUEST
;
1286 j
->tls_session
= tls_session
;
1287 gnutls_transport_set_ptr (tls_session
,
1288 (gnutls_transport_ptr_t
)
1289 gl_fd_to_handle (accept_fd
));
1290 j
->handshake_ok
= 0;
1296 ctt
[strlen (ctt
) - 1] = 0;
1298 printf ("\n* Accepted connection from %s on %s\n",
1299 human_addr ((struct sockaddr
*)
1300 &client_address
, calen
, topbuf
,
1301 sizeof (topbuf
)), ctt
);
1306 if (FD_ISSET (j
->fd
, &rd
) && !j
->listen_socket
)
1308 /* read partial GET request */
1312 if (j
->handshake_ok
== 0)
1314 r
= gnutls_handshake (j
->tls_session
);
1315 if (r
< 0 && gnutls_error_is_fatal (r
) == 0)
1317 check_alert (j
->tls_session
, r
);
1320 else if (r
< 0 && gnutls_error_is_fatal (r
) == 1)
1322 check_alert (j
->tls_session
, r
);
1323 fprintf (stderr
, "Error in handshake\n");
1329 gnutls_alert_send_appropriate (j
->tls_session
, r
);
1331 while (ret
== GNUTLS_E_AGAIN
1332 || ret
== GNUTLS_E_INTERRUPTED
);
1333 j
->http_state
= HTTP_STATE_CLOSING
;
1337 if (gnutls_session_is_resumed (j
->tls_session
) != 0
1339 printf ("*** This is a resumed session\n");
1343 printf ("\n* Successful handshake from %s\n",
1344 human_addr ((struct sockaddr
*)
1345 &client_address
, calen
, topbuf
,
1347 print_info (j
->tls_session
, verbose
, verbose
);
1348 if (gnutls_auth_get_type (j
->tls_session
) ==
1349 GNUTLS_CRD_CERTIFICATE
)
1350 cert_verify (j
->tls_session
, NULL
);
1352 j
->handshake_ok
= 1;
1356 if (j
->handshake_ok
== 1)
1358 r
= gnutls_record_recv (j
->tls_session
, buf
,
1359 MIN (1024, SMALL_READ_TEST
));
1360 if (r
== GNUTLS_E_HEARTBEAT_PING_RECEIVED
)
1362 gnutls_heartbeat_pong(j
->tls_session
, 0);
1364 if (r
== GNUTLS_E_INTERRUPTED
|| r
== GNUTLS_E_AGAIN
)
1370 if (r
== GNUTLS_E_REHANDSHAKE
)
1372 fprintf (stderr
, "*** Received hello message\n");
1375 r
= gnutls_handshake (j
->tls_session
);
1377 while (r
== GNUTLS_E_INTERRUPTED
1378 || r
== GNUTLS_E_AGAIN
);
1384 ret
= gnutls_alert_send_appropriate
1385 (j
->tls_session
, r
);
1387 while (ret
== GNUTLS_E_AGAIN
1388 || ret
== GNUTLS_E_INTERRUPTED
);
1391 j
->http_state
= HTTP_STATE_CLOSING
;
1398 if (r
!= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
)
1400 j
->http_state
= HTTP_STATE_CLOSING
;
1401 check_alert (j
->tls_session
, r
);
1403 "Error while receiving data\n");
1412 realloc (j
->http_request
, j
->request_length
+ r
+ 1);
1413 if (j
->http_request
!= NULL
)
1415 memcpy (j
->http_request
+ j
->request_length
, buf
, r
);
1416 j
->request_length
+= r
;
1417 j
->http_request
[j
->request_length
] = '\0';
1420 j
->http_state
= HTTP_STATE_CLOSING
;
1423 /* check if we have a full HTTP header */
1425 j
->http_response
= NULL
;
1426 if (j
->http_request
!= NULL
)
1428 if ((http
== 0 && strchr (j
->http_request
, '\n'))
1429 || strstr (j
->http_request
, "\r\n\r\n")
1430 || strstr (j
->http_request
, "\n\n"))
1432 get_response (j
->tls_session
, j
->http_request
,
1433 &j
->http_response
, &j
->response_length
);
1434 j
->http_state
= HTTP_STATE_RESPONSE
;
1435 j
->response_written
= 0;
1440 if (FD_ISSET (j
->fd
, &wr
))
1442 /* write partial response request */
1445 if (j
->handshake_ok
== 0)
1447 r
= gnutls_handshake (j
->tls_session
);
1448 if (r
< 0 && gnutls_error_is_fatal (r
) == 0)
1450 check_alert (j
->tls_session
, r
);
1453 else if (r
< 0 && gnutls_error_is_fatal (r
) == 1)
1457 j
->http_state
= HTTP_STATE_CLOSING
;
1458 check_alert (j
->tls_session
, r
);
1459 fprintf (stderr
, "Error in handshake\n");
1465 gnutls_alert_send_appropriate (j
->tls_session
, r
);
1467 while (ret
== GNUTLS_E_AGAIN
);
1471 if (gnutls_session_is_resumed (j
->tls_session
) != 0
1473 printf ("*** This is a resumed session\n");
1476 printf ("- connection from %s\n",
1477 human_addr ((struct sockaddr
*)
1478 &client_address
, calen
, topbuf
,
1481 print_info (j
->tls_session
, verbose
, verbose
);
1482 if (gnutls_auth_get_type (j
->tls_session
) ==
1483 GNUTLS_CRD_CERTIFICATE
)
1484 cert_verify (j
->tls_session
, NULL
);
1486 j
->handshake_ok
= 1;
1490 if (j
->handshake_ok
== 1 && j
->http_response
!= NULL
)
1492 /* FIXME if j->http_response == NULL? */
1493 r
= gnutls_record_send (j
->tls_session
,
1495 j
->response_written
,
1496 MIN (j
->response_length
-
1497 j
->response_written
,
1499 if (r
== GNUTLS_E_INTERRUPTED
|| r
== GNUTLS_E_AGAIN
)
1506 j
->http_state
= HTTP_STATE_CLOSING
;
1509 j
->http_state
= HTTP_STATE_REQUEST
;
1510 free (j
->http_response
);
1511 j
->response_length
= 0;
1512 j
->request_length
= 0;
1513 j
->http_request
[0] = 0;
1518 fprintf (stderr
, "Error while sending data\n");
1521 check_alert (j
->tls_session
, r
);
1525 j
->response_written
+= r
;
1526 /* check if we have written a complete response */
1527 if (j
->response_written
== j
->response_length
)
1530 j
->http_state
= HTTP_STATE_CLOSING
;
1533 j
->http_state
= HTTP_STATE_REQUEST
;
1534 free (j
->http_response
);
1535 j
->response_length
= 0;
1536 j
->request_length
= 0;
1537 j
->http_request
[0] = 0;
1544 j
->request_length
= 0;
1545 j
->http_request
[0] = 0;
1546 j
->http_state
= HTTP_STATE_REQUEST
;
1550 lloopend (listener_list
, j
);
1552 /* loop through all connections, closing those that are in error */
1553 lloopstart (listener_list
, j
)
1555 if (j
->http_state
== HTTP_STATE_CLOSING
)
1557 ldeleteinc (listener_list
, j
);
1560 lloopend (listener_list
, j
);
1564 gnutls_certificate_free_credentials (cert_cred
);
1568 gnutls_srp_free_server_credentials (srp_cred
);
1573 gnutls_psk_free_server_credentials (psk_cred
);
1577 gnutls_anon_free_server_credentials (dh_cred
);
1580 #ifdef ENABLE_SESSION_TICKET
1582 gnutls_free (session_ticket_key
.data
);
1587 gnutls_global_deinit ();
1592 cmd_parser (int argc
, char **argv
)
1594 optionProcess (&gnutls_servOptions
, argc
, argv
);
1596 disable_client_cert
= HAVE_OPT (DISABLE_CLIENT_CERT
);
1597 require_cert
= HAVE_OPT (REQUIRE_CLIENT_CERT
);
1598 if (HAVE_OPT (DEBUG
))
1599 debug
= OPT_VALUE_DEBUG
;
1601 if (HAVE_OPT (QUIET
))
1604 if (HAVE_OPT (PRIORITY
))
1605 priorities
= OPT_ARG (PRIORITY
);
1607 if (HAVE_OPT (LIST
))
1609 print_list (priorities
, verbose
);
1613 nodb
= HAVE_OPT (NODB
);
1614 noticket
= HAVE_OPT (NOTICKET
);
1616 if (HAVE_OPT (ECHO
))
1621 if (HAVE_OPT (X509FMTDER
))
1622 x509ctype
= GNUTLS_X509_FMT_DER
;
1624 x509ctype
= GNUTLS_X509_FMT_PEM
;
1626 generate
= HAVE_OPT (GENERATE
);
1628 if (HAVE_OPT (DHPARAMS
))
1629 dh_params_file
= OPT_ARG (DHPARAMS
);
1631 if (HAVE_OPT (X509KEYFILE
))
1632 x509_keyfile
= OPT_ARG (X509KEYFILE
);
1633 if (HAVE_OPT (X509CERTFILE
))
1634 x509_certfile
= OPT_ARG (X509CERTFILE
);
1636 if (HAVE_OPT (X509DSAKEYFILE
))
1637 x509_dsakeyfile
= OPT_ARG (X509DSAKEYFILE
);
1638 if (HAVE_OPT (X509DSACERTFILE
))
1639 x509_dsacertfile
= OPT_ARG (X509DSACERTFILE
);
1642 if (HAVE_OPT (X509ECCKEYFILE
))
1643 x509_ecckeyfile
= OPT_ARG (X509ECCKEYFILE
);
1644 if (HAVE_OPT (X509CERTFILE
))
1645 x509_ecccertfile
= OPT_ARG (X509ECCCERTFILE
);
1647 if (HAVE_OPT (X509CAFILE
))
1648 x509_cafile
= OPT_ARG (X509CAFILE
);
1649 if (HAVE_OPT (X509CRLFILE
))
1650 x509_crlfile
= OPT_ARG (X509CRLFILE
);
1652 if (HAVE_OPT (PGPKEYFILE
))
1653 pgp_keyfile
= OPT_ARG (PGPKEYFILE
);
1654 if (HAVE_OPT (PGPCERTFILE
))
1655 pgp_certfile
= OPT_ARG (PGPCERTFILE
);
1657 if (HAVE_OPT (PGPKEYRING
))
1658 pgp_keyring
= OPT_ARG (PGPKEYRING
);
1660 if (HAVE_OPT (SRPPASSWD
))
1661 srp_passwd
= OPT_ARG (SRPPASSWD
);
1662 if (HAVE_OPT (SRPPASSWDCONF
))
1663 srp_passwd_conf
= OPT_ARG (SRPPASSWDCONF
);
1665 if (HAVE_OPT (PSKPASSWD
))
1666 psk_passwd
= OPT_ARG (PSKPASSWD
);
1668 if (HAVE_OPT(OCSP_RESPONSE
))
1669 status_response_ocsp
= OPT_ARG(OCSP_RESPONSE
);
1673 /* session resuming support */
1675 #define SESSION_ID_SIZE 32
1676 #define SESSION_DATA_SIZE 1024
1680 char session_id
[SESSION_ID_SIZE
];
1681 unsigned int session_id_size
;
1683 char session_data
[SESSION_DATA_SIZE
];
1684 unsigned int session_data_size
;
1687 static CACHE
*cache_db
;
1688 int cache_db_ptr
= 0;
1693 /* allocate cache_db */
1694 cache_db
= calloc (1, ssl_session_cache
* sizeof (CACHE
));
1698 wrap_db_deinit (void)
1703 wrap_db_store (void *dbf
, gnutls_datum_t key
, gnutls_datum_t data
)
1706 if (cache_db
== NULL
)
1709 if (key
.size
> SESSION_ID_SIZE
)
1711 if (data
.size
> SESSION_DATA_SIZE
)
1714 memcpy (cache_db
[cache_db_ptr
].session_id
, key
.data
, key
.size
);
1715 cache_db
[cache_db_ptr
].session_id_size
= key
.size
;
1717 memcpy (cache_db
[cache_db_ptr
].session_data
, data
.data
, data
.size
);
1718 cache_db
[cache_db_ptr
].session_data_size
= data
.size
;
1721 cache_db_ptr
%= ssl_session_cache
;
1726 static gnutls_datum_t
1727 wrap_db_fetch (void *dbf
, gnutls_datum_t key
)
1729 gnutls_datum_t res
= { NULL
, 0 };
1732 if (cache_db
== NULL
)
1735 for (i
= 0; i
< ssl_session_cache
; i
++)
1737 if (key
.size
== cache_db
[i
].session_id_size
&&
1738 memcmp (key
.data
, cache_db
[i
].session_id
, key
.size
) == 0)
1740 res
.size
= cache_db
[i
].session_data_size
;
1742 res
.data
= gnutls_malloc (res
.size
);
1743 if (res
.data
== NULL
)
1746 memcpy (res
.data
, cache_db
[i
].session_data
, res
.size
);
1755 wrap_db_delete (void *dbf
, gnutls_datum_t key
)
1759 if (cache_db
== NULL
)
1762 for (i
= 0; i
< ssl_session_cache
; i
++)
1764 if (key
.size
== (unsigned int) cache_db
[i
].session_id_size
&&
1765 memcmp (key
.data
, cache_db
[i
].session_id
, key
.size
) == 0)
1768 cache_db
[i
].session_id_size
= 0;
1769 cache_db
[i
].session_data_size
= 0;