odyssey/sources/tls.c


/*
 * Odissey.
 *
 * Advanced PostgreSQL connection pooler.
*/

#include <stdlib.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>
#include <signal.h>

#include <machinarium.h>
#include <shapito.h>

#include "sources/macro.h"
#include "sources/version.h"
#include "sources/atomic.h"
#include "sources/list.h"
#include "sources/pid.h"
#include "sources/id.h"
#include "sources/log_file.h"
#include "sources/log_system.h"
#include "sources/logger.h"
#include "sources/daemon.h"
#include "sources/scheme.h"
#include "sources/scheme_mgr.h"
#include "sources/config.h"
#include "sources/msg.h"
#include "sources/system.h"
#include "sources/instance.h"
#include "sources/server.h"
#include "sources/server_pool.h"
#include "sources/client.h"
#include "sources/client_pool.h"
#include "sources/route_id.h"
#include "sources/route.h"
#include "sources/route_pool.h"
#include "sources/io.h"
#include "sources/router.h"
#include "sources/pooler.h"
#include "sources/relay.h"
#include "sources/tls.h"
#include "sources/frontend.h"

machine_tls_t*
od_tls_frontend(od_schemelisten_t *scheme)
{
	int rc;
	machine_tls_t *tls;
	tls = machine_tls_create();
	if (tls == NULL)
		return NULL;
	if (scheme->tls_mode == OD_TLS_ALLOW)
		machine_tls_set_verify(tls, "none");
	else
	if (scheme->tls_mode == OD_TLS_REQUIRE)
		machine_tls_set_verify(tls, "peer");
	else
		machine_tls_set_verify(tls, "peer_strict");
	if (scheme->tls_ca_file) {
		rc = machine_tls_set_ca_file(tls, scheme->tls_ca_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (scheme->tls_cert_file) {
		rc = machine_tls_set_cert_file(tls, scheme->tls_cert_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (scheme->tls_key_file) {
		rc = machine_tls_set_key_file(tls, scheme->tls_key_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	return tls;
}

int
od_tls_frontend_accept(od_client_t *client,
                       od_logger_t *logger,
                       od_schemelisten_t *scheme,
                       machine_tls_t *tls)
{
	shapito_stream_t *stream = &client->stream;

	if (client->startup.is_ssl_request)
	{
		od_debug_client(logger, &client->id, "tls", "ssl request");
		shapito_stream_reset(stream);
		int rc;
		if (scheme->tls_mode == OD_TLS_DISABLE) {
			/* not supported 'N' */
			shapito_stream_write8(stream, 'N');
			rc = od_write(client->io, stream);
			if (rc == -1) {
				od_error_client(logger, &client->id, "tls", "write error: %s",
				                machine_error(client->io));
				return -1;
			}
			od_log_client(logger, &client->id, "tls", "disabled, closing");
			od_frontend_error(client, SHAPITO_FEATURE_NOT_SUPPORTED,
			                  "SSL is not supported");
			return -1;
		}
		/* supported 'S' */
		shapito_stream_write8(stream, 'S');
		rc = od_write(client->io, stream);
		if (rc == -1) {
			od_error_client(logger, &client->id, "tls", "write error: %s",
			                machine_error(client->io));
			return -1;
		}
		rc = machine_set_tls(client->io, tls);
		if (rc == -1) {
			od_error_client(logger, &client->id, "tls", "error: %s",
			                machine_error(client->io));
			return -1;
		}
		od_debug_client(logger, &client->id, "tls", "ok");
		return 0;
	}
	switch (scheme->tls_mode) {
	case OD_TLS_DISABLE:
	case OD_TLS_ALLOW:
		break;
	default:
		od_log_client(logger, &client->id, "tls", "required, closing");
		od_frontend_error(client, SHAPITO_PROTOCOL_VIOLATION,
		                  "SSL is required");
		return -1;
	}
	return 0;
}

machine_tls_t*
od_tls_backend(od_schemestorage_t *scheme)
{
	int rc;
	machine_tls_t *tls;
	tls = machine_tls_create();
	if (tls == NULL)
		return NULL;
	if (scheme->tls_mode == OD_TLS_ALLOW)
		machine_tls_set_verify(tls, "none");
	else
	if (scheme->tls_mode == OD_TLS_REQUIRE)
		machine_tls_set_verify(tls, "peer");
	else
		machine_tls_set_verify(tls, "peer_strict");
	if (scheme->tls_ca_file) {
		rc = machine_tls_set_ca_file(tls, scheme->tls_ca_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (scheme->tls_cert_file) {
		rc = machine_tls_set_cert_file(tls, scheme->tls_cert_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (scheme->tls_key_file) {
		rc = machine_tls_set_key_file(tls, scheme->tls_key_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	return tls;
}

int
od_tls_backend_connect(od_server_t *server,
                       od_logger_t *logger,
                       od_schemestorage_t *scheme)
{
	shapito_stream_t *stream = &server->stream;

	od_debug_server(logger, &server->id, "tls", "init");

	/* SSL Request */
	shapito_stream_reset(stream);
	int rc;
	rc = shapito_fe_write_ssl_request(stream);
	if (rc == -1)
		return -1;
	rc = od_write(server->io, stream);
	if (rc == -1) {
		od_error_server(logger, &server->id, "tls", "write error: %s",
		                machine_error(server->io));
		return -1;
	}

	/* read server reply */
	shapito_stream_reset(stream);
	rc = machine_read(server->io, stream->pos, 1, UINT32_MAX);
	if (rc == -1) {
		od_error_server(logger, &server->id, "tls", "read error: %s",
		                machine_error(server->io));
		return -1;
	}
	switch (*stream->pos) {
	case 'S':
		/* supported */
		od_debug_server(logger, &server->id, "tls", "supported");
		rc = machine_set_tls(server->io, server->tls);
		if (rc == -1) {
			od_error_server(logger, &server->id, "tls", "error: %s",
			                machine_error(server->io));
			return -1;
		}
		od_debug_server(logger, &server->id, "tls", "ok");
		break;
	case 'N':
		/* not supported */
		if (scheme->tls_mode == OD_TLS_ALLOW) {
			od_debug_server(logger, &server->id, "tls", "not supported, continue (allow)");
		} else {
			od_error_server(logger, &server->id, "tls", "not supported, closing");
			return -1;
		}
		break;
	default:
		od_error_server(logger, &server->id, "tls", "unexpected status reply");
		return -1;
	}
	return 0;
}
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`/*`
odissey: update banners 2017-07-05 12:42:49 +00:00			`* Odissey.`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`*`
odissey: update banners 2017-07-05 12:42:49 +00:00			`* Advanced PostgreSQL connection pooler.`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`*/`

			`#include <stdlib.h>`
			`#include <stdarg.h>`
			`#include <stdint.h>`
			`#include <stdio.h>`
			`#include <string.h>`
			`#include <inttypes.h>`
			`#include <signal.h>`

			`#include <machinarium.h>`
odissey: update shapito submodule 2017-06-07 11:50:58 +00:00			`#include <shapito.h>`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/macro.h"`
			`#include "sources/version.h"`
odissey: update file includes 2017-08-08 13:50:50 +00:00			`#include "sources/atomic.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/list.h"`
			`#include "sources/pid.h"`
			`#include "sources/id.h"`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`#include "sources/log_file.h"`
			`#include "sources/log_system.h"`
			`#include "sources/logger.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/daemon.h"`
			`#include "sources/scheme.h"`
odissey: add scheme manager; first attempt to make scheme versional 2017-07-14 13:40:31 +00:00			`#include "sources/scheme_mgr.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/config.h"`
			`#include "sources/msg.h"`
			`#include "sources/system.h"`
			`#include "sources/instance.h"`
			`#include "sources/server.h"`
			`#include "sources/server_pool.h"`
			`#include "sources/client.h"`
			`#include "sources/client_pool.h"`
			`#include "sources/route_id.h"`
			`#include "sources/route.h"`
			`#include "sources/route_pool.h"`
			`#include "sources/io.h"`
			`#include "sources/router.h"`
			`#include "sources/pooler.h"`
			`#include "sources/relay.h"`
			`#include "sources/tls.h"`
			`#include "sources/frontend.h"`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t*`
odissey: allow to define serveral listen servers 2017-08-29 14:43:41 +00:00			`od_tls_frontend(od_schemelisten_t *scheme)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
			`int rc;`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`tls = machine_tls_create();`
			`if (tls == NULL)`
			`return NULL;`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_ALLOW)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "none");`
			`else`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_REQUIRE)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "peer");`
			`else`
			`machine_tls_set_verify(tls, "peer_strict");`
			`if (scheme->tls_ca_file) {`
			`rc = machine_tls_set_ca_file(tls, scheme->tls_ca_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`if (scheme->tls_cert_file) {`
			`rc = machine_tls_set_cert_file(tls, scheme->tls_cert_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`if (scheme->tls_key_file) {`
			`rc = machine_tls_set_key_file(tls, scheme->tls_key_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`return tls;`
			`}`

			`int`
			`od_tls_frontend_accept(od_client_t *client,`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_logger_t *logger,`
odissey: allow to define serveral listen servers 2017-08-29 14:43:41 +00:00			`od_schemelisten_t *scheme,`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_t *stream = &client->stream;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`if (client->startup.is_ssl_request)`
			`{`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_client(logger, &client->id, "tls", "ssl request");`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`int rc;`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_DISABLE) {`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`/* not supported 'N' */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_write8(stream, 'N');`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = od_write(client->io, stream);`
			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_client(logger, &client->id, "tls", "write error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(client->io));`
			`return -1;`
			`}`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_log_client(logger, &client->id, "tls", "disabled, closing");`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`od_frontend_error(client, SHAPITO_FEATURE_NOT_SUPPORTED,`
odissey: send client errors 2017-06-08 12:36:21 +00:00			`"SSL is not supported");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`/* supported 'S' */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_write8(stream, 'S');`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = od_write(client->io, stream);`
			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_client(logger, &client->id, "tls", "write error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(client->io));`
			`return -1;`
			`}`
			`rc = machine_set_tls(client->io, tls);`
			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_client(logger, &client->id, "tls", "error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(client->io));`
			`return -1;`
			`}`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_client(logger, &client->id, "tls", "ok");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return 0;`
			`}`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`switch (scheme->tls_mode) {`
odissey: give better names to tls modes 2017-07-28 13:16:46 +00:00			`case OD_TLS_DISABLE:`
			`case OD_TLS_ALLOW:`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`break;`
			`default:`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_log_client(logger, &client->id, "tls", "required, closing");`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`od_frontend_error(client, SHAPITO_PROTOCOL_VIOLATION,`
odissey: send client errors 2017-06-08 12:36:21 +00:00			`"SSL is required");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`return 0;`
			`}`

odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t*`
odissey: rename server scheme into storage scheme 2017-06-21 12:18:48 +00:00			`od_tls_backend(od_schemestorage_t *scheme)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
			`int rc;`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`tls = machine_tls_create();`
			`if (tls == NULL)`
			`return NULL;`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_ALLOW)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "none");`
			`else`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_REQUIRE)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "peer");`
			`else`
			`machine_tls_set_verify(tls, "peer_strict");`
			`if (scheme->tls_ca_file) {`
			`rc = machine_tls_set_ca_file(tls, scheme->tls_ca_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`if (scheme->tls_cert_file) {`
			`rc = machine_tls_set_cert_file(tls, scheme->tls_cert_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`if (scheme->tls_key_file) {`
			`rc = machine_tls_set_key_file(tls, scheme->tls_key_file);`
			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`return tls;`
			`}`

			`int`
			`od_tls_backend_connect(od_server_t *server,`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_logger_t *logger,`
odissey: rename server scheme into storage scheme 2017-06-21 12:18:48 +00:00			`od_schemestorage_t *scheme)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_t *stream = &server->stream;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_server(logger, &server->id, "tls", "init");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`/* SSL Request */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`int rc;`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`rc = shapito_fe_write_ssl_request(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1)`
			`return -1;`
			`rc = od_write(server->io, stream);`
			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_server(logger, &server->id, "tls", "write error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(server->io));`
			`return -1;`
			`}`

			`/* read server reply */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: update to latest shapito changes 2017-07-04 13:27:42 +00:00			`rc = machine_read(server->io, stream->pos, 1, UINT32_MAX);`
odissey: exit on signal; minor fixes 2017-06-14 12:35:04 +00:00			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_server(logger, &server->id, "tls", "read error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(server->io));`
			`return -1;`
			`}`
odissey: update to latest shapito changes 2017-07-04 13:27:42 +00:00			`switch (*stream->pos) {`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`case 'S':`
			`/* supported */`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_server(logger, &server->id, "tls", "supported");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = machine_set_tls(server->io, server->tls);`
			`if (rc == -1) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_server(logger, &server->id, "tls", "error: %s",`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_error(server->io));`
			`return -1;`
			`}`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_server(logger, &server->id, "tls", "ok");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`break;`
			`case 'N':`
			`/* not supported */`
odissey: rename tls_verify to tls_mode 2017-07-28 13:19:53 +00:00			`if (scheme->tls_mode == OD_TLS_ALLOW) {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_debug_server(logger, &server->id, "tls", "not supported, continue (allow)");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`} else {`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_server(logger, &server->id, "tls", "not supported, closing");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`break;`
			`default:`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_error_server(logger, &server->id, "tls", "unexpected status reply");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`return 0;`
			`}`