lib-ssl-iostream: Support TLSv1.3 ciphersuites
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 29 Jul 2019 13:08:07 +0000 (16:08 +0300)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Tue, 10 Sep 2019 07:02:07 +0000 (10:02 +0300)
m4/ssl.m4
src/lib-ssl-iostream/iostream-openssl-context.c
src/lib-ssl-iostream/iostream-openssl.c
src/lib-ssl-iostream/iostream-ssl.c
src/lib-ssl-iostream/iostream-ssl.h
src/lib-ssl-iostream/test-iostream-ssl.c

index faf9cb1c4ef833ff33ef4d2a6d16708000556d9a..b9329a642ebfdf104ad423741b7a34a9775da073 100644 (file)
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -212,6 +212,9 @@ AC_DEFUN([DOVECOT_SSL], [
       AC_CHECK_LIB(ssl, EVP_PKEY_get0_RSA, [
         AC_DEFINE(HAVE_EVP_PKEY_get0,, [Build with EVP_PKEY_get0_*() support])
       ],, $SSL_LIBS)
+      AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [
+        AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES,, [Build with SSL_CTX_set_ciphersuites() support])
+      ],, $SSL_LIBS)
       AC_CHECK_LIB(ssl, [EVP_PKEY_CTX_new_id], [have_evp_pkey_ctx_new_id="yes"],, $SSL_LIBS)
       AC_CHECK_LIB(ssl, [EC_KEY_new], [have_ec_key_new="yes"],, $SSL_LIBS)
       if test "$have_evp_pkey_ctx_new_id" = "yes" && test "$have_ec_key_new" = "yes"; then
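Review bot: When the added `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, ...)` fails, `HAVE_SSL_CTX_SET_CIPHERSUITES` stays undefined and a configured `ciphersuites` value appears to be dropped without any diagnostic. The guarded blocks in iostream-openssl-context.c and iostream-openssl.c have no `#else` in the lines shown. If the linked library still negotiates TLSv1.3, an administrator who restricted the suites would run with the library defaults and not know it. Consider an `#else` branch in ssl_iostream_context_set that rejects, or at least logs, a non-NULL `set->ciphersuites`.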
index c4a614f65bfaa8094429ff2323bc01be91f577dc..3824ddda01eeb11806ef1abd487fa85df55d68c7 100644 (file)
@@ -387,6 +387,14 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
                                           set->curve_list);
                return -1;
        }
+#endif
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+       if (set->ciphersuites != NULL &&
+           SSL_CTX_set_ciphersuites(ctx->ssl_ctx, set->ciphersuites) == 0) {
+               *error_r = t_strdup_printf("Can't set ciphersuites to '%s': %s",
+                       set->cipher_list, openssl_iostream_error());
+               return -1;
+       }
 #endif
        if (set->prefer_server_ciphers) {
                SSL_CTX_set_options(ctx->ssl_ctx,
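Review bot: The new error message formats `set->cipher_list` instead of `set->ciphersuites`, so a rejected TLSv1.3 suite string is reported with the value of the other setting and points the operator at the wrong one. The argument line should read `set->ciphersuites, openssl_iostream_error());`, as the matching block in openssl_iostream_set already does. If `cipher_list` can be NULL at this point, the current line also hands NULL to a `%s` conversion. ssl_iostream_context_set starts and ends outside the hunk.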
index 5b87ee68d60d6509a204b4677c7cd35f1a2204fc..5b2d8c7a8a82cd55ea3e8de1c6f0d3af85821c2d 100644 (file)
@@ -180,6 +180,17 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
                        return -1;
                }
        }
+#endif
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+        if (set->ciphersuites != NULL &&
+           strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) {
+               if (SSL_set_ciphersuites(ssl_io->ssl, set->ciphersuites) == 0) {
+                       *error_r = t_strdup_printf(
+                               "Can't set ciphersuites to '%s': %s",
+                               set->ciphersuites, openssl_iostream_error());
+                       return -1;
+               }
+       }
 #endif
        if (set->prefer_server_ciphers)
                SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
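Review bot: `strcmp(ctx_set->ciphersuites, set->ciphersuites)` is guarded only by `set->ciphersuites != NULL`, so `ctx_set->ciphersuites` is passed to strcmp unchecked. The context code treats NULL as "not configured", so a context without ciphersuites plus a per-stream override would reach strcmp with a NULL argument, unless code outside this hunk guarantees the context value is set. Suggest `null_strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0` or an explicit NULL test before the comparison. openssl_iostream_set starts and ends outside the hunk.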
index f857ec9f88b76a0db5997be4202cd7ac23032054..f62c80d37f07ec947336d276fb4831c6c1524dad 100644 (file)
@@ -8,6 +8,7 @@
 static const size_t ssl_iostream_settings_string_offsets[] = {
        OFFSET(min_protocol),
        OFFSET(cipher_list),
+       OFFSET(ciphersuites),
        OFFSET(curve_list),
        OFFSET(ca),
        OFFSET(ca_file),
index 7ef4ef003b4185fcc0edbf354b7e25a75ec57897..322448691fefca8d0b6e6f67d185329b8d42eab6 100644 (file)
@@ -16,6 +16,7 @@ struct ssl_iostream_settings {
           ssl_iostream_settings_drop_stream_only() */
        const char *min_protocol; /* both */
        const char *cipher_list; /* both */
+       const char *ciphersuites; /* both, TLSv1.3 only */
        const char *curve_list; /* both */
        const char *ca, *ca_file, *ca_dir; /* context-only */
        /* alternative cert is for providing certificate using
index c3418bfcc5b95a977d583804c0fd9a1a60ca5fde..a87c97f7c2fb75367103e937e8a8205899c143c8 100644 (file)
@@ -327,6 +327,8 @@ static void test_iostream_ssl_handshake(void)
        ssl_iostream_test_settings_client(&client_set);
        server_set.cipher_list = "ECDSA";
        client_set.cipher_list = "RSA";
+       server_set.ciphersuites = "TLS_CHACHA20_POLY1305_SHA256";
+       client_set.ciphersuites = "TLS_AES_128_CCM_SHA256";
        client_set.prefer_server_ciphers = TRUE;
        client_set.verify_remote_cert = TRUE;
        test_expect_error_string("client(127.0.0.1): SSL certificate not received");
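Review bot: The two added `ciphersuites` assignments are not checked by any visible assertion. The expected string is still "SSL certificate not received", which does not show that the TLSv1.3 suites were applied or that the new error path works. On a build without `HAVE_SSL_CTX_SET_CIPHERSUITES` the values would be ignored and this test would presumably pass unchanged. A separate case that sets an invalid suite name and expects the "Can't set ciphersuites to" error, guarded by the same `#ifdef`, would cover the new code. test_iostream_ssl_handshake continues outside the hunk.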