1 files changed, 191 insertions, 55 deletions
diff --git a/modules/extra/m_ssl.cpp b/modules/extra/m_ssl.cpp
index 5e081c193..9fefb942a 100644
--- a/modules/extra/m_ssl.cpp
+++ b/modules/extra/m_ssl.cpp
@@ -1,6 +1,7 @@
 /* RequiredLibraries: ssl,crypt */
 
 #include "module.h"
+#include "ssl.h"
 
 #define OPENSSL_NO_SHA512
 #include <openssl/bio.h>
@@ -12,74 +13,98 @@
 #define CERTFILE "anope.cert"
 #define KEYFILE "anope.key"
 
-static SSL_CTX *ctx;
+static SSL_CTX *server_ctx, *client_ctx;
 
-class SSLSocket : public ClientSocket
+class MySSLService : public SSLService
 {
- private:
-	SSL *sslsock;
-
-	int RecvInternal(char *buf, size_t sz) const
-	{
-		return SSL_read(sslsock, buf, sz);
-	}
-
-	int SendInternal(const Anope::string &buf) const
-	{
-		return SSL_write(sslsock, buf.c_str(), buf.length());
-	}
  public:
-	SSLSocket(const Anope::string &nTargetHost, int nPort, const Anope::string &nBindHost = "", bool nIPv6 = false) : ClientSocket(nTargetHost, nPort, nBindHost, nIPv6)
-	{
-		this->SetBlocking();
+ 	MySSLService(Module *o, const Anope::string &n);
 
-		sslsock = SSL_new(ctx);
+	/** Initialize a socket to use SSL
+	 * @param s The socket
+	 */
+	void Init(Socket *s);
+};
 
-		if (!sslsock)
-			throw CoreException("Unable to initialize SSL socket");
+class SSLSocketIO : public SocketIO
+{
+ public:
+	/* The SSL socket for this socket */
+	SSL *sslsock;
 
-		SSL_set_connect_state(sslsock);
-		SSL_set_fd(sslsock, Sock);
-		SSL_connect(sslsock);
+	/** Constructor
+	 */
+	SSLSocketIO();
 
-		UplinkSock = this;
+	/** Really receive something from the buffer
+ 	 * @param s The socket
+	 * @param buf The buf to read to
+	 * @param sz How much to read
+	 * @return Number of bytes received
+	 */
+	int Recv(Socket *s, char *buf, size_t sz) const;
 
-		this->SetNonBlocking();
-	}
+	/** Really write something to the socket
+ 	 * @param s The socket
+	 * @param buf What to write
+	 * @return Number of bytes written
+	 */
+	int Send(Socket *s, const Anope::string &buf) const;
 
-	~SSLSocket()
-	{
-		SSL_shutdown(sslsock);
-		SSL_free(sslsock);
+	/** Accept a connection from a socket
+	 * @param s The socket
+	 */
+	void Accept(ListenSocket *s);
 
-		UplinkSock = NULL;
-	}
+	/** Connect the socket
+	 * @param s THe socket
+	 * @param target IP to connect to
+	 * @param port to connect to
+	 * @param bindip IP to bind to, if any
+	 */
+	void Connect(ConnectionSocket *s, const Anope::string &target, int port, const Anope::string &bindip = "");
 
-	bool Read(const Anope::string &buf)
-	{
-		process(buf);
-		return true;
-	}
+	/** Called when the socket is destructing
+	 */
+	void Destroy();
 };
 
+class SSLModule;
+static SSLModule *me;
 class SSLModule : public Module
 {
+	static int AlwaysAccept(int, X509_STORE_CTX *)
+	{
+		return 1;
+	}
+
  public:
-	SSLModule(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator)
+	MySSLService service;
+
+	SSLModule(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator), service(this, "ssl")
 	{
+		me = this;
+
+		this->SetAuthor("Anope");
+		this->SetType(SUPPORTED);
+		this->SetPermanent(true);
+
+		SSL_library_init();
 		SSL_load_error_strings();
 		SSLeay_add_ssl_algorithms();
 
-		ctx = SSL_CTX_new(SSLv23_client_method());
+		client_ctx = SSL_CTX_new(SSLv23_client_method());
+		server_ctx = SSL_CTX_new(SSLv23_server_method());
 
-		if (!ctx)
+		if (!client_ctx || !server_ctx)
 			throw ModuleException("Error initializing SSL CTX");
 
 		if (IsFile(CERTFILE))
 		{
-			if (!SSL_CTX_use_certificate_file(ctx, CERTFILE, SSL_FILETYPE_PEM))
+			if (!SSL_CTX_use_certificate_file(client_ctx, CERTFILE, SSL_FILETYPE_PEM) || !SSL_CTX_use_certificate_file(server_ctx, CERTFILE, SSL_FILETYPE_PEM))
 			{
-				SSL_CTX_free(ctx);
+				SSL_CTX_free(client_ctx);
+				SSL_CTX_free(server_ctx);
 				throw ModuleException("Error loading certificate");
 			}
 		}
@@ -88,9 +113,10 @@ class SSLModule : public Module
 
 		if (IsFile(KEYFILE))
 		{
-			if (!SSL_CTX_use_PrivateKey_file(ctx, KEYFILE, SSL_FILETYPE_PEM))
+			if (!SSL_CTX_use_PrivateKey_file(client_ctx, KEYFILE, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(server_ctx, KEYFILE, SSL_FILETYPE_PEM))
 			{
-				SSL_CTX_free(ctx);
+				SSL_CTX_free(client_ctx);
+				SSL_CTX_free(server_ctx);
 				throw ModuleException("Error loading private key");
 			}
 		}
@@ -98,26 +124,29 @@ class SSLModule : public Module
 		{
 			if (IsFile(CERTFILE))
 			{
-				SSL_CTX_free(ctx);
+				SSL_CTX_free(client_ctx);
+				SSL_CTX_free(server_ctx);
 				throw ModuleException("Error loading private key - file not found");
 			}
 			else
 				Log() << "m_ssl: No private key found";
 		}
 
-		this->SetAuthor("Anope");
-		this->SetType(SUPPORTED);
-		this->SetPermanent(true);
+		SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+		SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
-		SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-		SSL_CTX_set_options(ctx, SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_ALL);
+		SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, SSLModule::AlwaysAccept);
+		SSL_CTX_set_verify(server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, SSLModule::AlwaysAccept);
+
+		ModuleManager::RegisterService(&this->service);
 
 		ModuleManager::Attach(I_OnPreServerConnect, this);
 	}
 
 	~SSLModule()
 	{
-		SSL_CTX_free(ctx);
+		SSL_CTX_free(client_ctx);
+		SSL_CTX_free(server_ctx);
 	}
 
 	EventReturn OnPreServerConnect(Uplink *u, int Number)
@@ -128,19 +157,126 @@ class SSLModule : public Module
 		{
 			try
 			{
-				new SSLSocket(u->host, u->port, Config->LocalHost, u->ipv6);
-				Log() << "Connected to Server " << Number << " (" << u->host << ":" << u->port << ")";
+				new UplinkSocket(uplink_server->ipv6);
+				this->service.Init(UplinkSock);
+				UplinkSock->Connect(uplink_server->host, uplink_server->port, Config->LocalHost);
+
+				Log() << "Connected to server " << Number << " (" << u->host << ":" << u->port << ") with SSL";
+				return EVENT_ALLOW;
 			}
 			catch (const SocketException &ex)
 			{
-				Log() << "Unable to connect with SSL to server" << Number << " (" << u->host << ":" << u->port << "), " << ex.GetReason();
+				Log() << "Unable to connect with SSL to server " << Number << " (" << u->host << ":" << u->port << "), " << ex.GetReason();
 			}
 
-			return EVENT_ALLOW;
+			return EVENT_STOP;
 		}
 
 		return EVENT_CONTINUE;
 	}
 };
 
+MySSLService::MySSLService(Module *o, const Anope::string &n) : SSLService(o, n)
+{
+}
+
+void MySSLService::Init(Socket *s)
+{
+	if (s->IO != &normalSocketIO)
+		throw CoreException("Socket initializing SSL twice");
+	
+	s->IO = new SSLSocketIO();
+}
+
+SSLSocketIO::SSLSocketIO()
+{
+	this->sslsock = NULL;
+}
+
+int SSLSocketIO::Recv(Socket *s, char *buf, size_t sz) const
+{
+	size_t i = SSL_read(this->sslsock, buf, sz);
+	TotalRead += i;
+	return i;
+}
+
+int SSLSocketIO::Send(Socket *s, const Anope::string &buf) const
+{
+	size_t i = SSL_write(this->sslsock, buf.c_str(), buf.length());
+	TotalWritten += i;
+	return i;
+}
+
+void SSLSocketIO::Accept(ListenSocket *s)
+{
+	sockaddrs conaddr;
+
+	socklen_t size = conaddr.size();
+	int newsock = accept(s->GetFD(), &conaddr.sa, &size);
+
+#ifndef INVALID_SOCKET
+# define INVALID_SOCKET -1
+#endif
+	if (newsock <= 0 || newsock == INVALID_SOCKET)
+		throw SocketException("Unable to accept SSL socket: " + Anope::LastError());
+
+	ClientSocket *newsocket = s->OnAccept(newsock, conaddr);
+	me->service.Init(newsocket);
+	SSLSocketIO *IO = debug_cast<SSLSocketIO *>(newsocket->IO);
+
+	IO->sslsock = SSL_new(server_ctx);
+	if (!IO->sslsock)
+		throw SocketException("Unable to initialize SSL socket");
+
+	SSL_set_accept_state(IO->sslsock);
+
+	if (!SSL_set_fd(IO->sslsock, newsock))
+		throw SocketException("Unable to set SSL fd");
+
+	int ret = SSL_accept(IO->sslsock);
+	if (ret <= 0)
+	{
+		int error = SSL_get_error(IO->sslsock, ret);
+
+		if (ret != -1 || (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_READ))
+			throw SocketException("Unable to accept new SSL connection: " + Anope::string(ERR_error_string(ERR_get_error(), NULL)));
+	}
+}
+
+void SSLSocketIO::Connect(ConnectionSocket *s, const Anope::string &TargetHost, int Port, const Anope::string &BindHost)
+{
+	if (s->IO == &normalSocketIO)
+		throw SocketException("Attempting to connect uninitialized socket with SQL");
+	
+	normalSocketIO.Connect(s, TargetHost, Port, BindHost);
+
+	SSLSocketIO *IO = debug_cast<SSLSocketIO *>(s->IO);
+
+	IO->sslsock = SSL_new(client_ctx);
+	if (!IO->sslsock)
+		throw SocketException("Unable to initialize SSL socket");
+
+	if (!SSL_set_fd(IO->sslsock, s->GetFD()))
+		throw SocketException("Unable to set SSL fd");
+
+	int ret = SSL_connect(IO->sslsock);
+		
+	if (ret <= 0)
+	{
+		int error = SSL_get_error(IO->sslsock, ret);
+
+		if (ret != -1 || (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_READ))
+			throw SocketException("Unable to connect to server: " + Anope::string(ERR_error_string(ERR_get_error(), NULL)));
+	}
+}
+
+void SSLSocketIO::Destroy()
+{
+	if (this->sslsock)
+	{
+		SSL_shutdown(this->sslsock);
+		SSL_free(this->sslsock);
+	}
+}
+
 MODULE_INIT(SSLModule)