/*
* called before tls_read, the this function should attempt tls_accept or
* tls_connect depending on the state of the connection, if this function
* does not transit a connection into S_CONN_OK then tcp layer would not
* call tcp_read
*/
int tls_fix_read_conn(struct tcp_connection *c)
{
/*
* no lock acquired
*/
int ret;
ret = 0;
/*
* We have to acquire the lock before testing c->state, otherwise a
* writer could modify the structure if it gets preempted and has
* something to write
*/
lock_get(&c->write_lock);
if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
ret = tls_update_fd(c, c->fd);
if (!ret)
ret = tls_accept(c, NULL);
} else if ( c->proto_flags & F_TLS_DO_CONNECT ) {
ret = tls_update_fd(c, c->fd);
if (!ret)
ret = tls_connect(c, NULL);
}
lock_release(&c->write_lock);
return ret;
}
/** callback for tls_ct_q_flush().
*
* @param *ssl - ssl context.
* @param *err - error reason (set on exit).
* @return >0 on success (bytes written), <=0 on ssl error (should be
* handled outside).
* WARNING: the ssl context must have the wbio and rbio previously set!
*/
static int ssl_flush(void* tcp_c, void* error, const void* buf, unsigned size)
{
int n;
int ssl_error;
struct tls_extra_data* tls_c;
SSL* ssl;
tls_c = ((struct tcp_connection*)tcp_c)->extra_data;
ssl = tls_c->ssl;
ssl_error = SSL_ERROR_NONE;
if (unlikely(tls_c->state == S_TLS_CONNECTING)) {
n = tls_connect(tcp_c, &ssl_error);
if (unlikely(n>=1)) {
n = SSL_write(ssl, buf, size);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
}
} else if (unlikely(tls_c->state == S_TLS_ACCEPTING)) {
n = tls_accept(tcp_c, &ssl_error);
if (unlikely(n>=1)) {
n = SSL_write(ssl, buf, size);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
}
} else {
n = SSL_write(ssl, buf, size);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
}
*(long*)error = ssl_error;
return n;
}
boolean transport_accept_tls(rdpTransport* transport)
{
if (transport->tls == NULL)
transport->tls = tls_new();
transport->layer = TRANSPORT_LAYER_TLS;
transport->tls->sockfd = transport->tcp->sockfd;
if (tls_accept(transport->tls, transport->settings->cert_file, transport->settings->privatekey_file) != True)
return False;
return True;
}
BOOL transport_accept_nla(rdpTransport* transport)
{
freerdp* instance;
rdpSettings* settings;
settings = transport->settings;
instance = (freerdp*) settings->instance;
if (!transport->TlsIn)
transport->TlsIn = tls_new(transport->settings);
if (!transport->TlsOut)
transport->TlsOut = transport->TlsIn;
transport->layer = TRANSPORT_LAYER_TLS;
if (!tls_accept(transport->TlsIn, transport->TcpIn->bufferedBio, settings->CertificateFile, settings->PrivateKeyFile))
return FALSE;
transport->frontBio = transport->TlsIn->bio;
/* Network Level Authentication */
if (!settings->Authentication)
return TRUE;
if (!transport->credssp)
{
transport->credssp = credssp_new(instance, transport, settings);
transport_set_nla_mode(transport, TRUE);
}
if (credssp_authenticate(transport->credssp) < 0)
{
fprintf(stderr, "client authentication failure\n");
transport_set_nla_mode(transport, FALSE);
credssp_free(transport->credssp);
transport->credssp = NULL;
tls_set_alert_code(transport->TlsIn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DESCRIPTION_ACCESS_DENIED);
return FALSE;
}
/* don't free credssp module yet, we need to copy the credentials from it first */
transport_set_nla_mode(transport, FALSE);
return TRUE;
}
BOOL transport_accept_tls(rdpTransport* transport)
{
rdpSettings* settings = transport->settings;
if (!transport->tls)
transport->tls = tls_new(transport->settings);
transport->layer = TRANSPORT_LAYER_TLS;
if (!tls_accept(transport->tls, transport->frontBio, settings))
return FALSE;
transport->frontBio = transport->tls->bio;
return TRUE;
}
BOOL transport_accept_tls(rdpTransport* transport)
{
if (transport->TlsIn == NULL)
transport->TlsIn = tls_new(transport->settings);
if (transport->TlsOut == NULL)
transport->TlsOut = transport->TlsIn;
transport->layer = TRANSPORT_LAYER_TLS;
transport->TlsIn->sockfd = transport->TcpIn->sockfd;
if (tls_accept(transport->TlsIn, transport->settings->CertificateFile, transport->settings->PrivateKeyFile) != TRUE)
return FALSE;
return TRUE;
}
BOOL transport_accept_tls(rdpTransport* transport)
{
if (!transport->TlsIn)
transport->TlsIn = tls_new(transport->settings);
if (!transport->TlsOut)
transport->TlsOut = transport->TlsIn;
transport->layer = TRANSPORT_LAYER_TLS;
if (!tls_accept(transport->TlsIn, transport->TcpIn->bufferedBio, transport->settings->CertificateFile, transport->settings->PrivateKeyFile))
return FALSE;
transport->frontBio = transport->TlsIn->bio;
return TRUE;
}
BOOL transport_accept_nla(rdpTransport* transport)
{
rdpSettings* settings = transport->settings;
freerdp* instance = (freerdp*) settings->instance;
if (!transport->tls)
transport->tls = tls_new(transport->settings);
transport->layer = TRANSPORT_LAYER_TLS;
if (!tls_accept(transport->tls, transport->frontBio, settings))
return FALSE;
transport->frontBio = transport->tls->bio;
/* Network Level Authentication */
if (!settings->Authentication)
return TRUE;
if (!transport->nla)
{
transport->nla = nla_new(instance, transport, settings);
transport_set_nla_mode(transport, TRUE);
}
if (nla_authenticate(transport->nla) < 0)
{
WLog_Print(transport->log, WLOG_ERROR, "client authentication failure");
transport_set_nla_mode(transport, FALSE);
nla_free(transport->nla);
transport->nla = NULL;
tls_set_alert_code(transport->tls, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DESCRIPTION_ACCESS_DENIED);
tls_send_alert(transport->tls);
return FALSE;
}
/* don't free nla module yet, we need to copy the credentials from it first */
transport_set_nla_mode(transport, FALSE);
return TRUE;
}
boolean transport_accept_nla(rdpTransport* transport)
{
if (transport->tls == NULL)
transport->tls = tls_new();
transport->layer = TRANSPORT_LAYER_TLS;
transport->tls->sockfd = transport->tcp->sockfd;
if (tls_accept(transport->tls, transport->settings->cert_file, transport->settings->privatekey_file) != True)
return False;
/* Network Level Authentication */
if (transport->settings->authentication != True)
return True;
/* Blocking here until NLA is complete */
return True;
}
BOOL transport_accept_nla(rdpTransport* transport)
{
freerdp* instance;
rdpSettings* settings;
if (transport->TlsIn == NULL)
transport->TlsIn = tls_new(transport->settings);
if (transport->TlsOut == NULL)
transport->TlsOut = transport->TlsIn;
transport->layer = TRANSPORT_LAYER_TLS;
transport->TlsIn->sockfd = transport->TcpIn->sockfd;
if (tls_accept(transport->TlsIn, transport->settings->CertificateFile, transport->settings->PrivateKeyFile) != TRUE)
return FALSE;
/* Network Level Authentication */
if (transport->settings->Authentication != TRUE)
return TRUE;
settings = transport->settings;
instance = (freerdp*) settings->instance;
if (transport->credssp == NULL)
transport->credssp = credssp_new(instance, transport, settings);
if (credssp_authenticate(transport->credssp) < 0)
{
fprintf(stderr, "client authentication failure\n");
credssp_free(transport->credssp);
transport->credssp = NULL;
return FALSE;
}
/* don't free credssp module yet, we need to copy the credentials from it first */
return TRUE;
}
/*
* called before tls_read, the this function should attempt tls_accept or
* tls_connect depending on the state of the connection, if this function
* does not transit a connection into S_CONN_OK then tcp layer would not
* call tcp_read
*/
int
tls_fix_read_conn(struct tcp_connection *c)
{
/*
* no lock acquired
*/
int ret;
ret = 0;
/*
* We have to acquire the lock before testing c->state, otherwise a
* writer could modify the structure if it gets preempted and has
* something to write
*/
lock_get(&c->write_lock);
switch (c->state) {
case S_CONN_ACCEPT:
ret = tls_update_fd(c, c->fd);
if (!ret)
ret = tls_accept(c, NULL);
break;
case S_CONN_CONNECT:
ret = tls_update_fd(c, c->fd);
if (!ret)
ret = tls_connect(c, NULL);
break;
default: /* fall through */
break;
}
lock_release(&c->write_lock);
return ret;
}
boolean transport_accept_nla(rdpTransport* transport)
{
freerdp* instance;
rdpSettings* settings;
if (transport->tls == NULL)
transport->tls = tls_new(transport->settings);
transport->layer = TRANSPORT_LAYER_TLS;
transport->tls->sockfd = transport->tcp->sockfd;
if (tls_accept(transport->tls, transport->settings->cert_file, transport->settings->privatekey_file) != true)
return false;
/* Network Level Authentication */
if (transport->settings->authentication != true)
return true;
settings = transport->settings;
instance = (freerdp*) settings->instance;
if (transport->credssp == NULL)
transport->credssp = credssp_new(instance, transport->tls, settings);
if (credssp_authenticate(transport->credssp) < 0)
{
printf("client authentication failure\n");
credssp_free(transport->credssp);
return false;
}
credssp_free(transport->credssp);
return true;
}
int main(int argc , char *argv[]) {
int socket_desc , client_sock , read_size;
socklen_t c;
struct sockaddr_in server , client;
char client_message[0xFFFF];
#ifdef _WIN32
WSADATA wsaData;
WSAStartup(MAKEWORD(2, 2), &wsaData);
#else
signal(SIGPIPE, SIG_IGN);
#endif
socket_desc = socket(AF_INET , SOCK_STREAM , 0);
if (socket_desc == -1) {
printf("Could not create socket");
return 0;
}
int port = 2000;
if (argc > 1) {
port = atoi(argv[1]);
if (port <= 0)
port = 2000;
}
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(port);
if( bind(socket_desc,(struct sockaddr *)&server , sizeof(server)) < 0) {
perror("bind failed. Error");
return 1;
}
int enable = 1;
setsockopt(socket_desc, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(int));
listen(socket_desc , 3);
c = sizeof(struct sockaddr_in);
unsigned int size;
struct TLSContext *server_context = tls_create_context(1, TLS_V12);
// load keys
load_keys(server_context, "testcert/fullchain.pem", "testcert/privkey.pem");
char source_buf[0xFFFF];
int source_size = read_from_file("tlshelloworld.c", source_buf, 0xFFFF);
while (1) {
identity_str[0] = 0;
client_sock = accept(socket_desc, (struct sockaddr *)&client, &c);
if (client_sock < 0) {
perror("accept failed");
return 1;
}
struct TLSContext *context = tls_accept(server_context);
// uncomment next line to request client certificate
tls_request_client_certificate(context);
// make the TLS context serializable (this must be called before negotiation)
tls_make_exportable(context, 1);
fprintf(stderr, "Client connected\n");
while ((read_size = recv(client_sock, client_message, sizeof(client_message), 0)) > 0) {
if (tls_consume_stream(context, client_message, read_size, verify_signature) > 0)
break;
}
send_pending(client_sock, context);
if (read_size > 0) {
fprintf(stderr, "USED CIPHER: %s\n", tls_cipher_name(context));
int ref_packet_count = 0;
int res;
while ((read_size = recv(client_sock, client_message, sizeof(client_message) , 0)) > 0) {
if (tls_consume_stream(context, client_message, read_size, verify_signature) < 0) {
fprintf(stderr, "Error in stream consume\n");
break;
}
send_pending(client_sock, context);
if (tls_established(context) == 1) {
unsigned char read_buffer[0xFFFF];
int read_size = tls_read(context, read_buffer, sizeof(read_buffer) - 1);
if (read_size > 0) {
read_buffer[read_size] = 0;
unsigned char export_buffer[0xFFF];
// simulate serialization / deserialization to another process
char sni[0xFF];
sni[0] = 0;
if (context->sni)
snprintf(sni, 0xFF, "%s", context->sni);
/* COOL STUFF => */ int size = tls_export_context(context, export_buffer, sizeof(export_buffer), 1);
if (size > 0) {
/* COOLER STUFF => */ struct TLSContext *imported_context = tls_import_context(export_buffer, size);
// This is cool because a context can be sent to an existing process.
// It will work both with fork and with already existing worker process.
fprintf(stderr, "Imported context (size: %i): %x\n", size, imported_context);
if (imported_context) {
// destroy old context
tls_destroy_context(context);
// simulate serialization/deserialization of context
context = imported_context;
}
}
// ugly inefficient code ... don't write like me
char send_buffer[0xF000];
char send_buffer_with_header[0xF000];
char out_buffer[0xFFF];
int tls_version = 2;
switch (context->version) {
case TLS_V10:
tls_version = 0;
break;
case TLS_V11:
tls_version = 1;
break;
}
snprintf(send_buffer, sizeof(send_buffer), "Hello world from TLS 1.%i (used chipher is: %s), SNI: %s\r\nYour identity is: %s\r\n\r\nCertificate: %s\r\n\r\nBelow is the received header:\r\n%s\r\nAnd the source code for this example: \r\n\r\n%s", tls_version, tls_cipher_name(context), sni, identity_str, tls_certificate_to_string(server_context->certificates[0], out_buffer, sizeof(out_buffer)), read_buffer, source_buf);
int content_length = strlen(send_buffer);
snprintf(send_buffer_with_header, sizeof(send_buffer), "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-type: text/plain\r\nContent-length: %i\r\n\r\n%s", content_length, send_buffer);
tls_write(context, send_buffer_with_header, strlen(send_buffer_with_header));
tls_close_notify(context);
send_pending(client_sock, context);
break;
}
}
}
}
#ifdef __WIN32
shutdown(client_sock, SD_BOTH);
closesocket(client_sock);
#else
shutdown(client_sock, SHUT_RDWR);
close(client_sock);
#endif
tls_destroy_context(context);
}
tls_destroy_context(server_context);
return 0;
}
static bool recv_handler(int *err, struct mbuf *mb, bool *estab, void *arg)
{
struct tls_conn *tc = arg;
int r;
/* feed SSL data to the BIO */
r = BIO_write(tc->sbio_in, mbuf_buf(mb), (int)mbuf_get_left(mb));
if (r <= 0) {
DEBUG_WARNING("recv: BIO_write %d\n", r);
*err = ENOMEM;
return true;
}
if (SSL_state(tc->ssl) != SSL_ST_OK) {
if (tc->up) {
*err = EPROTO;
return true;
}
if (tc->active) {
*err = tls_connect(tc);
}
else {
*err = tls_accept(tc);
}
DEBUG_INFO("state=0x%04x\n", SSL_state(tc->ssl));
/* TLS connection is established */
if (SSL_state(tc->ssl) != SSL_ST_OK)
return true;
*estab = true;
tc->up = true;
}
mbuf_set_pos(mb, 0);
for (;;) {
int n;
if (mbuf_get_space(mb) < 4096) {
*err = mbuf_resize(mb, mb->size + 8192);
if (*err)
return true;
}
n = SSL_read(tc->ssl, mbuf_buf(mb), (int)mbuf_get_space(mb));
if (n < 0) {
const int ssl_err = SSL_get_error(tc->ssl, n);
switch (ssl_err) {
case SSL_ERROR_WANT_READ:
break;
default:
*err = EPROTO;
return true;
}
break;
}
else if (n == 0)
break;
mb->pos += n;
}
mbuf_set_end(mb, mb->pos);
mbuf_set_pos(mb, 0);
return false;
}
/*
* fixme: probably does not work correctly
*/
size_t tls_blocking_write(struct tcp_connection *c, int fd, const char *buf,
size_t len)
{
#define MAX_SSL_RETRIES 32
int written, n;
int timeout, retries;
struct pollfd pf;
pf.fd = fd;
written = 0;
retries = 0;
if (c->state!=S_CONN_OK) {
LM_ERR("TLS broken connection\n");
goto error;
}
lock_get(&c->write_lock);
if (tls_update_fd(c, fd) < 0)
goto error;
timeout = tls_send_timeout;
again:
n = 0;
pf.events = 0;
if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
if (tls_accept(c, &(pf.events)) < 0)
goto error;
timeout = tls_handshake_timeout;
} else if ( c->proto_flags & F_TLS_DO_CONNECT ) {
if (tls_connect(c, &(pf.events)) < 0)
goto error;
timeout = tls_handshake_timeout;
} else {
n = tls_write(c, fd, buf, len, &(pf.events));
timeout = tls_send_timeout;
}
if (n < 0) {
LM_ERR("TLS failed to send data\n");
goto error;
}
/* nothing happens */
if (n==0) {
retries++;
/* avoid looping */
if (retries==MAX_SSL_RETRIES) {
LM_ERR("too many retries with no operation\n");
goto error;
}
} else {
/* reset the retries if we succeded in doing something*/
retries = 0;
}
written += n;
if (n < len) {
/*
* partial write
*/
buf += n;
len -= n;
} else {
/*
* successful full write
*/
lock_release(&c->write_lock);
return written;
}
if (pf.events == 0)
pf.events = POLLOUT;
poll_loop:
while (1) {
n = poll(&pf, 1, timeout);
if (n < 0) {
if (errno == EINTR)
continue; /* signal, ignore */
else if (errno != EAGAIN && errno != EWOULDBLOCK) {
LM_ERR("TLS poll failed: %s [%d]\n",strerror(errno), errno);
goto error;
} else
goto poll_loop;
} else if (n == 0) {
/*
* timeout
*/
LM_ERR("TLS send timeout (%d)\n", timeout);
goto error;
}
if (pf.revents & POLLOUT || pf.revents & POLLIN) {
/*
* we can read or write again
*/
goto again;
} else if (pf.revents & (POLLERR | POLLHUP | POLLNVAL)) {
LM_ERR("TLS bad poll flags %x\n",pf.revents);
goto error;
}
/*
* if POLLPRI or other non-harmful events happened, continue (
* although poll should never signal them since we're not
* interested in them => we should never reach this point)
*/
}
error:
lock_release(&c->write_lock);
return -1;
}
/** tls read.
* Each modification of ssl data structures has to be protected, another process * might ask for the same connection and attempt write to it which would
* result in updating the ssl structures.
* WARNING: must be called whic c->write_lock _unlocked_.
* @param c - tcp connection pointer. The following flags might be set:
* @param flags - value/result:
* input: RD_CONN_FORCE_EOF - force EOF after the first
* successful read (bytes_read >=0 )
* output: RD_CONN_SHORT_READ if the read exhausted
* all the bytes in the socket read buffer.
* RD_CONN_EOF if EOF detected (0 bytes read)
* or forced via RD_CONN_FORCE_EOF.
* RD_CONN_REPEAT_READ if this function should
* be called again (e.g. has some data
* buffered internally that didn't fit in
* tcp_req).
* Note: RD_CONN_SHORT_READ & RD_CONN_EOF should be cleared
* before calling this function when there is new
* data (e.g. POLLIN), but not if the called is
* retried because of RD_CONN_REPEAT_READ and there
* is no information about the socket having more
* read data available.
* @return bytes decrypted on success, -1 on error (it also sets some
* tcp connection flags and might set c->state and r->error on
* EOF or error).
*/
int tls_read_f(struct tcp_connection* c, int* flags)
{
struct tcp_req* r;
int bytes_free, bytes_read, read_size, ssl_error, ssl_read;
SSL* ssl;
unsigned char rd_buf[TLS_RD_MBUF_SZ];
unsigned char wr_buf[TLS_WR_MBUF_SZ];
struct tls_mbuf rd, wr;
struct tls_extra_data* tls_c;
struct tls_rd_buf* enc_rd_buf;
int n, flush_flags;
char* err_src;
int x;
int tls_dbg;
TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n",
c, flags, *flags,
su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)),
ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port);
ssl_read = 0;
r = &c->req;
enc_rd_buf = 0;
*flags &= ~RD_CONN_REPEAT_READ;
if (unlikely(tls_fix_connection(c) < 0)) {
TLS_RD_TRACE("(%p, %p) end: tls_fix_connection failed =>"
" immediate error exit\n", c, flags);
return -1;
}
/* here it's safe to use c->extra_data in read-only mode.
If it's != 0 is changed only on destroy. It's not possible to have
parallel reads.*/
tls_c = c->extra_data;
bytes_free = c->req.b_size - (int)(r->pos - r->buf);
if (unlikely(bytes_free == 0)) {
ERR("Buffer overrun, dropping\n");
r->error = TCP_REQ_OVERRUN;
return -1;
}
redo_read:
/* if data queued from a previous read(), use it (don't perform
* a real read()).
*/
if (unlikely(tls_c->enc_rd_buf)) {
/* use queued data */
/* safe to use without locks, because only read changes it and
there can't be parallel reads on the same connection */
enc_rd_buf = tls_c->enc_rd_buf;
tls_c->enc_rd_buf = 0;
TLS_RD_TRACE("(%p, %p) using queued data (%p: %p %d bytes)\n", c,
flags, enc_rd_buf, enc_rd_buf->buf + enc_rd_buf->pos,
enc_rd_buf->size - enc_rd_buf->pos);
tls_mbuf_init(&rd, enc_rd_buf->buf + enc_rd_buf->pos,
enc_rd_buf->size - enc_rd_buf->pos);
rd.used = enc_rd_buf->size - enc_rd_buf->pos;
} else {
/* if we were using using queued data before, free & reset the
the queued read data before performing the real read() */
if (unlikely(enc_rd_buf)) {
TLS_RD_TRACE("(%p, %p) reset prev. used enc_rd_buf (%p)\n", c,
flags, enc_rd_buf);
shm_free(enc_rd_buf);
enc_rd_buf = 0;
}
/* real read() */
tls_mbuf_init(&rd, rd_buf, sizeof(rd_buf));
/* read() only if no previously detected EOF, or previous
short read (which means the socket buffer was emptied) */
if (likely(!(*flags & (RD_CONN_EOF|RD_CONN_SHORT_READ)))) {
/* don't read more then the free bytes in the tcp req buffer */
read_size = MIN_unsigned(rd.size, bytes_free);
bytes_read = tcp_read_data(c->fd, c, (char*)rd.buf, read_size,
flags);
TLS_RD_TRACE("(%p, %p) tcp_read_data(..., %d, *%d) => %d bytes\n",
c, flags, read_size, *flags, bytes_read);
/* try SSL_read even on 0 bytes read, it might have
internally buffered data */
if (unlikely(bytes_read < 0)) {
goto error;
}
rd.used = bytes_read;
}
}
continue_ssl_read:
tls_mbuf_init(&wr, wr_buf, sizeof(wr_buf));
ssl_error = SSL_ERROR_NONE;
err_src = "TLS read:";
/* we have to avoid to run in the same time
* with a tls_write because of the
* update bio stuff (we don't want a write
* stealing the wbio or rbio under us or vice versa)
* => lock on con->write_lock (ugly hack) */
lock_get(&c->write_lock);
tls_set_mbufs(c, &rd, &wr);
ssl = tls_c->ssl;
n = 0;
if (unlikely(tls_write_wants_read(tls_c) &&
!(*flags & RD_CONN_EOF))) {
n = tls_ct_wq_flush(c, &tls_c->ct_wq, &flush_flags,
&ssl_error);
TLS_RD_TRACE("(%p, %p) tls write on read (WRITE_WANTS_READ):"
" ct_wq_flush()=> %d (ff=%d ssl_error=%d))\n",
c, flags, n, flush_flags, ssl_error);
if (unlikely(n < 0 )) {
tls_set_mbufs(c, 0, 0);
lock_release(&c->write_lock);
ERR("write flush error (%d)\n", n);
goto error;
}
if (likely(flush_flags & F_BUFQ_EMPTY))
tls_c->flags &= ~F_TLS_CON_WR_WANTS_RD;
if (unlikely(flush_flags & F_BUFQ_ERROR_FLUSH))
err_src = "TLS write:";
}
if (likely(ssl_error == SSL_ERROR_NONE)) {
if (unlikely(tls_c->state == S_TLS_CONNECTING)) {
n = tls_connect(c, &ssl_error);
TLS_RD_TRACE("(%p, %p) tls_connect() => %d (err=%d)\n",
c, flags, n, ssl_error);
if (unlikely(n>=1)) {
n = SSL_read(ssl, r->pos, bytes_free);
} else {
/* tls_connect failed/needs more IO */
if (unlikely(n < 0 && ssl_error == SSL_ERROR_NONE)) {
lock_release(&c->write_lock);
goto error;
}
err_src = "TLS connect:";
goto ssl_read_skipped;
}
} else if (unlikely(tls_c->state == S_TLS_ACCEPTING)) {
n = tls_accept(c, &ssl_error);
TLS_RD_TRACE("(%p, %p) tls_accept() => %d (err=%d)\n",
c, flags, n, ssl_error);
if (unlikely(n>=1)) {
n = SSL_read(ssl, r->pos, bytes_free);
} else {
/* tls_accept failed/needs more IO */
if (unlikely(n < 0 && ssl_error == SSL_ERROR_NONE)) {
lock_release(&c->write_lock);
goto error;
}
err_src = "TLS accept:";
goto ssl_read_skipped;
}
} else {
/* if bytes in then decrypt read buffer into tcpconn req.
buffer */
n = SSL_read(ssl, r->pos, bytes_free);
}
/** handle SSL_read() return.
* There are 3 main cases, each with several sub-cases, depending
* on whether or not the output buffer was filled, if there
* is still unconsumed input data in the input buffer (rd)
* and if there is "cached" data in the internal openssl
* buffers.
* 0. error (n<=0):
* SSL_ERROR_WANT_READ - input data fully
* consumed, no more returnable cached data inside openssl
* => exit.
* SSL_ERROR_WANT_WRITE - should never happen (the write
* buffer is big enough to handle any re-negociation).
* SSL_ERROR_ZERO_RETURN - ssl level shutdown => exit.
* other errors are unexpected.
* 1. output buffer filled (n == bytes_free):
* 1i. - still unconsumed input, nothing buffered by openssl
* 1ip. - unconsumed input + buffered data by openssl (pending
on the next SSL_read).
* 1p. - completely consumed input, buffered data internally
* by openssl (pending).
* Likely to happen, about the only case when
* SSL_pending() could be used (but only if readahead=0).
* 1f. - consumed input, no buffered data.
* 2. output buffer not fully filled (n < bytes_free):
* 2i. - still unconsumed input, nothing buffered by openssl.
* This can appear if SSL readahead is 0 (SSL_read()
* tries to get only 1 record from the input).
* 2ip. - unconsumed input and buffered data by openssl.
* Unlikely to happen (e.g. readahead is 1, more
* records are buffered internally by openssl, but
* there was not enough space for buffering the whole
* input).
* 2p - consumed input, but buffered data by openssl.
* It happens especially when readahead is 1.
* 2f. - consumed input, no buffered data.
*
* One should repeat SSL_read() until and error is detected
* (0*) or the input and internal ssl buffers are fully consumed
* (1f or 2f). However in general is not possible to see if
* SSL_read() could return more data. SSL_pending() has very
* limited usability (basically it would return !=0 only if there
* was no enough space in the output buffer and only if this did
* not happen at a record boundary).
* The solution is to repeat SSL_read() until error or until
* the output buffer is filled (0* or 1*).
* In the later case, this whole function should be called again
* once there is more output space (set RD_CONN_REPEAT_READ).
*/
if (unlikely(tls_c->flags & F_TLS_CON_RENEGOTIATION)) {
/* Fix CVE-2009-3555 - disable renegotiation if started by client
* - simulate SSL EOF to force close connection*/
tls_dbg = cfg_get(tls, tls_cfg, debug);
LOG(tls_dbg, "Reading on a renegotiation of connection (n:%d) (%d)\n",
n, SSL_get_error(ssl, n));
err_src = "TLS R-N read:";
ssl_error = SSL_ERROR_ZERO_RETURN;
} else {
if (unlikely(n <= 0)) {
ssl_error = SSL_get_error(ssl, n);
err_src = "TLS read:";
/* errors handled below, outside the lock */
} else {
ssl_error = SSL_ERROR_NONE;
r->pos += n;
ssl_read += n;
bytes_free -=n;
}
}
TLS_RD_TRACE("(%p, %p) SSL_read() => %d (err=%d) ssl_read=%d"
" *flags=%d tls_c->flags=%d\n",
c, flags, n, ssl_error, ssl_read, *flags,
tls_c->flags);
ssl_read_skipped:
;
}
if (unlikely(wr.used != 0 && ssl_error != SSL_ERROR_ZERO_RETURN)) {
TLS_RD_TRACE("(%p, %p) tcpconn_send_unsafe %d bytes\n",
c, flags, wr.used);
/* something was written and it's not ssl EOF*/
if (unlikely(tcpconn_send_unsafe(c->fd, c, (char*)wr.buf,
wr.used, c->send_flags) < 0)) {
tls_set_mbufs(c, 0, 0);
lock_release(&c->write_lock);
TLS_RD_TRACE("(%p, %p) tcpconn_send_unsafe error\n", c, flags);
goto error_send;
}
}
/* quickly catch bugs: segfault if accessed and not set */
tls_set_mbufs(c, 0, 0);
lock_release(&c->write_lock);
switch(ssl_error) {
case SSL_ERROR_NONE:
if (unlikely(n < 0)) {
BUG("unexpected SSL_ERROR_NONE for n=%d\n", n);
goto error;
}
break;
case SSL_ERROR_ZERO_RETURN:
/* SSL EOF */
TLS_RD_TRACE("(%p, %p) SSL EOF (fd=%d)\n", c, flags, c->fd);
goto ssl_eof;
case SSL_ERROR_WANT_READ:
TLS_RD_TRACE("(%p, %p) SSL_ERROR_WANT_READ *flags=%d\n",
c, flags, *flags);
/* needs to read more data */
if (unlikely(rd.pos != rd.used)) {
/* data still in the read buffer */
BUG("SSL_ERROR_WANT_READ but data still in"
" the rbio (%p, %d bytes at %d)\n", rd.buf,
rd.used - rd.pos, rd.pos);
goto bug;
}
if (unlikely((*flags & (RD_CONN_EOF | RD_CONN_SHORT_READ)) == 0) &&
bytes_free){
/* there might still be data to read and there is space
to decrypt it in tcp_req (no byte has been written into
tcp_req in this case) */
TLS_RD_TRACE("(%p, %p) redo read *flags=%d bytes_free=%d\n",
c, flags, *flags, bytes_free);
goto redo_read;
}
goto end; /* no more data to read */
case SSL_ERROR_WANT_WRITE:
if (wr.used) {
/* something was written => buffer not big enough to hold
everything => reset buffer & retry (the tcp_write already
happened if we are here) */
TLS_RD_TRACE("(%p) SSL_ERROR_WANT_WRITE partial write"
" (written %d), retrying\n", c, wr.used);
goto continue_ssl_read;
}
/* else write buffer too small, nothing written */
BUG("write buffer too small (%d/%d bytes)\n",
wr.used, wr.size);
goto bug;
case SSL_ERROR_SSL:
/* protocol level error */
TLS_ERR(err_src);
goto error;
#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
case SSL_ERROR_WANT_CONNECT:
/* only if the underlying BIO is not yet connected
and the call would block in connect().
(not possible in our case) */
BUG("unexpected SSL_ERROR_WANT_CONNECT\n");
goto bug;
case SSL_ERROR_WANT_ACCEPT:
/* only if the underlying BIO is not yet connected
and call would block in accept()
(not possible in our case) */
BUG("unexpected SSL_ERROR_WANT_ACCEPT\n");
goto bug;
#endif
case SSL_ERROR_WANT_X509_LOOKUP:
/* can only appear on client application and it indicates that
an installed client cert. callback should be called again
(it returned < 0 indicated that it wants to be called
later). Not possible in our case */
BUG("unsupported SSL_ERROR_WANT_X509_LOOKUP");
goto bug;
case SSL_ERROR_SYSCALL:
TLS_ERR_RET(x, err_src);
if (!x) {
if (n == 0) {
WARN("Unexpected EOF\n");
} else
/* should never happen */
BUG("IO error (%d) %s\n", errno, strerror(errno));
}
goto error;
default:
TLS_ERR(err_src);
BUG("unexpected SSL error %d\n", ssl_error);
goto bug;
}
if (unlikely(n < 0)) {
/* here n should always be >= 0 */
BUG("unexpected value (n = %d)\n", n);
goto bug;
}
if (unlikely(rd.pos != rd.used)) {
/* encrypted data still in the read buffer (SSL_read() did not
consume all of it) */
if (unlikely(n < 0))
/* here n should always be >= 0 */
BUG("unexpected value (n = %d)\n", n);
else {
if (unlikely(bytes_free != 0)) {
/* 2i or 2ip: unconsumed input and output buffer not filled =>
retry ssl read (SSL_read() will read will stop at
record boundaries, unless readahead==1).
No tcp_read() is attempted, since that would reset the
current no-yet-consumed input data.
*/
TLS_RD_TRACE("(%p, %p) input not fully consumed =>"
" retry SSL_read"
" (pos: %d, remaining %d, output free %d)\n",
c, flags, rd.pos, rd.used-rd.pos, bytes_free);
goto continue_ssl_read;
}
/* 1i or 1ip: bytes_free == 0
(unconsumed input, but filled output buffer) =>
queue read data, and exit asking for repeating the call
once there is some space in the output buffer.
*/
if (likely(!enc_rd_buf)) {
TLS_RD_TRACE("(%p, %p) creating enc_rd_buf (for %d bytes)\n",
c, flags, rd.used - rd.pos);
enc_rd_buf = shm_malloc(sizeof(*enc_rd_buf) -
sizeof(enc_rd_buf->buf) +
rd.used - rd.pos);
if (unlikely(enc_rd_buf == 0)) {
ERR("memory allocation error (%d bytes requested)\n",
(int)(sizeof(*enc_rd_buf) + sizeof(enc_rd_buf->buf) +
rd.used - rd.pos));
goto error;
}
enc_rd_buf->pos = 0;
enc_rd_buf->size = rd.used - rd.pos;
memcpy(enc_rd_buf->buf, rd.buf + rd.pos,
enc_rd_buf->size);
} else if ((enc_rd_buf->buf + enc_rd_buf->pos) == rd.buf) {
TLS_RD_TRACE("(%p, %p) enc_rd_buf already in use,"
" updating pos %d\n",
c, flags, enc_rd_buf->pos);
enc_rd_buf->pos += rd.pos;
} else {
BUG("enc_rd_buf->buf = %p, pos = %d, rd_buf.buf = %p\n",
enc_rd_buf->buf, enc_rd_buf->pos, rd.buf);
goto bug;
}
if (unlikely(tls_c->enc_rd_buf))
BUG("tls_c->enc_rd_buf!=0 (%p)\n", tls_c->enc_rd_buf);
/* there can't be 2 reads in parallel, so no locking is needed
here */
tls_c->enc_rd_buf = enc_rd_buf;
enc_rd_buf = 0;
*flags |= RD_CONN_REPEAT_READ;
}
} else if (bytes_free != 0) {
/* 2f or 2p: input fully consumed (rd.pos == rd.used),
output buffer not filled, still possible to have pending
data buffered by openssl */
if (unlikely((*flags & (RD_CONN_EOF|RD_CONN_SHORT_READ)) == 0)) {
/* still space in the tcp unenc. req. buffer, no SSL_read error,
not a short read and not an EOF (possible more data in
the socket buffer) => try a new tcp read too */
TLS_RD_TRACE("(%p, %p) retry read (still space and no short"
" tcp read: %d)\n", c, flags, *flags);
goto redo_read;
} else {
/* don't tcp_read() anymore, but there might still be data
buffered internally by openssl (e.g. if readahead==1) =>
retry SSL_read() with the current full input buffer
(if no more internally SSL buffered data => WANT_READ => exit).
*/
TLS_RD_TRACE("(%p, %p) retry SSL_read only (*flags =%d)\n",
c, flags, *flags);
goto continue_ssl_read;
}
} else {
/* 1p or 1f: rd.pos == rd.used && bytes_free == 0
(input fully consumed && output buffer filled) */
/* ask for a repeat when there is more buffer space
(there is no definitive way to know if ssl doesn't still have
some internal buffered data until we get WANT_READ, see
SSL_read() comment above) */
*flags |= RD_CONN_REPEAT_READ;
TLS_RD_TRACE("(%p, %p) output filled, exit asking to be called again"
" (*flags =%d)\n", c, flags, *flags);
}
end:
if (enc_rd_buf)
shm_free(enc_rd_buf);
TLS_RD_TRACE("(%p, %p) end => %d (*flags=%d)\n",
c, flags, ssl_read, *flags);
return ssl_read;
ssl_eof:
/* behave as an EOF would have been received at the tcp level */
if (enc_rd_buf)
shm_free(enc_rd_buf);
c->state = S_CONN_EOF;
*flags |= RD_CONN_EOF;
TLS_RD_TRACE("(%p, %p) end EOF => %d (*flags=%d)\n",
c, flags, ssl_read, *flags);
return ssl_read;
error_send:
error:
bug:
if (enc_rd_buf)
shm_free(enc_rd_buf);
r->error=TCP_READ_ERROR;
TLS_RD_TRACE("(%p, %p) end error => %d (*flags=%d)\n",
c, flags, ssl_read, *flags);
return -1;
}
/** tls encrypt before sending function.
* It is a callback that will be called by the tcp code, before a send
* on TLS would be attempted. It should replace the input buffer with a
* new static buffer containing the TLS processed data.
* If the input buffer could not be fully encoded (e.g. run out of space
* in the internal static buffer), it should set rest_buf and rest_len to
* the remaining part, so that it could be called again once the output has
* been used (sent). The send_flags used are also passed and they can be
* changed (e.g. to disallow a close() after a partial encode).
* WARNING: it must always be called with c->write_lock held!
* @param c - tcp connection
* @param pbuf - pointer to buffer (value/result, on success it will be
* replaced with a static buffer).
* @param plen - pointer to buffer size (value/result, on success it will be
* replaced with the size of the replacement buffer.
* @param rest_buf - (result) should be filled with a pointer to the
* remaining unencoded part of the original buffer if any,
* 0 otherwise.
* @param rest_len - (result) should be filled with the length of the
* remaining unencoded part of the original buffer (0 if
* the original buffer was fully encoded).
* @param send_flags - pointer to the send_flags that will be used for sending
* the message.
* @return *plen on success (>=0), < 0 on error.
*/
int tls_encode_f(struct tcp_connection *c,
const char** pbuf, unsigned int* plen,
const char** rest_buf, unsigned int* rest_len,
snd_flags_t* send_flags)
{
int n, offs;
SSL* ssl;
struct tls_extra_data* tls_c;
static unsigned char wr_buf[TLS_WR_MBUF_SZ];
struct tls_mbuf rd, wr;
int ssl_error;
char* err_src;
const char* buf;
unsigned int len;
int x;
buf = *pbuf;
len = *plen;
*rest_buf = 0;
*rest_len = 0;
TLS_WR_TRACE("(%p, %p, %d, ... 0x%0x) start (%s:%d* -> %s)\n",
c, buf, len, send_flags->f,
ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port,
su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)));
n = 0;
offs = 0;
ssl_error = SSL_ERROR_NONE;
err_src = "TLS write:";
if (unlikely(tls_fix_connection_unsafe(c) < 0)) {
/* c->extra_data might be null => exit immediately */
TLS_WR_TRACE("(%p) end: tls_fix_connection_unsafe failed =>"
" immediate error exit\n", c);
return -1;
}
tls_c = (struct tls_extra_data*)c->extra_data;
ssl = tls_c->ssl;
tls_mbuf_init(&rd, 0, 0); /* no read */
tls_mbuf_init(&wr, wr_buf, sizeof(wr_buf));
/* clear text already queued (WANTS_READ) queue directly*/
if (unlikely(tls_write_wants_read(tls_c))) {
TLS_WR_TRACE("(%p) WANTS_READ queue present => queueing"
" (%d bytes, %p + %d)\n", c, len - offs, buf, offs);
if (unlikely(tls_ct_wq_add(&tls_c->ct_wq, buf+offs, len -offs) < 0)) {
ERR("ct write buffer full for %p (%d bytes)\n",
c, tls_c->ct_wq?tls_c->ct_wq->queued:0);
goto error_wq_full;
}
/* buffer queued for a future send attempt, after first reading
some data (key exchange) => don't allow immediate closing of
the connection */
send_flags->f &= ~SND_F_CON_CLOSE;
goto end;
}
if (unlikely(tls_set_mbufs(c, &rd, &wr) < 0)) {
ERR("tls_set_mbufs failed\n");
goto error;
}
redo_wr:
if (unlikely(tls_c->state == S_TLS_CONNECTING)) {
n = tls_connect(c, &ssl_error);
TLS_WR_TRACE("(%p) tls_connect() => %d (err=%d)\n", c, n, ssl_error);
if (unlikely(n>=1)) {
n = SSL_write(ssl, buf + offs, len - offs);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
} else {
/* tls_connect failed/needs more IO */
if (unlikely(n < 0 && ssl_error == SSL_ERROR_NONE))
goto error;
err_src = "TLS connect:";
}
} else if (unlikely(tls_c->state == S_TLS_ACCEPTING)) {
n = tls_accept(c, &ssl_error);
TLS_WR_TRACE("(%p) tls_accept() => %d (err=%d)\n", c, n, ssl_error);
if (unlikely(n>=1)) {
n = SSL_write(ssl, buf + offs, len - offs);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
} else {
/* tls_accept failed/needs more IO */
if (unlikely(n < 0 && ssl_error == SSL_ERROR_NONE))
goto error;
err_src = "TLS accept:";
}
} else {
n = SSL_write(ssl, buf + offs, len - offs);
if (unlikely(n <= 0))
ssl_error = SSL_get_error(ssl, n);
}
TLS_WR_TRACE("(%p) SSL_write(%p + %d, %d) => %d (err=%d)\n",
c, buf, offs, len - offs, n, ssl_error);
/* check for possible ssl errors */
if (unlikely(n <= 0)){
switch(ssl_error) {
case SSL_ERROR_NONE:
BUG("unexpected SSL_ERROR_NONE for n=%d\n", n);
goto error;
break;
case SSL_ERROR_ZERO_RETURN:
/* SSL EOF */
ERR("ssl level EOF\n");
goto ssl_eof;
case SSL_ERROR_WANT_READ:
/* queue write buffer */
TLS_WR_TRACE("(%p) SSL_ERROR_WANT_READ => queueing for read"
" (%p + %d, %d)\n", c, buf, offs, len -offs);
if (unlikely(tls_ct_wq_add(&tls_c->ct_wq, buf+offs, len -offs)
< 0)) {
ERR("ct write buffer full (%d bytes)\n",
tls_c->ct_wq?tls_c->ct_wq->queued:0);
goto error_wq_full;
}
tls_c->flags |= F_TLS_CON_WR_WANTS_RD;
/* buffer queued for a future send attempt, after first
reading some data (key exchange) => don't allow immediate
closing of the connection */
send_flags->f &= ~SND_F_CON_CLOSE;
break; /* or goto end */
case SSL_ERROR_WANT_WRITE:
if (unlikely(offs == 0)) {
/* error, no record fits in the buffer or
no partial write enabled and buffer to small to fit
all the records */
BUG("write buffer too small (%d/%d bytes)\n",
wr.used, wr.size);
goto bug;
} else {
/* offs != 0 => something was "written" */
*rest_buf = buf + offs;
*rest_len = len - offs;
/* this function should be called again => disallow
immediate closing of the connection */
send_flags->f &= ~SND_F_CON_CLOSE;
TLS_WR_TRACE("(%p) SSL_ERROR_WANT_WRITE partial write"
" (written %p , %d, rest_buf=%p"
" rest_len=%d))\n", c, buf, offs,
*rest_buf, *rest_len);
}
break; /* or goto end */
case SSL_ERROR_SSL:
/* protocol level error */
TLS_ERR(err_src);
goto error;
#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
case SSL_ERROR_WANT_CONNECT:
/* only if the underlying BIO is not yet connected
and the call would block in connect().
(not possible in our case) */
BUG("unexpected SSL_ERROR_WANT_CONNECT\n");
break;
case SSL_ERROR_WANT_ACCEPT:
/* only if the underlying BIO is not yet connected
and call would block in accept()
(not possible in our case) */
BUG("unexpected SSL_ERROR_WANT_ACCEPT\n");
break;
#endif
case SSL_ERROR_WANT_X509_LOOKUP:
/* can only appear on client application and it indicates that
an installed client cert. callback should be called again
(it returned < 0 indicated that it wants to be called
later). Not possible in our case */
BUG("unsupported SSL_ERROR_WANT_X509_LOOKUP");
goto bug;
case SSL_ERROR_SYSCALL:
TLS_ERR_RET(x, err_src);
if (!x) {
if (n == 0) {
WARN("Unexpected EOF\n");
} else
/* should never happen */
BUG("IO error (%d) %s\n", errno, strerror(errno));
}
goto error;
default:
TLS_ERR(err_src);
BUG("unexpected SSL error %d\n", ssl_error);
goto bug;
}
} else if (unlikely(n < (len - offs))) {
/* partial ssl write (possible if SSL_MODE_ENABLE_PARTIAL_WRITE) =>
retry with the rest */
TLS_WR_TRACE("(%p) partial write (%d < %d, offset %d), retry\n",
c, n, len - offs, offs);
offs += n;
goto redo_wr;
}
tls_set_mbufs(c, 0, 0);
end:
*pbuf = (const char*)wr.buf;
*plen = wr.used;
TLS_WR_TRACE("(%p) end (offs %d, rest_buf=%p rest_len=%d 0x%0x) => %d \n",
c, offs, *rest_buf, *rest_len, send_flags->f, *plen);
return *plen;
error:
/*error_send:*/
error_wq_full:
bug:
tls_set_mbufs(c, 0, 0);
TLS_WR_TRACE("(%p) end error (offs %d, %d encoded) => -1\n",
c, offs, wr.used);
return -1;
ssl_eof:
c->state = S_CONN_EOF;
c->flags |= F_CONN_FORCE_EOF;
*pbuf = (const char*)wr.buf;
*plen = wr.used;
DBG("TLS connection has been closed\n");
TLS_WR_TRACE("(%p) end EOF (offs %d) => (%d\n",
c, offs, *plen);
return *plen;
}
/* Handle the connection of a client.
*/
static void connection_handler(t_session *session) {
int result;
#ifdef ENABLE_TLS
int timeout;
#endif
#ifdef ENABLE_DEBUG
session->current_task = "thread started";
#endif
#ifdef ENABLE_TLS
if (session->binding->use_tls) {
#ifdef ENABLE_DEBUG
session->current_task = "ssl accept";
#endif
timeout = session->kept_alive == 0 ? session->binding->time_for_1st_request : session->binding->time_for_request;
switch (tls_accept(&(session->client_socket), &(session->tls_context), session->binding->tls_config, timeout)) {
case -1:
break;
case TLS_HANDSHAKE_NO_MATCH:
log_system(session, "No cypher overlap during TLS handshake.");
break;
case TLS_HANDSHAKE_TIMEOUT:
handle_timeout(session);
break;
case TLS_HANDSHAKE_OKE:
session->socket_open = true;
break;
}
} else
#endif
session->socket_open = true;
if (session->socket_open) {
#ifdef ENABLE_MONITOR
if (session->config->monitor_enabled) {
monitor_count_connection(session);
}
#endif
do {
result = serve_client(session);
handle_request_result(session, result);
#ifdef ENABLE_TOMAHAWK
if (session->parsing_oke) {
show_request_to_admins(session->method, session->request_uri, session->http_version, &(session->ip_address),
session->http_headers, session->return_code, session->bytes_sent);
}
#endif
#ifdef ENABLE_DEBUG
session->current_task = "request done";
#endif
if (session->socket_open) {
/* Flush the output-buffer
*/
if (send_buffer(session, NULL, 0) == -1) {
session->keep_alive = false;
}
}
#ifdef ENABLE_MONITOR
if (session->config->monitor_enabled) {
monitor_count_host(session);
}
#endif
reset_session(session);
#ifdef ENABLE_DEBUG
session->current_task = "session reset";
#endif
if ((session->kept_alive > 0) && (session->config->ban_on_flooding > 0)) {
if (client_is_flooding(session)) {
if (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny) {
ban_ip(&(session->ip_address), session->config->ban_on_flooding, session->config->kick_on_ban);
log_system(session, "Client banned because of flooding");
session->keep_alive = false;
#ifdef ENABLE_MONITOR
if (session->config->monitor_enabled) {
monitor_count_ban(session);
}
#endif
}
}
}
} while (session->keep_alive && session->socket_open);
#ifdef ENABLE_DEBUG
session->current_task = "session done";
#endif
destroy_session(session);
close_socket(session);
} else {
close(session->client_socket);
}
if (session->config->reconnect_delay > 0) {
mark_client_for_removal(session, session->config->reconnect_delay);
} else {
remove_client(session, true);
}
#ifdef ENABLE_DEBUG
/* Show memory usage by thread
*/
memdbg_print_log(false);
#endif
/* Client session ends here
*/
#ifndef ENABLE_THREAD_POOL
pthread_exit(NULL);
#endif
}
