Replace OnRehash() with ReadConfig() that is called on boot, on module load and on...
index 0c7362e6e09fd268d1748929aba9af0b30530d52..0957b5912f16c7a444b01f01e455b211b64eac84 100644 (file)
 # define MAX_DESCRIPTORS 10000
 #endif
 
-/* $ModDesc: Provides SSL support for clients */
-
-/* $LinkerFlags: if("USE_FREEBSD_BASE_SSL") -lssl -lcrypto */
-/* $CompileFlags: if(!"USE_FREEBSD_BASE_SSL") pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */
-/* $LinkerFlags: if(!"USE_FREEBSD_BASE_SSL") rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto -ldl") */
-
-/* $NoPedantic */
-
+/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") -Wno-pedantic */
+/* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */
 
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
 
@@ -101,7 +95,7 @@ static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx)
        return 1;
 }
 
-class OpenSSLIOHook : public IOHook
+class OpenSSLIOHook : public SSLIOHook
 {
  private:
        bool Handshake(StreamSocket* user, issl_session* session)
@@ -179,7 +173,6 @@ class OpenSSLIOHook : public IOHook
                session->cert = certinfo;
                unsigned int n;
                unsigned char md[EVP_MAX_MD_SIZE];
-               const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
 
                cert = SSL_get_peer_certificate((SSL*)session->sess);
 
@@ -191,7 +184,7 @@ class OpenSSLIOHook : public IOHook
 
                certinfo->invalid = (SSL_get_verify_result(session->sess) != X509_V_OK);
 
-               if (SelfSigned)
+               if (!SelfSigned)
                {
                        certinfo->unknownsigner = false;
                        certinfo->trusted = true;
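Review bot: The `SelfSigned` test is now the right way round, but `trusted` is still derived from a flag that is not part of `issl_session`; if it is the file-scope value written by the `OnVerify` callback whose tail is visible above, it reflects the most recent verify callback on any connection rather than this session's chain. Since `OnVerify` returns 1 unconditionally, a failed chain never aborts the handshake, so `invalid`/`trusted`/`unknownsigner` are the only signals consumers get and their provenance deserves a comment here, e.g. `// SelfSigned is written by OnVerify; NOTE(review): appears to be file-scope, not per-session — confirm`. The enclosing function starts and ends outside the hunk.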
@@ -226,10 +219,10 @@ class OpenSSLIOHook : public IOHook
        issl_session* sessions;
        SSL_CTX* ctx;
        SSL_CTX* clictx;
-       bool use_sha;
+       const EVP_MD *digest;
 
        OpenSSLIOHook(Module* mod)
-               : IOHook(mod, "ssl/openssl")
+               : SSLIOHook(mod, "ssl/openssl")
        {
                sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
        }
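Review bot: `digest` replaces `use_sha` with a raw pointer member, but the constructor that follows still initialises only `sessions`, so `digest` is indeterminate until the config code assigns it from `EVP_get_digestbyname`. Initialise it in the member-initialiser list, `: SSLIOHook(mod, "ssl/openssl"), digest(NULL)`, so that any fingerprint path reached before the first config read sees a NULL it can check rather than garbage. Whether a handshake can run before that first assignment is not visible in this hunk.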
@@ -255,7 +248,7 @@ class OpenSSLIOHook : public IOHook
 
                if (SSL_set_fd(session->sess, fd) == 0)
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd);
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd);
                        return;
                }
 
@@ -280,7 +273,7 @@ class OpenSSLIOHook : public IOHook
 
                if (SSL_set_fd(session->sess, fd) == 0)
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd);
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd);
                        return;
                }
 
@@ -440,6 +433,13 @@ class OpenSSLIOHook : public IOHook
                return 0;
        }
 
+       ssl_cert* GetCertificate(StreamSocket* sock) CXX11_OVERRIDE
+       {
+               int fd = sock->GetFd();
+               issl_session* session = &sessions[fd];
+               return session->cert;
+       }
+
        void TellCiphersAndFingerprint(LocalUser* user)
        {
                issl_session& s = sessions[user->eh.GetFd()];
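Review bot: `GetCertificate` indexes `sessions` with `sock->GetFd()` unchecked; the array is sized by `GetMaxFds()` in the constructor, so a negative value — if `GetFd()` reports an already-closed socket that way in this codebase — reads before the array. A guard `if (fd < 0) return NULL;` before the lookup keeps the new accessor from inheriting the unchecked index of the `OnRequest` handler it replaces. The enclosing class continues outside the hunk.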
@@ -490,8 +490,6 @@ class ModuleSSLOpenSSL : public Module
        {
                // Needs the flag as it ignores a plain /rehash
                OnModuleRehash(NULL,"ssl");
-               Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnHookIO, I_OnUserConnect };
-               ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
                ServerInstance->Modules->AddService(iohook);
        }
 
@@ -504,7 +502,7 @@ class ModuleSSLOpenSSL : public Module
                }
        }
 
-       void OnRehash(User* user) CXX11_OVERRIDE
+       void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
        {
                sslports.clear();
 
@@ -523,7 +521,7 @@ class ModuleSSLOpenSSL : public Module
                                        continue;
 
                                const std::string& portid = port->bind_desc;
-                               ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str());
+                               ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str());
 
                                if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
                                {
@@ -552,18 +550,18 @@ class ModuleSSLOpenSSL : public Module
                std::string certfile;
                std::string cafile;
                std::string dhfile;
-               OnRehash(user);
 
                ConfigTag* conf = ServerInstance->Config->ConfValue("openssl");
 
-               cafile   = conf->getString("cafile", CONFIG_PATH "/ca.pem");
-               certfile = conf->getString("certfile", CONFIG_PATH "/cert.pem");
-               keyfile  = conf->getString("keyfile", CONFIG_PATH "/key.pem");
-               dhfile   = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem");
+               cafile   = ServerInstance->Config->Paths.PrependConfig(conf->getString("cafile", "ca.pem"));
+               certfile = ServerInstance->Config->Paths.PrependConfig(conf->getString("certfile", "cert.pem"));
+               keyfile  = ServerInstance->Config->Paths.PrependConfig(conf->getString("keyfile", "key.pem"));
+               dhfile   = ServerInstance->Config->Paths.PrependConfig(conf->getString("dhfile", "dhparams.pem"));
                std::string hash = conf->getString("hash", "md5");
-               if (hash != "sha1" && hash != "md5")
+
+               iohook.digest = EVP_get_digestbyname(hash.c_str());
+               if (iohook.digest == NULL)
                        throw ModuleException("Unknown hash type " + hash);
-               iohook.use_sha = (hash == "sha1");
 
                std::string ciphers = conf->getString("ciphers", "");
 
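Review bot: `iohook.digest` is overwritten with the `EVP_get_digestbyname` result before it is validated, so a rehash naming an unknown hash leaves the hook holding NULL after the ModuleException is thrown; if the rehash path catches that exception and keeps the module loaded, every later fingerprint computation runs with a NULL digest. Look it up into a local first, `const EVP_MD* newdigest = EVP_get_digestbyname(hash.c_str());`, throw on NULL, and only then `iohook.digest = newdigest;`. A comment should also record that the lookup depends on OpenSSL's digest name table having been registered (SSL_library_init or OpenSSL_add_all_digests on pre-1.1 OpenSSL), which is not visible here. The `"md5"` default is kept on the context line above; since the option now accepts any registered digest, its documentation should mention that stronger digests such as sha256 are available for fingerprints. The function containing this code starts and ends outside the hunk.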
@@ -574,7 +572,7 @@ class ModuleSSLOpenSSL : public Module
                {
                        if ((!SSL_CTX_set_cipher_list(ctx, ciphers.c_str())) || (!SSL_CTX_set_cipher_list(clictx, ciphers.c_str())))
                        {
-                               ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't set cipher list to %s.", ciphers.c_str());
+                               ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't set cipher list to %s.", ciphers.c_str());
                                ERR_print_errors_cb(error_callback, this);
                        }
                }
@@ -584,20 +582,20 @@ class ModuleSSLOpenSSL : public Module
                 */
                if ((!SSL_CTX_use_certificate_chain_file(ctx, certfile.c_str())) || (!SSL_CTX_use_certificate_chain_file(clictx, certfile.c_str())))
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't read certificate file %s. %s", certfile.c_str(), strerror(errno));
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read certificate file %s. %s", certfile.c_str(), strerror(errno));
                        ERR_print_errors_cb(error_callback, this);
                }
 
                if (((!SSL_CTX_use_PrivateKey_file(ctx, keyfile.c_str(), SSL_FILETYPE_PEM))) || (!SSL_CTX_use_PrivateKey_file(clictx, keyfile.c_str(), SSL_FILETYPE_PEM)))
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't read key file %s. %s", keyfile.c_str(), strerror(errno));
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read key file %s. %s", keyfile.c_str(), strerror(errno));
                        ERR_print_errors_cb(error_callback, this);
                }
 
                /* Load the CAs we trust*/
                if (((!SSL_CTX_load_verify_locations(ctx, cafile.c_str(), 0))) || (!SSL_CTX_load_verify_locations(clictx, cafile.c_str(), 0)))
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl",LOG_DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno));
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno));
                        ERR_print_errors_cb(error_callback, this);
                }
 
@@ -606,7 +604,7 @@ class ModuleSSLOpenSSL : public Module
 
                if (dhpfile == NULL)
                {
-                       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so Couldn't open DH file %s: %s", dhfile.c_str(), strerror(errno));
+                       ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Couldn't open DH file %s: %s", dhfile.c_str(), strerror(errno));
                        throw ModuleException("Couldn't open DH file " + dhfile + ": " + strerror(errno));
                }
                else
@@ -614,7 +612,7 @@ class ModuleSSLOpenSSL : public Module
                        ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
                        if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0))
                        {
-                               ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str());
+                               ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str());
                                ERR_print_errors_cb(error_callback, this);
                        }
                }
@@ -653,23 +651,11 @@ class ModuleSSLOpenSSL : public Module
        {
                return Version("Provides SSL support for clients", VF_VENDOR);
        }
-
-       void OnRequest(Request& request) CXX11_OVERRIDE
-       {
-               if (strcmp("GET_SSL_CERT", request.id) == 0)
-               {
-                       SocketCertificateRequest& req = static_cast<SocketCertificateRequest&>(request);
-                       int fd = req.sock->GetFd();
-                       issl_session* session = &iohook.sessions[fd];
-
-                       req.cert = session->cert;
-               }
-       }
 };
 
 static int error_callback(const char *str, size_t len, void *u)
 {
-       ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "SSL error: " + std::string(str, len - 1));
+       ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "SSL error: " + std::string(str, len - 1));
 
        //
        // XXX: Remove this line, it causes valgrind warnings...