LibreSSL have far advanced OPENSSL_VERSION_NUMBER beyond the

[solanum.git] / libratbox / src / openssl.c

diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c
index 4544ad6bdd2bd8bcc7fc24fa6a19d57b71d2793b..874c5bf11ee4e94695e6e8b35ef9adcdf3c6bae2 100644 (file)
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@@ -302,43 +302,65 @@ rb_init_ssl(void)
 {
        int ret = 1;
        char libratbox_data[] = "libratbox data";
+       const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
        SSL_load_error_strings();
        SSL_library_init();
        libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
        ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+       ssl_server_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
        if(ssl_server_ctx == NULL)
        {
                rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
                           get_ssl_error(ERR_get_error()));
                ret = 0;
        }
-       /* Disable SSLv2, make the client use our settings */
-       SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE
+
+       long server_options = SSL_CTX_get_options(ssl_server_ctx);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+       server_options |= SSL_OP_NO_SSLv2;
+       server_options |= SSL_OP_NO_SSLv3;
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
-                       | SSL_OP_SINGLE_DH_USE
+       server_options |= SSL_OP_SINGLE_DH_USE;
 #endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+       server_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
 #ifdef SSL_OP_NO_TICKET
-                       | SSL_OP_NO_TICKET
+       server_options |= SSL_OP_NO_TICKET;
 #endif
-                       );
+
+       server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+       SSL_CTX_set_options(ssl_server_ctx, server_options);
        SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
        SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
-       SSL_CTX_set_cipher_list(ssl_server_ctx, "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL");
+       SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
 
        /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
           and bastardise their OpenSSL for stupid reasons... */
-       #if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1)
+       #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
                EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
                if (key) {
                        SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
                        EC_KEY_free(key);
                }
-#ifdef SSL_OP_SINGLE_ECDH_USE
-               SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
-#endif
        #endif
 
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
        ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
+       ssl_client_ctx = SSL_CTX_new(TLS_client_method());
+#endif
 
        if(ssl_client_ctx == NULL)
        {
@@ -351,6 +373,8 @@ rb_init_ssl(void)
        SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
 #endif
 
+       SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
+
        return ret;
 }
 
@@ -662,10 +686,12 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
        if(cert != NULL)
        {
                res = SSL_get_verify_result((SSL *) F->ssl);
-               if(res == X509_V_OK ||
-                               res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-                               res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-                               res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+               if(
+                       res == X509_V_OK ||
+                       res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+                       res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+                       res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+                       res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
                {
                        unsigned int certfp_length = RB_SSL_CERTFP_LEN;
                        X509_digest(cert, EVP_sha1(), certfp, &certfp_length);