1 /* $OpenBSD: relay.c,v 1.207 2016/09/01 10:49:48 claudio Exp $ */ 2 3 /* 4 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/types.h> 20 #include <sys/queue.h> 21 #include <sys/time.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/tree.h> 25 26 #include <netinet/in.h> 27 #include <netinet/tcp.h> 28 #include <arpa/inet.h> 29 30 #include <limits.h> 31 #include <poll.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <errno.h> 35 #include <fcntl.h> 36 #include <string.h> 37 #include <unistd.h> 38 #include <event.h> 39 #include <siphash.h> 40 #include <imsg.h> 41 42 #include <openssl/dh.h> 43 #include <openssl/ssl.h> 44 45 #include "relayd.h" 46 47 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 48 49 void relay_statistics(int, short, void *); 50 int relay_dispatch_parent(int, struct privsep_proc *, 51 struct imsg *); 52 int relay_dispatch_pfe(int, struct privsep_proc *, 53 struct imsg *); 54 int relay_dispatch_ca(int, struct privsep_proc *, 55 struct imsg *); 56 int relay_dispatch_hce(int, struct privsep_proc *, 57 struct imsg *); 58 void relay_shutdown(void); 59 60 void relay_protodebug(struct relay *); 61 void relay_ruledebug(struct relay_rule *); 62 void relay_init(struct privsep *, struct privsep_proc *p, void *); 63 void relay_launch(void); 64 int relay_socket(struct sockaddr_storage *, in_port_t, 65 struct protocol *, int, int); 66 int relay_socket_listen(struct sockaddr_storage *, in_port_t, 67 struct protocol *); 68 int relay_socket_connect(struct sockaddr_storage *, in_port_t, 69 struct protocol *, int); 70 71 void relay_accept(int, short, void *); 72 void relay_input(struct rsession *); 73 74 void relay_hash_addr(SIPHASH_CTX *, struct sockaddr_storage *, int); 75 76 DH * relay_tls_get_dhparams(int); 77 void relay_tls_callback_info(const SSL *, int, int); 78 DH *relay_tls_callback_dh(SSL *, int, int); 79 SSL_CTX *relay_tls_ctx_create(struct relay *); 80 void relay_tls_transaction(struct rsession *, 81 struct ctl_relay_event *); 82 void relay_tls_accept(int, short, void *); 83 void relay_connect_retry(int, short, void *); 84 void relay_tls_connect(int, short, void *); 85 void relay_tls_connected(struct ctl_relay_event *); 86 void relay_tls_readcb(int, short, void *); 87 void relay_tls_writecb(int, short, void *); 88 89 struct tls_ticket *relay_get_ticket_key(unsigned char [16]); 90 int relay_tls_session_ticket(SSL *, unsigned char [16], 91 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int); 92 93 char *relay_load_file(const char *, off_t *); 94 extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 95 size_t, void *); 96 97 volatile int relay_sessions; 98 volatile int relay_inflight = 0; 99 objid_t relay_conid; 100 101 static struct relayd *env = NULL; 102 int proc_id; 103 104 static struct privsep_proc procs[] = { 105 { "parent", PROC_PARENT, relay_dispatch_parent }, 106 { "pfe", PROC_PFE, relay_dispatch_pfe }, 107 { "ca", PROC_CA, relay_dispatch_ca }, 108 { "hce", PROC_HCE, relay_dispatch_hce }, 109 }; 110 111 pid_t 112 relay(struct privsep *ps, struct privsep_proc *p) 113 { 114 pid_t pid; 115 116 env = ps->ps_env; 117 pid = proc_run(ps, p, procs, nitems(procs), relay_init, NULL); 118 relay_http(env); 119 return (pid); 120 } 121 122 void 123 relay_shutdown(void) 124 { 125 config_purge(env, CONFIG_ALL); 126 usleep(200); /* XXX relay needs to shutdown last */ 127 } 128 129 void 130 relay_ruledebug(struct relay_rule *rule) 131 { 132 struct kv *kv = NULL; 133 u_int i; 134 135 fprintf(stderr, "\t\t"); 136 137 switch (rule->rule_action) { 138 case RULE_ACTION_MATCH: 139 fprintf(stderr, "match "); 140 break; 141 case RULE_ACTION_BLOCK: 142 fprintf(stderr, "block "); 143 break; 144 case RULE_ACTION_PASS: 145 fprintf(stderr, "pass "); 146 break; 147 } 148 149 switch (rule->rule_dir) { 150 case RELAY_DIR_ANY: 151 break; 152 case RELAY_DIR_REQUEST: 153 fprintf(stderr, "request "); 154 break; 155 case RELAY_DIR_RESPONSE: 156 fprintf(stderr, "response "); 157 break; 158 default: 159 return; 160 /* NOTREACHED */ 161 break; 162 } 163 164 if (rule->rule_flags & RULE_FLAG_QUICK) 165 fprintf(stderr, "quick "); 166 167 for (i = 1; i < KEY_TYPE_MAX; i++) { 168 kv = &rule->rule_kv[i]; 169 if (kv->kv_type != i) 170 continue; 171 172 switch (kv->kv_type) { 173 case KEY_TYPE_COOKIE: 174 fprintf(stderr, "cookie "); 175 break; 176 case KEY_TYPE_HEADER: 177 fprintf(stderr, "header "); 178 break; 179 case KEY_TYPE_PATH: 180 fprintf(stderr, "path "); 181 break; 182 case KEY_TYPE_QUERY: 183 fprintf(stderr, "query "); 184 break; 185 case KEY_TYPE_URL: 186 fprintf(stderr, "url "); 187 break; 188 default: 189 continue; 190 } 191 192 switch (kv->kv_option) { 193 case KEY_OPTION_APPEND: 194 fprintf(stderr, "append "); 195 break; 196 case KEY_OPTION_SET: 197 fprintf(stderr, "set "); 198 break; 199 case KEY_OPTION_REMOVE: 200 fprintf(stderr, "remove "); 201 break; 202 case KEY_OPTION_HASH: 203 fprintf(stderr, "hash "); 204 break; 205 case KEY_OPTION_LOG: 206 fprintf(stderr, "log "); 207 break; 208 case KEY_OPTION_NONE: 209 break; 210 } 211 212 switch (kv->kv_digest) { 213 case DIGEST_SHA1: 214 case DIGEST_MD5: 215 fprintf(stderr, "digest "); 216 break; 217 default: 218 break; 219 } 220 221 fprintf(stderr, "%s%s%s%s%s%s ", 222 kv->kv_key == NULL ? "" : "\"", 223 kv->kv_key == NULL ? "" : kv->kv_key, 224 kv->kv_key == NULL ? "" : "\"", 225 kv->kv_value == NULL ? "" : " value \"", 226 kv->kv_value == NULL ? "" : kv->kv_value, 227 kv->kv_value == NULL ? "" : "\""); 228 } 229 230 if (rule->rule_tablename[0]) 231 fprintf(stderr, "forward to <%s> ", rule->rule_tablename); 232 233 if (rule->rule_tag == -1) 234 fprintf(stderr, "no tag "); 235 else if (rule->rule_tag && rule->rule_tagname[0]) 236 fprintf(stderr, "tag \"%s\" ", 237 rule->rule_tagname); 238 239 if (rule->rule_tagged && rule->rule_taggedname[0]) 240 fprintf(stderr, "tagged \"%s\" ", 241 rule->rule_taggedname); 242 243 if (rule->rule_label == -1) 244 fprintf(stderr, "no label "); 245 else if (rule->rule_label && rule->rule_labelname[0]) 246 fprintf(stderr, "label \"%s\" ", 247 rule->rule_labelname); 248 249 fprintf(stderr, "\n"); 250 } 251 252 void 253 relay_protodebug(struct relay *rlay) 254 { 255 struct protocol *proto = rlay->rl_proto; 256 struct relay_rule *rule = NULL; 257 258 fprintf(stderr, "protocol %d: name %s\n", 259 proto->id, proto->name); 260 fprintf(stderr, "\tflags: %s, relay flags: %s\n", 261 printb_flags(proto->flags, F_BITS), 262 printb_flags(rlay->rl_conf.flags, F_BITS)); 263 if (proto->tcpflags) 264 fprintf(stderr, "\ttcp flags: %s\n", 265 printb_flags(proto->tcpflags, TCPFLAG_BITS)); 266 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && proto->tlsflags) 267 fprintf(stderr, "\ttls flags: %s\n", 268 printb_flags(proto->tlsflags, TLSFLAG_BITS)); 269 fprintf(stderr, "\ttls session tickets: %s\n", 270 (proto->tickets > -1) ? "enabled" : "disabled"); 271 fprintf(stderr, "\ttype: "); 272 switch (proto->type) { 273 case RELAY_PROTO_TCP: 274 fprintf(stderr, "tcp\n"); 275 break; 276 case RELAY_PROTO_HTTP: 277 fprintf(stderr, "http\n"); 278 break; 279 case RELAY_PROTO_DNS: 280 fprintf(stderr, "dns\n"); 281 break; 282 } 283 284 rule = TAILQ_FIRST(&proto->rules); 285 while (rule != NULL) { 286 relay_ruledebug(rule); 287 rule = TAILQ_NEXT(rule, rule_entry); 288 } 289 } 290 291 int 292 relay_privinit(struct relay *rlay) 293 { 294 extern int debug; 295 296 log_debug("%s: adding relay %s", __func__, rlay->rl_conf.name); 297 298 if (debug) 299 relay_protodebug(rlay); 300 301 switch (rlay->rl_proto->type) { 302 case RELAY_PROTO_DNS: 303 relay_udp_privinit(env, rlay); 304 break; 305 case RELAY_PROTO_TCP: 306 break; 307 case RELAY_PROTO_HTTP: 308 break; 309 } 310 311 if (rlay->rl_conf.flags & F_UDP) 312 rlay->rl_s = relay_udp_bind(&rlay->rl_conf.ss, 313 rlay->rl_conf.port, rlay->rl_proto); 314 else 315 rlay->rl_s = relay_socket_listen(&rlay->rl_conf.ss, 316 rlay->rl_conf.port, rlay->rl_proto); 317 if (rlay->rl_s == -1) 318 return (-1); 319 320 return (0); 321 } 322 323 void 324 relay_init(struct privsep *ps, struct privsep_proc *p, void *arg) 325 { 326 struct timeval tv; 327 328 if (config_init(ps->ps_env) == -1) 329 fatal("failed to initialize configuration"); 330 331 /* Set to current prefork id */ 332 proc_id = p->p_instance; 333 334 /* We use a custom shutdown callback */ 335 p->p_shutdown = relay_shutdown; 336 337 /* Unlimited file descriptors (use system limits) */ 338 socket_rlimit(-1); 339 340 if (pledge("stdio recvfd inet", NULL) == -1) 341 fatal("pledge"); 342 343 /* Schedule statistics timer */ 344 evtimer_set(&env->sc_statev, relay_statistics, NULL); 345 bcopy(&env->sc_statinterval, &tv, sizeof(tv)); 346 evtimer_add(&env->sc_statev, &tv); 347 } 348 349 void 350 relay_session_publish(struct rsession *s) 351 { 352 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_PUBLISH, s, sizeof(*s)); 353 } 354 355 void 356 relay_session_unpublish(struct rsession *s) 357 { 358 proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_UNPUBLISH, 359 &s->se_id, sizeof(s->se_id)); 360 } 361 362 void 363 relay_statistics(int fd, short events, void *arg) 364 { 365 struct relay *rlay; 366 struct ctl_stats crs, *cur; 367 struct timeval tv, tv_now; 368 int resethour = 0, resetday = 0; 369 struct rsession *con, *next_con; 370 371 /* 372 * This is a hack to calculate some average statistics. 373 * It doesn't try to be very accurate, but could be improved... 374 */ 375 376 timerclear(&tv); 377 getmonotime(&tv_now); 378 379 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 380 bzero(&crs, sizeof(crs)); 381 resethour = resetday = 0; 382 383 cur = &rlay->rl_stats[proc_id]; 384 cur->cnt += cur->last; 385 cur->tick++; 386 cur->avg = (cur->last + cur->avg) / 2; 387 cur->last_hour += cur->last; 388 if ((cur->tick % (3600 / env->sc_statinterval.tv_sec)) == 0) { 389 cur->avg_hour = (cur->last_hour + cur->avg_hour) / 2; 390 resethour++; 391 } 392 cur->last_day += cur->last; 393 if ((cur->tick % (86400 / env->sc_statinterval.tv_sec)) == 0) { 394 cur->avg_day = (cur->last_day + cur->avg_day) / 2; 395 resethour++; 396 } 397 bcopy(cur, &crs, sizeof(crs)); 398 399 cur->last = 0; 400 if (resethour) 401 cur->last_hour = 0; 402 if (resetday) 403 cur->last_day = 0; 404 405 crs.id = rlay->rl_conf.id; 406 crs.proc = proc_id; 407 proc_compose(env->sc_ps, PROC_PFE, IMSG_STATISTICS, 408 &crs, sizeof(crs)); 409 410 for (con = SPLAY_ROOT(&rlay->rl_sessions); 411 con != NULL; con = next_con) { 412 next_con = SPLAY_NEXT(session_tree, 413 &rlay->rl_sessions, con); 414 timersub(&tv_now, &con->se_tv_last, &tv); 415 if (timercmp(&tv, &rlay->rl_conf.timeout, >=)) 416 relay_close(con, "hard timeout"); 417 } 418 } 419 420 /* Schedule statistics timer */ 421 evtimer_set(&env->sc_statev, relay_statistics, NULL); 422 bcopy(&env->sc_statinterval, &tv, sizeof(tv)); 423 evtimer_add(&env->sc_statev, &tv); 424 } 425 426 void 427 relay_launch(void) 428 { 429 void (*callback)(int, short, void *); 430 struct relay *rlay; 431 struct host *host; 432 struct relay_table *rlt; 433 434 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 435 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && 436 (rlay->rl_ssl_ctx = relay_tls_ctx_create(rlay)) == NULL) 437 fatal("relay_init: failed to create TLS context"); 438 439 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 440 /* 441 * set rule->rule_table in advance and save time 442 * looking up for this later on rule/connection 443 * evalution 444 */ 445 rule_settable(&rlay->rl_proto->rules, rlt); 446 447 rlt->rlt_index = 0; 448 rlt->rlt_nhosts = 0; 449 TAILQ_FOREACH(host, &rlt->rlt_table->hosts, entry) { 450 if (rlt->rlt_nhosts >= RELAY_MAXHOSTS) 451 fatal("relay_init: " 452 "too many hosts in table"); 453 host->idx = rlt->rlt_nhosts; 454 rlt->rlt_host[rlt->rlt_nhosts++] = host; 455 } 456 log_info("adding %d hosts from table %s%s", 457 rlt->rlt_nhosts, rlt->rlt_table->conf.name, 458 rlt->rlt_table->conf.check ? "" : " (no check)"); 459 } 460 461 switch (rlay->rl_proto->type) { 462 case RELAY_PROTO_DNS: 463 relay_udp_init(rlay); 464 break; 465 case RELAY_PROTO_TCP: 466 case RELAY_PROTO_HTTP: 467 relay_http_init(rlay); 468 /* Use defaults */ 469 break; 470 } 471 472 log_debug("%s: running relay %s", __func__, 473 rlay->rl_conf.name); 474 475 rlay->rl_up = HOST_UP; 476 477 if (rlay->rl_conf.flags & F_UDP) 478 callback = relay_udp_server; 479 else 480 callback = relay_accept; 481 482 event_set(&rlay->rl_ev, rlay->rl_s, EV_READ, 483 callback, rlay); 484 event_add(&rlay->rl_ev, NULL); 485 evtimer_set(&rlay->rl_evt, callback, rlay); 486 } 487 } 488 489 int 490 relay_socket_af(struct sockaddr_storage *ss, in_port_t port) 491 { 492 switch (ss->ss_family) { 493 case AF_INET: 494 ((struct sockaddr_in *)ss)->sin_port = port; 495 ((struct sockaddr_in *)ss)->sin_len = 496 sizeof(struct sockaddr_in); 497 break; 498 case AF_INET6: 499 ((struct sockaddr_in6 *)ss)->sin6_port = port; 500 ((struct sockaddr_in6 *)ss)->sin6_len = 501 sizeof(struct sockaddr_in6); 502 break; 503 default: 504 return (-1); 505 } 506 507 return (0); 508 } 509 510 in_port_t 511 relay_socket_getport(struct sockaddr_storage *ss) 512 { 513 switch (ss->ss_family) { 514 case AF_INET: 515 return (((struct sockaddr_in *)ss)->sin_port); 516 case AF_INET6: 517 return (((struct sockaddr_in6 *)ss)->sin6_port); 518 default: 519 return (0); 520 } 521 522 /* NOTREACHED */ 523 return (0); 524 } 525 526 int 527 relay_socket(struct sockaddr_storage *ss, in_port_t port, 528 struct protocol *proto, int fd, int reuseport) 529 { 530 struct linger lng; 531 int s = -1, val; 532 533 if (relay_socket_af(ss, port) == -1) 534 goto bad; 535 536 s = fd == -1 ? socket(ss->ss_family, 537 SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP) : fd; 538 if (s == -1) 539 goto bad; 540 541 /* 542 * Socket options 543 */ 544 bzero(&lng, sizeof(lng)); 545 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 546 goto bad; 547 if (reuseport) { 548 val = 1; 549 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 550 sizeof(int)) == -1) 551 goto bad; 552 } 553 if (proto->tcpflags & TCPFLAG_BUFSIZ) { 554 val = proto->tcpbufsiz; 555 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 556 &val, sizeof(val)) == -1) 557 goto bad; 558 val = proto->tcpbufsiz; 559 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 560 &val, sizeof(val)) == -1) 561 goto bad; 562 } 563 564 /* 565 * IP options 566 */ 567 if (proto->tcpflags & TCPFLAG_IPTTL) { 568 val = (int)proto->tcpipttl; 569 if (setsockopt(s, IPPROTO_IP, IP_TTL, 570 &val, sizeof(val)) == -1) 571 goto bad; 572 } 573 if (proto->tcpflags & TCPFLAG_IPMINTTL) { 574 val = (int)proto->tcpipminttl; 575 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 576 &val, sizeof(val)) == -1) 577 goto bad; 578 } 579 580 /* 581 * TCP options 582 */ 583 if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 584 if (proto->tcpflags & TCPFLAG_NNODELAY) 585 val = 0; 586 else 587 val = 1; 588 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 589 &val, sizeof(val)) == -1) 590 goto bad; 591 } 592 if (proto->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 593 if (proto->tcpflags & TCPFLAG_NSACK) 594 val = 0; 595 else 596 val = 1; 597 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 598 &val, sizeof(val)) == -1) 599 goto bad; 600 } 601 602 return (s); 603 604 bad: 605 if (s != -1) 606 close(s); 607 return (-1); 608 } 609 610 int 611 relay_socket_connect(struct sockaddr_storage *ss, in_port_t port, 612 struct protocol *proto, int fd) 613 { 614 int s; 615 616 if ((s = relay_socket(ss, port, proto, fd, 0)) == -1) 617 return (-1); 618 619 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 620 if (errno != EINPROGRESS) 621 goto bad; 622 } 623 624 return (s); 625 626 bad: 627 close(s); 628 return (-1); 629 } 630 631 int 632 relay_socket_listen(struct sockaddr_storage *ss, in_port_t port, 633 struct protocol *proto) 634 { 635 int s; 636 637 if ((s = relay_socket(ss, port, proto, -1, 1)) == -1) 638 return (-1); 639 640 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 641 goto bad; 642 if (listen(s, proto->tcpbacklog) == -1) 643 goto bad; 644 645 return (s); 646 647 bad: 648 close(s); 649 return (-1); 650 } 651 652 void 653 relay_connected(int fd, short sig, void *arg) 654 { 655 struct rsession *con = arg; 656 struct relay *rlay = con->se_relay; 657 struct protocol *proto = rlay->rl_proto; 658 evbuffercb outrd = relay_read; 659 evbuffercb outwr = relay_write; 660 struct bufferevent *bev; 661 struct ctl_relay_event *out = &con->se_out; 662 socklen_t len; 663 int error; 664 665 if (sig == EV_TIMEOUT) { 666 relay_abort_http(con, 504, "connect timeout", 0); 667 return; 668 } 669 670 len = sizeof(error); 671 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, 672 &len) == -1 || error) { 673 if (error) 674 errno = error; 675 relay_abort_http(con, 500, "socket error", 0); 676 return; 677 } 678 679 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl == NULL)) { 680 relay_tls_transaction(con, out); 681 return; 682 } 683 684 DPRINTF("%s: session %d: successful", __func__, con->se_id); 685 686 switch (rlay->rl_proto->type) { 687 case RELAY_PROTO_HTTP: 688 if (relay_httpdesc_init(out) == -1) { 689 relay_close(con, 690 "failed to allocate http descriptor"); 691 return; 692 } 693 con->se_out.toread = TOREAD_HTTP_HEADER; 694 outrd = relay_read_http; 695 break; 696 case RELAY_PROTO_TCP: 697 /* Use defaults */ 698 break; 699 default: 700 fatalx("relay_connected: unknown protocol"); 701 } 702 703 /* 704 * Relay <-> Server 705 */ 706 bev = bufferevent_new(fd, outrd, outwr, relay_error, &con->se_out); 707 if (bev == NULL) { 708 relay_abort_http(con, 500, 709 "failed to allocate output buffer event", 0); 710 return; 711 } 712 evbuffer_free(bev->output); 713 bev->output = con->se_out.output; 714 if (bev->output == NULL) 715 fatal("relay_connected: invalid output buffer"); 716 con->se_out.bev = bev; 717 718 /* Initialize the TLS wrapper */ 719 if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl != NULL)) 720 relay_tls_connected(out); 721 722 bufferevent_settimeout(bev, 723 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 724 bufferevent_setwatermark(bev, EV_WRITE, 725 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 726 bufferevent_enable(bev, EV_READ|EV_WRITE); 727 if (con->se_in.bev) 728 bufferevent_enable(con->se_in.bev, EV_READ); 729 730 if (relay_splice(&con->se_out) == -1) 731 relay_close(con, strerror(errno)); 732 } 733 734 void 735 relay_input(struct rsession *con) 736 { 737 struct relay *rlay = con->se_relay; 738 struct protocol *proto = rlay->rl_proto; 739 evbuffercb inrd = relay_read; 740 evbuffercb inwr = relay_write; 741 742 switch (rlay->rl_proto->type) { 743 case RELAY_PROTO_HTTP: 744 if (relay_httpdesc_init(&con->se_in) == -1) { 745 relay_close(con, 746 "failed to allocate http descriptor"); 747 return; 748 } 749 con->se_in.toread = TOREAD_HTTP_HEADER; 750 inrd = relay_read_http; 751 break; 752 case RELAY_PROTO_TCP: 753 /* Use defaults */ 754 break; 755 default: 756 fatalx("relay_input: unknown protocol"); 757 } 758 759 /* 760 * Client <-> Relay 761 */ 762 con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr, 763 relay_error, &con->se_in); 764 if (con->se_in.bev == NULL) { 765 relay_close(con, "failed to allocate input buffer event"); 766 return; 767 } 768 769 /* Initialize the TLS wrapper */ 770 if ((rlay->rl_conf.flags & F_TLS) && con->se_in.ssl != NULL) 771 relay_tls_connected(&con->se_in); 772 773 bufferevent_settimeout(con->se_in.bev, 774 rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); 775 bufferevent_setwatermark(con->se_in.bev, EV_WRITE, 776 RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0); 777 bufferevent_enable(con->se_in.bev, EV_READ|EV_WRITE); 778 779 if (relay_splice(&con->se_in) == -1) 780 relay_close(con, strerror(errno)); 781 } 782 783 void 784 relay_write(struct bufferevent *bev, void *arg) 785 { 786 struct ctl_relay_event *cre = arg; 787 struct rsession *con = cre->con; 788 789 getmonotime(&con->se_tv_last); 790 791 if (con->se_done) 792 goto done; 793 if (relay_splice(cre->dst) == -1) 794 goto fail; 795 if (cre->dst->bev) 796 bufferevent_enable(cre->dst->bev, EV_READ); 797 798 return; 799 done: 800 relay_close(con, "last write (done)"); 801 return; 802 fail: 803 relay_close(con, strerror(errno)); 804 } 805 806 void 807 relay_dump(struct ctl_relay_event *cre, const void *buf, size_t len) 808 { 809 if (!len) 810 return; 811 812 /* 813 * This function will dump the specified message directly 814 * to the underlying session, without waiting for success 815 * of non-blocking events etc. This is useful to print an 816 * error message before gracefully closing the session. 817 */ 818 if (cre->ssl != NULL) 819 (void)SSL_write(cre->ssl, buf, len); 820 else 821 (void)write(cre->s, buf, len); 822 } 823 824 void 825 relay_read(struct bufferevent *bev, void *arg) 826 { 827 struct ctl_relay_event *cre = arg; 828 struct rsession *con = cre->con; 829 struct protocol *proto = con->se_relay->rl_proto; 830 struct evbuffer *src = EVBUFFER_INPUT(bev); 831 832 getmonotime(&con->se_tv_last); 833 cre->timedout = 0; 834 835 if (!EVBUFFER_LENGTH(src)) 836 return; 837 if (relay_bufferevent_write_buffer(cre->dst, src) == -1) 838 goto fail; 839 if (con->se_done) 840 goto done; 841 if (cre->dst->bev) 842 bufferevent_enable(cre->dst->bev, EV_READ); 843 if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) > 844 (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz) 845 bufferevent_disable(bev, EV_READ); 846 847 return; 848 done: 849 relay_close(con, "last read (done)"); 850 return; 851 fail: 852 relay_close(con, strerror(errno)); 853 } 854 855 /* 856 * Splice sockets from cre to cre->dst if applicable. Returns: 857 * -1 socket splicing has failed 858 * 0 socket splicing is currently not possible 859 * 1 socket splicing was successful 860 */ 861 int 862 relay_splice(struct ctl_relay_event *cre) 863 { 864 struct rsession *con = cre->con; 865 struct relay *rlay = con->se_relay; 866 struct protocol *proto = rlay->rl_proto; 867 struct splice sp; 868 869 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) || 870 (proto->tcpflags & TCPFLAG_NSPLICE)) 871 return (0); 872 873 if (cre->splicelen >= 0) 874 return (0); 875 876 /* still not connected */ 877 if (cre->bev == NULL || cre->dst->bev == NULL) 878 return (0); 879 880 if (!(cre->toread == TOREAD_UNLIMITED || cre->toread > 0)) { 881 DPRINTF("%s: session %d: splice dir %d, nothing to read %lld", 882 __func__, con->se_id, cre->dir, cre->toread); 883 return (0); 884 } 885 886 /* do not splice before buffers have not been completely flushed */ 887 if (EVBUFFER_LENGTH(cre->bev->input) || 888 EVBUFFER_LENGTH(cre->dst->bev->output)) { 889 DPRINTF("%s: session %d: splice dir %d, dirty buffer", 890 __func__, con->se_id, cre->dir); 891 bufferevent_disable(cre->bev, EV_READ); 892 return (0); 893 } 894 895 bzero(&sp, sizeof(sp)); 896 sp.sp_fd = cre->dst->s; 897 sp.sp_max = cre->toread > 0 ? cre->toread : 0; 898 bcopy(&rlay->rl_conf.timeout, &sp.sp_idle, sizeof(sp.sp_idle)); 899 if (setsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &sp, sizeof(sp)) == -1) { 900 log_debug("%s: session %d: splice dir %d failed: %s", 901 __func__, con->se_id, cre->dir, strerror(errno)); 902 return (-1); 903 } 904 cre->splicelen = 0; 905 bufferevent_enable(cre->bev, EV_READ); 906 907 DPRINTF("%s: session %d: splice dir %d, maximum %lld, successful", 908 __func__, con->se_id, cre->dir, cre->toread); 909 910 return (1); 911 } 912 913 int 914 relay_splicelen(struct ctl_relay_event *cre) 915 { 916 struct rsession *con = cre->con; 917 off_t len; 918 socklen_t optlen; 919 920 if (cre->splicelen < 0) 921 return (0); 922 923 optlen = sizeof(len); 924 if (getsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &len, &optlen) == -1) { 925 log_debug("%s: session %d: splice dir %d get length failed: %s", 926 __func__, con->se_id, cre->dir, strerror(errno)); 927 return (-1); 928 } 929 930 DPRINTF("%s: session %d: splice dir %d, length %lld", 931 __func__, con->se_id, cre->dir, len); 932 933 if (len > cre->splicelen) { 934 getmonotime(&con->se_tv_last); 935 936 cre->splicelen = len; 937 return (1); 938 } 939 940 return (0); 941 } 942 943 int 944 relay_spliceadjust(struct ctl_relay_event *cre) 945 { 946 if (cre->splicelen < 0) 947 return (0); 948 if (relay_splicelen(cre) == -1) 949 return (-1); 950 if (cre->splicelen > 0 && cre->toread > 0) 951 cre->toread -= cre->splicelen; 952 cre->splicelen = -1; 953 954 return (0); 955 } 956 957 void 958 relay_error(struct bufferevent *bev, short error, void *arg) 959 { 960 struct ctl_relay_event *cre = arg; 961 struct rsession *con = cre->con; 962 struct evbuffer *dst; 963 964 if (error & EVBUFFER_TIMEOUT) { 965 if (cre->splicelen >= 0) { 966 bufferevent_enable(bev, EV_READ); 967 } else if (cre->dst->splicelen >= 0) { 968 switch (relay_splicelen(cre->dst)) { 969 case -1: 970 goto fail; 971 case 0: 972 relay_close(con, "buffer event timeout"); 973 break; 974 case 1: 975 cre->timedout = 1; 976 bufferevent_enable(bev, EV_READ); 977 break; 978 } 979 } else { 980 relay_close(con, "buffer event timeout"); 981 } 982 return; 983 } 984 if (error & EVBUFFER_ERROR && errno == ETIMEDOUT) { 985 if (cre->dst->splicelen >= 0) { 986 switch (relay_splicelen(cre->dst)) { 987 case -1: 988 goto fail; 989 case 0: 990 relay_close(con, "splice timeout"); 991 return; 992 case 1: 993 bufferevent_enable(bev, EV_READ); 994 break; 995 } 996 } else if (cre->dst->timedout) { 997 relay_close(con, "splice timeout"); 998 return; 999 } 1000 if (relay_spliceadjust(cre) == -1) 1001 goto fail; 1002 if (relay_splice(cre) == -1) 1003 goto fail; 1004 return; 1005 } 1006 if (error & EVBUFFER_ERROR && errno == EFBIG) { 1007 if (relay_spliceadjust(cre) == -1) 1008 goto fail; 1009 bufferevent_enable(cre->bev, EV_READ); 1010 return; 1011 } 1012 if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) { 1013 bufferevent_disable(bev, EV_READ|EV_WRITE); 1014 1015 con->se_done = 1; 1016 if (cre->dst->bev != NULL) { 1017 dst = EVBUFFER_OUTPUT(cre->dst->bev); 1018 if (EVBUFFER_LENGTH(dst)) 1019 return; 1020 } else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0) 1021 return; 1022 1023 relay_close(con, "done"); 1024 return; 1025 } 1026 relay_close(con, "buffer event error"); 1027 return; 1028 fail: 1029 relay_close(con, strerror(errno)); 1030 } 1031 1032 void 1033 relay_accept(int fd, short event, void *arg) 1034 { 1035 struct relay *rlay = arg; 1036 struct rsession *con = NULL; 1037 struct ctl_natlook *cnl = NULL; 1038 socklen_t slen; 1039 struct timeval tv; 1040 struct sockaddr_storage ss; 1041 int s = -1; 1042 1043 event_add(&rlay->rl_ev, NULL); 1044 if ((event & EV_TIMEOUT)) 1045 return; 1046 1047 slen = sizeof(ss); 1048 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 1049 &slen, FD_RESERVE, &relay_inflight)) == -1) { 1050 /* 1051 * Pause accept if we are out of file descriptors, or 1052 * libevent will haunt us here too. 1053 */ 1054 if (errno == ENFILE || errno == EMFILE) { 1055 struct timeval evtpause = { 1, 0 }; 1056 1057 event_del(&rlay->rl_ev); 1058 evtimer_add(&rlay->rl_evt, &evtpause); 1059 log_debug("%s: deferring connections", __func__); 1060 } 1061 return; 1062 } 1063 if (relay_sessions >= RELAY_MAX_SESSIONS || 1064 rlay->rl_conf.flags & F_DISABLE) 1065 goto err; 1066 1067 if ((con = calloc(1, sizeof(*con))) == NULL) 1068 goto err; 1069 1070 /* Pre-allocate log buffer */ 1071 con->se_haslog = 0; 1072 con->se_log = evbuffer_new(); 1073 if (con->se_log == NULL) 1074 goto err; 1075 1076 con->se_in.s = s; 1077 con->se_in.ssl = NULL; 1078 con->se_out.s = -1; 1079 con->se_out.ssl = NULL; 1080 con->se_in.dst = &con->se_out; 1081 con->se_out.dst = &con->se_in; 1082 con->se_in.con = con; 1083 con->se_out.con = con; 1084 con->se_in.splicelen = -1; 1085 con->se_out.splicelen = -1; 1086 con->se_in.toread = TOREAD_UNLIMITED; 1087 con->se_out.toread = TOREAD_UNLIMITED; 1088 con->se_relay = rlay; 1089 con->se_id = ++relay_conid; 1090 con->se_relayid = rlay->rl_conf.id; 1091 con->se_pid = getpid(); 1092 con->se_in.dir = RELAY_DIR_REQUEST; 1093 con->se_out.dir = RELAY_DIR_RESPONSE; 1094 con->se_retry = rlay->rl_conf.dstretry; 1095 con->se_bnds = -1; 1096 con->se_out.port = rlay->rl_conf.dstport; 1097 switch (ss.ss_family) { 1098 case AF_INET: 1099 con->se_in.port = ((struct sockaddr_in *)&ss)->sin_port; 1100 break; 1101 case AF_INET6: 1102 con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port; 1103 break; 1104 } 1105 bcopy(&ss, &con->se_in.ss, sizeof(con->se_in.ss)); 1106 1107 getmonotime(&con->se_tv_start); 1108 bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last)); 1109 1110 if (rlay->rl_conf.flags & F_HASHKEY) { 1111 SipHash24_Init(&con->se_siphashctx, 1112 &rlay->rl_conf.hashkey.siphashkey); 1113 } 1114 1115 relay_sessions++; 1116 SPLAY_INSERT(session_tree, &rlay->rl_sessions, con); 1117 relay_session_publish(con); 1118 1119 /* Increment the per-relay session counter */ 1120 rlay->rl_stats[proc_id].last++; 1121 1122 /* Pre-allocate output buffer */ 1123 con->se_out.output = evbuffer_new(); 1124 if (con->se_out.output == NULL) { 1125 relay_close(con, "failed to allocate output buffer"); 1126 return; 1127 } 1128 1129 if (rlay->rl_conf.flags & F_DIVERT) { 1130 slen = sizeof(con->se_out.ss); 1131 if (getsockname(s, (struct sockaddr *)&con->se_out.ss, 1132 &slen) == -1) { 1133 relay_close(con, "peer lookup failed"); 1134 return; 1135 } 1136 con->se_out.port = relay_socket_getport(&con->se_out.ss); 1137 1138 /* Detect loop and fall back to the alternate forward target */ 1139 if (bcmp(&rlay->rl_conf.ss, &con->se_out.ss, 1140 sizeof(con->se_out.ss)) == 0 && 1141 con->se_out.port == rlay->rl_conf.port) 1142 con->se_out.ss.ss_family = AF_UNSPEC; 1143 } else if (rlay->rl_conf.flags & F_NATLOOK) { 1144 if ((cnl = calloc(1, sizeof(*cnl))) == NULL) { 1145 relay_close(con, "failed to allocate nat lookup"); 1146 return; 1147 } 1148 1149 con->se_cnl = cnl; 1150 bzero(cnl, sizeof(*cnl)); 1151 cnl->in = -1; 1152 cnl->id = con->se_id; 1153 cnl->proc = proc_id; 1154 cnl->proto = IPPROTO_TCP; 1155 1156 bcopy(&con->se_in.ss, &cnl->src, sizeof(cnl->src)); 1157 slen = sizeof(cnl->dst); 1158 if (getsockname(s, 1159 (struct sockaddr *)&cnl->dst, &slen) == -1) { 1160 relay_close(con, "failed to get local address"); 1161 return; 1162 } 1163 1164 proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK, 1165 cnl, sizeof(*cnl)); 1166 1167 /* Schedule timeout */ 1168 evtimer_set(&con->se_ev, relay_natlook, con); 1169 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1170 evtimer_add(&con->se_ev, &tv); 1171 return; 1172 } 1173 1174 if (rlay->rl_conf.flags & F_TLSINSPECT) { 1175 relay_preconnect(con); 1176 return; 1177 } 1178 1179 relay_session(con); 1180 return; 1181 err: 1182 if (s != -1) { 1183 close(s); 1184 free(con); 1185 /* 1186 * the session struct was not completely set up, but still 1187 * counted as an inflight session. account for this. 1188 */ 1189 relay_inflight--; 1190 log_debug("%s: inflight decremented, now %d", 1191 __func__, relay_inflight); 1192 } 1193 } 1194 1195 void 1196 relay_hash_addr(SIPHASH_CTX *ctx, struct sockaddr_storage *ss, int portset) 1197 { 1198 struct sockaddr_in *sin4; 1199 struct sockaddr_in6 *sin6; 1200 in_port_t port; 1201 1202 if (ss->ss_family == AF_INET) { 1203 sin4 = (struct sockaddr_in *)ss; 1204 SipHash24_Update(ctx, &sin4->sin_addr, 1205 sizeof(struct in_addr)); 1206 } else { 1207 sin6 = (struct sockaddr_in6 *)ss; 1208 SipHash24_Update(ctx, &sin6->sin6_addr, 1209 sizeof(struct in6_addr)); 1210 } 1211 1212 if (portset != -1) { 1213 port = (in_port_t)portset; 1214 SipHash24_Update(ctx, &port, sizeof(port)); 1215 } 1216 } 1217 1218 int 1219 relay_from_table(struct rsession *con) 1220 { 1221 struct relay *rlay = con->se_relay; 1222 struct host *host = NULL; 1223 struct relay_table *rlt = NULL; 1224 struct table *table = NULL; 1225 int idx = -1; 1226 int cnt = 0; 1227 int maxtries; 1228 u_int64_t p = 0; 1229 1230 /* the table is already selected */ 1231 if (con->se_table != NULL) { 1232 rlt = con->se_table; 1233 table = rlt->rlt_table; 1234 if (table->conf.check && !table->up) 1235 table = NULL; 1236 goto gottable; 1237 } 1238 1239 /* otherwise grep the first active table */ 1240 TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { 1241 table = rlt->rlt_table; 1242 if ((rlt->rlt_flags & F_USED) == 0 || 1243 (table->conf.check && !table->up)) 1244 table = NULL; 1245 else 1246 break; 1247 } 1248 1249 gottable: 1250 if (table == NULL) { 1251 log_debug("%s: session %d: no active hosts", 1252 __func__, con->se_id); 1253 return (-1); 1254 } 1255 1256 switch (rlt->rlt_mode) { 1257 case RELAY_DSTMODE_ROUNDROBIN: 1258 if ((int)rlt->rlt_index >= rlt->rlt_nhosts) 1259 rlt->rlt_index = 0; 1260 idx = (int)rlt->rlt_index; 1261 break; 1262 case RELAY_DSTMODE_RANDOM: 1263 idx = (int)arc4random_uniform(rlt->rlt_nhosts); 1264 break; 1265 case RELAY_DSTMODE_SRCHASH: 1266 /* Source IP address without port */ 1267 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1268 break; 1269 case RELAY_DSTMODE_LOADBALANCE: 1270 /* Source IP address without port */ 1271 relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); 1272 /* FALLTHROUGH */ 1273 case RELAY_DSTMODE_HASH: 1274 /* Local "destination" IP address and port */ 1275 relay_hash_addr(&con->se_siphashctx, &rlay->rl_conf.ss, 1276 rlay->rl_conf.port); 1277 break; 1278 default: 1279 fatalx("relay_from_table: unsupported mode"); 1280 /* NOTREACHED */ 1281 } 1282 if (idx == -1) { 1283 /* handle all hashing algorithms */ 1284 p = SipHash24_End(&con->se_siphashctx); 1285 1286 /* Reset hash context */ 1287 SipHash24_Init(&con->se_siphashctx, 1288 &rlay->rl_conf.hashkey.siphashkey); 1289 1290 maxtries = (rlt->rlt_nhosts < RELAY_MAX_HASH_RETRIES ? 1291 rlt->rlt_nhosts : RELAY_MAX_HASH_RETRIES); 1292 for (cnt = 0; cnt < maxtries; cnt++) { 1293 if ((idx = p % rlt->rlt_nhosts) >= RELAY_MAXHOSTS) 1294 return (-1); 1295 1296 host = rlt->rlt_host[idx]; 1297 1298 DPRINTF("%s: session %d: table %s host %s, " 1299 "p 0x%016llx, idx %d, cnt %d, max %d", 1300 __func__, con->se_id, table->conf.name, 1301 host->conf.name, p, idx, cnt, maxtries); 1302 1303 if (!table->conf.check || host->up == HOST_UP) 1304 goto found; 1305 p = p >> 1; 1306 } 1307 } else { 1308 /* handle all non-hashing algorithms */ 1309 host = rlt->rlt_host[idx]; 1310 DPRINTF("%s: session %d: table %s host %s, p 0x%016llx, idx %d", 1311 __func__, con->se_id, table->conf.name, host->conf.name, p, idx); 1312 } 1313 1314 while (host != NULL) { 1315 DPRINTF("%s: session %d: host %s", __func__, 1316 con->se_id, host->conf.name); 1317 if (!table->conf.check || host->up == HOST_UP) 1318 goto found; 1319 host = TAILQ_NEXT(host, entry); 1320 } 1321 TAILQ_FOREACH(host, &table->hosts, entry) { 1322 DPRINTF("%s: session %d: next host %s", 1323 __func__, con->se_id, host->conf.name); 1324 if (!table->conf.check || host->up == HOST_UP) 1325 goto found; 1326 } 1327 1328 /* Should not happen */ 1329 fatalx("relay_from_table: no active hosts, desynchronized"); 1330 1331 found: 1332 if (rlt->rlt_mode == RELAY_DSTMODE_ROUNDROBIN) 1333 rlt->rlt_index = host->idx + 1; 1334 con->se_retry = host->conf.retry; 1335 con->se_out.port = table->conf.port; 1336 bcopy(&host->conf.ss, &con->se_out.ss, sizeof(con->se_out.ss)); 1337 1338 return (0); 1339 } 1340 1341 void 1342 relay_natlook(int fd, short event, void *arg) 1343 { 1344 struct rsession *con = arg; 1345 struct relay *rlay = con->se_relay; 1346 struct ctl_natlook *cnl = con->se_cnl; 1347 1348 if (cnl == NULL) 1349 fatalx("invalid NAT lookup"); 1350 1351 if (con->se_out.ss.ss_family == AF_UNSPEC && cnl->in == -1 && 1352 rlay->rl_conf.dstss.ss_family == AF_UNSPEC && 1353 TAILQ_EMPTY(&rlay->rl_tables)) { 1354 relay_close(con, "session NAT lookup failed"); 1355 return; 1356 } 1357 if (cnl->in != -1) { 1358 bcopy(&cnl->rdst, &con->se_out.ss, sizeof(con->se_out.ss)); 1359 con->se_out.port = cnl->rdport; 1360 } 1361 free(con->se_cnl); 1362 con->se_cnl = NULL; 1363 1364 relay_session(con); 1365 } 1366 1367 void 1368 relay_session(struct rsession *con) 1369 { 1370 struct relay *rlay = con->se_relay; 1371 struct ctl_relay_event *in = &con->se_in, *out = &con->se_out; 1372 1373 if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 && 1374 out->port == rlay->rl_conf.port) { 1375 log_debug("%s: session %d: looping", __func__, con->se_id); 1376 relay_close(con, "session aborted"); 1377 return; 1378 } 1379 1380 if (rlay->rl_conf.flags & F_UDP) { 1381 /* 1382 * Call the UDP protocol-specific handler 1383 */ 1384 if (rlay->rl_proto->request == NULL) 1385 fatalx("invalide UDP session"); 1386 if ((*rlay->rl_proto->request)(con) == -1) 1387 relay_close(con, "session failed"); 1388 return; 1389 } 1390 1391 if ((rlay->rl_conf.flags & F_TLS) && (in->ssl == NULL)) { 1392 relay_tls_transaction(con, in); 1393 return; 1394 } 1395 1396 if (rlay->rl_proto->type != RELAY_PROTO_HTTP) { 1397 if (rlay->rl_conf.fwdmode == FWD_TRANS) 1398 relay_bindanyreq(con, 0, IPPROTO_TCP); 1399 else if (relay_connect(con) == -1) { 1400 relay_close(con, "session failed"); 1401 return; 1402 } 1403 } 1404 1405 relay_input(con); 1406 } 1407 1408 void 1409 relay_bindanyreq(struct rsession *con, in_port_t port, int proto) 1410 { 1411 struct relay *rlay = con->se_relay; 1412 struct ctl_bindany bnd; 1413 struct timeval tv; 1414 1415 bzero(&bnd, sizeof(bnd)); 1416 bnd.bnd_id = con->se_id; 1417 bnd.bnd_proc = proc_id; 1418 bnd.bnd_port = port; 1419 bnd.bnd_proto = proto; 1420 bcopy(&con->se_in.ss, &bnd.bnd_ss, sizeof(bnd.bnd_ss)); 1421 proc_compose(env->sc_ps, PROC_PARENT, IMSG_BINDANY, 1422 &bnd, sizeof(bnd)); 1423 1424 /* Schedule timeout */ 1425 evtimer_set(&con->se_ev, relay_bindany, con); 1426 bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); 1427 evtimer_add(&con->se_ev, &tv); 1428 } 1429 1430 void 1431 relay_bindany(int fd, short event, void *arg) 1432 { 1433 struct rsession *con = arg; 1434 1435 if (con->se_bnds == -1) { 1436 relay_close(con, "bindany failed, invalid socket"); 1437 return; 1438 } 1439 if (relay_connect(con) == -1) 1440 relay_close(con, "session failed"); 1441 } 1442 1443 void 1444 relay_connect_retry(int fd, short sig, void *arg) 1445 { 1446 struct timeval evtpause = { 1, 0 }; 1447 struct rsession *con = arg; 1448 struct relay *rlay = con->se_relay; 1449 int bnds = -1; 1450 1451 if (relay_inflight < 1) { 1452 log_warnx("relay_connect_retry: no connection in flight"); 1453 relay_inflight = 1; 1454 } 1455 1456 DPRINTF("%s: retry %d of %d, inflight: %d",__func__, 1457 con->se_retrycount, con->se_retry, relay_inflight); 1458 1459 if (sig != EV_TIMEOUT) 1460 fatalx("relay_connect_retry: called without timeout"); 1461 1462 evtimer_del(&con->se_inflightevt); 1463 1464 /* 1465 * XXX we might want to check if the inbound socket is still 1466 * available: client could have closed it while we were waiting? 1467 */ 1468 1469 DPRINTF("%s: got EV_TIMEOUT", __func__); 1470 1471 if (getdtablecount() + FD_RESERVE + 1472 relay_inflight > getdtablesize()) { 1473 if (con->se_retrycount < RELAY_OUTOF_FD_RETRIES) { 1474 evtimer_add(&con->se_inflightevt, &evtpause); 1475 return; 1476 } 1477 /* we waited for RELAY_OUTOF_FD_RETRIES seconds, give up */ 1478 event_add(&rlay->rl_ev, NULL); 1479 relay_abort_http(con, 504, "connection timed out", 0); 1480 return; 1481 } 1482 1483 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1484 /* con->se_bnds cannot be unset */ 1485 bnds = con->se_bnds; 1486 } 1487 1488 retry: 1489 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1490 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1491 log_debug("%s: session %d: " 1492 "forward failed: %s, %s", __func__, 1493 con->se_id, strerror(errno), 1494 con->se_retry ? "next retry" : "last retry"); 1495 1496 con->se_retrycount++; 1497 1498 if ((errno == ENFILE || errno == EMFILE) && 1499 (con->se_retrycount < con->se_retry)) { 1500 event_del(&rlay->rl_ev); 1501 evtimer_add(&con->se_inflightevt, &evtpause); 1502 evtimer_add(&rlay->rl_evt, &evtpause); 1503 return; 1504 } else if (con->se_retrycount < con->se_retry) 1505 goto retry; 1506 event_add(&rlay->rl_ev, NULL); 1507 relay_abort_http(con, 504, "connect failed", 0); 1508 return; 1509 } 1510 1511 if (rlay->rl_conf.flags & F_TLSINSPECT) 1512 con->se_out.state = STATE_PRECONNECT; 1513 else 1514 con->se_out.state = STATE_CONNECTED; 1515 relay_inflight--; 1516 DPRINTF("%s: inflight decremented, now %d",__func__, relay_inflight); 1517 1518 event_add(&rlay->rl_ev, NULL); 1519 1520 if (errno == EINPROGRESS) 1521 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1522 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1523 con); 1524 else 1525 relay_connected(con->se_out.s, EV_WRITE, con); 1526 1527 return; 1528 } 1529 1530 int 1531 relay_preconnect(struct rsession *con) 1532 { 1533 int rv; 1534 1535 log_debug("%s: session %d: process %d", __func__, 1536 con->se_id, privsep_process); 1537 rv = relay_connect(con); 1538 if (con->se_out.state == STATE_CONNECTED) 1539 con->se_out.state = STATE_PRECONNECT; 1540 return (rv); 1541 } 1542 1543 int 1544 relay_connect(struct rsession *con) 1545 { 1546 struct relay *rlay = con->se_relay; 1547 struct timeval evtpause = { 1, 0 }; 1548 int bnds = -1, ret; 1549 1550 /* relay_connect should only be called once per relay */ 1551 if (con->se_out.state == STATE_CONNECTED) { 1552 log_debug("%s: connect already called once", __func__); 1553 return (0); 1554 } 1555 1556 /* Connection is already established but session not active */ 1557 if ((rlay->rl_conf.flags & F_TLSINSPECT) && 1558 con->se_out.state == STATE_PRECONNECT) { 1559 if (con->se_out.ssl == NULL) { 1560 log_debug("%s: tls connect failed", __func__); 1561 return (-1); 1562 } 1563 relay_connected(con->se_out.s, EV_WRITE, con); 1564 con->se_out.state = STATE_CONNECTED; 1565 return (0); 1566 } 1567 1568 if (relay_inflight < 1) { 1569 log_warnx("relay_connect: no connection in flight"); 1570 relay_inflight = 1; 1571 } 1572 1573 getmonotime(&con->se_tv_start); 1574 1575 if (!TAILQ_EMPTY(&rlay->rl_tables)) { 1576 if (relay_from_table(con) != 0) 1577 return (-1); 1578 } else if (con->se_out.ss.ss_family == AF_UNSPEC) { 1579 bcopy(&rlay->rl_conf.dstss, &con->se_out.ss, 1580 sizeof(con->se_out.ss)); 1581 con->se_out.port = rlay->rl_conf.dstport; 1582 } 1583 1584 if (rlay->rl_conf.fwdmode == FWD_TRANS) { 1585 if (con->se_bnds == -1) { 1586 log_debug("%s: could not bind any sock", __func__); 1587 return (-1); 1588 } 1589 bnds = con->se_bnds; 1590 } 1591 1592 /* Do the IPv4-to-IPv6 or IPv6-to-IPv4 translation if requested */ 1593 if (rlay->rl_conf.dstaf.ss_family != AF_UNSPEC) { 1594 if (con->se_out.ss.ss_family == AF_INET && 1595 rlay->rl_conf.dstaf.ss_family == AF_INET6) 1596 ret = map4to6(&con->se_out.ss, &rlay->rl_conf.dstaf); 1597 else if (con->se_out.ss.ss_family == AF_INET6 && 1598 rlay->rl_conf.dstaf.ss_family == AF_INET) 1599 ret = map6to4(&con->se_out.ss); 1600 else 1601 ret = 0; 1602 if (ret != 0) { 1603 log_debug("%s: mapped to invalid address", __func__); 1604 return (-1); 1605 } 1606 } 1607 1608 retry: 1609 if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, 1610 con->se_out.port, rlay->rl_proto, bnds)) == -1) { 1611 if (errno == ENFILE || errno == EMFILE) { 1612 log_debug("%s: session %d: forward failed: %s", 1613 __func__, con->se_id, strerror(errno)); 1614 evtimer_set(&con->se_inflightevt, relay_connect_retry, 1615 con); 1616 event_del(&rlay->rl_ev); 1617 evtimer_add(&con->se_inflightevt, &evtpause); 1618 evtimer_add(&rlay->rl_evt, &evtpause); 1619 1620 /* this connect is pending */ 1621 con->se_out.state = STATE_PENDING; 1622 return (0); 1623 } else { 1624 if (con->se_retry) { 1625 con->se_retry--; 1626 log_debug("%s: session %d: " 1627 "forward failed: %s, %s", __func__, 1628 con->se_id, strerror(errno), 1629 con->se_retry ? 1630 "next retry" : "last retry"); 1631 goto retry; 1632 } 1633 log_debug("%s: session %d: forward failed: %s", 1634 __func__, con->se_id, strerror(errno)); 1635 return (-1); 1636 } 1637 } 1638 1639 con->se_out.state = STATE_CONNECTED; 1640 relay_inflight--; 1641 DPRINTF("%s: inflight decremented, now %d",__func__, 1642 relay_inflight); 1643 1644 if (errno == EINPROGRESS) 1645 event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT, 1646 relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, 1647 con); 1648 else 1649 relay_connected(con->se_out.s, EV_WRITE, con); 1650 1651 return (0); 1652 } 1653 1654 void 1655 relay_close(struct rsession *con, const char *msg) 1656 { 1657 char ibuf[128], obuf[128], *ptr = NULL; 1658 struct relay *rlay = con->se_relay; 1659 struct protocol *proto = rlay->rl_proto; 1660 1661 SPLAY_REMOVE(session_tree, &rlay->rl_sessions, con); 1662 relay_session_unpublish(con); 1663 1664 event_del(&con->se_ev); 1665 if (con->se_in.bev != NULL) 1666 bufferevent_disable(con->se_in.bev, EV_READ|EV_WRITE); 1667 if (con->se_out.bev != NULL) 1668 bufferevent_disable(con->se_out.bev, EV_READ|EV_WRITE); 1669 1670 if ((env->sc_opts & RELAYD_OPT_LOGUPDATE) && msg != NULL) { 1671 bzero(&ibuf, sizeof(ibuf)); 1672 bzero(&obuf, sizeof(obuf)); 1673 (void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf)); 1674 (void)print_host(&con->se_out.ss, obuf, sizeof(obuf)); 1675 if (EVBUFFER_LENGTH(con->se_log) && 1676 evbuffer_add_printf(con->se_log, "\r\n") != -1) 1677 ptr = evbuffer_readline(con->se_log); 1678 log_info("relay %s, " 1679 "session %d (%d active), %s, %s -> %s:%d, " 1680 "%s%s%s", rlay->rl_conf.name, con->se_id, relay_sessions, 1681 con->se_tag != 0 ? tag_id2name(con->se_tag) : "0", ibuf, 1682 obuf, ntohs(con->se_out.port), msg, ptr == NULL ? "" : ",", 1683 ptr == NULL ? "" : ptr); 1684 free(ptr); 1685 } 1686 1687 if (proto->close != NULL) 1688 (*proto->close)(con); 1689 1690 free(con->se_priv); 1691 if (con->se_in.bev != NULL) 1692 bufferevent_free(con->se_in.bev); 1693 else if (con->se_in.output != NULL) 1694 evbuffer_free(con->se_in.output); 1695 if (con->se_in.ssl != NULL) { 1696 /* XXX handle non-blocking shutdown */ 1697 if (SSL_shutdown(con->se_in.ssl) == 0) 1698 SSL_shutdown(con->se_in.ssl); 1699 SSL_free(con->se_in.ssl); 1700 } 1701 if (con->se_in.tlscert != NULL) 1702 X509_free(con->se_in.tlscert); 1703 if (con->se_in.s != -1) { 1704 close(con->se_in.s); 1705 if (con->se_out.s == -1) { 1706 /* 1707 * the output was never connected, 1708 * thus this was an inflight session. 1709 */ 1710 relay_inflight--; 1711 log_debug("%s: sessions inflight decremented, now %d", 1712 __func__, relay_inflight); 1713 } 1714 } 1715 free(con->se_in.buf); 1716 1717 if (con->se_out.bev != NULL) 1718 bufferevent_free(con->se_out.bev); 1719 else if (con->se_out.output != NULL) 1720 evbuffer_free(con->se_out.output); 1721 if (con->se_out.ssl != NULL) { 1722 /* XXX handle non-blocking shutdown */ 1723 if (SSL_shutdown(con->se_out.ssl) == 0) 1724 SSL_shutdown(con->se_out.ssl); 1725 SSL_free(con->se_out.ssl); 1726 } 1727 if (con->se_out.tlscert != NULL) 1728 X509_free(con->se_out.tlscert); 1729 if (con->se_out.s != -1) { 1730 close(con->se_out.s); 1731 1732 /* Some file descriptors are available again. */ 1733 if (evtimer_pending(&rlay->rl_evt, NULL)) { 1734 evtimer_del(&rlay->rl_evt); 1735 event_add(&rlay->rl_ev, NULL); 1736 } 1737 } 1738 con->se_out.state = STATE_INIT; 1739 1740 free(con->se_out.buf); 1741 1742 if (con->se_log != NULL) 1743 evbuffer_free(con->se_log); 1744 1745 if (con->se_cnl != NULL) { 1746 #if 0 1747 proc_compose_imsg(env->sc_ps, PROC_PFE, -1, IMSG_KILLSTATES, -1, 1748 cnl, sizeof(*cnl)); 1749 #endif 1750 free(con->se_cnl); 1751 } 1752 1753 free(con); 1754 relay_sessions--; 1755 } 1756 1757 int 1758 relay_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 1759 { 1760 struct relay *rlay; 1761 struct rsession *con, se; 1762 struct ctl_natlook cnl; 1763 struct timeval tv; 1764 struct host *host; 1765 struct table *table; 1766 struct ctl_status st; 1767 objid_t id; 1768 int cid; 1769 1770 switch (imsg->hdr.type) { 1771 case IMSG_HOST_DISABLE: 1772 memcpy(&id, imsg->data, sizeof(id)); 1773 if ((host = host_find(env, id)) == NULL) 1774 fatalx("relay_dispatch_pfe: desynchronized"); 1775 if ((table = table_find(env, host->conf.tableid)) == 1776 NULL) 1777 fatalx("relay_dispatch_pfe: invalid table id"); 1778 if (host->up == HOST_UP) 1779 table->up--; 1780 host->flags |= F_DISABLE; 1781 host->up = HOST_UNKNOWN; 1782 break; 1783 case IMSG_HOST_ENABLE: 1784 memcpy(&id, imsg->data, sizeof(id)); 1785 if ((host = host_find(env, id)) == NULL) 1786 fatalx("relay_dispatch_pfe: desynchronized"); 1787 host->flags &= ~(F_DISABLE); 1788 host->up = HOST_UNKNOWN; 1789 break; 1790 case IMSG_TABLE_DISABLE: 1791 memcpy(&id, imsg->data, sizeof(id)); 1792 if ((table = table_find(env, id)) == NULL) 1793 fatalx("relay_dispatch_pfe: desynchronized"); 1794 table->conf.flags |= F_DISABLE; 1795 table->up = 0; 1796 TAILQ_FOREACH(host, &table->hosts, entry) 1797 host->up = HOST_UNKNOWN; 1798 break; 1799 case IMSG_TABLE_ENABLE: 1800 memcpy(&id, imsg->data, sizeof(id)); 1801 if ((table = table_find(env, id)) == NULL) 1802 fatalx("relay_dispatch_pfe: desynchronized"); 1803 table->conf.flags &= ~(F_DISABLE); 1804 table->up = 0; 1805 TAILQ_FOREACH(host, &table->hosts, entry) 1806 host->up = HOST_UNKNOWN; 1807 break; 1808 case IMSG_HOST_STATUS: 1809 IMSG_SIZE_CHECK(imsg, &st); 1810 memcpy(&st, imsg->data, sizeof(st)); 1811 if ((host = host_find(env, st.id)) == NULL) 1812 fatalx("relay_dispatch_pfe: invalid host id"); 1813 if (host->flags & F_DISABLE) 1814 break; 1815 if (host->up == st.up) { 1816 log_debug("%s: host %d => %d", __func__, 1817 host->conf.id, host->up); 1818 fatalx("relay_dispatch_pfe: desynchronized"); 1819 } 1820 1821 if ((table = table_find(env, host->conf.tableid)) 1822 == NULL) 1823 fatalx("relay_dispatch_pfe: invalid table id"); 1824 1825 DPRINTF("%s: [%d] state %d for " 1826 "host %u %s", __func__, proc_id, st.up, 1827 host->conf.id, host->conf.name); 1828 1829 if ((st.up == HOST_UNKNOWN && host->up == HOST_DOWN) || 1830 (st.up == HOST_DOWN && host->up == HOST_UNKNOWN)) { 1831 host->up = st.up; 1832 break; 1833 } 1834 if (st.up == HOST_UP) 1835 table->up++; 1836 else 1837 table->up--; 1838 host->up = st.up; 1839 break; 1840 case IMSG_NATLOOK: 1841 bcopy(imsg->data, &cnl, sizeof(cnl)); 1842 if ((con = session_find(env, cnl.id)) == NULL || 1843 con->se_cnl == NULL) { 1844 log_debug("%s: session %d: expired", 1845 __func__, cnl.id); 1846 break; 1847 } 1848 bcopy(&cnl, con->se_cnl, sizeof(*con->se_cnl)); 1849 evtimer_del(&con->se_ev); 1850 evtimer_set(&con->se_ev, relay_natlook, con); 1851 bzero(&tv, sizeof(tv)); 1852 evtimer_add(&con->se_ev, &tv); 1853 break; 1854 case IMSG_CTL_SESSION: 1855 IMSG_SIZE_CHECK(imsg, &cid); 1856 memcpy(&cid, imsg->data, sizeof(cid)); 1857 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 1858 SPLAY_FOREACH(con, session_tree, 1859 &rlay->rl_sessions) { 1860 memcpy(&se, con, sizeof(se)); 1861 se.se_cid = cid; 1862 proc_compose(env->sc_ps, p->p_id, 1863 IMSG_CTL_SESSION, &se, sizeof(se)); 1864 } 1865 } 1866 proc_compose(env->sc_ps, p->p_id, IMSG_CTL_END, 1867 &cid, sizeof(cid)); 1868 break; 1869 default: 1870 return (-1); 1871 } 1872 1873 return (0); 1874 } 1875 1876 int 1877 relay_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 1878 { 1879 return (-1); 1880 } 1881 1882 int 1883 relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1884 { 1885 struct rsession *con; 1886 struct timeval tv; 1887 objid_t id; 1888 1889 switch (imsg->hdr.type) { 1890 case IMSG_BINDANY: 1891 bcopy(imsg->data, &id, sizeof(id)); 1892 if ((con = session_find(env, id)) == NULL) { 1893 log_debug("%s: session %d: expired", 1894 __func__, id); 1895 break; 1896 } 1897 1898 /* Will validate the result later */ 1899 con->se_bnds = imsg->fd; 1900 1901 evtimer_del(&con->se_ev); 1902 evtimer_set(&con->se_ev, relay_bindany, con); 1903 bzero(&tv, sizeof(tv)); 1904 evtimer_add(&con->se_ev, &tv); 1905 break; 1906 case IMSG_CFG_TABLE: 1907 config_gettable(env, imsg); 1908 break; 1909 case IMSG_CFG_HOST: 1910 config_gethost(env, imsg); 1911 break; 1912 case IMSG_CFG_PROTO: 1913 config_getproto(env, imsg); 1914 break; 1915 case IMSG_CFG_RULE: 1916 config_getrule(env, imsg); 1917 break; 1918 case IMSG_CFG_RELAY: 1919 config_getrelay(env, imsg); 1920 break; 1921 case IMSG_CFG_RELAY_TABLE: 1922 config_getrelaytable(env, imsg); 1923 break; 1924 case IMSG_CFG_DONE: 1925 config_getcfg(env, imsg); 1926 break; 1927 case IMSG_CTL_START: 1928 relay_launch(); 1929 break; 1930 case IMSG_CTL_RESET: 1931 config_getreset(env, imsg); 1932 break; 1933 case IMSG_TLSTICKET_REKEY: 1934 IMSG_SIZE_CHECK(imsg, (&env->sc_tls_ticket)); 1935 /* rotate keys */ 1936 memcpy(&env->sc_tls_ticket_bak, &env->sc_tls_ticket, 1937 sizeof(env->sc_tls_ticket)); 1938 env->sc_tls_ticket_bak.tt_backup = 1; 1939 memcpy(&env->sc_tls_ticket, imsg->data, 1940 sizeof(env->sc_tls_ticket)); 1941 break; 1942 default: 1943 return (-1); 1944 } 1945 1946 return (0); 1947 } 1948 1949 void 1950 relay_tls_callback_info(const SSL *ssl, int where, int rc) 1951 { 1952 struct ctl_relay_event *cre; 1953 int tls_state; 1954 1955 cre = (struct ctl_relay_event *)SSL_get_app_data(ssl); 1956 1957 if (cre == NULL || cre->tlsreneg_state == TLSRENEG_ALLOW) 1958 return; 1959 1960 tls_state = SSL_get_state(ssl); 1961 1962 /* Check renegotiations */ 1963 if ((where & SSL_CB_ACCEPT_LOOP) && 1964 (cre->tlsreneg_state == TLSRENEG_DENY)) { 1965 if ((tls_state == SSL3_ST_SR_CLNT_HELLO_A) || 1966 (tls_state == SSL23_ST_SR_CLNT_HELLO_A)) { 1967 /* 1968 * This is a client initiated renegotiation 1969 * that we do not allow 1970 */ 1971 cre->tlsreneg_state = TLSRENEG_ABORT; 1972 } 1973 } else if ((where & SSL_CB_HANDSHAKE_DONE) && 1974 (cre->tlsreneg_state == TLSRENEG_INIT)) { 1975 /* 1976 * This is right after the first handshake, 1977 * disallow any further negotiations. 1978 */ 1979 cre->tlsreneg_state = TLSRENEG_DENY; 1980 } 1981 } 1982 1983 DH * 1984 relay_tls_get_dhparams(int keylen) 1985 { 1986 DH *dh; 1987 BIGNUM *(*prime)(BIGNUM *); 1988 const char *gen; 1989 1990 gen = "2"; 1991 if (keylen >= 8192) 1992 prime = get_rfc3526_prime_8192; 1993 else if (keylen >= 4096) 1994 prime = get_rfc3526_prime_4096; 1995 else if (keylen >= 3072) 1996 prime = get_rfc3526_prime_3072; 1997 else if (keylen >= 2048) 1998 prime = get_rfc3526_prime_2048; 1999 else if (keylen >= 1536) 2000 prime = get_rfc3526_prime_1536; 2001 else 2002 prime = get_rfc2409_prime_1024; 2003 2004 if ((dh = DH_new()) == NULL) 2005 return (NULL); 2006 2007 dh->p = (*prime)(NULL); 2008 BN_dec2bn(&dh->g, gen); 2009 2010 if (dh->p == NULL || dh->g == NULL) { 2011 DH_free(dh); 2012 return (NULL); 2013 } 2014 2015 return (dh); 2016 } 2017 2018 DH * 2019 relay_tls_callback_dh(SSL *ssl, int export, int keylen) 2020 { 2021 struct ctl_relay_event *cre; 2022 EVP_PKEY *pkey; 2023 int keytype, maxlen; 2024 DH *dh = NULL; 2025 2026 /* Get maximum key length from config */ 2027 if ((cre = (struct ctl_relay_event *)SSL_get_app_data(ssl)) == NULL) 2028 return (NULL); 2029 maxlen = cre->con->se_relay->rl_proto->tlsdhparams; 2030 2031 /* Get the private key length from the cert */ 2032 if ((pkey = SSL_get_privatekey(ssl))) { 2033 keytype = EVP_PKEY_type(pkey->type); 2034 if (keytype == EVP_PKEY_RSA || keytype == EVP_PKEY_DSA) 2035 keylen = EVP_PKEY_bits(pkey); 2036 else 2037 return (NULL); 2038 } 2039 2040 /* get built-in params based on the shorter key length */ 2041 dh = relay_tls_get_dhparams(MINIMUM(keylen, maxlen)); 2042 2043 return (dh); 2044 } 2045 2046 int 2047 relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 2048 { 2049 switch (imsg->hdr.type) { 2050 default: 2051 break; 2052 } 2053 2054 return (-1); 2055 } 2056 2057 SSL_CTX * 2058 relay_tls_ctx_create(struct relay *rlay) 2059 { 2060 struct protocol *proto = rlay->rl_proto; 2061 SSL_CTX *ctx; 2062 EC_KEY *ecdhkey; 2063 2064 ctx = SSL_CTX_new(SSLv23_method()); 2065 if (ctx == NULL) 2066 goto err; 2067 2068 /* 2069 * Disable the session cache by default. 2070 * Everything modern uses tickets 2071 */ 2072 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 2073 2074 2075 /* Set callback for TLS session tickets if enabled */ 2076 if (proto->tickets == -1) 2077 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); 2078 else { 2079 if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, 2080 relay_tls_session_ticket)) 2081 log_warnx("could not set the TLS ticket callback"); 2082 /* set timeout to the ticket rekey time */ 2083 SSL_CTX_set_timeout(ctx, TLS_TICKET_REKEY_TIME); 2084 } 2085 2086 /* Enable all workarounds and set SSL options */ 2087 SSL_CTX_set_options(ctx, SSL_OP_ALL); 2088 SSL_CTX_set_options(ctx, 2089 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); 2090 if (proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF) 2091 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 2092 2093 /* Set the allowed SSL protocols */ 2094 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); 2095 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); 2096 if ((proto->tlsflags & TLSFLAG_SSLV3) == 0) 2097 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); 2098 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); 2099 if ((proto->tlsflags & TLSFLAG_TLSV1_0) == 0) 2100 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); 2101 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); 2102 if ((proto->tlsflags & TLSFLAG_TLSV1_1) == 0) 2103 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); 2104 SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); 2105 if ((proto->tlsflags & TLSFLAG_TLSV1_2) == 0) 2106 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); 2107 2108 /* add the SSL info callback */ 2109 SSL_CTX_set_info_callback(ctx, relay_tls_callback_info); 2110 2111 if (proto->tlsecdhcurve > 0) { 2112 /* Enable ECDHE support for TLS perfect forward secrecy */ 2113 if ((ecdhkey = 2114 EC_KEY_new_by_curve_name(proto->tlsecdhcurve)) == NULL) 2115 goto err; 2116 SSL_CTX_set_tmp_ecdh(ctx, ecdhkey); 2117 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); 2118 EC_KEY_free(ecdhkey); 2119 } 2120 2121 if (proto->tlsdhparams > 0) { 2122 /* Enable EDH params (forward secrecy for older clients) */ 2123 SSL_CTX_set_tmp_dh_callback(ctx, relay_tls_callback_dh); 2124 } 2125 2126 if (!SSL_CTX_set_cipher_list(ctx, proto->tlsciphers)) 2127 goto err; 2128 2129 /* Verify the server certificate if we have a CA chain */ 2130 if ((rlay->rl_conf.flags & F_TLSCLIENT) && 2131 (rlay->rl_tls_ca != NULL)) { 2132 if (!SSL_CTX_load_verify_mem(ctx, 2133 rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)) 2134 goto err; 2135 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 2136 } 2137 2138 if ((rlay->rl_conf.flags & F_TLS) == 0) 2139 return (ctx); 2140 2141 log_debug("%s: loading certificate", __func__); 2142 if (!SSL_CTX_use_certificate_chain_mem(ctx, 2143 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len)) 2144 goto err; 2145 2146 log_debug("%s: loading private key", __func__); 2147 if (!ssl_ctx_fake_private_key(ctx, 2148 &rlay->rl_conf.tls_keyid, sizeof(rlay->rl_conf.tls_keyid), 2149 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len, 2150 &rlay->rl_tls_x509, &rlay->rl_tls_pkey)) 2151 goto err; 2152 2153 if (!SSL_CTX_check_private_key(ctx)) 2154 goto err; 2155 2156 if (rlay->rl_conf.tls_cacert_len) { 2157 log_debug("%s: loading CA private key", __func__); 2158 if (!ssl_load_pkey(&rlay->rl_conf.tls_cakeyid, 2159 sizeof(rlay->rl_conf.tls_cakeyid), 2160 rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len, 2161 &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey)) 2162 goto err; 2163 } 2164 2165 /* 2166 * Set session ID context to a random value. It needs to be the 2167 * same accross all relay processes or session caching will fail. 2168 */ 2169 if (!SSL_CTX_set_session_id_context(ctx, env->sc_tls_sid, 2170 sizeof(env->sc_tls_sid))) 2171 goto err; 2172 2173 /* The text versions of the keys/certs are not needed anymore */ 2174 purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); 2175 purge_key(&rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len); 2176 2177 return (ctx); 2178 2179 err: 2180 SSL_CTX_free(ctx); 2181 ssl_error(rlay->rl_conf.name, "relay_tls_ctx_create"); 2182 return (NULL); 2183 } 2184 2185 void 2186 relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre) 2187 { 2188 struct relay *rlay = con->se_relay; 2189 struct protocol *proto = rlay->rl_proto; 2190 SSL *ssl; 2191 const SSL_METHOD *method; 2192 void (*cb)(int, short, void *); 2193 u_int flag; 2194 2195 ssl = SSL_new(rlay->rl_ssl_ctx); 2196 if (ssl == NULL) 2197 goto err; 2198 2199 if (cre->dir == RELAY_DIR_REQUEST) { 2200 cb = relay_tls_accept; 2201 method = SSLv23_server_method(); 2202 flag = EV_READ; 2203 2204 /* Use session-specific certificate for TLS inspection. */ 2205 if (cre->tlscert != NULL) 2206 SSL_use_certificate(ssl, cre->tlscert); 2207 } else { 2208 cb = relay_tls_connect; 2209 method = SSLv23_client_method(); 2210 flag = EV_WRITE; 2211 } 2212 2213 if (!SSL_set_ssl_method(ssl, method)) 2214 goto err; 2215 if (!SSL_set_fd(ssl, cre->s)) 2216 goto err; 2217 2218 if (cre->dir == RELAY_DIR_REQUEST) { 2219 if ((proto->tlsflags & TLSFLAG_CLIENT_RENEG) == 0) 2220 /* Only allow negotiation during the first handshake */ 2221 cre->tlsreneg_state = TLSRENEG_INIT; 2222 else 2223 /* Allow client initiated renegotiations */ 2224 cre->tlsreneg_state = TLSRENEG_ALLOW; 2225 SSL_set_accept_state(ssl); 2226 } else { 2227 /* Always allow renegotiations if we're the client */ 2228 cre->tlsreneg_state = TLSRENEG_ALLOW; 2229 SSL_set_connect_state(ssl); 2230 } 2231 2232 SSL_set_app_data(ssl, cre); 2233 cre->ssl = ssl; 2234 2235 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2236 (flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2237 event_again(&con->se_ev, cre->s, EV_TIMEOUT|flag, cb, 2238 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2239 return; 2240 2241 err: 2242 SSL_free(ssl); 2243 ssl_error(rlay->rl_conf.name, "relay_tls_transaction"); 2244 relay_close(con, "session tls failed"); 2245 } 2246 2247 void 2248 relay_tls_accept(int fd, short event, void *arg) 2249 { 2250 struct rsession *con = arg; 2251 struct relay *rlay = con->se_relay; 2252 int retry_flag = 0; 2253 int tls_err = 0; 2254 int ret; 2255 2256 if (event == EV_TIMEOUT) { 2257 relay_close(con, "TLS accept timeout"); 2258 return; 2259 } 2260 2261 ret = SSL_accept(con->se_in.ssl); 2262 if (ret <= 0) { 2263 tls_err = SSL_get_error(con->se_in.ssl, ret); 2264 2265 switch (tls_err) { 2266 case SSL_ERROR_WANT_READ: 2267 retry_flag = EV_READ; 2268 goto retry; 2269 case SSL_ERROR_WANT_WRITE: 2270 retry_flag = EV_WRITE; 2271 goto retry; 2272 case SSL_ERROR_ZERO_RETURN: 2273 case SSL_ERROR_SYSCALL: 2274 if (ret == 0) { 2275 relay_close(con, "closed"); 2276 return; 2277 } 2278 /* FALLTHROUGH */ 2279 default: 2280 ssl_error(rlay->rl_conf.name, "relay_tls_accept"); 2281 relay_close(con, "TLS accept error"); 2282 return; 2283 } 2284 } 2285 2286 2287 #ifdef DEBUG 2288 log_info( 2289 #else 2290 log_debug( 2291 #endif 2292 "relay %s, session %d established (%d active)", 2293 rlay->rl_conf.name, con->se_id, relay_sessions); 2294 2295 relay_session(con); 2296 return; 2297 2298 retry: 2299 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2300 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2301 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_accept, 2302 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2303 } 2304 2305 void 2306 relay_tls_connect(int fd, short event, void *arg) 2307 { 2308 struct rsession *con = arg; 2309 struct relay *rlay = con->se_relay; 2310 int retry_flag = 0; 2311 int tls_err = 0; 2312 int ret; 2313 X509 *servercert = NULL; 2314 2315 if (event == EV_TIMEOUT) { 2316 relay_close(con, "TLS connect timeout"); 2317 return; 2318 } 2319 2320 ret = SSL_connect(con->se_out.ssl); 2321 if (ret <= 0) { 2322 tls_err = SSL_get_error(con->se_out.ssl, ret); 2323 2324 switch (tls_err) { 2325 case SSL_ERROR_WANT_READ: 2326 retry_flag = EV_READ; 2327 goto retry; 2328 case SSL_ERROR_WANT_WRITE: 2329 retry_flag = EV_WRITE; 2330 goto retry; 2331 case SSL_ERROR_ZERO_RETURN: 2332 case SSL_ERROR_SYSCALL: 2333 if (ret == 0) { 2334 relay_close(con, "closed"); 2335 return; 2336 } 2337 /* FALLTHROUGH */ 2338 default: 2339 ssl_error(rlay->rl_conf.name, "relay_tls_connect"); 2340 relay_close(con, "TLS connect error"); 2341 return; 2342 } 2343 } 2344 2345 #ifdef DEBUG 2346 log_info( 2347 #else 2348 log_debug( 2349 #endif 2350 "relay %s, tls session %d connected (%d active)", 2351 rlay->rl_conf.name, con->se_id, relay_sessions); 2352 2353 if (rlay->rl_conf.flags & F_TLSINSPECT) { 2354 if ((servercert = 2355 SSL_get_peer_certificate(con->se_out.ssl)) != NULL) { 2356 con->se_in.tlscert = 2357 ssl_update_certificate(servercert, 2358 rlay->rl_tls_pkey, rlay->rl_tls_capkey, 2359 rlay->rl_tls_cacertx509); 2360 } else 2361 con->se_in.tlscert = NULL; 2362 if (servercert != NULL) 2363 X509_free(servercert); 2364 if (con->se_in.tlscert == NULL) 2365 relay_close(con, "could not create certificate"); 2366 else 2367 relay_session(con); 2368 return; 2369 } 2370 2371 relay_connected(fd, EV_WRITE, con); 2372 return; 2373 2374 retry: 2375 DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, 2376 (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); 2377 event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_connect, 2378 &con->se_tv_start, &rlay->rl_conf.timeout, con); 2379 } 2380 2381 void 2382 relay_tls_connected(struct ctl_relay_event *cre) 2383 { 2384 /* 2385 * Hack libevent - we overwrite the internal bufferevent I/O 2386 * functions to handle the TLS abstraction. 2387 */ 2388 event_set(&cre->bev->ev_read, cre->s, EV_READ, 2389 relay_tls_readcb, cre->bev); 2390 event_set(&cre->bev->ev_write, cre->s, EV_WRITE, 2391 relay_tls_writecb, cre->bev); 2392 } 2393 2394 void 2395 relay_tls_readcb(int fd, short event, void *arg) 2396 { 2397 char rbuf[IBUF_READ_SIZE]; 2398 struct bufferevent *bufev = arg; 2399 struct ctl_relay_event *cre = bufev->cbarg; 2400 struct rsession *con = cre->con; 2401 struct relay *rlay = con->se_relay; 2402 int ret = 0, tls_err = 0; 2403 short what = EVBUFFER_READ; 2404 int howmuch = IBUF_READ_SIZE; 2405 size_t len; 2406 2407 if (event == EV_TIMEOUT) { 2408 what |= EVBUFFER_TIMEOUT; 2409 goto err; 2410 } 2411 2412 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2413 what |= EVBUFFER_ERROR; 2414 goto err; 2415 } 2416 2417 if (bufev->wm_read.high != 0) 2418 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 2419 2420 ret = SSL_read(cre->ssl, rbuf, howmuch); 2421 if (ret <= 0) { 2422 tls_err = SSL_get_error(cre->ssl, ret); 2423 2424 switch (tls_err) { 2425 case SSL_ERROR_WANT_READ: 2426 DPRINTF("%s: session %d: want read", 2427 __func__, con->se_id); 2428 goto retry; 2429 case SSL_ERROR_WANT_WRITE: 2430 DPRINTF("%s: session %d: want write", 2431 __func__, con->se_id); 2432 goto retry; 2433 default: 2434 if (ret == 0) 2435 what |= EVBUFFER_EOF; 2436 else { 2437 ssl_error(rlay->rl_conf.name, 2438 "relay_tls_readcb"); 2439 what |= EVBUFFER_ERROR; 2440 } 2441 goto err; 2442 } 2443 } 2444 2445 if (evbuffer_add(bufev->input, rbuf, ret) == -1) { 2446 what |= EVBUFFER_ERROR; 2447 goto err; 2448 } 2449 2450 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2451 2452 len = EVBUFFER_LENGTH(bufev->input); 2453 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 2454 return; 2455 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 2456 struct evbuffer *buf = bufev->input; 2457 event_del(&bufev->ev_read); 2458 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 2459 return; 2460 } 2461 2462 if (bufev->readcb != NULL) 2463 (*bufev->readcb)(bufev, bufev->cbarg); 2464 return; 2465 2466 retry: 2467 relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 2468 return; 2469 2470 err: 2471 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2472 } 2473 2474 void 2475 relay_tls_writecb(int fd, short event, void *arg) 2476 { 2477 struct bufferevent *bufev = arg; 2478 struct ctl_relay_event *cre = bufev->cbarg; 2479 struct rsession *con = cre->con; 2480 struct relay *rlay = con->se_relay; 2481 int ret = 0, tls_err; 2482 short what = EVBUFFER_WRITE; 2483 2484 if (event == EV_TIMEOUT) { 2485 what |= EVBUFFER_TIMEOUT; 2486 goto err; 2487 } 2488 2489 if (cre->tlsreneg_state == TLSRENEG_ABORT) { 2490 what |= EVBUFFER_ERROR; 2491 goto err; 2492 } 2493 2494 if (EVBUFFER_LENGTH(bufev->output)) { 2495 if (cre->buf == NULL) { 2496 cre->buflen = EVBUFFER_LENGTH(bufev->output); 2497 if ((cre->buf = malloc(cre->buflen)) == NULL) { 2498 what |= EVBUFFER_ERROR; 2499 goto err; 2500 } 2501 bcopy(EVBUFFER_DATA(bufev->output), 2502 cre->buf, cre->buflen); 2503 } 2504 2505 ret = SSL_write(cre->ssl, cre->buf, cre->buflen); 2506 if (ret <= 0) { 2507 tls_err = SSL_get_error(cre->ssl, ret); 2508 2509 switch (tls_err) { 2510 case SSL_ERROR_WANT_READ: 2511 DPRINTF("%s: session %d: want read", 2512 __func__, con->se_id); 2513 goto retry; 2514 case SSL_ERROR_WANT_WRITE: 2515 DPRINTF("%s: session %d: want write", 2516 __func__, con->se_id); 2517 goto retry; 2518 default: 2519 if (ret == 0) 2520 what |= EVBUFFER_EOF; 2521 else { 2522 ssl_error(rlay->rl_conf.name, 2523 "relay_tls_writecb"); 2524 what |= EVBUFFER_ERROR; 2525 } 2526 goto err; 2527 } 2528 } 2529 evbuffer_drain(bufev->output, ret); 2530 } 2531 if (cre->buf != NULL) { 2532 free(cre->buf); 2533 cre->buf = NULL; 2534 cre->buflen = 0; 2535 } 2536 2537 if (EVBUFFER_LENGTH(bufev->output) != 0) 2538 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2539 2540 if (bufev->writecb != NULL && 2541 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 2542 (*bufev->writecb)(bufev, bufev->cbarg); 2543 return; 2544 2545 retry: 2546 if (cre->buflen != 0) 2547 relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 2548 return; 2549 2550 err: 2551 if (cre->buf != NULL) { 2552 free(cre->buf); 2553 cre->buf = NULL; 2554 cre->buflen = 0; 2555 } 2556 (*bufev->errorcb)(bufev, what, bufev->cbarg); 2557 } 2558 2559 struct tls_ticket * 2560 relay_get_ticket_key(unsigned char keyname[16]) 2561 { 2562 if (keyname) { 2563 if (timingsafe_memcmp(keyname, 2564 env->sc_tls_ticket_bak.tt_key_name, sizeof(keyname)) == 0) 2565 return &env->sc_tls_ticket_bak; 2566 if (timingsafe_memcmp(keyname, 2567 env->sc_tls_ticket.tt_key_name, sizeof(keyname)) == 0) 2568 return &env->sc_tls_ticket; 2569 return NULL; 2570 } 2571 return &env->sc_tls_ticket; 2572 } 2573 2574 int 2575 relay_tls_session_ticket(SSL *ssl, unsigned char keyname[16], unsigned char *iv, 2576 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int mode) 2577 { 2578 struct tls_ticket *key; 2579 2580 if (mode == 1) { 2581 /* create new session */ 2582 key = relay_get_ticket_key(NULL); 2583 memcpy(keyname, key->tt_key_name, 16); 2584 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 2585 EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, 2586 key->tt_aes_key, iv); 2587 HMAC_Init_ex(hctx, key->tt_hmac_key, 16, EVP_sha256(), NULL); 2588 return 0; 2589 } else { 2590 /* get key by name */ 2591 key = relay_get_ticket_key(keyname); 2592 if (!key) 2593 return 0; 2594 2595 EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, 2596 key->tt_aes_key, iv); 2597 HMAC_Init_ex(hctx, key->tt_hmac_key, 16, EVP_sha256(), NULL); 2598 2599 /* time to renew the ticket? */ 2600 if (key->tt_backup) { 2601 return 2; 2602 } 2603 return 1; 2604 } 2605 } 2606 2607 int 2608 relay_bufferevent_add(struct event *ev, int timeout) 2609 { 2610 struct timeval tv, *ptv = NULL; 2611 2612 if (timeout) { 2613 timerclear(&tv); 2614 tv.tv_sec = timeout; 2615 ptv = &tv; 2616 } 2617 2618 return (event_add(ev, ptv)); 2619 } 2620 2621 #ifdef notyet 2622 int 2623 relay_bufferevent_printf(struct ctl_relay_event *cre, const char *fmt, ...) 2624 { 2625 int ret; 2626 va_list ap; 2627 2628 va_start(ap, fmt); 2629 ret = evbuffer_add_vprintf(cre->output, fmt, ap); 2630 va_end(ap); 2631 2632 if (cre->bev != NULL && 2633 ret != -1 && EVBUFFER_LENGTH(cre->output) > 0 && 2634 (cre->bev->enabled & EV_WRITE)) 2635 bufferevent_enable(cre->bev, EV_WRITE); 2636 2637 return (ret); 2638 } 2639 #endif 2640 2641 int 2642 relay_bufferevent_print(struct ctl_relay_event *cre, const char *str) 2643 { 2644 if (cre->bev == NULL) 2645 return (evbuffer_add(cre->output, str, strlen(str))); 2646 return (bufferevent_write(cre->bev, str, strlen(str))); 2647 } 2648 2649 int 2650 relay_bufferevent_write_buffer(struct ctl_relay_event *cre, 2651 struct evbuffer *buf) 2652 { 2653 if (cre->bev == NULL) 2654 return (evbuffer_add_buffer(cre->output, buf)); 2655 return (bufferevent_write_buffer(cre->bev, buf)); 2656 } 2657 2658 int 2659 relay_bufferevent_write_chunk(struct ctl_relay_event *cre, 2660 struct evbuffer *buf, size_t size) 2661 { 2662 int ret; 2663 ret = relay_bufferevent_write(cre, buf->buffer, size); 2664 if (ret != -1) 2665 evbuffer_drain(buf, size); 2666 return (ret); 2667 } 2668 2669 int 2670 relay_bufferevent_write(struct ctl_relay_event *cre, void *data, size_t size) 2671 { 2672 if (cre->bev == NULL) 2673 return (evbuffer_add(cre->output, data, size)); 2674 return (bufferevent_write(cre->bev, data, size)); 2675 } 2676 2677 int 2678 relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b) 2679 { 2680 int ret = -1; 2681 struct sockaddr_in ia, ib; 2682 struct sockaddr_in6 ia6, ib6; 2683 2684 switch (a->ss_family) { 2685 case AF_INET: 2686 bcopy(a, &ia, sizeof(struct sockaddr_in)); 2687 bcopy(b, &ib, sizeof(struct sockaddr_in)); 2688 2689 ret = memcmp(&ia.sin_addr, &ib.sin_addr, 2690 sizeof(ia.sin_addr)); 2691 if (ret == 0) 2692 ret = memcmp(&ia.sin_port, &ib.sin_port, 2693 sizeof(ia.sin_port)); 2694 break; 2695 case AF_INET6: 2696 bcopy(a, &ia6, sizeof(struct sockaddr_in6)); 2697 bcopy(b, &ib6, sizeof(struct sockaddr_in6)); 2698 2699 ret = memcmp(&ia6.sin6_addr, &ib6.sin6_addr, 2700 sizeof(ia6.sin6_addr)); 2701 if (ret == 0) 2702 ret = memcmp(&ia6.sin6_port, &ib6.sin6_port, 2703 sizeof(ia6.sin6_port)); 2704 break; 2705 default: 2706 break; 2707 } 2708 2709 return (ret); 2710 } 2711 2712 char * 2713 relay_load_file(const char *name, off_t *len) 2714 { 2715 struct stat st; 2716 off_t size; 2717 u_int8_t *buf = NULL; 2718 int fd; 2719 2720 if ((fd = open(name, O_RDONLY)) == -1) 2721 return (NULL); 2722 if (fstat(fd, &st) != 0) 2723 goto fail; 2724 size = st.st_size; 2725 if ((buf = calloc(1, size + 1)) == NULL) 2726 goto fail; 2727 if (read(fd, buf, size) != size) 2728 goto fail; 2729 2730 close(fd); 2731 2732 *len = size; 2733 return (buf); 2734 2735 fail: 2736 free(buf); 2737 close(fd); 2738 return (NULL); 2739 } 2740 2741 int 2742 relay_load_certfiles(struct relay *rlay) 2743 { 2744 char certfile[PATH_MAX]; 2745 char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")]; 2746 struct protocol *proto = rlay->rl_proto; 2747 int useport = htons(rlay->rl_conf.port); 2748 2749 if (rlay->rl_conf.flags & F_TLSCLIENT) { 2750 if (strlen(proto->tlsca)) { 2751 if ((rlay->rl_tls_ca = 2752 relay_load_file(proto->tlsca, 2753 &rlay->rl_conf.tls_ca_len)) == NULL) 2754 return (-1); 2755 log_debug("%s: using ca %s", __func__, proto->tlsca); 2756 } 2757 if (strlen(proto->tlscacert)) { 2758 if ((rlay->rl_tls_cacert = 2759 relay_load_file(proto->tlscacert, 2760 &rlay->rl_conf.tls_cacert_len)) == NULL) 2761 return (-1); 2762 log_debug("%s: using ca certificate %s", __func__, 2763 proto->tlscacert); 2764 } 2765 if (strlen(proto->tlscakey) && proto->tlscapass != NULL) { 2766 if ((rlay->rl_tls_cakey = 2767 ssl_load_key(env, proto->tlscakey, 2768 &rlay->rl_conf.tls_cakey_len, 2769 proto->tlscapass)) == NULL) 2770 return (-1); 2771 log_debug("%s: using ca key %s", __func__, 2772 proto->tlscakey); 2773 } 2774 } 2775 2776 if ((rlay->rl_conf.flags & F_TLS) == 0) 2777 return (0); 2778 2779 if (print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 2780 return (-1); 2781 2782 if (snprintf(certfile, sizeof(certfile), 2783 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 2784 return (-1); 2785 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2786 &rlay->rl_conf.tls_cert_len)) == NULL) { 2787 if (snprintf(certfile, sizeof(certfile), 2788 "/etc/ssl/%s.crt", hbuf) == -1) 2789 return (-1); 2790 if ((rlay->rl_tls_cert = relay_load_file(certfile, 2791 &rlay->rl_conf.tls_cert_len)) == NULL) 2792 return (-1); 2793 useport = 0; 2794 } 2795 log_debug("%s: using certificate %s", __func__, certfile); 2796 2797 if (useport) { 2798 if (snprintf(certfile, sizeof(certfile), 2799 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 2800 return -1; 2801 } else { 2802 if (snprintf(certfile, sizeof(certfile), 2803 "/etc/ssl/private/%s.key", hbuf) == -1) 2804 return -1; 2805 } 2806 if ((rlay->rl_tls_key = ssl_load_key(env, certfile, 2807 &rlay->rl_conf.tls_key_len, NULL)) == NULL) 2808 return (-1); 2809 log_debug("%s: using private key %s", __func__, certfile); 2810 2811 return (0); 2812 } 2813 2814 int 2815 relay_session_cmp(struct rsession *a, struct rsession *b) 2816 { 2817 struct relay *rlay = b->se_relay; 2818 struct protocol *proto = rlay->rl_proto; 2819 2820 if (proto != NULL && proto->cmp != NULL) 2821 return ((*proto->cmp)(a, b)); 2822 2823 return ((int)a->se_id - b->se_id); 2824 } 2825 2826 void 2827 relay_log(struct rsession *con, char *msg) 2828 { 2829 if (con->se_haslog && con->se_log != NULL) { 2830 evbuffer_add(con->se_log, msg, strlen(msg)); 2831 } 2832 } 2833 2834 SPLAY_GENERATE(session_tree, rsession, se_nodes, relay_session_cmp); 2835