2020-04-13 04:07:07 +02:00
|
|
|
// The Construct
|
|
|
|
//
|
|
|
|
// Copyright (C) The Construct Developers, Authors & Contributors
|
|
|
|
// Copyright (C) 2016-2020 Jason Volk <jason@zemos.net>
|
|
|
|
//
|
|
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
|
|
// copyright notice and this permission notice is present in all copies. The
|
|
|
|
// full license for this software is available in the LICENSE file.
|
|
|
|
|
|
|
|
/// Option to indicate if any listener sockets should be allowed to bind. If
|
|
|
|
/// false then no listeners should bind. This is only effective on startup
|
|
|
|
/// unless a conf item updated function is implemented here.
|
|
|
|
decltype(ircd::net::listen)
|
|
|
|
ircd::net::listen
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.listen" },
|
|
|
|
{ "default", true },
|
|
|
|
{ "persist", false },
|
|
|
|
};
|
|
|
|
|
|
|
|
bool
|
|
|
|
ircd::net::stop(acceptor &a)
|
|
|
|
{
|
|
|
|
a.close();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
|
|
|
ircd::net::start(acceptor &a)
|
|
|
|
{
|
|
|
|
if(!a.a.is_open())
|
|
|
|
a.open();
|
|
|
|
|
|
|
|
allow(a);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
|
|
|
ircd::net::allow(acceptor &a)
|
|
|
|
{
|
|
|
|
if(unlikely(!a.a.is_open()))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if(a.accepting > 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
a.set_handle();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::string_view
|
|
|
|
ircd::net::loghead(const acceptor &a)
|
|
|
|
{
|
|
|
|
thread_local char buf[512];
|
|
|
|
return loghead(buf, a);
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::string_view
|
|
|
|
ircd::net::loghead(const mutable_buffer &out,
|
|
|
|
const acceptor &a)
|
|
|
|
{
|
2020-12-21 15:43:15 +01:00
|
|
|
char addrbuf[128];
|
2020-04-13 04:07:07 +02:00
|
|
|
return fmt::sprintf
|
|
|
|
{
|
|
|
|
out, "[%s] @ [%s]:%u",
|
|
|
|
name(a),
|
|
|
|
string(addrbuf, a.ep.address()),
|
|
|
|
a.ep.port(),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t
|
|
|
|
ircd::net::accepting_count(const acceptor &a)
|
|
|
|
{
|
|
|
|
return a.accepting;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t
|
|
|
|
ircd::net::handshaking_count(const acceptor &a)
|
|
|
|
{
|
|
|
|
return a.handshaking.size();
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t
|
|
|
|
ircd::net::handshaking_count(const acceptor &a,
|
|
|
|
const ipaddr &ipaddr)
|
|
|
|
{
|
|
|
|
return std::count_if(begin(a.handshaking), end(a.handshaking), [&ipaddr]
|
|
|
|
(const auto &socket_p)
|
|
|
|
{
|
|
|
|
return remote_ipport(*socket_p) == ipaddr;
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::ipport
|
|
|
|
ircd::net::local(const acceptor &a)
|
|
|
|
{
|
|
|
|
return make_ipport(a.a.local_endpoint());
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::ipport
|
|
|
|
ircd::net::binder(const acceptor &a)
|
|
|
|
{
|
|
|
|
return make_ipport(a.ep);
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::string_view
|
|
|
|
ircd::net::name(const acceptor &a)
|
|
|
|
{
|
|
|
|
return a.name;
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::json::object
|
|
|
|
ircd::net::config(const acceptor &a)
|
|
|
|
{
|
|
|
|
return a.opts;
|
|
|
|
}
|
|
|
|
|
|
|
|
std::string
|
|
|
|
ircd::net::cipher_list(const acceptor &a)
|
|
|
|
{
|
2020-11-03 20:30:15 +01:00
|
|
|
auto &ssl(mutable_cast(a).ssl);
|
2020-04-13 04:07:07 +02:00
|
|
|
return openssl::cipher_list(*ssl.native_handle());
|
|
|
|
}
|
|
|
|
|
|
|
|
//
|
|
|
|
// listener::listener
|
|
|
|
//
|
|
|
|
|
|
|
|
ircd::net::listener::listener(const string_view &name,
|
|
|
|
const std::string &opts,
|
|
|
|
callback cb,
|
|
|
|
proffer pcb)
|
|
|
|
:listener
|
|
|
|
{
|
|
|
|
name,
|
|
|
|
json::object{opts},
|
|
|
|
std::move(cb),
|
|
|
|
std::move(pcb)
|
|
|
|
}
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::listener::listener(const string_view &name,
|
|
|
|
const json::object &opts,
|
|
|
|
callback cb,
|
|
|
|
proffer pcb)
|
|
|
|
:acceptor
|
|
|
|
{
|
|
|
|
std::make_shared<struct acceptor>
|
|
|
|
(
|
|
|
|
*this,
|
|
|
|
name,
|
|
|
|
opts,
|
|
|
|
std::move(cb),
|
|
|
|
std::move(pcb)
|
|
|
|
)
|
|
|
|
}
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Cancels all pending accepts and handshakes and waits (yields ircd::ctx)
|
|
|
|
/// until report.
|
|
|
|
///
|
|
|
|
ircd::net::listener::~listener()
|
|
|
|
noexcept
|
|
|
|
{
|
|
|
|
if(acceptor)
|
|
|
|
acceptor->close();
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::string_view
|
|
|
|
ircd::net::listener::name()
|
|
|
|
const
|
|
|
|
{
|
|
|
|
const net::acceptor &a(*this);
|
|
|
|
return net::name(a);
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::listener::operator
|
|
|
|
ircd::json::object()
|
|
|
|
const
|
|
|
|
{
|
|
|
|
const net::acceptor &a(*this);
|
|
|
|
return net::config(a);
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::listener::operator
|
|
|
|
net::acceptor &()
|
|
|
|
{
|
|
|
|
assert(acceptor);
|
|
|
|
return *acceptor;
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::listener::operator
|
|
|
|
const net::acceptor &()
|
|
|
|
const
|
|
|
|
{
|
|
|
|
assert(acceptor);
|
|
|
|
return *acceptor;
|
|
|
|
}
|
|
|
|
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
|
|
// net/acceptor.h
|
|
|
|
//
|
|
|
|
|
|
|
|
decltype(ircd::net::acceptor::log)
|
|
|
|
ircd::net::acceptor::log
|
|
|
|
{
|
|
|
|
"net.listen"
|
|
|
|
};
|
|
|
|
|
2022-06-15 18:36:03 +02:00
|
|
|
[[clang::always_destroy]]
|
2020-12-18 05:27:44 +01:00
|
|
|
decltype(ircd::net::acceptor::accept_desc)
|
|
|
|
ircd::net::acceptor::accept_desc
|
|
|
|
{
|
|
|
|
"ircd.net.acceptor.accept"
|
|
|
|
};
|
|
|
|
|
2022-06-15 18:36:03 +02:00
|
|
|
[[clang::always_destroy]]
|
2020-12-18 05:27:44 +01:00
|
|
|
decltype(ircd::net::acceptor::handshake_desc)
|
|
|
|
ircd::net::acceptor::handshake_desc
|
|
|
|
{
|
|
|
|
"ircd.net.acceptor.handshake"
|
|
|
|
};
|
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
decltype(ircd::net::acceptor::timeout)
|
|
|
|
ircd::net::acceptor::timeout
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.timeout" },
|
|
|
|
{ "default", 12000L },
|
|
|
|
};
|
|
|
|
|
|
|
|
/// The number of simultaneous handshakes we conduct across all clients.
|
|
|
|
decltype(ircd::net::acceptor::handshaking_max)
|
|
|
|
ircd::net::acceptor::handshaking_max
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.handshaking.max" },
|
|
|
|
{ "default", 1024L },
|
|
|
|
};
|
|
|
|
|
|
|
|
/// The number of simultaneous handshakes we conduct for a single peer (which
|
|
|
|
/// is an IP without a port in this context). This prevents a peer from
|
|
|
|
/// reaching the handshaking.max limit to DoS out other peers.
|
|
|
|
decltype(ircd::net::acceptor::handshaking_max_per_peer)
|
|
|
|
ircd::net::acceptor::handshaking_max_per_peer
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.handshaking.max_per_peer" },
|
|
|
|
{ "default", 16L },
|
|
|
|
};
|
|
|
|
|
|
|
|
decltype(ircd::net::acceptor::ssl_curve_list)
|
|
|
|
ircd::net::acceptor::ssl_curve_list
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.ssl.curve.list" },
|
|
|
|
{ "default", string_view{ircd::net::ssl_curve_list} },
|
|
|
|
};
|
|
|
|
|
|
|
|
decltype(ircd::net::acceptor::ssl_cipher_list)
|
|
|
|
ircd::net::acceptor::ssl_cipher_list
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.ssl.cipher.list" },
|
|
|
|
{ "default", string_view{ircd::net::ssl_cipher_list} },
|
|
|
|
};
|
|
|
|
|
|
|
|
decltype(ircd::net::acceptor::ssl_cipher_blacklist)
|
|
|
|
ircd::net::acceptor::ssl_cipher_blacklist
|
|
|
|
{
|
|
|
|
{ "name", "ircd.net.acceptor.ssl.cipher.blacklist" },
|
|
|
|
{ "default", string_view{ircd::net::ssl_cipher_blacklist} },
|
|
|
|
};
|
|
|
|
|
|
|
|
//
|
|
|
|
// acceptor::acceptor
|
|
|
|
//
|
|
|
|
|
|
|
|
ircd::net::acceptor::acceptor(net::listener &listener,
|
|
|
|
const string_view &name,
|
|
|
|
const json::object &opts,
|
|
|
|
listener::callback cb,
|
|
|
|
listener::proffer pcb)
|
|
|
|
try
|
2023-03-08 17:36:04 +01:00
|
|
|
:name
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
|
|
|
name
|
|
|
|
}
|
|
|
|
,opts
|
|
|
|
{
|
|
|
|
opts
|
|
|
|
}
|
|
|
|
,backlog
|
|
|
|
{
|
|
|
|
//TODO: XXX
|
|
|
|
//boost::asio::ip::tcp::socket::max_connections <-- linkage failed?
|
|
|
|
std::min(opts.get<uint>("backlog", SOMAXCONN), uint(SOMAXCONN))
|
|
|
|
}
|
|
|
|
,cb
|
|
|
|
{
|
|
|
|
std::move(cb)
|
|
|
|
}
|
|
|
|
,pcb
|
|
|
|
{
|
|
|
|
pcb?
|
|
|
|
std::move(pcb):
|
|
|
|
proffer_default
|
|
|
|
}
|
2022-07-08 07:07:59 +02:00
|
|
|
,filter
|
|
|
|
{
|
|
|
|
const_buffer
|
|
|
|
{
|
|
|
|
nullptr, nullptr
|
|
|
|
},
|
|
|
|
}
|
2020-04-13 04:07:07 +02:00
|
|
|
,ssl
|
|
|
|
{
|
|
|
|
asio::ssl::context::method::sslv23_server
|
|
|
|
}
|
|
|
|
,ep
|
|
|
|
{
|
|
|
|
make_address(unquote(opts.get("host", "*"_sv))),
|
|
|
|
opts.at<uint16_t>("port")
|
|
|
|
}
|
|
|
|
,a
|
|
|
|
{
|
|
|
|
ios::get()
|
|
|
|
}
|
2023-03-18 19:34:45 +01:00
|
|
|
,secure
|
|
|
|
{
|
|
|
|
configure(opts)
|
|
|
|
}
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
|
|
|
open();
|
|
|
|
}
|
|
|
|
catch(const boost::system::system_error &e)
|
|
|
|
{
|
|
|
|
throw_system_error(e);
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::net::acceptor::~acceptor()
|
|
|
|
noexcept
|
|
|
|
{
|
|
|
|
if(accepting || !handshaking.empty())
|
|
|
|
log::critical
|
|
|
|
{
|
|
|
|
"The acceptor must not have clients during destruction!"
|
|
|
|
" (accepting:%zu handshaking:%zu)",
|
|
|
|
accepting,
|
|
|
|
handshaking.size(),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::open()
|
|
|
|
{
|
|
|
|
static const auto &max_connections
|
|
|
|
{
|
|
|
|
//TODO: XXX
|
|
|
|
//boost::asio::ip::tcp::socket::max_connections <-- linkage failed?
|
|
|
|
std::min(json::object(opts).get<uint>("max_connections", SOMAXCONN), uint(SOMAXCONN))
|
|
|
|
};
|
|
|
|
|
|
|
|
static const ip::tcp::acceptor::reuse_address reuse_address
|
|
|
|
{
|
|
|
|
true
|
|
|
|
};
|
|
|
|
|
|
|
|
assert(!interrupting);
|
|
|
|
interrupting = false;
|
|
|
|
a.open(ep.protocol());
|
|
|
|
a.set_option(reuse_address);
|
|
|
|
a.non_blocking(true);
|
|
|
|
log::debug
|
|
|
|
{
|
2022-07-08 07:07:59 +02:00
|
|
|
log, "%s opened listener socket:%d",
|
|
|
|
loghead(*this),
|
|
|
|
int(a.native_handle()),
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
2022-07-08 07:07:59 +02:00
|
|
|
if(filter)
|
|
|
|
{
|
|
|
|
net::attach(a.native_handle(), filter.fd);
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s attach filter fd:%d",
|
|
|
|
loghead(*this),
|
|
|
|
int(filter.fd),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
a.bind(ep);
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s bound listener socket",
|
|
|
|
loghead(*this)
|
|
|
|
};
|
|
|
|
|
|
|
|
a.listen(backlog);
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s listening (backlog: %lu, max connections: %zu)",
|
|
|
|
loghead(*this),
|
|
|
|
backlog,
|
|
|
|
max_connections
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::close()
|
|
|
|
{
|
|
|
|
if(!interrupting)
|
|
|
|
interrupt();
|
|
|
|
|
|
|
|
if(a.is_open())
|
|
|
|
a.close();
|
|
|
|
|
|
|
|
for(const auto &sock : handshaking)
|
|
|
|
sock->cancel();
|
|
|
|
|
|
|
|
join();
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s listener finished",
|
|
|
|
loghead(*this)
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::join()
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
if(!interrupting)
|
|
|
|
interrupt();
|
|
|
|
|
|
|
|
if(!ctx::current)
|
|
|
|
return;
|
|
|
|
|
2022-06-24 04:18:05 +02:00
|
|
|
joining.wait([this]() noexcept
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
|
|
|
return !accepting && handshaking.empty();
|
|
|
|
});
|
|
|
|
|
|
|
|
interrupting = false;
|
|
|
|
}
|
|
|
|
catch(const std::exception &e)
|
|
|
|
{
|
|
|
|
log::error
|
|
|
|
{
|
|
|
|
log, "acceptor(%p) join :%s",
|
|
|
|
this,
|
|
|
|
e.what()
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
|
|
|
ircd::net::acceptor::interrupt()
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
if(interrupting)
|
|
|
|
return false;
|
|
|
|
|
2020-06-13 04:14:07 +02:00
|
|
|
if(!a.is_open())
|
|
|
|
return false;
|
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
interrupting = true;
|
|
|
|
a.cancel();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
catch(const boost::system::system_error &e)
|
|
|
|
{
|
|
|
|
log::error
|
|
|
|
{
|
|
|
|
log, "acceptor(%p) interrupt :%s",
|
|
|
|
this,
|
|
|
|
string(e)
|
|
|
|
};
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Sets the next asynchronous handler to start the next accept sequence.
|
|
|
|
/// Each call to next() sets one handler which handles the connect for one
|
|
|
|
/// socket. After the connect, an asynchronous SSL handshake handler is set
|
|
|
|
/// for the socket.
|
|
|
|
bool
|
|
|
|
ircd::net::acceptor::set_handle()
|
|
|
|
try
|
|
|
|
{
|
|
|
|
const auto &sock
|
|
|
|
{
|
2023-03-18 19:34:45 +01:00
|
|
|
secure?
|
|
|
|
std::make_shared<ircd::socket>(ssl):
|
|
|
|
std::make_shared<ircd::socket>()
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
auto handler
|
|
|
|
{
|
|
|
|
std::bind(&acceptor::accept, this, ph::_1, sock)
|
|
|
|
};
|
|
|
|
|
2023-02-08 06:41:32 +01:00
|
|
|
sock->local = ep;
|
2020-04-13 04:07:07 +02:00
|
|
|
ip::tcp::socket &sd(*sock);
|
2023-03-19 22:12:00 +01:00
|
|
|
a.async_accept(sd, sock->remote, ios::handle(accept_desc, std::move(handler)));
|
2020-04-13 04:07:07 +02:00
|
|
|
++accepting;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
catch(const std::exception &e)
|
|
|
|
{
|
|
|
|
throw panic
|
|
|
|
{
|
|
|
|
"%s :%s",
|
|
|
|
loghead(*this),
|
|
|
|
e.what()
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Callback for a socket connected. This handler then invokes the
|
|
|
|
/// asynchronous SSL handshake sequence.
|
|
|
|
///
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::accept(const error_code &ec,
|
|
|
|
const std::shared_ptr<socket> sock)
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
assert(accepting > 0);
|
|
|
|
assert(accepting == 1); // for now
|
2023-02-08 06:41:32 +01:00
|
|
|
|
2020-12-21 15:43:15 +01:00
|
|
|
char ecbuf[64];
|
2020-04-13 04:07:07 +02:00
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s %s accepted(%zu) %s",
|
|
|
|
loghead(*sock),
|
|
|
|
loghead(*this),
|
|
|
|
accepting,
|
|
|
|
string(ecbuf, ec)
|
|
|
|
};
|
|
|
|
|
|
|
|
--accepting;
|
|
|
|
if(unlikely(!check_accept_error(ec, *sock)))
|
|
|
|
{
|
|
|
|
allow(*this);
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-03-19 22:12:00 +01:00
|
|
|
const auto remote
|
|
|
|
{
|
|
|
|
remote_ipport(*sock)
|
|
|
|
};
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
if(unlikely(secure && !check_handshake_limit(*sock, remote)))
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
|
|
|
allow(*this);
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Call the proffer-callback. This allows the application to check whether
|
|
|
|
// to allow or deny this remote before the handshake, as well as setting
|
|
|
|
// the next accept to shape the kernel's queue.
|
2023-03-08 17:36:04 +01:00
|
|
|
if(!pcb(*this, remote))
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
if(!secure)
|
|
|
|
{
|
|
|
|
accepted(sock);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
static const socket::handshake_type handshake_type
|
|
|
|
{
|
|
|
|
socket::handshake_type::server
|
|
|
|
};
|
|
|
|
|
|
|
|
const auto it
|
|
|
|
{
|
|
|
|
handshaking.emplace(end(handshaking), sock)
|
|
|
|
};
|
|
|
|
|
|
|
|
auto handshake
|
|
|
|
{
|
|
|
|
std::bind(&acceptor::handshake, this, ph::_1, sock, it)
|
|
|
|
};
|
|
|
|
|
|
|
|
sock->set_timeout(milliseconds(timeout));
|
2023-03-18 19:20:57 +01:00
|
|
|
sock->ssl->async_handshake(handshake_type, ios::handle(handshake_desc, std::move(handshake)));
|
2020-05-31 07:27:53 +02:00
|
|
|
assert(!openssl::get_app_data(*sock));
|
|
|
|
openssl::set_app_data(*sock, sock.get());
|
2020-04-13 04:07:07 +02:00
|
|
|
}
|
|
|
|
catch(const ctx::interrupted &e)
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
|
2020-12-21 15:43:15 +01:00
|
|
|
char ecbuf[64];
|
2020-04-13 04:07:07 +02:00
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s acceptor interrupted %s :%s",
|
|
|
|
loghead(*this),
|
|
|
|
loghead(*sock),
|
|
|
|
string(ecbuf, ec)
|
|
|
|
};
|
|
|
|
|
|
|
|
error_code ec_;
|
|
|
|
sock->sd.close(ec_);
|
|
|
|
assert(!ec_);
|
|
|
|
joining.notify_all();
|
|
|
|
}
|
|
|
|
catch(const std::exception &e)
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
log::error
|
|
|
|
{
|
|
|
|
log, "%s acceptor error in accept() %s :%s",
|
|
|
|
loghead(*this),
|
|
|
|
loghead(*sock),
|
|
|
|
e.what()
|
|
|
|
};
|
|
|
|
|
|
|
|
error_code ec_;
|
|
|
|
sock->sd.close(ec_);
|
|
|
|
assert(!ec_);
|
|
|
|
joining.notify_all();
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Error handler for the accept socket callback. This handler determines
|
|
|
|
/// whether or not the handler should return or continue processing the
|
|
|
|
/// result.
|
|
|
|
///
|
|
|
|
bool
|
|
|
|
ircd::net::acceptor::check_accept_error(const error_code &ec,
|
|
|
|
socket &sock)
|
|
|
|
const
|
|
|
|
{
|
|
|
|
using std::errc;
|
|
|
|
|
|
|
|
if(unlikely(interrupting))
|
|
|
|
throw ctx::interrupted();
|
|
|
|
|
|
|
|
if(likely(!ec))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if(system_category(ec)) switch(ec.value())
|
|
|
|
{
|
|
|
|
case int(errc::operation_canceled):
|
|
|
|
throw ctx::interrupted();
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2020-12-21 15:43:15 +01:00
|
|
|
char ecbuf[64];
|
2020-04-13 04:07:07 +02:00
|
|
|
log::derror
|
|
|
|
{
|
|
|
|
log, "%s in accept %s :%s",
|
|
|
|
loghead(*this),
|
|
|
|
loghead(sock),
|
|
|
|
string(ecbuf, ec),
|
|
|
|
};
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Checks performed for whether handshaking limits have been reached before
|
|
|
|
/// allowing a handshake.
|
|
|
|
bool
|
|
|
|
ircd::net::acceptor::check_handshake_limit(socket &sock,
|
|
|
|
const ipport &remote)
|
|
|
|
const
|
|
|
|
{
|
|
|
|
if(unlikely(handshaking_count(*this) >= size_t(handshaking_max)))
|
|
|
|
{
|
|
|
|
log::warning
|
|
|
|
{
|
|
|
|
log, "%s refusing to handshake %s; exceeds maximum of %zu handshakes.",
|
|
|
|
loghead(sock),
|
|
|
|
loghead(*this),
|
|
|
|
size_t(handshaking_max),
|
|
|
|
};
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if(unlikely(handshaking_count(*this, remote) >= size_t(handshaking_max_per_peer)))
|
|
|
|
{
|
|
|
|
log::dwarning
|
|
|
|
{
|
|
|
|
log, "%s refusing to handshake %s; exceeds maximum of %zu handshakes to them.",
|
|
|
|
loghead(sock),
|
|
|
|
loghead(*this),
|
|
|
|
size_t(handshaking_max_per_peer),
|
|
|
|
};
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Default proffer callback which accepts this connection and allows the
|
|
|
|
/// next accept to take place as well. This is generally overriden by a
|
|
|
|
/// user callback to control this behavior.
|
|
|
|
bool
|
2023-03-08 17:36:04 +01:00
|
|
|
ircd::net::acceptor::proffer_default(acceptor &acceptor,
|
2020-04-13 04:07:07 +02:00
|
|
|
const ipport &ipport)
|
|
|
|
{
|
2023-03-08 17:36:04 +01:00
|
|
|
allow(acceptor);
|
2020-04-13 04:07:07 +02:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::handshake(const error_code &ec,
|
|
|
|
const std::shared_ptr<socket> sock,
|
|
|
|
const decltype(handshaking)::const_iterator it)
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
assert(!handshaking.empty());
|
|
|
|
assert(it != end(handshaking));
|
2020-05-31 07:27:53 +02:00
|
|
|
assert(openssl::get_app_data(*sock) == sock.get());
|
2020-04-13 04:07:07 +02:00
|
|
|
|
2023-02-09 20:54:57 +01:00
|
|
|
if constexpr(RB_DEBUG_LEVEL)
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
2023-02-09 20:54:57 +01:00
|
|
|
const auto *const current_cipher
|
|
|
|
{
|
|
|
|
!ec?
|
|
|
|
openssl::current_cipher(*sock):
|
|
|
|
nullptr
|
|
|
|
};
|
2020-04-13 04:07:07 +02:00
|
|
|
|
2023-02-09 20:54:57 +01:00
|
|
|
char ecbuf[64];
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s %s handshook(%zd:%zu) cipher:%s %s",
|
|
|
|
loghead(*sock),
|
|
|
|
loghead(*this),
|
|
|
|
std::distance(cbegin(handshaking), it),
|
|
|
|
handshaking.size(),
|
|
|
|
current_cipher?
|
|
|
|
openssl::name(*current_cipher):
|
|
|
|
"<NO CIPHER>"_sv,
|
|
|
|
string(ecbuf, ec)
|
|
|
|
};
|
|
|
|
}
|
2020-04-13 04:07:07 +02:00
|
|
|
|
|
|
|
handshaking.erase(it);
|
2020-05-31 07:27:53 +02:00
|
|
|
openssl::set_app_data(*sock, nullptr);
|
2020-04-13 04:07:07 +02:00
|
|
|
check_handshake_error(ec, *sock);
|
|
|
|
sock->cancel_timeout();
|
2023-03-18 19:34:45 +01:00
|
|
|
accepted(sock);
|
2020-04-13 04:07:07 +02:00
|
|
|
}
|
|
|
|
catch(const ctx::interrupted &e)
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
2020-12-21 15:43:15 +01:00
|
|
|
char ecbuf[64];
|
2020-04-13 04:07:07 +02:00
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s SSL handshake interrupted %s %s",
|
|
|
|
loghead(*sock),
|
|
|
|
loghead(*this),
|
|
|
|
string(ecbuf, ec)
|
|
|
|
};
|
|
|
|
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
joining.notify_all();
|
|
|
|
}
|
|
|
|
catch(const std::system_error &e)
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
log::derror
|
|
|
|
{
|
|
|
|
log, "%s %s in handshake() :%s",
|
|
|
|
loghead(*sock),
|
|
|
|
loghead(*this),
|
|
|
|
e.what()
|
|
|
|
};
|
|
|
|
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
joining.notify_all();
|
|
|
|
}
|
|
|
|
catch(const std::exception &e)
|
|
|
|
{
|
|
|
|
assert(bool(sock));
|
|
|
|
log::error
|
|
|
|
{
|
|
|
|
log, "%s %s in handshake() :%s",
|
|
|
|
loghead(*sock),
|
|
|
|
loghead(*this),
|
|
|
|
e.what()
|
|
|
|
};
|
|
|
|
|
|
|
|
net::close(*sock, dc::RST, close_ignore);
|
|
|
|
joining.notify_all();
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Error handler for the SSL handshake callback. This handler determines
|
|
|
|
/// whether or not the handler should return or continue processing the
|
|
|
|
/// result.
|
|
|
|
///
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::check_handshake_error(const error_code &ec,
|
|
|
|
socket &sock)
|
|
|
|
const
|
|
|
|
{
|
|
|
|
using std::errc;
|
|
|
|
|
|
|
|
if(unlikely(interrupting))
|
|
|
|
throw ctx::interrupted();
|
|
|
|
|
|
|
|
if(likely(system_category(ec))) switch(ec.value())
|
|
|
|
{
|
|
|
|
case 0:
|
|
|
|
return;
|
|
|
|
|
|
|
|
case int(errc::operation_canceled):
|
|
|
|
if(sock.timedout)
|
|
|
|
throw_system_error(errc::timed_out);
|
|
|
|
else
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
throw_system_error(ec);
|
|
|
|
__builtin_unreachable();
|
|
|
|
}
|
|
|
|
|
|
|
|
ircd::string_view
|
2020-05-31 07:27:53 +02:00
|
|
|
ircd::net::acceptor::handle_alpn(socket &socket,
|
2020-04-13 04:07:07 +02:00
|
|
|
const vector_view<const string_view> &in)
|
|
|
|
{
|
|
|
|
if(empty(in))
|
|
|
|
return {};
|
|
|
|
|
|
|
|
log::debug
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
log, "%s %s offered %zu ALPN protocols",
|
|
|
|
loghead(socket),
|
2020-04-13 04:07:07 +02:00
|
|
|
loghead(*this),
|
|
|
|
size(in),
|
|
|
|
};
|
|
|
|
|
2023-02-18 04:10:06 +01:00
|
|
|
if constexpr(debug_alpn)
|
|
|
|
for(size_t i(0); i < size(in); ++i)
|
2020-04-13 04:07:07 +02:00
|
|
|
{
|
2023-02-18 04:10:06 +01:00
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s ALPN protocol %zu of %zu: '%s'",
|
|
|
|
loghead(socket),
|
|
|
|
i,
|
|
|
|
size(in),
|
|
|
|
in[i],
|
|
|
|
};
|
|
|
|
}
|
2020-04-13 04:07:07 +02:00
|
|
|
|
2020-04-15 20:49:26 +02:00
|
|
|
//NOTE: proto == "h2" condition goes here
|
|
|
|
for(const auto &proto : in)
|
|
|
|
if(proto == "http/1.1")
|
2020-05-31 08:08:09 +02:00
|
|
|
{
|
|
|
|
strlcpy(socket.alpn, proto);
|
2020-04-15 20:49:26 +02:00
|
|
|
return proto;
|
2020-05-31 08:08:09 +02:00
|
|
|
}
|
2020-04-15 20:49:26 +02:00
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
return {};
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ircd_net_acceptor_handle_alpn(SSL *const s,
|
|
|
|
const unsigned char **out,
|
|
|
|
unsigned char *const outlen,
|
|
|
|
const unsigned char *const in,
|
|
|
|
unsigned int inlen,
|
|
|
|
void *const arg)
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
static const size_t PROTOS_MAX
|
|
|
|
{
|
|
|
|
8
|
|
|
|
};
|
|
|
|
|
|
|
|
auto &acceptor
|
|
|
|
{
|
|
|
|
*reinterpret_cast<ircd::net::acceptor *>(arg)
|
|
|
|
};
|
|
|
|
|
|
|
|
size_t p(0), i(0);
|
|
|
|
ircd::string_view protos[PROTOS_MAX];
|
|
|
|
while(i < inlen && p < PROTOS_MAX)
|
|
|
|
{
|
|
|
|
const uint8_t &len(in[i++]);
|
|
|
|
if(unlikely(!len || i + len >= inlen))
|
|
|
|
break;
|
|
|
|
|
|
|
|
protos[p++] = ircd::string_view
|
|
|
|
{
|
|
|
|
reinterpret_cast<const char *>(in + i), len
|
|
|
|
};
|
|
|
|
|
|
|
|
i += len;
|
|
|
|
}
|
|
|
|
|
|
|
|
const ircd::vector_view<const ircd::string_view> vec
|
|
|
|
{
|
|
|
|
protos, p
|
|
|
|
};
|
|
|
|
|
2020-05-31 07:27:53 +02:00
|
|
|
assert(s);
|
|
|
|
assert(ircd::openssl::get_app_data(*s));
|
|
|
|
if(unlikely(!ircd::openssl::get_app_data(*s)))
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
|
|
|
|
auto &socket
|
|
|
|
{
|
|
|
|
*static_cast<ircd::net::socket *>(ircd::openssl::get_app_data(*s))
|
|
|
|
};
|
|
|
|
|
2020-04-13 04:07:07 +02:00
|
|
|
const ircd::string_view sel
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
acceptor.handle_alpn(socket, vec)
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
if(!sel)
|
|
|
|
return SSL_TLSEXT_ERR_NOACK;
|
|
|
|
|
|
|
|
*out = reinterpret_cast<const unsigned char *>(data(sel));
|
|
|
|
*outlen = size(sel);
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
}
|
|
|
|
catch(const std::exception &)
|
|
|
|
{
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
ircd::log::critical
|
|
|
|
{
|
|
|
|
ircd::net::acceptor::log,
|
|
|
|
"Acceptor ALPN callback unhandled."
|
|
|
|
};
|
|
|
|
|
|
|
|
ircd::terminate();
|
|
|
|
__builtin_unreachable();
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
2020-05-31 07:27:53 +02:00
|
|
|
ircd::net::acceptor::handle_sni(socket &socket,
|
2020-04-13 04:07:07 +02:00
|
|
|
int &client_server)
|
|
|
|
try
|
|
|
|
{
|
|
|
|
const string_view &name
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
openssl::server_name(socket)
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
if(!name)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
const bool accepts
|
|
|
|
{
|
2023-02-24 04:15:20 +01:00
|
|
|
name == this->cname
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
if(!accepts)
|
|
|
|
{
|
|
|
|
log::dwarning
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
log, "%s %s unrecognized SNI '%s' offered.",
|
|
|
|
loghead(socket),
|
2020-04-13 04:07:07 +02:00
|
|
|
loghead(*this),
|
|
|
|
name,
|
|
|
|
};
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
log::debug
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
log, "%s %s offered SNI '%s'",
|
|
|
|
loghead(socket),
|
2020-04-13 04:07:07 +02:00
|
|
|
loghead(*this),
|
2020-05-31 07:27:53 +02:00
|
|
|
name,
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
catch(const sni_warning &e)
|
|
|
|
{
|
|
|
|
log::warning
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
log, "%s %s during SNI :%s",
|
|
|
|
loghead(socket),
|
2020-04-13 04:07:07 +02:00
|
|
|
loghead(*this),
|
2020-05-31 07:27:53 +02:00
|
|
|
e.what(),
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
throw;
|
|
|
|
}
|
|
|
|
catch(const std::exception &e)
|
|
|
|
{
|
|
|
|
log::error
|
|
|
|
{
|
2020-05-31 07:27:53 +02:00
|
|
|
log, "%s %s during SNI :%s",
|
|
|
|
loghead(socket),
|
2020-04-13 04:07:07 +02:00
|
|
|
loghead(*this),
|
2020-05-31 07:27:53 +02:00
|
|
|
e.what(),
|
2020-04-13 04:07:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
throw;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ircd_net_acceptor_handle_sni(SSL *const s,
|
|
|
|
int *const i,
|
|
|
|
void *const a)
|
|
|
|
noexcept try
|
|
|
|
{
|
|
|
|
if(unlikely(!s || !i || !a))
|
|
|
|
throw ircd::panic
|
|
|
|
{
|
|
|
|
"Missing arguments to callback s:%p i:%p a:%p", s, i, a
|
|
|
|
};
|
|
|
|
|
|
|
|
auto &acceptor
|
|
|
|
{
|
|
|
|
*reinterpret_cast<ircd::net::acceptor *>(a)
|
|
|
|
};
|
|
|
|
|
2020-05-31 07:27:53 +02:00
|
|
|
assert(s);
|
|
|
|
assert(ircd::openssl::get_app_data(*s));
|
|
|
|
if(unlikely(!ircd::openssl::get_app_data(*s)))
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
|
|
|
|
auto &socket
|
|
|
|
{
|
|
|
|
*static_cast<ircd::net::socket *>(ircd::openssl::get_app_data(*s))
|
|
|
|
};
|
|
|
|
|
|
|
|
return acceptor.handle_sni(socket, *i)?
|
2020-04-13 04:07:07 +02:00
|
|
|
SSL_TLSEXT_ERR_OK:
|
|
|
|
SSL_TLSEXT_ERR_NOACK;
|
|
|
|
}
|
|
|
|
catch(const ircd::net::acceptor::sni_warning &)
|
|
|
|
{
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_WARNING;
|
|
|
|
}
|
|
|
|
catch(const std::exception &)
|
|
|
|
{
|
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
}
|
|
|
|
catch(...)
|
|
|
|
{
|
|
|
|
ircd::log::critical
|
|
|
|
{
|
|
|
|
ircd::net::acceptor::log,
|
|
|
|
"Acceptor SNI callback unhandled."
|
|
|
|
};
|
|
|
|
|
|
|
|
ircd::terminate();
|
|
|
|
__builtin_unreachable();
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2023-03-18 19:34:45 +01:00
|
|
|
ircd::net::acceptor::accepted(const std::shared_ptr<socket> &sock)
|
|
|
|
{
|
|
|
|
assert(bool(cb));
|
|
|
|
assert(bool(sock));
|
|
|
|
|
2023-03-20 02:34:43 +01:00
|
|
|
#if !defined(BSD_BASED_OS)
|
2023-03-18 19:34:45 +01:00
|
|
|
// Toggles the behavior of non-async functions; see func comment
|
2023-03-20 02:34:43 +01:00
|
|
|
// This is not needed on BSD because the socket inherits the listener's
|
|
|
|
// non-blocking disposition.
|
2023-03-18 19:34:45 +01:00
|
|
|
blocking(*sock, false);
|
2023-03-20 02:34:43 +01:00
|
|
|
#endif
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
cb(*this, sock);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
2020-04-13 04:07:07 +02:00
|
|
|
ircd::net::acceptor::configure(const json::object &opts)
|
|
|
|
{
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s preparing listener socket configuration...",
|
|
|
|
loghead(*this)
|
|
|
|
};
|
|
|
|
|
|
|
|
configure_flags(opts);
|
2023-03-18 19:34:45 +01:00
|
|
|
if(!configure_certs(opts))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
configure_password(opts);
|
2020-04-13 04:07:07 +02:00
|
|
|
configure_ciphers(opts);
|
|
|
|
configure_curves(opts);
|
2023-03-18 19:10:34 +01:00
|
|
|
configure_sni(opts);
|
|
|
|
log::debug
|
|
|
|
{
|
|
|
|
log, "%s configured listener SSL",
|
|
|
|
loghead(*this)
|
|
|
|
};
|
2023-03-18 19:34:45 +01:00
|
|
|
|
|
|
|
return true;
|
2023-03-18 19:10:34 +01:00
|
|
|
}
|
2020-04-13 04:07:07 +02:00
|
|
|
|
2023-03-18 19:10:34 +01:00
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_sni(const json::object &opts)
|
|
|
|
{
|
2020-04-13 04:07:07 +02:00
|
|
|
SSL_CTX_set_alpn_select_cb(ssl.native_handle(), ircd_net_acceptor_handle_alpn, this);
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ssl.native_handle(), ircd_net_acceptor_handle_sni);
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ssl.native_handle(), this);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_flags(const json::object &opts)
|
|
|
|
{
|
|
|
|
ulong flags(0);
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_default_workarounds", false))
|
|
|
|
flags |= ssl.default_workarounds;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_single_dh_use", false))
|
|
|
|
flags |= ssl.single_dh_use;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_no_sslv2", false))
|
|
|
|
flags |= ssl.no_sslv2;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_no_sslv3", false))
|
|
|
|
flags |= ssl.no_sslv3;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_no_tlsv1", false))
|
|
|
|
flags |= ssl.no_tlsv1;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_no_tlsv1_1", false))
|
|
|
|
flags |= ssl.no_tlsv1_1;
|
|
|
|
|
|
|
|
if(opts.get<bool>("ssl_no_tlsv1_2", false))
|
|
|
|
flags |= ssl.no_tlsv1_2;
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
if(flags)
|
|
|
|
ssl.set_options(flags);
|
2020-04-13 04:07:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_ciphers(const json::object &opts)
|
|
|
|
{
|
|
|
|
if(!empty(unquote(opts["ssl_cipher_list"])))
|
|
|
|
{
|
|
|
|
const json::string &list
|
|
|
|
{
|
|
|
|
opts["ssl_cipher_list"]
|
|
|
|
};
|
|
|
|
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
openssl::set_cipher_list(*ssl.native_handle(), list);
|
|
|
|
}
|
|
|
|
else if(!empty(string_view(ssl_cipher_list)))
|
|
|
|
{
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
const string_view &list
|
|
|
|
{
|
|
|
|
ssl_cipher_list
|
|
|
|
};
|
|
|
|
|
|
|
|
openssl::set_cipher_list(*ssl.native_handle(), list);
|
|
|
|
}
|
|
|
|
else if(!empty(string_view(ssl_cipher_blacklist)))
|
|
|
|
{
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
|
|
|
|
std::stringstream res;
|
|
|
|
const string_view &blacklist
|
|
|
|
{
|
|
|
|
ssl_cipher_blacklist
|
|
|
|
};
|
|
|
|
|
|
|
|
const auto ciphers
|
|
|
|
{
|
|
|
|
openssl::cipher_list(*ssl.native_handle(), 0)
|
|
|
|
};
|
|
|
|
|
|
|
|
ircd::tokens(ciphers, ':', [&res, &blacklist]
|
|
|
|
(const string_view &cipher)
|
|
|
|
{
|
|
|
|
assert(cipher);
|
|
|
|
if(!has(blacklist, cipher))
|
|
|
|
res << cipher << ':';
|
|
|
|
});
|
|
|
|
|
|
|
|
std::string list(res.str());
|
|
|
|
assert(list.empty() || list.back() == ':');
|
|
|
|
list.pop_back();
|
|
|
|
|
|
|
|
openssl::set_cipher_list(*ssl.native_handle(), list);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_curves(const json::object &opts)
|
|
|
|
{
|
|
|
|
if(!empty(unquote(opts["ssl_curve_list"])))
|
|
|
|
{
|
|
|
|
const json::string &list
|
|
|
|
{
|
|
|
|
opts["ssl_curve_list"]
|
|
|
|
};
|
|
|
|
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
openssl::set_curves(*ssl.native_handle(), list);
|
|
|
|
}
|
|
|
|
else if(!empty(string_view(ssl_curve_list)))
|
|
|
|
{
|
|
|
|
const string_view &list
|
|
|
|
{
|
|
|
|
ssl_curve_list
|
|
|
|
};
|
|
|
|
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
openssl::set_curves(*ssl.native_handle(), list);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
bool
|
2020-04-13 04:07:07 +02:00
|
|
|
ircd::net::acceptor::configure_certs(const json::object &opts)
|
|
|
|
{
|
2023-03-18 19:34:45 +01:00
|
|
|
uint ret(0);
|
2020-04-13 04:07:07 +02:00
|
|
|
if(!empty(unquote(opts["certificate_chain_path"])))
|
|
|
|
{
|
|
|
|
const json::string filename
|
|
|
|
{
|
|
|
|
opts["certificate_chain_path"]
|
|
|
|
};
|
|
|
|
|
|
|
|
if(!fs::exists(filename))
|
|
|
|
throw error
|
|
|
|
{
|
|
|
|
"%s SSL certificate chain file @ `%s' not found",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
|
|
|
|
ssl.use_certificate_chain_file(filename);
|
2023-03-18 19:34:45 +01:00
|
|
|
ret += 1;
|
2020-04-13 04:07:07 +02:00
|
|
|
log::info
|
|
|
|
{
|
|
|
|
log, "%s using certificate chain file '%s'",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!empty(unquote(opts["certificate_pem_path"])))
|
|
|
|
{
|
|
|
|
const std::string filename
|
|
|
|
{
|
|
|
|
unquote(opts.get("certificate_pem_path", name + ".crt"))
|
|
|
|
};
|
|
|
|
|
|
|
|
if(!fs::exists(filename))
|
|
|
|
throw error
|
|
|
|
{
|
|
|
|
"%s SSL certificate pem file @ `%s' not found",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
|
|
|
|
ssl.use_certificate_file(filename, asio::ssl::context::pem);
|
|
|
|
const auto *const x509
|
|
|
|
{
|
|
|
|
SSL_CTX_get0_certificate(ssl.native_handle())
|
|
|
|
};
|
|
|
|
|
|
|
|
this->cname = ircd::string(rfc3986::DOMAIN_BUFSIZE | SHRINK_TO_FIT, [&x509]
|
|
|
|
(const mutable_buffer &buf)
|
|
|
|
{
|
|
|
|
return x509?
|
|
|
|
openssl::subject_common_name(buf, *x509):
|
|
|
|
string_view{};
|
|
|
|
});
|
|
|
|
|
2023-03-18 19:34:45 +01:00
|
|
|
ret += 1;
|
2020-04-13 04:07:07 +02:00
|
|
|
log::info
|
|
|
|
{
|
|
|
|
log, "%s using file '%s' with certificate for '%s'",
|
|
|
|
loghead(*this),
|
|
|
|
filename,
|
|
|
|
this->cname,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!empty(unquote(opts["private_key_pem_path"])))
|
|
|
|
{
|
|
|
|
const std::string filename
|
|
|
|
{
|
|
|
|
unquote(opts.get("private_key_pem_path", name + ".crt.key"))
|
|
|
|
};
|
|
|
|
|
|
|
|
if(!fs::exists(filename))
|
|
|
|
throw error
|
|
|
|
{
|
|
|
|
"%s SSL private key file @ `%s' not found",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
|
|
|
|
ssl.use_private_key_file(filename, asio::ssl::context::pem);
|
2023-03-18 19:34:45 +01:00
|
|
|
|
|
|
|
ret += 1;
|
2020-04-13 04:07:07 +02:00
|
|
|
log::info
|
|
|
|
{
|
|
|
|
log, "%s using private key file '%s'",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
}
|
2023-03-18 19:34:45 +01:00
|
|
|
|
|
|
|
if(ret != 0 && ret != 3)
|
|
|
|
log::warning
|
|
|
|
{
|
|
|
|
"%s missing some paths to PEM files in its options."
|
|
|
|
" SSL is probably misconfigured.",
|
|
|
|
loghead(*this),
|
|
|
|
};
|
|
|
|
|
|
|
|
return ret;
|
2020-04-13 04:07:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_dh(const json::object &opts)
|
|
|
|
{
|
|
|
|
if(!empty(unquote(opts["tmp_dh_path"])))
|
|
|
|
{
|
|
|
|
const json::string filename
|
|
|
|
{
|
|
|
|
opts.at("tmp_dh_path")
|
|
|
|
};
|
|
|
|
|
|
|
|
if(!fs::exists(filename))
|
|
|
|
throw error
|
|
|
|
{
|
|
|
|
"%s SSL tmp dh file @ `%s' not found",
|
|
|
|
loghead(*this),
|
|
|
|
filename
|
|
|
|
};
|
|
|
|
|
|
|
|
ssl.use_tmp_dh_file(filename);
|
|
|
|
log::info
|
|
|
|
{
|
|
|
|
log, "%s using tmp dh file '%s'",
|
|
|
|
loghead(*this),
|
|
|
|
filename,
|
|
|
|
};
|
|
|
|
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
assert(ssl.native_handle());
|
|
|
|
openssl::set_ecdh_auto(*ssl.native_handle(), true);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ircd::net::acceptor::configure_password(const json::object &opts)
|
|
|
|
{
|
|
|
|
//TODO: XXX
|
|
|
|
ssl.set_password_callback([this]
|
|
|
|
(const auto &size, const auto &purpose)
|
|
|
|
{
|
|
|
|
log::notice
|
|
|
|
{
|
|
|
|
log, "%s asking for password with purpose '%s' (size: %zu)",
|
|
|
|
loghead(*this),
|
|
|
|
purpose,
|
|
|
|
size
|
|
|
|
};
|
|
|
|
|
|
|
|
//XXX: TODO
|
|
|
|
assert(0);
|
|
|
|
return "foobar";
|
|
|
|
});
|
|
|
|
}
|