static void disable_SSL_compression(void) { STACK_OF(SSL_COMP) *ssl_comp_methods; ssl_comp_methods = SSL_COMP_get_compression_methods(); int n = sk_SSL_COMP_num(ssl_comp_methods); for (int i = 0; i < n; i++) { (void) sk_SSL_COMP_pop(ssl_comp_methods); } }
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) { STACK_OF(SSL_COMP) *methods; methods=SSL_COMP_get_compression_methods(); if(!methods) { if(global->compression==COMP_NONE) { s_log(LOG_NOTICE, "Failed to get compression methods"); return 0; /* ignore */ } else { s_log(LOG_ERR, "Failed to get compression methods"); return 1; } } if(global->compression==COMP_NONE || SSLeay()<0x00908051L /* 0.9.8e-beta1 */) { /* delete OpenSSL defaults (empty the SSL_COMP stack) */ /* cannot use sk_SSL_COMP_pop_free, * as it also destroys the stack itself */ /* only leave the standard RFC 1951 (DEFLATE) algorithm, * if any of the private algorithms is enabled */ /* only allow DEFLATE with OpenSSL 0.9.8 or later * with OpenSSL #1468 zlib memory leak fixed */ while(sk_SSL_COMP_num(methods)) #if OPENSSL_VERSION_NUMBER>=0x10100000L /* FIXME: remove when sk_SSL_COMP_pop() works again */ OPENSSL_free(sk_pop((void *)methods)); #else OPENSSL_free(sk_SSL_COMP_pop(methods)); #endif } if(global->compression==COMP_NONE) { s_log(LOG_DEBUG, "Compression disabled"); return 0; /* success */ } /* also insert the obsolete ZLIB algorithm */ if(global->compression==COMP_ZLIB) { /* 224 - within the private range (193 to 255) */ COMP_METHOD *meth=COMP_zlib(); #if OPENSSL_VERSION_NUMBER>=0x10100000L if(!meth || COMP_get_type(meth)==NID_undef) { #else if(!meth || meth->type==NID_undef) { #endif s_log(LOG_ERR, "ZLIB compression is not supported"); return 1; } SSL_COMP_add_compression_method(0xe0, meth); } s_log(LOG_INFO, "Compression enabled: %d method(s)", sk_SSL_COMP_num(methods)); return 0; /* success */ } #endif /* OPENSSL_NO_COMP */ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) { int totbytes=0; char filename[256]; #ifndef USE_WIN32 int bytes; #endif filename[0]='\0'; /* if they specify a rand file on the command line we assume that they really do want it, so try it first */ if(global->rand_file) { totbytes+=add_rand_file(global, global->rand_file); if(RAND_status()) return 0; /* success */ } /* try the $RANDFILE or $HOME/.rnd files */ RAND_file_name(filename, 256); if(filename[0]) { totbytes+=add_rand_file(global, filename); if(RAND_status()) return 0; /* success */ } #ifdef RANDOM_FILE totbytes+=add_rand_file(global, RANDOM_FILE); if(RAND_status()) return 0; /* success */ #endif #ifdef USE_WIN32 RAND_screen(); if(RAND_status()) { s_log(LOG_DEBUG, "Seeded PRNG with RAND_screen"); return 0; /* success */ } s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG"); #else if(global->egd_sock) { if((bytes=RAND_egd(global->egd_sock))==-1) { s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock); bytes=0; } else { totbytes+=bytes; s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s", bytes, global->egd_sock); return 0; /* OpenSSL always gets what it needs or fails, so no need to check if seeded sufficiently */ } } /* try the good-old default /dev/urandom, if available */ totbytes+=add_rand_file(global, "/dev/urandom"); if(RAND_status()) return 0; /* success */ #endif /* USE_WIN32 */ /* random file specified during configure */ s_log(LOG_ERR, "PRNG seeded with %d bytes total", totbytes); s_log(LOG_ERR, "PRNG was not seeded with enough random bytes"); return 1; /* FAILED */ }
int ssl_init(void) { hlog(LOG_INFO, "Initializing OpenSSL, built against %s ...", OPENSSL_VERSION_TEXT); OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); ssl_thread_setup(); OpenSSL_add_all_algorithms(); load_tqsl_custom_objects(); #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef SSL_OP_NO_COMPRESSION { /* * Disable gzip compression in OpenSSL prior to 1.0.0 version, * this saves about 522K per connection. */ int n; STACK_OF(SSL_COMP) *ssl_comp_methods; ssl_comp_methods = SSL_COMP_get_compression_methods(); n = sk_SSL_COMP_num(ssl_comp_methods); while (n--) { (void) sk_SSL_COMP_pop(ssl_comp_methods); } } #endif #endif ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_connection_index == -1) { ssl_error(LOG_ERR, "SSL_get_ex_new_index for connection"); return -1; } ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_server_conf_index == -1) { ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for conf"); return -1; } ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_session_cache_index == -1) { ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for session cache"); return -1; } ssl_available = 1; return 0; }