add support for TLS 1.3

2025-10-29 04:17:55 +01:00 · 2020-01-10 11:41:49 +01:00
parent a2f8f8fbe1
commit e3d1d03c54
7 changed files with 197 additions and 36 deletions
--- a/NetSSL_Win/src/Context.cpp
+++ b/NetSSL_Win/src/Context.cpp
@@ -46,6 +46,7 @@ Context::Context(Usage usage,
 	_usage(usage),
 	_mode(verMode),
 	_options(options),
+	_disabledProtocols(0),
 	_extendedCertificateVerification(true),
 	_certNameOrPath(certNameOrPath),
 	_certStoreName(certStore),
@@ -312,15 +313,15 @@ void Context::acquireSchannelCredentials(CredHandle& credHandle) const
 	TimeStamp tsExpiry;
 	tsExpiry.LowPart = tsExpiry.HighPart = 0;
 	SECURITY_STATUS status = _securityFunctions.AcquireCredentialsHandleW(
-										NULL,
-										UNISP_NAME_W,
-										isForServerUse() ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND,
-										NULL,
-										&schannelCred,
-										NULL,
-										NULL,
-										&credHandle,
-										&tsExpiry);
+		NULL,
+		UNISP_NAME_W,
+		isForServerUse() ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND,
+		NULL,
+		&schannelCred,
+		NULL,
+		NULL,
+		&credHandle,
+		&tsExpiry);

 	if (status != SEC_E_OK)
 	{
@@ -331,69 +332,190 @@ void Context::acquireSchannelCredentials(CredHandle& credHandle) const

 DWORD Context::proto() const
 {
+	DWORD result = 0;
 	switch (_usage)
 	{
+	case Context::TLS_CLIENT_USE:
 	case Context::CLIENT_USE:
-		return SP_PROT_SSL3_CLIENT
+		result = SP_PROT_SSL3_CLIENT
 			| SP_PROT_TLS1_CLIENT
 #if defined(SP_PROT_TLS1_1)
 			| SP_PROT_TLS1_1_CLIENT
 #endif
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_CLIENT
+#endif
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_CLIENT
 #endif
 			;
+			break;
+
+	case Context::TLS_SERVER_USE:
 	case Context::SERVER_USE:
-		return SP_PROT_SSL3_SERVER
+		result = SP_PROT_SSL3_SERVER
 			| SP_PROT_TLS1_SERVER
 #if defined(SP_PROT_TLS1_1)
 			| SP_PROT_TLS1_1_SERVER
 #endif
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_SERVER
+#endif
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_SERVER
 #endif
 			;
+			break;
+
 	case Context::TLSV1_CLIENT_USE:
-		return SP_PROT_TLS1_CLIENT
+		result = SP_PROT_TLS1_CLIENT
 #if defined(SP_PROT_TLS1_1)
 			| SP_PROT_TLS1_1_CLIENT
 #endif
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_CLIENT
+#endif
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_CLIENT
 #endif
 			;
+			break;
+
 	case Context::TLSV1_SERVER_USE:
-		return SP_PROT_TLS1_SERVER
+		result = SP_PROT_TLS1_SERVER
 #if defined(SP_PROT_TLS1_1)
 			| SP_PROT_TLS1_1_SERVER
 #endif
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_SERVER
+#endif
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_SERVER
 #endif
 			;
+			break;
+
 #if defined(SP_PROT_TLS1_1)
 	case Context::TLSV1_1_CLIENT_USE:
-		return SP_PROT_TLS1_1_CLIENT
+		result = SP_PROT_TLS1_1_CLIENT
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_CLIENT
+#endif
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_CLIENT
 #endif
 			;
+			break;
+
 	case Context::TLSV1_1_SERVER_USE:
-		return SP_PROT_TLS1_1_SERVER
+		result = SP_PROT_TLS1_1_SERVER
 #if defined(SP_PROT_TLS1_2)
 			| SP_PROT_TLS1_2_SERVER
 #endif
-			;
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_SERVER
 #endif
+			;
+			break;
+#endif
+
 #if defined(SP_PROT_TLS1_2)
 	case Context::TLSV1_2_CLIENT_USE:
-		return SP_PROT_TLS1_2_CLIENT;
-	case Context::TLSV1_2_SERVER_USE:
-		return SP_PROT_TLS1_2_SERVER;
+		result = SP_PROT_TLS1_2_CLIENT
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_CLIENT
 #endif
+			;
+			break;
+
+	case Context::TLSV1_2_SERVER_USE:
+		result = SP_PROT_TLS1_2_SERVER
+#if defined(SP_PROT_TLS1_3)
+			| SP_PROT_TLS1_3_SERVER
+#endif
+			;
+			break;
+#endif
+
+#if defined(SP_PROT_TLS1_3)
+	case Context::TLSV1_3_CLIENT_USE:
+		result = SP_PROT_TLS1_3_CLIENT;
+		break;
+
+	case Context::TLSV1_3_SERVER_USE:
+		result = SP_PROT_TLS1_3_SERVER;
+		break;
+#endif
+
 	default:
 		throw Poco::InvalidArgumentException("Unsupported SSL/TLS protocol version");
 	}
+
+	return result & enabledProtocols();
 }

+
+DWORD Context::enabledProtocols() const
+{
+	DWORD result = 0;
+	if (!(_disabledProtocols & PROTO_SSLV3))
+	{
+		result |= SP_PROT_SSL3_CLIENT | SP_PROT_SSL3_SERVER;
+	}
+	if (!(_disabledProtocols & PROTO_TLSV1))
+	{
+		result |= SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_SERVER;
+	}
+	if (!(_disabledProtocols & PROTO_TLSV1_1))
+	{
+#ifdef SP_PROT_TLS1_1_CLIENT
+		result |= SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_1_SERVER;
+#endif
+	}
+	if (!(_disabledProtocols & PROTO_TLSV1_2))
+	{
+#ifdef SP_PROT_TLS1_2_CLIENT
+		result |= SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_2_SERVER;
+#endif
+	}
+	if (!(_disabledProtocols & PROTO_TLSV1_3))
+	{
+#ifdef SP_PROT_TLS1_3_CLIENT
+		result |= SP_PROT_TLS1_3_CLIENT | SP_PROT_TLS1_3_SERVER;
+#endif
+	}
+	return result;
+}
+
+
+void Context::disableProtocols(int protocols)
+{
+	_disabledProtocols = protocols;
+}
+
+
+void Context::requireMinimumProtocol(Protocols protocol)
+{
+	_disabledProtocols = 0;
+	switch (protocol)
+	{
+	case PROTO_SSLV3:
+		_disabledProtocols = PROTO_SSLV2;
+		break;
+	case PROTO_TLSV1:  
+		_disabledProtocols = PROTO_SSLV2 | PROTO_SSLV3;
+		break;
+	case PROTO_TLSV1_1: 
+		_disabledProtocols = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1;
+		break;
+	case PROTO_TLSV1_2: 
+		_disabledProtocols = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1;
+		break;
+	case PROTO_TLSV1_3: 
+		_disabledProtocols = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2;
+		break;
+	}
+}
+
+
 } } // namespace Poco::Net
--- a/NetSSL_Win/src/SSLManager.cpp
+++ b/NetSSL_Win/src/SSLManager.cpp
@@ -52,6 +52,7 @@ const std::string SSLManager::CFG_CLIENT_PREFIX("schannel.client.");
 const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
 const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
 const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");


 SSLManager::SSLManager():
@@ -195,6 +196,7 @@ void SSLManager::initDefaultContext(bool server)
 	bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
 	bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
 	bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
+	bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);

 	// optional options for which we have defaults defined
 	Context::VerificationMode verMode = VAL_VER_MODE;
@@ -223,7 +225,9 @@ void SSLManager::initDefaultContext(bool server)
 	Context::Usage usage;
 	if (server)
 	{
-		if (requireTLSv1_2)
+		if (requireTLSv1_3)
+			usage = Context::TLSV1_3_SERVER_USE;
+		else if (requireTLSv1_2)
 			usage = Context::TLSV1_2_SERVER_USE;
 		else if (requireTLSv1_1)
 			usage = Context::TLSV1_1_SERVER_USE;
@@ -235,7 +239,9 @@ void SSLManager::initDefaultContext(bool server)
 	}
 	else
 	{
-		if (requireTLSv1_2)
+		if (requireTLSv1_3)
+			usage = Context::TLSV1_3_CLIENT_USE;
+		else if (requireTLSv1_2)
 			usage = Context::TLSV1_2_CLIENT_USE;
 		else if (requireTLSv1_1)
 			usage = Context::TLSV1_1_CLIENT_USE;