RFC: implement TLS auto-detection

lib/logproto/logproto-auto-server.c

@@ -25,43 +25,107 @@
 #include "logproto-framed-server.h"
 #include "messages.h"
 
+enum
+{
+  LPAS_FAILURE,
+  LPAS_NEED_MORE_DATA,
+  LPAS_SUCCESS,
+};
+
 typedef struct _LogProtoAutoServer
 {
   LogProtoServer super;
+
+  gboolean tls_detected;
 } LogProtoAutoServer;
 
 static LogProtoServer *
 _construct_detected_proto(LogProtoAutoServer *self, const gchar *detect_buffer, gsize detect_buffer_len)
 {
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
+  gint fd = self->super.transport_stack.fd;
 
   if (g_ascii_isdigit(detect_buffer[0]))
     {
-      msg_debug("Auto-detected octet-counted-framing on RFC6587 connection, using framed protocol",
-                evt_tag_int("fd", transport->fd));
+      msg_debug("Auto-detected octet-counted-framing, using framed protocol",
+                evt_tag_int("fd", fd));
       return log_proto_framed_server_new(NULL, self->super.options);
     }
   if (detect_buffer[0] == '<')
     {
-      msg_debug("Auto-detected non-transparent-framing on RFC6587 connection, using simple text protocol",
-                evt_tag_int("fd", transport->fd));
+      msg_debug("Auto-detected non-transparent-framing, using simple text protocol",
+                evt_tag_int("fd", fd));
     }
   else
     {
-      msg_debug("Unable to detect framing on RFC6587 connection, falling back to simple text transport",
-                evt_tag_int("fd", transport->fd),
+      msg_debug("Unable to detect framing, falling back to simple text transport",
+                evt_tag_int("fd", fd),
                 evt_tag_mem("detect_buffer", detect_buffer, detect_buffer_len));
     }
   return log_proto_text_server_new(NULL, self->super.options);
 }
 
+static gint
+_is_tls_client_hello(const gchar *buf, gsize buf_len)
+{
+  /*
+   * The first message on a TLS connection must be the client_hello, which
+   * is a type of handshake record, and it cannot be compressed or
+   * encrypted.  A plaintext record has this format:
+   *
+   *       0      byte    record_type      // 0x16 = handshake
+   *       1      byte    major            // major protocol version
+   *       2      byte    minor            // minor protocol version
+   *     3-4      uint16  length           // size of the payload
+   *       5      byte    handshake_type   // 0x01 = client_hello
+   *       6      uint24  length           // size of the ClientHello
+   *       9      byte    major            // major protocol version
+   *      10      byte    minor            // minor protocol version
+   *      11      uint32  gmt_unix_time
+   *      15      byte    random_bytes[28]
+   *              ...
+   */
+  if (buf_len < 1)
+    return LPAS_NEED_MORE_DATA;
+
+  /* 0x16 indicates a TLS handshake */
+  if (buf[0] != 0x16)
+    return LPAS_FAILURE;
+
+  if (buf_len < 5)
+    return LPAS_NEED_MORE_DATA;
+
+  guint32 record_len = (buf[3] << 8) + buf[4];
+
+  /* client_hello is at least 34 bytes */
+  if (record_len < 34)
+    return LPAS_FAILURE;
+
+  if (buf_len < 6)
+    return LPAS_NEED_MORE_DATA;
+
+  /* is the handshake_type 0x01 == client_hello */
+  if (buf[5] != 0x01)
+    return FALSE;
+
+  if (buf_len < 9)
+    return LPAS_NEED_MORE_DATA;
+
+  guint32 payload_size = (buf[6] << 16) + (buf[7] << 8) + buf[8];
+
+  /* The message payload can't be bigger than the enclosing record */
+  if (payload_size + 4 > record_len)
+    return LPAS_FAILURE;
+  return LPAS_SUCCESS;
+}
+
 static LogProtoPrepareAction
-log_proto_auto_server_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
+log_proto_auto_server_poll_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
 {
   LogProtoAutoServer *self = (LogProtoAutoServer *) s;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
 
-  *cond = transport->cond;
+  if (log_transport_stack_poll_prepare(&self->super.transport_stack, cond))
+    return LPPA_FORCE_SCHEDULE_FETCH;
+
   if (*cond == 0)
     *cond = G_IO_IN;
 
@@ -72,12 +136,11 @@ static LogProtoStatus
 log_proto_auto_handshake(LogProtoServer *s, gboolean *handshake_finished, LogProtoServer **proto_replacement)
 {
   LogProtoAutoServer *self = (LogProtoAutoServer *) s;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
-  gchar detect_buffer[8];
+  gchar detect_buffer[16];
   gboolean moved_forward;
   gint rc;
 
-  rc = log_transport_read_ahead(transport, detect_buffer, sizeof(detect_buffer), &moved_forward);
+  rc = log_transport_stack_read_ahead(&self->super.transport_stack, detect_buffer, sizeof(detect_buffer), &moved_forward);
   if (rc == 0)
     return LPS_EOF;
   else if (rc < 0)
@@ -87,6 +150,32 @@ log_proto_auto_handshake(LogProtoServer *s, gboolean *handshake_finished, LogPro
       return LPS_ERROR;
     }
 
+  if (!self->tls_detected)
+    {
+      switch (_is_tls_client_hello(detect_buffer, rc))
+        {
+        case LPAS_NEED_MORE_DATA:
+          if (moved_forward)
+            return LPS_AGAIN;
+          break;
+        case LPAS_SUCCESS:
+          self->tls_detected = TRUE;
+          /* this is a TLS handshake! let's switch to TLS */
+          if (log_transport_stack_switch(&self->super.transport_stack, LOG_TRANSPORT_TLS))
+            {
+              msg_debug("TLS handshake detected, switching to TLS");
+              return LPS_AGAIN;
+            }
+          else
+            {
+              msg_error("TLS handshake detected, unable to switch to TLS, no tls() options specified");
+              return LPS_ERROR;
+            }
+          break;
+        default:
+          break;
+        }
+    }
   *proto_replacement = _construct_detected_proto(self, detect_buffer, rc);
   return LPS_SUCCESS;
 }
@@ -101,6 +190,6 @@ log_proto_auto_server_new(LogTransport *transport, const LogProtoServerOptions *
 
   log_proto_server_init(&self->super, transport, options);
   self->super.handshake = log_proto_auto_handshake;
-  self->super.prepare = log_proto_auto_server_prepare;
+  self->super.poll_prepare = log_proto_auto_server_poll_prepare;
   return &self->super;
 }

lib/logproto/logproto-buffered-server.c

@@ -179,10 +179,9 @@ log_proto_buffered_server_apply_state(LogProtoBufferedServer *self, PersistEntry
   struct stat st;
   gint64 ofs = 0;
   LogProtoBufferedServerState *state;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
   gint fd;
 
-  fd = transport->fd;
+  fd = self->super.transport_stack.fd;
   self->persist_handle = handle;
 
   if (fstat(fd, &st) < 0)
@@ -255,7 +254,7 @@ log_proto_buffered_server_apply_state(LogProtoBufferedServer *self, PersistEntry
           raw_buffer = g_alloca(state->raw_buffer_size);
         }
 
-      rc = log_transport_read(transport, raw_buffer, state->raw_buffer_size, NULL);
+      rc = log_transport_stack_read(&self->super.transport_stack, raw_buffer, state->raw_buffer_size, NULL);
       if (rc != state->raw_buffer_size)
         {
           msg_notice("Error re-reading buffer contents of the file to be continued, restarting from the beginning",
@@ -584,12 +583,12 @@ log_proto_buffered_server_restart_with_state(LogProtoServer *s, PersistState *pe
 }
 
 LogProtoPrepareAction
-log_proto_buffered_server_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
+log_proto_buffered_server_poll_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
 {
   LogProtoBufferedServer *self = (LogProtoBufferedServer *) s;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
 
-  *cond = transport->cond;
+  if (log_transport_stack_poll_prepare(&self->super.transport_stack, cond))
+    return LPPA_FORCE_SCHEDULE_FETCH;
 
   /* if there's no pending I/O in the transport layer, then we want to do a read */
   if (*cond == 0)
@@ -602,9 +601,7 @@ static gint
 log_proto_buffered_server_read_data_method(LogProtoBufferedServer *self, guchar *buf, gsize len,
                                            LogTransportAuxData *aux)
 {
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
-
-  return log_transport_read(transport, buf, len, aux);
+  return log_transport_stack_read(&self->super.transport_stack, buf, len, aux);
 }
 
 static void
@@ -1081,7 +1078,7 @@ log_proto_buffered_server_init(LogProtoBufferedServer *self, LogTransport *trans
                                const LogProtoServerOptions *options)
 {
   log_proto_server_init(&self->super, transport, options);
-  self->super.prepare = log_proto_buffered_server_prepare;
+  self->super.poll_prepare = log_proto_buffered_server_poll_prepare;
   self->super.fetch = log_proto_buffered_server_fetch;
   self->super.free_fn = log_proto_buffered_server_free_method;
   self->super.restart_with_state = log_proto_buffered_server_restart_with_state;

lib/logproto/logproto-buffered-server.h

@@ -114,8 +114,8 @@ log_proto_buffered_server_cue_flush(LogProtoBufferedServer *self)
   self->flush_partial_message = TRUE;
 }
 
-LogProtoPrepareAction log_proto_buffered_server_prepare(LogProtoServer *s, GIOCondition *cond,
-                                                        gint *timeout G_GNUC_UNUSED);
+LogProtoPrepareAction log_proto_buffered_server_poll_prepare(LogProtoServer *s, GIOCondition *cond,
+    gint *timeout G_GNUC_UNUSED);
 LogProtoBufferedServerState *log_proto_buffered_server_get_state(LogProtoBufferedServer *self);
 void log_proto_buffered_server_put_state(LogProtoBufferedServer *self);
 gboolean log_proto_buffered_server_restart_with_state(LogProtoServer *s,

lib/logproto/logproto-client.h

@@ -67,8 +67,7 @@ struct _LogProtoClient
   LogProtoStatus status;
   const LogProtoClientOptions *options;
   LogTransportStack transport_stack;
-  /* FIXME: rename to something else */
-  gboolean (*prepare)(LogProtoClient *s, gint *fd, GIOCondition *cond, gint *timeout);
+  gboolean (*poll_prepare)(LogProtoClient *s, gint *fd, GIOCondition *cond, gint *timeout);
   LogProtoStatus (*post)(LogProtoClient *s, LogMessage *logmsg, guchar *msg, gsize msg_len, gboolean *consumed);
   LogProtoStatus (*process_in)(LogProtoClient *s);
   LogProtoStatus (*flush)(LogProtoClient *s);
@@ -124,9 +123,9 @@ log_proto_client_handshake(LogProtoClient *s, gboolean *handshake_finished)
 }
 
 static inline gboolean
-log_proto_client_prepare(LogProtoClient *s, gint *fd, GIOCondition *cond, gint *timeout)
+log_proto_client_poll_prepare(LogProtoClient *s, gint *fd, GIOCondition *cond, gint *timeout)
 {
-  gboolean result = s->prepare(s, fd, cond, timeout);
+  gboolean result = s->poll_prepare(s, fd, cond, timeout);
 
   if (!result && *timeout < 0)
     *timeout = s->options->idle_timeout;

lib/logproto/logproto-framed-server.c

@@ -66,12 +66,12 @@ typedef struct _LogProtoFramedServer
 } LogProtoFramedServer;
 
 static LogProtoPrepareAction
-log_proto_framed_server_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
+log_proto_framed_server_poll_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout G_GNUC_UNUSED)
 {
   LogProtoFramedServer *self = (LogProtoFramedServer *) s;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
 
-  *cond = transport->cond;
+  if (log_transport_stack_poll_prepare(&self->super.transport_stack, cond))
+    return LPPA_FORCE_SCHEDULE_FETCH;
 
   /* there is a half message in our buffer so try to wait */
   if (!self->half_message_in_buffer)
@@ -97,7 +97,6 @@ static gboolean
 log_proto_framed_server_fetch_data(LogProtoFramedServer *self, gboolean *may_read,
                                    LogProtoStatus *status)
 {
-  LogTransport *transport = log_transport_stack_get_active(&self->super.transport_stack);
   gint rc;
   *status = LPS_SUCCESS;
 
@@ -111,15 +110,16 @@ log_proto_framed_server_fetch_data(LogProtoFramedServer *self, gboolean *may_rea
     return FALSE;
 
   log_transport_aux_data_reinit(&self->buffer_aux);
-  rc = log_transport_read(transport, &self->buffer[self->buffer_end], self->buffer_size - self->buffer_end,
-                          &self->buffer_aux);
+  rc = log_transport_stack_read(&self->super.transport_stack,
+                                &self->buffer[self->buffer_end], self->buffer_size - self->buffer_end,
+                                &self->buffer_aux);
 
   if (rc < 0)
     {
       if (errno != EAGAIN)
         {
           msg_error("Error reading RFC6587 style framed data",
-                    evt_tag_int("fd", transport->fd),
+                    evt_tag_int("fd", self->super.transport_stack.fd),
                     evt_tag_error("error"));
           *status = LPS_ERROR;
         }
@@ -134,7 +134,7 @@ log_proto_framed_server_fetch_data(LogProtoFramedServer *self, gboolean *may_rea
   if (rc == 0)
     {
       msg_trace("EOF occurred while reading",
-                evt_tag_int(EVT_TAG_FD, transport->fd));
+                evt_tag_int(EVT_TAG_FD, self->super.transport_stack.fd));
       *status = LPS_EOF;
       return FALSE;
     }
@@ -430,7 +430,7 @@ log_proto_framed_server_new(LogTransport *transport, const LogProtoServerOptions
   LogProtoFramedServer *self = g_new0(LogProtoFramedServer, 1);
 
   log_proto_server_init(&self->super, transport, options);
-  self->super.prepare = log_proto_framed_server_prepare;
+  self->super.poll_prepare = log_proto_framed_server_poll_prepare;
   self->super.fetch = log_proto_framed_server_fetch;
   self->super.free_fn = log_proto_framed_server_free;
   self->half_message_in_buffer = FALSE;

lib/logproto/logproto-record-server.c

@@ -54,17 +54,16 @@ static gint
 log_proto_record_server_read_data(LogProtoBufferedServer *s, guchar *buf, gsize len, LogTransportAuxData *aux)
 {
   LogProtoRecordServer *self = (LogProtoRecordServer *) s;
-  LogTransport *transport = log_transport_stack_get_active(&self->super.super.transport_stack);
   gint rc;
 
   /* assert that we have enough space in the buffer to read record_size bytes */
   g_assert(len >= self->record_size);
   len = self->record_size;
-  rc = log_transport_read(transport, buf, len, aux);
+  rc = log_transport_stack_read(&s->super.transport_stack, buf, len, aux);
   if (rc > 0 && rc != self->record_size)
     {
       msg_error("Record size was set, and couldn't read enough bytes",
-                evt_tag_int(EVT_TAG_FD, transport->fd),
+                evt_tag_int(EVT_TAG_FD, s->super.transport_stack.fd),
                 evt_tag_int("record_size", self->record_size),
                 evt_tag_int("read", rc));
       errno = EIO;

lib/logproto/logproto-server.h

@@ -83,8 +83,7 @@ struct _LogProtoServer
   AckTracker *ack_tracker;
 
   LogProtoServerWakeupCallback wakeup_callback;
-  /* FIXME: rename to something else */
-  LogProtoPrepareAction (*prepare)(LogProtoServer *s, GIOCondition *cond, gint *timeout);
+  LogProtoPrepareAction (*poll_prepare)(LogProtoServer *s, GIOCondition *cond, gint *timeout);
   gboolean (*restart_with_state)(LogProtoServer *s, PersistState *state, const gchar *persist_name);
   LogProtoStatus (*fetch)(LogProtoServer *s, const guchar **msg, gsize *msg_len, gboolean *may_read,
                           LogTransportAuxData *aux, Bookmark *bookmark);
@@ -125,9 +124,9 @@ log_proto_server_set_options(LogProtoServer *self, const LogProtoServerOptions *
 }
 
 static inline LogProtoPrepareAction
-log_proto_server_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout)
+log_proto_server_poll_prepare(LogProtoServer *s, GIOCondition *cond, gint *timeout)
 {
-  LogProtoPrepareAction result = s->prepare(s, cond, timeout);
+  LogProtoPrepareAction result = s->poll_prepare(s, cond, timeout);
 
   if (result == LPPA_POLL_IO && *timeout < 0)
     *timeout = s->options->idle_timeout;