hitch  1.5.2
About: Hitch is a libev-based high performance SSL/TLS proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend.
  Fossies Dox: hitch-1.5.2.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

hitch.c
Go to the documentation of this file.
1 
38 #include "config.h"
39 
40 #include <sys/socket.h>
41 #include <sys/time.h>
42 #include <sys/types.h>
43 #include <sys/un.h>
44 #include <sys/wait.h> /* WAIT_PID */
45 
46 #ifdef __linux__
47 # include <sys/prctl.h>
48 #endif
49 
50 #ifdef __sun
51 # include <sys/filio.h>
52 #endif
53 
54 #include <net/if.h>
55 #include <netinet/in.h>
56 #include <netinet/tcp.h> /* TCP_NODELAY */
57 
58 #include <ctype.h>
59 #include <errno.h>
60 #include <getopt.h>
61 #include <grp.h>
62 #include <libgen.h>
63 #include <limits.h>
64 #include <netdb.h>
65 #include <pwd.h>
66 #include <sched.h>
67 #include <signal.h>
68 #include <stdarg.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <strings.h>
72 #include <time.h>
73 #include <unistd.h>
74 
75 #include "configuration.h"
76 #include "hitch.h"
77 #include "hssl_locks.h"
78 #include "logging.h"
79 #include "proxyv2.h"
80 #include "ocsp.h"
81 #include "shctx.h"
82 #include "foreign/vpf.h"
83 #include "foreign/uthash.h"
84 #include "foreign/vsa.h"
85 
86 #ifndef MSG_NOSIGNAL
87 # define MSG_NOSIGNAL 0
88 #endif
89 #ifndef AI_ADDRCONFIG
90 # define AI_ADDRCONFIG 0
91 #endif
92 
93 /* For Mac OS X */
94 #ifndef TCP_KEEPIDLE
95 # ifdef TCP_KEEPALIVE
96 # define TCP_KEEPIDLE TCP_KEEPALIVE
97 # endif
98 #endif
99 
100 #ifndef SOL_TCP
101 # define SOL_TCP IPPROTO_TCP
102 #endif
103 
104 /* Do we have SNI support? */
105 #ifndef OPENSSL_NO_TLSEXT
106 # ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
107 # define OPENSSL_NO_TLSEXT
108 # endif
109 #endif
110 
111 #ifndef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB
112 # define SSL_CTX_get_default_passwd_cb(ctx) ((ctx)->default_passwd_callback)
113 #endif
114 
115 #ifndef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA
116 # define SSL_CTX_get_default_passwd_cb_userdata(ctx) \
117  ((ctx)->default_passwd_callback_userdata)
118 #endif
119 
120 #ifndef HAVE_X509_NAME_ENTRY_GET_DATA
121 # define X509_NAME_ENTRY_get_data(entry) ((entry)->value)
122 #endif
123 
124 /* logging.c */
125 extern FILE *logfile;
126 extern struct stat logf_st;
127 extern time_t logf_check_t;
128 
129 /* Globals */
130 struct ev_loop *loop;
132 
133 /* Worker proc's read side of mgt->worker pipe(2) */
134 static ev_io mgt_rd;
135 
136 struct backend {
137  unsigned magic;
138 #define BACKEND_MAGIC 0x41c09397
140  int ref;
141 };
142 
143 static struct backend *backaddr;
144 static pid_t master_pid;
145 static pid_t ocsp_proc_pid;
146 static int core_id;
147 static SSL_SESSION *client_session;
148 
149 /* The current number of active client connections. */
150 static uint64_t n_conns;
151 
152 /* Current generation of worker processes. Bumped after a sighup prior
153  * to launching new children. */
154 static unsigned worker_gen;
155 
156 static volatile unsigned n_sighup;
157 static volatile unsigned n_sigchld;
158 
162 };
163 
165 
166 struct worker_proc {
167  unsigned magic;
168 #define WORKER_PROC_MAGIC 0xbc7fe9e6
169 
170  /* Writer end of pipe(2) for mgt -> worker ipc */
171  int pfd;
172  pid_t pid;
173  unsigned gen;
174  int core_id;
176 };
177 
180 struct sslctx_s;
181 struct sni_name_s;
182 
183 struct listen_sock {
184  unsigned magic;
185 #define LISTEN_SOCK_MAGIC 0xda96b2f6
186  int sock;
187  char *name;
188  ev_io listener;
189  struct sockaddr_storage addr;
191 };
192 
194 
195 struct frontend {
196  unsigned magic;
197 #define FRONTEND_MAGIC 0x5b04e577
203  char *pspec;
206 };
207 
209 
210 static struct frontend_head frontends;
211 
212 #ifdef USE_SHARED_CACHE
213 static ev_io shcupd_listener;
214 static int shcupd_socket;
215 struct addrinfo *shcupd_peers[MAX_SHCUPD_PEERS+1];
216 static unsigned char shared_secret[SHA_DIGEST_LENGTH];
217 #endif /*USE_SHARED_CACHE*/
218 
219 
221 static struct vpf_fh *pfh = NULL;
222 
223 static char tcp_proxy_line[128] = "";
224 
225 /* What agent/state requests the shutdown--for proper half-closed
226  * handling */
227 typedef enum _SHUTDOWN_REQUESTOR {
232 
233 static const char *SHUTDOWN_STR[] = {
234  [SHUTDOWN_HARD] = "SHUTDOWN_HARD",
235  [SHUTDOWN_CLEAR] = "SHUTDOWN_CLEAR",
236  [SHUTDOWN_SSL] = "SHUTDOWN_SSL",
237 };
238 
239 #ifndef OPENSSL_NO_TLSEXT
240 
242 static sslctx *ssl_ctxs;
243 static sslctx *default_ctx;
244 
245 static void insert_sni_names(sslctx *sc, sni_name **sn_tab);
246 static int load_cert_ctx(sslctx *so);
247 #endif /* OPENSSL_NO_TLSEXT */
248 
249 
253 };
254 
256  unsigned gen;
257  struct sockaddr_storage addr;
258 };
259 
263 };
264 
265 /* set a file descriptor (socket) to non-blocking mode */
266 static int
268 {
269  int flag = 1;
270 
271  if (ioctl(fd, FIONBIO, &flag) < 0) {
272  assert (errno == ECONNRESET || errno == ENOTCONN);
273  return (-1);
274  }
275 
276  return (0);
277 }
278 
279 
280 /* set a tcp socket to use TCP Keepalive */
281 static void
283 {
284  int optval = 1;
285  socklen_t optlen = sizeof(optval);
286 
287  if(setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &optval, optlen) < 0) {
288  SOCKERR("Error activating SO_KEEPALIVE on client socket");
289  }
290 
291 #ifdef TCP_KEEPIDLE
292  optval = CONFIG->TCP_KEEPALIVE_TIME;
293  optlen = sizeof(optval);
294  if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &optval, optlen) < 0) {
295  SOCKERR("Error setting TCP_KEEPIDLE on client socket");
296  }
297 #endif
298 }
299 
300 
301 #ifndef OPENSSL_NO_DH
302 static int
303 init_dh(SSL_CTX *ctx, const char *cert)
304 {
305  DH *dh;
306  BIO *bio;
307 
308  AN(cert);
309 
310  bio = BIO_new_file(cert, "r");
311  if (!bio) {
312  log_ssl_error(NULL, "{core} BIO_new_file");
313  return (-1);
314  }
315 
316  dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
317  BIO_free(bio);
318  if (!dh) {
319  LOG("{core} Note: no DH parameters found in %s\n", cert);
320  return (-1);
321  }
322 
323  LOG("{core} Using DH parameters from %s\n", cert);
324  if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
325  log_ssl_error(NULL, "{core} Error setting temp DH params");
326  return (-1);
327  }
328  LOG("{core} DH initialized with %d bit key\n", 8*DH_size(dh));
329  DH_free(dh);
330  return (0);
331 }
332 
333 static int init_ecdh(SSL_CTX *ctx) {
334 #ifndef OPENSSL_NO_EC
335 #ifdef NID_X9_62_prime256v1
336  EC_KEY *ecdh = NULL;
337  ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
338  SSL_CTX_set_tmp_ecdh(ctx, ecdh);
339  EC_KEY_free(ecdh);
340  LOG("{core} ECDH Initialized with NIST P-256\n");
341 #endif /* NID_X9_62_prime256v1 */
342 #endif /* OPENSSL_NO_EC */
343 
344  return (0);
345 }
346 #endif /* OPENSSL_NO_DH */
347 
348 /* This callback function is executed while OpenSSL processes the SSL
349  * handshake and does SSL record layer stuff. It's used to trap
350  * client-initiated renegotiations.
351  */
352 static void
353 info_callback(const SSL *ssl, int where, int ret)
354 {
355  proxystate *ps;
356  (void)ret;
357  if (where & SSL_CB_HANDSHAKE_START) {
358  CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
359  if (ps->handshaked) {
360  ps->renegotiation = 1;
361  LOG("{core} SSL renegotiation asked by client\n");
362  }
363  }
364 }
365 
366 #ifdef OPENSSL_WITH_NPN
367 static int npn_select_cb(SSL *ssl, const unsigned char **out,
368  unsigned *outlen, void *arg) {
369  proxystate *ps;
370  (void)arg;
371  CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
372  ps->npn_alpn_tried = 1;
373 
374  LOG("{npn} Got NPN callback\n");
375  *out = (unsigned char *) CONFIG->ALPN_PROTOS_LV;
376  *outlen = CONFIG->ALPN_PROTOS_LV_LEN;
377 
378  return (SSL_TLSEXT_ERR_OK);
379 }
380 #endif
381 
382 #ifdef OPENSSL_WITH_ALPN
383 static int alpn_select_cb(SSL *ssl,
384  const unsigned char **out,
385  unsigned char *outlen,
386  const unsigned char *in,
387  unsigned int inlen,
388  void *arg)
389 {
390  int selected;
391  proxystate *ps;
392  (void)arg;
393 
394  CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
395  ps->npn_alpn_tried = 1;
396 
397  selected = SSL_select_next_proto((unsigned char **)out, outlen,
399  if (selected == OPENSSL_NPN_NEGOTIATED)
400  return (SSL_TLSEXT_ERR_OK);
401  else {
402  assert(selected == OPENSSL_NPN_NO_OVERLAP);
403  LOGPROXY(ps, "ALPN: no overlap in protocols.\n");
404  /* Here it is possible to add logging of which protocols
405  the client wanted */
406  return (SSL_TLSEXT_ERR_NOACK);
407  }
408  return (SSL_TLSEXT_ERR_NOACK);
409 }
410 #endif
411 
412 #ifdef USE_SHARED_CACHE
413 
414 /* Handle incoming message updates */
415 static void
416 handle_shcupd(struct ev_loop *loop, ev_io *w, int revents)
417 {
418  (void)revents;
419  unsigned char msg[SHSESS_MAX_ENCODED_LEN], hash[EVP_MAX_MD_SIZE];
420  ssize_t r;
421  unsigned int hash_len;
422  uint32_t encdate;
423  long now = (time_t)ev_now(loop);
424 
425  while ((r = recv(w->fd, msg, sizeof(msg), 0)) > 0) {
426  /* msg len must be greater than 1 Byte of data + sig length */
427  if (r < (int)(1+sizeof(shared_secret)))
428  continue;
429 
430  /* compute sig */
431  r -= sizeof(shared_secret);
432  HMAC(EVP_sha1(), shared_secret, sizeof(shared_secret), msg,
433  r, hash, &hash_len);
434 
435  if (hash_len != sizeof(shared_secret)) /* should never happen */
436  continue;
437 
438  /* check sign */
439  if (memcmp(msg+r, hash, hash_len))
440  continue;
441 
442  /* msg len must be greater than 1 Byte of data +
443  * encdate length */
444  if (r < (int)(1+sizeof(uint32_t)))
445  continue;
446 
447  /* drop too unsync updates */
448  r -= sizeof(uint32_t);
449  encdate = *((uint32_t *)&msg[r]);
450  assert(now >= ntohl(encdate));
451  if ((now - ntohl(encdate)) >=
452  SSL_CTX_get_timeout(default_ctx->ctx))
453  continue;
454 
455  shctx_sess_add(msg, r, now);
456  }
457 }
458 
459 /* Send remote updates messages callback */
460 void
461 shcupd_session_new(unsigned char *msg, unsigned int len, long cdate)
462 {
463  unsigned int hash_len;
464  struct addrinfo **pai = shcupd_peers;
465  uint32_t ncdate;
466 
467  /* add session creation encoded date to footer */
468  ncdate = htonl((uint32_t)cdate);
469  memcpy(msg+len, &ncdate, sizeof(ncdate));
470  len += sizeof(ncdate);
471 
472  /* add msg sign */
473  HMAC(EVP_sha1(), shared_secret, sizeof(shared_secret),
474  msg, len, msg+len, &hash_len);
475  len += hash_len;
476 
477  /* send msg to peers */
478  while (*pai) {
479  sendto(shcupd_socket, msg, len, 0, (*pai)->ai_addr,
480  (*pai)->ai_addrlen);
481  pai++;
482  }
483 }
484 
485 /* Compute a sha1 secret from an ASN1 rsa private key */
486 static int
487 compute_secret(RSA *rsa, unsigned char *secret)
488 {
489  unsigned char *buf, *p;
490  unsigned int length;
491 
492  length = i2d_RSAPrivateKey(rsa, NULL);
493  if (length <= 0)
494  return (-1);
495 
496  p = buf = (unsigned char *)malloc(length*sizeof(unsigned char));
497  if (!buf)
498  return (-1);
499 
500  i2d_RSAPrivateKey(rsa,&p);
501  SHA1(buf, length, secret);
502  free(buf);
503  return (0);
504 }
505 
506 /* Create udp socket to receive and send updates */
507 static int
508 create_shcupd_socket()
509 {
510  struct addrinfo *ai, hints;
511  struct addrinfo **pai = shcupd_peers;
512  memset(&hints, 0, sizeof hints);
513  hints.ai_family = AF_UNSPEC;
514  hints.ai_socktype = SOCK_DGRAM;
515  hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
516  const int gai_err = getaddrinfo(CONFIG->SHCUPD_IP,
517  CONFIG->SHCUPD_PORT, &hints, &ai);
518  if (gai_err != 0) {
519  ERR("{getaddrinfo}: %s\n", gai_strerror(gai_err));
520  exit(1);
521  }
522 
523  /* check if peers inet family addresses match */
524  while (*pai) {
525  if ((*pai)->ai_family != ai->ai_family) {
526  ERR("Share host and peers inet family differs\n");
527  exit(1);
528  }
529  pai++;
530  }
531 
532  int s = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP);
533 
534  if (s == -1)
535  fail("{socket: shared cache updates}");
536 
537  int t = 1;
538  (void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &t, sizeof(int));
539 #ifdef SO_REUSEPORT_WORKS
540  (void)setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &t, sizeof(int));
541 #endif
542 
543  if (setnonblocking(s) < 0)
544  fail("{shared cache: setnonblocking}");
545 
546  if (ai->ai_addr->sa_family == AF_INET) {
547  struct ip_mreqn mreqn;
548 
549  memset(&mreqn, 0, sizeof(mreqn));
550  mreqn.imr_multiaddr.s_addr =
551  ((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr;
552 
553  if (CONFIG->SHCUPD_MCASTIF) {
554  if (isalpha(*CONFIG->SHCUPD_MCASTIF)) {
555  /* appears to be an iface name */
556  struct ifreq ifr;
557  memset(&ifr, 0, sizeof(ifr));
558  if (strlen(CONFIG->SHCUPD_MCASTIF) > IFNAMSIZ) {
559  ERR("Error iface name is too "
560  "long [%s]\n",
561  CONFIG->SHCUPD_MCASTIF);
562  exit(1);
563  }
564 
565  memcpy(ifr.ifr_name, CONFIG->SHCUPD_MCASTIF,
566  strlen(CONFIG->SHCUPD_MCASTIF));
567  if (ioctl(s, SIOCGIFINDEX, &ifr)) {
568  fail("{ioctl: SIOCGIFINDEX}");
569  }
570 
571  /* XXX: better use autoconf to detect those */
572 #ifdef __FreeBSD__
573  mreqn.imr_ifindex = ifr.ifr_ifru.ifru_index;
574 #else
575  mreqn.imr_ifindex = ifr.ifr_ifindex;
576 #endif
577  } else if (strchr(CONFIG->SHCUPD_MCASTIF,'.')) {
578  /* appears to be an ipv4 address */
579  mreqn.imr_address.s_addr =
580  inet_addr(CONFIG->SHCUPD_MCASTIF);
581  } else {
582  /* appears to be an iface index */
583  mreqn.imr_ifindex =
584  atoi(CONFIG->SHCUPD_MCASTIF);
585  }
586  }
587 
588  if (setsockopt(s, IPPROTO_IP, IP_ADD_MEMBERSHIP,
589  &mreqn, sizeof(mreqn)) < 0) {
590  if (errno != EINVAL) {
591  /* EINVAL if it is not a multicast address,
592  * not an error we consider unicast */
593  fail("{setsockopt: IP_ADD_MEMBERSIP}");
594  }
595  } else { /* this is a multicast address */
596  unsigned char loop = 0;
597  if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_LOOP,
598  &loop, sizeof(loop)) < 0) {
599  fail("{setsockopt: IP_MULTICAST_LOOP}");
600  }
601  }
602 
603  /* optional set sockopts for sending to multicast msg */
604  if (CONFIG->SHCUPD_MCASTIF &&
605  setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF,
606  &mreqn, sizeof(mreqn)) < 0) {
607  fail("{setsockopt: IP_MULTICAST_IF}");
608  }
609 
610  if (CONFIG->SHCUPD_MCASTTTL) {
611  unsigned char ttl;
612 
613  ttl = (unsigned char)atoi(CONFIG->SHCUPD_MCASTTTL);
614  if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_TTL,
615  &ttl, sizeof(ttl)) < 0) {
616  fail("{setsockopt: IP_MULTICAST_TTL}");
617  }
618  }
619  }
620 #ifdef IPV6_ADD_MEMBERSHIP
621  else if (ai->ai_addr->sa_family == AF_INET6) {
622  struct ipv6_mreq mreq;
623 
624  memset(&mreq, 0, sizeof(mreq));
625  memcpy(&mreq.ipv6mr_multiaddr,
626  &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
627  sizeof(mreq.ipv6mr_multiaddr));
628 
629  if (CONFIG->SHCUPD_MCASTIF) {
630  if (isalpha(*CONFIG->SHCUPD_MCASTIF)) {
631  /* appears to be an iface name */
632  struct ifreq ifr;
633 
634  memset(&ifr, 0, sizeof(ifr));
635  if (strlen(CONFIG->SHCUPD_MCASTIF) > IFNAMSIZ) {
636  ERR("Error iface name is too "
637  "long [%s]\n",
638  CONFIG->SHCUPD_MCASTIF);
639  exit(1);
640  }
641 
642  memcpy(ifr.ifr_name, CONFIG->SHCUPD_MCASTIF,
643  strlen(CONFIG->SHCUPD_MCASTIF));
644 
645  if (ioctl(s, SIOCGIFINDEX, &ifr))
646  fail("{ioctl: SIOCGIFINDEX}");
647 
648  mreq.ipv6mr_interface = ifr.ifr_ifindex;
649  } else { /* option appears to be an iface index */
650  mreq.ipv6mr_interface =
651  atoi(CONFIG->SHCUPD_MCASTIF);
652  }
653  }
654 
655  if (setsockopt(s, IPPROTO_IPV6, IPV6_ADD_MEMBERSHIP,
656  &mreq, sizeof(mreq)) < 0) {
657  if (errno != EINVAL) {
658  /* EINVAL if it is not a multicast address,
659  * not an error we consider unicast */
660  fail("{setsockopt: IPV6_ADD_MEMBERSIP}");
661  }
662  } else { /* this is a multicast address */
663  unsigned int loop = 0;
664  if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_LOOP,
665  &loop, sizeof(loop)) < 0) {
666  fail("{setsockopt: IPV6_MULTICAST_LOOP}");
667  }
668  }
669  /* optional set sockopts for sending to multicast msg */
670  if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_IF,
671  &mreq.ipv6mr_interface,
672  sizeof(mreq.ipv6mr_interface)) < 0) {
673  fail("{setsockopt: IPV6_MULTICAST_IF}");
674  }
675 
676  if (CONFIG->SHCUPD_MCASTTTL) {
677  int hops;
678 
679  hops = atoi(CONFIG->SHCUPD_MCASTTTL);
680  if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
681  &hops, sizeof(hops)) < 0) {
682  fail("{setsockopt: IPV6_MULTICAST_HOPS}");
683  }
684  }
685  }
686 #endif /* IPV6_ADD_MEMBERSHIP */
687 
688  if (bind(s, ai->ai_addr, ai->ai_addrlen)) {
689  fail("{bind-socket}");
690  }
691 
692  freeaddrinfo(ai);
693  return (s);
694 }
695 
696 #endif /*USE_SHARED_CACHE */
697 
698 EVP_PKEY *
699 load_privatekey(SSL_CTX *ctx, const char *file)
700 {
701  BIO *bio;
702  EVP_PKEY *pkey;
703 
704  bio = BIO_new_file(file, "r");
705  if (!bio) {
706  log_ssl_error(NULL, "{core} BIO_new_file");
707  return (NULL);
708  }
709 
710  pkey = PEM_read_bio_PrivateKey(bio, NULL,
713  BIO_free(bio);
714 
715  if (!pkey) {
716  log_ssl_error(NULL, "{core} PEM_read_bio_PrivateKey");
717  return (NULL);
718  }
719 
720  return (pkey);
721 }
722 
723 #ifndef OPENSSL_NO_TLSEXT
724 static int
725 sni_match(const sni_name *sn, const char *srvname)
726 {
727  if (!sn->is_wildcard)
728  return (strcasecmp(srvname, sn->sni_key) == 0);
729  else {
730  char *s = strchr(srvname, '.');
731  if (s == NULL)
732  return (0);
733  return (strcasecmp(s, sn->sni_key + 1) == 0);
734  }
735 }
736 
737 static const sslctx *
738 sni_lookup(const char *sni_key, const sni_name *sn_tab)
739 {
740  const sni_name *sn;
741 
742  AN(sni_key);
744 
745  HASH_FIND_STR(sn_tab, sni_key, sn);
746  if (sn == NULL) {
747  char *s;
748  /* attempt another lookup for wildcard matches */
749  s = strchr(sni_key, '.');
750  if (s != NULL)
751  HASH_FIND_STR(sn_tab, s, sn);
752  }
753 
754  if (sn != NULL) {
756  if (sni_match(sn, sni_key))
757  return (sn->sctx);
758  }
759 
760  return (NULL);
761 }
762 
763 static int
764 sni_try_lookup(SSL *ssl, const char *sni_key, const struct sni_name_s *sn_tab)
765 {
766  const sslctx *sc;
767 
768  AN(ssl);
769  AN(sni_key);
771 
772  sc = sni_lookup(sni_key, sn_tab);
773  if (sc == NULL)
774  return (0);
775 
776  CHECK_OBJ(sc, SSLCTX_MAGIC);
777  SSL_set_SSL_CTX(ssl, sc->ctx);
778  return (1);
779 }
780 
781 char *
782 sni_build_key(const char *servername)
783 {
784  char *key, *c;
785 
786  if (servername == NULL)
787  return (NULL);
788 
789  AN(servername);
790  key = strdup(servername);
791 
792  for (c = key; *c != '\0'; c++)
793  *c = tolower(*c);
794  return (key);
795 }
796 
797 /*
798  * Switch the context of the current SSL object to the most appropriate one
799  * based on the SNI header
800  */
801 static int
802 sni_switch_ctx(SSL *ssl, int *al, void *data)
803 {
804  const struct frontend *fr = NULL;
805  const char *servername;
806  char *sni_key;
807  int lookup_global = 1;
809 
810  AN(ssl);
811  (void)al;
812  if (data != NULL)
813  CAST_OBJ_NOTNULL(fr, data, FRONTEND_MAGIC);
814 
815  servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
816  if (servername == NULL)
817  return (SSL_TLSEXT_ERR_NOACK);
818 
819  sni_key = sni_build_key(servername);
820  AN(sni_key);
821 
822  if (fr != NULL) {
823  if (sni_try_lookup(ssl, sni_key, fr->sni_names)) {
824  free(sni_key);
825  return (SSL_TLSEXT_ERR_OK);
826  }
827  lookup_global = fr->match_global_certs;
828  if (fr->sni_nomatch_abort != -1)
830  }
831 
832  if (lookup_global && sni_try_lookup(ssl, sni_key, sni_names)) {
833  free(sni_key);
834  return (SSL_TLSEXT_ERR_OK);
835  }
836 
837  free(sni_key);
838 
839  /* No matching certs */
840  if (sni_nomatch_abort)
841  return (SSL_TLSEXT_ERR_ALERT_FATAL);
842  else
843  return (SSL_TLSEXT_ERR_NOACK);
844 }
845 #endif /* OPENSSL_NO_TLSEXT */
846 
847 static void
848 sctx_free(sslctx *sc, sni_name **sn_tab)
849 {
850  sni_name *sn, *sntmp;
851 
852  if (sc == NULL)
853  return;
854 
855  HOCSP_free(&sc->staple);
856 
857  if (sn_tab != NULL)
859 
861  VTAILQ_FOREACH_SAFE(sn, &sc->sni_list, list, sntmp) {
863  VTAILQ_REMOVE(&sc->sni_list, sn, list);
864  if (sn_tab != NULL)
865  HASH_DEL(*sn_tab, sn);
866  free(sn->servername);
867  free(sn->sni_key);
868  FREE_OBJ(sn);
869  }
870 
871  free(sc->filename);
872  SSL_CTX_free(sc->ctx);
873  FREE_OBJ(sc);
874 }
875 
876 X509 *
877 Find_issuer(X509 *subj, STACK_OF(X509) *chain)
878 {
879  int i;
880  X509 *x;
881 
882  AN(subj);
883 
884  for (i = 0; i < sk_X509_num(chain); i++) {
885  x = sk_X509_value(chain, i);
886  if (X509_check_issued(x, subj) == X509_V_OK)
887  return (x);
888  }
889 
890  /* todo: look in cert store? */
891 
892  return (NULL);
893 }
894 
895 
896 
897 /* Initialize an SSL context */
898 static sslctx *
899 make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
900  const struct front_arg *fa)
901 {
902  SSL_CTX *ctx;
903  sslctx *sc;
904  EVP_PKEY *pkey;
905  int selected_protos = CONFIG->SELECTED_TLS_PROTOS;
906  char *ciphers = CONFIG->CIPHER_SUITE;
907  int pref_srv_ciphers = CONFIG->PREFER_SERVER_CIPHERS;
908 
909  if (fa != NULL) {
911  if (fa->selected_protos != 0)
912  selected_protos = fa->selected_protos;
913  if (fa->ciphers != NULL)
914  ciphers = fa->ciphers;
915  if (fa->prefer_server_ciphers != -1)
916  pref_srv_ciphers = fa->prefer_server_ciphers;
917  }
918 
919  long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL |
920  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
921 
922 #ifdef SSL_OP_NO_COMPRESSION
923  ssloptions |= SSL_OP_NO_COMPRESSION;
924 #endif
925 #ifdef SSL_OP_SINGLE_DH_USE
926  ssloptions |= SSL_OP_SINGLE_DH_USE;
927 #endif
928 #ifdef SSL_OP_SINGLE_ECDH_USE
929  ssloptions |= SSL_OP_SINGLE_ECDH_USE;
930 #endif
931  if (!(selected_protos & SSLv3_PROTO))
932  ssloptions |= SSL_OP_NO_SSLv3;
933  if (!(selected_protos & TLSv1_0_PROTO))
934  ssloptions |= SSL_OP_NO_TLSv1;
935  if (!(selected_protos & TLSv1_1_PROTO))
936  ssloptions |= SSL_OP_NO_TLSv1_1;
937  if (!(selected_protos & TLSv1_2_PROTO))
938  ssloptions |= SSL_OP_NO_TLSv1_2;
939 #ifdef SSL_OP_NO_TLSv1_3
940  if (!(selected_protos & TLSv1_3_PROTO))
941  ssloptions |= SSL_OP_NO_TLSv1_3;
942 #endif
943  ctx = SSL_CTX_new((CONFIG->PMODE == SSL_CLIENT) ?
944  SSLv23_client_method() : SSLv23_server_method());
945 
946  SSL_CTX_set_options(ctx, ssloptions);
947  SSL_CTX_set_info_callback(ctx, info_callback);
948 #ifdef OPENSSL_WITH_ALPN
949  if (CONFIG->ALPN_PROTOS != NULL)
950  SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL);
951 #endif
952 #ifdef OPENSSL_WITH_NPN
953  if (CONFIG->ALPN_PROTOS != NULL)
954  SSL_CTX_set_next_protos_advertised_cb(ctx, npn_select_cb, NULL);
955 #endif
956 
957  if (ciphers != NULL) {
958  if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
959  log_ssl_error(NULL, "{core} SSL_CTX_set_cipher_list");
960  return (NULL);
961  }
962  }
963 
964  if (pref_srv_ciphers)
965  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
966 
967  ALLOC_OBJ(sc, SSLCTX_MAGIC);
968  AN(sc);
969  sc->filename = strdup(cf->filename);
970  sc->mtim = cf->mtim;
971  sc->ctx = ctx;
972  sc->staple_vfy = cf->ocsp_vfy;
973  VTAILQ_INIT(&sc->sni_list);
974 
975  if (sc->staple_vfy > 0 ||
976  (sc-> staple_vfy < 0 && CONFIG->OCSP_VFY))
977  AN(SSL_CTX_set_default_verify_paths(ctx));
978 
979  if (CONFIG->PMODE == SSL_CLIENT)
980  return (sc);
981 
982  /* SSL_SERVER Mode stuff */
983  if (SSL_CTX_use_certificate_chain_file(ctx, cf->filename) <= 0) {
984  log_ssl_error(NULL,
985  "Error loading certificate file %s\n", cf->filename);
986  sctx_free(sc, NULL);
987  return (NULL);
988  }
989 
990  pkey = 0;
991  if (cf->priv_key_filename != 0) {
992  pkey = load_privatekey(ctx, cf->priv_key_filename);
993  if (!pkey) {
994  ERR("Error loading private key (%s)\n",
995  cf->priv_key_filename);
996  sctx_free(sc, NULL);
997  return (NULL);
998  }
999  }
1000  if (!pkey) {
1001  pkey = load_privatekey(ctx, cf->filename);
1002  if (!pkey) {
1003  ERR("Error loading private key (%s)\n", cf->filename);
1004  sctx_free(sc, NULL);
1005  return (NULL);
1006  }
1007  }
1008 
1009  if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
1010  log_ssl_error(NULL, "SSL_CTX_use_PrivateKey: %s",
1011  cf->filename);
1012  EVP_PKEY_free(pkey);
1013  sctx_free(sc, NULL);
1014  return (NULL);
1015  }
1016 
1017 #ifndef OPENSSL_NO_DH
1018  init_dh(ctx, cf->filename);
1019  init_ecdh(ctx);
1020 #endif /* OPENSSL_NO_DH */
1021 
1022 #ifndef OPENSSL_NO_TLSEXT
1023  if (!SSL_CTX_set_tlsext_servername_callback(ctx, sni_switch_ctx)) {
1024  ERR("Error setting up SNI support.\n");
1025  }
1027  if (!SSL_CTX_set_tlsext_servername_arg(ctx, (void *)fr)) {
1028  ERR("Error setting SNI servername arg.\n");
1029  }
1030 
1031  if (load_cert_ctx(sc) != 0) {
1032  EVP_PKEY_free(pkey);
1033  sctx_free(sc, NULL);
1034  return (NULL);
1035  }
1036 
1037  if (CONFIG->OCSP_DIR) {
1038  char *fn = HOCSP_fn(sc->filename);
1039  /* attempt loading of cached ocsp staple */
1040  if (fn != NULL && HOCSP_init_file(fn, sc, 1) == 0) {
1041  LOG("{core} Loaded cached OCSP staple for cert '%s'\n",
1042  sc->filename);
1043  sc->staple_fn = fn;
1044  }
1045  }
1046 
1047  if (sc->staple == NULL && cf->ocspfn != NULL) {
1048  if (HOCSP_init_file(cf->ocspfn, sc, 0) != 0) {
1049  ERR("Error loading OCSP response %s for stapling.\n",
1050  cf->ocspfn);
1051  EVP_PKEY_free(pkey);
1052  sctx_free(sc, NULL);
1053  return (NULL);
1054  } else {
1055  LOG("{core} Loaded OCSP staple '%s'\n", cf->ocspfn);
1056  sc->staple_fn = strdup(cf->ocspfn);
1057  sc->staple->mtim = cf->ocsp_mtim;
1058  }
1059  }
1060 
1061  if (CONFIG->OCSP_DIR != NULL)
1062  HOCSP_ev_stat(sc);
1063 
1064 #endif /* OPENSSL_NO_TLSEXT */
1065 
1066 #ifdef USE_SHARED_CACHE
1067  if (CONFIG->SHARED_CACHE) {
1068  if (shared_context_init(ctx, CONFIG->SHARED_CACHE) < 0) {
1069  ERR("Unable to alloc memory for shared cache.\n");
1070  EVP_PKEY_free(pkey);
1071  sctx_free(sc, NULL);
1072  return (NULL);
1073  }
1074  if (CONFIG->SHCUPD_PORT) {
1075  RSA *rsa;
1076  rsa = EVP_PKEY_get1_RSA(pkey);
1077  if (rsa != NULL &&
1078  compute_secret(rsa, shared_secret) < 0) {
1079  ERR("Unable to compute shared secret.\n");
1080  EVP_PKEY_free(pkey);
1081  sctx_free(sc, NULL);
1082  return (NULL);
1083  }
1084 
1085  /* Force TLS tickets because keys differs. */
1086  SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
1087 
1088  if (*shcupd_peers) {
1089  shsess_set_new_cbk(shcupd_session_new);
1090  }
1091  }
1092  }
1093 #endif
1094  EVP_PKEY_free(pkey);
1095  return (sc);
1096 }
1097 
1098 static void
1100 {
1101  sni_name *sn, *sn2;
1102  char *key;
1104 
1105  VTAILQ_FOREACH(sn, &sc->sni_list, list) {
1107  key = sn->sni_key;
1108  AN(key);
1109  if (sn->is_wildcard)
1110  key = sn->sni_key + 1;
1111  HASH_FIND_STR(*sn_tab, key, sn2);
1112  if (sn2 != NULL) {
1113  ERR("Warning: SNI name '%s' from '%s' overridden"
1114  " by '%s'\n",
1115  key, sn2->sctx->filename, sn->sctx->filename);
1116  }
1117  HASH_ADD_KEYPTR(hh, *sn_tab, key, strlen(key), sn);
1118  }
1119 }
1120 
1121 static sslctx *
1122 make_ctx(const struct cfg_cert_file *cf)
1123 {
1124  return (make_ctx_fr(cf, NULL, NULL));
1125 }
1126 #ifndef OPENSSL_NO_TLSEXT
1127 static int
1128 load_cert_ctx(sslctx *so)
1129 {
1130  X509 *x509;
1131  X509_NAME *x509_name;
1132  X509_NAME_ENTRY *x509_entry;
1133  BIO *f;
1134  STACK_OF(GENERAL_NAME) *names = NULL;
1135  GENERAL_NAME *name;
1136  int i;
1137 
1138 #define PUSH_CTX(asn1_str, ctx) \
1139  do { \
1140  sni_name *sn; \
1141  ALLOC_OBJ(sn, SNI_NAME_MAGIC); \
1142  ASN1_STRING_to_UTF8( \
1143  (unsigned char **)&sn->servername, asn1_str); \
1144  sn->is_wildcard = \
1145  (strstr(sn->servername, "*.") == sn->servername); \
1146  sn->sni_key = sni_build_key(sn->servername); \
1147  sn->sctx = so; \
1148  VTAILQ_INSERT_TAIL(&so->sni_list, sn, list); \
1149  } while (0)
1150 
1151  f = BIO_new(BIO_s_file());
1152  // TODO: error checking
1153 
1154  if (!BIO_read_filename(f, so->filename)) {
1155  ERR("Could not read certificate '%s'\n", so->filename);
1156  return (1);
1157  }
1158  x509 = PEM_read_bio_X509_AUX(f, NULL, NULL, NULL);
1159  BIO_free(f);
1160 
1161  so->x509 = x509;
1162 
1163  /* First, look for Subject Alternative Names. */
1164  names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
1165  for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1166  name = sk_GENERAL_NAME_value(names, i);
1167  if (name->type == GEN_DNS) {
1168  PUSH_CTX(name->d.dNSName, ctx);
1169  }
1170  }
1171  if (sk_GENERAL_NAME_num(names) > 0) {
1172  sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1173  /* If we found some, don't bother looking any further. */
1174  return (0);
1175  } else if (names != NULL) {
1176  sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1177  }
1178 
1179  /* Now we're left looking at the CN on the cert. */
1180  x509_name = X509_get_subject_name(x509);
1181  i = X509_NAME_get_index_by_NID(x509_name, NID_commonName, -1);
1182  if (i < 0) {
1183  ERR("Could not find Subject Alternative Names"
1184  " or a CN on cert %s\n", so->filename);
1185  return (1);
1186  }
1187  x509_entry = X509_NAME_get_entry(x509_name, i);
1188  AN(x509_entry);
1189  PUSH_CTX(X509_NAME_ENTRY_get_data(x509_entry), ctx);
1190 
1191  return (0);
1192 }
1193 #endif /* OPENSSL_NO_TLSEXT */
1194 
1195 /* Check that we don't needlessly load a cert that's already loaded. */
1196 static sslctx *
1197 find_ctx(const char *file)
1198 {
1199  sslctx *so;
1200  HASH_FIND_STR(ssl_ctxs, file, so);
1201  return (so);
1202 }
1203 
1204 /* Init library and load specified certificate.
1205  * Establishes a SSL_ctx, to act as a template for
1206  * each connection */
1207 void
1209 {
1210  SSL_library_init();
1211  SSL_load_error_strings();
1212  OpenSSL_add_all_digests();
1213 
1214  if (CONFIG->ENGINE) {
1215  ENGINE *e = NULL;
1216  ENGINE_load_builtin_engines();
1217  HSSL_Locks_Init();
1218  if (!strcmp(CONFIG->ENGINE, "auto"))
1219  ENGINE_register_all_complete();
1220  else {
1221  if ((e = ENGINE_by_id(CONFIG->ENGINE)) == NULL ||
1222  !ENGINE_init(e) ||
1223  !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
1224  log_ssl_error(NULL,
1225  "{core} ENGINE initialization failed");
1226  exit(1);
1227  }
1228  LOG("{core} will use OpenSSL engine %s.\n",
1229  ENGINE_get_id(e));
1230  ENGINE_finish(e);
1231  ENGINE_free(e);
1232  }
1233  }
1234 }
1235 
1236 static void
1237 init_certs(void) {
1238  struct cfg_cert_file *cf, *cftmp;
1239  sslctx *so;
1240 
1241  if (CONFIG->CERT_DEFAULT != NULL) {
1242  default_ctx = make_ctx(CONFIG->CERT_DEFAULT);
1243  if (default_ctx == NULL)
1244  exit(1);
1245 #ifndef OPENSSL_NO_TLSEXT
1246  insert_sni_names(default_ctx, &sni_names);
1247 #endif
1248  }
1249 
1250  // Go through the list of PEMs and make some SSL contexts for
1251  // them. We also keep track of the names associated with each
1252  // cert so we can do SNI on them later
1253  HASH_ITER(hh, CONFIG->CERT_FILES, cf, cftmp) {
1254  if (find_ctx(cf->filename) == NULL) {
1255  so = make_ctx(cf);
1256  if (so == NULL)
1257  exit(1);
1258  HASH_ADD_KEYPTR(hh, ssl_ctxs, so->filename,
1259  strlen(so->filename), so);
1260 #ifndef OPENSSL_NO_TLSEXT
1262 #endif
1263  }
1264  }
1265 }
1266 
1267 static void
1269 {
1271  if (ls->sock > 0)
1272  (void) close(ls->sock);
1273  free(ls->name);
1274  FREE_OBJ(ls);
1275 }
1276 
1277 static void
1279 {
1280  struct listen_sock *ls, *lstmp;
1281  sslctx *sc, *sctmp;
1282 
1284 
1285  VTAILQ_FOREACH_SAFE(ls, &fr->socks, list, lstmp) {
1287  VTAILQ_REMOVE(&fr->socks, ls, list);
1288  destroy_lsock(ls);
1289  }
1290 
1291  HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
1292  HASH_DEL(fr->ssl_ctxs, sc);
1293  sctx_free(sc, &fr->sni_names);
1294  }
1295 
1296  AZ(HASH_COUNT(fr->sni_names));
1297  free(fr->pspec);
1298  FREE_OBJ(fr);
1299 }
1300 
1301 /* Create the bound socket in the parent process */
1302 static int
1303 frontend_listen(const struct front_arg *fa, struct listen_sock_head *slist)
1304 {
1305  struct addrinfo *ai, hints, *it;
1306  struct listen_sock *ls, *lstmp;
1307  char buf[INET6_ADDRSTRLEN+20];
1308  char abuf[INET6_ADDRSTRLEN];
1309  char pbuf[8];
1310  int r, count = 0;
1311 
1313  memset(&hints, 0, sizeof hints);
1314  hints.ai_family = AF_UNSPEC;
1315  hints.ai_socktype = SOCK_STREAM;
1316  hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
1317  r = getaddrinfo(fa->ip, fa->port,
1318  &hints, &ai);
1319  if (r != 0) {
1320  ERR("{getaddrinfo-listen}: %s: %s\n", fa->pspec,
1321  gai_strerror(r));
1322  return (-1);
1323  }
1324 
1325  for (it = ai; it != NULL; it = it->ai_next) {
1327  VTAILQ_INSERT_TAIL(slist, ls, list);
1328  count++;
1329 
1330  ls->sock = socket(it->ai_family, SOCK_STREAM, IPPROTO_TCP);
1331  if (ls->sock == -1) {
1332  ERR("{socket: main}: %s: %s\n", strerror(errno),
1333  fa->pspec);
1334  goto creat_frontend_err;
1335  }
1336 
1337  int t = 1;
1338  if (setsockopt(ls->sock, SOL_SOCKET, SO_REUSEADDR,
1339  &t, sizeof(int))
1340  < 0) {
1341  ERR("{setsockopt-reuseaddr}: %s: %s\n", strerror(errno),
1342  fa->pspec);
1343  goto creat_frontend_err;
1344  }
1345 #ifdef SO_REUSEPORT_WORKS
1346  if (setsockopt(ls->sock, SOL_SOCKET, SO_REUSEPORT,
1347  &t, sizeof(int))
1348  < 0) {
1349  ERR("{setsockopt-reuseport}: %s: %s\n", strerror(errno),
1350  fa->pspec);
1351  goto creat_frontend_err;
1352  }
1353 #endif
1354 
1355 #ifdef TCP_FASTOPEN_WORKS
1356  if (CONFIG->TFO) {
1357  if (setsockopt(ls->sock, SOL_TCP, TCP_FASTOPEN,
1358  &t, sizeof(int))
1359  < 0) {
1360  ERR("{setsockopt-tcp_fastopen}: %s: %s\n", strerror(errno),
1361  fa->pspec);
1362  goto creat_frontend_err;
1363  }
1364  }
1365 #endif
1366 
1367  if(setnonblocking(ls->sock) < 0) {
1368  ERR("{listen sock: setnonblocking}: %s: %s\n",
1369  strerror(errno), fa->pspec);
1370  goto creat_frontend_err;
1371  }
1372 #ifdef IPV6_V6ONLY
1373  t = 1;
1374  if (it->ai_family == AF_INET6 &&
1375  setsockopt(ls->sock, IPPROTO_IPV6, IPV6_V6ONLY, &t,
1376  sizeof (t)) != 0) {
1377  ERR("{setsockopt-ipv6only}: %s: %s\n", strerror(errno),
1378  fa->pspec);
1379  goto creat_frontend_err;
1380  }
1381 #endif
1382  if (CONFIG->RECV_BUFSIZE > 0) {
1383  r = setsockopt(ls->sock, SOL_SOCKET, SO_RCVBUF,
1384  &CONFIG->RECV_BUFSIZE,
1385  sizeof(CONFIG->RECV_BUFSIZE));
1386  if (r < 0) {
1387  ERR("{setsockopt-rcvbuf}: %s: %s\n",
1388  strerror(errno), fa->pspec);
1389  goto creat_frontend_err;
1390  }
1391  }
1392  if (CONFIG->SEND_BUFSIZE > 0) {
1393  r = setsockopt(ls->sock, SOL_SOCKET, SO_SNDBUF,
1394  &CONFIG->SEND_BUFSIZE,
1395  sizeof(CONFIG->SEND_BUFSIZE));
1396  if (r < 0) {
1397  ERR("{setsockopt-sndbuf}: %s: %s\n",
1398  strerror(errno), fa->pspec);
1399  goto creat_frontend_err;
1400  }
1401  }
1402 
1403  if (bind(ls->sock, it->ai_addr, it->ai_addrlen)) {
1404  ERR("{bind-socket}: %s: %s\n", strerror(errno),
1405  fa->pspec);
1406  goto creat_frontend_err;
1407  }
1408 
1409 #ifndef NO_DEFER_ACCEPT
1410 #if TCP_DEFER_ACCEPT
1411  int timeout = 1;
1412  if (setsockopt(ls->sock, IPPROTO_TCP, TCP_DEFER_ACCEPT,
1413  &timeout, sizeof(int)) < 0) {
1414  ERR("{setsockopt-defer_accept}: %s: %s\n",
1415  strerror(errno), fa->pspec);
1416  goto creat_frontend_err;
1417  }
1418 #endif /* TCP_DEFER_ACCEPT */
1419 #endif
1420  if (listen(ls->sock, CONFIG->BACKLOG) != 0) {
1421  ERR("{listen-socket}: %s: %s\n", strerror(errno),
1422  fa->pspec);
1423  goto creat_frontend_err;
1424  }
1425 
1426  memcpy(&ls->addr, it->ai_addr, it->ai_addrlen);
1427 
1428  r = getnameinfo(it->ai_addr, it->ai_addrlen, abuf,
1429  sizeof abuf, pbuf, sizeof pbuf,
1430  NI_NUMERICHOST | NI_NUMERICSERV);
1431  if (r != 0) {
1432  ERR("{getnameinfo}: %s\n", fa->pspec);
1433  goto creat_frontend_err;
1434  }
1435 
1436  if (it->ai_addr->sa_family == AF_INET6) {
1437  sprintf(buf, "[%s]:%s", abuf, pbuf);
1438  } else {
1439  sprintf(buf, "%s:%s", abuf, pbuf);
1440  }
1441  ls->name = strdup(buf);
1442  AN(ls->name);
1443  LOG("{core} Listening on %s\n", ls->name);
1444  }
1445 
1446  freeaddrinfo(ai);
1447  return (count);
1448 
1449 creat_frontend_err:
1450  freeaddrinfo(ai);
1451  VTAILQ_FOREACH_SAFE(ls, slist, list, lstmp) {
1452  VTAILQ_REMOVE(slist, ls, list);
1453  free(ls->name);
1454  if (ls->sock > 0)
1455  (void) close(ls->sock);
1456  FREE_OBJ(ls);
1457  }
1458 
1459  return (-1);
1460 }
1461 
1462 static struct frontend *
1463 create_frontend(const struct front_arg *fa)
1464 {
1465  struct frontend *fr;
1466  sslctx *so;
1467  int count = 0;
1468  struct frontend_head tmp_list;
1469  struct cfg_cert_file *cf;
1470 
1473  VTAILQ_INIT(&fr->socks);
1474  AN(fr);
1475 
1476  fr->pspec = strdup(fa->pspec);
1479 
1480  VTAILQ_INIT(&tmp_list);
1481  count = frontend_listen(fa, &fr->socks);
1482  if (count < 0) {
1483  destroy_frontend(fr);
1484  return (NULL);
1485  }
1486 
1487  for (cf = fa->certs; cf != NULL; cf = cf->hh.next) {
1488  so = make_ctx_fr(cf, fr, fa);
1489  if (so == NULL) {
1490  destroy_frontend(fr);
1491  return (NULL);
1492  }
1494  so->filename, strlen(so->filename), so);
1495 #ifndef OPENSSL_NO_TLSEXT
1496  insert_sni_names(so, &fr->sni_names);
1497 #endif
1498  if (cf->hh.next == NULL)
1499  fr->default_ctx = so;
1500  }
1501 
1502  return (fr);
1503 }
1504 
1505 static const void *
1506 Get_Sockaddr(const struct sockaddr *sa, socklen_t *sl);
1507 
1508 static struct backend *
1509 backend_create(struct sockaddr *sa)
1510 {
1511  socklen_t len;
1512  const void *addr;
1513  struct backend *b;
1514  struct suckaddr *su;
1515 
1516  addr = Get_Sockaddr(sa, &len);
1517  AN(addr);
1518  su = VSA_Malloc(addr, len);
1520  b->backaddr = su;
1521  b->ref = 1;
1522  return (b);
1523 }
1524 
1525 static struct backend *
1527 {
1529  AN(backaddr->ref);
1530  backaddr->ref++;
1531  return (backaddr);
1532 }
1533 
1534 
1535 void
1537 {
1538  struct backend *b;
1539  b = *be;
1540 
1542  AN(b->ref);
1543  b->ref--;
1544 
1545  if (b->ref == 0) {
1546  free(b->backaddr);
1547  FREE_OBJ(*be);
1548  }
1549 }
1550 
1551 /* Initiate a clear-text nonblocking connect() to the backend IP on behalf
1552  * of a newly connected upstream (encrypted) client */
1553 static int
1555 {
1556  socklen_t len;
1557  const struct sockaddr *addr;
1558 
1560  addr = (struct sockaddr *) VSA_Get_Sockaddr(b->backaddr, &len);
1561  AN(addr);
1562  int s = socket(addr->sa_family, SOCK_STREAM, 0);
1563 
1564  if (s == -1)
1565  return (-1);
1566 
1567  if (addr->sa_family != PF_UNIX) {
1568  int flag = 1;
1569  int ret = setsockopt(s, IPPROTO_TCP, TCP_NODELAY,
1570  (char *)&flag, sizeof(flag));
1571  if (ret == -1)
1572  ERR("Couldn't setsockopt to backend (TCP_NODELAY):"
1573  " %s\n", strerror(errno));
1574  }
1575  if (setnonblocking(s) < 0) {
1576  (void)close(s);
1577  return (-1);
1578  }
1579  return (s);
1580 }
1581 
1582 /* Only enable a libev ev_io event if the proxied connection still
1583  * has both up and down connected */
1584 static void
1586 {
1588  if (!ps->want_shutdown)
1589  ev_io_start(loop, w);
1590 }
1591 
1592 static void
1594 {
1595  if (worker_state == WORKER_EXITING && n_conns == 0) {
1596  LOGL("Worker %d (gen: %d) in state EXITING "
1597  "is now exiting.\n", core_id, worker_gen);
1598  _exit(0);
1599  }
1600 }
1601 
1602 /* Only enable a libev ev_io event if the proxied connection still
1603  * has both up and down connected */
1604 static void
1606 {
1608  LOGPROXY(ps, "proxy shutdown req=%s\n", SHUTDOWN_STR[req]);
1609  if (ps->want_shutdown || req == SHUTDOWN_HARD) {
1610  ev_io_stop(loop, &ps->ev_w_ssl);
1611  ev_io_stop(loop, &ps->ev_r_ssl);
1612  ev_io_stop(loop, &ps->ev_w_handshake);
1613  ev_io_stop(loop, &ps->ev_r_handshake);
1614  ev_timer_stop(loop, &ps->ev_t_handshake);
1615  ev_io_stop(loop, &ps->ev_w_connect);
1616  ev_timer_stop(loop, &ps->ev_t_connect);
1617  ev_io_stop(loop, &ps->ev_w_clear);
1618  ev_io_stop(loop, &ps->ev_r_clear);
1619  ev_io_stop(loop, &ps->ev_proxy);
1620 
1621  (void)SSL_shutdown(ps->ssl);
1622 
1623  ERR_clear_error();
1624  SSL_free(ps->ssl);
1625 
1626  close(ps->fd_up);
1627  close(ps->fd_down);
1628  backend_deref(&ps->backend);
1629 
1632  free(ps);
1633 
1634  n_conns--;
1635  check_exit_state();
1636  }
1637  else {
1638  ps->want_shutdown = 1;
1639  if (req == SHUTDOWN_CLEAR &&
1642  else if (req == SHUTDOWN_SSL &&
1645  }
1646 }
1647 
1648 /* Handle various socket errors */
1649 static void
1651 {
1653  if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
1654  return;
1655 
1656  if (backend)
1657  ERR("{backend} Socket error: %s\n", strerror(errno));
1658  else
1659  LOG("{client} Socket error: %s\n", strerror(errno));
1661 }
1662 
1663 /* Start connect to backend */
1664 static int
1666 {
1667  int t = 1;
1668  socklen_t len;
1669  const void *addr;
1670 
1673  addr = VSA_Get_Sockaddr(ps->backend->backaddr, &len);
1674  AN(addr);
1675 
1676  t = connect(ps->fd_down, addr, len);
1677  if (t == 0 || errno == EINPROGRESS || errno == EINTR) {
1678  ev_io_start(loop, &ps->ev_w_connect);
1679  ev_timer_start(loop, &ps->ev_t_connect);
1680  return (0);
1681  }
1682 
1683  ERR("{backend-connect}: %s\n", strerror(errno));
1685 
1686  return (-1);
1687 }
1688 
1689 /* Read some data from the backend when libev says data is available--
1690  * write it into the upstream buffer and make sure the write event is
1691  * enabled for the upstream socket */
1692 static void
1693 clear_read(struct ev_loop *loop, ev_io *w, int revents)
1694 {
1695  (void) revents;
1696  int t;
1697  proxystate *ps;
1698  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1699  if (ps->want_shutdown) {
1700  ev_io_stop(loop, &ps->ev_r_clear);
1701  return;
1702  }
1703  int fd = w->fd;
1704  char *buf = ringbuffer_write_ptr(&ps->ring_clear2ssl);
1705  t = recv(fd, buf, ps->ring_clear2ssl.data_len, 0);
1706 
1707  if (t > 0) {
1710  ev_io_stop(loop, &ps->ev_r_clear);
1711  if (ps->handshaked)
1712  safe_enable_io(ps, &ps->ev_w_ssl);
1713  }
1714  else if (t == 0) {
1715  LOGPROXY(ps,"Connection closed by %s\n",
1716  fd == ps->fd_down ? "backend" : "client");
1718  }
1719  else {
1720  assert(t == -1);
1721  handle_socket_errno(ps, fd == ps->fd_down ? 1 : 0);
1722  }
1723 }
1724 
1725 
1726 /* Write some data, previously received on the secure upstream socket,
1727  * out of the downstream buffer and onto the backend socket */
1728 static void
1729 clear_write(struct ev_loop *loop, ev_io *w, int revents)
1730 {
1731  (void)revents;
1732  int t;
1733  proxystate *ps;
1734  int fd = w->fd;
1735  int sz;
1736 
1737  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1739 
1740  char *next = ringbuffer_read_next(&ps->ring_ssl2clear, &sz);
1741  t = send(fd, next, sz, MSG_NOSIGNAL);
1742 
1743  if (t > 0) {
1744  if (t == sz) {
1746  if (ps->handshaked)
1747  safe_enable_io(ps, &ps->ev_r_ssl);
1748  if (ringbuffer_is_empty(&ps->ring_ssl2clear)) {
1749  if (ps->want_shutdown) {
1751  return; // dealloc'd
1752  }
1753  ev_io_stop(loop, &ps->ev_w_clear);
1754  }
1755  } else {
1757  }
1758  } else {
1759  assert(t == -1);
1760  handle_socket_errno(ps, fd == ps->fd_down ? 1 : 0);
1761  }
1762 }
1763 
1764 static void start_handshake(proxystate *ps, int err);
1765 
1766 static unsigned
1767 sockaddr_port(const struct sockaddr *sa)
1768 {
1769  const struct sockaddr_in *sa4;
1770  const struct sockaddr_in6 *sa6;
1771 
1772  switch (sa->sa_family) {
1773  case PF_INET:
1774  sa4 = (struct sockaddr_in *) sa;
1775  return (ntohs((sa4->sin_port)));
1776  case PF_INET6:
1777  sa6 = (struct sockaddr_in6 *) sa;
1778  return (ntohs((sa6->sin6_port)));
1779  default:
1780  return (0);
1781  }
1782 }
1783 
1784 /* Continue/complete the asynchronous connect() before starting data
1785  * transmission between front/backend */
1786 static void
1787 handle_connect(struct ev_loop *loop, ev_io *w, int revents)
1788 {
1789  int t, r;
1790  proxystate *ps;
1791  socklen_t len;
1792  const void *addr;
1793 
1794  (void)revents;
1795  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1797  addr = VSA_Get_Sockaddr(ps->backend->backaddr, &len);
1798  AN(addr);
1799 
1800  t = connect(ps->fd_down, addr, len);
1801 
1802  if (!t || errno == EISCONN || !errno) {
1803  ev_io_stop(loop, &ps->ev_w_connect);
1804  ev_timer_stop(loop, &ps->ev_t_connect);
1805 
1806  if (!ps->clear_connected) {
1807  struct sockaddr_storage ss;
1808  socklen_t sl;
1809 
1810  sl = sizeof(addr);
1811  r = getsockname(ps->fd_down,
1812  (struct sockaddr *) &ss, &sl);
1813  AZ(r);
1815  (struct sockaddr *) &ss);
1816  LOGPROXY(ps, "backend connected\n");
1817 
1818  ps->clear_connected = 1;
1819 
1820  /* if incoming buffer is not full */
1822  safe_enable_io(ps, &ps->ev_r_clear);
1823 
1824  /* if outgoing buffer is not empty */
1826  // not safe.. we want to resume stream
1827  // even during half-closed
1828  ev_io_start(loop, &ps->ev_w_clear);
1829  } else {
1830  /* Clear side already connected so connect is on
1831  * secure side: perform handshake */
1832  start_handshake(ps, SSL_ERROR_WANT_WRITE);
1833  }
1834  }
1835  else if (errno == EINPROGRESS || errno == EINTR || errno == EALREADY) {
1836  /* do nothing, we'll get phoned home again... */
1837  } else {
1838  ERR("{backend-connect}: %s\n", strerror(errno));
1840  }
1841 }
1842 
1843 static void
1844 connect_timeout(EV_P_ ev_timer *w, int revents)
1845 {
1846  (void)loop;
1847  (void)revents;
1848  proxystate *ps;
1849  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1850  ERRPROXY(ps,"backend connect timeout\n");
1851  //shutdown_proxy(ps, SHUTDOWN_HARD);
1852 }
1853 
1854 /* Upon receiving a signal from OpenSSL that a handshake is required, re-wire
1855  * the read/write events to hook up to the handshake handlers */
1856 static void
1858 {
1860 
1861  ev_io_stop(loop, &ps->ev_r_ssl);
1862  ev_io_stop(loop, &ps->ev_w_ssl);
1863 
1864  ps->handshaked = 0;
1865 
1866  LOGPROXY(ps,"ssl handshake start\n");
1867  if (err == SSL_ERROR_WANT_READ)
1868  ev_io_start(loop, &ps->ev_r_handshake);
1869  else if (err == SSL_ERROR_WANT_WRITE)
1870  ev_io_start(loop, &ps->ev_w_handshake);
1871  ev_timer_start(loop, &ps->ev_t_handshake);
1872 }
1873 
1874 static void
1875 get_alpn(proxystate *ps, const unsigned char **selected, unsigned *len) {
1876  *selected = NULL;
1877  *len = 0;
1878 #ifdef OPENSSL_WITH_ALPN
1879  SSL_get0_alpn_selected(ps->ssl, selected, len);
1880 #endif
1881 #ifdef OPENSSL_WITH_NPN
1882  if (*len == 0)
1883  SSL_get0_next_proto_negotiated(ps->ssl, selected, len);
1884 #endif
1885 }
1886 
1887 static int
1888 proxy_tlv_append(char *dst, ssize_t dstlen, unsigned type,
1889  const char *val, ssize_t len)
1890 {
1891  if (len == -1)
1892  len = strlen(val);
1893  if (dstlen < len + 3)
1894  return (0);
1895  dst[0] = type;
1896  dst[1] = (len >> 8) & 0xff;
1897  dst[2] = len & 0xff;
1898  memcpy(dst + 3, val, len);
1899  return (len + 3);
1900 }
1901 
1902 static void
1903 write_proxy_v2(proxystate *ps, const struct sockaddr *local)
1904 {
1905  struct pp2_hdr *p;
1906  size_t len = 16, maxlen;
1907  char *base;
1908  const char *tlv_tok;
1909  unsigned tlv_len;
1910  int i;
1911 
1912  union addr {
1913  struct sockaddr sa;
1914  struct sockaddr_in sa4;
1915  struct sockaddr_in6 sa6;
1916  } *l, *r;
1917 
1919  base = ringbuffer_write_ptr(&ps->ring_ssl2clear);
1920  p = (struct pp2_hdr *)base; /* XXX: is this endian-safe? */
1921  l = (union addr *) local;
1922  r = (union addr *) &ps->remote_ip;
1923  maxlen = ps->ring_ssl2clear.data_len;
1924  /* XXX: should it be rounded down to PP2_HEADER_MAX? */
1925 
1926  memcpy(&p->sig, PP2_SIG, sizeof PP2_SIG);
1928  p->fam = l->sa.sa_family == AF_INET ?
1931 
1932  if (l->sa.sa_family == AF_INET) {
1933  len += 12;
1934 
1935  /* src/client */
1936  memcpy(&p->addr.ipv4.src_addr, &r->sa4.sin_addr.s_addr,
1937  sizeof p->addr.ipv4.src_addr);
1938  memcpy(&p->addr.ipv4.src_port, &r->sa4.sin_port,
1939  sizeof p->addr.ipv4.src_port);
1940 
1941  /* dst/server */
1942  memcpy(&p->addr.ipv4.dst_addr, &l->sa4.sin_addr.s_addr,
1943  sizeof p->addr.ipv4.dst_addr);
1944  memcpy(&p->addr.ipv4.dst_port, &l->sa4.sin_port,
1945  sizeof p->addr.ipv4.dst_port);
1946  } else {
1947  assert (l->sa.sa_family == AF_INET6);
1948  len += 36;
1949 
1950  /* src/client */
1951  memcpy(&p->addr.ipv6.src_addr, &r->sa6.sin6_addr.s6_addr,
1952  sizeof p->addr.ipv6.src_addr);
1953  memcpy(&p->addr.ipv6.src_port, &r->sa6.sin6_port,
1954  sizeof p->addr.ipv6.src_port);
1955 
1956  /* dst/server */
1957  memcpy(&p->addr.ipv6.dst_addr, &l->sa6.sin6_addr.s6_addr,
1958  sizeof p->addr.ipv6.dst_addr);
1959  memcpy(&p->addr.ipv6.dst_port, &l->sa6.sin6_port,
1960  sizeof p->addr.ipv6.dst_port);
1961  }
1962 
1963  /* This is where we add something related to NPN or ALPN*/
1964 #if defined(OPENSSL_WITH_ALPN) || defined(OPENSSL_WITH_NPN)
1965  tlv_tok = NULL;
1966  tlv_len = 0;
1967  get_alpn(ps, (const unsigned char **)&tlv_tok, &tlv_len);
1968  if (tlv_len > 0) {
1969  /* let the server know that a protocol was selected. */
1970  i = proxy_tlv_append(base + len, maxlen - len,
1971  PP2_TYPE_ALPN, tlv_tok, tlv_len);
1972  AN(i);
1973  len += i;
1974  }
1975 #endif
1976  if (CONFIG->PROXY_AUTHORITY) {
1977  tlv_tok = SSL_get_servername(ps->ssl,
1978  TLSEXT_NAMETYPE_host_name);
1979  if (tlv_tok != NULL) {
1980  tlv_len = strlen(tlv_tok);
1981  i = proxy_tlv_append(base + len, maxlen - len,
1982  PP2_TYPE_AUTHORITY, tlv_tok, tlv_len);
1983  len += i;
1984  }
1985  }
1986  if (CONFIG->PROXY_TLV) {
1987  char *tlvp = base + len;
1988  ssize_t sz = 0;
1989  const char *tmp;
1990 
1991  tlvp[0] = PP2_TYPE_SSL;
1992  /* tlvp[1..2] to be updated with payload length later */
1993  len += 3;
1994 
1995  base[len] = PP2_CLIENT_SSL;
1996  base[len + 1] = 1;
1997  len += 5;
1998  sz += 5;
1999 
2000  tmp = SSL_get_version(ps->ssl);
2001  AN(tmp);
2002  i = proxy_tlv_append(base + len, maxlen - len,
2003  PP2_SUBTYPE_SSL_VERSION, tmp, -1);
2004  len += i;
2005  sz += i;
2006 
2007  tmp = SSL_get_cipher_name(ps->ssl);
2008  AN(tmp);
2009  i = proxy_tlv_append(base + len, maxlen - len,
2010  PP2_SUBTYPE_SSL_CIPHER, tmp, -1);
2011  len += i;
2012  sz += i;
2013 
2014  tlvp[1] = (sz >> 8) & 0xff;
2015  tlvp[2] = sz & 0xff;
2016  }
2017 
2018  p->len = htons(len - 16);
2020 }
2021 
2022 static void
2023 write_proxy_v1(proxystate *ps, const struct sockaddr *local, socklen_t slen)
2024 {
2025  char *p;
2026  char src_addr[INET6_ADDRSTRLEN+1], dst_addr[INET6_ADDRSTRLEN+1];
2027  char src_port[8], dst_port[8];
2028  size_t len;
2029  int n;
2030 
2032 
2034  n = getnameinfo(local, slen, dst_addr, sizeof dst_addr, dst_port,
2035  sizeof dst_port, NI_NUMERICHOST | NI_NUMERICSERV);
2036  AZ(n);
2037 
2038  n = getnameinfo((struct sockaddr *) &ps->remote_ip, slen, src_addr,
2039  sizeof src_addr, src_port, sizeof src_port,
2040  NI_NUMERICHOST | NI_NUMERICSERV);
2041  AZ(n);
2042 
2043  if (local->sa_family == AF_INET) {
2044  len = sprintf(p, "PROXY TCP4 %s %s %s %s\r\n", src_addr,
2045  dst_addr, src_port, dst_port);
2046  } else {
2047  assert (local->sa_family == AF_INET6);
2048  len = sprintf(p, "PROXY TCP6 %s %s %s %s\r\n", src_addr,
2049  dst_addr, src_port, dst_port);
2050  }
2051  assert (len > 0);
2053 }
2054 
2055 static void
2057 {
2058  char *ring_pnt;
2059 
2061  ring_pnt = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2062  assert(ps->remote_ip.ss_family == AF_INET ||
2063  ps->remote_ip.ss_family == AF_INET6);
2064  *ring_pnt++ = (unsigned char) ps->remote_ip.ss_family;
2065  if (ps->remote_ip.ss_family == AF_INET6) {
2066  memcpy(ring_pnt,
2067  &((struct sockaddr_in6 *)
2068  &ps->remote_ip)->sin6_addr.s6_addr, 16U);
2069  ringbuffer_write_append(&ps->ring_ssl2clear, 1U + 16U);
2070  }
2071  else {
2072  memcpy(ring_pnt, &((struct sockaddr_in *)
2073  &ps->remote_ip)->sin_addr.s_addr, 4U);
2074  ringbuffer_write_append(&ps->ring_ssl2clear, 1U + 4U);
2075  }
2076 }
2077 
2078 #if defined(OPENSSL_WITH_NPN) || defined(OPENSSL_WITH_ALPN)
2079 static int is_protocol_matching(const unsigned char *selected, unsigned len) {
2080  int unsigned i = 0;
2081  if (CONFIG->ALPN_PROTOS_LV != NULL) {
2082  while (i < CONFIG->ALPN_PROTOS_LV_LEN) {
2083  if(CONFIG->ALPN_PROTOS_LV[i] == len &&
2084  0 == memcmp(selected,
2085  CONFIG->ALPN_PROTOS_LV + i + 1,
2086  len))
2087  return (1);
2088  i+= CONFIG->ALPN_PROTOS_LV[i] + 1;
2089  }
2090  }
2091  return (0);
2092 }
2093 
2094 static int is_alpn_shutdown_needed(proxystate *ps) {
2095  const unsigned char *alpn_tok;
2096  unsigned alpn_len;
2097 
2098  if (CONFIG->ALPN_PROTOS_LV == NULL)
2099  return (0);
2100 
2101  get_alpn(ps, &alpn_tok, &alpn_len);
2102  if (alpn_len == 0) {
2103  /* If alpn / npn was tried, shut down */
2104  if(ps->npn_alpn_tried) {
2105  LOGPROXY(ps, "Unsuccessful NPN/ALPN negotiation\n");
2106  return (1);
2107  } else
2108  LOGPROXY(ps, "No NPN/ALPN negotiation happened.\n");
2109  } else if (!is_protocol_matching(alpn_tok, alpn_len)) {
2110  LOGPROXY(ps, "NPN: Unknown protocol selected\n");
2111  return (1);
2112  } else
2113  LOGPROXY(ps, "NPN/ALPN protocol: %.*s\n",
2114  alpn_len, alpn_tok);
2115  return (0);
2116 }
2117 #endif
2118 
2119 /* After OpenSSL is done with a handshake, re-wire standard read/write handlers
2120  * for data transmission */
2121 static void end_handshake(proxystate *ps) {
2123  ev_io_stop(loop, &ps->ev_r_handshake);
2124  ev_io_stop(loop, &ps->ev_w_handshake);
2125  ev_timer_stop(loop, &ps->ev_t_handshake);
2126 
2127 #if defined(OPENSSL_WITH_NPN) || defined(OPENSSL_WITH_ALPN)
2128  if (is_alpn_shutdown_needed(ps)) {
2130  return;
2131  }
2132 #endif
2133  LOGPROXY(ps,"ssl end handshake\n");
2134  /* Disable renegotiation (CVE-2009-3555) */
2135 #ifdef HAVE_STRUCT_SSL_ST_S3
2136  /* For OpenSSL 1.1, setting the following flag does not seem
2137  * to be possible. This is OK, since SSLv3 negotiation will
2138  * not happen in OpenSSL 0.9.8m or later unless
2139  * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. */
2140  if (ps->ssl->s3) {
2141  ps->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
2142  }
2143 #endif
2144  ps->handshaked = 1;
2145 
2146  /* Check if clear side is connected */
2147  if (!ps->clear_connected) {
2148  if (CONFIG->WRITE_PROXY_LINE_V1 ||
2150  struct sockaddr_storage local;
2151  socklen_t slen = sizeof local;
2152  AZ(getsockname(ps->fd_up, (struct sockaddr *) &local,
2153  &slen));
2155  write_proxy_v1(ps, (struct sockaddr *) &local,
2156  slen);
2157  else
2158  write_proxy_v2(ps, (struct sockaddr *) &local);
2159  } else if (CONFIG->WRITE_IP_OCTET) {
2160  write_ip_octet(ps);
2161  }
2162 
2163  /* start connect now */
2164  if (0 != start_connect(ps))
2165  return;
2166  } else {
2167  /* hitch used in client mode, keep client session ) */
2168  if (!SSL_session_reused(ps->ssl)) {
2169  if (client_session)
2170  SSL_SESSION_free(client_session);
2171  client_session = SSL_get1_session(ps->ssl);
2172  }
2173  }
2174 
2175  /* if incoming buffer is not full */
2177  safe_enable_io(ps, &ps->ev_r_ssl);
2178 
2179  /* if outgoing buffer is not empty */
2181  // not safe.. we want to resume stream even during half-closed
2182  ev_io_start(loop, &ps->ev_w_ssl);
2183 }
2184 
2185 static void
2186 client_proxy_proxy(struct ev_loop *loop, ev_io *w, int revents)
2187 {
2188  (void)revents;
2189  int t;
2190  char *proxy = tcp_proxy_line;
2191  char *end = tcp_proxy_line + sizeof(tcp_proxy_line);
2192  proxystate *ps;
2193  BIO *b;
2194 
2195  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2196  b = SSL_get_rbio(ps->ssl);
2197 
2198  // Copy characters one-by-one until we hit a \n or an error
2199  while (proxy != end && (t = BIO_read(b, proxy, 1)) == 1) {
2200  if (*proxy++ == '\n')
2201  break;
2202  }
2203 
2204  if (proxy == end) {
2205  LOG("{client} Unexpectedly long PROXY line. Malformed req?");
2207  } else if (t == 1) {
2208  if (ringbuffer_is_full(&ps->ring_ssl2clear)) {
2209  LOG("{client} Error writing PROXY line");
2211  return;
2212  }
2213 
2214  char *ring = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2215  memcpy(ring, tcp_proxy_line, proxy - tcp_proxy_line);
2216  ringbuffer_write_append(&ps->ring_ssl2clear,
2217  proxy - tcp_proxy_line);
2218 
2219  // Finished reading the PROXY header
2220  if (*(proxy - 1) == '\n') {
2221  ev_io_stop(loop, &ps->ev_proxy);
2222 
2223  // Start the real handshake
2224  start_handshake(ps, SSL_ERROR_WANT_READ);
2225  }
2226  } else if (!BIO_should_retry(b)) {
2227  LOG("{client} Unexpected error reading PROXY line");
2229  }
2230 }
2231 
2232 /* The libev I/O handler during the OpenSSL handshake phase. Basically, just
2233  * let OpenSSL do what it likes with the socket and obey its requests for reads
2234  * or writes */
2235 static void
2236 client_handshake(struct ev_loop *loop, ev_io *w, int revents)
2237 {
2238  (void)revents;
2239  int t;
2240  const char *errtok;
2241  proxystate *ps;
2242  int errno_val;
2243 
2244 
2245  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2246 
2247  LOGPROXY(ps,"ssl client handshake revents=%x\n",revents);
2248  t = SSL_do_handshake(ps->ssl);
2249  if (t == 1) {
2250  end_handshake(ps);
2251  } else {
2252  errno_val = errno;
2253  int err = SSL_get_error(ps->ssl, t);
2254  switch (err) {
2255 #define SSL_ERR(a) \
2256  case a: errtok = #a; break;
2257 #include "ssl_err.h"
2258 #undef SSL_ERR
2259  default:
2260  errtok = "<undefined>";
2261  }
2262 
2263  LOGPROXY(ps,"ssl client handshake err=%s\n",errtok);
2264  if (err == SSL_ERROR_WANT_READ) {
2265  ev_io_stop(loop, &ps->ev_w_handshake);
2266  ev_io_start(loop, &ps->ev_r_handshake);
2267  } else if (err == SSL_ERROR_WANT_WRITE) {
2268  ev_io_stop(loop, &ps->ev_r_handshake);
2269  ev_io_start(loop, &ps->ev_w_handshake);
2270  } else if (err == SSL_ERROR_ZERO_RETURN) {
2271  LOG("{%s} Connection closed (in handshake)\n",
2272  w->fd == ps->fd_up ? "client" : "backend");
2274  } else if (err == SSL_ERROR_SYSCALL) {
2275  LOG("{%s} SSL socket error in handshake: %s\n",
2276  w->fd == ps->fd_up ? "client" : "backend",
2277  strerror(errno_val));
2279  } else {
2280  if (err == SSL_ERROR_SSL) {
2281  log_ssl_error(ps, "Handshake failure");
2282  } else {
2283  LOG("{%s} Unexpected SSL error "
2284  "(in handshake): %d\n",
2285  w->fd == ps->fd_up ? "client" : "backend",
2286  err);
2287  }
2289  }
2290  }
2291 }
2292 
2293 static void
2294 handshake_timeout(EV_P_ ev_timer *w, int revents)
2295 {
2296  (void)loop;
2297  (void)revents;
2298  proxystate *ps;
2299  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2300  LOGPROXY(ps,"SSL handshake timeout\n");
2302 }
2303 
2304 #define SSLERR(ps, which, log) \
2305  switch (err) { \
2306  case SSL_ERROR_ZERO_RETURN: \
2307  log(ps,"Connection closed by " which "\n"); \
2308  break; \
2309  case SSL_ERROR_SYSCALL: \
2310  if (errno == 0) { \
2311  log(ps,"Connection closed by " which "\n"); \
2312  } else { \
2313  log(ps,"SSL socket error (" which "): %s\n", \
2314  strerror(errno)); \
2315  } \
2316  break; \
2317  default: \
2318  log(ps,"{" which "} Unexpected SSL_read error (" \
2319  which "): %d\n", err); \
2320  }
2321 
2322 /* Handle a socket error condition passed to us from OpenSSL */
2323 static void
2325 {
2327  if (backend) {
2328  SSLERR(ps, "backend", ERRPROXY);
2329  } else {
2330  SSLERR(ps, "client", LOGPROXY);
2331  }
2333 }
2334 
2335 /* Read some data from the upstream secure socket via OpenSSL,
2336  * and buffer anything we get for writing to the backend */
2337 static void
2338 ssl_read(struct ev_loop *loop, ev_io *w, int revents)
2339 {
2340  (void)revents;
2341  int t;
2342  proxystate *ps;
2343 
2344  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2345 
2346  if (ps->want_shutdown) {
2347  ev_io_stop(loop, &ps->ev_r_ssl);
2348  return;
2349  }
2350  if (ringbuffer_is_full(&ps->ring_ssl2clear)) {
2351  ERRPROXY(ps, "attempt to read ssl when ring full");
2352  ev_io_stop(loop, &ps->ev_r_ssl);
2353  return;
2354  }
2355 
2356  char *buf = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2357  t = SSL_read(ps->ssl, buf, ps->ring_ssl2clear.data_len);
2358 
2359  /* Fix CVE-2009-3555. Disable reneg if started by client. */
2360  if (ps->renegotiation) {
2362  return;
2363  }
2364 
2365  if (t > 0) {
2368  ev_io_stop(loop, &ps->ev_r_ssl);
2369  if (ps->clear_connected)
2370  safe_enable_io(ps, &ps->ev_w_clear);
2371  } else {
2372  int err = SSL_get_error(ps->ssl, t);
2373  if (err == SSL_ERROR_WANT_WRITE) {
2374  start_handshake(ps, err);
2375  } else if (err == SSL_ERROR_WANT_READ) {
2376  /* NOOP. Incomplete SSL data */
2377  } else {
2378  if (err == SSL_ERROR_SSL) {
2379  log_ssl_error(ps, "SSL_read error");
2380  }
2381  handle_fatal_ssl_error(ps, err,
2382  w->fd == ps->fd_up ? 0 : 1);
2383  }
2384  }
2385 }
2386 
2387 /* Write some previously-buffered backend data upstream on the
2388  * secure socket using OpenSSL */
2389 static void
2390 ssl_write(struct ev_loop *loop, ev_io *w, int revents)
2391 {
2392  (void)revents;
2393  int t;
2394  int sz;
2395  proxystate *ps;
2396 
2397  CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2398 
2400  char *next = ringbuffer_read_next(&ps->ring_clear2ssl, &sz);
2401  t = SSL_write(ps->ssl, next, sz);
2402  if (t > 0) {
2403  if (t == sz) {
2405  if (ps->clear_connected)
2406  // can be re-enabled b/c we've popped
2407  safe_enable_io(ps, &ps->ev_r_clear);
2408  if (ringbuffer_is_empty(&ps->ring_clear2ssl)) {
2409  if (ps->want_shutdown) {
2411  return;
2412  }
2413  ev_io_stop(loop, &ps->ev_w_ssl);
2414  }
2415  } else {
2417  }
2418  } else {
2419  int err = SSL_get_error(ps->ssl, t);
2420  if (err == SSL_ERROR_WANT_READ) {
2421  start_handshake(ps, err);
2422  } else if (err == SSL_ERROR_WANT_WRITE) {
2423  /* NOOP. Incomplete SSL data */
2424  } else {
2425  if (err == SSL_ERROR_SSL) {
2426  log_ssl_error(ps, "SSL_write error");
2427  } else {
2428  LOG("{%s} SSL_write error: %d\n",
2429  w->fd == ps->fd_up ? "client" : "backend",
2430  err);
2431  }
2432  handle_fatal_ssl_error(ps, err,
2433  w->fd == ps->fd_up ? 0 : 1);
2434  }
2435  }
2436 }
2437 
2438 
2439 /* libev read handler for the bound sockets. Socket is accepted,
2440  * the proxystate is allocated and initalized, and we're off the races
2441  * connecting to the backend */
2442 static void
2443 handle_accept(struct ev_loop *loop, ev_io *w, int revents)
2444 {
2445  (void)revents;
2446  (void)loop;
2447  struct sockaddr_storage addr;
2448  sslctx *so;
2449  struct frontend *fr;
2450  proxystate *ps;
2451  socklen_t sl = sizeof(addr);
2452 
2453 #if HAVE_ACCEPT4==1
2454  int client = accept4(w->fd, (struct sockaddr *) &addr, &sl,
2455  SOCK_NONBLOCK);
2456 #else
2457  int client = accept(w->fd, (struct sockaddr *) &addr, &sl);
2458 #endif
2459  if (client == -1) {
2460  switch (errno) {
2461  case EMFILE:
2462  ERR("{client} accept() failed; "
2463  "too many open files for this process\n");
2464  break;
2465 
2466  case ENFILE:
2467  ERR("{client} accept() failed; "
2468  "too many open files for this system\n");
2469  break;
2470 
2471  default:
2472  if (errno != EINTR && errno != EWOULDBLOCK &&
2473  errno != EAGAIN && errno != ENOTTY &&
2474  errno != ECONNABORTED) {
2475  SOCKERR("{client} accept() failed");
2476  }
2477  }
2478  return;
2479  }
2480 
2481  int flag = 1;
2482  int ret = setsockopt(client, IPPROTO_TCP, TCP_NODELAY,
2483  (char *)&flag, sizeof(flag) );
2484  if (ret == -1) {
2485  SOCKERR("Couldn't setsockopt on client (TCP_NODELAY)");
2486  }
2487 #ifdef TCP_CWND
2488  int cwnd = 10;
2489  ret = setsockopt(client, IPPROTO_TCP, TCP_CWND, &cwnd, sizeof(cwnd));
2490  if (ret == -1) {
2491  SOCKERR("Couldn't setsockopt on client (TCP_CWND)");
2492  }
2493 #endif
2494 
2495 #if HAVE_ACCEPT4==0
2496  if (setnonblocking(client) < 0) {
2497  SOCKERR("{client} setnonblocking failed");
2498  (void) close(client);
2499  return;
2500  }
2501 #endif
2502 
2503  settcpkeepalive(client);
2504 
2506  if (ps == NULL) {
2507  (void)close(client);
2508  ERR("{malloc-err}: %s\n", strerror(errno));
2509  return;
2510  }
2511 
2512  ps->backend = backend_ref();
2513  ps->fd_down = create_back_socket(ps->backend);
2514  if (ps->fd_down == -1) {
2515  (void) close(client);
2516  backend_deref(&ps->backend);
2517  free(ps);
2518  ERR("{backend-socket}: %s\n", strerror(errno));
2519  return;
2520  }
2521 
2522 
2523  CAST_OBJ_NOTNULL(fr, w->data, FRONTEND_MAGIC);
2524  if (fr->default_ctx != NULL)
2526  else
2528 
2529  SSL *ssl = SSL_new(so->ctx);
2530  if (ssl == NULL) {
2531  (void)close(ps->fd_down);
2532  (void)close(client);
2533  backend_deref(&ps->backend);
2534  free(ps);
2535  ERR("{SSL_new}: %s\n", strerror(errno));
2536  return;
2537  }
2538 
2539  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
2540 #ifdef SSL_MODE_RELEASE_BUFFERS
2541  mode |= SSL_MODE_RELEASE_BUFFERS;
2542 #endif
2543  SSL_set_mode(ssl, mode);
2544  SSL_set_accept_state(ssl);
2545  SSL_set_fd(ssl, client);
2546 
2547  ps->fd_up = client;
2548  ps->ssl = ssl;
2549  ps->want_shutdown = 0;
2550  ps->clear_connected = 0;
2551  ps->handshaked = 0;
2552  ps->renegotiation = 0;
2553  ps->remote_ip = addr;
2554  ps->connect_port = 0;
2555 
2560 
2561  /* set up events */
2562  ev_io_init(&ps->ev_r_ssl, ssl_read, client, EV_READ);
2563  ev_io_init(&ps->ev_w_ssl, ssl_write, client, EV_WRITE);
2564 
2565  ev_io_init(&ps->ev_r_handshake, client_handshake, client, EV_READ);
2566  ev_io_init(&ps->ev_w_handshake, client_handshake, client, EV_WRITE);
2567  ev_timer_init(&ps->ev_t_handshake, handshake_timeout,
2569 
2570  ev_io_init(&ps->ev_proxy, client_proxy_proxy, client, EV_READ);
2571  ev_io_init(&ps->ev_w_connect, handle_connect, ps->fd_down, EV_WRITE);
2572  ev_timer_init(&ps->ev_t_connect, connect_timeout,
2574 
2575  ev_io_init(&ps->ev_w_clear, clear_write, ps->fd_down, EV_WRITE);
2576  ev_io_init(&ps->ev_r_clear, clear_read, ps->fd_down, EV_READ);
2577 
2578  ps->ev_r_ssl.data = ps;
2579  ps->ev_w_ssl.data = ps;
2580  ps->ev_r_clear.data = ps;
2581  ps->ev_w_clear.data = ps;
2582  ps->ev_proxy.data = ps;
2583  ps->ev_w_connect.data = ps;
2584  ps->ev_t_connect.data = ps;
2585  ps->ev_r_handshake.data = ps;
2586  ps->ev_w_handshake.data = ps;
2587  ps->ev_t_handshake.data = ps;
2588 
2589  /* Link back proxystate to SSL state */
2590  SSL_set_app_data(ssl, ps);
2591 
2592  n_conns++;
2593 
2594  LOGPROXY(ps, "proxy connect\n");
2595  if (CONFIG->PROXY_PROXY_LINE) {
2596  ev_io_start(loop, &ps->ev_proxy);
2597  } else {
2598  /* for client-first handshake */
2599  start_handshake(ps, SSL_ERROR_WANT_READ);
2600  }
2601 }
2602 
2603 
2604 static void
2605 check_ppid(struct ev_loop *loop, ev_timer *w, int revents)
2606 {
2607  struct frontend *fr;
2608  struct listen_sock *ls;
2609  (void)revents;
2610  pid_t ppid = getppid();
2611  if (ppid != master_pid) {
2612  ERR("{core} Process %d detected parent death, "
2613  "closing listener sockets.\n", core_id);
2614  ev_timer_stop(loop, w);
2615  VTAILQ_FOREACH(fr, &frontends, list) {
2617  VTAILQ_FOREACH(ls, &fr->socks, list) {
2619  ev_io_stop(loop, &ls->listener);
2620  close(ls->sock);
2621  }
2622  }
2623  }
2624 }
2625 
2626 static const void *
2627 Get_Sockaddr(const struct sockaddr *sa, socklen_t *sl)
2628 {
2629  AN(sa);
2630  AN(sl);
2631 
2632  switch (sa->sa_family) {
2633  case PF_INET:
2634  *sl = sizeof(struct sockaddr_in);
2635  break;
2636  case PF_INET6:
2637  *sl = sizeof(struct sockaddr_in6);
2638  break;
2639  case PF_UNIX:
2640  *sl = sizeof(struct sockaddr_un);
2641  break;
2642  default:
2643  *sl = 0;
2644  return (NULL);
2645  }
2646  return (sa);
2647 }
2648 
2649 static void
2650 handle_mgt_rd(struct ev_loop *loop, ev_io *w, int revents)
2651 {
2652  ssize_t r;
2653  struct frontend *fr;
2654  struct listen_sock *ls;
2655  struct worker_update wu;
2656 
2657  (void) revents;
2658  r = read(w->fd, &wu, sizeof(wu));
2659  if (r == -1) {
2660  if (errno == EWOULDBLOCK || errno == EAGAIN)
2661  return;
2662  LOGL("Error in mgt->worker read operation. "
2663  "Restarting process.");
2664  /* If something went wrong here, the process will be
2665  * left in utter limbo as to whether it should keep
2666  * running or not. Kill the process and let the mgt
2667  * process start it back up. */
2668  _exit(1);
2669  } else if (r == 0) {
2670  /* Parent died .. */
2671  _exit(1);
2672  }
2673 
2674  if (wu.type == WORKER_GEN && wu.payload.gen != worker_gen) {
2675  /* This means this process has reached its retirement age. */
2677  return;
2679 
2680  /* Stop accepting new connections. */
2681  VTAILQ_FOREACH(fr, &frontends, list) {
2683  VTAILQ_FOREACH(ls, &fr->socks, list) {
2685  ev_io_stop(loop, &ls->listener);
2686  close(ls->sock);
2687  }
2688  }
2689 
2690  check_exit_state();
2691 
2692  LOGL("Worker %d (gen: %d): State %s\n", core_id, worker_gen,
2693  (worker_state == WORKER_EXITING) ? "EXITING" : "ACTIVE");
2694  } else if (wu.type == WORKER_GEN && wu.payload.gen == worker_gen) {
2695  return;
2696  } else if (wu.type == BACKEND_REFRESH) {
2697  struct backend *b;
2698  b = backend_create((struct sockaddr *)&wu.payload.addr);
2700  backaddr = b;
2702  } else
2703  WRONG("Invalid worker update state");
2704 }
2705 
2706 static void
2707 handle_clear_accept(struct ev_loop *loop, ev_io *w, int revents)
2708 {
2709  (void)revents;
2710  (void)loop;
2711  struct sockaddr_storage addr;
2712  struct frontend *fr;
2713  sslctx *so;
2714  proxystate *ps;
2715  socklen_t sl = sizeof(addr);
2716  int client = accept(w->fd, (struct sockaddr *) &addr, &sl);
2717  if (client == -1) {
2718  switch (errno) {
2719  case EMFILE:
2720  ERR("{client} accept() failed; "
2721  "too many open files for this process\n");
2722  break;
2723 
2724  case ENFILE:
2725  ERR("{client} accept() failed; "
2726  "too many open files for this system\n");
2727  break;
2728 
2729  default:
2730  if (errno != EINTR && errno != EWOULDBLOCK &&
2731  errno != EAGAIN && errno != ECONNABORTED) {
2732  SOCKERR("{client} accept() failed");
2733  }
2734  break;
2735  }
2736  return;
2737  }
2738 
2739  int flag = 1;
2740  int ret = setsockopt(client, IPPROTO_TCP, TCP_NODELAY,
2741  (char *)&flag, sizeof(flag) );
2742  if (ret == -1) {
2743  ERR("Couldn't setsockopt on client (TCP_NODELAY): %s\n",
2744  strerror(errno));
2745  }
2746 #ifdef TCP_CWND
2747  int cwnd = 10;
2748  ret = setsockopt(client, IPPROTO_TCP, TCP_CWND, &cwnd, sizeof(cwnd));
2749  if (ret == -1) {
2750  ERR("Couldn't setsockopt on client (TCP_CWND): %s\n",
2751  strerror(errno));
2752  }
2753 #endif
2754 
2755  if (setnonblocking(client)) {
2756  SOCKERR("{client} setnonblocking failed");
2757  (void) close(client);
2758  return;
2759  }
2760 
2761  settcpkeepalive(client);
2762 
2764  ps->backend = backend_ref();
2765  ps->fd_down = create_back_socket(ps->backend);
2766  if (ps->fd_down == -1) {
2767  backend_deref(&ps->backend);
2768  close(client);
2769  free(ps);
2770  ERR("{backend-socket}: %s\n", strerror(errno));
2771  return;
2772  }
2773 
2774  CAST_OBJ_NOTNULL(fr, w->data, FRONTEND_MAGIC);
2775  if (fr->default_ctx != NULL)
2777  else
2779  SSL *ssl = SSL_new(so->ctx);
2780  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
2781 #ifdef SSL_MODE_RELEASE_BUFFERS
2782  mode |= SSL_MODE_RELEASE_BUFFERS;
2783 #endif
2784  SSL_set_mode(ssl, mode);
2785  SSL_set_connect_state(ssl);
2786  SSL_set_fd(ssl, ps->fd_down);
2787  if (client_session)
2788  SSL_set_session(ssl, client_session);
2789 
2790  ps->fd_up = client;
2791  ps->ssl = ssl;
2792  ps->want_shutdown = 0;
2793  ps->clear_connected = 1;
2794  ps->handshaked = 0;
2795  ps->renegotiation = 0;
2796  ps->remote_ip = addr;
2801 
2802  /* set up events */
2803  ev_io_init(&ps->ev_r_clear, clear_read, client, EV_READ);
2804  ev_io_init(&ps->ev_w_clear, clear_write, client, EV_WRITE);
2805 
2806  ev_io_init(&ps->ev_w_connect, handle_connect, ps->fd_down, EV_WRITE);
2807  ev_timer_init(&ps->ev_t_connect, connect_timeout,
2809 
2810  ev_io_init(&ps->ev_r_handshake, client_handshake,
2811  ps->fd_down, EV_READ);
2812  ev_io_init(&ps->ev_w_handshake, client_handshake,
2813  ps->fd_down, EV_WRITE);
2814  ev_timer_init(&ps->ev_t_handshake, handshake_timeout,
2816 
2817  ev_io_init(&ps->ev_w_ssl, ssl_write, ps->fd_down, EV_WRITE);
2818  ev_io_init(&ps->ev_r_ssl, ssl_read, ps->fd_down, EV_READ);
2819 
2820  ps->ev_r_ssl.data = ps;
2821  ps->ev_w_ssl.data = ps;
2822  ps->ev_r_clear.data = ps;
2823  ps->ev_w_clear.data = ps;
2824  ps->ev_w_connect.data = ps;
2825  ps->ev_r_handshake.data = ps;
2826  ps->ev_w_handshake.data = ps;
2827  ps->ev_t_handshake.data = ps;
2828 
2829  /* Link back proxystate to SSL state */
2830  SSL_set_app_data(ssl, ps);
2831 
2832  n_conns++;
2833 
2834  ev_io_start(loop, &ps->ev_r_clear);
2835  start_connect(ps); /* start connect */
2836 }
2837 
2838 /* Set up the child (worker) process including libev event loop, read event
2839  * on the bound sockets, etc */
2840 static void
2842 {
2843  struct frontend *fr;
2844  sslctx *sc, *sctmp;
2845  struct listen_sock *ls;
2846  struct sigaction sa;
2847 
2849  LOGL("{core} Process %d online\n", core_id);
2850 
2851  /* child cannot create new children... */
2852  create_workers = 0;
2853 
2854  /* nor can they handle SIGHUP */
2855  sa.sa_flags = 0;
2856  sa.sa_handler = SIG_IGN;
2857  sigemptyset(&sa.sa_mask);
2858  AZ(sigaction(SIGHUP, &sa, NULL));
2859 
2860 #if defined(CPU_ZERO) && defined(CPU_SET)
2861  cpu_set_t cpus;
2862 
2863  CPU_ZERO(&cpus);
2864  CPU_SET(core_id, &cpus);
2865 
2866  int res = sched_setaffinity(0, sizeof(cpus), &cpus);
2867  if (!res)
2868  LOG("{core} Successfully attached to CPU #%d\n", core_id);
2869  else
2870  ERR("{core-warning} Unable to attach to CPU #%d; "
2871  "do you have that many cores?\n", core_id);
2872 #endif
2873 
2874  loop = ev_default_loop(EVFLAG_AUTO);
2875 
2876  ev_timer timer_ppid_check;
2877  ev_timer_init(&timer_ppid_check, check_ppid, 1.0, 1.0);
2878  ev_timer_start(loop, &timer_ppid_check);
2879 
2880  VTAILQ_FOREACH(fr, &frontends, list) {
2881  VTAILQ_FOREACH(ls, &fr->socks, list) {
2882  ev_io_init(&ls->listener,
2883  (CONFIG->PMODE == SSL_CLIENT) ?
2885  ls->sock, EV_READ);
2886  ls->listener.data = fr;
2887  ev_io_start(loop, &ls->listener);
2888  }
2889  }
2890 
2891  if (CONFIG->OCSP_DIR != NULL) {
2892  HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
2893  if (sc->ev_staple)
2894  ev_stat_start(loop, sc->ev_staple);
2895  }
2896 
2897  VTAILQ_FOREACH(fr, &frontends, list) {
2898  HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
2899  if (sc->ev_staple)
2900  ev_stat_start(loop, sc->ev_staple);
2901  }
2902  }
2903 
2904  if (default_ctx != NULL && default_ctx->ev_staple != NULL)
2905  ev_stat_start(loop, default_ctx->ev_staple);
2906  }
2907 
2908  AZ(setnonblocking(mgt_fd));
2909  ev_io_init(&mgt_rd, handle_mgt_rd, mgt_fd, EV_READ);
2910  ev_io_start(loop, &mgt_rd);
2911 
2912  ev_loop(loop, 0);
2913  ERR("Worker %d (gen: %d) exiting.\n", core_id, worker_gen);
2914  _exit(1);
2915 }
2916 
2917 
2918 /*
2919  OCSP requestor process.
2920 */
2921 static void
2923  struct frontend *fr;
2924  struct listen_sock *ls;
2925  sslctx *sc, *sctmp;
2926  ev_timer timer_ppid_check;
2927 
2928  /* we don't accept incoming connections for this process. */
2929  VTAILQ_FOREACH(fr, &frontends, list) {
2931  VTAILQ_FOREACH(ls, &fr->socks, list) {
2933  ev_io_stop(loop, &ls->listener);
2934  close(ls->sock);
2935  }
2936  }
2937 
2938  (void) umask(027);
2939  loop = ev_default_loop(EVFLAG_AUTO);
2940 
2941  /* Create ocspquery work items for any eligible ocsp queries */
2942 
2943  HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
2944  HOCSP_mktask(sc, NULL, -1.0);
2945  }
2946 
2947  VTAILQ_FOREACH(fr, &frontends, list) {
2948  HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
2949  HOCSP_mktask(sc, NULL, -1.0);
2950  }
2951  }
2952 
2953  if (default_ctx != NULL)
2954  HOCSP_mktask(default_ctx, NULL, -1.0);
2955 
2956  ev_timer_init(&timer_ppid_check, check_ppid, 1.0, 1.0);
2957  ev_timer_start(loop, &timer_ppid_check);
2958 
2959  ev_loop(loop, 0);
2960 
2961  _exit(0);
2962 }
2963 
2964 void
2966 {
2967  if (chroot(CONFIG->CHROOT) == -1)
2968  fail("chroot");
2969  if (chdir("/"))
2970  fail("chdir");
2971 }
2972 
2973 void
2975 {
2976 
2977  if (geteuid() == 0) {
2978  if (CONFIG->UID >= 0)
2979  AZ(setgroups(0, NULL));
2980  if (CONFIG->GID >= 0)
2981  AZ(setgid(CONFIG->GID));
2982  if (CONFIG->UID >= 0)
2983  AZ(setuid(CONFIG->UID));
2984  } else {
2985  LOG("{core} Not running as root, no priv-sep\n");
2986  }
2987 
2988  /* On Linux >= 2.4, you need to set the dumpable flag
2989  to get core dumps after you have done a setuid. */
2990 
2991 #ifdef __linux__
2992  if (prctl(PR_SET_DUMPABLE, 1) != 0)
2993  LOG("Could not set dumpable bit. Core dumps turned off\n");
2994 #endif
2995 }
2996 
2997 static int
2999 {
3000  if (geteuid() == 0 &&
3001  !(CONFIG->UID == 0 && CONFIG->GID == 0)) {
3002  ERR("{core} ERROR: "
3003  "Refusing to run workers as root, "
3004  "unless user and group is explicitly set"
3005  " to root.\n");
3006  return (0);
3007  }
3008  return (1);
3009 }
3010 
3011 static int
3013 {
3014  struct sockaddr_un sun;
3015  struct backend *b;
3016  int l;
3017 
3018  if (backaddr != NULL)
3019  /* Already configured - we don't refresh UDS addresses. */
3020  return (0);
3021 
3022  AN(CONFIG->BACK_PATH);
3023  memset(&sun, 0, sizeof sun);
3024  sun.sun_family = PF_UNIX;
3025  l = snprintf(sun.sun_path, sizeof(sun.sun_path), "%s",
3026  CONFIG->BACK_PATH);
3027  /* the length of BACK_PATH is verified to fit into
3028  * sun.sun_path in configuration.c */
3029  assert(l < (int)sizeof(sun.sun_path));
3030 
3031  b = backend_create((struct sockaddr *)&sun);
3032  backaddr = b;
3033 
3034  return (0);
3035 }
3036 
3037 static int
3039  struct addrinfo *result;
3040  struct addrinfo hints;
3041  struct backend *b;
3042 
3043  if (CONFIG->BACK_PATH)
3044  return (backaddr_init_uds());
3045 
3046  memset(&hints, 0, sizeof hints);
3047  hints.ai_family = AF_UNSPEC;
3048  hints.ai_socktype = SOCK_STREAM;
3049  hints.ai_flags = 0;
3050  const int gai_err = getaddrinfo(CONFIG->BACK_IP, CONFIG->BACK_PORT,
3051  &hints, &result);
3052  if (gai_err != 0) {
3053  ERR("{getaddrinfo-backend}: %s\n", gai_strerror(gai_err));
3054  exit(1);
3055  }
3056 
3057  b = backend_create(result->ai_addr);
3058  freeaddrinfo(result);
3059 
3060  if (backaddr == NULL) {
3061  backaddr = b;
3062  return (1);
3063  }
3064 
3065  if (VSA_Compare(backaddr->backaddr, b->backaddr) != 0) {
3066  free(backaddr);
3067  backaddr = b;
3068  return (1);
3069  }
3070 
3071  backend_deref(&b);
3072  AZ(b);
3073 
3074  return (0);
3075 }
3076 
3077 void
3079 {
3080  struct addrinfo hints;
3081 
3084 
3085  backaddr_init();
3086 
3087  (void)hints;
3088 
3089 #ifdef USE_SHARED_CACHE
3090  if (CONFIG->SHARED_CACHE) {
3091  /* cache update peers addresses */
3092  shcupd_peer_opt *spo = CONFIG->SHCUPD_PEERS;
3093  struct addrinfo **pai = shcupd_peers;
3094 
3095  while (spo->ip) {
3096  memset(&hints, 0, sizeof hints);
3097  hints.ai_family = AF_UNSPEC;
3098  hints.ai_socktype = SOCK_DGRAM;
3099  hints.ai_flags = 0;
3100  const int gai_err = getaddrinfo(spo->ip,
3101  spo->port ? spo->port : CONFIG->SHCUPD_PORT,
3102  &hints, pai);
3103  if (gai_err != 0) {
3104  ERR("{getaddrinfo}: %s\n",
3105  gai_strerror(gai_err));
3106  exit(1);
3107  }
3108  spo++;
3109  pai++;
3110  }
3111  }
3112 #endif
3113  if (CONFIG->SYSLOG)
3114  openlog("hitch", LOG_CONS | LOG_PID | LOG_NDELAY,
3116 }
3117 
3118 /* Forks COUNT children starting with START_INDEX. We keep a struct
3119  * child_proc per child so the parent can manage it later. */
3120 void
3121 start_workers(int start_index, int count)
3122 {
3123  struct worker_proc *c;
3124  int pfd[2];
3125 
3126  /* don't do anything if we're not allowed to create new workers */
3127  if (!create_workers)
3128  return;
3129 
3130  for (core_id = start_index;
3131  core_id < start_index + count; core_id++) {
3133  AZ(pipe(pfd));
3134  c->pfd = pfd[1];
3135  c->gen = worker_gen;
3136  c->pid = fork();
3137  c->core_id = core_id;
3138  if (c->pid == -1) {
3139  ERR("{core} fork() failed: %s; Goodbye cruel world!\n",
3140  strerror(errno));
3141  exit(1);
3142  } else if (c->pid == 0) { /* child */
3143  close(pfd[1]);
3144  FREE_OBJ(c);
3145  if (CONFIG->CHROOT && CONFIG->CHROOT[0])
3146  change_root();
3147  if (CONFIG->UID >= 0 || CONFIG->GID >= 0)
3148  drop_privileges();
3149  if (!verify_privileges())
3150  _exit(1);
3151  handle_connections(pfd[0]);
3152  exit(0);
3153  } else { /* parent. Track new child. */
3154  close(pfd[0]);
3156  }
3157  }
3158 }
3159 
3160 void
3162 {
3163  ocsp_proc_pid = fork();
3164 
3165  if (ocsp_proc_pid == -1) {
3166  ERR("{core}: fork() failed: %s: Exiting.\n", strerror(errno));
3167  exit(1);
3168  } else if (ocsp_proc_pid == 0) {
3169  if (CONFIG->UID >= 0 || CONFIG->GID >= 0)
3170  drop_privileges();
3171  if (!verify_privileges())
3172  _exit(1);
3173  handle_ocsp_task();
3174  }
3175 
3176  /* child proc should never return. */
3177  AN(ocsp_proc_pid);
3178 }
3179 
3180 
3181 /* Forks a new child to replace the old, dead, one with the given PID.*/
3182 void
3184 {
3185  struct worker_proc *c, *cp;
3186 
3187  /* find old child's slot and put a new child there */
3189  if (c->pid == pid) {
3191  /* Only replace if it matches current generation. */
3192  if (c->gen == worker_gen)
3193  start_workers(c->core_id, 1);
3194  FREE_OBJ(c);
3195  return;
3196  }
3197  }
3198 
3199  ERR("Cannot find index for child pid %d", pid);
3200 }
3201 
3202 /* Manage status changes in child processes */
3203 static void
3204 do_wait(void)
3205 {
3206  struct worker_proc *c, *ctmp;
3207  int status;
3208  int pid;
3209 
3210 #define WAIT_PID(p, action) do { \
3211  pid = waitpid(p, &status, WNOHANG); \
3212  if (pid == 0) { \
3213  /* child has not exited */ \
3214  break; \
3215  } \
3216  else if (pid == -1) { \
3217  if (errno == EINTR) \
3218  ERR("{core} Interrupted waitpid\n"); \
3219  else \
3220  fail("waitpid"); \
3221  } else { \
3222  if (WIFEXITED(status)) { \
3223  ERR("{core} Child %d exited with status %d.\n", \
3224  pid, WEXITSTATUS(status)); \
3225  action; \
3226  } else if (WIFSIGNALED(status)) { \
3227  ERR("{core} Child %d was terminated by " \
3228  "signal %d.\n", pid, WTERMSIG(status)); \
3229  action; \
3230  } \
3231  } \
3232  } while (0)
3233 
3234  VTAILQ_FOREACH_SAFE(c, &worker_procs, list, ctmp) {
3236  }
3237 
3238  /* also check if the ocsp worker killed itself */
3239  if (ocsp_proc_pid != 0)
3241  if (CONFIG->OCSP_DIR) {
3242  start_ocsp_proc();
3243  } else {
3244  ocsp_proc_pid = 0;
3245  });
3246 }
3247 
3248 static void
3249 sigchld_handler(int signum)
3250 {
3251  assert(signum == SIGCHLD);
3252  n_sigchld++;
3253 }
3254 
3255 
3256 static void
3257 sigh_terminate (int __attribute__ ((unused)) signo)
3258 {
3259  struct worker_proc *c;
3260  /* don't create any more children */
3261  create_workers = 0;
3262 
3263  /* are we the master? */
3264  if (getpid() == master_pid) {
3265  LOGL("{core} Received signal %d, shutting down.\n", signo);
3266 
3267  /* kill all children */
3269  /* LOG("Stopping worker pid %d.\n", c->pid); */
3270  if (c->pid > 1 &&
3271  kill(c->pid, SIGTERM) != 0) {
3272  ERR("{core} Unable to send SIGTERM to worker "
3273  "pid %d: %s\n", c->pid,
3274  strerror(errno));
3275  }
3276  }
3277 
3278  if (ocsp_proc_pid != 0)
3279  kill(ocsp_proc_pid, SIGTERM);
3280  }
3281 
3282  /* this is it, we're done... */
3283  exit(0);
3284 }
3285 
3286 static void
3287 sighup_handler(int signum)
3288 {
3289  assert(signum == SIGHUP);
3290  n_sighup++;
3291 }
3292 
3293 static void
3295 {
3296  struct sigaction act;
3297 
3298  sigemptyset(&act.sa_mask);
3299  act.sa_flags = 0;
3300  act.sa_handler = SIG_IGN;
3301 
3302  /* Avoid getting PIPE signal when writing to a closed file descriptor */
3303  if (sigaction(SIGPIPE, &act, NULL) < 0)
3304  fail("sigaction - sigpipe");
3305 
3306  /* We don't care if someone stops and starts a child process
3307  * with kill (1) */
3308  act.sa_flags = SA_NOCLDSTOP;
3309  act.sa_handler = sigchld_handler;
3310 
3311  /* We do care when child processes change status */
3312  if (sigaction(SIGCHLD, &act, NULL) < 0)
3313  fail("sigaction - sigchld");
3314 
3315  /* catch INT and TERM signals */
3316  act.sa_flags = 0;
3317  act.sa_handler = sigh_terminate;
3318  if (sigaction(SIGINT, &act, NULL) < 0) {
3319  ERR("Unable to register SIGINT signal handler: %s\n",
3320  strerror(errno));
3321  exit(1);
3322  }
3323  if (sigaction(SIGTERM, &act, NULL) < 0) {
3324  ERR("Unable to register SIGTERM signal handler: %s\n",
3325  strerror(errno));
3326  exit(1);
3327  }
3328 
3329  act.sa_handler = sighup_handler;
3330  if (sigaction(SIGHUP, &act, NULL) != 0) {
3331  ERR("Unable to register SIGHUP signal handler: %s\n",
3332  strerror(errno));
3333  exit(1);
3334  }
3335 
3336 }
3337 
3338 #define NULL_DEV "/dev/null"
3339 static void
3341 {
3342  /* logging.c */
3343  if (logfile == stdout || logfile == stderr) {
3344  logfile = NULL;
3345  }
3346 
3347  /* go to root directory */
3348  if (chdir("/") != 0) {
3349  ERR("Unable change directory to /: %s\n", strerror(errno));
3350  exit(1);
3351  }
3352 
3353  /* let's make some children, baby :) */
3354  pid_t pid = fork();
3355  if (pid < 0) {
3356  ERR("Unable to daemonize: fork failed: %s\n", strerror(errno));
3357  exit(1);
3358  }
3359 
3360  /* am i the parent? */
3361  if (pid != 0) {
3362  LOGL("{core} Daemonized as pid %d.\n", pid);
3363  exit(0);
3364  }
3365 
3366  /* reopen standard streams to null device */
3367  if (freopen(NULL_DEV, "r", stdin) == NULL) {
3368  ERR("Unable to reopen stdin to %s: %s\n",
3369  NULL_DEV, strerror(errno));
3370  exit(1);
3371  }
3372  if (freopen(NULL_DEV, "w", stdout) == NULL) {
3373  ERR("Unable to reopen stdout to %s: %s\n",
3374  NULL_DEV, strerror(errno));
3375  exit(1);
3376  }
3377  if (freopen(NULL_DEV, "w", stderr) == NULL) {
3378  ERR("Unable to reopen stderr to %s: %s\n",
3379  NULL_DEV, strerror(errno));
3380  exit(1);
3381  }
3382 
3383  /* this is child, the new master */
3384  pid_t s = setsid();
3385  if (s < 0) {
3386  ERR("Unable to create new session, setsid(2) failed: "
3387  "%s :: %d\n", strerror(errno), s);
3388  exit(1);
3389  }
3390 
3391  LOG("Successfully daemonized as pid %d.\n", getpid());
3392 }
3393 
3394 static void
3396 {
3397  /* detect OpenSSL version in runtime */
3398  long openssl_version = SSLeay();
3399 
3400  /* check if we're running the same openssl that we were */
3401  /* compiled with */
3402  if ((openssl_version ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
3403  ERR(
3404  "WARNING: {core} OpenSSL version mismatch; "
3405  "hitch was compiled with %lx, now using %lx.\n",
3406  (unsigned long int)OPENSSL_VERSION_NUMBER,
3407  (unsigned long int)openssl_version
3408  );
3409  /* now what? exit now? */
3410  /* exit(1); */
3411  }
3412 
3413  LOG("{core} Using OpenSSL version %lx.\n",
3414  (unsigned long int)openssl_version);
3415 }
3416 
3417 
3418 static void
3420 {
3421  if (pfh && master_pid == getpid()) {
3422  VPF_Remove(pfh);
3423  }
3424 }
3425 
3426 struct cfg_tpc_obj;
3427 
3431 
3432  /* ... */
3433 };
3434 
3435 /* Commit/rollback handling:
3436  - KEEP:
3437  - commit: reuse
3438  - rollback: do nothing
3439  - NEW:
3440  - commit: use as new
3441  - rollback: drop
3442 
3443  - DROP:
3444  - commit: drop
3445  - rollback: do nothing
3446  */
3451 };
3452 
3453 typedef void cfg_tpc_rollback_f(struct cfg_tpc_obj *o);
3454 typedef void cfg_tpc_commit_f(struct cfg_tpc_obj *o);
3455 
3456 struct cfg_tpc_obj {
3457  unsigned magic;
3458 #define CFG_TPC_OBJ_MAGIC 0xd6953e5f
3461  void *p[2];
3465 };
3466 
3468 
3469 static struct cfg_tpc_obj *
3471  void *priv0, void *priv1, cfg_tpc_rollback_f *rollback,
3473 {
3474  struct cfg_tpc_obj *o;
3475 
3477  AN(o);
3478  o->type = type;
3479  o->handling = handling;
3480  o->p[0] = priv0;
3481  o->p[1] = priv1;
3482  o->rollback = rollback;
3483  o->commit = commit;
3484 
3485  return (o);
3486 }
3487 
3488 static void
3490 {
3491  struct frontend *fr;
3492 
3493  if (o->handling == CFG_TPC_NEW) {
3494  CAST_OBJ_NOTNULL(fr, o->p[0], FRONTEND_MAGIC);
3495  destroy_frontend(fr);
3496  }
3497 
3498  /* KEEP/DROP: ignore */
3499 }
3500 
3501 static void
3503 {
3504  struct frontend *fr;
3505  sslctx *sc;
3506  CAST_OBJ_NOTNULL(fr, o->p[0], FRONTEND_MAGIC);
3507 
3508  switch (o->handling) {
3509  case CFG_TPC_NEW:
3511  /* FALL-THROUGH */
3512  case CFG_TPC_KEEP:
3513  if (o->p[1]) {
3514  CAST_OBJ_NOTNULL(sc, o->p[1], SSLCTX_MAGIC);
3515  /* fr->sctx = sc; */
3516  }
3517  break;
3518  case CFG_TPC_DROP:
3519  VTAILQ_REMOVE(&frontends, fr, list);
3520  destroy_frontend(fr);
3521  break;
3522  }
3523 }
3524 
3525 static void cert_rollback(struct cfg_tpc_obj *o);
3526 static void cert_commit(struct cfg_tpc_obj *o);
3527 
3528 // Is this incorrectly named?
3529 static int
3530 ocsp_cfg_changed(const struct cfg_cert_file *cf, const sslctx *sc)
3531 {
3532  if (sc->staple != NULL && cf->ocspfn == NULL)
3533  return (1); /* Dropped OCSP definition */
3534 
3535  if (sc->staple == NULL && cf->ocspfn != NULL)
3536  return (1); /* Added OCSP definition */
3537 
3538  if (sc->staple != NULL && cf->ocspfn != NULL) {
3539  if (strcmp(sc->staple_fn, cf->ocspfn) != 0
3540  || sc->staple->mtim < cf->ocsp_mtim)
3541  return (1); /* Updated */
3542  }
3543 
3544  return (0);
3545 }
3546 
3547 /* Query frontend-specific certificates. */
3548 static int
3549 cert_fr_query(struct frontend *fr, struct front_arg *fa,
3550  struct cfg_tpc_obj_head *cfg_objs)
3551 {
3552  struct cfg_cert_file *cf, *cftmp;
3553  sslctx *sc, *sctmp;
3554  struct cfg_tpc_obj *o;
3555 
3556  HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
3557  HASH_FIND_STR(fa->certs, sc->filename, cf);
3558  if (cf != NULL && cf->mtim <= sc->mtim
3559  && !ocsp_cfg_changed(cf, sc)) {
3560  cf->mark = 1;
3561  } else {
3563  sc, fr, cert_rollback, cert_commit);
3564  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3565  }
3566  }
3567 
3568  HASH_ITER(hh, fa->certs, cf, cftmp) {
3569  if (cf->mark)
3570  continue;
3571  sc = make_ctx_fr(cf, fr, fa);
3572  if (sc == NULL)
3573  return (-1);
3575  sc, fr, cert_rollback, cert_commit);
3576  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3577  }
3578 
3579  return (0);
3580 }
3581 
3582 /* Query reload of listen sockets.
3583  Returns -1 on failure.
3584  Failure: Caller calls .rollback() on the objects added in cfg_objs.
3585  Success: Caller calls .commit()
3586 */
3587 static int
3588 frontend_query(struct front_arg *new_set, struct cfg_tpc_obj_head *cfg_objs)
3589 {
3590  struct frontend *fr;
3591  struct front_arg *fa, *ftmp;
3592  struct cfg_tpc_obj *o;
3593 
3594  VTAILQ_FOREACH(fr, &frontends, list) {
3595  HASH_FIND_STR(new_set, fr->pspec, fa);
3596  if (fa != NULL) {
3597  fa->mark = 1;
3598  o = make_cfg_obj(CFG_FRONTEND, CFG_TPC_KEEP, fr, NULL,
3600  if(cert_fr_query(fr, fa, cfg_objs) < 0) {
3601  FREE_OBJ(o);
3602  return (-1);
3603  }
3604 
3605  } else
3606  o = make_cfg_obj(CFG_FRONTEND, CFG_TPC_DROP, fr, NULL,
3608  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3609  }
3610 
3611  HASH_ITER(hh, new_set, fa, ftmp) {
3612  if (!fa->mark) {
3613  fr = create_frontend(fa);
3614  if (fr == NULL)
3615  return (-1);
3617  fr, NULL, frontend_rollback, frontend_commit);
3618  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3619  }
3620  }
3621 
3622  return (0);
3623 }
3624 
3625 static void
3627 {
3628  sslctx *sc;
3629 
3630  if (o->handling != CFG_TPC_NEW)
3631  return;
3632 
3633  CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3634  sctx_free(sc, NULL);
3635 }
3636 
3637 static void
3639 {
3640  sslctx *sc;
3641  sni_name **sn_tab;
3642  sslctx **ctxs;
3643  struct frontend *fr;
3644 
3645  sn_tab = &sni_names;
3646  ctxs = &ssl_ctxs;
3647 
3648  CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3649  if (o->p[1] != NULL) {
3650  CAST_OBJ_NOTNULL(fr, o->p[1], FRONTEND_MAGIC);
3651  sn_tab = &fr->sni_names;
3652  ctxs = &fr->ssl_ctxs;
3653  }
3654 
3655  switch (o->handling) {
3656  case CFG_TPC_NEW:
3657  HASH_ADD_KEYPTR(hh, *ctxs, sc->filename,
3658  strlen(sc->filename), sc);
3659  insert_sni_names(sc, sn_tab);
3660  break;
3661  case CFG_TPC_KEEP:
3662  WRONG("unreachable");
3663  break;
3664  case CFG_TPC_DROP:
3665  HASH_DEL(*ctxs, sc);
3666  sctx_free(sc, sn_tab);
3667  break;
3668  }
3669 }
3670 
3671 static void
3673 {
3674  cert_rollback(o);
3675 }
3676 
3677 static void
3679 {
3680  sslctx *sc;
3681 
3682  CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3684 
3685  switch (o->handling) {
3686  case CFG_TPC_NEW:
3688  default_ctx = sc;
3690  break;
3691  case CFG_TPC_KEEP:
3692  /* FALL-THROUGH */
3693  case CFG_TPC_DROP:
3694  /* We always have a default cert. This should not
3695  * happen. */
3696  WRONG("unreachable");
3697  break;
3698  }
3699 }
3700 
3701 /* Query reload of certificate files */
3702 static int
3704 {
3705  struct cfg_cert_file *cf, *cftmp;
3706  sslctx *sc, *sctmp;
3707  struct cfg_tpc_obj *o;
3708 
3709  /* NB: The ordering here is significant. It is imperative that
3710  * all DROP objects are inserted before any NEW objects, in
3711  * order to not wreak havoc in cert_commit(). */
3712  HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
3713  HASH_FIND_STR(cfg->CERT_FILES, sc->filename, cf);
3714  if (cf != NULL && cf->mtim <= sc->mtim
3715  && !ocsp_cfg_changed(cf, sc)) {
3716  cf->mark = 1;
3717  } else {
3719  sc, NULL, cert_rollback, cert_commit);
3720  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3721  }
3722  }
3723 
3724  /* handle default cert. Default cert has its own
3725  * rollback/commit functions. */
3726  if (cfg->CERT_DEFAULT != NULL) {
3727  cf = cfg->CERT_DEFAULT;
3728  CHECK_OBJ_NOTNULL(default_ctx, SSLCTX_MAGIC);
3729  if (strcmp(default_ctx->filename, cf->filename) != 0
3730  || cf->mtim > default_ctx->mtim
3731  || ocsp_cfg_changed(cf, default_ctx)) {
3732  sc = make_ctx(cf);
3733  if (sc == NULL)
3734  return (-1);
3736  sc, NULL, dcert_rollback, dcert_commit);
3737  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3738  }
3739  }
3740 
3741  HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) {
3742  if (cf->mark)
3743  continue;
3744  sc = make_ctx(cf);
3745  if (sc == NULL)
3746  return (-1);
3748  sc, NULL, cert_rollback, cert_commit);
3749  VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3750  }
3751 
3752  return (0);
3753 }
3754 
3755 static void
3757 {
3758  struct worker_proc *c;
3759  int i;
3761  if ((wu->type == WORKER_GEN && wu->payload.gen != c->gen) ||
3762  (wu->type == BACKEND_REFRESH)) {
3763  errno = 0;
3764  do {
3765  i = write(c->pfd, (void*)wu, sizeof(*wu));
3766  if (i == -1 && errno != EINTR) {
3767  if (wu->type == WORKER_GEN)
3768  ERR("WARNING: {core} Unable to "
3769  "gracefully reload worker %d"
3770  " (%s).\n",
3771  c->pid, strerror(errno));
3772  else
3773  ERR("WARNING: {core} Unable to "
3774  "notify worker %d "
3775  "with changed backend address (%s).\n",
3776  c->pid, strerror(errno));
3777 
3778  (void)kill(c->pid, SIGTERM);
3779  break;
3780  }
3781  } while (i == -1 && errno == EINTR);
3782 
3783  if (wu->type == WORKER_GEN)
3784  (void)close(c->pfd);
3785 
3786  }
3787  }
3788 }
3789 
3790 static void
3791 reconfigure(int argc, char **argv)
3792 {
3793  hitch_config *cfg_new;
3794  struct cfg_tpc_obj_head cfg_objs;
3795  struct cfg_tpc_obj *cto, *cto_tmp;
3796  struct timeval tv;
3797  double t0, t1;
3798  struct worker_update wu;
3799  struct frontend *fr;
3800 
3801  LOGL("Received SIGHUP: Initiating configuration reload.\n");
3802  AZ(gettimeofday(&tv, NULL));
3803  t0 = tv.tv_sec + 1e-6 * tv.tv_usec;
3804 
3805  VTAILQ_INIT(&cfg_objs);
3806  cfg_new = config_new();
3807  AN(cfg_new);
3808  if (config_parse_cli(argc, argv, cfg_new) != 0) {
3809  ERR("Config reload failed: %s\n", config_error_get());
3810  config_destroy(cfg_new);
3811  return;
3812  }
3813 
3814  /* NB: the ordering of the foo_query() calls here is
3815  * significant. */
3816  if (frontend_query(cfg_new->LISTEN_ARGS, &cfg_objs) < 0
3817  || cert_query(cfg_new, &cfg_objs) < 0) {
3818  VTAILQ_FOREACH_SAFE(cto, &cfg_objs, list, cto_tmp) {
3819  VTAILQ_REMOVE(&cfg_objs, cto, list);
3820  AN(cto->rollback);
3821  cto->rollback(cto);
3822  FREE_OBJ(cto);
3823  }
3824  ERR("{core} Config reload failed.\n");
3825  return;
3826  } else {
3827  VTAILQ_FOREACH_SAFE(cto, &cfg_objs, list, cto_tmp) {
3828  VTAILQ_REMOVE(&cfg_objs, cto, list);
3829  AN(cto->commit);
3830  cto->commit(cto);
3831  FREE_OBJ(cto);
3832  }
3833  }
3834 
3835  /* Rewire default sslctx for each frontend after a reload */
3836  VTAILQ_FOREACH(fr, &frontends, list) {
3837  struct front_arg *fa;
3838  struct cfg_cert_file *cf;
3839  sslctx *sc;
3840 
3841  if (HASH_COUNT(fr->ssl_ctxs) == 0) {
3842  fr->default_ctx = NULL;
3843  continue;
3844  }
3845 
3846  HASH_FIND_STR(cfg_new->LISTEN_ARGS, fr->pspec, fa);
3847  AN(fa);
3848  cf = fa->certs;
3850  while (cf->hh.next != NULL)
3851  cf = cf->hh.next;
3852  HASH_FIND_STR(fr->ssl_ctxs, cf->filename, sc);
3854  fr->default_ctx = sc;
3855  }
3856 
3857  AZ(gettimeofday(&tv, NULL));
3858  t1 = tv.tv_sec + 1e-6 * tv.tv_usec;
3859 
3860  LOGL("{core} Config reloaded in %.2lf seconds. "
3861  "Starting new child processes.\n", t1 - t0);
3862 
3864  CONFIG = cfg_new;
3865 
3866  worker_gen++;
3868 
3869  wu.type = WORKER_GEN;
3870  wu.payload.gen = worker_gen;
3871  notify_workers(&wu);
3872 
3873  if (ocsp_proc_pid > 0) {
3874  (void) kill(ocsp_proc_pid, SIGTERM);
3875  /*
3876  * Restarting the OCSP process is taken
3877  * care of in do_wait
3878  */
3879  } else if (CONFIG->OCSP_DIR != NULL && ocsp_proc_pid <= 0) {
3880  start_ocsp_proc();
3881  }
3882 }
3883 
3884 void
3886 {
3887  /* static backend address */
3888  if (!CONFIG->BACKEND_REFRESH_TIME) {
3889  pause();
3890  return;
3891  }
3892 
3893  int rv = 0;
3894  while (1) {
3895  rv = usleep(CONFIG->BACKEND_REFRESH_TIME*1000000);
3896  if (rv == -1 && errno == EINTR)
3897  break;
3898  else if(backaddr_init()) {
3899  struct worker_update wu;
3900  wu.type = BACKEND_REFRESH;
3901  socklen_t len;
3902  const void *addr =
3904  AN(addr);
3905  memcpy(&(wu.payload.addr), addr, len);
3906  notify_workers(&wu);
3907  }
3908  }
3909 }
3910 
3911 /* Process command line args, create the bound socket,
3912  * spawn child (worker) processes, and respawn if any die */
3913 int
3914 main(int argc, char **argv)
3915 {
3916  // initialize configuration
3917  struct front_arg *fa, *ftmp;
3918 
3919  CONFIG = config_new();
3920 
3921  // parse command line
3922  if (config_parse_cli(argc, argv, CONFIG) != 0) {
3923  fprintf(stderr, "%s\n", config_error_get());
3924  return (1);
3925  }
3926 
3927  if (CONFIG->TEST) {
3928  fprintf(stderr, "Trying to initialize SSL contexts with your"
3929  " certificates\n");
3930  init_globals();
3931  init_openssl();
3932  init_certs();
3933  fprintf(stderr, "%s configuration looks ok.\n",
3934  basename(argv[0]));
3935  return (0);
3936  }
3937 
3938  if (CONFIG->LOG_FILENAME) {
3939  FILE* f;
3940  if ((f = fopen(CONFIG->LOG_FILENAME, "a")) == NULL) {
3941  /* logging.c */
3942  logfile = stderr;
3943  ERR("FATAL: Unable to open log file: %s: %s\n",
3944  CONFIG->LOG_FILENAME, strerror(errno));
3945  exit(2);
3946  }
3947  logfile = f;
3948  if (CONFIG->UID >=0 || CONFIG->GID >= 0) {
3949  AZ(fchown(fileno(logfile), CONFIG->UID, CONFIG->GID));
3950  }
3951  AZ(fstat(fileno(logfile), &logf_st));
3952  logf_check_t = time(NULL);
3953  } else {
3954  logfile = stderr;
3955  }
3956  AZ(setvbuf(logfile, NULL, _IONBF, BUFSIZ));
3957 
3958  if (CONFIG->DAEMONIZE && (logfile == stdout || logfile == stderr))
3959  logfile = NULL;
3960 
3961  LOGL("{core} %s starting\n", PACKAGE_STRING);
3962  create_workers = 1;
3963 
3965 
3966  init_signals();
3967  init_globals();
3968  init_openssl();
3969 
3970  HASH_ITER(hh, CONFIG->LISTEN_ARGS, fa, ftmp) {
3971  struct frontend *fr = create_frontend(fa);
3972  if (fr == NULL)
3973  exit(1);
3975  }
3976 
3977  /* load certificates, pass to handle_connections */
3978  LOGL("{core} Loading certificate pem files (%d)\n",
3979  HASH_COUNT(CONFIG->CERT_FILES) + 1); /* XXX: TODO */
3980  init_certs();
3981 
3982 #ifdef USE_SHARED_CACHE
3983  if (CONFIG->SHCUPD_PORT) {
3984  /* create socket to send(children) and
3985  receive(parent) cache updates */
3986  shcupd_socket = create_shcupd_socket();
3987  }
3988 #endif /* USE_SHARED_CACHE */
3989 
3990  if (CONFIG->CHROOT && CONFIG->CHROOT[0] && geteuid() != 0) {
3991  ERR("{core} ERROR: chroot requires hitch to be"
3992  " started as root.\n");
3993  exit(1);
3994  }
3995 
3996  if (geteuid() == 0 && CONFIG->UID < 0) {
3997  ERR("{core} ERROR: Refusing to run workers as root.\n");
3998  exit(1);
3999  }
4000 
4001  if (CONFIG->DAEMONIZE)
4002  daemonize();
4003 
4004  master_pid = getpid();
4005 
4006  if (CONFIG->PIDFILE) {
4007  pfh = VPF_Open(CONFIG->PIDFILE, 0644, NULL);
4008  if (pfh == NULL) {
4009  ERR("FATAL: Could not open pid (-p) file (%s): %s\n",
4010  CONFIG->PIDFILE, strerror(errno));
4011  exit(1);
4012  }
4013 
4014  AZ(VPF_Write(pfh));
4015  atexit(remove_pfh);
4016  }
4017 
4019 
4020  if (CONFIG->OCSP_DIR != NULL)
4021  start_ocsp_proc();
4022 
4023 #ifdef USE_SHARED_CACHE
4024  if (CONFIG->SHCUPD_PORT) {
4025  /* start event loop to receive cache updates */
4026  loop = ev_default_loop(EVFLAG_AUTO);
4027  ev_io_init(&shcupd_listener, handle_shcupd, shcupd_socket,
4028  EV_READ);
4029  ev_io_start(loop, &shcupd_listener);
4030  }
4031 #endif /* USE_SHARED_CACHE */
4032 
4033  LOGL("{core} %s initialization complete\n", PACKAGE_STRING);
4034  for (;;) {
4035 #ifdef USE_SHARED_CACHE
4036  if (CONFIG->SHCUPD_PORT) {
4037  while (n_sighup == 0 && n_sigchld == 0) {
4038  /* event loop to receive cache updates */
4039  ev_loop(loop, EVRUN_ONCE);
4040  }
4041  } else
4043 #else
4044 
4046  /* Sleep and let the children work.
4047  * Parent will be woken up if a signal arrives */
4048 #endif /* USE_SHARED_CACHE */
4049 
4050  while (n_sighup != 0) {
4051  n_sighup = 0;
4052  reconfigure(argc, argv);
4053  }
4054 
4055  while (n_sigchld != 0) {
4056  n_sigchld = 0;
4057  do_wait();
4058  }
4059  }
4060 
4061  exit(0); /* just a formality; we never get here */
4062 }
front_arg::match_global_certs
int match_global_certs
Definition: configuration.h:78
start_ocsp_proc
void start_ocsp_proc(void)
Definition: hitch.c:3161
VTAILQ_HEAD
#define VTAILQ_HEAD(name, type)
Definition: vqueue.h:423
UT_hash_handle::next
void * next
Definition: uthash.h:955
__hitch_config::ALPN_PROTOS
char * ALPN_PROTOS
Definition: configuration.h:97
SHUTDOWN_REQUESTOR
enum _SHUTDOWN_REQUESTOR SHUTDOWN_REQUESTOR
change_root
void change_root()
Definition: hitch.c:2965
proxystate::fd_down
int fd_down
Definition: hitch.h:142
config_parse_cli
int config_parse_cli(int argc, char **argv, hitch_config *cfg)
Definition: configuration.c:1383
listen_sock::sock
int sock
Definition: hitch.c:186
CFG_CERT
@ CFG_CERT
Definition: hitch.c:3430
vpf_fh
Definition: vpf.c:47
shctx.h
SOCKERR
#define SOCKERR(msg)
Definition: logging.h:83
handle_mgt_rd
static void handle_mgt_rd(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2650
VPF_Open
struct vpf_fh * VPF_Open(const char *path, mode_t mode, pid_t *pidptr)
Definition: vpf.c:98
proxystate::ev_w_ssl
ev_io ev_w_ssl
Definition: hitch.h:128
frontend::list
struct frontend::@4 list
worker_procs
static struct worker_proc_head worker_procs
Definition: hitch.c:179
client_session
static SSL_SESSION * client_session
Definition: hitch.c:147
cfg_tpc_obj::rollback
cfg_tpc_rollback_f * rollback
Definition: hitch.c:3462
pp2_hdr
Definition: proxyv2.h:32
ringbuffer_is_full
int ringbuffer_is_full(ringbuffer *rb)
Definition: ringbuffer.c:148
backend_deref
void backend_deref(struct backend **be)
Definition: hitch.c:1536
log_ssl_error
void log_ssl_error(proxystate *ps, const char *what,...)
Definition: logging.c:182
proxystate
Definition: hitch.h:118
TLSv1_0_PROTO
@ TLSv1_0_PROTO
Definition: configuration.h:42
__hitch_config::GID
int GID
Definition: configuration.h:102
cfg_tpc_obj::magic
unsigned magic
Definition: hitch.c:3457
worker_proc_head
Definition: hitch.c:178
find_ctx
static sslctx * find_ctx(const char *file)
Definition: hitch.c:1197
__hitch_config::LOG_FILENAME
char * LOG_FILENAME
Definition: configuration.h:133
PROXYSTATE_MAGIC
#define PROXYSTATE_MAGIC
Definition: hitch.h:120
__hitch_config::BACK_PATH
char * BACK_PATH
Definition: configuration.h:107
worker_proc::list
struct worker_proc::@2 list
SSLERR
#define SSLERR(ps, which, log)
Definition: hitch.c:2304
SHUTDOWN_CLEAR
@ SHUTDOWN_CLEAR
Definition: hitch.c:229
__hitch_config::PMODE
PROXY_MODE PMODE
Definition: configuration.h:89
sni_name_s::is_wildcard
int is_wildcard
Definition: hitch.h:102
insert_sni_names
static void insert_sni_names(sslctx *sc, sni_name **sn_tab)
Definition: hitch.c:1099
check_ppid
static void check_ppid(struct ev_loop *loop, ev_timer *w, int revents)
Definition: hitch.c:2605
loop
struct ev_loop * loop
Definition: hitch.c:130
destroy_frontend
static void destroy_frontend(struct frontend *fr)
Definition: hitch.c:1278
cfg_cert_file::filename
char * filename
Definition: configuration.h:61
proxystate::ssl
SSL * ssl
Definition: hitch.h:155
n_sighup
static volatile unsigned n_sighup
Definition: hitch.c:156
__hitch_config
Definition: configuration.h:88
safe_enable_io
static void safe_enable_io(proxystate *ps, ev_io *w)
Definition: hitch.c:1585
listen_sock_head
Definition: hitch.c:193
VSA_Compare
int VSA_Compare(const struct suckaddr *sua1, const struct suckaddr *sua2)
Definition: vsa.c:327
VTAILQ_REMOVE
#define VTAILQ_REMOVE(head, elm, field)
Definition: vqueue.h:545
SSLv3_PROTO
@ SSLv3_PROTO
Definition: configuration.h:41
clear_write
static void clear_write(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:1729
make_cfg_obj
static struct cfg_tpc_obj * make_cfg_obj(enum cfg_tpc_type type, enum cfg_tpc_handling handling, void *priv0, void *priv1, cfg_tpc_rollback_f *rollback, cfg_tpc_commit_f *commit)
Definition: hitch.c:3470
HOCSP_mktask
void HOCSP_mktask(sslctx *sc, ocspquery *oq, double refresh_hint)
Definition: ocsp.c:493
PP2_SUBTYPE_SSL_CIPHER
#define PP2_SUBTYPE_SSL_CIPHER
Definition: proxyv2.h:83
front_arg::ciphers
char * ciphers
Definition: configuration.h:81
__hitch_config::PROXY_AUTHORITY
unsigned PROXY_AUTHORITY
Definition: configuration.h:96
handle_connections
static void handle_connections(int mgt_fd)
Definition: hitch.c:2841
front_arg::prefer_server_ciphers
int prefer_server_ciphers
Definition: configuration.h:80
ringbuffer_init
void ringbuffer_init(ringbuffer *rb, int num_slots, int data_len)
Definition: ringbuffer.c:40
proxystate::fd_up
int fd_up
Definition: hitch.h:141
worker_proc
Definition: hitch.c:166
worker_state
static enum worker_state_e worker_state
Definition: hitch.c:164
proxystate::npn_alpn_tried
int npn_alpn_tried
Definition: hitch.h:153
CFG_TPC_KEEP
@ CFG_TPC_KEEP
Definition: hitch.c:3448
backend::ref
int ref
Definition: hitch.c:140
cfg_cert_file::mtim
double mtim
Definition: configuration.h:67
cfg_cert_file::ocsp_vfy
int ocsp_vfy
Definition: configuration.h:66
__hitch_config::CIPHER_SUITE
char * CIPHER_SUITE
Definition: configuration.h:111
WRONG
#define WRONG(expl)
Definition: vas.h:78
frontend::default_ctx
struct sslctx_s * default_ctx
Definition: hitch.c:202
FRONT_ARG_MAGIC
#define FRONT_ARG_MAGIC
Definition: configuration.h:73
HASH_ITER
#define HASH_ITER(hh, head, el, tmp)
Definition: uthash.h:886
backend::backaddr
struct suckaddr * backaddr
Definition: hitch.c:139
__hitch_config::WRITE_IP_OCTET
int WRITE_IP_OCTET
Definition: configuration.h:91
sigchld_handler
static void sigchld_handler(int signum)
Definition: hitch.c:3249
cfg_tpc_type
cfg_tpc_type
Definition: hitch.c:3428
HOCSP_ev_stat
void HOCSP_ev_stat(sslctx *sc)
Definition: ocsp.c:256
TLSv1_2_PROTO
@ TLSv1_2_PROTO
Definition: configuration.h:44
__hitch_config::TEST
int TEST
Definition: configuration.h:138
__hitch_config::CERT_DEFAULT
struct cfg_cert_file * CERT_DEFAULT
Definition: configuration.h:110
init_certs
static void init_certs(void)
Definition: hitch.c:1237
HASH_COUNT
#define HASH_COUNT(head)
Definition: uthash.h:892
hssl_locks.h
sni_name_s::servername
char * servername
Definition: hitch.h:99
proxystate::ev_r_clear
ev_io ev_r_clear
Definition: hitch.h:137
init_ecdh
static int init_ecdh(SSL_CTX *ctx)
Definition: hitch.c:333
SSL_CTX_get_default_passwd_cb_userdata
#define SSL_CTX_get_default_passwd_cb_userdata(ctx)
Definition: hitch.c:116
config_error_get
const char * config_error_get(void)
Definition: configuration.c:136
PP2_TYPE_AUTHORITY
#define PP2_TYPE_AUTHORITY
Definition: proxyv2.h:77
main
int main(int argc, char **argv)
Definition: hitch.c:3914
WORKER_EXITING
@ WORKER_EXITING
Definition: hitch.c:161
sslctx_s::staple_fn
char * staple_fn
Definition: hitch.h:76
cfg_tpc_obj_head
Definition: hitch.c:3467
worker_update_type
worker_update_type
Definition: hitch.c:250
SHUTDOWN_HARD
@ SHUTDOWN_HARD
Definition: hitch.c:228
HOCSP_fn
char * HOCSP_fn(const char *certfn)
Definition: ocsp.c:436
PP2_FAM_INET
#define PP2_FAM_INET
Definition: proxyv2.h:62
openssl_check_version
static void openssl_check_version()
Definition: hitch.c:3395
PP2_FAM_INET6
#define PP2_FAM_INET6
Definition: proxyv2.h:63
sslstaple_s::mtim
double mtim
Definition: hitch.h:90
cert_commit
static void cert_commit(struct cfg_tpc_obj *o)
Definition: hitch.c:3638
front_arg
Definition: configuration.h:71
__hitch_config::RING_DATA_LEN
int RING_DATA_LEN
Definition: configuration.h:135
__hitch_config::SYSLOG_FACILITY
int SYSLOG_FACILITY
Definition: configuration.h:124
write_ip_octet
static void write_ip_octet(proxystate *ps)
Definition: hitch.c:2056
HSSL_Locks_Init
void HSSL_Locks_Init(void)
Definition: hssl_locks.c:86
WORKER_GEN
@ WORKER_GEN
Definition: hitch.c:251
CHECK_OBJ_ORNULL
#define CHECK_OBJ_ORNULL(ptr, type_magic)
Definition: miniobj.h:42
proxystate::ring_ssl2clear
ringbuffer ring_ssl2clear
Definition: hitch.h:121
n_conns
static uint64_t n_conns
Definition: hitch.c:150
PP2_TRANS_STREAM
#define PP2_TRANS_STREAM
Definition: proxyv2.h:57
worker_proc::magic
unsigned magic
Definition: hitch.c:167
TLSv1_1_PROTO
@ TLSv1_1_PROTO
Definition: configuration.h:43
sni_name_s
Definition: hitch.h:96
__hitch_config::PIDFILE
char * PIDFILE
Definition: configuration.h:136
vsa.h
cfg_tpc_obj::handling
enum cfg_tpc_handling handling
Definition: hitch.c:3460
__hitch_config::ENGINE
char * ENGINE
Definition: configuration.h:112
front_arg::certs
struct cfg_cert_file * certs
Definition: configuration.h:76
pp2_hdr::addr
union pp2_addr addr
Definition: proxyv2.h:37
VSA_Malloc
struct suckaddr * VSA_Malloc(const void *s, unsigned sal)
Definition: vsa.c:215
cfg_tpc_rollback_f
void cfg_tpc_rollback_f(struct cfg_tpc_obj *o)
Definition: hitch.c:3453
make_ctx_fr
static sslctx * make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr, const struct front_arg *fa)
Definition: hitch.c:899
__hitch_config::LISTEN_ARGS
struct front_arg * LISTEN_ARGS
Definition: configuration.h:103
LOG
#define LOG(...)
Definition: logging.h:69
core_id
static int core_id
Definition: hitch.c:146
__hitch_config::BACKLOG
int BACKLOG
Definition: configuration.h:113
WAIT_PID
#define WAIT_PID(p, action)
tcp_proxy_line
static char tcp_proxy_line[128]
Definition: hitch.c:223
proxystate::ev_w_clear
ev_io ev_w_clear
Definition: hitch.h:138
VTAILQ_INSERT_TAIL
#define VTAILQ_INSERT_TAIL(head, elm, field)
Definition: vqueue.h:530
SNI_NAME_MAGIC
#define SNI_NAME_MAGIC
Definition: hitch.h:98
cfg_cert_file::ocspfn
char * ocspfn
Definition: configuration.h:63
init_signals
static void init_signals()
Definition: hitch.c:3294
vpf.h
pp2_hdr::len
uint16_t len
Definition: proxyv2.h:36
ringbuffer_read_skip
void ringbuffer_read_skip(ringbuffer *rb, int length)
Definition: ringbuffer.c:82
proxy_tlv_append
static int proxy_tlv_append(char *dst, ssize_t dstlen, unsigned type, const char *val, ssize_t len)
Definition: hitch.c:1888
listen_sock::magic
unsigned magic
Definition: hitch.c:184
verify_privileges
static int verify_privileges(void)
Definition: hitch.c:2998
__hitch_config::SNI_NOMATCH_ABORT
int SNI_NOMATCH_ABORT
Definition: configuration.h:137
sslctx_s::filename
char * filename
Definition: hitch.h:71
proxystate::ev_r_ssl
ev_io ev_r_ssl
Definition: hitch.h:127
destroy_lsock
static void destroy_lsock(struct listen_sock *ls)
Definition: hitch.c:1268
sslctx_s::sni_list
struct sni_name_head sni_list
Definition: hitch.h:79
AN
#define AN(foo)
Definition: vas.h:74
_SHUTDOWN_REQUESTOR
_SHUTDOWN_REQUESTOR
Definition: hitch.c:227
frontend::socks
struct listen_sock_head socks
Definition: hitch.c:204
ssl_err.h
clear_read
static void clear_read(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:1693
__hitch_config::OCSP_DIR
char * OCSP_DIR
Definition: configuration.h:142
proxystate::ev_proxy
ev_io ev_proxy
Definition: hitch.h:139
create_back_socket
static int create_back_socket(struct backend *b)
Definition: hitch.c:1554
proxystate::backend
struct backend * backend
Definition: hitch.h:144
front_arg::mark
int mark
Definition: configuration.h:83
proxystate::ev_r_handshake
ev_io ev_r_handshake
Definition: hitch.h:129
info_callback
static void info_callback(const SSL *ssl, int where, int ret)
Definition: hitch.c:353
worker_state_e
worker_state_e
Definition: hitch.c:159
hitch.h
cfg_tpc_commit_f
void cfg_tpc_commit_f(struct cfg_tpc_obj *o)
Definition: hitch.c:3454
pp2_addr::dst_port
uint16_t dst_port
Definition: proxyv2.h:18
backend
Definition: hitch.c:136
master_pid
static pid_t master_pid
Definition: hitch.c:144
frontend_head
Definition: hitch.c:208
frontend_query
static int frontend_query(struct front_arg *new_set, struct cfg_tpc_obj_head *cfg_objs)
Definition: hitch.c:3588
config_destroy
void config_destroy(hitch_config *cfg)
Definition: configuration.c:267
frontend::sni_names
struct sni_name_s * sni_names
Definition: hitch.c:200
shared_context_init
int shared_context_init(SSL_CTX *ctx, int size)
Definition: shctx.c:410
__hitch_config::UID
int UID
Definition: configuration.h:101
client_proxy_proxy
static void client_proxy_proxy(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2186
worker_gen
static unsigned worker_gen
Definition: hitch.c:154
VSA_Get_Sockaddr
const void * VSA_Get_Sockaddr(const struct suckaddr *sua, socklen_t *sl)
Definition: vsa.c:282
CHECK_OBJ
#define CHECK_OBJ(ptr, type_magic)
Definition: miniobj.h:31
sslctx_s::ctx
SSL_CTX * ctx
Definition: hitch.h:72
__hitch_config::PROXY_TLV
unsigned PROXY_TLV
Definition: configuration.h:95
worker_update_payload
Definition: hitch.c:255
cfg_cert_file::hh
UT_hash_handle hh
Definition: configuration.h:68
sslctx_s::staple
sslstaple * staple
Definition: hitch.h:74
HASH_ADD_KEYPTR
#define HASH_ADD_KEYPTR(hh, head, keyptr, keylen_in, add)
Definition: uthash.h:182
PP2_CMD_PROXY
#define PP2_CMD_PROXY
Definition: proxyv2.h:48
dcert_commit
static void dcert_commit(struct cfg_tpc_obj *o)
Definition: hitch.c:3678
__hitch_config::DAEMONIZE
int DAEMONIZE
Definition: configuration.h:127
ssl_write
static void ssl_write(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2390
PP2_TYPE_ALPN
#define PP2_TYPE_ALPN
Definition: proxyv2.h:76
ringbuffer_read_next
char * ringbuffer_read_next(ringbuffer *rb, int *length)
Definition: ringbuffer.c:73
PP2_CLIENT_SSL
#define PP2_CLIENT_SSL
Definition: proxyv2.h:103
shutdown_proxy
static void shutdown_proxy(proxystate *ps, SHUTDOWN_REQUESTOR req)
Definition: hitch.c:1605
__hitch_config::SYSLOG
int SYSLOG
Definition: configuration.h:123
__attribute__
vas_f *VAS_Fail __attribute__((__noreturn__))
backend_create
static struct backend * backend_create(struct sockaddr *sa)
Definition: hitch.c:1509
frontend::pspec
char * pspec
Definition: hitch.c:203
start_workers
void start_workers(int start_index, int count)
Definition: hitch.c:3121
worker_update::type
enum worker_update_type type
Definition: hitch.c:261
proxystate::renegotiation
int renegotiation
Definition: hitch.h:151
frontend::ssl_ctxs
struct sslctx_s * ssl_ctxs
Definition: hitch.c:201
LOGL
#define LOGL(...)
Definition: logging.h:81
shctx_sess_add
void shctx_sess_add(const unsigned char *encsess, unsigned len, long cdate)
Definition: shctx.c:316
SHUTDOWN_SSL
@ SHUTDOWN_SSL
Definition: hitch.c:230
proxystate::handshaked
int handshaked
Definition: hitch.h:148
proxystate::ev_t_handshake
ev_timer ev_t_handshake
Definition: hitch.h:133
pp2_addr::ipv4
struct pp2_addr::@7 ipv4
handle_accept
static void handle_accept(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2443
BACKEND_MAGIC
#define BACKEND_MAGIC
Definition: hitch.c:138
__hitch_config::WRITE_PROXY_LINE_V2
int WRITE_PROXY_LINE_V2
Definition: configuration.h:93
WORKER_ACTIVE
@ WORKER_ACTIVE
Definition: hitch.c:160
__hitch_config::BACK_PORT
char * BACK_PORT
Definition: configuration.h:106
ocsp_cfg_changed
static int ocsp_cfg_changed(const struct cfg_cert_file *cf, const sslctx *sc)
Definition: hitch.c:3530
worker_proc::pfd
int pfd
Definition: hitch.c:171
sslctx_s
Definition: hitch.h:68
proxystate::want_shutdown
int want_shutdown
Definition: hitch.h:146
LOGPROXY
#define LOGPROXY(...)
Definition: logging.h:93
handle_connect
static void handle_connect(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:1787
__hitch_config::SSL_HANDSHAKE_TIMEOUT
int SSL_HANDSHAKE_TIMEOUT
Definition: configuration.h:130
check_exit_state
static void check_exit_state(void)
Definition: hitch.c:1593
cfg_tpc_obj::type
enum cfg_tpc_type type
Definition: hitch.c:3459
mgt_rd
static ev_io mgt_rd
Definition: hitch.c:134
proxystate::ring_clear2ssl
ringbuffer ring_clear2ssl
Definition: hitch.h:124
ringbuffer_read_pop
void ringbuffer_read_pop(ringbuffer *rb)
Definition: ringbuffer.c:91
malloc
void * malloc(size_t)
replace_child_with_pid
void replace_child_with_pid(pid_t pid)
Definition: hitch.c:3183
pfh
static struct vpf_fh * pfh
Definition: hitch.c:221
CFG_TPC_NEW
@ CFG_TPC_NEW
Definition: hitch.c:3449
notify_workers
static void notify_workers(struct worker_update *wu)
Definition: hitch.c:3756
sslctx_s::x509
X509 * x509
Definition: hitch.h:77
pp2_addr::dst_addr
uint32_t dst_addr
Definition: proxyv2.h:16
logfile
FILE * logfile
Definition: logging.c:73
front_arg::pspec
char * pspec
Definition: configuration.h:77
assert
#define assert(e)
Definition: vas.h:55
PP2_TYPE_SSL
#define PP2_TYPE_SSL
Definition: proxyv2.h:80
HASH_FIND_STR
#define HASH_FIND_STR(head, findstr, out)
Definition: uthash.h:261
init_dh
static int init_dh(SSL_CTX *ctx, const char *cert)
Definition: hitch.c:303
sleep_and_refresh
void sleep_and_refresh(hitch_config *CONFIG)
Definition: hitch.c:3885
shsess_set_new_cbk
void shsess_set_new_cbk(shsess_new_f *func)
Definition: shctx.c:350
sslctx_s::ev_staple
ev_stat * ev_staple
Definition: hitch.h:78
worker_update_payload::gen
unsigned gen
Definition: hitch.c:256
free
void free(void *)
handshake_timeout
static void handshake_timeout(EV_P_ ev_timer *w, int revents)
Definition: hitch.c:2294
ringbuffer_write_ptr
char * ringbuffer_write_ptr(ringbuffer *rb)
Definition: ringbuffer.c:103
HOCSP_init_file
int HOCSP_init_file(const char *ocspfn, sslctx *sc, int is_cached)
Definition: ocsp.c:397
listen_sock
Definition: hitch.c:183
reconfigure
static void reconfigure(int argc, char **argv)
Definition: hitch.c:3791
connect_timeout
static void connect_timeout(EV_P_ ev_timer *w, int revents)
Definition: hitch.c:1844
suckaddr::sa
struct sockaddr sa
Definition: vsa.c:168
__hitch_config::SELECTED_TLS_PROTOS
int SELECTED_TLS_PROTOS
Definition: configuration.h:90
start_connect
static int start_connect(proxystate *ps)
Definition: hitch.c:1665
sni_name_s::sctx
sslctx * sctx
Definition: hitch.h:101
proxyv2.h
ssl_read
static void ssl_read(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2338
suckaddr
Definition: vsa.c:164
proxystate::clear_connected
int clear_connected
Definition: hitch.h:149
cert_fr_query
static int cert_fr_query(struct frontend *fr, struct front_arg *fa, struct cfg_tpc_obj_head *cfg_objs)
Definition: hitch.c:3549
SSL_CLIENT
@ SSL_CLIENT
Definition: configuration.h:55
pp2_addr::src_port
uint16_t src_port
Definition: proxyv2.h:17
sni_names
sni_name * sni_names
Definition: hitch.h:107
dcert_rollback
static void dcert_rollback(struct cfg_tpc_obj *o)
Definition: hitch.c:3672
pp2_hdr::sig
uint8_t sig[12]
Definition: proxyv2.h:33
proxystate::connect_port
int connect_port
Definition: hitch.h:159
proxystate::remote_ip
struct sockaddr_storage remote_ip
Definition: hitch.h:157
NULL_DEV
#define NULL_DEV
Definition: hitch.c:3338
VPF_Remove
int VPF_Remove(struct vpf_fh *pfh)
Definition: vpf.c:253
init_globals
void init_globals(void)
Definition: hitch.c:3078
ALLOC_OBJ
#define ALLOC_OBJ(to, type_magic)
Definition: miniobj.h:14
front_arg::port
char * port
Definition: configuration.h:75
pp2_addr::src_addr
uint32_t src_addr
Definition: proxyv2.h:15
pp2_hdr::ver_cmd
uint8_t ver_cmd
Definition: proxyv2.h:34
__hitch_config::PROXY_PROXY_LINE
int PROXY_PROXY_LINE
Definition: configuration.h:94
__hitch_config::NCORES
long NCORES
Definition: configuration.h:108
VTAILQ_FOREACH
#define VTAILQ_FOREACH(var, head, field)
Definition: vqueue.h:457
__hitch_config::BACKEND_CONNECT_TIMEOUT
int BACKEND_CONNECT_TIMEOUT
Definition: configuration.h:129
cfg_tpc_obj::list
struct cfg_tpc_obj::@5 list
CFG_FRONTEND
@ CFG_FRONTEND
Definition: hitch.c:3429
handle_clear_accept
static void handle_clear_accept(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2707
proxystate::ev_t_connect
ev_timer ev_t_connect
Definition: hitch.h:135
__hitch_config::WRITE_PROXY_LINE_V1
int WRITE_PROXY_LINE_V1
Definition: configuration.h:92
SHSESS_MAX_ENCODED_LEN
#define SHSESS_MAX_ENCODED_LEN
Definition: shctx.h:24
CHECK_OBJ_NOTNULL
#define CHECK_OBJ_NOTNULL(ptr, type_magic)
Definition: miniobj.h:36
X509_NAME_ENTRY_get_data
#define X509_NAME_ENTRY_get_data(entry)
Definition: hitch.c:121
sslctx_s::mtim
double mtim
Definition: hitch.h:73
__hitch_config::SEND_BUFSIZE
int SEND_BUFSIZE
Definition: configuration.h:132
write_proxy_v2
static void write_proxy_v2(proxystate *ps, const struct sockaddr *local)
Definition: hitch.c:1903
sctx_free
static void sctx_free(sslctx *sc, sni_name **sn_tab)
Definition: hitch.c:848
cfg_cert_file::priv_key_filename
char * priv_key_filename
Definition: configuration.h:62
create_workers
int create_workers
Definition: hitch.c:220
front_arg::ip
char * ip
Definition: configuration.h:74
CFG_TPC_DROP
@ CFG_TPC_DROP
Definition: hitch.c:3450
cfg_tpc_obj::commit
cfg_tpc_commit_f * commit
Definition: hitch.c:3463
logf_st
struct stat logf_st
Definition: logging.c:74
cfg_cert_file::mark
int mark
Definition: configuration.h:65
start_handshake
static void start_handshake(proxystate *ps, int err)
Definition: hitch.c:1857
worker_update
Definition: hitch.c:260
MSG_NOSIGNAL
#define MSG_NOSIGNAL
Definition: hitch.c:87
pp2_addr::ipv6
struct pp2_addr::@8 ipv6
proxystate::ev_w_handshake
ev_io ev_w_handshake
Definition: hitch.h:131
listen_sock::name
char * name
Definition: hitch.c:187
BACKEND_REFRESH
@ BACKEND_REFRESH
Definition: hitch.c:252
ringbuffer::data_len
int data_len
Definition: ringbuffer.h:52
listen_sock::listener
ev_io listener
Definition: hitch.c:188
client_handshake
static void client_handshake(struct ev_loop *loop, ev_io *w, int revents)
Definition: hitch.c:2236
ringbuffer_is_empty
int ringbuffer_is_empty(ringbuffer *rb)
Definition: ringbuffer.c:141
cfg_cert_file::ocsp_mtim
double ocsp_mtim
Definition: configuration.h:64
config_new
hitch_config * config_new(void)
Definition: configuration.c:175
frontend::magic
unsigned magic
Definition: hitch.c:196
AI_ADDRCONFIG
#define AI_ADDRCONFIG
Definition: hitch.c:90
Get_Sockaddr
static const void * Get_Sockaddr(const struct sockaddr *sa, socklen_t *sl)
Definition: hitch.c:2627
logf_check_t
time_t logf_check_t
Definition: logging.c:75
backaddr
static struct backend * backaddr
Definition: hitch.c:143
__hitch_config::ALPN_PROTOS_LV_LEN
unsigned ALPN_PROTOS_LV_LEN
Definition: configuration.h:99
logging.h
handle_socket_errno
static void handle_socket_errno(proxystate *ps, int backend)
Definition: hitch.c:1650
frontend
Definition: hitch.c:195
WORKER_PROC_MAGIC
#define WORKER_PROC_MAGIC
Definition: hitch.c:168
frontend_listen
static int frontend_listen(const struct front_arg *fa, struct listen_sock_head *slist)
Definition: hitch.c:1303
listen_sock::list
struct listen_sock::@3 list
configuration.h
end_handshake
static void end_handshake(proxystate *ps)
Definition: hitch.c:2121
frontend_rollback
static void frontend_rollback(struct cfg_tpc_obj *o)
Definition: hitch.c:3489
sighup_handler
static void sighup_handler(int signum)
Definition: hitch.c:3287
PP2_VERSION
#define PP2_VERSION
Definition: proxyv2.h:51
load_privatekey
EVP_PKEY * load_privatekey(SSL_CTX *ctx, const char *file)
Definition: hitch.c:699
listen_sock::addr
struct sockaddr_storage addr
Definition: hitch.c:189
worker_update_payload::addr
struct sockaddr_storage addr
Definition: hitch.c:257
front_arg::sni_nomatch_abort
int sni_nomatch_abort
Definition: configuration.h:79
__hitch_config::ALPN_PROTOS_LV
unsigned char * ALPN_PROTOS_LV
Definition: configuration.h:98
SSL_CTX_get_default_passwd_cb
#define SSL_CTX_get_default_passwd_cb(ctx)
Definition: hitch.c:112
__hitch_config::TCP_KEEPALIVE_TIME
int TCP_KEEPALIVE_TIME
Definition: configuration.h:125
frontends
static struct frontend_head frontends
Definition: hitch.c:210
frontend::sni_nomatch_abort
int sni_nomatch_abort
Definition: hitch.c:199
daemonize
static void daemonize()
Definition: hitch.c:3340
uthash.h
VSA_Sane
int VSA_Sane(const struct suckaddr *sua)
Definition: vsa.c:312
__hitch_config::RECV_BUFSIZE
int RECV_BUFSIZE
Definition: configuration.h:131
VTAILQ_FOREACH_SAFE
#define VTAILQ_FOREACH_SAFE(var, head, field, tvar)
Definition: vqueue.h:467
AZ
#define AZ(foo)
Definition: vas.h:73
remove_pfh
static void remove_pfh(void)
Definition: hitch.c:3419
sockaddr_port
static unsigned sockaddr_port(const struct sockaddr *sa)
Definition: hitch.c:1767
pp2_hdr::fam
uint8_t fam
Definition: proxyv2.h:35
backaddr_init_uds
static int backaddr_init_uds(void)
Definition: hitch.c:3012
__hitch_config::BACKEND_REFRESH_TIME
int BACKEND_REFRESH_TIME
Definition: configuration.h:126
CFG_TPC_OBJ_MAGIC
#define CFG_TPC_OBJ_MAGIC
Definition: hitch.c:3458
SHUTDOWN_STR
static const char * SHUTDOWN_STR[]
Definition: hitch.c:233
HOCSP_free
void HOCSP_free(sslstaple **staple)
Definition: ocsp.c:47
handle_fatal_ssl_error
static void handle_fatal_ssl_error(proxystate *ps, int err, int backend)
Definition: hitch.c:2324
ERR
#define ERR(...)
Definition: logging.h:75
SSLCTX_MAGIC
#define SSLCTX_MAGIC
Definition: hitch.h:70
get_alpn
static void get_alpn(proxystate *ps, const unsigned char **selected, unsigned *len)
Definition: hitch.c:1875
worker_proc::core_id
int core_id
Definition: hitch.c:174
__hitch_config::CHROOT
char * CHROOT
Definition: configuration.h:100
create_frontend
static struct frontend * create_frontend(const struct front_arg *fa)
Definition: hitch.c:1463
sigh_terminate
static void sigh_terminate(int __attribute__((unused)) signo)
Definition: hitch.c:3257
__hitch_config::PREFER_SERVER_CIPHERS
int PREFER_SERVER_CIPHERS
Definition: configuration.h:128
sni_name_s::sni_key
char * sni_key
Definition: hitch.h:100
backend_ref
static struct backend * backend_ref(void)
Definition: hitch.c:1526
__hitch_config::RING_SLOTS
int RING_SLOTS
Definition: configuration.h:134
sslctx_s::staple_vfy
int staple_vfy
Definition: hitch.h:75
cfg_cert_file
Definition: configuration.h:58
PP2_SUBTYPE_SSL_VERSION
#define PP2_SUBTYPE_SSL_VERSION
Definition: proxyv2.h:81
backaddr_init
static int backaddr_init(void)
Definition: hitch.c:3038
fail
void fail(const char *s)
Definition: logging.c:174
cert_query
static int cert_query(hitch_config *cfg, struct cfg_tpc_obj_head *cfg_objs)
Definition: hitch.c:3703
FREE_OBJ
#define FREE_OBJ(to)
Definition: miniobj.h:21
setnonblocking
static int setnonblocking(int fd)
Definition: hitch.c:267
worker_update::payload
union worker_update_payload payload
Definition: hitch.c:262
__hitch_config::CERT_FILES
struct cfg_cert_file * CERT_FILES
Definition: configuration.h:109
VPF_Write
int VPF_Write(struct vpf_fh *pfh)
Definition: vpf.c:163
LISTEN_SOCK_MAGIC
#define LISTEN_SOCK_MAGIC
Definition: hitch.c:185
HASH_DEL
#define HASH_DEL(head, delptr)
Definition: uthash.h:279
CFG_CERT_FILE_MAGIC
#define CFG_CERT_FILE_MAGIC
Definition: configuration.h:60
drop_privileges
void drop_privileges(void)
Definition: hitch.c:2974
ocsp_proc_pid
static pid_t ocsp_proc_pid
Definition: hitch.c:145
cfg_tpc_handling
cfg_tpc_handling
Definition: hitch.c:3447
worker_proc::pid
pid_t pid
Definition: hitch.c:172
frontend_commit
static void frontend_commit(struct cfg_tpc_obj *o)
Definition: hitch.c:3502
__hitch_config::BACK_IP
char * BACK_IP
Definition: configuration.h:105
frontend::match_global_certs
int match_global_certs
Definition: hitch.c:198
cert_rollback
static void cert_rollback(struct cfg_tpc_obj *o)
Definition: hitch.c:3626
ERRPROXY
#define ERRPROXY(...)
Definition: logging.h:100
ringbuffer_cleanup
void ringbuffer_cleanup(ringbuffer *rb)
Definition: ringbuffer.c:60
handle_ocsp_task
static void handle_ocsp_task(void)
Definition: hitch.c:2922
SOL_TCP
#define SOL_TCP
Definition: hitch.c:101
CAST_OBJ_NOTNULL
#define CAST_OBJ_NOTNULL(to, from, type_magic)
Definition: miniobj.h:55
cfg_tpc_obj::p
void * p[2]
Definition: hitch.c:3461
proxystate::ev_w_connect
ev_io ev_w_connect
Definition: hitch.h:134
TLSv1_3_PROTO
@ TLSv1_3_PROTO
Definition: configuration.h:45
do_wait
static void do_wait(void)
Definition: hitch.c:3204
VTAILQ_INIT
#define VTAILQ_INIT(head)
Definition: vqueue.h:497
CONFIG
hitch_config * CONFIG
Definition: hitch.c:131
make_ctx
static sslctx * make_ctx(const struct cfg_cert_file *cf)
Definition: hitch.c:1122
worker_proc::gen
unsigned gen
Definition: hitch.c:173
init_openssl
void init_openssl(void)
Definition: hitch.c:1208
Find_issuer
X509 * Find_issuer(X509 *subj, STACK_OF(X509) *chain)
Definition: hitch.c:877
ocsp.h
front_arg::hh
UT_hash_handle hh
Definition: configuration.h:84
ringbuffer_write_append
void ringbuffer_write_append(ringbuffer *rb, int length)
Definition: ringbuffer.c:112
write_proxy_v1
static void write_proxy_v1(proxystate *ps, const struct sockaddr *local, socklen_t slen)
Definition: hitch.c:2023
backend::magic
unsigned magic
Definition: hitch.c:137
cfg_tpc_obj
Definition: hitch.c:3456
VTAILQ_ENTRY
#define VTAILQ_ENTRY(type)
Definition: vqueue.h:433
n_sigchld
static volatile unsigned n_sigchld
Definition: hitch.c:157
PP2_SIG
const uint8_t PP2_SIG[12]
Definition: proxyv2.h:40
front_arg::selected_protos
int selected_protos
Definition: configuration.h:82
settcpkeepalive
static void settcpkeepalive(int fd)
Definition: hitch.c:282
FRONTEND_MAGIC
#define FRONTEND_MAGIC
Definition: hitch.c:197