X-Git-Url: https://git.sesse.net/?p=cubemap;a=blobdiff_plain;f=server.cpp;h=0b4d076cd9f3fd36ac71fea0508e2e58d6d478cb;hp=d3b936f0b9c1f869c34c5dbf05c1beb32ad90a8e;hb=26fe3ab755034ea3be8321ec0af548670f8c3bd8;hpb=6544fa0ec3f3a501bcb89ea977756911bd7f3ebd diff --git a/server.cpp b/server.cpp index d3b936f..0b4d076 100644 --- a/server.cpp +++ b/server.cpp @@ -17,6 +17,9 @@ #include #include +#include "tlse.h" + +#include "acceptor.h" #include "accesslog.h" #include "log.h" #include "metacube2.h" @@ -66,10 +69,6 @@ Server::Server() Server::~Server() { - for (size_t i = 0; i < streams.size(); ++i) { - delete streams[i]; - } - safe_close(epoll_fd); } @@ -78,10 +77,8 @@ vector Server::get_client_stats() const vector ret; MutexLock lock(&mutex); - for (map::const_iterator client_it = clients.begin(); - client_it != clients.end(); - ++client_it) { - ret.push_back(client_it->second.get_stats()); + for (const auto &fd_and_client : clients) { + ret.push_back(fd_and_client.second.get_stats()); } return ret; } @@ -109,7 +106,7 @@ void Server::do_work() // Process each client where we have socket activity. for (int i = 0; i < nfds; ++i) { - Client *client = reinterpret_cast(events[i].data.u64); + Client *client = reinterpret_cast(events[i].data.ptr); if (events[i].events & (EPOLLERR | EPOLLRDHUP | EPOLLHUP)) { close_client(client); @@ -121,11 +118,11 @@ void Server::do_work() // Process each client where its stream has new data, // even if there was no socket activity. - for (size_t i = 0; i < streams.size(); ++i) { + for (unique_ptr &stream : streams) { vector to_process; - swap(streams[i]->to_process, to_process); - for (size_t i = 0; i < to_process.size(); ++i) { - process_client(to_process[i]); + swap(stream->to_process, to_process); + for (Client *client : to_process) { + process_client(client); } } 
@@ -149,7 +146,7 @@ void Server::do_work() // If this client doesn't exist anymore, just ignore it // (it was deleted earlier). - map::iterator client_it = clients.find(connect_time_and_fd.second); + auto client_it = clients.find(connect_time_and_fd.second); if (client_it == clients.end()) { clients_ordered_by_connect_time.pop(); continue; 
@@ -186,36 +183,32 @@ CubemapStateProto Server::serialize() // // TODO: Do this when clients are added back from serialized state instead; // it would probably be less wasteful. - for (map::iterator client_it = clients.begin(); - client_it != clients.end(); - ++client_it) { - skip_lost_data(&client_it->second); + for (auto &fd_and_client : clients) { + skip_lost_data(&fd_and_client.second); } CubemapStateProto serialized; - for (map::const_iterator client_it = clients.begin(); - client_it != clients.end(); - ++client_it) { - serialized.add_clients()->MergeFrom(client_it->second.serialize()); + for (const auto &fd_and_client : clients) { + serialized.add_clients()->MergeFrom(fd_and_client.second.serialize()); } - for (size_t i = 0; i < streams.size(); ++i) { - serialized.add_streams()->MergeFrom(streams[i]->serialize()); + for (unique_ptr &stream : streams) { + serialized.add_streams()->MergeFrom(stream->serialize()); } return serialized; } -void Server::add_client_deferred(int sock) +void Server::add_client_deferred(int sock, Acceptor *acceptor) { MutexLock lock(&queued_clients_mutex); - queued_add_clients.push_back(sock); + queued_add_clients.push_back(std::make_pair(sock, acceptor)); } -void Server::add_client(int sock) +void Server::add_client(int sock, Acceptor *acceptor) { - pair::iterator, bool> ret = - clients.insert(make_pair(sock, Client(sock))); - assert(ret.second == true); // Should not already exist. - Client *client_ptr = &ret.first->second; + const bool is_tls = acceptor->is_tls(); + auto inserted = clients.insert(make_pair(sock, Client(sock))); + assert(inserted.second == true); // Should not already exist. + Client *client_ptr = &inserted.first->second; // Connection timestamps must be nondecreasing. I can't find any guarantee // that even the monotonic clock can't go backwards by a small amount 
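Review bot: add_client() dereferences the raw `acceptor` pointer (`acceptor->is_tls()`) some time after add_client_deferred() queued it, and nothing in the hunk says the Acceptor must be non-null or must outlive the queue entry. If an acceptor can be torn down (for example on a config reload) while sockets are still queued, this would be a use-after-free; the lifetimes are not visible here, so this is a question rather than a confirmed bug. I would at least document the contract on add_client_deferred(): `// acceptor must be non-null and must outlive this queue entry and every client created from it; it is also the lookup key for the TLS server context.` add_client()'s body continues outside the hunk.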
@@ -230,13 +223,32 @@ void Server::add_client(int sock) // Start listening on data from this socket. epoll_event ev; - ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP; - ev.data.u64 = reinterpret_cast(client_ptr); + if (is_tls) { + // Even in the initial state (READING_REQUEST), TLS needs to + // send data for the handshake, and thus might end up needing + // to know about EPOLLOUT. + ev.events = EPOLLIN | EPOLLOUT | EPOLLET | EPOLLRDHUP; + } else { + // EPOLLOUT will be added once we go out of READING_REQUEST. + ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP; + } + ev.data.ptr = client_ptr; if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, sock, &ev) == -1) { log_perror("epoll_ctl(EPOLL_CTL_ADD)"); exit(1); } + if (is_tls) { + assert(tls_server_contexts.count(acceptor)); + client_ptr->tls_context = tls_accept(tls_server_contexts[acceptor]); + if (client_ptr->tls_context == NULL) { + log(ERROR, "tls_accept() failed"); + close_client(client_ptr); + return; + } + tls_make_exportable(client_ptr->tls_context, 1); + } + process_client(client_ptr); } @@ -249,12 +261,11 @@ void Server::add_client_from_serialized(const ClientProto &client) assert(client.state() != Client::SENDING_DATA); stream = NULL; } else { - stream = streams[stream_index]; + stream = streams[stream_index].get(); } - pair::iterator, bool> ret = - clients.insert(make_pair(client.sock(), Client(client, stream))); - assert(ret.second == true); // Should not already exist. - Client *client_ptr = &ret.first->second; + auto inserted = clients.insert(make_pair(client.sock(), Client(client, stream))); + assert(inserted.second == true); // Should not already exist. + Client *client_ptr = &inserted.first->second; // Connection timestamps must be nondecreasing. assert(clients_ordered_by_connect_time.empty() || 
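Review bot: The TLS branch of add_client() guards the context lookup only with `assert(tls_server_contexts.count(acceptor))` and then uses `tls_server_contexts[acceptor]`, so in an NDEBUG build a missing entry is default-inserted as a null pointer and handed to tls_accept(). A find() with an explicit failure path keeps this closed regardless of build flags and avoids mutating the map on the connection path. Separately, `tls_make_exportable(client_ptr->tls_context, 1)` means the per-connection TLS state can be exported, presumably for the serialize() hand-over. That exported state would include session secrets, so a comment saying that whatever carries the serialized state must be treated as key material would help the next reader.

```cpp
	if (is_tls) {
		auto context_it = tls_server_contexts.find(acceptor);
		if (context_it == tls_server_contexts.end()) {
			log(ERROR, "No TLS context registered for acceptor");
			close_client(client_ptr);
			return;
		}
		client_ptr->tls_context = tls_accept(context_it->second);
		// … unchanged: NULL check on tls_context, tls_make_exportable() …
```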
@@ -264,13 +275,18 @@ void Server::add_client_from_serialized(const ClientProto &client) // Start listening on data from this socket. epoll_event ev; if (client.state() == Client::READING_REQUEST) { - ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP; + // See the corresponding comment in Server::add_client(). + if (client.has_tls_context()) { + ev.events = EPOLLIN | EPOLLOUT | EPOLLET | EPOLLRDHUP; + } else { + ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP; + } } else { // If we don't have more data for this client, we'll be putting it into // the sleeping array again soon. ev.events = EPOLLOUT | EPOLLET | EPOLLRDHUP; } - ev.data.u64 = reinterpret_cast(client_ptr); + ev.data.ptr = client_ptr; if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, client.sock(), &ev) == -1) { log_perror("epoll_ctl(EPOLL_CTL_ADD)"); exit(1); @@ -299,7 +315,7 @@ int Server::add_stream(const string &url, size_t backlog_size, size_t prebufferi { MutexLock lock(&mutex); stream_url_map.insert(make_pair(url, streams.size())); - streams.push_back(new Stream(url, backlog_size, prebuffering_bytes, encoding, src_encoding)); + streams.emplace_back(new Stream(url, backlog_size, prebuffering_bytes, encoding, src_encoding)); return streams.size() - 1; } @@ -307,7 +323,7 @@ int Server::add_stream_from_serialized(const StreamProto &stream, int data_fd) { MutexLock lock(&mutex); stream_url_map.insert(make_pair(stream.url(), streams.size())); - streams.push_back(new Stream(stream, data_fd)); + streams.emplace_back(new Stream(stream, data_fd)); return streams.size() - 1; } 
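Review bot: In add_stream(), `streams.emplace_back(new Stream(...))` passes a raw owning pointer into the vector, so if the vector has to grow and that allocation throws, the Stream leaks before any unique_ptr owns it. The same pattern is in add_stream_from_serialized() in the next hunk. Constructing the owner first avoids this and makes the ownership transfer explicit: `streams.push_back(unique_ptr<Stream>(new Stream(url, backlog_size, prebuffering_bytes, encoding, src_encoding)));`. This is low severity, but the commit is already touching these lines to move to unique_ptr.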
@@ -373,10 +389,28 @@ void Server::add_gen204(const std::string &url, const std::string &allow_origin) ping_url_map[url] = allow_origin; } -void Server::add_data_deferred(int stream_index, const char *data, size_t bytes, StreamStartSuitability suitable_for_stream_start) +void Server::create_tls_context_for_acceptor(const Acceptor *acceptor) +{ + assert(acceptor->is_tls()); + + bool is_server = true; + TLSContext *server_context = tls_create_context(is_server, TLS_V12); + + const string &cert = acceptor->get_certificate_chain(); + int num_cert = tls_load_certificates(server_context, reinterpret_cast(cert.data()), cert.size()); + assert(num_cert > 0); // Should have been checked by config earlier. + + const string &key = acceptor->get_private_key(); + int num_key = tls_load_private_key(server_context, reinterpret_cast(key.data()), key.size()); + assert(num_key > 0); // Should have been checked by config earlier. + + tls_server_contexts.insert(make_pair(acceptor, server_context)); +} + +void Server::add_data_deferred(int stream_index, const char *data, size_t bytes, uint16_t metacube_flags) { assert(stream_index >= 0 && stream_index < ssize_t(streams.size())); - streams[stream_index]->add_data_deferred(data, bytes, suitable_for_stream_start); + streams[stream_index]->add_data_deferred(data, bytes, metacube_flags); } // See the .h file for postconditions after this function. 
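Review bot: create_tls_context_for_acceptor() validates certificate and key loading only with `assert(num_cert > 0)` and `assert(num_key > 0)`, and never checks the result of tls_create_context(), so an NDEBUG build would register a context without usable credentials. The comments say config checked this earlier, but an explicit runtime check here fails closed whatever the build flags or call order. Separately, nothing visible in this diff destroys the entries stored in tls_server_contexts, which hold the private key. If that is not handled elsewhere, ~Server() should call tls_destroy_context() on each of them.

```cpp
	TLSContext *server_context = tls_create_context(is_server, TLS_V12);
	if (server_context == NULL) {
		log(ERROR, "tls_create_context() failed");
		exit(1);
	}
	// … unchanged: fetch certificate chain, call tls_load_certificates() …
	if (num_cert <= 0) {
		log(ERROR, "Could not load TLS certificate chain");
		exit(1);
	}
	// … unchanged: fetch private key, call tls_load_private_key() …
	if (num_key <= 0) {
		log(ERROR, "Could not load TLS private key");
		exit(1);
	}
```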
@@ -384,28 +418,29 @@ void Server::process_client(Client *client) { switch (client->state) { case Client::READING_REQUEST: { + if (client->tls_context != NULL) { + if (send_pending_tls_data(client)) { + // send_pending_tls_data() hit postconditions #1 or #4. + return; + } + } + read_request_again: // Try to read more of the request. char buf[1024]; int ret; - do { - ret = read(client->sock, buf, sizeof(buf)); - } while (ret == -1 && errno == EINTR); - - if (ret == -1 && errno == EAGAIN) { - // No more data right now. Nothing to do. - // This is postcondition #2. - return; - } - if (ret == -1) { - log_perror("read"); - close_client(client); - return; - } - if (ret == 0) { - // OK, the socket is closed. - close_client(client); - return; + if (client->tls_context == NULL) { + ret = read_nontls_data(client, buf, sizeof(buf)); + if (ret == -1) { + // read_nontls_data() hit postconditions #1 or #2. + return; + } + } else { + ret = read_tls_data(client, buf, sizeof(buf)); + if (ret == -1) { + // read_tls_data() hit postconditions #1, #2 or #4. + return; + } } RequestParseStatus status = wait_for_double_newline(&client->request, buf, ret); @@ -429,6 +464,22 @@ read_request_again: assert(status == RP_FINISHED); + if (client->tls_context && !client->in_ktls_mode && tls_established(client->tls_context)) { + // We're ready to enter kTLS mode, unless we still have some + // handshake data to send (which then must be sent as non-kTLS). + if (send_pending_tls_data(client)) { + // send_pending_tls_data() hit postconditions #1 or #4. + return; + } + ret = tls_make_ktls(client->tls_context, client->sock); + if (ret < 0) { + log_tls_error("tls_make_ktls", ret); + close_client(client); + return; + } + client->in_ktls_mode = true; + } + int error_code = parse_request(client); if (error_code == 200) { construct_header(client); 
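Review bot: The kTLS switch is skipped silently when `tls_established()` is false for a TLS client whose request has already reached RP_FINISHED, and the code then falls through to parse_request() with the socket still in non-kTLS mode. The send path is outside this hunk, but if it writes to `client->sock` directly, that response would bypass the TLS layer. The library should not yield plaintext before the handshake completes, yet nothing here enforces it. Failing closed right after the block is cheap: `if (client->tls_context != NULL && !client->in_ktls_mode) { close_client(client); return; }`. process_client() starts and ends outside the hunk.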
@@ -607,6 +658,133 @@ sending_data_again: } } +bool Server::send_pending_tls_data(Client *client) +{ + // See if there's data from the TLS library to write. + if (client->tls_data_to_send == NULL) { + client->tls_data_to_send = tls_get_write_buffer(client->tls_context, &client->tls_data_left_to_send); + if (client->tls_data_to_send == NULL) { + // Really no data to send. + return false; + } + } + +send_data_again: + int ret; + do { + ret = write(client->sock, client->tls_data_to_send, client->tls_data_left_to_send); + } while (ret == -1 && errno == EINTR); + assert(ret < 0 || size_t(ret) <= client->tls_data_left_to_send); + + if (ret == -1 && errno == EAGAIN) { + // We're out of socket space, so now we're at the “low edge” of epoll's + // edge triggering. epoll will tell us when there is more room, so for now, + // just return. + // This is postcondition #4. + return true; + } + if (ret == -1) { + // Error! Postcondition #1. + log_perror("write"); + close_client(client); + return true; + } + if (ret > 0 && size_t(ret) == client->tls_data_left_to_send) { + // All data has been sent, so we don't need to go to sleep. + tls_buffer_clear(client->tls_context); + client->tls_data_to_send = NULL; + return false; + } + + // More data to send, so try again. + client->tls_data_to_send += ret; + client->tls_data_left_to_send -= ret; + goto send_data_again; +} + +int Server::read_nontls_data(Client *client, char *buf, size_t max_size) +{ + int ret; + do { + ret = read(client->sock, buf, max_size); + } while (ret == -1 && errno == EINTR); + + if (ret == -1 && errno == EAGAIN) { + // No more data right now. Nothing to do. + // This is postcondition #2. + return -1; + } + if (ret == -1) { + log_perror("read"); + close_client(client); + return -1; + } + if (ret == 0) { + // OK, the socket is closed. 
+ close_client(client); + return -1; + } + + return ret; +} + +int Server::read_tls_data(Client *client, char *buf, size_t max_size) +{ +read_again: + int ret; + do { + ret = read(client->sock, buf, max_size); + } while (ret == -1 && errno == EINTR); + + if (ret == -1 && errno == EAGAIN) { + // No more data right now. Nothing to do. + // This is postcondition #2. + return -1; + } + if (ret == -1) { + log_perror("read"); + close_client(client); + return -1; + } + if (ret == 0) { + // OK, the socket is closed. + close_client(client); + return -1; + } + + // Give it to the TLS library. + int err = tls_consume_stream(client->tls_context, reinterpret_cast(buf), ret, nullptr); + if (err < 0) { + log_tls_error("tls_consume_stream", err); + close_client(client); + return -1; + } + if (err == 0) { + // Not consumed any data. See if we can read more. + goto read_again; + } + + // Read any decrypted data available for us. (We can reuse buf, since it's free now.) + ret = tls_read(client->tls_context, reinterpret_cast(buf), max_size); + if (ret == 0) { + // No decrypted data for us yet, but there might be some more handshaking + // to send. Do that if needed, then look for more data. + if (send_pending_tls_data(client)) { + // send_pending_tls_data() hit postconditions #1 or #4. + return -1; + } + goto read_again; + } + if (ret < 0) { + log_tls_error("tls_read", ret); + close_client(client); + return -1; + } + + assert(ret > 0); + return ret; +} + // See if there's some data we've lost. Ideally, we should drop to a block boundary, // but resync will be the mux's problem. void Server::skip_lost_data(Client *client) @@ -653,7 +831,7 @@ int Server::parse_request(Client *client) string url = request_tokens[1]; client->url = url; - if (url.find("?backlog") == url.size() - 8) { + if (url.size() > 8 && url.find("?backlog") == url.size() - 8) { client->stream_pos = -2; url = url.substr(0, url.size() - 8); } else { 
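Review bot: read_tls_data() always calls read() on the socket before it looks at the TLS library, while `tls_read()` is capped at `max_size` (1024 from the caller), so decrypted bytes beyond the first 1024 of a record appear to stay buffered in the library. On the next call the socket read hits EAGAIN and the function returns -1, so with edge-triggered epoll a request longer than the buffer could stall until the peer sends more. Draining buffered plaintext first avoids that: `int buffered = tls_read(client->tls_context, reinterpret_cast<unsigned char *>(buf), max_size); if (buffered > 0) return buffered;`. In send_pending_tls_data(), if the library can ever return a non-NULL write buffer of length zero, write() returns 0, the `ret > 0 &&` test fails and `goto send_data_again` spins. Dropping `ret > 0 &&` from that condition (ret is non-negative at that point) closes the loop.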
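Review bot: `url.find("?backlog")` returns the first occurrence, so a client-supplied URL that contains "?backlog" earlier and again as its suffix is not recognised as a backlog request, even though the intent is clearly a suffix test. Comparing the tail directly says what is meant and keeps the new length guard: `if (url.size() > 8 && url.compare(url.size() - 8, 8, "?backlog") == 0) {`. parse_request() starts and ends outside the hunk.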
@@ -670,7 +848,7 @@ int Server::parse_request(Client *client) } } - Stream *stream = streams[stream_url_map_it->second]; + Stream *stream = streams[stream_url_map_it->second].get(); if (stream->http_header.empty()) { return 503; // Service unavailable. } @@ -713,15 +891,7 @@ void Server::construct_header(Client *client) // Switch states. client->state = Client::SENDING_HEADER; - - epoll_event ev; - ev.events = EPOLLOUT | EPOLLET | EPOLLRDHUP; - ev.data.u64 = reinterpret_cast(client); - - if (epoll_ctl(epoll_fd, EPOLL_CTL_MOD, client->sock, &ev) == -1) { - log_perror("epoll_ctl(EPOLL_CTL_MOD)"); - exit(1); - } + change_epoll_events(client, EPOLLOUT | EPOLLET | EPOLLRDHUP); } void Server::construct_error(Client *client, int error_code) @@ -733,15 +903,7 @@ void Server::construct_error(Client *client, int error_code) // Switch states. client->state = Client::SENDING_SHORT_RESPONSE; - - epoll_event ev; - ev.events = EPOLLOUT | EPOLLET | EPOLLRDHUP; - ev.data.u64 = reinterpret_cast(client); - - if (epoll_ctl(epoll_fd, EPOLL_CTL_MOD, client->sock, &ev) == -1) { - log_perror("epoll_ctl(EPOLL_CTL_MOD)"); - exit(1); - } + change_epoll_events(client, EPOLLOUT | EPOLLET | EPOLLRDHUP); } void Server::construct_204(Client *client) @@ -765,15 +927,7 @@ void Server::construct_204(Client *client) // Switch states. client->state = Client::SENDING_SHORT_RESPONSE; - - epoll_event ev; - ev.events = EPOLLOUT | EPOLLET | EPOLLRDHUP; - ev.data.u64 = reinterpret_cast(client); - - if (epoll_ctl(epoll_fd, EPOLL_CTL_MOD, client->sock, &ev) == -1) { - log_perror("epoll_ctl(EPOLL_CTL_MOD)"); - exit(1); - } + change_epoll_events(client, EPOLLOUT | EPOLLET | EPOLLRDHUP); } template @@ -796,6 +950,10 @@ void Server::close_client(Client *client) delete_from(&client->stream->to_process, client); } + if (client->tls_context) { + tls_destroy_context(client->tls_context); + } + // Log to access_log. access_log->write(client->get_stats()); 
@@ -804,19 +962,31 @@ void Server::close_client(Client *client) clients.erase(client->sock); } - + +void Server::change_epoll_events(Client *client, uint32_t events) +{ + epoll_event ev; + ev.events = events; + ev.data.ptr = client; + + if (epoll_ctl(epoll_fd, EPOLL_CTL_MOD, client->sock, &ev) == -1) { + log_perror("epoll_ctl(EPOLL_CTL_MOD)"); + exit(1); + } +} + void Server::process_queued_data() { { MutexLock lock(&queued_clients_mutex); - for (size_t i = 0; i < queued_add_clients.size(); ++i) { - add_client(queued_add_clients[i]); + for (const pair &id_and_acceptor : queued_add_clients) { + add_client(id_and_acceptor.first, id_and_acceptor.second); } queued_add_clients.clear(); } - for (size_t i = 0; i < streams.size(); ++i) { - streams[i]->process_queued_data(); + for (unique_ptr &stream : streams) { + stream->process_queued_data(); } }