Implement TLS exchange with clients

This probably leaves a bit to be desired tbh
2020-09-24 19:58:34 -04:00 · 2020-09-24 19:58:34 -04:00 · fa69887e52
commit fa69887e52
parent 7af04ea471
7 changed files with 145 additions and 17 deletions
--- a/include/config.h
+++ b/include/config.h
@ -7,12 +7,12 @@ struct gmnisrv_tls {
 	char *store;
 	char *organization;
 	char *email;
+	SSL_CTX *ssl_ctx;
 };

 struct gmnisrv_host {
 	char *hostname;
 	char *root;
-	SSL_CTX *ssl_ctx;
 	X509 *x509;
 	EVP_PKEY *pkey;
 	struct gmnisrv_host *next;
--- a/include/server.h
+++ b/include/server.h
@ -1,5 +1,6 @@
 #ifndef GMNISRV_SERVER
 #define GMNISRV_SERVER
+#include <openssl/ssl.h>
 #include <poll.h>
 #include <stdbool.h>

@ -8,11 +9,14 @@
 struct gmnisrv_client {
 	struct sockaddr addr;
 	socklen_t addrlen;
-
-	char buf[GEMINI_MAX_URL + 2];
-	size_t bufln;
-
 	int sockfd;
+
+	SSL *ssl;
+	BIO *bio;
+
+	char buf[GEMINI_MAX_URL + 3];
+
+	struct gmnisrv_host *host;
 };

 struct gmisrv_config;
--- a/include/tls.h
+++ b/include/tls.h
@ -4,5 +4,7 @@
 struct gmnisrv_config;

 int gmnisrv_tls_init(struct gmnisrv_config *conf);
+SSL *gmnisrv_tls_get_ssl(struct gmnisrv_config *conf, int fd);
+void gmnisrv_tls_set_host(SSL *ssl, struct gmnisrv_host *host);

 #endif
--- a/src/log.c
+++ b/src/log.c
@ -8,7 +8,7 @@
 static void
 server_logf(FILE *f, const char *fmt, va_list ap)
 {
-	fprintf(f, "<server>\t");
+	fprintf(f, "[gmnisrv] ");
 	vfprintf(f, fmt, ap);
 	fprintf(f, "\n");
 }
@ -16,12 +16,12 @@ server_logf(FILE *f, const char *fmt, va_list ap)
 static void
 client_logf(FILE *f, struct sockaddr *addr, const char *fmt, va_list ap)
 {
-	char abuf[INET6_ADDRSTRLEN];
+	char abuf[INET6_ADDRSTRLEN + 1];
 	const char *addrs = inet_ntop(addr->sa_family,
 		addr->sa_data, abuf, sizeof(abuf));
 	assert(addrs);

-	fprintf(f, "%s\t", addrs);
+	fprintf(f, "%s ", addrs);
 	vfprintf(f, fmt, ap);
 	fprintf(f, "\n");
 }
--- a/src/main.c
+++ b/src/main.c
@ -1,6 +1,7 @@
 #include <getopt.h>
 #include <stdio.h>
 #include "config.h"
+#include "log.h"
 #include "server.h"
 #include "tls.h"

@ -38,11 +39,13 @@ main(int argc, char **argv)

 	int r = load_config(&conf, confpath);
 	if (r != 0) {
+		server_error("Config load failed");
 		goto exit_conf;
 	}

 	r = gmnisrv_tls_init(&conf);
 	if (r != 0) {
+		server_error("TLS initialization failed");
 		goto exit_conf;
 	}

--- a/src/server.c
+++ b/src/server.c
@ -1,6 +1,7 @@
 #include <arpa/inet.h>
 #include <assert.h>
 #include <errno.h>
+#include <openssl/err.h>
 #include <signal.h>
 #include <stdbool.h>
 #include <stdio.h>
@ -9,8 +10,9 @@
 #include <sys/socket.h>
 #include <unistd.h>
 #include "config.h"
-#include "server.h"
 #include "log.h"
+#include "server.h"
+#include "tls.h"

 int
 server_init(struct gmnisrv_server *server, struct gmnisrv_config *conf)
@ -135,7 +137,7 @@ accept_client(struct gmnisrv_server *server, int fd)
 	struct gmnisrv_client *client = &server->clients[server->nclients++];
 	client->sockfd = sockfd;
 	client->addrlen = addrlen;
-	memcpy(&client->addr, &addr, addrlen);
+	memcpy(&client->addr, &addr, sizeof(addr));
 	pollfd->fd = sockfd;
 	pollfd->events = POLLIN;
 }
@ -153,16 +155,72 @@ disconnect_client(struct gmnisrv_server *server, struct gmnisrv_client *client)
 	--server->nclients;
 }

+static int
+client_init_ssl(struct gmnisrv_server *server, struct gmnisrv_client *client)
+{
+	// TODO: Re-work this to use a non-blocking bio
+	client->ssl = gmnisrv_tls_get_ssl(server->conf, client->sockfd);
+	if (!client->ssl) {
+		client_error(&client->addr,
+			"unable to initialize SSL, disconnecting");
+		disconnect_client(server, client);
+		return 1;
+	}
+
+	int r = SSL_accept(client->ssl);
+	if (r != 1) {
+		r = SSL_get_error(client->ssl, r);
+		client_error(&client->addr, "SSL accept error %s, disconnecting",
+				ERR_error_string(r, NULL));
+		disconnect_client(server, client);
+		return 1;
+	}
+
+	BIO *sbio = BIO_new(BIO_f_ssl());
+	BIO_set_ssl(sbio, client->ssl, 0);
+	client->bio = BIO_new(BIO_f_buffer());
+	BIO_push(client->bio, sbio);
+	return 0;
+}
+
 static void
 client_readable(struct gmnisrv_server *server, struct gmnisrv_client *client)
 {
-	// TODO
-	ssize_t n = read(client->sockfd, client->buf, sizeof(client->buf));
-	if (n == 0) {
+	if (!client->ssl && client_init_ssl(server, client) != 0) {
+		return;
+	}
+
+	int r = BIO_gets(client->bio, client->buf, sizeof(client->buf));
+	if (r <= 0) {
+		r = SSL_get_error(client->ssl, r);
+		if (r == SSL_ERROR_WANT_READ) {
+			return;
+		}
+		client_error(&client->addr, "SSL read error %s, disconnecting",
+				ERR_error_string(r, NULL));
 		disconnect_client(server, client);
 		return;
 	}
-	(void)server;
+	client->buf[r] = '\0';
+
+	if (!client->host) {
+		// TODO: We can do a friendly disconnect at this point
+		client_error(&client->addr,
+			"client did not perform SNI, disconnecting");
+		disconnect_client(server, client);
+		return;
+	}
+
+	char *newline = strstr(client->buf, "\r\n");
+	if (!newline) {
+		// TODO: We can do a friendly disconnect at this point
+		client_error(&client->addr, "protocol error, disconnecting");
+		disconnect_client(server, client);
+		return;
+	}
+	*newline = 0;
+
+	client_log(&client->addr, "%s", client->buf);
 }

 static void
@ -173,6 +231,37 @@ client_writable(struct gmnisrv_server *server, struct gmnisrv_client *client)
 	(void)client;
 }

+static long
+sni_callback(SSL *ssl, int *al, void *arg)
+{
+	(void)al;
+	struct gmnisrv_server *server = (struct gmnisrv_server *)arg;
+	struct gmnisrv_client *client;
+	for (size_t i = 0; i < server->nclients; ++i) {
+		client = &server->clients[i];
+		if (client->ssl == ssl) {
+			break;
+		}
+		client = NULL;
+	}
+
+	if (!client) {
+		return SSL_TLSEXT_ERR_NOACK;
+	}
+
+	const char *hostname = SSL_get_servername(client->ssl,
+		SSL_get_servername_type(client->ssl));
+	struct gmnisrv_host *host = gmnisrv_config_get_host(
+		server->conf, hostname);
+	if (!host) {
+		return SSL_TLSEXT_ERR_NOACK;
+	}
+
+	client->host = host;
+	gmnisrv_tls_set_host(client->ssl, client->host);
+	return SSL_TLSEXT_ERR_OK;
+}
+
 bool *run;

 static void
@ -196,6 +285,10 @@ server_run(struct gmnisrv_server *server)
 	r = sigaction(SIGTERM, &act, &oterm);
 	assert(r == 0);

+	SSL_CTX_set_tlsext_servername_arg(server->conf->tls.ssl_ctx, server);
+	SSL_CTX_set_tlsext_servername_callback(
+		server->conf->tls.ssl_ctx, sni_callback);
+
 	server_log("gmnisrv started");

 	server->run = true;
--- a/src/tls.c
+++ b/src/tls.c
@ -2,6 +2,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
+#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
@ -102,9 +103,6 @@ tls_host_init(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host)
 		"%s/%s.key", tlsconf->store, host->hostname);
 	mkdirs(tlsconf->store, 0755);

-	host->ssl_ctx = SSL_CTX_new(TLS_method());
-	assert(host->ssl_ctx);
-
 	FILE *xf = fopen(crtpath, "r");
 	if (!xf && errno != ENOENT) {
 		server_error("error opening %s for reading: %s",
@ -160,6 +158,14 @@ generate:
 int
 gmnisrv_tls_init(struct gmnisrv_config *conf)
 {
+	SSL_load_error_strings();
+	ERR_load_crypto_strings();
+
+	conf->tls.ssl_ctx = SSL_CTX_new(TLS_method());
+	assert(conf->tls.ssl_ctx);
+
+	SSL_CTX_set_tlsext_servername_callback(conf->tls.ssl_ctx, NULL);
+
 	int r;
 	for (struct gmnisrv_host *host = conf->hosts; host; host = host->next) {
 		r = tls_host_init(&conf->tls, host);
@ -167,5 +173,25 @@ gmnisrv_tls_init(struct gmnisrv_config *conf)
 			return r;
 		}
 	}
+
 	return 0;
 }
+
+SSL *
+gmnisrv_tls_get_ssl(struct gmnisrv_config *conf, int fd)
+{
+	SSL *ssl = SSL_new(conf->tls.ssl_ctx);
+	if (!ssl) {
+		return NULL;
+	}
+	int r = SSL_set_fd(ssl, fd);
+	assert(r == 1);
+	return ssl;
+}
+
+void
+gmnisrv_tls_set_host(SSL *ssl, struct gmnisrv_host *host)
+{
+	SSL_use_certificate(ssl, host->x509);
+	SSL_use_PrivateKey(ssl, host->pkey);
+}