path: root/usr.sbin/relayd

Age  Commit message  Author

2024-08-10  relayd: improve config validation with -n  (Theo Buehler)
    pf's rule names are limited to 32 characters, so lower the length bounds for redirect names and tags that relayd accepts as valid config but would later fail to load into pf. Also display the offending name on error. from Mark Johnston ok florian

2024-07-20  Fix regression introduced in previous causing HEAD requests to be  (Anton Lindqvist)
    erroneously rejected as malformed. ok chrisz@

2024-07-19  Keep Content-length header in HEAD responses.  (Christopher Zimmermann)
    ok millert@

2024-07-14  new sentence, new line  (Jonathan Gray)

2024-07-08  cleanup unused variable  (Florian Obser)

2024-06-17  The fix comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr).  (Alexandr Nedvedicky)
    When relayd(8) handles the 'host disable/enable' command issued by relayctl(8), it disables the redirect it finds in tables for the particular host. However, there can be multiple redirect instances which use the same host in relayd(8) tables. This change makes relayd(8) walk through all tables and disable all redirects which match the host. OK giovanni@, OK sashan@

2024-06-17  Change adds a 'log' option to relayd.conf(5) rule. The relayd(8) then uses  (Alexandr Nedvedicky)
    the option to set the corresponding `log` action in the pf(4) rules it generates to handle network traffic. The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr). OK sashan@

2024-05-18  remove prototypes with no matching function  (Jonathan Gray)

2024-01-17  Use imsg_get_fd()  (Claudio Jeker)
    As usual proc_forward_imsg() is never forwarding a file descriptor so just use -1 there. This should be replaced by imsg_forward(). All other changes are simple conversions. OK tb@
2023-12-01  relay_read_http: strip out Content-Length if we strip the body too  (Todd C. Miller)
    We should not forward Content-Length if the body is not also forwarded.

2023-11-29  relay_read_http: defer header parsing until after line continuation  (Todd C. Miller)
    Wait until we have a complete line before parsing the Content-Length, Transfer-Encoding and Host headers. This prevents potential request smuggling attacks. Filtering already happens after header line continuation has been performed. Reported by Ben Kallus. OK claudio@

2023-11-28  relay_read_http: tighten up header parsing  (Todd C. Miller)
    1) reject headers with embedded NULs
    2) reject headers with invalid characters in the name
    3) reject Transfer-Encoding with values other than "chunked"
    4) reject chunk values containing non-hex characters
    5) reject Content-Length values of "+0" or "-0"
    6) reject requests without a ' ' and headers without a ':'
    Reported by Ben Kallus, OK bluhm@

2023-10-29  Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning  (Klemens Nanni)
    Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years; "ssl" is now an error. Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section. OK benno

2023-09-14  Revert the previous. It was committed by my mistake.  (YASUOKA Masahiko)

2023-09-14  Clarify the interval after 30sec.  (YASUOKA Masahiko)

2023-09-03  Use EVBUFFER_DATA instead of reaching into struct evbuffer. ok tb  (Nicholas Marriott)

2023-07-16  relayd: remove ENGINE dependency  (Theo Buehler)
    What is achieved here through ENGINE can be done in a much simpler way by setting the default RSA implementation. Drop a number of indirections that only add a bit of logging. This removes a lot of boilerplate and shows where the actual magic happens more clearly. ok op tobhe

2023-07-03  Use ibuf_data() instead of accessing ibuf->buf directly.  (Claudio Jeker)
    OK tb@

2023-06-30  let check_table() also print table@anchor when it exits  (Alexandr Nedvedicky)
    unexpectedly via call to fatal() OK claudio@

2023-06-29  Spaces vs tabs  (Claudio Jeker)
    from florian@

2023-06-29  Rewrite pfe_route() to actually work on 64bit archs since IPv6 had to be  (Claudio Jeker)
    special. One cannot define a struct for the route message since there is different padding between 32 and 64 bit systems for struct sockaddr_in6. Instead do what all other daemons do and use struct sockaddr_storage, iovec and writev. Problem reported by Joerg Streckfuss (streckfuss at dfn-cert.de) OK tb@
2023-06-25  remove ssl_init()  (Omar Polo)
    it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything. ok tb

2023-06-21  Simplify and clean up the code. Try to use more ibuf idioms but the  (Claudio Jeker)
    mix of types used in these functions makes this rather hard. The expected data checks are still not great but a step in the right direction. OK tb@

2023-06-21  Convert string2binary() to use new ibuf api instead of working with an  (Claudio Jeker)
    extra buffer first. OK tb@

2023-06-20  Replace a ibuf_reserve() dance to add a NUL byte with ibuf_add_zero(buf, 1).  (Claudio Jeker)
    Same thing but far less nasty. OK tb@

2023-06-11  fix typo: 'hash buffer to small' -> too small  (Omar Polo)

2023-06-06  Make the tlsv1.0 and tlsv1.1 options in relayd do nothing  (Bob Beck)
    Also document that fact, and that the existing ssl3 option does nothing. This changes relayd to no longer request tls1.0 or tls1.1 in preparation for the upcoming deprecation of these out of date protocols. ok jsing@ bluhm@ tb@ claudio@ benno@

2023-03-26  Add missing #include <openssl/err.h>  (Theo Buehler)

2023-03-08  Delete obsolete /* ARGSUSED */ lint comments.  (Philip Guenther)
    ok miod@ millert@

2023-02-15  proc_ispeer() is not used anywhere anymore so remove it everywhere.  (Tobias Heider)
    ok florian@ bluhm@ ok for vmd mlarkin@

2022-12-28  {en,de}queing -> {en,de}queuing; from paul tagliamonte  (Jason McIntyre)

2022-12-28  spelling fixes; from paul tagliamonte  (Jason McIntyre)
    any parts of his diff not taken are noted on tech

2022-11-10  In case RSA_meth_new fails, errstr would be passed to fatalx without  (Moritz Buhl)
    initialization. OK tb

2022-11-10  always call va_end.  (Moritz Buhl)
    ok tb

2022-09-03  Move the daemon() call in the parent process from after forking the  (Sebastian Benoit)
    children to just before. That way the parent disassociates from its controlling terminal and shell, but not from its children. Remove the dup2() bits that were copied from daemon() to solve the problem that the children still had the stdio fds open. This is now done in the parent earlier. Remove the setsid() and setpgid(). It is unclear what their intent was, but they don't seem to make sense, as daemon() covers this as well and there seems to be no reason the children procs need to do that. ok claudio@ bluhm@
2022-08-31  relayd(8): change agentx_getsock to return void  (Dave Voutila)
    Only has one return value and it's never checked. ok martijn@, tb@

2022-06-03  Check tls_config_new() for NULL return  (Theo Buehler)
    This way we don't crash in tls_config_insecure_noverify_cert(). From Mateusz Piotrowski on bugs ok claudio

2022-03-31  man pages: add missing commas between subordinate and main clauses  (Christian Weisgerber)
    jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@

2022-02-06  remove please from manual pages  (Jonathan Gray)
    ok jmc@ sthen@ millert@

2022-01-20  catch poll() returning EINTR.  (Sebastian Benoit)
    ok millert@ claudio@

2022-01-11  Convert relayd for opaque RSA_METHOD  (Theo Buehler)
    This is a mostly mechanical diff which will hopefully be superseded soon by work in libtls. ok jsing

2021-12-30  relayd(8): don't create sockets between CAs and RELAYs.  (Dave Voutila)
    CA and RELAY process types don't need to communicate with other CA or RELAY processes respectively, so don't create and distribute ipc socketpairs. Tested by and ok denis@

2021-12-08  relayd/ssl.c: Remove a workaround that uses a copy of the old  (Theo Buehler)
    certificate instead of using it directly because BIO_new_mem_buf() used to take a non-const buffer. This was changed in 2018, so we can now remove an XXX and simplify the code. ok bluhm

2021-12-08  zap a stray space  (Theo Buehler)

2021-12-05  fix use after free  (Jonathan Gray)
    ok tb@

2021-10-23  do not duplicate "Connection: close" headers and only add it if it's  (Sebastian Benoit)
    not a websockets response. Reported by Marcus MERIGHI and Jonathon Fletcher, this fix is by Jonathon, Thanks! ok claudio@

2021-10-15  Don't declare variables as "unsigned char *" that are passed to  (Christian Weisgerber)
    functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@

2021-09-18  check_send_expect() does some nasty ibuf magic to allow fn_match()  (Claudio Jeker)
    to work with a buffer that is not a real string. The wpos is decremented in the wrong spot and would affect both binary and non-binary checks. Simplify this code by using strndup. OK rob@ benno@

2021-08-31  Make "relayctl reload" when agentx enabling is toggled in relayd.conf work  (Martijn van Duren)
    consistently. OK benno@

2021-07-25  The output of server_root_strip() is a string. Use the correct format  (Sebastian Benoit)
    "%s". Same for the output of relay_expand_http(). with and ok claudio@ Found by Cedric Tessier, thanks!