authorjsing <>2020-01-20 08:39:21 +0000
committerjsing <>2020-01-20 08:39:21 +0000
commit9ea343cf6ccda35b4aa4c4e74dd80b7a59029076 (patch)
treea99f83fd8ff7de867f80b6db4495ae4033f4de29
parent30f0a4c063ba95ea915d4ead9ad0ea6630bf5271 (diff)
downloadopenbsd-9ea343cf6ccda35b4aa4c4e74dd80b7a59029076.tar.gz
openbsd-9ea343cf6ccda35b4aa4c4e74dd80b7a59029076.tar.bz2
openbsd-9ea343cf6ccda35b4aa4c4e74dd80b7a59029076.zip
Add support for TLSv1.3 as a protocol to libtls.
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
-rw-r--r--src/lib/libtls/man/tls_config_set_protocols.313
-rw-r--r--src/lib/libtls/tls.c5
-rw-r--r--src/lib/libtls/tls.h9
-rw-r--r--src/lib/libtls/tls_config.c4
4 files changed, 20 insertions, 11 deletions
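--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.6 2017/08/12 04:24:49 jsing Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.7 2020/01/20 08:39:21 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 12 2017 $
+.Dd $Mdocdate: January 20 2020 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -78,11 +78,12 @@ Possible values are the bitwise OR of:
 .It Dv TLS_PROTOCOL_TLSv1_0
 .It Dv TLS_PROTOCOL_TLSv1_1
 .It Dv TLS_PROTOCOL_TLSv1_2
+.It Dv TLS_PROTOCOL_TLSv1_3
 .El
 .Pp
 Additionally, the values
 .Dv TLS_PROTOCOL_TLSv1
-(TLSv1.0, TLSv1.1 and TLSv1.2),
+(TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3),
 .Dv TLS_PROTOCOLS_ALL
 (all supported protocols) and
 .Dv TLS_PROTOCOLS_DEFAULT
@@ -98,9 +99,9 @@ This value can then be passed to the
 .Fn tls_config_set_protocols
 function.
 The protocol string is a comma or colon separated list of keywords.
-Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, all (all supported protocols),
-default (an alias for secure), legacy (an alias for all) and secure (currently
-TLSv1.2 only).
+Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all supported
+protocols), default (an alias for secure), legacy (an alias for all) and
+secure (currently TLSv1.2 only).
 If a value has a negative prefix (in the form of a leading exclamation mark)
 then it is removed from the list of available protocols, rather than being
 added to it.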
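--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.83 2019/04/01 15:58:02 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.84 2020/01/20 08:39:21 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -414,6 +414,7 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
+	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
 
 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
@@ -421,6 +422,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
+	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0)
+		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
 
 	if (ctx->config->alpn != NULL) {
 		if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,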
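Review bot: The four SSL_CTX_clear_options() calls at the top of the second hunk, now including SSL_OP_NO_TLSv1_3, express a single "reset to every version" step and are easier to keep in sync with the set_options chain below if collapsed into one call: `SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);` preceded by `/* Start with every version enabled, then mask off those absent from config->protocols. */`. Note also that if config->protocols has none of the four TLS_PROTOCOL_* bits set, all four SSL_OP_NO_* options end up set and every handshake fails at connect time rather than at configuration, unless tls_config_set_protocols() already rejects an empty mask — that function is not in this diff, so a one-line comment here saying which side owns that check would help. tls_configure_ssl() starts and ends outside the hunk.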
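--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.56 2019/11/02 13:37:59 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.57 2020/01/20 08:39:21 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -27,13 +27,16 @@ extern "C" {
 #include <stddef.h>
 #include <stdint.h>
 
-#define TLS_API 20180210
+#define TLS_API 20200120
 
 #define TLS_PROTOCOL_TLSv1_0 (1 << 1)
 #define TLS_PROTOCOL_TLSv1_1 (1 << 2)
 #define TLS_PROTOCOL_TLSv1_2 (1 << 3)
+#define TLS_PROTOCOL_TLSv1_3 (1 << 4)
+
 #define TLS_PROTOCOL_TLSv1 \
-	(TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2)
+	(TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\
+	TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
 
 #define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1
 #define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1_2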
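Review bot: TLS_PROTOCOLS_DEFAULT on the last line of the hunk stays at TLS_PROTOCOL_TLSv1_2 while TLS_PROTOCOLS_ALL (through TLS_PROTOCOL_TLSv1) now picks up TLSv1.3, and nothing in the header says this asymmetry is deliberate, so the next person bumping TLS_API will wonder whether DEFAULT was simply missed. Add a comment above the two ALL/DEFAULT defines such as `/* TLSv1.3 is part of ALL (legacy) but intentionally not yet of DEFAULT (secure). */`, and give TLS_PROTOCOL_TLSv1 its own line `/* Every TLSv1.x version, TLSv1.3 included. */` since the name no longer conveys the upper bound. Presumably DEFAULT is meant to follow once libssl's TLSv1.3 is ready for general use; stating that in the comment makes the follow-up obvious.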
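--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.57 2019/11/16 06:44:33 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.58 2020/01/20 08:39:21 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -253,6 +253,8 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 			proto = TLS_PROTOCOL_TLSv1_1;
 		else if (strcasecmp(p, "tlsv1.2") == 0)
 			proto = TLS_PROTOCOL_TLSv1_2;
+		else if (strcasecmp(p, "tlsv1.3") == 0)
+			proto = TLS_PROTOCOL_TLSv1_3;
 
 		if (proto == 0) {
 			free(s);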