/*
* Odyssey.
*
* Scalable PostgreSQL connection pooler.
*/
#include <kiwi.h>
#include <machinarium.h>
#include <odyssey.h>
/*
 * Build the TLS context used for client-facing (frontend) connections of
 * one listen section.
 *
 * The verification policy is derived from config->tls_mode:
 *   ALLOW        -> "none"        (no peer verification at all)
 *   REQUIRE      -> "peer"
 *   anything else -> "peer_strict" (this includes DISABLE; presumably
 *                    callers never build a frontend context when TLS is
 *                    off -- confirm at the call site)
 * What "peer" vs "peer_strict" means for a server-side context (whether a
 * client certificate is merely requested or actually required) is decided
 * inside machinarium and is not visible here -- verify that mapping before
 * relying on REQUIRE for client-certificate authentication.
 *
 * CA, certificate and key files are installed only when configured.  A
 * certificate without a key (or vice versa) is passed through unchecked;
 * whether machinarium rejects that combination is not visible here.
 * The return value of machine_tls_set_verify() is not checked, matching
 * the original behaviour.
 *
 * Returns the new context, or NULL on allocation failure or when any of
 * the configured files cannot be loaded (the context is freed in that
 * case).  Ownership of the returned context passes to the caller.
 */
machine_tls_t *od_tls_frontend(od_config_listen_t *config)
{
	machine_tls_t *tls = machine_tls_create();
	if (tls == NULL)
		return NULL;

	const char *verify;
	switch (config->tls_mode) {
	case OD_CONFIG_TLS_ALLOW:
		verify = "none";
		break;
	case OD_CONFIG_TLS_REQUIRE:
		verify = "peer";
		break;
	default:
		verify = "peer_strict";
		break;
	}
	machine_tls_set_verify(tls, verify);

	/* stop at the first file that fails to load; -1 is the only
	 * failure signal these setters report here */
	if (config->tls_ca_file &&
	    machine_tls_set_ca_file(tls, config->tls_ca_file) == -1)
		goto fail;
	if (config->tls_cert_file &&
	    machine_tls_set_cert_file(tls, config->tls_cert_file) == -1)
		goto fail;
	if (config->tls_key_file &&
	    machine_tls_set_key_file(tls, config->tls_key_file) == -1)
		goto fail;

	return tls;

fail:
	machine_tls_free(tls);
	return NULL;
}
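/*
 * Send the one-byte SSLRequest status reply to the client: 'S' when TLS is
 * supported, 'N' when it is not.
 *
 * Returns 0 on success and -1 when the message cannot be allocated or the
 * write fails (the write failure is logged; the allocation failure is not).
 */
static int od_tls_frontend_send_status(od_client_t *client,
				       od_logger_t *logger, uint8_t status)
{
	machine_msg_t *msg = machine_msg_create(sizeof(uint8_t));
	if (msg == NULL)
		return -1;
	uint8_t *type = machine_msg_data(msg);
	*type = status;
	if (od_write(&client->io, msg) == -1) {
		od_error(logger, "tls", client, NULL, "write error: %s",
			 od_io_error(&client->io));
		return -1;
	}
	return 0;
}

/*
 * Negotiate TLS with a freshly accepted client according to the listen
 * section's tls_mode.
 *
 * Two situations are handled:
 *
 *  1. The client opened with an SSLRequest.  When tls_mode is DISABLE the
 *     pooler answers 'N' and the session continues in the clear.  For any
 *     other mode it answers 'S' and runs the TLS handshake on the client
 *     socket, bounded by config->client_login_timeout.
 *
 *     NOTE(review): if client->io has read ahead past the SSLRequest packet
 *     before the handshake starts, those plaintext bytes would be consumed
 *     after machine_set_tls() as though they had arrived inside the TLS
 *     session.  Whether the io layer buffers beyond the packet is not
 *     visible here -- confirm, as this is the same pattern PostgreSQL had
 *     to close on both server and libpq sides.
 *
 *  2. The client did not ask for TLS.  Cancel requests are always accepted
 *     in plaintext (the protocol sends them on a bare connection), so
 *     whatever a cancel message carries travels unencrypted even when TLS
 *     is otherwise required; this layer cannot tighten that.  Any other
 *     plaintext startup is allowed only for DISABLE and ALLOW; every other
 *     mode is treated as "required" and the client is refused with a
 *     protocol-violation error.
 *
 * Returns 0 when the connection may proceed (encrypted or not), -1 when it
 * must be closed; failures are logged.
 */
int od_tls_frontend_accept(od_client_t *client, od_logger_t *logger,
			   od_config_listen_t *config, machine_tls_t *tls)
{
	if (client->startup.is_ssl_request) {
		od_debug(logger, "tls", client, NULL, "ssl request");

		if (config->tls_mode == OD_CONFIG_TLS_DISABLE) {
			/* not supported 'N' */
			if (od_tls_frontend_send_status(client, logger, 'N') ==
			    -1)
				return -1;
			od_debug(logger, "tls", client, NULL,
				 "is disabled, ignoring");
			return 0;
		}

		/* supported 'S' */
		if (od_tls_frontend_send_status(client, logger, 'S') == -1)
			return -1;

		if (machine_set_tls(client->io.io, tls,
				    config->client_login_timeout) == -1) {
			/* the width of the timestamp type behind
			 * machine_time_us()/time_accept is not visible here;
			 * widen explicitly so the conversion specifier and
			 * the argument always agree (a mismatch is UB) */
			od_error(logger, "tls", client, NULL,
				 "error: %s, login time %lld us",
				 od_io_error(&client->io),
				 (long long)(machine_time_us() -
					     client->time_accept));
			return -1;
		}
		od_debug(logger, "tls", client, NULL, "ok");
		return 0;
	}

	/* Client sends cancel request without encryption */
	if (client->startup.is_cancel)
		return 0;

	switch (config->tls_mode) {
	case OD_CONFIG_TLS_DISABLE:
	case OD_CONFIG_TLS_ALLOW:
		break;
	default:
		od_log(logger, "tls", client, NULL, "required, closing");
		od_frontend_error(client, KIWI_PROTOCOL_VIOLATION,
				  "SSL is required");
		return -1;
	}
	return 0;
}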
/*
 * Build the TLS context used when the pooler connects to a PostgreSQL
 * server described by one storage rule.
 *
 * Verification policy from storage->tls_mode:
 *   ALLOW         -> "none"        (the server certificate is not checked
 *                                   at all, so ALLOW only defeats passive
 *                                   eavesdropping, not an active MITM)
 *   REQUIRE       -> "peer"
 *   anything else -> "peer_strict"
 * Whether "peer"/"peer_strict" also match the server's host name is decided
 * by machinarium and is not visible here -- confirm before treating the
 * stricter modes as equivalent to libpq's verify-full.  Note also that
 * REQUIRE here maps to a verifying mode, which may be stricter than
 * libpq's sslmode=require; check machinarium's semantics if parity matters.
 *
 * CA, certificate and key files are installed only when configured, and
 * the first file that fails to load aborts construction.  A certificate
 * without a key is passed through unchecked.  The result of
 * machine_tls_set_verify() is not checked, as in the original.
 *
 * Returns the new context (owned by the caller) or NULL on failure.
 */
machine_tls_t *od_tls_backend(od_rule_storage_t *storage)
{
	machine_tls_t *tls = machine_tls_create();
	if (tls == NULL)
		return NULL;

	const char *verify = "peer_strict";
	if (storage->tls_mode == OD_RULE_TLS_ALLOW)
		verify = "none";
	else if (storage->tls_mode == OD_RULE_TLS_REQUIRE)
		verify = "peer";
	machine_tls_set_verify(tls, verify);

	/* once a setter reports -1 the remaining ones are skipped */
	int ok = 1;
	if (ok && storage->tls_ca_file)
		ok = machine_tls_set_ca_file(tls, storage->tls_ca_file) != -1;
	if (ok && storage->tls_cert_file)
		ok = machine_tls_set_cert_file(tls, storage->tls_cert_file) !=
		     -1;
	if (ok && storage->tls_key_file)
		ok = machine_tls_set_key_file(tls, storage->tls_key_file) != -1;

	if (!ok) {
		machine_tls_free(tls);
		return NULL;
	}
	return tls;
}
/*
 * Negotiate TLS on a newly opened backend (PostgreSQL server) connection.
 *
 * Sends an SSLRequest, reads the server's single status byte and acts on
 * it:
 *   'S'    -> run the handshake with server->tls.  The handshake timeout
 *             is UINT32_MAX, i.e. effectively unbounded; a server that
 *             accepts the TCP connection but never completes the handshake
 *             holds this coroutine indefinitely.  The same applies to the
 *             status-byte read above it.
 *   'N'    -> the server refuses TLS.  Only OD_RULE_TLS_ALLOW continues in
 *             plaintext; every other mode closes the connection, which is
 *             what stops a downgrade for the verifying modes.
 *   other  -> protocol error, closed.
 *
 * NOTE(review): only one byte is requested from od_io_read(), but if the
 * io layer reads ahead, any plaintext bytes already buffered after the
 * status byte would later be consumed as though they came through the TLS
 * session (the pattern behind libpq's CVE-2021-23222 fix).  Whether
 * od_io_read() buffers is not visible here -- confirm.
 *
 * Returns 0 when the connection may proceed, -1 on any failure (logged).
 */
int od_tls_backend_connect(od_server_t *server, od_logger_t *logger,
			   od_rule_storage_t *storage)
{
	od_debug(logger, "tls", NULL, server, "init");

	/* SSL Request */
	machine_msg_t *request = kiwi_fe_write_ssl_request(NULL);
	if (request == NULL)
		return -1;
	if (od_write(&server->io, request) == -1) {
		od_error(logger, "tls", NULL, server, "write error: %s",
			 od_io_error(&server->io));
		return -1;
	}

	/* read server reply */
	char reply;
	if (od_io_read(&server->io, &reply, 1, UINT32_MAX) == -1) {
		od_error(logger, "tls", NULL, server, "read error: %s",
			 od_io_error(&server->io));
		return -1;
	}

	if (reply == 'N') {
		/* not supported */
		if (storage->tls_mode != OD_RULE_TLS_ALLOW) {
			od_error(logger, "tls", NULL, server,
				 "not supported, closing");
			return -1;
		}
		od_debug(logger, "tls", NULL, server,
			 "not supported, continue (allow)");
		return 0;
	}

	if (reply != 'S') {
		od_error(logger, "tls", NULL, server,
			 "unexpected status reply");
		return -1;
	}

	/* supported */
	od_debug(logger, "tls", NULL, server, "supported");
	if (machine_set_tls(server->io.io, server->tls, UINT32_MAX) == -1) {
		od_error(logger, "tls", NULL, server, "error: %s",
			 od_io_error(&server->io));
		return -1;
	}
	od_debug(logger, "tls", NULL, server, "ok");
	return 0;
}