2 * sslproc.c: An interface to ssld
3 * Copyright (C) 2007 Aaron Sethman <androsyn@ratbox.org>
4 * Copyright (C) 2007 ircd-ratbox development team
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * $Id: sslproc.c 25179 2008-03-30 16:34:57Z androsyn $
24 #include <ratbox_lib.h>
37 #define ZIPSTATS_TIME 60
39 static void collect_zipstats(void *unused
);
40 static void ssl_read_ctl(rb_fde_t
*F
, void *data
);
41 static int ssld_count
;
43 static char tmpbuf
[READBUF_SIZE
];
44 static char nul
= '\0';
48 typedef struct _ssl_ctl_buf
53 rb_fde_t
*F
[MAXPASSFD
];
70 static void send_new_ssl_certs_one(ssl_ctl_t
*ctl
, const char *ssl_cert
, const char *ssl_private_key
, const char *ssl_dh_params
);
71 static void send_init_prng(ssl_ctl_t
*ctl
, prng_seed_t seedtype
, const char *path
);
74 static rb_dlink_list ssl_daemons
;
76 static inline rb_int32_t
buf_to_int32(char *buf
)
86 static inline void int32_to_buf(char *buf
, rb_int32_t x
)
88 *(buf
) = x
>> 24 & 0xFF;
89 *(++buf
) = x
>> 16 & 0xFF;
90 *(++buf
) = x
>> 8 & 0xFF;
96 static inline rb_uint16_t
buf_to_uint16(char *buf
)
104 static inline void uint16_to_buf(char *buf
, rb_uint16_t x
)
106 *(buf
) = x
>> 8 & 0xFF;
113 allocate_ssl_daemon(rb_fde_t
*F
, rb_fde_t
*P
, int pid
)
117 if(F
== NULL
|| pid
< 0)
119 ctl
= rb_malloc(sizeof(ssl_ctl_t
));
124 rb_dlinkAdd(ctl
, &ctl
->node
, &ssl_daemons
);
129 free_ssl_daemon(ssl_ctl_t
*ctl
)
132 ssl_ctl_buf_t
*ctl_buf
;
137 RB_DLINK_FOREACH(ptr
, ctl
->readq
.head
)
140 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
141 rb_close(ctl_buf
->F
[x
]);
143 rb_free(ctl_buf
->buf
);
147 RB_DLINK_FOREACH(ptr
, ctl
->writeq
.head
)
150 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
151 rb_close(ctl_buf
->F
[x
]);
153 rb_free(ctl_buf
->buf
);
158 rb_dlinkDelete(&ctl
->node
, &ssl_daemons
);
162 static char *ssld_path
;
164 static int ssld_spin_count
= 0;
165 static time_t last_spin
;
166 static int ssld_wait
= 0;
172 rb_dlink_node
*ptr
, *next
;
174 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
181 kill(ctl
->pid
, SIGKILL
);
186 ssl_dead(ssl_ctl_t
*ctl
)
193 kill(ctl
->pid
, SIGKILL
); /* make sure the process is really gone */
194 ilog(L_MAIN
, "ssld helper died - attempting to restart");
195 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "ssld helper died - attempting to restart");
196 start_ssldaemon(1, ServerInfo
.ssl_cert
, ServerInfo
.ssl_private_key
, ServerInfo
.ssl_dh_params
);
200 ssl_do_pipe(rb_fde_t
*F
, void *data
)
203 ssl_ctl_t
*ctl
= data
;
204 retlen
= rb_write(F
, "0", 1);
205 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
210 rb_setselect(F
, RB_SELECT_READ
, ssl_do_pipe
, data
);
214 restart_ssld_event(void *unused
)
219 if(ServerInfo
.ssld_count
> get_ssld_count())
221 int start
= ServerInfo
.ssld_count
- get_ssld_count();
222 ilog(L_MAIN
, "Attempting to restart ssld processes");
223 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "Attempt to restart ssld processes");
224 start_ssldaemon(start
, ServerInfo
.ssl_cert
, ServerInfo
.ssl_private_key
, ServerInfo
.ssl_dh_params
);
229 start_ssldaemon(int count
, const char *ssl_cert
, const char *ssl_private_key
, const char *ssl_dh_params
)
233 char fullpath
[PATH_MAX
+ 1];
243 if(ssld_spin_count
> 20 && (rb_current_time() - last_spin
< 5))
245 ilog(L_MAIN
, "ssld helper is spinning - will attempt to restart in 5 minutes");
246 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "ssld helper is spinning - will attempt to restart in 1 minute");
247 rb_event_add("restart_ssld_event", restart_ssld_event
, NULL
, 60);
253 last_spin
= rb_current_time();
254 if(ssld_path
== NULL
)
256 rb_snprintf(fullpath
, sizeof(fullpath
), "%s/ssld", BINPATH
);
258 if(access(fullpath
, X_OK
) == -1)
260 rb_snprintf(fullpath
, sizeof(fullpath
), "%s/bin/ssld", ConfigFileEntry
.dpath
);
261 if(access(fullpath
, X_OK
) == -1)
263 ilog(L_MAIN
, "Unable to execute ssld in %s/bin or %s", ConfigFileEntry
.dpath
, BINPATH
);
267 ssld_path
= rb_strdup(fullpath
);
270 rb_strlcpy(buf
, "-ircd ssld daemon helper", sizeof(buf
));
274 for(i
= 0; i
< count
; i
++)
277 rb_socketpair(AF_UNIX
, SOCK_DGRAM
, 0, &F1
, &F2
, "SSL/TLS handle passing socket");
278 rb_set_buffers(F1
, READBUF_SIZE
);
279 rb_set_buffers(F2
, READBUF_SIZE
);
280 rb_snprintf(fdarg
, sizeof(fdarg
), "%d", rb_get_fd(F2
));
281 setenv("CTL_FD", fdarg
, 1);
282 rb_pipe(&P1
, &P2
, "SSL/TLS pipe");
283 rb_snprintf(fdarg
, sizeof(fdarg
), "%d", rb_get_fd(P1
));
284 setenv("CTL_PIPE", fdarg
, 1);
286 pid
= rb_spawn_process(ssld_path
, (const char **)parv
);
289 ilog(L_MAIN
, "Unable to create ssld: %s\n", strerror(errno
));
299 ctl
= allocate_ssl_daemon(F1
, P2
, pid
);
302 if(ConfigFileEntry
.use_egd
&& (ConfigFileEntry
.egdpool_path
!= NULL
))
303 send_init_prng(ctl
, RB_PRNG_EGD
, ConfigFileEntry
.egdpool_path
);
305 send_init_prng(ctl
, RB_PRNG_DEFAULT
, NULL
);
307 if(ssl_ok
&& ssl_cert
!= NULL
&& ssl_private_key
!= NULL
)
308 send_new_ssl_certs_one(ctl
, ssl_cert
, ssl_private_key
, ssl_dh_params
!= NULL
? ssl_dh_params
: "");
309 ssl_read_ctl(ctl
->F
, ctl
);
310 ssl_do_pipe(P2
, ctl
);
316 ssl_process_zipstats(ssl_ctl_t
*ctl
, ssl_ctl_buf_t
*ctl_buf
)
318 struct Client
*server
;
319 struct ZipStats
*zips
;
322 parc
= rb_string_to_array(ctl_buf
->buf
, parv
, 6);
323 server
= find_server(NULL
, parv
[1]);
324 if(server
== NULL
|| server
->localClient
== NULL
|| !IsCapable(server
, CAP_ZIP
))
326 if(server
->localClient
->zipstats
== NULL
)
327 server
->localClient
->zipstats
= rb_malloc(sizeof(struct ZipStats
));
329 zips
= server
->localClient
->zipstats
;
331 zips
->in
+= strtoull(parv
[2], NULL
, 10);
332 zips
->in_wire
+= strtoull(parv
[3], NULL
, 10);
333 zips
->out
+= strtoull(parv
[4], NULL
, 10);
334 zips
->out_wire
+= strtoull(parv
[5], NULL
, 10);
337 zips
->in_ratio
= ((double)(zips
->in
- zips
->in_wire
) / (double) zips
->in
) * 100.00;
342 zips
->out_ratio
= ((double)(zips
->out
- zips
->out_wire
) / (double) zips
->out
) * 100.00;
348 ssl_process_dead_fd(ssl_ctl_t
*ctl
, ssl_ctl_buf_t
*ctl_buf
)
350 struct Client
*client_p
;
354 if(ctl_buf
->buflen
< 6)
355 return; /* bogus message..drop it.. XXX should warn here */
357 fd
= buf_to_int32(&ctl_buf
->buf
[1]);
358 rb_strlcpy(reason
, &ctl_buf
->buf
[5], sizeof(reason
));
359 client_p
= find_cli_fd_hash(fd
);
362 if(IsAnyServer(client_p
))
363 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "ssld error for %s: %s", client_p
->name
, reason
);
364 exit_client(client_p
, client_p
, &me
, reason
);
369 ssl_process_zip_ready(ssl_ctl_t
*ctl
, ssl_ctl_buf_t
*ctl_buf
)
371 struct Client
*client_p
;
374 if(ctl_buf
->buflen
< 5)
375 return; /* bogus message..drop it.. XXX should warn here */
377 fd
= buf_to_int32(&ctl_buf
->buf
[1]);
378 client_p
= find_cli_fd_hash(fd
);
382 /* Now start sending the data that should be compressed. */
383 // ClearCork(client_p);
384 send_pop_queue(client_p
);
385 /* Start reading uncompressed data. */
386 read_packet(client_p
->localClient
->F
, client_p
);
391 ssl_process_cmd_recv(ssl_ctl_t
*ctl
)
393 static const char *cannot_setup_ssl
= "ssld cannot setup ssl, check your certificates and private key";
394 static const char *no_ssl_or_zlib
= "ssld has neither SSL/TLS or zlib support killing all sslds";
395 rb_dlink_node
*ptr
, *next
;
396 ssl_ctl_buf_t
*ctl_buf
;
399 RB_DLINK_FOREACH_SAFE(ptr
, next
, ctl
->readq
.head
)
402 switch(*ctl_buf
->buf
)
405 ssl_ok
= 0; /* ssld says it can't do ssl/tls */
408 ssl_process_dead_fd(ctl
, ctl_buf
);
411 ssl_process_zipstats(ctl
, ctl_buf
);
415 ilog(L_MAIN
, cannot_setup_ssl
);
416 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, cannot_setup_ssl
);
420 ilog(L_MAIN
, no_ssl_or_zlib
);
421 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, no_ssl_or_zlib
);
425 ssl_process_zip_ready(ctl
, ctl_buf
);
431 ilog(L_MAIN
, "Received invalid command from ssld: %s", ctl_buf
->buf
);
432 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "Received invalid command from ssld");
435 rb_dlinkDelete(ptr
, &ctl
->readq
);
436 rb_free(ctl_buf
->buf
);
444 ssl_read_ctl(rb_fde_t
*F
, void *data
)
446 ssl_ctl_buf_t
*ctl_buf
;
447 ssl_ctl_t
*ctl
= data
;
454 ctl_buf
= rb_malloc(sizeof(ssl_ctl_buf_t
));
455 ctl_buf
->buf
= rb_malloc(READSIZE
);
456 retlen
= rb_recv_fd_buf(ctl
->F
, ctl_buf
->buf
, READSIZE
, ctl_buf
->F
, 4);
457 ctl_buf
->buflen
= retlen
;
459 rb_free(ctl_buf
->buf
);
463 rb_dlinkAddTail(ctl_buf
, &ctl_buf
->node
, &ctl
->readq
);
466 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
471 ssl_process_cmd_recv(ctl
);
472 rb_setselect(ctl
->F
, RB_SELECT_READ
, ssl_read_ctl
, ctl
);
478 ssl_ctl_t
*ctl
, *lowest
= NULL
;
481 RB_DLINK_FOREACH(ptr
, ssl_daemons
.head
)
490 if(ctl
->cli_count
< lowest
->cli_count
)
497 ssl_write_ctl(rb_fde_t
*F
, void *data
)
499 ssl_ctl_t
*ctl
= data
;
500 ssl_ctl_buf_t
*ctl_buf
;
501 rb_dlink_node
*ptr
, *next
;
507 RB_DLINK_FOREACH_SAFE(ptr
, next
, ctl
->writeq
.head
)
510 /* in theory unix sock_dgram shouldn't ever short write this.. */
511 retlen
= rb_send_fd_buf(ctl
->F
, ctl_buf
->F
, ctl_buf
->nfds
, ctl_buf
->buf
, ctl_buf
->buflen
);
514 rb_dlinkDelete(ptr
, &ctl
->writeq
);
515 for(x
= 0; x
< ctl_buf
->nfds
; x
++)
516 rb_close(ctl_buf
->F
[x
]);
517 rb_free(ctl_buf
->buf
);
521 if(retlen
== 0 || (retlen
< 0 && !rb_ignore_errno(errno
)))
526 rb_setselect(ctl
->F
, RB_SELECT_WRITE
, ssl_write_ctl
, ctl
);
532 ssl_cmd_write_queue(ssl_ctl_t
*ctl
, rb_fde_t
**F
, int count
, const void *buf
, size_t buflen
)
534 ssl_ctl_buf_t
*ctl_buf
;
541 ctl_buf
= rb_malloc(sizeof(ssl_ctl_buf_t
));
542 ctl_buf
->buf
= rb_malloc(buflen
);
543 memcpy(ctl_buf
->buf
, buf
, buflen
);
544 ctl_buf
->buflen
= buflen
;
546 for(x
= 0; x
< count
&& x
< MAXPASSFD
; x
++)
548 ctl_buf
->F
[x
] = F
[x
];
550 ctl_buf
->nfds
= count
;
551 rb_dlinkAddTail(ctl_buf
, &ctl_buf
->node
, &ctl
->writeq
);
552 ssl_write_ctl(ctl
->F
, ctl
);
557 send_new_ssl_certs_one(ssl_ctl_t
*ctl
, const char *ssl_cert
, const char *ssl_private_key
, const char *ssl_dh_params
)
561 len
= strlen(ssl_cert
) + strlen(ssl_private_key
) + strlen(ssl_dh_params
) + 5;
562 if(len
> sizeof(tmpbuf
))
564 sendto_realops_snomask(SNO_GENERAL
, L_ALL
,
565 "Parameters for send_new_ssl_certs_one too long (%zu > %zu) to pass to ssld, not sending...",
566 len
, sizeof(tmpbuf
));
567 ilog(L_MAIN
, "Parameters for send_new_ssl_certs_one too long (%zu > %zu) to pass to ssld, not sending...",
568 len
, sizeof(tmpbuf
));
571 len
= rb_snprintf(tmpbuf
, sizeof(tmpbuf
), "K%c%s%c%s%c%s%c", nul
, ssl_cert
, nul
, ssl_private_key
, nul
, ssl_dh_params
, nul
);
572 ssl_cmd_write_queue(ctl
, NULL
, 0, tmpbuf
, len
);
576 send_init_prng(ssl_ctl_t
*ctl
, prng_seed_t seedtype
, const char *path
)
580 rb_uint8_t seed
= (rb_uint8_t
) seedtype
;
588 if(len
> sizeof(tmpbuf
))
590 sendto_realops_snomask(SNO_GENERAL
, L_ALL
,
591 "Parameters for send_init_prng too long (%zd > %zd) to pass to ssld, not sending...",
592 len
, sizeof(tmpbuf
));
593 ilog(L_MAIN
, "Parameters for send_init_prng too long (%zd > %zd) to pass to ssld, not sending...",
594 len
, sizeof(tmpbuf
));
598 len
= rb_snprintf(tmpbuf
, sizeof(tmpbuf
), "I%c%s%c", seed
, s
, nul
);
599 ssl_cmd_write_queue(ctl
, NULL
, 0, tmpbuf
, len
);
603 send_new_ssl_certs(const char *ssl_cert
, const char *ssl_private_key
, const char *ssl_dh_params
)
606 if(ssl_cert
== NULL
|| ssl_private_key
== NULL
|| ssl_dh_params
== NULL
)
611 RB_DLINK_FOREACH(ptr
, ssl_daemons
.head
)
613 ssl_ctl_t
*ctl
= ptr
->data
;
614 send_new_ssl_certs_one(ctl
, ssl_cert
, ssl_private_key
, ssl_dh_params
);
620 start_ssld_accept(rb_fde_t
*sslF
, rb_fde_t
*plainF
, rb_int32_t id
)
629 int32_to_buf(&buf
[1], id
);
632 ssl_cmd_write_queue(ctl
, F
, 2, buf
, sizeof(buf
));
637 start_ssld_connect(rb_fde_t
*sslF
, rb_fde_t
*plainF
, rb_int32_t id
)
646 int32_to_buf(&buf
[1], id
);
650 ssl_cmd_write_queue(ctl
, F
, 2, buf
, sizeof(buf
));
655 ssld_decrement_clicount(ssl_ctl_t
*ctl
)
661 if(ctl
->dead
&& !ctl
->cli_count
)
663 free_ssl_daemon(ctl
);
668 * what we end up sending to the ssld process for ziplinks is the following
669 * Z[ourfd][level][RECVQ]
670 * Z = ziplinks command = buf[0]
671 * ourfd = Our end of the socketpair = buf[1..4]
672 * level = zip level buf[5]
673 * recvqlen = our recvq len = buf[6-7]
674 * recvq = any data we read prior to starting ziplinks
677 start_zlib_session(void *data
)
679 struct Client
*server
= (struct Client
*)data
;
680 rb_uint16_t recvqlen
;
689 size_t hdr
= (sizeof(rb_uint8_t
) * 2) + sizeof(rb_int32_t
);
693 server
->localClient
->event
= NULL
;
695 recvqlen
= rb_linebuf_len(&server
->localClient
->buf_recvq
);
697 len
= recvqlen
+ hdr
;
699 if(len
> READBUF_SIZE
)
702 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "ssld - attempted to pass message of %zd len, max len %d, giving up", len
, READBUF_SIZE
);
703 ilog(L_MAIN
, "ssld - attempted to pass message of %zd len, max len %d, giving up", len
, READBUF_SIZE
);
704 exit_client(server
, server
, server
, "ssld readbuf exceeded");
708 buf
= rb_malloc(len
);
709 level
= ConfigFileEntry
.compression_level
;
711 int32_to_buf(&buf
[1], rb_get_fd(server
->localClient
->F
));
712 buf
[5] = (char)level
;
714 recvq_start
= &buf
[6];
715 server
->localClient
->zipstats
= rb_malloc(sizeof(struct ZipStats
));
722 cpylen
= rb_linebuf_get(&server
->localClient
->buf_recvq
, xbuf
, left
, LINEBUF_PARTIAL
, LINEBUF_RAW
);
727 /* Pass the socket to ssld. */
729 rb_socketpair(AF_UNIX
, SOCK_STREAM
, 0, &xF1
, &xF2
, "Initial zlib socketpairs");
731 F
[0] = server
->localClient
->F
;
733 del_from_cli_fd_hash(server
);
734 server
->localClient
->F
= xF2
;
735 /* need to redo as what we did before isn't valid now */
736 int32_to_buf(&buf
[1], rb_get_fd(server
->localClient
->F
));
737 add_to_cli_fd_hash(server
);
738 server
->localClient
->ssl_ctl
= which_ssld();
739 server
->localClient
->ssl_ctl
->cli_count
++;
740 ssl_cmd_write_queue(server
->localClient
->ssl_ctl
, F
, 2, buf
, len
);
745 collect_zipstats(void *unused
)
748 struct Client
*target_p
;
749 char buf
[sizeof(rb_uint8_t
) + sizeof(rb_int32_t
) + HOSTLEN
];
755 odata
= buf
+ sizeof(rb_uint8_t
) + sizeof(rb_int32_t
);
757 RB_DLINK_FOREACH(ptr
, serv_list
.head
)
759 target_p
= ptr
->data
;
760 if(IsCapable(target_p
, CAP_ZIP
))
762 len
= sizeof(rb_uint8_t
) + sizeof(rb_uint32_t
);
764 id
= rb_get_fd(target_p
->localClient
->F
);
765 int32_to_buf(&buf
[1], rb_get_fd(target_p
->localClient
->F
));
766 rb_strlcpy(odata
, target_p
->name
, (sizeof(buf
)-len
));
767 len
+= strlen(odata
) + 1; /* Get the \0 as well */
768 ssl_cmd_write_queue(target_p
->localClient
->ssl_ctl
, NULL
, 0, buf
, len
);
774 cleanup_dead_ssl(void *unused
)
776 rb_dlink_node
*ptr
, *next
;
778 RB_DLINK_FOREACH_SAFE(ptr
, next
, ssl_daemons
.head
)
781 if(ctl
->dead
&& !ctl
->cli_count
)
783 free_ssl_daemon(ctl
);
796 rb_event_addish("collect_zipstats", collect_zipstats
, NULL
, ZIPSTATS_TIME
);
797 rb_event_addish("cleanup_dead_ssld", cleanup_dead_ssl
, NULL
, 1200);