AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2025-07-06 07:44:57 +03:00
Code Releases Activity

Remove SSLv3 support

Browse Source
This commit is contained in:
Davide Beatrici
2018-07-30 09:03:07 +02:00
parent 19a917adc1
commit 02db806181
22 changed files with 59 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
src/Mayaqua/Network.c
View File

@ -831,7 +831,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t
Format(connect_hostname2, sizeof(connect_hostname2), "[%s]", connect_hostname);
}
s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false, false);
s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false);
if (s == NULL)
{
@ -849,7 +849,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t
SetTimeout(s, timeout);
// Start the SSL
if (StartSSLEx(s, NULL, NULL, true, 0, NULL) && (*cancel == false))
if (StartSSLEx(s, NULL, NULL, 0, NULL) && (*cancel == false))
{
UCHAR hash[SHA1_SIZE];
BUF *hash2 = StrToBin(BFLETS_DNS_PROXY_CERT_HASH);
@ -12143,9 +12143,9 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
// Start a TCP-SSL communication
bool StartSSL(SOCK *sock, X *x, K *priv)
{
return StartSSLEx(sock, x, priv, true, 0, NULL);
return StartSSLEx(sock, x, priv, 0, NULL);
}
bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname)
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
{
X509 *x509;
EVP_PKEY *key;
@ -12205,39 +12205,32 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
{
if (sock->ServerMode)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv2
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
#endif // SSL_OP_NO_SSLv2
if (sock->SslAcceptSettings.AcceptOnlyTls)
{
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
#ifdef SSL_OP_NO_TLSv1
if (sock->SslAcceptSettings.Tls_Disable1_0)
{
#ifdef SSL_OP_NO_TLSv1
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
#endif // SSL_OP_NO_TLSv1
}
#endif // SSL_OP_NO_TLSv1
#ifdef SSL_OP_NO_TLSv1_1
if (sock->SslAcceptSettings.Tls_Disable1_1)
{
#ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
#endif // SSL_OP_NO_TLSv1_1
}
#endif // SSL_OP_NO_TLSv1_1
#ifdef SSL_OP_NO_TLSv1_2
if (sock->SslAcceptSettings.Tls_Disable1_2)
{
#ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
#endif // SSL_OP_NO_TLSv1_2
}
#endif // SSL_OP_NO_TLSv1_2
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
@ -12245,24 +12238,18 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
}
else
{
if (client_tls == false)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_method());
#else
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
#endif
}
else
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
}
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
sock->ssl = SSL_new(ssl_ctx);
SSL_set_fd(sock->ssl, (int)sock->socket);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (sock->ServerMode == false && client_tls)
if (sock->ServerMode == false)
{
if (IsEmptyStr(sni_hostname) == false)
{
@ -14281,7 +14268,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
// Connecting process
IPToStr(hostname, sizeof(hostname), &p->Ip);
sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, false, true);
sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, true);
if (sock != NULL && p->Tcp_TryStartSsl)
{
@ -14306,7 +14293,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
Unlock(p->CancelLock);
// Start the SSL communication
ssl_ret = StartSSLEx(sock, NULL, NULL, p->Tcp_SslNoTls, 0, p->Hostname);
ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname);
if (ssl_ret)
{
@ -14419,14 +14406,13 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout)
}
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag)
{
return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, false, true);
return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, true);
}
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname)
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname)
{
return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, ssl_no_tls,
no_get_hostname, NULL);
return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL);
}
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip)
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip)
{
SOCK *sock;
SOCKET s;
@ -14605,7 +14591,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
p1.CancelFlag = &cancel_flag2;
p1.FinishEvent = finish_event;
p1.Tcp_TryStartSsl = try_start_ssl;
p1.Tcp_SslNoTls = ssl_no_tls;
p1.CancelLock = NewLock();
// p2: NAT-T

8
src/Mayaqua/Network.h
View File

@ -250,7 +250,6 @@ struct SOCK_EVENT
// SSL Accept Settings
struct SSL_ACCEPT_SETTINGS
{
bool AcceptOnlyTls;
bool Tls_Disable1_0;
bool Tls_Disable1_1;
bool Tls_Disable1_2;
@ -927,7 +926,6 @@ struct CONNECT_TCP_RUDP_PARAM
UINT RUdpProtocol;
UINT Delay;
bool Tcp_TryStartSsl;
bool Tcp_SslNoTls;
LOCK *CancelLock;
SOCK *CancelDisconnectSock;
bool Tcp_InNegotiation;
@ -1271,8 +1269,8 @@ void CleanupSock(SOCK *s);
SOCK *Connect(char *hostname, UINT port);
SOCK *ConnectEx(char *hostname, UINT port, UINT timeout);
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip);
SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag);
void SetSocketSendRecvBufferSize(SOCKET s, UINT size);
bool SetSocketBufferSize(SOCKET s, bool send, UINT size);
@ -1295,7 +1293,7 @@ void SetNoNeedToRead(SOCK *sock);
UINT SecureSend(SOCK *sock, void *data, UINT size);
UINT SecureRecv(SOCK *sock, void *data, UINT size);
bool StartSSL(SOCK *sock, X *x, K *priv);
bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname);
bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x);
void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx);
bool SendAll(SOCK *sock, void *data, UINT size, bool secure);