/* open new ports, update fds */
int bind_ports(void) {
SERVICE_OPTIONS *opt;
char *local_address;
#ifdef USE_LIBWRAP
/* execute after parse_commandline() to know service_options.next,
* but as early as possible to avoid leaking file descriptors */
/* retry on each bind_ports() in case stunnel.conf was reloaded
without "libwrap = no" */
libwrap_init();
#endif /* USE_LIBWRAP */
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
/* allow clean unbind_ports() even though
bind_ports() was not fully performed */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept)
opt->fd=-1;
for(opt=service_options.next; opt; opt=opt->next) {
if(opt->option.accept) {
opt->fd=s_socket(opt->local_addr.sa.sa_family,
SOCK_STREAM, 0, 1, "accept socket");
if(opt->fd<0)
return 1;
if(set_socket_options(opt->fd, 0)<0) {
closesocket(opt->fd);
return 1;
}
/* local socket can't be unnamed */
local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
s_log(LOG_ERR, "Error binding service [%s] to %s",
opt->servname, local_address);
sockerror("bind");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
if(listen(opt->fd, SOMAXCONN)) {
sockerror("listen");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
s_poll_add(fds, opt->fd, 1, 0);
s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
opt->servname, opt->fd, local_address);
str_free(local_address);
} else if(opt->option.program && opt->option.remote) {
/* create exec+connect services */
create_client(-1, -1,
alloc_client_session(opt, -1, -1), client_thread);
}
}
return 0; /* OK */
}
/* return 1 when a short delay is needed before another try */
static int accept_connection(SERVICE_OPTIONS *opt) {
SOCKADDR_UNION addr;
char *from_address;
int s;
socklen_t addrlen;
addrlen=sizeof addr;
for(;;) {
s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket");
if(s>=0) /* success! */
break;
switch(get_last_socket_error()) {
case S_EINTR: /* interrupted by a signal */
break; /* retry now */
case S_EMFILE:
#ifdef S_ENFILE
case S_ENFILE:
#endif
#ifdef S_ENOBUFS
case S_ENOBUFS:
#endif
#ifdef S_ENOMEM
case S_ENOMEM:
#endif
return 1; /* temporary lack of resources */
default:
return 0; /* any other error */
}
}
from_address=s_ntop(&addr, addrlen);
s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s",
opt->servname, s, from_address);
str_free(from_address);
#ifndef USE_FORK
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)",
max_clients);
closesocket(s);
return 0;
}
#endif
if(create_client(opt->fd, s,
alloc_client_session(opt, s, s), client_thread)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return 0;
}
return 0;
}
void main_execute(void) {
ssl_configure(); /* configure global SSL settings */
context_init(); /* initialize global SSL context */
/* check if started from inetd */
if(local_options.next) { /* there are service sections -> daemon mode */
daemon_loop();
} else { /* inetd mode */
#if !defined (USE_WIN32) && !defined (__vms)
max_fds=FD_SETSIZE; /* just in case */
drop_privileges();
#endif
num_clients=1;
client(alloc_client_session(&local_options, 0, 1));
}
/* close SSL */
context_free(); /* free global SSL context */
log_close();
}
static void accept_connection(LOCAL_OPTIONS *opt) {
SOCKADDR_UNION addr;
char from_address[IPLEN];
int s;
socklen_t addrlen;
addrlen=sizeof(SOCKADDR_UNION);
while((s=accept(opt->fd, &addr.sa, &addrlen))<0) {
switch(get_last_socket_error()) {
case EINTR:
break; /* retry */
case EMFILE:
case ENFILE:
#ifdef ENOBUFS
case ENOBUFS:
#endif
case ENOMEM:
sleep(1); /* temporarily out of resources - short delay */
default:
sockerror("accept");
return; /* error */
}
}
s_ntop(from_address, &addr);
s_log(LOG_DEBUG, "%s accepted FD=%d from %s",
opt->servname, s, from_address);
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)",
max_clients);
closesocket(s);
return;
}
#ifdef FD_CLOEXEC
fcntl(s, F_SETFD, FD_CLOEXEC); /* close socket in child execvp */
#endif
if(create_client(opt->fd, s, alloc_client_session(opt, s, s), client)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return;
}
enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */
num_clients++;
leave_critical_section(CRIT_CLIENTS);
}
static int main_unix(int argc, char* argv[]) {
#if !defined(__vms) && !defined(USE_OS2)
int fd;
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd<0)
fatal("Could not open /dev/null");
#endif /* standard Unix */
main_initialize();
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
return 1;
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd))
return 1;
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif /* standard Unix */
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
daemon_loop();
} else { /* inetd mode */
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
client_main(alloc_client_session(&service_options, 0, 1));
}
return 0;
}
NOEXPORT int main_unix(int argc, char* argv[]) {
int configure_status;
#if !defined(__vms) && !defined(USE_OS2)
int fd;
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd==INVALID_SOCKET)
fatal("Could not open /dev/null");
#endif
#ifdef WOLFSSL_DEBUG_ON
wolfSSL_Debugging_ON();
wolfSSL_SetLoggingCb((wolfSSL_Logging_cb)&wolfSSL_s_log);
#endif
main_init();
configure_status=main_configure(argc>1 ? argv[1] : NULL,
argc>2 ? argv[2] : NULL);
switch(configure_status) {
case 1: /* error -> exit with 1 to indicate error */
close(fd);
return 1;
case 2: /* information printed -> exit with 0 to indicate success */
close(fd);
return 0;
}
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd)) {
close(fd);
return 1;
}
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif
#ifndef USE_OS2
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
#endif
daemon_loop();
} else { /* inetd mode */
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
#ifndef USE_OS2
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
#endif
set_nonblock(0, 1); /* stdin */
set_nonblock(1, 1); /* stdout */
client_main(alloc_client_session(&service_options, 0, 1));
}
return 0;
}
static void daemon_loop(void) {
SOCKADDR_UNION addr;
s_poll_set fds;
LOCAL_OPTIONS *opt;
get_limits();
s_poll_zero(&fds);
#ifndef USE_WIN32
s_poll_add(&fds, signal_pipe_init(), 1, 0);
#endif
if(!local_options.next) {
s_log(LOG_ERR, "No connections defined in config file");
exit(1);
}
num_clients=0;
/* bind local ports */
for(opt=local_options.next; opt; opt=opt->next) {
if(!opt->option.accept) /* no need to bind this service */
continue;
memcpy(&addr, &opt->local_addr.addr[0], sizeof(SOCKADDR_UNION));
if((opt->fd=socket(addr.sa.sa_family, SOCK_STREAM, 0))<0) {
sockerror("local socket");
exit(1);
}
if(alloc_fd(opt->fd))
exit(1);
if(set_socket_options(opt->fd, 0)<0)
exit(1);
s_ntop(opt->local_address, &addr);
if(bind(opt->fd, &addr.sa, addr_len(addr))) {
s_log(LOG_ERR, "Error binding %s to %s",
opt->servname, opt->local_address);
sockerror("bind");
exit(1);
}
s_log(LOG_DEBUG, "%s bound to %s", opt->servname, opt->local_address);
if(listen(opt->fd, 5)) {
sockerror("listen");
exit(1);
}
#ifdef FD_CLOEXEC
fcntl(opt->fd, F_SETFD, FD_CLOEXEC); /* close socket in child execvp */
#endif
s_poll_add(&fds, opt->fd, 1, 0);
}
#if !defined (USE_WIN32) && !defined (__vms)
if(!(options.option.foreground))
daemonize();
drop_privileges();
create_pid();
#endif /* !defined USE_WIN32 && !defined (__vms) */
/* create exec+connect services */
for(opt=local_options.next; opt; opt=opt->next) {
if(opt->option.accept) /* skip ordinary (accepting) services */
continue;
enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */
num_clients++;
leave_critical_section(CRIT_CLIENTS);
create_client(-1, -1, alloc_client_session(opt, -1, -1), client);
}
while(1) {
if(s_poll_wait(&fds, -1)<0) /* non-critical error */
log_error(LOG_INFO, get_last_socket_error(),
"daemon_loop: s_poll_wait");
else
for(opt=local_options.next; opt; opt=opt->next)
if(s_poll_canread(&fds, opt->fd))
accept_connection(opt);
}
s_log(LOG_ERR, "INTERNAL ERROR: End of infinite loop 8-)");
}
/* open new ports, update fds */
int bind_ports(void) {
SERVICE_OPTIONS *opt;
char *local_address;
int listening_section;
#ifdef USE_LIBWRAP
/* execute after options_cmdline() to know service_options.next,
* but as early as possible to avoid leaking file descriptors */
/* retry on each bind_ports() in case stunnel.conf was reloaded
without "libwrap = no" */
libwrap_init();
#endif /* USE_LIBWRAP */
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
/* allow clean unbind_ports() even though
bind_ports() was not fully performed */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept)
opt->fd=INVALID_SOCKET;
listening_section=0;
for(opt=service_options.next; opt; opt=opt->next) {
if(opt->option.accept) {
if(listening_section<systemd_fds) {
opt->fd=(SOCKET)(listen_fds_start+listening_section);
s_log(LOG_DEBUG,
"Listening file descriptor received from systemd (FD=%d)",
opt->fd);
} else {
opt->fd=s_socket(opt->local_addr.sa.sa_family,
SOCK_STREAM, 0, 1, "accept socket");
if(opt->fd==INVALID_SOCKET)
return 1;
s_log(LOG_DEBUG, "Listening file descriptor created (FD=%d)",
opt->fd);
}
if(set_socket_options(opt->fd, 0)<0) {
closesocket(opt->fd);
opt->fd=INVALID_SOCKET;
return 1;
}
/* local socket can't be unnamed */
local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
/* we don't bind or listen on a socket inherited from systemd */
if(listening_section>=systemd_fds) {
if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
s_log(LOG_ERR, "Error binding service [%s] to %s",
opt->servname, local_address);
sockerror("bind");
closesocket(opt->fd);
opt->fd=INVALID_SOCKET;
str_free(local_address);
return 1;
}
if(listen(opt->fd, SOMAXCONN)) {
sockerror("listen");
closesocket(opt->fd);
opt->fd=INVALID_SOCKET;
str_free(local_address);
return 1;
}
}
s_poll_add(fds, opt->fd, 1, 0);
s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
opt->servname, opt->fd, local_address);
str_free(local_address);
++listening_section;
} else if(opt->exec_name && opt->connect_addr.names) {
/* create exec+connect services */
/* FIXME: needs to be delayed on reload with opt->option.retry set */
create_client(INVALID_SOCKET, INVALID_SOCKET,
alloc_client_session(opt, INVALID_SOCKET, INVALID_SOCKET),
client_thread);
}
}
if(listening_section<systemd_fds) {
s_log(LOG_ERR,
"Too many listening file descriptors received from systemd, got %d",
systemd_fds);
return 1;
}
return 0; /* OK */
}
void child_status(void) { /* dead libwrap or 'exec' process detected */
int pid, status;
char *sig_name;
#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
sig_name=signal_name(WTERMSIG(status));
s_log(LOG_INFO, "Child process %d terminated on %s",
pid, sig_name);
str_free(sig_name);
} else {
s_log(LOG_INFO, "Child process %d finished with code %d",
pid, WEXITSTATUS(status));
}
#else
s_log(LOG_INFO, "Child process %d finished with status %d",
pid, status);
#endif
}
}
#endif /* !defined(USE_OS2) */
#endif /* !defined(USE_WIN32) */
/**************************************** main loop accepting connections */
void daemon_loop(void) {
while(1) {
int temporary_lack_of_resources=0;
int num=s_poll_wait(fds, -1, -1);
if(num>=0) {
SERVICE_OPTIONS *opt;
s_log(LOG_DEBUG, "Found %d ready file descriptor(s)", num);
if(service_options.log_level>=LOG_DEBUG) /* performance optimization */
s_poll_dump(fds, LOG_DEBUG);
if(s_poll_canread(fds, signal_pipe[0]))
if(signal_pipe_dispatch()) /* SIGNAL_TERMINATE or error */
break; /* terminate daemon_loop */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && s_poll_canread(fds, opt->fd))
if(accept_connection(opt))
temporary_lack_of_resources=1;
} else {
log_error(LOG_NOTICE, get_last_socket_error(),
"daemon_loop: s_poll_wait");
temporary_lack_of_resources=1;
}
if(temporary_lack_of_resources) {
s_log(LOG_NOTICE,
"Accepting new connections suspended for 1 second");
sleep(1); /* to avoid log trashing */
}
}
}
/* return 1 when a short delay is needed before another try */
NOEXPORT int accept_connection(SERVICE_OPTIONS *opt) {
SOCKADDR_UNION addr;
char *from_address;
SOCKET s;
socklen_t addrlen;
addrlen=sizeof addr;
for(;;) {
s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket");
if(s!=INVALID_SOCKET) /* success! */
break;
switch(get_last_socket_error()) {
case S_EINTR: /* interrupted by a signal */
break; /* retry now */
case S_EMFILE:
#ifdef S_ENFILE
case S_ENFILE:
#endif
#ifdef S_ENOBUFS
case S_ENOBUFS:
#endif
#ifdef S_ENOMEM
case S_ENOMEM:
#endif
return 1; /* temporary lack of resources */
default:
return 0; /* any other error */
}
}
from_address=s_ntop(&addr, addrlen);
s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s",
opt->servname, s, from_address);
str_free(from_address);
#ifdef USE_FORK
RAND_add("", 1, 0.0); /* each child needs a unique entropy pool */
#else
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%ld)",
max_clients);
closesocket(s);
return 0;
}
#endif
if(create_client(opt->fd, s,
alloc_client_session(opt, s, s), client_thread)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return 0;
}
return 0;
}
