[ViewVC] Diff of: svn/ircd-hybrid/trunk/src/tls

Comparing ircd-hybrid/trunk/src/tls_openssl.c (file contents):
Revision 7708 by michael, Fri Sep 23 16:46:01 2016 UTC vs.
Revision 9149 by michael, Sun Jan 12 10:59:03 2020 UTC

+ *  Copyright (c) 2015 Attila Molnar <attilamolnar@hush.com>
+ *  Copyright (c) 2015 Adam <Adam@anope.org>
-<
+ *  Copyright (c) 2005-2016 ircd-hybrid development team
->
+ *  Copyright (c) 2005-2020 ircd-hybrid development team
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+#include "memory.h"
+#ifdef HAVE_TLS_OPENSSL
-+
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
-+
+#error "OpenSSL 1.1.1 and above is required to build this module"
-+
+#endif
-<
+static int TLS_initialized;
->
+static bool TLS_initialized;
+/*
+ * report_crypto_errors - Dump crypto error list to log
+static void
+report_crypto_errors(void)
-<
+  unsigned long e = 0;
->
+  unsigned long e;
+  while ((e = ERR_get_error()))
+    ilog(LOG_TYPE_IRCD, "SSL error: %s", ERR_error_string(e, 0));
+  return 1;
-<
+int
->
+bool
+tls_is_initialized(void)
+  return TLS_initialized;
+void
+tls_init(void)
-<
+  SSL_load_error_strings();
-<
+  SSLeay_add_ssl_algorithms();
-<
-<
+  if (!(ConfigServerInfo.tls_ctx.server_ctx = SSL_CTX_new(SSLv23_server_method())))
->
+  if ((ConfigServerInfo.tls_ctx.server_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
+    const char *s = ERR_lib_error_string(ERR_get_error());
-<
+    ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS Server context -- %s", s);
->
+    ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS server context -- %s", s);
+    exit(EXIT_FAILURE);
+    return;  /* Not reached */
-<
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.server_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
-<
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.server_ctx, SSL_OP_SINGLE_DH_USE|SSL_OP_CIPHER_SERVER_PREFERENCE);
-<
+  SSL_CTX_set_verify(ConfigServerInfo.tls_ctx.server_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-<
+                     always_accept_verify_cb);
->
+  SSL_CTX_set_min_proto_version(ConfigServerInfo.tls_ctx.server_ctx, TLS1_2_VERSION);
->
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE|SSL_OP_NO_TICKET);
->
+  SSL_CTX_set_verify(ConfigServerInfo.tls_ctx.server_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, always_accept_verify_cb);
+  SSL_CTX_set_session_cache_mode(ConfigServerInfo.tls_ctx.server_ctx, SSL_SESS_CACHE_OFF);
+  SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL");
-<
+#ifndef OPENSSL_NO_ECDH
-<
+  EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-<
-<
+  if (key)
-<
+  {
-<
+    SSL_CTX_set_tmp_ecdh(ConfigServerInfo.tls_ctx.server_ctx, key);
-<
+    EC_KEY_free(key);
-<
+  }
-<
-<
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.server_ctx, SSL_OP_SINGLE_ECDH_USE);
-<
+#endif
-<
-<
+  if (!(ConfigServerInfo.tls_ctx.client_ctx = SSL_CTX_new(SSLv23_client_method())))
->
+  if ((ConfigServerInfo.tls_ctx.client_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+    const char *s = ERR_lib_error_string(ERR_get_error());
-<
+    ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS Client context -- %s", s);
->
+    ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS client context -- %s", s);
+    exit(EXIT_FAILURE);
+    return;  /* Not reached */
-<
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.client_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
-<
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.client_ctx, SSL_OP_SINGLE_DH_USE);
-<
+  SSL_CTX_set_verify(ConfigServerInfo.tls_ctx.client_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-<
+                     always_accept_verify_cb);
->
+  SSL_CTX_set_min_proto_version(ConfigServerInfo.tls_ctx.client_ctx, TLS1_2_VERSION);
->
+  SSL_CTX_set_options(ConfigServerInfo.tls_ctx.client_ctx, SSL_OP_NO_TICKET);
->
+  SSL_CTX_set_verify(ConfigServerInfo.tls_ctx.client_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, always_accept_verify_cb);
+  SSL_CTX_set_session_cache_mode(ConfigServerInfo.tls_ctx.client_ctx, SSL_SESS_CACHE_OFF);
-<
+int
->
+bool
+tls_new_cred(void)
-<
+  TLS_initialized = 0;
->
+  TLS_initialized = false;
-<
+  if (!ConfigServerInfo.ssl_certificate_file || !ConfigServerInfo.rsa_private_key_file)
-<
+    return 1;
->
+  if (!ConfigServerInfo.tls_certificate_file || !ConfigServerInfo.rsa_private_key_file)
->
+    return true;
-<
+  if (SSL_CTX_use_certificate_chain_file(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.ssl_certificate_file) <= 0 ||
-<
+      SSL_CTX_use_certificate_chain_file(ConfigServerInfo.tls_ctx.client_ctx, ConfigServerInfo.ssl_certificate_file) <= 0)
->
+  if (SSL_CTX_use_certificate_chain_file(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_certificate_file) <= 0 ||
->
+      SSL_CTX_use_certificate_chain_file(ConfigServerInfo.tls_ctx.client_ctx, ConfigServerInfo.tls_certificate_file) <= 0)
+    report_crypto_errors();
-<
+    return 0;
->
+    return false;
+  if (SSL_CTX_use_PrivateKey_file(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.rsa_private_key_file, SSL_FILETYPE_PEM) <= 0 ||
+      SSL_CTX_use_PrivateKey_file(ConfigServerInfo.tls_ctx.client_ctx, ConfigServerInfo.rsa_private_key_file, SSL_FILETYPE_PEM) <= 0)
+    report_crypto_errors();
-<
+    return 0;
->
+    return false;
+  if (!SSL_CTX_check_private_key(ConfigServerInfo.tls_ctx.server_ctx) ||
+      !SSL_CTX_check_private_key(ConfigServerInfo.tls_ctx.client_ctx))
+    report_crypto_errors();
-<
+    return 0;
->
+    return false;
-<
+  if (ConfigServerInfo.ssl_dh_param_file)
->
+  if (ConfigServerInfo.tls_dh_param_file)
-<
+    BIO *file = BIO_new_file(ConfigServerInfo.ssl_dh_param_file, "r");
->
+    BIO *file = BIO_new_file(ConfigServerInfo.tls_dh_param_file, "r");
+    if (file)
+    else
-<
+      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::ssl_dh_param_file -- could not open/read Diffie-Hellman parameter file");
->
+      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_dh_param_file -- could not open/read Diffie-Hellman parameter file");
-<
+#ifndef OPENSSL_NO_ECDH
-<
+  if (ConfigServerInfo.ssl_dh_elliptic_curve)
->
+  if (ConfigServerInfo.tls_supported_groups == NULL)
->
+    SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, "X25519:P-256");
->
+  else if (SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_supported_groups) == 0)
-<
+    int nid = 0;
-<
+    EC_KEY *key = NULL;
-<
-<
+    if ((nid = OBJ_sn2nid(ConfigServerInfo.ssl_dh_elliptic_curve)) == 0)
-<
+      goto set_default_curve;
-<
-<
+    if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
-<
+      goto set_default_curve;
-<
-<
+    SSL_CTX_set_tmp_ecdh(ConfigServerInfo.tls_ctx.server_ctx, key);
-<
+    EC_KEY_free(key);
-<
+  }
-<
+  else
-<
+  {
-<
+    EC_KEY *key;
-<
-<
+set_default_curve:
-<
-<
+    key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-<
-<
+    if (key)
-<
+    {
-<
+      SSL_CTX_set_tmp_ecdh(ConfigServerInfo.tls_ctx.server_ctx, key);
-<
+      EC_KEY_free(key);
-<
+    }
->
+    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_supported_groups -- could not set supported group(s)");
->
+    SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, "X25519:P-256");
-–
+#endif
-<
+  if (ConfigServerInfo.ssl_message_digest_algorithm == NULL)
->
+  if (ConfigServerInfo.tls_message_digest_algorithm == NULL)
+    ConfigServerInfo.message_digest_algorithm = EVP_sha256();
+  else
-<
+    ConfigServerInfo.message_digest_algorithm = EVP_get_digestbyname(ConfigServerInfo.ssl_message_digest_algorithm);
->
+    ConfigServerInfo.message_digest_algorithm = EVP_get_digestbyname(ConfigServerInfo.tls_message_digest_algorithm);
+    if (ConfigServerInfo.message_digest_algorithm == NULL)
+      ConfigServerInfo.message_digest_algorithm = EVP_sha256();
-<
+      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::ssl_message_digest_algorithm -- unknown message digest algorithm");
->
+      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_message_digest_algorithm -- unknown message digest algorithm");
-<
+  if (ConfigServerInfo.ssl_cipher_list)
-<
+    SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.ssl_cipher_list);
->
+  if (ConfigServerInfo.tls_cipher_list)
->
+    if (SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_cipher_list) == 0)
->
+      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_cipher_list -- could not set supported cipher(s)");
->
->
+#ifndef LIBRESSL_VERSION_NUMBER
->
+  if (ConfigServerInfo.tls_cipher_suites == NULL)
->
+    /* Default to TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 */
->
+    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "");
->
+  else if (SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_cipher_suites) == 0)
->
+  {
->
+    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_cipher_suites -- could not set supported cipher suite(s)");
->
+    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "");
->
+  }
->
+#endif
-<
+  TLS_initialized = 1;
-<
+  return 1;
->
+  TLS_initialized = true;
->
+  return true;
+const char *
+tls_get_cipher(const tls_data_t *tls_data)
+  static char buffer[IRCD_BUFSIZE];
-–
+  int bits = 0;
+  SSL *ssl = *tls_data;
-<
+  SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), &bits);
-<
-<
+  snprintf(buffer, sizeof(buffer), "%s-%s-%d", SSL_get_version(ssl),
-<
+           SSL_get_cipher(ssl), bits);
->
+  snprintf(buffer, sizeof(buffer), "%s-%s", SSL_get_version(ssl), SSL_get_cipher(ssl));
+  return buffer;
+  static char buf[IRCD_BUFSIZE];
+  snprintf(buf, sizeof(buf), "OpenSSL version: library: %s, header: %s",
-<
+           SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_TEXT);
->
+           OpenSSL_version(OPENSSL_VERSION), OPENSSL_VERSION_TEXT);
+  return buf;
-<
+int
->
+bool
+tls_isusing(tls_data_t *tls_data)
+  SSL *ssl = *tls_data;
+  *tls_data = NULL;
-<
+int
-<
+tls_read(tls_data_t *tls_data, char *buf, size_t bufsize, int *want_write)
->
+ssize_t
->
+tls_read(tls_data_t *tls_data, char *buf, size_t bufsize, bool *want_write)
+  SSL *ssl = *tls_data;
-<
+  int length = SSL_read(ssl, buf, bufsize);
->
+  ssize_t length = SSL_read(ssl, buf, bufsize);
+  /* Translate openssl error codes, sigh */
+  if (length < 0)
+      case SSL_ERROR_WANT_WRITE:
+        /* OpenSSL wants to write, we signal this to the caller and do nothing about that here */
-<
+        *want_write = 1;
->
+        *want_write = true;
+        break;
+      case SSL_ERROR_WANT_READ:
+  return length;
-<
+int
-<
+tls_write(tls_data_t *tls_data, const char *buf, size_t bufsize, int *want_read)
->
+ssize_t
->
+tls_write(tls_data_t *tls_data, const char *buf, size_t bufsize, bool *want_read)
+  SSL *ssl = *tls_data;
-<
+  int retlen = SSL_write(ssl, buf, bufsize);
->
+  ssize_t retlen = SSL_write(ssl, buf, bufsize);
+  /* Translate openssl error codes, sigh */
+  if (retlen < 0)
+    switch (SSL_get_error(ssl, retlen))
+      case SSL_ERROR_WANT_READ:
-<
+        *want_read = 1;
->
+        *want_read = true;
+        break;  /* Retry later, don't register for write events */
+      case SSL_ERROR_WANT_WRITE:
+        errno = EWOULDBLOCK;
+  SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
-<
+  if (!SSL_shutdown(ssl))
->
+  if (SSL_shutdown(ssl) == 0)
+    SSL_shutdown(ssl);
-<
+int
->
+bool
+tls_new(tls_data_t *tls_data, int fd, tls_role_t role)
+  SSL *ssl;
-<
+  if (!TLS_initialized)
-<
+    return 0;
->
+  if (TLS_initialized == false)
->
+    return false;
+  if (role == TLS_ROLE_SERVER)
+    ssl = SSL_new(ConfigServerInfo.tls_ctx.server_ctx);
+  else
+    ssl = SSL_new(ConfigServerInfo.tls_ctx.client_ctx);
-<
+  if (!ssl)
->
+  if (ssl == NULL)
+    ilog(LOG_TYPE_IRCD, "SSL_new() ERROR! -- %s",
+         ERR_error_string(ERR_get_error(), NULL));
-<
+    return 0;
->
+    return false;
+  *tls_data = ssl;
+  SSL_set_fd(ssl, fd);
-<
+  return 1;
->
+  return true;
-<
+int
->
+bool
+tls_set_ciphers(tls_data_t *tls_data, const char *cipher_list)
+  SSL_set_cipher_list(*tls_data, cipher_list);
-<
+  return 1;
->
+  return true;
+tls_handshake_status_t
-<
+int
->
+bool
+tls_verify_cert(tls_data_t *tls_data, tls_md_t digest, char **fingerprint)
+  SSL *ssl = *tls_data;
-–
+  X509 *cert = SSL_get_peer_certificate(ssl);
+  unsigned int n;
+  char buf[EVP_MAX_MD_SIZE * 2 + 1];
+  unsigned char md[EVP_MAX_MD_SIZE];
-<
+  int ret = 0;
->
+  bool ret = false;
+  /* Accept NULL return from SSL_get_peer_certificate */
-<
+  if (!cert)
-<
+    return 1;
->
+  X509 *cert = SSL_get_peer_certificate(ssl);
->
+  if (cert == NULL)
->
+    return true;
-<
+  int res = SSL_get_verify_result(ssl);
-<
+  if (res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-<
+      res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-<
+      res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
->
+  switch (SSL_get_verify_result(ssl))
-<
+    ret = 1;
->
+    case X509_V_OK:
->
+    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
->
+    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
->
+    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
->
+      ret = true;
-<
+    if (X509_digest(cert, digest, md, &n))
-<
+    {
-<
+      binary_to_hex(md, buf, n);
-<
+      *fingerprint = xstrdup(buf);
-<
+    }
->
+      if (X509_digest(cert, digest, md, &n))
->
+      {
->
+        binary_to_hex(md, buf, n);
->
+        *fingerprint = xstrdup(buf);
->
+      }
->
+    default:
->
+      break;
+  X509_free(cert);

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines (old)
->
+Changed lines (new)

Comparing ircd-hybrid/trunk/src/tls_openssl.c (file contents): Revision 7708 by michael, Fri Sep 23 16:46:01 2016 UTC vs. Revision 9149 by michael, Sun Jan 12 10:59:03 2020 UTC

Diff Legend

Comparing ircd-hybrid/trunk/src/tls_openssl.c (file contents):
Revision 7708 by michael, Fri Sep 23 16:46:01 2016 UTC vs.
Revision 9149 by michael, Sun Jan 12 10:59:03 2020 UTC