Diffstat (limited to 'src/serv.c')
-rw-r--r-- | src/serv.c | 491 |
1 files changed, 258 insertions, 233 deletions
diff --git a/src/serv.c b/src/serv.c index d798356bbd..640ed2ab57 100644 --- a/src/serv.c +++ b/src/serv.c @@ -134,16 +134,14 @@ const int ssl_session_cache = 2048; static void wrap_db_init(void); static void wrap_db_deinit(void); -static int wrap_db_store(void *dbf, gnutls_datum_t key, - gnutls_datum_t data); +static int wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data); static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key); static int wrap_db_delete(void *dbf, gnutls_datum_t key); -static int anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key, - const gnutls_datum_t *data); +static int anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t * key, + const gnutls_datum_t * data); static void cmd_parser(int argc, char **argv); - #define HTTP_STATE_REQUEST 1 #define HTTP_STATE_RESPONSE 2 #define HTTP_STATE_CLOSING 3 @@ -174,7 +172,7 @@ static const char *safe_strerror(int value) static void listener_free(const void *elt) { - listener_item *j = (listener_item *)elt; + listener_item *j = (listener_item *) elt; free(j->http_request); free(j->http_response); @@ -187,7 +185,6 @@ static void listener_free(const void *elt) } } - /* we use primes up to 1024 in this server. * otherwise we should add them here. */ @@ -197,9 +194,8 @@ gnutls_rsa_params_t rsa_params = NULL; static int generate_dh_primes(void) { - int prime_bits = - gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, - GNUTLS_SEC_PARAM_MEDIUM); + int prime_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, + GNUTLS_SEC_PARAM_MEDIUM); if (gnutls_dh_params_init(&dh_params) < 0) { fprintf(stderr, "Error in dh parameter initialization\n"); @@ -248,7 +244,7 @@ static void read_dh_params(void) tmpdata[size] = 0; fclose(fp); - params.data = (unsigned char *) tmpdata; + params.data = (unsigned char *)tmpdata; params.size = size; size = 
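Review bot: The reformatted prototypes in the first hunk detach the pointer declarator from its name, `const gnutls_datum_t * key, const gnutls_datum_t * data`, which reads like a multiplication and contradicts the `listener_item *j` form this same commit produces a few hunks later; that is the usual result of running indent without telling it which project names are typedefs. Declaring them to the formatter (indent's `-T gnutls_datum_t -T listener_item`) and re-running it would yield `const gnutls_datum_t *key` here and would also fix the `listener_item * j` parameters in the retry_handshake/try_rehandshake hunk and the `anti_replay_db_add` definition hunk near the end, which show the same artifact.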
@@ -288,19 +284,24 @@ static gl_list_t listener_list; static int cert_verify_callback(gnutls_session_t session) { -listener_item * j = gnutls_session_get_ptr(session); -unsigned int size; -int ret; + listener_item *j = gnutls_session_get_ptr(session); + unsigned int size; + int ret; if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE) { - if (!require_cert && gnutls_certificate_get_peers(session, &size) == NULL) + if (!require_cert + && gnutls_certificate_get_peers(session, &size) == NULL) return 0; if (ENABLED_OPT(VERIFY_CLIENT_CERT)) { if (cert_verify(session, NULL, NULL) == 0) { do { - ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED); - } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + ret = + gnutls_alert_send(session, + GNUTLS_AL_FATAL, + GNUTLS_A_ACCESS_DENIED); + } while (ret == GNUTLS_E_INTERRUPTED + || ret == GNUTLS_E_AGAIN); j->http_state = HTTP_STATE_CLOSING; return -1; @@ -315,8 +316,7 @@ int ret; /* callback used to verify if the host name advertised in client hello matches * the one configured in server */ -static int -post_client_hello(gnutls_session_t session) +static int post_client_hello(gnutls_session_t session) { int ret; /* DNS names (only type supported) may be at most 256 byte long */ @@ -329,7 +329,7 @@ post_client_hello(gnutls_session_t session) if (name == NULL) return GNUTLS_E_MEMORY_ERROR; - for (i=0; ; ) { + for (i = 0;;) { ret = gnutls_server_name_get(session, name, &len, &type, i); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { char *new_name; @@ -339,7 +339,7 @@ post_client_hello(gnutls_session_t session) goto end; } name = new_name; - continue; /* retry call with same index */ + continue; /* retry call with same index */ } /* check if it is the last entry in list */ 
@@ -362,7 +362,8 @@ post_client_hello(gnutls_session_t session) }; /* when there is no extension, we can't send the extension specific alert */ if (i == 0) { - fprintf(stderr, "Warning: client did not include SNI extension, using default host\n"); + fprintf(stderr, + "Warning: client did not include SNI extension, using default host\n"); ret = GNUTLS_E_SUCCESS; goto end; } @@ -384,7 +385,7 @@ post_client_hello(gnutls_session_t session) } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); /* continue handshake, fall through */ -end: + end: free(name); return ret; } @@ -400,7 +401,8 @@ gnutls_session_t initialize_session(int dtls) gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS]; #endif unsigned alpn_size; - unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK; + unsigned flags = + GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK; if (dtls) flags |= GNUTLS_DATAGRAM; @@ -414,8 +416,7 @@ gnutls_session_t initialize_session(int dtls) */ gnutls_handshake_set_private_extensions(session, 1); - gnutls_handshake_set_timeout(session, - GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); if (nodb == 0) { gnutls_db_set_retrieve_function(session, wrap_db_fetch); @@ -431,9 +432,13 @@ gnutls_session_t initialize_session(int dtls) if (earlydata) { gnutls_anti_replay_enable(session, anti_replay); if (HAVE_OPT(MAXEARLYDATA)) { - ret = gnutls_record_set_max_early_data_size(session, OPT_VALUE_MAXEARLYDATA); + ret = + gnutls_record_set_max_early_data_size(session, + OPT_VALUE_MAXEARLYDATA); if (ret < 0) { - fprintf(stderr, "Could not set max early data size: %s\n", gnutls_strerror(ret)); + fprintf(stderr, + "Could not set max early data size: %s\n", + gnutls_strerror(ret)); exit(1); } } 
@@ -446,7 +451,8 @@ gnutls_session_t initialize_session(int dtls) if (priorities == NULL) { ret = gnutls_set_default_priority(session); if (ret < 0) { - fprintf(stderr, "Could not set default policy: %s\n", gnutls_strerror(ret)); + fprintf(stderr, "Could not set default policy: %s\n", + gnutls_strerror(ret)); exit(1); } } else { @@ -463,15 +469,19 @@ gnutls_session_t initialize_session(int dtls) exit(1); } #else - alpn_size = MIN(MAX_ALPN_PROTOCOLS,alpn_protos_size); - for (i=0;i<alpn_size;i++) { - alpn[i].data = (void*)alpn_protos[i]; + alpn_size = MIN(MAX_ALPN_PROTOCOLS, alpn_protos_size); + for (i = 0; i < alpn_size; i++) { + alpn[i].data = (void *)alpn_protos[i]; alpn[i].size = strlen(alpn_protos[i]); } - ret = gnutls_alpn_set_protocols(session, alpn, alpn_size, HAVE_OPT(ALPN_FATAL)?GNUTLS_ALPN_MANDATORY:0); + ret = + gnutls_alpn_set_protocols(session, alpn, alpn_size, + HAVE_OPT(ALPN_FATAL) ? + GNUTLS_ALPN_MANDATORY : 0); if (ret < 0) { - fprintf(stderr, "Error setting ALPN protocols: %s\n", gnutls_strerror(ret)); + fprintf(stderr, "Error setting ALPN protocols: %s\n", + gnutls_strerror(ret)); exit(1); } #endif @@ -488,7 +498,7 @@ gnutls_session_t initialize_session(int dtls) if (cert_cred != NULL) { gnutls_certificate_set_verify_function(cert_cred, - cert_verify_callback); + cert_verify_callback); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); @@ -540,14 +550,15 @@ gnutls_session_t initialize_session(int dtls) else if (ret != 0) fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret)); - else fprintf(stderr,"DTLS profile set to %s\n", - OPT_ARG(SRTP_PROFILES)); + else + fprintf(stderr, "DTLS profile set to %s\n", + OPT_ARG(SRTP_PROFILES)); - if (ret != 0) exit(1); + if (ret != 0) + exit(1); } #endif - return session; } 
@@ -591,7 +602,8 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, return http_buffer; } - if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) == GNUTLS_CRT_X509) { + if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) == + GNUTLS_CRT_X509) { const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; @@ -612,7 +624,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, const char post[] = "</PRE><P><PRE>"; char *crtinfo_new; size_t ncrtinfo_new; - + ncrtinfo_new = xsum3(ncrtinfo, info.size, sizeof(post)); if (size_overflow_p(ncrtinfo_new)) { @@ -628,8 +640,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, memcpy(crtinfo + ncrtinfo, info.data, info.size); ncrtinfo += info.size; - memcpy(crtinfo + ncrtinfo, post, - strlen(post)); + memcpy(crtinfo + ncrtinfo, post, strlen(post)); ncrtinfo += strlen(post); crtinfo[ncrtinfo] = '\0'; gnutls_free(info.data); @@ -694,12 +705,10 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, } #endif - /* print session information */ strcat(http_buffer, "<P>\n"); - tmp = - gnutls_protocol_get_name(version); + tmp = gnutls_protocol_get_name(version); if (tmp == NULL) tmp = str_unknown; snprintf(tmp_buffer, tmp_buffer_size, 
@@ -709,16 +718,18 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, desc = gnutls_session_get_desc(session); if (desc) { snprintf(tmp_buffer, tmp_buffer_size, - "<TR><TD>Description:</TD><TD>%s</TD></TR>\n", - desc); + "<TR><TD>Description:</TD><TD>%s</TD></TR>\n", desc); gnutls_free(desc); } if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE && - gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) != GNUTLS_CRT_X509) { + gnutls_certificate_type_get2(session, + GNUTLS_CTYPE_CLIENT) != + GNUTLS_CRT_X509) { tmp = gnutls_certificate_type_get_name - (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT)); + (gnutls_certificate_type_get2 + (session, GNUTLS_CTYPE_CLIENT)); if (tmp == NULL) tmp = str_unknown; snprintf(tmp_buffer, tmp_buffer_size, @@ -749,7 +760,9 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, } #endif - tmp = gnutls_compression_get_name(gnutls_compression_get(session)); + tmp = + gnutls_compression_get_name(gnutls_compression_get + (session)); if (tmp == NULL) tmp = str_unknown; snprintf(tmp_buffer, tmp_buffer_size, @@ -761,8 +774,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, if (tmp == NULL) tmp = str_unknown; snprintf(tmp_buffer, tmp_buffer_size, - "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR>\n", - tmp); + "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR>\n", tmp); } tmp = gnutls_cipher_get_name(gnutls_cipher_get(session)); @@ -777,8 +789,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, snprintf(tmp_buffer, tmp_buffer_size, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp); - snprintf(tmp_buffer, tmp_buffer_size, - "</TABLE></P>\n"); + snprintf(tmp_buffer, tmp_buffer_size, "</TABLE></P>\n"); if (crtinfo) { snprintf(tmp_buffer, tmp_buffer_size, 
@@ -821,9 +832,7 @@ static char *peer_print_data(gnutls_session_t session, int *ret_length) ret = asprintf(&http_buffer, "HTTP/1.0 200 OK\r\n" "Content-Type: application/octet-stream\r\n" - "Content-Length: %u\r\n" - "\r\n", - data.size); + "Content-Length: %u\r\n" "\r\n", data.size); if (ret < 0) return NULL; len = ret; @@ -861,8 +870,7 @@ const char *human_addr(const struct sockaddr *sa, socklen_t salen, buf += l; buflen -= l; - if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) != - 0) { + if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) != 0) { return "(error)"; } @@ -877,8 +885,7 @@ const char *human_addr(const struct sockaddr *sa, socklen_t salen, buf += 6; buflen -= 6; - if (getnameinfo(sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) != - 0) { + if (getnameinfo(sa, salen, NULL, 0, buf, buflen, NI_NUMERICSERV) != 0) { snprintf(buf, buflen, "%s", " unknown"); } @@ -945,8 +952,7 @@ int listen_socket(const char *name, int listen_port, int socktype) hints.ai_flags = AI_PASSIVE; if ((s = getaddrinfo(NULL, portname, &hints, &res)) != 0) { - fprintf(stderr, "getaddrinfo() failed: %s\n", - gai_strerror(s)); + fprintf(stderr, "getaddrinfo() failed: %s\n", gai_strerror(s)); return -1; } 
@@ -968,26 +974,25 @@ int listen_socket(const char *name, int listen_port, int socktype) } if ((news = socket(ptr->ai_family, ptr->ai_socktype, - ptr->ai_protocol)) < 0) { + ptr->ai_protocol)) < 0) { perror("socket() failed"); continue; } - s = news; /* to not overwrite existing s from previous loops */ + s = news; /* to not overwrite existing s from previous loops */ #if defined(HAVE_IPV6) && !defined(_WIN32) if (ptr->ai_family == AF_INET6) { yes = 1; /* avoid listen on ipv6 addresses failing * because already listening on ipv4 addresses: */ (void)setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, - (const void *) &yes, sizeof(yes)); + (const void *)&yes, sizeof(yes)); } #endif if (socktype == SOCK_STREAM) { yes = 1; if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, - (const void *) &yes, - sizeof(yes)) < 0) { + (const void *)&yes, sizeof(yes)) < 0) { perror("setsockopt() failed"); close(s); continue; @@ -996,14 +1001,12 @@ int listen_socket(const char *name, int listen_port, int socktype) #if defined(IP_DONTFRAG) yes = 1; if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG, - (const void *) &yes, - sizeof(yes)) < 0) + (const void *)&yes, sizeof(yes)) < 0) perror("setsockopt(IP_DF) failed"); #elif defined(IP_MTU_DISCOVER) yes = IP_PMTUDISC_DO; if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, - (const void *) &yes, - sizeof(yes)) < 0) + (const void *)&yes, sizeof(yes)) < 0) perror("setsockopt(IP_DF) failed"); #endif } @@ -1046,8 +1049,7 @@ static void strip(char *data) int len = strlen(data); for (i = 0; i < len; i++) { - if (data[i] == '\r' && data[i + 1] == '\n' - && data[i + 2] == 0) { + if (data[i] == '\r' && data[i + 1] == '\n' && data[i + 2] == 0) { data[i] = '\n'; data[i + 1] = 0; break; 
@@ -1079,7 +1081,8 @@ get_response(gnutls_session_t session, char *request, if (http != 0) { if (http_data_file == NULL) - *response = peer_print_info(session, response_length, h); + *response = + peer_print_info(session, response_length, h); else *response = peer_print_data(session, response_length); } else { @@ -1107,15 +1110,17 @@ get_response(gnutls_session_t session, char *request, } else { *response = NULL; do { - ret = gnutls_alert_send_appropriate(session, ret); - } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + ret = + gnutls_alert_send_appropriate(session, ret); + } while (ret == GNUTLS_E_AGAIN + || ret == GNUTLS_E_INTERRUPTED); return 0; } } return 1; - unimplemented: + unimplemented: *response = strdup(HTTP_UNIMPLEMENTED); if (*response == NULL) return 0; @@ -1123,7 +1128,7 @@ get_response(gnutls_session_t session, char *request, return 1; } -static void terminate(int sig) __attribute__ ((__noreturn__)); +static void terminate(int sig) __attribute__((__noreturn__)); static void terminate(int sig) { @@ -1142,7 +1147,6 @@ static void terminate(int sig) _exit(1); } - static void check_alert(gnutls_session_t session, int ret) { if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED @@ -1188,8 +1192,7 @@ int main(int argc, char **argv) sockets_init(); listener_list = gl_list_create_empty(GL_LINKED_LIST, - NULL, NULL, listener_free, - true); + NULL, NULL, listener_free, true); if (nodb == 0) wrap_db_init(); @@ -1221,8 +1224,7 @@ int main(int argc, char **argv) gnutls_strerror(ret)); else { ret = - gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), - NULL); + gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), NULL); if (ret < 0) { fprintf(stderr, "pkcs11_add_provider: %s", gnutls_strerror(ret)); 
@@ -1254,8 +1256,7 @@ int main(int argc, char **argv) if (x509_cafile != NULL) { if ((ret = gnutls_certificate_set_x509_trust_file (cert_cred, x509_cafile, x509ctype)) < 0) { - fprintf(stderr, "Error reading '%s'\n", - x509_cafile); + fprintf(stderr, "Error reading '%s'\n", x509_cafile); GERR(ret); exit(1); } else { @@ -1265,8 +1266,7 @@ int main(int argc, char **argv) if (x509_crlfile != NULL) { if ((ret = gnutls_certificate_set_x509_crl_file (cert_cred, x509_crlfile, x509ctype)) < 0) { - fprintf(stderr, "Error reading '%s'\n", - x509_crlfile); + fprintf(stderr, "Error reading '%s'\n", x509_crlfile); GERR(ret); exit(1); } else { @@ -1277,31 +1277,35 @@ int main(int argc, char **argv) if (x509_certfile_size > 0 && x509_keyfile_size > 0) { for (i = 0; i < x509_certfile_size; i++) { ret = gnutls_certificate_set_x509_key_file - (cert_cred, x509_certfile[i], x509_keyfile[i], x509ctype); + (cert_cred, x509_certfile[i], x509_keyfile[i], + x509ctype); if (ret < 0) { fprintf(stderr, - "Error reading '%s' or '%s'\n", - x509_certfile[i], x509_keyfile[i]); + "Error reading '%s' or '%s'\n", + x509_certfile[i], x509_keyfile[i]); GERR(ret); exit(1); } else cert_set = 1; } } - + /* Raw public-key credentials */ if (rawpk_file_size > 0 && rawpk_keyfile_size > 0) { for (i = 0; i < rawpk_keyfile_size; i++) { - ret = gnutls_certificate_set_rawpk_key_file(cert_cred, rawpk_file[i], - rawpk_keyfile[i], - x509ctype, - NULL, 0, NULL, 0, - 0, 0); + ret = + gnutls_certificate_set_rawpk_key_file(cert_cred, + rawpk_file[i], + rawpk_keyfile + [i], + x509ctype, + NULL, 0, NULL, + 0, 0, 0); if (ret < 0) { - fprintf(stderr, "Error reading '%s' or '%s'\n", - rawpk_file[i], rawpk_keyfile[i]); - GERR(ret); - exit(1); + fprintf(stderr, "Error reading '%s' or '%s'\n", + rawpk_file[i], rawpk_keyfile[i]); + GERR(ret); + exit(1); } else { cert_set = 1; } 
@@ -1312,25 +1316,24 @@ int main(int argc, char **argv) fprintf(stderr, "Warning: no private key and certificate pairs were set.\n"); } - #ifndef ENABLE_OCSP if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS) || ocsp_responses_size != 0) { fprintf(stderr, "OCSP is not supported!\n"); - exit(1); + exit(1); } #else /* OCSP status-request TLS extension */ if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS)) - gnutls_certificate_set_flags(cert_cred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); + gnutls_certificate_set_flags(cert_cred, + GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); - for (i = 0; i < ocsp_responses_size; i++ ) { + for (i = 0; i < ocsp_responses_size; i++) { ret = gnutls_certificate_set_ocsp_status_request_file (cert_cred, ocsp_responses[i], 0); if (ret < 0) { fprintf(stderr, "Cannot set OCSP status request file: %s: %s\n", - ocsp_responses[i], - gnutls_strerror(ret)); + ocsp_responses[i], gnutls_strerror(ret)); exit(1); } } @@ -1338,9 +1341,13 @@ int main(int argc, char **argv) if (use_static_dh_params) { #if defined(ENABLE_DHE) || defined(ENABLE_ANON) - ret = gnutls_certificate_set_known_dh_params(cert_cred, GNUTLS_SEC_PARAM_MEDIUM); + ret = + gnutls_certificate_set_known_dh_params(cert_cred, + GNUTLS_SEC_PARAM_MEDIUM); if (ret < 0) { - fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret)); + fprintf(stderr, + "Error while setting DH parameters: %s\n", + gnutls_strerror(ret)); exit(1); } #else @@ -1365,8 +1372,7 @@ int main(int argc, char **argv) < 0) { /* only exit is this function is not disabled */ - fprintf(stderr, - "Error while setting SRP parameters\n"); + fprintf(stderr, "Error while setting SRP parameters\n"); GERR(ret); } } 
@@ -1380,12 +1386,10 @@ int main(int argc, char **argv) if ((ret = gnutls_psk_set_server_credentials_file(psk_cred, - psk_passwd)) < - 0) { + psk_passwd)) < 0) { /* only exit is this function is not disabled */ - fprintf(stderr, - "Error while setting PSK parameters\n"); + fprintf(stderr, "Error while setting PSK parameters\n"); GERR(ret); } @@ -1401,9 +1405,13 @@ int main(int argc, char **argv) } if (use_static_dh_params) { - ret = gnutls_psk_set_server_known_dh_params(psk_cred, GNUTLS_SEC_PARAM_MEDIUM); + ret = + gnutls_psk_set_server_known_dh_params(psk_cred, + GNUTLS_SEC_PARAM_MEDIUM); if (ret < 0) { - fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret)); + fprintf(stderr, + "Error while setting DH parameters: %s\n", + gnutls_strerror(ret)); exit(1); } } else { @@ -1417,9 +1425,13 @@ int main(int argc, char **argv) gnutls_anon_allocate_server_credentials(&dh_cred); if (use_static_dh_params) { - ret = gnutls_anon_set_server_known_dh_params(dh_cred, GNUTLS_SEC_PARAM_MEDIUM); + ret = + gnutls_anon_set_server_known_dh_params(dh_cred, + GNUTLS_SEC_PARAM_MEDIUM); if (ret < 0) { - fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret)); + fprintf(stderr, + "Error while setting DH parameters: %s\n", + gnutls_strerror(ret)); exit(1); } } else { @@ -1433,10 +1445,13 @@ int main(int argc, char **argv) if (earlydata) { ret = gnutls_anti_replay_init(&anti_replay); if (ret < 0) { - fprintf(stderr, "Error while initializing anti-replay: %s\n", gnutls_strerror(ret)); + fprintf(stderr, + "Error while initializing anti-replay: %s\n", + gnutls_strerror(ret)); exit(1); } - gnutls_anti_replay_set_add_function(anti_replay, anti_replay_db_add); + gnutls_anti_replay_set_add_function(anti_replay, + anti_replay_db_add); gnutls_anti_replay_set_ptr(anti_replay, NULL); } 
@@ -1458,7 +1473,7 @@ int main(int argc, char **argv) return 0; } -static void retry_handshake(listener_item *j) +static void retry_handshake(listener_item * j) { int r, ret; @@ -1476,17 +1491,16 @@ static void retry_handshake(listener_item *j) } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); j->close_ok = 0; } else if (r == 0) { - if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0) + if (gnutls_session_is_resumed(j->tls_session) != 0 + && verbose != 0) printf("*** This is a resumed session\n"); if (verbose != 0) { #if 0 printf("- connection from %s\n", - human_addr((struct sockaddr *) - &client_address, - calen, - topbuf, - sizeof(topbuf))); + human_addr((struct sockaddr *) + &client_address, + calen, topbuf, sizeof(topbuf))); #endif print_info(j->tls_session, verbose, verbose); @@ -1504,7 +1518,7 @@ static void retry_handshake(listener_item *j) } } -static void try_rehandshake(listener_item *j) +static void try_rehandshake(listener_item * j) { int r, ret; fprintf(stderr, "*** Received hello message\n"); @@ -1517,7 +1531,8 @@ static void try_rehandshake(listener_item *j) do { ret = gnutls_alert_send_appropriate(j->tls_session, r); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); - fprintf(stderr, "Error in rehandshake: %s\n", gnutls_strerror(r)); + fprintf(stderr, "Error in rehandshake: %s\n", + gnutls_strerror(r)); j->http_state = HTTP_STATE_CLOSING; } else { j->close_ok = 1; 
@@ -1558,20 +1573,20 @@ static void tcp_server(const char *name, int port) /* flag which connections we are reading or writing to within the fd sets */ iter = gl_list_iterator(listener_list); while (gl_list_iterator_next(&iter, &elt, &node)) { - listener_item *j = (listener_item *)elt; + listener_item *j = (listener_item *) elt; #ifndef _WIN32 val = fcntl(j->fd, F_GETFL, 0); if ((val == -1) - || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) < - 0)) { + || (fcntl(j->fd, F_SETFL, val | O_NONBLOCK) < 0)) { perror("fcntl()"); exit(1); } #endif if (j->start != 0 && now - j->start > 30) { if (verbose != 0) { - fprintf(stderr, "Scheduling inactive connection for close\n"); + fprintf(stderr, + "Scheduling inactive connection for close\n"); } j->http_state = HTTP_STATE_CLOSING; } @@ -1606,16 +1621,14 @@ static void tcp_server(const char *name, int port) /* read or write to each connection as indicated by select()'s return argument */ iter = gl_list_iterator(listener_list); while (gl_list_iterator_next(&iter, &elt, &node)) { - listener_item *j = (listener_item *)elt; + listener_item *j = (listener_item *) elt; /* a new connection has arrived */ if (FD_ISSET(j->fd, &rd) && j->listen_socket) { calen = sizeof(client_address); memset(&client_address, 0, calen); - accept_fd = - accept(j->fd, - (struct sockaddr *) - &client_address, &calen); + accept_fd = accept(j->fd, (struct sockaddr *) + &client_address, &calen); if (accept_fd < 0) { perror("accept()"); 
@@ -1628,14 +1641,14 @@ static void tcp_server(const char *name, int port) /* new list entry for the connection */ jj = xzalloc(sizeof(*jj)); gl_list_add_last(accepted_list, jj); - jj->http_request = - (char *) strdup(""); + jj->http_request = (char *)strdup(""); jj->http_state = HTTP_STATE_REQUEST; jj->fd = accept_fd; jj->start = tt; jj->tls_session = initialize_session(0); - gnutls_session_set_ptr(jj->tls_session, jj); + gnutls_session_set_ptr(jj->tls_session, + jj); gnutls_transport_set_int (jj->tls_session, accept_fd); set_read_funcs(jj->tls_session); @@ -1643,27 +1656,26 @@ static void tcp_server(const char *name, int port) jj->close_ok = 0; if (verbose != 0) { - ctt = simple_ctime(&tt, timebuf); + ctt = + simple_ctime(&tt, timebuf); ctt[strlen(ctt) - 1] = 0; printf ("\n* Accepted connection from %s on %s\n", human_addr((struct - sockaddr - *) + sockaddr *) &client_address, calen, topbuf, sizeof - (topbuf)), - ctt); + (topbuf)), ctt); } } } if (FD_ISSET(j->fd, &rd) && !j->listen_socket) { /* read partial GET request */ - char buf[16*1024]; + char buf[16 * 1024]; int r; if (j->handshake_ok == 0) { @@ -1673,12 +1685,10 @@ static void tcp_server(const char *name, int port) if (j->handshake_ok == 1) { int earlydata_read = 0; if (earlydata && !j->earlydata_eof) { - r = gnutls_record_recv_early_data(j-> - tls_session, - buf, - MIN(sizeof(buf), - SMALL_READ_TEST)); - if (r == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + r = gnutls_record_recv_early_data(j->tls_session, buf, MIN(sizeof(buf), SMALL_READ_TEST)); + if (r == + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + { j->earlydata_eof = 1; } if (r == 0) { 
@@ -1686,52 +1696,62 @@ static void tcp_server(const char *name, int port) } } if (!earlydata_read) { - r = gnutls_record_recv(j-> - tls_session, - buf, - MIN(sizeof(buf), - SMALL_READ_TEST)); + r = gnutls_record_recv + (j->tls_session, buf, + MIN(sizeof(buf), + SMALL_READ_TEST)); } - if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { + if (r == GNUTLS_E_INTERRUPTED + || r == GNUTLS_E_AGAIN) { /* do nothing */ } else if (r <= 0) { - if (r == GNUTLS_E_HEARTBEAT_PING_RECEIVED) { - gnutls_heartbeat_pong(j->tls_session, 0); - } else if (r == GNUTLS_E_REHANDSHAKE) { + if (r == + GNUTLS_E_HEARTBEAT_PING_RECEIVED) + { + gnutls_heartbeat_pong + (j->tls_session, 0); + } else if (r == + GNUTLS_E_REHANDSHAKE) + { try_rehandshake(j); } else { - j->http_state = HTTP_STATE_CLOSING; + j->http_state = + HTTP_STATE_CLOSING; if (r < 0) { int ret; - check_alert(j->tls_session, r); + check_alert + (j->tls_session, + r); fprintf(stderr, - "Error while receiving data\n"); + "Error while receiving data\n"); do { - ret = gnutls_alert_send_appropriate(j->tls_session, r); - } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + ret = + gnutls_alert_send_appropriate + (j->tls_session, + r); + } while (ret == + GNUTLS_E_AGAIN + || ret + == + GNUTLS_E_INTERRUPTED); GERR(r); j->close_ok = 0; } } } else { j->http_request = - realloc(j-> - http_request, - j-> - request_length + realloc(j->http_request, + j->request_length + r + 1); - if (j->http_request != - NULL) { - memcpy(j-> - http_request + if (j->http_request != NULL) { + memcpy(j->http_request + j-> request_length, buf, r); - j->request_length - += r; - j->http_request[j-> - request_length] + j->request_length += r; + j->http_request + [j->request_length] = '\0'; } else { j->http_state = 
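Review bot: `j->http_request = realloc(j->http_request, j->request_length + r + 1);` overwrites the only pointer to the request buffer, so when realloc fails the old allocation leaks and the else branch (which continues past the hunk) is left with `j->http_request == NULL`; assign through a temporary instead: `char *grown = realloc(j->http_request, j->request_length + r + 1); if (grown != NULL) { j->http_request = grown;` and keep the existing else branch for the failure case. The `realloc(cache_db[i].session_data.data, data.size)` in the wrap_db_store hunk has the same shape and likewise loses the old session-data buffer on failure. tcp_server starts and ends outside this hunk.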
@@ -1741,31 +1761,27 @@ static void tcp_server(const char *name, int port) /* check if we have a full HTTP header */ j->http_response = NULL; - if (j->http_state == HTTP_STATE_REQUEST && j->http_request != NULL) { + if (j->http_state == HTTP_STATE_REQUEST + && j->http_request != NULL) { if ((http == 0 - && strchr(j-> - http_request, + && strchr(j->http_request, '\n')) - || strstr(j-> - http_request, + || strstr(j->http_request, "\r\n\r\n") - || strstr(j-> - http_request, + || strstr(j->http_request, "\n\n")) { - if (get_response(j-> - tls_session, - j-> - http_request, - &j-> - http_response, - &j-> - response_length)) { + if (get_response + (j->tls_session, + j->http_request, + &j->http_response, + &j-> + response_length)) { j->http_state = HTTP_STATE_RESPONSE; - j->response_written - = 0; + j->response_written = 0; } else { - j->http_state = HTTP_STATE_CLOSING; + j->http_state = + HTTP_STATE_CLOSING; } } } 
@@ -1780,43 +1796,51 @@ static void tcp_server(const char *name, int port) retry_handshake(j); } - if (j->handshake_ok == 1 && j->http_response == NULL) { + if (j->handshake_ok == 1 + && j->http_response == NULL) { j->http_state = HTTP_STATE_CLOSING; - } else if (j->handshake_ok == 1 && j->http_response != NULL) { + } else if (j->handshake_ok == 1 + && j->http_response != NULL) { r = gnutls_record_send(j->tls_session, j->http_response + j->response_written, - MIN(j->response_length - - - j->response_written, - SMALL_READ_TEST)); - if (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN) { + MIN + (j->response_length + - + j->response_written, + SMALL_READ_TEST)); + if (r == GNUTLS_E_INTERRUPTED + || r == GNUTLS_E_AGAIN) { /* do nothing */ } else if (r <= 0) { - j->http_state = HTTP_STATE_CLOSING; + j->http_state = + HTTP_STATE_CLOSING; if (r < 0) { fprintf(stderr, "Error while sending data\n"); GERR(r); } - check_alert(j->tls_session, - r); + check_alert(j->tls_session, r); } else { j->response_written += r; /* check if we have written a complete response */ if (j->response_written == j->response_length) { if (http != 0) - j->http_state = HTTP_STATE_CLOSING; + j->http_state = + HTTP_STATE_CLOSING; else { - j->http_state = HTTP_STATE_REQUEST; + j->http_state = + HTTP_STATE_REQUEST; free(j-> http_response); - j->http_response = NULL; + j->http_response + = NULL; j->response_length = 0; j->request_length = 0; - j->http_request[0] = 0; + j->http_request + [0] = 0; } } } @@ -1849,7 +1873,6 @@ static void tcp_server(const char *name, int port) gl_list_free(accepted_list); } - gnutls_certificate_free_credentials(cert_cred); #ifdef ENABLE_SRP 
@@ -1937,16 +1960,17 @@ static void cmd_parser(int argc, char **argv) } if (x509_certfile_size != x509_keyfile_size) { - fprintf(stderr, "The certificate number provided (%u) doesn't match the keys (%u)\n", + fprintf(stderr, + "The certificate number provided (%u) doesn't match the keys (%u)\n", x509_certfile_size, x509_keyfile_size); - exit(1); + exit(1); } if (HAVE_OPT(X509CAFILE)) x509_cafile = OPT_ARG(X509CAFILE); if (HAVE_OPT(X509CRLFILE)) x509_crlfile = OPT_ARG(X509CRLFILE); - + if (HAVE_OPT(RAWPKKEYFILE)) { rawpk_keyfile = STACKLST_OPT(RAWPKKEYFILE); rawpk_keyfile_size = STACKCT_OPT(RAWPKKEYFILE); @@ -1958,9 +1982,10 @@ static void cmd_parser(int argc, char **argv) } if (rawpk_file_size != rawpk_keyfile_size) { - fprintf(stderr, "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n", + fprintf(stderr, + "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n", rawpk_file_size, rawpk_keyfile_size); - exit(1); + exit(1); } if (HAVE_OPT(SRPPASSWD)) @@ -2016,8 +2041,7 @@ static void wrap_db_deinit(void) free(cache_db); } -static int -wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data) +static int wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data) { int i; time_t now = time(0); @@ -2034,15 +2058,15 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data) for (i = 0; i < cache_db_ptr; i++) if (cache_db[i].session_id_size == 0 || !(now < - gnutls_db_check_entry_expire_time(&cache_db[i]. + gnutls_db_check_entry_expire_time(&cache_db + [i]. session_data))) break; if (i == cache_db_ptr) { /* try to allocate additional slots */ if (cache_db_ptr == ssl_session_cache) { - fprintf(stderr, - "Error: too many sessions\n"); + fprintf(stderr, "Error: too many sessions\n"); return GNUTLS_E_DB_ERROR; } cache_db_alloc = cache_db_alloc * 2 + 1; 
@@ -2062,8 +2086,7 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data) /* resize the data slot if needed */ if (cache_db[i].session_data.size < data.size) { cache_db[i].session_data.data = - realloc(cache_db[i].session_data.data, - data.size); + realloc(cache_db[i].session_data.data, data.size); if (!cache_db[i].session_data.data) return GNUTLS_E_MEMORY_ERROR; } @@ -2083,8 +2106,9 @@ static gnutls_datum_t wrap_db_fetch(void *dbf, gnutls_datum_t key) if (key.size == cache_db[i].session_id_size && memcmp(key.data, cache_db[i].session_id, key.size) == 0 && - now < gnutls_db_check_entry_expire_time(&cache_db[i]. - session_data)) { + now < + gnutls_db_check_entry_expire_time(&cache_db + [i].session_data)) { res.size = cache_db[i].session_data.size; res.data = malloc(res.size); @@ -2106,8 +2130,7 @@ static int wrap_db_delete(void *dbf, gnutls_datum_t key) for (i = 0; i < cache_db_ptr; i++) { if (key.size == cache_db[i].session_id_size && - memcmp(key.data, cache_db[i].session_id, - key.size) == 0) { + memcmp(key.data, cache_db[i].session_id, key.size) == 0) { cache_db[i].session_id_size = 0; free(cache_db[i].session_data.data); @@ -2122,7 +2145,8 @@ static int wrap_db_delete(void *dbf, gnutls_datum_t key) } static int -anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key, const gnutls_datum_t *data) +anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t * key, + const gnutls_datum_t * data) { time_t now = time(0); int i; @@ -2131,8 +2155,9 @@ anti_replay_db_add(void *dbf, time_t exp, const gnutls_datum_t *key, const gnutl if (key->size == cache_db[i].session_id_size && memcmp(key->data, cache_db[i].session_id, key->size) == 0 && - now < gnutls_db_check_entry_expire_time(&cache_db[i]. - session_data)) + now < + gnutls_db_check_entry_expire_time(&cache_db + [i].session_data)) return GNUTLS_E_DB_ENTRY_EXISTS; } |