
SSL support for UnrealIRCD!

stskeeps
2000-10-07 06:33:42 +00:00
parent 5b3b13772b
commit e94bf80328
22 changed files with 345 additions and 66 deletions
+2 -3
@@ -15,9 +15,8 @@ Unreal3.1-Silverheart Release Notes
Where 20 is the numeric. Numerics are 1-255, 0 means no numeric (bad),
and no server must have same numeric
* We have introduced encrypted irc connections, and we will soon have a
client out for it (this is not SSL). Stay tuned in #UnrealIRCd for more
information
* We have introduced encrypted irc connections, using SSL
* NOTE, in #UnrealIRCD we don't help with Services etc.
+29 -30
@@ -504,8 +504,8 @@ else
echo 'not found (good!)'
fi
echo $n "...Looking for /usr/include/openssl/blowfish.h...$c"
if [ -r /usr/include/openssl/blowfish.h ] ; then
echo $n "...Looking for /usr/include/openssl/ssl.h...$c"
if [ -r /usr/include/openssl/ssl.h ] ; then
OPENSSL=define
echo 'found!'
else
@@ -793,28 +793,6 @@ else
fi
fi
$RM -f $EXEC $TMP
echo $n "Do we have an broken /usr/include/string.h ... $c"
cat > $TMP <<__EOF__
#include <string.h>
main()
{
char *s = "moocows";
char *p = "moocows";
if (strcasecmp(s, p))
exit(0);
exit(0);
}
__EOF__
$COMP >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo " no$c"
STRCASECMP=undef
else
echo "yes"
STRCASECMP=define
fi
#
# what do we need that isn't here already ?
#
@@ -1015,8 +993,25 @@ if [ $? -ne 0 ] ; then
echo $n " inet_netof$c"
NINETNETOF=define
fi
$RM -f $EXEC $TMP
echo " "
$RM -f $EXEC $TMP
cat > $TMP << __EOF__
#include <string.h>
main()
{
strcasecmp("moo", "moo");
}
__EOF__
$COMP
# >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo $n " strcasecmp $c "
STRCASECMP=undef
else
STRCASECMP=define
fi
$RM -f $EXEC $TMP
#
#
#
@@ -1096,7 +1091,7 @@ cat > $SETUP <<__EOF__
#$NINETNETOF NEED_INET_NETOF
#$GETTIMEOFDAY GETTIMEOFDAY
#$LRAND48 LRAND48
#$STRCASECMP GOT_STRCASECMP
#$STRCASECMP GOT_STRCASECMP
__EOF__
if [ "$MALLOCH" = "undef" ] ; then
echo "#undef MALLOCH" >> $SETUP
@@ -1304,7 +1299,7 @@ while [ -z "$FOO" ] ; do
FOO="No"
fi
echo ""
echo "Do you want to support encrypted connections"
echo "Do you want to support SSL (Secure Sockets Layer) connections"
echo $n "[$FOO] -> $c"
if [ -z "$AUTO_CONFIG" -o -n "$runonce" ] ; then
read cc
@@ -1318,7 +1313,7 @@ while [ -z "$FOO" ] ; do
case "$cc" in
[Yy]*)
CRYPTOIRCD="1"
CRYPTOLIB="-lcrypto"
CRYPTOLIB="-lssl -lcrypto"
;;
[Nn]*)
CRYPTOIRCD=""
@@ -1779,9 +1774,9 @@ else
echo "#undef CRYPT_OPER_PASSWORD" >> $OPTIONS_H
fi
if [ -n "$CRYPTOIRCD" ] ; then
echo "#define CRYPTOIRCD 1" >> $OPTIONS_H
echo "#define USE_SSL 1" >> $OPTIONS_H
else
echo "#undef CRYPTOIRCD" >> $OPTIONS_H
echo "#undef USE_SSL" >> $OPTIONS_H
fi
if [ -n "$CRYPT_LINK_PASSWORD" ] ; then
echo "#define CRYPT_LINK_PASSWORD 1" >> $OPTIONS_H
@@ -1857,6 +1852,10 @@ if [ "$OSNAME" = "Linux (with GLIBC 2.x or greater)" ]; then
echo ""
fi
if [ -n "$CRYPTOIRCD" ] ; then
make pem
fi
cat << __EOF__
_____________________________________________________________________
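Review bot: The strcasecmp probe re-added at `@@ -1015` runs `$COMP` with its output redirection commented out (`# >/dev/null 2>&1`), so every Configure run prints the compiler's diagnostics for the throwaway test program, and the `echo $n " strcasecmp $c "` now sits only in the failure branch, unlike the probe it replaces at `@@ -793` which reported a result on both sides. Restore `$COMP >/dev/null 2>&1` and echo a result on both sides of the `if`. The `@@ -1857` hunk also runs `make pem` for every CRYPTOIRCD build, and that target (in the Makefile section of this commit) hard-codes `/usr/local/ssl/bin/openssl`, while the probe at `@@ -504` only checks `/usr/include/openssl/ssl.h`; a missing binary leaves no server.pem and the failure only surfaces when init_ssl() exits at startup, so probe for the openssl binary here and stop Configure with a clear message when it is absent.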
+5
@@ -210,3 +210,8 @@ depend:
install: all
@echo "Now install by hand; make install is broken."
pem: src/ssl.cnf
/usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \
-config src/ssl.cnf -out server.pem -keyout server.pem
/usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout \
-in server.pem
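Review bot: The `pem` target writes the unencrypted private key (`-nodes`) and the certificate into the same `server.pem` with whatever the default umask allows, so a world-readable key file is the likely outcome. Add `chmod 600 server.pem` as the last step of the target, or pass separate `-out`/`-keyout` files so the certificate can stay readable while the key is protected. The `/usr/local/ssl/bin/openssl` path is hard-coded; a Makefile variable such as `OPENSSL` that Configure can set would let the target work on systems where the binary lives elsewhere.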
+4
@@ -52,3 +52,7 @@ Assigned to DrBin:
* Make a is_chan_op, is_chanprot, is_chanowner all-in-one function
* Split up Link (SLink)
* Add Dlink (DSLink)
-----------------------------------------------------
+1 -1
@@ -422,7 +422,7 @@
* Would you like all clients to see the progress of their connections?
*/
#define SHOWCONNECTINFO
#undef SHOWCONNECTINFO
/*
* SOCKS proxy checker
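Review bot: Flipping `SHOWCONNECTINFO` from `#define` to `#undef` changes a user-visible default that has nothing to do with SSL, and the release-notes hunk in this commit does not mention it. Either split it into its own commit or add a line to the release notes so operators know why connection progress messages disappeared.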
+10
@@ -0,0 +1,10 @@
/* Make these what you want for cert & key files */
#define CERTF "server.pem"
#define KEYF "server.pem"
extern SSL_CTX * ctx;
extern SSL_METHOD *meth;
extern void init_ssl();
extern int ssl_handshake(aClient *); /* Handshake the accpeted con.*/
extern int ssl_client_handshake(aClient *); /* and the initiated con.*/
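Review bot: `extern void init_ssl();` is an old-style declaration with an unchecked parameter list; `extern void init_ssl(void);` matches the definition and lets the compiler check calls. The header uses `SSL_CTX`, `SSL_METHOD` and `aClient` without including or declaring them, so it only compiles when pulled in at the end of struct.h as this commit does; a comment such as `/* Included from struct.h under USE_SSL; needs <openssl/ssl.h> and aClient already visible. */` would make that dependency explicit. `CERTF` and `KEYF` both default to `server.pem`, so the file that holds the private key is the one the rest of the code treats as the public certificate; distinct defaults would let the two get different permissions. Typo in the comment: `accpeted`.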
+29 -5
@@ -49,7 +49,14 @@
#ifdef CRYPTOIRCD
#include <openssl/blowfish.h>
#endif
#ifdef USE_SSL
#include <openssl/rsa.h> /* SSL stuff */
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#endif
typedef struct t_fline aFline;
typedef struct t_crline aCRline;
typedef struct t_vhline aVHline;
@@ -217,9 +224,12 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */
#ifdef CRYPTOIRCD
#define FLAGS_SECURE 0x8000000
#endif
#ifdef USE_SSL
#define FLAGS_SSL 0x10000000
#define FLAGS_SSL_HSHAKE 0x20000000
#endif
#define FLAGS_MAP 0x80000000 /* Show this entry in /map */
/* Dec 26th, 1997 - added flags2 when I ran out of room in flags -DuffJ */
/* Dec 26th, 1997 - having a go at
@@ -250,7 +260,7 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */
#define UMODE_WHOIS 0x100000 /* gets notice on /whois */
#define UMODE_KIX 0x200000 /* usermode +q */
#define UMODE_BOT 0x400000 /* User is a bot */
#define UMODE_CODER 0x800000 /* User is a network coder */
#define UMODE_SECURE 0x800000 /* User is a secure connect */
#define UMODE_FCLIENT 0x1000000 /* recieve client on far connects.. */
#define UMODE_HIDING 0x2000000 /* Totally invisible .. */
#define UMODE_VICTIM 0x8000000 /* Intentional Victim */
@@ -259,7 +269,7 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */
#define UMODE_SETHOST 0x40000000 /* used sethost */
#define UMODE_STRIPBADWORDS 0x80000000 /* */
#define SEND_UMODES (UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_CODER|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS)
#define SEND_UMODES (UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_SECURE|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS)
#define ALL_UMODES (SEND_UMODES|UMODE_SERVNOTICE|UMODE_LOCOP|UMODE_KILLS|UMODE_CLIENT|UMODE_FLOOD|UMODE_CHATOP|UMODE_SERVICES|UMODE_EYES)
#define FLAGS_ID (FLAGS_DOID|FLAGS_GOTID)
@@ -329,8 +339,13 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */
#define IsSecure(x) ((x)->flags & FLAGS_SECURE)
#define SetSecure(x) ((x)->flags |= FLAGS_SECURE)
#define ClearSecure(x) ((x)->flags &= ~FLAGS_SECURE)
#else
#ifdef USE_SSL
#define IsSecure(x) ((x)->flags & FLAGS_SSL)
#else
#define IsSecure(x) (0)
#endif
#endif
#define IsHybNotice(x) ((x)->flags & FLAGS_HYBNOTICE)
#define SetHybNotice(x) ((x)->flags |= FLAGS_HYBNOTICE)
@@ -792,6 +807,7 @@ struct t_vhline {
#define LISTENER_REMOTEADMIN 0x000008
#define LISTENER_JAVACLIENT 0x000010
#define LISTENER_MASK 0x000020
#define LISTENER_SSL 0x000040
struct Client {
struct Client *next, *prev, *hnext;
@@ -842,6 +858,10 @@ struct Client {
#ifdef CRYPTOIRCD
aCryptInfo *cryptinfo; /* crypt */
#endif
#ifdef USE_SSL
struct SSL *ssl;
struct X509 *client_cert;
#endif
#ifndef NO_FDLIST
long lastrecvM; /* to check for activity --Mika */
int priority;
@@ -1073,6 +1093,7 @@ struct Channel {
#endif
#define MODE_NOCTCP 0x10000000
#define MODE_AUDITORIUM 0x20000000
#define MODE_ONLYSECURE 0x40000000
#define is_halfop is_half_op
/*
@@ -1164,5 +1185,8 @@ extern char *gnulicense[];
#define FLUSH_BUFFER -2
#define COMMA ","
#ifdef USE_SSL
#include "ssl.h"
#endif
#endif /* __struct_include__ */
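Review bot: The new `struct SSL *ssl;` and `struct X509 *client_cert;` members of struct Client declare tags unrelated to OpenSSL's `SSL` and `X509` typedefs (which name `struct ssl_st` and `struct x509_st`), which is why every use in this commit needs a `(SSL *)`/`(X509 *)` cast. `<openssl/ssl.h>` is included under the same `USE_SSL` guard earlier in this file, so `SSL *ssl;` and `X509 *client_cert;` are available and remove the casts. With both CRYPTOIRCD and USE_SSL defined, `IsSecure(x)` still tests only FLAGS_SECURE because the `#ifdef USE_SSL` branch sits in the `#else`, so SSL clients would not be marked secure in that configuration; `#define IsSecure(x) ((x)->flags & (FLAGS_SECURE|FLAGS_SSL))` under a combined guard would cover both. `FLAGS_SSL_HSHAKE` is defined but nothing in the hunks shown appears to set or test it.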
+3 -1
@@ -53,7 +53,9 @@
# include <string.h>
# endif
#endif
#ifdef SSL
#include <openssl/ssl.h>
#endif
#ifndef GOT_STRCASECMP
#define strcasecmp mycmp
#define strncasecmp myncmp
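Review bot: The guard `#ifdef SSL` around the new `<openssl/ssl.h>` include does not match the macro Configure writes into options.h, which is `USE_SSL`, so this include is never active. Use `#ifdef USE_SSL`, or drop the block since struct.h already includes the OpenSSL headers under that guard.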
+1 -1
@@ -8,7 +8,7 @@ Exp $
#
# change the filename to what network header file you use
# relative to DPATH
Include .................: networks/unreal-test.network
Include .................: networks/roxnet.network
#
# What K:Line address can K:lined users mail at?
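Review bot: The `Include` line of the example configuration is switched from `networks/unreal-test.network` to `networks/roxnet.network`, which looks like a developer-local setting rather than part of SSL support. Revert it or move it to a separate commit so shipped examples keep pointing at the test network file.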
+6 -2
@@ -27,7 +27,7 @@ OBJS=agent.o aln.o badwords.o bsd.o channel.o class.o cloak.o crule.o dbuf.o dyn
fdlist.o hash.o help.o ircd.o ircsprintf.o list.o lusers.o \
match.o packet.o parse.o $(REGEX) res.o $(RES) s_auth.o \
s_bsd.o s_conf.o s_debug.o s_err.o s_extra.o s_kline.o \
s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) s_unreal.o \
s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) ssl.o s_unreal.o \
s_user.o scache.o send.o support.o userload.o version.o webtv.o \
whowas.o zip.o
@@ -59,7 +59,8 @@ version.o: version.c ../include/version.h
$(CC) $(CFLAGS) -c version.c
ircd: $(OBJS)
$(CC) $(CFLAGS) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB)
# $(CC) $(CFLAGS) $(CRYPTOLIB) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) -lssl
$(CC) $(CFLAGS) -o ircd $(CRYPTOLIB) $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB)
chmod $(IRCDMODE) ircd
chkconf: ../include/struct.h ../include/config.h ../include/settings.h ../include/sys.h \
@@ -102,6 +103,9 @@ send.o: send.c $(INCLUDES)
webtv.o: webtv.c $(INCLUDES)
$(CC) $(CFLAGS) -c webtv.c
ssl.o: ssl.c $(INCLUDES)
$(CC) $(CFLAGS) -c ssl.c
match.o: match.c $(INCLUDES)
$(CC) $(CFLAGS) -c match.c
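Review bot: The rewritten `ircd:` link line passes `$(CRYPTOLIB)` twice, once before `$(OBJS)` and once after `$(IRCDLIBS)`; with static archives only the trailing occurrence resolves references from the object files, so the leading one is dead, and the commented-out variant kept above it should be deleted rather than left as a third option. `ssl.o` is also added to OBJS unconditionally while all of ssl.c is wrapped in `#ifdef USE_SSL`, which yields an empty translation unit on non-SSL builds (a constraint violation some compilers reject in strict mode); make the object conditional through a Configure-set variable like the existing `$(REGEX)`/`$(STRTOUL)` entries, or keep one declaration outside the guard.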
+8
@@ -118,10 +118,18 @@ int deliver_it(cptr, str, len)
cptr->name, cptr->status, IsDead(cptr) ? "DEAD" : "", str);
return -1;
}
#ifdef USE_SSL
if (cptr->flags & FLAGS_SSL)
retval = SSL_write((SSL *)cptr->ssl, str, len);
else
retval = send(cptr->fd, str, len, 0);
#else
#ifndef INET6
retval = send(cptr->fd, str, len, 0);
#else
retval = sendto(cptr->fd, str, len, 0, 0, 0);
#endif
#endif
/*
** Convert WOULDBLOCK to a return of "0 bytes moved". This
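Review bot: In deliver_it the SSL branch hands the `SSL_write` return to the errno-based WOULDBLOCK conversion that follows, but OpenSSL reports a non-blocking stall as a return `<= 0` whose reason is only available through `SSL_get_error()`, so a WANT_READ/WANT_WRITE condition on this non-blocking socket would be treated as a dead link. The branch also drops the INET6 `sendto(..., 0, 0, 0)` variant: under USE_SSL the non-SSL fallback is always `send()`. The rewrite below maps the retryable cases onto the existing WOULDBLOCK path by setting errno and restores the INET6 call; note that OpenSSL requires a retried `SSL_write` to present the same buffer unless `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` is set on the context, and whether the sendq retry guarantees that is not visible here. deliver_it continues outside the hunk.
```c
#ifdef USE_SSL
	if (cptr->flags & FLAGS_SSL)
	{
		retval = SSL_write((SSL *)cptr->ssl, str, len);
		if (retval <= 0)
		{
			int sslerr = SSL_get_error((SSL *)cptr->ssl, retval);

			/* A stalled non-blocking write is not an error: let the
			 * WOULDBLOCK conversion below report "0 bytes moved". */
			if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE)
			{
				errno = EWOULDBLOCK;
				retval = -1;
			}
		}
	}
	else
#endif
#ifndef INET6
	retval = send(cptr->fd, str, len, 0);
#else
	retval = sendto(cptr->fd, str, len, 0, 0, 0);
#endif
	/* … unchanged: WOULDBLOCK conversion … */
```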
+8 -1
@@ -148,6 +148,7 @@ aCtab cFlagTab[] = {
#endif
{MODE_NOCTCP, 'C', 0, 0}, /* no CTCPs */
{MODE_AUDITORIUM, 'u', 0, 0},
{MODE_ONLYSECURE, 'z', 0, 0},
{0x0, 0x0, 0x0}
};
#endif
@@ -1583,6 +1584,7 @@ int do_mode_char(chptr, modetype, modechar, param, what, cptr, pcount, pvar,
case MODE_STRIPBADWORDS:
#endif
case MODE_NOCTCP:
case MODE_ONLYSECURE:
case MODE_NOINVITE:
setthephuckingmode:
/* +sp bugfix.. */
@@ -2246,6 +2248,11 @@ static int can_join(cptr, sptr, chptr, key, link, parv)
/* if ((chptr->mode.mode & MODE_OPERONLY) && IsOper(sptr)) {
goto admok;
} */
if ((chptr->mode.mode & MODE_ONLYSECURE) &&
!(sptr->umodes & UMODE_SECURE))
{
return (ERR_BANNEDFROMCHAN);
}
if ((chptr->mode.mode & MODE_OPERONLY) && !IsOper(sptr))
{
return (ERR_OPERONLY);
@@ -2259,7 +2266,7 @@ static int can_join(cptr, sptr, chptr, key, link, parv)
if ((chptr->mode.mode & MODE_NOHIDING) && IsHiding(sptr))
return (ERR_NOHIDING);
if ((IsOper(sptr) && !(chptr->mode.mode & MODE_ADMONLY)))
if ((IsOper(sptr) && !((chptr->mode.mode & MODE_ADMONLY))))
{
return 0; /* may override */
}
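Review bot: `can_join` answers a +z rejection with `ERR_BANNEDFROMCHAN`, which tells the user they are banned rather than that the channel requires a secure connection; no dedicated numeric is added by this commit, but the `ERR_OPERONLY` return just below shows the pattern to follow. The new check also sits ahead of the oper override `if ((IsOper(sptr) && !(chptr->mode.mode & MODE_ADMONLY))) return 0;`, so an oper on a plain connection is refused as well; if that is intended, a comment saying so would stop it being "fixed" later. The edit to that override line only adds a redundant pair of parentheses and could be dropped from the commit.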
+3 -1
@@ -1125,7 +1125,9 @@ int InitwIRCD(argc, argv)
#endif
check_class();
write_pidfile();
#ifdef USE_SSL
init_ssl();
#endif
Debug((DEBUG_NOTICE, "Server ready..."));
#ifdef USE_SYSLOG
syslog(LOG_NOTICE, "Server Ready");
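Review bot: `init_ssl()` is called after `write_pidfile()`, and every failure path inside it (no context, missing certificate or key, key mismatch) calls `exit()`, so a bad server.pem leaves a pid file pointing at a process that has already gone. Move the `#ifdef USE_SSL` / `init_ssl();` / `#endif` block above `write_pidfile();` so a configuration error aborts before any on-disk state is written. The surrounding InitwIRCD body is outside the hunk.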
+30 -2
@@ -390,6 +390,9 @@ int add_listener(aconf)
case 'S':
cptr->umodes |= LISTENER_SERVERSONLY;
break;
case 's':
cptr->umodes |= LISTENER_SSL;
break;
case 'R':
cptr->umodes |= LISTENER_REMOTEADMIN;
break;
@@ -1068,7 +1071,10 @@ void close_connection(cptr)
#else
(void)closesocket(cptr->authfd);
#endif
#ifdef USE_SSL
if (cptr->flags & FLAGS_SSL)
SSL_shutdown((SSL *)cptr->ssl);
#endif
#ifdef SOCKSPORT
if (cptr->socksfd >= 0)
#ifndef _WIN32
@@ -1448,6 +1454,13 @@ aClient *add_connection(cptr, fd)
highest_fd = fd;
local[fd] = acptr;
acptr->acpt = cptr;
#ifdef USE_SSL
if (cptr->umodes & LISTENER_SSL)
{
ssl_handshake(acptr);
acptr->flags |= FLAGS_SSL;
}
#endif
add_client_to_list(acptr);
set_non_blocking(acptr->fd, acptr);
set_sock_opts(acptr->fd, acptr);
@@ -1488,7 +1501,15 @@ static int read_packet(cptr, rfd)
#ifdef INET6
length = recvfrom(cptr->fd, readbuf, sizeof(readbuf), 0, 0, 0);
#else
#ifndef USE_SSL
length = recv(cptr->fd, readbuf, sizeof(readbuf), 0);
#else
if (cptr->flags & FLAGS_SSL)
length = SSL_read((SSL *)cptr->ssl, readbuf, sizeof(readbuf));
else
length = recv(cptr->fd, readbuf, sizeof(readbuf), 0);
#endif
#endif
cptr->lasttime = now;
@@ -1665,8 +1686,15 @@ static int read_packet(aClient *cptr)
{
errno = 0;
#ifndef USE_SSL
length = recv(cptr->fd, readbuf, sizeof(readbuf), 0);
#else
if (cptr->flags & FLAGS_SSL)
length = SSL_read((SSL *)cptr->ssl, readbuf, sizeof(readbuf));
else
length = recv(cptr->fd, readbuf, sizeof(readbuf), 0);
#endif
cptr->lasttime = now;
if (cptr->lasttime > cptr->since)
cptr->since = cptr->lasttime;
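Review bot: In `add_connection` the new `ssl_handshake(acptr)` runs before `set_non_blocking(acptr->fd, acptr)`, so `SSL_accept` blocks the whole single-threaded server until that one client finishes (or never finishes) its handshake, and its return value is ignored: `FLAGS_SSL` is set even when the handshake failed, after which `SSL_read`/`SSL_write` operate on a half-initialised session. `FLAGS_SSL_HSHAKE` from struct.h looks intended for driving the handshake incrementally from read_packet once the socket is non-blocking; until that exists, at least make ssl_handshake report failure and test it, `if (!ssl_handshake(acptr)) { /* drop the connection */ }`. `close_connection` calls `SSL_shutdown` but never `SSL_free((SSL *)cptr->ssl); cptr->ssl = NULL;`, so one SSL object leaks per SSL client. Both read_packet variants keep the `SSL_read` return for a check written for recv(): a return `<= 0` needs `SSL_get_error()` to tell a WANT_READ stall from a closed connection.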
+1 -1
@@ -873,7 +873,7 @@ int m_svsnoop(cptr, sptr, parc, parv)
~(UMODE_NETADMIN | UMODE_TECHADMIN | UMODE_CLIENT |
UMODE_FLOOD | UMODE_EYES | UMODE_CHATOP | UMODE_WHOIS);
acptr->umodes &=
~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_CODER |
~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING |
UMODE_DEAF | UMODE_HIDEOPER);
acptr->oflag = 0;
+3 -2
@@ -1107,9 +1107,10 @@ int m_sendumode(cptr, sptr, parc, parv)
case 'A':
sendto_umode(UMODE_ADMIN, "%s", parv[2]);
break;
case '1':
/* case '1':
sendto_umode(UMODE_CODER, "%s", parv[2]);
break;
*/
case 'I':
sendto_umode(UMODE_HIDING, "%s", parv[2]);
break;
@@ -1296,7 +1297,7 @@ int m_svso(cptr, sptr, parc, parv)
~(UMODE_NETADMIN | UMODE_TECHADMIN | UMODE_CLIENT |
UMODE_FLOOD | UMODE_EYES | UMODE_CHATOP | UMODE_WHOIS);
acptr->umodes &=
~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_CODER |
~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING |
UMODE_DEAF | UMODE_HIDEOPER);
acptr->oflag = 0;
send_umode_out(acptr, acptr, fLag);
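Review bot: The `case '1':` branch in m_sendumode is commented out rather than removed, leaving dead code that still names the deleted `UMODE_CODER`; delete the three lines instead. The m_svso hunk below correctly drops `UMODE_CODER` from the mask and needs no change.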
+13 -12
@@ -91,8 +91,7 @@ static int user_modes[] = { UMODE_OPER, 'o',
UMODE_BOT, 'B',
UMODE_FCLIENT, 'F',
UMODE_HIDING, 'I',
/* UMODE_AGENT, 'Z', */
UMODE_CODER, '1',
UMODE_SECURE, 'z',
UMODE_DEAF, 'd',
UMODE_VICTIM, 'v',
UMODE_SETHOST, 't',
@@ -887,6 +886,8 @@ static int register_user(cptr, sptr, nick, username, umode, virthost)
#endif
nextping = TStime();
sendto_connectnotice(nick, user, sptr);
if (IsSecure(sptr))
sptr->umodes |= UMODE_SECURE;
}
else if (IsServer(cptr))
{
@@ -2786,11 +2787,11 @@ int m_whois(cptr, sptr, parc, parv)
sendto_one(sptr, rpl_str(RPL_WHOISBOT),
me.name, parv[0], name, ircnetwork);
}
if (acptr->umodes & UMODE_CODER && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr)))
if (acptr->umodes & UMODE_SECURE)
{
sendto_one(sptr, rpl_str(RPL_WHOISOPERATOR),
me.name, parv[0], name, "a Coder",
ircnetwork);
sendto_one(sptr, ":%s %d %s %s :%s %s",me.name,
RPL_WHOISSPECIAL,
parv[0], name, "is a \2Secure Connection\2");
}
if (acptr->user->swhois)
{
@@ -4331,9 +4332,9 @@ int m_umode(cptr, sptr, parc, parv)
if ((sptr->umodes & UMODE_HIDING)
&& !(sptr->oflag & OFLAG_INVISIBLE))
sptr->umodes &= ~UMODE_HIDING;
if (MyClient(sptr) && (sptr->umodes & UMODE_CODER)
&& !IsAnOper(sptr))
sptr->umodes &= ~UMODE_CODER;
if (MyClient(sptr) && (sptr->umodes & UMODE_SECURE)
&& !IsSecure(sptr))
sptr->umodes &= ~UMODE_SECURE;
}
@@ -4381,9 +4382,9 @@ int m_umode(cptr, sptr, parc, parv)
if ((sptr->umodes & UMODE_HIDING)
&& !(sptr->oflag & OFLAG_INVISIBLE))
sptr->umodes &= ~UMODE_HIDING;
if (MyClient(sptr) && (sptr->umodes & UMODE_CODER)
&& !IsAnOper(sptr))
sptr->umodes &= ~UMODE_CODER;
if (MyClient(sptr) && (sptr->umodes & UMODE_SECURE)
&& !IsSecure(sptr))
sptr->umodes &= ~UMODE_SECURE;
if ((sptr->umodes & (UMODE_HIDING))
&& !(setflags & UMODE_HIDING))
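Review bot: The new whois line in m_whois passes five arguments for six conversions: the format `":%s %d %s %s :%s %s"` has a trailing `%s` with no matching argument (the call it replaces supplied `ircnetwork` there), which is undefined behaviour and will print whatever happens to be on the stack. Either drop the trailing ` %s` from the format or pass `ircnetwork` as the last argument, as the RPL_WHOISBOT call above does. In register_user, `UMODE_SECURE` is set only after `sendto_connectnotice`; if the client has already been introduced to other servers with its mode string at that point (not visible in the hunk), remote servers will not see +z for it and a +z channel on another server will refuse the join, so the assignment should move ahead of the introduction.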
+1 -1
@@ -1636,7 +1636,7 @@ void sendto_connectnotice(nick, user, sptr)
ircsprintf(connectd,
"*** Notice -- Client connecting on port %d: %s (%s@%s) %s",
sptr->acpt->port, nick, user->username, user->realhost,
#ifdef CRYPTOIRCD
#if defined(CRYPTOIRCD) || defined(USE_SSL)
IsSecure(sptr) ? "[secure]" : "");
#else
"");
+150
@@ -0,0 +1,150 @@
/*
This was originally done by the hq.alert.sk implementation
Modified by Stskeeps
*/
#include "config.h"
#ifdef USE_SSL
#include "struct.h"
/* The SSL structures */
SSL_CTX* ctx;
SSL_METHOD* meth;
void init_ssl() {
/* SSL preliminaries. We keep the certificate and key with the context. */
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
if (!ctx)
{
ircd_log("Failed to do SSL CTX new");
exit (2);
}
if (SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
{
ircd_log("Failed to load SSL certificate %s", CERTF);
exit (3);
}
if (SSL_CTX_use_PrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
{
ircd_log("Failed to load SSL private key %s", KEYF);
exit (4);
}
if (!SSL_CTX_check_private_key (ctx))
{
ircd_log("Failed to check SSL private key");
exit (5);
}
}
#define CHK_NULL(x) if ((x)==NULL) {\
ircd_log("Lost connection to %s:Error in SSL", \
get_client_name(cptr, TRUE)); \
return 0;\
}
int ssl_handshake(aClient *cptr)
{
char *str;
int err;
cptr->ssl = (struct SSL*) SSL_new (ctx);
CHK_NULL (cptr->ssl);
SSL_set_fd ((SSL *)cptr->ssl, cptr->fd);
err = SSL_accept ((SSL *)cptr->ssl);
if ((err)==-1) {
ircd_log("Lost connection to %s:Error in SSL_accept()",
get_client_name(cptr, TRUE));
return 0;
}
/* Get the cipher - opt */
ircd_log("SSL connection using %s\n", SSL_get_cipher ((SSL *)cptr->ssl));
/* Get client's certificate (note: beware of dynamic
* allocation) - opt */
cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
if (cptr->client_cert != NULL)
{
// log (L_DEBUG,"Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert), 0, 0);
CHK_NULL (str);
// log (L_DEBUG, "\t subject: %s\n", str);
Free (str);
str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert), 0, 0);
CHK_NULL (str);
// log (L_DEBUG, "\t issuer: %s\n", str);
Free (str);
/* We could do all sorts of certificate
* verification stuff here before
* deallocating the certificate. */
X509_free ((X509*)cptr->client_cert);
}
else
{
// log (L_DEBUG, "Client does not have certificate.\n");
}
return 0;
}
int ssl_client_handshake(struct Client *cptr) {
char *str;
int err;
cptr->ssl = (struct SSL*)SSL_new (ctx); CHK_NULL(cptr->ssl);
SSL_set_fd ((SSL*)cptr->ssl, cptr->fd);
// set_blocking(cptr->fd);
err = SSL_connect ((SSL*)cptr->ssl);
set_non_blocking(cptr->fd);
if ((err)==-1) {
ircd_log("Could connect to %s:Error in SSL_connect()",
get_client_name(cptr, TRUE));
return 0;
}
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
// set_blocking(cptr->fd);
ircd_log("SSL connection using %s\n", SSL_get_cipher ((SSL*)cptr->ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
set_non_blocking(cptr->fd);
CHK_NULL(cptr->client_cert);
// log (L_NOTICE,"Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
// log (L_NOTICE, "\t subject: %s\n", str);
Free (str);
str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
// log (L_NOTICE, "\t issuer: %s\n", str);
Free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free ((X509*)cptr->client_cert);
return 1;
}
#endif
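Review bot: Both handshake functions call `X509_free` on `cptr->client_cert` but leave the freed pointer stored in the client, so any later reader of that struct Client member hits a use-after-free; add `cptr->client_cert = NULL;` after each `X509_free`. `ssl_client_handshake` calls `set_non_blocking(cptr->fd)` with one argument while s_bsd.c calls `set_non_blocking(acptr->fd, acptr)` with two, which presumably only compiles because of K&R-style declarations; pass `cptr` as the second argument. `ssl_handshake` returns 0 on success and on every failure (including via `CHK_NULL`), whereas `ssl_client_handshake` returns 1 on success, so callers cannot tell the outcomes apart; return 1 at the end of ssl_handshake, `SSL_free` the session on the failure paths, and state the contract in ssl.h. `SSLv23_server_method()` with no `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` leaves SSLv2 negotiable, and `CHK_NULL` silently depends on a variable named `cptr` being in scope, which deserves a comment above the macro. The message `"Could connect to %s:Error in SSL_connect()"` reads as the opposite of what happened; `"Could not connect to %s: error in SSL_connect()"` is what was meant.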
+35
@@ -0,0 +1,35 @@
# create RSA certs - Server
RANDFILE = src/ssl.rnd
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = City
stateOrProvinceName_default = City
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Organization Name (eg. company)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
0.commonName = Common Name (FQDN of your server)
1.commonName = Common Name (default)
1.commonName_value = localhost
[ cert_type ]
nsCertType = server
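Review bot: `encrypt_key = yes` in the `[ req ]` section is overridden by `-nodes` on the Makefile's openssl command line, so the generated key is written unencrypted despite what this file states; align the two by dropping the line (or by dropping `-nodes` and accepting a passphrase prompt at `make pem`). The `1.commonName_value = localhost` default means an operator who accepts the prompts gets a certificate whose name will not match the server's hostname; a comment next to `0.commonName` saying that it must be filled with the server's FQDN would help.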
+3 -3
@@ -351,10 +351,10 @@ int w_whois(aClient *cptr, aClient *sptr, int parc, char *parv[])
sendto_one(sptr, ":IRC PRIVMSG %s :%s is an Bot on %s",
sptr->name, name, ircnetwork);
}
if (acptr->umodes & UMODE_CODER && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr)))
if (acptr->umodes & UMODE_SECURE)
{
sendto_one(sptr, ":IRC PRIVMSG %s :%s is a Coder on %s",
sptr->name, acptr->name, ircnetwork);
sendto_one(sptr, ":IRC PRIVMSG %s :%s is a Secure Connection",
sptr->name, acptr->name);
}
if (acptr->user->swhois)
{