authorreyk <reyk@openbsd.org>2019-05-31 15:25:57 +0000
committerreyk <reyk@openbsd.org>2019-05-31 15:25:57 +0000
commit3ca2f577f7d01b399b970b04c824c533217b4751 (patch)
treecd1d6a49678b6de83f41c9f955694c2121a23ee9 /usr.sbin/relayd/config.c
parentMove the relay keys/certs into a separate global list and look them up by id. (diff)
Add support for SNI with new "tls keypair" option to load additional certs.
Tested by many (thanks!) Feedback & OK rob@
Diffstat (limited to 'usr.sbin/relayd/config.c')
-rw-r--r--usr.sbin/relayd/config.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/usr.sbin/relayd/config.c b/usr.sbin/relayd/config.c
index 9b71565d956..50b03744b72 100644
--- a/usr.sbin/relayd/config.c
+++ b/usr.sbin/relayd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.37 2019/05/31 15:15:37 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.38 2019/05/31 15:25:57 reyk Exp $ */
/*
* Copyright (c) 2011 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -104,6 +104,7 @@ config_init(struct relayd *env)
env->sc_proto_default.tcpflags = TCPFLAG_DEFAULT;
env->sc_proto_default.tcpbacklog = RELAY_BACKLOG;
env->sc_proto_default.tlsflags = TLSFLAG_DEFAULT;
+ TAILQ_INIT(&env->sc_proto_default.tlscerts);
(void)strlcpy(env->sc_proto_default.tlsciphers,
TLSCIPHERS_DEFAULT,
sizeof(env->sc_proto_default.tlsciphers));
@@ -146,6 +147,7 @@ config_purge(struct relayd *env, u_int reset)
struct netroute *nr;
struct router *rt;
struct ca_pkey *pkey;
+ struct keyname *keyname;
u_int what;
what = ps->ps_what[privsep_process] & reset;
@@ -191,6 +193,12 @@ config_purge(struct relayd *env, u_int reset)
free(proto->style);
free(proto->tlscapass);
free(proto);
+ while ((keyname =
+ TAILQ_FIRST(&proto->tlscerts)) != NULL) {
+ TAILQ_REMOVE(&proto->tlscerts, keyname, entry);
+ free(keyname->name);
+ free(keyname);
+ }
}
env->sc_protocount = 0;
}
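Review bot: The added `while` loop in config_purge reads `proto->tlscerts` after the context line `free(proto);` directly above it has already released `proto`, so `TAILQ_FIRST(&proto->tlscerts)` and `TAILQ_REMOVE(&proto->tlscerts, keyname, entry)` operate on freed memory. That is a use-after-free in the purge path: depending on what the allocator has done with the chunk, the list head is stale or junk, and the keyname entries are either leaked or freed through a bogus pointer. The loop should run while `proto` is still live, i.e. move the whole `while (...) { ... }` block above `free(proto->style);` so that `free(proto);` remains the last statement for that protocol. The enclosing loop over the protocols and the start of config_purge are outside this hunk, so the exact placement should be checked against the full function.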
@@ -696,6 +704,7 @@ config_getproto(struct relayd *env, struct imsg *imsg)
}
TAILQ_INIT(&proto->rules);
+ TAILQ_INIT(&proto->tlscerts);
proto->tlscapass = NULL;
TAILQ_INSERT_TAIL(env->sc_protos, proto, entry);