2 * sslproc.c: An interface to ssld
3 * Copyright (C) 2007 Aaron Sethman <androsyn@ratbox.org>
4 * Copyright (C) 2007 ircd-ratbox development team
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
38 static void ssl_read_ctl(rb_fde_t
* F
, void *data
);
39 static int ssld_count
;
41 static char tmpbuf
[READBUF_SIZE
];
42 static char nul
= '\0';
46 typedef struct _ssl_ctl_buf
51 rb_fde_t
*F
[MAXPASSFD
];
70 static void ssld_update_config_one(ssl_ctl_t
*ctl
);
71 static void send_new_ssl_certs_one(ssl_ctl_t
* ctl
);
72 static void send_certfp_method(ssl_ctl_t
*ctl
);
75 static rb_dlink_list ssl_daemons
;
77 static inline uint32_t
78 buf_to_uint32(char *buf
)
81 memcpy(&x
, buf
, sizeof(x
));
86 uint32_to_buf(char *buf
, uint32_t x
)
88 memcpy(buf
, &x
, sizeof(x
));
93 allocate_ssl_daemon(rb_fde_t
* F
, rb_fde_t
* P
, int pid
)
97 if(F
== NULL
|| pid
< 0)
99 ctl
= rb_malloc(sizeof(ssl_ctl_t
));
104 rb_dlinkAdd(ctl
, &ctl
->node
, &ssl_daemons
);
109 free_ssl_daemon(ssl_ctl_t
* ctl
)
112 ssl_ctl_buf_t
*ctl_buf
;
117 RB_DLINK_FOREACH(ptr
, ctl
->readq
.head
)
120 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
121 rb_close(ctl_buf
->F
[x
]);
123 rb_free(ctl_buf
->buf
);
127 RB_DLINK_FOREACH(ptr
, ctl
->writeq
.head
)
130 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
131 rb_close(ctl_buf
->F
[x
]);
133 rb_free(ctl_buf
->buf
);
138 rb_dlinkDelete(&ctl
->node
, &ssl_daemons
);
142 static char *ssld_path
;
144 static int ssld_spin_count
= 0;
145 static time_t last_spin
;
146 static int ssld_wait
= 0;
152 rb_dlink_node
*ptr
, *next
;
155 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
166 rb_kill(ctl
->pid
, SIGKILL
);
167 free_ssl_daemon(ctl
);
174 start_ssldaemon(ServerInfo
.ssld_count
);
180 rb_dlink_node
*ptr
, *next
;
182 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
190 rb_kill(ctl
->pid
, SIGKILL
);
192 free_ssl_daemon(ctl
);
197 ssl_dead(ssl_ctl_t
* ctl
)
203 rb_kill(ctl
->pid
, SIGKILL
); /* make sure the process is really gone */
208 ilog(L_MAIN
, "ssld helper died - attempting to restart");
209 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "ssld helper died - attempting to restart");
215 ssl_do_pipe(rb_fde_t
* F
, void *data
)
218 ssl_ctl_t
*ctl
= data
;
219 retlen
= rb_write(F
, "0", 1);
220 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
225 rb_setselect(F
, RB_SELECT_READ
, ssl_do_pipe
, data
);
229 restart_ssld_event(void *unused
)
234 if(ServerInfo
.ssld_count
> get_ssld_count())
236 int start
= ServerInfo
.ssld_count
- get_ssld_count();
237 ilog(L_MAIN
, "Attempting to restart ssld processes");
238 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "Attempt to restart ssld processes");
239 start_ssldaemon(start
);
244 start_ssldaemon(int count
)
248 char fullpath
[PATH_MAX
+ 1];
259 if(ssld_spin_count
> 20 && (rb_current_time() - last_spin
< 5))
261 ilog(L_MAIN
, "ssld helper is spinning - will attempt to restart in 1 minute");
262 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
263 "ssld helper is spinning - will attempt to restart in 1 minute");
264 rb_event_add("restart_ssld_event", restart_ssld_event
, NULL
, 60);
270 last_spin
= rb_current_time();
272 if(ssld_path
== NULL
)
274 snprintf(fullpath
, sizeof(fullpath
), "%s/ssld", ircd_paths
[IRCD_PATH_LIBEXEC
]);
276 if(access(fullpath
, X_OK
) == -1)
278 snprintf(fullpath
, sizeof(fullpath
), "%s/bin/ssld", ConfigFileEntry
.dpath
);
279 if(access(fullpath
, X_OK
) == -1)
282 "Unable to execute ssld in %s or %s/bin",
283 ircd_paths
[IRCD_PATH_LIBEXEC
], ConfigFileEntry
.dpath
);
287 ssld_path
= rb_strdup(fullpath
);
289 rb_strlcpy(buf
, "-ircd ssld daemon", sizeof(buf
));
293 for(i
= 0; i
< count
; i
++)
296 if(rb_socketpair(AF_UNIX
, SOCK_DGRAM
, 0, &F1
, &F2
, "SSL/TLS handle passing socket") == -1)
298 ilog(L_MAIN
, "Unable to create ssld - rb_socketpair failed: %s", strerror(errno
));
302 rb_set_buffers(F1
, READBUF_SIZE
);
303 rb_set_buffers(F2
, READBUF_SIZE
);
304 snprintf(fdarg
, sizeof(fdarg
), "%d", rb_get_fd(F2
));
305 rb_setenv("CTL_FD", fdarg
, 1);
306 if(rb_pipe(&P1
, &P2
, "SSL/TLS pipe") == -1)
308 ilog(L_MAIN
, "Unable to create ssld - rb_pipe failed: %s", strerror(errno
));
311 snprintf(fdarg
, sizeof(fdarg
), "%d", rb_get_fd(P1
));
312 rb_setenv("CTL_PIPE", fdarg
, 1);
313 snprintf(s_pid
, sizeof(s_pid
), "%d", (int)getpid());
314 rb_setenv("CTL_PPID", s_pid
, 1);
316 rb_clear_cloexec(F2
);
317 rb_clear_cloexec(P1
);
319 pid
= rb_spawn_process(ssld_path
, (const char **) parv
);
322 ilog(L_MAIN
, "Unable to create ssld: %s\n", strerror(errno
));
332 ctl
= allocate_ssl_daemon(F1
, P2
, pid
);
334 ssld_update_config_one(ctl
);
335 ssl_read_ctl(ctl
->F
, ctl
);
336 ssl_do_pipe(P2
, ctl
);
339 ilog(L_MAIN
, "ssld helper started");
340 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "ssld helper started");
345 ssl_process_open_fd(ssl_ctl_t
* ctl
, ssl_ctl_buf_t
* ctl_buf
)
347 struct Client
*client_p
;
350 if(ctl_buf
->buflen
< 5)
351 return; /* bogus message..drop it.. XXX should warn here */
353 fd
= buf_to_uint32(&ctl_buf
->buf
[1]);
354 client_p
= find_cli_connid_hash(fd
);
355 if(client_p
== NULL
|| client_p
->localClient
== NULL
)
358 if(client_p
->localClient
->ssl_callback
)
360 SSL_OPEN_CB
*hdl
= client_p
->localClient
->ssl_callback
;
362 client_p
->localClient
->ssl_callback
= NULL
;
364 hdl(client_p
, RB_OK
);
369 ssl_process_dead_fd(ssl_ctl_t
* ctl
, ssl_ctl_buf_t
* ctl_buf
)
371 struct Client
*client_p
;
375 if(ctl_buf
->buflen
< 6)
376 return; /* bogus message..drop it.. XXX should warn here */
378 fd
= buf_to_uint32(&ctl_buf
->buf
[1]);
379 rb_strlcpy(reason
, &ctl_buf
->buf
[5], sizeof(reason
));
380 client_p
= find_cli_connid_hash(fd
);
381 if(client_p
== NULL
|| client_p
->localClient
== NULL
)
384 if(IsAnyServer(client_p
))
386 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "ssld error for %s: %s", client_p
->name
, reason
);
387 ilog(L_SERVER
, "ssld error for %s: %s", log_client_name(client_p
, SHOW_IP
), reason
);
390 /* if there is still a pending callback, call it now */
391 if(client_p
->localClient
->ssl_callback
)
393 SSL_OPEN_CB
*hdl
= client_p
->localClient
->ssl_callback
;
395 client_p
->localClient
->ssl_callback
= NULL
;
397 if (hdl(client_p
, RB_ERROR_SSL
))
399 /* the callback has exited the client */
404 if(IsAnyServer(client_p
) || IsRegistered(client_p
))
406 /* read any last moment ERROR, QUIT or the like -- jilles */
407 if (!strcmp(reason
, "Remote host closed the connection"))
408 read_packet(client_p
->localClient
->F
, client_p
);
409 if (IsAnyDead(client_p
))
412 exit_client(client_p
, client_p
, &me
, reason
);
417 ssl_process_cipher_string(ssl_ctl_t
*ctl
, ssl_ctl_buf_t
*ctl_buf
)
419 struct Client
*client_p
;
423 if(ctl_buf
->buflen
< 6)
424 return; /* bogus message..drop it.. XXX should warn here */
426 fd
= buf_to_uint32(&ctl_buf
->buf
[1]);
427 cstring
= (const char *)&ctl_buf
->buf
[5];
429 if(EmptyString(cstring
))
432 client_p
= find_cli_connid_hash(fd
);
433 if(client_p
!= NULL
&& client_p
->localClient
!= NULL
)
435 rb_free(client_p
->localClient
->cipher_string
);
436 client_p
->localClient
->cipher_string
= rb_strdup(cstring
);
442 ssl_process_certfp(ssl_ctl_t
* ctl
, ssl_ctl_buf_t
* ctl_buf
)
444 struct Client
*client_p
;
446 uint32_t certfp_method
;
450 const char *method_string
;
453 if(ctl_buf
->buflen
> 13 + RB_SSL_CERTFP_LEN
)
454 return; /* bogus message..drop it.. XXX should warn here */
456 fd
= buf_to_uint32(&ctl_buf
->buf
[1]);
457 certfp_method
= buf_to_uint32(&ctl_buf
->buf
[5]);
458 len
= buf_to_uint32(&ctl_buf
->buf
[9]);
459 certfp
= (uint8_t *)&ctl_buf
->buf
[13];
460 client_p
= find_cli_connid_hash(fd
);
464 switch (certfp_method
) {
465 case RB_SSL_CERTFP_METH_CERT_SHA1
:
466 method_string
= CERTFP_PREFIX_CERT_SHA1
;
468 case RB_SSL_CERTFP_METH_CERT_SHA256
:
469 method_string
= CERTFP_PREFIX_CERT_SHA256
;
471 case RB_SSL_CERTFP_METH_CERT_SHA512
:
472 method_string
= CERTFP_PREFIX_CERT_SHA512
;
474 case RB_SSL_CERTFP_METH_SPKI_SHA256
:
475 method_string
= CERTFP_PREFIX_SPKI_SHA256
;
477 case RB_SSL_CERTFP_METH_SPKI_SHA512
:
478 method_string
= CERTFP_PREFIX_SPKI_SHA512
;
483 method_len
= strlen(method_string
);
485 rb_free(client_p
->certfp
);
486 certfp_string
= rb_malloc(method_len
+ len
* 2 + 1);
487 rb_strlcpy(certfp_string
, method_string
, method_len
+ len
* 2 + 1);
488 for(uint32_t i
= 0; i
< len
; i
++)
489 snprintf(certfp_string
+ method_len
+ 2 * i
, 3, "%02x",
491 client_p
->certfp
= certfp_string
;
495 ssl_process_cmd_recv(ssl_ctl_t
* ctl
)
497 static const char *cannot_setup_ssl
= "ssld cannot setup ssl, check your certificates and private key";
498 static const char *no_ssl_or_zlib
= "ssld has neither SSL/TLS or zlib support killing all sslds";
499 rb_dlink_node
*ptr
, *next
;
500 ssl_ctl_buf_t
*ctl_buf
;
506 RB_DLINK_FOREACH_SAFE(ptr
, next
, ctl
->readq
.head
)
509 switch (*ctl_buf
->buf
)
512 ircd_ssl_ok
= false; /* ssld says it can't do ssl/tls */
515 ssl_process_open_fd(ctl
, ctl_buf
);
518 ssl_process_dead_fd(ctl
, ctl_buf
);
521 ssl_process_cipher_string(ctl
, ctl_buf
);
524 ssl_process_certfp(ctl
, ctl_buf
);
528 ilog(L_MAIN
, "%s", cannot_setup_ssl
);
529 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "%s", cannot_setup_ssl
);
534 ilog(L_MAIN
, "%s", no_ssl_or_zlib
);
535 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "%s", no_ssl_or_zlib
);
539 len
= ctl_buf
->buflen
- 1;
540 if (len
> sizeof(ctl
->version
) - 1)
541 len
= sizeof(ctl
->version
) - 1;
542 strncpy(ctl
->version
, &ctl_buf
->buf
[1], len
);
547 ilog(L_MAIN
, "Received invalid command from ssld: %s", ctl_buf
->buf
);
548 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "Received invalid command from ssld");
551 rb_dlinkDelete(ptr
, &ctl
->readq
);
552 rb_free(ctl_buf
->buf
);
560 ssl_read_ctl(rb_fde_t
* F
, void *data
)
562 ssl_ctl_buf_t
*ctl_buf
;
563 ssl_ctl_t
*ctl
= data
;
570 ctl_buf
= rb_malloc(sizeof(ssl_ctl_buf_t
));
571 ctl_buf
->buf
= rb_malloc(READSIZE
);
572 retlen
= rb_recv_fd_buf(ctl
->F
, ctl_buf
->buf
, READSIZE
, ctl_buf
->F
, 4);
573 ctl_buf
->buflen
= retlen
;
576 rb_free(ctl_buf
->buf
);
580 rb_dlinkAddTail(ctl_buf
, &ctl_buf
->node
, &ctl
->readq
);
584 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
589 ssl_process_cmd_recv(ctl
);
590 rb_setselect(ctl
->F
, RB_SELECT_READ
, ssl_read_ctl
, ctl
);
596 ssl_ctl_t
*ctl
, *lowest
= NULL
;
599 RB_DLINK_FOREACH(ptr
, ssl_daemons
.head
)
611 if(ctl
->cli_count
< lowest
->cli_count
)
618 ssl_write_ctl(rb_fde_t
* F
, void *data
)
620 ssl_ctl_t
*ctl
= data
;
621 ssl_ctl_buf_t
*ctl_buf
;
622 rb_dlink_node
*ptr
, *next
;
628 RB_DLINK_FOREACH_SAFE(ptr
, next
, ctl
->writeq
.head
)
631 /* in theory unix sock_dgram shouldn't ever short write this.. */
632 retlen
= rb_send_fd_buf(ctl
->F
, ctl_buf
->F
, ctl_buf
->nfds
, ctl_buf
->buf
, ctl_buf
->buflen
, ctl
->pid
);
635 rb_dlinkDelete(ptr
, &ctl
->writeq
);
636 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
637 rb_close(ctl_buf
->F
[x
]);
638 rb_free(ctl_buf
->buf
);
642 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
649 rb_setselect(ctl
->F
, RB_SELECT_WRITE
, ssl_write_ctl
, ctl
);
655 ssl_cmd_write_queue(ssl_ctl_t
* ctl
, rb_fde_t
** F
, int count
, const void *buf
, size_t buflen
)
657 ssl_ctl_buf_t
*ctl_buf
;
664 ctl_buf
= rb_malloc(sizeof(ssl_ctl_buf_t
));
665 ctl_buf
->buf
= rb_malloc(buflen
);
666 memcpy(ctl_buf
->buf
, buf
, buflen
);
667 ctl_buf
->buflen
= buflen
;
669 for(x
= 0; x
< count
&& x
< MAXPASSFD
; x
++)
671 ctl_buf
->F
[x
] = F
[x
];
673 ctl_buf
->nfds
= count
;
674 rb_dlinkAddTail(ctl_buf
, &ctl_buf
->node
, &ctl
->writeq
);
675 ssl_write_ctl(ctl
->F
, ctl
);
680 send_new_ssl_certs_one(ssl_ctl_t
* ctl
)
684 if(ServerInfo
.ssl_cert
)
685 len
+= strlen(ServerInfo
.ssl_cert
);
689 if(ServerInfo
.ssl_private_key
)
690 len
+= strlen(ServerInfo
.ssl_private_key
);
692 if(ServerInfo
.ssl_dh_params
)
693 len
+= strlen(ServerInfo
.ssl_dh_params
);
695 if(ServerInfo
.ssl_cipher_list
)
696 len
+= strlen(ServerInfo
.ssl_cipher_list
);
698 if(len
> sizeof(tmpbuf
))
700 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
701 "Parameters for send_new_ssl_certs_one too long (%zu > %zu) to pass to ssld, not sending...",
702 len
, sizeof(tmpbuf
));
704 "Parameters for send_new_ssl_certs_one too long (%zu > %zu) to pass to ssld, not sending...",
705 len
, sizeof(tmpbuf
));
709 int ret
= snprintf(tmpbuf
, sizeof(tmpbuf
), "K%c%s%c%s%c%s%c%s%c", nul
,
710 ServerInfo
.ssl_cert
, nul
,
711 ServerInfo
.ssl_private_key
!= NULL
? ServerInfo
.ssl_private_key
: "", nul
,
712 ServerInfo
.ssl_dh_params
!= NULL
? ServerInfo
.ssl_dh_params
: "", nul
,
713 ServerInfo
.ssl_cipher_list
!= NULL
? ServerInfo
.ssl_cipher_list
: "", nul
);
716 ssl_cmd_write_queue(ctl
, NULL
, 0, tmpbuf
, (size_t) ret
);
720 send_certfp_method(ssl_ctl_t
*ctl
)
725 uint32_to_buf(&buf
[1], ConfigFileEntry
.certfp_method
);
726 ssl_cmd_write_queue(ctl
, NULL
, 0, buf
, sizeof(buf
));
730 ssld_update_config_one(ssl_ctl_t
*ctl
)
732 send_certfp_method(ctl
);
733 send_new_ssl_certs_one(ctl
);
737 ssld_update_config(void)
741 RB_DLINK_FOREACH(ptr
, ssl_daemons
.head
)
743 ssl_ctl_t
*ctl
= ptr
->data
;
745 if (ctl
->dead
|| ctl
->shutdown
)
748 ssld_update_config_one(ctl
);
753 start_ssld_accept(rb_fde_t
* sslF
, rb_fde_t
* plainF
, uint32_t id
)
762 uint32_to_buf(&buf
[1], id
);
767 ssl_cmd_write_queue(ctl
, F
, 2, buf
, sizeof(buf
));
772 start_ssld_connect(rb_fde_t
* sslF
, rb_fde_t
* plainF
, uint32_t id
)
781 uint32_to_buf(&buf
[1], id
);
787 ssl_cmd_write_queue(ctl
, F
, 2, buf
, sizeof(buf
));
792 ssld_decrement_clicount(ssl_ctl_t
* ctl
)
798 if(ctl
->shutdown
&& !ctl
->cli_count
)
801 rb_kill(ctl
->pid
, SIGKILL
);
803 if(ctl
->dead
&& !ctl
->cli_count
)
805 free_ssl_daemon(ctl
);
810 cleanup_dead_ssl(void *unused
)
812 rb_dlink_node
*ptr
, *next
;
814 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
817 if(ctl
->dead
&& !ctl
->cli_count
)
819 free_ssl_daemon(ctl
);
831 ssld_foreach_info(void (*func
)(void *data
, pid_t pid
, int cli_count
, enum ssld_status status
, const char *version
), void *data
)
833 rb_dlink_node
*ptr
, *next
;
835 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
838 func(data
, ctl
->pid
, ctl
->cli_count
,
839 ctl
->dead
? SSLD_DEAD
:
840 (ctl
->shutdown
? SSLD_SHUTDOWN
: SSLD_ACTIVE
),
848 rb_event_addish("cleanup_dead_ssld", cleanup_dead_ssl
, NULL
, 60);