[Openvpn-devel,2/3] Add support for TLS 1.3 in --tls-version-{min, max}

Message ID 20171126141555.25930-2-steffan@karger.me
State Accepted
Headers show
Series
  • [Openvpn-devel,1/3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Related show

Commit Message

Steffan Karger Nov. 26, 2017, 2:15 p.m.
Tested with the current openssl master branch for TLS 1.3 support.

mbed TLS has no public builds with TLS 1.3 support yet, so nothing to do
there right now.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/ssl.c         |  4 ++++
 src/openvpn/ssl_backend.h |  1 +
 src/openvpn/ssl_openssl.c | 10 +++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

Comments

Gert Doering Jan. 20, 2018, 1:07 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Straightforward extention of the current code to add another branch
for 1.3.  Since it's really trivial, does not change existing code paths,
and we want 2.4 to be "ready for TLS 1.3 when it shows up", applied to 2.4 
as well.

Your patch has been applied to the master and release/2.4 branch.

commit 8ca9eda119638a88863118affd69dfaf8b867c92 (master)
commit 59dbb8602f30d278bd152a4a736c2af8345368eb (release/2.4)
Author: Steffan Karger
Date:   Sun Nov 26 15:15:54 2017 +0100

     Add support for TLS 1.3 in --tls-version-{min, max}

     Signed-off-by: Steffan Karger <steffan@karger.me>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20171126141555.25930-2-steffan@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15932.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 843bc393..d61688c5 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -530,6 +530,10 @@  tls_version_parse(const char *vstr, const char *extra)
     {
         return TLS_VER_1_2;
     }
+    else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+    {
+        return TLS_VER_1_3;
+    }
     else if (extra && !strcmp(extra, "or-highest"))
     {
         return max_version;
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index f588110c..7f6057e6 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -114,6 +114,7 @@  void tls_clear_error(void);
 #define TLS_VER_1_0     1
 #define TLS_VER_1_1     2
 #define TLS_VER_1_2     3
+#define TLS_VER_1_3     4
 int tls_version_parse(const char *vstr, const char *extra);
 
 /**
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b645b469..18c0ba5f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -206,7 +206,9 @@  info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
 int
 tls_version_max(void)
 {
-#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+#if defined(TLS1_3_VERSION)
+    return TLS_VER_1_3;
+#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
     return TLS_VER_1_2;
 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
     return TLS_VER_1_1;
@@ -231,6 +233,12 @@  openssl_tls_version(int ver)
     {
         return TLS1_2_VERSION;
     }
+#if defined(TLS1_3_VERSION)
+    else if (ver == TLS_VER_1_3)
+    {
+        return TLS1_3_VERSION;
+    }
+#endif
     return 0;
 }