odyssey/sources/tls.c


/*
 * Odissey.
 *
 * Advanced PostgreSQL connection pooler.
*/

#include <stdlib.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>
#include <signal.h>

#include <machinarium.h>
#include <shapito.h>

#include "sources/macro.h"
#include "sources/version.h"
#include "sources/atomic.h"
#include "sources/util.h"
#include "sources/error.h"
#include "sources/list.h"
#include "sources/pid.h"
#include "sources/id.h"
#include "sources/logger.h"
#include "sources/daemon.h"
#include "sources/config.h"
#include "sources/config_mgr.h"
#include "sources/config_reader.h"
#include "sources/msg.h"
#include "sources/system.h"
#include "sources/server.h"
#include "sources/server_pool.h"
#include "sources/client.h"
#include "sources/client_pool.h"
#include "sources/route_id.h"
#include "sources/route.h"
#include "sources/route_pool.h"
#include "sources/io.h"
#include "sources/instance.h"
#include "sources/router_cancel.h"
#include "sources/router.h"
#include "sources/pooler.h"
#include "sources/worker.h"
#include "sources/tls.h"
#include "sources/frontend.h"

machine_tls_t*
od_tls_frontend(od_configlisten_t *config)
{
	int rc;
	machine_tls_t *tls;
	tls = machine_tls_create();
	if (tls == NULL)
		return NULL;
	if (config->tls_mode == OD_TLS_ALLOW)
		machine_tls_set_verify(tls, "none");
	else
	if (config->tls_mode == OD_TLS_REQUIRE)
		machine_tls_set_verify(tls, "peer");
	else
		machine_tls_set_verify(tls, "peer_strict");
	if (config->tls_ca_file) {
		rc = machine_tls_set_ca_file(tls, config->tls_ca_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (config->tls_cert_file) {
		rc = machine_tls_set_cert_file(tls, config->tls_cert_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (config->tls_key_file) {
		rc = machine_tls_set_key_file(tls, config->tls_key_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	return tls;
}

int
od_tls_frontend_accept(od_client_t *client,
                       od_logger_t *logger,
                       od_configlisten_t *config,
                       machine_tls_t *tls)
{
	shapito_stream_t *stream = client->stream;

	if (client->startup.is_ssl_request)
	{
		od_debug(logger, "tls", client, NULL, "ssl request");
		shapito_stream_reset(stream);
		int rc;
		if (config->tls_mode == OD_TLS_DISABLE) {
			/* not supported 'N' */
			shapito_stream_write8(stream, 'N');
			rc = od_write(client->io, stream);
			if (rc == -1) {
				od_error(logger, "tls", client, NULL, "write error: %s",
				         machine_error(client->io));
				return -1;
			}
			od_debug(logger, "tls", client, NULL, "is disabled, ignoring");
			return 0;
		}
		/* supported 'S' */
		shapito_stream_write8(stream, 'S');
		rc = od_write(client->io, stream);
		if (rc == -1) {
			od_error(logger, "tls", client, NULL, "write error: %s",
			         machine_error(client->io));
			return -1;
		}
		rc = machine_set_tls(client->io, tls);
		if (rc == -1) {
			od_error(logger, "tls", client, NULL, "error: %s",
			         machine_error(client->io));
			return -1;
		}
		od_debug(logger, "tls", client, NULL, "ok");
		return 0;
	}
	switch (config->tls_mode) {
	case OD_TLS_DISABLE:
	case OD_TLS_ALLOW:
		break;
	default:
		od_log(logger, "tls", client, NULL, "required, closing");
		od_frontend_error(client, SHAPITO_PROTOCOL_VIOLATION,
		                  "SSL is required");
		return -1;
	}
	return 0;
}

machine_tls_t*
od_tls_backend(od_configstorage_t *config)
{
	int rc;
	machine_tls_t *tls;
	tls = machine_tls_create();
	if (tls == NULL)
		return NULL;
	if (config->tls_mode == OD_TLS_ALLOW)
		machine_tls_set_verify(tls, "none");
	else
	if (config->tls_mode == OD_TLS_REQUIRE)
		machine_tls_set_verify(tls, "peer");
	else
		machine_tls_set_verify(tls, "peer_strict");
	if (config->tls_ca_file) {
		rc = machine_tls_set_ca_file(tls, config->tls_ca_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (config->tls_cert_file) {
		rc = machine_tls_set_cert_file(tls, config->tls_cert_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	if (config->tls_key_file) {
		rc = machine_tls_set_key_file(tls, config->tls_key_file);
		if (rc == -1) {
			machine_tls_free(tls);
			return NULL;
		}
	}
	return tls;
}

int
od_tls_backend_connect(od_server_t *server,
                       od_logger_t *logger,
                       shapito_stream_t *stream,
                       od_configstorage_t *config)
{
	od_debug(logger, "tls", NULL, server, "init");

	/* SSL Request */
	shapito_stream_reset(stream);
	int rc;
	rc = shapito_fe_write_ssl_request(stream);
	if (rc == -1)
		return -1;
	rc = od_write(server->io, stream);
	if (rc == -1) {
		od_error(logger, "tls", NULL, server, "write error: %s",
		         machine_error(server->io));
		return -1;
	}

	/* read server reply */
	shapito_stream_reset(stream);
	rc = machine_read(server->io, stream->pos, 1, UINT32_MAX);
	if (rc == -1) {
		od_error(logger, "tls", NULL, server, "read error: %s",
		         machine_error(server->io));
		return -1;
	}
	switch (*stream->pos) {
	case 'S':
		/* supported */
		od_debug(logger, "tls", NULL, server, "supported");
		rc = machine_set_tls(server->io, server->tls);
		if (rc == -1) {
			od_error(logger, "tls", NULL, server, "error: %s",
			         machine_error(server->io));
			return -1;
		}
		od_debug(logger, "tls", NULL, server, "ok");
		break;
	case 'N':
		/* not supported */
		if (config->tls_mode == OD_TLS_ALLOW) {
			od_debug(logger, "tls", NULL, server,
			         "not supported, continue (allow)");
		} else {
			od_error(logger, "tls", NULL, server, "not supported, closing");
			return -1;
		}
		break;
	default:
		od_error(logger, "tls", NULL, server, "unexpected status reply");
		return -1;
	}
	return 0;
}
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`/*`
odissey: update banners 2017-07-05 12:42:49 +00:00			`* Odissey.`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`*`
odissey: update banners 2017-07-05 12:42:49 +00:00			`* Advanced PostgreSQL connection pooler.`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`*/`

			`#include <stdlib.h>`
			`#include <stdarg.h>`
			`#include <stdint.h>`
			`#include <stdio.h>`
			`#include <string.h>`
			`#include <inttypes.h>`
			`#include <signal.h>`

			`#include <machinarium.h>`
odissey: update shapito submodule 2017-06-07 11:50:58 +00:00			`#include <shapito.h>`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/macro.h"`
			`#include "sources/version.h"`
odissey: update file includes 2017-08-08 13:50:50 +00:00			`#include "sources/atomic.h"`
odissey: use copy safe od_snprintf() implementation 2017-11-27 12:54:16 +00:00			`#include "sources/util.h"`
			`#include "sources/error.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/list.h"`
			`#include "sources/pid.h"`
			`#include "sources/id.h"`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`#include "sources/logger.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/daemon.h"`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`#include "sources/config.h"`
			`#include "sources/config_mgr.h"`
odissey: move config to config_reader 2018-03-05 14:24:30 +00:00			`#include "sources/config_reader.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/msg.h"`
			`#include "sources/system.h"`
			`#include "sources/server.h"`
			`#include "sources/server_pool.h"`
			`#include "sources/client.h"`
			`#include "sources/client_pool.h"`
			`#include "sources/route_id.h"`
			`#include "sources/route.h"`
			`#include "sources/route_pool.h"`
			`#include "sources/io.h"`
odissey: reorder instance.h inclusion 2017-09-15 12:58:29 +00:00			`#include "sources/instance.h"`
odissey: rework router cancel logic 2018-02-22 13:43:52 +00:00			`#include "sources/router_cancel.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/router.h"`
			`#include "sources/pooler.h"`
odissey: relay and relay_pool is worker and worker_pool now 2018-03-02 10:00:52 +00:00			`#include "sources/worker.h"`
odissey: rework file naming and include path 2017-07-05 12:15:17 +00:00			`#include "sources/tls.h"`
			`#include "sources/frontend.h"`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t*`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`od_tls_frontend(od_configlisten_t *config)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
			`int rc;`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`tls = machine_tls_create();`
			`if (tls == NULL)`
			`return NULL;`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_ALLOW)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "none");`
			`else`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_REQUIRE)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "peer");`
			`else`
			`machine_tls_set_verify(tls, "peer_strict");`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_ca_file) {`
			`rc = machine_tls_set_ca_file(tls, config->tls_ca_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_cert_file) {`
			`rc = machine_tls_set_cert_file(tls, config->tls_cert_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_key_file) {`
			`rc = machine_tls_set_key_file(tls, config->tls_key_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`return tls;`
			`}`

			`int`
			`od_tls_frontend_accept(od_client_t *client,`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_logger_t *logger,`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`od_configlisten_t *config,`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
odissey: make client stream shared 2018-02-12 13:50:51 +00:00			`shapito_stream_t *stream = client->stream;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`if (client->startup.is_ssl_request)`
			`{`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", client, NULL, "ssl request");`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`int rc;`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_DISABLE) {`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`/* not supported 'N' */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_write8(stream, 'N');`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = od_write(client->io, stream);`
			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", client, NULL, "write error: %s",`
			`machine_error(client->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", client, NULL, "is disabled, ignoring");`
odissey: do not close client tls connection if disable 2017-09-04 12:22:26 +00:00			`return 0;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`}`
			`/* supported 'S' */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_write8(stream, 'S');`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = od_write(client->io, stream);`
			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", client, NULL, "write error: %s",`
			`machine_error(client->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`rc = machine_set_tls(client->io, tls);`
			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", client, NULL, "error: %s",`
			`machine_error(client->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", client, NULL, "ok");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return 0;`
			`}`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`switch (config->tls_mode) {`
odissey: give better names to tls modes 2017-07-28 13:16:46 +00:00			`case OD_TLS_DISABLE:`
			`case OD_TLS_ALLOW:`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`break;`
			`default:`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_log(logger, "tls", client, NULL, "required, closing");`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`od_frontend_error(client, SHAPITO_PROTOCOL_VIOLATION,`
odissey: send client errors 2017-06-08 12:36:21 +00:00			`"SSL is required");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`return 0;`
			`}`

odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t*`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`od_tls_backend(od_configstorage_t *config)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
			`int rc;`
odissey: update machinarium api 2017-06-13 11:57:54 +00:00			`machine_tls_t *tls;`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`tls = machine_tls_create();`
			`if (tls == NULL)`
			`return NULL;`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_ALLOW)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "none");`
			`else`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_REQUIRE)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`machine_tls_set_verify(tls, "peer");`
			`else`
			`machine_tls_set_verify(tls, "peer_strict");`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_ca_file) {`
			`rc = machine_tls_set_ca_file(tls, config->tls_ca_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_cert_file) {`
			`rc = machine_tls_set_cert_file(tls, config->tls_cert_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_key_file) {`
			`rc = machine_tls_set_key_file(tls, config->tls_key_file);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1) {`
			`machine_tls_free(tls);`
			`return NULL;`
			`}`
			`}`
			`return tls;`
			`}`

			`int`
			`od_tls_backend_connect(od_server_t *server,`
odissey: major logger rework 2017-07-26 14:05:29 +00:00			`od_logger_t *logger,`
odissey: rework server buffering using client stream 2018-02-13 13:33:40 +00:00			`shapito_stream_t *stream,`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`od_configstorage_t *config)`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`{`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", NULL, server, "init");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00
			`/* SSL Request */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`int rc;`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`rc = shapito_fe_write_ssl_request(stream);`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`if (rc == -1)`
			`return -1;`
			`rc = od_write(server->io, stream);`
			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", NULL, server, "write error: %s",`
			`machine_error(server->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`

			`/* read server reply */`
odissey: major shapito api update 2017-07-06 13:36:14 +00:00			`shapito_stream_reset(stream);`
odissey: update to latest shapito changes 2017-07-04 13:27:42 +00:00			`rc = machine_read(server->io, stream->pos, 1, UINT32_MAX);`
odissey: exit on signal; minor fixes 2017-06-14 12:35:04 +00:00			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", NULL, server, "read error: %s",`
			`machine_error(server->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
odissey: update to latest shapito changes 2017-07-04 13:27:42 +00:00			`switch (*stream->pos) {`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`case 'S':`
			`/* supported */`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", NULL, server, "supported");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`rc = machine_set_tls(server->io, server->tls);`
			`if (rc == -1) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", NULL, server, "error: %s",`
			`machine_error(server->io));`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", NULL, server, "ok");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`break;`
			`case 'N':`
			`/* not supported */`
odissey: major scheme rework, rename it to config 2018-03-06 15:23:52 +00:00			`if (config->tls_mode == OD_TLS_ALLOW) {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_debug(logger, "tls", NULL, server,`
			`"not supported, continue (allow)");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`} else {`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", NULL, server, "not supported, closing");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`break;`
			`default:`
odissey: major logging rework (introduce log format) 2017-09-21 13:44:19 +00:00			`od_error(logger, "tls", NULL, server, "unexpected status reply");`
odissey: assemble tls support; rework cancel 2017-06-02 13:49:20 +00:00			`return -1;`
			`}`
			`return 0;`
			`}`