authorDaniel Roethlisberger <[email protected]>2018-03-25 15:51:15 +0200
committerDaniel Roethlisberger <[email protected]>2018-03-25 15:51:15 +0200
commit79dc2fd76bcb3fd2fa27a32a4de2d51c539979bd (patch)
tree9183f3ddeee3a5352359a5668b38080b61a14152
parent3e407d4d6e4abf0daa215a653549c70fff4e9d40 (diff)
parent7280b6815cb2749484f4028950039bc35860c1fd (diff)
Merge branch 'sonertari-develop' into develop
-rw-r--r--opts.c49
-rw-r--r--opts.h3
-rw-r--r--pxyconn.c21
3 files changed, 72 insertions, 1 deletions
diff --git a/opts.c b/opts.c
index ec1065b..053112d 100644
--- a/opts.c
+++ b/opts.c
@@ -164,11 +164,16 @@ opts_has_dns_spec(opts_t *opts)
void
opts_proto_force(opts_t *opts, const char *optarg, const char *argv0)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (opts->sslmethod != SSLv23_method) {
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ if (opts->sslversion) {
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
fprintf(stderr, "%s: cannot use -r multiple times\n", argv0);
exit(EXIT_FAILURE);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef HAVE_SSLV2
if (!strcmp(optarg, "ssl2")) {
opts->sslmethod = SSLv2_method;
@@ -194,6 +199,33 @@ opts_proto_force(opts_t *opts, const char *optarg, const char *argv0)
opts->sslmethod = TLSv1_2_method;
} else
#endif /* HAVE_TLSV12 */
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+/*
+ * Support for SSLv2 and the corresponding SSLv2_method(),
+ * SSLv2_server_method() and SSLv2_client_method() functions were
+ * removed in OpenSSL 1.1.0.
+ */
+#ifdef HAVE_SSLV3
+ if (!strcmp(optarg, "ssl3")) {
+ opts->sslversion = SSL3_VERSION;
+ } else
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
+ if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
+ opts->sslversion = TLS1_VERSION;
+ } else
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
+ if (!strcmp(optarg, "tls11")) {
+ opts->sslversion = TLS1_1_VERSION;
+ } else
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
+ if (!strcmp(optarg, "tls12")) {
+ opts->sslversion = TLS1_2_VERSION;
+ } else
+#endif /* HAVE_TLSV12 */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
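Review bot: The new 1.1.0+ branch stores SSL3_VERSION / TLS1_*_VERSION in `opts->sslversion`, but nothing here documents that the value is later applied as both the minimum and the maximum protocol version, nor that `-r ssl2` now deliberately falls through to the "Unsupported SSL/TLS protocol" error; the comment block in the hunk only explains why the SSLv2 method functions are gone. I would extend that comment with a sentence like `Forced versions are enforced via SSL_CTX_set_min/max_proto_version() at context creation; 0 leaves negotiation to OpenSSL.` Note also that the HAVE_SSLV3 guard only reflects the build configuration sslsplit was compiled against; whether the linked OpenSSL actually accepts SSL3_VERSION is decided at runtime in pxyconn.c, so a clear startup-time error would be friendlier than failing per connection. The error path's exit follows outside the hunk.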
@@ -247,8 +279,9 @@ void
opts_proto_dbg_dump(opts_t *opts)
{
log_dbg_printf("SSL/TLS protocol: %s%s%s%s%s%s\n",
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef HAVE_SSLV2
- (opts->sslmethod == SSLv2_method) ? "nossl2" :
+ (opts->sslmethod == SSLv2_method) ? "ssl2" :
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
(opts->sslmethod == SSLv3_method) ? "ssl3" :
@@ -262,6 +295,20 @@ opts_proto_dbg_dump(opts_t *opts)
#ifdef HAVE_TLSV12
(opts->sslmethod == TLSv1_2_method) ? "tls12" :
#endif /* HAVE_TLSV12 */
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+#ifdef HAVE_SSLV3
+ (opts->sslversion == SSL3_VERSION) ? "ssl3" :
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
+ (opts->sslversion == TLS1_VERSION) ? "tls10" :
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
+ (opts->sslversion == TLS1_1_VERSION) ? "tls11" :
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
+ (opts->sslversion == TLS1_2_VERSION) ? "tls12" :
+#endif /* HAVE_TLSV12 */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
"negotiate",
#ifdef HAVE_SSLV2
opts->no_ssl2 ? " -ssl2" :
diff --git a/opts.h b/opts.h
index 0594c6b..f5e9f27 100644
--- a/opts.h
+++ b/opts.h
@@ -95,6 +95,9 @@ typedef struct opts {
char *contentlog_basedir; /* static part of logspec, for privsep srv */
char *masterkeylog;
CONST_SSL_METHOD *(*sslmethod)(void);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int sslversion;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
X509 *cacrt;
EVP_PKEY *cakey;
EVP_PKEY *key;
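Review bot: The new `sslversion` member of opts_t carries no comment, while the meaning of 0 ("negotiate") and the expected values (SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION as assigned in opts_proto_force) are only discoverable by reading opts.c; suggest `int sslversion; /* forced protocol version (SSL3_VERSION, TLS1_*_VERSION); 0 = negotiate; OpenSSL >= 1.1.0 only */`. Because the field exists only under `OPENSSL_VERSION_NUMBER >= 0x10100000L`, every reader must be wrapped in the same guard, which is worth stating in the comment so a future unguarded use is caught at review rather than as a build break on older OpenSSL. The struct definition starts and ends outside this hunk.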
diff --git a/pxyconn.c b/pxyconn.c
index 03e24ba..c9540a2 100644
--- a/pxyconn.c
+++ b/pxyconn.c
@@ -725,6 +725,16 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
pxy_sslctx_setoptions(sslctx, ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (ctx->opts->sslversion) {
+ if (SSL_CTX_set_min_proto_version(sslctx, ctx->opts->sslversion) == 0 ||
+ SSL_CTX_set_max_proto_version(sslctx, ctx->opts->sslversion) == 0) {
+ SSL_CTX_free(sslctx);
+ return NULL;
+ }
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
SSL_CTX_sess_set_new_cb(sslctx, pxy_ossl_sessnew_cb);
SSL_CTX_sess_set_remove_cb(sslctx, pxy_ossl_sessremove_cb);
SSL_CTX_sess_set_get_cb(sslctx, pxy_ossl_sessget_cb);
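Review bot: When SSL_CTX_set_min_proto_version() or SSL_CTX_set_max_proto_version() rejects `ctx->opts->sslversion`, the new code frees the context and returns NULL without logging anything, so a version the linked OpenSSL does not accept would make every intercepted connection fail with no diagnostic; add a message before the free, e.g. `log_err_printf("Error forcing SSL/TLS protocol version 0x%x\n", ctx->opts->sslversion);` if that helper is available in pxyconn.c, or the file's equivalent. Since the forced version is a static command-line option, a single validation at option-parsing time (a throwaway SSL_CTX in opts_proto_force) would give the operator a clear error at startup instead of per-connection failures. The sibling dst path in this commit additionally sets `ctx->enomem` on the same failure; the two paths should behave the same way. pxy_srcsslctx_create starts and ends outside this hunk.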
@@ -1114,6 +1124,17 @@ pxy_dstssl_create(pxy_conn_ctx_t *ctx)
pxy_sslctx_setoptions(sslctx, ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (ctx->opts->sslversion) {
+ if (SSL_CTX_set_min_proto_version(sslctx, ctx->opts->sslversion) == 0 ||
+ SSL_CTX_set_max_proto_version(sslctx, ctx->opts->sslversion) == 0) {
+ SSL_CTX_free(sslctx);
+ ctx->enomem = 1;
+ return NULL;
+ }
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
ssl = SSL_new(sslctx);
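Review bot: Setting `ctx->enomem = 1` when SSL_CTX_set_min_proto_version() or SSL_CTX_set_max_proto_version() fails reports a protocol-version rejection as an out-of-memory condition, which will mislead whatever handling the caller does on that flag (not visible here) and any log line derived from it. Prefer logging the real cause and returning NULL without touching `enomem`, or introducing a distinct error indicator if the caller needs one; e.g. `log_err_printf("Error forcing SSL/TLS protocol version 0x%x\n", ctx->opts->sslversion);` before `SSL_CTX_free(sslctx); return NULL;`, assuming that logging helper is in scope in pxyconn.c. This also diverges from pxy_srcsslctx_create earlier in the commit, which returns NULL on the same failure without setting the flag. pxy_dstssl_create continues beyond this hunk.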