1 /*
2  * Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>
3  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
4  * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org>
5  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
6  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
7  *
8  * Permission to use, copy, modify, and distribute this software for any
9  * purpose with or without fee is hereby granted, provided that the above
10  * copyright notice and this permission notice appear in all copies.
11  *
12  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19  */
20 
21 #include "compat.h"
22 
23 #include <sys/socket.h>
24 #include <sys/types.h>
25 #include <sys/uio.h>
26 
27 #include <errno.h>
28 #include <inttypes.h>
29 #include <pwd.h>
30 #include <signal.h>
31 #include <stdint.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <syslog.h>
36 #include <unistd.h>
37 
38 #include "control.h"
39 #include "kami.h"
40 #include "kamid.h"
41 #include "listener.h"
42 #include "log.h"
43 #include "sandbox.h"
44 #include "utils.h"
45 
46 #define IMSG_MAXSIZE (MAX_IMSGSIZE - IMSG_HEADER_SIZE)
47 
48 static struct kd_conf	*listener_conf;
49 static struct imsgev	*iev_main;
50 
51 static void	listener_sig_handler(int, short, void *);
52 __dead void	listener_shutdown(void);
53 
54 SPLAY_HEAD(clients_tree_id, client) clients;
55 
56 struct client {
57 	uint32_t		 id;
58 	uint32_t		 lid;
59 	uint32_t		 lflags;
60 	uint32_t		 msize;
61 	uint32_t		 left;
62 	int			 fd;
63 	struct tls		*ctx;
64 	struct event		 event;
65 	struct imsgev		 iev;
66 	struct bufferevent	*bev;
67 	SPLAY_ENTRY(client)	 sp_entry;
68 };
69 
70 static void	listener_imsg_event_add(struct imsgev *, void *);
71 static void	listener_dispatch_client(int, short, void *);
72 static int	listener_imsg_compose_client(struct client *, int,
73     uint32_t, const void *, uint16_t);
74 
75 static void	apply_config(struct kd_conf *);
76 static void	handle_accept(int, short, void *);
77 
78 static void	handle_handshake(int, short, void *);
79 static void	client_read(struct bufferevent *, void *);
80 static void	client_write(struct bufferevent *, void *);
81 static void	client_error(struct bufferevent *, short, void *);
82 static void	client_tls_readcb(int, short, void *);
83 static void	client_tls_writecb(int, short, void *);
84 static void	close_conn(struct client *);
85 static void	handle_close(int, short, void *);
86 
87 static inline int
88 clients_tree_cmp(struct client *a, struct client *b)
89 {
90 	if (a->id == b->id)
91 		return 0;
92 	else if (a->id < b->id)
93 		return -1;
94 	else
95 		return +1;
96 }
97 
98 SPLAY_PROTOTYPE(clients_tree_id, client, sp_entry, clients_tree_cmp);
99 SPLAY_GENERATE(clients_tree_id, client, sp_entry, clients_tree_cmp)
100 
101 static void
102 listener_sig_handler(int sig, short event, void *d)
103 {
104 	/*
105 	 * Normal signal handler rules don't apply because libevent
106 	 * decouples for us.
107 	 */
108 
109 	switch (sig) {
110 	case SIGINT:
111 	case SIGTERM:
112 		listener_shutdown();
113 	default:
114 		fatalx("unexpected signal %d", sig);
115 	}
116 }
117 
118 void
119 listener(int debug, int verbose)
120 {
121 	struct event		 ev_sigint, ev_sigterm;
122 	struct passwd		*pw;
123 
124 	/* listener_conf = config_new_empty(); */
125 
126 	log_init(debug, LOG_DAEMON);
127 	log_setverbose(verbose);
128 
129 	if ((pw = getpwnam(KD_USER)) == NULL)
130 		fatal("getpwnam");
131 
132 	if (chroot(pw->pw_dir) == -1)
133 		fatal("chroot");
134 	if (chdir("/") == -1)
135 		fatal("chdir(\"/\")");
136 
137 	setproctitle("listener");
138 	log_procinit("listener");
139 
140 	if (setgroups(1, &pw->pw_gid) ||
141 	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
142 	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
143 		fatal("can't drop privileges");
144 
145 	event_init();
146 
147 	/* Setup signal handlers(s). */
148 	signal_set(&ev_sigint, SIGINT, listener_sig_handler, NULL);
149 	signal_set(&ev_sigterm, SIGTERM, listener_sig_handler, NULL);
150 
151 	signal_add(&ev_sigint, NULL);
152 	signal_add(&ev_sigterm, NULL);
153 
154 	signal(SIGPIPE, SIG_IGN);
155 	signal(SIGHUP, SIG_IGN);
156 
157 	/* Setup pipe and event handler to the main process. */
158 	if ((iev_main = malloc(sizeof(*iev_main))) == NULL)
159 		fatal(NULL);
160 
161 	imsg_init(&iev_main->ibuf, 3);
162 	iev_main->handler = listener_dispatch_main;
163 
164 	/* Setup event handlers. */
165 	iev_main->events = EV_READ;
166 	event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events,
167 	    iev_main->handler, iev_main);
168 	event_add(&iev_main->ev, NULL);
169 
170 	sandbox_listener();
171 	event_dispatch();
172 	listener_shutdown();
173 }
174 
175 __dead void
176 listener_shutdown(void)
177 {
178 	msgbuf_clear(&iev_main->ibuf.w);
179 	close(iev_main->ibuf.fd);
180 
181 	clear_config(listener_conf);
182 
183 	free(iev_main);
184 
185 	log_info("listener exiting");
186 	exit(0);
187 }
188 
189 static void
190 listener_receive_config(struct imsg *imsg, struct kd_conf **nconf,
191     struct kd_pki_conf **pki)
192 {
193 	struct kd_listen_conf *listen;
194 	char *t;
195 
196 	switch (imsg->hdr.type) {
197 	case IMSG_RECONF_CONF:
198 		if (*nconf != NULL)
199 			fatalx("%s: IMSG_RECONF_CONF already in "
200 			    "progress", __func__);
201 
202 		if (IMSG_DATA_SIZE(*imsg) != sizeof(struct kd_conf))
203 			fatalx("%s: IMSG_RECONF_CONF wrong length: %lu",
204 			    __func__, IMSG_DATA_SIZE(*imsg));
205 		if ((*nconf = malloc(sizeof(**nconf))) == NULL)
206 			fatal(NULL);
207 		memcpy(*nconf, imsg->data, sizeof(**nconf));
208 		STAILQ_INIT(&(*nconf)->pki_head);
209 		STAILQ_INIT(&(*nconf)->table_head);
210 		STAILQ_INIT(&(*nconf)->listen_head);
211 		break;
212 	case IMSG_RECONF_PKI:
213 		if (*nconf == NULL)
214 			fatalx("%s: IMSG_RECONF_PKI without "
215 			    "IMSG_RECONF_CONF", __func__);
216 		*pki = xcalloc(1, sizeof(**pki));
217 		t = imsg->data;
218 		t[IMSG_DATA_SIZE(*imsg)-1] = '\0';
219 		strlcpy((*pki)->name, t, sizeof((*pki)->name));
220 		break;
221 	case IMSG_RECONF_PKI_CERT:
222 		if (*pki == NULL)
223 			fatalx("%s: IMSG_RECONF_PKI_CERT without "
224 			    "IMSG_RECONF_PKI", __func__);
225 		(*pki)->certlen = IMSG_DATA_SIZE(*imsg);
226 		(*pki)->cert = xmemdup(imsg->data, (*pki)->certlen);
227 		break;
228 	case IMSG_RECONF_PKI_KEY:
229 		if (*pki == NULL)
230 			fatalx("%s: IMSG_RECONF_PKI_KEY without "
231 			    "IMSG_RECONF_PKI", __func__);
232 		(*pki)->keylen = IMSG_DATA_SIZE(*imsg);
233 		(*pki)->key = xmemdup(imsg->data, (*pki)->keylen);
234 		STAILQ_INSERT_HEAD(&(*nconf)->pki_head, *pki, entry);
235 		pki = NULL;
236 		break;
237 	case IMSG_RECONF_LISTEN:
238 		if (*nconf == NULL)
239 			fatalx("%s: IMSG_RECONF_LISTEN without "
240 			    "IMSG_RECONF_CONF", __func__);
241 		if (IMSG_DATA_SIZE(*imsg) != sizeof(*listen))
242 			fatalx("%s: IMSG_RECONF_LISTEN wrong length: %lu",
243 			    __func__, IMSG_DATA_SIZE(*imsg));
244 		listen = xcalloc(1, sizeof(*listen));
245 		memcpy(listen, imsg->data, sizeof(*listen));
246 		memset(&listen->entry, 0, sizeof(listen->entry));
247 		if ((listen->fd = imsg->fd) == -1)
248 			fatalx("%s: IMSG_RECONF_LISTEN no fd",
249 			    __func__);
250 		listen->auth_table = NULL;
251 		memset(&listen->ev, 0, sizeof(listen->ev));
252 		STAILQ_INSERT_HEAD(&(*nconf)->listen_head, listen, entry);
253 		break;
254 	case IMSG_RECONF_END:
255 		if (*nconf == NULL)
256 			fatalx("%s: IMSG_RECONF_END without "
257 			    "IMSG_RECONF_CONF", __func__);
258 		apply_config(*nconf);
259 		*nconf = NULL;
260 		break;
261 	}
262 }
263 
264 void
265 listener_dispatch_main(int fd, short event, void *d)
266 {
267 	static struct kd_conf		*nconf;
268 	static struct kd_pki_conf	*pki;
269 	struct client			*client, find;
270 	struct imsg			 imsg;
271 	struct imsgev			*iev = d;
272 	struct imsgbuf			*ibuf;
273 	ssize_t				 n;
274 	int				 shut = 0;
275 
276 	ibuf = &iev->ibuf;
277 
278 	if (event & EV_READ) {
279 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
280 			fatal("imsg_read error");
281 		if (n == 0)	/* Connection closed. */
282 			shut = 1;
283 	}
284 	if (event & EV_WRITE) {
285 		if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN)
286 			fatal("msgbuf_write");
287 		if (n == 0)	/* Connection closed. */
288 			shut = 1;
289 	}
290 
291 	for (;;) {
292 		if ((n = imsg_get(ibuf, &imsg)) == -1)
293 			fatal("%s: imsg_get error", __func__);
294 		if (n == 0)	/* No more messages. */
295 			break;
296 
297 		switch (imsg.hdr.type) {
298 		case IMSG_CTL_LOG_VERBOSE:
299 			if (IMSG_DATA_SIZE(imsg) != sizeof(verbose))
300 				fatalx("wrong size for IMSG_CTL_LOG_VERBOSE");
301 			memcpy(&verbose, imsg.data, sizeof(verbose));
302 			log_setverbose(verbose);
303 			SPLAY_FOREACH(client, clients_tree_id, &clients)
304 				listener_imsg_compose_client(client,
305 				    imsg.hdr.type, 0,
306 				    &verbose, sizeof(verbose));
307 			break;
308 		case IMSG_CTL_DEBUG:
309 			if (SPLAY_EMPTY(&clients))
310 				listener_imsg_compose_main(IMSG_CTL_DEBUG_END,
311 				    imsg.hdr.peerid, NULL, 0);
312 			SPLAY_FOREACH(client, clients_tree_id, &clients)
313 				listener_imsg_compose_client(client,
314 				    imsg.hdr.type, imsg.hdr.peerid,
315 				    imsg.data, IMSG_DATA_SIZE(imsg));
316 			break;
317 		case IMSG_RECONF_CONF:
318 		case IMSG_RECONF_PKI:
319 		case IMSG_RECONF_PKI_CERT:
320 		case IMSG_RECONF_PKI_KEY:
321 		case IMSG_RECONF_LISTEN:
322 		case IMSG_RECONF_END:
323 			listener_receive_config(&imsg, &nconf, &pki);
324 			break;
325 		case IMSG_AUTH:
326 			if (IMSG_DATA_SIZE(imsg) != sizeof(struct kd_auth_proc))
327 				fatalx("mismatching size for IMSG_AUTH");
328 
329 			find.id = imsg.hdr.peerid;
330 			client = SPLAY_FIND(clients_tree_id, &clients, &find);
331 			if (client == NULL) {
332 				if (imsg.fd != -1)
333 					close(imsg.fd);
334 				break;
335 			}
336 			if (imsg.fd == -1) {
337 				log_info("got fd = -1, auth failed?");
338 				close_conn(client);
339 				break;
340 			}
341 			imsg_init(&client->iev.ibuf, imsg.fd);
342 			client->iev.events = EV_READ;
343 			client->iev.handler = listener_dispatch_client;
344 			event_set(&client->iev.ev, client->iev.ibuf.fd,
345 			    client->iev.events, client->iev.handler, client);
346 			listener_imsg_compose_client(client, IMSG_AUTH,
347 			    client->id, imsg.data, IMSG_DATA_SIZE(imsg));
348 
349 			client->bev = bufferevent_new(client->fd,
350 			    client_read, client_write, client_error,
351 			    client);
352 			if (client->bev == NULL) {
353 				log_info("failed to allocate client buffer");
354 				close_conn(client);
355 				return;
356 			}
357 
358 #if HAVE_EVENT2
359 			evbuffer_unfreeze(client->bev->input, 0);
360 			evbuffer_unfreeze(client->bev->output, 1);
361 #endif
362 
363 			if (client->lflags & L_TLS) {
364 				event_set(&client->bev->ev_read, client->fd,
365 				    EV_READ, client_tls_readcb, client->bev);
366 				event_set(&client->bev->ev_write, client->fd,
367 				    EV_WRITE, client_tls_writecb, client->bev);
368 			}
369 
370 			/*
371 			 * Read or write at least a header before
372 			 * firing the callbacks.  High watermark of 0
373 			 * to never stop reading/writing; probably to
374 			 * be revisited.
375 			 */
376 			/* bufferevent_setwatermark(client->bev, EV_READ|EV_WRITE, */
377 			    /* sizeof(struct np_msg_header), 0); */
378 			bufferevent_enable(client->bev, EV_READ|EV_WRITE);
379 			break;
380 
381 		default:
382 			log_debug("%s: unexpected imsg %d", __func__,
383 			    imsg.hdr.type);
384 			break;
385 		}
386 		imsg_free(&imsg);
387 	}
388 
389 	if (!shut)
390 		listener_imsg_event_add(iev, d);
391 	else {
392 		/* This pipe is dead.  Remove its event handler. */
393 		event_del(&iev->ev);
394 		log_warnx("pipe closed, shutting down...");
395 		event_loopexit(NULL);
396 	}
397 }
398 
399 int
400 listener_imsg_compose_main(int type, uint32_t peerid, const void *data,
401     uint16_t datalen)
402 {
403 	return imsg_compose_event(iev_main, type, peerid, 0, -1, data,
404 	    datalen);
405 }
406 
407 static void
408 listener_imsg_event_add(struct imsgev *iev, void *d)
409 {
410 	iev->events = EV_READ;
411 	if (iev->ibuf.w.queued)
412 		iev->events |= EV_WRITE;
413 
414 	event_del(&iev->ev);
415 	event_set(&iev->ev, iev->ibuf.fd, iev->events, iev->handler, d);
416 	event_add(&iev->ev, NULL);
417 }
418 
419 static void
420 listener_dispatch_client(int fd, short event, void *d)
421 {
422         struct client	 find, *client = d;
423 	struct imsg	 imsg;
424 	struct imsgev	*iev;
425 	struct imsgbuf	*ibuf;
426 	ssize_t		 n;
427 	int		 r, shut = 0;
428 
429 	iev = &client->iev;
430 	ibuf = &iev->ibuf;
431 
432 	if (event & EV_READ) {
433 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
434 			fatal("imsg_read error");
435 		if (n == 0)	/* Connection closed */
436 			shut = 1;
437 	}
438 
439 	if (event & EV_WRITE) {
440 		if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN)
441 			fatal("msgbuf_write");
442 		if (n == 0)	/* Connection closed. */
443 			shut = 1;
444 	}
445 
446 	for (;;) {
447 		if ((n = imsg_get(ibuf, &imsg)) == -1)
448 			fatal("%s: imsg_get error", __func__);
449 		if (n == 0)	/* No more messages. */
450 			break;
451 
452 		switch (imsg.hdr.type) {
453 		case IMSG_CTL_DEBUG_BACK:
454 		case IMSG_CTL_DEBUG_END:
455 			listener_imsg_compose_main(imsg.hdr.type,
456 			    imsg.hdr.peerid, imsg.data, IMSG_DATA_SIZE(imsg));
457 			break;
458 
459 		case IMSG_BUF:
460 			find.id = imsg.hdr.peerid;
461 			client = SPLAY_FIND(clients_tree_id, &clients, &find);
462 			if (client == NULL) {
463 				log_info("got IMSG_BUF but client %d gone",
464 				    imsg.hdr.peerid);
465 				break;
466 			}
467 			r = bufferevent_write(client->bev, imsg.data,
468 			    IMSG_DATA_SIZE(imsg));
469 			if (r == -1) {
470 				log_warn("%s: bufferevent_write failed",
471 				    __func__);
472 				close_conn(client);
473 				break;
474 			}
475 			break;
476 
477 		case IMSG_MSIZE:
478 			if (IMSG_DATA_SIZE(imsg) != sizeof(client->msize))
479 				fatal("IMSG_MSIZE size mismatch: "
480 				    "got %zu want %zu", IMSG_DATA_SIZE(imsg),
481 				    sizeof(client->msize));
482 
483 			memcpy(&client->msize, imsg.data,
484 			    sizeof(client->msize));
485 
486 			if (client->msize == 0)
487 				fatal("IMSG_MSIZE got msize = 0");
488 			log_debug("set msize to %d", client->msize);
489 			break;
490 
491 		case IMSG_CLOSE:
492 			/*
493 			 * Both EVBUFFER_READ or EVBUFFER_WRITE should
494 			 * be fine.
495 			 */
496 			client_error(client->bev, EVBUFFER_READ, client);
497 			break;
498 
499 		default:
500 			log_debug("%s: unexpected imsg %d", __func__,
501 			    imsg.hdr.type);
502 			break;
503 		}
504 		imsg_free(&imsg);
505 	}
506 
507 	if (!shut)
508 		listener_imsg_event_add(iev, d);
509 	else {
510 		/* This pipe is dead.  Remove its handler */
511 		log_debug("client proc vanished");
512                 close_conn(client);
513 	}
514 }
515 
516 static int
517 listener_imsg_compose_client(struct client *client, int type,
518     uint32_t peerid, const void *data, uint16_t len)
519 {
520 	int ret;
521 
522 	if ((ret = imsg_compose(&client->iev.ibuf, type, peerid, 0, -1,
523 	    data, len)) != -1)
524 		listener_imsg_event_add(&client->iev, client);
525 
526 	return ret;
527 }
528 
529 static inline struct kd_pki_conf *
530 pki_by_name(const char *name)
531 {
532         struct kd_pki_conf *pki;
533 
534 	STAILQ_FOREACH(pki, &listener_conf->pki_head, entry) {
535 		if (!strcmp(name, pki->name))
536 			return pki;
537 	}
538 
539 	return NULL;
540 }
541 
542 static void
543 apply_config(struct kd_conf *conf)
544 {
545 	struct kd_pki_conf *pki;
546 	struct kd_listen_conf *listen;
547 	struct client *c;
548 
549 	/* drop any pre-auth inflight connections */
550 	SPLAY_FOREACH(c, clients_tree_id, &clients) {
551 		/*
552 		 * c->event is set only during the handshake and the teardown
553 		 * of the connection; c->bev is set only after auth.  Checking
554 		 * for both ensures we drop only incoming connection in the
555 		 * pre-auth state.
556 		 */
557 		if (event_pending(&c->event, EV_READ|EV_WRITE, NULL) &&
558 		    c->bev == NULL) {
559 			log_warn("closing in-flight connection due to reload");
560 			close_conn(c);
561 		}
562 	}
563 
564 	/* swap the now config with the current one */
565 	clear_config(listener_conf);
566 	listener_conf = conf;
567 
568 	/* prepare the various tls_config */
569 	STAILQ_FOREACH(pki, &listener_conf->pki_head, entry) {
570 		if ((pki->tlsconf = tls_config_new()) == NULL)
571 			fatal("tls_config_new");
572 		tls_config_verify_client_optional(pki->tlsconf);
573 		tls_config_insecure_noverifycert(pki->tlsconf);
574 		if (tls_config_set_keypair_mem(pki->tlsconf,
575 		    pki->cert, pki->certlen,
576 		    pki->key, pki->keylen) == -1)
577 			fatalx("tls_config_set_keypair_mem: %s",
578 			    tls_config_error(pki->tlsconf));
579 	}
580 
581 	/* prepare and kickoff the listeners */
582 	STAILQ_FOREACH(listen, &listener_conf->listen_head, entry) {
583 		if ((listen->ctx = tls_server()) == NULL)
584 			fatal("tls_server");
585 
586 		pki = pki_by_name(listen->pki);
587 		if (tls_configure(listen->ctx, pki->tlsconf) == -1)
588 			fatalx("tls_configure: %s",
589 			    tls_config_error(pki->tlsconf));
590 
591 		event_set(&listen->ev, listen->fd, EV_READ|EV_PERSIST,
592 		    handle_accept, listen);
593 		event_add(&listen->ev, NULL);
594 	}
595 }
596 
597 static inline void
598 yield_r(struct client *c, void (*fn)(int, short, void *))
599 {
600 	if (event_pending(&c->event, EV_WRITE|EV_READ, NULL))
601 		event_del(&c->event);
602 	event_set(&c->event, c->fd, EV_READ, fn, c);
603 	event_add(&c->event, NULL);
604 }
605 
606 static inline void
607 yield_w(struct client *c, void (*fn)(int, short, void *))
608 {
609 	if (event_pending(&c->event, EV_WRITE|EV_READ, NULL))
610 		event_del(&c->event);
611 	event_set(&c->event, c->fd, EV_WRITE, fn, c);
612 	event_add(&c->event, NULL);
613 }
614 
615 static void
616 handle_accept(int fd, short ev, void *data)
617 {
618 	static uint32_t counter;
619 	struct kd_listen_conf *listen = data;
620 	struct client *c;
621 	int s;
622 
623 	if ((s = accept(fd, NULL, NULL)) == -1) {
624 		log_warn("accept");
625 		return;
626 	}
627 
628 	c = xcalloc(1, sizeof(*c));
629 	c->msize = MSIZE9P;
630 	c->lid = listen->id;
631 	c->lflags = listen->flags;
632 	c->iev.ibuf.fd = -1;
633 
634 	if (tls_accept_socket(listen->ctx, &c->ctx, s) == -1) {
635 		log_warnx("tls_accept_socket: %s",
636 		    tls_error(listen->ctx));
637 		free(c);
638 		close(s);
639 		return;
640 	}
641 
642 	c->fd = s;
643 	c->id = counter++;
644 
645 	SPLAY_INSERT(clients_tree_id, &clients, c);
646 
647 	/* initialize the event */
648 	event_set(&c->event, c->fd, EV_READ, NULL, NULL);
649 
650 	yield_r(c, handle_handshake);
651 }
652 
653 static void
654 handle_handshake(int fd, short ev, void *data)
655 {
656 	struct client *c = data;
657 	struct kd_auth_req auth;
658 	ssize_t r;
659 	const char *hash;
660 
661 	switch (r = tls_handshake(c->ctx)) {
662 	case TLS_WANT_POLLIN:
663 		yield_r(c, handle_handshake);
664 		return;
665 	case TLS_WANT_POLLOUT:
666 		yield_w(c, handle_handshake);
667 		return;
668 	case -1:
669 		log_debug("handhsake failed: %s", tls_error(c->ctx));
670 		close_conn(c);
671 		return;
672 	}
673 
674 	if ((hash = tls_peer_cert_hash(c->ctx)) == NULL) {
675 		log_warnx("client didn't provide certificate");
676 		close_conn(c);
677 		return;
678 	}
679 
680 	memset(&auth, 0, sizeof(auth));
681 	auth.listen_id = c->lid;
682 	strlcpy(auth.hash, hash, sizeof(auth.hash));
683 	log_debug("sending hash %s", auth.hash);
684 
685 	listener_imsg_compose_main(IMSG_AUTH_TLS, c->id,
686 	    &auth, sizeof(auth));
687 }
688 
689 static void
690 client_read(struct bufferevent *bev, void *d)
691 {
692 	struct client	*client = d;
693 	struct evbuffer	*src = EVBUFFER_INPUT(bev);
694 	size_t evlen;
695 	uint32_t len;
696 
697 	for (;;) {
698 		evlen = EVBUFFER_LENGTH(src);
699 
700 		if (client->left != 0) {
701 			/* wait to fill a whole imsg if possible */
702 			if (client->left >= IMSG_MAXSIZE &&
703 			    evlen < IMSG_MAXSIZE)
704 				return;
705 
706 			len = MIN(client->left, evlen);
707 			len = MIN(len, IMSG_MAXSIZE);
708 
709 			listener_imsg_compose_client(client, IMSG_BUF_CONT,
710 			    client->id, EVBUFFER_DATA(src), len);
711 			evbuffer_drain(src, len);
712 			client->left -= len;
713 			continue;
714 		}
715 
716 		if (evlen < 4)
717 			return;
718 
719 		memcpy(&len, EVBUFFER_DATA(src), sizeof(len));
720 		len = le32toh(len);
721 		log_debug("expecting a message %"PRIu32" bytes long "
722 		    "(of wich %zu already read)", len, evlen);
723 
724 		if (len < HEADERSIZE) {
725 			log_warnx("invalid message size %d (too low)", len);
726 			client_error(bev, EVBUFFER_READ, client);
727 			return;
728 		}
729 
730 		if (len > client->msize) {
731 			log_warnx("incoming message bigger than msize "
732 			    "(%"PRIu32" vs %"PRIu32")", len, client->msize);
733 			client_error(bev, EVBUFFER_READ, client);
734 			return;
735 		}
736 
737 		if (len > IMSG_MAXSIZE && evlen >= len) {
738 			listener_imsg_compose_client(client, IMSG_BUF,
739 			    client->id, EVBUFFER_DATA(src), IMSG_MAXSIZE);
740 			evbuffer_drain(src, IMSG_MAXSIZE);
741 			client->left = len - IMSG_MAXSIZE;
742 			continue;
743 		}
744 
745 		if (len > evlen)
746 			return;
747 
748 		listener_imsg_compose_client(client, IMSG_BUF, client->id,
749 		    EVBUFFER_DATA(src), len);
750 		evbuffer_drain(src, len);
751 	}
752 }
753 
754 static void
755 client_write(struct bufferevent *bev, void *d)
756 {
757 	/*
758 	 * here we can do some fancy logic like deciding when to call
759 	 *
760 	 *	(*bev->errorcb)(bev, EVBUFFER_WRITE, bev->cbarg)
761 	 *
762 	 * to signal the end of the transaction.
763 	 */
764 
765 	return;
766 }
767 
768 static void
769 client_error(struct bufferevent *bev, short err, void *d)
770 {
771 	struct client	*client = d;
772 	struct evbuffer	*buf;
773 
774         if (err & EVBUFFER_ERROR) {
775 		if (errno == EFBIG) {
776 			bufferevent_enable(bev, EV_READ);
777 			return;
778 		}
779 		log_debug("buffer event error");
780                 close_conn(client);
781 		return;
782 	}
783 
784 	if (err & EVBUFFER_EOF) {
785                 close_conn(client);
786 		return;
787 	}
788 
789 	if (err & (EVBUFFER_READ|EVBUFFER_WRITE)) {
790 		bufferevent_disable(bev, EV_READ|EV_WRITE);
791 
792 		buf = EVBUFFER_OUTPUT(client->bev);
793 		if (EVBUFFER_LENGTH(buf) != 0) {
794 			/* finish writing all the data first */
795 			bufferevent_enable(client->bev, EV_WRITE);
796 			return;
797 		}
798 
799 		close_conn(client);
800 		return;
801 	}
802 
803 	log_warnx("unknown event error, closing client connection");
804 	close_conn(client);
805 }
806 
807 static void
808 client_tls_readcb(int fd, short event, void *d)
809 {
810 	struct bufferevent	*bufev = d;
811 	struct client		*client = bufev->cbarg;
812 	char			 buf[IBUF_READ_SIZE];
813 	int			 what = EVBUFFER_READ;
814 	int			 howmuch = IBUF_READ_SIZE;
815 	ssize_t			 ret;
816 	size_t			 len;
817 
818 	if (event == EV_TIMEOUT) {
819 		what |= EVBUFFER_TIMEOUT;
820 		goto err;
821 	}
822 
823 	if (bufev->wm_read.high != 0)
824 		howmuch = MIN(sizeof(buf), bufev->wm_read.high);
825 
826         switch (ret = tls_read(client->ctx, buf, howmuch)) {
827 	case TLS_WANT_POLLIN:
828 	case TLS_WANT_POLLOUT:
829 		goto retry;
830 	case -1:
831 		what |= EVBUFFER_ERROR;
832 		goto err;
833 	}
834 	len = ret;
835 
836 	if (len == 0) {
837 		what |= EVBUFFER_EOF;
838 		goto err;
839 	}
840 
841 	if (evbuffer_add(bufev->input, buf, len) == -1) {
842 		what |= EVBUFFER_ERROR;
843 		goto err;
844 	}
845 
846 	event_add(&bufev->ev_read, NULL);
847 
848 	len = EVBUFFER_LENGTH(bufev->input);
849 	if (bufev->wm_read.low != 0 && len < bufev->wm_read.low)
850 		return;
851 	if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) {
852 		/*
853 		 * here we could implement some read pressure
854 		 * mechanism.
855 		 */
856 	}
857 
858 	if (bufev->readcb != NULL)
859 		(*bufev->readcb)(bufev, bufev->cbarg);
860 
861 	return;
862 
863 retry:
864 	event_add(&bufev->ev_read, NULL);
865 	return;
866 
867 err:
868 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
869 }
870 
871 static void
872 client_tls_writecb(int fd, short event, void *d)
873 {
874 	struct bufferevent	*bufev = d;
875 	struct client		*client = bufev->cbarg;
876 	ssize_t			 ret;
877 	size_t			 len;
878 	short			 what = EVBUFFER_WRITE;
879 
880 	if (event == EV_TIMEOUT) {
881 		what |= EVBUFFER_TIMEOUT;
882 		goto err;
883 	}
884 
885 	if (EVBUFFER_LENGTH(bufev->output) != 0) {
886 		ret = tls_write(client->ctx,
887 		    EVBUFFER_DATA(bufev->output),
888 		    EVBUFFER_LENGTH(bufev->output));
889 		switch (ret) {
890 		case TLS_WANT_POLLIN:
891 		case TLS_WANT_POLLOUT:
892 			goto retry;
893 		case -1:
894 			what |= EVBUFFER_ERROR;
895 			goto err;
896 		}
897 		len = ret;
898 		evbuffer_drain(bufev->output, len);
899 	}
900 
901 	if (EVBUFFER_LENGTH(bufev->output) != 0)
902 		event_add(&bufev->ev_write, NULL);
903 
904 	if (bufev->writecb != NULL &&
905 	    EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low)
906 		(*bufev->writecb)(bufev, bufev->cbarg);
907 	return;
908 
909 retry:
910 	event_add(&bufev->ev_write, NULL);
911 	return;
912 
913 err:
914 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
915 }
916 
917 static void
918 close_conn(struct client *c)
919 {
920 	log_debug("closing connection");
921 
922 	SPLAY_REMOVE(clients_tree_id, &clients, c);
923 
924 	if (c->iev.ibuf.fd != -1) {
925 		listener_imsg_compose_client(c, IMSG_CONN_GONE, 0, NULL, 0);
926 		imsg_flush(&c->iev.ibuf);
927 		msgbuf_clear(&c->iev.ibuf.w);
928 		event_del(&c->iev.ev);
929 		close(c->iev.ibuf.fd);
930 	}
931 
932 	handle_close(c->fd, 0, c);
933 }
934 
935 static void
936 handle_close(int fd, short ev, void *d)
937 {
938 	struct client *c = d;
939 
940 	switch (tls_close(c->ctx)) {
941 	case TLS_WANT_POLLIN:
942 		yield_r(c, handle_close);
943 		return;
944 	case TLS_WANT_POLLOUT:
945 		yield_w(c, handle_close);
946 		return;
947 	}
948 
949 	event_del(&c->event);
950 	tls_free(c->ctx);
951 	close(c->fd);
952 	free(c);
953 }