authorpvk <pvk@openbsd.org>2020-05-14 17:27:38 +0000
committerpvk <pvk@openbsd.org>2020-05-14 17:27:38 +0000
commitb06d93a473d71fb61881819d9138dc49acabf270 (patch)
tree8e90d1d9b84a9cc7f6f2f3a72ab45cdb3cf46d10 /usr.sbin/relayd
parentThe dwctwo(4) FDT glue is now identical on armv7 and arm64. Move it to (diff)
Enable TLSv1.3 support in relayd(8)
with help from tb@ and jsing@; ok tb@
Diffstat (limited to 'usr.sbin/relayd')
-rw-r--r--usr.sbin/relayd/parse.y4
-rw-r--r--usr.sbin/relayd/relay.c4
-rw-r--r--usr.sbin/relayd/relayd.conf.510
-rw-r--r--usr.sbin/relayd/relayd.h9
4 files changed, 18 insertions, 9 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index c1af15690c6..114c5d7aec9 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.244 2020/02/12 21:15:44 benno Exp $ */
+/* $OpenBSD: parse.y,v 1.245 2020/05/14 17:27:38 pvk Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1355,6 +1355,8 @@ flag : STRING {
$$ = TLSFLAG_TLSV1_1;
else if (strcmp("tlsv1.2", $1) == 0)
$$ = TLSFLAG_TLSV1_2;
+ else if (strcmp("tlsv1.3", $1) == 0)
+ $$ = TLSFLAG_TLSV1_3;
else if (strcmp("cipher-server-preference", $1) == 0)
$$ = TLSFLAG_CIPHER_SERVER_PREF;
else if (strcmp("client-renegotiation", $1) == 0)
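Review bot: The added `tlsv1.3` comparison extends a chain of `strcmp` calls whose results must stay in sync with the TLSFLAG_* bit definitions and the TLSFLAG_BITS string in relayd.h, and nothing in parse.y records that dependency; a comment above the chain would help the next version bump, e.g. `/* keep in sync with TLSFLAG_* and TLSFLAG_BITS in relayd.h */`. The keyword-to-bit mapping could also be a small static table walked once, but that is a style choice rather than a defect. The `flag` rule starts before the hunk and continues after it.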
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 21efe259e05..43b5c377fa5 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.250 2019/07/13 06:53:00 chrisz Exp $ */
+/* $OpenBSD: relay.c,v 1.251 2020/05/14 17:27:38 pvk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2066,6 +2066,8 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
protocols |= TLS_PROTOCOL_TLSv1_1;
if (proto->tlsflags & TLSFLAG_TLSV1_2)
protocols |= TLS_PROTOCOL_TLSv1_2;
+ if (proto->tlsflags & TLSFLAG_TLSV1_3)
+ protocols |= TLS_PROTOCOL_TLSv1_3;
if (tls_config_set_protocols(tls_cfg, protocols) == -1) {
log_warnx("could not set the TLS protocol: %s",
tls_config_error(tls_cfg));
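Review bot: The new TLSv1.3 branch at `if (proto->tlsflags & TLSFLAG_TLSV1_3)` keeps the one-`if`-per-version pattern, so a reader now has to cross-check four flag/protocol constant pairs by hand; a comment above the first of them would make the invariant explicit, e.g. `/* map each TLSFLAG_TLSV1_x config bit to its libtls TLS_PROTOCOL_* bit */`. Nothing in the hunk guards against `protocols` still being 0 when no version flag is set; whether tls_config_set_protocols() rejects that or libtls substitutes its own default is not visible here, so it is worth confirming that a configuration disabling every version fails loudly rather than negotiating something unexpected. relay_tls_ctx_create_proto() starts before the hunk and continues after it.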
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 501691d4b1e..03bf28a73fe 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.196 2020/05/02 19:02:57 benno Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.197 2020/05/14 17:27:39 pvk Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 2 2020 $
+.Dd $Mdocdate: May 14 2020 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -1015,6 +1015,9 @@ Disable TLS session tickets.
supports stateless TLS session tickets (RFC 5077) to implement TLS session
resumption.
The default is to enable session tickets.
+.It Ic no tlsv1.3
+Disable the TLSv1.3 protocol.
+The default is to enable TLSv1.3.
.It Ic no tlsv1.2
Disable the TLSv1.2 protocol.
The default is to enable TLSv1.2.
@@ -1027,8 +1030,9 @@ Enable all TLSv1 protocols.
This is an alias that includes
.Ic tlsv1.0 ,
.Ic tlsv1.1 ,
+.Ic tlsv1.2 ,
and
-.Ic tlsv1.2 .
+.Ic tlsv1.3 .
The default is
.Ic no tlsv1 .
.It Ic tlsv1.0
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index d5ddbc143e2..393a13c55a5 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.260 2019/09/15 19:23:29 rob Exp $ */
+/* $OpenBSD: relayd.h,v 1.261 2020/05/14 17:27:39 pvk Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -695,15 +695,16 @@ TAILQ_HEAD(relay_rules, relay_rule);
#define TLSFLAG_TLSV1_0 0x02
#define TLSFLAG_TLSV1_1 0x04
#define TLSFLAG_TLSV1_2 0x08
-#define TLSFLAG_TLSV1 0x0e
+#define TLSFLAG_TLSV1_3 0x10
+#define TLSFLAG_TLSV1 0x1e
#define TLSFLAG_VERSION 0x1f
#define TLSFLAG_CIPHER_SERVER_PREF 0x20
#define TLSFLAG_CLIENT_RENEG 0x40
#define TLSFLAG_DEFAULT \
- (TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF)
+ (TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)
#define TLSFLAG_BITS \
- "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \
+ "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \
"\06cipher-server-preference\07client-renegotiation"
#define TLSCIPHERS_DEFAULT "HIGH:!aNULL"