File: | src/usr.sbin/relayd/relay.c |
Warning: | line 1635, column 3 Use of memory after it is freed |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: relay.c,v 1.254 2021/03/24 20:59:53 benno Exp $ */ | |||
2 | ||||
3 | /* | |||
4 | * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> | |||
5 | * | |||
6 | * Permission to use, copy, modify, and distribute this software for any | |||
7 | * purpose with or without fee is hereby granted, provided that the above | |||
8 | * copyright notice and this permission notice appear in all copies. | |||
9 | * | |||
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | |||
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |||
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |||
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |||
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |||
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |||
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |||
17 | */ | |||
18 | ||||
19 | #include <sys/types.h> | |||
20 | #include <sys/queue.h> | |||
21 | #include <sys/time.h> | |||
22 | #include <sys/socket.h> | |||
23 | #include <sys/tree.h> | |||
24 | ||||
25 | #include <netinet/in.h> | |||
26 | #include <netinet/tcp.h> | |||
27 | #include <arpa/inet.h> | |||
28 | ||||
29 | #include <limits.h> | |||
30 | #include <netdb.h> | |||
31 | #include <poll.h> | |||
32 | #include <stdio.h> | |||
33 | #include <stdlib.h> | |||
34 | #include <errno(*__errno()).h> | |||
35 | #include <fcntl.h> | |||
36 | #include <string.h> | |||
37 | #include <unistd.h> | |||
38 | #include <event.h> | |||
39 | #include <siphash.h> | |||
40 | #include <imsg.h> | |||
41 | ||||
42 | #include <tls.h> | |||
43 | ||||
44 | #include "relayd.h" | |||
45 | ||||
46 | #define MINIMUM(a, b)(((a) < (b)) ? (a) : (b)) (((a) < (b)) ? (a) : (b)) | |||
47 | ||||
48 | void relay_statistics(int, short, void *); | |||
49 | int relay_dispatch_parent(int, struct privsep_proc *, | |||
50 | struct imsg *); | |||
51 | int relay_dispatch_pfe(int, struct privsep_proc *, | |||
52 | struct imsg *); | |||
53 | int relay_dispatch_ca(int, struct privsep_proc *, | |||
54 | struct imsg *); | |||
55 | int relay_dispatch_hce(int, struct privsep_proc *, | |||
56 | struct imsg *); | |||
57 | void relay_shutdown(void); | |||
58 | ||||
59 | void relay_protodebug(struct relay *); | |||
60 | void relay_ruledebug(struct relay_rule *); | |||
61 | void relay_init(struct privsep *, struct privsep_proc *p, void *); | |||
62 | void relay_launch(void); | |||
63 | int relay_socket(struct sockaddr_storage *, in_port_t, | |||
64 | struct protocol *, int, int); | |||
65 | int relay_socket_listen(struct sockaddr_storage *, in_port_t, | |||
66 | struct protocol *); | |||
67 | int relay_socket_connect(struct sockaddr_storage *, in_port_t, | |||
68 | struct protocol *, int); | |||
69 | ||||
70 | void relay_accept(int, short, void *); | |||
71 | void relay_input(struct rsession *); | |||
72 | ||||
73 | void relay_hash_addr(SIPHASH_CTX *, struct sockaddr_storage *, int); | |||
74 | ||||
75 | int relay_tls_ctx_create(struct relay *); | |||
76 | void relay_tls_transaction(struct rsession *, | |||
77 | struct ctl_relay_event *); | |||
78 | void relay_tls_handshake(int, short, void *); | |||
79 | void relay_tls_connected(struct ctl_relay_event *); | |||
80 | void relay_tls_readcb(int, short, void *); | |||
81 | void relay_tls_writecb(int, short, void *); | |||
82 | ||||
83 | void relay_connect_retry(int, short, void *); | |||
84 | void relay_connect_state(struct rsession *, | |||
85 | struct ctl_relay_event *, enum relay_state); | |||
86 | ||||
87 | extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, | |||
88 | size_t, void *); | |||
89 | ||||
90 | volatile int relay_sessions; | |||
91 | volatile int relay_inflight = 0; | |||
92 | objid_t relay_conid; | |||
93 | ||||
94 | static struct relayd *env = NULL((void*)0); | |||
95 | ||||
96 | static struct privsep_proc procs[] = { | |||
97 | { "parent", PROC_PARENT, relay_dispatch_parent }, | |||
98 | { "pfe", PROC_PFE, relay_dispatch_pfe }, | |||
99 | { "ca", PROC_CA, relay_dispatch_ca }, | |||
100 | { "hce", PROC_HCE, relay_dispatch_hce }, | |||
101 | }; | |||
102 | ||||
103 | void | |||
104 | relay(struct privsep *ps, struct privsep_proc *p) | |||
105 | { | |||
106 | env = ps->ps_env; | |||
107 | proc_run(ps, p, procs, nitems(procs)(sizeof((procs)) / sizeof((procs)[0])), relay_init, NULL((void*)0)); | |||
108 | relay_http(env); | |||
109 | } | |||
110 | ||||
111 | void | |||
112 | relay_shutdown(void) | |||
113 | { | |||
114 | config_purge(env, CONFIG_ALL0xff); | |||
115 | usleep(200); /* XXX relay needs to shutdown last */ | |||
116 | } | |||
117 | ||||
118 | void | |||
119 | relay_ruledebug(struct relay_rule *rule) | |||
120 | { | |||
121 | struct kv *kv = NULL((void*)0); | |||
122 | u_int i; | |||
123 | char buf[NI_MAXHOST256]; | |||
124 | ||||
125 | fprintf(stderr(&__sF[2]), "\t\t"); | |||
126 | ||||
127 | switch (rule->rule_action) { | |||
128 | case RULE_ACTION_MATCH: | |||
129 | fprintf(stderr(&__sF[2]), "match "); | |||
130 | break; | |||
131 | case RULE_ACTION_BLOCK: | |||
132 | fprintf(stderr(&__sF[2]), "block "); | |||
133 | break; | |||
134 | case RULE_ACTION_PASS: | |||
135 | fprintf(stderr(&__sF[2]), "pass "); | |||
136 | break; | |||
137 | } | |||
138 | ||||
139 | switch (rule->rule_dir) { | |||
140 | case RELAY_DIR_ANY: | |||
141 | break; | |||
142 | case RELAY_DIR_REQUEST: | |||
143 | fprintf(stderr(&__sF[2]), "request "); | |||
144 | break; | |||
145 | case RELAY_DIR_RESPONSE: | |||
146 | fprintf(stderr(&__sF[2]), "response "); | |||
147 | break; | |||
148 | default: | |||
149 | return; | |||
150 | /* NOTREACHED */ | |||
151 | break; | |||
152 | } | |||
153 | ||||
154 | if (rule->rule_flags & RULE_FLAG_QUICK0x01) | |||
155 | fprintf(stderr(&__sF[2]), "quick "); | |||
156 | ||||
157 | switch (rule->rule_af) { | |||
158 | case AF_INET2: | |||
159 | fprintf(stderr(&__sF[2]), "inet "); | |||
160 | break; | |||
161 | case AF_INET624: | |||
162 | fprintf(stderr(&__sF[2]), "inet6 "); | |||
163 | break; | |||
164 | } | |||
165 | ||||
166 | if (rule->rule_src.addr.ss_family != AF_UNSPEC0) | |||
167 | fprintf(stderr(&__sF[2]), "from %s/%d ", | |||
168 | print_host(&rule->rule_src.addr, buf, sizeof(buf)), | |||
169 | rule->rule_src.addr_mask); | |||
170 | ||||
171 | if (rule->rule_dst.addr.ss_family != AF_UNSPEC0) | |||
172 | fprintf(stderr(&__sF[2]), "to %s/%d ", | |||
173 | print_host(&rule->rule_dst.addr, buf, sizeof(buf)), | |||
174 | rule->rule_dst.addr_mask); | |||
175 | ||||
176 | for (i = 1; i < KEY_TYPE_MAX; i++) { | |||
177 | kv = &rule->rule_kv[i]; | |||
178 | if (kv->kv_type != i) | |||
179 | continue; | |||
180 | ||||
181 | switch (kv->kv_type) { | |||
182 | case KEY_TYPE_COOKIE: | |||
183 | fprintf(stderr(&__sF[2]), "cookie "); | |||
184 | break; | |||
185 | case KEY_TYPE_HEADER: | |||
186 | fprintf(stderr(&__sF[2]), "header "); | |||
187 | break; | |||
188 | case KEY_TYPE_PATH: | |||
189 | fprintf(stderr(&__sF[2]), "path "); | |||
190 | break; | |||
191 | case KEY_TYPE_QUERY: | |||
192 | fprintf(stderr(&__sF[2]), "query "); | |||
193 | break; | |||
194 | case KEY_TYPE_URL: | |||
195 | fprintf(stderr(&__sF[2]), "url "); | |||
196 | break; | |||
197 | default: | |||
198 | continue; | |||
199 | } | |||
200 | ||||
201 | switch (kv->kv_option) { | |||
202 | case KEY_OPTION_APPEND: | |||
203 | fprintf(stderr(&__sF[2]), "append "); | |||
204 | break; | |||
205 | case KEY_OPTION_SET: | |||
206 | fprintf(stderr(&__sF[2]), "set "); | |||
207 | break; | |||
208 | case KEY_OPTION_REMOVE: | |||
209 | fprintf(stderr(&__sF[2]), "remove "); | |||
210 | break; | |||
211 | case KEY_OPTION_HASH: | |||
212 | fprintf(stderr(&__sF[2]), "hash "); | |||
213 | break; | |||
214 | case KEY_OPTION_LOG: | |||
215 | fprintf(stderr(&__sF[2]), "log "); | |||
216 | break; | |||
217 | case KEY_OPTION_STRIP: | |||
218 | fprintf(stderr(&__sF[2]), "strip "); | |||
219 | break; | |||
220 | case KEY_OPTION_NONE: | |||
221 | break; | |||
222 | } | |||
223 | ||||
224 | switch (kv->kv_digest) { | |||
225 | case DIGEST_SHA1: | |||
226 | case DIGEST_MD5: | |||
227 | fprintf(stderr(&__sF[2]), "digest "); | |||
228 | break; | |||
229 | default: | |||
230 | break; | |||
231 | } | |||
232 | ||||
233 | int kvv = (kv->kv_option == KEY_OPTION_STRIP || | |||
234 | kv->kv_value == NULL((void*)0)); | |||
235 | fprintf(stderr(&__sF[2]), "%s%s%s%s%s%s ", | |||
236 | kv->kv_key == NULL((void*)0) ? "" : "\"", | |||
237 | kv->kv_key == NULL((void*)0) ? "" : kv->kv_key, | |||
238 | kv->kv_key == NULL((void*)0) ? "" : "\"", | |||
239 | kvv ? "" : " value \"", | |||
240 | kv->kv_value == NULL((void*)0) ? "" : kv->kv_value, | |||
241 | kvv ? "" : "\""); | |||
242 | } | |||
243 | ||||
244 | if (rule->rule_tablename[0]) | |||
245 | fprintf(stderr(&__sF[2]), "forward to <%s> ", rule->rule_tablename); | |||
246 | ||||
247 | if (rule->rule_tag == -1) | |||
248 | fprintf(stderr(&__sF[2]), "no tag "); | |||
249 | else if (rule->rule_tag && rule->rule_tagname[0]) | |||
250 | fprintf(stderr(&__sF[2]), "tag \"%s\" ", | |||
251 | rule->rule_tagname); | |||
252 | ||||
253 | if (rule->rule_tagged && rule->rule_taggedname[0]) | |||
254 | fprintf(stderr(&__sF[2]), "tagged \"%s\" ", | |||
255 | rule->rule_taggedname); | |||
256 | ||||
257 | if (rule->rule_label == -1) | |||
258 | fprintf(stderr(&__sF[2]), "no label "); | |||
259 | else if (rule->rule_label && rule->rule_labelname[0]) | |||
260 | fprintf(stderr(&__sF[2]), "label \"%s\" ", | |||
261 | rule->rule_labelname); | |||
262 | ||||
263 | fprintf(stderr(&__sF[2]), "\n"); | |||
264 | } | |||
265 | ||||
266 | void | |||
267 | relay_protodebug(struct relay *rlay) | |||
268 | { | |||
269 | struct protocol *proto = rlay->rl_proto; | |||
270 | struct relay_rule *rule = NULL((void*)0); | |||
271 | ||||
272 | fprintf(stderr(&__sF[2]), "protocol %d: name %s\n", | |||
273 | proto->id, proto->name); | |||
274 | fprintf(stderr(&__sF[2]), "\tflags: %s, relay flags: %s\n", | |||
275 | printb_flags(proto->flags, F_BITS"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" "\10STICKY-ADDRESS\11CHECK_DONE\12ACTIVE_RULESET\13CHECK_SENT" "\14TLS\15NAT_LOOKUP\16DEMOTE\17LOOKUP_PATH\20DEMOTED\21UDP" "\22RETURN\23TRAP\24NEEDPF\25PORT\26TLS_CLIENT\27NEEDRT" "\30MATCH\31DIVERT\32SCRIPT\33TLS_INSPECT\34HASHKEY" "\35AGENTX_TRAPONLY"), | |||
276 | printb_flags(rlay->rl_conf.flags, F_BITS"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" "\10STICKY-ADDRESS\11CHECK_DONE\12ACTIVE_RULESET\13CHECK_SENT" "\14TLS\15NAT_LOOKUP\16DEMOTE\17LOOKUP_PATH\20DEMOTED\21UDP" "\22RETURN\23TRAP\24NEEDPF\25PORT\26TLS_CLIENT\27NEEDRT" "\30MATCH\31DIVERT\32SCRIPT\33TLS_INSPECT\34HASHKEY" "\35AGENTX_TRAPONLY")); | |||
277 | if (proto->tcpflags) | |||
278 | fprintf(stderr(&__sF[2]), "\ttcp flags: %s\n", | |||
279 | printb_flags(proto->tcpflags, TCPFLAG_BITS"\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" "\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE")); | |||
280 | if ((rlay->rl_conf.flags & (F_TLS0x00000800|F_TLSCLIENT0x00200000)) && proto->tlsflags) | |||
281 | fprintf(stderr(&__sF[2]), "\ttls flags: %s\n", | |||
282 | printb_flags(proto->tlsflags, TLSFLAG_BITS"\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" "\06cipher-server-preference\07client-renegotiation")); | |||
283 | fprintf(stderr(&__sF[2]), "\ttls session tickets: %s\n", | |||
284 | (proto->tickets == 1) ? "enabled" : "disabled"); | |||
285 | fprintf(stderr(&__sF[2]), "\ttype: "); | |||
286 | switch (proto->type) { | |||
287 | case RELAY_PROTO_TCP: | |||
288 | fprintf(stderr(&__sF[2]), "tcp\n"); | |||
289 | break; | |||
290 | case RELAY_PROTO_HTTP: | |||
291 | fprintf(stderr(&__sF[2]), "http\n"); | |||
292 | break; | |||
293 | case RELAY_PROTO_DNS: | |||
294 | fprintf(stderr(&__sF[2]), "dns\n"); | |||
295 | break; | |||
296 | } | |||
297 | ||||
298 | rule = TAILQ_FIRST(&proto->rules)((&proto->rules)->tqh_first); | |||
299 | while (rule != NULL((void*)0)) { | |||
300 | relay_ruledebug(rule); | |||
301 | rule = TAILQ_NEXT(rule, rule_entry)((rule)->rule_entry.tqe_next); | |||
302 | } | |||
303 | } | |||
304 | ||||
305 | int | |||
306 | relay_privinit(struct relay *rlay) | |||
307 | { | |||
308 | log_debug("%s: adding relay %s", __func__, rlay->rl_conf.name); | |||
309 | ||||
310 | if (log_getverbose() > 1) | |||
311 | relay_protodebug(rlay); | |||
312 | ||||
313 | switch (rlay->rl_proto->type) { | |||
314 | case RELAY_PROTO_DNS: | |||
315 | relay_udp_privinit(rlay); | |||
316 | break; | |||
317 | case RELAY_PROTO_TCP: | |||
318 | break; | |||
319 | case RELAY_PROTO_HTTP: | |||
320 | break; | |||
321 | } | |||
322 | ||||
323 | if (rlay->rl_conf.flags & F_UDP0x00010000) | |||
324 | rlay->rl_s = relay_udp_bind(&rlay->rl_conf.ss, | |||
325 | rlay->rl_conf.port, rlay->rl_proto); | |||
326 | else | |||
327 | rlay->rl_s = relay_socket_listen(&rlay->rl_conf.ss, | |||
328 | rlay->rl_conf.port, rlay->rl_proto); | |||
329 | if (rlay->rl_s == -1) | |||
330 | return (-1); | |||
331 | ||||
332 | return (0); | |||
333 | } | |||
334 | ||||
335 | void | |||
336 | relay_init(struct privsep *ps, struct privsep_proc *p, void *arg) | |||
337 | { | |||
338 | struct timeval tv; | |||
339 | ||||
340 | if (config_init(ps->ps_env) == -1) | |||
341 | fatal("failed to initialize configuration"); | |||
342 | ||||
343 | /* We use a custom shutdown callback */ | |||
344 | p->p_shutdown = relay_shutdown; | |||
345 | ||||
346 | /* Unlimited file descriptors (use system limits) */ | |||
347 | socket_rlimit(-1); | |||
348 | ||||
349 | if (pledge("stdio recvfd inet", NULL((void*)0)) == -1) | |||
350 | fatal("pledge"); | |||
351 | ||||
352 | /* Schedule statistics timer */ | |||
353 | evtimer_set(&env->sc_statev, relay_statistics, ps)event_set(&env->sc_statev, -1, 0, relay_statistics, ps ); | |||
354 | bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv)); | |||
355 | evtimer_add(&env->sc_statev, &tv)event_add(&env->sc_statev, &tv); | |||
356 | } | |||
357 | ||||
358 | void | |||
359 | relay_session_publish(struct rsession *s) | |||
360 | { | |||
361 | proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_PUBLISH, s, sizeof(*s)); | |||
362 | } | |||
363 | ||||
364 | void | |||
365 | relay_session_unpublish(struct rsession *s) | |||
366 | { | |||
367 | proc_compose(env->sc_ps, PROC_PFE, IMSG_SESS_UNPUBLISH, | |||
368 | &s->se_id, sizeof(s->se_id)); | |||
369 | } | |||
370 | ||||
371 | void | |||
372 | relay_statistics(int fd, short events, void *arg) | |||
373 | { | |||
374 | struct privsep *ps = arg; | |||
375 | struct relay *rlay; | |||
376 | struct ctl_stats crs, *cur; | |||
377 | struct timeval tv, tv_now; | |||
378 | int resethour = 0, resetday = 0; | |||
379 | struct rsession *con, *next_con; | |||
380 | ||||
381 | /* | |||
382 | * This is a hack to calculate some average statistics. | |||
383 | * It doesn't try to be very accurate, but could be improved... | |||
384 | */ | |||
385 | ||||
386 | timerclear(&tv)(&tv)->tv_sec = (&tv)->tv_usec = 0; | |||
387 | getmonotime(&tv_now); | |||
388 | ||||
389 | TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)for((rlay) = ((env->sc_relays)->tqh_first); (rlay) != ( (void*)0); (rlay) = ((rlay)->rl_entry.tqe_next)) { | |||
390 | bzero(&crs, sizeof(crs)); | |||
391 | resethour = resetday = 0; | |||
392 | ||||
393 | cur = &rlay->rl_stats[ps->ps_instance]; | |||
394 | cur->cnt += cur->last; | |||
395 | cur->tick++; | |||
396 | cur->avg = (cur->last + cur->avg) / 2; | |||
397 | cur->last_hour += cur->last; | |||
398 | if ((cur->tick % | |||
399 | (3600 / env->sc_conf.statinterval.tv_sec)) == 0) { | |||
400 | cur->avg_hour = (cur->last_hour + cur->avg_hour) / 2; | |||
401 | resethour++; | |||
402 | } | |||
403 | cur->last_day += cur->last; | |||
404 | if ((cur->tick % | |||
405 | (86400 / env->sc_conf.statinterval.tv_sec)) == 0) { | |||
406 | cur->avg_day = (cur->last_day + cur->avg_day) / 2; | |||
407 | resethour++; | |||
408 | } | |||
409 | bcopy(cur, &crs, sizeof(crs)); | |||
410 | ||||
411 | cur->last = 0; | |||
412 | if (resethour) | |||
413 | cur->last_hour = 0; | |||
414 | if (resetday) | |||
415 | cur->last_day = 0; | |||
416 | ||||
417 | crs.id = rlay->rl_conf.id; | |||
418 | crs.proc = ps->ps_instance; | |||
419 | proc_compose(env->sc_ps, PROC_PFE, IMSG_STATISTICS, | |||
420 | &crs, sizeof(crs)); | |||
421 | ||||
422 | for (con = SPLAY_ROOT(&rlay->rl_sessions)(&rlay->rl_sessions)->sph_root; | |||
423 | con != NULL((void*)0); con = next_con) { | |||
424 | next_con = SPLAY_NEXT(session_tree,session_tree_SPLAY_NEXT(&rlay->rl_sessions, con) | |||
425 | &rlay->rl_sessions, con)session_tree_SPLAY_NEXT(&rlay->rl_sessions, con); | |||
426 | timersub(&tv_now, &con->se_tv_last, &tv)do { (&tv)->tv_sec = (&tv_now)->tv_sec - (& con->se_tv_last)->tv_sec; (&tv)->tv_usec = (& tv_now)->tv_usec - (&con->se_tv_last)->tv_usec; if ((&tv)->tv_usec < 0) { (&tv)->tv_sec--; (& tv)->tv_usec += 1000000; } } while (0); | |||
427 | if (timercmp(&tv, &rlay->rl_conf.timeout, >=)(((&tv)->tv_sec == (&rlay->rl_conf.timeout)-> tv_sec) ? ((&tv)->tv_usec >= (&rlay->rl_conf .timeout)->tv_usec) : ((&tv)->tv_sec >= (&rlay ->rl_conf.timeout)->tv_sec))) | |||
428 | relay_close(con, "hard timeout", 1); | |||
429 | } | |||
430 | } | |||
431 | ||||
432 | /* Schedule statistics timer */ | |||
433 | evtimer_set(&env->sc_statev, relay_statistics, ps)event_set(&env->sc_statev, -1, 0, relay_statistics, ps ); | |||
434 | bcopy(&env->sc_conf.statinterval, &tv, sizeof(tv)); | |||
435 | evtimer_add(&env->sc_statev, &tv)event_add(&env->sc_statev, &tv); | |||
436 | } | |||
437 | ||||
438 | void | |||
439 | relay_launch(void) | |||
440 | { | |||
441 | void (*callback)(int, short, void *); | |||
442 | struct relay *rlay; | |||
443 | struct host *host; | |||
444 | struct relay_table *rlt; | |||
445 | ||||
446 | TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)for((rlay) = ((env->sc_relays)->tqh_first); (rlay) != ( (void*)0); (rlay) = ((rlay)->rl_entry.tqe_next)) { | |||
447 | if ((rlay->rl_conf.flags & (F_TLS0x00000800|F_TLSCLIENT0x00200000)) && | |||
448 | relay_tls_ctx_create(rlay) == -1) | |||
449 | fatalx("%s: failed to create TLS context", __func__); | |||
450 | ||||
451 | TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry)for((rlt) = ((&rlay->rl_tables)->tqh_first); (rlt) != ((void*)0); (rlt) = ((rlt)->rlt_entry.tqe_next)) { | |||
452 | /* | |||
453 | * set rule->rule_table in advance and save time | |||
454 | * looking up for this later on rule/connection | |||
455 | * evalution | |||
456 | */ | |||
457 | rule_settable(&rlay->rl_proto->rules, rlt); | |||
458 | ||||
459 | rlt->rlt_index = 0; | |||
460 | rlt->rlt_nhosts = 0; | |||
461 | TAILQ_FOREACH(host, &rlt->rlt_table->hosts, entry)for((host) = ((&rlt->rlt_table->hosts)->tqh_first ); (host) != ((void*)0); (host) = ((host)->entry.tqe_next) ) { | |||
462 | if (rlt->rlt_nhosts >= RELAY_MAXHOSTS32) | |||
463 | fatal("%s: too many hosts in table", | |||
464 | __func__); | |||
465 | host->idx = rlt->rlt_nhosts; | |||
466 | rlt->rlt_host[rlt->rlt_nhosts++] = host; | |||
467 | } | |||
468 | log_info("adding %d hosts from table %s%s", | |||
469 | rlt->rlt_nhosts, rlt->rlt_table->conf.name, | |||
470 | rlt->rlt_table->conf.check ? "" : " (no check)"); | |||
471 | } | |||
472 | ||||
473 | switch (rlay->rl_proto->type) { | |||
474 | case RELAY_PROTO_DNS: | |||
475 | relay_udp_init(env, rlay); | |||
476 | break; | |||
477 | case RELAY_PROTO_TCP: | |||
478 | case RELAY_PROTO_HTTP: | |||
479 | relay_http_init(rlay); | |||
480 | /* Use defaults */ | |||
481 | break; | |||
482 | } | |||
483 | ||||
484 | log_debug("%s: running relay %s", __func__, | |||
485 | rlay->rl_conf.name); | |||
486 | ||||
487 | rlay->rl_up = HOST_UP; | |||
488 | ||||
489 | if (rlay->rl_conf.flags & F_UDP0x00010000) | |||
490 | callback = relay_udp_server; | |||
491 | else | |||
492 | callback = relay_accept; | |||
493 | ||||
494 | event_set(&rlay->rl_ev, rlay->rl_s, EV_READ0x02, | |||
495 | callback, rlay); | |||
496 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
497 | evtimer_set(&rlay->rl_evt, callback, rlay)event_set(&rlay->rl_evt, -1, 0, callback, rlay); | |||
498 | } | |||
499 | } | |||
500 | ||||
501 | int | |||
502 | relay_socket_af(struct sockaddr_storage *ss, in_port_t port) | |||
503 | { | |||
504 | switch (ss->ss_family) { | |||
505 | case AF_INET2: | |||
506 | ((struct sockaddr_in *)ss)->sin_port = port; | |||
507 | ((struct sockaddr_in *)ss)->sin_len = | |||
508 | sizeof(struct sockaddr_in); | |||
509 | break; | |||
510 | case AF_INET624: | |||
511 | ((struct sockaddr_in6 *)ss)->sin6_port = port; | |||
512 | ((struct sockaddr_in6 *)ss)->sin6_len = | |||
513 | sizeof(struct sockaddr_in6); | |||
514 | break; | |||
515 | default: | |||
516 | return (-1); | |||
517 | } | |||
518 | ||||
519 | return (0); | |||
520 | } | |||
521 | ||||
522 | in_port_t | |||
523 | relay_socket_getport(struct sockaddr_storage *ss) | |||
524 | { | |||
525 | switch (ss->ss_family) { | |||
526 | case AF_INET2: | |||
527 | return (((struct sockaddr_in *)ss)->sin_port); | |||
528 | case AF_INET624: | |||
529 | return (((struct sockaddr_in6 *)ss)->sin6_port); | |||
530 | default: | |||
531 | return (0); | |||
532 | } | |||
533 | ||||
534 | /* NOTREACHED */ | |||
535 | return (0); | |||
536 | } | |||
537 | ||||
538 | int | |||
539 | relay_socket(struct sockaddr_storage *ss, in_port_t port, | |||
540 | struct protocol *proto, int fd, int reuseport) | |||
541 | { | |||
542 | struct linger lng; | |||
543 | int s = -1, val; | |||
544 | ||||
545 | if (relay_socket_af(ss, port) == -1) | |||
546 | goto bad; | |||
547 | ||||
548 | s = fd == -1 ? socket(ss->ss_family, | |||
549 | SOCK_STREAM1 | SOCK_NONBLOCK0x4000, IPPROTO_TCP6) : fd; | |||
550 | if (s == -1) | |||
551 | goto bad; | |||
552 | ||||
553 | /* | |||
554 | * Socket options | |||
555 | */ | |||
556 | bzero(&lng, sizeof(lng)); | |||
557 | if (setsockopt(s, SOL_SOCKET0xffff, SO_LINGER0x0080, &lng, sizeof(lng)) == -1) | |||
558 | goto bad; | |||
559 | if (reuseport) { | |||
560 | val = 1; | |||
561 | if (setsockopt(s, SOL_SOCKET0xffff, SO_REUSEPORT0x0200, &val, | |||
562 | sizeof(int)) == -1) | |||
563 | goto bad; | |||
564 | } | |||
565 | if (proto->tcpflags & TCPFLAG_BUFSIZ0x10) { | |||
566 | val = proto->tcpbufsiz; | |||
567 | if (setsockopt(s, SOL_SOCKET0xffff, SO_RCVBUF0x1002, | |||
568 | &val, sizeof(val)) == -1) | |||
569 | goto bad; | |||
570 | val = proto->tcpbufsiz; | |||
571 | if (setsockopt(s, SOL_SOCKET0xffff, SO_SNDBUF0x1001, | |||
572 | &val, sizeof(val)) == -1) | |||
573 | goto bad; | |||
574 | } | |||
575 | ||||
576 | /* | |||
577 | * IP options | |||
578 | */ | |||
579 | if (proto->tcpflags & TCPFLAG_IPTTL0x20) { | |||
580 | val = (int)proto->tcpipttl; | |||
581 | switch (ss->ss_family) { | |||
582 | case AF_INET2: | |||
583 | if (setsockopt(s, IPPROTO_IP0, IP_TTL4, | |||
584 | &val, sizeof(val)) == -1) | |||
585 | goto bad; | |||
586 | break; | |||
587 | case AF_INET624: | |||
588 | if (setsockopt(s, IPPROTO_IPV641, IPV6_UNICAST_HOPS4, | |||
589 | &val, sizeof(val)) == -1) | |||
590 | goto bad; | |||
591 | break; | |||
592 | } | |||
593 | } | |||
594 | if (proto->tcpflags & TCPFLAG_IPMINTTL0x40) { | |||
595 | val = (int)proto->tcpipminttl; | |||
596 | switch (ss->ss_family) { | |||
597 | case AF_INET2: | |||
598 | if (setsockopt(s, IPPROTO_IP0, IP_MINTTL32, | |||
599 | &val, sizeof(val)) == -1) | |||
600 | goto bad; | |||
601 | break; | |||
602 | case AF_INET624: | |||
603 | if (setsockopt(s, IPPROTO_IPV641, IPV6_MINHOPCOUNT65, | |||
604 | &val, sizeof(val)) == -1) | |||
605 | goto bad; | |||
606 | break; | |||
607 | } | |||
608 | } | |||
609 | ||||
610 | /* | |||
611 | * TCP options | |||
612 | */ | |||
613 | if (proto->tcpflags & (TCPFLAG_NODELAY0x01|TCPFLAG_NNODELAY0x02)) { | |||
614 | if (proto->tcpflags & TCPFLAG_NNODELAY0x02) | |||
615 | val = 0; | |||
616 | else | |||
617 | val = 1; | |||
618 | if (setsockopt(s, IPPROTO_TCP6, TCP_NODELAY0x01, | |||
619 | &val, sizeof(val)) == -1) | |||
620 | goto bad; | |||
621 | } | |||
622 | if (proto->tcpflags & (TCPFLAG_SACK0x04|TCPFLAG_NSACK0x08)) { | |||
623 | if (proto->tcpflags & TCPFLAG_NSACK0x08) | |||
624 | val = 0; | |||
625 | else | |||
626 | val = 1; | |||
627 | if (setsockopt(s, IPPROTO_TCP6, TCP_SACK_ENABLE0x08, | |||
628 | &val, sizeof(val)) == -1) | |||
629 | goto bad; | |||
630 | } | |||
631 | ||||
632 | return (s); | |||
633 | ||||
634 | bad: | |||
635 | if (s != -1) | |||
636 | close(s); | |||
637 | return (-1); | |||
638 | } | |||
639 | ||||
640 | int | |||
641 | relay_socket_connect(struct sockaddr_storage *ss, in_port_t port, | |||
642 | struct protocol *proto, int fd) | |||
643 | { | |||
644 | int s; | |||
645 | ||||
646 | if ((s = relay_socket(ss, port, proto, fd, 0)) == -1) | |||
647 | return (-1); | |||
648 | ||||
649 | if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { | |||
650 | if (errno(*__errno()) != EINPROGRESS36) | |||
651 | goto bad; | |||
652 | } | |||
653 | ||||
654 | return (s); | |||
655 | ||||
656 | bad: | |||
657 | close(s); | |||
658 | return (-1); | |||
659 | } | |||
660 | ||||
661 | int | |||
662 | relay_socket_listen(struct sockaddr_storage *ss, in_port_t port, | |||
663 | struct protocol *proto) | |||
664 | { | |||
665 | int s; | |||
666 | ||||
667 | if ((s = relay_socket(ss, port, proto, -1, 1)) == -1) | |||
668 | return (-1); | |||
669 | ||||
670 | if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) | |||
671 | goto bad; | |||
672 | if (listen(s, proto->tcpbacklog) == -1) | |||
673 | goto bad; | |||
674 | ||||
675 | return (s); | |||
676 | ||||
677 | bad: | |||
678 | close(s); | |||
679 | return (-1); | |||
680 | } | |||
681 | ||||
682 | void | |||
683 | relay_connected(int fd, short sig, void *arg) | |||
684 | { | |||
685 | char obuf[128]; | |||
686 | struct rsession *con = arg; | |||
687 | struct relay *rlay = con->se_relay; | |||
688 | struct protocol *proto = rlay->rl_proto; | |||
689 | evbuffercb outrd = relay_read; | |||
690 | evbuffercb outwr = relay_write; | |||
691 | struct bufferevent *bev; | |||
692 | struct ctl_relay_event *out = &con->se_out; | |||
693 | char *msg; | |||
694 | socklen_t len; | |||
695 | int error; | |||
696 | ||||
697 | if (sig
| |||
698 | relay_abort_http(con, 504, "connect timeout", 0); | |||
699 | return; | |||
700 | } | |||
701 | ||||
702 | len = sizeof(error); | |||
703 | if (getsockopt(fd, SOL_SOCKET0xffff, SO_ERROR0x1007, &error, &len) == -1) { | |||
704 | relay_abort_http(con, 500, "getsockopt failed", 0); | |||
705 | return; | |||
706 | } | |||
707 | if (error) { | |||
708 | errno(*__errno()) = error; | |||
709 | if (asprintf(&msg, "socket error: %s", | |||
710 | strerror(error)) >= 0) { | |||
711 | relay_abort_http(con, 500, msg, 0); | |||
712 | free(msg); | |||
713 | return; | |||
714 | } else { | |||
715 | relay_abort_http(con, 500, | |||
716 | "socket error and asprintf failed", 0); | |||
717 | return; | |||
718 | } | |||
719 | } | |||
720 | ||||
721 | if ((rlay->rl_conf.flags & F_TLSCLIENT0x00200000) && (out->tls == NULL((void*)0))) { | |||
722 | relay_tls_transaction(con, out); | |||
723 | return; | |||
724 | } | |||
725 | ||||
726 | DPRINTF("%s: session %d: successful", __func__, con->se_id)do {} while(0); | |||
727 | ||||
728 | /* Log destination if it was changed in a keep-alive connection */ | |||
729 | if ((con->se_table != con->se_table0) && | |||
730 | (env->sc_conf.opts & (RELAYD_OPT_LOGCON0x20|RELAYD_OPT_LOGCONERR0x40))) { | |||
731 | con->se_table0 = con->se_table; | |||
732 | memset(&obuf, 0, sizeof(obuf)); | |||
733 | (void)print_host(&con->se_out.ss, obuf, sizeof(obuf)); | |||
734 | if (asprintf(&msg, " -> %s:%d", | |||
735 | obuf, ntohs(con->se_out.port)(__uint16_t)(__builtin_constant_p(con->se_out.port) ? (__uint16_t )(((__uint16_t)(con->se_out.port) & 0xffU) << 8 | ((__uint16_t)(con->se_out.port) & 0xff00U) >> 8 ) : __swap16md(con->se_out.port))) == -1) { | |||
736 | relay_abort_http(con, 500, | |||
737 | "connection changed and asprintf failed", 0); | |||
738 | return; | |||
739 | } | |||
740 | relay_log(con, msg); | |||
741 | free(msg); | |||
742 | } | |||
743 | ||||
744 | switch (rlay->rl_proto->type) { | |||
745 | case RELAY_PROTO_HTTP: | |||
746 | if (relay_httpdesc_init(out) == -1) { | |||
747 | relay_close(con, | |||
748 | "failed to allocate http descriptor", 1); | |||
749 | return; | |||
750 | } | |||
751 | con->se_out.toread = TOREAD_HTTP_HEADER; | |||
752 | outrd = relay_read_http; | |||
753 | break; | |||
754 | case RELAY_PROTO_TCP: | |||
755 | /* Use defaults */ | |||
756 | break; | |||
757 | default: | |||
758 | fatalx("%s: unknown protocol", __func__); | |||
759 | } | |||
760 | ||||
761 | /* | |||
762 | * Relay <-> Server | |||
763 | */ | |||
764 | bev = bufferevent_new(fd, outrd, outwr, relay_error, &con->se_out); | |||
765 | if (bev == NULL((void*)0)) { | |||
766 | relay_abort_http(con, 500, | |||
767 | "failed to allocate output buffer event", 0); | |||
768 | return; | |||
769 | } | |||
770 | /* write pending output buffer now */ | |||
771 | if (bufferevent_write_buffer(bev, con->se_out.output)) { | |||
772 | relay_abort_http(con, 500, strerror(errno(*__errno())), 0); | |||
773 | return; | |||
774 | } | |||
775 | con->se_out.bev = bev; | |||
776 | ||||
777 | /* Initialize the TLS wrapper */ | |||
778 | if ((rlay->rl_conf.flags & F_TLSCLIENT0x00200000) && (out->tls != NULL((void*)0))) | |||
779 | relay_tls_connected(out); | |||
780 | ||||
781 | bufferevent_settimeout(bev, | |||
782 | rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); | |||
783 | bufferevent_setwatermark(bev, EV_WRITE0x04, | |||
784 | RELAY_MIN_PREFETCHED32 * proto->tcpbufsiz, 0); | |||
785 | bufferevent_enable(bev, EV_READ0x02|EV_WRITE0x04); | |||
786 | if (con->se_in.bev) | |||
787 | bufferevent_enable(con->se_in.bev, EV_READ0x02); | |||
788 | ||||
789 | if (relay_splice(&con->se_out) == -1) | |||
790 | relay_close(con, strerror(errno(*__errno())), 1); | |||
791 | } | |||
792 | ||||
793 | void | |||
794 | relay_input(struct rsession *con) | |||
795 | { | |||
796 | struct relay *rlay = con->se_relay; | |||
797 | struct protocol *proto = rlay->rl_proto; | |||
798 | evbuffercb inrd = relay_read; | |||
799 | evbuffercb inwr = relay_write; | |||
800 | ||||
801 | switch (rlay->rl_proto->type) { | |||
802 | case RELAY_PROTO_HTTP: | |||
803 | if (relay_http_priv_init(con) == -1) { | |||
804 | relay_close(con, | |||
805 | "failed to allocate http descriptor", 1); | |||
806 | return; | |||
807 | } | |||
808 | con->se_in.toread = TOREAD_HTTP_HEADER; | |||
809 | inrd = relay_read_http; | |||
810 | break; | |||
811 | case RELAY_PROTO_TCP: | |||
812 | /* Use defaults */ | |||
813 | break; | |||
814 | default: | |||
815 | fatalx("%s: unknown protocol", __func__); | |||
816 | } | |||
817 | ||||
818 | /* | |||
819 | * Client <-> Relay | |||
820 | */ | |||
821 | con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr, | |||
822 | relay_error, &con->se_in); | |||
823 | if (con->se_in.bev == NULL((void*)0)) { | |||
824 | relay_close(con, "failed to allocate input buffer event", 1); | |||
825 | return; | |||
826 | } | |||
827 | ||||
828 | /* Initialize the TLS wrapper */ | |||
829 | if ((rlay->rl_conf.flags & F_TLS0x00000800) && con->se_in.tls != NULL((void*)0)) | |||
830 | relay_tls_connected(&con->se_in); | |||
831 | ||||
832 | bufferevent_settimeout(con->se_in.bev, | |||
833 | rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); | |||
834 | bufferevent_setwatermark(con->se_in.bev, EV_WRITE0x04, | |||
835 | RELAY_MIN_PREFETCHED32 * proto->tcpbufsiz, 0); | |||
836 | bufferevent_enable(con->se_in.bev, EV_READ0x02|EV_WRITE0x04); | |||
837 | ||||
838 | if (relay_splice(&con->se_in) == -1) | |||
839 | relay_close(con, strerror(errno(*__errno())), 1); | |||
840 | } | |||
841 | ||||
842 | void | |||
843 | relay_write(struct bufferevent *bev, void *arg) | |||
844 | { | |||
845 | struct ctl_relay_event *cre = arg; | |||
846 | struct rsession *con = cre->con; | |||
847 | ||||
848 | getmonotime(&con->se_tv_last); | |||
849 | ||||
850 | if (con->se_done && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(bev))((bev)->output)->off == 0) | |||
851 | goto done; | |||
852 | if (cre->dst->bev) | |||
853 | bufferevent_enable(cre->dst->bev, EV_READ0x02); | |||
854 | if (relay_splice(cre->dst) == -1) | |||
855 | goto fail; | |||
856 | ||||
857 | return; | |||
858 | done: | |||
859 | relay_close(con, "last write (done)", 0); | |||
860 | return; | |||
861 | fail: | |||
862 | relay_close(con, strerror(errno(*__errno())), 1); | |||
863 | } | |||
864 | ||||
865 | void | |||
866 | relay_dump(struct ctl_relay_event *cre, const void *buf, size_t len) | |||
867 | { | |||
868 | if (!len) | |||
869 | return; | |||
870 | ||||
871 | /* | |||
872 | * This function will dump the specified message directly | |||
873 | * to the underlying session, without waiting for success | |||
874 | * of non-blocking events etc. This is useful to print an | |||
875 | * error message before gracefully closing the session. | |||
876 | */ | |||
877 | if (cre->tls != NULL((void*)0)) | |||
878 | (void)tls_write(cre->tls, buf, len); | |||
879 | else | |||
880 | (void)write(cre->s, buf, len); | |||
881 | } | |||
882 | ||||
883 | void | |||
884 | relay_read(struct bufferevent *bev, void *arg) | |||
885 | { | |||
886 | struct ctl_relay_event *cre = arg; | |||
887 | struct rsession *con = cre->con; | |||
888 | struct protocol *proto = con->se_relay->rl_proto; | |||
889 | struct evbuffer *src = EVBUFFER_INPUT(bev)(bev)->input; | |||
890 | ||||
891 | getmonotime(&con->se_tv_last); | |||
892 | cre->timedout = 0; | |||
893 | ||||
894 | if (!EVBUFFER_LENGTH(src)(src)->off) | |||
895 | return; | |||
896 | if (relay_bufferevent_write_buffer(cre->dst, src) == -1) | |||
897 | goto fail; | |||
898 | if (con->se_done) | |||
899 | goto done; | |||
900 | if (cre->dst->bev) | |||
901 | bufferevent_enable(cre->dst->bev, EV_READ0x02); | |||
902 | if (cre->dst->bev && EVBUFFER_LENGTH(EVBUFFER_OUTPUT(cre->dst->bev))((cre->dst->bev)->output)->off > | |||
903 | (size_t)RELAY_MAX_PREFETCH256 * proto->tcpbufsiz) | |||
904 | bufferevent_disable(bev, EV_READ0x02); | |||
905 | ||||
906 | return; | |||
907 | done: | |||
908 | relay_close(con, "last read (done)", 0); | |||
909 | return; | |||
910 | fail: | |||
911 | relay_close(con, strerror(errno(*__errno())), 1); | |||
912 | } | |||
913 | ||||
914 | /* | |||
915 | * Splice sockets from cre to cre->dst if applicable. Returns: | |||
916 | * -1 socket splicing has failed | |||
917 | * 0 socket splicing is currently not possible | |||
918 | * 1 socket splicing was successful | |||
919 | */ | |||
920 | int | |||
921 | relay_splice(struct ctl_relay_event *cre) | |||
922 | { | |||
923 | struct rsession *con = cre->con; | |||
924 | struct relay *rlay = con->se_relay; | |||
925 | struct protocol *proto = rlay->rl_proto; | |||
926 | struct splice sp; | |||
927 | ||||
928 | if ((rlay->rl_conf.flags & (F_TLS0x00000800|F_TLSCLIENT0x00200000)) || | |||
929 | (proto->tcpflags & TCPFLAG_NSPLICE0x80)) | |||
930 | return (0); | |||
931 | ||||
932 | if (cre->splicelen >= 0) | |||
933 | return (0); | |||
934 | ||||
935 | /* still not connected */ | |||
936 | if (cre->bev == NULL((void*)0) || cre->dst->bev == NULL((void*)0)) | |||
937 | return (0); | |||
938 | ||||
939 | if (!(cre->toread == TOREAD_UNLIMITED || cre->toread > 0)) { | |||
940 | DPRINTF("%s: session %d: splice dir %d, nothing to read %lld",do {} while(0) | |||
941 | __func__, con->se_id, cre->dir, cre->toread)do {} while(0); | |||
942 | return (0); | |||
943 | } | |||
944 | ||||
945 | /* do not splice before buffers have not been completely flushed */ | |||
946 | if (EVBUFFER_LENGTH(cre->bev->input)(cre->bev->input)->off || | |||
947 | EVBUFFER_LENGTH(cre->dst->bev->output)(cre->dst->bev->output)->off) { | |||
948 | DPRINTF("%s: session %d: splice dir %d, dirty buffer",do {} while(0) | |||
949 | __func__, con->se_id, cre->dir)do {} while(0); | |||
950 | bufferevent_disable(cre->bev, EV_READ0x02); | |||
951 | return (0); | |||
952 | } | |||
953 | ||||
954 | bzero(&sp, sizeof(sp)); | |||
955 | sp.sp_fd = cre->dst->s; | |||
956 | sp.sp_max = cre->toread > 0 ? cre->toread : 0; | |||
957 | bcopy(&rlay->rl_conf.timeout, &sp.sp_idle, sizeof(sp.sp_idle)); | |||
958 | if (setsockopt(cre->s, SOL_SOCKET0xffff, SO_SPLICE0x1023, &sp, sizeof(sp)) == -1) { | |||
959 | log_debug("%s: session %d: splice dir %d failed: %s", | |||
960 | __func__, con->se_id, cre->dir, strerror(errno(*__errno()))); | |||
961 | return (-1); | |||
962 | } | |||
963 | cre->splicelen = 0; | |||
964 | bufferevent_enable(cre->bev, EV_READ0x02); | |||
965 | ||||
966 | DPRINTF("%s: session %d: splice dir %d, maximum %lld, successful",do {} while(0) | |||
967 | __func__, con->se_id, cre->dir, cre->toread)do {} while(0); | |||
968 | ||||
969 | return (1); | |||
970 | } | |||
971 | ||||
972 | int | |||
973 | relay_splicelen(struct ctl_relay_event *cre) | |||
974 | { | |||
975 | struct rsession *con = cre->con; | |||
976 | off_t len; | |||
977 | socklen_t optlen; | |||
978 | ||||
979 | if (cre->splicelen < 0) | |||
980 | return (0); | |||
981 | ||||
982 | optlen = sizeof(len); | |||
983 | if (getsockopt(cre->s, SOL_SOCKET0xffff, SO_SPLICE0x1023, &len, &optlen) == -1) { | |||
984 | log_debug("%s: session %d: splice dir %d get length failed: %s", | |||
985 | __func__, con->se_id, cre->dir, strerror(errno(*__errno()))); | |||
986 | return (-1); | |||
987 | } | |||
988 | ||||
989 | DPRINTF("%s: session %d: splice dir %d, length %lld",do {} while(0) | |||
990 | __func__, con->se_id, cre->dir, len)do {} while(0); | |||
991 | ||||
992 | if (len > cre->splicelen) { | |||
993 | getmonotime(&con->se_tv_last); | |||
994 | ||||
995 | cre->splicelen = len; | |||
996 | return (1); | |||
997 | } | |||
998 | ||||
999 | return (0); | |||
1000 | } | |||
1001 | ||||
1002 | int | |||
1003 | relay_spliceadjust(struct ctl_relay_event *cre) | |||
1004 | { | |||
1005 | if (cre->splicelen < 0) | |||
1006 | return (0); | |||
1007 | if (relay_splicelen(cre) == -1) | |||
1008 | return (-1); | |||
1009 | if (cre->splicelen > 0 && cre->toread > 0) | |||
1010 | cre->toread -= cre->splicelen; | |||
1011 | cre->splicelen = -1; | |||
1012 | ||||
1013 | return (0); | |||
1014 | } | |||
1015 | ||||
1016 | void | |||
1017 | relay_error(struct bufferevent *bev, short error, void *arg) | |||
1018 | { | |||
1019 | struct ctl_relay_event *cre = arg; | |||
1020 | struct rsession *con = cre->con; | |||
1021 | struct evbuffer *dst; | |||
1022 | ||||
1023 | DPRINTF("%s: session %d: dir %d state %d to read %lld event error %x",do {} while(0) | |||
1024 | __func__, con->se_id, cre->dir, cre->state, cre->toread, error)do {} while(0); | |||
1025 | if (error & EVBUFFER_TIMEOUT0x40) { | |||
1026 | if (cre->splicelen >= 0) { | |||
1027 | bufferevent_enable(bev, EV_READ0x02); | |||
1028 | } else if (cre->dst->splicelen >= 0) { | |||
1029 | switch (relay_splicelen(cre->dst)) { | |||
1030 | case -1: | |||
1031 | goto fail; | |||
1032 | case 0: | |||
1033 | relay_close(con, "buffer event timeout", 1); | |||
1034 | break; | |||
1035 | case 1: | |||
1036 | cre->timedout = 1; | |||
1037 | bufferevent_enable(bev, EV_READ0x02); | |||
1038 | break; | |||
1039 | } | |||
1040 | } else { | |||
1041 | relay_close(con, "buffer event timeout", 1); | |||
1042 | } | |||
1043 | return; | |||
1044 | } | |||
1045 | if (error & EVBUFFER_ERROR0x20 && errno(*__errno()) == ETIMEDOUT60) { | |||
1046 | if (cre->dst->splicelen >= 0) { | |||
1047 | switch (relay_splicelen(cre->dst)) { | |||
1048 | case -1: | |||
1049 | goto fail; | |||
1050 | case 0: | |||
1051 | relay_close(con, "splice timeout", 1); | |||
1052 | return; | |||
1053 | case 1: | |||
1054 | bufferevent_enable(bev, EV_READ0x02); | |||
1055 | break; | |||
1056 | } | |||
1057 | } else if (cre->dst->timedout) { | |||
1058 | relay_close(con, "splice timeout", 1); | |||
1059 | return; | |||
1060 | } | |||
1061 | if (relay_spliceadjust(cre) == -1) | |||
1062 | goto fail; | |||
1063 | if (relay_splice(cre) == -1) | |||
1064 | goto fail; | |||
1065 | return; | |||
1066 | } | |||
1067 | if (error & EVBUFFER_ERROR0x20 && errno(*__errno()) == EFBIG27) { | |||
1068 | if (relay_spliceadjust(cre) == -1) | |||
1069 | goto fail; | |||
1070 | bufferevent_enable(cre->bev, EV_READ0x02); | |||
1071 | return; | |||
1072 | } | |||
1073 | if (error & (EVBUFFER_READ0x01|EVBUFFER_WRITE0x02|EVBUFFER_EOF0x10)) { | |||
1074 | bufferevent_disable(bev, EV_READ0x02|EV_WRITE0x04); | |||
1075 | ||||
1076 | con->se_done = 1; | |||
1077 | if (cre->dst->bev != NULL((void*)0)) { | |||
1078 | dst = EVBUFFER_OUTPUT(cre->dst->bev)(cre->dst->bev)->output; | |||
1079 | if (EVBUFFER_LENGTH(dst)(dst)->off) | |||
1080 | return; | |||
1081 | } else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0) | |||
1082 | return; | |||
1083 | ||||
1084 | relay_close(con, "done", 0); | |||
1085 | return; | |||
1086 | } | |||
1087 | relay_close(con, "buffer event error", 1); | |||
1088 | return; | |||
1089 | fail: | |||
1090 | relay_close(con, strerror(errno(*__errno())), 1); | |||
1091 | } | |||
1092 | ||||
1093 | void | |||
1094 | relay_accept(int fd, short event, void *arg) | |||
1095 | { | |||
1096 | struct privsep *ps = env->sc_ps; | |||
1097 | struct relay *rlay = arg; | |||
1098 | struct rsession *con = NULL((void*)0); | |||
1099 | struct ctl_natlook *cnl = NULL((void*)0); | |||
1100 | socklen_t slen; | |||
1101 | struct timeval tv; | |||
1102 | struct sockaddr_storage ss; | |||
1103 | int s = -1; | |||
1104 | ||||
1105 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
1106 | if ((event & EV_TIMEOUT0x01)) | |||
1107 | return; | |||
1108 | ||||
1109 | slen = sizeof(ss); | |||
1110 | if ((s = accept_reserve(fd, (struct sockaddr *)&ss, | |||
1111 | &slen, FD_RESERVE5, &relay_inflight)) == -1) { | |||
1112 | /* | |||
1113 | * Pause accept if we are out of file descriptors, or | |||
1114 | * libevent will haunt us here too. | |||
1115 | */ | |||
1116 | if (errno(*__errno()) == ENFILE23 || errno(*__errno()) == EMFILE24) { | |||
1117 | struct timeval evtpause = { 1, 0 }; | |||
1118 | ||||
1119 | event_del(&rlay->rl_ev); | |||
1120 | evtimer_add(&rlay->rl_evt, &evtpause)event_add(&rlay->rl_evt, &evtpause); | |||
1121 | log_debug("%s: deferring connections", __func__); | |||
1122 | } | |||
1123 | return; | |||
1124 | } | |||
1125 | if (rlay->rl_conf.flags & F_DISABLE0x00000001) | |||
1126 | goto err; | |||
1127 | ||||
1128 | if ((con = calloc(1, sizeof(*con))) == NULL((void*)0)) | |||
1129 | goto err; | |||
1130 | ||||
1131 | /* Pre-allocate log buffer */ | |||
1132 | con->se_haslog = 0; | |||
1133 | con->se_log = evbuffer_new(); | |||
1134 | if (con->se_log == NULL((void*)0)) | |||
1135 | goto err; | |||
1136 | ||||
1137 | con->se_in.s = s; | |||
1138 | con->se_in.tls = NULL((void*)0); | |||
1139 | con->se_out.s = -1; | |||
1140 | con->se_out.tls = NULL((void*)0); | |||
1141 | con->se_in.dst = &con->se_out; | |||
1142 | con->se_out.dst = &con->se_in; | |||
1143 | con->se_in.con = con; | |||
1144 | con->se_out.con = con; | |||
1145 | con->se_in.splicelen = -1; | |||
1146 | con->se_out.splicelen = -1; | |||
1147 | con->se_in.toread = TOREAD_UNLIMITED; | |||
1148 | con->se_out.toread = TOREAD_UNLIMITED; | |||
1149 | con->se_relay = rlay; | |||
1150 | con->se_id = ++relay_conid; | |||
1151 | con->se_relayid = rlay->rl_conf.id; | |||
1152 | con->se_pid = getpid(); | |||
1153 | con->se_in.dir = RELAY_DIR_REQUEST; | |||
1154 | con->se_out.dir = RELAY_DIR_RESPONSE; | |||
1155 | con->se_retry = rlay->rl_conf.dstretry; | |||
1156 | con->se_bnds = -1; | |||
1157 | con->se_out.port = rlay->rl_conf.dstport; | |||
1158 | switch (ss.ss_family) { | |||
1159 | case AF_INET2: | |||
1160 | con->se_in.port = ((struct sockaddr_in *)&ss)->sin_port; | |||
1161 | break; | |||
1162 | case AF_INET624: | |||
1163 | con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port; | |||
1164 | break; | |||
1165 | } | |||
1166 | memcpy(&con->se_in.ss, &ss, sizeof(con->se_in.ss)); | |||
1167 | ||||
1168 | slen = sizeof(con->se_sockname); | |||
1169 | if (getsockname(s, (struct sockaddr *)&con->se_sockname, &slen) == -1) { | |||
1170 | relay_close(con, "sockname lookup failed", 1); | |||
1171 | return; | |||
1172 | } | |||
1173 | ||||
1174 | getmonotime(&con->se_tv_start); | |||
1175 | bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last)); | |||
1176 | ||||
1177 | if (rlay->rl_conf.flags & F_HASHKEY0x08000000) { | |||
1178 | SipHash24_Init(&con->se_siphashctx,SipHash_Init((&con->se_siphashctx), (&rlay->rl_conf .hashkey.siphashkey)) | |||
1179 | &rlay->rl_conf.hashkey.siphashkey)SipHash_Init((&con->se_siphashctx), (&rlay->rl_conf .hashkey.siphashkey)); | |||
1180 | } | |||
1181 | ||||
1182 | relay_sessions++; | |||
1183 | SPLAY_INSERT(session_tree, &rlay->rl_sessions, con)session_tree_SPLAY_INSERT(&rlay->rl_sessions, con); | |||
1184 | relay_session_publish(con); | |||
1185 | ||||
1186 | /* Increment the per-relay session counter */ | |||
1187 | rlay->rl_stats[ps->ps_instance].last++; | |||
1188 | ||||
1189 | /* Pre-allocate output buffer */ | |||
1190 | con->se_out.output = evbuffer_new(); | |||
1191 | if (con->se_out.output == NULL((void*)0)) { | |||
1192 | relay_close(con, "failed to allocate output buffer", 1); | |||
1193 | return; | |||
1194 | } | |||
1195 | ||||
1196 | if (rlay->rl_conf.flags & F_DIVERT0x01000000) { | |||
1197 | memcpy(&con->se_out.ss, &con->se_sockname, | |||
1198 | sizeof(con->se_out.ss)); | |||
1199 | con->se_out.port = relay_socket_getport(&con->se_out.ss); | |||
1200 | ||||
1201 | /* Detect loop and fall back to the alternate forward target */ | |||
1202 | if (bcmp(&rlay->rl_conf.ss, &con->se_out.ss, | |||
1203 | sizeof(con->se_out.ss)) == 0 && | |||
1204 | con->se_out.port == rlay->rl_conf.port) | |||
1205 | con->se_out.ss.ss_family = AF_UNSPEC0; | |||
1206 | } else if (rlay->rl_conf.flags & F_NATLOOK0x00001000) { | |||
1207 | if ((cnl = calloc(1, sizeof(*cnl))) == NULL((void*)0)) { | |||
1208 | relay_close(con, "failed to allocate nat lookup", 1); | |||
1209 | return; | |||
1210 | } | |||
1211 | ||||
1212 | con->se_cnl = cnl; | |||
1213 | bzero(cnl, sizeof(*cnl)); | |||
1214 | cnl->in = -1; | |||
1215 | cnl->id = con->se_id; | |||
1216 | cnl->proc = ps->ps_instance; | |||
1217 | cnl->proto = IPPROTO_TCP6; | |||
1218 | ||||
1219 | memcpy(&cnl->src, &con->se_in.ss, sizeof(cnl->src)); | |||
1220 | memcpy(&cnl->dst, &con->se_sockname, sizeof(cnl->dst)); | |||
1221 | ||||
1222 | proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK, | |||
1223 | cnl, sizeof(*cnl)); | |||
1224 | ||||
1225 | /* Schedule timeout */ | |||
1226 | evtimer_set(&con->se_ev, relay_natlook, con)event_set(&con->se_ev, -1, 0, relay_natlook, con); | |||
1227 | bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); | |||
1228 | evtimer_add(&con->se_ev, &tv)event_add(&con->se_ev, &tv); | |||
1229 | return; | |||
1230 | } | |||
1231 | ||||
1232 | if (rlay->rl_conf.flags & F_TLSINSPECT0x04000000) { | |||
1233 | relay_preconnect(con); | |||
1234 | return; | |||
1235 | } | |||
1236 | ||||
1237 | relay_session(con); | |||
1238 | return; | |||
1239 | err: | |||
1240 | if (s != -1) { | |||
1241 | close(s); | |||
1242 | free(con); | |||
1243 | /* | |||
1244 | * the session struct was not completely set up, but still | |||
1245 | * counted as an inflight session. account for this. | |||
1246 | */ | |||
1247 | relay_inflight--; | |||
1248 | log_debug("%s: inflight decremented, now %d", | |||
1249 | __func__, relay_inflight); | |||
1250 | } | |||
1251 | } | |||
1252 | ||||
1253 | void | |||
1254 | relay_hash_addr(SIPHASH_CTX *ctx, struct sockaddr_storage *ss, int portset) | |||
1255 | { | |||
1256 | struct sockaddr_in *sin4; | |||
1257 | struct sockaddr_in6 *sin6; | |||
1258 | in_port_t port; | |||
1259 | ||||
1260 | if (ss->ss_family == AF_INET2) { | |||
1261 | sin4 = (struct sockaddr_in *)ss; | |||
1262 | SipHash24_Update(ctx, &sin4->sin_addr,SipHash_Update((ctx), 2, 4, (&sin4->sin_addr), (sizeof (struct in_addr))) | |||
1263 | sizeof(struct in_addr))SipHash_Update((ctx), 2, 4, (&sin4->sin_addr), (sizeof (struct in_addr))); | |||
1264 | } else { | |||
1265 | sin6 = (struct sockaddr_in6 *)ss; | |||
1266 | SipHash24_Update(ctx, &sin6->sin6_addr,SipHash_Update((ctx), 2, 4, (&sin6->sin6_addr), (sizeof (struct in6_addr))) | |||
1267 | sizeof(struct in6_addr))SipHash_Update((ctx), 2, 4, (&sin6->sin6_addr), (sizeof (struct in6_addr))); | |||
1268 | } | |||
1269 | ||||
1270 | if (portset != -1) { | |||
1271 | port = (in_port_t)portset; | |||
1272 | SipHash24_Update(ctx, &port, sizeof(port))SipHash_Update((ctx), 2, 4, (&port), (sizeof(port))); | |||
1273 | } | |||
1274 | } | |||
1275 | ||||
1276 | int | |||
1277 | relay_from_table(struct rsession *con) | |||
1278 | { | |||
1279 | struct relay *rlay = con->se_relay; | |||
1280 | struct host *host = NULL((void*)0); | |||
1281 | struct relay_table *rlt = NULL((void*)0); | |||
1282 | struct table *table = NULL((void*)0); | |||
1283 | int idx = -1; | |||
1284 | int cnt = 0; | |||
1285 | int maxtries; | |||
1286 | u_int64_t p = 0; | |||
1287 | ||||
1288 | /* the table is already selected */ | |||
1289 | if (con->se_table != NULL((void*)0)) { | |||
1290 | rlt = con->se_table; | |||
1291 | table = rlt->rlt_table; | |||
1292 | if (table->conf.check && !table->up) | |||
1293 | table = NULL((void*)0); | |||
1294 | goto gottable; | |||
1295 | } | |||
1296 | ||||
1297 | /* otherwise grep the first active table */ | |||
1298 | TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry)for((rlt) = ((&rlay->rl_tables)->tqh_first); (rlt) != ((void*)0); (rlt) = ((rlt)->rlt_entry.tqe_next)) { | |||
1299 | table = rlt->rlt_table; | |||
1300 | if ((rlt->rlt_flags & F_USED0x00000004) == 0 || | |||
1301 | (table->conf.check && !table->up)) | |||
1302 | table = NULL((void*)0); | |||
1303 | else | |||
1304 | break; | |||
1305 | } | |||
1306 | ||||
1307 | gottable: | |||
1308 | if (table == NULL((void*)0)) { | |||
1309 | log_debug("%s: session %d: no active hosts", | |||
1310 | __func__, con->se_id); | |||
1311 | return (-1); | |||
1312 | } | |||
1313 | ||||
1314 | switch (rlt->rlt_mode) { | |||
1315 | case RELAY_DSTMODE_ROUNDROBIN: | |||
1316 | if ((int)rlt->rlt_index >= rlt->rlt_nhosts) | |||
1317 | rlt->rlt_index = 0; | |||
1318 | idx = (int)rlt->rlt_index; | |||
1319 | break; | |||
1320 | case RELAY_DSTMODE_RANDOM: | |||
1321 | idx = (int)arc4random_uniform(rlt->rlt_nhosts); | |||
1322 | break; | |||
1323 | case RELAY_DSTMODE_SRCHASH: | |||
1324 | /* Source IP address without port */ | |||
1325 | relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); | |||
1326 | break; | |||
1327 | case RELAY_DSTMODE_LOADBALANCE: | |||
1328 | /* Source IP address without port */ | |||
1329 | relay_hash_addr(&con->se_siphashctx, &con->se_in.ss, -1); | |||
1330 | /* FALLTHROUGH */ | |||
1331 | case RELAY_DSTMODE_HASH: | |||
1332 | /* Local "destination" IP address and port */ | |||
1333 | relay_hash_addr(&con->se_siphashctx, &rlay->rl_conf.ss, | |||
1334 | rlay->rl_conf.port); | |||
1335 | break; | |||
1336 | default: | |||
1337 | fatalx("%s: unsupported mode", __func__); | |||
1338 | /* NOTREACHED */ | |||
1339 | } | |||
1340 | if (idx == -1) { | |||
1341 | /* handle all hashing algorithms */ | |||
1342 | p = SipHash24_End(&con->se_siphashctx)SipHash_End((&con->se_siphashctx), 2, 4); | |||
1343 | ||||
1344 | /* Reset hash context */ | |||
1345 | SipHash24_Init(&con->se_siphashctx,SipHash_Init((&con->se_siphashctx), (&rlay->rl_conf .hashkey.siphashkey)) | |||
1346 | &rlay->rl_conf.hashkey.siphashkey)SipHash_Init((&con->se_siphashctx), (&rlay->rl_conf .hashkey.siphashkey)); | |||
1347 | ||||
1348 | maxtries = (rlt->rlt_nhosts < RELAY_MAX_HASH_RETRIES5 ? | |||
1349 | rlt->rlt_nhosts : RELAY_MAX_HASH_RETRIES5); | |||
1350 | for (cnt = 0; cnt < maxtries; cnt++) { | |||
1351 | if ((idx = p % rlt->rlt_nhosts) >= RELAY_MAXHOSTS32) | |||
1352 | return (-1); | |||
1353 | ||||
1354 | host = rlt->rlt_host[idx]; | |||
1355 | ||||
1356 | DPRINTF("%s: session %d: table %s host %s, "do {} while(0) | |||
1357 | "p 0x%016llx, idx %d, cnt %d, max %d",do {} while(0) | |||
1358 | __func__, con->se_id, table->conf.name,do {} while(0) | |||
1359 | host->conf.name, p, idx, cnt, maxtries)do {} while(0); | |||
1360 | ||||
1361 | if (!table->conf.check || host->up == HOST_UP) | |||
1362 | goto found; | |||
1363 | p = p >> 1; | |||
1364 | } | |||
1365 | } else { | |||
1366 | /* handle all non-hashing algorithms */ | |||
1367 | host = rlt->rlt_host[idx]; | |||
1368 | DPRINTF("%s: session %d: table %s host %s, p 0x%016llx, idx %d",do {} while(0) | |||
1369 | __func__, con->se_id, table->conf.name, host->conf.name,do {} while(0) | |||
1370 | p, idx)do {} while(0); | |||
1371 | } | |||
1372 | ||||
1373 | while (host != NULL((void*)0)) { | |||
1374 | DPRINTF("%s: session %d: host %s", __func__,do {} while(0) | |||
1375 | con->se_id, host->conf.name)do {} while(0); | |||
1376 | if (!table->conf.check || host->up == HOST_UP) | |||
1377 | goto found; | |||
1378 | host = TAILQ_NEXT(host, entry)((host)->entry.tqe_next); | |||
1379 | } | |||
1380 | TAILQ_FOREACH(host, &table->hosts, entry)for((host) = ((&table->hosts)->tqh_first); (host) != ((void*)0); (host) = ((host)->entry.tqe_next)) { | |||
1381 | DPRINTF("%s: session %d: next host %s",do {} while(0) | |||
1382 | __func__, con->se_id, host->conf.name)do {} while(0); | |||
1383 | if (!table->conf.check || host->up == HOST_UP) | |||
1384 | goto found; | |||
1385 | } | |||
1386 | ||||
1387 | /* Should not happen */ | |||
1388 | fatalx("%s: no active hosts, desynchronized", __func__); | |||
1389 | ||||
1390 | found: | |||
1391 | if (rlt->rlt_mode == RELAY_DSTMODE_ROUNDROBIN) | |||
1392 | rlt->rlt_index = host->idx + 1; | |||
1393 | con->se_retry = host->conf.retry; | |||
1394 | con->se_out.port = table->conf.port; | |||
1395 | bcopy(&host->conf.ss, &con->se_out.ss, sizeof(con->se_out.ss)); | |||
1396 | ||||
1397 | return (0); | |||
1398 | } | |||
1399 | ||||
1400 | void | |||
1401 | relay_natlook(int fd, short event, void *arg) | |||
1402 | { | |||
1403 | struct rsession *con = arg; | |||
1404 | struct relay *rlay = con->se_relay; | |||
1405 | struct ctl_natlook *cnl = con->se_cnl; | |||
1406 | ||||
1407 | if (cnl == NULL((void*)0)) | |||
1408 | fatalx("invalid NAT lookup"); | |||
1409 | ||||
1410 | if (con->se_out.ss.ss_family == AF_UNSPEC0 && cnl->in == -1 && | |||
1411 | rlay->rl_conf.dstss.ss_family == AF_UNSPEC0 && | |||
1412 | TAILQ_EMPTY(&rlay->rl_tables)(((&rlay->rl_tables)->tqh_first) == ((void*)0))) { | |||
1413 | relay_close(con, "session NAT lookup failed", 1); | |||
1414 | return; | |||
1415 | } | |||
1416 | if (cnl->in != -1) { | |||
1417 | bcopy(&cnl->rdst, &con->se_out.ss, sizeof(con->se_out.ss)); | |||
1418 | con->se_out.port = cnl->rdport; | |||
1419 | } | |||
1420 | free(con->se_cnl); | |||
1421 | con->se_cnl = NULL((void*)0); | |||
1422 | ||||
1423 | relay_session(con); | |||
1424 | } | |||
1425 | ||||
1426 | void | |||
1427 | relay_session(struct rsession *con) | |||
1428 | { | |||
1429 | struct relay *rlay = con->se_relay; | |||
1430 | struct ctl_relay_event *in = &con->se_in, *out = &con->se_out; | |||
1431 | ||||
1432 | if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 && | |||
1433 | out->port == rlay->rl_conf.port) { | |||
1434 | log_debug("%s: session %d: looping", __func__, con->se_id); | |||
1435 | relay_close(con, "session aborted", 1); | |||
1436 | return; | |||
1437 | } | |||
1438 | ||||
1439 | if (rlay->rl_conf.flags & F_UDP0x00010000) { | |||
1440 | /* | |||
1441 | * Call the UDP protocol-specific handler | |||
1442 | */ | |||
1443 | if (rlay->rl_proto->request == NULL((void*)0)) | |||
1444 | fatalx("invalide UDP session"); | |||
1445 | if ((*rlay->rl_proto->request)(con) == -1) | |||
1446 | relay_close(con, "session failed", 1); | |||
1447 | return; | |||
1448 | } | |||
1449 | ||||
1450 | if ((rlay->rl_conf.flags & F_TLS0x00000800) && (in->tls == NULL((void*)0))) { | |||
1451 | relay_tls_transaction(con, in); | |||
1452 | return; | |||
1453 | } | |||
1454 | ||||
1455 | if (rlay->rl_proto->type != RELAY_PROTO_HTTP) { | |||
1456 | if (rlay->rl_conf.fwdmode == FWD_TRANS) | |||
1457 | relay_bindanyreq(con, 0, IPPROTO_TCP6); | |||
1458 | else if (relay_connect(con) == -1) { | |||
1459 | relay_close(con, "session failed", 1); | |||
1460 | return; | |||
1461 | } | |||
1462 | } | |||
1463 | ||||
1464 | relay_input(con); | |||
1465 | } | |||
1466 | ||||
1467 | void | |||
1468 | relay_bindanyreq(struct rsession *con, in_port_t port, int proto) | |||
1469 | { | |||
1470 | struct privsep *ps = env->sc_ps; | |||
1471 | struct relay *rlay = con->se_relay; | |||
1472 | struct ctl_bindany bnd; | |||
1473 | struct timeval tv; | |||
1474 | ||||
1475 | bzero(&bnd, sizeof(bnd)); | |||
1476 | bnd.bnd_id = con->se_id; | |||
1477 | bnd.bnd_proc = ps->ps_instance; | |||
1478 | bnd.bnd_port = port; | |||
1479 | bnd.bnd_proto = proto; | |||
1480 | bcopy(&con->se_in.ss, &bnd.bnd_ss, sizeof(bnd.bnd_ss)); | |||
1481 | proc_compose(env->sc_ps, PROC_PARENT, IMSG_BINDANY, | |||
1482 | &bnd, sizeof(bnd)); | |||
1483 | ||||
1484 | /* Schedule timeout */ | |||
1485 | evtimer_set(&con->se_ev, relay_bindany, con)event_set(&con->se_ev, -1, 0, relay_bindany, con); | |||
1486 | bcopy(&rlay->rl_conf.timeout, &tv, sizeof(tv)); | |||
1487 | evtimer_add(&con->se_ev, &tv)event_add(&con->se_ev, &tv); | |||
1488 | } | |||
1489 | ||||
1490 | void | |||
1491 | relay_bindany(int fd, short event, void *arg) | |||
1492 | { | |||
1493 | struct rsession *con = arg; | |||
1494 | ||||
1495 | if (con->se_bnds == -1) { | |||
1496 | relay_close(con, "bindany failed, invalid socket", 1); | |||
1497 | return; | |||
1498 | } | |||
1499 | if (relay_connect(con) == -1) | |||
1500 | relay_close(con, "session failed", 1); | |||
1501 | } | |||
1502 | ||||
1503 | void | |||
1504 | relay_connect_state(struct rsession *con, struct ctl_relay_event *cre, | |||
1505 | enum relay_state new) | |||
1506 | { | |||
1507 | DPRINTF("%s: session %d: %s state %s -> %s",do {} while(0) | |||
1508 | __func__, con->se_id,do {} while(0) | |||
1509 | cre->dir == RELAY_DIR_REQUEST ? "accept" : "connect",do {} while(0) | |||
1510 | relay_state(cre->state), relay_state(new))do {} while(0); | |||
1511 | cre->state = new; | |||
1512 | } | |||
1513 | ||||
1514 | void | |||
1515 | relay_connect_retry(int fd, short sig, void *arg) | |||
1516 | { | |||
1517 | struct timeval evtpause = { 1, 0 }; | |||
1518 | struct rsession *con = arg; | |||
1519 | struct relay *rlay = con->se_relay; | |||
1520 | int bnds = -1; | |||
1521 | ||||
1522 | if (relay_inflight < 1) { | |||
1523 | log_warnx("%s: no connection in flight", __func__); | |||
1524 | relay_inflight = 1; | |||
1525 | } | |||
1526 | ||||
1527 | DPRINTF("%s: retry %d of %d, inflight: %d",__func__,do {} while(0) | |||
1528 | con->se_retrycount, con->se_retry, relay_inflight)do {} while(0); | |||
1529 | ||||
1530 | if (sig != EV_TIMEOUT0x01) | |||
1531 | fatalx("%s: called without timeout", __func__); | |||
1532 | ||||
1533 | evtimer_del(&con->se_inflightevt)event_del(&con->se_inflightevt); | |||
1534 | ||||
1535 | /* | |||
1536 | * XXX we might want to check if the inbound socket is still | |||
1537 | * available: client could have closed it while we were waiting? | |||
1538 | */ | |||
1539 | ||||
1540 | DPRINTF("%s: got EV_TIMEOUT", __func__)do {} while(0); | |||
1541 | ||||
1542 | if (getdtablecount() + FD_RESERVE5 + | |||
1543 | relay_inflight > getdtablesize()) { | |||
1544 | if (con->se_retrycount < RELAY_OUTOF_FD_RETRIES5) { | |||
1545 | evtimer_add(&con->se_inflightevt, &evtpause)event_add(&con->se_inflightevt, &evtpause); | |||
1546 | return; | |||
1547 | } | |||
1548 | /* we waited for RELAY_OUTOF_FD_RETRIES seconds, give up */ | |||
1549 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
1550 | relay_abort_http(con, 504, "connection timed out", 0); | |||
1551 | return; | |||
1552 | } | |||
1553 | ||||
1554 | if (rlay->rl_conf.fwdmode == FWD_TRANS) { | |||
1555 | /* con->se_bnds cannot be unset */ | |||
1556 | bnds = con->se_bnds; | |||
1557 | } | |||
1558 | ||||
1559 | retry: | |||
1560 | if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, | |||
1561 | con->se_out.port, rlay->rl_proto, bnds)) == -1) { | |||
1562 | log_debug("%s: session %d: " | |||
1563 | "forward failed: %s, %s", __func__, | |||
1564 | con->se_id, strerror(errno(*__errno())), | |||
1565 | con->se_retry ? "next retry" : "last retry"); | |||
1566 | ||||
1567 | con->se_retrycount++; | |||
1568 | ||||
1569 | if ((errno(*__errno()) == ENFILE23 || errno(*__errno()) == EMFILE24) && | |||
1570 | (con->se_retrycount < con->se_retry)) { | |||
1571 | event_del(&rlay->rl_ev); | |||
1572 | evtimer_add(&con->se_inflightevt, &evtpause)event_add(&con->se_inflightevt, &evtpause); | |||
1573 | evtimer_add(&rlay->rl_evt, &evtpause)event_add(&rlay->rl_evt, &evtpause); | |||
1574 | return; | |||
1575 | } else if (con->se_retrycount < con->se_retry) | |||
1576 | goto retry; | |||
1577 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
1578 | relay_abort_http(con, 504, "connect failed", 0); | |||
1579 | return; | |||
1580 | } | |||
1581 | ||||
1582 | if (rlay->rl_conf.flags & F_TLSINSPECT0x04000000) | |||
1583 | relay_connect_state(con, &con->se_out, STATE_PRECONNECT); | |||
1584 | else | |||
1585 | relay_connect_state(con, &con->se_out, STATE_CONNECTED); | |||
1586 | relay_inflight--; | |||
1587 | DPRINTF("%s: inflight decremented, now %d",__func__, relay_inflight)do {} while(0); | |||
1588 | ||||
1589 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
1590 | ||||
1591 | if (errno(*__errno()) == EINPROGRESS36) | |||
1592 | event_again(&con->se_ev, con->se_out.s, EV_WRITE0x04|EV_TIMEOUT0x01, | |||
1593 | relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, | |||
1594 | con); | |||
1595 | else | |||
1596 | relay_connected(con->se_out.s, EV_WRITE0x04, con); | |||
1597 | ||||
1598 | return; | |||
1599 | } | |||
1600 | ||||
1601 | int | |||
1602 | relay_preconnect(struct rsession *con) | |||
1603 | { | |||
1604 | int rv; | |||
1605 | ||||
1606 | log_debug("%s: session %d: process %d", __func__, | |||
1607 | con->se_id, privsep_process); | |||
1608 | rv = relay_connect(con); | |||
1609 | if (con->se_out.state == STATE_CONNECTED) | |||
1610 | relay_connect_state(con, &con->se_out, STATE_PRECONNECT); | |||
1611 | return (rv); | |||
1612 | } | |||
1613 | ||||
1614 | int | |||
1615 | relay_connect(struct rsession *con) | |||
1616 | { | |||
1617 | struct relay *rlay = con->se_relay; | |||
1618 | struct timeval evtpause = { 1, 0 }; | |||
1619 | int bnds = -1, ret; | |||
1620 | ||||
1621 | /* relay_connect should only be called once per relay */ | |||
1622 | if (con->se_out.state == STATE_CONNECTED) { | |||
1623 | log_debug("%s: connect already called once", __func__); | |||
1624 | return (0); | |||
1625 | } | |||
1626 | ||||
1627 | /* Connection is already established but session not active */ | |||
1628 | if ((rlay->rl_conf.flags & F_TLSINSPECT0x04000000) && | |||
1629 | con->se_out.state == STATE_PRECONNECT) { | |||
1630 | if (con->se_out.tls == NULL((void*)0)) { | |||
1631 | log_debug("%s: tls connect failed", __func__); | |||
1632 | return (-1); | |||
1633 | } | |||
1634 | relay_connected(con->se_out.s, EV_WRITE0x04, con); | |||
1635 | relay_connect_state(con, &con->se_out, STATE_CONNECTED); | |||
| ||||
1636 | return (0); | |||
1637 | } | |||
1638 | ||||
1639 | if (relay_inflight < 1) { | |||
1640 | log_warnx("relay_connect: no connection in flight"); | |||
1641 | relay_inflight = 1; | |||
1642 | } | |||
1643 | ||||
1644 | getmonotime(&con->se_tv_start); | |||
1645 | ||||
1646 | if (con->se_out.ss.ss_family == AF_UNSPEC0 && | |||
1647 | !TAILQ_EMPTY(&rlay->rl_tables)(((&rlay->rl_tables)->tqh_first) == ((void*)0))) { | |||
1648 | if (relay_from_table(con) != 0) | |||
1649 | return (-1); | |||
1650 | } else if (con->se_out.ss.ss_family == AF_UNSPEC0) { | |||
1651 | bcopy(&rlay->rl_conf.dstss, &con->se_out.ss, | |||
1652 | sizeof(con->se_out.ss)); | |||
1653 | con->se_out.port = rlay->rl_conf.dstport; | |||
1654 | } | |||
1655 | ||||
1656 | if (rlay->rl_conf.fwdmode == FWD_TRANS) { | |||
1657 | if (con->se_bnds == -1) { | |||
1658 | log_debug("%s: could not bind any sock", __func__); | |||
1659 | return (-1); | |||
1660 | } | |||
1661 | bnds = con->se_bnds; | |||
1662 | } | |||
1663 | ||||
1664 | /* Do the IPv4-to-IPv6 or IPv6-to-IPv4 translation if requested */ | |||
1665 | if (rlay->rl_conf.dstaf.ss_family != AF_UNSPEC0) { | |||
1666 | if (con->se_out.ss.ss_family == AF_INET2 && | |||
1667 | rlay->rl_conf.dstaf.ss_family == AF_INET624) | |||
1668 | ret = map4to6(&con->se_out.ss, &rlay->rl_conf.dstaf); | |||
1669 | else if (con->se_out.ss.ss_family == AF_INET624 && | |||
1670 | rlay->rl_conf.dstaf.ss_family == AF_INET2) | |||
1671 | ret = map6to4(&con->se_out.ss); | |||
1672 | else | |||
1673 | ret = 0; | |||
1674 | if (ret != 0) { | |||
1675 | log_debug("%s: mapped to invalid address", __func__); | |||
1676 | return (-1); | |||
1677 | } | |||
1678 | } | |||
1679 | ||||
1680 | retry: | |||
1681 | if ((con->se_out.s = relay_socket_connect(&con->se_out.ss, | |||
1682 | con->se_out.port, rlay->rl_proto, bnds)) == -1) { | |||
1683 | if (errno(*__errno()) == ENFILE23 || errno(*__errno()) == EMFILE24) { | |||
1684 | log_debug("%s: session %d: forward failed: %s", | |||
1685 | __func__, con->se_id, strerror(errno(*__errno()))); | |||
1686 | evtimer_set(&con->se_inflightevt, relay_connect_retry,event_set(&con->se_inflightevt, -1, 0, relay_connect_retry , con) | |||
1687 | con)event_set(&con->se_inflightevt, -1, 0, relay_connect_retry , con); | |||
1688 | event_del(&rlay->rl_ev); | |||
1689 | evtimer_add(&con->se_inflightevt, &evtpause)event_add(&con->se_inflightevt, &evtpause); | |||
1690 | evtimer_add(&rlay->rl_evt, &evtpause)event_add(&rlay->rl_evt, &evtpause); | |||
1691 | ||||
1692 | /* this connect is pending */ | |||
1693 | relay_connect_state(con, &con->se_out, STATE_PENDING); | |||
1694 | return (0); | |||
1695 | } else { | |||
1696 | if (con->se_retry) { | |||
1697 | con->se_retry--; | |||
1698 | log_debug("%s: session %d: " | |||
1699 | "forward failed: %s, %s", __func__, | |||
1700 | con->se_id, strerror(errno(*__errno())), | |||
1701 | con->se_retry ? | |||
1702 | "next retry" : "last retry"); | |||
1703 | goto retry; | |||
1704 | } | |||
1705 | log_debug("%s: session %d: forward failed: %s", | |||
1706 | __func__, con->se_id, strerror(errno(*__errno()))); | |||
1707 | return (-1); | |||
1708 | } | |||
1709 | } | |||
1710 | ||||
1711 | relay_connect_state(con, &con->se_out, STATE_CONNECTED); | |||
1712 | relay_inflight--; | |||
1713 | DPRINTF("%s: inflight decremented, now %d",__func__,do {} while(0) | |||
1714 | relay_inflight)do {} while(0); | |||
1715 | ||||
1716 | if (errno(*__errno()) == EINPROGRESS36) | |||
1717 | event_again(&con->se_ev, con->se_out.s, EV_WRITE0x04|EV_TIMEOUT0x01, | |||
1718 | relay_connected, &con->se_tv_start, &rlay->rl_conf.timeout, | |||
1719 | con); | |||
1720 | else | |||
1721 | relay_connected(con->se_out.s, EV_WRITE0x04, con); | |||
1722 | ||||
1723 | return (0); | |||
1724 | } | |||
1725 | ||||
1726 | void | |||
1727 | relay_close(struct rsession *con, const char *msg, int err) | |||
1728 | { | |||
1729 | char ibuf[128], obuf[128], *ptr = NULL((void*)0); | |||
1730 | struct relay *rlay = con->se_relay; | |||
1731 | struct protocol *proto = rlay->rl_proto; | |||
1732 | ||||
1733 | SPLAY_REMOVE(session_tree, &rlay->rl_sessions, con)session_tree_SPLAY_REMOVE(&rlay->rl_sessions, con); | |||
1734 | relay_session_unpublish(con); | |||
1735 | ||||
1736 | event_del(&con->se_ev); | |||
1737 | ||||
1738 | if ((env->sc_conf.opts & (RELAYD_OPT_LOGCON0x20|RELAYD_OPT_LOGCONERR0x40)) && | |||
1739 | msg != NULL((void*)0)) { | |||
1740 | bzero(&ibuf, sizeof(ibuf)); | |||
1741 | bzero(&obuf, sizeof(obuf)); | |||
1742 | (void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf)); | |||
1743 | (void)print_host(&con->se_out.ss, obuf, sizeof(obuf)); | |||
1744 | if (EVBUFFER_LENGTH(con->se_log)(con->se_log)->off && | |||
1745 | evbuffer_add_printf(con->se_log, "\r\n") != -1) { | |||
1746 | ptr = evbuffer_readln(con->se_log, NULL((void*)0), | |||
1747 | EVBUFFER_EOL_CRLF); | |||
1748 | } | |||
1749 | if (err == 0 && (env->sc_conf.opts & RELAYD_OPT_LOGCON0x20)) | |||
1750 | log_info("relay %s, " | |||
1751 | "session %d (%d active), %s, %s -> %s:%d, " | |||
1752 | "%s%s%s", rlay->rl_conf.name, con->se_id, | |||
1753 | relay_sessions, con->se_tag != 0 ? | |||
1754 | tag_id2name(con->se_tag) : "0", ibuf, obuf, | |||
1755 | ntohs(con->se_out.port)(__uint16_t)(__builtin_constant_p(con->se_out.port) ? (__uint16_t )(((__uint16_t)(con->se_out.port) & 0xffU) << 8 | ((__uint16_t)(con->se_out.port) & 0xff00U) >> 8 ) : __swap16md(con->se_out.port)), msg, ptr == NULL((void*)0) ? | |||
1756 | "" : ",", ptr == NULL((void*)0) ? "" : ptr); | |||
1757 | if (err == 1 && (env->sc_conf.opts & RELAYD_OPT_LOGCONERR0x40)) | |||
1758 | log_warn("relay %s, " | |||
1759 | "session %d (%d active), %s, %s -> %s:%d, " | |||
1760 | "%s%s%s", rlay->rl_conf.name, con->se_id, | |||
1761 | relay_sessions, con->se_tag != 0 ? | |||
1762 | tag_id2name(con->se_tag) : "0", ibuf, obuf, | |||
1763 | ntohs(con->se_out.port)(__uint16_t)(__builtin_constant_p(con->se_out.port) ? (__uint16_t )(((__uint16_t)(con->se_out.port) & 0xffU) << 8 | ((__uint16_t)(con->se_out.port) & 0xff00U) >> 8 ) : __swap16md(con->se_out.port)), msg, ptr == NULL((void*)0) ? | |||
1764 | "" : ",", ptr == NULL((void*)0) ? "" : ptr); | |||
1765 | free(ptr); | |||
1766 | } | |||
1767 | ||||
1768 | if (proto->close != NULL((void*)0)) | |||
1769 | (*proto->close)(con); | |||
1770 | ||||
1771 | free(con->se_priv); | |||
1772 | ||||
1773 | relay_connect_state(con, &con->se_in, STATE_DONE); | |||
1774 | if (relay_reset_event(con, &con->se_in)) { | |||
1775 | if (con->se_out.s == -1) { | |||
1776 | /* | |||
1777 | * the output was never connected, | |||
1778 | * thus this was an inflight session. | |||
1779 | */ | |||
1780 | relay_inflight--; | |||
1781 | log_debug("%s: sessions inflight decremented, now %d", | |||
1782 | __func__, relay_inflight); | |||
1783 | } | |||
1784 | } | |||
1785 | if (con->se_in.output != NULL((void*)0)) | |||
1786 | evbuffer_free(con->se_in.output); | |||
1787 | ||||
1788 | relay_connect_state(con, &con->se_out, STATE_DONE); | |||
1789 | if (relay_reset_event(con, &con->se_out)) { | |||
1790 | /* Some file descriptors are available again. */ | |||
1791 | if (evtimer_pending(&rlay->rl_evt, NULL)event_pending(&rlay->rl_evt, 0x01, ((void*)0))) { | |||
1792 | evtimer_del(&rlay->rl_evt)event_del(&rlay->rl_evt); | |||
1793 | event_add(&rlay->rl_ev, NULL((void*)0)); | |||
1794 | } | |||
1795 | } | |||
1796 | if (con->se_out.output != NULL((void*)0)) | |||
1797 | evbuffer_free(con->se_out.output); | |||
1798 | ||||
1799 | if (con->se_log != NULL((void*)0)) | |||
1800 | evbuffer_free(con->se_log); | |||
1801 | ||||
1802 | if (con->se_cnl != NULL((void*)0)) { | |||
1803 | #if 0 | |||
1804 | proc_compose_imsg(env->sc_ps, PROC_PFE, -1, IMSG_KILLSTATES, -1, | |||
1805 | cnl, sizeof(*cnl)); | |||
1806 | #endif | |||
1807 | free(con->se_cnl); | |||
1808 | } | |||
1809 | ||||
1810 | free(con); | |||
1811 | relay_sessions--; | |||
1812 | } | |||
1813 | ||||
1814 | int | |||
1815 | relay_reset_event(struct rsession *con, struct ctl_relay_event *cre) | |||
1816 | { | |||
1817 | int rv = 0; | |||
1818 | ||||
1819 | if (cre->state != STATE_DONE) | |||
1820 | relay_connect_state(con, cre, STATE_CLOSED); | |||
1821 | if (cre->bev != NULL((void*)0)) { | |||
1822 | bufferevent_disable(cre->bev, EV_READ0x02|EV_WRITE0x04); | |||
1823 | bufferevent_free(cre->bev); | |||
1824 | } | |||
1825 | if (cre->tls != NULL((void*)0)) | |||
1826 | tls_close(cre->tls); | |||
1827 | tls_free(cre->tls); | |||
1828 | tls_free(cre->tls_ctx); | |||
1829 | tls_config_free(cre->tls_cfg); | |||
1830 | free(cre->tlscert); | |||
1831 | if (cre->s != -1) { | |||
1832 | close(cre->s); | |||
1833 | rv = 1; | |||
1834 | } | |||
1835 | cre->bev = NULL((void*)0); | |||
1836 | cre->tls = NULL((void*)0); | |||
1837 | cre->tls_cfg = NULL((void*)0); | |||
1838 | cre->tlscert = NULL((void*)0); | |||
1839 | cre->s = -1; | |||
1840 | ||||
1841 | return (rv); | |||
1842 | } | |||
1843 | ||||
1844 | int | |||
1845 | relay_dispatch_pfe(int fd, struct privsep_proc *p, struct imsg *imsg) | |||
1846 | { | |||
1847 | struct relay *rlay; | |||
1848 | struct rsession *con, se; | |||
1849 | struct ctl_natlook cnl; | |||
1850 | struct timeval tv; | |||
1851 | struct host *host; | |||
1852 | struct table *table; | |||
1853 | struct ctl_status st; | |||
1854 | objid_t id; | |||
1855 | int cid; | |||
1856 | ||||
1857 | switch (imsg->hdr.type) { | |||
1858 | case IMSG_HOST_DISABLE: | |||
1859 | memcpy(&id, imsg->data, sizeof(id)); | |||
1860 | if ((host = host_find(env, id)) == NULL((void*)0)) | |||
1861 | fatalx("%s: desynchronized", __func__); | |||
1862 | if ((table = table_find(env, host->conf.tableid)) == | |||
1863 | NULL((void*)0)) | |||
1864 | fatalx("%s: invalid table id", __func__); | |||
1865 | if (host->up == HOST_UP) | |||
1866 | table->up--; | |||
1867 | host->flags |= F_DISABLE0x00000001; | |||
1868 | host->up = HOST_UNKNOWN; | |||
1869 | break; | |||
1870 | case IMSG_HOST_ENABLE: | |||
1871 | memcpy(&id, imsg->data, sizeof(id)); | |||
1872 | if ((host = host_find(env, id)) == NULL((void*)0)) | |||
1873 | fatalx("%s: desynchronized", __func__); | |||
1874 | host->flags &= ~(F_DISABLE0x00000001); | |||
1875 | host->up = HOST_UNKNOWN; | |||
1876 | break; | |||
1877 | case IMSG_TABLE_DISABLE: | |||
1878 | memcpy(&id, imsg->data, sizeof(id)); | |||
1879 | if ((table = table_find(env, id)) == NULL((void*)0)) | |||
1880 | fatalx("%s: desynchronized", __func__); | |||
1881 | table->conf.flags |= F_DISABLE0x00000001; | |||
1882 | table->up = 0; | |||
1883 | TAILQ_FOREACH(host, &table->hosts, entry)for((host) = ((&table->hosts)->tqh_first); (host) != ((void*)0); (host) = ((host)->entry.tqe_next)) | |||
1884 | host->up = HOST_UNKNOWN; | |||
1885 | break; | |||
1886 | case IMSG_TABLE_ENABLE: | |||
1887 | memcpy(&id, imsg->data, sizeof(id)); | |||
1888 | if ((table = table_find(env, id)) == NULL((void*)0)) | |||
1889 | fatalx("%s: desynchronized", __func__); | |||
1890 | table->conf.flags &= ~(F_DISABLE0x00000001); | |||
1891 | table->up = 0; | |||
1892 | TAILQ_FOREACH(host, &table->hosts, entry)for((host) = ((&table->hosts)->tqh_first); (host) != ((void*)0); (host) = ((host)->entry.tqe_next)) | |||
1893 | host->up = HOST_UNKNOWN; | |||
1894 | break; | |||
1895 | case IMSG_HOST_STATUS: | |||
1896 | IMSG_SIZE_CHECK(imsg, &st)do { if (((imsg)->hdr.len - sizeof(struct imsg_hdr)) < sizeof (*&st)) fatalx("bad length imsg received"); } while (0); | |||
1897 | memcpy(&st, imsg->data, sizeof(st)); | |||
1898 | if ((host = host_find(env, st.id)) == NULL((void*)0)) | |||
1899 | fatalx("%s: invalid host id", __func__); | |||
1900 | if (host->flags & F_DISABLE0x00000001) | |||
1901 | break; | |||
1902 | if (host->up == st.up) { | |||
1903 | log_debug("%s: host %d => %d", __func__, | |||
1904 | host->conf.id, host->up); | |||
1905 | fatalx("%s: desynchronized", __func__); | |||
1906 | } | |||
1907 | ||||
1908 | if ((table = table_find(env, host->conf.tableid)) | |||
1909 | == NULL((void*)0)) | |||
1910 | fatalx("%s: invalid table id", __func__); | |||
1911 | ||||
1912 | DPRINTF("%s: [%d] state %d for "do {} while(0) | |||
1913 | "host %u %s", __func__, p->p_ps->ps_instance, st.up,do {} while(0) | |||
1914 | host->conf.id, host->conf.name)do {} while(0); | |||
1915 | ||||
1916 | if ((st.up == HOST_UNKNOWN && host->up == HOST_DOWN) || | |||
1917 | (st.up == HOST_DOWN && host->up == HOST_UNKNOWN)) { | |||
1918 | host->up = st.up; | |||
1919 | break; | |||
1920 | } | |||
1921 | if (st.up == HOST_UP) | |||
1922 | table->up++; | |||
1923 | else | |||
1924 | table->up--; | |||
1925 | host->up = st.up; | |||
1926 | break; | |||
1927 | case IMSG_NATLOOK: | |||
1928 | bcopy(imsg->data, &cnl, sizeof(cnl)); | |||
1929 | if ((con = session_find(env, cnl.id)) == NULL((void*)0) || | |||
1930 | con->se_cnl == NULL((void*)0)) { | |||
1931 | log_debug("%s: session %d: expired", | |||
1932 | __func__, cnl.id); | |||
1933 | break; | |||
1934 | } | |||
1935 | bcopy(&cnl, con->se_cnl, sizeof(*con->se_cnl)); | |||
1936 | evtimer_del(&con->se_ev)event_del(&con->se_ev); | |||
1937 | evtimer_set(&con->se_ev, relay_natlook, con)event_set(&con->se_ev, -1, 0, relay_natlook, con); | |||
1938 | bzero(&tv, sizeof(tv)); | |||
1939 | evtimer_add(&con->se_ev, &tv)event_add(&con->se_ev, &tv); | |||
1940 | break; | |||
1941 | case IMSG_CTL_SESSION: | |||
1942 | IMSG_SIZE_CHECK(imsg, &cid)do { if (((imsg)->hdr.len - sizeof(struct imsg_hdr)) < sizeof (*&cid)) fatalx("bad length imsg received"); } while (0); | |||
1943 | memcpy(&cid, imsg->data, sizeof(cid)); | |||
1944 | TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)for((rlay) = ((env->sc_relays)->tqh_first); (rlay) != ( (void*)0); (rlay) = ((rlay)->rl_entry.tqe_next)) { | |||
1945 | SPLAY_FOREACH(con, session_tree,for ((con) = (((&rlay->rl_sessions)->sph_root == (( void*)0)) ? ((void*)0) : session_tree_SPLAY_MIN_MAX(&rlay ->rl_sessions, -1)); (con) != ((void*)0); (con) = session_tree_SPLAY_NEXT (&rlay->rl_sessions, con)) | |||
1946 | &rlay->rl_sessions)for ((con) = (((&rlay->rl_sessions)->sph_root == (( void*)0)) ? ((void*)0) : session_tree_SPLAY_MIN_MAX(&rlay ->rl_sessions, -1)); (con) != ((void*)0); (con) = session_tree_SPLAY_NEXT (&rlay->rl_sessions, con)) { | |||
1947 | memcpy(&se, con, sizeof(se)); | |||
1948 | se.se_cid = cid; | |||
1949 | proc_compose(env->sc_ps, p->p_id, | |||
1950 | IMSG_CTL_SESSION, &se, sizeof(se)); | |||
1951 | } | |||
1952 | } | |||
1953 | proc_compose(env->sc_ps, p->p_id, IMSG_CTL_END, | |||
1954 | &cid, sizeof(cid)); | |||
1955 | break; | |||
1956 | default: | |||
1957 | return (-1); | |||
1958 | } | |||
1959 | ||||
1960 | return (0); | |||
1961 | } | |||
1962 | ||||
1963 | int | |||
1964 | relay_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) | |||
1965 | { | |||
1966 | switch (imsg->hdr.type) { | |||
1967 | case IMSG_CA_PRIVENC: | |||
1968 | case IMSG_CA_PRIVDEC: | |||
1969 | log_warnx("%s: priv%s result after timeout", __func__, | |||
1970 | imsg->hdr.type == IMSG_CA_PRIVENC ? "enc" : "dec"); | |||
1971 | return (0); | |||
1972 | } | |||
1973 | ||||
1974 | return (-1); | |||
1975 | } | |||
1976 | ||||
1977 | int | |||
1978 | relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) | |||
1979 | { | |||
1980 | struct relay_ticket_key ticket; | |||
1981 | struct relay *rlay; | |||
1982 | struct rsession *con; | |||
1983 | struct timeval tv; | |||
1984 | objid_t id; | |||
1985 | ||||
1986 | switch (imsg->hdr.type) { | |||
1987 | case IMSG_BINDANY: | |||
1988 | bcopy(imsg->data, &id, sizeof(id)); | |||
1989 | if ((con = session_find(env, id)) == NULL((void*)0)) { | |||
1990 | log_debug("%s: session %d: expired", | |||
1991 | __func__, id); | |||
1992 | break; | |||
1993 | } | |||
1994 | ||||
1995 | /* Will validate the result later */ | |||
1996 | con->se_bnds = imsg->fd; | |||
1997 | ||||
1998 | evtimer_del(&con->se_ev)event_del(&con->se_ev); | |||
1999 | evtimer_set(&con->se_ev, relay_bindany, con)event_set(&con->se_ev, -1, 0, relay_bindany, con); | |||
2000 | bzero(&tv, sizeof(tv)); | |||
2001 | evtimer_add(&con->se_ev, &tv)event_add(&con->se_ev, &tv); | |||
2002 | break; | |||
2003 | case IMSG_CFG_TABLE: | |||
2004 | config_gettable(env, imsg); | |||
2005 | break; | |||
2006 | case IMSG_CFG_HOST: | |||
2007 | config_gethost(env, imsg); | |||
2008 | break; | |||
2009 | case IMSG_CFG_PROTO: | |||
2010 | config_getproto(env, imsg); | |||
2011 | break; | |||
2012 | case IMSG_CFG_RULE: | |||
2013 | config_getrule(env, imsg); | |||
2014 | break; | |||
2015 | case IMSG_CFG_RELAY: | |||
2016 | config_getrelay(env, imsg); | |||
2017 | break; | |||
2018 | case IMSG_CFG_RELAY_TABLE: | |||
2019 | config_getrelaytable(env, imsg); | |||
2020 | break; | |||
2021 | case IMSG_CFG_RELAY_FD: | |||
2022 | config_getrelayfd(env, imsg); | |||
2023 | break; | |||
2024 | case IMSG_CFG_DONE: | |||
2025 | config_getcfg(env, imsg); | |||
2026 | break; | |||
2027 | case IMSG_CTL_START: | |||
2028 | relay_launch(); | |||
2029 | break; | |||
2030 | case IMSG_CTL_RESET: | |||
2031 | config_getreset(env, imsg); | |||
2032 | break; | |||
2033 | case IMSG_TLSTICKET_REKEY: | |||
2034 | IMSG_SIZE_CHECK(imsg, (&ticket))do { if (((imsg)->hdr.len - sizeof(struct imsg_hdr)) < sizeof (*(&ticket))) fatalx("bad length imsg received"); } while (0); | |||
2035 | memcpy(&env->sc_ticket, imsg->data, sizeof(env->sc_ticket)); | |||
2036 | TAILQ_FOREACH(rlay, env->sc_relays, rl_entry)for((rlay) = ((env->sc_relays)->tqh_first); (rlay) != ( (void*)0); (rlay) = ((rlay)->rl_entry.tqe_next)) { | |||
2037 | if (rlay->rl_conf.flags & F_TLS0x00000800) | |||
2038 | tls_config_add_ticket_key(rlay->rl_tls_cfg, | |||
2039 | env->sc_ticket.tt_keyrev, | |||
2040 | env->sc_ticket.tt_key, | |||
2041 | sizeof(env->sc_ticket.tt_key)); | |||
2042 | } | |||
2043 | break; | |||
2044 | default: | |||
2045 | return (-1); | |||
2046 | } | |||
2047 | ||||
2048 | return (0); | |||
2049 | } | |||
2050 | ||||
2051 | int | |||
2052 | relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) | |||
2053 | { | |||
2054 | switch (imsg->hdr.type) { | |||
2055 | default: | |||
2056 | break; | |||
2057 | } | |||
2058 | ||||
2059 | return (-1); | |||
2060 | } | |||
2061 | ||||
2062 | static int | |||
2063 | relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg) | |||
2064 | { | |||
2065 | uint32_t protocols = 0; | |||
2066 | ||||
2067 | /* Set the allowed SSL protocols */ | |||
2068 | if (proto->tlsflags & TLSFLAG_TLSV1_00x02) | |||
2069 | protocols |= TLS_PROTOCOL_TLSv1_0(1 << 1); | |||
2070 | if (proto->tlsflags & TLSFLAG_TLSV1_10x04) | |||
2071 | protocols |= TLS_PROTOCOL_TLSv1_1(1 << 2); | |||
2072 | if (proto->tlsflags & TLSFLAG_TLSV1_20x08) | |||
2073 | protocols |= TLS_PROTOCOL_TLSv1_2(1 << 3); | |||
2074 | if (proto->tlsflags & TLSFLAG_TLSV1_30x10) | |||
2075 | protocols |= TLS_PROTOCOL_TLSv1_3(1 << 4); | |||
2076 | if (tls_config_set_protocols(tls_cfg, protocols) == -1) { | |||
2077 | log_warnx("could not set the TLS protocol: %s", | |||
2078 | tls_config_error(tls_cfg)); | |||
2079 | return (-1); | |||
2080 | } | |||
2081 | ||||
2082 | if (tls_config_set_ciphers(tls_cfg, proto->tlsciphers)) { | |||
2083 | log_warnx("could not set the TLS cypers: %s", | |||
2084 | tls_config_error(tls_cfg)); | |||
2085 | return (-1); | |||
2086 | } | |||
2087 | ||||
2088 | if ((proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF0x20) == 0) | |||
2089 | tls_config_prefer_ciphers_client(tls_cfg); | |||
2090 | ||||
2091 | /* | |||
2092 | * Set session ID context to a random value. It needs to be the | |||
2093 | * same accross all relay processes or session caching will fail. | |||
2094 | */ | |||
2095 | if (tls_config_set_session_id(tls_cfg, env->sc_conf.tls_sid, | |||
2096 | sizeof(env->sc_conf.tls_sid)) == -1) { | |||
2097 | log_warnx("could not set the TLS session ID: %s", | |||
2098 | tls_config_error(tls_cfg)); | |||
2099 | return (-1); | |||
2100 | } | |||
2101 | ||||
2102 | /* Set callback for TLS session tickets if enabled */ | |||
2103 | if (proto->tickets == 1) { | |||
2104 | /* set timeout to the ticket rekey time */ | |||
2105 | tls_config_set_session_lifetime(tls_cfg, TLS_SESSION_LIFETIME(2 * 3600)); | |||
2106 | ||||
2107 | tls_config_add_ticket_key(tls_cfg, | |||
2108 | env->sc_ticket.tt_keyrev, env->sc_ticket.tt_key, | |||
2109 | sizeof(env->sc_ticket.tt_key)); | |||
2110 | } | |||
2111 | ||||
2112 | if (tls_config_set_ecdhecurves(tls_cfg, proto->tlsecdhecurves) != 0) { | |||
2113 | log_warnx("failed to set ecdhe curves %s: %s", | |||
2114 | proto->tlsecdhecurves, tls_config_error(tls_cfg)); | |||
2115 | return (-1); | |||
2116 | } | |||
2117 | ||||
2118 | if (tls_config_set_dheparams(tls_cfg, proto->tlsdhparams) != 0) { | |||
2119 | log_warnx("failed to set dh params %s: %s", | |||
2120 | proto->tlsdhparams, tls_config_error(tls_cfg)); | |||
2121 | return (-1); | |||
2122 | } | |||
2123 | ||||
2124 | return (0); | |||
2125 | } | |||
2126 | ||||
2127 | /* | |||
2128 | * This function is not publicy exported because it is a hack until libtls | |||
2129 | * has a proper privsep setup | |||
2130 | */ | |||
2131 | void tls_config_use_fake_private_key(struct tls_config *config); | |||
2132 | ||||
2133 | int | |||
2134 | relay_tls_ctx_create(struct relay *rlay) | |||
2135 | { | |||
2136 | struct tls_config *tls_cfg, *tls_client_cfg; | |||
2137 | struct tls *tls = NULL((void*)0); | |||
2138 | struct relay_cert *cert; | |||
2139 | int keyfound = 0; | |||
2140 | char *buf = NULL((void*)0), *cabuf = NULL((void*)0), *ocspbuf = NULL((void*)0); | |||
2141 | off_t len = 0, calen = 0, ocsplen = 0; | |||
2142 | ||||
2143 | if ((tls_cfg = tls_config_new()) == NULL((void*)0)) { | |||
2144 | log_warnx("unable to allocate TLS config"); | |||
2145 | return (-1); | |||
2146 | } | |||
2147 | if ((tls_client_cfg = tls_config_new()) == NULL((void*)0)) { | |||
2148 | log_warnx("unable to allocate TLS config"); | |||
2149 | return (-1); | |||
2150 | } | |||
2151 | ||||
2152 | if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_cfg) == -1) | |||
2153 | goto err; | |||
2154 | if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_client_cfg) == -1) | |||
2155 | goto err; | |||
2156 | ||||
2157 | /* Verify the server certificate if we have a CA chain */ | |||
2158 | if (rlay->rl_conf.flags & F_TLSCLIENT0x00200000) { | |||
2159 | /* | |||
2160 | * Currently relayd can't verify the name of certs and changing | |||
2161 | * this is non trivial. For now just disable name verification. | |||
2162 | */ | |||
2163 | tls_config_insecure_noverifyname(tls_client_cfg); | |||
2164 | ||||
2165 | if (rlay->rl_tls_ca_fd != -1) { | |||
2166 | if ((buf = relay_load_fd(rlay->rl_tls_ca_fd, &len)) == | |||
2167 | NULL((void*)0)) { | |||
2168 | log_warn("failed to read root certificates"); | |||
2169 | goto err; | |||
2170 | } | |||
2171 | rlay->rl_tls_ca_fd = -1; | |||
2172 | ||||
2173 | if (tls_config_set_ca_mem(tls_client_cfg, buf, len) != | |||
2174 | 0) { | |||
2175 | log_warnx("failed to set root certificates: %s", | |||
2176 | tls_config_error(tls_client_cfg)); | |||
2177 | goto err; | |||
2178 | } | |||
2179 | purge_key(&buf, len); | |||
2180 | } else { | |||
2181 | /* No root cert available so disable the checking */ | |||
2182 | tls_config_insecure_noverifycert(tls_client_cfg); | |||
2183 | } | |||
2184 | ||||
2185 | rlay->rl_tls_client_cfg = tls_client_cfg; | |||
2186 | } | |||
2187 | ||||
2188 | if (rlay->rl_conf.flags & F_TLS0x00000800) { | |||
2189 | log_debug("%s: loading certificate", __func__); | |||
2190 | /* | |||
2191 | * Use the public key as the "private" key - the secret key | |||
2192 | * parameters are hidden in an extra process that will be | |||
2193 | * contacted by the RSA engine. The SSL/TLS library needs at | |||
2194 | * least the public key parameters in the current process. | |||
2195 | */ | |||
2196 | tls_config_use_fake_private_key(tls_cfg); | |||
2197 | ||||
2198 | TAILQ_FOREACH(cert, env->sc_certs, cert_entry)for((cert) = ((env->sc_certs)->tqh_first); (cert) != (( void*)0); (cert) = ((cert)->cert_entry.tqe_next)) { | |||
2199 | if (cert->cert_relayid != rlay->rl_conf.id || | |||
2200 | cert->cert_fd == -1) | |||
2201 | continue; | |||
2202 | keyfound++; | |||
2203 | ||||
2204 | if ((buf = relay_load_fd(cert->cert_fd, | |||
2205 | &len)) == NULL((void*)0)) { | |||
2206 | log_warn("failed to load tls certificate"); | |||
2207 | goto err; | |||
2208 | } | |||
2209 | cert->cert_fd = -1; | |||
2210 | ||||
2211 | if (cert->cert_ocsp_fd != -1 && | |||
2212 | (ocspbuf = relay_load_fd(cert->cert_ocsp_fd, | |||
2213 | &ocsplen)) == NULL((void*)0)) { | |||
2214 | log_warn("failed to load OCSP staplefile"); | |||
2215 | goto err; | |||
2216 | } | |||
2217 | if (ocsplen == 0) | |||
2218 | purge_key(&ocspbuf, ocsplen); | |||
2219 | cert->cert_ocsp_fd = -1; | |||
2220 | ||||
2221 | if (keyfound == 1 && | |||
2222 | tls_config_set_keypair_ocsp_mem(tls_cfg, buf, len, | |||
2223 | NULL((void*)0), 0, ocspbuf, ocsplen) != 0) { | |||
2224 | log_warnx("failed to set tls certificate: %s", | |||
2225 | tls_config_error(tls_cfg)); | |||
2226 | goto err; | |||
2227 | } | |||
2228 | ||||
2229 | /* loading certificate public key */ | |||
2230 | if (keyfound == 1 && | |||
2231 | !ssl_load_pkey(buf, len, NULL((void*)0), &rlay->rl_tls_pkey)) | |||
2232 | goto err; | |||
2233 | ||||
2234 | if (tls_config_add_keypair_ocsp_mem(tls_cfg, buf, len, | |||
2235 | NULL((void*)0), 0, ocspbuf, ocsplen) != 0) { | |||
2236 | log_warnx("failed to add tls certificate: %s", | |||
2237 | tls_config_error(tls_cfg)); | |||
2238 | goto err; | |||
2239 | } | |||
2240 | ||||
2241 | purge_key(&buf, len); | |||
2242 | purge_key(&ocspbuf, ocsplen); | |||
2243 | } | |||
2244 | ||||
2245 | if (rlay->rl_tls_cacert_fd != -1) { | |||
2246 | if ((cabuf = relay_load_fd(rlay->rl_tls_cacert_fd, | |||
2247 | &calen)) == NULL((void*)0)) { | |||
2248 | log_warn("failed to load tls CA certificate"); | |||
2249 | goto err; | |||
2250 | } | |||
2251 | log_debug("%s: loading CA certificate", __func__); | |||
2252 | if (!ssl_load_pkey(cabuf, calen, | |||
2253 | &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey)) | |||
2254 | goto err; | |||
2255 | } | |||
2256 | rlay->rl_tls_cacert_fd = -1; | |||
2257 | ||||
2258 | tls = tls_server(); | |||
2259 | if (tls == NULL((void*)0)) { | |||
2260 | log_warnx("unable to allocate TLS context"); | |||
2261 | goto err; | |||
2262 | } | |||
2263 | if (tls_configure(tls, tls_cfg) == -1) { | |||
2264 | log_warnx("could not configure the TLS context: %s", | |||
2265 | tls_error(tls)); | |||
2266 | tls_free(tls); | |||
2267 | goto err; | |||
2268 | } | |||
2269 | rlay->rl_tls_cfg = tls_cfg; | |||
2270 | rlay->rl_tls_ctx = tls; | |||
2271 | ||||
2272 | purge_key(&cabuf, calen); | |||
2273 | } | |||
2274 | ||||
2275 | if (rlay->rl_tls_client_cfg == NULL((void*)0)) | |||
2276 | tls_config_free(tls_client_cfg); | |||
2277 | if (rlay->rl_tls_cfg == NULL((void*)0)) | |||
2278 | tls_config_free(tls_cfg); | |||
2279 | ||||
2280 | return (0); | |||
2281 | err: | |||
2282 | purge_key(&ocspbuf, ocsplen); | |||
2283 | purge_key(&cabuf, calen); | |||
2284 | purge_key(&buf, len); | |||
2285 | ||||
2286 | tls_config_free(tls_client_cfg); | |||
2287 | tls_config_free(tls_cfg); | |||
2288 | return (-1); | |||
2289 | } | |||
2290 | ||||
2291 | static struct tls * | |||
2292 | relay_tls_inspect_create(struct relay *rlay, struct ctl_relay_event *cre) | |||
2293 | { | |||
2294 | struct tls_config *tls_cfg; | |||
2295 | struct tls *tls = NULL((void*)0); | |||
2296 | ||||
2297 | /* TLS inspection: use session-specific certificate */ | |||
2298 | if ((tls_cfg = tls_config_new()) == NULL((void*)0)) { | |||
2299 | log_warnx("unable to allocate TLS config"); | |||
2300 | goto err; | |||
2301 | } | |||
2302 | if (relay_tls_ctx_create_proto(rlay->rl_proto, tls_cfg) == -1) { | |||
2303 | /* error already printed */ | |||
2304 | goto err; | |||
2305 | } | |||
2306 | ||||
2307 | tls_config_use_fake_private_key(tls_cfg); | |||
2308 | ||||
2309 | if (tls_config_set_keypair_ocsp_mem(tls_cfg, | |||
2310 | cre->tlscert, cre->tlscert_len, NULL((void*)0), 0, NULL((void*)0), 0) != 0) { | |||
2311 | log_warnx("failed to set tls certificate: %s", | |||
2312 | tls_config_error(tls_cfg)); | |||
2313 | goto err; | |||
2314 | } | |||
2315 | ||||
2316 | tls = tls_server(); | |||
2317 | if (tls == NULL((void*)0)) { | |||
2318 | log_warnx("unable to allocate TLS context"); | |||
2319 | goto err; | |||
2320 | } | |||
2321 | if (tls_configure(tls, tls_cfg) == -1) { | |||
2322 | log_warnx("could not configure the TLS context: %s", | |||
2323 | tls_error(tls)); | |||
2324 | tls_free(tls); | |||
2325 | goto err; | |||
2326 | } | |||
2327 | ||||
2328 | cre->tls_cfg = tls_cfg; | |||
2329 | cre->tls_ctx = tls; | |||
2330 | return (tls); | |||
2331 | err: | |||
2332 | tls_config_free(tls_cfg); | |||
2333 | return (NULL((void*)0)); | |||
2334 | } | |||
2335 | ||||
2336 | void | |||
2337 | relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre) | |||
2338 | { | |||
2339 | struct relay *rlay = con->se_relay; | |||
2340 | struct tls *tls_server; | |||
2341 | const char *errstr; | |||
2342 | u_int flag; | |||
2343 | ||||
2344 | if (cre->dir == RELAY_DIR_REQUEST) { | |||
2345 | if (cre->tlscert != NULL((void*)0)) | |||
2346 | tls_server = relay_tls_inspect_create(rlay, cre); | |||
2347 | else | |||
2348 | tls_server = rlay->rl_tls_ctx; | |||
2349 | if (tls_server == NULL((void*)0)) { | |||
2350 | errstr = "no TLS server context available"; | |||
2351 | goto err; | |||
2352 | } | |||
2353 | ||||
2354 | if (tls_accept_socket(tls_server, &cre->tls, cre->s) == -1) { | |||
2355 | errstr = "could not accept the TLS connection"; | |||
2356 | goto err; | |||
2357 | } | |||
2358 | flag = EV_READ0x02; | |||
2359 | } else { | |||
2360 | cre->tls = tls_client(); | |||
2361 | if (cre->tls == NULL((void*)0) || | |||
2362 | tls_configure(cre->tls, rlay->rl_tls_client_cfg) == -1) { | |||
2363 | errstr = "could not configure the TLS client context"; | |||
2364 | goto err; | |||
2365 | } | |||
2366 | if (tls_connect_socket(cre->tls, cre->s, NULL((void*)0)) == -1) { | |||
2367 | errstr = "could not connect the TLS connection"; | |||
2368 | goto err; | |||
2369 | } | |||
2370 | flag = EV_WRITE0x04; | |||
2371 | } | |||
2372 | ||||
2373 | log_debug("%s: session %d: scheduling on %s", __func__, con->se_id, | |||
2374 | (flag == EV_READ0x02) ? "EV_READ" : "EV_WRITE"); | |||
2375 | event_again(&con->se_ev, cre->s, EV_TIMEOUT0x01|flag, relay_tls_handshake, | |||
2376 | &con->se_tv_start, &rlay->rl_conf.timeout, cre); | |||
2377 | return; | |||
2378 | ||||
2379 | err: | |||
2380 | relay_close(con, errstr, 1); | |||
2381 | } | |||
2382 | ||||
2383 | void | |||
2384 | relay_tls_handshake(int fd, short event, void *arg) | |||
2385 | { | |||
2386 | struct ctl_relay_event *cre = arg; | |||
2387 | struct rsession *con = cre->con; | |||
2388 | struct relay *rlay = con->se_relay; | |||
2389 | int retry_flag = 0; | |||
2390 | int ret; | |||
2391 | char *msg; | |||
2392 | ||||
2393 | if (event == EV_TIMEOUT0x01) { | |||
| ||||
2394 | relay_close(con, "TLS handshake timeout", 1); | |||
2395 | return; | |||
2396 | } | |||
2397 | ||||
2398 | ret = tls_handshake(cre->tls); | |||
2399 | if (ret == 0) { | |||
2400 | #ifdef DEBUG | |||
2401 | log_info( | |||
2402 | #else | |||
2403 | log_debug( | |||
2404 | #endif | |||
2405 | "relay %s, tls session %d %s (%d active)", | |||
2406 | rlay->rl_conf.name, con->se_id, | |||
2407 | cre->dir == RELAY_DIR_REQUEST ? "established" : "connected", | |||
2408 | relay_sessions); | |||
2409 | ||||
2410 | if (cre->dir
| |||
2411 | relay_session(con); | |||
2412 | return; | |||
2413 | } | |||
2414 | ||||
2415 | if (rlay->rl_conf.flags & F_TLSINSPECT0x04000000) { | |||
2416 | const uint8_t *servercert; | |||
2417 | size_t len; | |||
2418 | ||||
2419 | servercert = tls_peer_cert_chain_pem(con->se_out.tls, | |||
2420 | &len); | |||
2421 | if (servercert != NULL((void*)0)) { | |||
2422 | con->se_in.tlscert = ssl_update_certificate( | |||
2423 | servercert, len, | |||
2424 | rlay->rl_tls_pkey, rlay->rl_tls_capkey, | |||
2425 | rlay->rl_tls_cacertx509, | |||
2426 | &con->se_in.tlscert_len); | |||
2427 | } else | |||
2428 | con->se_in.tlscert = NULL((void*)0); | |||
2429 | if (con->se_in.tlscert == NULL((void*)0)) | |||
2430 | relay_close(con, | |||
2431 | "could not create certificate", 1); | |||
2432 | else | |||
2433 | relay_session(con); | |||
2434 | return; | |||
2435 | } | |||
2436 | relay_connected(fd, EV_WRITE0x04, con); | |||
2437 | return; | |||
2438 | } else if (ret == TLS_WANT_POLLIN-2) { | |||
2439 | retry_flag = EV_READ0x02; | |||
2440 | } else if (ret == TLS_WANT_POLLOUT-3) { | |||
2441 | retry_flag = EV_WRITE0x04; | |||
2442 | } else { | |||
2443 | if (asprintf(&msg, "TLS handshake error: %s", | |||
2444 | tls_error(cre->tls)) >= 0) { | |||
2445 | relay_close(con, msg, 1); | |||
2446 | free(msg); | |||
2447 | } else { | |||
2448 | relay_close(con, "TLS handshake error", 1); | |||
2449 | } | |||
2450 | return; | |||
2451 | } | |||
2452 | ||||
2453 | DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id,do {} while(0) | |||
2454 | (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE")do {} while(0); | |||
2455 | event_again(&con->se_ev, fd, EV_TIMEOUT0x01|retry_flag, relay_tls_handshake, | |||
2456 | &con->se_tv_start, &rlay->rl_conf.timeout, cre); | |||
2457 | } | |||
2458 | ||||
2459 | void | |||
2460 | relay_tls_connected(struct ctl_relay_event *cre) | |||
2461 | { | |||
2462 | /* | |||
2463 | * Hack libevent - we overwrite the internal bufferevent I/O | |||
2464 | * functions to handle the TLS abstraction. | |||
2465 | */ | |||
2466 | event_del(&cre->bev->ev_read); | |||
2467 | event_del(&cre->bev->ev_write); | |||
2468 | ||||
2469 | event_set(&cre->bev->ev_read, cre->s, EV_READ0x02, | |||
2470 | relay_tls_readcb, cre->bev); | |||
2471 | event_set(&cre->bev->ev_write, cre->s, EV_WRITE0x04, | |||
2472 | relay_tls_writecb, cre->bev); | |||
2473 | } | |||
2474 | ||||
2475 | void | |||
2476 | relay_tls_readcb(int fd, short event, void *arg) | |||
2477 | { | |||
2478 | char rbuf[IBUF_READ_SIZE65535]; | |||
2479 | struct bufferevent *bufev = arg; | |||
2480 | struct ctl_relay_event *cre = bufev->cbarg; | |||
2481 | short what = EVBUFFER_READ0x01; | |||
2482 | int howmuch = IBUF_READ_SIZE65535; | |||
2483 | ssize_t ret; | |||
2484 | size_t len; | |||
2485 | ||||
2486 | if (event == EV_TIMEOUT0x01) { | |||
2487 | what |= EVBUFFER_TIMEOUT0x40; | |||
2488 | goto err; | |||
2489 | } | |||
2490 | ||||
2491 | if (bufev->wm_read.high != 0) | |||
2492 | howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high)(((sizeof(rbuf)) < (bufev->wm_read.high)) ? (sizeof(rbuf )) : (bufev->wm_read.high)); | |||
2493 | ||||
2494 | ret = tls_read(cre->tls, rbuf, howmuch); | |||
2495 | if (ret == TLS_WANT_POLLIN-2 || ret == TLS_WANT_POLLOUT-3) { | |||
2496 | goto retry; | |||
2497 | } else if (ret == -1) { | |||
2498 | what |= EVBUFFER_ERROR0x20; | |||
2499 | goto err; | |||
2500 | } | |||
2501 | len = ret; | |||
2502 | ||||
2503 | if (len == 0) { | |||
2504 | what |= EVBUFFER_EOF0x10; | |||
2505 | goto err; | |||
2506 | } | |||
2507 | ||||
2508 | if (evbuffer_add(bufev->input, rbuf, ret) == -1) { | |||
2509 | what |= EVBUFFER_ERROR0x20; | |||
2510 | goto err; | |||
2511 | } | |||
2512 | ||||
2513 | relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); | |||
2514 | ||||
2515 | len = EVBUFFER_LENGTH(bufev->input)(bufev->input)->off; | |||
2516 | if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) | |||
2517 | return; | |||
2518 | if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { | |||
2519 | struct evbuffer *buf = bufev->input; | |||
2520 | event_del(&bufev->ev_read); | |||
2521 | evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); | |||
2522 | return; | |||
2523 | } | |||
2524 | ||||
2525 | if (bufev->readcb != NULL((void*)0)) | |||
2526 | (*bufev->readcb)(bufev, bufev->cbarg); | |||
2527 | return; | |||
2528 | ||||
2529 | retry: | |||
2530 | relay_bufferevent_add(&bufev->ev_read, bufev->timeout_read); | |||
2531 | return; | |||
2532 | ||||
2533 | err: | |||
2534 | (*bufev->errorcb)(bufev, what, bufev->cbarg); | |||
2535 | } | |||
2536 | ||||
2537 | void | |||
2538 | relay_tls_writecb(int fd, short event, void *arg) | |||
2539 | { | |||
2540 | struct bufferevent *bufev = arg; | |||
2541 | struct ctl_relay_event *cre = bufev->cbarg; | |||
2542 | ssize_t ret; | |||
2543 | size_t len; | |||
2544 | short what = EVBUFFER_WRITE0x02; | |||
2545 | ||||
2546 | if (event == EV_TIMEOUT0x01) { | |||
2547 | what |= EVBUFFER_TIMEOUT0x40; | |||
2548 | goto err; | |||
2549 | } | |||
2550 | ||||
2551 | if (EVBUFFER_LENGTH(bufev->output)(bufev->output)->off) { | |||
2552 | ret = tls_write(cre->tls, EVBUFFER_DATA(bufev->output)(bufev->output)->buffer, | |||
2553 | EVBUFFER_LENGTH(bufev->output)(bufev->output)->off); | |||
2554 | if (ret == TLS_WANT_POLLIN-2 || ret == TLS_WANT_POLLOUT-3) { | |||
2555 | goto retry; | |||
2556 | } else if (ret == -1) { | |||
2557 | what |= EVBUFFER_ERROR0x20; | |||
2558 | goto err; | |||
2559 | } | |||
2560 | len = ret; | |||
2561 | evbuffer_drain(bufev->output, len); | |||
2562 | } | |||
2563 | ||||
2564 | if (EVBUFFER_LENGTH(bufev->output)(bufev->output)->off != 0) | |||
2565 | relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); | |||
2566 | ||||
2567 | if (bufev->writecb != NULL((void*)0) && | |||
2568 | EVBUFFER_LENGTH(bufev->output)(bufev->output)->off <= bufev->wm_write.low) | |||
2569 | (*bufev->writecb)(bufev, bufev->cbarg); | |||
2570 | return; | |||
2571 | ||||
2572 | retry: | |||
2573 | relay_bufferevent_add(&bufev->ev_write, bufev->timeout_write); | |||
2574 | return; | |||
2575 | ||||
2576 | err: | |||
2577 | (*bufev->errorcb)(bufev, what, bufev->cbarg); | |||
2578 | } | |||
2579 | ||||
2580 | int | |||
2581 | relay_bufferevent_add(struct event *ev, int timeout) | |||
2582 | { | |||
2583 | struct timeval tv, *ptv = NULL((void*)0); | |||
2584 | ||||
2585 | if (timeout) { | |||
2586 | timerclear(&tv)(&tv)->tv_sec = (&tv)->tv_usec = 0; | |||
2587 | tv.tv_sec = timeout; | |||
2588 | ptv = &tv; | |||
2589 | } | |||
2590 | ||||
2591 | return (event_add(ev, ptv)); | |||
2592 | } | |||
2593 | ||||
2594 | #ifdef notyet | |||
2595 | int | |||
2596 | relay_bufferevent_printf(struct ctl_relay_event *cre, const char *fmt, ...) | |||
2597 | { | |||
2598 | int ret; | |||
2599 | va_list ap; | |||
2600 | ||||
2601 | va_start(ap, fmt)__builtin_va_start(ap, fmt); | |||
2602 | ret = evbuffer_add_vprintf(cre->output, fmt, ap); | |||
2603 | va_end(ap)__builtin_va_end(ap); | |||
2604 | ||||
2605 | if (cre->bev != NULL((void*)0) && | |||
2606 | ret != -1 && EVBUFFER_LENGTH(cre->output)(cre->output)->off > 0 && | |||
2607 | (cre->bev->enabled & EV_WRITE0x04)) | |||
2608 | bufferevent_enable(cre->bev, EV_WRITE0x04); | |||
2609 | ||||
2610 | return (ret); | |||
2611 | } | |||
2612 | #endif | |||
2613 | ||||
2614 | int | |||
2615 | relay_bufferevent_print(struct ctl_relay_event *cre, const char *str) | |||
2616 | { | |||
2617 | if (cre->bev == NULL((void*)0)) | |||
2618 | return (evbuffer_add(cre->output, str, strlen(str))); | |||
2619 | return (bufferevent_write(cre->bev, str, strlen(str))); | |||
2620 | } | |||
2621 | ||||
2622 | int | |||
2623 | relay_bufferevent_write_buffer(struct ctl_relay_event *cre, | |||
2624 | struct evbuffer *buf) | |||
2625 | { | |||
2626 | if (cre->bev == NULL((void*)0)) | |||
2627 | return (evbuffer_add_buffer(cre->output, buf)); | |||
2628 | return (bufferevent_write_buffer(cre->bev, buf)); | |||
2629 | } | |||
2630 | ||||
2631 | int | |||
2632 | relay_bufferevent_write_chunk(struct ctl_relay_event *cre, | |||
2633 | struct evbuffer *buf, size_t size) | |||
2634 | { | |||
2635 | int ret; | |||
2636 | ret = relay_bufferevent_write(cre, buf->buffer, size); | |||
2637 | if (ret != -1) | |||
2638 | evbuffer_drain(buf, size); | |||
2639 | return (ret); | |||
2640 | } | |||
2641 | ||||
2642 | int | |||
2643 | relay_bufferevent_write(struct ctl_relay_event *cre, void *data, size_t size) | |||
2644 | { | |||
2645 | if (cre->bev == NULL((void*)0)) | |||
2646 | return (evbuffer_add(cre->output, data, size)); | |||
2647 | return (bufferevent_write(cre->bev, data, size)); | |||
2648 | } | |||
2649 | ||||
2650 | int | |||
2651 | relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b) | |||
2652 | { | |||
2653 | int ret = -1; | |||
2654 | struct sockaddr_in ia, ib; | |||
2655 | struct sockaddr_in6 ia6, ib6; | |||
2656 | ||||
2657 | switch (a->ss_family) { | |||
2658 | case AF_INET2: | |||
2659 | bcopy(a, &ia, sizeof(struct sockaddr_in)); | |||
2660 | bcopy(b, &ib, sizeof(struct sockaddr_in)); | |||
2661 | ||||
2662 | ret = memcmp(&ia.sin_addr, &ib.sin_addr, | |||
2663 | sizeof(ia.sin_addr)); | |||
2664 | if (ret == 0) | |||
2665 | ret = memcmp(&ia.sin_port, &ib.sin_port, | |||
2666 | sizeof(ia.sin_port)); | |||
2667 | break; | |||
2668 | case AF_INET624: | |||
2669 | bcopy(a, &ia6, sizeof(struct sockaddr_in6)); | |||
2670 | bcopy(b, &ib6, sizeof(struct sockaddr_in6)); | |||
2671 | ||||
2672 | ret = memcmp(&ia6.sin6_addr, &ib6.sin6_addr, | |||
2673 | sizeof(ia6.sin6_addr)); | |||
2674 | if (ret == 0) | |||
2675 | ret = memcmp(&ia6.sin6_port, &ib6.sin6_port, | |||
2676 | sizeof(ia6.sin6_port)); | |||
2677 | break; | |||
2678 | default: | |||
2679 | break; | |||
2680 | } | |||
2681 | ||||
2682 | return (ret); | |||
2683 | } | |||
2684 | ||||
2685 | int | |||
2686 | relay_session_cmp(struct rsession *a, struct rsession *b) | |||
2687 | { | |||
2688 | struct relay *rlay = b->se_relay; | |||
2689 | struct protocol *proto = rlay->rl_proto; | |||
2690 | ||||
2691 | if (proto != NULL((void*)0) && proto->cmp != NULL((void*)0)) | |||
2692 | return ((*proto->cmp)(a, b)); | |||
2693 | ||||
2694 | return ((int)a->se_id - b->se_id); | |||
2695 | } | |||
2696 | ||||
2697 | void | |||
2698 | relay_log(struct rsession *con, char *msg) | |||
2699 | { | |||
2700 | if (con->se_haslog && con->se_log != NULL((void*)0)) { | |||
2701 | evbuffer_add(con->se_log, msg, strlen(msg)); | |||
2702 | } | |||
2703 | } | |||
2704 | ||||
2705 | SPLAY_GENERATE(session_tree, rsession, se_nodes, relay_session_cmp)struct rsession * session_tree_SPLAY_INSERT(struct session_tree *head, struct rsession *elm) { if (((head)->sph_root == ( (void*)0))) { (elm)->se_nodes.spe_left = (elm)->se_nodes .spe_right = ((void*)0); } else { int __comp; session_tree_SPLAY (head, elm); __comp = (relay_session_cmp)(elm, (head)->sph_root ); if(__comp < 0) { (elm)->se_nodes.spe_left = ((head)-> sph_root)->se_nodes.spe_left; (elm)->se_nodes.spe_right = (head)->sph_root; ((head)->sph_root)->se_nodes.spe_left = ((void*)0); } else if (__comp > 0) { (elm)->se_nodes .spe_right = ((head)->sph_root)->se_nodes.spe_right; (elm )->se_nodes.spe_left = (head)->sph_root; ((head)->sph_root )->se_nodes.spe_right = ((void*)0); } else return ((head)-> sph_root); } (head)->sph_root = (elm); return (((void*)0)) ; } struct rsession * session_tree_SPLAY_REMOVE(struct session_tree *head, struct rsession *elm) { struct rsession *__tmp; if (( (head)->sph_root == ((void*)0))) return (((void*)0)); session_tree_SPLAY (head, elm); if ((relay_session_cmp)(elm, (head)->sph_root ) == 0) { if (((head)->sph_root)->se_nodes.spe_left == ( (void*)0)) { (head)->sph_root = ((head)->sph_root)-> se_nodes.spe_right; } else { __tmp = ((head)->sph_root)-> se_nodes.spe_right; (head)->sph_root = ((head)->sph_root )->se_nodes.spe_left; session_tree_SPLAY(head, elm); ((head )->sph_root)->se_nodes.spe_right = __tmp; } return (elm ); } return (((void*)0)); } void session_tree_SPLAY(struct session_tree *head, struct rsession *elm) { struct rsession __node, *__left , *__right, *__tmp; int __comp; (&__node)->se_nodes.spe_left = (&__node)->se_nodes.spe_right = ((void*)0); __left = __right = &__node; while ((__comp = (relay_session_cmp)( elm, (head)->sph_root))) { if (__comp < 0) { __tmp = (( head)->sph_root)->se_nodes.spe_left; if (__tmp == ((void *)0)) break; if ((relay_session_cmp)(elm, __tmp) < 0){ do { ((head)->sph_root)->se_nodes.spe_left = (__tmp)->se_nodes .spe_right; (__tmp)->se_nodes.spe_right = (head)->sph_root ; (head)->sph_root = __tmp; } while (0); if (((head)->sph_root )->se_nodes.spe_left == ((void*)0)) break; } do { (__right )->se_nodes.spe_left = (head)->sph_root; __right = (head )->sph_root; (head)->sph_root = ((head)->sph_root)-> se_nodes.spe_left; } while (0); } else if (__comp > 0) { __tmp = ((head)->sph_root)->se_nodes.spe_right; if (__tmp == ((void*)0)) break; if ((relay_session_cmp)(elm, __tmp) > 0 ){ do { ((head)->sph_root)->se_nodes.spe_right = (__tmp )->se_nodes.spe_left; (__tmp)->se_nodes.spe_left = (head )->sph_root; (head)->sph_root = __tmp; } while (0); if ( ((head)->sph_root)->se_nodes.spe_right == ((void*)0)) break ; } do { (__left)->se_nodes.spe_right = (head)->sph_root ; __left = (head)->sph_root; (head)->sph_root = ((head) ->sph_root)->se_nodes.spe_right; } while (0); } } do { ( __left)->se_nodes.spe_right = ((head)->sph_root)->se_nodes .spe_left; (__right)->se_nodes.spe_left = ((head)->sph_root )->se_nodes.spe_right; ((head)->sph_root)->se_nodes. spe_left = (&__node)->se_nodes.spe_right; ((head)-> sph_root)->se_nodes.spe_right = (&__node)->se_nodes .spe_left; } while (0); } void session_tree_SPLAY_MINMAX(struct session_tree *head, int __comp) { struct rsession __node, *__left , *__right, *__tmp; (&__node)->se_nodes.spe_left = (& __node)->se_nodes.spe_right = ((void*)0); __left = __right = &__node; while (1) { if (__comp < 0) { __tmp = ((head )->sph_root)->se_nodes.spe_left; if (__tmp == ((void*)0 )) break; if (__comp < 0){ do { ((head)->sph_root)-> se_nodes.spe_left = (__tmp)->se_nodes.spe_right; (__tmp)-> se_nodes.spe_right = (head)->sph_root; (head)->sph_root = __tmp; } while (0); if (((head)->sph_root)->se_nodes .spe_left == ((void*)0)) break; } do { (__right)->se_nodes .spe_left = (head)->sph_root; __right = (head)->sph_root ; (head)->sph_root = ((head)->sph_root)->se_nodes.spe_left ; } while (0); } else if (__comp > 0) { __tmp = ((head)-> sph_root)->se_nodes.spe_right; if (__tmp == ((void*)0)) break ; if (__comp > 0) { do { ((head)->sph_root)->se_nodes .spe_right = (__tmp)->se_nodes.spe_left; (__tmp)->se_nodes .spe_left = (head)->sph_root; (head)->sph_root = __tmp; } while (0); if (((head)->sph_root)->se_nodes.spe_right == ((void*)0)) break; } do { (__left)->se_nodes.spe_right = (head)->sph_root; __left = (head)->sph_root; (head)-> sph_root = ((head)->sph_root)->se_nodes.spe_right; } while (0); } } do { (__left)->se_nodes.spe_right = ((head)-> sph_root)->se_nodes.spe_left; (__right)->se_nodes.spe_left = ((head)->sph_root)->se_nodes.spe_right; ((head)-> sph_root)->se_nodes.spe_left = (&__node)->se_nodes. spe_right; ((head)->sph_root)->se_nodes.spe_right = (& __node)->se_nodes.spe_left; } while (0); }; |