Simplify Nsock SSL init API

Replaced nsock_pool_ssl_init_max_speed() by a NSOCK_SSL_MAX_SPEED
flag to be passed to nsock_pool_ssl_init(). Default (flag=0) means
secure.

ncat/ncat_connect.c

@@ -889,7 +889,7 @@ int ncat_connect(void)
     nsock_pool_set_broadcast(mypool, 1);
 
 #ifdef HAVE_OPENSSL
-    set_ssl_ctx_options((SSL_CTX *) nsock_pool_ssl_init(mypool));
+    set_ssl_ctx_options((SSL_CTX *) nsock_pool_ssl_init(mypool, 0));
 #endif
 
     if (!o.proxytype) {

nse_nsock.cc

@@ -1110,7 +1110,7 @@ LUALIB_API int luaopen_nsock (lua_State *L)
 
 #if HAVE_OPENSSL
   /* Value speed over security in SSL connections. */
-  nsock_pool_ssl_init_max_speed(nsp);
+  nsock_pool_ssl_init(nsp, NSOCK_SSL_MAX_SPEED);
 #endif
 
   luaL_newlibtable(L, l_nsock);

nsock/include/nsock.h

@@ -230,13 +230,24 @@ void nsock_pool_set_device(nsock_pool nsp, const char *device);
 
 /* Initializes an Nsock pool to create SSL connections. This sets an internal
  * SSL_CTX, which is like a template that sets options for all connections that
- * are made from it. Returns the SSL_CTX so you can set your own options. */
-nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool);
-
-/* Initializes an Nsock pool to create SSL connections that emphasize speed over
- * security. Insecure ciphers are used when they are faster and no certificate
- * verification is done. Returns the SSL_CTX so you can set your own options. */
-nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool);
+ * are made from it. Returns the SSL_CTX so you can set your own options.
+ *
+ * Use the NSOCK_SSL_MAX_SPEED to emphasize speed over security.
+ * Insecure ciphers are used when they are faster and no certificate
+ * verification is done.
+ *
+ * Returns the SSL_CTX so you can set your own options.
+ * By default, do no server certificate verification. To enable it, do
+ * something like:
+ *    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ *
+ *  on the SSL_CTX returned. If you do, it is then up to the application to
+ *  load trusted certificates with SSL_CTX_load_verify_locations or
+ *  SSL_CTX_set_default_verify_paths, or else every connection will fail. It
+ *  is also up to the application to do any further checks such as domain name
+ *  validation. */
+#define NSOCK_SSL_MAX_SPEED (1 << 0)
+nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags);
 
 /* Enforce use of a given IO engine.
  * The engine parameter is a zero-terminated string that will be

nsock/src/nsock_connect.c

@@ -397,7 +397,7 @@ nsock_event_id nsock_connect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handl
   struct nevent *nse;
 
   if (!ms->sslctx)
-    nsock_pool_ssl_init(ms);
+    nsock_pool_ssl_init(ms, 0);
 
   assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
 
@@ -435,7 +435,7 @@ nsock_event_id nsock_reconnect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_han
   struct nevent *nse;
 
   if (!ms->sslctx)
-    nsock_pool_ssl_init(ms);
+    nsock_pool_ssl_init(ms, 0);
 
   nse = event_new(ms, NSE_TYPE_CONNECT_SSL, nsi, timeout_msecs, handler, userdata);
   assert(nse);

nsock/src/nsock_ssl.c

@@ -80,8 +80,7 @@
 
 extern struct timeval nsock_tod;
 
-/* Create an SSL_CTX and do initialization that is common to nsock_pool_ssl_init and
- * nsock_pool_ssl_init_max_speed. */
+/* Create an SSL_CTX and do initialization that is common to all init modes. */
 static SSL_CTX *ssl_init_common() {
   SSL_CTX *ctx;
 
@@ -109,65 +108,38 @@ static SSL_CTX *ssl_init_common() {
  * are made from it. The connections made from this context will use only secure
  * ciphers but no server certificate verification is done. Returns the SSL_CTX
  * so you can set your own options. */
-nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool) {
+nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags) {
   struct npool *ms = (struct npool *)ms_pool;
   char rndbuf[128];
 
   if (ms->sslctx == NULL)
     ms->sslctx = ssl_init_common();
 
-  /* get_random_bytes may or may not provide high-quality randomness. Add it to
+  /* Get_random_bytes may or may not provide high-quality randomness. Add it to
    * the entropy pool without increasing the entropy estimate (third argument of
    * RAND_add is 0). We rely on OpenSSL's entropy gathering, called implicitly
    * by RAND_status, to give us what we need, or else bail out if it fails. */
   get_random_bytes(rndbuf, sizeof(rndbuf));
   RAND_add(rndbuf, sizeof(rndbuf), 0);
-  if (!RAND_status())
-    fatal("nsock_pool_ssl_init: Failed to seed OpenSSL PRNG (RAND_status returned false).");
 
-  /* By default, do no server certificate verification. To enable it, do
-   * something like:
-   *    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
-   *
-   *  on the SSL_CTX returned. If you do, it is then up to the application to
-   *  load trusted certificates with SSL_CTX_load_verify_locations or
-   *  SSL_CTX_set_default_verify_paths, or else every connection will fail. It
-   *  is also up to the application to do any further checks such as domain name
-   *  validation. */
-  SSL_CTX_set_verify(ms->sslctx, SSL_VERIFY_NONE, NULL);
+  if (!(flags & NSOCK_SSL_MAX_SPEED)) {
+    if (!RAND_status())
+      fatal("%s: Failed to seed OpenSSL PRNG"
+            " (RAND_status returned false).", __func__);
+  }
 
   /* SSL_OP_ALL sets bug-compatibility for pretty much everything.
    * SSL_OP_NO_SSLv2 disables the less-secure SSLv2 while allowing us to use the
    * SSLv2-compatible SSLv23_client_method. */
-  SSL_CTX_set_options(ms->sslctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
-
-  if (!SSL_CTX_set_cipher_list(ms->sslctx, CIPHERS_SECURE)) {
-    fatal("Unable to set OpenSSL cipher list: %s",
-          ERR_error_string(ERR_get_error(), NULL));
-  }
-  return ms->sslctx;
-}
-
-/* Initializes an Nsock pool to create SSL connections that emphasize speed over
- * security. Insecure ciphers are used when they are faster and no certificate
- * verification is done. Returns the SSL_CTX so you can set your own options. */
-nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool) {
-  struct npool *ms = (struct npool *)ms_pool;
-  char rndbuf[128];
-
-  if (ms->sslctx == NULL)
-    ms->sslctx = ssl_init_common();
-
-  /* get_random_bytes may or may not provide high-quality randomness. */
-  get_random_bytes(rndbuf, sizeof(rndbuf));
-  RAND_seed(rndbuf, sizeof(rndbuf));
-
   SSL_CTX_set_verify(ms->sslctx, SSL_VERIFY_NONE, NULL);
-  SSL_CTX_set_options(ms->sslctx, SSL_OP_ALL);
-  if (!SSL_CTX_set_cipher_list(ms->sslctx, CIPHERS_FAST)) {
+  SSL_CTX_set_options(ms->sslctx, flags & NSOCK_SSL_MAX_SPEED ?
+                                  SSL_OP_ALL : SSL_OP_ALL|SSL_OP_NO_SSLv2);
+
+  if (!SSL_CTX_set_cipher_list(ms->sslctx, flags & NSOCK_SSL_MAX_SPEED ?
+                                           CIPHERS_FAST : CIPHERS_SECURE))
     fatal("Unable to set OpenSSL cipher list: %s",
           ERR_error_string(ERR_get_error(), NULL));
-  }
+
   return ms->sslctx;
 }
 
@@ -201,11 +173,7 @@ int nsi_ssl_post_connect_verify(const nsock_iod nsockiod) {
 
 #else /* NOT HAVE_OPENSSL */
 
-nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool) {
-  fatal("%s called with no OpenSSL support", __func__);
-}
-
-nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool) {
+nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags) {
   fatal("%s called with no OpenSSL support", __func__);
 }
 

service_scan.cc

@@ -2766,7 +2766,7 @@ int service_scan(std::vector<Target *> &Targets) {
 
 #if HAVE_OPENSSL
   /* We don't care about connection security in version detection. */
-  nsock_pool_ssl_init_max_speed(nsp);
+  nsock_pool_ssl_init(nsp, NSOCK_SSL_MAX_SPEED);
 #endif
 
   launchSomeServiceProbes(nsp, SG);