/* Server side. Accept a new socket connection off our listen socket. This code is not specific to SSL. */ SOCKET socketAccept(SOCKET listenfd, int *err) { struct sockaddr_in addr; SOCKET fd; int len; /* Wait(blocking)/poll(non-blocking) for an incoming connection */ len = sizeof(addr); if ((fd = accept(listenfd, (struct sockaddr *)&addr, &len)) == INVALID_SOCKET) { *err = getSocketError(); if (*err != WOULD_BLOCK) { fprintf(stderr, "Error %d accepting new socket\n", *err); } return INVALID_SOCKET; } /* fd is the newly accepted socket. Disable Nagle on this socket. Set blocking mode as default */ /* fprintf(stdout, "Connection received from %d.%d.%d.%d\n", addr.sin_addr.S_un.S_un_b.s_b1, addr.sin_addr.S_un.S_un_b.s_b2, addr.sin_addr.S_un.S_un_b.s_b3, addr.sin_addr.S_un.S_un_b.s_b4); */ nvram_set("ssl_client_ip",inet_ntoa(addr.sin_addr)); setSocketNodelay(fd); setSocketBlock(fd); return fd; }
SOCKET socketConnect(char *ip, short port, int *err) { struct sockaddr_in addr; SOCKET fd; int rc; struct hostent *hp; if(!(hp = gethostbyname(ip))) { fprintf(stderr, "Host not found %s\n",ip); return INVALID_SOCKET; } memset(&addr,0,sizeof(addr)); addr.sin_addr=*(struct in_addr *)hp->h_addr_list[0]; addr.sin_family=AF_INET; addr.sin_port=htons(port); if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { fprintf(stderr, "Error creating socket\n"); *err = getSocketError(); return INVALID_SOCKET; } fcntl(fd, F_SETFD, FD_CLOEXEC); rc = 1; setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc)); setSocketNodelay(fd); setSocketBlock(fd); rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); #if WIN if (rc != 0) #else if (rc < 0) #endif { *err = getSocketError(); perror("connect"); return INVALID_SOCKET; } return fd; }
SOCKET socketAccept(SOCKET listenfd, int *err) { struct sockaddr_in addr; SOCKET fd; int len; len = sizeof(addr); if ((fd = accept(listenfd, (struct sockaddr *)&addr, &len)) == INVALID_SOCKET) { *err = getSocketError(); if (*err != WOULD_BLOCK) { fprintf(stderr, "Error %d accepting new socket\n", *err); } return INVALID_SOCKET; } setSocketNodelay(fd); setSocketBlock(fd); return fd; }
int main(int argc, char **argv) #endif { sslConn_t *cp; sslKeys_t *keys; SOCKET listenfd, fd; WSADATA wsaData; unsigned char buf[1024]; unsigned char *response, *c; int responseHdrLen, acceptAgain, flags; int bytes, status, quit, again, rc, err; #if USE_MEM_CERTS unsigned char *servBin, *servKeyBin, *caBin; int servBinLen, caBinLen, servKeyBinLen; #endif cp = NULL; /* Initialize Windows sockets (no-op on other platforms) */ WSAStartup(MAKEWORD(1,1), &wsaData); /* Initialize the MatrixSSL Library, and read in the public key (certificate) and private key. */ if (matrixSslOpen() < 0) { fprintf(stderr, "matrixSslOpen failed, exiting..."); } #if USE_MEM_CERTS /* Example of DER binary certs for matrixSslReadKeysMem */ getFileBin("certSrv.der", &servBin, &servBinLen); getFileBin("privkeySrv.der", &servKeyBin, &servKeyBinLen); getFileBin("CACertCln.der", &caBin, &caBinLen); matrixSslReadKeysMem(&keys, servBin, servBinLen, servKeyBin, servKeyBinLen, caBin, caBinLen); free(servBin); free(servKeyBin); free(caBin); #else /* Standard PEM files */ if (matrixSslReadKeys(&keys, certfile, keyfile, NULL, NULL) < 0) { fprintf(stderr, "Error reading or parsing %s or %s.\n", certfile, keyfile); goto promptAndExit; } #endif /* USE_MEM_CERTS */ fprintf(stdout, "Run httpsClient or type https://127.0.0.1:%d into your local Web browser.\n", HTTPS_PORT); /* Create the listen socket */ if ((listenfd = socketListen(HTTPS_PORT, &err)) == INVALID_SOCKET) { fprintf(stderr, "Cannot listen on port %d\n", HTTPS_PORT); goto promptAndExit; } /* Set blocking or not on the listen socket */ setSocketBlock(listenfd); /* Loop control initalization */ quit = 0; again = 0; flags = 0; acceptAgain = 1; /* Main connection loop */ while (!quit) { if (acceptAgain) { /* sslAccept creates a new server session */ /* TODO - deadlock on blocking socket accept. Should disable blocking here */ if ((fd = socketAccept(listenfd, &err)) == INVALID_SOCKET) { fprintf(stdout, "Error accepting connection: %d\n", err); continue; } if ((rc = sslAccept(&cp, fd, keys, NULL, flags)) != 0) { socketShutdown(fd); continue; } flags = 0; acceptAgain = 0; } /* Read response < 0 return indicates an error. 0 return indicates an EOF or CLOSE_NOTIFY in this situation > 0 indicates that some bytes were read. Keep reading until we see the /r/n/r/n from the GET request. We don't actually parse the request, we just echo it back. */ c = buf; readMore: if ((rc = sslRead(cp, c, sizeof(buf) - (int)(c - buf), &status)) > 0) { c += rc; if (c - buf < 4 || memcmp(c - 4, "\r\n\r\n", 4) != 0) { goto readMore; } } else { if (rc < 0) { fprintf(stdout, "sslRead error. dropping connection.\n"); } if (rc < 0 || status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) { socketShutdown(cp->fd); sslFreeConnection(&cp); acceptAgain = 1; continue; } goto readMore; } /* Done reading. If the incoming data starts with the quitString, quit the application after this request */ if (memcmp(buf, quitString, min(c - buf, (int)strlen(quitString))) == 0) { quit++; fprintf(stdout, "Q"); } /* If the incoming data starts with the againString, we are getting a pipeline request on the same session. Don't close and wait for new connection in this case. */ if (memcmp(buf, againString, min(c - buf, (int)strlen(againString))) == 0) { again++; fprintf(stdout, "A"); } else { fprintf(stdout, "R"); again = 0; } /* Copy the canned response header and decoded data from socket as the response (reflector) */ responseHdrLen = (int)strlen(responseHdr); bytes = responseHdrLen + (int)(c - buf); response = malloc(bytes); memcpy(response, responseHdr, responseHdrLen); memcpy(response + responseHdrLen, buf, c - buf); /* Send response. < 0 return indicates an error. 0 return indicates not all data was sent and we must retry > 0 indicates that all requested bytes were sent */ writeMore: rc = sslWrite(cp, response, bytes, &status); if (rc < 0) { free(response); fprintf(stdout, "Internal sslWrite error\n"); socketShutdown(cp->fd); sslFreeConnection(&cp); continue; } else if (rc == 0) { goto writeMore; } free(response); /* If we saw an /again request, loop up and process another pipelined HTTP request. The /again request is supported in the httpsClient example code. */ if (again) { continue; } /* Send a closure alert for clean shutdown of remote SSL connection This is for good form, some implementations just close the socket */ sslWriteClosureAlert(cp); /* Close the socket and wait for next connection (new session) */ socketShutdown(cp->fd); sslFreeConnection(&cp); acceptAgain = 1; } /* Close listening socket, free remaining items */ if (cp && cp->ssl) { socketShutdown(cp->fd); sslFreeConnection(&cp); } socketShutdown(listenfd); matrixSslFreeKeys(keys); matrixSslClose(); WSACleanup(); promptAndExit: fprintf(stdout, "\n\nPress return to exit...\n"); getchar(); return 0; }
/* An example socket sslRead implementation that handles the ssl handshake transparently. Caller passes in allocated buf and length. Return codes are as follows: -1 return code is an error. If a socket level error, error code is contained in status parameter. If using a non-blocking socket implementation the caller should check for non-fatal errors such as WOULD_BLOCK before closing the connection. A zero value in status indicates an error with this routine. A positive integer return code is the number of bytes successfully read into the supplied buffer. User can call sslRead again on the updated buffer is there is more to be read. 0 return code indicates the read was successful, but there was no data to be returned. If status is set to zero, this is a case internal to the sslAccept and sslConnect functions that a handshake message has been exchanged. If status is set to SOCKET_EOF the connection has been closed by the other side. */ int sslRead(sslConn_t *cp, char *buf, int len, int *status) { int bytes, rc, remaining; unsigned char error, alertLevel, alertDescription, performRead; *status = 0; if (cp->ssl == NULL || len <= 0) { return -1; } /* If inbuf is valid, then we have previously decoded data that must be returned, return as much as possible. Once all buffered data is returned, free the inbuf. */ if (cp->inbuf.buf) { if (cp->inbuf.start < cp->inbuf.end) { remaining = (int)(cp->inbuf.end - cp->inbuf.start); bytes = (int)min(len, remaining); memcpy(buf, cp->inbuf.start, bytes); cp->inbuf.start += bytes; return bytes; } free(cp->inbuf.buf); cp->inbuf.buf = NULL; } /* Pack the buffered socket data (if any) so that start is at zero. */ if (cp->insock.buf < cp->insock.start) { if (cp->insock.start == cp->insock.end) { cp->insock.start = cp->insock.end = cp->insock.buf; } else { memmove(cp->insock.buf, cp->insock.start, cp->insock.end - cp->insock.start); cp->insock.end -= (cp->insock.start - cp->insock.buf); cp->insock.start = cp->insock.buf; } } /* Read up to as many bytes as there are remaining in the buffer. We could Have encrypted data already cached in conn->insock, but might as well read more if we can. */ performRead = 0; readMore: if (cp->insock.end == cp->insock.start || performRead) { performRead = 1; bytes = recv(cp->fd, (char *)cp->insock.end, (int)((cp->insock.buf + cp->insock.size) - cp->insock.end), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); return -1; } if (bytes == 0) { *status = SSLSOCKET_EOF; return 0; } cp->insock.end += bytes; } /* Define a temporary sslBuf */ cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = malloc(len); cp->inbuf.size = len; /* Decode the data we just read from the socket */ decodeMore: error = 0; alertLevel = 0; alertDescription = 0; rc = matrixSslDecode(cp->ssl, &cp->insock, &cp->inbuf, &error, &alertLevel, &alertDescription); switch (rc) { /* Successfully decoded a record that did not return data or require a response. */ case SSL_SUCCESS: return 0; /* Successfully decoded an application data record, and placed in tmp buf */ case SSL_PROCESS_DATA: /* Copy as much as we can from the temp buffer into the caller's buffer and leave the remainder in conn->inbuf until the next call to read It is possible that len > data in buffer if the encoded record was longer than len, but the decoded record isn't! */ rc = (int)(cp->inbuf.end - cp->inbuf.start); rc = min(rc, len); memcpy(buf, cp->inbuf.start, rc); cp->inbuf.start += rc; return rc; /* We've decoded a record that requires a response into tmp If there is no data to be flushed in the out buffer, we can write out the contents of the tmp buffer. Otherwise, we need to append the data to the outgoing data buffer and flush it out. */ case SSL_SEND_RESPONSE: bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); if (*status != WOULD_BLOCK) { fprintf(stdout, "Socket send error: %d\n", *status); goto readError; } *status = 0; } cp->inbuf.start += bytes; if (cp->inbuf.start < cp->inbuf.end) { /* This must be a non-blocking socket since it didn't all get sent out and there was no error. We want to finish the send here simply because we are likely in the SSL handshake. */ setSocketBlock(cp->fd); bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); goto readError; } cp->inbuf.start += bytes; socketAssert(cp->inbuf.start == cp->inbuf.end); /* Can safely set back to non-blocking because we wouldn't have got here if this socket wasn't non-blocking to begin with. */ setSocketNonblock(cp->fd); } cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf; return 0; /* There was an error decoding the data, or encoding the out buffer. There may be a response data in the out buffer, so try to send. We try a single hail-mary send of the data, and then close the socket. Since we're closing on error, we don't worry too much about a clean flush. */ case SSL_ERROR: fprintf(stderr, "SSL: Closing on protocol error %d\n", error); if (cp->inbuf.start < cp->inbuf.end) { setSocketNonblock(cp->fd); bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); } goto readError; /* We've decoded an alert. The level and description passed into matrixSslDecode are filled in with the specifics. */ case SSL_ALERT: if (alertDescription == SSL_ALERT_CLOSE_NOTIFY) { *status = SSLSOCKET_CLOSE_NOTIFY; goto readZero; } fprintf(stderr, "SSL: Closing on client alert %d: %d\n", alertLevel, alertDescription); goto readError; /* We have a partial record, we need to read more data off the socket. If we have a completely full conn->insock buffer, we'll need to grow it here so that we CAN read more data when called the next time. */ case SSL_PARTIAL: if (cp->insock.start == cp->insock.buf && cp->insock.end == (cp->insock.buf + cp->insock.size)) { if (cp->insock.size > SSL_MAX_BUF_SIZE) { goto readError; } cp->insock.size *= 2; cp->insock.start = cp->insock.buf = (unsigned char *)realloc(cp->insock.buf, cp->insock.size); cp->insock.end = cp->insock.buf + (cp->insock.size / 2); } if (!performRead) { performRead = 1; free(cp->inbuf.buf); cp->inbuf.buf = NULL; goto readMore; } else { goto readZero; } /* The out buffer is too small to fit the decoded or response data. Increase the size of the buffer and call decode again */ case SSL_FULL: cp->inbuf.size *= 2; if (cp->inbuf.buf != (unsigned char*)buf) { free(cp->inbuf.buf); cp->inbuf.buf = NULL; } cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = (unsigned char *)malloc(cp->inbuf.size); goto decodeMore; } /* We consolidated some of the returns here because we must ensure that conn->inbuf is cleared if pointing at caller's buffer, otherwise it will be freed later on. */ readZero: if (cp->inbuf.buf == (unsigned char*)buf) { cp->inbuf.buf = NULL; } return 0; readError: if (cp->inbuf.buf == (unsigned char*)buf) { cp->inbuf.buf = NULL; } return -1; }
/* Client side. Open a socket connection to a remote ip and port. This code is not specific to SSL. */ SOCKET socketConnect(char *ip, short port, int *err) { struct sockaddr_in addr; SOCKET fd; int rc; struct hostent *hent; char ipbuf[20]; if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { fprintf(stderr, "Error creating socket\n"); *err = getSocketError(); return INVALID_SOCKET; } /* Make sure the socket is not inherited by exec'd processes Set the REUSEADDR flag to minimize the number of sockets in TIME_WAIT */ fcntl(fd, F_SETFD, FD_CLOEXEC); rc = 1; // setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc)); setSocketNodelay(fd); /* Turn on blocking mode for the connecting socket */ setSocketBlock(fd); /* //Marked by Gemtek hent = gethostbyname(ip); if (!hent) { fprintf(stderr, "Error resolving host\n"); } */ memset((char *) &addr, 0x0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(port); //Gemtek added sprintf( ipbuf ,"%s", "127.0.0.1" ); fprintf( stderr , "ip:port ==> %s:%d\n" , ipbuf , port ); //Gemtek added if( NULL != ip && strlen( ipbuf ) >= 7 && 0!=strcmp( ipbuf , "localhost") ) { //bcopy(hent->h_addr, &addr.sin_addr, hent->h_length); addr.sin_addr.s_addr = inet_addr( ipbuf ) ; } rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); #if WIN if (rc != 0) { #else if (rc < 0) { #endif *err = getSocketError(); return INVALID_SOCKET; } return fd; } /******************************************************************************/ /* Server side. Accept an incomming SSL connection request. 'conn' will be filled in with information about the accepted ssl connection return -1 on error, 0 on success, or WOULD_BLOCK for non-blocking sockets */ int sslAccept(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys, int (*certValidator)(sslCertInfo_t *t, void *arg), int flags) { sslConn_t *conn; unsigned char buf[1024]; int status, rc; /* Associate a new ssl session with this socket. The session represents the state of the ssl protocol over this socket. Session caching is handled automatically by this api. */ conn = calloc(sizeof(sslConn_t), 1); conn->fd = fd; if (matrixSslNewSession(&conn->ssl, keys, NULL, SSL_FLAGS_SERVER | flags) < 0) { sslFreeConnection(&conn); return -1; } /* MatrixSSL doesn't provide buffers for data internally. Define them here to support buffered reading and writing for non-blocking sockets. Although it causes quite a bit more work, we support dynamically growing the buffers as needed. Alternately, we could define 16K buffers here and not worry about growing them. */ memset(&conn->inbuf, 0x0, sizeof(sslBuf_t)); conn->insock.size = 10240; conn->insock.start = conn->insock.end = conn->insock.buf = (unsigned char *)malloc(conn->insock.size); conn->outsock.size = 10240; conn->outsock.start = conn->outsock.end = conn->outsock.buf = (unsigned char *)malloc(conn->outsock.size); conn->inbuf.size = 0; conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL; *cpp = conn; readMore: rc = sslRead(conn, buf, sizeof(buf), &status); /* Reading handshake records should always return 0 bytes, we aren't expecting any data yet. */ if (rc == 0) { if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) { sslFreeConnection(&conn); return -1; } if (matrixSslHandshakeIsComplete(conn->ssl) == 0) { goto readMore; } } else if (rc > 0) { socketAssert(0); return -1; } else { fprintf(stderr, "sslRead error in sslAccept\n"); sslFreeConnection(&conn); return -1; } *cpp = conn; return 0; }
int main(int argc, char **argv) #endif { SOCKET srv_fd; int status; WSADATA wsaData; // options char *srv_host = NULL; int srv_port = 0; char *keyfile = NULL; //"privkeySrv.pem"; char *certfile = NULL; //"certSrv.pem"; int vlevel = 0; char *cpos,*opos; int tmpport; int c; int intarg; #if VXWORKS int argc; char **argv; parseCmdLineArgs(arg1, &argc, &argv); #endif /* VXWORKS */ #if WINCE int argc; char **argv; char args[256]; /* * parseCmdLineArgs expects an ASCII string and CE is unicoded, so convert * the command line. args will get hacked up, so you can't pass in a * static string. */ WideCharToMultiByte(CP_ACP, 0, lpCmdLine, -1, args, 256, NULL, NULL); /* * Parse the command line into an argv array. This allocs memory, so * we have to free argv when we're done. */ parseCmdLineArgs(args, &argc, &argv); #endif /* WINCE */ /* prepare */ #ifndef USE_FORK memset(connections,0,MAXPROXYCOUNT*sizeof(struct proxyConnection)); #endif /* getopt */ /* Gemtek add +++ */ if(argc == 1) usage(1); /* Gemtek add --- */ for (;;) { c = getopt (argc, argv, "VD:P:fo:cd:r:p:A:v:h"); if (c == -1) { break; } switch (c) { case 'c': // client mode isClient=1; break; case 'd': // daemon mode [host:]port cpos = NULL; tmpport = 0; if((cpos = strchr(optarg,':'))) { *cpos = '\0'; if(optarg && optarg[0]) srv_host = optarg; optarg = ++cpos; } if(optarg && optarg[0]) { tmpport = (int)strtol(optarg, (char **)NULL, 0); if(tmpport) srv_port = tmpport; } break; case 'r': // remote [host:]port cpos = NULL; tmpport = 0; if((cpos = strchr(optarg,':'))) { *cpos = '\0'; if(optarg && optarg[0]) dst_host = optarg; optarg = ++cpos; } if(optarg && optarg[0]) { tmpport = (int)strtol(optarg, (char **)NULL, 0); if(tmpport) dst_port = tmpport; } break; case 'p': // pemfile (requred in servermode) keyfile = optarg; break; case 'A': // CA file certfile = optarg; break; case 'v': // veryfication level if(optarg && optarg[0]) { vlevel = (int)strtol(optarg, (char **)NULL, 0); if(vlevel == 1 ) { cervalidator = certChecker; } else if(vlevel > 3 || vlevel < 0) { fprintf(stderr,"-v takes whole numbers between 0 and 3"); exit(2); } } break; case 'P': // create a pidfile pidfile=optarg; break; case 'f': // run in foreground. nofork=1; nosysl=1; break; case 'o': // append logmessages to a file instead of stdout/syslog break; case 'O': // socket options. TODO break; case 'D': // debug level 0...7 intarg=strtol(optarg,NULL,0); if(intarg<0 || intarg>7) { usage(1); } gLogLevel=intarg; break; case 'V': // version break; case '?': case 'h': usage(0); break; default: usage(1); break; } } /* install handlers */ signal( SIGPIPE, SIG_IGN ); signal(SIGCHLD,sigchld_handler); /* ignore child */ signal(SIGHUP,kill_handler); /* catch hangup signal */ signal(SIGTERM,kill_handler); /* catch kill signal */ /* Initialize Windows sockets (no-op on other platforms) */ WSAStartup(MAKEWORD(1,1), &wsaData); if(!nosysl) { openlog("matrixtunnel", LOG_PID, LOG_DAEMON); setlogmask(LOG_UPTO(gLogLevel)); } /* Initialize the MatrixSSL Library, and read in the public key (certificate) and private key. */ if (matrixSslOpen() < 0) { ELOG("matrixSslOpen failed, exiting..."); exit(1); } /* Standard PEM files */ if (matrixSslReadKeys(&keys, certfile, keyfile, NULL, NULL) < 0) { ELOG("Error reading or parsing %s or %s, exiting...", certfile, keyfile); exit(1); } // go to background if(!nofork) { daemonize(); } /* Create the listen socket */ if ((srv_fd = socketListen(srv_port, &status)) == INVALID_SOCKET) { ELOG("Cannot listen on port %d, exiting...", srv_port); exit(1); } /* Set blocking or not on the listen socket */ setSocketBlock(srv_fd); /* Main connection loop */ struct proxyConnection *cp=NULL; struct proxyConnection *ncp; fd_set rs, ws, es, cr; int fdmax; struct timeval tv; int res, dontClose; char buf[4096]; int pc, sc; int ccount; while (!quit) { fdmax=srv_fd; ncp=NULL; FD_ZERO(&rs); FD_ZERO(&ws); FD_ZERO(&es); FD_SET(srv_fd,&rs); FD_SET(srv_fd,&ws); FD_SET(srv_fd,&es); ccount=0; #ifndef USE_FORK DLOG("next select on fds: %d ",srv_fd); for(cp=connections;cp<&connections[MAXPROXYCOUNT];cp++) { if (cp->done) { closeProxyConnection(cp); } if (cp->secure_up) { FD_SET(cp->secure->fd,&rs); FD_SET(cp->secure->fd,&ws); FD_SET(cp->secure->fd,&es); if (fdmax < cp->secure->fd) fdmax = cp->secure->fd; DLOG("fd: %d",cp->secure->fd); ccount++; } if (cp->plain_up) { FD_SET(cp->plain,&rs); FD_SET(cp->plain,&ws); FD_SET(cp->plain,&es); if (fdmax < cp->plain) fdmax = cp->plain; DLOG("fd: %d",cp->plain); ccount++; } if(!ncp && !cp->inuse){ ncp=cp; memset(ncp,0,sizeof(struct proxyConnection)); } } #else struct proxyConnection ncp_s; ncp=&ncp_s; memset(ncp,0,sizeof(struct proxyConnection)); #endif tv.tv_sec=10; tv.tv_usec=0; DLOG("main : select on %d open connections. fdmax: %d", ccount, fdmax); res=select(fdmax+1,&rs,NULL,&es,&tv); DLOG("select returned: %d %s", res , strerror(errno) ); if(res<0) { perror("select"); continue; } if(res==0) continue; #ifndef USE_FORK // handle open connections for(cp=connections;cp<&connections[MAXPROXYCOUNT];cp++) { if (cp->secure_up && cp->plain_up) { if(FD_ISSET(cp->secure->fd,&es) || FD_ISSET(cp->plain,&es)) { closeProxyConnection(cp); continue; } if(secureReady(cp)) { sc=proxyReadwrite(cp,1); if(sc<0) { closeProxyConnection(cp); continue; } } if(plainReady(cp)) { pc=proxyReadwrite(cp,0); if(pc<0) { closeProxyConnection(cp); continue; } } } } #endif // do we have new connections? if(FD_ISSET(srv_fd,&rs)) { proxyAccept(srv_fd,ncp); } } /* Close listening socket, free remaining items */ socketShutdown(srv_fd); #ifndef USE_FORK for(cp=connections;cp<&connections[MAXPROXYCOUNT];cp++) { closeProxyConnection(cp); } #endif if(!nosysl) { closelog(); } matrixSslFreeKeys(keys); matrixSslClose(); WSACleanup(); return 0; }
int sslRead(sslConn_t *cp, char *buf, int len, int *status) { int bytes, rc, remaining; unsigned char error, alertLevel, alertDescription, performRead; *status = 0; if (cp->ssl == NULL || len <= 0) { return -1; } if (cp->inbuf.buf) { if (cp->inbuf.start < cp->inbuf.end) { remaining = (int)(cp->inbuf.end - cp->inbuf.start); bytes = (int)min(len, remaining); memcpy(buf, cp->inbuf.start, bytes); cp->inbuf.start += bytes; return bytes; } free(cp->inbuf.buf); cp->inbuf.buf = NULL; } if (cp->insock.buf < cp->insock.start) { if (cp->insock.start == cp->insock.end) { cp->insock.start = cp->insock.end = cp->insock.buf; } else { memmove(cp->insock.buf, cp->insock.start, cp->insock.end - cp->insock.start); cp->insock.end -= (cp->insock.start - cp->insock.buf); cp->insock.start = cp->insock.buf; } } performRead = 0; readMore: if (cp->insock.end == cp->insock.start || performRead) { performRead = 1; bytes = recv(cp->fd, (char *)cp->insock.end, (int)((cp->insock.buf + cp->insock.size) - cp->insock.end), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); return -1; } if (bytes == 0) { *status = SSLSOCKET_EOF; return 0; } cp->insock.end += bytes; } cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = malloc(len); cp->inbuf.size = len; decodeMore: error = 0; alertLevel = 0; alertDescription = 0; rc = matrixSslDecode(cp->ssl, &cp->insock, &cp->inbuf, &error, &alertLevel, &alertDescription); switch (rc) { case SSL_SUCCESS: return 0; case SSL_PROCESS_DATA: rc = (int)(cp->inbuf.end - cp->inbuf.start); rc = min(rc, len); memcpy(buf, cp->inbuf.start, rc); cp->inbuf.start += rc; return rc; case SSL_SEND_RESPONSE: bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); if (*status != WOULD_BLOCK) { fprintf(stdout, "Socket send error: %d\n", *status); goto readError; } *status = 0; } cp->inbuf.start += bytes; if (cp->inbuf.start < cp->inbuf.end) { setSocketBlock(cp->fd); bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); if (bytes == SOCKET_ERROR) { *status = getSocketError(); goto readError; } cp->inbuf.start += bytes; socketAssert(cp->inbuf.start == cp->inbuf.end); setSocketNonblock(cp->fd); } cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf; return 0; case SSL_ERROR: fprintf(stderr, "SSL: Closing on protocol error %d\n", error); if (cp->inbuf.start < cp->inbuf.end) { setSocketNonblock(cp->fd); bytes = send(cp->fd, (char *)cp->inbuf.start, (int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL); } goto readError; case SSL_ALERT: if (alertDescription == SSL_ALERT_CLOSE_NOTIFY) { *status = SSLSOCKET_CLOSE_NOTIFY; goto readZero; } fprintf(stderr, "SSL: Closing on client alert %d: %d\n", alertLevel, alertDescription); goto readError; case SSL_PARTIAL: if (cp->insock.start == cp->insock.buf && cp->insock.end == (cp->insock.buf + cp->insock.size)) { if (cp->insock.size > SSL_MAX_BUF_SIZE) { goto readError; } cp->insock.size *= 2; cp->insock.start = cp->insock.buf = (unsigned char *)realloc(cp->insock.buf, cp->insock.size); cp->insock.end = cp->insock.buf + (cp->insock.size / 2); } if (!performRead) { performRead = 1; free(cp->inbuf.buf); cp->inbuf.buf = NULL; goto readMore; } else { goto readZero; } case SSL_FULL: cp->inbuf.size *= 2; if (cp->inbuf.buf != (unsigned char*)buf) { free(cp->inbuf.buf); cp->inbuf.buf = NULL; } cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = (unsigned char *)malloc(cp->inbuf.size); goto decodeMore; } readZero: if (cp->inbuf.buf == (unsigned char*)buf) { cp->inbuf.buf = NULL; } return 0; readError: if (cp->inbuf.buf == (unsigned char*)buf) { cp->inbuf.buf = NULL; } return -1; }