author | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-07 06:26:29 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-07 06:26:29 +0000 |
commit | 2e4a50205666ffc75a3ae8f818e9bbf73dccb17e (patch) | |
tree | 00a52d5caaedf428f146ecc1cbf9580e03161d9d /usr.sbin/httpd | |
parent | e7d11137f5bc8b9e202f79b02a10d5ba2b90cd1b (diff) |
Add httpd configuration options to allow the specification of DHE
parameters and the ECDHE curve. This primarily allows for DHE cipher suites
to be enabled.
ok reyk@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r-- | usr.sbin/httpd/httpd.h | 6 | ||||
-rw-r--r-- | usr.sbin/httpd/parse.y | 39 | ||||
-rw-r--r-- | usr.sbin/httpd/server.c | 13 |
3 files changed, 51 insertions, 7 deletions
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h index d2f64699470..b046d04f8b3 100644 --- a/usr.sbin/httpd/httpd.h +++ b/usr.sbin/httpd/httpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: httpd.h,v 1.75 2015/02/07 01:23:12 reyk Exp $ */ +/* $OpenBSD: httpd.h,v 1.76 2015/02/07 06:26:28 jsing Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -48,6 +48,8 @@ #define HTTPD_TLS_CERT "/etc/ssl/server.crt" #define HTTPD_TLS_KEY "/etc/ssl/private/server.key" #define HTTPD_TLS_CIPHERS "HIGH:!aNULL" +#define HTTPD_TLS_DHE_PARAMS "none" +#define HTTPD_TLS_ECDHE_CURVE "auto" #define FD_RESERVE 5 #define SERVER_MAX_CLIENTS 1024 @@ -403,6 +405,8 @@ struct server_config { off_t tls_cert_len; char *tls_cert_file; char tls_ciphers[NAME_MAX]; + char tls_dhe_params[NAME_MAX]; + char tls_ecdhe_curve[NAME_MAX]; char *tls_key; off_t tls_key_len; char *tls_key_file; diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y index daf61c2055d..3c4585a24dd 100644 --- a/usr.sbin/httpd/parse.y +++ b/usr.sbin/httpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.61 2015/02/07 01:23:12 reyk Exp $ */ +/* $OpenBSD: parse.y,v 1.62 2015/02/07 06:26:28 jsing Exp $ */ /* * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -130,9 +130,9 @@ typedef struct { %} %token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON -%token COMBINED CONNECTION DIRECTORY ERR FCGI INDEX IP KEY LISTEN LOCATION -%token LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS ROOT -%token SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT TLS TYPES +%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN +%token LOCATION LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS +%token ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT TLS TYPES %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS %token <v.string> STRING %token <v.number> NUMBER 
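Review bot: The new `HTTPD_TLS_DHE_PARAMS "none"` and `HTTPD_TLS_ECDHE_CURVE "auto"` defaults in the httpd.h defines hunk carry no comment saying what these strings select, unlike the neighbouring cert/key paths and cipher list which are self-describing; a line such as `/* DHE parameter / ECDHE curve selection handed to libtls; "none" keeps DHE suites disabled */` above them would tell a reader why DHE is off by default. The diffstat, limited to usr.sbin/httpd where httpd.conf(5) presumably lives, lists only httpd.h, parse.y and server.c, so the `dhe` and `ecdhe` keywords introduced in parse.y have no manual page entry in this commit. The struct server_config hunk sizes both fields at NAME_MAX like tls_ciphers, which is consistent but far larger than any value these settings take; that is a style observation, not a defect.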
@@ -242,8 +242,15 @@ server : SERVER STRING { if ((s->srv_conf.tls_key_file = strdup(HTTPD_TLS_KEY)) == NULL) fatal("out of memory"); - strlcpy(s->srv_conf.tls_ciphers, HTTPD_TLS_CIPHERS, + strlcpy(s->srv_conf.tls_ciphers, + HTTPD_TLS_CIPHERS, sizeof(s->srv_conf.tls_ciphers)); + strlcpy(s->srv_conf.tls_dhe_params, + HTTPD_TLS_DHE_PARAMS, + sizeof(s->srv_conf.tls_dhe_params)); + strlcpy(s->srv_conf.tls_ecdhe_curve, + HTTPD_TLS_ECDHE_CURVE, + sizeof(s->srv_conf.tls_ecdhe_curve)); if (last_server_id == INT_MAX) { yyerror("too many servers defined"); @@ -616,6 +623,26 @@ tlsopts : CERTIFICATE STRING { } free($2); } + | DHE STRING { + if (strlcpy(srv_conf->tls_dhe_params, $2, + sizeof(srv_conf->tls_dhe_params)) >= + sizeof(srv_conf->tls_dhe_params)) { + yyerror("dhe too long"); + free($2); + YYERROR; + } + free($2); + } + | ECDHE STRING { + if (strlcpy(srv_conf->tls_ecdhe_curve, $2, + sizeof(srv_conf->tls_ecdhe_curve)) >= + sizeof(srv_conf->tls_ecdhe_curve)) { + yyerror("ecdhe too long"); + free($2); + YYERROR; + } + free($2); + } ; root : ROOT rootflags @@ -1049,8 +1076,10 @@ lookup(char *s) { "combined", COMBINED }, { "common", COMMON }, { "connection", CONNECTION }, + { "dhe", DHE }, { "directory", DIRECTORY }, { "drop", DROP }, + { "ecdhe", ECDHE }, { "error", ERR }, { "fastcgi", FCGI }, { "include", INCLUDE }, diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c index 46f2e5cc73b..a999b4faa15 100644 --- a/usr.sbin/httpd/server.c +++ b/usr.sbin/httpd/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.55 2015/02/07 01:23:12 reyk Exp $ */ +/* $OpenBSD: server.c,v 1.56 2015/02/07 06:26:28 jsing Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> 
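Review bot: The new `DHE STRING` and `ECDHE STRING` rules in the tlsopts hunk check only that `$2` fits in the NAME_MAX buffer, not that it is a value libtls accepts, so a mistyped value passes the parser (and a configtest run with `httpd -n`) and is rejected only when server_tls_init() in server.c calls tls_config_set_dheparams()/tls_config_set_ecdhecurve() at startup. Validating the string here, or at least a comment on each rule such as `/* accepted values are checked by libtls in server_tls_init() */`, would make the deferred check explicit and give a parse-time error that names the configuration line; the server.c hunk below is where the rejection currently happens. The tlsopts rule itself begins outside the hunk.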
@@ -207,6 +207,17 @@ server_tls_init(struct server *srv)
 log_warn("%s: failed to set tls ciphers", __func__);
 return (-1);
 }
+ if (tls_config_set_dheparams(srv->srv_tls_config,
+ srv->srv_conf.tls_dhe_params) != 0) {
+ log_warn("%s: failed to set tls dhe params", __func__);
+ return (-1);
+ }
+ if (tls_config_set_ecdhecurve(srv->srv_tls_config,
+ srv->srv_conf.tls_ecdhe_curve) != 0) {
+ log_warn("%s: failed to set tls ecdhe curve", __func__);
+ return (-1);
+ }
+
 if (tls_config_set_cert_mem(srv->srv_tls_config,
 srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len) != 0) {
 log_warn("%s: failed to set tls cert", __func__);
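Review bot: The two added failure branches log a fixed message, so when libtls rejects the configured string the log does not say which `dhe` or `ecdhe` value from httpd.conf was at fault; `log_warn("%s: failed to set tls dhe params '%s'", __func__, srv->srv_conf.tls_dhe_params);` and the matching line for the curve would make the startup failure traceable. This reject-at-startup path is the only validation these values receive, since the parse.y rules above check only their length. If log_warn() appends strerror(errno), as its name suggests, a tls_config_* failure need not set errno and the suffix may be misleading — worth confirming against log.c. server_tls_init() begins outside the hunk.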