// Copyright (c) 2004  David Muse
// See the file COPYING for more information

#include <rudiments/daemonprocess.h>
#include <rudiments/permissions.h>
#include <rudiments/inetserversocket.h>
#include <rudiments/charstring.h>
#include <rudiments/error.h>
#include <rudiments/file.h>

#include <openssl/err.h>

#ifdef RUDIMENTS_NAMESPACE
using namespace rudiments;
#endif

int passwdCallback(char *buf, int size, int rwflag, void *userdata) {
	charstring::copy(buf,(char *)userdata,size);
	buf[size-1]=(char)NULL;
	return charstring::length(buf);
}

class myserver : public daemonprocess, public inetserversocket {
	public:
			myserver() : daemonprocess(), inetserversocket() {}
		void	listen();
};


void	myserver::listen() {


	// make sure that only one instance is running
	int	pid=checkForPidFile("/tmp/svr.pidfile");
	if (pid>-1) {
		printf("Sorry, an instance of this server is already running with process id: %d\n",pid);
		return;
	}


	// detach from the controlling terminal
	//detach();


	// create a pid file which is used to make sure that only one instance
	// is running and can also be used to kill the process
	createPidFile("/tmp/svr.pidfile",permissions::ownerReadWrite());

	// initalize the libarary
	SSL_library_init();
	SSL_load_error_strings();

	// Create a new server context usng SSLv2.
	SSL_CTX	*ctx=SSL_CTX_new(SSLv2_server_method());

	// in cases where a re-negotiation must take place during an SSL_read
	// or SSL_write, automatically re-negotiate, then retry the read/write
	// instead of causing the read/write to fail
	SSL_CTX_set_mode(ctx,SSL_MODE_AUTO_RETRY);

	// load the server's certificate chain
	SSL_CTX_use_certificate_chain_file(ctx,"server.pem");

	// if the private key requires a password in order to read it,
	// supply "password"
	SSL_CTX_set_default_passwd_cb(ctx,passwdCallback);
	SSL_CTX_set_default_passwd_cb_userdata(ctx,(void *)"password");

	// load the server's private key
	SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM);

	// Instruct the server to request the client's certificate.  Servers
	// always send certificates to clients, but in order for a client to
	// send a certificate to a server, the server must request it.
	SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);

	// load certificates for the signing authorities that we trust
	SSL_CTX_load_verify_locations(ctx,"ca.pem",0);
	#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
		// client certificates must be directly signed
		// by one of the signing authorities that we trust
		SSL_CTX_set_verify_depth(ctx,1);
	#endif

	// Instruct the context to use an ephemeral
	// dh key for encrypting the session.
	SSL_CTX_set_options(ctx,SSL_OP_SINGLE_DH_USE);

	// Get parameters for generating the dh key from dh1024.pem.
	BIO	*bio=BIO_new_file("dh1024.pem","r");
	#if (OPENSSL_VERSION_NUMBER < 0x00904000)
		DH	*dh=PEM_read_bio_DHparams(bio,NULL,NULL);
	#else
		DH	*dh=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
	#endif
	BIO_free(bio);

	// Supply the context with the dh parameters for generating the key.
	SSL_CTX_set_tmp_dh(ctx,dh);

	// listen on inet socket port 8000
	if (!inetserversocket::listen(NULL,8000,15)) {
		printf("couldn't listen on port 8000\n");
		exit(0);
	}

	// loop...
	for (;;) {

		// attach the ssl context to the server
		setSSLContext(ctx);

		// accept a client connection
		filedescriptor	*clientsock=accept();

		if (clientsock) {

			// make sure the client sent a certificate
			X509	*certificate=SSL_get_peer_certificate(
						clientsock->getSSL());
			if (!certificate) {
				printf("peer sent no certificate\n");
				clientsock->close();
				delete clientsock;
				continue;
			}

			// make sure the certificate was valid
			long	result=SSL_get_verify_result(
						clientsock->getSSL());
			if (result!=X509_V_OK) {
				printf("SSL_get_verify_result failed: %d\n",
									result);
				clientsock->close();
				continue;
			}

			// Make sure the commonname in the certificate is the
			// one we expect it to be (client.localdomain).
			// (we may also want to check the subject name field or
			// certificate extension for the commonname because
			// sometimes it's there instead of in the commonname
			// field)
			char	commonname[256];
			X509_NAME_get_text_by_NID(
					X509_get_subject_name(certificate),
					NID_commonName,commonname,256);
			if (charstring::compareIgnoringCase(commonname,
							"client.localdomain")) {
				printf("%s!=client.localdomain\n",commonname);
				clientsock->close();
				delete clientsock;
				continue;
			}

			// read 5 bytes from the client and display it
			char	buffer[6];
			buffer[5]=(char)NULL;
			clientsock->read((char *)buffer,5);
			printf("%s\n",buffer);

			// write "hello" back to the client
			clientsock->write("hello",5);

		} else {

			// if errno>0 then we got a system error, otherwise we
			// got an SSL-specific error
			if (errno) {
				printf("accept failed: %s\n",
					error::getErrorString());
			} else {
				printf("accept failed: ");
				ERR_print_errors_fp(stdout);
				printf("\n");
			}
		}

		// close the socket and clean up
		clientsock->close();
		delete clientsock;
	}
}


myserver	*mysvr;

// define a function to shut down the process cleanly
RETSIGTYPE	shutDown() {
	printf("shutting down\n");
	mysvr->close();
	delete mysvr;
	file::remove("/tmp/svr.pidfile");
	exit(0);
}


int main(int argc, const char **argv) {

	mysvr=new myserver();

	// set up signal handlers for clean shutdown
	mysvr->handleShutDown((RETSIGTYPE *)shutDown);
	mysvr->handleCrash((RETSIGTYPE *)shutDown);

	mysvr->listen();
}