Reworked EAP-TLS 1.3 to account for RFC9190, implemented searching by certificate instead of certificate CN

src/Mayaqua/CMakeLists.txt

@@ -22,8 +22,10 @@ include(CheckSymbolExists)
 
 set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
 set(CMAKE_REQUIRED_LIBRARIES OpenSSL::Crypto)
+set(CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL)
 
 check_symbol_exists(EVP_PKEY_get_raw_public_key "openssl/evp.h" HAVE_EVP_PKEY_GET_RAW_PUBLIC_KEY)
+check_symbol_exists(SSL_CTX_set_num_tickets "openssl/ssl.h" HAVE_SSL_CTX_SET_NUM_TICKETS)
 
 unset(CMAKE_REQUIRED_INCLUDES)
 unset(CMAKE_REQUIRED_LIBRARIES)
@@ -32,6 +34,12 @@ if(NOT HAVE_EVP_PKEY_GET_RAW_PUBLIC_KEY)
   message(FATAL_ERROR "Required EVP_PKEY_get_raw_public_key() not found in OpenSSL library!")
 endif()
 
+if (HAVE_SSL_CTX_SET_NUM_TICKETS)
+  add_compile_definitions(HAVE_SSL_CTX_SET_NUM_TICKETS)
+endif()
+
+
+
 find_package(ZLIB REQUIRED)
 
 # Required because we include <openssl/opensslv.h> in Encrypt.h.

src/Mayaqua/Network.c

@@ -5716,10 +5716,10 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 
 SSL_PIPE* NewSslPipeEx2(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert)
 {
-	return NewSslPipeEx3(server_mode, x, k, chain, dh, verify_peer, clientcert, false, false);
+	return NewSslPipeEx3(server_mode, x, k, chain, dh, verify_peer, clientcert, 2, false); // 2 TLS 1.3 tickets is an OpenSSL default hardcoded in the library
 }
 
-SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert, bool disableTls13Tickets, bool disableTls13)
+SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert, int tls13ticketscnt, bool disableTls13)
 {
 	SSL_PIPE *s;
 	SSL *ssl;
@@ -5791,11 +5791,9 @@ SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
 		{
 			SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
 		}
-
-		if (disableTls13Tickets)
-		{
-			SSL_CTX_set_num_tickets(ssl_ctx, 0);
-		}
+#endif
+#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
+		SSL_CTX_set_num_tickets(ssl_ctx, tls13ticketscnt);
 #endif
 
 		ssl = SSL_new(ssl_ctx);
@@ -5846,6 +5844,8 @@ SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
 bool SyncSslPipe(SSL_PIPE *s)
 {
 	UINT i;
+	SSL_SESSION* sess;
+
 	// Validate arguments
 	if (s == NULL || s->IsDisconnected)
 	{
@@ -5876,6 +5876,8 @@ bool SyncSslPipe(SSL_PIPE *s)
 		}
 	}
 
+	s->SslVersion = SSL_version(s->ssl);
+
 	return true;
 }
 

src/Mayaqua/Network.h

@@ -11,6 +11,8 @@
 #include "Encrypt.h"
 #include "Mayaqua.h"
 
+#include <openssl/ssl.h> // This is needed only for the SSL/TLS version defines
+
 #ifdef OS_UNIX
 #include <netinet/in.h>
 
@@ -537,6 +539,7 @@ struct SSL_PIPE
 {
 	bool ServerMode;					// Whether it's in the server mode
 	bool IsDisconnected;				// Disconnected
+	int SslVersion;
 	SSL *ssl;							// SSL object
 	struct ssl_ctx_st *ssl_ctx;			// SSL_CTX
 	SSL_BIO *SslInOut;					// I/O BIO for the data in the SSL tunnel
@@ -1407,7 +1410,7 @@ struct SslClientCertInfo {
 SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh);
 SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
 SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
-SSL_PIPE* NewSslPipeEx3(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert, bool disableTls13Tickets, bool disableTls13);
+SSL_PIPE* NewSslPipeEx3(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert, int tls13ticketscnt, bool disableTls13);
 void FreeSslPipe(SSL_PIPE *s);
 bool SyncSslPipe(SSL_PIPE *s);