1 /*
2 * libratbox: a library used by ircd-ratbox and other things
3 * openssl_ratbox.h: OpenSSL backend data
4 *
5 * Copyright (C) 2015-2016 Aaron Jones <aaronmdjones@gmail.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
20 * USA
21 *
22 */
23
24 #ifndef LRB_OPENSSL_H_INC
25 #define LRB_OPENSSL_H_INC 1
26
27 #include <openssl/dh.h>
28 #include <openssl/ec.h>
29 #include <openssl/err.h>
30 #include <openssl/evp.h>
31 #include <openssl/rand.h>
32 #include <openssl/ssl.h>
33
34 #include <openssl/opensslv.h>
35
36 /*
37 * A long time ago, in a world far away, OpenSSL had a well-established mechanism for ensuring compatibility with
38 * regards to added, changed, and removed functions, by having an SSLEAY_VERSION_NUMBER macro. This was then
39 * renamed to OPENSSL_VERSION_NUMBER, but the old macro was kept around for compatibility until OpenSSL version
40 * 1.1.0.
41 *
42 * Then the OpenBSD developers decided that having OpenSSL in their codebase was a bad idea. They forked it to
43 * create LibreSSL, gutted all of the functionality they didn't want or need, and generally improved the library
44 * a lot. Then, as the OpenBSD developers are wont to do, they packaged up LibreSSL for release to other
45 * operating systems, as LibreSSL Portable. Think along the lines of OpenSSH where they have also done this.
46 *
47 * The fun part of this story ends there. LibreSSL has an OPENSSL_VERSION_NUMBER macro, but they have set it to a
48 * stupidly high value, version 2.0. OpenSSL version 2.0 does not exist, and LibreSSL 2.2 does not implement
49 * everything OpenSSL 1.0.2 or 1.1.0 do. This completely breaks the entire purpose of the macro.
50 *
51 * The ifdef soup below is for LibreSSL compatibility. Please find whoever thought setting OPENSSL_VERSION_NUMBER
52 * to a version that does not exist was a good idea. Encourage them to realise that it is not. -- amdj
53 */
54
/*
 * Feature-detection macros for the OpenSSL backend (presumably consumed by
 * the backend .c file that includes this header). Every test below first
 * checks LIBRESSL_VERSION_NUMBER, because on LibreSSL the value of
 * OPENSSL_VERSION_NUMBER says nothing about which APIs exist (see above);
 * only LIBRESSL_VERSION_NUMBER can be trusted there.
 */

/*
 * OpenSSL 1.1.0+ initialises itself on first use, so the explicit
 * SSL_library_init()/SSL_load_error_strings() calls are no longer needed.
 */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
# define LRB_SSL_NO_EXPLICIT_INIT 1
#endif

/*
 * OpenSSL 1.0.2 added SSL_CTX_set1_curves_list() (rb_default_curves below is
 * only defined when this is set). SSL_CTX_set_ecdh_auto() is only meaningful
 * on 1.0.2: in 1.1.0+ automatic curve selection is always on and the call
 * became a no-op, so LRB_HAVE_TLS_ECDH_AUTO is deliberately not set there.
 */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
# define LRB_HAVE_TLS_SET_CURVES 1
# if (OPENSSL_VERSION_NUMBER < 0x10100000L)
# define LRB_HAVE_TLS_ECDH_AUTO 1
# endif
#endif

/*
 * Version-flexible TLS_method()/TLS_server_method()/TLS_client_method() are
 * available on OpenSSL 1.1.0+ and on LibreSSL from 2.2.2; older libraries
 * have the SSLv23_*_method() family instead.
 * NOTE(review): this LibreSSL threshold (0x20020002L) and the one in the
 * version-reporting block below (0x20200000L) use different digit layouts;
 * confirm both against LibreSSL's LIBRESSL_VERSION_NUMBER encoding.
 */
#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
# define LRB_HAVE_TLS_METHOD_API 1
#else
# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
# define LRB_HAVE_TLS_METHOD_API 1
# endif
#endif

/*
 * Library version reporting: compile-time and run-time version text/number,
 * presumably for logging and for comparing the linked shared library against
 * the headers this was built with (a mismatched or downgraded library is
 * worth flagging at startup).
 *
 * Only the OpenSSL 1.1.0+ branch defines all four macros and sets
 * LRB_SSL_FULL_VERSION_INFO. The other branches define neither
 * LRB_SSL_VTEXT_COMPILETIME nor LRB_SSL_VNUM_RUNTIME, so code using either
 * of those must be guarded by #ifdef LRB_SSL_FULL_VERSION_INFO.
 */
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
/* OpenSSL 1.1.0 renamed SSLeay_version()/SSLEAY_VERSION to OpenSSL_version()/OPENSSL_VERSION. */
# define LRB_SSL_VTEXT_COMPILETIME OPENSSL_VERSION_TEXT
# define LRB_SSL_VTEXT_RUNTIME OpenSSL_version(OPENSSL_VERSION)
# define LRB_SSL_VNUM_COMPILETIME OPENSSL_VERSION_NUMBER
# define LRB_SSL_VNUM_RUNTIME OpenSSL_version_num()
# define LRB_SSL_FULL_VERSION_INFO 1
#else
# if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20200000L)
/* Newer LibreSSL: legacy SSLeay text API, but report the real LibreSSL number. */
# define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION)
# define LRB_SSL_VNUM_COMPILETIME LIBRESSL_VERSION_NUMBER
# else
/* OpenSSL 1.0.x and older LibreSSL: legacy SSLeay names only. */
# define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION)
# define LRB_SSL_VNUM_COMPILETIME SSLEAY_VERSION_NUMBER
# endif
#endif
89
90
91
/*
 * Default OpenSSL cipher-list string, applied when the configuration does not
 * supply one (presumably via SSL_CTX_set_cipher_list() in the backend).
 * Curves are handled separately by rb_default_curves on OpenSSL 1.0.2+; on
 * 1.0.0/1.0.1 the backend hardcodes secp384r1 (NIST P-384) where available.
 *
 * Preference order, most to least preferred:
 *   1. AEAD suites with ephemeral key exchange (kEECDH = ECDHE, kEDH = DHE):
 *      ChaCha20-Poly1305, then AES-GCM, then AES-CCM; "@STRENGTH" re-sorts
 *      everything listed before it by key length, so 256-bit suites come
 *      before 128-bit ones within that group.
 *   2. Non-AEAD suites with SHA-384 / SHA-256 HMACs, ephemeral key exchange only.
 *   3. Any other forward-secret HIGH suite, then any remaining HIGH suite.
 *      That last "HIGH:" admits static-RSA (kRSA) key exchange, i.e. suites
 *      without forward secrecy, as a compatibility fallback.
 *   4. "!3DES" and "!aNULL" are hard exclusions regardless of position.
 *
 * Defined static in this header, so every translation unit that includes it
 * gets its own copy; it is intended for the OpenSSL backend source only.
 */

static const char rb_default_ciphers[] =
	/* AEAD, ephemeral key exchange: ChaCha20-Poly1305, AES-GCM, AES-CCM */
	"aECDSA+kEECDH+CHACHA20:" "aRSA+kEECDH+CHACHA20:" "aRSA+kEDH+CHACHA20:"
	"aECDSA+kEECDH+AESGCM:"   "aRSA+kEECDH+AESGCM:"   "aRSA+kEDH+AESGCM:"
	"aECDSA+kEECDH+AESCCM:"   "aRSA+kEECDH+AESCCM:"   "aRSA+kEDH+AESCCM:"
	/* sort the suites above by key length, strongest first */
	"@STRENGTH:"
	/* SHA-2 HMAC suites, ephemeral key exchange only */
	"aECDSA+kEECDH+HIGH+SHA384:" "aRSA+kEECDH+HIGH+SHA384:" "aRSA+kEDH+HIGH+SHA384:"
	"aECDSA+kEECDH+HIGH+SHA256:" "aRSA+kEECDH+HIGH+SHA256:" "aRSA+kEDH+HIGH+SHA256:"
	/* remaining forward-secret HIGH suites, then any other HIGH suite */
	"aECDSA+kEECDH+HIGH:" "aRSA+kEECDH+HIGH:" "aRSA+kEDH+HIGH:"
	"HIGH:"
	/* hard exclusions */
	"!3DES:" "!aNULL";
124
125 #ifdef LRB_HAVE_TLS_SET_CURVES
/*
 * Default named-curve list for ECDHE, presumably passed to
 * SSL_CTX_set1_curves_list() when the configuration supplies none.
 * Ordered strongest first: NIST P-521, P-384, P-256.
 * NOTE(review): X25519 is not listed; OpenSSL 1.1.0+ accepts it in this
 * list — confirm whether the backend should prefer it on those versions.
 */
static const char rb_default_curves[] = "P-521:" "P-384:" "P-256";
127 #endif
128
129 #endif /* LRB_OPENSSL_H_INC */