[exim-cvs] OpenSSL: enable use of TLS 1.3 (with OpenSSL 1.1.…

Inizio della pagina
Questo messaggio è parte di questo thread:
Mil thread completo ordinato per data
 
 
Delete this message
Reply to this message
Autore: Exim Git Commits Mailing List
Data:  
To: exim-cvs
Oggetto: [exim-cvs] OpenSSL: enable use of TLS 1.3 (with OpenSSL 1.1.0 and later)
Gitweb: https://git.exim.org/exim.git/commitdiff/7a8b95190c22a8176c583985a41beb3e9ae831cd
Commit:     7a8b95190c22a8176c583985a41beb3e9ae831cd
Parent:     61e3f250a2ac9944f9dd1a99bd60d859c995cc9a
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jun 14 21:28:19 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jun 14 21:34:05 2018 +0100


    OpenSSL: enable use of TLS 1.3  (with OpenSSL 1.1.0 and later)
---
 doc/doc-txt/ChangeLog |  5 +++++
 src/src/tls-openssl.c | 28 +++++++++++++++++++---------
 2 files changed, 24 insertions(+), 9 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3ebc925..5303b2d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -61,6 +61,11 @@ JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd

JH/12 Add client-ip info to non-pass iprev ${authres } lines. 

+JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol
+      methods.  These should support TLS 1.3; they arrived with TLS 1.3 and the
+      now-deprecated earlier definitions used only specified the range up to TLS
+      1.2 (in the older-version library docs).
+


 Exim version 4.91
 -----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index db48c94..7e6524d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -70,6 +70,7 @@ functions from the OpenSSL library. */
 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
 #  define EXIM_HAVE_OPENSSL_CHECKHOST
 #  define EXIM_HAVE_OPENSSL_DH_BITS
+#  define EXIM_HAVE_OPENSSL_TLS_METHOD
 # endif
 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
     && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
@@ -1216,7 +1217,11 @@ if (!reexpand_tls_files_for_sni)
 not confident that memcpy wouldn't break some internal reference counting.
 Especially since there's a references struct member, which would be off. */


+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(server_sni = SSL_CTX_new(TLS_server_method())))
+#else
if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
+#endif
{
ERR_error_string(ERR_get_error(), ssl_errstring);
DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
@@ -1545,7 +1550,11 @@ when OpenSSL is built without SSLv2 support.
By disabling with openssl_options, we can let admins re-enable with the
existing knob. */

+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
+#else
if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
+#endif
return tls_error(US"SSL_CTX_new", host, NULL, errstr); 

 /* It turns out that we need to seed the random number generator this early in
@@ -1635,7 +1644,7 @@ if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
     }
 # endif


-if (host == NULL)        /* server */
+if (!host)        /* server */
   {
 # ifndef DISABLE_OCSP
   /* We check u_ocsp.server.file, not server.response, because we care about if
@@ -1704,15 +1713,13 @@ Returns:    nothing
 static void
 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
 {
-/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
+/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
 yet reflect that.  It should be a safe change anyway, even 0.9.8 versions have
 the accessor functions use const in the prototype. */
-const SSL_CIPHER *c;
-const uschar *ver;


-ver = (const uschar *)SSL_get_version(ssl);
+const uschar * ver = CUS SSL_get_version(ssl);
+const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);

-c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
SSL_CIPHER_get_bits(c, bits); 

 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
@@ -2360,7 +2367,7 @@ else
       client_static_cbinfo, errstr)) != OK)
     return rc;


-if ((client_ssl = SSL_new(client_ctx)) == NULL)
+if (!(client_ssl = SSL_new(client_ctx)))
return tls_error(US"SSL_new", host, NULL, errstr);
SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
SSL_set_fd(client_ssl, fd);
@@ -2847,8 +2854,11 @@ while (*s != 0) { if (*s == '_') *s = '-'; s++; }

err = NULL;

-ctx = SSL_CTX_new(SSLv23_server_method());
-if (!ctx)
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(TLS_server_method())))
+#else
+if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
+#endif
{
ERR_error_string(ERR_get_error(), ssl_errstring);
return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);

Questo messaggio è stato inviato alle seguenti mailing lists:
exim-cvs
Informazioni sulla Mailing List | Messaggi correlati		<-[exim-cvs] Add client-ip info to non-pass iprev ${authres } lines[exim-cvs] OpenSSL: TLSv1.3 notes->
Tahini and Hummus and Cumin Development Archives amministrato da cumin AdminsLurker (versione 2.3)