From f8e5c55a036f0e2e2a958e30456270f3f9eba933 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:52:13 +0200 Subject: Adding upstream version 1.9.5p2. Signed-off-by: Daniel Baumann --- logsrvd/logsrvd.c | 2042 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2042 insertions(+) create mode 100644 logsrvd/logsrvd.c (limited to 'logsrvd/logsrvd.c') diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c new file mode 100644 index 0000000..66b84c2 --- /dev/null +++ b/logsrvd/logsrvd.c @@ -0,0 +1,2042 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2019-2020 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#ifdef HAVE_STDBOOL_H +# include +#else +# include "compat/stdbool.h" +#endif /* HAVE_STDBOOL_H */ +#if defined(HAVE_STDINT_H) +# include +#elif defined(HAVE_INTTYPES_H) +# include +#endif +#include +#include +#include +#include +#include +#ifdef HAVE_GETOPT_LONG +# include +# else +# include "compat/getopt.h" +#endif /* HAVE_GETOPT_LONG */ + +#if defined(HAVE_OPENSSL) +# include +# include +#endif + +#define NEED_INET_NTOP /* to expose sudo_inet_ntop in sudo_compat.h */ + +#include "pathnames.h" +#include "sudo_compat.h" +#include "sudo_conf.h" +#include "sudo_debug.h" +#include "sudo_event.h" +#include "sudo_eventlog.h" +#include "sudo_fatal.h" +#include "sudo_gettext.h" +#include "sudo_json.h" +#include "sudo_iolog.h" +#include "sudo_queue.h" +#include "sudo_rand.h" +#include "sudo_util.h" + +#include "log_server.pb-c.h" +#include "hostcheck.h" +#include "logsrvd.h" + +#if defined(HAVE_OPENSSL) +# define LOGSRVD_DEFAULT_CIPHER_LST12 "HIGH:!aNULL" +# define LOGSRVD_DEFAULT_CIPHER_LST13 "TLS_AES_256_GCM_SHA384" +#endif + +#ifndef O_NOFOLLOW +# define O_NOFOLLOW 0 +#endif + +/* + * Sudo I/O audit server. + */ +static int logsrvd_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER; +TAILQ_HEAD(connection_list, connection_closure); +static struct connection_list connections = TAILQ_HEAD_INITIALIZER(connections); +static struct listener_list listeners = TAILQ_HEAD_INITIALIZER(listeners); +static const char server_id[] = "Sudo Audit Server " PACKAGE_VERSION; +static const char *conf_file = _PATH_SUDO_LOGSRVD_CONF; +static double random_drop; + +/* Server callback may redirect to client callback for TLS. */ +static void client_msg_cb(int fd, int what, void *v); + +/* + * Free a struct connection_closure container and its contents. + */ +static void +connection_closure_free(struct connection_closure *closure) +{ + debug_decl(connection_closure_free, SUDO_DEBUG_UTIL); + + if (closure != NULL) { + bool shutting_down = closure->state == SHUTDOWN; + struct sudo_event_base *evbase = closure->evbase; + + TAILQ_REMOVE(&connections, closure, entries); +#if defined(HAVE_OPENSSL) + if (closure->tls) { + SSL_shutdown(closure->ssl); + SSL_free(closure->ssl); + } +#endif + close(closure->sock); + iolog_close_all(closure); + sudo_ev_free(closure->commit_ev); + sudo_ev_free(closure->read_ev); + sudo_ev_free(closure->write_ev); +#if defined(HAVE_OPENSSL) + sudo_ev_free(closure->ssl_accept_ev); +#endif + eventlog_free(closure->evlog); + free(closure->read_buf.data); + free(closure->write_buf.data); + free(closure); + + if (shutting_down && TAILQ_EMPTY(&connections)) + sudo_ev_loopbreak(evbase); + } + + debug_return; +} + +static bool +fmt_server_message(struct connection_buffer *buf, ServerMessage *msg) +{ + uint32_t msg_len; + bool ret = false; + size_t len; + debug_decl(fmt_server_message, SUDO_DEBUG_UTIL); + + if (buf->len != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "pending write, unable to format ServerMessage"); + debug_return_bool(false); + } + + len = server_message__get_packed_size(msg); + if (len > MESSAGE_SIZE_MAX) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "server message too large: %zu", len); + goto done; + } + + /* Wire message size is used for length encoding, precedes message. */ + msg_len = htonl((uint32_t)len); + len += sizeof(msg_len); + + /* Resize buffer as needed. */ + if (len > buf->size) { + free(buf->data); + buf->size = sudo_pow2_roundup(len); + if ((buf->data = malloc(buf->size)) == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to malloc %u", buf->size); + buf->size = 0; + goto done; + } + } + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "size + server message %zu bytes", len); + + memcpy(buf->data, &msg_len, sizeof(msg_len)); + server_message__pack(msg, buf->data + sizeof(msg_len)); + buf->len = len; + ret = true; + +done: + debug_return_bool(ret); +} + +static bool +fmt_hello_message(struct connection_buffer *buf, bool tls) +{ + ServerMessage msg = SERVER_MESSAGE__INIT; + ServerHello hello = SERVER_HELLO__INIT; + debug_decl(fmt_hello_message, SUDO_DEBUG_UTIL); + + /* TODO: implement redirect and servers array. */ + hello.server_id = (char *)server_id; + msg.u.hello = &hello; + msg.type_case = SERVER_MESSAGE__TYPE_HELLO; + + debug_return_bool(fmt_server_message(buf, &msg)); +} + +static bool +fmt_log_id_message(const char *id, struct connection_buffer *buf) +{ + ServerMessage msg = SERVER_MESSAGE__INIT; + debug_decl(fmt_log_id_message, SUDO_DEBUG_UTIL); + + msg.u.log_id = (char *)id; + msg.type_case = SERVER_MESSAGE__TYPE_LOG_ID; + + debug_return_bool(fmt_server_message(buf, &msg)); +} + +static bool +fmt_error_message(const char *errstr, struct connection_buffer *buf) +{ + ServerMessage msg = SERVER_MESSAGE__INIT; + debug_decl(fmt_error_message, SUDO_DEBUG_UTIL); + + msg.u.error = (char *)errstr; + msg.type_case = SERVER_MESSAGE__TYPE_ERROR; + + debug_return_bool(fmt_server_message(buf, &msg)); +} + +struct logsrvd_info_closure { + InfoMessage **info_msgs; + size_t infolen; +}; + +static bool +logsrvd_json_log_cb(struct json_container *json, void *v) +{ + struct logsrvd_info_closure *closure = v; + struct json_value json_value; + size_t idx; + debug_decl(logsrvd_json_log_cb, SUDO_DEBUG_UTIL); + + for (idx = 0; idx < closure->infolen; idx++) { + InfoMessage *info = closure->info_msgs[idx]; + + switch (info->value_case) { + case INFO_MESSAGE__VALUE_NUMVAL: + json_value.type = JSON_NUMBER; + json_value.u.number = info->u.numval; + if (!sudo_json_add_value(json, info->key, &json_value)) + goto bad; + break; + case INFO_MESSAGE__VALUE_STRVAL: + json_value.type = JSON_STRING; + json_value.u.string = info->u.strval; + if (!sudo_json_add_value(json, info->key, &json_value)) + goto bad; + break; + case INFO_MESSAGE__VALUE_STRLISTVAL: { + InfoMessage__StringList *strlist = info->u.strlistval; + size_t n; + + if (!sudo_json_open_array(json, info->key)) + goto bad; + for (n = 0; n < strlist->n_strings; n++) { + json_value.type = JSON_STRING; + json_value.u.string = strlist->strings[n]; + if (!sudo_json_add_value(json, NULL, &json_value)) + goto bad; + } + if (!sudo_json_close_array(json)) + goto bad; + break; + } + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected value case %d", info->value_case); + goto bad; + } + } + debug_return_bool(true); +bad: + debug_return_bool(false); +} + +/* + * Parse an AcceptMessage + */ +static bool +handle_accept(AcceptMessage *msg, struct connection_closure *closure) +{ + struct logsrvd_info_closure info = { msg->info_msgs, msg->n_info_msgs }; + debug_decl(handle_accept, SUDO_DEBUG_UTIL); + + if (closure->state != INITIAL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + + /* Check that message is valid. */ + if (msg->submit_time == NULL || msg->n_info_msgs == 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "invalid AcceptMessage, submit_time: %p, n_info_msgs: %zu", + msg->submit_time, msg->n_info_msgs); + closure->errstr = _("invalid AcceptMessage"); + debug_return_bool(false); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received AcceptMessage", __func__); + + closure->evlog = evlog_new(msg->submit_time, msg->info_msgs, + msg->n_info_msgs); + if (closure->evlog == NULL) { + closure->errstr = _("error parsing AcceptMessage"); + debug_return_bool(false); + } + + /* Create I/O log info file and parent directories. */ + if (msg->expect_iobufs) { + if (!iolog_init(msg, closure)) { + closure->errstr = _("error creating I/O log"); + debug_return_bool(false); + } + closure->log_io = true; + } + + if (!eventlog_accept(closure->evlog, 0, logsrvd_json_log_cb, &info)) { + closure->errstr = _("error logging accept event"); + debug_return_bool(false); + } + + if (msg->expect_iobufs) { + /* Send log ID to client for restarting connections. */ + if (!fmt_log_id_message(closure->evlog->iolog_path, &closure->write_buf)) + debug_return_bool(false); + if (sudo_ev_add(closure->evbase, closure->write_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add server write event"); + debug_return_bool(false); + } + } + + closure->state = RUNNING; + debug_return_bool(true); +} + +/* + * Parse a RejectMessage + */ +static bool +handle_reject(RejectMessage *msg, struct connection_closure *closure) +{ + struct logsrvd_info_closure info = { msg->info_msgs, msg->n_info_msgs }; + debug_decl(handle_reject, SUDO_DEBUG_UTIL); + + if (closure->state != INITIAL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + + /* Check that message is valid. */ + if (msg->submit_time == NULL || msg->n_info_msgs == 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "invalid RejectMessage, submit_time: %p, n_info_msgs: %zu", + msg->submit_time, msg->n_info_msgs); + closure->errstr = _("invalid RejectMessage"); + debug_return_bool(false); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received RejectMessage", __func__); + + closure->evlog = evlog_new(msg->submit_time, msg->info_msgs, + msg->n_info_msgs); + if (closure->evlog == NULL) { + closure->errstr = _("error parsing RejectMessage"); + debug_return_bool(false); + } + + if (!eventlog_reject(closure->evlog, 0, msg->reason, + logsrvd_json_log_cb, &info)) { + closure->errstr = _("error logging reject event"); + debug_return_bool(false); + } + + closure->state = FINISHED; + debug_return_bool(true); +} + +static bool +handle_exit(ExitMessage *msg, struct connection_closure *closure) +{ + struct timespec tv = { 0, 0 }; + mode_t mode; + debug_decl(handle_exit, SUDO_DEBUG_UTIL); + + if (closure->state != RUNNING) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received ExitMessage", __func__); + + /* Sudo I/O logs don't store this info. */ + if (msg->signal != NULL && msg->signal[0] != '\0') { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "command was killed by SIG%s%s", msg->signal, + msg->dumped_core ? " (core dumped)" : ""); + } else { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "command exited with %d", msg->exit_value); + } + + if (closure->log_io) { + /* No more data, command exited. */ + closure->state = EXITED; + sudo_ev_del(closure->evbase, closure->read_ev); + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: elapsed time: %lld, %ld", + __func__, (long long)closure->elapsed_time.tv_sec, + closure->elapsed_time.tv_nsec); + + /* Clear write bits from I/O timing file to indicate completion. */ + mode = logsrvd_conf_iolog_mode(); + CLR(mode, S_IWUSR|S_IWGRP|S_IWOTH); + if (fchmodat(closure->iolog_dir_fd, "timing", mode, 0) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to fchmodat timing file"); + } + + /* Schedule the final commit point event immediately. */ + if (sudo_ev_add(closure->evbase, closure->commit_ev, &tv, false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add commit point event"); + debug_return_bool(false); + } + } else { + /* Command exited, no I/O logs to flush. */ + closure->state = FINISHED; + } + + debug_return_bool(true); +} + +static bool +handle_restart(RestartMessage *msg, struct connection_closure *closure) +{ + debug_decl(handle_restart, SUDO_DEBUG_UTIL); + + if (closure->state != INITIAL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received RestartMessage for %s", + __func__, msg->log_id); + + if (!iolog_restart(msg, closure)) { + sudo_debug_printf(SUDO_DEBUG_WARN, "%s: unable to restart I/O log", __func__); + /* XXX - structured error message so client can send from beginning */ + if (!fmt_error_message(closure->errstr, &closure->write_buf)) + debug_return_bool(false); + sudo_ev_del(closure->evbase, closure->read_ev); + if (sudo_ev_add(closure->evbase, closure->write_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add server write event"); + debug_return_bool(false); + } + closure->state = ERROR; + debug_return_bool(true); + } + + closure->state = RUNNING; + debug_return_bool(true); +} + +static bool +handle_alert(AlertMessage *msg, struct connection_closure *closure) +{ + struct timespec alert_time; + debug_decl(handle_alert, SUDO_DEBUG_UTIL); + + /* Check that message is valid. */ + if (msg->alert_time == NULL || msg->reason == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "invalid AlertMessage, alert_time: %p, reason: %p", + msg->alert_time, msg->reason); + closure->errstr = _("invalid AlertMessage"); + debug_return_bool(false); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received AlertMessage", __func__); + + if (msg->info_msgs != NULL && msg->n_info_msgs != 0) { + closure->evlog = evlog_new(NULL, msg->info_msgs, msg->n_info_msgs); + if (closure->evlog == NULL) { + closure->errstr = _("error parsing AlertMessage"); + debug_return_bool(false); + } + } + + alert_time.tv_sec = msg->alert_time->tv_sec; + alert_time.tv_nsec = msg->alert_time->tv_nsec; + if (!eventlog_alert(closure->evlog, 0, &alert_time, msg->reason, NULL)) { + closure->errstr = _("error logging alert event"); + debug_return_bool(false); + } + + debug_return_bool(true); +} + +static bool +handle_iobuf(int iofd, IoBuffer *msg, struct connection_closure *closure) +{ + debug_decl(handle_iobuf, SUDO_DEBUG_UTIL); + + if (closure->state != RUNNING) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + if (!closure->log_io) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "not logging I/O"); + closure->errstr = _("protocol error"); + debug_return_bool(false); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received IoBuffer", __func__); + + /* Store IoBuffer in log. */ + if (store_iobuf(iofd, msg, closure) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "failed to store IoBuffer"); + closure->errstr = _("error writing IoBuffer"); + debug_return_bool(false); + } + + /* Random drop is a debugging tool to test client restart. */ + if (random_drop > 0.0) { + double randval = arc4random() / (double)UINT32_MAX; + if (randval < random_drop) { + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "randomly dropping connection (%f < %f)", randval, random_drop); + debug_return_bool(false); + } + } + + /* Schedule a commit point in 10 sec if one is not already pending. */ + if (!ISSET(closure->commit_ev->flags, SUDO_EVQ_INSERTED)) { + struct timespec tv = { ACK_FREQUENCY, 0 }; + if (sudo_ev_add(closure->evbase, closure->commit_ev, &tv, false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add commit point event"); + debug_return_bool(false); + } + } + + debug_return_bool(true); +} + +static bool +handle_winsize(ChangeWindowSize *msg, struct connection_closure *closure) +{ + debug_decl(handle_winsize, SUDO_DEBUG_UTIL); + + if (closure->state != RUNNING) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + if (!closure->log_io) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "not logging I/O"); + closure->errstr = _("protocol error"); + debug_return_bool(false); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received ChangeWindowSize", + __func__); + + /* Store new window size in log. */ + if (store_winsize(msg, closure) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "failed to store ChangeWindowSize"); + closure->errstr = _("error writing ChangeWindowSize"); + debug_return_bool(false); + } + + debug_return_bool(true); +} + +static bool +handle_suspend(CommandSuspend *msg, struct connection_closure *closure) +{ + debug_decl(handle_suspend, SUDO_DEBUG_UTIL); + + if (closure->state != RUNNING) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + if (!closure->log_io) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "not logging I/O"); + closure->errstr = _("protocol error"); + debug_return_bool(false); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received CommandSuspend", + __func__); + + /* Store suspend signal in log. */ + if (store_suspend(msg, closure) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "failed to store CommandSuspend"); + closure->errstr = _("error writing CommandSuspend"); + debug_return_bool(false); + } + + debug_return_bool(true); +} + +static bool +handle_client_hello(ClientHello *msg, struct connection_closure *closure) +{ + debug_decl(handle_client_hello, SUDO_DEBUG_UTIL); + + if (closure->state != INITIAL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected state %d", closure->state); + closure->errstr = _("state machine error"); + debug_return_bool(false); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received ClientHello", + __func__); + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: client ID %s", + __func__, msg->client_id); + + debug_return_bool(true); +} + +static bool +handle_client_message(uint8_t *buf, size_t len, + struct connection_closure *closure) +{ + ClientMessage *msg; + bool ret = false; + debug_decl(handle_client_message, SUDO_DEBUG_UTIL); + + msg = client_message__unpack(NULL, len, buf); + if (msg == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to unpack ClientMessage size %zu", len); + debug_return_bool(false); + } + + switch (msg->type_case) { + case CLIENT_MESSAGE__TYPE_ACCEPT_MSG: + ret = handle_accept(msg->u.accept_msg, closure); + break; + case CLIENT_MESSAGE__TYPE_REJECT_MSG: + ret = handle_reject(msg->u.reject_msg, closure); + break; + case CLIENT_MESSAGE__TYPE_EXIT_MSG: + ret = handle_exit(msg->u.exit_msg, closure); + break; + case CLIENT_MESSAGE__TYPE_RESTART_MSG: + ret = handle_restart(msg->u.restart_msg, closure); + break; + case CLIENT_MESSAGE__TYPE_ALERT_MSG: + ret = handle_alert(msg->u.alert_msg, closure); + break; + case CLIENT_MESSAGE__TYPE_TTYIN_BUF: + ret = handle_iobuf(IOFD_TTYIN, msg->u.ttyin_buf, closure); + break; + case CLIENT_MESSAGE__TYPE_TTYOUT_BUF: + ret = handle_iobuf(IOFD_TTYOUT, msg->u.ttyout_buf, closure); + break; + case CLIENT_MESSAGE__TYPE_STDIN_BUF: + ret = handle_iobuf(IOFD_STDIN, msg->u.stdin_buf, closure); + break; + case CLIENT_MESSAGE__TYPE_STDOUT_BUF: + ret = handle_iobuf(IOFD_STDOUT, msg->u.stdout_buf, closure); + break; + case CLIENT_MESSAGE__TYPE_STDERR_BUF: + ret = handle_iobuf(IOFD_STDERR, msg->u.stderr_buf, closure); + break; + case CLIENT_MESSAGE__TYPE_WINSIZE_EVENT: + ret = handle_winsize(msg->u.winsize_event, closure); + break; + case CLIENT_MESSAGE__TYPE_SUSPEND_EVENT: + ret = handle_suspend(msg->u.suspend_event, closure); + break; + case CLIENT_MESSAGE__TYPE_HELLO_MSG: + ret = handle_client_hello(msg->u.hello_msg, closure); + break; + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected type_case value %d", msg->type_case); + closure->errstr = _("unrecognized ClientMessage type"); + break; + } + client_message__free_unpacked(msg, NULL); + + debug_return_bool(ret); +} + +static void +shutdown_cb(int unused, int what, void *v) +{ + struct sudo_event_base *base = v; + debug_decl(shutdown_cb, SUDO_DEBUG_UTIL); + +#if defined(HAVE_OPENSSL) + /* deallocate server's SSL context object */ + struct logsrvd_tls_runtime *tls_runtime = logsrvd_get_tls_runtime(); + if (tls_runtime != NULL) { + SSL_CTX_free(tls_runtime->ssl_ctx); + } +#endif + sudo_ev_loopbreak(base); + + debug_return; +} + +/* + * Shut down active client connections if any, or exit immediately. + */ +static void +server_shutdown(struct sudo_event_base *base) +{ + struct connection_closure *closure, *next; + struct sudo_event *ev; + struct timespec tv = { 0, 0 }; + debug_decl(server_shutdown, SUDO_DEBUG_UTIL); + + if (TAILQ_EMPTY(&connections)) { + sudo_ev_loopbreak(base); + debug_return; + } + + TAILQ_FOREACH_SAFE(closure, &connections, entries, next) { + closure->state = SHUTDOWN; + sudo_ev_del(base, closure->read_ev); + if (closure->log_io) { + /* Schedule final commit point for the connection. */ + if (sudo_ev_add(base, closure->commit_ev, &tv, false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add commit point event"); + } + } else { + /* No commit point, close connection immediately. */ + sudo_ev_del(closure->evbase, closure->write_ev); + connection_closure_free(closure); + } + } + + if (!TAILQ_EMPTY(&connections)) { + /* We need a timed event to exit even if clients time out. */ + ev = sudo_ev_alloc(-1, SUDO_EV_TIMEOUT, shutdown_cb, base); + if (ev != NULL) { + tv.tv_sec = SHUTDOWN_TIMEO; + if (sudo_ev_add(base, ev, &tv, false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add shutdown event"); + } + } + } + + debug_return; +} + +/* + * Send a server message to the client. + */ +static void +server_msg_cb(int fd, int what, void *v) +{ + struct connection_closure *closure = v; + struct connection_buffer *buf = &closure->write_buf; + ssize_t nwritten; + debug_decl(server_msg_cb, SUDO_DEBUG_UTIL); + + /* For TLS we may need to write as part of SSL_read(). */ + if (closure->read_instead_of_write) { + closure->read_instead_of_write = false; + /* Delete write event if it was only due to SSL_read(). */ + if (closure->temporary_write_event) { + closure->temporary_write_event = false; + sudo_ev_del(closure->evbase, closure->write_ev); + } + client_msg_cb(fd, what, v); + debug_return; + } + + if (what == SUDO_EV_TIMEOUT) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "Writing to client timed out"); + goto finished; + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: sending %u bytes to client", + __func__, buf->len - buf->off); + +#if defined(HAVE_OPENSSL) + if (closure->tls) { + nwritten = SSL_write(closure->ssl, buf->data + buf->off, + buf->len - buf->off); + if (nwritten <= 0) { + int err = SSL_get_error(closure->ssl, nwritten); + switch (err) { + case SSL_ERROR_WANT_READ: + /* ssl wants to read, read event always active */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_write returns SSL_ERROR_WANT_READ"); + /* Redirect persistent read event to finish SSL_write() */ + closure->write_instead_of_read = true; + debug_return; + case SSL_ERROR_WANT_WRITE: + /* ssl wants to write more, write event remains active */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_write returns SSL_ERROR_WANT_WRITE"); + debug_return; + case SSL_ERROR_SYSCALL: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during SSL_write(): %d (%s)", + err, strerror(errno)); + goto finished; + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during SSL_write(): %d (%s)", + err, ERR_error_string(ERR_get_error(), NULL)); + goto finished; + } + } + } else +#endif + { + nwritten = send(fd, buf->data + buf->off, buf->len - buf->off, 0); + } + + if (nwritten == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to send %u bytes", buf->len - buf->off); + goto finished; + } + buf->off += nwritten; + + if (buf->off == buf->len) { + /* sent entire message */ + sudo_debug_printf(SUDO_DEBUG_INFO, + "%s: finished sending %u bytes to client", __func__, buf->len); + buf->off = 0; + buf->len = 0; + sudo_ev_del(closure->evbase, closure->write_ev); + if (closure->state == FINISHED || closure->state == SHUTDOWN || + closure->state == ERROR) + goto finished; + } + debug_return; + +finished: + connection_closure_free(closure); + debug_return; +} + +/* + * Receive client message(s). + */ +static void +client_msg_cb(int fd, int what, void *v) +{ + struct connection_closure *closure = v; + struct connection_buffer *buf = &closure->read_buf; + uint32_t msg_len; + ssize_t nread; + debug_decl(client_msg_cb, SUDO_DEBUG_UTIL); + + /* For TLS we may need to read as part of SSL_write(). */ + if (closure->write_instead_of_read) { + closure->write_instead_of_read = false; + server_msg_cb(fd, what, v); + debug_return; + } + + if (what == SUDO_EV_TIMEOUT) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "Reading from client timed out"); + goto finished; + } + +#if defined(HAVE_OPENSSL) + if (closure->tls) { + nread = SSL_read(closure->ssl, buf->data + buf->len, buf->size); + if (nread <= 0) { + int err = SSL_get_error(closure->ssl, nread); + switch (err) { + case SSL_ERROR_ZERO_RETURN: + /* ssl connection shutdown cleanly */ + nread = 0; + break; + case SSL_ERROR_WANT_READ: + /* ssl wants to read more, read event is always active */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_read returns SSL_ERROR_WANT_READ"); + /* Read event is always active. */ + debug_return; + case SSL_ERROR_WANT_WRITE: + /* ssl wants to write, schedule a write if not pending */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_read returns SSL_ERROR_WANT_WRITE"); + if (!sudo_ev_pending(closure->write_ev, SUDO_EV_WRITE, NULL)) { + /* Enable a temporary write event. */ + if (sudo_ev_add(closure->evbase, closure->write_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add event to queue"); + goto finished; + } + closure->temporary_write_event = true; + } + /* Redirect write event to finish SSL_read() */ + closure->read_instead_of_write = true; + debug_return; + case SSL_ERROR_SYSCALL: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during SSL_read(): %d (%s)", + err, strerror(errno)); + goto finished; + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during SSL_read(): %d (%s)", + err, ERR_error_string(ERR_get_error(), NULL)); + goto finished; + } + } + } else +#endif + { + nread = recv(fd, buf->data + buf->len, buf->size - buf->len, 0); + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: received %zd bytes from client", + __func__, nread); + switch (nread) { + case -1: + if (errno == EAGAIN) + debug_return; + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to receive %u bytes", buf->size - buf->len); + goto finished; + case 0: + if (closure->state != FINISHED) { + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unexpected EOF"); + } + goto finished; + default: + break; + } + buf->len += nread; + + while (buf->len - buf->off >= sizeof(msg_len)) { + /* Read wire message size (uint32_t in network byte order). */ + memcpy(&msg_len, buf->data + buf->off, sizeof(msg_len)); + msg_len = ntohl(msg_len); + + if (msg_len > MESSAGE_SIZE_MAX) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "client message too large: %u", msg_len); + closure->errstr = _("client message too large"); + goto send_error; + } + + if (msg_len + sizeof(msg_len) > buf->len - buf->off) { + /* Incomplete message, we'll read the rest next time. */ + if (!expand_buf(buf, msg_len + sizeof(msg_len))) + goto finished; + debug_return; + } + + /* Parse ClientMessage, could be zero bytes. */ + sudo_debug_printf(SUDO_DEBUG_INFO, + "%s: parsing ClientMessage, size %u", __func__, msg_len); + buf->off += sizeof(msg_len); + if (!handle_client_message(buf->data + buf->off, msg_len, closure)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to parse ClientMessage, size %u", msg_len); + goto send_error; + } + buf->off += msg_len; + } + buf->len -= buf->off; + buf->off = 0; + + if (closure->state == FINISHED) + goto finished; + + debug_return; +send_error: + if (closure->errstr == NULL) + goto finished; + if (fmt_error_message(closure->errstr, &closure->write_buf)) { + sudo_ev_del(closure->evbase, closure->read_ev); + if (sudo_ev_add(closure->evbase, closure->write_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add server write event"); + } + } +finished: + connection_closure_free(closure); + debug_return; +} + +/* + * Format and schedule a commit_point message. + */ +static void +server_commit_cb(int unused, int what, void *v) +{ + ServerMessage msg = SERVER_MESSAGE__INIT; + TimeSpec commit_point = TIME_SPEC__INIT; + struct connection_closure *closure = v; + + debug_decl(server_commit_cb, SUDO_DEBUG_UTIL); + + /* Send the client an acknowledgement of what has been committed to disk. */ + commit_point.tv_sec = closure->elapsed_time.tv_sec; + commit_point.tv_nsec = closure->elapsed_time.tv_nsec; + msg.u.commit_point = &commit_point; + msg.type_case = SERVER_MESSAGE__TYPE_COMMIT_POINT; + + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: sending commit point [%lld, %ld]", + __func__, (long long)closure->elapsed_time.tv_sec, + closure->elapsed_time.tv_nsec); + + /* XXX - assumes no other server message pending, use a queue instead? */ + if (!fmt_server_message(&closure->write_buf, &msg)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to format ServerMessage (commit point)"); + goto bad; + } + if (sudo_ev_add(closure->evbase, closure->write_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add server write event"); + goto bad; + } + + if (closure->state == EXITED) + closure->state = FINISHED; + debug_return; +bad: + connection_closure_free(closure); + debug_return; +} + +/* + * Begin the sudo logserver protocol. + * When we enter the event loop the ServerHello message will be written + * and any pending ClientMessage will be read. + */ +static bool +start_protocol(struct connection_closure *closure) +{ + const struct timespec *timeout = logsrvd_conf_get_sock_timeout(); + debug_decl(start_protocol, SUDO_DEBUG_UTIL); + + if (!fmt_hello_message(&closure->write_buf, closure->tls)) + debug_return_bool(false); + + if (sudo_ev_add(closure->evbase, closure->write_ev, timeout, false) == -1) + debug_return_bool(false); + + /* No read timeout, client messages may happen at arbitrary times. */ + if (sudo_ev_add(closure->evbase, closure->read_ev, NULL, false) == -1) + debug_return_bool(false); + + debug_return_bool(true); +} + +#if defined(HAVE_OPENSSL) +static int +verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx) +{ + HostnameValidationResult result; + struct connection_closure *closure; + SSL *ssl; + X509 *current_cert; + X509 *peer_cert; + debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL); + + /* if pre-verification of the cert failed, just propagate that result back */ + if (preverify_ok != 1) { + debug_return_int(0); + } + + /* since this callback is called for each cert in the chain, + * check that current cert is the peer's certificate + */ + current_cert = X509_STORE_CTX_get_current_cert(ctx); + peer_cert = X509_STORE_CTX_get0_cert(ctx); + + if (current_cert != peer_cert) { + debug_return_int(1); + } + + /* read out the attached object (closure) from the ssl connection object */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + closure = (struct connection_closure *)SSL_get_ex_data(ssl, 1); + + result = validate_hostname(peer_cert, closure->ipaddr, closure->ipaddr, 1); + + switch(result) + { + case MatchFound: + debug_return_int(1); + default: + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "hostname validation failed"); + debug_return_int(0); + } +} + +static bool +verify_server_cert(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config) +{ +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE + bool ret = false; + X509_STORE_CTX *store_ctx = NULL; + X509_STORE *ca_store; + STACK_OF(X509) *chain_certs; + X509 *x509; + debug_decl(verify_server_cert, SUDO_DEBUG_UTIL); + + if ((x509 = SSL_CTX_get0_certificate(ctx)) == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to get X509 object from SSL_CTX: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto exit; + } + + if ((store_ctx = X509_STORE_CTX_new()) == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to allocate X509_STORE_CTX object: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto exit; + } + + if (!SSL_CTX_get0_chain_certs(ctx, &chain_certs)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to get chain certs: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto exit; + } + + if ((ca_store = SSL_CTX_get_cert_store(ctx)) != NULL) + X509_STORE_set_flags(ca_store, X509_V_FLAG_X509_STRICT); + + if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to initialize X509_STORE_CTX object: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto exit; + } + + if (X509_verify_cert(store_ctx) <= 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to verify cert %s: %s", tls_config->cert_path, + ERR_error_string(ERR_get_error(), NULL)); + goto exit; + } + + ret = true; +exit: + X509_STORE_CTX_free(store_ctx); + + debug_return_bool(ret); +#else + /* TODO: verify server cert with old OpenSSL */ + return true; +#endif /* HAVE_SSL_CTX_GET0_CERTIFICATE */ +} + +static bool +init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config) +{ + const char *errstr; + int success = 0; + debug_decl(init_tls_ciphersuites, SUDO_DEBUG_UTIL); + + if (tls_config->ciphers_v12) { + /* try to set TLS v1.2 ciphersuite list from config if given */ + success = SSL_CTX_set_cipher_list(ctx, tls_config->ciphers_v12); + if (success) { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS 1.2 ciphersuite list set to %s", tls_config->ciphers_v12); + } else { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"), + tls_config->ciphers_v12, errstr); + } + } + if (!success) { + /* fallback to default ciphersuites for TLS v1.2 */ + if (SSL_CTX_set_cipher_list(ctx, LOGSRVD_DEFAULT_CIPHER_LST12) <= 0) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"), + LOGSRVD_DEFAULT_CIPHER_LST12, errstr); + debug_return_bool(false); + } else { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS v1.2 ciphersuite list set to %s (default)", + LOGSRVD_DEFAULT_CIPHER_LST12); + } + } + +# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES) + success = 0; + if (tls_config->ciphers_v13) { + /* try to set TLSv1.3 ciphersuite list from config */ + success = SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13); + if (success) { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS v1.3 ciphersuite list set to %s", tls_config->ciphers_v13); + } else { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"), + tls_config->ciphers_v13, errstr); + } + } + if (!success) { + /* fallback to default ciphersuites for TLS v1.3 */ + if (SSL_CTX_set_ciphersuites(ctx, LOGSRVD_DEFAULT_CIPHER_LST13) <= 0) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"), + LOGSRVD_DEFAULT_CIPHER_LST13, errstr); + debug_return_bool(false); + } else { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS v1.3 ciphersuite list set to %s (default)", + LOGSRVD_DEFAULT_CIPHER_LST13); + } + } +# endif + + debug_return_bool(true); +} + +/* + * Calls series of openssl initialization functions in order to + * be able to establish configured network connections over TLS + */ +static bool +init_tls_server_context(void) +{ + const SSL_METHOD *method; + FILE *dhparam_file = NULL; + SSL_CTX *ctx = NULL; + struct logsrvd_tls_runtime *tls_runtime = logsrvd_get_tls_runtime(); + const struct logsrvd_tls_config *tls_config = logsrvd_get_tls_config(); + bool ca_bundle_required = tls_config->verify | tls_config->check_peer; + const char *errstr; + debug_decl(init_tls_server_context, SUDO_DEBUG_UTIL); + + SSL_library_init(); + OpenSSL_add_all_algorithms(); + SSL_load_error_strings(); + + if ((method = TLS_server_method()) == NULL) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to get TLS server method: %s"), errstr); + goto bad; + } + if ((ctx = SSL_CTX_new(method)) == NULL) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to create TLS context: %s"), errstr); + goto bad; + } + + if (SSL_CTX_use_certificate_chain_file(ctx, tls_config->cert_path) <= 0) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), tls_config->cert_path, errstr); + sudo_warnx(U_("unable to load certificate %s"), tls_config->cert_path); + goto bad; + } + + /* if server or client authentication is required, CA bundle file has to be prepared */ + if (ca_bundle_required) { + if (tls_config->cacert_path != NULL) { + STACK_OF(X509_NAME) *cacerts = + SSL_load_client_CA_file(tls_config->cacert_path); + + if (cacerts == NULL) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), tls_config->cacert_path, errstr); + sudo_warnx(U_("unable to load certificate authority bundle %s"), + tls_config->cacert_path); + goto bad; + } + SSL_CTX_set_client_CA_list(ctx, cacerts); + + /* set the location of the CA bundle file for verification */ + if (SSL_CTX_load_verify_locations(ctx, tls_config->cacert_path, NULL) <= 0) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr); + goto bad; + } + } else { + if (!SSL_CTX_set_default_verify_paths(ctx)) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr); + goto bad; + } + } + + /* only verify server cert if it is set in the configuration */ + if (tls_config->verify) { + if (!verify_server_cert(ctx, tls_config)) + goto bad; + } else { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "skipping server cert check"); + } + } + + /* if peer authentication is enabled, verify client cert during TLS handshake + * The last parameter is a callback, where identity validation (hostname/ip) + * will be performed, because it is not automatically done by openssl. + */ + if (tls_config->check_peer) { + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_peer_identity); + } + + /* if private key file was not set, assume that the cert file contains the private key */ + char* pkey = (tls_config->pkey_path == NULL ? tls_config->cert_path : tls_config->pkey_path); + + if (!SSL_CTX_use_PrivateKey_file(ctx, pkey, SSL_FILETYPE_PEM) || + !SSL_CTX_check_private_key(ctx)) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), pkey, errstr); + sudo_warnx(U_("unable to load private key %s"), pkey); + goto bad; + } + + /* initialize TLSv1.2 and TLSv1.3 ciphersuites */ + if (!init_tls_ciphersuites(ctx, tls_config)) { + goto bad; + } + + /* try to load and set diffie-hellman parameters */ + if (tls_config->dhparams_path != NULL) + dhparam_file = fopen(tls_config->dhparams_path, "r"); + if (dhparam_file != NULL) { + DH *dhparams = PEM_read_DHparams(dhparam_file, NULL, NULL, NULL); + if (dhparams != NULL) { + if (!SSL_CTX_set_tmp_dh(ctx, dhparams)) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set diffie-hellman parameters: %s"), + errstr); + DH_free(dhparams); + } else { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "diffie-hellman parameters are loaded"); + } + } else { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set diffie-hellman parameters: %s"), + errstr); + } + fclose(dhparam_file); + } else { + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "dhparam file not found, will use default parameters"); + } + + /* audit server supports TLS version 1.2 or higher */ +#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION + if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set minimum protocol version to TLS 1.2: %s"), + errstr); + goto bad; + } +#else + SSL_CTX_set_options(ctx, + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); +#endif + + tls_runtime->ssl_ctx = ctx; + + debug_return_bool(true); + +bad: + SSL_CTX_free(ctx); + + debug_return_bool(false); +} + +static void +tls_handshake_cb(int fd, int what, void *v) +{ + struct connection_closure *closure = v; + debug_decl(tls_handshake_cb, SUDO_DEBUG_UTIL); + + if (what == SUDO_EV_TIMEOUT) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "TLS handshake timed out"); + goto bad; + } + + int handshake_status = SSL_accept(closure->ssl); + int err = SSL_ERROR_NONE; + switch (err = SSL_get_error(closure->ssl, handshake_status)) { + case SSL_ERROR_NONE: + /* ssl handshake was successful */ + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS handshake successful"); + break; + case SSL_ERROR_WANT_READ: + /* ssl handshake is ongoing, re-schedule the SSL_accept() call */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_accept returns SSL_ERROR_WANT_READ"); + if (what != SUDO_EV_READ) { + if (sudo_ev_set(closure->ssl_accept_ev, closure->sock, + SUDO_EV_READ, tls_handshake_cb, closure) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to set ssl_accept_ev to SUDO_EV_READ"); + goto bad; + } + } + if (sudo_ev_add(closure->evbase, closure->ssl_accept_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add ssl_accept_ev to queue"); + goto bad; + } + debug_return; + case SSL_ERROR_WANT_WRITE: + /* ssl handshake is ongoing, re-schedule the SSL_accept() call */ + sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO, + "SSL_accept returns SSL_ERROR_WANT_WRITE"); + if (what != SUDO_EV_WRITE) { + if (sudo_ev_set(closure->ssl_accept_ev, closure->sock, + SUDO_EV_WRITE, tls_handshake_cb, closure) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to set ssl_accept_ev to SUDO_EV_WRITE"); + goto bad; + } + } + if (sudo_ev_add(closure->evbase, closure->ssl_accept_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to add ssl_accept_ev to queue"); + goto bad; + } + debug_return; + case SSL_ERROR_SYSCALL: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during TLS handshake: %d (%s)", + err, strerror(errno)); + goto bad; + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected error during TLS handshake: %d (%s)", + err, ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } + + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "TLS version: %s, negotiated cipher suite: %s", + SSL_get_version(closure->ssl), + SSL_get_cipher(closure->ssl)); + + /* Start the actual protocol now that the TLS handshake is complete. */ + if (!start_protocol(closure)) + goto bad; + + debug_return; +bad: + connection_closure_free(closure); + debug_return; +} +#endif /* HAVE_OPENSSL */ + +/* + * Allocate a new connection closure. + */ +static struct connection_closure * +connection_closure_alloc(int sock, bool tls, struct sudo_event_base *base) +{ + struct connection_closure *closure; + debug_decl(connection_closure_alloc, SUDO_DEBUG_UTIL); + + if ((closure = calloc(1, sizeof(*closure))) == NULL) + debug_return_ptr(NULL); + + closure->iolog_dir_fd = -1; + closure->sock = sock; + closure->tls = tls; + closure->evbase = base; + + TAILQ_INSERT_TAIL(&connections, closure, entries); + + closure->read_buf.size = 64 * 1024; + closure->read_buf.data = malloc(closure->read_buf.size); + if (closure->read_buf.data == NULL) + goto bad; + + closure->commit_ev = sudo_ev_alloc(-1, SUDO_EV_TIMEOUT, + server_commit_cb, closure); + if (closure->commit_ev == NULL) + goto bad; + + closure->read_ev = sudo_ev_alloc(sock, SUDO_EV_READ|SUDO_EV_PERSIST, + client_msg_cb, closure); + if (closure->read_ev == NULL) + goto bad; + + closure->write_ev = sudo_ev_alloc(sock, SUDO_EV_WRITE|SUDO_EV_PERSIST, + server_msg_cb, closure); + if (closure->write_ev == NULL) + goto bad; + +#if defined(HAVE_OPENSSL) + if (tls) { + closure->ssl_accept_ev = sudo_ev_alloc(sock, SUDO_EV_READ, + tls_handshake_cb, closure); + if (closure->ssl_accept_ev == NULL) + goto bad; + } +#endif + + debug_return_ptr(closure); +bad: + connection_closure_free(closure); + debug_return_ptr(NULL); +} + +/* + * New connection. + * Allocate a connection closure and optionally perform TLS handshake. + */ +static bool +new_connection(int sock, bool tls, const struct sockaddr *sa, + struct sudo_event_base *evbase) +{ + struct connection_closure *closure; + debug_decl(new_connection, SUDO_DEBUG_UTIL); + + if ((closure = connection_closure_alloc(sock, tls, evbase)) == NULL) + goto bad; + + /* store the peer's IP address in the closure object */ + if (sa->sa_family == AF_INET) { + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + inet_ntop(AF_INET, &sin->sin_addr, closure->ipaddr, + sizeof(closure->ipaddr)); +#if defined(HAVE_STRUCT_IN6_ADDR) + } else if (sa->sa_family == AF_INET6) { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; + inet_ntop(AF_INET6, &sin6->sin6_addr, closure->ipaddr, + sizeof(closure->ipaddr)); +#endif /* HAVE_STRUCT_IN6_ADDR */ + } else { + sudo_fatal("%s", U_("unable to get remote IP addr")); + goto bad; + } + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "connection from %s", closure->ipaddr); + +#if defined(HAVE_OPENSSL) + /* If TLS is enabled, perform the TLS handshake first. */ + if (tls) { + /* Create the SSL object for the closure and attach it to the socket */ + if ((closure->ssl = SSL_new(logsrvd_get_tls_runtime()->ssl_ctx)) == NULL) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to create new ssl object: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } + + if (SSL_set_fd(closure->ssl, closure->sock) != 1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to set fd for TLS: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } + + /* attach the closure object to the ssl connection object to make it + available during hostname matching + */ + if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) { + sudo_warnx(U_("Unable to attach user data to the ssl object: %s"), + ERR_error_string(ERR_get_error(), NULL)); + goto bad; + } + + /* Enable SSL_accept to begin handshake with client. */ + if (sudo_ev_add(evbase, closure->ssl_accept_ev, + logsrvd_conf_get_sock_timeout(), false) == -1) { + sudo_fatal("%s", U_("unable to add event to queue")); + goto bad; + } + } +#endif + /* If no TLS handshake, start the protocol immediately. */ + if (!tls) { + if (!start_protocol(closure)) + goto bad; + } + + debug_return_bool(true); +bad: + connection_closure_free(closure); + debug_return_bool(false); +} + +static int +create_listener(struct listen_address *addr) +{ + int flags, on, sock; + const char *family = "inet4"; + debug_decl(create_listener, SUDO_DEBUG_UTIL); + + if ((sock = socket(addr->sa_un.sa.sa_family, SOCK_STREAM, 0)) == -1) { + sudo_warn("socket"); + goto bad; + } + on = 1; +#ifdef HAVE_STRUCT_IN6_ADDR + if (addr->sa_un.sa.sa_family == AF_INET6) { + family = "inet6"; +# ifdef IPV6_V6ONLY + /* Disable IPv4-mapped IPv6 addresses. */ + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == -1) + sudo_warn("IPV6_V6ONLY"); +# endif + } +#endif + if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) + sudo_warn("SO_REUSEADDR"); + if (bind(sock, &addr->sa_un.sa, addr->sa_size) == -1) { + /* TODO: only warn once for IPv4 and IPv6 or disambiguate */ + sudo_warn("%s (%s)", addr->sa_str, family); + goto bad; + } + if (listen(sock, SOMAXCONN) == -1) { + sudo_warn("listen"); + goto bad; + } + flags = fcntl(sock, F_GETFL, 0); + if (flags == -1 || fcntl(sock, F_SETFL, flags | O_NONBLOCK) == -1) { + sudo_warn("fcntl(O_NONBLOCK)"); + goto bad; + } + sudo_debug_printf(SUDO_DEBUG_INFO, "listening on %s (%s)", addr->sa_str, + family); + + debug_return_int(sock); +bad: + if (sock != -1) + close(sock); + debug_return_int(-1); +} + +static void +listener_cb(int fd, int what, void *v) +{ + struct listener *l = v; + struct sudo_event_base *evbase = sudo_ev_get_base(l->ev); + union sockaddr_union s_un; + socklen_t salen = sizeof(s_un); + int sock; + debug_decl(listener_cb, SUDO_DEBUG_UTIL); + + sock = accept(fd, &s_un.sa, &salen); + if (sock != -1) { + /* set keepalive socket option on socket returned by accept */ + if (logsrvd_conf_tcp_keepalive()) { + int keepalive = 1; + if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &keepalive, + sizeof(keepalive)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to set SO_KEEPALIVE option"); + } + } + if (!new_connection(sock, l->tls, &s_un.sa, evbase)) { + /* TODO: pause accepting on ENOMEM */ + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to start new connection"); + } + } else { + if (errno != EAGAIN) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to accept new connection"); + } + /* TODO: pause accepting on ENFILE and EMFILE */ + } + + debug_return; +} + +static bool +register_listener(struct listen_address *addr, struct sudo_event_base *evbase) +{ + struct listener *l; + int sock; + debug_decl(register_listener, SUDO_DEBUG_UTIL); + + sock = create_listener(addr); + if (sock == -1) + debug_return_bool(false); + + /* TODO: make non-fatal */ + if ((l = malloc(sizeof(*l))) == NULL) + sudo_fatal(NULL); + l->sock = sock; + l->tls = addr->tls; + l->ev = sudo_ev_alloc(sock, SUDO_EV_READ|SUDO_EV_PERSIST, listener_cb, l); + if (l->ev == NULL) + sudo_fatal(NULL); + if (sudo_ev_add(evbase, l->ev, NULL, false) == -1) + sudo_fatal("%s", U_("unable to add event to queue")); + TAILQ_INSERT_TAIL(&listeners, l, entries); + + debug_return_bool(true); +} + +/* + * Register listeners and init the TLS context. + */ +static bool +server_setup(struct sudo_event_base *base) +{ + struct listen_address *addr; + struct listener *l; + int nlisteners = 0; + bool ret, config_tls = false; + debug_decl(server_setup, SUDO_DEBUG_UTIL); + + /* Free old listeners (if any) and register new ones. */ + while ((l = TAILQ_FIRST(&listeners)) != NULL) { + TAILQ_REMOVE(&listeners, l, entries); + sudo_ev_free(l->ev); + close(l->sock); + free(l); + } + TAILQ_FOREACH(addr, logsrvd_conf_listen_address(), entries) { + nlisteners += register_listener(addr, base); + if (addr->tls) + config_tls = true; + } + ret = nlisteners > 0; + + if (ret && config_tls) { +#if defined(HAVE_OPENSSL) + if (!init_tls_server_context()) + ret = false; +#endif + } + + debug_return_bool(ret); +} + +/* + * Reload config and re-initialize listeners and TLS context. + */ +static void +server_reload(struct sudo_event_base *base) +{ + debug_decl(server_reload, SUDO_DEBUG_UTIL); + + sudo_debug_printf(SUDO_DEBUG_INFO, "reloading server config"); + if (logsrvd_conf_read(conf_file)) { + /* Re-initialize listeners and TLS context. */ + if (!server_setup(base)) + sudo_fatalx("%s", U_("unable setup listen socket")); + + /* Re-read sudo.conf and re-initialize debugging. */ + sudo_debug_deregister(logsrvd_debug_instance); + logsrvd_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER; + if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) != -1) { + logsrvd_debug_instance = sudo_debug_register(getprogname(), + NULL, NULL, sudo_conf_debug_files(getprogname())); + } + } + + debug_return; +} + +static void +signal_cb(int signo, int what, void *v) +{ + struct sudo_event_base *base = v; + debug_decl(signal_cb, SUDO_DEBUG_UTIL); + + switch (signo) { + case SIGHUP: + server_reload(base); + break; + case SIGINT: + case SIGTERM: + /* Shut down active connections. */ + server_shutdown(base); + break; + default: + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unexpected signal %d", signo); + break; + } + + debug_return; +} + +static void +register_signal(int signo, struct sudo_event_base *base) +{ + struct sudo_event *ev; + debug_decl(register_signal, SUDO_DEBUG_UTIL); + + ev = sudo_ev_alloc(signo, SUDO_EV_SIGNAL, signal_cb, base); + if (ev == NULL) + sudo_fatal(NULL); + if (sudo_ev_add(base, ev, NULL, false) == -1) + sudo_fatal("%s", U_("unable to add event to queue")); + + debug_return; +} + +static void +logsrvd_cleanup(void) +{ + /* TODO: cleanup like on signal */ + return; +} + +/* + * Write the process ID into a file, typically /var/run/sudo/sudo_logsrvd.pid. + * If the parent directory doesn't exist, it will be created. + */ +static void +write_pidfile(void) +{ + FILE *fp; + int fd; + bool success; + char *pid_file = (char *)logsrvd_conf_pid_file(); + debug_decl(write_pidfile, SUDO_DEBUG_UTIL); + + if (pid_file == NULL) + debug_return; + + /* sudo_mkdir_parents() modifies the path but restores it before return. */ + success = sudo_mkdir_parents(pid_file, ROOT_UID, ROOT_GID, + S_IRWXU|S_IXGRP|S_IXOTH, false); + if (success) { + fd = open(pid_file, O_WRONLY|O_CREAT|O_NOFOLLOW, 0644); + if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) { + sudo_warn("%s", pid_file); + if (fd != -1) + close(fd); + } else { + fprintf(fp, "%u\n", (unsigned int)getpid()); + fflush(fp); + if (ferror(fp)) + sudo_warn("%s", pid_file); + fclose(fp); + } + } + debug_return; +} + +/* + * Fork, detach from the terminal and write pid file unless nofork set. + */ +static void +daemonize(bool nofork) +{ + int fd; + debug_decl(daemonize, SUDO_DEBUG_UTIL); + + if (!nofork) { + switch (fork()) { + case -1: + sudo_fatal("fork"); + case 0: + /* child */ + break; + default: + /* parent, exit */ + _exit(EXIT_SUCCESS); + } + + /* detach from terminal and write pid file. */ + if (setsid() == -1) + sudo_fatal("setsid"); + write_pidfile(); + } + + if (chdir("/") == -1) + sudo_warn("chdir(\"/\")"); + if ((fd = open(_PATH_DEVNULL, O_RDWR)) != -1) { + (void) dup2(fd, STDIN_FILENO); + (void) dup2(fd, STDOUT_FILENO); + (void) dup2(fd, STDERR_FILENO); + if (fd > STDERR_FILENO) + (void) close(fd); + } + + debug_return; +} + +static void +usage(bool fatal) +{ + fprintf(stderr, "usage: %s [-n] [-f conf_file] [-R percentage]\n", + getprogname()); + if (fatal) + exit(EXIT_FAILURE); +} + +static void +help(void) +{ + (void)printf(_("%s - send sudo I/O log to remote server\n\n"), + getprogname()); + usage(false); + (void)puts(_("\nOptions:\n" + " -f, --file path to configuration file\n" + " -h --help display help message and exit\n" + " -n, --no-fork do not fork, run in the foreground\n" + " -R, --random-drop percent chance connections will drop\n" + " -V, --version display version information and exit\n")); + exit(EXIT_SUCCESS); +} + +static const char short_opts[] = "f:hnR:V"; +static struct option long_opts[] = { + { "file", required_argument, NULL, 'f' }, + { "help", no_argument, NULL, 'h' }, + { "no-fork", no_argument, NULL, 'n' }, + { "random-drop", required_argument, NULL, 'R' }, + { "version", no_argument, NULL, 'V' }, + { NULL, no_argument, NULL, 0 }, +}; + +sudo_dso_public int main(int argc, char *argv[]); + +int +main(int argc, char *argv[]) +{ + struct sudo_event_base *evbase; + bool nofork = false; + char *ep; + int ch; + debug_decl_vars(main, SUDO_DEBUG_MAIN); + +#if defined(SUDO_DEVEL) && defined(__OpenBSD__) + { + extern char *malloc_options; + malloc_options = "S"; + } +#endif + + initprogname(argc > 0 ? argv[0] : "sudo_logsrvd"); + setlocale(LC_ALL, ""); + bindtextdomain("sudo", LOCALEDIR); /* XXX - add logsrvd domain */ + textdomain("sudo"); + + /* Register fatal/fatalx callback. */ + sudo_fatal_callback_register(logsrvd_cleanup); + + /* Read sudo.conf and initialize the debug subsystem. */ + if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) + exit(EXIT_FAILURE); + logsrvd_debug_instance = sudo_debug_register(getprogname(), NULL, NULL, + sudo_conf_debug_files(getprogname())); + + if (protobuf_c_version_number() < 1003000) + sudo_fatalx("%s", U_("Protobuf-C version 1.3 or higher required")); + + while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) { + switch (ch) { + case 'f': + conf_file = optarg; + break; + case 'h': + help(); + break; + case 'n': + nofork = true; + break; + case 'R': + /* random connection drop probability as a percentage (debug) */ + errno = 0; + random_drop = strtod(optarg, &ep); + if (*ep != '\0' || errno != 0) + sudo_fatalx(U_("invalid random drop value: %s"), optarg); + random_drop /= 100.0; /* convert from percentage */ + break; + case 'V': + (void)printf(_("%s version %s\n"), getprogname(), + PACKAGE_VERSION); + return 0; + default: + usage(true); + } + } + + /* Read sudo_logsrvd.conf */ + if (!logsrvd_conf_read(conf_file)) + exit(EXIT_FAILURE); + + if ((evbase = sudo_ev_base_alloc()) == NULL) + sudo_fatal(NULL); + + /* Initialize listeners and TLS context. */ + if (!server_setup(evbase)) + sudo_fatalx("%s", U_("unable setup listen socket")); + + register_signal(SIGHUP, evbase); + register_signal(SIGINT, evbase); + register_signal(SIGTERM, evbase); + + /* Point of no return. */ + daemonize(nofork); + signal(SIGPIPE, SIG_IGN); + + sudo_ev_dispatch(evbase); + if (!nofork && logsrvd_conf_pid_file() != NULL) + unlink(logsrvd_conf_pid_file()); + + debug_return_int(1); +} -- cgit v1.2.3