Initial commit
Change-Id: I6a4444e3c193dae437cd7929f4c39aba7b749efa
diff --git a/libfdcore/cnxctx.c b/libfdcore/cnxctx.c
new file mode 100644
index 0000000..1fc336e
--- /dev/null
+++ b/libfdcore/cnxctx.c
@@ -0,0 +1,2045 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License) *
+* Author: Sebastien Decugis <sdecugis@freediameter.net> *
+* *
+* Copyright (c) 2015, WIDE Project and NICT *
+* All rights reserved. *
+* *
+* Redistribution and use of this software in source and binary forms, with or without modification, are *
+* permitted provided that the following conditions are met: *
+* *
+* * Redistributions of source code must retain the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer. *
+* *
+* * Redistributions in binary form must reproduce the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer in the documentation and/or other *
+* materials provided with the distribution. *
+* *
+* * Neither the name of the WIDE Project or NICT nor the *
+* names of its contributors may be used to endorse or *
+* promote products derived from this software without *
+* specific prior written permission of WIDE Project and *
+* NICT. *
+* *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
+*********************************************************************************************************/
+
+#include "fdcore-internal.h"
+#include "cnxctx.h"
+
+#include <net/if.h>
+#include <ifaddrs.h> /* for getifaddrs */
+#include <sys/uio.h> /* writev */
+
+/* The maximum size of Diameter message we accept to receive (<= 2^24) to avoid too big mallocs in case of trashed headers */
+#ifndef DIAMETER_MSG_SIZE_MAX
+#define DIAMETER_MSG_SIZE_MAX 65535 /* in bytes */
+#endif /* DIAMETER_MSG_SIZE_MAX */
+
+
+/* Connections contexts (cnxctx) in freeDiameter are wrappers around the sockets and TLS operations .
+ * They are used to hide the details of the processing to the higher layers of the daemon.
+ * They are always oriented on connections (TCP or SCTP), connectionless modes (UDP or SCTP) are not supported.
+ */
+
+/* Lifetime of a cnxctx object:
+ * 1) Creation
+ * a) a server socket:
+ * - create the object with fd_cnx_serv_tcp or fd_cnx_serv_sctp
+ * - start listening incoming connections: fd_cnx_serv_listen
+ * - accept new clients with fd_cnx_serv_accept.
+ * b) a client socket:
+ * - connect to a remote server with fd_cnx_cli_connect
+ *
+ * 2) Initialization
+ * - if TLS is started first, call fd_cnx_handshake
+ * - otherwise to receive clear messages, call fd_cnx_start_clear. fd_cnx_handshake can be called later.
+ *
+ * 3) Usage
+ * - fd_cnx_receive, fd_cnx_send : exchange messages on this connection (send is synchronous, receive is not, but blocking).
+ * - fd_cnx_recv_setaltfifo : when a message is received, the event is sent to an external fifo list. fd_cnx_receive does not work when the alt_fifo is set.
+ * - fd_cnx_getid : retrieve a descriptive string for the connection (for debug)
+ * - fd_cnx_getremoteid : identification of the remote peer (IP address or fqdn)
+ * - fd_cnx_getcred : get the remote peer TLS credentials, after handshake
+ *
+ * 4) End
+ * - fd_cnx_destroy
+ */
+
+/*******************************************/
+/* Creation of a connection object */
+/*******************************************/
+
+/* Initialize a context structure */
+static struct cnxctx * fd_cnx_init(int full)
+{
+ struct cnxctx * conn = NULL;
+
+ TRACE_ENTRY("%d", full);
+
+ CHECK_MALLOC_DO( conn = malloc(sizeof(struct cnxctx)), return NULL );
+ memset(conn, 0, sizeof(struct cnxctx));
+
+ if (full) {
+ CHECK_FCT_DO( fd_fifo_new ( &conn->cc_incoming, 5 ), return NULL );
+ }
+
+ return conn;
+}
+
+#define CC_ID_HDR "{----} "
+
+/* Create and bind a server socket to the given endpoint and port */
+struct cnxctx * fd_cnx_serv_tcp(uint16_t port, int family, struct fd_endpoint * ep)
+{
+ struct cnxctx * cnx = NULL;
+ sSS dummy;
+ sSA * sa = (sSA *) &dummy;
+
+ TRACE_ENTRY("%hu %d %p", port, family, ep);
+
+ CHECK_PARAMS_DO( port, return NULL );
+ CHECK_PARAMS_DO( ep || family, return NULL );
+ CHECK_PARAMS_DO( (! family) || (family == AF_INET) || (family == AF_INET6), return NULL );
+ CHECK_PARAMS_DO( (! ep) || (ep->ss.ss_family == AF_INET) || (ep->ss.ss_family == AF_INET6), return NULL );
+ CHECK_PARAMS_DO( (! ep) || (!family) || (ep->ss.ss_family == family), return NULL );
+
+ /* The connection object */
+ CHECK_MALLOC_DO( cnx = fd_cnx_init(0), return NULL );
+
+ /* Prepare the socket address information */
+ if (ep) {
+ memcpy(sa, &ep->ss, sizeof(sSS));
+ } else {
+ memset(&dummy, 0, sizeof(dummy));
+ sa->sa_family = family;
+ }
+ if (sa->sa_family == AF_INET) {
+ ((sSA4 *)sa)->sin_port = htons(port);
+ cnx->cc_family = AF_INET;
+ } else {
+ ((sSA6 *)sa)->sin6_port = htons(port);
+ cnx->cc_family = AF_INET6;
+ }
+
+ /* Create the socket */
+ CHECK_FCT_DO( fd_tcp_create_bind_server( &cnx->cc_socket, sa, sSAlen(sa) ), goto error );
+
+ /* Generate the name for the connection object */
+ {
+ char addrbuf[INET6_ADDRSTRLEN];
+ int rc;
+ rc = getnameinfo(sa, sSAlen(sa), addrbuf, sizeof(addrbuf), NULL, 0, NI_NUMERICHOST);
+ if (rc)
+ snprintf(addrbuf, sizeof(addrbuf), "[err:%s]", gai_strerror(rc));
+ snprintf(cnx->cc_id, sizeof(cnx->cc_id), CC_ID_HDR "TCP srv [%s]:%hu (%d)", addrbuf, port, cnx->cc_socket);
+ }
+
+ cnx->cc_proto = IPPROTO_TCP;
+
+ return cnx;
+
+error:
+ fd_cnx_destroy(cnx);
+ return NULL;
+}
+
+/* Same function for SCTP, with a list of local endpoints to bind to */
+struct cnxctx * fd_cnx_serv_sctp(uint16_t port, struct fd_list * ep_list)
+{
+#ifdef DISABLE_SCTP
+ TRACE_DEBUG(INFO, "This function should never been called when SCTP is disabled...");
+ ASSERT(0);
+ CHECK_FCT_DO( ENOTSUP, );
+ return NULL;
+#else /* DISABLE_SCTP */
+ struct cnxctx * cnx = NULL;
+
+ TRACE_ENTRY("%hu %p", port, ep_list);
+
+ CHECK_PARAMS_DO( port, return NULL );
+
+ /* The connection object */
+ CHECK_MALLOC_DO( cnx = fd_cnx_init(0), return NULL );
+
+ if (fd_g_config->cnf_flags.no_ip6) {
+ cnx->cc_family = AF_INET;
+ } else {
+ cnx->cc_family = AF_INET6; /* can create socket for both IP and IPv6 */
+ }
+
+ /* Create the socket */
+ CHECK_FCT_DO( fd_sctp_create_bind_server( &cnx->cc_socket, cnx->cc_family, ep_list, port ), goto error );
+
+ /* Generate the name for the connection object */
+ snprintf(cnx->cc_id, sizeof(cnx->cc_id), CC_ID_HDR "SCTP srv :%hu (%d)", port, cnx->cc_socket);
+
+ cnx->cc_proto = IPPROTO_SCTP;
+
+ return cnx;
+
+error:
+ fd_cnx_destroy(cnx);
+ return NULL;
+#endif /* DISABLE_SCTP */
+}
+
+/* Allow clients to connect on the server socket */
+int fd_cnx_serv_listen(struct cnxctx * conn)
+{
+ CHECK_PARAMS( conn );
+
+ switch (conn->cc_proto) {
+ case IPPROTO_TCP:
+ CHECK_FCT(fd_tcp_listen(conn->cc_socket));
+ break;
+
+#ifndef DISABLE_SCTP
+ case IPPROTO_SCTP:
+ CHECK_FCT(fd_sctp_listen(conn->cc_socket));
+ break;
+#endif /* DISABLE_SCTP */
+
+ default:
+ CHECK_PARAMS(0);
+ }
+
+ return 0;
+}
+
+/* Accept a client (blocking until a new client connects) -- cancelable */
+struct cnxctx * fd_cnx_serv_accept(struct cnxctx * serv)
+{
+ struct cnxctx * cli = NULL;
+ sSS ss;
+ socklen_t ss_len = sizeof(ss);
+ int cli_sock = 0;
+
+ TRACE_ENTRY("%p", serv);
+ CHECK_PARAMS_DO(serv, return NULL);
+
+ /* Accept the new connection -- this is blocking until new client enters or until cancellation */
+ CHECK_SYS_DO( cli_sock = accept(serv->cc_socket, (sSA *)&ss, &ss_len), return NULL );
+
+ CHECK_MALLOC_DO( cli = fd_cnx_init(1), { shutdown(cli_sock, SHUT_RDWR); close(cli_sock); return NULL; } );
+ cli->cc_socket = cli_sock;
+ cli->cc_family = serv->cc_family;
+ cli->cc_proto = serv->cc_proto;
+
+ /* Set the timeout */
+ fd_cnx_s_setto(cli->cc_socket);
+
+ /* Generate the name for the connection object */
+ {
+ char addrbuf[INET6_ADDRSTRLEN];
+ char portbuf[10];
+ int rc;
+
+ rc = getnameinfo((sSA *)&ss, ss_len, addrbuf, sizeof(addrbuf), portbuf, sizeof(portbuf), NI_NUMERICHOST | NI_NUMERICSERV);
+ if (rc) {
+ snprintf(addrbuf, sizeof(addrbuf), "[err:%s]", gai_strerror(rc));
+ portbuf[0] = '\0';
+ }
+
+ /* Numeric values for debug... */
+ snprintf(cli->cc_id, sizeof(cli->cc_id), CC_ID_HDR "%s from [%s]:%s (%d<-%d)",
+ IPPROTO_NAME(cli->cc_proto), addrbuf, portbuf, serv->cc_socket, cli->cc_socket);
+
+
+ /* ...Name for log messages */
+ rc = getnameinfo((sSA *)&ss, ss_len, cli->cc_remid, sizeof(cli->cc_remid), NULL, 0, 0);
+ if (rc)
+ snprintf(cli->cc_remid, sizeof(cli->cc_remid), "[err:%s]", gai_strerror(rc));
+ }
+
+ LOG_D("Incoming connection: '%s' <- '%s' {%s}", fd_cnx_getid(serv), cli->cc_remid, cli->cc_id);
+
+#ifndef DISABLE_SCTP
+ /* SCTP-specific handlings */
+ if (cli->cc_proto == IPPROTO_SCTP) {
+ /* Retrieve the number of streams */
+ CHECK_FCT_DO( fd_sctp_get_str_info( cli->cc_socket, &cli->cc_sctp_para.str_in, &cli->cc_sctp_para.str_out, NULL ), {fd_cnx_destroy(cli); return NULL;} );
+ if (cli->cc_sctp_para.str_out < cli->cc_sctp_para.str_in)
+ cli->cc_sctp_para.pairs = cli->cc_sctp_para.str_out;
+ else
+ cli->cc_sctp_para.pairs = cli->cc_sctp_para.str_in;
+
+ LOG_A( "%s : client '%s' (SCTP:%d, %d/%d streams)", fd_cnx_getid(serv), fd_cnx_getid(cli), cli->cc_socket, cli->cc_sctp_para.str_in, cli->cc_sctp_para.str_out);
+ }
+#endif /* DISABLE_SCTP */
+
+ return cli;
+}
+
+/* Client side: connect to a remote server -- cancelable */
+struct cnxctx * fd_cnx_cli_connect_tcp(sSA * sa /* contains the port already */, socklen_t addrlen)
+{
+ int sock = 0;
+ struct cnxctx * cnx = NULL;
+ char sa_buf[sSA_DUMP_STRLEN];
+
+ TRACE_ENTRY("%p %d", sa, addrlen);
+ CHECK_PARAMS_DO( sa && addrlen, return NULL );
+
+ fd_sa_sdump_numeric(sa_buf, sa);
+
+ LOG_D("Connecting to TCP %s...", sa_buf);
+
+ /* Create the socket and connect, which can take some time and/or fail */
+ {
+ int ret = fd_tcp_client( &sock, sa, addrlen );
+ if (ret != 0) {
+ LOG_D("TCP connection to %s failed: %s", sa_buf, strerror(ret));
+ return NULL;
+ }
+ }
+
+ /* Once the socket is created successfuly, prepare the remaining of the cnx */
+ CHECK_MALLOC_DO( cnx = fd_cnx_init(1), { shutdown(sock, SHUT_RDWR); close(sock); return NULL; } );
+
+ cnx->cc_socket = sock;
+ cnx->cc_family = sa->sa_family;
+ cnx->cc_proto = IPPROTO_TCP;
+
+ /* Set the timeout */
+ fd_cnx_s_setto(cnx->cc_socket);
+
+ /* Generate the names for the object */
+ {
+ int rc;
+
+ snprintf(cnx->cc_id, sizeof(cnx->cc_id), CC_ID_HDR "TCP,#%d->%s", cnx->cc_socket, sa_buf);
+
+ /* ...Name for log messages */
+ rc = getnameinfo(sa, addrlen, cnx->cc_remid, sizeof(cnx->cc_remid), NULL, 0, 0);
+ if (rc)
+ snprintf(cnx->cc_remid, sizeof(cnx->cc_remid), "[err:%s]", gai_strerror(rc));
+ }
+
+ LOG_A("TCP connection to %s succeed (socket:%d).", sa_buf, sock);
+
+ return cnx;
+}
+
+/* Same for SCTP, accepts a list of remote addresses to connect to (see sctp_connectx for how they are used) */
+struct cnxctx * fd_cnx_cli_connect_sctp(int no_ip6, uint16_t port, struct fd_list * list)
+{
+#ifdef DISABLE_SCTP
+ TRACE_DEBUG(INFO, "This function should never be called when SCTP is disabled...");
+ ASSERT(0);
+ CHECK_FCT_DO( ENOTSUP, );
+ return NULL;
+#else /* DISABLE_SCTP */
+ int sock = 0;
+ struct cnxctx * cnx = NULL;
+ char sa_buf[sSA_DUMP_STRLEN];
+ sSS primary;
+
+ TRACE_ENTRY("%p", list);
+ CHECK_PARAMS_DO( list && !FD_IS_LIST_EMPTY(list), return NULL );
+
+ fd_sa_sdump_numeric(sa_buf, &((struct fd_endpoint *)(list->next))->sa);
+
+ LOG_D("Connecting to SCTP %s:%hu...", sa_buf, port);
+
+ {
+ int ret = fd_sctp_client( &sock, no_ip6, port, list );
+ if (ret != 0) {
+ LOG_D("SCTP connection to [%s,...] failed: %s", sa_buf, strerror(ret));
+ return NULL;
+ }
+ }
+
+ /* Once the socket is created successfuly, prepare the remaining of the cnx */
+ CHECK_MALLOC_DO( cnx = fd_cnx_init(1), { shutdown(sock, SHUT_RDWR); close(sock); return NULL; } );
+
+ cnx->cc_socket = sock;
+ cnx->cc_family = no_ip6 ? AF_INET : AF_INET6;
+ cnx->cc_proto = IPPROTO_SCTP;
+
+ /* Set the timeout */
+ fd_cnx_s_setto(cnx->cc_socket);
+
+ /* Retrieve the number of streams and primary address */
+ CHECK_FCT_DO( fd_sctp_get_str_info( sock, &cnx->cc_sctp_para.str_in, &cnx->cc_sctp_para.str_out, &primary ), goto error );
+ if (cnx->cc_sctp_para.str_out < cnx->cc_sctp_para.str_in)
+ cnx->cc_sctp_para.pairs = cnx->cc_sctp_para.str_out;
+ else
+ cnx->cc_sctp_para.pairs = cnx->cc_sctp_para.str_in;
+
+ fd_sa_sdump_numeric(sa_buf, (sSA *)&primary);
+
+ /* Generate the names for the object */
+ {
+ int rc;
+
+ snprintf(cnx->cc_id, sizeof(cnx->cc_id), CC_ID_HDR "SCTP,#%d->%s", cnx->cc_socket, sa_buf);
+
+ /* ...Name for log messages */
+ rc = getnameinfo((sSA *)&primary, sSAlen(&primary), cnx->cc_remid, sizeof(cnx->cc_remid), NULL, 0, 0);
+ if (rc)
+ snprintf(cnx->cc_remid, sizeof(cnx->cc_remid), "[err:%s]", gai_strerror(rc));
+ }
+
+ LOG_A("SCTP connection to %s succeed (socket:%d, %d/%d streams).", sa_buf, sock, cnx->cc_sctp_para.str_in, cnx->cc_sctp_para.str_out);
+
+ return cnx;
+
+error:
+ fd_cnx_destroy(cnx);
+ return NULL;
+#endif /* DISABLE_SCTP */
+}
+
+/* Return a string describing the connection, for debug */
+char * fd_cnx_getid(struct cnxctx * conn)
+{
+ CHECK_PARAMS_DO( conn, return "" );
+ return conn->cc_id;
+}
+
+/* Return the protocol of a connection */
+int fd_cnx_getproto(struct cnxctx * conn)
+{
+ CHECK_PARAMS_DO( conn, return 0 );
+ return conn->cc_proto;
+}
+
+/* Set the hostname to check during handshake */
+void fd_cnx_sethostname(struct cnxctx * conn, DiamId_t hn)
+{
+ CHECK_PARAMS_DO( conn, return );
+ conn->cc_tls_para.cn = hn;
+}
+
+/* We share a lock with many threads but we hold it only very short time so it is OK */
+static pthread_mutex_t state_lock = PTHREAD_MUTEX_INITIALIZER;
+uint32_t fd_cnx_getstate(struct cnxctx * conn)
+{
+ uint32_t st;
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ st = conn->cc_state;
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+ return st;
+}
+int fd_cnx_teststate(struct cnxctx * conn, uint32_t flag)
+{
+ uint32_t st;
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ st = conn->cc_state;
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+ return st & flag;
+}
+void fd_cnx_update_id(struct cnxctx * conn) {
+ if (conn->cc_state & CC_STATUS_CLOSING)
+ conn->cc_id[1] = 'C';
+ else
+ conn->cc_id[1] = '-';
+
+ if (conn->cc_state & CC_STATUS_ERROR)
+ conn->cc_id[2] = 'E';
+ else
+ conn->cc_id[2] = '-';
+
+ if (conn->cc_state & CC_STATUS_SIGNALED)
+ conn->cc_id[3] = 'S';
+ else
+ conn->cc_id[3] = '-';
+
+ if (conn->cc_state & CC_STATUS_TLS)
+ conn->cc_id[4] = 'T';
+ else
+ conn->cc_id[4] = '-';
+}
+void fd_cnx_addstate(struct cnxctx * conn, uint32_t orstate)
+{
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ conn->cc_state |= orstate;
+ fd_cnx_update_id(conn);
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+}
+void fd_cnx_setstate(struct cnxctx * conn, uint32_t abstate)
+{
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ conn->cc_state = abstate;
+ fd_cnx_update_id(conn);
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+}
+
+
+/* Return the TLS state of a connection */
+int fd_cnx_getTLS(struct cnxctx * conn)
+{
+ CHECK_PARAMS_DO( conn, return 0 );
+ return fd_cnx_teststate(conn, CC_STATUS_TLS);
+}
+
+/* Mark the connection to tell if OOO delivery is permitted (only for SCTP) */
+int fd_cnx_unordered_delivery(struct cnxctx * conn, int is_allowed)
+{
+ CHECK_PARAMS( conn );
+ conn->cc_sctp_para.unordered = is_allowed;
+ return 0;
+}
+
+/* Return true if the connection supports unordered delivery of messages */
+int fd_cnx_is_unordered_delivery_supported(struct cnxctx * conn)
+{
+ CHECK_PARAMS_DO( conn, return 0 );
+ #ifndef DISABLE_SCTP
+ if (conn->cc_proto == IPPROTO_SCTP)
+ return (conn->cc_sctp_para.str_out > 1);
+ #endif /* DISABLE_SCTP */
+ return 0;
+}
+
+
+/* Get the list of endpoints (IP addresses) of the local and remote peers on this connection */
+int fd_cnx_getremoteeps(struct cnxctx * conn, struct fd_list * eps)
+{
+ TRACE_ENTRY("%p %p", conn, eps);
+ CHECK_PARAMS(conn && eps);
+
+ /* Check we have a full connection object, not a listening socket (with no remote) */
+ CHECK_PARAMS( conn->cc_incoming );
+
+ /* Retrieve the peer endpoint(s) of the connection */
+ switch (conn->cc_proto) {
+ case IPPROTO_TCP: {
+ sSS ss;
+ socklen_t sl;
+ CHECK_FCT(fd_tcp_get_remote_ep(conn->cc_socket, &ss, &sl));
+ CHECK_FCT(fd_ep_add_merge( eps, (sSA *)&ss, sl, EP_FL_LL | EP_FL_PRIMARY ));
+ }
+ break;
+
+ #ifndef DISABLE_SCTP
+ case IPPROTO_SCTP: {
+ CHECK_FCT(fd_sctp_get_remote_ep(conn->cc_socket, eps));
+ }
+ break;
+ #endif /* DISABLE_SCTP */
+
+ default:
+ CHECK_PARAMS(0);
+ }
+
+ return 0;
+}
+
+/* Get a string describing the remote peer address (ip address or fqdn) */
+char * fd_cnx_getremoteid(struct cnxctx * conn)
+{
+ CHECK_PARAMS_DO( conn, return "" );
+ return conn->cc_remid;
+}
+
+static int fd_cnx_may_dtls(struct cnxctx * conn);
+
+/* Get a short string representing the connection */
+int fd_cnx_proto_info(struct cnxctx * conn, char * buf, size_t len)
+{
+ CHECK_PARAMS( conn );
+
+ if (fd_cnx_teststate(conn, CC_STATUS_TLS)) {
+ snprintf(buf, len, "%s,%s,soc#%d", IPPROTO_NAME(conn->cc_proto), fd_cnx_may_dtls(conn) ? "DTLS" : "TLS", conn->cc_socket);
+ } else {
+ snprintf(buf, len, "%s,soc#%d", IPPROTO_NAME(conn->cc_proto), conn->cc_socket);
+ }
+
+ return 0;
+}
+
+/* Retrieve a list of all IP addresses of the local system from the kernel, using getifaddrs */
+int fd_cnx_get_local_eps(struct fd_list * list)
+{
+ struct ifaddrs *iflist, *cur;
+
+ CHECK_SYS(getifaddrs(&iflist));
+
+ for (cur = iflist; cur != NULL; cur = cur->ifa_next) {
+ if (cur->ifa_flags & IFF_LOOPBACK)
+ continue;
+
+ if (cur->ifa_addr == NULL) /* may happen with ppp interfaces */
+ continue;
+
+ if (fd_g_config->cnf_flags.no_ip4 && (cur->ifa_addr->sa_family == AF_INET))
+ continue;
+
+ if (fd_g_config->cnf_flags.no_ip6 && (cur->ifa_addr->sa_family == AF_INET6))
+ continue;
+
+ CHECK_FCT(fd_ep_add_merge( list, cur->ifa_addr, sSAlen(cur->ifa_addr), EP_FL_LL ));
+ }
+
+ freeifaddrs(iflist);
+
+ return 0;
+}
+
+
+/**************************************/
+/* Use of a connection object */
+/**************************************/
+
+/* An error occurred on the socket */
+void fd_cnx_markerror(struct cnxctx * conn)
+{
+ TRACE_ENTRY("%p", conn);
+ CHECK_PARAMS_DO( conn, goto fatal );
+
+ TRACE_DEBUG(FULL, "Error flag set for socket %d (%s, %s)", conn->cc_socket, conn->cc_id, conn->cc_remid);
+
+ /* Mark the error */
+ fd_cnx_addstate(conn, CC_STATUS_ERROR);
+
+ /* Report the error if not reported yet, and not closing */
+ if (!fd_cnx_teststate(conn, CC_STATUS_CLOSING | CC_STATUS_SIGNALED )) {
+ TRACE_DEBUG(FULL, "Sending FDEVP_CNX_ERROR event");
+ CHECK_FCT_DO( fd_event_send( fd_cnx_target_queue(conn), FDEVP_CNX_ERROR, 0, NULL), goto fatal);
+ fd_cnx_addstate(conn, CC_STATUS_SIGNALED);
+ }
+
+ return;
+fatal:
+ /* An unrecoverable error occurred, stop the daemon */
+ ASSERT(0);
+ CHECK_FCT_DO(fd_core_shutdown(), );
+}
+
+/* Set the timeout option on the socket */
+void fd_cnx_s_setto(int sock)
+{
+ struct timeval tv;
+
+ /* Set a timeout on the socket so that in any case we are not stuck waiting for something */
+ memset(&tv, 0, sizeof(tv));
+ tv.tv_usec = 100000L; /* 100ms, to react quickly to head-of-the-line blocking. */
+ CHECK_SYS_DO( setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)), );
+ CHECK_SYS_DO( setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)), );
+}
+
+
+#ifdef GNUTLS_VERSION_300
+/* The pull_timeout function for gnutls */
+static int fd_cnx_s_select (struct cnxctx * conn, unsigned int ms)
+{
+ fd_set rfds;
+ struct timeval tv;
+
+ FD_ZERO (&rfds);
+ FD_SET (conn->cc_socket, &rfds);
+
+ tv.tv_sec = ms / 1000;
+ tv.tv_usec = (ms * 1000) % 1000000;
+
+ return select (conn->cc_socket + 1, &rfds, NULL, NULL, &tv);
+}
+#endif /* GNUTLS_VERSION_300 */
+
+/* A recv-like function, taking a cnxctx object instead of socket as entry. We use it to quickly react to timeouts without traversing GNUTLS wrapper each time */
+ssize_t fd_cnx_s_recv(struct cnxctx * conn, void *buffer, size_t length)
+{
+ ssize_t ret = 0;
+ int timedout = 0;
+again:
+ ret = recv(conn->cc_socket, buffer, length, 0);
+ /* Handle special case of timeout / interrupts */
+ if ((ret < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
+ pthread_testcancel();
+ if (! fd_cnx_teststate(conn, CC_STATUS_CLOSING ))
+ goto again; /* don't care, just ignore */
+ if (!timedout) {
+ timedout ++; /* allow for one timeout while closing */
+ goto again;
+ }
+ }
+
+ /* Mark the error */
+ if (ret <= 0) {
+ CHECK_SYS_DO(ret, /* continue, this is only used to log the error here */);
+ fd_cnx_markerror(conn);
+ }
+
+ return ret;
+}
+
+/* Send */
+static ssize_t fd_cnx_s_sendv(struct cnxctx * conn, const struct iovec * iov, int iovcnt)
+{
+ ssize_t ret = 0;
+ struct timespec ts, now;
+ CHECK_SYS_DO( clock_gettime(CLOCK_REALTIME, &ts), return -1 );
+again:
+ ret = writev(conn->cc_socket, iov, iovcnt);
+ /* Handle special case of timeout */
+ if ((ret < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
+ ret = -errno;
+ pthread_testcancel();
+
+ /* Check how much time we were blocked for this sending. */
+ CHECK_SYS_DO( clock_gettime(CLOCK_REALTIME, &now), return -1 );
+ if ( ((now.tv_sec - ts.tv_sec) * 1000 + ((now.tv_nsec - ts.tv_nsec) / 1000000L)) > MAX_HOTL_BLOCKING_TIME) {
+ LOG_D("Unable to send any data for %dms, closing the connection", MAX_HOTL_BLOCKING_TIME);
+ } else if (! fd_cnx_teststate(conn, CC_STATUS_CLOSING )) {
+ goto again; /* don't care, just ignore */
+ }
+
+ /* propagate the error */
+ errno = -ret;
+ ret = -1;
+ CHECK_SYS_DO(ret, /* continue */);
+ }
+
+ /* Mark the error */
+ if (ret <= 0)
+ fd_cnx_markerror(conn);
+
+ return ret;
+}
+
+/* Send, for older GNUTLS */
+#ifndef GNUTLS_VERSION_212
+static ssize_t fd_cnx_s_send(struct cnxctx * conn, const void *buffer, size_t length)
+{
+ struct iovec iov;
+ iov.iov_base = (void *)buffer;
+ iov.iov_len = length;
+ return fd_cnx_s_sendv(conn, &iov, 1);
+}
+#endif /* GNUTLS_VERSION_212 */
+
+#define ALIGNOF(t) ((char *)(&((struct { char c; t _h; } *)0)->_h) - (char *)0) /* Could use __alignof__(t) on some systems but this is more portable probably */
+#define PMDL_PADDED(len) ( ((len) + ALIGNOF(struct fd_msg_pmdl) - 1) & ~(ALIGNOF(struct fd_msg_pmdl) - 1) )
+
+size_t fd_msg_pmdl_sizewithoverhead(size_t datalen)
+{
+ return PMDL_PADDED(datalen) + sizeof(struct fd_msg_pmdl);
+}
+
+struct fd_msg_pmdl * fd_msg_pmdl_get_inbuf(uint8_t * buf, size_t datalen)
+{
+ return (struct fd_msg_pmdl *)(buf + PMDL_PADDED(datalen));
+}
+
+static int fd_cnx_init_msg_buffer(uint8_t * buffer, size_t expected_len, struct fd_msg_pmdl ** pmdl)
+{
+ *pmdl = fd_msg_pmdl_get_inbuf(buffer, expected_len);
+ fd_list_init(&(*pmdl)->sentinel, NULL);
+ CHECK_POSIX(pthread_mutex_init(&(*pmdl)->lock, NULL) );
+ return 0;
+}
+
+static uint8_t * fd_cnx_alloc_msg_buffer(size_t expected_len, struct fd_msg_pmdl ** pmdl)
+{
+ uint8_t * ret = NULL;
+
+ CHECK_MALLOC_DO( ret = malloc( fd_msg_pmdl_sizewithoverhead(expected_len) ), return NULL );
+ CHECK_FCT_DO( fd_cnx_init_msg_buffer(ret, expected_len, pmdl), {free(ret); return NULL;} );
+ return ret;
+}
+
+#ifndef DISABLE_SCTP /* WE use this function only in SCTP code */
+static uint8_t * fd_cnx_realloc_msg_buffer(uint8_t * buffer, size_t expected_len, struct fd_msg_pmdl ** pmdl)
+{
+ uint8_t * ret = NULL;
+
+ CHECK_MALLOC_DO( ret = realloc( buffer, fd_msg_pmdl_sizewithoverhead(expected_len) ), return NULL );
+ CHECK_FCT_DO( fd_cnx_init_msg_buffer(ret, expected_len, pmdl), {free(ret); return NULL;} );
+ return ret;
+}
+#endif /* DISABLE_SCTP */
+
+static void free_rcvdata(void * arg)
+{
+ struct fd_cnx_rcvdata * data = arg;
+ struct fd_msg_pmdl * pmdl = fd_msg_pmdl_get_inbuf(data->buffer, data->length);
+ (void) pthread_mutex_destroy(&pmdl->lock);
+ free(data->buffer);
+}
+
+/* Receiver thread (TCP & noTLS) : incoming message is directly saved into the target queue */
+static void * rcvthr_notls_tcp(void * arg)
+{
+ struct cnxctx * conn = arg;
+
+ TRACE_ENTRY("%p", arg);
+ CHECK_PARAMS_DO(conn && (conn->cc_socket > 0), goto out);
+
+ /* Set the thread name */
+ {
+ char buf[48];
+ snprintf(buf, sizeof(buf), "Receiver (%d) TCP/noTLS)", conn->cc_socket);
+ fd_log_threadname ( buf );
+ }
+
+ ASSERT( conn->cc_proto == IPPROTO_TCP );
+ ASSERT( ! fd_cnx_teststate(conn, CC_STATUS_TLS ) );
+ ASSERT( fd_cnx_target_queue(conn) );
+
+ /* Receive from a TCP connection: we have to rebuild the message boundaries */
+ do {
+ uint8_t header[4];
+ struct fd_cnx_rcvdata rcv_data;
+ struct fd_msg_pmdl *pmdl=NULL;
+ ssize_t ret = 0;
+ size_t received = 0;
+
+ do {
+ ret = fd_cnx_s_recv(conn, &header[received], sizeof(header) - received);
+ if (ret <= 0) {
+ goto out; /* Stop the thread, the event was already sent */
+ }
+
+ received += ret;
+
+ if (header[0] != DIAMETER_VERSION)
+ break; /* No need to wait for 4 bytes in this case */
+ } while (received < sizeof(header));
+
+ rcv_data.length = ((size_t)header[1] << 16) + ((size_t)header[2] << 8) + (size_t)header[3];
+
+ /* Check the received word is a valid begining of a Diameter message */
+ if ((header[0] != DIAMETER_VERSION) /* defined in <libfdproto.h> */
+ || (rcv_data.length > DIAMETER_MSG_SIZE_MAX)) { /* to avoid too big mallocs */
+ /* The message is suspect */
+ LOG_E( "Received suspect header [ver: %d, size: %zd] from '%s', assuming disconnection", (int)header[0], rcv_data.length, conn->cc_remid);
+ fd_cnx_markerror(conn);
+ goto out; /* Stop the thread, the recipient of the event will cleanup */
+ }
+
+ /* Ok, now we can really receive the data */
+ CHECK_MALLOC_DO( rcv_data.buffer = fd_cnx_alloc_msg_buffer( rcv_data.length, &pmdl ), goto fatal );
+ memcpy(rcv_data.buffer, header, sizeof(header));
+
+ while (received < rcv_data.length) {
+ pthread_cleanup_push(free_rcvdata, &rcv_data); /* In case we are canceled, clean the partialy built buffer */
+ ret = fd_cnx_s_recv(conn, rcv_data.buffer + received, rcv_data.length - received);
+ pthread_cleanup_pop(0);
+
+ if (ret <= 0) {
+ free_rcvdata(&rcv_data);
+ goto out;
+ }
+ received += ret;
+ }
+
+ fd_hook_call(HOOK_DATA_RECEIVED, NULL, NULL, &rcv_data, pmdl);
+
+ /* We have received a complete message, pass it to the daemon */
+ CHECK_FCT_DO( fd_event_send( fd_cnx_target_queue(conn), FDEVP_CNX_MSG_RECV, rcv_data.length, rcv_data.buffer),
+ {
+ free_rcvdata(&rcv_data);
+ goto fatal;
+ } );
+
+ } while (conn->cc_loop);
+
+out:
+ TRACE_DEBUG(FULL, "Thread terminated");
+ return NULL;
+
+fatal:
+ /* An unrecoverable error occurred, stop the daemon */
+ CHECK_FCT_DO(fd_core_shutdown(), );
+ goto out;
+}
+
+#ifndef DISABLE_SCTP
+/* Receiver thread (SCTP & noTLS) : incoming message is directly saved into cc_incoming, no need to care for the stream ID */
+static void * rcvthr_notls_sctp(void * arg)
+{
+ struct cnxctx * conn = arg;
+ struct fd_cnx_rcvdata rcv_data;
+ int event;
+
+ TRACE_ENTRY("%p", arg);
+ CHECK_PARAMS_DO(conn && (conn->cc_socket > 0), goto fatal);
+
+ /* Set the thread name */
+ {
+ char buf[48];
+ snprintf(buf, sizeof(buf), "Receiver (%d) SCTP/noTLS)", conn->cc_socket);
+ fd_log_threadname ( buf );
+ }
+
+ ASSERT( conn->cc_proto == IPPROTO_SCTP );
+ ASSERT( ! fd_cnx_teststate(conn, CC_STATUS_TLS ) );
+ ASSERT( fd_cnx_target_queue(conn) );
+
+ do {
+ struct fd_msg_pmdl *pmdl=NULL;
+ CHECK_FCT_DO( fd_sctp_recvmeta(conn, NULL, &rcv_data.buffer, &rcv_data.length, &event), goto fatal );
+ if (event == FDEVP_CNX_ERROR) {
+ fd_cnx_markerror(conn);
+ goto out;
+ }
+
+ if (event == FDEVP_CNX_SHUTDOWN) {
+ /* Just ignore the notification for now, we will get another error later anyway */
+ continue;
+ }
+
+ if (event == FDEVP_CNX_MSG_RECV) {
+ CHECK_MALLOC_DO( rcv_data.buffer = fd_cnx_realloc_msg_buffer(rcv_data.buffer, rcv_data.length, &pmdl), goto fatal );
+ fd_hook_call(HOOK_DATA_RECEIVED, NULL, NULL, &rcv_data, pmdl);
+ }
+ CHECK_FCT_DO( fd_event_send( fd_cnx_target_queue(conn), event, rcv_data.length, rcv_data.buffer), goto fatal );
+
+ } while (conn->cc_loop || (event != FDEVP_CNX_MSG_RECV));
+
+out:
+ TRACE_DEBUG(FULL, "Thread terminated");
+ return NULL;
+
+fatal:
+ /* An unrecoverable error occurred, stop the daemon */
+ CHECK_FCT_DO(fd_core_shutdown(), );
+ goto out;
+}
+#endif /* DISABLE_SCTP */
+
+/* Start receving messages in clear (no TLS) on the connection */
+int fd_cnx_start_clear(struct cnxctx * conn, int loop)
+{
+ TRACE_ENTRY("%p %i", conn, loop);
+
+ CHECK_PARAMS( conn && fd_cnx_target_queue(conn) && (!fd_cnx_teststate(conn, CC_STATUS_TLS)) && (!conn->cc_loop));
+
+ /* Release resources in case of a previous call was already made */
+ CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */);
+
+ /* Save the loop request */
+ conn->cc_loop = loop;
+
+ switch (conn->cc_proto) {
+ case IPPROTO_TCP:
+ /* Start the tcp_notls thread */
+ CHECK_POSIX( pthread_create( &conn->cc_rcvthr, NULL, rcvthr_notls_tcp, conn ) );
+ break;
+#ifndef DISABLE_SCTP
+ case IPPROTO_SCTP:
+ /* Start the tcp_notls thread */
+ CHECK_POSIX( pthread_create( &conn->cc_rcvthr, NULL, rcvthr_notls_sctp, conn ) );
+ break;
+#endif /* DISABLE_SCTP */
+ default:
+ TRACE_DEBUG(INFO, "Unknown protocol: %d", conn->cc_proto);
+ ASSERT(0);
+ return ENOTSUP;
+ }
+
+ return 0;
+}
+
+
+
+
+/* Returns 0 on error, received data size otherwise (always >= 0). This is not used for DTLS-protected associations. */
+static ssize_t fd_tls_recv_handle_error(struct cnxctx * conn, gnutls_session_t session, void * data, size_t sz)
+{
+ ssize_t ret;
+again:
+ CHECK_GNUTLS_DO( ret = gnutls_record_recv(session, data, sz),
+ {
+ switch (ret) {
+ case GNUTLS_E_REHANDSHAKE:
+ if (!fd_cnx_teststate(conn, CC_STATUS_CLOSING)) {
+ CHECK_GNUTLS_DO( ret = gnutls_handshake(session),
+ {
+ if (TRACE_BOOL(INFO)) {
+ fd_log_debug("TLS re-handshake failed on socket %d (%s) : %s", conn->cc_socket, conn->cc_id, gnutls_strerror(ret));
+ }
+ goto end;
+ } );
+ }
+
+ case GNUTLS_E_AGAIN:
+ case GNUTLS_E_INTERRUPTED:
+ if (!fd_cnx_teststate(conn, CC_STATUS_CLOSING))
+ goto again;
+ TRACE_DEBUG(FULL, "Connection is closing, so abord gnutls_record_recv now.");
+ break;
+
+ case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
+ /* The connection is closed */
+ TRACE_DEBUG(FULL, "Got 0 size while reading the socket, probably connection closed...");
+ break;
+
+ default:
+ if (gnutls_error_is_fatal (ret) == 0) {
+ LOG_N("Ignoring non-fatal GNU TLS error: %s", gnutls_strerror (ret));
+ goto again;
+ }
+ LOG_E("Fatal GNUTLS error: %s", gnutls_strerror (ret));
+ }
+ } );
+
+ if (ret == 0)
+ CHECK_GNUTLS_DO( gnutls_bye(session, GNUTLS_SHUT_RDWR), );
+
+end:
+ if (ret <= 0)
+ fd_cnx_markerror(conn);
+ return ret;
+}
+
+/* Wrapper around gnutls_record_send to handle some error codes. This is also used for DTLS-protected associations */
+static ssize_t fd_tls_send_handle_error(struct cnxctx * conn, gnutls_session_t session, void * data, size_t sz)
+{
+ ssize_t ret;
+ struct timespec ts, now;
+ CHECK_SYS_DO( clock_gettime(CLOCK_REALTIME, &ts), return -1 );
+again:
+ CHECK_GNUTLS_DO( ret = gnutls_record_send(session, data, sz),
+ {
+ pthread_testcancel();
+ switch (ret) {
+ case GNUTLS_E_REHANDSHAKE:
+ if (!fd_cnx_teststate(conn, CC_STATUS_CLOSING)) {
+ CHECK_GNUTLS_DO( ret = gnutls_handshake(session),
+ {
+ if (TRACE_BOOL(INFO)) {
+ fd_log_debug("TLS re-handshake failed on socket %d (%s) : %s", conn->cc_socket, conn->cc_id, gnutls_strerror(ret));
+ }
+ goto end;
+ } );
+ }
+
+ case GNUTLS_E_AGAIN:
+ case GNUTLS_E_INTERRUPTED:
+ CHECK_SYS_DO( clock_gettime(CLOCK_REALTIME, &now), return -1 );
+ if ( ((now.tv_sec - ts.tv_sec) * 1000 + ((now.tv_nsec - ts.tv_nsec) / 1000000L)) > MAX_HOTL_BLOCKING_TIME) {
+ LOG_D("Unable to send any data for %dms, closing the connection", MAX_HOTL_BLOCKING_TIME);
+ } else if (! fd_cnx_teststate(conn, CC_STATUS_CLOSING )) {
+ goto again;
+ }
+ break;
+
+ default:
+ if (gnutls_error_is_fatal (ret) == 0) {
+ LOG_N("Ignoring non-fatal GNU TLS error: %s", gnutls_strerror (ret));
+ goto again;
+ }
+ LOG_E("Fatal GNUTLS error: %s", gnutls_strerror (ret));
+ }
+ } );
+end:
+ if (ret <= 0)
+ fd_cnx_markerror(conn);
+
+ return ret;
+}
+
+
+/* The function that receives TLS data and re-builds a Diameter message -- it exits only on error or cancelation */
+/* For the case of DTLS, since we are not using SCTP_UNORDERED, the messages over a single stream are ordered.
+ Furthermore, as long as messages are shorter than the MTU [2^14 = 16384 bytes], they are delivered in a single
+ record, as far as I understand.
+ For larger messages, however, it is possible that pieces of messages coming from different streams can get interleaved.
+ As a result, we do not use the following function for DTLS reception, because we use the sequence number to rebuild the
+ messages. */
+int fd_tls_rcvthr_core(struct cnxctx * conn, gnutls_session_t session)
+{
+ /* No guarantee that GnuTLS preserves the message boundaries, so we re-build it as in TCP. */
+ do {
+ uint8_t header[4];
+ struct fd_cnx_rcvdata rcv_data;
+ struct fd_msg_pmdl *pmdl=NULL;
+ ssize_t ret = 0;
+ size_t received = 0;
+
+ do {
+ ret = fd_tls_recv_handle_error(conn, session, &header[received], sizeof(header) - received);
+ if (ret <= 0) {
+ /* The connection is closed */
+ goto out;
+ }
+ received += ret;
+ } while (received < sizeof(header));
+
+ rcv_data.length = ((size_t)header[1] << 16) + ((size_t)header[2] << 8) + (size_t)header[3];
+
+ /* Check the received word is a valid beginning of a Diameter message */
+ if ((header[0] != DIAMETER_VERSION) /* defined in <libfreeDiameter.h> */
+ || (rcv_data.length > DIAMETER_MSG_SIZE_MAX)) { /* to avoid too big mallocs */
+ /* The message is suspect */
+ LOG_E( "Received suspect header [ver: %d, size: %zd] from '%s', assume disconnection", (int)header[0], rcv_data.length, conn->cc_remid);
+ fd_cnx_markerror(conn);
+ goto out;
+ }
+
+ /* Ok, now we can really receive the data */
+ CHECK_MALLOC( rcv_data.buffer = fd_cnx_alloc_msg_buffer( rcv_data.length, &pmdl ) );
+ memcpy(rcv_data.buffer, header, sizeof(header));
+
+ while (received < rcv_data.length) {
+ pthread_cleanup_push(free_rcvdata, &rcv_data); /* In case we are canceled, clean the partialy built buffer */
+ ret = fd_tls_recv_handle_error(conn, session, rcv_data.buffer + received, rcv_data.length - received);
+ pthread_cleanup_pop(0);
+
+ if (ret <= 0) {
+ free_rcvdata(&rcv_data);
+ goto out;
+ }
+ received += ret;
+ }
+
+ fd_hook_call(HOOK_DATA_RECEIVED, NULL, NULL, &rcv_data, pmdl);
+
+ /* We have received a complete message, pass it to the daemon */
+ CHECK_FCT_DO( ret = fd_event_send( fd_cnx_target_queue(conn), FDEVP_CNX_MSG_RECV, rcv_data.length, rcv_data.buffer),
+ {
+ free_rcvdata(&rcv_data);
+ CHECK_FCT_DO(fd_core_shutdown(), );
+ return ret;
+ } );
+
+ } while (1);
+
+out:
+ return ENOTCONN;
+}
+
+/* Receiver thread (TLS & 1 stream SCTP or TCP) */
+static void * rcvthr_tls_single(void * arg)
+{
+ struct cnxctx * conn = arg;
+
+ TRACE_ENTRY("%p", arg);
+ CHECK_PARAMS_DO(conn && (conn->cc_socket > 0), return NULL );
+
+ /* Set the thread name */
+ {
+ char buf[48];
+ snprintf(buf, sizeof(buf), "Receiver (%d) TLS/single stream", conn->cc_socket);
+ fd_log_threadname ( buf );
+ }
+
+ ASSERT( fd_cnx_teststate(conn, CC_STATUS_TLS) );
+ ASSERT( fd_cnx_target_queue(conn) );
+
+ /* The next function only returns when there is an error on the socket */
+ CHECK_FCT_DO(fd_tls_rcvthr_core(conn, conn->cc_tls_para.session), /* continue */);
+
+ TRACE_DEBUG(FULL, "Thread terminated");
+ return NULL;
+}
+
+/* Prepare a gnutls session object for handshake */
+int fd_tls_prepare(gnutls_session_t * session, int mode, int dtls, char * priority, void * alt_creds)
+{
+ if (dtls) {
+ LOG_E("DTLS sessions not yet supported");
+ return ENOTSUP;
+ }
+
+ /* Create the session context */
+ CHECK_GNUTLS_DO( gnutls_init (session, mode), return ENOMEM );
+
+ /* Set the algorithm suite */
+ if (priority) {
+ const char * errorpos;
+ CHECK_GNUTLS_DO( gnutls_priority_set_direct( *session, priority, &errorpos ),
+ { TRACE_DEBUG(INFO, "Error in priority string '%s' at position: '%s'", priority, errorpos); return EINVAL; } );
+ } else {
+ CHECK_GNUTLS_DO( gnutls_priority_set( *session, fd_g_config->cnf_sec_data.prio_cache ), return EINVAL );
+ }
+
+ /* Set the credentials of this side of the connection */
+ CHECK_GNUTLS_DO( gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, alt_creds ?: fd_g_config->cnf_sec_data.credentials), return EINVAL );
+
+ /* Request the remote credentials as well */
+ if (mode == GNUTLS_SERVER) {
+ gnutls_certificate_server_set_request (*session, GNUTLS_CERT_REQUIRE);
+ }
+
+ return 0;
+}
+
+#ifndef GNUTLS_VERSION_300
+
+/* Verify remote credentials after successful handshake (return 0 if OK, EINVAL otherwise) */
+int fd_tls_verify_credentials(gnutls_session_t session, struct cnxctx * conn, int verbose)
+{
+ int i, ret = 0;
+ unsigned int gtret;
+ const gnutls_datum_t *cert_list;
+ unsigned int cert_list_size;
+ gnutls_x509_crt_t cert;
+ time_t now;
+
+ TRACE_ENTRY("%p %d", conn, verbose);
+ CHECK_PARAMS(conn);
+
+ /* Trace the session information -- http://www.gnu.org/software/gnutls/manual/gnutls.html#Obtaining-session-information */
+ #ifdef DEBUG
+ if (verbose) {
+ const char *tmp;
+ gnutls_kx_algorithm_t kx;
+ gnutls_credentials_type_t cred;
+
+ LOG_D("TLS Session information for connection '%s':", conn->cc_id);
+
+ /* print the key exchange's algorithm name */
+ GNUTLS_TRACE( kx = gnutls_kx_get (session) );
+ GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
+ LOG_D("\t - Key Exchange: %s", tmp);
+
+ /* Check the authentication type used and switch
+ * to the appropriate. */
+ GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
+ switch (cred)
+ {
+ case GNUTLS_CRD_IA:
+ LOG_D("\t - TLS/IA session");
+ break;
+
+ case GNUTLS_CRD_PSK:
+ /* This returns NULL in server side. */
+ if (gnutls_psk_client_get_hint (session) != NULL)
+ LOG_D("\t - PSK authentication. PSK hint '%s'",
+ gnutls_psk_client_get_hint (session));
+ /* This returns NULL in client side. */
+ if (gnutls_psk_server_get_username (session) != NULL)
+ LOG_D("\t - PSK authentication. Connected as '%s'",
+ gnutls_psk_server_get_username (session));
+ break;
+
+ case GNUTLS_CRD_ANON: /* anonymous authentication */
+ LOG_D("\t - Anonymous DH using prime of %d bits",
+ gnutls_dh_get_prime_bits (session));
+ break;
+
+ case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */
+ /* Check if we have been using ephemeral Diffie-Hellman. */
+ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
+ LOG_D("\t - Ephemeral DH using prime of %d bits",
+ gnutls_dh_get_prime_bits (session));
+ }
+ break;
+#ifdef ENABLE_SRP
+ case GNUTLS_CRD_SRP:
+ LOG_D("\t - SRP session with username %s",
+ gnutls_srp_server_get_username (session));
+ break;
+#endif /* ENABLE_SRP */
+
+ default:
+ fd_log_debug("\t - Different type of credentials for the session (%d).", cred);
+ break;
+
+ }
+
+ /* print the protocol's name (ie TLS 1.0) */
+ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
+ LOG_D("\t - Protocol: %s", tmp);
+
+ /* print the certificate type of the peer. ie X.509 */
+ tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
+ LOG_D("\t - Certificate Type: %s", tmp);
+
+ /* print the compression algorithm (if any) */
+ tmp = gnutls_compression_get_name (gnutls_compression_get (session));
+ LOG_D("\t - Compression: %s", tmp);
+
+ /* print the name of the cipher used. ie 3DES. */
+ tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
+ LOG_D("\t - Cipher: %s", tmp);
+
+ /* Print the MAC algorithms name. ie SHA1 */
+ tmp = gnutls_mac_get_name (gnutls_mac_get (session));
+ LOG_D("\t - MAC: %s", tmp);
+ }
+ #endif /* DEBUG */
+
+ /* First, use built-in verification */
+ CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, >ret), return EINVAL );
+ if (gtret) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ if (gtret & GNUTLS_CERT_INVALID)
+ LOG_E(" - The certificate is not trusted (unknown CA? expired?)");
+ if (gtret & GNUTLS_CERT_REVOKED)
+ LOG_E(" - The certificate has been revoked.");
+ if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ LOG_E(" - The certificate hasn't got a known issuer.");
+ if (gtret & GNUTLS_CERT_SIGNER_NOT_CA)
+ LOG_E(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
+ if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM)
+ LOG_E(" - The certificate signature uses a weak algorithm.");
+ return EINVAL;
+ }
+
+ /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */
+ if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
+ LOG_E("TLS: Remote peer did not present a certificate, other mechanisms are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ return EINVAL;
+ }
+
+ GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) );
+ if (cert_list == NULL)
+ return EINVAL;
+
+ now = time(NULL);
+
+ #ifdef DEBUG
+ char serial[40];
+ char dn[128];
+ size_t size;
+ unsigned int algo, bits;
+ time_t expiration_time, activation_time;
+
+ LOG_D("TLS Certificate information for connection '%s' (%d certs provided):", conn->cc_id, cert_list_size);
+ for (i = 0; i < cert_list_size; i++)
+ {
+
+ CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
+ CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
+
+ LOG_A(" Certificate %d info:", i);
+
+ GNUTLS_TRACE( expiration_time = gnutls_x509_crt_get_expiration_time (cert) );
+ GNUTLS_TRACE( activation_time = gnutls_x509_crt_get_activation_time (cert) );
+
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate is valid since: %.24s", ctime (&activation_time));
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate expires: %.24s", ctime (&expiration_time));
+
+ /* Print the serial number of the certificate. */
+ size = sizeof (serial);
+ gnutls_x509_crt_get_serial (cert, serial, &size);
+
+ {
+ int j;
+ char buf[1024];
+ snprintf(buf, sizeof(buf), "\t - Certificate serial number: ");
+ for (j = 0; j < size; j++) {
+ snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%02hhx", serial[j]);
+ }
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "%s", buf);
+ }
+
+ /* Extract some of the public key algorithm's parameters */
+ GNUTLS_TRACE( algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits) );
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate public key: %s",
+ gnutls_pk_algorithm_get_name (algo));
+
+ /* Print the version of the X.509 certificate. */
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate version: #%d",
+ gnutls_x509_crt_get_version (cert));
+
+ size = sizeof (dn);
+ GNUTLS_TRACE( gnutls_x509_crt_get_dn (cert, dn, &size) );
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - DN: %s", dn);
+
+ size = sizeof (dn);
+ GNUTLS_TRACE( gnutls_x509_crt_get_issuer_dn (cert, dn, &size) );
+ LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Issuer's DN: %s", dn);
+
+ GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
+ }
+ #endif /* DEBUG */
+
+ /* Check validity of all the certificates */
+ for (i = 0; i < cert_list_size; i++)
+ {
+ time_t deadline;
+
+ CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
+ CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
+
+ GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) );
+ if ((deadline != (time_t)-1) && (deadline < now)) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ LOG_E(" - The certificate %d in the chain is expired", i);
+ ret = EINVAL;
+ }
+
+ GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) );
+ if ((deadline != (time_t)-1) && (deadline > now)) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ LOG_E(" - The certificate %d in the chain is not yet activated", i);
+ ret = EINVAL;
+ }
+
+ if ((i == 0) && (conn->cc_tls_para.cn)) {
+ if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
+ ret = EINVAL;
+ }
+ }
+
+ GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
+ }
+
+ return ret;
+}
+
+#else /* GNUTLS_VERSION_300 */
+
+/* Verify remote credentials DURING handshake (return gnutls status) */
+int fd_tls_verify_credentials_2(gnutls_session_t session)
+{
+ /* inspired from gnutls 3.x guidelines */
+ unsigned int status;
+ const gnutls_datum_t *cert_list = NULL;
+ unsigned int cert_list_size;
+ gnutls_x509_crt_t cert;
+ struct cnxctx * conn;
+ int hostname_verified = 0;
+
+ TRACE_ENTRY("%p", session);
+
+ /* get the associated connection */
+ conn = gnutls_session_get_ptr (session);
+
+ /* Trace the session information -- http://www.gnu.org/software/gnutls/manual/gnutls.html#Obtaining-session-information */
+#ifdef DEBUG
+ const char *tmp;
+ gnutls_credentials_type_t cred;
+ gnutls_kx_algorithm_t kx;
+ int dhe, ecdh;
+
+ dhe = ecdh = 0;
+
+ LOG_A("TLS Session information for connection '%s':", conn->cc_id);
+
+ /* print the key exchange's algorithm name
+ */
+ GNUTLS_TRACE( kx = gnutls_kx_get (session) );
+ GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
+ LOG_D("\t- Key Exchange: %s", tmp);
+
+ /* Check the authentication type used and switch
+ * to the appropriate.
+ */
+ GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
+ switch (cred)
+ {
+ case GNUTLS_CRD_IA:
+ LOG_D("\t - TLS/IA session");
+ break;
+
+
+ #ifdef ENABLE_SRP
+ case GNUTLS_CRD_SRP:
+ LOG_D("\t - SRP session with username %s",
+ gnutls_srp_server_get_username (session));
+ break;
+ #endif
+
+ case GNUTLS_CRD_PSK:
+ /* This returns NULL in server side.
+ */
+ if (gnutls_psk_client_get_hint (session) != NULL)
+ LOG_D("\t - PSK authentication. PSK hint '%s'",
+ gnutls_psk_client_get_hint (session));
+ /* This returns NULL in client side.
+ */
+ if (gnutls_psk_server_get_username (session) != NULL)
+ LOG_D("\t - PSK authentication. Connected as '%s'",
+ gnutls_psk_server_get_username (session));
+
+ if (kx == GNUTLS_KX_ECDHE_PSK)
+ ecdh = 1;
+ else if (kx == GNUTLS_KX_DHE_PSK)
+ dhe = 1;
+ break;
+
+ case GNUTLS_CRD_ANON: /* anonymous authentication */
+ LOG_D("\t - Anonymous DH using prime of %d bits",
+ gnutls_dh_get_prime_bits (session));
+ if (kx == GNUTLS_KX_ANON_ECDH)
+ ecdh = 1;
+ else if (kx == GNUTLS_KX_ANON_DH)
+ dhe = 1;
+ break;
+
+ case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */
+
+ /* Check if we have been using ephemeral Diffie-Hellman.
+ */
+ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
+ dhe = 1;
+ else if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA)
+ ecdh = 1;
+
+ /* Now print some info on the remote certificate */
+ if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) {
+ gnutls_datum_t cinfo;
+
+ cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
+
+ LOG_D("\t Peer provided %d certificates.", cert_list_size);
+
+ if (cert_list_size > 0)
+ {
+ int ret;
+
+ /* we only print information about the first certificate.
+ */
+ gnutls_x509_crt_init (&cert);
+
+ gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER);
+
+ LOG_A("\t Certificate info:");
+
+ /* This is the preferred way of printing short information about
+ a certificate. */
+
+ ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
+ if (ret == 0)
+ {
+ LOG_D("\t\t%s", cinfo.data);
+ gnutls_free (cinfo.data);
+ }
+
+ if (conn->cc_tls_para.cn) {
+ if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
+ LOG_E("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ LOG_E("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
+ gnutls_x509_crt_deinit (cert);
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ }
+
+ hostname_verified = 1;
+
+ gnutls_x509_crt_deinit (cert);
+
+ }
+ }
+ break;
+
+ default:
+ LOG_E("\t - unknown session type (%d)", cred);
+
+ } /* switch */
+
+ if (ecdh != 0)
+ LOG_D("\t - Ephemeral ECDH using curve %s",
+ gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session)));
+ else if (dhe != 0)
+ LOG_D("\t - Ephemeral DH using prime of %d bits",
+ gnutls_dh_get_prime_bits (session));
+
+ /* print the protocol's name (ie TLS 1.0)
+ */
+ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
+ LOG_D("\t - Protocol: %s", tmp);
+
+ /* print the certificate type of the peer.
+ * ie X.509
+ */
+ tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
+ LOG_D("\t - Certificate Type: %s", tmp);
+
+ /* print the compression algorithm (if any)
+ */
+ tmp = gnutls_compression_get_name (gnutls_compression_get (session));
+ LOG_D("\t - Compression: %s", tmp);
+
+ /* print the name of the cipher used.
+ * ie 3DES.
+ */
+ tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
+ LOG_D("\t - Cipher: %s", tmp);
+
+ /* Print the MAC algorithms name.
+ * ie SHA1
+ */
+ tmp = gnutls_mac_get_name (gnutls_mac_get (session));
+ LOG_D("\t - MAC: %s", tmp);
+
+#endif /* DEBUG */
+
+ /* This verification function uses the trusted CAs in the credentials
+ * structure. So you must have installed one or more CA certificates.
+ */
+ CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR );
+ if (status & GNUTLS_CERT_INVALID) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ LOG_E(" - The certificate hasn't got a known issuer.");
+
+ if (status & GNUTLS_CERT_REVOKED)
+ LOG_E(" - The certificate has been revoked.");
+
+ if (status & GNUTLS_CERT_EXPIRED)
+ LOG_E(" - The certificate has expired.");
+
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ LOG_E(" - The certificate is not yet activated.");
+ }
+ if (status & GNUTLS_CERT_INVALID)
+ {
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ /* Up to here the process is the same for X.509 certificates and
+ * OpenPGP keys. From now on X.509 certificates are assumed. This can
+ * be easily extended to work with openpgp keys as well.
+ */
+ if ((!hostname_verified) && (conn->cc_tls_para.cn)) {
+ if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
+ LOG_E("TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return GNUTLS_E_CERTIFICATE_ERROR );
+
+ cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
+ CHECK_PARAMS_DO( cert_list, return GNUTLS_E_CERTIFICATE_ERROR );
+
+ CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER), return GNUTLS_E_CERTIFICATE_ERROR );
+
+ if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
+ LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
+ LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
+ gnutls_x509_crt_deinit (cert);
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ gnutls_x509_crt_deinit (cert);
+ }
+
+ /* notify gnutls to continue handshake normally */
+ return 0;
+}
+
+#endif /* GNUTLS_VERSION_300 */
+
+static int fd_cnx_may_dtls(struct cnxctx * conn) {
+#ifndef DISABLE_SCTP
+ if ((conn->cc_proto == IPPROTO_SCTP) && (conn->cc_tls_para.algo == ALGO_HANDSHAKE_DEFAULT))
+ return 1;
+#endif /* DISABLE_SCTP */
+ return 0;
+}
+
+#ifndef DISABLE_SCTP
+static int fd_cnx_uses_dtls(struct cnxctx * conn) {
+ return fd_cnx_may_dtls(conn) && (fd_cnx_teststate(conn, CC_STATUS_TLS));
+}
+#endif /* DISABLE_SCTP */
+
+/* TLS handshake a connection; no need to have called start_clear before. Reception is active if handhsake is successful */
+int fd_cnx_handshake(struct cnxctx * conn, int mode, int algo, char * priority, void * alt_creds)
+{
+ int dtls = 0;
+
+ TRACE_ENTRY( "%p %d %d %p %p", conn, mode, algo, priority, alt_creds);
+ CHECK_PARAMS( conn && (!fd_cnx_teststate(conn, CC_STATUS_TLS)) && ( (mode == GNUTLS_CLIENT) || (mode == GNUTLS_SERVER) ) && (!conn->cc_loop) );
+
+ /* Save the mode */
+ conn->cc_tls_para.mode = mode;
+ conn->cc_tls_para.algo = algo;
+
+ /* Cancel receiving thread if any -- it should already be terminated anyway, we just release the resources */
+ CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */);
+
+ /* Once TLS handshake is done, we don't stop after the first message */
+ conn->cc_loop = 1;
+
+ dtls = fd_cnx_may_dtls(conn);
+
+ /* Prepare the master session credentials and priority */
+ CHECK_FCT( fd_tls_prepare(&conn->cc_tls_para.session, mode, dtls, priority, alt_creds) );
+
+ /* Special case: multi-stream TLS is not natively managed in GNU TLS, we use a wrapper library */
+ if ((!dtls) && (conn->cc_sctp_para.pairs > 1)) {
+#ifdef DISABLE_SCTP
+ ASSERT(0);
+ CHECK_FCT( ENOTSUP );
+#else /* DISABLE_SCTP */
+ /* Initialize the wrapper, start the demux thread */
+ CHECK_FCT( fd_sctp3436_init(conn) );
+#endif /* DISABLE_SCTP */
+ } else {
+ /* Set the transport pointer passed to push & pull callbacks */
+ GNUTLS_TRACE( gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn ) );
+
+ /* Set the push and pull callbacks */
+ if (!dtls) {
+ #ifdef GNUTLS_VERSION_300
+ GNUTLS_TRACE( gnutls_transport_set_pull_timeout_function( conn->cc_tls_para.session, (void *)fd_cnx_s_select ) );
+ #endif /* GNUTLS_VERSION_300 */
+ GNUTLS_TRACE( gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv) );
+ #ifndef GNUTLS_VERSION_212
+ GNUTLS_TRACE( gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send) );
+ #else /* GNUTLS_VERSION_212 */
+ GNUTLS_TRACE( gnutls_transport_set_vec_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_sendv) );
+ #endif /* GNUTLS_VERSION_212 */
+ } else {
+ TODO("DTLS push/pull functions");
+ return ENOTSUP;
+ }
+ }
+
+ /* additional initialization for gnutls 3.x */
+ #ifdef GNUTLS_VERSION_300
+ /* the verify function has already been set in the global initialization in config.c */
+
+ /* fd_tls_verify_credentials_2 uses the connection */
+ gnutls_session_set_ptr (conn->cc_tls_para.session, (void *) conn);
+
+ if ((conn->cc_tls_para.cn != NULL) && (mode == GNUTLS_CLIENT)) {
+ /* this might allow virtual hosting on the remote peer */
+ CHECK_GNUTLS_DO( gnutls_server_name_set (conn->cc_tls_para.session, GNUTLS_NAME_DNS, conn->cc_tls_para.cn, strlen(conn->cc_tls_para.cn)), /* ignore failure */);
+ }
+
+ #endif /* GNUTLS_VERSION_300 */
+
+ #ifdef GNUTLS_VERSION_310
+ GNUTLS_TRACE( gnutls_handshake_set_timeout( conn->cc_tls_para.session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT));
+ #endif /* GNUTLS_VERSION_310 */
+
+ /* Mark the connection as protected from here, so that the gnutls credentials will be freed */
+ fd_cnx_addstate(conn, CC_STATUS_TLS);
+
+ /* Handshake master session */
+ {
+ int ret;
+
+ CHECK_GNUTLS_DO( ret = gnutls_handshake(conn->cc_tls_para.session),
+ {
+ if (TRACE_BOOL(INFO)) {
+ fd_log_debug("TLS Handshake failed on socket %d (%s) : %s", conn->cc_socket, conn->cc_id, gnutls_strerror(ret));
+ }
+ fd_cnx_markerror(conn);
+ return EINVAL;
+ } );
+
+ #ifndef GNUTLS_VERSION_300
+ /* Now verify the remote credentials are valid -- only simple tests here */
+ CHECK_FCT_DO( fd_tls_verify_credentials(conn->cc_tls_para.session, conn, 1),
+ {
+ CHECK_GNUTLS_DO( gnutls_bye(conn->cc_tls_para.session, GNUTLS_SHUT_RDWR), );
+ fd_cnx_markerror(conn);
+ return EINVAL;
+ });
+ #endif /* GNUTLS_VERSION_300 */
+ }
+
+ /* Multi-stream TLS: handshake other streams as well */
+ if ((!dtls) && (conn->cc_sctp_para.pairs > 1)) {
+#ifndef DISABLE_SCTP
+ /* Start reading the messages from the master session. That way, if the remote peer closed, we are not stuck inside handshake */
+ CHECK_FCT(fd_sctp3436_startthreads(conn, 0));
+
+ /* Resume all additional sessions from the master one. */
+ CHECK_FCT(fd_sctp3436_handshake_others(conn, priority, alt_creds));
+
+ /* Start decrypting the messages from all threads and queuing them in target queue */
+ CHECK_FCT(fd_sctp3436_startthreads(conn, 1));
+#endif /* DISABLE_SCTP */
+ } else {
+ /* Start decrypting the data */
+ if (!dtls) {
+ CHECK_POSIX( pthread_create( &conn->cc_rcvthr, NULL, rcvthr_tls_single, conn ) );
+ } else {
+ TODO("Signal the dtls_push function that multiple streams can be used from this point.");
+ TODO("Create DTLS rcvthr (must reassembly based on seq numbers & stream id ?)");
+ return ENOTSUP;
+ }
+ }
+
+ return 0;
+}
+
+/* Retrieve TLS credentials of the remote peer, after handshake */
+int fd_cnx_getcred(struct cnxctx * conn, const gnutls_datum_t **cert_list, unsigned int *cert_list_size)
+{
+ TRACE_ENTRY("%p %p %p", conn, cert_list, cert_list_size);
+ CHECK_PARAMS( conn && fd_cnx_teststate(conn, CC_STATUS_TLS) && cert_list && cert_list_size );
+
+ /* This function only works for X.509 certificates. */
+ CHECK_PARAMS( gnutls_certificate_type_get (conn->cc_tls_para.session) == GNUTLS_CRT_X509 );
+
+ GNUTLS_TRACE( *cert_list = gnutls_certificate_get_peers (conn->cc_tls_para.session, cert_list_size) );
+ if (*cert_list == NULL) {
+ TRACE_DEBUG(INFO, "No certificate was provided by remote peer / an error occurred.");
+ return EINVAL;
+ }
+
+ TRACE_DEBUG( FULL, "Saved certificate chain (%d certificates) in peer structure.", *cert_list_size);
+
+ return 0;
+}
+
+/* Receive next message. if timeout is not NULL, wait only until timeout. This function only pulls from a queue, mgr thread is filling that queue aynchrounously. */
+/* if the altfifo has been set on this conn object, this function must not be called */
+int fd_cnx_receive(struct cnxctx * conn, struct timespec * timeout, unsigned char **buf, size_t * len)
+{
+ int ev;
+ size_t ev_sz;
+ void * ev_data;
+
+ TRACE_ENTRY("%p %p %p %p", conn, timeout, buf, len);
+ CHECK_PARAMS(conn && (conn->cc_socket > 0) && buf && len);
+ CHECK_PARAMS(conn->cc_rcvthr != (pthread_t)NULL);
+ CHECK_PARAMS(conn->cc_alt == NULL);
+
+ /* Now, pull the first event */
+get_next:
+ if (timeout) {
+ CHECK_FCT( fd_event_timedget(conn->cc_incoming, timeout, FDEVP_PSM_TIMEOUT, &ev, &ev_sz, &ev_data) );
+ } else {
+ CHECK_FCT( fd_event_get(conn->cc_incoming, &ev, &ev_sz, &ev_data) );
+ }
+
+ switch (ev) {
+ case FDEVP_CNX_MSG_RECV:
+ /* We got one */
+ *len = ev_sz;
+ *buf = ev_data;
+ return 0;
+
+ case FDEVP_PSM_TIMEOUT:
+ TRACE_DEBUG(FULL, "Timeout event received");
+ return ETIMEDOUT;
+
+ case FDEVP_CNX_EP_CHANGE:
+ /* We ignore this event */
+ goto get_next;
+
+ case FDEVP_CNX_ERROR:
+ TRACE_DEBUG(FULL, "Received ERROR event on the connection");
+ return ENOTCONN;
+ }
+
+ TRACE_DEBUG(INFO, "Received unexpected event %d (%s)", ev, fd_pev_str(ev));
+ return EINVAL;
+}
+
+/* Where the events are sent */
+struct fifo * fd_cnx_target_queue(struct cnxctx * conn)
+{
+ struct fifo *q;
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ q = conn->cc_alt ?: conn->cc_incoming;
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+ return q;
+}
+
+/* Set an alternate FIFO list to send FDEVP_CNX_* events to */
+int fd_cnx_recv_setaltfifo(struct cnxctx * conn, struct fifo * alt_fifo)
+{
+ int ret;
+ TRACE_ENTRY( "%p %p", conn, alt_fifo );
+ CHECK_PARAMS( conn && alt_fifo && conn->cc_incoming );
+
+ /* The magic function does it all */
+ CHECK_POSIX_DO( pthread_mutex_lock(&state_lock), { ASSERT(0); } );
+ CHECK_FCT_DO( ret = fd_fifo_move( conn->cc_incoming, alt_fifo, &conn->cc_alt ), );
+ CHECK_POSIX_DO( pthread_mutex_unlock(&state_lock), { ASSERT(0); } );
+
+ return ret;
+}
+
+/* Send function when no multi-stream is involved, or sending on stream #0 (send() always use stream 0)*/
+static int send_simple(struct cnxctx * conn, unsigned char * buf, size_t len)
+{
+ ssize_t ret;
+ size_t sent = 0;
+ TRACE_ENTRY("%p %p %zd", conn, buf, len);
+ do {
+ if (fd_cnx_teststate(conn, CC_STATUS_TLS)) {
+ CHECK_GNUTLS_DO( ret = fd_tls_send_handle_error(conn, conn->cc_tls_para.session, buf + sent, len - sent), );
+ } else {
+ struct iovec iov;
+ iov.iov_base = buf + sent;
+ iov.iov_len = len - sent;
+ CHECK_SYS_DO( ret = fd_cnx_s_sendv(conn, &iov, 1), );
+ }
+ if (ret <= 0)
+ return ENOTCONN;
+
+ sent += ret;
+ } while ( sent < len );
+ return 0;
+}
+
+/* Send a message -- this is synchronous -- and we assume it's never called by several threads at the same time (on the same conn), so we don't protect. */
+int fd_cnx_send(struct cnxctx * conn, unsigned char * buf, size_t len)
+{
+ TRACE_ENTRY("%p %p %zd", conn, buf, len);
+
+ CHECK_PARAMS(conn && (conn->cc_socket > 0) && (! fd_cnx_teststate(conn, CC_STATUS_ERROR)) && buf && len);
+
+ TRACE_DEBUG(FULL, "Sending %zdb %sdata on connection %s", len, fd_cnx_teststate(conn, CC_STATUS_TLS) ? "TLS-protected ":"", conn->cc_id);
+
+ switch (conn->cc_proto) {
+ case IPPROTO_TCP:
+ CHECK_FCT( send_simple(conn, buf, len) );
+ break;
+
+#ifndef DISABLE_SCTP
+ case IPPROTO_SCTP: {
+ int dtls = fd_cnx_uses_dtls(conn);
+ if (!dtls) {
+ int stream = 0;
+ if (conn->cc_sctp_para.unordered) {
+ int limit;
+ if (fd_cnx_teststate(conn, CC_STATUS_TLS))
+ limit = conn->cc_sctp_para.pairs;
+ else
+ limit = conn->cc_sctp_para.str_out;
+
+ if (limit > 1) {
+ conn->cc_sctp_para.next += 1;
+ conn->cc_sctp_para.next %= limit;
+ stream = conn->cc_sctp_para.next;
+ }
+ }
+
+ if (stream == 0) {
+ /* We can use default function, it sends over stream #0 */
+ CHECK_FCT( send_simple(conn, buf, len) );
+ } else {
+ if (!fd_cnx_teststate(conn, CC_STATUS_TLS)) {
+ struct iovec iov;
+ iov.iov_base = buf;
+ iov.iov_len = len;
+
+ CHECK_SYS_DO( fd_sctp_sendstrv(conn, stream, &iov, 1), { fd_cnx_markerror(conn); return ENOTCONN; } );
+ } else {
+ /* push the data to the appropriate session */
+ ssize_t ret;
+ size_t sent = 0;
+ ASSERT(conn->cc_sctp3436_data.array != NULL);
+ do {
+ CHECK_GNUTLS_DO( ret = fd_tls_send_handle_error(conn, conn->cc_sctp3436_data.array[stream].session, buf + sent, len - sent), );
+ if (ret <= 0)
+ return ENOTCONN;
+
+ sent += ret;
+ } while ( sent < len );
+ }
+ }
+ } else {
+ /* DTLS */
+ /* Multistream is handled at lower layer in the push/pull function */
+ CHECK_FCT( send_simple(conn, buf, len) );
+ }
+ }
+ break;
+#endif /* DISABLE_SCTP */
+
+ default:
+ TRACE_DEBUG(INFO, "Unknown protocol: %d", conn->cc_proto);
+ ASSERT(0);
+ return ENOTSUP; /* or EINVAL... */
+ }
+
+ return 0;
+}
+
+
+/**************************************/
+/* Destruction of connection */
+/**************************************/
+
+/* Destroy a conn structure, and shutdown the socket */
+void fd_cnx_destroy(struct cnxctx * conn)
+{
+ TRACE_ENTRY("%p", conn);
+
+ CHECK_PARAMS_DO(conn, return);
+
+ fd_cnx_addstate(conn, CC_STATUS_CLOSING);
+
+ /* Initiate shutdown of the TLS session(s): call gnutls_bye(WR), then read until error */
+ if (fd_cnx_teststate(conn, CC_STATUS_TLS)) {
+#ifndef DISABLE_SCTP
+ int dtls = fd_cnx_uses_dtls(conn);
+ if ((!dtls) && (conn->cc_sctp_para.pairs > 1)) {
+ if (! fd_cnx_teststate(conn, CC_STATUS_ERROR )) {
+ /* Bye on master session */
+ CHECK_GNUTLS_DO( gnutls_bye(conn->cc_tls_para.session, GNUTLS_SHUT_WR), fd_cnx_markerror(conn) );
+ }
+
+ if (! fd_cnx_teststate(conn, CC_STATUS_ERROR ) ) {
+ /* and other stream pairs */
+ fd_sctp3436_bye(conn);
+ }
+
+ if (! fd_cnx_teststate(conn, CC_STATUS_ERROR ) ) {
+ /* Now wait for all decipher threads to terminate */
+ fd_sctp3436_waitthreadsterm(conn);
+ } else {
+ /* Abord the threads, the connection is dead already */
+ fd_sctp3436_stopthreads(conn);
+ }
+
+ /* Deinit gnutls resources */
+ fd_sctp3436_gnutls_deinit_others(conn);
+ if (conn->cc_tls_para.session) {
+ GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
+ conn->cc_tls_para.session = NULL;
+ }
+
+ /* Destroy the wrapper (also stops the demux thread) */
+ fd_sctp3436_destroy(conn);
+
+ } else {
+#endif /* DISABLE_SCTP */
+ /* We are TLS, but not using the sctp3436 wrapper layer */
+ if (! fd_cnx_teststate(conn, CC_STATUS_ERROR ) ) {
+ /* Master session */
+ CHECK_GNUTLS_DO( gnutls_bye(conn->cc_tls_para.session, GNUTLS_SHUT_WR), fd_cnx_markerror(conn) );
+ }
+
+ if (! fd_cnx_teststate(conn, CC_STATUS_ERROR ) ) {
+ /* In this case, just wait for thread rcvthr_tls_single to terminate */
+ if (conn->cc_rcvthr != (pthread_t)NULL) {
+ CHECK_POSIX_DO( pthread_join(conn->cc_rcvthr, NULL), /* continue */ );
+ conn->cc_rcvthr = (pthread_t)NULL;
+ }
+ } else {
+ /* Cancel the receiver thread in case it did not already terminate */
+ CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */ );
+ }
+
+ /* Free the resources of the TLS session */
+ if (conn->cc_tls_para.session) {
+ GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
+ conn->cc_tls_para.session = NULL;
+ }
+#ifndef DISABLE_SCTP
+ }
+#endif /* DISABLE_SCTP */
+ }
+
+ /* Terminate the thread in case it is not done yet -- is there any such case left ?*/
+ CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */ );
+
+ /* Shut the connection down */
+ if (conn->cc_socket > 0) {
+ shutdown(conn->cc_socket, SHUT_RDWR);
+ close(conn->cc_socket);
+ conn->cc_socket = -1;
+ }
+
+ /* Empty and destroy FIFO list */
+ if (conn->cc_incoming) {
+ fd_event_destroy( &conn->cc_incoming, free );
+ }
+
+ /* Free the object */
+ free(conn);
+
+ /* Done! */
+ return;
+}