author | pvk <pvk@openbsd.org> | 2020-05-14 17:27:38 +0000 |
---|---|---|
committer | pvk <pvk@openbsd.org> | 2020-05-14 17:27:38 +0000 |
commit | b06d93a473d71fb61881819d9138dc49acabf270 (patch) | |
tree | 8e90d1d9b84a9cc7f6f2f3a72ab45cdb3cf46d10 /usr.sbin/relayd | |
parent | The dwctwo(4) FDT glue is now identical on armv7 and arm64. Move it to (diff) | |
Enable TLSv1.3 support in relayd(8)
with the help from tb@ jsing@; ok tb@
Diffstat (limited to 'usr.sbin/relayd')
-rw-r--r-- | usr.sbin/relayd/parse.y | 4 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 4 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 10 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 9 |
4 files changed, 18 insertions, 9 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index c1af15690c6..114c5d7aec9 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.244 2020/02/12 21:15:44 benno Exp $ */
+/* $OpenBSD: parse.y,v 1.245 2020/05/14 17:27:38 pvk Exp $ */

 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1355,6 +1355,8 @@ flag : STRING {
 $$ = TLSFLAG_TLSV1_1;
 else if (strcmp("tlsv1.2", $1) == 0)
 $$ = TLSFLAG_TLSV1_2;
+ else if (strcmp("tlsv1.3", $1) == 0)
+ $$ = TLSFLAG_TLSV1_3;
 else if (strcmp("cipher-server-preference", $1) == 0)
 $$ = TLSFLAG_CIPHER_SERVER_PREF;
 else if (strcmp("client-renegotiation", $1) == 0)
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 21efe259e05..43b5c377fa5 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.250 2019/07/13 06:53:00 chrisz Exp $ */
+/* $OpenBSD: relay.c,v 1.251 2020/05/14 17:27:38 pvk Exp $ */

 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2066,6 +2066,8 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
 protocols |= TLS_PROTOCOL_TLSv1_1;
 if (proto->tlsflags & TLSFLAG_TLSV1_2)
 protocols |= TLS_PROTOCOL_TLSv1_2;
+ if (proto->tlsflags & TLSFLAG_TLSV1_3)
+ protocols |= TLS_PROTOCOL_TLSv1_3;
 if (tls_config_set_protocols(tls_cfg, protocols) == -1) {
 log_warnx("could not set the TLS protocol: %s",
 tls_config_error(tls_cfg));
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 501691d4b1e..03bf28a73fe 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.196 2020/05/02 19:02:57 benno Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.197 2020/05/14 17:27:39 pvk Exp $
 .\"
 .\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
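Review bot: The `flag` rule's action gains one more strcmp/else-if pair for `tlsv1.3`, and the name-to-bit pairing it encodes is duplicated in TLSFLAG_BITS in relayd.h, where the same name has to sit at the matching bit position; nothing in either file says so. A comment on the first comparison in the chain, `/* keep names in sync with TLSFLAG_BITS in relayd.h */`, would help whoever adds the next version. A small static table of `{ name, bit }` pairs walked in a loop would keep the pairing in one place, but that is a larger change than this commit needs. The action's start and end, including whatever is done with `$1` after the comparisons, lie outside the hunk.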
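Review bot: The new `if (proto->tlsflags & TLSFLAG_TLSV1_3)` branch is the third hand-maintained copy of the per-version list (the `flag` strings in parse.y, the TLSFLAG_* bits in relayd.h, and this if-chain), so a comment at the head of the chain, `/* one TLSFLAG_* -> TLS_PROTOCOL_* entry per version; keep in sync with relayd.h and parse.y */`, is worth adding. Because TLSFLAG_DEFAULT now includes TLSFLAG_TLSV1_3, every relay that does not say `no tlsv1.3` will offer it; whether the cipher string and `cipher-server-preference` handling elsewhere in this function also constrain the TLSv1.3 suites depends on the libtls in use, which I cannot see here, and a one-line comment recording the answer once confirmed would spare the next reader the same question. The `client-renegotiation` flag presumably has no effect on a TLSv1.3 session, since that protocol version has no renegotiation; the relayd.conf.5 change in this commit could say so. relay_tls_ctx_create_proto starts and ends outside the hunk.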
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 2 2020 $
+.Dd $Mdocdate: May 14 2020 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -1015,6 +1015,9 @@ Disable TLS session tickets.
 supports stateless TLS session tickets (RFC 5077) to implement TLS session resumption. The default is to enable session tickets.
+.It Ic no tlsv1.3
+Disable the TLSv1.3 protocol.
+The default is to enable TLSv1.3.
 .It Ic no tlsv1.2
 Disable the TLSv1.2 protocol.
 The default is to enable TLSv1.2.
@@ -1027,8 +1030,9 @@ Enable all TLSv1 protocols.
 This is an alias that includes
 .Ic tlsv1.0 ,
 .Ic tlsv1.1 ,
+.Ic tlsv1.2 ,
 and
-.Ic tlsv1.2 .
+.Ic tlsv1.3 .
 The default is
 .Ic no tlsv1 .
 .It Ic tlsv1.0
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index d5ddbc143e2..393a13c55a5 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.260 2019/09/15 19:23:29 rob Exp $ */
+/* $OpenBSD: relayd.h,v 1.261 2020/05/14 17:27:39 pvk Exp $ */

 /*
  * Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -695,15 +695,16 @@ TAILQ_HEAD(relay_rules, relay_rule);
 #define TLSFLAG_TLSV1_0 0x02
 #define TLSFLAG_TLSV1_1 0x04
 #define TLSFLAG_TLSV1_2 0x08
-#define TLSFLAG_TLSV1 0x0e
+#define TLSFLAG_TLSV1_3 0x10
+#define TLSFLAG_TLSV1 0x1e
 #define TLSFLAG_VERSION 0x1f
 #define TLSFLAG_CIPHER_SERVER_PREF 0x20
 #define TLSFLAG_CLIENT_RENEG 0x40
 #define TLSFLAG_DEFAULT \
- (TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF)
+ (TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)
 #define TLSFLAG_BITS \
- "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \
+ "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \
 "\06cipher-server-preference\07client-renegotiation"
 #define TLSCIPHERS_DEFAULT "HIGH:!aNULL"
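Review bot: The new TLSFLAG_TLSV1_3 value 0x10 is consistent with the rest of the hunk — TLSFLAG_TLSV1 becomes 0x1e, TLSFLAG_VERSION 0x1f still covers it, and `\05tlsv1.3` in TLSFLAG_BITS sits at the 1-based position that matches bit 0x10, as `\04tlsv1.2` does for 0x08 and `\06cipher-server-preference` for 0x20 — but nothing in the header records that these three definitions move together. A comment above TLSFLAG_BITS such as `/* name at position N describes the flag with value 1 << (N-1); keep in step with the TLSFLAG_* values and masks above */` would make the invariant explicit for the next version. TLSFLAG_DEFAULT now enables TLSv1.3 for every protocol that does not say `no tlsv1.3`, which the relayd.conf.5 hunk in this commit documents. TLSFLAG_SSLV3 is presumably defined as 0x01 just above the hunk, matching `\01sslv3`.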