X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=fb965a5abcc29670941794046a3d1c461ec7c53a;hb=7cfeb971666b3a6709fe61bd01478697e6433f50;hp=4937e7cb00f536fc4dda031c004fa81d3c496233;hpb=df9ca5115b64bc5b7888dee3123d0bf6527c496d;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 4937e7cb0..fb965a5ab 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,12 +1,20 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2020 Matt Schatz + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2017 Wade Cline + * Copyright (C) 2014, 2016 Adam + * Copyright (C) 2014 Julien Vehent + * Copyright (C) 2013-2014, 2016-2021 Sadie Powell + * Copyright (C) 2012-2017 Attila Molnar + * Copyright (C) 2012 Robby + * Copyright (C) 2012 ChrisTX * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2008 Thomas Stagner + * Copyright (C) 2008 Robin Burchell * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton + * Copyright (C) 2006-2008, 2010 Craig Edwards + * Copyright (C) 2006 Oliver Lupton * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -21,9 +29,10 @@ * along with this program. If not, see . */ -/// $CompilerFlags: find_compiler_flags("openssl") +/// $CompilerFlags: find_compiler_flags("openssl" "") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") +/// $PackageInfo: require_system("arch") openssl pkgconf /// $PackageInfo: require_system("centos") openssl-devel pkgconfig /// $PackageInfo: require_system("darwin") openssl pkg-config /// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config @@ -34,11 +43,22 @@ #include "iohook.h" #include "modules/ssl.h" +#ifdef __GNUC__ +# pragma GCC diagnostic push +#endif + // Ignore OpenSSL deprecation warnings on OS X Lion and newer. #if defined __APPLE__ # pragma GCC diagnostic ignored "-Wdeprecated-declarations" #endif +// LibreSSL lies about the version of OpenSSL it is compatible with and is a general pain +// to support. Support for it was removed in the master branch at the same time that +// support for OpenSSL pre-1.1 was. +#if defined __GNUC__ && defined LIBRESSL_VERSION_NUMBER +# warning LibreSSL support will be discontinued in the future. Consider using the ssl_gnutls or ssl_mbedtls modules instead. +#endif + // Fix warnings about the use of `long long` on C++03. #if defined __clang__ # pragma clang diagnostic ignored "-Wc++11-long-long" @@ -50,6 +70,10 @@ #include #include +#ifdef __GNUC__ +# pragma GCC diagnostic pop +#endif + #ifdef _WIN32 # pragma comment(lib, "ssleay32.lib") # pragma comment(lib, "libeay32.lib") @@ -235,7 +259,7 @@ namespace OpenSSL X509_STORE* store = SSL_CTX_get_cert_store(ctx); if (!store) { - throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); } ERR_clear_error(); if (!X509_STORE_load_locations(store, @@ -370,7 +394,7 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem", 1))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default @@ -379,7 +403,7 @@ namespace OpenSSL if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); - std::string hash = tag->getString("hash", "md5"); + const std::string hash = tag->getString("hash", "md5", 1); digest = EVP_get_digestbyname(hash.c_str()); if (digest == NULL) throw Exception("Unknown hash type " + hash); @@ -395,7 +419,7 @@ namespace OpenSSL } #ifndef OPENSSL_NO_ECDH - std::string curvename = tag->getString("ecdhcurve", "prime256v1"); + const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) ctx.SetECDH(curvename); #endif @@ -406,14 +430,14 @@ namespace OpenSSL /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ - std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem")); + std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem", 1)); if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename))) { ERR_print_errors_cb(error_callback, this); throw Exception("Can't read certificate file: " + lasterr); } - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem", 1)); if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename))) { ERR_print_errors_cb(error_callback, this); @@ -421,7 +445,7 @@ namespace OpenSSL } // Load the CAs we trust - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem", 1)); if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename))) { ERR_print_errors_cb(error_callback, this); @@ -429,9 +453,9 @@ namespace OpenSSL } // Load the CRLs. - std::string crlfile = tag->getString("crlfile"); - std::string crlpath = tag->getString("crlpath"); - std::string crlmode = tag->getString("crlmode", "chain"); + const std::string crlfile = tag->getString("crlfile"); + const std::string crlpath = tag->getString("crlpath"); + const std::string crlmode = tag->getString("crlmode", "chain", 1); ctx.SetCRL(crlfile, crlpath, crlmode); clictx.SetVerifyCert(); @@ -912,13 +936,13 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) return ret; } -class OpenSSLIOHookProvider : public IOHookProvider +class OpenSSLIOHookProvider : public SSLIOHookProvider { OpenSSL::Profile profile; public: OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag) - : IOHookProvider(mod, "ssl/" + profilename, IOHookProvider::IOH_SSL) + : SSLIOHookProvider(mod, profilename) , profile(profilename, tag) { ServerInstance->Modules->AddService(*this); @@ -963,7 +987,7 @@ class ModuleSSLOpenSSL : public Module // Create a default profile named "openssl" const std::string defname = "openssl"; ConfigTag* tag = ServerInstance->Config->ConfValue(defname); - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the tag"); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the deprecated tag"); try { @@ -971,34 +995,40 @@ class ModuleSSLOpenSSL : public Module } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } - - for (ConfigIter i = tags.first; i != tags.second; ++i) + else { - ConfigTag* tag = i->second; - if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) - continue; - - std::string name = tag->getString("name"); - if (name.empty()) + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"openssl\" when configuring TLS (SSL) connections in or "); + for (ConfigIter i = tags.first; i != tags.second; ++i) { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); - continue; - } + ConfigTag* tag = i->second; + if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring non-OpenSSL tag at " + tag->getTagLocation()); + continue; + } - reference prov; - try - { - prov = new OpenSSLIOHookProvider(this, name, tag); - } - catch (CoreException& ex) - { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); - } + std::string name = tag->getString("name"); + if (name.empty()) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); + continue; + } - newprofiles.push_back(prov); + reference prov; + try + { + prov = new OpenSSLIOHookProvider(this, name, tag); + } + catch (CoreException& ex) + { + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + } + + newprofiles.push_back(prov); + } } for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i) @@ -1040,12 +1070,13 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (param != "ssl") + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try { ReadProfiles(); + ServerInstance->SNO->WriteToSnoMask('a', "OpenSSL TLS (SSL) profiles have been reloaded."); } catch (ModuleException& ex) { @@ -1061,9 +1092,9 @@ class ModuleSSLOpenSSL : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } @@ -1078,7 +1109,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support via OpenSSL", VF_VENDOR); + return Version("Allows TLS (SSL) encrypted connections using the OpenSSL library.", VF_VENDOR); } };