Mercurial > hg > freeDiameter
view libfdcore/server.c @ 1187:436e4342ecd0
Rollback to using TLS/SCTP in release 1.2.0. DTLS dev to happen in freeDiameter-dtls branch
| author | Sebastien Decugis <sdecugis@freediameter.net> |
|---|---|
| date | Mon, 10 Jun 2013 12:04:50 +0800 |
| parents | 22de21feec64 |
| children | 50bf33dc8fe0 |
line wrap: on
line source
/********************************************************************************************************* * Software License Agreement (BSD License) * * Author: Sebastien Decugis <sdecugis@freediameter.net> * * * * Copyright (c) 2013, WIDE Project and NICT * * All rights reserved. * * * * Redistribution and use of this software in source and binary forms, with or without modification, are * * permitted provided that the following conditions are met: * * * * * Redistributions of source code must retain the above * * copyright notice, this list of conditions and the * * following disclaimer. * * * * * Redistributions in binary form must reproduce the above * * copyright notice, this list of conditions and the * * following disclaimer in the documentation and/or other * * materials provided with the distribution. * * * * * Neither the name of the WIDE Project or NICT nor the * * names of its contributors may be used to endorse or * * promote products derived from this software without * * specific prior written permission of WIDE Project and * * NICT. * * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * *********************************************************************************************************/ #include "fdcore-internal.h" /* Server (listening) part of the framework */ static struct fd_list FD_SERVERS = FD_LIST_INITIALIZER(FD_SERVERS); /* The list of all server objects */ /* We don't need to protect this list, it is only accessed from the main framework thread. */ enum s_state { NOT_CREATED=0, RUNNING, TERMINATED, ERROR /* an error occurred, this is not a valid status */ }; /* Servers information */ struct server { struct fd_list chain; /* link in the FD_SERVERS list */ struct cnxctx * conn; /* server connection context (listening socket) */ int proto; /* IPPROTO_TCP or IPPROTO_SCTP */ int secur; /* TLS is started immediatly after connection ? 0: no; 2: yes (TLS/TCP or TLS/SCTP) */ pthread_t thr; /* The thread listening for new connections */ enum s_state state; /* state of the thread */ struct fd_list clients; /* List of clients connected to this server, not yet identified */ pthread_mutex_t clients_mtx; /* Mutex to protect the list of clients */ }; /* Client information (connecting peer for which we don't have the CER yet) */ struct client { struct fd_list chain; /* link in the server's list of clients */ struct cnxctx *conn; /* Parameters of the connection */ struct timespec ts; /* Deadline for receiving CER (after INCNX_TIMEOUT) */ pthread_t thr; /* connection state machine */ }; /* Micro functions to read/change the status thread-safely */ static pthread_mutex_t s_lock = PTHREAD_MUTEX_INITIALIZER; static enum s_state get_status(struct server * s) { enum s_state r; CHECK_POSIX_DO( pthread_mutex_lock(&s_lock), return ERROR ); r = s->state; CHECK_POSIX_DO( pthread_mutex_unlock(&s_lock), return ERROR ); return r; } static void set_status(struct server * s, enum s_state st) { CHECK_POSIX_DO( pthread_mutex_lock(&s_lock), return ); s->state = st; CHECK_POSIX_DO( pthread_mutex_unlock(&s_lock), return ); } /* Dump all servers information */ DECLARE_FD_DUMP_PROTOTYPE(fd_servers_dump, int details) { struct fd_list * li, *cli; FD_DUMP_HANDLE_OFFSET(); for (li = FD_SERVERS.next; li != &FD_SERVERS; li = li->next) { struct server * s = (struct server *)li; enum s_state st = get_status(s); if (details) { CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "{server}(@%p)'%s': %s, %s(%d), %s", s, fd_cnx_getid(s->conn), IPPROTO_NAME( s->proto ), s->secur ? "Secur" : "NotSecur", s->secur, (st == NOT_CREATED) ? "Thread not created" : ((st == RUNNING) ? "Thread running" : ((st == TERMINATED) ? "Thread terminated" : "Thread status unknown"))), return NULL); /* Dump the client list of this server */ CHECK_POSIX_DO( pthread_mutex_lock(&s->clients_mtx), ); for (cli = s->clients.next; cli != &s->clients; cli = cli->next) { struct client * c = (struct client *)cli; char bufts[128]; CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n {client}(@%p)'%s': to:%s", c, fd_cnx_getid(c->conn), fd_log_time(&c->ts, bufts, sizeof(bufts))), break); } CHECK_POSIX_DO( pthread_mutex_unlock(&s->clients_mtx), ); if (li->next != &FD_SERVERS) { CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n"), return NULL); } } else { CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "'%s'(%s,%s) ", fd_cnx_getid(s->conn), IPPROTO_NAME( s->proto ), s->secur ? "Secur" : "NotSecur"), return NULL); } } return *buf; } /* The state machine to handle incoming connection before the remote peer is identified */ static void * client_sm(void * arg) { struct client * c = arg; struct server * s = NULL; struct fd_cnx_rcvdata rcv_data; struct fd_msg_pmdl * pmdl = NULL; struct msg * msg = NULL; struct msg_hdr *hdr = NULL; struct fd_pei pei; TRACE_ENTRY("%p", c); memset(&rcv_data, 0, sizeof(rcv_data)); CHECK_PARAMS_DO(c && c->conn && c->chain.head, goto fatal_error ); s = c->chain.head->o; /* Name the current thread */ fd_log_threadname ( fd_cnx_getid(c->conn) ); /* Handshake if we are a secure server port, or start clear otherwise */ if (s->secur) { int ret = fd_cnx_handshake(c->conn, GNUTLS_SERVER, (s->secur == 1) ? ALGO_HANDSHAKE_DEFAULT : ALGO_HANDSHAKE_3436, NULL, NULL); if (ret != 0) { char buf[1024]; snprintf(buf, sizeof(buf), "TLS handshake failed for client '%s', connection aborted.", fd_cnx_getid(c->conn)); fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, NULL, buf, NULL); goto cleanup; } } else { CHECK_FCT_DO( fd_cnx_start_clear(c->conn, 0), goto cleanup ); } /* Set the timeout to receive the first message */ CHECK_SYS_DO( clock_gettime(CLOCK_REALTIME, &c->ts), goto fatal_error ); c->ts.tv_sec += INCNX_TIMEOUT; /* Receive the first Diameter message on the connection -- cleanup in case of timeout */ CHECK_FCT_DO( fd_cnx_receive(c->conn, &c->ts, &rcv_data.buffer, &rcv_data.length), { char buf[1024]; switch (__ret__) { case ETIMEDOUT: snprintf(buf, sizeof(buf), "Client '%s' did not send CER within %ds, connection aborted.", fd_cnx_getid(c->conn), INCNX_TIMEOUT); fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, NULL, buf, NULL); break; case ENOTCONN: snprintf(buf, sizeof(buf), "Connection from '%s' in error before CER was received.", fd_cnx_getid(c->conn)); fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, NULL, buf, NULL); break; default: snprintf(buf, sizeof(buf), "Connection from '%s': unspecified error, connection aborted.", fd_cnx_getid(c->conn)); fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, NULL, buf, NULL); } goto cleanup; } ); TRACE_DEBUG(FULL, "Received %zdb from new client '%s'", rcv_data.length, fd_cnx_getid(c->conn)); pmdl = fd_msg_pmdl_get_inbuf(rcv_data.buffer, rcv_data.length); /* Try parsing this message */ CHECK_FCT_DO( fd_msg_parse_buffer( &rcv_data.buffer, rcv_data.length, &msg ), { /* Parsing failed */ fd_hook_call(HOOK_MESSAGE_PARSING_ERROR, NULL, NULL, &rcv_data, pmdl ); goto cleanup; } ); /* Log incoming message */ fd_hook_associate(msg, pmdl); fd_hook_call(HOOK_MESSAGE_RECEIVED, msg, NULL, fd_cnx_getid(c->conn), fd_msg_pmdl_get(msg)); /* We expect a CER, it must parse with our dictionary and rules */ CHECK_FCT_DO( fd_msg_parse_rules( msg, fd_g_config->cnf_dict, &pei ), { /* Parsing failed -- trace details */ char buf[1024]; fd_hook_call(HOOK_MESSAGE_PARSING_ERROR, msg, NULL, pei.pei_message ?: pei.pei_errcode, fd_msg_pmdl_get(msg)); snprintf(buf, sizeof(buf), "Error parsing CER from '%s', connection aborted.", fd_cnx_getid(c->conn)); fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, NULL, buf, NULL); goto cleanup; } ); /* Now check we received a CER */ CHECK_FCT_DO( fd_msg_hdr ( msg, &hdr ), goto fatal_error ); CHECK_PARAMS_DO( (hdr->msg_appl == 0) && (hdr->msg_flags & CMD_FLAG_REQUEST) && (hdr->msg_code == CC_CAPABILITIES_EXCHANGE), { /* Parsing failed -- trace details */ char buf[1024]; snprintf(buf, sizeof(buf), "Expected CER from '%s', received a different message, connection aborted.", fd_cnx_getid(c->conn)); fd_hook_call(HOOK_PEER_CONNECT_FAILED, msg, NULL, buf, NULL); goto cleanup; } ); /* Finally, pass the information to the peers module which will handle it next */ pthread_cleanup_push((void *)fd_cnx_destroy, c->conn); pthread_cleanup_push((void *)fd_msg_free, msg); CHECK_FCT_DO( fd_peer_handle_newCER( &msg, &c->conn ), ); pthread_cleanup_pop(0); pthread_cleanup_pop(0); /* The end, we cleanup the client structure */ cleanup: /* Unlink the client structure */ CHECK_POSIX_DO( pthread_mutex_lock(&s->clients_mtx), goto fatal_error ); fd_list_unlink( &c->chain ); CHECK_POSIX_DO( pthread_mutex_unlock(&s->clients_mtx), goto fatal_error ); /* Cleanup the parsed message if any */ if (msg) { CHECK_FCT_DO( fd_msg_free(msg), /* continue */); } /* Destroy the connection object if present */ if (c->conn) fd_cnx_destroy(c->conn); /* Cleanup the received buffer if any */ free(rcv_data.buffer); /* Detach the thread, cleanup the client structure */ pthread_detach(pthread_self()); free(c); return NULL; fatal_error: /* This has effect to terminate the daemon */ CHECK_FCT_DO(fd_event_send(fd_g_config->cnf_main_ev, FDEV_TERMINATE, 0, NULL), ); return NULL; } /* The thread managing a server */ static void * serv_th(void * arg) { struct server *s = (struct server *)arg; CHECK_PARAMS_DO(s, goto error); fd_log_threadname ( fd_cnx_getid(s->conn) ); set_status(s, RUNNING); /* Accept incoming connections */ CHECK_FCT_DO( fd_cnx_serv_listen(s->conn), goto error ); do { struct client * c = NULL; struct cnxctx * conn = NULL; /* Wait for a new client or cancel */ CHECK_MALLOC_DO( conn = fd_cnx_serv_accept(s->conn), goto error ); /* Create a client structure */ CHECK_MALLOC_DO( c = malloc(sizeof(struct client)), goto error ); memset(c, 0, sizeof(struct client)); fd_list_init(&c->chain, c); c->conn = conn; /* Save the client in the list */ CHECK_POSIX_DO( pthread_mutex_lock( &s->clients_mtx ), goto error ); fd_list_insert_before(&s->clients, &c->chain); CHECK_POSIX_DO( pthread_mutex_unlock( &s->clients_mtx ), goto error ); /* Start the client thread */ CHECK_POSIX_DO( pthread_create( &c->thr, NULL, client_sm, c ), goto error ); } while (1); error: if (s) set_status(s, TERMINATED); /* Send error signal to the core */ LOG_F( "An error occurred in server module! Thread is terminating..."); CHECK_FCT_DO(fd_event_send(fd_g_config->cnf_main_ev, FDEV_TERMINATE, 0, NULL), ); return NULL; } /* Create a new server structure */ static struct server * new_serv( int proto, int secur ) { struct server * new; /* New server structure */ CHECK_MALLOC_DO( new = malloc(sizeof(struct server)), return NULL ); memset(new, 0, sizeof(struct server)); fd_list_init(&new->chain, new); new->proto = proto; new->secur = secur; CHECK_POSIX_DO( pthread_mutex_init(&new->clients_mtx, NULL), return NULL ); fd_list_init(&new->clients, new); return new; } /* Start all the servers */ int fd_servers_start() { struct server * s; int empty_conf_ep = FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints); /* SCTP */ if (!fd_g_config->cnf_flags.no_sctp) { #ifdef DISABLE_SCTP ASSERT(0); #else /* DISABLE_SCTP */ /* Create the server on unsecure port */ if (fd_g_config->cnf_port) { CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 0) ); CHECK_MALLOC( s->conn = fd_cnx_serv_sctp(fd_g_config->cnf_port, empty_conf_ep ? NULL : &fd_g_config->cnf_endpoints) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } /* Create the server on secure port */ if (fd_g_config->cnf_port_tls) { CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 2 /* Change when DTLS is introduced */) ); CHECK_MALLOC( s->conn = fd_cnx_serv_sctp(fd_g_config->cnf_port_tls, empty_conf_ep ? NULL : &fd_g_config->cnf_endpoints) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } /* Create the other server on 3436 secure port */ /*if (fd_g_config->cnf_port_3436) { CHECK_MALLOC( s = new_serv(IPPROTO_SCTP, 2) ); CHECK_MALLOC( s->conn = fd_cnx_serv_sctp(fd_g_config->cnf_port_3436, empty_conf_ep ? NULL : &fd_g_config->cnf_endpoints) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); }*/ #endif /* DISABLE_SCTP */ } /* TCP */ if (!fd_g_config->cnf_flags.no_tcp) { if (empty_conf_ep) { /* Bind TCP servers on [0.0.0.0] */ if (!fd_g_config->cnf_flags.no_ip4) { if (fd_g_config->cnf_port) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 0) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port, AF_INET, NULL) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } if (fd_g_config->cnf_port_tls) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 1) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port_tls, AF_INET, NULL) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } } /* Bind TCP servers on [::] */ if (!fd_g_config->cnf_flags.no_ip6) { if (fd_g_config->cnf_port) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 0) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port, AF_INET6, NULL) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } if (fd_g_config->cnf_port_tls) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 1) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port_tls, AF_INET6, NULL) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } } } else { /* Create all endpoints -- check flags */ struct fd_list * li; for (li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) { struct fd_endpoint * ep = (struct fd_endpoint *)li; sSA * sa = (sSA *) &ep->ss; if (! (ep->flags & EP_FL_CONF)) continue; if (fd_g_config->cnf_flags.no_ip4 && (sa->sa_family == AF_INET)) continue; if (fd_g_config->cnf_flags.no_ip6 && (sa->sa_family == AF_INET6)) continue; if (fd_g_config->cnf_port) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 0) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port, sa->sa_family, ep) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } if (fd_g_config->cnf_port_tls) { CHECK_MALLOC( s = new_serv(IPPROTO_TCP, 1) ); CHECK_MALLOC( s->conn = fd_cnx_serv_tcp(fd_g_config->cnf_port_tls, sa->sa_family, ep) ); fd_list_insert_before( &FD_SERVERS, &s->chain ); CHECK_POSIX( pthread_create( &s->thr, NULL, serv_th, s ) ); } } } } /* Now, if we had an empty list of local adresses (no address configured), try to read the real addresses from the kernel */ if (empty_conf_ep) { CHECK_FCT(fd_cnx_get_local_eps(&fd_g_config->cnf_endpoints)); if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) { TRACE_DEBUG(INFO, "Unable to find the address(es) of the local system. " "Please use \"ListenOn\" parameter in the configuration. " "This information is required to generate the CER/CEA messages."); return EINVAL; } } { char * buf = NULL; size_t len = 0, offset = 0; CHECK_MALLOC_DO( fd_dump_extend( &buf, &len, &offset , "Local server address(es): "), ); CHECK_MALLOC_DO( fd_ep_dump( &buf, &len, &offset, 0, 0, &fd_g_config->cnf_endpoints ), ); LOG_N("%s", buf ?: "Error dumping addresses"); free(buf); } return 0; } /* Terminate all the servers */ int fd_servers_stop() { TRACE_ENTRY(""); TRACE_DEBUG(INFO, "Shutting down server sockets..."); /* Loop on all servers */ while (!FD_IS_LIST_EMPTY(&FD_SERVERS)) { struct server * s = (struct server *)(FD_SERVERS.next); /* Lock client list now */ CHECK_FCT_DO( pthread_mutex_lock(&s->clients_mtx), /* continue anyway */); /* cancel thread */ CHECK_FCT_DO( fd_thr_term(&s->thr), /* continue */); /* destroy server connection context */ fd_cnx_destroy(s->conn); /* cancel and destroy all clients */ while (!FD_IS_LIST_EMPTY(&s->clients)) { struct client * c = (struct client *)(s->clients.next); /* Destroy client's thread */ CHECK_FCT_DO( fd_thr_term(&c->thr), /* continue */); /* Destroy client's connection */ fd_cnx_destroy(c->conn); /* Unlink and free the client */ fd_list_unlink(&c->chain); free(c); } /* Unlock & destroy */ CHECK_FCT_DO( pthread_mutex_unlock(&s->clients_mtx), /* continue anyway */); CHECK_FCT_DO( pthread_mutex_destroy(&s->clients_mtx), /* continue */); /* Now destroy the server object */ fd_list_unlink(&s->chain); free(s); } /* We're done! */ return 0; }