X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=fb965a5abcc29670941794046a3d1c461ec7c53a;hb=7cfeb971666b3a6709fe61bd01478697e6433f50;hp=c27626639932d2efd5ccc65c014e0a9cffbc5d2b;hpb=aa692dc1039b63deef7886e914ec499abe7facaf;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index c27626639..fb965a5ab 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1,19 +1,20 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2020 Matt Schatz * Copyright (C) 2019 linuxdaemon - * Copyright (C) 2019 Matt Schatz * Copyright (C) 2017 Wade Cline * Copyright (C) 2014, 2016 Adam * Copyright (C) 2014 Julien Vehent - * Copyright (C) 2013-2014, 2016-2019 Sadie Powell + * Copyright (C) 2013-2014, 2016-2021 Sadie Powell * Copyright (C) 2012-2017 Attila Molnar - * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2012 Robby * Copyright (C) 2012 ChrisTX * Copyright (C) 2009-2010 Daniel De Graaf * Copyright (C) 2008 Robin Burchell - * Copyright (C) 2007-2008, 2010 Craig Edwards * Copyright (C) 2007 Dennis Friis + * Copyright (C) 2006-2008, 2010 Craig Edwards + * Copyright (C) 2006 Oliver Lupton * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -28,7 +29,7 @@ * along with this program. If not, see . */ -/// $CompilerFlags: find_compiler_flags("openssl") +/// $CompilerFlags: find_compiler_flags("openssl" "") /// $LinkerFlags: find_linker_flags("openssl" "-lssl -lcrypto") /// $PackageInfo: require_system("arch") openssl pkgconf @@ -51,6 +52,13 @@ # pragma GCC diagnostic ignored "-Wdeprecated-declarations" #endif +// LibreSSL lies about the version of OpenSSL it is compatible with and is a general pain +// to support. Support for it was removed in the master branch at the same time that +// support for OpenSSL pre-1.1 was. +#if defined __GNUC__ && defined LIBRESSL_VERSION_NUMBER +# warning LibreSSL support will be discontinued in the future. Consider using the ssl_gnutls or ssl_mbedtls modules instead. +#endif + // Fix warnings about the use of `long long` on C++03. #if defined __clang__ # pragma clang diagnostic ignored "-Wc++11-long-long" @@ -251,7 +259,7 @@ namespace OpenSSL X509_STORE* store = SSL_CTX_get_cert_store(ctx); if (!store) { - throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); } ERR_clear_error(); if (!X509_STORE_load_locations(store, @@ -386,7 +394,7 @@ namespace OpenSSL public: Profile(const std::string& profilename, ConfigTag* tag) : name(profilename) - , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem"))) + , dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem", 1))) , ctx(SSL_CTX_new(SSLv23_server_method())) , clictx(SSL_CTX_new(SSLv23_client_method())) , allowrenego(tag->getBool("renegotiation")) // Disallow by default @@ -395,7 +403,7 @@ namespace OpenSSL if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh))) throw Exception("Couldn't set DH parameters"); - std::string hash = tag->getString("hash", "md5"); + const std::string hash = tag->getString("hash", "md5", 1); digest = EVP_get_digestbyname(hash.c_str()); if (digest == NULL) throw Exception("Unknown hash type " + hash); @@ -411,7 +419,7 @@ namespace OpenSSL } #ifndef OPENSSL_NO_ECDH - std::string curvename = tag->getString("ecdhcurve", "prime256v1"); + const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1); if (!curvename.empty()) ctx.SetECDH(curvename); #endif @@ -422,14 +430,14 @@ namespace OpenSSL /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ - std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem")); + std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem", 1)); if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename))) { ERR_print_errors_cb(error_callback, this); throw Exception("Can't read certificate file: " + lasterr); } - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem", 1)); if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename))) { ERR_print_errors_cb(error_callback, this); @@ -437,7 +445,7 @@ namespace OpenSSL } // Load the CAs we trust - filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem")); + filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem", 1)); if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename))) { ERR_print_errors_cb(error_callback, this); @@ -445,9 +453,9 @@ namespace OpenSSL } // Load the CRLs. - std::string crlfile = tag->getString("crlfile"); - std::string crlpath = tag->getString("crlpath"); - std::string crlmode = tag->getString("crlmode", "chain"); + const std::string crlfile = tag->getString("crlfile"); + const std::string crlpath = tag->getString("crlpath"); + const std::string crlmode = tag->getString("crlmode", "chain", 1); ctx.SetCRL(crlfile, crlpath, crlmode); clictx.SetVerifyCert(); @@ -928,13 +936,13 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size) return ret; } -class OpenSSLIOHookProvider : public IOHookProvider +class OpenSSLIOHookProvider : public SSLIOHookProvider { OpenSSL::Profile profile; public: OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag) - : IOHookProvider(mod, "ssl/" + profilename, IOHookProvider::IOH_SSL) + : SSLIOHookProvider(mod, profilename) , profile(profilename, tag) { ServerInstance->Modules->AddService(*this); @@ -979,7 +987,7 @@ class ModuleSSLOpenSSL : public Module // Create a default profile named "openssl" const std::string defname = "openssl"; ConfigTag* tag = ServerInstance->Config->ConfValue(defname); - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the tag"); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No tags found, using settings from the deprecated tag"); try { @@ -987,34 +995,40 @@ class ModuleSSLOpenSSL : public Module } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } - - for (ConfigIter i = tags.first; i != tags.second; ++i) + else { - ConfigTag* tag = i->second; - if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) - continue; - - std::string name = tag->getString("name"); - if (name.empty()) + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"openssl\" when configuring TLS (SSL) connections in or "); + for (ConfigIter i = tags.first; i != tags.second; ++i) { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); - continue; - } + ConfigTag* tag = i->second; + if (!stdalgo::string::equalsci(tag->getString("provider"), "openssl")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring non-OpenSSL tag at " + tag->getTagLocation()); + continue; + } - reference prov; - try - { - prov = new OpenSSLIOHookProvider(this, name, tag); - } - catch (CoreException& ex) - { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); - } + std::string name = tag->getString("name"); + if (name.empty()) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring tag without name at " + tag->getTagLocation()); + continue; + } + + reference prov; + try + { + prov = new OpenSSLIOHookProvider(this, name, tag); + } + catch (CoreException& ex) + { + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + } - newprofiles.push_back(prov); + newprofiles.push_back(prov); + } } for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i) @@ -1056,13 +1070,13 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (!irc::equals(param, "ssl")) + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "OpenSSL TLS (SSL) profiles have been reloaded."); } catch (ModuleException& ex) { @@ -1078,9 +1092,9 @@ class ModuleSSLOpenSSL : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } @@ -1095,7 +1109,7 @@ class ModuleSSLOpenSSL : public Module Version GetVersion() CXX11_OVERRIDE { - return Version("Provides SSL support via OpenSSL", VF_VENDOR); + return Version("Allows TLS (SSL) encrypted connections using the OpenSSL library.", VF_VENDOR); } };