Merge branch 'poco-1.9.1' of https://github.com/pocoproject/poco.git into poco-1.9.1

Crypto/include/Poco/Crypto/Crypto.h

@@ -120,8 +120,13 @@ enum RSAPaddingMode
 			#endif
 		#elif defined(POCO_EXTERNAL_OPENSSL)
 			#if POCO_EXTERNAL_OPENSSL == POCO_EXTERNAL_OPENSSL_SLPRO
+				#if defined(POCO_DLL)
+					#pragma comment(lib, "libeay32.lib")
+					#pragma comment(lib, "ssleay32.lib")
+			  	#else
 					#pragma comment(lib, "libeay32" POCO_LIB_SUFFIX)
 					#pragma comment(lib, "ssleay32" POCO_LIB_SUFFIX)
+				#endif
 			#elif POCO_EXTERNAL_OPENSSL == POCO_EXTERNAL_OPENSSL_DEFAULT
 				#pragma comment(lib, "libeay32.lib")
 				#pragma comment(lib, "ssleay32.lib")

NetSSL_OpenSSL/include/Poco/Net/Context.h

@@ -42,6 +42,23 @@ class NetSSL_API Context: public Poco::RefCountedObject
 	///
 	/// The Context class is also used to control
 	/// SSL session caching on the server and client side.
+	///
+	/// A Note Regarding TLSv1.3 Support:
+	///
+	/// TLSv1.3 support requires at least OpenSSL version 1.1.1.
+	/// In order to enable TLSv1.3 support, specify TLSV1_3_CLIENT_USE
+	/// or TLSV1_3_SERVER_USE and make sure that the TLSv1.3
+	/// cipher suites are enabled:
+	///
+	///   - TLS_AES_256_GCM_SHA384
+	///   - TLS_CHACHA20_POLY1305_SHA256
+	///   - TLS_AES_128_GCM_SHA256
+	///   - TLS_AES_128_CCM_8_SHA256
+	///   - TLS_AES_128_CCM_SHA256
+	///
+	/// The first three of the above cipher suites should be enabled
+	/// by default in OpenSSL if you do not provide an explicit
+	/// cipher configuration (cipherList).
 {
 public:
 	typedef Poco::AutoPtr<Context> Ptr;
@@ -55,7 +72,9 @@ public:
 		TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
 		TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
 		TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
-		TLSV1_2_SERVER_USE  /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_2_SERVER_USE, /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_3_CLIENT_USE, /// Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
+		TLSV1_3_SERVER_USE  /// Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
 	};
 
 	enum VerificationMode
@@ -101,7 +120,8 @@ public:
 		PROTO_SSLV3   = 0x02,
 		PROTO_TLSV1   = 0x04,
 		PROTO_TLSV1_1 = 0x08,
-		PROTO_TLSV1_2 = 0x10
+		PROTO_TLSV1_2 = 0x10,
+		PROTO_TLSV1_3 = 0x20
 	};
 
 	struct NetSSL_API Params

NetSSL_OpenSSL/include/Poco/Net/SSLManager.h

@@ -93,7 +93,8 @@ class NetSSL_API SSLManager
 	///            <requireTLSv1>true|false</requireTLSv1>
 	///            <requireTLSv1_1>true|false</requireTLSv1_1>
 	///            <requireTLSv1_2>true|false</requireTLSv1_2>
-	///            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2</disableProtocols>
+	///            <requireTLSv1_3>true|false</requireTLSv1_3>
+	///            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2,tlsv1_3</disableProtocols>
 	///            <dhParamsFile>dh.pem</dhParamsFile>
 	///            <ecdhCurve>prime256v1</ecdhCurve>
 	///          </server|client>
@@ -143,14 +144,17 @@ class NetSSL_API SSLManager
 	///    - requireTLSv1 (boolean): Require a TLSv1 connection.
 	///    - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
 	///    - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
+	///    - requireTLSv1_3 (boolean): Require a TLSv1.3 connection
 	///    - disableProtocols (string): A comma-separated list of protocols that should be
-	///      disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2.
+	///      disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3.
 	///    - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
 	///      If not specified or empty, the default parameters are used.
 	///    - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based
 	///      on the curve names specified in RFC 4492. Defaults to "prime256v1".
 	///    - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
 	///      that this library is built against supports FIPS mode.
+	///
+	/// Please see the Context class documentation regarding TLSv1.3 support.
 {
 public:
 	typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr;
@@ -333,6 +337,7 @@ private:
 	static const std::string CFG_REQUIRE_TLSV1;
 	static const std::string CFG_REQUIRE_TLSV1_1;
 	static const std::string CFG_REQUIRE_TLSV1_2;
+	static const std::string CFG_REQUIRE_TLSV1_3;
 	static const std::string CFG_DISABLE_PROTOCOLS;
 	static const std::string CFG_DH_PARAMS_FILE;
 	static const std::string CFG_ECDH_CURVE;

NetSSL_OpenSSL/include/Poco/Net/SecureServerSocketImpl.h

@@ -63,7 +63,7 @@ public:
 		///
 		/// Throws a Poco::InvalidAccessException.
 	
-	void bind(const SocketAddress& address, bool reuseAddress = false);
+	void bind(const SocketAddress& address, bool reuseAddress = false, bool reusePort = false);
 		/// Bind a local address to the socket.
 		///
 		/// This is usually only done when establishing a server
@@ -72,6 +72,10 @@ public:
 		///
 		/// If reuseAddress is true, sets the SO_REUSEADDR
 		/// socket option.
+		///
+		/// If reusePort is true, sets the SO_REUSEPORT
+		/// socket option.
+
 		
 	void listen(int backlog = 64);
 		/// Puts the socket into listening state.

NetSSL_OpenSSL/include/Poco/Net/SecureSocketImpl.h

@@ -78,7 +78,7 @@ public:
 		/// the TCP server at the given address. Prior to opening the
 		/// connection the socket is set to nonblocking mode.
 
-	void bind(const SocketAddress& address, bool reuseAddress = false);
+	void bind(const SocketAddress& address, bool reuseAddress = false, bool reusePort = false);
 		/// Bind a local address to the socket.
 		///
 		/// This is usually only done when establishing a server
@@ -87,6 +87,9 @@ public:
 		///
 		/// If reuseAddress is true, sets the SO_REUSEADDR
 		/// socket option.
+		///
+		/// If reusePort is true, sets the SO_REUSEPORT
+		/// socket option.
 		
 	void listen(int backlog = 64);
 		/// Puts the socket into listening state.

NetSSL_OpenSSL/src/Context.cpp

@@ -372,6 +372,12 @@ void Context::disableProtocols(int protocols)
 	{
 #if defined(SSL_OP_NO_TLSv1_2)
 		SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_2);
+#endif
+	}
+	if (protocols & PROTO_TLSV1_3)
+	{
+#if defined(SSL_OP_NO_TLSv1_3)
+		SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_3);
 #endif
 	}
 }
@@ -436,6 +442,14 @@ void Context::createSSLContext()
         case TLSV1_2_SERVER_USE:
             _pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
             break;
+#endif
+#if defined(SSL_OP_NO_TLSv1_3) && !defined(OPENSSL_NO_TLS1)
+        case TLSV1_3_CLIENT_USE:
+            _pSSLContext = SSL_CTX_new(TLS_client_method());
+            break;
+        case TLSV1_3_SERVER_USE:
+            _pSSLContext = SSL_CTX_new(TLS_server_method());
+            break;
 #endif
 		default:
 			throw Poco::InvalidArgumentException("Invalid or unsupported usage");

NetSSL_OpenSSL/src/SSLManager.cpp

@@ -57,6 +57,7 @@ const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
 const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
 const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
 const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");
 const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
 const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
 const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
@@ -278,6 +279,7 @@ void SSLManager::initDefaultContext(bool server)
 	bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
 	bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
 	bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
+	bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);
 
 	params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
 	params.ecdhCurve    = config.getString(prefix + CFG_ECDH_CURVE, "");
@@ -286,7 +288,9 @@ void SSLManager::initDefaultContext(bool server)
 
 	if (server)
 	{
-		if (requireTLSv1_2)
+		if (requireTLSv1_3)
+			usage = Context::TLSV1_3_SERVER_USE;
+		else if (requireTLSv1_2)
 			usage = Context::TLSV1_2_SERVER_USE;
 		else if (requireTLSv1_1)
 			usage = Context::TLSV1_1_SERVER_USE;
@@ -298,7 +302,9 @@ void SSLManager::initDefaultContext(bool server)
 	}
 	else
 	{
-		if (requireTLSv1_2)
+		if (requireTLSv1_3)
+			usage = Context::TLSV1_3_CLIENT_USE;
+		else if (requireTLSv1_2)
 			usage = Context::TLSV1_2_CLIENT_USE;
 		else if (requireTLSv1_1)
 			usage = Context::TLSV1_1_CLIENT_USE;
@@ -324,6 +330,8 @@ void SSLManager::initDefaultContext(bool server)
 			disabledProtocols |= Context::PROTO_TLSV1_1;
 		else if (*it == "tlsv1_2")
 			disabledProtocols |= Context::PROTO_TLSV1_2;
+		else if (*it == "tlsv1_3")
+			disabledProtocols |= Context::PROTO_TLSV1_3;
 	}
 	if (server)
 		_ptrDefaultServerContext->disableProtocols(disabledProtocols);

NetSSL_OpenSSL/src/SecureServerSocketImpl.cpp

@@ -62,9 +62,9 @@ void SecureServerSocketImpl::connectNB(const SocketAddress& address)
 }
 	
 
-void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
+void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
 {
-	_impl.bind(address, reuseAddress);
+	_impl.bind(address, reuseAddress, reusePort);
 	reset(_impl.sockfd());
 }
 

NetSSL_OpenSSL/src/SecureSocketImpl.cpp

@@ -192,11 +192,11 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
 }
 
 
-void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
+void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
 {
 	poco_check_ptr (_pSocket);
 
-	_pSocket->bind(address, reuseAddress);
+	_pSocket->bind(address, reuseAddress, reusePort);
 }