mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00
Commit Graph

260 Commits

Author SHA1 Message Date
tb
92388deed9 relayd: add support for client certificates
This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.

From Sören Tempel, mostly based on Asherah's latest patch.

ok florian tb
2024-10-28 19:56:18 +00:00
claudio
a1416996f1 Use imsg_get_fd()
As usual proc_forward_imsg() is never forwarding a file descriptor so
just use -1 there. This should be replaced by imsg_forward().
All other changes are simple conversions.

OK tb@
2024-01-17 10:01:24 +00:00
kn
f71e4cb7a7 Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last
ten years, "ssl" is now an error.

Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.

OK benno
2023-10-29 11:27:11 +00:00
nicm
5b9b6c6b8b Use EVBUFFER_DATA instead of reaching into struct evbuffer. ok tb 2023-09-03 10:22:03 +00:00
beck
3cf4eea4fe Make the tlsv1.0 and tlsv1.1 options in relayd do nothing
Also document that fact, and that the existing ssl3 option
does nothing. This changes relayd to no longer request tls1.0
or tls1.1 in preparation for the upcoming deprecation of these
out of date protocols

ok jsing@ bluhm@ tb@ claudio@ benno@
2023-06-06 15:16:52 +00:00
jmc
3a50f0a93a spelling fixes; from paul tagliamonte
any parts of his diff not taken are noted on tech
2022-12-28 21:30:15 +00:00
benno
53e8df0d32 Responses to HEAD requests must not have a message body (even though they have
a Content-Length header).  HTTP RFC 7231 section 4.3.2.
found by niklas@, claudio@ agrees.
2021-03-24 20:59:53 +00:00
eric
a825c52d3c remove bogus key hack now that it's handled by libtls
no objection claudio@
ok tb@ jsing@
2021-01-27 20:33:05 +00:00
denis
eeb1fea4ac Add 'strip' directive
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa

OK benno@
2021-01-09 08:53:57 +00:00
pvk
b06d93a473 Enable TLSv1.3 support in relayd(8)
with the help from tb@ jsing@; ok tb@
2020-05-14 17:27:38 +00:00
chrisz
053cc50ec2 Don't "forward to <table>" when a "forward to destination" address is set.
This matches the documented behaviour.
On matching "forward to <table>" filter rules the "forward to destination"
address is unset, so that in that case the "forward to <table>" rule is still
used.

OK benno@, regression tests still passing.
2019-07-13 06:53:00 +00:00
deraadt
df69c215c7 When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
2019-06-28 13:32:41 +00:00
reyk
31604b98e1 Add support for OCSP stapling
Many thanks to Bruno Flueckiger who independently sent a very similar
patch.  He also tested the one I'm committing that it works as
expected.

OK tb@
2019-06-26 12:13:47 +00:00
reyk
f2f4e153a1 Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.

Tested by many users (thanks!)

Feedback & OK rob@
2019-05-31 15:15:37 +00:00
reyk
e938bb13cf Move relay_load_*() functions into relayd.c
Pass the *env as an explicit argument instead of using the global
pointer: The relay_load_certfiles() function is called early before
the *env is set up.  This does not change anything in the current code
as *env is not used by anything in the function (not even
ssl_load_key() that is taking it as an argument) but it will be needed
by upcoming changes for SNI.

Ok rob@
2019-05-29 11:48:28 +00:00
reyk
65f47834f1 Fix filter rules with "forward to" statement in persistent connections.
OK bentley@ mikeb@
2019-05-13 09:54:07 +00:00
reyk
860302f361 Add support for from/to in relay filter rules.
For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>

Ok benno@
2019-05-10 09:15:00 +00:00
reyk
a168ef1a3e Fix and tweak websocket upgrade handling.
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place

Reported and tested by Rivo Nurges

OK and input from benno@
Cvs: ----------------------------------------------------------------------
2019-05-08 23:22:19 +00:00
benno
e7742cb1e5 Support for rfc 6455 Websockets connection upgrade. Add a new protocol
option 'http { [no] websockets }' to allow such connections (default
is no).  Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me.  suggestions and ok bluhm@ and earlier
diff claudio@
2019-03-04 21:25:03 +00:00
reyk
917ba595c7 Do not abort when the ca privenc runs into a timeout.
OK claudio@
2018-09-19 11:28:02 +00:00
benno
0be9d00a7c replace the current log options
log updates|all

with

 log state changes
 log host checks
 log connection [errors]

The first two control the logging of host check results: either changes in host state only or
all checks.

The third option controls logging of connections in relay mode:
Either log all connections, or only errors.

Additionally, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.

ok and feedback from claudio@
2018-08-06 17:31:31 +00:00
benno
4b9f9c909a When a TLS error occurs, print the tls_error() message as part of the
connection closed log message, not just as debug message.

ok claudio@ reyk@
2018-06-10 20:41:47 +00:00
claudio
ea42f25a15 Remove RELAY_MAX_SESSIONS from relayd, there is no reason to limit relays
to 1024 sessions per process (esp. with keep-alive). Now the fd limit is
the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@
2018-04-18 12:10:54 +00:00
benno
e432967ff7 log specific error when connect() fails.
ok claudio@, feedback bluhm@
2017-12-27 15:53:30 +00:00
claudio
13561b2de0 Introduce relay_reset_event() which closes and resets a relay connection.
Currently this is only used by relay_close() but will be needed in near
future.
OK benno@
2017-11-28 01:51:47 +00:00
claudio
b0d8ea5fba In TLS inspection mode we also need to keep the server tls object around.
For this we need to add an additional pointer to the ctl_relay_event.
Diff from Petri Mikkila (pmikkila at gmail)
OK benno@
2017-11-28 01:24:22 +00:00
claudio
a96a565eb5 Add space between to and read like in other DPRINTFs. 2017-11-28 00:17:56 +00:00
claudio
353c00bc7c Change the ecdhe curve configuration to the same way httpd is doing it.
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code now uses tls_config_set_ecdhecurves(3) so it is possible to
specify multiple curves now. If people specified curves in their config
they need to adjust their config now.
OK beck@
2017-11-27 23:21:16 +00:00
claudio
e513baa25b lseek/read is racy when there are multiple consumers. Use pread instead.
Solves the startup issues seen by bluhm@. pread idea from guenther@.
While there save the errno in the error case.
OK bluhm@
2017-11-27 23:04:26 +00:00
claudio
ce7520d060 Add a DPRINTF() in relay_error() that helped me out way too many times. 2017-11-27 21:09:55 +00:00
claudio
114ce177d2 Use file descriptor passing to load certificates into the relays. Especially
the ca file (having all the trusted certs in them) can be so big that loading
via imsg fails.
OK beck@
2017-11-27 21:06:25 +00:00
claudio
9fe0157e24 Do not rip out the output buffer of the bufferevent. Instead just use an
initial bufferevent_write_buffer() to write out the queued up HTTP request.
OK benno@
2017-11-27 17:35:49 +00:00
claudio
8256902949 relay_tls_connected() is playing with the inner bowels of bufferevents.
Be more careful and remove the events before resetting them to the new
backends. This is also what some of the bufferevent functions are doing.
OK benno@
2017-11-27 03:40:04 +00:00
bluhm
536becf694 The relayd regression tests for chunked HTTP traffic were failing
sporadically.  If the \r and \n were read in separate chunks, relayd
got out of sync with the protocol as they were interpreted as two
lines.  Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of
evbuffer_readline().
OK benno@
2017-09-23 11:56:57 +00:00
bluhm
adb5490d1d Do not close the relay if data is still in the output buffer.
Otherwise data not written could get lost.  Also try to drain the
buffers when socket splicing should be enabled.  The latter was
lost when the explicit bufferevent_enable() was added in relay_write().
bug report, analysis, initial fix, testing Rivo Nurges; OK beck@
2017-08-28 17:31:00 +00:00
claudio
9cb375a5c6 Call tls_config_skip_private_key_check() to disable the key checking in
the inspect case (same is done in the regular server mode).
OK bluhm@ and jsing@
2017-08-09 21:29:17 +00:00
bluhm
950709d296 Fix a double free of the TLS config in the error path.
OK claudio@
2017-07-30 09:33:08 +00:00
bluhm
f8a1e24fcb Always calculate the hash value of the x509 cert in ssl_load_pkey().
Check whether TLS server object is available before using it.  With
these fixes the ssl inspect regress test just fails and does not
crash relayd.
OK claudio@
2017-07-28 13:58:52 +00:00
benno
f164d32f36 make relayd not crash in relay_udp_server() when using a dns relay.
needs revisiting. From Rivo Nurges, thanks.
ok florian@
2017-07-04 19:59:51 +00:00
benno
efc3981145 use __func__ in log messages. fix some whitespace while here.
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks!
ok florian, claudio
2017-05-28 10:39:15 +00:00
claudio
85e5f5009f Migrate relayd to use libtls for TLS. Still does the TLS privsep via the
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.
2017-05-27 08:33:25 +00:00
reyk
dbb03cc582 Disable client-initiated TLS renegotiation by default.
It is rarely needed and imposes a light DoS risk.  LibreSSL's libssl
allows turning it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.

It can still be enabled with "tls client-renegotiation".

ok benno@ beck@ jsing@
2017-02-02 08:24:16 +00:00
reyk
871fc12c55 Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
2017-01-09 14:49:21 +00:00
jca
829b794569 Fix tcp ip ttl / minttl on IPv6 sockets.
ok florian@
2016-11-10 13:21:58 +00:00
benno
27b47d921a fix DEBUG build after ps->ps_instance change
ok reyk@ bluhm@
2016-09-29 22:04:28 +00:00
reyk
2166201edd spacing 2016-09-26 16:25:16 +00:00
jsg
ebf5acd417 use sizeof instead of constant 16 in function calls
suggested by and ok reyk@
2016-09-23 12:06:15 +00:00
jsg
aad4fa7e1a Change function arguments from "unsigned char keyname[16]" to
"unsigned char *keyname" to make it clear that an array size can not
be inferred.  Suggested by millert@
2016-09-22 07:56:48 +00:00
jsg
50e62dd32f correct invalid use of sizeof
ok krw@ millert@ claudio@
2016-09-22 06:18:58 +00:00
reyk
586b5f8a93 Split "struct relayd" into two structs: "struct relayd" and "struct
relayd_config".  This way we can send all the relevant global
configuration to the children, not just the flags and the opts.

With input from and
OK claudio@ benno@
2016-09-02 14:45:51 +00:00