From 8f6f04eb21276f28b81695dd0d3df57c7b8f43e4 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Mon, 29 Jul 2019 16:08:07 +0300
Subject: [PATCH] lib-ssl-iostream: Support TLSv1.3 ciphersuites
---
 m4/ssl.m4 | 3 +++
 src/lib-ssl-iostream/iostream-openssl-context.c | 8 ++++++++
 src/lib-ssl-iostream/iostream-openssl.c | 11 +++++++++++
 src/lib-ssl-iostream/iostream-ssl.c | 1 +
 src/lib-ssl-iostream/iostream-ssl.h | 1 +
 src/lib-ssl-iostream/test-iostream-ssl.c | 2 ++
 6 files changed, 26 insertions(+)
diff --git a/m4/ssl.m4 b/m4/ssl.m4
index faf9cb1c4e..b9329a642e 100644
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -212,6 +212,9 @@ AC_DEFUN([DOVECOT_SSL], [
 AC_CHECK_LIB(ssl, EVP_PKEY_get0_RSA, [
 AC_DEFINE(HAVE_EVP_PKEY_get0,, [Build with EVP_PKEY_get0_*() support])
 ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [
+ AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES,, [Build with SSL_CTX_set_ciphersuites() support])
+ ],, $SSL_LIBS)
 AC_CHECK_LIB(ssl, [EVP_PKEY_CTX_new_id], [have_evp_pkey_ctx_new_id="yes"],, $SSL_LIBS)
 AC_CHECK_LIB(ssl, [EC_KEY_new], [have_ec_key_new="yes"],, $SSL_LIBS)
 if test "$have_evp_pkey_ctx_new_id" = "yes" && test "$have_ec_key_new" = "yes"; then
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index c4a614f65b..3824ddda01 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -387,6 +387,14 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 set->curve_list);
 return -1;
 }
+#endif
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ if (set->ciphersuites != NULL &&
+ SSL_CTX_set_ciphersuites(ctx->ssl_ctx, set->ciphersuites) == 0) {
+ *error_r = t_strdup_printf("Can't set ciphersuites to '%s': %s",
+ set->cipher_list, openssl_iostream_error());
+ return -1;
+ }
 #endif
 if (set->prefer_server_ciphers) {
 SSL_CTX_set_options(ctx->ssl_ctx,
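Review bot: When this check fails, `HAVE_SSL_CTX_SET_CIPHERSUITES` stays undefined and both C blocks guarded by it compile out, so a configured `ciphersuites` restriction is dropped without any message. The settings struct carries the field unconditionally, so an administrator who narrows the TLSv1.3 suites on such a build gets the library defaults instead and nothing in the visible hunks reports it. Consider an `#else` branch in ssl_iostream_context_set() that at least logs it, for example `if (set->ciphersuites != NULL) i_warning("ciphersuites is set, but this OpenSSL build has no SSL_CTX_set_ciphersuites()");`. Whether this should be a hard error depends on defaults set outside this patch.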
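Review bot: The error path in the added block formats `set->cipher_list` rather than the value that was just rejected; the argument line should read `set->ciphersuites, openssl_iostream_error());`. As written, a bad TLSv1.3 suite string is reported with the TLSv1.2 cipher list in the message, which misleads whoever is debugging the TLS configuration. If `cipher_list` happens to be NULL, a null pointer is passed for `%s`; how t_strdup_printf handles that is not visible here. The matching block in iostream-openssl.c already uses `set->ciphersuites`. ssl_iostream_context_set() starts and ends outside this hunk.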
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 5b87ee68d6..5b2d8c7a8a 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -180,6 +180,17 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 return -1;
 }
 }
+#endif
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ if (set->ciphersuites != NULL &&
+ strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) {
+ if (SSL_set_ciphersuites(ssl_io->ssl, set->ciphersuites) == 0) {
+ *error_r = t_strdup_printf(
+ "Can't set ciphersuites to '%s': %s",
+ set->ciphersuites, openssl_iostream_error());
+ return -1;
+ }
+ }
 #endif
 if (set->prefer_server_ciphers)
 SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index f857ec9f88..f62c80d37f 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -8,6 +8,7 @@
 static const size_t ssl_iostream_settings_string_offsets[] = {
 OFFSET(min_protocol),
 OFFSET(cipher_list),
+ OFFSET(ciphersuites),
 OFFSET(curve_list),
 OFFSET(ca),
 OFFSET(ca_file),
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 7ef4ef003b..322448691f 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -16,6 +16,7 @@ struct ssl_iostream_settings {
 ssl_iostream_settings_drop_stream_only() */
 const char *min_protocol; /* both */
 const char *cipher_list; /* both */
+ const char *ciphersuites; /* both, TLSv1.3 only */
 const char *curve_list; /* both */
 const char *ca, *ca_file, *ca_dir; /* context-only */
 /* alternative cert is for providing certificate using
diff --git a/src/lib-ssl-iostream/test-iostream-ssl.c b/src/lib-ssl-iostream/test-iostream-ssl.c
index c3418bfcc5..a87c97f7c2 100644
--- a/src/lib-ssl-iostream/test-iostream-ssl.c
+++ b/src/lib-ssl-iostream/test-iostream-ssl.c
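Review bot: In the iostream-openssl.c hunk, `strcmp(ctx_set->ciphersuites, set->ciphersuites)` reads `ctx_set->ciphersuites` without a NULL check, although the context-level code treats the field as optional (`set->ciphersuites != NULL`). If the context was created without ciphersuites and a per-stream setting supplies one, strcmp() receives a null pointer, which is undefined behaviour and would most likely crash during TLS setup. The condition should be `(ctx_set->ciphersuites == NULL || strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0)`. `ctx_set` is assigned outside this hunk, so confirm there that it is not given a non-NULL default.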
@@ -327,6 +327,8 @@ static void test_iostream_ssl_handshake(void)
 ssl_iostream_test_settings_client(&client_set);
 server_set.cipher_list = "ECDSA";
 client_set.cipher_list = "RSA";
+ server_set.ciphersuites = "TLS_CHACHA20_POLY1305_SHA256";
+ client_set.ciphersuites = "TLS_AES_128_CCM_SHA256";
 client_set.prefer_server_ciphers = TRUE;
 client_set.verify_remote_cert = TRUE;
 test_expect_error_string("client(127.0.0.1): SSL certificate not received");
-- 2.47.3
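Review bot: These two assignments do not show that the `ciphersuites` setting takes effect, because they are added to a case that already expects the handshake to fail with "SSL certificate not received". On a build without `HAVE_SSL_CTX_SET_CIPHERSUITES` the fields are never read, so the test passes either way. A dedicated case would cover the new code: one that passes an invalid suite string and expects the "Can't set ciphersuites to" error, and one TLSv1.3 handshake with disjoint suites that expects a failure caused by the suites themselves. test_iostream_ssl_handshake() continues outside this hunk, so such coverage may exist elsewhere in the file.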