INN commit: trunk (6 files)

INN Commit rra at isc.org
Sun Dec 10 15:21:26 UTC 2017


    Date: Sunday, December 10, 2017 @ 07:21:26
  Author: iulius
Revision: 10197

Add support for TLS 1.3

Modified:
  trunk/doc/pod/hacking.pod
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/news.pod
  trunk/nnrpd/tls.c
  trunk/nnrpd/tls.h
  trunk/samples/inn.conf.in

----------------------+
 doc/pod/hacking.pod  |    7 ++++++
 doc/pod/inn.conf.pod |    8 +++----
 doc/pod/news.pod     |    6 +++++
 nnrpd/tls.c          |   51 +++++++++++++++++++++++++++++--------------------
 nnrpd/tls.h          |    1 
 samples/inn.conf.in  |    2 -
 6 files changed, 50 insertions(+), 25 deletions(-)

Modified: doc/pod/hacking.pod
===================================================================
--- doc/pod/hacking.pod	2017-11-28 20:48:45 UTC (rev 10196)
+++ doc/pod/hacking.pod	2017-12-10 15:21:26 UTC (rev 10197)
@@ -692,6 +692,13 @@
 L<https://ftp.isc.org/pub/usenet/CONFIG/control.ctl> and
 L<http://rosalind.home.xs4all.nl/nocemreg/nocemreg.html>.
 
+=item *
+
+Check whether patches from OpenSSL (F<apps/s_cb.c>, F<apps/s_server.c>
+and F<crypto/bio/b_dump.c>) could be merged into F<nnrpd/tls.c>, as
+well as support for new TLS versions in the F<tlsprotocols> parameter
+in F<inn.conf>.
+
 =back
 
 =item 2.

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2017-11-28 20:48:45 UTC (rev 10196)
+++ doc/pod/inn.conf.pod	2017-12-10 15:21:26 UTC (rev 10197)
@@ -1153,14 +1153,14 @@
 =item I<tlsprotocols>
 
 The list of TLS/SSL protocol versions to support.  Valid protocols are
-B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>.  The default
-value is to only allow TLS protocols:
+B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2> and B<TLSv1.3>.
+The default value is to only allow TLS protocols:
 
-    tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
+    tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
 
 Note that the listed protocols will be enabled only if the OpenSSL
 library INN has been built with, supports them.  In case OpenSSL supports
-protocols more recent than TLSv1.2, they will be automatically enabled
+protocols more recent than TLSv1.3, they will be automatically enabled
 (which anyway is fine regarding security, as newer protocols are supposed
 to be more secure).
 

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2017-11-28 20:48:45 UTC (rev 10196)
+++ doc/pod/news.pod	2017-12-10 15:21:26 UTC (rev 10197)
@@ -44,6 +44,12 @@
 
 =item *
 
+The I<tlsprotocols> parameter in F<inn.conf> now recognizes the
+C<TLSv1.3> value (for OpenSSL versions implementing S<TLS 1.3>, that
+is to say starting from S<OpenSSL 1.1.1>).
+
+=item *
+
 Other minor bug fixes and documentation improvements.
 
 =back

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2017-11-28 20:48:45 UTC (rev 10196)
+++ nnrpd/tls.c	2017-12-10 15:21:26 UTC (rev 10197)
@@ -81,20 +81,20 @@
 
     if (where & SSL_CB_LOOP) {
 	if (tls_serverengine && (tls_loglevel >= 2))
-	    Printf("%s:%s", str, SSL_state_string_long(s));
+            syslog(L_NOTICE, "%s:%s", str, SSL_state_string_long(s));
     } else if (where & SSL_CB_ALERT) {
 	str = (where & SSL_CB_READ) ? "read" : "write";
 	if ((tls_serverengine && (tls_loglevel >= 2)) ||
 	    ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY))
-	  Printf("SSL3 alert %s:%s:%s", str,
+            syslog(L_NOTICE, "SSL3 alert %s:%s:%s", str,
 		 SSL_alert_type_string_long(ret),
 		 SSL_alert_desc_string_long(ret));
     } else if (where & SSL_CB_EXIT) {
 	if (ret == 0)
-	    Printf("%s:failed in %s",
+            syslog(L_ERROR, "%s:failed in %s",
 		     str, SSL_state_string_long(s));
 	else if (ret < 0) {
-	    Printf("%s:error in %s",
+            syslog(L_ERROR, "%s:error in %s",
 		     str, SSL_state_string_long(s));
 	}
     }
@@ -244,10 +244,12 @@
     err = X509_STORE_CTX_get_error(ctx);
     depth = X509_STORE_CTX_get_error_depth(ctx);
 
-    if (err_cert != NULL) {
-        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-        if ((tls_serveractive) && (tls_loglevel >= 1)) {
-            Printf("Peer cert verify depth=%d %s", depth, buf);
+    if ((tls_serveractive) && (tls_loglevel >= 1)) {
+        if (err_cert != NULL) {
+            X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+            syslog(L_NOTICE, "Peer cert verify depth=%d %s", depth, buf);
+        } else {
+            syslog(L_NOTICE, "Peer cert verify depth=%d <no cert>", depth);
         }
     }
     
@@ -280,7 +282,7 @@
 	break;
     }
     if ((tls_serveractive) && (tls_loglevel >= 1))
-      Printf("verify return:%d", ok);
+        syslog(L_NOTICE, "verify return:%d", ok);
 
     return (ok);
 }
@@ -348,7 +350,7 @@
 	/* If this is the last call, then update the ddt_dump thing so that
          * we will move the selection point in the debug window. */
 	if (tls_loglevel>0)
-	  Printf("%s", buf);
+            syslog(L_NOTICE, "%s", buf);
 	ret += strlen(buf);
     }
 #ifdef TRUNCATE
@@ -355,7 +357,7 @@
     if (trunc > 0) {
 	snprintf(buf, sizeof(buf), "%04x - <SPACES/NULS>\n", len+ trunc);
 	if (tls_loglevel>0)
-	  Printf("%s", buf);
+            syslog(L_NOTICE, "%s", buf);
 	ret += strlen(buf);
     }
 #endif
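Review bot: The buffer handed to syslog() on the new line still ends with the newline from the snprintf two lines above (`"%04x - <SPACES/NULS>\n"`), while the commit strips the trailing `\n` from the other messages it converts (the CA-data and cert/key ones); syslog entries are records, so the newline either appears literally or is escaped by the logger. Dropping it from the format keeps the log clean: `snprintf(buf, sizeof(buf), "%04x - <SPACES/NULS>", len + trunc);`. The hunk at -348 probably has the same issue, but the snprintf that builds its buf lies outside that hunk, so I cannot confirm it from here. The enclosing tls_dump function starts and ends outside both hunks.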
@@ -496,7 +498,7 @@
       return (0);				/* Already running. */
 
     if (tls_loglevel >= 2)
-      Printf("starting TLS engine");
+      syslog(L_NOTICE, "starting TLS engine");
 
 /* New functions have been introduced in OpenSSL 1.1.0. */
 #if OPENSSL_VERSION_NUMBER < 0x010100000L
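Review bot: The version check right after the converted log line, `#if OPENSSL_VERSION_NUMBER < 0x010100000L`, has nine hex digits, whereas OpenSSL encodes its version as eight (MNNFFPPS, e.g. 0x1010000fL for 1.1.0); as written the constant is 0x101000000, which appears to be larger than every 1.x release number, so the pre-1.1.0 branch would be taken even on the 1.1.1 builds this commit targets for TLS 1.3. This line is context, not part of the change, but since the commit depends on 1.1.1 behaviour it is worth confirming and, if so, correcting to `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. The enclosing tls_init_serverengine function starts and ends outside the hunk.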
@@ -530,7 +532,7 @@
     if ((!SSL_CTX_load_verify_locations(CTX, CAfile, CApath)) ||
 	(!SSL_CTX_set_default_verify_paths(CTX))) {
       if (tls_loglevel >= 2)
-	Printf("TLS engine: cannot load CA data\n");
+          syslog(L_ERROR, "TLS engine: cannot load CA data");
       return (-1);
     }
     
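Review bot: The message is promoted to L_ERROR but remains behind `if (tls_loglevel >= 2)`, so a failure to load the CA data — which makes the function return -1 on the very next line — is silent at the default log level, and an operator sees only that TLS is not available. A failure that aborts TLS startup should be logged unconditionally: drop the `if` and keep `syslog(L_ERROR, "TLS engine: cannot load CA data");`. The cert/key hunk at -545 has the same gate and should be changed the same way. The enclosing function starts and ends outside the hunk.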
@@ -545,7 +547,7 @@
     
     if (!set_cert_stuff(CTX, s_cert_file, s_key_file)) {
       if (tls_loglevel >= 2)
-	Printf("TLS engine: cannot load cert/key data\n");
+          syslog(L_ERROR, "TLS engine: cannot load cert/key data");
       return (-1);
     }
 
@@ -600,6 +602,8 @@
                     tls_protos |= INN_TLS_TLSv1_1;
                 } else if (strcmp(tls_proto_vect->strings[i], "TLSv1.2") == 0) {
                     tls_protos |= INN_TLS_TLSv1_2;
+                } else if (strcmp(tls_proto_vect->strings[i], "TLSv1.3") == 0) {
+                    tls_protos |= INN_TLS_TLSv1_3;
                 } else {
                     syslog(L_ERROR, "TLS engine: unknown protocol '%s' in tlsprotocols",
                            tls_proto_vect->strings[i]);
@@ -608,7 +612,8 @@
         }
     } else {
         /* Default value:  allow only TLS protocols. */
-        tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2);
+        tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2
+                      | INN_TLS_TLSv1_3);
     }
 
     if ((tls_protos & INN_TLS_SSLv2) == 0) {
@@ -635,6 +640,12 @@
 #endif
     }
 
+    if ((tls_protos & INN_TLS_TLSv1_3) == 0) {
+#ifdef SSL_OP_NO_TLSv1_3
+        SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1_3);
+#endif
+    }
+
     if (tls_ciphers != NULL) {
         if (SSL_CTX_set_cipher_list(CTX, tls_ciphers) == 0) {
             syslog(L_ERROR, "TLS engine: cannot set cipher list");
@@ -728,15 +739,15 @@
 	return (ret);
 
     if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
-        Printf("read from %08lX [%08lX] (%d bytes => %ld (0x%X))",
+        syslog(L_NOTICE, "read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
                (unsigned long) bio, (unsigned long) argp,
-               argi, ret, (unsigned int) ret);
+               argi, ret, (unsigned long) ret);
 	tls_dump(argp, (int) ret);
 	return (ret);
     } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
-        Printf("write to %08lX [%08lX] (%d bytes => %ld (0x%X))",
+        syslog(L_NOTICE, "write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
                (unsigned long) bio, (unsigned long) argp,
-               argi, ret, (unsigned int) ret);
+               argi, ret, (unsigned long) ret);
 	tls_dump(argp, (int) ret);
     }
     return (ret);
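Review bot: After this change the BIO callback, when it fires, writes the decrypted record payload to syslog at L_NOTICE (via `tls_dump(argp, (int) ret)` on both the read and the write side), where previously it went through Printf; for nnrpd that payload includes AUTHINFO user/pass lines, so syslog now becomes a store of plaintext credentials whenever dumping is on. The condition that enables the callback is above the hunk, so I cannot see how it is gated; at minimum a comment should make the consequence explicit, e.g. above the read branch: `/* Dumps decrypted session bytes (may include AUTHINFO credentials) to syslog; debugging only. */`, and the tlsprotocols/loglevel documentation should say the same. The enclosing function starts outside the hunk.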
@@ -767,7 +778,7 @@
       return (-1);
     }
     if (tls_loglevel >= 1)
-	Printf("setting up TLS connection");
+	syslog(L_NOTICE, "setting up TLS connection");
 
     if (tls_conn == NULL)
     {

Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h	2017-11-28 20:48:45 UTC (rev 10196)
+++ nnrpd/tls.h	2017-12-10 15:21:26 UTC (rev 10197)
@@ -49,6 +49,7 @@
 #define INN_TLS_TLSv1 4
 #define INN_TLS_TLSv1_1 8
 #define INN_TLS_TLSv1_2 16
+#define INN_TLS_TLSv1_3 32
 
 /* Init TLS engine. */
 int tls_init_serverengine(int verifydepth, /* Depth to verify. */

Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in	2017-11-28 20:48:45 UTC (rev 10196)
+++ samples/inn.conf.in	2017-12-10 15:21:26 UTC (rev 10197)
@@ -144,7 +144,7 @@
 #tlscompression:             false
 #tlseccurve:
 #tlspreferserverciphers:     true
-#tlsprotocols:               [ TLSv1 TLSv1.1 TLSv1.2 ]
+#tlsprotocols:               [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
 
 # Monitoring
 


