QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-07 06:59:41 +00:00
Code Issues Projects Releases Wiki Activity

Suport TLSv1.3 draft 28

Browse Source 
Also retains support for drafts 27 and 26

Fixes #6257

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6258)
This commit is contained in:
Matt Caswell 2018-05-14 18:35:30 +01:00
parent ba8b48e98d
commit 73cc84a132
8 changed files with 50 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/openssl/tls1.h
View File

@ -30,9 +30,13 @@ extern "C" {
# define TLS1_3_VERSION 0x0304 # define TLS1_3_VERSION 0x0304
# define TLS_MAX_VERSION TLS1_3_VERSION # define TLS_MAX_VERSION TLS1_3_VERSION
/* TODO(TLS1.3) REMOVE ME: Version indicator for draft -26 */ /* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
# define TLS1_3_VERSION_DRAFT 0x7f1a # define TLS1_3_VERSION_DRAFT_26 0x7f1a
# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 26)" # define TLS1_3_VERSION_DRAFT_27 0x7f1b
# define TLS1_3_VERSION_DRAFT 0x7f1c
# define TLS1_3_VERSION_DRAFT_TXT_26 "TLS 1.3 (draft 26)"
# define TLS1_3_VERSION_DRAFT_TXT_27 "TLS 1.3 (draft 27)"
# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 28)"
/* Special value for method supporting multiple versions */ /* Special value for method supporting multiple versions */
# define TLS_ANY_VERSION 0x10000 # define TLS_ANY_VERSION 0x10000

2
ssl/ssl_locl.h
View File

@ -1057,6 +1057,8 @@ struct ssl_st {
* DTLS1_VERSION) * DTLS1_VERSION)
*/ */
int version; int version;
/* TODO(TLS1.3): Remove this before release */
int version_draft;
/* SSLv3 */ /* SSLv3 */
const SSL_METHOD *method; const SSL_METHOD *method;
/* /*

8
ssl/statem/extensions_clnt.c
View File

@ -538,7 +538,9 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
for (currv = max_version; currv >= min_version; currv--) { for (currv = max_version; currv >= min_version; currv--) {
/* TODO(TLS1.3): Remove this first if clause prior to release!! */ /* TODO(TLS1.3): Remove this first if clause prior to release!! */
if (currv == TLS1_3_VERSION) { if (currv == TLS1_3_VERSION) {
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) { if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
|| !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
|| !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
@ -1789,7 +1791,9 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
} }
/* TODO(TLS1.3): Remove this before release */ /* TODO(TLS1.3): Remove this before release */
if (version == TLS1_3_VERSION_DRAFT) if (version == TLS1_3_VERSION_DRAFT
|| version == TLS1_3_VERSION_DRAFT_27
|| version == TLS1_3_VERSION_DRAFT_26)
version = TLS1_3_VERSION; version = TLS1_3_VERSION;
/* /*

4
ssl/statem/extensions_srvr.c
View File

@ -892,7 +892,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions) if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(&hrrpkt) || !WPACKET_start_sub_packet_u16(&hrrpkt)
/* TODO(TLS1.3): Fix this before release */ /* TODO(TLS1.3): Fix this before release */
|| !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT) || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
|| !WPACKET_close(&hrrpkt)) { || !WPACKET_close(&hrrpkt)) {
WPACKET_cleanup(&hrrpkt); WPACKET_cleanup(&hrrpkt);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
@ -1606,7 +1606,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
/* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */ /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
|| !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) || !WPACKET_put_bytes_u16(pkt, s->version_draft)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,

17
ssl/statem/statem_lib.c
View File

@ -1695,6 +1695,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
unsigned int best_vers = 0; unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL; const SSL_METHOD *best_method = NULL;
PACKET versionslist; PACKET versionslist;
/* TODO(TLS1.3): Remove this before release */
unsigned int orig_candidate = 0;
suppversions->parsed = 1; suppversions->parsed = 1;
@ -1705,8 +1707,18 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
while (PACKET_get_net_2(&versionslist, &candidate_vers)) { while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
/* TODO(TLS1.3): Remove this before release */ /* TODO(TLS1.3): Remove this before release */
if (candidate_vers == TLS1_3_VERSION_DRAFT) if (candidate_vers == TLS1_3_VERSION_DRAFT
|| candidate_vers == TLS1_3_VERSION_DRAFT_27
|| candidate_vers == TLS1_3_VERSION_DRAFT_26) {
if (best_vers == TLS1_3_VERSION
&& orig_candidate > candidate_vers)
continue;
orig_candidate = candidate_vers;
candidate_vers = TLS1_3_VERSION; candidate_vers = TLS1_3_VERSION;
} else if (candidate_vers == TLS1_3_VERSION) {
/* Don't actually accept real TLSv1.3 */
continue;
}
/* /*
* TODO(TLS1.3): There is some discussion on the TLS list about * TODO(TLS1.3): There is some discussion on the TLS list about
* whether to ignore versions <TLS1.2 in supported_versions. At the * whether to ignore versions <TLS1.2 in supported_versions. At the
@ -1745,6 +1757,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
} }
check_for_downgrade(s, best_vers, dgrd); check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers; s->version = best_vers;
/* TODO(TLS1.3): Remove this before release */
if (best_vers == TLS1_3_VERSION)
s->version_draft = orig_candidate;
s->method = best_method; s->method = best_method;
return 0; return 0;
} }

14
ssl/t1_trce.c
View File

@ -65,7 +65,9 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
{TLS1_1_VERSION, "TLS 1.1"}, {TLS1_1_VERSION, "TLS 1.1"},
{TLS1_2_VERSION, "TLS 1.2"}, {TLS1_2_VERSION, "TLS 1.2"},
{TLS1_3_VERSION, "TLS 1.3"}, {TLS1_3_VERSION, "TLS 1.3"},
/* TODO(TLS1.3): Remove this line before release */ /* TODO(TLS1.3): Remove these lines before release */
{TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
{TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
{TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT}, {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
{DTLS1_VERSION, "DTLS 1.0"}, {DTLS1_VERSION, "DTLS 1.0"},
{DTLS1_2_VERSION, "DTLS 1.2"}, {DTLS1_2_VERSION, "DTLS 1.2"},
@ -642,7 +644,15 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
vers = ((*pmsg)[0] << 8) | (*pmsg)[1]; vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
if (version != NULL) { if (version != NULL) {
/* TODO(TLS1.3): Remove the draft conditional here before release */ /* TODO(TLS1.3): Remove the draft conditional here before release */
*version = (vers == TLS1_3_VERSION_DRAFT) ? TLS1_3_VERSION : vers; switch(vers) {
case TLS1_3_VERSION_DRAFT_26:
case TLS1_3_VERSION_DRAFT_27:
case TLS1_3_VERSION_DRAFT:
*version = TLS1_3_VERSION;
break;
default:
*version = vers;
}
} }
BIO_indent(bio, indent, 80); BIO_indent(bio, indent, 80);
BIO_printf(bio, "%s=0x%x (%s)\n", BIO_printf(bio, "%s=0x%x (%s)\n",

7
test/recipes/70-test_sslversions.t
View File

@ -138,7 +138,8 @@ sub modify_supported_versions_filter
$ext = pack "C5", $ext = pack "C5",
0x04, # Length 0x04, # Length
0x03, 0x03, #TLSv1.2 0x03, 0x03, #TLSv1.2
0x03, 0x04; #TLSv1.3 #TODO(TLS1.3): Fix before release
0x7f, 0x1c; #TLSv1.3 (draft 28)
} elsif ($testtype == UNRECOGNISED_VERSIONS) { } elsif ($testtype == UNRECOGNISED_VERSIONS) {
$ext = pack "C5", $ext = pack "C5",
0x04, # Length 0x04, # Length
@ -152,8 +153,8 @@ sub modify_supported_versions_filter
} elsif ($testtype == WITH_TLS1_4) { } elsif ($testtype == WITH_TLS1_4) {
$ext = pack "C5", $ext = pack "C5",
0x04, # Length 0x04, # Length
0x03, 0x05, #TLSv1.4 #TODO(TLS1.3): Fix before release
0x03, 0x04; #TLSv1.3 0x7f, 0x1c; #TLSv1.3 (draft 28)
} }
if ($testtype == REVERSE_ORDER_VERSIONS if ($testtype == REVERSE_ORDER_VERSIONS
|| $testtype == UNRECOGNISED_VERSIONS || $testtype == UNRECOGNISED_VERSIONS

2
util/perl/TLSProxy/Record.pm
View File

@ -36,7 +36,7 @@ my %record_type = (
use constant { use constant {
VERS_TLS_1_4 => 0x0305, VERS_TLS_1_4 => 0x0305,
VERS_TLS_1_3_DRAFT => 0x7f1a, VERS_TLS_1_3_DRAFT => 0x7f1c,
VERS_TLS_1_3 => 0x0304, VERS_TLS_1_3 => 0x0304,
VERS_TLS_1_2 => 0x0303, VERS_TLS_1_2 => 0x0303,
VERS_TLS_1_1 => 0x0302, VERS_TLS_1_1 => 0x0302,