X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/918d73d562e8b74fa1a5fa3332fe92f77bca8834..55abcbb20aeabcf2e878a9c65c9697210dd10079:/libratbox/src/openssl.c diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c index 86df0b5d..4b255256 100644 --- a/libratbox/src/openssl.c +++ b/libratbox/src/openssl.c @@ -14,7 +14,7 @@ * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 @@ -312,8 +312,28 @@ rb_init_ssl(void) ret = 0; } /* Disable SSLv2, make the client use our settings */ - SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE); + SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE +#ifdef SSL_OP_SINGLE_DH_USE + | SSL_OP_SINGLE_DH_USE +#endif + ); SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); + SSL_CTX_set_session_id_context(ssl_server_ctx, + (const unsigned char *)"libratbox", 9); + SSL_CTX_set_cipher_list(ssl_server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"); + + /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks + and bastardise their OpenSSL for stupid reasons... */ + #if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1) + EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); + if (key) { + SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); + EC_KEY_free(key); + } +#ifdef SSL_OP_SINGLE_ECDH_USE + SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE); +#endif + #endif ssl_client_ctx = SSL_CTX_new(TLSv1_client_method()); @@ -337,7 +357,7 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) rb_lib_log("rb_setup_ssl_server: No certificate file"); return 0; } - if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert)) + if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert)) { err = ERR_get_error(); rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert, @@ -352,7 +372,7 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) } - if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM)) + if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM)) { err = ERR_get_error(); rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile, @@ -390,10 +410,14 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) } int -rb_ssl_listen(rb_fde_t *F, int backlog) +rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept) { + int result; + + result = rb_listen(F, backlog, defer_accept); F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL; - return listen(F->fd, backlog); + + return result; } struct ssl_connect @@ -640,6 +664,7 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN); + X509_free(cert); return 1; } X509_free(cert); @@ -657,8 +682,9 @@ rb_supports_ssl(void) void rb_get_ssl_info(char *buf, size_t len) { - rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx", - SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER, SSLeay()); + rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx", + SSLeay_version(SSLEAY_VERSION), + (long)OPENSSL_VERSION_NUMBER, SSLeay()); }