Fix OpenSSL error, wrong initialization order.

2019-04-24 10:32:01 +02:00 · 2019-04-24 10:32:01 +02:00 · 076e75897b
parent bc8974b9a3
commit 076e75897b
1 changed files with 38 additions and 34 deletions
--- a/src/network/openssl.c
+++ b/src/network/openssl.c
@ -129,51 +129,49 @@ static void add_io_stats(struct net_ssl_openssl* handle)
 	}
 }

-static const SSL_METHOD* get_ssl_method(const struct net_context_openssl* ctx, const char* tls_version)
+static const SSL_METHOD* get_ssl_method(const char* tls_version, long* flags)
 {
+        if (!flags)
+        {
+            LOG_ERROR("flags is null");
+            return 0;
+        }
+
 	if (!tls_version || !*tls_version)
 	{
-		LOG_ERROR("tls_version is not set.");
-		return 0;
+            LOG_ERROR("tls_version is not set.");
+            return 0;
 	}

-	/* Disable SSLv2 */
-	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
+	*flags = 0;
+	*flags |= SSL_OP_NO_SSLv2;
+        *flags |= SSL_OP_NO_SSLv3;

-	/* Disable SSLv3 */
-	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (!strcmp(tls_version, "1.0"))
-	  return TLSv1_method();
-	if (!strcmp(tls_version, "1.1"))
-	  return TLSv1_1_method();
-	if (!strcmp(tls_version, "1.2"))
-	  return TLSv1_2_method();
-
-	LOG_ERROR("Unable to recognize tls_version.");
-	return 0;
-#else
-        if (!strcmp(tls_version, "1.0"))
        {
-            // Not much to do - allow TLS 1.0 and above.
+            // not much to do.
        }
-
-        if (!strcmp(tls_version, "1.1"))
+        else if (!strcmp(tls_version, "1.1"))
        {
-            // Disable anything below TLS 1.1
-            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
+            *flags |= SSL_OP_NO_TLSv1;
        }
-
-        if (!strcmp(tls_version, "1.2"))
+        else if (!strcmp(tls_version, "1.2"))
        {
-            // Disable anything below TLS 1.2
-            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
-            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1_1);
+            *flags |= SSL_OP_NO_TLSv1;
+            *flags |= SSL_OP_NO_TLSv1_1;
+        }
+        else if (!strcmp(tls_version, "1.3"))
+        {
+            *flags |= SSL_OP_NO_TLSv1;
+            *flags |= SSL_OP_NO_TLSv1_1;
+            *flags |= SSL_OP_NO_TLSv1_2;
+        }
+        else
+        {
+            LOG_ERROR("Unable to recognize tls_version: %s", tls_version);
+            return 0;
        }
-
 	return TLS_method();
-#endif
 }

 /**
@ -208,7 +206,8 @@ static int alpn_server_select_protocol(SSL *ssl, const unsigned char **out, unsi
 struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite)
 {
 	struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl));
-	const SSL_METHOD* ssl_method = get_ssl_method(ctx, tls_version);
+        long flags = 0;
+	const SSL_METHOD* ssl_method = get_ssl_method(tls_version, &flags);

 	if (!ssl_method)
 	{
@ -224,9 +223,12 @@ struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const
 #ifdef SSL_OP_NO_COMPRESSION
 	/* Disable compression */
 	LOG_TRACE("Disabling SSL compression."); /* "CRIME" attack */
-	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_COMPRESSION);
+	flags |= SSL_OP_NO_COMPRESSION;
 #endif

+        // Set flags
+        SSL_CTX_set_options(ctx->ssl, flags);
+
 	/* Set preferred cipher suite */
 	if (SSL_CTX_set_cipher_list(ctx->ssl, tls_ciphersuite) != 1)
 	{
@ -352,7 +354,9 @@ ssize_t net_con_ssl_connect(struct net_connection* con)
 	}
 	
 	ret = handle_openssl_error(con, ret, tls_st_connecting);
-	LOG_ERROR("net_con_ssl_connect: ret=%d", ret);
+	
+        if (ret != 0)
+            LOG_ERROR("net_con_ssl_connect: ret=%d", ret);
 	return ret;
 }