SSL support for UnrealIRCD!

Author: stskeeps

.RELEASE.NOTES

@@ -15,9 +15,8 @@ Unreal3.1-Silverheart Release Notes
   Where 20 is the numeric. Numerics are 1-255, 0 means no numeric (bad),
   and no server must have same numeric
 
-* We have introduced encrypted irc connections, and we will soon have a
-  client out for it (this is not SSL). Stay tuned in #UnrealIRCd for more
-   information
+* We have introduced encrypted irc connections, using SSL
+
 
 * NOTE, in #UnrealIRCD we don't help with Services etc.
 

Config

@@ -504,8 +504,8 @@ else
 	echo 'not found (good!)'
 fi
 
-echo $n "...Looking for /usr/include/openssl/blowfish.h...$c"
-if [ -r /usr/include/openssl/blowfish.h ] ; then
+echo $n "...Looking for /usr/include/openssl/ssl.h...$c"
+if [ -r /usr/include/openssl/ssl.h ] ; then
 	OPENSSL=define
 	echo 'found!'
 else
@@ -793,28 +793,6 @@ else
 	fi
 fi
 $RM -f $EXEC $TMP
-
-echo $n "Do we have an broken /usr/include/string.h ... $c"
-cat > $TMP <<__EOF__
-#include <string.h>
-main()
-{
-	char	*s = "moocows";
-	char	*p = "moocows";
-
-	if (strcasecmp(s, p))
-		exit(0);
-	exit(0);
-}
-__EOF__
-$COMP >/dev/null 2>&1
-if [ $? -ne 0 ] ; then
-	echo " no$c"
-	STRCASECMP=undef
-else
-	echo "yes"
-	STRCASECMP=define
-fi
 #
 # what do we need that isn't here already ?
 #
@@ -1015,8 +993,25 @@ if [ $? -ne 0 ] ; then
 	echo $n " inet_netof$c"
 	NINETNETOF=define
 fi
-$RM -f $EXEC $TMP
 echo " "
+$RM -f $EXEC $TMP
+cat > $TMP << __EOF__
+#include <string.h>
+main()
+{
+	strcasecmp("moo", "moo");
+}
+__EOF__
+$COMP 
+# >/dev/null 2>&1
+if [ $? -ne 0 ] ; then
+	echo $n " strcasecmp $c "
+	STRCASECMP=undef
+else
+	STRCASECMP=define
+fi
+$RM -f $EXEC $TMP
+
 #
 #
 #
@@ -1096,7 +1091,7 @@ cat > $SETUP  <<__EOF__
 #$NINETNETOF	NEED_INET_NETOF
 #$GETTIMEOFDAY	GETTIMEOFDAY
 #$LRAND48	LRAND48
-#$STRCASECMP    GOT_STRCASECMP
+#$STRCASECMP GOT_STRCASECMP
 __EOF__
 if [ "$MALLOCH" = "undef" ] ; then
 	echo "#undef	MALLOCH" >> $SETUP
@@ -1304,7 +1299,7 @@ while [ -z "$FOO" ] ; do
 	FOO="No"
     fi
     echo ""
-    echo "Do you want to support encrypted connections"
+    echo "Do you want to support SSL (Secure Sockets Layer) connections"
     echo $n "[$FOO] -> $c"
     if [ -z "$AUTO_CONFIG" -o -n "$runonce" ] ; then
 	read cc
@@ -1318,7 +1313,7 @@ while [ -z "$FOO" ] ; do
     case "$cc" in
 	[Yy]*)
 	    CRYPTOIRCD="1"
-	    CRYPTOLIB="-lcrypto"
+	    CRYPTOLIB="-lssl -lcrypto"
 	    ;;
 	[Nn]*)
 	    CRYPTOIRCD=""
@@ -1779,9 +1774,9 @@ else
     echo "#undef CRYPT_OPER_PASSWORD" >> $OPTIONS_H
 fi
 if [ -n "$CRYPTOIRCD" ] ; then
-    echo "#define CRYPTOIRCD 1" >> $OPTIONS_H
+    echo "#define USE_SSL 1" >> $OPTIONS_H
 else
-    echo "#undef CRYPTOIRCD" >> $OPTIONS_H
+    echo "#undef USE_SSL" >> $OPTIONS_H
 fi
 if [ -n "$CRYPT_LINK_PASSWORD" ] ; then
     echo "#define CRYPT_LINK_PASSWORD 1" >> $OPTIONS_H
@@ -1857,6 +1852,10 @@ if [ "$OSNAME" = "Linux (with GLIBC 2.x or greater)" ]; then
    echo ""
 fi
 
+if [ -n "$CRYPTOIRCD" ] ; then
+    make pem
+fi
+
 cat << __EOF__
 
  _____________________________________________________________________

Makefile.dist

@@ -210,3 +210,8 @@ depend:
 install: all
 	@echo "Now install by hand; make install is broken."
 
+pem:	src/ssl.cnf
+	/usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \
+                -config src/ssl.cnf -out server.pem -keyout server.pem
+	/usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout \
+		-in server.pem

TODO

@@ -52,3 +52,7 @@ Assigned to DrBin:
 * Make a is_chan_op, is_chanprot, is_chanowner all-in-one function
 * Split up Link (SLink)
 * Add Dlink (DSLink)
+
+
+
+-----------------------------------------------------

include/config.h

@@ -422,7 +422,7 @@
  * Would you like all clients to see the progress of their connections?
  */
 
-#define SHOWCONNECTINFO
+#undef SHOWCONNECTINFO
 
 /*
  * SOCKS proxy checker

include/ssl.h

@@ -0,0 +1,10 @@
+/* Make these what you want for cert & key files */
+#define CERTF  "server.pem"
+#define KEYF  "server.pem"
+
+
+extern   SSL_CTX * ctx;
+extern   SSL_METHOD *meth;
+extern   void init_ssl();
+extern   int ssl_handshake(aClient *);   /* Handshake the accpeted con.*/
+extern   int ssl_client_handshake(aClient *); /* and the initiated con.*/

include/struct.h

@@ -49,7 +49,14 @@
 #ifdef CRYPTOIRCD
 #include <openssl/blowfish.h>
 #endif
-
+#ifdef USE_SSL
+#include <openssl/rsa.h>       /* SSL stuff */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>    
+#endif
 typedef struct t_fline aFline;
 typedef struct t_crline aCRline;
 typedef struct t_vhline aVHline;
@@ -217,9 +224,12 @@ typedef unsigned int u_int32_t;	/* XXX Hope this works! */
 #ifdef CRYPTOIRCD
 #define FLAGS_SECURE	0x8000000
 #endif
+#ifdef USE_SSL
+#define FLAGS_SSL	 0x10000000
+#define FLAGS_SSL_HSHAKE 0x20000000
+#endif
 
 #define FLAGS_MAP       0x80000000	/* Show this entry in /map */
-
 /* Dec 26th, 1997 - added flags2 when I ran out of room in flags -DuffJ */
 
 /* Dec 26th, 1997 - having a go at
@@ -250,7 +260,7 @@ typedef unsigned int u_int32_t;	/* XXX Hope this works! */
 #define UMODE_WHOIS    0x100000	/* gets notice on /whois */
 #define UMODE_KIX      0x200000	/* usermode +q */
 #define UMODE_BOT       0x400000	/* User is a bot */
-#define UMODE_CODER	0x800000	/* User is a network coder */
+#define UMODE_SECURE	0x800000	/* User is a secure connect */
 #define UMODE_FCLIENT  0x1000000	/* recieve client on far connects.. */
 #define UMODE_HIDING   0x2000000	/* Totally invisible .. */
 #define	UMODE_VICTIM   0x8000000	/* Intentional Victim */
@@ -259,7 +269,7 @@ typedef unsigned int u_int32_t;	/* XXX Hope this works! */
 #define UMODE_SETHOST    0x40000000	/* used sethost */
 #define UMODE_STRIPBADWORDS 0x80000000	/* */
 
-#define	SEND_UMODES	(UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_CODER|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS)
+#define	SEND_UMODES	(UMODE_INVISIBLE|UMODE_OPER|UMODE_WALLOP|UMODE_FAILOP|UMODE_HELPOP|UMODE_REGNICK|UMODE_SADMIN|UMODE_NETADMIN|UMODE_TECHADMIN|UMODE_COADMIN|UMODE_ADMIN|UMODE_SERVICES|UMODE_HIDE|UMODE_EYES|UMODE_WHOIS|UMODE_KIX|UMODE_BOT|UMODE_SECURE|UMODE_FCLIENT|UMODE_HIDING|UMODE_DEAF|UMODE_VICTIM|UMODE_HIDEOPER|UMODE_SETHOST|UMODE_STRIPBADWORDS)
 #define	ALL_UMODES (SEND_UMODES|UMODE_SERVNOTICE|UMODE_LOCOP|UMODE_KILLS|UMODE_CLIENT|UMODE_FLOOD|UMODE_CHATOP|UMODE_SERVICES|UMODE_EYES)
 #define	FLAGS_ID	(FLAGS_DOID|FLAGS_GOTID)
 
@@ -329,8 +339,13 @@ typedef unsigned int u_int32_t;	/* XXX Hope this works! */
 #define IsSecure(x)		((x)->flags & FLAGS_SECURE)
 #define SetSecure(x)		((x)->flags |= FLAGS_SECURE)
 #define ClearSecure(x)		((x)->flags &= ~FLAGS_SECURE)
+#else
+#ifdef USE_SSL
+#define IsSecure(x)		((x)->flags & FLAGS_SSL)
+#else
+#define IsSecure(x)		(0)
+#endif
 #endif
-
 
 #define IsHybNotice(x)		((x)->flags & FLAGS_HYBNOTICE)
 #define SetHybNotice(x)         ((x)->flags |= FLAGS_HYBNOTICE)
@@ -792,6 +807,7 @@ struct t_vhline {
 #define LISTENER_REMOTEADMIN	0x000008
 #define LISTENER_JAVACLIENT	0x000010
 #define LISTENER_MASK		0x000020
+#define LISTENER_SSL		0x000040
 
 struct Client {
 	struct Client *next, *prev, *hnext;
@@ -842,6 +858,10 @@ struct Client {
 #ifdef CRYPTOIRCD
 	aCryptInfo *cryptinfo;	/* crypt */
 #endif
+#ifdef USE_SSL
+	struct	SSL	*ssl;
+	struct X509	*client_cert;	
+#endif
 #ifndef NO_FDLIST
 	long lastrecvM;		/* to check for activity --Mika */
 	int  priority;
@@ -1073,6 +1093,7 @@ struct Channel {
 #endif
 #define MODE_NOCTCP		0x10000000
 #define MODE_AUDITORIUM		0x20000000
+#define MODE_ONLYSECURE		0x40000000
 
 #define is_halfop is_half_op
 /*
@@ -1164,5 +1185,8 @@ extern char *gnulicense[];
 
 #define	FLUSH_BUFFER	-2
 #define	COMMA		","
+#ifdef USE_SSL
+#include "ssl.h"
+#endif
 
 #endif /* __struct_include__ */

include/sys.h

@@ -53,7 +53,9 @@
 # include <string.h>
 # endif
 #endif
-
+#ifdef SSL
+#include <openssl/ssl.h>
+#endif
 #ifndef GOT_STRCASECMP
 #define	strcasecmp	mycmp
 #define	strncasecmp	myncmp

networks/unrealircd.conf

@@ -8,7 +8,7 @@ Exp $
 # 
 # change the filename to what network header file you use
 # relative to DPATH
-Include .................: networks/unreal-test.network
+Include .................: networks/roxnet.network
 
 #
 # What K:Line address can K:lined users mail at?

src/Makefile

@@ -27,7 +27,7 @@ OBJS=agent.o aln.o badwords.o bsd.o channel.o class.o cloak.o crule.o dbuf.o dyn
 	fdlist.o hash.o help.o ircd.o ircsprintf.o list.o lusers.o \
 	match.o packet.o parse.o $(REGEX) res.o $(RES) s_auth.o \
 	s_bsd.o s_conf.o s_debug.o s_err.o s_extra.o s_kline.o \
-	s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) s_unreal.o \
+	s_misc.o s_numeric.o s_serv.o s_socks.o $(STRTOUL) ssl.o s_unreal.o \
 	s_user.o scache.o send.o support.o userload.o version.o webtv.o \
 	whowas.o zip.o
 
@@ -59,7 +59,8 @@ version.o: version.c ../include/version.h
 	$(CC) $(CFLAGS) -c version.c
 
 ircd: $(OBJS) 
-	$(CC) $(CFLAGS) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB)
+#	$(CC) $(CFLAGS) $(CRYPTOLIB) -o ircd $(OBJS) $(LDFLAGS) $(IRCDLIBS) -lssl
+	$(CC) $(CFLAGS) -o ircd $(CRYPTOLIB) $(OBJS) $(LDFLAGS) $(IRCDLIBS) $(CRYPTOLIB)
 	chmod $(IRCDMODE) ircd
 
 chkconf: ../include/struct.h ../include/config.h ../include/settings.h ../include/sys.h \
@@ -102,6 +103,9 @@ send.o: send.c $(INCLUDES)
 webtv.o: webtv.c $(INCLUDES)
 	$(CC) $(CFLAGS) -c webtv.c
 
+ssl.o: ssl.c $(INCLUDES)
+	$(CC) $(CFLAGS) -c ssl.c
+
 match.o: match.c $(INCLUDES)
 	$(CC) $(CFLAGS) -c match.c
 

src/bsd.c

@@ -118,10 +118,18 @@ int  deliver_it(cptr, str, len)
 		    cptr->name, cptr->status, IsDead(cptr) ? "DEAD" : "", str);
 		return -1;
 	}
+
+#ifdef USE_SSL
+	if (cptr->flags & FLAGS_SSL)
+		 retval = SSL_write((SSL *)cptr->ssl, str, len);	
+	else
+		retval = send(cptr->fd, str, len, 0);
+#else
 #ifndef INET6
 	retval = send(cptr->fd, str, len, 0);
 #else
 	retval = sendto(cptr->fd, str, len, 0, 0, 0);
+#endif
 #endif
 	/*
 	   ** Convert WOULDBLOCK to a return of "0 bytes moved". This

src/channel.c

@@ -148,6 +148,7 @@ aCtab cFlagTab[] = {
 #endif
 	{MODE_NOCTCP, 'C', 0, 0},	/* no CTCPs */
 	{MODE_AUDITORIUM, 'u', 0, 0},
+	{MODE_ONLYSECURE, 'z', 0, 0},
 	{0x0, 0x0, 0x0}
 };
 #endif
@@ -1583,6 +1584,7 @@ int  do_mode_char(chptr, modetype, modechar, param, what, cptr, pcount, pvar,
 	  case MODE_STRIPBADWORDS:
 #endif
 	  case MODE_NOCTCP:
+	  case MODE_ONLYSECURE:
 	  case MODE_NOINVITE:
 		setthephuckingmode:
 		  /* +sp bugfix.. */
@@ -2246,6 +2248,11 @@ static int can_join(cptr, sptr, chptr, key, link, parv)
 /*    if ((chptr->mode.mode & MODE_OPERONLY) && IsOper(sptr)) {
     	goto admok;
     } */
+	if ((chptr->mode.mode & MODE_ONLYSECURE) &&
+		!(sptr->umodes & UMODE_SECURE))
+	{
+		return (ERR_BANNEDFROMCHAN);	
+	}
 	if ((chptr->mode.mode & MODE_OPERONLY) && !IsOper(sptr))
 	{
 		return (ERR_OPERONLY);
@@ -2259,7 +2266,7 @@ static int can_join(cptr, sptr, chptr, key, link, parv)
 	if ((chptr->mode.mode & MODE_NOHIDING) && IsHiding(sptr))
 		return (ERR_NOHIDING);
 
-	if ((IsOper(sptr) && !(chptr->mode.mode & MODE_ADMONLY)))
+	if ((IsOper(sptr) && !((chptr->mode.mode & MODE_ADMONLY))))
 	{
 		return 0;	/* may override */
 	}

src/ircd.c

@@ -1125,7 +1125,9 @@ int  InitwIRCD(argc, argv)
 #endif
 	check_class();
 	write_pidfile();
-
+#ifdef USE_SSL
+	init_ssl();
+#endif
 	Debug((DEBUG_NOTICE, "Server ready..."));
 #ifdef USE_SYSLOG
 	syslog(LOG_NOTICE, "Server Ready");