path: root/usr.sbin/relayd/relay.c (follow)

Commit log (author, date (files changed, lines removed/added): commit message)
* benno, 2021-03-24 (1 file, -2/+2): Responses to HEAD requests must not have a message body (even though they have a Content-Length header). HTTP RFC 7231 section 4.3.2. found by niklas@, claudio@ agrees.
* eric, 2021-01-27 (1 file, -26/+8): remove bogus key hack now that it's handled by libtls. no objection claudio@ ok tb@ jsing@
* denis, 2021-01-09 (1 file, -3/+8): Add 'strip' directive. Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa OK benno@
* pvk, 2020-05-14 (1 file, -1/+3): Enable TLSv1.3 support in relayd(8) with the help from tb@ jsing@; ok tb@
* chrisz, 2019-07-13 (1 file, -2/+3): Don't "forward to <table>" when a "forward to destination" address is set. This matches the documented behaviour. On matching "forward to <table>" filter rules the "forward to destination" address is unset, so that in that case the "forward to <table>" rule is still used. OK benno@, regression tests still passing.
* deraadt, 2019-06-28 (1 file, -3/+3): When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* reyk, 2019-06-26 (1 file, -5/+17): Add support for OCSP stapling. Many thanks to Bruno Flueckiger who independently sent a very similar patch. He also tested the one I'm committing that it works as expected. OK tb@
* reyk, 2019-05-31 (1 file, -27/+43): Move the relay keys/certs into a separate global list and look them up by id. Moving the certs out of the relay struct will help to add multiple SNI certs. Tested by many users (thanks!) Feedback & OK rob@
* reyk, 2019-05-29 (1 file, -101/+1): Move relay_load_*() functions into relayd.c. Pass the *env as an explicit argument instead of using the global pointer: The relay_load_certfiles() function is called early before the *env is set up. This does not change anything in the current code as *env is not used by anything in the function (not even ssl_load_key() that is taking it as an argument) but it will be needed by upcoming changes for SNI. Ok rob@
* reyk, 2019-05-13 (1 file, -19/+49): Fix filter rules with "forward to" statement in persistent connections. OK bentley@ mikeb@
* reyk, 2019-05-10 (1 file, -15/+33): Add support for from/to in relay filter rules. For example:
    pass from 10.0.0.0/8 path "/hello/*" forward to <b>
  Ok benno@
* reyk, 2019-05-08 (1 file, -8/+2): Fix and tweak websocket upgrade handling.
  - Don't expect the Connection header to equal Upgrade, it may include Upgrade
  - Reshuffle the code to check the Upgrade/Connection headers in one place
  Reported and tested by Rivo Nurges OK and input from benno@
* benno, 2019-03-04 (1 file, -2/+8): Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
* reyk, 2018-09-19 (1 file, -1/+9): Do not abort when the ca privenc runs into a timeout. OK claudio@
* benno, 2018-08-06 (1 file, -41/+52): replace the current log options
    log updates|all
  with
    log state changes
    log host checks
    log connection [errors]
  The first two control the logging of host check results: either changes in host state only or all checks. The third option controls logging of connections in relay mode: Either log all connections, or only errors. Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog. ok and feedback from claudio@
* benno, 2018-06-10 (1 file, -5/+9): When a TLS error occurs, print the tls_error() message as part of the connection closed log message, not just as debug message. ok claudio@ reyk@
* claudio, 2018-04-18 (1 file, -3/+2): Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays to 1024 sessions per process (esp. with keep-alive). Now the fd limit is the new maximum and relayd will make sure to not accept too many sessions. The tcp backlog config maximum is now 512, adjust manpage accordingly. OK benno@ deraadt@
* benno, 2017-12-27 (1 file, -6/+17): log specific error when connect() fails. ok claudio@, feedback bluhm@
* claudio, 2017-11-28 (1 file, -27/+37): Introduce relay_reset_event() which closes and resets a relay connection. Currently this is only used by relay_close() but will be needed in near future. OK benno@
* claudio, 2017-11-28 (1 file, -4/+5): In TLS inspection mode we also need to keep the server tls object around. For this we need to add an additional pointer to the ctl_relay_event. Diff from Petri Mikkila (pmikkila at gmail) OK benno@
* claudio, 2017-11-28 (1 file, -2/+2): Add space between to and read like in other DPRINTFs.
* claudio, 2017-11-27 (1 file, -4/+4): Change the ecdhe curve configuration to the same way httpd is doing it. This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default. The code uses now tls_config_set_ecdhecurves(3) so it is possible to specify multiple curves now. If people specified curves in their config they need to adjust their config now. OK beck@
* claudio, 2017-11-27 (1 file, -4/+5): lseek/read is racy when there are multiple consumers. Use pread instead. Solves the startup issues seen by bluhm@. pread idea from guenther@. While there save the errno in the error case. OK bluhm@
* claudio, 2017-11-27 (1 file, -1/+3): Add a DPRINTF() in relay_error() that helped me out way too many times.
* claudio, 2017-11-27 (1 file, -34/+55): Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
* claudio, 2017-11-27 (1 file, -7/+8): Do not rip out the output buffer of the bufferevent. Instead just use an initial bufferevent_write_buffer() to write out the queued up HTTP request. OK benno@
* claudio, 2017-11-27 (1 file, -1/+4): relay_tls_connected() is playing with the inner bowels of bufferevents. Be more careful and remove the events before resetting them to the new backends. This is also what some of the bufferevent functions are doing. OK benno@
* bluhm, 2017-09-23 (1 file, -3/+5): The relayd regression tests for chunked HTTP traffic were failing sporadically. If the \r and \n were read in separate chunks, relayd got out of sync with the protocol as they were interpreted as two lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of evbuffer_readline(). OK benno@
* bluhm, 2017-08-28 (1 file, -4/+4): Do not close the relay if data is still in the output buffer. Otherwise data not written could get lost. Also try to drain the buffers when socket splicing should be enabled. The latter was lost when the explicit bufferevent_enable() was added in relay_write(). bug report, analysis, initial fix, testing Rivo Nurges; OK beck@
* claudio, 2017-08-09 (1 file, -1/+4): Call tls_config_skip_private_key_check() to disable the key checking in the inspect case (same is done in the regular server mode). OK bluhm@ and jsing@
* bluhm, 2017-07-30 (1 file, -4/+3): Fix a double free of the TLS config in the error path. OK claudio@
* bluhm, 2017-07-28 (1 file, -3/+7): Always calculate the hash value of the x509 cert in ssl_load_pkey(). Check whether TLS server object is available before using it. With these fixes the ssl inspect regress test just fails and does not crash relayd. OK claudio@
* benno, 2017-07-04 (1 file, -3/+3): make relayd not crash in relay_udp_server() when using a dns relay. needs revisiting. From Rivo Nurges, thanks. ok florian@
* benno, 2017-05-28 (1 file, -20/+20): use __func__ in log messages. fix some whitespace while here. From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks! ok florian, claudio
* claudio, 2017-05-27 (1 file, -475/+338): Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
* reyk, 2017-02-02 (1 file, -61/+5): Disable client-initiated TLS renegotiation by default. It is rarely needed and imposes a light DoS risk. LibreSSL's libssl allows to turn it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION option instead of the complicated implementation that was used before. It now turns it off completely instead of allowing one initial client-initiated renegotiation. It can still be enabled with "tls client-renegotiation". ok benno@ beck@ jsing@
* reyk, 2017-01-09 (1 file, -4/+2): Stop accessing verbose and debug variables from log.c directly. This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose(). Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
* jca, 2016-11-10 (1 file, -7/+25): Fix tcp ip ttl / minttl on IPv6 sockets. ok florian@
* benno, 2016-09-29 (1 file, -2/+2): fix DEBUG build after ps->ps_instance change. ok reyk@ bluhm@
* reyk, 2016-09-26 (1 file, -3/+3): spacing
* jsg, 2016-09-23 (1 file, -6/+10): use sizeof instead of constant 16 in function calls. suggested by and ok reyk@
* jsg, 2016-09-22 (1 file, -5/+5): Change function arguments from "unsigned char keyname[16]" to "unsigned char *keyname" to make it clear that an array size can not be inferred. Suggested by millert@
* jsg, 2016-09-22 (1 file, -3/+3): correct invalid use of sizeof. ok krw@ millert@ claudio@
* reyk, 2016-09-02 (1 file, -8/+10): Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts. With input from and OK claudio@ benno@
* reyk, 2016-09-02 (1 file, -10/+12): proc_id has been replaced by ps->ps_instance. OK claudio@
* reyk, 2016-09-02 (1 file, -4/+1): As done in httpd, remove ps_ninstances and p_instance. OK benno@ rzalamena@
* reyk, 2016-09-02 (1 file, -6/+3): Terminate relayd using the socket status instead of watching SIGCHLD or killing child processes. Based on rzalamena@'s diff for httpd. OK deraadt@ rzalamena@
* claudio, 2016-09-01 (1 file, -18/+86): Switch from the not really working session cache (because of the multiprocess nature of relayd) to tls session tickets to do TLS session resumption. TLS session tickets do not need to store SSL session data in the server but instead send an encrypted ticket to the clients that allows to resume the session. This is mostly stateless (apart from the encryption keys). relayd now ensures that all relay processes use the same key to encrypt the tickets. Keys are rotated every 2h and there is a primary and backup key. The tls session timeout is set to 2h to hint to the clients how long the session tickets are supposed to be alive. Input and OK benno@, reyk@
* benno, 2015-12-30 (1 file, -5/+3): SSL_CTX_free() and SSL_free() check for null so don't do it in relayd. ok jung@ tedu@ deraadt@
* mmcc, 2015-12-24 (1 file, -2/+2): completly -> completely