Add an option that allows the enabled SSL protocols to be explicitly

configured. Discussed with several. ok bcook@
author: jsing <> 2014-09-29 15:11:29 +0000
committer: jsing <> 2014-09-29 15:11:29 +0000
commit: 605cec093155820780caa252b95043bde782b7d0 (patch)
tree: 50bbaa9e38aefb427b0f0162ccd9eefee6d46b85
parent: ed345a015da09482b25daba22e3fffaf60583b83 (diff)
download: openbsd-605cec093155820780caa252b95043bde782b7d0.tar.gz
openbsd-605cec093155820780caa252b95043bde782b7d0.tar.bz2
openbsd-605cec093155820780caa252b95043bde782b7d0.zip
6 files changed, 51 insertions, 9 deletions
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index f01448b8f4..516afa53d6 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
+/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -168,6 +168,23 @@ err:
        return (1);
 }
+int
+ressl_configure_ssl(struct ressl *ctx)
+{
+        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+        return (0);
+}
 void
 ressl_free(struct ressl *ctx)
 {
diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 90b51dc7fc..5d980f1f75 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.16 2014/09/28 15:08:01 jsing Exp $ */
+/* $OpenBSD: ressl.h,v 1.17 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -18,6 +18,15 @@
 #ifndef HEADER_RESSL_H
 #define HEADER_RESSL_H
+#define RESSL_PROTOCOL_SSLv3    (1 << 0)
+#define RESSL_PROTOCOL_TLSv1_0  (1 << 1)
+#define RESSL_PROTOCOL_TLSv1_1  (1 << 2)
+#define RESSL_PROTOCOL_TLSv1_2  (1 << 3)
+#define RESSL_PROTOCOL_TLSv1 \
+        (RESSL_PROTOCOL_TLSv1_0|RESSL_PROTOCOL_TLSv1_1|RESSL_PROTOCOL_TLSv1_2)
+#define RESSL_PROTOCOLS_DEFAULT \
+        (RESSL_PROTOCOL_SSLv3|RESSL_PROTOCOL_TLSv1)
 #define RESSL_READ_AGAIN        -2
 #define RESSL_WRITE_AGAIN       -3
@@ -43,6 +52,8 @@ int ressl_config_set_key_file(struct ressl_config *config,
    const char *key_file);
 int ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key,
    size_t len);
+void ressl_config_set_protocols(struct ressl_config *config,
+    uint32_t protocols);
 void ressl_config_set_verify_depth(struct ressl_config *config,
    int verify_depth);
diff --git a/src/lib/libressl/ressl_client.c b/src/lib/libressl/ressl_client.c
index 5969a104f7..8723a35ae0 100644
--- a/src/lib/libressl/ressl_client.c
+++ b/src/lib/libressl/ressl_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_client.c,v 1.3 2014/08/05 12:46:16 jsing Exp $ */
+/* $OpenBSD: ressl_client.c,v 1.4 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -134,11 +134,14 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
        ctx->socket = socket;
-        /* XXX - add a configuration option to control versions. */
        if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
                ressl_set_error(ctx, "ssl context failure");
                goto err;
        }
+        if (ressl_configure_ssl(ctx) != 0)
+                goto err;
        if (ctx->config->verify) {
                if (hostname == NULL) {
                        ressl_set_error(ctx, "server name not specified");
diff --git a/src/lib/libressl/ressl_config.c b/src/lib/libressl/ressl_config.c
index 106527c109..c92886330e 100644
--- a/src/lib/libressl/ressl_config.c
+++ b/src/lib/libressl/ressl_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.11 2014/09/29 09:30:31 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.12 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -71,11 +71,13 @@ ressl_config_new(void)
                ressl_config_free(config);
                return (NULL);
        }
-        ressl_config_verify(config);
+        ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT);
        ressl_config_set_verify_depth(config, 6);
        /* ? use function ? */
        config->ecdhcurve = NID_X9_62_prime256v1;
        
+        ressl_config_verify(config);
        return (config);
 }
@@ -164,6 +166,12 @@ ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key,
 }
 void
+ressl_config_set_protocols(struct ressl_config *config, uint32_t protocols)
+{
+        config->protocols = protocols;
+}
+void
 ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth)
 {
        config->verify_depth = verify_depth;
diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h
index 02dded3e7e..f37b5718d9 100644
--- a/src/lib/libressl/ressl_internal.h
+++ b/src/lib/libressl/ressl_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.10 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_internal.h,v 1.11 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -36,6 +36,7 @@ struct ressl_config {
        const char *key_file;
        char *key_mem;
        size_t key_len;
+        uint32_t protocols;
        int verify;
        int verify_depth;
 };
@@ -63,6 +64,7 @@ struct ressl *ressl_server_conn(struct ressl *ctx);
 int ressl_check_hostname(X509 *cert, const char *host);
 int ressl_configure_keypair(struct ressl *ctx);
 int ressl_configure_server(struct ressl *ctx);
+int ressl_configure_ssl(struct ressl *ctx);
 int ressl_host_port(const char *hostport, char **host, char **port);
 int ressl_set_error(struct ressl *ctx, char *fmt, ...);
diff --git a/src/lib/libressl/ressl_server.c b/src/lib/libressl/ressl_server.c
index 24b54ad0d0..e2dc7cf088 100644
--- a/src/lib/libressl/ressl_server.c
+++ b/src/lib/libressl/ressl_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.7 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.8 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -52,12 +52,13 @@ ressl_configure_server(struct ressl *ctx)
 {
        EC_KEY *ecdh_key;
-        /* XXX - add a configuration option to control versions. */
        if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
                ressl_set_error(ctx, "ssl context failure");
                goto err;
        }
+        if (ressl_configure_ssl(ctx) != 0)
+                goto err;
        if (ressl_configure_keypair(ctx) != 0)
                goto err;
author	jsing <>	2014-09-29 15:11:29 +0000
committer	jsing <>	2014-09-29 15:11:29 +0000
commit	605cec093155820780caa252b95043bde782b7d0 (patch)
tree	50bbaa9e38aefb427b0f0162ccd9eefee6d46b85
parent	ed345a015da09482b25daba22e3fffaf60583b83 (diff)
download	openbsd-605cec093155820780caa252b95043bde782b7d0.tar.gz openbsd-605cec093155820780caa252b95043bde782b7d0.tar.bz2 openbsd-605cec093155820780caa252b95043bde782b7d0.zip