Changeset: 7fa2dcb15167 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/7fa2dcb15167 Modified Files: common/stream/tls_stream.c tools/merovingian/daemon/proxy.c Branch: smapi Log Message:
Proxy UNIX sockets for TLS connections diffs (206 lines):
diff --git a/common/stream/tls_stream.c b/common/stream/tls_stream.c
--- a/common/stream/tls_stream.c
+++ b/common/stream/tls_stream.c
@@ -27,6 +27,22 @@ typedef struct ssl_wrapper {
 SSL *cSSL;
 } ssl_wrapper;
+#ifndef STREAM_DEBUG
+static void
+print_buffer(const void *restrict buf, size_t len)
+{
+ char *ptr = (char *)buf;
+ for(size_t i = 0; i < len; i++) {
+ char c = ptr[i];
+ if (isprint(c))
+ fprintf(stderr, "%c", c);
+ else
+ fprintf(stderr, "<%hhu>", c);
+ }
+ fprintf(stderr, "\n");
+ fflush(stderr);
+}
+#endif // STREAM_DEBUG
 static ssize_t
 tls_write(stream *restrict s, const void *restrict buf, size_t elmsize, size_t cnt)
@@ -36,7 +52,10 @@ tls_write(stream *restrict s, const void
 size_t retries = 5;
 int ssl_err = SSL_ERROR_NONE;
+#ifndef STREAM_DEBUG
 fprintf(stderr, "SSL stream write %zu bytes\n", elmsize*cnt);
+ print_buffer(buf, elmsize*cnt);
+#endif // STREAM_DEBUG
 ERR_clear_error();
@@ -69,7 +88,9 @@ tls_write(stream *restrict s, const void
 }
 return -1;
 }
+#ifndef STREAM_DEBUG
 fprintf(stderr, "SSL stream write wrote %zd bytes\n", ret);
+#endif // STREAM_DEBUG
 return ret/elmsize;
 }
@@ -80,7 +101,9 @@ tls_read(stream *restrict s, void *restr
 ssl_wrapper *w = (ssl_wrapper *)s->stream_data.p;
 ssize_t ret;
+#ifndef STREAM_DEBUG
 fprintf(stderr, "SSL stream read\n");
+#endif // STREAM_DEBUG
 ret = SSL_read(w->cSSL, buf, elmsize*cnt);
 if (ret < 0) {
@@ -89,7 +112,10 @@ tls_read(stream *restrict s, void *restr
 return -1;
 }
+#ifndef STREAM_DEBUG
 fprintf(stderr, "SSL stream read got %zd bytes\n", ret);
+ print_buffer(buf, elmsize*cnt);
+#endif // STREAM_DEBUG
 if (ret == 0) {
 s->eof = true;
@@ -103,6 +129,10 @@ tls_close(stream *s)
 /* TODO properly shutdown */
 ssl_wrapper *w = (ssl_wrapper *)s->stream_data.p;
 SSL_shutdown(w->cSSL);
+#ifndef STREAM_DEBUG
+ fprintf(stderr, "Closing TLS stream\n");
+#endif // STREAM_DEBUG
+
 }
 static stream *
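Review bot: The preprocessor guard around the new print_buffer() is inverted: `#ifndef STREAM_DEBUG` compiles the tracing in whenever STREAM_DEBUG is *not* defined, so an ordinary build writes the decrypted payload of every TLS write and read — whatever the wire protocol carries, credentials included — to stderr, and the same inverted guard is repeated in the @@ -36, @@ -69, @@ -80, @@ -89 and @@ -103 hunks. All six should read `#ifdef STREAM_DEBUG` so the dump exists only in a deliberately built debug binary. Inside print_buffer, `isprint(c)` on a plain `char` is undefined for negative values, which any byte >= 0x80 produces where char is signed; declare `const unsigned char *ptr = buf;` and `unsigned char c = ptr[i];` (this also stops casting away the const of `buf`, and `%hhu` already expects that type). I cannot see the includes in this hunk, so confirm `<ctype.h>` is included for isprint().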
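Review bot: `print_buffer(buf, elmsize*cnt)` after SSL_read dumps the full requested length, but only `ret` bytes were written into buf by the call, so a short read — or the `ret == 0` EOF case handled just below — prints stale or uninitialized memory past the received data. Pass the actual count instead: `print_buffer(buf, (size_t)ret);`; ret is known to be non-negative here because the `ret < 0` branch has already returned. The body of tls_read() continues outside the hunk.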
diff --git a/tools/merovingian/daemon/proxy.c b/tools/merovingian/daemon/proxy.c
--- a/tools/merovingian/daemon/proxy.c
+++ b/tools/merovingian/daemon/proxy.c
@@ -141,8 +141,7 @@ startProxy(int psock, stream *cfdin, str
 * I therefore need to correctly open the UNIX socket in case
 * of TLS connection.
 * */
- if (ssock != -1 && !use_tls) {
- /* UNIX socket connect, don't proxy, but pass socket fd */
+ if (ssock != -1 ) {
 struct sockaddr_un server;
 struct msghdr msg;
 char ccmsg[CMSG_SPACE(sizeof(ssock))];
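Review bot: Style: `if (ssock != -1 ) {` carries a stray space before the closing parenthesis; the surrounding code writes `if (ssock != -1) {`. Since this block now serves both the fd-passing and the TLS path, the comment dropped here should be replaced by one that says so, e.g. `/* UNIX socket: pass the fd directly unless TLS is in use, in which case we proxy */`, so a reader does not assume the old no-proxy behaviour still applies to every UNIX-socket connection. The enclosing startProxy() continues outside the hunk.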
@@ -171,52 +170,70 @@ startProxy(int psock, stream *cfdin, str
 return(newErr("cannot connect: %s", strerror(errno)));
 }
- /* send first byte, nothing special to happen */
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- *buf = '1'; /* pass fd */
- vec.iov_base = buf;
- vec.iov_len = 1;
- msg.msg_iov = &vec;
- msg.msg_iovlen = 1;
- msg.msg_control = ccmsg;
- msg.msg_controllen = sizeof(ccmsg);
- cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(psock));
- /* HACK to avoid
- * "dereferencing type-punned pointer will break strict-aliasing rules"
- * (with gcc 4.5.1 on Fedora 14)
- */
- c_d = (int *)CMSG_DATA(cmsg);
- *c_d = psock;
- msg.msg_controllen = cmsg->cmsg_len;
- msg.msg_flags = 0;
+ /* UNIX socket connect and not tls, don't proxy, but pass socket fd */
+ if (!use_tls) {
+ /* send first byte, nothing special to happen */
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ *buf = '1'; /* pass fd */
+ vec.iov_base = buf;
+ vec.iov_len = 1;
+ msg.msg_iov = &vec;
+ msg.msg_iovlen = 1;
+ msg.msg_control = ccmsg;
+ msg.msg_controllen = sizeof(ccmsg);
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_level = SOL_SOCKET;
+ cmsg->cmsg_type = SCM_RIGHTS;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(psock));
+ /* HACK to avoid
+ * "dereferencing type-punned pointer will break strict-aliasing rules"
+ * (with gcc 4.5.1 on Fedora 14)
+ */
+ c_d = (int *)CMSG_DATA(cmsg);
+ *c_d = psock;
+ msg.msg_controllen = cmsg->cmsg_len;
+ msg.msg_flags = 0;
- Mlevelfprintf(DEBUG, stdout, "target connection is on local UNIX domain socket, "
- "passing on filedescriptor instead of proxying\n");
- if (sendmsg(ssock, &msg, 0) < 0) {
+ Mlevelfprintf(DEBUG, stdout, "target connection is on local UNIX domain socket, "
+ "passing on filedescriptor instead of proxying\n");
+ if (sendmsg(ssock, &msg, 0) < 0) {
+ closesocket(ssock);
+ return(newErr("could not send initial byte: %s", strerror(errno)));
+ }
+ /* block until the server acknowledges that it has psock
+ * connected with itself */
+ if (recv(ssock, buf, 1, 0) == -1) {
+ closesocket(ssock);
+ return(newErr("could not receive initial byte: %s", strerror(errno)));
+ }
+ shutdown(ssock, SHUT_RDWR);
 closesocket(ssock);
- return(newErr("could not send initial byte: %s", strerror(errno)));
- }
- /* block until the server acknowledges that it has psock
- * connected with itself */
- if (recv(ssock, buf, 1, 0) == -1) {
- closesocket(ssock);
- return(newErr("could not receive initial byte: %s", strerror(errno)));
+ /* psock is the underlying socket of cfdin/cfout which we
+ * passed on to the client; we need to close the socket, but
+ * not call shutdown() on it, which would happen if we called
+ * close_stream(), so we call closesocket to close the socket
+ * and mnstr_destroy to free memory */
+ closesocket(psock);
+ mnstr_destroy(cfdin);
+ mnstr_destroy(cfout);
+ return(NO_ERR);
+ } else {
+ *buf = '0'; /* no data */
+
+ Mlevelfprintf(DEBUG, stdout, "target connection is on local UNIX domain socket, "
+ "and using TLS. Send byte '0' to start communication.\n");
+ if (send(ssock, buf, 1, 0) < 0) {
+ closesocket(ssock);
+ return(newErr("could not send initial byte: %s", strerror(errno)));
+ }
+ /* block until the server acknowledges that it has psock
+ * connected with itself */
+ if (recv(ssock, buf, 1, 0) == -1) {
+ closesocket(ssock);
+ return(newErr("could not receive initial byte: %s", strerror(errno)));
+ }
 }
- shutdown(ssock, SHUT_RDWR);
- closesocket(ssock);
- /* psock is the underlying socket of cfdin/cfout which we
- * passed on to the client; we need to close the socket, but
- * not call shutdown() on it, which would happen if we called
- * close_stream(), so we call closesocket to close the socket
- * and mnstr_destroy to free memory */
- closesocket(psock);
- mnstr_destroy(cfdin);
- mnstr_destroy(cfout);
- return(NO_ERR);
 } else {
 int check;
 struct addrinfo *results, *rp, hints = (struct addrinfo) {
_______________________________________________
checkin-list mailing list -- checkin-list@monetdb.org
To unsubscribe send an email to checkin-list-le...@monetdb.org
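Review bot: In the new `else` (TLS) branch the comment `/* block until the server acknowledges that it has psock connected with itself */` was copied from the fd-passing branch but is wrong here: no descriptor is sent, only the '0' byte, so it should state what the reply actually acknowledges, e.g. `/* wait for the server to acknowledge the '0' byte before we start proxying */`. Both branches test `recv(ssock, buf, 1, 0) == -1`, which treats a 0 return (the server closed the UNIX socket) as success; in the TLS branch execution then continues past the hunk into the proxying code with a socket the peer has already closed, so `if (recv(ssock, buf, 1, 0) <= 0)` is the safer test, with the 0 case reported without strerror(errno), which is stale there. The reply byte itself is never inspected; if the server can answer with anything other than an acknowledgement, that value should be checked before proceeding — I cannot tell from this hunk what the protocol allows. The body of startProxy() continues outside the hunk.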