#include "ssl.h"
#ifdef WINDOWS
-#pragma comment(lib, "libeay32MTd")
-#pragma comment(lib, "ssleay32MTd")
-#undef MAX_DESCRIPTORS
-#define MAX_DESCRIPTORS 10000
+# pragma comment(lib, "libcrypto.lib")
+# pragma comment(lib, "libssl.lib")
+# pragma comment(lib, "user32.lib")
+# pragma comment(lib, "advapi32.lib")
+# pragma comment(lib, "libgcc.lib")
+# pragma comment(lib, "libmingwex.lib")
+# pragma comment(lib, "gdi32.lib")
+# undef MAX_DESCRIPTORS
+# define MAX_DESCRIPTORS 10000
#endif
/* $ModDesc: Provides SSL support for clients */
/* $CompileFlags: if(!"USE_FREEBSD_BASE_SSL") pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */
/* $LinkerFlags: if(!"USE_FREEBSD_BASE_SSL") rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto -ldl") */
-/* $ModDep: transport.h */
/* $NoPedantic */
-/* $CopyInstall: conf/key.pem $(CONPATH) */
-/* $CopyInstall: conf/cert.pem $(CONPATH) */
enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
char cipher[MAXBUF];
- std::string keyfile;
- std::string certfile;
- std::string cafile;
- // std::string crlfile;
- std::string dhfile;
std::string sslports;
+ bool use_sha;
ServiceProvider iohook;
public:
ModuleSSLOpenSSL() : iohook(this, "ssl/openssl", SERVICE_IOHOOK)
{
-
sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
// Not rehashable...because I cba to reduce all the sizes of existing buffers.
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
SSL_CTX_set_verify(clictx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+ }
+ void init()
+ {
// Needs the flag as it ignores a plain /rehash
OnModuleRehash(NULL,"ssl");
Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnHookIO, I_OnUserConnect };
void OnRehash(User* user)
{
- ConfigReader Conf;
-
sslports.clear();
- for (size_t i = 0; i < ServerInstance->ports.size(); i++)
+ ConfigTag* Conf = ServerInstance->Config->ConfValue("openssl");
+
+ if (Conf->getBool("showports", true))
{
- ListenSocket* port = ServerInstance->ports[i];
- if (port->bind_tag->getString("ssl") != "openssl")
- continue;
-
- std::string portid = port->bind_desc;
- ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str());
- if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
- sslports.append(portid).append(";");
- }
+ for (size_t i = 0; i < ServerInstance->ports.size(); i++)
+ {
+ ListenSocket* port = ServerInstance->ports[i];
+ if (port->bind_tag->getString("ssl") != "openssl")
+ continue;
+
+ std::string portid = port->bind_desc;
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str());
+ if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
+ sslports.append(portid).append(";");
+ }
- if (!sslports.empty())
- sslports.erase(sslports.end() - 1);
+ if (!sslports.empty())
+ sslports.erase(sslports.end() - 1);
+ }
}
void OnModuleRehash(User* user, const std::string ¶m)
if (param != "ssl")
return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string dhfile;
OnRehash(user);
- ConfigReader Conf;
-
- cafile = Conf.ReadValue("openssl", "cafile", 0);
- certfile = Conf.ReadValue("openssl", "certfile", 0);
- keyfile = Conf.ReadValue("openssl", "keyfile", 0);
- dhfile = Conf.ReadValue("openssl", "dhfile", 0);
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
+ ConfigTag* conf = ServerInstance->Config->ConfValue("openssl");
- if (certfile.empty())
- certfile = "conf/cert.pem";
+ cafile = conf->getString("cafile", "conf/ca.pem");
+ certfile = conf->getString("certfile", "conf/cert.pem");
+ keyfile = conf->getString("keyfile", "conf/key.pem");
+ dhfile = conf->getString("dhfile", "conf/dhparams.pem");
+ std::string hash = conf->getString("hash", "md5");
+ if (hash != "sha1" && hash != "md5")
+ throw ModuleException("Unknown hash type " + hash);
+ use_sha = (hash == "sha1");
- if (keyfile.empty())
- keyfile = "conf/key.pem";
-
- if (dhfile.empty())
- dhfile = "conf/dhparams.pem";
/* Load our keys and certificates
* NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
{
if (user->eh.GetIOHook() == this)
{
- if (sessions[user->GetFd()].sess)
+ if (sessions[user->eh.GetFd()].sess)
{
- SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
+ if (!sessions[user->eh.GetFd()].cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint %s",
+ user->nick.c_str(), sessions[user->eh.GetFd()].cert->fingerprint.c_str());
}
}
}
char* buffer = ServerInstance->GetReadBuffer();
size_t bufsiz = ServerInstance->Config->NetBufferSize;
int ret = SSL_read(session->sess, buffer, bufsiz);
-
+
if (ret > 0)
{
recvq.append(buffer, ret);
+ if (session->data_to_write)
+ ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_SINGLE_WRITE);
return 1;
}
else if (ret == 0)
}
else if (err == SSL_ERROR_WANT_READ)
{
- ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
+ ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ);
return 0;
}
else
session->cert = certinfo;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *digest = EVP_md5();
+ const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
cert = SSL_get_peer_certificate((SSL*)session->sess);