X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=b21091d3fddc6f2b6c5ca53bdd26ebd3a0b95c70;hb=571714e28b26cc59cbc8d27098a5ba981240ee2d;hp=1d4ebd7fda737fd01fcc1e45bd8ad842d0bb14ba;hpb=5de7651ebeee56e6deca4d5e357b22869719bb8f;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 1d4ebd7fd..b21091d3f 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,26 +1,45 @@ -/* +------------------------------------+ - * | Inspire Internet Relay Chat Daemon | - * +------------------------------------+ +/* + * InspIRCd -- Internet Relay Chat Daemon * - * InspIRCd: (C) 2002-2010 InspIRCd Development Team - * See: http://wiki.inspircd.org/Credits + * Copyright (C) 2009-2010 Daniel De Graaf + * Copyright (C) 2008 Pippijn van Steenhoven + * Copyright (C) 2006-2008 Craig Edwards + * Copyright (C) 2008 Thomas Stagner + * Copyright (C) 2007 Dennis Friis + * Copyright (C) 2006 Oliver Lupton * - * This program is free but copyrighted software; see - * the file COPYING for details. + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. * - * --------------------------------------------------- + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . */ + /* HACK: This prevents OpenSSL on OS X 10.7 and later from spewing deprecation + * warnings for every single function call. As far as I (SaberUK) know, Apple + * have no plans to remove OpenSSL so this warning just causes needless spam. + */ +#ifdef __APPLE__ +# define __AVAILABILITYMACROS__ +# define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER +#endif + #include "inspircd.h" #include #include #include "ssl.h" -#ifdef WINDOWS -#pragma comment(lib, "libeay32MTd") -#pragma comment(lib, "ssleay32MTd") -#undef MAX_DESCRIPTORS -#define MAX_DESCRIPTORS 10000 +#ifdef _WIN32 +# pragma comment(lib, "ssleay32.lib") +# pragma comment(lib, "libeay32.lib") +# undef MAX_DESCRIPTORS +# define MAX_DESCRIPTORS 10000 #endif /* $ModDesc: Provides SSL support for clients */ @@ -30,14 +49,18 @@ /* $LinkerFlags: if(!"USE_FREEBSD_BASE_SSL") rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto -ldl") */ /* $NoPedantic */ -/* $CopyInstall: conf/key.pem $(CONPATH) -m 0400 -o $(INSTUID) */ -/* $CopyInstall: conf/cert.pem $(CONPATH) -m 0444 */ +class ModuleSSLOpenSSL; + enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN }; static bool SelfSigned = false; +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION +static ModuleSSLOpenSSL* opensslmod = NULL; +#endif + char* get_error() { return ERR_error_string(ERR_get_error(), NULL); @@ -54,11 +77,12 @@ public: issl_status status; reference cert; - int fd; bool outbound; bool data_to_write; issl_session() + : sess(NULL) + , status(ISSL_NONE) { outbound = false; data_to_write = false; @@ -81,32 +105,116 @@ static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) class ModuleSSLOpenSSL : public Module { - int inbufsize; issl_session* sessions; SSL_CTX* ctx; SSL_CTX* clictx; - char cipher[MAXBUF]; + long ctx_options; + long clictx_options; - std::string keyfile; - std::string certfile; - std::string cafile; - // std::string crlfile; - std::string dhfile; std::string sslports; + bool use_sha; ServiceProvider iohook; + + static void SetContextOptions(SSL_CTX* ctx, long defoptions, const std::string& ctxname, ConfigTag* tag) + { + long setoptions = tag->getInt(ctxname + "setoptions"); + // User-friendly config options for setting context options +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if (tag->getBool("cipherserverpref")) + setoptions |= SSL_OP_CIPHER_SERVER_PREFERENCE; +#endif +#ifdef SSL_OP_NO_COMPRESSION + if (!tag->getBool("compression", true)) + setoptions |= SSL_OP_NO_COMPRESSION; +#endif + if (!tag->getBool("sslv3", true)) + setoptions |= SSL_OP_NO_SSLv3; + if (!tag->getBool("tlsv1", true)) + setoptions |= SSL_OP_NO_TLSv1; + + long clearoptions = tag->getInt(ctxname + "clearoptions"); + ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Setting OpenSSL %s context options, default: %ld set: %ld clear: %ld", ctxname.c_str(), defoptions, setoptions, clearoptions); + + // Clear everything + SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)); + + // Set the default options and what is in the conf + SSL_CTX_set_options(ctx, defoptions | setoptions); + long final = SSL_CTX_clear_options(ctx, clearoptions); + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "OpenSSL %s context options: %ld", ctxname.c_str(), final); + } + +#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH + void SetupECDH(ConfigTag* tag) + { + std::string curvename = tag->getString("ecdhcurve", "prime256v1"); + if (curvename.empty()) + return; + + int nid = OBJ_sn2nid(curvename.c_str()); + if (nid == 0) + { + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Unknown curve: \"%s\"", curvename.c_str()); + return; + } + + EC_KEY* eckey = EC_KEY_new_by_curve_name(nid); + if (!eckey) + { + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Unable to create EC key object"); + return; + } + + ERR_clear_error(); + if (SSL_CTX_set_tmp_ecdh(ctx, eckey) < 0) + { + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Couldn't set ECDH parameters"); + ERR_print_errors_cb(error_callback, this); + } + + EC_KEY_free(eckey); + } +#endif + +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION + static void SSLInfoCallback(const SSL* ssl, int where, int rc) + { + int fd = SSL_get_fd(const_cast(ssl)); + issl_session& session = opensslmod->sessions[fd]; + + if ((where & SSL_CB_HANDSHAKE_START) && (session.status == ISSL_OPEN)) + { + // The other side is trying to renegotiate, kill the connection and change status + // to ISSL_NONE so CheckRenego() closes the session + session.status = ISSL_NONE; + ServerInstance->SE->Shutdown(fd, 2); + } + } + + bool CheckRenego(StreamSocket* sock, issl_session* session) + { + if (session->status != ISSL_NONE) + return true; + + ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Session %p killed, attempted to renegotiate", (void*)session->sess); + CloseSession(session); + sock->SetError("Renegotiation is not allowed"); + return false; + } +#endif + public: ModuleSSLOpenSSL() : iohook(this, "ssl/openssl", SERVICE_IOHOOK) { - +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION + opensslmod = this; +#endif sessions = new issl_session[ServerInstance->SE->GetMaxFds()]; - // Not rehashable...because I cba to reduce all the sizes of existing buffers. - inbufsize = ServerInstance->Config->NetBufferSize; - /* Global SSL library initialization*/ SSL_library_init(); SSL_load_error_strings(); @@ -123,6 +231,24 @@ class ModuleSSLOpenSSL : public Module SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); SSL_CTX_set_verify(clictx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_session_cache_mode(clictx, SSL_SESS_CACHE_OFF); + + long opts = SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE; + // Only turn options on if they exist +#ifdef SSL_OP_SINGLE_ECDH_USE + opts |= SSL_OP_SINGLE_ECDH_USE; +#endif +#ifdef SSL_OP_NO_TICKET + opts |= SSL_OP_NO_TICKET; +#endif + + ctx_options = SSL_CTX_set_options(ctx, opts); + clictx_options = SSL_CTX_set_options(clictx, opts); + } + + void init() + { // Needs the flag as it ignores a plain /rehash OnModuleRehash(NULL,"ssl"); Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnHookIO, I_OnUserConnect }; @@ -141,24 +267,55 @@ class ModuleSSLOpenSSL : public Module void OnRehash(User* user) { - ConfigReader Conf; - sslports.clear(); - for (size_t i = 0; i < ServerInstance->ports.size(); i++) - { - ListenSocket* port = ServerInstance->ports[i]; - if (port->bind_tag->getString("ssl") != "openssl") - continue; + ConfigTag* Conf = ServerInstance->Config->ConfValue("openssl"); - std::string portid = port->bind_desc; - ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str()); - if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1") - sslports.append(portid).append(";"); +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION + // Set the callback if we are not allowing renegotiations, unset it if we do + if (Conf->getBool("renegotiation", true)) + { + SSL_CTX_set_info_callback(ctx, NULL); + SSL_CTX_set_info_callback(clictx, NULL); } + else + { + SSL_CTX_set_info_callback(ctx, SSLInfoCallback); + SSL_CTX_set_info_callback(clictx, SSLInfoCallback); + } +#endif - if (!sslports.empty()) - sslports.erase(sslports.end() - 1); + if (Conf->getBool("showports", true)) + { + sslports = Conf->getString("advertisedports"); + if (!sslports.empty()) + return; + + for (size_t i = 0; i < ServerInstance->ports.size(); i++) + { + ListenSocket* port = ServerInstance->ports[i]; + if (port->bind_tag->getString("ssl") != "openssl") + continue; + + const std::string& portid = port->bind_desc; + ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "m_ssl_openssl.so: Enabling SSL for port %s", portid.c_str()); + + if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1") + { + /* + * Found an SSL port for clients that is not bound to 127.0.0.1 and handled by us, display + * the IP:port in ISUPPORT. + * + * We used to advertise all ports seperated by a ';' char that matched the above criteria, + * but this resulted in too long ISUPPORT lines if there were lots of ports to be displayed. + * To solve this by default we now only display the first IP:port found and let the user + * configure the exact value for the 005 token, if necessary. + */ + sslports = portid; + break; + } + } + } } void OnModuleRehash(User* user, const std::string ¶m) @@ -166,37 +323,52 @@ class ModuleSSLOpenSSL : public Module if (param != "ssl") return; + std::string keyfile; + std::string certfile; + std::string cafile; + std::string dhfile; OnRehash(user); - ConfigReader Conf; - - cafile = Conf.ReadValue("openssl", "cafile", 0); - certfile = Conf.ReadValue("openssl", "certfile", 0); - keyfile = Conf.ReadValue("openssl", "keyfile", 0); - dhfile = Conf.ReadValue("openssl", "dhfile", 0); + ConfigTag* conf = ServerInstance->Config->ConfValue("openssl"); - // Set all the default values needed. - if (cafile.empty()) - cafile = "conf/ca.pem"; + cafile = conf->getString("cafile", CONFIG_PATH "/ca.pem"); + certfile = conf->getString("certfile", CONFIG_PATH "/cert.pem"); + keyfile = conf->getString("keyfile", CONFIG_PATH "/key.pem"); + dhfile = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem"); + std::string hash = conf->getString("hash", "md5"); + if (hash != "sha1" && hash != "md5") + throw ModuleException("Unknown hash type " + hash); + use_sha = (hash == "sha1"); - if (certfile.empty()) - certfile = "conf/cert.pem"; + if (conf->getBool("customcontextoptions")) + { + SetContextOptions(ctx, ctx_options, "server", conf); + SetContextOptions(clictx, clictx_options, "client", conf); + } - if (keyfile.empty()) - keyfile = "conf/key.pem"; + std::string ciphers = conf->getString("ciphers", ""); - if (dhfile.empty()) - dhfile = "conf/dhparams.pem"; + if (!ciphers.empty()) + { + ERR_clear_error(); + if ((!SSL_CTX_set_cipher_list(ctx, ciphers.c_str())) || (!SSL_CTX_set_cipher_list(clictx, ciphers.c_str()))) + { + ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't set cipher list to %s.", ciphers.c_str()); + ERR_print_errors_cb(error_callback, this); + } + } /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ + ERR_clear_error(); if ((!SSL_CTX_use_certificate_chain_file(ctx, certfile.c_str())) || (!SSL_CTX_use_certificate_chain_file(clictx, certfile.c_str()))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read certificate file %s. %s", certfile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } + ERR_clear_error(); if (((!SSL_CTX_use_PrivateKey_file(ctx, keyfile.c_str(), SSL_FILETYPE_PEM))) || (!SSL_CTX_use_PrivateKey_file(clictx, keyfile.c_str(), SSL_FILETYPE_PEM))) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read key file %s. %s", keyfile.c_str(), strerror(errno)); @@ -204,13 +376,18 @@ class ModuleSSLOpenSSL : public Module } /* Load the CAs we trust*/ + ERR_clear_error(); if (((!SSL_CTX_load_verify_locations(ctx, cafile.c_str(), 0))) || (!SSL_CTX_load_verify_locations(clictx, cafile.c_str(), 0))) { - ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. %s", cafile.c_str(), strerror(errno)); + ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno)); ERR_print_errors_cb(error_callback, this); } +#ifdef _WIN32 + BIO* dhpfile = BIO_new_file(dhfile.c_str(), "r"); +#else FILE* dhpfile = fopen(dhfile.c_str(), "r"); +#endif DH* ret; if (dhpfile == NULL) @@ -220,15 +397,29 @@ class ModuleSSLOpenSSL : public Module } else { +#ifdef _WIN32 + ret = PEM_read_bio_DHparams(dhpfile, NULL, NULL, NULL); + BIO_free(dhpfile); +#else ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL); +#endif + + ERR_clear_error(); if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0)) { ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str()); ERR_print_errors_cb(error_callback, this); } + DH_free(ret); } +#ifndef _WIN32 fclose(dhpfile); +#endif + +#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH + SetupECDH(conf); +#endif } void On005Numeric(std::string &output) @@ -248,9 +439,13 @@ class ModuleSSLOpenSSL : public Module { if (user->eh.GetIOHook() == this) { - if (sessions[user->GetFd()].sess) + if (sessions[user->eh.GetFd()].sess) { - SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert); + if (!sessions[user->eh.GetFd()].cert->fingerprint.empty()) + user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"" + " and your SSL fingerprint is %s", user->nick.c_str(), SSL_get_cipher(sessions[user->eh.GetFd()].sess), sessions[user->eh.GetFd()].cert->fingerprint.c_str()); + else + user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), SSL_get_cipher(sessions[user->eh.GetFd()].sess)); } } } @@ -285,6 +480,12 @@ class ModuleSSLOpenSSL : public Module req.cert = session->cert; } + else if (!strcmp("GET_RAW_SSL_SESSION", request.id)) + { + SSLRawSessionRequest& req = static_cast(request); + if ((req.fd >= 0) && (req.fd < ServerInstance->SE->GetMaxFds())) + req.data = reinterpret_cast(sessions[req.fd].sess); + } } void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) @@ -293,10 +494,10 @@ class ModuleSSLOpenSSL : public Module issl_session* session = &sessions[fd]; - session->fd = fd; session->sess = SSL_new(ctx); session->status = ISSL_NONE; session->outbound = false; + session->data_to_write = false; if (session->sess == NULL) return; @@ -319,10 +520,10 @@ class ModuleSSLOpenSSL : public Module issl_session* session = &sessions[fd]; - session->fd = fd; session->sess = SSL_new(clictx); session->status = ISSL_NONE; session->outbound = true; + session->data_to_write = false; if (session->sess == NULL) return; @@ -377,19 +578,28 @@ class ModuleSSLOpenSSL : public Module if (session->status == ISSL_OPEN) { + ERR_clear_error(); char* buffer = ServerInstance->GetReadBuffer(); size_t bufsiz = ServerInstance->Config->NetBufferSize; int ret = SSL_read(session->sess, buffer, bufsiz); - + +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION + if (!CheckRenego(user, session)) + return -1; +#endif + if (ret > 0) { recvq.append(buffer, ret); + if (session->data_to_write) + ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_SINGLE_WRITE); return 1; } else if (ret == 0) { // Client closed connection. CloseSession(session); + user->SetError("Connection closed"); return -1; } else if (ret < 0) @@ -444,7 +654,14 @@ class ModuleSSLOpenSSL : public Module if (session->status == ISSL_OPEN) { + ERR_clear_error(); int ret = SSL_write(session->sess, buffer.data(), buffer.size()); + +#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION + if (!CheckRenego(user, session)) + return -1; +#endif + if (ret == (int)buffer.length()) { session->data_to_write = false; @@ -473,7 +690,7 @@ class ModuleSSLOpenSSL : public Module } else if (err == SSL_ERROR_WANT_READ) { - ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE); + ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ); return 0; } else @@ -490,6 +707,7 @@ class ModuleSSLOpenSSL : public Module { int ret; + ERR_clear_error(); if (session->outbound) ret = SSL_connect(session->sess); else @@ -532,10 +750,8 @@ class ModuleSSLOpenSSL : public Module else if (ret == 0) { CloseSession(session); - return true; } - - return true; + return false; } void CloseSession(issl_session* session) @@ -548,12 +764,12 @@ class ModuleSSLOpenSSL : public Module session->sess = NULL; session->status = ISSL_NONE; - errno = EIO; + session->cert = NULL; } void VerifyCertificate(issl_session* session, StreamSocket* user) { - if (!session->sess || !user || session->cert) + if (!session->sess || !user) return; X509* cert; @@ -561,7 +777,7 @@ class ModuleSSLOpenSSL : public Module session->cert = certinfo; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *digest = EVP_md5(); + const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5(); cert = SSL_get_peer_certificate((SSL*)session->sess); @@ -573,7 +789,7 @@ class ModuleSSLOpenSSL : public Module certinfo->invalid = (SSL_get_verify_result(session->sess) != X509_V_OK); - if (SelfSigned) + if (!SelfSigned) { certinfo->unknownsigner = false; certinfo->trusted = true; @@ -584,8 +800,17 @@ class ModuleSSLOpenSSL : public Module certinfo->trusted = false; } - certinfo->dn = X509_NAME_oneline(X509_get_subject_name(cert),0,0); - certinfo->issuer = X509_NAME_oneline(X509_get_issuer_name(cert),0,0); + char buf[512]; + X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); + certinfo->dn = buf; + // Make sure there are no chars in the string that we consider invalid + if (certinfo->dn.find_first_of("\r\n") != std::string::npos) + certinfo->dn.clear(); + + X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); + certinfo->issuer = buf; + if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) + certinfo->issuer.clear(); if (!X509_digest(cert, digest, md, &n)) {