Update openssl_options values to 1.1.1c

author Phil Pennock <pdp@exim.org>

Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)

committer Phil Pennock <pdp@exim.org>

Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)
author Phil Pennock <pdp@exim.org>
Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)
committer Phil Pennock <pdp@exim.org>
Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog

index f0dccdc62943f9abfbc764bf8530191eab5da30b..43b306d3b8d787989746c3cc3844a0bbc4205fd0 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -108,6 +108,11 @@ JH/22 Taint checking: move to a hybrid approach for checking.  Previously, one
        where these assumptions do not hold.  The new implementation tests for
        the situation arising and actively switches over from fast to safe mode.
  
+PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
+      New values supported, if defined on system where compiled:
+      allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
+      no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
+
  
  Exim version 4.93
  -----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c

index c97dc1bff2f48a19d4bd1ebe7ce3c85c9d68db03..99d3f87f4795803adee75965bd7ab42016f18589 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -148,13 +148,10 @@ all options unless explicitly for DTLS, let the administrator choose which
  to apply.
  
  This list is current as of:
-  ==>  1.0.1b  <==
-Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
-Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
-Plus SSL_OP_NO_RENEGOTIATION for 1.1.1
+  ==>  1.1.1c  <==
  
  XXX could we autobuild this list, as with predefined-macros?
-Seems just parsing ssl.h for SSL_OP_.* would be enough.
+Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
  Also allow a numeric literal?
  */
  static exim_openssl_option exim_openssl_options[] = {
@@ -162,15 +159,24 @@ static exim_openssl_option exim_openssl_options[] = {
  #ifdef SSL_OP_ALL
    { US"all", (long) SSL_OP_ALL },
  #endif
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+  { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
+#endif
  #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
  #endif
  #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
    { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
  #endif
+#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
+  { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
+#endif
  #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
  #endif
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+  { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
+#endif
  #ifdef SSL_OP_EPHEMERAL_RSA
    { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
  #endif
@@ -192,9 +198,15 @@ static exim_openssl_option exim_openssl_options[] = {
  #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
  #endif
+#ifdef SSL_OP_NO_ANTI_REPLAY
+  { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
+#endif
  #ifdef SSL_OP_NO_COMPRESSION
    { US"no_compression", SSL_OP_NO_COMPRESSION },
  #endif
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+  { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
+#endif
  #ifdef SSL_OP_NO_RENEGOTIATION
    { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
  #endif
@@ -227,6 +239,9 @@ static exim_openssl_option exim_openssl_options[] = {
  #ifdef SSL_OP_NO_TLSv1_3
    { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
  #endif
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+  { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
+#endif
  #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
    { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
  #endif
@@ -251,6 +266,9 @@ static exim_openssl_option exim_openssl_options[] = {
  #ifdef SSL_OP_TLS_ROLLBACK_BUG
    { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
  #endif
+#ifdef SSL_OP_TLSEXT_PADDING
+  { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
+#endif
  };
  
  #ifndef MACRO_PREDEF
@@ -2829,7 +2847,7 @@ See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */
    uschar c, * s;
    size_t len = SSL_get_peer_finished(server_ssl, &c, 0);
    int old_pool = store_pool;
-  
+
    SSL_get_peer_finished(server_ssl, s = store_get((int)len, FALSE), len);
    store_pool = POOL_PERM;
      tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE);
@@ -3408,7 +3426,7 @@ tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
    uschar c, * s;
    size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0);
    int old_pool = store_pool;
-  
+
    SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len);
    store_pool = POOL_PERM;
      tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE);
author	Phil Pennock <pdp@exim.org>
	Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)
committer	Phil Pennock <pdp@exim.org>
	Fri, 17 Jan 2020 15:40:51 +0000 (10:40 -0500)
doc/doc-txt/ChangeLog		patch \| blob \| history
src/src/tls-openssl.c		patch \| blob \| history