From 5bc3c98ed4e25bc68a72dd6cd6676b25d2cdf9cd Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Fri, 15 Jan 2021 18:55:05 +0000
Subject: add protocols to the config

---
 ChangeLog | 2 ++
 gmid.c | 4 ++--
 gmid.h | 1 +
 lex.l | 1 +
 parse.y | 6 +++++-
 sample.conf | 3 +++
 6 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 90245b9..f45d772 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2021-01-15 Omar Polo
+ * parse.y (option): add ability to specify the tls versions with "protocols"
+
 * gmid.c (handle_open_conn): ensure the port number of the request matches
 * sandbox.c (sandbox): sandbox on OpenBSD (pledge/unveil, as before) and on FreeBSD (capsicum) too
diff --git a/gmid.c b/gmid.c
index ded80cd..a648ad9 100644
--- a/gmid.c
+++ b/gmid.c
@@ -979,6 +979,7 @@ main(int argc, char **argv)
 conf.foreground = 1;
 conf.port = 1965;
 conf.ipv6 = 0;
+ conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
 connected_clients = 0;
@@ -1067,8 +1068,7 @@ main(int argc, char **argv)
 tls_config_verify_client_optional(tlsconf);
 tls_config_insecure_noverifycert(tlsconf);
- if (tls_config_set_protocols(tlsconf,
- TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3) == -1)
+ if (tls_config_set_protocols(tlsconf, conf.protos) == -1)
 err(1, "tls_config_set_protocols");
 load_vhosts(tlsconf);
diff --git a/gmid.h b/gmid.h
index 9ef38a4..7818787 100644
--- a/gmid.h
+++ b/gmid.h
@@ -68,6 +68,7 @@ struct conf {
 int foreground;
 int port;
 int ipv6;
+ uint32_t protos;
 };
 extern struct conf conf;
diff --git a/lex.l b/lex.l
index 083c440..4b6cf88 100644
--- a/lex.l
+++ b/lex.l
@@ -54,6 +54,7 @@ off yylval.num = 0; return TBOOL;
 daemon return TDAEMON;
 ipv6 return TIPV6;
 port return TPORT;
+protocols return TPROTOCOLS;
 server return TSERVER;
 cert return TCERT;
diff --git a/parse.y b/parse.y
index 9e6b63a..f4a21cf 100644
--- a/parse.y
+++ b/parse.y
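Review bot: The failure branch after the new `tls_config_set_protocols(tlsconf, conf.protos)` call in the second gmid.c hunk still reports through `err(1, ...)`, which appends strerror(errno), and as far as I can tell libtls does not set errno for this failure — so an operator whose "protocols" setting produced a mask libtls rejects gets a misleading or empty reason. Now that the value comes from the config file rather than a fixed constant, the message should carry libtls' own explanation: `errx(1, "tls_config_set_protocols: %s", tls_config_error(tlsconf));`. The `err` line itself is unchanged context here, and main() continues outside both hunks.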
@@ -43,7 +43,7 @@ extern void yyerror(const char*);
 }
 %token TBOOL TSTRING TNUM
-%token TDAEMON TIPV6 TPORT TSERVER
+%token TDAEMON TIPV6 TPORT TPROTOCOLS TSERVER
 %token TCERT TKEY TROOT TCGI
 %token TERR
@@ -62,6 +62,10 @@ options : /* empty */
 option : TDAEMON TBOOL { conf.foreground = !$2; }
 | TIPV6 TBOOL { conf.ipv6 = $2; }
 | TPORT TNUM { conf.port = $2; }
+ | TPROTOCOLS TSTRING {
+ if (tls_config_parse_protocols(&conf.protos, $2) == -1)
+ errx(1, "invalid protocols string \"%s\"", $2);
+ }
 ;
 vhosts : /* empty */
diff --git a/sample.conf b/sample.conf
index 86252da..646b930 100644
--- a/sample.conf
+++ b/sample.conf
@@ -1,6 +1,9 @@
 ipv6 on # enable ipv6
 daemon on # enable daemon mode
+# decomment to allow only TLSv1.3
+#protocols "tlsv1.3"
+
 # server block example
 server "example.com" {
 cert "/path/to/cert.pem"
--
cgit v1.2.3
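Review bot: The new `TPROTOCOLS TSTRING` action in the second parse.y hunk accepts any string tls_config_parse_protocols() understands, which includes "tlsv1.0", "tlsv1.1", "legacy" and "all", so the option can widen the server to TLS versions the previous hard-coded TLSv1.2|TLSv1.3 mask excluded, and nothing in the diff documents that (sample.conf only shows the narrowing case). I'd put a comment above the action, `/* libtls protocol list, e.g. "tlsv1.2,tlsv1.3"; can also re-enable legacy versions — default is set in main() */`, and state the accepted syntax and the default next to the commented-out example in sample.conf. Separately, `errx(1, …)` exits from inside a grammar action, while the file declares `extern void yyerror(const char*)` (visible in the first hunk); if the other parse errors go through yyerror with file and line context, this one presumably should too, by formatting the message into a local buffer first. The `option` rule starts inside the hunk but the grammar's error-reporting path lies outside it.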