From 6d075c9c2ba9c71223c51357751cbead87fb71d3 Mon Sep 17 00:00:00 2001
From: Attila Molnar
Date: Fri, 11 Apr 2014 01:03:36 +0200
Subject: m_ssl_openssl Avoid Applink on Windows by calling PEM_read_bio_DHparams() instead of PEM_read_DHparams()
---
src/modules/extra/m_ssl_openssl.cpp | 11 +++++++++++
1 file changed, 11 insertions(+)
(limited to 'src/modules/extra')
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 9a54ff80b..91a3d7269 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -249,7 +249,11 @@ class ModuleSSLOpenSSL : public Module
 ERR_print_errors_cb(error_callback, this);
 }
+#ifdef _WIN32
+ BIO* dhpfile = BIO_new_file(dhfile.c_str(), "r");
+#else
 FILE* dhpfile = fopen(dhfile.c_str(), "r");
+#endif
 DH* ret;
 if (dhpfile == NULL)
@@ -259,7 +263,12 @@ class ModuleSSLOpenSSL : public Module
 }
 else
 {
+#ifdef _WIN32
+ ret = PEM_read_bio_DHparams(dhpfile, NULL, NULL, NULL);
+ BIO_free(dhpfile);
+#else
 ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
+#endif
 if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0))
 {
 ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str());
@@ -268,7 +277,9 @@ class ModuleSSLOpenSSL : public Module
 DH_free(ret);
 }
+#ifndef _WIN32
 fclose(dhpfile);
+#endif
 }
 void On005Numeric(std::string &output)
--
cgit v1.2.3
From 88dccdd5f04e9244323de0eb197590ab8e7292fd Mon Sep 17 00:00:00 2001
From: Adam
Date: Sat, 12 Apr 2014 21:46:19 -0400
Subject: Change Windows libraries to be dynamically linked
---
src/modules/extra/m_ldapauth.cpp | 4 ++--
src/modules/extra/m_ldapoper.cpp | 4 ++--
src/modules/extra/m_mysql.cpp | 4 +---
src/modules/extra/m_ssl_gnutls.cpp | 24 ++++++++++++++++--------
src/modules/extra/m_ssl_openssl.cpp | 9 ++-------
win/inspircd_win32wrapper.h | 2 ++
6 files changed, 25 insertions(+), 22 deletions(-)
(limited to 'src/modules/extra')
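Review bot: Keeping a `FILE*` path for non-Windows and a `BIO*` path for Windows means the same logic is now written twice across three `#ifdef _WIN32` blocks (this hunk, the parse at line 263 and the `fclose` at line 277). `BIO_new_file`, `PEM_read_bio_DHparams` and `BIO_free` are portable OpenSSL APIs, so using the BIO path unconditionally, `BIO* dhpfile = BIO_new_file(dhfile.c_str(), "r");`, would remove all three preprocessor blocks and the platform-specific close. The enclosing function starts before this hunk, so I cannot see whether anything else depends on `dhpfile` being a `FILE*`.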
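Review bot: The new `ret = PEM_read_bio_DHparams(...)` / `PEM_read_DHparams(...)` lines store the result without checking for NULL, which both functions return when the file holds no parsable DH parameters, and the check that follows compares `SSL_CTX_set_tmp_dh` with `< 0` although, per the OpenSSL documentation, it returns 1 on success and 0 on failure. Together that means a malformed or wrong-type dhparams file is applied as NULL, the "Couldn't set DH parameters" message is never logged, and the server quietly runs without the configured DH parameters. Changing the condition to `if ((ret == NULL) || (SSL_CTX_set_tmp_dh(ctx, ret) != 1) || (SSL_CTX_set_tmp_dh(clictx, ret) != 1))` makes both failures visible through the existing log line. `DH_free(NULL)` in the hunk at line 277 is harmless, so no further change is needed there.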
diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
index 5b3f1e7cc..6c765fb2e 100644
--- a/src/modules/extra/m_ldapauth.cpp
+++ b/src/modules/extra/m_ldapauth.cpp
@@ -31,8 +31,8 @@
 #include
 #ifdef _WIN32
-# pragma comment(lib, "ldap.lib")
-# pragma comment(lib, "lber.lib")
+# pragma comment(lib, "libldap.lib")
+# pragma comment(lib, "liblber.lib")
 #endif
 /* $ModDesc: Allow/Deny connections based upon answer from LDAP server */
diff --git a/src/modules/extra/m_ldapoper.cpp b/src/modules/extra/m_ldapoper.cpp
index 53896878c..1f46361d4 100644
--- a/src/modules/extra/m_ldapoper.cpp
+++ b/src/modules/extra/m_ldapoper.cpp
@@ -28,8 +28,8 @@
 #include
 #ifdef _WIN32
-# pragma comment(lib, "ldap.lib")
-# pragma comment(lib, "lber.lib")
+# pragma comment(lib, "libldap.lib")
+# pragma comment(lib, "liblber.lib")
 #endif
 /* $ModDesc: Adds the ability to authenticate opers via LDAP */
diff --git a/src/modules/extra/m_mysql.cpp b/src/modules/extra/m_mysql.cpp
index 22cf5f3f4..01b1553b0 100644
--- a/src/modules/extra/m_mysql.cpp
+++ b/src/modules/extra/m_mysql.cpp
@@ -28,9 +28,7 @@
 #include "sql.h"
 #ifdef _WIN32
-# pragma comment(lib, "mysqlclient.lib")
-# pragma comment(lib, "advapi32.lib")
-# pragma comment(linker, "/NODEFAULTLIB:LIBCMT")
+# pragma comment(lib, "libmysql.lib")
 #endif
 /* VERSION 3 API: With nonblocking (threaded) requests */
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 1f1297ef9..03673d7a0 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -22,21 +22,16 @@
 #include "inspircd.h"
+#ifndef _WIN32
 #include
+#endif
 #include
 #include
 #include "ssl.h"
 #include "m_cap.h"
 #ifdef _WIN32
-# pragma comment(lib, "libgnutls.lib")
-# pragma comment(lib, "libgcrypt.lib")
-# pragma comment(lib, "libgpg-error.lib")
-# pragma comment(lib, "user32.lib")
-# pragma comment(lib, "advapi32.lib")
-# pragma comment(lib, "libgcc.lib")
-# pragma comment(lib, "libmingwex.lib")
-# pragma comment(lib, "gdi32.lib")
+# pragma comment(lib, "libgnutls-28.lib")
 #endif
 /* $ModDesc: Provides SSL support for clients */
@@ -60,6 +55,13 @@ typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
 typedef gnutls_dh_params_t gnutls_dh_params;
 #endif
+#if (defined(_WIN32) && (GNUTLS_VERSION_MAJOR > 2 || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR >= 12)))
+# define GNUTLS_HAS_RND
+# include
+#else
+# include
+#endif
+
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
 static std::vector x509_certs;
@@ -89,7 +91,11 @@ class RandGen : public HandlerBase2
 RandGen() {}
 void Call(char* buffer, size_t len)
 {
+#ifdef GNUTLS_HAS_RND
+ gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);
+#else
 gcry_randomize(buffer, len, GCRY_STRONG_RANDOM);
+#endif
 }
 };
@@ -250,7 +256,9 @@ class ModuleSSLGnuTLS : public Module
 ModuleSSLGnuTLS() : starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
 {
+#ifndef GNUTLS_HAS_RND
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif
 sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 91a3d7269..60c90988a 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
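Review bot: The new `gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);` line in `RandGen::Call` discards the function's return value, and gnutls_rnd reports failure through a negative return; on failure `buffer` keeps whatever it held and, because `Call` is `void`, the caller has no way to notice that it received non-random bytes. At minimum the failure should be logged, e.g. `if (gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len) < 0)` followed by a log line through `ServerInstance->Logs` as the OpenSSL module does, so that a broken RNG shows up in the server log rather than silently. The earlier `gcry_randomize` call has no return value, so this is new to the gnutls_rnd path. Separately, the `GNUTLS_HAS_RND` condition in the hunk at line 55 is gated on `_WIN32`, so non-Windows builds against a GnuTLS that already provides gnutls_rnd keep the gcrypt dependency; if that is intentional, a comment on the `#if` line saying why would save the next reader from "fixing" it.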
@@ -36,13 +36,8 @@
 #include "ssl.h"
 #ifdef _WIN32
-# pragma comment(lib, "libcrypto.lib")
-# pragma comment(lib, "libssl.lib")
-# pragma comment(lib, "user32.lib")
-# pragma comment(lib, "advapi32.lib")
-# pragma comment(lib, "libgcc.lib")
-# pragma comment(lib, "libmingwex.lib")
-# pragma comment(lib, "gdi32.lib")
+# pragma comment(lib, "ssleay32.lib")
+# pragma comment(lib, "libeay32.lib")
 # undef MAX_DESCRIPTORS
 # define MAX_DESCRIPTORS 10000
 #endif
diff --git a/win/inspircd_win32wrapper.h b/win/inspircd_win32wrapper.h
index 75404ef8b..be437d4a3 100644
--- a/win/inspircd_win32wrapper.h
+++ b/win/inspircd_win32wrapper.h
@@ -78,6 +78,8 @@
 #define strcasecmp _stricmp
 #define strncasecmp _strnicmp
+typedef int ssize_t;
+
 /* Convert formatted (xxx.xxx.xxx.xxx) string to in_addr struct */
 CoreExport int insp_inet_pton(int af, const char * src, void * dst);
--
cgit v1.2.3
From de78843144d40b991cefc652532c03dd8c56e5cc Mon Sep 17 00:00:00 2001
From: Attila Molnar
Date: Tue, 22 Jul 2014 20:05:10 +0200
Subject: Make sure the DN strings obtained from the SSL mods are always valid
---
src/modules/extra/m_ssl_gnutls.cpp | 20 ++++++++++++++++----
src/modules/extra/m_ssl_openssl.cpp | 6 ++++++
2 files changed, 22 insertions(+), 4 deletions(-)
(limited to 'src/modules/extra')
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 03673d7a0..6a6a7923a 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
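Review bot: `typedef int ssize_t;` in inspircd_win32wrapper.h makes ssize_t 32-bit on 64-bit Windows builds, where `size_t` is 64-bit; any length or return value that goes through ssize_t is silently truncated there, and sign/width comparisons against `size_t` become error-prone. The Windows SDK already provides a pointer-sized signed type for this purpose, so `typedef SSIZE_T ssize_t;` (from BaseTsd.h, which windows.h normally pulls in) or `typedef intptr_t ssize_t;` keeps the type the right width on both 32- and 64-bit targets. I cannot see from this hunk whether any other header in the Windows build already defines ssize_t, which would clash with this typedef; worth checking before merging.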
@@ -880,11 +880,23 @@ class ModuleSSLGnuTLS : public Module
 goto info_done_dealloc;
 }
- gnutls_x509_crt_get_dn(cert, name, &name_size);
- certinfo->dn = name;
+ if (gnutls_x509_crt_get_dn(cert, name, &name_size) == 0)
+ {
+ std::string& dn = certinfo->dn;
+ dn = name;
+ // Make sure there are no chars in the string that we consider invalid
+ if (dn.find_first_of("\r\n") != std::string::npos)
+ dn.clear();
+ }
- gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
- certinfo->issuer = name;
+ name_size = sizeof(name);
+ if (gnutls_x509_crt_get_issuer_dn(cert, name, &name_size) == 0)
+ {
+ std::string& issuer = certinfo->issuer;
+ issuer = name;
+ if (issuer.find_first_of("\r\n") != std::string::npos)
+ issuer.clear();
+ }
 if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0)
 {
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 60c90988a..33f848798 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -639,8 +639,14 @@ class ModuleSSLOpenSSL : public Module
 char buf[512];
 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
 certinfo->dn = buf;
+ // Make sure there are no chars in the string that we consider invalid
+ if (certinfo->dn.find_first_of("\r\n") != std::string::npos)
+ certinfo->dn.clear();
+
 X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
 certinfo->issuer = buf;
+ if (certinfo->issuer.find_first_of("\r\n") != std::string::npos)
+ certinfo->issuer.clear();
 if (!X509_digest(cert, digest, md, &n))
 {
--
cgit v1.2.3
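Review bot: The "reject the DN if it contains CR or LF" rule is now written out four times, twice in this hunk (`dn` and `issuer`) and twice in the m_ssl_openssl.cpp hunk at line 639, with the explanatory comment only on the first copy; a small shared helper in ssl.h, e.g. `static inline void SanitizeDN(std::string& dn) { if (dn.find_first_of("\r\n") != std::string::npos) dn.clear(); }`, would keep the two modules from drifting if the set of rejected characters is ever widened and document the policy in one place. In this hunk a non-zero return from `gnutls_x509_crt_get_dn` / `gnutls_x509_crt_get_issuer_dn` (for example GNUTLS_E_SHORT_MEMORY_BUFFER when the DN does not fit in `name`) now leaves the field untouched and is never logged; a debug-level log of the return code would help diagnose missing DNs in the field. Resetting `name_size = sizeof(name)` before the second call is the right fix for the in/out parameter, assuming it was initialised the same way before the first call, which happens above the hunk. The enclosing function starts and ends outside this hunk.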