/*
 * nghttp2 - HTTP/2 C Library
 *
 * Copyright (c) 2012 Tatsuhiro Tsujikawa
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
#include "shrpx_connection_handler.h"
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif // HAVE_UNISTD_H
#include <sys/types.h>
#include <sys/wait.h>
#include <cerrno>
#include <thread>
#include <random>
#include "shrpx_client_handler.h"
#include "shrpx_tls.h"
#include "shrpx_worker.h"
#include "shrpx_config.h"
#include "shrpx_http2_session.h"
#include "shrpx_connect_blocker.h"
#include "shrpx_downstream_connection.h"
#include "shrpx_accept_handler.h"
#include "shrpx_memcached_dispatcher.h"
#include "shrpx_signal.h"
#include "shrpx_log.h"
#include "xsi_strerror.h"
#include "util.h"
#include "template.h"
using namespace nghttp2;
namespace shrpx {
namespace {
// libev timer callback fired when the acceptor sleep period started by
// ConnectionHandler::sleep_acceptor() expires.  |w->data| carries the owning
// ConnectionHandler.  Acceptors stay disabled once graceful shutdown has
// begun so that no new connections are admitted while draining.
void acceptor_disable_cb(struct ev_loop *loop, ev_timer *w, int revent) {
  auto *handler = static_cast<ConnectionHandler *>(w->data);

  if (!handler->get_graceful_shutdown()) {
    handler->enable_acceptor();
  }
}
} // namespace
namespace {
// libev timer callback that starts the next OCSP refresh round.  Nothing is
// done during graceful shutdown: the handler is going away, so spawning a
// query process would be wasted work.
void ocsp_cb(struct ev_loop *loop, ev_timer *w, int revent) {
  auto *handler = static_cast<ConnectionHandler *>(w->data);

  if (!handler->get_graceful_shutdown()) {
    LOG(NOTICE) << "Start ocsp update";
    handler->proceed_next_cert_ocsp();
  }
}
} // namespace
namespace {
// libev read callback on the pipe from the OCSP query child process; drains
// whatever is currently readable into the handler's response buffer.
void ocsp_read_cb(struct ev_loop *loop, ev_io *w, int revent) {
  static_cast<ConnectionHandler *>(w->data)->read_ocsp_chunk();
}
} // namespace
namespace {
// libev child callback invoked when the OCSP query process exits; hands the
// exit status (carried in the watcher) to the handler for evaluation.
void ocsp_chld_cb(struct ev_loop *loop, ev_child *w, int revent) {
  static_cast<ConnectionHandler *>(w->data)->handle_ocsp_complete();
}
} // namespace
namespace {
// libev async callback signalled once all worker threads have been joined
// (see ConnectionHandler::graceful_shutdown_worker); it only breaks the
// main loop so the process can finish shutting down.
void thread_join_async_cb(struct ev_loop *loop, ev_async *w, int revent) {
  (void)w;
  (void)revent;

  ev_break(loop);
}
} // namespace
namespace {
// libev async callback on the main loop; forwards to
// ConnectionHandler::handle_serial_event(), which processes events queued
// for serialised handling on this loop.
void serial_event_async_cb(struct ev_loop *loop, ev_async *w, int revent) {
  static_cast<ConnectionHandler *>(w->data)->handle_serial_event();
}
} // namespace
// Builds the process-wide connection handler.  |loop| is the main libev loop
// that owns every watcher initialised here; |gen| is the random generator the
// handler keeps a reference to, so it must outlive this object.
//
// Only libev watchers are initialised here, and only the serial-event async
// watcher is started.  Workers are created later by create_single_worker()
// or create_worker_thread().
ConnectionHandler::ConnectionHandler(struct ev_loop *loop, std::mt19937 &gen)
    :
#ifdef ENABLE_HTTP3
      quic_ipc_fd_(-1),
#endif // ENABLE_HTTP3
      gen_(gen),
      single_worker_(nullptr),
      loop_(loop),
#ifdef HAVE_NEVERBLEED
      nb_(nullptr),
#endif // HAVE_NEVERBLEED
      tls_ticket_key_memcached_get_retry_count_(0),
      tls_ticket_key_memcached_fail_count_(0),
      // Worker #0 is reserved for API requests when the API is enabled, so
      // round-robin dispatch of ordinary connections starts at #1 (see
      // handle_connection).
      worker_round_robin_cnt_(get_config()->api.enabled ? 1 : 0),
      graceful_shutdown_(false),
      enable_acceptor_on_ocsp_completion_(false) {
  // Timer that re-enables the acceptors after sleep_acceptor(); the real
  // delay is set when the timer is started, hence the zero timeouts here.
  ev_timer_init(&disable_acceptor_timer_, acceptor_disable_cb, 0., 0.);
  disable_acceptor_timer_.data = this;

  ev_timer_init(&ocsp_timer_, ocsp_cb, 0., 0.);
  ocsp_timer_.data = this;

  // Read side of the OCSP query pipe; fd stays -1 until start_ocsp_update()
  // spawns a query process and re-points the watcher.
  ev_io_init(&ocsp_.rev, ocsp_read_cb, -1, EV_READ);
  ocsp_.rev.data = this;

  // Started only in graceful_shutdown_worker(), when the joiner thread
  // needs to wake this loop.
  ev_async_init(&thread_join_asyncev_, thread_join_async_cb);

  ev_async_init(&serial_event_asyncev_, serial_event_async_cb);
  serial_event_asyncev_.data = this;

  // Started immediately; presumably signalled from worker threads to run
  // handle_serial_event() on this loop — see that function.
  ev_async_start(loop_, &serial_event_asyncev_);

  ev_child_init(&ocsp_.chldev, ocsp_chld_cb, 0, 0);
  ocsp_.chldev.data = this;

  // Index into all_ssl_ctx_ of the certificate whose OCSP response is
  // fetched next.
  ocsp_.next = 0;
  ocsp_.proc.rfd = -1;

  reset_ocsp();
}
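// Tears the handler down in dependency order: stop every watcher registered
// on the main loop, release the TLS contexts this object owns, then destroy
// the workers and finally their event loops.
//
// Both context vectors may hold nullptr entries: quic_all_ssl_ctx_ gets an
// explicit nullptr for every context that has no QUIC counterpart (see
// create_single_worker / create_worker_thread), and all_ssl_ctx_ is guarded
// the same way so a null context never reaches SSL_CTX_get_app_data.
ConnectionHandler::~ConnectionHandler() {
  ev_child_stop(loop_, &ocsp_.chldev);
  ev_async_stop(loop_, &serial_event_asyncev_);
  ev_async_stop(loop_, &thread_join_asyncev_);
  ev_io_stop(loop_, &ocsp_.rev);
  ev_timer_stop(loop_, &ocsp_timer_);
  ev_timer_stop(loop_, &disable_acceptor_timer_);

  // The TLSContextData attached to each SSL_CTX as app data is owned here
  // and must be deleted before the context itself is freed.
  auto free_ssl_ctx = [](SSL_CTX *ssl_ctx) {
    if (ssl_ctx == nullptr) {
      return;
    }

    auto tls_ctx_data =
        static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
    delete tls_ctx_data;
    SSL_CTX_free(ssl_ctx);
  };

#ifdef ENABLE_HTTP3
  for (auto ssl_ctx : quic_all_ssl_ctx_) {
    free_ssl_ctx(ssl_ctx);
  }
#endif // ENABLE_HTTP3

  for (auto ssl_ctx : all_ssl_ctx_) {
    free_ssl_ctx(ssl_ctx);
  }

  // Free workers before destroying ev_loop
  workers_.clear();

  for (auto loop : worker_loops_) {
    ev_loop_destroy(loop);
  }
}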
// Pushes a new TLS session-ticket key set to every worker thread.  The
// single-worker case is covered by set_ticket_keys() instead.
void ConnectionHandler::set_ticket_keys_to_worker(
    const std::shared_ptr<TicketKeys> &ticket_keys) {
  std::for_each(std::begin(workers_), std::end(workers_),
                [&ticket_keys](auto &worker) {
                  worker->set_ticket_keys(ticket_keys);
                });
}
// Asks every worker thread to reopen its log files (log rotation).  Each
// worker receives its own REOPEN_LOG event through its queue.
void ConnectionHandler::worker_reopen_log_files() {
  auto make_event = []() {
    WorkerEvent wev{};
    wev.type = WorkerEventType::REOPEN_LOG;
    return wev;
  };

  for (auto &worker : workers_) {
    worker->send(make_event());
  }
}
// Hands a new downstream (backend) configuration to every worker thread.
// The shared_ptr is copied into each event, so all workers share the one
// DownstreamConfig instance.
void ConnectionHandler::worker_replace_downstream(
    std::shared_ptr<DownstreamConfig> downstreamconf) {
  auto make_event = [&downstreamconf]() {
    WorkerEvent wev{};
    wev.type = WorkerEventType::REPLACE_DOWNSTREAM;
    wev.downstreamconf = downstreamconf;
    return wev;
  };

  for (auto &worker : workers_) {
    worker->send(make_event());
  }
}
// Sets up single-threaded mode: TLS contexts, certificate lookup trees and
// exactly one Worker that runs on the main loop (loop_).  Returns 0 on
// success, -1 if the worker's mruby context or QUIC server socket could not
// be created.  Every context allocated here is recorded in all_ssl_ctx_ /
// quic_all_ssl_ctx_ so the destructor can release it.
int ConnectionHandler::create_single_worker() {
  cert_tree_ = tls::create_cert_lookup_tree();
  auto sv_ssl_ctx = tls::setup_server_ssl_context(
      all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
#ifdef HAVE_NEVERBLEED
      ,
      nb_
#endif // HAVE_NEVERBLEED
  );

#ifdef ENABLE_HTTP3
  quic_cert_tree_ = tls::create_cert_lookup_tree();
  auto quic_sv_ssl_ctx = tls::setup_quic_server_ssl_context(
      quic_all_ssl_ctx_, quic_indexed_ssl_ctx_, quic_cert_tree_.get()
# ifdef HAVE_NEVERBLEED
      ,
      nb_
# endif // HAVE_NEVERBLEED
  );
#endif // ENABLE_HTTP3

  auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
#ifdef HAVE_NEVERBLEED
      nb_
#endif // HAVE_NEVERBLEED
  );

  // all_ssl_ctx_ and quic_all_ssl_ctx_ are kept index-aligned (asserted in
  // handle_ocsp_complete); client-side contexts have no QUIC counterpart,
  // hence the nullptr placeholder.
  if (cl_ssl_ctx) {
    all_ssl_ctx_.push_back(cl_ssl_ctx);
#ifdef ENABLE_HTTP3
    quic_all_ssl_ctx_.push_back(nullptr);
#endif // ENABLE_HTTP3
  }

  auto config = get_config();
  auto &tlsconf = config->tls;

  // Client context for talking TLS to the memcached session cache, created
  // only when that connection is configured to use TLS.
  SSL_CTX *session_cache_ssl_ctx = nullptr;
  {
    auto &memcachedconf = config->tls.session_cache.memcached;
    if (memcachedconf.tls) {
      session_cache_ssl_ctx = tls::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
          nb_,
#endif // HAVE_NEVERBLEED
          tlsconf.cacert, memcachedconf.cert_file,
          memcachedconf.private_key_file, nullptr);
      // NOTE(review): pushed without a null check, unlike cl_ssl_ctx above;
      // presumably create_ssl_client_context never returns nullptr — confirm.
      all_ssl_ctx_.push_back(session_cache_ssl_ctx);
#ifdef ENABLE_HTTP3
      quic_all_ssl_ctx_.push_back(nullptr);
#endif // ENABLE_HTTP3
    }
  }

#if defined(ENABLE_HTTP3) && defined(HAVE_LIBBPF)
  // One BPF reference slot per QUIC listener address.
  quic_bpf_refs_.resize(config->conn.quic_listener.addrs.size());
#endif // ENABLE_HTTP3 && HAVE_LIBBPF

#ifdef ENABLE_HTTP3
  // Single worker: cid_prefixes_ must already hold exactly one entry.
  assert(cid_prefixes_.size() == 1);
  const auto &cid_prefix = cid_prefixes_[0];
#endif // ENABLE_HTTP3

  single_worker_ = std::make_unique<Worker>(
      loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
#ifdef ENABLE_HTTP3
      quic_sv_ssl_ctx, quic_cert_tree_.get(), cid_prefix.data(),
      cid_prefix.size(),
# ifdef HAVE_LIBBPF
      /* index = */ 0,
# endif // HAVE_LIBBPF
#endif // ENABLE_HTTP3
      ticket_keys_, this, config->conn.downstream);
#ifdef HAVE_MRUBY
  if (single_worker_->create_mruby_context() != 0) {
    return -1;
  }
#endif // HAVE_MRUBY

#ifdef ENABLE_HTTP3
  if (single_worker_->setup_quic_server_socket() != 0) {
    return -1;
  }
#endif // ENABLE_HTTP3

  return 0;
}
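// Multi-threaded mode: creates |num| worker threads (plus one dedicated API
// worker at index 0 when the API is enabled), each with its own libev loop,
// and starts them.  Returns 0 on success, -1 if a worker's mruby context or
// QUIC server socket could not be set up.  Does nothing (and returns 0) when
// built with NOTHREADS.
//
// Each new loop is recorded in worker_loops_ as soon as it is created, so
// the destructor releases it even when this function bails out part-way
// through the loop below.
int ConnectionHandler::create_worker_thread(size_t num) {
#ifndef NOTHREADS
  assert(workers_.size() == 0);

  cert_tree_ = tls::create_cert_lookup_tree();
  auto sv_ssl_ctx = tls::setup_server_ssl_context(
      all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
# ifdef HAVE_NEVERBLEED
      ,
      nb_
# endif // HAVE_NEVERBLEED
  );

# ifdef ENABLE_HTTP3
  quic_cert_tree_ = tls::create_cert_lookup_tree();
  auto quic_sv_ssl_ctx = tls::setup_quic_server_ssl_context(
      quic_all_ssl_ctx_, quic_indexed_ssl_ctx_, quic_cert_tree_.get()
#  ifdef HAVE_NEVERBLEED
      ,
      nb_
#  endif // HAVE_NEVERBLEED
  );
# endif // ENABLE_HTTP3

  auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
# ifdef HAVE_NEVERBLEED
      nb_
# endif // HAVE_NEVERBLEED
  );

  // all_ssl_ctx_ and quic_all_ssl_ctx_ stay index-aligned; client-side
  // contexts have no QUIC counterpart, hence the nullptr placeholder.
  if (cl_ssl_ctx) {
    all_ssl_ctx_.push_back(cl_ssl_ctx);
# ifdef ENABLE_HTTP3
    quic_all_ssl_ctx_.push_back(nullptr);
# endif // ENABLE_HTTP3
  }

  auto config = get_config();
  auto &tlsconf = config->tls;
  auto &apiconf = config->api;

# if defined(ENABLE_HTTP3) && defined(HAVE_LIBBPF)
  // One BPF reference slot per QUIC listener address.
  quic_bpf_refs_.resize(config->conn.quic_listener.addrs.size());
# endif // ENABLE_HTTP3 && HAVE_LIBBPF

  // We have dedicated worker for API request processing.
  if (apiconf.enabled) {
    ++num;
  }

  // Client context for talking TLS to the memcached session cache, created
  // only when that connection is configured to use TLS.
  SSL_CTX *session_cache_ssl_ctx = nullptr;
  {
    auto &memcachedconf = config->tls.session_cache.memcached;

    if (memcachedconf.tls) {
      session_cache_ssl_ctx = tls::create_ssl_client_context(
# ifdef HAVE_NEVERBLEED
          nb_,
# endif // HAVE_NEVERBLEED
          tlsconf.cacert, memcachedconf.cert_file,
          memcachedconf.private_key_file, nullptr);
      all_ssl_ctx_.push_back(session_cache_ssl_ctx);
# ifdef ENABLE_HTTP3
      quic_all_ssl_ctx_.push_back(nullptr);
# endif // ENABLE_HTTP3
    }
  }

# ifdef ENABLE_HTTP3
  // One connection-ID prefix per worker, the API worker included.
  assert(cid_prefixes_.size() == num);
# endif // ENABLE_HTTP3

  for (size_t i = 0; i < num; ++i) {
    auto loop = ev_loop_new(config->ev_loop_flags);
    // Record the loop before anything below can fail, so an early return
    // does not leak it; the destructor destroys every recorded loop.
    worker_loops_.push_back(loop);

# ifdef ENABLE_HTTP3
    const auto &cid_prefix = cid_prefixes_[i];
# endif // ENABLE_HTTP3

    auto worker = std::make_unique<Worker>(
        loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
# ifdef ENABLE_HTTP3
        quic_sv_ssl_ctx, quic_cert_tree_.get(), cid_prefix.data(),
        cid_prefix.size(),
#  ifdef HAVE_LIBBPF
        i,
#  endif // HAVE_LIBBPF
# endif // ENABLE_HTTP3
        ticket_keys_, this, config->conn.downstream);
# ifdef HAVE_MRUBY
    if (worker->create_mruby_context() != 0) {
      return -1;
    }
# endif // HAVE_MRUBY

# ifdef ENABLE_HTTP3
    // Worker #0 is the API worker when the API is enabled; it serves no
    // QUIC listener, so only the other workers get a server socket.
    if ((!apiconf.enabled || i != 0) &&
        worker->setup_quic_server_socket() != 0) {
      return -1;
    }
# endif // ENABLE_HTTP3

    workers_.push_back(std::move(worker));

    LLOG(NOTICE, this) << "Created worker thread #" << workers_.size() - 1;
  }

  for (auto &worker : workers_) {
    worker->run_async();
  }

#endif // NOTHREADS

  return 0;
}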
// Blocks until every worker thread has exited, logging each join at INFO
// level.  No-op when built with NOTHREADS.
void ConnectionHandler::join_worker() {
#ifndef NOTHREADS
  if (LOG_ENABLED(INFO)) {
    LLOG(INFO, this) << "Waiting for worker thread to join: n="
                     << workers_.size();
  }

  int joined = 0;
  for (auto &worker : workers_) {
    worker->wait();
    if (LOG_ENABLED(INFO)) {
      LLOG(INFO, this) << "Thread #" << joined << " joined";
    }
    ++joined;
  }
#endif // NOTHREADS
}
// Starts graceful shutdown of the worker threads: each worker is told to
// drain, and a background thread waits for them all to exit, then signals
// thread_join_asyncev_ so the main loop breaks out of ev_run.  In
// single-worker mode nothing is done here; that worker shares loop_ and is
// shut down through set_graceful_shutdown().
void ConnectionHandler::graceful_shutdown_worker() {
  if (single_worker_) {
    return;
  }

  if (LOG_ENABLED(INFO)) {
    LLOG(INFO, this) << "Sending graceful shutdown signal to worker";
  }

  auto shutdown_event = []() {
    WorkerEvent wev{};
    wev.type = WorkerEventType::GRACEFUL_SHUTDOWN;
    return wev;
  };

  for (auto &worker : workers_) {
    worker->send(shutdown_event());
  }

#ifndef NOTHREADS
  ev_async_start(loop_, &thread_join_asyncev_);

  // The joiner runs off the main loop.  It reopens the log files first and
  // releases its log configuration after reporting back — presumably so the
  // joiner thread has its own log state; see reopen_log_files() and
  // delete_log_config().
  thread_join_fut_ = std::async(std::launch::async, [this]() {
    (void)reopen_log_files(get_config()->logging);
    join_worker();
    ev_async_send(get_loop(), &thread_join_asyncev_);
    delete_log_config();
  });
#endif // NOTHREADS
}
// Entry point for a freshly accepted upstream socket.  |fd| is the accepted
// descriptor, |addr|/|addrlen| the peer address, |faddr| the listening
// address it arrived on (must be non-null; it is dereferenced below without
// a check).  Returns 0 once the connection has been handed to a worker, -1
// with |fd| closed if it was rejected.  Ownership of |fd| passes to the
// worker on success.
int ConnectionHandler::handle_connection(int fd, sockaddr *addr, int addrlen,
                                         const UpstreamAddr *faddr) {
  if (LOG_ENABLED(INFO)) {
    LLOG(INFO, this) << "Accepted connection from "
                     << util::numeric_name(addr, addrlen) << ", fd=" << fd;
  }

  auto config = get_config();

  // Single-threaded mode: the connection is served on this loop, subject to
  // the per-worker connection cap.
  if (single_worker_) {
    auto &upstreamconf = config->conn.upstream;
    if (single_worker_->get_worker_stat()->num_connections >=
        upstreamconf.worker_connections) {
      if (LOG_ENABLED(INFO)) {
        LLOG(INFO, this) << "Too many connections >="
                         << upstreamconf.worker_connections;
      }

      close(fd);
      return -1;
    }

    auto client =
        tls::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr);
    if (!client) {
      LLOG(ERROR, this) << "ClientHandler creation failed";

      close(fd);
      return -1;
    }

    return 0;
  }

  // Multi-threaded mode: pick a worker and hand the socket over through its
  // event queue.  API connections always go to worker #0; everything else
  // is round-robined over the remaining workers.  No connection cap is
  // applied on this path — presumably the worker enforces it on receipt;
  // confirm in Worker.
  Worker *worker;

  if (faddr->alt_mode == UpstreamAltMode::API) {
    worker = workers_[0].get();

    if (LOG_ENABLED(INFO)) {
      LOG(INFO) << "Dispatch connection to API worker #0";
    }
  } else {
    worker = workers_[worker_round_robin_cnt_].get();

    if (LOG_ENABLED(INFO)) {
      LOG(INFO) << "Dispatch connection to worker #" << worker_round_robin_cnt_;
    }

    // Wrap around, skipping the API worker at index 0 when it exists.
    if (++worker_round_robin_cnt_ == workers_.size()) {
      auto &apiconf = config->api;

      if (apiconf.enabled) {
        worker_round_robin_cnt_ = 1;
      } else {
        worker_round_robin_cnt_ = 0;
      }
    }
  }

  WorkerEvent wev{};
  wev.type = WorkerEventType::NEW_CONNECTION;
  wev.client_fd = fd;
  // NOTE(review): |addrlen| is trusted to fit wev.client_addr.  It
  // presumably comes straight from accept() and is bounded by the caller's
  // sockaddr storage, but nothing here re-checks it against
  // sizeof(wev.client_addr) — confirm at the call site.
  memcpy(&wev.client_addr, addr, addrlen);
  wev.client_addrlen = addrlen;
  wev.faddr = faddr;

  worker->send(std::move(wev));

  return 0;
}
// Returns the main libev loop this handler (and the single worker, if any)
// runs on.
struct ev_loop *ConnectionHandler::get_loop() const { return loop_; }
// Returns the single-threaded-mode worker, or nullptr when running with
// worker threads.  The handler keeps ownership.
Worker *ConnectionHandler::get_single_worker() const {
  return single_worker_.get();
}
// Takes ownership of |h| and adds it to the set of listening acceptors.
void ConnectionHandler::add_acceptor(std::unique_ptr<AcceptHandler> h) {
  acceptors_.emplace_back(std::move(h));
}
// Destroys every acceptor; their listening sockets are presumably closed by
// AcceptHandler's destructor (not visible here).
void ConnectionHandler::delete_acceptor() {
  acceptors_.clear();
}
// Resumes accepting on every listening socket.
void ConnectionHandler::enable_acceptor() {
  std::for_each(std::begin(acceptors_), std::end(acceptors_),
                [](auto &acceptor) { acceptor->enable(); });
}
// Stops accepting on every listening socket; the sockets stay open, so
// pending connections queue in the kernel until enable_acceptor().
void ConnectionHandler::disable_acceptor() {
  std::for_each(std::begin(acceptors_), std::end(acceptors_),
                [](auto &acceptor) { acceptor->disable(); });
}
// Stops accepting for |t| seconds (libev timestamp units); acceptor_disable_cb
// re-enables the acceptors when the timer fires.  A zero delay is ignored,
// and a sleep that is already running is not restarted.
void ConnectionHandler::sleep_acceptor(ev_tstamp t) {
  if (t == 0.) {
    return;
  }
  if (ev_is_active(&disable_acceptor_timer_)) {
    return;
  }

  disable_acceptor();

  ev_timer_set(&disable_acceptor_timer_, t, 0.);
  ev_timer_start(loop_, &disable_acceptor_timer_);
}
// Asks every acceptor to accept whatever is currently pending on its
// listening socket.
void ConnectionHandler::accept_pending_connection() {
  std::for_each(std::begin(acceptors_), std::end(acceptors_),
                [](auto &acceptor) { acceptor->accept_connection(); });
}
// Installs a new TLS session-ticket key set on the handler and, in
// single-worker mode, on that worker.  Worker threads are not updated here;
// use set_ticket_keys_to_worker() for them.
void ConnectionHandler::set_ticket_keys(
    std::shared_ptr<TicketKeys> ticket_keys) {
  ticket_keys_ = std::move(ticket_keys);

  if (!single_worker_) {
    return;
  }

  single_worker_->set_ticket_keys(ticket_keys_);
}
// Returns the currently installed session-ticket key set (may be empty).
const std::shared_ptr<TicketKeys> &ConnectionHandler::get_ticket_keys() const {
  return ticket_keys_;
}
// Records the graceful-shutdown flag and, in single-worker mode, forwards it
// to that worker.  Timer callbacks consult the flag to avoid re-enabling
// acceptors or starting OCSP queries during shutdown.
void ConnectionHandler::set_graceful_shutdown(bool f) {
  graceful_shutdown_ = f;

  if (!single_worker_) {
    return;
  }

  single_worker_->set_graceful_shutdown(f);
}
// True once graceful shutdown has been requested.
bool ConnectionHandler::get_graceful_shutdown() const {
  return graceful_shutdown_;
}
// Aborts any in-flight OCSP query: stops the refresh timer and, if a query
// child process is running, terminates it and reaps it synchronously so no
// zombie is left behind.  Failures are logged but not otherwise reported.
void ConnectionHandler::cancel_ocsp_update() {
  enable_acceptor_on_ocsp_completion_ = false;
  ev_timer_stop(loop_, &ocsp_timer_);

  // pid 0 means no query process is outstanding — presumably cleared by
  // reset_ocsp(), which is not shown here.
  if (ocsp_.proc.pid == 0) {
    return;
  }

  int rv;

  rv = kill(ocsp_.proc.pid, SIGTERM);
  if (rv != 0) {
    auto error = errno;
    LOG(ERROR) << "Could not send signal to OCSP query process: errno="
               << error;
  }

  // Reap synchronously (retrying on EINTR) even if the kill failed; the
  // child may already have exited on its own.  This blocks the loop until
  // the child is gone.
  while ((rv = waitpid(ocsp_.proc.pid, nullptr, 0)) == -1 && errno == EINTR)
    ;
  if (rv == -1) {
    auto error = errno;
    LOG(ERROR) << "Error occurred while we were waiting for the completion of "
                  "OCSP query process: errno="
               << error;
  }
  // NOTE(review): the read watcher, child watcher and pipe fd are not
  // touched here; presumably reset_ocsp() or the destructor handles them —
  // confirm.
}
// inspired by h2o_read_command function from h2o project:
// https://github.com/h2o/h2o
// Spawns the configured fetch-ocsp-response helper for |cert_file| and
// registers read and child watchers so the response is collected
// asynchronously (read_ocsp_chunk / handle_ocsp_complete).  Returns 0 when
// the process was started, -1 if exec_read_command failed.  Must not be
// called while a previous query is still being watched (asserted).
int ConnectionHandler::start_ocsp_update(const char *cert_file) {
  int rv;

  if (LOG_ENABLED(INFO)) {
    LOG(INFO) << "Start ocsp update for " << cert_file;
  }

  assert(!ev_is_active(&ocsp_.rev));
  assert(!ev_is_active(&ocsp_.chldev));

  // argv for the helper: the program path comes from configuration
  // (tls.ocsp.fetch_ocsp_response_file), the certificate path from the
  // caller.  const_cast only fits the char *const[] shape the exec family
  // expects; the strings are not modified.
  char *const argv[] = {
      const_cast<char *>(
          get_config()->tls.ocsp.fetch_ocsp_response_file.c_str()),
      const_cast<char *>(cert_file), nullptr};

  // exec_read_command presumably forks and execs argv directly (no shell)
  // and fills |proc| with the child's pid and the read end of a pipe to its
  // output — confirm in its definition.
  Process proc;
  rv = exec_read_command(proc, argv);
  if (rv != 0) {
    return -1;
  }

  ocsp_.proc = proc;

  // Re-point the read watcher at the new pipe and start collecting output.
  ev_io_set(&ocsp_.rev, ocsp_.proc.rfd, EV_READ);
  ev_io_start(loop_, &ocsp_.rev);

  ev_child_set(&ocsp_.chldev, ocsp_.proc.pid, 0);
  ev_child_start(loop_, &ocsp_.chldev);

  return 0;
}
// Drains the OCSP helper's output pipe into ocsp_.resp.  Called from
// ocsp_read_cb whenever the pipe is readable.  Returns early on EAGAIN
// (more data to come); on EOF or a read error the read watcher is stopped
// and, on error, errno is recorded in ocsp_.error for handle_ocsp_complete
// to report.
void ConnectionHandler::read_ocsp_chunk() {
  std::array<uint8_t, 4_k> buf;
  for (;;) {
    ssize_t n;
    // Retry only on EINTR; the EAGAIN handling below suggests the pipe is
    // non-blocking — confirm in exec_read_command.
    while ((n = read(ocsp_.proc.rfd, buf.data(), buf.size())) == -1 &&
           errno == EINTR)
      ;

    if (n == -1) {
      if (errno == EAGAIN || errno == EWOULDBLOCK) {
        return;
      }
      auto error = errno;
      LOG(WARN) << "Reading from ocsp query command failed: errno=" << error;
      ocsp_.error = error;

      break;
    }

    if (n == 0) {
      break;
    }

    // NOTE(review): ocsp_.resp grows without an upper bound; the producer is
    // the locally configured helper command, so its output size is trusted
    // — confirm that is the intended trust boundary.
    std::copy_n(std::begin(buf), n, std::back_inserter(ocsp_.resp));
  }

  ev_io_stop(loop_, &ocsp_.rev);
}
// Called once the ocsp query child for all_ssl_ctx_[ocsp_.next] has
// exited and its output has been fully read into ocsp_.resp.
//
// On failure (read error recorded in ocsp_.error, abnormal exit, or a
// non-zero exit status) the response is dropped with a warning.
// Otherwise it is installed into the TLSContextData of the SSL_CTX (and
// of the index-aligned QUIC SSL_CTX when HTTP/3 is enabled) after
// tls::verify_ocsp_response accepts it, unless tls.ocsp.no_verify
// disables that check.  In every case ocsp_.next is advanced and the
// next certificate's query is started via proceed_next_cert_ocsp().
void ConnectionHandler::handle_ocsp_complete() {
  ev_io_stop(loop_, &ocsp_.rev);
  ev_child_stop(loop_, &ocsp_.chldev);

  assert(ocsp_.next < all_ssl_ctx_.size());
#ifdef ENABLE_HTTP3
  // quic_all_ssl_ctx_ is kept index-aligned with all_ssl_ctx_ (entries
  // without a QUIC counterpart hold nullptr).
  assert(all_ssl_ctx_.size() == quic_all_ssl_ctx_.size());
#endif // ENABLE_HTTP3

  auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
  // proceed_next_cert_ocsp only starts a query for contexts that carry
  // TLSContextData, so tls_ctx_data is expected to be non-null here.
  auto tls_ctx_data =
      static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));

  auto rstatus = ocsp_.chldev.rstatus;
  // WEXITSTATUS is only meaningful when WIFEXITED holds; the condition
  // below tests WIFEXITED first, so status is only compared once that
  // is true, and otherwise appears in the log line only.
  auto status = WEXITSTATUS(rstatus);
  if (ocsp_.error || !WIFEXITED(rstatus) || status != 0) {
    LOG(WARN) << "ocsp query command for " << tls_ctx_data->cert_file
              << " failed: error=" << ocsp_.error << ", rstatus=" << log::hex
              << rstatus << log::dec << ", status=" << status;
    // Give up on this certificate; whatever ocsp_data was previously
    // installed is left untouched.
    ++ocsp_.next;
    proceed_next_cert_ocsp();
    return;
  }

  if (LOG_ENABLED(INFO)) {
    LOG(INFO) << "ocsp update for " << tls_ctx_data->cert_file
              << " finished successfully";
  }

  auto config = get_config();
  auto &tlsconf = config->tls;

  // The child's output is only installed after tls::verify_ocsp_response
  // accepts it for this SSL_CTX.  With tls.ocsp.no_verify the response
  // is installed unverified.  A rejected response is skipped without a
  // log line here (verify_ocsp_response may log on its own).
  if (tlsconf.ocsp.no_verify ||
      tls::verify_ocsp_response(ssl_ctx, ocsp_.resp.data(),
                                ocsp_.resp.size()) == 0) {
#ifdef ENABLE_HTTP3
    // quic_all_ssl_ctx_ holds the SSL_CTX with the same certificate for
    // QUIC.  Some SSL_CTXs have no QUIC counterpart; in that case the
    // entry is nullptr and this step is skipped.
    auto quic_ssl_ctx = quic_all_ssl_ctx_[ocsp_.next];
    if (quic_ssl_ctx) {
#  ifndef OPENSSL_IS_BORINGSSL
      auto quic_tls_ctx_data = static_cast<tls::TLSContextData *>(
          SSL_CTX_get_app_data(quic_ssl_ctx));
      // The QUIC context receives a copy: ocsp_.resp is still needed for
      // the TLS context below.
#    ifdef HAVE_ATOMIC_STD_SHARED_PTR
      std::atomic_store_explicit(
          &quic_tls_ctx_data->ocsp_data,
          std::make_shared<std::vector<uint8_t>>(ocsp_.resp),
          std::memory_order_release);
#    else  // !HAVE_ATOMIC_STD_SHARED_PTR
      std::lock_guard<std::mutex> g(quic_tls_ctx_data->mu);
      quic_tls_ctx_data->ocsp_data =
          std::make_shared<std::vector<uint8_t>>(ocsp_.resp);
#    endif // !HAVE_ATOMIC_STD_SHARED_PTR
#  else    // OPENSSL_IS_BORINGSSL
      SSL_CTX_set_ocsp_response(quic_ssl_ctx, ocsp_.resp.data(),
                                ocsp_.resp.size());
#  endif   // OPENSSL_IS_BORINGSSL
    }
#endif // ENABLE_HTTP3

    // Publish the response for the TLS context.  The release store /
    // mutex suggest ocsp_data is read from other threads.  This is the
    // last use of ocsp_.resp, so it can be moved from (reset_ocsp()
    // reinitialises it on the next round).
#ifndef OPENSSL_IS_BORINGSSL
#  ifdef HAVE_ATOMIC_STD_SHARED_PTR
    std::atomic_store_explicit(
        &tls_ctx_data->ocsp_data,
        std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp)),
        std::memory_order_release);
#  else  // !HAVE_ATOMIC_STD_SHARED_PTR
    std::lock_guard<std::mutex> g(tls_ctx_data->mu);
    tls_ctx_data->ocsp_data =
        std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp));
#  endif // !HAVE_ATOMIC_STD_SHARED_PTR
#else  // OPENSSL_IS_BORINGSSL
    // BoringSSL keeps its own copy of the response.
    SSL_CTX_set_ocsp_response(ssl_ctx, ocsp_.resp.data(), ocsp_.resp.size());
#endif // OPENSSL_IS_BORINGSSL
  }

  ++ocsp_.next;
  proceed_next_cert_ocsp();
}
// Releases the state left by the previous ocsp query: closes the read
// end of the child's pipe if it is still open, forgets the child pid,
// clears the recorded error and frees the accumulated response buffer.
void ConnectionHandler::reset_ocsp() {
  auto &proc = ocsp_.proc;

  if (proc.rfd != -1) {
    close(proc.rfd);
  }
  // rfd is reset regardless of close()'s result.
  proc.rfd = -1;
  proc.pid = 0;

  ocsp_.error = 0;
  // Swap with an empty vector so the capacity is released as well, not
  // just the size.
  std::vector<uint8_t>().swap(ocsp_.resp);
}
// Starts the ocsp query for the next SSL_CTX in all_ssl_ctx_, skipping
// entries without TLSContextData (the client context) and entries whose
// query could not be started.
//
// Once every context has been visited, ocsp_.next wraps to 0, the
// periodic ocsp_timer_ is re-armed with tls.ocsp.update_interval, and
// the acceptor is enabled if that had been deferred until the ocsp
// round completed (enable_acceptor_on_ocsp_completion_).
void ConnectionHandler::proceed_next_cert_ocsp() {
  while (true) {
    reset_ocsp();

    if (ocsp_.next == all_ssl_ctx_.size()) {
      // Every certificate has been handled; schedule the next round.
      ocsp_.next = 0;
      ev_timer_set(&ocsp_timer_, get_config()->tls.ocsp.update_interval, 0.);
      ev_timer_start(loop_, &ocsp_timer_);

      if (enable_acceptor_on_ocsp_completion_) {
        enable_acceptor_on_ocsp_completion_ = false;
        enable_acceptor();
      }
      return;
    }

    auto tls_ctx_data = static_cast<tls::TLSContextData *>(
        SSL_CTX_get_app_data(all_ssl_ctx_[ocsp_.next]));

    // The client SSL_CTX lives in all_ssl_ctx_ too but carries no
    // TLSContextData, so there is nothing to query for it.
    if (tls_ctx_data != nullptr) {
      auto cert_file = tls_ctx_data->cert_file;
      if (start_ocsp_update(cert_file) == 0) {
        // Query started; handle_ocsp_complete() continues from here.
        return;
      }
    }

    // Skip this context and try the next one.
    ++ocsp_.next;
  }
}
// Takes ownership of the memcached dispatcher used for tls ticket key
// retrieval; any previously held dispatcher is destroyed.
void ConnectionHandler::set_tls_ticket_key_memcached_dispatcher(
    std::unique_ptr<MemcachedDispatcher> dispatcher) {
  tls_ticket_key_memcached_dispatcher_.reset(dispatcher.release());
}
// Returns a non-owning pointer to the tls ticket key memcached
// dispatcher, or nullptr if none has been set.
MemcachedDispatcher *
ConnectionHandler::get_tls_ticket_key_memcached_dispatcher() const {
  auto *dispatcher = tls_ticket_key_memcached_dispatcher_.get();
  return dispatcher;
}
// Exponential backoff parameters for the memcached tls ticket key
// retrieval retries, modelled on the algorithm described in
// https://github.com/grpc/grpc/blob/master/doc/connection-backoff.md
namespace {
// The retry count is clamped to this exponent so the delay stops growing.
constexpr size_t MAX_BACKOFF_EXP{10};
// Base of the exponential growth (seconds = MULTIPLIER ^ exponent).
constexpr double MULTIPLIER{3.2};
// Fraction of the base delay used as the symmetric random jitter range.
constexpr double JITTER{0.2};
} // namespace
// Handles a network failure of the memcached tls ticket key get.
//
// Increments the retry counter; once it reaches
// tls.ticket.memcached.max_retry the failure is escalated to
// on_tls_ticket_key_not_found().  Otherwise the timer |w| is re-armed
// with an exponential backoff of MULTIPLIER^min(retries, MAX_BACKOFF_EXP)
// seconds plus uniform jitter of +/- JITTER of that value, drawn from
// gen_.
void ConnectionHandler::on_tls_ticket_key_network_error(ev_timer *w) {
  auto &retry_count = tls_ticket_key_memcached_get_retry_count_;
  ++retry_count;

  if (retry_count >= get_config()->tls.ticket.memcached.max_retry) {
    LOG(WARN) << "Memcached: tls ticket get retry all failed " << retry_count
              << " times.";
    on_tls_ticket_key_not_found(w);
    return;
  }

  auto exponent = std::min(MAX_BACKOFF_EXP, retry_count);
  auto base_backoff = util::int_pow(MULTIPLIER, exponent);
  std::uniform_real_distribution<> jitter(-JITTER * base_backoff,
                                          JITTER * base_backoff);
  auto backoff = base_backoff + jitter(gen_);

  LOG(WARN)
      << "Memcached: tls ticket get failed due to network error, retrying in "
      << backoff << " seconds";

  ev_timer_set(w, backoff, 0.);
  ev_timer_start(loop_, w);
}
// Handles a memcached tls ticket key get that returned no key (or that
// exhausted its network retries).
//
// The retry counter is reset and the consecutive-failure counter is
// incremented; once it reaches tls.ticket.memcached.max_fail the
// currently installed ticket keys are cleared (tls tickets disabled)
// and the counter starts over.  Either way the next get is scheduled.
void ConnectionHandler::on_tls_ticket_key_not_found(ev_timer *w) {
  tls_ticket_key_memcached_get_retry_count_ = 0;

  auto &fail_count = tls_ticket_key_memcached_fail_count_;
  ++fail_count;

  if (fail_count >= get_config()->tls.ticket.memcached.max_fail) {
    LOG(WARN) << "Memcached: could not get tls ticket; disable tls ticket";
    fail_count = 0;

    // Drop the keys everywhere so no stale key keeps being used.
    set_ticket_keys(nullptr);
    set_ticket_keys_to_worker(nullptr);
  }

  LOG(WARN) << "Memcached: tls ticket get failed, schedule next";
  schedule_next_tls_ticket_key_memcached_get(w);
}
// Installs the ticket keys obtained from memcached and schedules the
// next get.  Both failure counters are reset.  A null or empty key set
// disables tls tickets instead (keys cleared).  At INFO level only the
// `name` field of each key is logged: index 0 is the encryption +
// decryption key, the rest are decryption-only keys.
void ConnectionHandler::on_tls_ticket_key_get_success(
    const std::shared_ptr<TicketKeys> &ticket_keys, ev_timer *w) {
  LOG(NOTICE) << "Memcached: tls ticket get success";

  tls_ticket_key_memcached_get_retry_count_ = 0;
  tls_ticket_key_memcached_fail_count_ = 0;

  schedule_next_tls_ticket_key_memcached_get(w);

  auto have_keys = ticket_keys && !ticket_keys->keys.empty();
  if (!have_keys) {
    LOG(WARN) << "Memcached: tls ticket keys are empty; tls ticket disabled";
    set_ticket_keys(nullptr);
    set_ticket_keys_to_worker(nullptr);
    return;
  }

  if (LOG_ENABLED(INFO)) {
    auto &keys = ticket_keys->keys;
    LOG(INFO) << "ticket keys get done";
    LOG(INFO) << 0 << " enc+dec: " << util::format_hex(keys.front().data.name);
    for (size_t i = 1; i < keys.size(); ++i) {
      LOG(INFO) << i << " dec: " << util::format_hex(keys[i].data.name);
    }
  }

  set_ticket_keys(ticket_keys);
  set_ticket_keys_to_worker(ticket_keys);
}
// Re-arms |w| as a one-shot timer firing after
// tls.ticket.memcached.interval seconds.
void ConnectionHandler::schedule_next_tls_ticket_key_memcached_get(
    ev_timer *w) {
  auto interval = get_config()->tls.ticket.memcached.interval;
  ev_timer_set(w, interval, 0.);
  ev_timer_start(loop_, w);
}
// Creates the client SSL_CTX used for the TLS connection to the tls
// ticket key memcached server, using tls.cacert as the trust store and
// the memcached client certificate/private key from configuration.
//
// The context is appended to all_ssl_ctx_ (as a client context it has
// no TLSContextData, which proceed_next_cert_ocsp skips) and, with
// HTTP/3, a nullptr placeholder keeps quic_all_ssl_ctx_ index-aligned.
SSL_CTX *ConnectionHandler::create_tls_ticket_key_memcached_ssl_ctx() {
  auto config = get_config();
  auto &tlsconf = config->tls;
  auto &memcachedconf = tlsconf.ticket.memcached;

  auto client_ctx = tls::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
      nb_,
#endif // HAVE_NEVERBLEED
      tlsconf.cacert, memcachedconf.cert_file, memcachedconf.private_key_file,
      nullptr);

  all_ssl_ctx_.emplace_back(client_ctx);
#ifdef ENABLE_HTTP3
  quic_all_ssl_ctx_.emplace_back(nullptr);
#endif // ENABLE_HTTP3

  return client_ctx;
}
#ifdef HAVE_NEVERBLEED
// Stores the neverbleed handle used when creating SSL contexts so
// private key operations can be delegated to the neverbleed process.
void ConnectionHandler::set_neverbleed(neverbleed_t *nb) {
  nb_ = nb;
}
#endif // HAVE_NEVERBLEED
// Processes the serial events queued by send_serial_event().  The
// whole queue is taken under serial_event_mu_ and then handled without
// the lock, so producers are not blocked while the events are applied.
//
// REPLACE_DOWNSTREAM installs the new downstream configuration into the
// global config and then into the single worker or all workers; any
// other event type is ignored.
void ConnectionHandler::handle_serial_event() {
  std::vector<SerialEvent> pending;
  {
    std::lock_guard<std::mutex> g(serial_event_mu_);
    std::swap(pending, serial_events_);
  }

  for (auto &sev : pending) {
    if (sev.type != SerialEventType::REPLACE_DOWNSTREAM) {
      continue;
    }

    // Make sure that none of the workers keeps using
    // get_config()->conn.downstream from before this replacement.
    mod_config()->conn.downstream = sev.downstreamconf;

    if (single_worker_) {
      single_worker_->replace_downstream_config(sev.downstreamconf);
    } else {
      worker_replace_downstream(sev.downstreamconf);
    }
  }
}
// Queues a REPLACE_DOWNSTREAM serial event carrying |downstreamconf|;
// it is applied later by handle_serial_event() on the event loop.
void ConnectionHandler::send_replace_downstream(
    const std::shared_ptr<DownstreamConfig> &downstreamconf) {
  SerialEvent ev(SerialEventType::REPLACE_DOWNSTREAM, downstreamconf);
  send_serial_event(std::move(ev));
}
// Appends |ev| to the serial event queue under serial_event_mu_ and
// wakes the event loop through serial_event_asyncev_ so that
// handle_serial_event() runs.  May be called from any thread, which is
// why the queue is mutex-protected and the wake-up uses ev_async.
void ConnectionHandler::send_serial_event(SerialEvent ev) {
  {
    std::scoped_lock lock(serial_event_mu_);
    serial_events_.emplace_back(std::move(ev));
  }

  ev_async_send(loop_, &serial_event_asyncev_);
}
// Returns the SSL_CTX stored at position |idx| of all_ssl_ctx_.  The
// index is not range-checked here; callers keep it below
// all_ssl_ctx_.size().
SSL_CTX *ConnectionHandler::get_ssl_ctx(size_t idx) const {
  auto ctx = all_ssl_ctx_[idx];
  return ctx;
}
// Returns the list of SSL_CTX registered under index |idx| in
// indexed_ssl_ctx_.  The index is not range-checked here.
const std::vector<SSL_CTX *> &
ConnectionHandler::get_indexed_ssl_ctx(size_t idx) const {
  const auto &ctxs = indexed_ssl_ctx_[idx];
  return ctxs;
}
#ifdef ENABLE_HTTP3
// Returns the list of QUIC SSL_CTX registered under index |idx| in
// quic_indexed_ssl_ctx_.  The index is not range-checked here.
const std::vector<SSL_CTX *> &
ConnectionHandler::get_quic_indexed_ssl_ctx(size_t idx) const {
  const auto &ctxs = quic_indexed_ssl_ctx_[idx];
  return ctxs;
}
#endif // ENABLE_HTTP3
// When |f| is true, proceed_next_cert_ocsp() enables the acceptor once
// the current ocsp round has completed (and clears the flag again).
void ConnectionHandler::set_enable_acceptor_on_ocsp_completion(bool f) {
  enable_acceptor_on_ocsp_completion_ = f;
}
#ifdef ENABLE_HTTP3
// Forwards a QUIC packet to the worker whose CID prefix equals the
// first SHRPX_QUIC_CID_PREFIXLEN bytes of |cid_prefix|, wrapping it in a
// QUIC_PKT_FORWARD WorkerEvent.  Only valid when workers_ is in use
// (not single_thread mode).
//
// Returns 0 when a worker was found and the event was sent, -1 when no
// worker matches.
int ConnectionHandler::forward_quic_packet(
    const UpstreamAddr *faddr, const Address &remote_addr,
    const Address &local_addr, const ngtcp2_pkt_info &pi,
    const uint8_t *cid_prefix, const uint8_t *data, size_t datalen) {
  assert(!get_config()->single_thread);

  auto has_prefix = [cid_prefix](const auto &worker) {
    return std::equal(cid_prefix, cid_prefix + SHRPX_QUIC_CID_PREFIXLEN,
                      worker->get_cid_prefix());
  };
  auto it = std::find_if(std::begin(workers_), std::end(workers_), has_prefix);
  if (it == std::end(workers_)) {
    return -1;
  }

  WorkerEvent wev{
      .type = WorkerEventType::QUIC_PKT_FORWARD,
      .quic_pkt = std::make_unique<QUICPacket>(faddr->index, remote_addr,
                                               local_addr, pi, data, datalen),
  };
  (*it)->send(std::move(wev));

  return 0;
}
// Installs the QUIC keying materials (used e.g. by quic_ipc_read() to
// decrypt connection IDs), replacing any previously held set.
void ConnectionHandler::set_quic_keying_materials(
    std::shared_ptr<QUICKeyingMaterials> qkms) {
  quic_keying_materials_.swap(qkms);
}
// Returns the currently installed QUIC keying materials (may be a null
// shared_ptr if none have been set).
const std::shared_ptr<QUICKeyingMaterials> &
ConnectionHandler::get_quic_keying_materials() const {
  const auto &qkms = quic_keying_materials_;
  return qkms;
}
// Copies the CID prefixes assigned to this process's workers into
// cid_prefixes_.
void ConnectionHandler::set_cid_prefixes(
    const std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>>
        &cid_prefixes) {
  cid_prefixes_.assign(cid_prefixes.begin(), cid_prefixes.end());
}
// Finds the lingering worker process (a previous generation still
// draining its connections) owning one of the CID prefixes that
// |dcid| starts with.  Only the first SHRPX_QUIC_CID_PREFIXLEN bytes of
// |dcid| are compared, hence the precondition on |dcidlen|.
//
// Returns a pointer into quic_lingering_worker_processes_, or nullptr
// when no prefix matches.
QUICLingeringWorkerProcess *
ConnectionHandler::match_quic_lingering_worker_process_cid_prefix(
    const uint8_t *dcid, size_t dcidlen) {
  assert(dcidlen >= SHRPX_QUIC_CID_PREFIXLEN);

  auto prefix_matches = [dcid](const auto &cid_prefix) {
    return std::equal(std::begin(cid_prefix), std::end(cid_prefix), dcid);
  };
  auto owns_dcid = [&prefix_matches](const auto &lwp) {
    return std::any_of(std::begin(lwp.cid_prefixes), std::end(lwp.cid_prefixes),
                       prefix_matches);
  };

  auto it = std::find_if(std::begin(quic_lingering_worker_processes_),
                         std::end(quic_lingering_worker_processes_), owns_dcid);
  if (it == std::end(quic_lingering_worker_processes_)) {
    return nullptr;
  }

  return &*it;
}
# ifdef HAVE_LIBBPF
// Returns a mutable reference to the loaded BPF object references used
// for QUIC packet steering (see unload_bpf_objects()).
std::vector<BPFRef> &ConnectionHandler::get_quic_bpf_refs() {
  auto &refs = quic_bpf_refs_;
  return refs;
}
// Unloads every BPF object recorded in quic_bpf_refs_.  Entries that
// unload successfully have their obj pointer cleared; on failure a
// warning with the errno text is logged and the pointer is left set.
void ConnectionHandler::unload_bpf_objects() {
  std::array<char, STRERROR_BUFSIZE> errbuf;

  LOG(NOTICE) << "Unloading BPF objects";

  for (auto &ref : quic_bpf_refs_) {
    if (ref.obj == nullptr) {
      continue;
    }

    auto rv = bpf_object__unload(ref.obj);
    if (rv == 0) {
      ref.obj = nullptr;
    } else {
      LOG(WARN) << "Failed to unload bpf object: "
                << xsi_strerror(errno, errbuf.data(), errbuf.size());
    }
  }
}
# endif // HAVE_LIBBPF
// Records the descriptor of the QUIC IPC channel read by quic_ipc_read().
void ConnectionHandler::set_quic_ipc_fd(int fd) {
  quic_ipc_fd_ = fd;
}
// Copies the descriptions of the lingering worker processes (their CID
// prefixes and IPC descriptors) into quic_lingering_worker_processes_.
void ConnectionHandler::set_quic_lingering_worker_processes(
    const std::vector<QUICLingeringWorkerProcess> &quic_lwps) {
  quic_lingering_worker_processes_.assign(quic_lwps.begin(), quic_lwps.end());
}
// Sends a QUIC packet to a lingering worker process over its IPC socket
// as a single DGRAM_FORWARD message.  The counterpart decoder is
// quic_ipc_read(); the wire layout is
//
//   TYPE(1) REMOTE_ADDRLEN(1) REMOTE_ADDR(N) LOCAL_ADDRLEN(1) LOCAL_ADDR(N)
//   ECN(1) DGRAM_PAYLOAD(N)
//
// where each address length is stored decremented by one.  The header
// and the payload are sent with one sendmsg() via two iovecs.
//
// Returns 0 on success, -1 if sendmsg() fails (logged at ERROR).
int ConnectionHandler::forward_quic_packet_to_lingering_worker_process(
    QUICLingeringWorkerProcess *quic_lwp, const Address &remote_addr,
    const Address &local_addr, const ngtcp2_pkt_info &pi, const uint8_t *data,
    size_t datalen) {
  std::array<uint8_t, 512> header;

  // Fixed bytes (type, two length bytes, ecn) plus two full-size
  // socket addresses must fit in the header buffer.
  assert(header.size() >= 1 + 1 + 1 + 1 + sizeof(sockaddr_storage) * 2);
  assert(remote_addr.len > 0);
  assert(local_addr.len > 0);

  // Writes LEN-1 followed by the raw sockaddr bytes; returns the
  // position after them.
  auto put_addr = [](uint8_t *dst, const Address &addr) {
    *dst++ = static_cast<uint8_t>(addr.len - 1);
    return std::copy_n(reinterpret_cast<const uint8_t *>(&addr.su), addr.len,
                       dst);
  };

  auto p = header.data();
  *p++ = static_cast<uint8_t>(QUICIPCType::DGRAM_FORWARD);
  p = put_addr(p, remote_addr);
  p = put_addr(p, local_addr);
  *p++ = pi.ecn;

  std::array<iovec, 2> msg_iov{{
      {
          .iov_base = header.data(),
          .iov_len = static_cast<size_t>(p - header.data()),
      },
      {
          // sendmsg() does not modify the payload; the cast only
          // satisfies iovec's non-const iov_base.
          .iov_base = const_cast<uint8_t *>(data),
          .iov_len = datalen,
      },
  }};

  msghdr msg{};
  msg.msg_iov = msg_iov.data();
  msg.msg_iovlen = msg_iov.size();

  ssize_t nwrite;
  do {
    nwrite = sendmsg(quic_lwp->quic_ipc_fd, &msg, 0);
  } while (nwrite == -1 && errno == EINTR);

  if (nwrite == -1) {
    std::array<char, STRERROR_BUFSIZE> errbuf;
    auto error = errno;
    LOG(ERROR) << "Failed to send QUIC IPC message: "
               << xsi_strerror(error, errbuf.data(), errbuf.size());
    return -1;
  }

  return 0;
}
// Reads one datagram from the QUIC IPC socket (quic_ipc_fd_), decodes
// the DGRAM_FORWARD message produced by
// forward_quic_packet_to_lingering_worker_process(), and hands the
// contained QUIC packet to the worker whose CID prefix matches the
// packet's decrypted DCID (or, in single-worker mode, directly to that
// worker's QUIC connection handler).
//
// Every length read from the message is validated against the datagram
// size and sizeof(sockaddr_storage) before any copy, so a truncated or
// corrupt message is rejected rather than read out of bounds.
//
// Returns 0 on success and for messages that are merely dropped (short
// datagram, no matching upstream address, no matching worker); returns
// -1 on a socket read error, a malformed message, or a DCID that fails
// to decrypt.
int ConnectionHandler::quic_ipc_read() {
  // One datagram per call; presumably sized for a maximal UDP datagram.
  std::array<uint8_t, 65536> buf;

  ssize_t nread;

  while ((nread = recv(quic_ipc_fd_, buf.data(), buf.size(), 0)) == -1 &&
         errno == EINTR)
    ;

  if (nread == -1) {
    std::array<char, STRERROR_BUFSIZE> errbuf;

    auto error = errno;
    LOG(ERROR) << "Failed to read data from QUIC IPC channel: "
               << xsi_strerror(error, errbuf.data(), errbuf.size());

    return -1;
  }

  if (nread == 0) {
    return 0;
  }

  // Minimum message size: TYPE, REMOTE_ADDRLEN, LOCAL_ADDRLEN and ECN,
  // one byte each.  The address bodies are added to len as their
  // lengths are decoded below.
  size_t len = 1 + 1 + 1 + 1;

  // Wire format:
  // TYPE(1) REMOTE_ADDRLEN(1) REMOTE_ADDR(N) LOCAL_ADDRLEN(1) LOCAL_ADDR(N)
  // ECN(1) DGRAM_PAYLOAD(N)
  //
  // When encoding, REMOTE_ADDRLEN and LOCAL_ADDRLEN are decremented
  // by 1.
  if (static_cast<size_t>(nread) < len) {
    // Too short to hold even the fixed bytes; dropped without logging.
    return 0;
  }

  auto p = buf.data();
  if (*p != static_cast<uint8_t>(QUICIPCType::DGRAM_FORWARD)) {
    LOG(ERROR) << "Unknown QUICIPCType: " << static_cast<uint32_t>(*p);

    return -1;
  }

  ++p;

  auto pkt = std::make_unique<QUICPacket>();

  // Undo the "minus one" encoding of the length byte.
  auto remote_addrlen = static_cast<size_t>(*p++) + 1;
  // Bounds check before the memcpy below.  NOTE(review): assumes
  // pkt->remote_addr.su is at least sizeof(sockaddr_storage) bytes —
  // confirm against the Address definition.
  if (remote_addrlen > sizeof(sockaddr_storage)) {
    LOG(ERROR) << "The length of remote address is too large: "
               << remote_addrlen;

    return -1;
  }

  len += remote_addrlen;

  // The address bytes must actually be present in the datagram.
  if (static_cast<size_t>(nread) < len) {
    LOG(ERROR) << "Insufficient QUIC IPC message length";

    return -1;
  }

  pkt->remote_addr.len = remote_addrlen;
  memcpy(&pkt->remote_addr.su, p, remote_addrlen);

  p += remote_addrlen;

  // Same decoding and checks for the local address.
  auto local_addrlen = static_cast<size_t>(*p++) + 1;
  if (local_addrlen > sizeof(sockaddr_storage)) {
    LOG(ERROR) << "The length of local address is too large: " << local_addrlen;

    return -1;
  }

  len += local_addrlen;

  if (static_cast<size_t>(nread) < len) {
    LOG(ERROR) << "Insufficient QUIC IPC message length";

    return -1;
  }

  pkt->local_addr.len = local_addrlen;
  memcpy(&pkt->local_addr.su, p, local_addrlen);

  p += local_addrlen;

  // The initial len already accounted for this ECN byte.
  pkt->pi.ecn = *p++;

  // Everything after the ECN byte is the QUIC packet.  The checks above
  // guarantee p does not exceed buf.data() + nread, so datalen >= 0.
  auto datalen = nread - (p - buf.data());

  pkt->data.assign(p, p + datalen);

  // At the moment, UpstreamAddr index is unknown.
  pkt->upstream_addr_index = static_cast<size_t>(-1);

  uint32_t version;
  const uint8_t *dcid;
  size_t dcidlen;
  const uint8_t *scid;
  size_t scidlen;

  // Only the DCID is needed to route the packet; version and SCID are
  // decoded but unused here.
  auto rv =
      ngtcp2_pkt_decode_version_cid(&version, &dcid, &dcidlen, &scid, &scidlen,
                                    p, datalen, SHRPX_QUIC_SCIDLEN);
  if (rv < 0) {
    LOG(ERROR) << "ngtcp2_pkt_decode_version_cid: " << ngtcp2_strerror(rv);

    return -1;
  }

  // The CID prefix is read at a fixed offset inside the DCID below, so
  // only DCIDs of exactly SHRPX_QUIC_SCIDLEN bytes are accepted.
  if (dcidlen != SHRPX_QUIC_SCIDLEN) {
    LOG(ERROR) << "DCID length is invalid";
    return -1;
  }

  if (single_worker_) {
    // No CID-based routing needed: hand the packet to the only worker.
    auto faddr = single_worker_->find_quic_upstream_addr(pkt->local_addr);
    if (faddr == nullptr) {
      LOG(ERROR) << "No suitable upstream address found";

      return 0;
    }

    auto quic_conn_handler = single_worker_->get_quic_connection_handler();

    // Ignore return value
    quic_conn_handler->handle_packet(faddr, pkt->remote_addr, pkt->local_addr,
                                     pkt->pi, pkt->data.data(),
                                     pkt->data.size());

    return 0;
  }

  // NOTE(review): assumes quic_keying_materials_ is set and
  // keying_materials is non-empty whenever workers_ is used — confirm
  // with set_quic_keying_materials()'s callers.
  auto &qkm = quic_keying_materials_->keying_materials.front();

  std::array<uint8_t, SHRPX_QUIC_DECRYPTED_DCIDLEN> decrypted_dcid;

  // A DCID that does not decrypt cannot be routed; it is rejected
  // without a log line here.
  if (decrypt_quic_connection_id(decrypted_dcid.data(),
                                 dcid + SHRPX_QUIC_CID_PREFIX_OFFSET,
                                 qkm.cid_encryption_key.data()) != 0) {
    return -1;
  }

  // Route on the first SHRPX_QUIC_CID_PREFIXLEN bytes of the decrypted
  // DCID; the packet is moved into the event of the first match.
  for (auto &worker : workers_) {
    if (!std::equal(std::begin(decrypted_dcid),
                    std::begin(decrypted_dcid) + SHRPX_QUIC_CID_PREFIXLEN,
                    worker->get_cid_prefix())) {
      continue;
    }

    WorkerEvent wev{
        .type = WorkerEventType::QUIC_PKT_FORWARD,
        .quic_pkt = std::move(pkt),
    };
    worker->send(std::move(wev));

    return 0;
  }

  // No worker owns this prefix (e.g. a connection that no longer
  // exists); the packet is dropped.
  if (LOG_ENABLED(INFO)) {
    LOG(INFO) << "No worker to match CID prefix";
  }

  return 0;
}
#endif // ENABLE_HTTP3
} // namespace shrpx