X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=30cabdf2747d98dc82be6f68d07f03ce665f35e0;hb=ccebfe6e637b420bef05e8e0faf29bb19f1883d9;hp=3ebc8e4d91685b258e9961220790ad3c2a0f7ef4;hpb=87b1461e2a4710a38b32186c2582da9fe9bb3804;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 3ebc8e4d9..30cabdf27 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,12 +1,19 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2019 Matt Schatz + * Copyright (C) 2017 Wade Cline + * Copyright (C) 2014, 2016 Adam + * Copyright (C) 2014 Julien Vehent + * Copyright (C) 2013-2014, 2016-2019 Sadie Powell + * Copyright (C) 2012-2017 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2012 ChrisTX * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2008 Thomas Stagner + * Copyright (C) 2008 Robin Burchell + * Copyright (C) 2007-2008, 2010 Craig Edwards * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -24,6 +31,7 @@ /// $CompilerFlags: find_compiler_flags("openssl") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") +/// $PackageInfo: require_system("arch") openssl pkgconf /// $PackageInfo: require_system("centos") openssl-devel pkgconfig /// $PackageInfo: require_system("darwin") openssl pkg-config /// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config @@ -34,6 +42,10 @@ #include "iohook.h" #include "modules/ssl.h" +#ifdef __GNUC__ +# pragma GCC diagnostic push +#endif + // Ignore OpenSSL deprecation warnings on OS X Lion and newer. #if defined __APPLE__ # pragma GCC diagnostic ignored "-Wdeprecated-declarations" @@ -50,6 +62,10 @@ #include #include +#ifdef __GNUC__ +# pragma GCC diagnostic pop +#endif + #ifdef _WIN32 # pragma comment(lib, "ssleay32.lib") # pragma comment(lib, "libeay32.lib") @@ -235,7 +251,7 @@ namespace OpenSSL X509_STORE* store = SSL_CTX_get_cert_store(ctx); if (!store) { - throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); } ERR_clear_error(); if (!X509_STORE_load_locations(store, @@ -336,14 +352,29 @@ namespace OpenSSL { long setoptions = tag->getInt(ctxname + "setoptions", 0); long clearoptions = tag->getInt(ctxname + "clearoptions", 0); + #ifdef SSL_OP_NO_COMPRESSION - if (!tag->getBool("compression", false)) // Disable compression by default + // Disable compression by default + if (!tag->getBool("compression", false)) setoptions |= SSL_OP_NO_COMPRESSION; #endif + // Disable TLSv1.0 by default. if (!tag->getBool("tlsv1", false)) setoptions |= SSL_OP_NO_TLSv1; +#ifdef SSL_OP_NO_TLSv1_1 + // Enable TLSv1.1 by default. + if (!tag->getBool("tlsv11", true)) + setoptions |= SSL_OP_NO_TLSv1_1; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 + // Enable TLSv1.2 by default. + if (!tag->getBool("tlsv12", true)) + setoptions |= SSL_OP_NO_TLSv1_2; +#endif + if (!setoptions && !clearoptions) return; // Nothing to do @@ -355,7 +386,7 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem", 1))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default @@ -364,7 +395,7 @@ namespace OpenSSL if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); - std::string hash = tag->getString("hash", "md5"); + const std::string hash = tag->getString("hash", "md5", 1); digest = EVP_get_digestbyname(hash.c_str()); if (digest == NULL) throw Exception("Unknown hash type " + hash); @@ -380,7 +411,7 @@ namespace OpenSSL } #ifndef OPENSSL_NO_ECDH - std::string curvename = tag->getString("ecdhcurve", "prime256v1"); + const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) ctx.SetECDH(curvename); #endif @@ -391,14 +422,14 @@ namespace OpenSSL /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ - std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem")); + std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem", 1)); if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename))) { ERR_print_errors_cb(error_callback, this); throw Exception("Can't read certificate file: " + lasterr); } - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem", 1)); if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename))) { ERR_print_errors_cb(error_callback, this); @@ -406,7 +437,7 @@ namespace OpenSSL } // Load the CAs we trust - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem", 1)); if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename))) { ERR_print_errors_cb(error_callback, this); @@ -414,9 +445,9 @@ namespace OpenSSL } // Load the CRLs. - std::string crlfile = tag->getString("crlfile"); - std::string crlpath = tag->getString("crlpath"); - std::string crlmode = tag->getString("crlmode", "chain"); + const std::string crlfile = tag->getString("crlfile"); + const std::string crlpath = tag->getString("crlpath"); + const std::string crlmode = tag->getString("crlmode", "chain", 1); ctx.SetCRL(crlfile, crlpath, crlmode); clictx.SetVerifyCert(); @@ -956,7 +987,7 @@ class ModuleSSLOpenSSL : public Module } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -980,7 +1011,7 @@ class ModuleSSLOpenSSL : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -1025,12 +1056,13 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (param != "ssl") + if (!irc::equals(param, "ssl")) return; try { ReadProfiles(); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module OpenSSL rehashed."); } catch (ModuleException& ex) { @@ -1046,9 +1078,9 @@ class ModuleSSLOpenSSL : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } @@ -1063,7 +1095,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support via OpenSSL", VF_VENDOR); + return Version("Allows TLS (SSL) encrypted connections using the OpenSSL library.", VF_VENDOR); } };