Add an option that allows the enabled SSL protocols to be explicitly

configured. Discussed with several. ok bcook@
2025-01-10 06:47:55 -08:00 · 2014-09-29 15:11:29 +00:00 · 2014-09-29 15:11:29 +00:00 · e489263756
commit e489263756
parent 046c37ab7d
6 changed files with 51 additions and 9 deletions
--- a/lib/libressl/ressl.c
+++ b/lib/libressl/ressl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
+/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@ -168,6 +168,23 @@ err:
 	return (1);
 }

+int
+ressl_configure_ssl(struct ressl *ctx)
+{
+	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+
+	if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+
+	return (0);
+}
+
 void
 ressl_free(struct ressl *ctx)
 {
--- a/lib/libressl/ressl.h
+++ b/lib/libressl/ressl.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.16 2014/09/28 15:08:01 jsing Exp $ */
+/* $OpenBSD: ressl.h,v 1.17 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@ -18,6 +18,15 @@
 #ifndef HEADER_RESSL_H
 #define HEADER_RESSL_H

+#define RESSL_PROTOCOL_SSLv3	(1 << 0)
+#define RESSL_PROTOCOL_TLSv1_0	(1 << 1)
+#define RESSL_PROTOCOL_TLSv1_1	(1 << 2)
+#define RESSL_PROTOCOL_TLSv1_2	(1 << 3)
+#define RESSL_PROTOCOL_TLSv1 \
+	(RESSL_PROTOCOL_TLSv1_0|RESSL_PROTOCOL_TLSv1_1|RESSL_PROTOCOL_TLSv1_2)
+#define RESSL_PROTOCOLS_DEFAULT \
+	(RESSL_PROTOCOL_SSLv3|RESSL_PROTOCOL_TLSv1)
+
 #define RESSL_READ_AGAIN	-2
 #define RESSL_WRITE_AGAIN	-3

@ -43,6 +52,8 @@ int ressl_config_set_key_file(struct ressl_config *config,
    const char *key_file);
 int ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key,
    size_t len);
+void ressl_config_set_protocols(struct ressl_config *config,
+    uint32_t protocols);
 void ressl_config_set_verify_depth(struct ressl_config *config,
    int verify_depth);

--- a/lib/libressl/ressl_client.c
+++ b/lib/libressl/ressl_client.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_client.c,v 1.3 2014/08/05 12:46:16 jsing Exp $ */
+/* $OpenBSD: ressl_client.c,v 1.4 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@ -134,11 +134,14 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)

 	ctx->socket = socket;

-	/* XXX - add a configuration option to control versions. */
 	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 		ressl_set_error(ctx, "ssl context failure");
 		goto err;
 	}
+
+	if (ressl_configure_ssl(ctx) != 0)
+		goto err;
+
 	if (ctx->config->verify) {
 		if (hostname == NULL) {
 			ressl_set_error(ctx, "server name not specified");
--- a/lib/libressl/ressl_config.c
+++ b/lib/libressl/ressl_config.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.11 2014/09/29 09:30:31 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.12 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@ -71,11 +71,13 @@ ressl_config_new(void)
 		ressl_config_free(config);
 		return (NULL);
 	}
-	ressl_config_verify(config);
+	ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT);
 	ressl_config_set_verify_depth(config, 6);
 	/* ? use function ? */
 	config->ecdhcurve = NID_X9_62_prime256v1;
 	
+	ressl_config_verify(config);
+
 	return (config);
 }

@ -163,6 +165,12 @@ ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key,
 	return set_mem(&config->key_mem, &config->key_len, key, len);
 }

+void
+ressl_config_set_protocols(struct ressl_config *config, uint32_t protocols)
+{
+	config->protocols = protocols;
+}
+
 void
 ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth)
 {
--- a/lib/libressl/ressl_internal.h
+++ b/lib/libressl/ressl_internal.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.10 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_internal.h,v 1.11 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@ -36,6 +36,7 @@ struct ressl_config {
 	const char *key_file;
 	char *key_mem;
 	size_t key_len;
+	uint32_t protocols;
 	int verify;
 	int verify_depth;
 };
@ -63,6 +64,7 @@ struct ressl *ressl_server_conn(struct ressl *ctx);
 int ressl_check_hostname(X509 *cert, const char *host);
 int ressl_configure_keypair(struct ressl *ctx);
 int ressl_configure_server(struct ressl *ctx);
+int ressl_configure_ssl(struct ressl *ctx);
 int ressl_host_port(const char *hostport, char **host, char **port);
 int ressl_set_error(struct ressl *ctx, char *fmt, ...);

--- a/lib/libressl/ressl_server.c
+++ b/lib/libressl/ressl_server.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.7 2014/08/27 10:46:53 reyk Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.8 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@ -52,12 +52,13 @@ ressl_configure_server(struct ressl *ctx)
 {
 	EC_KEY *ecdh_key;

-	/* XXX - add a configuration option to control versions. */
 	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
 		ressl_set_error(ctx, "ssl context failure");
 		goto err;
 	}

+	if (ressl_configure_ssl(ctx) != 0)
+		goto err;
 	if (ressl_configure_keypair(ctx) != 0)
 		goto err;