static gboolean
rspamd_map_check_sig_pk_mem (const guchar *sig,
gsize siglen,
struct rspamd_map *map,
const guchar *input,
gsize inlen,
struct rspamd_cryptobox_pubkey *pk)
{
GString *b32_key;
gboolean ret = TRUE;
if (siglen != rspamd_cryptobox_signature_bytes (RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't open signature for %s: invalid size: %z", map->name, siglen);
ret = FALSE;
}
if (ret && !rspamd_cryptobox_verify (sig, input, inlen,
rspamd_pubkey_get_pk (pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't verify signature for %s: incorrect signature", map->name);
ret = FALSE;
}
if (ret) {
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
msg_info_map ("verified signature for %s using trusted key %v",
map->name, b32_key);
g_string_free (b32_key, TRUE);
}
return ret;
}
static gboolean
rspamd_map_check_file_sig (const char *fname,
struct rspamd_map *map,
struct rspamd_map_backend *bk,
const guchar *input,
gsize inlen)
{
gchar fpath[PATH_MAX];
guchar *data;
struct rspamd_cryptobox_pubkey *pk = NULL;
GString *b32_key;
gboolean ret;
gsize len = 0;
if (bk->trusted_pubkey == NULL) {
/* Try to load and check pubkey */
rspamd_snprintf (fpath, sizeof (fpath), "%s.pub", fname);
data = rspamd_file_xmap (fpath, PROT_READ, &len);
if (data == NULL) {
msg_err_map ("can't open pubkey %s: %s", fpath, strerror (errno));
return FALSE;
}
pk = rspamd_pubkey_from_base32 (data, len, RSPAMD_KEYPAIR_SIGN,
RSPAMD_CRYPTOBOX_MODE_25519);
munmap (data, len);
if (pk == NULL) {
msg_err_map ("can't load pubkey %s", fpath);
return FALSE;
}
/* We just check pk against the trusted db of keys */
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
g_assert (b32_key != NULL);
if (g_hash_table_lookup (map->cfg->trusted_keys, b32_key->str) == NULL) {
msg_err_map ("pubkey loaded from %s is untrusted: %v", fpath,
b32_key);
g_string_free (b32_key, TRUE);
rspamd_pubkey_unref (pk);
return FALSE;
}
g_string_free (b32_key, TRUE);
}
else {
pk = rspamd_pubkey_ref (bk->trusted_pubkey);
}
ret = rspamd_map_check_sig_pk (fname, map, input, inlen, pk);
rspamd_pubkey_unref (pk);
return ret;
}
static int
http_map_read (struct rspamd_http_connection *conn,
struct rspamd_http_message *msg,
const gchar *chunk,
gsize len)
{
struct http_callback_data *cbd = conn->ud;
struct rspamd_map *map;
if (msg->code != 200 || len == 0) {
/* Ignore not full replies */
return 0;
}
map = cbd->map;
if (write (cbd->out_fd, chunk, len) == -1) {
msg_err_map ("cannot write to %s: %s", cbd->tmpfile, strerror (errno));
MAP_RELEASE (cbd);
return -1;
}
return 0;
}
static gboolean
rspamd_map_check_sig_pk (const char *fname,
struct rspamd_map *map,
const guchar *input,
gsize inlen,
struct rspamd_cryptobox_pubkey *pk)
{
gchar fpath[PATH_MAX];
guchar *data;
GString *b32_key;
gsize len = 0;
/* Now load signature */
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig", fname);
data = rspamd_file_xmap (fpath, PROT_READ, &len);
if (data == NULL) {
msg_err_map ("can't open signature %s: %s", fpath, strerror (errno));
return FALSE;
}
if (len != rspamd_cryptobox_signature_bytes (RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't open signature %s: invalid signature", fpath);
munmap (data, len);
return FALSE;
}
if (!rspamd_cryptobox_verify (data, input, inlen,
rspamd_pubkey_get_pk (pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't verify signature %s: incorrect signature", fpath);
munmap (data, len);
return FALSE;
}
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
msg_info_map ("verified signature in file %s using trusted key %v",
fpath, b32_key);
g_string_free (b32_key, TRUE);
munmap (data, len);
return TRUE;
}
/**
* Write HTTP request
*/
static void
write_http_request (struct http_callback_data *cbd)
{
gchar datebuf[128];
struct rspamd_http_message *msg;
struct rspamd_map *map;
map = cbd->map;
if (cbd->fd != -1) {
close (cbd->fd);
}
cbd->fd = rspamd_inet_address_connect (cbd->addr, SOCK_STREAM, TRUE);
if (cbd->fd != -1) {
msg = rspamd_http_new_message (HTTP_REQUEST);
if (cbd->bk->protocol == MAP_PROTO_HTTPS) {
msg->flags |= RSPAMD_HTTP_FLAG_SSL;
}
if (cbd->check) {
msg->method = HTTP_HEAD;
}
if (cbd->stage == map_load_file) {
msg->url = rspamd_fstring_new_init (cbd->data->path, strlen (cbd->data->path));
if (cbd->check &&
cbd->data->last_checked != 0 && cbd->stage == map_load_file) {
rspamd_http_date_format (datebuf, sizeof (datebuf),
cbd->data->last_checked);
rspamd_http_message_add_header (msg, "If-Modified-Since", datebuf);
}
}
else if (cbd->stage == map_load_pubkey) {
msg->url = rspamd_fstring_new_init (cbd->data->path, strlen (cbd->data->path));
msg->url = rspamd_fstring_append (msg->url, ".pub", 4);
}
else if (cbd->stage == map_load_signature) {
msg->url = rspamd_fstring_new_init (cbd->data->path, strlen (cbd->data->path));
msg->url = rspamd_fstring_append (msg->url, ".sig", 4);
}
else {
g_assert_not_reached ();
}
rspamd_http_connection_write_message (cbd->conn, msg, cbd->data->host,
NULL, cbd, cbd->fd, &cbd->tv, cbd->ev_base);
MAP_RETAIN (cbd, "http_callback_data");
}
else {
msg_err_map ("cannot connect to %s: %s", cbd->data->host,
strerror (errno));
cbd->periodic->errored = TRUE;
}
}
static void
rspamd_map_dns_callback (struct rdns_reply *reply, void *arg)
{
struct http_callback_data *cbd = arg;
struct rspamd_map *map;
guint flags = RSPAMD_HTTP_CLIENT_SIMPLE|RSPAMD_HTTP_CLIENT_SHARED;
map = cbd->map;
if (reply->code == RDNS_RC_NOERROR) {
/*
* We just get the first address hoping that a resolver performs
* round-robin rotation well
*/
if (cbd->addr == NULL) {
cbd->addr = rspamd_inet_address_from_rnds (reply->entries);
if (cbd->addr != NULL) {
rspamd_inet_address_set_port (cbd->addr, cbd->data->port);
/* Try to open a socket */
cbd->fd = rspamd_inet_address_connect (cbd->addr, SOCK_STREAM,
TRUE);
if (cbd->fd != -1) {
cbd->stage = map_load_file;
cbd->conn = rspamd_http_connection_new (NULL,
http_map_error,
http_map_finish,
flags,
RSPAMD_HTTP_CLIENT,
NULL,
cbd->map->cfg->libs_ctx->ssl_ctx);
write_http_request (cbd);
}
else {
rspamd_inet_address_destroy (cbd->addr);
cbd->addr = NULL;
}
}
}
}
else if (cbd->stage < map_load_file) {
if (cbd->stage == map_resolve_host2) {
/* We have still one request pending */
cbd->stage = map_resolve_host1;
}
else {
/* We could not resolve host, so cowardly fail here */
msg_err_map ("cannot resolve %s", cbd->data->host);
}
}
MAP_RELEASE (cbd, "http_callback_data");
}
/**
* Callback for reading data from file
*/
static gboolean
read_map_file (struct rspamd_map *map, struct file_map_data *data,
struct rspamd_map_backend *bk, struct map_periodic_cbdata *periodic)
{
guchar *bytes;
gsize len;
if (map->read_callback == NULL || map->fin_callback == NULL) {
msg_err_map ("bad callback for reading map file");
return FALSE;
}
if (access (data->filename, R_OK) == -1) {
/* File does not exist, skipping */
msg_err_map ("map file is unavailable for reading");
return TRUE;
}
bytes = rspamd_file_xmap (data->filename, PROT_READ, &len);
if (bytes == NULL) {
msg_err_map ("can't open map %s: %s", data->filename, strerror (errno));
return FALSE;
}
if (bk->is_signed) {
if (!rspamd_map_check_file_sig (data->filename, map, bk, bytes, len)) {
munmap (bytes, len);
return FALSE;
}
}
if (len > 0) {
map->read_callback (bytes, len, &periodic->cbdata, TRUE);
}
munmap (bytes, len);
return TRUE;
}
/*
* HTTP callbacks
*/
static void
http_map_error (struct rspamd_http_connection *conn,
GError *err)
{
struct http_callback_data *cbd = conn->ud;
struct rspamd_map *map;
map = cbd->map;
cbd->periodic->errored = TRUE;
msg_err_map ("connection with http server terminated incorrectly: %e", err);
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
MAP_RELEASE (cbd, "http_callback_data");
}
static int
http_map_finish (struct rspamd_http_connection *conn,
struct rspamd_http_message *msg)
{
struct http_callback_data *cbd = conn->ud;
struct rspamd_map *map;
struct rspamd_map_backend *bk;
guchar *aux_data, *in = NULL;
gsize inlen = 0, dlen = 0;
map = cbd->map;
bk = cbd->bk;
if (msg->code == 200) {
if (cbd->check) {
cbd->periodic->need_modify = TRUE;
/* Reset the whole chain */
cbd->periodic->cur_backend = 0;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
MAP_RELEASE (cbd, "http_callback_data");
return 0;
}
if (cbd->stage == map_load_file) {
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
/* Maybe we need to check signature ? */
if (bk->is_signed) {
if (bk->trusted_pubkey) {
/* No need to load key */
cbd->stage = map_load_signature;
cbd->pk = rspamd_pubkey_ref (bk->trusted_pubkey);
}
else {
cbd->stage = map_load_pubkey;
}
cbd->shmem_data = rspamd_http_message_shmem_ref (msg);
cbd->data_len = msg->body_buf.len;
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
MAP_RELEASE (cbd, "http_callback_data");
return 0;
}
else {
/* Unsinged version - just open file */
cbd->shmem_data = rspamd_http_message_shmem_ref (msg);
cbd->data_len = msg->body_buf.len;
goto read_data;
}
}
else if (cbd->stage == map_load_pubkey) {
/* We now can load pubkey */
cbd->shmem_pubkey = rspamd_http_message_shmem_ref (msg);
cbd->pubkey_len = msg->body_buf.len;
aux_data = rspamd_shmem_xmap (cbd->shmem_pubkey->shm_name,
PROT_READ, &inlen);
if (aux_data == NULL) {
msg_err_map ("cannot map pubkey file %s: %s",
cbd->shmem_pubkey->shm_name, strerror (errno));
goto err;
}
if (inlen < cbd->pubkey_len) {
msg_err_map ("cannot map pubkey file %s: %s",
cbd->shmem_pubkey->shm_name, strerror (errno));
munmap (aux_data, inlen);
goto err;
}
cbd->pk = rspamd_pubkey_from_base32 (aux_data, cbd->pubkey_len,
RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519);
munmap (aux_data, inlen);
if (cbd->pk == NULL) {
msg_err_map ("cannot load pubkey file %s: bad pubkey",
cbd->shmem_pubkey->shm_name);
goto err;
}
cbd->stage = map_load_signature;
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
MAP_RELEASE (cbd, "http_callback_data");
return 0;
}
else if (cbd->stage == map_load_signature) {
/* We can now check signature */
cbd->shmem_sig = rspamd_http_message_shmem_ref (msg);
cbd->sig_len = msg->body_buf.len;
aux_data = rspamd_shmem_xmap (cbd->shmem_sig->shm_name,
PROT_READ, &inlen);
if (aux_data == NULL) {
msg_err_map ("cannot map signature file %s: %s",
cbd->shmem_sig->shm_name, strerror (errno));
goto err;
}
if (inlen < cbd->sig_len) {
msg_err_map ("cannot map pubkey file %s: %s",
cbd->shmem_pubkey->shm_name, strerror (errno));
munmap (aux_data, inlen);
goto err;
}
in = rspamd_shmem_xmap (cbd->shmem_data->shm_name, PROT_READ, &dlen);
if (in == NULL) {
msg_err_map ("cannot read tempfile %s: %s",
cbd->shmem_data->shm_name,
strerror (errno));
munmap (aux_data, inlen);
goto err;
}
if (!rspamd_map_check_sig_pk_mem (aux_data, cbd->sig_len, map, in,
cbd->data_len, cbd->pk)) {
munmap (aux_data, inlen);
munmap (in, dlen);
goto err;
}
munmap (in, dlen);
}
read_data:
g_assert (cbd->shmem_data != NULL);
in = rspamd_shmem_xmap (cbd->shmem_data->shm_name, PROT_READ, &dlen);
if (in == NULL) {
msg_err_map ("cannot read tempfile %s: %s",
cbd->shmem_data->shm_name,
strerror (errno));
goto err;
}
map->read_callback (in, cbd->data_len, &cbd->periodic->cbdata, TRUE);
msg_info_map ("read map data from %s", cbd->data->host);
/*
* We know that a map is in the locked state
*/
if (g_atomic_int_compare_and_exchange (&map->cache->available, 0, 1)) {
/* Store cached data */
struct rspamd_http_map_cached_cbdata *cache_cbd;
struct timeval tv;
rspamd_strlcpy (map->cache->shmem_name, cbd->shmem_data->shm_name,
sizeof (map->cache->shmem_name));
map->cache->len = cbd->data_len;
map->cache->last_checked = cbd->data->last_checked;
cache_cbd = g_slice_alloc0 (sizeof (*cache_cbd));
cache_cbd->shm = cbd->shmem_data;
cache_cbd->map = map;
MAP_RETAIN (cache_cbd->shm, "shmem_data");
event_set (&cache_cbd->timeout, -1, EV_TIMEOUT, rspamd_map_cache_cb,
cache_cbd);
event_base_set (cbd->ev_base, &cache_cbd->timeout);
double_to_tv (map->poll_timeout, &tv);
event_add (&cache_cbd->timeout, &tv);
}
cbd->periodic->cur_backend ++;
munmap (in, dlen);
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
}
else if (msg->code == 304 && (cbd->check && cbd->stage == map_load_file)) {
msg_debug_map ("data is not modified for server %s",
cbd->data->host);
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
cbd->periodic->cur_backend ++;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
}
else {
msg_info_map ("cannot load map %s from %s: HTTP error %d",
bk->uri, cbd->data->host, msg->code);
}
MAP_RELEASE (cbd, "http_callback_data");
return 0;
err:
cbd->periodic->errored = 1;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
MAP_RELEASE (cbd, "http_callback_data");
return 0;
}
/**
* Async HTTP callback
*/
static void
rspamd_map_common_http_callback (struct rspamd_map *map, struct rspamd_map_backend *bk,
struct map_periodic_cbdata *periodic, gboolean check)
{
struct http_map_data *data;
struct http_callback_data *cbd;
gchar tmpbuf[PATH_MAX];
data = bk->data.hd;
cbd = g_slice_alloc0 (sizeof (struct http_callback_data));
rspamd_snprintf (tmpbuf, sizeof (tmpbuf),
"%s" G_DIR_SEPARATOR_S "rspamd_map%d-XXXXXX",
map->cfg->temp_dir, map->id);
cbd->out_fd = mkstemp (tmpbuf);
if (cbd->out_fd == -1) {
msg_err_map ("cannot create tempfile: %s", strerror (errno));
g_atomic_int_set (map->locked, 0);
g_slice_free1 (sizeof (*cbd), cbd);
periodic->errored = TRUE;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, periodic);
return;
}
cbd->tmpfile = g_strdup (tmpbuf);
cbd->ev_base = map->ev_base;
cbd->map = map;
cbd->data = data;
cbd->fd = -1;
cbd->check = check;
cbd->periodic = periodic;
MAP_RETAIN (periodic);
cbd->bk = bk;
MAP_RETAIN (bk);
cbd->stage = map_resolve_host2;
double_to_tv (map->cfg->map_timeout, &cbd->tv);
REF_INIT_RETAIN (cbd, free_http_cbdata);
msg_debug_map ("%s map data from %s", check ? "checking" : "reading",
data->host);
/* Send both A and AAAA requests */
if (map->r->r) {
if (rdns_make_request_full (map->r->r, rspamd_map_dns_callback, cbd,
map->cfg->dns_timeout, map->cfg->dns_retransmits, 1,
data->host, RDNS_REQUEST_A)) {
MAP_RETAIN (cbd);
}
if (rdns_make_request_full (map->r->r, rspamd_map_dns_callback, cbd,
map->cfg->dns_timeout, map->cfg->dns_retransmits, 1,
data->host, RDNS_REQUEST_AAAA)) {
MAP_RETAIN (cbd);
}
map->dtor = free_http_cbdata_dtor;
map->dtor_data = cbd;
}
else {
msg_warn_map ("cannot load map: DNS resolver is not initialized");
cbd->periodic->errored = TRUE;
}
/* We don't need own ref as it is now ref counted by DNS handlers */
MAP_RELEASE (cbd);
}
static int
http_map_finish (struct rspamd_http_connection *conn,
struct rspamd_http_message *msg)
{
struct http_callback_data *cbd = conn->ud;
struct rspamd_map *map;
struct rspamd_map_backend *bk;
char fpath[PATH_MAX];
guchar *aux_data, *in = NULL;
gsize inlen = 0;
struct stat st;
map = cbd->map;
bk = cbd->bk;
if (msg->code == 200) {
if (cbd->check) {
cbd->periodic->need_modify = TRUE;
/* Reset the whole chain */
cbd->periodic->cur_backend = 0;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
MAP_RELEASE (cbd);
return 0;
}
if (cbd->stage == map_load_file) {
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
/* Maybe we need to check signature ? */
if (bk->is_signed) {
close (cbd->out_fd);
if (bk->trusted_pubkey) {
/* No need to load key */
cbd->stage = map_load_signature;
cbd->pk = rspamd_pubkey_ref (bk->trusted_pubkey);
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig",
cbd->tmpfile);
}
else {
rspamd_snprintf (fpath, sizeof (fpath), "%s.pub",
cbd->tmpfile);
cbd->stage = map_load_pubkey;
}
cbd->out_fd = rspamd_file_xopen (fpath, O_RDWR|O_CREAT, 00644);
if (cbd->out_fd == -1) {
msg_err_map ("cannot open pubkey file %s for writing: %s",
fpath, strerror (errno));
goto err;
}
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
MAP_RELEASE (cbd);
return 0;
}
else {
/* Unsinged version - just open file */
in = rspamd_file_xmap (cbd->tmpfile, PROT_READ, &inlen);
if (in == NULL) {
msg_err_map ("cannot read tempfile %s: %s", cbd->tmpfile,
strerror (errno));
goto err;
}
}
}
else if (cbd->stage == map_load_pubkey) {
/* We now can load pubkey */
(void)lseek (cbd->out_fd, 0, SEEK_SET);
if (fstat (cbd->out_fd, &st) == -1) {
msg_err_map ("cannot stat pubkey file %s: %s",
fpath, strerror (errno));
goto err;
}
aux_data = mmap (NULL, st.st_size, PROT_READ, MAP_SHARED,
cbd->out_fd, 0);
close (cbd->out_fd);
cbd->out_fd = -1;
if (aux_data == MAP_FAILED) {
msg_err_map ("cannot map pubkey file %s: %s",
fpath, strerror (errno));
goto err;
}
cbd->pk = rspamd_pubkey_from_base32 (aux_data, st.st_size,
RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519);
munmap (aux_data, st.st_size);
if (cbd->pk == NULL) {
msg_err_map ("cannot load pubkey file %s: bad pubkey",
fpath);
goto err;
}
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig", cbd->tmpfile);
cbd->out_fd = rspamd_file_xopen (fpath, O_RDWR|O_CREAT, 00644);
if (cbd->out_fd == -1) {
msg_err_map ("cannot open signature file %s for writing: %s",
fpath, strerror (errno));
goto err;
}
cbd->stage = map_load_signature;
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
MAP_RELEASE (cbd);
return 0;
}
else if (cbd->stage == map_load_signature) {
/* We can now check signature */
close (cbd->out_fd);
cbd->out_fd = -1;
in = rspamd_file_xmap (cbd->tmpfile, PROT_READ, &inlen);
if (in == NULL) {
msg_err_map ("cannot read tempfile %s: %s", cbd->tmpfile,
strerror (errno));
goto err;
}
if (!rspamd_map_check_sig_pk (cbd->tmpfile, map, in, inlen, cbd->pk)) {
goto err;
}
}
g_assert (in != NULL);
map->read_callback (in, inlen, &cbd->periodic->cbdata, TRUE);
msg_info_map ("read map data from %s", cbd->data->host);
cbd->periodic->cur_backend ++;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
}
else if (msg->code == 304 && (cbd->check && cbd->stage == map_load_file)) {
msg_debug_map ("data is not modified for server %s",
cbd->data->host);
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
}
else {
msg_info_map ("cannot load map %s from %s: HTTP error %d",
bk->uri, cbd->data->host, msg->code);
}
MAP_RELEASE (cbd);
return 0;
err:
cbd->periodic->errored = 1;
rspamd_map_periodic_callback (-1, EV_TIMEOUT, cbd->periodic);
MAP_RELEASE (cbd);
return 0;
}
