1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
/* RequiredLibraries: ssl,crypt */
#include "module.h"
#include "ssl.h"
#define OPENSSL_NO_SHA512
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#define CERTFILE "anope.cert"
#define KEYFILE "anope.key"
static SSL_CTX *server_ctx, *client_ctx;
class MySSLService : public SSLService
{
public:
MySSLService(Module *o, const Anope::string &n);
/** Initialize a socket to use SSL
* @param s The socket
*/
void Init(Socket *s);
};
class SSLSocketIO : public SocketIO
{
public:
/* The SSL socket for this socket */
SSL *sslsock;
/** Constructor
*/
SSLSocketIO();
/** Really receive something from the buffer
* @param s The socket
* @param buf The buf to read to
* @param sz How much to read
* @return Number of bytes received
*/
int Recv(Socket *s, char *buf, size_t sz) const;
/** Really write something to the socket
* @param s The socket
* @param buf What to write
* @return Number of bytes written
*/
int Send(Socket *s, const Anope::string &buf) const;
/** Accept a connection from a socket
* @param s The socket
*/
void Accept(ListenSocket *s);
/** Connect the socket
* @param s THe socket
* @param target IP to connect to
* @param port to connect to
* @param bindip IP to bind to, if any
*/
void Connect(ConnectionSocket *s, const Anope::string &target, int port, const Anope::string &bindip = "");
/** Called when the socket is destructing
*/
void Destroy();
};
class SSLModule;
static SSLModule *me;
class SSLModule : public Module
{
static int AlwaysAccept(int, X509_STORE_CTX *)
{
return 1;
}
public:
MySSLService service;
SSLModule(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator), service(this, "ssl")
{
me = this;
this->SetAuthor("Anope");
this->SetType(SUPPORTED);
this->SetPermanent(true);
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
client_ctx = SSL_CTX_new(SSLv23_client_method());
server_ctx = SSL_CTX_new(SSLv23_server_method());
if (!client_ctx || !server_ctx)
throw ModuleException("Error initializing SSL CTX");
if (IsFile(CERTFILE))
{
if (!SSL_CTX_use_certificate_file(client_ctx, CERTFILE, SSL_FILETYPE_PEM) || !SSL_CTX_use_certificate_file(server_ctx, CERTFILE, SSL_FILETYPE_PEM))
{
SSL_CTX_free(client_ctx);
SSL_CTX_free(server_ctx);
throw ModuleException("Error loading certificate");
}
}
else
Log() << "m_ssl: No certificate file found";
if (IsFile(KEYFILE))
{
if (!SSL_CTX_use_PrivateKey_file(client_ctx, KEYFILE, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(server_ctx, KEYFILE, SSL_FILETYPE_PEM))
{
SSL_CTX_free(client_ctx);
SSL_CTX_free(server_ctx);
throw ModuleException("Error loading private key");
}
}
else
{
if (IsFile(CERTFILE))
{
SSL_CTX_free(client_ctx);
SSL_CTX_free(server_ctx);
throw ModuleException("Error loading private key - file not found");
}
else
Log() << "m_ssl: No private key found";
}
SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, SSLModule::AlwaysAccept);
SSL_CTX_set_verify(server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, SSLModule::AlwaysAccept);
ModuleManager::RegisterService(&this->service);
ModuleManager::Attach(I_OnPreServerConnect, this);
}
~SSLModule()
{
SSL_CTX_free(client_ctx);
SSL_CTX_free(server_ctx);
}
EventReturn OnPreServerConnect(Uplink *u, int Number)
{
ConfigReader config;
if (config.ReadFlag("uplink", "ssl", "no", Number - 1))
{
DNSRecord req = DNSManager::BlockingQuery(uplink_server->host, uplink_server->ipv6 ? DNS_QUERY_AAAA : DNS_QUERY_A);
if (!req)
Log() << "Unable to connect to server " << uplink_server->host << ":" << uplink_server->port << " using SSL: Invalid hostname/IP";
else
{
try
{
new UplinkSocket(uplink_server->ipv6);
this->service.Init(UplinkSock);
UplinkSock->Connect(req.result, uplink_server->port, Config->LocalHost);
Log() << "Connected to server " << Number << " (" << u->host << ":" << u->port << ") with SSL";
return EVENT_ALLOW;
}
catch (const SocketException &ex)
{
Log() << "Unable to connect with SSL to server " << Number << " (" << u->host << ":" << u->port << "), " << ex.GetReason();
}
}
return EVENT_STOP;
}
return EVENT_CONTINUE;
}
};
MySSLService::MySSLService(Module *o, const Anope::string &n) : SSLService(o, n)
{
}
void MySSLService::Init(Socket *s)
{
if (s->IO != &normalSocketIO)
throw CoreException("Socket initializing SSL twice");
s->IO = new SSLSocketIO();
}
SSLSocketIO::SSLSocketIO()
{
this->sslsock = NULL;
}
int SSLSocketIO::Recv(Socket *s, char *buf, size_t sz) const
{
int i = SSL_read(this->sslsock, buf, sz);
TotalRead += i;
return i;
}
int SSLSocketIO::Send(Socket *s, const Anope::string &buf) const
{
int i = SSL_write(this->sslsock, buf.c_str(), buf.length());
TotalWritten += i;
return i;
}
void SSLSocketIO::Accept(ListenSocket *s)
{
sockaddrs conaddr;
socklen_t size = conaddr.size();
int newsock = accept(s->GetFD(), &conaddr.sa, &size);
#ifndef INVALID_SOCKET
# define INVALID_SOCKET -1
#endif
if (newsock <= 0 || newsock == INVALID_SOCKET)
throw SocketException("Unable to accept SSL socket: " + Anope::LastError());
ClientSocket *newsocket = s->OnAccept(newsock, conaddr);
me->service.Init(newsocket);
SSLSocketIO *IO = debug_cast<SSLSocketIO *>(newsocket->IO);
IO->sslsock = SSL_new(server_ctx);
if (!IO->sslsock)
throw SocketException("Unable to initialize SSL socket");
SSL_set_accept_state(IO->sslsock);
if (!SSL_set_fd(IO->sslsock, newsock))
throw SocketException("Unable to set SSL fd");
int ret = SSL_accept(IO->sslsock);
if (ret <= 0)
{
int error = SSL_get_error(IO->sslsock, ret);
if (ret != -1 || (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_READ))
throw SocketException("Unable to accept new SSL connection: " + Anope::string(ERR_error_string(ERR_get_error(), NULL)));
}
}
void SSLSocketIO::Connect(ConnectionSocket *s, const Anope::string &TargetHost, int Port, const Anope::string &BindHost)
{
if (s->IO == &normalSocketIO)
throw SocketException("Attempting to connect uninitialized socket with SQL");
normalSocketIO.Connect(s, TargetHost, Port, BindHost);
SSLSocketIO *IO = debug_cast<SSLSocketIO *>(s->IO);
IO->sslsock = SSL_new(client_ctx);
if (!IO->sslsock)
throw SocketException("Unable to initialize SSL socket");
if (!SSL_set_fd(IO->sslsock, s->GetFD()))
throw SocketException("Unable to set SSL fd");
int ret = SSL_connect(IO->sslsock);
if (ret <= 0)
{
int error = SSL_get_error(IO->sslsock, ret);
if (ret != -1 || (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_READ))
throw SocketException("Unable to connect to server: " + Anope::string(ERR_error_string(ERR_get_error(), NULL)));
}
}
void SSLSocketIO::Destroy()
{
if (this->sslsock)
{
SSL_shutdown(this->sslsock);
SSL_free(this->sslsock);
}
}
MODULE_INIT(SSLModule)
|
