diff --git a/core/od_be.c b/core/od_be.c
index ddc8555d..a8e56473 100644
--- a/core/od_be.c
+++ b/core/od_be.c
@@ -153,67 +153,6 @@ od_besetup(od_server_t *server)
 return 0;
 }
 
-static int
-od_beconnect_tls(od_pooler_t *pooler, od_server_t *server,
- od_schemeserver_t *scheme)
-{
- od_debug(&pooler->od->log, server->io, "S (tls): init");
-
- /* SSL Request */
- so_stream_t *stream = &server->stream;
- so_stream_reset(stream);
- int rc;
- rc = so_fewrite_ssl_request(stream);
- if (rc == -1)
- return -1;
- rc = od_write(server->io, stream);
- if (rc == -1) {
- od_error(&pooler->od->log, server->io, "S (tls): write error: %s",
- machine_error(server->io));
- return -1;
- }
-
- /* read server reply */
- so_stream_reset(stream);
- rc = machine_read(server->io, (char*)stream->p, 1, 0);
- if (rc < 0) {
- od_error(&pooler->od->log, server->io,
- "S (tls): read error: %s",
- machine_error(server->io));
- return -1;
- }
- switch (*stream->p) {
- case 'S':
- /* supported */
- od_debug(&pooler->od->log, server->io,
- "S (tls): supported");
- rc = machine_set_tls(server->io, server->tls);
- if (rc == -1) {
- od_error(&pooler->od->log, server->io,
- "S (tls): %s", machine_error(pooler->od));
- return -1;
- }
- od_debug(&pooler->od->log, server->io, "S (tls): ok");
- break;
- case 'N':
- /* not supported */
- if (scheme->tls_verify == OD_TALLOW) {
- od_debug(&pooler->od->log, server->io,
- "S (tls): not supported, continue (allow)");
- } else {
- od_error(&pooler->od->log, server->io,
- "S (tls): not supported, closing");
- return -1;
- }
- break;
- default:
- od_error(&pooler->od->log, server->io,
- "S (tls): unexpected status reply");
- return -1;
- }
- return 0;
-}
-
 static int
 od_beconnect(od_pooler_t *pooler, od_server_t *server)
 {
@@ -259,7 +198,10 @@ od_beconnect(od_pooler_t *pooler, od_server_t *server)
 
 /* do tls handshake */
 if (server_scheme->tls_verify != OD_TDISABLE) {
- rc = od_beconnect_tls(pooler, server, server_scheme);
+ rc = od_tlsbe_connect(pooler->env, server->io, server->tls,
+ &server->stream,
+ &pooler->od->log, "S",
+ server_scheme);
 if (rc == -1)
 return -1;
 }
@@ -368,7 +310,7 @@ od_bepop(od_pooler_t *pooler, od_route_t *route, od_client_t *client)
 od_schemeserver_t *server_scheme;
 server_scheme = route->scheme->server;
 if (server_scheme->tls_verify != OD_TDISABLE) {
- server->tls = od_tls_server(pooler, server_scheme);
+ server->tls = od_tlsbe(pooler->env, server_scheme);
 if (server->tls == NULL) {
 od_serverfree(server);
 return NULL;
diff --git a/core/od_cancel.c b/core/od_cancel.c
index dcfb72cd..cda8fb96 100644
--- a/core/od_cancel.c
+++ b/core/od_cancel.c
@@ -76,6 +76,10 @@ int od_cancel_of(od_pooler_t *pooler,
 }
 assert(ai != NULL);
 
+ machine_set_nodelay(io, pooler->od->scheme.nodelay);
+ if (pooler->od->scheme.keepalive > 0)
+ machine_set_keepalive(io, 1, pooler->od->scheme.keepalive);
+
 /* connect to server */
 rc = machine_connect(io, ai->ai_addr, 0);
 freeaddrinfo(ai);
@@ -86,9 +90,7 @@ int od_cancel_of(od_pooler_t *pooler,
 machine_close(io);
 return -1;
 }
- machine_set_nodelay(io, pooler->od->scheme.nodelay);
- if (pooler->od->scheme.keepalive > 0)
- machine_set_keepalive(io, 1, pooler->od->scheme.keepalive);
+
 /* send cancel and disconnect */
 so_stream_t stream;
 so_stream_init(&stream);
diff --git a/core/od_fe.c b/core/od_fe.c
index af4433e6..ffc31daa 100644
--- a/core/od_fe.c
+++ b/core/od_fe.c
@@ -35,6 +35,7 @@
 #include "od_io.h"
 #include "od_pooler.h"
 #include "od_fe.h"
+#include "od_tls.h"
 
 void od_feclose(od_client_t *client)
 {
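Review bot: The return values of `machine_set_nodelay` and `machine_set_keepalive` are still discarded in the added lines of the od_cancel.c hunk at line 76, so a failed socket-option call on the cancel connection goes unnoticed; if these calls report failure (their signatures are not visible here), handle it the way the neighbouring `machine_connect` failure is handled, e.g. `if (machine_set_nodelay(io, pooler->od->scheme.nodelay) == -1) { od_error(...); machine_close(io); return -1; }`. Moving the two calls ahead of `machine_connect` is only correct if the option setters accept a not-yet-connected socket; a one-line comment such as `/* socket options are applied before connect */` would record why they were moved. od_cancel_of's body continues outside both hunks.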
@@ -124,51 +125,16 @@ int od_festartup(od_client_t *client)
 return -1;
 
 /* client ssl request */
- if (client->startup.is_ssl_request)
- {
- od_debug(&pooler->od->log, client->io, "C (tls): ssl request");
- so_stream_reset(stream);
- if (pooler->od->scheme.tls_verify == OD_TDISABLE) {
- /* not supported 'N' */
- so_stream_write8(stream, 'N');
- rc = od_write(client->io, stream);
- if (rc == -1) {
- od_error(&pooler->od->log, client->io, "C (tls): write error: %s",
- machine_error(client->io));
- return -1;
- }
- od_log(&pooler->od->log, client->io,
- "C (tls): disabled, closing");
- return -1;
- }
- /* supported 'S' */
- so_stream_write8(stream, 'S');
- rc = od_write(client->io, stream);
- if (rc == -1) {
- od_error(&pooler->od->log, client->io, "C (tls): write error: %s",
- machine_error(client->io));
- return -1;
- }
- rc = machine_set_tls(client->io, pooler->tls);
- if (rc == -1) {
- od_error(&pooler->od->log, client->io,
- "C (tls): error: %s", machine_error(client->io));
- return -1;
- }
- od_debug(&pooler->od->log, client->io, "C (tls): ok");
+ rc = od_tlsfe_accept(pooler->env, client->io, pooler->tls,
+ &client->stream,
+ &pooler->od->log, "C",
+ &pooler->od->scheme,
+ &client->startup);
+ if (rc == -1)
+ return -1;
 
- } else {
- switch (pooler->od->scheme.tls_verify) {
- case OD_TDISABLE:
- case OD_TALLOW:
- break;
- default:
- od_log(&pooler->od->log, client->io,
- "C (tls): required, closing");
- return -1;
- }
+ if (! client->startup.is_ssl_request)
 return 0;
- }
 
 /* read startup-cancel message followed after ssl
 * negotiation */
diff --git a/core/od_pooler.c b/core/od_pooler.c
index dc13845f..69201970 100644
--- a/core/od_pooler.c
+++ b/core/od_pooler.c
@@ -48,7 +48,7 @@ od_pooler(void *arg)
 pooler->tls = NULL;
 od_scheme_t *scheme = &pooler->od->scheme;
 if (scheme->tls_verify != OD_TDISABLE) {
- pooler->tls = od_tls_client(pooler, scheme);
+ pooler->tls = od_tlsfe(pooler->env, scheme);
 if (pooler->tls == NULL)
 return;
 }
diff --git a/core/od_tls.c b/core/od_tls.c
index 0ff80bf1..5356a6e6 100644
--- a/core/od_tls.c
+++ b/core/od_tls.c
@@ -37,11 +37,11 @@
 #include "od_tls.h"
 
 machine_tls_t
-od_tls_client(od_pooler_t *pooler, od_scheme_t *scheme)
+od_tlsfe(machine_t machine, od_scheme_t *scheme)
 {
 int rc;
 machine_tls_t tls;
- tls = machine_create_tls(pooler->env);
+ tls = machine_create_tls(machine);
 if (tls == NULL)
 return NULL;
 if (scheme->tls_verify == OD_TALLOW)
@@ -75,12 +75,69 @@ od_tls_client(od_pooler_t *pooler, od_scheme_t *scheme)
 return tls;
 }
 
+int
+od_tlsfe_accept(machine_t machine,
+ machine_io_t io,
+ machine_tls_t tls,
+ so_stream_t *stream,
+ od_log_t *log,
+ char *prefix,
+ od_scheme_t *scheme,
+ so_bestartup_t *startup)
+{
+ if (startup->is_ssl_request)
+ {
+ od_debug(log, io, "%s (tls): ssl request", prefix);
+ so_stream_reset(stream);
+ int rc;
+ if (scheme->tls_verify == OD_TDISABLE) {
+ /* not supported 'N' */
+ so_stream_write8(stream, 'N');
+ rc = od_write(io, stream);
+ if (rc == -1) {
+ od_error(log, io, "%s (tls): write error: %s",
+ prefix, machine_error(io));
+ return -1;
+ }
+ od_log(log, io, "%s (tls): disabled, closing", prefix);
+ return -1;
+ }
+ /* supported 'S' */
+ so_stream_write8(stream, 'S');
+ rc = od_write(io, stream);
+ if (rc == -1) {
+ od_error(log, io, "%s (tls): write error: %s",
+ prefix, machine_error(io));
+ return -1;
+ }
+ rc = machine_set_tls(io, tls);
+ if (rc == -1) {
+ od_error(log, io, "%s (tls): error: %s", prefix,
+ machine_error(io));
+ return -1;
+ }
+ od_debug(log, io, "%s (tls): ok", prefix);
+ return 0;
+ }
+ switch (scheme->tls_verify) {
+ case OD_TDISABLE:
+ case OD_TALLOW:
+ break;
+ default:
+ od_log(log, io, "%s (tls): required, closing", prefix);
+ return -1;
+ }
+
+ (void)machine;
+ return 0;
+}
+
 machine_tls_t
-od_tls_server(od_pooler_t *pooler, od_schemeserver_t *scheme)
+od_tlsbe(machine_t machine, od_schemeserver_t *scheme)
 {
 int rc;
 machine_tls_t tls;
- tls = machine_create_tls(pooler->env);
+ tls = machine_create_tls(machine);
 if (tls == NULL)
 return NULL;
 if (scheme->tls_verify == OD_TALLOW)
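Review bot: `machine` is accepted by `od_tlsfe_accept` only to be silenced with `(void)machine;` at the end of the function, which leaves an unused parameter in the new public interface; either drop it from the signature (and from the od_tls.h prototype and the od_fe.c call) or add a comment stating that it is kept for symmetry with `od_tlsbe_connect`. `prefix` is only ever passed to format strings, so it should be `const char *prefix` here, in `od_tlsbe_connect` in the next hunk, and in both od_tls.h prototypes. The `machine_set_tls(io, tls)` call is reached only when `scheme->tls_verify != OD_TDISABLE`, which matches od_pooler.c leaving `pooler->tls` NULL when TLS is disabled; that precondition deserves a comment above the function, e.g. `/* tls may be NULL only when scheme->tls_verify == OD_TDISABLE */`, since nothing in the function checks it.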
@@ -113,3 +170,66 @@ od_tls_server(od_pooler_t *pooler, od_schemeserver_t *scheme)
 }
 return tls;
 }
+
+int
+od_tlsbe_connect(machine_t machine,
+ machine_io_t io,
+ machine_tls_t tls,
+ so_stream_t *stream,
+ od_log_t *log,
+ char *prefix,
+ od_schemeserver_t *scheme)
+{
+ od_debug(log, io, "%s (tls): init", prefix);
+
+ /* SSL Request */
+ so_stream_reset(stream);
+ int rc;
+ rc = so_fewrite_ssl_request(stream);
+ if (rc == -1)
+ return -1;
+ rc = od_write(io, stream);
+ if (rc == -1) {
+ od_error(log, io, "%s (tls): write error: %s",
+ prefix, machine_error(io));
+ return -1;
+ }
+
+ /* read server reply */
+ so_stream_reset(stream);
+ rc = machine_read(io, (char*)stream->p, 1, 0);
+ if (rc < 0) {
+ od_error(log, io, "%s (tls): read error: %s",
+ prefix, machine_error(io));
+ return -1;
+ }
+ switch (*stream->p) {
+ case 'S':
+ /* supported */
+ od_debug(log, io, "%s (tls): supported", prefix);
+ rc = machine_set_tls(io, tls);
+ if (rc == -1) {
+ od_error(log, io, "%s (tls): %s", prefix,
+ machine_error(machine));
+ return -1;
+ }
+ od_debug(log, io, "%s (tls): ok", prefix);
+ break;
+ case 'N':
+ /* not supported */
+ if (scheme->tls_verify == OD_TALLOW) {
+ od_debug(log, io, "%s (tls): not supported, continue (allow)",
+ prefix);
+ } else {
+ od_error(log, io, "%s (tls): not supported, closing",
+ prefix);
+ return -1;
+ }
+ break;
+ default:
+ od_error(log, io, "%s (tls): unexpected status reply",
+ prefix);
+ return -1;
+ }
+ return 0;
+}
diff --git a/core/od_tls.h b/core/od_tls.h
index 7c308a1b..9c31c9ad 100644
--- a/core/od_tls.h
+++ b/core/od_tls.h
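Review bot: The reply check `if (rc < 0)` after `machine_read(io, (char*)stream->p, 1, 0)` accepts a zero-length result, so if `machine_read` can return 0 on an orderly peer close (not visible on this page) the `switch (*stream->p)` would act on a byte this call never wrote; requiring the full byte, `if (rc != 1) { od_error(log, io, "%s (tls): read error: %s", prefix, machine_error(io)); return -1; }`, closes that gap. In the `'S'` branch the failure message uses `machine_error(machine)` while every other message in the function uses `machine_error(io)`; unless the handshake error really is reported at the machine level, `machine_error(io)` would be the consistent choice. The `'N'` plus `OD_TALLOW` path continues without TLS but reports it only at `od_debug` level; logging that downgrade with `od_log` would make an unexpected plaintext backend connection visible in normal operation.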
@@ -8,9 +8,24 @@
 */
 
 machine_tls_t
-od_tls_client(od_pooler_t*, od_scheme_t*);
+od_tlsfe(machine_t, od_scheme_t*);
+
+int
+od_tlsfe_accept(machine_t, machine_io_t, machine_tls_t,
+ so_stream_t*,
+ od_log_t*,
+ char*,
+ od_scheme_t*,
+ so_bestartup_t*);
 
 machine_tls_t
-od_tls_server(od_pooler_t*, od_schemeserver_t*);
+od_tlsbe(machine_t, od_schemeserver_t*);
+
+int
+od_tlsbe_connect(machine_t, machine_io_t, machine_tls_t,
+ so_stream_t*,
+ od_log_t*,
+ char*,
+ od_schemeserver_t*);
 
 #endif
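Review bot: The four new prototypes in od_tls.h carry no documentation, and their contracts are not obvious from the parameter lists (a bare `char*` among them). A comment block above each declaration should state that `od_tlsfe` and `od_tlsbe` return a `machine_tls_t` or NULL on failure; that `od_tlsfe_accept` and `od_tlsbe_connect` return 0 on success and -1 on failure, naming who is responsible for closing `io` afterwards (the callers in this commit only propagate -1); that `od_tlsfe_accept` returns 0 both when TLS was negotiated and when a plaintext client is admitted by `tls_verify`; and that the `char*` argument is only a log prefix. The prefix parameters should also be declared `const char*` to match how they are used.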