int
dnsproc(int nfd)
{
int rc, cc;
char *look, *last;
struct addr v[MAX_SERVERS_DNS];
long lval;
size_t i;
ssize_t vsz;
enum dnsop op;
rc = 0;
look = last = NULL;
vsz = 0;
/*
* Why don't we chroot() here?
* On OpenBSD, the pledge(2) takes care of our constraining the
* environment to DNS resolution only, so the chroot(2) is
* unnecessary.
* On Mac OS X, we can't chroot(2): we'd need to have an mdns
* responder thing in each jail.
* On Linux, forget it. getaddrinfo(2) pulls on all sorts of
* mystery meat.
*/
if ( ! sandbox_before())
goto out;
else if ( ! dropprivs())
goto out;
else if ( ! sandbox_after())
goto out;
/*
* This is simple: just loop on a request operation, and each
* time we write back zero or more entries.
* Also do a simple trick and cache the last lookup.
*/
for (;;) {
op = DNS__MAX;
if (0 == (lval = readop(nfd, COMM_DNS)))
op = DNS_STOP;
else if (DNS_LOOKUP == lval)
op = lval;
if (DNS__MAX == op) {
warnx("unknown operation from netproc");
goto out;
} else if (DNS_STOP == op)
break;
if (NULL == (look = readstr(nfd, COMM_DNSQ)))
goto out;
/*
* Check if we're asked to repeat the lookup.
* If not, request it from host_dns().
*/
if (NULL == last || strcmp(look, last)) {
if ((vsz = host_dns(look, v)) < 0)
goto out;
free(last);
last = look;
look = NULL;
} else {
doddbg("%s: cached", look);
free(look);
look = NULL;
}
if (0 == (cc = writeop(nfd, COMM_DNSLEN, vsz)))
break;
else if (cc < 0)
goto out;
for (i = 0; i < (size_t)vsz; i++) {
if (writeop(nfd, COMM_DNSF, v[i].family) <= 0)
goto out;
if (writestr(nfd, COMM_DNSA, v[i].ip) <= 0)
goto out;
}
}
rc = 1;
out:
close(nfd);
free(look);
free(last);
return(rc);
}
int
certproc(int netsock, int filesock)
{
char *csr, *chain, *url;
unsigned char *csrcp, *chaincp;
size_t csrsz, chainsz;
int i, rc, idx, cc;
enum certop op;
long lval;
X509 *x, *chainx;
X509_EXTENSION *ext;
X509V3_EXT_METHOD *method;
void *entries;
STACK_OF(CONF_VALUE) *val;
CONF_VALUE *nval;
ext = NULL;
idx = -1;
method = NULL;
chain = csr = url = NULL;
rc = 0;
x = chainx = NULL;
/* File-system and sandbox jailing. */
if ( ! sandbox_before())
goto out;
ERR_load_crypto_strings();
if ( ! dropfs(PATH_VAR_EMPTY))
goto out;
else if ( ! dropprivs())
goto out;
else if ( ! sandbox_after())
goto out;
/* Read what the netproc wants us to do. */
op = CERT__MAX;
if (0 == (lval = readop(netsock, COMM_CSR_OP)))
op = CERT_STOP;
else if (CERT_REVOKE == lval || CERT_UPDATE == lval)
op = lval;
if (CERT_STOP == op) {
rc = 1;
goto out;
} else if (CERT__MAX == op) {
warnx("unknown operation from netproc");
goto out;
}
/*
* Pass revocation right through to fileproc.
* If the reader is terminated, ignore it.
*/
if (CERT_REVOKE == op) {
if (writeop(filesock, COMM_CHAIN_OP, FILE_REMOVE) >= 0)
rc = 1;
goto out;
}
/*
* Wait until we receive the DER encoded (signed) certificate
* from the network process.
* Then convert the DER encoding into an X509 certificate.
*/
if (NULL == (csr = readbuf(netsock, COMM_CSR, &csrsz)))
goto out;
csrcp = (u_char *)csr;
x = d2i_X509(NULL, (const u_char **)&csrcp, csrsz);
if (NULL == x) {
warnx("d2i_X509");
goto out;
}
/*
* Extract the CA Issuers from its NID.
* TODO: I have no idea what I'm doing.
*/
idx = X509_get_ext_by_NID(x, NID_info_access, idx);
if (idx >= 0 && NULL != (ext = X509_get_ext(x, idx)))
method = (X509V3_EXT_METHOD *)X509V3_EXT_get(ext);
entries = X509_get_ext_d2i(x, NID_info_access, 0, 0);
if (NULL != method && NULL != entries) {
val = method->i2v(method, entries, 0);
for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
nval = sk_CONF_VALUE_value(val, i);
if (strcmp(nval->name, "CA Issuers - URI"))
continue;
url = strdup(nval->value);
if (NULL == url) {
warn("strdup");
goto out;
}
break;
}
}
if (NULL == url) {
warnx("no CA issuer registered with certificate");
goto out;
}
/* Write the CA issuer to the netsock. */
if (writestr(netsock, COMM_ISSUER, url) <= 0)
goto out;
/* Read the full-chain back from the netsock. */
if (NULL == (chain = readbuf(netsock, COMM_CHAIN, &chainsz)))
goto out;
/*
* Then check if the chain is PEM-encoded by looking to see if
* it begins with the PEM marker.
* If so, ship it as-is; otherwise, convert to a PEM encoded
* buffer and ship that.
* FIXME: if PEM, re-parse it.
*/
if (chainsz <= strlen(MARKER) ||
strncmp(chain, MARKER, strlen(MARKER))) {
chaincp = (u_char *)chain;
chainx = d2i_X509(NULL,
(const u_char **)&chaincp, chainsz);
if (NULL == chainx) {
warnx("d2i_X509");
goto out;
}
free(chain);
if (NULL == (chain = x509buf(chainx, &chainsz)))
goto out;
}
/* Allow reader termination to just push us out. */
if (0 == (cc = writeop(filesock, COMM_CHAIN_OP, FILE_CREATE)))
rc = 1;
if (cc <= 0)
goto out;
if (0 == (cc = writebuf(filesock, COMM_CHAIN, chain, chainsz)))
rc = 1;
if (cc <= 0)
goto out;
/*
* Next, convert the X509 to a buffer and send that.
* Reader failure doesn't change anything.
*/
free(chain);
if (NULL == (chain = x509buf(x, &chainsz)))
goto out;
if (writebuf(filesock, COMM_CSR, chain, chainsz) < 0)
goto out;
rc = 1;
out:
close(netsock);
close(filesock);
if (NULL != x)
X509_free(x);
if (NULL != chainx)
X509_free(chainx);
free(csr);
free(url);
free(chain);
ERR_print_errors_fp(stderr);
ERR_free_strings();
return(rc);
}
int main( int argc, char *argv[] ) {
sigset_t newmask;
char c;
extern char *optarg;
extern int optind, opterr, optopt;
char *cfgfile = HTUN_DEFAULT_CFGFILE;
char *tunfile = NULL;
char *logfile = NULL;
unsigned short port=0;
int foreground = 0;
int dont_route = 0;
int config_test_only = 0;
int debug = 0;
unsigned int logflags = 0;
dropprivs("");
while( (c=getopt(argc, argv, "rdfc:vht:l:p:o")) != -1 ) {
switch(c) {
case 'r':
dont_route = 1;
break;
/* #ifdef _DEBUG */
case 'd':
debug = 1;
break;
/* #endif */
case 'o':
debug = 1;
config_test_only = 1;
break;
case 'f':
foreground = 1;
break;
case 'c':
cfgfile = optarg;
break;
case 'v':
fprintf( stderr,
"HTun " VERSION "\n"
"(c) 2002 Moshe Jacobson <*****@*****.**>\n"
" and Ola Nordstrom <*****@*****.**>\n"
"This program is distributed under the GNU General Public License.\n"
"for details, see the LICENSE file packaged with htun.\n");
return EXIT_SUCCESS;
case 't':
tunfile = optarg;
break;
case 'l':
logfile = optarg;
break;
case 'p':
port = htons((unsigned short)strtoul(optarg,NULL,0));
if(!port) {
fprintf( stderr, "Invalid port specified: %s.\n",
argv[optind] );
return EXIT_FAILURE;
}
break;
case 'h':
usage();
return EXIT_SUCCESS;
default:
usage();
return EXIT_FAILURE;
}
}
/* Read the config */
if( (config=read_config(cfgfile)) == NULL ) {
fprintf( stderr, "Fatal: Reading cfgfile \"%s\": %s\n",
cfgfile, strerror(errno) );
return EXIT_FAILURE;
}
if( config_test_only == 1 ) {
log = log_open("-", LOG_STDERR|LOG_NODATE|LOG_DEBUG|LOG_NOLVL|LOG_FUNC);
print_config(config);
log_close(log);
return EXIT_SUCCESS;
}
/* Now override config values with cmdline values */
strcpy(config->cfgfile,cfgfile);
if( tunfile ) strncpy(config->tunfile,tunfile,PATH_MAX);
if( logfile ) strncpy(config->logfile,logfile,PATH_MAX);
if( port ) {
if( config->is_server )
config->u.s.server_ports[0] = htons(port);
else
config->u.c.proxy_port = (port);
}
if( dont_route ) config->u.c.do_routing = 0;
if( debug ) config->debug = 1;
/* Open the log file */
if( config->debug ) logflags |= LOG_DEBUG;
logflags |= LOG_FUNC;
getprivs("opening logfile");
if( !(log=log_open( config->logfile, logflags )) ) {
fprintf( stderr, "Warning: Could not open logfile %s: %s\n",
config->logfile, strerror(errno) );
}
dropprivs("logfile opened");
/* Daemonize unless -f or -l - have been specified */
if( !foreground && strcmp(config->logfile,"-") ) daemonize();
lprintf( log, INFO, "HTun " VERSION " started." );
init_signames();
/* Ignore SIGPIPE. We will use errno=EPIPE instead. */
signal(SIGPIPE,SIG_IGN);
signal(SIGWINCH,SIG_IGN);
/* Mask TERM, HUP, INT, and USR1 */
sigemptyset(&newmask);
sigaddset(&newmask, SIGINT);
sigaddset(&newmask, SIGHUP);
sigaddset(&newmask, SIGTERM);
sigaddset(&newmask, SIGUSR1);
sigaddset(&newmask, SIGUSR2);
sigaddset(&newmask, SIGALRM);
sigaddset(&newmask, SIGCONT);
sigaddset(&newmask, SIGTSTP);
sigaddset(&newmask, SIGWINCH);
sigprocmask( SIG_BLOCK, &newmask, NULL );
return config->is_server ? server_main() : client_main();
}
/*
* Here we communicate with the letsencrypt server.
* For this, we'll need the certificate we want to upload and our
* account key information.
*/
int
netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
int newacct, int revoke, int staging,
const char *const *alts, size_t altsz)
{
int rc;
size_t i;
char *cert, *thumb, *url;
struct conn c;
struct capaths paths;
struct chng *chngs;
long lval;
rc = 0;
memset(&paths, 0, sizeof(struct capaths));
memset(&c, 0, sizeof(struct conn));
url = cert = thumb = NULL;
chngs = NULL;
/* File-system, user, and sandbox jail. */
if ( ! sandbox_before())
goto out;
else if ( ! dropfs(PATH_VAR_EMPTY))
goto out;
else if ( ! dropprivs())
goto out;
else if ( ! sandbox_after())
goto out;
/*
* Wait until the acctproc, keyproc, and revokeproc have started
* up and are ready to serve us data.
* There's no point in running if these don't work.
* Then check whether revokeproc indicates that the certificate
* on file (if any) can be updated.
*/
if (0 == (lval = readop(afd, COMM_ACCT_STAT))) {
rc = 1;
goto out;
} else if (ACCT_READY != lval) {
warnx("unknown operation from acctproc");
goto out;
}
if (0 == (lval = readop(kfd, COMM_KEY_STAT))) {
rc = 1;
goto out;
} else if (KEY_READY != lval) {
warnx("unknown operation from keyproc");
goto out;
}
if (0 == (lval = readop(rfd, COMM_REVOKE_RESP))) {
rc = 1;
goto out;
} else if (REVOKE_EXP != lval && REVOKE_OK != lval) {
warnx("unknown operation from revokeproc");
goto out;
}
/* If our certificate is up-to-date, return now. */
if (REVOKE_OK == lval) {
rc = 1;
goto out;
}
/* Allocate main state. */
chngs = calloc(altsz, sizeof(struct chng));
if (NULL == chngs) {
warn("calloc");
goto out;
}
c.dfd = dfd;
c.fd = afd;
c.na = staging ? URL_STAGE_CA : URL_REAL_CA;
/*
* Look up the domain of the ACME server.
* We'll use this ourselves instead of having libcurl do the DNS
* resolution itself.
*/
if ( ! dodirs(&c, c.na, &paths))
goto out;
/*
* If we're meant to revoke, then wait for revokeproc to send us
* the certificate (if it's found at all).
* Following that, submit the request to the CA then notify the
* certproc, which will in turn notify the fileproc.
*/
if (revoke) {
if (NULL == (cert = readstr(rfd, COMM_CSR)))
goto out;
if ( ! dorevoke(&c, paths.revokecert, cert))
goto out;
else if (writeop(cfd, COMM_CSR_OP, CERT_REVOKE) > 0)
rc = 1;
goto out;
}
/* If new, register with the CA server. */
if (newacct && ! donewreg(&c, &paths))
goto out;
/* Pre-authorise all domains with CA server. */
for (i = 0; i < altsz; i++)
if ( ! dochngreq(&c, alts[i], &chngs[i], &paths))
goto out;
/*
* We now have our challenges.
* We need to ask the acctproc for the thumbprint.
* We'll combine this to the challenge to create our response,
* which will be orchestrated by the chngproc.
*/
if (writeop(afd, COMM_ACCT, ACCT_THUMBPRINT) <= 0)
goto out;
else if (NULL == (thumb = readstr(afd, COMM_THUMB)))
goto out;
/* We'll now ask chngproc to build the challenge. */
for (i = 0; i < altsz; i++) {
if (writeop(Cfd, COMM_CHNG_OP, CHNG_SYN) <= 0)
goto out;
else if (writestr(Cfd, COMM_THUMB, thumb) <= 0)
goto out;
else if (writestr(Cfd, COMM_TOK, chngs[i].token) <= 0)
goto out;
/* Read that the challenge has been made. */
if (CHNG_ACK != readop(Cfd, COMM_CHNG_ACK))
goto out;
/* Write to the CA that it's ready. */
if ( ! dochngresp(&c, &chngs[i], thumb))
goto out;
}
/*
* We now wait on the ACME server for each domain.
* Connect to the server (assume it's the same server) once
* every five seconds.
*/
for (i = 0; i < altsz; i++) {
if (1 == chngs[i].status)
continue;
if (chngs[i].retry++ >= RETRY_MAX) {
warnx("%s: too many tries", chngs[i].uri);
goto out;
}
/* Sleep before every attempt. */
sleep(RETRY_DELAY);
if ( ! dochngcheck(&c, &chngs[i]))
goto out;
}
/*
* Write our acknowledgement that the challenges are over.
* The challenge process will remove all of the files.
*/
if (writeop(Cfd, COMM_CHNG_OP, CHNG_STOP) <= 0)
goto out;
/* Wait to receive the certificate itself. */
if (NULL == (cert = readstr(kfd, COMM_CERT)))
goto out;
/*
* Otherwise, submit the CA for signing, download the signed
* copy, and ship that into the certificate process for copying.
*/
if ( ! docert(&c, paths.newcert, cert))
goto out;
else if (writeop(cfd, COMM_CSR_OP, CERT_UPDATE) <= 0)
goto out;
else if (writebuf(cfd, COMM_CSR, c.buf.buf, c.buf.sz) <= 0)
goto out;
/*
* Read back the issuer from the certproc.
* Then contact the issuer to get the certificate chain.
* Write this chain directly back to the certproc.
*/
if (NULL == (url = readstr(cfd, COMM_ISSUER)))
goto out;
else if ( ! dofullchain(&c, url))
goto out;
else if (writebuf(cfd, COMM_CHAIN, c.buf.buf, c.buf.sz) <= 0)
goto out;
rc = 1;
out:
close(cfd);
close(kfd);
close(afd);
close(Cfd);
close(dfd);
close(rfd);
free(cert);
free(url);
free(thumb);
free(c.buf.buf);
if (NULL != chngs)
for (i = 0; i < altsz; i++)
json_free_challenge(&chngs[i]);
free(chngs);
json_free_capaths(&paths);
return(rc);
}
