X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=inline;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=3ebc8e4d91685b258e9961220790ad3c2a0f7ef4;hb=e59cb85871f75b7603c63c6cd274d57536cf6794;hp=8843c34f6a9a118b668749fa6979a97619416c50;hpb=bdfde49fb6d9a8787c072b759d4af27584308e1b;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 8843c34f6..3ebc8e4d9 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -24,8 +24,10 @@ /// $CompilerFlags: find_compiler_flags("openssl") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") +/// $PackageInfo: require_system("centos") openssl-devel pkgconfig /// $PackageInfo: require_system("darwin") openssl pkg-config -/// $PackageInfo: require_system("ubuntu" "16.04") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("ubuntu") libssl-dev openssl pkg-config #include "inspircd.h" @@ -46,15 +48,34 @@ #include #include +#include #ifdef _WIN32 # pragma comment(lib, "ssleay32.lib") # pragma comment(lib, "libeay32.lib") #endif -#if ((OPENSSL_VERSION_NUMBER >= 0x10000000L) && (!(defined(OPENSSL_NO_ECDH)))) -// OpenSSL 0.9.8 includes some ECC support, but it's unfinished. Enable only for 1.0.0 and later. -#define INSPIRCD_OPENSSL_ENABLE_ECDH +// Compatibility layer to allow OpenSSL 1.0 to use the 1.1 API. +#if ((defined LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)) + +// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0. +# define BIO_get_data(BIO) BIO->ptr +# define BIO_set_data(BIO, VALUE) BIO->ptr = VALUE; +# define BIO_set_init(BIO, VALUE) BIO->init = VALUE; + +// These functions have been renamed in OpenSSL 1.1. +# define OpenSSL_version SSLeay_version +# define X509_getm_notAfter X509_get_notAfter +# define X509_getm_notBefore X509_get_notBefore +# define OPENSSL_init_ssl(OPTIONS, SETTINGS) \ + SSL_library_init(); \ + SSL_load_error_strings(); + +// These macros have been renamed in OpenSSL 1.1. +# define OPENSSL_VERSION SSLEAY_VERSION + +#else +# define INSPIRCD_OPENSSL_OPAQUE_BIO #endif enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN }; @@ -119,7 +140,7 @@ namespace OpenSSL { // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html // and when choosing a cipher, use the server's preferences instead of the client preferences. - long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; + long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; // Only turn options on if they exist #ifdef SSL_OP_SINGLE_ECDH_USE opts |= SSL_OP_SINGLE_ECDH_USE; @@ -151,7 +172,7 @@ namespace OpenSSL return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0); } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH +#ifndef OPENSSL_NO_ECDH void SetECDH(const std::string& curvename) { int nid = OBJ_sn2nid(curvename.c_str()); @@ -194,6 +215,45 @@ namespace OpenSSL return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0); } + void SetCRL(const std::string& crlfile, const std::string& crlpath, const std::string& crlmode) + { + if (crlfile.empty() && crlpath.empty()) + return; + + /* Set CRL mode */ + unsigned long crlflags = X509_V_FLAG_CRL_CHECK; + if (stdalgo::string::equalsci(crlmode, "chain")) + { + crlflags |= X509_V_FLAG_CRL_CHECK_ALL; + } + else if (!stdalgo::string::equalsci(crlmode, "leaf")) + { + throw ModuleException("Unknown mode '" + crlmode + "'; expected either 'chain' (default) or 'leaf'"); + } + + /* Load CRL files */ + X509_STORE* store = SSL_CTX_get_cert_store(ctx); + if (!store) + { + throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + } + ERR_clear_error(); + if (!X509_STORE_load_locations(store, + crlfile.empty() ? NULL : crlfile.c_str(), + crlpath.empty() ? NULL : crlpath.c_str())) + { + int err = ERR_get_error(); + throw ModuleException("Unable to load CRL file '" + crlfile + "' or CRL path '" + crlpath + "': '" + (err ? ERR_error_string(err, NULL) : "unknown") + "'"); + } + + /* Set CRL mode */ + if (X509_STORE_set_flags(store, crlflags) != 1) + { + throw ModuleException("Unable to set X509 CRL flags"); + } + } + + long GetDefaultContextOptions() const { return ctx_options; @@ -229,7 +289,7 @@ namespace OpenSSL } }; - class Profile : public refcountbase + class Profile { /** Name of this profile */ @@ -274,15 +334,14 @@ namespace OpenSSL */ void SetContextOptions(const std::string& ctxname, ConfigTag* tag, Context& context) { - long setoptions = tag->getInt(ctxname + "setoptions"); - long clearoptions = tag->getInt(ctxname + "clearoptions"); + long setoptions = tag->getInt(ctxname + "setoptions", 0); + long clearoptions = tag->getInt(ctxname + "clearoptions", 0); #ifdef SSL_OP_NO_COMPRESSION if (!tag->getBool("compression", false)) // Disable compression by default setoptions |= SSL_OP_NO_COMPRESSION; #endif - if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default - setoptions |= SSL_OP_NO_SSLv3; - if (!tag->getBool("tlsv1", true)) + // Disable TLSv1.0 by default. + if (!tag->getBool("tlsv1", false)) setoptions |= SSL_OP_NO_TLSv1; if (!setoptions && !clearoptions) @@ -296,11 +355,11 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem"))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default - , outrecsize(tag->getInt("outrecsize", 2048, 512, 16384)) + , outrecsize(tag->getUInt("outrecsize", 2048, 512, 16384)) { if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); @@ -320,7 +379,7 @@ namespace OpenSSL } } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH +#ifndef OPENSSL_NO_ECDH std::string curvename = tag->getString("ecdhcurve", "prime256v1"); if (!curvename.empty()) ctx.SetECDH(curvename); @@ -354,6 +413,12 @@ namespace OpenSSL ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str()); } + // Load the CRLs. + std::string crlfile = tag->getString("crlfile"); + std::string crlpath = tag->getString("crlpath"); + std::string crlmode = tag->getString("crlmode", "chain"); + ctx.SetCRL(crlfile, crlpath, crlmode); + clictx.SetVerifyCert(); if (tag->getBool("requestclientcert", true)) ctx.SetVerifyCert(); @@ -371,7 +436,7 @@ namespace OpenSSL { static int create(BIO* bio) { - bio->init = 1; + BIO_set_init(bio, 1); return 1; } @@ -392,9 +457,25 @@ namespace OpenSSL static int read(BIO* bio, char* buf, int len); static int write(BIO* bio, const char* buf, int len); + +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + static BIO_METHOD* alloc() + { + BIO_METHOD* meth = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "inspircd"); + BIO_meth_set_write(meth, OpenSSL::BIOMethod::write); + BIO_meth_set_read(meth, OpenSSL::BIOMethod::read); + BIO_meth_set_ctrl(meth, OpenSSL::BIOMethod::ctrl); + BIO_meth_set_create(meth, OpenSSL::BIOMethod::create); + BIO_meth_set_destroy(meth, OpenSSL::BIOMethod::destroy); + return meth; + } +#endif } } +// BIO_METHOD is opaque in OpenSSL 1.1 so we can't do this. +// See OpenSSL::BIOMethod::alloc for the new method. +#ifndef INSPIRCD_OPENSSL_OPAQUE_BIO static BIO_METHOD biomethods = { (100 | BIO_TYPE_SOURCE_SINK), @@ -408,6 +489,9 @@ static BIO_METHOD biomethods = OpenSSL::BIOMethod::destroy, // destroy, does nothing, see function body for more info NULL // callback_ctrl }; +#else +static BIO_METHOD* biomethods; +#endif static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) { @@ -429,7 +513,6 @@ class OpenSSLIOHook : public SSLIOHook SSL* sess; issl_status status; bool data_to_write; - reference profile; // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed int Handshake(StreamSocket* user) @@ -529,7 +612,7 @@ class OpenSSLIOHook : public SSLIOHook if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) certinfo->issuer.clear(); - if (!X509_digest(cert, profile->GetDigest(), md, &n)) + if (!X509_digest(cert, GetProfile().GetDigest(), md, &n)) { certinfo->error = "Out of memory generating fingerprint"; } @@ -538,7 +621,7 @@ class OpenSSLIOHook : public SSLIOHook certinfo->fingerprint = BinToHex(md, n); } - if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), ServerInstance->Time()) == 0)) + if ((ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time()) == 0)) { certinfo->error = "Not activated, or expired certificate"; } @@ -550,14 +633,14 @@ class OpenSSLIOHook : public SSLIOHook { if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN)) { - if (profile->AllowRenegotiation()) + if (GetProfile().AllowRenegotiation()) return; // The other side is trying to renegotiate, kill the connection and change status // to ISSL_NONE so CheckRenego() closes the session status = ISSL_NONE; BIO* bio = SSL_get_rbio(sess); - EventHandler* eh = static_cast(bio->ptr); + EventHandler* eh = static_cast(BIO_get_data(bio)); SocketEngine::Shutdown(eh, 2); } } @@ -592,16 +675,19 @@ class OpenSSLIOHook : public SSLIOHook friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc); public: - OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session, const reference& sslprofile) + OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session) : SSLIOHook(hookprov) , sess(session) , status(ISSL_NONE) , data_to_write(false) - , profile(sslprofile) { // Create BIO instance and store a pointer to the socket in it which will be used by the read and write functions +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + BIO* bio = BIO_new(biomethods); +#else BIO* bio = BIO_new(&biomethods); - bio->ptr = sock; +#endif + BIO_set_data(bio, sock); SSL_set_bio(sess, bio, bio); SSL_set_ex_data(sess, exdataindex, this); @@ -687,7 +773,7 @@ class OpenSSLIOHook : public SSLIOHook while (!sendq.empty()) { ERR_clear_error(); - FlattenSendQueue(sendq, profile->GetOutgoingRecordSize()); + FlattenSendQueue(sendq, GetProfile().GetOutgoingRecordSize()); const StreamSocket::SendQueue::Element& buffer = sendq.front(); int ret = SSL_write(sess, buffer.data(), buffer.size()); @@ -745,7 +831,18 @@ class OpenSSLIOHook : public SSLIOHook out.append(SSL_get_cipher(sess)); } + bool GetServerName(std::string& out) const CXX11_OVERRIDE + { + const char* name = SSL_get_servername(sess, TLSEXT_NAMETYPE_host_name); + if (!name) + return false; + + out.append(name); + return true; + } + bool IsHandshakeDone() const { return (status == ISSL_OPEN); } + OpenSSL::Profile& GetProfile(); }; static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc) @@ -758,7 +855,7 @@ static int OpenSSL::BIOMethod::write(BIO* bio, const char* buffer, int size) { BIO_clear_retry_flags(bio); - StreamSocket* sock = static_cast(bio->ptr); + StreamSocket* sock = static_cast(BIO_get_data(bio)); if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK) { // Writes blocked earlier, don't retry syscall @@ -781,7 +878,7 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) { BIO_clear_retry_flags(bio); - StreamSocket* sock = static_cast(bio->ptr); + StreamSocket* sock = static_cast(BIO_get_data(bio)); if (sock->GetEventMask() & FD_READ_WILL_BLOCK) { // Reads blocked earlier, don't retry syscall @@ -800,14 +897,14 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) return ret; } -class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider +class OpenSSLIOHookProvider : public IOHookProvider { - reference profile; + OpenSSL::Profile profile; public: - OpenSSLIOHookProvider(Module* mod, reference& prof) - : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL) - , profile(prof) + OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag) + : IOHookProvider(mod, "ssl/" + profilename, IOHookProvider::IOH_SSL) + , profile(profilename, tag) { ServerInstance->Modules->AddService(*this); } @@ -819,15 +916,23 @@ class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateServerSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateServerSession()); } void OnConnect(StreamSocket* sock) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateClientSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateClientSession()); } + + OpenSSL::Profile& GetProfile() { return profile; } }; +OpenSSL::Profile& OpenSSLIOHook::GetProfile() +{ + IOHookProvider* hookprov = prov; + return static_cast(hookprov)->GetProfile(); +} + class ModuleSSLOpenSSL : public Module { typedef std::vector > ProfileList; @@ -847,8 +952,7 @@ class ModuleSSLOpenSSL : public Module try { - reference profile(new OpenSSL::Profile(defname, tag)); - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + newprofiles.push_back(new OpenSSLIOHookProvider(this, defname, tag)); } catch (OpenSSL::Exception& ex) { @@ -859,7 +963,7 @@ class ModuleSSLOpenSSL : public Module for (ConfigIter i = tags.first; i != tags.second; ++i) { ConfigTag* tag = i->second; - if (tag->getString("provider") != "openssl") + if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) continue; std::string name = tag->getString("name"); @@ -869,17 +973,23 @@ class ModuleSSLOpenSSL : public Module continue; } - reference profile; + reference prov; try { - profile = new OpenSSL::Profile(name, tag); + prov = new OpenSSLIOHookProvider(this, name, tag); } catch (CoreException& ex) { throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + newprofiles.push_back(prov); + } + + for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i) + { + OpenSSLIOHookProvider& prov = **i; + ServerInstance->Modules.DelService(prov); } profiles.swap(newprofiles); @@ -889,13 +999,20 @@ class ModuleSSLOpenSSL : public Module ModuleSSLOpenSSL() { // Initialize OpenSSL - SSL_library_init(); - SSL_load_error_strings(); + OPENSSL_init_ssl(0, NULL); +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + biomethods = OpenSSL::BIOMethod::alloc(); + } + + ~ModuleSSLOpenSSL() + { + BIO_meth_free(biomethods); +#endif } void init() CXX11_OVERRIDE { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", SSLeay_version(SSLEAY_VERSION)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", OpenSSL_version(OPENSSL_VERSION)); // Register application specific data char exdatastr[] = "inspircd"; @@ -921,9 +1038,9 @@ class ModuleSSLOpenSSL : public Module } } - void OnCleanup(int target_type, void* item) CXX11_OVERRIDE + void OnCleanup(ExtensionItem::ExtensibleType type, Extensible* item) CXX11_OVERRIDE { - if (target_type == TYPE_USER) + if (type == ExtensionItem::EXT_USER) { LocalUser* user = IS_LOCAL((User*)item); @@ -946,7 +1063,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support for clients", VF_VENDOR); + return Version("Provides SSL support via OpenSSL", VF_VENDOR); } };