Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/09 17:19:33 UTC

svn commit: r1843313 - in /tomcat/native/trunk: native/include/ssl_private.h native/src/sslcontext.c native/src/sslutils.c xdocs/miscellaneous/changelog.xml

Author: markt
Date: Tue Oct  9 17:19:33 2018
New Revision: 1843313

URL: http://svn.apache.org/viewvc?rev=1843313&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Add TLS 1.3 support (CLIENT-CERT untested)

Modified:
    tomcat/native/trunk/native/include/ssl_private.h
    tomcat/native/trunk/native/src/sslcontext.c
    tomcat/native/trunk/native/src/sslutils.c
    tomcat/native/trunk/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Tue Oct  9 17:19:33 2018
@@ -84,6 +84,7 @@
 #define SSL_PROTOCOL_TLSV1      (1<<2)
 #define SSL_PROTOCOL_TLSV1_1    (1<<3)
 #define SSL_PROTOCOL_TLSV1_2    (1<<4)
+#define SSL_PROTOCOL_TLSV1_3    (1<<5)
 
 #define SSL_MODE_CLIENT         (0)
 #define SSL_MODE_SERVER         (1)
@@ -180,6 +181,10 @@
 #define HAVE_TLSV1_2
 #endif
 
+#if defined(SSL_OP_NO_TLSv1_3)
+#define HAVE_TLSV1_3
+#endif
+
 /* Check for SSL_CONF support */
 #if defined(SSL_CONF_FLAG_FILE)
 #define HAVE_SSL_CONF_CMD

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Tue Oct  9 17:19:33 2018
@@ -152,7 +152,16 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if (protocol == SSL_PROTOCOL_TLSV1_2) {
+    if (protocol == SSL_PROTOCOL_TLSV1_3) {
+#ifdef HAVE_TLSV1_3
+        if (mode == SSL_MODE_CLIENT)
+            ctx = SSL_CTX_new(TLSv1_3_client_method());
+        else if (mode == SSL_MODE_SERVER)
+            ctx = SSL_CTX_new(TLSv1_3_server_method());
+        else
+            ctx = SSL_CTX_new(TLSv1_3_method());
+#endif
+    } else if (protocol == SSL_PROTOCOL_TLSV1_2) {
 #ifdef HAVE_TLSV1_2
         if (mode == SSL_MODE_CLIENT)
             ctx = SSL_CTX_new(TLSv1_2_client_method());
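Review bot: The TLSv1_3_client_method(), TLSv1_3_server_method() and TLSv1_3_method() calls on lines 59-63 name functions that, as far as I know, no OpenSSL release provides; 1.1.x only has the generic TLS_method() family and selects TLS 1.3 through the min/max protocol version, which is what the `#else` branch of this function already does. The calls compile only because HAVE_TLSV1_3 (derived from SSL_OP_NO_TLSv1_3 in the ssl_private.h hunk) is never defined on the `OPENSSL_VERSION_NUMBER < 0x10100000L` path this block sits under, so the new branch is dead code that would fail to link if that guard ever became true. Consider dropping the `#ifdef HAVE_TLSV1_3` body here and letting the `#ifndef HAVE_TLSV1_3 ... /* requested but not supported */` arm added in the next hunk cover TLSV1_3 on this path, or at least record the situation: `/* No TLSv1_3_*method() exists in OpenSSL; TLS 1.3 is only reachable via the version-range code in the >= 1.1.0 branch */`. The enclosing TCN_IMPLEMENT_CALL function starts and ends outside the hunk.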
@@ -186,6 +195,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
             ctx = SSL_CTX_new(SSLv3_method());
     } else if (protocol == SSL_PROTOCOL_SSLV2) {
         /* requested but not supported */
+#ifndef HAVE_TLSV1_3
+    } else if (protocol & SSL_PROTOCOL_TLSV1_3) {
+        /* requested but not supported */
+#endif
 #ifndef HAVE_TLSV1_2
     } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
         /* requested but not supported */
@@ -241,9 +254,19 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
     if (!(protocol & SSL_PROTOCOL_TLSV1_2))
         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
 #endif
+#ifdef HAVE_TLSV1_3
+    if (!(protocol & SSL_PROTOCOL_TLSV1_3))
+        SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
+#endif
 
 #else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
     /* We first determine the maximum protocol version we should provide */
+#ifdef HAVE_TLSV1_3
+    if (protocol & SSL_PROTOCOL_TLSV1_3) {
+        prot = TLS1_3_VERSION;
+    } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
     if (protocol & SSL_PROTOCOL_TLSV1_2) {
         prot = TLS1_2_VERSION;
     } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
@@ -261,6 +284,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 
     /* Next we scan for the minimal protocol version we should provide,
      * but we do not allow holes between max and min */
+#ifdef HAVE_TLSV1_3
+    if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
+        prot = TLS1_2_VERSION;
+    } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
     if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
         prot = TLS1_1_VERSION;
     }
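Review bot: The `} else` on line 107 turns the pre-existing `if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1)` on line 110 into the else-branch of the new TLS 1.3 step-down, so when the maximum is TLS 1.3 and TLS 1.2 is also enabled, prot is lowered to TLS1_2_VERSION and the TLS 1.2 → TLS 1.1 step is then skipped: for a mask of TLSV1_3|TLSV1_2|TLSV1_1 the minimum comes out as TLS 1.2 instead of TLS 1.1. Unlike the maximum-version selection in the previous hunk, which is an if/else-if chain, the minimum scan below is written as independent `if` statements that each lower prot by one step, so the new step must not be chained with an else; replace lines 107-108 with a plain `}` so the block reads `if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; }` followed directly by `#endif`. The remaining step-down checks and the code that consumes prot are outside the hunk, so I cannot see whether they are also else-chained; if they are, the same fix applies there.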

Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Tue Oct  9 17:19:33 2018
@@ -386,12 +386,24 @@ int SSL_callback_SSL_verify(int ok, X509
 void SSL_callback_handshake(const SSL *ssl, int where, int rc)
 {
     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
+#ifdef HAVE_TLSV1_3
+    const SSL_SESSION *session = SSL_get_session(ssl);
+#endif
 
     /* Retrieve the conn_rec and the associated SSLConnRec. */
     if (con == NULL) {
         return;
     }
 
+#ifdef HAVE_TLSV1_3
+    /* TLS 1.3 does not use renegotiation so do not update the renegotiation
+     * state once we know we are using TLS 1.3. */
+    if (session != NULL) {
+        if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
+            return;
+        }
+    }
+#endif
 
     /* If the reneg state is to reject renegotiations, check the SSL
      * state machine and move to ABORT if a Client Hello is being
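Review bot: The comment on lines 133-134 says TLS 1.3 does not renegotiate but not why this callback needs an early return, which is the non-obvious part: presumably OpenSSL still reports post-handshake messages (KeyUpdate, post-handshake client authentication) through the info callback with SSL_CB_HANDSHAKE_START, which the renegotiation-rejection logic below would otherwise treat as a renegotiation attempt — worth confirming and stating, e.g. `/* TLS 1.3 has no renegotiation, but OpenSSL reports post-handshake messages (KeyUpdate, post-handshake auth) as handshake events; do not let those trip the renegotiation-reject logic below. */`. Note that returning here also means con->reneg_state is never advanced to RENEG_REJECT for TLS 1.3 connections (the SSL_CB_HANDSHAKE_DONE branch on line 145 is skipped), which is harmless only if nothing outside this callback depends on that transition; and the nested checks on lines 135-139 can be a single guard, `if (session != NULL && SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) { return; }`. SSL_callback_handshake continues into the next hunk.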
@@ -405,7 +417,6 @@ void SSL_callback_handshake(const SSL *s
     else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) {
         con->reneg_state = RENEG_REJECT;
     }
-
 }
 
 int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
@@ -595,7 +606,7 @@ static int parse_asn1_length(unsigned ch
         // Single byte length
         *len = **asn1;
     }
-    
+
     (*asn1)++;
 
     return 0;

Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1843313&r1=1843312&r2=1843313&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Tue Oct  9 17:19:33 2018
@@ -43,6 +43,9 @@
       Remove support for Netware as there has not been a supported Netware
       platform for a number of years. (markt)
     </scode>
+    <add>
+      <bug>62748</bug>: Add support for TLS 1.3. (schultz/markt)
+    </add>
   </changelog>
 </section>
 <section name="Changes in 1.2.17">


