Bump to 0.2.17rc1
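diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index 65a21deab05b09296e4f6cc1b03e701a234c4259..009119d6280dddda18d0b46d754e029e3970f8f7 100644
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -33,6 +33,7 @@
 #include "conf.h"
 #include "log.h"
+#include "memory.h"
 #include "ssl.h"
 /*
@@ -48,6 +49,8 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
+
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
 static int SSL_add_ext(X509 * crt, int nid, char *value) {
@@ -158,7 +161,7 @@ static void SSL_initializeCert() {
 char *key = (char *)getStrConf(KEY);
 if (context) {
- bool did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
+ bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
 rsa = SSL_readprivatekey(key);
 if (!rsa || !did_load_cert) {
@@ -220,12 +223,21 @@ void SSLi_init(void)
 ERR_load_crypto_strings();
 context = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
 if (context == NULL)
 {
 ERR_print_errors_fp(stderr);
 abort();
 }
+ SSL_CTX_set_cipher_list(context, ciphers);
+
+ EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(context, ecdhkey);
+ EC_KEY_free(ecdhkey);
+
 char const * sslCAPath = getStrConf(CAPATH);
 if(sslCAPath != NULL)
 {
@@ -250,9 +262,7 @@ void SSLi_init(void)
 Log_debug("%s", SSL_CIPHER_get_name(cipher));
 cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1;
 }
- cipherstring = malloc(cipherstringlen + 1);
- if (cipherstring == NULL)
- Log_fatal("Out of memory");
+ cipherstring = Memory_safeMalloc(1, cipherstringlen + 1);
 for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
 offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher));
 }
@@ -328,10 +338,7 @@ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
 }
 len = i2d_X509(x509, NULL);
- buf = malloc(len);
- if (buf == NULL) {
- Log_fatal("malloc");
- }
+ buf = Memory_safeMalloc(1, len);
 p = buf;
 i2d_X509(x509, &p);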
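Review bot: In the SSLi_init hunk the three new `SSL_CTX_set_options(context, ...)` calls run before the `if (context == NULL)` check that follows them, so a failed `SSL_CTX_new` dereferences NULL instead of reaching `abort()`. The return values of `SSL_CTX_set_cipher_list` and `EC_KEY_new_by_curve_name` are also unchecked, so an empty cipher match or a failed key allocation is only discovered at handshake time rather than at startup. Moving the option calls below the NULL check and failing fast via `Log_fatal`, as the hunk already does for allocation elsewhere, keeps startup errors visible; SSLi_init continues outside the hunk. The suites listed without EECDH (`AESGCM:AES`) also admit non-forward-secret key exchange, which is presumably intentional for client compatibility but deserves a comment on the `ciphers` definition.
```c
context = SSL_CTX_new(SSLv23_server_method());
if (context == NULL)
{
	ERR_print_errors_fp(stderr);
	abort();
}
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
/* Fail at startup, not at the first handshake, if no suite matches. */
if (SSL_CTX_set_cipher_list(context, ciphers) != 1)
	Log_fatal("Failed to set cipher list");

EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdhkey == NULL || SSL_CTX_set_tmp_ecdh(context, ecdhkey) != 1)
	Log_fatal("Failed to set up ECDH parameters");
EC_KEY_free(ecdhkey);
/* … unchanged: CA path loading … */
```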