0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2025-01-04 03:44:15 +01:00
construct/ssld/ssld.c
Simon Arlott cf430c1a40
ssld: Add new certfp_methods spki_sha256 and spki_sha512
These operate on the SubjectPublicKeyInfo of the certificate, which does
change unless the private key is changed. This allows the fingerprint to
stay constant even if the certificate is reissued.

(The same fingerprint is also used by DANE)
2016-04-23 22:51:05 +01:00

1274 lines
28 KiB
C

/*
* ssld.c: The ircd-ratbox ssl/zlib helper daemon thingy
* Copyright (C) 2007 Aaron Sethman <androsyn@ratbox.org>
* Copyright (C) 2007 ircd-ratbox development team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* USA
*/
#include "stdinc.h"
#ifdef HAVE_LIBZ
#include <zlib.h>
#endif
#define MAXPASSFD 4
#ifndef READBUF_SIZE
#define READBUF_SIZE 16384
#endif
static void setup_signals(void);
static pid_t ppid;
static inline uint32_t
buf_to_uint32(uint8_t *buf)
{
uint32_t x;
memcpy(&x, buf, sizeof(x));
return x;
}
static inline void
uint32_to_buf(uint8_t *buf, uint32_t x)
{
memcpy(buf, &x, sizeof(x));
return;
}
typedef struct _mod_ctl_buf
{
rb_dlink_node node;
uint8_t *buf;
size_t buflen;
rb_fde_t *F[MAXPASSFD];
int nfds;
} mod_ctl_buf_t;
typedef struct _mod_ctl
{
rb_dlink_node node;
int cli_count;
rb_fde_t *F;
rb_fde_t *F_pipe;
rb_dlink_list readq;
rb_dlink_list writeq;
} mod_ctl_t;
static mod_ctl_t *mod_ctl;
#ifdef HAVE_LIBZ
typedef struct _zlib_stream
{
z_stream instream;
z_stream outstream;
} zlib_stream_t;
#endif
typedef struct _conn
{
rb_dlink_node node;
mod_ctl_t *ctl;
rawbuf_head_t *modbuf_out;
rawbuf_head_t *plainbuf_out;
uint32_t id;
rb_fde_t *mod_fd;
rb_fde_t *plain_fd;
uint64_t mod_out;
uint64_t mod_in;
uint64_t plain_in;
uint64_t plain_out;
uint8_t flags;
void *stream;
} conn_t;
#define FLAG_SSL 0x01
#define FLAG_ZIP 0x02
#define FLAG_CORK 0x04
#define FLAG_DEAD 0x08
#define FLAG_SSL_W_WANTS_R 0x10 /* output needs to wait until input possible */
#define FLAG_SSL_R_WANTS_W 0x20 /* input needs to wait until output possible */
#define FLAG_ZIPSSL 0x40
#define IsSSL(x) ((x)->flags & FLAG_SSL)
#define IsZip(x) ((x)->flags & FLAG_ZIP)
#define IsCork(x) ((x)->flags & FLAG_CORK)
#define IsDead(x) ((x)->flags & FLAG_DEAD)
#define IsSSLWWantsR(x) ((x)->flags & FLAG_SSL_W_WANTS_R)
#define IsSSLRWantsW(x) ((x)->flags & FLAG_SSL_R_WANTS_W)
#define IsZipSSL(x) ((x)->flags & FLAG_ZIPSSL)
#define SetSSL(x) ((x)->flags |= FLAG_SSL)
#define SetZip(x) ((x)->flags |= FLAG_ZIP)
#define SetCork(x) ((x)->flags |= FLAG_CORK)
#define SetDead(x) ((x)->flags |= FLAG_DEAD)
#define SetSSLWWantsR(x) ((x)->flags |= FLAG_SSL_W_WANTS_R)
#define SetSSLRWantsW(x) ((x)->flags |= FLAG_SSL_R_WANTS_W)
#define SetZipSSL(x) ((x)->flags |= FLAG_ZIPSSL)
#define ClearSSL(x) ((x)->flags &= ~FLAG_SSL)
#define ClearZip(x) ((x)->flags &= ~FLAG_ZIP)
#define ClearCork(x) ((x)->flags &= ~FLAG_CORK)
#define ClearDead(x) ((x)->flags &= ~FLAG_DEAD)
#define ClearSSLWWantsR(x) ((x)->flags &= ~FLAG_SSL_W_WANTS_R)
#define ClearSSLRWantsW(x) ((x)->flags &= ~FLAG_SSL_R_WANTS_W)
#define ClearZipSSL(x) ((x)->flags &= ~FLAG_ZIPSSL)
#define NO_WAIT 0x0
#define WAIT_PLAIN 0x1
#define HASH_WALK_SAFE(i, max, ptr, next, table) for(i = 0; i < max; i++) { RB_DLINK_FOREACH_SAFE(ptr, next, table[i].head)
#define HASH_WALK_END }
#define CONN_HASH_SIZE 2000
#define connid_hash(x) (&connid_hash_table[(x % CONN_HASH_SIZE)])
static rb_dlink_list connid_hash_table[CONN_HASH_SIZE];
static rb_dlink_list dead_list;
static void conn_mod_read_cb(rb_fde_t *fd, void *data);
static void conn_mod_write_sendq(rb_fde_t *, void *data);
static void conn_plain_write_sendq(rb_fde_t *, void *data);
static void mod_write_ctl(rb_fde_t *, void *data);
static void conn_plain_read_cb(rb_fde_t *fd, void *data);
static void conn_plain_read_shutdown_cb(rb_fde_t *fd, void *data);
static void mod_cmd_write_queue(mod_ctl_t * ctl, const void *data, size_t len);
static const char *remote_closed = "Remote host closed the connection";
static bool ssld_ssl_ok;
static int certfp_method = RB_SSL_CERTFP_METH_CERT_SHA1;
#ifdef HAVE_LIBZ
static bool zlib_ok = true;
#else
static bool zlib_ok = false;
#endif
#ifdef HAVE_LIBZ
static void *
ssld_alloc(void *unused, size_t count, size_t size)
{
return rb_malloc(count * size);
}
static void
ssld_free(void *unused, void *ptr)
{
rb_free(ptr);
}
#endif
static conn_t *
conn_find_by_id(uint32_t id)
{
rb_dlink_node *ptr;
conn_t *conn;
RB_DLINK_FOREACH(ptr, (connid_hash(id))->head)
{
conn = ptr->data;
if(conn->id == id && !IsDead(conn))
return conn;
}
return NULL;
}
static void
conn_add_id_hash(conn_t * conn, uint32_t id)
{
conn->id = id;
rb_dlinkAdd(conn, &conn->node, connid_hash(id));
}
static void
free_conn(conn_t * conn)
{
rb_free_rawbuffer(conn->modbuf_out);
rb_free_rawbuffer(conn->plainbuf_out);
#ifdef HAVE_LIBZ
if(IsZip(conn))
{
zlib_stream_t *stream = conn->stream;
inflateEnd(&stream->instream);
deflateEnd(&stream->outstream);
rb_free(stream);
}
#endif
rb_free(conn);
}
static void
clean_dead_conns(void *unused)
{
conn_t *conn;
rb_dlink_node *ptr, *next;
RB_DLINK_FOREACH_SAFE(ptr, next, dead_list.head)
{
conn = ptr->data;
free_conn(conn);
}
dead_list.tail = dead_list.head = NULL;
}
static void
close_conn(conn_t * conn, int wait_plain, const char *fmt, ...)
{
va_list ap;
char reason[128]; /* must always be under 250 bytes */
uint8_t buf[256];
int len;
if(IsDead(conn))
return;
rb_rawbuf_flush(conn->modbuf_out, conn->mod_fd);
rb_rawbuf_flush(conn->plainbuf_out, conn->plain_fd);
rb_close(conn->mod_fd);
SetDead(conn);
if(!IsZipSSL(conn))
rb_dlinkDelete(&conn->node, connid_hash(conn->id));
if(!wait_plain || fmt == NULL)
{
rb_close(conn->plain_fd);
rb_dlinkAdd(conn, &conn->node, &dead_list);
return;
}
rb_setselect(conn->plain_fd, RB_SELECT_READ, conn_plain_read_shutdown_cb, conn);
rb_setselect(conn->plain_fd, RB_SELECT_WRITE, NULL, NULL);
va_start(ap, fmt);
vsnprintf(reason, sizeof(reason), fmt, ap);
va_end(ap);
buf[0] = 'D';
uint32_to_buf(&buf[1], conn->id);
rb_strlcpy((char *) &buf[5], reason, sizeof(buf) - 5);
len = (strlen(reason) + 1) + 5;
mod_cmd_write_queue(conn->ctl, buf, len);
}
static conn_t *
make_conn(mod_ctl_t * ctl, rb_fde_t *mod_fd, rb_fde_t *plain_fd)
{
conn_t *conn = rb_malloc(sizeof(conn_t));
conn->ctl = ctl;
conn->modbuf_out = rb_new_rawbuffer();
conn->plainbuf_out = rb_new_rawbuffer();
conn->mod_fd = mod_fd;
conn->plain_fd = plain_fd;
conn->id = -1;
conn->stream = NULL;
rb_set_nb(mod_fd);
rb_set_nb(plain_fd);
return conn;
}
static void
check_handshake_flood(void *unused)
{
conn_t *conn;
rb_dlink_node *ptr, *next;
unsigned int count;
int i;
HASH_WALK_SAFE(i, CONN_HASH_SIZE, ptr, next, connid_hash_table)
{
conn = ptr->data;
if(!IsSSL(conn))
continue;
count = rb_ssl_handshake_count(conn->mod_fd);
/* nothing needs to do this more than twice in ten seconds i don't think */
if(count > 2)
close_conn(conn, WAIT_PLAIN, "Handshake flooding");
else
rb_ssl_clear_handshake_count(conn->mod_fd);
}
HASH_WALK_END}
static void
conn_mod_write_sendq(rb_fde_t *fd, void *data)
{
conn_t *conn = data;
const char *err;
int retlen;
if(IsDead(conn))
return;
if(IsSSLWWantsR(conn))
{
ClearSSLWWantsR(conn);
conn_mod_read_cb(conn->mod_fd, conn);
if(IsDead(conn))
return;
}
while((retlen = rb_rawbuf_flush(conn->modbuf_out, fd)) > 0)
conn->mod_out += retlen;
if(retlen == 0 || (retlen < 0 && !rb_ignore_errno(errno)))
{
if(retlen == 0)
close_conn(conn, WAIT_PLAIN, "%s", remote_closed);
if(IsSSL(conn) && retlen == RB_RW_SSL_ERROR)
err = rb_get_ssl_strerror(conn->mod_fd);
else
err = strerror(errno);
close_conn(conn, WAIT_PLAIN, "Write error: %s", err);
return;
}
if(rb_rawbuf_length(conn->modbuf_out) > 0)
{
if(retlen != RB_RW_SSL_NEED_READ)
rb_setselect(conn->mod_fd, RB_SELECT_WRITE, conn_mod_write_sendq, conn);
else
{
rb_setselect(conn->mod_fd, RB_SELECT_READ, conn_mod_write_sendq, conn);
rb_setselect(conn->mod_fd, RB_SELECT_WRITE, NULL, NULL);
SetSSLWWantsR(conn);
}
}
else
rb_setselect(conn->mod_fd, RB_SELECT_WRITE, NULL, NULL);
if(IsCork(conn) && rb_rawbuf_length(conn->modbuf_out) == 0)
{
ClearCork(conn);
conn_plain_read_cb(conn->plain_fd, conn);
}
}
static void
conn_mod_write(conn_t * conn, void *data, size_t len)
{
if(IsDead(conn)) /* no point in queueing to a dead man */
return;
rb_rawbuf_append(conn->modbuf_out, data, len);
}
static void
conn_plain_write(conn_t * conn, void *data, size_t len)
{
if(IsDead(conn)) /* again no point in queueing to dead men */
return;
rb_rawbuf_append(conn->plainbuf_out, data, len);
}
static void
mod_cmd_write_queue(mod_ctl_t * ctl, const void *data, size_t len)
{
mod_ctl_buf_t *ctl_buf;
ctl_buf = rb_malloc(sizeof(mod_ctl_buf_t));
ctl_buf->buf = rb_malloc(len);
ctl_buf->buflen = len;
memcpy(ctl_buf->buf, data, len);
ctl_buf->nfds = 0;
rb_dlinkAddTail(ctl_buf, &ctl_buf->node, &ctl->writeq);
mod_write_ctl(ctl->F, ctl);
}
#ifdef HAVE_LIBZ
static void
common_zlib_deflate(conn_t * conn, void *buf, size_t len)
{
char outbuf[READBUF_SIZE];
int ret, have;
z_stream *outstream = &((zlib_stream_t *) conn->stream)->outstream;
outstream->next_in = buf;
outstream->avail_in = len;
outstream->next_out = (Bytef *) outbuf;
outstream->avail_out = sizeof(outbuf);
ret = deflate(outstream, Z_SYNC_FLUSH);
if(ret != Z_OK)
{
/* deflate error */
close_conn(conn, WAIT_PLAIN, "Deflate failed: %s", zError(ret));
return;
}
if(outstream->avail_out == 0)
{
/* avail_out empty */
close_conn(conn, WAIT_PLAIN, "error compressing data, avail_out == 0");
return;
}
if(outstream->avail_in != 0)
{
/* avail_in isn't empty... */
close_conn(conn, WAIT_PLAIN, "error compressing data, avail_in != 0");
return;
}
have = sizeof(outbuf) - outstream->avail_out;
conn_mod_write(conn, outbuf, have);
}
static void
common_zlib_inflate(conn_t * conn, void *buf, size_t len)
{
char outbuf[READBUF_SIZE];
int ret, have = 0;
((zlib_stream_t *) conn->stream)->instream.next_in = buf;
((zlib_stream_t *) conn->stream)->instream.avail_in = len;
((zlib_stream_t *) conn->stream)->instream.next_out = (Bytef *) outbuf;
((zlib_stream_t *) conn->stream)->instream.avail_out = sizeof(outbuf);
while(((zlib_stream_t *) conn->stream)->instream.avail_in)
{
ret = inflate(&((zlib_stream_t *) conn->stream)->instream, Z_NO_FLUSH);
if(ret != Z_OK)
{
if(!strncmp("ERROR ", buf, 6))
{
close_conn(conn, WAIT_PLAIN, "Received uncompressed ERROR");
return;
}
close_conn(conn, WAIT_PLAIN, "Inflate failed: %s", zError(ret));
return;
}
have = sizeof(outbuf) - ((zlib_stream_t *) conn->stream)->instream.avail_out;
if(((zlib_stream_t *) conn->stream)->instream.avail_in)
{
conn_plain_write(conn, outbuf, have);
have = 0;
((zlib_stream_t *) conn->stream)->instream.next_out = (Bytef *) outbuf;
((zlib_stream_t *) conn->stream)->instream.avail_out = sizeof(outbuf);
}
}
if(have == 0)
return;
conn_plain_write(conn, outbuf, have);
}
#endif
static bool
plain_check_cork(conn_t * conn)
{
if(rb_rawbuf_length(conn->modbuf_out) >= 4096)
{
/* if we have over 4k pending outbound, don't read until
* we've cleared the queue */
SetCork(conn);
rb_setselect(conn->plain_fd, RB_SELECT_READ, NULL, NULL);
/* try to write */
conn_mod_write_sendq(conn->mod_fd, conn);
return true;
}
return false;
}
static void
conn_plain_read_cb(rb_fde_t *fd, void *data)
{
char inbuf[READBUF_SIZE];
conn_t *conn = data;
int length = 0;
if(conn == NULL)
return;
if(IsDead(conn))
return;
if(plain_check_cork(conn))
return;
while(1)
{
if(IsDead(conn))
return;
length = rb_read(conn->plain_fd, inbuf, sizeof(inbuf));
if(length == 0 || (length < 0 && !rb_ignore_errno(errno)))
{
close_conn(conn, NO_WAIT, NULL);
return;
}
if(length < 0)
{
rb_setselect(conn->plain_fd, RB_SELECT_READ, conn_plain_read_cb, conn);
conn_mod_write_sendq(conn->mod_fd, conn);
return;
}
conn->plain_in += length;
#ifdef HAVE_LIBZ
if(IsZip(conn))
common_zlib_deflate(conn, inbuf, length);
else
#endif
conn_mod_write(conn, inbuf, length);
if(IsDead(conn))
return;
if(plain_check_cork(conn))
return;
}
}
static void
conn_plain_read_shutdown_cb(rb_fde_t *fd, void *data)
{
char inbuf[READBUF_SIZE];
conn_t *conn = data;
int length = 0;
if(conn == NULL)
return;
while(1)
{
length = rb_read(conn->plain_fd, inbuf, sizeof(inbuf));
if(length == 0 || (length < 0 && !rb_ignore_errno(errno)))
{
rb_close(conn->plain_fd);
rb_dlinkAdd(conn, &conn->node, &dead_list);
return;
}
if(length < 0)
{
rb_setselect(conn->plain_fd, RB_SELECT_READ, conn_plain_read_shutdown_cb, conn);
return;
}
}
}
static void
conn_mod_read_cb(rb_fde_t *fd, void *data)
{
char inbuf[READBUF_SIZE];
conn_t *conn = data;
const char *err = remote_closed;
int length;
if(conn == NULL)
return;
if(IsDead(conn))
return;
if(IsSSLRWantsW(conn))
{
ClearSSLRWantsW(conn);
conn_mod_write_sendq(conn->mod_fd, conn);
if(IsDead(conn))
return;
}
while(1)
{
if(IsDead(conn))
return;
length = rb_read(conn->mod_fd, inbuf, sizeof(inbuf));
if(length == 0 || (length < 0 && !rb_ignore_errno(errno)))
{
if(length == 0)
{
close_conn(conn, WAIT_PLAIN, "%s", remote_closed);
return;
}
if(IsSSL(conn) && length == RB_RW_SSL_ERROR)
err = rb_get_ssl_strerror(conn->mod_fd);
else
err = strerror(errno);
close_conn(conn, WAIT_PLAIN, "Read error: %s", err);
return;
}
if(length < 0)
{
if(length != RB_RW_SSL_NEED_WRITE)
rb_setselect(conn->mod_fd, RB_SELECT_READ, conn_mod_read_cb, conn);
else
{
rb_setselect(conn->mod_fd, RB_SELECT_READ, NULL, NULL);
rb_setselect(conn->mod_fd, RB_SELECT_WRITE, conn_mod_read_cb, conn);
SetSSLRWantsW(conn);
}
conn_plain_write_sendq(conn->plain_fd, conn);
return;
}
conn->mod_in += length;
#ifdef HAVE_LIBZ
if(IsZip(conn))
common_zlib_inflate(conn, inbuf, length);
else
#endif
conn_plain_write(conn, inbuf, length);
}
}
static void
conn_plain_write_sendq(rb_fde_t *fd, void *data)
{
conn_t *conn = data;
int retlen;
if(IsDead(conn))
return;
while((retlen = rb_rawbuf_flush(conn->plainbuf_out, fd)) > 0)
{
conn->plain_out += retlen;
}
if(retlen == 0 || (retlen < 0 && !rb_ignore_errno(errno)))
{
close_conn(data, NO_WAIT, NULL);
return;
}
if(rb_rawbuf_length(conn->plainbuf_out) > 0)
rb_setselect(conn->plain_fd, RB_SELECT_WRITE, conn_plain_write_sendq, conn);
else
rb_setselect(conn->plain_fd, RB_SELECT_WRITE, NULL, NULL);
}
static int
maxconn(void)
{
#if defined(RLIMIT_NOFILE) && defined(HAVE_SYS_RESOURCE_H)
struct rlimit limit;
if(!getrlimit(RLIMIT_NOFILE, &limit))
{
return limit.rlim_cur;
}
#endif /* RLIMIT_FD_MAX */
return MAXCONNECTIONS;
}
static void
ssl_send_cipher(conn_t *conn)
{
size_t len;
uint8_t buf[512];
char cstring[256];
const char *p;
if(!IsSSL(conn))
return;
p = rb_ssl_get_cipher(conn->mod_fd);
if(p == NULL)
return;
rb_strlcpy(cstring, p, sizeof(cstring));
buf[0] = 'C';
uint32_to_buf(&buf[1], conn->id);
strcpy((char *) &buf[5], cstring);
len = (strlen(cstring) + 1) + 5;
mod_cmd_write_queue(conn->ctl, buf, len);
}
static void
ssl_send_certfp(conn_t *conn)
{
uint8_t buf[9 + RB_SSL_CERTFP_LEN];
int len = rb_get_ssl_certfp(conn->mod_fd, &buf[9], certfp_method);
if (!len)
return;
lrb_assert(len <= RB_SSL_CERTFP_LEN);
buf[0] = 'F';
uint32_to_buf(&buf[1], conn->id);
uint32_to_buf(&buf[5], len);
mod_cmd_write_queue(conn->ctl, buf, 9 + len);
}
static void
ssl_process_accept_cb(rb_fde_t *F, int status, struct sockaddr *addr, rb_socklen_t len, void *data)
{
conn_t *conn = data;
if(status == RB_OK)
{
conn_mod_read_cb(conn->mod_fd, conn);
conn_plain_read_cb(conn->plain_fd, conn);
ssl_send_cipher(conn);
ssl_send_certfp(conn);
return;
}
/* ircd doesn't care about the reason for this */
close_conn(conn, NO_WAIT, 0);
return;
}
static void
ssl_process_connect_cb(rb_fde_t *F, int status, void *data)
{
conn_t *conn = data;
if(status == RB_OK)
{
conn_mod_read_cb(conn->mod_fd, conn);
conn_plain_read_cb(conn->plain_fd, conn);
ssl_send_cipher(conn);
ssl_send_certfp(conn);
}
else if(status == RB_ERR_TIMEOUT)
close_conn(conn, WAIT_PLAIN, "SSL handshake timed out");
else if(status == RB_ERROR_SSL)
close_conn(conn, WAIT_PLAIN, "%s", rb_get_ssl_strerror(conn->mod_fd));
else
close_conn(conn, WAIT_PLAIN, "SSL handshake failed");
}
static void
cleanup_bad_message(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
int i;
/* XXX should log this somehow */
for (i = 0; i < ctlb->nfds; i++)
rb_close(ctlb->F[i]);
}
static void
ssl_process_accept(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
conn_t *conn;
uint32_t id;
conn = make_conn(ctl, ctlb->F[0], ctlb->F[1]);
id = buf_to_uint32(&ctlb->buf[1]);
conn_add_id_hash(conn, id);
SetSSL(conn);
if(rb_get_type(conn->mod_fd) & RB_FD_UNKNOWN)
rb_set_type(conn->mod_fd, RB_FD_SOCKET);
if(rb_get_type(conn->plain_fd) == RB_FD_UNKNOWN)
rb_set_type(conn->plain_fd, RB_FD_SOCKET);
rb_ssl_start_accepted(ctlb->F[0], ssl_process_accept_cb, conn, 10);
}
static void
ssl_change_certfp_method(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
certfp_method = buf_to_uint32(&ctlb->buf[1]);
}
static void
ssl_process_connect(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
conn_t *conn;
uint32_t id;
conn = make_conn(ctl, ctlb->F[0], ctlb->F[1]);
id = buf_to_uint32(&ctlb->buf[1]);
conn_add_id_hash(conn, id);
SetSSL(conn);
if(rb_get_type(conn->mod_fd) == RB_FD_UNKNOWN)
rb_set_type(conn->mod_fd, RB_FD_SOCKET);
if(rb_get_type(conn->plain_fd) == RB_FD_UNKNOWN)
rb_set_type(conn->plain_fd, RB_FD_SOCKET);
rb_ssl_start_connected(ctlb->F[0], ssl_process_connect_cb, conn, 10);
}
static void
process_stats(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
char outstat[512];
conn_t *conn;
uint8_t *odata;
uint32_t id;
id = buf_to_uint32(&ctlb->buf[1]);
odata = &ctlb->buf[5];
conn = conn_find_by_id(id);
if(conn == NULL)
return;
snprintf(outstat, sizeof(outstat), "S %s %llu %llu %llu %llu", odata,
(unsigned long long)conn->plain_out,
(unsigned long long)conn->mod_in,
(unsigned long long)conn->plain_in,
(unsigned long long)conn->mod_out);
conn->plain_out = 0;
conn->plain_in = 0;
conn->mod_in = 0;
conn->mod_out = 0;
mod_cmd_write_queue(ctl, outstat, strlen(outstat) + 1); /* +1 is so we send the \0 as well */
}
#ifdef HAVE_LIBZ
static void
zlib_process(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
uint8_t level;
size_t recvqlen;
size_t hdr = (sizeof(uint8_t) * 2) + sizeof(uint32_t);
void *recvq_start;
z_stream *instream, *outstream;
conn_t *conn;
uint32_t id;
conn = make_conn(ctl, ctlb->F[0], ctlb->F[1]);
if(rb_get_type(conn->mod_fd) == RB_FD_UNKNOWN)
rb_set_type(conn->mod_fd, RB_FD_SOCKET);
if(rb_get_type(conn->plain_fd) == RB_FD_UNKNOWN)
rb_set_type(conn->plain_fd, RB_FD_SOCKET);
id = buf_to_uint32(&ctlb->buf[1]);
conn_add_id_hash(conn, id);
level = (uint8_t)ctlb->buf[5];
recvqlen = ctlb->buflen - hdr;
recvq_start = &ctlb->buf[6];
SetZip(conn);
conn->stream = rb_malloc(sizeof(zlib_stream_t));
instream = &((zlib_stream_t *) conn->stream)->instream;
outstream = &((zlib_stream_t *) conn->stream)->outstream;
instream->total_in = 0;
instream->total_out = 0;
instream->zalloc = (alloc_func) ssld_alloc;
instream->zfree = (free_func) ssld_free;
instream->data_type = Z_ASCII;
inflateInit(&((zlib_stream_t *) conn->stream)->instream);
outstream->total_in = 0;
outstream->total_out = 0;
outstream->zalloc = (alloc_func) ssld_alloc;
outstream->zfree = (free_func) ssld_free;
outstream->data_type = Z_ASCII;
if(level > 9)
level = (uint8_t) Z_DEFAULT_COMPRESSION;
deflateInit(&((zlib_stream_t *) conn->stream)->outstream, level);
if(recvqlen > 0)
common_zlib_inflate(conn, recvq_start, recvqlen);
conn_mod_read_cb(conn->mod_fd, conn);
conn_plain_read_cb(conn->plain_fd, conn);
return;
}
#endif
static void
init_prng(mod_ctl_t * ctl, mod_ctl_buf_t * ctl_buf)
{
char *path;
prng_seed_t seed_type;
seed_type = (prng_seed_t) ctl_buf->buf[1];
path = (char *) &ctl_buf->buf[2];
rb_init_prng(path, seed_type);
}
static void
ssl_new_keys(mod_ctl_t * ctl, mod_ctl_buf_t * ctl_buf)
{
char *buf;
char *cert, *key, *dhparam, *cipher_list;
buf = (char *) &ctl_buf->buf[2];
cert = buf;
buf += strlen(cert) + 1;
key = buf;
buf += strlen(key) + 1;
dhparam = buf;
if(strlen(dhparam) == 0)
dhparam = NULL;
buf += strlen(dhparam) + 1;
cipher_list = buf;
if(strlen(cipher_list) == 0)
cipher_list = NULL;
if(!rb_setup_ssl_server(cert, key, dhparam, cipher_list))
{
const char *invalid = "I";
mod_cmd_write_queue(ctl, invalid, strlen(invalid));
return;
}
}
static void
send_nossl_support(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
static const char *nossl_cmd = "N";
conn_t *conn;
uint32_t id;
if(ctlb != NULL)
{
conn = make_conn(ctl, ctlb->F[0], ctlb->F[1]);
id = buf_to_uint32(&ctlb->buf[1]);
conn_add_id_hash(conn, id);
close_conn(conn, WAIT_PLAIN, "libratbox reports no SSL/TLS support");
}
mod_cmd_write_queue(ctl, nossl_cmd, strlen(nossl_cmd));
}
static void
send_i_am_useless(mod_ctl_t * ctl)
{
static const char *useless = "U";
mod_cmd_write_queue(ctl, useless, strlen(useless));
}
static void
send_version(mod_ctl_t * ctl)
{
char version[256] = { 'V', 0 };
strncpy(&version[1], rb_lib_version(), sizeof(version) - 2);
mod_cmd_write_queue(ctl, version, strlen(version));
}
static void
send_nozlib_support(mod_ctl_t * ctl, mod_ctl_buf_t * ctlb)
{
static const char *nozlib_cmd = "z";
conn_t *conn;
uint32_t id;
if(ctlb != NULL)
{
conn = make_conn(ctl, ctlb->F[0], ctlb->F[1]);
id = buf_to_uint32(&ctlb->buf[1]);
conn_add_id_hash(conn, id);
close_conn(conn, WAIT_PLAIN, "libratbox reports no zlib support");
}
mod_cmd_write_queue(ctl, nozlib_cmd, strlen(nozlib_cmd));
}
static void
mod_process_cmd_recv(mod_ctl_t * ctl)
{
rb_dlink_node *ptr, *next;
mod_ctl_buf_t *ctl_buf;
RB_DLINK_FOREACH_SAFE(ptr, next, ctl->readq.head)
{
ctl_buf = ptr->data;
switch (*ctl_buf->buf)
{
case 'A':
{
if (ctl_buf->nfds != 2 || ctl_buf->buflen != 5)
{
cleanup_bad_message(ctl, ctl_buf);
break;
}
if(!ssld_ssl_ok)
{
send_nossl_support(ctl, ctl_buf);
break;
}
ssl_process_accept(ctl, ctl_buf);
break;
}
case 'C':
{
if (ctl_buf->buflen != 5)
{
cleanup_bad_message(ctl, ctl_buf);
break;
}
if(!ssld_ssl_ok)
{
send_nossl_support(ctl, ctl_buf);
break;
}
ssl_process_connect(ctl, ctl_buf);
break;
}
case 'F':
{
if (ctl_buf->buflen != 5)
{
cleanup_bad_message(ctl, ctl_buf);
break;
}
ssl_change_certfp_method(ctl, ctl_buf);
break;
}
case 'K':
{
if(!ssld_ssl_ok)
{
send_nossl_support(ctl, ctl_buf);
break;
}
ssl_new_keys(ctl, ctl_buf);
break;
}
case 'I':
init_prng(ctl, ctl_buf);
break;
case 'S':
{
process_stats(ctl, ctl_buf);
break;
}
#ifdef HAVE_LIBZ
case 'Z':
{
if (ctl_buf->nfds != 2 || ctl_buf->buflen < 6)
{
cleanup_bad_message(ctl, ctl_buf);
break;
}
/* just zlib only */
zlib_process(ctl, ctl_buf);
break;
}
#else
case 'Z':
send_nozlib_support(ctl, ctl_buf);
break;
#endif
default:
break;
/* Log unknown commands */
}
rb_dlinkDelete(ptr, &ctl->readq);
rb_free(ctl_buf->buf);
rb_free(ctl_buf);
}
}
static void
mod_read_ctl(rb_fde_t *F, void *data)
{
mod_ctl_buf_t *ctl_buf;
mod_ctl_t *ctl = data;
int retlen;
int i;
do
{
ctl_buf = rb_malloc(sizeof(mod_ctl_buf_t));
ctl_buf->buf = rb_malloc(READBUF_SIZE);
ctl_buf->buflen = READBUF_SIZE;
retlen = rb_recv_fd_buf(ctl->F, ctl_buf->buf, ctl_buf->buflen, ctl_buf->F,
MAXPASSFD);
if(retlen <= 0)
{
rb_free(ctl_buf->buf);
rb_free(ctl_buf);
}
else
{
ctl_buf->buflen = retlen;
rb_dlinkAddTail(ctl_buf, &ctl_buf->node, &ctl->readq);
for (i = 0; i < MAXPASSFD && ctl_buf->F[i] != NULL; i++)
;
ctl_buf->nfds = i;
}
}
while(retlen > 0);
if(retlen == 0 || (retlen < 0 && !rb_ignore_errno(errno)))
exit(0);
mod_process_cmd_recv(ctl);
rb_setselect(ctl->F, RB_SELECT_READ, mod_read_ctl, ctl);
}
static void
mod_write_ctl(rb_fde_t *F, void *data)
{
mod_ctl_t *ctl = data;
mod_ctl_buf_t *ctl_buf;
rb_dlink_node *ptr, *next;
int retlen, x;
RB_DLINK_FOREACH_SAFE(ptr, next, ctl->writeq.head)
{
ctl_buf = ptr->data;
retlen = rb_send_fd_buf(ctl->F, ctl_buf->F, ctl_buf->nfds, ctl_buf->buf,
ctl_buf->buflen, ppid);
if(retlen > 0)
{
rb_dlinkDelete(ptr, &ctl->writeq);
for(x = 0; x < ctl_buf->nfds; x++)
rb_close(ctl_buf->F[x]);
rb_free(ctl_buf->buf);
rb_free(ctl_buf);
}
if(retlen == 0 || (retlen < 0 && !rb_ignore_errno(errno)))
exit(0);
}
if(rb_dlink_list_length(&ctl->writeq) > 0)
rb_setselect(ctl->F, RB_SELECT_WRITE, mod_write_ctl, ctl);
}
static void
read_pipe_ctl(rb_fde_t *F, void *data)
{
char inbuf[READBUF_SIZE];
int retlen;
while((retlen = rb_read(F, inbuf, sizeof(inbuf))) > 0)
{
;; /* we don't do anything with the pipe really, just care if the other process dies.. */
}
if(retlen == 0 || (retlen < 0 && !rb_ignore_errno(errno)))
exit(0);
rb_setselect(F, RB_SELECT_READ, read_pipe_ctl, NULL);
}
int
main(int argc, char **argv)
{
const char *s_ctlfd, *s_pipe, *s_pid;
int ctlfd, pipefd, x, maxfd;
maxfd = maxconn();
s_ctlfd = getenv("CTL_FD");
s_pipe = getenv("CTL_PIPE");
s_pid = getenv("CTL_PPID");
if(s_ctlfd == NULL || s_pipe == NULL || s_pid == NULL)
{
fprintf(stderr,
"This is the charybdis ssld for internal ircd use.\n");
fprintf(stderr,
"You aren't supposed to run me directly. Exiting.\n");
exit(1);
}
ctlfd = atoi(s_ctlfd);
pipefd = atoi(s_pipe);
ppid = atoi(s_pid);
x = 0;
#ifndef _WIN32
for(x = 0; x < maxfd; x++)
{
if(x != ctlfd && x != pipefd && x > 2)
close(x);
}
x = open("/dev/null", O_RDWR);
if(x >= 0)
{
if(ctlfd != 0 && pipefd != 0)
dup2(x, 0);
if(ctlfd != 1 && pipefd != 1)
dup2(x, 1);
if(ctlfd != 2 && pipefd != 2)
dup2(x, 2);
if(x > 2)
close(x);
}
#endif
setup_signals();
rb_lib_init(NULL, NULL, NULL, 0, maxfd, 1024, 4096);
rb_init_rawbuffers(1024);
ssld_ssl_ok = rb_supports_ssl();
mod_ctl = rb_malloc(sizeof(mod_ctl_t));
mod_ctl->F = rb_open(ctlfd, RB_FD_SOCKET, "ircd control socket");
mod_ctl->F_pipe = rb_open(pipefd, RB_FD_PIPE, "ircd pipe");
rb_set_nb(mod_ctl->F);
rb_set_nb(mod_ctl->F_pipe);
rb_event_addish("clean_dead_conns", clean_dead_conns, NULL, 10);
rb_event_add("check_handshake_flood", check_handshake_flood, NULL, 10);
read_pipe_ctl(mod_ctl->F_pipe, NULL);
mod_read_ctl(mod_ctl->F, mod_ctl);
send_version(mod_ctl);
if(!zlib_ok && !ssld_ssl_ok)
{
/* this is really useless... */
send_i_am_useless(mod_ctl);
/* sleep until the ircd kills us */
rb_sleep(2 << 30, 0);
exit(1);
}
if(!zlib_ok)
send_nozlib_support(mod_ctl, NULL);
if(!ssld_ssl_ok)
send_nossl_support(mod_ctl, NULL);
rb_lib_loop(0);
return 0;
}
#ifndef _WIN32
static void
dummy_handler(int sig)
{
return;
}
#endif
static void
setup_signals()
{
#ifndef _WIN32
struct sigaction act;
act.sa_flags = 0;
act.sa_handler = SIG_IGN;
sigemptyset(&act.sa_mask);
sigaddset(&act.sa_mask, SIGPIPE);
sigaddset(&act.sa_mask, SIGALRM);
#ifdef SIGTRAP
sigaddset(&act.sa_mask, SIGTRAP);
#endif
#ifdef SIGWINCH
sigaddset(&act.sa_mask, SIGWINCH);
sigaction(SIGWINCH, &act, 0);
#endif
sigaction(SIGPIPE, &act, 0);
#ifdef SIGTRAP
sigaction(SIGTRAP, &act, 0);
#endif
act.sa_handler = dummy_handler;
sigaction(SIGALRM, &act, 0);
#endif
}