1 /* $OpenBSD: relayd.c,v 1.192 2024/10/28 19:56:18 tb Exp $ */
2
3 /*
4 * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
5 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/types.h>
21 #include <sys/queue.h>
22 #include <sys/socket.h>
23 #include <sys/stat.h>
24 #include <sys/wait.h>
25 #include <sys/resource.h>
26
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29
30 #include <signal.h>
31 #include <string.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <fcntl.h>
35 #include <getopt.h>
36 #include <fnmatch.h>
37 #include <syslog.h>
38 #include <err.h>
39 #include <errno.h>
40 #include <event.h>
41 #include <unistd.h>
42 #include <ctype.h>
43 #include <pwd.h>
44 #include <sha1.h>
45 #include <md5.h>
46
47 #include <tls.h>
48
49 #include "relayd.h"
50
51 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
52
53 __dead void usage(void);
54
55 int parent_configure(struct relayd *);
56 void parent_configure_done(struct relayd *);
57 void parent_reload(struct relayd *, u_int, const char *);
58 void parent_sig_handler(int, short, void *);
59 void parent_shutdown(struct relayd *);
60 int parent_dispatch_pfe(int, struct privsep_proc *, struct imsg *);
61 int parent_dispatch_hce(int, struct privsep_proc *, struct imsg *);
62 int parent_dispatch_relay(int, struct privsep_proc *,
63 struct imsg *);
64 int parent_dispatch_ca(int, struct privsep_proc *,
65 struct imsg *);
66 int bindany(struct ctl_bindany *);
67 void parent_tls_ticket_rekey(int, short, void *);
68
69 struct relayd *relayd_env;
70
71 static struct privsep_proc procs[] = {
72 { "pfe", PROC_PFE, parent_dispatch_pfe, pfe },
73 { "hce", PROC_HCE, parent_dispatch_hce, hce },
74 { "relay", PROC_RELAY, parent_dispatch_relay, relay },
75 { "ca", PROC_CA, parent_dispatch_ca, ca }
76 };
77
78 enum privsep_procid privsep_process;
79
80 void
parent_sig_handler(int sig,short event,void * arg)81 parent_sig_handler(int sig, short event, void *arg)
82 {
83 struct privsep *ps = arg;
84
85 switch (sig) {
86 case SIGTERM:
87 case SIGINT:
88 parent_shutdown(ps->ps_env);
89 break;
90 case SIGHUP:
91 log_info("%s: reload requested with SIGHUP", __func__);
92
93 /*
94 * This is safe because libevent uses async signal handlers
95 * that run in the event loop and not in signal context.
96 */
97 parent_reload(ps->ps_env, CONFIG_RELOAD, NULL);
98 break;
99 case SIGPIPE:
100 case SIGUSR1:
101 /* ignore */
102 break;
103 default:
104 fatalx("unexpected signal");
105 }
106 }
107
108 __dead void
usage(void)109 usage(void)
110 {
111 extern char *__progname;
112
113 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n",
114 __progname);
115 exit(1);
116 }
117
118 int
main(int argc,char * argv[])119 main(int argc, char *argv[])
120 {
121 int c;
122 int debug = 0, verbose = 0;
123 u_int32_t opts = 0;
124 struct relayd *env;
125 struct privsep *ps;
126 const char *conffile = CONF_FILE;
127 enum privsep_procid proc_id = PROC_PARENT;
128 int proc_instance = 0;
129 const char *errp, *title = NULL;
130 int argc0 = argc;
131
132 while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) {
133 switch (c) {
134 case 'd':
135 debug = 2;
136 break;
137 case 'D':
138 if (cmdline_symset(optarg) < 0)
139 log_warnx("could not parse macro definition %s",
140 optarg);
141 break;
142 case 'n':
143 debug = 2;
144 opts |= RELAYD_OPT_NOACTION;
145 break;
146 case 'f':
147 conffile = optarg;
148 break;
149 case 'v':
150 verbose++;
151 opts |= RELAYD_OPT_VERBOSE;
152 break;
153 case 'P':
154 title = optarg;
155 proc_id = proc_getid(procs, nitems(procs), title);
156 if (proc_id == PROC_MAX)
157 fatalx("invalid process name");
158 break;
159 case 'I':
160 proc_instance = strtonum(optarg, 0,
161 PROC_MAX_INSTANCES, &errp);
162 if (errp)
163 fatalx("invalid process instance");
164 break;
165 default:
166 usage();
167 }
168 }
169
170 /* log to stderr until daemonized */
171 log_init(debug ? debug : 1, LOG_DAEMON);
172
173 argc -= optind;
174 if (argc > 0)
175 usage();
176
177 if ((env = calloc(1, sizeof(*env))) == NULL ||
178 (ps = calloc(1, sizeof(*ps))) == NULL)
179 exit(1);
180
181 relayd_env = env;
182 env->sc_ps = ps;
183 ps->ps_env = env;
184 TAILQ_INIT(&ps->ps_rcsocks);
185 env->sc_conffile = conffile;
186 env->sc_conf.opts = opts;
187 TAILQ_INIT(&env->sc_hosts);
188 TAILQ_INIT(&env->sc_sessions);
189 env->sc_rtable = getrtable();
190 /* initialize the TLS session id to a random key for all relay procs */
191 arc4random_buf(env->sc_conf.tls_sid, sizeof(env->sc_conf.tls_sid));
192
193 if (parse_config(env->sc_conffile, env) == -1)
194 exit(1);
195
196 if (debug)
197 env->sc_conf.opts |= RELAYD_OPT_LOGUPDATE;
198
199 if (geteuid())
200 errx(1, "need root privileges");
201
202 if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL)
203 errx(1, "unknown user %s", RELAYD_USER);
204
205 log_init(debug, LOG_DAEMON);
206 log_setverbose(verbose);
207
208 if (env->sc_conf.opts & RELAYD_OPT_NOACTION)
209 ps->ps_noaction = 1;
210
211 ps->ps_instances[PROC_RELAY] = env->sc_conf.prefork_relay;
212 ps->ps_instances[PROC_CA] = env->sc_conf.prefork_relay;
213 ps->ps_instance = proc_instance;
214 if (title != NULL)
215 ps->ps_title[proc_id] = title;
216
217 /* only the parent returns */
218 proc_init(ps, procs, nitems(procs), debug, argc0, argv, proc_id);
219
220 log_procinit("parent");
221
222 if (ps->ps_noaction == 0)
223 log_info("startup");
224
225 if (unveil("/", "rx") == -1)
226 err(1, "unveil /");
227 if (unveil(NULL, NULL) == -1)
228 err(1, "unveil");
229
230 event_init();
231
232 signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
233 signal_set(&ps->ps_evsigterm, SIGTERM, parent_sig_handler, ps);
234 signal_set(&ps->ps_evsighup, SIGHUP, parent_sig_handler, ps);
235 signal_set(&ps->ps_evsigpipe, SIGPIPE, parent_sig_handler, ps);
236 signal_set(&ps->ps_evsigusr1, SIGUSR1, parent_sig_handler, ps);
237
238 signal_add(&ps->ps_evsigint, NULL);
239 signal_add(&ps->ps_evsigterm, NULL);
240 signal_add(&ps->ps_evsighup, NULL);
241 signal_add(&ps->ps_evsigpipe, NULL);
242 signal_add(&ps->ps_evsigusr1, NULL);
243
244 proc_connect(ps);
245
246 relay_http(NULL);
247 if (load_config(env->sc_conffile, env) == -1) {
248 proc_kill(env->sc_ps);
249 exit(1);
250 }
251
252 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) {
253 fprintf(stderr, "configuration OK\n");
254 proc_kill(env->sc_ps);
255 exit(0);
256 }
257
258 /* rekey the TLS tickets before pushing the config */
259 parent_tls_ticket_rekey(0, 0, env);
260 if (parent_configure(env) == -1)
261 fatalx("configuration failed");
262
263 init_routes(env);
264
265 event_dispatch();
266
267 parent_shutdown(env);
268 /* NOTREACHED */
269
270 return (0);
271 }
272
273 int
parent_configure(struct relayd * env)274 parent_configure(struct relayd *env)
275 {
276 struct table *tb;
277 struct rdr *rdr;
278 struct router *rt;
279 struct protocol *proto;
280 struct relay *rlay;
281 int id;
282 int ret = -1;
283
284 TAILQ_FOREACH(tb, env->sc_tables, entry)
285 config_settable(env, tb);
286 TAILQ_FOREACH(rdr, env->sc_rdrs, entry)
287 config_setrdr(env, rdr);
288 TAILQ_FOREACH(rt, env->sc_rts, rt_entry)
289 config_setrt(env, rt);
290 TAILQ_FOREACH(proto, env->sc_protos, entry)
291 config_setproto(env, proto);
292 TAILQ_FOREACH(proto, env->sc_protos, entry)
293 config_setrule(env, proto);
294 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) {
295 /* Check for TLS Inspection */
296 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) ==
297 (F_TLS|F_TLSCLIENT) && rlay->rl_tls_cacert_fd != -1)
298 rlay->rl_conf.flags |= F_TLSINSPECT;
299
300 config_setrelay(env, rlay);
301 }
302
303 /* HCE, PFE, CA and the relays need to reload their config. */
304 env->sc_reload = 2 + (2 * env->sc_conf.prefork_relay);
305
306 for (id = 0; id < PROC_MAX; id++) {
307 if (id == privsep_process)
308 continue;
309 proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1,
310 -1, &env->sc_conf, sizeof(env->sc_conf));
311 }
312
313 ret = 0;
314
315 config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS);
316 return (ret);
317 }
318
319 void
parent_reload(struct relayd * env,u_int reset,const char * filename)320 parent_reload(struct relayd *env, u_int reset, const char *filename)
321 {
322 if (env->sc_reload) {
323 log_debug("%s: already in progress: %d pending",
324 __func__, env->sc_reload);
325 return;
326 }
327
328 /* Switch back to the default config file */
329 if (filename == NULL || *filename == '\0')
330 filename = env->sc_conffile;
331
332 log_debug("%s: level %d config file %s", __func__, reset, filename);
333
334 config_purge(env, CONFIG_ALL);
335
336 if (reset == CONFIG_RELOAD) {
337 if (load_config(filename, env) == -1) {
338 log_debug("%s: failed to load config file %s",
339 __func__, filename);
340 }
341
342 config_setreset(env, CONFIG_ALL);
343
344 if (parent_configure(env) == -1) {
345 log_debug("%s: failed to commit config from %s",
346 __func__, filename);
347 }
348 } else
349 config_setreset(env, reset);
350 }
351
352 void
parent_configure_done(struct relayd * env)353 parent_configure_done(struct relayd *env)
354 {
355 int id;
356
357 if (env->sc_reload == 0) {
358 log_warnx("%s: configuration already finished", __func__);
359 return;
360 }
361
362 env->sc_reload--;
363 if (env->sc_reload == 0) {
364 for (id = 0; id < PROC_MAX; id++) {
365 if (id == privsep_process)
366 continue;
367
368 proc_compose(env->sc_ps, id, IMSG_CTL_START, NULL, 0);
369 }
370 }
371 }
372
373 void
parent_shutdown(struct relayd * env)374 parent_shutdown(struct relayd *env)
375 {
376 config_purge(env, CONFIG_ALL);
377
378 proc_kill(env->sc_ps);
379 control_cleanup(&env->sc_ps->ps_csock);
380 carp_demote_shutdown();
381
382 free(env->sc_ps);
383 free(env);
384
385 log_info("parent terminating, pid %d", getpid());
386
387 exit(0);
388 }
389
390 int
parent_dispatch_pfe(int fd,struct privsep_proc * p,struct imsg * imsg)391 parent_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg)
392 {
393 struct privsep *ps = p->p_ps;
394 struct relayd *env = ps->ps_env;
395 struct ctl_demote demote;
396 struct ctl_netroute crt;
397 u_int v;
398 char *str = NULL;
399
400 switch (imsg->hdr.type) {
401 case IMSG_DEMOTE:
402 IMSG_SIZE_CHECK(imsg, &demote);
403 memcpy(&demote, imsg->data, sizeof(demote));
404 carp_demote_set(demote.group, demote.level);
405 break;
406 case IMSG_RTMSG:
407 IMSG_SIZE_CHECK(imsg, &crt);
408 memcpy(&crt, imsg->data, sizeof(crt));
409 pfe_route(env, &crt);
410 break;
411 case IMSG_CTL_RESET:
412 IMSG_SIZE_CHECK(imsg, &v);
413 memcpy(&v, imsg->data, sizeof(v));
414 parent_reload(env, v, NULL);
415 break;
416 case IMSG_CTL_RELOAD:
417 if (IMSG_DATA_SIZE(imsg) > 0)
418 str = get_string(imsg->data, IMSG_DATA_SIZE(imsg));
419 parent_reload(env, CONFIG_RELOAD, str);
420 free(str);
421 break;
422 case IMSG_CTL_SHUTDOWN:
423 parent_shutdown(env);
424 break;
425 case IMSG_CFG_DONE:
426 parent_configure_done(env);
427 break;
428 case IMSG_AGENTXSOCK:
429 agentx_setsock(env, p->p_id);
430 break;
431 default:
432 return (-1);
433 }
434
435 return (0);
436 }
437
438 int
parent_dispatch_hce(int fd,struct privsep_proc * p,struct imsg * imsg)439 parent_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg)
440 {
441 struct privsep *ps = p->p_ps;
442 struct relayd *env = ps->ps_env;
443 struct ctl_script scr;
444
445 switch (imsg->hdr.type) {
446 case IMSG_SCRIPT:
447 IMSG_SIZE_CHECK(imsg, &scr);
448 bcopy(imsg->data, &scr, sizeof(scr));
449 scr.retval = script_exec(env, &scr);
450 proc_compose(ps, PROC_HCE, IMSG_SCRIPT, &scr, sizeof(scr));
451 break;
452 case IMSG_CFG_DONE:
453 parent_configure_done(env);
454 break;
455 default:
456 return (-1);
457 }
458
459 return (0);
460 }
461
462 int
parent_dispatch_relay(int fd,struct privsep_proc * p,struct imsg * imsg)463 parent_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg)
464 {
465 struct privsep *ps = p->p_ps;
466 struct relayd *env = ps->ps_env;
467 struct ctl_bindany bnd;
468 int s;
469
470 switch (imsg->hdr.type) {
471 case IMSG_BINDANY:
472 IMSG_SIZE_CHECK(imsg, &bnd);
473 bcopy(imsg->data, &bnd, sizeof(bnd));
474 if (bnd.bnd_proc > env->sc_conf.prefork_relay)
475 fatalx("%s: invalid relay proc", __func__);
476 switch (bnd.bnd_proto) {
477 case IPPROTO_TCP:
478 case IPPROTO_UDP:
479 break;
480 default:
481 fatalx("%s: requested socket "
482 "for invalid protocol", __func__);
483 /* NOTREACHED */
484 }
485 s = bindany(&bnd);
486 proc_compose_imsg(ps, PROC_RELAY, bnd.bnd_proc,
487 IMSG_BINDANY, -1, s, &bnd.bnd_id, sizeof(bnd.bnd_id));
488 break;
489 case IMSG_CFG_DONE:
490 parent_configure_done(env);
491 break;
492 default:
493 return (-1);
494 }
495
496 return (0);
497 }
498
499 int
parent_dispatch_ca(int fd,struct privsep_proc * p,struct imsg * imsg)500 parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
501 {
502 struct privsep *ps = p->p_ps;
503 struct relayd *env = ps->ps_env;
504
505 switch (imsg->hdr.type) {
506 case IMSG_CFG_DONE:
507 parent_configure_done(env);
508 break;
509 default:
510 return (-1);
511 }
512
513 return (0);
514 }
515
516 void
purge_table(struct relayd * env,struct tablelist * head,struct table * table)517 purge_table(struct relayd *env, struct tablelist *head, struct table *table)
518 {
519 struct host *host;
520
521 while ((host = TAILQ_FIRST(&table->hosts)) != NULL) {
522 TAILQ_REMOVE(&table->hosts, host, entry);
523 TAILQ_REMOVE(&env->sc_hosts, host, globalentry);
524 if (event_initialized(&host->cte.ev)) {
525 event_del(&host->cte.ev);
526 close(host->cte.s);
527 }
528 ibuf_free(host->cte.buf);
529 tls_free(host->cte.tls);
530 free(host);
531 }
532 free(table->sendbuf);
533 ibuf_free(table->sendbinbuf);
534 tls_config_free(table->tls_cfg);
535
536 if (head != NULL)
537 TAILQ_REMOVE(head, table, entry);
538 free(table);
539 }
540
541 void
purge_key(char ** key,off_t len)542 purge_key(char **key, off_t len)
543 {
544 freezero(*key, len);
545
546 *key = NULL;
547 }
548
549 void
purge_relay(struct relayd * env,struct relay * rlay)550 purge_relay(struct relayd *env, struct relay *rlay)
551 {
552 struct rsession *con;
553 struct relay_table *rlt;
554 struct relay_cert *cert, *tmpcert;
555
556 /* shutdown and remove relay */
557 if (event_initialized(&rlay->rl_ev))
558 event_del(&rlay->rl_ev);
559 close(rlay->rl_s);
560 TAILQ_REMOVE(env->sc_relays, rlay, rl_entry);
561
562 /* cleanup sessions */
563 while ((con =
564 SPLAY_ROOT(&rlay->rl_sessions)) != NULL)
565 relay_close(con, NULL, 0);
566
567 /* cleanup relay */
568 if (rlay->rl_bev != NULL)
569 bufferevent_free(rlay->rl_bev);
570 if (rlay->rl_dstbev != NULL)
571 bufferevent_free(rlay->rl_dstbev);
572
573 purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len);
574
575 if (rlay->rl_tls_pkey != NULL) {
576 EVP_PKEY_free(rlay->rl_tls_pkey);
577 rlay->rl_tls_pkey = NULL;
578 }
579 if (rlay->rl_tls_cacertx509 != NULL) {
580 X509_free(rlay->rl_tls_cacertx509);
581 rlay->rl_tls_cacertx509 = NULL;
582 }
583 if (rlay->rl_tls_capkey != NULL) {
584 EVP_PKEY_free(rlay->rl_tls_capkey);
585 rlay->rl_tls_capkey = NULL;
586 }
587
588 tls_free(rlay->rl_tls_ctx);
589 tls_config_free(rlay->rl_tls_cfg);
590 tls_config_free(rlay->rl_tls_client_cfg);
591
592 while ((rlt = TAILQ_FIRST(&rlay->rl_tables))) {
593 TAILQ_REMOVE(&rlay->rl_tables, rlt, rlt_entry);
594 free(rlt);
595 }
596
597 TAILQ_FOREACH_SAFE(cert, env->sc_certs, cert_entry, tmpcert) {
598 if (rlay->rl_conf.id != cert->cert_relayid)
599 continue;
600 if (cert->cert_fd != -1)
601 close(cert->cert_fd);
602 if (cert->cert_key_fd != -1)
603 close(cert->cert_key_fd);
604 if (cert->cert_ocsp_fd != -1)
605 close(cert->cert_ocsp_fd);
606 if (cert->cert_pkey != NULL)
607 EVP_PKEY_free(cert->cert_pkey);
608 TAILQ_REMOVE(env->sc_certs, cert, cert_entry);
609 free(cert);
610 }
611
612 free(rlay);
613 }
614
615 struct kv *
kv_add(struct kvtree * keys,char * key,char * value,int unique)616 kv_add(struct kvtree *keys, char *key, char *value, int unique)
617 {
618 struct kv *kv, *oldkv;
619
620 if (key == NULL)
621 return (NULL);
622 if ((kv = calloc(1, sizeof(*kv))) == NULL)
623 return (NULL);
624 if ((kv->kv_key = strdup(key)) == NULL)
625 goto fail;
626 if (value != NULL &&
627 (kv->kv_value = strdup(value)) == NULL)
628 goto fail;
629 TAILQ_INIT(&kv->kv_children);
630
631 if ((oldkv = RB_INSERT(kvtree, keys, kv)) != NULL) {
632 /*
633 * return error if the key should occur only once,
634 * or add it to a list attached to the key's node.
635 */
636 if (unique)
637 goto fail;
638 TAILQ_INSERT_TAIL(&oldkv->kv_children, kv, kv_entry);
639 kv->kv_parent = oldkv;
640 }
641
642 return (kv);
643 fail:
644 free(kv->kv_key);
645 free(kv->kv_value);
646 free(kv);
647 return (NULL);
648 }
649
650 int
kv_set(struct kv * kv,char * fmt,...)651 kv_set(struct kv *kv, char *fmt, ...)
652 {
653 va_list ap;
654 char *value = NULL;
655 struct kv *ckv;
656 int ret;
657
658 va_start(ap, fmt);
659 ret = vasprintf(&value, fmt, ap);
660 va_end(ap);
661 if (ret == -1)
662 return (-1);
663
664 /* Remove all children */
665 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) {
666 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry);
667 kv_free(ckv);
668 free(ckv);
669 }
670
671 /* Set the new value */
672 free(kv->kv_value);
673 kv->kv_value = value;
674
675 return (0);
676 }
677
678 int
kv_setkey(struct kv * kv,char * fmt,...)679 kv_setkey(struct kv *kv, char *fmt, ...)
680 {
681 va_list ap;
682 char *key = NULL;
683 int ret;
684
685 va_start(ap, fmt);
686 ret = vasprintf(&key, fmt, ap);
687 va_end(ap);
688 if (ret == -1)
689 return (-1);
690
691 free(kv->kv_key);
692 kv->kv_key = key;
693
694 return (0);
695 }
696
697 void
kv_delete(struct kvtree * keys,struct kv * kv)698 kv_delete(struct kvtree *keys, struct kv *kv)
699 {
700 struct kv *ckv;
701
702 RB_REMOVE(kvtree, keys, kv);
703
704 /* Remove all children */
705 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) {
706 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry);
707 kv_free(ckv);
708 free(ckv);
709 }
710
711 kv_free(kv);
712 free(kv);
713 }
714
715 struct kv *
kv_extend(struct kvtree * keys,struct kv * kv,char * value)716 kv_extend(struct kvtree *keys, struct kv *kv, char *value)
717 {
718 char *newvalue;
719
720 if (kv == NULL) {
721 return (NULL);
722 } else if (kv->kv_value != NULL) {
723 if (asprintf(&newvalue, "%s%s", kv->kv_value, value) == -1)
724 return (NULL);
725
726 free(kv->kv_value);
727 kv->kv_value = newvalue;
728 } else if ((kv->kv_value = strdup(value)) == NULL)
729 return (NULL);
730
731 return (kv);
732 }
733
734 void
kv_purge(struct kvtree * keys)735 kv_purge(struct kvtree *keys)
736 {
737 struct kv *kv;
738
739 while ((kv = RB_MIN(kvtree, keys)) != NULL)
740 kv_delete(keys, kv);
741 }
742
743 void
kv_free(struct kv * kv)744 kv_free(struct kv *kv)
745 {
746 /*
747 * This function does not clear memory referenced by
748 * kv_children or stuff on the tailqs. Use kv_delete() instead.
749 */
750
751 free(kv->kv_key);
752 free(kv->kv_value);
753 memset(kv, 0, sizeof(*kv));
754 }
755
756 struct kv *
kv_inherit(struct kv * dst,struct kv * src)757 kv_inherit(struct kv *dst, struct kv *src)
758 {
759 memset(dst, 0, sizeof(*dst));
760 memcpy(dst, src, sizeof(*dst));
761 TAILQ_INIT(&dst->kv_children);
762
763 if (src->kv_key != NULL) {
764 if ((dst->kv_key = strdup(src->kv_key)) == NULL) {
765 kv_free(dst);
766 return (NULL);
767 }
768 }
769 if (src->kv_value != NULL) {
770 if ((dst->kv_value = strdup(src->kv_value)) == NULL) {
771 kv_free(dst);
772 return (NULL);
773 }
774 }
775
776 if (src->kv_match != NULL)
777 dst->kv_match = src->kv_match;
778 if (src->kv_matchtree != NULL)
779 dst->kv_matchtree = src->kv_matchtree;
780
781 return (dst);
782 }
783
784 int
kv_log(struct rsession * con,struct kv * kv,u_int16_t labelid,enum direction dir)785 kv_log(struct rsession *con, struct kv *kv, u_int16_t labelid,
786 enum direction dir)
787 {
788 char *msg;
789
790 if (con->se_log == NULL)
791 return (0);
792 if (asprintf(&msg, " %s%s%s%s%s%s%s",
793 dir == RELAY_DIR_REQUEST ? "[" : "{",
794 labelid == 0 ? "" : label_id2name(labelid),
795 labelid == 0 ? "" : ", ",
796 kv->kv_key == NULL ? "(unknown)" : kv->kv_key,
797 kv->kv_value == NULL ? "" : ": ",
798 kv->kv_value == NULL ? "" : kv->kv_value,
799 dir == RELAY_DIR_REQUEST ? "]" : "}") == -1)
800 return (-1);
801 if (evbuffer_add(con->se_log, msg, strlen(msg)) == -1) {
802 free(msg);
803 return (-1);
804 }
805 free(msg);
806 con->se_haslog = 1;
807 return (0);
808 }
809
810 struct kv *
kv_find(struct kvtree * keys,struct kv * kv)811 kv_find(struct kvtree *keys, struct kv *kv)
812 {
813 struct kv *match;
814 const char *key;
815
816 if (kv->kv_flags & KV_FLAG_GLOBBING) {
817 /* Test header key using shell globbing rules */
818 key = kv->kv_key == NULL ? "" : kv->kv_key;
819 RB_FOREACH(match, kvtree, keys) {
820 if (fnmatch(key, match->kv_key, FNM_CASEFOLD) == 0)
821 break;
822 }
823 } else {
824 /* Fast tree-based lookup only works without globbing */
825 match = RB_FIND(kvtree, keys, kv);
826 }
827
828 return (match);
829 }
830
831 struct kv *
kv_find_value(struct kvtree * keys,char * key,const char * value,const char * delim)832 kv_find_value(struct kvtree *keys, char *key, const char *value,
833 const char *delim)
834 {
835 struct kv *match, kv;
836 char *val = NULL, *next, *ptr;
837 size_t len;
838
839 kv.kv_key = key;
840 if ((match = RB_FIND(kvtree, keys, &kv)) == NULL)
841 return (NULL);
842
843 if (match->kv_value == NULL)
844 return (NULL);
845
846 if (delim == NULL) {
847 if (strcasecmp(match->kv_value, value) == 0)
848 goto done;
849 } else {
850 if ((val = strdup(match->kv_value)) == NULL)
851 return (NULL);
852 for (next = ptr = val; ptr != NULL;
853 ptr = strsep(&next, delim)) {
854 /* strip whitespace */
855 ptr += strspn(ptr, " \t");
856 len = strcspn(ptr, " \t");
857 if (strncasecmp(ptr, value, len) == 0)
858 goto done;
859 }
860 }
861
862 /* not matched */
863 match = NULL;
864 done:
865 #ifdef DEBUG
866 if (match != NULL)
867 DPRINTF("%s: matched %s: %s", __func__, key, value);
868 #endif
869 free(val);
870 return (match);
871 }
872
873 int
kv_cmp(struct kv * a,struct kv * b)874 kv_cmp(struct kv *a, struct kv *b)
875 {
876 return (strcasecmp(a->kv_key, b->kv_key));
877 }
878
879 RB_GENERATE(kvtree, kv, kv_node, kv_cmp);
880
881 int
rule_add(struct protocol * proto,struct relay_rule * rule,const char * rulefile)882 rule_add(struct protocol *proto, struct relay_rule *rule, const char *rulefile)
883 {
884 struct relay_rule *r = NULL;
885 struct kv *kv = NULL;
886 FILE *fp = NULL;
887 char buf[BUFSIZ];
888 int ret = -1;
889 u_int i;
890
891 for (i = 0; i < KEY_TYPE_MAX; i++) {
892 kv = &rule->rule_kv[i];
893 if (kv->kv_type != i)
894 continue;
895
896 switch (kv->kv_option) {
897 case KEY_OPTION_LOG:
898 /* log action needs a key or a file to be specified */
899 if (kv->kv_key == NULL && rulefile == NULL &&
900 (kv->kv_key = strdup("*")) == NULL)
901 goto fail;
902 break;
903 default:
904 break;
905 }
906
907 switch (kv->kv_type) {
908 case KEY_TYPE_QUERY:
909 case KEY_TYPE_PATH:
910 case KEY_TYPE_URL:
911 if (rule->rule_dir != RELAY_DIR_REQUEST)
912 goto fail;
913 break;
914 default:
915 break;
916 }
917
918 if (kv->kv_value != NULL && strchr(kv->kv_value, '$') != NULL)
919 kv->kv_flags |= KV_FLAG_MACRO;
920 if (kv->kv_key != NULL && strpbrk(kv->kv_key, "*?[") != NULL)
921 kv->kv_flags |= KV_FLAG_GLOBBING;
922 }
923
924 if (rulefile == NULL) {
925 TAILQ_INSERT_TAIL(&proto->rules, rule, rule_entry);
926 return (0);
927 }
928
929 if ((fp = fopen(rulefile, "r")) == NULL)
930 goto fail;
931
932 while (fgets(buf, sizeof(buf), fp) != NULL) {
933 /* strip whitespace and newline characters */
934 buf[strcspn(buf, "\r\n\t ")] = '\0';
935 if (!strlen(buf) || buf[0] == '#')
936 continue;
937
938 if ((r = rule_inherit(rule)) == NULL)
939 goto fail;
940
941 for (i = 0; i < KEY_TYPE_MAX; i++) {
942 kv = &r->rule_kv[i];
943 if (kv->kv_type != i)
944 continue;
945 free(kv->kv_key);
946 if ((kv->kv_key = strdup(buf)) == NULL) {
947 rule_free(r);
948 free(r);
949 goto fail;
950 }
951 }
952
953 TAILQ_INSERT_TAIL(&proto->rules, r, rule_entry);
954 }
955
956 ret = 0;
957 rule_free(rule);
958 free(rule);
959
960 fail:
961 if (fp != NULL)
962 fclose(fp);
963 return (ret);
964 }
965
966 struct relay_rule *
rule_inherit(struct relay_rule * rule)967 rule_inherit(struct relay_rule *rule)
968 {
969 struct relay_rule *r;
970 u_int i;
971 struct kv *kv;
972
973 if ((r = calloc(1, sizeof(*r))) == NULL)
974 return (NULL);
975 memcpy(r, rule, sizeof(*r));
976
977 for (i = 0; i < KEY_TYPE_MAX; i++) {
978 kv = &rule->rule_kv[i];
979 if (kv->kv_type != i)
980 continue;
981 if (kv_inherit(&r->rule_kv[i], kv) == NULL) {
982 free(r);
983 return (NULL);
984 }
985 }
986
987 if (r->rule_label > 0)
988 label_ref(r->rule_label);
989 if (r->rule_tag > 0)
990 tag_ref(r->rule_tag);
991 if (r->rule_tagged > 0)
992 tag_ref(r->rule_tagged);
993
994 return (r);
995 }
996
997 void
rule_free(struct relay_rule * rule)998 rule_free(struct relay_rule *rule)
999 {
1000 u_int i;
1001
1002 for (i = 0; i < KEY_TYPE_MAX; i++)
1003 kv_free(&rule->rule_kv[i]);
1004 if (rule->rule_label > 0)
1005 label_unref(rule->rule_label);
1006 if (rule->rule_tag > 0)
1007 tag_unref(rule->rule_tag);
1008 if (rule->rule_tagged > 0)
1009 tag_unref(rule->rule_tagged);
1010 }
1011
1012 void
rule_delete(struct relay_rules * rules,struct relay_rule * rule)1013 rule_delete(struct relay_rules *rules, struct relay_rule *rule)
1014 {
1015 TAILQ_REMOVE(rules, rule, rule_entry);
1016 rule_free(rule);
1017 free(rule);
1018 }
1019
1020 void
rule_settable(struct relay_rules * rules,struct relay_table * rlt)1021 rule_settable(struct relay_rules *rules, struct relay_table *rlt)
1022 {
1023 struct relay_rule *r;
1024 char pname[TABLE_NAME_SIZE];
1025
1026 if (rlt->rlt_table == NULL || strlcpy(pname, rlt->rlt_table->conf.name,
1027 sizeof(pname)) >= sizeof(pname))
1028 return;
1029
1030 pname[strcspn(pname, ":")] = '\0';
1031
1032 TAILQ_FOREACH(r, rules, rule_entry) {
1033 if (r->rule_tablename[0] &&
1034 strcmp(pname, r->rule_tablename) == 0)
1035 r->rule_table = rlt;
1036 }
1037 }
1038
1039 /*
1040 * Utility functions
1041 */
1042
1043 struct host *
host_find(struct relayd * env,objid_t id)1044 host_find(struct relayd *env, objid_t id)
1045 {
1046 struct table *table;
1047 struct host *host;
1048
1049 TAILQ_FOREACH(table, env->sc_tables, entry)
1050 TAILQ_FOREACH(host, &table->hosts, entry)
1051 if (host->conf.id == id)
1052 return (host);
1053 return (NULL);
1054 }
1055
1056 struct table *
table_find(struct relayd * env,objid_t id)1057 table_find(struct relayd *env, objid_t id)
1058 {
1059 struct table *table;
1060
1061 TAILQ_FOREACH(table, env->sc_tables, entry)
1062 if (table->conf.id == id)
1063 return (table);
1064 return (NULL);
1065 }
1066
1067 struct rdr *
rdr_find(struct relayd * env,objid_t id)1068 rdr_find(struct relayd *env, objid_t id)
1069 {
1070 struct rdr *rdr;
1071
1072 TAILQ_FOREACH(rdr, env->sc_rdrs, entry)
1073 if (rdr->conf.id == id)
1074 return (rdr);
1075 return (NULL);
1076 }
1077
1078 struct relay *
relay_find(struct relayd * env,objid_t id)1079 relay_find(struct relayd *env, objid_t id)
1080 {
1081 struct relay *rlay;
1082
1083 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)
1084 if (rlay->rl_conf.id == id)
1085 return (rlay);
1086 return (NULL);
1087 }
1088
1089 struct protocol *
proto_find(struct relayd * env,objid_t id)1090 proto_find(struct relayd *env, objid_t id)
1091 {
1092 struct protocol *p;
1093
1094 TAILQ_FOREACH(p, env->sc_protos, entry)
1095 if (p->id == id)
1096 return (p);
1097 return (NULL);
1098 }
1099
1100 struct rsession *
session_find(struct relayd * env,objid_t id)1101 session_find(struct relayd *env, objid_t id)
1102 {
1103 struct relay *rlay;
1104 struct rsession *con;
1105
1106 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)
1107 SPLAY_FOREACH(con, session_tree, &rlay->rl_sessions)
1108 if (con->se_id == id)
1109 return (con);
1110 return (NULL);
1111 }
1112
1113 struct netroute *
route_find(struct relayd * env,objid_t id)1114 route_find(struct relayd *env, objid_t id)
1115 {
1116 struct netroute *nr;
1117
1118 TAILQ_FOREACH(nr, env->sc_routes, nr_route)
1119 if (nr->nr_conf.id == id)
1120 return (nr);
1121 return (NULL);
1122 }
1123
1124 struct router *
router_find(struct relayd * env,objid_t id)1125 router_find(struct relayd *env, objid_t id)
1126 {
1127 struct router *rt;
1128
1129 TAILQ_FOREACH(rt, env->sc_rts, rt_entry)
1130 if (rt->rt_conf.id == id)
1131 return (rt);
1132 return (NULL);
1133 }
1134
1135 struct host *
host_findbyname(struct relayd * env,const char * name)1136 host_findbyname(struct relayd *env, const char *name)
1137 {
1138 struct table *table;
1139 struct host *host;
1140
1141 TAILQ_FOREACH(table, env->sc_tables, entry)
1142 TAILQ_FOREACH(host, &table->hosts, entry)
1143 if (strcmp(host->conf.name, name) == 0)
1144 return (host);
1145 return (NULL);
1146 }
1147
1148 struct table *
table_findbyname(struct relayd * env,const char * name)1149 table_findbyname(struct relayd *env, const char *name)
1150 {
1151 struct table *table;
1152
1153 TAILQ_FOREACH(table, env->sc_tables, entry)
1154 if (strcmp(table->conf.name, name) == 0)
1155 return (table);
1156 return (NULL);
1157 }
1158
1159 struct table *
table_findbyconf(struct relayd * env,struct table * tb)1160 table_findbyconf(struct relayd *env, struct table *tb)
1161 {
1162 struct table *table;
1163 struct table_config a, b;
1164
1165 bcopy(&tb->conf, &a, sizeof(a));
1166 a.id = a.rdrid = 0;
1167 a.flags &= ~(F_USED|F_BACKUP);
1168
1169 TAILQ_FOREACH(table, env->sc_tables, entry) {
1170 bcopy(&table->conf, &b, sizeof(b));
1171 b.id = b.rdrid = 0;
1172 b.flags &= ~(F_USED|F_BACKUP);
1173
1174 /*
1175 * Compare two tables and return the existing table if
1176 * the configuration seems to be the same.
1177 */
1178 if (bcmp(&a, &b, sizeof(b)) == 0 &&
1179 ((tb->sendbuf == NULL && table->sendbuf == NULL) ||
1180 (tb->sendbuf != NULL && table->sendbuf != NULL &&
1181 strcmp(tb->sendbuf, table->sendbuf) == 0)))
1182 return (table);
1183 }
1184 return (NULL);
1185 }
1186
1187 struct rdr *
rdr_findbyname(struct relayd * env,const char * name)1188 rdr_findbyname(struct relayd *env, const char *name)
1189 {
1190 struct rdr *rdr;
1191
1192 TAILQ_FOREACH(rdr, env->sc_rdrs, entry)
1193 if (strcmp(rdr->conf.name, name) == 0)
1194 return (rdr);
1195 return (NULL);
1196 }
1197
1198 struct relay *
relay_findbyname(struct relayd * env,const char * name)1199 relay_findbyname(struct relayd *env, const char *name)
1200 {
1201 struct relay *rlay;
1202
1203 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)
1204 if (strcmp(rlay->rl_conf.name, name) == 0)
1205 return (rlay);
1206 return (NULL);
1207 }
1208
1209 struct relay *
relay_findbyaddr(struct relayd * env,struct relay_config * rc)1210 relay_findbyaddr(struct relayd *env, struct relay_config *rc)
1211 {
1212 struct relay *rlay;
1213
1214 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)
1215 if (bcmp(&rlay->rl_conf.ss, &rc->ss, sizeof(rc->ss)) == 0 &&
1216 rlay->rl_conf.port == rc->port)
1217 return (rlay);
1218 return (NULL);
1219 }
1220
1221 EVP_PKEY *
pkey_find(struct relayd * env,char * hash)1222 pkey_find(struct relayd *env, char * hash)
1223 {
1224 struct ca_pkey *pkey;
1225
1226 TAILQ_FOREACH(pkey, env->sc_pkeys, pkey_entry)
1227 if (strcmp(hash, pkey->pkey_hash) == 0)
1228 return (pkey->pkey);
1229 return (NULL);
1230 }
1231
1232 struct ca_pkey *
pkey_add(struct relayd * env,EVP_PKEY * pkey,char * hash)1233 pkey_add(struct relayd *env, EVP_PKEY *pkey, char *hash)
1234 {
1235 struct ca_pkey *ca_pkey;
1236
1237 if (env->sc_pkeys == NULL)
1238 fatalx("pkeys");
1239
1240 if ((ca_pkey = calloc(1, sizeof(*ca_pkey))) == NULL)
1241 return (NULL);
1242
1243 ca_pkey->pkey = pkey;
1244 if (strlcpy(ca_pkey->pkey_hash, hash, sizeof(ca_pkey->pkey_hash)) >=
1245 sizeof(ca_pkey->pkey_hash)) {
1246 free(ca_pkey);
1247 return (NULL);
1248 }
1249
1250 TAILQ_INSERT_TAIL(env->sc_pkeys, ca_pkey, pkey_entry);
1251
1252 return (ca_pkey);
1253 }
1254
1255 struct relay_cert *
cert_add(struct relayd * env,objid_t id)1256 cert_add(struct relayd *env, objid_t id)
1257 {
1258 static objid_t last_cert_id = 0;
1259 struct relay_cert *cert;
1260
1261 if ((cert = calloc(1, sizeof(*cert))) == NULL)
1262 return (NULL);
1263
1264 if (id == 0)
1265 id = ++last_cert_id;
1266 if (id == INT_MAX) {
1267 log_warnx("too many tls keypairs defined");
1268 free(cert);
1269 return (NULL);
1270 }
1271
1272 cert->cert_id = id;
1273 cert->cert_fd = -1;
1274 cert->cert_key_fd = -1;
1275 cert->cert_ocsp_fd = -1;
1276
1277 TAILQ_INSERT_TAIL(env->sc_certs, cert, cert_entry);
1278
1279 return (cert);
1280 }
1281
1282 struct relay_cert *
cert_find(struct relayd * env,objid_t id)1283 cert_find(struct relayd *env, objid_t id)
1284 {
1285 struct relay_cert *cert;
1286
1287 TAILQ_FOREACH(cert, env->sc_certs, cert_entry)
1288 if (cert->cert_id == id)
1289 return (cert);
1290 return (NULL);
1291 }
1292
1293 char *
relay_load_fd(int fd,off_t * len)1294 relay_load_fd(int fd, off_t *len)
1295 {
1296 char *buf = NULL;
1297 struct stat st;
1298 off_t size;
1299 ssize_t rv;
1300 int err;
1301
1302 if (fstat(fd, &st) != 0)
1303 goto fail;
1304 size = st.st_size;
1305 if ((buf = calloc(1, size + 1)) == NULL)
1306 goto fail;
1307 if ((rv = pread(fd, buf, size, 0)) != size)
1308 goto fail;
1309
1310 close(fd);
1311
1312 *len = size;
1313 return (buf);
1314
1315 fail:
1316 err = errno;
1317 free(buf);
1318 close(fd);
1319 errno = err;
1320 return (NULL);
1321 }
1322
1323 int
relay_load_certfiles(struct relayd * env,struct relay * rlay,const char * name)1324 relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name)
1325 {
1326 char certfile[PATH_MAX];
1327 char hbuf[PATH_MAX];
1328 struct protocol *proto = rlay->rl_proto;
1329 struct relay_cert *cert;
1330 int useport = htons(rlay->rl_conf.port);
1331 int cert_fd = -1, key_fd = -1, ocsp_fd = -1;
1332
1333 if (rlay->rl_conf.flags & F_TLSCLIENT) {
1334 if (strlen(proto->tlsca) && rlay->rl_tls_ca_fd == -1) {
1335 if ((rlay->rl_tls_ca_fd =
1336 open(proto->tlsca, O_RDONLY)) == -1)
1337 return (-1);
1338 log_debug("%s: using ca %s", __func__, proto->tlsca);
1339 }
1340 if (strlen(proto->tlscacert) && rlay->rl_tls_cacert_fd == -1) {
1341 if ((rlay->rl_tls_cacert_fd =
1342 open(proto->tlscacert, O_RDONLY)) == -1)
1343 return (-1);
1344 log_debug("%s: using ca certificate %s", __func__,
1345 proto->tlscacert);
1346 }
1347 if (strlen(proto->tlscakey) && !rlay->rl_conf.tls_cakey_len &&
1348 proto->tlscapass != NULL) {
1349 if ((rlay->rl_tls_cakey =
1350 ssl_load_key(env, proto->tlscakey,
1351 &rlay->rl_conf.tls_cakey_len,
1352 proto->tlscapass)) == NULL)
1353 return (-1);
1354 log_debug("%s: using ca key %s", __func__,
1355 proto->tlscakey);
1356 }
1357 }
1358
1359 if ((rlay->rl_conf.flags & F_TLS) == 0)
1360 return (0);
1361
1362 if (strlen(proto->tlsclientca) && rlay->rl_tls_client_ca_fd == -1) {
1363 if ((rlay->rl_tls_client_ca_fd =
1364 open(proto->tlsclientca, O_RDONLY)) == -1)
1365 return (-1);
1366 log_debug("%s: using client ca %s", __func__,
1367 proto->tlsclientca);
1368 }
1369
1370 if (name == NULL &&
1371 print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL)
1372 goto fail;
1373 else if (name != NULL &&
1374 strlcpy(hbuf, name, sizeof(hbuf)) >= sizeof(hbuf))
1375 goto fail;
1376
1377 if (snprintf(certfile, sizeof(certfile),
1378 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
1379 goto fail;
1380 if ((cert_fd = open(certfile, O_RDONLY)) == -1) {
1381 if (snprintf(certfile, sizeof(certfile),
1382 "/etc/ssl/%s.crt", hbuf) == -1)
1383 goto fail;
1384 if ((cert_fd = open(certfile, O_RDONLY)) == -1)
1385 goto fail;
1386 useport = 0;
1387 }
1388 log_debug("%s: using certificate %s", __func__, certfile);
1389
1390 if (useport) {
1391 if (snprintf(certfile, sizeof(certfile),
1392 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1)
1393 goto fail;
1394 } else {
1395 if (snprintf(certfile, sizeof(certfile),
1396 "/etc/ssl/private/%s.key", hbuf) == -1)
1397 goto fail;
1398 }
1399 if ((key_fd = open(certfile, O_RDONLY)) == -1)
1400 goto fail;
1401 log_debug("%s: using private key %s", __func__, certfile);
1402
1403 if (useport) {
1404 if (snprintf(certfile, sizeof(certfile),
1405 "/etc/ssl/%s:%u.ocsp", hbuf, useport) == -1)
1406 goto fail;
1407 } else {
1408 if (snprintf(certfile, sizeof(certfile),
1409 "/etc/ssl/%s.ocsp", hbuf) == -1)
1410 goto fail;
1411 }
1412 if ((ocsp_fd = open(certfile, O_RDONLY)) != -1)
1413 log_debug("%s: using OCSP staple file %s", __func__, certfile);
1414
1415 if ((cert = cert_add(env, 0)) == NULL)
1416 goto fail;
1417
1418 cert->cert_relayid = rlay->rl_conf.id;
1419 cert->cert_fd = cert_fd;
1420 cert->cert_key_fd = key_fd;
1421 cert->cert_ocsp_fd = ocsp_fd;
1422
1423 return (0);
1424
1425 fail:
1426 if (cert_fd != -1)
1427 close(cert_fd);
1428 if (key_fd != -1)
1429 close(key_fd);
1430 if (ocsp_fd != -1)
1431 close(ocsp_fd);
1432
1433 return (-1);
1434 }
1435
1436 void
event_again(struct event * ev,int fd,short event,void (* fn)(int,short,void *),struct timeval * start,struct timeval * end,void * arg)1437 event_again(struct event *ev, int fd, short event,
1438 void (*fn)(int, short, void *),
1439 struct timeval *start, struct timeval *end, void *arg)
1440 {
1441 struct timeval tv_next, tv_now, tv;
1442
1443 getmonotime(&tv_now);
1444 bcopy(end, &tv_next, sizeof(tv_next));
1445 timersub(&tv_now, start, &tv_now);
1446 timersub(&tv_next, &tv_now, &tv_next);
1447
1448 bzero(&tv, sizeof(tv));
1449 if (timercmp(&tv_next, &tv, >))
1450 bcopy(&tv_next, &tv, sizeof(tv));
1451
1452 event_del(ev);
1453 event_set(ev, fd, event, fn, arg);
1454 event_add(ev, &tv);
1455 }
1456
1457 int
expand_string(char * label,size_t len,const char * srch,const char * repl)1458 expand_string(char *label, size_t len, const char *srch, const char *repl)
1459 {
1460 char *tmp;
1461 char *p, *q;
1462
1463 if ((tmp = calloc(1, len)) == NULL) {
1464 log_debug("%s: calloc", __func__);
1465 return (-1);
1466 }
1467 p = q = label;
1468 while ((q = strstr(p, srch)) != NULL) {
1469 *q = '\0';
1470 if ((strlcat(tmp, p, len) >= len) ||
1471 (strlcat(tmp, repl, len) >= len)) {
1472 log_debug("%s: string too long", __func__);
1473 free(tmp);
1474 return (-1);
1475 }
1476 q += strlen(srch);
1477 p = q;
1478 }
1479 if (strlcat(tmp, p, len) >= len) {
1480 log_debug("%s: string too long", __func__);
1481 free(tmp);
1482 return (-1);
1483 }
1484 (void)strlcpy(label, tmp, len); /* always fits */
1485 free(tmp);
1486
1487 return (0);
1488 }
1489
1490 void
translate_string(char * str)1491 translate_string(char *str)
1492 {
1493 char *reader;
1494 char *writer;
1495
1496 reader = writer = str;
1497
1498 while (*reader) {
1499 if (*reader == '\\') {
1500 reader++;
1501 switch (*reader) {
1502 case 'n':
1503 *writer++ = '\n';
1504 break;
1505 case 'r':
1506 *writer++ = '\r';
1507 break;
1508 default:
1509 *writer++ = *reader;
1510 }
1511 } else
1512 *writer++ = *reader;
1513 reader++;
1514 }
1515 *writer = '\0';
1516 }
1517
1518 char *
digeststr(enum digest_type type,const u_int8_t * data,size_t len,char * buf)1519 digeststr(enum digest_type type, const u_int8_t *data, size_t len, char *buf)
1520 {
1521 switch (type) {
1522 case DIGEST_SHA1:
1523 return (SHA1Data(data, len, buf));
1524 break;
1525 case DIGEST_MD5:
1526 return (MD5Data(data, len, buf));
1527 break;
1528 default:
1529 break;
1530 }
1531 return (NULL);
1532 }
1533
1534 const char *
canonicalize_host(const char * host,char * name,size_t len)1535 canonicalize_host(const char *host, char *name, size_t len)
1536 {
1537 struct sockaddr_in sin4;
1538 struct sockaddr_in6 sin6;
1539 size_t i, j;
1540 size_t plen;
1541 char c;
1542
1543 if (len < 2)
1544 goto fail;
1545
1546 /*
1547 * Canonicalize an IPv4/6 address
1548 */
1549 if (inet_pton(AF_INET, host, &sin4) == 1)
1550 return (inet_ntop(AF_INET, &sin4, name, len));
1551 if (inet_pton(AF_INET6, host, &sin6) == 1)
1552 return (inet_ntop(AF_INET6, &sin6, name, len));
1553
1554 /*
1555 * Canonicalize a hostname
1556 */
1557
1558 /* 1. remove repeated dots and convert upper case to lower case */
1559 plen = strlen(host);
1560 bzero(name, len);
1561 for (i = j = 0; i < plen; i++) {
1562 if (j >= (len - 1))
1563 goto fail;
1564 c = tolower((unsigned char)host[i]);
1565 if ((c == '.') && (j == 0 || name[j - 1] == '.'))
1566 continue;
1567 name[j++] = c;
1568 }
1569
1570 /* 2. remove trailing dots */
1571 for (i = j; i > 0; i--) {
1572 if (name[i - 1] != '.')
1573 break;
1574 name[i - 1] = '\0';
1575 j--;
1576 }
1577 if (j <= 0)
1578 goto fail;
1579
1580 return (name);
1581
1582 fail:
1583 errno = EINVAL;
1584 return (NULL);
1585 }
1586
1587 int
parse_url(const char * url,char ** protoptr,char ** hostptr,char ** pathptr)1588 parse_url(const char *url, char **protoptr, char **hostptr, char **pathptr)
1589 {
1590 char *p, *proto = NULL, *host = NULL, *path = NULL;
1591
1592 /* return error if it is not a URL */
1593 if ((p = strstr(url, ":/")) == NULL ||
1594 (strcspn(url, ":/") != (size_t)(p - url)))
1595 return (-1);
1596
1597 /* get protocol */
1598 if ((proto = strdup(url)) == NULL)
1599 goto fail;
1600 p = proto + (p - url);
1601
1602 /* get host */
1603 p += strspn(p, ":/");
1604 if (*p == '\0' || (host = strdup(p)) == NULL)
1605 goto fail;
1606 *p = '\0';
1607
1608 /* find and copy path or default to "/" */
1609 if ((p = strchr(host, '/')) == NULL)
1610 p = "/";
1611 if ((path = strdup(p)) == NULL)
1612 goto fail;
1613
1614 /* strip path after host */
1615 host[strcspn(host, "/")] = '\0';
1616
1617 DPRINTF("%s: %s proto %s, host %s, path %s", __func__,
1618 url, proto, host, path);
1619
1620 *protoptr = proto;
1621 *hostptr = host;
1622 *pathptr = path;
1623
1624 return (0);
1625
1626 fail:
1627 free(proto);
1628 free(host);
1629 free(path);
1630 return (-1);
1631 }
1632
1633 int
bindany(struct ctl_bindany * bnd)1634 bindany(struct ctl_bindany *bnd)
1635 {
1636 int s, v;
1637
1638 s = -1;
1639 v = 1;
1640
1641 if (relay_socket_af(&bnd->bnd_ss, bnd->bnd_port) == -1)
1642 goto fail;
1643 if ((s = socket(bnd->bnd_ss.ss_family,
1644 bnd->bnd_proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM,
1645 bnd->bnd_proto)) == -1)
1646 goto fail;
1647 if (setsockopt(s, SOL_SOCKET, SO_BINDANY,
1648 &v, sizeof(v)) == -1)
1649 goto fail;
1650 if (bind(s, (struct sockaddr *)&bnd->bnd_ss,
1651 bnd->bnd_ss.ss_len) == -1)
1652 goto fail;
1653
1654 return (s);
1655
1656 fail:
1657 if (s != -1)
1658 close(s);
1659 return (-1);
1660 }
1661
1662 int
map6to4(struct sockaddr_storage * in6)1663 map6to4(struct sockaddr_storage *in6)
1664 {
1665 struct sockaddr_storage out4;
1666 struct sockaddr_in *sin4 = (struct sockaddr_in *)&out4;
1667 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)in6;
1668
1669 bzero(sin4, sizeof(*sin4));
1670 sin4->sin_len = sizeof(*sin4);
1671 sin4->sin_family = AF_INET;
1672 sin4->sin_port = sin6->sin6_port;
1673
1674 bcopy(&sin6->sin6_addr.s6_addr[12], &sin4->sin_addr.s_addr,
1675 sizeof(sin4->sin_addr));
1676
1677 if (sin4->sin_addr.s_addr == INADDR_ANY ||
1678 sin4->sin_addr.s_addr == INADDR_BROADCAST ||
1679 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr)))
1680 return (-1);
1681
1682 bcopy(&out4, in6, sizeof(*in6));
1683
1684 return (0);
1685 }
1686
1687 int
map4to6(struct sockaddr_storage * in4,struct sockaddr_storage * map)1688 map4to6(struct sockaddr_storage *in4, struct sockaddr_storage *map)
1689 {
1690 struct sockaddr_storage out6;
1691 struct sockaddr_in *sin4 = (struct sockaddr_in *)in4;
1692 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out6;
1693 struct sockaddr_in6 *map6 = (struct sockaddr_in6 *)map;
1694
1695 if (sin4->sin_addr.s_addr == INADDR_ANY ||
1696 sin4->sin_addr.s_addr == INADDR_BROADCAST ||
1697 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr)))
1698 return (-1);
1699
1700 bcopy(map6, sin6, sizeof(*sin6));
1701 sin6->sin6_len = sizeof(*sin6);
1702 sin6->sin6_family = AF_INET6;
1703 sin6->sin6_port = sin4->sin_port;
1704
1705 bcopy(&sin4->sin_addr.s_addr, &sin6->sin6_addr.s6_addr[12],
1706 sizeof(sin4->sin_addr));
1707
1708 bcopy(&out6, in4, sizeof(*in4));
1709
1710 return (0);
1711 }
1712
1713 void
socket_rlimit(int maxfd)1714 socket_rlimit(int maxfd)
1715 {
1716 struct rlimit rl;
1717
1718 if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
1719 fatal("%s: failed to get resource limit", __func__);
1720 log_debug("%s: max open files %llu", __func__, rl.rlim_max);
1721
1722 /*
1723 * Allow the maximum number of open file descriptors for this
1724 * login class (which should be the class "daemon" by default).
1725 */
1726 if (maxfd == -1)
1727 rl.rlim_cur = rl.rlim_max;
1728 else
1729 rl.rlim_cur = MAXIMUM(rl.rlim_max, (rlim_t)maxfd);
1730 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
1731 fatal("%s: failed to set resource limit", __func__);
1732 }
1733
1734 char *
get_string(u_int8_t * ptr,size_t len)1735 get_string(u_int8_t *ptr, size_t len)
1736 {
1737 size_t i;
1738
1739 for (i = 0; i < len; i++)
1740 if (!(isprint((unsigned char)ptr[i]) ||
1741 isspace((unsigned char)ptr[i])))
1742 break;
1743
1744 return strndup(ptr, i);
1745 }
1746
1747 void *
get_data(u_int8_t * ptr,size_t len)1748 get_data(u_int8_t *ptr, size_t len)
1749 {
1750 u_int8_t *data;
1751
1752 if ((data = malloc(len)) == NULL)
1753 return (NULL);
1754 memcpy(data, ptr, len);
1755
1756 return (data);
1757 }
1758
1759 int
sockaddr_cmp(struct sockaddr * a,struct sockaddr * b,int prefixlen)1760 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen)
1761 {
1762 struct sockaddr_in *a4, *b4;
1763 struct sockaddr_in6 *a6, *b6;
1764 u_int32_t av[4], bv[4], mv[4];
1765
1766 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC)
1767 return (0);
1768 else if (a->sa_family > b->sa_family)
1769 return (1);
1770 else if (a->sa_family < b->sa_family)
1771 return (-1);
1772
1773 if (prefixlen == -1)
1774 memset(&mv, 0xff, sizeof(mv));
1775
1776 switch (a->sa_family) {
1777 case AF_INET:
1778 a4 = (struct sockaddr_in *)a;
1779 b4 = (struct sockaddr_in *)b;
1780
1781 av[0] = a4->sin_addr.s_addr;
1782 bv[0] = b4->sin_addr.s_addr;
1783 if (prefixlen != -1)
1784 mv[0] = prefixlen2mask(prefixlen);
1785
1786 if ((av[0] & mv[0]) > (bv[0] & mv[0]))
1787 return (1);
1788 if ((av[0] & mv[0]) < (bv[0] & mv[0]))
1789 return (-1);
1790 break;
1791 case AF_INET6:
1792 a6 = (struct sockaddr_in6 *)a;
1793 b6 = (struct sockaddr_in6 *)b;
1794
1795 memcpy(&av, &a6->sin6_addr.s6_addr, 16);
1796 memcpy(&bv, &b6->sin6_addr.s6_addr, 16);
1797 if (prefixlen != -1)
1798 prefixlen2mask6(prefixlen, mv);
1799
1800 if ((av[3] & mv[3]) > (bv[3] & mv[3]))
1801 return (1);
1802 if ((av[3] & mv[3]) < (bv[3] & mv[3]))
1803 return (-1);
1804 if ((av[2] & mv[2]) > (bv[2] & mv[2]))
1805 return (1);
1806 if ((av[2] & mv[2]) < (bv[2] & mv[2]))
1807 return (-1);
1808 if ((av[1] & mv[1]) > (bv[1] & mv[1]))
1809 return (1);
1810 if ((av[1] & mv[1]) < (bv[1] & mv[1]))
1811 return (-1);
1812 if ((av[0] & mv[0]) > (bv[0] & mv[0]))
1813 return (1);
1814 if ((av[0] & mv[0]) < (bv[0] & mv[0]))
1815 return (-1);
1816 break;
1817 }
1818
1819 return (0);
1820 }
1821
1822 u_int32_t
prefixlen2mask(u_int8_t prefixlen)1823 prefixlen2mask(u_int8_t prefixlen)
1824 {
1825 if (prefixlen == 0)
1826 return (0);
1827
1828 if (prefixlen > 32)
1829 prefixlen = 32;
1830
1831 return (htonl(0xffffffff << (32 - prefixlen)));
1832 }
1833
1834 struct in6_addr *
prefixlen2mask6(u_int8_t prefixlen,u_int32_t * mask)1835 prefixlen2mask6(u_int8_t prefixlen, u_int32_t *mask)
1836 {
1837 static struct in6_addr s6;
1838 int i;
1839
1840 if (prefixlen > 128)
1841 prefixlen = 128;
1842
1843 bzero(&s6, sizeof(s6));
1844 for (i = 0; i < prefixlen / 8; i++)
1845 s6.s6_addr[i] = 0xff;
1846 i = prefixlen % 8;
1847 if (i)
1848 s6.s6_addr[prefixlen / 8] = 0xff00 >> i;
1849
1850 memcpy(mask, &s6, sizeof(s6));
1851
1852 return (&s6);
1853 }
1854
1855 int
accept_reserve(int sockfd,struct sockaddr * addr,socklen_t * addrlen,int reserve,volatile int * counter)1856 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
1857 int reserve, volatile int *counter)
1858 {
1859 int ret;
1860 if (getdtablecount() + reserve +
1861 *counter >= getdtablesize()) {
1862 errno = EMFILE;
1863 return (-1);
1864 }
1865
1866 if ((ret = accept4(sockfd, addr, addrlen, SOCK_NONBLOCK)) > -1) {
1867 (*counter)++;
1868 DPRINTF("%s: inflight incremented, now %d",__func__, *counter);
1869 }
1870 return (ret);
1871 }
1872
1873 void
parent_tls_ticket_rekey(int fd,short events,void * arg)1874 parent_tls_ticket_rekey(int fd, short events, void *arg)
1875 {
1876 static struct event rekeyev;
1877 struct relayd *env = arg;
1878 struct timeval tv;
1879 struct relay_ticket_key key;
1880
1881 log_debug("%s: rekeying tickets", __func__);
1882
1883 key.tt_keyrev = arc4random();
1884 arc4random_buf(key.tt_key, sizeof(key.tt_key));
1885
1886 proc_compose_imsg(env->sc_ps, PROC_RELAY, -1, IMSG_TLSTICKET_REKEY,
1887 -1, -1, &key, sizeof(key));
1888
1889 evtimer_set(&rekeyev, parent_tls_ticket_rekey, env);
1890 timerclear(&tv);
1891 tv.tv_sec = TLS_SESSION_LIFETIME / 4;
1892 evtimer_add(&rekeyev, &tv);
1893 }
1894