authorclaudio <claudio@openbsd.org>2017-03-25 17:25:34 +0000
committerclaudio <claudio@openbsd.org>2017-03-25 17:25:34 +0000
commitfe006a116d1775efa666fe8afddc5dc84efc24f2 (patch)
tree2b6dfe5c61eeeefa0636e444b71eedbb97ad997b /usr.sbin/httpd/parse.y
parentOpenSSL documented the public function BIO_printf(3) (and friends) (diff)
Implement TLS ticket support in httpd. Off by default. Use
`tls ticket lifetime default` turns it on with a 2h ticket lifetime. Rekeying happens after a quarter of that time. OK reky@ and bob@
Diffstat (limited to 'usr.sbin/httpd/parse.y')
-rw-r--r--usr.sbin/httpd/parse.y29
1 files changed, 24 insertions, 5 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index f53cfff67bf..41964765f0f 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.89 2017/02/07 12:27:42 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.90 2017/03/25 17:25:34 claudio Exp $ */
/*
* Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -130,10 +130,10 @@ typedef struct {
%}
%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
-%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
-%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
-%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
+%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LIFETIME
+%token LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
+%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TICKET
+%token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
%token <v.string> STRING
%token <v.number> NUMBER
@@ -766,6 +766,23 @@ tlsopts : CERTIFICATE STRING {
}
free($2);
}
+ | TICKET LIFETIME DEFAULT {
+ srv_conf->tls_ticket_lifetime = SERVER_DEF_TLS_LIFETIME;
+ }
+ | TICKET LIFETIME NUMBER {
+ if ($3 != 0 && $3 < SERVER_MIN_TLS_LIFETIME) {
+ yyerror("ticket lifetime too small");
+ YYERROR;
+ }
+ if ($3 > SERVER_MAX_TLS_LIFETIME) {
+ yyerror("ticket lifetime too large");
+ YYERROR;
+ }
+ srv_conf->tls_ticket_lifetime = $3;
+ }
+ | NO TICKET {
+ srv_conf->tls_ticket_lifetime = 0;
+ }
;
root : ROOT rootflags
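Review bot: The `TICKET LIFETIME NUMBER` alternative quietly accepts 0 as a second spelling of `no ticket` (the `$3 != 0 &&` exemption bypasses the minimum check), but nothing on that line says so; a comment such as `/* 0 disables tickets, same as "no ticket" */` would stop the next reader from treating the hole in the lower bound as a bug. The upper-bound check deserves a why-comment too, since the lifetime is presumably the window in which a leaked ticket key can still decrypt resumed sessions, e.g. `/* bound the window a compromised ticket key stays useful */` — confirm against the SERVER_MAX_TLS_LIFETIME definition before wording it that way. The unit of NUMBER is not visible here; the commit message implies seconds (2h default), so the two yyerror messages could state the limit and unit once that is confirmed. The tlsopts rule begins before this hunk.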
@@ -1218,6 +1235,7 @@ lookup(char *s)
{ "index", INDEX },
{ "ip", IP },
{ "key", KEY },
+ { "lifetime", LIFETIME },
{ "listen", LISTEN },
{ "location", LOCATION },
{ "log", LOG },
@@ -1246,6 +1264,7 @@ lookup(char *s)
{ "subdomains", SUBDOMAINS },
{ "syslog", SYSLOG },
{ "tcp", TCP },
+ { "ticket", TICKET },
{ "timeout", TIMEOUT },
{ "tls", TLS },
{ "type", TYPE },