diff options
Diffstat (limited to 'util/net_help.c')
| -rw-r--r-- | util/net_help.c | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/util/net_help.c b/util/net_help.c index 13bcdf8085bff..9747b5d55a781 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -698,10 +698,19 @@ void log_crypto_err(const char* str) { #ifdef HAVE_SSL + log_crypto_err_code(str, ERR_get_error()); +#else + (void)str; +#endif /* HAVE_SSL */ +} + +void log_crypto_err_code(const char* str, unsigned long err) +{ +#ifdef HAVE_SSL /* error:[error code]:[library name]:[function name]:[reason string] */ char buf[128]; unsigned long e; - ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); + ERR_error_string_n(err, buf, sizeof(buf)); log_err("%s crypto %s", str, buf); while( (e=ERR_get_error()) ) { ERR_error_string_n(e, buf, sizeof(buf)); @@ -709,6 +718,7 @@ log_crypto_err(const char* str) } #else (void)str; + (void)err; #endif /* HAVE_SSL */ } @@ -744,6 +754,14 @@ listen_sslctx_setup(void* ctxt) return 0; } #endif +#if defined(SSL_OP_NO_RENEGOTIATION) + /* disable client renegotiation */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { + log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + return 0; + } +#endif #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) /* if we have sha256, set the cipher list to have no known vulns */ if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) @@ -962,6 +980,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) SSL_CTX_free(ctx); return NULL; } +#if defined(SSL_OP_NO_RENEGOTIATION) + /* disable client renegotiation */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { + log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + return 0; + } +#endif if(key && key[0]) { if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { log_err("error in client certificate %s", pem); @@ -1019,7 +1045,7 @@ void* incoming_ssl_fd(void* sslctx, int fd) return NULL; } SSL_set_accept_state(ssl); - (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) { log_crypto_err("could not SSL_set_fd"); SSL_free(ssl); @@ -1041,7 +1067,7 @@ void* outgoing_ssl_fd(void* sslctx, int fd) return NULL; } SSL_set_connect_state(ssl); - (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) { log_crypto_err("could not SSL_set_fd"); SSL_free(ssl); @@ -1197,10 +1223,14 @@ int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed"); return -1; } +#ifndef HMAC_INIT_EX_RETURNS_VOID if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) { verbose(VERB_CLIENT, "HMAC_Init_ex failed"); return -1; } +#else + HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL); +#endif return 1; } else if (enc == 0) { /* decrypt */ @@ -1217,10 +1247,14 @@ int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name return 0; } +#ifndef HMAC_INIT_EX_RETURNS_VOID if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) { verbose(VERB_CLIENT, "HMAC_Init_ex failed"); return -1; } +#else + HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL); +#endif if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) { log_err("EVP_DecryptInit_ex failed"); return -1; |