/*
* InspIRCd -- Internet Relay Chat Daemon
*
- * Copyright (C) 2016 Attila Molnar <attilamolnar@hush.com>
+ * Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
+ * Copyright (C) 2016-2021 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2016-2017 Attila Molnar <attilamolnar@hush.com>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
* redistribute it and/or modify it under the terms of the GNU General Public
/// $LinkerFlags: -lmbedtls
+/// $PackageInfo: require_system("arch") mbedtls
/// $PackageInfo: require_system("darwin") mbedtls
/// $PackageInfo: require_system("debian" "9.0") libmbedtls-dev
/// $PackageInfo: require_system("ubuntu" "16.04") libmbedtls-dev
#include "inspircd.h"
#include "modules/ssl.h"
+// Fix warnings about the use of commas at end of enumerator lists on C++03.
+#if defined __clang__
+# pragma clang diagnostic ignored "-Wc++11-extensions"
+#elif defined __GNUC__
+# if (__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 8))
+# pragma GCC diagnostic ignored "-Wpedantic"
+# else
+# pragma GCC diagnostic ignored "-pedantic"
+# endif
+#endif
+
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/dhm.h>
#include <mbedtls/ecp.h>
Config(const std::string& profilename, ConfigTag* tag, CTRDRBG& ctr_drbg)
: name(profilename)
, ctrdrbg(ctr_drbg)
- , certstr(ReadFile(tag->getString("certfile", "cert.pem")))
- , keystr(ReadFile(tag->getString("keyfile", "key.pem")))
- , dhstr(ReadFile(tag->getString("dhfile", "dhparams.pem")))
+ , certstr(ReadFile(tag->getString("certfile", "cert.pem", 1)))
+ , keystr(ReadFile(tag->getString("keyfile", "key.pem", 1)))
+ , dhstr(ReadFile(tag->getString("dhfile", "dhparams.pem", 1)))
, ciphersuitestr(tag->getString("ciphersuites"))
, curvestr(tag->getString("curves"))
, mindh(tag->getUInt("mindhbits", 2048))
- , hashstr(tag->getString("hash", "sha256"))
+ , hashstr(tag->getString("hash", "sha256", 1))
, castr(tag->getString("cafile"))
, minver(tag->getUInt("minver", 0))
, maxver(tag->getUInt("maxver", 0))
}
CloseSession();
- sock->SetError("No SSL session");
+ sock->SetError("No TLS (SSL) session");
return -1;
}
bool IsHandshakeDone() const { return (status == ISSL_HANDSHAKEN); }
};
-class mbedTLSIOHookProvider : public IOHookProvider
+class mbedTLSIOHookProvider : public SSLIOHookProvider
{
mbedTLS::Profile profile;
public:
- mbedTLSIOHookProvider(Module* mod, mbedTLS::Profile::Config& config)
- : IOHookProvider(mod, "ssl/" + config.name, IOHookProvider::IOH_SSL)
+ mbedTLSIOHookProvider(Module* mod, mbedTLS::Profile::Config& config)
+ : SSLIOHookProvider(mod, config.name)
, profile(config)
{
ServerInstance->Modules->AddService(*this);
{
// First, store all profiles in a new, temporary container. If no problems occur, swap the two
// containers; this way if something goes wrong we can go back and continue using the current profiles,
- // avoiding unpleasant situations where no new SSL connections are possible.
+ // avoiding unpleasant situations where no new TLS (SSL) connections are possible.
ProfileList newprofiles;
ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
// No <sslprofile> tags found, create a profile named "mbedtls" from settings in the <mbedtls> block
const std::string defname = "mbedtls";
ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
- ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the <mbedtls> tag");
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the deprecated <mbedtls> tag");
try
{
}
catch (CoreException& ex)
{
- throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
+ throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason());
}
}
-
- for (ConfigIter i = tags.first; i != tags.second; ++i)
+ else
{
- ConfigTag* tag = i->second;
- if (tag->getString("provider") != "mbedtls")
- continue;
-
- std::string name = tag->getString("name");
- if (name.empty())
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an <sslprofile> tag; you should use this in place of \"mbedtls\" when configuring TLS (SSL) connections in <bind:sslprofile> or <link:sslprofile>");
+ for (ConfigIter i = tags.first; i != tags.second; ++i)
{
- ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
- continue;
- }
+ ConfigTag* tag = i->second;
+ if (!stdalgo::string::equalsci(tag->getString("provider"), "mbedtls"))
+ {
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring non-mbedTLS <sslprofile> tag at " + tag->getTagLocation());
+ continue;
+ }
- reference<mbedTLSIOHookProvider> prov;
- try
- {
- mbedTLS::Profile::Config profileconfig(name, tag, ctr_drbg);
- prov = new mbedTLSIOHookProvider(this, profileconfig);
- }
- catch (CoreException& ex)
- {
- throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
- }
+ std::string name = tag->getString("name");
+ if (name.empty())
+ {
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
+ continue;
+ }
- newprofiles.push_back(prov);
+ reference<mbedTLSIOHookProvider> prov;
+ try
+ {
+ mbedTLS::Profile::Config profileconfig(name, tag, ctr_drbg);
+ prov = new mbedTLSIOHookProvider(this, profileconfig);
+ }
+ catch (CoreException& ex)
+ {
+ throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
+ }
+
+ newprofiles.push_back(prov);
+ }
}
// New profiles are ok, begin using them
void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE
{
- if (param != "ssl")
+ if (!irc::equals(param, "tls") && !irc::equals(param, "ssl"))
return;
try
{
ReadProfiles();
+ ServerInstance->SNO->WriteToSnoMask('a', "mbedTLS TLS (SSL) profiles have been reloaded.");
}
catch (ModuleException& ex)
{
LocalUser* user = IS_LOCAL(static_cast<User*>(item));
if ((user) && (user->eh.GetModHook(this)))
{
- // User is using SSL, they're a local user, and they're using our IOHook.
- // Potentially there could be multiple SSL modules loaded at once on different ports.
- ServerInstance->Users.QuitUser(user, "SSL module unloading");
+ // User is using TLS (SSL), they're a local user, and they're using our IOHook.
+ // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
+ ServerInstance->Users.QuitUser(user, "mbedTLS module unloading");
}
}
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Provides SSL support via mbedTLS (PolarSSL)", VF_VENDOR);
+ return Version("Allows TLS (SSL) encrypted connections using the mbedTLS library.", VF_VENDOR);
}
};
projects / user / henk / code / inspircd.git / blobdiff