kore/src/domain.c

/*
 * Copyright (c) 2013 Joris Vink <joris@coders.se>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "kore.h"

struct kore_domain_h		domains;
struct kore_domain		*primary_dom = NULL;
DH				*ssl_dhparam = NULL;
int				ssl_no_compression = 0;

void
kore_domain_init(void)
{
	TAILQ_INIT(&domains);
}

int
kore_domain_new(char *domain)
{
	struct kore_domain	*dom;

	if (kore_domain_lookup(domain) != NULL)
		return (KORE_RESULT_ERROR);

	kore_debug("kore_domain_new(%s)", domain);

	dom = kore_malloc(sizeof(*dom));
	dom->accesslog = -1;
	dom->certfile = NULL;
	dom->certkey = NULL;
	dom->ssl_ctx = NULL;
	dom->domain = kore_strdup(domain);
	TAILQ_INIT(&(dom->handlers));
	TAILQ_INSERT_TAIL(&domains, dom, list);

	if (primary_dom == NULL)
		primary_dom = dom;

	return (KORE_RESULT_OK);
}

void
kore_domain_sslstart(struct kore_domain *dom)
{
	kore_debug("kore_domain_sslstart(%s)", dom->domain);

	dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
	if (dom->ssl_ctx == NULL)
		fatal("kore_domain_sslstart(): SSL_ctx_new(): %s", ssl_errno_s);
	if (!SSL_CTX_use_certificate_chain_file(dom->ssl_ctx, dom->certfile)) {
		fatal("SSL_CTX_use_certificate_chain_file(%s): %s",
		    dom->certfile, ssl_errno_s);
	}

	if (!SSL_CTX_use_PrivateKey_file(dom->ssl_ctx, dom->certkey,
	    SSL_FILETYPE_PEM)) {
		fatal("SSL_CTX_use_PrivateKey_file(%s): %s",
		    dom->certkey, ssl_errno_s);
	}

	if (!SSL_CTX_check_private_key(dom->ssl_ctx))
		fatal("Public/Private key for %s do not match", dom->domain);

	if (ssl_dhparam != NULL) {
		SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
	}

	if (ssl_no_compression)
		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION);

	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
	SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);
	SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, kore_ssl_sni_cb);
	SSL_CTX_set_next_protos_advertised_cb(dom->ssl_ctx,
	    kore_ssl_npn_cb, NULL);

	kore_mem_free(dom->certfile);
	kore_mem_free(dom->certkey);
}

struct kore_domain *
kore_domain_lookup(const char *domain)
{
	struct kore_domain	*dom;

	TAILQ_FOREACH(dom, &domains, list) {
		if (!strcmp(dom->domain, domain))
			return (dom);
	}

	return (NULL);
}

void
kore_domain_closelogs(void)
{
	struct kore_domain	*dom;

	TAILQ_FOREACH(dom, &domains, list)
		close(dom->accesslog);
}
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`/*`
			`* Copyright (c) 2013 Joris Vink <joris@coders.se>`
			`*`
			`* Permission to use, copy, modify, and distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR`
			`* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN`
			`* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF`
			`* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.`
			`*/`

			`#include "kore.h"`

			`struct kore_domain_h domains;`
			`struct kore_domain *primary_dom = NULL;`
Add support for ephemeral key exchange mechanisms, ssl_dhparam configuration option must be set (and point to a file containing a generated DH key). 2013-08-07 16:51:39 +02:00			`DH *ssl_dhparam = NULL;`
add ssl_no_compression option to allow one to disable OpenSSL compression. 2013-08-07 16:59:45 +02:00			`int ssl_no_compression = 0;`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00
			`void`
			`kore_domain_init(void)`
			`{`
			`TAILQ_INIT(&domains);`
			`}`

			`int`
			`kore_domain_new(char *domain)`
			`{`
			`struct kore_domain *dom;`

			`if (kore_domain_lookup(domain) != NULL)`
			`return (KORE_RESULT_ERROR);`

- Better spread load between all worker processes. - Introduce own memory management system on top of malloc to keep track of all our allocations and free's. Later we should introduce a pooling mechanism for fixed size allocations (http_request comes to mind). - Introduce ssl_cipher in configuration. Memory usage is kind of high right now, but it seems its OpenSSL doing it rather then Kore. 2013-06-27 08:43:07 +02:00			`kore_debug("kore_domain_new(%s)", domain);`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00
Remove unneeded malloc result casting, annoying habbit of mine but serves no purpose. 2013-07-13 21:08:55 +02:00			`dom = kore_malloc(sizeof(*dom));`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`dom->accesslog = -1;`
			`dom->certfile = NULL;`
			`dom->certkey = NULL;`
- Better spread load between all worker processes. - Introduce own memory management system on top of malloc to keep track of all our allocations and free's. Later we should introduce a pooling mechanism for fixed size allocations (http_request comes to mind). - Introduce ssl_cipher in configuration. Memory usage is kind of high right now, but it seems its OpenSSL doing it rather then Kore. 2013-06-27 08:43:07 +02:00			`dom->ssl_ctx = NULL;`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`dom->domain = kore_strdup(domain);`
			`TAILQ_INIT(&(dom->handlers));`
			`TAILQ_INSERT_TAIL(&domains, dom, list);`

			`if (primary_dom == NULL)`
			`primary_dom = dom;`

			`return (KORE_RESULT_OK);`
			`}`

			`void`
			`kore_domain_sslstart(struct kore_domain *dom)`
			`{`
			`kore_debug("kore_domain_sslstart(%s)", dom->domain);`

			`dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());`
			`if (dom->ssl_ctx == NULL)`
- Better spread load between all worker processes. - Introduce own memory management system on top of malloc to keep track of all our allocations and free's. Later we should introduce a pooling mechanism for fixed size allocations (http_request comes to mind). - Introduce ssl_cipher in configuration. Memory usage is kind of high right now, but it seems its OpenSSL doing it rather then Kore. 2013-06-27 08:43:07 +02:00			`fatal("kore_domain_sslstart(): SSL_ctx_new(): %s", ssl_errno_s);`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`if (!SSL_CTX_use_certificate_chain_file(dom->ssl_ctx, dom->certfile)) {`
			`fatal("SSL_CTX_use_certificate_chain_file(%s): %s",`
			`dom->certfile, ssl_errno_s);`
			`}`

			`if (!SSL_CTX_use_PrivateKey_file(dom->ssl_ctx, dom->certkey,`
			`SSL_FILETYPE_PEM)) {`
			`fatal("SSL_CTX_use_PrivateKey_file(%s): %s",`
			`dom->certkey, ssl_errno_s);`
			`}`

			`if (!SSL_CTX_check_private_key(dom->ssl_ctx))`
			`fatal("Public/Private key for %s do not match", dom->domain);`

Add support for ephemeral key exchange mechanisms, ssl_dhparam configuration option must be set (and point to a file containing a generated DH key). 2013-08-07 16:51:39 +02:00			`if (ssl_dhparam != NULL) {`
			`SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);`
			`SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);`
			`}`

add ssl_no_compression option to allow one to disable OpenSSL compression. 2013-08-07 16:59:45 +02:00			`if (ssl_no_compression)`
			`SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION);`

- Better spread load between all worker processes. - Introduce own memory management system on top of malloc to keep track of all our allocations and free's. Later we should introduce a pooling mechanism for fixed size allocations (http_request comes to mind). - Introduce ssl_cipher in configuration. Memory usage is kind of high right now, but it seems its OpenSSL doing it rather then Kore. 2013-06-27 08:43:07 +02:00			`SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);`
			`SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);`
			`SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);`
			`SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, kore_ssl_sni_cb);`
			`SSL_CTX_set_next_protos_advertised_cb(dom->ssl_ctx,`
			`kore_ssl_npn_cb, NULL);`

- Better spread load between all worker processes. - Introduce own memory management system on top of malloc to keep track of all our allocations and free's. Later we should introduce a pooling mechanism for fixed size allocations (http_request comes to mind). - Introduce ssl_cipher in configuration. Memory usage is kind of high right now, but it seems its OpenSSL doing it rather then Kore. 2013-06-27 08:43:07 +02:00			`kore_mem_free(dom->certfile);`
			`kore_mem_free(dom->certkey);`
add SNI support, and change domain configuration a bit. 2013-06-24 11:32:45 +02:00			`}`

			`struct kore_domain *`
			`kore_domain_lookup(const char *domain)`
			`{`
			`struct kore_domain *dom;`

			`TAILQ_FOREACH(dom, &domains, list) {`
			`if (!strcmp(dom->domain, domain))`
			`return (dom);`
			`}`

			`return (NULL);`
			`}`

			`void`
			`kore_domain_closelogs(void)`
			`{`
			`struct kore_domain *dom;`

			`TAILQ_FOREACH(dom, &domains, list)`
			`close(dom->accesslog);`
			`}`