"Fossies" - the Fresh Open Source Software Archive 
Member "hitch-1.7.2/src/hitch.c" (29 Nov 2021, 104116 Bytes) of package /linux/www/hitch-1.7.2.tar.gz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
For more information about "hitch.c" see the
Fossies "Dox" file reference documentation and the latest
Fossies "Diffs" side-by-side code changes report:
1.7.0_vs_1.7.2.
1 /**
2 * Copyright 2015-2016 Varnish Software
3 * Copyright 2011 Bump Technologies, Inc. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above
10 * copyright notice, this list of conditions and the following
11 * disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials
16 * provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY BUMP TECHNOLOGIES, INC. ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
21 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BUMP
22 * TECHNOLOGIES, INC. OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
28 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
29 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 *
31 * The views and conclusions contained in the software and
32 * documentation are those of the authors and should not be
33 * interpreted as representing official policies, either expressed or
34 * implied, of Bump Technologies, Inc.
35 *
36 */
37
38 #include "config.h"
39
40 #include <openssl/x509.h>
41 #include <openssl/x509_vfy.h>
42 #include <openssl/engine.h>
43 #include <sys/socket.h>
44 #include <sys/time.h>
45 #include <sys/types.h>
46 #include <sys/un.h>
47 #include <sys/wait.h> /* WAIT_PID */
48
49 #ifdef __linux__
50 # include <sys/prctl.h>
51 #endif
52
53 #ifdef __sun
54 # include <sys/filio.h>
55 #endif
56
57 #include <net/if.h>
58 #include <netinet/in.h>
59 #include <netinet/tcp.h> /* TCP_NODELAY */
60
61 #include <ctype.h>
62 #include <errno.h>
63 #include <getopt.h>
64 #include <grp.h>
65 #include <libgen.h>
66 #include <limits.h>
67 #include <netdb.h>
68 #include <pwd.h>
69 #include <sched.h>
70 #include <signal.h>
71 #include <stdarg.h>
72 #include <stdlib.h>
73 #include <string.h>
74 #include <strings.h>
75 #include <time.h>
76 #include <unistd.h>
77
78 #include "configuration.h"
79 #include "hitch.h"
80 #include "hssl_locks.h"
81 #include "logging.h"
82 #include "proxyv2.h"
83 #include "ocsp.h"
84 #include "shctx.h"
85 #include "foreign/vpf.h"
86 #include "foreign/uthash.h"
87 #include "foreign/vsa.h"
88
89 #ifndef MSG_NOSIGNAL
90 # define MSG_NOSIGNAL 0
91 #endif
92 #ifndef AI_ADDRCONFIG
93 # define AI_ADDRCONFIG 0
94 #endif
95
96 /* For Mac OS X */
97 #ifndef TCP_KEEPIDLE
98 # ifdef TCP_KEEPALIVE
99 # define TCP_KEEPIDLE TCP_KEEPALIVE
100 # endif
101 #endif
102
103 #ifndef SOL_TCP
104 # define SOL_TCP IPPROTO_TCP
105 #endif
106
107 /* Do we have SNI support? */
108 #ifndef OPENSSL_NO_TLSEXT
109 # ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
110 # define OPENSSL_NO_TLSEXT
111 # endif
112 #endif
113
114 #ifndef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB
115 # define SSL_CTX_get_default_passwd_cb(ctx) ((ctx)->default_passwd_callback)
116 #endif
117
118 #ifndef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA
119 # define SSL_CTX_get_default_passwd_cb_userdata(ctx) \
120 ((ctx)->default_passwd_callback_userdata)
121 #endif
122
123 #ifndef HAVE_X509_NAME_ENTRY_GET_DATA
124 # define X509_NAME_ENTRY_get_data(entry) ((entry)->value)
125 #endif
126
127 /* logging.c */
128 extern FILE *logfile;
129 extern struct stat logf_st;
130 extern time_t logf_check_t;
131
132 /* Globals */
133 struct ev_loop *loop;
134 hitch_config *CONFIG;
135
136 /* Worker proc's read side of mgt->worker pipe(2) */
137 static ev_io mgt_rd;
138
139 struct backend {
140 unsigned magic;
141 #define BACKEND_MAGIC 0x41c09397
142 struct suckaddr *backaddr;
143 int ref;
144 };
145
146 static struct backend *backaddr;
147 static pid_t master_pid;
148 static pid_t ocsp_proc_pid;
149 static int core_id;
150 static SSL_SESSION *client_session;
151
152 /* The current number of active client connections. */
153 static uint64_t n_conns;
154
155 /* Current generation of worker processes. Bumped after a sighup prior
156 * to launching new children. */
157 static unsigned worker_gen;
158
159 static volatile unsigned n_sighup;
160 static volatile unsigned n_sigchld;
161
162 enum worker_state_e {
163 WORKER_ACTIVE,
164 WORKER_EXITING
165 };
166
167 static enum worker_state_e worker_state;
168
169 struct worker_proc {
170 unsigned magic;
171 #define WORKER_PROC_MAGIC 0xbc7fe9e6
172
173 /* Writer end of pipe(2) for mgt -> worker ipc */
174 int pfd;
175 pid_t pid;
176 unsigned gen;
177 int core_id;
178 VTAILQ_ENTRY(worker_proc) list;
179 };
180
181 VTAILQ_HEAD(worker_proc_head, worker_proc);
182 static struct worker_proc_head worker_procs;
183 struct sslctx_s;
184 struct sni_name_s;
185
186 struct listen_sock {
187 unsigned magic;
188 #define LISTEN_SOCK_MAGIC 0xda96b2f6
189 int sock;
190 char *name;
191 ev_io listener;
192 struct sockaddr_storage addr;
193 VTAILQ_ENTRY(listen_sock) list;
194 };
195
196 VTAILQ_HEAD(listen_sock_head, listen_sock);
197
198 struct frontend {
199 unsigned magic;
200 #define FRONTEND_MAGIC 0x5b04e577
201 int match_global_certs;
202 int sni_nomatch_abort;
203 struct sni_name_s *sni_names;
204 struct sslctx_s *ssl_ctxs;
205 struct sslctx_s *default_ctx;
206 const struct front_arg *arg;
207 struct addrinfo *addrs;
208 struct listen_sock_head socks;
209 VTAILQ_ENTRY(frontend) list;
210 };
211
212 VTAILQ_HEAD(frontend_head, frontend);
213
214 static struct frontend_head frontends;
215
216 #ifdef USE_SHARED_CACHE
217 static ev_io shcupd_listener;
218 static int shcupd_socket;
219 struct addrinfo *shcupd_peers[MAX_SHCUPD_PEERS+1];
220 static unsigned char shared_secret[SHA_DIGEST_LENGTH];
221 #endif /*USE_SHARED_CACHE*/
222
223
224 int create_workers;
225 static struct vpf_fh *pfh = NULL;
226
227 /* What agent/state requests the shutdown--for proper half-closed
228 * handling */
229 typedef enum _SHUTDOWN_REQUESTOR {
230 SHUTDOWN_HARD,
231 SHUTDOWN_CLEAR,
232 SHUTDOWN_SSL
233 } SHUTDOWN_REQUESTOR;
234
235 static const char *SHUTDOWN_STR[] = {
236 [SHUTDOWN_HARD] = "SHUTDOWN_HARD",
237 [SHUTDOWN_CLEAR] = "SHUTDOWN_CLEAR",
238 [SHUTDOWN_SSL] = "SHUTDOWN_SSL",
239 };
240
241 #ifndef OPENSSL_NO_TLSEXT
242
243 sni_name *sni_names;
244 static sslctx *ssl_ctxs;
245 static sslctx *default_ctx;
246
247 static void insert_sni_names(sslctx *sc, sni_name **sn_tab);
248 static int load_cert_ctx(sslctx *so);
249 #endif /* OPENSSL_NO_TLSEXT */
250
251
252 enum worker_update_type {
253 WORKER_GEN,
254 BACKEND_REFRESH
255 };
256
257 union worker_update_payload {
258 unsigned gen;
259 struct sockaddr_storage addr;
260 };
261
262 struct worker_update {
263 enum worker_update_type type;
264 union worker_update_payload payload;
265 };
266
267 /* set a file descriptor (socket) to non-blocking mode */
268 static int
269 setnonblocking(int fd)
270 {
271 int flag = 1;
272
273 if (ioctl(fd, FIONBIO, &flag) < 0) {
274 assert (errno == ECONNRESET || errno == ENOTCONN);
275 return (-1);
276 }
277
278 return (0);
279 }
280
281
282 /* set a tcp socket to use TCP Keepalive */
283 static void
284 settcpkeepalive(int fd)
285 {
286 int optval = 1;
287 socklen_t optlen = sizeof(optval);
288
289 if(setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &optval, optlen) < 0) {
290 SOCKERR("Error activating SO_KEEPALIVE on client socket");
291 }
292
293 #ifdef TCP_KEEPIDLE
294 optval = CONFIG->TCP_KEEPALIVE_TIME;
295 optlen = sizeof(optval);
296 if (setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &optval, optlen) < 0) {
297 SOCKERR("Error setting TCP_KEEPIDLE on client socket");
298 }
299 #endif
300 }
301
302
303 #ifndef OPENSSL_NO_DH
304 static int
305 init_dh(SSL_CTX *ctx, const char *cert)
306 {
307 DH *dh;
308 BIO *bio;
309
310 AN(cert);
311
312 bio = BIO_new_file(cert, "r");
313 if (!bio) {
314 log_ssl_error(NULL, "{core} BIO_new_file");
315 return (-1);
316 }
317
318 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
319 BIO_free(bio);
320 if (!dh) {
321 LOG("{core} Note: no DH parameters found in %s\n", cert);
322 return (-1);
323 }
324
325 LOG("{core} Using DH parameters from %s\n", cert);
326 if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
327 DH_free(dh);
328 log_ssl_error(NULL, "{core} Error setting temp DH params");
329 return (-1);
330 }
331 LOG("{core} DH initialized with %d bit key\n", 8*DH_size(dh));
332 DH_free(dh);
333 return (0);
334 }
335
336 static int init_ecdh(SSL_CTX *ctx, const char *ecdh_curve) {
337 #ifndef OPENSSL_NO_EC
338 if (ecdh_curve == NULL || strcmp(ecdh_curve, "auto") == 0) {
339 /* For openssl >= 1.1 'auto' is default on and this is
340 * just a NOOP macro. */
341 AN(SSL_CTX_set_ecdh_auto(ctx, 1));
342 } else {
343 /* For openssl >= 1.1 this should really be "groups"
344 * instead of "curves", but we use the old name to
345 * support openssl 1.0 as well */
346 if (SSL_CTX_set1_curves_list(ctx,
347 ecdh_curve) == 0) {
348 log_ssl_error(NULL,
349 "{core} Configuring ecdh curves '%s' failed\n",
350 ecdh_curve);
351 }
352 }
353 LOG("{core} ECDH Initialized\n");
354 #else
355 (void) ctx;
356 (void) ecdh_curve;
357 #endif /* OPENSSL_NO_EC */
358 return (0);
359 }
360 #endif /* OPENSSL_NO_DH */
361
362 /* This callback function is executed while OpenSSL processes the SSL
363 * handshake and does SSL record layer stuff. It's used to trap
364 * client-initiated renegotiations.
365 */
366 static void
367 info_callback(const SSL *ssl, int where, int ret)
368 {
369 proxystate *ps;
370 (void)ret;
371 if (where & SSL_CB_HANDSHAKE_START) {
372 CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
373 if (ps->handshaked) {
374 ps->renegotiation = 1;
375 LOG("{core} SSL renegotiation asked by client\n");
376 }
377 }
378 }
379
380 #ifdef OPENSSL_WITH_NPN
381 static int npn_select_cb(SSL *ssl, const unsigned char **out,
382 unsigned *outlen, void *arg) {
383 proxystate *ps;
384 (void)arg;
385 CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
386 ps->npn_alpn_tried = 1;
387
388 LOG("{npn} Got NPN callback\n");
389 *out = (unsigned char *) CONFIG->ALPN_PROTOS_LV;
390 *outlen = CONFIG->ALPN_PROTOS_LV_LEN;
391
392 return (SSL_TLSEXT_ERR_OK);
393 }
394 #endif
395
396 #ifdef OPENSSL_WITH_ALPN
397 static int alpn_select_cb(SSL *ssl,
398 const unsigned char **out,
399 unsigned char *outlen,
400 const unsigned char *in,
401 unsigned int inlen,
402 void *arg)
403 {
404 int selected;
405 proxystate *ps;
406 (void)arg;
407
408 CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
409 ps->npn_alpn_tried = 1;
410
411 selected = SSL_select_next_proto((unsigned char **)out, outlen,
412 CONFIG->ALPN_PROTOS_LV, CONFIG->ALPN_PROTOS_LV_LEN, in, inlen);
413 if (selected == OPENSSL_NPN_NEGOTIATED)
414 return (SSL_TLSEXT_ERR_OK);
415 else {
416 assert(selected == OPENSSL_NPN_NO_OVERLAP);
417 LOGPROXY(ps, "ALPN: no overlap in protocols.\n");
418 /* Here it is possible to add logging of which protocols
419 the client wanted */
420 return (SSL_TLSEXT_ERR_NOACK);
421 }
422 return (SSL_TLSEXT_ERR_NOACK);
423 }
424 #endif
425
426 #ifdef USE_SHARED_CACHE
427
428 /* Handle incoming message updates */
429 static void
430 handle_shcupd(struct ev_loop *loop, ev_io *w, int revents)
431 {
432 (void)revents;
433 unsigned char msg[SHSESS_MAX_ENCODED_LEN], hash[EVP_MAX_MD_SIZE];
434 ssize_t r;
435 unsigned int hash_len;
436 uint32_t encdate;
437 long now = (time_t)ev_now(loop);
438
439 while ((r = recv(w->fd, msg, sizeof(msg), 0)) > 0) {
440 /* msg len must be greater than 1 Byte of data + sig length */
441 if (r < (int)(1+sizeof(shared_secret)))
442 continue;
443
444 /* compute sig */
445 r -= sizeof(shared_secret);
446 HMAC(EVP_sha1(), shared_secret, sizeof(shared_secret), msg,
447 r, hash, &hash_len);
448
449 if (hash_len != sizeof(shared_secret)) /* should never happen */
450 continue;
451
452 /* check sign */
453 if (memcmp(msg+r, hash, hash_len))
454 continue;
455
456 /* msg len must be greater than 1 Byte of data +
457 * encdate length */
458 if (r < (int)(1+sizeof(uint32_t)))
459 continue;
460
461 /* drop too unsync updates */
462 r -= sizeof(uint32_t);
463 encdate = *((uint32_t *)&msg[r]);
464 assert(now >= ntohl(encdate));
465 if ((now - ntohl(encdate)) >=
466 SSL_CTX_get_timeout(default_ctx->ctx))
467 continue;
468
469 shctx_sess_add(msg, r, now);
470 }
471 }
472
473 /* Send remote updates messages callback */
474 void
475 shcupd_session_new(unsigned char *msg, unsigned int len, long cdate)
476 {
477 unsigned int hash_len;
478 struct addrinfo **pai = shcupd_peers;
479 uint32_t ncdate;
480
481 /* add session creation encoded date to footer */
482 ncdate = htonl((uint32_t)cdate);
483 memcpy(msg+len, &ncdate, sizeof(ncdate));
484 len += sizeof(ncdate);
485
486 /* add msg sign */
487 HMAC(EVP_sha1(), shared_secret, sizeof(shared_secret),
488 msg, len, msg+len, &hash_len);
489 len += hash_len;
490
491 /* send msg to peers */
492 while (*pai) {
493 sendto(shcupd_socket, msg, len, 0, (*pai)->ai_addr,
494 (*pai)->ai_addrlen);
495 pai++;
496 }
497 }
498
499 /* Compute a sha1 secret from an ASN1 rsa private key */
500 static int
501 compute_secret(RSA *rsa, unsigned char *secret)
502 {
503 unsigned char *buf, *p;
504 unsigned int length;
505
506 length = i2d_RSAPrivateKey(rsa, NULL);
507 if (length <= 0)
508 return (-1);
509
510 p = buf = (unsigned char *)malloc(length*sizeof(unsigned char));
511 if (!buf)
512 return (-1);
513
514 i2d_RSAPrivateKey(rsa,&p);
515 SHA1(buf, length, secret);
516 free(buf);
517 return (0);
518 }
519
520 /* Create udp socket to receive and send updates */
521 static int
522 create_shcupd_socket()
523 {
524 struct addrinfo *ai, hints;
525 struct addrinfo **pai = shcupd_peers;
526 memset(&hints, 0, sizeof hints);
527 hints.ai_family = AF_UNSPEC;
528 hints.ai_socktype = SOCK_DGRAM;
529 hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
530 const int gai_err = getaddrinfo(CONFIG->SHCUPD_IP,
531 CONFIG->SHCUPD_PORT, &hints, &ai);
532 if (gai_err != 0) {
533 ERR("{getaddrinfo}: %s\n", gai_strerror(gai_err));
534 exit(1);
535 }
536
537 /* check if peers inet family addresses match */
538 while (*pai) {
539 if ((*pai)->ai_family != ai->ai_family) {
540 ERR("Share host and peers inet family differs\n");
541 exit(1);
542 }
543 pai++;
544 }
545
546 int s = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP);
547
548 if (s == -1)
549 fail("{socket: shared cache updates}");
550
551 int t = 1;
552 (void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &t, sizeof(int));
553 #ifdef SO_REUSEPORT_WORKS
554 (void)setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &t, sizeof(int));
555 #endif
556
557 if (setnonblocking(s) < 0)
558 fail("{shared cache: setnonblocking}");
559
560 if (ai->ai_addr->sa_family == AF_INET) {
561 struct ip_mreqn mreqn;
562
563 memset(&mreqn, 0, sizeof(mreqn));
564 mreqn.imr_multiaddr.s_addr =
565 ((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr;
566
567 if (CONFIG->SHCUPD_MCASTIF) {
568 if (isalpha(*CONFIG->SHCUPD_MCASTIF)) {
569 /* appears to be an iface name */
570 struct ifreq ifr;
571 memset(&ifr, 0, sizeof(ifr));
572 if (strlen(CONFIG->SHCUPD_MCASTIF) > IFNAMSIZ) {
573 ERR("Error iface name is too "
574 "long [%s]\n",
575 CONFIG->SHCUPD_MCASTIF);
576 exit(1);
577 }
578
579 memcpy(ifr.ifr_name, CONFIG->SHCUPD_MCASTIF,
580 strlen(CONFIG->SHCUPD_MCASTIF));
581 if (ioctl(s, SIOCGIFINDEX, &ifr)) {
582 fail("{ioctl: SIOCGIFINDEX}");
583 }
584
585 /* XXX: better use autoconf to detect those */
586 #ifdef __FreeBSD__
587 mreqn.imr_ifindex = ifr.ifr_ifru.ifru_index;
588 #else
589 mreqn.imr_ifindex = ifr.ifr_ifindex;
590 #endif
591 } else if (strchr(CONFIG->SHCUPD_MCASTIF,'.')) {
592 /* appears to be an ipv4 address */
593 mreqn.imr_address.s_addr =
594 inet_addr(CONFIG->SHCUPD_MCASTIF);
595 } else {
596 /* appears to be an iface index */
597 mreqn.imr_ifindex =
598 atoi(CONFIG->SHCUPD_MCASTIF);
599 }
600 }
601
602 if (setsockopt(s, IPPROTO_IP, IP_ADD_MEMBERSHIP,
603 &mreqn, sizeof(mreqn)) < 0) {
604 if (errno != EINVAL) {
605 /* EINVAL if it is not a multicast address,
606 * not an error we consider unicast */
607 fail("{setsockopt: IP_ADD_MEMBERSIP}");
608 }
609 } else { /* this is a multicast address */
610 unsigned char loop = 0;
611 if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_LOOP,
612 &loop, sizeof(loop)) < 0) {
613 fail("{setsockopt: IP_MULTICAST_LOOP}");
614 }
615 }
616
617 /* optional set sockopts for sending to multicast msg */
618 if (CONFIG->SHCUPD_MCASTIF &&
619 setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF,
620 &mreqn, sizeof(mreqn)) < 0) {
621 fail("{setsockopt: IP_MULTICAST_IF}");
622 }
623
624 if (CONFIG->SHCUPD_MCASTTTL) {
625 unsigned char ttl;
626
627 ttl = (unsigned char)atoi(CONFIG->SHCUPD_MCASTTTL);
628 if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_TTL,
629 &ttl, sizeof(ttl)) < 0) {
630 fail("{setsockopt: IP_MULTICAST_TTL}");
631 }
632 }
633 }
634 #ifdef IPV6_ADD_MEMBERSHIP
635 else if (ai->ai_addr->sa_family == AF_INET6) {
636 struct ipv6_mreq mreq;
637
638 memset(&mreq, 0, sizeof(mreq));
639 memcpy(&mreq.ipv6mr_multiaddr,
640 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
641 sizeof(mreq.ipv6mr_multiaddr));
642
643 if (CONFIG->SHCUPD_MCASTIF) {
644 if (isalpha(*CONFIG->SHCUPD_MCASTIF)) {
645 /* appears to be an iface name */
646 struct ifreq ifr;
647
648 memset(&ifr, 0, sizeof(ifr));
649 if (strlen(CONFIG->SHCUPD_MCASTIF) > IFNAMSIZ) {
650 ERR("Error iface name is too "
651 "long [%s]\n",
652 CONFIG->SHCUPD_MCASTIF);
653 exit(1);
654 }
655
656 memcpy(ifr.ifr_name, CONFIG->SHCUPD_MCASTIF,
657 strlen(CONFIG->SHCUPD_MCASTIF));
658
659 if (ioctl(s, SIOCGIFINDEX, &ifr))
660 fail("{ioctl: SIOCGIFINDEX}");
661
662 mreq.ipv6mr_interface = ifr.ifr_ifindex;
663 } else { /* option appears to be an iface index */
664 mreq.ipv6mr_interface =
665 atoi(CONFIG->SHCUPD_MCASTIF);
666 }
667 }
668
669 if (setsockopt(s, IPPROTO_IPV6, IPV6_ADD_MEMBERSHIP,
670 &mreq, sizeof(mreq)) < 0) {
671 if (errno != EINVAL) {
672 /* EINVAL if it is not a multicast address,
673 * not an error we consider unicast */
674 fail("{setsockopt: IPV6_ADD_MEMBERSIP}");
675 }
676 } else { /* this is a multicast address */
677 unsigned int loop = 0;
678 if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_LOOP,
679 &loop, sizeof(loop)) < 0) {
680 fail("{setsockopt: IPV6_MULTICAST_LOOP}");
681 }
682 }
683 /* optional set sockopts for sending to multicast msg */
684 if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_IF,
685 &mreq.ipv6mr_interface,
686 sizeof(mreq.ipv6mr_interface)) < 0) {
687 fail("{setsockopt: IPV6_MULTICAST_IF}");
688 }
689
690 if (CONFIG->SHCUPD_MCASTTTL) {
691 int hops;
692
693 hops = atoi(CONFIG->SHCUPD_MCASTTTL);
694 if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
695 &hops, sizeof(hops)) < 0) {
696 fail("{setsockopt: IPV6_MULTICAST_HOPS}");
697 }
698 }
699 }
700 #endif /* IPV6_ADD_MEMBERSHIP */
701
702 if (bind(s, ai->ai_addr, ai->ai_addrlen)) {
703 fail("{bind-socket}");
704 }
705
706 freeaddrinfo(ai);
707 return (s);
708 }
709
710 #endif /*USE_SHARED_CACHE */
711
712 EVP_PKEY *
713 load_privatekey(SSL_CTX *ctx, const char *file)
714 {
715 BIO *bio;
716 EVP_PKEY *pkey;
717
718 bio = BIO_new_file(file, "r");
719 if (!bio) {
720 log_ssl_error(NULL, "{core} BIO_new_file");
721 return (NULL);
722 }
723
724 pkey = PEM_read_bio_PrivateKey(bio, NULL,
725 SSL_CTX_get_default_passwd_cb(ctx),
726 SSL_CTX_get_default_passwd_cb_userdata(ctx));
727 BIO_free(bio);
728
729 if (!pkey) {
730 log_ssl_error(NULL, "{core} PEM_read_bio_PrivateKey");
731 return (NULL);
732 }
733
734 return (pkey);
735 }
736
737 #ifndef OPENSSL_NO_TLSEXT
738 static int
739 sni_match(const sni_name *sn, const char *srvname)
740 {
741 if (!sn->is_wildcard)
742 return (strcasecmp(srvname, sn->sni_key) == 0);
743 else {
744 char *s = strchr(srvname, '.');
745 if (s == NULL)
746 return (0);
747 return (strcasecmp(s, sn->sni_key + 1) == 0);
748 }
749 }
750
751 static const sslctx *
752 sni_lookup(const char *sni_key, const sni_name *sn_tab)
753 {
754 const sni_name *sn;
755
756 AN(sni_key);
757 CHECK_OBJ_NOTNULL(sn_tab, SNI_NAME_MAGIC);
758
759 HASH_FIND_STR(sn_tab, sni_key, sn);
760 if (sn == NULL) {
761 char *s;
762 /* attempt another lookup for wildcard matches */
763 s = strchr(sni_key, '.');
764 if (s != NULL)
765 HASH_FIND_STR(sn_tab, s, sn);
766 }
767
768 if (sn != NULL) {
769 CHECK_OBJ_NOTNULL(sn, SNI_NAME_MAGIC);
770 if (sni_match(sn, sni_key))
771 return (sn->sctx);
772 }
773
774 return (NULL);
775 }
776
777 static int
778 sni_try_lookup(SSL *ssl, const char *sni_key, const struct sni_name_s *sn_tab)
779 {
780 const sslctx *sc;
781
782 AN(ssl);
783 AN(sni_key);
784 CHECK_OBJ_NOTNULL(sn_tab, SNI_NAME_MAGIC);
785
786 sc = sni_lookup(sni_key, sn_tab);
787 if (sc == NULL)
788 return (0);
789
790 CHECK_OBJ(sc, SSLCTX_MAGIC);
791 SSL_set_SSL_CTX(ssl, sc->ctx);
792 return (1);
793 }
794
795 char *
796 sni_build_key(const char *servername)
797 {
798 char *key, *c;
799
800 if (servername == NULL)
801 return (NULL);
802
803 AN(servername);
804 key = strdup(servername);
805
806 for (c = key; *c != '\0'; c++)
807 *c = tolower(*c);
808 return (key);
809 }
810
811 /*
812 * Switch the context of the current SSL object to the most appropriate one
813 * based on the SNI header
814 */
815 static int
816 sni_switch_ctx(SSL *ssl, int *al, void *data)
817 {
818 const struct frontend *fr = NULL;
819 const char *servername;
820 char *sni_key;
821 int lookup_global = 1;
822 int sni_nomatch_abort = CONFIG->SNI_NOMATCH_ABORT;
823
824 AN(ssl);
825 (void)al;
826 if (data != NULL)
827 CAST_OBJ_NOTNULL(fr, data, FRONTEND_MAGIC);
828
829 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
830 if (servername == NULL)
831 return (SSL_TLSEXT_ERR_NOACK);
832
833 sni_key = sni_build_key(servername);
834 AN(sni_key);
835
836 if (fr != NULL) {
837 if (sni_try_lookup(ssl, sni_key, fr->sni_names)) {
838 free(sni_key);
839 return (SSL_TLSEXT_ERR_OK);
840 }
841 lookup_global = fr->match_global_certs;
842 if (fr->sni_nomatch_abort != -1)
843 sni_nomatch_abort = fr->sni_nomatch_abort;
844 }
845
846 if (lookup_global && sni_try_lookup(ssl, sni_key, sni_names)) {
847 free(sni_key);
848 return (SSL_TLSEXT_ERR_OK);
849 }
850
851 free(sni_key);
852
853 /* No matching certs */
854 if (sni_nomatch_abort)
855 return (SSL_TLSEXT_ERR_ALERT_FATAL);
856 else
857 return (SSL_TLSEXT_ERR_NOACK);
858 }
859 #endif /* OPENSSL_NO_TLSEXT */
860
861 static void
862 sctx_free(sslctx *sc, sni_name **sn_tab)
863 {
864 sni_name *sn, *sntmp;
865
866 if (sc == NULL)
867 return;
868
869 HOCSP_free(&sc->staple);
870
871 if (sn_tab != NULL)
872 CHECK_OBJ_NOTNULL(*sn_tab, SNI_NAME_MAGIC);
873
874 CHECK_OBJ_NOTNULL(sc, SSLCTX_MAGIC);
875 VTAILQ_FOREACH_SAFE(sn, &sc->sni_list, list, sntmp) {
876 CHECK_OBJ_NOTNULL(sn, SNI_NAME_MAGIC);
877 VTAILQ_REMOVE(&sc->sni_list, sn, list);
878 if (sn_tab != NULL)
879 HASH_DEL(*sn_tab, sn);
880 free(sn->servername);
881 free(sn->sni_key);
882 FREE_OBJ(sn);
883 }
884
885 free(sc->filename);
886 SSL_CTX_free(sc->ctx);
887 FREE_OBJ(sc);
888 }
889
890 X509 *
891 Find_issuer(X509 *subj, STACK_OF(X509) *chain)
892 {
893 int i;
894 X509 *x;
895
896 AN(subj);
897
898 for (i = 0; i < sk_X509_num(chain); i++) {
899 x = sk_X509_value(chain, i);
900 if (X509_check_issued(x, subj) == X509_V_OK)
901 return (x);
902 }
903
904 /* todo: look in cert store? */
905
906 return (NULL);
907 }
908
909 static int
910 client_vfy_cb(int preverify_ok, X509_STORE_CTX *storectx)
911 {
912 proxystate *ps;
913 SSL *ssl;
914
915 ssl = X509_STORE_CTX_get_ex_data(storectx,
916 SSL_get_ex_data_X509_STORE_CTX_idx());
917 CAST_OBJ_NOTNULL(ps, SSL_get_app_data(ssl), PROXYSTATE_MAGIC);
918 if (preverify_ok)
919 ps->client_cert_conn = 1;
920
921 return (preverify_ok);
922 }
923
924 static int
925 client_vfy_init(SSL_CTX *ctx, int flags, const char *cafile)
926 {
927 X509_STORE *vfy;
928 STACK_OF(X509_OBJECT) *objs;
929 X509_OBJECT *o;
930 X509 *crt;
931 int i;
932
933 AN(cafile);
934 assert(flags != SSL_VERIFY_NONE);
935 AN(flags & SSL_VERIFY_PEER);
936
937 vfy = X509_STORE_new();
938 if (!vfy) {
939 log_ssl_error(NULL, "X509_STORE_new: allocation failed");
940 return (1);
941 }
942 if (X509_STORE_load_locations(vfy, cafile, NULL) == 0) {
943 log_ssl_error(NULL, "client_verify_ca: unable to "
944 "load file '%s'",
945 cafile);
946 X509_STORE_free(vfy);
947 return (1);
948 }
949
950 SSL_CTX_set1_verify_cert_store(ctx, vfy);
951
952 #ifdef HAVE_X509_STORE_GET0_OBJECTS
953 objs = X509_STORE_get0_objects(vfy);
954 #else
955 objs = vfy->objs;
956 #endif
957 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
958 o = sk_X509_OBJECT_value(objs, i);
959 #ifdef HAVE_X509_OBJECT_GET0_X509
960 crt = X509_OBJECT_get0_X509(o);
961 #else
962 crt = o->data.x509;
963 #endif
964 if (crt != NULL) {
965 /* SSL_CTX_add_client_CA makes a copy of the
966 * subject name, so the X509_STORE_free below
967 * is safe. */
968 SSL_CTX_add_client_CA(ctx, crt);
969 }
970 }
971
972 SSL_CTX_set_verify(ctx, flags, client_vfy_cb);
973
974 X509_STORE_free(vfy);
975 return (0);
976 }
977
978 /* Initialize an SSL context */
979 static sslctx *
980 make_ctx_fr(const struct cfg_cert_file *cf, const struct frontend *fr,
981 const struct front_arg *fa)
982 {
983 SSL_CTX *ctx;
984 sslctx *sc;
985 EVP_PKEY *pkey;
986 int selected_protos = CONFIG->SELECTED_TLS_PROTOS;
987 char *ciphers = CONFIG->CIPHERS_TLSv12;
988 char *ciphersuites = CONFIG->CIPHERSUITES_TLSv13;
989 int pref_srv_ciphers = CONFIG->PREFER_SERVER_CIPHERS;
990 int client_verify = CONFIG->CLIENT_VERIFY;
991
992 if (fa != NULL) {
993 CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC);
994 if (fa->selected_protos != 0)
995 selected_protos = fa->selected_protos;
996 if (fa->ciphers_tlsv12 != NULL)
997 ciphers = fa->ciphers_tlsv12;
998 if (fa->prefer_server_ciphers != -1)
999 pref_srv_ciphers = fa->prefer_server_ciphers;
1000 if (fa->ciphersuites_tlsv13)
1001 ciphersuites = fa->ciphersuites_tlsv13;
1002 if (fa->client_verify != -1)
1003 client_verify = fa->client_verify;
1004 }
1005
1006 long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL |
1007 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
1008
1009 #ifdef SSL_OP_NO_COMPRESSION
1010 ssloptions |= SSL_OP_NO_COMPRESSION;
1011 #endif
1012 #ifdef SSL_OP_SINGLE_DH_USE
1013 ssloptions |= SSL_OP_SINGLE_DH_USE;
1014 #endif
1015 #ifdef SSL_OP_SINGLE_ECDH_USE
1016 ssloptions |= SSL_OP_SINGLE_ECDH_USE;
1017 #endif
1018 if (!(selected_protos & SSLv3_PROTO))
1019 ssloptions |= SSL_OP_NO_SSLv3;
1020 if (!(selected_protos & TLSv1_0_PROTO))
1021 ssloptions |= SSL_OP_NO_TLSv1;
1022 if (!(selected_protos & TLSv1_1_PROTO))
1023 ssloptions |= SSL_OP_NO_TLSv1_1;
1024 if (!(selected_protos & TLSv1_2_PROTO))
1025 ssloptions |= SSL_OP_NO_TLSv1_2;
1026 #ifdef SSL_OP_NO_TLSv1_3
1027 if (!(selected_protos & TLSv1_3_PROTO))
1028 ssloptions |= SSL_OP_NO_TLSv1_3;
1029 #endif
1030 ctx = SSL_CTX_new((CONFIG->PMODE == SSL_CLIENT) ?
1031 SSLv23_client_method() : SSLv23_server_method());
1032
1033 SSL_CTX_set_options(ctx, ssloptions);
1034 SSL_CTX_set_info_callback(ctx, info_callback);
1035 #ifdef OPENSSL_WITH_ALPN
1036 if (CONFIG->ALPN_PROTOS != NULL)
1037 SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL);
1038 #endif
1039 #ifdef OPENSSL_WITH_NPN
1040 if (CONFIG->ALPN_PROTOS != NULL)
1041 SSL_CTX_set_next_protos_advertised_cb(ctx, npn_select_cb, NULL);
1042 #endif
1043
1044 if (ciphers != NULL) {
1045 if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
1046 log_ssl_error(NULL, "{core} SSL_CTX_set_cipher_list");
1047 return (NULL);
1048 }
1049 }
1050
1051 #if HAVE_TLS_1_3
1052 if (ciphersuites != NULL) {
1053 if (SSL_CTX_set_ciphersuites(ctx, ciphersuites) != 1) {
1054 log_ssl_error(NULL, "{core} SSL_CTX_set_ciphersuites");
1055 return (NULL);
1056 }
1057 }
1058 #else
1059 (void) ciphersuites;
1060 #endif
1061 if (client_verify != SSL_VERIFY_NONE) {
1062 const char *ca = CONFIG->CLIENT_VERIFY_CA;
1063 if (fa && fa->client_verify_ca)
1064 ca = fa->client_verify_ca;
1065 AN(ca);
1066 if (client_vfy_init(ctx, client_verify, ca))
1067 return (NULL);
1068 }
1069
1070 if (pref_srv_ciphers)
1071 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
1072
1073 AN(SSL_CTX_set_session_id_context(ctx, (const unsigned char *) "hitch",
1074 strlen("hitch")));
1075
1076 ALLOC_OBJ(sc, SSLCTX_MAGIC);
1077 AN(sc);
1078 sc->filename = strdup(cf->filename);
1079 sc->mtim = cf->mtim;
1080 sc->ctx = ctx;
1081 sc->staple_vfy = cf->ocsp_vfy;
1082 VTAILQ_INIT(&sc->sni_list);
1083
1084 if (sc->staple_vfy > 0 ||
1085 (sc-> staple_vfy < 0 && CONFIG->OCSP_VFY))
1086 AN(SSL_CTX_set_default_verify_paths(ctx));
1087
1088 if (CONFIG->PMODE == SSL_CLIENT)
1089 return (sc);
1090
1091 /* SSL_SERVER Mode stuff */
1092 if (SSL_CTX_use_certificate_chain_file(ctx, cf->filename) <= 0) {
1093 log_ssl_error(NULL,
1094 "Error loading certificate file %s\n", cf->filename);
1095 sctx_free(sc, NULL);
1096 return (NULL);
1097 }
1098
1099 pkey = 0;
1100 if (cf->priv_key_filename != 0) {
1101 pkey = load_privatekey(ctx, cf->priv_key_filename);
1102 if (!pkey) {
1103 ERR("Error loading private key (%s)\n",
1104 cf->priv_key_filename);
1105 sctx_free(sc, NULL);
1106 return (NULL);
1107 }
1108 }
1109 if (!pkey) {
1110 pkey = load_privatekey(ctx, cf->filename);
1111 if (!pkey) {
1112 ERR("Error loading private key (%s)\n", cf->filename);
1113 sctx_free(sc, NULL);
1114 return (NULL);
1115 }
1116 }
1117
1118 if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
1119 log_ssl_error(NULL, "SSL_CTX_use_PrivateKey: %s",
1120 cf->filename);
1121 EVP_PKEY_free(pkey);
1122 sctx_free(sc, NULL);
1123 return (NULL);
1124 }
1125
1126 #ifndef OPENSSL_NO_DH
1127 init_dh(ctx, cf->filename);
1128 init_ecdh(ctx, CONFIG->ECDH_CURVE);
1129 #endif /* OPENSSL_NO_DH */
1130
1131 #ifndef OPENSSL_NO_TLSEXT
1132 if (!SSL_CTX_set_tlsext_servername_callback(ctx, sni_switch_ctx)) {
1133 ERR("Error setting up SNI support.\n");
1134 }
1135 CHECK_OBJ_ORNULL(fr, FRONTEND_MAGIC);
1136 if (!SSL_CTX_set_tlsext_servername_arg(ctx, (void *)fr)) {
1137 ERR("Error setting SNI servername arg.\n");
1138 }
1139
1140 if (load_cert_ctx(sc) != 0) {
1141 EVP_PKEY_free(pkey);
1142 sctx_free(sc, NULL);
1143 return (NULL);
1144 }
1145
1146 if (CONFIG->OCSP_DIR) {
1147 char *fn = HOCSP_fn(sc->filename);
1148 /* attempt loading of cached ocsp staple */
1149 if (fn != NULL) {
1150 if (HOCSP_init_file(fn, sc, 1) == 0) {
1151 LOG("{core} Loaded cached OCSP staple "
1152 "for cert '%s'\n", sc->filename);
1153 sc->staple_fn = fn;
1154 }
1155 else {
1156 free(fn);
1157 }
1158 }
1159 }
1160
1161 if (sc->staple == NULL && cf->ocspfn != NULL) {
1162 if (HOCSP_init_file(cf->ocspfn, sc, 0) != 0) {
1163 ERR("Error loading OCSP response %s for stapling.\n",
1164 cf->ocspfn);
1165 EVP_PKEY_free(pkey);
1166 sctx_free(sc, NULL);
1167 return (NULL);
1168 } else {
1169 LOG("{core} Loaded OCSP staple '%s'\n", cf->ocspfn);
1170 sc->staple_fn = strdup(cf->ocspfn);
1171 sc->staple->mtim = cf->ocsp_mtim;
1172 }
1173 }
1174
1175 if (CONFIG->OCSP_DIR != NULL)
1176 HOCSP_ev_stat(sc);
1177
1178 #endif /* OPENSSL_NO_TLSEXT */
1179
1180 #ifdef USE_SHARED_CACHE
1181 if (CONFIG->SHARED_CACHE) {
1182 if (shared_context_init(ctx, CONFIG->SHARED_CACHE) < 0) {
1183 ERR("Unable to alloc memory for shared cache.\n");
1184 EVP_PKEY_free(pkey);
1185 sctx_free(sc, NULL);
1186 return (NULL);
1187 }
1188 if (CONFIG->SHCUPD_PORT) {
1189 RSA *rsa;
1190 rsa = EVP_PKEY_get1_RSA(pkey);
1191 if (rsa != NULL &&
1192 compute_secret(rsa, shared_secret) < 0) {
1193 ERR("Unable to compute shared secret.\n");
1194 EVP_PKEY_free(pkey);
1195 sctx_free(sc, NULL);
1196 return (NULL);
1197 }
1198
1199 /* Force TLS tickets because keys differs. */
1200 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
1201
1202 if (*shcupd_peers) {
1203 shsess_set_new_cbk(shcupd_session_new);
1204 }
1205 }
1206 }
1207 #endif
1208 EVP_PKEY_free(pkey);
1209 return (sc);
1210 }
1211
1212 static void
1213 insert_sni_names(sslctx *sc, sni_name **sn_tab)
1214 {
1215 sni_name *sn, *sn2;
1216 char *key;
1217 CHECK_OBJ_NOTNULL(sc, SSLCTX_MAGIC);
1218
1219 VTAILQ_FOREACH(sn, &sc->sni_list, list) {
1220 CHECK_OBJ_NOTNULL(sn, SNI_NAME_MAGIC);
1221 key = sn->sni_key;
1222 AN(key);
1223 if (sn->is_wildcard)
1224 key = sn->sni_key + 1;
1225 HASH_FIND_STR(*sn_tab, key, sn2);
1226 if (sn2 != NULL) {
1227 ERR("Warning: SNI name '%s' from '%s' overridden"
1228 " by '%s'\n",
1229 key, sn2->sctx->filename, sn->sctx->filename);
1230 }
1231 HASH_ADD_KEYPTR(hh, *sn_tab, key, strlen(key), sn);
1232 }
1233 }
1234
1235 static sslctx *
1236 make_ctx(const struct cfg_cert_file *cf)
1237 {
1238 return (make_ctx_fr(cf, NULL, NULL));
1239 }
1240 #ifndef OPENSSL_NO_TLSEXT
1241 static int
1242 load_cert_ctx(sslctx *so)
1243 {
1244 X509 *x509;
1245 X509_NAME *x509_name;
1246 X509_NAME_ENTRY *x509_entry;
1247 BIO *f;
1248 STACK_OF(GENERAL_NAME) *names = NULL;
1249 GENERAL_NAME *name;
1250 int i;
1251
1252 #define PUSH_CTX(asn1_str, ctx) \
1253 do { \
1254 sni_name *sn; \
1255 ALLOC_OBJ(sn, SNI_NAME_MAGIC); \
1256 ASN1_STRING_to_UTF8( \
1257 (unsigned char **)&sn->servername, asn1_str); \
1258 sn->is_wildcard = \
1259 (strstr(sn->servername, "*.") == sn->servername); \
1260 sn->sni_key = sni_build_key(sn->servername); \
1261 sn->sctx = so; \
1262 VTAILQ_INSERT_TAIL(&so->sni_list, sn, list); \
1263 } while (0)
1264
1265 f = BIO_new(BIO_s_file());
1266 // TODO: error checking
1267
1268 if (!BIO_read_filename(f, so->filename)) {
1269 ERR("Could not read certificate '%s'\n", so->filename);
1270 return (1);
1271 }
1272 x509 = PEM_read_bio_X509_AUX(f, NULL, NULL, NULL);
1273 BIO_free(f);
1274
1275 so->x509 = x509;
1276
1277 /* First, look for Subject Alternative Names. */
1278 names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
1279 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1280 name = sk_GENERAL_NAME_value(names, i);
1281 if (name->type == GEN_DNS) {
1282 PUSH_CTX(name->d.dNSName, ctx);
1283 }
1284 }
1285 if (sk_GENERAL_NAME_num(names) > 0) {
1286 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1287 /* If we found some, don't bother looking any further. */
1288 return (0);
1289 } else if (names != NULL) {
1290 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1291 }
1292
1293 /* Now we're left looking at the CN on the cert. */
1294 x509_name = X509_get_subject_name(x509);
1295 i = X509_NAME_get_index_by_NID(x509_name, NID_commonName, -1);
1296 if (i < 0) {
1297 ERR("Could not find Subject Alternative Names"
1298 " or a CN on cert %s\n", so->filename);
1299 return (1);
1300 }
1301 x509_entry = X509_NAME_get_entry(x509_name, i);
1302 AN(x509_entry);
1303 PUSH_CTX(X509_NAME_ENTRY_get_data(x509_entry), ctx);
1304
1305 return (0);
1306 }
1307 #endif /* OPENSSL_NO_TLSEXT */
1308
1309 /* Check that we don't needlessly load a cert that's already loaded. */
1310 static sslctx *
1311 find_ctx(const char *file)
1312 {
1313 sslctx *so;
1314 HASH_FIND_STR(ssl_ctxs, file, so);
1315 return (so);
1316 }
1317
1318 /* Init library and load specified certificate.
1319 * Establishes a SSL_ctx, to act as a template for
1320 * each connection */
1321 void
1322 init_openssl(void)
1323 {
1324 SSL_library_init();
1325 SSL_load_error_strings();
1326 OpenSSL_add_all_digests();
1327
1328 if (CONFIG->ENGINE) {
1329 ENGINE *e = NULL;
1330 ENGINE_load_builtin_engines();
1331 HSSL_Locks_Init();
1332 if (!strcmp(CONFIG->ENGINE, "auto"))
1333 ENGINE_register_all_complete();
1334 else {
1335 if ((e = ENGINE_by_id(CONFIG->ENGINE)) == NULL ||
1336 !ENGINE_init(e) ||
1337 !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
1338 log_ssl_error(NULL,
1339 "{core} ENGINE initialization failed");
1340 exit(1);
1341 }
1342 LOG("{core} will use OpenSSL engine %s.\n",
1343 ENGINE_get_id(e));
1344 ENGINE_finish(e);
1345 ENGINE_free(e);
1346 }
1347 }
1348 }
1349
1350 static void
1351 init_certs(void) {
1352 struct cfg_cert_file *cf, *cftmp;
1353 sslctx *so;
1354
1355 if (CONFIG->CERT_DEFAULT != NULL) {
1356 default_ctx = make_ctx(CONFIG->CERT_DEFAULT);
1357 if (default_ctx == NULL)
1358 exit(1);
1359 #ifndef OPENSSL_NO_TLSEXT
1360 insert_sni_names(default_ctx, &sni_names);
1361 #endif
1362 }
1363
1364 // Go through the list of PEMs and make some SSL contexts for
1365 // them. We also keep track of the names associated with each
1366 // cert so we can do SNI on them later
1367 HASH_ITER(hh, CONFIG->CERT_FILES, cf, cftmp) {
1368 if (find_ctx(cf->filename) == NULL) {
1369 so = make_ctx(cf);
1370 if (so == NULL)
1371 exit(1);
1372 HASH_ADD_KEYPTR(hh, ssl_ctxs, so->filename,
1373 strlen(so->filename), so);
1374 #ifndef OPENSSL_NO_TLSEXT
1375 insert_sni_names(so, &sni_names);
1376 #endif
1377 }
1378 }
1379 }
1380
1381 static void
1382 destroy_lsock(struct listen_sock *ls)
1383 {
1384 CHECK_OBJ_NOTNULL(ls, LISTEN_SOCK_MAGIC);
1385 if (ls->sock > 0)
1386 (void) close(ls->sock);
1387 free(ls->name);
1388 FREE_OBJ(ls);
1389 }
1390
1391 static void
1392 destroy_frontend(struct frontend *fr)
1393 {
1394 struct listen_sock *ls, *lstmp;
1395 sslctx *sc, *sctmp;
1396
1397 CHECK_OBJ_NOTNULL(fr, FRONTEND_MAGIC);
1398
1399 VTAILQ_FOREACH_SAFE(ls, &fr->socks, list, lstmp) {
1400 CHECK_OBJ_NOTNULL(ls, LISTEN_SOCK_MAGIC);
1401 VTAILQ_REMOVE(&fr->socks, ls, list);
1402 destroy_lsock(ls);
1403 }
1404
1405 HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
1406 HASH_DEL(fr->ssl_ctxs, sc);
1407 sctx_free(sc, &fr->sni_names);
1408 }
1409
1410 AZ(HASH_COUNT(fr->sni_names));
1411 FREE_OBJ(fr);
1412 }
1413
1414 /* Create the bound socket in the parent process */
1415 static int
1416 frontend_listen(const struct front_arg *fa, struct frontend *fr)
1417 {
1418 struct addrinfo *ai, hints, *it;
1419 struct listen_sock *ls, *lstmp;
1420 struct listen_sock_head *slist;
1421 char buf[INET6_ADDRSTRLEN+20];
1422 char abuf[INET6_ADDRSTRLEN];
1423 char pbuf[8];
1424 int r, count = 0;
1425
1426 CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC);
1427 CHECK_OBJ_NOTNULL(fr, FRONTEND_MAGIC);
1428 slist = &fr->socks;
1429
1430 ai = fr->addrs;
1431 if (ai == NULL) {
1432 memset(&hints, 0, sizeof hints);
1433 hints.ai_family = AF_UNSPEC;
1434 hints.ai_socktype = SOCK_STREAM;
1435 hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
1436 r = getaddrinfo(fa->ip, fa->port,
1437 &hints, &ai);
1438 if (r != 0) {
1439 ERR("{getaddrinfo-listen}: %s: %s\n", fa->pspec,
1440 gai_strerror(r));
1441 return (-1);
1442 }
1443 }
1444
1445 for (it = ai; it != NULL; it = it->ai_next) {
1446 ALLOC_OBJ(ls, LISTEN_SOCK_MAGIC);
1447 VTAILQ_INSERT_TAIL(slist, ls, list);
1448 count++;
1449
1450 ls->sock = socket(it->ai_family, SOCK_STREAM, IPPROTO_TCP);
1451 if (ls->sock == -1) {
1452 ERR("{socket: main}: %s: %s\n", strerror(errno),
1453 fa->pspec);
1454 goto creat_frontend_err;
1455 }
1456
1457 int t = 1;
1458 if (setsockopt(ls->sock, SOL_SOCKET, SO_REUSEADDR,
1459 &t, sizeof(int))
1460 < 0) {
1461 ERR("{setsockopt-reuseaddr}: %s: %s\n", strerror(errno),
1462 fa->pspec);
1463 goto creat_frontend_err;
1464 }
1465 #ifdef SO_REUSEPORT_WORKS
1466 if (setsockopt(ls->sock, SOL_SOCKET, SO_REUSEPORT,
1467 &t, sizeof(int))
1468 < 0) {
1469 ERR("{setsockopt-reuseport}: %s: %s\n", strerror(errno),
1470 fa->pspec);
1471 goto creat_frontend_err;
1472 }
1473 #endif
1474
1475 #ifdef TCP_FASTOPEN_WORKS
1476 if (CONFIG->TFO) {
1477 if (setsockopt(ls->sock, SOL_TCP, TCP_FASTOPEN,
1478 &t, sizeof(int))
1479 < 0) {
1480 ERR("{setsockopt-tcp_fastopen}: %s: %s\n", strerror(errno),
1481 fa->pspec);
1482 goto creat_frontend_err;
1483 }
1484 }
1485 #endif
1486
1487 if(setnonblocking(ls->sock) < 0) {
1488 ERR("{listen sock: setnonblocking}: %s: %s\n",
1489 strerror(errno), fa->pspec);
1490 goto creat_frontend_err;
1491 }
1492 #ifdef IPV6_V6ONLY
1493 t = 1;
1494 if (it->ai_family == AF_INET6 &&
1495 setsockopt(ls->sock, IPPROTO_IPV6, IPV6_V6ONLY, &t,
1496 sizeof (t)) != 0) {
1497 ERR("{setsockopt-ipv6only}: %s: %s\n", strerror(errno),
1498 fa->pspec);
1499 goto creat_frontend_err;
1500 }
1501 #endif
1502 if (CONFIG->RECV_BUFSIZE > 0) {
1503 r = setsockopt(ls->sock, SOL_SOCKET, SO_RCVBUF,
1504 &CONFIG->RECV_BUFSIZE,
1505 sizeof(CONFIG->RECV_BUFSIZE));
1506 if (r < 0) {
1507 ERR("{setsockopt-rcvbuf}: %s: %s\n",
1508 strerror(errno), fa->pspec);
1509 goto creat_frontend_err;
1510 }
1511 }
1512 if (CONFIG->SEND_BUFSIZE > 0) {
1513 r = setsockopt(ls->sock, SOL_SOCKET, SO_SNDBUF,
1514 &CONFIG->SEND_BUFSIZE,
1515 sizeof(CONFIG->SEND_BUFSIZE));
1516 if (r < 0) {
1517 ERR("{setsockopt-sndbuf}: %s: %s\n",
1518 strerror(errno), fa->pspec);
1519 goto creat_frontend_err;
1520 }
1521 }
1522
1523 if (bind(ls->sock, it->ai_addr, it->ai_addrlen)) {
1524 ERR("{bind-socket}: %s: %s\n", strerror(errno),
1525 fa->pspec);
1526 goto creat_frontend_err;
1527 }
1528
1529 #ifndef NO_DEFER_ACCEPT
1530 #if TCP_DEFER_ACCEPT
1531 int timeout = 1;
1532 if (setsockopt(ls->sock, IPPROTO_TCP, TCP_DEFER_ACCEPT,
1533 &timeout, sizeof(int)) < 0) {
1534 ERR("{setsockopt-defer_accept}: %s: %s\n",
1535 strerror(errno), fa->pspec);
1536 goto creat_frontend_err;
1537 }
1538 #endif /* TCP_DEFER_ACCEPT */
1539 #endif
1540 if (listen(ls->sock, CONFIG->BACKLOG) != 0) {
1541 ERR("{listen-socket}: %s: %s\n", strerror(errno),
1542 fa->pspec);
1543 goto creat_frontend_err;
1544 }
1545
1546 memcpy(&ls->addr, it->ai_addr, it->ai_addrlen);
1547
1548 r = getnameinfo(it->ai_addr, it->ai_addrlen, abuf,
1549 sizeof abuf, pbuf, sizeof pbuf,
1550 NI_NUMERICHOST | NI_NUMERICSERV);
1551 if (r != 0) {
1552 ERR("{getnameinfo}: %s\n", fa->pspec);
1553 goto creat_frontend_err;
1554 }
1555
1556 if (it->ai_addr->sa_family == AF_INET6) {
1557 sprintf(buf, "[%s]:%s", abuf, pbuf);
1558 } else {
1559 sprintf(buf, "%s:%s", abuf, pbuf);
1560 }
1561 ls->name = strdup(buf);
1562 AN(ls->name);
1563 if (getpid() != master_pid)
1564 LOG("{core} Listening on %s\n", ls->name);
1565 }
1566
1567 if (fr->addrs == NULL) {
1568 assert(getpid() == master_pid);
1569 VTAILQ_FOREACH_SAFE(ls, slist, list, lstmp) {
1570 VTAILQ_REMOVE(slist, ls, list);
1571 destroy_lsock(ls);
1572 }
1573 fr->addrs = ai;
1574 } else {
1575 fr->addrs = NULL;
1576 freeaddrinfo(ai);
1577 }
1578 return (count);
1579
1580 creat_frontend_err:
1581 freeaddrinfo(ai);
1582 VTAILQ_FOREACH_SAFE(ls, slist, list, lstmp) {
1583 VTAILQ_REMOVE(slist, ls, list);
1584 destroy_lsock(ls);
1585 }
1586
1587 return (-1);
1588 }
1589
1590 static struct frontend *
1591 create_frontend(const struct front_arg *fa)
1592 {
1593 struct frontend *fr;
1594 sslctx *so;
1595 int count = 0;
1596 struct frontend_head tmp_list;
1597 struct cfg_cert_file *cf;
1598
1599 CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC);
1600 ALLOC_OBJ(fr, FRONTEND_MAGIC);
1601 VTAILQ_INIT(&fr->socks);
1602 AN(fr);
1603
1604 fr->arg = fa;
1605 fr->match_global_certs = fa->match_global_certs;
1606 fr->sni_nomatch_abort = fa->sni_nomatch_abort;
1607
1608 VTAILQ_INIT(&tmp_list);
1609 count = frontend_listen(fa, fr);
1610 if (count < 0) {
1611 destroy_frontend(fr);
1612 return (NULL);
1613 }
1614
1615 for (cf = fa->certs; cf != NULL; cf = cf->hh.next) {
1616 so = make_ctx_fr(cf, fr, fa);
1617 if (so == NULL) {
1618 destroy_frontend(fr);
1619 return (NULL);
1620 }
1621 HASH_ADD_KEYPTR(hh, fr->ssl_ctxs,
1622 so->filename, strlen(so->filename), so);
1623 #ifndef OPENSSL_NO_TLSEXT
1624 insert_sni_names(so, &fr->sni_names);
1625 #endif
1626 if (cf->hh.next == NULL)
1627 fr->default_ctx = so;
1628 }
1629
1630 return (fr);
1631 }
1632
1633 static const void *
1634 Get_Sockaddr(const struct sockaddr *sa, socklen_t *sl);
1635
1636 static struct backend *
1637 backend_create(struct sockaddr *sa)
1638 {
1639 socklen_t len;
1640 const void *addr;
1641 struct backend *b;
1642 struct suckaddr *su;
1643
1644 addr = Get_Sockaddr(sa, &len);
1645 AN(addr);
1646 su = VSA_Malloc(addr, len);
1647 ALLOC_OBJ(b, BACKEND_MAGIC);
1648 b->backaddr = su;
1649 b->ref = 1;
1650 return (b);
1651 }
1652
1653 static struct backend *
1654 backend_ref(void)
1655 {
1656 CHECK_OBJ_NOTNULL(backaddr, BACKEND_MAGIC);
1657 AN(backaddr->ref);
1658 backaddr->ref++;
1659 return (backaddr);
1660 }
1661
1662
1663 void
1664 backend_deref(struct backend **be)
1665 {
1666 struct backend *b;
1667 b = *be;
1668
1669 CHECK_OBJ_NOTNULL(b, BACKEND_MAGIC);
1670 AN(b->ref);
1671 b->ref--;
1672
1673 if (b->ref == 0) {
1674 free(b->backaddr);
1675 FREE_OBJ(*be);
1676 }
1677 }
1678
1679 /* Initiate a clear-text nonblocking connect() to the backend IP on behalf
1680 * of a newly connected upstream (encrypted) client */
1681 static int
1682 create_back_socket(struct backend *b)
1683 {
1684 socklen_t len;
1685 const struct sockaddr *addr;
1686
1687 CHECK_OBJ_NOTNULL(b, BACKEND_MAGIC);
1688 addr = (struct sockaddr *) VSA_Get_Sockaddr(b->backaddr, &len);
1689 AN(addr);
1690 int s = socket(addr->sa_family, SOCK_STREAM, 0);
1691
1692 if (s == -1)
1693 return (-1);
1694
1695 if (addr->sa_family != PF_UNIX) {
1696 int flag = 1;
1697 int ret = setsockopt(s, IPPROTO_TCP, TCP_NODELAY,
1698 (char *)&flag, sizeof(flag));
1699 if (ret == -1)
1700 ERR("Couldn't setsockopt to backend (TCP_NODELAY):"
1701 " %s\n", strerror(errno));
1702 }
1703 if (setnonblocking(s) < 0) {
1704 (void)close(s);
1705 return (-1);
1706 }
1707 return (s);
1708 }
1709
1710 /* Only enable a libev ev_io event if the proxied connection still
1711 * has both up and down connected */
1712 static void
1713 safe_enable_io(proxystate *ps, ev_io *w)
1714 {
1715 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
1716 if (!ps->want_shutdown)
1717 ev_io_start(loop, w);
1718 }
1719
1720 static void
1721 check_exit_state(void)
1722 {
1723 if (worker_state == WORKER_EXITING && n_conns == 0) {
1724 LOGL("Worker %d (gen: %d) in state EXITING "
1725 "is now exiting.\n", core_id, worker_gen);
1726 _exit(0);
1727 }
1728 }
1729
1730 /* Only enable a libev ev_io event if the proxied connection still
1731 * has both up and down connected */
1732 static void
1733 shutdown_proxy(proxystate *ps, SHUTDOWN_REQUESTOR req)
1734 {
1735 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
1736 LOGPROXY(ps, "proxy shutdown req=%s\n", SHUTDOWN_STR[req]);
1737 if (ps->want_shutdown || req == SHUTDOWN_HARD) {
1738 ev_io_stop(loop, &ps->ev_w_ssl);
1739 ev_io_stop(loop, &ps->ev_r_ssl);
1740 ev_io_stop(loop, &ps->ev_w_handshake);
1741 ev_io_stop(loop, &ps->ev_r_handshake);
1742 ev_timer_stop(loop, &ps->ev_t_handshake);
1743 ev_io_stop(loop, &ps->ev_w_connect);
1744 ev_timer_stop(loop, &ps->ev_t_connect);
1745 ev_io_stop(loop, &ps->ev_w_clear);
1746 ev_io_stop(loop, &ps->ev_r_clear);
1747 ev_io_stop(loop, &ps->ev_proxy);
1748
1749 (void)SSL_shutdown(ps->ssl);
1750
1751 ERR_clear_error();
1752 SSL_free(ps->ssl);
1753
1754 close(ps->fd_up);
1755 close(ps->fd_down);
1756 backend_deref(&ps->backend);
1757
1758 ringbuffer_cleanup(&ps->ring_clear2ssl);
1759 ringbuffer_cleanup(&ps->ring_ssl2clear);
1760 free(ps);
1761
1762 n_conns--;
1763 check_exit_state();
1764 }
1765 else {
1766 ps->want_shutdown = 1;
1767 if (req == SHUTDOWN_CLEAR &&
1768 ringbuffer_is_empty(&ps->ring_clear2ssl))
1769 shutdown_proxy(ps, SHUTDOWN_HARD);
1770 else if (req == SHUTDOWN_SSL &&
1771 ringbuffer_is_empty(&ps->ring_ssl2clear))
1772 shutdown_proxy(ps, SHUTDOWN_HARD);
1773 }
1774 }
1775
1776 /* Handle various socket errors */
1777 static void
1778 handle_socket_errno(proxystate *ps, int backend)
1779 {
1780 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
1781 if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
1782 return;
1783
1784 if (backend)
1785 ERR("{backend} Socket error: %s\n", strerror(errno));
1786 else
1787 LOG("{client} Socket error: %s\n", strerror(errno));
1788 shutdown_proxy(ps, SHUTDOWN_CLEAR);
1789 }
1790
1791 /* Start connect to backend */
1792 static int
1793 start_connect(proxystate *ps)
1794 {
1795 int t = 1;
1796 socklen_t len;
1797 const void *addr;
1798
1799 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
1800 CHECK_OBJ_NOTNULL(ps->backend, BACKEND_MAGIC);
1801 addr = VSA_Get_Sockaddr(ps->backend->backaddr, &len);
1802 AN(addr);
1803
1804 t = connect(ps->fd_down, addr, len);
1805 if (t == 0 || errno == EINPROGRESS || errno == EINTR) {
1806 ev_io_start(loop, &ps->ev_w_connect);
1807 ev_timer_start(loop, &ps->ev_t_connect);
1808 return (0);
1809 }
1810
1811 ERR("{backend-connect}: %s\n", strerror(errno));
1812 shutdown_proxy(ps, SHUTDOWN_HARD);
1813
1814 return (-1);
1815 }
1816
1817 /* Read some data from the backend when libev says data is available--
1818 * write it into the upstream buffer and make sure the write event is
1819 * enabled for the upstream socket */
1820 static void
1821 clear_read(struct ev_loop *loop, ev_io *w, int revents)
1822 {
1823 (void) revents;
1824 int t;
1825 proxystate *ps;
1826 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1827 if (ps->want_shutdown) {
1828 ev_io_stop(loop, &ps->ev_r_clear);
1829 return;
1830 }
1831 int fd = w->fd;
1832 char *buf = ringbuffer_write_ptr(&ps->ring_clear2ssl);
1833 t = recv(fd, buf, ps->ring_clear2ssl.data_len, 0);
1834
1835 if (t > 0) {
1836 ringbuffer_write_append(&ps->ring_clear2ssl, t);
1837 if (ringbuffer_is_full(&ps->ring_clear2ssl))
1838 ev_io_stop(loop, &ps->ev_r_clear);
1839 if (ps->handshaked)
1840 safe_enable_io(ps, &ps->ev_w_ssl);
1841 }
1842 else if (t == 0) {
1843 LOGPROXY(ps,"Connection closed by %s\n",
1844 fd == ps->fd_down ? "backend" : "client");
1845 shutdown_proxy(ps, SHUTDOWN_CLEAR);
1846 }
1847 else {
1848 assert(t == -1);
1849 handle_socket_errno(ps, fd == ps->fd_down ? 1 : 0);
1850 }
1851 }
1852
1853
1854 /* Write some data, previously received on the secure upstream socket,
1855 * out of the downstream buffer and onto the backend socket */
1856 static void
1857 clear_write(struct ev_loop *loop, ev_io *w, int revents)
1858 {
1859 (void)revents;
1860 int t;
1861 proxystate *ps;
1862 int fd = w->fd;
1863 int sz;
1864
1865 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1866 assert(!ringbuffer_is_empty(&ps->ring_ssl2clear));
1867
1868 char *next = ringbuffer_read_next(&ps->ring_ssl2clear, &sz);
1869 t = send(fd, next, sz, MSG_NOSIGNAL);
1870
1871 if (t > 0) {
1872 if (t == sz) {
1873 ringbuffer_read_pop(&ps->ring_ssl2clear);
1874 if (ps->handshaked)
1875 safe_enable_io(ps, &ps->ev_r_ssl);
1876 if (ringbuffer_is_empty(&ps->ring_ssl2clear)) {
1877 if (ps->want_shutdown) {
1878 shutdown_proxy(ps, SHUTDOWN_HARD);
1879 return; // dealloc'd
1880 }
1881 ev_io_stop(loop, &ps->ev_w_clear);
1882 }
1883 } else {
1884 ringbuffer_read_skip(&ps->ring_ssl2clear, t);
1885 }
1886 } else {
1887 assert(t == -1);
1888 handle_socket_errno(ps, fd == ps->fd_down ? 1 : 0);
1889 }
1890 }
1891
1892 static void start_handshake(proxystate *ps, int err);
1893
1894 static unsigned
1895 sockaddr_port(const struct sockaddr *sa)
1896 {
1897 const struct sockaddr_in *sa4;
1898 const struct sockaddr_in6 *sa6;
1899
1900 switch (sa->sa_family) {
1901 case PF_INET:
1902 sa4 = (struct sockaddr_in *) sa;
1903 return (ntohs((sa4->sin_port)));
1904 case PF_INET6:
1905 sa6 = (struct sockaddr_in6 *) sa;
1906 return (ntohs((sa6->sin6_port)));
1907 default:
1908 return (0);
1909 }
1910 }
1911
1912 /* Continue/complete the asynchronous connect() before starting data
1913 * transmission between front/backend */
1914 static void
1915 handle_connect(struct ev_loop *loop, ev_io *w, int revents)
1916 {
1917 int t, r;
1918 proxystate *ps;
1919 socklen_t len;
1920 const void *addr;
1921
1922 (void)revents;
1923 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1924 CHECK_OBJ_NOTNULL(ps->backend, BACKEND_MAGIC);
1925 addr = VSA_Get_Sockaddr(ps->backend->backaddr, &len);
1926 AN(addr);
1927
1928 t = connect(ps->fd_down, addr, len);
1929
1930 if (!t || errno == EISCONN || !errno) {
1931 ev_io_stop(loop, &ps->ev_w_connect);
1932 ev_timer_stop(loop, &ps->ev_t_connect);
1933
1934 if (!ps->clear_connected) {
1935 struct sockaddr_storage ss;
1936 socklen_t sl;
1937
1938 sl = sizeof(addr);
1939 r = getsockname(ps->fd_down,
1940 (struct sockaddr *) &ss, &sl);
1941 AZ(r);
1942 ps->connect_port = sockaddr_port(
1943 (struct sockaddr *) &ss);
1944 LOGPROXY(ps, "backend connected\n");
1945
1946 ps->clear_connected = 1;
1947
1948 /* if incoming buffer is not full */
1949 if (!ringbuffer_is_full(&ps->ring_clear2ssl))
1950 safe_enable_io(ps, &ps->ev_r_clear);
1951
1952 /* if outgoing buffer is not empty */
1953 if (!ringbuffer_is_empty(&ps->ring_ssl2clear))
1954 // not safe.. we want to resume stream
1955 // even during half-closed
1956 ev_io_start(loop, &ps->ev_w_clear);
1957 } else {
1958 /* Clear side already connected so connect is on
1959 * secure side: perform handshake */
1960 start_handshake(ps, SSL_ERROR_WANT_WRITE);
1961 }
1962 }
1963 else if (errno == EINPROGRESS || errno == EINTR || errno == EALREADY) {
1964 /* do nothing, we'll get phoned home again... */
1965 } else {
1966 ERR("{backend-connect}: %s\n", strerror(errno));
1967 shutdown_proxy(ps, SHUTDOWN_HARD);
1968 }
1969 }
1970
1971 static void
1972 connect_timeout(EV_P_ ev_timer *w, int revents)
1973 {
1974 (void)loop;
1975 (void)revents;
1976 proxystate *ps;
1977 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
1978 ERRPROXY(ps,"backend connect timeout\n");
1979 //shutdown_proxy(ps, SHUTDOWN_HARD);
1980 }
1981
1982 /* Upon receiving a signal from OpenSSL that a handshake is required, re-wire
1983 * the read/write events to hook up to the handshake handlers */
1984 static void
1985 start_handshake(proxystate *ps, int err)
1986 {
1987 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
1988
1989 ev_io_stop(loop, &ps->ev_r_ssl);
1990 ev_io_stop(loop, &ps->ev_w_ssl);
1991
1992 ps->handshaked = 0;
1993
1994 LOGPROXY(ps,"ssl handshake start\n");
1995 if (err == SSL_ERROR_WANT_READ)
1996 ev_io_start(loop, &ps->ev_r_handshake);
1997 else if (err == SSL_ERROR_WANT_WRITE)
1998 ev_io_start(loop, &ps->ev_w_handshake);
1999 ev_timer_start(loop, &ps->ev_t_handshake);
2000 }
2001
2002 #if defined(OPENSSL_WITH_NPN) || defined(OPENSSL_WITH_ALPN)
2003 static void
2004 get_alpn(proxystate *ps, const unsigned char **selected, unsigned *len) {
2005 *selected = NULL;
2006 *len = 0;
2007 #ifdef OPENSSL_WITH_ALPN
2008 SSL_get0_alpn_selected(ps->ssl, selected, len);
2009 #endif
2010 #ifdef OPENSSL_WITH_NPN
2011 if (*len == 0)
2012 SSL_get0_next_proto_negotiated(ps->ssl, selected, len);
2013 #endif
2014 }
2015 #endif /* OPENSSL_WITH_NPN || OPENSSL_WITH_ALPN */
2016
2017 static int
2018 proxy_tlv_append(char *dst, ssize_t dstlen, unsigned type,
2019 const char *val, ssize_t len)
2020 {
2021 if (len == -1)
2022 len = strlen(val);
2023 if (dstlen < len + 3)
2024 return (0);
2025 dst[0] = type;
2026 dst[1] = (len >> 8) & 0xff;
2027 dst[2] = len & 0xff;
2028 memcpy(dst + 3, val, len);
2029 return (len + 3);
2030 }
2031
2032 static int
2033 proxy_tlv_cert(struct proxystate *ps, char *dst, ssize_t dstlen)
2034 {
2035 X509 *crt;
2036 BIO *bio;
2037 struct buf_mem_st bm[1];
2038
2039 crt = SSL_get_peer_certificate(ps->ssl);
2040 if (crt == NULL)
2041 return (0);
2042
2043 memset(bm, 0, sizeof(*bm));
2044 /* set aside the first three bytes for PROXY tlv type and size */
2045 bm->data = dst + 3;
2046 bm->max = dstlen - 3;
2047 bio = BIO_new(BIO_s_mem());
2048 AN(bio); /* this should only fail if OOM */
2049 BIO_set_mem_buf(bio, bm, BIO_NOCLOSE);
2050
2051 if (PEM_write_bio_X509_AUX(bio, crt) == 0) {
2052 BIO_free(bio);
2053 X509_free(crt);
2054 log_ssl_error(ps,
2055 "proxy-client-cert (PEM_write_bio_X509_AUX) failed");
2056 return (0);
2057 }
2058 X509_free(crt);
2059 AN(BIO_free(bio));
2060
2061 /* Type flag. Types 0xe0-0xef are available for custom
2062 * application-specific use. */
2063 dst[0] = 0xe0;
2064
2065 dst[1] = (bm->length >> 8) & 0xff;
2066 dst[2] = bm->length & 0xff;
2067
2068 return (bm->length + 3);
2069 }
2070
2071 static void
2072 write_proxy_v2(proxystate *ps, const struct sockaddr *local)
2073 {
2074 struct pp2_hdr *p;
2075 size_t len = 16, maxlen;
2076 char *base;
2077 const char *tlv_tok;
2078 unsigned tlv_len;
2079 int i;
2080
2081 union addr {
2082 struct sockaddr sa;
2083 struct sockaddr_in sa4;
2084 struct sockaddr_in6 sa6;
2085 } *l, *r;
2086
2087 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
2088 base = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2089 p = (struct pp2_hdr *)base;
2090 l = (union addr *) local;
2091 r = (union addr *) &ps->remote_ip;
2092 maxlen = ps->ring_ssl2clear.data_len;
2093 /* XXX: should it be rounded down to PP2_HEADER_MAX? */
2094
2095 memcpy(&p->sig, PP2_SIG, sizeof PP2_SIG);
2096 p->ver_cmd = PP2_VERSION|PP2_CMD_PROXY;
2097 p->fam = l->sa.sa_family == AF_INET ?
2098 PP2_TRANS_STREAM|PP2_FAM_INET :
2099 PP2_TRANS_STREAM|PP2_FAM_INET6;
2100
2101 if (l->sa.sa_family == AF_INET) {
2102 len += 12;
2103
2104 /* src/client */
2105 memcpy(&p->addr.ipv4.src_addr, &r->sa4.sin_addr.s_addr,
2106 sizeof p->addr.ipv4.src_addr);
2107 memcpy(&p->addr.ipv4.src_port, &r->sa4.sin_port,
2108 sizeof p->addr.ipv4.src_port);
2109
2110 /* dst/server */
2111 memcpy(&p->addr.ipv4.dst_addr, &l->sa4.sin_addr.s_addr,
2112 sizeof p->addr.ipv4.dst_addr);
2113 memcpy(&p->addr.ipv4.dst_port, &l->sa4.sin_port,
2114 sizeof p->addr.ipv4.dst_port);
2115 } else {
2116 assert (l->sa.sa_family == AF_INET6);
2117 len += 36;
2118
2119 /* src/client */
2120 memcpy(&p->addr.ipv6.src_addr, &r->sa6.sin6_addr.s6_addr,
2121 sizeof p->addr.ipv6.src_addr);
2122 memcpy(&p->addr.ipv6.src_port, &r->sa6.sin6_port,
2123 sizeof p->addr.ipv6.src_port);
2124
2125 /* dst/server */
2126 memcpy(&p->addr.ipv6.dst_addr, &l->sa6.sin6_addr.s6_addr,
2127 sizeof p->addr.ipv6.dst_addr);
2128 memcpy(&p->addr.ipv6.dst_port, &l->sa6.sin6_port,
2129 sizeof p->addr.ipv6.dst_port);
2130 }
2131
2132 /* This is where we add something related to NPN or ALPN*/
2133 #if defined(OPENSSL_WITH_ALPN) || defined(OPENSSL_WITH_NPN)
2134 tlv_tok = NULL;
2135 tlv_len = 0;
2136 get_alpn(ps, (const unsigned char **)&tlv_tok, &tlv_len);
2137 if (tlv_len > 0) {
2138 /* let the server know that a protocol was selected. */
2139 i = proxy_tlv_append(base + len, maxlen - len,
2140 PP2_TYPE_ALPN, tlv_tok, tlv_len);
2141 AN(i);
2142 len += i;
2143 }
2144 #endif
2145 if (CONFIG->PROXY_AUTHORITY) {
2146 tlv_tok = SSL_get_servername(ps->ssl,
2147 TLSEXT_NAMETYPE_host_name);
2148 if (tlv_tok != NULL) {
2149 tlv_len = strlen(tlv_tok);
2150 i = proxy_tlv_append(base + len, maxlen - len,
2151 PP2_TYPE_AUTHORITY, tlv_tok, tlv_len);
2152 len += i;
2153 }
2154 }
2155 if (CONFIG->PROXY_CLIENT_CERT)
2156 len += proxy_tlv_cert(ps, base + len, maxlen - len);
2157
2158 if (CONFIG->PROXY_TLV) {
2159 X509 *crt;
2160 ssize_t sz = 0;
2161 struct pp2_tlv_ssl *tlv;
2162 char *tlvp = base + len;
2163 const char *tmp;
2164
2165 tlvp[0] = PP2_TYPE_SSL;
2166 /* tlvp[1..2] to be updated with payload length later */
2167 len += 3;
2168 tlv = (struct pp2_tlv_ssl *) (&base[len]);
2169 tlv->client = PP2_CLIENT_SSL;
2170 tlv->verify = htonl(1);
2171
2172 /* PP2_CLIENT_CERT_SESS */
2173 crt = SSL_get_peer_certificate(ps->ssl);
2174 if (crt) {
2175 tlv->client |= PP2_CLIENT_CERT_SESS;
2176 tlv->verify = htonl(SSL_get_verify_result(ps->ssl));
2177 X509_free(crt);
2178 }
2179
2180 /* PP2_CLIENT_CERT_CONN */
2181 if (ps->client_cert_conn)
2182 tlv->client |= PP2_CLIENT_CERT_CONN;
2183 len += 5;
2184 sz += 5;
2185
2186 tmp = SSL_get_version(ps->ssl);
2187 AN(tmp);
2188 i = proxy_tlv_append(base + len, maxlen - len,
2189 PP2_SUBTYPE_SSL_VERSION, tmp, -1);
2190 len += i;
2191 sz += i;
2192
2193 tmp = SSL_get_cipher_name(ps->ssl);
2194 AN(tmp);
2195 i = proxy_tlv_append(base + len, maxlen - len,
2196 PP2_SUBTYPE_SSL_CIPHER, tmp, -1);
2197 len += i;
2198 sz += i;
2199
2200 tlvp[1] = (sz >> 8) & 0xff;
2201 tlvp[2] = sz & 0xff;
2202 }
2203
2204 p->len = htons(len - 16);
2205 ringbuffer_write_append(&ps->ring_ssl2clear, len);
2206 }
2207
2208 static void
2209 write_proxy_v1(proxystate *ps, const struct sockaddr *local, socklen_t slen)
2210 {
2211 char *p;
2212 char src_addr[INET6_ADDRSTRLEN+1], dst_addr[INET6_ADDRSTRLEN+1];
2213 char src_port[8], dst_port[8];
2214 size_t len;
2215 int n;
2216
2217 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
2218
2219 p = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2220 n = getnameinfo(local, slen, dst_addr, sizeof dst_addr, dst_port,
2221 sizeof dst_port, NI_NUMERICHOST | NI_NUMERICSERV);
2222 AZ(n);
2223
2224 n = getnameinfo((struct sockaddr *) &ps->remote_ip, slen, src_addr,
2225 sizeof src_addr, src_port, sizeof src_port,
2226 NI_NUMERICHOST | NI_NUMERICSERV);
2227 AZ(n);
2228
2229 if (local->sa_family == AF_INET) {
2230 len = sprintf(p, "PROXY TCP4 %s %s %s %s\r\n", src_addr,
2231 dst_addr, src_port, dst_port);
2232 } else {
2233 assert (local->sa_family == AF_INET6);
2234 len = sprintf(p, "PROXY TCP6 %s %s %s %s\r\n", src_addr,
2235 dst_addr, src_port, dst_port);
2236 }
2237 assert (len > 0);
2238 ringbuffer_write_append(&ps->ring_ssl2clear, len);
2239 }
2240
2241 static void
2242 write_ip_octet(proxystate *ps)
2243 {
2244 char *ring_pnt;
2245
2246 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
2247 ring_pnt = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2248 assert(ps->remote_ip.ss_family == AF_INET ||
2249 ps->remote_ip.ss_family == AF_INET6);
2250 *ring_pnt++ = (unsigned char) ps->remote_ip.ss_family;
2251 if (ps->remote_ip.ss_family == AF_INET6) {
2252 memcpy(ring_pnt,
2253 &((struct sockaddr_in6 *)
2254 &ps->remote_ip)->sin6_addr.s6_addr, 16U);
2255 ringbuffer_write_append(&ps->ring_ssl2clear, 1U + 16U);
2256 }
2257 else {
2258 memcpy(ring_pnt, &((struct sockaddr_in *)
2259 &ps->remote_ip)->sin_addr.s_addr, 4U);
2260 ringbuffer_write_append(&ps->ring_ssl2clear, 1U + 4U);
2261 }
2262 }
2263
2264 #if defined(OPENSSL_WITH_NPN) || defined(OPENSSL_WITH_ALPN)
2265 static int is_protocol_matching(const unsigned char *selected, unsigned len) {
2266 int unsigned i = 0;
2267 if (CONFIG->ALPN_PROTOS_LV != NULL) {
2268 while (i < CONFIG->ALPN_PROTOS_LV_LEN) {
2269 if(CONFIG->ALPN_PROTOS_LV[i] == len &&
2270 0 == memcmp(selected,
2271 CONFIG->ALPN_PROTOS_LV + i + 1,
2272 len))
2273 return (1);
2274 i+= CONFIG->ALPN_PROTOS_LV[i] + 1;
2275 }
2276 }
2277 return (0);
2278 }
2279
2280 static int is_alpn_shutdown_needed(proxystate *ps) {
2281 const unsigned char *alpn_tok;
2282 unsigned alpn_len;
2283
2284 if (CONFIG->ALPN_PROTOS_LV == NULL)
2285 return (0);
2286
2287 get_alpn(ps, &alpn_tok, &alpn_len);
2288 if (alpn_len == 0) {
2289 /* If alpn / npn was tried, shut down */
2290 if(ps->npn_alpn_tried) {
2291 LOGPROXY(ps, "Unsuccessful NPN/ALPN negotiation\n");
2292 return (1);
2293 } else
2294 LOGPROXY(ps, "No NPN/ALPN negotiation happened.\n");
2295 } else if (!is_protocol_matching(alpn_tok, alpn_len)) {
2296 LOGPROXY(ps, "NPN: Unknown protocol selected\n");
2297 return (1);
2298 } else
2299 LOGPROXY(ps, "NPN/ALPN protocol: %.*s\n",
2300 alpn_len, alpn_tok);
2301 return (0);
2302 }
2303 #endif
2304
2305 /* After OpenSSL is done with a handshake, re-wire standard read/write handlers
2306 * for data transmission */
2307 static void end_handshake(proxystate *ps) {
2308 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
2309 ev_io_stop(loop, &ps->ev_r_handshake);
2310 ev_io_stop(loop, &ps->ev_w_handshake);
2311 ev_timer_stop(loop, &ps->ev_t_handshake);
2312
2313 #if defined(OPENSSL_WITH_NPN) || defined(OPENSSL_WITH_ALPN)
2314 if (is_alpn_shutdown_needed(ps)) {
2315 shutdown_proxy(ps, SHUTDOWN_HARD);
2316 return;
2317 }
2318 #endif
2319 LOGPROXY(ps,"ssl end handshake\n");
2320 /* Disable renegotiation (CVE-2009-3555) */
2321 #ifdef HAVE_STRUCT_SSL_ST_S3
2322 /* For OpenSSL 1.1, setting the following flag does not seem
2323 * to be possible. This is OK, since SSLv3 negotiation will
2324 * not happen in OpenSSL 0.9.8m or later unless
2325 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. */
2326 if (ps->ssl->s3) {
2327 ps->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
2328 }
2329 #endif
2330 ps->handshaked = 1;
2331
2332 /* Check if clear side is connected */
2333 if (!ps->clear_connected) {
2334 if (CONFIG->WRITE_PROXY_LINE_V1 ||
2335 CONFIG->WRITE_PROXY_LINE_V2) {
2336 struct sockaddr_storage local;
2337 socklen_t slen = sizeof local;
2338 AZ(getsockname(ps->fd_up, (struct sockaddr *) &local,
2339 &slen));
2340 if (CONFIG->WRITE_PROXY_LINE_V1)
2341 write_proxy_v1(ps, (struct sockaddr *) &local,
2342 slen);
2343 else
2344 write_proxy_v2(ps, (struct sockaddr *) &local);
2345 } else if (CONFIG->WRITE_IP_OCTET) {
2346 write_ip_octet(ps);
2347 }
2348
2349 /* start connect now */
2350 if (0 != start_connect(ps))
2351 return;
2352 } else {
2353 /* hitch used in client mode, keep client session ) */
2354 if (!SSL_session_reused(ps->ssl)) {
2355 if (client_session)
2356 SSL_SESSION_free(client_session);
2357 client_session = SSL_get1_session(ps->ssl);
2358 }
2359 }
2360
2361 /* if incoming buffer is not full */
2362 if (!ringbuffer_is_full(&ps->ring_ssl2clear))
2363 safe_enable_io(ps, &ps->ev_r_ssl);
2364
2365 /* if outgoing buffer is not empty */
2366 if (!ringbuffer_is_empty(&ps->ring_clear2ssl))
2367 // not safe.. we want to resume stream even during half-closed
2368 ev_io_start(loop, &ps->ev_w_ssl);
2369 }
2370
2371
2372 static int
2373 client_proxy_proxy2(struct proxystate *ps, BIO *b, char *buf, int c)
2374 {
2375 struct pp2_hdr hdr;
2376 char *ring, *p;
2377 int n, sz, rlen;
2378
2379 memcpy(&hdr, buf, c);
2380 p = (char *) &hdr;
2381 p += c;
2382
2383 n = BIO_read(b, p, PP2_HDR_LEN - c);
2384 if (n <= 0 || n != PP2_HDR_LEN - c) {
2385 LOG("{client} Unexpected read error in proxy-proxyv2: "
2386 "BIO_read: %d\n", n);
2387 shutdown_proxy(ps, SHUTDOWN_SSL);
2388 return (1);
2389 }
2390
2391 sz = ntohs(hdr.len);
2392 AN(ringbuffer_is_empty(&ps->ring_ssl2clear));
2393 rlen = ps->ring_ssl2clear.data_len;
2394 if (sz + PP2_HDR_LEN > rlen) {
2395 /* we have 32k of space, so this should relly never occur. */
2396 LOG("{client} PROXYv2 overflow: header too long\n");
2397 shutdown_proxy(ps, SHUTDOWN_SSL);
2398 return (1);
2399 }
2400
2401 ring = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2402 memcpy(ring, &hdr, PP2_HDR_LEN);
2403 n = BIO_read(b, ring + PP2_HDR_LEN, sz);
2404 if (n != sz) {
2405 LOG("{client} proxy-proxyv2: Short read: %d\n", n);
2406 shutdown_proxy(ps, SHUTDOWN_SSL);
2407 return (1);
2408 }
2409 ringbuffer_write_append(&ps->ring_ssl2clear, n + PP2_HDR_LEN);
2410 return (0);
2411 }
2412
2413 static int
2414 client_proxy_proxy1(struct proxystate *ps, BIO *b, char *buf, int n)
2415 {
2416 char *begin, *end, *p;
2417 int t;
2418
2419 assert(ringbuffer_is_empty(&ps->ring_ssl2clear));
2420 begin = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2421
2422 /* PROXY spec says 107 bytes is the maximum size */
2423 end = begin + 108;
2424 memcpy(begin, buf, n);
2425 p = begin + n;
2426
2427 // Copy characters one-by-one until we hit a \n or an error
2428 while (p != end && (t = BIO_read(b, p, 1)) == 1) {
2429 if (*p++ == '\n')
2430 break;
2431 }
2432
2433 if (p == end) {
2434 LOG("{client} Unexpectedly long PROXY line. Malformed req?\n");
2435 shutdown_proxy(ps, SHUTDOWN_SSL);
2436 return (1);
2437 } else if (t != 1) {
2438 LOG("{client} Unexpected error reading PROXY line\n");
2439 shutdown_proxy(ps, SHUTDOWN_SSL);
2440 return (1);
2441
2442 }
2443
2444 ringbuffer_write_append(&ps->ring_ssl2clear,
2445 p - begin);
2446 return (0);
2447 }
2448
2449 static void
2450 client_proxy_proxy(struct ev_loop *loop, ev_io *w, int revents)
2451 {
2452 proxystate *ps;
2453 BIO *b;
2454 char buf[32];
2455 int n;
2456
2457 (void) revents;
2458
2459 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2460 b = SSL_get_rbio(ps->ssl);
2461
2462 /* PROXYv1: 'PROXY ' */
2463 /* PROXYv2: PP2_SIG, (12 octets) */
2464
2465 n = BIO_read(b, buf, 12);
2466 if (n != 12) {
2467 LOG("{client} Unexpected read error in proxy-proxyv2: "
2468 "BIO_read: %d\n", n);
2469 shutdown_proxy(ps, SHUTDOWN_SSL);
2470 return;
2471 }
2472
2473 if (memcmp(buf, "PROXY ", 6) == 0) {
2474 if (client_proxy_proxy1(ps, b, buf, n))
2475 return;
2476 } else if (memcmp(buf, PP2_SIG, 12) == 0) {
2477 if (client_proxy_proxy2(ps, b, buf, n))
2478 return;
2479 } else {
2480 LOG("{client} Received invalid PROXY/PROXYv2 header\n");
2481 shutdown_proxy(ps, SHUTDOWN_SSL);
2482 return;
2483 }
2484
2485 ev_io_stop(loop, &ps->ev_proxy);
2486 start_handshake(ps, SSL_ERROR_WANT_READ);
2487 }
2488
2489 /* The libev I/O handler during the OpenSSL handshake phase. Basically, just
2490 * let OpenSSL do what it likes with the socket and obey its requests for reads
2491 * or writes */
2492 static void
2493 client_handshake(struct ev_loop *loop, ev_io *w, int revents)
2494 {
2495 (void)revents;
2496 int t;
2497 const char *errtok;
2498 proxystate *ps;
2499 int errno_val;
2500
2501
2502 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2503
2504 LOGPROXY(ps,"ssl client handshake revents=%x\n",revents);
2505 t = SSL_do_handshake(ps->ssl);
2506 if (t == 1) {
2507 end_handshake(ps);
2508 } else {
2509 errno_val = errno;
2510 int err = SSL_get_error(ps->ssl, t);
2511 switch (err) {
2512 #define SSL_ERR(a) \
2513 case a: errtok = #a; break;
2514 #include "ssl_err.h"
2515 #undef SSL_ERR
2516 default:
2517 errtok = "<undefined>";
2518 }
2519
2520 LOGPROXY(ps,"ssl client handshake err=%s\n",errtok);
2521 if (err == SSL_ERROR_WANT_READ) {
2522 ev_io_stop(loop, &ps->ev_w_handshake);
2523 ev_io_start(loop, &ps->ev_r_handshake);
2524 } else if (err == SSL_ERROR_WANT_WRITE) {
2525 ev_io_stop(loop, &ps->ev_r_handshake);
2526 ev_io_start(loop, &ps->ev_w_handshake);
2527 } else if (err == SSL_ERROR_ZERO_RETURN) {
2528 LOG("{%s} Connection closed (in handshake)\n",
2529 w->fd == ps->fd_up ? "client" : "backend");
2530 shutdown_proxy(ps, SHUTDOWN_SSL);
2531 } else if (err == SSL_ERROR_SYSCALL) {
2532 LOG("{%s} SSL socket error in handshake: %s\n",
2533 w->fd == ps->fd_up ? "client" : "backend",
2534 strerror(errno_val));
2535 shutdown_proxy(ps, SHUTDOWN_SSL);
2536 } else {
2537 if (err == SSL_ERROR_SSL) {
2538 log_ssl_error(ps, "Handshake failure");
2539 } else {
2540 LOG("{%s} Unexpected SSL error "
2541 "(in handshake): %d\n",
2542 w->fd == ps->fd_up ? "client" : "backend",
2543 err);
2544 }
2545 shutdown_proxy(ps, SHUTDOWN_SSL);
2546 }
2547 }
2548 }
2549
2550 static void
2551 handshake_timeout(EV_P_ ev_timer *w, int revents)
2552 {
2553 (void)loop;
2554 (void)revents;
2555 proxystate *ps;
2556 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2557 LOGPROXY(ps,"SSL handshake timeout\n");
2558 shutdown_proxy(ps, SHUTDOWN_HARD);
2559 }
2560
2561 #define SSLERR(ps, which, log) \
2562 switch (err) { \
2563 case SSL_ERROR_ZERO_RETURN: \
2564 log(ps,"Connection closed by " which "\n"); \
2565 break; \
2566 case SSL_ERROR_SYSCALL: \
2567 if (errno == 0) { \
2568 log(ps,"Connection closed by " which "\n"); \
2569 } else { \
2570 log(ps,"SSL socket error (" which "): %s\n", \
2571 strerror(errno)); \
2572 } \
2573 break; \
2574 default: \
2575 log(ps,"{" which "} Unexpected SSL_read error (" \
2576 which "): %d\n", err); \
2577 }
2578
2579 /* Handle a socket error condition passed to us from OpenSSL */
2580 static void
2581 handle_fatal_ssl_error(proxystate *ps, int err, int backend)
2582 {
2583 CHECK_OBJ_NOTNULL(ps, PROXYSTATE_MAGIC);
2584 if (backend) {
2585 SSLERR(ps, "backend", ERRPROXY);
2586 } else {
2587 SSLERR(ps, "client", LOGPROXY);
2588 }
2589 shutdown_proxy(ps, SHUTDOWN_SSL);
2590 }
2591
2592 /* Read some data from the upstream secure socket via OpenSSL,
2593 * and buffer anything we get for writing to the backend */
2594 static void
2595 ssl_read(struct ev_loop *loop, ev_io *w, int revents)
2596 {
2597 (void)revents;
2598 int t;
2599 proxystate *ps;
2600
2601 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2602
2603 if (ps->want_shutdown) {
2604 ev_io_stop(loop, &ps->ev_r_ssl);
2605 return;
2606 }
2607 if (ringbuffer_is_full(&ps->ring_ssl2clear)) {
2608 ERRPROXY(ps, "attempt to read ssl when ring full");
2609 ev_io_stop(loop, &ps->ev_r_ssl);
2610 return;
2611 }
2612
2613 char *buf = ringbuffer_write_ptr(&ps->ring_ssl2clear);
2614 t = SSL_read(ps->ssl, buf, ps->ring_ssl2clear.data_len);
2615
2616 /* Fix CVE-2009-3555. Disable reneg if started by client. */
2617 if (ps->renegotiation) {
2618 shutdown_proxy(ps, SHUTDOWN_SSL);
2619 return;
2620 }
2621
2622 if (t > 0) {
2623 ringbuffer_write_append(&ps->ring_ssl2clear, t);
2624 if (ringbuffer_is_full(&ps->ring_ssl2clear))
2625 ev_io_stop(loop, &ps->ev_r_ssl);
2626 if (ps->clear_connected)
2627 safe_enable_io(ps, &ps->ev_w_clear);
2628 } else {
2629 int err = SSL_get_error(ps->ssl, t);
2630 if (err == SSL_ERROR_WANT_WRITE) {
2631 start_handshake(ps, err);
2632 } else if (err == SSL_ERROR_WANT_READ) {
2633 /* NOOP. Incomplete SSL data */
2634 } else {
2635 if (err == SSL_ERROR_SSL) {
2636 log_ssl_error(ps, "SSL_read error");
2637 }
2638 handle_fatal_ssl_error(ps, err,
2639 w->fd == ps->fd_up ? 0 : 1);
2640 }
2641 }
2642 }
2643
2644 /* Write some previously-buffered backend data upstream on the
2645 * secure socket using OpenSSL */
2646 static void
2647 ssl_write(struct ev_loop *loop, ev_io *w, int revents)
2648 {
2649 (void)revents;
2650 int t;
2651 int sz;
2652 proxystate *ps;
2653
2654 CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);
2655
2656 assert(!ringbuffer_is_empty(&ps->ring_clear2ssl));
2657 char *next = ringbuffer_read_next(&ps->ring_clear2ssl, &sz);
2658 t = SSL_write(ps->ssl, next, sz);
2659 if (t > 0) {
2660 if (t == sz) {
2661 ringbuffer_read_pop(&ps->ring_clear2ssl);
2662 if (ps->clear_connected)
2663 // can be re-enabled b/c we've popped
2664 safe_enable_io(ps, &ps->ev_r_clear);
2665 if (ringbuffer_is_empty(&ps->ring_clear2ssl)) {
2666 if (ps->want_shutdown) {
2667 shutdown_proxy(ps, SHUTDOWN_HARD);
2668 return;
2669 }
2670 ev_io_stop(loop, &ps->ev_w_ssl);
2671 }
2672 } else {
2673 ringbuffer_read_skip(&ps->ring_clear2ssl, t);
2674 }
2675 } else {
2676 int err = SSL_get_error(ps->ssl, t);
2677 if (err == SSL_ERROR_WANT_READ) {
2678 start_handshake(ps, err);
2679 } else if (err == SSL_ERROR_WANT_WRITE) {
2680 /* NOOP. Incomplete SSL data */
2681 } else {
2682 if (err == SSL_ERROR_SSL) {
2683 log_ssl_error(ps, "SSL_write error");
2684 } else {
2685 LOG("{%s} SSL_write error: %d\n",
2686 w->fd == ps->fd_up ? "client" : "backend",
2687 err);
2688 }
2689 handle_fatal_ssl_error(ps, err,
2690 w->fd == ps->fd_up ? 0 : 1);
2691 }
2692 }
2693 }
2694
2695
2696 /* libev read handler for the bound sockets. Socket is accepted,
2697 * the proxystate is allocated and initalized, and we're off the races
2698 * connecting to the backend */
2699 static void
2700 handle_accept(struct ev_loop *loop, ev_io *w, int revents)
2701 {
2702 (void)revents;
2703 (void)loop;
2704 struct sockaddr_storage addr;
2705 sslctx *so;
2706 struct frontend *fr;
2707 proxystate *ps;
2708 socklen_t sl = sizeof(addr);
2709
2710 #if HAVE_ACCEPT4==1
2711 int client = accept4(w->fd, (struct sockaddr *) &addr, &sl,
2712 SOCK_NONBLOCK);
2713 #else
2714 int client = accept(w->fd, (struct sockaddr *) &addr, &sl);
2715 #endif
2716 if (client == -1) {
2717 switch (errno) {
2718 case EMFILE:
2719 ERR("{client} accept() failed; "
2720 "too many open files for this process\n");
2721 break;
2722
2723 case ENFILE:
2724 ERR("{client} accept() failed; "
2725 "too many open files for this system\n");
2726 break;
2727
2728 default:
2729 if (errno != EINTR && errno != EWOULDBLOCK &&
2730 errno != EAGAIN && errno != ENOTTY &&
2731 errno != ECONNABORTED) {
2732 SOCKERR("{client} accept() failed");
2733 }
2734 }
2735 return;
2736 }
2737
2738 int flag = 1;
2739 int ret = setsockopt(client, IPPROTO_TCP, TCP_NODELAY,
2740 (char *)&flag, sizeof(flag) );
2741 if (ret == -1) {
2742 SOCKERR("Couldn't setsockopt on client (TCP_NODELAY)");
2743 }
2744 #ifdef TCP_CWND
2745 int cwnd = 10;
2746 ret = setsockopt(client, IPPROTO_TCP, TCP_CWND, &cwnd, sizeof(cwnd));
2747 if (ret == -1) {
2748 SOCKERR("Couldn't setsockopt on client (TCP_CWND)");
2749 }
2750 #endif
2751
2752 #if HAVE_ACCEPT4==0
2753 if (setnonblocking(client) < 0) {
2754 SOCKERR("{client} setnonblocking failed");
2755 (void) close(client);
2756 return;
2757 }
2758 #endif
2759
2760 settcpkeepalive(client);
2761
2762 ALLOC_OBJ(ps, PROXYSTATE_MAGIC);
2763 if (ps == NULL) {
2764 (void)close(client);
2765 ERR("{malloc-err}: %s\n", strerror(errno));
2766 return;
2767 }
2768
2769 ps->backend = backend_ref();
2770 ps->fd_down = create_back_socket(ps->backend);
2771 if (ps->fd_down == -1) {
2772 (void) close(client);
2773 backend_deref(&ps->backend);
2774 free(ps);
2775 ERR("{backend-socket}: %s\n", strerror(errno));
2776 return;
2777 }
2778
2779
2780 CAST_OBJ_NOTNULL(fr, w->data, FRONTEND_MAGIC);
2781 if (fr->default_ctx != NULL)
2782 CAST_OBJ_NOTNULL(so, fr->default_ctx, SSLCTX_MAGIC);
2783 else
2784 CAST_OBJ_NOTNULL(so, default_ctx, SSLCTX_MAGIC);
2785
2786 SSL *ssl = SSL_new(so->ctx);
2787 if (ssl == NULL) {
2788 (void)close(ps->fd_down);
2789 (void)close(client);
2790 backend_deref(&ps->backend);
2791 free(ps);
2792 ERR("{SSL_new}: %s\n", strerror(errno));
2793 return;
2794 }
2795
2796 long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
2797 #ifdef SSL_MODE_RELEASE_BUFFERS
2798 mode |= SSL_MODE_RELEASE_BUFFERS;
2799 #endif
2800 SSL_set_mode(ssl, mode);
2801 SSL_set_accept_state(ssl);
2802 SSL_set_fd(ssl, client);
2803
2804 ps->fd_up = client;
2805 ps->ssl = ssl;
2806 ps->want_shutdown = 0;
2807 ps->clear_connected = 0;
2808 ps->handshaked = 0;
2809 ps->renegotiation = 0;
2810 ps->remote_ip = addr;
2811 ps->connect_port = 0;
2812
2813 ringbuffer_init(&ps->ring_clear2ssl, CONFIG->RING_SLOTS,
2814 CONFIG->RING_DATA_LEN);
2815 ringbuffer_init(&ps->ring_ssl2clear, CONFIG->RING_SLOTS,
2816 CONFIG->RING_DATA_LEN);
2817
2818 /* set up events */
2819 ev_io_init(&ps->ev_r_ssl, ssl_read, client, EV_READ);
2820 ev_io_init(&ps->ev_w_ssl, ssl_write, client, EV_WRITE);
2821
2822 ev_io_init(&ps->ev_r_handshake, client_handshake, client, EV_READ);
2823 ev_io_init(&ps->ev_w_handshake, client_handshake, client, EV_WRITE);
2824 ev_timer_init(&ps->ev_t_handshake, handshake_timeout,
2825 CONFIG->SSL_HANDSHAKE_TIMEOUT, 0.);
2826
2827 ev_io_init(&ps->ev_proxy, client_proxy_proxy, client, EV_READ);
2828 ev_io_init(&ps->ev_w_connect, handle_connect, ps->fd_down, EV_WRITE);
2829 ev_timer_init(&ps->ev_t_connect, connect_timeout,
2830 CONFIG->BACKEND_CONNECT_TIMEOUT, 0.);
2831
2832 ev_io_init(&ps->ev_w_clear, clear_write, ps->fd_down, EV_WRITE);
2833 ev_io_init(&ps->ev_r_clear, clear_read, ps->fd_down, EV_READ);
2834
2835 ps->ev_r_ssl.data = ps;
2836 ps->ev_w_ssl.data = ps;
2837 ps->ev_r_clear.data = ps;
2838 ps->ev_w_clear.data = ps;
2839 ps->ev_proxy.data = ps;
2840 ps->ev_w_connect.data = ps;
2841 ps->ev_t_connect.data = ps;
2842 ps->ev_r_handshake.data = ps;
2843 ps->ev_w_handshake.data = ps;
2844 ps->ev_t_handshake.data = ps;
2845
2846 /* Link back proxystate to SSL state */
2847 SSL_set_app_data(ssl, ps);
2848
2849 n_conns++;
2850
2851 LOGPROXY(ps, "proxy connect\n");
2852 if (CONFIG->PROXY_PROXY_LINE) {
2853 ev_io_start(loop, &ps->ev_proxy);
2854 } else {
2855 /* for client-first handshake */
2856 start_handshake(ps, SSL_ERROR_WANT_READ);
2857 }
2858 }
2859
2860
2861 static void
2862 check_ppid(struct ev_loop *loop, ev_timer *w, int revents)
2863 {
2864 struct frontend *fr;
2865 struct listen_sock *ls;
2866 (void)revents;
2867 pid_t ppid = getppid();
2868 if (ppid != master_pid) {
2869 ERR("{core} Process %d detected parent death, "
2870 "closing listener sockets.\n", core_id);
2871 ev_timer_stop(loop, w);
2872 VTAILQ_FOREACH(fr, &frontends, list) {
2873 CHECK_OBJ_NOTNULL(fr, FRONTEND_MAGIC);
2874 VTAILQ_FOREACH(ls, &fr->socks, list) {
2875 CHECK_OBJ_NOTNULL(ls, LISTEN_SOCK_MAGIC);
2876 ev_io_stop(loop, &ls->listener);
2877 close(ls->sock);
2878 }
2879 }
2880 }
2881 }
2882
2883 static const void *
2884 Get_Sockaddr(const struct sockaddr *sa, socklen_t *sl)
2885 {
2886 AN(sa);
2887 AN(sl);
2888
2889 switch (sa->sa_family) {
2890 case PF_INET:
2891 *sl = sizeof(struct sockaddr_in);
2892 break;
2893 case PF_INET6:
2894 *sl = sizeof(struct sockaddr_in6);
2895 break;
2896 case PF_UNIX:
2897 *sl = sizeof(struct sockaddr_un);
2898 break;
2899 default:
2900 *sl = 0;
2901 return (NULL);
2902 }
2903 return (sa);
2904 }
2905
2906 static void
2907 handle_mgt_rd(struct ev_loop *loop, ev_io *w, int revents)
2908 {
2909 ssize_t r;
2910 struct frontend *fr;
2911 struct listen_sock *ls;
2912 struct worker_update wu;
2913
2914 (void) revents;
2915 r = read(w->fd, &wu, sizeof(wu));
2916 if (r == -1) {
2917 if (errno == EWOULDBLOCK || errno == EAGAIN)
2918 return;
2919 LOGL("Error in mgt->worker read operation. "
2920 "Restarting process.");
2921 /* If something went wrong here, the process will be
2922 * left in utter limbo as to whether it should keep
2923 * running or not. Kill the process and let the mgt
2924 * process start it back up. */
2925 _exit(1);
2926 } else if (r == 0) {
2927 /* Parent died .. */
2928 _exit(1);
2929 }
2930
2931 if (wu.type == WORKER_GEN && wu.payload.gen != worker_gen) {
2932 /* This means this process has reached its retirement age. */
2933 if (worker_state == WORKER_EXITING)
2934 return;
2935 worker_state = WORKER_EXITING;
2936
2937 /* Stop accepting new connections. */
2938 VTAILQ_FOREACH(fr, &frontends, list) {
2939 CHECK_OBJ_NOTNULL(fr, FRONTEND_MAGIC);
2940 VTAILQ_FOREACH(ls, &fr->socks, list) {
2941 CHECK_OBJ_NOTNULL(ls, LISTEN_SOCK_MAGIC);
2942 ev_io_stop(loop, &ls->listener);
2943 close(ls->sock);
2944 }
2945 }
2946
2947 check_exit_state();
2948
2949 LOGL("Worker %d (gen: %d): State %s\n", core_id, worker_gen,
2950 (worker_state == WORKER_EXITING) ? "EXITING" : "ACTIVE");
2951 } else if (wu.type == WORKER_GEN && wu.payload.gen == worker_gen) {
2952 return;
2953 } else if (wu.type == BACKEND_REFRESH) {
2954 struct backend *b;
2955 b = backend_create((struct sockaddr *)&wu.payload.addr);
2956 backend_deref(&backaddr);
2957 backaddr = b;
2958 AN(VSA_Sane(backaddr->backaddr));
2959 } else
2960 WRONG("Invalid worker update state");
2961 }
2962
2963 static void
2964 handle_clear_accept(struct ev_loop *loop, ev_io *w, int revents)
2965 {
2966 (void)revents;
2967 (void)loop;
2968 struct sockaddr_storage addr;
2969 struct frontend *fr;
2970 sslctx *so;
2971 proxystate *ps;
2972 socklen_t sl = sizeof(addr);
2973 int client = accept(w->fd, (struct sockaddr *) &addr, &sl);
2974 if (client == -1) {
2975 switch (errno) {
2976 case EMFILE:
2977 ERR("{client} accept() failed; "
2978 "too many open files for this process\n");
2979 break;
2980
2981 case ENFILE:
2982 ERR("{client} accept() failed; "
2983 "too many open files for this system\n");
2984 break;
2985
2986 default:
2987 if (errno != EINTR && errno != EWOULDBLOCK &&
2988 errno != EAGAIN && errno != ECONNABORTED) {
2989 SOCKERR("{client} accept() failed");
2990 }
2991 break;
2992 }
2993 return;
2994 }
2995
2996 int flag = 1;
2997 int ret = setsockopt(client, IPPROTO_TCP, TCP_NODELAY,
2998 (char *)&flag, sizeof(flag) );
2999 if (ret == -1) {
3000 ERR("Couldn't setsockopt on client (TCP_NODELAY): %s\n",
3001 strerror(errno));
3002 }
3003 #ifdef TCP_CWND
3004 int cwnd = 10;
3005 ret = setsockopt(client, IPPROTO_TCP, TCP_CWND, &cwnd, sizeof(cwnd));
3006 if (ret == -1) {
3007 ERR("Couldn't setsockopt on client (TCP_CWND): %s\n",
3008 strerror(errno));
3009 }
3010 #endif
3011
3012 if (setnonblocking(client)) {
3013 SOCKERR("{client} setnonblocking failed");
3014 (void) close(client);
3015 return;
3016 }
3017
3018 settcpkeepalive(client);
3019
3020 ALLOC_OBJ(ps, PROXYSTATE_MAGIC);
3021 ps->backend = backend_ref();
3022 ps->fd_down = create_back_socket(ps->backend);
3023 if (ps->fd_down == -1) {
3024 backend_deref(&ps->backend);
3025 close(client);
3026 free(ps);
3027 ERR("{backend-socket}: %s\n", strerror(errno));
3028 return;
3029 }
3030
3031 CAST_OBJ_NOTNULL(fr, w->data, FRONTEND_MAGIC);
3032 if (fr->default_ctx != NULL)
3033 CAST_OBJ_NOTNULL(so, fr->default_ctx, SSLCTX_MAGIC);
3034 else
3035 CAST_OBJ_NOTNULL(so, default_ctx, SSLCTX_MAGIC);
3036 SSL *ssl = SSL_new(so->ctx);
3037 long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
3038 #ifdef SSL_MODE_RELEASE_BUFFERS
3039 mode |= SSL_MODE_RELEASE_BUFFERS;
3040 #endif
3041 SSL_set_mode(ssl, mode);
3042 SSL_set_connect_state(ssl);
3043 SSL_set_fd(ssl, ps->fd_down);
3044 if (client_session)
3045 SSL_set_session(ssl, client_session);
3046
3047 ps->fd_up = client;
3048 ps->ssl = ssl;
3049 ps->want_shutdown = 0;
3050 ps->clear_connected = 1;
3051 ps->handshaked = 0;
3052 ps->renegotiation = 0;
3053 ps->remote_ip = addr;
3054 ringbuffer_init(&ps->ring_clear2ssl, CONFIG->RING_SLOTS,
3055 CONFIG->RING_DATA_LEN);
3056 ringbuffer_init(&ps->ring_ssl2clear, CONFIG->RING_SLOTS,
3057 CONFIG->RING_DATA_LEN);
3058
3059 /* set up events */
3060 ev_io_init(&ps->ev_r_clear, clear_read, client, EV_READ);
3061 ev_io_init(&ps->ev_w_clear, clear_write, client, EV_WRITE);
3062
3063 ev_io_init(&ps->ev_w_connect, handle_connect, ps->fd_down, EV_WRITE);
3064 ev_timer_init(&ps->ev_t_connect, connect_timeout,
3065 CONFIG->BACKEND_CONNECT_TIMEOUT, 0.);
3066
3067 ev_io_init(&ps->ev_r_handshake, client_handshake,
3068 ps->fd_down, EV_READ);
3069 ev_io_init(&ps->ev_w_handshake, client_handshake,
3070 ps->fd_down, EV_WRITE);
3071 ev_timer_init(&ps->ev_t_handshake, handshake_timeout,
3072 CONFIG->SSL_HANDSHAKE_TIMEOUT, 0.);
3073
3074 ev_io_init(&ps->ev_w_ssl, ssl_write, ps->fd_down, EV_WRITE);
3075 ev_io_init(&ps->ev_r_ssl, ssl_read, ps->fd_down, EV_READ);
3076
3077 ps->ev_r_ssl.data = ps;
3078 ps->ev_w_ssl.data = ps;
3079 ps->ev_r_clear.data = ps;
3080 ps->ev_w_clear.data = ps;
3081 ps->ev_w_connect.data = ps;
3082 ps->ev_r_handshake.data = ps;
3083 ps->ev_w_handshake.data = ps;
3084 ps->ev_t_handshake.data = ps;
3085
3086 /* Link back proxystate to SSL state */
3087 SSL_set_app_data(ssl, ps);
3088
3089 n_conns++;
3090
3091 ev_io_start(loop, &ps->ev_r_clear);
3092 start_connect(ps); /* start connect */
3093 }
3094
3095 /* Set up the child (worker) process including libev event loop, read event
3096 * on the bound sockets, etc */
3097 static void
3098 handle_connections(int mgt_fd)
3099 {
3100 struct frontend *fr;
3101 sslctx *sc, *sctmp;
3102 struct listen_sock *ls;
3103 struct sigaction sa;
3104
3105 worker_state = WORKER_ACTIVE;
3106 LOGL("{core} Process %d online\n", core_id);
3107
3108 /* child cannot create new children... */
3109 create_workers = 0;
3110
3111 /* nor can they handle SIGHUP */
3112 sa.sa_flags = 0;
3113 sa.sa_handler = SIG_IGN;
3114 sigemptyset(&sa.sa_mask);
3115 AZ(sigaction(SIGHUP, &sa, NULL));
3116
3117 #if defined(CPU_ZERO) && defined(CPU_SET)
3118 cpu_set_t cpus;
3119
3120 CPU_ZERO(&cpus);
3121 CPU_SET(core_id, &cpus);
3122
3123 int res = sched_setaffinity(0, sizeof(cpus), &cpus);
3124 if (!res)
3125 LOG("{core} Successfully attached to CPU #%d\n", core_id);
3126 else
3127 ERR("{core-warning} Unable to attach to CPU #%d; "
3128 "do you have that many cores?\n", core_id);
3129 #endif
3130
3131 loop = ev_default_loop(EVFLAG_AUTO);
3132
3133 ev_timer timer_ppid_check;
3134 ev_timer_init(&timer_ppid_check, check_ppid, 1.0, 1.0);
3135 ev_timer_start(loop, &timer_ppid_check);
3136
3137 VTAILQ_FOREACH(fr, &frontends, list) {
3138 VTAILQ_FOREACH(ls, &fr->socks, list) {
3139 ev_io_init(&ls->listener,
3140 (CONFIG->PMODE == SSL_CLIENT) ?
3141 handle_clear_accept : handle_accept,
3142 ls->sock, EV_READ);
3143 ls->listener.data = fr;
3144 ev_io_start(loop, &ls->listener);
3145 }
3146 }
3147
3148 if (CONFIG->OCSP_DIR != NULL) {
3149 HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
3150 if (sc->ev_staple)
3151 ev_stat_start(loop, sc->ev_staple);
3152 }
3153
3154 VTAILQ_FOREACH(fr, &frontends, list) {
3155 HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
3156 if (sc->ev_staple)
3157 ev_stat_start(loop, sc->ev_staple);
3158 }
3159 }
3160
3161 if (default_ctx != NULL && default_ctx->ev_staple != NULL)
3162 ev_stat_start(loop, default_ctx->ev_staple);
3163 }
3164
3165 AZ(setnonblocking(mgt_fd));
3166 ev_io_init(&mgt_rd, handle_mgt_rd, mgt_fd, EV_READ);
3167 ev_io_start(loop, &mgt_rd);
3168
3169 ev_loop(loop, 0);
3170 ERR("Worker %d (gen: %d) exiting.\n", core_id, worker_gen);
3171 _exit(1);
3172 }
3173
3174
3175 /*
3176 OCSP requestor process.
3177 */
3178 static void
3179 handle_ocsp_task(void) {
3180 struct frontend *fr;
3181 struct listen_sock *ls;
3182 sslctx *sc, *sctmp;
3183 ev_timer timer_ppid_check;
3184
3185 /* we don't accept incoming connections for this process. */
3186 VTAILQ_FOREACH(fr, &frontends, list) {
3187 CHECK_OBJ_NOTNULL(fr, FRONTEND_MAGIC);
3188 VTAILQ_FOREACH(ls, &fr->socks, list) {
3189 CHECK_OBJ_NOTNULL(ls, LISTEN_SOCK_MAGIC);
3190 ev_io_stop(loop, &ls->listener);
3191 close(ls->sock);
3192 }
3193 }
3194
3195 (void) umask(027);
3196 loop = ev_default_loop(EVFLAG_AUTO);
3197
3198 /* Create ocspquery work items for any eligible ocsp queries */
3199
3200 HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
3201 HOCSP_mktask(sc, NULL, -1.0);
3202 }
3203
3204 VTAILQ_FOREACH(fr, &frontends, list) {
3205 HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
3206 HOCSP_mktask(sc, NULL, -1.0);
3207 }
3208 }
3209
3210 if (default_ctx != NULL)
3211 HOCSP_mktask(default_ctx, NULL, -1.0);
3212
3213 ev_timer_init(&timer_ppid_check, check_ppid, 1.0, 1.0);
3214 ev_timer_start(loop, &timer_ppid_check);
3215
3216 ev_loop(loop, 0);
3217
3218 _exit(0);
3219 }
3220
3221 void
3222 change_root()
3223 {
3224 if (chroot(CONFIG->CHROOT) == -1)
3225 fail("chroot");
3226 if (chdir("/"))
3227 fail("chdir");
3228 }
3229
3230 void
3231 drop_privileges(void)
3232 {
3233
3234 if (geteuid() == 0) {
3235 if (CONFIG->UID >= 0)
3236 AZ(setgroups(0, NULL));
3237 if (CONFIG->GID >= 0)
3238 AZ(setgid(CONFIG->GID));
3239 if (CONFIG->UID >= 0)
3240 AZ(setuid(CONFIG->UID));
3241 } else {
3242 LOG("{core} Not running as root, no priv-sep\n");
3243 }
3244
3245 /* On Linux >= 2.4, you need to set the dumpable flag
3246 to get core dumps after you have done a setuid. */
3247
3248 #ifdef __linux__
3249 if (prctl(PR_SET_DUMPABLE, 1) != 0)
3250 LOG("Could not set dumpable bit. Core dumps turned off\n");
3251 #endif
3252 }
3253
3254 static int
3255 verify_privileges(void)
3256 {
3257 if (geteuid() == 0 &&
3258 !(CONFIG->UID == 0 && CONFIG->GID == 0)) {
3259 ERR("{core} ERROR: "
3260 "Refusing to run workers as root, "
3261 "unless user and group is explicitly set"
3262 " to root.\n");
3263 return (0);
3264 }
3265 return (1);
3266 }
3267
3268 static int
3269 backaddr_init_uds(void)
3270 {
3271 struct sockaddr_un sun;
3272 struct backend *b;
3273 int l;
3274
3275 if (backaddr != NULL)
3276 /* Already configured - we don't refresh UDS addresses. */
3277 return (0);
3278
3279 AN(CONFIG->BACK_PATH);
3280 memset(&sun, 0, sizeof sun);
3281 sun.sun_family = PF_UNIX;
3282 l = snprintf(sun.sun_path, sizeof(sun.sun_path), "%s",
3283 CONFIG->BACK_PATH);
3284 /* the length of BACK_PATH is verified to fit into
3285 * sun.sun_path in configuration.c */
3286 assert(l < (int)sizeof(sun.sun_path));
3287
3288 b = backend_create((struct sockaddr *)&sun);
3289 backaddr = b;
3290
3291 return (0);
3292 }
3293
3294 static int
3295 backaddr_init(void) {
3296 struct addrinfo *result;
3297 struct addrinfo hints;
3298 struct backend *b;
3299
3300 if (CONFIG->BACK_PATH)
3301 return (backaddr_init_uds());
3302
3303 memset(&hints, 0, sizeof hints);
3304 hints.ai_family = AF_UNSPEC;
3305 hints.ai_socktype = SOCK_STREAM;
3306 hints.ai_flags = 0;
3307 const int gai_err = getaddrinfo(CONFIG->BACK_IP, CONFIG->BACK_PORT,
3308 &hints, &result);
3309 if (gai_err != 0) {
3310 ERR("{getaddrinfo-backend}: %s\n", gai_strerror(gai_err));
3311 exit(1);
3312 }
3313
3314 b = backend_create(result->ai_addr);
3315 freeaddrinfo(result);
3316
3317 if (backaddr == NULL) {
3318 backaddr = b;
3319 return (1);
3320 }
3321
3322 if (VSA_Compare(backaddr->backaddr, b->backaddr) != 0) {
3323 free(backaddr);
3324 backaddr = b;
3325 return (1);
3326 }
3327
3328 backend_deref(&b);
3329 AZ(b);
3330
3331 return (0);
3332 }
3333
3334 void
3335 init_globals(void)
3336 {
3337 struct addrinfo hints;
3338
3339 VTAILQ_INIT(&frontends);
3340 VTAILQ_INIT(&worker_procs);
3341
3342 backaddr_init();
3343
3344 (void)hints;
3345
3346 #ifdef USE_SHARED_CACHE
3347 if (CONFIG->SHARED_CACHE) {
3348 /* cache update peers addresses */
3349 shcupd_peer_opt *spo = CONFIG->SHCUPD_PEERS;
3350 struct addrinfo **pai = shcupd_peers;
3351
3352 while (spo->ip) {
3353 memset(&hints, 0, sizeof hints);
3354 hints.ai_family = AF_UNSPEC;
3355 hints.ai_socktype = SOCK_DGRAM;
3356 hints.ai_flags = 0;
3357 const int gai_err = getaddrinfo(spo->ip,
3358 spo->port ? spo->port : CONFIG->SHCUPD_PORT,
3359 &hints, pai);
3360 if (gai_err != 0) {
3361 ERR("{getaddrinfo}: %s\n",
3362 gai_strerror(gai_err));
3363 exit(1);
3364 }
3365 spo++;
3366 pai++;
3367 }
3368 }
3369 #endif
3370 if (CONFIG->SYSLOG)
3371 openlog("hitch", LOG_CONS | LOG_PID | LOG_NDELAY,
3372 CONFIG->SYSLOG_FACILITY);
3373 }
3374
3375 /* Forks COUNT children starting with START_INDEX. We keep a struct
3376 * child_proc per child so the parent can manage it later. */
3377 void
3378 start_workers(int start_index, int count)
3379 {
3380 struct worker_proc *c;
3381 struct frontend *fr;
3382 int pfd[2];
3383
3384 /* don't do anything if we're not allowed to create new workers */
3385 if (!create_workers)
3386 return;
3387
3388 for (core_id = start_index;
3389 core_id < start_index + count; core_id++) {
3390 ALLOC_OBJ(c, WORKER_PROC_MAGIC);
3391 AZ(pipe(pfd));
3392 c->pfd = pfd[1];
3393 c->gen = worker_gen;
3394 c->pid = fork();
3395 c->core_id = core_id;
3396 if (c->pid == -1) {
3397 ERR("{core} fork() failed: %s; Goodbye cruel world!\n",
3398 strerror(errno));
3399 exit(1);
3400 } else if (c->pid == 0) { /* child */
3401 close(pfd[1]);
3402 FREE_OBJ(c);
3403 VTAILQ_FOREACH(fr, &frontends, list) {
3404 CHECK_OBJ_NOTNULL(fr->arg, FRONT_ARG_MAGIC);
3405 assert(frontend_listen(fr->arg, fr) > 0);
3406 }
3407 if (CONFIG->CHROOT && CONFIG->CHROOT[0])
3408 change_root();
3409 if (CONFIG->UID >= 0 || CONFIG->GID >= 0)
3410 drop_privileges();
3411 if (!verify_privileges())
3412 _exit(1);
3413 handle_connections(pfd[0]);
3414 exit(0);
3415 } else { /* parent. Track new child. */
3416 close(pfd[0]);
3417 VTAILQ_INSERT_TAIL(&worker_procs, c, list);
3418 }
3419 }
3420 }
3421
3422 void
3423 start_ocsp_proc(void)
3424 {
3425 ocsp_proc_pid = fork();
3426
3427 if (ocsp_proc_pid == -1) {
3428 ERR("{core}: fork() failed: %s: Exiting.\n", strerror(errno));
3429 exit(1);
3430 } else if (ocsp_proc_pid == 0) {
3431 if (CONFIG->UID >= 0 || CONFIG->GID >= 0)
3432 drop_privileges();
3433 if (!verify_privileges())
3434 _exit(1);
3435 handle_ocsp_task();
3436 }
3437
3438 /* child proc should never return. */
3439 AN(ocsp_proc_pid);
3440 }
3441
3442
3443 /* Forks a new child to replace the old, dead, one with the given PID.*/
3444 void
3445 replace_child_with_pid(pid_t pid)
3446 {
3447 struct worker_proc *c, *cp;
3448
3449 /* find old child's slot and put a new child there */
3450 VTAILQ_FOREACH_SAFE(c, &worker_procs, list, cp) {
3451 if (c->pid == pid) {
3452 VTAILQ_REMOVE(&worker_procs, c, list);
3453 /* Only replace if it matches current generation. */
3454 if (c->gen == worker_gen)
3455 start_workers(c->core_id, 1);
3456 FREE_OBJ(c);
3457 return;
3458 }
3459 }
3460
3461 ERR("Cannot find index for child pid %d", pid);
3462 }
3463
3464 /* Manage status changes in child processes */
3465 static void
3466 do_wait(void)
3467 {
3468 struct worker_proc *c, *ctmp;
3469 int status;
3470 int pid;
3471
3472 #define WAIT_PID(p, action) do { \
3473 pid = waitpid(p, &status, WNOHANG); \
3474 if (pid == 0) { \
3475 /* child has not exited */ \
3476 break; \
3477 } \
3478 else if (pid == -1) { \
3479 if (errno == EINTR) \
3480 ERR("{core} Interrupted waitpid\n"); \
3481 else \
3482 fail("waitpid"); \
3483 } else { \
3484 if (WIFEXITED(status)) { \
3485 ERR("{core} Child %d exited with status %d.\n", \
3486 pid, WEXITSTATUS(status)); \
3487 action; \
3488 } else if (WIFSIGNALED(status)) { \
3489 ERR("{core} Child %d was terminated by " \
3490 "signal %d.\n", pid, WTERMSIG(status)); \
3491 action; \
3492 } \
3493 } \
3494 } while (0)
3495
3496 VTAILQ_FOREACH_SAFE(c, &worker_procs, list, ctmp) {
3497 WAIT_PID(c->pid, replace_child_with_pid(pid));
3498 }
3499
3500 /* also check if the ocsp worker killed itself */
3501 if (ocsp_proc_pid != 0)
3502 WAIT_PID(ocsp_proc_pid,
3503 if (CONFIG->OCSP_DIR) {
3504 start_ocsp_proc();
3505 } else {
3506 ocsp_proc_pid = 0;
3507 });
3508 }
3509
3510 static void
3511 sigchld_handler(int signum)
3512 {
3513 assert(signum == SIGCHLD);
3514 n_sigchld++;
3515 }
3516
3517
3518 static void
3519 sigh_terminate (int __attribute__ ((unused)) signo)
3520 {
3521 struct worker_proc *c;
3522 /* don't create any more children */
3523 create_workers = 0;
3524
3525 /* are we the master? */
3526 if (getpid() == master_pid) {
3527 LOGL("{core} Received signal %d, shutting down.\n", signo);
3528
3529 /* kill all children */
3530 VTAILQ_FOREACH(c, &worker_procs, list) {
3531 /* LOG("Stopping worker pid %d.\n", c->pid); */
3532 if (c->pid > 1 &&
3533 kill(c->pid, SIGTERM) != 0) {
3534 ERR("{core} Unable to send SIGTERM to worker "
3535 "pid %d: %s\n", c->pid,
3536 strerror(errno));
3537 }
3538 }
3539
3540 if (ocsp_proc_pid != 0)
3541 kill(ocsp_proc_pid, SIGTERM);
3542 }
3543
3544 /* this is it, we're done... */
3545 exit(0);
3546 }
3547
3548 static void
3549 sighup_handler(int signum)
3550 {
3551 assert(signum == SIGHUP);
3552 n_sighup++;
3553 }
3554
3555 static void
3556 init_signals()
3557 {
3558 struct sigaction act;
3559
3560 sigemptyset(&act.sa_mask);
3561 act.sa_flags = 0;
3562 act.sa_handler = SIG_IGN;
3563
3564 /* Avoid getting PIPE signal when writing to a closed file descriptor */
3565 if (sigaction(SIGPIPE, &act, NULL) < 0)
3566 fail("sigaction - sigpipe");
3567
3568 /* We don't care if someone stops and starts a child process
3569 * with kill (1) */
3570 act.sa_flags = SA_NOCLDSTOP;
3571 act.sa_handler = sigchld_handler;
3572
3573 /* We do care when child processes change status */
3574 if (sigaction(SIGCHLD, &act, NULL) < 0)
3575 fail("sigaction - sigchld");
3576
3577 /* catch INT and TERM signals */
3578 act.sa_flags = 0;
3579 act.sa_handler = sigh_terminate;
3580 if (sigaction(SIGINT, &act, NULL) < 0) {
3581 ERR("Unable to register SIGINT signal handler: %s\n",
3582 strerror(errno));
3583 exit(1);
3584 }
3585 if (sigaction(SIGTERM, &act, NULL) < 0) {
3586 ERR("Unable to register SIGTERM signal handler: %s\n",
3587 strerror(errno));
3588 exit(1);
3589 }
3590
3591 act.sa_handler = sighup_handler;
3592 if (sigaction(SIGHUP, &act, NULL) != 0) {
3593 ERR("Unable to register SIGHUP signal handler: %s\n",
3594 strerror(errno));
3595 exit(1);
3596 }
3597
3598 }
3599
3600 static void
3601 openssl_check_version()
3602 {
3603 /* detect OpenSSL version in runtime */
3604 long openssl_version = SSLeay();
3605
3606 /* check if we're running the same openssl that we were */
3607 /* compiled with */
3608 if ((openssl_version ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
3609 ERR(
3610 "WARNING: {core} OpenSSL version mismatch; "
3611 "hitch was compiled with %lx, now using %lx.\n",
3612 (unsigned long int)OPENSSL_VERSION_NUMBER,
3613 (unsigned long int)openssl_version
3614 );
3615 /* now what? exit now? */
3616 /* exit(1); */
3617 }
3618
3619 LOG("{core} Using OpenSSL version %lx.\n",
3620 (unsigned long int)openssl_version);
3621 }
3622
3623
3624 static void
3625 remove_pfh(void)
3626 {
3627 if (pfh && master_pid == getpid()) {
3628 VPF_Remove(pfh);
3629 }
3630 }
3631
3632 struct cfg_tpc_obj;
3633
3634 enum cfg_tpc_type {
3635 CFG_FRONTEND,
3636 CFG_CERT
3637
3638 /* ... */
3639 };
3640
3641 /* Commit/rollback handling:
3642 - KEEP:
3643 - commit: reuse
3644 - rollback: do nothing
3645 - NEW:
3646 - commit: use as new
3647 - rollback: drop
3648
3649 - DROP:
3650 - commit: drop
3651 - rollback: do nothing
3652 */
3653 enum cfg_tpc_handling {
3654 CFG_TPC_KEEP,
3655 CFG_TPC_NEW,
3656 CFG_TPC_DROP
3657 };
3658
3659 typedef void cfg_tpc_rollback_f(struct cfg_tpc_obj *o);
3660 typedef void cfg_tpc_commit_f(struct cfg_tpc_obj *o);
3661
3662 struct cfg_tpc_obj {
3663 unsigned magic;
3664 #define CFG_TPC_OBJ_MAGIC 0xd6953e5f
3665 enum cfg_tpc_type type;
3666 enum cfg_tpc_handling handling;
3667 void *p[2];
3668 cfg_tpc_rollback_f *rollback;
3669 cfg_tpc_commit_f *commit;
3670 VTAILQ_ENTRY(cfg_tpc_obj) list;
3671 };
3672
3673 VTAILQ_HEAD(cfg_tpc_obj_head, cfg_tpc_obj);
3674
3675 static struct cfg_tpc_obj *
3676 make_cfg_obj(enum cfg_tpc_type type, enum cfg_tpc_handling handling,
3677 void *priv0, void *priv1, cfg_tpc_rollback_f *rollback,
3678 cfg_tpc_commit_f *commit)
3679 {
3680 struct cfg_tpc_obj *o;
3681
3682 ALLOC_OBJ(o, CFG_TPC_OBJ_MAGIC);
3683 AN(o);
3684 o->type = type;
3685 o->handling = handling;
3686 o->p[0] = priv0;
3687 o->p[1] = priv1;
3688 o->rollback = rollback;
3689 o->commit = commit;
3690
3691 return (o);
3692 }
3693
3694 static void
3695 frontend_rollback(struct cfg_tpc_obj *o)
3696 {
3697 struct frontend *fr;
3698
3699 if (o->handling == CFG_TPC_NEW) {
3700 CAST_OBJ_NOTNULL(fr, o->p[0], FRONTEND_MAGIC);
3701 destroy_frontend(fr);
3702 }
3703
3704 /* KEEP/DROP: ignore */
3705 }
3706
3707 static void
3708 frontend_commit(struct cfg_tpc_obj *o)
3709 {
3710 struct frontend *fr;
3711 sslctx *sc;
3712 CAST_OBJ_NOTNULL(fr, o->p[0], FRONTEND_MAGIC);
3713
3714 switch (o->handling) {
3715 case CFG_TPC_NEW:
3716 VTAILQ_INSERT_TAIL(&frontends, fr, list);
3717 /* FALL-THROUGH */
3718 case CFG_TPC_KEEP:
3719 if (o->p[1]) {
3720 CAST_OBJ_NOTNULL(sc, o->p[1], SSLCTX_MAGIC);
3721 /* fr->sctx = sc; */
3722 }
3723 break;
3724 case CFG_TPC_DROP:
3725 VTAILQ_REMOVE(&frontends, fr, list);
3726 destroy_frontend(fr);
3727 break;
3728 }
3729 }
3730
3731 static void cert_rollback(struct cfg_tpc_obj *o);
3732 static void cert_commit(struct cfg_tpc_obj *o);
3733
3734 // Is this incorrectly named?
3735 static int
3736 ocsp_cfg_changed(const struct cfg_cert_file *cf, const sslctx *sc)
3737 {
3738 if (sc->staple != NULL && cf->ocspfn == NULL)
3739 return (1); /* Dropped OCSP definition */
3740
3741 if (sc->staple == NULL && cf->ocspfn != NULL)
3742 return (1); /* Added OCSP definition */
3743
3744 if (sc->staple != NULL && cf->ocspfn != NULL) {
3745 if (strcmp(sc->staple_fn, cf->ocspfn) != 0
3746 || sc->staple->mtim < cf->ocsp_mtim)
3747 return (1); /* Updated */
3748 }
3749
3750 return (0);
3751 }
3752
3753 /* Query frontend-specific certificates. */
3754 static int
3755 cert_fr_query(struct frontend *fr, struct front_arg *fa,
3756 struct cfg_tpc_obj_head *cfg_objs)
3757 {
3758 struct cfg_cert_file *cf, *cftmp;
3759 sslctx *sc, *sctmp;
3760 struct cfg_tpc_obj *o;
3761
3762 HASH_ITER(hh, fr->ssl_ctxs, sc, sctmp) {
3763 HASH_FIND_STR(fa->certs, sc->filename, cf);
3764 if (cf != NULL && cf->mtim <= sc->mtim
3765 && !ocsp_cfg_changed(cf, sc)) {
3766 cf->mark = 1;
3767 } else {
3768 o = make_cfg_obj(CFG_CERT, CFG_TPC_DROP,
3769 sc, fr, cert_rollback, cert_commit);
3770 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3771 }
3772 }
3773
3774 HASH_ITER(hh, fa->certs, cf, cftmp) {
3775 if (cf->mark)
3776 continue;
3777 sc = make_ctx_fr(cf, fr, fa);
3778 if (sc == NULL)
3779 return (-1);
3780 o = make_cfg_obj(CFG_CERT, CFG_TPC_NEW,
3781 sc, fr, cert_rollback, cert_commit);
3782 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3783 }
3784
3785 return (0);
3786 }
3787
3788 /* Query reload of listen sockets.
3789 Returns -1 on failure.
3790 Failure: Caller calls .rollback() on the objects added in cfg_objs.
3791 Success: Caller calls .commit()
3792 */
3793 static int
3794 frontend_query(struct front_arg *new_set, struct cfg_tpc_obj_head *cfg_objs)
3795 {
3796 struct frontend *fr;
3797 struct front_arg *fa, *ftmp;
3798 struct cfg_tpc_obj *o;
3799
3800 VTAILQ_FOREACH(fr, &frontends, list) {
3801 HASH_FIND_STR(new_set, fr->arg->pspec, fa);
3802 if (fa != NULL) {
3803 fa->mark = 1;
3804 o = make_cfg_obj(CFG_FRONTEND, CFG_TPC_KEEP, fr, NULL,
3805 frontend_rollback, frontend_commit);
3806 if(cert_fr_query(fr, fa, cfg_objs) < 0) {
3807 FREE_OBJ(o);
3808 return (-1);
3809 }
3810
3811 } else
3812 o = make_cfg_obj(CFG_FRONTEND, CFG_TPC_DROP, fr, NULL,
3813 frontend_rollback, frontend_commit);
3814 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3815 }
3816
3817 HASH_ITER(hh, new_set, fa, ftmp) {
3818 if (!fa->mark) {
3819 fr = create_frontend(fa);
3820 if (fr == NULL)
3821 return (-1);
3822 o = make_cfg_obj(CFG_FRONTEND, CFG_TPC_NEW,
3823 fr, NULL, frontend_rollback, frontend_commit);
3824 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3825 }
3826 }
3827
3828 return (0);
3829 }
3830
3831 static void
3832 cert_rollback(struct cfg_tpc_obj *o)
3833 {
3834 sslctx *sc;
3835
3836 if (o->handling != CFG_TPC_NEW)
3837 return;
3838
3839 CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3840 sctx_free(sc, NULL);
3841 }
3842
3843 static void
3844 cert_commit(struct cfg_tpc_obj *o)
3845 {
3846 sslctx *sc;
3847 sni_name **sn_tab;
3848 sslctx **ctxs;
3849 struct frontend *fr;
3850
3851 sn_tab = &sni_names;
3852 ctxs = &ssl_ctxs;
3853
3854 CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3855 if (o->p[1] != NULL) {
3856 CAST_OBJ_NOTNULL(fr, o->p[1], FRONTEND_MAGIC);
3857 sn_tab = &fr->sni_names;
3858 ctxs = &fr->ssl_ctxs;
3859 }
3860
3861 switch (o->handling) {
3862 case CFG_TPC_NEW:
3863 HASH_ADD_KEYPTR(hh, *ctxs, sc->filename,
3864 strlen(sc->filename), sc);
3865 insert_sni_names(sc, sn_tab);
3866 break;
3867 case CFG_TPC_KEEP:
3868 WRONG("unreachable");
3869 break;
3870 case CFG_TPC_DROP:
3871 HASH_DEL(*ctxs, sc);
3872 sctx_free(sc, sn_tab);
3873 break;
3874 }
3875 }
3876
3877 static void
3878 dcert_rollback(struct cfg_tpc_obj *o)
3879 {
3880 cert_rollback(o);
3881 }
3882
3883 static void
3884 dcert_commit(struct cfg_tpc_obj *o)
3885 {
3886 sslctx *sc;
3887
3888 CAST_OBJ_NOTNULL(sc, o->p[0], SSLCTX_MAGIC);
3889 CHECK_OBJ_NOTNULL(sni_names, SNI_NAME_MAGIC);
3890
3891 switch (o->handling) {
3892 case CFG_TPC_NEW:
3893 sctx_free(default_ctx, &sni_names);
3894 default_ctx = sc;
3895 insert_sni_names(sc, &sni_names);
3896 break;
3897 case CFG_TPC_KEEP:
3898 /* FALL-THROUGH */
3899 case CFG_TPC_DROP:
3900 /* We always have a default cert. This should not
3901 * happen. */
3902 WRONG("unreachable");
3903 break;
3904 }
3905 }
3906
3907 /* Query reload of certificate files */
3908 static int
3909 cert_query(hitch_config *cfg, struct cfg_tpc_obj_head *cfg_objs)
3910 {
3911 struct cfg_cert_file *cf, *cftmp;
3912 sslctx *sc, *sctmp;
3913 struct cfg_tpc_obj *o;
3914
3915 /* NB: The ordering here is significant. It is imperative that
3916 * all DROP objects are inserted before any NEW objects, in
3917 * order to not wreak havoc in cert_commit(). */
3918 HASH_ITER(hh, ssl_ctxs, sc, sctmp) {
3919 HASH_FIND_STR(cfg->CERT_FILES, sc->filename, cf);
3920 if (cf != NULL && cf->mtim <= sc->mtim
3921 && !ocsp_cfg_changed(cf, sc)) {
3922 cf->mark = 1;
3923 } else {
3924 o = make_cfg_obj(CFG_CERT, CFG_TPC_DROP,
3925 sc, NULL, cert_rollback, cert_commit);
3926 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3927 }
3928 }
3929
3930 /* handle default cert. Default cert has its own
3931 * rollback/commit functions. */
3932 if (cfg->CERT_DEFAULT != NULL) {
3933 cf = cfg->CERT_DEFAULT;
3934 CHECK_OBJ_NOTNULL(default_ctx, SSLCTX_MAGIC);
3935 if (strcmp(default_ctx->filename, cf->filename) != 0
3936 || cf->mtim > default_ctx->mtim
3937 || ocsp_cfg_changed(cf, default_ctx)) {
3938 sc = make_ctx(cf);
3939 if (sc == NULL)
3940 return (-1);
3941 o = make_cfg_obj(CFG_CERT, CFG_TPC_NEW,
3942 sc, NULL, dcert_rollback, dcert_commit);
3943 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3944 }
3945 }
3946
3947 HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) {
3948 if (cf->mark)
3949 continue;
3950 sc = make_ctx(cf);
3951 if (sc == NULL)
3952 return (-1);
3953 o = make_cfg_obj(CFG_CERT, CFG_TPC_NEW,
3954 sc, NULL, cert_rollback, cert_commit);
3955 VTAILQ_INSERT_TAIL(cfg_objs, o, list);
3956 }
3957
3958 return (0);
3959 }
3960
3961 static void
3962 notify_workers(struct worker_update *wu)
3963 {
3964 struct worker_proc *c;
3965 int i;
3966 VTAILQ_FOREACH(c, &worker_procs, list) {
3967 if ((wu->type == WORKER_GEN && wu->payload.gen != c->gen) ||
3968 (wu->type == BACKEND_REFRESH)) {
3969 errno = 0;
3970 do {
3971 i = write(c->pfd, (void*)wu, sizeof(*wu));
3972 if (i == -1 && errno != EINTR) {
3973 if (wu->type == WORKER_GEN)
3974 ERR("WARNING: {core} Unable to "
3975 "gracefully reload worker %d"
3976 " (%s).\n",
3977 c->pid, strerror(errno));
3978 else
3979 ERR("WARNING: {core} Unable to "
3980 "notify worker %d "
3981 "with changed backend address (%s).\n",
3982 c->pid, strerror(errno));
3983
3984 (void)kill(c->pid, SIGTERM);
3985 break;
3986 }
3987 } while (i == -1 && errno == EINTR);
3988
3989 if (wu->type == WORKER_GEN)
3990 (void)close(c->pfd);
3991
3992 }
3993 }
3994 }
3995
3996 /*
3997 * Print Hitch's listen enpoints to a file.
3998 * Used for testing purposes.
3999 */
4000 int
4001 listen_endpoint_print(const char *fn)
4002 {
4003 FILE *fp;
4004 int n;
4005 struct frontend *fr;
4006 struct addrinfo *it;
4007 char hostbuf[NI_MAXHOST];
4008 char servbuf[NI_MAXSERV];
4009
4010 fp = fopen(fn, "w");
4011 if (fp == NULL) {
4012 perror("fopen");
4013 return (1);
4014 }
4015
4016 VTAILQ_FOREACH(fr, &frontends, list) {
4017 for (it = fr->addrs; it != NULL; it = it->ai_next) {
4018 if (it->ai_addr->sa_family != AF_INET)
4019 continue;
4020 n = getnameinfo(it->ai_addr, it->ai_addrlen,
4021 hostbuf, sizeof(hostbuf), servbuf, sizeof(servbuf),
4022 NI_NUMERICHOST|NI_NUMERICSERV);
4023 AZ(n);
4024 fprintf(fp, "%s:%s\n", hostbuf, servbuf);
4025 }
4026 }
4027
4028 fclose(fp);
4029 return (0);
4030 }
4031
4032 static void
4033 reconfigure(int argc, char **argv)
4034 {
4035 hitch_config *cfg_new;
4036 struct cfg_tpc_obj_head cfg_objs;
4037 struct cfg_tpc_obj *cto, *cto_tmp;
4038 struct timeval tv;
4039 double t0, t1;
4040 struct worker_update wu;
4041 struct frontend *fr;
4042
4043 LOGL("Received SIGHUP: Initiating configuration reload.\n");
4044 AZ(gettimeofday(&tv, NULL));
4045 t0 = tv.tv_sec + 1e-6 * tv.tv_usec;
4046
4047 VTAILQ_INIT(&cfg_objs);
4048 cfg_new = config_new();
4049 AN(cfg_new);
4050 if (config_parse_cli(argc, argv, cfg_new) != 0) {
4051 ERR("Config reload failed: %s\n", config_error_get());
4052 config_destroy(cfg_new);
4053 return;
4054 }
4055
4056 /* NB: the ordering of the foo_query() calls here is
4057 * significant. */
4058 if (frontend_query(cfg_new->LISTEN_ARGS, &cfg_objs) < 0
4059 || cert_query(cfg_new, &cfg_objs) < 0) {
4060 VTAILQ_FOREACH_SAFE(cto, &cfg_objs, list, cto_tmp) {
4061 VTAILQ_REMOVE(&cfg_objs, cto, list);
4062 AN(cto->rollback);
4063 cto->rollback(cto);
4064 FREE_OBJ(cto);
4065 }
4066 ERR("{core} Config reload failed.\n");
4067 return;
4068 } else {
4069 VTAILQ_FOREACH_SAFE(cto, &cfg_objs, list, cto_tmp) {
4070 VTAILQ_REMOVE(&cfg_objs, cto, list);
4071 AN(cto->commit);
4072 cto->commit(cto);
4073 FREE_OBJ(cto);
4074 }
4075 }
4076
4077 /* Rewire default sslctx and front_arg for each frontend after
4078 * a reload */
4079 VTAILQ_FOREACH(fr, &frontends, list) {
4080 struct front_arg *fa;
4081 struct cfg_cert_file *cf;
4082 sslctx *sc;
4083
4084 HASH_FIND_STR(cfg_new->LISTEN_ARGS, fr->arg->pspec, fa);
4085 CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC);
4086
4087 /* rewire fr->arg: the previous value will be freed
4088 * below when we config_destroy() the old
4089 * configuration set. */
4090 fr->arg = fa;
4091
4092 if (HASH_COUNT(fr->ssl_ctxs) == 0) {
4093 fr->default_ctx = NULL;
4094 continue;
4095 }
4096
4097 cf = fa->certs;
4098 CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC);
4099 while (cf->hh.next != NULL)
4100 cf = cf->hh.next;
4101 HASH_FIND_STR(fr->ssl_ctxs, cf->filename, sc);
4102 CHECK_OBJ_NOTNULL(sc, SSLCTX_MAGIC);
4103 fr->default_ctx = sc;
4104 }
4105
4106 AZ(gettimeofday(&tv, NULL));
4107 t1 = tv.tv_sec + 1e-6 * tv.tv_usec;
4108
4109 LOGL("{core} Config reloaded in %.2lf seconds. "
4110 "Starting new child processes.\n", t1 - t0);
4111
4112 config_destroy(CONFIG);
4113 CONFIG = cfg_new;
4114
4115 worker_gen++;
4116 start_workers(0, CONFIG->NCORES);
4117
4118 if (CONFIG->DEBUG_LISTEN_ADDR)
4119 listen_endpoint_print(CONFIG->DEBUG_LISTEN_ADDR);
4120
4121 wu.type = WORKER_GEN;
4122 wu.payload.gen = worker_gen;
4123 notify_workers(&wu);
4124
4125 if (ocsp_proc_pid > 0) {
4126 (void) kill(ocsp_proc_pid, SIGTERM);
4127 /*
4128 * Restarting the OCSP process is taken
4129 * care of in do_wait
4130 */
4131 } else if (CONFIG->OCSP_DIR != NULL && ocsp_proc_pid <= 0) {
4132 start_ocsp_proc();
4133 }
4134 }
4135
4136 void
4137 sleep_and_refresh(hitch_config *CONFIG)
4138 {
4139 /* static backend address */
4140 if (!CONFIG->BACKEND_REFRESH_TIME) {
4141 pause();
4142 return;
4143 }
4144
4145 int rv = 0;
4146 while (1) {
4147 rv = usleep(CONFIG->BACKEND_REFRESH_TIME*1000000);
4148 if (rv == -1 && errno == EINTR)
4149 break;
4150 else if(backaddr_init()) {
4151 struct worker_update wu;
4152 wu.type = BACKEND_REFRESH;
4153 socklen_t len;
4154 const void *addr =
4155 VSA_Get_Sockaddr(backaddr->backaddr, &len);
4156 AN(addr);
4157 memcpy(&(wu.payload.addr), addr, len);
4158 notify_workers(&wu);
4159 }
4160 }
4161 }
4162
4163
4164 /* Process command line args, create the bound socket,
4165 * spawn child (worker) processes, and respawn if any die */
4166 int
4167 main(int argc, char **argv)
4168 {
4169 // initialize configuration
4170 struct front_arg *fa, *ftmp;
4171
4172 master_pid = getpid();
4173 CONFIG = config_new();
4174
4175 // parse command line
4176 if (config_parse_cli(argc, argv, CONFIG) != 0) {
4177 fprintf(stderr, "%s\n", config_error_get());
4178 return (1);
4179 }
4180
4181 if (CONFIG->LOG_FILENAME) {
4182 FILE* f;
4183 if ((f = fopen(CONFIG->LOG_FILENAME, "a")) == NULL) {
4184 /* logging.c */
4185 logfile = stderr;
4186 ERR("FATAL: Unable to open log file: %s: %s\n",
4187 CONFIG->LOG_FILENAME, strerror(errno));
4188 exit(2);
4189 }
4190 logfile = f;
4191 if (CONFIG->UID >=0 || CONFIG->GID >= 0) {
4192 AZ(fchown(fileno(logfile), CONFIG->UID, CONFIG->GID));
4193 }
4194 AZ(fstat(fileno(logfile), &logf_st));
4195 logf_check_t = time(NULL);
4196 } else {
4197 logfile = stderr;
4198 }
4199 AZ(setvbuf(logfile, NULL, _IONBF, BUFSIZ));
4200
4201 if (CONFIG->TEST) {
4202 /* Override log level for config test */
4203 CONFIG->LOG_LEVEL = 3;
4204 fprintf(stderr, "Trying to initialize SSL contexts with your"
4205 " certificates\n");
4206 init_globals();
4207 init_openssl();
4208 init_certs();
4209 fprintf(stderr, "%s configuration looks ok.\n",
4210 basename(argv[0]));
4211 return (0);
4212 }
4213
4214 LOGL("{core} %s starting\n", PACKAGE_STRING);
4215 create_workers = 1;
4216
4217 openssl_check_version();
4218
4219 init_signals();
4220 init_globals();
4221 init_openssl();
4222
4223 HASH_ITER(hh, CONFIG->LISTEN_ARGS, fa, ftmp) {
4224 struct frontend *fr = create_frontend(fa);
4225 if (fr == NULL)
4226 exit(1);
4227 VTAILQ_INSERT_TAIL(&frontends, fr, list);
4228 }
4229
4230 /* load certificates, pass to handle_connections */
4231 LOGL("{core} Loading certificate pem files (%d)\n",
4232 HASH_COUNT(CONFIG->CERT_FILES) + 1); /* XXX: TODO */
4233 init_certs();
4234
4235 #ifdef USE_SHARED_CACHE
4236 if (CONFIG->SHCUPD_PORT) {
4237 /* create socket to send(children) and
4238 receive(parent) cache updates */
4239 shcupd_socket = create_shcupd_socket();
4240 }
4241 #endif /* USE_SHARED_CACHE */
4242
4243 if (CONFIG->CHROOT && CONFIG->CHROOT[0] && geteuid() != 0) {
4244 ERR("{core} ERROR: chroot requires hitch to be"
4245 " started as root.\n");
4246 exit(1);
4247 }
4248
4249 if (geteuid() == 0 && CONFIG->UID < 0) {
4250 ERR("{core} ERROR: Refusing to run workers as root.\n");
4251 exit(1);
4252 }
4253
4254 if (CONFIG->DAEMONIZE) {
4255 if (!CONFIG->SYSLOG && !CONFIG->LOG_FILENAME) {
4256 LOG("{core} Warning: daemonizing with neither "
4257 "'syslog' nor 'log-filename' configured: "
4258 "Hitch will not produce log messages.\n");
4259 }
4260 if (logfile == stdout || logfile == stderr)
4261 logfile = NULL;
4262 if (daemon(0, 0) == -1) {
4263 ERR("Unable to daemonize: %s\n", strerror(errno));
4264 exit(1);
4265 }
4266 }
4267
4268 /* Reset master_pid in case we daemonized */
4269 master_pid = getpid();
4270
4271 if (CONFIG->PIDFILE) {
4272 pfh = VPF_Open(CONFIG->PIDFILE, 0644, NULL);
4273 if (pfh == NULL) {
4274 ERR("FATAL: Could not open pid (-p) file (%s): %s\n",
4275 CONFIG->PIDFILE, strerror(errno));
4276 exit(1);
4277 }
4278
4279 AZ(VPF_Write(pfh));
4280 atexit(remove_pfh);
4281 }
4282
4283 start_workers(0, CONFIG->NCORES);
4284
4285 if (CONFIG->DEBUG_LISTEN_ADDR) {
4286 listen_endpoint_print(CONFIG->DEBUG_LISTEN_ADDR);
4287 }
4288
4289 if (CONFIG->OCSP_DIR != NULL)
4290 start_ocsp_proc();
4291
4292 #ifdef USE_SHARED_CACHE
4293 if (CONFIG->SHCUPD_PORT) {
4294 /* start event loop to receive cache updates */
4295 loop = ev_default_loop(EVFLAG_AUTO);
4296 ev_io_init(&shcupd_listener, handle_shcupd, shcupd_socket,
4297 EV_READ);
4298 ev_io_start(loop, &shcupd_listener);
4299 }
4300 #endif /* USE_SHARED_CACHE */
4301
4302 LOGL("{core} %s initialization complete\n", PACKAGE_STRING);
4303 for (;;) {
4304 #ifdef USE_SHARED_CACHE
4305 if (CONFIG->SHCUPD_PORT) {
4306 while (n_sighup == 0 && n_sigchld == 0) {
4307 /* event loop to receive cache updates */
4308 ev_loop(loop, EVRUN_ONCE);
4309 }
4310 } else
4311 sleep_and_refresh(CONFIG);
4312 #else
4313
4314 sleep_and_refresh(CONFIG);
4315 /* Sleep and let the children work.
4316 * Parent will be woken up if a signal arrives */
4317 #endif /* USE_SHARED_CACHE */
4318
4319 while (n_sighup != 0) {
4320 n_sighup = 0;
4321 reconfigure(argc, argv);
4322 }
4323
4324 while (n_sigchld != 0) {
4325 n_sigchld = 0;
4326 do_wait();
4327 }
4328 }
4329
4330 exit(0); /* just a formality; we never get here */
4331 }