X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=9a5fa98af96458f0b2344a40aa04243b1fc31ecc;hb=bb39d78be61e45555cdd87985e26ea07b725fabf;hp=7cff5da8aca309d418afe3fbec7a08e4d3817d60;hpb=fcd538761adad5834c0b6c4c14b43bea9f8bfd6d;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 7cff5da8a..9a5fa98af 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,12 +1,19 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2019 Matt Schatz + * Copyright (C) 2017 Wade Cline + * Copyright (C) 2014, 2016 Adam + * Copyright (C) 2014 Julien Vehent + * Copyright (C) 2013-2014, 2016-2019 Sadie Powell + * Copyright (C) 2012-2017 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2012 ChrisTX * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2008 Thomas Stagner + * Copyright (C) 2008 Robin Burchell + * Copyright (C) 2007-2008, 2010 Craig Edwards * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -24,15 +31,21 @@ /// $CompilerFlags: find_compiler_flags("openssl") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") +/// $PackageInfo: require_system("arch") openssl pkgconf /// $PackageInfo: require_system("centos") openssl-devel pkgconfig /// $PackageInfo: require_system("darwin") openssl pkg-config -/// $PackageInfo: require_system("ubuntu" "16.04") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config +/// $PackageInfo: require_system("ubuntu") libssl-dev openssl pkg-config #include "inspircd.h" #include "iohook.h" #include "modules/ssl.h" +#ifdef __GNUC__ +# pragma GCC diagnostic push +#endif + // Ignore OpenSSL deprecation warnings on OS X Lion and newer. #if defined __APPLE__ # pragma GCC diagnostic ignored "-Wdeprecated-declarations" @@ -47,15 +60,38 @@ #include #include +#include + +#ifdef __GNUC__ +# pragma GCC diagnostic pop +#endif #ifdef _WIN32 # pragma comment(lib, "ssleay32.lib") # pragma comment(lib, "libeay32.lib") #endif -#if ((OPENSSL_VERSION_NUMBER >= 0x10000000L) && (!(defined(OPENSSL_NO_ECDH)))) -// OpenSSL 0.9.8 includes some ECC support, but it's unfinished. Enable only for 1.0.0 and later. -#define INSPIRCD_OPENSSL_ENABLE_ECDH +// Compatibility layer to allow OpenSSL 1.0 to use the 1.1 API. +#if ((defined LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)) + +// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0. +# define BIO_get_data(BIO) BIO->ptr +# define BIO_set_data(BIO, VALUE) BIO->ptr = VALUE; +# define BIO_set_init(BIO, VALUE) BIO->init = VALUE; + +// These functions have been renamed in OpenSSL 1.1. +# define OpenSSL_version SSLeay_version +# define X509_getm_notAfter X509_get_notAfter +# define X509_getm_notBefore X509_get_notBefore +# define OPENSSL_init_ssl(OPTIONS, SETTINGS) \ + SSL_library_init(); \ + SSL_load_error_strings(); + +// These macros have been renamed in OpenSSL 1.1. +# define OPENSSL_VERSION SSLEAY_VERSION + +#else +# define INSPIRCD_OPENSSL_OPAQUE_BIO #endif enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN }; @@ -120,7 +156,7 @@ namespace OpenSSL { // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html // and when choosing a cipher, use the server's preferences instead of the client preferences. - long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; + long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE; // Only turn options on if they exist #ifdef SSL_OP_SINGLE_ECDH_USE opts |= SSL_OP_SINGLE_ECDH_USE; @@ -152,7 +188,7 @@ namespace OpenSSL return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0); } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH +#ifndef OPENSSL_NO_ECDH void SetECDH(const std::string& curvename) { int nid = OBJ_sn2nid(curvename.c_str()); @@ -195,6 +231,45 @@ namespace OpenSSL return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0); } + void SetCRL(const std::string& crlfile, const std::string& crlpath, const std::string& crlmode) + { + if (crlfile.empty() && crlpath.empty()) + return; + + /* Set CRL mode */ + unsigned long crlflags = X509_V_FLAG_CRL_CHECK; + if (stdalgo::string::equalsci(crlmode, "chain")) + { + crlflags |= X509_V_FLAG_CRL_CHECK_ALL; + } + else if (!stdalgo::string::equalsci(crlmode, "leaf")) + { + throw ModuleException("Unknown mode '" + crlmode + "'; expected either 'chain' (default) or 'leaf'"); + } + + /* Load CRL files */ + X509_STORE* store = SSL_CTX_get_cert_store(ctx); + if (!store) + { + throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + } + ERR_clear_error(); + if (!X509_STORE_load_locations(store, + crlfile.empty() ? NULL : crlfile.c_str(), + crlpath.empty() ? NULL : crlpath.c_str())) + { + int err = ERR_get_error(); + throw ModuleException("Unable to load CRL file '" + crlfile + "' or CRL path '" + crlpath + "': '" + (err ? ERR_error_string(err, NULL) : "unknown") + "'"); + } + + /* Set CRL mode */ + if (X509_STORE_set_flags(store, crlflags) != 1) + { + throw ModuleException("Unable to set X509 CRL flags"); + } + } + + long GetDefaultContextOptions() const { return ctx_options; @@ -230,7 +305,7 @@ namespace OpenSSL } }; - class Profile : public refcountbase + class Profile { /** Name of this profile */ @@ -275,17 +350,31 @@ namespace OpenSSL */ void SetContextOptions(const std::string& ctxname, ConfigTag* tag, Context& context) { - long setoptions = tag->getInt(ctxname + "setoptions"); - long clearoptions = tag->getInt(ctxname + "clearoptions"); + long setoptions = tag->getInt(ctxname + "setoptions", 0); + long clearoptions = tag->getInt(ctxname + "clearoptions", 0); + #ifdef SSL_OP_NO_COMPRESSION - if (!tag->getBool("compression", false)) // Disable compression by default + // Disable compression by default + if (!tag->getBool("compression", false)) setoptions |= SSL_OP_NO_COMPRESSION; #endif - if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default - setoptions |= SSL_OP_NO_SSLv3; - if (!tag->getBool("tlsv1", true)) + + // Disable TLSv1.0 by default. + if (!tag->getBool("tlsv1", false)) setoptions |= SSL_OP_NO_TLSv1; +#ifdef SSL_OP_NO_TLSv1_1 + // Enable TLSv1.1 by default. + if (!tag->getBool("tlsv11", true)) + setoptions |= SSL_OP_NO_TLSv1_1; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 + // Enable TLSv1.2 by default. + if (!tag->getBool("tlsv12", true)) + setoptions |= SSL_OP_NO_TLSv1_2; +#endif + if (!setoptions && !clearoptions) return; // Nothing to do @@ -297,16 +386,16 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem", 1))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default - , outrecsize(tag->getInt("outrecsize", 2048, 512, 16384)) + , outrecsize(tag->getUInt("outrecsize", 2048, 512, 16384)) { if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); - std::string hash = tag->getString("hash", "md5"); + const std::string hash = tag->getString("hash", "md5", 1); digest = EVP_get_digestbyname(hash.c_str()); if (digest == NULL) throw Exception("Unknown hash type " + hash); @@ -321,8 +410,8 @@ namespace OpenSSL } } -#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH - std::string curvename = tag->getString("ecdhcurve", "prime256v1"); +#ifndef OPENSSL_NO_ECDH + const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) ctx.SetECDH(curvename); #endif @@ -333,14 +422,14 @@ namespace OpenSSL /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ - std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem")); + std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem", 1)); if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename))) { ERR_print_errors_cb(error_callback, this); throw Exception("Can't read certificate file: " + lasterr); } - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem", 1)); if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename))) { ERR_print_errors_cb(error_callback, this); @@ -348,13 +437,19 @@ namespace OpenSSL } // Load the CAs we trust - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem", 1)); if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename))) { ERR_print_errors_cb(error_callback, this); ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str()); } + // Load the CRLs. + const std::string crlfile = tag->getString("crlfile"); + const std::string crlpath = tag->getString("crlpath"); + const std::string crlmode = tag->getString("crlmode", "chain", 1); + ctx.SetCRL(crlfile, crlpath, crlmode); + clictx.SetVerifyCert(); if (tag->getBool("requestclientcert", true)) ctx.SetVerifyCert(); @@ -372,7 +467,7 @@ namespace OpenSSL { static int create(BIO* bio) { - bio->init = 1; + BIO_set_init(bio, 1); return 1; } @@ -393,9 +488,25 @@ namespace OpenSSL static int read(BIO* bio, char* buf, int len); static int write(BIO* bio, const char* buf, int len); + +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + static BIO_METHOD* alloc() + { + BIO_METHOD* meth = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "inspircd"); + BIO_meth_set_write(meth, OpenSSL::BIOMethod::write); + BIO_meth_set_read(meth, OpenSSL::BIOMethod::read); + BIO_meth_set_ctrl(meth, OpenSSL::BIOMethod::ctrl); + BIO_meth_set_create(meth, OpenSSL::BIOMethod::create); + BIO_meth_set_destroy(meth, OpenSSL::BIOMethod::destroy); + return meth; + } +#endif } } +// BIO_METHOD is opaque in OpenSSL 1.1 so we can't do this. +// See OpenSSL::BIOMethod::alloc for the new method. +#ifndef INSPIRCD_OPENSSL_OPAQUE_BIO static BIO_METHOD biomethods = { (100 | BIO_TYPE_SOURCE_SINK), @@ -409,6 +520,9 @@ static BIO_METHOD biomethods = OpenSSL::BIOMethod::destroy, // destroy, does nothing, see function body for more info NULL // callback_ctrl }; +#else +static BIO_METHOD* biomethods; +#endif static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) { @@ -430,7 +544,6 @@ class OpenSSLIOHook : public SSLIOHook SSL* sess; issl_status status; bool data_to_write; - reference profile; // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed int Handshake(StreamSocket* user) @@ -530,7 +643,7 @@ class OpenSSLIOHook : public SSLIOHook if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) certinfo->issuer.clear(); - if (!X509_digest(cert, profile->GetDigest(), md, &n)) + if (!X509_digest(cert, GetProfile().GetDigest(), md, &n)) { certinfo->error = "Out of memory generating fingerprint"; } @@ -539,7 +652,7 @@ class OpenSSLIOHook : public SSLIOHook certinfo->fingerprint = BinToHex(md, n); } - if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), ServerInstance->Time()) == 0)) + if ((ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time()) == 0)) { certinfo->error = "Not activated, or expired certificate"; } @@ -551,14 +664,14 @@ class OpenSSLIOHook : public SSLIOHook { if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN)) { - if (profile->AllowRenegotiation()) + if (GetProfile().AllowRenegotiation()) return; // The other side is trying to renegotiate, kill the connection and change status // to ISSL_NONE so CheckRenego() closes the session status = ISSL_NONE; BIO* bio = SSL_get_rbio(sess); - EventHandler* eh = static_cast(bio->ptr); + EventHandler* eh = static_cast(BIO_get_data(bio)); SocketEngine::Shutdown(eh, 2); } } @@ -593,16 +706,19 @@ class OpenSSLIOHook : public SSLIOHook friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc); public: - OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session, const reference& sslprofile) + OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session) : SSLIOHook(hookprov) , sess(session) , status(ISSL_NONE) , data_to_write(false) - , profile(sslprofile) { // Create BIO instance and store a pointer to the socket in it which will be used by the read and write functions +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + BIO* bio = BIO_new(biomethods); +#else BIO* bio = BIO_new(&biomethods); - bio->ptr = sock; +#endif + BIO_set_data(bio, sock); SSL_set_bio(sess, bio, bio); SSL_set_ex_data(sess, exdataindex, this); @@ -688,7 +804,7 @@ class OpenSSLIOHook : public SSLIOHook while (!sendq.empty()) { ERR_clear_error(); - FlattenSendQueue(sendq, profile->GetOutgoingRecordSize()); + FlattenSendQueue(sendq, GetProfile().GetOutgoingRecordSize()); const StreamSocket::SendQueue::Element& buffer = sendq.front(); int ret = SSL_write(sess, buffer.data(), buffer.size()); @@ -746,7 +862,18 @@ class OpenSSLIOHook : public SSLIOHook out.append(SSL_get_cipher(sess)); } + bool GetServerName(std::string& out) const CXX11_OVERRIDE + { + const char* name = SSL_get_servername(sess, TLSEXT_NAMETYPE_host_name); + if (!name) + return false; + + out.append(name); + return true; + } + bool IsHandshakeDone() const { return (status == ISSL_OPEN); } + OpenSSL::Profile& GetProfile(); }; static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc) @@ -759,7 +886,7 @@ static int OpenSSL::BIOMethod::write(BIO* bio, const char* buffer, int size) { BIO_clear_retry_flags(bio); - StreamSocket* sock = static_cast(bio->ptr); + StreamSocket* sock = static_cast(BIO_get_data(bio)); if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK) { // Writes blocked earlier, don't retry syscall @@ -782,7 +909,7 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) { BIO_clear_retry_flags(bio); - StreamSocket* sock = static_cast(bio->ptr); + StreamSocket* sock = static_cast(BIO_get_data(bio)); if (sock->GetEventMask() & FD_READ_WILL_BLOCK) { // Reads blocked earlier, don't retry syscall @@ -801,14 +928,14 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) return ret; } -class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider +class OpenSSLIOHookProvider : public IOHookProvider { - reference profile; + OpenSSL::Profile profile; public: - OpenSSLIOHookProvider(Module* mod, reference& prof) - : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL) - , profile(prof) + OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag) + : IOHookProvider(mod, "ssl/" + profilename, IOHookProvider::IOH_SSL) + , profile(profilename, tag) { ServerInstance->Modules->AddService(*this); } @@ -820,15 +947,23 @@ class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateServerSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateServerSession()); } void OnConnect(StreamSocket* sock) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, profile->CreateClientSession(), profile); + new OpenSSLIOHook(this, sock, profile.CreateClientSession()); } + + OpenSSL::Profile& GetProfile() { return profile; } }; +OpenSSL::Profile& OpenSSLIOHook::GetProfile() +{ + IOHookProvider* hookprov = prov; + return static_cast(hookprov)->GetProfile(); +} + class ModuleSSLOpenSSL : public Module { typedef std::vector > ProfileList; @@ -848,8 +983,7 @@ class ModuleSSLOpenSSL : public Module try { - reference profile(new OpenSSL::Profile(defname, tag)); - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + newprofiles.push_back(new OpenSSLIOHookProvider(this, defname, tag)); } catch (OpenSSL::Exception& ex) { @@ -860,7 +994,7 @@ class ModuleSSLOpenSSL : public Module for (ConfigIter i = tags.first; i != tags.second; ++i) { ConfigTag* tag = i->second; - if (tag->getString("provider") != "openssl") + if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) continue; std::string name = tag->getString("name"); @@ -870,17 +1004,23 @@ class ModuleSSLOpenSSL : public Module continue; } - reference profile; + reference prov; try { - profile = new OpenSSL::Profile(name, tag); + prov = new OpenSSLIOHookProvider(this, name, tag); } catch (CoreException& ex) { throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } - newprofiles.push_back(new OpenSSLIOHookProvider(this, profile)); + newprofiles.push_back(prov); + } + + for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i) + { + OpenSSLIOHookProvider& prov = **i; + ServerInstance->Modules.DelService(prov); } profiles.swap(newprofiles); @@ -890,13 +1030,20 @@ class ModuleSSLOpenSSL : public Module ModuleSSLOpenSSL() { // Initialize OpenSSL - SSL_library_init(); - SSL_load_error_strings(); + OPENSSL_init_ssl(0, NULL); +#ifdef INSPIRCD_OPENSSL_OPAQUE_BIO + biomethods = OpenSSL::BIOMethod::alloc(); + } + + ~ModuleSSLOpenSSL() + { + BIO_meth_free(biomethods); +#endif } void init() CXX11_OVERRIDE { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", SSLeay_version(SSLEAY_VERSION)); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", OpenSSL_version(OPENSSL_VERSION)); // Register application specific data char exdatastr[] = "inspircd"; @@ -909,12 +1056,13 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (param != "ssl") + if (!irc::equals(param, "ssl")) return; try { ReadProfiles(); + ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); } catch (ModuleException& ex) { @@ -922,9 +1070,9 @@ class ModuleSSLOpenSSL : public Module } } - void OnCleanup(int target_type, void* item) CXX11_OVERRIDE + void OnCleanup(ExtensionItem::ExtensibleType type, Extensible* item) CXX11_OVERRIDE { - if (target_type == TYPE_USER) + if (type == ExtensionItem::EXT_USER) { LocalUser* user = IS_LOCAL((User*)item); @@ -947,7 +1095,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support for clients", VF_VENDOR); + return Version("Provides SSL support via OpenSSL", VF_VENDOR); } };