Subject: [Boost-commit] svn:boost r84486 - in trunk/boost/asio/ssl: . detail detail/impl impl
From: chris_at_[hidden]
Date: 2013-05-25 07:50:53
Author: chris_kohlhoff
Date: 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
New Revision: 84486
URL: http://svn.boost.org/trac/boost/changeset/84486
Log:
Automatically disable SSL compression.
To mitigate the risk of certain attacks, SSL compression is now disabled
by default. To enable, you can use the new ssl::context::clear_options()
function like so:
my_context.clear_options(asio::ssl::context::no_compression);
Text files modified:
trunk/boost/asio/ssl/context.hpp | 29 +++++++++++++++++++++++++++++
trunk/boost/asio/ssl/context_base.hpp | 8 ++++++++
trunk/boost/asio/ssl/detail/impl/openssl_init.ipp | 36 ++++++++++++++++++++++++++++++++++++
trunk/boost/asio/ssl/detail/openssl_init.hpp | 15 +++++++++++++++
trunk/boost/asio/ssl/impl/context.ipp | 39 +++++++++++++++++++++++++++++++++++++++
5 files changed, 127 insertions(+), 0 deletions(-)
Modified: trunk/boost/asio/ssl/context.hpp
==============================================================================
--- trunk/boost/asio/ssl/context.hpp (original)
+++ trunk/boost/asio/ssl/context.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -110,6 +110,35 @@
*/
BOOST_ASIO_DECL impl_type impl();
+ /// Clear options on the context.
+ /**
+ * This function may be used to configure the SSL options used by the context.
+ *
+ * @param o A bitmask of options. The available option values are defined in
+ * the context_base class. The specified options, if currently enabled on the
+ * context, are cleared.
+ *
+ * @throws boost::system::system_error Thrown on failure.
+ *
+ * @note Calls @c SSL_CTX_clear_options.
+ */
+ BOOST_ASIO_DECL void clear_options(options o);
+
+ /// Clear options on the context.
+ /**
+ * This function may be used to configure the SSL options used by the context.
+ *
+ * @param o A bitmask of options. The available option values are defined in
+ * the context_base class. The specified options, if currently enabled on the
+ * context, are cleared.
+ *
+ * @param ec Set to indicate what error occurred, if any.
+ *
+ * @note Calls @c SSL_CTX_clear_options.
+ */
+ BOOST_ASIO_DECL boost::system::error_code clear_options(options o,
+ boost::system::error_code& ec);
+
/// Set options on the context.
/**
* This function may be used to configure the SSL options used by the context.
Modified: trunk/boost/asio/ssl/context_base.hpp
==============================================================================
--- trunk/boost/asio/ssl/context_base.hpp (original)
+++ trunk/boost/asio/ssl/context_base.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -105,12 +105,20 @@
/// Disable TLS v1.
static const long no_tlsv1 = implementation_defined;
+
+ /// Disable compression. Compression is disabled by default.
+ static const long no_compression = implementation_defined;
#else
BOOST_ASIO_STATIC_CONSTANT(long, default_workarounds = SSL_OP_ALL);
BOOST_ASIO_STATIC_CONSTANT(long, single_dh_use = SSL_OP_SINGLE_DH_USE);
BOOST_ASIO_STATIC_CONSTANT(long, no_sslv2 = SSL_OP_NO_SSLv2);
BOOST_ASIO_STATIC_CONSTANT(long, no_sslv3 = SSL_OP_NO_SSLv3);
BOOST_ASIO_STATIC_CONSTANT(long, no_tlsv1 = SSL_OP_NO_TLSv1);
+# if defined(SSL_OP_NO_COMPRESSION)
+ BOOST_ASIO_STATIC_CONSTANT(long, no_compression = SSL_OP_NO_COMPRESSION);
+# else // defined(SSL_OP_NO_COMPRESSION)
+ BOOST_ASIO_STATIC_CONSTANT(long, no_compression = 0x20000L);
+# endif // defined(SSL_OP_NO_COMPRESSION)
#endif
/// File format types.
Modified: trunk/boost/asio/ssl/detail/impl/openssl_init.ipp
==============================================================================
--- trunk/boost/asio/ssl/detail/impl/openssl_init.ipp (original)
+++ trunk/boost/asio/ssl/detail/impl/openssl_init.ipp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -45,10 +45,22 @@
mutexes_[i].reset(new boost::asio::detail::mutex);
::CRYPTO_set_locking_callback(&do_init::openssl_locking_func);
::CRYPTO_set_id_callback(&do_init::openssl_id_func);
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ null_compression_methods_ = sk_SSL_COMP_new_null();
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
}
~do_init()
{
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ sk_SSL_COMP_free(null_compression_methods_);
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
::CRYPTO_set_id_callback(0);
::CRYPTO_set_locking_callback(0);
::ERR_free_strings();
@@ -61,6 +73,15 @@
#endif // !defined(OPENSSL_NO_ENGINE)
}
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ STACK_OF(SSL_COMP)* get_null_compression_methods() const
+ {
+ return null_compression_methods_;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
private:
static unsigned long openssl_id_func()
{
@@ -92,6 +113,12 @@
// The thread identifiers to be used by openssl.
boost::asio::detail::tss_ptr<void> thread_id_;
#endif // !defined(BOOST_ASIO_WINDOWS) && !defined(__CYGWIN__)
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ STACK_OF(SSL_COMP)* null_compression_methods_;
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
};
boost::asio::detail::shared_ptr<openssl_init_base::do_init>
@@ -101,6 +128,15 @@
return init;
}
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+STACK_OF(SSL_COMP)* openssl_init_base::get_null_compression_methods()
+{
+ return instance()->get_null_compression_methods();
+}
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
} // namespace detail
} // namespace ssl
} // namespace asio
Modified: trunk/boost/asio/ssl/detail/openssl_init.hpp
==============================================================================
--- trunk/boost/asio/ssl/detail/openssl_init.hpp (original)
+++ trunk/boost/asio/ssl/detail/openssl_init.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -19,6 +19,7 @@
#include <cstring>
#include <boost/asio/detail/noncopyable.hpp>
#include <boost/asio/detail/shared_ptr.hpp>
+#include <boost/asio/ssl/detail/openssl_types.hpp>
#include <boost/asio/detail/push_options.hpp>
@@ -40,6 +41,14 @@
// instance must be static in this function to ensure that it gets
// initialised before any other global objects try to use it.
BOOST_ASIO_DECL static boost::asio::detail::shared_ptr<do_init> instance();
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ // Get an empty stack of compression methods, to be used when disabling
+ // compression.
+ BOOST_ASIO_DECL static STACK_OF(SSL_COMP)* get_null_compression_methods();
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
};
template <bool Do_Init = true>
@@ -62,6 +71,12 @@
{
}
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ using openssl_init_base::get_null_compression_methods;
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
private:
// Instance to force initialisation of openssl at global scope.
static openssl_init instance_;
Modified: trunk/boost/asio/ssl/impl/context.ipp
==============================================================================
--- trunk/boost/asio/ssl/impl/context.ipp (original)
+++ trunk/boost/asio/ssl/impl/context.ipp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -162,6 +162,8 @@
boost::asio::error::get_ssl_category());
boost::asio::detail::throw_error(ec, "context");
}
+
+ set_options(no_compression);
}
context::context(boost::asio::io_service&, context::method m)
@@ -224,6 +226,32 @@
return handle_;
}
+void context::clear_options(context::options o)
+{
+ boost::system::error_code ec;
+ clear_options(o, ec);
+ boost::asio::detail::throw_error(ec, "clear_options");
+}
+
+boost::system::error_code context::clear_options(
+ context::options o, boost::system::error_code& ec)
+{
+#if !defined(SSL_OP_NO_COMPRESSION)
+ if ((o & context::no_compression) != 0)
+ {
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ handle_->comp_methods = SSL_COMP_get_compression_methods();
+#endif // (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ o ^= context::no_compression;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+
+ ::SSL_CTX_clear_options(handle_, o);
+
+ ec = boost::system::error_code();
+ return ec;
+}
+
void context::set_options(context::options o)
{
boost::system::error_code ec;
@@ -234,6 +262,17 @@
boost::system::error_code context::set_options(
context::options o, boost::system::error_code& ec)
{
+#if !defined(SSL_OP_NO_COMPRESSION)
+ if ((o & context::no_compression) != 0)
+ {
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ handle_->comp_methods =
+ boost::asio::ssl::detail::openssl_init<>::get_null_compression_methods();
+#endif // (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ o ^= context::no_compression;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+
::SSL_CTX_set_options(handle_, o);
ec = boost::system::error_code();