diff --git a/README.md b/README.md index b43fe94..54ab6e0 100644 --- a/README.md +++ b/README.md @@ -114,7 +114,9 @@ Detail about the entire set of options can be found by invoking `stud -h`: -n --workers=NUM Number of worker processes (Default: 1) -B --backlog=NUM Set listen backlog size (Default: 100) -k --keepalive=SECS TCP keepalive on client socket (Default: 3600) - + --tcp-user-timeout=MSECS Milliseconds to wait for ACK packets. Only available + in Linux since 2.6.37. Disabled = 0 (Default: 0) + SECURITY: -r --chroot=DIR Sets chroot directory (Default: "") diff --git a/configuration.c b/configuration.c index 25fead7..78b5b4e 100644 --- a/configuration.c +++ b/configuration.c @@ -18,6 +18,9 @@ #include #include #include +#ifdef __linux__ +#include +#endif #include "configuration.h" #include "version.h" @@ -30,11 +33,15 @@ #define CFG_CIPHERS "ciphers" #define CFG_SSL_ENGINE "ssl-engine" #define CFG_PREFER_SERVER_CIPHERS "prefer-server-ciphers" +#define CFG_NAMED_CURVE "named-curve" +#define CFG_SESSION_TIMEOUT "session-timeout" +#define CFG_SSL_CACHE_SIZE "openssl-cache-size" #define CFG_BACKEND "backend" #define CFG_FRONTEND "frontend" #define CFG_WORKERS "workers" #define CFG_BACKLOG "backlog" #define CFG_KEEPALIVE "keepalive" +#define CFG_TCP_USER_TIMEOUT "tcp-user-timeout" #define CFG_CHROOT "chroot" #define CFG_USER "user" #define CFG_GROUP "group" @@ -121,13 +128,17 @@ stud_config * config_new (void) { r->GID = 0; r->FRONT_IP = NULL; r->FRONT_PORT = strdup("8443"); - r->BACK_IP = strdup("127.0.0.1"); - r->BACK_PORT = strdup("8000"); + r->BACKENDS_COUNT = 0; + r->BACKENDS[0].BACK_IP = strdup("127.0.0.1"); + r->BACKENDS[0].BACK_PORT = strdup("8000"); r->NCORES = 1; r->CERT_FILES = NULL; r->CIPHER_SUITE = NULL; + r->NAMED_CURVE = NULL; r->ENGINE = NULL; r->BACKLOG = 100; + r->SESSION_TIMEOUT = -1; + r->SSL_CACHE_SIZE = -1; #ifdef USE_SHARED_CACHE r->SHARED_CACHE = 0; @@ -145,6 +156,7 @@ stud_config * config_new (void) { r->SYSLOG = 0; r->SYSLOG_FACILITY = LOG_DAEMON; r->TCP_KEEPALIVE_TIME = 3600; + r->TCP_USER_TIMEOUT_MS= 0; r->DAEMONIZE = 0; r->PREFER_SERVER_CIPHERS = 0; @@ -159,8 +171,10 @@ void config_destroy (stud_config *cfg) { if (cfg->CHROOT != NULL) free(cfg->CHROOT); if (cfg->FRONT_IP != NULL) free(cfg->FRONT_IP); if (cfg->FRONT_PORT != NULL) free(cfg->FRONT_PORT); - if (cfg->BACK_IP != NULL) free(cfg->BACK_IP); - if (cfg->BACK_PORT != NULL) free(cfg->BACK_PORT); + for (int i = 0; i < cfg->BACKENDS_COUNT; i++) { + if (cfg->BACKENDS[i].BACK_IP != NULL) free(cfg->BACKENDS[i].BACK_IP); + if (cfg->BACKENDS[i].BACK_PORT != NULL) free(cfg->BACKENDS[i].BACK_PORT); + } if (cfg->CERT_FILES != NULL) { struct cert_files *curr = cfg->CERT_FILES, *next; while (cfg->CERT_FILES != NULL) { @@ -170,6 +184,7 @@ void config_destroy (stud_config *cfg) { } } if (cfg->CIPHER_SUITE != NULL) free(cfg->CIPHER_SUITE); + if (cfg->NAMED_CURVE != NULL) free(cfg->NAMED_CURVE); if (cfg->ENGINE != NULL) free(cfg->ENGINE); #ifdef USE_SHARED_CACHE @@ -548,7 +563,11 @@ void config_param_validate (char *k, char *v, stud_config *cfg, char *file, int config_assign_str(&cfg->CIPHER_SUITE, v); } } - else if (strcmp(k, CFG_SSL_ENGINE) == 0) { + else if (strcmp(k, CFG_NAMED_CURVE) == 0) { + if (v != NULL && strlen(v) > 0) { + config_assign_str(&cfg->NAMED_CURVE, v); + } + } else if (strcmp(k, CFG_SSL_ENGINE) == 0) { if (v != NULL && strlen(v) > 0) { config_assign_str(&cfg->ENGINE, v); } @@ -556,11 +575,20 @@ void config_param_validate (char *k, char *v, stud_config *cfg, char *file, int else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) { r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS); } + else if (strcmp(k, CFG_SESSION_TIMEOUT) == 0) { + r = config_param_val_intl(v, &cfg->SESSION_TIMEOUT); + if (r && cfg->SESSION_TIMEOUT < -1) cfg->SESSION_TIMEOUT = -1; + } + else if (strcmp(k, CFG_SSL_CACHE_SIZE) == 0) { + r = config_param_val_int(v, &cfg->SSL_CACHE_SIZE); + if (r && cfg->SSL_CACHE_SIZE < -1) cfg->SSL_CACHE_SIZE = -1; + } else if (strcmp(k, CFG_FRONTEND) == 0) { r = config_param_host_port_wildcard(v, &cfg->FRONT_IP, &cfg->FRONT_PORT, 1); } else if (strcmp(k, CFG_BACKEND) == 0) { - r = config_param_host_port(v, &cfg->BACK_IP, &cfg->BACK_PORT); + r = config_param_host_port(v, &cfg->BACKENDS[cfg->BACKENDS_COUNT].BACK_IP, &cfg->BACKENDS[cfg->BACKENDS_COUNT].BACK_PORT); + cfg->BACKENDS_COUNT++; } else if (strcmp(k, CFG_WORKERS) == 0) { r = config_param_val_intl_pos(v, &cfg->NCORES); @@ -572,6 +600,56 @@ void config_param_validate (char *k, char *v, stud_config *cfg, char *file, int else if (strcmp(k, CFG_KEEPALIVE) == 0) { r = config_param_val_int_pos(v, &cfg->TCP_KEEPALIVE_TIME); } + else if (strcmp(k, CFG_TCP_USER_TIMEOUT) == 0) { +#ifdef __linux__ + int can_use_option = 0; + struct utsname info; + + /* This option is supported in Linux since 2.6.37 */ + if (uname(&info) == 0) { + int major, minor, patch; + if (sscanf(info.release, "%d.%d.%d", &major, &minor, &patch) == 3) { + if (major > 2) { + can_use_option = 1; + } + else if (major == 2) { + if (minor > 6) { + can_use_option = 1; + } + else if (minor == 6) { + if (patch >= 37) { + can_use_option = 1; + } + } + } + } + } + + r = config_param_val_int(v, &cfg->TCP_USER_TIMEOUT_MS); + + if (cfg->TCP_USER_TIMEOUT_MS < 0) { + config_error_set("The option TCP_USER_TIMEOUT must be positive"); + r = 0; + } + else if (r && !can_use_option && cfg->TCP_USER_TIMEOUT_MS != 0) { + /* As this is only a warning, not an error, it won't be shown using config_error_set, so we print it to stderr directly */ + fprintf(stderr, "TCP_USER_TIMEOUT option can only be used in Linux since 2.6.37, your version is %s. Option disabled.\n", info.release); + cfg->TCP_USER_TIMEOUT_MS = 0; + } +#else + r = config_param_val_int(v, &cfg->TCP_USER_TIMEOUT_MS); + + if (cfg->TCP_USER_TIMEOUT_MS < 0) { + config_error_set("The option TCP_USER_TIMEOUT must be positive"); + r = 0; + } + else if (r && cfg->TCP_USER_TIMEOUT_MS != 0) { + /* As this is only a warning, not an error, it won't be shown using config_error_set, so we print it to stderr directly */ + fprintf(stderr, "TCP_USER_TIMEOUT option can only be used in Linux since 2.6.37. Option disabled.\n"); + cfg->TCP_USER_TIMEOUT_MS = 0; + } +#endif + } #ifdef USE_SHARED_CACHE else if (strcmp(k, CFG_SHARED_CACHE) == 0) { r = config_param_val_int(v, &cfg->SHARED_CACHE); @@ -870,11 +948,14 @@ void config_print_usage_fd (char *prog, stud_config *cfg, FILE *out) { fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default: \"%s\")\n", config_disp_str(cfg->CIPHER_SUITE)); fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default: \"%s\")\n", config_disp_str(cfg->ENGINE)); fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n"); + fprintf(out, " -N --named-curve=NAME Named curve for ECDH (Default: prime256v1, see openssl ecparams -list_curves)\n"); + fprintf(out, " -x --session-timeout=SECONDS Session timeout in seconds\n"); + fprintf(out, " -y --openssl-cache-size Sets OpenSSL library cache size (0 to disable it)\n"); fprintf(out, "\n"); fprintf(out, "SOCKET:\n"); fprintf(out, "\n"); fprintf(out, " --client Enable client proxy mode\n"); - fprintf(out, " -b --backend=HOST,PORT Backend [connect] (default is \"%s\")\n", config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT)); + fprintf(out, " -b --backend=HOST,PORT Backend [connect] (can be given multiple times) (default is \"%s\")\n", config_disp_hostport(cfg->BACKENDS[0].BACK_IP, cfg->BACKENDS[0].BACK_PORT)); fprintf(out, " -f --frontend=HOST,PORT Frontend [bind] (default is \"%s\")\n", config_disp_hostport(cfg->FRONT_IP, cfg->FRONT_PORT)); #ifdef USE_SHARED_CACHE @@ -895,6 +976,8 @@ void config_print_usage_fd (char *prog, stud_config *cfg, FILE *out) { fprintf(out, " -n --workers=NUM Number of worker processes (Default: %ld)\n", cfg->NCORES); fprintf(out, " -B --backlog=NUM Set listen backlog size (Default: %d)\n", cfg->BACKLOG); fprintf(out, " -k --keepalive=SECS TCP keepalive on client socket (Default: %d)\n", cfg->TCP_KEEPALIVE_TIME); + fprintf(out, " --tcp-user-timeout=MSECS Milliseconds to wait for ACK packets. Only available\n"); + fprintf(out, " in Linux since 2.6.37. Disabled = 0 (Default: %d)\n", cfg->TCP_USER_TIMEOUT_MS); #ifdef USE_SHARED_CACHE fprintf(out, " -C --session-cache=NUM Enable and set SSL session cache to specified number\n"); @@ -953,7 +1036,12 @@ void config_print_default (FILE *fd, stud_config *cfg) { fprintf(fd, "#\n"); fprintf(fd, "# type: string\n"); fprintf(fd, "# syntax: [HOST]:PORT.\n"); - fprintf(fd, FMT_QSTR, CFG_BACKEND, config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT)); + if (cfg->BACKENDS_COUNT == 0) { + fprintf(fd, FMT_QSTR, CFG_BACKEND, config_disp_hostport(cfg->BACKENDS[0].BACK_IP, cfg->BACKENDS[0].BACK_PORT)); + } else { + for (int i = 0; i < cfg->BACKENDS_COUNT; i++) + fprintf(fd, FMT_QSTR, CFG_BACKEND, config_disp_hostport(cfg->BACKENDS[i].BACK_IP, cfg->BACKENDS[i].BACK_PORT)); + } fprintf(fd, "\n"); fprintf(fd, "# SSL x509 certificate file. REQUIRED.\n"); @@ -1006,6 +1094,15 @@ void config_print_default (FILE *fd, stud_config *cfg) { fprintf(fd, "# type: integer\n"); fprintf(fd, FMT_ISTR, CFG_KEEPALIVE, cfg->TCP_KEEPALIVE_TIME); fprintf(fd, "\n"); + +#ifdef __linux__ + fprintf(fd, "# TCP socket TCP_USER_TIMEOUT option in milliseconds\n"); + fprintf(fd, "#\n"); + fprintf(fd, "# type: integer\n"); + fprintf(fd, "# Value 0 means disabled\n"); + fprintf(fd, FMT_ISTR, CFG_TCP_USER_TIMEOUT, cfg->TCP_USER_TIMEOUT_MS); + fprintf(fd, "\n"); +#endif #ifdef USE_SHARED_CACHE fprintf(fd, "# SSL session cache size\n"); @@ -1143,7 +1240,10 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { { "client", 0, &client, 1}, { CFG_CIPHERS, 1, NULL, 'c' }, { CFG_PREFER_SERVER_CIPHERS, 0, NULL, 'O' }, + { CFG_NAMED_CURVE, 1, NULL, 'N' }, { CFG_BACKEND, 1, NULL, 'b' }, + { CFG_SESSION_TIMEOUT, required_argument, NULL, 'x'}, + { CFG_SSL_CACHE_SIZE, required_argument, NULL, 'y'}, { CFG_FRONTEND, 1, NULL, 'f' }, { CFG_WORKERS, 1, NULL, 'n' }, { CFG_BACKLOG, 1, NULL, 'B' }, @@ -1154,6 +1254,7 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { { CFG_SHARED_CACHE_MCASTIF, 1, NULL, 'M' }, #endif { CFG_KEEPALIVE, 1, NULL, 'k' }, + { CFG_TCP_USER_TIMEOUT, 1, NULL, 'T'}, { CFG_CHROOT, 1, NULL, 'r' }, { CFG_USER, 1, NULL, 'u' }, { CFG_GROUP, 1, NULL, 'g' }, @@ -1175,7 +1276,7 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { int option_index = 0; c = getopt_long( argc, argv, - "c:e:Ob:f:n:B:C:U:P:M:k:r:u:g:qstVh", + "c:N:e:Ob:f:n:B:C:U:P:M:k:r:u:g:x:y:qstVh", long_options, &option_index ); @@ -1201,12 +1302,21 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { case 'c': config_param_validate(CFG_CIPHERS, optarg, cfg, NULL, 0); break; + case 'N': + config_param_validate(CFG_NAMED_CURVE, optarg, cfg, NULL, 0); + break; case 'e': config_param_validate(CFG_SSL_ENGINE, optarg, cfg, NULL, 0); break; case 'O': config_param_validate(CFG_PREFER_SERVER_CIPHERS, CFG_BOOL_ON, cfg, NULL, 0); break; + case 'x': + config_param_validate(CFG_SESSION_TIMEOUT, optarg, cfg, NULL, 0); + break; + case 'y': + config_param_validate(CFG_SSL_CACHE_SIZE, optarg, cfg, NULL, 0); + break; case 'b': config_param_validate(CFG_BACKEND, optarg, cfg, NULL, 0); break; @@ -1236,6 +1346,9 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { case 'k': config_param_validate(CFG_KEEPALIVE, optarg, cfg, NULL, 0); break; + case 'T': + config_param_validate(CFG_TCP_USER_TIMEOUT, optarg, cfg, NULL, 0); + break; case 'r': config_param_validate(CFG_CHROOT, optarg, cfg, NULL, 0); break; @@ -1321,4 +1434,8 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { printf("%s configuration looks ok.\n", basename(prog)); exit(0); } + + // if no backend option given, use default + if (cfg->BACKENDS_COUNT == 0) + cfg->BACKENDS_COUNT = 1; } diff --git a/configuration.h b/configuration.h index 3ea68b0..f0a6ea6 100644 --- a/configuration.h +++ b/configuration.h @@ -21,6 +21,8 @@ typedef struct shcupd_peer_opt { #endif +#define BACKENDS_MAX 32 + typedef enum { ENC_TLS, ENC_SSL @@ -36,6 +38,13 @@ struct cert_files { struct cert_files *NEXT; }; +struct __stud_backend { + char *BACK_IP; + char *BACK_PORT; +}; + +typedef struct __stud_backend stud_backend; + /* configuration structure */ struct __stud_config { ENC_TYPE ETYPE; @@ -48,13 +57,16 @@ struct __stud_config { gid_t GID; char *FRONT_IP; char *FRONT_PORT; - char *BACK_IP; - char *BACK_PORT; + int BACKENDS_COUNT; + stud_backend BACKENDS[BACKENDS_MAX]; long NCORES; struct cert_files *CERT_FILES; char *CIPHER_SUITE; + char *NAMED_CURVE; char *ENGINE; int BACKLOG; + long SESSION_TIMEOUT; + int SSL_CACHE_SIZE; #ifdef USE_SHARED_CACHE int SHARED_CACHE; char *SHCUPD_IP; @@ -67,6 +79,7 @@ struct __stud_config { int SYSLOG; int SYSLOG_FACILITY; int TCP_KEEPALIVE_TIME; + int TCP_USER_TIMEOUT_MS; int DAEMONIZE; int PREFER_SERVER_CIPHERS; }; diff --git a/debian/changelog b/debian/changelog index c4d45a5..8378d4b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,48 @@ +stud (0.3~0.2014111901~wheezy) unstable; urgency=low + + * Doc -y and --openssl-cache-size in usage + + -- Stefan Wehner Wed, 19 Nov 2014 10:27:48 +0000 + +stud (0.3~0.2014101501~wheezy) unstable; urgency=low + + * Added the option to disable SSLv3. + + -- Alfredo Beaumont Wed, 15 Oct 2014 10:39:49 +0000 + +stud (0.3~0.2014091601~wheezy) unstable; urgency=low + + * Added -x and --session-timeout parameters in order to control OpenSSL TLS + session timeout which is 300 seconds by default. + + -- Ricardo Bartolome Mendez Tue, 16 Sep 2014 09:45:15 +0000 + +stud (0.3~0.2014062401~wheezy) unstable; urgency=low + + * Merged ecdh_named_curves from https://github.com/b/stud + + -- Ricardo Bartolome Mendez Tue, 24 Jun 2014 12:44:13 +0000 + +stud (0.3~0.2014042801~wheezy) unstable; urgency=low + + * Build for Debian Wheezy + + -- Ricardo Bartolome Mendez Mon, 28 Apr 2014 12:50:35 +0000 + +stud (0.3~0.2014042801~squeeze) unstable; urgency=low + + * Rev 150c3545458f1a40939854890ee6d5eb31a1383b linked against ebtree 6.0.8 + * Built for Debian Squeeze + + -- Ricardo Bartolome Mendez Mon, 28 Apr 2014 12:44:52 +0000 + +stud (0.3~0.20140428) unstable; urgency=low + + * Non-maintainer upload. + * Built revision 150c3545458f1a40939854890ee6d5eb31a1383b + + -- Ricardo Bartolome Mendez Mon, 28 Apr 2014 12:32:20 +0000 + stud (0.3~0.20111212) unstable; urgency=low * Initial release. diff --git a/debian/rules b/debian/rules index aa6b51e..c9cc0bf 100755 --- a/debian/rules +++ b/debian/rules @@ -8,8 +8,8 @@ override_dh_auto_clean: make clean override_dh_auto_configure: - if [ ! -f ebtree-6.0.6.tar.gz ]; then wget http://1wt.eu/tools/ebtree/ebtree-6.0.6.tar.gz; fi - if [ ! -d ebtree ]; then tar zxpf ebtree-6.0.6.tar.gz; mv ebtree-6.0.6 ebtree; fi + if [ ! -f ebtree-6.0.8.tar.gz ]; then wget http://1wt.eu/tools/ebtree/ebtree-6.0.8.tar.gz; fi + if [ ! -d ebtree ]; then tar zxpf ebtree-6.0.8.tar.gz; mv ebtree-6.0.8 ebtree; fi override_dh_auto_build: make USE_SHARED_CACHE=1 PREFIX=/usr diff --git a/shctx.c b/shctx.c index 3a82560..e477406 100644 --- a/shctx.c +++ b/shctx.c @@ -335,9 +335,10 @@ void shsess_set_new_cbk(void (*func)(unsigned char *, unsigned int, long)) { /* Init shared memory context if not allocated and set SSL context callbacks * size is the max number of stored session + * ssl_cache_size is the size of the openssl cache (-1 default, 0 disable internal cache) * Returns: -1 on alloc failure, size if performs context alloc, and 0 if just perform * callbacks registration */ -int shared_context_init(SSL_CTX *ctx, int size) +int shared_context_init(SSL_CTX *ctx, int size, int ssl_cache_size) { int ret = 0; @@ -383,8 +384,14 @@ int shared_context_init(SSL_CTX *ctx, int size) ret = size; } - /* set SSL internal cache size to external cache / 8 + 123 */ - SSL_CTX_sess_set_cache_size(ctx, size >> 3 | 0x3ff); + if (ssl_cache_size < 0) { + /* set SSL internal cache size to external cache / 8 + 123 */ + SSL_CTX_sess_set_cache_size(ctx, size >> 3 | 0x3ff); + } else if (ssl_cache_size == 0) { + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL); + } else { + SSL_CTX_sess_set_cache_size(ctx, ssl_cache_size); + } /* Set callbacks */ SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb); diff --git a/shctx.h b/shctx.h index 42a600c..b075281 100644 --- a/shctx.h +++ b/shctx.h @@ -45,9 +45,10 @@ void shsess_set_new_cbk(void (*func)(unsigned char *session, unsigned int len, l void shctx_sess_add(const unsigned char *session, unsigned int session_len, long cdate); /* Init shared memory context if not allocated and set SSL context callbacks + * ssl_cache_size is the size of the openssl cache (-1 default, 0 disable internal cache) * size is the max number of stored session * Returns: -1 on alloc failure, size if performs context alloc, and 0 if just * perform callbacks registration */ -int shared_context_init(SSL_CTX *ctx, int size); +int shared_context_init(SSL_CTX *ctx, int size, int ssl_cache_size); #endif /* SHCTX_H */ diff --git a/stud.c b/stud.c index 1e83617..82bcd17 100644 --- a/stud.c +++ b/stud.c @@ -33,7 +33,11 @@ #include #include #include +#ifdef __linux__ +#include +#else #include +#endif #include #include #include @@ -92,7 +96,8 @@ /* Globals */ static struct ev_loop *loop; -static struct addrinfo *backaddr; +static struct addrinfo *backaddr[BACKENDS_MAX]; +static int backend_index; static pid_t master_pid; static ev_io listener; static int listener_socket; @@ -171,6 +176,7 @@ typedef struct proxystate { SSL *ssl; /* OpenSSL SSL state */ struct sockaddr_storage remote_ip; /* Remote ip returned from `accept` */ + int backend_index; /* Index of the backend to connect */ } proxystate; #define LOG(...) \ @@ -212,6 +218,21 @@ static void settcpkeepalive(int fd) { #endif } +/* set the TCP_USER_TIMEOUT tcp socket option */ +static void settcpusertimeout(int fd) { + +#if defined(__linux__) && defined(TCP_USER_TIMEOUT) + if (CONFIG->TCP_USER_TIMEOUT_MS > 0) { + int optval = CONFIG->TCP_USER_TIMEOUT_MS; + socklen_t optlen = sizeof(optval); + + if(setsockopt(fd, SOL_TCP, TCP_USER_TIMEOUT, &optval, optlen) < 0) { + ERR("Error setting TCP_USER_TIMEOUT on client socket: %s", strerror(errno)); + } + } +#endif +} + static void fail(const char* s) { perror(s); exit(1); @@ -251,18 +272,36 @@ static int init_dh(SSL_CTX *ctx, const char *cert) { LOG("{core} DH initialized with %d bit key\n", 8*DH_size(dh)); DH_free(dh); + return 0; +} + #ifndef OPENSSL_NO_EC -#ifdef NID_X9_62_prime256v1 +static int init_ecdh(SSL_CTX *ctx, const char *named_curve) { EC_KEY *ecdh = NULL; - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - SSL_CTX_set_tmp_ecdh(ctx, ecdh); + int nid = 0; + + if (named_curve) { + nid = OBJ_sn2nid(named_curve); + } else { + nid = OBJ_sn2nid("prime256v1"); + } + if (nid == 0) { + LOG("{core} ECDH initialization failed: unknown curve %s\n", named_curve); + return -1; + } + ecdh = EC_KEY_new_by_curve_name(nid); + if (ecdh == NULL) { + ERR("{core} ECDH initialization failed for curve %s\n", named_curve); + return -1; + } + SSL_CTX_set_tmp_ecdh(ctx,ecdh); EC_KEY_free(ecdh); - LOG("{core} ECDH Initialized with NIST P-256\n"); -#endif /* NID_X9_62_prime256v1 */ -#endif /* OPENSSL_NO_EC */ + LOG("{core} ECDH initialized with %s\n", named_curve); - return 0; + return 0; } +#endif /* OPENSSL_NO_EC */ + #endif /* OPENSSL_NO_DH */ /* This callback function is executed while OpenSSL processes the SSL @@ -590,7 +629,7 @@ SSL_CTX *make_ctx(const char *pemfile) { SSL_CTX *ctx; RSA *rsa; - long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | + long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; #ifdef SSL_OP_NO_COMPRESSION @@ -644,6 +683,9 @@ SSL_CTX *make_ctx(const char *pemfile) { #ifndef OPENSSL_NO_DH init_dh(ctx, pemfile); +#ifndef OPENSSL_NO_EC + init_ecdh(ctx, CONFIG->NAMED_CURVE); +#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_DH */ #ifndef OPENSSL_NO_TLSEXT @@ -654,7 +696,10 @@ SSL_CTX *make_ctx(const char *pemfile) { #ifdef USE_SHARED_CACHE if (CONFIG->SHARED_CACHE) { - if (shared_context_init(ctx, CONFIG->SHARED_CACHE) < 0) { + if (CONFIG->SSL_CACHE_SIZE >= 0) { + LOG("{core} Forcing OpenSSL cache size to: %d\n", CONFIG->SSL_CACHE_SIZE); + } + if (shared_context_init(ctx, CONFIG->SHARED_CACHE, CONFIG->SSL_CACHE_SIZE) < 0) { ERR("Unable to alloc memory for shared cache.\n"); exit(1); } @@ -674,6 +719,10 @@ SSL_CTX *make_ctx(const char *pemfile) { } #endif + if (CONFIG->SESSION_TIMEOUT != -1) { + SSL_CTX_set_timeout(ctx, CONFIG->SESSION_TIMEOUT); + } + RSA_free(rsa); return ctx; } @@ -850,8 +899,8 @@ static int create_main_socket() { /* Initiate a clear-text nonblocking connect() to the backend IP on behalf * of a newly connected upstream (encrypted) client*/ -static int create_back_socket() { - int s = socket(backaddr->ai_family, SOCK_STREAM, IPPROTO_TCP); +static int create_back_socket(int backend_index) { + int s = socket(backaddr[backend_index]->ai_family, SOCK_STREAM, IPPROTO_TCP); if (s == -1) return -1; @@ -921,7 +970,7 @@ static void handle_socket_errno(proxystate *ps, int backend) { /* Start connect to backend */ static void start_connect(proxystate *ps) { int t = 1; - t = connect(ps->fd_down, backaddr->ai_addr, backaddr->ai_addrlen); + t = connect(ps->fd_down, backaddr[ps->backend_index]->ai_addr, backaddr[ps->backend_index]->ai_addrlen); if (t == 0 || errno == EINPROGRESS || errno == EINTR) { ev_io_start(loop, &ps->ev_w_connect); return ; @@ -1006,7 +1055,7 @@ static void handle_connect(struct ev_loop *loop, ev_io *w, int revents) { (void) revents; int t; proxystate *ps = (proxystate *)w->data; - t = connect(ps->fd_down, backaddr->ai_addr, backaddr->ai_addrlen); + t = connect(ps->fd_down, backaddr[ps->backend_index]->ai_addr, backaddr[ps->backend_index]->ai_addrlen); if (!t || errno == EISCONN || !errno) { ev_io_stop(loop, &ps->ev_w_connect); @@ -1333,8 +1382,9 @@ static void handle_accept(struct ev_loop *loop, ev_io *w, int revents) { setnonblocking(client); settcpkeepalive(client); + settcpusertimeout(client); - int back = create_back_socket(); + int back = create_back_socket(backend_index); if (back == -1) { close(client); @@ -1362,6 +1412,9 @@ static void handle_accept(struct ev_loop *loop, ev_io *w, int revents) { ps->handshaked = 0; ps->renegotiation = 0; ps->remote_ip = addr; + ps->backend_index = backend_index++; + if (backend_index >= CONFIG->BACKENDS_COUNT) + backend_index = 0; ringbuffer_init(&ps->ring_clear2ssl); ringbuffer_init(&ps->ring_ssl2clear); @@ -1450,8 +1503,9 @@ static void handle_clear_accept(struct ev_loop *loop, ev_io *w, int revents) { setnonblocking(client); settcpkeepalive(client); + settcpusertimeout(client); - int back = create_back_socket(); + int back = create_back_socket(backend_index); if (back == -1) { close(client); @@ -1481,6 +1535,9 @@ static void handle_clear_accept(struct ev_loop *loop, ev_io *w, int revents) { ps->handshaked = 0; ps->renegotiation = 0; ps->remote_ip = addr; + ps->backend_index = backend_index++; + if (backend_index >= CONFIG->BACKENDS_COUNT) + backend_index = 0; ringbuffer_init(&ps->ring_clear2ssl); ringbuffer_init(&ps->ring_ssl2clear); @@ -1570,12 +1627,15 @@ void init_globals() { hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = 0; - const int gai_err = getaddrinfo(CONFIG->BACK_IP, CONFIG->BACK_PORT, - &hints, &backaddr); - if (gai_err != 0) { - ERR("{getaddrinfo}: [%s]", gai_strerror(gai_err)); - exit(1); + for (int i = 0; i < CONFIG->BACKENDS_COUNT; i++) { + const int gai_err = getaddrinfo(CONFIG->BACKENDS[i].BACK_IP, CONFIG->BACKENDS[i].BACK_PORT, + &hints, &backaddr[i]); + if (gai_err != 0) { + ERR("{getaddrinfo}: [%s]", gai_strerror(gai_err)); + exit(1); + } } + backend_index = 0; #ifdef USE_SHARED_CACHE if (CONFIG->SHARED_CACHE) {