1 /*
2 * Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
3 * Copyright (C) 2015-2016 Red Hat, Inc.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #include <config.h>
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <unistd.h>
25 #include <sys/types.h>
26 #include <sys/select.h>
27 #include <sys/wait.h>
28 #include <fcntl.h>
29 #include <sys/socket.h>
30 #include <netdb.h>
31 #include <system.h>
32 #include <errno.h>
33 #include <sys/ioctl.h>
34 #include <sys/resource.h>
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <cloexec.h>
38 #ifdef HAVE_MALLOC_TRIM
39 # include <malloc.h> /* for malloc_trim() */
40 #endif
41 #include <script-list.h>
42
43 #include <gnutls/x509.h>
44 #include <gnutls/crypto.h>
45 #include <tlslib.h>
46 #include "setproctitle.h"
47 #ifdef HAVE_LIBWRAP
48 # include <tcpd.h>
49 #endif
50 #include <ev.h>
51
52 #ifdef HAVE_LIBSYSTEMD
53 # include <systemd/sd-daemon.h>
54 #endif
55 #include <main.h>
56 #include <main-ctl.h>
57 #include <main-ban.h>
58 #include <route-add.h>
59 #include <worker.h>
60 #include <proc-search.h>
61 #include <tun.h>
62 #include <grp.h>
63 #include <ip-lease.h>
64 #include <ccan/list/list.h>
65 #include <hmac.h>
66 #include <base64-helper.h>
67 #include <snapshot.h>
68 #include <isolate.h>
69 #include <sockdiag.h>
70 #include <namespace.h>
71
72 #ifdef HAVE_GSSAPI
73 # include <libtasn1.h>
74
75 extern const ASN1_ARRAY_TYPE kkdcp_asn1_tab[];
76 ASN1_TYPE _kkdcp_pkix1_asn = ASN1_TYPE_EMPTY;
77 #endif
78
79 extern struct snapshot_t * config_snapshot;
80
81 int worker_argc = 0;
82 char **worker_argv = NULL;
83
84 static void listen_watcher_cb (EV_P_ ev_io *w, int revents);
85 static void resume_accept_cb (EV_P_ ev_timer *w, int revents);
86
87 int syslog_open = 0;
88 sigset_t sig_default_set;
89 struct ev_loop *main_loop = NULL;
90 static unsigned allow_broken_clients = 0;
91
92 typedef struct sec_mod_watcher_st {
93 ev_io sec_mod_watcher;
94 ev_child child_watcher;
95 unsigned int sec_mod_instance_index;
96 } sec_mod_watcher_st;
97
98 /* EV watchers */
99 ev_io ctl_watcher;
100 sec_mod_watcher_st * sec_mod_watchers = NULL;
101 ev_timer maintenance_watcher;
102 ev_timer graceful_shutdown_watcher;
103 ev_signal maintenance_sig_watcher;
104 ev_signal term_sig_watcher;
105 ev_signal int_sig_watcher;
106 ev_signal reload_sig_watcher;
107 #if defined(CAPTURE_LATENCY_SUPPORT)
108 ev_timer latency_watcher;
109 #endif
110
111 static bool set_env_from_ws(main_server_st * ws);
112
add_listener(void * pool,struct listen_list_st * list,int fd,int family,int socktype,int protocol,struct sockaddr * addr,socklen_t addr_len)113 static void add_listener(void *pool, struct listen_list_st *list,
114 int fd, int family, int socktype, int protocol,
115 struct sockaddr* addr, socklen_t addr_len)
116 {
117 struct listener_st *tmp;
118
119 tmp = talloc_zero(pool, struct listener_st);
120 tmp->fd = fd;
121 tmp->family = family;
122 tmp->sock_type = socktype;
123 tmp->protocol = protocol;
124
125 tmp->addr_len = addr_len;
126 memcpy(&tmp->addr, addr, addr_len);
127
128 ev_init(&tmp->io, listen_watcher_cb);
129 ev_io_set(&tmp->io, fd, EV_READ);
130
131 ev_init(&tmp->resume_accept, resume_accept_cb);
132
133 list_add(&list->head, &(tmp->list));
134 list->total++;
135 }
136
set_udp_socket_options(struct perm_cfg_st * config,int fd,int family)137 static void set_udp_socket_options(struct perm_cfg_st* config, int fd, int family)
138 {
139 int y;
140 if (config->config->try_mtu) {
141 set_mtu_disc(fd, family, 1);
142 }
143 #if defined(IP_PKTINFO)
144 y = 1;
145 if (setsockopt(fd, SOL_IP, IP_PKTINFO,
146 (const void *)&y, sizeof(y)) < 0)
147 perror("setsockopt(IP_PKTINFO) failed");
148 #elif defined(IP_RECVDSTADDR) /* *BSD */
149 if (family == AF_INET) {
150 y = 1;
151 if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
152 (const void *)&y, sizeof(y)) < 0)
153 perror("setsockopt(IP_RECVDSTADDR) failed");
154 }
155 #endif
156 #if defined(IPV6_RECVPKTINFO)
157 if (family == AF_INET6) {
158 y = 1;
159 if (setsockopt(fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
160 (const void *)&y, sizeof(y)) < 0)
161 perror("setsockopt(IPV6_RECVPKTINFO) failed");
162 }
163 #endif
164 }
165
set_common_socket_options(int fd)166 static void set_common_socket_options(int fd)
167 {
168 set_non_block(fd);
169 set_cloexec_flag (fd, 1);
170 }
171
172 static
_listen_ports(void * pool,struct perm_cfg_st * config,struct addrinfo * res,struct listen_list_st * list,struct netns_fds * netns)173 int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
174 struct listen_list_st *list, struct netns_fds *netns)
175 {
176 struct addrinfo *ptr;
177 int s, y;
178 const char* type = NULL;
179 char buf[512];
180
181 for (ptr = res; ptr != NULL; ptr = ptr->ai_next) {
182 if (ptr->ai_family != AF_INET && ptr->ai_family != AF_INET6)
183 continue;
184
185 if (ptr->ai_socktype == SOCK_STREAM)
186 type = "TCP";
187 else if (ptr->ai_socktype == SOCK_DGRAM)
188 type = "UDP";
189 else
190 continue;
191
192 if (config->foreground != 0)
193 fprintf(stderr, "listening (%s) on %s...\n",
194 type, human_addr(ptr->ai_addr, ptr->ai_addrlen,
195 buf, sizeof(buf)));
196
197 s = socket_netns(netns, ptr->ai_family, ptr->ai_socktype,
198 ptr->ai_protocol);
199 if (s < 0) {
200 perror("socket() failed");
201 continue;
202 }
203
204 #if defined(IPV6_V6ONLY)
205 if (ptr->ai_family == AF_INET6) {
206 y = 1;
207 /* avoid listen on ipv6 addresses failing
208 * because already listening on ipv4 addresses: */
209 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
210 (const void *) &y, sizeof(y)) < 0) {
211 perror("setsockopt(IPV6_V6ONLY) failed");
212 }
213 }
214 #endif
215
216 y = 1;
217 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
218 (const void *) &y, sizeof(y)) < 0) {
219 perror("setsockopt(SO_REUSEADDR) failed");
220 }
221
222 if (ptr->ai_socktype == SOCK_DGRAM) {
223 set_udp_socket_options(config, s, ptr->ai_family);
224 }
225
226
227 if (bind(s, ptr->ai_addr, ptr->ai_addrlen) < 0) {
228 perror("bind() failed");
229 close(s);
230 continue;
231 }
232
233 if (ptr->ai_socktype == SOCK_STREAM) {
234 if (listen(s, 1024) < 0) {
235 perror("listen() failed");
236 close(s);
237 return -1;
238 }
239 }
240
241 set_common_socket_options(s);
242
243 add_listener(pool, list, s, ptr->ai_family, ptr->ai_socktype==SOCK_STREAM?SOCK_TYPE_TCP:SOCK_TYPE_UDP,
244 ptr->ai_protocol, ptr->ai_addr, ptr->ai_addrlen);
245
246 }
247
248 fflush(stderr);
249
250 return 0;
251 }
252
253 /* Returns 0 on success or negative value on error.
254 */
255 static int
listen_ports(void * pool,struct perm_cfg_st * config,struct listen_list_st * list,struct netns_fds * netns)256 listen_ports(void *pool, struct perm_cfg_st* config,
257 struct listen_list_st *list,
258 struct netns_fds *netns)
259 {
260 struct addrinfo hints, *res;
261 char portname[6];
262 int ret;
263 #ifdef HAVE_LIBSYSTEMD
264 int fds;
265 #endif
266
267 list_head_init(&list->head);
268 list->total = 0;
269
270 #ifdef HAVE_LIBSYSTEMD
271 /* Support for systemd socket-activatable service */
272 if ((fds=sd_listen_fds(0)) > 0) {
273 /* if we get our fds from systemd */
274 unsigned i;
275 int family, type, fd;
276 struct sockaddr_storage tmp_sock;
277 socklen_t tmp_sock_len;
278
279 for (i=0;i<fds;i++) {
280 fd = SD_LISTEN_FDS_START+i;
281
282 if (sd_is_socket(fd, AF_INET, 0, -1))
283 family = AF_INET;
284 else if (sd_is_socket(fd, AF_INET6, 0, -1))
285 family = AF_INET6;
286 else {
287 fprintf(stderr, "Non-internet socket fd received!\n");
288 continue;
289 }
290
291 if (sd_is_socket(fd, 0, SOCK_STREAM, -1))
292 type = SOCK_STREAM;
293 else if (sd_is_socket(fd, 0, SOCK_DGRAM, -1))
294 type = SOCK_DGRAM;
295 else {
296 fprintf(stderr, "Non-TCP or UDP socket fd received!\n");
297 continue;
298 }
299
300 if (type == SOCK_DGRAM)
301 set_udp_socket_options(config, fd, family);
302
303 /* obtain socket params */
304 tmp_sock_len = sizeof(tmp_sock);
305 ret = getsockname(fd, (struct sockaddr*)&tmp_sock, &tmp_sock_len);
306 if (ret == -1) {
307 perror("getsockname failed");
308 continue;
309 }
310
311 set_common_socket_options(fd);
312
313 if (type == SOCK_STREAM) {
314 if (family == AF_INET)
315 config->port = ntohs(((struct sockaddr_in*)&tmp_sock)->sin_port);
316 else
317 config->port = ntohs(((struct sockaddr_in6*)&tmp_sock)->sin6_port);
318 } else if (type == SOCK_DGRAM) {
319 if (family == AF_INET)
320 config->udp_port = ntohs(((struct sockaddr_in*)&tmp_sock)->sin_port);
321 else
322 config->udp_port = ntohs(((struct sockaddr_in6*)&tmp_sock)->sin6_port);
323 }
324
325 add_listener(pool, list, fd, family, type==SOCK_STREAM?SOCK_TYPE_TCP:SOCK_TYPE_UDP, 0, (struct sockaddr*)&tmp_sock, tmp_sock_len);
326 }
327
328 if (list->total == 0) {
329 fprintf(stderr, "no useful sockets were provided by systemd\n");
330 exit(1);
331 }
332
333 if (config->foreground != 0)
334 fprintf(stderr, "listening on %d systemd sockets...\n", list->total);
335
336 return 0;
337 }
338 #endif
339
340 if (config->port == 0) {
341 fprintf(stderr, "tcp-port option is mandatory!\n");
342 return -1;
343 }
344
345 if (config->port != 0) {
346 snprintf(portname, sizeof(portname), "%d", config->port);
347
348 memset(&hints, 0, sizeof(hints));
349 hints.ai_socktype = SOCK_STREAM;
350 hints.ai_flags = AI_PASSIVE
351 #ifdef AI_ADDRCONFIG
352 | AI_ADDRCONFIG
353 #endif
354 ;
355
356 ret = getaddrinfo(config->listen_host, portname, &hints, &res);
357 if (ret != 0) {
358 fprintf(stderr, "getaddrinfo() failed: %s\n",
359 gai_strerror(ret));
360 return -1;
361 }
362
363 ret = _listen_ports(pool, config, res, list, netns);
364 freeaddrinfo(res);
365
366 if (ret < 0) {
367 return -1;
368 }
369
370 }
371
372 if (list->total == 0) {
373 fprintf(stderr, "Could not listen to any TCP or UNIX ports\n");
374 exit(1);
375 }
376
377 if (config->udp_port) {
378 snprintf(portname, sizeof(portname), "%d", config->udp_port);
379
380 memset(&hints, 0, sizeof(hints));
381 hints.ai_socktype = SOCK_DGRAM;
382 hints.ai_flags = AI_PASSIVE
383 #ifdef AI_ADDRCONFIG
384 | AI_ADDRCONFIG
385 #endif
386 ;
387
388 ret = getaddrinfo(config->udp_listen_host, portname, &hints, &res);
389 if (ret != 0) {
390 fprintf(stderr, "getaddrinfo() failed: %s\n",
391 gai_strerror(ret));
392 return -1;
393 }
394
395 ret = _listen_ports(pool, config, res, list, netns);
396 if (ret < 0) {
397 return -1;
398 }
399
400 freeaddrinfo(res);
401 }
402
403 return 0;
404 }
405
406 /* Sets the options needed in the UDP socket we forward to
407 * worker */
408 static
set_worker_udp_opts(main_server_st * s,int fd,int family)409 void set_worker_udp_opts(main_server_st *s, int fd, int family)
410 {
411 int y;
412
413 #ifdef IPV6_V6ONLY
414 if (family == AF_INET6) {
415 y = 1;
416 /* avoid listen on ipv6 addresses failing
417 * because already listening on ipv4 addresses: */
418 if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
419 (const void *) &y, sizeof(y)) < 0) {
420 perror("setsockopt(IPV6_V6ONLY) failed");
421 }
422 }
423 #endif
424
425 y = 1;
426 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void *) &y, sizeof(y)) < 0) {
427 perror("setsockopt(SO_REUSEADDR) failed");
428 }
429
430 if (GETCONFIG(s)->try_mtu) {
431 set_mtu_disc(fd, family, 1);
432 }
433 set_cloexec_flag (fd, 1);
434
435 return;
436 }
437
438 /* clears the server listen_list and proc_list. To be used after fork().
439 * It frees unused memory and descriptors.
440 */
clear_lists(main_server_st * s)441 void clear_lists(main_server_st *s)
442 {
443 int i;
444 struct listener_st *ltmp = NULL, *lpos;
445 struct proc_st *ctmp = NULL, *cpos;
446 struct script_wait_st *script_tmp = NULL, *script_pos;
447
448 list_for_each_safe(&s->listen_list.head, ltmp, lpos, list) {
449 close(ltmp->fd);
450 list_del(<mp->list);
451 talloc_free(ltmp);
452 s->listen_list.total--;
453 }
454
455 list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) {
456 if (ctmp->fd >= 0)
457 close(ctmp->fd);
458 if (ctmp->tun_lease.fd >= 0)
459 close(ctmp->tun_lease.fd);
460 list_del(&ctmp->list);
461 ev_child_stop(main_loop, &ctmp->ev_child);
462 ev_io_stop(main_loop, &ctmp->io);
463 safe_memset(ctmp, 0, sizeof(*ctmp));
464 talloc_free(ctmp);
465 s->proc_list.total--;
466 }
467
468 list_for_each_safe(&s->script_list.head, script_tmp, script_pos, list) {
469 list_del(&script_tmp->list);
470 ev_child_stop(main_loop, &script_tmp->ev_child);
471 talloc_free(script_tmp);
472 }
473
474 ip_lease_deinit(&s->ip_leases);
475 proc_table_deinit(s);
476 ctl_handler_deinit(s);
477 main_ban_db_deinit(s);
478 if_address_cleanup(s);
479
480 /* clear libev state */
481 if (main_loop) {
482 ev_io_stop (main_loop, &ctl_watcher);
483 for (i = 0; i < s->sec_mod_instance_count; i++) {
484 ev_io_stop (main_loop, &sec_mod_watchers[i].sec_mod_watcher);
485 ev_child_stop (main_loop, &sec_mod_watchers[i].child_watcher);
486 }
487 ev_timer_stop(main_loop, &maintenance_watcher);
488 #if defined(CAPTURE_LATENCY_SUPPORT)
489 ev_timer_stop(main_loop, &latency_watcher);
490 #endif
491 /* free memory and descriptors by the event loop */
492 ev_loop_destroy (main_loop);
493 }
494 }
495
496 #define SKIP16(pos, total) { \
497 uint16_t _s; \
498 if (pos+2 > total) goto fallback; \
499 _s = (buffer[pos] << 8) | buffer[pos+1]; \
500 if ((size_t)(pos+2+_s) > total) goto fallback; \
501 pos += 2+_s; \
502 }
503
504 #define SKIP8(pos, total) { \
505 uint8_t _s; \
506 if (pos+1 > total) goto fallback; \
507 _s = buffer[pos]; \
508 if ((size_t)(pos+1+_s) > total) goto fallback; \
509 pos += 1+_s; \
510 }
511
512 #define TLS_EXT_APP_ID 48018
513 #define RECORD_PAYLOAD_POS 13
514 #define HANDSHAKE_SESSION_ID_POS 46
515 #define HANDSHAKE_RANDOM_POS 14
516
517 /* This returns either the application-specific ID extension contents,
518 * or the session ID contents. The former is used on the new protocol,
519 * while the latter on the legacy protocol.
520 *
521 * Extension ID: 48018
522 * opaque ApplicationID<1..2^8-1>;
523 *
524 * struct {
525 * ExtensionType extension_type;
526 * opaque extension_data<0..2^16-1>;
527 * } Extension;
528 *
529 * struct {
530 * ProtocolVersion server_version;
531 * Random random;
532 * SessionID session_id;
533 * opaque cookie<0..2^8-1>;
534 * CipherSuite cipher_suite;
535 * CompressionMethod compression_method;
536 * Extension server_hello_extension_list<0..2^16-1>;
537 * } ServerHello;
538 */
539 static
get_session_id(main_server_st * s,uint8_t * buffer,size_t buffer_size,uint8_t ** id,int * id_size)540 unsigned get_session_id(main_server_st* s, uint8_t *buffer, size_t buffer_size, uint8_t **id, int *id_size)
541 {
542 size_t pos;
543
544 /* A client hello packet. We can get the session ID and figure
545 * the associated connection. */
546 if (buffer_size < RECORD_PAYLOAD_POS+HANDSHAKE_SESSION_ID_POS+GNUTLS_MAX_SESSION_ID+2) {
547 return 0;
548 }
549
550 if (!GETCONFIG(s)->dtls_psk)
551 goto fallback;
552
553 /* try to read the extension data */
554 pos = RECORD_PAYLOAD_POS+HANDSHAKE_SESSION_ID_POS;
555 SKIP8(pos, buffer_size);
556
557 /* Cookie */
558 SKIP8(pos, buffer_size);
559
560 /* CipherSuite */
561 SKIP16(pos, buffer_size);
562
563 /* CompressionMethod */
564
565 SKIP8(pos, buffer_size);
566
567 if (pos+2 > buffer_size)
568 goto fallback;
569 pos+=2;
570
571 /* Extension(s) */
572 while (pos < buffer_size) {
573 uint16_t type;
574 uint16_t len;
575
576 if (pos+4 > buffer_size)
577 goto fallback;
578
579 type = (buffer[pos] << 8) | buffer[pos+1];
580 pos+=2;
581 if (type != TLS_EXT_APP_ID) {
582 SKIP16(pos, buffer_size);
583 } else { /* found */
584 if (pos+2 > buffer_size)
585 return 0; /* invalid format */
586
587 len = (buffer[pos] << 8) | buffer[pos+1];
588 if ((size_t)(pos+2+len) > buffer_size)
589 return 0; /* invalid format */
590 pos+=2;
591
592 len = buffer[pos];
593 if ((size_t)(pos+1+len) > buffer_size)
594 return 0; /* invalid format */
595 pos++;
596 *id_size = len;
597 *id = &buffer[pos];
598 return 1;
599 }
600 }
601
602 fallback:
603 /* read session_id */
604 *id_size = buffer[RECORD_PAYLOAD_POS+HANDSHAKE_SESSION_ID_POS];
605 *id = &buffer[RECORD_PAYLOAD_POS+HANDSHAKE_SESSION_ID_POS+1];
606
607 return 1;
608 }
609
610 static
has_broken_random(main_server_st * s,uint8_t * buffer,size_t buffer_size)611 unsigned has_broken_random(main_server_st* s, uint8_t *buffer, size_t buffer_size)
612 {
613 size_t pos,i;
614
615 if (allow_broken_clients)
616 return 0;
617
618 if (buffer_size < RECORD_PAYLOAD_POS+HANDSHAKE_RANDOM_POS+32)
619 return 0;
620
621 /* check whether the client hello contains a random value of all zeros;
622 * if that's the case it indicates a broken DTLS client. Relates to:
623 * https://gitlab.com/gnutls/gnutls/-/issues/960 */
624 pos = RECORD_PAYLOAD_POS+HANDSHAKE_RANDOM_POS;
625
626 for (i=0;i<32;i++) {
627 if (buffer[pos+i] != 0)
628 return 0;
629 }
630
631 return 1;
632 }
633
634 /* A UDP fd will not be forwarded to worker process before this number of
635 * seconds has passed. That is to prevent a duplicate message messing the worker.
636 */
637 #define UDP_FD_RESEND_TIME 3
638
forward_udp_to_owner(main_server_st * s,struct listener_st * listener)639 static int forward_udp_to_owner(main_server_st* s, struct listener_st *listener)
640 {
641 int ret, e;
642 struct sockaddr_storage cli_addr;
643 struct sockaddr_storage our_addr;
644 struct proc_st *proc_to_send = NULL;
645 socklen_t cli_addr_size, our_addr_size;
646 char tbuf[64];
647 uint8_t *session_id = NULL;
648 int session_id_size = 0;
649 ssize_t buffer_size;
650 int match_ip_only = 0;
651 time_t now;
652 int sfd = -1;
653
654 /* first receive from the correct client and connect socket */
655 cli_addr_size = sizeof(cli_addr);
656 our_addr_size = sizeof(our_addr);
657 ret = oc_recvfrom_at(listener->fd, s->msg_buffer, sizeof(s->msg_buffer), 0,
658 (struct sockaddr*)&cli_addr, &cli_addr_size,
659 (struct sockaddr*)&our_addr, &our_addr_size,
660 GETPCONFIG(s)->udp_port);
661 if (ret < 0) {
662 mslog(s, NULL, LOG_INFO, "error receiving in UDP socket");
663 return -1;
664 }
665 buffer_size = ret;
666
667 // Sanitize values returned from oc_recvfrom_at to make coverity happy.
668 cli_addr_size = MIN(sizeof(cli_addr), cli_addr_size);
669 our_addr_size = MIN(sizeof(our_addr), our_addr_size);
670
671 if (buffer_size < RECORD_PAYLOAD_POS) {
672 mslog(s, NULL, LOG_INFO, "%s: too short UDP packet",
673 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
674 goto fail;
675 }
676
677 /* check version */
678 if (s->msg_buffer[0] == 22) {
679 mslog(s, NULL, LOG_DEBUG, "new DTLS session from %s (record v%u.%u, hello v%u.%u)",
680 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
681 (unsigned int)s->msg_buffer[1], (unsigned int)s->msg_buffer[2],
682 (unsigned int)s->msg_buffer[RECORD_PAYLOAD_POS], (unsigned int)s->msg_buffer[RECORD_PAYLOAD_POS+1]);
683 }
684
685 if (s->msg_buffer[1] != 254 && (s->msg_buffer[1] != 1 && s->msg_buffer[2] != 0) &&
686 s->msg_buffer[RECORD_PAYLOAD_POS] != 254 && (s->msg_buffer[RECORD_PAYLOAD_POS] != 0 && s->msg_buffer[RECORD_PAYLOAD_POS+1] != 0)) {
687 mslog(s, NULL, LOG_INFO, "%s: unknown DTLS record version: %u.%u",
688 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
689 (unsigned)s->msg_buffer[1], (unsigned)s->msg_buffer[2]);
690 goto fail;
691 }
692
693 if (s->msg_buffer[0] != 22) {
694 mslog(s, NULL, LOG_DEBUG, "%s: unexpected DTLS content type: %u; possibly a firewall disassociated a UDP session",
695 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
696 (unsigned int)s->msg_buffer[0]);
697 /* Here we received a non-client-hello packet. It may be that
698 * the client's NAT changed its UDP source port and the previous
699 * connection is invalidated. Try to see if we can simply match
700 * the IP address and forward the socket.
701 */
702 match_ip_only = 1;
703 } else {
704 if (has_broken_random(s, s->msg_buffer, buffer_size)) {
705 mslog(s, NULL, LOG_INFO, "%s: detected broken DTLS client hello (no randomness); ignoring",
706 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
707 goto fail;
708 }
709
710 if (!get_session_id(s, s->msg_buffer, buffer_size, &session_id, &session_id_size)) {
711 mslog(s, NULL, LOG_INFO, "%s: too short handshake packet",
712 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
713 goto fail;
714 }
715 }
716
717 /* search for the IP and the session ID in all procs */
718 now = time(0);
719
720 if (match_ip_only == 0) {
721 proc_to_send = proc_search_dtls_id(s, session_id, session_id_size);
722 } else {
723 proc_to_send = proc_search_single_ip(s, &cli_addr, cli_addr_size);
724 }
725
726 if (proc_to_send != 0) {
727 UdpFdMsg msg = UDP_FD_MSG__INIT;
728
729 if (now - proc_to_send->udp_fd_receive_time <= UDP_FD_RESEND_TIME) {
730 mslog(s, proc_to_send, LOG_DEBUG, "received UDP connection too soon from %s",
731 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
732 goto fail;
733 }
734
735 sfd = socket_netns(&s->netns, listener->family, SOCK_DGRAM, listener->protocol);
736 if (sfd < 0) {
737 e = errno;
738 mslog(s, proc_to_send, LOG_ERR, "new UDP socket failed: %s",
739 strerror(e));
740 goto fail;
741 }
742
743 set_worker_udp_opts(s, sfd, listener->family);
744
745 if (our_addr_size > 0) {
746 ret = bind(sfd, (struct sockaddr *)&our_addr, our_addr_size);
747 if (ret == -1) {
748 e = errno;
749 mslog(s, proc_to_send, LOG_INFO, "bind UDP to %s: %s",
750 human_addr((struct sockaddr*)&listener->addr, listener->addr_len, tbuf, sizeof(tbuf)),
751 strerror(e));
752 }
753 }
754
755 ret = connect(sfd, (void*)&cli_addr, cli_addr_size);
756 if (ret == -1) {
757 e = errno;
758 mslog(s, proc_to_send, LOG_ERR, "connect UDP socket from %s: %s",
759 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
760 strerror(e));
761 goto fail;
762 }
763
764 if (match_ip_only != 0) {
765 msg.hello = 0; /* by default this is one */
766 } else {
767 /* a new DTLS session, store the DTLS IPs into proc and add it into hash table */
768 proc_table_update_dtls_ip(s, proc_to_send, &cli_addr, cli_addr_size);
769 }
770
771 msg.data.data = s->msg_buffer;
772 msg.data.len = buffer_size;
773
774 ret = send_socket_msg_to_worker(s, proc_to_send, CMD_UDP_FD,
775 sfd,
776 &msg,
777 (pack_size_func)udp_fd_msg__get_packed_size,
778 (pack_func)udp_fd_msg__pack);
779 if (ret < 0) {
780 mslog(s, proc_to_send, LOG_ERR, "error passing UDP socket from %s",
781 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
782 goto fail;
783 }
784 mslog(s, proc_to_send, LOG_DEBUG, "passed UDP socket from %s",
785 human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)));
786 proc_to_send->udp_fd_receive_time = now;
787 }
788
789 fail:
790 if (sfd != -1)
791 close(sfd);
792
793 return 0;
794
795 }
796
797 #ifdef HAVE_LIBWRAP
check_tcp_wrapper(int fd)798 static int check_tcp_wrapper(int fd)
799 {
800 struct request_info req;
801
802 if (request_init(&req, RQ_FILE, fd, RQ_DAEMON, PACKAGE_NAME, 0) == NULL)
803 return -1;
804
805 sock_host(&req);
806 if (hosts_access(&req) == 0)
807 return -1;
808
809 return 0;
810 }
811 #else
812 # define check_tcp_wrapper(x) 0
813 #endif
814
sec_mod_child_watcher_cb(struct ev_loop * loop,ev_child * w,int revents)815 static void sec_mod_child_watcher_cb(struct ev_loop *loop, ev_child *w, int revents)
816 {
817 main_server_st *s = ev_userdata(loop);
818
819 if (WIFSIGNALED(w->rstatus)) {
820 if (WTERMSIG(w->rstatus) == SIGSEGV)
821 mslog(s, NULL, LOG_ERR, "Sec-mod %u died with sigsegv\n", (unsigned)w->pid);
822 else if (WTERMSIG(w->rstatus) == SIGSYS)
823 mslog(s, NULL, LOG_ERR, "Sec-mod %u died with sigsys\n", (unsigned)w->pid);
824 else
825 mslog(s, NULL, LOG_ERR, "Sec-mod %u died with signal %d\n", (unsigned)w->pid, (int)WTERMSIG(w->rstatus));
826 }
827
828 ev_child_stop(loop, w);
829 mslog(s, NULL, LOG_ERR, "ocserv-secmod died unexpectedly");
830 ev_feed_signal_event (loop, SIGTERM);
831 }
832
script_child_watcher_cb(struct ev_loop * loop,ev_child * w,int revents)833 void script_child_watcher_cb(struct ev_loop *loop, ev_child *w, int revents)
834 {
835 main_server_st *s = ev_userdata(loop);
836 int ret;
837 struct script_wait_st *stmp = (struct script_wait_st*)w;
838 unsigned estatus;
839
840 estatus = WEXITSTATUS(w->rstatus);
841 if (WIFSIGNALED(w->rstatus))
842 estatus = 1;
843
844 /* check if someone was waiting for that pid */
845 mslog(s, stmp->proc, LOG_DEBUG, "connect-script exit status: %u", estatus);
846 list_del(&stmp->list);
847 ev_child_stop(loop, &stmp->ev_child);
848
849 ret = handle_script_exit(s, stmp->proc, estatus);
850 if (ret < 0) {
851 /* takes care of free */
852 remove_proc(s, stmp->proc, RPROC_KILL);
853 } else {
854 talloc_free(stmp);
855 }
856 }
857
worker_child_watcher_cb(struct ev_loop * loop,ev_child * w,int revents)858 static void worker_child_watcher_cb(struct ev_loop *loop, ev_child *w, int revents)
859 {
860 main_server_st *s = ev_userdata(loop);
861
862 if (WIFSIGNALED(w->rstatus)) {
863 if (WTERMSIG(w->rstatus) == SIGSEGV)
864 mslog(s, NULL, LOG_ERR, "Child %u died with sigsegv\n", (unsigned)w->pid);
865 else if (WTERMSIG(w->rstatus) == SIGSYS)
866 mslog(s, NULL, LOG_ERR, "Child %u died with sigsys\n", (unsigned)w->pid);
867 else
868 mslog(s, NULL, LOG_ERR, "Child %u died with signal %d\n", (unsigned)w->pid, (int)WTERMSIG(w->rstatus));
869 }
870
871 ev_child_stop(loop, w);
872 }
873
kill_children(main_server_st * s)874 static void kill_children(main_server_st* s)
875 {
876 struct proc_st *ctmp = NULL, *cpos;
877 int i;
878 /* kill the security module server */
879 list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) {
880 if (ctmp->pid != -1) {
881 remove_proc(s, ctmp, RPROC_KILL|RPROC_QUIT);
882 }
883 }
884
885 for (i = 0; i < s->sec_mod_instance_count; i ++) {
886 kill(s->sec_mod_instances[i].sec_mod_pid, SIGTERM);
887 }
888 }
889
kill_children_auth_timeout(main_server_st * s)890 static void kill_children_auth_timeout(main_server_st* s)
891 {
892 struct proc_st *ctmp = NULL, *cpos;
893 time_t oldest_permitted_session = time(NULL) - GETCONFIG(s)->auth_timeout;
894
895 /* kill the security module server */
896 list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) {
897 /* If the worker has not completed it's auth within auth_timeout seconds, kill it */
898 if ((ctmp->status < PS_AUTH_COMPLETED) &&
899 (ctmp->conn_time < oldest_permitted_session) &&
900 (ctmp->pid != -1)) {
901 remove_proc(s, ctmp, RPROC_KILL);
902 }
903 }
904 }
905
terminate_server(main_server_st * s)906 static void terminate_server(main_server_st * s)
907 {
908 unsigned total = 10;
909
910 mslog(s, NULL, LOG_INFO, "termination request received; waiting for sessions to die");
911 kill_children(s);
912
913 while (waitpid(-1, NULL, WNOHANG) >= 0) {
914 if (total == 0) {
915 mslog(s, NULL, LOG_INFO, "not all sessions died; forcing kill");
916 kill(0, SIGKILL);
917 }
918 ms_sleep(500);
919 total--;
920 }
921
922 ev_break (main_loop, EVBREAK_ALL);
923 }
924
graceful_shutdown_watcher_cb(EV_P_ ev_timer * w,int revents)925 static void graceful_shutdown_watcher_cb(EV_P_ ev_timer *w, int revents)
926 {
927 main_server_st *s = ev_userdata(loop);
928
929 terminate_server(s);
930 }
931
term_sig_watcher_cb(struct ev_loop * loop,ev_signal * w,int revents)932 static void term_sig_watcher_cb(struct ev_loop *loop, ev_signal *w, int revents)
933 {
934 main_server_st *s = ev_userdata(loop);
935 struct listener_st *ltmp = NULL, *lpos;
936 unsigned int server_drain_ms = GETCONFIG(s)->server_drain_ms;
937
938 if (server_drain_ms == 0) {
939 terminate_server(s);
940 }
941 else
942 {
943 if (!ev_is_active(&graceful_shutdown_watcher)) {
944 mslog(s, NULL, LOG_INFO, "termination request received; stopping new connections");
945 graceful_shutdown_watcher.repeat = ((ev_tstamp)(server_drain_ms)) / 1000.;
946 mslog(s, NULL, LOG_INFO, "termination request received; waiting %d ms", server_drain_ms);
947 ev_timer_again(loop, &graceful_shutdown_watcher);
948
949 // Close the listening ports and stop the IO
950 list_for_each_safe(&s->listen_list.head, ltmp, lpos, list) {
951 ev_io_stop(loop, <mp->io);
952 close(ltmp->fd);
953 list_del(<mp->list);
954 talloc_free(ltmp);
955 s->listen_list.total--;
956 }
957 }
958 }
959 }
960
reload_sig_watcher_cb(struct ev_loop * loop,ev_signal * w,int revents)961 static void reload_sig_watcher_cb(struct ev_loop *loop, ev_signal *w, int revents)
962 {
963 main_server_st *s = ev_userdata(loop);
964 int ret;
965 int i;
966
967 mslog(s, NULL, LOG_INFO, "reloading configuration");
968 for (i = 0; i < s->sec_mod_instance_count; i ++) {
969 kill(s->sec_mod_instances[i].sec_mod_pid, SIGHUP);
970
971 /* Reload on main needs to happen later than sec-mod.
972 * That's because of a test that the certificate matches the
973 * used key. */
974 ret = secmod_reload(&s->sec_mod_instances[i]);
975 if (ret < 0) {
976 mslog(s, NULL, LOG_ERR, "could not reload sec-mod!\n");
977 ev_feed_signal_event (loop, SIGTERM);
978 }
979 }
980 reload_cfg_file(s->config_pool, s->vconfig, 0);
981 }
982
cmd_watcher_cb(EV_P_ ev_io * w,int revents)983 static void cmd_watcher_cb (EV_P_ ev_io *w, int revents)
984 {
985 main_server_st *s = ev_userdata(loop);
986 struct proc_st *ctmp = (struct proc_st*)w;
987 int ret;
988
989 /* Check for any pending commands */
990 ret = handle_worker_commands(s, ctmp);
991 if (ret < 0) {
992 remove_proc(s, ctmp, (ret!=ERR_WORKER_TERMINATED)?RPROC_KILL:0);
993 }
994 }
995
resume_accept_cb(EV_P_ ev_timer * w,int revents)996 static void resume_accept_cb (EV_P_ ev_timer *w, int revents)
997 {
998 main_server_st *s = ev_userdata(loop);
999 struct listener_st *ltmp = (struct listener_st *)((char*)w - offsetof(struct listener_st, resume_accept));
1000 // Add hysteresis to the pause/resume cycle to damp oscillations
1001 unsigned int resume_threshold = GETCONFIG(s)->max_clients * 9 / 10;
1002
1003 // Only resume accepting connections if we are under the limit
1004 if (resume_threshold == 0 || s->stats.active_clients < resume_threshold) {
1005 // Clear the timer and resume accept
1006 ev_timer_stop(loop, <mp->resume_accept);
1007 ev_io_start(loop, <mp->io);
1008 }
1009 }
1010
listen_watcher_cb(EV_P_ ev_io * w,int revents)1011 static void listen_watcher_cb (EV_P_ ev_io *w, int revents)
1012 {
1013 main_server_st *s = ev_userdata(loop);
1014 struct listener_st *ltmp = (struct listener_st *)w;
1015 struct proc_st *ctmp = NULL;
1016 struct worker_st *ws = s->ws;
1017 int fd, ret;
1018 int cmd_fd[2];
1019 pid_t pid;
1020 int i;
1021 hmac_component_st hmac_components[3];
1022 char worker_path[_POSIX_PATH_MAX];
1023
1024 if (ltmp->sock_type == SOCK_TYPE_TCP || ltmp->sock_type == SOCK_TYPE_UNIX) {
1025 /* connection on TCP port */
1026 int stype = ltmp->sock_type;
1027
1028 ws->remote_addr_len = sizeof(ws->remote_addr);
1029 fd = accept(ltmp->fd, (void*)&ws->remote_addr, &ws->remote_addr_len);
1030 if (fd < 0) {
1031 mslog(s, NULL, LOG_ERR,
1032 "error in accept(): %s", strerror(errno));
1033 return;
1034 }
1035 set_cloexec_flag (fd, 1);
1036 #ifndef __linux__
1037 /* OpenBSD sets the non-blocking flag if accept's fd is non-blocking */
1038 set_block(fd);
1039 #endif
1040
1041 if (GETCONFIG(s)->max_clients > 0 && s->stats.active_clients >= GETCONFIG(s)->max_clients) {
1042 close(fd);
1043 mslog(s, NULL, LOG_INFO, "reached maximum client limit (active: %u)", s->stats.active_clients);
1044 return;
1045 }
1046
1047 if (check_tcp_wrapper(fd) < 0) {
1048 close(fd);
1049 mslog(s, NULL, LOG_INFO, "TCP wrappers rejected the connection (see /etc/hosts->[allow|deny])");
1050 return;
1051 }
1052
1053 if (ws->conn_type != SOCK_TYPE_UNIX && !GETCONFIG(s)->listen_proxy_proto) {
1054 memset(&ws->our_addr, 0, sizeof(ws->our_addr));
1055 ws->our_addr_len = sizeof(ws->our_addr);
1056 if (getsockname(fd, (struct sockaddr*)&ws->our_addr, &ws->our_addr_len) < 0)
1057 ws->our_addr_len = 0;
1058
1059 if (check_if_banned(s, &ws->remote_addr, ws->remote_addr_len) != 0) {
1060 close(fd);
1061 return;
1062 }
1063 }
1064
1065 /* Create a command socket */
1066 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, cmd_fd);
1067 if (ret < 0) {
1068 mslog(s, NULL, LOG_ERR, "error creating command socket");
1069 close(fd);
1070 return;
1071 }
1072
1073 pid = fork();
1074 if (pid == 0) { /* child */
1075 unsigned int sec_mod_instance_index;
1076 /* close any open descriptors, and erase
1077 * sensitive data before running the worker
1078 */
1079 sigprocmask(SIG_SETMASK, &sig_default_set, NULL);
1080 close(cmd_fd[0]);
1081 clear_lists(s);
1082 if (s->top_fd != -1) close(s->top_fd);
1083 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1084 close(s->sec_mod_instances[i].sec_mod_fd);
1085 close(s->sec_mod_instances[i].sec_mod_fd_sync);
1086 }
1087
1088 setproctitle(PACKAGE_NAME"-worker");
1089 kill_on_parent_kill(SIGTERM);
1090
1091 set_self_oom_score_adj(s);
1092
1093 sec_mod_instance_index = hash_any(
1094 SA_IN_P_GENERIC(&ws->remote_addr, ws->remote_addr_len),
1095 SA_IN_SIZE(ws->remote_addr_len), 0) % s->sec_mod_instance_count;
1096
1097 /* write sec-mod's address */
1098 memcpy(&ws->secmod_addr, &s->sec_mod_instances[sec_mod_instance_index].secmod_addr, s->sec_mod_instances[sec_mod_instance_index].secmod_addr_len);
1099 ws->secmod_addr_len = s->sec_mod_instances[sec_mod_instance_index].secmod_addr_len;
1100
1101
1102 ws->main_pool = s->main_pool;
1103
1104 ws->vconfig = s->vconfig;
1105
1106 ws->cmd_fd = cmd_fd[1];
1107 ws->tun_fd = -1;
1108 set_cloexec_flag(fd, false);
1109 ws->conn_fd = fd;
1110 ws->conn_type = stype;
1111 ws->session_start_time = time(0);
1112
1113 human_addr2((const struct sockaddr *)&ws->remote_addr, ws->remote_addr_len, ws->remote_ip_str, sizeof(ws->remote_ip_str), 0);
1114 human_addr2((const struct sockaddr *)&ws->our_addr, ws->our_addr_len, ws->our_ip_str, sizeof(ws->our_ip_str), 0);
1115
1116 hmac_components[0].data = ws->remote_ip_str;
1117 hmac_components[0].length = strlen(ws->remote_ip_str);
1118 hmac_components[1].data = ws->our_ip_str;
1119 hmac_components[1].length = strlen(ws->our_ip_str);
1120 hmac_components[2].data = &ws->session_start_time;
1121 hmac_components[2].length = sizeof(ws->session_start_time);
1122
1123 generate_hmac(sizeof(s->hmac_key), s->hmac_key, sizeof(hmac_components) / sizeof(hmac_components[0]), hmac_components, (uint8_t*) ws->sec_auth_init_hmac);
1124
1125 // Clear the HMAC key
1126 safe_memset((uint8_t*)s->hmac_key, 0, sizeof(s->hmac_key));
1127
1128 if (!set_env_from_ws(s))
1129 exit(1);
1130
1131 #if defined(PROC_FS_SUPPORTED)
1132 {
1133 char path[_POSIX_PATH_MAX];
1134 size_t path_length;
1135 path_length = readlink("/proc/self/exe", path, sizeof(path)-1);
1136 if (path_length == -1) {
1137 mslog(s, NULL, LOG_ERR, "readlink failed %s", strerror(ret));
1138 exit(1);
1139 }
1140 path[path_length] = '\0';
1141 if (snprintf(worker_path, sizeof(worker_path), "%s-worker", path) >= sizeof(worker_path)) {
1142 mslog(s, NULL, LOG_ERR, "snprint of path %s and ocserv-worker failed", path);
1143 exit(1);
1144 }
1145 }
1146 #else
1147 if (snprintf(worker_path, sizeof(worker_path), "%s-worker", worker_argv[0]) >= sizeof(worker_path)) {
1148 mslog(s, NULL, LOG_ERR, "snprint of path %s and ocserv-worker failed", worker_argv[0]);
1149 exit(1);
1150 }
1151 #endif
1152
1153 worker_argv[0] = worker_path;
1154 execv(worker_path, worker_argv);
1155 ret = errno;
1156 mslog(s, NULL, LOG_ERR, "exec %s failed %s", worker_path, strerror(ret));
1157 exit(1);
1158 } else if (pid == -1) {
1159 fork_failed:
1160 mslog(s, NULL, LOG_ERR, "fork failed");
1161 close(cmd_fd[0]);
1162 } else { /* parent */
1163 /* add_proc */
1164 ctmp = new_proc(s, pid, cmd_fd[0],
1165 &ws->remote_addr, ws->remote_addr_len,
1166 &ws->our_addr, ws->our_addr_len,
1167 ws->sid, sizeof(ws->sid));
1168 if (ctmp == NULL) {
1169 kill(pid, SIGTERM);
1170 goto fork_failed;
1171 }
1172
1173 ev_io_init(&ctmp->io, cmd_watcher_cb, cmd_fd[0], EV_READ);
1174 ev_io_start(loop, &ctmp->io);
1175
1176 ev_child_init(&ctmp->ev_child, worker_child_watcher_cb, pid, 0);
1177 ev_child_start(loop, &ctmp->ev_child);
1178 }
1179 close(cmd_fd[1]);
1180 close(fd);
1181 } else if (ltmp->sock_type == SOCK_TYPE_UDP) {
1182 /* connection on UDP port */
1183 forward_udp_to_owner(s, ltmp);
1184 }
1185
1186 if (GETCONFIG(s)->max_clients > 0 && s->stats.active_clients >= GETCONFIG(s)->max_clients) {
1187 ltmp->resume_accept.repeat = ((ev_tstamp)(1));
1188 ev_io_stop(loop, <mp->io);
1189 ev_timer_again(loop, <mp->resume_accept);
1190 }
1191
1192 // Rate limiting of incoming connections is implemented as follows:
1193 // After accepting a client connection:
1194 // Arm the flow control timer.
1195 // Stop accepting connections.
1196 // When the timer fires, it resumes accepting the connections.
1197 if (GETCONFIG(s)->rate_limit_ms > 0) {
1198 int rqueue = 0;
1199 int wqueue = 0;
1200 int retval = sockdiag_query_unix_domain_socket_queue_length(s->sec_mod_instances[0].secmod_addr.sun_path, &rqueue, &wqueue);
1201 mslog(s, NULL, LOG_DEBUG, "queue_length retval:%d rqueue:%d wqueue:%d", retval, rqueue, wqueue);
1202 if (retval || rqueue > wqueue / 2) {
1203 mslog(s, NULL, LOG_INFO, "delaying accepts for %d ms", GETCONFIG(s)->rate_limit_ms);
1204 // Arm the timer and pause accept
1205 ltmp->resume_accept.repeat = ((ev_tstamp)(GETCONFIG(s)->rate_limit_ms)) / 1000.;
1206 ev_io_stop(loop, <mp->io);
1207 ev_timer_again(loop, <mp->resume_accept);
1208 }
1209 }
1210 }
1211
sec_mod_watcher_cb(EV_P_ ev_io * w,int revents)1212 static void sec_mod_watcher_cb (EV_P_ ev_io *w, int revents)
1213 {
1214 sec_mod_watcher_st *sec_mod = (sec_mod_watcher_st *)w;
1215 main_server_st *s = ev_userdata(loop);
1216 int ret;
1217
1218 ret = handle_sec_mod_commands(&s->sec_mod_instances[sec_mod->sec_mod_instance_index]);
1219 if (ret < 0) { /* bad commands from sec-mod are unacceptable */
1220 mslog(s, NULL, LOG_ERR,
1221 "error in command from sec-mod");
1222 ev_io_stop(loop, w);
1223 ev_feed_signal_event (loop, SIGTERM);
1224 }
1225 }
1226
ctl_watcher_cb(EV_P_ ev_io * w,int revents)1227 static void ctl_watcher_cb (EV_P_ ev_io *w, int revents)
1228 {
1229 main_server_st *s = ev_userdata(loop);
1230
1231 ctl_handler_run_pending(s, w);
1232 }
1233
perform_maintenance(main_server_st * s)1234 static void perform_maintenance(main_server_st *s)
1235 {
1236 vhost_cfg_st *vhost = NULL;
1237
1238 /* Check if we need to expire any data */
1239 mslog(s, NULL, LOG_DEBUG, "performing maintenance");
1240 cleanup_banned_entries(s);
1241 clear_old_configs(s->vconfig);
1242
1243 kill_children_auth_timeout(s);
1244
1245 list_for_each_rev(s->vconfig, vhost, list) {
1246 tls_reload_crl(s, vhost, 0);
1247 }
1248 }
1249
maintenance_watcher_cb(EV_P_ ev_timer * w,int revents)1250 static void maintenance_watcher_cb(EV_P_ ev_timer *w, int revents)
1251 {
1252 main_server_st *s = ev_userdata(loop);
1253
1254 perform_maintenance(s);
1255 }
1256
1257 #if defined(CAPTURE_LATENCY_SUPPORT)
latency_watcher_cb(EV_P_ ev_timer * w,int revents)1258 static void latency_watcher_cb(EV_P_ ev_timer *w, int revents)
1259 {
1260 main_server_st *s = ev_userdata(loop);
1261 s->stats.current_latency_stats = s->stats.delta_latency_stats;
1262 s->stats.delta_latency_stats.median_total = 0;
1263 s->stats.delta_latency_stats.rms_total = 0;
1264 s->stats.delta_latency_stats.sample_count = 0;
1265 mslog(
1266 s,
1267 NULL,
1268 LOG_DEBUG,
1269 "Latency: Median Total %ld RMS Total %ld Sample Count %ld",
1270 s->stats.current_latency_stats.median_total,
1271 s->stats.current_latency_stats.rms_total,
1272 s->stats.current_latency_stats.sample_count);
1273 }
1274 #endif
1275
maintenance_sig_watcher_cb(struct ev_loop * loop,ev_signal * w,int revents)1276 static void maintenance_sig_watcher_cb(struct ev_loop *loop, ev_signal *w, int revents)
1277 {
1278 main_server_st *s = ev_userdata(loop);
1279
1280 mslog(s, NULL, LOG_INFO, "forcing maintenance cycle");
1281 perform_maintenance(s);
1282 }
1283
1284
syserr_cb(const char * msg)1285 static void syserr_cb (const char *msg)
1286 {
1287 main_server_st *s = ev_userdata(main_loop);
1288
1289 mslog(s, NULL, LOG_ERR, "libev fatal error: %s", msg);
1290 abort();
1291 }
1292
1293 extern char secmod_socket_file_name_socket_file[_POSIX_PATH_MAX];
1294
main(int argc,char ** argv)1295 int main(int argc, char** argv)
1296 {
1297 int e;
1298 struct listener_st *ltmp = NULL;
1299 int ret, flags;
1300 char *p;
1301 void *worker_pool;
1302 void *main_pool, *config_pool;
1303 main_server_st *s;
1304 char *str;
1305 int i;
1306 int processor_count = 0;
1307
1308 #ifdef DEBUG_LEAKS
1309 talloc_enable_leak_report_full();
1310 #endif
1311
1312 saved_argc = argc;
1313 saved_argv = argv;
1314
1315 processor_count = sysconf(_SC_NPROCESSORS_ONLN);
1316
1317 /* main pool */
1318 main_pool = talloc_init("main");
1319 if (main_pool == NULL) {
1320 fprintf(stderr, "talloc init error\n");
1321 exit(1);
1322 }
1323
1324 config_pool = talloc_init("config");
1325 if (config_pool == NULL) {
1326 fprintf(stderr, "talloc init error\n");
1327 exit(1);
1328 }
1329
1330 if (snapshot_init(config_pool, &config_snapshot, "/tmp/ocserv_") < 0) {
1331 fprintf(stderr, "failed to init snapshot");
1332 exit(1);
1333 }
1334
1335 s = talloc_zero(main_pool, main_server_st);
1336 if (s == NULL) {
1337 fprintf(stderr, "memory error\n");
1338 exit(1);
1339 }
1340 s->main_pool = main_pool;
1341 s->config_pool = config_pool;
1342 s->stats.start_time = s->stats.last_reset = time(0);
1343 s->top_fd = -1;
1344 s->ctl_fd = -1;
1345 s->netns.default_fd = -1;
1346 s->netns.listen_fd = -1;
1347
1348 if (!hmac_init_key(sizeof(s->hmac_key), (uint8_t*)(s->hmac_key))) {
1349 fprintf(stderr, "unable to generate hmac key\n");
1350 exit(1);
1351 }
1352
1353 // getopt processing mutates argv. Save a copy to pass to the child.
1354 worker_argc = argc;
1355 worker_argv = talloc_zero_array(main_pool, char*, worker_argc + 1);
1356 if (!worker_argv) {
1357 fprintf(stderr, "memory error\n");
1358 exit(1);
1359 }
1360 for (i = 0; i < argc; i ++) {
1361 worker_argv[i] = talloc_strdup(main_pool, argv[i]);
1362 if (!worker_argv[i]) {
1363 fprintf(stderr, "memory error\n");
1364 exit(1);
1365 }
1366 }
1367
1368 init_fd_limits_default(s);
1369
1370 str = getenv("OCSERV_ALLOW_BROKEN_CLIENTS");
1371 if (str && str[0] == '1' && str[1] == 0)
1372 allow_broken_clients = 1;
1373
1374 list_head_init(&s->proc_list.head);
1375 list_head_init(&s->script_list.head);
1376 ip_lease_init(&s->ip_leases);
1377 proc_table_init(s);
1378 main_ban_db_init(s);
1379 if (if_address_init(s) == 0)
1380 {
1381 fprintf(stderr, "failed to initialize local addresses\n");
1382 exit(1);
1383 }
1384
1385 sigemptyset(&sig_default_set);
1386
1387 ocsignal(SIGPIPE, SIG_IGN);
1388
1389 /* Initialize GnuTLS */
1390 tls_global_init();
1391
1392 /* load configuration */
1393 s->vconfig = talloc_zero(config_pool, struct list_head);
1394 if (s->vconfig == NULL) {
1395 fprintf(stderr, "memory error\n");
1396 exit(1);
1397 }
1398 list_head_init(s->vconfig);
1399
1400 ret = cmd_parser(config_pool, argc, argv, s->vconfig, false);
1401 if (ret < 0) {
1402 fprintf(stderr, "Error in arguments\n");
1403 exit(1);
1404 }
1405
1406 setproctitle(PACKAGE_NAME"-main");
1407
1408 if (getuid() != 0) {
1409 fprintf(stderr, "This server requires root access to operate.\n");
1410 exit(1);
1411 }
1412
1413 if (GETPCONFIG(s)->listen_netns_name && open_namespaces(&s->netns, GETPCONFIG(s)) < 0) {
1414 fprintf(stderr, "cannot init listen namespaces\n");
1415 exit(1);
1416 }
1417 /* Listen to network ports */
1418 ret = listen_ports(s, GETPCONFIG(s), &s->listen_list, &s->netns);
1419 if (ret < 0) {
1420 fprintf(stderr, "Cannot listen to specified ports\n");
1421 exit(1);
1422 }
1423
1424 flags = LOG_PID|LOG_NDELAY;
1425 #ifdef LOG_PERROR
1426 if (GETPCONFIG(s)->debug != 0)
1427 flags |= LOG_PERROR;
1428 #endif
1429 openlog("ocserv", flags, LOG_DAEMON);
1430 syslog_open = 1;
1431 #ifdef HAVE_LIBWRAP
1432 allow_severity = LOG_DAEMON|LOG_INFO;
1433 deny_severity = LOG_DAEMON|LOG_WARNING;
1434 #endif
1435
1436 if (GETPCONFIG(s)->foreground == 0) {
1437 if (daemon(GETPCONFIG(s)->no_chdir, 0) == -1) {
1438 e = errno;
1439 fprintf(stderr, "daemon failed: %s\n", strerror(e));
1440 exit(1);
1441 }
1442 }
1443
1444 /* create our process group */
1445 setpgid(0, 0);
1446
1447 /* we don't need them */
1448 close(STDIN_FILENO);
1449 close(STDOUT_FILENO);
1450
1451 write_pid_file();
1452
1453 // Start the configured number of ocserv-sm processes
1454 s->sec_mod_instance_count = GETPCONFIG(s)->sec_mod_scale;
1455
1456 if (s->sec_mod_instance_count == 0) {
1457 if (GETCONFIG(s)->max_clients != 0) {
1458 // Compute ideal number of clients per sec-mod
1459 unsigned int sec_mod_count_for_users = GETCONFIG(s)->max_clients / MINIMUM_USERS_PER_SEC_MOD + 1;
1460 // Limit it to number of processors.
1461 s->sec_mod_instance_count = MIN(processor_count,sec_mod_count_for_users);
1462 } else {
1463 // If it's unlimited, the use processor count.
1464 s->sec_mod_instance_count = processor_count;
1465 }
1466 }
1467
1468 s->sec_mod_instances = talloc_zero_array(s, sec_mod_instance_st, s->sec_mod_instance_count);
1469 sec_mod_watchers = talloc_zero_array(s, sec_mod_watcher_st, s->sec_mod_instance_count);
1470
1471 mslog(s, NULL, LOG_INFO, "Starting %d instances of ocserv-sm", s->sec_mod_instance_count);
1472 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1473 s->sec_mod_instances[i].server = s;
1474 run_sec_mod(&s->sec_mod_instances[i], i);
1475 }
1476
1477 ret = ctl_handler_init(s);
1478 if (ret < 0) {
1479 mslog(s, NULL, LOG_ERR, "Cannot create command handler");
1480 exit(1);
1481 }
1482
1483 main_loop = EV_DEFAULT;
1484 if (main_loop == NULL) {
1485 mslog(s, NULL, LOG_ERR, "could not initialise libev");
1486 exit(1);
1487 }
1488
1489 mslog(s, NULL, LOG_INFO, "initialized %s", PACKAGE_STRING);
1490
1491 /* chdir to our chroot directory, to allow opening the sec-mod
1492 * socket if necessary. */
1493 if (GETPCONFIG(s)->chroot_dir) {
1494 if (chdir(GETPCONFIG(s)->chroot_dir) != 0) {
1495 e = errno;
1496 mslog(s, NULL, LOG_ERR, "cannot chdir to %s: %s", GETPCONFIG(s)->chroot_dir, strerror(e));
1497 exit(1);
1498 }
1499 }
1500 ms_sleep(100); /* give some time for sec-mod to initialize */
1501
1502 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1503 s->sec_mod_instances[i].secmod_addr.sun_family = AF_UNIX;
1504 p = s->sec_mod_instances[i].socket_file;
1505 if (GETPCONFIG(s)->chroot_dir) /* if we are on chroot make the socket file path relative */
1506 while (*p == '/') p++;
1507 strlcpy(s->sec_mod_instances[i].secmod_addr.sun_path, p, sizeof(s->sec_mod_instances[i].secmod_addr.sun_path));
1508 s->sec_mod_instances[i].secmod_addr_len = SUN_LEN(&s->sec_mod_instances[i].secmod_addr);
1509 }
1510
1511 /* initialize memory for worker process */
1512 worker_pool = talloc_named(main_pool, 0, "worker");
1513 if (worker_pool == NULL) {
1514 mslog(s, NULL, LOG_ERR, "talloc init error");
1515 exit(1);
1516 }
1517
1518 s->ws = talloc_zero(worker_pool, struct worker_st);
1519 if (s->ws == NULL) {
1520 mslog(s, NULL, LOG_ERR, "memory error");
1521 exit(1);
1522 }
1523
1524 #ifdef HAVE_GSSAPI
1525 /* Initialize kkdcp structures */
1526 ret = asn1_array2tree(kkdcp_asn1_tab, &_kkdcp_pkix1_asn, NULL);
1527 if (ret != ASN1_SUCCESS) {
1528 mslog(s, NULL, LOG_ERR, "KKDCP ASN.1 initialization error");
1529 exit(1);
1530 }
1531 #endif
1532
1533 init_fd_limits_default(s);
1534
1535 /* increase the number of our allowed file descriptors */
1536 update_fd_limits(s, 1);
1537
1538 ev_set_userdata (main_loop, s);
1539 ev_set_syserr_cb(syserr_cb);
1540
1541 ev_init(&ctl_watcher, ctl_watcher_cb);
1542 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1543 ev_init(&sec_mod_watchers[i].sec_mod_watcher, sec_mod_watcher_cb);
1544 sec_mod_watchers[i].sec_mod_instance_index = i;
1545 }
1546
1547 ev_init (&int_sig_watcher, term_sig_watcher_cb);
1548 ev_signal_set (&int_sig_watcher, SIGINT);
1549 ev_signal_start (main_loop, &int_sig_watcher);
1550
1551 ev_init (&term_sig_watcher, term_sig_watcher_cb);
1552 ev_signal_set (&term_sig_watcher, SIGTERM);
1553 ev_signal_start (main_loop, &term_sig_watcher);
1554
1555 ev_init (&reload_sig_watcher, reload_sig_watcher_cb);
1556 ev_signal_set (&reload_sig_watcher, SIGHUP);
1557 ev_signal_start (main_loop, &reload_sig_watcher);
1558
1559 /* set the standard fds we watch */
1560 list_for_each(&s->listen_list.head, ltmp, list) {
1561 if (ltmp->fd == -1) continue;
1562
1563 ev_io_start (main_loop, <mp->io);
1564 }
1565
1566 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1567 ev_io_set(&sec_mod_watchers[i].sec_mod_watcher, s->sec_mod_instances[i].sec_mod_fd, EV_READ);
1568 ev_io_start (main_loop, &sec_mod_watchers[i].sec_mod_watcher);
1569 }
1570
1571 ctl_handler_set_fds(s, &ctl_watcher);
1572
1573 ev_io_start (main_loop, &ctl_watcher);
1574
1575 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1576 ev_child_init(&sec_mod_watchers[i].child_watcher, sec_mod_child_watcher_cb, s->sec_mod_instances[i].sec_mod_pid, 0);
1577 ev_child_start (main_loop, &sec_mod_watchers[i].child_watcher);
1578 }
1579
1580 ev_init(&maintenance_watcher, maintenance_watcher_cb);
1581 ev_timer_set(&maintenance_watcher, MAIN_MAINTENANCE_TIME, MAIN_MAINTENANCE_TIME);
1582 ev_timer_start(main_loop, &maintenance_watcher);
1583
1584 ev_init(&graceful_shutdown_watcher, graceful_shutdown_watcher_cb);
1585
1586 #if defined(CAPTURE_LATENCY_SUPPORT)
1587 ev_init(&latency_watcher, latency_watcher_cb);
1588 ev_timer_set(&latency_watcher, LATENCY_AGGREGATION_TIME, LATENCY_AGGREGATION_TIME);
1589 ev_timer_start(main_loop, &latency_watcher);
1590 #endif
1591
1592 /* allow forcing maintenance with SIGUSR2 */
1593 ev_init (&maintenance_sig_watcher, maintenance_sig_watcher_cb);
1594 ev_signal_set (&maintenance_sig_watcher, SIGUSR2);
1595 ev_signal_start (main_loop, &maintenance_sig_watcher);
1596
1597 /* Main server loop */
1598 ev_run (main_loop, 0);
1599
1600 /* try to clean-up everything allocated to ease checks
1601 * for memory leaks.
1602 */
1603 for (i = 0; i < s->sec_mod_instance_count; i ++) {
1604 remove(s->sec_mod_instances[i].full_socket_file);
1605 }
1606 remove(GETPCONFIG(s)->occtl_socket_file);
1607 remove_pid_file();
1608
1609 snapshot_terminate(config_snapshot);
1610
1611 if (GETPCONFIG(s)->listen_netns_name && close_namespaces(&s->netns) < 0) {
1612 fprintf(stderr, "cannot close listen namespaces\n");
1613 exit(1);
1614 }
1615 clear_lists(s);
1616 clear_vhosts(s->vconfig);
1617 talloc_free(s->config_pool);
1618 talloc_free(s->main_pool);
1619 closelog();
1620
1621 return 0;
1622 }
1623
1624 extern char ** pam_auth_group_list;
1625 extern char ** gssapi_auth_group_list;
1626 extern char ** plain_auth_group_list;
1627 extern unsigned pam_auth_group_list_size;
1628 extern unsigned gssapi_auth_group_list_size;
1629 extern unsigned plain_auth_group_list_size;
1630
set_env_from_ws(main_server_st * s)1631 static bool set_env_from_ws(main_server_st *s)
1632 {
1633 worker_st *ws = s->ws;
1634 WorkerStartupMsg msg = WORKER_STARTUP_MSG__INIT;
1635 size_t msg_size;
1636 uint8_t *msg_buffer = NULL;
1637 size_t string_size = 0;
1638 char *string_buffer = NULL;
1639 int ret = 0;
1640 SnapshotEntryMsg **entries = NULL;
1641 SnapshotEntryMsg entry_template = SNAPSHOT_ENTRY_MSG__INIT;
1642 size_t entry_count;
1643 size_t index = 0;
1644 struct htable_iter iter;
1645
1646 msg.secmod_addr.data = (uint8_t *)&ws->secmod_addr;
1647 msg.secmod_addr.len = ws->secmod_addr_len;
1648 msg.cmd_fd = ws->cmd_fd;
1649 msg.conn_fd = ws->conn_fd;
1650 msg.conn_type = (WorkerStartupMsg__CONNTYPE)ws->conn_type;
1651 msg.remote_ip_str = ws->remote_ip_str;
1652 msg.our_ip_str = ws->our_ip_str;
1653 msg.session_start_time = ws->session_start_time;
1654 msg.remote_addr.data = (uint8_t *)&ws->remote_addr;
1655 msg.remote_addr.len = ws->remote_addr_len;
1656 msg.our_addr.data = (uint8_t *)&ws->our_addr;
1657 msg.our_addr.len = ws->our_addr_len;
1658 msg.sec_auth_init_hmac.data = (uint8_t *)ws->sec_auth_init_hmac;
1659 msg.sec_auth_init_hmac.len = sizeof(ws->sec_auth_init_hmac);
1660
1661 entry_count = snapshot_entry_count(config_snapshot);
1662
1663 entries = talloc_zero_array(s, SnapshotEntryMsg *, entry_count);
1664 if (!entries)
1665 goto cleanup;
1666
1667 for (index = 0; index < entry_count; index++) {
1668 int fd, rr;
1669 const char *file_name;
1670 if (index == 0) {
1671 rr = snapshot_first(config_snapshot, &iter, &fd, &file_name);
1672 } else {
1673 rr = snapshot_next(config_snapshot, &iter, &fd, &file_name);
1674 }
1675 if (rr < 0) {
1676 mslog(s, NULL, LOG_ERR, "snapshot restoration failed (%d)\n", ret);
1677 goto cleanup;
1678 }
1679
1680 entries[index] = talloc_zero(s, SnapshotEntryMsg);
1681 *entries[index] = entry_template;
1682 entries[index]->file_descriptor = fd;
1683 entries[index]->file_name = (char *)file_name;
1684 }
1685
1686 msg.n_snapshot_entries = entry_count;
1687 msg.snapshot_entries = entries;
1688
1689 msg.n_gssapi_auth_group_list = gssapi_auth_group_list_size;
1690 msg.gssapi_auth_group_list = gssapi_auth_group_list;
1691 msg.n_pam_auth_group_list = pam_auth_group_list_size;
1692 msg.pam_auth_group_list = pam_auth_group_list;
1693 msg.n_plain_auth_group_list = plain_auth_group_list_size;
1694 msg.plain_auth_group_list = plain_auth_group_list;
1695
1696 msg_size = worker_startup_msg__get_packed_size(&msg);
1697 if (msg_size == 0) {
1698 mslog(s, NULL, LOG_ERR, "worker_startup_msg__get_packed_size failed\n");
1699 goto cleanup;
1700 }
1701
1702 msg_buffer = talloc_size(ws, msg_size);
1703 if (!msg_buffer) {
1704 mslog(s, NULL, LOG_ERR, "talloc_size failed\n");
1705 goto cleanup;
1706 }
1707 msg_size = worker_startup_msg__pack(&msg, msg_buffer);
1708 if (msg_size == 0) {
1709 mslog(s, NULL, LOG_ERR, "worker_startup_msg__pack failed\n");
1710 goto cleanup;
1711 }
1712 string_size = BASE64_ENCODE_RAW_LENGTH(msg_size) + 1;
1713 string_buffer = talloc_size(ws, string_size);
1714 if (!msg_buffer) {
1715 mslog(s, NULL, LOG_ERR, "talloc_size failed\n");
1716 goto cleanup;
1717 }
1718
1719 oc_base64_encode((const char *)msg_buffer, msg_size, string_buffer, string_size);
1720 if (setenv(OCSERV_ENV_WORKER_STARTUP_MSG, string_buffer, 1)) {
1721 mslog(s, NULL, LOG_ERR, "setenv failed\n");
1722 goto cleanup;
1723 }
1724
1725 ret = 1;
1726
1727 cleanup:
1728 if (entries)
1729 talloc_free(entries);
1730
1731 if (msg_buffer)
1732 talloc_free(msg_buffer);
1733
1734 if (string_buffer)
1735 talloc_free(string_buffer);
1736
1737 return ret;
1738 }
1739