author | 2017-08-11 18:48:56 +0000 | |
committer | 2017-08-11 18:48:56 +0000 | |
commit | 89f7e9973b8f634051268c13accf6e449a53d03c (patch) | |
tree | 38a44824ce14269a1992f73f5246301197fb4c32 | |
parent | pledge ctfdump to stdio and rpath (diff) | |
Convert httpd to tls_config_set_ecdhecurves(), allowing a list of curves
to be specified, rather than a single curve.
ok beck@
-rw-r--r-- | usr.sbin/httpd/httpd.conf.5 | 14 | ||||
-rw-r--r-- | usr.sbin/httpd/httpd.h | 6 | ||||
-rw-r--r-- | usr.sbin/httpd/parse.y | 14 | ||||
-rw-r--r-- | usr.sbin/httpd/server.c | 10 |
4 files changed, 23 insertions, 21 deletions
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index 80fa225ffc3..21b7e2b4810 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.82 2017/04/09 09:13:28 florian Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.83 2017/08/11 18:48:56 jsing Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 9 2017 $
+.Dd $Mdocdate: August 11 2017 $
 .Dt HTTPD.CONF 5
 .Os
 .Sh NAME
@@ -532,10 +532,12 @@ Valid parameter values are none, legacy and auto.
 For legacy a fixed key length of 1024 bits is used, whereas for auto the key length is determined automatically.
 The default is none, which disables DHE cipher suites.
-.It Ic ecdhe Ar curve
-Specify the ECDHE curve to use for ECDHE cipher suites.
-Valid parameter values are none, auto and the short name of any known curve.
-The default is auto.
+.It Ic ecdhe Ar curves
+Specify a comma separated list of elliptic curves to use for ECDHE cipher suites,
+in order of preference.
+The special value of "default" will use the default curves, see
+.Xr tls_config_set_ecdhecurves 3
+for further details.
 .It Ic key Ar file
 Specify the private key to use for this server.
 The
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 94891f5dae3..05cbb8e3550 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.133 2017/07/19 17:36:25 jsing Exp $ */
+/* $OpenBSD: httpd.h,v 1.134 2017/08/11 18:48:56 jsing Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -59,7 +59,7 @@
 #define HTTPD_TLS_KEY "/etc/ssl/private/server.key"
 #define HTTPD_TLS_CIPHERS "compat"
 #define HTTPD_TLS_DHE_PARAMS "none"
-#define HTTPD_TLS_ECDHE_CURVE "auto"
+#define HTTPD_TLS_ECDHE_CURVES "default"
 #define FD_RESERVE 5
 #define SERVER_MAX_CLIENTS 1024
@@ -481,7 +481,7 @@ struct server_config {
 char *tls_cert_file;
 char tls_ciphers[NAME_MAX];
 char tls_dhe_params[NAME_MAX];
- char tls_ecdhe_curve[NAME_MAX];
+ char tls_ecdhe_curves[NAME_MAX];
 uint8_t *tls_key;
 size_t tls_key_len;
 char *tls_key_file;
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 41964765f0f..203ddd1b0bb 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.90 2017/03/25 17:25:34 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.91 2017/08/11 18:48:56 jsing Exp $ */
 /*
  * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -266,9 +266,9 @@ server : SERVER optmatch STRING {
 strlcpy(s->srv_conf.tls_dhe_params, HTTPD_TLS_DHE_PARAMS, sizeof(s->srv_conf.tls_dhe_params));
- strlcpy(s->srv_conf.tls_ecdhe_curve,
- HTTPD_TLS_ECDHE_CURVE,
- sizeof(s->srv_conf.tls_ecdhe_curve));
+ strlcpy(s->srv_conf.tls_ecdhe_curves,
+ HTTPD_TLS_ECDHE_CURVES,
+ sizeof(s->srv_conf.tls_ecdhe_curves));
 s->srv_conf.hsts_max_age = SERVER_HSTS_DEFAULT_AGE;
@@ -748,9 +748,9 @@ tlsopts : CERTIFICATE STRING {
 free($2);
 }
 | ECDHE STRING {
- if (strlcpy(srv_conf->tls_ecdhe_curve, $2,
- sizeof(srv_conf->tls_ecdhe_curve)) >=
- sizeof(srv_conf->tls_ecdhe_curve)) {
+ if (strlcpy(srv_conf->tls_ecdhe_curves, $2,
+ sizeof(srv_conf->tls_ecdhe_curves)) >=
+ sizeof(srv_conf->tls_ecdhe_curves)) {
 yyerror("ecdhe too long");
 free($2);
 YYERROR;
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 8270a85d973..1a57d0be055 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
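Review bot: In the `struct server_config` hunk, `tls_ecdhe_curves[NAME_MAX]` reuses the buffer that was sized for one curve name, but the field now carries a comma-separated preference list, and nothing at the declaration says so. A list that exceeds the buffer is refused by the `ecdhe too long` check in parse.y, so this fails closed rather than truncating, which is the right direction; the limit is just not visible to someone reading the header. I would document the contents on the field, e.g. `char tls_ecdhe_curves[NAME_MAX]; /* comma-separated ECDHE curve list, see tls_config_set_ecdhecurves(3) */`. struct server_config starts and ends outside the hunk.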
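Review bot: In the `| ECDHE STRING` action of tlsopts, the new code checks only the length of the list; the curve names and the comma-separated syntax are not validated at parse time, so a misspelled curve passes configuration loading and is only rejected later when server_tls_init() calls tls_config_set_ecdhecurves() and logs a warning without a config line number. The same applies to the values `none` and `auto` that the previous manual page listed as valid: unless tls_config_set_ecdhecurves(3) accepts them, existing configurations using them now fail at server start rather than at load, which the commit message does not mention. Consider validating here by calling tls_config_set_ecdhecurves() on a throwaway config from tls_config_new() and reporting tls_config_error() through yyerror() on failure, then freeing the temporary config. The tlsopts rule continues outside the hunk.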
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.110 2017/07/19 17:36:25 jsing Exp $ */
+/* $OpenBSD: server.c,v 1.111 2017/08/11 18:48:56 jsing Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -142,7 +142,7 @@ server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
 return (-1);
 if (strcmp(sc1->tls_dhe_params, sc2->tls_dhe_params) != 0)
 return (-1);
- if (strcmp(sc1->tls_ecdhe_curve, sc2->tls_ecdhe_curve) != 0)
+ if (strcmp(sc1->tls_ecdhe_curves, sc2->tls_ecdhe_curves) != 0)
 return (-1);
 if (match_keypair) {
@@ -237,9 +237,9 @@ server_tls_init(struct server *srv)
 __func__, tls_config_error(srv->srv_tls_config));
 return (-1);
 }
- if (tls_config_set_ecdhecurve(srv->srv_tls_config,
- srv->srv_conf.tls_ecdhe_curve) != 0) {
- log_warnx("%s: failed to set tls ecdhe curve: %s",
+ if (tls_config_set_ecdhecurves(srv->srv_tls_config,
+ srv->srv_conf.tls_ecdhe_curves) != 0) {
+ log_warnx("%s: failed to set tls ecdhe curves: %s",
 __func__, tls_config_error(srv->srv_tls_config));
 return (-1);
 }