* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/rand.h>
+#include <openssl/opensslv.h>
+
+/*
+ * This is a mess but what can you do when the library authors
+ * refuse to play ball with established conventions?
+ */
+#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
+# define LRB_HAVE_TLS_METHOD_API 1
+#else
+# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+# define LRB_HAVE_TLS_METHOD_API 1
+# endif
+#endif
static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
{
int ret = 1;
char libratbox_data[] = "libratbox data";
+ const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
SSL_load_error_strings();
SSL_library_init();
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
+
+#ifndef LRB_HAVE_TLS_METHOD_API
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+ ssl_server_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
- /* Disable SSLv2, make the client use our settings */
- SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+ long server_options = SSL_CTX_get_options(ssl_server_ctx);
+
+#ifndef LRB_HAVE_TLS_METHOD_API
+ server_options |= SSL_OP_NO_SSLv2;
+ server_options |= SSL_OP_NO_SSLv3;
+#endif
+
+#ifdef SSL_OP_SINGLE_DH_USE
+ server_options |= SSL_OP_SINGLE_DH_USE;
+#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ server_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+ server_options |= SSL_OP_NO_TICKET;
+#endif
+
+ server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+ SSL_CTX_set_options(ssl_server_ctx, server_options);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
+ SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
+
+ /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
+ and bastardise their OpenSSL for stupid reasons... */
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (key) {
+ SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
+ EC_KEY_free(key);
+ }
+ #endif
- ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
+#ifndef LRB_HAVE_TLS_METHOD_API
+ ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+ ssl_client_ctx = SSL_CTX_new(TLS_client_method());
+#endif
if(ssl_client_ctx == NULL)
{
get_ssl_error(ERR_get_error()));
ret = 0;
}
+
+#ifndef LRB_HAVE_TLS_METHOD_API
+ SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+ SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
+#endif
+
+ SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
+
return ret;
}
int
-rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
+rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
{
DH *dh;
unsigned long err;
rb_lib_log("rb_setup_ssl_server: No certificate file");
return 0;
}
- if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert))
+ if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
{
err = ERR_get_error();
rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
}
- if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM))
+ if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
{
err = ERR_get_error();
rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
dhfile, get_ssl_error(err));
}
}
+
+ if (cipher_list != NULL)
+ {
+ SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
+ }
+
return 1;
}
int
-rb_ssl_listen(rb_fde_t *F, int backlog)
+rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
{
+ int result;
+
+ result = rb_listen(F, backlog, defer_accept);
F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
- return listen(F->fd, backlog);
+
+ return result;
}
struct ssl_connect
switch (seed_type)
{
- case RB_PRNG_EGD:
- if(RAND_egd(path) == -1)
- return -1;
- break;
case RB_PRNG_FILE:
if(RAND_load_file(path, -1) == -1)
return -1;
return ret;
}
-int
-rb_get_pseudo_random(void *buf, size_t length)
-{
- int ret;
- ret = RAND_pseudo_bytes(buf, length);
- if(ret < 0)
- return 0;
- return 1;
-}
-
const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
}
int
-rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
X509 *cert;
int res;
if(cert != NULL)
{
res = SSL_get_verify_result((SSL *) F->ssl);
- if(res == X509_V_OK ||
- res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
- res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
- res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ if(
+ res == X509_V_OK ||
+ res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
{
- memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
- return 1;
+ const EVP_MD *evp;
+ unsigned int len;
+
+ switch(method)
+ {
+ case RB_SSL_CERTFP_METH_SHA1:
+ evp = EVP_sha1();
+ len = RB_SSL_CERTFP_LEN_SHA1;
+ break;
+ case RB_SSL_CERTFP_METH_SHA256:
+ evp = EVP_sha256();
+ len = RB_SSL_CERTFP_LEN_SHA256;
+ break;
+ case RB_SSL_CERTFP_METH_SHA512:
+ evp = EVP_sha512();
+ len = RB_SSL_CERTFP_LEN_SHA512;
+ break;
+ default:
+ return 0;
+ }
+
+ X509_digest(cert, evp, certfp, &len);
+ X509_free(cert);
+ return len;
}
X509_free(cert);
}
void
rb_get_ssl_info(char *buf, size_t len)
{
- rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
- SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER, SSLeay());
+ rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
+ SSLeay_version(SSLEAY_VERSION),
+ (long)OPENSSL_VERSION_NUMBER, SSLeay());
}
+const char *
+rb_ssl_get_cipher(rb_fde_t *F)
+{
+ const SSL_CIPHER *sslciph;
+
+ if(F == NULL || F->ssl == NULL)
+ return NULL;
+
+ if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
+ return NULL;
+
+ return SSL_CIPHER_get_name(sslciph);
+}
#endif /* HAVE_OPESSL */
projects / solanum.git / blobdiff