Diffstat (limited to 'httpd/parse.y')
-rw-r--r-- | httpd/parse.y | 97 |
1 files changed, 74 insertions, 23 deletions
diff --git a/httpd/parse.y b/httpd/parse.y
index 6900bc6..203ddd1 100644
--- a/httpd/parse.y
+++ b/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.80 2016/08/15 16:12:34 jsing Exp $ */
+/* $OpenBSD: parse.y,v 1.91 2017/08/11 18:48:56 jsing Exp $ */
 
 /*
  * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -130,10 +130,10 @@ typedef struct {
 %}
 
 %token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
-%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
-%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
-%token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD
+%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LIFETIME
+%token LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
+%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TICKET
+%token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
 %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
 %token <v.string> STRING
 %token <v.number> NUMBER
@@ -193,7 +193,7 @@ opttls : /*empty*/ { $$ = 0; }
 main : PREFORK NUMBER {
 if (loadcfg)
 break;
- if ($2 <= 0 || $2 > SERVER_MAXPROC) {
+ if ($2 <= 0 || $2 > PROC_MAX_INSTANCES) {
 yyerror("invalid number of preforked "
 "servers: %lld", $2);
 YYERROR;
@@ -245,6 +245,8 @@ server : SERVER optmatch STRING {
 s->srv_conf.parent_id = s->srv_conf.id;
 s->srv_s = -1;
 s->srv_conf.timeout.tv_sec = SERVER_TIMEOUT;
+ s->srv_conf.requesttimeout.tv_sec =
+ SERVER_REQUESTTIMEOUT;
 s->srv_conf.maxrequests = SERVER_MAXREQUESTS;
 s->srv_conf.maxrequestbody = SERVER_MAXREQUESTBODY;
 s->srv_conf.flags = SRVFLAG_LOG;
@@ -264,9 +266,9 @@ server : SERVER optmatch STRING {
 strlcpy(s->srv_conf.tls_dhe_params,
 HTTPD_TLS_DHE_PARAMS,
 sizeof(s->srv_conf.tls_dhe_params));
- strlcpy(s->srv_conf.tls_ecdhe_curve,
- HTTPD_TLS_ECDHE_CURVE,
- sizeof(s->srv_conf.tls_ecdhe_curve));
+ strlcpy(s->srv_conf.tls_ecdhe_curves,
+ HTTPD_TLS_ECDHE_CURVES,
+ sizeof(s->srv_conf.tls_ecdhe_curves));
 
 s->srv_conf.hsts_max_age = SERVER_HSTS_DEFAULT_AGE;
 
@@ -314,7 +316,7 @@ server : SERVER optmatch STRING {
 free(srv);
 YYERROR;
 }
- if (server_tls_cmp(s, srv) != 0) {
+ if (server_tls_cmp(s, srv, 0) != 0) {
 yyerror("server \"%s\": tls "
 "configuration mismatch on same "
 "address/port",
@@ -342,6 +344,14 @@ server : SERVER optmatch STRING {
 YYERROR;
 }
 
+ if (server_tls_load_ocsp(srv) == -1) {
+ yyerror("server \"%s\": failed to load "
+ "ocsp staple", srv->srv_conf.name);
+ serverconfig_free(srv_conf);
+ free(srv);
+ YYERROR;
+ }
+
 DPRINTF("adding server \"%s[%u]\"",
 srv->srv_conf.name, srv->srv_conf.id);
 
@@ -678,6 +688,10 @@ conflags : TIMEOUT timeout {
 memcpy(&srv_conf->timeout, &$2,
 sizeof(struct timeval));
 }
+ | REQUEST TIMEOUT timeout {
+ memcpy(&srv_conf->requesttimeout, &$3,
+ sizeof(struct timeval));
+ }
 | MAXIMUM REQUESTS NUMBER {
 srv_conf->maxrequests = $3;
 }
@@ -706,6 +720,13 @@ tlsopts : CERTIFICATE STRING {
 fatal("out of memory");
 free($2);
 }
+ | OCSP STRING {
+ free(srv_conf->tls_ocsp_staple_file);
+ if ((srv_conf->tls_ocsp_staple_file = strdup($2))
+ == NULL)
+ fatal("out of memory");
+ free($2);
+ }
 | CIPHERS STRING {
 if (strlcpy(srv_conf->tls_ciphers, $2,
 sizeof(srv_conf->tls_ciphers)) >=
@@ -727,9 +748,9 @@ tlsopts : CERTIFICATE STRING {
 free($2);
 }
 | ECDHE STRING {
- if (strlcpy(srv_conf->tls_ecdhe_curve, $2,
- sizeof(srv_conf->tls_ecdhe_curve)) >=
- sizeof(srv_conf->tls_ecdhe_curve)) {
+ if (strlcpy(srv_conf->tls_ecdhe_curves, $2,
+ sizeof(srv_conf->tls_ecdhe_curves)) >=
+ sizeof(srv_conf->tls_ecdhe_curves)) {
 yyerror("ecdhe too long");
 free($2);
 YYERROR;
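Review bot: The `OCSP STRING` branch only records a path; the staple itself is taken from that file when `server_tls_load_ocsp(srv)` runs in the server rule, i.e. at config parse time, so a staple file the operator refreshes later is not served until httpd reloads its configuration, and nothing in the grammar says so. OCSP responses carry a validity window, so serving the copy loaded at startup past that window is exactly the failure an operator would hit. A comment on the branch would prevent the surprise: `/* path only; the staple is read by server_tls_load_ocsp() at config load, so a refreshed file needs a reload */`. This assumes server_tls_load_ocsp reads the file into memory rather than keeping the path, which its name and the early-failure handling suggest but the hunk does not show. The tlsopts rule continues outside the hunk.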
@@ -745,6 +766,23 @@ tlsopts : CERTIFICATE STRING {
 }
 free($2);
 }
+ | TICKET LIFETIME DEFAULT {
+ srv_conf->tls_ticket_lifetime = SERVER_DEF_TLS_LIFETIME;
+ }
+ | TICKET LIFETIME NUMBER {
+ if ($3 != 0 && $3 < SERVER_MIN_TLS_LIFETIME) {
+ yyerror("ticket lifetime too small");
+ YYERROR;
+ }
+ if ($3 > SERVER_MAX_TLS_LIFETIME) {
+ yyerror("ticket lifetime too large");
+ YYERROR;
+ }
+ srv_conf->tls_ticket_lifetime = $3;
+ }
+ | NO TICKET {
+ srv_conf->tls_ticket_lifetime = 0;
+ }
 ;
 
 root : ROOT rootflags
@@ -1197,6 +1235,7 @@ lookup(char *s)
 { "index", INDEX },
 { "ip", IP },
 { "key", KEY },
+ { "lifetime", LIFETIME },
 { "listen", LISTEN },
 { "location", LOCATION },
 { "log", LOG },
@@ -1206,6 +1245,7 @@ lookup(char *s)
 { "max-age", MAXAGE },
 { "no", NO },
 { "nodelay", NODELAY },
+ { "ocsp", OCSP },
 { "on", ON },
 { "pass", PASS },
 { "port", PORT },
@@ -1224,6 +1264,7 @@ lookup(char *s)
 { "subdomains", SUBDOMAINS },
 { "syslog", SYSLOG },
 { "tcp", TCP },
+ { "ticket", TICKET },
 { "timeout", TIMEOUT },
 { "tls", TLS },
 { "type", TYPE },
@@ -1582,8 +1623,7 @@ parse_config(const char *filename, struct httpd *x_conf)
 endprotoent();
 
 /* Free macros */
- for (sym = TAILQ_FIRST(&symhead); sym != NULL; sym = next) {
- next = TAILQ_NEXT(sym, entry);
+ TAILQ_FOREACH_SAFE(sym, &symhead, entry, next) {
 if (!sym->persist) {
 free(sym->nam);
 free(sym->val);
@@ -1673,9 +1713,10 @@ symset(const char *nam, const char *val, int persist)
 {
 struct sym *sym;
 
- for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam);
- sym = TAILQ_NEXT(sym, entry))
- ; /* nothing */
+ TAILQ_FOREACH(sym, &symhead, entry) {
+ if (strcmp(nam, sym->nam) == 0)
+ break;
+ }
 
 if (sym != NULL) {
 if (sym->persist == 1)
@@ -1734,11 +1775,12 @@ symget(const char *nam)
 {
 struct sym *sym;
 
- TAILQ_FOREACH(sym, &symhead, entry)
+ TAILQ_FOREACH(sym, &symhead, entry) {
 if (strcmp(nam, sym->nam) == 0) {
 sym->used = 1;
 return (sym->val);
 }
+ }
 return (NULL);
 }
 
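Review bot: `TICKET LIFETIME NUMBER` accepts 0, because the `$3 != 0 &&` guard skips the minimum check for it, and stores it unchanged, which is the same value `NO TICKET` writes, so `ticket lifetime 0` silently means "no session tickets" and neither that equivalence nor the unit of the number is stated anywhere in the grammar. Either reject 0 here so that the explicit `no ticket` form is the only way to disable tickets, or document it on the branch: `/* 0 disables session tickets (same as "no ticket"); otherwise SERVER_MIN_TLS_LIFETIME <= $3 <= SERVER_MAX_TLS_LIFETIME */`. The hunk does not show whether the number is seconds, so the comment should name the unit once confirmed. Negative values are rejected by the minimum check only if SERVER_MIN_TLS_LIFETIME is positive, which is presumably the case but worth a glance at the header. The tlsopts rule begins outside the hunk.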
@@ -2007,10 +2049,11 @@ server_inherit(struct server *src, struct server_config *alias,
 if ((dst->srv_conf.tls_key_file =
 strdup(src->srv_conf.tls_key_file)) == NULL)
 fatal("out of memory");
- dst->srv_conf.tls_cert = NULL;
- dst->srv_conf.tls_key = NULL;
- dst->srv_conf.tls_cert_len = 0;
- dst->srv_conf.tls_key_len = 0;
+ if (src->srv_conf.tls_ocsp_staple_file != NULL) {
+ if ((dst->srv_conf.tls_ocsp_staple_file =
+ strdup(src->srv_conf.tls_ocsp_staple_file)) == NULL)
+ fatal("out of memory");
+ }
 
 if (src->srv_conf.return_uri != NULL &&
 (dst->srv_conf.return_uri =
@@ -2050,6 +2093,14 @@ server_inherit(struct server *src, struct server_config *alias,
 return (NULL);
 }
 
+ if (server_tls_load_ocsp(dst) == -1) {
+ yyerror("failed to load ocsp staple "
+ "for server %s", dst->srv_conf.name);
+ serverconfig_free(&dst->srv_conf);
+ free(dst);
+ return (NULL);
+ }
+
 /* Check if the new server already exists */
 if (server_match(dst, 1) != NULL) {
 yyerror("server \"%s\" defined twice", |
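Review bot: The error text in the new `server_tls_load_ocsp(dst)` check, `"failed to load ocsp staple for server %s"`, has a different shape from the message the server rule emits for the very same failure, `"server \"%s\": failed to load ocsp staple"`, and from the `"server \"%s\" defined twice"` message right below it in this hunk; one pattern is easier for an operator to grep and for a log parser to match. Suggested line: `yyerror("server \"%s\": failed to load ocsp staple", dst->srv_conf.name);`. The cleanup on that path (`serverconfig_free(&dst->srv_conf); free(dst); return (NULL);`) matches the visible error path just above it, so nothing to change there. server_inherit starts and ends outside the hunk.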