#
668e5ba9 |
| 21-Nov-2024 |
claudio <claudio@openbsd.org> |
Convert the common imsgbuf_read calls to the post EAGAIN world.
OK tb@
|
#
dd7efffe |
| 21-Nov-2024 |
claudio <claudio@openbsd.org> |
Rename imsg_init, imsg_clear, imsg_read, imsg_write and imsg_flush to imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush.
This separates the imsgbuf API from the per-imsg API.
OK tb@
|
#
27f65520 |
| 16-Jul-2023 |
tb <tb@openbsd.org> |
relayd: remove ENGINE dependency
What is achieved here through ENGINE can be done in a much simpler way by setting the default RSA implementation. Drop a number of indirections that only add a bit of logging. This removes a lot of boiler plate and shows where the actual magic happens more clearly.
ok op tobhe
|
#
7078bf6a |
| 11-Jun-2023 |
op <op@openbsd.org> |
fix typo: 'hash buffer to small' -> too small
|
#
f1b4a8a5 |
| 26-Mar-2023 |
tb <tb@openbsd.org> |
Add missing #include <openssl/err.h>
|
#
3b59bd4a |
| 10-Nov-2022 |
mbuhl <mbuhl@openbsd.org> |
In case RSA_meth_new fails, errstr would be passed to fatalx without initialization. OK tb
|
#
5fa7fa1a |
| 20-Jan-2022 |
benno <benno@openbsd.org> |
catch poll() returning EINTR. ok millert@ claudio@
|
#
ad3e8fb5 |
| 11-Jan-2022 |
tb <tb@openbsd.org> |
Convert relayd for opaque RSA_METHOD
This is a mostly mechanical diff which will hopefully be superseded soon by work in libtls.
ok jsing
|
#
4c23ab60 |
| 08-Dec-2021 |
tb <tb@openbsd.org> |
zap a stray space
|
#
c7e61995 |
| 23-Mar-2021 |
claudio <claudio@openbsd.org> |
Timed out RSA key ops, may leave uncalled for responses in the imsg return path. These have to be dropped or every subsequent call will cause decrypt errors. Use a sequence number cookie to keep the systems in sync. Diff from niklas@ with some minor adjustments by myself.
|
#
f2f4e153 |
| 31-May-2019 |
reyk <reyk@openbsd.org> |
Move the relay keys/certs into a separate global list and look them up by id.
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
#
917ba595 |
| 19-Sep-2018 |
reyk <reyk@openbsd.org> |
Do not abort when the ca privenc runs into a timeout.
OK claudio@
|
#
7084d095 |
| 24-Jan-2018 |
claudio <claudio@openbsd.org> |
Log some more errors in the ca code, since there seems to be still a bug hidden somewhere. Also return after a poll timeout, there is no reason to wait longer than a second for the answer of the ca process. OK jsing@
|
#
e45fc33a |
| 01-Jan-2018 |
claudio <claudio@openbsd.org> |
RSA_private_{en,de}crypt() can fail and will return -1 in that case. Check for this in the ca process and return a valid answer to the relay process. This fixes rsae_send_imsg poll timeouts blocking relay processes as seen by Mischa Peters and myself. OK benno@
|
#
0987b10d |
| 28-Nov-2017 |
claudio <claudio@openbsd.org> |
relay_load_fd() is no longer clobbering errno in the error case so use fatal() instead of fatalx()
|
#
a7c0a300 |
| 27-Nov-2017 |
bluhm <bluhm@openbsd.org> |
Make ca_launch error messages unique. OK claudio@
|
#
114ce177 |
| 27-Nov-2017 |
claudio <claudio@openbsd.org> |
Use file descriptor passing to load certificates into the relays. Especially the ca file (having all the trusted certs in them) can be so big that loading via imsg fails. OK beck@
|
#
23276981 |
| 09-Aug-2017 |
claudio <claudio@openbsd.org> |
Use X509_pubkey_digest() like libtls to hash the keys for the TLS privsep code. This fixes interception mode (since there we rewrite the CERT which would alter the hash of the cert but the keys still remain the same). OK bluhm@ and jsing@
|
#
f8a1e24f |
| 28-Jul-2017 |
bluhm <bluhm@openbsd.org> |
Always calculate the hash value of the x509 cert in ssl_load_pkey(). Check whether TLS server object is available before using it. With these fixes the ssl inspect regress test just fails and does not crash relayd. OK claudio@
|
#
efc39811 |
| 28-May-2017 |
benno <benno@openbsd.org> |
use __func__ in log messages. fix some whitespace while here. From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks! ok florian, claudio
|
#
85e5f500 |
| 27-May-2017 |
claudio <claudio@openbsd.org> |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
#
910da3cf |
| 06-Apr-2017 |
gsoares <gsoares@openbsd.org> |
fix format string found by clang -Wformat-security OK deraadt millert
|
#
f9b0f55c |
| 28-Sep-2016 |
reyk <reyk@openbsd.org> |
Add -Wcast-qual and cast away one false positive where we use a const u_char * variable for an iovec from within the libcrypto engine callback.
OK millert@
|
#
3d6ff6ed |
| 03-Sep-2016 |
reyk <reyk@openbsd.org> |
Use the fork+exec privsep model in relayd; based on rzalamena@'s work for httpd with some (current and previous) changes for relayd. Once again, both daemons now share the same proc.c where most of the privsep "magic" happens.
OK benno@ rzalamena@
|
#
586b5f8a |
| 02-Sep-2016 |
reyk <reyk@openbsd.org> |
Split "struct relayd" into two structs: "struct relayd" and "struct relayd_config". This way we can send all the relevant global configuration to the children, not just the flags and the opts.
With input from and OK claudio@ benno@
|