/* open new ports, update fds */ int bind_ports(void) { SERVICE_OPTIONS *opt; char *local_address; #ifdef USE_LIBWRAP /* execute after parse_commandline() to know service_options.next, * but as early as possible to avoid leaking file descriptors */ /* retry on each bind_ports() in case stunnel.conf was reloaded without "libwrap = no" */ libwrap_init(); #endif /* USE_LIBWRAP */ s_poll_init(fds); s_poll_add(fds, signal_pipe[0], 1, 0); /* allow clean unbind_ports() even though bind_ports() was not fully performed */ for(opt=service_options.next; opt; opt=opt->next) if(opt->option.accept) opt->fd=-1; for(opt=service_options.next; opt; opt=opt->next) { if(opt->option.accept) { opt->fd=s_socket(opt->local_addr.sa.sa_family, SOCK_STREAM, 0, 1, "accept socket"); if(opt->fd<0) return 1; if(set_socket_options(opt->fd, 0)<0) { closesocket(opt->fd); return 1; } /* local socket can't be unnamed */ local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr)); if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) { s_log(LOG_ERR, "Error binding service [%s] to %s", opt->servname, local_address); sockerror("bind"); closesocket(opt->fd); str_free(local_address); return 1; } if(listen(opt->fd, SOMAXCONN)) { sockerror("listen"); closesocket(opt->fd); str_free(local_address); return 1; } s_poll_add(fds, opt->fd, 1, 0); s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s", opt->servname, opt->fd, local_address); str_free(local_address); } else if(opt->option.program && opt->option.remote) { /* create exec+connect services */ create_client(-1, -1, alloc_client_session(opt, -1, -1), client_thread); } } return 0; /* OK */ }
/* return 1 when a short delay is needed before another try */ static int accept_connection(SERVICE_OPTIONS *opt) { SOCKADDR_UNION addr; char *from_address; int s; socklen_t addrlen; addrlen=sizeof addr; for(;;) { s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket"); if(s>=0) /* success! */ break; switch(get_last_socket_error()) { case S_EINTR: /* interrupted by a signal */ break; /* retry now */ case S_EMFILE: #ifdef S_ENFILE case S_ENFILE: #endif #ifdef S_ENOBUFS case S_ENOBUFS: #endif #ifdef S_ENOMEM case S_ENOMEM: #endif return 1; /* temporary lack of resources */ default: return 0; /* any other error */ } } from_address=s_ntop(&addr, addrlen); s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s", opt->servname, s, from_address); str_free(from_address); #ifndef USE_FORK if(max_clients && num_clients>=max_clients) { s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)", max_clients); closesocket(s); return 0; } #endif if(create_client(opt->fd, s, alloc_client_session(opt, s, s), client_thread)) { s_log(LOG_ERR, "Connection rejected: create_client failed"); closesocket(s); return 0; } return 0; }
void main_execute(void) { ssl_configure(); /* configure global SSL settings */ context_init(); /* initialize global SSL context */ /* check if started from inetd */ if(local_options.next) { /* there are service sections -> daemon mode */ daemon_loop(); } else { /* inetd mode */ #if !defined (USE_WIN32) && !defined (__vms) max_fds=FD_SETSIZE; /* just in case */ drop_privileges(); #endif num_clients=1; client(alloc_client_session(&local_options, 0, 1)); } /* close SSL */ context_free(); /* free global SSL context */ log_close(); }
static void accept_connection(LOCAL_OPTIONS *opt) { SOCKADDR_UNION addr; char from_address[IPLEN]; int s; socklen_t addrlen; addrlen=sizeof(SOCKADDR_UNION); while((s=accept(opt->fd, &addr.sa, &addrlen))<0) { switch(get_last_socket_error()) { case EINTR: break; /* retry */ case EMFILE: case ENFILE: #ifdef ENOBUFS case ENOBUFS: #endif case ENOMEM: sleep(1); /* temporarily out of resources - short delay */ default: sockerror("accept"); return; /* error */ } } s_ntop(from_address, &addr); s_log(LOG_DEBUG, "%s accepted FD=%d from %s", opt->servname, s, from_address); if(max_clients && num_clients>=max_clients) { s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)", max_clients); closesocket(s); return; } #ifdef FD_CLOEXEC fcntl(s, F_SETFD, FD_CLOEXEC); /* close socket in child execvp */ #endif if(create_client(opt->fd, s, alloc_client_session(opt, s, s), client)) { s_log(LOG_ERR, "Connection rejected: create_client failed"); closesocket(s); return; } enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */ num_clients++; leave_critical_section(CRIT_CLIENTS); }
static int main_unix(int argc, char* argv[]) { #if !defined(__vms) && !defined(USE_OS2) int fd; fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */ if(fd<0) fatal("Could not open /dev/null"); #endif /* standard Unix */ main_initialize(); if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) return 1; if(service_options.next) { /* there are service sections -> daemon mode */ #if !defined(__vms) && !defined(USE_OS2) if(daemonize(fd)) return 1; close(fd); /* create_pid() must be called after drop_privileges() * or it won't be possible to remove the file on exit */ /* create_pid() must be called after daemonize() * since the final pid is not known beforehand */ if(create_pid()) return 1; #endif /* standard Unix */ signal(SIGCHLD, signal_handler); /* handle dead children */ signal(SIGHUP, signal_handler); /* configuration reload */ signal(SIGUSR1, signal_handler); /* log reopen */ signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */ if(signal(SIGTERM, SIG_IGN)!=SIG_IGN) signal(SIGTERM, signal_handler); /* fatal */ if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN) signal(SIGQUIT, signal_handler); /* fatal */ if(signal(SIGINT, SIG_IGN)!=SIG_IGN) signal(SIGINT, signal_handler); /* fatal */ daemon_loop(); } else { /* inetd mode */ #if !defined(__vms) && !defined(USE_OS2) close(fd); #endif /* standard Unix */ signal(SIGCHLD, SIG_IGN); /* ignore dead children */ signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */ client_main(alloc_client_session(&service_options, 0, 1)); } return 0; }
NOEXPORT int main_unix(int argc, char* argv[]) { int configure_status; #if !defined(__vms) && !defined(USE_OS2) int fd; fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */ if(fd==INVALID_SOCKET) fatal("Could not open /dev/null"); #endif #ifdef WOLFSSL_DEBUG_ON wolfSSL_Debugging_ON(); wolfSSL_SetLoggingCb((wolfSSL_Logging_cb)&wolfSSL_s_log); #endif main_init(); configure_status=main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL); switch(configure_status) { case 1: /* error -> exit with 1 to indicate error */ close(fd); return 1; case 2: /* information printed -> exit with 0 to indicate success */ close(fd); return 0; } if(service_options.next) { /* there are service sections -> daemon mode */ #if !defined(__vms) && !defined(USE_OS2) if(daemonize(fd)) { close(fd); return 1; } close(fd); /* create_pid() must be called after drop_privileges() * or it won't be possible to remove the file on exit */ /* create_pid() must be called after daemonize() * since the final pid is not known beforehand */ if(create_pid()) return 1; #endif #ifndef USE_OS2 signal(SIGCHLD, signal_handler); /* handle dead children */ signal(SIGHUP, signal_handler); /* configuration reload */ signal(SIGUSR1, signal_handler); /* log reopen */ signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */ if(signal(SIGTERM, SIG_IGN)!=SIG_IGN) signal(SIGTERM, signal_handler); /* fatal */ if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN) signal(SIGQUIT, signal_handler); /* fatal */ if(signal(SIGINT, SIG_IGN)!=SIG_IGN) signal(SIGINT, signal_handler); /* fatal */ #endif daemon_loop(); } else { /* inetd mode */ #if !defined(__vms) && !defined(USE_OS2) close(fd); #endif /* standard Unix */ #ifndef USE_OS2 signal(SIGCHLD, SIG_IGN); /* ignore dead children */ signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */ #endif set_nonblock(0, 1); /* stdin */ set_nonblock(1, 1); /* stdout */ client_main(alloc_client_session(&service_options, 0, 1)); } return 0; }
static void daemon_loop(void) { SOCKADDR_UNION addr; s_poll_set fds; LOCAL_OPTIONS *opt; get_limits(); s_poll_zero(&fds); #ifndef USE_WIN32 s_poll_add(&fds, signal_pipe_init(), 1, 0); #endif if(!local_options.next) { s_log(LOG_ERR, "No connections defined in config file"); exit(1); } num_clients=0; /* bind local ports */ for(opt=local_options.next; opt; opt=opt->next) { if(!opt->option.accept) /* no need to bind this service */ continue; memcpy(&addr, &opt->local_addr.addr[0], sizeof(SOCKADDR_UNION)); if((opt->fd=socket(addr.sa.sa_family, SOCK_STREAM, 0))<0) { sockerror("local socket"); exit(1); } if(alloc_fd(opt->fd)) exit(1); if(set_socket_options(opt->fd, 0)<0) exit(1); s_ntop(opt->local_address, &addr); if(bind(opt->fd, &addr.sa, addr_len(addr))) { s_log(LOG_ERR, "Error binding %s to %s", opt->servname, opt->local_address); sockerror("bind"); exit(1); } s_log(LOG_DEBUG, "%s bound to %s", opt->servname, opt->local_address); if(listen(opt->fd, 5)) { sockerror("listen"); exit(1); } #ifdef FD_CLOEXEC fcntl(opt->fd, F_SETFD, FD_CLOEXEC); /* close socket in child execvp */ #endif s_poll_add(&fds, opt->fd, 1, 0); } #if !defined (USE_WIN32) && !defined (__vms) if(!(options.option.foreground)) daemonize(); drop_privileges(); create_pid(); #endif /* !defined USE_WIN32 && !defined (__vms) */ /* create exec+connect services */ for(opt=local_options.next; opt; opt=opt->next) { if(opt->option.accept) /* skip ordinary (accepting) services */ continue; enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */ num_clients++; leave_critical_section(CRIT_CLIENTS); create_client(-1, -1, alloc_client_session(opt, -1, -1), client); } while(1) { if(s_poll_wait(&fds, -1)<0) /* non-critical error */ log_error(LOG_INFO, get_last_socket_error(), "daemon_loop: s_poll_wait"); else for(opt=local_options.next; opt; opt=opt->next) if(s_poll_canread(&fds, opt->fd)) accept_connection(opt); } s_log(LOG_ERR, "INTERNAL ERROR: End of infinite loop 8-)"); }
/* open new ports, update fds */ int bind_ports(void) { SERVICE_OPTIONS *opt; char *local_address; int listening_section; #ifdef USE_LIBWRAP /* execute after options_cmdline() to know service_options.next, * but as early as possible to avoid leaking file descriptors */ /* retry on each bind_ports() in case stunnel.conf was reloaded without "libwrap = no" */ libwrap_init(); #endif /* USE_LIBWRAP */ s_poll_init(fds); s_poll_add(fds, signal_pipe[0], 1, 0); /* allow clean unbind_ports() even though bind_ports() was not fully performed */ for(opt=service_options.next; opt; opt=opt->next) if(opt->option.accept) opt->fd=INVALID_SOCKET; listening_section=0; for(opt=service_options.next; opt; opt=opt->next) { if(opt->option.accept) { if(listening_section<systemd_fds) { opt->fd=(SOCKET)(listen_fds_start+listening_section); s_log(LOG_DEBUG, "Listening file descriptor received from systemd (FD=%d)", opt->fd); } else { opt->fd=s_socket(opt->local_addr.sa.sa_family, SOCK_STREAM, 0, 1, "accept socket"); if(opt->fd==INVALID_SOCKET) return 1; s_log(LOG_DEBUG, "Listening file descriptor created (FD=%d)", opt->fd); } if(set_socket_options(opt->fd, 0)<0) { closesocket(opt->fd); opt->fd=INVALID_SOCKET; return 1; } /* local socket can't be unnamed */ local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr)); /* we don't bind or listen on a socket inherited from systemd */ if(listening_section>=systemd_fds) { if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) { s_log(LOG_ERR, "Error binding service [%s] to %s", opt->servname, local_address); sockerror("bind"); closesocket(opt->fd); opt->fd=INVALID_SOCKET; str_free(local_address); return 1; } if(listen(opt->fd, SOMAXCONN)) { sockerror("listen"); closesocket(opt->fd); opt->fd=INVALID_SOCKET; str_free(local_address); return 1; } } s_poll_add(fds, opt->fd, 1, 0); s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s", opt->servname, opt->fd, local_address); str_free(local_address); ++listening_section; } else if(opt->exec_name && opt->connect_addr.names) { /* create exec+connect services */ /* FIXME: needs to be delayed on reload with opt->option.retry set */ create_client(INVALID_SOCKET, INVALID_SOCKET, alloc_client_session(opt, INVALID_SOCKET, INVALID_SOCKET), client_thread); } } if(listening_section<systemd_fds) { s_log(LOG_ERR, "Too many listening file descriptors received from systemd, got %d", systemd_fds); return 1; } return 0; /* OK */ }
void child_status(void) { /* dead libwrap or 'exec' process detected */ int pid, status; char *sig_name; #ifdef HAVE_WAIT_FOR_PID while((pid=wait_for_pid(-1, &status, WNOHANG))>0) { #else if((pid=wait(&status))>0) { #endif #ifdef WIFSIGNALED if(WIFSIGNALED(status)) { sig_name=signal_name(WTERMSIG(status)); s_log(LOG_INFO, "Child process %d terminated on %s", pid, sig_name); str_free(sig_name); } else { s_log(LOG_INFO, "Child process %d finished with code %d", pid, WEXITSTATUS(status)); } #else s_log(LOG_INFO, "Child process %d finished with status %d", pid, status); #endif } } #endif /* !defined(USE_OS2) */ #endif /* !defined(USE_WIN32) */ /**************************************** main loop accepting connections */ void daemon_loop(void) { while(1) { int temporary_lack_of_resources=0; int num=s_poll_wait(fds, -1, -1); if(num>=0) { SERVICE_OPTIONS *opt; s_log(LOG_DEBUG, "Found %d ready file descriptor(s)", num); if(service_options.log_level>=LOG_DEBUG) /* performance optimization */ s_poll_dump(fds, LOG_DEBUG); if(s_poll_canread(fds, signal_pipe[0])) if(signal_pipe_dispatch()) /* SIGNAL_TERMINATE or error */ break; /* terminate daemon_loop */ for(opt=service_options.next; opt; opt=opt->next) if(opt->option.accept && s_poll_canread(fds, opt->fd)) if(accept_connection(opt)) temporary_lack_of_resources=1; } else { log_error(LOG_NOTICE, get_last_socket_error(), "daemon_loop: s_poll_wait"); temporary_lack_of_resources=1; } if(temporary_lack_of_resources) { s_log(LOG_NOTICE, "Accepting new connections suspended for 1 second"); sleep(1); /* to avoid log trashing */ } } } /* return 1 when a short delay is needed before another try */ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt) { SOCKADDR_UNION addr; char *from_address; SOCKET s; socklen_t addrlen; addrlen=sizeof addr; for(;;) { s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket"); if(s!=INVALID_SOCKET) /* success! */ break; switch(get_last_socket_error()) { case S_EINTR: /* interrupted by a signal */ break; /* retry now */ case S_EMFILE: #ifdef S_ENFILE case S_ENFILE: #endif #ifdef S_ENOBUFS case S_ENOBUFS: #endif #ifdef S_ENOMEM case S_ENOMEM: #endif return 1; /* temporary lack of resources */ default: return 0; /* any other error */ } } from_address=s_ntop(&addr, addrlen); s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s", opt->servname, s, from_address); str_free(from_address); #ifdef USE_FORK RAND_add("", 1, 0.0); /* each child needs a unique entropy pool */ #else if(max_clients && num_clients>=max_clients) { s_log(LOG_WARNING, "Connection rejected: too many clients (>=%ld)", max_clients); closesocket(s); return 0; } #endif if(create_client(opt->fd, s, alloc_client_session(opt, s, s), client_thread)) { s_log(LOG_ERR, "Connection rejected: create_client failed"); closesocket(s); return 0; } return 0; }