-rw-r--r--usr.sbin/relayd/config.c20
-rw-r--r--usr.sbin/relayd/relay.c22
-rw-r--r--usr.sbin/relayd/relayd.c22
-rw-r--r--usr.sbin/relayd/relayd.conf.514
-rw-r--r--usr.sbin/relayd/relayd.h6
5 files changed, 72 insertions, 12 deletions
diff --git a/usr.sbin/relayd/config.c b/usr.sbin/relayd/config.c
index ce1eb2bfe0d..2b8a308a969 100644
--- a/usr.sbin/relayd/config.c
+++ b/usr.sbin/relayd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.39 2019/06/01 09:54:19 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.40 2019/06/26 12:13:47 reyk Exp $ */
/*
* Copyright (c) 2011 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -903,6 +903,16 @@ config_setrelay(struct relayd *env, struct relay *rlay)
rlay->rl_conf.name);
return (-1);
}
+ if (id == PROC_RELAY &&
+ cert->cert_ocsp_fd != -1 &&
+ config_setrelayfd(ps, id, n,
+ cert->cert_id, cert->cert_relayid,
+ RELAY_FD_OCSP, cert->cert_ocsp_fd) == -1) {
+ log_warn("%s: fd passing failed for "
+ "`%s'", __func__,
+ rlay->rl_conf.name);
+ return (-1);
+ }
if (id == PROC_CA &&
cert->cert_key_fd != -1 &&
config_setrelayfd(ps, id, n,
@@ -992,6 +1002,10 @@ config_setrelay(struct relayd *env, struct relay *rlay)
close(cert->cert_key_fd);
cert->cert_key_fd = -1;
}
+ if (cert->cert_ocsp_fd != -1) {
+ close(cert->cert_ocsp_fd);
+ cert->cert_ocsp_fd = -1;
+ }
}
return (0);
@@ -1113,6 +1127,7 @@ config_getrelayfd(struct relayd *env, struct imsg *imsg)
switch (crfd.type) {
case RELAY_FD_CERT:
case RELAY_FD_KEY:
+ case RELAY_FD_OCSP:
if ((cert = cert_find(env, crfd.id)) == NULL) {
if ((cert = cert_add(env, crfd.id)) == NULL)
return (-1);
@@ -1134,6 +1149,9 @@ config_getrelayfd(struct relayd *env, struct imsg *imsg)
case RELAY_FD_KEY:
cert->cert_key_fd = imsg->fd;
break;
+ case RELAY_FD_OCSP:
+ cert->cert_ocsp_fd = imsg->fd;
+ break;
case RELAY_FD_CACERT:
rlay->rl_tls_ca_fd = imsg->fd;
break;
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 2148fdf3817..7ec8f0ec41a 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.247 2019/05/31 15:15:37 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.248 2019/06/26 12:13:47 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2130,8 +2130,8 @@ relay_tls_ctx_create(struct relay *rlay)
struct relay_cert *cert;
const char *fake_key;
int fake_keylen, keyfound = 0;
- char *buf = NULL, *cabuf = NULL;
- off_t len = 0, calen = 0;
+ char *buf = NULL, *cabuf = NULL, *ocspbuf = NULL;
+ off_t len = 0, calen = 0, ocsplen = 0;
if ((tls_cfg = tls_config_new()) == NULL) {
log_warnx("unable to allocate TLS config");
@@ -2203,6 +2203,16 @@ relay_tls_ctx_create(struct relay *rlay)
}
cert->cert_fd = -1;
+ if (cert->cert_ocsp_fd != -1 &&
+ (ocspbuf = relay_load_fd(cert->cert_ocsp_fd,
+ &ocsplen)) == NULL) {
+ log_warn("failed to load OCSP staplefile");
+ goto err;
+ }
+ if (ocsplen == 0)
+ purge_key(&ocspbuf, ocsplen);
+ cert->cert_ocsp_fd = -1;
+
if ((fake_keylen = ssl_ctx_fake_private_key(buf, len,
&fake_key)) == -1) {
/* error already printed */
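Review bot: The intent of `if (ocsplen == 0) purge_key(&ocspbuf, ocsplen);` is not obvious from the code and deserves a comment, e.g. `/* a zero-length staple file means "no staple": free it so NULL/0 reach libtls */`. Beyond that length check the loaded DER response is handed to tls_config_set/add_keypair_ocsp_mem() untouched, so a malformed or already-expired staple would be served to clients unless libtls rejects it, which I cannot confirm from this hunk; a log_debug of the loaded staple length next to the existing `log_warn("failed to load OCSP staplefile")` would at least make a stale or truncated file visible in the logs. `cert->cert_ocsp_fd = -1;` is written without a close() here, mirroring the `cert->cert_fd = -1;` line above, which suggests relay_load_fd() owns and closes the descriptor; that ownership is worth stating in a comment since purge_relay() also closes any fd that is still not -1. relay_tls_ctx_create() starts and ends outside this hunk.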
@@ -2211,7 +2221,7 @@ relay_tls_ctx_create(struct relay *rlay)
if (keyfound == 1 &&
tls_config_set_keypair_ocsp_mem(tls_cfg, buf, len,
- fake_key, fake_keylen, NULL, 0) != 0) {
+ fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
log_warnx("failed to set tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
@@ -2223,13 +2233,14 @@ relay_tls_ctx_create(struct relay *rlay)
goto err;
if (tls_config_add_keypair_ocsp_mem(tls_cfg, buf, len,
- fake_key, fake_keylen, NULL, 0) != 0) {
+ fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
log_warnx("failed to add tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
}
purge_key(&buf, len);
+ purge_key(&ocspbuf, ocsplen);
}
if (rlay->rl_tls_cacert_fd != -1) {
@@ -2269,6 +2280,7 @@ relay_tls_ctx_create(struct relay *rlay)
return (0);
err:
+ purge_key(&ocspbuf, ocsplen);
purge_key(&cabuf, calen);
purge_key(&buf, len);
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index 47edff9e077..622a447b003 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.179 2019/05/31 15:25:57 reyk Exp $ */
+/* $OpenBSD: relayd.c,v 1.180 2019/06/26 12:13:47 reyk Exp $ */
/*
* Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -605,6 +605,8 @@ purge_relay(struct relayd *env, struct relay *rlay)
close(cert->cert_fd);
if (cert->cert_key_fd != -1)
close(cert->cert_key_fd);
+ if (cert->cert_ocsp_fd != -1)
+ close(cert->cert_ocsp_fd);
if (cert->cert_pkey != NULL)
EVP_PKEY_free(cert->cert_pkey);
TAILQ_REMOVE(env->sc_certs, cert, cert_entry);
@@ -1270,6 +1272,7 @@ cert_add(struct relayd *env, objid_t id)
cert->cert_id = id;
cert->cert_fd = -1;
cert->cert_key_fd = -1;
+ cert->cert_ocsp_fd = -1;
TAILQ_INSERT_TAIL(env->sc_certs, cert, cert_entry);
@@ -1325,7 +1328,7 @@ relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name)
struct protocol *proto = rlay->rl_proto;
struct relay_cert *cert;
int useport = htons(rlay->rl_conf.port);
- int cert_fd = -1, key_fd = -1;
+ int cert_fd = -1, key_fd = -1, ocsp_fd = -1;
if (rlay->rl_conf.flags & F_TLSCLIENT) {
if (strlen(proto->tlsca) && rlay->rl_tls_ca_fd == -1) {
@@ -1389,12 +1392,25 @@ relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name)
goto fail;
log_debug("%s: using private key %s", __func__, certfile);
+ if (useport) {
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/%s:%u.ocsp", hbuf, useport) == -1)
+ goto fail;
+ } else {
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/%s.ocsp", hbuf) == -1)
+ goto fail;
+ }
+ if ((ocsp_fd = open(certfile, O_RDONLY)) != -1)
+ log_debug("%s: using OCSP staple file %s", __func__, certfile);
+
if ((cert = cert_add(env, 0)) == NULL)
goto fail;
cert->cert_relayid = rlay->rl_conf.id;
cert->cert_fd = cert_fd;
cert->cert_key_fd = key_fd;
+ cert->cert_ocsp_fd = ocsp_fd;
return (0);
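Review bot: An open() failure at `if ((ocsp_fd = open(certfile, O_RDONLY)) != -1)` is silently treated as "no staple", so an unreadable file (wrong mode or owner) looks identical to an absent one and the relay quietly stops stapling; suggest `else if (errno != ENOENT) log_warn("%s: cannot open OCSP staple file %s", __func__, certfile);`, assuming <errno.h> is in scope as log_warn's use elsewhere in relayd implies. The staple is also only opened here, at configuration load, so a refreshed response written by ocspcheck(8) is not picked up until relayd reloads; that is worth one sentence in the new relayd.conf.5 paragraph. The `== -1` checks on the two new snprintf() calls follow the existing cert/key pattern and do not detect truncation, though the fixed prefix plus an address string keeps the path well inside certfile. relay_load_certfiles() continues outside this hunk.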
@@ -1403,6 +1419,8 @@ relay_load_certfiles(struct relayd *env, struct relay *rlay, const char *name)
close(cert_fd);
if (key_fd != -1)
close(key_fd);
+ if (ocsp_fd != -1)
+ close(ocsp_fd);
return (-1);
}
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 9421661e8bc..e5c8fa97df6 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.190 2019/05/31 15:25:57 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.191 2019/06/26 12:13:47 reyk Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 31 2019 $
+.Dd $Mdocdate: June 26 2019 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -965,6 +965,15 @@ a keypair will be loaded using the specified IP address of the relay as
See
.Xr ssl 8
for details about SSL/TLS server certificates.
+.Pp
+An optional OCSP staple file will be used during TLS handshakes with
+this server if it is found as a non-empty file in
+.Pa /etc/ssl/name:port.ocsp
+or
+.Pa /etc/ssl/name.ocsp .
+The file should contain a DER-format OCSP response retrieved from an
+OCSP server for the certificate in use, and can be created using
+.Xr ocspcheck 8 .
.It Ic no cipher-server-preference
Prefer the client's cipher list over the server's preferences when
choosing a cipher for the connection.
@@ -1594,6 +1603,7 @@ router "uplinks" {
}
.Ed
.Sh SEE ALSO
+.Xr ocspcheck 8 ,
.Xr relayctl 8 ,
.Xr relayd 8 ,
.Xr snmpd 8 ,
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 4314cec0a6b..ba841ddfcd3 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.258 2019/05/31 15:25:57 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.259 2019/06/26 12:13:47 reyk Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -141,7 +141,8 @@ enum fd_type {
RELAY_FD_CERT = 1,
RELAY_FD_CACERT = 2,
RELAY_FD_CAFILE = 3,
- RELAY_FD_KEY = 4
+ RELAY_FD_KEY = 4,
+ RELAY_FD_OCSP = 5
};
struct ctl_relayfd {
@@ -781,6 +782,7 @@ struct relay_cert {
objid_t cert_relayid;
int cert_fd;
int cert_key_fd;
+ int cert_ocsp_fd;
EVP_PKEY *cert_pkey;
TAILQ_ENTRY(relay_cert) cert_entry;
};