From 278f50268f5f20e285c08cb8a2b55462331c36bb Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo
Date: Tue, 7 Jul 2009 14:38:24 -0300
Subject: [PATCH] Added support for server-side SSL with anonymous credentials.
---
 hcconn.h | 1 +
 hcconn_ssl.c | 42 +++++++++++++++++++++++++++++++++++++++---
 popproxy.c | 11 ++++++++++-
 3 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/hcconn.h b/hcconn.h
index f5164ed..c4c9cfd 100644
--- a/hcconn.h
+++ b/hcconn.h
@@ -47,5 +47,6 @@ void hc_conn_set_callback (HCConn *, HCClientFunc, gpointer);
 int hc_conn_set_driver_channel (HCConn *, int);
 int hc_conn_set_driver_ssl_client (HCConn *, HCConn *);
+int hc_conn_set_driver_ssl_server (HCConn *, HCConn *);
 #endif
diff --git a/hcconn_ssl.c b/hcconn_ssl.c
index 264be27..cdcca97 100644
--- a/hcconn_ssl.c
+++ b/hcconn_ssl.c
@@ -33,6 +33,35 @@ struct ssl_data
 gpointer lowconn;
 };
+#define DH_BITS 1024
+static gnutls_anon_server_credentials_t
+ssl_server_get_credentials (void)
+{
+ static int initialized = 0;
+ static gnutls_anon_server_credentials_t cred;
+ gnutls_dh_params_t dh_params;
+ if (initialized)
+ return cred;
+ gnutls_dh_params_init (&dh_params);
+ gnutls_dh_params_generate2 (dh_params, DH_BITS);
+ gnutls_anon_allocate_server_credentials (&cred);
+ gnutls_anon_set_server_dh_params (cred, dh_params);
+ initialized = 1;
+ return cred;
+}
+
+static void
+ssl_server_session_new (gnutls_session_t *session)
+{
+ static gnutls_anon_server_credentials_t cred;
+ cred = ssl_server_get_credentials ();
+ gnutls_init (session, GNUTLS_SERVER);
+ gnutls_priority_set_direct (*session, "NORMAL:+ANON-DH", NULL);
+ gnutls_credentials_set (*session, GNUTLS_CRD_ANON, cred);
+ gnutls_dh_set_prime_bits (*session, DH_BITS);
+}
+#undef DH_BITS
+
 static void
 ssl_client_session_new (gnutls_session_t *session)
 {
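Review bot: None of the GnuTLS calls in ssl_server_get_credentials are checked and `initialized = 1` is set unconditionally, so a failed `gnutls_dh_params_generate2` or `gnutls_anon_allocate_server_credentials` caches an unusable credential for the life of the process and every later server session silently inherits it; the `gnutls_init`, `gnutls_priority_set_direct` and `gnutls_credentials_set` calls in ssl_server_session_new are unchecked in the same way. The rewrite below checks each return, frees the DH parameters on failure and leaves `initialized` clear so the next caller retries; ssl_server_session_new would then need to handle a NULL credential, and since its void signature gives it no way to report that, it should return the GnuTLS status as well. The `static` on `cred` in ssl_server_session_new is unnecessary, as the variable is reassigned on every call. A comment above `#define DH_BITS`, such as `/* ANON-DH encrypts the link but does not authenticate the server; the 1024-bit group is below current guidance and generating it stalls the first server handshake */`, would record the trade-off this commit makes.
```c
static gnutls_anon_server_credentials_t
ssl_server_get_credentials (void)
{
  static int initialized = 0;
  static gnutls_anon_server_credentials_t cred;
  gnutls_dh_params_t dh_params;
  int rc;
  if (initialized)
    return cred;
  rc = gnutls_dh_params_init (&dh_params);
  if (rc < 0)
    return NULL;
  /* CPU-bound; runs once per process because of the initialized guard. */
  rc = gnutls_dh_params_generate2 (dh_params, DH_BITS);
  if (rc < 0)
    goto fail;
  rc = gnutls_anon_allocate_server_credentials (&cred);
  if (rc < 0)
    goto fail;
  gnutls_anon_set_server_dh_params (cred, dh_params);
  initialized = 1;
  return cred;
fail:
  gnutls_dh_params_deinit (dh_params);
  return NULL;
}
```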
@@ -49,10 +78,11 @@ static struct ssl_data *
 ssl_data_new (int server)
 {
 struct ssl_data *ssl;
- if (server)
- return NULL;
 ssl = g_slice_new (struct ssl_data);
- ssl_client_session_new (&ssl->session);
+ if (server)
+ ssl_server_session_new (&ssl->session);
+ else
+ ssl_client_session_new (&ssl->session);
 ssl->buffer = g_string_sized_new (4096);
 ssl->handshaking = FALSE;
 return ssl;
@@ -207,3 +237,9 @@ hc_conn_set_driver_ssl_client (HCConn *conn, HCConn *lowconn)
 {
 return hc_conn_set_driver_ssl (conn, lowconn, 0);
 }
+
+int
+hc_conn_set_driver_ssl_server (HCConn *conn, HCConn *lowconn)
+{
+ return hc_conn_set_driver_ssl (conn, lowconn, 1);
+}
diff --git a/popproxy.c b/popproxy.c
index 39d837c..cae6458 100644
--- a/popproxy.c
+++ b/popproxy.c
@@ -76,6 +76,7 @@ static HCConn *
 client_conn_new (int fd)
 {
 HCConn *conn;
+ HCConn *ssl_conn;
 HCConn *pop_conn;
 int r;
 conn = hc_conn_new (NULL, NULL);
@@ -86,12 +87,20 @@ client_conn_new (int fd)
 close (fd);
 return NULL;
 }
+ ssl_conn = hc_conn_new (NULL, NULL);
+ hc_conn_set_driver_ssl_server (ssl_conn, conn);
+ if (r != 0)
+ {
+ hc_conn_close (ssl_conn);
+ hc_conn_close (conn);
+ return NULL;
+ }
 pop_conn = hc_conn_new (NULL, NULL);
 r = hc_conn_set_driver_pop (pop_conn, conn);
 if (r != 0)
 {
 hc_conn_close (pop_conn);
- hc_conn_close (conn);
+ hc_conn_close (ssl_conn);
 return NULL;
 }
 return pop_conn;
--
2.20.1
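Review bot: With the `if (server) return NULL;` guard removed, ssl_data_new no longer has any failure path for server mode, yet ssl_server_session_new is void and the GnuTLS calls inside it can fail, so a server-side setup error now hands the caller an ssl_data whose session may never have been initialised instead of the NULL it used to get. Both session helpers should return the GnuTLS status (ssl_client_session_new is defined outside this hunk and would need the same change), and ssl_data_new should free the slice and return NULL when that status is non-zero, as sketched below. ssl_data_new's return-type line sits in the hunk header; the rest of the function is visible.
```c
  struct ssl_data *ssl;
  int rc;
  ssl = g_slice_new (struct ssl_data);
  if (server)
    rc = ssl_server_session_new (&ssl->session);
  else
    rc = ssl_client_session_new (&ssl->session);
  if (rc != 0)
    {
      g_slice_free (struct ssl_data, ssl);
      return NULL;
    }
  /* … unchanged: buffer and handshaking initialisation, return ssl … */
```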
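Review bot: The result of `hc_conn_set_driver_ssl_server (ssl_conn, conn);` in popproxy.c is discarded, so the `if (r != 0)` that follows tests the stale `r` from the earlier driver call, which the preceding lines already found to be zero; the new error branch is dead and a failed SSL setup is silently ignored, so the line should read `r = hc_conn_set_driver_ssl_server (ssl_conn, conn);`. Separately, the POP driver is still attached to `conn` (`r = hc_conn_set_driver_pop (pop_conn, conn);`) while the failure path now closes `ssl_conn`, which means either POP traffic bypasses the SSL layer or two drivers share the same lower connection; if ssl_conn is meant to carry the POP session that call should take `ssl_conn`, and if the arrangement is intentional a comment explaining it would help. On the POP-failure path `conn` is no longer closed directly, which is only correct if hc_conn_close (ssl_conn) also closes its lower connection — this hunk does not show that. client_conn_new begins before this hunk.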