From 0211c1396ff6d4dc401cabef56c2af3202f043f9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 29 Sep 2014 15:11:29 +0000
Subject: Add an option that allows the enabled SSL protocols to be explicitly configured. Discussed with several. ok bcook@
---
 src/lib/libressl/ressl.c | 19 ++++++++++++++++++-
 src/lib/libressl/ressl.h | 13 ++++++++++++-
 src/lib/libressl/ressl_client.c | 7 +++++--
 src/lib/libressl/ressl_config.c | 12 ++++++++++--
 src/lib/libressl/ressl_internal.h | 4 +++-
 src/lib/libressl/ressl_server.c | 5 +++--
 6 files changed, 51 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index f01448b8f4..516afa53d6 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
+/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -168,6 +168,23 @@ err:
 return (1);
 }
+int
+ressl_configure_ssl(struct ressl *ctx)
+{
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+
+ if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+ if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+ if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+ if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+
+ return (0);
+}
+
 void
 ressl_free(struct ressl *ctx)
 {
diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 90b51dc7fc..5d980f1f75 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.16 2014/09/28 15:08:01 jsing Exp $ */
+/* $OpenBSD: ressl.h,v 1.17 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
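Review bot: `ressl_configure_ssl` cannot fail — it returns 0 unconditionally — so a config whose `protocols` mask clears every `RESSL_PROTOCOL_*` bit (zero, or only unknown bits) produces an SSL_CTX with SSLv2, SSLv3 and all TLS versions disabled, and the mistake only surfaces later as a handshake failure with no hint of the cause; the `!= 0` checks the callers add are dead code until this function can reject such a mask. I would reject an empty mask up front via `ressl_set_error` so the callers' `goto err` path is actually taken, using the same `return (1)` error convention as the `err:` label visible above this function. It is also worth a comment that `SSL_CTX_set_options` only ORs bits in, so this relies on receiving the freshly created context from `SSL_CTX_new` and would not re-enable a version on a reused context. The function also lacks a header comment stating that `protocols` is a bitmask of `RESSL_PROTOCOL_*` values and that SSLv2 is never negotiable.
```c
int
ressl_configure_ssl(struct ressl *ctx)
{
	/* Refuse a mask that leaves no SSL/TLS version enabled. */
	if ((ctx->config->protocols & RESSL_PROTOCOLS_DEFAULT) == 0) {
		ressl_set_error(ctx, "no SSL/TLS protocols enabled");
		return (1);
	}

	/* SSLv2 is never negotiable; SSL_CTX_set_options only adds bits. */
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
	/* … unchanged: SSL_OP_NO_* masking per RESSL_PROTOCOL_* bit … */
	return (0);
}
```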
@@ -18,6 +18,15 @@
 #ifndef HEADER_RESSL_H
 #define HEADER_RESSL_H
+#define RESSL_PROTOCOL_SSLv3 (1 << 0)
+#define RESSL_PROTOCOL_TLSv1_0 (1 << 1)
+#define RESSL_PROTOCOL_TLSv1_1 (1 << 2)
+#define RESSL_PROTOCOL_TLSv1_2 (1 << 3)
+#define RESSL_PROTOCOL_TLSv1 \ (RESSL_PROTOCOL_TLSv1_0|RESSL_PROTOCOL_TLSv1_1|RESSL_PROTOCOL_TLSv1_2)
+#define RESSL_PROTOCOLS_DEFAULT \ (RESSL_PROTOCOL_SSLv3|RESSL_PROTOCOL_TLSv1)
+
 #define RESSL_READ_AGAIN -2
 #define RESSL_WRITE_AGAIN -3
@@ -43,6 +52,8 @@ int ressl_config_set_key_file(struct ressl_config *config, const char *key_file);
 int ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key, size_t len);
+void ressl_config_set_protocols(struct ressl_config *config,
+ uint32_t protocols);
 void ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth);
diff --git a/src/lib/libressl/ressl_client.c b/src/lib/libressl/ressl_client.c
index 5969a104f7..8723a35ae0 100644
--- a/src/lib/libressl/ressl_client.c
+++ b/src/lib/libressl/ressl_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_client.c,v 1.3 2014/08/05 12:46:16 jsing Exp $ */
+/* $OpenBSD: ressl_client.c,v 1.4 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -134,11 +134,14 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
 ctx->socket = socket;
- /* XXX - add a configuration option to control versions. */
 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 ressl_set_error(ctx, "ssl context failure");
 goto err;
 }
+
+ if (ressl_configure_ssl(ctx) != 0)
+ goto err;
+
 if (ctx->config->verify) {
 if (hostname == NULL) {
 ressl_set_error(ctx, "server name not specified");
diff --git a/src/lib/libressl/ressl_config.c b/src/lib/libressl/ressl_config.c
index 106527c109..c92886330e 100644
--- a/src/lib/libressl/ressl_config.c
+++ b/src/lib/libressl/ressl_config.c
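Review bot: `RESSL_PROTOCOLS_DEFAULT` includes `RESSL_PROTOCOL_SSLv3`, so every consumer that never calls `ressl_config_set_protocols` will negotiate SSLv3 with a peer that offers nothing better — a deprecated protocol that lacks TLS extensions (so no SNI on the client side) and whose CBC record padding is not integrity-protected; since this commit is introducing the default, making it TLS-only and keeping SSLv3 opt-in is the safer choice. The "all known versions" mask also deserves its own name rather than overloading the default, e.g. `#define RESSL_PROTOCOLS_ALL (RESSL_PROTOCOL_SSLv3|RESSL_PROTOCOL_TLSv1)` and `#define RESSL_PROTOCOLS_DEFAULT RESSL_PROTOCOL_TLSv1`, so that changing the default later does not silently change which bits are considered valid. The new macros have no comment, and `RESSL_PROTOCOL_TLSv1` (every TLS 1.x version) sitting next to `RESSL_PROTOCOL_TLSv1_0` (1.0 only) is easy to misread; I would add `/* Protocol bitmask for ressl_config_set_protocols(); TLSv1 selects all of TLS 1.0-1.2. */` above the block.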
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.11 2014/09/29 09:30:31 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.12 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -71,11 +71,13 @@ ressl_config_new(void)
 ressl_config_free(config);
 return (NULL);
 }
- ressl_config_verify(config);
+ ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT);
 ressl_config_set_verify_depth(config, 6); /* ? use function ? */
 config->ecdhcurve = NID_X9_62_prime256v1;
+ ressl_config_verify(config);
+
 return (config);
 }
@@ -163,6 +165,12 @@ ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key,
 return set_mem(&config->key_mem, &config->key_len, key, len);
 }
+void
+ressl_config_set_protocols(struct ressl_config *config, uint32_t protocols)
+{
+ config->protocols = protocols;
+}
+
 void
 ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth)
 {
diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h
index 02dded3e7e..f37b5718d9 100644
--- a/src/lib/libressl/ressl_internal.h
+++ b/src/lib/libressl/ressl_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.10 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_internal.h,v 1.11 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -36,6 +36,7 @@ struct ressl_config {
 const char *key_file;
 char *key_mem;
 size_t key_len;
+ uint32_t protocols;
 int verify;
 int verify_depth;
 };
@@ -63,6 +64,7 @@ struct ressl *ressl_server_conn(struct ressl *ctx);
 int ressl_check_hostname(X509 *cert, const char *host);
 int ressl_configure_keypair(struct ressl *ctx);
 int ressl_configure_server(struct ressl *ctx);
+int ressl_configure_ssl(struct ressl *ctx);
 int ressl_host_port(const char *hostport, char **host, char **port);
 int ressl_set_error(struct ressl *ctx, char *fmt, ...);
diff --git a/src/lib/libressl/ressl_server.c b/src/lib/libressl/ressl_server.c
index 24b54ad0d0..e2dc7cf088 100644
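Review bot: `ressl_config_set_protocols` stores whatever mask it is handed, so bits outside the four `RESSL_PROTOCOL_*` values are silently ignored and a zero mask is accepted even though it leaves nothing for the SSL_CTX to negotiate; because the prototype is `void`, the caller gets no feedback and the problem can only surface later at connect/accept time. The sibling setters in this file (`ressl_config_set_key_file`, `ressl_config_set_key_mem`) return `int`, and since this API is brand new I would match them: return `int` and reject `protocols == 0 || (protocols & ~RESSL_PROTOCOLS_DEFAULT) != 0` with `return (-1);`. If it must stay `void`, the contract needs stating in a comment above the function, e.g. `/* protocols is a bitmask of RESSL_PROTOCOL_* values; unknown bits are ignored and 0 disables every version. */`.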
--- a/src/lib/libressl/ressl_server.c
+++ b/src/lib/libressl/ressl_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.7 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.8 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -52,12 +52,13 @@ ressl_configure_server(struct ressl *ctx)
 {
 EC_KEY *ecdh_key;
- /* XXX - add a configuration option to control versions. */
 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
 ressl_set_error(ctx, "ssl context failure");
 goto err;
 }
+ if (ressl_configure_ssl(ctx) != 0)
+ goto err;
 if (ressl_configure_keypair(ctx) != 0)
 goto err;
-- cgit v1.2.3-55-g6feb
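Review bot: Style: the new `ressl_configure_ssl` call is wedged directly between the `SSL_CTX_new` error block and the `ressl_configure_keypair` check with no blank line on either side, whereas the identical two lines added to ressl_client.c are set off by blank lines; the two call sites should be laid out the same way, and the client form reads better. The `SSL_CTX_new(SSLv23_*_method())` plus `ressl_configure_ssl(ctx)` sequence is now duplicated verbatim on both sides, so a follow-up could have `ressl_configure_ssl` take the method and create the context itself, leaving a single place that decides what a context looks like. `ressl_configure_server` continues past the end of this hunk, so I cannot see whether the `err:` label releases `ctx->ssl_ctx` on the new early exit.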