X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=0f4e2d71397dfa5c618fabdd02eef71a3e8467bc;hb=d848034590bc402277da975b7efdbc78ce1722fc;hp=bda9180b7e892db3985891e15fb6970dd6e567d8;hpb=596c41702569b4ffe7360dbb123f14b4fc57caed;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index bda9180b7..0f4e2d713 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,12 +1,20 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2020 Matt Schatz + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2017 Wade Cline + * Copyright (C) 2014, 2016 Adam + * Copyright (C) 2014 Julien Vehent + * Copyright (C) 2013-2014, 2016-2021 Sadie Powell + * Copyright (C) 2012-2017 Attila Molnar + * Copyright (C) 2012 Robby + * Copyright (C) 2012 ChrisTX * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2008 Thomas Stagner + * Copyright (C) 2008 Robin Burchell * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton + * Copyright (C) 2006-2008, 2010 Craig Edwards + * Copyright (C) 2006 Oliver Lupton * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -21,23 +29,36 @@ * along with this program. If not, see . */ -/// $CompilerFlags: find_compiler_flags("openssl") +/// $CompilerFlags: find_compiler_flags("openssl" "") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") +/// $PackageInfo: require_system("arch") openssl pkgconf /// $PackageInfo: require_system("centos") openssl-devel pkgconfig /// $PackageInfo: require_system("darwin") openssl pkg-config -/// $PackageInfo: require_system("ubuntu" "16.04") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("ubuntu") libssl-dev openssl pkg-config #include "inspircd.h" #include "iohook.h" #include "modules/ssl.h" +#ifdef __GNUC__ +# pragma GCC diagnostic push +#endif + // Ignore OpenSSL deprecation warnings on OS X Lion and newer. #if defined __APPLE__ # pragma GCC diagnostic ignored "-Wdeprecated-declarations" #endif +// LibreSSL lies about the version of OpenSSL it is compatible with and is a general pain +// to support. Support for it was removed in the master branch at the same time that +// support for OpenSSL pre-1.1 was. +#if defined __GNUC__ && defined LIBRESSL_VERSION_NUMBER +# warning LibreSSL support will be discontinued in the future. Consider using the ssl_gnutls or ssl_mbedtls modules instead. +#endif + // Fix warnings about the use of `long long` on C++03. #if defined __clang__ # pragma clang diagnostic ignored "-Wc++11-long-long" @@ -47,22 +68,36 @@ #include #include +#include + +#ifdef __GNUC__ +# pragma GCC diagnostic pop +#endif #ifdef _WIN32 # pragma comment(lib, "ssleay32.lib") # pragma comment(lib, "libeay32.lib") #endif -#if ((OPENSSL_VERSION_NUMBER >= 0x10000000L) && (!(defined(OPENSSL_NO_ECDH)))) -// OpenSSL 0.9.8 includes some ECC support, but it's unfinished. Enable only for 1.0.0 and later. -#define INSPIRCD_OPENSSL_ENABLE_ECDH -#endif - -// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0 and older. +// Compatibility layer to allow OpenSSL 1.0 to use the 1.1 API. #if ((defined LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)) + +// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0. # define BIO_get_data(BIO) BIO->ptr # define BIO_set_data(BIO, VALUE) BIO->ptr = VALUE; # define BIO_set_init(BIO, VALUE) BIO->init = VALUE; + +// These functions have been renamed in OpenSSL 1.1. +# define OpenSSL_version SSLeay_version +# define X509_getm_notAfter X509_get_notAfter +# define X509_getm_notBefore X509_get_notBefore +# define OPENSSL_init_ssl(OPTIONS, SETTINGS) \ + SSL_library_init(); \ + SSL_load_error_strings(); + +// These macros have been renamed in OpenSSL 1.1. +# define OPENSSL_VERSION SSLEAY_VERSION + #else # define INSPIRCD_OPENSSL_OPAQUE_BIO #endif @@ -129,7 +164,7 @@ namespace OpenSSL { // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html // and when choosing a cipher, use the server's preferences instead of the client preferences. - long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; + long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; // Only turn options on if they exist #ifdef SSL_OP_SINGLE_ECDH_USE opts |= SSL_OP_SINGLE_ECDH_USE; @@ -161,7 +196,7 @@ namespace OpenSSL return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0); } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH +#ifndef OPENSSL_NO_ECDH void SetECDH(const std::string& curvename) { int nid = OBJ_sn2nid(curvename.c_str()); @@ -204,6 +239,45 @@ namespace OpenSSL return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0); } + void SetCRL(const std::string& crlfile, const std::string& crlpath, const std::string& crlmode) + { + if (crlfile.empty() && crlpath.empty()) + return; + + /* Set CRL mode */ + unsigned long crlflags = X509_V_FLAG_CRL_CHECK; + if (stdalgo::string::equalsci(crlmode, "chain")) + { + crlflags |= X509_V_FLAG_CRL_CHECK_ALL; + } + else if (!stdalgo::string::equalsci(crlmode, "leaf")) + { + throw ModuleException("Unknown mode '" + crlmode + "'; expected either 'chain' (default) or 'leaf'"); + } + + /* Load CRL files */ + X509_STORE* store = SSL_CTX_get_cert_store(ctx); + if (!store) + { + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); + } + ERR_clear_error(); + if (!X509_STORE_load_locations(store, + crlfile.empty() ? NULL : crlfile.c_str(), + crlpath.empty() ? NULL : crlpath.c_str())) + { + int err = ERR_get_error(); + throw ModuleException("Unable to load CRL file '" + crlfile + "' or CRL path '" + crlpath + "': '" + (err ? ERR_error_string(err, NULL) : "unknown") + "'"); + } + + /* Set CRL mode */ + if (X509_STORE_set_flags(store, crlflags) != 1) + { + throw ModuleException("Unable to set X509 CRL flags"); + } + } + + long GetDefaultContextOptions() const { return ctx_options; @@ -239,7 +313,7 @@ namespace OpenSSL } }; - class Profile : public refcountbase + class Profile { /** Name of this profile */ @@ -284,17 +358,31 @@ namespace OpenSSL */ void SetContextOptions(const std::string& ctxname, ConfigTag* tag, Context& context) { - long setoptions = tag->getInt(ctxname + "setoptions"); - long clearoptions = tag->getInt(ctxname + "clearoptions"); + long setoptions = tag->getInt(ctxname + "setoptions", 0); + long clearoptions = tag->getInt(ctxname + "clearoptions", 0); + #ifdef SSL_OP_NO_COMPRESSION - if (!tag->getBool("compression", false)) // Disable compression by default + // Disable compression by default + if (!tag->getBool("compression", false)) setoptions |= SSL_OP_NO_COMPRESSION; #endif - if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default - setoptions |= SSL_OP_NO_SSLv3; - if (!tag->getBool("tlsv1", true)) + + // Disable TLSv1.0 by default. + if (!tag->getBool("tlsv1", false)) setoptions |= SSL_OP_NO_TLSv1; +#ifdef SSL_OP_NO_TLSv1_1 + // Enable TLSv1.1 by default. + if (!tag->getBool("tlsv11", true)) + setoptions |= SSL_OP_NO_TLSv1_1; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 + // Enable TLSv1.2 by default. + if (!tag->getBool("tlsv12", true)) + setoptions |= SSL_OP_NO_TLSv1_2; +#endif + if (!setoptions && !clearoptions) return; // Nothing to do @@ -306,16 +394,16 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem", 1))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default - , outrecsize(tag->getInt("outrecsize", 2048, 512, 16384)) + , outrecsize(tag->getUInt("outrecsize", 2048, 512, 16384)) { if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); - std::string hash = tag->getString("hash", "md5"); + const std::string hash = tag->getString("hash", "md5", 1); digest = EVP_get_digestbyname(hash.c_str()); if (digest == NULL) throw Exception("Unknown hash type " + hash); @@ -330,8 +418,8 @@ namespace OpenSSL } } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH - std::string curvename = tag->getString("ecdhcurve", "prime256v1"); +#ifndef OPENSSL_NO_ECDH + const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) ctx.SetECDH(curvename); #endif @@ -342,14 +430,14 @@ namespace OpenSSL /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ - std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem")); + std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem", 1)); if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename))) { ERR_print_errors_cb(error_callback, this); throw Exception("Can't read certificate file: " + lasterr); } - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem", 1)); if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename))) { ERR_print_errors_cb(error_callback, this); @@ -357,13 +445,19 @@ namespace OpenSSL } // Load the CAs we trust - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem", 1)); if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename))) { ERR_print_errors_cb(error_callback, this); ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str()); } + // Load the CRLs. + const std::string crlfile = tag->getString("crlfile"); + const std::string crlpath = tag->getString("crlpath"); + const std::string crlmode = tag->getString("crlmode", "chain", 1); + ctx.SetCRL(crlfile, crlpath, crlmode); + clictx.SetVerifyCert(); if (tag->getBool("requestclientcert", true)) ctx.SetVerifyCert(); @@ -458,7 +552,6 @@ class OpenSSLIOHook : public SSLIOHook SSL* sess; issl_status status; bool data_to_write; - reference profile; // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed int Handshake(StreamSocket* user) @@ -558,7 +651,7 @@ class OpenSSLIOHook : public SSLIOHook if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) certinfo->issuer.clear(); - if (!X509_digest(cert, profile->GetDigest(), md, &n)) + if (!X509_digest(cert, GetProfile().GetDigest(), md, &n)) { certinfo->error = "Out of memory generating fingerprint"; } @@ -567,7 +660,7 @@ class OpenSSLIOHook : public SSLIOHook certinfo->fingerprint = BinToHex(md, n); } - if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), ServerInstance->Time()) == 0)) + if ((ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time()) == 0)) { certinfo->error = "Not activated, or expired certificate"; } @@ -579,7 +672,7 @@ class OpenSSLIOHook : public SSLIOHook { if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN)) { - if (profile->AllowRenegotiation()) + if (GetProfile().AllowRenegotiation()) return; // The other side is trying to renegotiate, kill the connection and change status @@ -621,12 +714,11 @@ class OpenSSLIOHook : public SSLIOHook friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc); public: - OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session, const reference& sslprofile) + OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session) : SSLIOHook(hookprov) , sess(session) , status(ISSL_NONE) , data_to_write(false) - , profile(sslprofile) { // Create BIO instance and store a pointer to the socket in it which will be used by the read and write functions #ifdef INSPIRCD_OPENSSL_OPAQUE_BIO @@ -720,7 +812,7 @@ class OpenSSLIOHook : public SSLIOHook while (!sendq.empty()) { ERR_clear_error(); - FlattenSendQueue(sendq, profile->GetOutgoingRecordSize()); + FlattenSendQueue(sendq, GetProfile().GetOutgoingRecordSize()); const StreamSocket::SendQueue::Element& buffer = sendq.front(); int ret = SSL_write(sess, buffer.data(), buffer.size()); @@ -778,7 +870,18 @@ class OpenSSLIOHook : public SSLIOHook out.append(SSL_get_cipher(sess)); } + bool GetServerName(std::string& out) const CXX11_OVERRIDE + { + const char* name = SSL_get_servername(sess, TLSEXT_NAMETYPE_host_name); + if (!name) + return false; + + out.append(name); + return true; + } + bool IsHandshakeDone() const { return (status == ISSL_OPEN); } + OpenSSL::Profile& GetProfile(); }; static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc) @@ -833,14 +936,14 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) return ret; } -class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider +class OpenSSLIOHookProvider : public SSLIOHookProvider { - reference profile; + OpenSSL::Profile profile; public: - OpenSSLIOHookProvider(Module* mod, reference& prof) - : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL) - , profile(prof) + OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag) + : SSLIOHookProvider(mod, profilename) + , profile(profilename, tag) { ServerInstance->Modules->AddService(*this); } @@ -852,15 +955,23 @@ class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateServerSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateServerSession()); } void OnConnect(StreamSocket* sock) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateClientSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateClientSession()); } + + OpenSSL::Profile& GetProfile() { return profile; } }; +OpenSSL::Profile& OpenSSLIOHook::GetProfile() +{ + IOHookProvider* hookprov = prov; + return static_cast(hookprov)->GetProfile(); +} + class ModuleSSLOpenSSL : public Module { typedef std::vector > ProfileList; @@ -876,43 +987,54 @@ class ModuleSSLOpenSSL : public Module // Create a default profile named "openssl" const std::string defname = "openssl"; ConfigTag* tag = ServerInstance->Config->ConfValue(defname); - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the tag"); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the deprecated tag"); try { - reference profile(new OpenSSL::Profile(defname, tag)); - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + newprofiles.push_back(new OpenSSLIOHookProvider(this, defname, tag)); } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } - - for (ConfigIter i = tags.first; i != tags.second; ++i) + else { - ConfigTag* tag = i->second; - if (tag->getString("provider") != "openssl") - continue; - - std::string name = tag->getString("name"); - if (name.empty()) + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"openssl\" when configuring TLS (SSL) connections in or "); + for (ConfigIter i = tags.first; i != tags.second; ++i) { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); - continue; - } + ConfigTag* tag = i->second; + if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring non-OpenSSL tag at " + tag->getTagLocation()); + continue; + } - reference profile; - try - { - profile = new OpenSSL::Profile(name, tag); - } - catch (CoreException& ex) - { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + std::string name = tag->getString("name"); + if (name.empty()) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); + continue; + } + + reference prov; + try + { + prov = new OpenSSLIOHookProvider(this, name, tag); + } + catch (CoreException& ex) + { + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + } + + newprofiles.push_back(prov); } + } - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i) + { + OpenSSLIOHookProvider& prov = **i; + ServerInstance->Modules.DelService(prov); } profiles.swap(newprofiles); @@ -922,8 +1044,7 @@ class ModuleSSLOpenSSL : public Module ModuleSSLOpenSSL() { // Initialize OpenSSL - SSL_library_init(); - SSL_load_error_strings(); + OPENSSL_init_ssl(0, NULL); #ifdef INSPIRCD_OPENSSL_OPAQUE_BIO biomethods = OpenSSL::BIOMethod::alloc(); } @@ -936,7 +1057,7 @@ class ModuleSSLOpenSSL : public Module void init() CXX11_OVERRIDE { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", SSLeay_version(SSLEAY_VERSION)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", OpenSSL_version(OPENSSL_VERSION)); // Register application specific data char exdatastr[] = "inspircd"; @@ -949,12 +1070,13 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (param != "ssl") + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try { ReadProfiles(); + ServerInstance->SNO->WriteToSnoMask('a', "OpenSSL TLS (SSL) profiles have been reloaded."); } catch (ModuleException& ex) { @@ -962,17 +1084,17 @@ class ModuleSSLOpenSSL : public Module } } - void OnCleanup(int target_type, void* item) CXX11_OVERRIDE + void OnCleanup(ExtensionItem::ExtensibleType type, Extensible* item) CXX11_OVERRIDE { - if (target_type == TYPE_USER) + if (type == ExtensionItem::EXT_USER) { LocalUser* user = IS_LOCAL((User*)item); if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } @@ -987,7 +1109,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support for clients", VF_VENDOR); + return Version("Allows TLS (SSL) encrypted connections using the OpenSSL library.", VF_VENDOR); } };