author | 2014-12-12 10:05:09 +0000 | |
---|---|---|
committer | 2014-12-12 10:05:09 +0000 | |
commit | 7bb522285fb064a17f4f12e81c68bf328b980e15 (patch) | |
tree | 0c4f3428b4a0aad1e4dab97c9bf8a396c685e670 | |
parent | put global_ptrace here too so users know how to spell it. poke by jmc (diff) | |
Change the keyword "ssl" to "tls" to reflect reality since we
effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controversy about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
-rw-r--r-- | etc/examples/relayd.conf | 18 | ||||
-rw-r--r-- | usr.sbin/relayctl/relayctl.8 | 22 | ||||
-rw-r--r-- | usr.sbin/relayd/ca.c | 46 | ||||
-rw-r--r-- | usr.sbin/relayd/check_tcp.c | 6 | ||||
-rw-r--r-- | usr.sbin/relayd/config.c | 118 | ||||
-rw-r--r-- | usr.sbin/relayd/hce.c | 10 | ||||
-rw-r--r-- | usr.sbin/relayd/log.c | 34 | ||||
-rw-r--r-- | usr.sbin/relayd/parse.y | 178 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 306 | ||||
-rw-r--r-- | usr.sbin/relayd/relay_udp.c | 6 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.c | 50 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 251 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 142 | ||||
-rw-r--r-- | usr.sbin/relayd/ssl.c | 38 |
14 files changed, 616 insertions, 609 deletions
diff --git a/etc/examples/relayd.conf b/etc/examples/relayd.conf index 4de1d27cd63..f9e56d37daa 100644 --- a/etc/examples/relayd.conf +++ b/etc/examples/relayd.conf @@ -1,4 +1,4 @@ -# $OpenBSD: relayd.conf,v 1.2 2014/10/21 02:29:54 lteo Exp $ +# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $ # # Macros # @@ -34,9 +34,9 @@ redirect www { } # -# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration +# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration # -http protocol httpssl { +http protocol https { match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" @@ -45,14 +45,14 @@ http protocol httpssl { # Various TCP performance options tcp { nodelay, sack, socket buffer 65536, backlog 128 } -# ssl { no tlsv1.0, ciphers HIGH } -# ssl session cache disable +# tls { no tlsv1.0, ciphers HIGH } +# tls session cache disable } -relay wwwssl { - # Run as a SSL accelerator - listen on $ext_addr port 443 ssl - protocol httpssl +relay wwwtls { + # Run as a SSL/TLS accelerator + listen on $ext_addr port 443 tls + protocol https # Forward to hosts in the webhosts table using a src/dst hash forward to <webhosts> port http mode loadbalance \ diff --git a/usr.sbin/relayctl/relayctl.8 b/usr.sbin/relayctl/relayctl.8 index 3278153e885..b271baafe72 100644 --- a/usr.sbin/relayctl/relayctl.8 +++ b/usr.sbin/relayctl/relayctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayctl.8,v 1.29 2014/06/25 11:12:45 reyk Exp $ +.\" $OpenBSD: relayctl.8,v 1.30 2014/12/12 10:05:10 reyk Exp $ .\" .\" Copyright (c) 2007 - 2013 Reyk Floeter <reyk@openbsd.org> .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 25 2014 $ +.Dd $Mdocdate: December 12 2014 $ .Dt RELAYCTL 8 .Os .Sh NAME 
@@ -131,23 +131,23 @@ option in .Xr relayd.conf 5 . .Pp .It Em icmp read timeout -.It Em ssl read timeout +.It Em tls read timeout .It Em tcp read timeout The check failed because the remote host did not send a reply within the configured timeout. .Pp .It Em icmp write timeout -.It Em ssl write timeout +.It Em tls write timeout .It Em tcp write timeout -.It Em ssl connect timeout +.It Em tls connect timeout .It Em tcp connect timeout The check failed because .Xr relayd 8 was not ready to send the request within the configured timeout. .Pp -.It Em ssl connect error -.It Em ssl read error -.It Em ssl write error +.It Em tls connect error +.It Em tls read error +.It Em tls write error .It Em tcp connect error .It Em tcp read failed .It Em tcp write failed @@ -156,10 +156,10 @@ This indicates that .Xr relayd 8 was running low on resources, file descriptors, or was too busy to run the request. -It can also indicate that an SSL/TCP protocol error occurred or that the -connection was unexpectedly aborted. +It can also indicate that an TLS or TCP protocol error occurred or +that the connection was unexpectedly aborted. .Pp -.It Em ssl connect failed +.It Em tls connect failed .It Em tcp connect failed The check failed because the protocol handshake did not succeed in opening a stateful connection with the remote host. diff --git a/usr.sbin/relayd/ca.c b/usr.sbin/relayd/ca.c index cad9deb2bd5..137d503fc31 100644 --- a/usr.sbin/relayd/ca.c +++ b/usr.sbin/relayd/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.9 2014/10/02 19:16:31 gilles Exp $ */ +/* $OpenBSD: ca.c,v 1.10 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org> 
@@ -94,12 +94,12 @@ ca_launch(void) struct relay *rlay; TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { - if ((rlay->rl_conf.flags & (F_SSL|F_SSLCLIENT)) == 0) + if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == 0) continue; - if (rlay->rl_conf.ssl_key_len) { - if ((in = BIO_new_mem_buf(rlay->rl_ssl_key, - rlay->rl_conf.ssl_key_len)) == NULL) + if (rlay->rl_conf.tls_key_len) { + if ((in = BIO_new_mem_buf(rlay->rl_tls_key, + rlay->rl_conf.tls_key_len)) == NULL) fatalx("ca_launch: key"); if ((pkey = PEM_read_bio_PrivateKey(in, @@ -107,22 +107,22 @@ ca_launch(void) fatalx("ca_launch: PEM"); BIO_free(in); - rlay->rl_ssl_pkey = pkey; + rlay->rl_tls_pkey = pkey; if (pkey_add(env, pkey, - rlay->rl_conf.ssl_keyid) == NULL) - fatalx("ssl pkey"); + rlay->rl_conf.tls_keyid) == NULL) + fatalx("tls pkey"); - purge_key(&rlay->rl_ssl_key, - rlay->rl_conf.ssl_key_len); + purge_key(&rlay->rl_tls_key, + rlay->rl_conf.tls_key_len); } - if (rlay->rl_conf.ssl_cert_len) { - purge_key(&rlay->rl_ssl_cert, - rlay->rl_conf.ssl_cert_len); + if (rlay->rl_conf.tls_cert_len) { + purge_key(&rlay->rl_tls_cert, + rlay->rl_conf.tls_cert_len); } - if (rlay->rl_conf.ssl_cakey_len) { - if ((in = BIO_new_mem_buf(rlay->rl_ssl_cakey, - rlay->rl_conf.ssl_cakey_len)) == NULL) + if (rlay->rl_conf.tls_cakey_len) { + if ((in = BIO_new_mem_buf(rlay->rl_tls_cakey, + rlay->rl_conf.tls_cakey_len)) == NULL) fatalx("ca_launch: key"); if ((pkey = PEM_read_bio_PrivateKey(in, 
@@ -130,18 +130,18 @@ ca_launch(void) fatalx("ca_launch: PEM"); BIO_free(in); - rlay->rl_ssl_capkey = pkey; + rlay->rl_tls_capkey = pkey; if (pkey_add(env, pkey, - rlay->rl_conf.ssl_cakeyid) == NULL) + rlay->rl_conf.tls_cakeyid) == NULL) fatalx("ca pkey"); - purge_key(&rlay->rl_ssl_cakey, - rlay->rl_conf.ssl_cakey_len); + purge_key(&rlay->rl_tls_cakey, + rlay->rl_conf.tls_cakey_len); } - if (rlay->rl_conf.ssl_cacert_len) { - purge_key(&rlay->rl_ssl_cacert, - rlay->rl_conf.ssl_cacert_len); + if (rlay->rl_conf.tls_cacert_len) { + purge_key(&rlay->rl_tls_cacert, + rlay->rl_conf.tls_cacert_len); } } } diff --git a/usr.sbin/relayd/check_tcp.c b/usr.sbin/relayd/check_tcp.c index 2ddc47f3f80..4e2553ee7e4 100644 --- a/usr.sbin/relayd/check_tcp.c +++ b/usr.sbin/relayd/check_tcp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: check_tcp.c,v 1.43 2014/05/15 07:56:26 reyk Exp $ */ +/* $OpenBSD: check_tcp.c,v 1.44 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -156,7 +156,7 @@ tcp_host_up(struct ctl_tcp_event *cte) { switch (cte->table->conf.check) { case CHECK_TCP: - if (cte->table->conf.flags & F_SSL) + if (cte->table->conf.flags & F_TLS) break; tcp_close(cte, 0); hce_notify_done(cte->host, HCE_TCP_CONNECT_OK); @@ -175,7 +175,7 @@ tcp_host_up(struct ctl_tcp_event *cte) break; } - if (cte->table->conf.flags & F_SSL) { + if (cte->table->conf.flags & F_TLS) { ssl_transaction(cte); return; } diff --git a/usr.sbin/relayd/config.c b/usr.sbin/relayd/config.c index 97447b7abbe..4aab8c445f3 100644 --- a/usr.sbin/relayd/config.c +++ b/usr.sbin/relayd/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.20 2014/11/22 00:24:22 tedu Exp $ */ +/* $OpenBSD: config.c,v 1.21 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2011 - 2014 Reyk Floeter <reyk@openbsd.org> 
@@ -113,12 +113,12 @@ config_init(struct relayd *env) env->sc_proto_default.cache = RELAY_CACHESIZE; env->sc_proto_default.tcpflags = TCPFLAG_DEFAULT; env->sc_proto_default.tcpbacklog = RELAY_BACKLOG; - env->sc_proto_default.sslflags = SSLFLAG_DEFAULT; - (void)strlcpy(env->sc_proto_default.sslciphers, - SSLCIPHERS_DEFAULT, - sizeof(env->sc_proto_default.sslciphers)); - env->sc_proto_default.sslecdhcurve = SSLECDHCURVE_DEFAULT; - env->sc_proto_default.ssldhparams = SSLDHPARAMS_DEFAULT; + env->sc_proto_default.tlsflags = TLSFLAG_DEFAULT; + (void)strlcpy(env->sc_proto_default.tlsciphers, + TLSCIPHERS_DEFAULT, + sizeof(env->sc_proto_default.tlsciphers)); + env->sc_proto_default.tlsecdhcurve = TLSECDHCURVE_DEFAULT; + env->sc_proto_default.tlsdhparams = TLSDHPARAMS_DEFAULT; env->sc_proto_default.type = RELAY_PROTO_TCP; (void)strlcpy(env->sc_proto_default.name, "default", sizeof(env->sc_proto_default.name)); @@ -196,8 +196,8 @@ config_purge(struct relayd *env, u_int reset) TAILQ_REMOVE(env->sc_protos, proto, entry); if (proto->style != NULL) free(proto->style); - if (proto->sslcapass != NULL) - free(proto->sslcapass); + if (proto->tlscapass != NULL) + free(proto->tlscapass); free(proto); } env->sc_protocount = 0; @@ -288,7 +288,7 @@ config_getcfg(struct relayd *env, struct imsg *imsg) } } - if (env->sc_flags & (F_SSL|F_SSLCLIENT)) { + if (env->sc_flags & (F_TLS|F_TLSCLIENT)) { ssl_init(env); if (what & CONFIG_CA_ENGINE) ca_engine_init(env); @@ -707,7 +707,7 @@ config_getproto(struct relayd *env, struct imsg *imsg) } TAILQ_INIT(&proto->rules); - proto->sslcapass = NULL; + proto->tlscapass = NULL; TAILQ_INSERT_TAIL(env->sc_protos, proto, entry); 
@@ -820,30 +820,30 @@ config_setrelay(struct relayd *env, struct relay *rlay) c = 0; iov[c].iov_base = &rl; iov[c++].iov_len = sizeof(rl); - if (rl.ssl_cert_len) { - iov[c].iov_base = rlay->rl_ssl_cert; - iov[c++].iov_len = rl.ssl_cert_len; + if (rl.tls_cert_len) { + iov[c].iov_base = rlay->rl_tls_cert; + iov[c++].iov_len = rl.tls_cert_len; } if ((what & CONFIG_CA_ENGINE) == 0 && - rl.ssl_key_len) { - iov[c].iov_base = rlay->rl_ssl_key; - iov[c++].iov_len = rl.ssl_key_len; + rl.tls_key_len) { + iov[c].iov_base = rlay->rl_tls_key; + iov[c++].iov_len = rl.tls_key_len; } else - rl.ssl_key_len = 0; - if (rl.ssl_ca_len) { - iov[c].iov_base = rlay->rl_ssl_ca; - iov[c++].iov_len = rl.ssl_ca_len; + rl.tls_key_len = 0; + if (rl.tls_ca_len) { + iov[c].iov_base = rlay->rl_tls_ca; + iov[c++].iov_len = rl.tls_ca_len; } - if (rl.ssl_cacert_len) { - iov[c].iov_base = rlay->rl_ssl_cacert; - iov[c++].iov_len = rl.ssl_cacert_len; + if (rl.tls_cacert_len) { + iov[c].iov_base = rlay->rl_tls_cacert; + iov[c++].iov_len = rl.tls_cacert_len; } if ((what & CONFIG_CA_ENGINE) == 0 && - rl.ssl_cakey_len) { - iov[c].iov_base = rlay->rl_ssl_cakey; - iov[c++].iov_len = rl.ssl_cakey_len; + rl.tls_cakey_len) { + iov[c].iov_base = rlay->rl_tls_cakey; + iov[c++].iov_len = rl.tls_cakey_len; } else - rl.ssl_cakey_len = 0; + rl.tls_cakey_len = 0; if (id == PROC_RELAY) { /* XXX imsg code will close the fd after 1st call */ 
@@ -913,44 +913,44 @@ config_getrelay(struct relayd *env, struct imsg *imsg) } if ((off_t)(IMSG_DATA_SIZE(imsg) - s) < - (rlay->rl_conf.ssl_cert_len + - rlay->rl_conf.ssl_key_len + - rlay->rl_conf.ssl_ca_len + - rlay->rl_conf.ssl_cacert_len + - rlay->rl_conf.ssl_cakey_len)) { + (rlay->rl_conf.tls_cert_len + + rlay->rl_conf.tls_key_len + + rlay->rl_conf.tls_ca_len + + rlay->rl_conf.tls_cacert_len + + rlay->rl_conf.tls_cakey_len)) { log_debug("%s: invalid message length", __func__); goto fail; } - if (rlay->rl_conf.ssl_cert_len) { - if ((rlay->rl_ssl_cert = get_data(p + s, - rlay->rl_conf.ssl_cert_len)) == NULL) + if (rlay->rl_conf.tls_cert_len) { + if ((rlay->rl_tls_cert = get_data(p + s, + rlay->rl_conf.tls_cert_len)) == NULL) goto fail; - s += rlay->rl_conf.ssl_cert_len; + s += rlay->rl_conf.tls_cert_len; } - if (rlay->rl_conf.ssl_key_len) { - if ((rlay->rl_ssl_key = get_data(p + s, - rlay->rl_conf.ssl_key_len)) == NULL) + if (rlay->rl_conf.tls_key_len) { + if ((rlay->rl_tls_key = get_data(p + s, + rlay->rl_conf.tls_key_len)) == NULL) goto fail; - s += rlay->rl_conf.ssl_key_len; + s += rlay->rl_conf.tls_key_len; } - if (rlay->rl_conf.ssl_ca_len) { - if ((rlay->rl_ssl_ca = get_data(p + s, - rlay->rl_conf.ssl_ca_len)) == NULL) + if (rlay->rl_conf.tls_ca_len) { + if ((rlay->rl_tls_ca = get_data(p + s, + rlay->rl_conf.tls_ca_len)) == NULL) goto fail; - s += rlay->rl_conf.ssl_ca_len; + s += rlay->rl_conf.tls_ca_len; } - if (rlay->rl_conf.ssl_cacert_len) { - if ((rlay->rl_ssl_cacert = get_data(p + s, - rlay->rl_conf.ssl_cacert_len)) == NULL) + if (rlay->rl_conf.tls_cacert_len) { + if ((rlay->rl_tls_cacert = get_data(p + s, + rlay->rl_conf.tls_cacert_len)) == NULL) goto fail; - s += rlay->rl_conf.ssl_cacert_len; + s += rlay->rl_conf.tls_cacert_len; } - if (rlay->rl_conf.ssl_cakey_len) { - if ((rlay->rl_ssl_cakey = get_data(p + s, - rlay->rl_conf.ssl_cakey_len)) == NULL) + if (rlay->rl_conf.tls_cakey_len) { + if ((rlay->rl_tls_cakey = get_data(p + s, + 
rlay->rl_conf.tls_cakey_len)) == NULL)
 goto fail;
- s += rlay->rl_conf.ssl_cakey_len;
+ s += rlay->rl_conf.tls_cakey_len;
 }
 TAILQ_INIT(&rlay->rl_tables);
@@ -965,12 +965,12 @@ config_getrelay(struct relayd *env, struct imsg *imsg)
 return (0);
 fail:
- if (rlay->rl_ssl_cert)
- free(rlay->rl_ssl_cert);
- if (rlay->rl_ssl_key)
- free(rlay->rl_ssl_key);
- if (rlay->rl_ssl_ca)
- free(rlay->rl_ssl_ca);
+ if (rlay->rl_tls_cert)
+ free(rlay->rl_tls_cert);
+ if (rlay->rl_tls_key)
+ free(rlay->rl_tls_key);
+ if (rlay->rl_tls_ca)
+ free(rlay->rl_tls_ca);
 close(rlay->rl_s);
 free(rlay);
 return (-1);
diff --git a/usr.sbin/relayd/hce.c b/usr.sbin/relayd/hce.c
index a541a631db5..5459e834617 100644
--- a/usr.sbin/relayd/hce.c
+++ b/usr.sbin/relayd/hce.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hce.c,v 1.66 2014/11/19 10:24:40 blambert Exp $ */
+/* $OpenBSD: hce.c,v 1.67 2014/12/12 10:05:09 reyk Exp $ */
 /*
  * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -95,9 +95,9 @@ hce_setup_events(void)
 evtimer_add(&env->sc_ev, &tv);
 }
- if (env->sc_flags & F_SSL) {
+ if (env->sc_flags & F_TLS) {
 TAILQ_FOREACH(table, env->sc_tables, entry) {
- if (!(table->conf.flags & F_SSL) ||
+ if (!(table->conf.flags & F_TLS) ||
 table->ssl_ctx != NULL)
 continue;
 table->ssl_ctx = ssl_ctx_create(env);
@@ -220,7 +220,7 @@ hce_notify_done(struct host *host, enum host_error he)
 log_info("host %s, check %s%s (ignoring result, "
 "host disabled)", host->conf.name,
 table_check(table->conf.check),
- (table->conf.flags & F_SSL) ? " use ssl" : "");
+ (table->conf.flags & F_TLS) ? " use tls" : "");
 }
 host->flags |= (F_CHECK_SENT|F_CHECK_DONE);
 return;
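Review bot: The fail: path at the end of config_getrelay frees rl_tls_cert, rl_tls_key and rl_tls_ca but never rl_tls_cacert or rl_tls_cakey, although the preceding hunk fills both from get_data() in the same order and the cakey branch can still `goto fail` after cacert has been assigned; if get_data() allocates, as the free() calls for the other three buffers imply, the CA certificate leaks on that path and any later `goto fail` would leak the CA key as well. Adding `free(rlay->rl_tls_cacert);` and `free(rlay->rl_tls_cakey);` to the cleanup closes the gap, and since free(NULL) is a no-op the `if (ptr)` guards on the existing calls can go too. The ca.c hunk releases its key buffers through purge_key() rather than free(); if purge_key() wipes before freeing, using it for the two key buffers here would keep private-key material from lingering in the heap on this error path. This is pre-existing behaviour the rename did not touch, so a follow-up commit would be the natural place for it.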
@@ -269,7 +269,7 @@ hce_notify_done(struct host *host, enum host_error he)
 log_info("host %s, check %s%s (%lums), state %s -> %s, "
 "availability %s", host->conf.name,
 table_check(table->conf.check),
- (table->conf.flags & F_SSL) ? " use ssl" : "", duration,
+ (table->conf.flags & F_TLS) ? " use tls" : "", duration,
 host_status(host->last_up), host_status(host->up),
 print_availability(host->check_cnt, host->up_cnt));
 }
diff --git a/usr.sbin/relayd/log.c b/usr.sbin/relayd/log.c
index 7d385c3d4d7..4dbc0527332 100644
--- a/usr.sbin/relayd/log.c
+++ b/usr.sbin/relayd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.24 2014/10/25 03:23:49 lteo Exp $ */
+/* $OpenBSD: log.c,v 1.25 2014/12/12 10:05:09 reyk Exp $ */
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -234,29 +234,29 @@ host_error(enum host_error he)
 case HCE_SCRIPT_FAIL:
 return ("script failed");
 break;
- case HCE_SSL_CONNECT_OK:
- return ("ssl connect ok");
+ case HCE_TLS_CONNECT_OK:
+ return ("tls connect ok");
 break;
- case HCE_SSL_CONNECT_FAIL:
- return ("ssl connect failed");
+ case HCE_TLS_CONNECT_FAIL:
+ return ("tls connect failed");
 break;
- case HCE_SSL_CONNECT_TIMEOUT:
- return ("ssl connect timeout");
+ case HCE_TLS_CONNECT_TIMEOUT:
+ return ("tls connect timeout");
 break;
- case HCE_SSL_CONNECT_ERROR:
- return ("ssl connect error");
+ case HCE_TLS_CONNECT_ERROR:
+ return ("tls connect error");
 break;
- case HCE_SSL_READ_TIMEOUT:
- return ("ssl read timeout");
+ case HCE_TLS_READ_TIMEOUT:
+ return ("tls read timeout");
 break;
- case HCE_SSL_WRITE_TIMEOUT:
- return ("ssl write timeout");
+ case HCE_TLS_WRITE_TIMEOUT:
+ return ("tls write timeout");
 break;
- case HCE_SSL_READ_ERROR:
- return ("ssl read error");
+ case HCE_TLS_READ_ERROR:
+ return ("tls read error");
 break;
- case HCE_SSL_WRITE_ERROR:
- return ("ssl write error");
+ case HCE_TLS_WRITE_ERROR:
+ return ("tls write error");
 break;
 case HCE_SEND_EXPECT_FAIL:
 return ("send/expect failed");
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index f00d3343792..f014e298058 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.195 2014/11/20 05:51:20 jsg Exp $ */
+/* $OpenBSD: parse.y,v 1.196 2014/12/12 10:05:09 reyk Exp $ */
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -165,7 +165,7 @@ typedef struct {
 %token NO DESTINATION NODELAY NOTHING ON PARENT PATH PFTAG PORT PREFORK
 %token PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE
 %token RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SNMP
-%token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TO
+%token SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS TO
 %token ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDH
 %token EDH CURVE
@@ -174,10 +174,10 @@ typedef struct {
 %type <v.string> hostname interface table value optstring
 %type <v.number> http_type loglevel quick trap
 %type <v.number> dstmode flag forwardmode retry
-%type <v.number> optssl optsslclient sslcache
+%type <v.number> opttls opttlsclient tlscache
 %type <v.number> redirect_proto relay_proto match
 %type <v.number> action ruleaf key_option
-%type <v.number> ssldhparams sslecdhcurve
+%type <v.number> tlsdhparams tlsecdhcurve
 %type <v.port> port
 %type <v.host> host
 %type <v.addr> address
@@ -216,12 +216,21 @@ include : INCLUDE STRING {
 }
 ;
-optssl : /*empty*/ { $$ = 0; }
- | SSL { $$ = 1; }
+ssltls : SSL {
+ log_warnx("%s:%d: %s",
+ file->name, yylval.lineno,
+ "please use the \"tls\" keyword"
+ " instead of \"ssl\"");
+ }
+ | TLS
+ ;
+
+opttls : /*empty*/ { $$ = 0; }
+ | ssltls { $$ = 1; }
 ;
-optsslclient : /*empty*/ { $$ = 0; }
- | WITH SSL { $$ = 1; }
+opttlsclient : /*empty*/ { $$ = 0; }
+ | WITH ssltls { $$ = 1; }
 ;
 http_type : STRING {
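Review bot: The new ssltls rule in the @@ -216 hunk carries no comment saying that it exists as a compatibility alias, so a later reader has to work out why SSL is still a token and why the rule yields no semantic value; a one-line comment above it, `/* "ssl" is kept as a deprecated alias for "tls"; a warning is logged on every use */`, would record that. The warning is emitted per occurrence rather than once per file, which looks intentional since it reports file->name and the line number, but that choice is worth stating in the same comment. The alias should also be reflected wherever the keyword list is documented; relayd.conf.5 is in the diffstat but its hunks are not in view, so I cannot confirm it there.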
@@ -757,15 +766,15 @@ tableopts : CHECK tablecheck tablecheck : ICMP { table->conf.check = CHECK_ICMP; } | TCP { table->conf.check = CHECK_TCP; } - | SSL { + | ssltls { table->conf.check = CHECK_TCP; - conf->sc_flags |= F_SSL; - table->conf.flags |= F_SSL; + conf->sc_flags |= F_TLS; + table->conf.flags |= F_TLS; } | http_type STRING hostname CODE NUMBER { if ($1) { - conf->sc_flags |= F_SSL; - table->conf.flags |= F_SSL; + conf->sc_flags |= F_TLS; + table->conf.flags |= F_TLS; } table->conf.check = CHECK_HTTP_CODE; if ((table->conf.retcode = $5) <= 0) { @@ -785,8 +794,8 @@ tablecheck : ICMP { table->conf.check = CHECK_ICMP; } } | http_type STRING hostname digest { if ($1) { - conf->sc_flags |= F_SSL; - table->conf.flags |= F_SSL; + conf->sc_flags |= F_TLS; + table->conf.flags |= F_TLS; } table->conf.check = CHECK_HTTP_DIGEST; if (asprintf(&table->sendbuf, @@ -807,11 +816,11 @@ tablecheck : ICMP { table->conf.check = CHECK_ICMP; } table->conf.digest_type = $4.type; free($4.digest); } - | SEND sendbuf EXPECT STRING optssl { + | SEND sendbuf EXPECT STRING opttls { table->conf.check = CHECK_SEND_EXPECT; if ($5) { - conf->sc_flags |= F_SSL; - table->conf.flags |= F_SSL; + conf->sc_flags |= F_TLS; + table->conf.flags |= F_TLS; } if (strlcpy(table->conf.exbuf, $4, sizeof(table->conf.exbuf)) @@ -900,13 +909,13 @@ proto : relay_proto PROTO STRING { p->type = $1; p->cache = RELAY_CACHESIZE; p->tcpflags = TCPFLAG_DEFAULT; - p->sslflags = SSLFLAG_DEFAULT; + p->tlsflags = TLSFLAG_DEFAULT; p->tcpbacklog = RELAY_BACKLOG; TAILQ_INIT(&p->rules); - (void)strlcpy(p->sslciphers, SSLCIPHERS_DEFAULT, - sizeof(p->sslciphers)); - p->ssldhparams = SSLDHPARAMS_DEFAULT; - p->sslecdhcurve = SSLECDHCURVE_DEFAULT; + (void)strlcpy(p->tlsciphers, TLSCIPHERS_DEFAULT, + sizeof(p->tlsciphers)); + p->tlsdhparams = TLSDHPARAMS_DEFAULT; + p->tlsecdhcurve = TLSECDHCURVE_DEFAULT; if (last_proto_id == INT_MAX) { yyerror("too many protocols defined"); free(p); 
@@ -916,8 +925,8 @@ proto : relay_proto PROTO STRING { } protopts_n { conf->sc_protocount++; - if ((proto->sslflags & SSLFLAG_VERSION) == 0) { - yyerror("invalid SSL protocol"); + if ((proto->tlsflags & TLSFLAG_VERSION) == 0) { + yyerror("invalid TLS protocol"); YYERROR; } @@ -934,8 +943,8 @@ protopts_l : protopts_l protoptsl nl | protoptsl optnl ; -protoptsl : SSL sslflags - | SSL '{' sslflags_l '}' +protoptsl : ssltls tlsflags + | ssltls '{' tlsflags_l '}' | TCP tcpflags | TCP '{' tcpflags_l '}' | RETURN ERROR opteflags { proto->flags |= F_RETURN; } 
@@ -989,54 +998,54 @@ tcpflags : SACK { proto->tcpflags |= TCPFLAG_SACK; } } ; -sslflags_l : sslflags comma sslflags_l - | sslflags +tlsflags_l : tlsflags comma tlsflags_l + | tlsflags ; -sslflags : SESSION CACHE sslcache { proto->cache = $3; } +tlsflags : SESSION CACHE tlscache { proto->cache = $3; } | CIPHERS STRING { - if (strlcpy(proto->sslciphers, $2, - sizeof(proto->sslciphers)) >= - sizeof(proto->sslciphers)) { - yyerror("sslciphers truncated"); + if (strlcpy(proto->tlsciphers, $2, + sizeof(proto->tlsciphers)) >= + sizeof(proto->tlsciphers)) { + yyerror("tlsciphers truncated"); free($2); YYERROR; } free($2); } | NO EDH { - proto->ssldhparams = SSLDHPARAMS_NONE; + proto->tlsdhparams = TLSDHPARAMS_NONE; } - | EDH ssldhparams { - proto->ssldhparams = $2; + | EDH tlsdhparams { + proto->tlsdhparams = $2; } | NO ECDH { - proto->sslecdhcurve = 0; + proto->tlsecdhcurve = 0; } - | ECDH sslecdhcurve { - proto->sslecdhcurve = $2; + | ECDH tlsecdhcurve { + proto->tlsecdhcurve = $2; } | CA FILENAME STRING { - if (strlcpy(proto->sslca, $3, - sizeof(proto->sslca)) >= - sizeof(proto->sslca)) { - yyerror("sslca truncated"); + if (strlcpy(proto->tlsca, $3, + sizeof(proto->tlsca)) >= + sizeof(proto->tlsca)) { + yyerror("tlsca truncated"); free($3); YYERROR; } free($3); } | CA KEY STRING PASSWORD STRING { - if (strlcpy(proto->sslcakey, $3, - sizeof(proto->sslcakey)) >= - sizeof(proto->sslcakey)) { - yyerror("sslcakey truncated"); + if (strlcpy(proto->tlscakey, $3, + sizeof(proto->tlscakey)) >= + sizeof(proto->tlscakey)) { + yyerror("tlscakey truncated"); free($3); free($5); YYERROR; } - if ((proto->sslcapass = strdup($5)) == NULL) { - yyerror("sslcapass"); + if ((proto->tlscapass = strdup($5)) == NULL) { + yyerror("tlscapass"); free($3); free($5); YYERROR; 
@@ -1045,36 +1054,36 @@ sslflags : SESSION CACHE sslcache { proto->cache = $3; } free($5); } | CA CERTIFICATE STRING { - if (strlcpy(proto->sslcacert, $3, - sizeof(proto->sslcacert)) >= - sizeof(proto->sslcacert)) { - yyerror("sslcacert truncated"); + if (strlcpy(proto->tlscacert, $3, + sizeof(proto->tlscacert)) >= + sizeof(proto->tlscacert)) { + yyerror("tlscacert truncated"); free($3); YYERROR; } free($3); } - | NO flag { proto->sslflags &= ~($2); } - | flag { proto->sslflags |= $1; } + | NO flag { proto->tlsflags &= ~($2); } + | flag { proto->tlsflags |= $1; } ; flag : STRING { if (strcmp("sslv3", $1) == 0) - $$ = SSLFLAG_SSLV3; + $$ = TLSFLAG_SSLV3; else if (strcmp("tlsv1", $1) == 0) - $$ = SSLFLAG_TLSV1; + $$ = TLSFLAG_TLSV1; else if (strcmp("tlsv1.0", $1) == 0) - $$ = SSLFLAG_TLSV1_0; + $$ = TLSFLAG_TLSV1_0; else if (strcmp("tlsv1.1", $1) == 0) - $$ = SSLFLAG_TLSV1_1; + $$ = TLSFLAG_TLSV1_1; else if (strcmp("tlsv1.2", $1) == 0) - $$ = SSLFLAG_TLSV1_2; + $$ = TLSFLAG_TLSV1_2; else if (strcmp("cipher-server-preference", $1) == 0) - $$ = SSLFLAG_CIPHER_SERVER_PREF; + $$ = TLSFLAG_CIPHER_SERVER_PREF; else if (strcmp("client-renegotiation", $1) == 0) - $$ = SSLFLAG_CLIENT_RENEG; + $$ = TLSFLAG_CLIENT_RENEG; else { - yyerror("invalid SSL flag: %s", $1); + yyerror("invalid TLS flag: %s", $1); free($1); YYERROR; } @@ -1082,9 +1091,9 @@ flag : STRING { } ; -sslcache : NUMBER { +tlscache : NUMBER { if ($1 < 0) { - yyerror("invalid sslcache value: %d", $1); + yyerror("invalid tlscache value: %d", $1); YYERROR; } $$ = $1; @@ -1463,9 +1472,9 @@ key_option : /* empty */ { $$ = KEY_OPTION_NONE; } | LOG { $$ = KEY_OPTION_LOG; } ; -ssldhparams : /* empty */ { $$ = SSLDHPARAMS_MIN; } +tlsdhparams : /* empty */ { $$ = TLSDHPARAMS_MIN; } | PARAMS NUMBER { - if ($2 < SSLDHPARAMS_MIN) { + if ($2 < TLSDHPARAMS_MIN) { yyerror("EDH params not supported: %d", $2); YYERROR; } 
@@ -1473,11 +1482,11 @@ ssldhparams : /* empty */ { $$ = SSLDHPARAMS_MIN; } } ; -sslecdhcurve : /* empty */ { $$ = SSLECDHCURVE_DEFAULT; } +tlsecdhcurve : /* empty */ { $$ = TLSECDHCURVE_DEFAULT; } | CURVE STRING { if (strcmp("none", $2) == 0) $$ = 0; - else if ((proto->sslecdhcurve = OBJ_sn2nid($2)) == 0) { + else if ((proto->tlsecdhcurve = OBJ_sn2nid($2)) == 0) { yyerror("ECDH curve not supported"); free($2); YYERROR; @@ -1583,7 +1592,7 @@ relayopts_l : relayopts_l relayoptsl nl | relayoptsl optnl ; -relayoptsl : LISTEN ON STRING port optssl { +relayoptsl : LISTEN ON STRING port opttls { struct addresslist al; struct address *h; struct relay *r; @@ -1611,21 +1620,21 @@ relayoptsl : LISTEN ON STRING port optssl { bcopy(&h->ss, &r->rl_conf.ss, sizeof(r->rl_conf.ss)); r->rl_conf.port = h->port.val[0]; if ($5) { - r->rl_conf.flags |= F_SSL; - conf->sc_flags |= F_SSL; + r->rl_conf.flags |= F_TLS; + conf->sc_flags |= F_TLS; } tableport = h->port.val[0]; host_free(&al); } - | forwardmode optsslclient TO forwardspec dstaf { + | forwardmode opttlsclient TO forwardspec dstaf { rlay->rl_conf.fwdmode = $1; if ($1 == FWD_ROUTE) { yyerror("no route for relays"); YYERROR; } if ($2) { - rlay->rl_conf.flags |= F_SSLCLIENT; - conf->sc_flags |= F_SSLCLIENT; + rlay->rl_conf.flags |= F_TLSCLIENT; + conf->sc_flags |= F_TLSCLIENT; } } | SESSION TIMEOUT NUMBER { @@ -2148,6 +2157,7 @@ lookup(char *s) { "tagged", TAGGED }, { "tcp", TCP }, { "timeout", TIMEOUT }, + { "tls", TLS }, { "to", TO }, { "transparent", TRANSPARENT }, { "trap", TRAP }, @@ -3038,8 +3048,8 @@ int relay_id(struct relay *rl) { rl->rl_conf.id = ++last_relay_id; - rl->rl_conf.ssl_keyid = ++last_key_id; - rl->rl_conf.ssl_cakeyid = ++last_key_id; + rl->rl_conf.tls_keyid = ++last_key_id; + rl->rl_conf.tls_cakeyid = ++last_key_id; if (last_relay_id == INT_MAX || last_key_id == INT_MAX) return (-1); 
@@ -3059,12 +3069,12 @@ relay_inherit(struct relay *ra, struct relay *rb) bcopy(&rc.ss, &rb->rl_conf.ss, sizeof(rb->rl_conf.ss)); rb->rl_conf.port = rc.port; rb->rl_conf.flags = - (ra->rl_conf.flags & ~F_SSL) | (rc.flags & F_SSL); - if (!(rb->rl_conf.flags & F_SSL)) { - rb->rl_ssl_cert = NULL; - rb->rl_conf.ssl_cert_len = 0; - rb->rl_ssl_key = NULL; - rb->rl_conf.ssl_key_len = 0; + (ra->rl_conf.flags & ~F_TLS) | (rc.flags & F_TLS); + if (!(rb->rl_conf.flags & F_TLS)) { + rb->rl_tls_cert = NULL; + rb->rl_conf.tls_cert_len = 0; + rb->rl_tls_key = NULL; + rb->rl_conf.tls_key_len = 0; } TAILQ_INIT(&rb->rl_tables); diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c index b405d717b02..34c5be4372e 100644 --- a/usr.sbin/relayd/relay.c +++ b/usr.sbin/relayd/relay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay.c,v 1.181 2014/11/19 10:24:40 blambert Exp $ */ +/* $OpenBSD: relay.c,v 1.182 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> 
@@ -74,18 +74,18 @@ void relay_input(struct rsession *); u_int32_t relay_hash_addr(struct sockaddr_storage *, u_int32_t); -DH * relay_ssl_get_dhparams(int); -void relay_ssl_callback_info(const SSL *, int, int); -DH *relay_ssl_callback_dh(SSL *, int, int); -SSL_CTX *relay_ssl_ctx_create(struct relay *); -void relay_ssl_transaction(struct rsession *, +DH * relay_tls_get_dhparams(int); +void relay_tls_callback_info(const SSL *, int, int); +DH *relay_tls_callback_dh(SSL *, int, int); +SSL_CTX *relay_tls_ctx_create(struct relay *); +void relay_tls_transaction(struct rsession *, struct ctl_relay_event *); -void relay_ssl_accept(int, short, void *); +void relay_tls_accept(int, short, void *); void relay_connect_retry(int, short, void *); -void relay_ssl_connect(int, short, void *); -void relay_ssl_connected(struct ctl_relay_event *); -void relay_ssl_readcb(int, short, void *); -void relay_ssl_writecb(int, short, void *); +void relay_tls_connect(int, short, void *); +void relay_tls_connected(struct ctl_relay_event *); +void relay_tls_readcb(int, short, void *); +void relay_tls_writecb(int, short, void *); char *relay_load_file(const char *, off_t *); extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, @@ -259,11 +259,11 @@ relay_protodebug(struct relay *rlay) if (proto->tcpflags) fprintf(stderr, "\ttcp flags: %s\n", printb_flags(proto->tcpflags, TCPFLAG_BITS)); - if ((rlay->rl_conf.flags & (F_SSL|F_SSLCLIENT)) && proto->sslflags) - fprintf(stderr, "\tssl flags: %s\n", - printb_flags(proto->sslflags, SSLFLAG_BITS)); + if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && proto->tlsflags) + fprintf(stderr, "\ttls flags: %s\n", + printb_flags(proto->tlsflags, TLSFLAG_BITS)); if (proto->cache != -1) - fprintf(stderr, "\tssl session cache: %d\n", proto->cache); + fprintf(stderr, "\ttls session cache: %d\n", proto->cache); fprintf(stderr, "\ttype: "); switch (proto->type) { case RELAY_PROTO_TCP: 
@@ -426,9 +426,9 @@ relay_launch(void) struct relay_table *rlt; TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { - if ((rlay->rl_conf.flags & (F_SSL|F_SSLCLIENT)) && - (rlay->rl_ssl_ctx = relay_ssl_ctx_create(rlay)) == NULL) - fatal("relay_init: failed to create SSL context"); + if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) && + (rlay->rl_ssl_ctx = relay_tls_ctx_create(rlay)) == NULL) + fatal("relay_init: failed to create TLS context"); TAILQ_FOREACH(rlt, &rlay->rl_tables, rlt_entry) { /* @@ -684,8 +684,8 @@ relay_connected(int fd, short sig, void *arg) return; } - if ((rlay->rl_conf.flags & F_SSLCLIENT) && (out->ssl == NULL)) { - relay_ssl_transaction(con, out); + if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl == NULL)) { + relay_tls_transaction(con, out); return; } @@ -723,9 +723,9 @@ relay_connected(int fd, short sig, void *arg) fatal("relay_connected: invalid output buffer"); con->se_out.bev = bev; - /* Initialize the SSL wrapper */ - if ((rlay->rl_conf.flags & F_SSLCLIENT) && (out->ssl != NULL)) - relay_ssl_connected(out); + /* Initialize the TLS wrapper */ + if ((rlay->rl_conf.flags & F_TLSCLIENT) && (out->ssl != NULL)) + relay_tls_connected(out); bufferevent_settimeout(bev, rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); @@ -769,9 +769,9 @@ relay_input(struct rsession *con) return; } - /* Initialize the SSL wrapper */ - if ((rlay->rl_conf.flags & F_SSL) && con->se_in.ssl != NULL) - relay_ssl_connected(&con->se_in); + /* Initialize the TLS wrapper */ + if ((rlay->rl_conf.flags & F_TLS) && con->se_in.ssl != NULL) + relay_tls_connected(&con->se_in); bufferevent_settimeout(con->se_in.bev, rlay->rl_conf.timeout.tv_sec, rlay->rl_conf.timeout.tv_sec); @@ -853,7 +853,7 @@ relay_splice(struct ctl_relay_event *cre) struct protocol *proto = rlay->rl_proto; struct splice sp; - if ((rlay->rl_conf.flags & (F_SSL|F_SSLCLIENT)) || + if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) || (proto->tcpflags & TCPFLAG_NSPLICE)) return (0); 
@@ -1158,7 +1158,7 @@ relay_accept(int fd, short event, void *arg) return; } - if (rlay->rl_conf.flags & F_SSLINSPECT) { + if (rlay->rl_conf.flags & F_TLSINSPECT) { relay_preconnect(con); return; } @@ -1347,8 +1347,8 @@ relay_session(struct rsession *con) return; } - if ((rlay->rl_conf.flags & F_SSL) && (in->ssl == NULL)) { - relay_ssl_transaction(con, in); + if ((rlay->rl_conf.flags & F_TLS) && (in->ssl == NULL)) { + relay_tls_transaction(con, in); return; } @@ -1496,9 +1496,9 @@ relay_connect(struct rsession *con) int bnds = -1, ret; /* Connection is already established but session not active */ - if ((rlay->rl_conf.flags & F_SSLINSPECT) && con->se_out.s != -1) { + if ((rlay->rl_conf.flags & F_TLSINSPECT) && con->se_out.s != -1) { if (con->se_out.ssl == NULL) { - log_debug("%s: ssl connect failed", __func__); + log_debug("%s: tls connect failed", __func__); return (-1); } relay_connected(con->se_out.s, EV_WRITE, con); @@ -1634,8 +1634,8 @@ relay_close(struct rsession *con, const char *msg) SSL_shutdown(con->se_in.ssl); SSL_free(con->se_in.ssl); } - if (con->se_in.sslcert != NULL) - X509_free(con->se_in.sslcert); + if (con->se_in.tlscert != NULL) + X509_free(con->se_in.tlscert); if (con->se_in.s != -1) { close(con->se_in.s); if (con->se_out.s == -1) { @@ -1661,8 +1661,8 @@ relay_close(struct rsession *con, const char *msg) SSL_shutdown(con->se_out.ssl); SSL_free(con->se_out.ssl); } - if (con->se_out.sslcert != NULL) - X509_free(con->se_out.sslcert); + if (con->se_out.tlscert != NULL) + X509_free(con->se_out.tlscert); if (con->se_out.s != -1) { close(con->se_out.s); 
@@ -1876,41 +1876,41 @@ relay_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) } void -relay_ssl_callback_info(const SSL *ssl, int where, int rc) +relay_tls_callback_info(const SSL *ssl, int where, int rc) { struct ctl_relay_event *cre; - int ssl_state; + int tls_state; cre = (struct ctl_relay_event *)SSL_get_app_data(ssl); - if (cre == NULL || cre->sslreneg_state == SSLRENEG_ALLOW) + if (cre == NULL || cre->tlsreneg_state == TLSRENEG_ALLOW) return; - ssl_state = SSL_get_state(ssl); + tls_state = SSL_get_state(ssl); /* Check renegotiations */ if ((where & SSL_CB_ACCEPT_LOOP) && - (cre->sslreneg_state == SSLRENEG_DENY)) { - if ((ssl_state == SSL3_ST_SR_CLNT_HELLO_A) || - (ssl_state == SSL23_ST_SR_CLNT_HELLO_A)) { + (cre->tlsreneg_state == TLSRENEG_DENY)) { + if ((tls_state == SSL3_ST_SR_CLNT_HELLO_A) || + (tls_state == SSL23_ST_SR_CLNT_HELLO_A)) { /* * This is a client initiated renegotiation * that we do not allow */ - cre->sslreneg_state = SSLRENEG_ABORT; + cre->tlsreneg_state = TLSRENEG_ABORT; } } else if ((where & SSL_CB_HANDSHAKE_DONE) && - (cre->sslreneg_state == SSLRENEG_INIT)) { + (cre->tlsreneg_state == TLSRENEG_INIT)) { /* * This is right after the first handshake, * disallow any further negotiations. */ - cre->sslreneg_state = SSLRENEG_DENY; + cre->tlsreneg_state = TLSRENEG_DENY; } } DH * -relay_ssl_get_dhparams(int keylen) +relay_tls_get_dhparams(int keylen) { DH *dh; BIGNUM *(*prime)(BIGNUM *); @@ -1945,7 +1945,7 @@ relay_ssl_get_dhparams(int keylen) } DH * -relay_ssl_callback_dh(SSL *ssl, int export, int keylen) +relay_tls_callback_dh(SSL *ssl, int export, int keylen) { struct ctl_relay_event *cre; EVP_PKEY *pkey; 
@@ -1955,7 +1955,7 @@ relay_ssl_callback_dh(SSL *ssl, int export, int keylen) /* Get maximum key length from config */ if ((cre = (struct ctl_relay_event *)SSL_get_app_data(ssl)) == NULL) return (NULL); - maxlen = cre->con->se_relay->rl_proto->ssldhparams; + maxlen = cre->con->se_relay->rl_proto->tlsdhparams; /* Get the private key length from the cert */ if ((pkey = SSL_get_privatekey(ssl))) { @@ -1967,7 +1967,7 @@ relay_ssl_callback_dh(SSL *ssl, int export, int keylen) } /* get built-in params based on the shorter key length */ - dh = relay_ssl_get_dhparams(MIN(keylen, maxlen)); + dh = relay_tls_get_dhparams(MIN(keylen, maxlen)); return (dh); } @@ -1984,7 +1984,7 @@ relay_dispatch_hce(int fd, struct privsep_proc *p, struct imsg *imsg) } SSL_CTX * -relay_ssl_ctx_create(struct relay *rlay) +relay_tls_ctx_create(struct relay *rlay) { struct protocol *proto = rlay->rl_proto; SSL_CTX *ctx; 
@@ -2009,78 +2009,78 @@ relay_ssl_ctx_create(struct relay *rlay) SSL_CTX_set_options(ctx, SSL_OP_ALL); SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); - if (proto->sslflags & SSLFLAG_CIPHER_SERVER_PREF) + if (proto->tlsflags & TLSFLAG_CIPHER_SERVER_PREF) SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); /* Set the allowed SSL protocols */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); - if ((proto->sslflags & SSLFLAG_SSLV3) == 0) + if ((proto->tlsflags & TLSFLAG_SSLV3) == 0) SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1); - if ((proto->sslflags & SSLFLAG_TLSV1_0) == 0) + if ((proto->tlsflags & TLSFLAG_TLSV1_0) == 0) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); - if ((proto->sslflags & SSLFLAG_TLSV1_1) == 0) + if ((proto->tlsflags & TLSFLAG_TLSV1_1) == 0) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); - if ((proto->sslflags & SSLFLAG_TLSV1_2) == 0) + if ((proto->tlsflags & TLSFLAG_TLSV1_2) == 0) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); /* add the SSL info callback */ - SSL_CTX_set_info_callback(ctx, relay_ssl_callback_info); + SSL_CTX_set_info_callback(ctx, relay_tls_callback_info); - if (proto->sslecdhcurve > 0) { + if (proto->tlsecdhcurve > 0) { /* Enable ECDHE support for TLS perfect forward secrecy */ if ((ecdhkey = - EC_KEY_new_by_curve_name(proto->sslecdhcurve)) == NULL) + EC_KEY_new_by_curve_name(proto->tlsecdhcurve)) == NULL) goto err; SSL_CTX_set_tmp_ecdh(ctx, ecdhkey); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); EC_KEY_free(ecdhkey); } - if (proto->ssldhparams > 0) { + if (proto->tlsdhparams > 0) { /* Enable EDH params (forward secrecy for older clients) */ - SSL_CTX_set_tmp_dh_callback(ctx, relay_ssl_callback_dh); + SSL_CTX_set_tmp_dh_callback(ctx, relay_tls_callback_dh); } - if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers)) + if 
(!SSL_CTX_set_cipher_list(ctx, proto->tlsciphers)) goto err; /* Verify the server certificate if we have a CA chain */ - if ((rlay->rl_conf.flags & F_SSLCLIENT) && - (rlay->rl_ssl_ca != NULL)) { + if ((rlay->rl_conf.flags & F_TLSCLIENT) && + (rlay->rl_tls_ca != NULL)) { if (!ssl_ctx_load_verify_memory(ctx, - rlay->rl_ssl_ca, rlay->rl_conf.ssl_ca_len)) + rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)) goto err; SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); } - if ((rlay->rl_conf.flags & F_SSL) == 0) + if ((rlay->rl_conf.flags & F_TLS) == 0) return (ctx); log_debug("%s: loading certificate", __func__); if (!ssl_ctx_use_certificate_chain(ctx, - rlay->rl_ssl_cert, rlay->rl_conf.ssl_cert_len)) + rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len)) goto err; log_debug("%s: loading private key", __func__); if (!ssl_ctx_fake_private_key(ctx, - &rlay->rl_conf.ssl_keyid, sizeof(rlay->rl_conf.ssl_keyid), - rlay->rl_ssl_cert, rlay->rl_conf.ssl_cert_len, - &rlay->rl_ssl_x509, &rlay->rl_ssl_pkey)) + &rlay->rl_conf.tls_keyid, sizeof(rlay->rl_conf.tls_keyid), + rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len, + &rlay->rl_tls_x509, &rlay->rl_tls_pkey)) goto err; if (!SSL_CTX_check_private_key(ctx)) goto err; - if (rlay->rl_conf.ssl_cacert_len) { + if (rlay->rl_conf.tls_cacert_len) { log_debug("%s: loading CA private key", __func__); - if (!ssl_load_pkey(&rlay->rl_conf.ssl_cakeyid, - sizeof(rlay->rl_conf.ssl_cakeyid), - rlay->rl_ssl_cacert, rlay->rl_conf.ssl_cacert_len, - &rlay->rl_ssl_cacertx509, &rlay->rl_ssl_capkey)) + if (!ssl_load_pkey(&rlay->rl_conf.tls_cakeyid, + sizeof(rlay->rl_conf.tls_cakeyid), + rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len, + &rlay->rl_tls_cacertx509, &rlay->rl_tls_capkey)) goto err; } 
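Review bot: The comments `/* Set the allowed SSL protocols */` and `/* add the SSL info callback */` in relay_tls_ctx_create keep the old wording right next to the renamed `TLSFLAG_*` checks and `relay_tls_callback_info`; `/* Set the allowed SSL/TLS protocol versions */` and `/* add the libssl info callback */` would match the rest of the hunk. More important for readers of the commit message ("effectively disabled support for the SSL protocols"): the renamed `TLSFLAG_SSLV3` branch still leaves `SSL_OP_NO_SSLv3` cleared when the flag is set, so SSLv3 stays a per-protocol opt-in rather than being removed, and if that is deliberate a comment such as `/* SSLv3 is off by default; TLSFLAG_SSLV3 re-enables it for legacy peers only */` should say so where the flag is tested. Note also that the client-side verification configured here (`SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` once `rl_tls_ca` is loaded) validates the chain only; whether the peer's name is matched anywhere is not visible in this diff and would be worth a comment either way. The function body continues into the next hunk.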
@@ -2090,20 +2090,20 @@ relay_ssl_ctx_create(struct relay *rlay) goto err; /* The text versions of the keys/certs are not needed anymore */ - purge_key(&rlay->rl_ssl_cert, rlay->rl_conf.ssl_cert_len); - purge_key(&rlay->rl_ssl_cacert, rlay->rl_conf.ssl_cacert_len); + purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); + purge_key(&rlay->rl_tls_cacert, rlay->rl_conf.tls_cacert_len); return (ctx); err: if (ctx != NULL) SSL_CTX_free(ctx); - ssl_error(rlay->rl_conf.name, "relay_ssl_ctx_create"); + ssl_error(rlay->rl_conf.name, "relay_tls_ctx_create"); return (NULL); } void -relay_ssl_transaction(struct rsession *con, struct ctl_relay_event *cre) +relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre) { struct relay *rlay = con->se_relay; struct protocol *proto = rlay->rl_proto; @@ -2117,15 +2117,15 @@ relay_ssl_transaction(struct rsession *con, struct ctl_relay_event *cre) goto err; if (cre->dir == RELAY_DIR_REQUEST) { - cb = relay_ssl_accept; + cb = relay_tls_accept; method = SSLv23_server_method(); flag = EV_READ; - /* Use session-specific certificate for SSL inspection. */ - if (cre->sslcert != NULL) - SSL_use_certificate(ssl, cre->sslcert); + /* Use session-specific certificate for TLS inspection. */ + if (cre->tlscert != NULL) + SSL_use_certificate(ssl, cre->tlscert); } else { - cb = relay_ssl_connect; + cb = relay_tls_connect; method = SSLv23_client_method(); flag = EV_WRITE; } 
@@ -2136,16 +2136,16 @@ relay_ssl_transaction(struct rsession *con, struct ctl_relay_event *cre) goto err; if (cre->dir == RELAY_DIR_REQUEST) { - if ((proto->sslflags & SSLFLAG_CLIENT_RENEG) == 0) + if ((proto->tlsflags & TLSFLAG_CLIENT_RENEG) == 0) /* Only allow negotiation during the first handshake */ - cre->sslreneg_state = SSLRENEG_INIT; + cre->tlsreneg_state = TLSRENEG_INIT; else /* Allow client initiated renegotiations */ - cre->sslreneg_state = SSLRENEG_ALLOW; + cre->tlsreneg_state = TLSRENEG_ALLOW; SSL_set_accept_state(ssl); } else { /* Always allow renegotiations if we're the client */ - cre->sslreneg_state = SSLRENEG_ALLOW; + cre->tlsreneg_state = TLSRENEG_ALLOW; SSL_set_connect_state(ssl); } @@ -2161,29 +2161,29 @@ relay_ssl_transaction(struct rsession *con, struct ctl_relay_event *cre) err: if (ssl != NULL) SSL_free(ssl); - ssl_error(rlay->rl_conf.name, "relay_ssl_transaction"); - relay_close(con, "session ssl failed"); + ssl_error(rlay->rl_conf.name, "relay_tls_transaction"); + relay_close(con, "session tls failed"); } void -relay_ssl_accept(int fd, short event, void *arg) +relay_tls_accept(int fd, short event, void *arg) { struct rsession *con = arg; struct relay *rlay = con->se_relay; int retry_flag = 0; - int ssl_err = 0; + int tls_err = 0; int ret; if (event == EV_TIMEOUT) { - relay_close(con, "SSL accept timeout"); + relay_close(con, "TLS accept timeout"); return; } ret = SSL_accept(con->se_in.ssl); if (ret <= 0) { - ssl_err = SSL_get_error(con->se_in.ssl, ret); + tls_err = SSL_get_error(con->se_in.ssl, ret); - switch (ssl_err) { + switch (tls_err) { case SSL_ERROR_WANT_READ: retry_flag = EV_READ; goto retry; @@ -2198,8 +2198,8 @@ relay_ssl_accept(int fd, short event, void *arg) } /* FALLTHROUGH */ default: - ssl_error(rlay->rl_conf.name, "relay_ssl_accept"); - relay_close(con, "SSL accept error"); + ssl_error(rlay->rl_conf.name, "relay_tls_accept"); + relay_close(con, "TLS accept error"); return; } } 
@@ -2219,30 +2219,30 @@ relay_ssl_accept(int fd, short event, void *arg) retry: DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); - event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_ssl_accept, + event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_accept, &con->se_tv_start, &rlay->rl_conf.timeout, con); } void -relay_ssl_connect(int fd, short event, void *arg) +relay_tls_connect(int fd, short event, void *arg) { struct rsession *con = arg; struct relay *rlay = con->se_relay; int retry_flag = 0; - int ssl_err = 0; + int tls_err = 0; int ret; X509 *servercert = NULL; if (event == EV_TIMEOUT) { - relay_close(con, "SSL connect timeout"); + relay_close(con, "TLS connect timeout"); return; } ret = SSL_connect(con->se_out.ssl); if (ret <= 0) { - ssl_err = SSL_get_error(con->se_out.ssl, ret); + tls_err = SSL_get_error(con->se_out.ssl, ret); - switch (ssl_err) { + switch (tls_err) { case SSL_ERROR_WANT_READ: retry_flag = EV_READ; goto retry; @@ -2257,8 +2257,8 @@ relay_ssl_connect(int fd, short event, void *arg) } /* FALLTHROUGH */ default: - ssl_error(rlay->rl_conf.name, "relay_ssl_connect"); - relay_close(con, "SSL connect error"); + ssl_error(rlay->rl_conf.name, "relay_tls_connect"); + relay_close(con, "TLS connect error"); return; } } 
@@ -2268,21 +2268,21 @@ relay_ssl_connect(int fd, short event, void *arg) #else log_debug( #endif - "relay %s, ssl session %d connected (%d active)", + "relay %s, tls session %d connected (%d active)", rlay->rl_conf.name, con->se_id, relay_sessions); - if (rlay->rl_conf.flags & F_SSLINSPECT) { + if (rlay->rl_conf.flags & F_TLSINSPECT) { if ((servercert = SSL_get_peer_certificate(con->se_out.ssl)) != NULL) { - con->se_in.sslcert = + con->se_in.tlscert = ssl_update_certificate(servercert, - rlay->rl_ssl_pkey, rlay->rl_ssl_capkey, - rlay->rl_ssl_cacertx509); + rlay->rl_tls_pkey, rlay->rl_tls_capkey, + rlay->rl_tls_cacertx509); } else - con->se_in.sslcert = NULL; + con->se_in.tlscert = NULL; if (servercert != NULL) X509_free(servercert); - if (con->se_in.sslcert == NULL) + if (con->se_in.tlscert == NULL) relay_close(con, "could not create certificate"); else relay_session(con); 
@@ -2295,32 +2295,32 @@ relay_ssl_connect(int fd, short event, void *arg) retry: DPRINTF("%s: session %d: scheduling on %s", __func__, con->se_id, (retry_flag == EV_READ) ? "EV_READ" : "EV_WRITE"); - event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_ssl_connect, + event_again(&con->se_ev, fd, EV_TIMEOUT|retry_flag, relay_tls_connect, &con->se_tv_start, &rlay->rl_conf.timeout, con); } void -relay_ssl_connected(struct ctl_relay_event *cre) +relay_tls_connected(struct ctl_relay_event *cre) { /* * Hack libevent - we overwrite the internal bufferevent I/O - * functions to handle the SSL abstraction. + * functions to handle the TLS abstraction. */ event_set(&cre->bev->ev_read, cre->s, EV_READ, - relay_ssl_readcb, cre->bev); + relay_tls_readcb, cre->bev); event_set(&cre->bev->ev_write, cre->s, EV_WRITE, - relay_ssl_writecb, cre->bev); + relay_tls_writecb, cre->bev); } void -relay_ssl_readcb(int fd, short event, void *arg) +relay_tls_readcb(int fd, short event, void *arg) { char rbuf[IBUF_READ_SIZE]; struct bufferevent *bufev = arg; struct ctl_relay_event *cre = bufev->cbarg; struct rsession *con = cre->con; struct relay *rlay = con->se_relay; - int ret = 0, ssl_err = 0; + int ret = 0, tls_err = 0; short what = EVBUFFER_READ; int howmuch = IBUF_READ_SIZE; size_t len; @@ -2330,7 +2330,7 @@ relay_ssl_readcb(int fd, short event, void *arg) goto err; } - if (cre->sslreneg_state == SSLRENEG_ABORT) { + if (cre->tlsreneg_state == TLSRENEG_ABORT) { what |= EVBUFFER_ERROR; goto err; } @@ -2340,9 +2340,9 @@ relay_ssl_readcb(int fd, short event, void *arg) ret = SSL_read(cre->ssl, rbuf, howmuch); if (ret <= 0) { - ssl_err = SSL_get_error(cre->ssl, ret); + tls_err = SSL_get_error(cre->ssl, ret); - switch (ssl_err) { + switch (tls_err) { case SSL_ERROR_WANT_READ: DPRINTF("%s: session %d: want read", __func__, con->se_id); 
@@ -2356,7 +2356,7 @@ relay_ssl_readcb(int fd, short event, void *arg) what |= EVBUFFER_EOF; else { ssl_error(rlay->rl_conf.name, - "relay_ssl_readcb"); + "relay_tls_readcb"); what |= EVBUFFER_ERROR; } goto err; @@ -2393,13 +2393,13 @@ relay_ssl_readcb(int fd, short event, void *arg) } void -relay_ssl_writecb(int fd, short event, void *arg) +relay_tls_writecb(int fd, short event, void *arg) { struct bufferevent *bufev = arg; struct ctl_relay_event *cre = bufev->cbarg; struct rsession *con = cre->con; struct relay *rlay = con->se_relay; - int ret = 0, ssl_err; + int ret = 0, tls_err; short what = EVBUFFER_WRITE; if (event == EV_TIMEOUT) { @@ -2407,7 +2407,7 @@ relay_ssl_writecb(int fd, short event, void *arg) goto err; } - if (cre->sslreneg_state == SSLRENEG_ABORT) { + if (cre->tlsreneg_state == TLSRENEG_ABORT) { what |= EVBUFFER_ERROR; goto err; } @@ -2425,9 +2425,9 @@ relay_ssl_writecb(int fd, short event, void *arg) ret = SSL_write(cre->ssl, cre->buf, cre->buflen); if (ret <= 0) { - ssl_err = SSL_get_error(cre->ssl, ret); + tls_err = SSL_get_error(cre->ssl, ret); - switch (ssl_err) { + switch (tls_err) { case SSL_ERROR_WANT_READ: DPRINTF("%s: session %d: want read", __func__, con->se_id); @@ -2441,7 +2441,7 @@ relay_ssl_writecb(int fd, short event, void *arg) what |= EVBUFFER_EOF; else { ssl_error(rlay->rl_conf.name, - "relay_ssl_writecb"); + "relay_tls_writecb"); what |= EVBUFFER_ERROR; } goto err; 
@@ -2620,34 +2620,34 @@ relay_load_certfiles(struct relay *rlay) struct protocol *proto = rlay->rl_proto; int useport = htons(rlay->rl_conf.port); - if (rlay->rl_conf.flags & F_SSLCLIENT) { - if (strlen(proto->sslca)) { - if ((rlay->rl_ssl_ca = - relay_load_file(proto->sslca, - &rlay->rl_conf.ssl_ca_len)) == NULL) + if (rlay->rl_conf.flags & F_TLSCLIENT) { + if (strlen(proto->tlsca)) { + if ((rlay->rl_tls_ca = + relay_load_file(proto->tlsca, + &rlay->rl_conf.tls_ca_len)) == NULL) return (-1); - log_debug("%s: using ca %s", __func__, proto->sslca); + log_debug("%s: using ca %s", __func__, proto->tlsca); } - if (strlen(proto->sslcacert)) { - if ((rlay->rl_ssl_cacert = - relay_load_file(proto->sslcacert, - &rlay->rl_conf.ssl_cacert_len)) == NULL) + if (strlen(proto->tlscacert)) { + if ((rlay->rl_tls_cacert = + relay_load_file(proto->tlscacert, + &rlay->rl_conf.tls_cacert_len)) == NULL) return (-1); log_debug("%s: using ca certificate %s", __func__, - proto->sslcacert); + proto->tlscacert); } - if (strlen(proto->sslcakey) && proto->sslcapass != NULL) { - if ((rlay->rl_ssl_cakey = - ssl_load_key(env, proto->sslcakey, - &rlay->rl_conf.ssl_cakey_len, - proto->sslcapass)) == NULL) + if (strlen(proto->tlscakey) && proto->tlscapass != NULL) { + if ((rlay->rl_tls_cakey = + ssl_load_key(env, proto->tlscakey, + &rlay->rl_conf.tls_cakey_len, + proto->tlscapass)) == NULL) return (-1); log_debug("%s: using ca key %s", __func__, - proto->sslcakey); + proto->tlscakey); } } - if ((rlay->rl_conf.flags & F_SSL) == 0) + if ((rlay->rl_conf.flags & F_TLS) == 0) return (0); if (print_host(&rlay->rl_conf.ss, hbuf, sizeof(hbuf)) == NULL) 
@@ -2656,13 +2656,13 @@ relay_load_certfiles(struct relay *rlay) if (snprintf(certfile, sizeof(certfile), "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) return (-1); - if ((rlay->rl_ssl_cert = relay_load_file(certfile, - &rlay->rl_conf.ssl_cert_len)) == NULL) { + if ((rlay->rl_tls_cert = relay_load_file(certfile, + &rlay->rl_conf.tls_cert_len)) == NULL) { if (snprintf(certfile, sizeof(certfile), "/etc/ssl/%s.crt", hbuf) == -1) return (-1); - if ((rlay->rl_ssl_cert = relay_load_file(certfile, - &rlay->rl_conf.ssl_cert_len)) == NULL) + if ((rlay->rl_tls_cert = relay_load_file(certfile, + &rlay->rl_conf.tls_cert_len)) == NULL) return (-1); useport = 0; } @@ -2677,8 +2677,8 @@ relay_load_certfiles(struct relay *rlay) "/etc/ssl/private/%s.key", hbuf) == -1) return -1; } - if ((rlay->rl_ssl_key = ssl_load_key(env, certfile, - &rlay->rl_conf.ssl_key_len, NULL)) == NULL) + if ((rlay->rl_tls_key = ssl_load_key(env, certfile, + &rlay->rl_conf.tls_key_len, NULL)) == NULL) return (-1); log_debug("%s: using private key %s", __func__, certfile); diff --git a/usr.sbin/relayd/relay_udp.c b/usr.sbin/relayd/relay_udp.c index 2f1269660db..62b32702e01 100644 --- a/usr.sbin/relayd/relay_udp.c +++ b/usr.sbin/relayd/relay_udp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay_udp.c,v 1.34 2014/11/19 10:24:40 blambert Exp $ */ +/* $OpenBSD: relay_udp.c,v 1.35 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2007 - 2013 Reyk Floeter <reyk@openbsd.org> @@ -74,8 +74,8 @@ relay_udp_privinit(struct relayd *x_env, struct relay *rlay) if (env == NULL) env = x_env; - if (rlay->rl_conf.flags & F_SSL) - fatalx("ssl over udp is not supported"); + if (rlay->rl_conf.flags & F_TLS) + fatalx("tls over udp is not supported"); rlay->rl_conf.flags |= F_UDP; } diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c index 125d5c272da..c1e61f29760 100644 --- a/usr.sbin/relayd/relayd.c +++ b/usr.sbin/relayd/relayd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.c,v 1.133 2014/11/22 00:24:22 tedu Exp $ */ +/* $OpenBSD: relayd.c,v 1.134 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org> @@ -266,7 +266,7 @@ main(int argc, char *argv[]) exit(0); } - if (env->sc_flags & (F_SSL|F_SSLCLIENT)) + if (env->sc_flags & (F_TLS|F_TLSCLIENT)) ssl_init(env); if (parent_configure(env) == -1) @@ -305,12 +305,12 @@ parent_configure(struct relayd *env) TAILQ_FOREACH(proto, env->sc_protos, entry) config_setrule(env, proto); TAILQ_FOREACH(rlay, env->sc_relays, rl_entry) { - /* Check for SSL Inspection */ - if ((rlay->rl_conf.flags & (F_SSL|F_SSLCLIENT)) == - (F_SSL|F_SSLCLIENT) && - rlay->rl_conf.ssl_cacert_len && - rlay->rl_conf.ssl_cakey_len) - rlay->rl_conf.flags |= F_SSLINSPECT; + /* Check for TLS Inspection */ + if ((rlay->rl_conf.flags & (F_TLS|F_TLSCLIENT)) == + (F_TLS|F_TLSCLIENT) && + rlay->rl_conf.tls_cacert_len && + rlay->rl_conf.tls_cakey_len) + rlay->rl_conf.flags |= F_TLSINSPECT; config_setrelay(env, rlay); } @@ -563,7 +563,7 @@ purge_table(struct tablelist *head, struct table *table) } if (table->sendbuf != NULL) free(table->sendbuf); - if (table->conf.flags & F_SSL) + if (table->conf.flags & F_TLS) SSL_CTX_free(table->ssl_ctx); if (head != NULL) 
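Review bot: The `/* Check for TLS Inspection */` block in parent_configure is the only place in this diff where `F_TLSINSPECT` is derived, and it does so implicitly from `F_TLS` (the `listen … tls` server side) plus `F_TLSCLIENT` (the `forward with tls` client side) plus a loaded CA certificate and key; because this silently switches the relay into the man-in-the-middle mode the manual describes, the comment should say so, e.g. `/* TLS inspection (MITM) is implied, not configured: listen tls + forward with tls + ca cert + ca key */`. The relayd.conf.5 hunk for the `ca key` option states the same rule with the sides inverted — it attributes client mode to `listen on ... tls` and server mode to `forward with tls` — whereas relay_tls_transaction (`RELAY_DIR_REQUEST` → `SSLv23_server_method`, otherwise `SSLv23_client_method`) and this check treat the listen side as server and the forward side as client, so the manual text should be swapped to match the code. The same manual hunks also introduce `an TLS` in several places where `a TLS` is meant. parent_configure starts and ends outside the hunk.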
@@ -608,26 +608,26 @@ purge_relay(struct relayd *env, struct relay *rlay) if (rlay->rl_dstbev != NULL) bufferevent_free(rlay->rl_dstbev); - purge_key(&rlay->rl_ssl_cert, rlay->rl_conf.ssl_cert_len); - purge_key(&rlay->rl_ssl_key, rlay->rl_conf.ssl_key_len); - purge_key(&rlay->rl_ssl_ca, rlay->rl_conf.ssl_ca_len); - purge_key(&rlay->rl_ssl_cakey, rlay->rl_conf.ssl_cakey_len); + purge_key(&rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len); + purge_key(&rlay->rl_tls_key, rlay->rl_conf.tls_key_len); + purge_key(&rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len); + purge_key(&rlay->rl_tls_cakey, rlay->rl_conf.tls_cakey_len); - if (rlay->rl_ssl_x509 != NULL) { - X509_free(rlay->rl_ssl_x509); - rlay->rl_ssl_x509 = NULL; + if (rlay->rl_tls_x509 != NULL) { + X509_free(rlay->rl_tls_x509); + rlay->rl_tls_x509 = NULL; } - if (rlay->rl_ssl_pkey != NULL) { - EVP_PKEY_free(rlay->rl_ssl_pkey); - rlay->rl_ssl_pkey = NULL; + if (rlay->rl_tls_pkey != NULL) { + EVP_PKEY_free(rlay->rl_tls_pkey); + rlay->rl_tls_pkey = NULL; } - if (rlay->rl_ssl_cacertx509 != NULL) { - X509_free(rlay->rl_ssl_cacertx509); - rlay->rl_ssl_cacertx509 = NULL; + if (rlay->rl_tls_cacertx509 != NULL) { + X509_free(rlay->rl_tls_cacertx509); + rlay->rl_tls_cacertx509 = NULL; } - if (rlay->rl_ssl_capkey != NULL) { - EVP_PKEY_free(rlay->rl_ssl_capkey); - rlay->rl_ssl_capkey = NULL; + if (rlay->rl_tls_capkey != NULL) { + EVP_PKEY_free(rlay->rl_tls_capkey); + rlay->rl_tls_capkey = NULL; } if (rlay->rl_ssl_ctx != NULL) diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index c983660146d..e570fc80c32 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.152 2014/11/07 13:48:06 jsing Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.153 2014/12/12 10:05:09 reyk Exp $ .\" .\" Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org> 
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 7 2014 $ +.Dd $Mdocdate: December 12 2014 $ .Dt RELAYD.CONF 5 .Os .Sh NAME @@ -51,7 +51,7 @@ Redirections are translated to rdr-to rules for stateful forwarding to a target host from a health-checked table on layer 3. .It Sy Relays -Relays allow application layer load balancing, SSL acceleration, and +Relays allow application layer load balancing, TLS acceleration, and general purpose TCP proxying on layer 7. .It Sy Protocols Protocols are predefined settings and filter rules for relays. @@ -277,7 +277,7 @@ HTTP/1.1 200 OK .Op Ic host Ar hostname .Ic code Ar number .Xc -This has the same effect as above but wraps the HTTP request in SSL. +This has the same effect as above but wraps the HTTP request in TLS. .It Xo .Ic check http Ar path .Op Ic host Ar hostname @@ -313,7 +313,7 @@ a9993e36476816aba3e25717850c26c9cd0d89d .Op Ic host Ar hostname .Ic digest Ar string .Xc -This has the same effect as above but wraps the HTTP request in SSL. +This has the same effect as above but wraps the HTTP request in TLS. .It Ic check icmp Ping hosts in this table to determine whether they are up or not. This method will automatically use ICMP or ICMPV6 depending on the @@ -338,7 +338,7 @@ milliseconds. .Ar data .Ic expect .Ar pattern -.Op Ic ssl +.Op Ic tls .Xc For each host in the table, a TCP connection is established on the port specified, then 
@@ -356,13 +356,13 @@ read. This can be useful with protocols that output a banner like SMTP, NNTP, and FTP. If the -.Ic ssl +.Ic tls keyword is present, -the transaction will occur in an SSL tunnel. -.It Ic check ssl -Perform a complete SSL handshake with each host to check their availability. +the transaction will occur in an TLS tunnel. .It Ic check tcp Use a simple TCP connect to check that hosts are up. +.It Ic check tls +Perform a complete TLS handshake with each host to check their availability. .El .Pp The following general table options are available: @@ -544,7 +544,7 @@ A relay is also called an application layer gateway or layer 7 proxy. .Pp The main purpose of a relay is to provide advanced load balancing functionality based on specified protocol characteristics, such as -HTTP headers, to provide SSL acceleration and to allow +HTTP headers, to provide TLS acceleration and to allow basic handling of the underlying application protocol. .Pp The @@ -556,7 +556,7 @@ Start the relay but immediately close any accepted connections. .It Xo .Op Ic transparent .Ic forward -.Op Ic with ssl +.Op Ic with tls .Ic to .Ar address .Op Ic port Ar port @@ -574,8 +574,8 @@ keyword to enable fully-transparent mode; the source address of the client will be retained in this case. .Pp The -.Ic with ssl -directive enables client-side SSL mode to connect to the remote host. +.Ic with tls +directive enables client-side TLS mode to connect to the remote host. Verification of server certificates can be enabled by setting the .Ic ca file option in the protocol section. @@ -646,7 +646,7 @@ Like the previous directive, but for redirections with rdr-to in .It Xo .Ic listen on Ar address .Op Ic port Ar port -.Op Ic ssl +.Op Ic tls .Xc Specify the address and port for the relay to listen on. The relay will accept incoming connections to the specified address. 
@@ -657,9 +657,9 @@ option is not specified, the port from the directive will be used. .Pp If the -.Ic ssl +.Ic tls keyword is present, the relay will accept connections using the -encrypted SSL protocol. +encrypted TLS protocol. The relay will attempt to look up a private key in .Pa /etc/ssl/private/address:port.key and a public certificate in @@ -675,7 +675,7 @@ and .Pa /etc/ssl/address.crt . See .Xr ssl 8 -for details about SSL server certificates. +for details about SSL/TLS server certificates. .It Ic protocol Ar name Use the specified protocol definition for the relay. The generic TCP protocol options will be used by default; 
@@ -687,54 +687,53 @@ Specify the inactivity timeout in seconds for accepted sessions. The default timeout is 600 seconds (10 minutes). The maximum is 2147483647 seconds (68 years). .El -.Sh SSL RELAYS +.Sh TLS RELAYS In addition to plain TCP, .Xr relayd 8 -supports the Secure Sockets Layer (SSL) and Transport Layer Security -(TLS) cryptographic protocols for authenticated and encrypted relays. -TLS is the successor of the original SSL protocol but the term SSL can -refer to either of the protocols in -.Nm . +supports the Transport Layer Security (TLS) cryptographic protocol for +authenticated and encrypted relays. +TLS is the successor of the original Secure Sockets Layer (SSL) protocol, +but the term SSL is sometimes still used in modern TLS-based applications. .Xr relayd 8 -can operate as an SSL client or server to offer a variety of options -for different use cases related to SSL. +can operate as an TLS client or server to offer a variety of options +for different use cases related to TLS. .Bl -tag -width Ds -.It Ic SSL client +.It Ic TLS client When configuring the relay .Ic forward statements with the -.Ic with ssl +.Ic with tls directive, .Xr relayd 8 -will enable client-side SSL to connect to the remote host. -This is commonly used for SSL tunneling and transparent encapsulation +will enable client-side TLS to connect to the remote host. +This is commonly used for TLS tunneling and transparent encapsulation of plain TCP connections. See the .Ic forward to description in the .Sx RELAYS section for more details. -.It Ic SSL server +.It Ic TLS server When specifying the -.Ic ssl +.Ic tls keyword in the relay .Ic listen statements, .Xr relayd 8 -will accept connections from clients as an SSL server. +will accept connections from clients as an TLS server. This mode is also known as -.Dq SSL acceleration . +.Dq SSL/TLS acceleration . See the .Ic listen on description in the .Sx RELAYS section for more details. 
-.It Ic SSL client and server -When combining both modes, SSL server and client, +.It Ic TLS client and server +When combining both modes, TLS server and client, .Xr relayd 8 -can filter SSL connections as a man-in-the-middle. +can filter TLS connections as a man-in-the-middle. This combined mode is also called -.Dq SSL inspection . +.Dq TLS inspection . The configuration requires additional X.509 certificate settings; see the .Ic ca key @@ -744,16 +743,16 @@ section for more details. .El .Pp When configured for -.Dq SSL inspection +.Dq TLS inspection mode, .Xr relayd 8 will listen for incoming connections which have been diverted to the local socket by PF. -Before accepting and negotiating the incoming SSL connection as a +Before accepting and negotiating the incoming TLS connection as a server, it will look up the original destination address on the -diverted socket, and pre-connect to the target server as an SSL client -to obtain the remote SSL certificate. -It will update or patch the obtained SSL certificate by replacing the +diverted socket, and pre-connect to the target server as an TLS client +to obtain the remote TLS certificate. +It will update or patch the obtained TLS certificate by replacing the included public key with its local server key because it doesn't have the private key of the remote server certificate. It also updates the X.509 issuer name to the local CA subject name and 
@@ -761,12 +760,12 @@ signs the certificate with its local CA key. This way it keeps all the other X.509 attributes that are already present in the server certificate, including the "green bar" extended validation attributes. -Now it finally accepts the SSL connection from the diverted client +Now it finally accepts the TLS connection from the diverted client using the updated certificate and continues to handle the connection and to connect to the remote server. .Sh PROTOCOLS Protocols are templates defining settings and rules for relays. -They allow setting generic TCP options, SSL settings, and rules +They allow setting generic TCP options, TLS settings, and rules for the selected application layer protocol. .Pp The protocol directive is available for a number of different @@ -784,7 +783,7 @@ replaces these IDs with random values to compensate for predictable values generated by some hosts. .It Ic http protocol Handle the HyperText Transfer Protocol -(HTTP, or "HTTPS" if encapsulated in an SSL tunnel). +(HTTP, or "HTTPS" if encapsulated in an TLS tunnel). .It Xo .Op Ic tcp .Ic protocol 
@@ -819,43 +818,88 @@ HTTP error pages, for example: body { background: #a00000; color: white; } .Ed .El -.It Ic ssl Ar option -Set the SSL options and session settings. -This is only used if SSL is enabled in the relay. +.It Ic tcp Ar option +Enable or disable the specified TCP/IP options; see +.Xr tcp 4 +and +.Xr ip 4 +for more information about the options. +Valid options are: +.Bl -tag -width Ds +.It Ic backlog Ar number +Set the maximum length the queue of pending connections may grow to. +The backlog option is 10 by default and is limited by the +.Ic kern.somaxconn +.Xr sysctl 8 +variable. +.It Ic ip minttl Ar number +This option for the underlying IP connection may be used to discard packets +with a TTL lower than the specified value. +This can be used to implement the +.Ar Generalized TTL Security Mechanism (GTSM) +according to RFC 5082. +.It Ic ip ttl Ar number +Change the default time-to-live value in the IP headers. +.It Xo +.Op Ic no +.Ic nodelay +.Xc +Enable the TCP NODELAY option for this connection. +This is recommended to avoid delays in the relayed data stream, +e.g. for SSH connections. +.It Xo +.Op Ic no +.Ic sack +.Xc +Use selective acknowledgements for this connection. +.It Ic socket buffer Ar number +Set the socket-level buffer size for input and output for this +connection. +This will affect the TCP window size. +.It Xo +.Op Ic no +.Ic splice +.Xc +Use socket splicing for zero-copy data transfer. +This option is enabled by default. +.El +.It Ic tls Ar option +Set the TLS options and session settings. +This is only used if TLS is enabled in the relay. Valid options are: .Bl -tag -width Ds .It Ic ca cert Ar path -Specify a CA certificate for SSL inspection. +Specify a CA certificate for TLS inspection. For more information, see the .Ic ca key option below. .It Ic ca file Ar path -This option enables CA verification in SSL client mode. +This option enables CA verification in TLS client mode. 
The daemon will load the CA (Certificate Authority) certificates from the specified path to verify the server certificates. .Ox provides a default CA bundle in .Pa /etc/ssl/cert.pem . .It Ic ca key Ar path Ic password Ar password -Specify a CA key for SSL inspection. +Specify a CA key for TLS inspection. The .Ar password argument will specify the password to decrypt the CA key (typically an RSA key). -This option will enable SSL inspection if the following conditions +This option will enable TLS inspection if the following conditions are true: .Pp .Bl -bullet -compact -offset indent .It -SSL client mode is enabled by the +TLS client mode is enabled by the .Ic listen directive: -.Ic listen on ... ssl . +.Ic listen on ... tls . .It -SSL server mode and divert lookups are enabled by the +TLS server mode and divert lookups are enabled by the .Ic forward directive: -.Ic forward with ssl to destination . +.Ic forward with tls to destination . .It The .Ic ca cert @@ -866,13 +910,13 @@ The option is specified. .El .It Ic ciphers Ar string -Set the string defining the SSL cipher suite. +Set the string defining the TLS cipher suite. If not specified, the default value .Ar HIGH:!aNULL will be used (strong crypto cipher suites without anonymous DH). See the CIPHERS section of .Xr openssl 1 -for information about SSL cipher suites and preference lists. +for information about SSL/TLS cipher suites and preference lists. .It Oo Ic no Oc Ic cipher-server-preference Prefer the server's cipher list over the client's preferences when choosing a cipher for the connection; 
@@ -908,18 +952,18 @@ Other possible values are numbers between 1024 and 8192, including or .Ar 8192 . Values higher than 1024 bits can cause incompatibilities with older -SSL clients. +TLS clients. .It Ic no edh Disable EDH support. This is the default. .It Ic session cache Ar value -Set the maximum size of the SSL session cache. +Set the maximum size of the TLS session cache. If the .Ar value -is zero, the default size defined by the SSL library will be used. +is zero, the default size defined by the TLS library will be used. A positive number will set the maximum size in bytes and the keyword .Ic disable -will disable the SSL session cache. +will disable the TLS session cache. .It Xo .Op Ic no .Ic sslv3 
@@ -956,51 +1000,6 @@ enabled by default. Disable the TLSv1.2 protocol; enabled by default. .El -.It Ic tcp Ar option -Enable or disable the specified TCP/IP options; see -.Xr tcp 4 -and -.Xr ip 4 -for more information about the options. -Valid options are: -.Bl -tag -width Ds -.It Ic backlog Ar number -Set the maximum length the queue of pending connections may grow to. -The backlog option is 10 by default and is limited by the -.Ic kern.somaxconn -.Xr sysctl 8 -variable. -.It Ic ip minttl Ar number -This option for the underlying IP connection may be used to discard packets -with a TTL lower than the specified value. -This can be used to implement the -.Ar Generalized TTL Security Mechanism (GTSM) -according to RFC 5082. -.It Ic ip ttl Ar number -Change the default time-to-live value in the IP headers. -.It Xo -.Op Ic no -.Ic nodelay -.Xc -Enable the TCP NODELAY option for this connection. -This is recommended to avoid delays in the relayed data stream, -e.g. for SSH connections. -.It Xo -.Op Ic no -.Ic sack -.Xc -Use selective acknowledgements for this connection. -.It Ic socket buffer Ar number -Set the socket-level buffer size for input and output for this -connection. -This will affect the TCP window size. -.It Xo -.Op Ic no -.Ic splice -.Xc -Use socket splicing for zero-copy data transfer. -This option is enabled by default. -.El .El .Sh FILTER RULES Relays have the ability to filter connections based @@ -1389,7 +1388,7 @@ Service name database. .It Pa /etc/ssl/address:port.crt .It Pa /etc/ssl/private/address.key .It Pa /etc/ssl/private/address:port.key -Location of the relay SSL server certificates, where +Location of the relay TLS server certificates, where .Ar address is the configured IP address and 
@@ -1444,7 +1443,7 @@ The following configuration would add a relay to forward secure HTTPS connections to a pool of HTTP webservers using the .Ic loadbalance -mode (SSL acceleration and layer 7 load balancing). +mode (TLS acceleration and layer 7 load balancing). The HTTP protocol definition will add two HTTP headers containing address information of the client and the server, set the .Dq Keep-Alive @@ -1453,7 +1452,7 @@ and include the .Dq sessid variable in the hash to calculate the target host: .Bd -literal -offset indent -http protocol "http_ssl" { +http protocol "https" { match header append "X-Forwarded-For" \e value "$REMOTE_ADDR" match header append "X-Forwarded-By" \e @@ -1466,12 +1465,12 @@ http protocol "http_ssl" { pass block path "/cgi-bin/index.cgi" value "*command=*" - ssl { no tlsv1.0, ciphers "HIGH" } + tls { no tlsv1.0, ciphers "HIGH" } } -relay "sslaccel" { - listen on www.example.com port 443 ssl - protocol "http_ssl" +relay "tlsaccel" { + listen on www.example.com port 443 tls + protocol "https" forward to \*(Ltphphosts\*(Gt port 8080 mode loadbalance check tcp } .Ed @@ -1497,9 +1496,9 @@ relay "sshforward" { .Ed .Pp The following relay example will configure -.Dq SSL inspection +.Dq TLS inspection as described in the -.Sx SSL RELAYS +.Sx TLS RELAYS section. To start, first generate a new local CA key and certificate: .Bd -literal -offset indent @@ -1507,7 +1506,7 @@ To start, first generate a new local CA key and certificate: -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt .Ed .Pp -An SSL server key and self-signed cert for 127.0.0.1 are also required; +An TLS server key and self-signed cert for 127.0.0.1 are also required; see .Ic listen on in the @@ -1521,7 +1520,7 @@ pass in on vlan1 inet proto tcp to port 443 \e divert-to localhost port 8443 .Ed .Pp -And finally configure the SSL inspection in +And finally configure the TLS inspection in .Nm : .Bd -literal -offset indent http protocol httpfilter { 
@@ -1531,15 +1530,15 @@ http protocol httpfilter { match label "Prohibited!" block url "social.network.example.com/" - # New configuration directives for SSL Interception - ssl ca key "/etc/ssl/private/ca.key" password "password123" - ssl ca cert "/etc/ssl/ca.crt" + # New configuration directives for SSL/TLS Interception + tls ca key "/etc/ssl/private/ca.key" password "password123" + tls ca cert "/etc/ssl/ca.crt" } -relay sslinspect { - listen on 127.0.0.1 port 8443 ssl +relay tlsinspect { + listen on 127.0.0.1 port 8443 tls protocol httpfilter - forward with ssl to destination + forward with tls to destination } .Ed .Pp @@ -1578,7 +1577,7 @@ and .An Reyk Floeter Aq Mt reyk@openbsd.org . .Sh CAVEATS .Xr relayd 8 -Verification of SSL server certificates is based on a static CA bundle +Verification of TLS server certificates is based on a static CA bundle and .Xr relayd 8 currently does not support CRLs (Certificate Revocation Lists). diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index 39eecf483c8..5a64b177913 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.197 2014/11/19 10:24:40 blambert Exp $ */ +/* $OpenBSD: relayd.h,v 1.198 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> @@ -49,7 +49,7 @@ #define SRV_NAME_SIZE 64 #define MAX_NAME_SIZE 64 #define SRV_MAX_VIRTS 16 -#define SSL_NAME_SIZE 512 +#define TLS_NAME_SIZE 512 #define FD_RESERVE 5 @@ -152,7 +152,8 @@ struct ctl_tcp_event { struct event ev; int (*validate_read)(struct ctl_tcp_event *); int (*validate_close)(struct ctl_tcp_event *); - SSL *ssl; + + SSL *ssl; /* libssl object */ }; enum direction { 
@@ -162,11 +163,11 @@ enum direction { RELAY_DIR_RESPONSE = 2 }; -enum sslreneg_state { - SSLRENEG_INIT = 0, /* first/next negotiation is allowed */ - SSLRENEG_ALLOW = 1, /* all (re-)negotiations are allowed */ - SSLRENEG_DENY = 2, /* next renegotiation must be denied */ - SSLRENEG_ABORT = 3 /* the connection should be aborted */ +enum tlsreneg_state { + TLSRENEG_INIT = 0, /* first/next negotiation is allowed */ + TLSRENEG_ALLOW = 1, /* all (re-)negotiations are allowed */ + TLSRENEG_DENY = 2, /* next renegotiation must be denied */ + TLSRENEG_ABORT = 3 /* the connection should be aborted */ }; struct ctl_relay_event { @@ -178,9 +179,10 @@ struct ctl_relay_event { struct ctl_relay_event *dst; struct rsession *con; - SSL *ssl; - X509 *sslcert; - enum sslreneg_state sslreneg_state; + SSL *ssl; /* libssl object */ + + X509 *tlscert; + enum tlsreneg_state tlsreneg_state; off_t splicelen; off_t toread; @@ -341,7 +343,7 @@ TAILQ_HEAD(addresslist, address); #define F_CHECK_DONE 0x00000100 #define F_ACTIVE_RULESET 0x00000200 #define F_CHECK_SENT 0x00000400 -#define F_SSL 0x00000800 +#define F_TLS 0x00000800 #define F_NATLOOK 0x00001000 #define F_DEMOTE 0x00002000 #define F_LOOKUP_PATH 0x00004000 
@@ -351,18 +353,18 @@ TAILQ_HEAD(addresslist, address); #define F_SNMP 0x00040000 #define F_NEEDPF 0x00080000 #define F_PORT 0x00100000 -#define F_SSLCLIENT 0x00200000 +#define F_TLSCLIENT 0x00200000 #define F_NEEDRT 0x00400000 #define F_MATCH 0x00800000 #define F_DIVERT 0x01000000 #define F_SCRIPT 0x02000000 -#define F_SSLINSPECT 0x04000000 +#define F_TLSINSPECT 0x04000000 #define F_BITS \ "\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \ "\10STICKY-ADDRESS\11CHECK_DONE\12ACTIVE_RULESET\13CHECK_SENT" \ - "\14SSL\15NAT_LOOKUP\16DEMOTE\17LOOKUP_PATH\20DEMOTED\21UDP" \ - "\22RETURN\23TRAP\24NEEDPF\25PORT\26SSL_CLIENT\27NEEDRT" \ + "\14TLS\15NAT_LOOKUP\16DEMOTE\17LOOKUP_PATH\20DEMOTED\21UDP" \ + "\22RETURN\23TRAP\24NEEDPF\25PORT\26TLS_CLIENT\27NEEDRT" \ "\30MATCH\31DIVERT\32SCRIPT" enum forwardmode { @@ -420,14 +422,14 @@ enum host_error { HCE_TCP_READ_FAIL, HCE_SCRIPT_OK, HCE_SCRIPT_FAIL, - HCE_SSL_CONNECT_ERROR, - HCE_SSL_CONNECT_FAIL, - HCE_SSL_CONNECT_OK, - HCE_SSL_CONNECT_TIMEOUT, - HCE_SSL_READ_TIMEOUT, - HCE_SSL_WRITE_TIMEOUT, - HCE_SSL_READ_ERROR, - HCE_SSL_WRITE_ERROR, + HCE_TLS_CONNECT_ERROR, + HCE_TLS_CONNECT_FAIL, + HCE_TLS_CONNECT_OK, + HCE_TLS_CONNECT_TIMEOUT, + HCE_TLS_READ_TIMEOUT, + HCE_TLS_WRITE_TIMEOUT, + HCE_TLS_READ_ERROR, + HCE_TLS_WRITE_ERROR, HCE_SEND_EXPECT_FAIL, HCE_SEND_EXPECT_OK, HCE_HTTP_CODE_ERROR, @@ -471,7 +473,7 @@ struct table { int up; int skipped; struct hostlist hosts; - SSL_CTX *ssl_ctx; + SSL_CTX *ssl_ctx; /* libssl context */ char *sendbuf; }; TAILQ_HEAD(tablelist, table); 
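Review bot: `F_BITS` still ends at `\32SCRIPT`, so the renamed `F_TLSINSPECT` bit (0x04000000, which would be `\33`) remains the only flag in this table without a name; if this string feeds a printb-style flag dumper, that flag is printed as an anonymous bit. The gap predates the commit, but the string is rewritten here and the fix is one token: `"\30MATCH\31DIVERT\32SCRIPT\33TLS_INSPECT"`. The `F_TLSCLIENT` rename and the `\26TLS_CLIENT` entry are consistent with each other (bit 0x00200000).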
@@ -638,27 +640,27 @@ TAILQ_HEAD(relay_rules, relay_rule); "\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" \ "\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE" -#define SSLFLAG_SSLV3 0x01 -#define SSLFLAG_TLSV1_0 0x02 -#define SSLFLAG_TLSV1_1 0x04 -#define SSLFLAG_TLSV1_2 0x08 -#define SSLFLAG_TLSV1 0x0e -#define SSLFLAG_VERSION 0x1f -#define SSLFLAG_CIPHER_SERVER_PREF 0x20 -#define SSLFLAG_CLIENT_RENEG 0x40 -#define SSLFLAG_DEFAULT \ - (SSLFLAG_TLSV1|SSLFLAG_CLIENT_RENEG) - -#define SSLFLAG_BITS \ +#define TLSFLAG_SSLV3 0x01 +#define TLSFLAG_TLSV1_0 0x02 +#define TLSFLAG_TLSV1_1 0x04 +#define TLSFLAG_TLSV1_2 0x08 +#define TLSFLAG_TLSV1 0x0e +#define TLSFLAG_VERSION 0x1f +#define TLSFLAG_CIPHER_SERVER_PREF 0x20 +#define TLSFLAG_CLIENT_RENEG 0x40 +#define TLSFLAG_DEFAULT \ + (TLSFLAG_TLSV1|TLSFLAG_CLIENT_RENEG) + +#define TLSFLAG_BITS \ "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \ "\06cipher-server-preference\07client-renegotiation" -#define SSLCIPHERS_DEFAULT "HIGH:!aNULL" -#define SSLECDHCURVE_DEFAULT NID_X9_62_prime256v1 +#define TLSCIPHERS_DEFAULT "HIGH:!aNULL" +#define TLSECDHCURVE_DEFAULT NID_X9_62_prime256v1 -#define SSLDHPARAMS_NONE 0 -#define SSLDHPARAMS_DEFAULT 0 -#define SSLDHPARAMS_MIN 1024 +#define TLSDHPARAMS_NONE 0 +#define TLSDHPARAMS_DEFAULT 0 +#define TLSDHPARAMS_MIN 1024 struct protocol { objid_t id; @@ -668,14 +670,14 @@ struct protocol { int tcpbacklog; u_int8_t tcpipttl; u_int8_t tcpipminttl; - u_int8_t sslflags; - char sslciphers[768]; - int ssldhparams; - int sslecdhcurve; - char sslca[MAXPATHLEN]; - char sslcacert[MAXPATHLEN]; - char sslcakey[MAXPATHLEN]; - char *sslcapass; + u_int8_t tlsflags; + char tlsciphers[768]; + int tlsdhparams; + int tlsecdhcurve; + char tlsca[MAXPATHLEN]; + char tlscacert[MAXPATHLEN]; + char tlscakey[MAXPATHLEN]; + char *tlscapass; char name[MAX_NAME_SIZE]; int cache; enum prototype type; 
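Review bot: `TLSFLAG_SSLV3` now names an SSL protocol bit under the TLS prefix and `TLSFLAG_BITS` keeps the `sslv3` keyword, while the commit message says SSL protocol support is effectively disabled, so a reader of this header cannot tell whether setting the bit still does anything. `TLSFLAG_DEFAULT` excludes it (`TLSFLAG_TLSV1` is 0x0e, the three tlsv1 bits only) and turns on `TLSFLAG_CLIENT_RENEG`, and neither fact is stated next to the definitions. A comment on the block would settle both: `/* default: TLSv1.0-1.2 plus client renegotiation; the sslv3 bit is outside the default */` — whether the sslv3 bit is accepted but ignored is inferred and should be confirmed against the parser and the relay code.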
@@ -726,13 +728,13 @@ struct relay_config { struct sockaddr_storage dstaf; struct timeval timeout; enum forwardmode fwdmode; - off_t ssl_cert_len; - off_t ssl_key_len; - objid_t ssl_keyid; - off_t ssl_ca_len; - off_t ssl_cacert_len; - off_t ssl_cakey_len; - objid_t ssl_cakeyid; + off_t tls_cert_len; + off_t tls_key_len; + objid_t tls_keyid; + off_t tls_ca_len; + off_t tls_cacert_len; + off_t tls_cakey_len; + objid_t tls_cakeyid; }; struct relay { @@ -752,21 +754,17 @@ struct relay { struct event rl_ev; struct event rl_evt; - SSL_CTX *rl_ssl_ctx; - - char *rl_ssl_cert; - X509 *rl_ssl_x509; - - char *rl_ssl_key; - EVP_PKEY *rl_ssl_pkey; - - char *rl_ssl_ca; - - char *rl_ssl_cacert; - X509 *rl_ssl_cacertx509; - - char *rl_ssl_cakey; - EVP_PKEY *rl_ssl_capkey; + SSL_CTX *rl_ssl_ctx; /* libssl context */ + + char *rl_tls_cert; + X509 *rl_tls_x509; + char *rl_tls_key; + EVP_PKEY *rl_tls_pkey; + char *rl_tls_ca; + char *rl_tls_cacert; + X509 *rl_tls_cacertx509; + char *rl_tls_cakey; + EVP_PKEY *rl_tls_capkey; struct ctl_stats rl_stats[RELAY_MAXPROC + 1]; diff --git a/usr.sbin/relayd/ssl.c b/usr.sbin/relayd/ssl.c index ace19c4fbce..93f7b1e40ea 100644 --- a/usr.sbin/relayd/ssl.c +++ b/usr.sbin/relayd/ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.25 2014/07/10 12:50:05 jsg Exp $ */ +/* $OpenBSD: ssl.c,v 1.26 2014/12/12 10:05:09 reyk Exp $ */ /* * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org> @@ -51,13 +51,13 @@ ssl_read(int s, short event, void *arg) char rbuf[SMALL_READ_BUF_SIZE]; struct ctl_tcp_event *cte = arg; int retry_flag = EV_READ; - int ssl_err = 0; + int tls_err = 0; int ret; if (event == EV_TIMEOUT) { cte->host->up = HOST_DOWN; ssl_cleanup(cte); - hce_notify_done(cte->host, HCE_SSL_READ_TIMEOUT); + hce_notify_done(cte->host, HCE_TLS_READ_TIMEOUT); return; } 
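Review bot: The local renamed to `tls_err` holds the value returned by `SSL_get_error()` on the libssl `SSL *` that this same commit documents as a `/* libssl object */` in relayd.h, so the libssl-vs-TLS naming split the commit introduces is not applied consistently here; keeping `ssl_err` would match that convention, and the same applies to the `tls_err` renames in the ssl_write and ssl_connect hunks that follow. The `HCE_TLS_*` constants are relayd's own names and do belong in the TLS namespace. ssl_read's body starts before and continues after this hunk.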
@@ -65,8 +65,8 @@ ssl_read(int s, short event, void *arg) ret = SSL_read(cte->ssl, rbuf, sizeof(rbuf)); if (ret <= 0) { - ssl_err = SSL_get_error(cte->ssl, ret); - switch (ssl_err) { + tls_err = SSL_get_error(cte->ssl, ret); + switch (tls_err) { case SSL_ERROR_WANT_READ: retry_flag = EV_READ; goto retry; @@ -87,7 +87,7 @@ ssl_read(int s, short event, void *arg) cte->host->up = HOST_DOWN; ssl_error(cte->host->conf.name, "cannot read"); ssl_cleanup(cte); - hce_notify_done(cte->host, HCE_SSL_READ_ERROR); + hce_notify_done(cte->host, HCE_TLS_READ_ERROR); break; } return; @@ -114,14 +114,14 @@ ssl_write(int s, short event, void *arg) { struct ctl_tcp_event *cte = arg; int retry_flag = EV_WRITE; - int ssl_err = 0; + int tls_err = 0; int len; int ret; if (event == EV_TIMEOUT) { cte->host->up = HOST_DOWN; ssl_cleanup(cte); - hce_notify_done(cte->host, HCE_SSL_WRITE_TIMEOUT); + hce_notify_done(cte->host, HCE_TLS_WRITE_TIMEOUT); return; } @@ -129,8 +129,8 @@ ssl_write(int s, short event, void *arg) ret = SSL_write(cte->ssl, cte->table->sendbuf, len); if (ret <= 0) { - ssl_err = SSL_get_error(cte->ssl, ret); - switch (ssl_err) { + tls_err = SSL_get_error(cte->ssl, ret); + switch (tls_err) { case SSL_ERROR_WANT_READ: retry_flag = EV_READ; goto retry; @@ -141,7 +141,7 @@ ssl_write(int s, short event, void *arg) cte->host->up = HOST_DOWN; ssl_error(cte->host->conf.name, "cannot write"); ssl_cleanup(cte); - hce_notify_done(cte->host, HCE_SSL_WRITE_ERROR); + hce_notify_done(cte->host, HCE_TLS_WRITE_ERROR); return; } } 
@@ -161,20 +161,20 @@ ssl_connect(int s, short event, void *arg) { struct ctl_tcp_event *cte = arg; int retry_flag = 0; - int ssl_err = 0; + int tls_err = 0; int ret; if (event == EV_TIMEOUT) { cte->host->up = HOST_DOWN; - hce_notify_done(cte->host, HCE_SSL_CONNECT_TIMEOUT); + hce_notify_done(cte->host, HCE_TLS_CONNECT_TIMEOUT); ssl_cleanup(cte); return; } ret = SSL_connect(cte->ssl); if (ret <= 0) { - ssl_err = SSL_get_error(cte->ssl, ret); - switch (ssl_err) { + tls_err = SSL_get_error(cte->ssl, ret); + switch (tls_err) { case SSL_ERROR_WANT_READ: retry_flag = EV_READ; goto retry; @@ -184,7 +184,7 @@ ssl_connect(int s, short event, void *arg) default: cte->host->up = HOST_DOWN; ssl_error(cte->host->conf.name, "cannot connect"); - hce_notify_done(cte->host, HCE_SSL_CONNECT_FAIL); + hce_notify_done(cte->host, HCE_TLS_CONNECT_FAIL); ssl_cleanup(cte); return; } @@ -192,7 +192,7 @@ ssl_connect(int s, short event, void *arg) if (cte->table->conf.check == CHECK_TCP) { cte->host->up = HOST_UP; - hce_notify_done(cte->host, HCE_SSL_CONNECT_OK); + hce_notify_done(cte->host, HCE_TLS_CONNECT_OK); ssl_cleanup(cte); return; } @@ -275,7 +275,7 @@ ssl_transaction(struct ctl_tcp_event *cte) cte->host->up = HOST_UNKNOWN; ssl_error(cte->host->conf.name, "cannot set fd"); ssl_cleanup(cte); - hce_notify_done(cte->host, HCE_SSL_CONNECT_ERROR); + hce_notify_done(cte->host, HCE_TLS_CONNECT_ERROR); return; } SSL_set_connect_state(cte->ssl); @@ -367,7 +367,7 @@ X509 * ssl_update_certificate(X509 *oldcert, EVP_PKEY *pkey, EVP_PKEY *capkey, X509 *cacert) { - char name[2][SSL_NAME_SIZE]; + char name[2][TLS_NAME_SIZE]; X509 *cert = NULL; name[0][0] = name[1][0] = '\0'; |
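Review bot: On EV_TIMEOUT this hunk calls `hce_notify_done()` before `ssl_cleanup()`, whereas the timeout paths in ssl_read and ssl_write above run `ssl_cleanup()` first and then notify; the reversed order also appears in the `@@ -184` and `@@ -192` hunks of ssl_connect. Both orders predate the commit, but every one of these lines is touched here, so it is the natural moment to settle on one; if `ssl_cleanup()` releases anything that `hce_notify_done()` reads through `cte->host`, the order is not merely cosmetic — ssl_cleanup is not visible from here, so that needs checking. ssl_connect's body continues past the end of the hunk.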