GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.sbin/relayd/relay.c Lines: 185 1342 13.8 %
Date: 2017-11-13 Branches: 98 884 11.1 %

Line Branch Exec Source
1
/*	$OpenBSD: relay.c,v 1.227 2017/09/23 11:56:57 bluhm Exp $	*/
2
3
/*
4
 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 */
18
19
#include <sys/types.h>
20
#include <sys/queue.h>
21
#include <sys/time.h>
22
#include <sys/stat.h>
23
#include <sys/socket.h>
24
#include <sys/tree.h>
25
26
#include <netinet/in.h>
27
#include <netinet/tcp.h>
28
#include <arpa/inet.h>
29
30
#include <limits.h>
31
#include <poll.h>
32
#include <stdio.h>
33
#include <stdlib.h>
34
#include <errno.h>
35
#include <fcntl.h>
36
#include <string.h>
37
#include <unistd.h>
38
#include <event.h>
39
#include <siphash.h>
40
#include <imsg.h>
41
42
#include <tls.h>
43
44
#include "relayd.h"
45
46
#define MINIMUM(a, b)	(((a) < (b)) ? (a) : (b))
47
48
void		 relay_statistics(int, short, void *);
49
int		 relay_dispatch_parent(int, struct privsep_proc *,
50
		    struct imsg *);
51
int		 relay_dispatch_pfe(int, struct privsep_proc *,
52
		    struct imsg *);
53
int		 relay_dispatch_ca(int, struct privsep_proc *,
54
		    struct imsg *);
55
int		 relay_dispatch_hce(int, struct privsep_proc *,
56
		    struct imsg *);
57
void		 relay_shutdown(void);
58
59
void		 relay_protodebug(struct relay *);
60
void		 relay_ruledebug(struct relay_rule *);
61
void		 relay_init(struct privsep *, struct privsep_proc *p, void *);
62
void		 relay_launch(void);
63
int		 relay_socket(struct sockaddr_storage *, in_port_t,
64
		    struct protocol *, int, int);
65
int		 relay_socket_listen(struct sockaddr_storage *, in_port_t,
66
		    struct protocol *);
67
int		 relay_socket_connect(struct sockaddr_storage *, in_port_t,
68
		    struct protocol *, int);
69
70
void		 relay_accept(int, short, void *);
71
void		 relay_input(struct rsession *);
72
73
void		 relay_hash_addr(SIPHASH_CTX *, struct sockaddr_storage *, int);
74
75
int		 relay_tls_ctx_create(struct relay *);
76
void		 relay_tls_transaction(struct rsession *,
77
		    struct ctl_relay_event *);
78
void		 relay_tls_handshake(int, short, void *);
79
void		 relay_connect_retry(int, short, void *);
80
void		 relay_tls_connected(struct ctl_relay_event *);
81
void		 relay_tls_readcb(int, short, void *);
82
void		 relay_tls_writecb(int, short, void *);
83
84
char		*relay_load_file(const char *, off_t *);
85
extern void	 bufferevent_read_pressure_cb(struct evbuffer *, size_t,
86
		    size_t, void *);
87
88
volatile int relay_sessions;
89
volatile int relay_inflight = 0;
90
objid_t relay_conid;
91
92
static struct relayd		*env = NULL;
93
94
static struct privsep_proc procs[] = {
95
	{ "parent",	PROC_PARENT,	relay_dispatch_parent },
96
	{ "pfe",	PROC_PFE,	relay_dispatch_pfe },
97
	{ "ca",		PROC_CA,	relay_dispatch_ca },
98
	{ "hce",	PROC_HCE,	relay_dispatch_hce },
99
};
100
101
void
102
relay(struct privsep *ps, struct privsep_proc *p)
103
{
104
	env = ps->ps_env;
105
	proc_run(ps, p, procs, nitems(procs), relay_init, NULL);
106
	relay_http(env);
107
}
108
109
void
110
relay_shutdown(void)
111
{
112
	config_purge(env, CONFIG_ALL);
113
	usleep(200);	/* XXX relay needs to shutdown last */
114
}
115
116
void
117
relay_ruledebug(struct relay_rule *rule)
118
{
119
	struct kv	*kv = NULL;
120
	u_int		 i;
121
122
2436
	fprintf(stderr, "\t\t");
123
124

1624
	switch (rule->rule_action) {
125
	case RULE_ACTION_MATCH:
126
620
		fprintf(stderr, "match ");
127
620
		break;
128
	case RULE_ACTION_BLOCK:
129
136
		fprintf(stderr, "block ");
130
136
		break;
131
	case RULE_ACTION_PASS:
132
56
		fprintf(stderr, "pass ");
133
56
		break;
134
	}
135
136

1624
	switch (rule->rule_dir) {
137
	case RELAY_DIR_ANY:
138
		break;
139
	case RELAY_DIR_REQUEST:
140
582
		fprintf(stderr, "request ");
141
582
		break;
142
	case RELAY_DIR_RESPONSE:
143
230
		fprintf(stderr, "response ");
144
230
		break;
145
	default:
146
		return;
147
		/* NOTREACHED */
148
		break;
149
	}
150
151
812
	if (rule->rule_flags & RULE_FLAG_QUICK)
152
8
		fprintf(stderr, "quick ");
153
154
9744
	for (i = 1; i < KEY_TYPE_MAX; i++) {
155
4060
		kv = &rule->rule_kv[i];
156
4060
		if (kv->kv_type != i)
157
			continue;
158
159

748
		switch (kv->kv_type) {
160
		case KEY_TYPE_COOKIE:
161
24
			fprintf(stderr, "cookie ");
162
24
			break;
163
		case KEY_TYPE_HEADER:
164
508
			fprintf(stderr, "header ");
165
508
			break;
166
		case KEY_TYPE_PATH:
167
136
			fprintf(stderr, "path ");
168
136
			break;
169
		case KEY_TYPE_QUERY:
170
32
			fprintf(stderr, "query ");
171
32
			break;
172
		case KEY_TYPE_URL:
173
48
			fprintf(stderr, "url ");
174
48
			break;
175
		default:
176
			continue;
177
		}
178
179

1400
		switch (kv->kv_option) {
180
		case KEY_OPTION_APPEND:
181
40
			fprintf(stderr, "append ");
182
40
			break;
183
		case KEY_OPTION_SET:
184
56
			fprintf(stderr, "set ");
185
56
			break;
186
		case KEY_OPTION_REMOVE:
187
8
			fprintf(stderr, "remove ");
188
8
			break;
189
		case KEY_OPTION_HASH:
190
8
			fprintf(stderr, "hash ");
191
8
			break;
192
		case KEY_OPTION_LOG:
193
540
			fprintf(stderr, "log ");
194
540
			break;
195
		case KEY_OPTION_NONE:
196
			break;
197
		}
198
199
748
		switch (kv->kv_digest) {
200
		case DIGEST_SHA1:
201
		case DIGEST_MD5:
202
8
			fprintf(stderr, "digest ");
203
8
			break;
204
		default:
205
			break;
206
		}
207
208
748
		fprintf(stderr, "%s%s%s%s%s%s ",
209
748
		    kv->kv_key == NULL ? "" : "\"",
210
2244
		    kv->kv_key == NULL ? "" : kv->kv_key,
211
748
		    kv->kv_key == NULL ? "" : "\"",
212
748
		    kv->kv_value == NULL ? "" : " value \"",
213
2220
		    kv->kv_value == NULL ? "" : kv->kv_value,
214
748
		    kv->kv_value == NULL ? "" : "\"");
215
748
	}
216
217
812
	if (rule->rule_tablename[0])
218
		fprintf(stderr, "forward to <%s> ", rule->rule_tablename);
219
220
812
	if (rule->rule_tag == -1)
221
		fprintf(stderr, "no tag ");
222

860
	else if (rule->rule_tag && rule->rule_tagname[0])
223
48
		fprintf(stderr, "tag \"%s\" ",
224
48
		    rule->rule_tagname);
225
226

852
	if (rule->rule_tagged && rule->rule_taggedname[0])
227
40
		fprintf(stderr, "tagged \"%s\" ",
228
40
		    rule->rule_taggedname);
229
230
812
	if (rule->rule_label == -1)
231
		fprintf(stderr, "no label ");
232

844
	else if (rule->rule_label && rule->rule_labelname[0])
233
32
		fprintf(stderr, "label \"%s\" ",
234
32
		    rule->rule_labelname);
235
236
812
	fprintf(stderr, "\n");
237
1624
}
238
239
void
240
relay_protodebug(struct relay *rlay)
241
{
242
1096
	struct protocol		*proto = rlay->rl_proto;
243
	struct relay_rule	*rule = NULL;
244
245
548
	fprintf(stderr, "protocol %d: name %s\n",
246
548
	    proto->id, proto->name);
247
548
	fprintf(stderr, "\tflags: %s, relay flags: %s\n",
248
548
	    printb_flags(proto->flags, F_BITS),
249
548
	    printb_flags(rlay->rl_conf.flags, F_BITS));
250
548
	if (proto->tcpflags)
251
280
		fprintf(stderr, "\ttcp flags: %s\n",
252
280
		    printb_flags(proto->tcpflags, TCPFLAG_BITS));
253

688
	if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && proto->tlsflags)
254
140
		fprintf(stderr, "\ttls flags: %s\n",
255
140
		    printb_flags(proto->tlsflags, TLSFLAG_BITS));
256
1096
	fprintf(stderr, "\ttls session tickets: %s\n",
257
1096
	    (proto->tickets == 1) ? "enabled" : "disabled");
258
1096
	fprintf(stderr, "\ttype: ");
259

1096
	switch (proto->type) {
260
	case RELAY_PROTO_TCP:
261
70
		fprintf(stderr, "tcp\n");
262
70
		break;
263
	case RELAY_PROTO_HTTP:
264
478
		fprintf(stderr, "http\n");
265
478
		break;
266
	case RELAY_PROTO_DNS:
267
		fprintf(stderr, "dns\n");
268
		break;
269
	}
270
271
548
	rule = TAILQ_FIRST(&proto->rules);
272
2720
	while (rule != NULL) {
273
812
		relay_ruledebug(rule);
274
812
		rule = TAILQ_NEXT(rule, rule_entry);
275
	}
276
548
}
277
278
int
279
relay_privinit(struct relay *rlay)
280
{
281
1096
	log_debug("%s: adding relay %s", __func__, rlay->rl_conf.name);
282
283
548
	if (log_getverbose() > 1)
284
548
		relay_protodebug(rlay);
285
286
548
	switch (rlay->rl_proto->type) {
287
	case RELAY_PROTO_DNS:
288
		relay_udp_privinit(rlay);
289
		break;
290
	case RELAY_PROTO_TCP:
291
		break;
292
	case RELAY_PROTO_HTTP:
293
		break;
294
	}
295
296
548
	if (rlay->rl_conf.flags & F_UDP)
297
		rlay->rl_s = relay_udp_bind(&rlay->rl_conf.ss,
298
		    rlay->rl_conf.port, rlay->rl_proto);
299
	else
300
548
		rlay->rl_s = relay_socket_listen(&rlay->rl_conf.ss,
301
		    rlay->rl_conf.port, rlay->rl_proto);
302
548
	if (rlay->rl_s == -1)
303
		return (-1);
304
305
548
	return (0);
306
548
}
307
308
void
309
relay_init(struct privsep *ps, struct privsep_proc *p, void *arg)
310
{
311
	struct timeval	 tv;
312
313
	if (config_init(ps->ps_env) == -1)
314
		fatal("failed to initialize configuration");
315
316
	/* We use a custom shutdown callback */
317
	p->p_shutdown = relay_shutdown;
318
319
	/* Unlimited file descriptors (use system limits) */
320
	socket_rlimit(-1);
321
322
	if (pledge("stdio recvfd inet flock rpath cpath wpath", NULL) == -1)
323
		fatal("pledge");
324
325
	/* Schedule statistics timer */
326
	evtimer_set(&env->sc_statev, relay_statistics, ps);
327
	bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv));
328
	evtimer_add(&env->sc_statev, &tv);
329
}
330
331
void
332
relay_session_publish(struct rsession *s)
333
{
334
	proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_PUBLISH, s, sizeof(*s));
335
}
336
337
void
338
relay_session_unpublish(struct rsession *s)
339
{
340
	proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_UNPUBLISH,
341
	    &s->se_id, sizeof(s->se_id));
342
}
343
344
void
345
relay_statistics(int fd, short events, void *arg)
346
{
347
	struct privsep		*ps = arg;
348
	struct relay		*rlay;
349
	struct ctl_stats	 crs, *cur;
350
	struct timeval		 tv, tv_now;
351
	int			 resethour = 0, resetday = 0;
352
	struct rsession		*con, *next_con;
353
354
	/*
355
	 * This is a hack to calculate some average statistics.
356
	 * It doesn't try to be very accurate, but could be improved...
357
	 */
358
359
	timerclear(&tv);
360
	getmonotime(&tv_now);
361
362
	TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) {
363
		bzero(&crs, sizeof(crs));
364
		resethour = resetday = 0;
365
366
		cur = &rlay->rl_stats[ps->ps_instance];
367
		cur->cnt += cur->last;
368
		cur->tick++;
369
		cur->avg = (cur->last + cur->avg) / 2;
370
		cur->last_hour += cur->last;
371
		if ((cur->tick %
372
		    (3600 / env->sc_conf.statinterval.tv_sec)) == 0) {
373
			cur->avg_hour = (cur->last_hour + cur->avg_hour) / 2;
374
			resethour++;
375
		}
376
		cur->last_day += cur->last;
377
		if ((cur->tick %
378
		    (86400 / env->sc_conf.statinterval.tv_sec)) == 0) {
379
			cur->avg_day = (cur->last_day + cur->avg_day) / 2;
380
			resethour++;
381
		}
382
		bcopy(cur, &crs, sizeof(crs));
383
384
		cur->last = 0;
385
		if (resethour)
386
			cur->last_hour = 0;
387
		if (resetday)
388
			cur->last_day = 0;
389
390
		crs.id = rlay->rl_conf.id;
391
		crs.proc = ps->ps_instance;
392
		proc_compose(env->sc_ps, PROC_PFE, IMSG_STATISTICS,
393
		    &crs, sizeof(crs));
394
395
		for (con = SPLAY_ROOT(&rlay->rl_sessions);
396
		    con != NULL; con = next_con) {
397
			next_con = SPLAY_NEXT(session_tree,
398
			    &rlay->rl_sessions, con);
399
			timersub(&tv_now, &con->se_tv_last, &tv);
400
			if (timercmp(&tv, &rlay->rl_conf.timeout, >=))
401
				relay_close(con, "hard timeout");
402
		}
403
	}
404
405
	/* Schedule statistics timer */
406
	evtimer_set(&env->sc_statev, relay_statistics, ps);
407
	bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv));
408
	evtimer_add(&env->sc_statev, &tv);
409
}
410
411
void
412
relay_launch(void)
413
{
414
	void			(*callback)(int, short, void *);
415
	struct relay		*rlay;
416
	struct host		*host;
417
	struct relay_table	*rlt;
418
419
	TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) {
420
		if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) &&
421
		    relay_tls_ctx_create(rlay) == -1)
422
			fatalx("%s: failed to create TLS context", __func__);
423
424
		TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) {
425
			/*
426
			 * set rule->rule_table in advance and save time
427
			 * looking up for this later on rule/connection
428
			 * evalution
429
			 */
430
			rule_settable(&rlay->rl_proto->rules, rlt);
431
432
			rlt->rlt_index = 0;
433
			rlt->rlt_nhosts = 0;
434
			TAILQ_FOREACH(host, &rlt->rlt_table->hosts, entry) {
435
				if (rlt->rlt_nhosts >= RELAY_MAXHOSTS)
436
					fatal("%s: too many hosts in table",
437
					    __func__);
438
				host->idx = rlt->rlt_nhosts;
439
				rlt->rlt_host[rlt->rlt_nhosts++] = host;
440
			}
441
			log_info("adding %d hosts from table %s%s",
442
			    rlt->rlt_nhosts, rlt->rlt_table->conf.name,
443
			    rlt->rlt_table->conf.check ? "" : " (no check)");
444
		}
445
446
		switch (rlay->rl_proto->type) {
447
		case RELAY_PROTO_DNS:
448
			relay_udp_init(env, rlay);
449
			break;
450
		case RELAY_PROTO_TCP:
451
		case RELAY_PROTO_HTTP:
452
			relay_http_init(rlay);
453
			/* Use defaults */
454
			break;
455
		}
456
457
		log_debug("%s: running relay %s", __func__,
458
		    rlay->rl_conf.name);
459
460
		rlay->rl_up = HOST_UP;
461
462
		if (rlay->rl_conf.flags & F_UDP)
463
			callback = relay_udp_server;
464
		else
465
			callback = relay_accept;
466
467
		event_set(&rlay->rl_ev, rlay->rl_s, EV_READ,
468
		    callback, rlay);
469
		event_add(&rlay->rl_ev, NULL);
470
		evtimer_set(&rlay->rl_evt, callback, rlay);
471
	}
472
}
473
474
int
475
relay_socket_af(struct sockaddr_storage *ss, in_port_t port)
476
{
477
1096
	switch (ss->ss_family) {
478
	case AF_INET:
479
548
		((struct sockaddr_in *)ss)->sin_port = port;
480
548
		((struct sockaddr_in *)ss)->sin_len =
481
		    sizeof(struct sockaddr_in);
482
548
		break;
483
	case AF_INET6:
484
		((struct sockaddr_in6 *)ss)->sin6_port = port;
485
		((struct sockaddr_in6 *)ss)->sin6_len =
486
		    sizeof(struct sockaddr_in6);
487
		break;
488
	default:
489
		return (-1);
490
	}
491
492
548
	return (0);
493
548
}
494
495
in_port_t
496
relay_socket_getport(struct sockaddr_storage *ss)
497
{
498
	switch (ss->ss_family) {
499
	case AF_INET:
500
		return (((struct sockaddr_in *)ss)->sin_port);
501
	case AF_INET6:
502
		return (((struct sockaddr_in6 *)ss)->sin6_port);
503
	default:
504
		return (0);
505
	}
506
507
	/* NOTREACHED */
508
	return (0);
509
}
510
511
int
512
relay_socket(struct sockaddr_storage *ss, in_port_t port,
513
    struct protocol *proto, int fd, int reuseport)
514
{
515
1096
	struct linger	lng;
516
548
	int		s = -1, val;
517
518
548
	if (relay_socket_af(ss, port) == -1)
519
		goto bad;
520
521
1644
	s = fd == -1 ? socket(ss->ss_family,
522
	    SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP) : fd;
523
548
	if (s == -1)
524
		goto bad;
525
526
	/*
527
	 * Socket options
528
	 */
529
548
	bzero(&lng, sizeof(lng));
530
548
	if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1)
531
		goto bad;
532
548
	if (reuseport) {
533
548
		val = 1;
534
1096
		if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val,
535
548
			sizeof(int)) == -1)
536
			goto bad;
537
	}
538
548
	if (proto->tcpflags & TCPFLAG_BUFSIZ) {
539
8
		val = proto->tcpbufsiz;
540
16
		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
541
8
		    &val, sizeof(val)) == -1)
542
			goto bad;
543
8
		val = proto->tcpbufsiz;
544
16
		if (setsockopt(s, SOL_SOCKET, SO_SNDBUF,
545
8
		    &val, sizeof(val)) == -1)
546
			goto bad;
547
	}
548
549
	/*
550
	 * IP options
551
	 */
552
548
	if (proto->tcpflags & TCPFLAG_IPTTL) {
553
		val = (int)proto->tcpipttl;
554
		switch (ss->ss_family) {
555
		case AF_INET:
556
			if (setsockopt(s, IPPROTO_IP, IP_TTL,
557
			    &val, sizeof(val)) == -1)
558
				goto bad;
559
			break;
560
		case AF_INET6:
561
			if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
562
			    &val, sizeof(val)) == -1)
563
				goto bad;
564
			break;
565
		}
566
	}
567
548
	if (proto->tcpflags & TCPFLAG_IPMINTTL) {
568
		val = (int)proto->tcpipminttl;
569
		switch (ss->ss_family) {
570
		case AF_INET:
571
			if (setsockopt(s, IPPROTO_IP, IP_MINTTL,
572
			    &val, sizeof(val)) == -1)
573
				goto bad;
574
			break;
575
		case AF_INET6:
576
			if (setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
577
			    &val, sizeof(val)) == -1)
578
				goto bad;
579
			break;
580
		}
581
	}
582
583
	/*
584
	 * TCP options
585
	 */
586
548
	if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) {
587
		if (proto->tcpflags & TCPFLAG_NNODELAY)
588
			val = 0;
589
		else
590
			val = 1;
591
		if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY,
592
		    &val, sizeof(val)) == -1)
593
			goto bad;
594
	}
595
548
	if (proto->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) {
596
		if (proto->tcpflags & TCPFLAG_NSACK)
597
			val = 0;
598
		else
599
			val = 1;
600
		if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE,
601
		    &val, sizeof(val)) == -1)
602
			goto bad;
603
	}
604
605
548
	return (s);
606
607
 bad:
608
	if (s != -1)
609
		close(s);
610
	return (-1);
611
548
}
612
613
int
614
relay_socket_connect(struct sockaddr_storage *ss, in_port_t port,
615
    struct protocol *proto, int fd)
616
{
617
	int	s;
618
619
	if ((s = relay_socket(ss, port, proto, fd, 0)) == -1)
620
		return (-1);
621
622
	if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) {
623
		if (errno != EINPROGRESS)
624
			goto bad;
625
	}
626
627
	return (s);
628
629
 bad:
630
	close(s);
631
	return (-1);
632
}
633
634
int
635
relay_socket_listen(struct sockaddr_storage *ss, in_port_t port,
636
    struct protocol *proto)
637
{
638
	int s;
639
640
1096
	if ((s = relay_socket(ss, port, proto, -1, 1)) == -1)
641
		return (-1);
642
643
548
	if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1)
644
		goto bad;
645
548
	if (listen(s, proto->tcpbacklog) == -1)
646
		goto bad;
647
648
548
	return (s);
649
650
 bad:
651
	close(s);
652
	return (-1);
653
548
}
654
655
void
656
relay_connected(int fd, short sig, void *arg)
657
{
658
	struct rsession		*con = arg;
659
	struct relay		*rlay = con->se_relay;
660
	struct protocol		*proto = rlay->rl_proto;
661
	evbuffercb		 outrd = relay_read;
662
	evbuffercb		 outwr = relay_write;
663
	struct bufferevent	*bev;
664
	struct ctl_relay_event	*out = &con->se_out;
665
	socklen_t		 len;
666
	int			 error;
667
668
	if (sig == EV_TIMEOUT) {
669
		relay_abort_http(con, 504, "connect timeout", 0);
670
		return;
671
	}
672
673
	len = sizeof(error);
674
	if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error,
675
	    &len) == -1 || error) {
676
		if (error)
677
			errno = error;
678
		relay_abort_http(con, 500, "socket error", 0);
679
		return;
680
	}
681
682
	if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->tls == NULL)) {
683
		relay_tls_transaction(con, out);
684
		return;
685
	}
686
687
	DPRINTF("%s: session %d: successful", __func__, con->se_id);
688
689
	switch (rlay->rl_proto->type) {
690
	case RELAY_PROTO_HTTP:
691
		if (relay_httpdesc_init(out) == -1) {
692
			relay_close(con,
693
			    "failed to allocate http descriptor");
694
			return;
695
		}
696
		con->se_out.toread = TOREAD_HTTP_HEADER;
697
		outrd = relay_read_http;
698
		break;
699
	case RELAY_PROTO_TCP:
700
		/* Use defaults */
701
		break;
702
	default:
703
		fatalx("%s: unknown protocol", __func__);
704
	}
705
706
	/*
707
	 * Relay <-> Server
708
	 */
709
	bev = bufferevent_new(fd, outrd, outwr, relay_error, &con->se_out);
710
	if (bev == NULL) {
711
		relay_abort_http(con, 500,
712
		    "failed to allocate output buffer event", 0);
713
		return;
714
	}
715
	evbuffer_free(bev->output);
716
	bev->output = con->se_out.output;
717
	if (bev->output == NULL)
718
		fatal("%s: invalid output buffer", __func__);
719
	con->se_out.bev = bev;
720
721
	/* Initialize the TLS wrapper */
722
	if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->tls != NULL))
723
		relay_tls_connected(out);
724
725
	bufferevent_settimeout(bev,
726
	    rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec);
727
	bufferevent_setwatermark(bev, EV_WRITE,
728
		RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0);
729
	bufferevent_enable(bev, EV_READ|EV_WRITE);
730
	if (con->se_in.bev)
731
		bufferevent_enable(con->se_in.bev, EV_READ);
732
733
	if (relay_splice(&con->se_out) == -1)
734
		relay_close(con, strerror(errno));
735
}
736
737
void
738
relay_input(struct rsession *con)
739
{
740
	struct relay	*rlay = con->se_relay;
741
	struct protocol	*proto = rlay->rl_proto;
742
	evbuffercb	 inrd = relay_read;
743
	evbuffercb	 inwr = relay_write;
744
745
	switch (rlay->rl_proto->type) {
746
	case RELAY_PROTO_HTTP:
747
		if (relay_httpdesc_init(&con->se_in) == -1) {
748
			relay_close(con,
749
			    "failed to allocate http descriptor");
750
			return;
751
		}
752
		con->se_in.toread = TOREAD_HTTP_HEADER;
753
		inrd = relay_read_http;
754
		break;
755
	case RELAY_PROTO_TCP:
756
		/* Use defaults */
757
		break;
758
	default:
759
		fatalx("%s: unknown protocol", __func__);
760
	}
761
762
	/*
763
	 * Client <-> Relay
764
	 */
765
	con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr,
766
	    relay_error, &con->se_in);
767
	if (con->se_in.bev == NULL) {
768
		relay_close(con, "failed to allocate input buffer event");
769
		return;
770
	}
771
772
	/* Initialize the TLS wrapper */
773
	if ((rlay->rl_conf.flags & F_TLS) && con->se_in.tls != NULL)
774
		relay_tls_connected(&con->se_in);
775
776
	bufferevent_settimeout(con->se_in.bev,
777
	    rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec);
778
	bufferevent_setwatermark(con->se_in.bev, EV_WRITE,
779
		RELAY_MIN_PREFETCHED * proto->tcpbufsiz, 0);
780
	bufferevent_enable(con->se_in.bev, EV_READ|EV_WRITE);
781
782
	if (relay_splice(&con->se_in) == -1)
783
		relay_close(con, strerror(errno));
784
}
785
786
void
787
relay_write(struct bufferevent *bev, void *arg)
788
{
789
	struct ctl_relay_event	*cre = arg;
790
	struct rsession		*con = cre->con;
791
792
	getmonotime(&con->se_tv_last);
793
794
	if (con->se_done && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(bev)) == 0)
795
		goto done;
796
	if (cre->dst->bev)
797
		bufferevent_enable(cre->dst->bev, EV_READ);
798
	if (relay_splice(cre->dst) == -1)
799
		goto fail;
800
801
	return;
802
 done:
803
	relay_close(con, "last write (done)");
804
	return;
805
 fail:
806
	relay_close(con, strerror(errno));
807
}
808
809
void
810
relay_dump(struct ctl_relay_event *cre, const void *buf, size_t len)
811
{
812
	if (!len)
813
		return;
814
815
	/*
816
	 * This function will dump the specified message directly
817
	 * to the underlying session, without waiting for success
818
	 * of non-blocking events etc. This is useful to print an
819
	 * error message before gracefully closing the session.
820
	 */
821
	if (cre->tls != NULL)
822
		(void)tls_write(cre->tls, buf, len);
823
	else
824
		(void)write(cre->s, buf, len);
825
}
826
827
void
828
relay_read(struct bufferevent *bev, void *arg)
829
{
830
	struct ctl_relay_event	*cre = arg;
831
	struct rsession		*con = cre->con;
832
	struct protocol		*proto = con->se_relay->rl_proto;
833
	struct evbuffer		*src = EVBUFFER_INPUT(bev);
834
835
	getmonotime(&con->se_tv_last);
836
	cre->timedout = 0;
837
838
	if (!EVBUFFER_LENGTH(src))
839
		return;
840
	if (relay_bufferevent_write_buffer(cre->dst, src) == -1)
841
		goto fail;
842
	if (con->se_done)
843
		goto done;
844
	if (cre->dst->bev)
845
		bufferevent_enable(cre->dst->bev, EV_READ);
846
	if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev)) >
847
	    (size_t)RELAY_MAX_PREFETCH * proto->tcpbufsiz)
848
		bufferevent_disable(bev, EV_READ);
849
850
	return;
851
 done:
852
	relay_close(con, "last read (done)");
853
	return;
854
 fail:
855
	relay_close(con, strerror(errno));
856
}
857
858
/*
859
 * Splice sockets from cre to cre->dst if applicable.  Returns:
860
 * -1 socket splicing has failed
861
 * 0 socket splicing is currently not possible
862
 * 1 socket splicing was successful
863
 */
864
int
865
relay_splice(struct ctl_relay_event *cre)
866
{
867
	struct rsession		*con = cre->con;
868
	struct relay		*rlay = con->se_relay;
869
	struct protocol		*proto = rlay->rl_proto;
870
	struct splice		 sp;
871
872
	if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) ||
873
	    (proto->tcpflags & TCPFLAG_NSPLICE))
874
		return (0);
875
876
	if (cre->splicelen >= 0)
877
		return (0);
878
879
	/* still not connected */
880
	if (cre->bev == NULL || cre->dst->bev == NULL)
881
		return (0);
882
883
	if (!(cre->toread == TOREAD_UNLIMITED || cre->toread > 0)) {
884
		DPRINTF("%s: session %d: splice dir %d, nothing to read %lld",
885
		    __func__, con->se_id, cre->dir, cre->toread);
886
		return (0);
887
	}
888
889
	/* do not splice before buffers have not been completely flushed */
890
	if (EVBUFFER_LENGTH(cre->bev->input) ||
891
	    EVBUFFER_LENGTH(cre->dst->bev->output)) {
892
		DPRINTF("%s: session %d: splice dir %d, dirty buffer",
893
		    __func__, con->se_id, cre->dir);
894
		bufferevent_disable(cre->bev, EV_READ);
895
		return (0);
896
	}
897
898
	bzero(&sp, sizeof(sp));
899
	sp.sp_fd = cre->dst->s;
900
	sp.sp_max = cre->toread > 0 ? cre->toread : 0;
901
	bcopy(&rlay->rl_conf.timeout, &sp.sp_idle, sizeof(sp.sp_idle));
902
	if (setsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &sp, sizeof(sp)) == -1) {
903
		log_debug("%s: session %d: splice dir %d failed: %s",
904
		    __func__, con->se_id, cre->dir, strerror(errno));
905
		return (-1);
906
	}
907
	cre->splicelen = 0;
908
	bufferevent_enable(cre->bev, EV_READ);
909
910
	DPRINTF("%s: session %d: splice dir %d, maximum %lld, successful",
911
	    __func__, con->se_id, cre->dir, cre->toread);
912
913
	return (1);
914
}
915
916
int
917
relay_splicelen(struct ctl_relay_event *cre)
918
{
919
	struct rsession		*con = cre->con;
920
	off_t			 len;
921
	socklen_t		 optlen;
922
923
	if (cre->splicelen < 0)
924
		return (0);
925
926
	optlen = sizeof(len);
927
	if (getsockopt(cre->s, SOL_SOCKET, SO_SPLICE, &len, &optlen) == -1) {
928
		log_debug("%s: session %d: splice dir %d get length failed: %s",
929
		    __func__, con->se_id, cre->dir, strerror(errno));
930
		return (-1);
931
	}
932
933
	DPRINTF("%s: session %d: splice dir %d, length %lld",
934
	    __func__, con->se_id, cre->dir, len);
935
936
	if (len > cre->splicelen) {
937
		getmonotime(&con->se_tv_last);
938
939
		cre->splicelen = len;
940
		return (1);
941
	}
942
943
	return (0);
944
}
945
946
int
947
relay_spliceadjust(struct ctl_relay_event *cre)
948
{
949
	if (cre->splicelen < 0)
950
		return (0);
951
	if (relay_splicelen(cre) == -1)
952
		return (-1);
953
	if (cre->splicelen > 0 && cre->toread > 0)
954
		cre->toread -= cre->splicelen;
955
	cre->splicelen = -1;
956
957
	return (0);
958
}
959
960
void
961
relay_error(struct bufferevent *bev, short error, void *arg)
962
{
963
	struct ctl_relay_event	*cre = arg;
964
	struct rsession		*con = cre->con;
965
	struct evbuffer		*dst;
966
967
	if (error & EVBUFFER_TIMEOUT) {
968
		if (cre->splicelen >= 0) {
969
			bufferevent_enable(bev, EV_READ);
970
		} else if (cre->dst->splicelen >= 0) {
971
			switch (relay_splicelen(cre->dst)) {
972
			case -1:
973
				goto fail;
974
			case 0:
975
				relay_close(con, "buffer event timeout");
976
				break;
977
			case 1:
978
				cre->timedout = 1;
979
				bufferevent_enable(bev, EV_READ);
980
				break;
981
			}
982
		} else {
983
			relay_close(con, "buffer event timeout");
984
		}
985
		return;
986
	}
987
	if (error & EVBUFFER_ERROR && errno == ETIMEDOUT) {
988
		if (cre->dst->splicelen >= 0) {
989
			switch (relay_splicelen(cre->dst)) {
990
			case -1:
991
				goto fail;
992
			case 0:
993
				relay_close(con, "splice timeout");
994
				return;
995
			case 1:
996
				bufferevent_enable(bev, EV_READ);
997
				break;
998
			}
999
		} else if (cre->dst->timedout) {
1000
			relay_close(con, "splice timeout");
1001
			return;
1002
		}
1003
		if (relay_spliceadjust(cre) == -1)
1004
			goto fail;
1005
		if (relay_splice(cre) == -1)
1006
			goto fail;
1007
		return;
1008
	}
1009
	if (error & EVBUFFER_ERROR && errno == EFBIG) {
1010
		if (relay_spliceadjust(cre) == -1)
1011
			goto fail;
1012
		bufferevent_enable(cre->bev, EV_READ);
1013
		return;
1014
	}
1015
	if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) {
1016
		bufferevent_disable(bev, EV_READ|EV_WRITE);
1017
1018
		con->se_done = 1;
1019
		if (cre->dst->bev != NULL) {
1020
			dst = EVBUFFER_OUTPUT(cre->dst->bev);
1021
			if (EVBUFFER_LENGTH(dst))
1022
				return;
1023
		} else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0)
1024
			return;
1025
1026
		relay_close(con, "done");
1027
		return;
1028
	}
1029
	relay_close(con, "buffer event error");
1030
	return;
1031
 fail:
1032
	relay_close(con, strerror(errno));
1033
}
1034
1035
void
1036
relay_accept(int fd, short event, void *arg)
1037
{
1038
	struct privsep		*ps = env->sc_ps;
1039
	struct relay		*rlay = arg;
1040
	struct rsession		*con = NULL;
1041
	struct ctl_natlook	*cnl = NULL;
1042
	socklen_t		 slen;
1043
	struct timeval		 tv;
1044
	struct sockaddr_storage	 ss;
1045
	int			 s = -1;
1046
1047
	event_add(&rlay->rl_ev, NULL);
1048
	if ((event & EV_TIMEOUT))
1049
		return;
1050
1051
	slen = sizeof(ss);
1052
	if ((s = accept_reserve(fd, (struct sockaddr *)&ss,
1053
	    &slen, FD_RESERVE, &relay_inflight)) == -1) {
1054
		/*
1055
		 * Pause accept if we are out of file descriptors, or
1056
		 * libevent will haunt us here too.
1057
		 */
1058
		if (errno == ENFILE || errno == EMFILE) {
1059
			struct timeval evtpause = { 1, 0 };
1060
1061
			event_del(&rlay->rl_ev);
1062
			evtimer_add(&rlay->rl_evt, &evtpause);
1063
			log_debug("%s: deferring connections", __func__);
1064
		}
1065
		return;
1066
	}
1067
	if (relay_sessions >= RELAY_MAX_SESSIONS ||
1068
	    rlay->rl_conf.flags & F_DISABLE)
1069
		goto err;
1070
1071
	if ((con = calloc(1, sizeof(*con))) == NULL)
1072
		goto err;
1073
1074
	/* Pre-allocate log buffer */
1075
	con->se_haslog = 0;
1076
	con->se_log = evbuffer_new();
1077
	if (con->se_log == NULL)
1078
		goto err;
1079
1080
	con->se_in.s = s;
1081
	con->se_in.tls = NULL;
1082
	con->se_out.s = -1;
1083
	con->se_out.tls = NULL;
1084
	con->se_in.dst = &con->se_out;
1085
	con->se_out.dst = &con->se_in;
1086
	con->se_in.con = con;
1087
	con->se_out.con = con;
1088
	con->se_in.splicelen = -1;
1089
	con->se_out.splicelen = -1;
1090
	con->se_in.toread = TOREAD_UNLIMITED;
1091
	con->se_out.toread = TOREAD_UNLIMITED;
1092
	con->se_relay = rlay;
1093
	con->se_id = ++relay_conid;
1094
	con->se_relayid = rlay->rl_conf.id;
1095
	con->se_pid = getpid();
1096
	con->se_in.dir = RELAY_DIR_REQUEST;
1097
	con->se_out.dir = RELAY_DIR_RESPONSE;
1098
	con->se_retry = rlay->rl_conf.dstretry;
1099
	con->se_bnds = -1;
1100
	con->se_out.port = rlay->rl_conf.dstport;
1101
	switch (ss.ss_family) {
1102
	case AF_INET:
1103
		con->se_in.port = ((struct sockaddr_in *)&ss)->sin_port;
1104
		break;
1105
	case AF_INET6:
1106
		con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port;
1107
		break;
1108
	}
1109
	bcopy(&ss, &con->se_in.ss, sizeof(con->se_in.ss));
1110
1111
	getmonotime(&con->se_tv_start);
1112
	bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last));
1113
1114
	if (rlay->rl_conf.flags & F_HASHKEY) {
1115
		SipHash24_Init(&con->se_siphashctx,
1116
		    &rlay->rl_conf.hashkey.siphashkey);
1117
	}
1118
1119
	relay_sessions++;
1120
	SPLAY_INSERT(session_tree, &rlay->rl_sessions, con);
1121
	relay_session_publish(con);
1122
1123
	/* Increment the per-relay session counter */
1124
	rlay->rl_stats[ps->ps_instance].last++;
1125
1126
	/* Pre-allocate output buffer */
1127
	con->se_out.output = evbuffer_new();
1128
	if (con->se_out.output == NULL) {
1129
		relay_close(con, "failed to allocate output buffer");
1130
		return;
1131
	}
1132
1133
	if (rlay->rl_conf.flags & F_DIVERT) {
1134
		slen = sizeof(con->se_out.ss);
1135
		if (getsockname(s, (struct sockaddr *)&con->se_out.ss,
1136
		    &slen) == -1) {
1137
			relay_close(con, "peer lookup failed");
1138
			return;
1139
		}
1140
		con->se_out.port = relay_socket_getport(&con->se_out.ss);
1141
1142
		/* Detect loop and fall back to the alternate forward target */
1143
		if (bcmp(&rlay->rl_conf.ss, &con->se_out.ss,
1144
		    sizeof(con->se_out.ss)) == 0 &&
1145
		    con->se_out.port == rlay->rl_conf.port)
1146
			con->se_out.ss.ss_family = AF_UNSPEC;
1147
	} else if (rlay->rl_conf.flags & F_NATLOOK) {
1148
		if ((cnl = calloc(1, sizeof(*cnl))) == NULL) {
1149
			relay_close(con, "failed to allocate nat lookup");
1150
			return;
1151
		}
1152
1153
		con->se_cnl = cnl;
1154
		bzero(cnl, sizeof(*cnl));
1155
		cnl->in = -1;
1156
		cnl->id = con->se_id;
1157
		cnl->proc = ps->ps_instance;
1158
		cnl->proto = IPPROTO_TCP;
1159
1160
		bcopy(&con->se_in.ss, &cnl->src, sizeof(cnl->src));
1161
		slen = sizeof(cnl->dst);
1162
		if (getsockname(s,
1163
		    (struct sockaddr *)&cnl->dst, &slen) == -1) {
1164
			relay_close(con, "failed to get local address");
1165
			return;
1166
		}
1167
1168
		proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK,
1169
		    cnl, sizeof(*cnl));
1170
1171
		/* Schedule timeout */
1172
		evtimer_set(&con->se_ev, relay_natlook, con);
1173
		bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv));
1174
		evtimer_add(&con->se_ev, &tv);
1175
		return;
1176
	}
1177
1178
	if (rlay->rl_conf.flags & F_TLSINSPECT) {
1179
		relay_preconnect(con);
1180
		return;
1181
	}
1182
1183
	relay_session(con);
1184
	return;
1185
 err:
1186
	if (s != -1) {
1187
		close(s);
1188
		free(con);
1189
		/*
1190
		 * the session struct was not completely set up, but still
1191
		 * counted as an inflight session. account for this.
1192
		 */
1193
		relay_inflight--;
1194
		log_debug("%s: inflight decremented, now %d",
1195
		    __func__, relay_inflight);
1196
	}
1197
}
1198
1199
void
1200
relay_hash_addr(SIPHASH_CTX *ctx, struct sockaddr_storage *ss, int portset)
1201
{
1202
	struct sockaddr_in	*sin4;
1203
	struct sockaddr_in6	*sin6;
1204
	in_port_t		 port;
1205
1206
	if (ss->ss_family == AF_INET) {
1207
		sin4 = (struct sockaddr_in *)ss;
1208
		SipHash24_Update(ctx, &sin4->sin_addr,
1209
		    sizeof(struct in_addr));
1210
	} else {
1211
		sin6 = (struct sockaddr_in6 *)ss;
1212
		SipHash24_Update(ctx, &sin6->sin6_addr,
1213
		    sizeof(struct in6_addr));
1214
	}
1215
1216
	if (portset != -1) {
1217
		port = (in_port_t)portset;
1218
		SipHash24_Update(ctx, &port, sizeof(port));
1219
	}
1220
}
1221
1222
int
1223
relay_from_table(struct rsession *con)
1224
{
1225
	struct relay		*rlay = con->se_relay;
1226
	struct host		*host = NULL;
1227
	struct relay_table	*rlt = NULL;
1228
	struct table		*table = NULL;
1229
	int			 idx = -1;
1230
	int			 cnt = 0;
1231
	int			 maxtries;
1232
	u_int64_t		 p = 0;
1233
1234
	/* the table is already selected */
1235
	if (con->se_table != NULL) {
1236
		rlt = con->se_table;
1237
		table = rlt->rlt_table;
1238
		if (table->conf.check && !table->up)
1239
			table = NULL;
1240
		goto gottable;
1241
	}
1242
1243
	/* otherwise grep the first active table */
1244
	TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) {
1245
		table = rlt->rlt_table;
1246
		if ((rlt->rlt_flags & F_USED) == 0 ||
1247
		    (table->conf.check && !table->up))
1248
			table = NULL;
1249
		else
1250
			break;
1251
	}
1252
1253
 gottable:
1254
	if (table == NULL) {
1255
		log_debug("%s: session %d: no active hosts",
1256
		    __func__, con->se_id);
1257
		return (-1);
1258
	}
1259
1260
	switch (rlt->rlt_mode) {
1261
	case RELAY_DSTMODE_ROUNDROBIN:
1262
		if ((int)rlt->rlt_index >= rlt->rlt_nhosts)
1263
			rlt->rlt_index = 0;
1264
		idx = (int)rlt->rlt_index;
1265
		break;
1266
	case RELAY_DSTMODE_RANDOM:
1267
		idx = (int)arc4random_uniform(rlt->rlt_nhosts);
1268
		break;
1269
	case RELAY_DSTMODE_SRCHASH:
1270
		/* Source IP address without port */
1271
		relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1);
1272
		break;
1273
	case RELAY_DSTMODE_LOADBALANCE:
1274
		/* Source IP address without port */
1275
		relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1);
1276
		/* FALLTHROUGH */
1277
	case RELAY_DSTMODE_HASH:
1278
		/* Local "destination" IP address and port */
1279
		relay_hash_addr(&con->se_siphashctx, &rlay->rl_conf.ss,
1280
		    rlay->rl_conf.port);
1281
		break;
1282
	default:
1283
		fatalx("%s: unsupported mode", __func__);
1284
		/* NOTREACHED */
1285
	}
1286
	if (idx == -1) {
1287
		/* handle all hashing algorithms */
1288
		p = SipHash24_End(&con->se_siphashctx);
1289
1290
		/* Reset hash context */
1291
		SipHash24_Init(&con->se_siphashctx,
1292
		    &rlay->rl_conf.hashkey.siphashkey);
1293
1294
		maxtries = (rlt->rlt_nhosts < RELAY_MAX_HASH_RETRIES ?
1295
		    rlt->rlt_nhosts : RELAY_MAX_HASH_RETRIES);
1296
		for (cnt = 0; cnt < maxtries; cnt++) {
1297
			if ((idx = p % rlt->rlt_nhosts) >= RELAY_MAXHOSTS)
1298
				return (-1);
1299
1300
			host = rlt->rlt_host[idx];
1301
1302
			DPRINTF("%s: session %d: table %s host %s, "
1303
			    "p 0x%016llx, idx %d, cnt %d, max %d",
1304
			    __func__, con->se_id, table->conf.name,
1305
			    host->conf.name, p, idx, cnt, maxtries);
1306
1307
			if (!table->conf.check || host->up == HOST_UP)
1308
				goto found;
1309
			p = p >> 1;
1310
		}
1311
	} else {
1312
		/* handle all non-hashing algorithms */
1313
		host = rlt->rlt_host[idx];
1314
		DPRINTF("%s: session %d: table %s host %s, p 0x%016llx, idx %d",
1315
		    __func__, con->se_id, table->conf.name, host->conf.name,
1316
		    p, idx);
1317
	}
1318
1319
	while (host != NULL) {
1320
		DPRINTF("%s: session %d: host %s", __func__,
1321
		    con->se_id, host->conf.name);
1322
		if (!table->conf.check || host->up == HOST_UP)
1323
			goto found;
1324
		host = TAILQ_NEXT(host, entry);
1325
	}
1326
	TAILQ_FOREACH(host, &table->hosts, entry) {
1327
		DPRINTF("%s: session %d: next host %s",
1328
		    __func__, con->se_id, host->conf.name);
1329
		if (!table->conf.check || host->up == HOST_UP)
1330
			goto found;
1331
	}
1332
1333
	/* Should not happen */
1334
	fatalx("%s: no active hosts, desynchronized", __func__);
1335
1336
 found:
1337
	if (rlt->rlt_mode == RELAY_DSTMODE_ROUNDROBIN)
1338
		rlt->rlt_index = host->idx + 1;
1339
	con->se_retry = host->conf.retry;
1340
	con->se_out.port = table->conf.port;
1341
	bcopy(&host->conf.ss, &con->se_out.ss, sizeof(con->se_out.ss));
1342
1343
	return (0);
1344
}
1345
1346
void
1347
relay_natlook(int fd, short event, void *arg)
1348
{
1349
	struct rsession		*con = arg;
1350
	struct relay		*rlay = con->se_relay;
1351
	struct ctl_natlook	*cnl = con->se_cnl;
1352
1353
	if (cnl == NULL)
1354
		fatalx("invalid NAT lookup");
1355
1356
	if (con->se_out.ss.ss_family == AF_UNSPEC && cnl->in == -1 &&
1357
	    rlay->rl_conf.dstss.ss_family == AF_UNSPEC &&
1358
	    TAILQ_EMPTY(&rlay->rl_tables)) {
1359
		relay_close(con, "session NAT lookup failed");
1360
		return;
1361
	}
1362
	if (cnl->in != -1) {
1363
		bcopy(&cnl->rdst, &con->se_out.ss, sizeof(con->se_out.ss));
1364
		con->se_out.port = cnl->rdport;
1365
	}
1366
	free(con->se_cnl);
1367
	con->se_cnl = NULL;
1368
1369
	relay_session(con);
1370
}
1371
1372
void
1373
relay_session(struct rsession *con)
1374
{
1375
	struct relay		*rlay = con->se_relay;
1376
	struct ctl_relay_event	*in = &con->se_in, *out = &con->se_out;
1377
1378
	if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 &&
1379
	    out->port == rlay->rl_conf.port) {
1380
		log_debug("%s: session %d: looping", __func__, con->se_id);
1381
		relay_close(con, "session aborted");
1382
		return;
1383
	}
1384
1385
	if (rlay->rl_conf.flags & F_UDP) {
1386
		/*
1387
		 * Call the UDP protocol-specific handler
1388
		 */
1389
		if (rlay->rl_proto->request == NULL)
1390
			fatalx("invalide UDP session");
1391
		if ((*rlay->rl_proto->request)(con) == -1)
1392
			relay_close(con, "session failed");
1393
		return;
1394
	}
1395
1396
	if ((rlay->rl_conf.flags & F_TLS) && (in->tls == NULL)) {
1397
		relay_tls_transaction(con, in);
1398
		return;
1399
	}
1400
1401
	if (rlay->rl_proto->type != RELAY_PROTO_HTTP) {
1402
		if (rlay->rl_conf.fwdmode == FWD_TRANS)
1403
			relay_bindanyreq(con, 0, IPPROTO_TCP);
1404
		else if (relay_connect(con) == -1) {
1405
			relay_close(con, "session failed");
1406
			return;
1407
		}
1408
	}
1409
1410
	relay_input(con);
1411
}
1412
1413
void
1414
relay_bindanyreq(struct rsession *con, in_port_t port, int proto)
1415
{
1416
	struct privsep		*ps = env->sc_ps;
1417
	struct relay		*rlay = con->se_relay;
1418
	struct ctl_bindany	 bnd;
1419
	struct timeval		 tv;
1420
1421
	bzero(&bnd, sizeof(bnd));
1422
	bnd.bnd_id = con->se_id;
1423
	bnd.bnd_proc = ps->ps_instance;
1424
	bnd.bnd_port = port;
1425
	bnd.bnd_proto = proto;
1426
	bcopy(&con->se_in.ss, &bnd.bnd_ss, sizeof(bnd.bnd_ss));
1427
	proc_compose(env->sc_ps, PROC_PARENT, IMSG_BINDANY,
1428
	    &bnd, sizeof(bnd));
1429
1430
	/* Schedule timeout */
1431
	evtimer_set(&con->se_ev, relay_bindany, con);
1432
	bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv));
1433
	evtimer_add(&con->se_ev, &tv);
1434
}
1435
1436
void
1437
relay_bindany(int fd, short event, void *arg)
1438
{
1439
	struct rsession	*con = arg;
1440
1441
	if (con->se_bnds == -1) {
1442
		relay_close(con, "bindany failed, invalid socket");
1443
		return;
1444
	}
1445
	if (relay_connect(con) == -1)
1446
		relay_close(con, "session failed");
1447
}
1448
1449
void
1450
relay_connect_retry(int fd, short sig, void *arg)
1451
{
1452
	struct timeval	 evtpause = { 1, 0 };
1453
	struct rsession	*con = arg;
1454
	struct relay	*rlay = con->se_relay;
1455
	int		 bnds = -1;
1456
1457
	if (relay_inflight < 1) {
1458
		log_warnx("%s: no connection in flight", __func__);
1459
		relay_inflight = 1;
1460
	}
1461
1462
	DPRINTF("%s: retry %d of %d, inflight: %d",__func__,
1463
	    con->se_retrycount, con->se_retry, relay_inflight);
1464
1465
	if (sig != EV_TIMEOUT)
1466
		fatalx("%s: called without timeout", __func__);
1467
1468
	evtimer_del(&con->se_inflightevt);
1469
1470
	/*
1471
	 * XXX we might want to check if the inbound socket is still
1472
	 * available: client could have closed it while we were waiting?
1473
	 */
1474
1475
	DPRINTF("%s: got EV_TIMEOUT", __func__);
1476
1477
	if (getdtablecount() + FD_RESERVE +
1478
	    relay_inflight > getdtablesize()) {
1479
		if (con->se_retrycount < RELAY_OUTOF_FD_RETRIES) {
1480
			evtimer_add(&con->se_inflightevt, &evtpause);
1481
			return;
1482
		}
1483
		/* we waited for RELAY_OUTOF_FD_RETRIES seconds, give up */
1484
		event_add(&rlay->rl_ev, NULL);
1485
		relay_abort_http(con, 504, "connection timed out", 0);
1486
		return;
1487
	}
1488
1489
	if (rlay->rl_conf.fwdmode == FWD_TRANS) {
1490
		/* con->se_bnds cannot be unset */
1491
		bnds = con->se_bnds;
1492
	}
1493
1494
 retry:
1495
	if ((con->se_out.s = relay_socket_connect(&con->se_out.ss,
1496
	    con->se_out.port, rlay->rl_proto, bnds)) == -1) {
1497
		log_debug("%s: session %d: "
1498
		    "forward failed: %s, %s", __func__,
1499
		    con->se_id, strerror(errno),
1500
		    con->se_retry ? "next retry" : "last retry");
1501
1502
		con->se_retrycount++;
1503
1504
		if ((errno == ENFILE || errno == EMFILE) &&
1505
		    (con->se_retrycount < con->se_retry)) {
1506
			event_del(&rlay->rl_ev);
1507
			evtimer_add(&con->se_inflightevt, &evtpause);
1508
			evtimer_add(&rlay->rl_evt, &evtpause);
1509
			return;
1510
		} else if (con->se_retrycount < con->se_retry)
1511
			goto retry;
1512
		event_add(&rlay->rl_ev, NULL);
1513
		relay_abort_http(con, 504, "connect failed", 0);
1514
		return;
1515
	}
1516
1517
	if (rlay->rl_conf.flags & F_TLSINSPECT)
1518
		con->se_out.state = STATE_PRECONNECT;
1519
	else
1520
		con->se_out.state = STATE_CONNECTED;
1521
	relay_inflight--;
1522
	DPRINTF("%s: inflight decremented, now %d",__func__, relay_inflight);
1523
1524
	event_add(&rlay->rl_ev, NULL);
1525
1526
	if (errno == EINPROGRESS)
1527
		event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT,
1528
		    relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout,
1529
		    con);
1530
	else
1531
		relay_connected(con->se_out.s, EV_WRITE, con);
1532
1533
	return;
1534
}
1535
1536
int
1537
relay_preconnect(struct rsession *con)
1538
{
1539
	int rv;
1540
1541
	log_debug("%s: session %d: process %d", __func__,
1542
	    con->se_id, privsep_process);
1543
	rv = relay_connect(con);
1544
	if (con->se_out.state == STATE_CONNECTED)
1545
		con->se_out.state = STATE_PRECONNECT;
1546
	return (rv);
1547
}
1548
1549
int
1550
relay_connect(struct rsession *con)
1551
{
1552
	struct relay	*rlay = con->se_relay;
1553
	struct timeval	 evtpause = { 1, 0 };
1554
	int		 bnds = -1, ret;
1555
1556
	/* relay_connect should only be called once per relay */
1557
	if (con->se_out.state == STATE_CONNECTED) {
1558
		log_debug("%s: connect already called once", __func__);
1559
		return (0);
1560
	}
1561
1562
	/* Connection is already established but session not active */
1563
	if ((rlay->rl_conf.flags & F_TLSINSPECT) &&
1564
	    con->se_out.state == STATE_PRECONNECT) {
1565
		if (con->se_out.tls == NULL) {
1566
			log_debug("%s: tls connect failed", __func__);
1567
			return (-1);
1568
		}
1569
		relay_connected(con->se_out.s, EV_WRITE, con);
1570
		con->se_out.state = STATE_CONNECTED;
1571
		return (0);
1572
	}
1573
1574
	if (relay_inflight < 1) {
1575
		log_warnx("relay_connect: no connection in flight");
1576
		relay_inflight = 1;
1577
	}
1578
1579
	getmonotime(&con->se_tv_start);
1580
1581
	if (!TAILQ_EMPTY(&rlay->rl_tables)) {
1582
		if (relay_from_table(con) != 0)
1583
			return (-1);
1584
	} else if (con->se_out.ss.ss_family == AF_UNSPEC) {
1585
		bcopy(&rlay->rl_conf.dstss, &con->se_out.ss,
1586
		    sizeof(con->se_out.ss));
1587
		con->se_out.port = rlay->rl_conf.dstport;
1588
	}
1589
1590
	if (rlay->rl_conf.fwdmode == FWD_TRANS) {
1591
		if (con->se_bnds == -1) {
1592
			log_debug("%s: could not bind any sock", __func__);
1593
			return (-1);
1594
		}
1595
		bnds = con->se_bnds;
1596
	}
1597
1598
	/* Do the IPv4-to-IPv6 or IPv6-to-IPv4 translation if requested */
1599
	if (rlay->rl_conf.dstaf.ss_family != AF_UNSPEC) {
1600
		if (con->se_out.ss.ss_family == AF_INET &&
1601
		    rlay->rl_conf.dstaf.ss_family == AF_INET6)
1602
			ret = map4to6(&con->se_out.ss, &rlay->rl_conf.dstaf);
1603
		else if (con->se_out.ss.ss_family == AF_INET6 &&
1604
		    rlay->rl_conf.dstaf.ss_family == AF_INET)
1605
			ret = map6to4(&con->se_out.ss);
1606
		else
1607
			ret = 0;
1608
		if (ret != 0) {
1609
			log_debug("%s: mapped to invalid address", __func__);
1610
			return (-1);
1611
		}
1612
	}
1613
1614
 retry:
1615
	if ((con->se_out.s = relay_socket_connect(&con->se_out.ss,
1616
	    con->se_out.port, rlay->rl_proto, bnds)) == -1) {
1617
		if (errno == ENFILE || errno == EMFILE) {
1618
			log_debug("%s: session %d: forward failed: %s",
1619
			    __func__, con->se_id, strerror(errno));
1620
			evtimer_set(&con->se_inflightevt, relay_connect_retry,
1621
			    con);
1622
			event_del(&rlay->rl_ev);
1623
			evtimer_add(&con->se_inflightevt, &evtpause);
1624
			evtimer_add(&rlay->rl_evt, &evtpause);
1625
1626
			/* this connect is pending */
1627
			con->se_out.state = STATE_PENDING;
1628
			return (0);
1629
		} else {
1630
			if (con->se_retry) {
1631
				con->se_retry--;
1632
				log_debug("%s: session %d: "
1633
				    "forward failed: %s, %s", __func__,
1634
				    con->se_id, strerror(errno),
1635
				    con->se_retry ?
1636
				    "next retry" : "last retry");
1637
				goto retry;
1638
			}
1639
			log_debug("%s: session %d: forward failed: %s",
1640
			    __func__, con->se_id, strerror(errno));
1641
			return (-1);
1642
		}
1643
	}
1644
1645
	con->se_out.state = STATE_CONNECTED;
1646
	relay_inflight--;
1647
	DPRINTF("%s: inflight decremented, now %d",__func__,
1648
	    relay_inflight);
1649
1650
	if (errno == EINPROGRESS)
1651
		event_again(&con->se_ev, con->se_out.s, EV_WRITE|EV_TIMEOUT,
1652
		    relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout,
1653
		    con);
1654
	else
1655
		relay_connected(con->se_out.s, EV_WRITE, con);
1656
1657
	return (0);
1658
}
1659
1660
void
1661
relay_close(struct rsession *con, const char *msg)
1662
{
1663
	char		 ibuf[128], obuf[128], *ptr = NULL;
1664
	struct relay	*rlay = con->se_relay;
1665
	struct protocol	*proto = rlay->rl_proto;
1666
1667
	SPLAY_REMOVE(session_tree, &rlay->rl_sessions, con);
1668
	relay_session_unpublish(con);
1669
1670
	event_del(&con->se_ev);
1671
	if (con->se_in.bev != NULL)
1672
		bufferevent_disable(con->se_in.bev, EV_READ|EV_WRITE);
1673
	if (con->se_out.bev != NULL)
1674
		bufferevent_disable(con->se_out.bev, EV_READ|EV_WRITE);
1675
1676
	if ((env->sc_conf.opts & RELAYD_OPT_LOGUPDATE) && msg != NULL) {
1677
		bzero(&ibuf, sizeof(ibuf));
1678
		bzero(&obuf, sizeof(obuf));
1679
		(void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf));
1680
		(void)print_host(&con->se_out.ss, obuf, sizeof(obuf));
1681
		if (EVBUFFER_LENGTH(con->se_log) &&
1682
		    evbuffer_add_printf(con->se_log, "\r\n") != -1) {
1683
			ptr = evbuffer_readln(con->se_log, NULL,
1684
			    EVBUFFER_EOL_CRLF);
1685
		}
1686
		log_info("relay %s, "
1687
		    "session %d (%d active), %s, %s -> %s:%d, "
1688
		    "%s%s%s", rlay->rl_conf.name, con->se_id, relay_sessions,
1689
		    con->se_tag != 0 ? tag_id2name(con->se_tag) : "0", ibuf,
1690
		    obuf, ntohs(con->se_out.port), msg, ptr == NULL ? "" : ",",
1691
		    ptr == NULL ? "" : ptr);
1692
		free(ptr);
1693
	}
1694
1695
	if (proto->close != NULL)
1696
		(*proto->close)(con);
1697
1698
	free(con->se_priv);
1699
	if (con->se_in.bev != NULL)
1700
		bufferevent_free(con->se_in.bev);
1701
	else if (con->se_in.output != NULL)
1702
		evbuffer_free(con->se_in.output);
1703
	if (con->se_in.tls != NULL)
1704
		tls_close(con->se_in.tls);
1705
	tls_free(con->se_in.tls);
1706
	tls_config_free(con->se_in.tls_cfg);
1707
	free(con->se_in.tlscert);
1708
	if (con->se_in.s != -1) {
1709
		close(con->se_in.s);
1710
		if (con->se_out.s == -1) {
1711
			/*
1712
			 * the output was never connected,
1713
			 * thus this was an inflight session.
1714
			 */
1715
			relay_inflight--;
1716
			log_debug("%s: sessions inflight decremented, now %d",
1717
			    __func__, relay_inflight);
1718
		}
1719
	}
1720
1721
	if (con->se_out.bev != NULL)
1722
		bufferevent_free(con->se_out.bev);
1723
	else if (con->se_out.output != NULL)
1724
		evbuffer_free(con->se_out.output);
1725
	if (con->se_out.tls != NULL)
1726
		tls_close(con->se_out.tls);
1727
	tls_free(con->se_out.tls);
1728
	tls_config_free(con->se_out.tls_cfg);
1729
	free(con->se_out.tlscert);
1730
	if (con->se_out.s != -1) {
1731
		close(con->se_out.s);
1732
1733
		/* Some file descriptors are available again. */
1734
		if (evtimer_pending(&rlay->rl_evt, NULL)) {
1735
			evtimer_del(&rlay->rl_evt);
1736
			event_add(&rlay->rl_ev, NULL);
1737
		}
1738
	}
1739
	con->se_out.state = STATE_INIT;
1740
1741
	if (con->se_log != NULL)
1742
		evbuffer_free(con->se_log);
1743
1744
	if (con->se_cnl != NULL) {
1745
#if 0
1746
		proc_compose_imsg(env->sc_ps, PROC_PFE, -1, IMSG_KILLSTATES, -1,
1747
		    cnl, sizeof(*cnl));
1748
#endif
1749
		free(con->se_cnl);
1750
	}
1751
1752
	free(con);
1753
	relay_sessions--;
1754
}
1755
1756
int
1757
relay_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg)
1758
{
1759
	struct relay		*rlay;
1760
	struct rsession		*con, se;
1761
	struct ctl_natlook	 cnl;
1762
	struct timeval		 tv;
1763
	struct host		*host;
1764
	struct table		*table;
1765
	struct ctl_status	 st;
1766
	objid_t			 id;
1767
	int			 cid;
1768
1769
	switch (imsg->hdr.type) {
1770
	case IMSG_HOST_DISABLE:
1771
		memcpy(&id, imsg->data, sizeof(id));
1772
		if ((host = host_find(env, id)) == NULL)
1773
			fatalx("%s: desynchronized", __func__);
1774
		if ((table = table_find(env, host->conf.tableid)) ==
1775
		    NULL)
1776
			fatalx("%s: invalid table id", __func__);
1777
		if (host->up == HOST_UP)
1778
			table->up--;
1779
		host->flags |= F_DISABLE;
1780
		host->up = HOST_UNKNOWN;
1781
		break;
1782
	case IMSG_HOST_ENABLE:
1783
		memcpy(&id, imsg->data, sizeof(id));
1784
		if ((host = host_find(env, id)) == NULL)
1785
			fatalx("%s: desynchronized", __func__);
1786
		host->flags &= ~(F_DISABLE);
1787
		host->up = HOST_UNKNOWN;
1788
		break;
1789
	case IMSG_TABLE_DISABLE:
1790
		memcpy(&id, imsg->data, sizeof(id));
1791
		if ((table = table_find(env, id)) == NULL)
1792
			fatalx("%s: desynchronized", __func__);
1793
		table->conf.flags |= F_DISABLE;
1794
		table->up = 0;
1795
		TAILQ_FOREACH(host, &table->hosts, entry)
1796
			host->up = HOST_UNKNOWN;
1797
		break;
1798
	case IMSG_TABLE_ENABLE:
1799
		memcpy(&id, imsg->data, sizeof(id));
1800
		if ((table = table_find(env, id)) == NULL)
1801
			fatalx("%s: desynchronized", __func__);
1802
		table->conf.flags &= ~(F_DISABLE);
1803
		table->up = 0;
1804
		TAILQ_FOREACH(host, &table->hosts, entry)
1805
			host->up = HOST_UNKNOWN;
1806
		break;
1807
	case IMSG_HOST_STATUS:
1808
		IMSG_SIZE_CHECK(imsg, &st);
1809
		memcpy(&st, imsg->data, sizeof(st));
1810
		if ((host = host_find(env, st.id)) == NULL)
1811
			fatalx("%s: invalid host id", __func__);
1812
		if (host->flags & F_DISABLE)
1813
			break;
1814
		if (host->up == st.up) {
1815
			log_debug("%s: host %d => %d", __func__,
1816
			    host->conf.id, host->up);
1817
			fatalx("%s: desynchronized", __func__);
1818
		}
1819
1820
		if ((table = table_find(env, host->conf.tableid))
1821
		    == NULL)
1822
			fatalx("%s: invalid table id", __func__);
1823
1824
		DPRINTF("%s: [%d] state %d for "
1825
		    "host %u %s", __func__, p->p_ps->ps_instance, st.up,
1826
		    host->conf.id, host->conf.name);
1827
1828
		if ((st.up == HOST_UNKNOWN && host->up == HOST_DOWN) ||
1829
		    (st.up == HOST_DOWN && host->up == HOST_UNKNOWN)) {
1830
			host->up = st.up;
1831
			break;
1832
		}
1833
		if (st.up == HOST_UP)
1834
			table->up++;
1835
		else
1836
			table->up--;
1837
		host->up = st.up;
1838
		break;
1839
	case IMSG_NATLOOK:
1840
		bcopy(imsg->data, &cnl, sizeof(cnl));
1841
		if ((con = session_find(env, cnl.id)) == NULL ||
1842
		    con->se_cnl == NULL) {
1843
			log_debug("%s: session %d: expired",
1844
			    __func__, cnl.id);
1845
			break;
1846
		}
1847
		bcopy(&cnl, con->se_cnl, sizeof(*con->se_cnl));
1848
		evtimer_del(&con->se_ev);
1849
		evtimer_set(&con->se_ev, relay_natlook, con);
1850
		bzero(&tv, sizeof(tv));
1851
		evtimer_add(&con->se_ev, &tv);
1852
		break;
1853
	case IMSG_CTL_SESSION:
1854
		IMSG_SIZE_CHECK(imsg, &cid);
1855
		memcpy(&cid, imsg->data, sizeof(cid));
1856
		TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) {
1857
			SPLAY_FOREACH(con, session_tree,
1858
			    &rlay->rl_sessions) {
1859
				memcpy(&se, con, sizeof(se));
1860
				se.se_cid = cid;
1861
				proc_compose(env->sc_ps, p->p_id,
1862
				    IMSG_CTL_SESSION, &se, sizeof(se));
1863
			}
1864
		}
1865
		proc_compose(env->sc_ps, p->p_id, IMSG_CTL_END,
1866
		    &cid, sizeof(cid));
1867
		break;
1868
	default:
1869
		return (-1);
1870
	}
1871
1872
	return (0);
1873
}
1874
1875
int
1876
relay_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
1877
{
1878
	return (-1);
1879
}
1880
1881
int
1882
relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
1883
{
1884
	struct relay_ticket_key	 ticket;
1885
	struct relay		*rlay;
1886
	struct rsession		*con;
1887
	struct timeval		 tv;
1888
	objid_t			 id;
1889
1890
	switch (imsg->hdr.type) {
1891
	case IMSG_BINDANY:
1892
		bcopy(imsg->data, &id, sizeof(id));
1893
		if ((con = session_find(env, id)) == NULL) {
1894
			log_debug("%s: session %d: expired",
1895
			    __func__, id);
1896
			break;
1897
		}
1898
1899
		/* Will validate the result later */
1900
		con->se_bnds = imsg->fd;
1901
1902
		evtimer_del(&con->se_ev);
1903
		evtimer_set(&con->se_ev, relay_bindany, con);
1904
		bzero(&tv, sizeof(tv));
1905
		evtimer_add(&con->se_ev, &tv);
1906
		break;
1907
	case IMSG_CFG_TABLE:
1908
		config_gettable(env, imsg);
1909
		break;
1910
	case IMSG_CFG_HOST:
1911
		config_gethost(env, imsg);
1912
		break;
1913
	case IMSG_CFG_PROTO:
1914
		config_getproto(env, imsg);
1915
		break;
1916
	case IMSG_CFG_RULE:
1917
		config_getrule(env, imsg);
1918
		break;
1919
	case IMSG_CFG_RELAY:
1920
		config_getrelay(env, imsg);
1921
		break;
1922
	case IMSG_CFG_RELAY_TABLE:
1923
		config_getrelaytable(env, imsg);
1924
		break;
1925
	case IMSG_CFG_DONE:
1926
		config_getcfg(env, imsg);
1927
		break;
1928
	case IMSG_CTL_START:
1929
		relay_launch();
1930
		break;
1931
	case IMSG_CTL_RESET:
1932
		config_getreset(env, imsg);
1933
		break;
1934
	case IMSG_TLSTICKET_REKEY:
1935
		IMSG_SIZE_CHECK(imsg, (&ticket));
1936
		memcpy(&env->sc_ticket, imsg->data, sizeof(env->sc_ticket));
1937
		TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) {
1938
			if (rlay->rl_conf.flags & F_TLS)
1939
				tls_config_add_ticket_key(rlay->rl_tls_cfg,
1940
				    env->sc_ticket.tt_keyrev,
1941
				    env->sc_ticket.tt_key,
1942
				    sizeof(env->sc_ticket.tt_key));
1943
		}
1944
		break;
1945
	default:
1946
		return (-1);
1947
	}
1948
1949
	return (0);
1950
}
1951
1952
int
1953
relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg)
1954
{
1955
	switch (imsg->hdr.type) {
1956
	default:
1957
		break;
1958
	}
1959
1960
	return (-1);
1961
}
1962
1963
static int
1964
relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
1965
{
1966
	uint32_t		 protocols = 0;
1967
1968
	/* Set the allowed SSL protocols */
1969
	if (proto->tlsflags & TLSFLAG_TLSV1_0)
1970
		protocols |= TLS_PROTOCOL_TLSv1_0;
1971
	if (proto->tlsflags & TLSFLAG_TLSV1_1)
1972
		protocols |= TLS_PROTOCOL_TLSv1_1;
1973
	if (proto->tlsflags & TLSFLAG_TLSV1_2)
1974
		protocols |= TLS_PROTOCOL_TLSv1_2;
1975
	if (tls_config_set_protocols(tls_cfg, protocols) == -1) {
1976
		log_warnx("could not set the TLS protocol: %s",
1977
		    tls_config_error(tls_cfg));
1978
		return (-1);
1979
	}
1980
1981
	if (tls_config_set_ciphers(tls_cfg, proto->tlsciphers)) {
1982
		log_warnx("could not set the TLS cypers: %s",
1983
		    tls_config_error(tls_cfg));
1984
		return (-1);
1985
	}
1986
1987
	if ((proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF) == 0)
1988
		tls_config_prefer_ciphers_client(tls_cfg);
1989
1990
	/*
1991
	 * Set session ID context to a random value. It needs to be the
1992
	 * same accross all relay processes or session caching will fail.
1993
	 */
1994
	if (tls_config_set_session_id(tls_cfg, env->sc_conf.tls_sid,
1995
	    sizeof(env->sc_conf.tls_sid)) == -1) {
1996
		log_warnx("could not set the TLS session ID: %s",
1997
		    tls_config_error(tls_cfg));
1998
		return (-1);
1999
	}
2000
2001
	/* Set callback for TLS session tickets if enabled */
2002
	if (proto->tickets == 1) {
2003
		/* set timeout to the ticket rekey time */
2004
		tls_config_set_session_lifetime(tls_cfg, TLS_SESSION_LIFETIME);
2005
2006
		tls_config_add_ticket_key(tls_cfg,
2007
		    env->sc_ticket.tt_keyrev, env->sc_ticket.tt_key,
2008
		    sizeof(env->sc_ticket.tt_key));
2009
	}
2010
2011
	if (tls_config_set_ecdhecurve(tls_cfg, proto->tlsecdhcurve) != 0) {
2012
		log_warnx("failed to set ecdh curve %s: %s",
2013
		    proto->tlsecdhcurve, tls_config_error(tls_cfg));
2014
		return (-1);
2015
	}
2016
2017
	if (tls_config_set_dheparams(tls_cfg, proto->tlsdhparams) != 0) {
2018
		log_warnx("failed to set dh params %s: %s",
2019
		    proto->tlsdhparams, tls_config_error(tls_cfg));
2020
		return (-1);
2021
	}
2022
2023
	return (0);
2024
}
2025
2026
/*
2027
 * This function is not publicy exported because it is a hack until libtls
2028
 * has a proper privsep setup
2029
 */
2030
void tls_config_skip_private_key_check(struct tls_config *config);
2031
2032
int
2033
relay_tls_ctx_create(struct relay *rlay)
2034
{
2035
	struct tls_config	*tls_cfg, *tls_client_cfg;
2036
	struct tls		*tls = NULL;
2037
	const char		*fake_key;
2038
	int			 fake_keylen;
2039
2040
	if ((tls_cfg = tls_config_new()) == NULL) {
2041
		log_warnx("unable to allocate TLS config");
2042
		return (-1);
2043
	}
2044
	if ((tls_client_cfg = tls_config_new()) == NULL) {
2045
		log_warnx("unable to allocate TLS config");
2046
		return (-1);
2047
	}
2048
2049
	if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_cfg) == -1)
2050
		goto err;
2051
	if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_client_cfg) == -1)
2052
		goto err;
2053
2054
	/* Verify the server certificate if we have a CA chain */
2055
	if (rlay->rl_conf.flags & F_TLSCLIENT) {
2056
		/*
2057
		 * Currently relayd can't verify the name of certs and changing
2058
		 * this is non trivial. For now just disable name verification.
2059
		 */
2060
		tls_config_insecure_noverifyname(tls_client_cfg);
2061
2062
		if (rlay->rl_tls_ca != NULL) {
2063
			if (tls_config_set_ca_mem(tls_client_cfg,
2064
			    rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len) != 0) {
2065
				log_warnx("failed to set root certificates: %s",
2066
				    tls_config_error(tls_client_cfg));
2067
				goto err;
2068
			}
2069
		} else {
2070
			/* No root cert available so disable the checking */
2071
			tls_config_insecure_noverifycert(tls_client_cfg);
2072
		}
2073
2074
		rlay->rl_tls_client_cfg = tls_client_cfg;
2075
	}
2076
2077
	if (rlay->rl_conf.flags & F_TLS) {
2078
		log_debug("%s: loading certificate", __func__);
2079
		/*
2080
		 * Use the public key as the "private" key - the secret key
2081
		 * parameters are hidden in an extra process that will be
2082
		 * contacted by the RSA engine.  The SSL/TLS library needs at
2083
		 * least the public key parameters in the current process.
2084
		 * For this we need to skip the private key check done by
2085
		 * libtls.
2086
		 */
2087
		tls_config_skip_private_key_check(tls_cfg);
2088
2089
		if ((fake_keylen = ssl_ctx_fake_private_key(rlay->rl_tls_cert,
2090
		    rlay->rl_conf.tls_cert_len, &fake_key)) == -1) {
2091
			/* error already printed */
2092
			goto err;
2093
		}
2094
2095
		if (tls_config_set_keypair_ocsp_mem(tls_cfg,
2096
		    rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len,
2097
		    fake_key, fake_keylen, NULL, 0) != 0) {
2098
			log_warnx("failed to set tls certificate: %s",
2099
			    tls_config_error(tls_cfg));
2100
			goto err;
2101
		}
2102
2103
		if (rlay->rl_conf.tls_cacert_len) {
2104
			log_debug("%s: loading CA certificate", __func__);
2105
			if (!ssl_load_pkey(
2106
			    rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len,
2107
			    &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey))
2108
				goto err;
2109
			/* loading certificate public key */
2110
			log_debug("%s: loading certificate", __func__);
2111
			if (!ssl_load_pkey(
2112
			    rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len,
2113
			    NULL, &rlay->rl_tls_pkey))
2114
				goto err;
2115
		}
2116
2117
		tls = tls_server();
2118
		if (tls == NULL) {
2119
			log_warnx("unable to allocate TLS context");
2120
			goto err;
2121
		}
2122
		if (tls_configure(tls, tls_cfg) == -1) {
2123
			log_warnx("could not configure the TLS context: %s",
2124
			    tls_error(tls));
2125
			tls_free(tls);
2126
			goto err;
2127
		}
2128
		rlay->rl_tls_cfg = tls_cfg;
2129
		rlay->rl_tls_ctx = tls;
2130
	}
2131
2132
	/* The text versions of the keys/certs are not needed anymore */
2133
	purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len);
2134
	purge_key(&rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len);
2135
2136
	if (rlay->rl_tls_client_cfg == NULL)
2137
		tls_config_free(tls_client_cfg);
2138
	if (rlay->rl_tls_cfg == NULL)
2139
		tls_config_free(tls_cfg);
2140
2141
	return (0);
2142
 err:
2143
	tls_config_free(tls_client_cfg);
2144
	tls_config_free(tls_cfg);
2145
	return (-1);
2146
}
2147
2148
static struct tls *
2149
relay_tls_inspect_create(struct relay *rlay, struct ctl_relay_event *cre)
2150
{
2151
	struct tls_config	*tls_cfg;
2152
	struct tls		*tls;
2153
	const char		*fake_key;
2154
	int			 fake_keylen;
2155
2156
	/* TLS inspection: use session-specific certificate */
2157
	if ((tls_cfg = tls_config_new()) == NULL) {
2158
		log_warnx("unable to allocate TLS config");
2159
		goto err;
2160
	}
2161
	if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_cfg) == -1) {
2162
		/* error already printed */
2163
		goto err;
2164
	}
2165
2166
	tls_config_skip_private_key_check(tls_cfg);
2167
2168
	log_debug("%s: loading intercepted certificate", __func__);
2169
	if ((fake_keylen = ssl_ctx_fake_private_key(cre->tlscert,
2170
	    cre->tlscert_len, &fake_key)) == -1) {
2171
		/* error already printed */
2172
		goto err;
2173
	}
2174
	if (tls_config_set_keypair_ocsp_mem(tls_cfg,
2175
	    cre->tlscert, cre->tlscert_len, fake_key, fake_keylen,
2176
	    NULL, 0) != 0) {
2177
		log_warnx("failed to set tls certificate: %s",
2178
		    tls_config_error(tls_cfg));
2179
		goto err;
2180
	}
2181
2182
	tls = tls_server();
2183
	if (tls == NULL) {
2184
		log_warnx("unable to allocate TLS context");
2185
		goto err;
2186
	}
2187
	if (tls_configure(tls, tls_cfg) == -1) {
2188
		log_warnx("could not configure the TLS context: %s",
2189
		    tls_error(tls));
2190
		tls_free(tls);
2191
		goto err;
2192
	}
2193
2194
	cre->tls_cfg = tls_cfg;
2195
	return (tls);
2196
 err:
2197
	tls_config_free(tls_cfg);
2198
	return (NULL);
2199
}
2200
2201
void
2202
relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre)
2203
{
2204
	struct relay		*rlay = con->se_relay;
2205
	struct tls		*tls_server;
2206
	const char		*errstr;
2207
	u_int			 flag;
2208
2209
	if (cre->dir == RELAY_DIR_REQUEST) {
2210
		if (cre->tlscert != NULL)
2211
			tls_server = relay_tls_inspect_create(rlay, cre);
2212
		else
2213
			tls_server = rlay->rl_tls_ctx;
2214
		if (tls_server == NULL) {
2215
			errstr = "no TLS server context available";
2216
			goto err;
2217
		}
2218
2219
		if (tls_accept_socket(tls_server, &cre->tls, cre->s) == -1) {
2220
			errstr = "could not accept the TLS connection";
2221
			goto err;
2222
		}
2223
		if (cre->tlscert != NULL)
2224
			tls_free(tls_server);
2225
		flag = EV_READ;
2226
	} else {
2227
		cre->tls = tls_client();
2228
		if (cre->tls == NULL ||
2229
		    tls_configure(cre->tls, rlay->rl_tls_client_cfg) == -1) {
2230
			errstr = "could not configure the TLS client context";
2231
			goto err;
2232
		}
2233
		if (tls_connect_socket(cre->tls, cre->s, NULL) == -1) {
2234
			errstr = "could not connect the TLS connection";
2235
			goto err;
2236
		}
2237
		flag = EV_WRITE;
2238
	}
2239
2240
	log_debug("%s: session %d: scheduling on %s", __func__, con->se_id,
2241
	    (flag == EV_READ) ? "EV_READ" : "EV_WRITE");
2242
	event_again(&con->se_ev, cre->s, EV_TIMEOUT|flag, relay_tls_handshake,
2243
	    &con->se_tv_start, &rlay->rl_conf.timeout, cre);
2244
	return;
2245
2246
 err:
2247
	relay_close(con, errstr);
2248
}
2249
2250
void
2251
relay_tls_handshake(int fd, short event, void *arg)
2252
{
2253
	struct ctl_relay_event	*cre = arg;
2254
	struct rsession		*con = cre->con;
2255
	struct relay		*rlay = con->se_relay;
2256
	int			 retry_flag = 0;
2257
	int			 ret;
2258
2259
	if (event == EV_TIMEOUT) {
2260
		relay_close(con, "TLS handshake timeout");
2261
		return;
2262
	}
2263
2264
	ret = tls_handshake(cre->tls);
2265
	if (ret == 0) {
2266
#ifdef DEBUG
2267
		log_info(
2268
#else
2269
		log_debug(
2270
#endif
2271
		    "relay %s, tls session %d %s (%d active)",
2272
		    rlay->rl_conf.name, con->se_id,
2273
		    cre->dir == RELAY_DIR_REQUEST ? "established" : "connected",
2274
		    relay_sessions);
2275
2276
		if (cre->dir == RELAY_DIR_REQUEST) {
2277
			relay_session(con);
2278
			return;
2279
		}
2280
2281
		if (rlay->rl_conf.flags & F_TLSINSPECT) {
2282
			const uint8_t	*servercert;
2283
			size_t		 len;
2284
2285
			servercert = tls_peer_cert_chain_pem(con->se_out.tls,
2286
			    &len);
2287
			if (servercert != NULL) {
2288
				con->se_in.tlscert = ssl_update_certificate(
2289
				    servercert, len,
2290
				    rlay->rl_tls_pkey, rlay->rl_tls_capkey,
2291
				    rlay->rl_tls_cacertx509,
2292
				    &con->se_in.tlscert_len);
2293
			} else
2294
				con->se_in.tlscert = NULL;
2295
			if (con->se_in.tlscert == NULL)
2296
				relay_close(con,
2297
				    "could not create certificate");
2298
			else
2299
				relay_session(con);
2300
			return;
2301
		}
2302
		relay_connected(fd, EV_WRITE, con);
2303
		return;
2304
	} else if (ret == TLS_WANT_POLLIN) {
2305
		retry_flag = EV_READ;
2306
	} else if (ret == TLS_WANT_POLLOUT) {
2307
		retry_flag = EV_WRITE;
2308
	} else {
2309
		log_debug("TLS handshake failed: %s: %s: %s",
2310
		    rlay->rl_conf.name, __func__,
2311
		    tls_error(cre->tls));
2312
		relay_close(con, "TLS handshake error");
2313
		return;
2314
	}
2315
2316
	DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id,
2317
	    (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE");
2318
	event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_handshake,
2319
	    &con->se_tv_start, &rlay->rl_conf.timeout, cre);
2320
}
2321
2322
void
2323
relay_tls_connected(struct ctl_relay_event *cre)
2324
{
2325
	/*
2326
	 * Hack libevent - we overwrite the internal bufferevent I/O
2327
	 * functions to handle the TLS abstraction.
2328
	 */
2329
	event_set(&cre->bev->ev_read, cre->s, EV_READ,
2330
	    relay_tls_readcb, cre->bev);
2331
	event_set(&cre->bev->ev_write, cre->s, EV_WRITE,
2332
	    relay_tls_writecb, cre->bev);
2333
}
2334
2335
void
2336
relay_tls_readcb(int fd, short event, void *arg)
2337
{
2338
	char			 rbuf[IBUF_READ_SIZE];
2339
	struct bufferevent	*bufev = arg;
2340
	struct ctl_relay_event	*cre = bufev->cbarg;
2341
	short			 what = EVBUFFER_READ;
2342
	int			 howmuch = IBUF_READ_SIZE;
2343
	ssize_t			 ret;
2344
	size_t			 len;
2345
2346
	if (event == EV_TIMEOUT) {
2347
		what |= EVBUFFER_TIMEOUT;
2348
		goto err;
2349
	}
2350
2351
	if (bufev->wm_read.high != 0)
2352
		howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high);
2353
2354
	ret = tls_read(cre->tls, rbuf, howmuch);
2355
	if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) {
2356
		goto retry;
2357
	} else if (ret < 0) {
2358
		what |= EVBUFFER_ERROR;
2359
		goto err;
2360
	}
2361
	len = ret;
2362
2363
	if (len == 0) {
2364
		what |= EVBUFFER_EOF;
2365
		goto err;
2366
	}
2367
2368
	if (evbuffer_add(bufev->input, rbuf, ret) == -1) {
2369
		what |= EVBUFFER_ERROR;
2370
		goto err;
2371
	}
2372
2373
	relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read);
2374
2375
	len = EVBUFFER_LENGTH(bufev->input);
2376
	if (bufev->wm_read.low != 0 && len < bufev->wm_read.low)
2377
		return;
2378
	if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) {
2379
		struct evbuffer *buf = bufev->input;
2380
		event_del(&bufev->ev_read);
2381
		evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev);
2382
		return;
2383
	}
2384
2385
	if (bufev->readcb != NULL)
2386
		(*bufev->readcb)(bufev, bufev->cbarg);
2387
	return;
2388
2389
 retry:
2390
	relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read);
2391
	return;
2392
2393
 err:
2394
	(*bufev->errorcb)(bufev, what, bufev->cbarg);
2395
}
2396
2397
void
2398
relay_tls_writecb(int fd, short event, void *arg)
2399
{
2400
	struct bufferevent	*bufev = arg;
2401
	struct ctl_relay_event	*cre = bufev->cbarg;
2402
	ssize_t			 ret;
2403
	size_t			 len;
2404
	short			 what = EVBUFFER_WRITE;
2405
2406
	if (event == EV_TIMEOUT) {
2407
		what |= EVBUFFER_TIMEOUT;
2408
		goto err;
2409
	}
2410
2411
	if (EVBUFFER_LENGTH(bufev->output)) {
2412
		ret = tls_write(cre->tls, EVBUFFER_DATA(bufev->output),
2413
		    EVBUFFER_LENGTH(bufev->output));
2414
		if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) {
2415
			goto retry;
2416
		} else if (ret < 0) {
2417
			what |= EVBUFFER_ERROR;
2418
			goto err;
2419
		}
2420
		len = ret;
2421
		evbuffer_drain(bufev->output, len);
2422
	}
2423
2424
	if (EVBUFFER_LENGTH(bufev->output) != 0)
2425
		relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write);
2426
2427
	if (bufev->writecb != NULL &&
2428
	    EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low)
2429
		(*bufev->writecb)(bufev, bufev->cbarg);
2430
	return;
2431
2432
 retry:
2433
	relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write);
2434
	return;
2435
2436
 err:
2437
	(*bufev->errorcb)(bufev, what, bufev->cbarg);
2438
}
2439
2440
int
2441
relay_bufferevent_add(struct event *ev, int timeout)
2442
{
2443
	struct timeval tv, *ptv = NULL;
2444
2445
	if (timeout) {
2446
		timerclear(&tv);
2447
		tv.tv_sec = timeout;
2448
		ptv = &tv;
2449
	}
2450
2451
	return (event_add(ev, ptv));
2452
}
2453
2454
#ifdef notyet
2455
int
2456
relay_bufferevent_printf(struct ctl_relay_event *cre, const char *fmt, ...)
2457
{
2458
	int	ret;
2459
	va_list	ap;
2460
2461
	va_start(ap, fmt);
2462
	ret = evbuffer_add_vprintf(cre->output, fmt, ap);
2463
	va_end(ap);
2464
2465
	if (cre->bev != NULL &&
2466
	    ret != -1 && EVBUFFER_LENGTH(cre->output) > 0 &&
2467
	    (cre->bev->enabled & EV_WRITE))
2468
		bufferevent_enable(cre->bev, EV_WRITE);
2469
2470
	return (ret);
2471
}
2472
#endif
2473
2474
int
2475
relay_bufferevent_print(struct ctl_relay_event *cre, const char *str)
2476
{
2477
	if (cre->bev == NULL)
2478
		return (evbuffer_add(cre->output, str, strlen(str)));
2479
	return (bufferevent_write(cre->bev, str, strlen(str)));
2480
}
2481
2482
int
2483
relay_bufferevent_write_buffer(struct ctl_relay_event *cre,
2484
    struct evbuffer *buf)
2485
{
2486
	if (cre->bev == NULL)
2487
		return (evbuffer_add_buffer(cre->output, buf));
2488
	return (bufferevent_write_buffer(cre->bev, buf));
2489
}
2490
2491
int
2492
relay_bufferevent_write_chunk(struct ctl_relay_event *cre,
2493
    struct evbuffer *buf, size_t size)
2494
{
2495
	int ret;
2496
	ret = relay_bufferevent_write(cre, buf->buffer, size);
2497
	if (ret != -1)
2498
		evbuffer_drain(buf, size);
2499
	return (ret);
2500
}
2501
2502
int
2503
relay_bufferevent_write(struct ctl_relay_event *cre, void *data, size_t size)
2504
{
2505
	if (cre->bev == NULL)
2506
		return (evbuffer_add(cre->output, data, size));
2507
	return (bufferevent_write(cre->bev, data, size));
2508
}
2509
2510
int
2511
relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b)
2512
{
2513
	int			ret = -1;
2514
	struct sockaddr_in	ia, ib;
2515
	struct sockaddr_in6	ia6, ib6;
2516
2517
	switch (a->ss_family) {
2518
	case AF_INET:
2519
		bcopy(a, &ia, sizeof(struct sockaddr_in));
2520
		bcopy(b, &ib, sizeof(struct sockaddr_in));
2521
2522
		ret = memcmp(&ia.sin_addr, &ib.sin_addr,
2523
		    sizeof(ia.sin_addr));
2524
		if (ret == 0)
2525
			ret = memcmp(&ia.sin_port, &ib.sin_port,
2526
			    sizeof(ia.sin_port));
2527
		break;
2528
	case AF_INET6:
2529
		bcopy(a, &ia6, sizeof(struct sockaddr_in6));
2530
		bcopy(b, &ib6, sizeof(struct sockaddr_in6));
2531
2532
		ret = memcmp(&ia6.sin6_addr, &ib6.sin6_addr,
2533
		    sizeof(ia6.sin6_addr));
2534
		if (ret == 0)
2535
			ret = memcmp(&ia6.sin6_port, &ib6.sin6_port,
2536
			    sizeof(ia6.sin6_port));
2537
		break;
2538
	default:
2539
		break;
2540
	}
2541
2542
	return (ret);
2543
}
2544
2545
char *
2546
relay_load_file(const char *name, off_t *len)
2547
{
2548
560
	struct stat	 st;
2549
	off_t		 size;
2550
	u_int8_t	*buf = NULL;
2551
	int		 fd;
2552
2553
280
	if ((fd = open(name, O_RDONLY)) == -1)
2554
132
		return (NULL);
2555
148
	if (fstat(fd, &st) != 0)
2556
		goto fail;
2557
148
	size = st.st_size;
2558
148
	if ((buf = calloc(1, size + 1)) == NULL)
2559
		goto fail;
2560
148
	if (read(fd, buf, size) != size)
2561
		goto fail;
2562
2563
148
	close(fd);
2564
2565
148
	*len = size;
2566
148
	return (buf);
2567
2568
 fail:
2569
	free(buf);
2570
	close(fd);
2571
	return (NULL);
2572
280
}
2573
2574
int
2575
relay_load_certfiles(struct relay *rlay)
2576
{
2577
1096
	char	 certfile[PATH_MAX];
2578
548
	char	 hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
2579
548
	struct protocol *proto = rlay->rl_proto;
2580
548
	int	 useport = htons(rlay->rl_conf.port);
2581
2582
548
	if (rlay->rl_conf.flags & F_TLSCLIENT) {
2583
132
		if (strlen(proto->tlsca)) {
2584
			if ((rlay->rl_tls_ca =
2585
			    relay_load_file(proto->tlsca,
2586
			    &rlay->rl_conf.tls_ca_len)) == NULL)
2587
				return (-1);
2588
			log_debug("%s: using ca %s", __func__, proto->tlsca);
2589
		}
2590
132
		if (strlen(proto->tlscacert)) {
2591
32
			if ((rlay->rl_tls_cacert =
2592
16
			    relay_load_file(proto->tlscacert,
2593
32
			    &rlay->rl_conf.tls_cacert_len)) == NULL)
2594
				return (-1);
2595
16
			log_debug("%s: using ca certificate %s", __func__,
2596
			    proto->tlscacert);
2597
16
		}
2598

148
		if (strlen(proto->tlscakey) && proto->tlscapass != NULL) {
2599
32
			if ((rlay->rl_tls_cakey =
2600
32
			    ssl_load_key(env, proto->tlscakey,
2601
16
			    &rlay->rl_conf.tls_cakey_len,
2602
16
			    proto->tlscapass)) == NULL)
2603
				return (-1);
2604
16
			log_debug("%s: using ca key %s", __func__,
2605
			    proto->tlscakey);
2606
16
		}
2607
	}
2608
2609
548
	if ((rlay->rl_conf.flags & F_TLS) == 0)
2610
416
		return (0);
2611
2612
132
	if (print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL)
2613
		return (-1);
2614
2615
264
	if (snprintf(certfile, sizeof(certfile),
2616
132
	    "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
2617
		return (-1);
2618
264
	if ((rlay->rl_tls_cert = relay_load_file(certfile,
2619
264
	    &rlay->rl_conf.tls_cert_len)) == NULL) {
2620
264
		if (snprintf(certfile, sizeof(certfile),
2621
132
		    "/etc/ssl/%s.crt", hbuf) == -1)
2622
			return (-1);
2623
264
		if ((rlay->rl_tls_cert = relay_load_file(certfile,
2624
132
		    &rlay->rl_conf.tls_cert_len)) == NULL)
2625
			return (-1);
2626
		useport = 0;
2627
132
	}
2628
132
	log_debug("%s: using certificate %s", __func__, certfile);
2629
2630
132
	if (useport) {
2631
		if (snprintf(certfile, sizeof(certfile),
2632
		    "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1)
2633
			return -1;
2634
	} else {
2635
264
		if (snprintf(certfile, sizeof(certfile),
2636
132
		    "/etc/ssl/private/%s.key", hbuf) == -1)
2637
			return -1;
2638
	}
2639
396
	if ((rlay->rl_tls_key = ssl_load_key(env, certfile,
2640
264
	    &rlay->rl_conf.tls_key_len, NULL)) == NULL)
2641
		return (-1);
2642
132
	log_debug("%s: using private key %s", __func__, certfile);
2643
2644
132
	return (0);
2645
548
}
2646
2647
int
2648
relay_session_cmp(struct rsession *a, struct rsession *b)
2649
{
2650
	struct relay	*rlay = b->se_relay;
2651
	struct protocol	*proto = rlay->rl_proto;
2652
2653
	if (proto != NULL && proto->cmp != NULL)
2654
		return ((*proto->cmp)(a, b));
2655
2656
	return ((int)a->se_id - b->se_id);
2657
}
2658
2659
void
2660
relay_log(struct rsession *con, char *msg)
2661
{
2662
	if (con->se_haslog && con->se_log != NULL) {
2663
		evbuffer_add(con->se_log, msg, strlen(msg));
2664
	}
2665
}
2666
2667
SPLAY_GENERATE(session_tree, rsession, se_nodes, relay_session_cmp);