1 /*
2 * Pound - the reverse-proxy load-balancer
3 * Copyright (C) 2002-2010 Apsis GmbH
4 *
5 * This file is part of Pound.
6 *
7 * Pound is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * Pound is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 *
20 * Contact information:
21 * Apsis GmbH
22 * P.O.Box
23 * 8707 Uetikon am See
24 * Switzerland
25 * EMail: roseg@apsis.ch
26 */
27
28 #include "pound.h"
29
30 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
31 # define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
32 # define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
33 #else
34 #ifndef LHASH_OF
35 #define LHASH_OF(x) LHASH
36 #define CHECKED_LHASH_OF(type, h) h
37 #endif
38 # define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
39 # define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
40 #endif
41
42 /*
43 * Add a new key/content pair to a hash table
44 * the table should be already locked
45 */
46 static void
t_add(LHASH_OF (TABNODE)* const tab,const char * key,const void * content,const size_t cont_len)47 t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const size_t cont_len)
48 {
49 TABNODE *t, *old;
50
51 if((t = (TABNODE *)malloc(sizeof(TABNODE))) == NULL) {
52 logmsg(LOG_WARNING, "t_add() content malloc");
53 return;
54 }
55 if((t->key = strdup(key)) == NULL) {
56 free(t);
57 logmsg(LOG_WARNING, "t_add() strdup");
58 return;
59 }
60 if((t->content = malloc(cont_len)) == NULL) {
61 free(t->key);
62 free(t);
63 logmsg(LOG_WARNING, "t_add() content malloc");
64 return;
65 }
66 memcpy(t->content, content, cont_len);
67 t->last_acc = time(NULL);
68 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
69 if((old = lh_TABNODE_insert(tab, t)) != NULL) {
70 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
71 if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
72 #else
73 if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
74 #endif
75 free(old->key);
76 free(old->content);
77 free(old);
78 logmsg(LOG_WARNING, "t_add() DUP");
79 }
80 return;
81 }
82
83 /*
84 * Find a key
85 * returns the content in the parameter
86 * side-effect: update the time of last access
87 */
88 static void *
89 t_find(LHASH_OF(TABNODE) *const tab, char *const key)
90 {
91 TABNODE t, *res;
92
93 t.key = key;
94 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
95 if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
96 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
97 if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
98 #else
99 if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
100 #endif
101 res->last_acc = time(NULL);
102 return res->content;
103 }
104 return NULL;
105 }
106
107 /*
108 * Delete a key
109 */
110 static void
111 t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
112 {
113 TABNODE t, *res;
114
115 t.key = key;
116 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
117 if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
118 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
119 if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
120 #else
121 if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
122 #endif
123 free(res->key);
124 free(res->content);
125 free(res);
126 }
127 return;
128 }
129
130 typedef struct {
131 LHASH_OF(TABNODE) *tab;
132 time_t lim;
133 void *content;
134 int cont_len;
135 } ALL_ARG;
136
137 static void
138 t_old_doall_arg(TABNODE *t, ALL_ARG *a)
139 {
140 TABNODE *res;
141
142 if(t->last_acc < a->lim)
143 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
144 if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
145 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
146 if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
147 #else
148 if((res = lh_delete(a->tab, t)) != NULL) {
149 #endif
150 free(res->key);
151 free(res->content);
152 free(res);
153 }
154 return;
155 }
156 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
157 IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
158 #else
159 #define t_old t_old_doall_arg
160 IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
161 #endif
162
163 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
164 IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
165 #endif
166
167 /*
168 * Expire all old nodes
169 */
170 static void
171 t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
172 {
173 ALL_ARG a;
174 int down_load;
175
176 a.tab = tab;
177 a.lim = lim;
178 down_load = TABNODE_GET_DOWN_LOAD(tab);
179 TABNODE_SET_DOWN_LOAD(tab, 0);
180 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
181 lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
182 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
183 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
184 #else
185 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
186 #endif
187 TABNODE_SET_DOWN_LOAD(tab, down_load);
188 return;
189 }
190
191 static void
192 t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
193 {
194 TABNODE *res;
195
196 if(memcmp(t->content, arg->content, arg->cont_len) == 0)
197 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
198 if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
199 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
200 if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
201 #else
202 if((res = lh_delete(arg->tab, t)) != NULL) {
203 #endif
204 free(res->key);
205 free(res->content);
206 free(res);
207 }
208 return;
209 }
210 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
211 IMPLEMENT_LHASH_DOALL_ARG_FN(t_cont, TABNODE, ALL_ARG)
212 #else
213 #define t_cont t_cont_doall_arg
214 IMPLEMENT_LHASH_DOALL_ARG_FN(t_cont, TABNODE *, ALL_ARG *)
215 #endif
216
217 /*
218 * Remove all nodes with the given content
219 */
220 static void
221 t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len)
222 {
223 ALL_ARG a;
224 int down_load;
225
226 a.tab = tab;
227 a.content = content;
228 a.cont_len = cont_len;
229 down_load = TABNODE_GET_DOWN_LOAD(tab);
230 TABNODE_SET_DOWN_LOAD(tab, 0);
231 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
232 lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
233 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
234 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
235 #else
236 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
237 #endif
238 TABNODE_SET_DOWN_LOAD(tab, down_load);
239 }
240
241 /*
242 * Log an error to the syslog or to stderr
243 */
244 #ifdef HAVE_STDARG_H
245 void
246 logmsg(const int priority, const char *fmt, ...)
247 {
248 char buf[MAXBUF + 1];
249 va_list ap;
250 struct tm *t_now, t_res;
251
252 buf[MAXBUF] = '\0';
253 va_start(ap, fmt);
254 vsnprintf(buf, MAXBUF, fmt, ap);
255 va_end(ap);
256 if(log_facility == -1) {
257 fprintf((priority == LOG_INFO || priority == LOG_DEBUG)? stdout: stderr, "%s\n", buf);
258 } else {
259 if(print_log)
260 printf("%s\n", buf);
261 else
262 syslog(log_facility | priority, "%s", buf);
263 }
264 return;
265 }
266 #else
267 void
268 logmsg(const int priority, const char *fmt, va_alist)
269 va_dcl
270 {
271 char buf[MAXBUF + 1];
272 va_list ap;
273 struct tm *t_now, t_res;
274
275 buf[MAXBUF] = '\0';
276 va_start(ap);
277 vsnprintf(buf, MAXBUF, fmt, ap);
278 va_end(ap);
279 if(log_facility == -1) {
280 fprintf((priority == LOG_INFO || priority == LOG_DEBUG)? stdout: stderr, "%s\n", buf);
281 } else {
282 if(print_log)
283 printf("%s\n", buf);
284 else
285 syslog(log_facility | priority, "%s", buf);
286 }
287 return;
288 }
289 #endif
290
291 /*
292 * Translate inet/inet6 address/port into a string
293 */
294 void
295 addr2str(char *const res, const int res_len, const struct addrinfo *addr, const int no_port)
296 {
297 char buf[MAXBUF];
298 int port;
299 void *src;
300 char *p = buf;
301
302 memset(res, 0, res_len);
303 #ifdef HAVE_INET_NTOP
304 switch(addr->ai_family) {
305 case AF_INET:
306 src = (void *)&((struct sockaddr_in *)addr->ai_addr)->sin_addr.s_addr;
307 port = ntohs(((struct sockaddr_in *)addr->ai_addr)->sin_port);
308 if(inet_ntop(AF_INET, src, buf, MAXBUF - 1) == NULL)
309 strncpy(buf, "(UNKNOWN)", MAXBUF - 1);
310 break;
311 case AF_INET6:
312 src = (void *)&((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr.s6_addr;
313 port = ntohs(((struct sockaddr_in6 *)addr->ai_addr)->sin6_port);
314 if(inet_ntop(AF_INET6, src, buf, MAXBUF - 1) == NULL)
315 strncpy(buf, "(UNKNOWN)", MAXBUF - 1);
316 break;
317 case AF_UNIX:
318 strncpy(buf, (char *)addr->ai_addr, MAXBUF - 1);
319 port = 0;
320 break;
321 default:
322 strncpy(buf, "(UNKNOWN)", MAXBUF - 1);
323 port = 0;
324 break;
325 }
326 // Strip off the IPv6 prefix
327 if (strncmp(buf, "::ffff:", 7) == 0)
328 {
329 p = buf + 7;
330 }
331 if (no_port)
332 snprintf(res, res_len, "%s", p);
333 else
334 snprintf(res, res_len, "%s:%d", p, port);
335 #else
336 #error "Pound needs inet_ntop()"
337 #endif
338 return;
339 }
340
341 /*
342 * Parse a URL, possibly decoding hexadecimal-encoded characters
343 */
344 int
345 cpURL(char *res, char *src, int len)
346 {
347 int state;
348 char *kp_res;
349
350 for(kp_res = res, state = 0; len > 0; len--)
351 switch(state) {
352 case 1:
353 if(*src >= '0' && *src <= '9') {
354 *res = *src++ - '0';
355 state = 2;
356 } else if(*src >= 'A' && *src <= 'F') {
357 *res = *src++ - 'A' + 10;
358 state = 2;
359 } else if(*src >= 'a' && *src <= 'f') {
360 *res = *src++ - 'a' + 10;
361 state = 2;
362 } else {
363 *res++ = '%';
364 *res++ = *src++;
365 state = 0;
366 }
367 break;
368 case 2:
369 if(*src >= '0' && *src <= '9') {
370 *res = *res * 16 + *src++ - '0';
371 res++;
372 state = 0;
373 } else if(*src >= 'A' && *src <= 'F') {
374 *res = *res * 16 + *src++ - 'A' + 10;
375 res++;
376 state = 0;
377 } else if(*src >= 'a' && *src <= 'f') {
378 *res = *res * 16 + *src++ - 'a' + 10;
379 res++;
380 state = 0;
381 } else {
382 *res++ = '%';
383 *res++ = *(src - 1);
384 *res++ = *src++;
385 state = 0;
386 }
387 break;
388 default:
389 if(*src != '%')
390 *res++ = *src++;
391 else {
392 src++;
393 state = 1;
394 }
395 break;
396 }
397 if(state > 0)
398 *res++ = '%';
399 if(state > 1)
400 *res++ = *(src - 1);
401 *res = '\0';
402 return res - kp_res;
403 }
404
405 /*
406 * Parse a header
407 * return a code and possibly content in the arg
408 */
409 int
410 check_header(const char *header, char *const content)
411 {
412 regmatch_t matches[4];
413 static struct {
414 char header[32];
415 int len;
416 int val;
417 } hd_types[] = {
418 { "Transfer-encoding", 17, HEADER_TRANSFER_ENCODING },
419 { "Content-length", 14, HEADER_CONTENT_LENGTH },
420 { "Connection", 10, HEADER_CONNECTION },
421 { "Location", 8, HEADER_LOCATION },
422 { "Content-location", 16, HEADER_CONTLOCATION },
423 { "Host", 4, HEADER_HOST },
424 { "Referer", 7, HEADER_REFERER },
425 { "User-agent", 10, HEADER_USER_AGENT },
426 { "Destination", 11, HEADER_DESTINATION },
427 { "Expect", 6, HEADER_EXPECT },
428 { "Upgrade", 7, HEADER_UPGRADE },
429 { "", 0, HEADER_OTHER },
430 };
431 int i;
432
433 if(!regexec(&HEADER, header, 4, matches, 0)) {
434 for(i = 0; hd_types[i].len > 0; i++)
435 if((matches[1].rm_eo - matches[1].rm_so) == hd_types[i].len
436 && strncasecmp(header + matches[1].rm_so, hd_types[i].header, hd_types[i].len) == 0) {
437 /* we know that the original header was read into a buffer of size MAXBUF, so no overflow */
438 strncpy(content, header + matches[2].rm_so, matches[2].rm_eo - matches[2].rm_so);
439 content[matches[2].rm_eo - matches[2].rm_so] = '\0';
440 return hd_types[i].val;
441 }
442 return HEADER_OTHER;
443 } else
444 return HEADER_ILLEGAL;
445 }
446
447 static int
448 match_service(const SERVICE *svc, const char *request, char **const headers)
449 {
450 MATCHER *m;
451 int i, found;
452
453 /* check for request */
454 for(m = svc->url; m; m = m->next)
455 if(regexec(&m->pat, request, 0, NULL, 0))
456 return 0;
457
458 /* check for required headers */
459 for(m = svc->req_head; m; m = m->next) {
460 for(found = i = 0; i < (MAXHEADERS - 1) && !found; i++)
461 if(headers[i] && !regexec(&m->pat, headers[i], 0, NULL, 0))
462 found = 1;
463 if(!found)
464 return 0;
465 }
466
467 /* check for forbidden headers */
468 for(m = svc->deny_head; m; m = m->next) {
469 for(found = i = 0; i < (MAXHEADERS - 1) && !found; i++)
470 if(headers[i] && !regexec(&m->pat, headers[i], 0, NULL, 0))
471 found = 1;
472 if(found)
473 return 0;
474 }
475
476 return 1;
477 }
478
479 /*
480 * Find the right service for a request
481 */
482 SERVICE *
483 get_service(const LISTENER *lstn, const char *request, char **const headers)
484 {
485 SERVICE *svc;
486
487 for(svc = lstn->services; svc; svc = svc->next) {
488 if(svc->disabled)
489 continue;
490 if(match_service(svc, request, headers))
491 return svc;
492 }
493
494 /* try global services */
495 for(svc = services; svc; svc = svc->next) {
496 if(svc->disabled)
497 continue;
498 if(match_service(svc, request, headers))
499 return svc;
500 }
501
502 /* nothing matched */
503 return NULL;
504 }
505
506 /*
507 * extract the session key for a given request
508 */
509 static int
510 get_REQUEST(char *res, const SERVICE *svc, const char *request)
511 {
512 int n, s;
513 regmatch_t matches[4];
514
515 if(regexec(&svc->sess_start, request, 4, matches, 0)) {
516 res[0] = '\0';
517 return 0;
518 }
519 s = matches[0].rm_eo;
520 if(regexec(&svc->sess_pat, request + s, 4, matches, 0)) {
521 res[0] = '\0';
522 return 0;
523 }
524 if((n = matches[1].rm_eo - matches[1].rm_so) > KEY_SIZE)
525 n = KEY_SIZE;
526 strncpy(res, request + s + matches[1].rm_so, n);
527 res[n] = '\0';
528 return 1;
529 }
530
531 static int
532 get_HEADERS(char *res, const SERVICE *svc, char **const headers)
533 {
534 int i, n, s;
535 regmatch_t matches[4];
536
537 /* this will match SESS_COOKIE, SESS_HEADER and SESS_BASIC */
538 res[0] = '\0';
539 for(i = 0; i < (MAXHEADERS - 1); i++) {
540 if(headers[i] == NULL)
541 continue;
542 if(regexec(&svc->sess_start, headers[i], 4, matches, 0))
543 continue;
544 s = matches[0].rm_eo;
545 if(regexec(&svc->sess_pat, headers[i] + s, 4, matches, 0))
546 continue;
547 if((n = matches[1].rm_eo - matches[1].rm_so) > KEY_SIZE)
548 n = KEY_SIZE;
549 strncpy(res, headers[i] + s + matches[1].rm_so, n);
550 res[n] = '\0';
551 }
552 return res[0] != '\0';
553 }
554
555 /*
556 * Pick a random back-end from a candidate list
557 */
558 static BACKEND *
559 rand_backend(BACKEND *be, int pri)
560 {
561 while(be) {
562 if(!be->alive || be->disabled) {
563 be = be->next;
564 continue;
565 }
566 if((pri -= be->priority) < 0)
567 break;
568 be = be->next;
569 }
570 return be;
571 }
572
573 /*
574 * return a back-end based on a fixed hash value
575 * this is used for session_ttl < 0
576 *
577 * WARNING: the function may return different back-ends
578 * if the target back-end is disabled or not alive
579 */
580 static BACKEND *
581 hash_backend(BACKEND *be, int abs_pri, char *key)
582 {
583 unsigned long hv;
584 BACKEND *res, *tb;
585 int pri;
586
587 hv = 2166136261;
588 while(*key)
589 hv = ((hv ^ *key++) * 16777619) & 0xFFFFFFFF;
590 pri = hv % abs_pri;
591 for(tb = be; tb; tb = tb->next)
592 if((pri -= tb->priority) < 0)
593 break;
594 if(!tb)
595 /* should NEVER happen */
596 return NULL;
597 for(res = tb; !res->alive || res->disabled; ) {
598 res = res->next;
599 if(res == NULL)
600 res = be;
601 if(res == tb)
602 /* NO back-end available */
603 return NULL;
604 }
605 return res;
606 }
607
608 /*
609 * Find the right back-end for a request
610 */
611 BACKEND *
612 get_backend(SERVICE *const svc, const struct addrinfo *from_host, const char *request, char **const headers)
613 {
614 BACKEND *res;
615 char key[KEY_SIZE + 1];
616 int ret_val, no_be;
617 void *vp;
618
619 if(ret_val = pthread_mutex_lock(&svc->mut))
620 logmsg(LOG_WARNING, "get_backend() lock: %s", strerror(ret_val));
621
622 no_be = (svc->tot_pri <= 0);
623
624 switch(svc->sess_type) {
625 case SESS_NONE:
626 /* choose one back-end randomly */
627 res = no_be? svc->emergency: rand_backend(svc->backends, random() % svc->tot_pri);
628 break;
629 case SESS_IP:
630 addr2str(key, KEY_SIZE, from_host, 1);
631 if(svc->sess_ttl < 0)
632 res = no_be? svc->emergency: hash_backend(svc->backends, svc->abs_pri, key);
633 else if((vp = t_find(svc->sessions, key)) == NULL) {
634 if(no_be)
635 res = svc->emergency;
636 else {
637 /* no session yet - create one */
638 res = rand_backend(svc->backends, random() % svc->tot_pri);
639 t_add(svc->sessions, key, &res, sizeof(res));
640 }
641 } else
642 memcpy(&res, vp, sizeof(res));
643 break;
644 case SESS_URL:
645 case SESS_PARM:
646 if(get_REQUEST(key, svc, request)) {
647 if(svc->sess_ttl < 0)
648 res = no_be? svc->emergency: hash_backend(svc->backends, svc->abs_pri, key);
649 else if((vp = t_find(svc->sessions, key)) == NULL) {
650 if(no_be)
651 res = svc->emergency;
652 else {
653 /* no session yet - create one */
654 res = rand_backend(svc->backends, random() % svc->tot_pri);
655 t_add(svc->sessions, key, &res, sizeof(res));
656 }
657 } else
658 memcpy(&res, vp, sizeof(res));
659 } else {
660 res = no_be? svc->emergency: rand_backend(svc->backends, random() % svc->tot_pri);
661 }
662 break;
663 default:
664 /* this works for SESS_BASIC, SESS_HEADER and SESS_COOKIE */
665 if(get_HEADERS(key, svc, headers)) {
666 if(svc->sess_ttl < 0)
667 res = no_be? svc->emergency: hash_backend(svc->backends, svc->abs_pri, key);
668 else if((vp = t_find(svc->sessions, key)) == NULL) {
669 if(no_be)
670 res = svc->emergency;
671 else {
672 /* no session yet - create one */
673 res = rand_backend(svc->backends, random() % svc->tot_pri);
674 t_add(svc->sessions, key, &res, sizeof(res));
675 }
676 } else
677 memcpy(&res, vp, sizeof(res));
678 } else {
679 res = no_be? svc->emergency: rand_backend(svc->backends, random() % svc->tot_pri);
680 }
681 break;
682 }
683 if(ret_val = pthread_mutex_unlock(&svc->mut))
684 logmsg(LOG_WARNING, "get_backend() unlock: %s", strerror(ret_val));
685
686 return res;
687 }
688
689 /*
690 * (for cookies/header only) possibly create session based on response headers
691 */
692 void
693 upd_session(SERVICE *const svc, char **const headers, BACKEND *const be)
694 {
695 char key[KEY_SIZE + 1];
696 int ret_val;
697
698 if(svc->sess_type != SESS_HEADER && svc->sess_type != SESS_COOKIE)
699 return;
700 if(ret_val = pthread_mutex_lock(&svc->mut))
701 logmsg(LOG_WARNING, "upd_session() lock: %s", strerror(ret_val));
702 if(get_HEADERS(key, svc, headers))
703 if(t_find(svc->sessions, key) == NULL)
704 t_add(svc->sessions, key, &be, sizeof(be));
705 if(ret_val = pthread_mutex_unlock(&svc->mut))
706 logmsg(LOG_WARNING, "upd_session() unlock: %s", strerror(ret_val));
707 return;
708 }
709
710 /*
711 * mark a backend host as dead/disabled; remove its sessions if necessary
712 * disable_only == 1: mark as disabled
713 * disable_only == 0: mark as dead, remove sessions
714 * disable_only == -1: mark as enabled
715 */
716 void
717 kill_be(SERVICE *const svc, const BACKEND *be, const int disable_mode)
718 {
719 BACKEND *b;
720 int ret_val;
721 char buf[MAXBUF];
722
723 if(ret_val = pthread_mutex_lock(&svc->mut))
724 logmsg(LOG_WARNING, "kill_be() lock: %s", strerror(ret_val));
725 svc->tot_pri = 0;
726 for(b = svc->backends; b; b = b->next) {
727 if(b == be)
728 switch(disable_mode) {
729 case BE_DISABLE:
730 b->disabled = 1;
731 str_be(buf, MAXBUF - 1, b);
732 logmsg(LOG_NOTICE, "(%lx) BackEnd %s disabled", pthread_self(), buf);
733 break;
734 case BE_KILL:
735 b->alive = 0;
736 str_be(buf, MAXBUF - 1, b);
737 logmsg(LOG_NOTICE, "(%lx) BackEnd %s dead (killed)", pthread_self(), buf);
738 t_clean(svc->sessions, &be, sizeof(be));
739 break;
740 case BE_ENABLE:
741 str_be(buf, MAXBUF - 1, b);
742 logmsg(LOG_NOTICE, "(%lx) BackEnd %s enabled", pthread_self(), buf);
743 b->disabled = 0;
744 break;
745 default:
746 logmsg(LOG_WARNING, "kill_be(): unknown mode %d", disable_mode);
747 break;
748 }
749 if(b->alive && !b->disabled)
750 svc->tot_pri += b->priority;
751 }
752 if(ret_val = pthread_mutex_unlock(&svc->mut))
753 logmsg(LOG_WARNING, "kill_be() unlock: %s", strerror(ret_val));
754 return;
755 }
756
757 /*
758 * Search for a host name, return the addrinfo for it
759 */
760 int
761 get_host(char *const name, struct addrinfo *res, int ai_family)
762 {
763 struct addrinfo *chain, *ap;
764 struct addrinfo hints;
765 int ret_val;
766
767 #ifdef HAVE_INET_NTOP
768 memset (&hints, 0, sizeof(hints));
769 hints.ai_family = ai_family;
770 hints.ai_socktype = SOCK_STREAM;
771 hints.ai_flags = AI_CANONNAME;
772 if((ret_val = getaddrinfo(name, NULL, &hints, &chain)) == 0) {
773 #ifdef _AIX
774 ap = chain;
775 #else
776 for(ap = chain; ap != NULL; ap = ap->ai_next)
777 if(ap->ai_socktype == SOCK_STREAM)
778 break;
779 #endif
780 if(ap == NULL) {
781 freeaddrinfo(chain);
782 return EAI_NONAME;
783 }
784 *res = *ap;
785 if((res->ai_addr = (struct sockaddr *)malloc(ap->ai_addrlen)) == NULL) {
786 freeaddrinfo(chain);
787 return EAI_MEMORY;
788 }
789 memcpy(res->ai_addr, ap->ai_addr, ap->ai_addrlen);
790 freeaddrinfo(chain);
791 }
792 #else
793 #error "Pound requires getaddrinfo()"
794 #endif
795 return ret_val;
796 }
797
798 /*
799 * Find if a redirect needs rewriting
800 * In general we have two possibilities that require it:
801 * (1) if the redirect was done to the correct location with the wrong port
802 * (2) if the redirect was done to the back-end rather than the listener
803 */
804 int
805 need_rewrite(const int rewr_loc, char *const location, char *const path, const char *v_host, const LISTENER *lstn, const BACKEND *be)
806 {
807 struct addrinfo addr;
808 struct sockaddr_in in_addr, be_addr;
809 struct sockaddr_in6 in6_addr, be6_addr;
810 regmatch_t matches[4];
811 char *proto, *host, *port, *cp, buf[MAXBUF];
812
813 /* check if rewriting is required at all */
814 if(rewr_loc == 0)
815 return 0;
816
817 /* applies only to INET/INET6 back-ends */
818 if(be->addr.ai_family != AF_INET && be->addr.ai_family != AF_INET6)
819 return 0;
820
821 /* split the location into its fields */
822 if(regexec(&LOCATION, location, 4, matches, 0))
823 return 0;
824 proto = location + matches[1].rm_so;
825 host = location + matches[2].rm_so;
826 if(location[matches[3].rm_so] == '/')
827 matches[3].rm_so++;
828 /* path is guaranteed to be large enough */
829 strcpy(path, location + matches[3].rm_so);
830 location[matches[1].rm_eo] = location[matches[2].rm_eo] = '\0';
831 if((port = strchr(host, ':')) != NULL)
832 *port++ = '\0';
833
834 /*
835 * Check if the location has the same address as the listener or the back-end
836 */
837 memset(&addr, 0, sizeof(addr));
838 if(get_host(host, &addr, be->addr.ai_family))
839 return 0;
840
841 /*
842 * compare the back-end
843 */
844 if(addr.ai_family != be->addr.ai_family) {
845 free(addr.ai_addr);
846 return 0;
847 }
848 if(addr.ai_family == AF_INET) {
849 memcpy(&in_addr, addr.ai_addr, sizeof(in_addr));
850 memcpy(&be_addr, be->addr.ai_addr, sizeof(be_addr));
851 if(port)
852 in_addr.sin_port = (in_port_t)htons(atoi(port));
853 else if(!strcasecmp(proto, "https"))
854 in_addr.sin_port = (in_port_t)htons(443);
855 else
856 in_addr.sin_port = (in_port_t)htons(80);
857 /*
858 * check if the Location points to the back-end
859 */
860 if(memcmp(&be_addr.sin_addr.s_addr, &in_addr.sin_addr.s_addr, sizeof(in_addr.sin_addr.s_addr)) == 0
861 && memcmp(&be_addr.sin_port, &in_addr.sin_port, sizeof(in_addr.sin_port)) == 0) {
862 free(addr.ai_addr);
863 return 1;
864 }
865 } else /* AF_INET6 */ {
866 memcpy(&in6_addr, addr.ai_addr, sizeof(in6_addr));
867 memcpy(&be6_addr, be->addr.ai_addr, sizeof(be6_addr));
868 if(port)
869 in6_addr.sin6_port = (in_port_t)htons(atoi(port));
870 else if(!strcasecmp(proto, "https"))
871 in6_addr.sin6_port = (in_port_t)htons(443);
872 else
873 in6_addr.sin6_port = (in_port_t)htons(80);
874 /*
875 * check if the Location points to the back-end
876 */
877 if(memcmp(&be6_addr.sin6_addr.s6_addr, &in6_addr.sin6_addr.s6_addr, sizeof(in6_addr.sin6_addr.s6_addr)) == 0
878 && memcmp(&be6_addr.sin6_port, &in6_addr.sin6_port, sizeof(in6_addr.sin6_port)) == 0) {
879 free(addr.ai_addr);
880 return 1;
881 }
882 }
883
884 /*
885 * compare the listener
886 */
887 if(rewr_loc != 1 || addr.ai_family != lstn->addr.ai_family) {
888 free(addr.ai_addr);
889 return 0;
890 }
891 memset(buf, '\0', MAXBUF);
892 strncpy(buf, v_host, MAXBUF - 1);
893 if((cp = strchr(buf, ':')) != NULL)
894 *cp = '\0';
895 if(addr.ai_family == AF_INET) {
896 memcpy(&be_addr, lstn->addr.ai_addr, sizeof(be_addr));
897 /*
898 * check if the Location points to the Listener but with the wrong port or protocol
899 */
900 if((memcmp(&be_addr.sin_addr.s_addr, &in_addr.sin_addr.s_addr, sizeof(in_addr.sin_addr.s_addr)) == 0
901 || strcasecmp(host, buf) == 0)
902 && (memcmp(&be_addr.sin_port, &in_addr.sin_port, sizeof(in_addr.sin_port)) != 0
903 || strcasecmp(proto, lstn->ctx? "http": "https"))) {
904 free(addr.ai_addr);
905 return 1;
906 }
907 } else {
908 memcpy(&be6_addr, lstn->addr.ai_addr, sizeof(be6_addr));
909 /*
910 * check if the Location points to the Listener but with the wrong port or protocol
911 */
912 if((memcmp(&be6_addr.sin6_addr.s6_addr, &in6_addr.sin6_addr.s6_addr, sizeof(in6_addr.sin6_addr.s6_addr)) == 0
913 || strcasecmp(host, buf) == 0)
914 && (memcmp(&be6_addr.sin6_port, &in6_addr.sin6_port, sizeof(in6_addr.sin6_port)) != 0
915 || strcasecmp(proto, lstn->ctx? "http": "https"))) {
916 free(addr.ai_addr);
917 return 1;
918 }
919 }
920
921 free(addr.ai_addr);
922 return 0;
923 }
924
925 /*
926 * Non-blocking connect(). Does the same as connect(2) but ensures
927 * it will time-out after a much shorter time period SERVER_TO
928 */
929 int
930 connect_nb(const int sockfd, const struct addrinfo *serv_addr, const int to)
931 {
932 int flags, res, error;
933 socklen_t len;
934 struct pollfd p;
935
936 if((flags = fcntl(sockfd, F_GETFL, 0)) < 0) {
937 logmsg(LOG_WARNING, "(%lx) connect_nb: fcntl GETFL failed: %s", pthread_self(), strerror(errno));
938 return -1;
939 }
940 if(fcntl(sockfd, F_SETFL, flags | O_NONBLOCK) < 0) {
941 logmsg(LOG_WARNING, "(%lx) connect_nb: fcntl SETFL failed: %s", pthread_self(), strerror(errno));
942 return -1;
943 }
944
945 error = 0;
946 if((res = connect(sockfd, serv_addr->ai_addr, serv_addr->ai_addrlen)) < 0)
947 if(errno != EINPROGRESS) {
948 logmsg(LOG_WARNING, "(%lx) connect_nb: connect failed: %s", pthread_self(), strerror(errno));
949 return (-1);
950 }
951
952 if(res == 0) {
953 /* connect completed immediately (usually localhost) */
954 if(fcntl(sockfd, F_SETFL, flags) < 0) {
955 logmsg(LOG_WARNING, "(%lx) connect_nb: fcntl reSETFL failed: %s", pthread_self(), strerror(errno));
956 return -1;
957 }
958 return 0;
959 }
960
961 memset(&p, 0, sizeof(p));
962 p.fd = sockfd;
963 p.events = POLLOUT;
964 if((res = poll(&p, 1, to * 1000)) != 1) {
965 if(res == 0) {
966 /* timeout */
967 logmsg(LOG_WARNING, "(%lx) connect_nb: poll timed out", pthread_self());
968 errno = ETIMEDOUT;
969 } else
970 logmsg(LOG_WARNING, "(%lx) connect_nb: poll failed: %s", pthread_self(), strerror(errno));
971 return -1;
972 }
973
974 /* socket is writeable == operation completed */
975 len = sizeof(error);
976 if(getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
977 logmsg(LOG_WARNING, "(%lx) connect_nb: getsockopt failed: %s", pthread_self(), strerror(errno));
978 return -1;
979 }
980
981 /* restore file status flags */
982 if(fcntl(sockfd, F_SETFL, flags) < 0) {
983 logmsg(LOG_WARNING, "(%lx) connect_nb: fcntl reSETFL failed: %s", pthread_self(), strerror(errno));
984 return -1;
985 }
986
987 if(error) {
988 /* getsockopt() shows an error */
989 errno = error;
990 logmsg(LOG_WARNING, "(%lx) connect_nb: error after getsockopt: %s", pthread_self(), strerror(errno));
991 return -1;
992 }
993
994 /* really connected */
995 return 0;
996 }
997
998 /*
999 * Check if dead hosts returned to life;
1000 * runs every alive seconds
1001 */
1002 static void
1003 do_resurect(void)
1004 {
1005 LISTENER *lstn;
1006 SERVICE *svc;
1007 BACKEND *be;
1008 struct addrinfo z_addr, *addr;
1009 int sock, modified;
1010 char buf[MAXBUF];
1011 int ret_val;
1012
1013 /* check hosts still alive - HAport */
1014 memset(&z_addr, 0, sizeof(z_addr));
1015 for(lstn = listeners; lstn; lstn = lstn->next)
1016 for(svc = lstn->services; svc; svc = svc->next)
1017 for(be = svc->backends; be; be = be->next) {
1018 if(be->be_type)
1019 continue;
1020 if(!be->alive)
1021 /* already dead */
1022 continue;
1023 if(memcmp(&(be->ha_addr), &z_addr, sizeof(z_addr)) == 0)
1024 /* no HA port */
1025 continue;
1026 /* try connecting */
1027 switch(be->ha_addr.ai_family) {
1028 case AF_INET:
1029 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1030 continue;
1031 break;
1032 case AF_INET6:
1033 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1034 continue;
1035 break;
1036 case AF_UNIX:
1037 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1038 continue;
1039 break;
1040 default:
1041 continue;
1042 }
1043 if(connect_nb(sock, &be->ha_addr, be->conn_to) != 0) {
1044 kill_be(svc, be, BE_KILL);
1045 str_be(buf, MAXBUF - 1, be);
1046 logmsg(LOG_NOTICE, "BackEnd %s is dead (HA)", buf);
1047 }
1048 shutdown(sock, 2);
1049 close(sock);
1050 }
1051
1052 for(svc = services; svc; svc = svc->next)
1053 for(be = svc->backends; be; be = be->next) {
1054 if(be->be_type)
1055 continue;
1056 if(!be->alive)
1057 /* already dead */
1058 continue;
1059 if(memcmp(&(be->ha_addr), &z_addr, sizeof(z_addr)) == 0)
1060 /* no HA port */
1061 continue;
1062 /* try connecting */
1063 switch(be->ha_addr.ai_family) {
1064 case AF_INET:
1065 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1066 continue;
1067 break;
1068 case AF_INET6:
1069 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1070 continue;
1071 break;
1072 case AF_UNIX:
1073 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1074 continue;
1075 break;
1076 default:
1077 continue;
1078 }
1079 if(connect_nb(sock, &be->ha_addr, be->conn_to) != 0) {
1080 kill_be(svc, be, BE_KILL);
1081 str_be(buf, MAXBUF - 1, be);
1082 logmsg(LOG_NOTICE, "BackEnd %s is dead (HA)", buf);
1083 }
1084 shutdown(sock, 2);
1085 close(sock);
1086 }
1087
1088 /* check hosts alive again */
1089 for(lstn = listeners; lstn; lstn = lstn->next)
1090 for(svc = lstn->services; svc; svc = svc->next) {
1091 for(modified = 0, be = svc->backends; be; be = be->next) {
1092 be->resurrect = 0;
1093 if(be->be_type)
1094 continue;
1095 if(be->alive)
1096 continue;
1097 if(memcmp(&(be->ha_addr), &z_addr, sizeof(z_addr)) == 0) {
1098 switch(be->addr.ai_family) {
1099 case AF_INET:
1100 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1101 continue;
1102 break;
1103 case AF_INET6:
1104 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1105 continue;
1106 break;
1107 case AF_UNIX:
1108 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1109 continue;
1110 break;
1111 default:
1112 continue;
1113 }
1114 addr = &be->addr;
1115 } else {
1116 switch(be->ha_addr.ai_family) {
1117 case AF_INET:
1118 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1119 continue;
1120 break;
1121 case AF_INET6:
1122 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1123 continue;
1124 break;
1125 case AF_UNIX:
1126 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1127 continue;
1128 break;
1129 default:
1130 continue;
1131 }
1132 addr = &be->ha_addr;
1133 }
1134 if(connect_nb(sock, addr, be->conn_to) == 0) {
1135 be->resurrect = 1;
1136 modified = 1;
1137 }
1138 shutdown(sock, 2);
1139 close(sock);
1140 }
1141 if(modified) {
1142 if(ret_val = pthread_mutex_lock(&svc->mut))
1143 logmsg(LOG_WARNING, "do_resurect() lock: %s", strerror(ret_val));
1144 svc->tot_pri = 0;
1145 for(be = svc->backends; be; be = be->next) {
1146 if(be->resurrect) {
1147 be->alive = 1;
1148 str_be(buf, MAXBUF - 1, be);
1149 logmsg(LOG_NOTICE, "BackEnd %s resurrect", buf);
1150 }
1151 if(be->alive && !be->disabled)
1152 svc->tot_pri += be->priority;
1153 }
1154 if(ret_val = pthread_mutex_unlock(&svc->mut))
1155 logmsg(LOG_WARNING, "do_resurect() unlock: %s", strerror(ret_val));
1156 }
1157 }
1158
1159 for(svc = services; svc; svc = svc->next) {
1160 for(modified = 0, be = svc->backends; be; be = be->next) {
1161 be->resurrect = 0;
1162 if(be->be_type)
1163 continue;
1164 if(be->alive)
1165 continue;
1166 if(memcmp(&(be->ha_addr), &z_addr, sizeof(z_addr)) == 0) {
1167 switch(be->addr.ai_family) {
1168 case AF_INET:
1169 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1170 continue;
1171 break;
1172 case AF_INET6:
1173 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1174 continue;
1175 break;
1176 case AF_UNIX:
1177 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1178 continue;
1179 break;
1180 default:
1181 continue;
1182 }
1183 addr = &be->addr;
1184 } else {
1185 switch(be->ha_addr.ai_family) {
1186 case AF_INET:
1187 if((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
1188 continue;
1189 break;
1190 case AF_INET6:
1191 if((sock = socket(PF_INET6, SOCK_STREAM, 0)) < 0)
1192 continue;
1193 break;
1194 case AF_UNIX:
1195 if((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1196 continue;
1197 break;
1198 default:
1199 continue;
1200 }
1201 addr = &be->ha_addr;
1202 }
1203 if(connect_nb(sock, addr, be->conn_to) == 0) {
1204 be->resurrect = 1;
1205 modified = 1;
1206 }
1207 shutdown(sock, 2);
1208 close(sock);
1209 }
1210 if(modified) {
1211 if(ret_val = pthread_mutex_lock(&svc->mut))
1212 logmsg(LOG_WARNING, "do_resurect() lock: %s", strerror(ret_val));
1213 svc->tot_pri = 0;
1214 for(be = svc->backends; be; be = be->next) {
1215 if(be->resurrect) {
1216 be->alive = 1;
1217 str_be(buf, MAXBUF - 1, be);
1218 logmsg(LOG_NOTICE, "BackEnd %s resurrect", buf);
1219 }
1220 if(be->alive && !be->disabled)
1221 svc->tot_pri += be->priority;
1222 }
1223 if(ret_val = pthread_mutex_unlock(&svc->mut))
1224 logmsg(LOG_WARNING, "do_resurect() unlock: %s", strerror(ret_val));
1225 }
1226 }
1227
1228 return;
1229 }
1230
1231 /*
1232 * Remove expired sessions
1233 * runs every EXPIRE_TO seconds
1234 */
1235 static void
1236 do_expire(void)
1237 {
1238 LISTENER *lstn;
1239 SERVICE *svc;
1240 time_t cur_time;
1241 int ret_val;
1242
1243 /* remove stale sessions */
1244 cur_time = time(NULL);
1245
1246 for(lstn = listeners; lstn; lstn = lstn->next)
1247 for(svc = lstn->services; svc; svc = svc->next)
1248 if(svc->sess_type != SESS_NONE) {
1249 if(ret_val = pthread_mutex_lock(&svc->mut)) {
1250 logmsg(LOG_WARNING, "do_expire() lock: %s", strerror(ret_val));
1251 continue;
1252 }
1253 t_expire(svc->sessions, cur_time - svc->sess_ttl);
1254 if(ret_val = pthread_mutex_unlock(&svc->mut))
1255 logmsg(LOG_WARNING, "do_expire() unlock: %s", strerror(ret_val));
1256 }
1257
1258 for(svc = services; svc; svc = svc->next)
1259 if(svc->sess_type != SESS_NONE) {
1260 if(ret_val = pthread_mutex_lock(&svc->mut)) {
1261 logmsg(LOG_WARNING, "do_expire() lock: %s", strerror(ret_val));
1262 continue;
1263 }
1264 t_expire(svc->sessions, cur_time - svc->sess_ttl);
1265 if(ret_val = pthread_mutex_unlock(&svc->mut))
1266 logmsg(LOG_WARNING, "do_expire() unlock: %s", strerror(ret_val));
1267 }
1268
1269 return;
1270 }
1271
1272 static pthread_mutex_t RSA_mut; /* mutex for RSA keygen */
1273 static RSA *RSA512_keys[N_RSA_KEYS]; /* ephemeral RSA keys */
1274 static RSA *RSA1024_keys[N_RSA_KEYS]; /* ephemeral RSA keys */
1275
1276 /*
1277 * return a pre-generated RSA key
1278 */
1279 RSA *
1280 RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylength)
1281 {
1282 RSA *res;
1283 int ret_val;
1284
1285 if(ret_val = pthread_mutex_lock(&RSA_mut))
1286 logmsg(LOG_WARNING, "RSA_tmp_callback() lock: %s", strerror(ret_val));
1287 res = (keylength <= 512)? RSA512_keys[rand() % N_RSA_KEYS]: RSA1024_keys[rand() % N_RSA_KEYS];
1288 if(ret_val = pthread_mutex_unlock(&RSA_mut))
1289 logmsg(LOG_WARNING, "RSA_tmp_callback() unlock: %s", strerror(ret_val));
1290 return res;
1291 }
1292
1293 static int
1294 generate_key(RSA **ret_rsa, unsigned long bits)
1295 {
1296 #if OPENSSL_VERSION_NUMBER > 0x00908000L
1297 int rc = 0;
1298 RSA *rsa;
1299
1300 rsa = RSA_new();
1301 if (rsa) {
1302 BIGNUM *bne = BN_new();
1303 if (BN_set_word(bne, RSA_F4))
1304 rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
1305 BN_free(bne);
1306 if (rc)
1307 *ret_rsa = rsa;
1308 else
1309 RSA_free(rsa);
1310 }
1311 return rc;
1312 #else
1313 *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
1314 return *ret_rsa != NULL;
1315 #endif
1316 }
1317
1318 /*
1319 * Periodically regenerate ephemeral RSA keys
1320 * runs every T_RSA_KEYS seconds
1321 */
1322 static void
1323 do_RSAgen(void)
1324 {
1325 int n, ret_val;
1326 RSA *t_RSA512_keys[N_RSA_KEYS];
1327 RSA *t_RSA1024_keys[N_RSA_KEYS];
1328
1329 for(n = 0; n < N_RSA_KEYS; n++) {
1330 /* FIXME: Error handling */
1331 generate_key(&t_RSA512_keys[n], 512);
1332 generate_key(&t_RSA1024_keys[n], 1024);
1333 }
1334 if(ret_val = pthread_mutex_lock(&RSA_mut))
1335 logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
1336 for(n = 0; n < N_RSA_KEYS; n++) {
1337 RSA_free(RSA512_keys[n]);
1338 RSA512_keys[n] = t_RSA512_keys[n];
1339 RSA_free(RSA1024_keys[n]);
1340 RSA1024_keys[n] = t_RSA1024_keys[n];
1341 }
1342 if(ret_val = pthread_mutex_unlock(&RSA_mut))
1343 logmsg(LOG_WARNING, "thr_RSAgen() unlock: %s", strerror(ret_val));
1344 return;
1345 }
1346
1347 #if OPENSSL_VERSION_NUMBER < 0x10100000
1348 static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
1349 {
1350 /* If the fields p and g in d are NULL, the corresponding input
1351 * parameters MUST be non-NULL. q may remain NULL.
1352 */
1353 if ((dh->p == NULL && p == NULL)
1354 || (dh->g == NULL && g == NULL))
1355 return 0;
1356
1357 if (p != NULL) {
1358 BN_free(dh->p);
1359 dh->p = p;
1360 }
1361 if (q != NULL) {
1362 BN_free(dh->q);
1363 dh->q = q;
1364 }
1365 if (g != NULL) {
1366 BN_free(dh->g);
1367 dh->g = g;
1368 }
1369
1370 if (q != NULL) {
1371 dh->length = BN_num_bits(q);
1372 }
1373
1374 return 1;
1375 }
1376 #endif
1377
1378 #include "dh512.h"
1379
1380 #if DH_LEN == 1024
1381 #include "dh1024.h"
1382 static DH *DH512_params, *DH1024_params;
1383
1384 DH *
1385 DH_tmp_callback(/* not used */SSL *s, /* not used */int is_export, int keylength)
1386 {
1387 return keylength == 512? DH512_params: DH1024_params;
1388 }
1389 #else
1390 #include "dh2048.h"
1391 static DH *DH512_params, *DH2048_params;
1392
1393 DH *
1394 DH_tmp_callback(/* not used */SSL *s, /* not used */int is_export, int keylength)
1395 {
1396 return keylength == 512? DH512_params: DH2048_params;
1397 }
1398 #endif
1399
1400 static time_t last_RSA, last_alive, last_expire;
1401
1402 /*
1403 * initialise the timer functions:
1404 * - RSA_mut and keys
1405 */
1406 void
1407 init_timer(void)
1408 {
1409 int n;
1410
1411 last_RSA = last_alive = last_expire = time(NULL);
1412
1413 /*
1414 * Pre-generate ephemeral RSA keys
1415 */
1416 for(n = 0; n < N_RSA_KEYS; n++) {
1417 if(!generate_key(&RSA512_keys[n], 512)) {
1418 logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
1419 return;
1420 }
1421 if(!generate_key(&RSA1024_keys[n], 1024)) {
1422 logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
1423 return;
1424 }
1425 }
1426 /* pthread_mutex_init() always returns 0 */
1427 pthread_mutex_init(&RSA_mut, NULL);
1428
1429 DH512_params = get_dh512();
1430 #if DH_LEN == 1024
1431 DH1024_params = get_dh1024();
1432 #else
1433 DH2048_params = get_dh2048();
1434 #endif
1435
1436 return;
1437 }
1438
1439 /*
1440 * run timed functions:
1441 * - RSAgen every T_RSA_KEYS seconds
1442 * - resurect every alive_to seconds
1443 * - expire every EXPIRE_TO seconds
1444 */
1445 void *
1446 thr_timer(void *arg)
1447 {
1448 time_t last_time, cur_time;
1449 int n_wait, n_remain;
1450
1451 n_wait = EXPIRE_TO;
1452 if(n_wait > alive_to)
1453 n_wait = alive_to;
1454 if(n_wait > T_RSA_KEYS)
1455 n_wait = T_RSA_KEYS;
1456 for(last_time = time(NULL) - n_wait;;) {
1457 cur_time = time(NULL);
1458 if((n_remain = n_wait - (cur_time - last_time)) > 0)
1459 sleep(n_remain);
1460 last_time = time(NULL);
1461 if((last_time - last_RSA) >= T_RSA_KEYS) {
1462 last_RSA = time(NULL);
1463 do_RSAgen();
1464 }
1465 if((last_time - last_alive) >= alive_to) {
1466 last_alive = time(NULL);
1467 do_resurect();
1468 }
1469 if((last_time - last_expire) >= EXPIRE_TO) {
1470 last_expire = time(NULL);
1471 do_expire();
1472 }
1473 }
1474 }
1475
1476 typedef struct {
1477 int control_sock;
1478 BACKEND *backends;
1479 } DUMP_ARG;
1480
1481 static void
1482 t_dump_doall_arg(TABNODE *t, DUMP_ARG *arg)
1483 {
1484 BACKEND *be, *bep;
1485 int n_be, sz;
1486
1487 memcpy(&bep, t->content, sizeof(bep));
1488 for(n_be = 0, be = arg->backends; be; be = be->next, n_be++)
1489 if(be == bep)
1490 break;
1491 if(!be)
1492 /* should NEVER happen */
1493 n_be = 0;
1494 (void)write(arg->control_sock, t, sizeof(TABNODE));
1495 (void)write(arg->control_sock, &n_be, sizeof(n_be));
1496 sz = strlen(t->key);
1497 (void)write(arg->control_sock, &sz, sizeof(sz));
1498 (void)write(arg->control_sock, t->key, sz);
1499 return;
1500 }
1501 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
1502 IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
1503 #else
1504 #define t_dump t_dump_doall_arg
1505 IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
1506 #endif
1507
1508 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1509 IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
1510 #endif
1511
1512 /*
1513 * write sessions to the control socket
1514 */
1515 static void
1516 dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const backends)
1517 {
1518 DUMP_ARG a;
1519
1520 a.control_sock = control_sock;
1521 a.backends = backends;
1522 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1523 lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
1524 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
1525 LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
1526 #else
1527 lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
1528 #endif
1529 return;
1530 }
1531
1532 /*
1533 * given a command, select a listener
1534 */
1535 static LISTENER *
1536 sel_lstn(const CTRL_CMD *cmd)
1537 {
1538 LISTENER *lstn;
1539 int i;
1540
1541 if(cmd->listener < 0)
1542 return NULL;
1543 for(i = 0, lstn = listeners; lstn && i < cmd->listener; i++, lstn = lstn->next)
1544 ;
1545 return lstn;
1546 }
1547
1548 /*
1549 * given a command, select a service
1550 */
1551 static SERVICE *
1552 sel_svc(const CTRL_CMD *cmd)
1553 {
1554 SERVICE *svc;
1555 LISTENER *lstn;
1556 int i;
1557
1558 if(cmd->listener < 0) {
1559 svc = services;
1560 } else {
1561 if((lstn = sel_lstn(cmd)) == NULL)
1562 return NULL;
1563 svc = lstn->services;
1564 }
1565 for(i = 0; svc && i < cmd->service; i++, svc = svc->next)
1566 ;
1567 return svc;
1568 }
1569
1570 /*
1571 * given a command, select a back-end
1572 */
1573 static BACKEND *
1574 sel_be(const CTRL_CMD *cmd)
1575 {
1576 BACKEND *be;
1577 SERVICE *svc;
1578 int i;
1579
1580 if((svc = sel_svc(cmd)) == NULL)
1581 return NULL;
1582 for(i = 0, be = svc->backends; be && i < cmd->backend; i++, be = be->next)
1583 ;
1584 return be;
1585 }
1586
1587 /*
1588 * The controlling thread
1589 * listens to client requests and calls the appropriate functions
1590 */
1591 void *
1592 thr_control(void *arg)
1593 {
1594 CTRL_CMD cmd;
1595 struct sockaddr sa;
1596 int ctl, dummy, n, ret_val;
1597 LISTENER *lstn, dummy_lstn;
1598 SERVICE *svc, dummy_svc;
1599 BACKEND *be, dummy_be;
1600 TABNODE dummy_sess;
1601 struct pollfd polls;
1602
1603 /* just to be safe */
1604 if(control_sock < 0)
1605 return NULL;
1606 memset(&dummy_lstn, 0, sizeof(dummy_lstn));
1607 dummy_lstn.disabled = -1;
1608 memset(&dummy_svc, 0, sizeof(dummy_svc));
1609 dummy_svc.disabled = -1;
1610 memset(&dummy_be, 0, sizeof(dummy_be));
1611 dummy_be.disabled = -1;
1612 memset(&dummy_sess, 0, sizeof(dummy_sess));
1613 dummy_sess.content = NULL;
1614 dummy = sizeof(sa);
1615 for(;;) {
1616 polls.fd = control_sock;
1617 polls.events = POLLIN | POLLPRI;
1618 polls.revents = 0;
1619 if(poll(&polls, 1, -1) < 0) {
1620 logmsg(LOG_WARNING, "thr_control() poll: %s", strerror(errno));
1621 continue;
1622 }
1623 if((ctl = accept(control_sock, &sa, (socklen_t *)&dummy)) < 0) {
1624 logmsg(LOG_WARNING, "thr_control() accept: %s", strerror(errno));
1625 continue;
1626 }
1627 if(read(ctl, &cmd, sizeof(cmd)) != sizeof(cmd)) {
1628 logmsg(LOG_WARNING, "thr_control() read: %s", strerror(errno));
1629 continue;
1630 }
1631 switch(cmd.cmd) {
1632 case CTRL_LST:
1633 /* logmsg(LOG_INFO, "thr_control() list"); */
1634 n = get_thr_qlen();
1635 (void)write(ctl, (void *)&n, sizeof(n));
1636 for(lstn = listeners; lstn; lstn = lstn->next) {
1637 (void)write(ctl, (void *)lstn, sizeof(LISTENER));
1638 (void)write(ctl, lstn->addr.ai_addr, lstn->addr.ai_addrlen);
1639 for(svc = lstn->services; svc; svc = svc->next) {
1640 (void)write(ctl, (void *)svc, sizeof(SERVICE));
1641 for(be = svc->backends; be; be = be->next) {
1642 (void)write(ctl, (void *)be, sizeof(BACKEND));
1643 (void)write(ctl, be->addr.ai_addr, be->addr.ai_addrlen);
1644 if(be->ha_addr.ai_addrlen > 0)
1645 (void)write(ctl, be->ha_addr.ai_addr, be->ha_addr.ai_addrlen);
1646 }
1647 (void)write(ctl, (void *)&dummy_be, sizeof(BACKEND));
1648 if(dummy = pthread_mutex_lock(&svc->mut))
1649 logmsg(LOG_WARNING, "thr_control() lock: %s", strerror(dummy));
1650 else {
1651 dump_sess(ctl, svc->sessions, svc->backends);
1652 if(dummy = pthread_mutex_unlock(&svc->mut))
1653 logmsg(LOG_WARNING, "thr_control() unlock: %s", strerror(dummy));
1654 }
1655 (void)write(ctl, (void *)&dummy_sess, sizeof(TABNODE));
1656 }
1657 (void)write(ctl, (void *)&dummy_svc, sizeof(SERVICE));
1658 }
1659 (void)write(ctl, (void *)&dummy_lstn, sizeof(LISTENER));
1660 for(svc = services; svc; svc = svc->next) {
1661 (void)write(ctl, (void *)svc, sizeof(SERVICE));
1662 for(be = svc->backends; be; be = be->next) {
1663 (void)write(ctl, (void *)be, sizeof(BACKEND));
1664 (void)write(ctl, be->addr.ai_addr, be->addr.ai_addrlen);
1665 if(be->ha_addr.ai_addrlen > 0)
1666 (void)write(ctl, be->ha_addr.ai_addr, be->ha_addr.ai_addrlen);
1667 }
1668 (void)write(ctl, (void *)&dummy_be, sizeof(BACKEND));
1669 if(dummy = pthread_mutex_lock(&svc->mut))
1670 logmsg(LOG_WARNING, "thr_control() lock: %s", strerror(dummy));
1671 else {
1672 dump_sess(ctl, svc->sessions, svc->backends);
1673 if(dummy = pthread_mutex_unlock(&svc->mut))
1674 logmsg(LOG_WARNING, "thr_control() unlock: %s", strerror(dummy));
1675 }
1676 (void)write(ctl, (void *)&dummy_sess, sizeof(TABNODE));
1677 }
1678 (void)write(ctl, (void *)&dummy_svc, sizeof(SERVICE));
1679 break;
1680 case CTRL_EN_LSTN:
1681 if((lstn = sel_lstn(&cmd)) == NULL)
1682 logmsg(LOG_INFO, "thr_control() bad listener %d", cmd.listener);
1683 else
1684 lstn->disabled = 0;
1685 break;
1686 case CTRL_DE_LSTN:
1687 if((lstn = sel_lstn(&cmd)) == NULL)
1688 logmsg(LOG_INFO, "thr_control() bad listener %d", cmd.listener);
1689 else
1690 lstn->disabled = 1;
1691 break;
1692 case CTRL_EN_SVC:
1693 if((svc = sel_svc(&cmd)) == NULL)
1694 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1695 else
1696 svc->disabled = 0;
1697 break;
1698 case CTRL_DE_SVC:
1699 if((svc = sel_svc(&cmd)) == NULL)
1700 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1701 else
1702 svc->disabled = 1;
1703 break;
1704 case CTRL_EN_BE:
1705 if((svc = sel_svc(&cmd)) == NULL) {
1706 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1707 break;
1708 }
1709 if((be = sel_be(&cmd)) == NULL)
1710 logmsg(LOG_INFO, "thr_control() bad backend %d/%d/%d", cmd.listener, cmd.service, cmd.backend);
1711 else
1712 kill_be(svc, be, BE_ENABLE);
1713 break;
1714 case CTRL_DE_BE:
1715 if((svc = sel_svc(&cmd)) == NULL) {
1716 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1717 break;
1718 }
1719 if((be = sel_be(&cmd)) == NULL)
1720 logmsg(LOG_INFO, "thr_control() bad backend %d/%d/%d", cmd.listener, cmd.service, cmd.backend);
1721 else
1722 kill_be(svc, be, BE_DISABLE);
1723 break;
1724 case CTRL_ADD_SESS:
1725 if((svc = sel_svc(&cmd)) == NULL) {
1726 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1727 break;
1728 }
1729 if((be = sel_be(&cmd)) == NULL) {
1730 logmsg(LOG_INFO, "thr_control() bad back-end %d/%d", cmd.listener, cmd.service);
1731 break;
1732 }
1733 if(ret_val = pthread_mutex_lock(&svc->mut))
1734 logmsg(LOG_WARNING, "thr_control() add session lock: %s", strerror(ret_val));
1735 t_add(svc->sessions, cmd.key, &be, sizeof(be));
1736 if(ret_val = pthread_mutex_unlock(&svc->mut))
1737 logmsg(LOG_WARNING, "thoriginalfiler_control() add session unlock: %s", strerror(ret_val));
1738 break;
1739 case CTRL_DEL_SESS:
1740 if((svc = sel_svc(&cmd)) == NULL) {
1741 logmsg(LOG_INFO, "thr_control() bad service %d/%d", cmd.listener, cmd.service);
1742 break;
1743 }
1744 if(ret_val = pthread_mutex_lock(&svc->mut))
1745 logmsg(LOG_WARNING, "thr_control() del session lock: %s", strerror(ret_val));
1746 t_remove(svc->sessions, cmd.key);
1747 if(ret_val = pthread_mutex_unlock(&svc->mut))
1748 logmsg(LOG_WARNING, "thr_control() del session unlock: %s", strerror(ret_val));
1749 break;
1750 default:
1751 logmsg(LOG_WARNING, "thr_control() unknown command");
1752 break;
1753 }
1754 close(ctl);
1755 }
1756 }
1757
1758 #ifndef SSL3_ST_SR_CLNT_HELLO_A
1759 # define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
1760 #endif
1761 #ifndef SSL23_ST_SR_CLNT_HELLO_A
1762 # define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
1763 #endif
1764
1765 void
1766 SSLINFO_callback(const SSL *ssl, int where, int rc)
1767 {
1768 RENEG_STATE *reneg_state;
1769
1770 /* Get our thr_arg where we're tracking this connection info */
1771 if((reneg_state = (RENEG_STATE *)SSL_get_app_data(ssl)) == NULL)
1772 return;
1773
1774 /* If we're rejecting renegotiations, move to ABORT if Client Hello is being read. */
1775 if((where & SSL_CB_ACCEPT_LOOP) && *reneg_state == RENEG_REJECT) {
1776 int state;
1777
1778 state = SSL_get_state(ssl);
1779 if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
1780 *reneg_state = RENEG_ABORT;
1781 logmsg(LOG_WARNING,"rejecting client initiated renegotiation");
1782 }
1783 } else if(where & SSL_CB_HANDSHAKE_DONE && *reneg_state == RENEG_INIT) {
1784 // Reject any followup renegotiations
1785 *reneg_state = RENEG_REJECT;
1786 }
1787 }
1788