1 /* $OpenBSD: relayd.c,v 1.182 2019/09/15 19:23:29 rob Exp $ */ 2 3 /* 4 * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/socket.h> 23 #include <sys/stat.h> 24 #include <sys/wait.h> 25 #include <sys/resource.h> 26 27 #include <netinet/in.h> 28 #include <arpa/inet.h> 29 30 #include <signal.h> 31 #include <string.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <fcntl.h> 35 #include <getopt.h> 36 #include <fnmatch.h> 37 #include <syslog.h> 38 #include <err.h> 39 #include <errno.h> 40 #include <event.h> 41 #include <unistd.h> 42 #include <ctype.h> 43 #include <pwd.h> 44 #include <sha1.h> 45 #include <md5.h> 46 47 #include <tls.h> 48 49 #include "relayd.h" 50 51 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 52 53 __dead void usage(void); 54 55 int parent_configure(struct relayd *); 56 void parent_configure_done(struct relayd *); 57 void parent_reload(struct relayd *, u_int, const char *); 58 void parent_sig_handler(int, short, void *); 59 void parent_shutdown(struct relayd *); 60 int parent_dispatch_pfe(int, struct privsep_proc *, struct imsg *); 61 int parent_dispatch_hce(int, struct privsep_proc *, struct imsg *); 62 int parent_dispatch_relay(int, struct privsep_proc *, 63 struct imsg *); 64 int parent_dispatch_ca(int, struct privsep_proc *, 65 struct imsg *); 66 int bindany(struct ctl_bindany *); 67 void parent_tls_ticket_rekey(int, short, void *); 68 69 struct relayd *relayd_env; 70 71 static struct privsep_proc procs[] = { 72 { "pfe", PROC_PFE, parent_dispatch_pfe, pfe }, 73 { "hce", PROC_HCE, parent_dispatch_hce, hce }, 74 { "relay", PROC_RELAY, parent_dispatch_relay, relay }, 75 { "ca", PROC_CA, parent_dispatch_ca, ca } 76 }; 77 78 void 79 parent_sig_handler(int sig, short event, void *arg) 80 { 81 struct privsep *ps = arg; 82 83 switch (sig) { 84 case SIGTERM: 85 case SIGINT: 86 parent_shutdown(ps->ps_env); 87 break; 88 case SIGHUP: 89 log_info("%s: reload requested with SIGHUP", __func__); 90 91 /* 92 * This is safe because libevent uses async signal handlers 93 * that run in the event loop and not in signal context. 94 */ 95 parent_reload(ps->ps_env, CONFIG_RELOAD, NULL); 96 break; 97 case SIGPIPE: 98 case SIGUSR1: 99 /* ignore */ 100 break; 101 default: 102 fatalx("unexpected signal"); 103 } 104 } 105 106 __dead void 107 usage(void) 108 { 109 extern char *__progname; 110 111 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n", 112 __progname); 113 exit(1); 114 } 115 116 int 117 main(int argc, char *argv[]) 118 { 119 int c; 120 int debug = 0, verbose = 0; 121 u_int32_t opts = 0; 122 struct relayd *env; 123 struct privsep *ps; 124 const char *conffile = CONF_FILE; 125 enum privsep_procid proc_id = PROC_PARENT; 126 int proc_instance = 0; 127 const char *errp, *title = NULL; 128 int argc0 = argc; 129 130 while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) { 131 switch (c) { 132 case 'd': 133 debug = 2; 134 break; 135 case 'D': 136 if (cmdline_symset(optarg) < 0) 137 log_warnx("could not parse macro definition %s", 138 optarg); 139 break; 140 case 'n': 141 debug = 2; 142 opts |= RELAYD_OPT_NOACTION; 143 break; 144 case 'f': 145 conffile = optarg; 146 break; 147 case 'v': 148 verbose++; 149 opts |= RELAYD_OPT_VERBOSE; 150 break; 151 case 'P': 152 title = optarg; 153 proc_id = proc_getid(procs, nitems(procs), title); 154 if (proc_id == PROC_MAX) 155 fatalx("invalid process name"); 156 break; 157 case 'I': 158 proc_instance = strtonum(optarg, 0, 159 PROC_MAX_INSTANCES, &errp); 160 if (errp) 161 fatalx("invalid process instance"); 162 break; 163 default: 164 usage(); 165 } 166 } 167 168 /* log to stderr until daemonized */ 169 log_init(debug ? debug : 1, LOG_DAEMON); 170 171 argc -= optind; 172 if (argc > 0) 173 usage(); 174 175 if ((env = calloc(1, sizeof(*env))) == NULL || 176 (ps = calloc(1, sizeof(*ps))) == NULL) 177 exit(1); 178 179 relayd_env = env; 180 env->sc_ps = ps; 181 ps->ps_env = env; 182 TAILQ_INIT(&ps->ps_rcsocks); 183 env->sc_conffile = conffile; 184 env->sc_conf.opts = opts; 185 TAILQ_INIT(&env->sc_hosts); 186 TAILQ_INIT(&env->sc_sessions); 187 env->sc_rtable = getrtable(); 188 env->sc_snmp = -1; 189 /* initialize the TLS session id to a random key for all relay procs */ 190 arc4random_buf(env->sc_conf.tls_sid, sizeof(env->sc_conf.tls_sid)); 191 192 if (parse_config(env->sc_conffile, env) == -1) 193 exit(1); 194 195 if (debug) 196 env->sc_conf.opts |= RELAYD_OPT_LOGUPDATE; 197 198 if (geteuid()) 199 errx(1, "need root privileges"); 200 201 if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) 202 errx(1, "unknown user %s", RELAYD_USER); 203 204 log_init(debug, LOG_DAEMON); 205 log_setverbose(verbose); 206 207 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) 208 ps->ps_noaction = 1; 209 210 ps->ps_instances[PROC_RELAY] = env->sc_conf.prefork_relay; 211 ps->ps_instances[PROC_CA] = env->sc_conf.prefork_relay; 212 ps->ps_instance = proc_instance; 213 if (title != NULL) 214 ps->ps_title[proc_id] = title; 215 216 /* only the parent returns */ 217 proc_init(ps, procs, nitems(procs), debug, argc0, argv, proc_id); 218 219 log_procinit("parent"); 220 if (!debug && daemon(1, 0) == -1) 221 err(1, "failed to daemonize"); 222 223 if (ps->ps_noaction == 0) 224 log_info("startup"); 225 226 event_init(); 227 228 signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); 229 signal_set(&ps->ps_evsigterm, SIGTERM, parent_sig_handler, ps); 230 signal_set(&ps->ps_evsighup, SIGHUP, parent_sig_handler, ps); 231 signal_set(&ps->ps_evsigpipe, SIGPIPE, parent_sig_handler, ps); 232 signal_set(&ps->ps_evsigusr1, SIGUSR1, parent_sig_handler, ps); 233 234 signal_add(&ps->ps_evsigint, NULL); 235 signal_add(&ps->ps_evsigterm, NULL); 236 signal_add(&ps->ps_evsighup, NULL); 237 signal_add(&ps->ps_evsigpipe, NULL); 238 signal_add(&ps->ps_evsigusr1, NULL); 239 240 proc_connect(ps); 241 242 relay_http(NULL); 243 if (load_config(env->sc_conffile, env) == -1) { 244 proc_kill(env->sc_ps); 245 exit(1); 246 } 247 248 if (env->sc_conf.opts & RELAYD_OPT_NOACTION) { 249 fprintf(stderr, "configuration OK\n"); 250 proc_kill(env->sc_ps); 251 exit(0); 252 } 253 254 if (env->sc_conf.flags & (F_TLS|F_TLSCLIENT)) 255 ssl_init(env); 256 257 /* rekey the TLS tickets before pushing the config */ 258 parent_tls_ticket_rekey(0, 0, env); 259 if (parent_configure(env) == -1) 260 fatalx("configuration failed"); 261 262 init_routes(env); 263 264 event_dispatch(); 265 266 parent_shutdown(env); 267 /* NOTREACHED */ 268 269 return (0); 270 } 271 272 int 273 parent_configure(struct relayd *env) 274 { 275 struct table *tb; 276 struct rdr *rdr; 277 struct router *rt; 278 struct protocol *proto; 279 struct relay *rlay; 280 int id; 281 int ret = -1; 282 283 TAILQ_FOREACH(tb, env->sc_tables, entry) 284 config_settable(env, tb); 285 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 286 config_setrdr(env, rdr); 287 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 288 config_setrt(env, rt); 289 TAILQ_FOREACH(proto, env->sc_protos, entry) 290 config_setproto(env, proto); 291 TAILQ_FOREACH(proto, env->sc_protos, entry) 292 config_setrule(env, proto); 293 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { 294 /* Check for TLS Inspection */ 295 if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == 296 (F_TLS|F_TLSCLIENT) && rlay->rl_tls_cacert_fd != -1) 297 rlay->rl_conf.flags |= F_TLSINSPECT; 298 299 config_setrelay(env, rlay); 300 } 301 302 /* HCE, PFE, CA and the relays need to reload their config. */ 303 env->sc_reload = 2 + (2 * env->sc_conf.prefork_relay); 304 305 for (id = 0; id < PROC_MAX; id++) { 306 if (id == privsep_process) 307 continue; 308 proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1, 309 -1, &env->sc_conf, sizeof(env->sc_conf)); 310 } 311 312 ret = 0; 313 314 config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS); 315 return (ret); 316 } 317 318 void 319 parent_reload(struct relayd *env, u_int reset, const char *filename) 320 { 321 if (env->sc_reload) { 322 log_debug("%s: already in progress: %d pending", 323 __func__, env->sc_reload); 324 return; 325 } 326 327 /* Switch back to the default config file */ 328 if (filename == NULL || *filename == '\0') 329 filename = env->sc_conffile; 330 331 log_debug("%s: level %d config file %s", __func__, reset, filename); 332 333 config_purge(env, CONFIG_ALL); 334 335 if (reset == CONFIG_RELOAD) { 336 if (load_config(filename, env) == -1) { 337 log_debug("%s: failed to load config file %s", 338 __func__, filename); 339 } 340 341 config_setreset(env, CONFIG_ALL); 342 343 if (parent_configure(env) == -1) { 344 log_debug("%s: failed to commit config from %s", 345 __func__, filename); 346 } 347 } else 348 config_setreset(env, reset); 349 } 350 351 void 352 parent_configure_done(struct relayd *env) 353 { 354 int id; 355 356 if (env->sc_reload == 0) { 357 log_warnx("%s: configuration already finished", __func__); 358 return; 359 } 360 361 env->sc_reload--; 362 if (env->sc_reload == 0) { 363 for (id = 0; id < PROC_MAX; id++) { 364 if (id == privsep_process) 365 continue; 366 367 proc_compose(env->sc_ps, id, IMSG_CTL_START, NULL, 0); 368 } 369 } 370 } 371 372 void 373 parent_shutdown(struct relayd *env) 374 { 375 config_purge(env, CONFIG_ALL); 376 377 proc_kill(env->sc_ps); 378 control_cleanup(&env->sc_ps->ps_csock); 379 (void)unlink(env->sc_ps->ps_csock.cs_name); 380 carp_demote_shutdown(); 381 382 free(env->sc_ps); 383 free(env); 384 385 log_info("parent terminating, pid %d", getpid()); 386 387 exit(0); 388 } 389 390 int 391 parent_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) 392 { 393 struct privsep *ps = p->p_ps; 394 struct relayd *env = ps->ps_env; 395 struct ctl_demote demote; 396 struct ctl_netroute crt; 397 u_int v; 398 char *str = NULL; 399 400 switch (imsg->hdr.type) { 401 case IMSG_DEMOTE: 402 IMSG_SIZE_CHECK(imsg, &demote); 403 memcpy(&demote, imsg->data, sizeof(demote)); 404 carp_demote_set(demote.group, demote.level); 405 break; 406 case IMSG_RTMSG: 407 IMSG_SIZE_CHECK(imsg, &crt); 408 memcpy(&crt, imsg->data, sizeof(crt)); 409 pfe_route(env, &crt); 410 break; 411 case IMSG_CTL_RESET: 412 IMSG_SIZE_CHECK(imsg, &v); 413 memcpy(&v, imsg->data, sizeof(v)); 414 parent_reload(env, v, NULL); 415 break; 416 case IMSG_CTL_RELOAD: 417 if (IMSG_DATA_SIZE(imsg) > 0) 418 str = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); 419 parent_reload(env, CONFIG_RELOAD, str); 420 free(str); 421 break; 422 case IMSG_CTL_SHUTDOWN: 423 parent_shutdown(env); 424 break; 425 case IMSG_CFG_DONE: 426 parent_configure_done(env); 427 break; 428 case IMSG_SNMPSOCK: 429 (void)snmp_setsock(env, p->p_id); 430 break; 431 default: 432 return (-1); 433 } 434 435 return (0); 436 } 437 438 int 439 parent_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) 440 { 441 struct privsep *ps = p->p_ps; 442 struct relayd *env = ps->ps_env; 443 struct ctl_script scr; 444 445 switch (imsg->hdr.type) { 446 case IMSG_SCRIPT: 447 IMSG_SIZE_CHECK(imsg, &scr); 448 bcopy(imsg->data, &scr, sizeof(scr)); 449 scr.retval = script_exec(env, &scr); 450 proc_compose(ps, PROC_HCE, IMSG_SCRIPT, &scr, sizeof(scr)); 451 break; 452 case IMSG_CFG_DONE: 453 parent_configure_done(env); 454 break; 455 default: 456 return (-1); 457 } 458 459 return (0); 460 } 461 462 int 463 parent_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg) 464 { 465 struct privsep *ps = p->p_ps; 466 struct relayd *env = ps->ps_env; 467 struct ctl_bindany bnd; 468 int s; 469 470 switch (imsg->hdr.type) { 471 case IMSG_BINDANY: 472 IMSG_SIZE_CHECK(imsg, &bnd); 473 bcopy(imsg->data, &bnd, sizeof(bnd)); 474 if (bnd.bnd_proc > env->sc_conf.prefork_relay) 475 fatalx("%s: invalid relay proc", __func__); 476 switch (bnd.bnd_proto) { 477 case IPPROTO_TCP: 478 case IPPROTO_UDP: 479 break; 480 default: 481 fatalx("%s: requested socket " 482 "for invalid protocol", __func__); 483 /* NOTREACHED */ 484 } 485 s = bindany(&bnd); 486 proc_compose_imsg(ps, PROC_RELAY, bnd.bnd_proc, 487 IMSG_BINDANY, -1, s, &bnd.bnd_id, sizeof(bnd.bnd_id)); 488 break; 489 case IMSG_CFG_DONE: 490 parent_configure_done(env); 491 break; 492 default: 493 return (-1); 494 } 495 496 return (0); 497 } 498 499 int 500 parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) 501 { 502 struct privsep *ps = p->p_ps; 503 struct relayd *env = ps->ps_env; 504 505 switch (imsg->hdr.type) { 506 case IMSG_CFG_DONE: 507 parent_configure_done(env); 508 break; 509 default: 510 return (-1); 511 } 512 513 return (0); 514 } 515 516 void 517 purge_table(struct relayd *env, struct tablelist *head, struct table *table) 518 { 519 struct host *host; 520 521 while ((host = TAILQ_FIRST(&table->hosts)) != NULL) { 522 TAILQ_REMOVE(&table->hosts, host, entry); 523 TAILQ_REMOVE(&env->sc_hosts, host, globalentry); 524 if (event_initialized(&host->cte.ev)) { 525 event_del(&host->cte.ev); 526 close(host->cte.s); 527 } 528 ibuf_free(host->cte.buf); 529 tls_free(host->cte.tls); 530 free(host); 531 } 532 free(table->sendbuf); 533 ibuf_free(table->sendbinbuf); 534 tls_config_free(table->tls_cfg); 535 536 if (head != NULL) 537 TAILQ_REMOVE(head, table, entry); 538 free(table); 539 } 540 541 void 542 purge_key(char **key, off_t len) 543 { 544 freezero(*key, len); 545 546 *key = NULL; 547 } 548 549 void 550 purge_relay(struct relayd *env, struct relay *rlay) 551 { 552 struct rsession *con; 553 struct relay_table *rlt; 554 struct relay_cert *cert, *tmpcert; 555 556 /* shutdown and remove relay */ 557 if (event_initialized(&rlay->rl_ev)) 558 event_del(&rlay->rl_ev); 559 close(rlay->rl_s); 560 TAILQ_REMOVE(env->sc_relays, rlay, rl_entry); 561 562 /* cleanup sessions */ 563 while ((con = 564 SPLAY_ROOT(&rlay->rl_sessions)) != NULL) 565 relay_close(con, NULL, 0); 566 567 /* cleanup relay */ 568 if (rlay->rl_bev != NULL) 569 bufferevent_free(rlay->rl_bev); 570 if (rlay->rl_dstbev != NULL) 571 bufferevent_free(rlay->rl_dstbev); 572 573 purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len); 574 575 if (rlay->rl_tls_pkey != NULL) { 576 EVP_PKEY_free(rlay->rl_tls_pkey); 577 rlay->rl_tls_pkey = NULL; 578 } 579 if (rlay->rl_tls_cacertx509 != NULL) { 580 X509_free(rlay->rl_tls_cacertx509); 581 rlay->rl_tls_cacertx509 = NULL; 582 } 583 if (rlay->rl_tls_capkey != NULL) { 584 EVP_PKEY_free(rlay->rl_tls_capkey); 585 rlay->rl_tls_capkey = NULL; 586 } 587 588 tls_free(rlay->rl_tls_ctx); 589 tls_config_free(rlay->rl_tls_cfg); 590 tls_config_free(rlay->rl_tls_client_cfg); 591 592 while ((rlt = TAILQ_FIRST(&rlay->rl_tables))) { 593 TAILQ_REMOVE(&rlay->rl_tables, rlt, rlt_entry); 594 free(rlt); 595 } 596 597 TAILQ_FOREACH_SAFE(cert, env->sc_certs, cert_entry, tmpcert) { 598 if (rlay->rl_conf.id != cert->cert_relayid) 599 continue; 600 if (cert->cert_fd != -1) 601 close(cert->cert_fd); 602 if (cert->cert_key_fd != -1) 603 close(cert->cert_key_fd); 604 if (cert->cert_ocsp_fd != -1) 605 close(cert->cert_ocsp_fd); 606 if (cert->cert_pkey != NULL) 607 EVP_PKEY_free(cert->cert_pkey); 608 TAILQ_REMOVE(env->sc_certs, cert, cert_entry); 609 free(cert); 610 } 611 612 free(rlay); 613 } 614 615 struct kv * 616 kv_add(struct kvtree *keys, char *key, char *value, int unique) 617 { 618 struct kv *kv, *oldkv; 619 620 if (key == NULL) 621 return (NULL); 622 if ((kv = calloc(1, sizeof(*kv))) == NULL) 623 return (NULL); 624 if ((kv->kv_key = strdup(key)) == NULL) 625 goto fail; 626 if (value != NULL && 627 (kv->kv_value = strdup(value)) == NULL) 628 goto fail; 629 TAILQ_INIT(&kv->kv_children); 630 631 if ((oldkv = RB_INSERT(kvtree, keys, kv)) != NULL) { 632 /* 633 * return error if the key should occur only once, 634 * or add it to a list attached to the key's node. 635 */ 636 if (unique) 637 goto fail; 638 TAILQ_INSERT_TAIL(&oldkv->kv_children, kv, kv_entry); 639 kv->kv_parent = oldkv; 640 } 641 642 return (kv); 643 fail: 644 free(kv->kv_key); 645 free(kv->kv_value); 646 free(kv); 647 return (NULL); 648 } 649 650 int 651 kv_set(struct kv *kv, char *fmt, ...) 652 { 653 va_list ap; 654 char *value = NULL; 655 struct kv *ckv; 656 657 va_start(ap, fmt); 658 if (vasprintf(&value, fmt, ap) == -1) 659 return (-1); 660 va_end(ap); 661 662 /* Remove all children */ 663 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 664 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 665 kv_free(ckv); 666 free(ckv); 667 } 668 669 /* Set the new value */ 670 free(kv->kv_value); 671 kv->kv_value = value; 672 673 return (0); 674 } 675 676 int 677 kv_setkey(struct kv *kv, char *fmt, ...) 678 { 679 va_list ap; 680 char *key = NULL; 681 682 va_start(ap, fmt); 683 if (vasprintf(&key, fmt, ap) == -1) 684 return (-1); 685 va_end(ap); 686 687 free(kv->kv_key); 688 kv->kv_key = key; 689 690 return (0); 691 } 692 693 void 694 kv_delete(struct kvtree *keys, struct kv *kv) 695 { 696 struct kv *ckv; 697 698 RB_REMOVE(kvtree, keys, kv); 699 700 /* Remove all children */ 701 while ((ckv = TAILQ_FIRST(&kv->kv_children)) != NULL) { 702 TAILQ_REMOVE(&kv->kv_children, ckv, kv_entry); 703 kv_free(ckv); 704 free(ckv); 705 } 706 707 kv_free(kv); 708 free(kv); 709 } 710 711 struct kv * 712 kv_extend(struct kvtree *keys, struct kv *kv, char *value) 713 { 714 char *newvalue; 715 716 if (kv == NULL) { 717 return (NULL); 718 } else if (kv->kv_value != NULL) { 719 if (asprintf(&newvalue, "%s%s", kv->kv_value, value) == -1) 720 return (NULL); 721 722 free(kv->kv_value); 723 kv->kv_value = newvalue; 724 } else if ((kv->kv_value = strdup(value)) == NULL) 725 return (NULL); 726 727 return (kv); 728 } 729 730 void 731 kv_purge(struct kvtree *keys) 732 { 733 struct kv *kv; 734 735 while ((kv = RB_MIN(kvtree, keys)) != NULL) 736 kv_delete(keys, kv); 737 } 738 739 void 740 kv_free(struct kv *kv) 741 { 742 /* 743 * This function does not clear memory referenced by 744 * kv_children or stuff on the tailqs. Use kv_delete() instead. 745 */ 746 747 free(kv->kv_key); 748 free(kv->kv_value); 749 memset(kv, 0, sizeof(*kv)); 750 } 751 752 struct kv * 753 kv_inherit(struct kv *dst, struct kv *src) 754 { 755 memset(dst, 0, sizeof(*dst)); 756 memcpy(dst, src, sizeof(*dst)); 757 TAILQ_INIT(&dst->kv_children); 758 759 if (src->kv_key != NULL) { 760 if ((dst->kv_key = strdup(src->kv_key)) == NULL) { 761 kv_free(dst); 762 return (NULL); 763 } 764 } 765 if (src->kv_value != NULL) { 766 if ((dst->kv_value = strdup(src->kv_value)) == NULL) { 767 kv_free(dst); 768 return (NULL); 769 } 770 } 771 772 if (src->kv_match != NULL) 773 dst->kv_match = src->kv_match; 774 if (src->kv_matchtree != NULL) 775 dst->kv_matchtree = src->kv_matchtree; 776 777 return (dst); 778 } 779 780 int 781 kv_log(struct rsession *con, struct kv *kv, u_int16_t labelid, 782 enum direction dir) 783 { 784 char *msg; 785 786 if (con->se_log == NULL) 787 return (0); 788 if (asprintf(&msg, " %s%s%s%s%s%s%s", 789 dir == RELAY_DIR_REQUEST ? "[" : "{", 790 labelid == 0 ? "" : label_id2name(labelid), 791 labelid == 0 ? "" : ", ", 792 kv->kv_key == NULL ? "(unknown)" : kv->kv_key, 793 kv->kv_value == NULL ? "" : ": ", 794 kv->kv_value == NULL ? "" : kv->kv_value, 795 dir == RELAY_DIR_REQUEST ? "]" : "}") == -1) 796 return (-1); 797 if (evbuffer_add(con->se_log, msg, strlen(msg)) == -1) { 798 free(msg); 799 return (-1); 800 } 801 free(msg); 802 con->se_haslog = 1; 803 return (0); 804 } 805 806 struct kv * 807 kv_find(struct kvtree *keys, struct kv *kv) 808 { 809 struct kv *match; 810 const char *key; 811 812 if (kv->kv_flags & KV_FLAG_GLOBBING) { 813 /* Test header key using shell globbing rules */ 814 key = kv->kv_key == NULL ? "" : kv->kv_key; 815 RB_FOREACH(match, kvtree, keys) { 816 if (fnmatch(key, match->kv_key, FNM_CASEFOLD) == 0) 817 break; 818 } 819 } else { 820 /* Fast tree-based lookup only works without globbing */ 821 match = RB_FIND(kvtree, keys, kv); 822 } 823 824 return (match); 825 } 826 827 struct kv * 828 kv_find_value(struct kvtree *keys, char *key, const char *value, 829 const char *delim) 830 { 831 struct kv *match, kv; 832 char *val = NULL, *next, *ptr; 833 size_t len; 834 835 kv.kv_key = key; 836 if ((match = RB_FIND(kvtree, keys, &kv)) == NULL) 837 return (NULL); 838 839 if (match->kv_value == NULL) 840 return (NULL); 841 842 if (delim == NULL) { 843 if (strcasecmp(match->kv_value, value) == 0) 844 goto done; 845 } else { 846 if ((val = strdup(match->kv_value)) == NULL) 847 return (NULL); 848 for (next = ptr = val; ptr != NULL; 849 ptr = strsep(&next, delim)) { 850 /* strip whitespace */ 851 ptr += strspn(ptr, " \t"); 852 len = strcspn(ptr, " \t"); 853 if (strncasecmp(ptr, value, len) == 0) 854 goto done; 855 } 856 } 857 858 /* not matched */ 859 match = NULL; 860 done: 861 #ifdef DEBUG 862 if (match != NULL) 863 DPRINTF("%s: matched %s: %s", __func__, key, value); 864 #endif 865 free(val); 866 return (match); 867 } 868 869 int 870 kv_cmp(struct kv *a, struct kv *b) 871 { 872 return (strcasecmp(a->kv_key, b->kv_key)); 873 } 874 875 RB_GENERATE(kvtree, kv, kv_node, kv_cmp); 876 877 int 878 rule_add(struct protocol *proto, struct relay_rule *rule, const char *rulefile) 879 { 880 struct relay_rule *r = NULL; 881 struct kv *kv = NULL; 882 FILE *fp = NULL; 883 char buf[BUFSIZ]; 884 int ret = -1; 885 u_int i; 886 887 for (i = 0; i < KEY_TYPE_MAX; i++) { 888 kv = &rule->rule_kv[i]; 889 if (kv->kv_type != i) 890 continue; 891 892 switch (kv->kv_option) { 893 case KEY_OPTION_LOG: 894 /* log action needs a key or a file to be specified */ 895 if (kv->kv_key == NULL && rulefile == NULL && 896 (kv->kv_key = strdup("*")) == NULL) 897 goto fail; 898 break; 899 default: 900 break; 901 } 902 903 switch (kv->kv_type) { 904 case KEY_TYPE_QUERY: 905 case KEY_TYPE_PATH: 906 case KEY_TYPE_URL: 907 if (rule->rule_dir != RELAY_DIR_REQUEST) 908 goto fail; 909 break; 910 default: 911 break; 912 } 913 914 if (kv->kv_value != NULL && strchr(kv->kv_value, '$') != NULL) 915 kv->kv_flags |= KV_FLAG_MACRO; 916 if (kv->kv_key != NULL && strpbrk(kv->kv_key, "*?[") != NULL) 917 kv->kv_flags |= KV_FLAG_GLOBBING; 918 } 919 920 if (rulefile == NULL) { 921 TAILQ_INSERT_TAIL(&proto->rules, rule, rule_entry); 922 return (0); 923 } 924 925 if ((fp = fopen(rulefile, "r")) == NULL) 926 goto fail; 927 928 while (fgets(buf, sizeof(buf), fp) != NULL) { 929 /* strip whitespace and newline characters */ 930 buf[strcspn(buf, "\r\n\t ")] = '\0'; 931 if (!strlen(buf) || buf[0] == '#') 932 continue; 933 934 if ((r = rule_inherit(rule)) == NULL) 935 goto fail; 936 937 for (i = 0; i < KEY_TYPE_MAX; i++) { 938 kv = &r->rule_kv[i]; 939 if (kv->kv_type != i) 940 continue; 941 free(kv->kv_key); 942 if ((kv->kv_key = strdup(buf)) == NULL) { 943 rule_free(r); 944 free(r); 945 goto fail; 946 } 947 } 948 949 TAILQ_INSERT_TAIL(&proto->rules, r, rule_entry); 950 } 951 952 ret = 0; 953 rule_free(rule); 954 free(rule); 955 956 fail: 957 if (fp != NULL) 958 fclose(fp); 959 return (ret); 960 } 961 962 struct relay_rule * 963 rule_inherit(struct relay_rule *rule) 964 { 965 struct relay_rule *r; 966 u_int i; 967 struct kv *kv; 968 969 if ((r = calloc(1, sizeof(*r))) == NULL) 970 return (NULL); 971 memcpy(r, rule, sizeof(*r)); 972 973 for (i = 0; i < KEY_TYPE_MAX; i++) { 974 kv = &rule->rule_kv[i]; 975 if (kv->kv_type != i) 976 continue; 977 if (kv_inherit(&r->rule_kv[i], kv) == NULL) { 978 free(r); 979 return (NULL); 980 } 981 } 982 983 if (r->rule_label > 0) 984 label_ref(r->rule_label); 985 if (r->rule_tag > 0) 986 tag_ref(r->rule_tag); 987 if (r->rule_tagged > 0) 988 tag_ref(r->rule_tagged); 989 990 return (r); 991 } 992 993 void 994 rule_free(struct relay_rule *rule) 995 { 996 u_int i; 997 998 for (i = 0; i < KEY_TYPE_MAX; i++) 999 kv_free(&rule->rule_kv[i]); 1000 if (rule->rule_label > 0) 1001 label_unref(rule->rule_label); 1002 if (rule->rule_tag > 0) 1003 tag_unref(rule->rule_tag); 1004 if (rule->rule_tagged > 0) 1005 tag_unref(rule->rule_tagged); 1006 } 1007 1008 void 1009 rule_delete(struct relay_rules *rules, struct relay_rule *rule) 1010 { 1011 TAILQ_REMOVE(rules, rule, rule_entry); 1012 rule_free(rule); 1013 free(rule); 1014 } 1015 1016 void 1017 rule_settable(struct relay_rules *rules, struct relay_table *rlt) 1018 { 1019 struct relay_rule *r; 1020 char pname[TABLE_NAME_SIZE]; 1021 1022 if (rlt->rlt_table == NULL || strlcpy(pname, rlt->rlt_table->conf.name, 1023 sizeof(pname)) >= sizeof(pname)) 1024 return; 1025 1026 pname[strcspn(pname, ":")] = '\0'; 1027 1028 TAILQ_FOREACH(r, rules, rule_entry) { 1029 if (r->rule_tablename[0] && 1030 strcmp(pname, r->rule_tablename) == 0) 1031 r->rule_table = rlt; 1032 } 1033 } 1034 1035 /* 1036 * Utility functions 1037 */ 1038 1039 struct host * 1040 host_find(struct relayd *env, objid_t id) 1041 { 1042 struct table *table; 1043 struct host *host; 1044 1045 TAILQ_FOREACH(table, env->sc_tables, entry) 1046 TAILQ_FOREACH(host, &table->hosts, entry) 1047 if (host->conf.id == id) 1048 return (host); 1049 return (NULL); 1050 } 1051 1052 struct table * 1053 table_find(struct relayd *env, objid_t id) 1054 { 1055 struct table *table; 1056 1057 TAILQ_FOREACH(table, env->sc_tables, entry) 1058 if (table->conf.id == id) 1059 return (table); 1060 return (NULL); 1061 } 1062 1063 struct rdr * 1064 rdr_find(struct relayd *env, objid_t id) 1065 { 1066 struct rdr *rdr; 1067 1068 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1069 if (rdr->conf.id == id) 1070 return (rdr); 1071 return (NULL); 1072 } 1073 1074 struct relay * 1075 relay_find(struct relayd *env, objid_t id) 1076 { 1077 struct relay *rlay; 1078 1079 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1080 if (rlay->rl_conf.id == id) 1081 return (rlay); 1082 return (NULL); 1083 } 1084 1085 struct protocol * 1086 proto_find(struct relayd *env, objid_t id) 1087 { 1088 struct protocol *p; 1089 1090 TAILQ_FOREACH(p, env->sc_protos, entry) 1091 if (p->id == id) 1092 return (p); 1093 return (NULL); 1094 } 1095 1096 struct rsession * 1097 session_find(struct relayd *env, objid_t id) 1098 { 1099 struct relay *rlay; 1100 struct rsession *con; 1101 1102 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1103 SPLAY_FOREACH(con, session_tree, &rlay->rl_sessions) 1104 if (con->se_id == id) 1105 return (con); 1106 return (NULL); 1107 } 1108 1109 struct netroute * 1110 route_find(struct relayd *env, objid_t id) 1111 { 1112 struct netroute *nr; 1113 1114 TAILQ_FOREACH(nr, env->sc_routes, nr_route) 1115 if (nr->nr_conf.id == id) 1116 return (nr); 1117 return (NULL); 1118 } 1119 1120 struct router * 1121 router_find(struct relayd *env, objid_t id) 1122 { 1123 struct router *rt; 1124 1125 TAILQ_FOREACH(rt, env->sc_rts, rt_entry) 1126 if (rt->rt_conf.id == id) 1127 return (rt); 1128 return (NULL); 1129 } 1130 1131 struct host * 1132 host_findbyname(struct relayd *env, const char *name) 1133 { 1134 struct table *table; 1135 struct host *host; 1136 1137 TAILQ_FOREACH(table, env->sc_tables, entry) 1138 TAILQ_FOREACH(host, &table->hosts, entry) 1139 if (strcmp(host->conf.name, name) == 0) 1140 return (host); 1141 return (NULL); 1142 } 1143 1144 struct table * 1145 table_findbyname(struct relayd *env, const char *name) 1146 { 1147 struct table *table; 1148 1149 TAILQ_FOREACH(table, env->sc_tables, entry) 1150 if (strcmp(table->conf.name, name) == 0) 1151 return (table); 1152 return (NULL); 1153 } 1154 1155 struct table * 1156 table_findbyconf(struct relayd *env, struct table *tb) 1157 { 1158 struct table *table; 1159 struct table_config a, b; 1160 1161 bcopy(&tb->conf, &a, sizeof(a)); 1162 a.id = a.rdrid = 0; 1163 a.flags &= ~(F_USED|F_BACKUP); 1164 1165 TAILQ_FOREACH(table, env->sc_tables, entry) { 1166 bcopy(&table->conf, &b, sizeof(b)); 1167 b.id = b.rdrid = 0; 1168 b.flags &= ~(F_USED|F_BACKUP); 1169 1170 /* 1171 * Compare two tables and return the existing table if 1172 * the configuration seems to be the same. 1173 */ 1174 if (bcmp(&a, &b, sizeof(b)) == 0 && 1175 ((tb->sendbuf == NULL && table->sendbuf == NULL) || 1176 (tb->sendbuf != NULL && table->sendbuf != NULL && 1177 strcmp(tb->sendbuf, table->sendbuf) == 0))) 1178 return (table); 1179 } 1180 return (NULL); 1181 } 1182 1183 struct rdr * 1184 rdr_findbyname(struct relayd *env, const char *name) 1185 { 1186 struct rdr *rdr; 1187 1188 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) 1189 if (strcmp(rdr->conf.name, name) == 0) 1190 return (rdr); 1191 return (NULL); 1192 } 1193 1194 struct relay * 1195 relay_findbyname(struct relayd *env, const char *name) 1196 { 1197 struct relay *rlay; 1198 1199 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1200 if (strcmp(rlay->rl_conf.name, name) == 0) 1201 return (rlay); 1202 return (NULL); 1203 } 1204 1205 struct relay * 1206 relay_findbyaddr(struct relayd *env, struct relay_config *rc) 1207 { 1208 struct relay *rlay; 1209 1210 TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) 1211 if (bcmp(&rlay->rl_conf.ss, &rc->ss, sizeof(rc->ss)) == 0 && 1212 rlay->rl_conf.port == rc->port) 1213 return (rlay); 1214 return (NULL); 1215 } 1216 1217 EVP_PKEY * 1218 pkey_find(struct relayd *env, char * hash) 1219 { 1220 struct ca_pkey *pkey; 1221 1222 TAILQ_FOREACH(pkey, env->sc_pkeys, pkey_entry) 1223 if (strcmp(hash, pkey->pkey_hash) == 0) 1224 return (pkey->pkey); 1225 return (NULL); 1226 } 1227 1228 struct ca_pkey * 1229 pkey_add(struct relayd *env, EVP_PKEY *pkey, char *hash) 1230 { 1231 struct ca_pkey *ca_pkey; 1232 1233 if (env->sc_pkeys == NULL) 1234 fatalx("pkeys"); 1235 1236 if ((ca_pkey = calloc(1, sizeof(*ca_pkey))) == NULL) 1237 return (NULL); 1238 1239 ca_pkey->pkey = pkey; 1240 if (strlcpy(ca_pkey->pkey_hash, hash, sizeof(ca_pkey->pkey_hash)) >= 1241 sizeof(ca_pkey->pkey_hash)) { 1242 free(ca_pkey); 1243 return (NULL); 1244 } 1245 1246 TAILQ_INSERT_TAIL(env->sc_pkeys, ca_pkey, pkey_entry); 1247 1248 return (ca_pkey); 1249 } 1250 1251 struct relay_cert * 1252 cert_add(struct relayd *env, objid_t id) 1253 { 1254 static objid_t last_cert_id = 0; 1255 struct relay_cert *cert; 1256 1257 if ((cert = calloc(1, sizeof(*cert))) == NULL) 1258 return (NULL); 1259 1260 if (id == 0) 1261 id = ++last_cert_id; 1262 if (id == INT_MAX) { 1263 log_warnx("too many tls keypairs defined"); 1264 free(cert); 1265 return (NULL); 1266 } 1267 1268 cert->cert_id = id; 1269 cert->cert_fd = -1; 1270 cert->cert_key_fd = -1; 1271 cert->cert_ocsp_fd = -1; 1272 1273 TAILQ_INSERT_TAIL(env->sc_certs, cert, cert_entry); 1274 1275 return (cert); 1276 } 1277 1278 struct relay_cert * 1279 cert_find(struct relayd *env, objid_t id) 1280 { 1281 struct relay_cert *cert; 1282 1283 TAILQ_FOREACH(cert, env->sc_certs, cert_entry) 1284 if (cert->cert_id == id) 1285 return (cert); 1286 return (NULL); 1287 } 1288 1289 char * 1290 relay_load_fd(int fd, off_t *len) 1291 { 1292 char *buf = NULL; 1293 struct stat st; 1294 off_t size; 1295 ssize_t rv; 1296 int err; 1297 1298 if (fstat(fd, &st) != 0) 1299 goto fail; 1300 size = st.st_size; 1301 if ((buf = calloc(1, size + 1)) == NULL) 1302 goto fail; 1303 if ((rv = pread(fd, buf, size, 0)) != size) 1304 goto fail; 1305 1306 close(fd); 1307 1308 *len = size; 1309 return (buf); 1310 1311 fail: 1312 err = errno; 1313 free(buf); 1314 close(fd); 1315 errno = err; 1316 return (NULL); 1317 } 1318 1319 int 1320 relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name) 1321 { 1322 char certfile[PATH_MAX]; 1323 char hbuf[PATH_MAX]; 1324 struct protocol *proto = rlay->rl_proto; 1325 struct relay_cert *cert; 1326 int useport = htons(rlay->rl_conf.port); 1327 int cert_fd = -1, key_fd = -1, ocsp_fd = -1; 1328 1329 if (rlay->rl_conf.flags & F_TLSCLIENT) { 1330 if (strlen(proto->tlsca) && rlay->rl_tls_ca_fd == -1) { 1331 if ((rlay->rl_tls_ca_fd = 1332 open(proto->tlsca, O_RDONLY)) == -1) 1333 return (-1); 1334 log_debug("%s: using ca %s", __func__, proto->tlsca); 1335 } 1336 if (strlen(proto->tlscacert) && rlay->rl_tls_cacert_fd == -1) { 1337 if ((rlay->rl_tls_cacert_fd = 1338 open(proto->tlscacert, O_RDONLY)) == -1) 1339 return (-1); 1340 log_debug("%s: using ca certificate %s", __func__, 1341 proto->tlscacert); 1342 } 1343 if (strlen(proto->tlscakey) && !rlay->rl_conf.tls_cakey_len && 1344 proto->tlscapass != NULL) { 1345 if ((rlay->rl_tls_cakey = 1346 ssl_load_key(env, proto->tlscakey, 1347 &rlay->rl_conf.tls_cakey_len, 1348 proto->tlscapass)) == NULL) 1349 return (-1); 1350 log_debug("%s: using ca key %s", __func__, 1351 proto->tlscakey); 1352 } 1353 } 1354 1355 if ((rlay->rl_conf.flags & F_TLS) == 0) 1356 return (0); 1357 1358 if (name == NULL && 1359 print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 1360 goto fail; 1361 else if (name != NULL && 1362 strlcpy(hbuf, name, sizeof(hbuf)) >= sizeof(hbuf)) 1363 goto fail; 1364 1365 if (snprintf(certfile, sizeof(certfile), 1366 "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) 1367 goto fail; 1368 if ((cert_fd = open(certfile, O_RDONLY)) == -1) { 1369 if (snprintf(certfile, sizeof(certfile), 1370 "/etc/ssl/%s.crt", hbuf) == -1) 1371 goto fail; 1372 if ((cert_fd = open(certfile, O_RDONLY)) == -1) 1373 goto fail; 1374 useport = 0; 1375 } 1376 log_debug("%s: using certificate %s", __func__, certfile); 1377 1378 if (useport) { 1379 if (snprintf(certfile, sizeof(certfile), 1380 "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) 1381 goto fail; 1382 } else { 1383 if (snprintf(certfile, sizeof(certfile), 1384 "/etc/ssl/private/%s.key", hbuf) == -1) 1385 goto fail; 1386 } 1387 if ((key_fd = open(certfile, O_RDONLY)) == -1) 1388 goto fail; 1389 log_debug("%s: using private key %s", __func__, certfile); 1390 1391 if (useport) { 1392 if (snprintf(certfile, sizeof(certfile), 1393 "/etc/ssl/%s:%u.ocsp", hbuf, useport) == -1) 1394 goto fail; 1395 } else { 1396 if (snprintf(certfile, sizeof(certfile), 1397 "/etc/ssl/%s.ocsp", hbuf) == -1) 1398 goto fail; 1399 } 1400 if ((ocsp_fd = open(certfile, O_RDONLY)) != -1) 1401 log_debug("%s: using OCSP staple file %s", __func__, certfile); 1402 1403 if ((cert = cert_add(env, 0)) == NULL) 1404 goto fail; 1405 1406 cert->cert_relayid = rlay->rl_conf.id; 1407 cert->cert_fd = cert_fd; 1408 cert->cert_key_fd = key_fd; 1409 cert->cert_ocsp_fd = ocsp_fd; 1410 1411 return (0); 1412 1413 fail: 1414 if (cert_fd != -1) 1415 close(cert_fd); 1416 if (key_fd != -1) 1417 close(key_fd); 1418 if (ocsp_fd != -1) 1419 close(ocsp_fd); 1420 1421 return (-1); 1422 } 1423 1424 void 1425 event_again(struct event *ev, int fd, short event, 1426 void (*fn)(int, short, void *), 1427 struct timeval *start, struct timeval *end, void *arg) 1428 { 1429 struct timeval tv_next, tv_now, tv; 1430 1431 getmonotime(&tv_now); 1432 bcopy(end, &tv_next, sizeof(tv_next)); 1433 timersub(&tv_now, start, &tv_now); 1434 timersub(&tv_next, &tv_now, &tv_next); 1435 1436 bzero(&tv, sizeof(tv)); 1437 if (timercmp(&tv_next, &tv, >)) 1438 bcopy(&tv_next, &tv, sizeof(tv)); 1439 1440 event_del(ev); 1441 event_set(ev, fd, event, fn, arg); 1442 event_add(ev, &tv); 1443 } 1444 1445 int 1446 expand_string(char *label, size_t len, const char *srch, const char *repl) 1447 { 1448 char *tmp; 1449 char *p, *q; 1450 1451 if ((tmp = calloc(1, len)) == NULL) { 1452 log_debug("%s: calloc", __func__); 1453 return (-1); 1454 } 1455 p = q = label; 1456 while ((q = strstr(p, srch)) != NULL) { 1457 *q = '\0'; 1458 if ((strlcat(tmp, p, len) >= len) || 1459 (strlcat(tmp, repl, len) >= len)) { 1460 log_debug("%s: string too long", __func__); 1461 free(tmp); 1462 return (-1); 1463 } 1464 q += strlen(srch); 1465 p = q; 1466 } 1467 if (strlcat(tmp, p, len) >= len) { 1468 log_debug("%s: string too long", __func__); 1469 free(tmp); 1470 return (-1); 1471 } 1472 (void)strlcpy(label, tmp, len); /* always fits */ 1473 free(tmp); 1474 1475 return (0); 1476 } 1477 1478 void 1479 translate_string(char *str) 1480 { 1481 char *reader; 1482 char *writer; 1483 1484 reader = writer = str; 1485 1486 while (*reader) { 1487 if (*reader == '\\') { 1488 reader++; 1489 switch (*reader) { 1490 case 'n': 1491 *writer++ = '\n'; 1492 break; 1493 case 'r': 1494 *writer++ = '\r'; 1495 break; 1496 default: 1497 *writer++ = *reader; 1498 } 1499 } else 1500 *writer++ = *reader; 1501 reader++; 1502 } 1503 *writer = '\0'; 1504 } 1505 1506 char * 1507 digeststr(enum digest_type type, const u_int8_t *data, size_t len, char *buf) 1508 { 1509 switch (type) { 1510 case DIGEST_SHA1: 1511 return (SHA1Data(data, len, buf)); 1512 break; 1513 case DIGEST_MD5: 1514 return (MD5Data(data, len, buf)); 1515 break; 1516 default: 1517 break; 1518 } 1519 return (NULL); 1520 } 1521 1522 const char * 1523 canonicalize_host(const char *host, char *name, size_t len) 1524 { 1525 struct sockaddr_in sin4; 1526 struct sockaddr_in6 sin6; 1527 size_t i, j; 1528 size_t plen; 1529 char c; 1530 1531 if (len < 2) 1532 goto fail; 1533 1534 /* 1535 * Canonicalize an IPv4/6 address 1536 */ 1537 if (inet_pton(AF_INET, host, &sin4) == 1) 1538 return (inet_ntop(AF_INET, &sin4, name, len)); 1539 if (inet_pton(AF_INET6, host, &sin6) == 1) 1540 return (inet_ntop(AF_INET6, &sin6, name, len)); 1541 1542 /* 1543 * Canonicalize a hostname 1544 */ 1545 1546 /* 1. remove repeated dots and convert upper case to lower case */ 1547 plen = strlen(host); 1548 bzero(name, len); 1549 for (i = j = 0; i < plen; i++) { 1550 if (j >= (len - 1)) 1551 goto fail; 1552 c = tolower((unsigned char)host[i]); 1553 if ((c == '.') && (j == 0 || name[j - 1] == '.')) 1554 continue; 1555 name[j++] = c; 1556 } 1557 1558 /* 2. remove trailing dots */ 1559 for (i = j; i > 0; i--) { 1560 if (name[i - 1] != '.') 1561 break; 1562 name[i - 1] = '\0'; 1563 j--; 1564 } 1565 if (j <= 0) 1566 goto fail; 1567 1568 return (name); 1569 1570 fail: 1571 errno = EINVAL; 1572 return (NULL); 1573 } 1574 1575 int 1576 parse_url(const char *url, char **protoptr, char **hostptr, char **pathptr) 1577 { 1578 char *p, *proto = NULL, *host = NULL, *path = NULL; 1579 1580 /* return error if it is not a URL */ 1581 if ((p = strstr(url, ":/")) == NULL || 1582 (strcspn(url, ":/") != (size_t)(p - url))) 1583 return (-1); 1584 1585 /* get protocol */ 1586 if ((proto = strdup(url)) == NULL) 1587 goto fail; 1588 p = proto + (p - url); 1589 1590 /* get host */ 1591 p += strspn(p, ":/"); 1592 if (*p == '\0' || (host = strdup(p)) == NULL) 1593 goto fail; 1594 *p = '\0'; 1595 1596 /* find and copy path or default to "/" */ 1597 if ((p = strchr(host, '/')) == NULL) 1598 p = "/"; 1599 if ((path = strdup(p)) == NULL) 1600 goto fail; 1601 1602 /* strip path after host */ 1603 host[strcspn(host, "/")] = '\0'; 1604 1605 DPRINTF("%s: %s proto %s, host %s, path %s", __func__, 1606 url, proto, host, path); 1607 1608 *protoptr = proto; 1609 *hostptr = host; 1610 *pathptr = path; 1611 1612 return (0); 1613 1614 fail: 1615 free(proto); 1616 free(host); 1617 free(path); 1618 return (-1); 1619 } 1620 1621 int 1622 bindany(struct ctl_bindany *bnd) 1623 { 1624 int s, v; 1625 1626 s = -1; 1627 v = 1; 1628 1629 if (relay_socket_af(&bnd->bnd_ss, bnd->bnd_port) == -1) 1630 goto fail; 1631 if ((s = socket(bnd->bnd_ss.ss_family, 1632 bnd->bnd_proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, 1633 bnd->bnd_proto)) == -1) 1634 goto fail; 1635 if (setsockopt(s, SOL_SOCKET, SO_BINDANY, 1636 &v, sizeof(v)) == -1) 1637 goto fail; 1638 if (bind(s, (struct sockaddr *)&bnd->bnd_ss, 1639 bnd->bnd_ss.ss_len) == -1) 1640 goto fail; 1641 1642 return (s); 1643 1644 fail: 1645 if (s != -1) 1646 close(s); 1647 return (-1); 1648 } 1649 1650 int 1651 map6to4(struct sockaddr_storage *in6) 1652 { 1653 struct sockaddr_storage out4; 1654 struct sockaddr_in *sin4 = (struct sockaddr_in *)&out4; 1655 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)in6; 1656 1657 bzero(sin4, sizeof(*sin4)); 1658 sin4->sin_len = sizeof(*sin4); 1659 sin4->sin_family = AF_INET; 1660 sin4->sin_port = sin6->sin6_port; 1661 1662 bcopy(&sin6->sin6_addr.s6_addr[12], &sin4->sin_addr.s_addr, 1663 sizeof(sin4->sin_addr)); 1664 1665 if (sin4->sin_addr.s_addr == INADDR_ANY || 1666 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1667 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1668 return (-1); 1669 1670 bcopy(&out4, in6, sizeof(*in6)); 1671 1672 return (0); 1673 } 1674 1675 int 1676 map4to6(struct sockaddr_storage *in4, struct sockaddr_storage *map) 1677 { 1678 struct sockaddr_storage out6; 1679 struct sockaddr_in *sin4 = (struct sockaddr_in *)in4; 1680 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out6; 1681 struct sockaddr_in6 *map6 = (struct sockaddr_in6 *)map; 1682 1683 if (sin4->sin_addr.s_addr == INADDR_ANY || 1684 sin4->sin_addr.s_addr == INADDR_BROADCAST || 1685 IN_MULTICAST(ntohl(sin4->sin_addr.s_addr))) 1686 return (-1); 1687 1688 bcopy(map6, sin6, sizeof(*sin6)); 1689 sin6->sin6_len = sizeof(*sin6); 1690 sin6->sin6_family = AF_INET6; 1691 sin6->sin6_port = sin4->sin_port; 1692 1693 bcopy(&sin4->sin_addr.s_addr, &sin6->sin6_addr.s6_addr[12], 1694 sizeof(sin4->sin_addr)); 1695 1696 bcopy(&out6, in4, sizeof(*in4)); 1697 1698 return (0); 1699 } 1700 1701 void 1702 socket_rlimit(int maxfd) 1703 { 1704 struct rlimit rl; 1705 1706 if (getrlimit(RLIMIT_NOFILE, &rl) == -1) 1707 fatal("%s: failed to get resource limit", __func__); 1708 log_debug("%s: max open files %llu", __func__, rl.rlim_max); 1709 1710 /* 1711 * Allow the maximum number of open file descriptors for this 1712 * login class (which should be the class "daemon" by default). 1713 */ 1714 if (maxfd == -1) 1715 rl.rlim_cur = rl.rlim_max; 1716 else 1717 rl.rlim_cur = MAXIMUM(rl.rlim_max, (rlim_t)maxfd); 1718 if (setrlimit(RLIMIT_NOFILE, &rl) == -1) 1719 fatal("%s: failed to set resource limit", __func__); 1720 } 1721 1722 char * 1723 get_string(u_int8_t *ptr, size_t len) 1724 { 1725 size_t i; 1726 1727 for (i = 0; i < len; i++) 1728 if (!(isprint((unsigned char)ptr[i]) || 1729 isspace((unsigned char)ptr[i]))) 1730 break; 1731 1732 return strndup(ptr, i); 1733 } 1734 1735 void * 1736 get_data(u_int8_t *ptr, size_t len) 1737 { 1738 u_int8_t *data; 1739 1740 if ((data = malloc(len)) == NULL) 1741 return (NULL); 1742 memcpy(data, ptr, len); 1743 1744 return (data); 1745 } 1746 1747 int 1748 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen) 1749 { 1750 struct sockaddr_in *a4, *b4; 1751 struct sockaddr_in6 *a6, *b6; 1752 u_int32_t av[4], bv[4], mv[4]; 1753 1754 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC) 1755 return (0); 1756 else if (a->sa_family > b->sa_family) 1757 return (1); 1758 else if (a->sa_family < b->sa_family) 1759 return (-1); 1760 1761 if (prefixlen == -1) 1762 memset(&mv, 0xff, sizeof(mv)); 1763 1764 switch (a->sa_family) { 1765 case AF_INET: 1766 a4 = (struct sockaddr_in *)a; 1767 b4 = (struct sockaddr_in *)b; 1768 1769 av[0] = a4->sin_addr.s_addr; 1770 bv[0] = b4->sin_addr.s_addr; 1771 if (prefixlen != -1) 1772 mv[0] = prefixlen2mask(prefixlen); 1773 1774 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1775 return (1); 1776 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1777 return (-1); 1778 break; 1779 case AF_INET6: 1780 a6 = (struct sockaddr_in6 *)a; 1781 b6 = (struct sockaddr_in6 *)b; 1782 1783 memcpy(&av, &a6->sin6_addr.s6_addr, 16); 1784 memcpy(&bv, &b6->sin6_addr.s6_addr, 16); 1785 if (prefixlen != -1) 1786 prefixlen2mask6(prefixlen, mv); 1787 1788 if ((av[3] & mv[3]) > (bv[3] & mv[3])) 1789 return (1); 1790 if ((av[3] & mv[3]) < (bv[3] & mv[3])) 1791 return (-1); 1792 if ((av[2] & mv[2]) > (bv[2] & mv[2])) 1793 return (1); 1794 if ((av[2] & mv[2]) < (bv[2] & mv[2])) 1795 return (-1); 1796 if ((av[1] & mv[1]) > (bv[1] & mv[1])) 1797 return (1); 1798 if ((av[1] & mv[1]) < (bv[1] & mv[1])) 1799 return (-1); 1800 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 1801 return (1); 1802 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 1803 return (-1); 1804 break; 1805 } 1806 1807 return (0); 1808 } 1809 1810 u_int32_t 1811 prefixlen2mask(u_int8_t prefixlen) 1812 { 1813 if (prefixlen == 0) 1814 return (0); 1815 1816 if (prefixlen > 32) 1817 prefixlen = 32; 1818 1819 return (htonl(0xffffffff << (32 - prefixlen))); 1820 } 1821 1822 struct in6_addr * 1823 prefixlen2mask6(u_int8_t prefixlen, u_int32_t *mask) 1824 { 1825 static struct in6_addr s6; 1826 int i; 1827 1828 if (prefixlen > 128) 1829 prefixlen = 128; 1830 1831 bzero(&s6, sizeof(s6)); 1832 for (i = 0; i < prefixlen / 8; i++) 1833 s6.s6_addr[i] = 0xff; 1834 i = prefixlen % 8; 1835 if (i) 1836 s6.s6_addr[prefixlen / 8] = 0xff00 >> i; 1837 1838 memcpy(mask, &s6, sizeof(s6)); 1839 1840 return (&s6); 1841 } 1842 1843 int 1844 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen, 1845 int reserve, volatile int *counter) 1846 { 1847 int ret; 1848 if (getdtablecount() + reserve + 1849 *counter >= getdtablesize()) { 1850 errno = EMFILE; 1851 return (-1); 1852 } 1853 1854 if ((ret = accept4(sockfd, addr, addrlen, SOCK_NONBLOCK)) > -1) { 1855 (*counter)++; 1856 DPRINTF("%s: inflight incremented, now %d",__func__, *counter); 1857 } 1858 return (ret); 1859 } 1860 1861 void 1862 parent_tls_ticket_rekey(int fd, short events, void *arg) 1863 { 1864 static struct event rekeyev; 1865 struct relayd *env = arg; 1866 struct timeval tv; 1867 struct relay_ticket_key key; 1868 1869 log_debug("%s: rekeying tickets", __func__); 1870 1871 key.tt_keyrev = arc4random(); 1872 arc4random_buf(key.tt_key, sizeof(key.tt_key)); 1873 1874 proc_compose_imsg(env->sc_ps, PROC_RELAY, -1, IMSG_TLSTICKET_REKEY, 1875 -1, -1, &key, sizeof(key)); 1876 1877 evtimer_set(&rekeyev, parent_tls_ticket_rekey, env); 1878 timerclear(&tv); 1879 tv.tv_sec = TLS_SESSION_LIFETIME / 4; 1880 evtimer_add(&rekeyev, &tv); 1881 } 1882