1 /* $OpenBSD: relayd.c,v 1.192 2024/10/28 19:56:18 tb Exp $ */ 2 3 /* 4 * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/stat.h> 24 #include <sys/wait.h> 25 #include <sys/resource.h> 26 27 #include <netinet/in.h> 28 #include <arpa/inet.h> 29 30 #include <signal.h> 31 #include <string.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <fcntl.h> 35 #include <getopt.h> 36 #include <fnmatch.h> 37 #include <syslog.h> 38 #include <err.h> 39 #include <errno.h> 40 #include <event.h> 41 #include <unistd.h> 42 #include <ctype.h> 43 #include <pwd.h> 44 #include <sha1.h> 45 #include <md5.h> 46 47 #include <tls.h> 48 49 #include "relayd.h" 50 51 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 52 53 __dead void usage(void); 54 55 int parent_configure(struct relayd *); 56 void parent_configure_done(struct relayd *); 57 void parent_reload(struct relayd *, u_int, const char *); 58 void parent_sig_handler(int, short, void *); 59 void parent_shutdown(struct relayd *); 60 int parent_dispatch_pfe(int, struct privsep_proc *, struct imsg *); 61 int parent_dispatch_hce(int, struct privsep_proc *, struct imsg *); 62 int parent_dispatch_relay(int, struct privsep_proc *, 63 struct imsg *); 64 int parent_dispatch_ca(int, struct privsep_proc *, 65 struct imsg *); 66 int bindany(struct ctl_bindany *); 67 void parent_tls_ticket_rekey(int, short, void *); 68 69 struct relayd *relayd_env; 70 71 static struct privsep_proc procs[] = { 72 { "pfe", PROC_PFE, parent_dispatch_pfe, pfe }, 73 { "hce", PROC_HCE, parent_dispatch_hce, hce }, 74 { "relay", PROC_RELAY, parent_dispatch_relay, relay }, 75 { "ca", PROC_CA, parent_dispatch_ca, ca } 76 }; 77 78 enum privsep_procid privsep_process; 79 80 void 81 parent_sig_handler(int sig, short event, void *arg) 82 { 83 struct privsep *ps = arg; 84 85 switch (sig) { 86 case SIGTERM: 87 case SIGINT: 88 parent_shutdown(ps->ps_env); 89 break; 90 case SIGHUP: 91 log_info("%s: reload requested with SIGHUP", __func__); 92 93 /* 94 * This is safe because libevent uses async signal handlers 95 * that run in the event loop and not in signal context. 96 */ 97 parent_reload(ps->ps_env, CONFIG_RELOAD, NULL); 98 break; 99 case SIGPIPE: 100 case SIGUSR1: 101 /* ignore */ 102 break; 103 default: 104 fatalx("unexpected signal"); 105 } 106 } 107 108 __dead void 109 usage(void) 110 { 111 extern char *__progname; 112 113 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n", 114 __progname); 115 exit(1); 116 } 117 118 int 119 main(int argc, char *argv[]) 120 { 121 int c; 122 int debug = 0, verbose = 0; 123 u_int32_t opts = 0; 124 struct relayd *env; 125 struct privsep *ps; 126 const char *conffile = CONF_FILE; 127 enum privsep_procid proc_id = PROC_PARENT; 128 int proc_instance = 0; 129 const char *errp, *title = NULL; 130 int argc0 = argc; 131 132 while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) { 133 switch (c) { 134 case 'd': 135 debug = 2; 136 break; 137 case 'D': 138 if (cmdline_symset(optarg) < 0) 139 log_warnx("could not parse macro definition %s", 140 optarg); 141 break; 142 case 'n': 143 debug = 2; 144 opts |= RELAYD_OPT_NOACTION; 145 break; 146 case 'f': 147 conffile = optarg; 148 break; 149 case 'v': 150 verbose++; 151 opts |= RELAYD_OPT_VERBOSE; 152 break; 153 case 'P': 154 title = optarg; 155 proc_id = proc_getid(procs, nitems(procs), title); 156 if (proc_id == PROC_MAX) 157 fatalx("invalid process name"); 158 break; 159 case 'I': 160 proc_instance = strtonum(optarg, 0, 161 PROC_MAX_INSTANCES, &errp); 162 if (errp) 163 fatalx("invalid process instance"); 164 break; 165 default: 166 usage(); 167 } 168 } 169 170 /* log to stderr until daemonized */ 171 log_init(debug ? debug : 1, LOG_DAEMON); 172 173 argc -= optind; 174 if (argc > 0) 175 usage(); 176 177 if ((env = calloc(1, sizeof(*env))) == NULL || 178 (ps = calloc(1, sizeof(*ps))) == NULL) 179 exit(1); 180 181 relayd_env = env; 182 env->sc_ps = ps; 183 ps->ps_env = env; 184 TAILQ_INIT(&ps->ps_rcsocks); 185 env->sc_conffile = conffile; 186 env->sc_conf.opts = opts; 187 TAILQ_INIT(&env->sc_hosts); 188 TAILQ_INIT(&env->sc_sessions); 189 env->sc_rtable = getrtable(); 190 /* initialize the TLS session id to a random key for all relay procs */ 191 arc4random_buf(env->sc_conf.tls_sid, sizeof(env->sc_conf.tls_sid)); 192 193 if (parse_config(env->sc_conffile, env) == -1) 194 exit(1); 195 196 if (debug) 197 env->sc_conf.opts |= RELAYD_OPT_LOGUPDATE; 198 199 if (geteuid()) 200 errx(1, "need root privileges"); 201 202 if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) 203 errx(1, "unknown user %s", RELAYD_USER); 204 205 log_init(debug, LOG_DAEMON); 206 log_setverbose(verbose); 207 208 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) 209 ps->ps_noaction = 1; 210 211 ps->ps_instances[PROC_RELAY] = env->sc_conf.prefork_relay; 212 ps->ps_instances[PROC_CA] = env->sc_conf.prefork_relay; 213 ps->ps_instance = proc_instance; 214 if (title != NULL) 215 ps->ps_title[proc_id] = title; 216 217 /* only the parent returns */ 218 proc_init(ps, procs, nitems(procs), debug, argc0, argv, proc_id); 219 220 log_procinit("parent"); 221 222 if (ps->ps_noaction == 0) 223 log_info("startup"); 224 225 if (unveil("/", "rx") == -1) 226 err(1, "unveil /"); 227 if (unveil(NULL, NULL) == -1) 228 err(1, "unveil"); 229 230 event_init(); 231 232 signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); 233 signal_set(&ps->ps_evsigterm, SIGTERM, parent_sig_handler, ps); 234 signal_set(&ps->ps_evsighup, SIGHUP, parent_sig_handler, ps); 235 signal_set(&ps->ps_evsigpipe, SIGPIPE, parent_sig_handler, ps); 236 signal_set(&ps->ps_evsigusr1, SIGUSR1, parent_sig_handler, ps); 237 238 signal_add(&ps->ps_evsigint, NULL); 239 signal_add(&ps->ps_evsigterm, NULL); 240 signal_add(&ps->ps_evsighup, NULL); 241 signal_add(&ps->ps_evsigpipe, NULL); 242 signal_add(&ps->ps_evsigusr1, NULL); 243 244 proc_connect(ps); 245 246 relay_http(NULL); 247 if (load_config(env->sc_conffile, env) == -1) { 248 proc_kill(env->sc_ps); 249 exit(1); 250 } 251 252 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) { 253 fprintf(stderr, "configuration OK\n"); 254 proc_kill(env->sc_ps); 255 exit(0); 256 } 257 258 /* rekey the TLS tickets before pushing the config */ 259 parent_tls_ticket_rekey(0, 0, env); 260 if (parent_configure(env) == -1) 261 fatalx("configuration failed"); 262 263 init_routes(env); 264 265 event_dispatch(); 266 267 parent_shutdown(env); 268 /* NOTREACHED */ 269 270 return (0); 271 } 272 273 int 274 parent_configure(struct relayd *env) 275 { 276 struct table *tb; 277 struct rdr *rdr; 278 struct router *rt; 279 struct protocol *proto; 280 struct relay *rlay; 281 int id; 282 int ret = -1; 283 284 TAILQ_FOREACH(tb, env->sc_tables, entry) 285 config_settable(env, tb); 286 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 287 config_setrdr(env, rdr); 288 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 289 config_setrt(env, rt); 290 TAILQ_FOREACH(proto, env->sc_protos, entry) 291 config_setproto(env, proto); 292 TAILQ_FOREACH(proto, env->sc_protos, entry) 293 config_setrule(env, proto); 294 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 295 /* Check for TLS Inspection */ 296 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == 297 (F_TLS|F_TLSCLIENT) && rlay->rl_tls_cacert_fd != -1) 298 rlay->rl_conf.flags |= F_TLSINSPECT; 299 300 config_setrelay(env, rlay); 301 } 302 303 /* HCE, PFE, CA and the relays need to reload their config. */ 304 env->sc_reload = 2 + (2 * env->sc_conf.prefork_relay); 305 306 for (id = 0; id < PROC_MAX; id++) { 307 if (id == privsep_process) 308 continue; 309 proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1, 310 -1, &env->sc_conf, sizeof(env->sc_conf)); 311 } 312 313 ret = 0; 314 315 config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS); 316 return (ret); 317 } 318 319 void 320 parent_reload(struct relayd *env, u_int reset, const char *filename) 321 { 322 if (env->sc_reload) { 323 log_debug("%s: already in progress: %d pending", 324 __func__, env->sc_reload); 325 return; 326 } 327 328 /* Switch back to the default config file */ 329 if (filename == NULL || *filename == '\0') 330 filename = env->sc_conffile; 331 332 log_debug("%s: level %d config file %s", __func__, reset, filename); 333 334 config_purge(env, CONFIG_ALL); 335 336 if (reset == CONFIG_RELOAD) { 337 if (load_config(filename, env) == -1) { 338 log_debug("%s: failed to load config file %s", 339 __func__, filename); 340 } 341 342 config_setreset(env, CONFIG_ALL); 343 344 if (parent_configure(env) == -1) { 345 log_debug("%s: failed to commit config from %s", 346 __func__, filename); 347 } 348 } else 349 config_setreset(env, reset); 350 } 351 352 void 353 parent_configure_done(struct relayd *env) 354 { 355 int id; 356 357 if (env->sc_reload == 0) { 358 log_warnx("%s: configuration already finished", __func__); 359 return; 360 } 361 362 env->sc_reload--; 363 if (env->sc_reload == 0) { 364 for (id = 0; id < PROC_MAX; id++) { 365 if (id == privsep_process) 366 continue; 367 368 proc_compose(env->sc_ps, id, IMSG_CTL_START, NULL, 0); 369 } 370 } 371 } 372 373 void 374 parent_shutdown(struct relayd *env) 375 { 376 config_purge(env, CONFIG_ALL); 377 378 proc_kill(env->sc_ps); 379 control_cleanup(&env->sc_ps->ps_csock); 380 carp_demote_shutdown(); 381 382 free(env->sc_ps); 383 free(env); 384 385 log_info("parent terminating, pid %d", getpid()); 386 387 exit(0); 388 } 389 390 int 391 parent_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 392 { 393 struct privsep *ps = p->p_ps; 394 struct relayd *env = ps->ps_env; 395 struct ctl_demote demote; 396 struct ctl_netroute crt; 397 u_int v; 398 char *str = NULL; 399 400 switch (imsg->hdr.type) { 401 case IMSG_DEMOTE: 402 IMSG_SIZE_CHECK(imsg, &demote); 403 memcpy(&demote, imsg->data, sizeof(demote)); 404 carp_demote_set(demote.group, demote.level); 405 break; 406 case IMSG_RTMSG: 407 IMSG_SIZE_CHECK(imsg, &crt); 408 memcpy(&crt, imsg->data, sizeof(crt)); 409 pfe_route(env, &crt); 410 break; 411 case IMSG_CTL_RESET: 412 IMSG_SIZE_CHECK(imsg, &v); 413 memcpy(&v, imsg->data, sizeof(v)); 414 parent_reload(env, v, NULL); 415 break; 416 case IMSG_CTL_RELOAD: 417 if (IMSG_DATA_SIZE(imsg) > 0) 418 str = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); 419 parent_reload(env, CONFIG_RELOAD, str); 420 free(str); 421 break; 422 case IMSG_CTL_SHUTDOWN: 423 parent_shutdown(env); 424 break; 425 case IMSG_CFG_DONE: 426 parent_configure_done(env); 427 break; 428 case IMSG_AGENTXSOCK: 429 agentx_setsock(env, p->p_id); 430 break; 431 default: 432 return (-1); 433 } 434 435 return (0); 436 } 437 438 int 439 parent_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 440 { 441 struct privsep *ps = p->p_ps; 442 struct relayd *env = ps->ps_env; 443 struct ctl_script scr; 444 445 switch (imsg->hdr.type) { 446 case IMSG_SCRIPT: 447 IMSG_SIZE_CHECK(imsg, &scr); 448 bcopy(imsg->data, &scr, sizeof(scr)); 449 scr.retval = script_exec(env, &scr); 450 proc_compose(ps, PROC_HCE, IMSG_SCRIPT, &scr, sizeof(scr)); 451 break; 452 case IMSG_CFG_DONE: 453 parent_configure_done(env); 454 break; 455 default: 456 return (-1); 457 } 458 459 return (0); 460 } 461 462 int 463 parent_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg) 464 { 465 struct privsep *ps = p->p_ps; 466 struct relayd *env = ps->ps_env; 467 struct ctl_bindany bnd; 468 int s; 469 470 switch (imsg->hdr.type) { 471 case IMSG_BINDANY: 472 IMSG_SIZE_CHECK(imsg, &bnd); 473 bcopy(imsg->data, &bnd, sizeof(bnd)); 474 if (bnd.bnd_proc > env->sc_conf.prefork_relay) 475 fatalx("%s: invalid relay proc", __func__); 476 switch (bnd.bnd_proto) { 477 case IPPROTO_TCP: 478 case IPPROTO_UDP: 479 break; 480 default: 481 fatalx("%s: requested socket " 482 "for invalid protocol", __func__); 483 /* NOTREACHED */ 484 } 485 s = bindany(&bnd); 486 proc_compose_imsg(ps, PROC_RELAY, bnd.bnd_proc, 487 IMSG_BINDANY, -1, s, &bnd.bnd_id, sizeof(bnd.bnd_id)); 488 break; 489 case IMSG_CFG_DONE: 490 parent_configure_done(env); 491 break; 492 default: 493 return (-1); 494 } 495 496 return (0); 497 } 498 499 int 500 parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 501 { 502 struct privsep *ps = p->p_ps; 503 struct relayd *env = ps->ps_env; 504 505 switch (imsg->hdr.type) { 506 case IMSG_CFG_DONE: 507 parent_configure_done(env); 508 break; 509 default: 510 return (-1); 511 } 512 513 return (0); 514 } 515 516 void 517 purge_table(struct relayd *env, struct tablelist *head, struct table *table) 518 { 519 struct host *host; 520 521 while ((host = TAILQ_FIRST(&table->hosts)) != NULL) { 522 TAILQ_REMOVE(&table->hosts, host, entry); 523 TAILQ_REMOVE(&env->sc_hosts, host, globalentry); 524 if (event_initialized(&host->cte.ev)) { 525 event_del(&host->cte.ev); 526 close(host->cte.s); 527 } 528 ibuf_free(host->cte.buf); 529 tls_free(host->cte.tls); 530 free(host); 531 } 532 free(table->sendbuf); 533 ibuf_free(table->sendbinbuf); 534 tls_config_free(table->tls_cfg); 535 536 if (head != NULL) 537 TAILQ_REMOVE(head, table, entry); 538 free(table); 539 } 540 541 void 542 purge_key(char **key, off_t len) 543 { 544 freezero(*key, len); 545 546 *key = NULL; 547 } 548 549 void 550 purge_relay(struct relayd *env, struct relay *rlay) 551 { 552 struct rsession *con; 553 struct relay_table *rlt; 554 struct relay_cert *cert, *tmpcert; 555 556 /* shutdown and remove relay */ 557 if (event_initialized(&rlay->rl_ev)) 558 event_del(&rlay->rl_ev); 559 close(rlay->rl_s); 560 TAILQ_REMOVE(env->sc_relays, rlay, rl_entry); 561 562 /* cleanup sessions */ 563 while ((con = 564 SPLAY_ROOT(&rlay->rl_sessions)) != NULL) 565 relay_close(con, NULL, 0); 566 567 /* cleanup relay */ 568 if (rlay->rl_bev != NULL) 569 bufferevent_free(rlay->rl_bev); 570 if (rlay->rl_dstbev != NULL) 571 bufferevent_free(rlay->rl_dstbev); 572 573 purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len); 574 575 if (rlay->rl_tls_pkey != NULL) { 576 EVP_PKEY_free(rlay->rl_tls_pkey); 577 rlay->rl_tls_pkey = NULL; 578 } 579 if (rlay->rl_tls_cacertx509 != NULL) { 580 X509_free(rlay->rl_tls_cacertx509); 581 rlay->rl_tls_cacertx509 = NULL; 582 } 583 if (rlay->rl_tls_capkey != NULL) { 584 EVP_PKEY_free(rlay->rl_tls_capkey); 585 rlay->rl_tls_capkey = NULL; 586 } 587 588 tls_free(rlay->rl_tls_ctx); 589 tls_config_free(rlay->rl_tls_cfg); 590 tls_config_free(rlay->rl_tls_client_cfg); 591 592 while ((rlt = TAILQ_FIRST(&rlay->rl_tables))) { 593 TAILQ_REMOVE(&rlay->rl_tables, rlt, rlt_entry); 594 free(rlt); 595 } 596 597 TAILQ_FOREACH_SAFE(cert, env->sc_certs, cert_entry, tmpcert) { 598 if (rlay->rl_conf.id != cert->cert_relayid) 599 continue; 600 if (cert->cert_fd != -1) 601 close(cert->cert_fd); 602 if (cert->cert_key_fd != -1) 603 close(cert->cert_key_fd); 604 if (cert->cert_ocsp_fd != -1) 605 close(cert->cert_ocsp_fd); 606 if (cert->cert_pkey != NULL) 607 EVP_PKEY_free(cert->cert_pkey); 608 TAILQ_REMOVE(env->sc_certs, cert, cert_entry); 609 free(cert); 610 } 611 612 free(rlay); 613 } 614 615 struct kv * 616 kv_add(struct kvtree *keys, char *key, char *value, int unique) 617 { 618 struct kv *kv, *oldkv; 619 620 if (key == NULL) 621 return (NULL); 622 if ((kv = calloc(1, sizeof(*kv))) == NULL) 623 return (NULL); 624 if ((kv->kv_key = strdup(key)) == NULL) 625 goto fail; 626 if (value != NULL && 627 (kv->kv_value = strdup(value)) == NULL) 628 goto fail; 629 TAILQ_INIT(&kv->kv_children); 630 631 if ((oldkv = RB_INSERT(kvtree, keys, kv)) != NULL) { 632 /* 633 * return error if the key should occur only once, 634 * or add it to a list attached to the key's node. 635 */ 636 if (unique) 637 goto fail; 638 TAILQ_INSERT_TAIL(&oldkv->kv_children, kv, kv_entry); 639 kv->kv_parent = oldkv; 640 } 641 642 return (kv); 643 fail: 644 free(kv->kv_key); 645 free(kv->kv_value); 646 free(kv); 647 return (NULL); 648 } 649 650 int 651 kv_set(struct kv *kv, char *fmt, ...) 652 { 653 va_list ap; 654 char *value = NULL; 655 struct kv *ckv; 656 int ret; 657 658 va_start(ap, fmt); 659 ret = vasprintf(&value, fmt, ap); 660 va_end(ap); 661 if (ret == -1) 662 return (-1); 663 664 /* Remove all children */ 665 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 666 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 667 kv_free(ckv); 668 free(ckv); 669 } 670 671 /* Set the new value */ 672 free(kv->kv_value); 673 kv->kv_value = value; 674 675 return (0); 676 } 677 678 int 679 kv_setkey(struct kv *kv, char *fmt, ...) 680 { 681 va_list ap; 682 char *key = NULL; 683 int ret; 684 685 va_start(ap, fmt); 686 ret = vasprintf(&key, fmt, ap); 687 va_end(ap); 688 if (ret == -1) 689 return (-1); 690 691 free(kv->kv_key); 692 kv->kv_key = key; 693 694 return (0); 695 } 696 697 void 698 kv_delete(struct kvtree *keys, struct kv *kv) 699 { 700 struct kv *ckv; 701 702 RB_REMOVE(kvtree, keys, kv); 703 704 /* Remove all children */ 705 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 706 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 707 kv_free(ckv); 708 free(ckv); 709 } 710 711 kv_free(kv); 712 free(kv); 713 } 714 715 struct kv * 716 kv_extend(struct kvtree *keys, struct kv *kv, char *value) 717 { 718 char *newvalue; 719 720 if (kv == NULL) { 721 return (NULL); 722 } else if (kv->kv_value != NULL) { 723 if (asprintf(&newvalue, "%s%s", kv->kv_value, value) == -1) 724 return (NULL); 725 726 free(kv->kv_value); 727 kv->kv_value = newvalue; 728 } else if ((kv->kv_value = strdup(value)) == NULL) 729 return (NULL); 730 731 return (kv); 732 } 733 734 void 735 kv_purge(struct kvtree *keys) 736 { 737 struct kv *kv; 738 739 while ((kv = RB_MIN(kvtree, keys)) != NULL) 740 kv_delete(keys, kv); 741 } 742 743 void 744 kv_free(struct kv *kv) 745 { 746 /* 747 * This function does not clear memory referenced by 748 * kv_children or stuff on the tailqs. Use kv_delete() instead. 749 */ 750 751 free(kv->kv_key); 752 free(kv->kv_value); 753 memset(kv, 0, sizeof(*kv)); 754 } 755 756 struct kv * 757 kv_inherit(struct kv *dst, struct kv *src) 758 { 759 memset(dst, 0, sizeof(*dst)); 760 memcpy(dst, src, sizeof(*dst)); 761 TAILQ_INIT(&dst->kv_children); 762 763 if (src->kv_key != NULL) { 764 if ((dst->kv_key = strdup(src->kv_key)) == NULL) { 765 kv_free(dst); 766 return (NULL); 767 } 768 } 769 if (src->kv_value != NULL) { 770 if ((dst->kv_value = strdup(src->kv_value)) == NULL) { 771 kv_free(dst); 772 return (NULL); 773 } 774 } 775 776 if (src->kv_match != NULL) 777 dst->kv_match = src->kv_match; 778 if (src->kv_matchtree != NULL) 779 dst->kv_matchtree = src->kv_matchtree; 780 781 return (dst); 782 } 783 784 int 785 kv_log(struct rsession *con, struct kv *kv, u_int16_t labelid, 786 enum direction dir) 787 { 788 char *msg; 789 790 if (con->se_log == NULL) 791 return (0); 792 if (asprintf(&msg, " %s%s%s%s%s%s%s", 793 dir == RELAY_DIR_REQUEST ? "[" : "{", 794 labelid == 0 ? "" : label_id2name(labelid), 795 labelid == 0 ? "" : ", ", 796 kv->kv_key == NULL ? "(unknown)" : kv->kv_key, 797 kv->kv_value == NULL ? "" : ": ", 798 kv->kv_value == NULL ? "" : kv->kv_value, 799 dir == RELAY_DIR_REQUEST ? "]" : "}") == -1) 800 return (-1); 801 if (evbuffer_add(con->se_log, msg, strlen(msg)) == -1) { 802 free(msg); 803 return (-1); 804 } 805 free(msg); 806 con->se_haslog = 1; 807 return (0); 808 } 809 810 struct kv * 811 kv_find(struct kvtree *keys, struct kv *kv) 812 { 813 struct kv *match; 814 const char *key; 815 816 if (kv->kv_flags & KV_FLAG_GLOBBING) { 817 /* Test header key using shell globbing rules */ 818 key = kv->kv_key == NULL ? "" : kv->kv_key; 819 RB_FOREACH(match, kvtree, keys) { 820 if (fnmatch(key, match->kv_key, FNM_CASEFOLD) == 0) 821 break; 822 } 823 } else { 824 /* Fast tree-based lookup only works without globbing */ 825 match = RB_FIND(kvtree, keys, kv); 826 } 827 828 return (match); 829 } 830 831 struct kv * 832 kv_find_value(struct kvtree *keys, char *key, const char *value, 833 const char *delim) 834 { 835 struct kv *match, kv; 836 char *val = NULL, *next, *ptr; 837 size_t len; 838 839 kv.kv_key = key; 840 if ((match = RB_FIND(kvtree, keys, &kv)) == NULL) 841 return (NULL); 842 843 if (match->kv_value == NULL) 844 return (NULL); 845 846 if (delim == NULL) { 847 if (strcasecmp(match->kv_value, value) == 0) 848 goto done; 849 } else { 850 if ((val = strdup(match->kv_value)) == NULL) 851 return (NULL); 852 for (next = ptr = val; ptr != NULL; 853 ptr = strsep(&next, delim)) { 854 /* strip whitespace */ 855 ptr += strspn(ptr, " \t"); 856 len = strcspn(ptr, " \t"); 857 if (strncasecmp(ptr, value, len) == 0) 858 goto done; 859 } 860 } 861 862 /* not matched */ 863 match = NULL; 864 done: 865 #ifdef DEBUG 866 if (match != NULL) 867 DPRINTF("%s: matched %s: %s", __func__, key, value); 868 #endif 869 free(val); 870 return (match); 871 } 872 873 int 874 kv_cmp(struct kv *a, struct kv *b) 875 { 876 return (strcasecmp(a->kv_key, b->kv_key)); 877 } 878 879 RB_GENERATE(kvtree, kv, kv_node, kv_cmp); 880 881 int 882 rule_add(struct protocol *proto, struct relay_rule *rule, const char *rulefile) 883 { 884 struct relay_rule *r = NULL; 885 struct kv *kv = NULL; 886 FILE *fp = NULL; 887 char buf[BUFSIZ]; 888 int ret = -1; 889 u_int i; 890 891 for (i = 0; i < KEY_TYPE_MAX; i++) { 892 kv = &rule->rule_kv[i]; 893 if (kv->kv_type != i) 894 continue; 895 896 switch (kv->kv_option) { 897 case KEY_OPTION_LOG: 898 /* log action needs a key or a file to be specified */ 899 if (kv->kv_key == NULL && rulefile == NULL && 900 (kv->kv_key = strdup("*")) == NULL) 901 goto fail; 902 break; 903 default: 904 break; 905 } 906 907 switch (kv->kv_type) { 908 case KEY_TYPE_QUERY: 909 case KEY_TYPE_PATH: 910 case KEY_TYPE_URL: 911 if (rule->rule_dir != RELAY_DIR_REQUEST) 912 goto fail; 913 break; 914 default: 915 break; 916 } 917 918 if (kv->kv_value != NULL && strchr(kv->kv_value, '$') != NULL) 919 kv->kv_flags |= KV_FLAG_MACRO; 920 if (kv->kv_key != NULL && strpbrk(kv->kv_key, "*?[") != NULL) 921 kv->kv_flags |= KV_FLAG_GLOBBING; 922 } 923 924 if (rulefile == NULL) { 925 TAILQ_INSERT_TAIL(&proto->rules, rule, rule_entry); 926 return (0); 927 } 928 929 if ((fp = fopen(rulefile, "r")) == NULL) 930 goto fail; 931 932 while (fgets(buf, sizeof(buf), fp) != NULL) { 933 /* strip whitespace and newline characters */ 934 buf[strcspn(buf, "\r\n\t ")] = '\0'; 935 if (!strlen(buf) || buf[0] == '#') 936 continue; 937 938 if ((r = rule_inherit(rule)) == NULL) 939 goto fail; 940 941 for (i = 0; i < KEY_TYPE_MAX; i++) { 942 kv = &r->rule_kv[i]; 943 if (kv->kv_type != i) 944 continue; 945 free(kv->kv_key); 946 if ((kv->kv_key = strdup(buf)) == NULL) { 947 rule_free(r); 948 free(r); 949 goto fail; 950 } 951 } 952 953 TAILQ_INSERT_TAIL(&proto->rules, r, rule_entry); 954 } 955 956 ret = 0; 957 rule_free(rule); 958 free(rule); 959 960 fail: 961 if (fp != NULL) 962 fclose(fp); 963 return (ret); 964 } 965 966 struct relay_rule * 967 rule_inherit(struct relay_rule *rule) 968 { 969 struct relay_rule *r; 970 u_int i; 971 struct kv *kv; 972 973 if ((r = calloc(1, sizeof(*r))) == NULL) 974 return (NULL); 975 memcpy(r, rule, sizeof(*r)); 976 977 for (i = 0; i < KEY_TYPE_MAX; i++) { 978 kv = &rule->rule_kv[i]; 979 if (kv->kv_type != i) 980 continue; 981 if (kv_inherit(&r->rule_kv[i], kv) == NULL) { 982 free(r); 983 return (NULL); 984 } 985 } 986 987 if (r->rule_label > 0) 988 label_ref(r->rule_label); 989 if (r->rule_tag > 0) 990 tag_ref(r->rule_tag); 991 if (r->rule_tagged > 0) 992 tag_ref(r->rule_tagged); 993 994 return (r); 995 } 996 997 void 998 rule_free(struct relay_rule *rule) 999 { 1000 u_int i; 1001 1002 for (i = 0; i < KEY_TYPE_MAX; i++) 1003 kv_free(&rule->rule_kv[i]); 1004 if (rule->rule_label > 0) 1005 label_unref(rule->rule_label); 1006 if (rule->rule_tag > 0) 1007 tag_unref(rule->rule_tag); 1008 if (rule->rule_tagged > 0) 1009 tag_unref(rule->rule_tagged); 1010 } 1011 1012 void 1013 rule_delete(struct relay_rules *rules, struct relay_rule *rule) 1014 { 1015 TAILQ_REMOVE(rules, rule, rule_entry); 1016 rule_free(rule); 1017 free(rule); 1018 } 1019 1020 void 1021 rule_settable(struct relay_rules *rules, struct relay_table *rlt) 1022 { 1023 struct relay_rule *r; 1024 char pname[TABLE_NAME_SIZE]; 1025 1026 if (rlt->rlt_table == NULL || strlcpy(pname, rlt->rlt_table->conf.name, 1027 sizeof(pname)) >= sizeof(pname)) 1028 return; 1029 1030 pname[strcspn(pname, ":")] = '\0'; 1031 1032 TAILQ_FOREACH(r, rules, rule_entry) { 1033 if (r->rule_tablename[0] && 1034 strcmp(pname, r->rule_tablename) == 0) 1035 r->rule_table = rlt; 1036 } 1037 } 1038 1039 /* 1040 * Utility functions 1041 */ 1042 1043 struct host * 1044 host_find(struct relayd *env, objid_t id) 1045 { 1046 struct table *table; 1047 struct host *host; 1048 1049 TAILQ_FOREACH(table, env->sc_tables, entry) 1050 TAILQ_FOREACH(host, &table->hosts, entry) 1051 if (host->conf.id == id) 1052 return (host); 1053 return (NULL); 1054 } 1055 1056 struct table * 1057 table_find(struct relayd *env, objid_t id) 1058 { 1059 struct table *table; 1060 1061 TAILQ_FOREACH(table, env->sc_tables, entry) 1062 if (table->conf.id == id) 1063 return (table); 1064 return (NULL); 1065 } 1066 1067 struct rdr * 1068 rdr_find(struct relayd *env, objid_t id) 1069 { 1070 struct rdr *rdr; 1071 1072 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1073 if (rdr->conf.id == id) 1074 return (rdr); 1075 return (NULL); 1076 } 1077 1078 struct relay * 1079 relay_find(struct relayd *env, objid_t id) 1080 { 1081 struct relay *rlay; 1082 1083 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1084 if (rlay->rl_conf.id == id) 1085 return (rlay); 1086 return (NULL); 1087 } 1088 1089 struct protocol * 1090 proto_find(struct relayd *env, objid_t id) 1091 { 1092 struct protocol *p; 1093 1094 TAILQ_FOREACH(p, env->sc_protos, entry) 1095 if (p->id == id) 1096 return (p); 1097 return (NULL); 1098 } 1099 1100 struct rsession * 1101 session_find(struct relayd *env, objid_t id) 1102 { 1103 struct relay *rlay; 1104 struct rsession *con; 1105 1106 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1107 SPLAY_FOREACH(con, session_tree, &rlay->rl_sessions) 1108 if (con->se_id == id) 1109 return (con); 1110 return (NULL); 1111 } 1112 1113 struct netroute * 1114 route_find(struct relayd *env, objid_t id) 1115 { 1116 struct netroute *nr; 1117 1118 TAILQ_FOREACH(nr, env->sc_routes, nr_route) 1119 if (nr->nr_conf.id == id) 1120 return (nr); 1121 return (NULL); 1122 } 1123 1124 struct router * 1125 router_find(struct relayd *env, objid_t id) 1126 { 1127 struct router *rt; 1128 1129 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 1130 if (rt->rt_conf.id == id) 1131 return (rt); 1132 return (NULL); 1133 } 1134 1135 struct host * 1136 host_findbyname(struct relayd *env, const char *name) 1137 { 1138 struct table *table; 1139 struct host *host; 1140 1141 TAILQ_FOREACH(table, env->sc_tables, entry) 1142 TAILQ_FOREACH(host, &table->hosts, entry) 1143 if (strcmp(host->conf.name, name) == 0) 1144 return (host); 1145 return (NULL); 1146 } 1147 1148 struct table * 1149 table_findbyname(struct relayd *env, const char *name) 1150 { 1151 struct table *table; 1152 1153 TAILQ_FOREACH(table, env->sc_tables, entry) 1154 if (strcmp(table->conf.name, name) == 0) 1155 return (table); 1156 return (NULL); 1157 } 1158 1159 struct table * 1160 table_findbyconf(struct relayd *env, struct table *tb) 1161 { 1162 struct table *table; 1163 struct table_config a, b; 1164 1165 bcopy(&tb->conf, &a, sizeof(a)); 1166 a.id = a.rdrid = 0; 1167 a.flags &= ~(F_USED|F_BACKUP); 1168 1169 TAILQ_FOREACH(table, env->sc_tables, entry) { 1170 bcopy(&table->conf, &b, sizeof(b)); 1171 b.id = b.rdrid = 0; 1172 b.flags &= ~(F_USED|F_BACKUP); 1173 1174 /* 1175 * Compare two tables and return the existing table if 1176 * the configuration seems to be the same. 1177 */ 1178 if (bcmp(&a, &b, sizeof(b)) == 0 && 1179 ((tb->sendbuf == NULL && table->sendbuf == NULL) || 1180 (tb->sendbuf != NULL && table->sendbuf != NULL && 1181 strcmp(tb->sendbuf, table->sendbuf) == 0))) 1182 return (table); 1183 } 1184 return (NULL); 1185 } 1186 1187 struct rdr * 1188 rdr_findbyname(struct relayd *env, const char *name) 1189 { 1190 struct rdr *rdr; 1191 1192 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1193 if (strcmp(rdr->conf.name, name) == 0) 1194 return (rdr); 1195 return (NULL); 1196 } 1197 1198 struct relay * 1199 relay_findbyname(struct relayd *env, const char *name) 1200 { 1201 struct relay *rlay; 1202 1203 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1204 if (strcmp(rlay->rl_conf.name, name) == 0) 1205 return (rlay); 1206 return (NULL); 1207 } 1208 1209 struct relay * 1210 relay_findbyaddr(struct relayd *env, struct relay_config *rc) 1211 { 1212 struct relay *rlay; 1213 1214 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1215 if (bcmp(&rlay->rl_conf.ss, &rc->ss, sizeof(rc->ss)) == 0 && 1216 rlay->rl_conf.port == rc->port) 1217 return (rlay); 1218 return (NULL); 1219 } 1220 1221 EVP_PKEY * 1222 pkey_find(struct relayd *env, char * hash) 1223 { 1224 struct ca_pkey *pkey; 1225 1226 TAILQ_FOREACH(pkey, env->sc_pkeys, pkey_entry) 1227 if (strcmp(hash, pkey->pkey_hash) == 0) 1228 return (pkey->pkey); 1229 return (NULL); 1230 } 1231 1232 struct ca_pkey * 1233 pkey_add(struct relayd *env, EVP_PKEY *pkey, char *hash) 1234 { 1235 struct ca_pkey *ca_pkey; 1236 1237 if (env->sc_pkeys == NULL) 1238 fatalx("pkeys"); 1239 1240 if ((ca_pkey = calloc(1, sizeof(*ca_pkey))) == NULL) 1241 return (NULL); 1242 1243 ca_pkey->pkey = pkey; 1244 if (strlcpy(ca_pkey->pkey_hash, hash, sizeof(ca_pkey->pkey_hash)) >= 1245 sizeof(ca_pkey->pkey_hash)) { 1246 free(ca_pkey); 1247 return (NULL); 1248 } 1249 1250 TAILQ_INSERT_TAIL(env->sc_pkeys, ca_pkey, pkey_entry); 1251 1252 return (ca_pkey); 1253 } 1254 1255 struct relay_cert * 1256 cert_add(struct relayd *env, objid_t id) 1257 { 1258 static objid_t last_cert_id = 0; 1259 struct relay_cert *cert; 1260 1261 if ((cert = calloc(1, sizeof(*cert))) == NULL) 1262 return (NULL); 1263 1264 if (id == 0) 1265 id = ++last_cert_id; 1266 if (id == INT_MAX) { 1267 log_warnx("too many tls keypairs defined"); 1268 free(cert); 1269 return (NULL); 1270 } 1271 1272 cert->cert_id = id; 1273 cert->cert_fd = -1; 1274 cert->cert_key_fd = -1; 1275 cert->cert_ocsp_fd = -1; 1276 1277 TAILQ_INSERT_TAIL(env->sc_certs, cert, cert_entry); 1278 1279 return (cert); 1280 } 1281 1282 struct relay_cert * 1283 cert_find(struct relayd *env, objid_t id) 1284 { 1285 struct relay_cert *cert; 1286 1287 TAILQ_FOREACH(cert, env->sc_certs, cert_entry) 1288 if (cert->cert_id == id) 1289 return (cert); 1290 return (NULL); 1291 } 1292 1293 char * 1294 relay_load_fd(int fd, off_t *len) 1295 { 1296 char *buf = NULL; 1297 struct stat st; 1298 off_t size; 1299 ssize_t rv; 1300 int err; 1301 1302 if (fstat(fd, &st) != 0) 1303 goto fail; 1304 size = st.st_size; 1305 if ((buf = calloc(1, size + 1)) == NULL) 1306 goto fail; 1307 if ((rv = pread(fd, buf, size, 0)) != size) 1308 goto fail; 1309 1310 close(fd); 1311 1312 *len = size; 1313 return (buf); 1314 1315 fail: 1316 err = errno; 1317 free(buf); 1318 close(fd); 1319 errno = err; 1320 return (NULL); 1321 } 1322 1323 int 1324 relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name) 1325 { 1326 char certfile[PATH_MAX]; 1327 char hbuf[PATH_MAX]; 1328 struct protocol *proto = rlay->rl_proto; 1329 struct relay_cert *cert; 1330 int useport = htons(rlay->rl_conf.port); 1331 int cert_fd = -1, key_fd = -1, ocsp_fd = -1; 1332 1333 if (rlay->rl_conf.flags & F_TLSCLIENT) { 1334 if (strlen(proto->tlsca) && rlay->rl_tls_ca_fd == -1) { 1335 if ((rlay->rl_tls_ca_fd = 1336 open(proto->tlsca, O_RDONLY)) == -1) 1337 return (-1); 1338 log_debug("%s: using ca %s", __func__, proto->tlsca); 1339 } 1340 if (strlen(proto->tlscacert) && rlay->rl_tls_cacert_fd == -1) { 1341 if ((rlay->rl_tls_cacert_fd = 1342 open(proto->tlscacert, O_RDONLY)) == -1) 1343 return (-1); 1344 log_debug("%s: using ca certificate %s", __func__, 1345 proto->tlscacert); 1346 } 1347 if (strlen(proto->tlscakey) && !rlay->rl_conf.tls_cakey_len && 1348 proto->tlscapass != NULL) { 1349 if ((rlay->rl_tls_cakey = 1350 ssl_load_key(env, proto->tlscakey, 1351 &rlay->rl_conf.tls_cakey_len, 1352 proto->tlscapass)) == NULL) 1353 return (-1); 1354 log_debug("%s: using ca key %s", __func__, 1355 proto->tlscakey); 1356 } 1357 } 1358 1359 if ((rlay->rl_conf.flags & F_TLS) == 0) 1360 return (0); 1361 1362 if (strlen(proto->tlsclientca) && rlay->rl_tls_client_ca_fd == -1) { 1363 if ((rlay->rl_tls_client_ca_fd = 1364 open(proto->tlsclientca, O_RDONLY)) == -1) 1365 return (-1); 1366 log_debug("%s: using client ca %s", __func__, 1367 proto->tlsclientca); 1368 } 1369 1370 if (name == NULL && 1371 print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 1372 goto fail; 1373 else if (name != NULL && 1374 strlcpy(hbuf, name, sizeof(hbuf)) >= sizeof(hbuf)) 1375 goto fail; 1376 1377 if (snprintf(certfile, sizeof(certfile), 1378 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 1379 goto fail; 1380 if ((cert_fd = open(certfile, O_RDONLY)) == -1) { 1381 if (snprintf(certfile, sizeof(certfile), 1382 "/etc/ssl/%s.crt", hbuf) == -1) 1383 goto fail; 1384 if ((cert_fd = open(certfile, O_RDONLY)) == -1) 1385 goto fail; 1386 useport = 0; 1387 } 1388 log_debug("%s: using certificate %s", __func__, certfile); 1389 1390 if (useport) { 1391 if (snprintf(certfile, sizeof(certfile), 1392 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 1393 goto fail; 1394 } else { 1395 if (snprintf(certfile, sizeof(certfile), 1396 "/etc/ssl/private/%s.key", hbuf) == -1) 1397 goto fail; 1398 } 1399 if ((key_fd = open(certfile, O_RDONLY)) == -1) 1400 goto fail; 1401 log_debug("%s: using private key %s", __func__, certfile); 1402 1403 if (useport) { 1404 if (snprintf(certfile, sizeof(certfile), 1405 "/etc/ssl/%s:%u.ocsp", hbuf, useport) == -1) 1406 goto fail; 1407 } else { 1408 if (snprintf(certfile, sizeof(certfile), 1409 "/etc/ssl/%s.ocsp", hbuf) == -1) 1410 goto fail; 1411 } 1412 if ((ocsp_fd = open(certfile, O_RDONLY)) != -1) 1413 log_debug("%s: using OCSP staple file %s", __func__, certfile); 1414 1415 if ((cert = cert_add(env, 0)) == NULL) 1416 goto fail; 1417 1418 cert->cert_relayid = rlay->rl_conf.id; 1419 cert->cert_fd = cert_fd; 1420 cert->cert_key_fd = key_fd; 1421 cert->cert_ocsp_fd = ocsp_fd; 1422 1423 return (0); 1424 1425 fail: 1426 if (cert_fd != -1) 1427 close(cert_fd); 1428 if (key_fd != -1) 1429 close(key_fd); 1430 if (ocsp_fd != -1) 1431 close(ocsp_fd); 1432 1433 return (-1); 1434 } 1435 1436 void 1437 event_again(struct event *ev, int fd, short event, 1438 void (*fn)(int, short, void *), 1439 struct timeval *start, struct timeval *end, void *arg) 1440 { 1441 struct timeval tv_next, tv_now, tv; 1442 1443 getmonotime(&tv_now); 1444 bcopy(end, &tv_next, sizeof(tv_next)); 1445 timersub(&tv_now, start, &tv_now); 1446 timersub(&tv_next, &tv_now, &tv_next); 1447 1448 bzero(&tv, sizeof(tv)); 1449 if (timercmp(&tv_next, &tv, >)) 1450 bcopy(&tv_next, &tv, sizeof(tv)); 1451 1452 event_del(ev); 1453 event_set(ev, fd, event, fn, arg); 1454 event_add(ev, &tv); 1455 } 1456 1457 int 1458 expand_string(char *label, size_t len, const char *srch, const char *repl) 1459 { 1460 char *tmp; 1461 char *p, *q; 1462 1463 if ((tmp = calloc(1, len)) == NULL) { 1464 log_debug("%s: calloc", __func__); 1465 return (-1); 1466 } 1467 p = q = label; 1468 while ((q = strstr(p, srch)) != NULL) { 1469 *q = '\0'; 1470 if ((strlcat(tmp, p, len) >= len) || 1471 (strlcat(tmp, repl, len) >= len)) { 1472 log_debug("%s: string too long", __func__); 1473 free(tmp); 1474 return (-1); 1475 } 1476 q += strlen(srch); 1477 p = q; 1478 } 1479 if (strlcat(tmp, p, len) >= len) { 1480 log_debug("%s: string too long", __func__); 1481 free(tmp); 1482 return (-1); 1483 } 1484 (void)strlcpy(label, tmp, len); /* always fits */ 1485 free(tmp); 1486 1487 return (0); 1488 } 1489 1490 void 1491 translate_string(char *str) 1492 { 1493 char *reader; 1494 char *writer; 1495 1496 reader = writer = str; 1497 1498 while (*reader) { 1499 if (*reader == '\\') { 1500 reader++; 1501 switch (*reader) { 1502 case 'n': 1503 *writer++ = '\n'; 1504 break; 1505 case 'r': 1506 *writer++ = '\r'; 1507 break; 1508 default: 1509 *writer++ = *reader; 1510 } 1511 } else 1512 *writer++ = *reader; 1513 reader++; 1514 } 1515 *writer = '\0'; 1516 } 1517 1518 char * 1519 digeststr(enum digest_type type, const u_int8_t *data, size_t len, char *buf) 1520 { 1521 switch (type) { 1522 case DIGEST_SHA1: 1523 return (SHA1Data(data, len, buf)); 1524 break; 1525 case DIGEST_MD5: 1526 return (MD5Data(data, len, buf)); 1527 break; 1528 default: 1529 break; 1530 } 1531 return (NULL); 1532 } 1533 1534 const char * 1535 canonicalize_host(const char *host, char *name, size_t len) 1536 { 1537 struct sockaddr_in sin4; 1538 struct sockaddr_in6 sin6; 1539 size_t i, j; 1540 size_t plen; 1541 char c; 1542 1543 if (len < 2) 1544 goto fail; 1545 1546 /* 1547 * Canonicalize an IPv4/6 address 1548 */ 1549 if (inet_pton(AF_INET, host, &sin4) == 1) 1550 return (inet_ntop(AF_INET, &sin4, name, len)); 1551 if (inet_pton(AF_INET6, host, &sin6) == 1) 1552 return (inet_ntop(AF_INET6, &sin6, name, len)); 1553 1554 /* 1555 * Canonicalize a hostname 1556 */ 1557 1558 /* 1. remove repeated dots and convert upper case to lower case */ 1559 plen = strlen(host); 1560 bzero(name, len); 1561 for (i = j = 0; i < plen; i++) { 1562 if (j >= (len - 1)) 1563 goto fail; 1564 c = tolower((unsigned char)host[i]); 1565 if ((c == '.') && (j == 0 || name[j - 1] == '.')) 1566 continue; 1567 name[j++] = c; 1568 } 1569 1570 /* 2. remove trailing dots */ 1571 for (i = j; i > 0; i--) { 1572 if (name[i - 1] != '.') 1573 break; 1574 name[i - 1] = '\0'; 1575 j--; 1576 } 1577 if (j <= 0) 1578 goto fail; 1579 1580 return (name); 1581 1582 fail: 1583 errno = EINVAL; 1584 return (NULL); 1585 } 1586 1587 int 1588 parse_url(const char *url, char **protoptr, char **hostptr, char **pathptr) 1589 { 1590 char *p, *proto = NULL, *host = NULL, *path = NULL; 1591 1592 /* return error if it is not a URL */ 1593 if ((p = strstr(url, ":/")) == NULL || 1594 (strcspn(url, ":/") != (size_t)(p - url))) 1595 return (-1); 1596 1597 /* get protocol */ 1598 if ((proto = strdup(url)) == NULL) 1599 goto fail; 1600 p = proto + (p - url); 1601 1602 /* get host */ 1603 p += strspn(p, ":/"); 1604 if (*p == '\0' || (host = strdup(p)) == NULL) 1605 goto fail; 1606 *p = '\0'; 1607 1608 /* find and copy path or default to "/" */ 1609 if ((p = strchr(host, '/')) == NULL) 1610 p = "/"; 1611 if ((path = strdup(p)) == NULL) 1612 goto fail; 1613 1614 /* strip path after host */ 1615 host[strcspn(host, "/")] = '\0'; 1616 1617 DPRINTF("%s: %s proto %s, host %s, path %s", __func__, 1618 url, proto, host, path); 1619 1620 *protoptr = proto; 1621 *hostptr = host; 1622 *pathptr = path; 1623 1624 return (0); 1625 1626 fail: 1627 free(proto); 1628 free(host); 1629 free(path); 1630 return (-1); 1631 } 1632 1633 int 1634 bindany(struct ctl_bindany *bnd) 1635 { 1636 int s, v; 1637 1638 s = -1; 1639 v = 1; 1640 1641 if (relay_socket_af(&bnd->bnd_ss, bnd->bnd_port) == -1) 1642 goto fail; 1643 if ((s = socket(bnd->bnd_ss.ss_family, 1644 bnd->bnd_proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, 1645 bnd->bnd_proto)) == -1) 1646 goto fail; 1647 if (setsockopt(s, SOL_SOCKET, SO_BINDANY, 1648 &v, sizeof(v)) == -1) 1649 goto fail; 1650 if (bind(s, (struct sockaddr *)&bnd->bnd_ss, 1651 bnd->bnd_ss.ss_len) == -1) 1652 goto fail; 1653 1654 return (s); 1655 1656 fail: 1657 if (s != -1) 1658 close(s); 1659 return (-1); 1660 } 1661 1662 int 1663 map6to4(struct sockaddr_storage *in6) 1664 { 1665 struct sockaddr_storage out4; 1666 struct sockaddr_in *sin4 = (struct sockaddr_in *)&out4; 1667 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)in6; 1668 1669 bzero(sin4, sizeof(*sin4)); 1670 sin4->sin_len = sizeof(*sin4); 1671 sin4->sin_family = AF_INET; 1672 sin4->sin_port = sin6->sin6_port; 1673 1674 bcopy(&sin6->sin6_addr.s6_addr[12], &sin4->sin_addr.s_addr, 1675 sizeof(sin4->sin_addr)); 1676 1677 if (sin4->sin_addr.s_addr == INADDR_ANY || 1678 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1679 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1680 return (-1); 1681 1682 bcopy(&out4, in6, sizeof(*in6)); 1683 1684 return (0); 1685 } 1686 1687 int 1688 map4to6(struct sockaddr_storage *in4, struct sockaddr_storage *map) 1689 { 1690 struct sockaddr_storage out6; 1691 struct sockaddr_in *sin4 = (struct sockaddr_in *)in4; 1692 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out6; 1693 struct sockaddr_in6 *map6 = (struct sockaddr_in6 *)map; 1694 1695 if (sin4->sin_addr.s_addr == INADDR_ANY || 1696 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1697 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1698 return (-1); 1699 1700 bcopy(map6, sin6, sizeof(*sin6)); 1701 sin6->sin6_len = sizeof(*sin6); 1702 sin6->sin6_family = AF_INET6; 1703 sin6->sin6_port = sin4->sin_port; 1704 1705 bcopy(&sin4->sin_addr.s_addr, &sin6->sin6_addr.s6_addr[12], 1706 sizeof(sin4->sin_addr)); 1707 1708 bcopy(&out6, in4, sizeof(*in4)); 1709 1710 return (0); 1711 } 1712 1713 void 1714 socket_rlimit(int maxfd) 1715 { 1716 struct rlimit rl; 1717 1718 if (getrlimit(RLIMIT_NOFILE, &rl) == -1) 1719 fatal("%s: failed to get resource limit", __func__); 1720 log_debug("%s: max open files %llu", __func__, rl.rlim_max); 1721 1722 /* 1723 * Allow the maximum number of open file descriptors for this 1724 * login class (which should be the class "daemon" by default). 1725 */ 1726 if (maxfd == -1) 1727 rl.rlim_cur = rl.rlim_max; 1728 else 1729 rl.rlim_cur = MAXIMUM(rl.rlim_max, (rlim_t)maxfd); 1730 if (setrlimit(RLIMIT_NOFILE, &rl) == -1) 1731 fatal("%s: failed to set resource limit", __func__); 1732 } 1733 1734 char * 1735 get_string(u_int8_t *ptr, size_t len) 1736 { 1737 size_t i; 1738 1739 for (i = 0; i < len; i++) 1740 if (!(isprint((unsigned char)ptr[i]) || 1741 isspace((unsigned char)ptr[i]))) 1742 break; 1743 1744 return strndup(ptr, i); 1745 } 1746 1747 void * 1748 get_data(u_int8_t *ptr, size_t len) 1749 { 1750 u_int8_t *data; 1751 1752 if ((data = malloc(len)) == NULL) 1753 return (NULL); 1754 memcpy(data, ptr, len); 1755 1756 return (data); 1757 } 1758 1759 int 1760 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen) 1761 { 1762 struct sockaddr_in *a4, *b4; 1763 struct sockaddr_in6 *a6, *b6; 1764 u_int32_t av[4], bv[4], mv[4]; 1765 1766 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC) 1767 return (0); 1768 else if (a->sa_family > b->sa_family) 1769 return (1); 1770 else if (a->sa_family < b->sa_family) 1771 return (-1); 1772 1773 if (prefixlen == -1) 1774 memset(&mv, 0xff, sizeof(mv)); 1775 1776 switch (a->sa_family) { 1777 case AF_INET: 1778 a4 = (struct sockaddr_in *)a; 1779 b4 = (struct sockaddr_in *)b; 1780 1781 av[0] = a4->sin_addr.s_addr; 1782 bv[0] = b4->sin_addr.s_addr; 1783 if (prefixlen != -1) 1784 mv[0] = prefixlen2mask(prefixlen); 1785 1786 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1787 return (1); 1788 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1789 return (-1); 1790 break; 1791 case AF_INET6: 1792 a6 = (struct sockaddr_in6 *)a; 1793 b6 = (struct sockaddr_in6 *)b; 1794 1795 memcpy(&av, &a6->sin6_addr.s6_addr, 16); 1796 memcpy(&bv, &b6->sin6_addr.s6_addr, 16); 1797 if (prefixlen != -1) 1798 prefixlen2mask6(prefixlen, mv); 1799 1800 if ((av[3] & mv[3]) > (bv[3] & mv[3])) 1801 return (1); 1802 if ((av[3] & mv[3]) < (bv[3] & mv[3])) 1803 return (-1); 1804 if ((av[2] & mv[2]) > (bv[2] & mv[2])) 1805 return (1); 1806 if ((av[2] & mv[2]) < (bv[2] & mv[2])) 1807 return (-1); 1808 if ((av[1] & mv[1]) > (bv[1] & mv[1])) 1809 return (1); 1810 if ((av[1] & mv[1]) < (bv[1] & mv[1])) 1811 return (-1); 1812 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1813 return (1); 1814 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1815 return (-1); 1816 break; 1817 } 1818 1819 return (0); 1820 } 1821 1822 u_int32_t 1823 prefixlen2mask(u_int8_t prefixlen) 1824 { 1825 if (prefixlen == 0) 1826 return (0); 1827 1828 if (prefixlen > 32) 1829 prefixlen = 32; 1830 1831 return (htonl(0xffffffff << (32 - prefixlen))); 1832 } 1833 1834 struct in6_addr * 1835 prefixlen2mask6(u_int8_t prefixlen, u_int32_t *mask) 1836 { 1837 static struct in6_addr s6; 1838 int i; 1839 1840 if (prefixlen > 128) 1841 prefixlen = 128; 1842 1843 bzero(&s6, sizeof(s6)); 1844 for (i = 0; i < prefixlen / 8; i++) 1845 s6.s6_addr[i] = 0xff; 1846 i = prefixlen % 8; 1847 if (i) 1848 s6.s6_addr[prefixlen / 8] = 0xff00 >> i; 1849 1850 memcpy(mask, &s6, sizeof(s6)); 1851 1852 return (&s6); 1853 } 1854 1855 int 1856 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen, 1857 int reserve, volatile int *counter) 1858 { 1859 int ret; 1860 if (getdtablecount() + reserve + 1861 *counter >= getdtablesize()) { 1862 errno = EMFILE; 1863 return (-1); 1864 } 1865 1866 if ((ret = accept4(sockfd, addr, addrlen, SOCK_NONBLOCK)) > -1) { 1867 (*counter)++; 1868 DPRINTF("%s: inflight incremented, now %d",__func__, *counter); 1869 } 1870 return (ret); 1871 } 1872 1873 void 1874 parent_tls_ticket_rekey(int fd, short events, void *arg) 1875 { 1876 static struct event rekeyev; 1877 struct relayd *env = arg; 1878 struct timeval tv; 1879 struct relay_ticket_key key; 1880 1881 log_debug("%s: rekeying tickets", __func__); 1882 1883 key.tt_keyrev = arc4random(); 1884 arc4random_buf(key.tt_key, sizeof(key.tt_key)); 1885 1886 proc_compose_imsg(env->sc_ps, PROC_RELAY, -1, IMSG_TLSTICKET_REKEY, 1887 -1, -1, &key, sizeof(key)); 1888 1889 evtimer_set(&rekeyev, parent_tls_ticket_rekey, env); 1890 timerclear(&tv); 1891 tv.tv_sec = TLS_SESSION_LIFETIME / 4; 1892 evtimer_add(&rekeyev, &tv); 1893 } 1894