author | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2007-10-22 16:53:31 +0000 |
committer | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2007-10-22 16:53:31 +0000 |
commit | 862f47d32e95c459a45a285376f8a7b4a728f7a3 (patch) | |
tree | cb0fa67a7d43a820929b8b2239524e87a7d462b6 | |
parent | 5eb411e19f010eadeb4e61f51da2e7f589ac4fc2 (diff) |
load certificate text at parse time, then load it in the relay processes.
this separation will ease reload a bit more.
ok reyk@ who spotted a stupid mistake again...
-rw-r--r-- | usr.sbin/hoststated/hoststated.h | 3 | ||||
-rw-r--r-- | usr.sbin/hoststated/parse.y | 7 | ||||
-rw-r--r-- | usr.sbin/hoststated/relay.c | 118 | ||||
-rw-r--r-- | usr.sbin/relayd/parse.y | 7 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 118 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 3 |
6 files changed, 152 insertions, 104 deletions
diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h
index 2197cd61c70..04c6a66fe02 100644
--- a/usr.sbin/hoststated/hoststated.h
+++ b/usr.sbin/hoststated/hoststated.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hoststated.h,v 1.70 2007/10/19 14:15:14 pyr Exp $ */
+/* $OpenBSD: hoststated.h,v 1.71 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -713,6 +713,7 @@ pid_t relay(struct hoststated *, int [2], int [2], int [RELAY_MAXPROC][2], int [2], int [RELAY_MAXPROC][2]);
 void relay_notify_done(struct host *, const char *);
 int relay_session_cmp(struct session *, struct session *);
+int relay_load_certfiles(struct relay *);
 RB_PROTOTYPE(proto_tree, protonode, nodes, relay_proto_cmp);
 SPLAY_PROTOTYPE(session_tree, session, nodes, relay_session_cmp);
diff --git a/usr.sbin/hoststated/parse.y b/usr.sbin/hoststated/parse.y
index 02fbd69e545..8f1b36beb0e 100644
--- a/usr.sbin/hoststated/parse.y
+++ b/usr.sbin/hoststated/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.74 2007/10/22 12:18:15 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.75 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -944,6 +944,11 @@ relay : RELAY STRING {
 rlay->proto = &conf->proto_default;
 rlay->conf.proto = conf->proto_default.id;
 }
+ if (relay_load_certfiles(rlay) == -1) {
+ yyerror("cannot load certificates for relay %s",
+ rlay->conf.name);
+ YYERROR;
+ }
 conf->relaycount++;
 SPLAY_INIT(&rlay->sessions);
 TAILQ_INSERT_HEAD(conf->relays, rlay, entry);
diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c
index 1ff02bfd089..040c0743add 100644
--- a/usr.sbin/hoststated/relay.c
+++ b/usr.sbin/hoststated/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.51 2007/10/19 14:15:14 pyr Exp $ */
+/* $OpenBSD: relay.c,v 1.52 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
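Review bot: The yyerror added after the proto defaulting names only the relay, while relay_load_certfiles() returns -1 for a missing or unreadable `/etc/ssl/%s.crt` or `/etc/ssl/private/%s.key`, a failed lseek, calloc or mmap alike, and none of its failure paths logs anything (only the two success paths call log_debug), so an operator cannot tell which file was at fault or why. Logging the path where the failure happens in relay.c, e.g. `log_warn("relay_load_certfiles: %s", certfile);` before each `return -1` that follows open(), would give that; appending `strerror(errno)` to the yyerror here is weaker, since the close() on the intermediate error paths may have changed errno by then. Moving the file reads from relay_privinit() into the parser also means a configuration check now needs read access to the private key directory, which deserves a comment above this call. The same hunk appears in usr.sbin/relayd/parse.y.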
@@ -91,7 +91,6 @@ void relay_read_httpchunks(struct bufferevent *, void *);
 char *relay_expand_http(struct ctl_relay_event *, char *, char *, size_t);
-int relay_ssl_ctx_init(struct relay *);
 SSL_CTX *relay_ssl_ctx_create(struct relay *);
 void relay_ssl_transaction(struct session *);
 void relay_ssl_accept(int, short, void *);
@@ -384,10 +383,6 @@ relay_privinit(void)
 break;
 }
- if ((rlay->conf.flags & F_SSL) &&
- relay_ssl_ctx_init(rlay) == -1)
- fatal("relay_launch: could not open certificates");
-
 if (rlay->conf.flags & F_UDP)
 rlay->s = relay_udp_bind(&rlay->conf.ss, rlay->conf.port, rlay->proto);
@@ -2015,48 +2010,6 @@ relay_dispatch_parent(int fd, short event, void * ptr)
 imsg_event_add(ibuf);
 }
-int
-relay_ssl_ctx_init(struct relay *rlay)
-{
- int fd;
- off_t len;
- char certfile[PATH_MAX];
- char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
-
- if (print_host(&rlay->conf.ss, hbuf, sizeof(hbuf)) == NULL)
- return -1;
-
- if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/%s.crt", hbuf) == -1)
- return -1;
- if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
- return -1;
- if ((len = lseek(fd, 0, SEEK_END)) == -1)
- return -1;
- if ((rlay->ssl_cert = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
- fd, 0)) == MAP_FAILED)
- return -1;
- rlay->ssl_cert_len = len;
- close(fd);
- log_debug("relay_ssl_ctx_init: using certificate %s", certfile);
-
- if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/private/%s.key", hbuf) == -1)
- return -1;
- if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
- return -1;
- if ((len = lseek(fd, 0, SEEK_END)) == -1)
- return -1;
- if ((rlay->ssl_key = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
- fd, 0)) == MAP_FAILED)
- return -1;
- rlay->ssl_key_len = len;
- close(fd);
- log_debug("relay_ssl_ctx_init: using private key %s", certfile);
-
- return (0);
-}
-
 SSL_CTX *
 relay_ssl_ctx_create(struct relay *rlay)
 {
@@ -2097,12 +2050,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 if (!ssl_ctx_use_certificate_chain(ctx, rlay->ssl_cert, rlay->ssl_cert_len))
 goto err;
- munmap(rlay->ssl_cert, rlay->ssl_cert_len);
 log_debug("relay_ssl_ctx_create: loading private key");
 if (!ssl_ctx_use_private_key(ctx, rlay->ssl_key, rlay->ssl_key_len))
 goto err;
- munmap(rlay->ssl_key, rlay->ssl_key_len);
 if (!SSL_CTX_check_private_key(ctx))
 goto err;
@@ -2474,6 +2425,73 @@ relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b)
 }
 }
+int
+relay_load_certfiles(struct relay *rlay)
+{
+ int fd;
+ off_t len;
+ char certfile[PATH_MAX];
+ char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+ char *str;
+
+ if (!(rlay->conf.flags & F_SSL))
+ return 0;
+
+ if (print_host(&rlay->conf.ss, hbuf, sizeof(hbuf)) == NULL)
+ return -1;
+
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/%s.crt", hbuf) == -1)
+ return -1;
+ if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+ return -1;
+ if ((len = lseek(fd, 0, SEEK_END)) == -1) {
+ close(fd);
+ return -1;
+ }
+ rlay->ssl_cert_len = len + 1;
+ if ((rlay->ssl_cert = calloc(1, rlay->ssl_cert_len)) == NULL) {
+ close(fd);
+ return -1;
+ }
+ if ((str = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
+ fd, 0)) == MAP_FAILED) {
+ close(fd);
+ return -1;
+ }
+ close(fd);
+ rlay->ssl_cert_len = len;
+ (void)strlcpy(rlay->ssl_cert, str, rlay->ssl_cert_len);
+ munmap(str, rlay->ssl_cert_len);
+ log_debug("relay_load_certfile: using certificate %s", certfile);
+
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/private/%s.key", hbuf) == -1)
+ return -1;
+ if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+ return -1;
+ if ((len = lseek(fd, 0, SEEK_END)) == -1) {
+ close(fd);
+ return -1;
+ }
+ rlay->ssl_key_len = len + 1;
+ if ((rlay->ssl_key = calloc(1, rlay->ssl_key_len)) == NULL) {
+ close(fd);
+ return -1;
+ }
+ if ((str = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
+ fd, 0)) == MAP_FAILED) {
+ close(fd);
+ return -1;
+ }
+ close(fd);
+ (void)strlcpy(rlay->ssl_key, str, rlay->ssl_key_len);
+ munmap(str, rlay->ssl_key_len);
+ log_debug("relay_load_certfile: using private key %s", certfile);
+
+ return (0);
+}
+
 static __inline int
 relay_proto_cmp(struct protonode *a, struct protonode *b)
 {
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index 02fbd69e545..8f1b36beb0e 100644
--- a/usr.sbin/relayd/parse.y
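Review bot: The copies out of the mapping are not safe as written: `(void)strlcpy(rlay->ssl_key, str, rlay->ssl_key_len);` scans `str` for a NUL the mapping does not guarantee (it is exactly `len` bytes of file, and only a partial last page is zero-filled), so a certificate or key whose size is a page multiple sends the scan off the end of the mapping, and the key branch then calls `munmap(str, rlay->ssl_key_len);` with `len + 1`, one byte past what was mapped, which in the same case unmaps a further page; the certificate branch avoids the munmap problem by resetting `ssl_cert_len` to `len` first, but its strlcpy is then bounded by `len` and drops the file's last byte. Since both buffers are calloc'd with `len + 1` and so already NUL-terminated, a plain memcpy of `len` bytes, an unmap of `len`, and `*_len = len` in both branches fixes all three and also gives `ssl_cert_len` and `ssl_key_len` the same meaning when relay_ssl_ctx_create() passes them to the SSL loaders. Nothing in this diff frees or zeroes `ssl_key`: with the munmap() calls removed from relay_ssl_ctx_create(), the private key text now stays in the heap of the parsing process and, presumably by inheritance, of the relay processes for their lifetime, so the reload path this commit prepares should bzero() and free() it when a relay is torn down (the calloc'd buffer is also leaked on the mmap() failure paths, minor given the parser aborts). The same hunk appears in usr.sbin/relayd/relay.c.
```c
	/* … unchanged: F_SSL check, print_host, certificate open/lseek/calloc/mmap … */
	close(fd);
	memcpy(rlay->ssl_cert, str, len);	/* buffer is calloc'd len + 1, so NUL-terminated */
	munmap(str, len);
	rlay->ssl_cert_len = len;
	/* … unchanged: certificate log_debug, key open/lseek/calloc/mmap … */
	close(fd);
	memcpy(rlay->ssl_key, str, len);
	munmap(str, len);
	rlay->ssl_key_len = len;
	/* … unchanged: key log_debug, return (0) … */
```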
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.74 2007/10/22 12:18:15 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.75 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -944,6 +944,11 @@ relay : RELAY STRING {
 rlay->proto = &conf->proto_default;
 rlay->conf.proto = conf->proto_default.id;
 }
+ if (relay_load_certfiles(rlay) == -1) {
+ yyerror("cannot load certificates for relay %s",
+ rlay->conf.name);
+ YYERROR;
+ }
 conf->relaycount++;
 SPLAY_INIT(&rlay->sessions);
 TAILQ_INSERT_HEAD(conf->relays, rlay, entry);
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 1ff02bfd089..040c0743add 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.51 2007/10/19 14:15:14 pyr Exp $ */
+/* $OpenBSD: relay.c,v 1.52 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -91,7 +91,6 @@ void relay_read_httpchunks(struct bufferevent *, void *);
 char *relay_expand_http(struct ctl_relay_event *, char *, char *, size_t);
-int relay_ssl_ctx_init(struct relay *);
 SSL_CTX *relay_ssl_ctx_create(struct relay *);
 void relay_ssl_transaction(struct session *);
 void relay_ssl_accept(int, short, void *);
@@ -384,10 +383,6 @@ relay_privinit(void)
 break;
 }
- if ((rlay->conf.flags & F_SSL) &&
- relay_ssl_ctx_init(rlay) == -1)
- fatal("relay_launch: could not open certificates");
-
 if (rlay->conf.flags & F_UDP)
 rlay->s = relay_udp_bind(&rlay->conf.ss, rlay->conf.port, rlay->proto);
@@ -2015,48 +2010,6 @@ relay_dispatch_parent(int fd, short event, void * ptr)
 imsg_event_add(ibuf);
 }
-int
-relay_ssl_ctx_init(struct relay *rlay)
-{
- int fd;
- off_t len;
- char certfile[PATH_MAX];
- char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
-
- if (print_host(&rlay->conf.ss, hbuf, sizeof(hbuf)) == NULL)
- return -1;
-
- if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/%s.crt", hbuf) == -1)
- return -1;
- if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
- return -1;
- if ((len = lseek(fd, 0, SEEK_END)) == -1)
- return -1;
- if ((rlay->ssl_cert = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
- fd, 0)) == MAP_FAILED)
- return -1;
- rlay->ssl_cert_len = len;
- close(fd);
- log_debug("relay_ssl_ctx_init: using certificate %s", certfile);
-
- if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/private/%s.key", hbuf) == -1)
- return -1;
- if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
- return -1;
- if ((len = lseek(fd, 0, SEEK_END)) == -1)
- return -1;
- if ((rlay->ssl_key = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
- fd, 0)) == MAP_FAILED)
- return -1;
- rlay->ssl_key_len = len;
- close(fd);
- log_debug("relay_ssl_ctx_init: using private key %s", certfile);
-
- return (0);
-}
-
 SSL_CTX *
 relay_ssl_ctx_create(struct relay *rlay)
 {
@@ -2097,12 +2050,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 if (!ssl_ctx_use_certificate_chain(ctx, rlay->ssl_cert, rlay->ssl_cert_len))
 goto err;
- munmap(rlay->ssl_cert, rlay->ssl_cert_len);
 log_debug("relay_ssl_ctx_create: loading private key");
 if (!ssl_ctx_use_private_key(ctx, rlay->ssl_key, rlay->ssl_key_len))
 goto err;
- munmap(rlay->ssl_key, rlay->ssl_key_len);
 if (!SSL_CTX_check_private_key(ctx))
 goto err;
@@ -2474,6 +2425,73 @@ relay_cmp_af(struct sockaddr_storage *a, struct sockaddr_storage *b)
 }
 }
+int
+relay_load_certfiles(struct relay *rlay)
+{
+ int fd;
+ off_t len;
+ char certfile[PATH_MAX];
+ char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+ char *str;
+
+ if (!(rlay->conf.flags & F_SSL))
+ return 0;
+
+ if (print_host(&rlay->conf.ss, hbuf, sizeof(hbuf)) == NULL)
+ return -1;
+
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/%s.crt", hbuf) == -1)
+ return -1;
+ if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+ return -1;
+ if ((len = lseek(fd, 0, SEEK_END)) == -1) {
+ close(fd);
+ return -1;
+ }
+ rlay->ssl_cert_len = len + 1;
+ if ((rlay->ssl_cert = calloc(1, rlay->ssl_cert_len)) == NULL) {
+ close(fd);
+ return -1;
+ }
+ if ((str = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
+ fd, 0)) == MAP_FAILED) {
+ close(fd);
+ return -1;
+ }
+ close(fd);
+ rlay->ssl_cert_len = len;
+ (void)strlcpy(rlay->ssl_cert, str, rlay->ssl_cert_len);
+ munmap(str, rlay->ssl_cert_len);
+ log_debug("relay_load_certfile: using certificate %s", certfile);
+
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/private/%s.key", hbuf) == -1)
+ return -1;
+ if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+ return -1;
+ if ((len = lseek(fd, 0, SEEK_END)) == -1) {
+ close(fd);
+ return -1;
+ }
+ rlay->ssl_key_len = len + 1;
+ if ((rlay->ssl_key = calloc(1, rlay->ssl_key_len)) == NULL) {
+ close(fd);
+ return -1;
+ }
+ if ((str = mmap(NULL, len, PROT_READ, MAP_FILE|MAP_PRIVATE,
+ fd, 0)) == MAP_FAILED) {
+ close(fd);
+ return -1;
+ }
+ close(fd);
+ (void)strlcpy(rlay->ssl_key, str, rlay->ssl_key_len);
+ munmap(str, rlay->ssl_key_len);
+ log_debug("relay_load_certfile: using private key %s", certfile);
+
+ return (0);
+}
+
 static __inline int
 relay_proto_cmp(struct protonode *a, struct protonode *b)
 {
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index d247e6834f1..6b9515aae16 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.70 2007/10/19 14:15:14 pyr Exp $ */
+/* $OpenBSD: relayd.h,v 1.71 2007/10/22 16:53:30 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -713,6 +713,7 @@ pid_t relay(struct hoststated *, int [2], int [2], int [RELAY_MAXPROC][2], int [2], int [RELAY_MAXPROC][2]);
 void relay_notify_done(struct host *, const char *);
 int relay_session_cmp(struct session *, struct session *);
+int relay_load_certfiles(struct relay *);
 RB_PROTOTYPE(proto_tree, protonode, nodes, relay_proto_cmp);
 SPLAY_PROTOTYPE(session_tree, session, nodes, relay_session_cmp); |