Georg/luksrku
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix issue with TLSv1.3 negotiation

Browse Source 
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
This commit is contained in:
Johannes Bauer 2019-07-22 21:46:18 +02:00
parent aece35134e
commit 2cde43d357
3 changed files with 20 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
client.c
View File

@ -42,24 +42,25 @@
static const struct keydb_t *client_keydb; static const struct keydb_t *client_keydb;
static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) { static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) {
log_msg(LLVL_DEBUG, "psk_client_callback: SSL %p, hint '%s'.", ssl, hint);
if (max_psk_len < PSK_SIZE_BYTES) { if (max_psk_len < PSK_SIZE_BYTES) {
log_msg(LLVL_ERROR, "Client error: max_psk_len too small.\n"); log_msg(LLVL_ERROR, "Client error: max_psk_len too small.");
return 0; return 0;
} }
if (max_identity_len < strlen(CLIENT_PSK_IDENTITY) + 1) { if (max_identity_len < strlen(CLIENT_PSK_IDENTITY) + 1) {
log_msg(LLVL_ERROR, "Client error: max_identity_len too small.\n"); log_msg(LLVL_ERROR, "Client error: max_identity_len too small.");
return 0; return 0;
} }
uint8_t parsed_uuid[16]; uint8_t parsed_uuid[16];
if (!parse_uuid(parsed_uuid, hint)) { if (!parse_uuid(parsed_uuid, hint)) {
log_msg(LLVL_ERROR, "Client error: given hint is not a valid UUID.\n"); log_msg(LLVL_ERROR, "Client error: given hint '%s' is not a valid UUID.", hint);
return 0; return 0;
} }
const struct keyentry_t *entry = keydb_find_entry_by_host_uuid(client_keydb, parsed_uuid); const struct keyentry_t *entry = keydb_find_entry_by_host_uuid(client_keydb, parsed_uuid);
if (!entry) { if (!entry) {
log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.\n", hint); log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.", hint);
return 0; return 0;
} }

5
openssl.c
View File

@ -79,6 +79,11 @@ bool create_generic_tls_context(struct generic_tls_ctx_t *gctx, bool server) {
return false; return false;
} }
if (!SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)) {
log_openssl(LLVL_FATAL, "Cannot set TLS generic context maximal version.");
return false;
}
if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) { if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) {
log_openssl(LLVL_FATAL, "Cannot set TLS generic context cipher suites."); log_openssl(LLVL_FATAL, "Cannot set TLS generic context cipher suites.");
return false; return false;

3
util.c
View File

@ -116,6 +116,9 @@ int parse_hexstr(const char *hexstr, uint8_t *data, int maxlen) {
bool is_valid_uuid(const char *ascii_uuid) { bool is_valid_uuid(const char *ascii_uuid) {
// e43fff25-5a01-40e8-b437-80b9d56c19ff // e43fff25-5a01-40e8-b437-80b9d56c19ff
// '-' at offsets 8 13 18 23 // '-' at offsets 8 13 18 23
if (!ascii_uuid) {
return false;
}
if (strlen(ascii_uuid) != 36) { if (strlen(ascii_uuid) != 36) {
return false; return false;
} }