kore


commit 339df66fd599cd13e12df78f84b0be47571d293d
parent dda2e1fb2c08d5d45903d024ff7349d1305d845a
Author: Joris Vink <joris@coders.se>
Date:   Mon, 29 Oct 2018 20:38:58 +0100

Add support for TLS 1.3 via OpenSSL 1.1.1.

This commit removes TLS 1.0 support no matter what OpenSSL
you are linking against.

Changes the default value of tls_version from 1.2 to both, meaning that if
you link with OpenSSL 1.1.1 you will get 1.2 + 1.3.

Diffstat:
Minclude/kore/kore.h | 4++--
Msrc/config.c | 6+++---
Msrc/domain.c | 69++++++++++++++++++++++++++++++++++++++++-----------------------------
Msrc/kore.c | 6+++++-
4 files changed, 50 insertions(+), 35 deletions(-)

diff --git a/include/kore/kore.h b/include/kore/kore.h @@ -69,8 +69,8 @@ extern int daemon(int, int); #define KORE_RESULT_OK 1 #define KORE_RESULT_RETRY 2 -#define KORE_TLS_VERSION_1_2 0 -#define KORE_TLS_VERSION_1_0 1 +#define KORE_TLS_VERSION_1_3 0 +#define KORE_TLS_VERSION_1_2 1 #define KORE_TLS_VERSION_BOTH 2 #define KORE_RESEED_TIME (1800 * 1000) diff --git a/src/config.c b/src/config.c @@ -446,10 +446,10 @@ config_file_write(void) static int configure_tls_version(char *version) { - if (!strcmp(version, "1.2")) { + if (!strcmp(version, "1.3")) { + tls_version = KORE_TLS_VERSION_1_3; + } else if (!strcmp(version, "1.2")) { tls_version = KORE_TLS_VERSION_1_2; - } else if (!strcmp(version, "1.0")) { - tls_version = KORE_TLS_VERSION_1_0; } else if (!strcmp(version, "both")) { tls_version = KORE_TLS_VERSION_BOTH; } else { diff --git a/src/domain.c b/src/domain.c @@ -48,7 +48,7 @@ static u_int8_t keymgr_buf[2048]; static size_t keymgr_buflen = 0; static int keymgr_response = 0; DH *tls_dhparam = NULL; -int tls_version = KORE_TLS_VERSION_1_2; +int tls_version = KORE_TLS_VERSION_BOTH; #endif #if !defined(KORE_NO_TLS) @@ -143,6 +143,9 @@ kore_domain_init(void) } EC_KEY_METHOD_set_sign(keymgr_ec_meth, NULL, NULL, keymgr_ecdsa_sign); +#else + kore_log(LOG_NOTICE, "%s has no TLS 1.3 - will only use TLS 1.2", + OPENSSL_VERSION_TEXT); #endif #endif } @@ -256,7 +259,7 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen) STACK_OF(X509_NAME) *certs; EC_KEY *eckey; const SSL_METHOD *method; -#if !defined(OPENSSL_NO_EC) +#if defined(LIBRESSL_VERSION_TEXT) || OPENSSL_VERSION_NUMBER < 0x10100000L EC_KEY *ecdh; #endif 
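Review bot: The new LOG_NOTICE says the linked library "has no TLS 1.3", but it sits under an `#else` whose `#if` starts outside this hunk; if that condition is the `!defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L` test this commit uses in kore_domain_tlsinit, then OpenSSL 1.1.0 — which also has no TLS 1.3 — takes the keymgr branch and never logs it, even though the commit message promises "both" means 1.2 + 1.3. The keymgr EC-method setup and the TLS 1.3 notice are unrelated concerns, so the notice would be more robust in its own block keyed on the feature rather than the version line, `#if !defined(TLS1_3_VERSION)` as the kore.c hunk already does, placed after the keymgr `#endif`. kore_domain_init starts before this hunk.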
@@ -267,59 +270,61 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen) #if !defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L if ((method = TLS_method()) == NULL) - fatal("TLS_method(): %s", ssl_errno_s); + fatalx("TLS_method(): %s", ssl_errno_s); #else switch (tls_version) { case KORE_TLS_VERSION_1_2: method = TLSv1_2_server_method(); break; - case KORE_TLS_VERSION_1_0: - method = TLSv1_server_method(); - break; case KORE_TLS_VERSION_BOTH: - method = SSLv23_server_method(); + method = TLSv1_2_server_method(); break; default: - fatal("unknown tls_version: %d", tls_version); + fatalx("unknown tls_version: %d", tls_version); return; } #endif if ((dom->ssl_ctx = SSL_CTX_new(method)) == NULL) - fatal("SSL_ctx_new(): %s", ssl_errno_s); + fatalx("SSL_ctx_new(): %s", ssl_errno_s); #if !defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L - if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, TLS1_VERSION)) - fatal("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); - if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_2_VERSION)) - fatal("SSL_CTX_set_max_proto_version: %s", ssl_errno_s); + if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, TLS1_2_VERSION)) + fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); + if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_3_VERSION)) + fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s); switch (tls_version) { - case KORE_TLS_VERSION_1_2: + case KORE_TLS_VERSION_1_3: if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, - TLS1_2_VERSION)) - fatal("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); + TLS1_3_VERSION)) { + fatalx("SSL_CTX_set_min_proto_version: %s", + ssl_errno_s); + } break; - case KORE_TLS_VERSION_1_0: - if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_VERSION)) - fatal("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); + case KORE_TLS_VERSION_1_2: + if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, + TLS1_2_VERSION)) { + 
fatalx("SSL_CTX_set_min_proto_version: %s", + ssl_errno_s); + } break; case KORE_TLS_VERSION_BOTH: break; default: - fatal("unknown tls_version: %d", tls_version); + fatalx("unknown tls_version: %d", tls_version); return; } #endif x509 = domain_load_certificate_chain(dom->ssl_ctx, pem, pemlen); if ((pkey = X509_get_pubkey(x509)) == NULL) - fatal("certificate has no public key"); + fatalx("certificate has no public key"); switch (EVP_PKEY_id(pkey)) { case EVP_PKEY_RSA: if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) - fatal("no RSA public key present"); + fatalx("no RSA public key present"); RSA_set_app_data(rsa, dom); #if !defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L RSA_set_method(rsa, keymgr_rsa_meth); @@ -329,7 +334,7 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen) break; case EVP_PKEY_EC: if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) - fatal("no EC public key present"); + fatalx("no EC public key present"); #if !defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L EC_KEY_set_ex_data(eckey, 0, dom); EC_KEY_set_method(eckey, keymgr_ec_meth); 
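Review bot: In the new `case KORE_TLS_VERSION_1_2:` branch the call is `SSL_CTX_set_max_proto_version`, but the failure message still says `SSL_CTX_set_min_proto_version` (carried over from the removed 1.0 case); it should read `fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s);`. The same block references `TLS1_3_VERSION` under `OPENSSL_VERSION_NUMBER >= 0x10100000L`, whereas the kore.c hunk guards it with `#if defined(TLS1_3_VERSION)`; unless OpenSSL 1.1.0's headers already define that constant (I do not believe they do), a 1.1.0 build fails to compile here, so the guard should be `>= 0x10101000L` or `defined(TLS1_3_VERSION)` consistently in both files. The legacy `switch (tls_version)` for LibreSSL / OpenSSL < 1.1 has no `KORE_TLS_VERSION_1_3` case, so a config asking for 1.3 there dies with the misleading "unknown tls_version: 0" (KORE_TLS_VERSION_1_3 is now 0); a dedicated `case KORE_TLS_VERSION_1_3: fatalx("tls_version 1.3 is not supported by %s", OPENSSL_VERSION_TEXT);` would say what is actually wrong. kore_domain_tlsinit starts before this hunk and continues after it.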
@@ -339,33 +344,38 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen) #endif break; default: - fatal("unknown public key in certificate"); + fatalx("unknown public key in certificate"); } if (!SSL_CTX_use_PrivateKey(dom->ssl_ctx, pkey)) - fatal("SSL_CTX_use_PrivateKey(): %s", ssl_errno_s); + fatalx("SSL_CTX_use_PrivateKey(): %s", ssl_errno_s); if (!SSL_CTX_check_private_key(dom->ssl_ctx)) - fatal("Public/Private key for %s do not match", dom->domain); + fatalx("Public/Private key for %s do not match", dom->domain); if (tls_dhparam == NULL) - fatal("No DH parameters given"); + fatalx("No DH parameters given"); SSL_CTX_set_tmp_dh(dom->ssl_ctx, tls_dhparam); SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE); +#if !defined(LIBRESSL_VERSION_TEXT) && OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!SSL_CTX_set_ecdh_auto(dom->ssl_ctx, 1)) + fatalx("SSL_CTX_set_ecdh_auto: %s", ssl_errno_s); +#else if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL) - fatal("EC_KEY_new_by_curve_name: %s", ssl_errno_s); + fatalx("EC_KEY_new_by_curve_name: %s", ssl_errno_s); SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh); EC_KEY_free(ecdh); +#endif SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION); if (dom->cafile != NULL) { if ((certs = SSL_load_client_CA_file(dom->cafile)) == NULL) { - fatal("SSL_load_client_CA_file(%s): %s", + fatalx("SSL_load_client_CA_file(%s): %s", dom->cafile, ssl_errno_s); } @@ -383,6 +393,7 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen) if (tls_version == KORE_TLS_VERSION_BOTH) { SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1); SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1_1); } diff --git a/src/kore.c b/src/kore.c 
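Review bot: On the OpenSSL >= 1.1.0 path the new `SSL_CTX_set_ecdh_auto(dom->ssl_ctx, 1)` is, as far as I recall, only a compatibility macro that expands to a constant (and disappears when OPENSSL_API_COMPAT is raised), so the `fatalx` after it can never fire and the call expresses no policy; automatic group selection is already the library default there. It also silently changes behaviour: the old code pinned ECDHE to secp384r1, while the new code accepts whatever groups the library prefers (on 1.1.1 I believe X25519 and P-256 rank ahead of P-384), and TLS 1.3 key shares follow the same list — that deserves a sentence in the commit message or a comment. If an explicit policy is wanted, `SSL_CTX_set1_groups_list(dom->ssl_ctx, "X25519:P-256:P-384")` with its return value checked is the 1.1.x way to state it; otherwise drop the call and leave a comment such as `/* ECDHE and TLS 1.3 key-share groups: library default order */`. kore_domain_tlsinit starts before this hunk and continues after it.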
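Review bot: The added `SSL_OP_NO_TLSv1` (like the SSLv2/SSLv3/TLSv1_1 options beside it) is now redundant on every path: the OpenSSL >= 1.1.0 branch of this function already sets the floor with `SSL_CTX_set_min_proto_version(dom->ssl_ctx, TLS1_2_VERSION)`, and the legacy branch builds the context from `TLSv1_2_server_method()`, which speaks nothing else. Keeping the version policy in two places invites drift — before this commit the two mechanisms already disagreed, with TLS 1.0 allowed by the floor but TLS 1.1 blocked by an option. Either delete this block or mark it as deliberate belt-and-braces, e.g. `/* redundant with the proto-version floor above; kept for older libraries */`. The enclosing function continues past this hunk.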
@@ -287,7 +287,11 @@ kore_tls_info_callback(const SSL *ssl, int flags, int ret)
 if (flags & SSL_CB_HANDSHAKE_START) {
 if ((c = SSL_get_app_data(ssl)) == NULL)
 fatal("no SSL_get_app_data");
- c->tls_reneg++;
+
+#if defined(TLS1_3_VERSION)
+ if (SSL_version(ssl) != TLS1_3_VERSION)
+#endif
+ c->tls_reneg++;
 }
 }
 #endif
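Review bot: Wrapping only the `if` line in `#if defined(TLS1_3_VERSION)` makes `c->tls_reneg++` the body of a conditional in one build and a bare statement in the other, which is brittle (a second statement added there later silently changes meaning in one configuration) and gives no hint why TLS 1.3 is excluded. An early return under the same guard, `if (SSL_version(ssl) == TLS1_3_VERSION) return;`, followed by an unconditional `c->tls_reneg++;`, reads the same in both builds, and a comment along the lines of `/* TLS 1.3 has no renegotiation; HANDSHAKE_START also fires for post-handshake messages (tickets, KeyUpdate), so don't count them */` would record the reason — that is my understanding of the motivation, not something the hunk states. If `tls_reneg` is what caps client-driven handshakes elsewhere (its consumer is not visible here), note that TLS 1.3 post-handshake traffic is now uncounted, so any such limit no longer applies to 1.3 connections.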