X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=c9ae14e11bad0b31547494d3b19cd9d3a052d199;hb=a71f34e4b17420cacc4a50c5af64fe15811a8148;hp=debc179534551991f91cb8e0ce8b85978e6139e8;hpb=06eb88c10cb7a57ea800e0204b48277de9cb02ca;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index debc17953..c9ae14e11 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -49,6 +49,11 @@ /* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */ /* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */ +#if ((OPENSSL_VERSION_NUMBER >= 0x10000000L) && (!(defined(OPENSSL_NO_ECDH)))) +// OpenSSL 0.9.8 includes some ECC support, but it's unfinished. Enable only for 1.0.0 and later. +#define INSPIRCD_OPENSSL_ENABLE_ECDH +#endif + enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN }; static bool SelfSigned = false; @@ -121,7 +126,12 @@ namespace OpenSSL #endif ctx_options = SSL_CTX_set_options(ctx, opts); - SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + + long mode = SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; +#ifdef SSL_MODE_RELEASE_BUFFERS + mode |= SSL_MODE_RELEASE_BUFFERS; +#endif + SSL_CTX_set_mode(ctx, mode); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_info_callback(ctx, StaticSSLInfoCallback); @@ -238,6 +248,10 @@ namespace OpenSSL */ const bool allowrenego; + /** Rough max size of records to send + */ + const unsigned int outrecsize; + static int error_callback(const char* str, size_t len, void* u) { Profile* profile = reinterpret_cast(u); 
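Review bot: `mode |= SSL_MODE_RELEASE_BUFFERS;` is enabled for every context purely because the macro exists at build time, with no comment and no way for an operator to turn it off. The mode changes when OpenSSL frees and reallocates its per-connection buffers, and older OpenSSL releases have needed memory-safety fixes in that path, so the library version the server actually runs against matters. I would add a comment such as `// Frees idle per-connection buffers to save memory; needs an OpenSSL that carries the release-buffers fixes` and consider gating the flag behind a config value. The enclosing function starts and ends outside the hunk.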
@@ -255,10 +269,10 @@ namespace OpenSSL long setoptions = tag->getInt(ctxname + "setoptions"); long clearoptions = tag->getInt(ctxname + "clearoptions"); #ifdef SSL_OP_NO_COMPRESSION - if (!tag->getBool("compression", true)) + if (!tag->getBool("compression", false)) // Disable compression by default setoptions |= SSL_OP_NO_COMPRESSION; #endif - if (!tag->getBool("sslv3", true)) + if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default setoptions |= SSL_OP_NO_SSLv3; if (!tag->getBool("tlsv1", true)) setoptions |= SSL_OP_NO_TLSv1; @@ -277,7 +291,8 @@ namespace OpenSSL , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem"))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) - , allowrenego(tag->getBool("renegotiation", true)) + , allowrenego(tag->getBool("renegotiation")) // Disallow by default + , outrecsize(tag->getInt("outrecsize", 2048, 512, 16384)) { if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); 
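Review bot: The new "off by default" setting for compression is silently lost on builds where `SSL_OP_NO_COMPRESSION` is not defined, because the `getBool("compression", false)` check sits entirely inside the `#ifdef`. An operator reading the config would then believe TLS compression is disabled while the library may still negotiate it. An `#else` branch that logs the fact would make this visible, e.g. `ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "TLS compression cannot be disabled with this OpenSSL version");`. Flipping `sslv3` also changes behaviour for existing configs that never set the key, which deserves a line in the example configuration. The enclosing function starts and ends outside the hunk.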
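Review bot: `tag->getBool("renegotiation")` in the initialiser list relies on the implicit default of `getBool`, while the options a few lines above spell theirs out (`getBool("sslv3", false)`). Writing `tag->getBool("renegotiation", false)` keeps the secure default visible at the call site and independent of the helper's own default. For `outrecsize`, a short comment that the 16384 upper bound corresponds to the maximum TLS record payload would explain the numbers; the rest of the constructor is outside the hunk.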
@@ -337,9 +352,51 @@ namespace OpenSSL SSL* CreateClientSession() { return clictx.CreateClientSession(); } const EVP_MD* GetDigest() { return digest; } bool AllowRenegotiation() const { return allowrenego; } + unsigned int GetOutgoingRecordSize() const { return outrecsize; } }; + + namespace BIOMethod + { + static int create(BIO* bio) + { + bio->init = 1; + return 1; + } + + static int destroy(BIO* bio) + { + // XXX: Dummy function to avoid a memory leak in OpenSSL. + // The memory leak happens in BIO_free() (bio_lib.c) when the destroy func of the BIO is NULL. + // This is fixed in OpenSSL but some distros still ship the unpatched version hence we provide this workaround. + return 1; + } + + static long ctrl(BIO* bio, int cmd, long num, void* ptr) + { + if (cmd == BIO_CTRL_FLUSH) + return 1; + return 0; + } + + static int read(BIO* bio, char* buf, int len); + static int write(BIO* bio, const char* buf, int len); + } } +static BIO_METHOD biomethods = +{ + (100 | BIO_TYPE_SOURCE_SINK), + "inspircd", + OpenSSL::BIOMethod::write, + OpenSSL::BIOMethod::read, + NULL, // puts + NULL, // gets + OpenSSL::BIOMethod::ctrl, + OpenSSL::BIOMethod::create, + OpenSSL::BIOMethod::destroy, // destroy, does nothing, see function body for more info + NULL // callback_ctrl +}; + static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) { /* XXX: This will allow self signed certificates. @@ -359,7 +416,6 @@ class OpenSSLIOHook : public SSLIOHook private: SSL* sess; issl_status status; - const bool outbound; bool data_to_write; reference profile; @@ -478,7 +534,6 @@ class OpenSSLIOHook : public SSLIOHook X509_free(cert); } -#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION void SSLInfoCallback(int where, int rc) { if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN)) 
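Review bot: `biomethods` is initialised positionally with a bare `(100 | BIO_TYPE_SOURCE_SINK)` type, and neither the magic 100 nor the field order is explained. The positional initialiser and the direct `bio->init = 1` write both depend on the `BIO_METHOD` and `BIO` struct layout of the OpenSSL headers being compiled against, so a comment naming that dependency would help whoever builds this against a newer library. I would also document on `ctrl` that everything except flush is reported as unsupported, e.g. `// Only BIO_CTRL_FLUSH is handled (as a no-op); all other controls return 0`. The unused parameters of `destroy` and `ctrl` could be left unnamed to avoid warnings.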
@@ -489,7 +544,9 @@ class OpenSSLIOHook : public SSLIOHook // The other side is trying to renegotiate, kill the connection and change status // to ISSL_NONE so CheckRenego() closes the session status = ISSL_NONE; - SocketEngine::Shutdown(SSL_get_fd(sess), 2); + BIO* bio = SSL_get_rbio(sess); + EventHandler* eh = static_cast(bio->ptr); + SocketEngine::Shutdown(eh, 2); } } @@ -503,7 +560,6 @@ class OpenSSLIOHook : public SSLIOHook sock->SetError("Renegotiation is not allowed"); return false; } -#endif // Returns 1 if application I/O should proceed, 0 if it must wait for the underlying protocol to progress, -1 on fatal error int PrepareIO(StreamSocket* sock) @@ -524,18 +580,17 @@ class OpenSSLIOHook : public SSLIOHook friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc); public: - OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, bool is_outbound, SSL* session, const reference& sslprofile) + OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session, const reference& sslprofile) : SSLIOHook(hookprov) , sess(session) , status(ISSL_NONE) - , outbound(is_outbound) , data_to_write(false) , profile(sslprofile) { - if (sess == NULL) - return; - if (SSL_set_fd(sess, sock->GetFd()) == 0) - throw ModuleException("Can't set fd with SSL_set_fd: " + ConvToStr(sock->GetFd())); + // Create BIO instance and store a pointer to the socket in it which will be used by the read and write functions + BIO* bio = BIO_new(&biomethods); + bio->ptr = sock; + SSL_set_bio(sess, bio, bio); SSL_set_ex_data(sess, exdataindex, this); sock->AddIOHook(this); @@ -561,10 +616,8 @@ class OpenSSLIOHook : public SSLIOHook size_t bufsiz = ServerInstance->Config->NetBufferSize; int ret = SSL_read(sess, buffer, bufsiz); -#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION if (!CheckRenego(user)) return -1; -#endif if (ret > 0) { 
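Review bot: The rewritten `OpenSSLIOHook` constructor dereferences two pointers that can be null. The `if (sess == NULL) return;` guard is gone, so `SSL_set_bio(sess, bio, bio)` runs on whatever `CreateServerSession()` or `CreateClientSession()` returned (OnAccept and OnConnect pass it straight through), and the result of `BIO_new(&biomethods)` is used in `bio->ptr = sock` unchecked. If either allocation fails under memory pressure, one incoming connection can take the whole process down. Following the `ModuleException` the old `SSL_set_fd` path threw, I would add `if (!sess) throw ModuleException("Can't create SSL session");` before the BIO is created and `if (!bio) throw ModuleException("BIO_new() failed");` right after it. Whether the callers of `new OpenSSLIOHook(...)` handle that exception is not visible here and should be confirmed.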
@@ -603,7 +656,7 @@ class OpenSSLIOHook : public SSLIOHook } } - int OnStreamSocketWrite(StreamSocket* user, std::string& buffer) CXX11_OVERRIDE + int OnStreamSocketWrite(StreamSocket* user) CXX11_OVERRIDE { // Finish handshake if needed int prepret = PrepareIO(user); @@ -613,24 +666,25 @@ class OpenSSLIOHook : public SSLIOHook data_to_write = true; // Session is ready for transferring application data + StreamSocket::SendQueue& sendq = user->GetSendQ(); + while (!sendq.empty()) { ERR_clear_error(); + FlattenSendQueue(sendq, profile->GetOutgoingRecordSize()); + const StreamSocket::SendQueue::Element& buffer = sendq.front(); int ret = SSL_write(sess, buffer.data(), buffer.size()); -#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION if (!CheckRenego(user)) return -1; -#endif if (ret == (int)buffer.length()) { - data_to_write = false; - SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE); - return 1; + // Wrote entire record, continue sending + sendq.pop_front(); } else if (ret > 0) { - buffer.erase(0, ret); + sendq.erase_front(ret); SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE); return 0; } @@ -660,6 +714,10 @@ class OpenSSLIOHook : public SSLIOHook } } } + + data_to_write = false; + SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE); + return 1; } void TellCiphersAndFingerprint(LocalUser* user) 
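Review bot: The send loop rewrites the front of `sendq` between `SSL_write()` calls (`FlattenSendQueue`, `erase_front`), which is only valid because the context sets `SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`, and nothing at this call site says so. A comment above the call, `// Retrying from a different buffer is fine: partial writes and moving write buffers are enabled on the context`, would stop a later change to the mode flags from silently breaking retries. It is also worth confirming that a retry after a would-block never passes fewer bytes than the previous attempt, since OpenSSL rejects such a retry; `FlattenSendQueue` is not visible here. Minor style: the block mixes `buffer.size()` with `(int)buffer.length()`, and `static_cast<int>(buffer.size())` would be consistent. The function body starts and ends outside this hunk.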
@@ -682,14 +740,60 @@ class OpenSSLIOHook : public SSLIOHook out.append(SSL_get_version(sess)).push_back('-'); out.append(SSL_get_cipher(sess)); } + + bool IsHandshakeDone() const { return (status == ISSL_OPEN); } }; static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc) { -#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION OpenSSLIOHook* hook = static_cast(SSL_get_ex_data(ssl, exdataindex)); hook->SSLInfoCallback(where, rc); -#endif +} + +static int OpenSSL::BIOMethod::write(BIO* bio, const char* buffer, int size) +{ + BIO_clear_retry_flags(bio); + + StreamSocket* sock = static_cast(bio->ptr); + if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK) + { + // Writes blocked earlier, don't retry syscall + BIO_set_retry_write(bio); + return -1; + } + + int ret = SocketEngine::Send(sock, buffer, size, 0); + if ((ret < size) && ((ret > 0) || (SocketEngine::IgnoreError()))) + { + // Blocked, set retry flag for OpenSSL + SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK); + BIO_set_retry_write(bio); + } + + return ret; +} + +static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) +{ + BIO_clear_retry_flags(bio); + + StreamSocket* sock = static_cast(bio->ptr); + if (sock->GetEventMask() & FD_READ_WILL_BLOCK) + { + // Reads blocked earlier, don't retry syscall + BIO_set_retry_read(bio); + return -1; + } + + int ret = SocketEngine::Recv(sock, buffer, size, 0); + if ((ret < size) && ((ret > 0) || (SocketEngine::IgnoreError()))) + { + // Blocked, set retry flag for OpenSSL + SocketEngine::ChangeEventMask(sock, FD_READ_WILL_BLOCK); + BIO_set_retry_read(bio); + } + + return ret; } class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider 
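Review bot: In `BIOMethod::read`, a return of 0 from `SocketEngine::Recv` falls into `(ret > 0) || (SocketEngine::IgnoreError())`, so whether a closed connection reaches OpenSSL as end-of-stream or as "retry later" depends on error state that the call presumably did not set. If `IgnoreError()` inspects `errno` (not visible here), a stale would-block value makes an orderly close look like a blocked read and the session lingers. Limiting the error check to failures avoids that: `if ((ret < size) && ((ret > 0) || ((ret < 0) && SocketEngine::IgnoreError())))`, and the same condition in `write` has the same shape. Separately, `StaticSSLInfoCallback` now always dereferences `hook`; an `if (hook)` guard would cover the case, if it can occur, of the callback firing before `SSL_set_ex_data` has run.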
@@ -711,12 +815,12 @@ class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, false, profile->CreateServerSession(), profile); + new OpenSSLIOHook(this, sock, profile->CreateServerSession(), profile); } void OnConnect(StreamSocket* sock) CXX11_OVERRIDE { - new OpenSSLIOHook(this, sock, true, profile->CreateClientSession(), profile); + new OpenSSLIOHook(this, sock, profile->CreateClientSession(), profile); } }; @@ -787,6 +891,8 @@ class ModuleSSLOpenSSL : public Module void init() CXX11_OVERRIDE { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", SSLeay_version(SSLEAY_VERSION)); + // Register application specific data char exdatastr[] = "inspircd"; exdataindex = SSL_get_ex_new_index(0, exdatastr, NULL, NULL, NULL); @@ -833,6 +939,18 @@ class ModuleSSLOpenSSL : public Module } } + ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE + { + if ((user->eh.GetIOHook()) && (user->eh.GetIOHook()->prov->creator == this)) + { + OpenSSLIOHook* iohook = static_cast(user->eh.GetIOHook()); + if (!iohook->IsHandshakeDone()) + return MOD_RES_DENY; + } + + return MOD_RES_PASSTHRU; + } + Version GetVersion() CXX11_OVERRIDE { return Version("Provides SSL support for clients", VF_VENDOR);
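Review bot: The new log call in `init()` splices `OPENSSL_VERSION_TEXT` into the format string by literal concatenation, so the header's version text is parsed as part of the format. Passing it as an argument keeps data out of the format string: `"OpenSSL lib version \"%s\" module was compiled for \"%s\"", SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_TEXT`. Logging both versions is useful for spotting a header/library mismatch. The rest of `init()` lies outside the hunk.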
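Review bot: `OnCheckReady` has no comment saying why it returns `MOD_RES_DENY`, and the unchecked downcast to `OpenSSLIOHook*` is safe only because of the `prov->creator == this` test in front of it. I would add a doc comment along the lines of `/** Hold back registration until the TLS handshake on this user's socket has finished */` and a one-line note on the cast that the creator check guarantees the hook type. Calling `user->eh.GetIOHook()` once into a local would also make the null check and the cast visibly refer to the same pointer.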