Age | Commit message | Author |
|
pf's rule names are limited to 32 characters, so lower the length bounds
for redirect names and tags that relayd accepts as valid config but would
later fail to load into pf. Also display the offending name on error.
from Mark Johnston
ok florian
|
|
erroneously rejected as malformed.
ok chrisz@
|
|
ok millert@
|
|
|
|
|
|
When relayd(8) handles the 'host disable/enable' command issued by relayctl(8),
it disables the redirect it finds in tables for the particular host. However, there can
be multiple redirect instances which use the same host in relayd(8) tables.
This change makes relayd(8) walk through all tables and disable all redirects
which match the host.
OK giovanni@, OK sashan@
|
|
the option to set corresponding `log` action in pf(4) rules it generates
to handle network traffic.
The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).
OK sashan@
|
|
|
|
As usual proc_forward_imsg() is never forwarding a file descriptor so
just use -1 there. This should be replaced by imsg_forward().
All other changes are simple conversions.
OK tb@
|
|
We should not forward Content-Length if the body is not also forwarded.
|
|
Wait until we have a complete line before parsing the Content-Length,
Transfer-Encoding and Host headers. This prevents potential request
smuggling attacks. Filtering already happens after header line
continuation has been performed. Reported by Ben Kallus.
OK claudio@
|
|
1) reject headers with embedded NULs
2) reject headers with invalid characters in the name
3) reject Transfer-Encoding with values other than "chunked"
4) reject chunk values containing non-hex characters
5) reject Content-Length values of "+0" or "-0"
6) reject requests without a ' ' and headers without a ':'
Reported by Ben Kallus, OK bluhm@
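The two commits above (parse Content-Length, Transfer-Encoding and Host only once a complete line is buffered; reject the six malformed-header shapes) describe the checks but not the code. The block below is an added example written for this page, not relayd's own parser: every function and enum name is this example's own, it validates one header line at a time and assumes any header-line continuation has already been folded (as the commit says relayd does), it refuses chunk extensions as well as non-hex chunk sizes, and it requires Content-Length to be plain decimal digits, which is stricter than the "+0"/"-0" case the commit names. All sample lines in the test are constructed, not captured traffic.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Outcome of checking one header line; HDR_INCOMPLETE means "keep buffering":
 * smuggling tricks rely on a parser committing to a partial header value. */
enum hdr_result {
	HDR_OK = 0, HDR_INCOMPLETE,
	HDR_BAD_NUL,	/* 1) embedded NUL */
	HDR_BAD_NAME,	/* 2) invalid character in the field name */
	HDR_BAD_TE,	/* 3) Transfer-Encoding other than "chunked" */
	HDR_BAD_CL,	/* 5) Content-Length not plain digits ("+0", "-0", ...) */
	HDR_NO_COLON	/* 6) header line without ':' */
};

/* Length of the first complete line in buf, LF included; 0 if none yet. */
size_t complete_line_len(const char *buf, size_t len)
{
	const char *nl = memchr(buf, '\n', len);
	return nl == NULL ? 0 : (size_t)(nl - buf) + 1;
}

/* RFC 7230 tchar: the only characters allowed in a field name. */
bool is_tchar(unsigned char c)
{
	return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

enum hdr_result validate_header_line(const char *buf, size_t len)
{
	size_t linelen = complete_line_len(buf, len), end, namelen, vallen, i;
	const char *colon, *val, *valend;

	if (linelen == 0)
		return HDR_INCOMPLETE;
	if (memchr(buf, '\0', linelen) != NULL)		/* 1) before any str*() */
		return HDR_BAD_NUL;
	end = linelen - 1;				/* drop LF, then a CR */
	if (end > 0 && buf[end - 1] == '\r')
		end--;
	if ((colon = memchr(buf, ':', end)) == NULL)	/* 6) */
		return HDR_NO_COLON;
	namelen = (size_t)(colon - buf);
	if (namelen == 0)				/* 2) non-empty, tchars only */
		return HDR_BAD_NAME;
	for (i = 0; i < namelen; i++)
		if (!is_tchar((unsigned char)buf[i]))
			return HDR_BAD_NAME;
	val = colon + 1;				/* strip optional whitespace */
	valend = buf + end;
	while (val < valend && (*val == ' ' || *val == '\t'))
		val++;
	while (valend > val && (valend[-1] == ' ' || valend[-1] == '\t'))
		valend--;
	vallen = (size_t)(valend - val);
	if (namelen == 17 && strncasecmp(buf, "Transfer-Encoding", 17) == 0 &&
	    (vallen != 7 || strncasecmp(val, "chunked", 7) != 0))
		return HDR_BAD_TE;			/* 3) */
	if (namelen == 14 && strncasecmp(buf, "Content-Length", 14) == 0) {
		if (vallen == 0)			/* 5) digits only, so "+0"/"-0" fail */
			return HDR_BAD_CL;
		for (i = 0; i < vallen; i++)
			if (!isdigit((unsigned char)val[i]))
				return HDR_BAD_CL;
	}
	return HDR_OK;
}

/* 6) a request line must contain a ' ' (method SP target SP version). */
bool request_line_ok(const char *buf, size_t len)
{
	size_t linelen = complete_line_len(buf, len);
	return linelen > 0 && memchr(buf, '\0', linelen) == NULL &&
	    memchr(buf, ' ', linelen) != NULL;
}

/* 4) a chunk-size line must be hex digits only; this example does not accept
 * chunk extensions (";name=value") either. */
bool chunk_size_ok(const char *buf, size_t len)
{
	size_t linelen = complete_line_len(buf, len), end, i;
	if (linelen == 0)
		return false;
	end = linelen - 1;
	if (end > 0 && buf[end - 1] == '\r')
		end--;
	for (i = 0; i < end; i++)
		if (!isxdigit((unsigned char)buf[i]))
			return false;
	return end > 0;
}
```

The functions take an explicit length rather than a C string so that rule 1 (embedded NUL) can be checked with memchr() before any str*() call silently truncates the line, and the caller is expected to feed them from its read buffer only after complete_line_len() reports a terminator, which is the point of the "wait for a complete line" commit.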
|
|
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last
ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno
|
|
|
|
|
|
|
|
What is achieved here through ENGINE can be done in a much simpler way
by setting the default RSA implementation. Drop a number of indirections
that only add a bit of logging. This removes a lot of boilerplate and
shows where the actual magic happens more clearly.
ok op tobhe
|
|
OK tb@
|
|
unexpectedly via a call to fatal()
OK claudio@
|
|
from florian@
|
|
special. One cannot define a struct for the route message since there is
different padding between 32 and 64 bit systems for struct sockaddr_in6.
Instead do what all other daemons do and use struct sockaddr_storage,
iovec and writev.
Problem reported by Joerg Streckfuss (streckfuss at dfn-cert.de)
OK tb@
|
|
it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.
ok tb
|
|
mix of types used in these functions make this rather hard.
The expected data checks are still not great but a step in the right
direction.
OK tb@
|
|
extra buffer first.
OK tb@
|
|
Same thing but far less nasty.
OK tb@
|
|
|
|
Also document that fact, and that the existing ssl3 option
does nothing. This changes relayd to no longer request tls1.0
or tls1.1 in preparation for the upcoming deprecation of these
out-of-date protocols.
ok jsing@ bluhm@ tb@ claudio@ benno@
|
|
|
|
ok miod@ millert@
|
|
ok florian@ bluhm@
ok for vmd mlarkin@
|
|
|
|
any parts of his diff not taken are noted on tech
|
|
initialization.
OK tb
|
|
ok tb
|
|
children to just before. That way the parent disassociates from its
controlling terminal and shell, but not from its children.
Remove the dup2() bits that were copied from daemon() to solve the
problem that the children still had the stdio fds open. This is now
done in the parent earlier.
Remove the setsid() and setpgid(). It is unclear what their intent
was, but they don't seem to make sense, as daemon() covers this as well
and there seems to be no reason the children procs need to do that.
ok claudio@ bluhm@
|
|
Only has one return value and it's never checked.
ok martijn@, tb@
|
|
This way we don't crash in tls_config_insecure_noverify_cert().
From Mateusz Piotrowski on bugs
ok claudio
|
|
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
|
ok jmc@ sthen@ millert@
|
|
ok millert@ claudio@
|
|
This is a mostly mechanical diff which will hopefully be superseded
soon by work in libtls.
ok jsing
|
|
CA and RELAY process types don't need to communicate with other CA
or RELAY processes respectively, so don't create and distribute ipc
socketpairs.
Tested by and ok denis@
|
|
certificate instead of using it directly because BIO_new_mem_buf()
used to take a non-const buffer. This was changed in 2018, so we
can now remove an XXX and simplify the code.
ok bluhm
|
|
|
|
ok tb@
|
|
not a websockets response.
Reported by Marcus MERIGHI and Jonathon Fletcher; this fix is by Jonathon. Thanks!
ok claudio@
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
to work with a buffer that is not a real string.
The wpos is decremented in the wrong spot and would affect both
binary and non binary checks.
Simplify this code by using strndup.
OK rob@ benno@
|
|
consistently.
OK benno@
|
|
"%s". Same for the output of relay_expand_http().
with and ok claudio@
Found by Cedric Tessier, thanks!
|