summaryrefslogtreecommitdiff
path: root/src/modules
diff options
context:
space:
mode:
authorbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>2006-09-03 17:29:29 +0000
committerbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>2006-09-03 17:29:29 +0000
commitb02af8b2a9787c3fad7e317540dbfef72610d53e (patch)
treea8561af8ae59f008360ff05ea616b4b1b2e92aaa /src/modules
parent13aeb82ad2462d3eb2952365fd944c8837d55ea8 (diff)
Obtaining of ssl cert in gnutls module and placing it into a class which is extended to the user, type ssl_cert.
In a while the openssl module will also populate this same high level class with data git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@5123 e03df62e-2008-0410-955e-edbf42e46eb7
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp158
-rw-r--r--src/modules/extra/ssl_cert.h93
2 files changed, 238 insertions, 13 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index d39a1cc78..1ce19b29f 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -2,6 +2,7 @@
#include <vector>
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include "inspircd_config.h"
#include "configreader.h"
@@ -13,6 +14,8 @@
#include "hashcomp.h"
#include "inspircd.h"
+#include "ssl_cert.h"
+
/* $ModDesc: Provides SSL support for clients */
/* $CompileFlags: `libgnutls-config --cflags` */
/* $LinkerFlags: `libgnutls-config --libs` `perl ../gnutls_rpath.pl` */
@@ -214,6 +217,13 @@ class ModuleSSLGnuTLS : public Module
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: Adding user %s to cull list", user->nick);
culllist->AddItem(user, "SSL module unloading");
}
+ if (user->GetExt("ssl_cert", dummy) && isin(user->GetPort(), listenports))
+ {
+ ssl_cert* tofree;
+ user->GetExt("ssl_cert", tofree);
+ delete tofree;
+ user->Shrink("ssl_cert");
+ }
}
}
@@ -265,7 +275,7 @@ class ModuleSSLGnuTLS : public Module
*/
gnutls_transport_set_ptr(session->sess, (gnutls_transport_ptr_t) fd); // Give gnutls the fd for the socket.
-
+
Handshake(session);
}
@@ -273,13 +283,23 @@ class ModuleSSLGnuTLS : public Module
{
ServerInstance->Log(DEBUG, "OnRawSocketClose: %d", fd);
CloseSession(&sessions[fd]);
+
+ EventHandler* user = ServerInstance->SE->GetRef(fd);
+
+ if ((user) && (user->GetExt("ssl_cert", dummy)))
+ {
+ ssl_cert* tofree;
+ user->GetExt("ssl_cert", tofree);
+ delete tofree;
+ user->Shrink("ssl_cert");
+ }
}
virtual int OnRawSocketRead(int fd, char* buffer, unsigned int count, int &readresult)
{
issl_session* session = &sessions[fd];
- if(!session->sess)
+ if (!session->sess)
{
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: No session to read from");
readresult = 0;
@@ -289,7 +309,7 @@ class ModuleSSLGnuTLS : public Module
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead(%d, buffer, %u, %d)", fd, count, readresult);
- if(session->status == ISSL_HANDSHAKING_READ)
+ if (session->status == ISSL_HANDSHAKING_READ)
{
// The handshake isn't finished, try to finish it.
@@ -305,7 +325,7 @@ class ModuleSSLGnuTLS : public Module
return -1;
}
}
- else if(session->status == ISSL_HANDSHAKING_WRITE)
+ else if (session->status == ISSL_HANDSHAKING_WRITE)
{
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: handshake wants to write data but we are currently reading");
return -1;
@@ -313,7 +333,7 @@ class ModuleSSLGnuTLS : public Module
// If we resumed the handshake then session->status will be ISSL_HANDSHAKEN.
- if(session->status == ISSL_HANDSHAKEN)
+ if (session->status == ISSL_HANDSHAKEN)
{
// Is this right? Not sure if the unencrypted data is garaunteed to be the same length.
// Read into the inbuffer, offset from the beginning by the amount of data we have that insp hasn't taken yet.
@@ -321,7 +341,7 @@ class ModuleSSLGnuTLS : public Module
int ret = gnutls_record_recv(session->sess, session->inbuf + session->inbufoffset, inbufsize - session->inbufoffset);
- if(ret == 0)
+ if (ret == 0)
{
// Client closed connection.
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: Client closed the connection");
@@ -329,9 +349,9 @@ class ModuleSSLGnuTLS : public Module
CloseSession(session);
return 1;
}
- else if(ret < 0)
+ else if (ret < 0)
{
- if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
+ if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
{
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: Not all SSL data read: %s", gnutls_strerror(ret));
return -1;
@@ -350,8 +370,6 @@ class ModuleSSLGnuTLS : public Module
// 'buffer' is 'count' long
unsigned int length = ret + session->inbufoffset;
-
- ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: Read %d bytes, now have %d waiting to be passed up", ret, length);
if(count <= length)
{
@@ -415,7 +433,6 @@ class ModuleSSLGnuTLS : public Module
ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: handshake wants to read data but we are currently writing");
}
- ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: Adding %d bytes to the outgoing buffer", count);
session->outbuf.append(sendbuffer, count);
sendbuffer = session->outbuf.c_str();
count = session->outbuf.size();
@@ -443,7 +460,6 @@ class ModuleSSLGnuTLS : public Module
}
else
{
- ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: Successfully wrote %d bytes", ret);
session->outbuf = session->outbuf.substr(ret);
}
}
@@ -498,7 +514,7 @@ class ModuleSSLGnuTLS : public Module
{
int ret = gnutls_handshake(session->sess);
- if(ret < 0)
+ if(ret < 0)
{
if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
{
@@ -566,6 +582,8 @@ class ModuleSSLGnuTLS : public Module
event->Send(ServerInstance); // Trigger the event. We don't care what module picks it up.
DELETE(event);
DELETE(metadata);
+
+ VerifyCertificate(&sessions[user->GetFd()],user);
}
}
@@ -592,6 +610,120 @@ class ModuleSSLGnuTLS : public Module
session->sess = NULL;
session->status = ISSL_NONE;
}
+
+ void VerifyCertificate(issl_session* session, userrec* user)
+ {
+ unsigned int status;
+ const gnutls_datum_t* cert_list;
+ int ret;
+ unsigned int cert_list_size, name_size;
+ gnutls_x509_crt_t cert;
+ char name[MAXBUF];
+ ssl_cert* certinfo = new ssl_cert;
+
+ user->Extend("ssl_cert",certinfo);
+
+ /* This verification function uses the trusted CAs in the credentials
+ * structure. So you must have installed one or more CA certificates.
+ */
+ ret = gnutls_certificate_verify_peers2(session->sess, &status);
+
+ if (ret < 0)
+ {
+ certinfo->data.insert(std::make_pair("error",std::string(gnutls_strerror(ret))));
+ return;
+ }
+
+ if (status & GNUTLS_CERT_INVALID)
+ {
+ certinfo->data.insert(std::make_pair("invalid",ConvToStr(1)));
+ }
+ else
+ {
+ certinfo->data.insert(std::make_pair("invalid",ConvToStr(0)));
+ }
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ {
+ certinfo->data.insert(std::make_pair("unknownsigner",ConvToStr(1)));
+ }
+ else
+ {
+ certinfo->data.insert(std::make_pair("unknownsigner",ConvToStr(0)));
+ }
+ if (status & GNUTLS_CERT_REVOKED)
+ {
+ certinfo->data.insert(std::make_pair("revoked",ConvToStr(1)));
+ }
+ else
+ {
+ certinfo->data.insert(std::make_pair("revoked",ConvToStr(0)));
+ }
+ if (status & GNUTLS_CERT_SIGNER_NOT_CA)
+ {
+ certinfo->data.insert(std::make_pair("trusted",ConvToStr(0)));
+ }
+ else
+ {
+ certinfo->data.insert(std::make_pair("trusted",ConvToStr(1)));
+ }
+
+ /* Up to here the process is the same for X.509 certificates and
+ * OpenPGP keys. From now on X.509 certificates are assumed. This can
+ * be easily extended to work with openpgp keys as well.
+ */
+ if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
+ {
+ certinfo->data.insert(std::make_pair("error","No X509 keys sent"));
+ return;
+ }
+
+ ret = gnutls_x509_crt_init(&cert);
+ if (ret < 0)
+ {
+ certinfo->data.insert(std::make_pair("error",gnutls_strerror(ret)));
+ return;
+ }
+
+ cert_list = gnutls_certificate_get_peers(session->sess, &cert_list_size);
+ if (cert_list == NULL)
+ {
+ certinfo->data.insert(std::make_pair("error","No certificate was found"));
+ return;
+ }
+
+ /* This is not a real world example, since we only check the first
+ * certificate in the given chain.
+ */
+
+ ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ {
+ certinfo->data.insert(std::make_pair("error",gnutls_strerror(ret)));
+ return;
+ }
+
+ name_size = sizeof(name);
+ gnutls_x509_crt_get_dn(cert, name, &name_size);
+
+ certinfo->data.insert(std::make_pair("dn",name));
+
+ name_size = sizeof(name);
+ gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
+
+ certinfo->data.insert(std::make_pair("issuer",name));
+
+ /* Beware here we do not check for errors.
+ */
+ if ((gnutls_x509_crt_get_expiration_time(cert) < time(0)) || (gnutls_x509_crt_get_activation_time(cert) > time(0)))
+ {
+ certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate"));
+ }
+
+ gnutls_x509_crt_deinit(cert);
+
+ return;
+ }
+
};
class ModuleSSLGnuTLSFactory : public ModuleFactory
diff --git a/src/modules/extra/ssl_cert.h b/src/modules/extra/ssl_cert.h
new file mode 100644
index 000000000..fbbd821ac
--- /dev/null
+++ b/src/modules/extra/ssl_cert.h
@@ -0,0 +1,93 @@
+#ifndef __SSL_CERT_H__
+#define __SSL_CERT_H__
+
+#include <map>
+#include <string>
+
+typedef std::map<std::string,std::string> ssl_data;
+typedef ssl_data::iterator ssl_data_iter;
+
+class ssl_cert
+{
+ const std::string empty;
+
+ public:
+ ssl_data data;
+
+ ssl_cert() : empty("")
+ {
+ }
+
+ const std::string& GetDN()
+ {
+ ssl_data_iter ssldi = data.find("dn");
+
+ if (ssldi != data.end())
+ return ssldi->second;
+ else
+ return empty;
+ }
+
+ const std::string& GetIssuer()
+ {
+ ssl_data_iter ssldi = data.find("issuer");
+
+ if (ssldi != data.end())
+ return ssldi->second;
+ else
+ return empty;
+ }
+
+ const std::string& GetError()
+ {
+ ssl_data_iter ssldi = data.find("error");
+
+ if (ssldi != data.end())
+ return ssldi->second;
+ else
+ return empty;
+ }
+
+ bool IsTrusted()
+ {
+ ssl_data_iter ssldi = data.find("trusted");
+
+ if (ssldi != data.end())
+ return (ssldi->second == "1");
+ else
+ return false;
+ }
+
+ bool IsInvalid()
+ {
+ ssl_data_iter ssldi = data.find("invalid");
+
+ if (ssldi != data.end())
+ return (ssldi->second == "1");
+ else
+ return false;
+ }
+
+ bool IsUnknownSigner()
+ {
+ ssl_data_iter ssldi = data.find("unknownsigner");
+
+ if (ssldi != data.end())
+ return (ssldi->second == "1");
+ else
+ return false;
+ }
+
+ bool IsRevoked()
+ {
+ ssl_data_iter ssldi = data.find("revoked");
+
+ if (ssldi != data.end())
+ return (ssldi->second == "1");
+ else
+ return false;
+ }
+};
+
+#endif
+