1 /* $OpenBSD: relay.c,v 1.206 2015/12/30 16:00:57 benno Exp $ */ 2 3 /* 4 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/types.h> 20 #include <sys/queue.h> 21 #include <sys/time.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/tree.h> 25 26 #include <netinet/in.h> 27 #include <netinet/tcp.h> 28 #include <arpa/inet.h> 29 30 #include <limits.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <errno.h> 34 #include <fcntl.h> 35 #include <string.h> 36 #include <unistd.h> 37 #include <event.h> 38 #include <siphash.h> 39 #include <imsg.h> 40 41 #include <openssl/dh.h> 42 #include <openssl/ssl.h> 43 44 #include "relayd.h" 45 46 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 47 48 void relay_statistics(int, short, void *); 49 int relay_dispatch_parent(int, struct privsep_proc *, 50 struct imsg *); 51 int relay_dispatch_pfe(int, struct privsep_proc *, 52 struct imsg *); 53 int relay_dispatch_ca(int, struct privsep_proc *, 54 struct imsg *); 55 int relay_dispatch_hce(int, struct privsep_proc *, 56 struct imsg *); 57 void relay_shutdown(void); 58 59 void relay_protodebug(struct relay *); 60 void relay_ruledebug(struct relay_rule *); 61 void relay_init(struct privsep *, struct privsep_proc *p, void *); 62 void relay_launch(void); 63 int relay_socket(struct sockaddr_storage *, in_port_t, 64 struct protocol *, int, int); 65 int relay_socket_listen(struct sockaddr_storage *, in_port_t, 66 struct protocol *); 67 int relay_socket_connect(struct sockaddr_storage *, in_port_t, 68 struct protocol *, int); 69 70 void relay_accept(int, short, void *); 71 void relay_input(struct rsession *); 72 73 void relay_hash_addr(SIPHASH_CTX *, struct sockaddr_storage *, int); 74 75 DH * relay_tls_get_dhparams(int); 76 void relay_tls_callback_info(const SSL *, int, int); 77 DH *relay_tls_callback_dh(SSL *, int, int); 78 SSL_CTX *relay_tls_ctx_create(struct relay *); 79 void relay_tls_transaction(struct rsession *, 80 struct ctl_relay_event *); 81 void relay_tls_accept(int, short, void *); 82 void relay_connect_retry(int, short, void *); 83 void relay_tls_connect(int, short, void *); 84 void relay_tls_connected(struct ctl_relay_event *); 85 void relay_tls_readcb(int, short, void *); 86 void relay_tls_writecb(int, short, void *); 87 88 char *relay_load_file(const char *, off_t *); 89 extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 90 size_t, void *); 91 92 volatile int relay_sessions; 93 volatile int relay_inflight = 0; 94 objid_t relay_conid; 95 96 static struct relayd *env = NULL; 97 int proc_id; 98 99 static struct privsep_proc procs[] = { 100 { "parent", PROC_PARENT, relay_dispatch_parent }, 101 { "pfe", PROC_PFE, relay_dispatch_pfe }, 102 { "ca", PROC_CA, relay_dispatch_ca }, 103 { "hce", PROC_HCE, relay_dispatch_hce }, 104 }; 105 106 pid_t 107 relay(struct privsep *ps, struct privsep_proc *p) 108 { 109 pid_t pid; 110 env = ps->ps_env; 111 pid = proc_run(ps, p, procs, nitems(procs), relay_init, NULL); 112 relay_http(env); 113 return (pid); 114 } 115 116 void 117 relay_shutdown(void) 118 { 119 config_purge(env, CONFIG_ALL); 120 usleep(200); /* XXX relay needs to shutdown last */ 121 } 122 123 void 124 relay_ruledebug(struct relay_rule *rule) 125 { 126 struct kv *kv = NULL; 127 u_int i; 128 129 fprintf(stderr, "\t\t"); 130 131 switch (rule->rule_action) { 132 case RULE_ACTION_MATCH: 133 fprintf(stderr, "match "); 134 break; 135 case RULE_ACTION_BLOCK: 136 fprintf(stderr, "block "); 137 break; 138 case RULE_ACTION_PASS: 139 fprintf(stderr, "pass "); 140 break; 141 } 142 143 switch (rule->rule_dir) { 144 case RELAY_DIR_ANY: 145 break; 146 case RELAY_DIR_REQUEST: 147 fprintf(stderr, "request "); 148 break; 149 case RELAY_DIR_RESPONSE: 150 fprintf(stderr, "response "); 151 break; 152 default: 153 return; 154 /* NOTREACHED */ 155 break; 156 } 157 158 if (rule->rule_flags & RULE_FLAG_QUICK) 159 fprintf(stderr, "quick "); 160 161 for (i = 1; i < KEY_TYPE_MAX; i++) { 162 kv = &rule->rule_kv[i]; 163 if (kv->kv_type != i) 164 continue; 165 166 switch (kv->kv_type) { 167 case KEY_TYPE_COOKIE: 168 fprintf(stderr, "cookie "); 169 break; 170 case KEY_TYPE_HEADER: 171 fprintf(stderr, "header "); 172 break; 173 case KEY_TYPE_PATH: 174 fprintf(stderr, "path "); 175 break; 176 case KEY_TYPE_QUERY: 177 fprintf(stderr, "query "); 178 break; 179 case KEY_TYPE_URL: 180 fprintf(stderr, "url "); 181 break; 182 default: 183 continue; 184 } 185 186 switch (kv->kv_option) { 187 case KEY_OPTION_APPEND: 188 fprintf(stderr, "append "); 189 break; 190 case KEY_OPTION_SET: 191 fprintf(stderr, "set "); 192 break; 193 case KEY_OPTION_REMOVE: 194 fprintf(stderr, "remove "); 195 break; 196 case KEY_OPTION_HASH: 197 fprintf(stderr, "hash "); 198 break; 199 case KEY_OPTION_LOG: 200 fprintf(stderr, "log "); 201 break; 202 case KEY_OPTION_NONE: 203 break; 204 } 205 206 switch (kv->kv_digest) { 207 case DIGEST_SHA1: 208 case DIGEST_MD5: 209 fprintf(stderr, "digest "); 210 break; 211 default: 212 break; 213 } 214 215 fprintf(stderr, "%s%s%s%s%s%s ", 216 kv->kv_key == NULL ? "" : "\"", 217 kv->kv_key == NULL ? "" : kv->kv_key, 218 kv->kv_key == NULL ? "" : "\"", 219 kv->kv_value == NULL ? "" : " value \"", 220 kv->kv_value == NULL ? "" : kv->kv_value, 221 kv->kv_value == NULL ? "" : "\""); 222 } 223 224 if (rule->rule_tablename[0]) 225 fprintf(stderr, "forward to <%s> ", rule->rule_tablename); 226 227 if (rule->rule_tag == -1) 228 fprintf(stderr, "no tag "); 229 else if (rule->rule_tag && rule->rule_tagname[0]) 230 fprintf(stderr, "tag \"%s\" ", 231 rule->rule_tagname); 232 233 if (rule->rule_tagged && rule->rule_taggedname[0]) 234 fprintf(stderr, "tagged \"%s\" ", 235 rule->rule_taggedname); 236 237 if (rule->rule_label == -1) 238 fprintf(stderr, "no label "); 239 else if (rule->rule_label && rule->rule_labelname[0]) 240 fprintf(stderr, "label \"%s\" ", 241 rule->rule_labelname); 242 243 fprintf(stderr, "\n"); 244 } 245 246 void 247 relay_protodebug(struct relay *rlay) 248 { 249 struct protocol *proto = rlay->rl_proto; 250 struct relay_rule *rule = NULL; 251 252 fprintf(stderr, "protocol %d: name %s\n", 253 proto->id, proto->name); 254 fprintf(stderr, "\tflags: %s, relay flags: %s\n", 255 printb_flags(proto->flags, F_BITS), 256 printb_flags(rlay->rl_conf.flags, F_BITS)); 257 if (proto->tcpflags) 258 fprintf(stderr, "\ttcp flags: %s\n", 259 printb_flags(proto->tcpflags, TCPFLAG_BITS)); 260 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && proto->tlsflags) 261 fprintf(stderr, "\ttls flags: %s\n", 262 printb_flags(proto->tlsflags, TLSFLAG_BITS)); 263 if (proto->cache != -1) 264 fprintf(stderr, "\ttls session cache: %d\n", proto->cache); 265 fprintf(stderr, "\ttype: "); 266 switch (proto->type) { 267 case RELAY_PROTO_TCP: 268 fprintf(stderr, "tcp\n"); 269 break; 270 case RELAY_PROTO_HTTP: 271 fprintf(stderr, "http\n"); 272 break; 273 case RELAY_PROTO_DNS: 274 fprintf(stderr, "dns\n"); 275 break; 276 } 277 278 rule = TAILQ_FIRST(&proto->rules); 279 while (rule != NULL) { 280 relay_ruledebug(rule); 281 rule = TAILQ_NEXT(rule, rule_entry); 282 } 283 } 284 285 int 286 relay_privinit(struct relay *rlay) 287 { 288 extern int debug; 289 290 log_debug("%s: adding relay %s", __func__, rlay->rl_conf.name); 291 292 if (debug) 293 relay_protodebug(rlay); 294 295 switch (rlay->rl_proto->type) { 296 case RELAY_PROTO_DNS: 297 relay_udp_privinit(env, rlay); 298 break; 299 case RELAY_PROTO_TCP: 300 break; 301 case RELAY_PROTO_HTTP: 302 break; 303 } 304 305 if (rlay->rl_conf.flags & F_UDP) 306 rlay->rl_s = relay_udp_bind(&rlay->rl_conf.ss, 307 rlay->rl_conf.port, rlay->rl_proto); 308 else 309 rlay->rl_s = relay_socket_listen(&rlay->rl_conf.ss, 310 rlay->rl_conf.port, rlay->rl_proto); 311 if (rlay->rl_s == -1) 312 return (-1); 313 314 return (0); 315 } 316 317 void 318 relay_init(struct privsep *ps, struct privsep_proc *p, void *arg) 319 { 320 struct timeval tv; 321 322 if (config_init(ps->ps_env) == -1) 323 fatal("failed to initialize configuration"); 324 325 /* Set to current prefork id */ 326 proc_id = p->p_instance; 327 328 /* We use a custom shutdown callback */ 329 p->p_shutdown = relay_shutdown; 330 331 /* Unlimited file descriptors (use system limits) */ 332 socket_rlimit(-1); 333 334 if (pledge("stdio recvfd inet", NULL) == -1) 335 fatal("pledge"); 336 337 /* Schedule statistics timer */ 338 evtimer_set(&env->sc_statev, relay_statistics, NULL); 339 bcopy(&env->sc_statinterval, &tv, sizeof(tv)); 340 evtimer_add(&env->sc_statev, &tv); 341 } 342 343 void 344 relay_session_publish(struct rsession *s) 345 { 346 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_PUBLISH, s, sizeof(*s)); 347 } 348 349 void 350 relay_session_unpublish(struct rsession *s) 351 { 352 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_UNPUBLISH, 353 &s->se_id, sizeof(s->se_id)); 354 } 355 356 void 357 relay_statistics(int fd, short events, void *arg) 358 { 359 struct relay *rlay; 360 struct ctl_stats crs, *cur; 361 struct timeval tv, tv_now; 362 int resethour = 0, resetday = 0; 363 struct rsession *con, *next_con; 364 365 /* 366 * This is a hack to calculate some average statistics. 367 * It doesn't try to be very accurate, but could be improved... 368 */ 369 370 timerclear(&tv); 371 getmonotime(&tv_now); 372 373 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 374 bzero(&crs, sizeof(crs)); 375 resethour = resetday = 0; 376 377 cur = &rlay->rl_stats[proc_id]; 378 cur->cnt += cur->last; 379 cur->tick++; 380 cur->avg = (cur->last + cur->avg) / 2; 381 cur->last_hour += cur->last; 382 if ((cur->tick % (3600 / env->sc_statinterval.tv_sec)) == 0) { 383 cur->avg_hour = (cur->last_hour + cur->avg_hour) / 2; 384 resethour++; 385 } 386 cur->last_day += cur->last; 387 if ((cur->tick % (86400 / env->sc_statinterval.tv_sec)) == 0) { 388 cur->avg_day = (cur->last_day + cur->avg_day) / 2; 389 resethour++; 390 } 391 bcopy(cur, &crs, sizeof(crs)); 392 393 cur->last = 0; 394 if (resethour) 395 cur->last_hour = 0; 396 if (resetday) 397 cur->last_day = 0; 398 399 crs.id = rlay->rl_conf.id; 400 crs.proc = proc_id; 401 proc_compose(env->sc_ps, PROC_PFE, IMSG_STATISTICS, 402 &crs, sizeof(crs)); 403 404 for (con = SPLAY_ROOT(&rlay->rl_sessions); 405 con != NULL; con = next_con) { 406 next_con = SPLAY_NEXT(session_tree, 407 &rlay->rl_sessions, con); 408 timersub(&tv_now, &con->se_tv_last, &tv); 409 if (timercmp(&tv, &rlay->rl_conf.timeout, >=)) 410 relay_close(con, "hard timeout"); 411 } 412 } 413 414 /* Schedule statistics timer */ 415 evtimer_set(&env->sc_statev, relay_statistics, NULL); 416 bcopy(&env->sc_statinterval, &tv, sizeof(tv)); 417 evtimer_add(&env->sc_statev, &tv); 418 } 419 420 void 421 relay_launch(void) 422 { 423 void (*callback)(int, short, void *); 424 struct relay *rlay; 425 struct host *host; 426 struct relay_table *rlt; 427 428 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 429 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && 430 (rlay->rl_ssl_ctx = relay_tls_ctx_create(rlay)) == NULL) 431 fatal("relay_init: failed to create TLS context"); 432 433 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 434 /* 435 * set rule->rule_table in advance and save time 436 * looking up for this later on rule/connection 437 * evalution 438 */ 439 rule_settable(&rlay->rl_proto->rules, rlt); 440 441 rlt->rlt_index = 0; 442 rlt->rlt_nhosts = 0; 443 TAILQ_FOREACH(host, &rlt->rlt_table->hosts, entry) { 444 if (rlt->rlt_nhosts >= RELAY_MAXHOSTS) 445 fatal("relay_init: " 446 "too many hosts in table"); 447 host->idx = rlt->rlt_nhosts; 448 rlt->rlt_host[rlt->rlt_nhosts++] = host; 449 } 450 log_info("adding %d hosts from table %s%s", 451 rlt->rlt_nhosts, rlt->rlt_table->conf.name, 452 rlt->rlt_table->conf.check ? "" : " (no check)"); 453 } 454 455 switch (rlay->rl_proto->type) { 456 case RELAY_PROTO_DNS: 457 relay_udp_init(rlay); 458 break; 459 case RELAY_PROTO_TCP: 460 case RELAY_PROTO_HTTP: 461 relay_http_init(rlay); 462 /* Use defaults */ 463 break; 464 } 465 466 log_debug("%s: running relay %s", __func__, 467 rlay->rl_conf.name); 468 469 rlay->rl_up = HOST_UP; 470 471 if (rlay->rl_conf.flags & F_UDP) 472 callback = relay_udp_server; 473 else 474 callback = relay_accept; 475 476 event_set(&rlay->rl_ev, rlay->rl_s, EV_READ, 477 callback, rlay); 478 event_add(&rlay->rl_ev, NULL); 479 evtimer_set(&rlay->rl_evt, callback, rlay); 480 } 481 } 482 483 int 484 relay_socket_af(struct sockaddr_storage *ss, in_port_t port) 485 { 486 switch (ss->ss_family) { 487 case AF_INET: 488 ((struct sockaddr_in *)ss)->sin_port = port; 489 ((struct sockaddr_in *)ss)->sin_len = 490 sizeof(struct sockaddr_in); 491 break; 492 case AF_INET6: 493 ((struct sockaddr_in6 *)ss)->sin6_port = port; 494 ((struct sockaddr_in6 *)ss)->sin6_len = 495 sizeof(struct sockaddr_in6); 496 break; 497 default: 498 return (-1); 499 } 500 501 return (0); 502 } 503 504 in_port_t 505 relay_socket_getport(struct sockaddr_storage *ss) 506 { 507 switch (ss->ss_family) { 508 case AF_INET: 509 return (((struct sockaddr_in *)ss)->sin_port); 510 case AF_INET6: 511 return (((struct sockaddr_in6 *)ss)->sin6_port); 512 default: 513 return (0); 514 } 515 516 /* NOTREACHED */ 517 return (0); 518 } 519 520 int 521 relay_socket(struct sockaddr_storage *ss, in_port_t port, 522 struct protocol *proto, int fd, int reuseport) 523 { 524 struct linger lng; 525 int s = -1, val; 526 527 if (relay_socket_af(ss, port) == -1) 528 goto bad; 529 530 s = fd == -1 ? socket(ss->ss_family, 531 SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP) : fd; 532 if (s == -1) 533 goto bad; 534 535 /* 536 * Socket options 537 */ 538 bzero(&lng, sizeof(lng)); 539 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 540 goto bad; 541 if (reuseport) { 542 val = 1; 543 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 544 sizeof(int)) == -1) 545 goto bad; 546 } 547 if (proto->tcpflags & TCPFLAG_BUFSIZ) { 548 val = proto->tcpbufsiz; 549 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 550 &val, sizeof(val)) == -1) 551 goto bad; 552 val = proto->tcpbufsiz; 553 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 554 &val, sizeof(val)) == -1) 555 goto bad; 556 } 557 558 /* 559 * IP options 560 */ 561 if (proto->tcpflags & TCPFLAG_IPTTL) { 562 val = (int)proto->tcpipttl; 563 if (setsockopt(s, IPPROTO_IP, IP_TTL, 564 &val, sizeof(val)) == -1) 565 goto bad; 566 } 567 if (proto->tcpflags & TCPFLAG_IPMINTTL) { 568 val = (int)proto->tcpipminttl; 569 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 570 &val, sizeof(val)) == -1) 571 goto bad; 572 } 573 574 /* 575 * TCP options 576 */ 577 if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 578 if (proto->tcpflags & TCPFLAG_NNODELAY) 579 val = 0; 580 else 581 val = 1; 582 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 583 &val, sizeof(val)) == -1) 584 goto bad; 585 } 586 if (proto->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 587 if (proto->tcpflags & TCPFLAG_NSACK) 588 val = 0; 589 else 590 val = 1; 591 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 592 &val, sizeof(val)) == -1) 593 goto bad; 594 } 595 596 return (s); 597 598 bad: 599 if (s != -1) 600 close(s); 601 return (-1); 602 } 603 604 int 605 relay_socket_connect(struct sockaddr_storage *ss, in_port_t port, 606 struct protocol *proto, int fd) 607 { 608 int s; 609 610 if ((s = relay_socket(ss, port, proto, fd, 0)) == -1) 611 return (-1); 612 613 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 614 if (errno != EINPROGRESS) 615 goto bad; 616 } 617 618 return (s); 619 620 bad: 621 close(s); 622 return (-1); 623 } 624 625 int 626 relay_socket_listen(struct sockaddr_storage *ss, in_port_t port, 627 struct protocol *proto) 628 { 629 int s; 630 631 if ((s = relay_socket(ss, port, proto, -1, 1)) == -1) 632 return (-1); 633 634 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 635 goto bad; 636 if (listen(s, proto->tcpbacklog) == -1) 637 goto bad; 638 639 return (s); 640 641 bad: 642 close(s); 643 return (-1); 644 } 645 646 void 647 relay_connected(int fd, short sig, void *arg) 648 { 649 struct rsession *con = arg; 650 struct relay *rlay = con->se_relay; 651 struct protocol *proto = rlay->rl_proto; 652 evbuffercb outrd = relay_read; 653 evbuffercb outwr = relay_write; 654 struct bufferevent *bev; 655 struct ctl_relay_event *out = &con->se_out; 656 socklen_t len; 657 int error; 658 659 if (sig == EV_TIMEOUT) { 660 relay_abort_http(con, 504, "connect timeout", 0); 661 return; 662 } 663 664 len = sizeof(error); 665 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, 666 &len) == -1 || error) { 667 if (error) 668 errno = error; 669 relay_abort_http(con, 500, "socket error", 0); 670 return; 671 } 672 673 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl == NULL)) { 674 relay_tls_transaction(con, out); 675 return; 676 } 677 678 DPRINTF("%s: session %d: successful", __func__, con->se_id); 679 680 switch (rlay->rl_proto->type) { 681 case RELAY_PROTO_HTTP: 682 if (relay_httpdesc_init(out) == -1) { 683 relay_close(con, 684 "failed to allocate http descriptor"); 685 return; 686 } 687 con->se_out.toread = TOREAD_HTTP_HEADER; 688 outrd = relay_read_http; 689 break; 690 case RELAY_PROTO_TCP: 691 /* Use defaults */ 692 break; 693 default: 694 fatalx("relay_connected: unknown protocol"); 695 } 696 697 /* 698 * Relay <-> Server 699 */ 700 bev = bufferevent_new(fd, outrd, outwr, relay_error, &con->se_out); 701 if (bev == NULL) { 702 relay_abort_http(con, 500, 703 "failed to allocate output buffer event", 0); 704 return; 705 } 706 evbuffer_free(bev->output); 707 bev->output = con->se_out.output; 708 if (bev->output == NULL) 709 fatal("relay_connected: invalid output buffer"); 710 con->se_out.bev = bev; 711 712 /* Initialize the TLS wrapper */ 713 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl != NULL)) 714 relay_tls_connected(out); 715 716 bufferevent_settimeout(bev, 717 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 718 bufferevent_setwatermark(bev, EV_WRITE, 719 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 720 bufferevent_enable(bev, EV_READ|EV_WRITE); 721 if (con->se_in.bev) 722 bufferevent_enable(con->se_in.bev, EV_READ); 723 724 if (relay_splice(&con->se_out) == -1) 725 relay_close(con, strerror(errno)); 726 } 727 728 void 729 relay_input(struct rsession *con) 730 { 731 struct relay *rlay = con->se_relay; 732 struct protocol *proto = rlay->rl_proto; 733 evbuffercb inrd = relay_read; 734 evbuffercb inwr = relay_write; 735 736 switch (rlay->rl_proto->type) { 737 case RELAY_PROTO_HTTP: 738 if (relay_httpdesc_init(&con->se_in) == -1) { 739 relay_close(con, 740 "failed to allocate http descriptor"); 741 return; 742 } 743 con->se_in.toread = TOREAD_HTTP_HEADER; 744 inrd = relay_read_http; 745 break; 746 case RELAY_PROTO_TCP: 747 /* Use defaults */ 748 break; 749 default: 750 fatalx("relay_input: unknown protocol"); 751 } 752 753 /* 754 * Client <-> Relay 755 */ 756 con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr, 757 relay_error, &con->se_in); 758 if (con->se_in.bev == NULL) { 759 relay_close(con, "failed to allocate input buffer event"); 760 return; 761 } 762 763 /* Initialize the TLS wrapper */ 764 if ((rlay->rl_conf.flags & F_TLS) && con->se_in.ssl != NULL) 765 relay_tls_connected(&con->se_in); 766 767 bufferevent_settimeout(con->se_in.bev, 768 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 769 bufferevent_setwatermark(con->se_in.bev, EV_WRITE, 770 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 771 bufferevent_enable(con->se_in.bev, EV_READ|EV_WRITE); 772 773 if (relay_splice(&con->se_in) == -1) 774 relay_close(con, strerror(errno)); 775 } 776 777 void 778 relay_write(struct bufferevent *bev, void *arg) 779 { 780 struct ctl_relay_event *cre = arg; 781 struct rsession *con = cre->con; 782 783 getmonotime(&con->se_tv_last); 784 785 if (con->se_done) 786 goto done; 787 if (relay_splice(cre->dst) == -1) 788 goto fail; 789 if (cre->dst->bev) 790 bufferevent_enable(cre->dst->bev, EV_READ); 791 792 return; 793 done: 794 relay_close(con, "last write (done)"); 795 return; 796 fail: 797 relay_close(con, strerror(errno)); 798 } 799 800 void 801 relay_dump(struct ctl_relay_event *cre, const void *buf, size_t len) 802 { 803 if (!len) 804 return; 805 806 /* 807 * This function will dump the specified message directly 808 * to the underlying session, without waiting for success 809 * of non-blocking events etc. This is useful to print an 810 * error message before gracefully closing the session. 811 */ 812 if (cre->ssl != NULL) 813 (void)SSL_write(cre->ssl, buf, len); 814 else 815 (void)write(cre->s, buf, len); 816 } 817 818 void 819 relay_read(struct bufferevent *bev, void *arg) 820 { 821 struct ctl_relay_event *cre = arg; 822 struct rsession *con = cre->con; 823 struct protocol *proto = con->se_relay->rl_proto; 824 struct evbuffer *src = EVBUFFER_INPUT(bev); 825 826 getmonotime(&con->se_tv_last); 827 cre->timedout = 0; 828 829 if (!EVBUFFER_LENGTH(src)) 830 return; 831 if (relay_bufferevent_write_buffer(cre->dst, src) == -1) 832 goto fail; 833 if (con->se_done) 834 goto done; 835 if (cre->dst->bev) 836 bufferevent_enable(cre->dst->bev, EV_READ); 837 if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) > 838 (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz) 839 bufferevent_disable(bev, EV_READ); 840 841 return; 842 done: 843 relay_close(con, "last read (done)"); 844 return; 845 fail: 846 relay_close(con, strerror(errno)); 847 } 848 849 /* 850 * Splice sockets from cre to cre->dst if applicable. Returns: 851 * -1 socket splicing has failed 852 * 0 socket splicing is currently not possible 853 * 1 socket splicing was successful 854 */ 855 int 856 relay_splice(struct ctl_relay_event *cre) 857 { 858 struct rsession *con = cre->con; 859 struct relay *rlay = con->se_relay; 860 struct protocol *proto = rlay->rl_proto; 861 struct splice sp; 862 863 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) || 864 (proto->tcpflags & TCPFLAG_NSPLICE)) 865 return (0); 866 867 if (cre->splicelen >= 0) 868 return (0); 869 870 /* still not connected */ 871 if (cre->bev == NULL || cre->dst->bev == NULL) 872 return (0); 873 874 if (!(cre->toread == TOREAD_UNLIMITED || cre->toread > 0)) { 875 DPRINTF("%s: session %d: splice dir %d, nothing to read %lld", 876 __func__, con->se_id, cre->dir, cre->toread); 877 return (0); 878 } 879 880 /* do not splice before buffers have not been completely flushed */ 881 if (EVBUFFER_LENGTH(cre->bev->input) || 882 EVBUFFER_LENGTH(cre->dst->bev->output)) { 883 DPRINTF("%s: session %d: splice dir %d, dirty buffer", 884 __func__, con->se_id, cre->dir); 885 bufferevent_disable(cre->bev, EV_READ); 886 return (0); 887 } 888 889 bzero(&sp, sizeof(sp)); 890 sp.sp_fd = cre->dst->s; 891 sp.sp_max = cre->toread > 0 ? cre->toread : 0; 892 bcopy(&rlay->rl_conf.timeout, &sp.sp_idle, sizeof(sp.sp_idle)); 893 if (setsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &sp, sizeof(sp)) == -1) { 894 log_debug("%s: session %d: splice dir %d failed: %s", 895 __func__, con->se_id, cre->dir, strerror(errno)); 896 return (-1); 897 } 898 cre->splicelen = 0; 899 bufferevent_enable(cre->bev, EV_READ); 900 901 DPRINTF("%s: session %d: splice dir %d, maximum %lld, successful", 902 __func__, con->se_id, cre->dir, cre->toread); 903 904 return (1); 905 } 906 907 int 908 relay_splicelen(struct ctl_relay_event *cre) 909 { 910 struct rsession *con = cre->con; 911 off_t len; 912 socklen_t optlen; 913 914 if (cre->splicelen < 0) 915 return (0); 916 917 optlen = sizeof(len); 918 if (getsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &len, &optlen) == -1) { 919 log_debug("%s: session %d: splice dir %d get length failed: %s", 920 __func__, con->se_id, cre->dir, strerror(errno)); 921 return (-1); 922 } 923 924 DPRINTF("%s: session %d: splice dir %d, length %lld", 925 __func__, con->se_id, cre->dir, len); 926 927 if (len > cre->splicelen) { 928 getmonotime(&con->se_tv_last); 929 930 cre->splicelen = len; 931 return (1); 932 } 933 934 return (0); 935 } 936 937 int 938 relay_spliceadjust(struct ctl_relay_event *cre) 939 { 940 if (cre->splicelen < 0) 941 return (0); 942 if (relay_splicelen(cre) == -1) 943 return (-1); 944 if (cre->splicelen > 0 && cre->toread > 0) 945 cre->toread -= cre->splicelen; 946 cre->splicelen = -1; 947 948 return (0); 949 } 950 951 void 952 relay_error(struct bufferevent *bev, short error, void *arg) 953 { 954 struct ctl_relay_event *cre = arg; 955 struct rsession *con = cre->con; 956 struct evbuffer *dst; 957 958 if (error & EVBUFFER_TIMEOUT) { 959 if (cre->splicelen >= 0) { 960 bufferevent_enable(bev, EV_READ); 961 } else if (cre->dst->splicelen >= 0) { 962 switch (relay_splicelen(cre->dst)) { 963 case -1: 964 goto fail; 965 case 0: 966 relay_close(con, "buffer event timeout"); 967 break; 968 case 1: 969 cre->timedout = 1; 970 bufferevent_enable(bev, EV_READ); 971 break; 972 } 973 } else { 974 relay_close(con, "buffer event timeout"); 975 } 976 return; 977 } 978 if (error & EVBUFFER_ERROR && errno == ETIMEDOUT) { 979 if (cre->dst->splicelen >= 0) { 980 switch (relay_splicelen(cre->dst)) { 981 case -1: 982 goto fail; 983 case 0: 984 relay_close(con, "splice timeout"); 985 return; 986 case 1: 987 bufferevent_enable(bev, EV_READ); 988 break; 989 } 990 } else if (cre->dst->timedout) { 991 relay_close(con, "splice timeout"); 992 return; 993 } 994 if (relay_spliceadjust(cre) == -1) 995 goto fail; 996 if (relay_splice(cre) == -1) 997 goto fail; 998 return; 999 } 1000 if (error & EVBUFFER_ERROR && errno == EFBIG) { 1001 if (relay_spliceadjust(cre) == -1) 1002 goto fail; 1003 bufferevent_enable(cre->bev, EV_READ); 1004 return; 1005 } 1006 if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) { 1007 bufferevent_disable(bev, EV_READ|EV_WRITE); 1008 1009 con->se_done = 1; 1010 if (cre->dst->bev != NULL) { 1011 dst = EVBUFFER_OUTPUT(cre->dst->bev); 1012 if (EVBUFFER_LENGTH(dst)) 1013 return; 1014 } else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0) 1015 return; 1016 1017 relay_close(con, "done"); 1018 return; 1019 } 1020 relay_close(con, "buffer event error"); 1021 return; 1022 fail: 1023 relay_close(con, strerror(errno)); 1024 } 1025 1026 void 1027 relay_accept(int fd, short event, void *arg) 1028 { 1029 struct relay *rlay = arg; 1030 struct rsession *con = NULL; 1031 struct ctl_natlook *cnl = NULL; 1032 socklen_t slen; 1033 struct timeval tv; 1034 struct sockaddr_storage ss; 1035 int s = -1; 1036 1037 event_add(&rlay->rl_ev, NULL); 1038 if ((event & EV_TIMEOUT)) 1039 return; 1040 1041 slen = sizeof(ss); 1042 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 1043 &slen, FD_RESERVE, &relay_inflight)) == -1) { 1044 /* 1045 * Pause accept if we are out of file descriptors, or 1046 * libevent will haunt us here too. 1047 */ 1048 if (errno == ENFILE || errno == EMFILE) { 1049 struct timeval evtpause = { 1, 0 }; 1050 1051 event_del(&rlay->rl_ev); 1052 evtimer_add(&rlay->rl_evt, &evtpause); 1053 log_debug("%s: deferring connections", __func__); 1054 } 1055 return; 1056 } 1057 if (relay_sessions >= RELAY_MAX_SESSIONS || 1058 rlay->rl_conf.flags & F_DISABLE) 1059 goto err; 1060 1061 if ((con = calloc(1, sizeof(*con))) == NULL) 1062 goto err; 1063 1064 /* Pre-allocate log buffer */ 1065 con->se_haslog = 0; 1066 con->se_log = evbuffer_new(); 1067 if (con->se_log == NULL) 1068 goto err; 1069 1070 con->se_in.s = s; 1071 con->se_in.ssl = NULL; 1072 con->se_out.s = -1; 1073 con->se_out.ssl = NULL; 1074 con->se_in.dst = &con->se_out; 1075 con->se_out.dst = &con->se_in; 1076 con->se_in.con = con; 1077 con->se_out.con = con; 1078 con->se_in.splicelen = -1; 1079 con->se_out.splicelen = -1; 1080 con->se_in.toread = TOREAD_UNLIMITED; 1081 con->se_out.toread = TOREAD_UNLIMITED; 1082 con->se_relay = rlay; 1083 con->se_id = ++relay_conid; 1084 con->se_relayid = rlay->rl_conf.id; 1085 con->se_pid = getpid(); 1086 con->se_in.dir = RELAY_DIR_REQUEST; 1087 con->se_out.dir = RELAY_DIR_RESPONSE; 1088 con->se_retry = rlay->rl_conf.dstretry; 1089 con->se_bnds = -1; 1090 con->se_out.port = rlay->rl_conf.dstport; 1091 switch (ss.ss_family) { 1092 case AF_INET: 1093 con->se_in.port = ((struct sockaddr_in *)&ss)->sin_port; 1094 break; 1095 case AF_INET6: 1096 con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port; 1097 break; 1098 } 1099 bcopy(&ss, &con->se_in.ss, sizeof(con->se_in.ss)); 1100 1101 getmonotime(&con->se_tv_start); 1102 bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last)); 1103 1104 if (rlay->rl_conf.flags & F_HASHKEY) { 1105 SipHash24_Init(&con->se_siphashctx, 1106 &rlay->rl_conf.hashkey.siphashkey); 1107 } 1108 1109 relay_sessions++; 1110 SPLAY_INSERT(session_tree, &rlay->rl_sessions, con); 1111 relay_session_publish(con); 1112 1113 /* Increment the per-relay session counter */ 1114 rlay->rl_stats[proc_id].last++; 1115 1116 /* Pre-allocate output buffer */ 1117 con->se_out.output = evbuffer_new(); 1118 if (con->se_out.output == NULL) { 1119 relay_close(con, "failed to allocate output buffer"); 1120 return; 1121 } 1122 1123 if (rlay->rl_conf.flags & F_DIVERT) { 1124 slen = sizeof(con->se_out.ss); 1125 if (getsockname(s, (struct sockaddr *)&con->se_out.ss, 1126 &slen) == -1) { 1127 relay_close(con, "peer lookup failed"); 1128 return; 1129 } 1130 con->se_out.port = relay_socket_getport(&con->se_out.ss); 1131 1132 /* Detect loop and fall back to the alternate forward target */ 1133 if (bcmp(&rlay->rl_conf.ss, &con->se_out.ss, 1134 sizeof(con->se_out.ss)) == 0 && 1135 con->se_out.port == rlay->rl_conf.port) 1136 con->se_out.ss.ss_family = AF_UNSPEC; 1137 } else if (rlay->rl_conf.flags & F_NATLOOK) { 1138 if ((cnl = calloc(1, sizeof(*cnl))) == NULL) { 1139 relay_close(con, "failed to allocate nat lookup"); 1140 return; 1141 } 1142 1143 con->se_cnl = cnl; 1144 bzero(cnl, sizeof(*cnl)); 1145 cnl->in = -1; 1146 cnl->id = con->se_id; 1147 cnl->proc = proc_id; 1148 cnl->proto = IPPROTO_TCP; 1149 1150 bcopy(&con->se_in.ss, &cnl->src, sizeof(cnl->src)); 1151 slen = sizeof(cnl->dst); 1152 if (getsockname(s, 1153 (struct sockaddr *)&cnl->dst, &slen) == -1) { 1154 relay_close(con, "failed to get local address"); 1155 return; 1156 } 1157 1158 proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK, 1159 cnl, sizeof(*cnl)); 1160 1161 /* Schedule timeout */ 1162 evtimer_set(&con->se_ev, relay_natlook, con); 1163 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1164 evtimer_add(&con->se_ev, &tv); 1165 return; 1166 } 1167 1168 if (rlay->rl_conf.flags & F_TLSINSPECT) { 1169 relay_preconnect(con); 1170 return; 1171 } 1172 1173 relay_session(con); 1174 return; 1175 err: 1176 if (s != -1) { 1177 close(s); 1178 free(con); 1179 /* 1180 * the session struct was not completely set up, but still 1181 * counted as an inflight session. account for this. 1182 */ 1183 relay_inflight--; 1184 log_debug("%s: inflight decremented, now %d", 1185 __func__, relay_inflight); 1186 } 1187 } 1188 1189 void 1190 relay_hash_addr(SIPHASH_CTX *ctx, struct sockaddr_storage *ss, int portset) 1191 { 1192 struct sockaddr_in *sin4; 1193 struct sockaddr_in6 *sin6; 1194 in_port_t port; 1195 1196 if (ss->ss_family == AF_INET) { 1197 sin4 = (struct sockaddr_in *)ss; 1198 SipHash24_Update(ctx, &sin4->sin_addr, 1199 sizeof(struct in_addr)); 1200 } else { 1201 sin6 = (struct sockaddr_in6 *)ss; 1202 SipHash24_Update(ctx, &sin6->sin6_addr, 1203 sizeof(struct in6_addr)); 1204 } 1205 1206 if (portset != -1) { 1207 port = (in_port_t)portset; 1208 SipHash24_Update(ctx, &port, sizeof(port)); 1209 } 1210 } 1211 1212 int 1213 relay_from_table(struct rsession *con) 1214 { 1215 struct relay *rlay = con->se_relay; 1216 struct host *host = NULL; 1217 struct relay_table *rlt = NULL; 1218 struct table *table = NULL; 1219 int idx = -1; 1220 int cnt = 0; 1221 int maxtries; 1222 u_int64_t p = 0; 1223 1224 /* the table is already selected */ 1225 if (con->se_table != NULL) { 1226 rlt = con->se_table; 1227 table = rlt->rlt_table; 1228 if (table->conf.check && !table->up) 1229 table = NULL; 1230 goto gottable; 1231 } 1232 1233 /* otherwise grep the first active table */ 1234 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 1235 table = rlt->rlt_table; 1236 if ((rlt->rlt_flags & F_USED) == 0 || 1237 (table->conf.check && !table->up)) 1238 table = NULL; 1239 else 1240 break; 1241 } 1242 1243 gottable: 1244 if (table == NULL) { 1245 log_debug("%s: session %d: no active hosts", 1246 __func__, con->se_id); 1247 return (-1); 1248 } 1249 1250 switch (rlt->rlt_mode) { 1251 case RELAY_DSTMODE_ROUNDROBIN: 1252 if ((int)rlt->rlt_index >= rlt->rlt_nhosts) 1253 rlt->rlt_index = 0; 1254 idx = (int)rlt->rlt_index; 1255 break; 1256 case RELAY_DSTMODE_RANDOM: 1257 idx = (int)arc4random_uniform(rlt->rlt_nhosts); 1258 break; 1259 case RELAY_DSTMODE_SRCHASH: 1260 /* Source IP address without port */ 1261 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1262 break; 1263 case RELAY_DSTMODE_LOADBALANCE: 1264 /* Source IP address without port */ 1265 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1266 /* FALLTHROUGH */ 1267 case RELAY_DSTMODE_HASH: 1268 /* Local "destination" IP address and port */ 1269 relay_hash_addr(&con->se_siphashctx, &rlay->rl_conf.ss, 1270 rlay->rl_conf.port); 1271 break; 1272 default: 1273 fatalx("relay_from_table: unsupported mode"); 1274 /* NOTREACHED */ 1275 } 1276 if (idx == -1) { 1277 /* handle all hashing algorithms */ 1278 p = SipHash24_End(&con->se_siphashctx); 1279 1280 /* Reset hash context */ 1281 SipHash24_Init(&con->se_siphashctx, 1282 &rlay->rl_conf.hashkey.siphashkey); 1283 1284 maxtries = (rlt->rlt_nhosts < RELAY_MAX_HASH_RETRIES ? 1285 rlt->rlt_nhosts : RELAY_MAX_HASH_RETRIES); 1286 for (cnt = 0; cnt < maxtries; cnt++) { 1287 if ((idx = p % rlt->rlt_nhosts) >= RELAY_MAXHOSTS) 1288 return (-1); 1289 1290 host = rlt->rlt_host[idx]; 1291 1292 DPRINTF("%s: session %d: table %s host %s, " 1293 "p 0x%016llx, idx %d, cnt %d, max %d", 1294 __func__, con->se_id, table->conf.name, 1295 host->conf.name, p, idx, cnt, maxtries); 1296 1297 if (!table->conf.check || host->up == HOST_UP) 1298 goto found; 1299 p = p >> 1; 1300 } 1301 } else { 1302 /* handle all non-hashing algorithms */ 1303 host = rlt->rlt_host[idx]; 1304 DPRINTF("%s: session %d: table %s host %s, p 0x%016llx, idx %d", 1305 __func__, con->se_id, table->conf.name, host->conf.name, p, idx); 1306 } 1307 1308 while (host != NULL) { 1309 DPRINTF("%s: session %d: host %s", __func__, 1310 con->se_id, host->conf.name); 1311 if (!table->conf.check || host->up == HOST_UP) 1312 goto found; 1313 host = TAILQ_NEXT(host, entry); 1314 } 1315 TAILQ_FOREACH(host, &table->hosts, entry) { 1316 DPRINTF("%s: session %d: next host %s", 1317 __func__, con->se_id, host->conf.name); 1318 if (!table->conf.check || host->up == HOST_UP) 1319 goto found; 1320 } 1321 1322 /* Should not happen */ 1323 fatalx("relay_from_table: no active hosts, desynchronized"); 1324 1325 found: 1326 if (rlt->rlt_mode == RELAY_DSTMODE_ROUNDROBIN) 1327 rlt->rlt_index = host->idx + 1; 1328 con->se_retry = host->conf.retry; 1329 con->se_out.port = table->conf.port; 1330 bcopy(&host->conf.ss, &con->se_out.ss, sizeof(con->se_out.ss)); 1331 1332 return (0); 1333 } 1334 1335 void 1336 relay_natlook(int fd, short event, void *arg) 1337 { 1338 struct rsession *con = arg; 1339 struct relay *rlay = con->se_relay; 1340 struct ctl_natlook *cnl = con->se_cnl; 1341 1342 if (cnl == NULL) 1343 fatalx("invalid NAT lookup"); 1344 1345 if (con->se_out.ss.ss_family == AF_UNSPEC && cnl->in == -1 && 1346 rlay->rl_conf.dstss.ss_family == AF_UNSPEC && 1347 TAILQ_EMPTY(&rlay->rl_tables)) { 1348 relay_close(con, "session NAT lookup failed"); 1349 return; 1350 } 1351 if (cnl->in != -1) { 1352 bcopy(&cnl->rdst, &con->se_out.ss, sizeof(con->se_out.ss)); 1353 con->se_out.port = cnl->rdport; 1354 } 1355 free(con->se_cnl); 1356 con->se_cnl = NULL; 1357 1358 relay_session(con); 1359 } 1360 1361 void 1362 relay_session(struct rsession *con) 1363 { 1364 struct relay *rlay = con->se_relay; 1365 struct ctl_relay_event *in = &con->se_in, *out = &con->se_out; 1366 1367 if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 && 1368 out->port == rlay->rl_conf.port) { 1369 log_debug("%s: session %d: looping", __func__, con->se_id); 1370 relay_close(con, "session aborted"); 1371 return; 1372 } 1373 1374 if (rlay->rl_conf.flags & F_UDP) { 1375 /* 1376 * Call the UDP protocol-specific handler 1377 */ 1378 if (rlay->rl_proto->request == NULL) 1379 fatalx("invalide UDP session"); 1380 if ((*rlay->rl_proto->request)(con) == -1) 1381 relay_close(con, "session failed"); 1382 return; 1383 } 1384 1385 if ((rlay->rl_conf.flags & F_TLS) && (in->ssl == NULL)) { 1386 relay_tls_transaction(con, in); 1387 return; 1388 } 1389 1390 if (rlay->rl_proto->type != RELAY_PROTO_HTTP) { 1391 if (rlay->rl_conf.fwdmode == FWD_TRANS) 1392 relay_bindanyreq(con, 0, IPPROTO_TCP); 1393 else if (relay_connect(con) == -1) { 1394 relay_close(con, "session failed"); 1395 return; 1396 } 1397 } 1398 1399 relay_input(con); 1400 } 1401 1402 void 1403 relay_bindanyreq(struct rsession *con, in_port_t port, int proto) 1404 { 1405 struct relay *rlay = con->se_relay; 1406 struct ctl_bindany bnd; 1407 struct timeval tv; 1408 1409 bzero(&bnd, sizeof(bnd)); 1410 bnd.bnd_id = con->se_id; 1411 bnd.bnd_proc = proc_id; 1412 bnd.bnd_port = port; 1413 bnd.bnd_proto = proto; 1414 bcopy(&con->se_in.ss, &bnd.bnd_ss, sizeof(bnd.bnd_ss)); 1415 proc_compose(env->sc_ps, PROC_PARENT, IMSG_BINDANY, 1416 &bnd, sizeof(bnd)); 1417 1418 /* Schedule timeout */ 1419 evtimer_set(&con->se_ev, relay_bindany, con); 1420 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1421 evtimer_add(&con->se_ev, &tv); 1422 } 1423 1424 void 1425 relay_bindany(int fd, short event, void *arg) 1426 { 1427 struct rsession *con = arg; 1428 1429 if (con->se_bnds == -1) { 1430 relay_close(con, "bindany failed, invalid socket"); 1431 return; 1432 } 1433 if (relay_connect(con) == -1) 1434 relay_close(con, "session failed"); 1435 } 1436 1437 void 1438 relay_connect_retry(int fd, short sig, void *arg) 1439 { 1440 struct timeval evtpause = { 1, 0 }; 1441 struct rsession *con = arg; 1442 struct relay *rlay = con->se_relay; 1443 int bnds = -1; 1444 1445 if (relay_inflight < 1) { 1446 log_warnx("relay_connect_retry: no connection in flight"); 1447 relay_inflight = 1; 1448 } 1449 1450 DPRINTF("%s: retry %d of %d, inflight: %d",__func__, 1451 con->se_retrycount, con->se_retry, relay_inflight); 1452 1453 if (sig != EV_TIMEOUT) 1454 fatalx("relay_connect_retry: called without timeout"); 1455 1456 evtimer_del(&con->se_inflightevt); 1457 1458 /* 1459 * XXX we might want to check if the inbound socket is still 1460 * available: client could have closed it while we were waiting? 1461 */ 1462 1463 DPRINTF("%s: got EV_TIMEOUT", __func__); 1464 1465 if (getdtablecount() + FD_RESERVE + 1466 relay_inflight > getdtablesize()) { 1467 if (con->se_retrycount < RELAY_OUTOF_FD_RETRIES) { 1468 evtimer_add(&con->se_inflightevt, &evtpause); 1469 return; 1470 } 1471 /* we waited for RELAY_OUTOF_FD_RETRIES seconds, give up */ 1472 event_add(&rlay->rl_ev, NULL); 1473 relay_abort_http(con, 504, "connection timed out", 0); 1474 return; 1475 } 1476 1477 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1478 /* con->se_bnds cannot be unset */ 1479 bnds = con->se_bnds; 1480 } 1481 1482 retry: 1483 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1484 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1485 log_debug("%s: session %d: " 1486 "forward failed: %s, %s", __func__, 1487 con->se_id, strerror(errno), 1488 con->se_retry ? "next retry" : "last retry"); 1489 1490 con->se_retrycount++; 1491 1492 if ((errno == ENFILE || errno == EMFILE) && 1493 (con->se_retrycount < con->se_retry)) { 1494 event_del(&rlay->rl_ev); 1495 evtimer_add(&con->se_inflightevt, &evtpause); 1496 evtimer_add(&rlay->rl_evt, &evtpause); 1497 return; 1498 } else if (con->se_retrycount < con->se_retry) 1499 goto retry; 1500 event_add(&rlay->rl_ev, NULL); 1501 relay_abort_http(con, 504, "connect failed", 0); 1502 return; 1503 } 1504 1505 if (rlay->rl_conf.flags & F_TLSINSPECT) 1506 con->se_out.state = STATE_PRECONNECT; 1507 else 1508 con->se_out.state = STATE_CONNECTED; 1509 relay_inflight--; 1510 DPRINTF("%s: inflight decremented, now %d",__func__, relay_inflight); 1511 1512 event_add(&rlay->rl_ev, NULL); 1513 1514 if (errno == EINPROGRESS) 1515 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1516 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1517 con); 1518 else 1519 relay_connected(con->se_out.s, EV_WRITE, con); 1520 1521 return; 1522 } 1523 1524 int 1525 relay_preconnect(struct rsession *con) 1526 { 1527 int rv; 1528 1529 log_debug("%s: session %d: process %d", __func__, 1530 con->se_id, privsep_process); 1531 rv = relay_connect(con); 1532 if (con->se_out.state == STATE_CONNECTED) 1533 con->se_out.state = STATE_PRECONNECT; 1534 return (rv); 1535 } 1536 1537 int 1538 relay_connect(struct rsession *con) 1539 { 1540 struct relay *rlay = con->se_relay; 1541 struct timeval evtpause = { 1, 0 }; 1542 int bnds = -1, ret; 1543 1544 /* relay_connect should only be called once per relay */ 1545 if (con->se_out.state == STATE_CONNECTED) { 1546 log_debug("%s: connect already called once", __func__); 1547 return (0); 1548 } 1549 1550 /* Connection is already established but session not active */ 1551 if ((rlay->rl_conf.flags & F_TLSINSPECT) && 1552 con->se_out.state == STATE_PRECONNECT) { 1553 if (con->se_out.ssl == NULL) { 1554 log_debug("%s: tls connect failed", __func__); 1555 return (-1); 1556 } 1557 relay_connected(con->se_out.s, EV_WRITE, con); 1558 con->se_out.state = STATE_CONNECTED; 1559 return (0); 1560 } 1561 1562 if (relay_inflight < 1) { 1563 log_warnx("relay_connect: no connection in flight"); 1564 relay_inflight = 1; 1565 } 1566 1567 getmonotime(&con->se_tv_start); 1568 1569 if (!TAILQ_EMPTY(&rlay->rl_tables)) { 1570 if (relay_from_table(con) != 0) 1571 return (-1); 1572 } else if (con->se_out.ss.ss_family == AF_UNSPEC) { 1573 bcopy(&rlay->rl_conf.dstss, &con->se_out.ss, 1574 sizeof(con->se_out.ss)); 1575 con->se_out.port = rlay->rl_conf.dstport; 1576 } 1577 1578 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1579 if (con->se_bnds == -1) { 1580 log_debug("%s: could not bind any sock", __func__); 1581 return (-1); 1582 } 1583 bnds = con->se_bnds; 1584 } 1585 1586 /* Do the IPv4-to-IPv6 or IPv6-to-IPv4 translation if requested */ 1587 if (rlay->rl_conf.dstaf.ss_family != AF_UNSPEC) { 1588 if (con->se_out.ss.ss_family == AF_INET && 1589 rlay->rl_conf.dstaf.ss_family == AF_INET6) 1590 ret = map4to6(&con->se_out.ss, &rlay->rl_conf.dstaf); 1591 else if (con->se_out.ss.ss_family == AF_INET6 && 1592 rlay->rl_conf.dstaf.ss_family == AF_INET) 1593 ret = map6to4(&con->se_out.ss); 1594 else 1595 ret = 0; 1596 if (ret != 0) { 1597 log_debug("%s: mapped to invalid address", __func__); 1598 return (-1); 1599 } 1600 } 1601 1602 retry: 1603 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1604 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1605 if (errno == ENFILE || errno == EMFILE) { 1606 log_debug("%s: session %d: forward failed: %s", 1607 __func__, con->se_id, strerror(errno)); 1608 evtimer_set(&con->se_inflightevt, relay_connect_retry, 1609 con); 1610 event_del(&rlay->rl_ev); 1611 evtimer_add(&con->se_inflightevt, &evtpause); 1612 evtimer_add(&rlay->rl_evt, &evtpause); 1613 1614 /* this connect is pending */ 1615 con->se_out.state = STATE_PENDING; 1616 return (0); 1617 } else { 1618 if (con->se_retry) { 1619 con->se_retry--; 1620 log_debug("%s: session %d: " 1621 "forward failed: %s, %s", __func__, 1622 con->se_id, strerror(errno), 1623 con->se_retry ? 1624 "next retry" : "last retry"); 1625 goto retry; 1626 } 1627 log_debug("%s: session %d: forward failed: %s", 1628 __func__, con->se_id, strerror(errno)); 1629 return (-1); 1630 } 1631 } 1632 1633 con->se_out.state = STATE_CONNECTED; 1634 relay_inflight--; 1635 DPRINTF("%s: inflight decremented, now %d",__func__, 1636 relay_inflight); 1637 1638 if (errno == EINPROGRESS) 1639 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1640 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1641 con); 1642 else 1643 relay_connected(con->se_out.s, EV_WRITE, con); 1644 1645 return (0); 1646 } 1647 1648 void 1649 relay_close(struct rsession *con, const char *msg) 1650 { 1651 char ibuf[128], obuf[128], *ptr = NULL; 1652 struct relay *rlay = con->se_relay; 1653 struct protocol *proto = rlay->rl_proto; 1654 1655 SPLAY_REMOVE(session_tree, &rlay->rl_sessions, con); 1656 relay_session_unpublish(con); 1657 1658 event_del(&con->se_ev); 1659 if (con->se_in.bev != NULL) 1660 bufferevent_disable(con->se_in.bev, EV_READ|EV_WRITE); 1661 if (con->se_out.bev != NULL) 1662 bufferevent_disable(con->se_out.bev, EV_READ|EV_WRITE); 1663 1664 if ((env->sc_opts & RELAYD_OPT_LOGUPDATE) && msg != NULL) { 1665 bzero(&ibuf, sizeof(ibuf)); 1666 bzero(&obuf, sizeof(obuf)); 1667 (void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf)); 1668 (void)print_host(&con->se_out.ss, obuf, sizeof(obuf)); 1669 if (EVBUFFER_LENGTH(con->se_log) && 1670 evbuffer_add_printf(con->se_log, "\r\n") != -1) 1671 ptr = evbuffer_readline(con->se_log); 1672 log_info("relay %s, " 1673 "session %d (%d active), %s, %s -> %s:%d, " 1674 "%s%s%s", rlay->rl_conf.name, con->se_id, relay_sessions, 1675 con->se_tag != 0 ? tag_id2name(con->se_tag) : "0", ibuf, 1676 obuf, ntohs(con->se_out.port), msg, ptr == NULL ? "" : ",", 1677 ptr == NULL ? "" : ptr); 1678 free(ptr); 1679 } 1680 1681 if (proto->close != NULL) 1682 (*proto->close)(con); 1683 1684 free(con->se_priv); 1685 if (con->se_in.bev != NULL) 1686 bufferevent_free(con->se_in.bev); 1687 else if (con->se_in.output != NULL) 1688 evbuffer_free(con->se_in.output); 1689 if (con->se_in.ssl != NULL) { 1690 /* XXX handle non-blocking shutdown */ 1691 if (SSL_shutdown(con->se_in.ssl) == 0) 1692 SSL_shutdown(con->se_in.ssl); 1693 SSL_free(con->se_in.ssl); 1694 } 1695 if (con->se_in.tlscert != NULL) 1696 X509_free(con->se_in.tlscert); 1697 if (con->se_in.s != -1) { 1698 close(con->se_in.s); 1699 if (con->se_out.s == -1) { 1700 /* 1701 * the output was never connected, 1702 * thus this was an inflight session. 1703 */ 1704 relay_inflight--; 1705 log_debug("%s: sessions inflight decremented, now %d", 1706 __func__, relay_inflight); 1707 } 1708 } 1709 free(con->se_in.buf); 1710 1711 if (con->se_out.bev != NULL) 1712 bufferevent_free(con->se_out.bev); 1713 else if (con->se_out.output != NULL) 1714 evbuffer_free(con->se_out.output); 1715 if (con->se_out.ssl != NULL) { 1716 /* XXX handle non-blocking shutdown */ 1717 if (SSL_shutdown(con->se_out.ssl) == 0) 1718 SSL_shutdown(con->se_out.ssl); 1719 SSL_free(con->se_out.ssl); 1720 } 1721 if (con->se_out.tlscert != NULL) 1722 X509_free(con->se_out.tlscert); 1723 if (con->se_out.s != -1) { 1724 close(con->se_out.s); 1725 1726 /* Some file descriptors are available again. */ 1727 if (evtimer_pending(&rlay->rl_evt, NULL)) { 1728 evtimer_del(&rlay->rl_evt); 1729 event_add(&rlay->rl_ev, NULL); 1730 } 1731 } 1732 con->se_out.state = STATE_INIT; 1733 1734 free(con->se_out.buf); 1735 1736 if (con->se_log != NULL) 1737 evbuffer_free(con->se_log); 1738 1739 if (con->se_cnl != NULL) { 1740 #if 0 1741 proc_compose_imsg(env->sc_ps, PROC_PFE, -1, IMSG_KILLSTATES, -1, 1742 cnl, sizeof(*cnl)); 1743 #endif 1744 free(con->se_cnl); 1745 } 1746 1747 free(con); 1748 relay_sessions--; 1749 } 1750 1751 int 1752 relay_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 1753 { 1754 struct relay *rlay; 1755 struct rsession *con, se; 1756 struct ctl_natlook cnl; 1757 struct timeval tv; 1758 struct host *host; 1759 struct table *table; 1760 struct ctl_status st; 1761 objid_t id; 1762 int cid; 1763 1764 switch (imsg->hdr.type) { 1765 case IMSG_HOST_DISABLE: 1766 memcpy(&id, imsg->data, sizeof(id)); 1767 if ((host = host_find(env, id)) == NULL) 1768 fatalx("relay_dispatch_pfe: desynchronized"); 1769 if ((table = table_find(env, host->conf.tableid)) == 1770 NULL) 1771 fatalx("relay_dispatch_pfe: invalid table id"); 1772 if (host->up == HOST_UP) 1773 table->up--; 1774 host->flags |= F_DISABLE; 1775 host->up = HOST_UNKNOWN; 1776 break; 1777 case IMSG_HOST_ENABLE: 1778 memcpy(&id, imsg->data, sizeof(id)); 1779 if ((host = host_find(env, id)) == NULL) 1780 fatalx("relay_dispatch_pfe: desynchronized"); 1781 host->flags &= ~(F_DISABLE); 1782 host->up = HOST_UNKNOWN; 1783 break; 1784 case IMSG_TABLE_DISABLE: 1785 memcpy(&id, imsg->data, sizeof(id)); 1786 if ((table = table_find(env, id)) == NULL) 1787 fatalx("relay_dispatch_pfe: desynchronized"); 1788 table->conf.flags |= F_DISABLE; 1789 table->up = 0; 1790 TAILQ_FOREACH(host, &table->hosts, entry) 1791 host->up = HOST_UNKNOWN; 1792 break; 1793 case IMSG_TABLE_ENABLE: 1794 memcpy(&id, imsg->data, sizeof(id)); 1795 if ((table = table_find(env, id)) == NULL) 1796 fatalx("relay_dispatch_pfe: desynchronized"); 1797 table->conf.flags &= ~(F_DISABLE); 1798 table->up = 0; 1799 TAILQ_FOREACH(host, &table->hosts, entry) 1800 host->up = HOST_UNKNOWN; 1801 break; 1802 case IMSG_HOST_STATUS: 1803 IMSG_SIZE_CHECK(imsg, &st); 1804 memcpy(&st, imsg->data, sizeof(st)); 1805 if ((host = host_find(env, st.id)) == NULL) 1806 fatalx("relay_dispatch_pfe: invalid host id"); 1807 if (host->flags & F_DISABLE) 1808 break; 1809 if (host->up == st.up) { 1810 log_debug("%s: host %d => %d", __func__, 1811 host->conf.id, host->up); 1812 fatalx("relay_dispatch_pfe: desynchronized"); 1813 } 1814 1815 if ((table = table_find(env, host->conf.tableid)) 1816 == NULL) 1817 fatalx("relay_dispatch_pfe: invalid table id"); 1818 1819 DPRINTF("%s: [%d] state %d for " 1820 "host %u %s", __func__, proc_id, st.up, 1821 host->conf.id, host->conf.name); 1822 1823 if ((st.up == HOST_UNKNOWN && host->up == HOST_DOWN) || 1824 (st.up == HOST_DOWN && host->up == HOST_UNKNOWN)) { 1825 host->up = st.up; 1826 break; 1827 } 1828 if (st.up == HOST_UP) 1829 table->up++; 1830 else 1831 table->up--; 1832 host->up = st.up; 1833 break; 1834 case IMSG_NATLOOK: 1835 bcopy(imsg->data, &cnl, sizeof(cnl)); 1836 if ((con = session_find(env, cnl.id)) == NULL || 1837 con->se_cnl == NULL) { 1838 log_debug("%s: session %d: expired", 1839 __func__, cnl.id); 1840 break; 1841 } 1842 bcopy(&cnl, con->se_cnl, sizeof(*con->se_cnl)); 1843 evtimer_del(&con->se_ev); 1844 evtimer_set(&con->se_ev, relay_natlook, con); 1845 bzero(&tv, sizeof(tv)); 1846 evtimer_add(&con->se_ev, &tv); 1847 break; 1848 case IMSG_CTL_SESSION: 1849 IMSG_SIZE_CHECK(imsg, &cid); 1850 memcpy(&cid, imsg->data, sizeof(cid)); 1851 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 1852 SPLAY_FOREACH(con, session_tree, 1853 &rlay->rl_sessions) { 1854 memcpy(&se, con, sizeof(se)); 1855 se.se_cid = cid; 1856 proc_compose(env->sc_ps, p->p_id, 1857 IMSG_CTL_SESSION, &se, sizeof(se)); 1858 } 1859 } 1860 proc_compose(env->sc_ps, p->p_id, IMSG_CTL_END, 1861 &cid, sizeof(cid)); 1862 break; 1863 default: 1864 return (-1); 1865 } 1866 1867 return (0); 1868 } 1869 1870 int 1871 relay_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 1872 { 1873 return (-1); 1874 } 1875 1876 int 1877 relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1878 { 1879 struct rsession *con; 1880 struct timeval tv; 1881 objid_t id; 1882 1883 switch (imsg->hdr.type) { 1884 case IMSG_BINDANY: 1885 bcopy(imsg->data, &id, sizeof(id)); 1886 if ((con = session_find(env, id)) == NULL) { 1887 log_debug("%s: session %d: expired", 1888 __func__, id); 1889 break; 1890 } 1891 1892 /* Will validate the result later */ 1893 con->se_bnds = imsg->fd; 1894 1895 evtimer_del(&con->se_ev); 1896 evtimer_set(&con->se_ev, relay_bindany, con); 1897 bzero(&tv, sizeof(tv)); 1898 evtimer_add(&con->se_ev, &tv); 1899 break; 1900 case IMSG_CFG_TABLE: 1901 config_gettable(env, imsg); 1902 break; 1903 case IMSG_CFG_HOST: 1904 config_gethost(env, imsg); 1905 break; 1906 case IMSG_CFG_PROTO: 1907 config_getproto(env, imsg); 1908 break; 1909 case IMSG_CFG_RULE: 1910 config_getrule(env, imsg); 1911 break; 1912 case IMSG_CFG_RELAY: 1913 config_getrelay(env, imsg); 1914 break; 1915 case IMSG_CFG_RELAY_TABLE: 1916 config_getrelaytable(env, imsg); 1917 break; 1918 case IMSG_CFG_DONE: 1919 config_getcfg(env, imsg); 1920 break; 1921 case IMSG_CTL_START: 1922 relay_launch(); 1923 break; 1924 case IMSG_CTL_RESET: 1925 config_getreset(env, imsg); 1926 break; 1927 default: 1928 return (-1); 1929 } 1930 1931 return (0); 1932 } 1933 1934 void 1935 relay_tls_callback_info(const SSL *ssl, int where, int rc) 1936 { 1937 struct ctl_relay_event *cre; 1938 int tls_state; 1939 1940 cre = (struct ctl_relay_event *)SSL_get_app_data(ssl); 1941 1942 if (cre == NULL || cre->tlsreneg_state == TLSRENEG_ALLOW) 1943 return; 1944 1945 tls_state = SSL_get_state(ssl); 1946 1947 /* Check renegotiations */ 1948 if ((where & SSL_CB_ACCEPT_LOOP) && 1949 (cre->tlsreneg_state == TLSRENEG_DENY)) { 1950 if ((tls_state == SSL3_ST_SR_CLNT_HELLO_A) || 1951 (tls_state == SSL23_ST_SR_CLNT_HELLO_A)) { 1952 /* 1953 * This is a client initiated renegotiation 1954 * that we do not allow 1955 */ 1956 cre->tlsreneg_state = TLSRENEG_ABORT; 1957 } 1958 } else if ((where & SSL_CB_HANDSHAKE_DONE) && 1959 (cre->tlsreneg_state == TLSRENEG_INIT)) { 1960 /* 1961 * This is right after the first handshake, 1962 * disallow any further negotiations. 1963 */ 1964 cre->tlsreneg_state = TLSRENEG_DENY; 1965 } 1966 } 1967 1968 DH * 1969 relay_tls_get_dhparams(int keylen) 1970 { 1971 DH *dh; 1972 BIGNUM *(*prime)(BIGNUM *); 1973 const char *gen; 1974 1975 gen = "2"; 1976 if (keylen >= 8192) 1977 prime = get_rfc3526_prime_8192; 1978 else if (keylen >= 4096) 1979 prime = get_rfc3526_prime_4096; 1980 else if (keylen >= 3072) 1981 prime = get_rfc3526_prime_3072; 1982 else if (keylen >= 2048) 1983 prime = get_rfc3526_prime_2048; 1984 else if (keylen >= 1536) 1985 prime = get_rfc3526_prime_1536; 1986 else 1987 prime = get_rfc2409_prime_1024; 1988 1989 if ((dh = DH_new()) == NULL) 1990 return (NULL); 1991 1992 dh->p = (*prime)(NULL); 1993 BN_dec2bn(&dh->g, gen); 1994 1995 if (dh->p == NULL || dh->g == NULL) { 1996 DH_free(dh); 1997 return (NULL); 1998 } 1999 2000 return (dh); 2001 } 2002 2003 DH * 2004 relay_tls_callback_dh(SSL *ssl, int export, int keylen) 2005 { 2006 struct ctl_relay_event *cre; 2007 EVP_PKEY *pkey; 2008 int keytype, maxlen; 2009 DH *dh = NULL; 2010 2011 /* Get maximum key length from config */ 2012 if ((cre = (struct ctl_relay_event *)SSL_get_app_data(ssl)) == NULL) 2013 return (NULL); 2014 maxlen = cre->con->se_relay->rl_proto->tlsdhparams; 2015 2016 /* Get the private key length from the cert */ 2017 if ((pkey = SSL_get_privatekey(ssl))) { 2018 keytype = EVP_PKEY_type(pkey->type); 2019 if (keytype == EVP_PKEY_RSA || keytype == EVP_PKEY_DSA) 2020 keylen = EVP_PKEY_bits(pkey); 2021 else 2022 return (NULL); 2023 } 2024 2025 /* get built-in params based on the shorter key length */ 2026 dh = relay_tls_get_dhparams(MINIMUM(keylen, maxlen)); 2027 2028 return (dh); 2029 } 2030 2031 int 2032 relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 2033 { 2034 switch (imsg->hdr.type) { 2035 default: 2036 break; 2037 } 2038 2039 return (-1); 2040 } 2041 2042 SSL_CTX * 2043 relay_tls_ctx_create(struct relay *rlay) 2044 { 2045 struct protocol *proto = rlay->rl_proto; 2046 SSL_CTX *ctx; 2047 EC_KEY *ecdhkey; 2048 u_int8_t sid[SSL_MAX_SID_CTX_LENGTH]; 2049 2050 ctx = SSL_CTX_new(SSLv23_method()); 2051 if (ctx == NULL) 2052 goto err; 2053 2054 /* Modify session timeout and cache size*/ 2055 SSL_CTX_set_timeout(ctx, 2056 (long)MINIMUM(rlay->rl_conf.timeout.tv_sec, LONG_MAX)); 2057 if (proto->cache < -1) { 2058 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 2059 } else if (proto->cache >= -1) { 2060 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); 2061 if (proto->cache >= 0) 2062 SSL_CTX_sess_set_cache_size(ctx, proto->cache); 2063 } 2064 2065 /* Enable all workarounds and set SSL options */ 2066 SSL_CTX_set_options(ctx, SSL_OP_ALL); 2067 SSL_CTX_set_options(ctx, 2068 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); 2069 if (proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF) 2070 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 2071 2072 /* Set the allowed SSL protocols */ 2073 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); 2074 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); 2075 if ((proto->tlsflags & TLSFLAG_SSLV3) == 0) 2076 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); 2077 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); 2078 if ((proto->tlsflags & TLSFLAG_TLSV1_0) == 0) 2079 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); 2080 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); 2081 if ((proto->tlsflags & TLSFLAG_TLSV1_1) == 0) 2082 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); 2083 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); 2084 if ((proto->tlsflags & TLSFLAG_TLSV1_2) == 0) 2085 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); 2086 2087 /* add the SSL info callback */ 2088 SSL_CTX_set_info_callback(ctx, relay_tls_callback_info); 2089 2090 if (proto->tlsecdhcurve > 0) { 2091 /* Enable ECDHE support for TLS perfect forward secrecy */ 2092 if ((ecdhkey = 2093 EC_KEY_new_by_curve_name(proto->tlsecdhcurve)) == NULL) 2094 goto err; 2095 SSL_CTX_set_tmp_ecdh(ctx, ecdhkey); 2096 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); 2097 EC_KEY_free(ecdhkey); 2098 } 2099 2100 if (proto->tlsdhparams > 0) { 2101 /* Enable EDH params (forward secrecy for older clients) */ 2102 SSL_CTX_set_tmp_dh_callback(ctx, relay_tls_callback_dh); 2103 } 2104 2105 if (!SSL_CTX_set_cipher_list(ctx, proto->tlsciphers)) 2106 goto err; 2107 2108 /* Verify the server certificate if we have a CA chain */ 2109 if ((rlay->rl_conf.flags & F_TLSCLIENT) && 2110 (rlay->rl_tls_ca != NULL)) { 2111 if (!SSL_CTX_load_verify_mem(ctx, 2112 rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)) 2113 goto err; 2114 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 2115 } 2116 2117 if ((rlay->rl_conf.flags & F_TLS) == 0) 2118 return (ctx); 2119 2120 log_debug("%s: loading certificate", __func__); 2121 if (!SSL_CTX_use_certificate_chain_mem(ctx, 2122 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len)) 2123 goto err; 2124 2125 log_debug("%s: loading private key", __func__); 2126 if (!ssl_ctx_fake_private_key(ctx, 2127 &rlay->rl_conf.tls_keyid, sizeof(rlay->rl_conf.tls_keyid), 2128 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len, 2129 &rlay->rl_tls_x509, &rlay->rl_tls_pkey)) 2130 goto err; 2131 2132 if (!SSL_CTX_check_private_key(ctx)) 2133 goto err; 2134 2135 if (rlay->rl_conf.tls_cacert_len) { 2136 log_debug("%s: loading CA private key", __func__); 2137 if (!ssl_load_pkey(&rlay->rl_conf.tls_cakeyid, 2138 sizeof(rlay->rl_conf.tls_cakeyid), 2139 rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len, 2140 &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey)) 2141 goto err; 2142 } 2143 2144 /* 2145 * Set session ID context to a random value. We don't support 2146 * persistent caching of sessions so it is OK to set a temporary 2147 * session ID context that is valid during run time. 2148 */ 2149 arc4random_buf(sid, sizeof(sid)); 2150 if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid))) 2151 goto err; 2152 2153 /* The text versions of the keys/certs are not needed anymore */ 2154 purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); 2155 purge_key(&rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len); 2156 2157 return (ctx); 2158 2159 err: 2160 SSL_CTX_free(ctx); 2161 ssl_error(rlay->rl_conf.name, "relay_tls_ctx_create"); 2162 return (NULL); 2163 } 2164 2165 void 2166 relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre) 2167 { 2168 struct relay *rlay = con->se_relay; 2169 struct protocol *proto = rlay->rl_proto; 2170 SSL *ssl; 2171 const SSL_METHOD *method; 2172 void (*cb)(int, short, void *); 2173 u_int flag; 2174 2175 ssl = SSL_new(rlay->rl_ssl_ctx); 2176 if (ssl == NULL) 2177 goto err; 2178 2179 if (cre->dir == RELAY_DIR_REQUEST) { 2180 cb = relay_tls_accept; 2181 method = SSLv23_server_method(); 2182 flag = EV_READ; 2183 2184 /* Use session-specific certificate for TLS inspection. */ 2185 if (cre->tlscert != NULL) 2186 SSL_use_certificate(ssl, cre->tlscert); 2187 } else { 2188 cb = relay_tls_connect; 2189 method = SSLv23_client_method(); 2190 flag = EV_WRITE; 2191 } 2192 2193 if (!SSL_set_ssl_method(ssl, method)) 2194 goto err; 2195 if (!SSL_set_fd(ssl, cre->s)) 2196 goto err; 2197 2198 if (cre->dir == RELAY_DIR_REQUEST) { 2199 if ((proto->tlsflags & TLSFLAG_CLIENT_RENEG) == 0) 2200 /* Only allow negotiation during the first handshake */ 2201 cre->tlsreneg_state = TLSRENEG_INIT; 2202 else 2203 /* Allow client initiated renegotiations */ 2204 cre->tlsreneg_state = TLSRENEG_ALLOW; 2205 SSL_set_accept_state(ssl); 2206 } else { 2207 /* Always allow renegotiations if we're the client */ 2208 cre->tlsreneg_state = TLSRENEG_ALLOW; 2209 SSL_set_connect_state(ssl); 2210 } 2211 2212 SSL_set_app_data(ssl, cre); 2213 cre->ssl = ssl; 2214 2215 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2216 (flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2217 event_again(&con->se_ev, cre->s, EV_TIMEOUT|flag, cb, 2218 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2219 return; 2220 2221 err: 2222 SSL_free(ssl); 2223 ssl_error(rlay->rl_conf.name, "relay_tls_transaction"); 2224 relay_close(con, "session tls failed"); 2225 } 2226 2227 void 2228 relay_tls_accept(int fd, short event, void *arg) 2229 { 2230 struct rsession *con = arg; 2231 struct relay *rlay = con->se_relay; 2232 int retry_flag = 0; 2233 int tls_err = 0; 2234 int ret; 2235 2236 if (event == EV_TIMEOUT) { 2237 relay_close(con, "TLS accept timeout"); 2238 return; 2239 } 2240 2241 ret = SSL_accept(con->se_in.ssl); 2242 if (ret <= 0) { 2243 tls_err = SSL_get_error(con->se_in.ssl, ret); 2244 2245 switch (tls_err) { 2246 case SSL_ERROR_WANT_READ: 2247 retry_flag = EV_READ; 2248 goto retry; 2249 case SSL_ERROR_WANT_WRITE: 2250 retry_flag = EV_WRITE; 2251 goto retry; 2252 case SSL_ERROR_ZERO_RETURN: 2253 case SSL_ERROR_SYSCALL: 2254 if (ret == 0) { 2255 relay_close(con, "closed"); 2256 return; 2257 } 2258 /* FALLTHROUGH */ 2259 default: 2260 ssl_error(rlay->rl_conf.name, "relay_tls_accept"); 2261 relay_close(con, "TLS accept error"); 2262 return; 2263 } 2264 } 2265 2266 2267 #ifdef DEBUG 2268 log_info( 2269 #else 2270 log_debug( 2271 #endif 2272 "relay %s, session %d established (%d active)", 2273 rlay->rl_conf.name, con->se_id, relay_sessions); 2274 2275 relay_session(con); 2276 return; 2277 2278 retry: 2279 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2280 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2281 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_accept, 2282 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2283 } 2284 2285 void 2286 relay_tls_connect(int fd, short event, void *arg) 2287 { 2288 struct rsession *con = arg; 2289 struct relay *rlay = con->se_relay; 2290 int retry_flag = 0; 2291 int tls_err = 0; 2292 int ret; 2293 X509 *servercert = NULL; 2294 2295 if (event == EV_TIMEOUT) { 2296 relay_close(con, "TLS connect timeout"); 2297 return; 2298 } 2299 2300 ret = SSL_connect(con->se_out.ssl); 2301 if (ret <= 0) { 2302 tls_err = SSL_get_error(con->se_out.ssl, ret); 2303 2304 switch (tls_err) { 2305 case SSL_ERROR_WANT_READ: 2306 retry_flag = EV_READ; 2307 goto retry; 2308 case SSL_ERROR_WANT_WRITE: 2309 retry_flag = EV_WRITE; 2310 goto retry; 2311 case SSL_ERROR_ZERO_RETURN: 2312 case SSL_ERROR_SYSCALL: 2313 if (ret == 0) { 2314 relay_close(con, "closed"); 2315 return; 2316 } 2317 /* FALLTHROUGH */ 2318 default: 2319 ssl_error(rlay->rl_conf.name, "relay_tls_connect"); 2320 relay_close(con, "TLS connect error"); 2321 return; 2322 } 2323 } 2324 2325 #ifdef DEBUG 2326 log_info( 2327 #else 2328 log_debug( 2329 #endif 2330 "relay %s, tls session %d connected (%d active)", 2331 rlay->rl_conf.name, con->se_id, relay_sessions); 2332 2333 if (rlay->rl_conf.flags & F_TLSINSPECT) { 2334 if ((servercert = 2335 SSL_get_peer_certificate(con->se_out.ssl)) != NULL) { 2336 con->se_in.tlscert = 2337 ssl_update_certificate(servercert, 2338 rlay->rl_tls_pkey, rlay->rl_tls_capkey, 2339 rlay->rl_tls_cacertx509); 2340 } else 2341 con->se_in.tlscert = NULL; 2342 if (servercert != NULL) 2343 X509_free(servercert); 2344 if (con->se_in.tlscert == NULL) 2345 relay_close(con, "could not create certificate"); 2346 else 2347 relay_session(con); 2348 return; 2349 } 2350 2351 relay_connected(fd, EV_WRITE, con); 2352 return; 2353 2354 retry: 2355 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2356 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2357 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_connect, 2358 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2359 } 2360 2361 void 2362 relay_tls_connected(struct ctl_relay_event *cre) 2363 { 2364 /* 2365 * Hack libevent - we overwrite the internal bufferevent I/O 2366 * functions to handle the TLS abstraction. 2367 */ 2368 event_set(&cre->bev->ev_read, cre->s, EV_READ, 2369 relay_tls_readcb, cre->bev); 2370 event_set(&cre->bev->ev_write, cre->s, EV_WRITE, 2371 relay_tls_writecb, cre->bev); 2372 } 2373 2374 void 2375 relay_tls_readcb(int fd, short event, void *arg) 2376 { 2377 char rbuf[IBUF_READ_SIZE]; 2378 struct bufferevent *bufev = arg; 2379 struct ctl_relay_event *cre = bufev->cbarg; 2380 struct rsession *con = cre->con; 2381 struct relay *rlay = con->se_relay; 2382 int ret = 0, tls_err = 0; 2383 short what = EVBUFFER_READ; 2384 int howmuch = IBUF_READ_SIZE; 2385 size_t len; 2386 2387 if (event == EV_TIMEOUT) { 2388 what |= EVBUFFER_TIMEOUT; 2389 goto err; 2390 } 2391 2392 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2393 what |= EVBUFFER_ERROR; 2394 goto err; 2395 } 2396 2397 if (bufev->wm_read.high != 0) 2398 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 2399 2400 ret = SSL_read(cre->ssl, rbuf, howmuch); 2401 if (ret <= 0) { 2402 tls_err = SSL_get_error(cre->ssl, ret); 2403 2404 switch (tls_err) { 2405 case SSL_ERROR_WANT_READ: 2406 DPRINTF("%s: session %d: want read", 2407 __func__, con->se_id); 2408 goto retry; 2409 case SSL_ERROR_WANT_WRITE: 2410 DPRINTF("%s: session %d: want write", 2411 __func__, con->se_id); 2412 goto retry; 2413 default: 2414 if (ret == 0) 2415 what |= EVBUFFER_EOF; 2416 else { 2417 ssl_error(rlay->rl_conf.name, 2418 "relay_tls_readcb"); 2419 what |= EVBUFFER_ERROR; 2420 } 2421 goto err; 2422 } 2423 } 2424 2425 if (evbuffer_add(bufev->input, rbuf, ret) == -1) { 2426 what |= EVBUFFER_ERROR; 2427 goto err; 2428 } 2429 2430 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2431 2432 len = EVBUFFER_LENGTH(bufev->input); 2433 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 2434 return; 2435 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 2436 struct evbuffer *buf = bufev->input; 2437 event_del(&bufev->ev_read); 2438 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 2439 return; 2440 } 2441 2442 if (bufev->readcb != NULL) 2443 (*bufev->readcb)(bufev, bufev->cbarg); 2444 return; 2445 2446 retry: 2447 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2448 return; 2449 2450 err: 2451 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2452 } 2453 2454 void 2455 relay_tls_writecb(int fd, short event, void *arg) 2456 { 2457 struct bufferevent *bufev = arg; 2458 struct ctl_relay_event *cre = bufev->cbarg; 2459 struct rsession *con = cre->con; 2460 struct relay *rlay = con->se_relay; 2461 int ret = 0, tls_err; 2462 short what = EVBUFFER_WRITE; 2463 2464 if (event == EV_TIMEOUT) { 2465 what |= EVBUFFER_TIMEOUT; 2466 goto err; 2467 } 2468 2469 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2470 what |= EVBUFFER_ERROR; 2471 goto err; 2472 } 2473 2474 if (EVBUFFER_LENGTH(bufev->output)) { 2475 if (cre->buf == NULL) { 2476 cre->buflen = EVBUFFER_LENGTH(bufev->output); 2477 if ((cre->buf = malloc(cre->buflen)) == NULL) { 2478 what |= EVBUFFER_ERROR; 2479 goto err; 2480 } 2481 bcopy(EVBUFFER_DATA(bufev->output), 2482 cre->buf, cre->buflen); 2483 } 2484 2485 ret = SSL_write(cre->ssl, cre->buf, cre->buflen); 2486 if (ret <= 0) { 2487 tls_err = SSL_get_error(cre->ssl, ret); 2488 2489 switch (tls_err) { 2490 case SSL_ERROR_WANT_READ: 2491 DPRINTF("%s: session %d: want read", 2492 __func__, con->se_id); 2493 goto retry; 2494 case SSL_ERROR_WANT_WRITE: 2495 DPRINTF("%s: session %d: want write", 2496 __func__, con->se_id); 2497 goto retry; 2498 default: 2499 if (ret == 0) 2500 what |= EVBUFFER_EOF; 2501 else { 2502 ssl_error(rlay->rl_conf.name, 2503 "relay_tls_writecb"); 2504 what |= EVBUFFER_ERROR; 2505 } 2506 goto err; 2507 } 2508 } 2509 evbuffer_drain(bufev->output, ret); 2510 } 2511 if (cre->buf != NULL) { 2512 free(cre->buf); 2513 cre->buf = NULL; 2514 cre->buflen = 0; 2515 } 2516 2517 if (EVBUFFER_LENGTH(bufev->output) != 0) 2518 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2519 2520 if (bufev->writecb != NULL && 2521 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 2522 (*bufev->writecb)(bufev, bufev->cbarg); 2523 return; 2524 2525 retry: 2526 if (cre->buflen != 0) 2527 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2528 return; 2529 2530 err: 2531 if (cre->buf != NULL) { 2532 free(cre->buf); 2533 cre->buf = NULL; 2534 cre->buflen = 0; 2535 } 2536 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2537 } 2538 2539 int 2540 relay_bufferevent_add(struct event *ev, int timeout) 2541 { 2542 struct timeval tv, *ptv = NULL; 2543 2544 if (timeout) { 2545 timerclear(&tv); 2546 tv.tv_sec = timeout; 2547 ptv = &tv; 2548 } 2549 2550 return (event_add(ev, ptv)); 2551 } 2552 2553 #ifdef notyet 2554 int 2555 relay_bufferevent_printf(struct ctl_relay_event *cre, const char *fmt, ...) 2556 { 2557 int ret; 2558 va_list ap; 2559 2560 va_start(ap, fmt); 2561 ret = evbuffer_add_vprintf(cre->output, fmt, ap); 2562 va_end(ap); 2563 2564 if (cre->bev != NULL && 2565 ret != -1 && EVBUFFER_LENGTH(cre->output) > 0 && 2566 (cre->bev->enabled & EV_WRITE)) 2567 bufferevent_enable(cre->bev, EV_WRITE); 2568 2569 return (ret); 2570 } 2571 #endif 2572 2573 int 2574 relay_bufferevent_print(struct ctl_relay_event *cre, const char *str) 2575 { 2576 if (cre->bev == NULL) 2577 return (evbuffer_add(cre->output, str, strlen(str))); 2578 return (bufferevent_write(cre->bev, str, strlen(str))); 2579 } 2580 2581 int 2582 relay_bufferevent_write_buffer(struct ctl_relay_event *cre, 2583 struct evbuffer *buf) 2584 { 2585 if (cre->bev == NULL) 2586 return (evbuffer_add_buffer(cre->output, buf)); 2587 return (bufferevent_write_buffer(cre->bev, buf)); 2588 } 2589 2590 int 2591 relay_bufferevent_write_chunk(struct ctl_relay_event *cre, 2592 struct evbuffer *buf, size_t size) 2593 { 2594 int ret; 2595 ret = relay_bufferevent_write(cre, buf->buffer, size); 2596 if (ret != -1) 2597 evbuffer_drain(buf, size); 2598 return (ret); 2599 } 2600 2601 int 2602 relay_bufferevent_write(struct ctl_relay_event *cre, void *data, size_t size) 2603 { 2604 if (cre->bev == NULL) 2605 return (evbuffer_add(cre->output, data, size)); 2606 return (bufferevent_write(cre->bev, data, size)); 2607 } 2608 2609 int 2610 relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b) 2611 { 2612 int ret = -1; 2613 struct sockaddr_in ia, ib; 2614 struct sockaddr_in6 ia6, ib6; 2615 2616 switch (a->ss_family) { 2617 case AF_INET: 2618 bcopy(a, &ia, sizeof(struct sockaddr_in)); 2619 bcopy(b, &ib, sizeof(struct sockaddr_in)); 2620 2621 ret = memcmp(&ia.sin_addr, &ib.sin_addr, 2622 sizeof(ia.sin_addr)); 2623 if (ret == 0) 2624 ret = memcmp(&ia.sin_port, &ib.sin_port, 2625 sizeof(ia.sin_port)); 2626 break; 2627 case AF_INET6: 2628 bcopy(a, &ia6, sizeof(struct sockaddr_in6)); 2629 bcopy(b, &ib6, sizeof(struct sockaddr_in6)); 2630 2631 ret = memcmp(&ia6.sin6_addr, &ib6.sin6_addr, 2632 sizeof(ia6.sin6_addr)); 2633 if (ret == 0) 2634 ret = memcmp(&ia6.sin6_port, &ib6.sin6_port, 2635 sizeof(ia6.sin6_port)); 2636 break; 2637 default: 2638 break; 2639 } 2640 2641 return (ret); 2642 } 2643 2644 char * 2645 relay_load_file(const char *name, off_t *len) 2646 { 2647 struct stat st; 2648 off_t size; 2649 u_int8_t *buf = NULL; 2650 int fd; 2651 2652 if ((fd = open(name, O_RDONLY)) == -1) 2653 return (NULL); 2654 if (fstat(fd, &st) != 0) 2655 goto fail; 2656 size = st.st_size; 2657 if ((buf = calloc(1, size + 1)) == NULL) 2658 goto fail; 2659 if (read(fd, buf, size) != size) 2660 goto fail; 2661 2662 close(fd); 2663 2664 *len = size; 2665 return (buf); 2666 2667 fail: 2668 free(buf); 2669 close(fd); 2670 return (NULL); 2671 } 2672 2673 int 2674 relay_load_certfiles(struct relay *rlay) 2675 { 2676 char certfile[PATH_MAX]; 2677 char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")]; 2678 struct protocol *proto = rlay->rl_proto; 2679 int useport = htons(rlay->rl_conf.port); 2680 2681 if (rlay->rl_conf.flags & F_TLSCLIENT) { 2682 if (strlen(proto->tlsca)) { 2683 if ((rlay->rl_tls_ca = 2684 relay_load_file(proto->tlsca, 2685 &rlay->rl_conf.tls_ca_len)) == NULL) 2686 return (-1); 2687 log_debug("%s: using ca %s", __func__, proto->tlsca); 2688 } 2689 if (strlen(proto->tlscacert)) { 2690 if ((rlay->rl_tls_cacert = 2691 relay_load_file(proto->tlscacert, 2692 &rlay->rl_conf.tls_cacert_len)) == NULL) 2693 return (-1); 2694 log_debug("%s: using ca certificate %s", __func__, 2695 proto->tlscacert); 2696 } 2697 if (strlen(proto->tlscakey) && proto->tlscapass != NULL) { 2698 if ((rlay->rl_tls_cakey = 2699 ssl_load_key(env, proto->tlscakey, 2700 &rlay->rl_conf.tls_cakey_len, 2701 proto->tlscapass)) == NULL) 2702 return (-1); 2703 log_debug("%s: using ca key %s", __func__, 2704 proto->tlscakey); 2705 } 2706 } 2707 2708 if ((rlay->rl_conf.flags & F_TLS) == 0) 2709 return (0); 2710 2711 if (print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 2712 return (-1); 2713 2714 if (snprintf(certfile, sizeof(certfile), 2715 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 2716 return (-1); 2717 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2718 &rlay->rl_conf.tls_cert_len)) == NULL) { 2719 if (snprintf(certfile, sizeof(certfile), 2720 "/etc/ssl/%s.crt", hbuf) == -1) 2721 return (-1); 2722 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2723 &rlay->rl_conf.tls_cert_len)) == NULL) 2724 return (-1); 2725 useport = 0; 2726 } 2727 log_debug("%s: using certificate %s", __func__, certfile); 2728 2729 if (useport) { 2730 if (snprintf(certfile, sizeof(certfile), 2731 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 2732 return -1; 2733 } else { 2734 if (snprintf(certfile, sizeof(certfile), 2735 "/etc/ssl/private/%s.key", hbuf) == -1) 2736 return -1; 2737 } 2738 if ((rlay->rl_tls_key = ssl_load_key(env, certfile, 2739 &rlay->rl_conf.tls_key_len, NULL)) == NULL) 2740 return (-1); 2741 log_debug("%s: using private key %s", __func__, certfile); 2742 2743 return (0); 2744 } 2745 2746 int 2747 relay_session_cmp(struct rsession *a, struct rsession *b) 2748 { 2749 struct relay *rlay = b->se_relay; 2750 struct protocol *proto = rlay->rl_proto; 2751 2752 if (proto != NULL && proto->cmp != NULL) 2753 return ((*proto->cmp)(a, b)); 2754 2755 return ((int)a->se_id - b->se_id); 2756 } 2757 2758 void 2759 relay_log(struct rsession *con, char *msg) 2760 { 2761 if (con->se_haslog && con->se_log != NULL) { 2762 evbuffer_add(con->se_log, msg, strlen(msg)); 2763 } 2764 } 2765 2766 SPLAY_GENERATE(session_tree, rsession, se_nodes, relay_session_cmp); 2767