1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 #include <errno.h>
13 #include <libgen.h>
14 #include <unistd.h>
15 #include <uv.h>
16
17 #include <openssl/err.h>
18 #include <openssl/ssl.h>
19
20 #include <isc/atomic.h>
21 #include <isc/buffer.h>
22 #include <isc/condition.h>
23 #include <isc/log.h>
24 #include <isc/magic.h>
25 #include <isc/mem.h>
26 #include <isc/netmgr.h>
27 #include <isc/once.h>
28 #include <isc/quota.h>
29 #include <isc/random.h>
30 #include <isc/refcount.h>
31 #include <isc/region.h>
32 #include <isc/result.h>
33 #include <isc/sockaddr.h>
34 #include <isc/stdtime.h>
35 #include <isc/thread.h>
36 #include <isc/util.h>
37
38 #include "../openssl_shim.h"
39 #include "netmgr-int.h"
40 #include "uv-compat.h"
41
42 #define TLS_BUF_SIZE (UINT16_MAX)
43
44 static isc_result_t
tls_error_to_result(int tls_err)45 tls_error_to_result(int tls_err) {
46 switch (tls_err) {
47 case SSL_ERROR_ZERO_RETURN:
48 return (ISC_R_EOF);
49 case SSL_ERROR_SSL:
50 return (ISC_R_TLSERROR);
51 default:
52 return (ISC_R_UNEXPECTED);
53 }
54 }
55
56 static void
57 tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result);
58
59 static void
60 tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
61 isc__nm_uvreq_t *send_data, bool finish);
62
63 static void
64 tls_readcb(isc_nmhandle_t *handle, isc_result_t result, isc_region_t *region,
65 void *cbarg);
66
67 static void
68 tls_close_direct(isc_nmsocket_t *sock);
69
70 static void
71 async_tls_do_bio(isc_nmsocket_t *sock);
72
73 /*
74 * The socket is closing, outerhandle has been detached, listener is
75 * inactive, or the netmgr is closing: any operation on it should abort
76 * with ISC_R_CANCELED.
77 */
78 static bool
inactive(isc_nmsocket_t * sock)79 inactive(isc_nmsocket_t *sock) {
80 return (!isc__nmsocket_active(sock) || atomic_load(&sock->closing) ||
81 sock->outerhandle == NULL ||
82 !isc__nmsocket_active(sock->outerhandle->sock) ||
83 atomic_load(&sock->outerhandle->sock->closing) ||
84 (sock->listener != NULL &&
85 !isc__nmsocket_active(sock->listener)) ||
86 isc__nm_closing(sock));
87 }
88
89 static void
tls_call_connect_cb(isc_nmsocket_t * sock,isc_nmhandle_t * handle,const isc_result_t result)90 tls_call_connect_cb(isc_nmsocket_t *sock, isc_nmhandle_t *handle,
91 const isc_result_t result) {
92 if (sock->connect_cb == NULL) {
93 return;
94 }
95 sock->connect_cb(handle, result, sock->connect_cbarg);
96 if (result != ISC_R_SUCCESS) {
97 isc__nmsocket_clearcb(handle->sock);
98 }
99 }
100
101 static void
tls_senddone(isc_nmhandle_t * handle,isc_result_t eresult,void * cbarg)102 tls_senddone(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
103 isc_nmsocket_tls_send_req_t *send_req =
104 (isc_nmsocket_tls_send_req_t *)cbarg;
105 isc_nmsocket_t *tlssock = NULL;
106 bool finish = send_req->finish;
107
108 REQUIRE(VALID_NMHANDLE(handle));
109 REQUIRE(VALID_NMSOCK(handle->sock));
110 REQUIRE(VALID_NMSOCK(send_req->tlssock));
111
112 tlssock = send_req->tlssock;
113 send_req->tlssock = NULL;
114
115 if (send_req->cb != NULL) {
116 INSIST(VALID_NMHANDLE(tlssock->statichandle));
117 send_req->cb(send_req->handle, eresult, send_req->cbarg);
118 isc_nmhandle_detach(&send_req->handle);
119 /* The last handle has been just detached: close the underlying
120 * socket. */
121 if (tlssock->statichandle == NULL) {
122 finish = true;
123 }
124 }
125
126 /* We are tying to avoid a memory allocation for small write
127 * requests. See the mirroring code in the tls_send_outgoing()
128 * function. */
129 if (ISC_UNLIKELY(send_req->data.length > sizeof(send_req->smallbuf))) {
130 isc_mem_put(handle->sock->mgr->mctx, send_req->data.base,
131 send_req->data.length);
132 } else {
133 INSIST(&send_req->smallbuf[0] == send_req->data.base);
134 }
135 isc_mem_put(handle->sock->mgr->mctx, send_req, sizeof(*send_req));
136 tlssock->tlsstream.nsending--;
137
138 if (finish && eresult == ISC_R_SUCCESS) {
139 tlssock->tlsstream.reading = false;
140 isc_nm_cancelread(handle);
141 } else if (eresult == ISC_R_SUCCESS) {
142 tls_do_bio(tlssock, NULL, NULL, false);
143 } else if (eresult != ISC_R_SUCCESS &&
144 tlssock->tlsstream.state <= TLS_HANDSHAKE &&
145 !tlssock->tlsstream.server)
146 {
147 /*
148 * We are still waiting for the handshake to complete, but
149 * it isn't going to happen. Call the connect callback,
150 * passing the error code there.
151 *
152 * (Note: tls_failed_read_cb() calls the connect
153 * rather than the read callback in this case.
154 * XXX: clarify?)
155 */
156 tls_failed_read_cb(tlssock, eresult);
157 }
158
159 isc__nmsocket_detach(&tlssock);
160 }
161
162 static void
tls_failed_read_cb(isc_nmsocket_t * sock,const isc_result_t result)163 tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result) {
164 bool destroy = true;
165
166 REQUIRE(VALID_NMSOCK(sock));
167 REQUIRE(result != ISC_R_SUCCESS);
168
169 if (!sock->tlsstream.server &&
170 (sock->tlsstream.state == TLS_INIT ||
171 sock->tlsstream.state == TLS_HANDSHAKE) &&
172 sock->connect_cb != NULL)
173 {
174 isc_nmhandle_t *handle = NULL;
175 INSIST(sock->statichandle == NULL);
176 handle = isc__nmhandle_get(sock, &sock->peer, &sock->iface);
177 tls_call_connect_cb(sock, handle, result);
178 isc__nmsocket_clearcb(sock);
179 isc_nmhandle_detach(&handle);
180 } else if (sock->recv_cb != NULL && sock->statichandle != NULL) {
181 isc__nm_uvreq_t *req = NULL;
182 INSIST(VALID_NMHANDLE(sock->statichandle));
183 req = isc__nm_uvreq_get(sock->mgr, sock);
184 req->cb.recv = sock->recv_cb;
185 req->cbarg = sock->recv_cbarg;
186 isc_nmhandle_attach(sock->statichandle, &req->handle);
187 if (result != ISC_R_TIMEDOUT) {
188 isc__nmsocket_clearcb(sock);
189 }
190 isc__nm_readcb(sock, req, result);
191 if (result == ISC_R_TIMEDOUT &&
192 (sock->outerhandle == NULL ||
193 isc__nmsocket_timer_running(sock->outerhandle->sock)))
194 {
195 destroy = false;
196 }
197 }
198
199 if (destroy) {
200 isc__nmsocket_prep_destroy(sock);
201 isc__nmsocket_detach(&sock);
202 }
203 }
204
205 static void
async_tls_do_bio(isc_nmsocket_t * sock)206 async_tls_do_bio(isc_nmsocket_t *sock) {
207 isc__netievent_tlsdobio_t *ievent =
208 isc__nm_get_netievent_tlsdobio(sock->mgr, sock);
209 isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
210 (isc__netievent_t *)ievent);
211 }
212
213 static int
tls_send_outgoing(isc_nmsocket_t * sock,bool finish,isc_nmhandle_t * tlshandle,isc_nm_cb_t cb,void * cbarg)214 tls_send_outgoing(isc_nmsocket_t *sock, bool finish, isc_nmhandle_t *tlshandle,
215 isc_nm_cb_t cb, void *cbarg) {
216 isc_nmsocket_tls_send_req_t *send_req = NULL;
217 int pending;
218 int rv;
219 size_t len = 0;
220
221 if (inactive(sock)) {
222 if (cb != NULL) {
223 INSIST(VALID_NMHANDLE(tlshandle));
224 cb(tlshandle, ISC_R_CANCELED, cbarg);
225 }
226 return (0);
227 }
228
229 if (finish && (SSL_get_shutdown(sock->tlsstream.tls) &
230 SSL_SENT_SHUTDOWN) != SSL_SENT_SHUTDOWN)
231 {
232 (void)SSL_shutdown(sock->tlsstream.tls);
233 }
234
235 pending = BIO_pending(sock->tlsstream.bio_out);
236 if (pending <= 0) {
237 return (pending);
238 }
239
240 /* TODO Should we keep track of these requests in a list? */
241 if ((unsigned int)pending > TLS_BUF_SIZE) {
242 pending = TLS_BUF_SIZE;
243 }
244
245 send_req = isc_mem_get(sock->mgr->mctx, sizeof(*send_req));
246 *send_req = (isc_nmsocket_tls_send_req_t){ .finish = finish,
247 .data.length = pending };
248
249 /* Let's try to avoid a memory allocation for small write requests */
250 if (ISC_UNLIKELY((size_t)pending > sizeof(send_req->smallbuf))) {
251 send_req->data.base = isc_mem_get(sock->mgr->mctx, pending);
252 } else {
253 send_req->data.base = &send_req->smallbuf[0];
254 }
255
256 isc__nmsocket_attach(sock, &send_req->tlssock);
257 if (cb != NULL) {
258 send_req->cb = cb;
259 send_req->cbarg = cbarg;
260 isc_nmhandle_attach(tlshandle, &send_req->handle);
261 }
262
263 rv = BIO_read_ex(sock->tlsstream.bio_out, send_req->data.base, pending,
264 &len);
265 /* There's something pending, read must succeed */
266 RUNTIME_CHECK(rv == 1);
267
268 INSIST(VALID_NMHANDLE(sock->outerhandle));
269
270 sock->tlsstream.nsending++;
271 isc_nm_send(sock->outerhandle, &send_req->data, tls_senddone, send_req);
272
273 return (pending);
274 }
275
276 static int
tls_process_outgoing(isc_nmsocket_t * sock,bool finish,isc__nm_uvreq_t * send_data)277 tls_process_outgoing(isc_nmsocket_t *sock, bool finish,
278 isc__nm_uvreq_t *send_data) {
279 int pending;
280
281 /* Data from TLS to network */
282 if (send_data != NULL) {
283 pending = tls_send_outgoing(sock, finish, send_data->handle,
284 send_data->cb.send,
285 send_data->cbarg);
286 } else {
287 bool received_shutdown =
288 ((SSL_get_shutdown(sock->tlsstream.tls) &
289 SSL_RECEIVED_SHUTDOWN) != 0);
290 bool sent_shutdown = ((SSL_get_shutdown(sock->tlsstream.tls) &
291 SSL_SENT_SHUTDOWN) != 0);
292
293 if (received_shutdown && !sent_shutdown) {
294 finish = true;
295 (void)SSL_shutdown(sock->tlsstream.tls);
296 }
297 pending = tls_send_outgoing(sock, finish, NULL, NULL, NULL);
298 }
299
300 return (pending);
301 }
302
303 static int
tls_try_handshake(isc_nmsocket_t * sock)304 tls_try_handshake(isc_nmsocket_t *sock) {
305 int rv = 0;
306 isc_nmhandle_t *tlshandle = NULL;
307
308 REQUIRE(sock->tlsstream.state == TLS_HANDSHAKE);
309
310 if (SSL_is_init_finished(sock->tlsstream.tls) == 1) {
311 return (0);
312 }
313
314 rv = SSL_do_handshake(sock->tlsstream.tls);
315 if (rv == 1) {
316 INSIST(SSL_is_init_finished(sock->tlsstream.tls) == 1);
317 INSIST(sock->statichandle == NULL);
318 tlshandle = isc__nmhandle_get(sock, &sock->peer, &sock->iface);
319 if (sock->tlsstream.server) {
320 sock->listener->accept_cb(tlshandle, ISC_R_SUCCESS,
321 sock->listener->accept_cbarg);
322 } else {
323 tls_call_connect_cb(sock, tlshandle, ISC_R_SUCCESS);
324 }
325 isc_nmhandle_detach(&tlshandle);
326 sock->tlsstream.state = TLS_IO;
327 }
328
329 return (rv);
330 }
331
332 static void
tls_do_bio(isc_nmsocket_t * sock,isc_region_t * received_data,isc__nm_uvreq_t * send_data,bool finish)333 tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
334 isc__nm_uvreq_t *send_data, bool finish) {
335 isc_result_t result = ISC_R_SUCCESS;
336 int pending, tls_status = SSL_ERROR_NONE;
337 int rv = 0;
338 size_t len = 0;
339 int saved_errno = 0;
340
341 REQUIRE(VALID_NMSOCK(sock));
342 REQUIRE(sock->tid == isc_nm_tid());
343
344 /* We will resume read if TLS layer wants us to */
345 if (sock->tlsstream.reading && sock->outerhandle) {
346 REQUIRE(VALID_NMHANDLE(sock->outerhandle));
347 isc_nm_pauseread(sock->outerhandle);
348 }
349
350 if (sock->tlsstream.state == TLS_INIT) {
351 INSIST(received_data == NULL && send_data == NULL);
352 if (sock->tlsstream.server) {
353 SSL_set_accept_state(sock->tlsstream.tls);
354 } else {
355 SSL_set_connect_state(sock->tlsstream.tls);
356 }
357 sock->tlsstream.state = TLS_HANDSHAKE;
358 rv = tls_try_handshake(sock);
359 INSIST(SSL_is_init_finished(sock->tlsstream.tls) == 0);
360 } else if (sock->tlsstream.state == TLS_CLOSED) {
361 return;
362 } else { /* initialised and doing I/O */
363 if (received_data != NULL) {
364 INSIST(send_data == NULL);
365 rv = BIO_write_ex(sock->tlsstream.bio_in,
366 received_data->base,
367 received_data->length, &len);
368 if (rv <= 0 || len != received_data->length) {
369 result = ISC_R_TLSERROR;
370 saved_errno = errno;
371 goto error;
372 }
373
374 /*
375 * Only after doing the IO we can check whether SSL
376 * handshake is done.
377 */
378 if (sock->tlsstream.state == TLS_HANDSHAKE) {
379 rv = tls_try_handshake(sock);
380 }
381 } else if (send_data != NULL) {
382 INSIST(received_data == NULL);
383 INSIST(sock->tlsstream.state > TLS_HANDSHAKE);
384 bool received_shutdown =
385 ((SSL_get_shutdown(sock->tlsstream.tls) &
386 SSL_RECEIVED_SHUTDOWN) != 0);
387 bool sent_shutdown =
388 ((SSL_get_shutdown(sock->tlsstream.tls) &
389 SSL_SENT_SHUTDOWN) != 0);
390 rv = SSL_write_ex(sock->tlsstream.tls,
391 send_data->uvbuf.base,
392 send_data->uvbuf.len, &len);
393 if (rv != 1 || len != send_data->uvbuf.len) {
394 result = received_shutdown || sent_shutdown
395 ? ISC_R_CANCELED
396 : ISC_R_TLSERROR;
397 send_data->cb.send(send_data->handle, result,
398 send_data->cbarg);
399 send_data = NULL;
400 /* This situation might occur only when SSL
401 * shutdown was already sent (see
402 * tls_send_outgoing()), and we are in the
403 * process of shutting down the connection (in
404 * this case tls_senddone() will be called), but
405 * some code tries to send data over the
406 * connection and called isc_tls_send(). The
407 * socket will be detached there, in
408 * tls_senddone().*/
409 if (sent_shutdown || received_shutdown) {
410 return;
411 } else {
412 isc__nmsocket_detach(&sock);
413 return;
414 }
415 }
416 }
417
418 /* Decrypt and pass data from network to client */
419 if (sock->tlsstream.state >= TLS_IO && sock->recv_cb != NULL &&
420 !atomic_load(&sock->readpaused) &&
421 sock->statichandle != NULL)
422 {
423 uint8_t recv_buf[TLS_BUF_SIZE];
424 INSIST(sock->tlsstream.state > TLS_HANDSHAKE);
425 while ((rv = SSL_read_ex(sock->tlsstream.tls, recv_buf,
426 TLS_BUF_SIZE, &len)) == 1)
427 {
428 isc_region_t region;
429 region = (isc_region_t){ .base = &recv_buf[0],
430 .length = len };
431
432 INSIST(VALID_NMHANDLE(sock->statichandle));
433 sock->recv_cb(sock->statichandle, ISC_R_SUCCESS,
434 ®ion, sock->recv_cbarg);
435 /* The handle could have been detached in
436 * sock->recv_cb, making the sock->statichandle
437 * nullified (it happens in netmgr.c). If it is
438 * the case, then it means that we are not
439 * interested in keeping the connection alive
440 * anymore. Let's shutdown the SSL session, send
441 * what we have in the SSL buffers, and close
442 * the connection.
443 */
444 if (sock->statichandle == NULL) {
445 finish = true;
446 break;
447 }
448 }
449 }
450 }
451 tls_status = SSL_get_error(sock->tlsstream.tls, rv);
452 saved_errno = errno;
453
454 /* See "BUGS" section at:
455 * https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html
456 *
457 * It is mentioned there that when TLS status equals
458 * SSL_ERROR_SYSCALL AND errno == 0 it means that underlying
459 * transport layer returned EOF prematurely. However, we are
460 * managing the transport ourselves, so we should just resume
461 * reading from the TCP socket.
462 *
463 * It seems that this case has been handled properly on modern
464 * versions of OpenSSL. That being said, the situation goes in
465 * line with the manual: it is briefly mentioned there that
466 * SSL_ERROR_SYSCALL might be returned not only in a case of
467 * low-level errors (like system call failures).
468 */
469 if (tls_status == SSL_ERROR_SYSCALL && saved_errno == 0 &&
470 received_data == NULL && send_data == NULL && finish == false)
471 {
472 tls_status = SSL_ERROR_WANT_READ;
473 }
474
475 pending = tls_process_outgoing(sock, finish, send_data);
476 if (pending > 0) {
477 /* We'll continue in tls_senddone */
478 return;
479 }
480
481 switch (tls_status) {
482 case SSL_ERROR_NONE:
483 case SSL_ERROR_ZERO_RETURN:
484 return;
485 case SSL_ERROR_WANT_WRITE:
486 if (sock->tlsstream.nsending == 0) {
487 /*
488 * Launch tls_do_bio asynchronously. If we're sending
489 * already the send callback will call it.
490 */
491 async_tls_do_bio(sock);
492 }
493 return;
494 case SSL_ERROR_WANT_READ:
495 if (sock->tlsstream.reading) {
496 INSIST(VALID_NMHANDLE(sock->outerhandle));
497 isc_nm_resumeread(sock->outerhandle);
498 } else if (sock->tlsstream.state == TLS_HANDSHAKE) {
499 sock->tlsstream.reading = true;
500 isc_nm_read(sock->outerhandle, tls_readcb, sock);
501 }
502 return;
503 default:
504 result = tls_error_to_result(tls_status);
505 break;
506 }
507
508 error:
509 isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
510 ISC_LOG_NOTICE,
511 "SSL error in BIO: %d %s (errno: %d). Arguments: "
512 "received_data: %p, "
513 "send_data: %p, finish: %s",
514 tls_status, isc_result_totext(result), saved_errno,
515 received_data, send_data, finish ? "true" : "false");
516 tls_failed_read_cb(sock, result);
517 }
518
519 static void
tls_readcb(isc_nmhandle_t * handle,isc_result_t result,isc_region_t * region,void * cbarg)520 tls_readcb(isc_nmhandle_t *handle, isc_result_t result, isc_region_t *region,
521 void *cbarg) {
522 isc_nmsocket_t *tlssock = (isc_nmsocket_t *)cbarg;
523
524 REQUIRE(VALID_NMSOCK(tlssock));
525 REQUIRE(VALID_NMHANDLE(handle));
526 REQUIRE(tlssock->tid == isc_nm_tid());
527
528 if (result != ISC_R_SUCCESS) {
529 tls_failed_read_cb(tlssock, result);
530 return;
531 }
532
533 tls_do_bio(tlssock, region, NULL, false);
534 }
535
536 static isc_result_t
initialize_tls(isc_nmsocket_t * sock,bool server)537 initialize_tls(isc_nmsocket_t *sock, bool server) {
538 REQUIRE(sock->tid == isc_nm_tid());
539
540 sock->tlsstream.bio_in = BIO_new(BIO_s_mem());
541 if (sock->tlsstream.bio_in == NULL) {
542 isc_tls_free(&sock->tlsstream.tls);
543 return (ISC_R_TLSERROR);
544 }
545 sock->tlsstream.bio_out = BIO_new(BIO_s_mem());
546 if (sock->tlsstream.bio_out == NULL) {
547 BIO_free_all(sock->tlsstream.bio_in);
548 sock->tlsstream.bio_in = NULL;
549 isc_tls_free(&sock->tlsstream.tls);
550 return (ISC_R_TLSERROR);
551 }
552
553 if (BIO_set_mem_eof_return(sock->tlsstream.bio_in, EOF) != 1 ||
554 BIO_set_mem_eof_return(sock->tlsstream.bio_out, EOF) != 1)
555 {
556 goto error;
557 }
558
559 SSL_set_bio(sock->tlsstream.tls, sock->tlsstream.bio_in,
560 sock->tlsstream.bio_out);
561 sock->tlsstream.server = server;
562 sock->tlsstream.nsending = 0;
563 sock->tlsstream.state = TLS_INIT;
564 return (ISC_R_SUCCESS);
565 error:
566 isc_tls_free(&sock->tlsstream.tls);
567 sock->tlsstream.bio_out = sock->tlsstream.bio_in = NULL;
568 return (ISC_R_TLSERROR);
569 }
570
571 static isc_result_t
tlslisten_acceptcb(isc_nmhandle_t * handle,isc_result_t result,void * cbarg)572 tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
573 isc_nmsocket_t *tlslistensock = (isc_nmsocket_t *)cbarg;
574 isc_nmsocket_t *tlssock = NULL;
575
576 /* If accept() was unsuccessful we can't do anything */
577 if (result != ISC_R_SUCCESS) {
578 return (result);
579 }
580
581 REQUIRE(VALID_NMHANDLE(handle));
582 REQUIRE(VALID_NMSOCK(handle->sock));
583 REQUIRE(VALID_NMSOCK(tlslistensock));
584 REQUIRE(tlslistensock->type == isc_nm_tlslistener);
585
586 /*
587 * We need to create a 'wrapper' tlssocket for this connection.
588 */
589 tlssock = isc_mem_get(handle->sock->mgr->mctx, sizeof(*tlssock));
590 isc__nmsocket_init(tlssock, handle->sock->mgr, isc_nm_tlssocket,
591 &handle->sock->iface);
592
593 /* We need to initialize SSL now to reference SSL_CTX properly */
594 tlssock->tlsstream.ctx = tlslistensock->tlsstream.ctx;
595 tlssock->tlsstream.tls = isc_tls_create(tlssock->tlsstream.ctx);
596 if (tlssock->tlsstream.tls == NULL) {
597 atomic_store(&tlssock->closed, true);
598 isc__nmsocket_detach(&tlssock);
599 return (ISC_R_TLSERROR);
600 }
601
602 tlssock->extrahandlesize = tlslistensock->extrahandlesize;
603 isc__nmsocket_attach(tlslistensock, &tlssock->listener);
604 isc_nmhandle_attach(handle, &tlssock->outerhandle);
605 tlssock->peer = handle->sock->peer;
606 tlssock->read_timeout = atomic_load(&handle->sock->mgr->init);
607 tlssock->tid = isc_nm_tid();
608
609 tlssock->tlsstream.ctx = tlslistensock->tlsstream.ctx;
610
611 result = initialize_tls(tlssock, true);
612 RUNTIME_CHECK(result == ISC_R_SUCCESS);
613 /* TODO: catch failure code, detach tlssock, and log the error */
614
615 tls_do_bio(tlssock, NULL, NULL, false);
616 return (result);
617 }
618
619 isc_result_t
isc_nm_listentls(isc_nm_t * mgr,isc_sockaddr_t * iface,isc_nm_accept_cb_t accept_cb,void * accept_cbarg,size_t extrahandlesize,int backlog,isc_quota_t * quota,SSL_CTX * sslctx,isc_nmsocket_t ** sockp)620 isc_nm_listentls(isc_nm_t *mgr, isc_sockaddr_t *iface,
621 isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
622 size_t extrahandlesize, int backlog, isc_quota_t *quota,
623 SSL_CTX *sslctx, isc_nmsocket_t **sockp) {
624 isc_result_t result;
625 isc_nmsocket_t *tlssock = NULL;
626 isc_nmsocket_t *tsock = NULL;
627
628 REQUIRE(VALID_NM(mgr));
629
630 tlssock = isc_mem_get(mgr->mctx, sizeof(*tlssock));
631
632 isc__nmsocket_init(tlssock, mgr, isc_nm_tlslistener, iface);
633 tlssock->result = ISC_R_UNSET;
634 tlssock->accept_cb = accept_cb;
635 tlssock->accept_cbarg = accept_cbarg;
636 tlssock->extrahandlesize = extrahandlesize;
637 tlssock->tlsstream.ctx = sslctx;
638 tlssock->tlsstream.tls = NULL;
639
640 /*
641 * tlssock will be a TLS 'wrapper' around an unencrypted stream.
642 * We set tlssock->outer to a socket listening for a TCP connection.
643 */
644 result = isc_nm_listentcp(mgr, iface, tlslisten_acceptcb, tlssock,
645 extrahandlesize, backlog, quota,
646 &tlssock->outer);
647 if (result != ISC_R_SUCCESS) {
648 atomic_store(&tlssock->closed, true);
649 isc__nmsocket_detach(&tlssock);
650 return (result);
651 }
652
653 /* wait for listen result */
654 isc__nmsocket_attach(tlssock->outer, &tsock);
655 tlssock->result = result;
656 atomic_store(&tlssock->active, true);
657 INSIST(tlssock->outer->tlsstream.tlslistener == NULL);
658 isc__nmsocket_attach(tlssock, &tlssock->outer->tlsstream.tlslistener);
659 isc__nmsocket_detach(&tsock);
660 INSIST(result != ISC_R_UNSET);
661
662 if (result == ISC_R_SUCCESS) {
663 atomic_store(&tlssock->listening, true);
664 *sockp = tlssock;
665 }
666
667 return (result);
668 }
669
670 void
isc__nm_async_tlssend(isc__networker_t * worker,isc__netievent_t * ev0)671 isc__nm_async_tlssend(isc__networker_t *worker, isc__netievent_t *ev0) {
672 isc__netievent_tlssend_t *ievent = (isc__netievent_tlssend_t *)ev0;
673 isc_nmsocket_t *sock = ievent->sock;
674 isc__nm_uvreq_t *req = ievent->req;
675
676 REQUIRE(VALID_UVREQ(req));
677 REQUIRE(sock->tid == isc_nm_tid());
678
679 UNUSED(worker);
680
681 ievent->req = NULL;
682
683 if (inactive(sock)) {
684 req->cb.send(req->handle, ISC_R_CANCELED, req->cbarg);
685 goto done;
686 }
687
688 tls_do_bio(sock, NULL, req, false);
689 done:
690 isc__nm_uvreq_put(&req, sock);
691 return;
692 }
693
694 void
isc__nm_tls_send(isc_nmhandle_t * handle,const isc_region_t * region,isc_nm_cb_t cb,void * cbarg)695 isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region,
696 isc_nm_cb_t cb, void *cbarg) {
697 isc__netievent_tlssend_t *ievent = NULL;
698 isc__nm_uvreq_t *uvreq = NULL;
699 isc_nmsocket_t *sock = NULL;
700
701 REQUIRE(VALID_NMHANDLE(handle));
702 REQUIRE(VALID_NMSOCK(handle->sock));
703
704 sock = handle->sock;
705
706 REQUIRE(sock->type == isc_nm_tlssocket);
707
708 if (inactive(sock)) {
709 cb(handle, ISC_R_CANCELED, cbarg);
710 return;
711 }
712
713 uvreq = isc__nm_uvreq_get(sock->mgr, sock);
714 isc_nmhandle_attach(handle, &uvreq->handle);
715 uvreq->cb.send = cb;
716 uvreq->cbarg = cbarg;
717 uvreq->uvbuf.base = (char *)region->base;
718 uvreq->uvbuf.len = region->length;
719
720 /*
721 * We need to create an event and pass it using async channel
722 */
723 ievent = isc__nm_get_netievent_tlssend(sock->mgr, sock, uvreq);
724 isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
725 (isc__netievent_t *)ievent);
726 }
727
728 void
isc__nm_async_tlsstartread(isc__networker_t * worker,isc__netievent_t * ev0)729 isc__nm_async_tlsstartread(isc__networker_t *worker, isc__netievent_t *ev0) {
730 isc__netievent_tlsstartread_t *ievent =
731 (isc__netievent_tlsstartread_t *)ev0;
732 isc_nmsocket_t *sock = ievent->sock;
733
734 REQUIRE(sock->tid == isc_nm_tid());
735
736 UNUSED(worker);
737
738 tls_do_bio(sock, NULL, NULL, false);
739 }
740
741 void
isc__nm_tls_read(isc_nmhandle_t * handle,isc_nm_recv_cb_t cb,void * cbarg)742 isc__nm_tls_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
743 isc__netievent_tlsstartread_t *ievent = NULL;
744 isc_nmsocket_t *sock = NULL;
745
746 REQUIRE(VALID_NMHANDLE(handle));
747
748 sock = handle->sock;
749 REQUIRE(VALID_NMSOCK(sock));
750 REQUIRE(sock->statichandle == handle);
751 REQUIRE(sock->tid == isc_nm_tid());
752 REQUIRE(sock->recv_cb == NULL);
753
754 if (inactive(sock)) {
755 cb(handle, ISC_R_NOTCONNECTED, NULL, cbarg);
756 return;
757 }
758
759 sock->recv_cb = cb;
760 sock->recv_cbarg = cbarg;
761
762 ievent = isc__nm_get_netievent_tlsstartread(sock->mgr, sock);
763 isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
764 (isc__netievent_t *)ievent);
765 }
766
767 void
isc__nm_tls_pauseread(isc_nmhandle_t * handle)768 isc__nm_tls_pauseread(isc_nmhandle_t *handle) {
769 REQUIRE(VALID_NMHANDLE(handle));
770 REQUIRE(VALID_NMSOCK(handle->sock));
771
772 if (atomic_compare_exchange_strong(&handle->sock->readpaused,
773 &(bool){ false }, true))
774 {
775 if (handle->sock->outerhandle != NULL) {
776 isc_nm_pauseread(handle->sock->outerhandle);
777 }
778 }
779 }
780
781 void
isc__nm_tls_resumeread(isc_nmhandle_t * handle)782 isc__nm_tls_resumeread(isc_nmhandle_t *handle) {
783 REQUIRE(VALID_NMHANDLE(handle));
784 REQUIRE(VALID_NMSOCK(handle->sock));
785
786 if (!atomic_compare_exchange_strong(&handle->sock->readpaused,
787 &(bool){ false }, false))
788 {
789 async_tls_do_bio(handle->sock);
790 }
791 }
792
793 static void
tls_close_direct(isc_nmsocket_t * sock)794 tls_close_direct(isc_nmsocket_t *sock) {
795 REQUIRE(VALID_NMSOCK(sock));
796 REQUIRE(sock->tid == isc_nm_tid());
797 /*
798 * At this point we're certain that there are no
799 * external references, we can close everything.
800 */
801 if (sock->outerhandle != NULL) {
802 isc_nm_pauseread(sock->outerhandle);
803 isc__nmsocket_clearcb(sock->outerhandle->sock);
804 isc_nmhandle_detach(&sock->outerhandle);
805 }
806
807 if (sock->listener != NULL) {
808 isc__nmsocket_detach(&sock->listener);
809 }
810
811 /* further cleanup performed in isc__nm_tls_cleanup_data() */
812 atomic_store(&sock->closed, true);
813 atomic_store(&sock->active, false);
814 sock->tlsstream.state = TLS_CLOSED;
815 }
816
817 void
isc__nm_tls_close(isc_nmsocket_t * sock)818 isc__nm_tls_close(isc_nmsocket_t *sock) {
819 isc__netievent_tlsclose_t *ievent = NULL;
820
821 REQUIRE(VALID_NMSOCK(sock));
822 REQUIRE(sock->type == isc_nm_tlssocket);
823
824 if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
825 true)) {
826 return;
827 }
828
829 ievent = isc__nm_get_netievent_tlsclose(sock->mgr, sock);
830 isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
831 (isc__netievent_t *)ievent);
832 }
833
834 void
isc__nm_async_tlsclose(isc__networker_t * worker,isc__netievent_t * ev0)835 isc__nm_async_tlsclose(isc__networker_t *worker, isc__netievent_t *ev0) {
836 isc__netievent_tlsclose_t *ievent = (isc__netievent_tlsclose_t *)ev0;
837 isc_nmsocket_t *sock = ievent->sock;
838
839 REQUIRE(ievent->sock->tid == isc_nm_tid());
840
841 UNUSED(worker);
842
843 tls_close_direct(sock);
844 }
845
846 void
isc__nm_tls_stoplistening(isc_nmsocket_t * sock)847 isc__nm_tls_stoplistening(isc_nmsocket_t *sock) {
848 REQUIRE(VALID_NMSOCK(sock));
849 REQUIRE(sock->type == isc_nm_tlslistener);
850
851 if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
852 true)) {
853 INSIST(0);
854 ISC_UNREACHABLE();
855 }
856
857 atomic_store(&sock->listening, false);
858 atomic_store(&sock->closed, true);
859 sock->recv_cb = NULL;
860 sock->recv_cbarg = NULL;
861 if (sock->tlsstream.tls != NULL) {
862 isc_tls_free(&sock->tlsstream.tls);
863 sock->tlsstream.ctx = NULL;
864 }
865
866 if (sock->outer != NULL) {
867 isc_nm_stoplistening(sock->outer);
868 isc__nmsocket_detach(&sock->outer);
869 }
870 }
871
872 static void
873 tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg);
874
875 void
isc_nm_tlsconnect(isc_nm_t * mgr,isc_sockaddr_t * local,isc_sockaddr_t * peer,isc_nm_cb_t cb,void * cbarg,SSL_CTX * ctx,unsigned int timeout,size_t extrahandlesize)876 isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
877 isc_nm_cb_t cb, void *cbarg, SSL_CTX *ctx,
878 unsigned int timeout, size_t extrahandlesize) {
879 isc_nmsocket_t *nsock = NULL;
880 #if defined(NETMGR_TRACE) && defined(NETMGR_TRACE_VERBOSE)
881 fprintf(stderr, "TLS: isc_nm_tlsconnect(): in net thread: %s\n",
882 isc__nm_in_netthread() ? "yes" : "no");
883 #endif /* NETMGR_TRACE */
884
885 REQUIRE(VALID_NM(mgr));
886
887 nsock = isc_mem_get(mgr->mctx, sizeof(*nsock));
888 isc__nmsocket_init(nsock, mgr, isc_nm_tlssocket, local);
889 nsock->extrahandlesize = extrahandlesize;
890 nsock->result = ISC_R_UNSET;
891 nsock->connect_cb = cb;
892 nsock->connect_cbarg = cbarg;
893 nsock->connect_timeout = timeout;
894 nsock->tlsstream.ctx = ctx;
895
896 isc_nm_tcpconnect(mgr, local, peer, tcp_connected, nsock,
897 nsock->connect_timeout, 0);
898 }
899
900 static void
tcp_connected(isc_nmhandle_t * handle,isc_result_t result,void * cbarg)901 tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
902 isc_nmsocket_t *tlssock = (isc_nmsocket_t *)cbarg;
903 isc_nmhandle_t *tlshandle = NULL;
904
905 REQUIRE(VALID_NMSOCK(tlssock));
906 REQUIRE(VALID_NMHANDLE(handle));
907
908 tlssock->tid = isc_nm_tid();
909 if (result != ISC_R_SUCCESS) {
910 goto error;
911 }
912
913 tlssock->iface = handle->sock->iface;
914 tlssock->peer = handle->sock->peer;
915 if (isc__nm_closing(tlssock)) {
916 result = ISC_R_SHUTTINGDOWN;
917 goto error;
918 }
919
920 /*
921 * We need to initialize SSL now to reference SSL_CTX properly.
922 */
923 tlssock->tlsstream.tls = isc_tls_create(tlssock->tlsstream.ctx);
924 if (tlssock->tlsstream.tls == NULL) {
925 result = ISC_R_TLSERROR;
926 goto error;
927 }
928
929 result = initialize_tls(tlssock, false);
930 if (result != ISC_R_SUCCESS) {
931 goto error;
932 }
933 tlssock->peer = isc_nmhandle_peeraddr(handle);
934 isc_nmhandle_attach(handle, &tlssock->outerhandle);
935 atomic_store(&tlssock->active, true);
936
937 tls_do_bio(tlssock, NULL, NULL, false);
938 return;
939 error:
940 tlshandle = isc__nmhandle_get(tlssock, NULL, NULL);
941 atomic_store(&tlssock->closed, true);
942 tls_call_connect_cb(tlssock, tlshandle, result);
943 isc_nmhandle_detach(&tlshandle);
944 isc__nmsocket_detach(&tlssock);
945 }
946
947 static void
tls_cancelread(isc_nmsocket_t * sock)948 tls_cancelread(isc_nmsocket_t *sock) {
949 if (!inactive(sock) && sock->tlsstream.state == TLS_IO) {
950 tls_do_bio(sock, NULL, NULL, true);
951 } else if (sock->outerhandle != NULL) {
952 sock->tlsstream.reading = false;
953 isc_nm_cancelread(sock->outerhandle);
954 }
955 }
956
957 void
isc__nm_tls_cancelread(isc_nmhandle_t * handle)958 isc__nm_tls_cancelread(isc_nmhandle_t *handle) {
959 isc_nmsocket_t *sock = NULL;
960 isc__netievent_tlscancel_t *ievent = NULL;
961
962 REQUIRE(VALID_NMHANDLE(handle));
963
964 sock = handle->sock;
965
966 REQUIRE(sock->type == isc_nm_tlssocket);
967
968 if (sock->tid == isc_nm_tid()) {
969 tls_cancelread(sock);
970 } else {
971 ievent = isc__nm_get_netievent_tlscancel(sock->mgr, sock,
972 handle);
973 isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
974 (isc__netievent_t *)ievent);
975 }
976 }
977
978 void
isc__nm_async_tlscancel(isc__networker_t * worker,isc__netievent_t * ev0)979 isc__nm_async_tlscancel(isc__networker_t *worker, isc__netievent_t *ev0) {
980 isc__netievent_tlscancel_t *ievent = (isc__netievent_tlscancel_t *)ev0;
981 isc_nmsocket_t *sock = ievent->sock;
982
983 REQUIRE(VALID_NMSOCK(sock));
984 REQUIRE(worker->id == sock->tid);
985 REQUIRE(sock->tid == isc_nm_tid());
986
987 UNUSED(worker);
988 tls_cancelread(sock);
989 }
990
991 void
isc__nm_async_tlsdobio(isc__networker_t * worker,isc__netievent_t * ev0)992 isc__nm_async_tlsdobio(isc__networker_t *worker, isc__netievent_t *ev0) {
993 isc__netievent_tlsdobio_t *ievent = (isc__netievent_tlsdobio_t *)ev0;
994
995 UNUSED(worker);
996
997 tls_do_bio(ievent->sock, NULL, NULL, false);
998 }
999
1000 void
isc__nm_tls_cleanup_data(isc_nmsocket_t * sock)1001 isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
1002 if (sock->type == isc_nm_tcplistener &&
1003 sock->tlsstream.tlslistener != NULL) {
1004 REQUIRE(VALID_NMSOCK(sock->tlsstream.tlslistener));
1005 isc__nmsocket_detach(&sock->tlsstream.tlslistener);
1006 } else if (sock->type == isc_nm_tlssocket) {
1007 if (sock->tlsstream.tls != NULL) {
1008 isc_tls_free(&sock->tlsstream.tls);
1009 /* These are destroyed when we free SSL */
1010 sock->tlsstream.ctx = NULL;
1011 sock->tlsstream.bio_out = NULL;
1012 sock->tlsstream.bio_in = NULL;
1013 }
1014 }
1015 }
1016
1017 void
isc__nm_tls_cleartimeout(isc_nmhandle_t * handle)1018 isc__nm_tls_cleartimeout(isc_nmhandle_t *handle) {
1019 isc_nmsocket_t *sock = NULL;
1020
1021 REQUIRE(VALID_NMHANDLE(handle));
1022 REQUIRE(VALID_NMSOCK(handle->sock));
1023 REQUIRE(handle->sock->type == isc_nm_tlssocket);
1024
1025 sock = handle->sock;
1026 if (sock->outerhandle != NULL) {
1027 INSIST(VALID_NMHANDLE(sock->outerhandle));
1028 isc_nmhandle_cleartimeout(sock->outerhandle);
1029 }
1030 }
1031
1032 void
isc__nm_tls_settimeout(isc_nmhandle_t * handle,uint32_t timeout)1033 isc__nm_tls_settimeout(isc_nmhandle_t *handle, uint32_t timeout) {
1034 isc_nmsocket_t *sock = NULL;
1035
1036 REQUIRE(VALID_NMHANDLE(handle));
1037 REQUIRE(VALID_NMSOCK(handle->sock));
1038 REQUIRE(handle->sock->type == isc_nm_tlssocket);
1039
1040 sock = handle->sock;
1041 if (sock->outerhandle != NULL) {
1042 INSIST(VALID_NMHANDLE(sock->outerhandle));
1043 isc_nmhandle_settimeout(sock->outerhandle, timeout);
1044 }
1045 }
1046
1047 void
isc__nmhandle_tls_keepalive(isc_nmhandle_t * handle,bool value)1048 isc__nmhandle_tls_keepalive(isc_nmhandle_t *handle, bool value) {
1049 isc_nmsocket_t *sock = NULL;
1050
1051 REQUIRE(VALID_NMHANDLE(handle));
1052 REQUIRE(VALID_NMSOCK(handle->sock));
1053 REQUIRE(handle->sock->type == isc_nm_tlssocket);
1054
1055 sock = handle->sock;
1056 if (sock->outerhandle != NULL) {
1057 INSIST(VALID_NMHANDLE(sock->outerhandle));
1058
1059 isc_nmhandle_keepalive(sock->outerhandle, value);
1060 }
1061 }
1062