From 78ba3dfdbf1b5e0747f4e9258f48c8adc2a5482d Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Sat, 11 Jun 2016 12:40:25 +0100
Subject: [PATCH] [Feature] Initialize ssl library to use SSL connections
---
 CMakeLists.txt | 11 +++++------
 src/libutil/util.c | 21 +++++++++++++++++++++
 src/rspamd.h | 2 ++
 3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 219fdce41..0b5331bb3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -613,7 +613,6 @@ IF(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
 LIST(APPEND CMAKE_REQUIRED_LIBRARIES socket)
 LIST(APPEND CMAKE_REQUIRED_LIBRARIES umem)
 # Ugly hack, but FindOpenSSL on Solaris does not link with libcrypto
- LIST(APPEND CMAKE_REQUIRED_LIBRARIES crypto)
 SET(CMAKE_VERBOSE_MAKEFILE ON)
 SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH FALSE)
 SET(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib:${RSPAMD_LIBDIR}")
@@ -671,8 +670,10 @@ ProcessPackage(SQLITE3 LIBRARY sqlite3 INCLUDE sqlite3.h INCLUDE_SUFFIXES includ
 ROOT ${SQLITE3_ROOT_DIR} MODULES sqlite3 sqlite)
 ProcessPackage(ICONV LIBRARY iconv libiconv libiconv-2 c INCLUDE iconv.h INCLUDE_SUFFIXES include/libiconv
 ROOT ${ICONV_ROOT_DIR} MODULES iconv)
-ProcessPackage(OPENSSL LIBRARY crypto INCLUDE err.h INCLUDE_SUFFIXES include/openssl
- ROOT ${OPENSSL_ROOT_DIR} MODULES openssl)
+ProcessPackage(LIBCRYPT LIBRARY crypto INCLUDE err.h INCLUDE_SUFFIXES include/openssl
+ ROOT ${OPENSSL_ROOT_DIR} MODULES openssl libcrypt)
+ProcessPackage(LIBSSL LIBRARY ssl INCLUDE ssl.h INCLUDE_SUFFIXES include/openssl
+ ROOT ${OPENSSL_ROOT_DIR} MODULES openssl libssl)
 ProcessPackage(MAGIC LIBRARY magic INCLUDE magic.h INCLUDE_SUFFIXES include/libmagic
 ROOT ${LIBMAGIC_ROOT_DIR} MODULES magic)
@@ -690,9 +691,7 @@ IF (ENABLE_FANN MATCHES "ON")
 ENDIF ()
 #Check for openssl (required for dkim)
-IF(WITH_OPENSSL)
- SET(HAVE_OPENSSL 1)
-ENDIF(WITH_OPENSSL)
+SET(HAVE_OPENSSL 1)
 IF(GMIME2_VERSION VERSION_GREATER "2.4.0" OR NOT GMIME2_VERSION)
 SET(GMIME24 1)
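Review bot: The comment `# Ugly hack, but FindOpenSSL on Solaris does not link with libcrypto` now explains a workaround that this hunk removes, so it is left describing nothing; delete it along with the `LIST(APPEND CMAKE_REQUIRED_LIBRARIES crypto)` line, or reword it to say why the SunOS block no longer needs `crypto` in `CMAKE_REQUIRED_LIBRARIES` (presumably the new LIBCRYPT/LIBSSL ProcessPackage calls in the next hunk cover it, but the hunk does not show that). The same stale-comment problem appears in the third hunk, where `#Check for openssl (required for dkim)` now sits above an unconditional `SET(HAVE_OPENSSL 1)` rather than a check. The `IF(CMAKE_SYSTEM_NAME STREQUAL "SunOS")` block begins and ends outside the hunk.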
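Review bot: `MODULES openssl libcrypt` on the new LIBCRYPT line names the wrong pkg-config module: `libcrypt` is the crypt(3) password-hashing library, while OpenSSL registers its crypto library as `libcrypto`, so on a host where ProcessPackage falls through to the module list and `openssl` is not registered, the probe can pick up the flags of an unrelated library for the `crypto` dependency. Use `MODULES openssl libcrypto`, and consider calling the package LIBCRYPTO so the name matches the library it finds. Renaming the package from OPENSSL also changes whatever result variables ProcessPackage presumably derives from the package name; any consumer of the old OPENSSL-prefixed variables elsewhere in the file would now see them empty, which the hunk does not let me verify.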
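Review bot: `SET(HAVE_OPENSSL 1)` is now a literal that no longer reflects any detection result, while util.c keeps its `#ifdef HAVE_OPENSSL` guards around the SSL_CTX setup and `SSL_CTX_free`, so those guards can never be false and only add noise; since rspamd.h also gains an unconditional OpenSSL include and an `SSL_CTX *` member, OpenSSL is a hard requirement now, and the consistent change is either to drop the `HAVE_OPENSSL` conditionals altogether or to derive the define from the LIBSSL/LIBCRYPT detection outcome instead of a constant. If ProcessPackage can report a missing library without aborting configure (not visible here), the literal also means HAVE_OPENSSL is set even when nothing was found. The removal of the WITH_OPENSSL option is user-visible too, since a configuration that passed `-DWITH_OPENSSL=OFF` now silently builds with OpenSSL.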
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 3b0203f9f..10753ec93 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #endif
 #ifdef HAVE_TERMIOS_H
@@ -1971,6 +1972,7 @@ rspamd_init_libs (void)
 struct rlimit rlim;
 struct rspamd_external_libs_ctx *ctx;
 struct ottery_config *ottery_cfg;
+ static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
 ctx = g_slice_alloc0 (sizeof (*ctx));
 ctx->crypto_ctx = rspamd_cryptobox_init ();
@@ -2007,6 +2009,24 @@ rspamd_init_libs (void)
 OpenSSL_add_all_algorithms ();
 OpenSSL_add_all_digests ();
 OpenSSL_add_all_ciphers ();
+ SSL_library_init ();
+ SSL_load_error_strings ();
+
+ if (RAND_poll () == 0) {
+ guchar seed[128];
+
+ /* Try to use ottery to seed rand */
+ ottery_rand_bytes (seed, sizeof (seed));
+ RAND_seed (seed, sizeof (seed));
+ rspamd_explicit_memzero (seed, sizeof (seed));
+ }
+
+ ctx->ssl_ctx = SSL_CTX_new (SSLv23_method ());
+ SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
 #endif
 g_random_set_seed (ottery_rand_uint32 ());
@@ -2067,6 +2087,7 @@ rspamd_deinit_libs (struct rspamd_external_libs_ctx *ctx)
 #ifdef HAVE_OPENSSL
 EVP_cleanup ();
 ERR_free_strings ();
+ SSL_CTX_free (ctx->ssl_ctx);
 #endif
 rspamd_inet_library_destroy ();
 }
diff --git a/src/rspamd.h b/src/rspamd.h
index c0c60185d..6a24370aa 100644
--- a/src/rspamd.h
+++ b/src/rspamd.h
@@ -19,6 +19,7 @@
 #include "libserver/events.h"
 #include "libserver/roll_history.h"
 #include "libserver/task.h"
+#include
 #include
@@ -295,6 +296,7 @@ struct rspamd_external_libs_ctx {
 void **local_addrs;
 struct rspamd_cryptobox_library_ctx *crypto_ctx;
 struct ottery_config *ottery_cfg;
+ SSL_CTX *ssl_ctx;
 ref_entry_t ref;
 };
-- 
2.39.5
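Review bot: `SSL_CTX_new (SSLv23_method ())` can return NULL, and the very next line `SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL)` dereferences the result unconditionally, so a failed context creation crashes during init instead of being reported; `SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers)` is unchecked as well, and it returns 0 when none of `secure_ciphers` can be selected, which leaves the context on the OpenSSL default list rather than the hardened one the comment promises. Both results should be tested and the OpenSSL error queue reported, which the preceding `SSL_load_error_strings ()` makes readable; `SSL_CTX_free` accepts NULL, so leaving `ssl_ctx` unset on failure keeps rspamd_deinit_libs safe. Separately, `SSL_VERIFY_PEER` is enabled here but no trust store is loaded in this hunk (no `SSL_CTX_set_default_verify_paths` or `SSL_CTX_load_verify_locations`), so unless the connection code loads one, every handshake will fail verification; if the system CA bundle is intended, call `SSL_CTX_set_default_verify_paths (ctx->ssl_ctx)` next to `SSL_CTX_set_verify` and check its return value too. rspamd_init_libs begins and ends outside the hunk.
```c
	/* … unchanged: SSL_library_init, SSL_load_error_strings, RAND_poll seeding … */
	ctx->ssl_ctx = SSL_CTX_new (SSLv23_method ());

	if (ctx->ssl_ctx == NULL) {
		/* Leave ssl_ctx NULL; SSL_CTX_free (NULL) in deinit is a no-op */
		g_warning ("cannot create SSL context: %s",
				ERR_error_string (ERR_get_error (), NULL));
	}
	else {
		SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
		SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
		SSL_CTX_set_options (ctx->ssl_ctx,
				SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);

		/* Default settings: fail loudly if the hardened list cannot be applied */
		if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers) != 1) {
			g_warning ("cannot set cipher list '%s': %s", secure_ciphers,
					ERR_error_string (ERR_get_error (), NULL));
		}
	}
```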
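Review bot: `SSL_CTX_free (ctx->ssl_ctx)` is placed after `EVP_cleanup ()` and `ERR_free_strings ()`, so a library object is released after the library-wide state it was created under has already been torn down; move the free above `EVP_cleanup ()` so per-object teardown runs while OpenSSL is still fully initialized, i.e. `SSL_CTX_free (ctx->ssl_ctx);` as the first line inside the `#ifdef HAVE_OPENSSL` block. `SSL_CTX_free` treats a NULL argument as a no-op, so the call remains safe if `ssl_ctx` was never set. rspamd_deinit_libs starts outside the hunk.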
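Review bot: The new `SSL_CTX *ssl_ctx;` member is what forces the OpenSSL include added in the previous hunk into every translation unit that includes rspamd.h, so the public header now depends on OpenSSL unconditionally while util.c still wraps its OpenSSL code in `#ifdef HAVE_OPENSSL`. Declaring the member through OpenSSL's opaque struct tag, `struct ssl_ctx_st *ssl_ctx;`, keeps that dependency out of the header and lets only util.c include the OpenSSL headers. The field is also set and freed in a different file, so a one-line comment such as `/* SSL context created by rspamd_init_libs, freed by rspamd_deinit_libs */` would help the next reader of the struct.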