ssl: allow cipher list to be overridden (closes #67)

[solanum.git] / libratbox / src / openssl.c

diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c
index 911dbb61a6b95bcba6d8ac06d1b3cfe159dfa5fa..ab3e3400a71d8b0327ce30fad56093bd5e91ae68 100644 (file)
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@@ -35,6 +35,19 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
+#include <openssl/opensslv.h>
+
+/*
+ * This is a mess but what can you do when the library authors
+ * refuse to play ball with established conventions?
+ */
+#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
+#  define LRB_HAVE_TLS_METHOD_API 1
+#else
+#  if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#    define LRB_HAVE_TLS_METHOD_API 1
+#  endif
+#endif
 
 static SSL_CTX *ssl_server_ctx;
 static SSL_CTX *ssl_client_ctx;
@@ -307,7 +320,7 @@ rb_init_ssl(void)
        SSL_library_init();
        libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#ifndef LRB_HAVE_TLS_METHOD_API
        ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
 #else
        ssl_server_ctx = SSL_CTX_new(TLS_server_method());
@@ -322,7 +335,7 @@ rb_init_ssl(void)
 
        long server_options = SSL_CTX_get_options(ssl_server_ctx);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#ifndef LRB_HAVE_TLS_METHOD_API
        server_options |= SSL_OP_NO_SSLv2;
        server_options |= SSL_OP_NO_SSLv3;
 #endif
@@ -356,8 +369,8 @@ rb_init_ssl(void)
                }
        #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-       ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
+#ifndef LRB_HAVE_TLS_METHOD_API
+       ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
 #else
        ssl_client_ctx = SSL_CTX_new(TLS_client_method());
 #endif
@@ -369,6 +382,10 @@ rb_init_ssl(void)
                ret = 0;
        }
 
+#ifndef LRB_HAVE_TLS_METHOD_API
+       SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
+
 #ifdef SSL_OP_NO_TICKET
        SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
 #endif
@@ -380,7 +397,7 @@ rb_init_ssl(void)
 
 
 int
-rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
+rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
 {
        DH *dh;
        unsigned long err;
@@ -438,6 +455,12 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
                                   dhfile, get_ssl_error(err));
                }
        }
+
+       if (cipher_list != NULL)
+       {
+               SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
+       }
+
        return 1;
 }
 
@@ -657,16 +680,6 @@ rb_get_random(void *buf, size_t length)
        return ret;
 }
 
-int
-rb_get_pseudo_random(void *buf, size_t length)
-{
-       int ret;
-       ret = RAND_pseudo_bytes(buf, length);
-       if(ret < 0)
-               return 0;
-       return 1;
-}
-
 const char *
 rb_get_ssl_strerror(rb_fde_t *F)
 {
@@ -674,7 +687,7 @@ rb_get_ssl_strerror(rb_fde_t *F)
 }
 
 int
-rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
        X509 *cert;
        int res;
@@ -693,10 +706,30 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
                        res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
                        res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
                {
-                       unsigned int certfp_length = RB_SSL_CERTFP_LEN;
-                       X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
+                       const EVP_MD *evp;
+                       unsigned int len;
+
+                       switch(method)
+                       {
+                       case RB_SSL_CERTFP_METH_SHA1:
+                               evp = EVP_sha1();
+                               len = RB_SSL_CERTFP_LEN_SHA1;
+                               break;
+                       case RB_SSL_CERTFP_METH_SHA256:
+                               evp = EVP_sha256();
+                               len = RB_SSL_CERTFP_LEN_SHA256;
+                               break;
+                       case RB_SSL_CERTFP_METH_SHA512:
+                               evp = EVP_sha512();
+                               len = RB_SSL_CERTFP_LEN_SHA512;
+                               break;
+                       default:
+                               return 0;
+                       }
+
+                       X509_digest(cert, evp, certfp, &len);
                        X509_free(cert);
-                       return 1;
+                       return len;
                }
                X509_free(cert);
        }
@@ -718,5 +751,18 @@ rb_get_ssl_info(char *buf, size_t len)
                    (long)OPENSSL_VERSION_NUMBER, SSLeay());
 }
 
+const char *
+rb_ssl_get_cipher(rb_fde_t *F)
+{
+       const SSL_CIPHER *sslciph;
+
+       if(F == NULL || F->ssl == NULL)
+               return NULL;
+
+       if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
+               return NULL;
+
+       return SSL_CIPHER_get_name(sslciph);
+}
 
 #endif /* HAVE_OPESSL */