diff options
| author | Jose <jose@zeroc.com> | 2019-01-15 12:00:51 +0100 |
|---|---|---|
| committer | Jose <jose@zeroc.com> | 2019-01-15 12:00:51 +0100 |
| commit | 8249fd248844bc45ff5088f12268b09bf4a8a851 (patch) | |
| tree | 6812f2d95e1773a91f61a80b75d282d0c23c213b /cpp/src | |
| parent | Revert "Enable tracing for allTests.py to investigate iOS failures" (diff) | |
| download | ice-8249fd248844bc45ff5088f12268b09bf4a8a851.tar.bz2 ice-8249fd248844bc45ff5088f12268b09bf4a8a851.tar.xz ice-8249fd248844bc45ff5088f12268b09bf4a8a851.zip | |
IceSSL TLSv1.3 preliminary support
Diffstat (limited to 'cpp/src')
| -rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 64 | ||||
| -rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.h | 2 | ||||
| -rw-r--r-- | cpp/src/IceSSL/SChannelEngine.cpp | 25 | ||||
| -rw-r--r-- | cpp/src/IceSSL/SecureTransportEngine.cpp | 31 |
4 files changed, 108 insertions, 14 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp index 133d98ee465..e008094afb6 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.cpp +++ b/cpp/src/IceSSL/OpenSSLEngine.cpp @@ -399,9 +399,21 @@ OpenSSL::SSLEngine::initialize() // TLS1.1 and TLS1.2 to avoid security issues with SSLv3 // vector<string> defaultProtocols; +#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1_METHOD) defaultProtocols.push_back("tls1_0"); +#endif + +#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1_METHOD) defaultProtocols.push_back("tls1_1"); +#endif + +#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2_METHOD) defaultProtocols.push_back("tls1_2"); +#endif + +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3_METHOD) + defaultProtocols.push_back("tls1_3"); +#endif const int protocols = parseProtocols(properties->getPropertyAsListWithDefault(propPrefix + "Protocols", defaultProtocols)); @@ -541,8 +553,9 @@ OpenSSL::SSLEngine::initialize() vector<string> files; if(!IceUtilInternal::splitString(certFile, IceUtilInternal::pathsep, files) || files.size() > 2) { - PluginInitializationException ex(__FILE__, __LINE__, - "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile); + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + + certFile); } numCerts = files.size(); for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) @@ -551,8 +564,8 @@ OpenSSL::SSLEngine::initialize() string resolved; if(!checkPath(file, defaultDir, false, resolved)) { - PluginInitializationException ex(__FILE__, __LINE__, - "IceSSL: certificate file not found:\n" + file); + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: certificate file not found:\n" + file); } file = resolved; @@ -963,19 +976,48 @@ OpenSSL::SSLEngine::parseProtocols(const StringSeq& protocols) const string prot = IceUtilInternal::toUpper(*p); if(prot == "SSL3" || prot == "SSLV3") { +#if defined(OPENSSL_NO_SSL3_METHOD) || !defined(SSL3_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without SSLv3 support"); +#else v |= SSLv3; +#endif } else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0") { +#if defined(OPENSSL_NO_TLS1_METHOD) || !defined(TLS1_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.0 support"); +#else v |= TLSv1_0; +#endif } else if(prot == "TLS1_1" || prot == "TLSV1_1") { +#if defined(OPENSSL_NO_TLS1_1_METHOD) || !defined(TLS1_1_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.1 support"); +#else v |= TLSv1_1; +#endif } else if(prot == "TLS1_2" || prot == "TLSV1_2") { +#if defined(OPENSSL_NO_TLS1_2_METHOD) || !defined(TLS1_2_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.2 support"); +#else v |= TLSv1_2; +#endif + } + else if(prot == "TLS1_3" || prot == "TLSV1_3") + { +#if defined(OPENSSL_NO_TLS1_3_METHOD) || !defined(TLS1_3_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.3 support"); +#else + v |= TLSv1_3; +#endif } else { @@ -1014,14 +1056,21 @@ void OpenSSL::SSLEngine::setOptions(int protocols) { long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported. + +#ifdef SSL_OP_NO_SSLv3 if(!(protocols & SSLv3)) { opts |= SSL_OP_NO_SSLv3; } +#endif + +#ifdef SSL_OP_NO_TLSv1 if(!(protocols & TLSv1_0)) { opts |= SSL_OP_NO_TLSv1; } +#endif + #ifdef SSL_OP_NO_TLSv1_1 if(!(protocols & TLSv1_1)) { @@ -1042,5 +1091,12 @@ OpenSSL::SSLEngine::setOptions(int protocols) opts |= SSL_OP_NO_TLSv1_2; } #endif + +#ifdef SSL_OP_NO_TLSv1_3 + if(!(protocols & TLSv1_3)) + { + opts |= SSL_OP_NO_TLSv1_3; + } +#endif SSL_CTX_set_options(_ctx, opts); } diff --git a/cpp/src/IceSSL/OpenSSLEngine.h b/cpp/src/IceSSL/OpenSSLEngine.h index 681648dd2ba..2fad7263ca9 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.h +++ b/cpp/src/IceSSL/OpenSSLEngine.h @@ -45,7 +45,7 @@ private: void cleanup(); SSL_METHOD* getMethod(int); void setOptions(int); - enum Protocols { SSLv3 = 0x01, TLSv1_0 = 0x02, TLSv1_1 = 0x04, TLSv1_2 = 0x08 }; + enum Protocols { SSLv3 = 1, TLSv1_0 = 2, TLSv1_1 = 4, TLSv1_2 = 8, TLSv1_3 = 16 }; int parseProtocols(const Ice::StringSeq&) const; SSL_CTX* _ctx; diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp index 19a50c49631..1dbbf390fd2 100644 --- a/cpp/src/IceSSL/SChannelEngine.cpp +++ b/cpp/src/IceSSL/SChannelEngine.cpp @@ -22,6 +22,15 @@ #include <wincrypt.h> // +// SP_PROT_TLS1_3 is new in v10.0.15021 SDK +// +#ifndef SP_PROT_TLS1_3 +# define SP_PROT_TLS1_3_SERVER 0x00001000 +# define SP_PROT_TLS1_3_CLIENT 0x00002000 +# define SP_PROT_TLS1_3 (SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT) +#endif + +// // CALG_ECDH_EPHEM algorithm constant is not defined in older version of the SDK headers // // https://msdn.microsoft.com/en-us/library/windows/desktop/aa375549(v=vs.85).aspx @@ -417,23 +426,23 @@ parseProtocols(const StringSeq& protocols) if(prot == "SSL3" || prot == "SSLV3") { - v |= SP_PROT_SSL3_SERVER; - v |= SP_PROT_SSL3_CLIENT; + v |= SP_PROT_SSL3; } else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0") { - v |= SP_PROT_TLS1_SERVER; - v |= SP_PROT_TLS1_CLIENT; + v |= SP_PROT_TLS1; } else if(prot == "TLS1_1" || prot == "TLSV1_1") { - v |= SP_PROT_TLS1_1_SERVER; - v |= SP_PROT_TLS1_1_CLIENT; + v |= SP_PROT_TLS1_1; } else if(prot == "TLS1_2" || prot == "TLSV1_2") { - v |= SP_PROT_TLS1_2_SERVER; - v |= SP_PROT_TLS1_2_CLIENT; + v |= SP_PROT_TLS1_2; + } + else if (prot == "TLS1_3" || prot == "TLSV1_2") + { + v |= SP_PROT_TLS1_3; } else { diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp index 80f28129bf7..a3304676bfe 100644 --- a/cpp/src/IceSSL/SecureTransportEngine.cpp +++ b/cpp/src/IceSSL/SecureTransportEngine.cpp @@ -129,7 +129,7 @@ CiphersHelper::initialize() _ciphers["RSA_EXPORT_WITH_RC4_40_MD5"] = SSL_RSA_EXPORT_WITH_RC4_40_MD5; _ciphers["RSA_WITH_RC4_128_MD5"] = SSL_RSA_WITH_RC4_128_MD5; _ciphers["RSA_WITH_RC4_128_SHA"] = SSL_RSA_WITH_RC4_128_SHA; - _ciphers["RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5; + _ciphers["RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5; _ciphers["RSA_WITH_IDEA_CBC_SHA"] = SSL_RSA_WITH_IDEA_CBC_SHA; _ciphers["RSA_EXPORT_WITH_DES40_CBC_SHA"] = SSL_RSA_EXPORT_WITH_DES40_CBC_SHA; _ciphers["RSA_WITH_DES_CBC_SHA"] = SSL_RSA_WITH_DES_CBC_SHA; @@ -341,6 +341,16 @@ CiphersHelper::initialize() _ciphers["RSA_WITH_DES_CBC_MD5"] = SSL_RSA_WITH_DES_CBC_MD5; _ciphers["RSA_WITH_3DES_EDE_CBC_MD5"] = SSL_RSA_WITH_3DES_EDE_CBC_MD5; _ciphers["NO_SUCH_CIPHERSUITE"] = SSL_NO_SUCH_CIPHERSUITE; + + // + // TLS 1.3 standard cipher suites + // + _ciphers["TLS_AES_128_GCM_SHA256"] = TLS_AES_128_GCM_SHA256; + _ciphers["TLS_AES_256_GCM_SHA384"] = TLS_AES_256_GCM_SHA384; + _ciphers["TLS_CHACHA20_POLY1305_SHA256"] = TLS_CHACHA20_POLY1305_SHA256; + _ciphers["TLS_AES_128_CCM_SHA256"] = TLS_AES_128_CCM_SHA256; + _ciphers["TLS_AES_128_CCM_8_SHA256"] = TLS_AES_128_CCM_8_SHA256; + } } @@ -741,6 +751,21 @@ CiphersHelper::cipherName(SSLCipherSuite cipher) return "RSA_WITH_DES_CBC_MD5"; case SSL_RSA_WITH_3DES_EDE_CBC_MD5: return "RSA_WITH_3DES_EDE_CBC_MD5"; + + // + //TLS 1.3 standard cipher suites + // + case TLS_AES_128_GCM_SHA256: + return "TLS_AES_128_GCM_SHA256"; + case TLS_AES_256_GCM_SHA384: + return "TLS_AES_256_GCM_SHA384"; + case TLS_CHACHA20_POLY1305_SHA256: + return "TLS_CHACHA20_POLY1305_SHA256"; + case TLS_AES_128_CCM_SHA256: + return "TLS_AES_128_CCM_SHA256"; + case TLS_AES_128_CCM_8_SHA256: + return "TLS_AES_128_CCM_8_SHA256"; + default: return ""; } @@ -772,6 +797,10 @@ parseProtocol(const string& p) { return kTLSProtocol12; } + else if(prot == "TLS1_3" || prot == "TLSV1_3") + { + return kTLSProtocol13; + } else { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + p + "'"); |