diff --git a/Cargo.lock b/Cargo.lock
index 10cb3769cb2ad..4329cd69cd1d3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5082,8 +5082,6 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 [[package]]
 name = "openssl"
 version = "0.10.38"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c7ae222234c30df141154f159066c5093ff73b63204dcda7121eb082fc56a95"
 dependencies = [
  "bitflags",
  "cfg-if 1.0.0",
diff --git a/Cargo.toml b/Cargo.toml
index 5d5c19452beee..6cb66243a0cea 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -337,6 +337,7 @@ chrono = { git = "https://github.com/vectordotdev/chrono.git", branch = "no-defa
 aws-config = { path = "patch/aws-config" }
 aws-sigv4 = { path = "patch/aws-sigv4" }
 hyper-openssl = { path = "patch/hyper-openssl" }
+openssl = { path = "patch/openssl" }
 
 [features]
 ocp-logging = [
diff --git a/Dockerfile.unit b/Dockerfile.unit
index f790a735fde6d..52b74dc49253b 100644
--- a/Dockerfile.unit
+++ b/Dockerfile.unit
@@ -1,8 +1,9 @@
-FROM registry.redhat.io/ubi8:6-754 as builder
+FROM registry.redhat.io/ubi8:8.6-754 as builder
 RUN INSTALL_PKGS=" \
 cmake \
 libarchive \
+gcc-c++ \
 make \
 git \
 openssl-devel \
diff --git a/vendor/openssl/.cargo-checksum.json b/patch/openssl/.cargo-checksum.json
similarity index 100%
rename from vendor/openssl/.cargo-checksum.json
rename to patch/openssl/.cargo-checksum.json
diff --git a/vendor/openssl/CHANGELOG.md b/patch/openssl/CHANGELOG.md
similarity index 100%
rename from vendor/openssl/CHANGELOG.md
rename to patch/openssl/CHANGELOG.md
diff --git a/vendor/openssl/Cargo.lock b/patch/openssl/Cargo.lock
similarity index 100%
rename from vendor/openssl/Cargo.lock
rename to patch/openssl/Cargo.lock
diff --git a/vendor/openssl/Cargo.toml b/patch/openssl/Cargo.toml
similarity index 100%
rename from vendor/openssl/Cargo.toml
rename to patch/openssl/Cargo.toml
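Review bot: Pointing `openssl` at `patch/openssl` replaces the registry-pinned crate with an in-tree copy, and the Cargo.lock hunk on the same line shows the `source` and `checksum` entries disappearing with it, so the build no longer verifies this crate against a published artifact. Tooling that matches advisories on registry sources will presumably stop reporting `openssl` 0.10.38 findings for this project, so the fork needs a recorded owner and baseline. A short note in `patch/openssl` (for example a `PATCHES.md`, name constructed) stating the upstream version the copy is based on and that the only local delta is the `SslAcceptor::custom` constructor would make it rebasable when upstream ships a fix.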
diff --git a/vendor/openssl/LICENSE b/patch/openssl/LICENSE
similarity index 100%
rename from vendor/openssl/LICENSE
rename to patch/openssl/LICENSE
diff --git a/vendor/openssl/README.md b/patch/openssl/README.md
similarity index 100%
rename from vendor/openssl/README.md
rename to patch/openssl/README.md
diff --git a/vendor/openssl/build.rs b/patch/openssl/build.rs
similarity index 100%
rename from vendor/openssl/build.rs
rename to patch/openssl/build.rs
diff --git a/vendor/openssl/examples/mk_certs.rs b/patch/openssl/examples/mk_certs.rs
similarity index 100%
rename from vendor/openssl/examples/mk_certs.rs
rename to patch/openssl/examples/mk_certs.rs
diff --git a/vendor/openssl/src/aes.rs b/patch/openssl/src/aes.rs
similarity index 100%
rename from vendor/openssl/src/aes.rs
rename to patch/openssl/src/aes.rs
diff --git a/vendor/openssl/src/asn1.rs b/patch/openssl/src/asn1.rs
similarity index 100%
rename from vendor/openssl/src/asn1.rs
rename to patch/openssl/src/asn1.rs
diff --git a/vendor/openssl/src/base64.rs b/patch/openssl/src/base64.rs
similarity index 100%
rename from vendor/openssl/src/base64.rs
rename to patch/openssl/src/base64.rs
diff --git a/vendor/openssl/src/bio.rs b/patch/openssl/src/bio.rs
similarity index 100%
rename from vendor/openssl/src/bio.rs
rename to patch/openssl/src/bio.rs
diff --git a/vendor/openssl/src/bn.rs b/patch/openssl/src/bn.rs
similarity index 100%
rename from vendor/openssl/src/bn.rs
rename to patch/openssl/src/bn.rs
diff --git a/vendor/openssl/src/cms.rs b/patch/openssl/src/cms.rs
similarity index 100%
rename from vendor/openssl/src/cms.rs
rename to patch/openssl/src/cms.rs
diff --git a/vendor/openssl/src/conf.rs b/patch/openssl/src/conf.rs
similarity index 100%
rename from vendor/openssl/src/conf.rs
rename to patch/openssl/src/conf.rs
diff --git a/vendor/openssl/src/derive.rs b/patch/openssl/src/derive.rs
similarity index 100%
rename from vendor/openssl/src/derive.rs
rename to patch/openssl/src/derive.rs
diff --git a/vendor/openssl/src/dh.rs b/patch/openssl/src/dh.rs
similarity index 100%
rename from vendor/openssl/src/dh.rs
rename to patch/openssl/src/dh.rs
diff --git a/vendor/openssl/src/dsa.rs b/patch/openssl/src/dsa.rs
similarity index 100%
rename from vendor/openssl/src/dsa.rs
rename to patch/openssl/src/dsa.rs
diff --git a/vendor/openssl/src/ec.rs b/patch/openssl/src/ec.rs
similarity index 100%
rename from vendor/openssl/src/ec.rs
rename to patch/openssl/src/ec.rs
diff --git a/vendor/openssl/src/ecdsa.rs b/patch/openssl/src/ecdsa.rs
similarity index 100%
rename from vendor/openssl/src/ecdsa.rs
rename to patch/openssl/src/ecdsa.rs
diff --git a/vendor/openssl/src/encrypt.rs b/patch/openssl/src/encrypt.rs
similarity index 100%
rename from vendor/openssl/src/encrypt.rs
rename to patch/openssl/src/encrypt.rs
diff --git a/vendor/openssl/src/envelope.rs b/patch/openssl/src/envelope.rs
similarity index 100%
rename from vendor/openssl/src/envelope.rs
rename to patch/openssl/src/envelope.rs
diff --git a/vendor/openssl/src/error.rs b/patch/openssl/src/error.rs
similarity index 100%
rename from vendor/openssl/src/error.rs
rename to patch/openssl/src/error.rs
diff --git a/vendor/openssl/src/ex_data.rs b/patch/openssl/src/ex_data.rs
similarity index 100%
rename from vendor/openssl/src/ex_data.rs
rename to patch/openssl/src/ex_data.rs
diff --git a/vendor/openssl/src/fips.rs b/patch/openssl/src/fips.rs
similarity index 100%
rename from vendor/openssl/src/fips.rs
rename to patch/openssl/src/fips.rs
diff --git a/vendor/openssl/src/hash.rs b/patch/openssl/src/hash.rs
similarity index 100%
rename from vendor/openssl/src/hash.rs
rename to patch/openssl/src/hash.rs
diff --git a/vendor/openssl/src/lib.rs b/patch/openssl/src/lib.rs
similarity index 100%
rename from vendor/openssl/src/lib.rs
rename to patch/openssl/src/lib.rs
diff --git a/vendor/openssl/src/macros.rs b/patch/openssl/src/macros.rs
similarity index 100%
rename from vendor/openssl/src/macros.rs
rename to patch/openssl/src/macros.rs
diff --git a/vendor/openssl/src/memcmp.rs b/patch/openssl/src/memcmp.rs
similarity index 100%
rename from vendor/openssl/src/memcmp.rs
rename to patch/openssl/src/memcmp.rs
diff --git a/vendor/openssl/src/nid.rs b/patch/openssl/src/nid.rs
similarity index 100%
rename from vendor/openssl/src/nid.rs
rename to patch/openssl/src/nid.rs
diff --git a/vendor/openssl/src/ocsp.rs b/patch/openssl/src/ocsp.rs
similarity index 100%
rename from vendor/openssl/src/ocsp.rs
rename to patch/openssl/src/ocsp.rs
diff --git a/vendor/openssl/src/pkcs12.rs b/patch/openssl/src/pkcs12.rs
similarity index 100%
rename from vendor/openssl/src/pkcs12.rs
rename to patch/openssl/src/pkcs12.rs
diff --git a/vendor/openssl/src/pkcs5.rs b/patch/openssl/src/pkcs5.rs
similarity index 100%
rename from vendor/openssl/src/pkcs5.rs
rename to patch/openssl/src/pkcs5.rs
diff --git a/vendor/openssl/src/pkcs7.rs b/patch/openssl/src/pkcs7.rs
similarity index 100%
rename from vendor/openssl/src/pkcs7.rs
rename to patch/openssl/src/pkcs7.rs
diff --git a/vendor/openssl/src/pkey.rs b/patch/openssl/src/pkey.rs
similarity index 100%
rename from vendor/openssl/src/pkey.rs
rename to patch/openssl/src/pkey.rs
diff --git a/vendor/openssl/src/rand.rs b/patch/openssl/src/rand.rs
similarity index 100%
rename from vendor/openssl/src/rand.rs
rename to patch/openssl/src/rand.rs
diff --git a/vendor/openssl/src/rsa.rs b/patch/openssl/src/rsa.rs
similarity index 100%
rename from vendor/openssl/src/rsa.rs
rename to patch/openssl/src/rsa.rs
diff --git a/vendor/openssl/src/sha.rs b/patch/openssl/src/sha.rs
similarity index 100%
rename from vendor/openssl/src/sha.rs
rename to patch/openssl/src/sha.rs
diff --git a/vendor/openssl/src/sign.rs b/patch/openssl/src/sign.rs
similarity index 100%
rename from vendor/openssl/src/sign.rs
rename to patch/openssl/src/sign.rs
diff --git a/vendor/openssl/src/srtp.rs b/patch/openssl/src/srtp.rs
similarity index 100%
rename from vendor/openssl/src/srtp.rs
rename to patch/openssl/src/srtp.rs
diff --git a/vendor/openssl/src/ssl/bio.rs b/patch/openssl/src/ssl/bio.rs
similarity index 100%
rename from vendor/openssl/src/ssl/bio.rs
rename to patch/openssl/src/ssl/bio.rs
diff --git a/vendor/openssl/src/ssl/callbacks.rs b/patch/openssl/src/ssl/callbacks.rs
similarity index 100%
rename from vendor/openssl/src/ssl/callbacks.rs
rename to patch/openssl/src/ssl/callbacks.rs
diff --git a/vendor/openssl/src/ssl/connector.rs b/patch/openssl/src/ssl/connector.rs
similarity index 95%
rename from vendor/openssl/src/ssl/connector.rs
rename to patch/openssl/src/ssl/connector.rs
index 1d2d2c643cf0a..58870d357eadb 100644
--- a/vendor/openssl/src/ssl/connector.rs
+++ b/patch/openssl/src/ssl/connector.rs
@@ -6,7 +6,7 @@ use crate::dh::Dh;
 use crate::error::ErrorStack;
 use crate::ssl::{
     HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode,
-    SslOptions, SslRef, SslStream, SslVerifyMode,
+    SslOptions, SslRef, SslStream, SslVerifyMode, SslVersion,
 };
 use crate::version;
@@ -217,6 +217,28 @@ impl DerefMut for ConnectConfiguration {
 pub struct SslAcceptor(SslContext);
 
 impl SslAcceptor {
+    pub fn custom(method: SslMethod, min_tls_version: &String, ciphersuites: &String) -> Result {
+        let mut ctx = ctx(method)?;
+        let min_proto_version: SslVersion;
+        match min_tls_version.as_str() {
+            "VersionTLS10" => min_proto_version = SslVersion::TLS1,
+            "VersionTLS11" => min_proto_version = SslVersion::TLS1_1,
+            "VersionTLS12" => min_proto_version = SslVersion::TLS1_2,
+            "VersionTLS13" => min_proto_version = SslVersion::TLS1_3,
+            _ => min_proto_version = SslVersion::TLS1,
+        }
+        ctx.set_min_proto_version(Some(min_proto_version))?;
+        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
+        ctx.set_tmp_dh(&dh)?;
+        setup_curves(&mut ctx)?;
+        ctx.set_cipher_list(ciphersuites.replace(",", ":").as_str())?;
+        #[cfg(ossl111)]
+        ctx.set_ciphersuites(
+            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
+        )?;
+        Ok(SslAcceptorBuilder(ctx))
+    }
+
     /// Creates a new builder configured to connect to non-legacy clients. This should generally be
     /// considered a reasonable default choice.
     ///
diff --git a/vendor/openssl/src/ssl/error.rs b/patch/openssl/src/ssl/error.rs
similarity index 100%
rename from vendor/openssl/src/ssl/error.rs
rename to patch/openssl/src/ssl/error.rs
diff --git a/vendor/openssl/src/ssl/mod.rs b/patch/openssl/src/ssl/mod.rs
similarity index 100%
rename from vendor/openssl/src/ssl/mod.rs
rename to patch/openssl/src/ssl/mod.rs
diff --git a/vendor/openssl/src/ssl/test/mod.rs b/patch/openssl/src/ssl/test/mod.rs
similarity index 100%
rename from vendor/openssl/src/ssl/test/mod.rs
rename to patch/openssl/src/ssl/test/mod.rs
diff --git a/vendor/openssl/src/ssl/test/server.rs b/patch/openssl/src/ssl/test/server.rs
similarity index 100%
rename from vendor/openssl/src/ssl/test/server.rs
rename to patch/openssl/src/ssl/test/server.rs
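Review bot: The `_` arm of the `match` on `min_tls_version` maps any unrecognized name to `SslVersion::TLS1`, so a typo such as `"TLS12"` silently lowers the protocol floor below what `mozilla_intermediate_v5` enforces, which is the opposite of what an operator setting this knob intends. The fallback should be no lower than `SslVersion::TLS1_2`, and ideally the name is validated where the option is loaded so the acceptor is never built from a bad value, since the `ErrorStack` return type offers no clean way to signal a configuration error from here. The function also lacks a doc comment, takes `&String` where `&str` suffices, and should state that the `set_ciphersuites` call keeps the TLS 1.3 suites fixed so `ciphersuites` only governs TLS 1.2 and below. The rewritten lines below also fold the deferred-assignment `match` into an expression; the page shows the return type as a bare `Result`, so its generic arguments are presumably stripped and are restored here from the `ErrorStack` import and the `SslAcceptorBuilder` the function constructs.

```rust
    /// Builds an acceptor from an explicit minimum protocol version and a comma-separated
    /// OpenSSL cipher list. The TLS 1.3 ciphersuites are fixed below; `ciphersuites` only
    /// governs TLS 1.2 and earlier. Callers should validate `min_tls_version` at config load.
    pub fn custom(
        method: SslMethod,
        min_tls_version: &str,
        ciphersuites: &str,
    ) -> Result<SslAcceptorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        // An unknown name must not quietly re-enable TLS 1.0; fall back to the same floor
        // that mozilla_intermediate_v5 uses.
        let min_proto_version = match min_tls_version {
            "VersionTLS10" => SslVersion::TLS1,
            "VersionTLS11" => SslVersion::TLS1_1,
            "VersionTLS12" => SslVersion::TLS1_2,
            "VersionTLS13" => SslVersion::TLS1_3,
            _ => SslVersion::TLS1_2,
        };
        ctx.set_min_proto_version(Some(min_proto_version))?;
        // … unchanged: DH params, curves, set_cipher_list, TLS 1.3 set_ciphersuites …
        Ok(SslAcceptorBuilder(ctx))
    }
```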
diff --git a/vendor/openssl/src/stack.rs b/patch/openssl/src/stack.rs
similarity index 100%
rename from vendor/openssl/src/stack.rs
rename to patch/openssl/src/stack.rs
diff --git a/vendor/openssl/src/string.rs b/patch/openssl/src/string.rs
similarity index 100%
rename from vendor/openssl/src/string.rs
rename to patch/openssl/src/string.rs
diff --git a/vendor/openssl/src/symm.rs b/patch/openssl/src/symm.rs
similarity index 100%
rename from vendor/openssl/src/symm.rs
rename to patch/openssl/src/symm.rs
diff --git a/vendor/openssl/src/util.rs b/patch/openssl/src/util.rs
similarity index 100%
rename from vendor/openssl/src/util.rs
rename to patch/openssl/src/util.rs
diff --git a/vendor/openssl/src/version.rs b/patch/openssl/src/version.rs
similarity index 100%
rename from vendor/openssl/src/version.rs
rename to patch/openssl/src/version.rs
diff --git a/vendor/openssl/src/x509/extension.rs b/patch/openssl/src/x509/extension.rs
similarity index 100%
rename from vendor/openssl/src/x509/extension.rs
rename to patch/openssl/src/x509/extension.rs
diff --git a/vendor/openssl/src/x509/mod.rs b/patch/openssl/src/x509/mod.rs
similarity index 100%
rename from vendor/openssl/src/x509/mod.rs
rename to patch/openssl/src/x509/mod.rs
diff --git a/vendor/openssl/src/x509/store.rs b/patch/openssl/src/x509/store.rs
similarity index 100%
rename from vendor/openssl/src/x509/store.rs
rename to patch/openssl/src/x509/store.rs
diff --git a/vendor/openssl/src/x509/tests.rs b/patch/openssl/src/x509/tests.rs
similarity index 100%
rename from vendor/openssl/src/x509/tests.rs
rename to patch/openssl/src/x509/tests.rs
diff --git a/vendor/openssl/src/x509/verify.rs b/patch/openssl/src/x509/verify.rs
similarity index 100%
rename from vendor/openssl/src/x509/verify.rs
rename to patch/openssl/src/x509/verify.rs
diff --git a/vendor/openssl/test/aia_test_cert.pem b/patch/openssl/test/aia_test_cert.pem
similarity index 100%
rename from vendor/openssl/test/aia_test_cert.pem
rename to patch/openssl/test/aia_test_cert.pem
diff --git a/vendor/openssl/test/alt_name_cert.pem b/patch/openssl/test/alt_name_cert.pem
similarity index 100%
rename from vendor/openssl/test/alt_name_cert.pem
rename to patch/openssl/test/alt_name_cert.pem
diff --git a/vendor/openssl/test/cert.pem b/patch/openssl/test/cert.pem
similarity index 100%
rename from vendor/openssl/test/cert.pem
rename to patch/openssl/test/cert.pem
diff --git a/vendor/openssl/test/certs.pem b/patch/openssl/test/certs.pem
similarity index 100%
rename from vendor/openssl/test/certs.pem
rename to patch/openssl/test/certs.pem
diff --git a/vendor/openssl/test/cms.p12 b/patch/openssl/test/cms.p12
similarity index 100%
rename from vendor/openssl/test/cms.p12
rename to patch/openssl/test/cms.p12
diff --git a/vendor/openssl/test/cms_pubkey.der b/patch/openssl/test/cms_pubkey.der
similarity index 100%
rename from vendor/openssl/test/cms_pubkey.der
rename to patch/openssl/test/cms_pubkey.der
diff --git a/vendor/openssl/test/dhparams.pem b/patch/openssl/test/dhparams.pem
similarity index 100%
rename from vendor/openssl/test/dhparams.pem
rename to patch/openssl/test/dhparams.pem
diff --git a/vendor/openssl/test/dsa.pem b/patch/openssl/test/dsa.pem
similarity index 100%
rename from vendor/openssl/test/dsa.pem
rename to patch/openssl/test/dsa.pem
diff --git a/vendor/openssl/test/dsa.pem.pub b/patch/openssl/test/dsa.pem.pub
similarity index 100%
rename from vendor/openssl/test/dsa.pem.pub
rename to patch/openssl/test/dsa.pem.pub
diff --git a/vendor/openssl/test/dsaparam.pem b/patch/openssl/test/dsaparam.pem
similarity index 100%
rename from vendor/openssl/test/dsaparam.pem
rename to patch/openssl/test/dsaparam.pem
diff --git a/vendor/openssl/test/identity.p12 b/patch/openssl/test/identity.p12
similarity index 100%
rename from vendor/openssl/test/identity.p12
rename to patch/openssl/test/identity.p12
diff --git a/vendor/openssl/test/key.der b/patch/openssl/test/key.der
similarity index 100%
rename from vendor/openssl/test/key.der
rename to patch/openssl/test/key.der
diff --git a/vendor/openssl/test/key.der.pub b/patch/openssl/test/key.der.pub
similarity index 100%
rename from vendor/openssl/test/key.der.pub
rename to patch/openssl/test/key.der.pub
diff --git a/vendor/openssl/test/key.pem b/patch/openssl/test/key.pem
similarity index 100%
rename from vendor/openssl/test/key.pem
rename to patch/openssl/test/key.pem
diff --git a/vendor/openssl/test/key.pem.pub b/patch/openssl/test/key.pem.pub
similarity index 100%
rename from vendor/openssl/test/key.pem.pub
rename to patch/openssl/test/key.pem.pub
diff --git a/vendor/openssl/test/keystore-empty-chain.p12 b/patch/openssl/test/keystore-empty-chain.p12
similarity index 100%
rename from vendor/openssl/test/keystore-empty-chain.p12
rename to patch/openssl/test/keystore-empty-chain.p12
diff --git a/vendor/openssl/test/nid_test_cert.pem b/patch/openssl/test/nid_test_cert.pem
similarity index 100%
rename from vendor/openssl/test/nid_test_cert.pem
rename to patch/openssl/test/nid_test_cert.pem
diff --git a/vendor/openssl/test/nid_uid_test_cert.pem b/patch/openssl/test/nid_uid_test_cert.pem
similarity index 100%
rename from vendor/openssl/test/nid_uid_test_cert.pem
rename to patch/openssl/test/nid_uid_test_cert.pem
diff --git a/vendor/openssl/test/pkcs1.pem.pub b/patch/openssl/test/pkcs1.pem.pub
similarity index 100%
rename from vendor/openssl/test/pkcs1.pem.pub
rename to patch/openssl/test/pkcs1.pem.pub
diff --git a/vendor/openssl/test/pkcs8-nocrypt.der b/patch/openssl/test/pkcs8-nocrypt.der
similarity index 100%
rename from vendor/openssl/test/pkcs8-nocrypt.der
rename to patch/openssl/test/pkcs8-nocrypt.der
diff --git a/vendor/openssl/test/pkcs8.der b/patch/openssl/test/pkcs8.der
similarity index 100%
rename from vendor/openssl/test/pkcs8.der
rename to patch/openssl/test/pkcs8.der
diff --git a/vendor/openssl/test/root-ca.key b/patch/openssl/test/root-ca.key
similarity index 100%
rename from vendor/openssl/test/root-ca.key
rename to patch/openssl/test/root-ca.key
diff --git a/vendor/openssl/test/root-ca.pem b/patch/openssl/test/root-ca.pem
similarity index 100%
rename from vendor/openssl/test/root-ca.pem
rename to patch/openssl/test/root-ca.pem
diff --git a/vendor/openssl/test/rsa-encrypted.pem b/patch/openssl/test/rsa-encrypted.pem
similarity index 100%
rename from vendor/openssl/test/rsa-encrypted.pem
rename to patch/openssl/test/rsa-encrypted.pem
diff --git a/vendor/openssl/test/rsa.pem b/patch/openssl/test/rsa.pem
similarity index 100%
rename from vendor/openssl/test/rsa.pem
rename to patch/openssl/test/rsa.pem
diff --git a/vendor/openssl/test/rsa.pem.pub b/patch/openssl/test/rsa.pem.pub
similarity index 100%
rename from vendor/openssl/test/rsa.pem.pub
rename to patch/openssl/test/rsa.pem.pub
diff --git a/src/tls/incoming.rs b/src/tls/incoming.rs
index 106493743cf2c..61b417e7bd9f3 100644
--- a/src/tls/incoming.rs
+++ b/src/tls/incoming.rs
@@ -30,6 +30,14 @@ impl TlsSettings {
         match self.identity {
             None => Err(TlsError::MissingRequiredIdentity),
             Some(_) => {
+                if let Some(min_tls_version) = &self.min_tls_version {
+                    if let Some (ciphersuites) = &self.ciphersuites {
+                        let mut acceptor = SslAcceptor::custom(SslMethod::tls(), min_tls_version, ciphersuites)
+                            .context(CreateAcceptorSnafu)?;
+                        self.apply_context(&mut acceptor)?;
+                        return Ok(acceptor.build())
+                    }
+                }
                 let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls())
                     .context(CreateAcceptorSnafu)?;
                 self.apply_context(&mut acceptor)?;
diff --git a/src/tls/settings.rs b/src/tls/settings.rs
index c6b1720e1321b..63410006d97cb 100644
--- a/src/tls/settings.rs
+++ b/src/tls/settings.rs
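Review bot: The custom acceptor is only used when both `min_tls_version` and `ciphersuites` are set; when exactly one of them is configured the nested `if let` falls through to `mozilla_intermediate_v5` and the operator's setting is silently ignored, which is hard to notice because the handshake still succeeds. A `match` on the pair makes the half-configured case explicit so it can be rejected when the acceptor is created (a dedicated `TlsError` variant would be needed; none visible on this page fits), and it also removes the duplicated `.context`/`apply_context`/`build` tail. `Some (ciphersuites)` carries a stray space that rustfmt would remove. The enclosing function begins and ends outside the hunk.

```rust
            Some(_) => {
                // Both knobs must be set for the custom policy; a half-set pair is a
                // configuration error, not a silent fall-through to the Mozilla defaults.
                let mut acceptor = match (&self.min_tls_version, &self.ciphersuites) {
                    (Some(min_tls_version), Some(ciphersuites)) => {
                        SslAcceptor::custom(SslMethod::tls(), min_tls_version, ciphersuites)
                    }
                    (None, None) => SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()),
                    _ => return Err(/* TODO(review): dedicated TlsError variant for a half-configured TLS policy */),
                }
                .context(CreateAcceptorSnafu)?;
                self.apply_context(&mut acceptor)?;
                // … unchanged: acceptor.build() …
```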
@@ -68,6 +68,8 @@ pub struct TlsOptions {
     #[serde(alias = "key_path")]
     pub key_file: Option,
     pub key_pass: Option,
+    pub min_tls_version: Option,
+    pub ciphersuites: Option,
 }
 
 impl TlsOptions {
@@ -89,6 +91,8 @@ pub struct TlsSettings {
     pub(super) verify_hostname: bool,
     authorities: Vec,
     pub(super) identity: Option, // openssl::pkcs12::ParsedPkcs12 doesn't impl Clone yet
+    pub min_tls_version: Option,
+    pub ciphersuites: Option,
 }
 
 #[derive(Clone)]
@@ -125,6 +129,8 @@ impl TlsSettings {
             verify_hostname: options.verify_hostname.unwrap_or(!for_server),
             authorities: options.load_authorities()?,
             identity: options.load_identity()?,
+            min_tls_version: options.min_tls_version.clone(),
+            ciphersuites: options.ciphersuites.clone(),
         })
     }
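Review bot: `TlsOptions` is the serde-deserialized user configuration (the `#[serde(alias = ...)]` attribute in the hunk shows this), but the two new fields carry no doc comment and nothing states the accepted values, which are only discoverable from the `match` inside `SslAcceptor::custom` in the patched openssl crate. Above `pub min_tls_version` add `/// Minimum TLS protocol version to accept: "VersionTLS10", "VersionTLS11", "VersionTLS12" or "VersionTLS13". Unknown names are currently not rejected at load time.` and above `pub ciphersuites` add `/// Comma-separated OpenSSL cipher list for TLS 1.2 and below; TLS 1.3 suites are not affected. Has effect only when min_tls_version is also set.` The same fields are copied into `TlsSettings` in the second hunk and cloned through in the third; `TlsSettings::from_options` in the third hunk (whose body starts outside the hunk) is the natural place to reject an unknown version name or a half-set pair before an acceptor is ever built from them. The generic arguments of `Option` and `Vec` appear to have been stripped from the page, so the field types shown here are incomplete.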