Boost logo

Boost-Commit :

Subject: [Boost-commit] svn:boost r84486 - in trunk/boost/asio/ssl: . detail detail/impl impl
From: chris_at_[hidden]
Date: 2013-05-25 07:50:53


Author: chris_kohlhoff
Date: 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
New Revision: 84486
URL: http://svn.boost.org/trac/boost/changeset/84486

Log:
Automatically disable SSL compression.

To mitigate the risk of certain attacks, SSL compression is now disabled
by default. To enable, you can use the new ssl::context::clear_options()
function like so:

  my_context.clear_options(asio::ssl::context::no_compression);

Text files modified:
   trunk/boost/asio/ssl/context.hpp | 29 +++++++++++++++++++++++++++++
   trunk/boost/asio/ssl/context_base.hpp | 8 ++++++++
   trunk/boost/asio/ssl/detail/impl/openssl_init.ipp | 36 ++++++++++++++++++++++++++++++++++++
   trunk/boost/asio/ssl/detail/openssl_init.hpp | 15 +++++++++++++++
   trunk/boost/asio/ssl/impl/context.ipp | 39 +++++++++++++++++++++++++++++++++++++++
   5 files changed, 127 insertions(+), 0 deletions(-)

Modified: trunk/boost/asio/ssl/context.hpp
==============================================================================
--- trunk/boost/asio/ssl/context.hpp (original)
+++ trunk/boost/asio/ssl/context.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -110,6 +110,35 @@
    */
   BOOST_ASIO_DECL impl_type impl();
 
+ /// Clear options on the context.
+ /**
+ * This function may be used to configure the SSL options used by the context.
+ *
+ * @param o A bitmask of options. The available option values are defined in
+ * the context_base class. The specified options, if currently enabled on the
+ * context, are cleared.
+ *
+ * @throws boost::system::system_error Thrown on failure.
+ *
+ * @note Calls @c SSL_CTX_clear_options.
+ */
+ BOOST_ASIO_DECL void clear_options(options o);
+
+ /// Clear options on the context.
+ /**
+ * This function may be used to configure the SSL options used by the context.
+ *
+ * @param o A bitmask of options. The available option values are defined in
+ * the context_base class. The specified options, if currently enabled on the
+ * context, are cleared.
+ *
+ * @param ec Set to indicate what error occurred, if any.
+ *
+ * @note Calls @c SSL_CTX_clear_options.
+ */
+ BOOST_ASIO_DECL boost::system::error_code clear_options(options o,
+ boost::system::error_code& ec);
+
   /// Set options on the context.
   /**
    * This function may be used to configure the SSL options used by the context.

Modified: trunk/boost/asio/ssl/context_base.hpp
==============================================================================
--- trunk/boost/asio/ssl/context_base.hpp (original)
+++ trunk/boost/asio/ssl/context_base.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -105,12 +105,20 @@
 
   /// Disable TLS v1.
   static const long no_tlsv1 = implementation_defined;
+
+ /// Disable compression. Compression is disabled by default.
+ static const long no_compression = implementation_defined;
 #else
   BOOST_ASIO_STATIC_CONSTANT(long, default_workarounds = SSL_OP_ALL);
   BOOST_ASIO_STATIC_CONSTANT(long, single_dh_use = SSL_OP_SINGLE_DH_USE);
   BOOST_ASIO_STATIC_CONSTANT(long, no_sslv2 = SSL_OP_NO_SSLv2);
   BOOST_ASIO_STATIC_CONSTANT(long, no_sslv3 = SSL_OP_NO_SSLv3);
   BOOST_ASIO_STATIC_CONSTANT(long, no_tlsv1 = SSL_OP_NO_TLSv1);
+# if defined(SSL_OP_NO_COMPRESSION)
+ BOOST_ASIO_STATIC_CONSTANT(long, no_compression = SSL_OP_NO_COMPRESSION);
+# else // defined(SSL_OP_NO_COMPRESSION)
+ BOOST_ASIO_STATIC_CONSTANT(long, no_compression = 0x20000L);
+# endif // defined(SSL_OP_NO_COMPRESSION)
 #endif
 
   /// File format types.

Modified: trunk/boost/asio/ssl/detail/impl/openssl_init.ipp
==============================================================================
--- trunk/boost/asio/ssl/detail/impl/openssl_init.ipp (original)
+++ trunk/boost/asio/ssl/detail/impl/openssl_init.ipp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -45,10 +45,22 @@
       mutexes_[i].reset(new boost::asio::detail::mutex);
     ::CRYPTO_set_locking_callback(&do_init::openssl_locking_func);
     ::CRYPTO_set_id_callback(&do_init::openssl_id_func);
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ null_compression_methods_ = sk_SSL_COMP_new_null();
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
   }
 
   ~do_init()
   {
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ sk_SSL_COMP_free(null_compression_methods_);
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
     ::CRYPTO_set_id_callback(0);
     ::CRYPTO_set_locking_callback(0);
     ::ERR_free_strings();
@@ -61,6 +73,15 @@
 #endif // !defined(OPENSSL_NO_ENGINE)
   }
 
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ STACK_OF(SSL_COMP)* get_null_compression_methods() const
+ {
+ return null_compression_methods_;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
 private:
   static unsigned long openssl_id_func()
   {
@@ -92,6 +113,12 @@
   // The thread identifiers to be used by openssl.
   boost::asio::detail::tss_ptr<void> thread_id_;
 #endif // !defined(BOOST_ASIO_WINDOWS) && !defined(__CYGWIN__)
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ STACK_OF(SSL_COMP)* null_compression_methods_;
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
 };
 
 boost::asio::detail::shared_ptr<openssl_init_base::do_init>
@@ -101,6 +128,15 @@
   return init;
 }
 
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+STACK_OF(SSL_COMP)* openssl_init_base::get_null_compression_methods()
+{
+ return instance()->get_null_compression_methods();
+}
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
 } // namespace detail
 } // namespace ssl
 } // namespace asio

Modified: trunk/boost/asio/ssl/detail/openssl_init.hpp
==============================================================================
--- trunk/boost/asio/ssl/detail/openssl_init.hpp (original)
+++ trunk/boost/asio/ssl/detail/openssl_init.hpp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -19,6 +19,7 @@
 #include <cstring>
 #include <boost/asio/detail/noncopyable.hpp>
 #include <boost/asio/detail/shared_ptr.hpp>
+#include <boost/asio/ssl/detail/openssl_types.hpp>
 
 #include <boost/asio/detail/push_options.hpp>
 
@@ -40,6 +41,14 @@
   // instance must be static in this function to ensure that it gets
   // initialised before any other global objects try to use it.
   BOOST_ASIO_DECL static boost::asio::detail::shared_ptr<do_init> instance();
+
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ // Get an empty stack of compression methods, to be used when disabling
+ // compression.
+ BOOST_ASIO_DECL static STACK_OF(SSL_COMP)* get_null_compression_methods();
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
 };
 
 template <bool Do_Init = true>
@@ -62,6 +71,12 @@
   {
   }
 
+#if !defined(SSL_OP_NO_COMPRESSION) \
+ && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ using openssl_init_base::get_null_compression_methods;
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+ // && (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+
 private:
   // Instance to force initialisation of openssl at global scope.
   static openssl_init instance_;

Modified: trunk/boost/asio/ssl/impl/context.ipp
==============================================================================
--- trunk/boost/asio/ssl/impl/context.ipp (original)
+++ trunk/boost/asio/ssl/impl/context.ipp 2013-05-25 07:50:52 EDT (Sat, 25 May 2013)
@@ -162,6 +162,8 @@
         boost::asio::error::get_ssl_category());
     boost::asio::detail::throw_error(ec, "context");
   }
+
+ set_options(no_compression);
 }
 
 context::context(boost::asio::io_service&, context::method m)
@@ -224,6 +226,32 @@
   return handle_;
 }
 
+void context::clear_options(context::options o)
+{
+ boost::system::error_code ec;
+ clear_options(o, ec);
+ boost::asio::detail::throw_error(ec, "clear_options");
+}
+
+boost::system::error_code context::clear_options(
+ context::options o, boost::system::error_code& ec)
+{
+#if !defined(SSL_OP_NO_COMPRESSION)
+ if ((o & context::no_compression) != 0)
+ {
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ handle_->comp_methods = SSL_COMP_get_compression_methods();
+#endif // (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ o ^= context::no_compression;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+
+ ::SSL_CTX_clear_options(handle_, o);
+
+ ec = boost::system::error_code();
+ return ec;
+}
+
 void context::set_options(context::options o)
 {
   boost::system::error_code ec;
@@ -234,6 +262,17 @@
 boost::system::error_code context::set_options(
     context::options o, boost::system::error_code& ec)
 {
+#if !defined(SSL_OP_NO_COMPRESSION)
+ if ((o & context::no_compression) != 0)
+ {
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ handle_->comp_methods =
+ boost::asio::ssl::detail::openssl_init<>::get_null_compression_methods();
+#endif // (OPENSSL_VERSION_NUMBER >= 0x00908000L)
+ o ^= context::no_compression;
+ }
+#endif // !defined(SSL_OP_NO_COMPRESSION)
+
   ::SSL_CTX_set_options(handle_, o);
 
   ec = boost::system::error_code();


Boost-Commit list run by bdawes at acm.org, david.abrahams at rcn.com, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk