Fix issue with TLSv1.3 negotiation
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are exchanged, at least in regards to OpenSSL. This caused the TLS client to not send their TLS identity to the server, which rejected the connection (it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now simply forcing TLSv1.2.
This commit is contained in:
parent
aece35134e
commit
2cde43d357
9
client.c
9
client.c
@ -42,24 +42,25 @@
|
||||
static const struct keydb_t *client_keydb;
|
||||
|
||||
static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) {
|
||||
log_msg(LLVL_DEBUG, "psk_client_callback: SSL %p, hint '%s'.", ssl, hint);
|
||||
if (max_psk_len < PSK_SIZE_BYTES) {
|
||||
log_msg(LLVL_ERROR, "Client error: max_psk_len too small.\n");
|
||||
log_msg(LLVL_ERROR, "Client error: max_psk_len too small.");
|
||||
return 0;
|
||||
}
|
||||
if (max_identity_len < strlen(CLIENT_PSK_IDENTITY) + 1) {
|
||||
log_msg(LLVL_ERROR, "Client error: max_identity_len too small.\n");
|
||||
log_msg(LLVL_ERROR, "Client error: max_identity_len too small.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
uint8_t parsed_uuid[16];
|
||||
if (!parse_uuid(parsed_uuid, hint)) {
|
||||
log_msg(LLVL_ERROR, "Client error: given hint is not a valid UUID.\n");
|
||||
log_msg(LLVL_ERROR, "Client error: given hint '%s' is not a valid UUID.", hint);
|
||||
return 0;
|
||||
}
|
||||
|
||||
const struct keyentry_t *entry = keydb_find_entry_by_host_uuid(client_keydb, parsed_uuid);
|
||||
if (!entry) {
|
||||
log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.\n", hint);
|
||||
log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.", hint);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -79,6 +79,11 @@ bool create_generic_tls_context(struct generic_tls_ctx_t *gctx, bool server) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set TLS generic context maximal version.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set TLS generic context cipher suites.");
|
||||
return false;
|
||||
|
3
util.c
3
util.c
@ -116,6 +116,9 @@ int parse_hexstr(const char *hexstr, uint8_t *data, int maxlen) {
|
||||
bool is_valid_uuid(const char *ascii_uuid) {
|
||||
// e43fff25-5a01-40e8-b437-80b9d56c19ff
|
||||
// '-' at offsets 8 13 18 23
|
||||
if (!ascii_uuid) {
|
||||
return false;
|
||||
}
|
||||
if (strlen(ascii_uuid) != 36) {
|
||||
return false;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user