X-Git-Url: http://git.code-monkey.de/?p=umurmur.git;a=blobdiff_plain;f=src%2Fssli_openssl.c;h=c35e1f82b4ef64338c7e4b6267d8b08a3463635c;hp=65a21deab05b09296e4f6cc1b03e701a234c4259;hb=efd42f362847308b4b7aef9a5e94b72f0320629b;hpb=82e80f8f18cbb6fed903621751ba9751dc2b80a2
diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c
index 65a21de..c35e1f8 100644
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -33,6 +33,7 @@
 #include "conf.h"
 #include "log.h"
+#include "memory.h"
 #include "ssl.h"
 /*
@@ -48,6 +49,8 @@ static RSA *rsa;
 static SSL_CTX *context;
 static EVP_PKEY *pkey;
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
+
 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
 static int SSL_add_ext(X509 * crt, int nid, char *value) {
@@ -64,32 +67,6 @@ static int SSL_add_ext(X509 * crt, int nid, char *value) {
 return 1;
 }
-static X509 *SSL_readcert(char *certfile)
-{
- FILE *fp;
- X509 *x509;
-
- /* open the certificate file */
- fp = fopen(certfile, "r");
- if (fp == NULL) {
- Log_warn("Unable to open the X509 file %s for reading.", certfile);
- return NULL;
- }
-
- /* allocate memory for the cert structure */
- x509 = X509_new();
-
- if (PEM_read_X509(fp, &x509, NULL, NULL) == 0) {
- /* error reading the x509 information - check the error stack */
- Log_warn("Error trying to read X509 info.");
- fclose(fp);
- X509_free(x509);
- return NULL;
- }
- fclose(fp);
- return x509;
-}
-
 static RSA *SSL_readprivatekey(char *keyfile)
 {
 FILE *fp;
@@ -158,7 +135,7 @@ static void SSL_initializeCert() {
 char *key = (char *)getStrConf(KEY);
 if (context) {
- bool did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
+ bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
 rsa = SSL_readprivatekey(key);
 if (!rsa || !did_load_cert) {
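Review bot: The new file-scope `ciphers` string fixes server cipher policy in code without a comment on why it is ordered this way, and its trailing `AESGCM:AES` entries admit RSA-key-exchange suites (no forward secrecy) for any client that offers no EECDH suite. A comment above the definition such as `/* Server-preferred order: ECDHE suites (forward secrecy) first, RSA key exchange as fallback; static ECDH and DHE excluded. SSLi_init() narrows this list again to what OpenSSL actually built. */` would record the intent. Whether the RSA fallback is wanted, or the list should stop after the EECDH entries, is a policy choice the commit message should state.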
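Review bot: `bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);` stores OpenSSL's int result directly in a bool_t; the API documents 1 as success, so `bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt) == 1;` states the contract explicitly instead of relying on the conversion. When the load fails the OpenSSL error stack holds the reason, and an `ERR_print_errors_fp(stderr);` on that failure branch (whose body continues below the hunk) would make a bad chain file diagnosable from the log. SSL_initializeCert begins and ends outside this hunk.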
@@ -211,8 +188,8 @@ void SSLi_init(void)
 SSL *ssl;
 int i, offset = 0, cipherstringlen = 0;
 STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
- SSL_CIPHER *cipher;
- char *cipherstring;
+ const SSL_CIPHER *cipher;
+ char *cipherstring = NULL;
 SSL_library_init();
 OpenSSL_add_all_algorithms();
@@ -220,12 +197,21 @@ void SSLi_init(void)
 ERR_load_crypto_strings();
 context = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
 if (context == NULL) {
 ERR_print_errors_fp(stderr);
 abort();
 }
+ SSL_CTX_set_cipher_list(context, ciphers);
+
+ EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(context, ecdhkey);
+ EC_KEY_free(ecdhkey);
+
 char const * sslCAPath = getStrConf(CAPATH);
 if(sslCAPath != NULL) {
@@ -250,9 +236,7 @@ void SSLi_init(void)
 Log_debug("%s", SSL_CIPHER_get_name(cipher));
 cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1;
 }
- cipherstring = malloc(cipherstringlen + 1);
- if (cipherstring == NULL)
- Log_fatal("Out of memory");
+ cipherstring = Memory_safeMalloc(1, cipherstringlen + 1);
 for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
 offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher));
 }
@@ -261,7 +245,7 @@ void SSLi_init(void)
 if (cipherlist_new)
 sk_SSL_CIPHER_free(cipherlist_new);
- if (strlen(cipherstring) == 0)
+ if (!cipherstring || !*cipherstring)
 Log_fatal("No suitable ciphers found!");
 if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
@@ -328,10 +312,7 @@ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
 }
 len = i2d_X509(x509, NULL);
- buf = malloc(len);
- if (buf == NULL) {
- Log_fatal("malloc");
- }
+ buf = Memory_safeMalloc(1, len);
 p = buf;
 i2d_X509(x509, &p);
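Review bot: The three new `SSL_CTX_set_options(context, …)` calls run before the `if (context == NULL)` test, so a failed SSL_CTX_new() now dereferences NULL inside OpenSSL instead of reaching the existing ERR_print_errors_fp/abort path; they belong below the check and can be a single call with the flags OR'd together. In the same hunk `SSL_CTX_set_cipher_list(context, ciphers)` and `EC_KEY_new_by_curve_name()` are unchecked: the first returns 0 when nothing in the string matched, after which the filtering pass further down would presumably run against OpenSSL's default list, and the second returns NULL on failure, which is then handed to SSL_CTX_set_tmp_ecdh(). SSLi_init continues outside the hunk.
```c
	context = SSL_CTX_new(SSLv23_server_method());
	if (context == NULL) {
		ERR_print_errors_fp(stderr);
		abort();
	}
	/* Only touch the context once it is known to exist. */
	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);

	/* 0 means no entry of the built-in list matched; refusing here avoids silently
	 * falling back to OpenSSL's default list in the filtering pass below. */
	if (SSL_CTX_set_cipher_list(context, ciphers) == 0)
		Log_fatal("No usable ciphers in the built-in cipher list");

	EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	if (ecdhkey == NULL)
		Log_fatal("Unable to create the ECDHE key for curve prime256v1");
	SSL_CTX_set_tmp_ecdh(context, ecdhkey);
	EC_KEY_free(ecdhkey);
	// … unchanged: CA path handling …
```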
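Review bot: After `cipherstring = Memory_safeMalloc(1, cipherstringlen + 1);` the first byte is never written when the enumeration found no ciphers (cipherstringlen stays 0 and the sprintf loop runs zero times), so the `!*cipherstring` test in the following hunk reads uninitialized memory unless Memory_safeMalloc zero-fills — its calloc-like (1, n) signature hints that it might, but that is not visible here. Adding `cipherstring[0] = '\0';` directly after the allocation makes the emptiness check independent of the allocator. The sprintf loop is bounded by construction because cipherstringlen was summed from the same names one pass earlier; a one-line comment saying so would stop the next reader from flagging the unbounded sprintf.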
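Review bot: `buf = Memory_safeMalloc(1, len);` is reached without checking `len`, and `i2d_X509(x509, NULL)` returns a negative value on error; a negative int converted to an unsigned size parameter becomes an enormous request, so a malformed peer certificate would presumably end in the allocator's fatal path rather than a clean failure of SSLi_getSHA1Hash. Add `if (len <= 0) { /* take the function's existing failure return */ }` before the allocation, and compare the result of the second `i2d_X509(x509, &p)` with len before hashing the buffer. The function's body starts and ends outside this hunk, so the cleanup needed on that path is not visible here.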
@@ -404,7 +385,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 * it for something special */
 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
 Log_warn("issuer= %s", buf);
 }
 return 1;
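Review bot: `X509_get_issuer_name(err_cert)` is called without a NULL check on err_cert, which is defined above the hunk; if it comes from `X509_STORE_CTX_get_current_cert()`, that accessor can return NULL and X509_get_issuer_name would then dereference it. Guarding the branch, `if (!preverify_ok && err_cert && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {`, keeps the diagnostic without the crash. The unconditional `return 1;` accepts the chain whatever preverify_ok says, which the surrounding comment hints is intentional; a one-line comment stating why the callback accepts the chain anyway would make that policy explicit to readers. verify_callback begins outside the hunk.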