From 8700f497160cfc2cce8918c8cd8922b7320c510a Mon Sep 17 00:00:00 2001 From: RincewindsHat <12514511+RincewindsHat@users.noreply.github.com> Date: Sun, 12 Mar 2023 20:44:42 +0100 Subject: Replace deprecated TLS client functions --- plugins/sslutils.c | 77 +++++++++++++++++++++++------------------------------- 1 file changed, 33 insertions(+), 44 deletions(-) diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 666a0120..6bc0ba81 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -31,9 +31,8 @@ #include "netutils.h" #ifdef HAVE_SSL -static SSL_CTX *c=NULL; +static SSL_CTX *ctx=NULL; static SSL *s=NULL; -static int initialized=0; int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); @@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi } int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { - const SSL_METHOD *method = NULL; long options = 0; + if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { + printf("%s\n", _("CRITICAL - Cannot create SSL context.")); + return STATE_CRITICAL; + } + switch (version) { case MP_SSLv2: /* SSLv2 protocol */ -#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); return STATE_UNKNOWN; -#else - method = SSLv2_client_method(); - break; -#endif case MP_SSLv3: /* SSLv3 protocol */ #if defined(OPENSSL_NO_SSL3) printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = SSLv3_client_method(); + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); break; #endif case MP_TLSv1: /* TLSv1 protocol */ @@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); break; #endif case MP_TLSv1_1: /* TLSv1.1 protocol */ @@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_1_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); break; #endif case MP_TLSv1_2: /* TLSv1.2 protocol */ @@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_2_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); break; #endif case MP_TLSv1_2_OR_NEWER: @@ -97,56 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - options |= SSL_OP_NO_TLSv1_1; + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_TLSv1_1_OR_NEWER: #if !defined(SSL_OP_NO_TLSv1) printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - options |= SSL_OP_NO_TLSv1; + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_TLSv1_OR_NEWER: #if defined(SSL_OP_NO_SSLv3) - options |= SSL_OP_NO_SSLv3; + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_SSLv3_OR_NEWER: #if defined(SSL_OP_NO_SSLv2) - options |= SSL_OP_NO_SSLv2; + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + break; #endif - case MP_SSLv2_OR_NEWER: - /* FALLTHROUGH */ - default: /* Default to auto negotiation */ - method = SSLv23_client_method(); - } - if (!initialized) { - /* Initialize SSL context */ - SSLeay_add_ssl_algorithms(); - SSL_load_error_strings(); - OpenSSL_add_all_algorithms(); - initialized = 1; - } - if ((c = SSL_CTX_new(method)) == NULL) { - printf("%s\n", _("CRITICAL - Cannot create SSL context.")); - return STATE_CRITICAL; } + if (cert && privkey) { #ifdef USE_OPENSSL - if (!SSL_CTX_use_certificate_chain_file(c, cert)) { + if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { #elif USE_GNUTLS - if (!SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { #else #error Unported for unknown SSL library #endif printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); return STATE_CRITICAL; } - SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); + SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); #ifdef USE_OPENSSL - if (!SSL_CTX_check_private_key(c)) { + if (!SSL_CTX_check_private_key(ctx)) { printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); return STATE_CRITICAL; } @@ -155,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int #ifdef SSL_OP_NO_TICKET options |= SSL_OP_NO_TICKET; #endif - SSL_CTX_set_options(c, options); - SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); - if ((s = SSL_new(c)) != NULL) { + SSL_CTX_set_options(ctx, options); + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + if ((s = SSL_new(ctx)) != NULL) { #ifdef SSL_set_tlsext_host_name if (host_name != NULL) SSL_set_tlsext_host_name(s, host_name); @@ -184,9 +173,9 @@ void np_net_ssl_cleanup() { #endif SSL_shutdown(s); SSL_free(s); - if (c) { - SSL_CTX_free(c); - c=NULL; + if (ctx) { + SSL_CTX_free(ctx); + ctx=NULL; } s=NULL; } -- cgit v1.2.3-74-g34f1