Commit graph

65 commits

Author SHA1 Message Date
Aaron Jones
485b5b8084
OpenSSL: Import the callback/handshake logic from the MbedTLS backend 2016-09-15 20:12:21 +00:00
Aaron Jones
9114e3a2dc
OpenSSL: Improve rb_setup_ssl_server()
* Move file/data assignments to the top of the function

* Don't attempt to set a hardcoded P-384 ECDH key if we have the new
  SSL_CTX_set1_curves_list() function (OpenSSL 1.0.2+)

* Rename variables consistent with other backends and wrap the function
  arguments.

* Disable OpenSSL's disabling of TLS 1/n-1 record splitting.
  In other words, enable TLS 1/n-1 record splitting.

* Other misc cleanups.
2016-09-15 20:12:21 +00:00
Aaron Jones
47d51fe3ac
OpenSSL: Use C99 __func__ declaration instead of writing function names 2016-09-15 20:12:21 +00:00
Aaron Jones
cc04fbe3f9
OpenSSL: Fix up rb_init_ssl() to use proper define from openssl_ratbox.h 2016-09-15 20:12:21 +00:00
Aaron Jones
62fc0eab03
OpenSSL: Rename error functions consistent with other backends. 2016-09-15 20:12:21 +00:00
Aaron Jones
4e9441a1cb
OpenSSL: Add generic direction enum for negotiation setup.
Also define an SSL_P(x) macro as in other backends and use that to refer
to the client session context.
2016-09-15 20:12:21 +00:00
Aaron Jones
e569720fe1
OpenSSL: Misc code cleanups
Make use of C99 for loop initialisers, declarations with immediate
rvalues, etc.
2016-09-15 20:12:20 +00:00
Aaron Jones
a61e06e1d1
OpenSSL: Add const-correctness to function and variable declarations. 2016-09-15 20:12:20 +00:00
Aaron Jones
1c39c519fe
OpenSSL: Reorder functions in line with the MbedTLS backend.
The diff for this commit will look like I have changed a lot of code;
in reality, nothing was changed, just whole functions moved up or down.
2016-09-15 20:12:20 +00:00
Aaron Jones
1c7d295320
OpenSSL: Move connect structure declaration to top of file 2016-09-15 20:12:20 +00:00
Aaron Jones
8a40573369
OpenSSL: Remove context duplication
OpenSSL is perfectly capable of having a single context that is shared
by both client and server sessions alike; one simply needs to call
SSL_set_accept_state (for server) or SSL_set_connect_state (for client)
before attempting handshaking.
2016-09-15 20:12:20 +00:00
Aaron Jones
2aec9b6d68
OpenSSL: Remove unnecessary handshake info callback 2016-09-15 20:12:20 +00:00
Aaron Jones
1f30c8943b
OpenSSL: Tidy up headers
Move all the header includes to a single header file, rename said file.
2016-09-15 20:12:20 +00:00
Aaron Jones
f92b4d81d4
OpenSSL: Initialise if LibreSSL
LibreSSL's definition of OPENSSL_VERSION_NUMBER bites us in the ass,
*again*.
2016-09-01 19:28:18 +00:00
Aaron Jones
07b6e728b5
OpenSSL: Initialise one context at a time
If initialising the server context fails, but the client one succeeds,
we will not only leak memory, but the error message reported for
initialising the server context might not make sense, because we
initialise the client context after and that could erase or change the
list of queued errors.

This scenario is considered rare. Nevertheless, we now initialise the
client context after *successfully* initialising the server context.
2016-08-30 10:21:46 +00:00
Aaron Jones
f70b6f55f9
TLS Backends: Harmomise the rb_ssl_get_cipher() function
The GNUTLS backend reports the version in use for the client as well
as its ciphersuite -- do the same for the other 2 backends.
2016-08-20 04:08:30 +01:00
Aaron Jones
0bd2f0b710
openssl: Avoid use-after-free when rehashing fails to load new files
Commit 5c8da48 introduced a fix for issue #186 by freeing the old SSL_CTX
structure before constructing a new one, which could disconnect existing
clients otherwise.

Unfortunately, the freeing is done first, which means that if setting up
a new structure fails for any reason, there will be no usable structures
left, but they are still referenced.

This fix moves the freeing to the end of the function, using intermediate
new variables in the meantime. This problem was discovered while testing
against OpenSSL 1.1.0 RC6.
2016-08-12 13:29:02 +00:00
Aaron Jones
03e6030ed2
openssl: More LibreSSL compatibility
LibreSSL does not have the new version macros & functions that OpenSSL
1.1.0 implements. This causes a compile-time failure against LibreSSL.

Further, the runtime function for returning the library version returns
the wrong number (the hardcoded constant number SSLEAY_VERSION_NUMBER
aka OPENSSL_VERSION_NUMBER, instead of LIBRESSL_VERSION_NUMBER).

Add more ifdef soup to remedy the situation.
2016-06-01 17:45:36 +00:00
Aaron Jones
82d827469c
openssl: change how we load DH parameters
The code already assumes the presence of fopen(3) and errno, and, by
extension, fclose(3) and strerror(3), so just use those instead of the
BIO wrappers.

Additionally, don't fail to initialise if the DH file does exist but
parsing it fails, as per the pre-existing comment about them being
optional.
2016-05-25 21:53:09 +00:00
Aaron Jones
d35caf56cb
[TLS backends] Make version strings more useful and consistent 2016-05-04 00:20:07 +00:00
Aaron Jones
5c8da48264
Backport more TLS backend and ssld fixes & improvements from 3.6
openssl:
 * Don't manually initialise libssl 1.1.0 -- it does this automatically
 * SSL_library_init() should be called first otherwise
 * Move SSL_CTX construction to rb_setup_ssl_server()
 * Test for all required files (certificate & key) before doing anything
 * Free the old CTX before constructing a new one (Fixes #186)
 * Properly abort rb_setup_ssl_server() on CTX construction failures
 * Support ECDHE on more than one curve on OpenSSL 1.0.2 and above
 * Clean up ifdef indentation
 * Fix DH parameters memory leak

mbedtls:
 * Fix certificate fingerprint generation
 * Fix library linking order
 * Fix incorrect printf()-esque argument count
 * Return digest length for fingerprints instead of 1, consistent
   with the other backends

sslproc / ssld:
 * Fingerprint methods have no assocated file descriptors
 * Send TLS information (cipher, fingerprint) before data
 * Use correct header length for fingerprint method

Authored-by: Aaron Jones <aaronmdjones@gmail.com>
Authored-by: William Pitcock <nenolod@dereferenced.org>
Authored-by: Simon Arlott <sa.me.uk>
2016-04-30 21:39:05 +00:00
William Pitcock
c1725bda3c ssl: allow cipher list to be overridden (closes #67) 2015-12-12 07:50:48 -06:00
William Pitcock
833b2f9cbf libratbox: implement rb_get_ssl_cipher() 2015-12-11 08:32:02 -06:00
Elizabeth Myers
e6bbb41030 Add ability to change CertFP hash.
Presently this only supports SHA1, as the machinery to actually change
the cipher is not hooked up to anything yet.
2015-12-07 01:14:02 -06:00
Aaron Jones
0b05d1aad5
[libratbox] Remove an unused random function
Nothing in the Charybdis or libratbox code calls rb_get_pseudo_random
and under OpenSSL it uses RAND_pseudo_bytes() which is both dangerous
and removed in OpenSSL version 1.1.0.
2015-10-25 16:04:57 +00:00
Aaron Jones
25f7ee7dd6
Improve the versions of TLS used for server to server linking
When building against current OpenSSL (<= 1.0.2) or old LibreSSL
(< 2.2.2) the server will use TLSv1.0 only when connecting to other
servers.

This patch corrects that.
2015-10-23 16:08:15 +00:00
Aaron Jones
3ae24413ca
Use new TLS method APIs with new LibreSSL
OpenBSD 5.8 includes LibreSSL 2.2.2, which finally brings the API up to
what they claim it is by implementing the new TLS client and server
method APIs. Therefore, in furtherance of commits a4c8c827 and 1a4e224a
we can build with the new APIs if building against (real) OpenSSL 1.1.0
or LibreSSL 2.2.2.

Reported-by: Juuso Lapinlampi <wub@partyvan.eu>
2015-10-23 16:05:33 +00:00
Aaron Jones
1a4e224a4e LibreSSL have far advanced OPENSSL_VERSION_NUMBER beyond the
feature set they support (2.0 even!), deliberately breaking
backward compatibility. Therefore, in order to fix a regression
introduced by commit a4c8c827 with regard to LibreSSL's stupidity,
unconditionally use the old TLS API if building against LibreSSL.
2015-06-25 13:57:07 +00:00
Aaron Jones
cb266283f8 libratbox/openssl: Set explicit cipher list for the client context aswell
This is in furtherance of commits 9799bea4 and 1f384464 and addresses
any potential vulnerability to LogJam <https://weakdh.org/>
2015-05-20 16:41:34 +00:00
Aaron Jones
c86f11da1c Fix regression introduced by previous commit
I really shouldn't copy and paste code.
2015-05-20 10:39:04 +00:00
Aaron Jones
a4c8c82703 Tidy up OpenSSL options code, support new version-agnostic client and server APIs 2015-05-20 02:27:59 +00:00
Aaron Jones
614502a63c Generate fingerprints for chained certificates with an unknown root 2015-03-24 05:25:38 +00:00
Aaron Jones
d3806d0503 Use X509_digest() instead of memcpy() to obtain cert fingerprint
This will continue to work even if the OpenSSL developers make the
X509* structure opaque, the current approach will not.
2015-03-24 05:22:25 +00:00
Aaron Jones
1f384464fa Update ciphersuite string to prohibit RC4
This is in accordance with RFC 7465
<https://tools.ietf.org/html/rfc7465>

Also correct the key exchange mechanism strings; these should be
prefixed with 'k'.
2015-03-22 06:14:39 +00:00
William Pitcock
e861902fd9 libratbox: remove RB_PRNG_EGD in its entirety (closes #85) 2015-03-01 01:05:14 -06:00
Attila Molnar
989652e7a8 openssl: Disable session caching 2015-02-09 21:19:09 +01:00
Attila Molnar
6b6a579925 openssl: Disable session tickets 2015-02-09 21:18:32 +01:00
Patrick Godschalk
d072eb2350 Explicitly drop SSLv3 connections (SSL_OP_NO_SSLv3) - might break TLS-capable clients that still depend on SSLv23 handshake 2014-10-26 13:15:30 +01:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
Keith Buck
9e26f0008b libratbox openssl: Don't leak EC_KEY structures. 2014-03-03 01:43:33 +00:00
Keith Buck
784ce5c1cc Remove SSL_OP_NO_COMPRESSION from openssl initialization.
SSL_OP_NO_COMPRESSION was presumably added in an attempt to prevent
information leakage in a manner similar to recent attacks on HTTPS.
However, assuming that IRC is vulnerable to the same class of attacks is
incorrect: the behavior of the IRC protocol (a single long-running
connection) is not the same as that of HTTPS (multiple ephemeral
connections). HTTPS's use of ephemeral connections means that certain
assumptions can be made about the contents of the compression
algorithm's dictionaries and the content exchanged between the client
and server (e.g. the content being nearly the same for each connection),
which is not true for IRC. Additionally, they rely on the attacker being
able to coerce the client into creating many HTTPS connections (and
resending some secret token belonging to the user, along with
attacker-controlled data) each time, none of which is possible with IRC.
Lastly, since compression is no longer performed, this option will
result in leaking the lengths of messages transmitted to and from the
client. This option does reduce CPU utilization on Charybdis servers but
also increases bandwidth consumed.
2014-02-21 09:17:29 +00:00
Jilles Tjoelker
362ef2d9ee openssl: Improve security using options recommanded by Argure.
Note that these are not available in old versions of OpenSSL (like FreeBSD
9.x base OpenSSL), so allow them to be missing.

A side effect may be slightly higher CPU consumption and network traffic.
2014-01-15 22:25:26 +01:00
Jilles Tjoelker
9799bea4a1 openssl: Use cipher list suggested by Argure. 2014-01-15 22:13:47 +01:00
Jilles Tjoelker
cee842a829 openssl: Fix compiler warning. 2014-01-15 22:09:57 +01:00
Jilles Tjoelker
fabc3174fe openssl: Set some sort of session id context.
Without a session id context and if client certificates are used, OpenSSL
fails the handshake if an attempt is made to reuse an old session. Various
clients could not reconnect after a disconnection because of this.

See https://bugzilla.mozilla.org/show_bug.cgi?id=858394#c34 for a bug
report.
2014-01-15 22:04:12 +01:00
William Pitcock
b6e799f5df libratbox/openssl: check that ECDHE is really available on redhat derivatives (closes #43) 2013-11-30 19:55:01 +00:00
Patrick Godschalk
31d2201519 Have OpenSSL version check use cpp 2013-09-06 20:05:49 +02:00
Patrick Godschalk
81998134b7 Set ECDHE on OpenSSL 1.00+. 2013-09-03 14:16:57 +02:00
Quora Dodrill
97b0e99e2a libratbox/openssl: Fix possible memory leak with SSL certificate fingerprints 2013-08-14 09:54:57 -07:00
Quora Dodrill
f997930e7c Revert "libratbox/openssl: Fix possible memory leak with SSL dertificate fingerprints"
This reverts commit 6ecd598ec0.
2013-08-14 09:54:18 -07:00