/* * libratbox: a library used by ircd-ratbox and other things * openssl_ratbox.h: OpenSSL backend data * * Copyright (C) 2015-2016 Aaron Jones * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 * USA * */ #ifndef LRB_OPENSSL_H_INC #define LRB_OPENSSL_H_INC 1 #include #include #include #include #include #include #include /* * A long time ago, in a world far away, OpenSSL had a well-established mechanism for ensuring compatibility with * regards to added, changed, and removed functions, by having an SSLEAY_VERSION_NUMBER macro. This was then * renamed to OPENSSL_VERSION_NUMBER, but the old macro was kept around for compatibility until OpenSSL version * 1.1.0. * * Then the OpenBSD developers decided that having OpenSSL in their codebase was a bad idea. They forked it to * create LibreSSL, gutted all of the functionality they didn't want or need, and generally improved the library * a lot. Then, as the OpenBSD developers are want to do, they packaged up LibreSSL for release to other * operating systems, as LibreSSL Portable. Think along the lines of OpenSSH where they have also done this. * * The fun part of this story ends there. LibreSSL has an OPENSSL_VERSION_NUMBER macro, but they have set it to a * stupidly high value, version 2.0. OpenSSL version 2.0 does not exist, and LibreSSL 2.2 does not implement * everything OpenSSL 1.0.2 or 1.1.0 do. This completely breaks the entire purpose of the macro. * * The ifdef soup below is for LibreSSL compatibility. Please find whoever thought setting OPENSSL_VERSION_NUMBER * to a version that does not exist was a good idea. Encourage them to realise that it is not. -- amdj */ #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) # define LRB_SSL_NO_EXPLICIT_INIT 1 #endif #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L) # define LRB_HAVE_TLS_SET_CURVES 1 # if (OPENSSL_VERSION_NUMBER < 0x10100000L) # define LRB_HAVE_TLS_ECDH_AUTO 1 # endif #endif #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L) # define LRB_HAVE_TLS_METHOD_API 1 #else # if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) # define LRB_HAVE_TLS_METHOD_API 1 # endif #endif #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) # define LRB_SSL_VTEXT_COMPILETIME OPENSSL_VERSION_TEXT # define LRB_SSL_VTEXT_RUNTIME OpenSSL_version(OPENSSL_VERSION) # define LRB_SSL_VNUM_COMPILETIME OPENSSL_VERSION_NUMBER # define LRB_SSL_VNUM_RUNTIME OpenSSL_version_num() # define LRB_SSL_FULL_VERSION_INFO 1 #else # if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20200000L) # define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION) # define LRB_SSL_VNUM_COMPILETIME LIBRESSL_VERSION_NUMBER # else # define LRB_SSL_VTEXT_RUNTIME SSLeay_version(SSLEAY_VERSION) # define LRB_SSL_VNUM_COMPILETIME SSLEAY_VERSION_NUMBER # endif #endif #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER > 0x10101000L) # define LRB_HAVE_TLS_ECDH_X25519 1 #else # if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER > 0x2050100fL) # define LRB_HAVE_TLS_ECDH_X25519 1 # endif #endif #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10101000L) # define LRB_HAVE_TLS13 1 #endif /* * Default supported ciphersuites (if the user does not provide any) and * curves (OpenSSL 1.0.2+). Hardcoded secp384r1 (NIST P-384) is used on * OpenSSL 1.0.0 and 1.0.1 (if available). * * We prefer AEAD ciphersuites first in order of strength, then SHA2 * ciphersuites, then remaining suites. */ static const char rb_default_ciphers[] = "" #ifdef LRB_HAVE_TLS13 "TLS_AES_256_GCM_SHA384:" "TLS_CHACHA20_POLY1305_SHA256:" "TLS_AES_128_GCM_SHA256:" #endif "aECDSA+kEECDH+CHACHA20:" "aRSA+kEECDH+CHACHA20:" "aRSA+kEDH+CHACHA20:" "aECDSA+kEECDH+AESGCM:" "aRSA+kEECDH+AESGCM:" "aRSA+kEDH+AESGCM:" "aECDSA+kEECDH+AESCCM:" "aRSA+kEECDH+AESCCM:" "aRSA+kEDH+AESCCM:" "@STRENGTH:" "aECDSA+kEECDH+HIGH+SHA384:" "aRSA+kEECDH+HIGH+SHA384:" "aRSA+kEDH+HIGH+SHA384:" "aECDSA+kEECDH+HIGH+SHA256:" "aRSA+kEECDH+HIGH+SHA256:" "aRSA+kEDH+HIGH+SHA256:" "aECDSA+kEECDH+HIGH:" "aRSA+kEECDH+HIGH:" "aRSA+kEDH+HIGH:" "HIGH:" "!3DES:" "!aNULL"; #ifdef LRB_HAVE_TLS_SET_CURVES # ifdef LRB_HAVE_TLS_ECDH_X25519 static char rb_default_curves[] = "X25519:P-521:P-384:P-256"; # else static char rb_default_curves[] = "P-521:P-384:P-256"; # endif #endif #endif /* LRB_OPENSSL_H_INC */