2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2001,2002 Paul Sheer
4 * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * GnuTLS is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This server is heavily modified for GnuTLS by Nikos Mavrogiannopoulos
23 * (which means it is quite unreadable)
29 #include "serv-args.h"
33 #include <sys/types.h>
35 #include <gnutls/gnutls.h>
36 #include <gnutls/dtls.h>
37 #include <gnutls/openpgp.h>
39 #include <sys/select.h>
46 /* Gnulib portability files. */
48 #include "version-etc.h"
49 #include "read-file.h"
54 /* konqueror cannot handle sending the page in multiple
58 static int generate
= 0;
63 unsigned int verbose
= 1;
67 int disable_client_cert
;
69 const char *psk_passwd
= NULL
;
70 const char *srp_passwd
= NULL
;
71 const char *srp_passwd_conf
= NULL
;
72 const char *pgp_keyring
= NULL
;
73 const char *pgp_keyfile
= NULL
;
74 const char *pgp_certfile
= NULL
;
75 const char *x509_keyfile
= NULL
;
76 const char *x509_certfile
= NULL
;
77 const char *x509_dsakeyfile
= NULL
;
78 const char *x509_dsacertfile
= NULL
;
79 const char *x509_ecckeyfile
= NULL
;
80 const char *x509_ecccertfile
= NULL
;
81 const char *x509_cafile
= NULL
;
82 const char *dh_params_file
= NULL
;
83 const char *x509_crlfile
= NULL
;
84 const char *priorities
= NULL
;
86 gnutls_datum_t session_ticket_key
;
87 static void tcp_server (const char *name
, int port
);
91 /* This is a sample TCP echo server.
92 * This will behave as an http server if any argument in the
93 * command line is present
96 #define SMALL_READ_TEST (2147483647)
98 #define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
100 #define HTTP_END "</BODY></HTML>\n\n"
102 #define HTTP_UNIMPLEMENTED "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n<HR>\r\n</BODY></HTML>\r\n"
103 #define HTTP_OK "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
105 #define HTTP_BEGIN HTTP_OK \
108 "<CENTER><H1>This is <a href=\"http://www.gnu.org/software/gnutls\">" \
109 "GnuTLS</a></H1></CENTER>\n\n"
111 /* These are global */
112 gnutls_srp_server_credentials_t srp_cred
= NULL
;
113 gnutls_psk_server_credentials_t psk_cred
= NULL
;
114 gnutls_anon_server_credentials_t dh_cred
= NULL
;
115 gnutls_certificate_credentials_t cert_cred
= NULL
;
117 const int ssl_session_cache
= 128;
119 static void wrap_db_init (void);
120 static void wrap_db_deinit (void);
121 static int wrap_db_store (void *dbf
, gnutls_datum_t key
, gnutls_datum_t data
);
122 static gnutls_datum_t
wrap_db_fetch (void *dbf
, gnutls_datum_t key
);
123 static int wrap_db_delete (void *dbf
, gnutls_datum_t key
);
125 static void cmd_parser (int argc
, char **argv
);
128 #define HTTP_STATE_REQUEST 1
129 #define HTTP_STATE_RESPONSE 2
130 #define HTTP_STATE_CLOSING 3
132 LIST_TYPE_DECLARE (listener_item
, char *http_request
;
133 char *http_response
; int request_length
;
134 int response_length
; int response_written
;
135 int http_state
; int listen_socket
;
136 int fd
; gnutls_session_t tls_session
; int handshake_ok
;);
139 safe_strerror (int value
)
141 const char *ret
= gnutls_strerror (value
);
148 listener_free (listener_item
* j
)
151 free (j
->http_request
);
152 free (j
->http_response
);
155 gnutls_bye (j
->tls_session
, GNUTLS_SHUT_WR
);
158 gnutls_deinit (j
->tls_session
);
163 /* we use primes up to 1024 in this server.
164 * otherwise we should add them here.
167 gnutls_dh_params_t dh_params
= NULL
;
168 gnutls_rsa_params_t rsa_params
= NULL
;
171 generate_dh_primes (void)
174 gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH
, GNUTLS_SEC_PARAM_NORMAL
);
176 if (gnutls_dh_params_init (&dh_params
) < 0)
178 fprintf (stderr
, "Error in dh parameter initialization\n");
182 /* Generate Diffie-Hellman parameters - for use with DHE
183 * kx algorithms. These should be discarded and regenerated
184 * once a week or once a month. Depends on the
185 * security requirements.
188 ("Generating Diffie-Hellman parameters [%d]. Please wait...\n",
192 if (gnutls_dh_params_generate2 (dh_params
, prime_bits
) < 0)
194 fprintf (stderr
, "Error in prime generation\n");
202 read_dh_params (void)
206 gnutls_datum_t params
;
209 if (gnutls_dh_params_init (&dh_params
) < 0)
211 fprintf (stderr
, "Error in dh parameter initialization\n");
215 /* read the params file
217 fd
= fopen (dh_params_file
, "r");
220 fprintf (stderr
, "Could not open %s\n", dh_params_file
);
224 size
= fread (tmpdata
, 1, sizeof (tmpdata
) - 1, fd
);
228 params
.data
= (unsigned char *) tmpdata
;
232 gnutls_dh_params_import_pkcs3 (dh_params
, ¶ms
, GNUTLS_X509_FMT_PEM
);
236 fprintf (stderr
, "Error parsing dh params: %s\n", safe_strerror (size
));
240 printf ("Read Diffie-Hellman parameters.\n");
245 static char pkcs3
[] =
246 "-----BEGIN DH PARAMETERS-----\n"
247 "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
248 "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
249 "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
250 "-----END DH PARAMETERS-----\n";
253 static_dh_params (void)
255 gnutls_datum_t params
= { (void *) pkcs3
, sizeof (pkcs3
) };
258 if (gnutls_dh_params_init (&dh_params
) < 0)
260 fprintf (stderr
, "Error in dh parameter initialization\n");
264 ret
= gnutls_dh_params_import_pkcs3 (dh_params
, ¶ms
,
265 GNUTLS_X509_FMT_PEM
);
269 fprintf (stderr
, "Error parsing dh params: %s\n", safe_strerror (ret
));
273 printf ("Set static Diffie-Hellman parameters, consider --dhparams.\n");
279 get_params (gnutls_session_t session
, gnutls_params_type_t type
,
280 gnutls_params_st
* st
)
283 if (type
== GNUTLS_PARAMS_RSA_EXPORT
)
285 if (rsa_params
== NULL
)
287 st
->params
.rsa_export
= rsa_params
;
289 else if (type
== GNUTLS_PARAMS_DH
)
291 if (dh_params
== NULL
)
293 st
->params
.dh
= dh_params
;
305 generate_rsa_params (void)
307 if (gnutls_rsa_params_init (&rsa_params
) < 0)
309 fprintf (stderr
, "Error in rsa parameter initialization\n");
313 /* Generate RSA parameters - for use with RSA-export
314 * cipher suites. These should be discarded and regenerated
315 * once a day, once every 500 transactions etc. Depends on the
316 * security requirements.
318 printf ("Generating temporary RSA parameters. Please wait...\n");
321 if (gnutls_rsa_params_generate2 (rsa_params
, 512) < 0)
323 fprintf (stderr
, "Error in rsa parameter generation\n");
330 LIST_DECLARE_INIT (listener_list
, listener_item
, listener_free
);
333 initialize_session (int dtls
)
335 gnutls_session_t session
;
338 if (priorities
== NULL
)
339 priorities
= "NORMAL";
342 gnutls_init (&session
, GNUTLS_SERVER
| GNUTLS_DATAGRAM
);
344 gnutls_init (&session
, GNUTLS_SERVER
);
346 /* allow the use of private ciphersuites.
348 gnutls_handshake_set_private_extensions (session
, 1);
352 gnutls_db_set_retrieve_function (session
, wrap_db_fetch
);
353 gnutls_db_set_remove_function (session
, wrap_db_delete
);
354 gnutls_db_set_store_function (session
, wrap_db_store
);
355 gnutls_db_set_ptr (session
, NULL
);
357 #ifdef ENABLE_SESSION_TICKET
359 gnutls_session_ticket_enable_server (session
, &session_ticket_key
);
362 if (gnutls_priority_set_direct (session
, priorities
, &err
) < 0)
364 fprintf (stderr
, "Syntax error at: %s\n", err
);
368 gnutls_credentials_set (session
, GNUTLS_CRD_ANON
, dh_cred
);
370 if (srp_cred
!= NULL
)
371 gnutls_credentials_set (session
, GNUTLS_CRD_SRP
, srp_cred
);
373 if (psk_cred
!= NULL
)
374 gnutls_credentials_set (session
, GNUTLS_CRD_PSK
, psk_cred
);
376 if (cert_cred
!= NULL
)
377 gnutls_credentials_set (session
, GNUTLS_CRD_CERTIFICATE
, cert_cred
);
379 if (disable_client_cert
)
380 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_IGNORE
);
384 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_REQUIRE
);
386 gnutls_certificate_server_set_request (session
, GNUTLS_CERT_REQUEST
);
389 if (HAVE_OPT (HEARTBEAT
))
390 gnutls_heartbeat_enable(session
, GNUTLS_HB_PEER_ALLOWED_TO_SEND
);
395 #include <gnutls/x509.h>
397 static const char DEFAULT_DATA
[] =
398 "This is the default message reported by the GnuTLS implementation. "
399 "For more information please visit "
400 "<a href=\"http://www.gnutls.org/\">http://www.gnutls.org/</a>.";
402 /* Creates html with the current session information.
404 #define tmp_buffer &http_buffer[strlen(http_buffer)]
405 #define tmp_buffer_size len-strlen(http_buffer)
407 peer_print_info (gnutls_session_t session
, int *ret_length
,
411 unsigned char sesid
[32];
412 size_t i
, sesid_size
;
414 gnutls_kx_algorithm_t kx_alg
;
415 size_t len
= 20 * 1024 + strlen (header
);
416 char *crtinfo
= NULL
;
421 http_buffer
= malloc (len
);
422 if (http_buffer
== NULL
)
425 strcpy (http_buffer
, HTTP_BEGIN
);
426 strcpy (&http_buffer
[sizeof (HTTP_BEGIN
) - 1], DEFAULT_DATA
);
427 strcpy (&http_buffer
[sizeof (HTTP_BEGIN
) + sizeof (DEFAULT_DATA
) - 2],
430 sizeof (DEFAULT_DATA
) + sizeof (HTTP_BEGIN
) + sizeof (HTTP_END
) - 3;
434 if (gnutls_certificate_type_get (session
) == GNUTLS_CRT_X509
)
436 const gnutls_datum_t
*cert_list
;
437 unsigned int cert_list_size
= 0;
439 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
441 for (i
= 0; i
< cert_list_size
; i
++)
443 gnutls_x509_crt_t cert
;
446 if (gnutls_x509_crt_init (&cert
) == 0 &&
447 gnutls_x509_crt_import (cert
, &cert_list
[i
],
448 GNUTLS_X509_FMT_DER
) == 0 &&
449 gnutls_x509_crt_print (cert
, GNUTLS_CRT_PRINT_FULL
, &info
) == 0)
451 const char *post
= "</PRE><P><PRE>";
453 crtinfo
= realloc (crtinfo
, ncrtinfo
+ info
.size
+
457 memcpy (crtinfo
+ ncrtinfo
, info
.data
, info
.size
);
458 ncrtinfo
+= info
.size
;
459 memcpy (crtinfo
+ ncrtinfo
, post
, strlen (post
));
460 ncrtinfo
+= strlen (post
);
461 crtinfo
[ncrtinfo
] = '\0';
462 gnutls_free (info
.data
);
467 http_buffer
= malloc (len
);
468 if (http_buffer
== NULL
)
474 strcpy (http_buffer
, HTTP_BEGIN
);
476 /* print session_id */
477 gnutls_session_get_id (session
, sesid
, &sesid_size
);
478 snprintf (tmp_buffer
, tmp_buffer_size
, "\n<p>Session ID: <i>");
479 for (i
= 0; i
< sesid_size
; i
++)
480 snprintf (tmp_buffer
, tmp_buffer_size
, "%.2X", sesid
[i
]);
481 snprintf (tmp_buffer
, tmp_buffer_size
, "</i></p>\n");
482 snprintf (tmp_buffer
, tmp_buffer_size
,
483 "<h5>If your browser supports session resuming, then you should see the "
484 "same session ID, when you press the <b>reload</b> button.</h5>\n");
486 /* Here unlike print_info() we use the kx algorithm to distinguish
487 * the functions to call.
491 size_t dns_size
= sizeof (dns
);
494 if (gnutls_server_name_get (session
, dns
, &dns_size
, &type
, 0) == 0)
496 snprintf (tmp_buffer
, tmp_buffer_size
, "\n<p>Server Name: %s</p>\n",
502 kx_alg
= gnutls_kx_get (session
);
504 /* print srp specific data */
506 if (kx_alg
== GNUTLS_KX_SRP
)
508 snprintf (tmp_buffer
, tmp_buffer_size
,
509 "<p>Connected as user '%s'.</p>\n",
510 gnutls_srp_server_get_username (session
));
515 if (kx_alg
== GNUTLS_KX_PSK
)
517 snprintf (tmp_buffer
, tmp_buffer_size
,
518 "<p>Connected as user '%s'.</p>\n",
519 gnutls_psk_server_get_username (session
));
524 if (kx_alg
== GNUTLS_KX_ANON_DH
)
526 snprintf (tmp_buffer
, tmp_buffer_size
,
527 "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
528 gnutls_dh_get_prime_bits (session
));
532 if (kx_alg
== GNUTLS_KX_DHE_RSA
|| kx_alg
== GNUTLS_KX_DHE_DSS
)
534 snprintf (tmp_buffer
, tmp_buffer_size
,
535 "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
536 gnutls_dh_get_prime_bits (session
));
539 /* print session information */
540 strcat (http_buffer
, "<P>\n");
542 tmp
= gnutls_protocol_get_name (gnutls_protocol_get_version (session
));
545 snprintf (tmp_buffer
, tmp_buffer_size
,
546 "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
549 if (gnutls_auth_get_type (session
) == GNUTLS_CRD_CERTIFICATE
)
552 gnutls_certificate_type_get_name (gnutls_certificate_type_get
556 snprintf (tmp_buffer
, tmp_buffer_size
,
557 "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp
);
560 tmp
= gnutls_kx_get_name (kx_alg
);
563 snprintf (tmp_buffer
, tmp_buffer_size
,
564 "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp
);
566 tmp
= gnutls_compression_get_name (gnutls_compression_get (session
));
569 snprintf (tmp_buffer
, tmp_buffer_size
,
570 "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp
);
572 tmp
= gnutls_cipher_get_name (gnutls_cipher_get (session
));
575 snprintf (tmp_buffer
, tmp_buffer_size
,
576 "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp
);
578 tmp
= gnutls_mac_get_name (gnutls_mac_get (session
));
581 snprintf (tmp_buffer
, tmp_buffer_size
, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n",
584 tmp
= gnutls_cipher_suite_get_name (kx_alg
,
585 gnutls_cipher_get (session
),
586 gnutls_mac_get (session
));
589 snprintf (tmp_buffer
, tmp_buffer_size
,
590 "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n", tmp
);
594 snprintf (tmp_buffer
, tmp_buffer_size
, "<hr><PRE>%s\n</PRE>\n",
599 snprintf (tmp_buffer
, tmp_buffer_size
,
600 "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END
,
603 *ret_length
= strlen (http_buffer
);
609 human_addr (const struct sockaddr
*sa
, socklen_t salen
,
610 char *buf
, size_t buflen
)
612 const char *save_buf
= buf
;
620 switch (sa
->sa_family
)
624 snprintf (buf
, buflen
, "IPv6 ");
629 snprintf (buf
, buflen
, "IPv4 ");
637 if (getnameinfo (sa
, salen
, buf
, buflen
, NULL
, 0, NI_NUMERICHOST
) != 0)
644 strncat (buf
, " port ", buflen
);
650 if (getnameinfo (sa
, salen
, NULL
, 0, buf
, buflen
, NI_NUMERICSERV
) != 0)
657 wait_for_connection (void)
667 lloopstart (listener_list
, j
)
669 if (j
->listen_socket
)
675 lloopend (listener_list
, j
);
678 n
= select (n
+ 1, &rd
, &wr
, NULL
, NULL
);
679 if (n
== -1 && errno
== EINTR
)
687 /* find which one is ready */
688 lloopstart (listener_list
, j
)
690 /* a new connection has arrived */
691 if (FD_ISSET (j
->fd
, &rd
) && j
->listen_socket
)
697 lloopend (listener_list
, j
);
702 listen_socket (const char *name
, int listen_port
, int socktype
)
704 struct addrinfo hints
, *res
, *ptr
;
708 listener_item
*j
= NULL
;
710 snprintf (portname
, sizeof (portname
), "%d", listen_port
);
711 memset (&hints
, 0, sizeof (hints
));
712 hints
.ai_socktype
= socktype
;
713 hints
.ai_flags
= AI_PASSIVE
719 if ((s
= getaddrinfo (NULL
, portname
, &hints
, &res
)) != 0)
721 fprintf (stderr
, "getaddrinfo() failed: %s\n", gai_strerror (s
));
725 for (ptr
= res
; ptr
!= NULL
; ptr
= ptr
->ai_next
)
728 if (ptr
->ai_family
!= AF_INET
)
732 /* Print what we are doing. */
736 fprintf (stderr
, "%s listening on %s...",
737 name
, human_addr (ptr
->ai_addr
, ptr
->ai_addrlen
,
738 topbuf
, sizeof (topbuf
)));
741 if ((s
= socket (ptr
->ai_family
, ptr
->ai_socktype
,
742 ptr
->ai_protocol
)) < 0)
744 perror ("socket() failed");
748 #if defined(HAVE_IPV6) && !defined(_WIN32)
749 if (ptr
->ai_family
== AF_INET6
)
752 /* avoid listen on ipv6 addresses failing
753 * because already listening on ipv4 addresses: */
754 setsockopt (s
, IPPROTO_IPV6
, IPV6_V6ONLY
,
755 (const void *) &yes
, sizeof (yes
));
759 if (socktype
== SOCK_STREAM
)
762 if (setsockopt (s
, SOL_SOCKET
, SO_REUSEADDR
,
763 (const void *) &yes
, sizeof (yes
)) < 0)
765 perror ("setsockopt() failed");
772 #if defined(IP_DONTFRAG)
774 if (setsockopt (s
, IPPROTO_IP
, IP_DONTFRAG
,
775 (const void *) &yes
, sizeof (yes
)) < 0)
776 perror ("setsockopt(IP_DF) failed");
777 #elif defined(IP_MTU_DISCOVER)
778 yes
= IP_PMTUDISC_DO
;
779 if (setsockopt (s
, IPPROTO_IP
, IP_MTU_DISCOVER
,
780 (const void *) &yes
, sizeof (yes
)) < 0)
781 perror ("setsockopt(IP_DF) failed");
785 if (bind (s
, ptr
->ai_addr
, ptr
->ai_addrlen
) < 0)
787 perror ("bind() failed");
792 if (socktype
== SOCK_STREAM
)
794 if (listen (s
, 10) < 0)
796 perror ("listen() failed");
801 /* new list entry for the connection */
802 lappend (listener_list
);
803 j
= listener_list
.tail
;
804 j
->listen_socket
= 1;
807 /* Complete earlier message. */
808 fprintf (stderr
, "done\n");
818 /* strips \r\n from the end of the string
824 int len
= strlen (data
);
826 for (i
= 0; i
< len
; i
++)
828 if (data
[i
] == '\r' && data
[i
+ 1] == '\n' && data
[i
+ 1] == 0)
838 get_response (gnutls_session_t session
, char *request
,
839 char **response
, int *response_length
)
845 if (strncmp (request
, "GET ", 4))
848 if (!(h
= strchr (request
, '\n')))
852 while (*h
== '\r' || *h
== '\n')
855 if (!(p
= strchr (request
+ 4, ' ')))
859 /* *response = peer_print_info(session, request+4, h, response_length); */
862 *response
= peer_print_info (session
, response_length
, h
);
867 fprintf (stderr
, "received: %s\n", request
);
868 if (check_command (session
, request
))
871 *response_length
= 0;
874 *response
= strdup (request
);
875 *response_length
= ((*response
) ? strlen (*response
) : 0);
881 *response
= strdup (HTTP_UNIMPLEMENTED
);
882 *response_length
= ((*response
) ? strlen (*response
) : 0);
885 static void terminate (int sig
) __attribute__ ((noreturn
));
890 fprintf (stderr
, "Exiting via signal %d\n", sig
);
896 check_alert (gnutls_session_t session
, int ret
)
898 if (ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
899 || ret
== GNUTLS_E_FATAL_ALERT_RECEIVED
)
901 int last_alert
= gnutls_alert_get (session
);
902 if (last_alert
== GNUTLS_A_NO_RENEGOTIATION
&&
903 ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
)
905 ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n");
907 printf ("* Received alert '%d': %s.\n", last_alert
,
908 gnutls_alert_get_name (last_alert
));
913 tls_log_func (int level
, const char *str
)
915 fprintf (stderr
, "|<%d>| %s", level
, str
);
919 tls_audit_log_func (gnutls_session_t session
, const char *str
)
921 fprintf (stderr
, "|<%p>| %s", session
, str
);
925 main (int argc
, char **argv
)
930 set_program_name (argv
[0]);
931 cmd_parser (argc
, argv
);
934 signal (SIGHUP
, SIG_IGN
);
935 signal (SIGTERM
, terminate
);
936 if (signal (SIGINT
, terminate
) == SIG_IGN
)
937 signal (SIGINT
, SIG_IGN
); /* e.g. background process */
946 strcpy (name
, "UDP ");
952 strcat (name
, "HTTP Server");
956 strcat (name
, "Echo Server");
959 gnutls_global_set_log_function (tls_log_func
);
960 gnutls_global_set_audit_log_function (tls_audit_log_func
);
961 gnutls_global_set_log_level (debug
);
963 if ((ret
= gnutls_global_init ()) < 0)
965 fprintf (stderr
, "global_init: %s\n", gnutls_strerror (ret
));
973 /* Note that servers must generate parameters for
974 * Diffie-Hellman. See gnutls_dh_params_generate(), and
975 * gnutls_dh_params_set().
979 generate_rsa_params ();
980 generate_dh_primes ();
982 else if (dh_params_file
)
991 if (gnutls_certificate_allocate_credentials (&cert_cred
) < 0)
993 fprintf (stderr
, "memory error\n");
997 if (x509_cafile
!= NULL
)
999 if ((ret
= gnutls_certificate_set_x509_trust_file
1000 (cert_cred
, x509_cafile
, x509ctype
)) < 0)
1002 fprintf (stderr
, "Error reading '%s'\n", x509_cafile
);
1008 printf ("Processed %d CA certificate(s).\n", ret
);
1011 if (x509_crlfile
!= NULL
)
1013 if ((ret
= gnutls_certificate_set_x509_crl_file
1014 (cert_cred
, x509_crlfile
, x509ctype
)) < 0)
1016 fprintf (stderr
, "Error reading '%s'\n", x509_crlfile
);
1022 printf ("Processed %d CRL(s).\n", ret
);
1026 #ifdef ENABLE_OPENPGP
1027 if (pgp_keyring
!= NULL
)
1030 gnutls_certificate_set_openpgp_keyring_file (cert_cred
, pgp_keyring
,
1031 GNUTLS_OPENPGP_FMT_BASE64
);
1034 fprintf (stderr
, "Error setting the OpenPGP keyring file\n");
1039 if (HAVE_OPT (PGPCERTFILE
))
1041 if (HAVE_OPT (PGPSUBKEY
))
1042 ret
= gnutls_certificate_set_openpgp_key_file2
1043 (cert_cred
, pgp_certfile
, pgp_keyfile
, OPT_ARG (PGPSUBKEY
),
1044 GNUTLS_OPENPGP_FMT_BASE64
);
1046 ret
= gnutls_certificate_set_openpgp_key_file
1047 (cert_cred
, pgp_certfile
, pgp_keyfile
, GNUTLS_OPENPGP_FMT_BASE64
);
1052 "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
1053 ret
, pgp_certfile
, pgp_keyfile
);
1059 if (x509_certfile
!= NULL
)
1060 if ((ret
= gnutls_certificate_set_x509_key_file
1061 (cert_cred
, x509_certfile
, x509_keyfile
, x509ctype
)) < 0)
1064 "Error reading '%s' or '%s'\n", x509_certfile
, x509_keyfile
);
1069 if (x509_dsacertfile
!= NULL
)
1070 if ((ret
= gnutls_certificate_set_x509_key_file
1071 (cert_cred
, x509_dsacertfile
, x509_dsakeyfile
, x509ctype
)) < 0)
1073 fprintf (stderr
, "Error reading '%s' or '%s'\n",
1074 x509_dsacertfile
, x509_dsakeyfile
);
1079 if (x509_ecccertfile
!= NULL
)
1080 if ((ret
= gnutls_certificate_set_x509_key_file
1081 (cert_cred
, x509_ecccertfile
, x509_ecckeyfile
, x509ctype
)) < 0)
1083 fprintf (stderr
, "Error reading '%s' or '%s'\n",
1084 x509_ecccertfile
, x509_ecckeyfile
);
1089 gnutls_certificate_set_params_function (cert_cred
, get_params
);
1090 /* gnutls_certificate_set_dh_params(cert_cred, dh_params);
1091 * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
1094 /* this is a password file (created with the included srpcrypt utility)
1095 * Read README.crypt prior to using SRP.
1098 if (srp_passwd
!= NULL
)
1100 gnutls_srp_allocate_server_credentials (&srp_cred
);
1103 gnutls_srp_set_server_credentials_file (srp_cred
, srp_passwd
,
1104 srp_passwd_conf
)) < 0)
1106 /* only exit is this function is not disabled
1108 fprintf (stderr
, "Error while setting SRP parameters\n");
1114 /* this is a password file
1117 if (psk_passwd
!= NULL
)
1119 gnutls_psk_allocate_server_credentials (&psk_cred
);
1122 gnutls_psk_set_server_credentials_file (psk_cred
, psk_passwd
)) < 0)
1124 /* only exit is this function is not disabled
1126 fprintf (stderr
, "Error while setting PSK parameters\n");
1130 if (HAVE_OPT (PSKHINT
))
1132 ret
= gnutls_psk_set_server_credentials_hint (psk_cred
,
1136 fprintf (stderr
, "Error setting PSK identity hint.\n");
1141 gnutls_psk_set_server_params_function (psk_cred
, get_params
);
1146 gnutls_anon_allocate_server_credentials (&dh_cred
);
1147 gnutls_anon_set_server_params_function (dh_cred
, get_params
);
1149 /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
1152 #ifdef ENABLE_SESSION_TICKET
1154 gnutls_session_ticket_key_generate (&session_ticket_key
);
1158 mtu
= OPT_VALUE_MTU
;
1162 if (HAVE_OPT (PORT
))
1163 port
= OPT_VALUE_PORT
;
1168 udp_server (name
, port
, mtu
);
1170 tcp_server (name
, port
);
1174 tcp_server (const char *name
, int port
)
1179 struct sockaddr_storage client_address
;
1182 s
= listen_socket (name
, port
, SOCK_STREAM
);
1198 /* flag which connections we are reading or writing to within the fd sets */
1199 lloopstart (listener_list
, j
)
1203 val
= fcntl (j
->fd
, F_GETFL
, 0);
1204 if ((val
== -1) || (fcntl (j
->fd
, F_SETFL
, val
| O_NONBLOCK
) < 0))
1211 if (j
->listen_socket
)
1213 FD_SET (j
->fd
, &rd
);
1216 if (j
->http_state
== HTTP_STATE_REQUEST
)
1218 FD_SET (j
->fd
, &rd
);
1221 if (j
->http_state
== HTTP_STATE_RESPONSE
)
1223 FD_SET (j
->fd
, &wr
);
1227 lloopend (listener_list
, j
);
1229 /* core operation */
1230 n
= select (n
+ 1, &rd
, &wr
, NULL
, NULL
);
1231 if (n
== -1 && errno
== EINTR
)
1235 perror ("select()");
1239 /* read or write to each connection as indicated by select()'s return argument */
1240 lloopstart (listener_list
, j
)
1243 /* a new connection has arrived */
1244 if (FD_ISSET (j
->fd
, &rd
) && j
->listen_socket
)
1246 gnutls_session_t tls_session
;
1248 tls_session
= initialize_session (0);
1250 calen
= sizeof (client_address
);
1251 memset (&client_address
, 0, calen
);
1252 accept_fd
= accept (j
->fd
, (struct sockaddr
*) &client_address
,
1257 perror ("accept()");
1264 /* new list entry for the connection */
1265 lappend (listener_list
);
1266 j
= listener_list
.tail
;
1267 j
->http_request
= (char *) strdup ("");
1268 j
->http_state
= HTTP_STATE_REQUEST
;
1271 j
->tls_session
= tls_session
;
1272 gnutls_transport_set_ptr (tls_session
,
1273 (gnutls_transport_ptr_t
)
1274 gl_fd_to_handle (accept_fd
));
1275 j
->handshake_ok
= 0;
1281 ctt
[strlen (ctt
) - 1] = 0;
1283 printf ("\n* Accepted connection from %s on %s\n",
1284 human_addr ((struct sockaddr
*)
1285 &client_address
, calen
, topbuf
,
1286 sizeof (topbuf
)), ctt
);
1291 if (FD_ISSET (j
->fd
, &rd
) && !j
->listen_socket
)
1293 /* read partial GET request */
1297 if (j
->handshake_ok
== 0)
1299 r
= gnutls_handshake (j
->tls_session
);
1300 if (r
< 0 && gnutls_error_is_fatal (r
) == 0)
1302 check_alert (j
->tls_session
, r
);
1305 else if (r
< 0 && gnutls_error_is_fatal (r
) == 1)
1307 check_alert (j
->tls_session
, r
);
1308 fprintf (stderr
, "Error in handshake\n");
1314 gnutls_alert_send_appropriate (j
->tls_session
, r
);
1316 while (ret
== GNUTLS_E_AGAIN
1317 || ret
== GNUTLS_E_INTERRUPTED
);
1318 j
->http_state
= HTTP_STATE_CLOSING
;
1322 if (gnutls_session_is_resumed (j
->tls_session
) != 0
1324 printf ("*** This is a resumed session\n");
1328 printf ("\n* Successful handshake from %s\n",
1329 human_addr ((struct sockaddr
*)
1330 &client_address
, calen
, topbuf
,
1332 print_info (j
->tls_session
, verbose
, verbose
);
1333 if (gnutls_auth_get_type (j
->tls_session
) ==
1334 GNUTLS_CRD_CERTIFICATE
)
1335 cert_verify (j
->tls_session
, NULL
);
1337 j
->handshake_ok
= 1;
1341 if (j
->handshake_ok
== 1)
1343 r
= gnutls_record_recv (j
->tls_session
, buf
,
1344 MIN (1024, SMALL_READ_TEST
));
1345 if (r
== GNUTLS_E_HEARTBEAT_PING_RECEIVED
)
1347 gnutls_heartbeat_pong(j
->tls_session
, 0);
1349 if (r
== GNUTLS_E_INTERRUPTED
|| r
== GNUTLS_E_AGAIN
)
1355 if (r
== GNUTLS_E_REHANDSHAKE
)
1357 fprintf (stderr
, "*** Received hello message\n");
1360 r
= gnutls_handshake (j
->tls_session
);
1362 while (r
== GNUTLS_E_INTERRUPTED
1363 || r
== GNUTLS_E_AGAIN
);
1369 ret
= gnutls_alert_send_appropriate
1370 (j
->tls_session
, r
);
1372 while (ret
== GNUTLS_E_AGAIN
1373 || ret
== GNUTLS_E_INTERRUPTED
);
1376 j
->http_state
= HTTP_STATE_CLOSING
;
1383 if (r
!= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
)
1385 j
->http_state
= HTTP_STATE_CLOSING
;
1386 check_alert (j
->tls_session
, r
);
1388 "Error while receiving data\n");
1397 realloc (j
->http_request
, j
->request_length
+ r
+ 1);
1398 if (j
->http_request
!= NULL
)
1400 memcpy (j
->http_request
+ j
->request_length
, buf
, r
);
1401 j
->request_length
+= r
;
1402 j
->http_request
[j
->request_length
] = '\0';
1405 j
->http_state
= HTTP_STATE_CLOSING
;
1408 /* check if we have a full HTTP header */
1410 j
->http_response
= NULL
;
1411 if (j
->http_request
!= NULL
)
1413 if ((http
== 0 && strchr (j
->http_request
, '\n'))
1414 || strstr (j
->http_request
, "\r\n\r\n")
1415 || strstr (j
->http_request
, "\n\n"))
1417 get_response (j
->tls_session
, j
->http_request
,
1418 &j
->http_response
, &j
->response_length
);
1419 j
->http_state
= HTTP_STATE_RESPONSE
;
1420 j
->response_written
= 0;
1425 if (FD_ISSET (j
->fd
, &wr
))
1427 /* write partial response request */
1430 if (j
->handshake_ok
== 0)
1432 r
= gnutls_handshake (j
->tls_session
);
1433 if (r
< 0 && gnutls_error_is_fatal (r
) == 0)
1435 check_alert (j
->tls_session
, r
);
1438 else if (r
< 0 && gnutls_error_is_fatal (r
) == 1)
1442 j
->http_state
= HTTP_STATE_CLOSING
;
1443 check_alert (j
->tls_session
, r
);
1444 fprintf (stderr
, "Error in handshake\n");
1450 gnutls_alert_send_appropriate (j
->tls_session
, r
);
1452 while (ret
== GNUTLS_E_AGAIN
);
1456 if (gnutls_session_is_resumed (j
->tls_session
) != 0
1458 printf ("*** This is a resumed session\n");
1461 printf ("- connection from %s\n",
1462 human_addr ((struct sockaddr
*)
1463 &client_address
, calen
, topbuf
,
1466 print_info (j
->tls_session
, verbose
, verbose
);
1467 if (gnutls_auth_get_type (j
->tls_session
) ==
1468 GNUTLS_CRD_CERTIFICATE
)
1469 cert_verify (j
->tls_session
, NULL
);
1471 j
->handshake_ok
= 1;
1475 if (j
->handshake_ok
== 1 && j
->http_response
!= NULL
)
1477 /* FIXME if j->http_response == NULL? */
1478 r
= gnutls_record_send (j
->tls_session
,
1480 j
->response_written
,
1481 MIN (j
->response_length
-
1482 j
->response_written
,
1484 if (r
== GNUTLS_E_INTERRUPTED
|| r
== GNUTLS_E_AGAIN
)
1491 j
->http_state
= HTTP_STATE_CLOSING
;
1494 j
->http_state
= HTTP_STATE_REQUEST
;
1495 free (j
->http_response
);
1496 j
->response_length
= 0;
1497 j
->request_length
= 0;
1498 j
->http_request
[0] = 0;
1503 fprintf (stderr
, "Error while sending data\n");
1506 check_alert (j
->tls_session
, r
);
1510 j
->response_written
+= r
;
1511 /* check if we have written a complete response */
1512 if (j
->response_written
== j
->response_length
)
1515 j
->http_state
= HTTP_STATE_CLOSING
;
1518 j
->http_state
= HTTP_STATE_REQUEST
;
1519 free (j
->http_response
);
1520 j
->response_length
= 0;
1521 j
->request_length
= 0;
1522 j
->http_request
[0] = 0;
1529 j
->request_length
= 0;
1530 j
->http_request
[0] = 0;
1531 j
->http_state
= HTTP_STATE_REQUEST
;
1535 lloopend (listener_list
, j
);
1537 /* loop through all connections, closing those that are in error */
1538 lloopstart (listener_list
, j
)
1540 if (j
->http_state
== HTTP_STATE_CLOSING
)
1542 ldeleteinc (listener_list
, j
);
1545 lloopend (listener_list
, j
);
1549 gnutls_certificate_free_credentials (cert_cred
);
1553 gnutls_srp_free_server_credentials (srp_cred
);
1558 gnutls_psk_free_server_credentials (psk_cred
);
1562 gnutls_anon_free_server_credentials (dh_cred
);
1565 #ifdef ENABLE_SESSION_TICKET
1567 gnutls_free (session_ticket_key
.data
);
1572 gnutls_global_deinit ();
1577 cmd_parser (int argc
, char **argv
)
1579 optionProcess (&gnutls_servOptions
, argc
, argv
);
1581 disable_client_cert
= HAVE_OPT (DISABLE_CLIENT_CERT
);
1582 require_cert
= HAVE_OPT (REQUIRE_CLIENT_CERT
);
1583 if (HAVE_OPT (DEBUG
))
1584 debug
= OPT_VALUE_DEBUG
;
1586 if (HAVE_OPT (QUIET
))
1589 if (HAVE_OPT (PRIORITY
))
1590 priorities
= OPT_ARG (PRIORITY
);
1592 if (HAVE_OPT (LIST
))
1594 print_list (priorities
, verbose
);
1598 nodb
= HAVE_OPT (NODB
);
1599 noticket
= HAVE_OPT (NOTICKET
);
1601 if (HAVE_OPT (ECHO
))
1606 if (HAVE_OPT (X509FMTDER
))
1607 x509ctype
= GNUTLS_X509_FMT_DER
;
1609 x509ctype
= GNUTLS_X509_FMT_PEM
;
1611 generate
= HAVE_OPT (GENERATE
);
1613 if (HAVE_OPT (DHPARAMS
))
1614 dh_params_file
= OPT_ARG (DHPARAMS
);
1616 if (HAVE_OPT (X509KEYFILE
))
1617 x509_keyfile
= OPT_ARG (X509KEYFILE
);
1618 if (HAVE_OPT (X509CERTFILE
))
1619 x509_certfile
= OPT_ARG (X509CERTFILE
);
1621 if (HAVE_OPT (X509DSAKEYFILE
))
1622 x509_dsakeyfile
= OPT_ARG (X509DSAKEYFILE
);
1623 if (HAVE_OPT (X509DSACERTFILE
))
1624 x509_dsacertfile
= OPT_ARG (X509DSACERTFILE
);
1627 if (HAVE_OPT (X509ECCKEYFILE
))
1628 x509_ecckeyfile
= OPT_ARG (X509ECCKEYFILE
);
1629 if (HAVE_OPT (X509CERTFILE
))
1630 x509_ecccertfile
= OPT_ARG (X509ECCCERTFILE
);
1632 if (HAVE_OPT (X509CAFILE
))
1633 x509_cafile
= OPT_ARG (X509CAFILE
);
1634 if (HAVE_OPT (X509CRLFILE
))
1635 x509_crlfile
= OPT_ARG (X509CRLFILE
);
1637 if (HAVE_OPT (PGPKEYFILE
))
1638 pgp_keyfile
= OPT_ARG (PGPKEYFILE
);
1639 if (HAVE_OPT (PGPCERTFILE
))
1640 pgp_certfile
= OPT_ARG (PGPCERTFILE
);
1642 if (HAVE_OPT (PGPKEYRING
))
1643 pgp_keyring
= OPT_ARG (PGPKEYRING
);
1645 if (HAVE_OPT (SRPPASSWD
))
1646 srp_passwd
= OPT_ARG (SRPPASSWD
);
1647 if (HAVE_OPT (SRPPASSWDCONF
))
1648 srp_passwd_conf
= OPT_ARG (SRPPASSWDCONF
);
1650 if (HAVE_OPT (PSKPASSWD
))
1651 psk_passwd
= OPT_ARG (PSKPASSWD
);
1655 /* session resuming support */
1657 #define SESSION_ID_SIZE 32
1658 #define SESSION_DATA_SIZE 1024
1662 char session_id
[SESSION_ID_SIZE
];
1663 unsigned int session_id_size
;
1665 char session_data
[SESSION_DATA_SIZE
];
1666 unsigned int session_data_size
;
1669 static CACHE
*cache_db
;
1670 int cache_db_ptr
= 0;
1675 /* allocate cache_db */
1676 cache_db
= calloc (1, ssl_session_cache
* sizeof (CACHE
));
1680 wrap_db_deinit (void)
1685 wrap_db_store (void *dbf
, gnutls_datum_t key
, gnutls_datum_t data
)
1688 if (cache_db
== NULL
)
1691 if (key
.size
> SESSION_ID_SIZE
)
1693 if (data
.size
> SESSION_DATA_SIZE
)
1696 memcpy (cache_db
[cache_db_ptr
].session_id
, key
.data
, key
.size
);
1697 cache_db
[cache_db_ptr
].session_id_size
= key
.size
;
1699 memcpy (cache_db
[cache_db_ptr
].session_data
, data
.data
, data
.size
);
1700 cache_db
[cache_db_ptr
].session_data_size
= data
.size
;
1703 cache_db_ptr
%= ssl_session_cache
;
1708 static gnutls_datum_t
1709 wrap_db_fetch (void *dbf
, gnutls_datum_t key
)
1711 gnutls_datum_t res
= { NULL
, 0 };
1714 if (cache_db
== NULL
)
1717 for (i
= 0; i
< ssl_session_cache
; i
++)
1719 if (key
.size
== cache_db
[i
].session_id_size
&&
1720 memcmp (key
.data
, cache_db
[i
].session_id
, key
.size
) == 0)
1722 res
.size
= cache_db
[i
].session_data_size
;
1724 res
.data
= gnutls_malloc (res
.size
);
1725 if (res
.data
== NULL
)
1728 memcpy (res
.data
, cache_db
[i
].session_data
, res
.size
);
1737 wrap_db_delete (void *dbf
, gnutls_datum_t key
)
1741 if (cache_db
== NULL
)
1744 for (i
= 0; i
< ssl_session_cache
; i
++)
1746 if (key
.size
== (unsigned int) cache_db
[i
].session_id_size
&&
1747 memcmp (key
.data
, cache_db
[i
].session_id
, key
.size
) == 0)
1750 cache_db
[i
].session_id_size
= 0;
1751 cache_db
[i
].session_data_size
= 0;