* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/rand.h>
static SSL_CTX *ssl_server_ctx;
return rb_ssl_read_or_write(1, F, NULL, buf, count);
}
+static int
+verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ return 1;
+}
+
+static const char *
+get_ssl_error(unsigned long err)
+{
+ static char buf[512];
+
+ ERR_error_string_n(err, buf, sizeof buf);
+ return buf;
+}
+
int
rb_init_ssl(void)
{
int ret = 1;
char libratbox_data[] = "libratbox data";
+ const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
SSL_load_error_strings();
SSL_library_init();
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+ ssl_server_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ get_ssl_error(ERR_get_error()));
ret = 0;
}
- /* Disable SSLv2, make the client use our settings */
- SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+ long server_options = SSL_CTX_get_options(ssl_server_ctx);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ server_options |= SSL_OP_NO_SSLv2;
+ server_options |= SSL_OP_NO_SSLv3;
+#endif
+
+#ifdef SSL_OP_SINGLE_DH_USE
+ server_options |= SSL_OP_SINGLE_DH_USE;
+#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ server_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+ server_options |= SSL_OP_NO_TICKET;
+#endif
+
+ server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+ SSL_CTX_set_options(ssl_server_ctx, server_options);
+ SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
+ SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
+
+ /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
+ and bastardise their OpenSSL for stupid reasons... */
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (key) {
+ SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
+ EC_KEY_free(key);
+ }
+ #endif
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
+ ssl_client_ctx = SSL_CTX_new(TLS_client_method());
+#endif
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ get_ssl_error(ERR_get_error()));
ret = 0;
}
+
+#ifdef SSL_OP_NO_TICKET
+ SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
+#endif
+
+ SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
+
return ret;
}
rb_lib_log("rb_setup_ssl_server: No certificate file");
return 0;
}
- if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert))
+ if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
{
err = ERR_get_error();
rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
- ERR_error_string(err, NULL));
+ get_ssl_error(err));
return 0;
}
}
- if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM))
+ if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
{
err = ERR_get_error();
rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
- ERR_error_string(err, NULL));
+ get_ssl_error(err));
return 0;
}
err = ERR_get_error();
rb_lib_log
("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
- dhfile, ERR_error_string(err, NULL));
+ dhfile, get_ssl_error(err));
BIO_free(bio);
return 0;
}
{
err = ERR_get_error();
rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
- dhfile, ERR_error_string(err, NULL));
+ dhfile, get_ssl_error(err));
}
}
return 1;
}
int
-rb_ssl_listen(rb_fde_t *F, int backlog)
+rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
{
+ int result;
+
+ result = rb_listen(F, backlog, defer_accept);
F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
- return listen(F->fd, backlog);
+
+ return result;
}
struct ssl_connect
switch (seed_type)
{
- case RB_PRNG_EGD:
- if(RAND_egd(path) == -1)
- return -1;
- break;
case RB_PRNG_FILE:
if(RAND_load_file(path, -1) == -1)
return -1;
const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
- return ERR_error_string(F->ssl_errno, NULL);
+ return get_ssl_error(F->ssl_errno);
+}
+
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+{
+ X509 *cert;
+ int res;
+
+ if (F->ssl == NULL)
+ return 0;
+
+ cert = SSL_get_peer_certificate((SSL *) F->ssl);
+ if(cert != NULL)
+ {
+ res = SSL_get_verify_result((SSL *) F->ssl);
+ if(
+ res == X509_V_OK ||
+ res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+ {
+ unsigned int certfp_length = RB_SSL_CERTFP_LEN;
+ X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
+ X509_free(cert);
+ return 1;
+ }
+ X509_free(cert);
+ }
+
+ return 0;
}
int
void
rb_get_ssl_info(char *buf, size_t len)
{
- rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
- SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER, SSLeay());
+ rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
+ SSLeay_version(SSLEAY_VERSION),
+ (long)OPENSSL_VERSION_NUMBER, SSLeay());
}
projects / solanum.git / blobdiff