extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
{
// if the pre verification has failed, then don't bother validating via ruby
if (preverify_ok != 1) {
return preverify_ok;
}
unsigned long binding;
X509 *cert;
SSL *ssl;
BUF_MEM *buf;
BIO *out;
int result;
cert = X509_STORE_CTX_get_current_cert(ctx);
ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
binding = (unsigned long) SSL_get_ex_data(ssl, 0);
out = BIO_new(BIO_s_mem());
PEM_write_bio_X509(out, cert);
BIO_write(out, "\0", 1);
BIO_get_mem_ptr(out, &buf);
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
BUF_MEM_free(buf);
return result;
}
extern "C" void evma_accept_ssl_peer (const unsigned long binding)
{
ensure_eventmachine("evma_accept_ssl_peer");
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
cd->AcceptSslPeer();
}
extern "C" int evma_is_notify_writable (const unsigned long binding)
{
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
return cd->IsNotifyWritable() ? 1 : 0;
return -1;
}
extern "C" int evma_is_paused (const unsigned long binding)
{
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
return cd->IsPaused() ? 1 : 0;
return 0;
}
int ConnectionDescriptor::ReportErrorStatus (const char *binding)
{
// TODO: This is something of a hack, or at least it's a static method of the wrong class.
// TODO: Poor polymorphism here. We should be calling one virtual method
// instead of hacking out the runtime information of the target object.
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
return cd->_ReportErrorStatus();
return -1;
}
int ConnectionDescriptor::SendDataToConnection (const char *binding, const char *data, int data_length)
{
// TODO: This is something of a hack, or at least it's a static method of the wrong class.
// TODO: Poor polymorphism here. We should be calling one virtual method
// instead of hacking out the runtime information of the target object.
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
return cd->SendOutboundData (data, data_length);
DatagramDescriptor *ds = dynamic_cast <DatagramDescriptor*> (Bindable_t::GetObject (binding));
if (ds)
return ds->SendOutboundData (data, data_length);
#ifdef OS_UNIX
PipeDescriptor *ps = dynamic_cast <PipeDescriptor*> (Bindable_t::GetObject (binding));
if (ps)
return ps->SendOutboundData (data, data_length);
#endif
return -1;
}
void AcceptorDescriptor::Read()
{
/* Accept up to a certain number of sockets on the listening connection.
* Don't try to accept all that are present, because this would allow a DoS attack
* in which no data were ever read or written. We should accept more than one,
* if available, to keep the partially accepted sockets from backing up in the kernel.
*/
/* Make sure we use non-blocking i/o on the acceptor socket, since we're selecting it
* for readability. According to Stevens UNP, it's possible for an acceptor to select readable
* and then block when we call accept. For example, the other end resets the connection after
* the socket selects readable and before we call accept. The kernel will remove the dead
* socket from the accept queue. If the accept queue is now empty, accept will block.
*/
struct sockaddr_in pin;
socklen_t addrlen = sizeof (pin);
for (int i=0; i < 10; i++) {
int sd = accept (GetSocket(), (struct sockaddr*)&pin, &addrlen);
if (sd == INVALID_SOCKET) {
// This breaks the loop when we've accepted everything on the kernel queue,
// up to 10 new connections. But what if the *first* accept fails?
// Does that mean anything serious is happening, beyond the situation
// described in the note above?
break;
}
// Set the newly-accepted socket non-blocking.
// On Windows, this may fail because, weirdly, Windows inherits the non-blocking
// attribute that we applied to the acceptor socket into the accepted one.
if (!SetSocketNonblocking (sd)) {
//int val = fcntl (sd, F_GETFL, 0);
//if (fcntl (sd, F_SETFL, val | O_NONBLOCK) == -1) {
shutdown (sd, 1);
closesocket (sd);
continue;
}
// Disable slow-start (Nagle algorithm). Eventually make this configurable.
int one = 1;
setsockopt (sd, IPPROTO_TCP, TCP_NODELAY, (char*) &one, sizeof(one));
ConnectionDescriptor *cd = new ConnectionDescriptor (sd, MyEventMachine);
if (!cd)
throw std::runtime_error ("no newly accepted connection");
cd->SetServerMode();
if (EventCallback) {
(*EventCallback) (GetBinding().c_str(), EM_CONNECTION_ACCEPTED, cd->GetBinding().c_str(), cd->GetBinding().size());
}
#ifdef HAVE_EPOLL
cd->GetEpollEvent()->events = EPOLLIN | (cd->SelectForWrite() ? EPOLLOUT : 0);
#endif
assert (MyEventMachine);
MyEventMachine->Add (cd);
#ifdef HAVE_KQUEUE
if (cd->SelectForWrite())
MyEventMachine->ArmKqueueWriter (cd);
MyEventMachine->ArmKqueueReader (cd);
#endif
}
}
const char *EventMachine_t::ConnectToServer (const char *server, int port)
{
/* We want to spend no more than a few seconds waiting for a connection
* to a remote host. So we use a nonblocking connect.
* Linux disobeys the usual rules for nonblocking connects.
* Per Stevens (UNP p.410), you expect a nonblocking connect to select
* both readable and writable on error, and not to return EINPROGRESS
* if the connect can be fulfilled immediately. Linux violates both
* of these expectations.
* Any kind of nonblocking connect on Linux returns EINPROGRESS.
* The socket will then return writable when the disposition of the
* connect is known, but it will not also be readable in case of
* error! Weirdly, it will be readable in case there is data to read!!!
* (Which can happen with protocols like SSH and SMTP.)
* I suppose if you were so inclined you could consider this logical,
* but it's not the way Unix has historically done it.
* So we ignore the readable flag and read getsockopt to see if there
* was an error connecting. A select timeout works as expected.
* In regard to getsockopt: Linux does the Berkeley-style thing,
* not the Solaris-style, and returns zero with the error code in
* the error parameter.
* Return the binding-text of the newly-created pending connection,
* or NULL if there was a problem.
*/
if (!server || !*server || !port)
return NULL;
int family, bind_size;
struct sockaddr *bind_as = name2address (server, port, &family, &bind_size);
if (!bind_as)
return NULL;
int sd = socket (family, SOCK_STREAM, 0);
if (sd == INVALID_SOCKET)
return NULL;
/*
sockaddr_in pin;
unsigned long HostAddr;
HostAddr = inet_addr (server);
if (HostAddr == INADDR_NONE) {
hostent *hp = gethostbyname ((char*)server); // Windows requires (char*)
if (!hp) {
// TODO: This gives the caller a fatal error. Not good.
// They can respond by catching RuntimeError (blecch).
// Possibly we need to fire an unbind event and provide
// a status code so user code can detect the cause of the
// failure.
return NULL;
}
HostAddr = ((in_addr*)(hp->h_addr))->s_addr;
}
memset (&pin, 0, sizeof(pin));
pin.sin_family = AF_INET;
pin.sin_addr.s_addr = HostAddr;
pin.sin_port = htons (port);
int sd = socket (AF_INET, SOCK_STREAM, 0);
if (sd == INVALID_SOCKET)
return NULL;
*/
// From here on, ALL error returns must close the socket.
// Set the new socket nonblocking.
if (!SetSocketNonblocking (sd)) {
closesocket (sd);
return NULL;
}
// Disable slow-start (Nagle algorithm).
int one = 1;
setsockopt (sd, IPPROTO_TCP, TCP_NODELAY, (char*) &one, sizeof(one));
const char *out = NULL;
#ifdef OS_UNIX
//if (connect (sd, (sockaddr*)&pin, sizeof pin) == 0) {
if (connect (sd, bind_as, bind_size) == 0) {
// This is a connect success, which Linux appears
// never to give when the socket is nonblocking,
// even if the connection is intramachine or to
// localhost.
/* Changed this branch 08Aug06. Evidently some kernels
* (FreeBSD for example) will actually return success from
* a nonblocking connect. This is a pretty simple case,
* just set up the new connection and clear the pending flag.
* Thanks to Chris Ochs for helping track this down.
* This branch never gets taken on Linux or (oddly) OSX.
* The original behavior was to throw an unimplemented,
* which the user saw as a fatal exception. Very unfriendly.
*
* Tweaked 10Aug06. Even though the connect disposition is
* known, we still set the connect-pending flag. That way
* some needed initialization will happen in the ConnectionDescriptor.
* (To wit, the ConnectionCompleted event gets sent to the client.)
*/
ConnectionDescriptor *cd = new ConnectionDescriptor (sd, this);
if (!cd)
throw std::runtime_error ("no connection allocated");
cd->SetConnectPending (true);
Add (cd);
out = cd->GetBinding().c_str();
}
else if (errno == EINPROGRESS) {
// Errno will generally always be EINPROGRESS, but on Linux
// we have to look at getsockopt to be sure what really happened.
int error;
socklen_t len;
len = sizeof(error);
int o = getsockopt (sd, SOL_SOCKET, SO_ERROR, &error, &len);
if ((o == 0) && (error == 0)) {
// Here, there's no disposition.
// Put the connection on the stack and wait for it to complete
// or time out.
ConnectionDescriptor *cd = new ConnectionDescriptor (sd, this);
if (!cd)
throw std::runtime_error ("no connection allocated");
cd->SetConnectPending (true);
Add (cd);
out = cd->GetBinding().c_str();
}
else {
/* This could be connection refused or some such thing.
* We will come here on Linux if a localhost connection fails.
* Changed 16Jul06: Originally this branch was a no-op, and
* we'd drop down to the end of the method, close the socket,
* and return NULL, which would cause the caller to GET A
* FATAL EXCEPTION. Now we keep the socket around but schedule an
* immediate close on it, so the caller will get a close-event
* scheduled on it. This was only an issue for localhost connections
* to non-listening ports. We may eventually need to revise this
* revised behavior, in case it causes problems like making it hard
* for people to know that a failure occurred.
*/
ConnectionDescriptor *cd = new ConnectionDescriptor (sd, this);
if (!cd)
throw std::runtime_error ("no connection allocated");
cd->ScheduleClose (false);
Add (cd);
out = cd->GetBinding().c_str();
}
}
else {
// The error from connect was something other then EINPROGRESS.
}
#endif
#ifdef OS_WIN32
//if (connect (sd, (sockaddr*)&pin, sizeof pin) == 0) {
if (connect (sd, bind_as, bind_size) == 0) {
// This is a connect success, which Windows appears
// never to give when the socket is nonblocking,
// even if the connection is intramachine or to
// localhost.
throw std::runtime_error ("unimplemented");
}
else if (WSAGetLastError() == WSAEWOULDBLOCK) {
// Here, there's no disposition.
// Windows appears not to surface refused connections or
// such stuff at this point.
// Put the connection on the stack and wait for it to complete
// or time out.
ConnectionDescriptor *cd = new ConnectionDescriptor (sd, this);
if (!cd)
throw std::runtime_error ("no connection allocated");
cd->SetConnectPending (true);
Add (cd);
out = cd->GetBinding().c_str();
}
else {
// The error from connect was something other then WSAEWOULDBLOCK.
}
#endif
if (out == NULL)
closesocket (sd);
return out;
}
const char *EventMachine_t::ConnectToUnixServer (const char *server)
{
/* Connect to a Unix-domain server, which by definition is running
* on the same host.
* There is no meaningful implementation on Windows.
* There's no need to do a nonblocking connect, since the connection
* is always local and can always be fulfilled immediately.
*/
#ifdef OS_WIN32
throw std::runtime_error ("unix-domain connection unavailable on this platform");
return NULL;
#endif
// The whole rest of this function is only compiled on Unix systems.
#ifdef OS_UNIX
const char *out = NULL;
if (!server || !*server)
return NULL;
sockaddr_un pun;
memset (&pun, 0, sizeof(pun));
pun.sun_family = AF_LOCAL;
// You ordinarily expect the server name field to be at least 1024 bytes long,
// but on Linux it can be MUCH shorter.
if (strlen(server) >= sizeof(pun.sun_path))
throw std::runtime_error ("unix-domain server name is too long");
strcpy (pun.sun_path, server);
int fd = socket (AF_LOCAL, SOCK_STREAM, 0);
if (fd == INVALID_SOCKET)
return NULL;
// From here on, ALL error returns must close the socket.
// NOTE: At this point, the socket is still a blocking socket.
if (connect (fd, (struct sockaddr*)&pun, sizeof(pun)) != 0) {
closesocket (fd);
return NULL;
}
// Set the newly-connected socket nonblocking.
if (!SetSocketNonblocking (fd)) {
closesocket (fd);
return NULL;
}
// Set up a connection descriptor and add it to the event-machine.
// Observe, even though we know the connection status is connect-success,
// we still set the "pending" flag, so some needed initializations take
// place.
ConnectionDescriptor *cd = new ConnectionDescriptor (fd, this);
if (!cd)
throw std::runtime_error ("no connection allocated");
cd->SetConnectPending (true);
Add (cd);
out = cd->GetBinding().c_str();
if (out == NULL)
closesocket (fd);
return out;
#endif
}
extern "C" void evma_set_notify_writable (const unsigned long binding, int mode)
{
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject (binding));
if (cd)
cd->SetNotifyWritable (mode ? true : false);
}
