1 /* $OpenBSD: relayd.c,v 1.184 2020/09/14 11:30:25 martijn Exp $ */ 2 3 /* 4 * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/stat.h> 24 #include <sys/wait.h> 25 #include <sys/resource.h> 26 27 #include <netinet/in.h> 28 #include <arpa/inet.h> 29 30 #include <signal.h> 31 #include <string.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <fcntl.h> 35 #include <getopt.h> 36 #include <fnmatch.h> 37 #include <syslog.h> 38 #include <err.h> 39 #include <errno.h> 40 #include <event.h> 41 #include <unistd.h> 42 #include <ctype.h> 43 #include <pwd.h> 44 #include <sha1.h> 45 #include <md5.h> 46 47 #include <tls.h> 48 49 #include "relayd.h" 50 51 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 52 53 __dead void usage(void); 54 55 int parent_configure(struct relayd *); 56 void parent_configure_done(struct relayd *); 57 void parent_reload(struct relayd *, u_int, const char *); 58 void parent_sig_handler(int, short, void *); 59 void parent_shutdown(struct relayd *); 60 int parent_dispatch_pfe(int, struct privsep_proc *, struct imsg *); 61 int parent_dispatch_hce(int, struct privsep_proc *, struct imsg *); 62 int parent_dispatch_relay(int, struct privsep_proc *, 63 struct imsg *); 64 int parent_dispatch_ca(int, struct privsep_proc *, 65 struct imsg *); 66 int bindany(struct ctl_bindany *); 67 void parent_tls_ticket_rekey(int, short, void *); 68 69 struct relayd *relayd_env; 70 71 static struct privsep_proc procs[] = { 72 { "pfe", PROC_PFE, parent_dispatch_pfe, pfe }, 73 { "hce", PROC_HCE, parent_dispatch_hce, hce }, 74 { "relay", PROC_RELAY, parent_dispatch_relay, relay }, 75 { "ca", PROC_CA, parent_dispatch_ca, ca } 76 }; 77 78 void 79 parent_sig_handler(int sig, short event, void *arg) 80 { 81 struct privsep *ps = arg; 82 83 switch (sig) { 84 case SIGTERM: 85 case SIGINT: 86 parent_shutdown(ps->ps_env); 87 break; 88 case SIGHUP: 89 log_info("%s: reload requested with SIGHUP", __func__); 90 91 /* 92 * This is safe because libevent uses async signal handlers 93 * that run in the event loop and not in signal context. 94 */ 95 parent_reload(ps->ps_env, CONFIG_RELOAD, NULL); 96 break; 97 case SIGPIPE: 98 case SIGUSR1: 99 /* ignore */ 100 break; 101 default: 102 fatalx("unexpected signal"); 103 } 104 } 105 106 __dead void 107 usage(void) 108 { 109 extern char *__progname; 110 111 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n", 112 __progname); 113 exit(1); 114 } 115 116 int 117 main(int argc, char *argv[]) 118 { 119 int c; 120 int debug = 0, verbose = 0; 121 u_int32_t opts = 0; 122 struct relayd *env; 123 struct privsep *ps; 124 const char *conffile = CONF_FILE; 125 enum privsep_procid proc_id = PROC_PARENT; 126 int proc_instance = 0; 127 const char *errp, *title = NULL; 128 int argc0 = argc; 129 130 while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) { 131 switch (c) { 132 case 'd': 133 debug = 2; 134 break; 135 case 'D': 136 if (cmdline_symset(optarg) < 0) 137 log_warnx("could not parse macro definition %s", 138 optarg); 139 break; 140 case 'n': 141 debug = 2; 142 opts |= RELAYD_OPT_NOACTION; 143 break; 144 case 'f': 145 conffile = optarg; 146 break; 147 case 'v': 148 verbose++; 149 opts |= RELAYD_OPT_VERBOSE; 150 break; 151 case 'P': 152 title = optarg; 153 proc_id = proc_getid(procs, nitems(procs), title); 154 if (proc_id == PROC_MAX) 155 fatalx("invalid process name"); 156 break; 157 case 'I': 158 proc_instance = strtonum(optarg, 0, 159 PROC_MAX_INSTANCES, &errp); 160 if (errp) 161 fatalx("invalid process instance"); 162 break; 163 default: 164 usage(); 165 } 166 } 167 168 /* log to stderr until daemonized */ 169 log_init(debug ? debug : 1, LOG_DAEMON); 170 171 argc -= optind; 172 if (argc > 0) 173 usage(); 174 175 if ((env = calloc(1, sizeof(*env))) == NULL || 176 (ps = calloc(1, sizeof(*ps))) == NULL) 177 exit(1); 178 179 relayd_env = env; 180 env->sc_ps = ps; 181 ps->ps_env = env; 182 TAILQ_INIT(&ps->ps_rcsocks); 183 env->sc_conffile = conffile; 184 env->sc_conf.opts = opts; 185 TAILQ_INIT(&env->sc_hosts); 186 TAILQ_INIT(&env->sc_sessions); 187 env->sc_rtable = getrtable(); 188 /* initialize the TLS session id to a random key for all relay procs */ 189 arc4random_buf(env->sc_conf.tls_sid, sizeof(env->sc_conf.tls_sid)); 190 191 if (parse_config(env->sc_conffile, env) == -1) 192 exit(1); 193 194 if (debug) 195 env->sc_conf.opts |= RELAYD_OPT_LOGUPDATE; 196 197 if (geteuid()) 198 errx(1, "need root privileges"); 199 200 if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) 201 errx(1, "unknown user %s", RELAYD_USER); 202 203 log_init(debug, LOG_DAEMON); 204 log_setverbose(verbose); 205 206 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) 207 ps->ps_noaction = 1; 208 209 ps->ps_instances[PROC_RELAY] = env->sc_conf.prefork_relay; 210 ps->ps_instances[PROC_CA] = env->sc_conf.prefork_relay; 211 ps->ps_instance = proc_instance; 212 if (title != NULL) 213 ps->ps_title[proc_id] = title; 214 215 /* only the parent returns */ 216 proc_init(ps, procs, nitems(procs), debug, argc0, argv, proc_id); 217 218 log_procinit("parent"); 219 if (!debug && daemon(1, 0) == -1) 220 err(1, "failed to daemonize"); 221 222 if (ps->ps_noaction == 0) 223 log_info("startup"); 224 225 if (unveil("/", "rx") == -1) 226 err(1, "unveil"); 227 if (unveil(NULL, NULL) == -1) 228 err(1, "unveil"); 229 230 event_init(); 231 232 signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); 233 signal_set(&ps->ps_evsigterm, SIGTERM, parent_sig_handler, ps); 234 signal_set(&ps->ps_evsighup, SIGHUP, parent_sig_handler, ps); 235 signal_set(&ps->ps_evsigpipe, SIGPIPE, parent_sig_handler, ps); 236 signal_set(&ps->ps_evsigusr1, SIGUSR1, parent_sig_handler, ps); 237 238 signal_add(&ps->ps_evsigint, NULL); 239 signal_add(&ps->ps_evsigterm, NULL); 240 signal_add(&ps->ps_evsighup, NULL); 241 signal_add(&ps->ps_evsigpipe, NULL); 242 signal_add(&ps->ps_evsigusr1, NULL); 243 244 proc_connect(ps); 245 246 relay_http(NULL); 247 if (load_config(env->sc_conffile, env) == -1) { 248 proc_kill(env->sc_ps); 249 exit(1); 250 } 251 252 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) { 253 fprintf(stderr, "configuration OK\n"); 254 proc_kill(env->sc_ps); 255 exit(0); 256 } 257 258 if (env->sc_conf.flags & (F_TLS|F_TLSCLIENT)) 259 ssl_init(env); 260 261 /* rekey the TLS tickets before pushing the config */ 262 parent_tls_ticket_rekey(0, 0, env); 263 if (parent_configure(env) == -1) 264 fatalx("configuration failed"); 265 266 init_routes(env); 267 268 event_dispatch(); 269 270 parent_shutdown(env); 271 /* NOTREACHED */ 272 273 return (0); 274 } 275 276 int 277 parent_configure(struct relayd *env) 278 { 279 struct table *tb; 280 struct rdr *rdr; 281 struct router *rt; 282 struct protocol *proto; 283 struct relay *rlay; 284 int id; 285 int ret = -1; 286 287 TAILQ_FOREACH(tb, env->sc_tables, entry) 288 config_settable(env, tb); 289 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 290 config_setrdr(env, rdr); 291 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 292 config_setrt(env, rt); 293 TAILQ_FOREACH(proto, env->sc_protos, entry) 294 config_setproto(env, proto); 295 TAILQ_FOREACH(proto, env->sc_protos, entry) 296 config_setrule(env, proto); 297 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 298 /* Check for TLS Inspection */ 299 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == 300 (F_TLS|F_TLSCLIENT) && rlay->rl_tls_cacert_fd != -1) 301 rlay->rl_conf.flags |= F_TLSINSPECT; 302 303 config_setrelay(env, rlay); 304 } 305 306 /* HCE, PFE, CA and the relays need to reload their config. */ 307 env->sc_reload = 2 + (2 * env->sc_conf.prefork_relay); 308 309 for (id = 0; id < PROC_MAX; id++) { 310 if (id == privsep_process) 311 continue; 312 proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1, 313 -1, &env->sc_conf, sizeof(env->sc_conf)); 314 } 315 316 ret = 0; 317 318 config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS); 319 return (ret); 320 } 321 322 void 323 parent_reload(struct relayd *env, u_int reset, const char *filename) 324 { 325 if (env->sc_reload) { 326 log_debug("%s: already in progress: %d pending", 327 __func__, env->sc_reload); 328 return; 329 } 330 331 /* Switch back to the default config file */ 332 if (filename == NULL || *filename == '\0') 333 filename = env->sc_conffile; 334 335 log_debug("%s: level %d config file %s", __func__, reset, filename); 336 337 config_purge(env, CONFIG_ALL); 338 339 if (reset == CONFIG_RELOAD) { 340 if (load_config(filename, env) == -1) { 341 log_debug("%s: failed to load config file %s", 342 __func__, filename); 343 } 344 345 config_setreset(env, CONFIG_ALL); 346 347 if (parent_configure(env) == -1) { 348 log_debug("%s: failed to commit config from %s", 349 __func__, filename); 350 } 351 } else 352 config_setreset(env, reset); 353 } 354 355 void 356 parent_configure_done(struct relayd *env) 357 { 358 int id; 359 360 if (env->sc_reload == 0) { 361 log_warnx("%s: configuration already finished", __func__); 362 return; 363 } 364 365 env->sc_reload--; 366 if (env->sc_reload == 0) { 367 for (id = 0; id < PROC_MAX; id++) { 368 if (id == privsep_process) 369 continue; 370 371 proc_compose(env->sc_ps, id, IMSG_CTL_START, NULL, 0); 372 } 373 } 374 } 375 376 void 377 parent_shutdown(struct relayd *env) 378 { 379 config_purge(env, CONFIG_ALL); 380 381 proc_kill(env->sc_ps); 382 control_cleanup(&env->sc_ps->ps_csock); 383 (void)unlink(env->sc_ps->ps_csock.cs_name); 384 carp_demote_shutdown(); 385 386 free(env->sc_ps); 387 free(env); 388 389 log_info("parent terminating, pid %d", getpid()); 390 391 exit(0); 392 } 393 394 int 395 parent_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 396 { 397 struct privsep *ps = p->p_ps; 398 struct relayd *env = ps->ps_env; 399 struct ctl_demote demote; 400 struct ctl_netroute crt; 401 u_int v; 402 char *str = NULL; 403 404 switch (imsg->hdr.type) { 405 case IMSG_DEMOTE: 406 IMSG_SIZE_CHECK(imsg, &demote); 407 memcpy(&demote, imsg->data, sizeof(demote)); 408 carp_demote_set(demote.group, demote.level); 409 break; 410 case IMSG_RTMSG: 411 IMSG_SIZE_CHECK(imsg, &crt); 412 memcpy(&crt, imsg->data, sizeof(crt)); 413 pfe_route(env, &crt); 414 break; 415 case IMSG_CTL_RESET: 416 IMSG_SIZE_CHECK(imsg, &v); 417 memcpy(&v, imsg->data, sizeof(v)); 418 parent_reload(env, v, NULL); 419 break; 420 case IMSG_CTL_RELOAD: 421 if (IMSG_DATA_SIZE(imsg) > 0) 422 str = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); 423 parent_reload(env, CONFIG_RELOAD, str); 424 free(str); 425 break; 426 case IMSG_CTL_SHUTDOWN: 427 parent_shutdown(env); 428 break; 429 case IMSG_CFG_DONE: 430 parent_configure_done(env); 431 break; 432 case IMSG_AGENTXSOCK: 433 (void)agentx_setsock(env, p->p_id); 434 break; 435 default: 436 return (-1); 437 } 438 439 return (0); 440 } 441 442 int 443 parent_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 444 { 445 struct privsep *ps = p->p_ps; 446 struct relayd *env = ps->ps_env; 447 struct ctl_script scr; 448 449 switch (imsg->hdr.type) { 450 case IMSG_SCRIPT: 451 IMSG_SIZE_CHECK(imsg, &scr); 452 bcopy(imsg->data, &scr, sizeof(scr)); 453 scr.retval = script_exec(env, &scr); 454 proc_compose(ps, PROC_HCE, IMSG_SCRIPT, &scr, sizeof(scr)); 455 break; 456 case IMSG_CFG_DONE: 457 parent_configure_done(env); 458 break; 459 default: 460 return (-1); 461 } 462 463 return (0); 464 } 465 466 int 467 parent_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg) 468 { 469 struct privsep *ps = p->p_ps; 470 struct relayd *env = ps->ps_env; 471 struct ctl_bindany bnd; 472 int s; 473 474 switch (imsg->hdr.type) { 475 case IMSG_BINDANY: 476 IMSG_SIZE_CHECK(imsg, &bnd); 477 bcopy(imsg->data, &bnd, sizeof(bnd)); 478 if (bnd.bnd_proc > env->sc_conf.prefork_relay) 479 fatalx("%s: invalid relay proc", __func__); 480 switch (bnd.bnd_proto) { 481 case IPPROTO_TCP: 482 case IPPROTO_UDP: 483 break; 484 default: 485 fatalx("%s: requested socket " 486 "for invalid protocol", __func__); 487 /* NOTREACHED */ 488 } 489 s = bindany(&bnd); 490 proc_compose_imsg(ps, PROC_RELAY, bnd.bnd_proc, 491 IMSG_BINDANY, -1, s, &bnd.bnd_id, sizeof(bnd.bnd_id)); 492 break; 493 case IMSG_CFG_DONE: 494 parent_configure_done(env); 495 break; 496 default: 497 return (-1); 498 } 499 500 return (0); 501 } 502 503 int 504 parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 505 { 506 struct privsep *ps = p->p_ps; 507 struct relayd *env = ps->ps_env; 508 509 switch (imsg->hdr.type) { 510 case IMSG_CFG_DONE: 511 parent_configure_done(env); 512 break; 513 default: 514 return (-1); 515 } 516 517 return (0); 518 } 519 520 void 521 purge_table(struct relayd *env, struct tablelist *head, struct table *table) 522 { 523 struct host *host; 524 525 while ((host = TAILQ_FIRST(&table->hosts)) != NULL) { 526 TAILQ_REMOVE(&table->hosts, host, entry); 527 TAILQ_REMOVE(&env->sc_hosts, host, globalentry); 528 if (event_initialized(&host->cte.ev)) { 529 event_del(&host->cte.ev); 530 close(host->cte.s); 531 } 532 ibuf_free(host->cte.buf); 533 tls_free(host->cte.tls); 534 free(host); 535 } 536 free(table->sendbuf); 537 ibuf_free(table->sendbinbuf); 538 tls_config_free(table->tls_cfg); 539 540 if (head != NULL) 541 TAILQ_REMOVE(head, table, entry); 542 free(table); 543 } 544 545 void 546 purge_key(char **key, off_t len) 547 { 548 freezero(*key, len); 549 550 *key = NULL; 551 } 552 553 void 554 purge_relay(struct relayd *env, struct relay *rlay) 555 { 556 struct rsession *con; 557 struct relay_table *rlt; 558 struct relay_cert *cert, *tmpcert; 559 560 /* shutdown and remove relay */ 561 if (event_initialized(&rlay->rl_ev)) 562 event_del(&rlay->rl_ev); 563 close(rlay->rl_s); 564 TAILQ_REMOVE(env->sc_relays, rlay, rl_entry); 565 566 /* cleanup sessions */ 567 while ((con = 568 SPLAY_ROOT(&rlay->rl_sessions)) != NULL) 569 relay_close(con, NULL, 0); 570 571 /* cleanup relay */ 572 if (rlay->rl_bev != NULL) 573 bufferevent_free(rlay->rl_bev); 574 if (rlay->rl_dstbev != NULL) 575 bufferevent_free(rlay->rl_dstbev); 576 577 purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len); 578 579 if (rlay->rl_tls_pkey != NULL) { 580 EVP_PKEY_free(rlay->rl_tls_pkey); 581 rlay->rl_tls_pkey = NULL; 582 } 583 if (rlay->rl_tls_cacertx509 != NULL) { 584 X509_free(rlay->rl_tls_cacertx509); 585 rlay->rl_tls_cacertx509 = NULL; 586 } 587 if (rlay->rl_tls_capkey != NULL) { 588 EVP_PKEY_free(rlay->rl_tls_capkey); 589 rlay->rl_tls_capkey = NULL; 590 } 591 592 tls_free(rlay->rl_tls_ctx); 593 tls_config_free(rlay->rl_tls_cfg); 594 tls_config_free(rlay->rl_tls_client_cfg); 595 596 while ((rlt = TAILQ_FIRST(&rlay->rl_tables))) { 597 TAILQ_REMOVE(&rlay->rl_tables, rlt, rlt_entry); 598 free(rlt); 599 } 600 601 TAILQ_FOREACH_SAFE(cert, env->sc_certs, cert_entry, tmpcert) { 602 if (rlay->rl_conf.id != cert->cert_relayid) 603 continue; 604 if (cert->cert_fd != -1) 605 close(cert->cert_fd); 606 if (cert->cert_key_fd != -1) 607 close(cert->cert_key_fd); 608 if (cert->cert_ocsp_fd != -1) 609 close(cert->cert_ocsp_fd); 610 if (cert->cert_pkey != NULL) 611 EVP_PKEY_free(cert->cert_pkey); 612 TAILQ_REMOVE(env->sc_certs, cert, cert_entry); 613 free(cert); 614 } 615 616 free(rlay); 617 } 618 619 struct kv * 620 kv_add(struct kvtree *keys, char *key, char *value, int unique) 621 { 622 struct kv *kv, *oldkv; 623 624 if (key == NULL) 625 return (NULL); 626 if ((kv = calloc(1, sizeof(*kv))) == NULL) 627 return (NULL); 628 if ((kv->kv_key = strdup(key)) == NULL) 629 goto fail; 630 if (value != NULL && 631 (kv->kv_value = strdup(value)) == NULL) 632 goto fail; 633 TAILQ_INIT(&kv->kv_children); 634 635 if ((oldkv = RB_INSERT(kvtree, keys, kv)) != NULL) { 636 /* 637 * return error if the key should occur only once, 638 * or add it to a list attached to the key's node. 639 */ 640 if (unique) 641 goto fail; 642 TAILQ_INSERT_TAIL(&oldkv->kv_children, kv, kv_entry); 643 kv->kv_parent = oldkv; 644 } 645 646 return (kv); 647 fail: 648 free(kv->kv_key); 649 free(kv->kv_value); 650 free(kv); 651 return (NULL); 652 } 653 654 int 655 kv_set(struct kv *kv, char *fmt, ...) 656 { 657 va_list ap; 658 char *value = NULL; 659 struct kv *ckv; 660 661 va_start(ap, fmt); 662 if (vasprintf(&value, fmt, ap) == -1) 663 return (-1); 664 va_end(ap); 665 666 /* Remove all children */ 667 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 668 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 669 kv_free(ckv); 670 free(ckv); 671 } 672 673 /* Set the new value */ 674 free(kv->kv_value); 675 kv->kv_value = value; 676 677 return (0); 678 } 679 680 int 681 kv_setkey(struct kv *kv, char *fmt, ...) 682 { 683 va_list ap; 684 char *key = NULL; 685 686 va_start(ap, fmt); 687 if (vasprintf(&key, fmt, ap) == -1) 688 return (-1); 689 va_end(ap); 690 691 free(kv->kv_key); 692 kv->kv_key = key; 693 694 return (0); 695 } 696 697 void 698 kv_delete(struct kvtree *keys, struct kv *kv) 699 { 700 struct kv *ckv; 701 702 RB_REMOVE(kvtree, keys, kv); 703 704 /* Remove all children */ 705 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 706 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 707 kv_free(ckv); 708 free(ckv); 709 } 710 711 kv_free(kv); 712 free(kv); 713 } 714 715 struct kv * 716 kv_extend(struct kvtree *keys, struct kv *kv, char *value) 717 { 718 char *newvalue; 719 720 if (kv == NULL) { 721 return (NULL); 722 } else if (kv->kv_value != NULL) { 723 if (asprintf(&newvalue, "%s%s", kv->kv_value, value) == -1) 724 return (NULL); 725 726 free(kv->kv_value); 727 kv->kv_value = newvalue; 728 } else if ((kv->kv_value = strdup(value)) == NULL) 729 return (NULL); 730 731 return (kv); 732 } 733 734 void 735 kv_purge(struct kvtree *keys) 736 { 737 struct kv *kv; 738 739 while ((kv = RB_MIN(kvtree, keys)) != NULL) 740 kv_delete(keys, kv); 741 } 742 743 void 744 kv_free(struct kv *kv) 745 { 746 /* 747 * This function does not clear memory referenced by 748 * kv_children or stuff on the tailqs. Use kv_delete() instead. 749 */ 750 751 free(kv->kv_key); 752 free(kv->kv_value); 753 memset(kv, 0, sizeof(*kv)); 754 } 755 756 struct kv * 757 kv_inherit(struct kv *dst, struct kv *src) 758 { 759 memset(dst, 0, sizeof(*dst)); 760 memcpy(dst, src, sizeof(*dst)); 761 TAILQ_INIT(&dst->kv_children); 762 763 if (src->kv_key != NULL) { 764 if ((dst->kv_key = strdup(src->kv_key)) == NULL) { 765 kv_free(dst); 766 return (NULL); 767 } 768 } 769 if (src->kv_value != NULL) { 770 if ((dst->kv_value = strdup(src->kv_value)) == NULL) { 771 kv_free(dst); 772 return (NULL); 773 } 774 } 775 776 if (src->kv_match != NULL) 777 dst->kv_match = src->kv_match; 778 if (src->kv_matchtree != NULL) 779 dst->kv_matchtree = src->kv_matchtree; 780 781 return (dst); 782 } 783 784 int 785 kv_log(struct rsession *con, struct kv *kv, u_int16_t labelid, 786 enum direction dir) 787 { 788 char *msg; 789 790 if (con->se_log == NULL) 791 return (0); 792 if (asprintf(&msg, " %s%s%s%s%s%s%s", 793 dir == RELAY_DIR_REQUEST ? "[" : "{", 794 labelid == 0 ? "" : label_id2name(labelid), 795 labelid == 0 ? "" : ", ", 796 kv->kv_key == NULL ? "(unknown)" : kv->kv_key, 797 kv->kv_value == NULL ? "" : ": ", 798 kv->kv_value == NULL ? "" : kv->kv_value, 799 dir == RELAY_DIR_REQUEST ? "]" : "}") == -1) 800 return (-1); 801 if (evbuffer_add(con->se_log, msg, strlen(msg)) == -1) { 802 free(msg); 803 return (-1); 804 } 805 free(msg); 806 con->se_haslog = 1; 807 return (0); 808 } 809 810 struct kv * 811 kv_find(struct kvtree *keys, struct kv *kv) 812 { 813 struct kv *match; 814 const char *key; 815 816 if (kv->kv_flags & KV_FLAG_GLOBBING) { 817 /* Test header key using shell globbing rules */ 818 key = kv->kv_key == NULL ? "" : kv->kv_key; 819 RB_FOREACH(match, kvtree, keys) { 820 if (fnmatch(key, match->kv_key, FNM_CASEFOLD) == 0) 821 break; 822 } 823 } else { 824 /* Fast tree-based lookup only works without globbing */ 825 match = RB_FIND(kvtree, keys, kv); 826 } 827 828 return (match); 829 } 830 831 struct kv * 832 kv_find_value(struct kvtree *keys, char *key, const char *value, 833 const char *delim) 834 { 835 struct kv *match, kv; 836 char *val = NULL, *next, *ptr; 837 size_t len; 838 839 kv.kv_key = key; 840 if ((match = RB_FIND(kvtree, keys, &kv)) == NULL) 841 return (NULL); 842 843 if (match->kv_value == NULL) 844 return (NULL); 845 846 if (delim == NULL) { 847 if (strcasecmp(match->kv_value, value) == 0) 848 goto done; 849 } else { 850 if ((val = strdup(match->kv_value)) == NULL) 851 return (NULL); 852 for (next = ptr = val; ptr != NULL; 853 ptr = strsep(&next, delim)) { 854 /* strip whitespace */ 855 ptr += strspn(ptr, " \t"); 856 len = strcspn(ptr, " \t"); 857 if (strncasecmp(ptr, value, len) == 0) 858 goto done; 859 } 860 } 861 862 /* not matched */ 863 match = NULL; 864 done: 865 #ifdef DEBUG 866 if (match != NULL) 867 DPRINTF("%s: matched %s: %s", __func__, key, value); 868 #endif 869 free(val); 870 return (match); 871 } 872 873 int 874 kv_cmp(struct kv *a, struct kv *b) 875 { 876 return (strcasecmp(a->kv_key, b->kv_key)); 877 } 878 879 RB_GENERATE(kvtree, kv, kv_node, kv_cmp); 880 881 int 882 rule_add(struct protocol *proto, struct relay_rule *rule, const char *rulefile) 883 { 884 struct relay_rule *r = NULL; 885 struct kv *kv = NULL; 886 FILE *fp = NULL; 887 char buf[BUFSIZ]; 888 int ret = -1; 889 u_int i; 890 891 for (i = 0; i < KEY_TYPE_MAX; i++) { 892 kv = &rule->rule_kv[i]; 893 if (kv->kv_type != i) 894 continue; 895 896 switch (kv->kv_option) { 897 case KEY_OPTION_LOG: 898 /* log action needs a key or a file to be specified */ 899 if (kv->kv_key == NULL && rulefile == NULL && 900 (kv->kv_key = strdup("*")) == NULL) 901 goto fail; 902 break; 903 default: 904 break; 905 } 906 907 switch (kv->kv_type) { 908 case KEY_TYPE_QUERY: 909 case KEY_TYPE_PATH: 910 case KEY_TYPE_URL: 911 if (rule->rule_dir != RELAY_DIR_REQUEST) 912 goto fail; 913 break; 914 default: 915 break; 916 } 917 918 if (kv->kv_value != NULL && strchr(kv->kv_value, '$') != NULL) 919 kv->kv_flags |= KV_FLAG_MACRO; 920 if (kv->kv_key != NULL && strpbrk(kv->kv_key, "*?[") != NULL) 921 kv->kv_flags |= KV_FLAG_GLOBBING; 922 } 923 924 if (rulefile == NULL) { 925 TAILQ_INSERT_TAIL(&proto->rules, rule, rule_entry); 926 return (0); 927 } 928 929 if ((fp = fopen(rulefile, "r")) == NULL) 930 goto fail; 931 932 while (fgets(buf, sizeof(buf), fp) != NULL) { 933 /* strip whitespace and newline characters */ 934 buf[strcspn(buf, "\r\n\t ")] = '\0'; 935 if (!strlen(buf) || buf[0] == '#') 936 continue; 937 938 if ((r = rule_inherit(rule)) == NULL) 939 goto fail; 940 941 for (i = 0; i < KEY_TYPE_MAX; i++) { 942 kv = &r->rule_kv[i]; 943 if (kv->kv_type != i) 944 continue; 945 free(kv->kv_key); 946 if ((kv->kv_key = strdup(buf)) == NULL) { 947 rule_free(r); 948 free(r); 949 goto fail; 950 } 951 } 952 953 TAILQ_INSERT_TAIL(&proto->rules, r, rule_entry); 954 } 955 956 ret = 0; 957 rule_free(rule); 958 free(rule); 959 960 fail: 961 if (fp != NULL) 962 fclose(fp); 963 return (ret); 964 } 965 966 struct relay_rule * 967 rule_inherit(struct relay_rule *rule) 968 { 969 struct relay_rule *r; 970 u_int i; 971 struct kv *kv; 972 973 if ((r = calloc(1, sizeof(*r))) == NULL) 974 return (NULL); 975 memcpy(r, rule, sizeof(*r)); 976 977 for (i = 0; i < KEY_TYPE_MAX; i++) { 978 kv = &rule->rule_kv[i]; 979 if (kv->kv_type != i) 980 continue; 981 if (kv_inherit(&r->rule_kv[i], kv) == NULL) { 982 free(r); 983 return (NULL); 984 } 985 } 986 987 if (r->rule_label > 0) 988 label_ref(r->rule_label); 989 if (r->rule_tag > 0) 990 tag_ref(r->rule_tag); 991 if (r->rule_tagged > 0) 992 tag_ref(r->rule_tagged); 993 994 return (r); 995 } 996 997 void 998 rule_free(struct relay_rule *rule) 999 { 1000 u_int i; 1001 1002 for (i = 0; i < KEY_TYPE_MAX; i++) 1003 kv_free(&rule->rule_kv[i]); 1004 if (rule->rule_label > 0) 1005 label_unref(rule->rule_label); 1006 if (rule->rule_tag > 0) 1007 tag_unref(rule->rule_tag); 1008 if (rule->rule_tagged > 0) 1009 tag_unref(rule->rule_tagged); 1010 } 1011 1012 void 1013 rule_delete(struct relay_rules *rules, struct relay_rule *rule) 1014 { 1015 TAILQ_REMOVE(rules, rule, rule_entry); 1016 rule_free(rule); 1017 free(rule); 1018 } 1019 1020 void 1021 rule_settable(struct relay_rules *rules, struct relay_table *rlt) 1022 { 1023 struct relay_rule *r; 1024 char pname[TABLE_NAME_SIZE]; 1025 1026 if (rlt->rlt_table == NULL || strlcpy(pname, rlt->rlt_table->conf.name, 1027 sizeof(pname)) >= sizeof(pname)) 1028 return; 1029 1030 pname[strcspn(pname, ":")] = '\0'; 1031 1032 TAILQ_FOREACH(r, rules, rule_entry) { 1033 if (r->rule_tablename[0] && 1034 strcmp(pname, r->rule_tablename) == 0) 1035 r->rule_table = rlt; 1036 } 1037 } 1038 1039 /* 1040 * Utility functions 1041 */ 1042 1043 struct host * 1044 host_find(struct relayd *env, objid_t id) 1045 { 1046 struct table *table; 1047 struct host *host; 1048 1049 TAILQ_FOREACH(table, env->sc_tables, entry) 1050 TAILQ_FOREACH(host, &table->hosts, entry) 1051 if (host->conf.id == id) 1052 return (host); 1053 return (NULL); 1054 } 1055 1056 struct table * 1057 table_find(struct relayd *env, objid_t id) 1058 { 1059 struct table *table; 1060 1061 TAILQ_FOREACH(table, env->sc_tables, entry) 1062 if (table->conf.id == id) 1063 return (table); 1064 return (NULL); 1065 } 1066 1067 struct rdr * 1068 rdr_find(struct relayd *env, objid_t id) 1069 { 1070 struct rdr *rdr; 1071 1072 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1073 if (rdr->conf.id == id) 1074 return (rdr); 1075 return (NULL); 1076 } 1077 1078 struct relay * 1079 relay_find(struct relayd *env, objid_t id) 1080 { 1081 struct relay *rlay; 1082 1083 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1084 if (rlay->rl_conf.id == id) 1085 return (rlay); 1086 return (NULL); 1087 } 1088 1089 struct protocol * 1090 proto_find(struct relayd *env, objid_t id) 1091 { 1092 struct protocol *p; 1093 1094 TAILQ_FOREACH(p, env->sc_protos, entry) 1095 if (p->id == id) 1096 return (p); 1097 return (NULL); 1098 } 1099 1100 struct rsession * 1101 session_find(struct relayd *env, objid_t id) 1102 { 1103 struct relay *rlay; 1104 struct rsession *con; 1105 1106 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1107 SPLAY_FOREACH(con, session_tree, &rlay->rl_sessions) 1108 if (con->se_id == id) 1109 return (con); 1110 return (NULL); 1111 } 1112 1113 struct netroute * 1114 route_find(struct relayd *env, objid_t id) 1115 { 1116 struct netroute *nr; 1117 1118 TAILQ_FOREACH(nr, env->sc_routes, nr_route) 1119 if (nr->nr_conf.id == id) 1120 return (nr); 1121 return (NULL); 1122 } 1123 1124 struct router * 1125 router_find(struct relayd *env, objid_t id) 1126 { 1127 struct router *rt; 1128 1129 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 1130 if (rt->rt_conf.id == id) 1131 return (rt); 1132 return (NULL); 1133 } 1134 1135 struct host * 1136 host_findbyname(struct relayd *env, const char *name) 1137 { 1138 struct table *table; 1139 struct host *host; 1140 1141 TAILQ_FOREACH(table, env->sc_tables, entry) 1142 TAILQ_FOREACH(host, &table->hosts, entry) 1143 if (strcmp(host->conf.name, name) == 0) 1144 return (host); 1145 return (NULL); 1146 } 1147 1148 struct table * 1149 table_findbyname(struct relayd *env, const char *name) 1150 { 1151 struct table *table; 1152 1153 TAILQ_FOREACH(table, env->sc_tables, entry) 1154 if (strcmp(table->conf.name, name) == 0) 1155 return (table); 1156 return (NULL); 1157 } 1158 1159 struct table * 1160 table_findbyconf(struct relayd *env, struct table *tb) 1161 { 1162 struct table *table; 1163 struct table_config a, b; 1164 1165 bcopy(&tb->conf, &a, sizeof(a)); 1166 a.id = a.rdrid = 0; 1167 a.flags &= ~(F_USED|F_BACKUP); 1168 1169 TAILQ_FOREACH(table, env->sc_tables, entry) { 1170 bcopy(&table->conf, &b, sizeof(b)); 1171 b.id = b.rdrid = 0; 1172 b.flags &= ~(F_USED|F_BACKUP); 1173 1174 /* 1175 * Compare two tables and return the existing table if 1176 * the configuration seems to be the same. 1177 */ 1178 if (bcmp(&a, &b, sizeof(b)) == 0 && 1179 ((tb->sendbuf == NULL && table->sendbuf == NULL) || 1180 (tb->sendbuf != NULL && table->sendbuf != NULL && 1181 strcmp(tb->sendbuf, table->sendbuf) == 0))) 1182 return (table); 1183 } 1184 return (NULL); 1185 } 1186 1187 struct rdr * 1188 rdr_findbyname(struct relayd *env, const char *name) 1189 { 1190 struct rdr *rdr; 1191 1192 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1193 if (strcmp(rdr->conf.name, name) == 0) 1194 return (rdr); 1195 return (NULL); 1196 } 1197 1198 struct relay * 1199 relay_findbyname(struct relayd *env, const char *name) 1200 { 1201 struct relay *rlay; 1202 1203 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1204 if (strcmp(rlay->rl_conf.name, name) == 0) 1205 return (rlay); 1206 return (NULL); 1207 } 1208 1209 struct relay * 1210 relay_findbyaddr(struct relayd *env, struct relay_config *rc) 1211 { 1212 struct relay *rlay; 1213 1214 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1215 if (bcmp(&rlay->rl_conf.ss, &rc->ss, sizeof(rc->ss)) == 0 && 1216 rlay->rl_conf.port == rc->port) 1217 return (rlay); 1218 return (NULL); 1219 } 1220 1221 EVP_PKEY * 1222 pkey_find(struct relayd *env, char * hash) 1223 { 1224 struct ca_pkey *pkey; 1225 1226 TAILQ_FOREACH(pkey, env->sc_pkeys, pkey_entry) 1227 if (strcmp(hash, pkey->pkey_hash) == 0) 1228 return (pkey->pkey); 1229 return (NULL); 1230 } 1231 1232 struct ca_pkey * 1233 pkey_add(struct relayd *env, EVP_PKEY *pkey, char *hash) 1234 { 1235 struct ca_pkey *ca_pkey; 1236 1237 if (env->sc_pkeys == NULL) 1238 fatalx("pkeys"); 1239 1240 if ((ca_pkey = calloc(1, sizeof(*ca_pkey))) == NULL) 1241 return (NULL); 1242 1243 ca_pkey->pkey = pkey; 1244 if (strlcpy(ca_pkey->pkey_hash, hash, sizeof(ca_pkey->pkey_hash)) >= 1245 sizeof(ca_pkey->pkey_hash)) { 1246 free(ca_pkey); 1247 return (NULL); 1248 } 1249 1250 TAILQ_INSERT_TAIL(env->sc_pkeys, ca_pkey, pkey_entry); 1251 1252 return (ca_pkey); 1253 } 1254 1255 struct relay_cert * 1256 cert_add(struct relayd *env, objid_t id) 1257 { 1258 static objid_t last_cert_id = 0; 1259 struct relay_cert *cert; 1260 1261 if ((cert = calloc(1, sizeof(*cert))) == NULL) 1262 return (NULL); 1263 1264 if (id == 0) 1265 id = ++last_cert_id; 1266 if (id == INT_MAX) { 1267 log_warnx("too many tls keypairs defined"); 1268 free(cert); 1269 return (NULL); 1270 } 1271 1272 cert->cert_id = id; 1273 cert->cert_fd = -1; 1274 cert->cert_key_fd = -1; 1275 cert->cert_ocsp_fd = -1; 1276 1277 TAILQ_INSERT_TAIL(env->sc_certs, cert, cert_entry); 1278 1279 return (cert); 1280 } 1281 1282 struct relay_cert * 1283 cert_find(struct relayd *env, objid_t id) 1284 { 1285 struct relay_cert *cert; 1286 1287 TAILQ_FOREACH(cert, env->sc_certs, cert_entry) 1288 if (cert->cert_id == id) 1289 return (cert); 1290 return (NULL); 1291 } 1292 1293 char * 1294 relay_load_fd(int fd, off_t *len) 1295 { 1296 char *buf = NULL; 1297 struct stat st; 1298 off_t size; 1299 ssize_t rv; 1300 int err; 1301 1302 if (fstat(fd, &st) != 0) 1303 goto fail; 1304 size = st.st_size; 1305 if ((buf = calloc(1, size + 1)) == NULL) 1306 goto fail; 1307 if ((rv = pread(fd, buf, size, 0)) != size) 1308 goto fail; 1309 1310 close(fd); 1311 1312 *len = size; 1313 return (buf); 1314 1315 fail: 1316 err = errno; 1317 free(buf); 1318 close(fd); 1319 errno = err; 1320 return (NULL); 1321 } 1322 1323 int 1324 relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name) 1325 { 1326 char certfile[PATH_MAX]; 1327 char hbuf[PATH_MAX]; 1328 struct protocol *proto = rlay->rl_proto; 1329 struct relay_cert *cert; 1330 int useport = htons(rlay->rl_conf.port); 1331 int cert_fd = -1, key_fd = -1, ocsp_fd = -1; 1332 1333 if (rlay->rl_conf.flags & F_TLSCLIENT) { 1334 if (strlen(proto->tlsca) && rlay->rl_tls_ca_fd == -1) { 1335 if ((rlay->rl_tls_ca_fd = 1336 open(proto->tlsca, O_RDONLY)) == -1) 1337 return (-1); 1338 log_debug("%s: using ca %s", __func__, proto->tlsca); 1339 } 1340 if (strlen(proto->tlscacert) && rlay->rl_tls_cacert_fd == -1) { 1341 if ((rlay->rl_tls_cacert_fd = 1342 open(proto->tlscacert, O_RDONLY)) == -1) 1343 return (-1); 1344 log_debug("%s: using ca certificate %s", __func__, 1345 proto->tlscacert); 1346 } 1347 if (strlen(proto->tlscakey) && !rlay->rl_conf.tls_cakey_len && 1348 proto->tlscapass != NULL) { 1349 if ((rlay->rl_tls_cakey = 1350 ssl_load_key(env, proto->tlscakey, 1351 &rlay->rl_conf.tls_cakey_len, 1352 proto->tlscapass)) == NULL) 1353 return (-1); 1354 log_debug("%s: using ca key %s", __func__, 1355 proto->tlscakey); 1356 } 1357 } 1358 1359 if ((rlay->rl_conf.flags & F_TLS) == 0) 1360 return (0); 1361 1362 if (name == NULL && 1363 print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 1364 goto fail; 1365 else if (name != NULL && 1366 strlcpy(hbuf, name, sizeof(hbuf)) >= sizeof(hbuf)) 1367 goto fail; 1368 1369 if (snprintf(certfile, sizeof(certfile), 1370 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 1371 goto fail; 1372 if ((cert_fd = open(certfile, O_RDONLY)) == -1) { 1373 if (snprintf(certfile, sizeof(certfile), 1374 "/etc/ssl/%s.crt", hbuf) == -1) 1375 goto fail; 1376 if ((cert_fd = open(certfile, O_RDONLY)) == -1) 1377 goto fail; 1378 useport = 0; 1379 } 1380 log_debug("%s: using certificate %s", __func__, certfile); 1381 1382 if (useport) { 1383 if (snprintf(certfile, sizeof(certfile), 1384 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 1385 goto fail; 1386 } else { 1387 if (snprintf(certfile, sizeof(certfile), 1388 "/etc/ssl/private/%s.key", hbuf) == -1) 1389 goto fail; 1390 } 1391 if ((key_fd = open(certfile, O_RDONLY)) == -1) 1392 goto fail; 1393 log_debug("%s: using private key %s", __func__, certfile); 1394 1395 if (useport) { 1396 if (snprintf(certfile, sizeof(certfile), 1397 "/etc/ssl/%s:%u.ocsp", hbuf, useport) == -1) 1398 goto fail; 1399 } else { 1400 if (snprintf(certfile, sizeof(certfile), 1401 "/etc/ssl/%s.ocsp", hbuf) == -1) 1402 goto fail; 1403 } 1404 if ((ocsp_fd = open(certfile, O_RDONLY)) != -1) 1405 log_debug("%s: using OCSP staple file %s", __func__, certfile); 1406 1407 if ((cert = cert_add(env, 0)) == NULL) 1408 goto fail; 1409 1410 cert->cert_relayid = rlay->rl_conf.id; 1411 cert->cert_fd = cert_fd; 1412 cert->cert_key_fd = key_fd; 1413 cert->cert_ocsp_fd = ocsp_fd; 1414 1415 return (0); 1416 1417 fail: 1418 if (cert_fd != -1) 1419 close(cert_fd); 1420 if (key_fd != -1) 1421 close(key_fd); 1422 if (ocsp_fd != -1) 1423 close(ocsp_fd); 1424 1425 return (-1); 1426 } 1427 1428 void 1429 event_again(struct event *ev, int fd, short event, 1430 void (*fn)(int, short, void *), 1431 struct timeval *start, struct timeval *end, void *arg) 1432 { 1433 struct timeval tv_next, tv_now, tv; 1434 1435 getmonotime(&tv_now); 1436 bcopy(end, &tv_next, sizeof(tv_next)); 1437 timersub(&tv_now, start, &tv_now); 1438 timersub(&tv_next, &tv_now, &tv_next); 1439 1440 bzero(&tv, sizeof(tv)); 1441 if (timercmp(&tv_next, &tv, >)) 1442 bcopy(&tv_next, &tv, sizeof(tv)); 1443 1444 event_del(ev); 1445 event_set(ev, fd, event, fn, arg); 1446 event_add(ev, &tv); 1447 } 1448 1449 int 1450 expand_string(char *label, size_t len, const char *srch, const char *repl) 1451 { 1452 char *tmp; 1453 char *p, *q; 1454 1455 if ((tmp = calloc(1, len)) == NULL) { 1456 log_debug("%s: calloc", __func__); 1457 return (-1); 1458 } 1459 p = q = label; 1460 while ((q = strstr(p, srch)) != NULL) { 1461 *q = '\0'; 1462 if ((strlcat(tmp, p, len) >= len) || 1463 (strlcat(tmp, repl, len) >= len)) { 1464 log_debug("%s: string too long", __func__); 1465 free(tmp); 1466 return (-1); 1467 } 1468 q += strlen(srch); 1469 p = q; 1470 } 1471 if (strlcat(tmp, p, len) >= len) { 1472 log_debug("%s: string too long", __func__); 1473 free(tmp); 1474 return (-1); 1475 } 1476 (void)strlcpy(label, tmp, len); /* always fits */ 1477 free(tmp); 1478 1479 return (0); 1480 } 1481 1482 void 1483 translate_string(char *str) 1484 { 1485 char *reader; 1486 char *writer; 1487 1488 reader = writer = str; 1489 1490 while (*reader) { 1491 if (*reader == '\\') { 1492 reader++; 1493 switch (*reader) { 1494 case 'n': 1495 *writer++ = '\n'; 1496 break; 1497 case 'r': 1498 *writer++ = '\r'; 1499 break; 1500 default: 1501 *writer++ = *reader; 1502 } 1503 } else 1504 *writer++ = *reader; 1505 reader++; 1506 } 1507 *writer = '\0'; 1508 } 1509 1510 char * 1511 digeststr(enum digest_type type, const u_int8_t *data, size_t len, char *buf) 1512 { 1513 switch (type) { 1514 case DIGEST_SHA1: 1515 return (SHA1Data(data, len, buf)); 1516 break; 1517 case DIGEST_MD5: 1518 return (MD5Data(data, len, buf)); 1519 break; 1520 default: 1521 break; 1522 } 1523 return (NULL); 1524 } 1525 1526 const char * 1527 canonicalize_host(const char *host, char *name, size_t len) 1528 { 1529 struct sockaddr_in sin4; 1530 struct sockaddr_in6 sin6; 1531 size_t i, j; 1532 size_t plen; 1533 char c; 1534 1535 if (len < 2) 1536 goto fail; 1537 1538 /* 1539 * Canonicalize an IPv4/6 address 1540 */ 1541 if (inet_pton(AF_INET, host, &sin4) == 1) 1542 return (inet_ntop(AF_INET, &sin4, name, len)); 1543 if (inet_pton(AF_INET6, host, &sin6) == 1) 1544 return (inet_ntop(AF_INET6, &sin6, name, len)); 1545 1546 /* 1547 * Canonicalize a hostname 1548 */ 1549 1550 /* 1. remove repeated dots and convert upper case to lower case */ 1551 plen = strlen(host); 1552 bzero(name, len); 1553 for (i = j = 0; i < plen; i++) { 1554 if (j >= (len - 1)) 1555 goto fail; 1556 c = tolower((unsigned char)host[i]); 1557 if ((c == '.') && (j == 0 || name[j - 1] == '.')) 1558 continue; 1559 name[j++] = c; 1560 } 1561 1562 /* 2. remove trailing dots */ 1563 for (i = j; i > 0; i--) { 1564 if (name[i - 1] != '.') 1565 break; 1566 name[i - 1] = '\0'; 1567 j--; 1568 } 1569 if (j <= 0) 1570 goto fail; 1571 1572 return (name); 1573 1574 fail: 1575 errno = EINVAL; 1576 return (NULL); 1577 } 1578 1579 int 1580 parse_url(const char *url, char **protoptr, char **hostptr, char **pathptr) 1581 { 1582 char *p, *proto = NULL, *host = NULL, *path = NULL; 1583 1584 /* return error if it is not a URL */ 1585 if ((p = strstr(url, ":/")) == NULL || 1586 (strcspn(url, ":/") != (size_t)(p - url))) 1587 return (-1); 1588 1589 /* get protocol */ 1590 if ((proto = strdup(url)) == NULL) 1591 goto fail; 1592 p = proto + (p - url); 1593 1594 /* get host */ 1595 p += strspn(p, ":/"); 1596 if (*p == '\0' || (host = strdup(p)) == NULL) 1597 goto fail; 1598 *p = '\0'; 1599 1600 /* find and copy path or default to "/" */ 1601 if ((p = strchr(host, '/')) == NULL) 1602 p = "/"; 1603 if ((path = strdup(p)) == NULL) 1604 goto fail; 1605 1606 /* strip path after host */ 1607 host[strcspn(host, "/")] = '\0'; 1608 1609 DPRINTF("%s: %s proto %s, host %s, path %s", __func__, 1610 url, proto, host, path); 1611 1612 *protoptr = proto; 1613 *hostptr = host; 1614 *pathptr = path; 1615 1616 return (0); 1617 1618 fail: 1619 free(proto); 1620 free(host); 1621 free(path); 1622 return (-1); 1623 } 1624 1625 int 1626 bindany(struct ctl_bindany *bnd) 1627 { 1628 int s, v; 1629 1630 s = -1; 1631 v = 1; 1632 1633 if (relay_socket_af(&bnd->bnd_ss, bnd->bnd_port) == -1) 1634 goto fail; 1635 if ((s = socket(bnd->bnd_ss.ss_family, 1636 bnd->bnd_proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, 1637 bnd->bnd_proto)) == -1) 1638 goto fail; 1639 if (setsockopt(s, SOL_SOCKET, SO_BINDANY, 1640 &v, sizeof(v)) == -1) 1641 goto fail; 1642 if (bind(s, (struct sockaddr *)&bnd->bnd_ss, 1643 bnd->bnd_ss.ss_len) == -1) 1644 goto fail; 1645 1646 return (s); 1647 1648 fail: 1649 if (s != -1) 1650 close(s); 1651 return (-1); 1652 } 1653 1654 int 1655 map6to4(struct sockaddr_storage *in6) 1656 { 1657 struct sockaddr_storage out4; 1658 struct sockaddr_in *sin4 = (struct sockaddr_in *)&out4; 1659 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)in6; 1660 1661 bzero(sin4, sizeof(*sin4)); 1662 sin4->sin_len = sizeof(*sin4); 1663 sin4->sin_family = AF_INET; 1664 sin4->sin_port = sin6->sin6_port; 1665 1666 bcopy(&sin6->sin6_addr.s6_addr[12], &sin4->sin_addr.s_addr, 1667 sizeof(sin4->sin_addr)); 1668 1669 if (sin4->sin_addr.s_addr == INADDR_ANY || 1670 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1671 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1672 return (-1); 1673 1674 bcopy(&out4, in6, sizeof(*in6)); 1675 1676 return (0); 1677 } 1678 1679 int 1680 map4to6(struct sockaddr_storage *in4, struct sockaddr_storage *map) 1681 { 1682 struct sockaddr_storage out6; 1683 struct sockaddr_in *sin4 = (struct sockaddr_in *)in4; 1684 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out6; 1685 struct sockaddr_in6 *map6 = (struct sockaddr_in6 *)map; 1686 1687 if (sin4->sin_addr.s_addr == INADDR_ANY || 1688 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1689 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1690 return (-1); 1691 1692 bcopy(map6, sin6, sizeof(*sin6)); 1693 sin6->sin6_len = sizeof(*sin6); 1694 sin6->sin6_family = AF_INET6; 1695 sin6->sin6_port = sin4->sin_port; 1696 1697 bcopy(&sin4->sin_addr.s_addr, &sin6->sin6_addr.s6_addr[12], 1698 sizeof(sin4->sin_addr)); 1699 1700 bcopy(&out6, in4, sizeof(*in4)); 1701 1702 return (0); 1703 } 1704 1705 void 1706 socket_rlimit(int maxfd) 1707 { 1708 struct rlimit rl; 1709 1710 if (getrlimit(RLIMIT_NOFILE, &rl) == -1) 1711 fatal("%s: failed to get resource limit", __func__); 1712 log_debug("%s: max open files %llu", __func__, rl.rlim_max); 1713 1714 /* 1715 * Allow the maximum number of open file descriptors for this 1716 * login class (which should be the class "daemon" by default). 1717 */ 1718 if (maxfd == -1) 1719 rl.rlim_cur = rl.rlim_max; 1720 else 1721 rl.rlim_cur = MAXIMUM(rl.rlim_max, (rlim_t)maxfd); 1722 if (setrlimit(RLIMIT_NOFILE, &rl) == -1) 1723 fatal("%s: failed to set resource limit", __func__); 1724 } 1725 1726 char * 1727 get_string(u_int8_t *ptr, size_t len) 1728 { 1729 size_t i; 1730 1731 for (i = 0; i < len; i++) 1732 if (!(isprint((unsigned char)ptr[i]) || 1733 isspace((unsigned char)ptr[i]))) 1734 break; 1735 1736 return strndup(ptr, i); 1737 } 1738 1739 void * 1740 get_data(u_int8_t *ptr, size_t len) 1741 { 1742 u_int8_t *data; 1743 1744 if ((data = malloc(len)) == NULL) 1745 return (NULL); 1746 memcpy(data, ptr, len); 1747 1748 return (data); 1749 } 1750 1751 int 1752 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen) 1753 { 1754 struct sockaddr_in *a4, *b4; 1755 struct sockaddr_in6 *a6, *b6; 1756 u_int32_t av[4], bv[4], mv[4]; 1757 1758 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC) 1759 return (0); 1760 else if (a->sa_family > b->sa_family) 1761 return (1); 1762 else if (a->sa_family < b->sa_family) 1763 return (-1); 1764 1765 if (prefixlen == -1) 1766 memset(&mv, 0xff, sizeof(mv)); 1767 1768 switch (a->sa_family) { 1769 case AF_INET: 1770 a4 = (struct sockaddr_in *)a; 1771 b4 = (struct sockaddr_in *)b; 1772 1773 av[0] = a4->sin_addr.s_addr; 1774 bv[0] = b4->sin_addr.s_addr; 1775 if (prefixlen != -1) 1776 mv[0] = prefixlen2mask(prefixlen); 1777 1778 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1779 return (1); 1780 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1781 return (-1); 1782 break; 1783 case AF_INET6: 1784 a6 = (struct sockaddr_in6 *)a; 1785 b6 = (struct sockaddr_in6 *)b; 1786 1787 memcpy(&av, &a6->sin6_addr.s6_addr, 16); 1788 memcpy(&bv, &b6->sin6_addr.s6_addr, 16); 1789 if (prefixlen != -1) 1790 prefixlen2mask6(prefixlen, mv); 1791 1792 if ((av[3] & mv[3]) > (bv[3] & mv[3])) 1793 return (1); 1794 if ((av[3] & mv[3]) < (bv[3] & mv[3])) 1795 return (-1); 1796 if ((av[2] & mv[2]) > (bv[2] & mv[2])) 1797 return (1); 1798 if ((av[2] & mv[2]) < (bv[2] & mv[2])) 1799 return (-1); 1800 if ((av[1] & mv[1]) > (bv[1] & mv[1])) 1801 return (1); 1802 if ((av[1] & mv[1]) < (bv[1] & mv[1])) 1803 return (-1); 1804 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1805 return (1); 1806 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1807 return (-1); 1808 break; 1809 } 1810 1811 return (0); 1812 } 1813 1814 u_int32_t 1815 prefixlen2mask(u_int8_t prefixlen) 1816 { 1817 if (prefixlen == 0) 1818 return (0); 1819 1820 if (prefixlen > 32) 1821 prefixlen = 32; 1822 1823 return (htonl(0xffffffff << (32 - prefixlen))); 1824 } 1825 1826 struct in6_addr * 1827 prefixlen2mask6(u_int8_t prefixlen, u_int32_t *mask) 1828 { 1829 static struct in6_addr s6; 1830 int i; 1831 1832 if (prefixlen > 128) 1833 prefixlen = 128; 1834 1835 bzero(&s6, sizeof(s6)); 1836 for (i = 0; i < prefixlen / 8; i++) 1837 s6.s6_addr[i] = 0xff; 1838 i = prefixlen % 8; 1839 if (i) 1840 s6.s6_addr[prefixlen / 8] = 0xff00 >> i; 1841 1842 memcpy(mask, &s6, sizeof(s6)); 1843 1844 return (&s6); 1845 } 1846 1847 int 1848 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen, 1849 int reserve, volatile int *counter) 1850 { 1851 int ret; 1852 if (getdtablecount() + reserve + 1853 *counter >= getdtablesize()) { 1854 errno = EMFILE; 1855 return (-1); 1856 } 1857 1858 if ((ret = accept4(sockfd, addr, addrlen, SOCK_NONBLOCK)) > -1) { 1859 (*counter)++; 1860 DPRINTF("%s: inflight incremented, now %d",__func__, *counter); 1861 } 1862 return (ret); 1863 } 1864 1865 void 1866 parent_tls_ticket_rekey(int fd, short events, void *arg) 1867 { 1868 static struct event rekeyev; 1869 struct relayd *env = arg; 1870 struct timeval tv; 1871 struct relay_ticket_key key; 1872 1873 log_debug("%s: rekeying tickets", __func__); 1874 1875 key.tt_keyrev = arc4random(); 1876 arc4random_buf(key.tt_key, sizeof(key.tt_key)); 1877 1878 proc_compose_imsg(env->sc_ps, PROC_RELAY, -1, IMSG_TLSTICKET_REKEY, 1879 -1, -1, &key, sizeof(key)); 1880 1881 evtimer_set(&rekeyev, parent_tls_ticket_rekey, env); 1882 timerclear(&tv); 1883 tv.tv_sec = TLS_SESSION_LIFETIME / 4; 1884 evtimer_add(&rekeyev, &tv); 1885 } 1886