int kore_connection_accept(struct listener *l, struct connection **out) { socklen_t len; struct connection *c; kore_debug("kore_connection_accept(%p)", l); *out = NULL; len = sizeof(struct sockaddr_in); c = kore_pool_get(&connection_pool); if ((c->fd = accept(l->fd, (struct sockaddr *)&(c->sin), &len)) == -1) { kore_pool_put(&connection_pool, c); kore_debug("accept(): %s", errno_s); return (KORE_RESULT_ERROR); } if (!kore_connection_nonblock(c->fd)) { close(c->fd); kore_pool_put(&connection_pool, c); return (KORE_RESULT_ERROR); } c->owner = l; c->ssl = NULL; c->flags = 0; c->inflate_started = 0; c->deflate_started = 0; c->client_stream_id = 0; c->proto = CONN_PROTO_UNKNOWN; c->state = CONN_STATE_SSL_SHAKE; c->wsize_initial = SPDY_INIT_WSIZE; c->idle_timer.start = 0; c->idle_timer.length = KORE_IDLE_TIMER_MAX; TAILQ_INIT(&(c->send_queue)); TAILQ_INIT(&(c->recv_queue)); TAILQ_INIT(&(c->spdy_streams)); kore_worker_connection_add(c); kore_connection_start_idletimer(c); *out = c; return (KORE_RESULT_OK); }
/* * Called for every new connection on a certain ip/port. Which one is * configured in the TLS proxy its configuration file. */ void client_setup(struct connection *c) { int i, fd; struct connection *backend; /* Paranoia. */ if (c->ssl->session == NULL || c->ssl->session->tlsext_hostname == NULL) { kore_connection_disconnect(c); return; } /* Figure out what backend to use. */ for (i = 0; backends[i].name != NULL; i++) { if (!strcasecmp(backends[i].name, c->ssl->session->tlsext_hostname)) break; } /* If we don't have any backends, we just disconnect the client. */ if (backends[i].name == NULL) { kore_connection_disconnect(c); return; } /* Create new socket for the backend connection. */ if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { kore_log(LOG_ERR, "socket(): %s", errno_s); kore_connection_disconnect(c); return; } /* Set it to non blocking as well. */ if (!kore_connection_nonblock(fd, 1)) { close(fd); kore_connection_disconnect(c); return; } /* Grab a new connection from Kore to hook backend into. */ backend = kore_connection_new(NULL); /* Prepare our connection. */ backend->addrtype = AF_INET; backend->addr.ipv4.sin_family = AF_INET; backend->addr.ipv4.sin_port = htons(backends[i].port); backend->addr.ipv4.sin_addr.s_addr = inet_addr(backends[i].ip); /* Set the file descriptor for the backend. */ backend->fd = fd; /* Default write/read callbacks for backend. */ backend->read = net_read; backend->write = net_write; /* Connection type (unknown to Kore). */ backend->proto = CONN_PROTO_UNKNOWN; backend->state = CONN_STATE_ESTABLISHED; /* The backend idle timer is set first to connection timeout. */ backend->idle_timer.length = PROXY_CONNECT_TIMEOUT; /* The client idle timer is set to default idle time. */ c->idle_timer.length = PROXY_TIMEOUT; /* Now link both the client and the backend connection together. */ c->hdlr_extra = backend; backend->hdlr_extra = c; /* * The handle function pointer for the backend is set to the * backend_handle_connect() while connecting. */ c->handle = client_handle; backend->handle = backend_handle_connect; /* Set the disconnect method for both connections. */ c->disconnect = disconnect; backend->disconnect = disconnect; /* Queue write events for the backend connection for now. */ kore_platform_schedule_write(backend->fd, backend); /* Start idle timer for the backend. */ kore_connection_start_idletimer(backend); /* Set our client connection to established. */ c->state = CONN_STATE_ESTABLISHED; /* Insert the backend into the list of Kore connections. */ TAILQ_INSERT_TAIL(&connections, backend, list); /* Kick off connecting. */ backend->flags |= CONN_WRITE_POSSIBLE; backend->handle(backend); }
/* * Connect to our target host:port and attach it to a struct connection that * Kore understands. We set the disconnect method so we get a callback * whenever either of the connections will go away so we can cleanup the * one it is attached to. */ static int ktunnel_pipe_create(struct connection *c, const char *host, const char *port) { struct sockaddr_in sin; struct connection *cpipe; u_int16_t nport; int fd, err; nport = kore_strtonum(port, 10, 1, SHRT_MAX, &err); if (err == KORE_RESULT_ERROR) { kore_log(LOG_ERR, "invalid port given %s", port); return (KORE_RESULT_ERROR); } if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { kore_log(LOG_ERR, "socket(): %s", errno_s); return (KORE_RESULT_ERROR); } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(nport); sin.sin_addr.s_addr = inet_addr(host); kore_log(LOG_NOTICE, "Attempting to connect to %s:%s", host, port); if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { close(fd); kore_log(LOG_ERR, "connect(): %s", errno_s); return (KORE_RESULT_ERROR); } if (!kore_connection_nonblock(fd)) { close(fd); return (KORE_RESULT_ERROR); } cpipe = kore_connection_new(c); cpipe->fd = fd; cpipe->addr.ipv4 = sin; cpipe->read = net_read; cpipe->write = net_write; cpipe->addrtype = AF_INET; cpipe->proto = CONN_PROTO_UNKNOWN; cpipe->state = CONN_STATE_ESTABLISHED; /* Don't let these connections timeout any time soon. */ cpipe->idle_timer.length = 10000000000; c->idle_timer.length = 10000000000; c->hdlr_extra = cpipe; cpipe->hdlr_extra = c; c->disconnect = ktunnel_pipe_disconnect; cpipe->disconnect = ktunnel_pipe_disconnect; kore_worker_connection_add(cpipe); kore_connection_start_idletimer(cpipe); kore_platform_event_all(cpipe->fd, cpipe); net_recv_reset(c, NETBUF_SEND_PAYLOAD_MAX, ktunnel_pipe_data); net_recv_queue(cpipe, NETBUF_SEND_PAYLOAD_MAX, NETBUF_CALL_CB_ALWAYS, ktunnel_pipe_data); printf("connection started to %s (%p -> %p)\n", host, c, cpipe); return (KORE_RESULT_OK); }
int main(int argc, char *argv[]) { int ch, flags; flags = 0; #if !defined(KORE_SINGLE_BINARY) while ((ch = getopt(argc, argv, "c:dfhnrv")) != -1) { #else while ((ch = getopt(argc, argv, "dfhnrv")) != -1) { #endif flags++; switch (ch) { #if !defined(KORE_SINGLE_BINARY) case 'c': config_file = optarg; break; #endif #if defined(KORE_DEBUG) case 'd': kore_debug = 1; break; #endif case 'f': foreground = 1; break; case 'h': usage(); break; case 'n': skip_chroot = 1; break; case 'r': skip_runas = 1; break; case 'v': version(); break; default: usage(); } } argc -= optind; argv += optind; kore_mem_init(); #if !defined(KORE_SINGLE_BINARY) if (argc > 0) { if (flags) fatal("You cannot specify kore flags and a command"); return (kore_cli_main(argc, argv)); } #endif kore_pid = getpid(); nlisteners = 0; LIST_INIT(&listeners); kore_log_init(); #if !defined(KORE_NO_HTTP) kore_auth_init(); kore_validator_init(); #endif kore_domain_init(); kore_module_init(); kore_server_sslstart(); #if !defined(KORE_SINGLE_BINARY) if (config_file == NULL) usage(); #else kore_module_load(NULL, NULL); #endif kore_parse_config(); kore_platform_init(); #if !defined(KORE_NO_HTTP) kore_accesslog_init(); if (http_body_disk_offload > 0) { if (mkdir(http_body_disk_path, 0700) == -1 && errno != EEXIST) { printf("can't create http_body_disk_path '%s': %s\n", http_body_disk_path, errno_s); return (KORE_RESULT_ERROR); } } #endif sig_recv = 0; signal(SIGHUP, kore_signal); signal(SIGQUIT, kore_signal); signal(SIGTERM, kore_signal); if (foreground) signal(SIGINT, kore_signal); else signal(SIGINT, SIG_IGN); kore_server_start(); kore_log(LOG_NOTICE, "server shutting down"); kore_worker_shutdown(); if (!foreground) unlink(kore_pidfile); kore_listener_cleanup(); kore_log(LOG_NOTICE, "goodbye"); return (0); } #if !defined(KORE_NO_TLS) int kore_tls_sni_cb(SSL *ssl, int *ad, void *arg) { struct kore_domain *dom; const char *sname; sname = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); kore_debug("kore_tls_sni_cb(): received host %s", sname); if (sname != NULL && (dom = kore_domain_lookup(sname)) != NULL) { kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname); SSL_set_SSL_CTX(ssl, dom->ssl_ctx); if (dom->cafile != NULL) { SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); } else { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } return (SSL_TLSEXT_ERR_OK); } return (SSL_TLSEXT_ERR_NOACK); } void kore_tls_info_callback(const SSL *ssl, int flags, int ret) { struct connection *c; if (flags & SSL_CB_HANDSHAKE_START) { if ((c = SSL_get_app_data(ssl)) == NULL) fatal("no SSL_get_app_data"); c->tls_reneg++; } } #endif int kore_server_bind(const char *ip, const char *port, const char *ccb) { struct listener *l; int on, r; struct addrinfo hints, *results; kore_debug("kore_server_bind(%s, %s)", ip, port); memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = 0; r = getaddrinfo(ip, port, &hints, &results); if (r != 0) fatal("getaddrinfo(%s): %s", ip, gai_strerror(r)); l = kore_malloc(sizeof(struct listener)); l->type = KORE_TYPE_LISTENER; l->addrtype = results->ai_family; if (l->addrtype != AF_INET && l->addrtype != AF_INET6) fatal("getaddrinfo(): unknown address family %d", l->addrtype); if ((l->fd = socket(results->ai_family, SOCK_STREAM, 0)) == -1) { kore_free(l); freeaddrinfo(results); kore_debug("socket(): %s", errno_s); printf("failed to create socket: %s\n", errno_s); return (KORE_RESULT_ERROR); } if (!kore_connection_nonblock(l->fd, 1)) { kore_free(l); freeaddrinfo(results); printf("failed to make socket non blocking: %s\n", errno_s); return (KORE_RESULT_ERROR); } on = 1; if (setsockopt(l->fd, SOL_SOCKET, SO_REUSEADDR, (const char *)&on, sizeof(on)) == -1) { close(l->fd); kore_free(l); freeaddrinfo(results); kore_debug("setsockopt(): %s", errno_s); printf("failed to set SO_REUSEADDR: %s\n", errno_s); return (KORE_RESULT_ERROR); } if (bind(l->fd, results->ai_addr, results->ai_addrlen) == -1) { close(l->fd); kore_free(l); freeaddrinfo(results); kore_debug("bind(): %s", errno_s); printf("failed to bind to %s port %s: %s\n", ip, port, errno_s); return (KORE_RESULT_ERROR); } freeaddrinfo(results); if (listen(l->fd, kore_socket_backlog) == -1) { close(l->fd); kore_free(l); kore_debug("listen(): %s", errno_s); printf("failed to listen on socket: %s\n", errno_s); return (KORE_RESULT_ERROR); } if (ccb != NULL) { *(void **)&(l->connect) = kore_module_getsym(ccb); if (l->connect == NULL) { printf("no such callback: '%s'\n", ccb); close(l->fd); kore_free(l); return (KORE_RESULT_ERROR); } } else { l->connect = NULL; } nlisteners++; LIST_INSERT_HEAD(&listeners, l, list); if (foreground) { #if !defined(KORE_NO_TLS) kore_log(LOG_NOTICE, "running on https://%s:%s", ip, port); #else kore_log(LOG_NOTICE, "running on http://%s:%s", ip, port); #endif } return (KORE_RESULT_OK); } void kore_listener_cleanup(void) { struct listener *l; while (!LIST_EMPTY(&listeners)) { l = LIST_FIRST(&listeners); LIST_REMOVE(l, list); close(l->fd); kore_free(l); } } void kore_signal(int sig) { sig_recv = sig; } static void kore_server_sslstart(void) { #if !defined(KORE_NO_TLS) kore_debug("kore_server_sslstart()"); SSL_library_init(); SSL_load_error_strings(); #endif }