Backport more TLS backend and ssld fixes & improvements from 3.6
openssl: * Don't manually initialise libssl 1.1.0 -- it does this automatically * SSL_library_init() should be called first otherwise * Move SSL_CTX construction to rb_setup_ssl_server() * Test for all required files (certificate & key) before doing anything * Free the old CTX before constructing a new one (Fixes #186) * Properly abort rb_setup_ssl_server() on CTX construction failures * Support ECDHE on more than one curve on OpenSSL 1.0.2 and above * Clean up ifdef indentation * Fix DH parameters memory leak mbedtls: * Fix certificate fingerprint generation * Fix library linking order * Fix incorrect printf()-esque argument count * Return digest length for fingerprints instead of 1, consistent with the other backends sslproc / ssld: * Fingerprint methods have no assocated file descriptors * Send TLS information (cipher, fingerprint) before data * Use correct header length for fingerprint method Authored-by: Aaron Jones <aaronmdjones@gmail.com> Authored-by: William Pitcock <nenolod@dereferenced.org> Authored-by: Simon Arlott <sa.me.uk>
This commit is contained in:
parent
1d2ba176ea
commit
5c8da48264
6 changed files with 175 additions and 151 deletions
4
libratbox/configure
vendored
4
libratbox/configure
vendored
|
@ -14986,7 +14986,7 @@ if ${ac_cv_lib_mbedtls_mbedtls_ssl_init+:} false; then :
|
||||||
$as_echo_n "(cached) " >&6
|
$as_echo_n "(cached) " >&6
|
||||||
else
|
else
|
||||||
ac_check_lib_save_LIBS=$LIBS
|
ac_check_lib_save_LIBS=$LIBS
|
||||||
LIBS="-lmbedtls -lmbedcrypto -lmbedx509 $LIBS"
|
LIBS="-lmbedtls -lmbedx509 -lmbedcrypto $LIBS"
|
||||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||||
/* end confdefs.h. */
|
/* end confdefs.h. */
|
||||||
|
|
||||||
|
@ -15018,7 +15018,7 @@ fi
|
||||||
$as_echo "$ac_cv_lib_mbedtls_mbedtls_ssl_init" >&6; }
|
$as_echo "$ac_cv_lib_mbedtls_mbedtls_ssl_init" >&6; }
|
||||||
if test "x$ac_cv_lib_mbedtls_mbedtls_ssl_init" = xyes; then :
|
if test "x$ac_cv_lib_mbedtls_mbedtls_ssl_init" = xyes; then :
|
||||||
|
|
||||||
MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedcrypto -lmbedx509"
|
MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedx509 -lmbedcrypto"
|
||||||
cf_enable_mbedtls=yes
|
cf_enable_mbedtls=yes
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
|
@ -351,9 +351,9 @@ if test "$cf_enable_mbedtls" != no; then
|
||||||
save_LIBS="$LIBS"
|
save_LIBS="$LIBS"
|
||||||
LIBS="$LIBS $MBEDTLS_LIBS"
|
LIBS="$LIBS $MBEDTLS_LIBS"
|
||||||
AC_CHECK_LIB(mbedtls, mbedtls_ssl_init, [
|
AC_CHECK_LIB(mbedtls, mbedtls_ssl_init, [
|
||||||
MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedcrypto -lmbedx509"
|
MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedx509 -lmbedcrypto"
|
||||||
cf_enable_mbedtls=yes
|
cf_enable_mbedtls=yes
|
||||||
], [cf_enable_mbedtls=no], [-lmbedcrypto -lmbedx509])
|
], [cf_enable_mbedtls=no], [-lmbedx509 -lmbedcrypto])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dnl GnuTLS support
|
dnl GnuTLS support
|
||||||
|
|
|
@ -552,12 +552,15 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||||
case RB_SSL_CERTFP_METH_SHA1:
|
case RB_SSL_CERTFP_METH_SHA1:
|
||||||
md_type = MBEDTLS_MD_SHA1;
|
md_type = MBEDTLS_MD_SHA1;
|
||||||
hashlen = RB_SSL_CERTFP_LEN_SHA1;
|
hashlen = RB_SSL_CERTFP_LEN_SHA1;
|
||||||
|
break;
|
||||||
case RB_SSL_CERTFP_METH_SHA256:
|
case RB_SSL_CERTFP_METH_SHA256:
|
||||||
md_type = MBEDTLS_MD_SHA256;
|
md_type = MBEDTLS_MD_SHA256;
|
||||||
hashlen = RB_SSL_CERTFP_LEN_SHA256;
|
hashlen = RB_SSL_CERTFP_LEN_SHA256;
|
||||||
|
break;
|
||||||
case RB_SSL_CERTFP_METH_SHA512:
|
case RB_SSL_CERTFP_METH_SHA512:
|
||||||
md_type = MBEDTLS_MD_SHA512;
|
md_type = MBEDTLS_MD_SHA512;
|
||||||
hashlen = RB_SSL_CERTFP_LEN_SHA512;
|
hashlen = RB_SSL_CERTFP_LEN_SHA512;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -572,13 +575,13 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||||
|
|
||||||
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, hash)) != 0)
|
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, hash)) != 0)
|
||||||
{
|
{
|
||||||
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
|
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", F, -ret);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(certfp, hash, hashlen);
|
memcpy(certfp, hash, hashlen);
|
||||||
|
|
||||||
return 1;
|
return (int) hashlen;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|
|
@ -49,8 +49,20 @@
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static SSL_CTX *ssl_server_ctx;
|
/*
|
||||||
static SSL_CTX *ssl_client_ctx;
|
* Use SSL_CTX_set_ecdh_auto() in OpenSSL 1.0.2 only
|
||||||
|
* Use SSL_CTX_set1_curves_list() in OpenSSL 1.0.2 and above
|
||||||
|
* TODO: Merge this into the block above if LibreSSL implements them
|
||||||
|
*/
|
||||||
|
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
|
# define LRB_HAVE_TLS_SET_CURVES 1
|
||||||
|
# if (OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
|
# define LRB_HAVE_TLS_ECDH_AUTO 1
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static SSL_CTX *ssl_server_ctx = NULL;
|
||||||
|
static SSL_CTX *ssl_client_ctx = NULL;
|
||||||
static int libratbox_index = -1;
|
static int libratbox_index = -1;
|
||||||
|
|
||||||
static unsigned long
|
static unsigned long
|
||||||
|
@ -313,106 +325,35 @@ get_ssl_error(unsigned long err)
|
||||||
int
|
int
|
||||||
rb_init_ssl(void)
|
rb_init_ssl(void)
|
||||||
{
|
{
|
||||||
int ret = 1;
|
|
||||||
char libratbox_data[] = "libratbox data";
|
char libratbox_data[] = "libratbox data";
|
||||||
const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
|
|
||||||
SSL_load_error_strings();
|
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
|
/*
|
||||||
|
* OpenSSL 1.1.0 and above automatically initialises itself with sane defaults
|
||||||
|
*/
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
|
SSL_load_error_strings();
|
||||||
|
#endif
|
||||||
|
|
||||||
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
|
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
|
||||||
|
|
||||||
#ifndef LRB_HAVE_TLS_METHOD_API
|
return 1;
|
||||||
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
|
|
||||||
#else
|
|
||||||
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if(ssl_server_ctx == NULL)
|
|
||||||
{
|
|
||||||
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
|
|
||||||
get_ssl_error(ERR_get_error()));
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
long server_options = SSL_CTX_get_options(ssl_server_ctx);
|
|
||||||
|
|
||||||
#ifndef LRB_HAVE_TLS_METHOD_API
|
|
||||||
server_options |= SSL_OP_NO_SSLv2;
|
|
||||||
server_options |= SSL_OP_NO_SSLv3;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef SSL_OP_SINGLE_DH_USE
|
|
||||||
server_options |= SSL_OP_SINGLE_DH_USE;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef SSL_OP_SINGLE_ECDH_USE
|
|
||||||
server_options |= SSL_OP_SINGLE_ECDH_USE;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef SSL_OP_NO_TICKET
|
|
||||||
server_options |= SSL_OP_NO_TICKET;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
|
|
||||||
|
|
||||||
SSL_CTX_set_options(ssl_server_ctx, server_options);
|
|
||||||
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
|
|
||||||
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
|
|
||||||
SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
|
|
||||||
|
|
||||||
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
|
|
||||||
and bastardise their OpenSSL for stupid reasons... */
|
|
||||||
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
|
|
||||||
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
|
|
||||||
if (key) {
|
|
||||||
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
|
|
||||||
EC_KEY_free(key);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef LRB_HAVE_TLS_METHOD_API
|
|
||||||
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
|
|
||||||
#else
|
|
||||||
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if(ssl_client_ctx == NULL)
|
|
||||||
{
|
|
||||||
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
|
|
||||||
get_ssl_error(ERR_get_error()));
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef LRB_HAVE_TLS_METHOD_API
|
|
||||||
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef SSL_OP_NO_TICKET
|
|
||||||
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int
|
int
|
||||||
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
|
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
|
||||||
{
|
{
|
||||||
DH *dh;
|
const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL";
|
||||||
unsigned long err;
|
|
||||||
|
#ifdef LRB_HAVE_TLS_SET_CURVES
|
||||||
|
const char libratbox_curves[] = "P-521:P-384:P-256";
|
||||||
|
#endif
|
||||||
|
|
||||||
if(cert == NULL)
|
if(cert == NULL)
|
||||||
{
|
{
|
||||||
rb_lib_log("rb_setup_ssl_server: No certificate file");
|
rb_lib_log("rb_setup_ssl_server: No certificate file");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
|
|
||||||
{
|
|
||||||
err = ERR_get_error();
|
|
||||||
rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
|
|
||||||
get_ssl_error(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(keyfile == NULL)
|
if(keyfile == NULL)
|
||||||
{
|
{
|
||||||
|
@ -420,12 +361,96 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, c
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(cipher_list == NULL)
|
||||||
|
cipher_list = libratbox_ciphers;
|
||||||
|
|
||||||
|
if(ssl_server_ctx)
|
||||||
|
SSL_CTX_free(ssl_server_ctx);
|
||||||
|
|
||||||
|
if(ssl_client_ctx)
|
||||||
|
SSL_CTX_free(ssl_client_ctx);
|
||||||
|
|
||||||
|
#ifdef LRB_HAVE_TLS_METHOD_API
|
||||||
|
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
|
||||||
|
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
|
||||||
|
#else
|
||||||
|
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||||
|
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if(ssl_server_ctx == NULL)
|
||||||
|
{
|
||||||
|
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
|
||||||
|
get_ssl_error(ERR_get_error()));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(ssl_client_ctx == NULL)
|
||||||
|
{
|
||||||
|
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
|
||||||
|
get_ssl_error(ERR_get_error()));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef LRB_HAVE_TLS_METHOD_API
|
||||||
|
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||||
|
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef SSL_OP_SINGLE_DH_USE
|
||||||
|
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_DH_USE);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef SSL_OP_SINGLE_ECDH_USE
|
||||||
|
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef SSL_OP_NO_TICKET
|
||||||
|
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_TICKET);
|
||||||
|
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||||
|
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef LRB_HAVE_TLS_ECDH_AUTO
|
||||||
|
SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef LRB_HAVE_TLS_SET_CURVES
|
||||||
|
SSL_CTX_set1_curves_list(ssl_server_ctx, libratbox_curves);
|
||||||
|
SSL_CTX_set1_curves_list(ssl_client_ctx, libratbox_curves);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
|
||||||
|
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Set manual ECDHE curve on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available
|
||||||
|
*/
|
||||||
|
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(OPENSSL_NO_ECDH)
|
||||||
|
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
|
||||||
|
if(key) {
|
||||||
|
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
|
||||||
|
EC_KEY_free(key);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
|
||||||
|
SSL_CTX_set_cipher_list(ssl_client_ctx, cipher_list);
|
||||||
|
|
||||||
|
if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
|
||||||
|
{
|
||||||
|
rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
|
||||||
|
get_ssl_error(ERR_get_error()));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
|
if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
|
||||||
{
|
{
|
||||||
err = ERR_get_error();
|
|
||||||
rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
|
rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
|
||||||
get_ssl_error(err));
|
get_ssl_error(ERR_get_error()));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -435,32 +460,26 @@ rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, c
|
||||||
BIO *bio = BIO_new_file(dhfile, "r");
|
BIO *bio = BIO_new_file(dhfile, "r");
|
||||||
if(bio != NULL)
|
if(bio != NULL)
|
||||||
{
|
{
|
||||||
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||||
if(dh == NULL)
|
if(dh == NULL)
|
||||||
{
|
{
|
||||||
err = ERR_get_error();
|
|
||||||
rb_lib_log
|
rb_lib_log
|
||||||
("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
|
("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
|
||||||
dhfile, get_ssl_error(err));
|
dhfile, get_ssl_error(ERR_get_error()));
|
||||||
BIO_free(bio);
|
BIO_free(bio);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
BIO_free(bio);
|
BIO_free(bio);
|
||||||
SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
|
SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
|
||||||
|
DH_free(dh);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
err = ERR_get_error();
|
|
||||||
rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
|
rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
|
||||||
dhfile, get_ssl_error(err));
|
dhfile, get_ssl_error(ERR_get_error()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cipher_list != NULL)
|
|
||||||
{
|
|
||||||
SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -689,52 +708,55 @@ rb_get_ssl_strerror(rb_fde_t *F)
|
||||||
int
|
int
|
||||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||||
{
|
{
|
||||||
|
const EVP_MD *evp;
|
||||||
|
unsigned int len;
|
||||||
X509 *cert;
|
X509 *cert;
|
||||||
int res;
|
int res;
|
||||||
|
|
||||||
if (F->ssl == NULL)
|
if(F->ssl == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
cert = SSL_get_peer_certificate((SSL *) F->ssl);
|
switch(method)
|
||||||
if(cert != NULL)
|
|
||||||
{
|
{
|
||||||
res = SSL_get_verify_result((SSL *) F->ssl);
|
case RB_SSL_CERTFP_METH_SHA1:
|
||||||
if(
|
evp = EVP_sha1();
|
||||||
res == X509_V_OK ||
|
len = RB_SSL_CERTFP_LEN_SHA1;
|
||||||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
|
break;
|
||||||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
case RB_SSL_CERTFP_METH_SHA256:
|
||||||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
|
evp = EVP_sha256();
|
||||||
res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
|
len = RB_SSL_CERTFP_LEN_SHA256;
|
||||||
{
|
break;
|
||||||
const EVP_MD *evp;
|
case RB_SSL_CERTFP_METH_SHA512:
|
||||||
unsigned int len;
|
evp = EVP_sha512();
|
||||||
|
len = RB_SSL_CERTFP_LEN_SHA512;
|
||||||
switch(method)
|
break;
|
||||||
{
|
default:
|
||||||
case RB_SSL_CERTFP_METH_SHA1:
|
return 0;
|
||||||
evp = EVP_sha1();
|
|
||||||
len = RB_SSL_CERTFP_LEN_SHA1;
|
|
||||||
break;
|
|
||||||
case RB_SSL_CERTFP_METH_SHA256:
|
|
||||||
evp = EVP_sha256();
|
|
||||||
len = RB_SSL_CERTFP_LEN_SHA256;
|
|
||||||
break;
|
|
||||||
case RB_SSL_CERTFP_METH_SHA512:
|
|
||||||
evp = EVP_sha512();
|
|
||||||
len = RB_SSL_CERTFP_LEN_SHA512;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
X509_digest(cert, evp, certfp, &len);
|
|
||||||
X509_free(cert);
|
|
||||||
return len;
|
|
||||||
}
|
|
||||||
X509_free(cert);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
cert = SSL_get_peer_certificate((SSL *) F->ssl);
|
||||||
|
if(cert == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
res = SSL_get_verify_result((SSL *) F->ssl);
|
||||||
|
switch(res)
|
||||||
|
{
|
||||||
|
case X509_V_OK:
|
||||||
|
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
||||||
|
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
||||||
|
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
||||||
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
||||||
|
case X509_V_ERR_CERT_UNTRUSTED:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
X509_free(cert);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
X509_digest(cert, evp, certfp, &len);
|
||||||
|
X509_free(cert);
|
||||||
|
|
||||||
|
return (int) len;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|
|
@ -422,7 +422,7 @@ ssl_process_certfp(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
|
||||||
char *certfp_string;
|
char *certfp_string;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if(ctl_buf->buflen > 5 + RB_SSL_CERTFP_LEN)
|
if(ctl_buf->buflen > 9 + RB_SSL_CERTFP_LEN)
|
||||||
return; /* bogus message..drop it.. XXX should warn here */
|
return; /* bogus message..drop it.. XXX should warn here */
|
||||||
|
|
||||||
fd = buf_to_uint32(&ctl_buf->buf[1]);
|
fd = buf_to_uint32(&ctl_buf->buf[1]);
|
||||||
|
@ -759,7 +759,6 @@ start_zlib_session(void *data)
|
||||||
rb_fde_t *F[2];
|
rb_fde_t *F[2];
|
||||||
rb_fde_t *xF1, *xF2;
|
rb_fde_t *xF1, *xF2;
|
||||||
char *buf;
|
char *buf;
|
||||||
char buf2[9];
|
|
||||||
void *recvq_start;
|
void *recvq_start;
|
||||||
|
|
||||||
size_t hdr = (sizeof(uint8_t) * 2) + sizeof(uint32_t);
|
size_t hdr = (sizeof(uint8_t) * 2) + sizeof(uint32_t);
|
||||||
|
|
10
ssld/ssld.c
10
ssld/ssld.c
|
@ -708,10 +708,10 @@ ssl_process_accept_cb(rb_fde_t *F, int status, struct sockaddr *addr, rb_socklen
|
||||||
|
|
||||||
if(status == RB_OK)
|
if(status == RB_OK)
|
||||||
{
|
{
|
||||||
conn_mod_read_cb(conn->mod_fd, conn);
|
|
||||||
conn_plain_read_cb(conn->plain_fd, conn);
|
|
||||||
ssl_send_cipher(conn);
|
ssl_send_cipher(conn);
|
||||||
ssl_send_certfp(conn);
|
ssl_send_certfp(conn);
|
||||||
|
conn_mod_read_cb(conn->mod_fd, conn);
|
||||||
|
conn_plain_read_cb(conn->plain_fd, conn);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
/* ircd doesn't care about the reason for this */
|
/* ircd doesn't care about the reason for this */
|
||||||
|
@ -726,10 +726,10 @@ ssl_process_connect_cb(rb_fde_t *F, int status, void *data)
|
||||||
|
|
||||||
if(status == RB_OK)
|
if(status == RB_OK)
|
||||||
{
|
{
|
||||||
conn_mod_read_cb(conn->mod_fd, conn);
|
|
||||||
conn_plain_read_cb(conn->plain_fd, conn);
|
|
||||||
ssl_send_cipher(conn);
|
ssl_send_cipher(conn);
|
||||||
ssl_send_certfp(conn);
|
ssl_send_certfp(conn);
|
||||||
|
conn_mod_read_cb(conn->mod_fd, conn);
|
||||||
|
conn_plain_read_cb(conn->plain_fd, conn);
|
||||||
}
|
}
|
||||||
else if(status == RB_ERR_TIMEOUT)
|
else if(status == RB_ERR_TIMEOUT)
|
||||||
close_conn(conn, WAIT_PLAIN, "SSL handshake timed out");
|
close_conn(conn, WAIT_PLAIN, "SSL handshake timed out");
|
||||||
|
@ -1032,7 +1032,7 @@ mod_process_cmd_recv(mod_ctl_t * ctl)
|
||||||
}
|
}
|
||||||
case 'F':
|
case 'F':
|
||||||
{
|
{
|
||||||
if (ctl_buf->nfds != 2 || ctl_buf->buflen != 5)
|
if (ctl_buf->buflen != 5)
|
||||||
{
|
{
|
||||||
cleanup_bad_message(ctl, ctl_buf);
|
cleanup_bad_message(ctl, ctl_buf);
|
||||||
break;
|
break;
|
||||||
|
|
Loading…
Reference in a new issue