authorflorian <florian@openbsd.org>2015-07-18 05:41:18 +0000
committerflorian <florian@openbsd.org>2015-07-18 05:41:18 +0000
commitf5d55328fdd7734f455a1ed893a5e7db6e2d437f (patch)
tree8fac9636b258fffef6a9b56354c9ea93a0a56e4d /usr.sbin/httpd/parse.y
parentHave tftpd provide a block of random data when clients request the file (diff)
Implement HTTP Strict Transport Security (HSTS).
Input & OK reyk
Diffstat (limited to 'usr.sbin/httpd/parse.y')
-rw-r--r--usr.sbin/httpd/parse.y37
1 files changed, 35 insertions, 2 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 0870819c9e6..b75f8b7b626 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.70 2015/07/16 19:05:28 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.71 2015/07/18 05:41:18 florian Exp $ */
/*
* Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -133,7 +133,7 @@ typedef struct {
%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
%token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPES
+%token TLS TYPES HSTS MAXAGE SUBDOMAINS
%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
%token <v.string> STRING
%token <v.number> NUMBER
@@ -256,6 +256,8 @@ server : SERVER optmatch STRING {
HTTPD_TLS_ECDHE_CURVE,
sizeof(s->srv_conf.tls_ecdhe_curve));
+ s->srv_conf.hsts_max_age = SERVER_HSTS_DEFAULT_AGE;
+
if (last_server_id == INT_MAX) {
yyerror("too many servers defined");
free(s);
@@ -556,6 +558,34 @@ serveroptsl : LISTEN ON STRING opttls port {
parentsrv = NULL;
}
| include
+ | hsts {
+ if (parentsrv != NULL) {
+ yyerror("hsts inside location");
+ YYERROR;
+ }
+ srv->srv_conf.flags |= SRVFLAG_SERVER_HSTS;
+ }
+ ;
+
+hsts : HSTS '{' optnl hstsflags_l '}'
+ | HSTS hstsflags
+ | HSTS
+ ;
+
+hstsflags_l : hstsflags optcommanl hstsflags_l
+ | hstsflags optnl
+ ;
+
+hstsflags : MAXAGE NUMBER {
+ if ($2 < 0 || $2 > INT_MAX) {
+ yyerror("invalid number of seconds: %lld", $2);
+ YYERROR;
+ }
+ srv_conf->hsts_max_age = $2;
+ }
+ | SUBDOMAINS {
+ srv->srv_conf.hsts_subdomains = 1;
+ }
;
fastcgi : NO FCGI {
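Review bot: The two `hstsflags` actions write the same server configuration through different paths: the MAXAGE branch assigns `srv_conf->hsts_max_age = $2;` while the SUBDOMAINS branch assigns `srv->srv_conf.hsts_subdomains = 1;`. Whether those resolve to the same object depends on how `srv_conf` is pointed at the current server or location elsewhere in parse.y, which is outside this hunk; since the "hsts inside location" rejection in `serveroptsl` only runs after the inner `hstsflags` actions have already executed, the flag actions can fire while `srv_conf` refers to a location config. Using one accessor consistently, `srv->srv_conf.hsts_max_age = $2;`, removes the ambiguity and reads the same as the SUBDOMAINS branch. The `serveroptsl` rule this hunk extends begins before the hunk.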
@@ -1115,6 +1145,7 @@ lookup(char *s)
{ "ecdhe", ECDHE },
{ "error", ERR },
{ "fastcgi", FCGI },
+ { "hsts", HSTS },
{ "include", INCLUDE },
{ "index", INDEX },
{ "ip", IP },
@@ -1125,6 +1156,7 @@ lookup(char *s)
{ "logdir", LOGDIR },
{ "match", MATCH },
{ "max", MAXIMUM },
+ { "max-age", MAXAGE },
{ "no", NO },
{ "nodelay", NODELAY },
{ "on", ON },
@@ -1141,6 +1173,7 @@ lookup(char *s)
{ "socket", SOCKET },
{ "strip", STRIP },
{ "style", STYLE },
+ { "subdomains", SUBDOMAINS },
{ "syslog", SYSLOG },
{ "tcp", TCP },
{ "timeout", TIMEOUT },