diff --git a/.RELEASE.NOTES b/.RELEASE.NOTES index 5f4669796..5777bfe4a 100644 --- a/.RELEASE.NOTES +++ b/.RELEASE.NOTES @@ -15,9 +15,8 @@ Unreal3.1-Silverheart Release Notes Where 20 is the numeric. Numerics are 1-255, 0 means no numeric (bad), and no server must have same numeric -* We have introduced encrypted irc connections, and we will soon have a - client out for it (this is not SSL). Stay tuned in #UnrealIRCd for more - information +* We have introduced encrypted irc connections, using SSL + * NOTE, in #UnrealIRCD we don't help with Services etc. diff --git a/Config b/Config index 30f39e300..7a89f172f 100755 --- a/Config +++ b/Config @@ -504,8 +504,8 @@ else echo 'not found (good!)' fi -echo $n "...Looking for /usr/include/openssl/blowfish.h...$c" -if [ -r /usr/include/openssl/blowfish.h ] ; then +echo $n "...Looking for /usr/include/openssl/ssl.h...$c" +if [ -r /usr/include/openssl/ssl.h ] ; then OPENSSL=define echo 'found!' else @@ -793,28 +793,6 @@ else fi fi $RM -f $EXEC $TMP - -echo $n "Do we have an broken /usr/include/string.h ... $c" -cat > $TMP <<__EOF__ -#include -main() -{ - char *s = "moocows"; - char *p = "moocows"; - - if (strcasecmp(s, p)) - exit(0); - exit(0); -} -__EOF__ -$COMP >/dev/null 2>&1 -if [ $? -ne 0 ] ; then - echo " no$c" - STRCASECMP=undef -else - echo "yes" - STRCASECMP=define -fi # # what do we need that isn't here already ? # @@ -1015,8 +993,25 @@ if [ $? -ne 0 ] ; then echo $n " inet_netof$c" NINETNETOF=define fi -$RM -f $EXEC $TMP echo " " +$RM -f $EXEC $TMP +cat > $TMP << __EOF__ +#include +main() +{ + strcasecmp("moo", "moo"); +} +__EOF__ +$COMP +# >/dev/null 2>&1 +if [ $? -ne 0 ] ; then + echo $n " strcasecmp $c " + STRCASECMP=undef +else + STRCASECMP=define +fi +$RM -f $EXEC $TMP + # # # 
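Review bot: The new strcasecmp probe at the end of the Config hunk runs `$COMP` with its `>/dev/null 2>&1` moved onto the following comment line, so compiler diagnostics from the throwaway test program are printed into the interactive Config session; put the redirect back on the `$COMP` line as every other probe in this file does. The probe also echoes ` strcasecmp ` only when the compile fails and prints nothing on success, which no longer matches the `echo $n " inet_netof$c"` reporting style of the probes just above it. The header name on the test program's `#include` line is not visible in this rendering, so confirm the actual file names the string header — without it the probe fails to compile and always sets `STRCASECMP=undef`.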
@@ -1096,7 +1091,7 @@ cat > $SETUP <<__EOF__ #$NINETNETOF NEED_INET_NETOF #$GETTIMEOFDAY GETTIMEOFDAY #$LRAND48 LRAND48 -#$STRCASECMP GOT_STRCASECMP +#$STRCASECMP GOT_STRCASECMP __EOF__ if [ "$MALLOCH" = "undef" ] ; then echo "#undef MALLOCH" >> $SETUP @@ -1304,7 +1299,7 @@ while [ -z "$FOO" ] ; do FOO="No" fi echo "" - echo "Do you want to support encrypted connections" + echo "Do you want to support SSL (Secure Sockets Layer) connections" echo $n "[$FOO] -> $c" if [ -z "$AUTO_CONFIG" -o -n "$runonce" ] ; then read cc @@ -1318,7 +1313,7 @@ while [ -z "$FOO" ] ; do case "$cc" in [Yy]*) CRYPTOIRCD="1" - CRYPTOLIB="-lcrypto" + CRYPTOLIB="-lssl -lcrypto" ;; [Nn]*) CRYPTOIRCD="" @@ -1779,9 +1774,9 @@ else echo "#undef CRYPT_OPER_PASSWORD" >> $OPTIONS_H fi if [ -n "$CRYPTOIRCD" ] ; then - echo "#define CRYPTOIRCD 1" >> $OPTIONS_H + echo "#define USE_SSL 1" >> $OPTIONS_H else - echo "#undef CRYPTOIRCD" >> $OPTIONS_H + echo "#undef USE_SSL" >> $OPTIONS_H fi if [ -n "$CRYPT_LINK_PASSWORD" ] ; then echo "#define CRYPT_LINK_PASSWORD 1" >> $OPTIONS_H @@ -1857,6 +1852,10 @@ if [ "$OSNAME" = "Linux (with GLIBC 2.x or greater)" ]; then echo "" fi +if [ -n "$CRYPTOIRCD" ] ; then + make pem +fi + cat << __EOF__ _____________________________________________________________________ diff --git a/Makefile.dist b/Makefile.dist index aaddfe0e6..816d8043a 100644 --- a/Makefile.dist +++ b/Makefile.dist @@ -210,3 +210,8 @@ depend: install: all @echo "Now install by hand; make install is broken." +pem: src/ssl.cnf + /usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \ + -config src/ssl.cnf -out server.pem -keyout server.pem + /usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout \ + -in server.pem diff --git a/TODO b/TODO index c856e98d3..bd19d6c3e 100644 --- a/TODO +++ b/TODO 
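Review bot: The `pem` target in Makefile.dist writes the private key unencrypted (`-nodes`) into the same `server.pem` as the certificate, under whatever umask the build runs with, and nothing restricts the file afterwards; add `chmod 600 server.pem` after the `openssl req` line (and `umask 077` before it) so the key is not readable by other local users. The `openssl` binary is hard-coded to `/usr/local/ssl/bin/openssl`, while the Config hunk near the top of this diff probes `/usr/include/openssl/ssl.h`, so the two assume different OpenSSL prefixes; a configurable variable or plain `openssl` from PATH would keep them consistent. The `make pem` call added at the end of Config runs on every configure pass and, as far as I can tell, `openssl req -out` silently overwrites an existing server.pem, so guard it with a check that the file is absent.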
@@ -52,3 +52,7 @@ Assigned to DrBin: * Make a is_chan_op, is_chanprot, is_chanowner all-in-one function * Split up Link (SLink) * Add Dlink (DSLink) + + + +----------------------------------------------------- diff --git a/include/config.h b/include/config.h index 001473399..db933dc01 100644 --- a/include/config.h +++ b/include/config.h @@ -422,7 +422,7 @@ * Would you like all clients to see the progress of their connections? */ -#define SHOWCONNECTINFO +#undef SHOWCONNECTINFO /* * SOCKS proxy checker diff --git a/include/ssl.h b/include/ssl.h new file mode 100644 index 000000000..6b8e73362 --- /dev/null +++ b/include/ssl.h @@ -0,0 +1,10 @@ +/* Make these what you want for cert & key files */ +#define CERTF "server.pem" +#define KEYF "server.pem" + + +extern SSL_CTX * ctx; +extern SSL_METHOD *meth; +extern void init_ssl(); +extern int ssl_handshake(aClient *); /* Handshake the accpeted con.*/ +extern int ssl_client_handshake(aClient *); /* and the initiated con.*/ diff --git a/include/struct.h b/include/struct.h index 7408b99b1..99cb29e74 100644 --- a/include/struct.h +++ b/include/struct.h @@ -49,7 +49,14 @@ #ifdef CRYPTOIRCD #include #endif - +#ifdef USE_SSL +#include /* SSL stuff */ +#include +#include +#include +#include +#include +#endif typedef struct t_fline aFline; typedef struct t_crline aCRline; typedef struct t_vhline aVHline; @@ -217,9 +224,12 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */ #ifdef CRYPTOIRCD #define FLAGS_SECURE 0x8000000 #endif +#ifdef USE_SSL +#define FLAGS_SSL 0x10000000 +#define FLAGS_SSL_HSHAKE 0x20000000 +#endif #define FLAGS_MAP 0x80000000 /* Show this entry in /map */ - /* Dec 26th, 1997 - added flags2 when I ran out of room in flags -DuffJ */ /* Dec 26th, 1997 - having a go at 
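Review bot: The `#undef SHOWCONNECTINFO` in include/config.h flips a default that has nothing to do with SSL support and is not mentioned in the release note; if it is intentional it deserves its own commit or at least a line in .RELEASE.NOTES, otherwise it looks like a local setting that slipped in. The networks/unrealircd.conf hunk further down, which switches the include from the test network file to what appears to be one specific network's file, has the same smell.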
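Review bot: include/ssl.h declares `ssl_handshake` and `ssl_client_handshake` in terms of `aClient` and `SSL_CTX` with no includes and no include guard, so it compiles only because this commit pulls it in at the very bottom of struct.h; either guard it and include what it needs, or add a comment stating that it must be included after struct.h. The matching client fields in the struct.h hunk on the following lines are declared `struct SSL *ssl` and `struct X509 *client_cert`, but OpenSSL's `SSL` and `X509` are typedefs of differently-tagged structs, so these are unrelated incomplete types and every use in ssl.c, bsd.c and s_bsd.c needs a cast; declaring them `SSL *ssl; X509 *client_cert;` inside the existing `#ifdef USE_SSL` removes all of those casts. `extern void init_ssl();` is an unprototyped declaration and should read `init_ssl(void)`, and "accpeted" in the trailing comment is a typo. `FLAGS_SSL_HSHAKE`, defined in the struct.h flags hunk, is not set or tested anywhere in this diff, which is worth a comment if it is reserved for later work.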
@@ -250,7 +260,7 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */ #define UMODE_WHOIS 0x100000 /* gets notice on /whois */ #define UMODE_KIX 0x200000 /* usermode +q */ #define UMODE_BOT 0x400000 /* User is a bot */ -#define UMODE_CODER 0x800000 /* User is a network coder */ +#define UMODE_SECURE 0x800000 /* User is a secure connect */ #define UMODE_FCLIENT 0x1000000 /* recieve client on far connects.. */ #define UMODE_HIDING 0x2000000 /* Totally invisible .. */ #define UMODE_VICTIM 0x8000000 /* Intentional Victim */ @@ -259,7 +269,7 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */ #define UMODE_SETHOST 0x40000000 /* used sethost */ #define UMODE_STRIPBADWORDS 0x80000000 /* */ -#define SEND_UMODES (UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_CODER|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS) +#define SEND_UMODES (UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_SECURE|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS) #define ALL_UMODES (SEND_UMODES|UMODE_SERVNOTICE|UMODE_LOCOP|UMODE_KILLS|UMODE_CLIENT|UMODE_FLOOD|UMODE_CHATOP|UMODE_SERVICES|UMODE_EYES) #define FLAGS_ID (FLAGS_DOID|FLAGS_GOTID) 
@@ -329,8 +339,13 @@ typedef unsigned int u_int32_t; /* XXX Hope this works! */ #define IsSecure(x) ((x)->flags & FLAGS_SECURE) #define SetSecure(x) ((x)->flags |= FLAGS_SECURE) #define ClearSecure(x) ((x)->flags &= ~FLAGS_SECURE) +#else +#ifdef USE_SSL +#define IsSecure(x) ((x)->flags & FLAGS_SSL) +#else +#define IsSecure(x) (0) +#endif #endif - #define IsHybNotice(x) ((x)->flags & FLAGS_HYBNOTICE) #define SetHybNotice(x) ((x)->flags |= FLAGS_HYBNOTICE) @@ -792,6 +807,7 @@ struct t_vhline { #define LISTENER_REMOTEADMIN 0x000008 #define LISTENER_JAVACLIENT 0x000010 #define LISTENER_MASK 0x000020 +#define LISTENER_SSL 0x000040 struct Client { struct Client *next, *prev, *hnext; @@ -842,6 +858,10 @@ struct Client { #ifdef CRYPTOIRCD aCryptInfo *cryptinfo; /* crypt */ #endif +#ifdef USE_SSL + struct SSL *ssl; + struct X509 *client_cert; +#endif #ifndef NO_FDLIST long lastrecvM; /* to check for activity --Mika */ int priority; @@ -1073,6 +1093,7 @@ struct Channel { #endif #define MODE_NOCTCP 0x10000000 #define MODE_AUDITORIUM 0x20000000 +#define MODE_ONLYSECURE 0x40000000 #define is_halfop is_half_op /* @@ -1164,5 +1185,8 @@ extern char *gnulicense[]; #define FLUSH_BUFFER -2 #define COMMA "," +#ifdef USE_SSL +#include "ssl.h" +#endif #endif /* __struct_include__ */ diff --git a/include/sys.h b/include/sys.h index c4a9a3536..9f9c96086 100644 --- a/include/sys.h +++ b/include/sys.h @@ -53,7 +53,9 @@ # include # endif #endif - +#ifdef SSL +#include +#endif #ifndef GOT_STRCASECMP #define strcasecmp mycmp #define strncasecmp myncmp diff --git a/networks/unrealircd.conf b/networks/unrealircd.conf index 8e53febcb..161bf6be4 100644 --- a/networks/unrealircd.conf +++ b/networks/unrealircd.conf @@ -8,7 +8,7 @@ Exp $ # # change the filename to what network header file you use # relative to DPATH -Include .................: networks/unreal-test.network +Include .................: networks/roxnet.network # # What K:Line address can K:lined users mail at? 
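Review bot: The new block in include/sys.h tests `#ifdef SSL`, but every other hunk in this commit keys on `USE_SSL` (the name Config now writes into OPTIONS_H), so this include is never compiled in; change it to `#ifdef USE_SSL` or drop it, since struct.h already pulls in the OpenSSL headers under `USE_SSL`. The header name is stripped in this rendering, so also check it is not a duplicate of one struct.h adds.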
diff --git a/src/Makefile b/src/Makefile index b3b52d301..f08b376c0 100644 --- a/src/Makefile +++ b/src/Makefile @@ -27,7 +27,7 @@ OBJS=agent.o aln.o badwords.o bsd.o channel.o class.o cloak.o crule.o dbuf.o dyn fdlist.o hash.o help.o ircd.o ircsprintf.o list.o lusers.o \ match.o packet.o parse.o $(REGEX) res.o $(RES) s_auth.o \ s_bsd.o s_conf.o s_debug.o s_err.o s_extra.o s_kline.o \ - s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) s_unreal.o \ + s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) ssl.o s_unreal.o \ s_user.o scache.o send.o support.o userload.o version.o webtv.o \ whowas.o zip.o @@ -59,7 +59,8 @@ version.o: version.c ../include/version.h $(CC) $(CFLAGS) -c version.c ircd: $(OBJS) - $(CC) $(CFLAGS) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB) +# $(CC) $(CFLAGS) $(CRYPTOLIB) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) -lssl + $(CC) $(CFLAGS) -o ircd $(CRYPTOLIB) $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB) chmod $(IRCDMODE) ircd chkconf: ../include/struct.h ../include/config.h ../include/settings.h ../include/sys.h \ @@ -102,6 +103,9 @@ send.o: send.c $(INCLUDES) webtv.o: webtv.c $(INCLUDES) $(CC) $(CFLAGS) -c webtv.c +ssl.o: ssl.c $(INCLUDES) + $(CC) $(CFLAGS) -c ssl.c + match.o: match.c $(INCLUDES) $(CC) $(CFLAGS) -c match.c diff --git a/src/bsd.c b/src/bsd.c index 9f6646729..95a8030d0 100644 --- a/src/bsd.c +++ b/src/bsd.c @@ -118,10 +118,18 @@ int deliver_it(cptr, str, len) cptr->name, cptr->status, IsDead(cptr) ? "DEAD" : "", str); return -1; } + +#ifdef USE_SSL + if (cptr->flags & FLAGS_SSL) + retval = SSL_write((SSL *)cptr->ssl, str, len); + else + retval = send(cptr->fd, str, len, 0); +#else #ifndef INET6 retval = send(cptr->fd, str, len, 0); #else retval = sendto(cptr->fd, str, len, 0, 0, 0); +#endif #endif /* ** Convert WOULDBLOCK to a return of "0 bytes moved". This diff --git a/src/channel.c b/src/channel.c index 168a42bce..2562968c8 100644 --- a/src/channel.c +++ b/src/channel.c 
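Review bot: The `ircd:` rule now passes `$(CRYPTOLIB)` twice on the link line and keeps the previous attempt as a commented-out `#` line; keep the one occurrence after `$(OBJS)` (libraries must follow the objects that reference them when linking statically) and delete the comment rather than leaving two variants for the next reader to compare. `ssl.o` is added to OBJS unconditionally, which only works because ssl.c compiles to an empty unit when USE_SSL is not defined; a short comment on the OBJS line saying so would save a search.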
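Review bot: `SSL_write` in deliver_it is treated exactly like `send`, but its failure reporting is different: a -1 may mean `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` (a renegotiation or a full transport buffer on the non-blocking socket), and errno reflects only whatever the underlying syscall last set, so the WOULDBLOCK conversion that follows this hunk (outside it) will judge SSL-layer results by an errno that may be unrelated and drop a healthy client as a write error. A retried `SSL_write` must also be handed the same buffer it was interrupted on unless `SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)` (and `SSL_MODE_ENABLE_PARTIAL_WRITE`) is set in init_ssl, which it is not, and the dbuf-driven caller retries with whatever is queued next. A 0 return from `SSL_write` means the peer closed the TLS session and should become a disconnect rather than "0 bytes moved"; a small helper that maps `SSL_get_error` onto the length/errno conventions the caller expects would cover all three cases. The `#else` ordering also means an INET6 build with USE_SSL now uses `send` instead of `sendto` for plain sockets, which should be harmless but is an unannounced change.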
@@ -148,6 +148,7 @@ aCtab cFlagTab[] = { #endif {MODE_NOCTCP, 'C', 0, 0}, /* no CTCPs */ {MODE_AUDITORIUM, 'u', 0, 0}, + {MODE_ONLYSECURE, 'z', 0, 0}, {0x0, 0x0, 0x0} }; #endif @@ -1583,6 +1584,7 @@ int do_mode_char(chptr, modetype, modechar, param, what, cptr, pcount, pvar, case MODE_STRIPBADWORDS: #endif case MODE_NOCTCP: + case MODE_ONLYSECURE: case MODE_NOINVITE: setthephuckingmode: /* +sp bugfix.. */ @@ -2246,6 +2248,11 @@ static int can_join(cptr, sptr, chptr, key, link, parv) /* if ((chptr->mode.mode & MODE_OPERONLY) && IsOper(sptr)) { goto admok; } */ + if ((chptr->mode.mode & MODE_ONLYSECURE) && + !(sptr->umodes & UMODE_SECURE)) + { + return (ERR_BANNEDFROMCHAN); + } if ((chptr->mode.mode & MODE_OPERONLY) && !IsOper(sptr)) { return (ERR_OPERONLY); @@ -2259,7 +2266,7 @@ static int can_join(cptr, sptr, chptr, key, link, parv) if ((chptr->mode.mode & MODE_NOHIDING) && IsHiding(sptr)) return (ERR_NOHIDING); - if ((IsOper(sptr) && !(chptr->mode.mode & MODE_ADMONLY))) + if ((IsOper(sptr) && !((chptr->mode.mode & MODE_ADMONLY)))) { return 0; /* may override */ } diff --git a/src/ircd.c b/src/ircd.c index 516ce9c27..bf08983f9 100644 --- a/src/ircd.c +++ b/src/ircd.c @@ -1125,7 +1125,9 @@ int InitwIRCD(argc, argv) #endif check_class(); write_pidfile(); - +#ifdef USE_SSL + init_ssl(); +#endif Debug((DEBUG_NOTICE, "Server ready...")); #ifdef USE_SYSLOG syslog(LOG_NOTICE, "Server Ready"); diff --git a/src/s_bsd.c b/src/s_bsd.c index dff35e01b..22358eed5 100644 --- a/src/s_bsd.c +++ b/src/s_bsd.c @@ -390,6 +390,9 @@ int add_listener(aconf) case 'S': cptr->umodes |= LISTENER_SERVERSONLY; break; + case 's': + cptr->umodes |= LISTENER_SSL; + break; case 'R': cptr->umodes |= LISTENER_REMOTEADMIN; break; @@ -1068,7 +1071,10 @@ void close_connection(cptr) #else (void)closesocket(cptr->authfd); #endif - +#ifdef USE_SSL + if (cptr->flags & FLAGS_SSL) + SSL_shutdown((SSL *)cptr->ssl); +#endif #ifdef SOCKSPORT if (cptr->socksfd >= 0) #ifndef _WIN32 
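Review bot: The MODE_ONLYSECURE check in can_join reports `ERR_BANNEDFROMCHAN` to a user who is merely not on a secure connection, which shows a "banned" style message and will mislead both users and opers; the neighbouring checks each have a dedicated numeric (ERR_OPERONLY, ERR_NOHIDING), so +z deserves its own, or at least a comment explaining why the ban numeric is borrowed. The check also sits above the `IsOper(sptr) && !MODE_ADMONLY` override a few lines lower, so opers cannot bypass +z even though they bypass most other join restrictions — if that is intended, say so in a comment. The parenthesis-only change in the last channel.c hunk is a no-op and can be dropped from the commit.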
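Review bot: `init_ssl()` in InitwIRCD is called unconditionally under USE_SSL, and it calls `exit()` when server.pem is missing or unreadable, so an SSL-enabled build cannot start at all without a certificate even if no listener carries the `s` flag; it also runs after `write_pidfile()`, leaving a stale pid file behind on that exit. Calling it before write_pidfile, or only when an SSL listener is configured, avoids both, and the fatal-exit behaviour deserves a comment at the call site since the name does not suggest it.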
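Review bot: close_connection calls `SSL_shutdown` when FLAGS_SSL is set but never frees the object `ssl_handshake` allocated, so every SSL client leaks its SSL structure on disconnect; follow the shutdown with `SSL_free((SSL *)cptr->ssl); cptr->ssl = NULL;`. Because add_connection (next hunk) sets FLAGS_SSL even when the handshake failed and `cptr->ssl` may then be NULL, the call also needs an `if (cptr->ssl)` guard — or the flag must only be set on success. `SSL_shutdown` on a non-blocking socket returns 0 when only the close_notify was sent; a one-sided shutdown is acceptable for a server dropping a client, but a comment saying the return is deliberately ignored would help.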
@@ -1448,6 +1454,13 @@ aClient *add_connection(cptr, fd) highest_fd = fd; local[fd] = acptr; acptr->acpt = cptr; +#ifdef USE_SSL + if (cptr->umodes & LISTENER_SSL) + { + ssl_handshake(acptr); + acptr->flags |= FLAGS_SSL; + } +#endif add_client_to_list(acptr); set_non_blocking(acptr->fd, acptr); set_sock_opts(acptr->fd, acptr); @@ -1488,7 +1501,15 @@ static int read_packet(cptr, rfd) #ifdef INET6 length = recvfrom(cptr->fd, readbuf, sizeof(readbuf), 0, 0, 0); #else +#ifndef USE_SSL length = recv(cptr->fd, readbuf, sizeof(readbuf), 0); +#else + if (cptr->flags & FLAGS_SSL) + length = SSL_read((SSL *)cptr->ssl, readbuf, sizeof(readbuf)); + else + length = recv(cptr->fd, readbuf, sizeof(readbuf), 0); + +#endif #endif cptr->lasttime = now; @@ -1665,8 +1686,15 @@ static int read_packet(aClient *cptr) { errno = 0; +#ifndef USE_SSL length = recv(cptr->fd, readbuf, sizeof(readbuf), 0); - +#else + if (cptr->flags & FLAGS_SSL) + length = SSL_read((SSL *)cptr->ssl, readbuf, sizeof(readbuf)); + else + length = recv(cptr->fd, readbuf, sizeof(readbuf), 0); + +#endif cptr->lasttime = now; if (cptr->lasttime > cptr->since) cptr->since = cptr->lasttime; diff --git a/src/s_conf.c b/src/s_conf.c index 97fc69e43..f9706490b 100644 --- a/src/s_conf.c +++ b/src/s_conf.c @@ -873,7 +873,7 @@ int m_svsnoop(cptr, sptr, parc, parv) ~(UMODE_NETADMIN | UMODE_TECHADMIN | UMODE_CLIENT | UMODE_FLOOD | UMODE_EYES | UMODE_CHATOP | UMODE_WHOIS); acptr->umodes &= - ~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_CODER | + ~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_DEAF | UMODE_HIDEOPER); acptr->oflag = 0; diff --git a/src/s_unreal.c b/src/s_unreal.c index c7d102bd6..b29edb720 100644 --- a/src/s_unreal.c +++ b/src/s_unreal.c @@ -1107,9 +1107,10 @@ int m_sendumode(cptr, sptr, parc, parv) case 'A': sendto_umode(UMODE_ADMIN, "%s", parv[2]); break; - case '1': +/* case '1': sendto_umode(UMODE_CODER, "%s", parv[2]); break; +*/ case 'I': sendto_umode(UMODE_HIDING, "%s", parv[2]); break; 
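Review bot: `ssl_handshake(acptr)` in add_connection runs before `set_non_blocking`, on a freshly accepted and therefore blocking socket, and the `SSL_accept` inside it blocks until the peer completes or abandons the handshake; since the daemon is single-threaded, a connection to the `s` listener that never completes the handshake holds the whole server for as long as it stays open, so the handshake needs to be driven from the poll loop (presumably what the unused `FLAGS_SSL_HSHAKE` bit was meant for) or at least bounded by a timeout. The return value of `ssl_handshake` is discarded and `FLAGS_SSL` is set regardless, so a failed handshake leaves a client with the flag set and a NULL or half-initialised `acptr->ssl` that read_packet and deliver_it will later pass to `SSL_read`/`SSL_write`; at minimum set the flag only when the call succeeds and close the connection otherwise. add_connection continues outside the hunk.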
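Review bot: In the first read_packet hunk the SSL branch is nested inside the `#else` of `#ifdef INET6`, so an INET6 build with USE_SSL still calls `recvfrom` on SSL clients and feeds raw TLS records to the parser; the `FLAGS_SSL` test has to come before the INET6 split. In both read_packet hunks (the second appears to be the other fdlist variant of the same function) an `SSL_read` of -1 with `SSL_ERROR_WANT_READ`/`WANT_WRITE` is then judged by errno like a plain recv, and a 0 return means the peer sent close_notify rather than the plain EOF it is treated as; a shared wrapper that maps `SSL_get_error` onto the length/errno conventions the rest of read_packet expects would keep the two copies consistent. Both functions continue outside their hunks.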
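Review bot: The `case '1':` block in m_sendumode is commented out with `/* */` rather than deleted; since `UMODE_CODER` no longer exists the block cannot be re-enabled as written, so remove it and let version control keep the history. If the intent is that an old `1` target from services should be silently ignored, a one-line comment at that spot saying so is clearer than dead code.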
@@ -1296,7 +1297,7 @@ int m_svso(cptr, sptr, parc, parv) ~(UMODE_NETADMIN | UMODE_TECHADMIN | UMODE_CLIENT | UMODE_FLOOD | UMODE_EYES | UMODE_CHATOP | UMODE_WHOIS); acptr->umodes &= - ~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_CODER | + ~(UMODE_KIX | UMODE_FCLIENT | UMODE_HIDING | UMODE_DEAF | UMODE_HIDEOPER); acptr->oflag = 0; send_umode_out(acptr, acptr, fLag); diff --git a/src/s_user.c b/src/s_user.c index 04d305050..d0e014ad0 100644 --- a/src/s_user.c +++ b/src/s_user.c @@ -91,8 +91,7 @@ static int user_modes[] = { UMODE_OPER, 'o', UMODE_BOT, 'B', UMODE_FCLIENT, 'F', UMODE_HIDING, 'I', - /* UMODE_AGENT, 'Z', */ - UMODE_CODER, '1', + UMODE_SECURE, 'z', UMODE_DEAF, 'd', UMODE_VICTIM, 'v', UMODE_SETHOST, 't', @@ -887,6 +886,8 @@ static int register_user(cptr, sptr, nick, username, umode, virthost) #endif nextping = TStime(); sendto_connectnotice(nick, user, sptr); + if (IsSecure(sptr)) + sptr->umodes |= UMODE_SECURE; } else if (IsServer(cptr)) { @@ -2786,11 +2787,11 @@ int m_whois(cptr, sptr, parc, parv) sendto_one(sptr, rpl_str(RPL_WHOISBOT), me.name, parv[0], name, ircnetwork); } - if (acptr->umodes & UMODE_CODER && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr))) + if (acptr->umodes & UMODE_SECURE) { - sendto_one(sptr, rpl_str(RPL_WHOISOPERATOR), - me.name, parv[0], name, "a Coder", - ircnetwork); + sendto_one(sptr, ":%s %d %s %s :%s %s",me.name, + RPL_WHOISSPECIAL, + parv[0], name, "is a \2Secure Connection\2"); } if (acptr->user->swhois) { @@ -4331,9 +4332,9 @@ int m_umode(cptr, sptr, parc, parv) if ((sptr->umodes & UMODE_HIDING) && !(sptr->oflag & OFLAG_INVISIBLE)) sptr->umodes &= ~UMODE_HIDING; - if (MyClient(sptr) && (sptr->umodes & UMODE_CODER) - && !IsAnOper(sptr)) - sptr->umodes &= ~UMODE_CODER; + if (MyClient(sptr) && (sptr->umodes & UMODE_SECURE) + && !IsSecure(sptr)) + sptr->umodes &= ~UMODE_SECURE; } 
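Review bot: register_user sets `UMODE_SECURE` after `sendto_connectnotice`, the last statement of the MyConnect branch; whether +z reaches other servers depends on where the NICK introduction is built, which is outside this hunk — if it is sent later in register_user the mode travels with it, otherwise a separate umode broadcast is needed. The connect notice itself already reports `[secure]` through IsSecure, so local output is fine, but a comment such as `/* mirror the link-level SSL flag into a umode so remote servers and /whois can see it */` would explain why the flag is copied rather than tested directly.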
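Review bot: The `sendto_one` in the m_whois hunk has six conversions in `":%s %d %s %s :%s %s"` but only five arguments (me.name, RPL_WHOISSPECIAL, parv[0], name and the "is a \2Secure Connection\2" string), so the last `%s` consumes an argument that was never passed — undefined behaviour that typically prints stack garbage into the reply or crashes. Drop the trailing ` %s` from the format, or better use the numeric helper the rest of the function uses, e.g. `sendto_one(sptr, rpl_str(RPL_WHOISSPECIAL), me.name, parv[0], name, "is a \2Secure Connection\2");` if RPL_WHOISSPECIAL has an rpl_str entry with that argument order. The webtv.c hunk at the end of the diff gets the argument count right.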
@@ -4381,9 +4382,9 @@ int m_umode(cptr, sptr, parc, parv) if ((sptr->umodes & UMODE_HIDING) && !(sptr->oflag & OFLAG_INVISIBLE)) sptr->umodes &= ~UMODE_HIDING; - if (MyClient(sptr) && (sptr->umodes & UMODE_CODER) - && !IsAnOper(sptr)) - sptr->umodes &= ~UMODE_CODER; + if (MyClient(sptr) && (sptr->umodes & UMODE_SECURE) + && !IsSecure(sptr)) + sptr->umodes &= ~UMODE_SECURE; if ((sptr->umodes & (UMODE_HIDING)) && !(setflags & UMODE_HIDING)) diff --git a/src/send.c b/src/send.c index d4a76955a..bff5cb7aa 100644 --- a/src/send.c +++ b/src/send.c @@ -1636,7 +1636,7 @@ void sendto_connectnotice(nick, user, sptr) ircsprintf(connectd, "*** Notice -- Client connecting on port %d: %s (%s@%s) %s", sptr->acpt->port, nick, user->username, user->realhost, -#ifdef CRYPTOIRCD +#if defined(CRYPTOIRCD) || defined(USE_SSL) IsSecure(sptr) ? "[secure]" : ""); #else ""); diff --git a/src/ssl.c b/src/ssl.c new file mode 100644 index 000000000..bf668b876 --- /dev/null +++ b/src/ssl.c 
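Review bot: The `#if defined(CRYPTOIRCD) || defined(USE_SSL)` around the `IsSecure(sptr)` argument in sendto_connectnotice is no longer needed, because the struct.h hunk in this commit defines `IsSecure(x)` as `(0)` when neither option is set; the conditional and its `#else ""` branch can be replaced by the unconditional `IsSecure(sptr) ? "[secure]" : ""`. That keeps the ircsprintf argument list in one place instead of two.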
@@ -0,0 +1,150 @@
+/*
+ This was originally done by the hq.alert.sk implementation
+ Modified by Stskeeps
+*/
+#include "config.h"
+#ifdef USE_SSL
+
+#include "struct.h"
+
+/* The SSL structures */
+SSL_CTX* ctx;
+SSL_METHOD* meth;
+
+void init_ssl() {
+ /* SSL preliminaries. We keep the certificate and key with the context. */
+
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+ meth = SSLv23_server_method();
+ ctx = SSL_CTX_new (meth);
+ if (!ctx)
+ {
+ ircd_log("Failed to do SSL CTX new");
+ exit (2);
+ }
+
+ if (SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
+ {
+ ircd_log("Failed to load SSL certificate %s", CERTF);
+ exit (3);
+ }
+ if (SSL_CTX_use_PrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
+ {
+ ircd_log("Failed to load SSL private key %s", KEYF);
+ exit (4);
+ }
+
+ if (!SSL_CTX_check_private_key (ctx))
+ {
+ ircd_log("Failed to check SSL private key");
+ exit (5);
+ }
+
+}
+
+#define CHK_NULL(x) if ((x)==NULL) {\
+ ircd_log("Lost connection to %s:Error in SSL", \
+ get_client_name(cptr, TRUE)); \
+ return 0;\
+ }
+
+int ssl_handshake(aClient *cptr)
+{
+ char *str;
+ int err;
+
+ cptr->ssl = (struct SSL*) SSL_new (ctx);
+ CHK_NULL (cptr->ssl);
+ SSL_set_fd ((SSL *)cptr->ssl, cptr->fd);
+ err = SSL_accept ((SSL *)cptr->ssl);
+ if ((err)==-1) {
+ ircd_log("Lost connection to %s:Error in SSL_accept()",
+ get_client_name(cptr, TRUE));
+ return 0;
+ }
+
+ /* Get the cipher - opt */
+
+ ircd_log("SSL connection using %s\n", SSL_get_cipher ((SSL *)cptr->ssl));
+
+ /* Get client's certificate (note: beware of dynamic
+ * allocation) - opt */
+
+ cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
+
+ if (cptr->client_cert != NULL)
+ {
+ // log (L_DEBUG,"Client certificate:\n");
+
+ str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert), 0, 0);
+ CHK_NULL (str);
+ // log (L_DEBUG, "\t subject: %s\n", str);
+ Free (str);
+
+ str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert), 0, 0);
+ CHK_NULL (str);
+ // log (L_DEBUG, "\t issuer: %s\n", str);
+ Free (str);
+
+ /* We could do all sorts of certificate
+ * verification stuff here before
+ * deallocating the certificate. */
+
+ X509_free ((X509*)cptr->client_cert);
+ }
+ else
+ {
+ // log (L_DEBUG, "Client does not have certificate.\n");
+ }
+ return 0;
+
+}
+
+int ssl_client_handshake(struct Client *cptr) {
+
+ char *str;
+ int err;
+
+ cptr->ssl = (struct SSL*)SSL_new (ctx); CHK_NULL(cptr->ssl);
+ SSL_set_fd ((SSL*)cptr->ssl, cptr->fd);
+ // set_blocking(cptr->fd);
+ err = SSL_connect ((SSL*)cptr->ssl);
+ set_non_blocking(cptr->fd);
+ if ((err)==-1) {
+ ircd_log("Could connect to %s:Error in SSL_connect()",
+ get_client_name(cptr, TRUE));
+ return 0;
+ }
+
+ /* Following two steps are optional and not required for
+ data exchange to be successful. */
+
+ /* Get the cipher - opt */
+// set_blocking(cptr->fd);
+ ircd_log("SSL connection using %s\n", SSL_get_cipher ((SSL*)cptr->ssl));
+
+ /* Get server's certificate (note: beware of dynamic allocation) - opt */
+
+ cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
+ set_non_blocking(cptr->fd);
+ CHK_NULL(cptr->client_cert);
+ // log (L_NOTICE,"Server certificate:\n");
+
+ str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert),0,0);
+ CHK_NULL(str);
+// log (L_NOTICE, "\t subject: %s\n", str);
+ Free (str);
+
+ str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert),0,0);
+ CHK_NULL(str);
+// log (L_NOTICE, "\t issuer: %s\n", str);
+ Free (str);
+
+ /* We could do all sorts of certificate verification stuff here before
+ deallocating the certificate. */
+
+ X509_free ((X509*)cptr->client_cert);
+ return 1;
+}
+#endif
diff --git a/src/ssl.cnf b/src/ssl.cnf
new file mode 100644
index 000000000..15f2669f6
--- /dev/null
+++ b/src/ssl.cnf
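Review bot: Both handshake functions in ssl.c test only `err == -1`, but `SSL_accept`/`SSL_connect` return 0 for a clean failure (peer closed during the handshake) and any value below zero for an error, so `err <= 0` is the right test; on failure the SSL object from `SSL_new` is neither freed nor cleared from `cptr->ssl`, and `ssl_handshake` returns 0 on success and on failure alike (while `ssl_client_handshake` returns 1 on success), so callers cannot tell the two apart. `cptr->client_cert` is released with `X509_free` in both functions but the field keeps the dangling pointer, and the `CHK_NULL` early returns leave the SSL object allocated as well. `set_non_blocking(cptr->fd)` in ssl_client_handshake is called with one argument while s_bsd.c calls it as `set_non_blocking(acptr->fd, acptr)`, which is a mismatched call in a K&R build and a compile error with a prototype. `SSLv23_server_method` negotiates SSLv2 unless `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` is set in init_ssl, and `Free(str)` on memory returned by `X509_NAME_oneline` is only correct if `Free` maps to the C library's free rather than an ircd-private allocator — confirm.
```c
int ssl_handshake(aClient *cptr)
{
	/* … unchanged: locals, SSL_new, CHK_NULL, SSL_set_fd … */
	err = SSL_accept ((SSL *)cptr->ssl);
	/* 0 is a clean failure, <0 an error: neither leaves a usable session,
	 * so release it, clear the field and report failure to add_connection */
	if (err <= 0) {
		ircd_log("Lost connection to %s:Error in SSL_accept()",
			get_client_name(cptr, TRUE));
		SSL_free ((SSL *)cptr->ssl);
		cptr->ssl = NULL;
		return 0;
	}
	/* … unchanged: cipher logging, peer certificate subject/issuer dump … */
		X509_free ((X509*)cptr->client_cert);
		cptr->client_cert = NULL;	/* nothing may dereference it after this */
	/* … unchanged: else branch … */
	return 1;	/* success; 0 above means the caller must not set FLAGS_SSL */
```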
@@ -0,0 +1,35 @@ +# create RSA certs - Server + +RANDFILE = src/ssl.rnd + +[ req ] +default_bits = 1024 +encrypt_key = yes +distinguished_name = req_dn +x509_extensions = cert_type + +[ req_dn ] +countryName = US +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = City +stateOrProvinceName_default = City + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Organization Name (eg. company) + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +0.commonName = Common Name (FQDN of your server) + +1.commonName = Common Name (default) +1.commonName_value = localhost + +[ cert_type ] +nsCertType = server + diff --git a/src/ssl.rnd b/src/ssl.rnd new file mode 100644 index 000000000..c88597596 Binary files /dev/null and b/src/ssl.rnd differ diff --git a/src/webtv.c b/src/webtv.c index bf42a647a..a20cc6df9 100644 --- a/src/webtv.c +++ b/src/webtv.c @@ -351,10 +351,10 @@ int w_whois(aClient *cptr, aClient *sptr, int parc, char *parv[]) sendto_one(sptr, ":IRC PRIVMSG %s :%s is an Bot on %s", sptr->name, name, ircnetwork); } - if (acptr->umodes & UMODE_CODER && (!IsHideOper(acptr) || sptr == acptr || IsAnOper(sptr))) + if (acptr->umodes & UMODE_SECURE) { - sendto_one(sptr, ":IRC PRIVMSG %s :%s is a Coder on %s", - sptr->name, acptr->name, ircnetwork); + sendto_one(sptr, ":IRC PRIVMSG %s :%s is a Secure Connection", + sptr->name, acptr->name); } if (acptr->user->swhois) {
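Review bot: `RANDFILE = src/ssl.rnd` points openssl at the binary src/ssl.rnd that this commit checks into the tree, so every installation that runs `make pem` mixes the same shipped seed into its key generation; how much that weakens the keys depends on what other entropy openssl has on the host, but a per-install seed file (or none, letting openssl use the system source) is the safer default and the file should not be committed. `encrypt_key = yes` is overridden by `-nodes` in the Makefile.dist target, so one of the two is misleading and the config should say `no` if unencrypted keys are the intent. `default_bits = 1024` is low for a long-lived server key and is cheap to raise here. `1.commonName_value = localhost` pre-fills the second CN with a placeholder that clients will never match against the real server name; a comment explaining why two CNs are requested would help.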