X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=d8ea16bdf0dcc281a2d2ae5cb86fbd52df855b22;hb=acccaa39641500b8a691db4136e6571102a438ed;hp=962350e1c38cf6adfdbc7b40f76c9276f070df74;hpb=99f79a4e5c3abbe91a03216824e7659051872054;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 962350e1c..d8ea16bdf 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -21,20 +21,18 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
- /* HACK: This prevents OpenSSL on OS X 10.7 and later from spewing deprecation
-  * warnings for every single function call. As far as I (SaberUK) know, Apple
-  * have no plans to remove OpenSSL so this warning just causes needless spam.
-  */
-#ifdef __APPLE__
-# define __AVAILABILITYMACROS__
-# define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
 
 #include "inspircd.h"
 #include "iohook.h"
+#include "modules/ssl.h"
+
+// Ignore OpenSSL deprecation warnings on OS X Lion and newer.
+#if defined __APPLE__
+# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
 #include <openssl/ssl.h>
 #include <openssl/err.h>
-#include "modules/ssl.h"
 
 #ifdef _WIN32
 # pragma comment(lib, "libcrypto.lib")
@@ -44,11 +42,9 @@
 # pragma comment(lib, "libgcc.lib")
 # pragma comment(lib, "libmingwex.lib")
 # pragma comment(lib, "gdi32.lib")
-# undef MAX_DESCRIPTORS
-# define MAX_DESCRIPTORS 10000
 #endif
 
-/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") -Wno-pedantic */
+/* $CompileFlags: pkgconfversion("openssl","0.9.7") pkgconfincludes("openssl","/openssl/ssl.h","") */
 /* $LinkerFlags: rpath("pkg-config --libs openssl") pkgconflibs("openssl","/libssl.so","-lssl -lcrypto") */
 
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_OPEN };
@@ -107,8 +103,14 @@ namespace OpenSSL
 		Context(SSL_CTX* context)
 			: ctx(context)
 		{
+			// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
+			// and when choosing a cipher, use the server's preferences instead of the client preferences.
+			SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
 			SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+
+			const unsigned char session_id[] = "inspircd";
+			SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
 		}
 
 		~Context()
@@ -273,13 +275,13 @@ class OpenSSLIOHook : public SSLIOHook
 
 			if (err == SSL_ERROR_WANT_READ)
 			{
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
+				SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
 				this->status = ISSL_HANDSHAKING;
 				return true;
 			}
 			else if (err == SSL_ERROR_WANT_WRITE)
 			{
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
+				SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
 				this->status = ISSL_HANDSHAKING;
 				return true;
 			}
@@ -297,7 +299,7 @@ class OpenSSLIOHook : public SSLIOHook
 
 			status = ISSL_OPEN;
 
-			ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
+			SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
 
 			return true;
 		}
@@ -352,8 +354,11 @@ class OpenSSLIOHook : public SSLIOHook
 			certinfo->trusted = false;
 		}
 
-		certinfo->dn = X509_NAME_oneline(X509_get_subject_name(cert),0,0);
-		certinfo->issuer = X509_NAME_oneline(X509_get_issuer_name(cert),0,0);
+		char buf[512];
+		X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+		certinfo->dn = buf;
+		X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
+		certinfo->issuer = buf;
 
 		if (!X509_digest(cert, profile->GetDigest(), md, &n))
 		{
@@ -427,7 +432,7 @@ class OpenSSLIOHook : public SSLIOHook
 			{
 				recvq.append(buffer, ret);
 				if (data_to_write)
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_SINGLE_WRITE);
+					SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_SINGLE_WRITE);
 				return 1;
 			}
 			else if (ret == 0)
@@ -443,12 +448,12 @@ class OpenSSLIOHook : public SSLIOHook
 
 				if (err == SSL_ERROR_WANT_READ)
 				{
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ);
+					SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ);
 					return 0;
 				}
 				else if (err == SSL_ERROR_WANT_WRITE)
 				{
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
+					SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
 					return 0;
 				}
 				else
@@ -489,13 +494,13 @@ class OpenSSLIOHook : public SSLIOHook
 			if (ret == (int)buffer.length())
 			{
 				data_to_write = false;
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
+				SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
 				return 1;
 			}
 			else if (ret > 0)
 			{
 				buffer = buffer.substr(ret);
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
+				SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 				return 0;
 			}
 			else if (ret == 0)
@@ -509,12 +514,12 @@ class OpenSSLIOHook : public SSLIOHook
 
 				if (err == SSL_ERROR_WANT_WRITE)
 				{
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
+					SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 					return 0;
 				}
 				else if (err == SSL_ERROR_WANT_READ)
 				{
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ);
+					SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ);
 					return 0;
 				}
 				else
@@ -573,7 +578,6 @@ class ModuleSSLOpenSSL : public Module
 {
 	typedef std::vector<reference<OpenSSLIOHookProvider> > ProfileList;
 
-	std::string sslports;
 	ProfileList profiles;
 
 	void ReadProfiles()
@@ -640,45 +644,6 @@ class ModuleSSLOpenSSL : public Module
 		ReadProfiles();
 	}
 
-	void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
-	{
-		sslports.clear();
-
-		ConfigTag* Conf = ServerInstance->Config->ConfValue("openssl");
-
-		if (Conf->getBool("showports", true))
-		{
-			sslports = Conf->getString("advertisedports");
-			if (!sslports.empty())
-				return;
-
-			for (size_t i = 0; i < ServerInstance->ports.size(); i++)
-			{
-				ListenSocket* port = ServerInstance->ports[i];
-				if (port->bind_tag->getString("ssl") != "openssl")
-					continue;
-
-				const std::string& portid = port->bind_desc;
-				ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str());
-
-				if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
-				{
-					/*
-					 * Found an SSL port for clients that is not bound to 127.0.0.1 and handled by us, display
-					 * the IP:port in ISUPPORT.
-					 *
-					 * We used to advertise all ports seperated by a ';' char that matched the above criteria,
-					 * but this resulted in too long ISUPPORT lines if there were lots of ports to be displayed.
-					 * To solve this by default we now only display the first IP:port found and let the user
-					 * configure the exact value for the 005 token, if necessary.
-					 */
-					sslports = portid;
-					break;
-				}
-			}
-		}
-	}
-
 	void OnModuleRehash(User* user, const std::string &param) CXX11_OVERRIDE
 	{
 		if (param != "ssl")
@@ -694,12 +659,6 @@ class ModuleSSLOpenSSL : public Module
 		}
 	}
 
-	void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
-	{
-		if (!sslports.empty())
-			tokens["SSL"] = sslports;
-	}
-
 	void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
 	{
 		IOHook* hook = user->eh.GetIOHook();