1 | /* | |
2 | * libratbox: a library used by ircd-ratbox and other things | |
3 | * openssl_ratbox.h: OpenSSL backend data | |
4 | * | |
5 | * Copyright (C) 2015-2016 Aaron Jones <aaronmdjones@gmail.com> | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program; if not, write to the Free Software | |
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
20 | * USA | |
21 | * | |
22 | */ | |
23 | ||
24 | #ifndef LRB_OPENSSL_H_INC | |
25 | #define LRB_OPENSSL_H_INC 1 | |
26 | ||
27 | #include <openssl/dh.h> | |
28 | #include <openssl/ec.h> | |
29 | #include <openssl/err.h> | |
30 | #include <openssl/evp.h> | |
31 | #include <openssl/rand.h> | |
32 | #include <openssl/ssl.h> | |
33 | ||
34 | #include <openssl/opensslv.h> | |
35 | ||
36 | /* | |
37 | * A long time ago, in a world far away, OpenSSL had a well-established mechanism for ensuring compatibility with | |
38 | * regards to added, changed, and removed functions, by having an SSLEAY_VERSION_NUMBER macro. This was then | |
39 | * renamed to OPENSSL_VERSION_NUMBER, but the old macro was kept around for compatibility until OpenSSL version | |
40 | * 1.1.0. | |
41 | * | |
42 | * Then the OpenBSD developers decided that having OpenSSL in their codebase was a bad idea. They forked it to | |
43 | * create LibreSSL, gutted all of the functionality they didn't want or need, and generally improved the library | |
44 | * a lot. Then, as the OpenBSD developers are wont to do, they packaged up LibreSSL for release to other | |
45 | * operating systems, as LibreSSL Portable. Think along the lines of OpenSSH where they have also done this. | |
46 | * | |
47 | * The fun part of this story ends there. LibreSSL has an OPENSSL_VERSION_NUMBER macro, but they have set it to a | |
48 | * stupidly high value, version 2.0. OpenSSL version 2.0 does not exist, and LibreSSL 2.2 does not implement | |
49 | * everything OpenSSL 1.0.2 or 1.1.0 do. This completely breaks the entire purpose of the macro. | |
50 | * | |
51 | * The ifdef soup below is for LibreSSL compatibility. Please find whoever thought setting OPENSSL_VERSION_NUMBER | |
52 | * to a version that does not exist was a good idea. Encourage them to realise that it is not. -- amdj | |
53 | */ | |
54 | ||
/*
 * Feature gates derived from the two version-number spaces described above.
 * Every test below checks LIBRESSL_VERSION_NUMBER first so that LibreSSL's
 * inflated OPENSSL_VERSION_NUMBER is never consulted on its own. The .c
 * backend is what acts on these names; the meanings sketched here are what
 * the names suggest and should be confirmed against that file.
 */

/* OpenSSL >= 1.1.0 (never LibreSSL). Presumably tells the backend to skip the
 * explicit library/error-string initialisation that 1.1.0 made automatic --
 * confirm against the .c side. */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
# define LRB_SSL_NO_EXPLICIT_INIT 1
#endif

/* OpenSSL >= 1.0.2 (never LibreSSL): a named-curve list can be configured, and
 * rb_default_curves below exists. LRB_HAVE_TLS_ECDH_AUTO is additionally set
 * only for 1.0.2.x (< 1.1.0), presumably because 1.1.0 no longer needs the
 * explicit "ecdh auto" switch -- confirm. Note that LibreSSL builds get
 * neither symbol, so they never see rb_default_curves. */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
# define LRB_HAVE_TLS_SET_CURVES 1
# if (OPENSSL_VERSION_NUMBER < 0x10100000L)
#  define LRB_HAVE_TLS_ECDH_AUTO 1
# endif
#endif

/* Generic (version-flexible) TLS method API: LibreSSL at or above
 * 0x20020002L, or OpenSSL >= 1.1.0.
 *
 * NOTE(review): 0x20020002L does not follow the MNNFFPPS layout that the other
 * LibreSSL thresholds in this file use (0x20200000L reads as 2.2.0,
 * 0x2050100fL as 2.5.1); read that way it is "2.0.32", so the gate admits any
 * LibreSSL reporting a number at or above that. If the intent was LibreSSL
 * 2.2.2, the consistent spelling would be 0x2020200fL. Confirm against the
 * LibreSSL release that introduced the generic method API before changing it,
 * since this decides which method constructor the backend calls. */
#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
# define LRB_HAVE_TLS_METHOD_API 1
#else
# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
#  define LRB_HAVE_TLS_METHOD_API 1
# endif
#endif

/* Compile-time and run-time version text/number, for display.
 *
 * Only the OpenSSL >= 1.1.0 branch defines all four names and marks that with
 * LRB_SSL_FULL_VERSION_INFO. The two fallback branches define only
 * LRB_SSL_VTEXT_RUNTIME and LRB_SSL_VNUM_COMPILETIME, so a consumer must test
 * LRB_SSL_FULL_VERSION_INFO (or #ifdef the individual names) before touching
 * LRB_SSL_VTEXT_COMPILETIME or LRB_SSL_VNUM_RUNTIME. The LibreSSL branch
 * reports LIBRESSL_VERSION_NUMBER rather than the inflated
 * OPENSSL_VERSION_NUMBER, for the reason given in the comment above. */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
# define LRB_SSL_VTEXT_COMPILETIME OPENSSL_VERSION_TEXT
# define LRB_SSL_VTEXT_RUNTIME OpenSSL_version(OPENSSL_VERSION)
# define LRB_SSL_VNUM_COMPILETIME OPENSSL_VERSION_NUMBER
# define LRB_SSL_VNUM_RUNTIME OpenSSL_version_num()
# define LRB_SSL_FULL_VERSION_INFO 1
#else
# if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20200000L)
#  define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION)
#  define LRB_SSL_VNUM_COMPILETIME LIBRESSL_VERSION_NUMBER
# else
#  define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION)
#  define LRB_SSL_VNUM_COMPILETIME SSLEAY_VERSION_NUMBER
# endif
#endif

/* X25519 usable as a named curve: OpenSSL strictly newer than 0x10101000L
 * (1.1.1 release and later; 1.1.1 pre-release snapshots are excluded, unlike
 * the LRB_HAVE_TLS13 gate below which uses >=), or LibreSSL newer than 2.5.1.
 *
 * NOTE(review): as far as I recall X25519 key exchange arrived in OpenSSL
 * 1.1.0, so 1.1.0.x builds currently fall back to the NIST-only default curve
 * list. Harmless, but confirm before loosening the threshold. On LibreSSL this
 * symbol has no effect on rb_default_curves (which is never compiled there),
 * so it only matters if the backend consults it directly. */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER > 0x10101000L)
# define LRB_HAVE_TLS_ECDH_X25519 1
#else
# if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER > 0x2050100fL)
#  define LRB_HAVE_TLS_ECDH_X25519 1
# endif
#endif

/* TLS 1.3 ciphersuite names are recognised: OpenSSL >= 1.1.1 only. LibreSSL
 * never sets this, so the TLS_* entries in rb_default_ciphers are never
 * compiled in for it; later LibreSSL releases do speak TLS 1.3, and this gate
 * predates them -- revisit if that matters. */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
# define LRB_HAVE_TLS13 1
#endif
101 | ||
102 | ||
103 | ||
/*
 * Built-in cipher preference string, used when the configuration supplies
 * none, and (further below) the default named-curve list for OpenSSL 1.0.2+.
 * On OpenSSL 1.0.0 and 1.0.1 the backend instead hardcodes secp384r1
 * (NIST P-384) where available.
 *
 * Ordering, front to back: AEAD suites (ChaCha20-Poly1305, AES-GCM, AES-CCM)
 * with ephemeral key exchange, ECDSA before RSA authentication; @STRENGTH
 * then re-sorts that prefix by encryption key length. After it come the
 * SHA-384 and SHA-256 HMAC suites, then whatever else HIGH admits, with 3DES
 * and anonymous key exchange excluded outright.
 *
 * NOTE(review): OpenSSL 1.1.1 configures TLS 1.3 suites through
 * SSL_CTX_set_ciphersuites(), not the classic cipher-list setter. If the
 * backend hands this whole string to SSL_CTX_set_cipher_list() only, check
 * how the three TLS_* names are treated there; the TLS 1.3 preference may
 * have to be applied separately.
 */

static const char rb_default_ciphers[] = ""
#ifdef LRB_HAVE_TLS13
	/* TLS 1.3: AEAD only, strongest first. */
	"TLS_AES_256_GCM_SHA384:"
	"TLS_CHACHA20_POLY1305_SHA256:"
	"TLS_AES_128_GCM_SHA256:"
#endif
	/* TLS <= 1.2 AEAD suites; forward-secret key exchange only. */
	"aECDSA+kEECDH+CHACHA20:" "aRSA+kEECDH+CHACHA20:" "aRSA+kEDH+CHACHA20:"
	"aECDSA+kEECDH+AESGCM:"   "aRSA+kEECDH+AESGCM:"   "aRSA+kEDH+AESGCM:"
	"aECDSA+kEECDH+AESCCM:"   "aRSA+kEECDH+AESCCM:"   "aRSA+kEDH+AESCCM:"
	/* Re-sort everything listed so far by encryption key length. */
	"@STRENGTH:"
	/* SHA-2 HMAC suites, then any remaining HIGH suite; forward-secret first. */
	"aECDSA+kEECDH+HIGH+SHA384:" "aRSA+kEECDH+HIGH+SHA384:" "aRSA+kEDH+HIGH+SHA384:"
	"aECDSA+kEECDH+HIGH+SHA256:" "aRSA+kEECDH+HIGH+SHA256:" "aRSA+kEDH+HIGH+SHA256:"
	"aECDSA+kEECDH+HIGH:"        "aRSA+kEECDH+HIGH:"        "aRSA+kEDH+HIGH:"
	"HIGH:"
	/* Never 3DES (64-bit block), never anonymous key exchange. */
	"!3DES:"
	"!aNULL";
141 | ||
#ifdef LRB_HAVE_TLS_SET_CURVES
/*
 * Default named-curve preference, most preferred first, presumably handed to
 * the library's curve-list setter by the backend. X25519 is prepended only
 * where LRB_HAVE_TLS_ECDH_X25519 says the library knows it; the NIST curves
 * follow, largest first. Only exists on OpenSSL 1.0.2+ (see the gate above);
 * LibreSSL builds never compile this.
 *
 * Deliberately not const -- presumably because the OpenSSL 1.0.2 flavour of
 * the setter takes a plain char *; confirm before adding the qualifier. Being
 * defined in a header, each including translation unit gets its own writable
 * copy.
 */
static char rb_default_curves[] =
# ifdef LRB_HAVE_TLS_ECDH_X25519
	"X25519:"
# endif
	"P-521:P-384:P-256";
#endif
149 | ||
150 | #endif /* LRB_OPENSSL_H_INC */ |