- crash: use TLSv1.2 if possible, TLS1 at worst

stealth · Oct 31, 2014 · c0cd85b · c0cd85b
1 parent a1fca54
commit c0cd85b
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 27 deletions.
diff --git a/crashc.cc b/crashc.cc
@@ -55,6 +55,12 @@ extern "C" {
 
 using namespace std;
 
+#ifdef USE_CCIPHERS
+string ciphers = USE_CCIPHERS;
+#else
+string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!ADH:!3DES:AES256:AESGCM:SHA256:SHA384:@STRENGTH";
+#endif
+
 
 class client_session {
 
@@ -108,7 +114,7 @@ const size_t client_session::const_message_size = 1024;
 client_session::client_session() :
 	sock_fd(-1), peer_fd(-1), sock(NULL), err(""),
 	ssl_ctx(NULL), ssl_method(NULL), ssl(NULL),
-	pubkey(NULL), privkey(NULL), my_major(1), my_minor(1)
+	pubkey(NULL), privkey(NULL), my_major(1), my_minor(2)
 {
 
 }
@@ -132,11 +138,11 @@ client_session::~client_session()
 
 int client_session::setup()
 {
-        SSL_library_init();
-        SSL_load_error_strings();
-        OpenSSL_add_all_algorithms();
-        OpenSSL_add_all_digests();
-	ssl_method = TLSv1_client_method();
+	SSL_library_init();
+	SSL_load_error_strings();
+	OpenSSL_add_all_algorithms();
+	OpenSSL_add_all_digests();
+	ssl_method = SSLv23_client_method();
 
 	if (tcgetattr(0, &tattr) < 0) {
 		err = "client_session::setup::tcgetattr:";
@@ -146,7 +152,7 @@ int client_session::setup()
 	old_tattr = tattr;
 
 	if (!ssl_method) {
-		err = "client_session::setup::TLSv1_client_method:";
+		err = "client_session::setup::SSLv23_client_method:";
 		err += ERR_error_string(ERR_get_error(), NULL);
 		return -1;
 	}
@@ -157,10 +163,24 @@ int client_session::setup()
 		return -1;
 	}
 
+	long op = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_SINGLE_DH_USE|SSL_OP_NO_TICKET;
+
 #ifdef SSL_OP_NO_COMPRESSION
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+	op |= SSL_OP_NO_COMPRESSION;
 #endif
 
+	if ((SSL_CTX_set_options(ssl_ctx, op) & op) != op) {
+		err = "client_session::setup::SSL_CTX_set_options():";
+		err += ERR_error_string(ERR_get_error(), NULL);
+		return -1;
+	}
+
+	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers.c_str()) != 1) {
+		err = "client_sessions::setup::SSL_CTX_set_cipher_list:";
+		err += ERR_error_string(ERR_get_error(), NULL);
+		return -1;
+	}
+
 	if (!(ssl = SSL_new(ssl_ctx))) {
 		err = "client_session::setup::SSL_new:";
 		err += ERR_error_string(ERR_get_error(), NULL);
@@ -410,8 +430,8 @@ int client_session::authenticate()
 		return -1;
 
 	char sbuf[const_message_size];
-	snprintf(sbuf, sizeof(sbuf), "A:crash-1.001:%32s:%hu:%s:token:%hu:",
-	         config::user.c_str(),
+	snprintf(sbuf, sizeof(sbuf), "A:crash-%hu.%04hu:%32s:%hu:%s:token:%hu:",
+	         my_major, my_minor, config::user.c_str(),
 	         (unsigned short)config::cmd.length(), config::cmd.c_str(),
 	         (unsigned short)resplen);
 	if (resplen > sizeof(sbuf) - strlen(sbuf))

diff --git a/dh1024.cc b/dh1024.cc
@@ -1,7 +1,30 @@
+#ifndef HEADER_DH_H
 #include <openssl/dh.h>
-
+#endif
 DH *get_dh1024()
-{
-	return NULL;
-}
+	{
+	static unsigned char dh1024_p[]={
+		0xF1,0xD3,0xAA,0xE4,0x3A,0x6B,0xAF,0x74,0x93,0x2F,0x5D,0xE8,
+		0x4B,0x46,0xEE,0x7E,0x61,0xB7,0x00,0x52,0x1E,0x0B,0xD7,0x44,
+		0x3A,0x93,0x0B,0x4C,0x31,0xB9,0xBA,0x71,0x2F,0xCD,0x9A,0x6B,
+		0x3C,0x75,0xB4,0x2D,0xDF,0x4C,0xD3,0x86,0xD4,0x89,0x77,0x84,
+		0xAD,0x96,0xD0,0x35,0x24,0x30,0x89,0x79,0xA1,0x8C,0x04,0x47,
+		0x72,0xA8,0x14,0x26,0x0D,0x1A,0xB5,0x95,0xEF,0x28,0xC6,0x59,
+		0xD0,0xF1,0x88,0x4F,0xBA,0xF2,0x34,0xB7,0xA1,0xDE,0x39,0x97,
+		0xEB,0x27,0x68,0xEB,0x30,0x04,0xAD,0x0B,0xDD,0x9D,0xE6,0x69,
+		0x77,0x75,0x66,0x34,0x21,0x09,0xF3,0xA9,0x9D,0x19,0x6D,0x63,
+		0x02,0x97,0x03,0xB1,0x08,0xB0,0x2C,0xF3,0x71,0xBC,0x9D,0x8C,
+		0xA4,0x17,0xCF,0xDC,0x5E,0xC9,0x1C,0xEB,
+		};
+	static unsigned char dh1024_g[]={
+		0x02,
+		};
+	DH *dh;
 
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}
diff --git a/dh512.cc b/dh512.cc
@@ -1,7 +1,25 @@
+#ifndef HEADER_DH_H
 #include <openssl/dh.h>
-
+#endif
 DH *get_dh512()
-{
-	return NULL;
-}
+	{
+	static unsigned char dh512_p[]={
+		0x86,0x4F,0x10,0xDF,0xA6,0x89,0x03,0x6C,0x0E,0x71,0x6C,0x5D,
+		0x03,0xA9,0xF6,0x6D,0x6F,0xC2,0x2E,0xE8,0xD4,0xBA,0x7B,0x62,
+		0xD8,0xB6,0x38,0xFC,0xC6,0x7E,0x25,0x72,0xAB,0xB7,0x15,0x25,
+		0xAE,0xB3,0xB9,0x37,0x5A,0x6A,0x16,0x0E,0xC1,0x2C,0xF9,0x5A,
+		0xAD,0x58,0xD2,0x23,0x9C,0x72,0x4A,0x3C,0xF6,0x73,0x9A,0xA7,
+		0x3F,0xDB,0x52,0x8B,
+		};
+	static unsigned char dh512_g[]={
+		0x02,
+		};
+	DH *dh;
 
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}
diff --git a/server.cc b/server.cc
@@ -59,10 +59,10 @@ using namespace std;
 unsigned short Server::min_time_between_reconnect = 3;
 
 
-#ifdef USE_CIPHERS
-string ciphers = USE_CIPHERS;
+#ifdef USE_SCIPHERS
+string ciphers = USE_SCIPHERS;
 #else
-string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!ADH:kDHE:RSA:AES256:SHA256:SHA384:IDEA:@STRENGTH";
+string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!3DES:!ADH:kDHE:RSA:AES256:AESGCM:SHA256:SHA384:@STRENGTH";
 #endif
 
 extern int enable_dh(SSL_CTX *);
@@ -88,10 +88,10 @@ int Server::setup()
 	SSL_load_error_strings();
 	OpenSSL_add_all_algorithms();
 	OpenSSL_add_all_digests();
-	ssl_method = TLSv1_server_method();
+	ssl_method = SSLv23_server_method();
 
 	if (!ssl_method) {
-		err = "Server::setup::TLSv1_server_method:";
+		err = "Server::setup::SSLv23_server_method:";
 		err += ERR_error_string(ERR_get_error(), NULL);
 		return -1;
 	}
@@ -114,10 +114,18 @@ int Server::setup()
 		return -1;
 	}
 
+	long op = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_SINGLE_DH_USE|SSL_OP_NO_TICKET;
+
 #ifdef SSL_OP_NO_COMPRESSION
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+	op |= SSL_OP_NO_COMPRESSION;
 #endif
 
+	if ((SSL_CTX_set_options(ssl_ctx, op) & op) != op) {
+		err = "Server::setup::SSL_CTX_set_options():";
+		err += ERR_error_string(ERR_get_error(), NULL);
+		return -1;
+	}
+
 	// check for DHE and enable it if there are parameters
 	string::size_type dhe = ciphers.find("kDHE");
 	if (dhe != string::npos) {
@@ -131,8 +139,6 @@ int Server::setup()
 		return -1;
 	}
 
-
-
 	if (config::v6)
 		sock = new (nothrow) Socket(PF_INET6);
 	else

diff --git a/session.cc b/session.cc
@@ -58,7 +58,7 @@ extern "C" {
 using namespace std;
 
 // change in client my_major, my_minor accordingly
-string server_session::banner = "1000 crashd-1.001 OK\r\n";
+string server_session::banner = "1000 crashd-1.002 OK\r\n";
 enum {
 	const_message_size = 1024
 };