qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From astitc...@apache.org
Subject [qpid-proton] branch master updated: PROTON-1989: [c] Support TLSv1.3 with openssl 1.1.1
Date Fri, 22 Feb 2019 21:35:42 GMT
This is an automated email from the ASF dual-hosted git repository.

astitcher pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git


The following commit(s) were added to refs/heads/master by this push:
     new 7db4c2c  PROTON-1989: [c] Support TLSv1.3 with openssl 1.1.1
7db4c2c is described below

commit 7db4c2c0b720c567d808ae71e49abeb734f5a6a2
Author: Andrew Stitcher <astitcher@apache.org>
AuthorDate: Fri Feb 22 16:20:07 2019 -0500

    PROTON-1989: [c] Support TLSv1.3 with openssl 1.1.1
---
 c/include/proton/ssl.h |  2 +-
 c/src/ssl/openssl.c    | 16 +++++++++++++---
 c/tests/ssl_test.cpp   | 12 ++++++++++++
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/c/include/proton/ssl.h b/c/include/proton/ssl.h
index 81a17a2..8258e16 100644
--- a/c/include/proton/ssl.h
+++ b/c/include/proton/ssl.h
@@ -232,7 +232,7 @@ PN_EXTERN int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
  * @param[in] domain the ssl domain to configure.
  * @param[in] protocols string representing the protocol list.
  * This list is a space separated string of the allowed TLS protocols,
- * The current possibilities are TLSv1 TLSv1.1 TLSv1.2. None of the earlier SSL
+ * The current possibilities are TLSv1 TLSv1.1 TLSv1.2 TLSv1.3. None of the earlier SSL
  * protocols are allowed for security reason.
  *
  * @note If this API not called then all the TLS protocols are allowed. The API only acts
to
diff --git a/c/src/ssl/openssl.c b/c/src/ssl/openssl.c
index c2b5869..c791b73 100644
--- a/c/src/ssl/openssl.c
+++ b/c/src/ssl/openssl.c
@@ -624,10 +624,20 @@ int pn_ssl_domain_set_protocols(pn_ssl_domain_t *domain, const char
*protocols)
   {
     {"TLSv1",   SSL_OP_NO_TLSv1},
     {"TLSv1.1", SSL_OP_NO_TLSv1_1},
-    {"TLSv1.2", SSL_OP_NO_TLSv1_2}
+    {"TLSv1.2", SSL_OP_NO_TLSv1_2},
+#ifdef SSL_OP_NO_TLSv1_3
+    {"TLSv1.3", SSL_OP_NO_TLSv1_3},
+#endif
   };
   static const char seps[]    = " ,;";
-  static const long all_prots = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+  static const long all_prots =
+    SSL_OP_NO_TLSv1
+    | SSL_OP_NO_TLSv1_1
+    | SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_3
+    | SSL_OP_NO_TLSv1_3
+#endif
+    ;
 
   // Start with all protocols turned off
   long options = all_prots;
@@ -643,7 +653,7 @@ int pn_ssl_domain_set_protocols(pn_ssl_domain_t *domain, const char *protocols)
     }
     if (tsize==0) break; // No more tokens
 
-    // Linear search the posibilities for the option to set
+    // Linear search the possibilities for the option to set
     for (size_t i = 0; i<sizeof(protocol_options)/sizeof(*protocol_options); ++i) {
       if (strncmp(token, protocol_options[i].name, tsize)==0) {
         options &= ~protocol_options[i].option;
diff --git a/c/tests/ssl_test.cpp b/c/tests/ssl_test.cpp
index bd1e228..122ad4c 100644
--- a/c/tests/ssl_test.cpp
+++ b/c/tests/ssl_test.cpp
@@ -41,12 +41,24 @@ TEST_CASE("ssl_protocols") {
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.1") == 0);
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2") == 0);
 
+  // Check whether TLS 1.3 is supported
+  bool tls1_3 = (pn_ssl_domain_set_protocols(sd, "TLSv1.3") == 0);
+
   // Multiple protocols
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2") == 0);
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1") == 0);
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.1 TLSv1.2") == 0);
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.2") == 0);
 
+  // Can only do these if we have tls 1.3
+  if (tls1_3) {
+    CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3") == 0);
+    CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2 TLSv1.3") == 0);
+  } else {
+    CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3") == PN_ARG_ERR);
+    CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2 TLSv1.3") == PN_ARG_ERR);
+  }
+
   // Illegal separators
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1/TLSv1.1 TLSv1.2") == PN_ARG_ERR);
   CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1-TLSv1.1 TLSv1.2") == PN_ARG_ERR);


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message