aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 12:40:25 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 12:40:25 +0100
commit78ba3dfdbf1b5e0747f4e9258f48c8adc2a5482d (patch)
tree7ea9703a9ee419f450b6180b87d25f75e1416652
parentc5064c42570b60b5687004de82ce14993085dafd (diff)
downloadrspamd-78ba3dfdbf1b5e0747f4e9258f48c8adc2a5482d.tar.gz
rspamd-78ba3dfdbf1b5e0747f4e9258f48c8adc2a5482d.zip
[Feature] Initialize ssl library to use SSL connections
-rw-r--r--CMakeLists.txt11
-rw-r--r--src/libutil/util.c21
-rw-r--r--src/rspamd.h2
3 files changed, 28 insertions, 6 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 219fdce41..0b5331bb3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -613,7 +613,6 @@ IF(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
LIST(APPEND CMAKE_REQUIRED_LIBRARIES socket)
LIST(APPEND CMAKE_REQUIRED_LIBRARIES umem)
# Ugly hack, but FindOpenSSL on Solaris does not link with libcrypto
- LIST(APPEND CMAKE_REQUIRED_LIBRARIES crypto)
SET(CMAKE_VERBOSE_MAKEFILE ON)
SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH FALSE)
SET(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib:${RSPAMD_LIBDIR}")
@@ -671,8 +670,10 @@ ProcessPackage(SQLITE3 LIBRARY sqlite3 INCLUDE sqlite3.h INCLUDE_SUFFIXES includ
ROOT ${SQLITE3_ROOT_DIR} MODULES sqlite3 sqlite)
ProcessPackage(ICONV LIBRARY iconv libiconv libiconv-2 c INCLUDE iconv.h INCLUDE_SUFFIXES include/libiconv
ROOT ${ICONV_ROOT_DIR} MODULES iconv)
-ProcessPackage(OPENSSL LIBRARY crypto INCLUDE err.h INCLUDE_SUFFIXES include/openssl
- ROOT ${OPENSSL_ROOT_DIR} MODULES openssl)
+ProcessPackage(LIBCRYPT LIBRARY crypto INCLUDE err.h INCLUDE_SUFFIXES include/openssl
+ ROOT ${OPENSSL_ROOT_DIR} MODULES openssl libcrypt)
+ProcessPackage(LIBSSL LIBRARY ssl INCLUDE ssl.h INCLUDE_SUFFIXES include/openssl
+ ROOT ${OPENSSL_ROOT_DIR} MODULES openssl libssl)
ProcessPackage(MAGIC LIBRARY magic INCLUDE magic.h INCLUDE_SUFFIXES include/libmagic
ROOT ${LIBMAGIC_ROOT_DIR} MODULES magic)
@@ -690,9 +691,7 @@ IF (ENABLE_FANN MATCHES "ON")
ENDIF ()
#Check for openssl (required for dkim)
-IF(WITH_OPENSSL)
- SET(HAVE_OPENSSL 1)
-ENDIF(WITH_OPENSSL)
+SET(HAVE_OPENSSL 1)
IF(GMIME2_VERSION VERSION_GREATER "2.4.0" OR NOT GMIME2_VERSION)
SET(GMIME24 1)
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 3b0203f9f..10753ec93 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -28,6 +28,7 @@
#include <openssl/rand.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/ssl.h>
#endif
#ifdef HAVE_TERMIOS_H
@@ -1971,6 +1972,7 @@ rspamd_init_libs (void)
struct rlimit rlim;
struct rspamd_external_libs_ctx *ctx;
struct ottery_config *ottery_cfg;
+ static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
ctx = g_slice_alloc0 (sizeof (*ctx));
ctx->crypto_ctx = rspamd_cryptobox_init ();
@@ -2007,6 +2009,24 @@ rspamd_init_libs (void)
OpenSSL_add_all_algorithms ();
OpenSSL_add_all_digests ();
OpenSSL_add_all_ciphers ();
+ SSL_library_init ();
+ SSL_load_error_strings ();
+
+ if (RAND_poll () == 0) {
+ guchar seed[128];
+
+ /* Try to use ottery to seed rand */
+ ottery_rand_bytes (seed, sizeof (seed));
+ RAND_seed (seed, sizeof (seed));
+ rspamd_explicit_memzero (seed, sizeof (seed));
+ }
+
+ ctx->ssl_ctx = SSL_CTX_new (SSLv23_method ());
+ SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
#endif
g_random_set_seed (ottery_rand_uint32 ());
@@ -2067,6 +2087,7 @@ rspamd_deinit_libs (struct rspamd_external_libs_ctx *ctx)
#ifdef HAVE_OPENSSL
EVP_cleanup ();
ERR_free_strings ();
+ SSL_CTX_free (ctx->ssl_ctx);
#endif
rspamd_inet_library_destroy ();
}
diff --git a/src/rspamd.h b/src/rspamd.h
index c0c60185d..6a24370aa 100644
--- a/src/rspamd.h
+++ b/src/rspamd.h
@@ -19,6 +19,7 @@
#include "libserver/events.h"
#include "libserver/roll_history.h"
#include "libserver/task.h"
+#include <openssl/ssl.h>
#include <magic.h>
@@ -295,6 +296,7 @@ struct rspamd_external_libs_ctx {
void **local_addrs;
struct rspamd_cryptobox_library_ctx *crypto_ctx;
struct ottery_config *ottery_cfg;
+ SSL_CTX *ssl_ctx;
ref_entry_t ref;
};