-rw-r--r-- | usr.sbin/httpd/config.c | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/httpd.conf.5 | 7 | ||||
-rw-r--r-- | usr.sbin/httpd/httpd.h | 8 | ||||
-rw-r--r-- | usr.sbin/httpd/parse.y | 10 | ||||
-rw-r--r-- | usr.sbin/httpd/server_http.c | 18 |
5 files changed, 31 insertions, 16 deletions
diff --git a/usr.sbin/httpd/config.c b/usr.sbin/httpd/config.c
index 2829bed563f..15560ed0587 100644
--- a/usr.sbin/httpd/config.c
+++ b/usr.sbin/httpd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.41 2015/07/18 06:00:43 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.42 2015/07/19 05:17:27 reyk Exp $ */
 /*
 * Copyright (c) 2011 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -446,7 +446,7 @@ config_getserver_config(struct httpd *env, struct server *srv,
 f = SRVFLAG_SERVER_HSTS;
 srv_conf->flags |= parent->flags & f;
 srv_conf->hsts_max_age = parent->hsts_max_age;
- srv_conf->hsts_subdomains = parent->hsts_subdomains;
+ srv_conf->hsts_flags = parent->hsts_flags;
 memcpy(&srv_conf->timeout, &parent->timeout,
 sizeof(srv_conf->timeout));
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index 11dc3cdb560..785f7266f70 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.67 2015/07/18 09:29:47 jmc Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.68 2015/07/19 05:17:27 reyk Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 18 2015 $
+.Dd $Mdocdate: July 19 2015 $
 .Dt HTTPD.CONF 5
 .Os
 .Sh NAME
@@ -282,6 +282,9 @@ Valid options are:
 Set the maximum time in seconds a receiving user agent should regard this host as an HSTS host.
 The default is one year.
+.It Ic preload
+Confirm and authenticate that the site is permitted to be included in
+a browser's preload list.
 .It Ic subdomains
 Signal to the receiving user agent that this host and all sub domains of the host's domain should be considered HSTS hosts.
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index fa0ff935994..f951d7bba24 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.91 2015/07/18 22:19:50 reyk Exp $ */
+/* $OpenBSD: httpd.h,v 1.92 2015/07/19 05:17:27 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -375,6 +375,10 @@ SPLAY_HEAD(client_tree, client);
 "\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" \
 "\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE"
+#define HSTSFLAG_SUBDOMAINS 0x01
+#define HSTSFLAG_PRELOAD 0x02
+#define HSTSFLAG_BITS "\10\01SUBDOMAINS\02PRELOAD"
+
 enum log_format {
 LOG_FORMAT_COMMON,
 LOG_FORMAT_COMBINED,
@@ -456,7 +460,7 @@ struct server_config {
 off_t return_uri_len;
 int hsts_max_age;
- int hsts_subdomains;
+ u_int8_t hsts_flags;
 TAILQ_ENTRY(server_config) entry;
 };
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 7b8da0e35a3..cbb13740160 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.72 2015/07/18 06:00:43 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.73 2015/07/19 05:17:27 reyk Exp $ */
 /*
 * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -133,7 +133,7 @@ typedef struct {
 %token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
 %token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
 %token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT
+%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD
 %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
 %token <v.string> STRING
 %token <v.number> NUMBER
@@ -593,7 +593,10 @@ hstsflags : MAXAGE NUMBER {
 srv_conf->hsts_max_age = $2;
 }
 | SUBDOMAINS {
- srv->srv_conf.hsts_subdomains = 1;
+ srv->srv_conf.hsts_flags |= HSTSFLAG_SUBDOMAINS;
+ }
+ | PRELOAD {
+ srv->srv_conf.hsts_flags |= HSTSFLAG_PRELOAD;
 }
 ;
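Review bot: The three new HSTSFLAG_* defines in the httpd.h hunk carry no comment saying what they encode or who consumes them; a one-liner above them such as `/* Strict-Transport-Security directives, emitted by server_http.c */` would tie the bits to the response header they control. HSTSFLAG_BITS is introduced here but no hunk in this commit uses it; presumably it feeds a printb-style flag dump elsewhere, which is worth confirming so the string does not drift from the bit values. The struct server_config hunk narrows the field to u_int8_t, which is fine for two bits but means a future flag beyond 0x80 silently truncates, so a short comment on the field noting the HSTSFLAG_* namespace would help.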
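Review bot: The new PRELOAD action in the hstsflags hunk writes `srv->srv_conf.hsts_flags` while the sibling MAXAGE action three lines above writes through `srv_conf->`; if those two can ever refer to different configs (for instance inside a location block), max-age would land on one config and preload/subdomains on another, producing a header that does not match what was written. The pre-existing SUBDOMAINS line had the same asymmetry, so this may be deliberate, but `srv_conf->hsts_flags |= HSTSFLAG_PRELOAD;` (and the same for SUBDOMAINS) would make the three siblings consistent and is worth a comment if the distinction is intended. The `|=` also assumes hsts_flags starts at zero for a freshly created server config, which the hunk cannot show; confirm the config is zero-filled on allocation.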
@@ -1176,6 +1179,7 @@ lookup(char *s)
 { "pass", PASS },
 { "port", PORT },
 { "prefork", PREFORK },
+ { "preload", PRELOAD },
 { "protocols", PROTOCOLS },
 { "request", REQUEST },
 { "requests", REQUESTS },
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index d51359f609b..b025684b77f 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.91 2015/07/18 06:00:43 reyk Exp $ */
+/* $OpenBSD: server_http.c,v 1.92 2015/07/19 05:17:27 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -829,9 +829,11 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
 if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
 if (asprintf(&hstsheader, "Strict-Transport-Security: "
- "max-age=%d%s\r\n", srv_conf->hsts_max_age,
- srv_conf->hsts_subdomains == 0 ? "" :
- " ; includeSubDomains") == -1)
+ "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
+ srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
+ "; includeSubDomains" : "",
+ srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
+ "; preload" : "") == -1)
 goto done;
 }
@@ -1272,9 +1274,11 @@ server_response_http(struct client *clt, u_int code,
 if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security",
 NULL)) == NULL ||
- kv_set(cl, "max-age=%d%s", srv_conf->hsts_max_age,
- srv_conf->hsts_subdomains == 0 ? "" :
- " ; includeSubDomains") == -1)
+ kv_set(cl, "max-age=%d%s%s%s", srv_conf->hsts_max_age,
+ srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
+ "; includeSubDomains" : "",
+ srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
+ "; preload" : "") == -1)
 return (-1);
 }
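Review bot: The kv_set() call in the server_response_http hunk uses the format `"max-age=%d%s%s%s"`, three `%s` conversions, but only two string arguments follow hsts_max_age, so the third `%s` consumes a variadic argument that was never passed; that is undefined behaviour, and in practice the Strict-Transport-Security header on every normal response will either carry whatever pointer happens to be in that slot or make kv_set fail. The asprintf() call in the server_abort_http hunk has the matching two-`%s` format, so the two should agree: `kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age,`. If kv_set is declared with a printf-style format attribute, -Wformat would flag this mismatch at compile time, which is worth checking since this header is emitted on the hot response path. Both enclosing functions start and end outside their hunks.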