1 /* $OpenBSD: relayd.c,v 1.160 2016/09/03 14:09:04 reyk Exp $ */ 2 3 /* 4 * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/wait.h> 24 #include <sys/resource.h> 25 26 #include <netinet/in.h> 27 #include <arpa/inet.h> 28 29 #include <signal.h> 30 #include <string.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <fcntl.h> 34 #include <getopt.h> 35 #include <fnmatch.h> 36 #include <syslog.h> 37 #include <err.h> 38 #include <errno.h> 39 #include <event.h> 40 #include <unistd.h> 41 #include <ctype.h> 42 #include <pwd.h> 43 #include <sha1.h> 44 #include <md5.h> 45 46 #include <openssl/ssl.h> 47 48 #include "relayd.h" 49 50 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 51 52 __dead void usage(void); 53 54 int parent_configure(struct relayd *); 55 void parent_configure_done(struct relayd *); 56 void parent_reload(struct relayd *, u_int, const char *); 57 void parent_sig_handler(int, short, void *); 58 void parent_shutdown(struct relayd *); 59 int parent_dispatch_pfe(int, struct privsep_proc *, struct imsg *); 60 int parent_dispatch_hce(int, struct privsep_proc *, struct imsg *); 61 int parent_dispatch_relay(int, struct privsep_proc *, 62 struct imsg *); 63 int parent_dispatch_ca(int, struct privsep_proc *, 64 struct imsg *); 65 int bindany(struct ctl_bindany *); 66 void parent_tls_ticket_rekey(int, short, void *); 67 68 struct relayd *relayd_env; 69 70 static struct privsep_proc procs[] = { 71 { "pfe", PROC_PFE, parent_dispatch_pfe, pfe }, 72 { "hce", PROC_HCE, parent_dispatch_hce, hce }, 73 { "relay", PROC_RELAY, parent_dispatch_relay, relay }, 74 { "ca", PROC_CA, parent_dispatch_ca, ca } 75 }; 76 77 void 78 parent_sig_handler(int sig, short event, void *arg) 79 { 80 struct privsep *ps = arg; 81 82 switch (sig) { 83 case SIGTERM: 84 case SIGINT: 85 parent_shutdown(ps->ps_env); 86 break; 87 case SIGHUP: 88 log_info("%s: reload requested with SIGHUP", __func__); 89 90 /* 91 * This is safe because libevent uses async signal handlers 92 * that run in the event loop and not in signal context. 93 */ 94 parent_reload(ps->ps_env, CONFIG_RELOAD, NULL); 95 break; 96 case SIGPIPE: 97 case SIGUSR1: 98 /* ignore */ 99 break; 100 default: 101 fatalx("unexpected signal"); 102 } 103 } 104 105 __dead void 106 usage(void) 107 { 108 extern char *__progname; 109 110 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n", 111 __progname); 112 exit(1); 113 } 114 115 int 116 main(int argc, char *argv[]) 117 { 118 int c; 119 int debug = 0, verbose = 0; 120 u_int32_t opts = 0; 121 struct relayd *env; 122 struct privsep *ps; 123 const char *conffile = CONF_FILE; 124 enum privsep_procid proc_id = PROC_PARENT; 125 int proc_instance = 0; 126 const char *errp, *title = NULL; 127 int argc0 = argc; 128 129 while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) { 130 switch (c) { 131 case 'd': 132 debug = 2; 133 break; 134 case 'D': 135 if (cmdline_symset(optarg) < 0) 136 log_warnx("could not parse macro definition %s", 137 optarg); 138 break; 139 case 'n': 140 debug = 2; 141 opts |= RELAYD_OPT_NOACTION; 142 break; 143 case 'f': 144 conffile = optarg; 145 break; 146 case 'v': 147 verbose++; 148 opts |= RELAYD_OPT_VERBOSE; 149 break; 150 case 'P': 151 title = optarg; 152 proc_id = proc_getid(procs, nitems(procs), title); 153 if (proc_id == PROC_MAX) 154 fatalx("invalid process name"); 155 break; 156 case 'I': 157 proc_instance = strtonum(optarg, 0, 158 PROC_MAX_INSTANCES, &errp); 159 if (errp) 160 fatalx("invalid process instance"); 161 break; 162 default: 163 usage(); 164 } 165 } 166 167 /* log to stderr until daemonized */ 168 log_init(debug ? debug : 1, LOG_DAEMON); 169 170 argc -= optind; 171 if (argc > 0) 172 usage(); 173 174 if ((env = calloc(1, sizeof(*env))) == NULL || 175 (ps = calloc(1, sizeof(*ps))) == NULL) 176 exit(1); 177 178 relayd_env = env; 179 env->sc_ps = ps; 180 ps->ps_env = env; 181 TAILQ_INIT(&ps->ps_rcsocks); 182 env->sc_conffile = conffile; 183 env->sc_conf.opts = opts; 184 TAILQ_INIT(&env->sc_hosts); 185 TAILQ_INIT(&env->sc_sessions); 186 env->sc_rtable = getrtable(); 187 /* initialize the TLS session id to a random key for all relay procs */ 188 arc4random_buf(env->sc_conf.tls_sid, sizeof(env->sc_conf.tls_sid)); 189 190 if (parse_config(env->sc_conffile, env) == -1) 191 exit(1); 192 193 if (debug) 194 env->sc_conf.opts |= RELAYD_OPT_LOGUPDATE; 195 196 if (geteuid()) 197 errx(1, "need root privileges"); 198 199 if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) 200 errx(1, "unknown user %s", RELAYD_USER); 201 202 /* Configure the control socket */ 203 ps->ps_csock.cs_name = RELAYD_SOCKET; 204 205 log_init(debug, LOG_DAEMON); 206 log_verbose(verbose); 207 208 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) 209 ps->ps_noaction = 1; 210 211 ps->ps_instances[PROC_RELAY] = env->sc_conf.prefork_relay; 212 ps->ps_instances[PROC_CA] = env->sc_conf.prefork_relay; 213 ps->ps_instance = proc_instance; 214 if (title != NULL) 215 ps->ps_title[proc_id] = title; 216 217 if (proc_id == PROC_PARENT) { 218 /* XXX the parent opens too many fds in proc_open() */ 219 socket_rlimit(-1); 220 } 221 222 /* only the parent returns */ 223 proc_init(ps, procs, nitems(procs), argc0, argv, proc_id); 224 225 log_procinit("parent"); 226 if (!debug && daemon(1, 0) == -1) 227 err(1, "failed to daemonize"); 228 229 if (ps->ps_noaction == 0) 230 log_info("startup"); 231 232 event_init(); 233 234 signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); 235 signal_set(&ps->ps_evsigterm, SIGTERM, parent_sig_handler, ps); 236 signal_set(&ps->ps_evsighup, SIGHUP, parent_sig_handler, ps); 237 signal_set(&ps->ps_evsigpipe, SIGPIPE, parent_sig_handler, ps); 238 signal_set(&ps->ps_evsigusr1, SIGUSR1, parent_sig_handler, ps); 239 240 signal_add(&ps->ps_evsigint, NULL); 241 signal_add(&ps->ps_evsigterm, NULL); 242 signal_add(&ps->ps_evsighup, NULL); 243 signal_add(&ps->ps_evsigpipe, NULL); 244 signal_add(&ps->ps_evsigusr1, NULL); 245 246 proc_connect(ps); 247 248 if (load_config(env->sc_conffile, env) == -1) { 249 proc_kill(env->sc_ps); 250 exit(1); 251 } 252 253 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) { 254 fprintf(stderr, "configuration OK\n"); 255 proc_kill(env->sc_ps); 256 exit(0); 257 } 258 259 if (env->sc_conf.flags & (F_TLS|F_TLSCLIENT)) 260 ssl_init(env); 261 262 /* rekey the TLS tickets before pushing the config */ 263 parent_tls_ticket_rekey(0, 0, env); 264 if (parent_configure(env) == -1) 265 fatalx("configuration failed"); 266 267 init_routes(env); 268 269 event_dispatch(); 270 271 parent_shutdown(env); 272 /* NOTREACHED */ 273 274 return (0); 275 } 276 277 int 278 parent_configure(struct relayd *env) 279 { 280 struct table *tb; 281 struct rdr *rdr; 282 struct router *rt; 283 struct protocol *proto; 284 struct relay *rlay; 285 int id; 286 int s, ret = -1; 287 288 TAILQ_FOREACH(tb, env->sc_tables, entry) 289 config_settable(env, tb); 290 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 291 config_setrdr(env, rdr); 292 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 293 config_setrt(env, rt); 294 TAILQ_FOREACH(proto, env->sc_protos, entry) 295 config_setproto(env, proto); 296 TAILQ_FOREACH(proto, env->sc_protos, entry) 297 config_setrule(env, proto); 298 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 299 /* Check for TLS Inspection */ 300 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == 301 (F_TLS|F_TLSCLIENT) && 302 rlay->rl_conf.tls_cacert_len && 303 rlay->rl_conf.tls_cakey_len) 304 rlay->rl_conf.flags |= F_TLSINSPECT; 305 306 config_setrelay(env, rlay); 307 } 308 309 /* HCE, PFE, CA and the relays need to reload their config. */ 310 env->sc_reload = 2 + (2 * env->sc_conf.prefork_relay); 311 312 for (id = 0; id < PROC_MAX; id++) { 313 if (id == privsep_process) 314 continue; 315 316 if ((env->sc_conf.flags & F_NEEDPF) && id == PROC_PFE) { 317 /* Send pf socket to the pf engine */ 318 if ((s = open(PF_SOCKET, O_RDWR)) == -1) { 319 log_debug("%s: cannot open pf socket", 320 __func__); 321 goto done; 322 } 323 } else 324 s = -1; 325 326 proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1, 327 s, &env->sc_conf, sizeof(env->sc_conf)); 328 } 329 330 ret = 0; 331 332 done: 333 config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS); 334 return (ret); 335 } 336 337 void 338 parent_reload(struct relayd *env, u_int reset, const char *filename) 339 { 340 if (env->sc_reload) { 341 log_debug("%s: already in progress: %d pending", 342 __func__, env->sc_reload); 343 return; 344 } 345 346 /* Switch back to the default config file */ 347 if (filename == NULL || *filename == '\0') 348 filename = env->sc_conffile; 349 350 log_debug("%s: level %d config file %s", __func__, reset, filename); 351 352 config_purge(env, CONFIG_ALL); 353 354 if (reset == CONFIG_RELOAD) { 355 if (load_config(filename, env) == -1) { 356 log_debug("%s: failed to load config file %s", 357 __func__, filename); 358 } 359 360 config_setreset(env, CONFIG_ALL); 361 362 if (parent_configure(env) == -1) { 363 log_debug("%s: failed to commit config from %s", 364 __func__, filename); 365 } 366 } else 367 config_setreset(env, reset); 368 } 369 370 void 371 parent_configure_done(struct relayd *env) 372 { 373 int id; 374 375 if (env->sc_reload == 0) { 376 log_warnx("%s: configuration already finished", __func__); 377 return; 378 } 379 380 env->sc_reload--; 381 if (env->sc_reload == 0) { 382 for (id = 0; id < PROC_MAX; id++) { 383 if (id == privsep_process) 384 continue; 385 386 proc_compose(env->sc_ps, id, IMSG_CTL_START, NULL, 0); 387 } 388 } 389 } 390 391 void 392 parent_shutdown(struct relayd *env) 393 { 394 config_purge(env, CONFIG_ALL); 395 396 proc_kill(env->sc_ps); 397 control_cleanup(&env->sc_ps->ps_csock); 398 (void)unlink(env->sc_ps->ps_csock.cs_name); 399 carp_demote_shutdown(); 400 401 free(env->sc_ps); 402 free(env); 403 404 log_info("parent terminating, pid %d", getpid()); 405 406 exit(0); 407 } 408 409 int 410 parent_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 411 { 412 struct relayd *env = p->p_env; 413 struct ctl_demote demote; 414 struct ctl_netroute crt; 415 u_int v; 416 char *str = NULL; 417 418 switch (imsg->hdr.type) { 419 case IMSG_DEMOTE: 420 IMSG_SIZE_CHECK(imsg, &demote); 421 memcpy(&demote, imsg->data, sizeof(demote)); 422 carp_demote_set(demote.group, demote.level); 423 break; 424 case IMSG_RTMSG: 425 IMSG_SIZE_CHECK(imsg, &crt); 426 memcpy(&crt, imsg->data, sizeof(crt)); 427 pfe_route(env, &crt); 428 break; 429 case IMSG_CTL_RESET: 430 IMSG_SIZE_CHECK(imsg, &v); 431 memcpy(&v, imsg->data, sizeof(v)); 432 parent_reload(env, v, NULL); 433 break; 434 case IMSG_CTL_RELOAD: 435 if (IMSG_DATA_SIZE(imsg) > 0) 436 str = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); 437 parent_reload(env, CONFIG_RELOAD, str); 438 free(str); 439 break; 440 case IMSG_CTL_SHUTDOWN: 441 parent_shutdown(env); 442 break; 443 case IMSG_CFG_DONE: 444 parent_configure_done(env); 445 break; 446 case IMSG_SNMPSOCK: 447 (void)snmp_setsock(env, p->p_id); 448 break; 449 default: 450 return (-1); 451 } 452 453 return (0); 454 } 455 456 int 457 parent_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 458 { 459 struct relayd *env = p->p_env; 460 struct privsep *ps = env->sc_ps; 461 struct ctl_script scr; 462 463 switch (imsg->hdr.type) { 464 case IMSG_SCRIPT: 465 IMSG_SIZE_CHECK(imsg, &scr); 466 bcopy(imsg->data, &scr, sizeof(scr)); 467 scr.retval = script_exec(env, &scr); 468 proc_compose(ps, PROC_HCE, IMSG_SCRIPT, &scr, sizeof(scr)); 469 break; 470 case IMSG_CFG_DONE: 471 parent_configure_done(env); 472 break; 473 default: 474 return (-1); 475 } 476 477 return (0); 478 } 479 480 int 481 parent_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg) 482 { 483 struct relayd *env = p->p_env; 484 struct privsep *ps = env->sc_ps; 485 struct ctl_bindany bnd; 486 int s; 487 488 switch (imsg->hdr.type) { 489 case IMSG_BINDANY: 490 IMSG_SIZE_CHECK(imsg, &bnd); 491 bcopy(imsg->data, &bnd, sizeof(bnd)); 492 if (bnd.bnd_proc > env->sc_conf.prefork_relay) 493 fatalx("pfe_dispatch_relay: " 494 "invalid relay proc"); 495 switch (bnd.bnd_proto) { 496 case IPPROTO_TCP: 497 case IPPROTO_UDP: 498 break; 499 default: 500 fatalx("pfe_dispatch_relay: requested socket " 501 "for invalid protocol"); 502 /* NOTREACHED */ 503 } 504 s = bindany(&bnd); 505 proc_compose_imsg(ps, PROC_RELAY, bnd.bnd_proc, 506 IMSG_BINDANY, -1, s, &bnd.bnd_id, sizeof(bnd.bnd_id)); 507 break; 508 case IMSG_CFG_DONE: 509 parent_configure_done(env); 510 break; 511 default: 512 return (-1); 513 } 514 515 return (0); 516 } 517 518 int 519 parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 520 { 521 struct relayd *env = p->p_env; 522 523 switch (imsg->hdr.type) { 524 case IMSG_CFG_DONE: 525 parent_configure_done(env); 526 break; 527 default: 528 return (-1); 529 } 530 531 return (0); 532 } 533 534 void 535 purge_table(struct relayd *env, struct tablelist *head, struct table *table) 536 { 537 struct host *host; 538 539 while ((host = TAILQ_FIRST(&table->hosts)) != NULL) { 540 TAILQ_REMOVE(&table->hosts, host, entry); 541 TAILQ_REMOVE(&env->sc_hosts, host, globalentry); 542 if (event_initialized(&host->cte.ev)) { 543 event_del(&host->cte.ev); 544 close(host->cte.s); 545 } 546 ibuf_free(host->cte.buf); 547 SSL_free(host->cte.ssl); 548 free(host); 549 } 550 free(table->sendbuf); 551 if (table->conf.flags & F_TLS) 552 SSL_CTX_free(table->ssl_ctx); 553 554 if (head != NULL) 555 TAILQ_REMOVE(head, table, entry); 556 free(table); 557 } 558 559 void 560 purge_key(char **ptr, off_t len) 561 { 562 char *key = *ptr; 563 564 if (key == NULL || len == 0) 565 return; 566 567 explicit_bzero(key, len); 568 free(key); 569 570 *ptr = NULL; 571 } 572 573 void 574 purge_relay(struct relayd *env, struct relay *rlay) 575 { 576 struct rsession *con; 577 struct relay_table *rlt; 578 579 /* shutdown and remove relay */ 580 if (event_initialized(&rlay->rl_ev)) 581 event_del(&rlay->rl_ev); 582 close(rlay->rl_s); 583 TAILQ_REMOVE(env->sc_relays, rlay, rl_entry); 584 585 /* cleanup sessions */ 586 while ((con = 587 SPLAY_ROOT(&rlay->rl_sessions)) != NULL) 588 relay_close(con, NULL); 589 590 /* cleanup relay */ 591 if (rlay->rl_bev != NULL) 592 bufferevent_free(rlay->rl_bev); 593 if (rlay->rl_dstbev != NULL) 594 bufferevent_free(rlay->rl_dstbev); 595 596 purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); 597 purge_key(&rlay->rl_tls_key, rlay->rl_conf.tls_key_len); 598 purge_key(&rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len); 599 purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len); 600 601 if (rlay->rl_tls_x509 != NULL) { 602 X509_free(rlay->rl_tls_x509); 603 rlay->rl_tls_x509 = NULL; 604 } 605 if (rlay->rl_tls_pkey != NULL) { 606 EVP_PKEY_free(rlay->rl_tls_pkey); 607 rlay->rl_tls_pkey = NULL; 608 } 609 if (rlay->rl_tls_cacertx509 != NULL) { 610 X509_free(rlay->rl_tls_cacertx509); 611 rlay->rl_tls_cacertx509 = NULL; 612 } 613 if (rlay->rl_tls_capkey != NULL) { 614 EVP_PKEY_free(rlay->rl_tls_capkey); 615 rlay->rl_tls_capkey = NULL; 616 } 617 618 SSL_CTX_free(rlay->rl_ssl_ctx); 619 620 while ((rlt = TAILQ_FIRST(&rlay->rl_tables))) { 621 TAILQ_REMOVE(&rlay->rl_tables, rlt, rlt_entry); 622 free(rlt); 623 } 624 625 free(rlay); 626 } 627 628 struct kv * 629 kv_add(struct kvtree *keys, char *key, char *value, int unique) 630 { 631 struct kv *kv, *oldkv; 632 633 if (key == NULL) 634 return (NULL); 635 if ((kv = calloc(1, sizeof(*kv))) == NULL) 636 return (NULL); 637 if ((kv->kv_key = strdup(key)) == NULL) 638 goto fail; 639 if (value != NULL && 640 (kv->kv_value = strdup(value)) == NULL) 641 goto fail; 642 TAILQ_INIT(&kv->kv_children); 643 644 if ((oldkv = RB_INSERT(kvtree, keys, kv)) != NULL) { 645 /* 646 * return error if the key should occur only once, 647 * or add it to a list attached to the key's node. 648 */ 649 if (unique) 650 goto fail; 651 TAILQ_INSERT_TAIL(&oldkv->kv_children, kv, kv_entry); 652 kv->kv_parent = oldkv; 653 } 654 655 return (kv); 656 fail: 657 free(kv->kv_key); 658 free(kv->kv_value); 659 free(kv); 660 return (NULL); 661 } 662 663 int 664 kv_set(struct kv *kv, char *fmt, ...) 665 { 666 va_list ap; 667 char *value = NULL; 668 struct kv *ckv; 669 670 va_start(ap, fmt); 671 if (vasprintf(&value, fmt, ap) == -1) 672 return (-1); 673 va_end(ap); 674 675 /* Remove all children */ 676 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 677 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 678 kv_free(ckv); 679 free(ckv); 680 } 681 682 /* Set the new value */ 683 free(kv->kv_value); 684 kv->kv_value = value; 685 686 return (0); 687 } 688 689 int 690 kv_setkey(struct kv *kv, char *fmt, ...) 691 { 692 va_list ap; 693 char *key = NULL; 694 695 va_start(ap, fmt); 696 if (vasprintf(&key, fmt, ap) == -1) 697 return (-1); 698 va_end(ap); 699 700 free(kv->kv_key); 701 kv->kv_key = key; 702 703 return (0); 704 } 705 706 void 707 kv_delete(struct kvtree *keys, struct kv *kv) 708 { 709 struct kv *ckv; 710 711 RB_REMOVE(kvtree, keys, kv); 712 713 /* Remove all children */ 714 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 715 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 716 kv_free(ckv); 717 free(ckv); 718 } 719 720 kv_free(kv); 721 free(kv); 722 } 723 724 struct kv * 725 kv_extend(struct kvtree *keys, struct kv *kv, char *value) 726 { 727 char *newvalue; 728 729 if (kv == NULL) { 730 return (NULL); 731 } else if (kv->kv_value != NULL) { 732 if (asprintf(&newvalue, "%s%s", kv->kv_value, value) == -1) 733 return (NULL); 734 735 free(kv->kv_value); 736 kv->kv_value = newvalue; 737 } else if ((kv->kv_value = strdup(value)) == NULL) 738 return (NULL); 739 740 return (kv); 741 } 742 743 void 744 kv_purge(struct kvtree *keys) 745 { 746 struct kv *kv; 747 748 while ((kv = RB_MIN(kvtree, keys)) != NULL) 749 kv_delete(keys, kv); 750 } 751 752 void 753 kv_free(struct kv *kv) 754 { 755 /* 756 * This function does not clear memory referenced by 757 * kv_children or stuff on the tailqs. Use kv_delete() instead. 758 */ 759 760 free(kv->kv_key); 761 free(kv->kv_value); 762 memset(kv, 0, sizeof(*kv)); 763 } 764 765 struct kv * 766 kv_inherit(struct kv *dst, struct kv *src) 767 { 768 memset(dst, 0, sizeof(*dst)); 769 memcpy(dst, src, sizeof(*dst)); 770 TAILQ_INIT(&dst->kv_children); 771 772 if (src->kv_key != NULL) { 773 if ((dst->kv_key = strdup(src->kv_key)) == NULL) { 774 kv_free(dst); 775 return (NULL); 776 } 777 } 778 if (src->kv_value != NULL) { 779 if ((dst->kv_value = strdup(src->kv_value)) == NULL) { 780 kv_free(dst); 781 return (NULL); 782 } 783 } 784 785 if (src->kv_match != NULL) 786 dst->kv_match = src->kv_match; 787 if (src->kv_matchtree != NULL) 788 dst->kv_matchtree = src->kv_matchtree; 789 790 return (dst); 791 } 792 793 int 794 kv_log(struct rsession *con, struct kv *kv, u_int16_t labelid, 795 enum direction dir) 796 { 797 char *msg; 798 799 if (con->se_log == NULL) 800 return (0); 801 if (asprintf(&msg, " %s%s%s%s%s%s%s", 802 dir == RELAY_DIR_REQUEST ? "[" : "{", 803 labelid == 0 ? "" : label_id2name(labelid), 804 labelid == 0 ? "" : ", ", 805 kv->kv_key == NULL ? "(unknown)" : kv->kv_key, 806 kv->kv_value == NULL ? "" : ": ", 807 kv->kv_value == NULL ? "" : kv->kv_value, 808 dir == RELAY_DIR_REQUEST ? "]" : "}") == -1) 809 return (-1); 810 if (evbuffer_add(con->se_log, msg, strlen(msg)) == -1) { 811 free(msg); 812 return (-1); 813 } 814 free(msg); 815 con->se_haslog = 1; 816 return (0); 817 } 818 819 struct kv * 820 kv_find(struct kvtree *keys, struct kv *kv) 821 { 822 struct kv *match; 823 const char *key; 824 825 if (kv->kv_flags & KV_FLAG_GLOBBING) { 826 /* Test header key using shell globbing rules */ 827 key = kv->kv_key == NULL ? "" : kv->kv_key; 828 RB_FOREACH(match, kvtree, keys) { 829 if (fnmatch(key, match->kv_key, FNM_CASEFOLD) == 0) 830 break; 831 } 832 } else { 833 /* Fast tree-based lookup only works without globbing */ 834 match = RB_FIND(kvtree, keys, kv); 835 } 836 837 return (match); 838 } 839 840 int 841 kv_cmp(struct kv *a, struct kv *b) 842 { 843 return (strcasecmp(a->kv_key, b->kv_key)); 844 } 845 846 RB_GENERATE(kvtree, kv, kv_node, kv_cmp); 847 848 int 849 rule_add(struct protocol *proto, struct relay_rule *rule, const char *rulefile) 850 { 851 struct relay_rule *r = NULL; 852 struct kv *kv = NULL; 853 FILE *fp = NULL; 854 char buf[BUFSIZ]; 855 int ret = -1; 856 u_int i; 857 858 for (i = 0; i < KEY_TYPE_MAX; i++) { 859 kv = &rule->rule_kv[i]; 860 if (kv->kv_type != i) 861 continue; 862 863 switch (kv->kv_option) { 864 case KEY_OPTION_LOG: 865 /* log action needs a key or a file to be specified */ 866 if (kv->kv_key == NULL && rulefile == NULL && 867 (kv->kv_key = strdup("*")) == NULL) 868 goto fail; 869 break; 870 default: 871 break; 872 } 873 874 switch (kv->kv_type) { 875 case KEY_TYPE_QUERY: 876 case KEY_TYPE_PATH: 877 case KEY_TYPE_URL: 878 if (rule->rule_dir != RELAY_DIR_REQUEST) 879 goto fail; 880 break; 881 default: 882 break; 883 } 884 885 if (kv->kv_value != NULL && strchr(kv->kv_value, '$') != NULL) 886 kv->kv_flags |= KV_FLAG_MACRO; 887 if (kv->kv_key != NULL && strpbrk(kv->kv_key, "*?[") != NULL) 888 kv->kv_flags |= KV_FLAG_GLOBBING; 889 } 890 891 if (rulefile == NULL) { 892 TAILQ_INSERT_TAIL(&proto->rules, rule, rule_entry); 893 return (0); 894 } 895 896 if ((fp = fopen(rulefile, "r")) == NULL) 897 goto fail; 898 899 while (fgets(buf, sizeof(buf), fp) != NULL) { 900 /* strip whitespace and newline characters */ 901 buf[strcspn(buf, "\r\n\t ")] = '\0'; 902 if (!strlen(buf) || buf[0] == '#') 903 continue; 904 905 if ((r = rule_inherit(rule)) == NULL) 906 goto fail; 907 908 for (i = 0; i < KEY_TYPE_MAX; i++) { 909 kv = &r->rule_kv[i]; 910 if (kv->kv_type != i) 911 continue; 912 free(kv->kv_key); 913 if ((kv->kv_key = strdup(buf)) == NULL) { 914 rule_free(r); 915 free(r); 916 goto fail; 917 } 918 } 919 920 TAILQ_INSERT_TAIL(&proto->rules, r, rule_entry); 921 } 922 923 ret = 0; 924 rule_free(rule); 925 free(rule); 926 927 fail: 928 if (fp != NULL) 929 fclose(fp); 930 return (ret); 931 } 932 933 struct relay_rule * 934 rule_inherit(struct relay_rule *rule) 935 { 936 struct relay_rule *r; 937 u_int i; 938 struct kv *kv; 939 940 if ((r = calloc(1, sizeof(*r))) == NULL) 941 return (NULL); 942 memcpy(r, rule, sizeof(*r)); 943 944 for (i = 0; i < KEY_TYPE_MAX; i++) { 945 kv = &rule->rule_kv[i]; 946 if (kv->kv_type != i) 947 continue; 948 if (kv_inherit(&r->rule_kv[i], kv) == NULL) { 949 free(r); 950 return (NULL); 951 } 952 } 953 954 if (r->rule_label > 0) 955 label_ref(r->rule_label); 956 if (r->rule_tag > 0) 957 tag_ref(r->rule_tag); 958 if (r->rule_tagged > 0) 959 tag_ref(r->rule_tagged); 960 961 return (r); 962 } 963 964 void 965 rule_free(struct relay_rule *rule) 966 { 967 u_int i; 968 969 for (i = 0; i < KEY_TYPE_MAX; i++) 970 kv_free(&rule->rule_kv[i]); 971 if (rule->rule_label > 0) 972 label_unref(rule->rule_label); 973 if (rule->rule_tag > 0) 974 tag_unref(rule->rule_tag); 975 if (rule->rule_tagged > 0) 976 tag_unref(rule->rule_tagged); 977 } 978 979 void 980 rule_delete(struct relay_rules *rules, struct relay_rule *rule) 981 { 982 TAILQ_REMOVE(rules, rule, rule_entry); 983 rule_free(rule); 984 free(rule); 985 } 986 987 void 988 rule_settable(struct relay_rules *rules, struct relay_table *rlt) 989 { 990 struct relay_rule *r; 991 char pname[TABLE_NAME_SIZE]; 992 993 if (rlt->rlt_table == NULL || strlcpy(pname, rlt->rlt_table->conf.name, 994 sizeof(pname)) >= sizeof(pname)) 995 return; 996 997 pname[strcspn(pname, ":")] = '\0'; 998 999 TAILQ_FOREACH(r, rules, rule_entry) { 1000 if (r->rule_tablename[0] && 1001 strcmp(pname, r->rule_tablename) == 0) 1002 r->rule_table = rlt; 1003 } 1004 } 1005 1006 /* 1007 * Utility functions 1008 */ 1009 1010 struct host * 1011 host_find(struct relayd *env, objid_t id) 1012 { 1013 struct table *table; 1014 struct host *host; 1015 1016 TAILQ_FOREACH(table, env->sc_tables, entry) 1017 TAILQ_FOREACH(host, &table->hosts, entry) 1018 if (host->conf.id == id) 1019 return (host); 1020 return (NULL); 1021 } 1022 1023 struct table * 1024 table_find(struct relayd *env, objid_t id) 1025 { 1026 struct table *table; 1027 1028 TAILQ_FOREACH(table, env->sc_tables, entry) 1029 if (table->conf.id == id) 1030 return (table); 1031 return (NULL); 1032 } 1033 1034 struct rdr * 1035 rdr_find(struct relayd *env, objid_t id) 1036 { 1037 struct rdr *rdr; 1038 1039 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1040 if (rdr->conf.id == id) 1041 return (rdr); 1042 return (NULL); 1043 } 1044 1045 struct relay * 1046 relay_find(struct relayd *env, objid_t id) 1047 { 1048 struct relay *rlay; 1049 1050 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1051 if (rlay->rl_conf.id == id) 1052 return (rlay); 1053 return (NULL); 1054 } 1055 1056 struct protocol * 1057 proto_find(struct relayd *env, objid_t id) 1058 { 1059 struct protocol *p; 1060 1061 TAILQ_FOREACH(p, env->sc_protos, entry) 1062 if (p->id == id) 1063 return (p); 1064 return (NULL); 1065 } 1066 1067 struct rsession * 1068 session_find(struct relayd *env, objid_t id) 1069 { 1070 struct relay *rlay; 1071 struct rsession *con; 1072 1073 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1074 SPLAY_FOREACH(con, session_tree, &rlay->rl_sessions) 1075 if (con->se_id == id) 1076 return (con); 1077 return (NULL); 1078 } 1079 1080 struct netroute * 1081 route_find(struct relayd *env, objid_t id) 1082 { 1083 struct netroute *nr; 1084 1085 TAILQ_FOREACH(nr, env->sc_routes, nr_route) 1086 if (nr->nr_conf.id == id) 1087 return (nr); 1088 return (NULL); 1089 } 1090 1091 struct router * 1092 router_find(struct relayd *env, objid_t id) 1093 { 1094 struct router *rt; 1095 1096 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 1097 if (rt->rt_conf.id == id) 1098 return (rt); 1099 return (NULL); 1100 } 1101 1102 struct host * 1103 host_findbyname(struct relayd *env, const char *name) 1104 { 1105 struct table *table; 1106 struct host *host; 1107 1108 TAILQ_FOREACH(table, env->sc_tables, entry) 1109 TAILQ_FOREACH(host, &table->hosts, entry) 1110 if (strcmp(host->conf.name, name) == 0) 1111 return (host); 1112 return (NULL); 1113 } 1114 1115 struct table * 1116 table_findbyname(struct relayd *env, const char *name) 1117 { 1118 struct table *table; 1119 1120 TAILQ_FOREACH(table, env->sc_tables, entry) 1121 if (strcmp(table->conf.name, name) == 0) 1122 return (table); 1123 return (NULL); 1124 } 1125 1126 struct table * 1127 table_findbyconf(struct relayd *env, struct table *tb) 1128 { 1129 struct table *table; 1130 struct table_config a, b; 1131 1132 bcopy(&tb->conf, &a, sizeof(a)); 1133 a.id = a.rdrid = 0; 1134 a.flags &= ~(F_USED|F_BACKUP); 1135 1136 TAILQ_FOREACH(table, env->sc_tables, entry) { 1137 bcopy(&table->conf, &b, sizeof(b)); 1138 b.id = b.rdrid = 0; 1139 b.flags &= ~(F_USED|F_BACKUP); 1140 1141 /* 1142 * Compare two tables and return the existing table if 1143 * the configuration seems to be the same. 1144 */ 1145 if (bcmp(&a, &b, sizeof(b)) == 0 && 1146 ((tb->sendbuf == NULL && table->sendbuf == NULL) || 1147 (tb->sendbuf != NULL && table->sendbuf != NULL && 1148 strcmp(tb->sendbuf, table->sendbuf) == 0))) 1149 return (table); 1150 } 1151 return (NULL); 1152 } 1153 1154 struct rdr * 1155 rdr_findbyname(struct relayd *env, const char *name) 1156 { 1157 struct rdr *rdr; 1158 1159 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1160 if (strcmp(rdr->conf.name, name) == 0) 1161 return (rdr); 1162 return (NULL); 1163 } 1164 1165 struct relay * 1166 relay_findbyname(struct relayd *env, const char *name) 1167 { 1168 struct relay *rlay; 1169 1170 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1171 if (strcmp(rlay->rl_conf.name, name) == 0) 1172 return (rlay); 1173 return (NULL); 1174 } 1175 1176 struct relay * 1177 relay_findbyaddr(struct relayd *env, struct relay_config *rc) 1178 { 1179 struct relay *rlay; 1180 1181 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1182 if (bcmp(&rlay->rl_conf.ss, &rc->ss, sizeof(rc->ss)) == 0 && 1183 rlay->rl_conf.port == rc->port) 1184 return (rlay); 1185 return (NULL); 1186 } 1187 1188 EVP_PKEY * 1189 pkey_find(struct relayd *env, objid_t id) 1190 { 1191 struct ca_pkey *pkey; 1192 1193 TAILQ_FOREACH(pkey, env->sc_pkeys, pkey_entry) 1194 if (pkey->pkey_id == id) 1195 return (pkey->pkey); 1196 return (NULL); 1197 } 1198 1199 struct ca_pkey * 1200 pkey_add(struct relayd *env, EVP_PKEY *pkey, objid_t id) 1201 { 1202 struct ca_pkey *ca_pkey; 1203 1204 if (env->sc_pkeys == NULL) 1205 fatalx("pkeys"); 1206 1207 if ((ca_pkey = calloc(1, sizeof(*ca_pkey))) == NULL) 1208 return (NULL); 1209 1210 ca_pkey->pkey = pkey; 1211 ca_pkey->pkey_id = id; 1212 1213 TAILQ_INSERT_TAIL(env->sc_pkeys, ca_pkey, pkey_entry); 1214 1215 return (ca_pkey); 1216 } 1217 1218 void 1219 event_again(struct event *ev, int fd, short event, 1220 void (*fn)(int, short, void *), 1221 struct timeval *start, struct timeval *end, void *arg) 1222 { 1223 struct timeval tv_next, tv_now, tv; 1224 1225 getmonotime(&tv_now); 1226 bcopy(end, &tv_next, sizeof(tv_next)); 1227 timersub(&tv_now, start, &tv_now); 1228 timersub(&tv_next, &tv_now, &tv_next); 1229 1230 bzero(&tv, sizeof(tv)); 1231 if (timercmp(&tv_next, &tv, >)) 1232 bcopy(&tv_next, &tv, sizeof(tv)); 1233 1234 event_del(ev); 1235 event_set(ev, fd, event, fn, arg); 1236 event_add(ev, &tv); 1237 } 1238 1239 int 1240 expand_string(char *label, size_t len, const char *srch, const char *repl) 1241 { 1242 char *tmp; 1243 char *p, *q; 1244 1245 if ((tmp = calloc(1, len)) == NULL) { 1246 log_debug("%s: calloc", __func__); 1247 return (-1); 1248 } 1249 p = q = label; 1250 while ((q = strstr(p, srch)) != NULL) { 1251 *q = '\0'; 1252 if ((strlcat(tmp, p, len) >= len) || 1253 (strlcat(tmp, repl, len) >= len)) { 1254 log_debug("%s: string too long", __func__); 1255 free(tmp); 1256 return (-1); 1257 } 1258 q += strlen(srch); 1259 p = q; 1260 } 1261 if (strlcat(tmp, p, len) >= len) { 1262 log_debug("%s: string too long", __func__); 1263 free(tmp); 1264 return (-1); 1265 } 1266 (void)strlcpy(label, tmp, len); /* always fits */ 1267 free(tmp); 1268 1269 return (0); 1270 } 1271 1272 void 1273 translate_string(char *str) 1274 { 1275 char *reader; 1276 char *writer; 1277 1278 reader = writer = str; 1279 1280 while (*reader) { 1281 if (*reader == '\\') { 1282 reader++; 1283 switch (*reader) { 1284 case 'n': 1285 *writer++ = '\n'; 1286 break; 1287 case 'r': 1288 *writer++ = '\r'; 1289 break; 1290 default: 1291 *writer++ = *reader; 1292 } 1293 } else 1294 *writer++ = *reader; 1295 reader++; 1296 } 1297 *writer = '\0'; 1298 } 1299 1300 char * 1301 digeststr(enum digest_type type, const u_int8_t *data, size_t len, char *buf) 1302 { 1303 switch (type) { 1304 case DIGEST_SHA1: 1305 return (SHA1Data(data, len, buf)); 1306 break; 1307 case DIGEST_MD5: 1308 return (MD5Data(data, len, buf)); 1309 break; 1310 default: 1311 break; 1312 } 1313 return (NULL); 1314 } 1315 1316 const char * 1317 canonicalize_host(const char *host, char *name, size_t len) 1318 { 1319 struct sockaddr_in sin4; 1320 struct sockaddr_in6 sin6; 1321 size_t i, j; 1322 size_t plen; 1323 char c; 1324 1325 if (len < 2) 1326 goto fail; 1327 1328 /* 1329 * Canonicalize an IPv4/6 address 1330 */ 1331 if (inet_pton(AF_INET, host, &sin4) == 1) 1332 return (inet_ntop(AF_INET, &sin4, name, len)); 1333 if (inet_pton(AF_INET6, host, &sin6) == 1) 1334 return (inet_ntop(AF_INET6, &sin6, name, len)); 1335 1336 /* 1337 * Canonicalize a hostname 1338 */ 1339 1340 /* 1. remove repeated dots and convert upper case to lower case */ 1341 plen = strlen(host); 1342 bzero(name, len); 1343 for (i = j = 0; i < plen; i++) { 1344 if (j >= (len - 1)) 1345 goto fail; 1346 c = tolower((unsigned char)host[i]); 1347 if ((c == '.') && (j == 0 || name[j - 1] == '.')) 1348 continue; 1349 name[j++] = c; 1350 } 1351 1352 /* 2. remove trailing dots */ 1353 for (i = j; i > 0; i--) { 1354 if (name[i - 1] != '.') 1355 break; 1356 name[i - 1] = '\0'; 1357 j--; 1358 } 1359 if (j <= 0) 1360 goto fail; 1361 1362 return (name); 1363 1364 fail: 1365 errno = EINVAL; 1366 return (NULL); 1367 } 1368 1369 int 1370 parse_url(const char *url, char **protoptr, char **hostptr, char **pathptr) 1371 { 1372 char *p, *proto = NULL, *host = NULL, *path = NULL; 1373 1374 /* return error if it is not a URL */ 1375 if ((p = strstr(url, ":/")) == NULL || 1376 (strcspn(url, ":/") != (size_t)(p - url))) 1377 return (-1); 1378 1379 /* get protocol */ 1380 if ((proto = strdup(url)) == NULL) 1381 goto fail; 1382 p = proto + (p - url); 1383 1384 /* get host */ 1385 p += strspn(p, ":/"); 1386 if (*p == '\0' || (host = strdup(p)) == NULL) 1387 goto fail; 1388 *p = '\0'; 1389 1390 /* find and copy path or default to "/" */ 1391 if ((p = strchr(host, '/')) == NULL) 1392 p = "/"; 1393 if ((path = strdup(p)) == NULL) 1394 goto fail; 1395 1396 /* strip path after host */ 1397 host[strcspn(host, "/")] = '\0'; 1398 1399 DPRINTF("%s: %s proto %s, host %s, path %s", __func__, 1400 url, proto, host, path); 1401 1402 *protoptr = proto; 1403 *hostptr = host; 1404 *pathptr = path; 1405 1406 return (0); 1407 1408 fail: 1409 free(proto); 1410 free(host); 1411 free(path); 1412 return (-1); 1413 } 1414 1415 int 1416 bindany(struct ctl_bindany *bnd) 1417 { 1418 int s, v; 1419 1420 s = -1; 1421 v = 1; 1422 1423 if (relay_socket_af(&bnd->bnd_ss, bnd->bnd_port) == -1) 1424 goto fail; 1425 if ((s = socket(bnd->bnd_ss.ss_family, 1426 bnd->bnd_proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, 1427 bnd->bnd_proto)) == -1) 1428 goto fail; 1429 if (setsockopt(s, SOL_SOCKET, SO_BINDANY, 1430 &v, sizeof(v)) == -1) 1431 goto fail; 1432 if (bind(s, (struct sockaddr *)&bnd->bnd_ss, 1433 bnd->bnd_ss.ss_len) == -1) 1434 goto fail; 1435 1436 return (s); 1437 1438 fail: 1439 if (s != -1) 1440 close(s); 1441 return (-1); 1442 } 1443 1444 int 1445 map6to4(struct sockaddr_storage *in6) 1446 { 1447 struct sockaddr_storage out4; 1448 struct sockaddr_in *sin4 = (struct sockaddr_in *)&out4; 1449 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)in6; 1450 1451 bzero(sin4, sizeof(*sin4)); 1452 sin4->sin_len = sizeof(*sin4); 1453 sin4->sin_family = AF_INET; 1454 sin4->sin_port = sin6->sin6_port; 1455 1456 bcopy(&sin6->sin6_addr.s6_addr[12], &sin4->sin_addr.s_addr, 1457 sizeof(sin4->sin_addr)); 1458 1459 if (sin4->sin_addr.s_addr == INADDR_ANY || 1460 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1461 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1462 return (-1); 1463 1464 bcopy(&out4, in6, sizeof(*in6)); 1465 1466 return (0); 1467 } 1468 1469 int 1470 map4to6(struct sockaddr_storage *in4, struct sockaddr_storage *map) 1471 { 1472 struct sockaddr_storage out6; 1473 struct sockaddr_in *sin4 = (struct sockaddr_in *)in4; 1474 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out6; 1475 struct sockaddr_in6 *map6 = (struct sockaddr_in6 *)map; 1476 1477 if (sin4->sin_addr.s_addr == INADDR_ANY || 1478 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1479 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1480 return (-1); 1481 1482 bcopy(map6, sin6, sizeof(*sin6)); 1483 sin6->sin6_len = sizeof(*sin6); 1484 sin6->sin6_family = AF_INET6; 1485 sin6->sin6_port = sin4->sin_port; 1486 1487 bcopy(&sin4->sin_addr.s_addr, &sin6->sin6_addr.s6_addr[12], 1488 sizeof(sin4->sin_addr)); 1489 1490 bcopy(&out6, in4, sizeof(*in4)); 1491 1492 return (0); 1493 } 1494 1495 void 1496 socket_rlimit(int maxfd) 1497 { 1498 struct rlimit rl; 1499 1500 if (getrlimit(RLIMIT_NOFILE, &rl) == -1) 1501 fatal("socket_rlimit: failed to get resource limit"); 1502 log_debug("%s: max open files %llu", __func__, rl.rlim_max); 1503 1504 /* 1505 * Allow the maximum number of open file descriptors for this 1506 * login class (which should be the class "daemon" by default). 1507 */ 1508 if (maxfd == -1) 1509 rl.rlim_cur = rl.rlim_max; 1510 else 1511 rl.rlim_cur = MAXIMUM(rl.rlim_max, (rlim_t)maxfd); 1512 if (setrlimit(RLIMIT_NOFILE, &rl) == -1) 1513 fatal("socket_rlimit: failed to set resource limit"); 1514 } 1515 1516 char * 1517 get_string(u_int8_t *ptr, size_t len) 1518 { 1519 size_t i; 1520 1521 for (i = 0; i < len; i++) 1522 if (!(isprint((unsigned char)ptr[i]) || 1523 isspace((unsigned char)ptr[i]))) 1524 break; 1525 1526 return strndup(ptr, i); 1527 } 1528 1529 void * 1530 get_data(u_int8_t *ptr, size_t len) 1531 { 1532 u_int8_t *data; 1533 1534 if ((data = malloc(len)) == NULL) 1535 return (NULL); 1536 memcpy(data, ptr, len); 1537 1538 return (data); 1539 } 1540 1541 int 1542 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen) 1543 { 1544 struct sockaddr_in *a4, *b4; 1545 struct sockaddr_in6 *a6, *b6; 1546 u_int32_t av[4], bv[4], mv[4]; 1547 1548 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC) 1549 return (0); 1550 else if (a->sa_family > b->sa_family) 1551 return (1); 1552 else if (a->sa_family < b->sa_family) 1553 return (-1); 1554 1555 if (prefixlen == -1) 1556 memset(&mv, 0xff, sizeof(mv)); 1557 1558 switch (a->sa_family) { 1559 case AF_INET: 1560 a4 = (struct sockaddr_in *)a; 1561 b4 = (struct sockaddr_in *)b; 1562 1563 av[0] = a4->sin_addr.s_addr; 1564 bv[0] = b4->sin_addr.s_addr; 1565 if (prefixlen != -1) 1566 mv[0] = prefixlen2mask(prefixlen); 1567 1568 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1569 return (1); 1570 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1571 return (-1); 1572 break; 1573 case AF_INET6: 1574 a6 = (struct sockaddr_in6 *)a; 1575 b6 = (struct sockaddr_in6 *)b; 1576 1577 memcpy(&av, &a6->sin6_addr.s6_addr, 16); 1578 memcpy(&bv, &b6->sin6_addr.s6_addr, 16); 1579 if (prefixlen != -1) 1580 prefixlen2mask6(prefixlen, mv); 1581 1582 if ((av[3] & mv[3]) > (bv[3] & mv[3])) 1583 return (1); 1584 if ((av[3] & mv[3]) < (bv[3] & mv[3])) 1585 return (-1); 1586 if ((av[2] & mv[2]) > (bv[2] & mv[2])) 1587 return (1); 1588 if ((av[2] & mv[2]) < (bv[2] & mv[2])) 1589 return (-1); 1590 if ((av[1] & mv[1]) > (bv[1] & mv[1])) 1591 return (1); 1592 if ((av[1] & mv[1]) < (bv[1] & mv[1])) 1593 return (-1); 1594 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1595 return (1); 1596 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1597 return (-1); 1598 break; 1599 } 1600 1601 return (0); 1602 } 1603 1604 u_int32_t 1605 prefixlen2mask(u_int8_t prefixlen) 1606 { 1607 if (prefixlen == 0) 1608 return (0); 1609 1610 if (prefixlen > 32) 1611 prefixlen = 32; 1612 1613 return (htonl(0xffffffff << (32 - prefixlen))); 1614 } 1615 1616 struct in6_addr * 1617 prefixlen2mask6(u_int8_t prefixlen, u_int32_t *mask) 1618 { 1619 static struct in6_addr s6; 1620 int i; 1621 1622 if (prefixlen > 128) 1623 prefixlen = 128; 1624 1625 bzero(&s6, sizeof(s6)); 1626 for (i = 0; i < prefixlen / 8; i++) 1627 s6.s6_addr[i] = 0xff; 1628 i = prefixlen % 8; 1629 if (i) 1630 s6.s6_addr[prefixlen / 8] = 0xff00 >> i; 1631 1632 memcpy(mask, &s6, sizeof(s6)); 1633 1634 return (&s6); 1635 } 1636 1637 int 1638 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen, 1639 int reserve, volatile int *counter) 1640 { 1641 int ret; 1642 if (getdtablecount() + reserve + 1643 *counter >= getdtablesize()) { 1644 errno = EMFILE; 1645 return (-1); 1646 } 1647 1648 if ((ret = accept4(sockfd, addr, addrlen, SOCK_NONBLOCK)) > -1) { 1649 (*counter)++; 1650 DPRINTF("%s: inflight incremented, now %d",__func__, *counter); 1651 } 1652 return (ret); 1653 } 1654 1655 void 1656 parent_tls_ticket_rekey(int fd, short events, void *arg) 1657 { 1658 static struct event rekeyev; 1659 struct relayd *env = arg; 1660 struct timeval tv; 1661 struct tls_ticket key; 1662 1663 log_debug("relayd_tls_ticket_rekey: rekeying tickets"); 1664 1665 arc4random_buf(key.tt_key_name, sizeof(key.tt_key_name)); 1666 arc4random_buf(key.tt_hmac_key, sizeof(key.tt_hmac_key)); 1667 arc4random_buf(key.tt_aes_key, sizeof(key.tt_aes_key)); 1668 key.tt_backup = 0; 1669 1670 proc_compose_imsg(env->sc_ps, PROC_RELAY, -1, IMSG_TLSTICKET_REKEY, 1671 -1, -1, &key, sizeof(key)); 1672 1673 evtimer_set(&rekeyev, parent_tls_ticket_rekey, env); 1674 timerclear(&tv); 1675 tv.tv_sec = TLS_TICKET_REKEY_TIME; 1676 evtimer_add(&rekeyev, &tv); 1677 } 1678