X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=0957b5912f16c7a444b01f01e455b211b64eac84;hb=c202dea024542b9c6c6b771bb9a3a081d9eacdc5;hp=0c7362e6e09fd268d1748929aba9af0b30530d52;hpb=79db1cf848c64ba50bebadef4c683ae4237080b7;p=user%2Fhenk%2Fcode%2Finspircd.git
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 0c7362e6e..0957b5912 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -48,14 +48,8 @@ # define MAX_DESCRIPTORS 10000 #endif -/* $ModDesc: Provides SSL support for clients */ - -/* $LinkerFlags: if("USE_FREEBSD_BASE_SSL") -lssl -lcrypto */ -/* $CompileFlags: if(!"USE_FREEBSD_BASE_SSL") pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */ -/* $LinkerFlags: if(!"USE_FREEBSD_BASE_SSL") rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto -ldl") */ - -/* $NoPedantic */ - +/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") -Wno-pedantic */ +/* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */ enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
@@ -101,7 +95,7 @@ static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) return 1; } -class OpenSSLIOHook : public IOHook +class OpenSSLIOHook : public SSLIOHook { private: bool Handshake(StreamSocket* user, issl_session* session)
@@ -179,7 +173,6 @@ class OpenSSLIOHook : public IOHook session->cert = certinfo; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5(); cert = SSL_get_peer_certificate((SSL*)session->sess);
@@ -191,7 +184,7 @@ class OpenSSLIOHook : public IOHook certinfo->invalid = (SSL_get_verify_result(session->sess) != X509_V_OK); - if (SelfSigned) + if (!SelfSigned) { certinfo->unknownsigner = false; certinfo->trusted = true;
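Review bot: With the condition flipped to `if (!SelfSigned)`, every peer certificate that is not self-signed is now reported with `certinfo->trusted = true` and `unknownsigner = false` regardless of the `certinfo->invalid` value computed two lines earlier from SSL_get_verify_result(), so a certificate whose chain failed verification can still be flagged as trusted. Unless SelfSigned (defined outside this hunk) already folds in the verify result, the trusted flag should depend on it, e.g. `certinfo->trusted = !certinfo->invalid;` in place of `certinfo->trusted = true;`. The else branch and the rest of the certificate routine lie outside the hunk, so the same consideration applies there.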
@@ -226,10 +219,10 @@ class OpenSSLIOHook : public IOHook issl_session* sessions; SSL_CTX* ctx; SSL_CTX* clictx; - bool use_sha; + const EVP_MD *digest; OpenSSLIOHook(Module* mod) - : IOHook(mod, "ssl/openssl") + : SSLIOHook(mod, "ssl/openssl") { sessions = new issl_session[ServerInstance->SE->GetMaxFds()]; }
@@ -255,7 +248,7 @@ class OpenSSLIOHook : public IOHook if (SSL_set_fd(session->sess, fd) == 0) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd); + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd); return; }
@@ -280,7 +273,7 @@ class OpenSSLIOHook : public IOHook if (SSL_set_fd(session->sess, fd) == 0) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd); + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: Can't set fd with SSL_set_fd: %d", fd); return; }
@@ -440,6 +433,13 @@ class OpenSSLIOHook : public IOHook return 0; } + ssl_cert* GetCertificate(StreamSocket* sock) CXX11_OVERRIDE + { + int fd = sock->GetFd(); + issl_session* session = &sessions[fd]; + return session->cert; + } + void TellCiphersAndFingerprint(LocalUser* user) { issl_session& s = sessions[user->eh.GetFd()];
@@ -490,8 +490,6 @@ class ModuleSSLOpenSSL : public Module { // Needs the flag as it ignores a plain /rehash OnModuleRehash(NULL,"ssl"); - Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnHookIO, I_OnUserConnect }; - ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation)); ServerInstance->Modules->AddService(iohook); }
@@ -504,7 +502,7 @@ class ModuleSSLOpenSSL : public Module } } - void OnRehash(User* user) CXX11_OVERRIDE + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { sslports.clear();
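Review bot: The new `const EVP_MD *digest` member is never initialised by the OpenSSLIOHook constructor, which only allocates `sessions`; it is assigned later in ReadConfig, so any fingerprinting path reached before that assignment reads an indeterminate pointer. Initialise it in the constructor, `: SSLIOHook(mod, "ssl/openssl"), digest(NULL)`, so a missing configuration surfaces as a null pointer that can be checked rather than undefined behaviour.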
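Review bot: The new `GetCertificate` indexes `sessions` with `sock->GetFd()` without validating the descriptor; `sessions` is sized by `ServerInstance->SE->GetMaxFds()` in the constructor, and if GetFd() can report -1 for a socket that has already been closed the lookup reads before the array. The removed OnRequest handler had the same gap, so this is the moment to close it: `if (fd < 0 || fd >= ServerInstance->SE->GetMaxFds()) return NULL;` before taking `&sessions[fd]`. The neighbouring `TellCiphersAndFingerprint` does the same unchecked indexing on its context line, but that is outside the changed code.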
@@ -523,7 +521,7 @@ class ModuleSSLOpenSSL : public Module continue; const std::string& portid = port->bind_desc; - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str()); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str()); if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1") {
@@ -552,18 +550,18 @@ class ModuleSSLOpenSSL : public Module std::string certfile; std::string cafile; std::string dhfile; - OnRehash(user); ConfigTag* conf = ServerInstance->Config->ConfValue("openssl"); - cafile = conf->getString("cafile", CONFIG_PATH "/ca.pem"); - certfile = conf->getString("certfile", CONFIG_PATH "/cert.pem"); - keyfile = conf->getString("keyfile", CONFIG_PATH "/key.pem"); - dhfile = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem"); + cafile = ServerInstance->Config->Paths.PrependConfig(conf->getString("cafile", "ca.pem")); + certfile = ServerInstance->Config->Paths.PrependConfig(conf->getString("certfile", "cert.pem")); + keyfile = ServerInstance->Config->Paths.PrependConfig(conf->getString("keyfile", "key.pem")); + dhfile = ServerInstance->Config->Paths.PrependConfig(conf->getString("dhfile", "dhparams.pem")); std::string hash = conf->getString("hash", "md5"); - if (hash != "sha1" && hash != "md5") + + iohook.digest = EVP_get_digestbyname(hash.c_str()); + if (iohook.digest == NULL) throw ModuleException("Unknown hash type " + hash); - iohook.use_sha = (hash == "sha1"); std::string ciphers = conf->getString("ciphers", "");
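Review bot: Replacing the sha1/md5 whitelist with `EVP_get_digestbyname` keeps "md5" as the default fingerprint digest and now accepts any digest OpenSSL can name, so weaker algorithms are no longer rejected; the fingerprint is what anything keyed on a client certificate will compare, and a collision-prone digest weakens that identification. Consider warning on the known-weak choices, e.g. `if (hash == "md5" || hash == "sha1") ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Fingerprint hash %s is not collision resistant; consider sha256", hash.c_str());` after the NULL check, and documenting "sha256" as the recommended value in the openssl tag. On older OpenSSL releases EVP_get_digestbyname only resolves digests that were registered (via OpenSSL_add_all_digests() or what SSL_library_init() adds); whether that registration happens is outside this hunk, so confirm it before relying on names beyond md5/sha1.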
@@ -574,7 +572,7 @@ class ModuleSSLOpenSSL : public Module { if ((!SSL_CTX_set_cipher_list(ctx, ciphers.c_str())) || (!SSL_CTX_set_cipher_list(clictx, ciphers.c_str()))) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't set cipher list to %s.", ciphers.c_str()); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't set cipher list to %s.", ciphers.c_str()); ERR_print_errors_cb(error_callback, this); } } 
@@ -584,20 +582,20 @@ class ModuleSSLOpenSSL : public Module */ if ((!SSL_CTX_use_certificate_chain_file(ctx, certfile.c_str())) || (!SSL_CTX_use_certificate_chain_file(clictx, certfile.c_str()))) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't read certificate file %s. %s", certfile.c_str(), strerror(errno)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read certificate file %s. %s", certfile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } if (((!SSL_CTX_use_PrivateKey_file(ctx, keyfile.c_str(), SSL_FILETYPE_PEM))) || (!SSL_CTX_use_PrivateKey_file(clictx, keyfile.c_str(), SSL_FILETYPE_PEM))) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Can't read key file %s. %s", keyfile.c_str(), strerror(errno)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read key file %s. %s", keyfile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } /* Load the CAs we trust*/ if (((!SSL_CTX_load_verify_locations(ctx, cafile.c_str(), 0))) || (!SSL_CTX_load_verify_locations(clictx, cafile.c_str(), 0))) { - ServerInstance->Logs->Log("m_ssl_openssl",LOG_DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } 
@@ -606,7 +604,7 @@ class ModuleSSLOpenSSL : public Module if (dhpfile == NULL) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so Couldn't open DH file %s: %s", dhfile.c_str(), strerror(errno)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Couldn't open DH file %s: %s", dhfile.c_str(), strerror(errno)); throw ModuleException("Couldn't open DH file " + dhfile + ": " + strerror(errno)); } else
@@ -614,7 +612,7 @@ class ModuleSSLOpenSSL : public Module ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL); if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0)) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str()); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str()); ERR_print_errors_cb(error_callback, this); } }
@@ -653,23 +651,11 @@ class ModuleSSLOpenSSL : public Module { return Version("Provides SSL support for clients", VF_VENDOR); } - - void OnRequest(Request& request) CXX11_OVERRIDE - { - if (strcmp("GET_SSL_CERT", request.id) == 0) - { - SocketCertificateRequest& req = static_cast(request); - int fd = req.sock->GetFd(); - issl_session* session = &iohook.sessions[fd]; - - req.cert = session->cert; - } - } }; static int error_callback(const char *str, size_t len, void *u) { - ServerInstance->Logs->Log("m_ssl_openssl", LOG_DEFAULT, "SSL error: " + std::string(str, len - 1)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "SSL error: " + std::string(str, len - 1)); // // XXX: Remove this line, it causes valgrind warnings...
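Review bot: The log line being renamed in the DH-parameter hunk sits behind `SSL_CTX_set_tmp_dh(...) < 0`, but SSL_CTX_set_tmp_dh returns 1 on success and 0 on failure, so that branch can never fire and a rejected or NULL `ret` (PEM_read_DHparams is not checked either) silently leaves both contexts without the configured DH parameters. The test should be `if (!SSL_CTX_set_tmp_dh(ctx, ret) || !SSL_CTX_set_tmp_dh(clictx, ret))`, and a NULL `ret` is worth reporting on its own before it is passed through. The surrounding dhfile handling starts and ends outside this hunk.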
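Review bot: The renamed `error_callback` log line still builds `std::string(str, len - 1)`, which wraps to a huge length if OpenSSL ever delivers an empty line; ERR_print_errors_cb normally includes the trailing newline so len is at least 1, but the guard is cheap and removes the dependence on that detail: `std::string(str, len ? len - 1 : 0)`. error_callback's body continues past the end of the hunk.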