authorDaniel Vassdal <shutter@canternet.org>2013-07-02 12:35:52 +0200
committerDaniel Vassdal <shutter@canternet.org>2013-07-06 08:21:31 -0700
commitb31b911bba26d59ba6b44cf314b6b0e3e58e6d85 (patch)
treee16459f7fc7484883a9bec0f08de084ff3c3443f /src
parent27ae66eb3fb7056570936e7f4655ec3128bac2a7 (diff)
Allow the user to specify any hashing mechanism supported by the underlying SSL library
Diffstat (limited to 'src')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp22
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp8
2 files changed, 25 insertions, 5 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index f6268c8d6..c303aa98f 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -28,6 +28,11 @@
#include "modules/ssl.h"
#include "modules/cap.h"
+#if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 9) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 9 && GNUTLS_VERSION_PATCH >= 8))
+#define GNUTLS_HAS_MAC_GET_ID
+#include <gnutls/crypto.h>
+#endif
+
#ifdef _WIN32
# pragma comment(lib, "libgnutls.lib")
# pragma comment(lib, "libgcrypt.lib")
@@ -701,13 +706,28 @@ class ModuleSSLGnuTLS : public Module
iohook.dh_bits = dh_bits;
+ // As older versions of gnutls can't do this, let's disable it where needed.
+#ifdef GNUTLS_HAS_MAC_GET_ID
+ // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this
+ // There is no gnutls_dig_get_id() at the moment, but it may come later
+ iohook.hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());
+ if (iohook.hash == GNUTLS_DIG_UNKNOWN)
+ throw ModuleException("Unknown hash type " + hashname);
+
+ // Check if the user is walking around with their head in the ass,
+ // giving us something that is a valid MAC but not digest
+ gnutls_hash_hd_t is_digest;
+ if (gnutls_hash_init(&is_digest, iohook.hash) < 0)
+ throw ModuleException("Unknown hash type " + hashname);
+ gnutls_hash_deinit(is_digest, NULL);
+#else
if (hashname == "md5")
iohook.hash = GNUTLS_DIG_MD5;
else if (hashname == "sha1")
iohook.hash = GNUTLS_DIG_SHA1;
else
throw ModuleException("Unknown hash type " + hashname);
-
+#endif
int ret;
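Review bot: `iohook.hash` is overwritten before either check runs, so when the name is unknown or names a MAC-only algorithm the exception leaves the hook holding `GNUTLS_DIG_UNKNOWN` or a non-digest id instead of the previously working value. If this code is reached on a rehash of a running module (the enclosing function starts and ends outside the hunk, so that is not confirmed here), later fingerprinting would use that value. Resolve into a local first, e.g. `gnutls_digest_algorithm_t newhash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());`, run both checks on `newhash`, and assign `iohook.hash = newhash;` only after `gnutls_hash_deinit`. The OpenSSL hunk at `iohook.digest = EVP_get_digestbyname(hash.c_str());` has the same ordering and would leave `iohook.digest` NULL after the throw.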
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 8a516b7ae..ddecb8d00 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -177,7 +177,6 @@ class OpenSSLIOHook : public SSLIOHook
session->cert = certinfo;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
cert = SSL_get_peer_certificate((SSL*)session->sess);
@@ -224,7 +223,7 @@ class OpenSSLIOHook : public SSLIOHook
issl_session* sessions;
SSL_CTX* ctx;
SSL_CTX* clictx;
- bool use_sha;
+ const EVP_MD *digest;
OpenSSLIOHook(Module* mod)
: SSLIOHook(mod, "ssl/openssl")
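Review bot: The new `const EVP_MD *digest` member is not set in the visible part of the constructor's initializer list, so unless the rest of the constructor (outside this hunk) assigns it, the pointer is indeterminate until the config is read. Initialising it explicitly, `: SSLIOHook(mod, "ssl/openssl"), digest(NULL)`, would turn a use before configuration into a checkable NULL rather than a wild pointer. A one-line comment on the member saying the pointer refers to a library-owned digest description and must not be freed would also help the next reader.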
@@ -566,9 +565,10 @@ class ModuleSSLOpenSSL : public Module
keyfile = conf->getString("keyfile", CONFIG_PATH "/key.pem");
dhfile = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem");
std::string hash = conf->getString("hash", "md5");
- if (hash != "sha1" && hash != "md5")
+
+ iohook.digest = EVP_get_digestbyname(hash.c_str());
+ if (iohook.digest == NULL)
throw ModuleException("Unknown hash type " + hash);
- iohook.use_sha = (hash == "sha1");
std::string ciphers = conf->getString("ciphers", "");
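Review bot: The default is still `md5` and every name `EVP_get_digestbyname` resolves is now accepted, so certificate fingerprints can be computed with a collision-prone or legacy digest without anything in the log saying so. If these fingerprints are used to identify clients (not visible in this hunk), a warning when the configured hash is `md5` would help operators notice; at minimum add a comment such as `// md5 stays the default only for compatibility with existing fingerprints; prefer sha256 for new configs`. On OpenSSL builds where digests must be registered before lookup by name, a valid name can also be rejected here if registration has not happened yet, which this hunk does not show.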