1 /* $OpenBSD: relay.c,v 1.214 2016/09/23 12:06:15 jsg Exp $ */ 2 3 /* 4 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/types.h> 20 #include <sys/queue.h> 21 #include <sys/time.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/tree.h> 25 26 #include <netinet/in.h> 27 #include <netinet/tcp.h> 28 #include <arpa/inet.h> 29 30 #include <limits.h> 31 #include <poll.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <errno.h> 35 #include <fcntl.h> 36 #include <string.h> 37 #include <unistd.h> 38 #include <event.h> 39 #include <siphash.h> 40 #include <imsg.h> 41 42 #include <openssl/dh.h> 43 #include <openssl/ssl.h> 44 45 #include "relayd.h" 46 47 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 48 49 void relay_statistics(int, short, void *); 50 int relay_dispatch_parent(int, struct privsep_proc *, 51 struct imsg *); 52 int relay_dispatch_pfe(int, struct privsep_proc *, 53 struct imsg *); 54 int relay_dispatch_ca(int, struct privsep_proc *, 55 struct imsg *); 56 int relay_dispatch_hce(int, struct privsep_proc *, 57 struct imsg *); 58 void relay_shutdown(void); 59 60 void relay_protodebug(struct relay *); 61 void relay_ruledebug(struct relay_rule *); 62 void relay_init(struct privsep *, struct privsep_proc *p, void *); 63 void relay_launch(void); 64 int relay_socket(struct sockaddr_storage *, in_port_t, 65 struct protocol *, int, int); 66 int relay_socket_listen(struct sockaddr_storage *, in_port_t, 67 struct protocol *); 68 int relay_socket_connect(struct sockaddr_storage *, in_port_t, 69 struct protocol *, int); 70 71 void relay_accept(int, short, void *); 72 void relay_input(struct rsession *); 73 74 void relay_hash_addr(SIPHASH_CTX *, struct sockaddr_storage *, int); 75 76 DH * relay_tls_get_dhparams(int); 77 void relay_tls_callback_info(const SSL *, int, int); 78 DH *relay_tls_callback_dh(SSL *, int, int); 79 SSL_CTX *relay_tls_ctx_create(struct relay *); 80 void relay_tls_transaction(struct rsession *, 81 struct ctl_relay_event *); 82 void relay_tls_accept(int, short, void *); 83 void relay_connect_retry(int, short, void *); 84 void relay_tls_connect(int, short, void *); 85 void relay_tls_connected(struct ctl_relay_event *); 86 void relay_tls_readcb(int, short, void *); 87 void relay_tls_writecb(int, short, void *); 88 89 struct tls_ticket *relay_get_ticket_key(unsigned char *); 90 int relay_tls_session_ticket(SSL *, unsigned char *, 91 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int); 92 93 char *relay_load_file(const char *, off_t *); 94 extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 95 size_t, void *); 96 97 volatile int relay_sessions; 98 volatile int relay_inflight = 0; 99 objid_t relay_conid; 100 101 static struct relayd *env = NULL; 102 103 static struct privsep_proc procs[] = { 104 { "parent", PROC_PARENT, relay_dispatch_parent }, 105 { "pfe", PROC_PFE, relay_dispatch_pfe }, 106 { "ca", PROC_CA, relay_dispatch_ca }, 107 { "hce", PROC_HCE, relay_dispatch_hce }, 108 }; 109 110 void 111 relay(struct privsep *ps, struct privsep_proc *p) 112 { 113 env = ps->ps_env; 114 proc_run(ps, p, procs, nitems(procs), relay_init, NULL); 115 relay_http(env); 116 } 117 118 void 119 relay_shutdown(void) 120 { 121 config_purge(env, CONFIG_ALL); 122 usleep(200); /* XXX relay needs to shutdown last */ 123 } 124 125 void 126 relay_ruledebug(struct relay_rule *rule) 127 { 128 struct kv *kv = NULL; 129 u_int i; 130 131 fprintf(stderr, "\t\t"); 132 133 switch (rule->rule_action) { 134 case RULE_ACTION_MATCH: 135 fprintf(stderr, "match "); 136 break; 137 case RULE_ACTION_BLOCK: 138 fprintf(stderr, "block "); 139 break; 140 case RULE_ACTION_PASS: 141 fprintf(stderr, "pass "); 142 break; 143 } 144 145 switch (rule->rule_dir) { 146 case RELAY_DIR_ANY: 147 break; 148 case RELAY_DIR_REQUEST: 149 fprintf(stderr, "request "); 150 break; 151 case RELAY_DIR_RESPONSE: 152 fprintf(stderr, "response "); 153 break; 154 default: 155 return; 156 /* NOTREACHED */ 157 break; 158 } 159 160 if (rule->rule_flags & RULE_FLAG_QUICK) 161 fprintf(stderr, "quick "); 162 163 for (i = 1; i < KEY_TYPE_MAX; i++) { 164 kv = &rule->rule_kv[i]; 165 if (kv->kv_type != i) 166 continue; 167 168 switch (kv->kv_type) { 169 case KEY_TYPE_COOKIE: 170 fprintf(stderr, "cookie "); 171 break; 172 case KEY_TYPE_HEADER: 173 fprintf(stderr, "header "); 174 break; 175 case KEY_TYPE_PATH: 176 fprintf(stderr, "path "); 177 break; 178 case KEY_TYPE_QUERY: 179 fprintf(stderr, "query "); 180 break; 181 case KEY_TYPE_URL: 182 fprintf(stderr, "url "); 183 break; 184 default: 185 continue; 186 } 187 188 switch (kv->kv_option) { 189 case KEY_OPTION_APPEND: 190 fprintf(stderr, "append "); 191 break; 192 case KEY_OPTION_SET: 193 fprintf(stderr, "set "); 194 break; 195 case KEY_OPTION_REMOVE: 196 fprintf(stderr, "remove "); 197 break; 198 case KEY_OPTION_HASH: 199 fprintf(stderr, "hash "); 200 break; 201 case KEY_OPTION_LOG: 202 fprintf(stderr, "log "); 203 break; 204 case KEY_OPTION_NONE: 205 break; 206 } 207 208 switch (kv->kv_digest) { 209 case DIGEST_SHA1: 210 case DIGEST_MD5: 211 fprintf(stderr, "digest "); 212 break; 213 default: 214 break; 215 } 216 217 fprintf(stderr, "%s%s%s%s%s%s ", 218 kv->kv_key == NULL ? "" : "\"", 219 kv->kv_key == NULL ? "" : kv->kv_key, 220 kv->kv_key == NULL ? "" : "\"", 221 kv->kv_value == NULL ? "" : " value \"", 222 kv->kv_value == NULL ? "" : kv->kv_value, 223 kv->kv_value == NULL ? "" : "\""); 224 } 225 226 if (rule->rule_tablename[0]) 227 fprintf(stderr, "forward to <%s> ", rule->rule_tablename); 228 229 if (rule->rule_tag == -1) 230 fprintf(stderr, "no tag "); 231 else if (rule->rule_tag && rule->rule_tagname[0]) 232 fprintf(stderr, "tag \"%s\" ", 233 rule->rule_tagname); 234 235 if (rule->rule_tagged && rule->rule_taggedname[0]) 236 fprintf(stderr, "tagged \"%s\" ", 237 rule->rule_taggedname); 238 239 if (rule->rule_label == -1) 240 fprintf(stderr, "no label "); 241 else if (rule->rule_label && rule->rule_labelname[0]) 242 fprintf(stderr, "label \"%s\" ", 243 rule->rule_labelname); 244 245 fprintf(stderr, "\n"); 246 } 247 248 void 249 relay_protodebug(struct relay *rlay) 250 { 251 struct protocol *proto = rlay->rl_proto; 252 struct relay_rule *rule = NULL; 253 254 fprintf(stderr, "protocol %d: name %s\n", 255 proto->id, proto->name); 256 fprintf(stderr, "\tflags: %s, relay flags: %s\n", 257 printb_flags(proto->flags, F_BITS), 258 printb_flags(rlay->rl_conf.flags, F_BITS)); 259 if (proto->tcpflags) 260 fprintf(stderr, "\ttcp flags: %s\n", 261 printb_flags(proto->tcpflags, TCPFLAG_BITS)); 262 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && proto->tlsflags) 263 fprintf(stderr, "\ttls flags: %s\n", 264 printb_flags(proto->tlsflags, TLSFLAG_BITS)); 265 fprintf(stderr, "\ttls session tickets: %s\n", 266 (proto->tickets > -1) ? "enabled" : "disabled"); 267 fprintf(stderr, "\ttype: "); 268 switch (proto->type) { 269 case RELAY_PROTO_TCP: 270 fprintf(stderr, "tcp\n"); 271 break; 272 case RELAY_PROTO_HTTP: 273 fprintf(stderr, "http\n"); 274 break; 275 case RELAY_PROTO_DNS: 276 fprintf(stderr, "dns\n"); 277 break; 278 } 279 280 rule = TAILQ_FIRST(&proto->rules); 281 while (rule != NULL) { 282 relay_ruledebug(rule); 283 rule = TAILQ_NEXT(rule, rule_entry); 284 } 285 } 286 287 int 288 relay_privinit(struct relay *rlay) 289 { 290 extern int debug; 291 292 log_debug("%s: adding relay %s", __func__, rlay->rl_conf.name); 293 294 if (debug) 295 relay_protodebug(rlay); 296 297 switch (rlay->rl_proto->type) { 298 case RELAY_PROTO_DNS: 299 relay_udp_privinit(env, rlay); 300 break; 301 case RELAY_PROTO_TCP: 302 break; 303 case RELAY_PROTO_HTTP: 304 break; 305 } 306 307 if (rlay->rl_conf.flags & F_UDP) 308 rlay->rl_s = relay_udp_bind(&rlay->rl_conf.ss, 309 rlay->rl_conf.port, rlay->rl_proto); 310 else 311 rlay->rl_s = relay_socket_listen(&rlay->rl_conf.ss, 312 rlay->rl_conf.port, rlay->rl_proto); 313 if (rlay->rl_s == -1) 314 return (-1); 315 316 return (0); 317 } 318 319 void 320 relay_init(struct privsep *ps, struct privsep_proc *p, void *arg) 321 { 322 struct timeval tv; 323 324 if (config_init(ps->ps_env) == -1) 325 fatal("failed to initialize configuration"); 326 327 /* We use a custom shutdown callback */ 328 p->p_shutdown = relay_shutdown; 329 330 /* Unlimited file descriptors (use system limits) */ 331 socket_rlimit(-1); 332 333 if (pledge("stdio recvfd inet", NULL) == -1) 334 fatal("pledge"); 335 336 /* Schedule statistics timer */ 337 evtimer_set(&env->sc_statev, relay_statistics, ps); 338 bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv)); 339 evtimer_add(&env->sc_statev, &tv); 340 } 341 342 void 343 relay_session_publish(struct rsession *s) 344 { 345 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_PUBLISH, s, sizeof(*s)); 346 } 347 348 void 349 relay_session_unpublish(struct rsession *s) 350 { 351 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_UNPUBLISH, 352 &s->se_id, sizeof(s->se_id)); 353 } 354 355 void 356 relay_statistics(int fd, short events, void *arg) 357 { 358 struct privsep *ps = arg; 359 struct relay *rlay; 360 struct ctl_stats crs, *cur; 361 struct timeval tv, tv_now; 362 int resethour = 0, resetday = 0; 363 struct rsession *con, *next_con; 364 365 /* 366 * This is a hack to calculate some average statistics. 367 * It doesn't try to be very accurate, but could be improved... 368 */ 369 370 timerclear(&tv); 371 getmonotime(&tv_now); 372 373 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 374 bzero(&crs, sizeof(crs)); 375 resethour = resetday = 0; 376 377 cur = &rlay->rl_stats[ps->ps_instance]; 378 cur->cnt += cur->last; 379 cur->tick++; 380 cur->avg = (cur->last + cur->avg) / 2; 381 cur->last_hour += cur->last; 382 if ((cur->tick % 383 (3600 / env->sc_conf.statinterval.tv_sec)) == 0) { 384 cur->avg_hour = (cur->last_hour + cur->avg_hour) / 2; 385 resethour++; 386 } 387 cur->last_day += cur->last; 388 if ((cur->tick % 389 (86400 / env->sc_conf.statinterval.tv_sec)) == 0) { 390 cur->avg_day = (cur->last_day + cur->avg_day) / 2; 391 resethour++; 392 } 393 bcopy(cur, &crs, sizeof(crs)); 394 395 cur->last = 0; 396 if (resethour) 397 cur->last_hour = 0; 398 if (resetday) 399 cur->last_day = 0; 400 401 crs.id = rlay->rl_conf.id; 402 crs.proc = ps->ps_instance; 403 proc_compose(env->sc_ps, PROC_PFE, IMSG_STATISTICS, 404 &crs, sizeof(crs)); 405 406 for (con = SPLAY_ROOT(&rlay->rl_sessions); 407 con != NULL; con = next_con) { 408 next_con = SPLAY_NEXT(session_tree, 409 &rlay->rl_sessions, con); 410 timersub(&tv_now, &con->se_tv_last, &tv); 411 if (timercmp(&tv, &rlay->rl_conf.timeout, >=)) 412 relay_close(con, "hard timeout"); 413 } 414 } 415 416 /* Schedule statistics timer */ 417 evtimer_set(&env->sc_statev, relay_statistics, ps); 418 bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv)); 419 evtimer_add(&env->sc_statev, &tv); 420 } 421 422 void 423 relay_launch(void) 424 { 425 void (*callback)(int, short, void *); 426 struct relay *rlay; 427 struct host *host; 428 struct relay_table *rlt; 429 430 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 431 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && 432 (rlay->rl_ssl_ctx = relay_tls_ctx_create(rlay)) == NULL) 433 fatal("relay_init: failed to create TLS context"); 434 435 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 436 /* 437 * set rule->rule_table in advance and save time 438 * looking up for this later on rule/connection 439 * evalution 440 */ 441 rule_settable(&rlay->rl_proto->rules, rlt); 442 443 rlt->rlt_index = 0; 444 rlt->rlt_nhosts = 0; 445 TAILQ_FOREACH(host, &rlt->rlt_table->hosts, entry) { 446 if (rlt->rlt_nhosts >= RELAY_MAXHOSTS) 447 fatal("relay_init: " 448 "too many hosts in table"); 449 host->idx = rlt->rlt_nhosts; 450 rlt->rlt_host[rlt->rlt_nhosts++] = host; 451 } 452 log_info("adding %d hosts from table %s%s", 453 rlt->rlt_nhosts, rlt->rlt_table->conf.name, 454 rlt->rlt_table->conf.check ? "" : " (no check)"); 455 } 456 457 switch (rlay->rl_proto->type) { 458 case RELAY_PROTO_DNS: 459 relay_udp_init(rlay); 460 break; 461 case RELAY_PROTO_TCP: 462 case RELAY_PROTO_HTTP: 463 relay_http_init(rlay); 464 /* Use defaults */ 465 break; 466 } 467 468 log_debug("%s: running relay %s", __func__, 469 rlay->rl_conf.name); 470 471 rlay->rl_up = HOST_UP; 472 473 if (rlay->rl_conf.flags & F_UDP) 474 callback = relay_udp_server; 475 else 476 callback = relay_accept; 477 478 event_set(&rlay->rl_ev, rlay->rl_s, EV_READ, 479 callback, rlay); 480 event_add(&rlay->rl_ev, NULL); 481 evtimer_set(&rlay->rl_evt, callback, rlay); 482 } 483 } 484 485 int 486 relay_socket_af(struct sockaddr_storage *ss, in_port_t port) 487 { 488 switch (ss->ss_family) { 489 case AF_INET: 490 ((struct sockaddr_in *)ss)->sin_port = port; 491 ((struct sockaddr_in *)ss)->sin_len = 492 sizeof(struct sockaddr_in); 493 break; 494 case AF_INET6: 495 ((struct sockaddr_in6 *)ss)->sin6_port = port; 496 ((struct sockaddr_in6 *)ss)->sin6_len = 497 sizeof(struct sockaddr_in6); 498 break; 499 default: 500 return (-1); 501 } 502 503 return (0); 504 } 505 506 in_port_t 507 relay_socket_getport(struct sockaddr_storage *ss) 508 { 509 switch (ss->ss_family) { 510 case AF_INET: 511 return (((struct sockaddr_in *)ss)->sin_port); 512 case AF_INET6: 513 return (((struct sockaddr_in6 *)ss)->sin6_port); 514 default: 515 return (0); 516 } 517 518 /* NOTREACHED */ 519 return (0); 520 } 521 522 int 523 relay_socket(struct sockaddr_storage *ss, in_port_t port, 524 struct protocol *proto, int fd, int reuseport) 525 { 526 struct linger lng; 527 int s = -1, val; 528 529 if (relay_socket_af(ss, port) == -1) 530 goto bad; 531 532 s = fd == -1 ? socket(ss->ss_family, 533 SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP) : fd; 534 if (s == -1) 535 goto bad; 536 537 /* 538 * Socket options 539 */ 540 bzero(&lng, sizeof(lng)); 541 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 542 goto bad; 543 if (reuseport) { 544 val = 1; 545 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 546 sizeof(int)) == -1) 547 goto bad; 548 } 549 if (proto->tcpflags & TCPFLAG_BUFSIZ) { 550 val = proto->tcpbufsiz; 551 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 552 &val, sizeof(val)) == -1) 553 goto bad; 554 val = proto->tcpbufsiz; 555 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 556 &val, sizeof(val)) == -1) 557 goto bad; 558 } 559 560 /* 561 * IP options 562 */ 563 if (proto->tcpflags & TCPFLAG_IPTTL) { 564 val = (int)proto->tcpipttl; 565 if (setsockopt(s, IPPROTO_IP, IP_TTL, 566 &val, sizeof(val)) == -1) 567 goto bad; 568 } 569 if (proto->tcpflags & TCPFLAG_IPMINTTL) { 570 val = (int)proto->tcpipminttl; 571 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 572 &val, sizeof(val)) == -1) 573 goto bad; 574 } 575 576 /* 577 * TCP options 578 */ 579 if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 580 if (proto->tcpflags & TCPFLAG_NNODELAY) 581 val = 0; 582 else 583 val = 1; 584 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 585 &val, sizeof(val)) == -1) 586 goto bad; 587 } 588 if (proto->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 589 if (proto->tcpflags & TCPFLAG_NSACK) 590 val = 0; 591 else 592 val = 1; 593 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 594 &val, sizeof(val)) == -1) 595 goto bad; 596 } 597 598 return (s); 599 600 bad: 601 if (s != -1) 602 close(s); 603 return (-1); 604 } 605 606 int 607 relay_socket_connect(struct sockaddr_storage *ss, in_port_t port, 608 struct protocol *proto, int fd) 609 { 610 int s; 611 612 if ((s = relay_socket(ss, port, proto, fd, 0)) == -1) 613 return (-1); 614 615 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 616 if (errno != EINPROGRESS) 617 goto bad; 618 } 619 620 return (s); 621 622 bad: 623 close(s); 624 return (-1); 625 } 626 627 int 628 relay_socket_listen(struct sockaddr_storage *ss, in_port_t port, 629 struct protocol *proto) 630 { 631 int s; 632 633 if ((s = relay_socket(ss, port, proto, -1, 1)) == -1) 634 return (-1); 635 636 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 637 goto bad; 638 if (listen(s, proto->tcpbacklog) == -1) 639 goto bad; 640 641 return (s); 642 643 bad: 644 close(s); 645 return (-1); 646 } 647 648 void 649 relay_connected(int fd, short sig, void *arg) 650 { 651 struct rsession *con = arg; 652 struct relay *rlay = con->se_relay; 653 struct protocol *proto = rlay->rl_proto; 654 evbuffercb outrd = relay_read; 655 evbuffercb outwr = relay_write; 656 struct bufferevent *bev; 657 struct ctl_relay_event *out = &con->se_out; 658 socklen_t len; 659 int error; 660 661 if (sig == EV_TIMEOUT) { 662 relay_abort_http(con, 504, "connect timeout", 0); 663 return; 664 } 665 666 len = sizeof(error); 667 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, 668 &len) == -1 || error) { 669 if (error) 670 errno = error; 671 relay_abort_http(con, 500, "socket error", 0); 672 return; 673 } 674 675 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl == NULL)) { 676 relay_tls_transaction(con, out); 677 return; 678 } 679 680 DPRINTF("%s: session %d: successful", __func__, con->se_id); 681 682 switch (rlay->rl_proto->type) { 683 case RELAY_PROTO_HTTP: 684 if (relay_httpdesc_init(out) == -1) { 685 relay_close(con, 686 "failed to allocate http descriptor"); 687 return; 688 } 689 con->se_out.toread = TOREAD_HTTP_HEADER; 690 outrd = relay_read_http; 691 break; 692 case RELAY_PROTO_TCP: 693 /* Use defaults */ 694 break; 695 default: 696 fatalx("relay_connected: unknown protocol"); 697 } 698 699 /* 700 * Relay <-> Server 701 */ 702 bev = bufferevent_new(fd, outrd, outwr, relay_error, &con->se_out); 703 if (bev == NULL) { 704 relay_abort_http(con, 500, 705 "failed to allocate output buffer event", 0); 706 return; 707 } 708 evbuffer_free(bev->output); 709 bev->output = con->se_out.output; 710 if (bev->output == NULL) 711 fatal("relay_connected: invalid output buffer"); 712 con->se_out.bev = bev; 713 714 /* Initialize the TLS wrapper */ 715 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl != NULL)) 716 relay_tls_connected(out); 717 718 bufferevent_settimeout(bev, 719 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 720 bufferevent_setwatermark(bev, EV_WRITE, 721 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 722 bufferevent_enable(bev, EV_READ|EV_WRITE); 723 if (con->se_in.bev) 724 bufferevent_enable(con->se_in.bev, EV_READ); 725 726 if (relay_splice(&con->se_out) == -1) 727 relay_close(con, strerror(errno)); 728 } 729 730 void 731 relay_input(struct rsession *con) 732 { 733 struct relay *rlay = con->se_relay; 734 struct protocol *proto = rlay->rl_proto; 735 evbuffercb inrd = relay_read; 736 evbuffercb inwr = relay_write; 737 738 switch (rlay->rl_proto->type) { 739 case RELAY_PROTO_HTTP: 740 if (relay_httpdesc_init(&con->se_in) == -1) { 741 relay_close(con, 742 "failed to allocate http descriptor"); 743 return; 744 } 745 con->se_in.toread = TOREAD_HTTP_HEADER; 746 inrd = relay_read_http; 747 break; 748 case RELAY_PROTO_TCP: 749 /* Use defaults */ 750 break; 751 default: 752 fatalx("relay_input: unknown protocol"); 753 } 754 755 /* 756 * Client <-> Relay 757 */ 758 con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr, 759 relay_error, &con->se_in); 760 if (con->se_in.bev == NULL) { 761 relay_close(con, "failed to allocate input buffer event"); 762 return; 763 } 764 765 /* Initialize the TLS wrapper */ 766 if ((rlay->rl_conf.flags & F_TLS) && con->se_in.ssl != NULL) 767 relay_tls_connected(&con->se_in); 768 769 bufferevent_settimeout(con->se_in.bev, 770 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 771 bufferevent_setwatermark(con->se_in.bev, EV_WRITE, 772 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 773 bufferevent_enable(con->se_in.bev, EV_READ|EV_WRITE); 774 775 if (relay_splice(&con->se_in) == -1) 776 relay_close(con, strerror(errno)); 777 } 778 779 void 780 relay_write(struct bufferevent *bev, void *arg) 781 { 782 struct ctl_relay_event *cre = arg; 783 struct rsession *con = cre->con; 784 785 getmonotime(&con->se_tv_last); 786 787 if (con->se_done) 788 goto done; 789 if (relay_splice(cre->dst) == -1) 790 goto fail; 791 if (cre->dst->bev) 792 bufferevent_enable(cre->dst->bev, EV_READ); 793 794 return; 795 done: 796 relay_close(con, "last write (done)"); 797 return; 798 fail: 799 relay_close(con, strerror(errno)); 800 } 801 802 void 803 relay_dump(struct ctl_relay_event *cre, const void *buf, size_t len) 804 { 805 if (!len) 806 return; 807 808 /* 809 * This function will dump the specified message directly 810 * to the underlying session, without waiting for success 811 * of non-blocking events etc. This is useful to print an 812 * error message before gracefully closing the session. 813 */ 814 if (cre->ssl != NULL) 815 (void)SSL_write(cre->ssl, buf, len); 816 else 817 (void)write(cre->s, buf, len); 818 } 819 820 void 821 relay_read(struct bufferevent *bev, void *arg) 822 { 823 struct ctl_relay_event *cre = arg; 824 struct rsession *con = cre->con; 825 struct protocol *proto = con->se_relay->rl_proto; 826 struct evbuffer *src = EVBUFFER_INPUT(bev); 827 828 getmonotime(&con->se_tv_last); 829 cre->timedout = 0; 830 831 if (!EVBUFFER_LENGTH(src)) 832 return; 833 if (relay_bufferevent_write_buffer(cre->dst, src) == -1) 834 goto fail; 835 if (con->se_done) 836 goto done; 837 if (cre->dst->bev) 838 bufferevent_enable(cre->dst->bev, EV_READ); 839 if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) > 840 (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz) 841 bufferevent_disable(bev, EV_READ); 842 843 return; 844 done: 845 relay_close(con, "last read (done)"); 846 return; 847 fail: 848 relay_close(con, strerror(errno)); 849 } 850 851 /* 852 * Splice sockets from cre to cre->dst if applicable. Returns: 853 * -1 socket splicing has failed 854 * 0 socket splicing is currently not possible 855 * 1 socket splicing was successful 856 */ 857 int 858 relay_splice(struct ctl_relay_event *cre) 859 { 860 struct rsession *con = cre->con; 861 struct relay *rlay = con->se_relay; 862 struct protocol *proto = rlay->rl_proto; 863 struct splice sp; 864 865 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) || 866 (proto->tcpflags & TCPFLAG_NSPLICE)) 867 return (0); 868 869 if (cre->splicelen >= 0) 870 return (0); 871 872 /* still not connected */ 873 if (cre->bev == NULL || cre->dst->bev == NULL) 874 return (0); 875 876 if (!(cre->toread == TOREAD_UNLIMITED || cre->toread > 0)) { 877 DPRINTF("%s: session %d: splice dir %d, nothing to read %lld", 878 __func__, con->se_id, cre->dir, cre->toread); 879 return (0); 880 } 881 882 /* do not splice before buffers have not been completely flushed */ 883 if (EVBUFFER_LENGTH(cre->bev->input) || 884 EVBUFFER_LENGTH(cre->dst->bev->output)) { 885 DPRINTF("%s: session %d: splice dir %d, dirty buffer", 886 __func__, con->se_id, cre->dir); 887 bufferevent_disable(cre->bev, EV_READ); 888 return (0); 889 } 890 891 bzero(&sp, sizeof(sp)); 892 sp.sp_fd = cre->dst->s; 893 sp.sp_max = cre->toread > 0 ? cre->toread : 0; 894 bcopy(&rlay->rl_conf.timeout, &sp.sp_idle, sizeof(sp.sp_idle)); 895 if (setsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &sp, sizeof(sp)) == -1) { 896 log_debug("%s: session %d: splice dir %d failed: %s", 897 __func__, con->se_id, cre->dir, strerror(errno)); 898 return (-1); 899 } 900 cre->splicelen = 0; 901 bufferevent_enable(cre->bev, EV_READ); 902 903 DPRINTF("%s: session %d: splice dir %d, maximum %lld, successful", 904 __func__, con->se_id, cre->dir, cre->toread); 905 906 return (1); 907 } 908 909 int 910 relay_splicelen(struct ctl_relay_event *cre) 911 { 912 struct rsession *con = cre->con; 913 off_t len; 914 socklen_t optlen; 915 916 if (cre->splicelen < 0) 917 return (0); 918 919 optlen = sizeof(len); 920 if (getsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &len, &optlen) == -1) { 921 log_debug("%s: session %d: splice dir %d get length failed: %s", 922 __func__, con->se_id, cre->dir, strerror(errno)); 923 return (-1); 924 } 925 926 DPRINTF("%s: session %d: splice dir %d, length %lld", 927 __func__, con->se_id, cre->dir, len); 928 929 if (len > cre->splicelen) { 930 getmonotime(&con->se_tv_last); 931 932 cre->splicelen = len; 933 return (1); 934 } 935 936 return (0); 937 } 938 939 int 940 relay_spliceadjust(struct ctl_relay_event *cre) 941 { 942 if (cre->splicelen < 0) 943 return (0); 944 if (relay_splicelen(cre) == -1) 945 return (-1); 946 if (cre->splicelen > 0 && cre->toread > 0) 947 cre->toread -= cre->splicelen; 948 cre->splicelen = -1; 949 950 return (0); 951 } 952 953 void 954 relay_error(struct bufferevent *bev, short error, void *arg) 955 { 956 struct ctl_relay_event *cre = arg; 957 struct rsession *con = cre->con; 958 struct evbuffer *dst; 959 960 if (error & EVBUFFER_TIMEOUT) { 961 if (cre->splicelen >= 0) { 962 bufferevent_enable(bev, EV_READ); 963 } else if (cre->dst->splicelen >= 0) { 964 switch (relay_splicelen(cre->dst)) { 965 case -1: 966 goto fail; 967 case 0: 968 relay_close(con, "buffer event timeout"); 969 break; 970 case 1: 971 cre->timedout = 1; 972 bufferevent_enable(bev, EV_READ); 973 break; 974 } 975 } else { 976 relay_close(con, "buffer event timeout"); 977 } 978 return; 979 } 980 if (error & EVBUFFER_ERROR && errno == ETIMEDOUT) { 981 if (cre->dst->splicelen >= 0) { 982 switch (relay_splicelen(cre->dst)) { 983 case -1: 984 goto fail; 985 case 0: 986 relay_close(con, "splice timeout"); 987 return; 988 case 1: 989 bufferevent_enable(bev, EV_READ); 990 break; 991 } 992 } else if (cre->dst->timedout) { 993 relay_close(con, "splice timeout"); 994 return; 995 } 996 if (relay_spliceadjust(cre) == -1) 997 goto fail; 998 if (relay_splice(cre) == -1) 999 goto fail; 1000 return; 1001 } 1002 if (error & EVBUFFER_ERROR && errno == EFBIG) { 1003 if (relay_spliceadjust(cre) == -1) 1004 goto fail; 1005 bufferevent_enable(cre->bev, EV_READ); 1006 return; 1007 } 1008 if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) { 1009 bufferevent_disable(bev, EV_READ|EV_WRITE); 1010 1011 con->se_done = 1; 1012 if (cre->dst->bev != NULL) { 1013 dst = EVBUFFER_OUTPUT(cre->dst->bev); 1014 if (EVBUFFER_LENGTH(dst)) 1015 return; 1016 } else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0) 1017 return; 1018 1019 relay_close(con, "done"); 1020 return; 1021 } 1022 relay_close(con, "buffer event error"); 1023 return; 1024 fail: 1025 relay_close(con, strerror(errno)); 1026 } 1027 1028 void 1029 relay_accept(int fd, short event, void *arg) 1030 { 1031 struct privsep *ps = env->sc_ps; 1032 struct relay *rlay = arg; 1033 struct rsession *con = NULL; 1034 struct ctl_natlook *cnl = NULL; 1035 socklen_t slen; 1036 struct timeval tv; 1037 struct sockaddr_storage ss; 1038 int s = -1; 1039 1040 event_add(&rlay->rl_ev, NULL); 1041 if ((event & EV_TIMEOUT)) 1042 return; 1043 1044 slen = sizeof(ss); 1045 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 1046 &slen, FD_RESERVE, &relay_inflight)) == -1) { 1047 /* 1048 * Pause accept if we are out of file descriptors, or 1049 * libevent will haunt us here too. 1050 */ 1051 if (errno == ENFILE || errno == EMFILE) { 1052 struct timeval evtpause = { 1, 0 }; 1053 1054 event_del(&rlay->rl_ev); 1055 evtimer_add(&rlay->rl_evt, &evtpause); 1056 log_debug("%s: deferring connections", __func__); 1057 } 1058 return; 1059 } 1060 if (relay_sessions >= RELAY_MAX_SESSIONS || 1061 rlay->rl_conf.flags & F_DISABLE) 1062 goto err; 1063 1064 if ((con = calloc(1, sizeof(*con))) == NULL) 1065 goto err; 1066 1067 /* Pre-allocate log buffer */ 1068 con->se_haslog = 0; 1069 con->se_log = evbuffer_new(); 1070 if (con->se_log == NULL) 1071 goto err; 1072 1073 con->se_in.s = s; 1074 con->se_in.ssl = NULL; 1075 con->se_out.s = -1; 1076 con->se_out.ssl = NULL; 1077 con->se_in.dst = &con->se_out; 1078 con->se_out.dst = &con->se_in; 1079 con->se_in.con = con; 1080 con->se_out.con = con; 1081 con->se_in.splicelen = -1; 1082 con->se_out.splicelen = -1; 1083 con->se_in.toread = TOREAD_UNLIMITED; 1084 con->se_out.toread = TOREAD_UNLIMITED; 1085 con->se_relay = rlay; 1086 con->se_id = ++relay_conid; 1087 con->se_relayid = rlay->rl_conf.id; 1088 con->se_pid = getpid(); 1089 con->se_in.dir = RELAY_DIR_REQUEST; 1090 con->se_out.dir = RELAY_DIR_RESPONSE; 1091 con->se_retry = rlay->rl_conf.dstretry; 1092 con->se_bnds = -1; 1093 con->se_out.port = rlay->rl_conf.dstport; 1094 switch (ss.ss_family) { 1095 case AF_INET: 1096 con->se_in.port = ((struct sockaddr_in *)&ss)->sin_port; 1097 break; 1098 case AF_INET6: 1099 con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port; 1100 break; 1101 } 1102 bcopy(&ss, &con->se_in.ss, sizeof(con->se_in.ss)); 1103 1104 getmonotime(&con->se_tv_start); 1105 bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last)); 1106 1107 if (rlay->rl_conf.flags & F_HASHKEY) { 1108 SipHash24_Init(&con->se_siphashctx, 1109 &rlay->rl_conf.hashkey.siphashkey); 1110 } 1111 1112 relay_sessions++; 1113 SPLAY_INSERT(session_tree, &rlay->rl_sessions, con); 1114 relay_session_publish(con); 1115 1116 /* Increment the per-relay session counter */ 1117 rlay->rl_stats[ps->ps_instance].last++; 1118 1119 /* Pre-allocate output buffer */ 1120 con->se_out.output = evbuffer_new(); 1121 if (con->se_out.output == NULL) { 1122 relay_close(con, "failed to allocate output buffer"); 1123 return; 1124 } 1125 1126 if (rlay->rl_conf.flags & F_DIVERT) { 1127 slen = sizeof(con->se_out.ss); 1128 if (getsockname(s, (struct sockaddr *)&con->se_out.ss, 1129 &slen) == -1) { 1130 relay_close(con, "peer lookup failed"); 1131 return; 1132 } 1133 con->se_out.port = relay_socket_getport(&con->se_out.ss); 1134 1135 /* Detect loop and fall back to the alternate forward target */ 1136 if (bcmp(&rlay->rl_conf.ss, &con->se_out.ss, 1137 sizeof(con->se_out.ss)) == 0 && 1138 con->se_out.port == rlay->rl_conf.port) 1139 con->se_out.ss.ss_family = AF_UNSPEC; 1140 } else if (rlay->rl_conf.flags & F_NATLOOK) { 1141 if ((cnl = calloc(1, sizeof(*cnl))) == NULL) { 1142 relay_close(con, "failed to allocate nat lookup"); 1143 return; 1144 } 1145 1146 con->se_cnl = cnl; 1147 bzero(cnl, sizeof(*cnl)); 1148 cnl->in = -1; 1149 cnl->id = con->se_id; 1150 cnl->proc = ps->ps_instance; 1151 cnl->proto = IPPROTO_TCP; 1152 1153 bcopy(&con->se_in.ss, &cnl->src, sizeof(cnl->src)); 1154 slen = sizeof(cnl->dst); 1155 if (getsockname(s, 1156 (struct sockaddr *)&cnl->dst, &slen) == -1) { 1157 relay_close(con, "failed to get local address"); 1158 return; 1159 } 1160 1161 proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK, 1162 cnl, sizeof(*cnl)); 1163 1164 /* Schedule timeout */ 1165 evtimer_set(&con->se_ev, relay_natlook, con); 1166 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1167 evtimer_add(&con->se_ev, &tv); 1168 return; 1169 } 1170 1171 if (rlay->rl_conf.flags & F_TLSINSPECT) { 1172 relay_preconnect(con); 1173 return; 1174 } 1175 1176 relay_session(con); 1177 return; 1178 err: 1179 if (s != -1) { 1180 close(s); 1181 free(con); 1182 /* 1183 * the session struct was not completely set up, but still 1184 * counted as an inflight session. account for this. 1185 */ 1186 relay_inflight--; 1187 log_debug("%s: inflight decremented, now %d", 1188 __func__, relay_inflight); 1189 } 1190 } 1191 1192 void 1193 relay_hash_addr(SIPHASH_CTX *ctx, struct sockaddr_storage *ss, int portset) 1194 { 1195 struct sockaddr_in *sin4; 1196 struct sockaddr_in6 *sin6; 1197 in_port_t port; 1198 1199 if (ss->ss_family == AF_INET) { 1200 sin4 = (struct sockaddr_in *)ss; 1201 SipHash24_Update(ctx, &sin4->sin_addr, 1202 sizeof(struct in_addr)); 1203 } else { 1204 sin6 = (struct sockaddr_in6 *)ss; 1205 SipHash24_Update(ctx, &sin6->sin6_addr, 1206 sizeof(struct in6_addr)); 1207 } 1208 1209 if (portset != -1) { 1210 port = (in_port_t)portset; 1211 SipHash24_Update(ctx, &port, sizeof(port)); 1212 } 1213 } 1214 1215 int 1216 relay_from_table(struct rsession *con) 1217 { 1218 struct relay *rlay = con->se_relay; 1219 struct host *host = NULL; 1220 struct relay_table *rlt = NULL; 1221 struct table *table = NULL; 1222 int idx = -1; 1223 int cnt = 0; 1224 int maxtries; 1225 u_int64_t p = 0; 1226 1227 /* the table is already selected */ 1228 if (con->se_table != NULL) { 1229 rlt = con->se_table; 1230 table = rlt->rlt_table; 1231 if (table->conf.check && !table->up) 1232 table = NULL; 1233 goto gottable; 1234 } 1235 1236 /* otherwise grep the first active table */ 1237 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 1238 table = rlt->rlt_table; 1239 if ((rlt->rlt_flags & F_USED) == 0 || 1240 (table->conf.check && !table->up)) 1241 table = NULL; 1242 else 1243 break; 1244 } 1245 1246 gottable: 1247 if (table == NULL) { 1248 log_debug("%s: session %d: no active hosts", 1249 __func__, con->se_id); 1250 return (-1); 1251 } 1252 1253 switch (rlt->rlt_mode) { 1254 case RELAY_DSTMODE_ROUNDROBIN: 1255 if ((int)rlt->rlt_index >= rlt->rlt_nhosts) 1256 rlt->rlt_index = 0; 1257 idx = (int)rlt->rlt_index; 1258 break; 1259 case RELAY_DSTMODE_RANDOM: 1260 idx = (int)arc4random_uniform(rlt->rlt_nhosts); 1261 break; 1262 case RELAY_DSTMODE_SRCHASH: 1263 /* Source IP address without port */ 1264 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1265 break; 1266 case RELAY_DSTMODE_LOADBALANCE: 1267 /* Source IP address without port */ 1268 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1269 /* FALLTHROUGH */ 1270 case RELAY_DSTMODE_HASH: 1271 /* Local "destination" IP address and port */ 1272 relay_hash_addr(&con->se_siphashctx, &rlay->rl_conf.ss, 1273 rlay->rl_conf.port); 1274 break; 1275 default: 1276 fatalx("relay_from_table: unsupported mode"); 1277 /* NOTREACHED */ 1278 } 1279 if (idx == -1) { 1280 /* handle all hashing algorithms */ 1281 p = SipHash24_End(&con->se_siphashctx); 1282 1283 /* Reset hash context */ 1284 SipHash24_Init(&con->se_siphashctx, 1285 &rlay->rl_conf.hashkey.siphashkey); 1286 1287 maxtries = (rlt->rlt_nhosts < RELAY_MAX_HASH_RETRIES ? 1288 rlt->rlt_nhosts : RELAY_MAX_HASH_RETRIES); 1289 for (cnt = 0; cnt < maxtries; cnt++) { 1290 if ((idx = p % rlt->rlt_nhosts) >= RELAY_MAXHOSTS) 1291 return (-1); 1292 1293 host = rlt->rlt_host[idx]; 1294 1295 DPRINTF("%s: session %d: table %s host %s, " 1296 "p 0x%016llx, idx %d, cnt %d, max %d", 1297 __func__, con->se_id, table->conf.name, 1298 host->conf.name, p, idx, cnt, maxtries); 1299 1300 if (!table->conf.check || host->up == HOST_UP) 1301 goto found; 1302 p = p >> 1; 1303 } 1304 } else { 1305 /* handle all non-hashing algorithms */ 1306 host = rlt->rlt_host[idx]; 1307 DPRINTF("%s: session %d: table %s host %s, p 0x%016llx, idx %d", 1308 __func__, con->se_id, table->conf.name, host->conf.name, p, idx); 1309 } 1310 1311 while (host != NULL) { 1312 DPRINTF("%s: session %d: host %s", __func__, 1313 con->se_id, host->conf.name); 1314 if (!table->conf.check || host->up == HOST_UP) 1315 goto found; 1316 host = TAILQ_NEXT(host, entry); 1317 } 1318 TAILQ_FOREACH(host, &table->hosts, entry) { 1319 DPRINTF("%s: session %d: next host %s", 1320 __func__, con->se_id, host->conf.name); 1321 if (!table->conf.check || host->up == HOST_UP) 1322 goto found; 1323 } 1324 1325 /* Should not happen */ 1326 fatalx("relay_from_table: no active hosts, desynchronized"); 1327 1328 found: 1329 if (rlt->rlt_mode == RELAY_DSTMODE_ROUNDROBIN) 1330 rlt->rlt_index = host->idx + 1; 1331 con->se_retry = host->conf.retry; 1332 con->se_out.port = table->conf.port; 1333 bcopy(&host->conf.ss, &con->se_out.ss, sizeof(con->se_out.ss)); 1334 1335 return (0); 1336 } 1337 1338 void 1339 relay_natlook(int fd, short event, void *arg) 1340 { 1341 struct rsession *con = arg; 1342 struct relay *rlay = con->se_relay; 1343 struct ctl_natlook *cnl = con->se_cnl; 1344 1345 if (cnl == NULL) 1346 fatalx("invalid NAT lookup"); 1347 1348 if (con->se_out.ss.ss_family == AF_UNSPEC && cnl->in == -1 && 1349 rlay->rl_conf.dstss.ss_family == AF_UNSPEC && 1350 TAILQ_EMPTY(&rlay->rl_tables)) { 1351 relay_close(con, "session NAT lookup failed"); 1352 return; 1353 } 1354 if (cnl->in != -1) { 1355 bcopy(&cnl->rdst, &con->se_out.ss, sizeof(con->se_out.ss)); 1356 con->se_out.port = cnl->rdport; 1357 } 1358 free(con->se_cnl); 1359 con->se_cnl = NULL; 1360 1361 relay_session(con); 1362 } 1363 1364 void 1365 relay_session(struct rsession *con) 1366 { 1367 struct relay *rlay = con->se_relay; 1368 struct ctl_relay_event *in = &con->se_in, *out = &con->se_out; 1369 1370 if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 && 1371 out->port == rlay->rl_conf.port) { 1372 log_debug("%s: session %d: looping", __func__, con->se_id); 1373 relay_close(con, "session aborted"); 1374 return; 1375 } 1376 1377 if (rlay->rl_conf.flags & F_UDP) { 1378 /* 1379 * Call the UDP protocol-specific handler 1380 */ 1381 if (rlay->rl_proto->request == NULL) 1382 fatalx("invalide UDP session"); 1383 if ((*rlay->rl_proto->request)(con) == -1) 1384 relay_close(con, "session failed"); 1385 return; 1386 } 1387 1388 if ((rlay->rl_conf.flags & F_TLS) && (in->ssl == NULL)) { 1389 relay_tls_transaction(con, in); 1390 return; 1391 } 1392 1393 if (rlay->rl_proto->type != RELAY_PROTO_HTTP) { 1394 if (rlay->rl_conf.fwdmode == FWD_TRANS) 1395 relay_bindanyreq(con, 0, IPPROTO_TCP); 1396 else if (relay_connect(con) == -1) { 1397 relay_close(con, "session failed"); 1398 return; 1399 } 1400 } 1401 1402 relay_input(con); 1403 } 1404 1405 void 1406 relay_bindanyreq(struct rsession *con, in_port_t port, int proto) 1407 { 1408 struct privsep *ps = env->sc_ps; 1409 struct relay *rlay = con->se_relay; 1410 struct ctl_bindany bnd; 1411 struct timeval tv; 1412 1413 bzero(&bnd, sizeof(bnd)); 1414 bnd.bnd_id = con->se_id; 1415 bnd.bnd_proc = ps->ps_instance; 1416 bnd.bnd_port = port; 1417 bnd.bnd_proto = proto; 1418 bcopy(&con->se_in.ss, &bnd.bnd_ss, sizeof(bnd.bnd_ss)); 1419 proc_compose(env->sc_ps, PROC_PARENT, IMSG_BINDANY, 1420 &bnd, sizeof(bnd)); 1421 1422 /* Schedule timeout */ 1423 evtimer_set(&con->se_ev, relay_bindany, con); 1424 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1425 evtimer_add(&con->se_ev, &tv); 1426 } 1427 1428 void 1429 relay_bindany(int fd, short event, void *arg) 1430 { 1431 struct rsession *con = arg; 1432 1433 if (con->se_bnds == -1) { 1434 relay_close(con, "bindany failed, invalid socket"); 1435 return; 1436 } 1437 if (relay_connect(con) == -1) 1438 relay_close(con, "session failed"); 1439 } 1440 1441 void 1442 relay_connect_retry(int fd, short sig, void *arg) 1443 { 1444 struct timeval evtpause = { 1, 0 }; 1445 struct rsession *con = arg; 1446 struct relay *rlay = con->se_relay; 1447 int bnds = -1; 1448 1449 if (relay_inflight < 1) { 1450 log_warnx("relay_connect_retry: no connection in flight"); 1451 relay_inflight = 1; 1452 } 1453 1454 DPRINTF("%s: retry %d of %d, inflight: %d",__func__, 1455 con->se_retrycount, con->se_retry, relay_inflight); 1456 1457 if (sig != EV_TIMEOUT) 1458 fatalx("relay_connect_retry: called without timeout"); 1459 1460 evtimer_del(&con->se_inflightevt); 1461 1462 /* 1463 * XXX we might want to check if the inbound socket is still 1464 * available: client could have closed it while we were waiting? 1465 */ 1466 1467 DPRINTF("%s: got EV_TIMEOUT", __func__); 1468 1469 if (getdtablecount() + FD_RESERVE + 1470 relay_inflight > getdtablesize()) { 1471 if (con->se_retrycount < RELAY_OUTOF_FD_RETRIES) { 1472 evtimer_add(&con->se_inflightevt, &evtpause); 1473 return; 1474 } 1475 /* we waited for RELAY_OUTOF_FD_RETRIES seconds, give up */ 1476 event_add(&rlay->rl_ev, NULL); 1477 relay_abort_http(con, 504, "connection timed out", 0); 1478 return; 1479 } 1480 1481 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1482 /* con->se_bnds cannot be unset */ 1483 bnds = con->se_bnds; 1484 } 1485 1486 retry: 1487 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1488 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1489 log_debug("%s: session %d: " 1490 "forward failed: %s, %s", __func__, 1491 con->se_id, strerror(errno), 1492 con->se_retry ? "next retry" : "last retry"); 1493 1494 con->se_retrycount++; 1495 1496 if ((errno == ENFILE || errno == EMFILE) && 1497 (con->se_retrycount < con->se_retry)) { 1498 event_del(&rlay->rl_ev); 1499 evtimer_add(&con->se_inflightevt, &evtpause); 1500 evtimer_add(&rlay->rl_evt, &evtpause); 1501 return; 1502 } else if (con->se_retrycount < con->se_retry) 1503 goto retry; 1504 event_add(&rlay->rl_ev, NULL); 1505 relay_abort_http(con, 504, "connect failed", 0); 1506 return; 1507 } 1508 1509 if (rlay->rl_conf.flags & F_TLSINSPECT) 1510 con->se_out.state = STATE_PRECONNECT; 1511 else 1512 con->se_out.state = STATE_CONNECTED; 1513 relay_inflight--; 1514 DPRINTF("%s: inflight decremented, now %d",__func__, relay_inflight); 1515 1516 event_add(&rlay->rl_ev, NULL); 1517 1518 if (errno == EINPROGRESS) 1519 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1520 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1521 con); 1522 else 1523 relay_connected(con->se_out.s, EV_WRITE, con); 1524 1525 return; 1526 } 1527 1528 int 1529 relay_preconnect(struct rsession *con) 1530 { 1531 int rv; 1532 1533 log_debug("%s: session %d: process %d", __func__, 1534 con->se_id, privsep_process); 1535 rv = relay_connect(con); 1536 if (con->se_out.state == STATE_CONNECTED) 1537 con->se_out.state = STATE_PRECONNECT; 1538 return (rv); 1539 } 1540 1541 int 1542 relay_connect(struct rsession *con) 1543 { 1544 struct relay *rlay = con->se_relay; 1545 struct timeval evtpause = { 1, 0 }; 1546 int bnds = -1, ret; 1547 1548 /* relay_connect should only be called once per relay */ 1549 if (con->se_out.state == STATE_CONNECTED) { 1550 log_debug("%s: connect already called once", __func__); 1551 return (0); 1552 } 1553 1554 /* Connection is already established but session not active */ 1555 if ((rlay->rl_conf.flags & F_TLSINSPECT) && 1556 con->se_out.state == STATE_PRECONNECT) { 1557 if (con->se_out.ssl == NULL) { 1558 log_debug("%s: tls connect failed", __func__); 1559 return (-1); 1560 } 1561 relay_connected(con->se_out.s, EV_WRITE, con); 1562 con->se_out.state = STATE_CONNECTED; 1563 return (0); 1564 } 1565 1566 if (relay_inflight < 1) { 1567 log_warnx("relay_connect: no connection in flight"); 1568 relay_inflight = 1; 1569 } 1570 1571 getmonotime(&con->se_tv_start); 1572 1573 if (!TAILQ_EMPTY(&rlay->rl_tables)) { 1574 if (relay_from_table(con) != 0) 1575 return (-1); 1576 } else if (con->se_out.ss.ss_family == AF_UNSPEC) { 1577 bcopy(&rlay->rl_conf.dstss, &con->se_out.ss, 1578 sizeof(con->se_out.ss)); 1579 con->se_out.port = rlay->rl_conf.dstport; 1580 } 1581 1582 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1583 if (con->se_bnds == -1) { 1584 log_debug("%s: could not bind any sock", __func__); 1585 return (-1); 1586 } 1587 bnds = con->se_bnds; 1588 } 1589 1590 /* Do the IPv4-to-IPv6 or IPv6-to-IPv4 translation if requested */ 1591 if (rlay->rl_conf.dstaf.ss_family != AF_UNSPEC) { 1592 if (con->se_out.ss.ss_family == AF_INET && 1593 rlay->rl_conf.dstaf.ss_family == AF_INET6) 1594 ret = map4to6(&con->se_out.ss, &rlay->rl_conf.dstaf); 1595 else if (con->se_out.ss.ss_family == AF_INET6 && 1596 rlay->rl_conf.dstaf.ss_family == AF_INET) 1597 ret = map6to4(&con->se_out.ss); 1598 else 1599 ret = 0; 1600 if (ret != 0) { 1601 log_debug("%s: mapped to invalid address", __func__); 1602 return (-1); 1603 } 1604 } 1605 1606 retry: 1607 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1608 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1609 if (errno == ENFILE || errno == EMFILE) { 1610 log_debug("%s: session %d: forward failed: %s", 1611 __func__, con->se_id, strerror(errno)); 1612 evtimer_set(&con->se_inflightevt, relay_connect_retry, 1613 con); 1614 event_del(&rlay->rl_ev); 1615 evtimer_add(&con->se_inflightevt, &evtpause); 1616 evtimer_add(&rlay->rl_evt, &evtpause); 1617 1618 /* this connect is pending */ 1619 con->se_out.state = STATE_PENDING; 1620 return (0); 1621 } else { 1622 if (con->se_retry) { 1623 con->se_retry--; 1624 log_debug("%s: session %d: " 1625 "forward failed: %s, %s", __func__, 1626 con->se_id, strerror(errno), 1627 con->se_retry ? 1628 "next retry" : "last retry"); 1629 goto retry; 1630 } 1631 log_debug("%s: session %d: forward failed: %s", 1632 __func__, con->se_id, strerror(errno)); 1633 return (-1); 1634 } 1635 } 1636 1637 con->se_out.state = STATE_CONNECTED; 1638 relay_inflight--; 1639 DPRINTF("%s: inflight decremented, now %d",__func__, 1640 relay_inflight); 1641 1642 if (errno == EINPROGRESS) 1643 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1644 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1645 con); 1646 else 1647 relay_connected(con->se_out.s, EV_WRITE, con); 1648 1649 return (0); 1650 } 1651 1652 void 1653 relay_close(struct rsession *con, const char *msg) 1654 { 1655 char ibuf[128], obuf[128], *ptr = NULL; 1656 struct relay *rlay = con->se_relay; 1657 struct protocol *proto = rlay->rl_proto; 1658 1659 SPLAY_REMOVE(session_tree, &rlay->rl_sessions, con); 1660 relay_session_unpublish(con); 1661 1662 event_del(&con->se_ev); 1663 if (con->se_in.bev != NULL) 1664 bufferevent_disable(con->se_in.bev, EV_READ|EV_WRITE); 1665 if (con->se_out.bev != NULL) 1666 bufferevent_disable(con->se_out.bev, EV_READ|EV_WRITE); 1667 1668 if ((env->sc_conf.opts & RELAYD_OPT_LOGUPDATE) && msg != NULL) { 1669 bzero(&ibuf, sizeof(ibuf)); 1670 bzero(&obuf, sizeof(obuf)); 1671 (void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf)); 1672 (void)print_host(&con->se_out.ss, obuf, sizeof(obuf)); 1673 if (EVBUFFER_LENGTH(con->se_log) && 1674 evbuffer_add_printf(con->se_log, "\r\n") != -1) 1675 ptr = evbuffer_readline(con->se_log); 1676 log_info("relay %s, " 1677 "session %d (%d active), %s, %s -> %s:%d, " 1678 "%s%s%s", rlay->rl_conf.name, con->se_id, relay_sessions, 1679 con->se_tag != 0 ? tag_id2name(con->se_tag) : "0", ibuf, 1680 obuf, ntohs(con->se_out.port), msg, ptr == NULL ? "" : ",", 1681 ptr == NULL ? "" : ptr); 1682 free(ptr); 1683 } 1684 1685 if (proto->close != NULL) 1686 (*proto->close)(con); 1687 1688 free(con->se_priv); 1689 if (con->se_in.bev != NULL) 1690 bufferevent_free(con->se_in.bev); 1691 else if (con->se_in.output != NULL) 1692 evbuffer_free(con->se_in.output); 1693 if (con->se_in.ssl != NULL) { 1694 /* XXX handle non-blocking shutdown */ 1695 if (SSL_shutdown(con->se_in.ssl) == 0) 1696 SSL_shutdown(con->se_in.ssl); 1697 SSL_free(con->se_in.ssl); 1698 } 1699 if (con->se_in.tlscert != NULL) 1700 X509_free(con->se_in.tlscert); 1701 if (con->se_in.s != -1) { 1702 close(con->se_in.s); 1703 if (con->se_out.s == -1) { 1704 /* 1705 * the output was never connected, 1706 * thus this was an inflight session. 1707 */ 1708 relay_inflight--; 1709 log_debug("%s: sessions inflight decremented, now %d", 1710 __func__, relay_inflight); 1711 } 1712 } 1713 free(con->se_in.buf); 1714 1715 if (con->se_out.bev != NULL) 1716 bufferevent_free(con->se_out.bev); 1717 else if (con->se_out.output != NULL) 1718 evbuffer_free(con->se_out.output); 1719 if (con->se_out.ssl != NULL) { 1720 /* XXX handle non-blocking shutdown */ 1721 if (SSL_shutdown(con->se_out.ssl) == 0) 1722 SSL_shutdown(con->se_out.ssl); 1723 SSL_free(con->se_out.ssl); 1724 } 1725 if (con->se_out.tlscert != NULL) 1726 X509_free(con->se_out.tlscert); 1727 if (con->se_out.s != -1) { 1728 close(con->se_out.s); 1729 1730 /* Some file descriptors are available again. */ 1731 if (evtimer_pending(&rlay->rl_evt, NULL)) { 1732 evtimer_del(&rlay->rl_evt); 1733 event_add(&rlay->rl_ev, NULL); 1734 } 1735 } 1736 con->se_out.state = STATE_INIT; 1737 1738 free(con->se_out.buf); 1739 1740 if (con->se_log != NULL) 1741 evbuffer_free(con->se_log); 1742 1743 if (con->se_cnl != NULL) { 1744 #if 0 1745 proc_compose_imsg(env->sc_ps, PROC_PFE, -1, IMSG_KILLSTATES, -1, 1746 cnl, sizeof(*cnl)); 1747 #endif 1748 free(con->se_cnl); 1749 } 1750 1751 free(con); 1752 relay_sessions--; 1753 } 1754 1755 int 1756 relay_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 1757 { 1758 struct relay *rlay; 1759 struct rsession *con, se; 1760 struct ctl_natlook cnl; 1761 struct timeval tv; 1762 struct host *host; 1763 struct table *table; 1764 struct ctl_status st; 1765 objid_t id; 1766 int cid; 1767 1768 switch (imsg->hdr.type) { 1769 case IMSG_HOST_DISABLE: 1770 memcpy(&id, imsg->data, sizeof(id)); 1771 if ((host = host_find(env, id)) == NULL) 1772 fatalx("relay_dispatch_pfe: desynchronized"); 1773 if ((table = table_find(env, host->conf.tableid)) == 1774 NULL) 1775 fatalx("relay_dispatch_pfe: invalid table id"); 1776 if (host->up == HOST_UP) 1777 table->up--; 1778 host->flags |= F_DISABLE; 1779 host->up = HOST_UNKNOWN; 1780 break; 1781 case IMSG_HOST_ENABLE: 1782 memcpy(&id, imsg->data, sizeof(id)); 1783 if ((host = host_find(env, id)) == NULL) 1784 fatalx("relay_dispatch_pfe: desynchronized"); 1785 host->flags &= ~(F_DISABLE); 1786 host->up = HOST_UNKNOWN; 1787 break; 1788 case IMSG_TABLE_DISABLE: 1789 memcpy(&id, imsg->data, sizeof(id)); 1790 if ((table = table_find(env, id)) == NULL) 1791 fatalx("relay_dispatch_pfe: desynchronized"); 1792 table->conf.flags |= F_DISABLE; 1793 table->up = 0; 1794 TAILQ_FOREACH(host, &table->hosts, entry) 1795 host->up = HOST_UNKNOWN; 1796 break; 1797 case IMSG_TABLE_ENABLE: 1798 memcpy(&id, imsg->data, sizeof(id)); 1799 if ((table = table_find(env, id)) == NULL) 1800 fatalx("relay_dispatch_pfe: desynchronized"); 1801 table->conf.flags &= ~(F_DISABLE); 1802 table->up = 0; 1803 TAILQ_FOREACH(host, &table->hosts, entry) 1804 host->up = HOST_UNKNOWN; 1805 break; 1806 case IMSG_HOST_STATUS: 1807 IMSG_SIZE_CHECK(imsg, &st); 1808 memcpy(&st, imsg->data, sizeof(st)); 1809 if ((host = host_find(env, st.id)) == NULL) 1810 fatalx("relay_dispatch_pfe: invalid host id"); 1811 if (host->flags & F_DISABLE) 1812 break; 1813 if (host->up == st.up) { 1814 log_debug("%s: host %d => %d", __func__, 1815 host->conf.id, host->up); 1816 fatalx("relay_dispatch_pfe: desynchronized"); 1817 } 1818 1819 if ((table = table_find(env, host->conf.tableid)) 1820 == NULL) 1821 fatalx("relay_dispatch_pfe: invalid table id"); 1822 1823 DPRINTF("%s: [%d] state %d for " 1824 "host %u %s", __func__, ps->ps_instance, st.up, 1825 host->conf.id, host->conf.name); 1826 1827 if ((st.up == HOST_UNKNOWN && host->up == HOST_DOWN) || 1828 (st.up == HOST_DOWN && host->up == HOST_UNKNOWN)) { 1829 host->up = st.up; 1830 break; 1831 } 1832 if (st.up == HOST_UP) 1833 table->up++; 1834 else 1835 table->up--; 1836 host->up = st.up; 1837 break; 1838 case IMSG_NATLOOK: 1839 bcopy(imsg->data, &cnl, sizeof(cnl)); 1840 if ((con = session_find(env, cnl.id)) == NULL || 1841 con->se_cnl == NULL) { 1842 log_debug("%s: session %d: expired", 1843 __func__, cnl.id); 1844 break; 1845 } 1846 bcopy(&cnl, con->se_cnl, sizeof(*con->se_cnl)); 1847 evtimer_del(&con->se_ev); 1848 evtimer_set(&con->se_ev, relay_natlook, con); 1849 bzero(&tv, sizeof(tv)); 1850 evtimer_add(&con->se_ev, &tv); 1851 break; 1852 case IMSG_CTL_SESSION: 1853 IMSG_SIZE_CHECK(imsg, &cid); 1854 memcpy(&cid, imsg->data, sizeof(cid)); 1855 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 1856 SPLAY_FOREACH(con, session_tree, 1857 &rlay->rl_sessions) { 1858 memcpy(&se, con, sizeof(se)); 1859 se.se_cid = cid; 1860 proc_compose(env->sc_ps, p->p_id, 1861 IMSG_CTL_SESSION, &se, sizeof(se)); 1862 } 1863 } 1864 proc_compose(env->sc_ps, p->p_id, IMSG_CTL_END, 1865 &cid, sizeof(cid)); 1866 break; 1867 default: 1868 return (-1); 1869 } 1870 1871 return (0); 1872 } 1873 1874 int 1875 relay_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 1876 { 1877 return (-1); 1878 } 1879 1880 int 1881 relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1882 { 1883 struct rsession *con; 1884 struct timeval tv; 1885 objid_t id; 1886 1887 switch (imsg->hdr.type) { 1888 case IMSG_BINDANY: 1889 bcopy(imsg->data, &id, sizeof(id)); 1890 if ((con = session_find(env, id)) == NULL) { 1891 log_debug("%s: session %d: expired", 1892 __func__, id); 1893 break; 1894 } 1895 1896 /* Will validate the result later */ 1897 con->se_bnds = imsg->fd; 1898 1899 evtimer_del(&con->se_ev); 1900 evtimer_set(&con->se_ev, relay_bindany, con); 1901 bzero(&tv, sizeof(tv)); 1902 evtimer_add(&con->se_ev, &tv); 1903 break; 1904 case IMSG_CFG_TABLE: 1905 config_gettable(env, imsg); 1906 break; 1907 case IMSG_CFG_HOST: 1908 config_gethost(env, imsg); 1909 break; 1910 case IMSG_CFG_PROTO: 1911 config_getproto(env, imsg); 1912 break; 1913 case IMSG_CFG_RULE: 1914 config_getrule(env, imsg); 1915 break; 1916 case IMSG_CFG_RELAY: 1917 config_getrelay(env, imsg); 1918 break; 1919 case IMSG_CFG_RELAY_TABLE: 1920 config_getrelaytable(env, imsg); 1921 break; 1922 case IMSG_CFG_DONE: 1923 config_getcfg(env, imsg); 1924 break; 1925 case IMSG_CTL_START: 1926 relay_launch(); 1927 break; 1928 case IMSG_CTL_RESET: 1929 config_getreset(env, imsg); 1930 break; 1931 case IMSG_TLSTICKET_REKEY: 1932 IMSG_SIZE_CHECK(imsg, (&env->sc_tls_ticket)); 1933 /* rotate keys */ 1934 memcpy(&env->sc_tls_ticket_bak, &env->sc_tls_ticket, 1935 sizeof(env->sc_tls_ticket)); 1936 env->sc_tls_ticket_bak.tt_backup = 1; 1937 memcpy(&env->sc_tls_ticket, imsg->data, 1938 sizeof(env->sc_tls_ticket)); 1939 break; 1940 default: 1941 return (-1); 1942 } 1943 1944 return (0); 1945 } 1946 1947 void 1948 relay_tls_callback_info(const SSL *ssl, int where, int rc) 1949 { 1950 struct ctl_relay_event *cre; 1951 int tls_state; 1952 1953 cre = (struct ctl_relay_event *)SSL_get_app_data(ssl); 1954 1955 if (cre == NULL || cre->tlsreneg_state == TLSRENEG_ALLOW) 1956 return; 1957 1958 tls_state = SSL_get_state(ssl); 1959 1960 /* Check renegotiations */ 1961 if ((where & SSL_CB_ACCEPT_LOOP) && 1962 (cre->tlsreneg_state == TLSRENEG_DENY)) { 1963 if ((tls_state == SSL3_ST_SR_CLNT_HELLO_A) || 1964 (tls_state == SSL23_ST_SR_CLNT_HELLO_A)) { 1965 /* 1966 * This is a client initiated renegotiation 1967 * that we do not allow 1968 */ 1969 cre->tlsreneg_state = TLSRENEG_ABORT; 1970 } 1971 } else if ((where & SSL_CB_HANDSHAKE_DONE) && 1972 (cre->tlsreneg_state == TLSRENEG_INIT)) { 1973 /* 1974 * This is right after the first handshake, 1975 * disallow any further negotiations. 1976 */ 1977 cre->tlsreneg_state = TLSRENEG_DENY; 1978 } 1979 } 1980 1981 DH * 1982 relay_tls_get_dhparams(int keylen) 1983 { 1984 DH *dh; 1985 BIGNUM *(*prime)(BIGNUM *); 1986 const char *gen; 1987 1988 gen = "2"; 1989 if (keylen >= 8192) 1990 prime = get_rfc3526_prime_8192; 1991 else if (keylen >= 4096) 1992 prime = get_rfc3526_prime_4096; 1993 else if (keylen >= 3072) 1994 prime = get_rfc3526_prime_3072; 1995 else if (keylen >= 2048) 1996 prime = get_rfc3526_prime_2048; 1997 else if (keylen >= 1536) 1998 prime = get_rfc3526_prime_1536; 1999 else 2000 prime = get_rfc2409_prime_1024; 2001 2002 if ((dh = DH_new()) == NULL) 2003 return (NULL); 2004 2005 dh->p = (*prime)(NULL); 2006 BN_dec2bn(&dh->g, gen); 2007 2008 if (dh->p == NULL || dh->g == NULL) { 2009 DH_free(dh); 2010 return (NULL); 2011 } 2012 2013 return (dh); 2014 } 2015 2016 DH * 2017 relay_tls_callback_dh(SSL *ssl, int export, int keylen) 2018 { 2019 struct ctl_relay_event *cre; 2020 EVP_PKEY *pkey; 2021 int keytype, maxlen; 2022 DH *dh = NULL; 2023 2024 /* Get maximum key length from config */ 2025 if ((cre = (struct ctl_relay_event *)SSL_get_app_data(ssl)) == NULL) 2026 return (NULL); 2027 maxlen = cre->con->se_relay->rl_proto->tlsdhparams; 2028 2029 /* Get the private key length from the cert */ 2030 if ((pkey = SSL_get_privatekey(ssl))) { 2031 keytype = EVP_PKEY_type(pkey->type); 2032 if (keytype == EVP_PKEY_RSA || keytype == EVP_PKEY_DSA) 2033 keylen = EVP_PKEY_bits(pkey); 2034 else 2035 return (NULL); 2036 } 2037 2038 /* get built-in params based on the shorter key length */ 2039 dh = relay_tls_get_dhparams(MINIMUM(keylen, maxlen)); 2040 2041 return (dh); 2042 } 2043 2044 int 2045 relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 2046 { 2047 switch (imsg->hdr.type) { 2048 default: 2049 break; 2050 } 2051 2052 return (-1); 2053 } 2054 2055 SSL_CTX * 2056 relay_tls_ctx_create(struct relay *rlay) 2057 { 2058 struct protocol *proto = rlay->rl_proto; 2059 SSL_CTX *ctx; 2060 EC_KEY *ecdhkey; 2061 2062 ctx = SSL_CTX_new(SSLv23_method()); 2063 if (ctx == NULL) 2064 goto err; 2065 2066 /* 2067 * Disable the session cache by default. 2068 * Everything modern uses tickets 2069 */ 2070 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 2071 2072 2073 /* Set callback for TLS session tickets if enabled */ 2074 if (proto->tickets == -1) 2075 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); 2076 else { 2077 if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, 2078 relay_tls_session_ticket)) 2079 log_warnx("could not set the TLS ticket callback"); 2080 /* set timeout to the ticket rekey time */ 2081 SSL_CTX_set_timeout(ctx, TLS_TICKET_REKEY_TIME); 2082 } 2083 2084 /* Enable all workarounds and set SSL options */ 2085 SSL_CTX_set_options(ctx, SSL_OP_ALL); 2086 SSL_CTX_set_options(ctx, 2087 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); 2088 if (proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF) 2089 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 2090 2091 /* Set the allowed SSL protocols */ 2092 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); 2093 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); 2094 if ((proto->tlsflags & TLSFLAG_SSLV3) == 0) 2095 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); 2096 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); 2097 if ((proto->tlsflags & TLSFLAG_TLSV1_0) == 0) 2098 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); 2099 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); 2100 if ((proto->tlsflags & TLSFLAG_TLSV1_1) == 0) 2101 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); 2102 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); 2103 if ((proto->tlsflags & TLSFLAG_TLSV1_2) == 0) 2104 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); 2105 2106 /* add the SSL info callback */ 2107 SSL_CTX_set_info_callback(ctx, relay_tls_callback_info); 2108 2109 if (proto->tlsecdhcurve > 0) { 2110 /* Enable ECDHE support for TLS perfect forward secrecy */ 2111 if ((ecdhkey = 2112 EC_KEY_new_by_curve_name(proto->tlsecdhcurve)) == NULL) 2113 goto err; 2114 SSL_CTX_set_tmp_ecdh(ctx, ecdhkey); 2115 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); 2116 EC_KEY_free(ecdhkey); 2117 } 2118 2119 if (proto->tlsdhparams > 0) { 2120 /* Enable EDH params (forward secrecy for older clients) */ 2121 SSL_CTX_set_tmp_dh_callback(ctx, relay_tls_callback_dh); 2122 } 2123 2124 if (!SSL_CTX_set_cipher_list(ctx, proto->tlsciphers)) 2125 goto err; 2126 2127 /* Verify the server certificate if we have a CA chain */ 2128 if ((rlay->rl_conf.flags & F_TLSCLIENT) && 2129 (rlay->rl_tls_ca != NULL)) { 2130 if (!SSL_CTX_load_verify_mem(ctx, 2131 rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)) 2132 goto err; 2133 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 2134 } 2135 2136 if ((rlay->rl_conf.flags & F_TLS) == 0) 2137 return (ctx); 2138 2139 log_debug("%s: loading certificate", __func__); 2140 if (!SSL_CTX_use_certificate_chain_mem(ctx, 2141 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len)) 2142 goto err; 2143 2144 log_debug("%s: loading private key", __func__); 2145 if (!ssl_ctx_fake_private_key(ctx, 2146 &rlay->rl_conf.tls_keyid, sizeof(rlay->rl_conf.tls_keyid), 2147 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len, 2148 &rlay->rl_tls_x509, &rlay->rl_tls_pkey)) 2149 goto err; 2150 2151 if (!SSL_CTX_check_private_key(ctx)) 2152 goto err; 2153 2154 if (rlay->rl_conf.tls_cacert_len) { 2155 log_debug("%s: loading CA private key", __func__); 2156 if (!ssl_load_pkey(&rlay->rl_conf.tls_cakeyid, 2157 sizeof(rlay->rl_conf.tls_cakeyid), 2158 rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len, 2159 &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey)) 2160 goto err; 2161 } 2162 2163 /* 2164 * Set session ID context to a random value. It needs to be the 2165 * same accross all relay processes or session caching will fail. 2166 */ 2167 if (!SSL_CTX_set_session_id_context(ctx, env->sc_conf.tls_sid, 2168 sizeof(env->sc_conf.tls_sid))) 2169 goto err; 2170 2171 /* The text versions of the keys/certs are not needed anymore */ 2172 purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); 2173 purge_key(&rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len); 2174 2175 return (ctx); 2176 2177 err: 2178 SSL_CTX_free(ctx); 2179 ssl_error(rlay->rl_conf.name, "relay_tls_ctx_create"); 2180 return (NULL); 2181 } 2182 2183 void 2184 relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre) 2185 { 2186 struct relay *rlay = con->se_relay; 2187 struct protocol *proto = rlay->rl_proto; 2188 SSL *ssl; 2189 const SSL_METHOD *method; 2190 void (*cb)(int, short, void *); 2191 u_int flag; 2192 2193 ssl = SSL_new(rlay->rl_ssl_ctx); 2194 if (ssl == NULL) 2195 goto err; 2196 2197 if (cre->dir == RELAY_DIR_REQUEST) { 2198 cb = relay_tls_accept; 2199 method = SSLv23_server_method(); 2200 flag = EV_READ; 2201 2202 /* Use session-specific certificate for TLS inspection. */ 2203 if (cre->tlscert != NULL) 2204 SSL_use_certificate(ssl, cre->tlscert); 2205 } else { 2206 cb = relay_tls_connect; 2207 method = SSLv23_client_method(); 2208 flag = EV_WRITE; 2209 } 2210 2211 if (!SSL_set_ssl_method(ssl, method)) 2212 goto err; 2213 if (!SSL_set_fd(ssl, cre->s)) 2214 goto err; 2215 2216 if (cre->dir == RELAY_DIR_REQUEST) { 2217 if ((proto->tlsflags & TLSFLAG_CLIENT_RENEG) == 0) 2218 /* Only allow negotiation during the first handshake */ 2219 cre->tlsreneg_state = TLSRENEG_INIT; 2220 else 2221 /* Allow client initiated renegotiations */ 2222 cre->tlsreneg_state = TLSRENEG_ALLOW; 2223 SSL_set_accept_state(ssl); 2224 } else { 2225 /* Always allow renegotiations if we're the client */ 2226 cre->tlsreneg_state = TLSRENEG_ALLOW; 2227 SSL_set_connect_state(ssl); 2228 } 2229 2230 SSL_set_app_data(ssl, cre); 2231 cre->ssl = ssl; 2232 2233 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2234 (flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2235 event_again(&con->se_ev, cre->s, EV_TIMEOUT|flag, cb, 2236 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2237 return; 2238 2239 err: 2240 SSL_free(ssl); 2241 ssl_error(rlay->rl_conf.name, "relay_tls_transaction"); 2242 relay_close(con, "session tls failed"); 2243 } 2244 2245 void 2246 relay_tls_accept(int fd, short event, void *arg) 2247 { 2248 struct rsession *con = arg; 2249 struct relay *rlay = con->se_relay; 2250 int retry_flag = 0; 2251 int tls_err = 0; 2252 int ret; 2253 2254 if (event == EV_TIMEOUT) { 2255 relay_close(con, "TLS accept timeout"); 2256 return; 2257 } 2258 2259 ret = SSL_accept(con->se_in.ssl); 2260 if (ret <= 0) { 2261 tls_err = SSL_get_error(con->se_in.ssl, ret); 2262 2263 switch (tls_err) { 2264 case SSL_ERROR_WANT_READ: 2265 retry_flag = EV_READ; 2266 goto retry; 2267 case SSL_ERROR_WANT_WRITE: 2268 retry_flag = EV_WRITE; 2269 goto retry; 2270 case SSL_ERROR_ZERO_RETURN: 2271 case SSL_ERROR_SYSCALL: 2272 if (ret == 0) { 2273 relay_close(con, "closed"); 2274 return; 2275 } 2276 /* FALLTHROUGH */ 2277 default: 2278 ssl_error(rlay->rl_conf.name, "relay_tls_accept"); 2279 relay_close(con, "TLS accept error"); 2280 return; 2281 } 2282 } 2283 2284 2285 #ifdef DEBUG 2286 log_info( 2287 #else 2288 log_debug( 2289 #endif 2290 "relay %s, session %d established (%d active)", 2291 rlay->rl_conf.name, con->se_id, relay_sessions); 2292 2293 relay_session(con); 2294 return; 2295 2296 retry: 2297 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2298 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2299 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_accept, 2300 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2301 } 2302 2303 void 2304 relay_tls_connect(int fd, short event, void *arg) 2305 { 2306 struct rsession *con = arg; 2307 struct relay *rlay = con->se_relay; 2308 int retry_flag = 0; 2309 int tls_err = 0; 2310 int ret; 2311 X509 *servercert = NULL; 2312 2313 if (event == EV_TIMEOUT) { 2314 relay_close(con, "TLS connect timeout"); 2315 return; 2316 } 2317 2318 ret = SSL_connect(con->se_out.ssl); 2319 if (ret <= 0) { 2320 tls_err = SSL_get_error(con->se_out.ssl, ret); 2321 2322 switch (tls_err) { 2323 case SSL_ERROR_WANT_READ: 2324 retry_flag = EV_READ; 2325 goto retry; 2326 case SSL_ERROR_WANT_WRITE: 2327 retry_flag = EV_WRITE; 2328 goto retry; 2329 case SSL_ERROR_ZERO_RETURN: 2330 case SSL_ERROR_SYSCALL: 2331 if (ret == 0) { 2332 relay_close(con, "closed"); 2333 return; 2334 } 2335 /* FALLTHROUGH */ 2336 default: 2337 ssl_error(rlay->rl_conf.name, "relay_tls_connect"); 2338 relay_close(con, "TLS connect error"); 2339 return; 2340 } 2341 } 2342 2343 #ifdef DEBUG 2344 log_info( 2345 #else 2346 log_debug( 2347 #endif 2348 "relay %s, tls session %d connected (%d active)", 2349 rlay->rl_conf.name, con->se_id, relay_sessions); 2350 2351 if (rlay->rl_conf.flags & F_TLSINSPECT) { 2352 if ((servercert = 2353 SSL_get_peer_certificate(con->se_out.ssl)) != NULL) { 2354 con->se_in.tlscert = 2355 ssl_update_certificate(servercert, 2356 rlay->rl_tls_pkey, rlay->rl_tls_capkey, 2357 rlay->rl_tls_cacertx509); 2358 } else 2359 con->se_in.tlscert = NULL; 2360 if (servercert != NULL) 2361 X509_free(servercert); 2362 if (con->se_in.tlscert == NULL) 2363 relay_close(con, "could not create certificate"); 2364 else 2365 relay_session(con); 2366 return; 2367 } 2368 2369 relay_connected(fd, EV_WRITE, con); 2370 return; 2371 2372 retry: 2373 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2374 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2375 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_connect, 2376 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2377 } 2378 2379 void 2380 relay_tls_connected(struct ctl_relay_event *cre) 2381 { 2382 /* 2383 * Hack libevent - we overwrite the internal bufferevent I/O 2384 * functions to handle the TLS abstraction. 2385 */ 2386 event_set(&cre->bev->ev_read, cre->s, EV_READ, 2387 relay_tls_readcb, cre->bev); 2388 event_set(&cre->bev->ev_write, cre->s, EV_WRITE, 2389 relay_tls_writecb, cre->bev); 2390 } 2391 2392 void 2393 relay_tls_readcb(int fd, short event, void *arg) 2394 { 2395 char rbuf[IBUF_READ_SIZE]; 2396 struct bufferevent *bufev = arg; 2397 struct ctl_relay_event *cre = bufev->cbarg; 2398 struct rsession *con = cre->con; 2399 struct relay *rlay = con->se_relay; 2400 int ret = 0, tls_err = 0; 2401 short what = EVBUFFER_READ; 2402 int howmuch = IBUF_READ_SIZE; 2403 size_t len; 2404 2405 if (event == EV_TIMEOUT) { 2406 what |= EVBUFFER_TIMEOUT; 2407 goto err; 2408 } 2409 2410 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2411 what |= EVBUFFER_ERROR; 2412 goto err; 2413 } 2414 2415 if (bufev->wm_read.high != 0) 2416 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 2417 2418 ret = SSL_read(cre->ssl, rbuf, howmuch); 2419 if (ret <= 0) { 2420 tls_err = SSL_get_error(cre->ssl, ret); 2421 2422 switch (tls_err) { 2423 case SSL_ERROR_WANT_READ: 2424 DPRINTF("%s: session %d: want read", 2425 __func__, con->se_id); 2426 goto retry; 2427 case SSL_ERROR_WANT_WRITE: 2428 DPRINTF("%s: session %d: want write", 2429 __func__, con->se_id); 2430 goto retry; 2431 default: 2432 if (ret == 0) 2433 what |= EVBUFFER_EOF; 2434 else { 2435 ssl_error(rlay->rl_conf.name, 2436 "relay_tls_readcb"); 2437 what |= EVBUFFER_ERROR; 2438 } 2439 goto err; 2440 } 2441 } 2442 2443 if (evbuffer_add(bufev->input, rbuf, ret) == -1) { 2444 what |= EVBUFFER_ERROR; 2445 goto err; 2446 } 2447 2448 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2449 2450 len = EVBUFFER_LENGTH(bufev->input); 2451 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 2452 return; 2453 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 2454 struct evbuffer *buf = bufev->input; 2455 event_del(&bufev->ev_read); 2456 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 2457 return; 2458 } 2459 2460 if (bufev->readcb != NULL) 2461 (*bufev->readcb)(bufev, bufev->cbarg); 2462 return; 2463 2464 retry: 2465 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2466 return; 2467 2468 err: 2469 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2470 } 2471 2472 void 2473 relay_tls_writecb(int fd, short event, void *arg) 2474 { 2475 struct bufferevent *bufev = arg; 2476 struct ctl_relay_event *cre = bufev->cbarg; 2477 struct rsession *con = cre->con; 2478 struct relay *rlay = con->se_relay; 2479 int ret = 0, tls_err; 2480 short what = EVBUFFER_WRITE; 2481 2482 if (event == EV_TIMEOUT) { 2483 what |= EVBUFFER_TIMEOUT; 2484 goto err; 2485 } 2486 2487 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2488 what |= EVBUFFER_ERROR; 2489 goto err; 2490 } 2491 2492 if (EVBUFFER_LENGTH(bufev->output)) { 2493 if (cre->buf == NULL) { 2494 cre->buflen = EVBUFFER_LENGTH(bufev->output); 2495 if ((cre->buf = malloc(cre->buflen)) == NULL) { 2496 what |= EVBUFFER_ERROR; 2497 goto err; 2498 } 2499 bcopy(EVBUFFER_DATA(bufev->output), 2500 cre->buf, cre->buflen); 2501 } 2502 2503 ret = SSL_write(cre->ssl, cre->buf, cre->buflen); 2504 if (ret <= 0) { 2505 tls_err = SSL_get_error(cre->ssl, ret); 2506 2507 switch (tls_err) { 2508 case SSL_ERROR_WANT_READ: 2509 DPRINTF("%s: session %d: want read", 2510 __func__, con->se_id); 2511 goto retry; 2512 case SSL_ERROR_WANT_WRITE: 2513 DPRINTF("%s: session %d: want write", 2514 __func__, con->se_id); 2515 goto retry; 2516 default: 2517 if (ret == 0) 2518 what |= EVBUFFER_EOF; 2519 else { 2520 ssl_error(rlay->rl_conf.name, 2521 "relay_tls_writecb"); 2522 what |= EVBUFFER_ERROR; 2523 } 2524 goto err; 2525 } 2526 } 2527 evbuffer_drain(bufev->output, ret); 2528 } 2529 if (cre->buf != NULL) { 2530 free(cre->buf); 2531 cre->buf = NULL; 2532 cre->buflen = 0; 2533 } 2534 2535 if (EVBUFFER_LENGTH(bufev->output) != 0) 2536 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2537 2538 if (bufev->writecb != NULL && 2539 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 2540 (*bufev->writecb)(bufev, bufev->cbarg); 2541 return; 2542 2543 retry: 2544 if (cre->buflen != 0) 2545 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2546 return; 2547 2548 err: 2549 if (cre->buf != NULL) { 2550 free(cre->buf); 2551 cre->buf = NULL; 2552 cre->buflen = 0; 2553 } 2554 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2555 } 2556 2557 struct tls_ticket * 2558 relay_get_ticket_key(unsigned char *keyname) 2559 { 2560 if (keyname) { 2561 if (timingsafe_memcmp(keyname, 2562 env->sc_tls_ticket_bak.tt_key_name, 2563 sizeof(env->sc_tls_ticket_bak.tt_key_name)) == 0) 2564 return &env->sc_tls_ticket_bak; 2565 if (timingsafe_memcmp(keyname, 2566 env->sc_tls_ticket.tt_key_name, 2567 sizeof(env->sc_tls_ticket.tt_key_name)) == 0) 2568 return &env->sc_tls_ticket; 2569 return NULL; 2570 } 2571 return &env->sc_tls_ticket; 2572 } 2573 2574 int 2575 relay_tls_session_ticket(SSL *ssl, unsigned char *keyname, unsigned char *iv, 2576 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode) 2577 { 2578 struct tls_ticket *key; 2579 2580 if (mode == 1) { 2581 /* create new session */ 2582 key = relay_get_ticket_key(NULL); 2583 memcpy(keyname, key->tt_key_name, sizeof(key->tt_key_name)); 2584 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 2585 EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, 2586 key->tt_aes_key, iv); 2587 HMAC_Init_ex(hctx, key->tt_hmac_key, sizeof(key->tt_hmac_key), 2588 EVP_sha256(), NULL); 2589 return 0; 2590 } else { 2591 /* get key by name */ 2592 key = relay_get_ticket_key(keyname); 2593 if (!key) 2594 return 0; 2595 2596 EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, 2597 key->tt_aes_key, iv); 2598 HMAC_Init_ex(hctx, key->tt_hmac_key, sizeof(key->tt_hmac_key), 2599 EVP_sha256(), NULL); 2600 2601 /* time to renew the ticket? */ 2602 if (key->tt_backup) { 2603 return 2; 2604 } 2605 return 1; 2606 } 2607 } 2608 2609 int 2610 relay_bufferevent_add(struct event *ev, int timeout) 2611 { 2612 struct timeval tv, *ptv = NULL; 2613 2614 if (timeout) { 2615 timerclear(&tv); 2616 tv.tv_sec = timeout; 2617 ptv = &tv; 2618 } 2619 2620 return (event_add(ev, ptv)); 2621 } 2622 2623 #ifdef notyet 2624 int 2625 relay_bufferevent_printf(struct ctl_relay_event *cre, const char *fmt, ...) 2626 { 2627 int ret; 2628 va_list ap; 2629 2630 va_start(ap, fmt); 2631 ret = evbuffer_add_vprintf(cre->output, fmt, ap); 2632 va_end(ap); 2633 2634 if (cre->bev != NULL && 2635 ret != -1 && EVBUFFER_LENGTH(cre->output) > 0 && 2636 (cre->bev->enabled & EV_WRITE)) 2637 bufferevent_enable(cre->bev, EV_WRITE); 2638 2639 return (ret); 2640 } 2641 #endif 2642 2643 int 2644 relay_bufferevent_print(struct ctl_relay_event *cre, const char *str) 2645 { 2646 if (cre->bev == NULL) 2647 return (evbuffer_add(cre->output, str, strlen(str))); 2648 return (bufferevent_write(cre->bev, str, strlen(str))); 2649 } 2650 2651 int 2652 relay_bufferevent_write_buffer(struct ctl_relay_event *cre, 2653 struct evbuffer *buf) 2654 { 2655 if (cre->bev == NULL) 2656 return (evbuffer_add_buffer(cre->output, buf)); 2657 return (bufferevent_write_buffer(cre->bev, buf)); 2658 } 2659 2660 int 2661 relay_bufferevent_write_chunk(struct ctl_relay_event *cre, 2662 struct evbuffer *buf, size_t size) 2663 { 2664 int ret; 2665 ret = relay_bufferevent_write(cre, buf->buffer, size); 2666 if (ret != -1) 2667 evbuffer_drain(buf, size); 2668 return (ret); 2669 } 2670 2671 int 2672 relay_bufferevent_write(struct ctl_relay_event *cre, void *data, size_t size) 2673 { 2674 if (cre->bev == NULL) 2675 return (evbuffer_add(cre->output, data, size)); 2676 return (bufferevent_write(cre->bev, data, size)); 2677 } 2678 2679 int 2680 relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b) 2681 { 2682 int ret = -1; 2683 struct sockaddr_in ia, ib; 2684 struct sockaddr_in6 ia6, ib6; 2685 2686 switch (a->ss_family) { 2687 case AF_INET: 2688 bcopy(a, &ia, sizeof(struct sockaddr_in)); 2689 bcopy(b, &ib, sizeof(struct sockaddr_in)); 2690 2691 ret = memcmp(&ia.sin_addr, &ib.sin_addr, 2692 sizeof(ia.sin_addr)); 2693 if (ret == 0) 2694 ret = memcmp(&ia.sin_port, &ib.sin_port, 2695 sizeof(ia.sin_port)); 2696 break; 2697 case AF_INET6: 2698 bcopy(a, &ia6, sizeof(struct sockaddr_in6)); 2699 bcopy(b, &ib6, sizeof(struct sockaddr_in6)); 2700 2701 ret = memcmp(&ia6.sin6_addr, &ib6.sin6_addr, 2702 sizeof(ia6.sin6_addr)); 2703 if (ret == 0) 2704 ret = memcmp(&ia6.sin6_port, &ib6.sin6_port, 2705 sizeof(ia6.sin6_port)); 2706 break; 2707 default: 2708 break; 2709 } 2710 2711 return (ret); 2712 } 2713 2714 char * 2715 relay_load_file(const char *name, off_t *len) 2716 { 2717 struct stat st; 2718 off_t size; 2719 u_int8_t *buf = NULL; 2720 int fd; 2721 2722 if ((fd = open(name, O_RDONLY)) == -1) 2723 return (NULL); 2724 if (fstat(fd, &st) != 0) 2725 goto fail; 2726 size = st.st_size; 2727 if ((buf = calloc(1, size + 1)) == NULL) 2728 goto fail; 2729 if (read(fd, buf, size) != size) 2730 goto fail; 2731 2732 close(fd); 2733 2734 *len = size; 2735 return (buf); 2736 2737 fail: 2738 free(buf); 2739 close(fd); 2740 return (NULL); 2741 } 2742 2743 int 2744 relay_load_certfiles(struct relay *rlay) 2745 { 2746 char certfile[PATH_MAX]; 2747 char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")]; 2748 struct protocol *proto = rlay->rl_proto; 2749 int useport = htons(rlay->rl_conf.port); 2750 2751 if (rlay->rl_conf.flags & F_TLSCLIENT) { 2752 if (strlen(proto->tlsca)) { 2753 if ((rlay->rl_tls_ca = 2754 relay_load_file(proto->tlsca, 2755 &rlay->rl_conf.tls_ca_len)) == NULL) 2756 return (-1); 2757 log_debug("%s: using ca %s", __func__, proto->tlsca); 2758 } 2759 if (strlen(proto->tlscacert)) { 2760 if ((rlay->rl_tls_cacert = 2761 relay_load_file(proto->tlscacert, 2762 &rlay->rl_conf.tls_cacert_len)) == NULL) 2763 return (-1); 2764 log_debug("%s: using ca certificate %s", __func__, 2765 proto->tlscacert); 2766 } 2767 if (strlen(proto->tlscakey) && proto->tlscapass != NULL) { 2768 if ((rlay->rl_tls_cakey = 2769 ssl_load_key(env, proto->tlscakey, 2770 &rlay->rl_conf.tls_cakey_len, 2771 proto->tlscapass)) == NULL) 2772 return (-1); 2773 log_debug("%s: using ca key %s", __func__, 2774 proto->tlscakey); 2775 } 2776 } 2777 2778 if ((rlay->rl_conf.flags & F_TLS) == 0) 2779 return (0); 2780 2781 if (print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 2782 return (-1); 2783 2784 if (snprintf(certfile, sizeof(certfile), 2785 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 2786 return (-1); 2787 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2788 &rlay->rl_conf.tls_cert_len)) == NULL) { 2789 if (snprintf(certfile, sizeof(certfile), 2790 "/etc/ssl/%s.crt", hbuf) == -1) 2791 return (-1); 2792 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2793 &rlay->rl_conf.tls_cert_len)) == NULL) 2794 return (-1); 2795 useport = 0; 2796 } 2797 log_debug("%s: using certificate %s", __func__, certfile); 2798 2799 if (useport) { 2800 if (snprintf(certfile, sizeof(certfile), 2801 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 2802 return -1; 2803 } else { 2804 if (snprintf(certfile, sizeof(certfile), 2805 "/etc/ssl/private/%s.key", hbuf) == -1) 2806 return -1; 2807 } 2808 if ((rlay->rl_tls_key = ssl_load_key(env, certfile, 2809 &rlay->rl_conf.tls_key_len, NULL)) == NULL) 2810 return (-1); 2811 log_debug("%s: using private key %s", __func__, certfile); 2812 2813 return (0); 2814 } 2815 2816 int 2817 relay_session_cmp(struct rsession *a, struct rsession *b) 2818 { 2819 struct relay *rlay = b->se_relay; 2820 struct protocol *proto = rlay->rl_proto; 2821 2822 if (proto != NULL && proto->cmp != NULL) 2823 return ((*proto->cmp)(a, b)); 2824 2825 return ((int)a->se_id - b->se_id); 2826 } 2827 2828 void 2829 relay_log(struct rsession *con, char *msg) 2830 { 2831 if (con->se_haslog && con->se_log != NULL) { 2832 evbuffer_add(con->se_log, msg, strlen(msg)); 2833 } 2834 } 2835 2836 SPLAY_GENERATE(session_tree, rsession, se_nodes, relay_session_cmp); 2837