static void
virgo__global_init(virgo_t **p_v) {
#if !defined(OPENSSL_NO_COMP)
STACK_OF(SSL_COMP)* comp_methods;
#endif
if (global_virgo_init++) {
return;
}
SSL_library_init();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
SSL_load_error_strings();
ERR_load_crypto_strings();
/* Turn off compression. Saves memory - do it in userland. */
#if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L
comp_methods = SSL_COMP_get_compression_method()
#else
comp_methods = SSL_COMP_get_compression_methods();
#endif
sk_SSL_COMP_zero(comp_methods);
assert(sk_SSL_COMP_num(comp_methods) == 0);
#endif
/* TODO: other platform init */
}
EXPORT_C int SSL_library_init(void)
{
//#ifdef EMULATOR
// InitSSLWsdVar();
//#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
#endif
#ifndef OPENSSL_NO_IDEA
EVP_add_cipher(EVP_idea_cbc());
#endif
#ifndef OPENSSL_NO_RC4
EVP_add_cipher(EVP_rc4());
#endif
#ifndef OPENSSL_NO_RC2
EVP_add_cipher(EVP_rc2_cbc());
#endif
#ifndef OPENSSL_NO_AES
EVP_add_cipher(EVP_aes_128_cbc());
EVP_add_cipher(EVP_aes_192_cbc());
EVP_add_cipher(EVP_aes_256_cbc());
#endif
#ifndef OPENSSL_NO_MD2
EVP_add_digest(EVP_md2());
#endif
#ifndef OPENSSL_NO_MD5
EVP_add_digest(EVP_md5());
EVP_add_digest_alias(SN_md5,"ssl2-md5");
EVP_add_digest_alias(SN_md5,"ssl3-md5");
#endif
#ifndef OPENSSL_NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
#endif
#ifndef OPENSSL_NO_ECDSA
EVP_add_digest(EVP_ecdsa());
#endif
/* If you want support for phased out ciphers, add the following */
#if 0
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
#ifndef OPENSSL_NO_COMP
/* This will initialise the built-in compression algorithms.
The value returned is a STACK_OF(SSL_COMP), but that can
be discarded safely */
(void)SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
return(1);
}
/*
Release SSL and free resources
Will be automatically executed by
mysql_server_end() function
SYNOPSIS
my_ssl_end()
void
RETURN VALUES
void
*/
void my_ssl_end()
{
DBUG_ENTER("my_ssl_end");
pthread_mutex_lock(&LOCK_ssl_config);
if (my_ssl_initialized)
{
int i;
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
for (i=0; i < CRYPTO_num_locks(); i++)
pthread_mutex_destroy(&LOCK_crypto[i]);
my_free((gptr)LOCK_crypto, MYF(0));
if (SSL_context)
{
SSL_CTX_free(SSL_context);
SSL_context= FALSE;
}
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ENGINE_cleanup();
CONF_modules_free();
CONF_modules_unload(1);
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
my_ssl_initialized= FALSE;
}
pthread_mutex_unlock(&LOCK_ssl_config);
pthread_mutex_destroy(&LOCK_ssl_config);
DBUG_VOID_RETURN;
}
static void internal_idevice_deinit(void)
{
#ifdef HAVE_OPENSSL
int i;
if (mutex_buf) {
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks(); i++)
mutex_destroy(&mutex_buf[i]);
free(mutex_buf);
mutex_buf = NULL;
}
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
#else
gnutls_global_deinit();
#endif
}
/*
Release SSL and free resources
Will be automatically executed by
mysql_server_end() function
SYNOPSIS
my_ssl_end()
void
RETURN VALUES
void
*/
void ma_ssl_end()
{
pthread_mutex_lock(&LOCK_openssl_config);
if (ma_ssl_initialized)
{
int i;
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
for (i=0; i < CRYPTO_num_locks(); i++)
pthread_mutex_destroy(&LOCK_crypto[i]);
my_free((gptr)LOCK_crypto);
LOCK_crypto= NULL;
if (SSL_context)
{
SSL_CTX_free(SSL_context);
SSL_context= NULL;
}
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
//ENGINE_cleanup();
CONF_modules_free();
CONF_modules_unload(1);
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
ma_ssl_initialized= FALSE;
}
pthread_mutex_unlock(&LOCK_openssl_config);
pthread_mutex_destroy(&LOCK_openssl_config);
return;
}
void
as_tls_cleanup(void)
{
// Skip if we were never initialized.
if (! s_tls_inited) {
return;
}
#if !defined USE_XDR
// Cleanup global OpenSSL state, must be after all other OpenSSL
// API calls, of course ...
#if OPENSSL_VERSION_NUMBER < 0x10100000L
threading_cleanup();
#endif
// https://wiki.openssl.org/index.php/Library_Initialization#Cleanup
//
FIPS_mode_set(0);
ENGINE_cleanup();
CONF_modules_unload(1);
EVP_cleanup();
as_tls_thread_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
// http://stackoverflow.com/questions/29845527/how-to-properly-uninitialize-openssl
STACK_OF(SSL_COMP) *ssl_comp_methods = SSL_COMP_get_compression_methods();
if (ssl_comp_methods != NULL) {
sk_SSL_COMP_free(ssl_comp_methods);
}
#endif
}
static void disable_SSL_compression(void) {
STACK_OF(SSL_COMP) *ssl_comp_methods;
ssl_comp_methods = SSL_COMP_get_compression_methods();
int n = sk_SSL_COMP_num(ssl_comp_methods);
for (int i = 0; i < n; i++) {
(void) sk_SSL_COMP_pop(ssl_comp_methods);
}
}
void krx_end() {
ERR_remove_state(0);
ENGINE_cleanup();
CONF_modules_unload(1);
ERR_free_strings();
EVP_cleanup();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
CRYPTO_cleanup_all_ex_data();
}
/**
* Free Droplet global data.
*
* Must be called once and only once after all Droplet library calls
* have stopped.
*/
void
dpl_free()
{
ERR_clear_error();
ERR_remove_state(0);
ERR_free_strings();
EVP_cleanup();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
CRYPTO_cleanup_all_ex_data();
}
/**
* Clean up all the global objects.
*
* This will make memory-leak checkers happy.
* There are globally shared resources in libevent and openssl and
* it's usually not a problem since they don't grow but having these
* can confuse some debugging tools into thinking as memory leak.
* If you need to make sure that libasyncd has released all internal
* library-global data structures, call this.
*/
void ad_server_global_free(void) {
// Libevent related.
//libevent_global_shutdown(); // From libevent v2.1
// OpenSSL related.
ENGINE_cleanup();
CONF_modules_free();
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
}
void ape_ssl_library_destroy()
{
return;
FIPS_mode_set(0);
ENGINE_cleanup();
CONF_modules_unload(1);
CONF_modules_free();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
ERR_remove_state(0);
ERR_free_strings();
}
void main_cleanup(void) {
ecies_group_free();
// As a child I was taught that your done eating until your plate is completely clean.
// The following should release _all_ of the memory allocated by the OpenSSL functions used.
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_thread_state(NULL);
sk_pop_free((_STACK *)SSL_COMP_get_compression_methods(), CRYPTO_free);
return;
}
/**
* Initializes the OpenSSL library.
*/
static void InitializeOpenSSL(void)
{
if (l_SSLInitialized)
return;
SSL_library_init();
SSL_load_error_strings();
SSL_COMP_get_compression_methods();
l_Mutexes = new boost::mutex[CRYPTO_num_locks()];
CRYPTO_set_locking_callback(&OpenSSLLockingCallback);
l_SSLInitialized = true;
}
int
SPDYF_openssl_init(struct SPDY_Daemon *daemon)
{
int options;
//create ssl context. TLSv1 used
if(NULL == (daemon->io_context = SSL_CTX_new(TLSv1_server_method())))
{
SPDYF_DEBUG("Couldn't create ssl context");
return SPDY_NO;
}
//set options for tls
//TODO DH is not enabled for easier debugging
//SSL_CTX_set_options(daemon->io_context, SSL_OP_SINGLE_DH_USE);
//TODO here session tickets are disabled for easier debuging with
//wireshark when using Chrome
// SSL_OP_NO_COMPRESSION disables TLS compression to avoid CRIME attack
options = SSL_OP_NO_TICKET;
#ifdef SSL_OP_NO_COMPRESSION
options |= SSL_OP_NO_COMPRESSION;
#elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
SSL_CTX_set_options(daemon->io_context, options);
if(1 != SSL_CTX_use_certificate_file(daemon->io_context, daemon->certfile , SSL_FILETYPE_PEM))
{
SPDYF_DEBUG("Couldn't load the cert file");
SSL_CTX_free(daemon->io_context);
return SPDY_NO;
}
if(1 != SSL_CTX_use_PrivateKey_file(daemon->io_context, daemon->keyfile, SSL_FILETYPE_PEM))
{
SPDYF_DEBUG("Couldn't load the name file");
SSL_CTX_free(daemon->io_context);
return SPDY_NO;
}
SSL_CTX_set_next_protos_advertised_cb(daemon->io_context, &spdyf_next_protos_advertised_cb, NULL);
//TODO only RC4-SHA is used to make it easy to debug with wireshark
if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "RC4-SHA"))
{
SPDYF_DEBUG("Couldn't set the desired cipher list");
SSL_CTX_free(daemon->io_context);
return SPDY_NO;
}
return SPDY_YES;
}
int FuzzerInitialize(int *argc, char ***argv)
{
STACK_OF(SSL_COMP) *comp_methods;
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
idx = SSL_get_ex_data_X509_STORE_CTX_idx();
FuzzerSetRand();
comp_methods = SSL_COMP_get_compression_methods();
if (comp_methods != NULL)
sk_SSL_COMP_sort(comp_methods);
return 1;
}
/**
* @brief Configure generic SSL parameters
* @param d domain
* @return 0
*/
static int set_ssl_options(tls_domain_t* d)
{
int i;
int procs_no;
long options;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
long ssl_version;
STACK_OF(SSL_COMP)* comp_methods;
#endif
procs_no=get_max_procs();
options=SSL_OP_ALL; /* all the bug workarrounds by default */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
options|=SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_CIPHER_SERVER_PREFERENCE;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
ssl_version=SSLeay();
if ((ssl_version >= 0x0090800L) && (ssl_version < 0x0090803fL)){
/* if 0.9.8 <= openssl version < 0.9.8c and compression support is
* enabled disable SSL_OP_TLS_BLOCK_PADDING_BUG (set by SSL_OP_ALL),
* see openssl #1204 http://rt.openssl.org/Ticket/Display.html?id=1204
*/
comp_methods=SSL_COMP_get_compression_methods();
if (comp_methods && (sk_SSL_COMP_num(comp_methods) > 0)){
options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
LOG(L_WARN, "tls: set_ssl_options: openssl "
"SSL_OP_TLS_BLOCK_PADDING bug workaround enabled "
"(openssl version %lx)\n", ssl_version);
}else{
LOG(L_INFO, "tls: set_ssl_options: detected openssl version (%lx) "
" has the SSL_OP_TLS_BLOCK_PADDING bug, but compression "
" is disabled so no workaround is needed\n", ssl_version);
}
}
# endif
#endif
for(i = 0; i < procs_no; i++) {
SSL_CTX_set_options(d->ctx[i], options);
if(sr_tls_renegotiation==0)
SSL_CTX_set_info_callback(d->ctx[i], sr_ssl_ctx_info_callback);
}
return 0;
}
static void internal_idevice_deinit(void)
{
#ifdef HAVE_OPENSSL
int i;
if (mutex_buf) {
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks(); i++)
mutex_destroy(&mutex_buf[i]);
free(mutex_buf);
mutex_buf = NULL;
}
/* Since there is no SSL_library_deinit... */
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#else
gnutls_global_deinit();
#endif
}
void lwp_init ()
{
if (init_called)
return;
init_called = lw_true;
#ifdef ENABLE_SSL
STACK_OF (SSL_COMP) * comp_methods;
SSL_library_init ();
SSL_load_error_strings ();
ERR_load_crypto_strings ();
comp_methods = SSL_COMP_get_compression_methods ();
sk_SSL_COMP_zero (comp_methods);
#endif
}
void Stop(int signo)
{
printf("oops! stop by ctrl+c or kill!!!----------------------------------------\n");
if(flock(fileno(fd_pid_conf),LOCK_UN) != 0)
{
DEBUG_printf("unlock fd_pid_conf failed!\n");
}
else
{
DEBUG_printf("unlock fd_pid_conf succeed!\n");
}
fclose(fd_pid_conf);
DeleteList(L_cmd);
p_n_over = false;
//sleep(5);
pthread_join(thread_id,NULL);
//pthread_join(thread_rev,NULL);
pthread_join(thread_deal_cmd_id,NULL);
pthread_join(thread_deal_response_id,NULL);
DestroyQueue(&Q_cmd);
DestroyQueue(&Q_respond);
SSL_shutdown(ssl);
SSL_free(ssl);
close(sockfd);
SSL_CTX_free(ctx);
CONF_modules_free();
ERR_remove_state(0);
ENGINE_cleanup();
CONF_modules_unload(1);
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
exit(0);
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
#ifdef WIN32
int i, r;
#endif
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
|SSL_OP_NO_COMPRESSION
|SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
|SSL_OP_NO_TICKET
|SSL_OP_CIPHER_SERVER_PREFERENCE);
#if OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
#ifdef WIN32
/* under win32, OpenSSL needs to be seeded with some randomness */
for (i = 0; i < 128; i++)
{
r = rand ();
RAND_seed ((unsigned char *)&r, sizeof (r));
}
#endif
return(ctx);
}
void OpenSSL::ClassDestroy() {
MS_TRACE();
MS_DEBUG("unloading openssl");
// FAQ: https://www.openssl.org/support/faq.html#PROG13
// Thread-local cleanup functions.
ERR_remove_thread_state(nullptr);
// Application-global cleanup functions that are aware of usage (and
// therefore thread-safe).
ENGINE_cleanup();
// "Brutal" (thread-unsafe) Application-global cleanup functions.
ERR_free_strings();
EVP_cleanup(); // Removes all ciphers and digests.
CRYPTO_cleanup_all_ex_data();
// https://bugs.launchpad.net/percona-server/+bug/1341067.
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
// Free mutexes.
for (int i=0; i<OpenSSL::numMutexes; i++) {
int err = pthread_mutex_destroy(&OpenSSL::mutexes[i]);
if (err)
MS_ERROR("pthread_mutex_destroy() failed with return code %d\n", err);
}
if (OpenSSL::mutexes)
delete[] OpenSSL::mutexes;
// Reset callbacks.
CRYPTO_THREADID_set_callback(nullptr);
CRYPTO_set_locking_callback(nullptr);
CRYPTO_set_dynlock_create_callback(nullptr);
CRYPTO_set_dynlock_lock_callback(nullptr);
CRYPTO_set_dynlock_destroy_callback(nullptr);
}
void OpenSSLSession::Stop()
{
if(!m_bStarted)
{
return;
}
if(m_ConnectionCtx)
{
SSL_CTX_free(m_ConnectionCtx);
m_ConnectionCtx = 0;
}
ERR_remove_state(0);
ENGINE_cleanup();
CONF_modules_unload(1);
ERR_free_strings();
EVP_cleanup();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
CRYPTO_cleanup_all_ex_data();
m_bStarted = false;
}
int
main(int argc, char **argv)
{
int i;
sigset_t set;
#if ENABLE_MPEGTS
uint32_t adapter_mask = 0;
#endif
int log_level = LOG_INFO;
int log_options = TVHLOG_OPT_MILLIS | TVHLOG_OPT_STDERR | TVHLOG_OPT_SYSLOG;
const char *log_debug = NULL, *log_trace = NULL;
gid_t gid = -1;
uid_t uid = -1;
char buf[512];
FILE *pidfile = NULL;
extern int dvb_bouquets_parse;
main_tid = pthread_self();
/* Setup global mutexes */
pthread_mutex_init(&fork_lock, NULL);
pthread_mutex_init(&global_lock, NULL);
pthread_mutex_init(&tasklet_lock, NULL);
pthread_mutex_init(&atomic_lock, NULL);
pthread_cond_init(>imer_cond, NULL);
pthread_cond_init(&tasklet_cond, NULL);
TAILQ_INIT(&tasklets);
/* Defaults */
tvheadend_webui_port = 9981;
tvheadend_webroot = NULL;
tvheadend_htsp_port = 9982;
tvheadend_htsp_port_extra = 0;
time(&dispatch_clock);
/* Command line options */
int opt_help = 0,
opt_version = 0,
opt_fork = 0,
opt_firstrun = 0,
opt_stderr = 0,
opt_syslog = 0,
opt_nosyslog = 0,
opt_uidebug = 0,
opt_abort = 0,
opt_noacl = 0,
opt_fileline = 0,
opt_threadid = 0,
opt_libav = 0,
opt_ipv6 = 0,
opt_satip_rtsp = 0,
#if ENABLE_TSFILE
opt_tsfile_tuner = 0,
#endif
opt_dump = 0,
opt_xspf = 0,
opt_dbus = 0,
opt_dbus_session = 0,
opt_nobackup = 0,
opt_nobat = 0;
const char *opt_config = NULL,
*opt_user = NULL,
*opt_group = NULL,
*opt_logpath = NULL,
*opt_log_debug = NULL,
*opt_log_trace = NULL,
*opt_pidpath = "/var/run/tvheadend.pid",
#if ENABLE_LINUXDVB
*opt_dvb_adapters = NULL,
#endif
*opt_bindaddr = NULL,
*opt_subscribe = NULL,
*opt_user_agent = NULL;
str_list_t opt_satip_xml = { .max = 10, .num = 0, .str = calloc(10, sizeof(char*)) };
str_list_t opt_tsfile = { .max = 10, .num = 0, .str = calloc(10, sizeof(char*)) };
cmdline_opt_t cmdline_opts[] = {
{ 0, NULL, N_("Generic Options"), OPT_BOOL, NULL },
{ 'h', "help", N_("Show this page"), OPT_BOOL, &opt_help },
{ 'v', "version", N_("Show version information"),OPT_BOOL, &opt_version },
{ 0, NULL, N_("Service Configuration"), OPT_BOOL, NULL },
{ 'c', "config", N_("Alternate config path"), OPT_STR, &opt_config },
{ 'B', "nobackup", N_("Don't backup config tree at upgrade"), OPT_BOOL, &opt_nobackup },
{ 'f', "fork", N_("Fork and run as daemon"), OPT_BOOL, &opt_fork },
{ 'u', "user", N_("Run as user"), OPT_STR, &opt_user },
{ 'g', "group", N_("Run as group"), OPT_STR, &opt_group },
{ 'p', "pid", N_("Alternate pid path"), OPT_STR, &opt_pidpath },
{ 'C', "firstrun", N_("If no user account exists then create one with\n"
"no username and no password. Use with care as\n"
"it will allow world-wide administrative access\n"
"to your Tvheadend installation until you edit/create\n"
"access-control from within the Tvheadend UI"),
OPT_BOOL, &opt_firstrun },
#if ENABLE_DBUS_1
{ 'U', "dbus", N_("Enable DBus"),
OPT_BOOL, &opt_dbus },
{ 'e', "dbus_session", N_("DBus - use the session message bus instead system one"),
OPT_BOOL, &opt_dbus_session },
#endif
#if ENABLE_LINUXDVB
{ 'a', "adapters", N_("Only use specified DVB adapters (comma separated)"),
OPT_STR, &opt_dvb_adapters },
#endif
#if ENABLE_SATIP_SERVER
{ 0, "satip_rtsp", N_("SAT>IP RTSP port number for server\n"
"(default: -1 = disable, 0 = webconfig, standard port is 554)"),
OPT_INT, &opt_satip_rtsp },
#endif
#if ENABLE_SATIP_CLIENT
{ 0, "satip_xml", N_("URL with the SAT>IP server XML location"),
OPT_STR_LIST, &opt_satip_xml },
#endif
{ 0, NULL, N_("Server Connectivity"), OPT_BOOL, NULL },
{ '6', "ipv6", N_("Listen on IPv6"), OPT_BOOL, &opt_ipv6 },
{ 'b', "bindaddr", N_("Specify bind address"), OPT_STR, &opt_bindaddr},
{ 0, "http_port", N_("Specify alternative http port"),
OPT_INT, &tvheadend_webui_port },
{ 0, "http_root", N_("Specify alternative http webroot"),
OPT_STR, &tvheadend_webroot },
{ 0, "htsp_port", N_("Specify alternative htsp port"),
OPT_INT, &tvheadend_htsp_port },
{ 0, "htsp_port2", N_("Specify extra htsp port"),
OPT_INT, &tvheadend_htsp_port_extra },
{ 0, "useragent", N_("Specify User-Agent header for the http client"),
OPT_STR, &opt_user_agent },
{ 0, "xspf", N_("Use XSPF playlist instead of M3U"),
OPT_BOOL, &opt_xspf },
{ 0, NULL, N_("Debug Options"), OPT_BOOL, NULL },
{ 'd', "stderr", N_("Enable debug on stderr"), OPT_BOOL, &opt_stderr },
{ 's', "syslog", N_("Enable debug to syslog"), OPT_BOOL, &opt_syslog },
{ 'S', "nosyslog", N_("Disable syslog (all msgs)"), OPT_BOOL, &opt_nosyslog },
{ 'l', "logfile", N_("Enable debug to file"), OPT_STR, &opt_logpath },
{ 0, "debug", N_("Enable debug subsystems"), OPT_STR, &opt_log_debug },
#if ENABLE_TRACE
{ 0, "trace", N_("Enable trace subsystems"), OPT_STR, &opt_log_trace },
#endif
{ 0, "fileline", N_("Add file and line numbers to debug"), OPT_BOOL, &opt_fileline },
{ 0, "threadid", N_("Add the thread ID to debug"), OPT_BOOL, &opt_threadid },
#if ENABLE_LIBAV
{ 0, "libav", N_("More verbose libav log"), OPT_BOOL, &opt_libav },
#endif
{ 0, "uidebug", N_("Enable webUI debug (non-minified JS)"), OPT_BOOL, &opt_uidebug },
{ 'A', "abort", N_("Immediately abort"), OPT_BOOL, &opt_abort },
{ 'D', "dump", N_("Enable coredumps for daemon"), OPT_BOOL, &opt_dump },
{ 0, "noacl", N_("Disable all access control checks"),
OPT_BOOL, &opt_noacl },
{ 0, "nobat", N_("Disable DVB bouquets"),
OPT_BOOL, &opt_nobat },
{ 'j', "join", N_("Subscribe to a service permanently"),
OPT_STR, &opt_subscribe },
#if ENABLE_TSFILE || ENABLE_TSDEBUG
{ 0, NULL, N_("Testing options"), OPT_BOOL, NULL },
{ 0, "tsfile_tuners", N_("Number of tsfile tuners"), OPT_INT, &opt_tsfile_tuner },
{ 0, "tsfile", N_("tsfile input (mux file)"), OPT_STR_LIST, &opt_tsfile },
#endif
#if ENABLE_TSDEBUG
{ 0, "tsdebug", N_("Output directory for tsdebug"), OPT_STR, &tvheadend_tsdebug },
#endif
};
/* Get current directory */
tvheadend_cwd0 = dirname(tvh_strdupa(argv[0]));
tvheadend_cwd = dirname(tvh_strdupa(tvheadend_cwd0));
/* Set locale */
setlocale(LC_ALL, "");
setlocale(LC_NUMERIC, "C");
/* make sure the timezone is set */
tzset();
/* Process command line */
for (i = 1; i < argc; i++) {
/* Find option */
cmdline_opt_t *opt
= cmdline_opt_find(cmdline_opts, ARRAY_SIZE(cmdline_opts), argv[i]);
if (!opt)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts),
_("invalid option specified [%s]"), argv[i]);
/* Process */
if (opt->type == OPT_BOOL)
*((int*)opt->param) = 1;
else if (++i == argc)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts),
_("option %s requires a value"), opt->lopt);
else if (opt->type == OPT_INT)
*((int*)opt->param) = atoi(argv[i]);
else if (opt->type == OPT_STR_LIST) {
str_list_t *strl = opt->param;
if (strl->num < strl->max)
strl->str[strl->num++] = argv[i];
}
else
*((char**)opt->param) = argv[i];
/* Stop processing */
if (opt_help)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts), NULL);
if (opt_version)
show_version(argv[0]);
}
/* Additional cmdline processing */
if (opt_nobat)
dvb_bouquets_parse = 0;
#if ENABLE_LINUXDVB
if (!opt_dvb_adapters) {
adapter_mask = ~0;
} else {
char *p, *e;
char *r = NULL;
char *dvb_adapters = strdup(opt_dvb_adapters);
adapter_mask = 0x0;
p = strtok_r(dvb_adapters, ",", &r);
while (p) {
int a = strtol(p, &e, 10);
if (*e != 0 || a < 0 || a > 31) {
fprintf(stderr, _("Invalid adapter number '%s'\n"), p);
free(dvb_adapters);
return 1;
}
adapter_mask |= (1 << a);
p = strtok_r(NULL, ",", &r);
}
free(dvb_adapters);
if (!adapter_mask) {
fprintf(stderr, "%s", _("No adapters specified!\n"));
return 1;
}
}
#endif
if (tvheadend_webroot) {
char *tmp;
if (*tvheadend_webroot == '/')
tmp = strdup(tvheadend_webroot);
else {
tmp = malloc(strlen(tvheadend_webroot)+2);
*tmp = '/';
strcpy(tmp+1, tvheadend_webroot);
}
if (tmp[strlen(tmp)-1] == '/')
tmp[strlen(tmp)-1] = '\0';
tvheadend_webroot = tmp;
}
tvheadend_webui_debug = opt_uidebug;
/* Setup logging */
if (isatty(2))
log_options |= TVHLOG_OPT_DECORATE;
if (opt_stderr || opt_syslog || opt_logpath) {
if (!opt_log_trace && !opt_log_debug)
log_debug = "all";
log_level = LOG_DEBUG;
if (opt_stderr)
log_options |= TVHLOG_OPT_DBG_STDERR;
if (opt_syslog)
log_options |= TVHLOG_OPT_DBG_SYSLOG;
if (opt_logpath)
log_options |= TVHLOG_OPT_DBG_FILE;
}
if (opt_nosyslog)
log_options &= ~(TVHLOG_OPT_SYSLOG|TVHLOG_OPT_DBG_SYSLOG);
if (opt_fileline)
log_options |= TVHLOG_OPT_FILELINE;
if (opt_threadid)
log_options |= TVHLOG_OPT_THREAD;
if (opt_libav)
log_options |= TVHLOG_OPT_LIBAV;
if (opt_log_trace) {
log_level = LOG_TRACE;
log_trace = opt_log_trace;
}
if (opt_log_debug)
log_debug = opt_log_debug;
tvhlog_init(log_level, log_options, opt_logpath);
tvhlog_set_debug(log_debug);
tvhlog_set_trace(log_trace);
tvhinfo("main", "Log started");
signal(SIGPIPE, handle_sigpipe); // will be redundant later
signal(SIGILL, handle_sigill); // see handler..
/* Set priviledges */
if(opt_fork || opt_group || opt_user) {
const char *homedir;
struct group *grp = getgrnam(opt_group ?: "video");
struct passwd *pw = opt_user ? getpwnam(opt_user) : NULL;
if(grp != NULL) {
gid = grp->gr_gid;
} else {
gid = 1;
}
if (pw != NULL) {
if (getuid() != pw->pw_uid) {
gid_t glist[16];
int gnum;
gnum = get_user_groups(pw, glist, ARRAY_SIZE(glist));
if (gnum > 0 && setgroups(gnum, glist)) {
char buf[256] = "";
int i;
for (i = 0; i < gnum; i++)
snprintf(buf + strlen(buf), sizeof(buf) - 1 - strlen(buf),
",%d", glist[i]);
tvhlog(LOG_ALERT, "START",
"setgroups(%s) failed, do you have permission?", buf+1);
return 1;
}
}
uid = pw->pw_uid;
homedir = pw->pw_dir;
setenv("HOME", homedir, 1);
} else {
uid = 1;
}
}
uuid_init();
config_boot(opt_config, gid, uid);
tcp_server_preinit(opt_ipv6);
http_server_init(opt_bindaddr); // bind to ports only
htsp_init(opt_bindaddr); // bind to ports only
satip_server_init(opt_satip_rtsp); // bind to ports only
if (opt_fork)
pidfile = tvh_fopen(opt_pidpath, "w+");
if (gid != -1 && (getgid() != gid) && setgid(gid)) {
tvhlog(LOG_ALERT, "START",
"setgid(%d) failed, do you have permission?", gid);
return 1;
}
if (uid != -1 && (getuid() != uid) && setuid(uid)) {
tvhlog(LOG_ALERT, "START",
"setuid(%d) failed, do you have permission?", uid);
return 1;
}
/* Daemonise */
if(opt_fork) {
if(daemon(0, 0)) {
exit(2);
}
if(pidfile != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
}
/* Make dumpable */
if (opt_dump) {
#ifdef PLATFORM_LINUX
if (chdir("/tmp"))
tvhwarn("START", "failed to change cwd to /tmp");
prctl(PR_SET_DUMPABLE, 1);
#else
tvhwarn("START", "Coredumps not implemented on your platform");
#endif
}
umask(0);
}
tvheadend_running = 1;
/* Start log thread (must be done post fork) */
tvhlog_start();
/* Alter logging */
if (opt_fork)
tvhlog_options &= ~TVHLOG_OPT_STDERR;
if (!isatty(2))
tvhlog_options &= ~TVHLOG_OPT_DECORATE;
/* Initialise clock */
pthread_mutex_lock(&global_lock);
time(&dispatch_clock);
/* Signal handling */
sigfillset(&set);
sigprocmask(SIG_BLOCK, &set, NULL);
trap_init(argv[0]);
/* SSL library init */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
/* Initialise configuration */
notify_init();
idnode_init();
spawn_init();
config_init(opt_nobackup == 0);
/**
* Initialize subsystems
*/
epg_in_load = 1;
tvhthread_create(&tasklet_tid, NULL, tasklet_thread, NULL);
dbus_server_init(opt_dbus, opt_dbus_session);
intlconv_init();
api_init();
fsmonitor_init();
libav_init();
tvhtime_init();
profile_init();
imagecache_init();
http_client_init(opt_user_agent);
esfilter_init();
bouquet_init();
service_init();
dvb_init();
#if ENABLE_MPEGTS
mpegts_init(adapter_mask, &opt_satip_xml, &opt_tsfile, opt_tsfile_tuner);
#endif
channel_init();
bouquet_service_resolve();
subscription_init();
dvr_config_init();
access_init(opt_firstrun, opt_noacl);
#if ENABLE_TIMESHIFT
timeshift_init();
#endif
tcp_server_init();
webui_init(opt_xspf);
#if ENABLE_UPNP
upnp_server_init(opt_bindaddr);
#endif
service_mapper_init();
descrambler_init();
epggrab_init();
epg_init();
dvr_init();
dbus_server_start();
http_server_register();
satip_server_register();
htsp_register();
if(opt_subscribe != NULL)
subscription_dummy_join(opt_subscribe, 1);
avahi_init();
bonjour_init();
epg_updated(); // cleanup now all prev ref's should have been created
epg_in_load = 0;
pthread_mutex_unlock(&global_lock);
/**
* Wait for SIGTERM / SIGINT, but only in this thread
*/
sigemptyset(&set);
sigaddset(&set, SIGTERM);
sigaddset(&set, SIGINT);
signal(SIGTERM, doexit);
signal(SIGINT, doexit);
pthread_sigmask(SIG_UNBLOCK, &set, NULL);
tvhlog(LOG_NOTICE, "START", "HTS Tvheadend version %s started, "
"running as PID:%d UID:%d GID:%d, CWD:%s CNF:%s",
tvheadend_version,
getpid(), getuid(), getgid(), getcwd(buf, sizeof(buf)),
hts_settings_get_root());
if(opt_abort)
abort();
mainloop();
#if ENABLE_DBUS_1
tvhftrace("main", dbus_server_done);
#endif
#if ENABLE_UPNP
tvhftrace("main", upnp_server_done);
#endif
tvhftrace("main", satip_server_done);
tvhftrace("main", htsp_done);
tvhftrace("main", http_server_done);
tvhftrace("main", webui_done);
tvhftrace("main", fsmonitor_done);
tvhftrace("main", http_client_done);
tvhftrace("main", tcp_server_done);
// Note: the locking is obviously a bit redundant, but without
// we need to disable the gtimer_arm call in epg_save()
pthread_mutex_lock(&global_lock);
tvhftrace("main", epg_save);
#if ENABLE_TIMESHIFT
tvhftrace("main", timeshift_term);
#endif
pthread_mutex_unlock(&global_lock);
tvhftrace("main", epggrab_done);
#if ENABLE_MPEGTS
tvhftrace("main", mpegts_done);
#endif
tvhftrace("main", descrambler_done);
tvhftrace("main", service_mapper_done);
tvhftrace("main", service_done);
tvhftrace("main", channel_done);
tvhftrace("main", bouquet_done);
tvhftrace("main", dvr_done);
tvhftrace("main", subscription_done);
tvhftrace("main", access_done);
tvhftrace("main", epg_done);
tvhftrace("main", avahi_done);
tvhftrace("main", bonjour_done);
tvhftrace("main", imagecache_done);
tvhftrace("main", lang_code_done);
tvhftrace("main", api_done);
tvhtrace("main", "tasklet enter");
pthread_cond_signal(&tasklet_cond);
pthread_join(tasklet_tid, NULL);
tvhtrace("main", "tasklet thread end");
tasklet_flush();
tvhtrace("main", "tasklet leave");
tvhftrace("main", hts_settings_done);
tvhftrace("main", dvb_done);
tvhftrace("main", lang_str_done);
tvhftrace("main", esfilter_done);
tvhftrace("main", profile_done);
tvhftrace("main", intlconv_done);
tvhftrace("main", urlparse_done);
tvhftrace("main", idnode_done);
tvhftrace("main", notify_done);
tvhftrace("main", spawn_done);
tvhlog(LOG_NOTICE, "STOP", "Exiting HTS Tvheadend");
tvhlog_end();
tvhftrace("main", config_done);
if(opt_fork)
unlink(opt_pidpath);
#if ENABLE_TSFILE
free(opt_tsfile.str);
#endif
free(opt_satip_xml.str);
/* OpenSSL - welcome to the "cleanup" hell */
ENGINE_cleanup();
RAND_cleanup();
CRYPTO_cleanup_all_ex_data();
EVP_cleanup();
CONF_modules_free();
#ifndef OPENSSL_NO_COMP
COMP_zlib_cleanup();
#endif
ERR_remove_state(0);
ERR_free_strings();
#ifndef OPENSSL_NO_COMP
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#endif
/* end of OpenSSL cleanup code */
#if ENABLE_DBUS_1
extern void dbus_shutdown(void);
if (opt_dbus) dbus_shutdown();
#endif
return 0;
}
/**
*
*/
void
tvh_str_set(char **strp, const char *src)
{
free(*strp);
*strp = src ? strdup(src) : NULL;
}
/**
*
*/
int
tvh_str_update(char **strp, const char *src)
{
if(src == NULL)
return 0;
free(*strp);
*strp = strdup(src);
return 1;
}
/**
*
*/
void
scopedunlock(pthread_mutex_t **mtxp)
{
pthread_mutex_unlock(*mtxp);
}
/*
* called once from main.c (main process)
*/
int
init_tls(void)
{
int i;
#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP)
STACK_OF(SSL_COMP)* comp_methods;
#endif
LM_DBG("entered\n");
#if OPENSSL_VERSION_NUMBER < 0x00907000L
LM_WARN("using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
#endif
/*
* this has to be called before any function calling CRYPTO_malloc,
* CRYPTO_malloc will set allow_customize in openssl to 0
*/
if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) {
LM_ERR("unable to set the memory allocation functions\n");
return -1;
}
#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP)
/* disabling compression */
LM_WARN("disabling compression due ZLIB problems\n");
comp_methods = SSL_COMP_get_compression_methods();
if (comp_methods==0) {
LM_INFO("openssl compression already disabled\n");
} else {
sk_SSL_COMP_zero(comp_methods);
}
#endif
if (tls_init_multithread() < 0) {
LM_ERR("failed to init multi-threading support\n");
return -1;
}
SSL_library_init();
SSL_load_error_strings();
init_ssl_methods();
i = check_for_krb();
if (i==-1) {
LM_ERR("kerberos check failed\n");
return -1;
}
if ( ( i ^
#ifndef OPENSSL_NO_KRB5
1
#else
0
#endif
)!=0 ) {
LM_ERR("compiled agaist an openssl with %s"
"kerberos, but run with one with %skerberos\n",
(i==1)?"":"no ",(i!=1)?"no ":"");
return -1;
}
/*
* now initialize tls default domains
*/
if ( (i=init_tls_domains(tls_default_server_domain)) ) {
return i;
}
if ( (i=init_tls_domains(tls_default_client_domain)) ) {
return i;
}
/*
* now initialize tls virtual domains
*/
if ( (i=init_tls_domains(tls_server_domains)) ) {
return i;
}
if ( (i=init_tls_domains(tls_client_domains)) ) {
return i;
}
/*
* we are all set
*/
return 0;
}
int
main(int argc, char **argv)
{
int r;
struct evhttp_uri *http_uri = NULL;
const char *url = NULL, *data_file = NULL;
const char *crt = "/etc/ssl/certs/ca-certificates.crt";
const char *scheme, *host, *path, *query;
char uri[256];
int port;
int retries = 0;
int timeout = -1;
SSL_CTX *ssl_ctx = NULL;
SSL *ssl = NULL;
struct bufferevent *bev;
struct evhttp_connection *evcon = NULL;
struct evhttp_request *req;
struct evkeyvalq *output_headers;
struct evbuffer *output_buffer;
int i;
int ret = 0;
enum { HTTP, HTTPS } type = HTTP;
for (i = 1; i < argc; i++) {
if (!strcmp("-url", argv[i])) {
if (i < argc - 1) {
url = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-crt", argv[i])) {
if (i < argc - 1) {
crt = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-ignore-cert", argv[i])) {
ignore_cert = 1;
} else if (!strcmp("-data", argv[i])) {
if (i < argc - 1) {
data_file = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-retries", argv[i])) {
if (i < argc - 1) {
retries = atoi(argv[i + 1]);
} else {
syntax();
goto error;
}
} else if (!strcmp("-timeout", argv[i])) {
if (i < argc - 1) {
timeout = atoi(argv[i + 1]);
} else {
syntax();
goto error;
}
} else if (!strcmp("-help", argv[i])) {
syntax();
goto error;
}
}
if (!url) {
syntax();
goto error;
}
#ifdef _WIN32
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(2, 2);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
printf("WSAStartup failed with error: %d\n", err);
goto error;
}
}
#endif // _WIN32
http_uri = evhttp_uri_parse(url);
if (http_uri == NULL) {
err("malformed url");
goto error;
}
scheme = evhttp_uri_get_scheme(http_uri);
if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
strcasecmp(scheme, "http") != 0)) {
err("url must be http or https");
goto error;
}
host = evhttp_uri_get_host(http_uri);
if (host == NULL) {
err("url must have a host");
goto error;
}
port = evhttp_uri_get_port(http_uri);
if (port == -1) {
port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
}
path = evhttp_uri_get_path(http_uri);
if (strlen(path) == 0) {
path = "/";
}
query = evhttp_uri_get_query(http_uri);
if (query == NULL) {
snprintf(uri, sizeof(uri) - 1, "%s", path);
} else {
snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
}
uri[sizeof(uri) - 1] = '\0';
#if OPENSSL_VERSION_NUMBER < 0x10100000L
// Initialize OpenSSL
SSL_library_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
#endif
/* This isn't strictly necessary... OpenSSL performs RAND_poll
* automatically on first use of random number generator. */
r = RAND_poll();
if (r == 0) {
err_openssl("RAND_poll");
goto error;
}
/* Create a new OpenSSL context */
ssl_ctx = SSL_CTX_new(SSLv23_method());
if (!ssl_ctx) {
err_openssl("SSL_CTX_new");
goto error;
}
#ifndef _WIN32
/* TODO: Add certificate loading on Windows as well */
/* Attempt to use the system's trusted root certificates.
* (This path is only valid for Debian-based systems.) */
if (1 != SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL)) {
err_openssl("SSL_CTX_load_verify_locations");
goto error;
}
/* Ask OpenSSL to verify the server certificate. Note that this
* does NOT include verifying that the hostname is correct.
* So, by itself, this means anyone with any legitimate
* CA-issued certificate for any website, can impersonate any
* other website in the world. This is not good. See "The
* Most Dangerous Code in the World" article at
* https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
*/
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
/* This is how we solve the problem mentioned in the previous
* comment. We "wrap" OpenSSL's validation routine in our
* own routine, which also validates the hostname by calling
* the code provided by iSECPartners. Note that even though
* the "Everything You've Always Wanted to Know About
* Certificate Validation With OpenSSL (But Were Afraid to
* Ask)" paper from iSECPartners says very explicitly not to
* call SSL_CTX_set_cert_verify_callback (at the bottom of
* page 2), what we're doing here is safe because our
* cert_verify_callback() calls X509_verify_cert(), which is
* OpenSSL's built-in routine which would have been called if
* we hadn't set the callback. Therefore, we're just
* "wrapping" OpenSSL's routine, not replacing it. */
SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
(void *) host);
#else // _WIN32
(void)crt;
#endif // _WIN32
// Create event base
base = event_base_new();
if (!base) {
perror("event_base_new()");
goto error;
}
// Create OpenSSL bufferevent and stack evhttp on top of it
ssl = SSL_new(ssl_ctx);
if (ssl == NULL) {
err_openssl("SSL_new()");
goto error;
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
// Set hostname for SNI extension
SSL_set_tlsext_host_name(ssl, host);
#endif
if (strcasecmp(scheme, "http") == 0) {
bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
} else {
type = HTTPS;
bev = bufferevent_openssl_socket_new(base, -1, ssl,
BUFFEREVENT_SSL_CONNECTING,
BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
}
if (bev == NULL) {
fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
goto error;
}
bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
// For simplicity, we let DNS resolution block. Everything else should be
// asynchronous though.
evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
host, port);
if (evcon == NULL) {
fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
goto error;
}
if (retries > 0) {
evhttp_connection_set_retries(evcon, retries);
}
if (timeout >= 0) {
evhttp_connection_set_timeout(evcon, timeout);
}
// Fire off the request
req = evhttp_request_new(http_request_done, bev);
if (req == NULL) {
fprintf(stderr, "evhttp_request_new() failed\n");
goto error;
}
output_headers = evhttp_request_get_output_headers(req);
evhttp_add_header(output_headers, "Host", host);
evhttp_add_header(output_headers, "Connection", "close");
if (data_file) {
/* NOTE: In production code, you'd probably want to use
* evbuffer_add_file() or evbuffer_add_file_segment(), to
* avoid needless copying. */
FILE * f = fopen(data_file, "rb");
char buf[1024];
size_t s;
size_t bytes = 0;
if (!f) {
syntax();
goto error;
}
output_buffer = evhttp_request_get_output_buffer(req);
while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
evbuffer_add(output_buffer, buf, s);
bytes += s;
}
evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
evhttp_add_header(output_headers, "Content-Length", buf);
fclose(f);
}
r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
if (r != 0) {
fprintf(stderr, "evhttp_make_request() failed\n");
goto error;
}
event_base_dispatch(base);
goto cleanup;
error:
ret = 1;
cleanup:
if (evcon)
evhttp_connection_free(evcon);
if (http_uri)
evhttp_uri_free(http_uri);
event_base_free(base);
if (ssl_ctx)
SSL_CTX_free(ssl_ctx);
if (type == HTTP && ssl)
SSL_free(ssl);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
ERR_free_strings();
#ifdef EVENT__HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#endif /*OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef _WIN32
WSACleanup();
#endif
return ret;
}
int SSL_library_init(void)
{
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
#endif
#ifndef OPENSSL_NO_IDEA
EVP_add_cipher(EVP_idea_cbc());
#endif
#ifndef OPENSSL_NO_RC4
EVP_add_cipher(EVP_rc4());
# if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
EVP_add_cipher(EVP_rc4_hmac_md5());
# endif
#endif
#ifndef OPENSSL_NO_RC2
EVP_add_cipher(EVP_rc2_cbc());
/*
* Not actually used for SSL/TLS but this makes PKCS#12 work if an
* application only calls SSL_library_init().
*/
EVP_add_cipher(EVP_rc2_40_cbc());
#endif
#ifndef OPENSSL_NO_AES
EVP_add_cipher(EVP_aes_128_cbc());
EVP_add_cipher(EVP_aes_192_cbc());
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm());
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
# endif
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
# endif
#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_cbc());
EVP_add_cipher(EVP_camellia_256_cbc());
#endif
#ifndef OPENSSL_NO_SEED
EVP_add_cipher(EVP_seed_cbc());
#endif
#ifndef OPENSSL_NO_MD5
EVP_add_digest(EVP_md5());
EVP_add_digest_alias(SN_md5, "ssl2-md5");
EVP_add_digest_alias(SN_md5, "ssl3-md5");
#endif
#ifndef OPENSSL_NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
#endif
#ifndef OPENSSL_NO_SHA256
EVP_add_digest(EVP_sha224());
EVP_add_digest(EVP_sha256());
#endif
#ifndef OPENSSL_NO_SHA512
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
#endif
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
#endif
#ifndef OPENSSL_NO_ECDSA
EVP_add_digest(EVP_ecdsa());
#endif
#ifndef NO_GMSSL
EVP_add_cipher(EVP_sms4_cbc());
EVP_add_digest(EVP_sm3());
#endif
/* If you want support for phased out ciphers, add the following */
#if 0
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
#ifndef OPENSSL_NO_COMP
/*
* This will initialise the built-in compression algorithms. The value
* returned is a STACK_OF(SSL_COMP), but that can be discarded safely
*/
(void)SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
return (1);
}
static void ossl_init_ssl_base(void)
{
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"Adding SSL ciphers and digests\n");
#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
#endif
#ifndef OPENSSL_NO_IDEA
EVP_add_cipher(EVP_idea_cbc());
#endif
#ifndef OPENSSL_NO_RC4
EVP_add_cipher(EVP_rc4());
# ifndef OPENSSL_NO_MD5
EVP_add_cipher(EVP_rc4_hmac_md5());
# endif
#endif
#ifndef OPENSSL_NO_RC2
EVP_add_cipher(EVP_rc2_cbc());
/*
* Not actually used for SSL/TLS but this makes PKCS#12 work if an
* application only calls SSL_library_init().
*/
EVP_add_cipher(EVP_rc2_40_cbc());
#endif
#ifndef OPENSSL_NO_AES
EVP_add_cipher(EVP_aes_128_cbc());
EVP_add_cipher(EVP_aes_192_cbc());
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm());
EVP_add_cipher(EVP_aes_128_ccm());
EVP_add_cipher(EVP_aes_256_ccm());
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_cbc());
EVP_add_cipher(EVP_camellia_256_cbc());
#endif
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
EVP_add_cipher(EVP_chacha20_poly1305());
#endif
#ifndef OPENSSL_NO_SEED
EVP_add_cipher(EVP_seed_cbc());
#endif
#ifndef OPENSSL_NO_MD5
EVP_add_digest(EVP_md5());
EVP_add_digest_alias(SN_md5, "ssl3-md5");
# ifndef OPENSSL_NO_SHA
EVP_add_digest(EVP_md5_sha1());
# endif
#endif
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
EVP_add_digest(EVP_sha224());
EVP_add_digest(EVP_sha256());
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
#ifndef OPENSSL_NO_COMP
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"SSL_COMP_get_compression_methods()\n");
#endif
/*
* This will initialise the built-in compression algorithms. The value
* returned is a STACK_OF(SSL_COMP), but that can be discarded safely
*/
SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"SSL_add_ssl_module()\n");
#endif
SSL_add_ssl_module();
/*
* We ignore an error return here. Not much we can do - but not that bad
* either. We can still safely continue.
*/
OPENSSL_atexit(ssl_library_stop);
ssl_base_inited = 1;
}
int
main(const int argc, char **argv)
{
int n_listeners, i, clnt_length, clnt;
struct pollfd *polls;
LISTENER *lstn;
pthread_t thr;
pthread_attr_t attr;
struct sched_param sp;
uid_t user_id;
gid_t group_id;
FILE *fpid;
struct sockaddr_storage clnt_addr;
char tmp[MAXBUF];
#ifndef SOL_TCP
struct protoent *pe;
#endif
print_log = 0;
(void)umask(077);
control_sock = -1;
log_facility = -1;
logmsg(LOG_NOTICE, "starting...");
signal(SIGHUP, h_shut);
signal(SIGINT, h_shut);
signal(SIGTERM, h_term);
signal(SIGQUIT, h_term);
signal(SIGPIPE, SIG_IGN);
srandom(getpid());
/* SSL stuff */
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
l_init();
init_thr_arg();
CRYPTO_set_id_callback(l_id);
CRYPTO_set_locking_callback(l_lock);
init_timer();
/* Disable SSL Compression for OpenSSL pre-1.0. 1.0 is handled with an option in config.c */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
#ifndef SSL_OP_NO_COMPRESSION
{
int i,n;
STACK_OF(SSL_COMP) *ssl_comp_methods;
ssl_comp_methods = SSL_COMP_get_compression_methods();
n = sk_SSL_COMP_num(ssl_comp_methods);
for(i=n-1; i>=0; i--) {
sk_SSL_COMP_delete(ssl_comp_methods, i);
}
}
#endif
#endif
/* prepare regular expressions */
if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&RESP_SKIP, "^HTTP/1.1 100.*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&RESP_IGN, "^HTTP/1.[01] (10[1-9]|1[1-9][0-9]|204|30[456]).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&LOCATION, "(http|https)://([^/]+)(.*)", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&AUTHORIZATION, "Authorization:[ \t]*Basic[ \t]*\"?([^ \t]*)\"?[ \t]*", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
) {
logmsg(LOG_ERR, "bad essential Regex - aborted");
exit(1);
}
#ifndef SOL_TCP
/* for systems without the definition */
if((pe = getprotobyname("tcp")) == NULL) {
logmsg(LOG_ERR, "missing TCP protocol");
exit(1);
}
SOL_TCP = pe->p_proto;
#endif
/* read config */
config_parse(argc, argv);
if(log_facility != -1)
openlog("pound", LOG_CONS | LOG_NDELAY, LOG_DAEMON);
if(ctrl_name != NULL) {
struct sockaddr_un ctrl;
memset(&ctrl, 0, sizeof(ctrl));
ctrl.sun_family = AF_UNIX;
strncpy(ctrl.sun_path, ctrl_name, sizeof(ctrl.sun_path) - 1);
(void)unlink(ctrl.sun_path);
if((control_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
logmsg(LOG_ERR, "Control \"%s\" create: %s", ctrl.sun_path, strerror(errno));
exit(1);
}
if(bind(control_sock, (struct sockaddr *)&ctrl, (socklen_t)sizeof(ctrl)) < 0) {
logmsg(LOG_ERR, "Control \"%s\" bind: %s", ctrl.sun_path, strerror(errno));
exit(1);
}
listen(control_sock, 512);
}
/* open listeners */
for(lstn = listeners, n_listeners = 0; lstn; lstn = lstn->next, n_listeners++) {
int opt;
/* prepare the socket */
if((lstn->sock = socket(lstn->addr.ai_family == AF_INET? PF_INET: PF_INET6, SOCK_STREAM, 0)) < 0) {
addr2str(tmp, MAXBUF - 1, &lstn->addr, 0);
logmsg(LOG_ERR, "HTTP socket %s create: %s - aborted", tmp, strerror(errno));
exit(1);
}
opt = 1;
setsockopt(lstn->sock, SOL_SOCKET, SO_REUSEADDR, (void *)&opt, sizeof(opt));
if(bind(lstn->sock, lstn->addr.ai_addr, (socklen_t)lstn->addr.ai_addrlen) < 0) {
addr2str(tmp, MAXBUF - 1, &lstn->addr, 0);
logmsg(LOG_ERR, "HTTP socket bind %s: %s - aborted", tmp, strerror(errno));
exit(1);
}
listen(lstn->sock, 512);
}
/* alloc the poll structures */
if((polls = (struct pollfd *)calloc(n_listeners, sizeof(struct pollfd))) == NULL) {
logmsg(LOG_ERR, "Out of memory for poll - aborted");
exit(1);
}
for(lstn = listeners, i = 0; lstn; lstn = lstn->next, i++)
polls[i].fd = lstn->sock;
/* set uid if necessary */
if(user) {
struct passwd *pw;
if((pw = getpwnam(user)) == NULL) {
logmsg(LOG_ERR, "no such user %s - aborted", user);
exit(1);
}
user_id = pw->pw_uid;
}
/* set gid if necessary */
if(group) {
struct group *gr;
if((gr = getgrnam(group)) == NULL) {
logmsg(LOG_ERR, "no such group %s - aborted", group);
exit(1);
}
group_id = gr->gr_gid;
}
/* Turn off verbose messages (if necessary) */
print_log = 0;
if(daemonize) {
/* daemonize - make ourselves a subprocess. */
switch (fork()) {
case 0:
if(log_facility != -1) {
close(0);
close(1);
close(2);
}
break;
case -1:
logmsg(LOG_ERR, "fork: %s - aborted", strerror(errno));
exit(1);
default:
exit(0);
}
#ifdef HAVE_SETSID
(void) setsid();
#endif
}
/* record pid in file */
if((fpid = fopen(pid_name, "wt")) != NULL) {
fprintf(fpid, "%d\n", getpid());
fclose(fpid);
} else
logmsg(LOG_NOTICE, "Create \"%s\": %s", pid_name, strerror(errno));
/* chroot if necessary */
if(root_jail) {
if(chroot(root_jail)) {
logmsg(LOG_ERR, "chroot: %s - aborted", strerror(errno));
exit(1);
}
if(chdir("/")) {
logmsg(LOG_ERR, "chroot/chdir: %s - aborted", strerror(errno));
exit(1);
}
}
if(group)
if(setgid(group_id) || setegid(group_id)) {
logmsg(LOG_ERR, "setgid: %s - aborted", strerror(errno));
exit(1);
}
if(user)
if(setuid(user_id) || seteuid(user_id)) {
logmsg(LOG_ERR, "setuid: %s - aborted", strerror(errno));
exit(1);
}
/* split off into monitor and working process if necessary */
for(;;) {
#ifdef UPER
if((son = fork()) > 0) {
int status;
(void)wait(&status);
if(WIFEXITED(status))
logmsg(LOG_ERR, "MONITOR: worker exited normally %d, restarting...", WEXITSTATUS(status));
else if(WIFSIGNALED(status))
logmsg(LOG_ERR, "MONITOR: worker exited on signal %d, restarting...", WTERMSIG(status));
else
logmsg(LOG_ERR, "MONITOR: worker exited (stopped?) %d, restarting...", status);
} else if (son == 0) {
#endif
/* thread stuff */
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
#ifdef NEED_STACK
/* set new stack size - necessary for OpenBSD/FreeBSD and Linux NPTL */
if(pthread_attr_setstacksize(&attr, 1 << 18)) {
logmsg(LOG_ERR, "can't set stack size - aborted");
exit(1);
}
#endif
/* start timer */
if(pthread_create(&thr, &attr, thr_timer, NULL)) {
logmsg(LOG_ERR, "create thr_resurect: %s - aborted", strerror(errno));
exit(1);
}
/* start the controlling thread (if needed) */
if(control_sock >= 0 && pthread_create(&thr, &attr, thr_control, NULL)) {
logmsg(LOG_ERR, "create thr_control: %s - aborted", strerror(errno));
exit(1);
}
/* pause to make sure the service threads were started */
sleep(1);
/* create the worker threads */
for(i = 0; i < numthreads; i++)
if(pthread_create(&thr, &attr, thr_http, NULL)) {
logmsg(LOG_ERR, "create thr_http: %s - aborted", strerror(errno));
exit(1);
}
/* pause to make sure at least some of the worker threads were started */
sleep(1);
/* and start working */
for(;;) {
if(shut_down) {
logmsg(LOG_NOTICE, "shutting down...");
for(lstn = listeners; lstn; lstn = lstn->next)
close(lstn->sock);
if(grace > 0) {
sleep(grace);
logmsg(LOG_NOTICE, "grace period expired - exiting...");
}
if(ctrl_name != NULL)
(void)unlink(ctrl_name);
exit(0);
}
for(lstn = listeners, i = 0; i < n_listeners; lstn = lstn->next, i++) {
polls[i].events = POLLIN | POLLPRI;
polls[i].revents = 0;
}
if(poll(polls, n_listeners, -1) < 0) {
logmsg(LOG_WARNING, "poll: %s", strerror(errno));
} else {
for(lstn = listeners, i = 0; lstn; lstn = lstn->next, i++) {
if(polls[i].revents & (POLLIN | POLLPRI)) {
memset(&clnt_addr, 0, sizeof(clnt_addr));
clnt_length = sizeof(clnt_addr);
if((clnt = accept(lstn->sock, (struct sockaddr *)&clnt_addr,
(socklen_t *)&clnt_length)) < 0) {
logmsg(LOG_WARNING, "HTTP accept: %s", strerror(errno));
} else if(((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET
|| ((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET6) {
thr_arg arg;
if(lstn->disabled) {
/*
addr2str(tmp, MAXBUF - 1, &clnt_addr, 1);
logmsg(LOG_WARNING, "HTTP disabled listener from %s", tmp);
*/
close(clnt);
}
arg.sock = clnt;
arg.lstn = lstn;
if((arg.from_host.ai_addr = (struct sockaddr *)malloc(clnt_length)) == NULL) {
logmsg(LOG_WARNING, "HTTP arg address: malloc");
close(clnt);
continue;
}
memcpy(arg.from_host.ai_addr, &clnt_addr, clnt_length);
arg.from_host.ai_addrlen = clnt_length;
if(((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET)
arg.from_host.ai_family = AF_INET;
else
arg.from_host.ai_family = AF_INET6;
if(put_thr_arg(&arg))
close(clnt);
} else {
/* may happen on FreeBSD, I am told */
logmsg(LOG_WARNING, "HTTP connection prematurely closed by peer");
close(clnt);
}
}
}
}
}
#ifdef UPER
} else {
/* failed to spawn son */
logmsg(LOG_ERR, "Can't fork worker (%s) - aborted", strerror(errno));
exit(1);
}
#endif
}
}
struct daemon*
daemon_init(void)
{
struct daemon* daemon = (struct daemon*)calloc(1,
sizeof(struct daemon));
#ifdef USE_WINSOCK
int r;
WSADATA wsa_data;
#endif
if(!daemon)
return NULL;
#ifdef USE_WINSOCK
r = WSAStartup(MAKEWORD(2,2), &wsa_data);
if(r != 0) {
fatal_exit("could not init winsock. WSAStartup: %s",
wsa_strerror(r));
}
#endif /* USE_WINSOCK */
signal_handling_record();
checklock_start();
#ifdef HAVE_SSL
# ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
# endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
# ifdef USE_GOST
(void)sldns_key_EVP_load_gost_id();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
# else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
# endif
# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
/* grab the COMP method ptr because openssl leaks it */
comp_meth = (void*)SSL_COMP_get_compression_methods();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
# else
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
# endif
# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
if(!ub_openssl_lock_init())
fatal_exit("could not init openssl locks");
# endif
#elif defined(HAVE_NSS)
if(NSS_NoDB_Init(NULL) != SECSuccess)
fatal_exit("could not init NSS");
#endif /* HAVE_SSL or HAVE_NSS */
#ifdef HAVE_TZSET
/* init timezone info while we are not chrooted yet */
tzset();
#endif
/* open /dev/random if needed */
ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
daemon->need_to_exit = 0;
modstack_init(&daemon->mods);
if(!(daemon->env = (struct module_env*)calloc(1,
sizeof(*daemon->env)))) {
free(daemon);
return NULL;
}
/* init edns_known_options */
if(!edns_known_options_init(daemon->env)) {
free(daemon->env);
free(daemon);
return NULL;
}
alloc_init(&daemon->superalloc, NULL, 0);
daemon->acl = acl_list_create();
if(!daemon->acl) {
edns_known_options_delete(daemon->env);
free(daemon->env);
free(daemon);
return NULL;
}
if(gettimeofday(&daemon->time_boot, NULL) < 0)
log_err("gettimeofday: %s", strerror(errno));
daemon->time_last_stat = daemon->time_boot;
if((daemon->env->auth_zones = auth_zones_create()) == 0) {
acl_list_delete(daemon->acl);
edns_known_options_delete(daemon->env);
free(daemon->env);
free(daemon);
return NULL;
}
return daemon;
}
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) {
STACK_OF(SSL_COMP) *methods;
methods=SSL_COMP_get_compression_methods();
if(!methods) {
if(global->compression==COMP_NONE) {
s_log(LOG_NOTICE, "Failed to get compression methods");
return 0; /* ignore */
} else {
s_log(LOG_ERR, "Failed to get compression methods");
return 1;
}
}
if(global->compression==COMP_NONE ||
SSLeay()<0x00908051L /* 0.9.8e-beta1 */) {
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
/* cannot use sk_SSL_COMP_pop_free,
* as it also destroys the stack itself */
/* only leave the standard RFC 1951 (DEFLATE) algorithm,
* if any of the private algorithms is enabled */
/* only allow DEFLATE with OpenSSL 0.9.8 or later
* with OpenSSL #1468 zlib memory leak fixed */
while(sk_SSL_COMP_num(methods))
#if OPENSSL_VERSION_NUMBER>=0x10100000L
/* FIXME: remove when sk_SSL_COMP_pop() works again */
OPENSSL_free(sk_pop((void *)methods));
#else
OPENSSL_free(sk_SSL_COMP_pop(methods));
#endif
}
if(global->compression==COMP_NONE) {
s_log(LOG_DEBUG, "Compression disabled");
return 0; /* success */
}
/* also insert the obsolete ZLIB algorithm */
if(global->compression==COMP_ZLIB) {
/* 224 - within the private range (193 to 255) */
COMP_METHOD *meth=COMP_zlib();
#if OPENSSL_VERSION_NUMBER>=0x10100000L
if(!meth || COMP_get_type(meth)==NID_undef) {
#else
if(!meth || meth->type==NID_undef) {
#endif
s_log(LOG_ERR, "ZLIB compression is not supported");
return 1;
}
SSL_COMP_add_compression_method(0xe0, meth);
}
s_log(LOG_INFO, "Compression enabled: %d method(s)",
sk_SSL_COMP_num(methods));
return 0; /* success */
}
#endif /* OPENSSL_NO_COMP */
NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
int totbytes=0;
char filename[256];
#ifndef USE_WIN32
int bytes;
#endif
filename[0]='\0';
/* if they specify a rand file on the command line we
assume that they really do want it, so try it first */
if(global->rand_file) {
totbytes+=add_rand_file(global, global->rand_file);
if(RAND_status())
return 0; /* success */
}
/* try the $RANDFILE or $HOME/.rnd files */
RAND_file_name(filename, 256);
if(filename[0]) {
totbytes+=add_rand_file(global, filename);
if(RAND_status())
return 0; /* success */
}
#ifdef RANDOM_FILE
totbytes+=add_rand_file(global, RANDOM_FILE);
if(RAND_status())
return 0; /* success */
#endif
#ifdef USE_WIN32
RAND_screen();
if(RAND_status()) {
s_log(LOG_DEBUG, "Seeded PRNG with RAND_screen");
return 0; /* success */
}
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
#else
if(global->egd_sock) {
if((bytes=RAND_egd(global->egd_sock))==-1) {
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
bytes=0;
} else {
totbytes+=bytes;
s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s",
bytes, global->egd_sock);
return 0; /* OpenSSL always gets what it needs or fails,
so no need to check if seeded sufficiently */
}
}
/* try the good-old default /dev/urandom, if available */
totbytes+=add_rand_file(global, "/dev/urandom");
if(RAND_status())
return 0; /* success */
#endif /* USE_WIN32 */
/* random file specified during configure */
s_log(LOG_ERR, "PRNG seeded with %d bytes total", totbytes);
s_log(LOG_ERR, "PRNG was not seeded with enough random bytes");
return 1; /* FAILED */
}