Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / a5ec06de2c2bb71bbd16050512e08b5b05749163 / . / contrib / modsecurity / spoa.c
blob: 506ff8245d2c8beb0facb7e16368488519e7fc5b [file] [log] [blame]
Thierry FOURNIERa5ec06d2017-04-10 23:47:23 +0200[diff] [blame^]1/*
2 * Modsecurity wrapper for haproxy
3 *
4 * This file contains the bootstrap for laucnching and scheduling modsecurity
5 * for working with HAProxy SPOE protocol.
6 *
7 * Copyright 2016 OZON, Thierry Fournier <thierry.fournier@ozon.io>
8 *
9 * This file is inherited from "A Random IP reputation service acting as a Stream
10 * Processing Offload Agent"
11 *
12 * Copyright 2016 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com>
13 *
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version
17 * 2 of the License, or (at your option) any later version.
18 *
19 */
20#include <unistd.h>
21#include <stdlib.h>
22#include <string.h>
23#include <stdbool.h>
24#include <errno.h>
25#include <stdio.h>
26#include <signal.h>
27#include <netinet/in.h>
28#include <sys/socket.h>
29#include <err.h>
30#include <ctype.h>
31
32#include <pthread.h>
33
34#include <event2/util.h>
35#include <event2/event.h>
36#include <event2/event_struct.h>
37#include <event2/thread.h>
38
39#include <common/mini-clist.h>
40#include <common/chunk.h>
41
42#include <proto/spoe.h>
43
44#include "spoa.h"
45#include "modsec_wrapper.h"
46
47#define DEFAULT_PORT 12345
48#define CONNECTION_BACKLOG 10
49#define NUM_WORKERS 10
50#define MAX_FRAME_SIZE 16384
51#define SPOP_VERSION "1.0"
52
53#define SLEN(str) (sizeof(str)-1)
54
55#define DEBUG(x...) \
56 do { \
57 if (debug) \
58 LOG(x); \
59 } while (0)
60
61
62enum spoa_state {
63 SPOA_ST_CONNECTING = 0,
64 SPOA_ST_PROCESSING,
65 SPOA_ST_DISCONNECTING,
66};
67
68enum spoa_frame_type {
69 SPOA_FRM_T_UNKNOWN = 0,
70 SPOA_FRM_T_HAPROXY,
71 SPOA_FRM_T_AGENT,
72};
73
74struct spoe_engine {
75 char *id;
76
77 struct list processing_frames;
78 struct list outgoing_frames;
79
80 struct list clients;
81 struct list list;
82};
83
84struct spoe_frame {
85 enum spoa_frame_type type;
86 char *buf;
87 unsigned int offset;
88 unsigned int len;
89
90 unsigned int stream_id;
91 unsigned int frame_id;
92 unsigned int flags;
93 bool hcheck; /* true is the CONNECT frame is a healthcheck */
94 bool fragmented; /* true if the frame is fragmented */
95 int modsec_code; /* modsecurity return code. -1 if unset, 0 if none, other it returns http code. */
96
97 struct event process_frame_event;
98 struct worker *worker;
99 struct spoe_engine *engine;
100 struct client *client;
101 struct list list;
102
103 char *frag_buf; /* used to accumulate payload of a fragmented frame */
104 unsigned int frag_len;
105
106 char data[0];
107};
108
109struct client {
110 int fd;
111 unsigned long id;
112 enum spoa_state state;
113
114 struct event read_frame_event;
115 struct event write_frame_event;
116
117 struct spoe_frame *incoming_frame;
118 struct spoe_frame *outgoing_frame;
119
120 struct list processing_frames;
121 struct list outgoing_frames;
122
123 unsigned int max_frame_size;
124 int status_code;
125
126 char *engine_id;
127 struct spoe_engine *engine;
128 bool pipelining;
129 bool async;
130 bool fragmentation;
131
132 struct worker *worker;
133 struct list by_worker;
134 struct list by_engine;
135};
136
137/* Globals */
138static struct worker *workers = NULL;
139 struct worker null_worker = { .id = 0 };
140static unsigned long clicount = 0;
141static int server_port = DEFAULT_PORT;
142static int num_workers = NUM_WORKERS;
143static unsigned int max_frame_size = MAX_FRAME_SIZE;
144struct timeval processing_delay = {0, 0};
145static bool debug = false;
146static bool pipelining = false;
147static bool async = false;
148static bool fragmentation = false;
149
150
151static const char *spoe_frm_err_reasons[SPOE_FRM_ERRS] = {
152 [SPOE_FRM_ERR_NONE] = "normal",
153 [SPOE_FRM_ERR_IO] = "I/O error",
154 [SPOE_FRM_ERR_TOUT] = "a timeout occurred",
155 [SPOE_FRM_ERR_TOO_BIG] = "frame is too big",
156 [SPOE_FRM_ERR_INVALID] = "invalid frame received",
157 [SPOE_FRM_ERR_NO_VSN] = "version value not found",
158 [SPOE_FRM_ERR_NO_FRAME_SIZE] = "max-frame-size value not found",
159 [SPOE_FRM_ERR_NO_CAP] = "capabilities value not found",
160 [SPOE_FRM_ERR_BAD_VSN] = "unsupported version",
161 [SPOE_FRM_ERR_BAD_FRAME_SIZE] = "max-frame-size too big or too small",
162 [SPOE_FRM_ERR_FRAG_NOT_SUPPORTED] = "fragmentation not supported",
163 [SPOE_FRM_ERR_INTERLACED_FRAMES] = "invalid interlaced frames",
164 [SPOE_FRM_ERR_FRAMEID_NOTFOUND] = "frame-id not found",
165 [SPOE_FRM_ERR_RES] = "resource allocation error",
166 [SPOE_FRM_ERR_UNKNOWN] = "an unknown error occurred",
167};
168
169static void signal_cb(evutil_socket_t, short, void *);
170static void accept_cb(evutil_socket_t, short, void *);
171static void worker_monitor_cb(evutil_socket_t, short, void *);
172static void process_frame_cb(evutil_socket_t, short, void *);
173static void read_frame_cb(evutil_socket_t, short, void *);
174static void write_frame_cb(evutil_socket_t, short, void *);
175
176static void use_spoe_engine(struct client *);
177static void unuse_spoe_engine(struct client *);
178static void release_frame(struct spoe_frame *);
179static void release_client(struct client *);
180
181/* Check the protocol version. It returns -1 if an error occurred, the number of
182 * read bytes otherwise. */
183static int
184check_proto_version(struct spoe_frame *frame, char **buf, char *end)
185{
186 char *str, *p = *buf;
187 uint64_t sz;
188 int ret;
189
190 /* Get the list of all supported versions by HAProxy */
191 if ((*p++ & SPOE_DATA_T_MASK) != SPOE_DATA_T_STR)
192 return -1;
193 ret = spoe_decode_buffer(&p, end, &str, &sz);
194 if (ret == -1 || !str)
195 return -1;
196
197 DEBUG(frame->worker, "<%lu> Supported versions : %.*s",
198 frame->client->id, (int)sz, str);
199
200 /* TODO: Find the right verion in supported ones */
201
202 ret = (p - *buf);
203 *buf = p;
204 return ret;
205}
206
207/* Check max frame size value. It returns -1 if an error occurred, the number of
208 * read bytes otherwise. */
209static int
210check_max_frame_size(struct spoe_frame *frame, char **buf, char *end)
211{
212 char *p = *buf;
213 uint64_t sz;
214 int type, ret;
215
216 /* Get the max-frame-size value of HAProxy */
217 type = *p++;
218 if ((type & SPOE_DATA_T_MASK) != SPOE_DATA_T_INT32 &&
219 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_INT64 &&
220 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_UINT32 &&
221 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_UINT64)
222 return -1;
223 if (decode_varint(&p, end, &sz) == -1)
224 return -1;
225
226 /* Keep the lower value */
227 if (sz < frame->client->max_frame_size)
228 frame->client->max_frame_size = sz;
229
230 DEBUG(frame->worker, "<%lu> HAProxy maximum frame size : %u",
231 frame->client->id, (unsigned int)sz);
232
233 ret = (p - *buf);
234 *buf = p;
235 return ret;
236}
237
238/* Check healthcheck value. It returns -1 if an error occurred, the number of
239 * read bytes otherwise. */
240static int
241check_healthcheck(struct spoe_frame *frame, char **buf, char *end)
242{
243 char *p = *buf;
244 int type, ret;
245
246 /* Get the "healthcheck" value */
247 type = *p++;
248 if ((type & SPOE_DATA_T_MASK) != SPOE_DATA_T_BOOL)
249 return -1;
250 frame->hcheck = ((type & SPOE_DATA_FL_TRUE) == SPOE_DATA_FL_TRUE);
251
252 DEBUG(frame->worker, "<%lu> HELLO healthcheck : %s",
253 frame->client->id, (frame->hcheck ? "true" : "false"));
254
255 ret = (p - *buf);
256 *buf = p;
257 return ret;
258}
259
260/* Check capabilities value. It returns -1 if an error occurred, the number of
261 * read bytes otherwise. */
262static int
263check_capabilities(struct spoe_frame *frame, char **buf, char *end)
264{
265 struct client *client = frame->client;
266 char *str, *p = *buf;
267 uint64_t sz;
268 int ret;
269
270 if ((*p++ & SPOE_DATA_T_MASK) != SPOE_DATA_T_STR)
271 return -1;
272 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
273 return -1;
274 if (str == NULL) /* this is not an error */
275 goto end;
276
277 DEBUG(frame->worker, "<%lu> HAProxy capabilities : %.*s",
278 client->id, (int)sz, str);
279
280 while (sz) {
281 char *delim;
282
283 /* Skip leading spaces */
284 for (; isspace(*str) && sz; sz--);
285
286 if (sz >= 10 && !strncmp(str, "pipelining", 10)) {
287 str += 10; sz -= 10;
288 if (!sz || isspace(*str) || *str == ',') {
289 DEBUG(frame->worker,
290 "<%lu> HAProxy supports frame pipelining",
291 client->id);
292 client->pipelining = true;
293 }
294 }
295 else if (sz >= 5 && !strncmp(str, "async", 5)) {
296 str += 5; sz -= 5;
297 if (!sz || isspace(*str) || *str == ',') {
298 DEBUG(frame->worker,
299 "<%lu> HAProxy supports asynchronous frame",
300 client->id);
301 client->async = true;
302 }
303 }
304 else if (sz >= 13 && !strncmp(str, "fragmentation", 13)) {
305 str += 13; sz -= 13;
306 if (!sz || isspace(*str) || *str == ',') {
307 DEBUG(frame->worker,
308 "<%lu> HAProxy supports fragmented frame",
309 client->id);
310 client->fragmentation = true;
311 }
312 }
313
314 if (!sz || (delim = memchr(str, ',', sz)) == NULL)
315 break;
316 delim++;
317 sz -= (delim - str);
318 str = delim;
319 }
320 end:
321 ret = (p - *buf);
322 *buf = p;
323 return ret;
324}
325
326/* Check engine-id value. It returns -1 if an error occurred, the number of
327 * read bytes otherwise. */
328static int
329check_engine_id(struct spoe_frame *frame, char **buf, char *end)
330{
331 struct client *client = frame->client;
332 char *str, *p = *buf;
333 uint64_t sz;
334 int ret;
335
336 if ((*p++ & SPOE_DATA_T_MASK) != SPOE_DATA_T_STR)
337 return -1;
338
339 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
340 return -1;
341 if (str == NULL) /* this is not an error */
342 goto end;
343
344 if (client->engine != NULL)
345 goto end;
346
347 DEBUG(frame->worker, "<%lu> HAProxy engine id : %.*s",
348 client->id, (int)sz, str);
349
350 client->engine_id = strndup(str, (int)sz);
351 end:
352 ret = (p - *buf);
353 *buf = p;
354 return ret;
355}
356
357static int
358acc_payload(struct spoe_frame *frame)
359{
360 struct client *client = frame->client;
361 char *buf;
362 size_t len = frame->len - frame->offset;
363 int ret = frame->offset;
364
365 /* No need to accumulation payload */
366 if (frame->fragmented == false)
367 return ret;
368
369 buf = realloc(frame->frag_buf, frame->frag_len + len);
370 if (buf == NULL) {
371 client->status_code = SPOE_FRM_ERR_RES;
372 return -1;
373 }
374 memcpy(buf + frame->frag_len, frame->buf + frame->offset, len);
375 frame->frag_buf = buf;
376 frame->frag_len += len;
377
378 if (!(frame->flags & SPOE_FRM_FL_FIN)) {
379 /* Wait for next parts */
380 frame->buf = (char *)(frame->data);
381 frame->offset = 0;
382 frame->len = 0;
383 frame->flags = 0;
384 return 1;
385 }
386
387 frame->buf = frame->frag_buf;
388 frame->len = frame->frag_len;
389 frame->offset = 0;
390 return ret;
391}
392
393/* Check disconnect status code. It returns -1 if an error occurred, the number
394 * of read bytes otherwise. */
395static int
396check_discon_status_code(struct spoe_frame *frame, char **buf, char *end)
397{
398 char *p = *buf;
399 uint64_t sz;
400 int type, ret;
401
402 /* Get the "status-code" value */
403 type = *p++;
404 if ((type & SPOE_DATA_T_MASK) != SPOE_DATA_T_INT32 &&
405 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_INT64 &&
406 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_UINT32 &&
407 (type & SPOE_DATA_T_MASK) != SPOE_DATA_T_UINT64)
408 return -1;
409 if (decode_varint(&p, end, &sz) == -1)
410 return -1;
411
412 frame->client->status_code = (unsigned int)sz;
413
414 DEBUG(frame->worker, "<%lu> Disconnect status code : %u",
415 frame->client->id, frame->client->status_code);
416
417 ret = (p - *buf);
418 *buf = p;
419 return ret;
420}
421
422/* Check the disconnect message. It returns -1 if an error occurred, the number
423 * of read bytes otherwise. */
424static int
425check_discon_message(struct spoe_frame *frame, char **buf, char *end)
426{
427 char *str, *p = *buf;
428 uint64_t sz;
429 int ret;
430
431 /* Get the "message" value */
432 if ((*p++ & SPOE_DATA_T_MASK) != SPOE_DATA_T_STR)
433 return -1;
434 ret = spoe_decode_buffer(&p, end, &str, &sz);
435 if (ret == -1 || !str)
436 return -1;
437
438 DEBUG(frame->worker, "<%lu> Disconnect message : %.*s",
439 frame->client->id, (int)sz, str);
440
441 ret = (p - *buf);
442 *buf = p;
443 return ret;
444}
445
446
447
448/* Decode a HELLO frame received from HAProxy. It returns -1 if an error
449 * occurred, otherwise the number of read bytes. HELLO frame cannot be
450 * ignored and having another frame than a HELLO frame is an error. */
451static int
452handle_hahello(struct spoe_frame *frame)
453{
454 struct client *client = frame->client;
455 char *p, *end;
456
457 p = frame->buf;
458 end = frame->buf + frame->len;
459
460 /* Check frame type: we really want a HELLO frame */
461 if (*p++ != SPOE_FRM_T_HAPROXY_HELLO)
462 goto error;
463
464 DEBUG(frame->worker, "<%lu> Decode HAProxy HELLO frame", client->id);
465
466 /* Retrieve flags */
467 memcpy((char *)&(frame->flags), p, 4);
468 p += 4;
469
470 /* Fragmentation is not supported for HELLO frame */
471 if (!(frame->flags & SPOE_FRM_FL_FIN)) {
472 client->status_code = SPOE_FRM_ERR_FRAG_NOT_SUPPORTED;
473 goto error;
474 }
475
476 /* stream-id and frame-id must be cleared */
477 if (*p != 0 || *(p+1) != 0) {
478 client->status_code = SPOE_FRM_ERR_INVALID;
479 goto error;
480 }
481 p += 2;
482
483 /* Loop on K/V items */
484 while (p < end) {
485 char *str;
486 uint64_t sz;
487
488 /* Decode the item name */
489 spoe_decode_buffer(&p, end, &str, &sz);
490 if (!str) {
491 client->status_code = SPOE_FRM_ERR_INVALID;
492 goto error;
493 }
494
495 /* Check "supported-versions" K/V item */
496 if (!memcmp(str, "supported-versions", sz)) {
497 if (check_proto_version(frame, &p, end) == -1) {
498 client->status_code = SPOE_FRM_ERR_INVALID;
499 goto error;
500 }
501 }
502 /* Check "max-frame-size" K/V item */
503 else if (!memcmp(str, "max-frame-size", sz)) {
504 if (check_max_frame_size(frame, &p, end) == -1) {
505 client->status_code = SPOE_FRM_ERR_INVALID;
506 goto error;
507 }
508 }
509 /* Check "healthcheck" K/V item */
510 else if (!memcmp(str, "healthcheck", sz)) {
511 if (check_healthcheck(frame, &p, end) == -1) {
512 client->status_code = SPOE_FRM_ERR_INVALID;
513 goto error;
514 }
515 }
516 /* Check "capabilities" K/V item */
517 else if (!memcmp(str, "capabilities", sz)) {
518 if (check_capabilities(frame, &p, end) == -1) {
519 client->status_code = SPOE_FRM_ERR_INVALID;
520 goto error;
521 }
522 }
523 /* Check "engine-id" K/V item */
524 else if (!memcmp(str, "engine-id", sz)) {
525 if (check_engine_id(frame, &p, end) == -1) {
526 client->status_code = SPOE_FRM_ERR_INVALID;
527 goto error;
528 }
529 }
530 else {
531 DEBUG(frame->worker, "<%lu> Skip K/V item : key=%.*s",
532 client->id, (int)sz, str);
533
534 /* Silently ignore unknown item */
535 if (spoe_skip_data(&p, end) == -1) {
536 client->status_code = SPOE_FRM_ERR_INVALID;
537 goto error;
538 }
539 }
540 }
541
542 if (async == false || client->engine_id == NULL)
543 client->async = false;
544 if (pipelining == false)
545 client->pipelining = false;
546
547 if (client->async == true)
548 use_spoe_engine(client);
549
550 return (p - frame->buf);
551 error:
552 return -1;
553}
554
555/* Decode a DISCONNECT frame received from HAProxy. It returns -1 if an error
556 * occurred, otherwise the number of read bytes. DISCONNECT frame cannot be
557 * ignored and having another frame than a DISCONNECT frame is an error.*/
558static int
559handle_hadiscon(struct spoe_frame *frame)
560{
561 struct client *client = frame->client;
562 char *p, *end;
563
564 p = frame->buf;
565 end = frame->buf + frame->len;
566
567 /* Check frame type: we really want a DISCONNECT frame */
568 if (*p++ != SPOE_FRM_T_HAPROXY_DISCON)
569 goto error;
570
571 DEBUG(frame->worker, "<%lu> Decode HAProxy DISCONNECT frame", client->id);
572
573 /* Retrieve flags */
574 memcpy((char *)&(frame->flags), p, 4);
575 p += 4;
576
577 /* Fragmentation is not supported for DISCONNECT frame */
578 if (!(frame->flags & SPOE_FRM_FL_FIN)) {
579 client->status_code = SPOE_FRM_ERR_FRAG_NOT_SUPPORTED;
580 goto error;
581 }
582
583 /* stream-id and frame-id must be cleared */
584 if (*p != 0 || *(p+1) != 0) {
585 client->status_code = SPOE_FRM_ERR_INVALID;
586 goto error;
587 }
588 p += 2;
589
590 client->status_code = SPOE_FRM_ERR_NONE;
591
592 /* Loop on K/V items */
593 while (p < end) {
594 char *str;
595 uint64_t sz;
596
597 /* Decode item key */
598 spoe_decode_buffer(&p, end, &str, &sz);
599 if (!str) {
600 client->status_code = SPOE_FRM_ERR_INVALID;
601 goto error;
602 }
603
604 /* Check "status-code" K/V item */
605 if (!memcmp(str, "status-code", sz)) {
606 if (check_discon_status_code(frame, &p, end) == -1) {
607 client->status_code = SPOE_FRM_ERR_INVALID;
608 goto error;
609 }
610 }
611 /* Check "message" K/V item */
612 else if (!memcmp(str, "message", sz)) {
613 if (check_discon_message(frame, &p, end) == -1) {
614 client->status_code = SPOE_FRM_ERR_INVALID;
615 goto error;
616 }
617 }
618 else {
619 DEBUG(frame->worker, "<%lu> Skip K/V item : key=%.*s",
620 client->id, (int)sz, str);
621
622 /* Silently ignore unknown item */
623 if (spoe_skip_data(&p, end) == -1) {
624 client->status_code = SPOE_FRM_ERR_INVALID;
625 goto error;
626 }
627 }
628 }
629
630 return (p - frame->buf);
631 error:
632 return -1;
633}
634
635/* Decode a NOTIFY frame received from HAProxy. It returns -1 if an error
636 * occurred, 0 if it must be must be ignored, otherwise the number of read
637 * bytes. */
638static int
639handle_hanotify(struct spoe_frame *frame)
640{
641 struct client *client = frame->client;
642 char *p, *end;
643 uint64_t stream_id, frame_id;
644
645 p = frame->buf;
646 end = frame->buf + frame->len;
647
648 /* Check frame type */
649 if (*p++ != SPOE_FRM_T_HAPROXY_NOTIFY)
650 goto ignore;
651
652 DEBUG(frame->worker, "<%lu> Decode HAProxy NOTIFY frame", client->id);
653
654 /* Retrieve flags */
655 memcpy((char *)&(frame->flags), p, 4);
656 p += 4;
657
658 /* Fragmentation is not supported */
659 if (!(frame->flags & SPOE_FRM_FL_FIN) && fragmentation == false) {
660 client->status_code = SPOE_FRM_ERR_FRAG_NOT_SUPPORTED;
661 goto error;
662 }
663
664 /* Read the stream-id and frame-id */
665 if (decode_varint(&p, end, &stream_id) == -1)
666 goto ignore;
667 if (decode_varint(&p, end, &frame_id) == -1)
668 goto ignore;
669
670 frame->stream_id = (unsigned int)stream_id;
671 frame->frame_id = (unsigned int)frame_id;
672
673 DEBUG(frame->worker, "<%lu> STREAM-ID=%u - FRAME-ID=%u"
674 " - %s frame received"
675 " - frag_len=%u - len=%u - offset=%ld",
676 client->id, frame->stream_id, frame->frame_id,
677 (frame->flags & SPOE_FRM_FL_FIN) ? "unfragmented" : "fragmented",
678 frame->frag_len, frame->len, p - frame->buf);
679
680 frame->fragmented = !(frame->flags & SPOE_FRM_FL_FIN);
681 frame->offset = (p - frame->buf);
682 return acc_payload(frame);
683
684 ignore:
685 return 0;
686
687 error:
688 return -1;
689}
690
691/* Decode next part of a fragmented frame received from HAProxy. It returns -1
692 * if an error occurred, 0 if it must be must be ignored, otherwise the number
693 * of read bytes. */
694static int
695handle_hafrag(struct spoe_frame *frame)
696{
697 struct client *client = frame->client;
698 char *p, *end;
699 uint64_t stream_id, frame_id;
700
701 p = frame->buf;
702 end = frame->buf + frame->len;
703
704 /* Check frame type */
705 if (*p++ != SPOE_FRM_T_UNSET)
706 goto ignore;
707
708 DEBUG(frame->worker, "<%lu> Decode Next part of a fragmented frame", client->id);
709
710 /* Fragmentation is not supported */
711 if (fragmentation == false) {
712 client->status_code = SPOE_FRM_ERR_FRAG_NOT_SUPPORTED;
713 goto error;
714 }
715
716 /* Retrieve flags */
717 memcpy((char *)&(frame->flags), p, 4);
718 p+= 4;
719
720 /* Read the stream-id and frame-id */
721 if (decode_varint(&p, end, &stream_id) == -1)
722 goto ignore;
723 if (decode_varint(&p, end, &frame_id) == -1)
724 goto ignore;
725
726 if (frame->fragmented == false ||
727 frame->stream_id != (unsigned int)stream_id ||
728 frame->frame_id != (unsigned int)frame_id) {
729 client->status_code = SPOE_FRM_ERR_INTERLACED_FRAMES;
730 goto error;
731 }
732
733 if (frame->flags & SPOE_FRM_FL_ABRT) {
734 DEBUG(frame->worker, "<%lu> STREAM-ID=%u - FRAME-ID=%u"
735 " - Abort processing of a fragmented frame"
736 " - frag_len=%u - len=%u - offset=%ld",
737 client->id, frame->stream_id, frame->frame_id,
738 frame->frag_len, frame->len, p - frame->buf);
739 goto ignore;
740 }
741
742 DEBUG(frame->worker, "<%lu> STREAM-ID=%u - FRAME-ID=%u"
743 " - %s fragment of a fragmented frame received"
744 " - frag_len=%u - len=%u - offset=%ld",
745 client->id, frame->stream_id, frame->frame_id,
746 (frame->flags & SPOE_FRM_FL_FIN) ? "last" : "next",
747 frame->frag_len, frame->len, p - frame->buf);
748
749 frame->offset = (p - frame->buf);
750 return acc_payload(frame);
751
752 ignore:
753 return 0;
754
755 error:
756 return -1;
757}
758
759/* Encode a HELLO frame to send it to HAProxy. It returns the number of written
760 * bytes. */
761static int
762prepare_agenthello(struct spoe_frame *frame)
763{
764 struct client *client = frame->client;
765 char *p, *end;
766 char capabilities[64];
767 int n;
768 unsigned int flags = SPOE_FRM_FL_FIN;
769
770 DEBUG(frame->worker, "<%lu> Encode Agent HELLO frame", client->id);
771 frame->type = SPOA_FRM_T_AGENT;
772
773 p = frame->buf;
774 end = frame->buf+max_frame_size;
775
776 /* Frame Type */
777 *p++ = SPOE_FRM_T_AGENT_HELLO;
778
779 /* Set flags */
780 memcpy(p, (char *)&flags, 4);
781 p += 4;
782
783 /* No stream-id and frame-id for HELLO frames */
784 *p++ = 0;
785 *p++ = 0;
786
787 /* "version" K/V item */
788 spoe_encode_buffer("version", 7, &p, end);
789 *p++ = SPOE_DATA_T_STR;
790 spoe_encode_buffer(SPOP_VERSION, SLEN(SPOP_VERSION), &p, end);
791 DEBUG(frame->worker, "<%lu> Agent version : %s",
792 client->id, SPOP_VERSION);
793
794
795 /* "max-frame-size" K/V item */
796 spoe_encode_buffer("max-frame-size", 14, &p ,end);
797 *p++ = SPOE_DATA_T_UINT32;
798 encode_varint(client->max_frame_size, &p, end);
799 DEBUG(frame->worker, "<%lu> Agent maximum frame size : %u",
800 client->id, client->max_frame_size);
801
802 /* "capabilities" K/V item */
803 spoe_encode_buffer("capabilities", 12, &p, end);
804 *p++ = SPOE_DATA_T_STR;
805
806 memset(capabilities, 0, sizeof(capabilities));
807 n = 0;
808
809 /* 1. Fragmentation capability ? */
810 if (fragmentation == true) {
811 memcpy(capabilities, "fragmentation", 13);
812 n += 13;
813 }
814 /* 2. Pipelining capability ? */
815 if (client->pipelining == true) {
816 if (n) capabilities[n++] = ',';
817 memcpy(capabilities + n, "pipelining", 10);
818 n += 10;
819 }
820 /* 3. Async capability ? */
821 if (client->async == true) {
822 if (n) capabilities[n++] = ',';
823 memcpy(capabilities + n, "async", 5);
824 n += 5;
825 }
826 spoe_encode_buffer(capabilities, n, &p, end);
827
828 DEBUG(frame->worker, "<%lu> Agent capabilities : %.*s",
829 client->id, n, capabilities);
830
831 frame->len = (p - frame->buf);
832 return frame->len;
833}
834
835/* Encode a DISCONNECT frame to send it to HAProxy. It returns the number of
836 * written bytes. */
837static int
838prepare_agentdicon(struct spoe_frame *frame)
839{
840 struct client *client = frame->client;
841 char *p, *end;
842 const char *reason;
843 int rlen;
844 unsigned int flags = SPOE_FRM_FL_FIN;
845
846 DEBUG(frame->worker, "<%lu> Encode Agent DISCONNECT frame", client->id);
847 frame->type = SPOA_FRM_T_AGENT;
848
849 p = frame->buf;
850 end = frame->buf+max_frame_size;
851
852 if (client->status_code >= SPOE_FRM_ERRS)
853 client->status_code = SPOE_FRM_ERR_UNKNOWN;
854 reason = spoe_frm_err_reasons[client->status_code];
855 rlen = strlen(reason);
856
857 /* Frame type */
858 *p++ = SPOE_FRM_T_AGENT_DISCON;
859
860 /* Set flags */
861 memcpy(p, (char *)&flags, 4);
862 p += 4;
863
864 /* No stream-id and frame-id for DISCONNECT frames */
865 *p++ = 0;
866 *p++ = 0;
867
868 /* There are 2 mandatory items: "status-code" and "message" */
869
870 /* "status-code" K/V item */
871 spoe_encode_buffer("status-code", 11, &p, end);
872 *p++ = SPOE_DATA_T_UINT32;
873 encode_varint(client->status_code, &p, end);
874 DEBUG(frame->worker, "<%lu> Disconnect status code : %u",
875 client->id, client->status_code);
876
877 /* "message" K/V item */
878 spoe_encode_buffer("message", 7, &p, end);
879 *p++ = SPOE_DATA_T_STR;
880 spoe_encode_buffer(reason, rlen, &p, end);
881 DEBUG(frame->worker, "<%lu> Disconnect message : %s",
882 client->id, reason);
883
884 frame->len = (p - frame->buf);
885 return frame->len;
886}
887
888/* Encode a ACK frame to send it to HAProxy. It returns the number of written
889 * bytes. */
890static int
891prepare_agentack(struct spoe_frame *frame)
892{
893 char *p, *end;
894 unsigned int flags = SPOE_FRM_FL_FIN;
895
896 /* Be careful here, in async mode, frame->client can be NULL */
897
898 DEBUG(frame->worker, "Encode Agent ACK frame");
899 frame->type = SPOA_FRM_T_AGENT;
900
901 p = frame->buf;
902 end = frame->buf+max_frame_size;
903
904 /* Frame type */
905 *p++ = SPOE_FRM_T_AGENT_ACK;
906
907 /* Set flags */
908 memcpy(p, (char *)&flags, 4);
909 p += 4;
910
911 /* Set stream-id and frame-id for ACK frames */
912 encode_varint(frame->stream_id, &p, end);
913 encode_varint(frame->frame_id, &p, end);
914
915 DEBUG(frame->worker, "STREAM-ID=%u - FRAME-ID=%u",
916 frame->stream_id, frame->frame_id);
917
918 frame->len = (p - frame->buf);
919 return frame->len;
920}
921
922static int
923create_server_socket(void)
924{
925 struct sockaddr_in listen_addr;
926 int fd, yes = 1;
927
928 fd = socket(AF_INET, SOCK_STREAM, 0);
929 if (fd < 0) {
930 LOG(&null_worker, "Failed to create service socket : %m");
931 return -1;
932 }
933
934 memset(&listen_addr, 0, sizeof(listen_addr));
935 listen_addr.sin_family = AF_INET;
936 listen_addr.sin_addr.s_addr = INADDR_ANY;
937 listen_addr.sin_port = htons(server_port);
938
939 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0 ||
940 setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &yes, sizeof(yes)) < 0) {
941 LOG(&null_worker, "Failed to set option on server socket : %m");
942 return -1;
943 }
944
945 if (bind(fd, (struct sockaddr *) &listen_addr, sizeof(listen_addr)) < 0) {
946 LOG(&null_worker, "Failed to bind server socket : %m");
947 return -1;
948 }
949
950 if (listen(fd, CONNECTION_BACKLOG) < 0) {
951 LOG(&null_worker, "Failed to listen on server socket : %m");
952 return -1;
953 }
954
955 return fd;
956}
957
958static void
959release_frame(struct spoe_frame *frame)
960{
961 struct worker *worker;
962
963 if (frame == NULL)
964 return;
965
966 if (event_pending(&frame->process_frame_event, EV_TIMEOUT, NULL))
967 event_del(&frame->process_frame_event);
968
969 worker = frame->worker;
970 LIST_DEL(&frame->list);
971 if (frame->frag_buf)
972 free(frame->frag_buf);
973 memset(frame, 0, sizeof(*frame)+max_frame_size+4);
974 LIST_ADDQ(&worker->frames, &frame->list);
975}
976
977static void
978release_client(struct client *c)
979{
980 struct spoe_frame *frame, *back;
981
982 if (c == NULL)
983 return;
984
985 DEBUG(c->worker, "<%lu> Release client", c->id);
986
987 LIST_DEL(&c->by_worker);
988 c->worker->nbclients--;
989
990 unuse_spoe_engine(c);
991 free(c->engine_id);
992
993 if (event_pending(&c->read_frame_event, EV_READ, NULL))
994 event_del(&c->read_frame_event);
995 if (event_pending(&c->write_frame_event, EV_WRITE, NULL))
996 event_del(&c->write_frame_event);
997
998 release_frame(c->incoming_frame);
999 release_frame(c->outgoing_frame);
1000 list_for_each_entry_safe(frame, back, &c->processing_frames, list) {
1001 release_frame(frame);
1002 }
1003 list_for_each_entry_safe(frame, back, &c->outgoing_frames, list) {
1004 release_frame(frame);
1005 }
1006
1007 if (c->fd >= 0)
1008 close(c->fd);
1009
1010 free(c);
1011}
1012
1013static void
1014reset_frame(struct spoe_frame *frame)
1015{
1016 if (frame == NULL)
1017 return;
1018
1019 if (frame->frag_buf)
1020 free(frame->frag_buf);
1021
1022 frame->type = SPOA_FRM_T_UNKNOWN;
1023 frame->buf = (char *)(frame->data);
1024 frame->offset = 0;
1025 frame->len = 0;
1026 frame->stream_id = 0;
1027 frame->frame_id = 0;
1028 frame->flags = 0;
1029 frame->hcheck = false;
1030 frame->fragmented = false;
1031 frame->modsec_code = -1;
1032 frame->frag_buf = NULL;
1033 frame->frag_len = 0;
1034 LIST_INIT(&frame->list);
1035}
1036
1037static void
1038use_spoe_engine(struct client *client)
1039{
1040 struct spoe_engine *eng;
1041
1042 if (client->engine_id == NULL)
1043 return;
1044
1045 list_for_each_entry(eng, &client->worker->engines, list) {
1046 if (!strcmp(eng->id, client->engine_id))
1047 goto end;
1048 }
1049
1050 if ((eng = malloc(sizeof(*eng))) == NULL) {
1051 client->async = false;
1052 return;
1053 }
1054
1055 eng->id = strdup(client->engine_id);
1056 LIST_INIT(&eng->clients);
1057 LIST_INIT(&eng->processing_frames);
1058 LIST_INIT(&eng->outgoing_frames);
1059 LIST_ADDQ(&client->worker->engines, &eng->list);
1060 LOG(client->worker, "Add new SPOE engine '%s'", eng->id);
1061
1062 end:
1063 client->engine = eng;
1064 LIST_ADDQ(&eng->clients, &client->by_engine);
1065}
1066
1067static void
1068unuse_spoe_engine(struct client *client)
1069{
1070 struct spoe_engine *eng;
1071 struct spoe_frame *frame, *back;
1072
1073 if (client == NULL || client->engine == NULL)
1074 return;
1075
1076 eng = client->engine;
1077 client->engine = NULL;
1078 LIST_DEL(&client->by_engine);
1079 if (!LIST_ISEMPTY(&eng->clients))
1080 return;
1081
1082 LOG(client->worker, "Remove SPOE engine '%s'", eng->id);
1083 LIST_DEL(&eng->list);
1084
1085 list_for_each_entry_safe(frame, back, &eng->processing_frames, list) {
1086 release_frame(frame);
1087 }
1088 list_for_each_entry_safe(frame, back, &eng->outgoing_frames, list) {
1089 release_frame(frame);
1090 }
1091 free(eng->id);
1092 free(eng);
1093}
1094
1095
1096static struct spoe_frame *
1097acquire_incoming_frame(struct client *client)
1098{
1099 struct spoe_frame *frame;
1100
1101 frame = client->incoming_frame;
1102 if (frame != NULL)
1103 return frame;
1104
1105 if (LIST_ISEMPTY(&client->worker->frames)) {
1106 if ((frame = calloc(1, sizeof(*frame)+max_frame_size+4)) == NULL) {
1107 LOG(client->worker, "Failed to allocate new frame : %m");
1108 return NULL;
1109 }
1110 }
1111 else {
1112 frame = LIST_NEXT(&client->worker->frames, typeof(frame), list);
1113 LIST_DEL(&frame->list);
1114 }
1115
1116 reset_frame(frame);
1117 frame->worker = client->worker;
1118 frame->engine = client->engine;
1119 frame->client = client;
1120
1121 if (event_assign(&frame->process_frame_event, client->worker->base, -1,
1122 EV_TIMEOUT|EV_PERSIST, process_frame_cb, frame) < 0) {
1123 LOG(client->worker, "Failed to create frame event");
1124 return NULL;
1125 }
1126
1127 client->incoming_frame = frame;
1128 return frame;
1129}
1130
1131static struct spoe_frame *
1132acquire_outgoing_frame(struct client *client)
1133{
1134 struct spoe_engine *engine = client->engine;
1135 struct spoe_frame *frame = NULL;
1136
1137 if (client->outgoing_frame != NULL)
1138 frame = client->outgoing_frame;
1139 else if (!LIST_ISEMPTY(&client->outgoing_frames)) {
1140 frame = LIST_NEXT(&client->outgoing_frames, typeof(frame), list);
1141 LIST_DEL(&frame->list);
1142 client->outgoing_frame = frame;
1143 }
1144 else if (engine!= NULL && !LIST_ISEMPTY(&engine->outgoing_frames)) {
1145 frame = LIST_NEXT(&engine->outgoing_frames, typeof(frame), list);
1146 LIST_DEL(&frame->list);
1147 client->outgoing_frame = frame;
1148 }
1149 return frame;
1150}
1151
1152static void
1153write_frame(struct client *client, struct spoe_frame *frame)
1154{
1155 uint32_t netint;
1156
1157 LIST_DEL(&frame->list);
1158
1159 frame->buf = (char *)(frame->data);
1160 frame->offset = 0;
1161 netint = htonl(frame->len);
1162 memcpy(frame->buf, &netint, 4);
1163
1164 if (client != NULL) { /* HELLO or DISCONNECT frames */
1165 event_add(&client->write_frame_event, NULL);
1166
1167 /* Try to process the frame as soon as possible, and always
1168 * attach it to the client */
1169 if (client->async || client->pipelining) {
1170 if (client->outgoing_frame == NULL)
1171 client->outgoing_frame = frame;
1172 else
1173 LIST_ADD(&client->outgoing_frames, &frame->list);
1174 }
1175 else {
1176 client->outgoing_frame = frame;
1177 event_del(&client->read_frame_event);
1178 }
1179 }
1180 else { /* for all other frames */
1181 if (frame->client == NULL) { /* async mode ! */
1182 LIST_ADDQ(&frame->engine->outgoing_frames, &frame->list);
1183 list_for_each_entry(client, &frame->engine->clients, by_engine)
1184 event_add(&client->write_frame_event, NULL);
1185 }
1186 else if (frame->client->pipelining) {
1187 LIST_ADDQ(&frame->client->outgoing_frames, &frame->list);
1188 event_add(&frame->client->write_frame_event, NULL);
1189 }
1190 else {
1191 frame->client->outgoing_frame = frame;
1192 event_add(&frame->client->write_frame_event, NULL);
1193 event_del(&frame->client->read_frame_event);
1194 }
1195 }
1196}
1197
1198static void
1199process_incoming_frame(struct spoe_frame *frame)
1200{
1201 struct client *client = frame->client;
1202
1203 if (event_add(&frame->process_frame_event, &processing_delay) < 0) {
1204 LOG(client->worker, "Failed to process incoming frame");
1205 release_frame(frame);
1206 return;
1207 }
1208
1209 if (client->async) {
1210 frame->client = NULL;
1211 LIST_ADDQ(&frame->engine->processing_frames, &frame->list);
1212 }
1213 else if (client->pipelining)
1214 LIST_ADDQ(&client->processing_frames, &frame->list);
1215 else
1216 event_del(&client->read_frame_event);
1217}
1218
1219static void
1220signal_cb(evutil_socket_t sig, short events, void *user_data)
1221{
1222 struct event_base *base = user_data;
1223 int i;
1224
1225 DEBUG(&null_worker, "Stopping the server");
1226
1227 event_base_loopbreak(base);
1228 DEBUG(&null_worker, "Main event loop stopped");
1229
1230 for (i = 0; i < num_workers; i++) {
1231 event_base_loopbreak(workers[i].base);
1232 DEBUG(&null_worker, "Event loop stopped for worker %02d",
1233 workers[i].id);
1234 }
1235}
1236
1237static void
1238worker_monitor_cb(evutil_socket_t fd, short events, void *arg)
1239{
1240 struct worker *worker = arg;
1241
1242 LOG(worker, "%u clients connected", worker->nbclients);
1243}
1244
1245static void
1246process_frame_cb(evutil_socket_t fd, short events, void *arg)
1247{
1248 struct spoe_frame *frame = arg;
1249 char *p, *end;
1250 int ret;
1251
1252 DEBUG(frame->worker,
1253 "Process frame messages : STREAM-ID=%u - FRAME-ID=%u - length=%u bytes",
1254 frame->stream_id, frame->frame_id, frame->len - frame->offset);
1255
1256 p = frame->buf + frame->offset;
1257 end = frame->buf + frame->len;
1258
1259 /* Loop on messages */
1260 while (p < end) {
1261 char *str;
1262 uint64_t sz;
1263 int nbargs;
1264
1265 /* Decode the message name */
1266 spoe_decode_buffer(&p, end, &str, &sz);
1267 if (!str)
1268 goto stop_processing;
1269
1270 DEBUG(frame->worker, "Process SPOE Message '%.*s'", (int)sz, str);
1271
1272 nbargs = *p++; /* Get the number of arguments */
1273 frame->offset = (p - frame->buf); /* Save index to handle errors and skip args */
1274 if (!memcmp(str, "check-request", sz)) {
1275 struct modsecurity_parameters params;
1276
1277 memset(&params, 0, sizeof(params));
1278
1279 if (nbargs != 8)
1280 goto skip_message;
1281
1282 /* Decode parameter name. */
1283 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1284 goto stop_processing;
1285
1286 /* Decode unique id. */
1287 if (spoe_decode_data(&p, end, &params.uniqueid) == -1)
1288 goto skip_message;
1289
1290 /* Decode parameter name. */
1291 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1292 goto stop_processing;
1293
1294 /* Decode method. */
1295 if (spoe_decode_data(&p, end, &params.method) == -1)
1296 goto skip_message;
1297
1298 /* Decode parameter name. */
1299 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1300 goto stop_processing;
1301
1302 /* Decode path. */
1303 if (spoe_decode_data(&p, end, &params.path) == -1)
1304 goto skip_message;
1305
1306 /* Decode parameter name. */
1307 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1308 goto stop_processing;
1309
1310 /* Decode query. */
1311 if (spoe_decode_data(&p, end, &params.query) == -1)
1312 goto skip_message;
1313
1314 /* Decode parameter name. */
1315 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1316 goto stop_processing;
1317
1318 /* Decode protocol version. */
1319 if (spoe_decode_data(&p, end, &params.vers) == -1)
1320 goto skip_message;
1321
1322 /* Decode parameter name. */
1323 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1324 goto stop_processing;
1325
1326 /* Decode hdrs. */
1327 if (spoe_decode_data(&p, end, &params.hdrs_bin) == -1)
1328 goto skip_message;
1329
1330 /* Decode parameter name. */
1331 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1332 goto stop_processing;
1333
1334 /* Decode body length. */
1335 if (spoe_decode_data(&p, end, &params.body_length) == -1)
1336 goto skip_message;
1337
1338 /* Decode parameter name. */
1339 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1340 goto stop_processing;
1341
1342 /* Decode body. */
1343 if (spoe_decode_data(&p, end, &params.body) == -1)
1344 goto skip_message;
1345
1346 frame->modsec_code = modsecurity_process(frame->worker, &params);
1347 }
1348 else {
1349 skip_message:
1350 p = frame->buf + frame->offset; /* Restore index */
1351
1352 while (nbargs-- > 0) {
1353 /* Silently ignore argument: its name and its value */
1354 if (spoe_decode_buffer(&p, end, &str, &sz) == -1)
1355 goto stop_processing;
1356 if (spoe_skip_data(&p, end) == -1)
1357 goto stop_processing;
1358 }
1359 }
1360 }
1361
1362 stop_processing:
1363 /* Prepare agent ACK frame */
1364 frame->buf = (char *)(frame->data) + 4;
1365 frame->offset = 0;
1366 frame->len = 0;
1367 frame->flags = 0;
1368
1369 ret = prepare_agentack(frame);
1370 p = frame->buf + ret;
1371
1372 if (frame->modsec_code != -1) {
1373 DEBUG(frame->worker, "Add action : set variable code=%u",
1374 frame->modsec_code);
1375
1376 *p++ = SPOE_ACT_T_SET_VAR; /* Action type */
1377 *p++ = 3; /* Number of args */
1378 *p++ = SPOE_SCOPE_TXN; /* Arg 1: the scope */
1379 spoe_encode_buffer("code", 8, &p, end); /* Arg 2: variable name */
1380 *p++ = SPOE_DATA_T_UINT32;
1381 encode_varint(frame->modsec_code, &p, end); /* Arg 3: variable value */
1382 frame->len = (p - frame->buf);
1383 }
1384 write_frame(NULL, frame);
1385}
1386
1387static void
1388read_frame_cb(evutil_socket_t fd, short events, void *arg)
1389{
1390 struct client *client = arg;
1391 struct spoe_frame *frame;
1392 uint32_t netint;
1393 int n;
1394
1395 DEBUG(client->worker, "<%lu> %s", client->id, __FUNCTION__);
1396 if ((frame = acquire_incoming_frame(client)) == NULL)
1397 goto close;
1398
1399 frame->type = SPOA_FRM_T_HAPROXY;
1400 if (frame->buf == (char *)(frame->data)) {
1401 /* Read the frame length: frame->buf points on length part (frame->data) */
1402 n = read(client->fd, frame->buf+frame->offset, 4-frame->offset);
1403 if (n <= 0) {
1404 if (n < 0)
1405 LOG(client->worker, "Failed to read frame length : %m");
1406 goto close;
1407 }
1408 frame->offset += n;
1409 if (frame->offset != 4)
1410 return;
1411 memcpy(&netint, frame->buf, 4);
1412 frame->buf += 4;
1413 frame->offset = 0;
1414 frame->len = ntohl(netint);
1415 }
1416
1417 /* Read the frame: frame->buf points on frame part (frame->data+4)*/
1418 n = read(client->fd, frame->buf + frame->offset,
1419 frame->len - frame->offset);
1420 if (n <= 0) {
1421 if (n < 0) {
1422 LOG(client->worker, "Frame to read frame : %m");
1423 goto close;
1424 }
1425 return;
1426 }
1427 frame->offset += n;
1428 if (frame->offset != frame->len)
1429 return;
1430 frame->offset = 0;
1431
1432 DEBUG(client->worker, "<%lu> New Frame of %u bytes received",
1433 client->id, frame->len);
1434
1435 switch (client->state) {
1436 case SPOA_ST_CONNECTING:
1437 if (handle_hahello(frame) < 0) {
1438 LOG(client->worker, "Failed to decode HELLO frame");
1439 goto disconnect;
1440 }
1441 prepare_agenthello(frame);
1442 goto write_frame;
1443
1444 case SPOA_ST_PROCESSING:
1445 if (frame->buf[0] == SPOE_FRM_T_HAPROXY_DISCON) {
1446 client->state = SPOA_ST_DISCONNECTING;
1447 goto disconnecting;
1448 }
1449 if (frame->buf[0] == SPOE_FRM_T_UNSET)
1450 n = handle_hafrag(frame);
1451 else
1452 n = handle_hanotify(frame);
1453
1454 if (n < 0) {
1455 LOG(client->worker, "Failed to decode frame: %s",
1456 spoe_frm_err_reasons[client->status_code]);
1457 goto disconnect;
1458 }
1459 else if (n == 0) {
1460 LOG(client->worker, "Ignore invalid/unknown/aborted frame");
1461 goto ignore_frame;
1462 }
1463 else if (n == 1)
1464 goto noop;
1465 else
1466 goto process_frame;
1467
1468 case SPOA_ST_DISCONNECTING:
1469 disconnecting:
1470 if (handle_hadiscon(frame) < 0) {
1471 LOG(client->worker, "Failed to decode DISCONNECT frame");
1472 goto disconnect;
1473 }
1474 if (client->status_code != SPOE_FRM_ERR_NONE)
1475 LOG(client->worker, "<%lu> Peer closed connection: %s",
1476 client->id, spoe_frm_err_reasons[client->status_code]);
1477 client->status_code = SPOE_FRM_ERR_NONE;
1478 goto disconnect;
1479 }
1480
1481 noop:
1482 return;
1483
1484 ignore_frame:
1485 reset_frame(frame);
1486 return;
1487
1488 process_frame:
1489 process_incoming_frame(frame);
1490 client->incoming_frame = NULL;
1491 return;
1492
1493 write_frame:
1494 write_frame(client, frame);
1495 client->incoming_frame = NULL;
1496 return;
1497
1498 disconnect:
1499 client->state = SPOA_ST_DISCONNECTING;
1500 if (prepare_agentdicon(frame) < 0) {
1501 LOG(client->worker, "Failed to encode DISCONNECT frame");
1502 goto close;
1503 }
1504 goto write_frame;
1505
1506 close:
1507 release_client(client);
1508}
1509
1510static void
1511write_frame_cb(evutil_socket_t fd, short events, void *arg)
1512{
1513 struct client *client = arg;
1514 struct spoe_frame *frame;
1515 int n;
1516
1517 DEBUG(client->worker, "<%lu> %s", client->id, __FUNCTION__);
1518 if ((frame = acquire_outgoing_frame(client)) == NULL) {
1519 event_del(&client->write_frame_event);
1520 return;
1521 }
1522
1523 if (frame->buf == (char *)(frame->data)) {
1524 /* Write the frame length: frame->buf points on length part (frame->data) */
1525 n = write(client->fd, frame->buf+frame->offset, 4-frame->offset);
1526 if (n <= 0) {
1527 if (n < 0)
1528 LOG(client->worker, "Failed to write frame length : %m");
1529 goto close;
1530 }
1531 frame->offset += n;
1532 if (frame->offset != 4)
1533 return;
1534 frame->buf += 4;
1535 frame->offset = 0;
1536 }
1537
1538 /* Write the frame: frame->buf points on frame part (frame->data+4)*/
1539 n = write(client->fd, frame->buf + frame->offset,
1540 frame->len - frame->offset);
1541 if (n <= 0) {
1542 if (n < 0) {
1543 LOG(client->worker, "Failed to write frame : %m");
1544 goto close;
1545 }
1546 return;
1547 }
1548 frame->offset += n;
1549 if (frame->offset != frame->len)
1550 return;
1551
1552 DEBUG(client->worker, "<%lu> Frame of %u bytes send",
1553 client->id, frame->len);
1554
1555 switch (client->state) {
1556 case SPOA_ST_CONNECTING:
1557 if (frame->hcheck == true) {
1558 DEBUG(client->worker,
1559 "<%lu> Close client after healthcheck",
1560 client->id);
1561 goto close;
1562 }
1563 client->state = SPOA_ST_PROCESSING;
1564 break;
1565
1566 case SPOA_ST_PROCESSING:
1567 break;
1568
1569 case SPOA_ST_DISCONNECTING:
1570 goto close;
1571 }
1572
1573 release_frame(frame);
1574 client->outgoing_frame = NULL;
1575 if (!client->async && !client->pipelining) {
1576 event_del(&client->write_frame_event);
1577 event_add(&client->read_frame_event, NULL);
1578 }
1579 return;
1580
1581 close:
1582 release_client(client);
1583}
1584
1585static void
1586accept_cb(int listener, short event, void *arg)
1587{
1588 struct worker *worker;
1589 struct client *client;
1590 int fd;
1591
1592 worker = &workers[clicount++ % num_workers];
1593
1594 if ((fd = accept(listener, NULL, NULL)) < 0) {
1595 if (errno != EAGAIN && errno != EWOULDBLOCK)
1596 LOG(worker, "Failed to accept client connection : %m");
1597 return;
1598 }
1599
1600 DEBUG(&null_worker,
1601 "<%lu> New Client connection accepted and assigned to worker %02d",
1602 clicount, worker->id);
1603
1604 if (evutil_make_socket_nonblocking(fd) < 0) {
1605 LOG(&null_worker, "Failed to set client socket to non-blocking : %m");
1606 close(fd);
1607 return;
1608 }
1609
1610 if ((client = calloc(1, sizeof(*client))) == NULL) {
1611 LOG(&null_worker, "Failed to allocate memory for client state : %m");
1612 close(fd);
1613 return;
1614 }
1615
1616 client->id = clicount;
1617 client->fd = fd;
1618 client->worker = worker;
1619 client->state = SPOA_ST_CONNECTING;
1620 client->status_code = SPOE_FRM_ERR_NONE;
1621 client->max_frame_size = max_frame_size;
1622 client->engine = NULL;
1623 client->pipelining = false;
1624 client->async = false;
1625 client->incoming_frame = NULL;
1626 client->outgoing_frame = NULL;
1627 LIST_INIT(&client->processing_frames);
1628 LIST_INIT(&client->outgoing_frames);
1629
1630 LIST_ADDQ(&worker->clients, &client->by_worker);
1631
1632 worker->nbclients++;
1633
1634 if (event_assign(&client->read_frame_event, worker->base, fd,
1635 EV_READ|EV_PERSIST, read_frame_cb, client) < 0 ||
1636 event_assign(&client->write_frame_event, worker->base, fd,
1637 EV_WRITE|EV_PERSIST, write_frame_cb, client) < 0) {
1638 LOG(&null_worker, "Failed to create client events");
1639 release_client(client);
1640 return;
1641 }
1642 event_add(&client->read_frame_event, NULL);
1643}
1644
1645static void *
1646worker_function(void *data)
1647{
1648 struct client *client, *cback;
1649 struct spoe_frame *frame, *fback;
1650 struct worker *worker = data;
1651
1652 DEBUG(worker, "Worker ready to process client messages");
1653 event_base_dispatch(worker->base);
1654
1655 list_for_each_entry_safe(client, cback, &worker->clients, by_worker) {
1656 release_client(client);
1657 }
1658
1659 list_for_each_entry_safe(frame, fback, &worker->frames, list) {
1660 LIST_DEL(&frame->list);
1661 free(frame);
1662 }
1663
1664 event_free(worker->monitor_event);
1665 event_base_free(worker->base);
1666 DEBUG(worker, "Worker is stopped");
1667 pthread_exit(&null_worker);
1668}
1669
1670
1671static int
1672parse_processing_delay(const char *str)
1673{
1674 unsigned long value;
1675
1676 value = 0;
1677 while (1) {
1678 unsigned int j;
1679
1680 j = *str - '0';
1681 if (j > 9)
1682 break;
1683 str++;
1684 value *= 10;
1685 value += j;
1686 }
1687
1688 switch (*str) {
1689 case '\0': /* no unit = millisecond */
1690 value *= 1000;
1691 break;
1692 case 's': /* second */
1693 value *= 1000000;
1694 str++;
1695 break;
1696 case 'm': /* millisecond : "ms" */
1697 if (str[1] != 's')
1698 return -1;
1699 value *= 1000;
1700 str += 2;
1701 break;
1702 case 'u': /* microsecond : "us" */
1703 if (str[1] != 's')
1704 return -1;
1705 str += 2;
1706 break;
1707 default:
1708 return -1;
1709 }
1710 if (*str)
1711 return -1;
1712
1713 processing_delay.tv_sec = (time_t)(value / 1000000);
1714 processing_delay.tv_usec = (suseconds_t)(value % 1000000);
1715 return 0;
1716}
1717
1718
1719static void
1720usage(char *prog)
1721{
1722 fprintf(stderr,
1723 "Usage : %s [OPTION]...\n"
1724 " -h Print this message\n"
1725 " -d Enable the debug mode\n"
1726 " -f <config-file> ModSecurity configuration file\n"
1727 " -m <max-frame-size> Specify the maximum frame size (default : %u)\n"
1728 " -p <port> Specify the port to listen on (default : %d)\n"
1729 " -n <num-workers> Specify the number of workers (default : %d)\n"
1730 " -c <capability> Enable the support of the specified capability\n"
1731 " -t <time> Set a delay to process a message (default: 0)\n"
1732 " The value is specified in milliseconds by default,\n"
1733 " but can be in any other unit if the number is suffixed\n"
1734 " by a unit (us, ms, s)\n"
1735 "\n"
1736 " Supported capabilities: fragmentation, pipelining, async\n",
1737 prog, MAX_FRAME_SIZE, DEFAULT_PORT, NUM_WORKERS);
1738}
1739
1740int
1741main(int argc, char **argv)
1742{
1743 struct event_base *base = NULL;
1744 struct event *signal_event = NULL, *accept_event = NULL;
1745 int opt, i, fd = -1;
1746 const char *configuration_file = NULL;
1747
1748 // TODO: add '-t <processing-time>' option
1749 while ((opt = getopt(argc, argv, "hdm:n:p:c:t:f:")) != -1) {
1750 switch (opt) {
1751 case 'h':
1752 usage(argv[0]);
1753 return EXIT_SUCCESS;
1754 case 'd':
1755 debug = true;
1756 break;
1757 case 'm':
1758 max_frame_size = atoi(optarg);
1759 break;
1760 case 'n':
1761 num_workers = atoi(optarg);
1762 break;
1763 case 'p':
1764 server_port = atoi(optarg);
1765 break;
1766 case 'f':
1767 configuration_file = optarg;
1768 break;
1769 case 'c':
1770 if (!strcmp(optarg, "pipelining"))
1771 pipelining = true;
1772 else if (!strcmp(optarg, "async"))
1773 async = true;
1774 else if (!strcmp(optarg, "fragmentation"))
1775 fragmentation = true;
1776 else
1777 fprintf(stderr, "WARNING: unsupported capability '%s'\n", optarg);
1778 break;
1779 case 't':
1780 if (!parse_processing_delay(optarg))
1781 break;
1782 fprintf(stderr, "%s: failed to parse time '%s'.\n", argv[0], optarg);
1783 fprintf(stderr, "Try '%s -h' for more information.\n", argv[0]);
1784 return EXIT_FAILURE;
1785 default:
1786 usage(argv[0]);
1787 return EXIT_FAILURE;
1788 }
1789 }
1790
1791 if (!configuration_file) {
1792 LOG(&null_worker, "ModSecurity configuration is required.\n");
1793 goto error;
1794 }
1795
1796 if (modsecurity_load(configuration_file) == -1)
1797 goto error;
1798
1799 if (num_workers <= 0) {
1800 LOG(&null_worker, "%s : Invalid number of workers '%d'\n",
1801 argv[0], num_workers);
1802 goto error;
1803 }
1804
1805 if (server_port <= 0) {
1806 LOG(&null_worker, "%s : Invalid port '%d'\n",
1807 argv[0], server_port);
1808 goto error;
1809 }
1810
1811
1812 if (evthread_use_pthreads() < 0) {
1813 LOG(&null_worker, "No pthreads support for libevent");
1814 goto error;
1815 }
1816
1817 if ((base = event_base_new()) == NULL) {
1818 LOG(&null_worker, "Failed to initialize libevent : %m");
1819 goto error;
1820 }
1821
1822 signal(SIGPIPE, SIG_IGN);
1823
1824 if ((fd = create_server_socket()) < 0) {
1825 LOG(&null_worker, "Failed to create server socket");
1826 goto error;
1827 }
1828 if (evutil_make_socket_nonblocking(fd) < 0) {
1829 LOG(&null_worker, "Failed to set server socket to non-blocking");
1830 goto error;
1831 }
1832
1833 if ((workers = calloc(num_workers, sizeof(*workers))) == NULL) {
1834 LOG(&null_worker, "Failed to set allocate memory for workers");
1835 goto error;
1836 }
1837
1838 for (i = 0; i < num_workers; ++i) {
1839 struct worker *w = &workers[i];
1840
1841 w->id = i+1;
1842 w->nbclients = 0;
1843 LIST_INIT(&w->engines);
1844 LIST_INIT(&w->clients);
1845 LIST_INIT(&w->frames);
1846
1847 if ((w->base = event_base_new()) == NULL) {
1848 LOG(&null_worker,
1849 "Failed to initialize libevent for worker %02d : %m",
1850 w->id);
1851 goto error;
1852 }
1853
1854 w->monitor_event = event_new(w->base, fd, EV_PERSIST,
1855 worker_monitor_cb, (void *)w);
1856 if (w->monitor_event == NULL ||
1857 event_add(w->monitor_event, (struct timeval[]){{5,0}}) < 0) {
1858 LOG(&null_worker,
1859 "Failed to create monitor event for worker %02d",
1860 w->id);
1861 goto error;
1862 }
1863
1864 if (pthread_create(&w->thread, NULL, worker_function, (void *)w)) {
1865 LOG(&null_worker,
1866 "Failed to start thread for worker %02d : %m",
1867 w->id);
1868 }
1869 DEBUG(&null_worker, "Worker %02d initialized", w->id);
1870 }
1871
1872 accept_event = event_new(base, fd, EV_READ|EV_PERSIST, accept_cb,
1873 (void *)base);
1874 if (accept_event == NULL || event_add(accept_event, NULL) < 0) {
1875 LOG(&null_worker, "Failed to create accept event : %m");
1876 }
1877
1878 signal_event = evsignal_new(base, SIGINT, signal_cb, (void *)base);
1879 if (signal_event == NULL || event_add(signal_event, NULL) < 0) {
1880 LOG(&null_worker, "Failed to create signal event : %m");
1881 }
1882
1883 DEBUG(&null_worker,
1884 "Server is ready"
1885 " [fragmentation=%s - pipelining=%s - async=%s - debug=%s - max-frame-size=%u]",
1886 (fragmentation?"true":"false"), (pipelining?"true":"false"), (async?"true":"false"),
1887 (debug?"true":"false"), max_frame_size);
1888 event_base_dispatch(base);
1889
1890 for (i = 0; i < num_workers; i++) {
1891 struct worker *w = &workers[i];
1892
1893 pthread_join(w->thread, NULL);
1894 DEBUG(&null_worker, "Worker %02d terminated", w->id);
1895 }
1896
1897 free(workers);
1898 event_free(signal_event);
1899 event_free(accept_event);
1900 event_base_free(base);
1901 close(fd);
1902 return EXIT_SUCCESS;
1903
1904 error:
1905 if (workers != NULL)
1906 free(workers);
1907 if (signal_event != NULL)
1908 event_free(signal_event);
1909 if (accept_event != NULL)
1910 event_free(accept_event);
1911 if (base != NULL)
1912 event_base_free(base);
1913 if (fd != -1)
1914 close(fd);
1915 return EXIT_FAILURE;
1916}