2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (C) 2001,2002 Paul Sheer
4 * Portions Copyright (C) 2002,2003 Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * GnuTLS is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This server is heavily modified for GnuTLS by Nikos Mavrogiannopoulos
23 * (which means it is quite unreadable)
29 #include "serv-args.h"
33 #include <sys/types.h>
35 #include <gnutls/gnutls.h>
36 #include <gnutls/dtls.h>
37 #include <gnutls/openpgp.h>
39 #include <sys/select.h>
46 /* Gnulib portability files. */
47 #include "read-file.h"
52 /* konqueror cannot handle sending the page in multiple
56 static int generate = 0;
61 unsigned int verbose = 1;
65 int disable_client_cert;
67 const char *psk_passwd = NULL;
68 const char *srp_passwd = NULL;
69 const char *srp_passwd_conf = NULL;
70 const char *pgp_keyring = NULL;
71 const char *pgp_keyfile = NULL;
72 const char *pgp_certfile = NULL;
73 const char *x509_keyfile = NULL;
74 const char *x509_certfile = NULL;
75 const char *x509_dsakeyfile = NULL;
76 const char *x509_dsacertfile = NULL;
77 const char *x509_ecckeyfile = NULL;
78 const char *x509_ecccertfile = NULL;
79 const char *x509_cafile = NULL;
80 const char *dh_params_file = NULL;
81 const char *x509_crlfile = NULL;
82 const char *priorities = NULL;
83 const char *status_response_ocsp = NULL;
85 gnutls_datum_t session_ticket_key;
86 static void tcp_server(const char *name, int port);
90 /* This is a sample TCP echo server.
91 * This will behave as an http server if any argument in the
92 * command line is present
95 #define SMALL_READ_TEST (2147483647)
97 #define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret))
99 #define HTTP_END "</BODY></HTML>\n\n"
101 #define HTTP_UNIMPLEMENTED "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n<HR>\r\n</BODY></HTML>\r\n"
102 #define HTTP_OK "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
104 #define HTTP_BEGIN HTTP_OK \
107 "<CENTER><H1>This is <a href=\"http://www.gnu.org/software/gnutls\">" \
108 "GnuTLS</a></H1></CENTER>\n\n"
110 /* These are global */
111 gnutls_srp_server_credentials_t srp_cred = NULL;
112 gnutls_psk_server_credentials_t psk_cred = NULL;
113 gnutls_anon_server_credentials_t dh_cred = NULL;
114 gnutls_certificate_credentials_t cert_cred = NULL;
116 const int ssl_session_cache = 128;
118 static void wrap_db_init(void);
119 static void wrap_db_deinit(void);
120 static int wrap_db_store(void *dbf, gnutls_datum_t key,
121 gnutls_datum_t data);
122 static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key);
123 static int wrap_db_delete(void *dbf, gnutls_datum_t key);
125 static void cmd_parser(int argc, char **argv);
128 #define HTTP_STATE_REQUEST 1
129 #define HTTP_STATE_RESPONSE 2
130 #define HTTP_STATE_CLOSING 3
132 LIST_TYPE_DECLARE(listener_item, char *http_request; char *http_response;
133 int request_length; int response_length;
134 int response_written; int http_state;
135 int listen_socket; int fd;
136 gnutls_session_t tls_session;
141 static const char *safe_strerror(int value)
143 const char *ret = gnutls_strerror(value);
149 static void listener_free(listener_item * j)
152 free(j->http_request);
153 free(j->http_response);
155 gnutls_bye(j->tls_session, GNUTLS_SHUT_WR);
158 gnutls_deinit(j->tls_session);
163 /* we use primes up to 1024 in this server.
164 * otherwise we should add them here.
167 gnutls_dh_params_t dh_params = NULL;
168 gnutls_rsa_params_t rsa_params = NULL;
170 static int generate_dh_primes(void)
173 gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
174 GNUTLS_SEC_PARAM_MEDIUM);
176 if (gnutls_dh_params_init(&dh_params) < 0) {
177 fprintf(stderr, "Error in dh parameter initialization\n");
181 /* Generate Diffie-Hellman parameters - for use with DHE
182 * kx algorithms. These should be discarded and regenerated
183 * once a week or once a month. Depends on the
184 * security requirements.
187 ("Generating Diffie-Hellman parameters [%d]. Please wait...\n",
191 if (gnutls_dh_params_generate2(dh_params, prime_bits) < 0) {
192 fprintf(stderr, "Error in prime generation\n");
199 static void read_dh_params(void)
203 gnutls_datum_t params;
206 if (gnutls_dh_params_init(&dh_params) < 0) {
207 fprintf(stderr, "Error in dh parameter initialization\n");
211 /* read the params file
213 fd = fopen(dh_params_file, "r");
215 fprintf(stderr, "Could not open %s\n", dh_params_file);
219 size = fread(tmpdata, 1, sizeof(tmpdata) - 1, fd);
223 params.data = (unsigned char *) tmpdata;
227 gnutls_dh_params_import_pkcs3(dh_params, ¶ms,
228 GNUTLS_X509_FMT_PEM);
231 fprintf(stderr, "Error parsing dh params: %s\n",
232 safe_strerror(size));
236 printf("Read Diffie-Hellman parameters.\n");
241 static char pkcs3[] =
242 "-----BEGIN DH PARAMETERS-----\n"
243 "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
244 "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
245 "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
246 "-----END DH PARAMETERS-----\n";
248 static int static_dh_params(void)
250 gnutls_datum_t params = { (void *) pkcs3, sizeof(pkcs3) };
253 if (gnutls_dh_params_init(&dh_params) < 0) {
254 fprintf(stderr, "Error in dh parameter initialization\n");
258 ret = gnutls_dh_params_import_pkcs3(dh_params, ¶ms,
259 GNUTLS_X509_FMT_PEM);
262 fprintf(stderr, "Error parsing dh params: %s\n",
268 ("Set static Diffie-Hellman parameters, consider --dhparams.\n");
274 get_params(gnutls_session_t session, gnutls_params_type_t type,
275 gnutls_params_st * st)
278 if (type == GNUTLS_PARAMS_DH) {
279 if (dh_params == NULL)
281 st->params.dh = dh_params;
291 LIST_DECLARE_INIT(listener_list, listener_item, listener_free);
293 static int cert_verify_callback(gnutls_session_t session)
295 listener_item * j = gnutls_session_get_ptr(session);
299 if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) {
300 if (!require_cert && gnutls_certificate_get_peers(session, &size) == NULL)
303 if ((require_cert || ENABLED_OPT(VERIFY_CLIENT_CERT)) && cert_verify(session, NULL, NULL) == 0) {
305 ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
306 } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
308 j->http_state = HTTP_STATE_CLOSING;
315 gnutls_session_t initialize_session(int dtls)
317 gnutls_session_t session;
321 if (priorities == NULL)
322 priorities = "NORMAL";
325 gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
327 gnutls_init(&session, GNUTLS_SERVER);
329 /* allow the use of private ciphersuites.
331 gnutls_handshake_set_private_extensions(session, 1);
334 gnutls_db_set_retrieve_function(session, wrap_db_fetch);
335 gnutls_db_set_remove_function(session, wrap_db_delete);
336 gnutls_db_set_store_function(session, wrap_db_store);
337 gnutls_db_set_ptr(session, NULL);
340 #ifdef ENABLE_SESSION_TICKETS
342 gnutls_session_ticket_enable_server(session,
343 &session_ticket_key);
346 if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
347 fprintf(stderr, "Syntax error at: %s\n", err);
351 gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred);
353 if (srp_cred != NULL)
354 gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
356 if (psk_cred != NULL)
357 gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
359 if (cert_cred != NULL) {
360 gnutls_certificate_set_verify_function(cert_cred,
361 cert_verify_callback);
363 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
367 if (disable_client_cert)
368 gnutls_certificate_server_set_request(session,
372 gnutls_certificate_server_set_request(session,
373 GNUTLS_CERT_REQUIRE);
375 gnutls_certificate_server_set_request(session,
376 GNUTLS_CERT_REQUEST);
379 if (HAVE_OPT(HEARTBEAT))
380 gnutls_heartbeat_enable(session,
381 GNUTLS_HB_PEER_ALLOWED_TO_SEND);
383 #ifdef ENABLE_DTLS_SRTP
384 if (HAVE_OPT(SRTP_PROFILES)) {
386 gnutls_srtp_set_profile_direct(session,
387 OPT_ARG(SRTP_PROFILES),
389 if (ret == GNUTLS_E_INVALID_REQUEST)
390 fprintf(stderr, "Syntax error at: %s\n", err);
392 fprintf(stderr, "Error in profiles: %s\n",
393 gnutls_strerror(ret));
401 #include <gnutls/x509.h>
403 static const char DEFAULT_DATA[] =
404 "This is the default message reported by the GnuTLS implementation. "
405 "For more information please visit "
406 "<a href=\"http://www.gnutls.org/\">http://www.gnutls.org/</a>.";
408 /* Creates html with the current session information.
410 #define tmp_buffer &http_buffer[strlen(http_buffer)]
411 #define tmp_buffer_size len-strlen(http_buffer)
412 static char *peer_print_info(gnutls_session_t session, int *ret_length,
416 unsigned char sesid[32];
417 size_t i, sesid_size;
419 gnutls_kx_algorithm_t kx_alg;
420 size_t len = 20 * 1024 + strlen(header);
421 char *crtinfo = NULL, *crtinfo_old = NULL;
425 http_buffer = malloc(len);
426 if (http_buffer == NULL)
429 strcpy(http_buffer, HTTP_BEGIN);
430 strcpy(&http_buffer[sizeof(HTTP_BEGIN) - 1], DEFAULT_DATA);
432 [sizeof(HTTP_BEGIN) + sizeof(DEFAULT_DATA) - 2],
435 sizeof(DEFAULT_DATA) + sizeof(HTTP_BEGIN) +
436 sizeof(HTTP_END) - 3;
440 if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
441 const gnutls_datum_t *cert_list;
442 unsigned int cert_list_size = 0;
445 gnutls_certificate_get_peers(session, &cert_list_size);
447 for (i = 0; i < cert_list_size; i++) {
448 gnutls_x509_crt_t cert;
451 if (gnutls_x509_crt_init(&cert) == 0 &&
452 gnutls_x509_crt_import(cert, &cert_list[i],
453 GNUTLS_X509_FMT_DER) ==
455 && gnutls_x509_crt_print(cert,
456 GNUTLS_CRT_PRINT_FULL,
458 const char *post = "</PRE><P><PRE>";
460 crtinfo_old = crtinfo;
463 ncrtinfo + info.size +
465 if (crtinfo == NULL) {
469 memcpy(crtinfo + ncrtinfo, info.data,
471 ncrtinfo += info.size;
472 memcpy(crtinfo + ncrtinfo, post,
474 ncrtinfo += strlen(post);
475 crtinfo[ncrtinfo] = '\0';
476 gnutls_free(info.data);
481 http_buffer = malloc(len);
482 if (http_buffer == NULL) {
487 strcpy(http_buffer, HTTP_BEGIN);
489 /* print session_id */
490 sesid_size = sizeof(sesid);
491 gnutls_session_get_id(session, sesid, &sesid_size);
492 snprintf(tmp_buffer, tmp_buffer_size, "\n<p>Session ID: <i>");
493 for (i = 0; i < sesid_size; i++)
494 snprintf(tmp_buffer, tmp_buffer_size, "%.2X", sesid[i]);
495 snprintf(tmp_buffer, tmp_buffer_size, "</i></p>\n");
496 snprintf(tmp_buffer, tmp_buffer_size,
497 "<h5>If your browser supports session resuming, then you should see the "
498 "same session ID, when you press the <b>reload</b> button.</h5>\n");
500 /* Here unlike print_info() we use the kx algorithm to distinguish
501 * the functions to call.
505 size_t dns_size = sizeof(dns);
508 if (gnutls_server_name_get
509 (session, dns, &dns_size, &type, 0) == 0) {
510 snprintf(tmp_buffer, tmp_buffer_size,
511 "\n<p>Server Name: %s</p>\n", dns);
516 kx_alg = gnutls_kx_get(session);
518 /* print srp specific data */
520 if (kx_alg == GNUTLS_KX_SRP) {
521 snprintf(tmp_buffer, tmp_buffer_size,
522 "<p>Connected as user '%s'.</p>\n",
523 gnutls_srp_server_get_username(session));
528 if (kx_alg == GNUTLS_KX_PSK) {
529 snprintf(tmp_buffer, tmp_buffer_size,
530 "<p>Connected as user '%s'.</p>\n",
531 gnutls_psk_server_get_username(session));
536 if (kx_alg == GNUTLS_KX_ANON_DH) {
537 snprintf(tmp_buffer, tmp_buffer_size,
538 "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
539 gnutls_dh_get_prime_bits(session));
543 if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS) {
544 snprintf(tmp_buffer, tmp_buffer_size,
545 "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
546 gnutls_dh_get_prime_bits(session));
549 /* print session information */
550 strcat(http_buffer, "<P>\n");
553 gnutls_protocol_get_name(gnutls_protocol_get_version(session));
556 snprintf(tmp_buffer, tmp_buffer_size,
557 "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
560 if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) {
562 gnutls_certificate_type_get_name
563 (gnutls_certificate_type_get(session));
566 snprintf(tmp_buffer, tmp_buffer_size,
567 "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n",
571 tmp = gnutls_kx_get_name(kx_alg);
574 snprintf(tmp_buffer, tmp_buffer_size,
575 "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
577 tmp = gnutls_compression_get_name(gnutls_compression_get(session));
580 snprintf(tmp_buffer, tmp_buffer_size,
581 "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
583 tmp = gnutls_cipher_get_name(gnutls_cipher_get(session));
586 snprintf(tmp_buffer, tmp_buffer_size,
587 "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
589 tmp = gnutls_mac_get_name(gnutls_mac_get(session));
592 snprintf(tmp_buffer, tmp_buffer_size,
593 "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
595 tmp = gnutls_cipher_suite_get_name(kx_alg,
596 gnutls_cipher_get(session),
597 gnutls_mac_get(session));
600 snprintf(tmp_buffer, tmp_buffer_size,
601 "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
605 snprintf(tmp_buffer, tmp_buffer_size,
606 "<hr><PRE>%s\n</PRE>\n", crtinfo);
610 snprintf(tmp_buffer, tmp_buffer_size,
611 "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n"
614 *ret_length = strlen(http_buffer);
619 const char *human_addr(const struct sockaddr *sa, socklen_t salen,
620 char *buf, size_t buflen)
622 const char *save_buf = buf;
630 switch (sa->sa_family) {
633 snprintf(buf, buflen, "IPv6 ");
638 snprintf(buf, buflen, "IPv4 ");
646 if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) !=
658 strcat(buf, " port ");
662 if (getnameinfo(sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) !=
664 snprintf(buf, buflen, "%s", " unknown");
670 int wait_for_connection(void)
680 lloopstart(listener_list, j) {
681 if (j->listen_socket) {
686 lloopend(listener_list, j);
689 n = select(n + 1, &rd, &wr, NULL, NULL);
690 if (n == -1 && errno == EINTR)
697 /* find which one is ready */
698 lloopstart(listener_list, j) {
699 /* a new connection has arrived */
700 if (FD_ISSET(j->fd, &rd) && j->listen_socket) {
705 lloopend(listener_list, j);
709 int listen_socket(const char *name, int listen_port, int socktype)
711 struct addrinfo hints, *res, *ptr;
715 listener_item *j = NULL;
717 snprintf(portname, sizeof(portname), "%d", listen_port);
718 memset(&hints, 0, sizeof(hints));
719 hints.ai_socktype = socktype;
720 hints.ai_flags = AI_PASSIVE
726 if ((s = getaddrinfo(NULL, portname, &hints, &res)) != 0) {
727 fprintf(stderr, "getaddrinfo() failed: %s\n",
732 for (ptr = res; ptr != NULL; ptr = ptr->ai_next) {
735 if (ptr->ai_family != AF_INET)
739 /* Print what we are doing. */
743 fprintf(stderr, "%s listening on %s...",
744 name, human_addr(ptr->ai_addr,
745 ptr->ai_addrlen, topbuf,
749 if ((news = socket(ptr->ai_family, ptr->ai_socktype,
750 ptr->ai_protocol)) < 0) {
751 perror("socket() failed");
754 s = news; /* to not overwrite existing s from previous loops */
755 #if defined(HAVE_IPV6) && !defined(_WIN32)
756 if (ptr->ai_family == AF_INET6) {
758 /* avoid listen on ipv6 addresses failing
759 * because already listening on ipv4 addresses: */
760 setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
761 (const void *) &yes, sizeof(yes));
765 if (socktype == SOCK_STREAM) {
767 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
770 perror("setsockopt() failed");
775 #if defined(IP_DONTFRAG)
777 if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
780 perror("setsockopt(IP_DF) failed");
781 #elif defined(IP_MTU_DISCOVER)
782 yes = IP_PMTUDISC_DO;
783 if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
786 perror("setsockopt(IP_DF) failed");
790 if (bind(s, ptr->ai_addr, ptr->ai_addrlen) < 0) {
791 perror("bind() failed");
796 if (socktype == SOCK_STREAM) {
797 if (listen(s, 10) < 0) {
798 perror("listen() failed");
803 /* new list entry for the connection */
804 lappend(listener_list);
805 j = listener_list.tail;
806 j->listen_socket = 1;
809 /* Complete earlier message. */
810 fprintf(stderr, "done\n");
820 /* strips \r\n from the end of the string
822 static void strip(char *data)
825 int len = strlen(data);
827 for (i = 0; i < len; i++) {
828 if (data[i] == '\r' && data[i + 1] == '\n'
829 && data[i + 1] == 0) {
838 get_response(gnutls_session_t session, char *request,
839 char **response, int *response_length)
844 if (strncmp(request, "GET ", 4))
847 if (!(h = strchr(request, '\n')))
851 while (*h == '\r' || *h == '\n')
854 if (!(p = strchr(request + 4, ' ')))
858 /* *response = peer_print_info(session, request+4, h, response_length); */
860 *response = peer_print_info(session, response_length, h);
863 fprintf(stderr, "received: %s\n", request);
864 if (check_command(session, request)) {
866 *response_length = 0;
869 *response = strdup(request);
870 *response_length = ((*response) ? strlen(*response) : 0);
876 *response = strdup(HTTP_UNIMPLEMENTED);
877 *response_length = ((*response) ? strlen(*response) : 0);
880 static void terminate(int sig) __attribute__ ((noreturn));
882 static void terminate(int sig)
884 fprintf(stderr, "Exiting via signal %d\n", sig);
889 static void check_alert(gnutls_session_t session, int ret)
891 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
892 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
893 int last_alert = gnutls_alert_get(session);
894 if (last_alert == GNUTLS_A_NO_RENEGOTIATION &&
895 ret == GNUTLS_E_WARNING_ALERT_RECEIVED)
897 ("* Received NO_RENEGOTIATION alert. Client does not support renegotiation.\n");
899 printf("* Received alert '%d': %s.\n", last_alert,
900 gnutls_alert_get_name(last_alert));
904 static void tls_log_func(int level, const char *str)
906 fprintf(stderr, "|<%d>| %s", level, str);
909 static void tls_audit_log_func(gnutls_session_t session, const char *str)
911 fprintf(stderr, "|<%p>| %s", session, str);
914 int main(int argc, char **argv)
920 cmd_parser(argc, argv);
923 signal(SIGHUP, SIG_IGN);
924 signal(SIGTERM, terminate);
925 if (signal(SIGINT, terminate) == SIG_IGN)
926 signal(SIGINT, SIG_IGN); /* e.g. background process */
935 strcpy(name, "UDP ");
940 strcat(name, "HTTP Server");
942 strcat(name, "Echo Server");
945 gnutls_global_set_log_function(tls_log_func);
946 gnutls_global_set_audit_log_function(tls_audit_log_func);
947 gnutls_global_set_log_level(debug);
949 if ((ret = gnutls_global_init()) < 0) {
950 fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
957 /* Note that servers must generate parameters for
958 * Diffie-Hellman. See gnutls_dh_params_generate(), and
959 * gnutls_dh_params_set().
962 generate_dh_primes();
963 } else if (dh_params_file) {
969 if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) {
970 fprintf(stderr, "memory error\n");
974 if (x509_cafile != NULL) {
975 if ((ret = gnutls_certificate_set_x509_trust_file
976 (cert_cred, x509_cafile, x509ctype)) < 0) {
977 fprintf(stderr, "Error reading '%s'\n",
982 printf("Processed %d CA certificate(s).\n", ret);
985 if (x509_crlfile != NULL) {
986 if ((ret = gnutls_certificate_set_x509_crl_file
987 (cert_cred, x509_crlfile, x509ctype)) < 0) {
988 fprintf(stderr, "Error reading '%s'\n",
993 printf("Processed %d CRL(s).\n", ret);
996 #ifdef ENABLE_OPENPGP
997 if (pgp_keyring != NULL) {
999 gnutls_certificate_set_openpgp_keyring_file(cert_cred,
1001 GNUTLS_OPENPGP_FMT_BASE64);
1004 "Error setting the OpenPGP keyring file\n");
1009 if (pgp_certfile != NULL && pgp_keyfile != NULL) {
1010 if (HAVE_OPT(PGPSUBKEY))
1011 ret = gnutls_certificate_set_openpgp_key_file2
1012 (cert_cred, pgp_certfile, pgp_keyfile,
1014 GNUTLS_OPENPGP_FMT_BASE64);
1016 ret = gnutls_certificate_set_openpgp_key_file
1017 (cert_cred, pgp_certfile, pgp_keyfile,
1018 GNUTLS_OPENPGP_FMT_BASE64);
1022 "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
1023 ret, pgp_certfile, pgp_keyfile);
1030 if (x509_certfile != NULL && x509_keyfile != NULL) {
1031 ret = gnutls_certificate_set_x509_key_file
1032 (cert_cred, x509_certfile, x509_keyfile, x509ctype);
1035 "Error reading '%s' or '%s'\n",
1036 x509_certfile, x509_keyfile);
1043 if (x509_dsacertfile != NULL && x509_dsakeyfile != NULL) {
1044 ret = gnutls_certificate_set_x509_key_file
1045 (cert_cred, x509_dsacertfile, x509_dsakeyfile,
1049 "Error reading '%s' or '%s'\n",
1050 x509_dsacertfile, x509_dsakeyfile);
1057 if (x509_ecccertfile != NULL && x509_ecckeyfile != NULL) {
1058 ret = gnutls_certificate_set_x509_key_file
1059 (cert_cred, x509_ecccertfile, x509_ecckeyfile,
1063 "Error reading '%s' or '%s'\n",
1064 x509_ecccertfile, x509_ecckeyfile);
1071 if (cert_set == 0) {
1073 "Warning: no private key and certificate pairs were set.\n");
1076 /* OCSP status-request TLS extension */
1077 if (status_response_ocsp) {
1078 if (gnutls_certificate_set_ocsp_status_request_file
1079 (cert_cred, status_response_ocsp, 0) < 0) {
1081 "Cannot set OCSP status request file: %s\n",
1082 gnutls_strerror(ret));
1087 gnutls_certificate_set_params_function(cert_cred, get_params);
1088 /* gnutls_certificate_set_dh_params(cert_cred, dh_params);
1089 * gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
1092 /* this is a password file (created with the included srpcrypt utility)
1093 * Read README.crypt prior to using SRP.
1096 if (srp_passwd != NULL) {
1097 gnutls_srp_allocate_server_credentials(&srp_cred);
1100 gnutls_srp_set_server_credentials_file(srp_cred,
1104 /* only exit is this function is not disabled
1107 "Error while setting SRP parameters\n");
1113 /* this is a password file
1116 if (psk_passwd != NULL) {
1117 gnutls_psk_allocate_server_credentials(&psk_cred);
1120 gnutls_psk_set_server_credentials_file(psk_cred,
1123 /* only exit is this function is not disabled
1126 "Error while setting PSK parameters\n");
1130 if (HAVE_OPT(PSKHINT)) {
1132 gnutls_psk_set_server_credentials_hint
1133 (psk_cred, OPT_ARG(PSKHINT));
1136 "Error setting PSK identity hint.\n");
1141 gnutls_psk_set_server_params_function(psk_cred,
1147 gnutls_anon_allocate_server_credentials(&dh_cred);
1148 gnutls_anon_set_server_params_function(dh_cred, get_params);
1150 /* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
1153 #ifdef ENABLE_SESSION_TICKETS
1155 gnutls_session_ticket_key_generate(&session_ticket_key);
1159 mtu = OPT_VALUE_MTU;
1164 port = OPT_VALUE_PORT;
1169 udp_server(name, port, mtu);
1171 tcp_server(name, port);
1176 static void retry_handshake(listener_item *j)
1180 r = gnutls_handshake(j->tls_session);
1181 if (r < 0 && gnutls_error_is_fatal(r) == 0) {
1182 check_alert(j->tls_session, r);
1185 j->http_state = HTTP_STATE_CLOSING;
1186 check_alert(j->tls_session, r);
1187 fprintf(stderr, "Error in handshake\n");
1191 ret = gnutls_alert_send_appropriate(j->tls_session, r);
1192 } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
1193 } else if (r == 0) {
1194 if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
1195 printf("*** This is a resumed session\n");
1199 printf("- connection from %s\n",
1200 human_addr((struct sockaddr *)
1207 print_info(j->tls_session, verbose, verbose);
1210 j->handshake_ok = 1;
1214 static void try_rehandshake(listener_item *j)
1217 fprintf(stderr, "*** Received hello message\n");
1219 r = gnutls_handshake(j->tls_session);
1220 } while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN);
1224 ret = gnutls_alert_send_appropriate(j->tls_session, r);
1225 } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
1227 j->http_state = HTTP_STATE_CLOSING;
1229 j->http_state = HTTP_STATE_REQUEST;
1233 static void tcp_server(const char *name, int port)
1238 struct sockaddr_storage client_address;
1242 s = listen_socket(name, port, SOCK_STREAM);
1249 time_t now = time(0);
1258 /* flag which connections we are reading or writing to within the fd sets */
1259 lloopstart(listener_list, j) {
1262 val = fcntl(j->fd, F_GETFL, 0);
1264 || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) <
1270 if (j->start != 0 && now - j->start > 30) {
1272 fprintf(stderr, "Scheduling inactive connection for close\n");
1274 j->http_state = HTTP_STATE_CLOSING;
1277 if (j->listen_socket) {
1281 if (j->http_state == HTTP_STATE_REQUEST) {
1285 if (j->http_state == HTTP_STATE_RESPONSE) {
1290 lloopend(listener_list, j);
1292 /* core operation */
1295 n = select(n + 1, &rd, &wr, NULL, &tv);
1296 if (n == -1 && errno == EINTR)
1303 /* read or write to each connection as indicated by select()'s return argument */
1304 lloopstart(listener_list, j) {
1306 /* a new connection has arrived */
1307 if (FD_ISSET(j->fd, &rd) && j->listen_socket) {
1308 calen = sizeof(client_address);
1309 memset(&client_address, 0, calen);
1313 &client_address, &calen);
1315 if (accept_fd < 0) {
1318 time_t tt = time(0);
1321 /* new list entry for the connection */
1322 lappend(listener_list);
1323 j = listener_list.tail;
1325 (char *) strdup("");
1326 j->http_state = HTTP_STATE_REQUEST;
1330 j->tls_session = initialize_session(0);
1331 gnutls_session_set_ptr(j->tls_session, j);
1332 gnutls_transport_set_int
1333 (j->tls_session, accept_fd);
1334 set_read_funcs(j->tls_session);
1335 j->handshake_ok = 0;
1339 ctt[strlen(ctt) - 1] = 0;
1342 ("\n* Accepted connection from %s on %s\n",
1356 if (FD_ISSET(j->fd, &rd) && !j->listen_socket) {
1357 /* read partial GET request */
1361 if (j->handshake_ok == 0) {
1365 if (j->handshake_ok == 1) {
1366 r = gnutls_record_recv(j->
1371 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) {
1373 } else if (r <= 0) {
1374 if (r == GNUTLS_E_HEARTBEAT_PING_RECEIVED) {
1375 gnutls_heartbeat_pong(j->tls_session, 0);
1376 } else if (r == GNUTLS_E_REHANDSHAKE) {
1379 j->http_state = HTTP_STATE_CLOSING;
1381 check_alert(j->tls_session, r);
1383 "Error while receiving data\n");
1394 if (j->http_request !=
1412 /* check if we have a full HTTP header */
1414 j->http_response = NULL;
1415 if (j->http_state == HTTP_STATE_REQUEST && j->http_request != NULL) {
1435 HTTP_STATE_RESPONSE;
1443 if (FD_ISSET(j->fd, &wr)) {
1444 /* write partial response request */
1447 if (j->handshake_ok == 0) {
1451 if (j->handshake_ok == 1 && j->http_response == NULL) {
1452 j->http_state = HTTP_STATE_CLOSING;
1453 } else if (j->handshake_ok == 1 && j->http_response != NULL) {
1454 r = gnutls_record_send(j->tls_session,
1457 j->response_written,
1458 MIN(j->response_length
1460 j->response_written,
1462 if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) {
1464 } else if (r <= 0) {
1465 j->http_state = HTTP_STATE_CLOSING;
1468 "Error while sending data\n");
1471 check_alert(j->tls_session,
1474 j->response_written += r;
1475 /* check if we have written a complete response */
1476 if (j->response_written ==
1477 j->response_length) {
1479 j->http_state = HTTP_STATE_CLOSING;
1481 j->http_state = HTTP_STATE_REQUEST;
1484 j->response_length = 0;
1485 j->request_length = 0;
1486 j->http_request[0] = 0;
1491 j->request_length = 0;
1492 j->http_request[0] = 0;
1493 j->http_state = HTTP_STATE_REQUEST;
1497 lloopend(listener_list, j);
1499 /* loop through all connections, closing those that are in error */
1500 lloopstart(listener_list, j) {
1501 if (j->http_state == HTTP_STATE_CLOSING) {
1502 ldeleteinc(listener_list, j);
1505 lloopend(listener_list, j);
1509 gnutls_certificate_free_credentials(cert_cred);
1513 gnutls_srp_free_server_credentials(srp_cred);
1518 gnutls_psk_free_server_credentials(psk_cred);
1522 gnutls_anon_free_server_credentials(dh_cred);
1526 gnutls_free(session_ticket_key.data);
1530 gnutls_global_deinit();
1534 static void cmd_parser(int argc, char **argv)
1536 optionProcess(&gnutls_servOptions, argc, argv);
1538 disable_client_cert = HAVE_OPT(DISABLE_CLIENT_CERT);
1539 require_cert = ENABLED_OPT(REQUIRE_CLIENT_CERT);
1540 if (HAVE_OPT(DEBUG))
1541 debug = OPT_VALUE_DEBUG;
1543 if (HAVE_OPT(QUIET))
1546 if (HAVE_OPT(PRIORITY))
1547 priorities = OPT_ARG(PRIORITY);
1549 if (HAVE_OPT(LIST)) {
1550 print_list(priorities, verbose);
1554 nodb = HAVE_OPT(NODB);
1555 noticket = HAVE_OPT(NOTICKET);
1562 if (HAVE_OPT(X509FMTDER))
1563 x509ctype = GNUTLS_X509_FMT_DER;
1565 x509ctype = GNUTLS_X509_FMT_PEM;
1567 generate = HAVE_OPT(GENERATE);
1569 if (HAVE_OPT(DHPARAMS))
1570 dh_params_file = OPT_ARG(DHPARAMS);
1572 if (HAVE_OPT(X509KEYFILE))
1573 x509_keyfile = OPT_ARG(X509KEYFILE);
1574 if (HAVE_OPT(X509CERTFILE))
1575 x509_certfile = OPT_ARG(X509CERTFILE);
1577 if (HAVE_OPT(X509DSAKEYFILE))
1578 x509_dsakeyfile = OPT_ARG(X509DSAKEYFILE);
1579 if (HAVE_OPT(X509DSACERTFILE))
1580 x509_dsacertfile = OPT_ARG(X509DSACERTFILE);
1583 if (HAVE_OPT(X509ECCKEYFILE))
1584 x509_ecckeyfile = OPT_ARG(X509ECCKEYFILE);
1585 if (HAVE_OPT(X509ECCCERTFILE))
1586 x509_ecccertfile = OPT_ARG(X509ECCCERTFILE);
1588 if (HAVE_OPT(X509CAFILE))
1589 x509_cafile = OPT_ARG(X509CAFILE);
1590 if (HAVE_OPT(X509CRLFILE))
1591 x509_crlfile = OPT_ARG(X509CRLFILE);
1593 if (HAVE_OPT(PGPKEYFILE))
1594 pgp_keyfile = OPT_ARG(PGPKEYFILE);
1595 if (HAVE_OPT(PGPCERTFILE))
1596 pgp_certfile = OPT_ARG(PGPCERTFILE);
1598 if (HAVE_OPT(PGPKEYRING))
1599 pgp_keyring = OPT_ARG(PGPKEYRING);
1601 if (HAVE_OPT(SRPPASSWD))
1602 srp_passwd = OPT_ARG(SRPPASSWD);
1603 if (HAVE_OPT(SRPPASSWDCONF))
1604 srp_passwd_conf = OPT_ARG(SRPPASSWDCONF);
1606 if (HAVE_OPT(PSKPASSWD))
1607 psk_passwd = OPT_ARG(PSKPASSWD);
1609 if (HAVE_OPT(OCSP_RESPONSE))
1610 status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
1614 /* session resuming support */
1616 #define SESSION_ID_SIZE 32
1617 #define SESSION_DATA_SIZE 1024
1620 char session_id[SESSION_ID_SIZE];
1621 unsigned int session_id_size;
1623 char session_data[SESSION_DATA_SIZE];
1624 unsigned int session_data_size;
1627 static CACHE *cache_db;
1628 int cache_db_ptr = 0;
1630 static void wrap_db_init(void)
1632 /* allocate cache_db */
1633 cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
1636 static void wrap_db_deinit(void)
1641 wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
1644 if (cache_db == NULL)
1647 if (key.size > SESSION_ID_SIZE)
1649 if (data.size > SESSION_DATA_SIZE)
1652 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
1653 cache_db[cache_db_ptr].session_id_size = key.size;
1655 memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
1656 cache_db[cache_db_ptr].session_data_size = data.size;
1659 cache_db_ptr %= ssl_session_cache;
1664 static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key)
1666 gnutls_datum_t res = { NULL, 0 };
1669 if (cache_db == NULL)
1672 for (i = 0; i < ssl_session_cache; i++) {
1673 if (key.size == cache_db[i].session_id_size &&
1674 memcmp(key.data, cache_db[i].session_id,
1676 res.size = cache_db[i].session_data_size;
1678 res.data = gnutls_malloc(res.size);
1679 if (res.data == NULL)
1682 memcpy(res.data, cache_db[i].session_data,
1691 static int wrap_db_delete(void *dbf, gnutls_datum_t key)
1695 if (cache_db == NULL)
1698 for (i = 0; i < ssl_session_cache; i++) {
1699 if (key.size == (unsigned int) cache_db[i].session_id_size
1700 && memcmp(key.data, cache_db[i].session_id,
1703 cache_db[i].session_id_size = 0;
1704 cache_db[i].session_data_size = 0;