2 c68baad2 2023-06-06 op * Copyright (c) 2023 Omar Polo <op@omarpolo.com>
4 c68baad2 2023-06-06 op * Permission to use, copy, modify, and distribute this software for any
5 c68baad2 2023-06-06 op * purpose with or without fee is hereby granted, provided that the above
6 c68baad2 2023-06-06 op * copyright notice and this permission notice appear in all copies.
8 c68baad2 2023-06-06 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 c68baad2 2023-06-06 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 c68baad2 2023-06-06 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 c68baad2 2023-06-06 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 c68baad2 2023-06-06 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 c68baad2 2023-06-06 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 c68baad2 2023-06-06 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 c68baad2 2023-06-06 op #include "gmid.h"
19 c26f2460 2023-06-08 op #include <sys/stat.h>
21 3cb7e8d7 2023-08-25 op #include <errno.h>
22 c26f2460 2023-06-08 op #include <fcntl.h>
23 c26f2460 2023-06-08 op #include <limits.h>
24 c68baad2 2023-06-06 op #include <string.h>
25 9abba172 2023-08-07 op #include <syslog.h>
27 86693a33 2023-06-11 op #include <openssl/pem.h>
29 c26f2460 2023-06-08 op #include "log.h"
30 c26f2460 2023-06-08 op #include "proc.h"
33 af1dab18 2023-06-09 op config_new(void)
35 af1dab18 2023-06-09 op struct conf *conf;
37 af1dab18 2023-06-09 op conf = xcalloc(1, sizeof(*conf));
39 af1dab18 2023-06-09 op TAILQ_INIT(&conf->fcgi);
40 af1dab18 2023-06-09 op TAILQ_INIT(&conf->hosts);
41 86693a33 2023-06-11 op TAILQ_INIT(&conf->pkis);
42 509d0509 2023-06-23 op TAILQ_INIT(&conf->addrs);
44 af1dab18 2023-06-09 op conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
46 af1dab18 2023-06-09 op init_mime(&conf->mime);
48 af1dab18 2023-06-09 op conf->prefork = 3;
49 46bcc4ea 2023-07-26 op conf->log_syslog = 1;
50 9abba172 2023-08-07 op conf->log_facility = LOG_DAEMON;
51 f23b7087 2023-08-04 op conf->log_format = LOG_FORMAT_LEGACY;
53 ba290ef3 2023-06-11 op conf->use_privsep_crypto = 1;
59 af1dab18 2023-06-09 op config_purge(struct conf *conf)
61 c26f2460 2023-06-08 op struct privsep *ps;
62 5d22294a 2023-06-09 op struct fcgi *f, *tf;
63 c68baad2 2023-06-06 op struct vhost *h, *th;
64 c68baad2 2023-06-06 op struct location *l, *tl;
65 c68baad2 2023-06-06 op struct proxy *p, *tp;
66 c68baad2 2023-06-06 op struct envlist *e, *te;
67 c68baad2 2023-06-06 op struct alist *a, *ta;
68 86693a33 2023-06-11 op struct pki *pki, *tpki;
69 509d0509 2023-06-23 op struct address *addr, *taddr;
70 26df5098 2023-08-03 op int use_privsep_crypto, log_format;
72 af1dab18 2023-06-09 op ps = conf->ps;
73 ba290ef3 2023-06-11 op use_privsep_crypto = conf->use_privsep_crypto;
74 26df5098 2023-08-03 op log_format = conf->log_format;
76 226f13ec 2023-07-24 op free(conf->log_access);
77 af1dab18 2023-06-09 op free_mime(&conf->mime);
78 af1dab18 2023-06-09 op TAILQ_FOREACH_SAFE(f, &conf->fcgi, fcgi, tf) {
79 af1dab18 2023-06-09 op TAILQ_REMOVE(&conf->fcgi, f, fcgi);
83 af1dab18 2023-06-09 op TAILQ_FOREACH_SAFE(h, &conf->hosts, vhosts, th) {
84 1c6967b3 2023-06-08 op free(h->cert_path);
85 1c6967b3 2023-06-08 op free(h->key_path);
86 1c6967b3 2023-06-08 op free(h->ocsp_path);
87 c26f2460 2023-06-08 op free(h->cert);
89 c26f2460 2023-06-08 op free(h->ocsp);
91 509d0509 2023-06-23 op TAILQ_FOREACH_SAFE(addr, &h->addrs, addrs, taddr) {
92 509d0509 2023-06-23 op TAILQ_REMOVE(&h->addrs, addr, addrs);
96 c68baad2 2023-06-06 op TAILQ_FOREACH_SAFE(l, &h->locations, locations, tl) {
97 c68baad2 2023-06-06 op TAILQ_REMOVE(&h->locations, l, locations);
99 c68baad2 2023-06-06 op if (l->dirfd != -1)
100 c68baad2 2023-06-06 op close(l->dirfd);
102 deadd9e1 2023-06-09 op free(l->reqca_path);
103 deadd9e1 2023-06-09 op X509_STORE_free(l->reqca);
105 a1ba9650 2023-07-23 op TAILQ_FOREACH_SAFE(e, &l->params, envs, te) {
106 a1ba9650 2023-07-23 op TAILQ_REMOVE(&l->params, e, envs);
113 c68baad2 2023-06-06 op TAILQ_FOREACH_SAFE(a, &h->aliases, aliases, ta) {
114 c68baad2 2023-06-06 op TAILQ_REMOVE(&h->aliases, a, aliases);
118 c68baad2 2023-06-06 op TAILQ_FOREACH_SAFE(p, &h->proxies, proxies, tp) {
119 c68baad2 2023-06-06 op TAILQ_REMOVE(&h->proxies, p, proxies);
120 deadd9e1 2023-06-09 op free(p->cert_path);
121 deadd9e1 2023-06-09 op free(p->cert);
122 deadd9e1 2023-06-09 op free(p->key_path);
123 deadd9e1 2023-06-09 op free(p->key);
124 deadd9e1 2023-06-09 op free(p->reqca_path);
125 deadd9e1 2023-06-09 op X509_STORE_free(p->reqca);
129 af1dab18 2023-06-09 op TAILQ_REMOVE(&conf->hosts, h, vhosts);
133 86693a33 2023-06-11 op TAILQ_FOREACH_SAFE(pki, &conf->pkis, pkis, tpki) {
134 86693a33 2023-06-11 op TAILQ_REMOVE(&conf->pkis, pki, pkis);
135 86693a33 2023-06-11 op free(pki->hash);
136 86693a33 2023-06-11 op EVP_PKEY_free(pki->pkey);
140 509d0509 2023-06-23 op TAILQ_FOREACH_SAFE(addr, &conf->addrs, addrs, taddr) {
141 509d0509 2023-06-23 op TAILQ_REMOVE(&conf->addrs, addr, addrs);
142 509d0509 2023-06-23 op if (addr->sock != -1) {
143 509d0509 2023-06-23 op close(addr->sock);
144 509d0509 2023-06-23 op event_del(&addr->evsock);
145 e50f85ad 2023-06-24 op tls_free(addr->ctx);
150 af1dab18 2023-06-09 op memset(conf, 0, sizeof(*conf));
152 af1dab18 2023-06-09 op conf->ps = ps;
153 ba290ef3 2023-06-11 op conf->use_privsep_crypto = use_privsep_crypto;
154 af1dab18 2023-06-09 op conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
155 46bcc4ea 2023-07-26 op conf->log_syslog = 1;
156 9abba172 2023-08-07 op conf->log_facility = LOG_DAEMON;
157 26df5098 2023-08-03 op conf->log_format = log_format;
158 af1dab18 2023-06-09 op init_mime(&conf->mime);
159 af1dab18 2023-06-09 op TAILQ_INIT(&conf->fcgi);
160 af1dab18 2023-06-09 op TAILQ_INIT(&conf->hosts);
161 86693a33 2023-06-11 op TAILQ_INIT(&conf->pkis);
165 2e880a57 2023-06-10 op config_send_file(struct privsep *ps, enum privsep_procid id, int type,
166 2e880a57 2023-06-10 op int fd, void *data, size_t l)
171 c26f2460 2023-06-08 op proc_range(ps, id, &n, &m);
172 c26f2460 2023-06-08 op for (n = 0; n < m; ++n) {
174 deadd9e1 2023-06-09 op if (fd != -1 && (d = dup(fd)) == -1)
175 deadd9e1 2023-06-09 op fatal("dup %d", fd);
176 deadd9e1 2023-06-09 op if (proc_compose_imsg(ps, id, n, type, -1, d, data, l)
181 deadd9e1 2023-06-09 op if (fd != -1)
184 9fda9628 2023-06-24 op /* avoid fd rampage */
185 9fda9628 2023-06-24 op if (proc_flush_imsg(ps, id, -1) == -1) {
186 9fda9628 2023-06-24 op log_warn("%s: proc_fush_imsg", __func__);
194 2e880a57 2023-06-10 op config_open_send(struct privsep *ps, enum privsep_procid id, int type,
195 2e880a57 2023-06-10 op const char *path)
199 deadd9e1 2023-06-09 op log_debug("sending %s", path);
201 deadd9e1 2023-06-09 op if ((fd = open(path, O_RDONLY)) == -1)
202 deadd9e1 2023-06-09 op fatal("can't open %s", path);
204 2e880a57 2023-06-10 op return config_send_file(ps, id, type, fd, NULL, 0);
208 86693a33 2023-06-11 op config_send_kp(struct privsep *ps, int cert_type, int key_type,
209 86693a33 2023-06-11 op const char *cert, const char *key)
211 ba290ef3 2023-06-11 op struct conf *conf = ps->ps_env;
212 ba290ef3 2023-06-11 op int fd, d, key_target;
214 86693a33 2023-06-11 op log_debug("sending %s", cert);
215 86693a33 2023-06-11 op if ((fd = open(cert, O_RDONLY)) == -1)
216 86693a33 2023-06-11 op fatal("can't open %s", cert);
217 86693a33 2023-06-11 op if ((d = dup(fd)) == -1)
220 86693a33 2023-06-11 op if (config_send_file(ps, PROC_SERVER, cert_type, fd, NULL, 0) == -1) {
224 ba290ef3 2023-06-11 op if (conf->use_privsep_crypto &&
225 ba290ef3 2023-06-11 op config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
228 ba290ef3 2023-06-11 op key_target = PROC_CRYPTO;
229 ba290ef3 2023-06-11 op if (!conf->use_privsep_crypto)
230 ba290ef3 2023-06-11 op key_target = PROC_SERVER;
232 89cfcb45 2023-06-12 op if (config_open_send(ps, key_target, key_type, key) == -1)
239 509d0509 2023-06-23 op config_send_socks(struct conf *conf)
241 509d0509 2023-06-23 op struct privsep *ps = conf->ps;
242 509d0509 2023-06-23 op struct address *addr, a;
245 509d0509 2023-06-23 op TAILQ_FOREACH(addr, &conf->addrs, addrs) {
246 509d0509 2023-06-23 op sock = socket(addr->ai_family, addr->ai_socktype,
247 509d0509 2023-06-23 op addr->ai_protocol);
248 3cb7e8d7 2023-08-25 op if (sock == -1) {
249 3cb7e8d7 2023-08-25 op if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
251 509d0509 2023-06-23 op fatal("socket");
255 509d0509 2023-06-23 op if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &v, sizeof(v))
257 509d0509 2023-06-23 op fatal("setsockopt(SO_REUSEADDR)");
260 509d0509 2023-06-23 op if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, &v, sizeof(v))
262 509d0509 2023-06-23 op fatal("setsockopt(SO_REUSEPORT)");
264 509d0509 2023-06-23 op mark_nonblock(sock);
266 509d0509 2023-06-23 op if (bind(sock, (struct sockaddr *)&addr->ss, addr->slen)
268 509d0509 2023-06-23 op fatal("bind");
270 509d0509 2023-06-23 op if (listen(sock, 16) == -1)
271 509d0509 2023-06-23 op fatal("listen");
273 509d0509 2023-06-23 op memcpy(&a, addr, sizeof(a));
274 509d0509 2023-06-23 op a.conf = NULL;
276 509d0509 2023-06-23 op memset(&a.evsock, 0, sizeof(a.evsock));
277 509d0509 2023-06-23 op memset(&a.addrs, 0, sizeof(a.addrs));
279 509d0509 2023-06-23 op if (config_send_file(ps, PROC_SERVER, IMSG_RECONF_SOCK, sock,
280 509d0509 2023-06-23 op &a, sizeof(a)) == -1)
288 e45334e6 2023-06-09 op config_send(struct conf *conf)
290 c26f2460 2023-06-08 op struct privsep *ps = conf->ps;
291 c26f2460 2023-06-08 op struct etm *m;
292 5d22294a 2023-06-09 op struct fcgi *fcgi;
293 c26f2460 2023-06-08 op struct vhost *h;
294 c26f2460 2023-06-08 op struct location *l;
295 c26f2460 2023-06-08 op struct proxy *p;
296 c26f2460 2023-06-08 op struct envlist *e;
297 c26f2460 2023-06-08 op struct alist *a;
300 26df5098 2023-08-03 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_LOG_FMT,
301 26df5098 2023-08-03 op &conf->log_format, sizeof(conf->log_format)) == -1)
304 c26f2460 2023-06-08 op for (i = 0; i < conf->mime.len; ++i) {
305 c26f2460 2023-06-08 op m = &conf->mime.t[i];
306 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_MIME,
307 c26f2460 2023-06-08 op m, sizeof(*m)) == -1)
311 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_PROTOS,
312 c26f2460 2023-06-08 op &conf->protos, sizeof(conf->protos)) == -1)
315 c26f2460 2023-06-08 op if (config_send_socks(conf) == -1)
318 5d22294a 2023-06-09 op TAILQ_FOREACH(fcgi, &conf->fcgi, fcgi) {
319 5d22294a 2023-06-09 op log_debug("sending fastcgi %s", fcgi->path);
320 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_FCGI,
321 5d22294a 2023-06-09 op fcgi, sizeof(*fcgi)) == -1)
325 e45334e6 2023-06-09 op TAILQ_FOREACH(h, &conf->hosts, vhosts) {
326 1c6967b3 2023-06-08 op struct vhost vcopy;
327 a0a42860 2023-06-24 op struct address *addr, acopy;
329 1c6967b3 2023-06-08 op memcpy(&vcopy, h, sizeof(vcopy));
330 1c6967b3 2023-06-08 op vcopy.cert_path = NULL;
331 1c6967b3 2023-06-08 op vcopy.key_path = NULL;
332 1c6967b3 2023-06-08 op vcopy.ocsp_path = NULL;
334 c26f2460 2023-06-08 op log_debug("sending host %s", h->domain);
336 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_HOST,
337 1c6967b3 2023-06-08 op &vcopy, sizeof(vcopy)) == -1)
340 86693a33 2023-06-11 op if (config_send_kp(ps, IMSG_RECONF_CERT, IMSG_RECONF_KEY,
341 86693a33 2023-06-11 op h->cert_path, h->key_path) == -1)
344 1c6967b3 2023-06-08 op if (h->ocsp_path != NULL) {
345 15e60fdf 2023-06-11 op if (config_open_send(ps, PROC_SERVER, IMSG_RECONF_OCSP,
346 15e60fdf 2023-06-11 op h->ocsp_path) == -1)
350 a0a42860 2023-06-24 op TAILQ_FOREACH(addr, &h->addrs, addrs) {
351 a0a42860 2023-06-24 op memcpy(&acopy, addr, sizeof(acopy));
352 a0a42860 2023-06-24 op memset(&acopy.addrs, 0, sizeof(acopy.addrs));
354 a0a42860 2023-06-24 op if (proc_compose(ps, PROC_SERVER,
355 a0a42860 2023-06-24 op IMSG_RECONF_HOST_ADDR, &acopy, sizeof(acopy))
360 a0a42860 2023-06-24 op if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1) {
361 a0a42860 2023-06-24 op log_warn("%s: proc_fush_imsg", __func__);
365 c26f2460 2023-06-08 op TAILQ_FOREACH(l, &h->locations, locations) {
366 deadd9e1 2023-06-09 op struct location lcopy;
369 deadd9e1 2023-06-09 op memcpy(&lcopy, l, sizeof(lcopy));
370 deadd9e1 2023-06-09 op lcopy.reqca_path = NULL;
371 deadd9e1 2023-06-09 op lcopy.reqca = NULL;
372 deadd9e1 2023-06-09 op lcopy.dirfd = -1;
373 deadd9e1 2023-06-09 op memset(&lcopy.locations, 0, sizeof(lcopy.locations));
375 deadd9e1 2023-06-09 op if (l->reqca_path != NULL &&
376 deadd9e1 2023-06-09 op (fd = open(l->reqca_path, O_RDONLY)) == -1)
377 deadd9e1 2023-06-09 op fatal("can't open %s", l->reqca_path);
379 2e880a57 2023-06-10 op if (config_send_file(ps, PROC_SERVER, IMSG_RECONF_LOC,
380 2e880a57 2023-06-10 op fd, &lcopy, sizeof(lcopy)) == -1)
383 a1ba9650 2023-07-23 op TAILQ_FOREACH(e, &l->params, envs) {
384 a1ba9650 2023-07-23 op if (proc_compose(ps, PROC_SERVER,
385 a1ba9650 2023-07-23 op IMSG_RECONF_ENV, e, sizeof(*e)) == -1)
390 c26f2460 2023-06-08 op if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
393 c26f2460 2023-06-08 op TAILQ_FOREACH(a, &h->aliases, aliases) {
394 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_SERVER, IMSG_RECONF_ALIAS,
395 c26f2460 2023-06-08 op a, sizeof(*a)) == -1)
399 c26f2460 2023-06-08 op if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
402 c26f2460 2023-06-08 op TAILQ_FOREACH(p, &h->proxies, proxies) {
403 deadd9e1 2023-06-09 op struct proxy pcopy;
406 deadd9e1 2023-06-09 op memcpy(&pcopy, p, sizeof(pcopy));
407 deadd9e1 2023-06-09 op pcopy.cert_path = NULL;
408 deadd9e1 2023-06-09 op pcopy.cert = NULL;
409 deadd9e1 2023-06-09 op pcopy.certlen = 0;
410 deadd9e1 2023-06-09 op pcopy.key_path = NULL;
411 deadd9e1 2023-06-09 op pcopy.key = NULL;
412 deadd9e1 2023-06-09 op pcopy.keylen = 0;
413 deadd9e1 2023-06-09 op pcopy.reqca_path = NULL;
414 deadd9e1 2023-06-09 op pcopy.reqca = NULL;
416 deadd9e1 2023-06-09 op if (p->reqca_path != NULL) {
417 deadd9e1 2023-06-09 op fd = open(p->reqca_path, O_RDONLY);
418 deadd9e1 2023-06-09 op if (fd == -1)
419 deadd9e1 2023-06-09 op fatal("can't open %s", p->reqca_path);
422 2e880a57 2023-06-10 op if (config_send_file(ps, PROC_SERVER, IMSG_RECONF_PROXY,
423 2e880a57 2023-06-10 op fd, &pcopy, sizeof(pcopy)) == -1)
426 86693a33 2023-06-11 op if (p->cert_path == NULL || p->key_path == NULL)
429 86693a33 2023-06-11 op if (config_open_send(ps, PROC_SERVER,
430 86693a33 2023-06-11 op IMSG_RECONF_PROXY_CERT, p->cert_path) == -1 ||
431 2e880a57 2023-06-10 op config_open_send(ps, PROC_SERVER,
432 2e880a57 2023-06-10 op IMSG_RECONF_PROXY_KEY, p->key_path) == -1)
441 c26f2460 2023-06-08 op load_file(int fd, uint8_t **data, size_t *len)
443 c26f2460 2023-06-08 op struct stat sb;
446 c26f2460 2023-06-08 op if (fstat(fd, &sb) == -1)
447 c26f2460 2023-06-08 op fatal("fstat");
449 c26f2460 2023-06-08 op if (sb.st_size < 0 /* || sb.st_size > SIZE_MAX */) {
450 c26f2460 2023-06-08 op log_warnx("file too large");
454 c26f2460 2023-06-08 op *len = sb.st_size;
456 c26f2460 2023-06-08 op if ((*data = malloc(*len)) == NULL)
457 c26f2460 2023-06-08 op fatal("malloc");
459 4ad573d0 2023-06-11 op r = pread(fd, *data, *len, 0);
460 4ad573d0 2023-06-11 op if (r == -1 || (size_t)r != *len) {
461 4ad573d0 2023-06-11 op log_warn("read failed");
472 86693a33 2023-06-11 op config_crypto_recv_kp(struct conf *conf, struct imsg *imsg)
474 86693a33 2023-06-11 op static struct pki *pki;
479 86693a33 2023-06-11 op /* XXX: check for duplicates */
481 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
482 83a2644b 2024-01-21 op fatalx("%s: no fd for imsg %d", __func__, imsg_get_type(imsg));
484 83a2644b 2024-01-21 op switch (imsg_get_type(imsg)) {
485 86693a33 2023-06-11 op case IMSG_RECONF_CERT:
486 86693a33 2023-06-11 op if (pki != NULL)
487 86693a33 2023-06-11 op fatalx("imsg in wrong order; pki is not NULL");
488 86693a33 2023-06-11 op if ((pki = calloc(1, sizeof(*pki))) == NULL)
489 86693a33 2023-06-11 op fatal("calloc");
490 b03e976a 2024-01-21 op if (load_file(fd, &d, &len) == -1)
491 86693a33 2023-06-11 op fatalx("can't load file");
492 86693a33 2023-06-11 op if ((pki->hash = ssl_pubkey_hash(d, len)) == NULL)
493 86693a33 2023-06-11 op fatalx("failed to compute cert hash");
495 86693a33 2023-06-11 op TAILQ_INSERT_TAIL(&conf->pkis, pki, pkis);
498 86693a33 2023-06-11 op case IMSG_RECONF_KEY:
499 86693a33 2023-06-11 op if (pki == NULL)
500 83a2644b 2024-01-21 op fatalx("%s: RECONF_KEY: got key without cert",
502 b03e976a 2024-01-21 op if (load_file(fd, &d, &len) == -1)
503 86693a33 2023-06-11 op fatalx("failed to load private key");
504 86693a33 2023-06-11 op if ((pki->pkey = ssl_load_pkey(d, len)) == NULL)
505 86693a33 2023-06-11 op fatalx("failed load private key");
518 c26f2460 2023-06-08 op config_recv(struct conf *conf, struct imsg *imsg)
520 c26f2460 2023-06-08 op static struct vhost *h;
521 a1ba9650 2023-07-23 op static struct location *l;
522 deadd9e1 2023-06-09 op static struct proxy *p;
523 c26f2460 2023-06-08 op struct privsep *ps = conf->ps;
524 c26f2460 2023-06-08 op struct etm m;
525 5d22294a 2023-06-09 op struct fcgi *fcgi;
526 c26f2460 2023-06-08 op struct vhost *vh, vht;
527 c26f2460 2023-06-08 op struct location *loc;
528 c26f2460 2023-06-08 op struct envlist *env;
529 c26f2460 2023-06-08 op struct alist *alias;
530 c26f2460 2023-06-08 op struct proxy *proxy;
531 509d0509 2023-06-23 op struct address *addr;
536 83a2644b 2024-01-21 op switch (imsg_get_type(imsg)) {
537 c26f2460 2023-06-08 op case IMSG_RECONF_START:
538 af1dab18 2023-06-09 op config_purge(conf);
543 26df5098 2023-08-03 op case IMSG_RECONF_LOG_FMT:
544 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, &conf->log_format,
545 6dec2ad7 2024-01-21 op sizeof(conf->log_format)) == -1)
546 6dec2ad7 2024-01-21 op fatalx("bad length imsg LOG_FMT");
549 c26f2460 2023-06-08 op case IMSG_RECONF_MIME:
550 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, &m, sizeof(m)) == -1)
551 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_MIME");
552 c26f2460 2023-06-08 op if (m.mime[sizeof(m.mime) - 1] != '\0' ||
553 c26f2460 2023-06-08 op m.ext[sizeof(m.ext) - 1] != '\0')
554 c26f2460 2023-06-08 op fatal("received corrupted IMSG_RECONF_MIME");
555 c26f2460 2023-06-08 op if (add_mime(&conf->mime, m.mime, m.ext) == -1)
556 c26f2460 2023-06-08 op fatal("failed to add mime mapping %s -> %s",
557 c26f2460 2023-06-08 op m.mime, m.ext);
560 c26f2460 2023-06-08 op case IMSG_RECONF_PROTOS:
561 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, &conf->protos, sizeof(conf->protos))
563 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_PROTOS");
566 509d0509 2023-06-23 op case IMSG_RECONF_SOCK:
567 509d0509 2023-06-23 op addr = xcalloc(1, sizeof(*addr));
568 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, addr, sizeof(*addr)) == -1)
569 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_SOCK");
570 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
571 35dd3fc8 2023-06-24 op fatalx("missing socket for IMSG_RECONF_SOCK");
572 509d0509 2023-06-23 op addr->conf = conf;
573 b03e976a 2024-01-21 op addr->sock = fd;
574 509d0509 2023-06-23 op event_set(&addr->evsock, addr->sock, EV_READ|EV_PERSIST,
575 71b02f63 2023-07-01 op server_accept, addr);
576 e50f85ad 2023-06-24 op if ((addr->ctx = tls_server()) == NULL)
577 e50f85ad 2023-06-24 op fatal("tls_server failure");
578 509d0509 2023-06-23 op TAILQ_INSERT_HEAD(&conf->addrs, addr, addrs);
581 c26f2460 2023-06-08 op case IMSG_RECONF_FCGI:
582 5d22294a 2023-06-09 op fcgi = xcalloc(1, sizeof(*fcgi));
583 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, fcgi, sizeof(*fcgi)) == -1)
584 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_FCGI");
585 5d22294a 2023-06-09 op log_debug("received fcgi %s", fcgi->path);
586 5d22294a 2023-06-09 op TAILQ_INSERT_TAIL(&conf->fcgi, fcgi, fcgi);
589 c26f2460 2023-06-08 op case IMSG_RECONF_HOST:
590 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, &vht, sizeof(vht)) == -1)
591 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_HOST");
592 c26f2460 2023-06-08 op vh = new_vhost();
593 c26f2460 2023-06-08 op strlcpy(vh->domain, vht.domain, sizeof(vh->domain));
595 e45334e6 2023-06-09 op TAILQ_INSERT_TAIL(&conf->hosts, h, vhosts);
597 a1ba9650 2023-07-23 op /* reset location and proxy */
602 c26f2460 2023-06-08 op case IMSG_RECONF_CERT:
603 c26f2460 2023-06-08 op log_debug("receiving cert");
604 86693a33 2023-06-11 op if (privsep_process == PROC_CRYPTO)
605 86693a33 2023-06-11 op return config_crypto_recv_kp(conf, imsg);
606 c26f2460 2023-06-08 op if (h == NULL)
607 c26f2460 2023-06-08 op fatalx("recv'd cert without host");
608 c26f2460 2023-06-08 op if (h->cert != NULL)
609 c26f2460 2023-06-08 op fatalx("cert already received");
610 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
611 c26f2460 2023-06-08 op fatalx("no fd for IMSG_RECONF_CERT");
612 b03e976a 2024-01-21 op if (load_file(fd, &h->cert, &h->certlen) == -1)
613 c26f2460 2023-06-08 op fatalx("failed to load cert for %s",
617 c26f2460 2023-06-08 op case IMSG_RECONF_KEY:
618 c26f2460 2023-06-08 op log_debug("receiving key");
619 86693a33 2023-06-11 op if (privsep_process == PROC_CRYPTO)
620 86693a33 2023-06-11 op return config_crypto_recv_kp(conf, imsg);
621 c26f2460 2023-06-08 op if (h == NULL)
622 c26f2460 2023-06-08 op fatalx("recv'd key without host");
623 c26f2460 2023-06-08 op if (h->key != NULL)
624 c26f2460 2023-06-08 op fatalx("key already received");
625 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
626 c26f2460 2023-06-08 op fatalx("no fd for IMSG_RECONF_KEY");
627 b03e976a 2024-01-21 op if (load_file(fd, &h->key, &h->keylen) == -1)
628 c26f2460 2023-06-08 op fatalx("failed to load key for %s",
632 c26f2460 2023-06-08 op case IMSG_RECONF_OCSP:
633 c26f2460 2023-06-08 op log_debug("receiving ocsp");
634 c26f2460 2023-06-08 op if (h == NULL)
635 c26f2460 2023-06-08 op fatalx("recv'd ocsp without host");
636 c26f2460 2023-06-08 op if (h->ocsp != NULL)
637 c26f2460 2023-06-08 op fatalx("ocsp already received");
638 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
639 c26f2460 2023-06-08 op fatalx("no fd for IMSG_RECONF_OCSP");
640 b03e976a 2024-01-21 op if (load_file(fd, &h->ocsp, &h->ocsplen) == -1)
641 c26f2460 2023-06-08 op fatalx("failed to load ocsp for %s",
645 a0a42860 2023-06-24 op case IMSG_RECONF_HOST_ADDR:
646 a0a42860 2023-06-24 op log_debug("receiving host addr");
647 a0a42860 2023-06-24 op if (h == NULL)
648 a0a42860 2023-06-24 op fatalx("recv'd host address withouth host");
649 a0a42860 2023-06-24 op addr = xcalloc(1, sizeof(*addr));
650 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, addr, sizeof(*addr)) == -1)
651 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_HOST_ADDR");
652 a0a42860 2023-06-24 op TAILQ_INSERT_TAIL(&h->addrs, addr, addrs);
655 c26f2460 2023-06-08 op case IMSG_RECONF_LOC:
656 c26f2460 2023-06-08 op if (h == NULL)
657 c26f2460 2023-06-08 op fatalx("recv'd location without host");
658 c26f2460 2023-06-08 op loc = xcalloc(1, sizeof(*loc));
659 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, loc, sizeof(*loc)) == -1)
660 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_LOC");
661 a1ba9650 2023-07-23 op TAILQ_INIT(&loc->params);
663 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) != -1) {
664 b03e976a 2024-01-21 op if (load_file(fd, &d, &len) == -1)
665 2cef5cf4 2023-06-12 op fatal("load_file");
666 2cef5cf4 2023-06-12 op loc->reqca = load_ca(d, len);
667 deadd9e1 2023-06-09 op if (loc->reqca == NULL)
668 deadd9e1 2023-06-09 op fatalx("failed to load CA");
673 c26f2460 2023-06-08 op TAILQ_INSERT_TAIL(&h->locations, loc, locations);
676 c26f2460 2023-06-08 op case IMSG_RECONF_ENV:
677 a1ba9650 2023-07-23 op if (l == NULL)
678 a1ba9650 2023-07-23 op fatalx("recv'd env without location");
679 c26f2460 2023-06-08 op env = xcalloc(1, sizeof(*env));
680 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, env, sizeof(*env)) == -1)
681 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_ENV");
682 a1ba9650 2023-07-23 op TAILQ_INSERT_TAIL(&l->params, env, envs);
685 c26f2460 2023-06-08 op case IMSG_RECONF_ALIAS:
686 c26f2460 2023-06-08 op if (h == NULL)
687 c26f2460 2023-06-08 op fatalx("recv'd alias without host");
688 c26f2460 2023-06-08 op alias = xcalloc(1, sizeof(*alias));
689 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, alias, sizeof(*alias)) == -1)
690 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_ALIAS");
691 c26f2460 2023-06-08 op TAILQ_INSERT_TAIL(&h->aliases, alias, aliases);
694 c26f2460 2023-06-08 op case IMSG_RECONF_PROXY:
695 c26f2460 2023-06-08 op log_debug("receiving proxy");
696 c26f2460 2023-06-08 op if (h == NULL)
697 c26f2460 2023-06-08 op fatalx("recv'd proxy without host");
698 c26f2460 2023-06-08 op proxy = xcalloc(1, sizeof(*proxy));
699 6dec2ad7 2024-01-21 op if (imsg_get_data(imsg, proxy, sizeof(*proxy)) == -1)
700 6dec2ad7 2024-01-21 op fatalx("bad length imsg RECONF_PROXY");
702 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) != -1) {
703 b03e976a 2024-01-21 op if (load_file(fd, &d, &len) == -1)
704 2cef5cf4 2023-06-12 op fatal("load_file");
705 2cef5cf4 2023-06-12 op proxy->reqca = load_ca(d, len);
706 deadd9e1 2023-06-09 op if (proxy->reqca == NULL)
707 deadd9e1 2023-06-09 op fatal("failed to load CA");
711 c26f2460 2023-06-08 op TAILQ_INSERT_TAIL(&h->proxies, proxy, proxies);
715 deadd9e1 2023-06-09 op case IMSG_RECONF_PROXY_CERT:
716 deadd9e1 2023-06-09 op log_debug("receiving proxy cert");
717 deadd9e1 2023-06-09 op if (p == NULL)
718 deadd9e1 2023-06-09 op fatalx("recv'd proxy cert without proxy");
719 deadd9e1 2023-06-09 op if (p->cert != NULL)
720 deadd9e1 2023-06-09 op fatalx("proxy cert already received");
721 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
722 deadd9e1 2023-06-09 op fatalx("no fd for IMSG_RECONF_PROXY_CERT");
723 b03e976a 2024-01-21 op if (load_file(fd, &p->cert, &p->certlen) == -1)
724 deadd9e1 2023-06-09 op fatalx("failed to load cert for proxy %s of %s",
725 deadd9e1 2023-06-09 op p->host, h->domain);
728 deadd9e1 2023-06-09 op case IMSG_RECONF_PROXY_KEY:
729 deadd9e1 2023-06-09 op log_debug("receiving proxy key");
730 deadd9e1 2023-06-09 op if (p == NULL)
731 deadd9e1 2023-06-09 op fatalx("recv'd proxy key without proxy");
732 deadd9e1 2023-06-09 op if (p->key != NULL)
733 deadd9e1 2023-06-09 op fatalx("proxy key already received");
734 b03e976a 2024-01-21 op if ((fd = imsg_get_fd(imsg)) == -1)
735 deadd9e1 2023-06-09 op fatalx("no fd for IMSG_RECONF_PROXY_KEY");
736 b03e976a 2024-01-21 op if (load_file(fd, &p->key, &p->keylen) == -1)
737 deadd9e1 2023-06-09 op fatalx("failed to load key for proxy %s of %s",
738 deadd9e1 2023-06-09 op p->host, h->domain);
741 c26f2460 2023-06-08 op case IMSG_RECONF_END:
742 c26f2460 2023-06-08 op if (proc_compose(ps, PROC_PARENT, IMSG_RECONF_DONE,
743 c26f2460 2023-06-08 op NULL, 0) == -1)
755 3b431c09 2023-08-07 op config_test(struct conf *conf)
757 3b431c09 2023-08-07 op struct vhost *h;
758 3b431c09 2023-08-07 op struct address *addr;
762 d72ac636 2023-08-07 op * can't use config_crypto_recv_kp() because not on all platforms
763 d72ac636 2023-08-07 op * we're using the privsep crypto engine (yet).
765 d72ac636 2023-08-07 op conf->use_privsep_crypto = 0;
767 d72ac636 2023-08-07 op TAILQ_FOREACH(h, &conf->hosts, vhosts) {
768 3b431c09 2023-08-07 op if ((fd = open(h->cert_path, O_RDONLY)) == -1) {
769 3b431c09 2023-08-07 op log_warn("can't open %s", h->cert_path);
772 d72ac636 2023-08-07 op if (load_file(fd, &h->cert, &h->certlen) == -1) {
773 d72ac636 2023-08-07 op log_warnx("failed to load cert for %s",
778 3b431c09 2023-08-07 op if ((fd = open(h->key_path, O_RDONLY)) == -1) {
779 3b431c09 2023-08-07 op log_warn("can't open %s", h->key_path);
782 d72ac636 2023-08-07 op if (load_file(fd, &h->key, &h->keylen) == -1) {
783 d72ac636 2023-08-07 op log_warnx("failed to load key for %s",
789 3b431c09 2023-08-07 op TAILQ_FOREACH(addr, &conf->addrs, addrs) {
790 3b431c09 2023-08-07 op if ((addr->ctx = tls_server()) == NULL)
791 3b431c09 2023-08-07 op fatal("tls_server failed");
792 3b431c09 2023-08-07 op addr->sock = -1;
795 3b431c09 2023-08-07 op if (server_configure_done(conf))