1 /*-
88 /* PID file handle. */
98 	errx(EX_USAGE, "[-dFhl] [-c config] [-P pidfile]");  in usage()
107 	TAILQ_FOREACH(adh, &adcfg->adc_hosts, adh_next) {  in descriptors_cleanup()
110 		if (adh->adh_remote != NULL) {  in descriptors_cleanup()
111 			proto_close(adh->adh_remote);  in descriptors_cleanup()
112 			adh->adh_remote = NULL;  in descriptors_cleanup()
115 	TAILQ_FOREACH(lst, &adcfg->adc_listen, adl_next) {  in descriptors_cleanup()
116 		if (lst->adl_conn != NULL)  in descriptors_cleanup()
117 			proto_close(lst->adl_conn);  in descriptors_cleanup()
127 	if (adhost->adh_conn != NULL) {  in child_cleanup()
128 		PJDLOG_ASSERT(adhost->adh_role == ADIST_ROLE_SENDER);  in child_cleanup()
129 		proto_close(adhost->adh_conn);  in child_cleanup()
130 		adhost->adh_conn = NULL;  in child_cleanup()
132 	adhost->adh_worker_pid = 0;  in child_cleanup()
136 child_exit_log(const char *type, unsigned int pid, int status)  in child_exit_log()  argument
140 		pjdlog_debug(1, "%s process exited gracefully (pid=%u).",  in child_exit_log()
141 		    type, pid);  in child_exit_log()
143 		pjdlog_error("%s process killed (pid=%u, signal=%d).",  in child_exit_log()
144 		    type, pid, WTERMSIG(status));  in child_exit_log()
146 		pjdlog_error("%s process exited ungracefully (pid=%u, exitcode=%d).",  in child_exit_log()
147 		    type, pid, WIFEXITED(status) ? WEXITSTATUS(status) : -1);  in child_exit_log()
157 	pid_t pid;  in child_exit()  local
160 	while ((pid = wait3(&status, WNOHANG, NULL)) > 0) {  in child_exit()
162 		TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in child_exit()
163 			if (pid == adhost->adh_worker_pid)  in child_exit()
167 			child_exit_log("Sandbox", pid, status);  in child_exit()
169 			if (adhost->adh_role == ADIST_ROLE_SENDER)  in child_exit()
171 			pjdlog_prefix_set("[%s] (%s) ", adhost->adh_name,  in child_exit()
172 			    role2str(adhost->adh_role));  in child_exit()
173 			child_exit_log("Worker", pid, status);  in child_exit()
182 	TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in child_exit()
183 		if (adhost->adh_role != ADIST_ROLE_SENDER)  in child_exit()
185 		if (adhost->adh_worker_pid != 0)  in child_exit()
187 		pjdlog_prefix_set("[%s] (%s) ", adhost->adh_name,  in child_exit()
188 		    role2str(adhost->adh_role));  in child_exit()
209 	TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in terminate_workers()
210 		if (adhost->adh_worker_pid == 0)  in terminate_workers()
212 		pjdlog_info("Terminating worker process (adhost=%s, role=%s, pid=%u).",  in terminate_workers()
213 		    adhost->adh_name, role2str(adhost->adh_role),  in terminate_workers()
214 		    adhost->adh_worker_pid);  in terminate_workers()
215 		if (kill(adhost->adh_worker_pid, SIGTERM) == 0)  in terminate_workers()
218 		    "Unable to send signal to worker process (adhost=%s, role=%s, pid=%u).",  in terminate_workers()
219 		    adhost->adh_name, role2str(adhost->adh_role),  in terminate_workers()
220 		    adhost->adh_worker_pid);  in terminate_workers()
234 	pid_t pid;  in listen_accept()  local
236 	proto_local_address(lst->adl_conn, laddr, sizeof(laddr));  in listen_accept()
239 	if (proto_accept(lst->adl_conn, &conn) == -1) {  in listen_accept()
254 	 * Before receiving any data see if remote host is known.  in listen_accept()
256 	TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in listen_accept()
257 		if (adhost->adh_role != ADIST_ROLE_RECEIVER)  in listen_accept()
259 		if (!proto_address_match(conn, adhost->adh_remoteaddr))  in listen_accept()
267 	/* Ok, remote host is known. */  in listen_accept()
271 	if (proto_recv(conn, welcome, sizeof(welcome)) == -1) {  in listen_accept()
274 		    adhost->adh_remoteaddr);  in listen_accept()
280 		    adhost->adh_remoteaddr);  in listen_accept()
287 	if (proto_send(conn, welcome, sizeof(welcome)) == -1) {  in listen_accept()
290 		    adhost->adh_remoteaddr);  in listen_accept()
294 	if (proto_recv(conn, adname, sizeof(adhost->adh_name)) < 0) {  in listen_accept()
301 	TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in listen_accept()
302 		if (adhost->adh_role != ADIST_ROLE_RECEIVER)  in listen_accept()
304 		if (!proto_address_match(conn, adhost->adh_remoteaddr))  in listen_accept()
306 		if (strcmp(adhost->adh_name, adname) != 0)  in listen_accept()
316 	adhost->adh_version = version;  in listen_accept()
317 	pjdlog_debug(1, "Version %d negotiated with %s.", adhost->adh_version,  in listen_accept()
318 	    adhost->adh_remoteaddr);  in listen_accept()
321 	pjdlog_prefix_set("[%s] (%s) ", adhost->adh_name,  in listen_accept()
322 	    role2str(adhost->adh_role));  in listen_accept()
324 	if (adist_random(rnd, sizeof(rnd)) == -1) {  in listen_accept()
330 	if (proto_send(conn, rnd, sizeof(rnd)) == -1) {  in listen_accept()
332 		    adhost->adh_remoteaddr);  in listen_accept()
337 	if (proto_recv(conn, resp, sizeof(resp)) == -1) {  in listen_accept()
339 		    adhost->adh_remoteaddr);  in listen_accept()
344 	if (HMAC(EVP_sha256(), adhost->adh_password,  in listen_accept()
345 	    (int)strlen(adhost->adh_password), rnd, (int)sizeof(rnd), hash,  in listen_accept()
354 		    adhost->adh_remoteaddr);  in listen_accept()
359 	if (proto_recv(conn, rnd, sizeof(rnd)) == -1) {  in listen_accept()
361 		    adhost->adh_remoteaddr);  in listen_accept()
366 	if (HMAC(EVP_sha256(), adhost->adh_password,  in listen_accept()
367 	    (int)strlen(adhost->adh_password), rnd, (int)sizeof(rnd), hash,  in listen_accept()
374 	if (proto_send(conn, hash, sizeof(hash)) == -1) {  in listen_accept()
376 		    adhost->adh_remoteaddr);  in listen_accept()
381 	if (adhost->adh_worker_pid != 0) {  in listen_accept()
383 		    "Receiver process exists (pid=%u), stopping it.",  in listen_accept()
384 		    (unsigned int)adhost->adh_worker_pid);  in listen_accept()
386 		if (kill(adhost->adh_worker_pid, SIGINT) == -1) {  in listen_accept()
388 			    "Unable to stop worker process (pid=%u)",  in listen_accept()
389 			    (unsigned int)adhost->adh_worker_pid);  in listen_accept()
392 			 * ignore it - nothing smart to do.  in listen_accept()
396 		else if ((pid = waitpid(adhost->adh_worker_pid,  in listen_accept()
397 		    &status, 0)) != adhost->adh_worker_pid) {  in listen_accept()
400 			    "Waiting for worker process (pid=%u) failed",  in listen_accept()
401 			    (unsigned int)adhost->adh_worker_pid);  in listen_accept()
403 			child_exit_log("Worker", adhost->adh_worker_pid,  in listen_accept()
409 	adhost->adh_remote = conn;  in listen_accept()
425 	pjdlog_prefix_set("[%s] (%s) ", adhost->adh_name,  in connection_migrate()
426 	    role2str(adhost->adh_role));  in connection_migrate()
428 	PJDLOG_ASSERT(adhost->adh_role == ADIST_ROLE_SENDER);  in connection_migrate()
430 	if (proto_recv(adhost->adh_conn, &val, sizeof(val)) < 0) {  in connection_migrate()
435 	if (proto_set("tls:fingerprint", adhost->adh_fingerprint) == -1) {  in connection_migrate()
440 	if (proto_connect(adhost->adh_localaddr[0] != '\0' ?  in connection_migrate()
441 	    adhost->adh_localaddr : NULL,  in connection_migrate()
442 	    adhost->adh_remoteaddr, -1, &conn) < 0) {  in connection_migrate()
445 		    adhost->adh_remoteaddr);  in connection_migrate()
450 	if (proto_send(adhost->adh_conn, &val, sizeof(val)) < 0) {  in connection_migrate()
454 	if (val == 0 && proto_connection_send(adhost->adh_conn, conn) < 0)  in connection_migrate()
476 	while ((signo = sigtimedwait(&mask, NULL, &sigtimeout)) != -1) {  in check_signals()
515 		maxfd = -1;  in main_loop()
516 		TAILQ_FOREACH(lst, &adcfg->adc_listen, adl_next) {  in main_loop()
517 			if (lst->adl_conn == NULL)  in main_loop()
519 			fd = proto_descriptor(lst->adl_conn);  in main_loop()
524 		TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in main_loop()
525 			if (adhost->adh_role == ADIST_ROLE_SENDER) {  in main_loop()
527 				PJDLOG_ASSERT(adhost->adh_conn != NULL);  in main_loop()
528 				fd = proto_descriptor(adhost->adh_conn);  in main_loop()
533 				PJDLOG_ASSERT(adhost->adh_conn == NULL);  in main_loop()
545 		} else if (ret == -1) {  in main_loop()
559 		TAILQ_FOREACH(lst, &adcfg->adc_listen, adl_next) {  in main_loop()
560 			if (lst->adl_conn == NULL)  in main_loop()
562 			if (FD_ISSET(proto_descriptor(lst->adl_conn), &rfds))  in main_loop()
565 		TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in main_loop()
566 			if (adhost->adh_role == ADIST_ROLE_SENDER) {  in main_loop()
567 				PJDLOG_ASSERT(adhost->adh_conn != NULL);  in main_loop()
568 				if (FD_ISSET(proto_descriptor(adhost->adh_conn),  in main_loop()
573 				PJDLOG_ASSERT(adhost->adh_conn == NULL);  in main_loop()
587 	pjdlog_debug(2, "    pidfile: %s", cfg->adc_pidfile);  in adist_config_dump()
588 	pjdlog_debug(2, "    timeout: %d", cfg->adc_timeout);  in adist_config_dump()
589 	if (TAILQ_EMPTY(&cfg->adc_listen)) {  in adist_config_dump()
593 		TAILQ_FOREACH(lst, &cfg->adc_listen, adl_next) {  in adist_config_dump()
594 			pjdlog_debug(2, "    listen: %s", lst->adl_addr);  in adist_config_dump()
595 			pjdlog_debug(2, "    conn: %p", lst->adl_conn);  in adist_config_dump()
599 	TAILQ_FOREACH(adhost, &cfg->adc_hosts, adh_next) {  in adist_config_dump()
600 		pjdlog_debug(2, "    name: %s", adhost->adh_name);  in adist_config_dump()
601 		pjdlog_debug(2, "      role: %s", role2str(adhost->adh_role));  in adist_config_dump()
602 		pjdlog_debug(2, "      version: %d", adhost->adh_version);  in adist_config_dump()
603 		pjdlog_debug(2, "      localaddr: %s", adhost->adh_localaddr);  in adist_config_dump()
604 		pjdlog_debug(2, "      remoteaddr: %s", adhost->adh_remoteaddr);  in adist_config_dump()
605 		pjdlog_debug(2, "      remote: %p", adhost->adh_remote);  in adist_config_dump()
606 		pjdlog_debug(2, "      directory: %s", adhost->adh_directory);  in adist_config_dump()
607 		pjdlog_debug(2, "      compression: %d", adhost->adh_compression);  in adist_config_dump()
608 		pjdlog_debug(2, "      checksum: %d", adhost->adh_checksum);  in adist_config_dump()
609 		pjdlog_debug(2, "      pid: %ld", (long)adhost->adh_worker_pid);  in adist_config_dump()
610 		pjdlog_debug(2, "      conn: %p", adhost->adh_conn);  in adist_config_dump()
641 		argc -= 2;  in main()
643 		if (proto_exec(argc, argv) == -1)  in main()
656 		if (ch == -1)  in main()
679 	argc -= optind;  in main()
685 	if (proto_set("execpath", execpath) == -1)  in main()
687 	if (proto_set("user", ADIST_USER) == -1)  in main()
689 	if (proto_set("tcp:port", ADIST_TCP_PORT) == -1)  in main()
712 	if (proto_set("tls:certfile", adcfg->adc_certfile) == -1)  in main()
714 	if (proto_set("tls:keyfile", adcfg->adc_keyfile) == -1)  in main()
718 		if (strlcpy(adcfg->adc_pidfile, pidfile,  in main()
719 		    sizeof(adcfg->adc_pidfile)) >=  in main()
720 		    sizeof(adcfg->adc_pidfile)) {  in main()
727 		pfh = pidfile_open(adcfg->adc_pidfile, 0600, &otherpid);  in main()
731 				    "Another auditdistd is already running, pid: %jd.",  in main()
740 			    adcfg->adc_pidfile);  in main()
764 	/* Listen for remote connections. */  in main()
765 	TAILQ_FOREACH(lst, &adcfg->adc_listen, adl_next) {  in main()
766 		if (proto_server(lst->adl_addr, &lst->adl_conn) == -1) {  in main()
769 			    lst->adl_addr);  in main()
774 		if (!launchd && daemon(0, 0) == -1) {  in main()
783 		/* Write PID to a file. */  in main()
786 			    "Unable to write PID to a file");  in main()
790 	TAILQ_FOREACH(adhost, &adcfg->adc_hosts, adh_next) {  in main()
791 		if (adhost->adh_role == ADIST_ROLE_SENDER)  in main()