Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/09 17:19:33 UTC
svn commit: r1843313 - in /tomcat/native/trunk: native/include/ssl_private.h
native/src/sslcontext.c native/src/sslutils.c
xdocs/miscellaneous/changelog.xml
Author: markt
Date: Tue Oct 9 17:19:33 2018
New Revision: 1843313
URL: http://svn.apache.org/viewvc?rev=1843313&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Add TLS 1.3 support (CLIENT-CERT untested)
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslutils.c
tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Tue Oct 9 17:19:33 2018
@@ -84,6 +84,7 @@
#define SSL_PROTOCOL_TLSV1 (1<<2)
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_TLSV1_3 (1<<5)
#define SSL_MODE_CLIENT (0)
#define SSL_MODE_SERVER (1)
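Review bot: `SSL_PROTOCOL_TLSV1_3` is added as a new bit, but nothing in this hunk shows whether the header also defines an aggregate mask built from the `SSL_PROTOCOL_TLSV1*` bits (an "all protocols" value, say); if it does, that aggregate is outside the hunk and needs an explicit decision on whether TLS 1.3 joins it, since the sslcontext.c changes key the maximum protocol version off this bit. A short comment on the define would make the coupling visible, e.g. `/* bit 5; only honoured when HAVE_TLSV1_3 is defined, see sslcontext.c */`.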
@@ -180,6 +181,10 @@
#define HAVE_TLSV1_2
#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+#define HAVE_TLSV1_3
+#endif
+
/* Check for SSL_CONF support */
#if defined(SSL_CONF_FLAG_FILE)
#define HAVE_SSL_CONF_CMD
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Tue Oct 9 17:19:33 2018
@@ -152,7 +152,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (protocol == SSL_PROTOCOL_TLSV1_2) {
+ if (protocol == SSL_PROTOCOL_TLSV1_3) {
+#ifdef HAVE_TLSV1_3
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(TLSv1_3_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(TLSv1_3_server_method());
+ else
+ ctx = SSL_CTX_new(TLSv1_3_method());
+#endif
+ } else if (protocol == SSL_PROTOCOL_TLSV1_2) {
#ifdef HAVE_TLSV1_2
if (mode == SSL_MODE_CLIENT)
ctx = SSL_CTX_new(TLSv1_2_client_method());
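Review bot: The `#ifdef HAVE_TLSV1_3` body added inside the `OPENSSL_VERSION_NUMBER < 0x10100000L` branch calls `TLSv1_3_client_method()`, `TLSv1_3_server_method()` and `TLSv1_3_method()`, which I cannot find in OpenSSL's API; OpenSSL 1.1.1, the first release to define `SSL_OP_NO_TLSv1_3` (the macro `HAVE_TLSV1_3` is keyed on), only offers `TLS_method()` plus the min/max version setters that the `#else` branch of this function already uses. On OpenSSL the block is therefore dead code, but the `#else` comment in the later hunk suggests LibreSSL builds are routed through this branch, and a LibreSSL version that defines `SSL_OP_NO_TLSv1_3` would fail to compile here. Either drop the method-call block and let `SSL_PROTOCOL_TLSV1_3` fall through to the "requested but not supported" case in this branch, or state the assumption in a comment such as `/* HAVE_TLSV1_3 never holds on this branch for OpenSSL; LibreSSL has no TLSv1_3_*_method() */`. The enclosing function starts before the hunk.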
@@ -186,6 +195,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
ctx = SSL_CTX_new(SSLv3_method());
} else if (protocol == SSL_PROTOCOL_SSLV2) {
/* requested but not supported */
+#ifndef HAVE_TLSV1_3
+ } else if (protocol & SSL_PROTOCOL_TLSV1_3) {
+ /* requested but not supported */
+#endif
#ifndef HAVE_TLSV1_2
} else if (protocol & SSL_PROTOCOL_TLSV1_2) {
/* requested but not supported */
@@ -241,9 +254,19 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
if (!(protocol & SSL_PROTOCOL_TLSV1_2))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
#endif
+#ifdef HAVE_TLSV1_3
+ if (!(protocol & SSL_PROTOCOL_TLSV1_3))
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
+#endif
#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
/* We first determine the maximum protocol version we should provide */
+#ifdef HAVE_TLSV1_3
+ if (protocol & SSL_PROTOCOL_TLSV1_3) {
+ prot = TLS1_3_VERSION;
+ } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
if (protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
@@ -261,6 +284,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
+#ifdef HAVE_TLSV1_3
+ if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
}
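Review bot: The `} else` that the new `#ifdef HAVE_TLSV1_3` block leaves dangling in front of `if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1)` breaks the step-down cascade of the minimum-version scan: when TLS 1.3 is the maximum and TLS 1.2 is enabled, `prot` becomes `TLS1_2_VERSION` and the TLS 1.2 to 1.1 step is then skipped, so a configuration enabling TLS 1.3, 1.2 and 1.1 ends with a minimum of TLS 1.2 instead of 1.1, contradicting the "no holes between max and min" comment. The dangling else is right in the maximum-version scan above, which is a genuine else-if chain, but here each step must be evaluated after the previous one. Replace the `} else` line and the NOTE line with a plain `}` so the block reads `if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; }` followed by `#endif`. The enclosing function continues outside the hunk.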
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Tue Oct 9 17:19:33 2018
@@ -386,12 +386,24 @@ int SSL_callback_SSL_verify(int ok, X509
void SSL_callback_handshake(const SSL *ssl, int where, int rc)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
+#ifdef HAVE_TLSV1_3
+ const SSL_SESSION *session = SSL_get_session(ssl);
+#endif
/* Retrieve the conn_rec and the associated SSLConnRec. */
if (con == NULL) {
return;
}
+#ifdef HAVE_TLSV1_3
+ /* TLS 1.3 does not use renegotiation so do not update the renegotiation
+ * state once we know we are using TLS 1.3. */
+ if (session != NULL) {
+ if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
+ return;
+ }
+ }
+#endif
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
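Review bot: `SSL_get_session(ssl)` is read at entry and its protocol version decides whether the whole renegotiation state machine is bypassed, yet this callback also fires on `SSL_CB_HANDSHAKE_START`, before a version has been negotiated for the connection; the session object at that point may be a freshly created one or a resumed one, and I am not certain `SSL_SESSION_get_protocol_version` describes the handshake in progress in both cases. Since the early return disables the client-initiated-renegotiation rejection that the rest of this function implements, it is worth confirming that the check can never evaluate to TLS 1.3 for a connection that ends up on TLS 1.2, and recording the reasoning in the comment, e.g. `/* session version is only TLS1_3_VERSION once the 1.3 handshake is established; a 1.2 connection never resumes a 1.3 session */`. The body of SSL_callback_handshake continues past the end of the hunk.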
@@ -405,7 +417,6 @@ void SSL_callback_handshake(const SSL *s
else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) {
con->reneg_state = RENEG_REJECT;
}
-
}
int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
@@ -595,7 +606,7 @@ static int parse_asn1_length(unsigned ch
// Single byte length
*len = **asn1;
}
-
+
(*asn1)++;
return 0;
Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Tue Oct 9 17:19:33 2018
@@ -43,6 +43,9 @@
Remove support for Netware as there has not been a supported Netware
platform for a number of years. (markt)
</scode>
+ <add>
+ <bug>62748</bug>: Add support for TLS 1.3. (schultz/markt)
+ </add>
</changelog>
</section>
<section name="Changes in 1.2.17">