path: root/usr.sbin/relayd
Age         Author
  Commit message
2022-11-10  Moritz Buhl
  In case RSA_meth_new fails, errstr would be passed to fatalx without
  initialization. OK tb
2022-11-10  Moritz Buhl
  always call va_end.
  ok tb
2022-09-03  Sebastian Benoit
  Move the daemon() call in the parent process from after forking the
  children to just before. That way the parent disassociates from its controlling terminal and shell, but not from its children. Remove the dup2() bits that were copied from daemon() to solve the problem that the children still had the stdio fds open. This is now done in the parent earlier. Remove the setsid() and setpgid(). It is unclear what their intent was, but they don't seem to make sense, as daemon() covers this as well and there seems to be no reason the children procs need to do that. ok claudio@ bluhm@
2022-08-31  Dave Voutila
  relayd(8): change agentx_getsock to return void
  Only has one return value and it's never checked. ok martijn@, tb@
2022-06-03  Theo Buehler
  Check tls_config_new() for NULL return
  This way we don't crash in tls_config_insecure_noverify_cert(). From Mateusz Piotrowski on bugs ok claudio
2022-03-31  Christian Weisgerber
  man pages: add missing commas between subordinate and main clauses
  jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
2022-02-06  Jonathan Gray
  remove please from manual pages
  ok jmc@ sthen@ millert@
2022-01-20  Sebastian Benoit
  catch poll() returning EINTR.
  ok millert@ claudio@
2022-01-11  Theo Buehler
  Convert relayd for opaque RSA_METHOD
  This is a mostly mechanical diff which will hopefully be superseded soon by work in libtls. ok jsing
2021-12-30  Dave Voutila
  relayd(8): don't create sockets between CAs and RELAYs.
  CA and RELAY process types don't need to communicate with other CA or RELAY processes respectively, so don't create and distribute ipc socketpairs. Tested by and ok denis@
2021-12-08  Theo Buehler
  relayd/ssl.c: Remove a workaround that uses a copy of the old
  certificate instead of using it directly because BIO_new_mem_buf() used to take a non-const buffer. This was changed in 2018, so we can now remove an XXX and simplify the code. ok bluhm
2021-12-08  Theo Buehler
  zap a stray space
2021-12-05  Jonathan Gray
  fix use after free
  ok tb@
2021-10-23  Sebastian Benoit
  do not duplicate "Connection: close" headers and only add it if it's
  not a websockets response. Reported by Marcus MERIGHI and Jonathon Fletcher, this fix is by Jonathon, Thanks! ok claudio@
2021-10-15  Christian Weisgerber
  Don't declare variables as "unsigned char *" that are passed to
  functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-09-18  Claudio Jeker
  check_send_expect() does some nasty ibuf magic to allow fn_match()
  to work with a buffer that is not a real string. The wpos is decremented in the wrong spot and would affect both binary and non-binary checks. Simplify this code by using strndup. OK rob@ benno@
2021-08-31  Martijn van Duren
  Make "relayctl reload" when agentx enabling is toggled in relayd.conf work
  consistently. OK benno@
2021-07-25  Sebastian Benoit
  The output of server_root_strip() is a string. Use the correct format
  "%s". Same for the output of relay_expand_http(). with and ok claudio@ Found by Cedric Tessier, thanks!
2021-07-14  kn
  Remove unneeded calls to tls_init(3)
  As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-12  Bob Beck
  Change the error reporting pattern throughout the tree when unveil
  fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-04-20  dv
  Move TAILQ initialization to files where they are used.
  These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units. ok bluhm@, tb@
2021-03-24  Sebastian Benoit
  Responses to HEAD requests must not have a message body (even though they have
  a Content-Length header). HTTP RFC 7231 section 4.3.2. found by niklas@, claudio@ agrees.
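Added example, not relayd's code: the two HTTP rules in the 2021-10-23 and 2021-03-24 entries above (do not duplicate "Connection: close" and do not add it to a websocket response; a HEAD response has no body even with a Content-Length header), written out as the checks a relay would run on a parsed response. The header-set layout, the helper names and the sample responses are constructed for this illustration; the rule that an existing Connection header of any value blocks adding another is an assumption made here, as is treating only a 101 with "Upgrade: websocket" as a websocket response.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Constructed model: a response header set is a fixed array of "Name: value" strings. */
#define MAXHDRS 16

struct http_headers {
	const char	*h[MAXHDRS];
	size_t		 n;
};

/*
 * RFC 7230 section 3.3.3: a response to HEAD (RFC 7231 section 4.3.2), any
 * 1xx, 204 or 304 response carries no message body, whatever Content-Length
 * says. A relay that waits for those bytes never forwards the response.
 */
int
http_response_has_body(const char *method, int status)
{
	if (strcasecmp(method, "HEAD") == 0)
		return 0;
	if (status >= 100 && status < 200)
		return 0;
	if (status == 204 || status == 304)
		return 0;
	return 1;
}

/* Case-insensitive header lookup; returns the value with leading blanks skipped, or NULL. */
const char *
http_header_value(const struct http_headers *hs, const char *name)
{
	size_t i, len = strlen(name);

	for (i = 0; i < hs->n; i++) {
		if (strncasecmp(hs->h[i], name, len) == 0 && hs->h[i][len] == ':') {
			const char *v = hs->h[i] + len + 1;
			while (*v == ' ' || *v == '\t')
				v++;
			return v;
		}
	}
	return NULL;
}

/* Number of headers with the given name; anything above one is a duplicate. */
int
http_header_count(const struct http_headers *hs, const char *name)
{
	size_t i, len = strlen(name);
	int n = 0;

	for (i = 0; i < hs->n; i++)
		if (strncasecmp(hs->h[i], name, len) == 0 && hs->h[i][len] == ':')
			n++;
	return n;
}

/* A 101 that switches to the WebSocket protocol must keep its connection open. */
int
http_is_websocket_upgrade(int status, const struct http_headers *hs)
{
	const char *u = http_header_value(hs, "Upgrade");

	return status == 101 && u != NULL && strcasecmp(u, "websocket") == 0;
}

/*
 * Append "Connection: close" unless the response already carries a
 * Connection header (a second one would be the duplicate) or is a
 * websocket upgrade. Returns 1 if added, 0 if skipped, -1 if no room.
 */
int
http_add_connection_close(int status, struct http_headers *hs)
{
	if (http_header_value(hs, "Connection") != NULL)
		return 0;
	if (http_is_websocket_upgrade(status, hs))
		return 0;
	if (hs->n >= MAXHDRS)
		return -1;
	hs->h[hs->n++] = "Connection: close";
	return 1;
}

/* Constructed responses; each returns the Connection header count afterwards. */
int
demo_plain_response(void)	/* 200 without Connection: one gets added */
{
	struct http_headers hs = { { "Content-Type: text/html", "Content-Length: 1234" }, 2 };

	http_add_connection_close(200, &hs);
	return http_header_count(&hs, "Connection");
}

int
demo_already_close(void)	/* backend already said close: still exactly one */
{
	struct http_headers hs = { { "Content-Length: 0", "connection: close" }, 2 };

	http_add_connection_close(200, &hs);
	return http_header_count(&hs, "Connection");
}

int
demo_websocket(void)		/* 101 websocket upgrade: none added */
{
	struct http_headers hs = { { "Upgrade: websocket", "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" }, 2 };

	http_add_connection_close(101, &hs);
	return http_header_count(&hs, "Connection");
}

int
main(void)
{
	printf("HEAD 200 has body: %d, GET 200 has body: %d, GET 304 has body: %d\n",
	    http_response_has_body("HEAD", 200), http_response_has_body("GET", 200),
	    http_response_has_body("GET", 304));
	printf("Connection headers: plain=%d already-close=%d websocket=%d\n",
	    demo_plain_response(), demo_already_close(), demo_websocket());
	return 0;
}
```

The has-body decision is taken from the request method plus the status line, before any Content-Length is trusted; the header-count helper is what a regression test for the duplicate-header bug would assert on.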
2021-03-23  Claudio Jeker
  Timed out RSA key ops may leave uncalled-for responses in the imsg return
  path. These have to be dropped or every subsequent call will cause decrypt errors. Use a sequence number cookie to keep the systems in sync. Diff from niklas@ with some minor adjustments by myself.
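Added example, not relayd's code: a constructed model of the failure mode in the entry above and of the sequence-number cookie that fixes it. One process issues private-key operations to a helper and reads replies back over a return path; when a request times out, its reply can still arrive later and, without a cookie, is consumed as the answer to the next request, which then misses its own reply, and so on down the line. The state names, the fixed reply size and the single-outstanding-request model are assumptions made here for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the requesting side of a privsep key-op channel. */
enum keyop_status { KEYOP_IDLE, KEYOP_PENDING, KEYOP_TIMEDOUT };

struct keyop_reply {
	uint64_t cookie;	/* sequence number echoed back by the key-holding side */
	size_t   len;
	uint8_t  data[32];
};

struct keyop_state {
	uint64_t	  next_cookie;	/* next sequence number to hand out */
	uint64_t	  cookie;	/* cookie of the request currently in flight */
	enum keyop_status status;
	size_t		  resultlen;
	uint8_t		  result[32];
};

void
keyop_init(struct keyop_state *ks)
{
	memset(ks, 0, sizeof(*ks));
	ks->next_cookie = 1;
	ks->status = KEYOP_IDLE;
}

/* Issue a request; the cookie travels with the message and comes back in the reply. */
uint64_t
keyop_send(struct keyop_state *ks)
{
	ks->cookie = ks->next_cookie++;
	ks->status = KEYOP_PENDING;
	ks->resultlen = 0;
	return ks->cookie;
}

/* The requester gave up waiting; the other side may still answer this cookie later. */
void
keyop_timeout(struct keyop_state *ks)
{
	if (ks->status == KEYOP_PENDING)
		ks->status = KEYOP_TIMEDOUT;
}

/* Pre-cookie behaviour (the bug): whatever reply shows up next is taken as the result. */
int
keyop_recv_nocookie(struct keyop_state *ks, const struct keyop_reply *r)
{
	if (ks->status != KEYOP_PENDING)
		return 0;
	memcpy(ks->result, r->data, r->len);
	ks->resultlen = r->len;
	ks->status = KEYOP_IDLE;
	return 1;
}

/* With the cookie: a reply is accepted only if it answers the request in flight. */
int
keyop_recv(struct keyop_state *ks, const struct keyop_reply *r)
{
	if (ks->status != KEYOP_PENDING || r->cookie != ks->cookie)
		return 0;	/* stale (timed-out) or unexpected reply: drop it */
	memcpy(ks->result, r->data, r->len);
	ks->resultlen = r->len;
	ks->status = KEYOP_IDLE;
	return 1;
}

/*
 * Scenario: request 1 times out, request 2 is issued, then the late reply
 * to request 1 arrives, followed by the real reply to request 2. Each reply
 * carries its request number as payload, so the return value says which
 * request's data ended up as the result of request 2 (2 is correct).
 */
static uint64_t
run_scenario(int (*recv)(struct keyop_state *, const struct keyop_reply *))
{
	struct keyop_state ks;
	struct keyop_reply late = { .cookie = 0, .len = 1, .data = { 1 } };
	struct keyop_reply good = { .cookie = 0, .len = 1, .data = { 2 } };

	keyop_init(&ks);
	late.cookie = keyop_send(&ks);
	keyop_timeout(&ks);
	good.cookie = keyop_send(&ks);
	recv(&ks, &late);
	recv(&ks, &good);
	return ks.resultlen == 1 ? ks.result[0] : 0;
}

uint64_t result_without_cookie(void) { return run_scenario(keyop_recv_nocookie); }
uint64_t result_with_cookie(void)    { return run_scenario(keyop_recv); }

int
main(void)
{
	printf("without cookie: request 2 received the data of request %llu\n",
	    (unsigned long long)result_without_cookie());
	printf("with cookie:    request 2 received the data of request %llu\n",
	    (unsigned long long)result_with_cookie());
	return 0;
}
```

In the no-cookie run the stale reply is consumed as the signature for request 2 and the genuine reply to request 2 is left sitting in the return path for request 3, which is the cascading decrypt-error pattern the entry describes.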
2021-02-22  Jonathan Matthew
  Use the F_CHECK_SENT and F_CHECK_DONE flags to determine whether a
  previous attempt at running a check script has finished yet, so we can avoid building up a backlog of check requests. ok dlg@ tb@ giovanni@
2021-01-27  Eric Faurot
  remove bogus key hack now that it's handled by libtls
  no objection claudio@ ok tb@ jsing@
2021-01-27  Theo de Raadt
  these programs (with common ancestry) had a -fno-common problem related
  to privsep_procid. ok mortimer
2021-01-17  rob
  Don't leak host address. Found with clang static analyzer.
  OK tb@
2021-01-11  Ricardo Mestre
  Stop deleting the control socket on daemon shutdown, like we did on other
  daemons. This avoids giving an additional permission (in this case unveil(2) "c") to the daemon just to be able to delete the socket and we already discussed in the past that leaving that file behind doesn't cause any problems. Discussed with deraadt@ rob@ florian@ OK rob@ benno@ deraadt@
2021-01-09  denis
  Add 'strip' directive
  Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa OK benno@
2020-12-29  Sebastian Benoit
  getifaddrs() can return entries where ifa_addr is NULL. Check for this
  before accessing anything in ifa_addr. ok claudio@
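Added example, not relayd's code: an ifaddrs walk that routes every access to ifa_addr through one helper which checks for NULL first, run both over a constructed list containing an address-less entry and over the live system. The helper names and the interface list (names, addresses) are made up for this illustration.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* Render the IP address of one entry into buf; 0 if the entry has no usable address. */
int
ifaddr_to_string(const struct ifaddrs *ifa, char *buf, size_t buflen)
{
	const void *src;

	if (ifa->ifa_addr == NULL)	/* getifaddrs() may return address-less entries */
		return 0;
	switch (ifa->ifa_addr->sa_family) {
	case AF_INET:
		src = &((const struct sockaddr_in *)ifa->ifa_addr)->sin_addr;
		break;
	case AF_INET6:
		src = &((const struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr;
		break;
	default:
		return 0;	/* link-layer and other families are not IP addresses */
	}
	return inet_ntop(ifa->ifa_addr->sa_family, src, buf, (socklen_t)buflen) != NULL;
}

/* Count the IP addresses in a list; NULL ifa_addr entries are skipped, never dereferenced. */
int
count_ip_ifaddrs(const struct ifaddrs *ifap)
{
	const struct ifaddrs *ifa;
	char buf[INET6_ADDRSTRLEN];
	int n = 0;

	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
		if (ifaddr_to_string(ifa, buf, sizeof(buf)))
			n++;
	return n;
}

/*
 * Constructed list (not read from a real system): an entry whose ifa_addr
 * is NULL, followed by an IPv4 and an IPv6 entry. Returns 2.
 */
int
demo_constructed_list(void)
{
	struct sockaddr_in sin;
	struct sockaddr_in6 sin6;
	struct ifaddrs e[3];

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	inet_pton(AF_INET, "192.0.2.10", &sin.sin_addr);
	memset(&sin6, 0, sizeof(sin6));
	sin6.sin6_family = AF_INET6;
	inet_pton(AF_INET6, "2001:db8::1", &sin6.sin6_addr);

	memset(e, 0, sizeof(e));
	e[0].ifa_name = "tun0";
	e[0].ifa_addr = NULL;			/* the case the check guards against */
	e[0].ifa_next = &e[1];
	e[1].ifa_name = "em0";
	e[1].ifa_addr = (struct sockaddr *)&sin;
	e[1].ifa_next = &e[2];
	e[2].ifa_name = "em0";
	e[2].ifa_addr = (struct sockaddr *)&sin6;
	e[2].ifa_next = NULL;
	return count_ip_ifaddrs(e);
}

int
main(void)
{
	struct ifaddrs *ifap, *ifa;
	char buf[INET6_ADDRSTRLEN];

	printf("constructed list: %d IP addresses\n", demo_constructed_list());
	if (getifaddrs(&ifap) == -1) {
		perror("getifaddrs");
		return 1;
	}
	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
		if (ifaddr_to_string(ifa, buf, sizeof(buf)))
			printf("%s %s\n", ifa->ifa_name, buf);
	freeifaddrs(ifap);
	return 0;
}
```

Keeping the NULL check inside the one function that reads ifa_addr, rather than at each call site, is what stops the next caller from reintroducing the crash.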
2020-10-30  Martijn van Duren
  Use metrics instead of statistics. Also point people where in the tree
  they might be able to find said metrics. OK denis@ jmc@
2020-10-30  Martijn van Duren
  Remove deprecated snmp keyword.
  OK denis@
2020-10-27  Martijn van Duren
  Add some additional INT32_MAX overflow checks. These are unlikely to hit,
  but better safe than sorry. OK tb@
2020-10-26  Martijn van Duren
  Let relayd make use of libagentx. No functional change intended.
  OK tb@ Enthusiasm from Mischa Peters
2020-10-25  denis
  Remove trailing spaces & tabs
2020-10-22  Sebastian Benoit
  support for session resumption in TLS1.3 does not exist yet, as
  confirmed by tb@. While there remove the "no" in front of the statement. text from tb@
2020-10-22  Sebastian Benoit
  session tickets are disabled by default, correct the manpage.
  ok claudio
2020-09-30  Martijn van Duren
  Sync with libagentx
2020-09-29  Martijn van Duren
  Sync with libagentx
2020-09-15  Martijn van Duren
  s/sizeof(ipaddress)/sizeof(*ipaddress)/g
  This is no issue, since a pointer is always >= 4 bytes, but incorrect is incorrect. Found by tb's static analyzer. OK beck@
2020-09-15  Martijn van Duren
  Fix a dead store and a wrong-level NULL-check.
  Found by the static analyzer from tb@ OK beck@
2020-09-14  Martijn van Duren
  Rewrite the agentx code of relayd. This new framework should allow us
  to add new objects easier if so desired and should handle a lot more corner-cases. This commit should also fix the following:
  - On most (all) tables it omits the *Entry elements, making it not map to OPENBSD-RELAYD-MIB.txt.
  - sstolen returns the size of the sockaddr_in{,6}, instead of the sin{,6}_addr resulting in garbage data to be put in the ip-field.
  - relaydSessionPortIn and relaydSessionPortOut are swapped
  - relaydSessions only uses relaydSessionIndex, while OPENBSD-RELAYD-MIB.txt says it should have 2 indices
  - miscellaneous minor things related to the AGENTX-protocol, like wonky index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT should be returned, etc.
  This commit does remove traps, but it's large enough as is and I intend to add it soon(tm). It also deprecates the snmp keyword in favour of an agentx keyword. The snmp keyword is still available, but will be removed in the future. Tweaks and OK denis@ on the relayd parts Tweaks and OK claudio@ on the agentx parts "Get it in" deraadt@
2020-09-04  bket
  Replace TAILQ concatenation loop with TAILQ_CONCAT
  OK millert@, florian@
2020-08-19  Ricardo Mestre
  add unveil(2) again
  this allows reading from anywhere in the filesystem (in order to read the config file and those ones included from it), but also executing, which I missed from my last attempt, because it's required for "check script(s)". even though it's a broad permission, and the main proc cannot be pledged due to forbidden ioctls, then this at least prevents it from creating/writing/deleting files which is not required here. OK benno@ a long time ago
2020-07-01  Martijn van Duren
  Remove references to snmpd(8) now that agentx support has been removed.
  Prodded by and OK jmc@
2020-06-30  Martijn van Duren
  Allow relayd to compile without reaching back into snmpd directory for
  agentx header. OK denis@
2020-06-05  denis
  Remove redundant code
  Reported by Prof. Dr. Steffen Wendzel <wendzel @ hs-worms . de>, thanks! OK martijn@ sthen@
2020-05-14  pvk
  Enable TLSv1.3 support in relayd(8)
  with the help from tb@ jsing@; ok tb@
2020-05-02  Sebastian Benoit
  Repair the description of "edh [params (none|auto|legacy)]" to
  configure EDH-based cipher suites with Perfect Forward Secrecy (PFS) for older clients that do not support ECDHE. Problem noticed and initial diff by Jesper Wallin, thanks! ok kn@
2020-04-23  Jason McIntyre
   ce examples of "Ar arg Ar arg" with "Ar arg arg" and stop the spread;