OpenBSD CVS

CVS log for src/usr.sbin/relayd/config.c



Default branch: MAIN


Revision 1.45, Wed Jan 17 10:01:24 2024 UTC (4 months, 2 weeks ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.44: +7 -7 lines

Use imsg_get_fd()

As usual proc_forward_imsg() is never forwarding a file descriptor so
just use -1 there. This should be replaced by imsg_forward().
All other changes are simple conversions.

OK tb@

Revision 1.44, Sun Jun 25 08:07:38 2023 UTC (11 months, 1 week ago) by op
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.43: +1 -2 lines

remove ssl_init()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

ok tb

Revision 1.43, Sun Dec 5 13:48:14 2021 UTC (2 years, 5 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.42: +2 -2 lines

fix use after free
ok tb@

Revision 1.42, Wed Jul 14 13:33:57 2021 UTC (2 years, 10 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.41: +1 -3 lines

Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre

Revision 1.41, Sun Sep 15 19:23:29 2019 UTC (4 years, 8 months ago) by rob
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.40: +8 -1 lines

Add support for binary protocol health checking. Feedback and guidance from
benno@ and reky@. Man page tweaks from jmc@.

ok benno@

Revision 1.40, Wed Jun 26 12:13:47 2019 UTC (4 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.39: +19 -1 lines

Add support for OCSP stapling

Many thanks to Bruno Flueckiger who independently sent a very similar
patch.  He also tested that the one I'm committing works as
expected.

OK tb@

Revision 1.39, Sat Jun 1 09:54:19 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.38: +9 -1 lines

Make sure that the IMSG_CTL_RESET message is sent immediately.

This fixes an issue that might better be solved in imsg itself.

The problem is that IMSG_CTL_RESET does not include an fd while the
following messages (IMSG_CFG_RELAY and IMSG_CFG_RELAY_FD) do contain
fds.  If the receiver gets them in one buffer (via recvmsg), the first
fd might be wrongly associated to the IMSG_CTL_RESET message.  This is
theoretically taken care of by the imsg API, so it is either a bug in
relayd's API usage or in imsg itself.

"sure" claudio@ as a temporary fix.

Revision 1.38, Fri May 31 15:25:57 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.37: +10 -1 lines

Add support for SNI with new "tls keypair" option to load additional certs.

Tested by many (thanks!)

Feedback & OK rob@

Revision 1.37, Fri May 31 15:15:37 2019 UTC (5 years ago) by reyk
Branch: MAIN
Changes since 1.36: +74 -40 lines

Move the relay keys/certs into a separate global list and look them up by id.

Moving the certs out of the relay struct will help to add multiple SNI certs.

Tested by many users (thanks!)

Feedback & OK rob@

Revision 1.36, Wed Nov 29 15:24:50 2017 UTC (6 years, 6 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.35: +2 -1 lines

add options to specify the control socket in relayd and relayctl.
From Kapetanakis Giannis, thanks.
ok claudio@

Revision 1.35, Mon Nov 27 23:21:16 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.34: +4 -4 lines

Change the ecdhe curve configuration to the same way httpd is doing it.
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code now uses tls_config_set_ecdhecurves(3), so it is possible to
specify multiple curves. If people specified curves in their config
they need to adjust their config now.
OK beck@

Revision 1.34, Mon Nov 27 21:06:26 2017 UTC (6 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.33: +122 -42 lines

Use file descriptor passing to load certificates into the relays. Especially
the ca file (having all the trusted certs in it) can be so big that loading
via imsg fails.
OK beck@

Revision 1.33, Thu Sep 14 08:59:54 2017 UTC (6 years, 8 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.32: +4 -3 lines

Differentiate between a style string not being specified and an empty
style string by including NUL in imsg and set the pointer in the struct
passed over imsg to NULL in the receiving process to be sure nothing
tries to use it.

Avoids a crash when specifying an empty style string reported by
Karl-Andre' Skevik.  ok bluhm@

Revision 1.32, Sat May 27 08:33:25 2017 UTC (7 years ago) by claudio
Branch: MAIN
Changes since 1.31: +9 -3 lines

Migrate relayd to use libtls for TLS. Still does the TLS privsep via the
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.

Revision 1.31, Thu Nov 24 21:01:18 2016 UTC (7 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.30: +28 -6 lines

The new fork+exec mode used too many fds in the parent process on
startup, for a short time, so we needed a rlimit hack in relayd.c.
Sync the fix from httpd: rzalamena@ has fixed proc.c and I added the
proc_flush_imsg() mechanism that makes sure that each fd is
immediately closed after forwarding it to a child process instead of
queueing it up.

OK rzalamena@ jca@ benno@

Revision 1.30, Fri Sep 2 14:45:51 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.29: +10 -13 lines

Split "struct relayd" into two structs: "struct relayd" and "struct
relayd_config".  This way we can send all the relevant global
configuration to the children, not just the flags and the opts.

With input from and
OK claudio@ benno@

Revision 1.29, Fri Sep 2 13:09:21 2016 UTC (7 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.28: +8 -8 lines

As done in httpd, (re-)initialize ps_what in all processes.  This is
no functional change at this point.

Revision 1.28, Thu Sep 1 10:49:48 2016 UTC (7 years, 9 months ago) by claudio
Branch: MAIN
Changes since 1.27: +1 -2 lines

Switch from the not really working session cache (because of the multiprocess
nature of relayd) to tls session tickets to do TLS session resumption.
TLS session tickets do not need to store SSL session data in the server but
instead send an encrypted ticket to the clients that allows them to resume the
session. This is mostly stateless (apart from the encryption keys).
relayd now ensures that all relay processes use the same key to encrypt
the tickets. Keys are rotated every 2h and there is a primary and backup key.
The tls session timeout is set to 2h to hint to the clients how long the
session ticket is supposed to be alive.
Input and OK benno@, reyk@

Revision 1.27, Mon Dec 7 04:03:27 2015 UTC (8 years, 5 months ago) by mmcc
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.26: +7 -13 lines

Remove NULL-checks before free(). No functional change.

Revision 1.26, Wed Dec 2 13:41:27 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.25: +14 -19 lines

In most cases we don't need all arguments of proc_compose*_imsg(),
so add a shortcut proc_compose*() that skips all of them.  Only use the
full argument list if needed.  The functions with full argument lists can
eventually be replaced with a nicer transaction-based approach later.

OK benno@

Revision 1.24.2.1, Sun Sep 20 11:20:16 2015 UTC (8 years, 8 months ago) by benno
Branch: OPENBSD_5_7
Changes since 1.24: +2 -2 lines

maintenance diff for relayd
MFC the following changes

- Missing free(3) in error path (ssl.c,v 1.29)
- fix a memory leak. (pfe.c,v 1.80)
- allocate se_log evbuffer before logging errors with relay_close()
  (relay.c,v 1.192)
- fix a file descriptor leak in http protocol handling
  (relay.c,v 1.193 and relay_http.c,v 1.44)
- Fix obvious problems with relayd config reload
  (ca.c,v 1.13; config.c,v 1.25; parse.y,v 1.204;
  relayd.c,v 1.139; relayd.h,v 1.209)
- http protocol: you cannot append to the previous key-value before
  line three of a request (relay_http.c,v 1.45)
- fix a crash / use after free (relay.c,v 1.194; relay_http.c,v 1.46)
- fix a non safe use of TAILQ_FOREACH with TAILQ_REMOVE
  (relay_http.c,v 1.47)
- Plug a memory leak by simplifying kv_free() (relayd.c,v 1.141)
- Fix memory leak in error case (relay_http.c,v 1.48)
- track the connection state of a session and stop doing double
  opens in certain situations (relay.c,v 1.195; relay_http.c,v 1.49; relayd.h,v 1.210)
- coding style (relay.c,v 1.196; relay_http.c,v 1.50; relayd.h,v 1.212)

ok claudio@, sthen@ and feedback tedu@

Revision 1.25, Sat May 2 13:15:24 2015 UTC (9 years, 1 month ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.24: +2 -2 lines

Fix obvious problems with relayd config reload.
- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno

Revision 1.24, Thu Jan 22 17:42:09 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE
Branch point for: OPENBSD_5_7
Changes since 1.23: +5 -18 lines

Clean up the relayd headers with help of include-what-you-use and some
manual review.  Based on common practice, relayd.h now includes the
necessary headers for itself.

OK benno@

Revision 1.23, Wed Jan 21 21:50:33 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.22: +2 -3 lines

Include <netinet/in.h> before <net/pfvar.h>.  In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.

Revision 1.22, Sun Dec 21 00:54:49 2014 UTC (9 years, 5 months ago) by guenther
Branch: MAIN
Changes since 1.21: +1 -3 lines

Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary.
*Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.

ok reyk@

Revision 1.21, Fri Dec 12 10:05:09 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.20: +60 -60 lines

Change the keyword "ssl" to "tls" to reflect reality since we
effectively disabled support for the SSL protocols.  SSL remains a
common term describing SSL/TLS, there is some controversy about this
change, and the name really doesn't matter, but I feel confident about
it now.

(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)

OK benno@, with input from tedu@

Revision 1.20, Sat Nov 22 00:24:22 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.19: +2 -2 lines

use size_t where appropriate. ok deraadt reyk

Revision 1.19, Wed Nov 19 10:24:40 2014 UTC (9 years, 6 months ago) by blambert
Branch: MAIN
Changes since 1.18: +2 -1 lines

Support exporting relayd statistics via AgentX/snmpd

This should be equivalent to the statistics available
via the various relayctl show commands

okay benno@ reyk@

Revision 1.18, Fri Jul 11 16:59:38 2014 UTC (9 years, 10 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.17: +2 -1 lines

Add support for EDH to provide perfect forward secrecy for older SSL
clients.  Additionally, add options for disallowing client-initiated
renegotiations and to prefer the server's cipher list over the
client's preferences.

This work is based on a diff by Markus Gebert at hostpoint.ch, and was
discussed with jsing@ resulting in a few different defaults.

ok benno@

Revision 1.17, Fri Jul 11 11:48:50 2014 UTC (9 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.16: +2 -1 lines

Simplify the code that handles the HTTP headers by using an RB tree
with associated lists instead of the complicated lookup table and
"others" list.  This might add a little malloc overhead for common
headers but also fixes some issues like the handling of repeated
headers, for example, handling of multiple "Set-Cookie" headers.

ok bluhm@ (regress part)
ok benno@

Revision 1.16, Wed Jul 9 23:30:34 2014 UTC (9 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.15: +2 -1 lines

When copying structures via imsg, the contents should not contain
bogus pointer values - make sure to zero the first rule_kv element.

awesome benno@

Revision 1.15, Wed Jul 9 16:42:05 2014 UTC (9 years, 10 months ago) by reyk
Branch: MAIN
Changes since 1.14: +113 -142 lines

Replace the protocol directives for HTTP with a new generic filtering
language.  The grammar is inspired by pf and allows writing versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords.  This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code.  The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.

With some testing, feedback, and help from benno@ and andre@.

OK benno@

Revision 1.14, Sun May 4 16:38:19 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.13: +3 -4 lines

Create a new default RSA engine instead of patching the existing one
if none is available.  Fixes SSL/TLS and a possible fatalx() on
machines without a default RSA engine.

Thanks to Bjorn Ketelaars for reporting and testing.

ok gilles@ (for the relayd part)

Revision 1.13, Tue Apr 22 08:04:23 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.12: +16 -3 lines

Support the CA key for SSL inspection in the ca process.  Instead of
looking up the keys by relay id, add all keys to a list and look them
up by key id.

ok benno@

Revision 1.12, Fri Apr 18 13:55:26 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.11: +39 -21 lines

Introduce privsep for private keys:

- Move RSA private keys to a new separate process instead of copying
them to the relays.  A custom RSA engine is used by the SSL/TLS code
of the relay processes to send RSA private key encryption/decryption
(also used for sign/verify) requests to the new "ca" processes instead
of operating on the private key directly.

- Each relay process gets its own related ca process.  Setting
"prefork 5" in the config file will spawn 10 processes (5 relay, 5
ca).  This diff also reduces the default number of relay processes
from 5 to 3 which should be suitable in most installations without a
very heavy load.

- Don't keep text versions of the keys in memory, parse them once and
keep the binary representation.  This might still be the case in
OpenSSL's internals but will be fixed in the library.

This diff doesn't prevent something like "heartbleed" but adds an
additional mitigation to prevent leakage of the private keys from the
processes doing SSL/TLS.

With feedback from many
ok benno@

Revision 1.11, Mon Feb 24 06:55:11 2014 UTC (10 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.10: +2 -2 lines

fix a buffer overflow of an array introduced with the ssl inspection commit
ok reyk@ deraadt@

Revision 1.10, Mon Sep 9 17:57:44 2013 UTC (10 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.9: +2 -1 lines

Add support for ECDHE (Elliptic curve Diffie-Hellman) to enable
TLS/SSL Perfect Forward Secrecy (PFS).

ok djm@

Revision 1.9, Thu May 30 20:17:12 2013 UTC (11 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.8: +27 -2 lines

Support SSL inspection, the ability to transparently filter in SSL/TLS
connections (e.g. HTTPS) by using a local CA that is accepted by the
clients.  See the "SSL RELAYS" and "EXAMPLES" sections in the
relayd.conf(5) manpage for more details.

ok benno@, manpage bits jmc@

Revision 1.8, Tue Dec 18 15:57:16 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.7: +1 -3 lines

remove unused variable

Revision 1.7, Tue Nov 27 05:00:28 2012 UTC (11 years, 6 months ago) by guenther
Branch: MAIN
Changes since 1.6: +2 -2 lines

Add format attributes to the proper functions and then fix the warnings
that gcc then reports when compiling with -DDEBUG=2

ok reyk@ benno@

Revision 1.6, Thu Oct 4 20:53:30 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.5: +7 -4 lines

spacing

Revision 1.5, Wed Oct 3 08:40:40 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.4: +3 -1 lines

Inherit and pass the relay table flags correctly.

Revision 1.4, Wed Oct 3 08:33:31 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.3: +67 -21 lines

Support more than one relay backup table.  Instead of duplicating the
code for main and backup table all over the place, turn the relay
tables into a list attached to the relay.  This improves the code and
allows some other tricks with multiple tables later.

Revision 1.3, Tue May 8 15:10:15 2012 UTC (12 years ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.2: +21 -3 lines

fix "label string" in http protocol. problem found by giovanni.
ok giovanni@, henning@

Revision 1.2, Thu May 19 09:13:07 2011 UTC (13 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.1: +34 -10 lines

Add a few missing checks of return values of memory allocations.

Revision 1.1, Thu May 19 08:56:49 2011 UTC (13 years ago) by reyk
Branch: MAIN

Fix reload support in relayd(8) by reimplementing large parts of the
daemon infrastructure. The previous design made it fairly hard to
reload the complex data structures, especially relays and protocols.
One of the reasons was that the privsep'd relayd processes had two
ways of getting their configuration: 1) from memory after forking from
the parent process and 2) (partially) via imsgs after reload.  The
new implementation first forks the privsep'd children before the
parent loads the configuration and sends it via imsgs to them; so it
is only like 2) before.  It is based on an approach that I first
implemented for iked(8) and I also fixed many bugs in the code.

Thanks to many testers including dlg@ sthen@ phessler@
ok pyr@ dlg@ sthen@
