CPP-786 - Disable TLS v1.3 support in mockssandra (#262)

Author: Michael Fero

cpp-driver/gtests/src/unit/mockssandra.cpp

@@ -40,8 +40,66 @@ using datastax::internal::core::UuidGen;
 #define DSE_VERSION "6.7.1"
 #define DSE_CASSANDRA_VERSION "4.0.0.671"
 
+#if defined(OPENSSL_VERSION_NUMBER) && \
+    !defined(LIBRESSL_VERSION_NUMBER) // Required as OPENSSL_VERSION_NUMBER for LibreSSL is defined
+                                      // as 2.0.0
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define SSL_SERVER_METHOD TLS_server_method
+#else
+#define SSL_SERVER_METHOD SSLv23_server_method
+#endif
+#else
+#if (LIBRESSL_VERSION_NUMBER >= 0x20302000L)
+#define SSL_SERVER_METHOD TLS_server_method
+#else
+#define SSL_SERVER_METHOD SSLv23_server_method
+#endif
+#endif
+
 namespace mockssandra {
 
+/*
+ * The following function was generated using the libressl utility, using
+ * the command : "openssl dhparam -dsaparam -C 512"
+ */
+#ifdef LIBRESSL_VERSION_NUMBER
+#ifndef HEADER_DH_H
+#include <openssl/dh.h>
+#endif
+DH* get_dh512() {
+  static unsigned char dh512_p[] = {
+    0xBF, 0xA0, 0x2D, 0x47, 0x30, 0xB2, 0x81, 0x13, 0xEC, 0xC5, 0xB8, 0x79, 0xE1, 0x16, 0x6F, 0x2E,
+    0x19, 0xB5, 0xC1, 0xE6, 0xCE, 0x15, 0x7E, 0x94, 0x00, 0x9D, 0x71, 0x4D, 0xB9, 0x73, 0xC8, 0x31,
+    0xE3, 0xFB, 0xDF, 0x37, 0x6A, 0x7B, 0xD6, 0x1D, 0xA8, 0xB3, 0x78, 0x7A, 0x23, 0xE4, 0x1D, 0x91,
+    0x34, 0x23, 0x74, 0x58, 0x96, 0xD2, 0x20, 0xEC, 0x61, 0xAC, 0x37, 0x96, 0x18, 0x33, 0xE6, 0x05,
+  };
+  static unsigned char dh512_g[] = {
+    0x08, 0x5E, 0x84, 0x3B, 0xC2, 0xD1, 0xEA, 0xB9, 0x39, 0xFA, 0xA4, 0x2A, 0x91, 0x79, 0xA3, 0x18,
+    0x1E, 0x24, 0x7C, 0x4C, 0x0F, 0xFD, 0x2F, 0x5C, 0x38, 0xFB, 0xC4, 0xA4, 0x1B, 0xF3, 0xE8, 0xB7,
+    0x61, 0x9E, 0xA1, 0x4F, 0x8E, 0xE3, 0xF8, 0x4B, 0x9C, 0xA7, 0xDD, 0xA5, 0x72, 0x01, 0x17, 0xF0,
+    0xBF, 0x65, 0x53, 0xAB, 0x07, 0xFB, 0x07, 0xF4, 0xD8, 0xFA, 0x4D, 0xEB, 0x1A, 0x0E, 0x29, 0x0A,
+  };
+  DH* dh;
+
+  if ((dh = DH_new()) == NULL) return (NULL);
+  dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+  dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+  if ((dh->p == NULL) || (dh->g == NULL)) {
+    DH_free(dh);
+    return (NULL);
+  }
+  dh->length = 160;
+  return (dh);
+}
+/*
+-----BEGIN DH PARAMETERS-----
+MIGJAkEAv6AtRzCygRPsxbh54RZvLhm1webOFX6UAJ1xTblzyDHj+983anvWHaiz
+eHoj5B2RNCN0WJbSIOxhrDeWGDPmBQJACF6EO8LR6rk5+qQqkXmjGB4kfEwP/S9c
+OPvEpBvz6LdhnqFPjuP4S5yn3aVyARfwv2VTqwf7B/TY+k3rGg4pCgICAKA=
+-----END DH PARAMETERS-----
+*/
+#endif
+
 String Ssl::generate_key() {
   EVP_PKEY* pkey = NULL;
   EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
@@ -374,10 +432,13 @@ bool ServerConnection::use_ssl(const String& key, const String& cert, const Stri
     SSL_CTX_free(ssl_context_);
   }
 
-  if ((ssl_context_ = SSL_CTX_new(SSLv23_server_method())) == NULL) {
+  if ((ssl_context_ = SSL_CTX_new(SSL_SERVER_METHOD())) == NULL) {
     print_ssl_error();
     return false;
   }
+#ifdef SSL_OP_NO_TLSv1_3
+  SSL_CTX_set_options(ssl_context_, SSL_OP_NO_TLSv1_3);
+#endif
 
   SSL_CTX_set_default_passwd_cb_userdata(ssl_context_, (void*)password.c_str());
   SSL_CTX_set_default_passwd_cb(ssl_context_, on_password);
@@ -418,9 +479,28 @@ bool ServerConnection::use_ssl(const String& key, const String& cert, const Stri
   }
   EVP_PKEY_free(pkey);
 
-  RSA* rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
-  SSL_CTX_set_tmp_rsa(ssl_context_, rsa);
+#ifdef LIBRESSL_VERSION_NUMBER // SSL_CTX_set_tmp_rsa is a no-op on LibreSSL
+  DH* dh512 = get_dh512();
+  if (!SSL_CTX_set_tmp_dh(ssl_context_, dh512)) {
+    print_ssl_error();
+    DH_free(dh512);
+    return false;
+  }
+  DH_free(dh512);
+#else
+  BIGNUM* factor = BN_new();
+  BN_set_word(factor, RSA_F4);
+  RSA* rsa = RSA_new();
+  RSA_generate_key_ex(rsa, 512, factor, NULL);
+  if (!SSL_CTX_set_tmp_rsa(ssl_context_, rsa)) {
+    print_ssl_error();
+    BN_free(factor);
+    RSA_free(rsa);
+    return false;
+  }
+  BN_free(factor);
   RSA_free(rsa);
+#endif
 
   SSL_CTX_set_verify(ssl_context_, SSL_VERIFY_NONE, 0);
 
@@ -777,7 +857,7 @@ const char* decode_query_params_v1(const char* input, const char* end, bool is_e
 }
 
 const char* decode_query_params_v2(const char* input, const char* end, QueryParameters* params) {
-  int8_t flags;
+  int8_t flags = 0;
   const char* pos = input;
   pos = decode_uint16(pos, end, &params->consistency);
   pos = decode_int8(pos, end, &flags);
@@ -798,7 +878,7 @@ const char* decode_query_params_v2(const char* input, const char* end, QueryPara
 }
 
 const char* decode_query_params_v3v4(const char* input, const char* end, QueryParameters* params) {
-  int8_t flags;
+  int8_t flags = 0;
   const char* pos = input;
   pos = decode_uint16(pos, end, &params->consistency);
   pos = decode_int8(pos, end, &flags);

cpp-driver/src/ssl/ssl_openssl_impl.cpp

@@ -36,6 +36,22 @@
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE SSL_F_USE_CERTIFICATE_CHAIN_FILE
 #endif
 
+#if defined(OPENSSL_VERSION_NUMBER) && \
+    !defined(LIBRESSL_VERSION_NUMBER) // Required as OPENSSL_VERSION_NUMBER for LibreSSL is defined
+                                      // as 2.0.0
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define SSL_CLIENT_METHOD TLS_client_method
+#else
+#define SSL_CLIENT_METHOD SSLv23_client_method
+#endif
+#else
+#if (LIBRESSL_VERSION_NUMBER >= 0x20302000L)
+#define SSL_CLIENT_METHOD TLS_client_method
+#else
+#define SSL_CLIENT_METHOD SSLv23_client_method
+#endif
+#endif
+
 using namespace datastax;
 using namespace datastax::internal;
 using namespace datastax::internal::core;
@@ -516,7 +532,7 @@ void OpenSslSession::check_error(int rc) {
 }
 
 OpenSslContext::OpenSslContext()
-    : ssl_ctx_(SSL_CTX_new(SSLv23_client_method()))
+    : ssl_ctx_(SSL_CTX_new(SSL_CLIENT_METHOD()))
     , trusted_store_(X509_STORE_new()) {
   SSL_CTX_set_cert_store(ssl_ctx_, trusted_store_);
 }