mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-07 18:03:12 +02:00
Fix ecdh-curve X25519 missing when using the defaults.
In config.h we had a: #if OPENSSL_VERSION_NUMBER >= 0x10100000L #define UNREALIRCD_DEFAULT_ECDH_CURVES "X25519:secp521r1:secp384r1:prime256v1" #else #define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1" #endif ...which is fine in theory, but openssl headers are not included at that point, so OPENSSL_VERSION_NUMBER was not defined. From now on, we have: #define UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY "X25519:secp521r1:secp384r1:prime256v1" #define UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY "secp521r1:secp384r1:prime256v1" ...and we try them in that order. If both fail, we exit with an error (like before). This because X25519 is not available in OpenSSL before 1.1.0 (so really old) and may also not be available when running in FIPS mode.
This commit is contained in:
@@ -1792,9 +1792,6 @@ void config_setdefaultsettings(Configuration *i)
|
||||
safe_strdup(i->tls_options->ciphers, UNREALIRCD_DEFAULT_CIPHERS);
|
||||
safe_strdup(i->tls_options->ciphersuites, UNREALIRCD_DEFAULT_CIPHERSUITES);
|
||||
i->tls_options->protocols = TLS_PROTOCOL_TLSV1_2|TLS_PROTOCOL_TLSV1_3; /* TLSv1.2 & TLSv1.3 */
|
||||
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
|
||||
safe_strdup(i->tls_options->ecdh_curves, UNREALIRCD_DEFAULT_ECDH_CURVES);
|
||||
#endif
|
||||
safe_strdup(i->tls_options->outdated_protocols, "TLSv1,TLSv1.1");
|
||||
/* the following may look strange but "AES*" matches all
|
||||
* AES ciphersuites that do not have Forward Secrecy.
|
||||
|
||||
@@ -412,15 +412,35 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
|
||||
* do anything then, since auto ecdh is the default.
|
||||
*/
|
||||
#endif
|
||||
/* Let's see if we need to (and can) set specific curves */
|
||||
if (tlsoptions->ecdh_curves)
|
||||
{
|
||||
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
|
||||
/* Let's see if we need to (and can) set specific curves */
|
||||
if (tlsoptions->ecdh_curves == NULL)
|
||||
{
|
||||
/* This means try the defaults.. */
|
||||
if (!SSL_CTX_set1_curves_list(ctx, UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY))
|
||||
{
|
||||
if (!SSL_CTX_set1_curves_list(ctx, UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY))
|
||||
{
|
||||
unreal_log(ULOG_ERROR, "config", "TLS_INVALID_ECDH_CURVES_LIST", NULL,
|
||||
"Failed to set ecdh-curves to either "
|
||||
"'$ecdh_curves_list_primary' or '$ecdh_curves_list_secondary'.\n"
|
||||
"$tls_error.all\n"
|
||||
"It's strange that neither curves list worked. "
|
||||
"Please report at https://bugs.unrealircd.org/ !",
|
||||
log_data_string("ecdh_curves_list_primary", UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY),
|
||||
log_data_string("ecdh_curves_list_secondary", UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY),
|
||||
log_data_tls_error());
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
} else
|
||||
{
|
||||
/* Config-specified curves */
|
||||
if (!SSL_CTX_set1_curves_list(ctx, tlsoptions->ecdh_curves))
|
||||
{
|
||||
unreal_log(ULOG_ERROR, "config", "TLS_INVALID_ECDH_CURVES_LIST", NULL,
|
||||
"Failed to set ecdh-curves '$ecdh_curves_list'\n$tls_error.all\n"
|
||||
"HINT: o get a list of supported curves with the appropriate names, "
|
||||
"HINT: To get a list of supported curves with the appropriate names, "
|
||||
"run 'openssl ecparam -list_curves' on the server. "
|
||||
"Separate multiple curves by colon, for example: "
|
||||
"ecdh-curves \"secp521r1:secp384r1\".",
|
||||
@@ -428,15 +448,18 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
|
||||
log_data_tls_error());
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
#else
|
||||
if (tlsoptions->ecdh_curves)
|
||||
{
|
||||
/* We try to avoid this in the config code, but better have
|
||||
* it here too than be sorry if someone screws up:
|
||||
*/
|
||||
unreal_log(ULOG_ERROR, "config", "BUG_ECDH_CURVES", NULL,
|
||||
"ecdh-curves specified but not supported by library -- BAD!");
|
||||
goto fail;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
/* We really want the ECDHE/ECDHE to be generated per-session.
|
||||
* Added in 2015 for safety. Seems OpenSSL was smart enough
|
||||
* to make this the default in 2016 after a security advisory.
|
||||
|
||||
Reference in New Issue
Block a user