2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2019 B00mX0r <b00mx0r@aureus.pw>
5 * Copyright (C) 2018 Dylan Frank <b00mx0r@aureus.pw>
6 * Copyright (C) 2013, 2017-2019 Sadie Powell <sadie@witchery.services>
7 * Copyright (C) 2013, 2015-2016 Attila Molnar <attilamolnar@hush.com>
8 * Copyright (C) 2012 Robby <robby@chatbelgie.be>
9 * Copyright (C) 2012 ChrisTX <xpipe@hotmail.de>
10 * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
11 * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
12 * Copyright (C) 2006 Craig Edwards <brain@inspircd.org>
14 * This file is part of InspIRCd. InspIRCd is free software: you can
15 * redistribute it and/or modify it under the terms of the GNU General Public
16 * License as published by the Free Software Foundation, version 2.
18 * This program is distributed in the hope that it will be useful, but WITHOUT
19 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
20 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
23 * You should have received a copy of the GNU General Public License
24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
33 /** ssl_cert is a class which abstracts SSL certificate
34 * and key information.
36 * Because gnutls and openssl represent key information in
37 * wildly different ways, this class allows it to be accessed
38 * in a unified manner. These classes are attached to ssl-
39 * connected local users using SSLCertExt
41 class ssl_cert : public refcountbase
47 std::string fingerprint;
48 bool trusted, invalid, unknownsigner, revoked;
50 ssl_cert() : trusted(false), invalid(true), unknownsigner(true), revoked(false) {}
52 /** Get certificate distinguished name
53 * @return Certificate DN
55 const std::string& GetDN()
60 /** Get Certificate issuer
61 * @return Certificate issuer
63 const std::string& GetIssuer()
68 /** Get error string if an error has occured
69 * @return The error associated with this users certificate,
70 * or an empty string if there is no error.
72 const std::string& GetError()
77 /** Get key fingerprint.
78 * @return The key fingerprint as a hex string.
80 const std::string& GetFingerprint()
86 * @return True if this is a trusted certificate
87 * (the certificate chain validates)
94 /** Get validity status
95 * @return True if the certificate itself is
103 /** Get signer status
104 * @return True if the certificate appears to be
107 bool IsUnknownSigner()
109 return unknownsigner;
112 /** Get revokation status.
113 * @return True if the certificate is revoked.
114 * Note that this only works properly for GnuTLS
122 /** Get certificate usability
123 * @return True if the certificate is not expired nor revoked
127 return !invalid && !revoked && error.empty();
130 /** Get CA trust status
131 * @return True if the certificate is issued by a CA
136 return IsUsable() && trusted && !unknownsigner;
139 std::string GetMetaLine()
141 std::stringstream value;
142 bool hasError = !error.empty();
143 value << (IsInvalid() ? "v" : "V") << (IsTrusted() ? "T" : "t") << (IsRevoked() ? "R" : "r")
144 << (IsUnknownSigner() ? "s" : "S") << (hasError ? "E" : "e") << " ";
148 value << GetFingerprint() << " " << GetDN() << " " << GetIssuer();
153 class SSLIOHook : public IOHook
156 /** Peer SSL certificate, set by the SSL module
158 reference<ssl_cert> certificate;
160 /** Reduce elements in a send queue by appending later elements to the first element until there are no more
161 * elements to append or a desired length is reached
162 * @param sendq SendQ to work on
163 * @param targetsize Target size of the front element
165 static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize)
167 if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
170 // Avoid multiple repeated SSL encryption invocations
171 // This adds a single copy of the queue, but avoids
172 // much more overhead in terms of system calls invoked
175 tmp.reserve(std::min(targetsize, sendq.bytes())+1);
178 tmp.append(sendq.front());
181 while (!sendq.empty() && tmp.length() < targetsize);
182 sendq.push_front(tmp);
186 static SSLIOHook* IsSSL(StreamSocket* sock)
188 IOHook* const iohook = sock->GetIOHook();
189 if ((iohook) && ((iohook->prov->type == IOHookProvider::IOH_SSL)))
190 return static_cast<SSLIOHook*>(iohook);
194 SSLIOHook(IOHookProvider* hookprov)
200 * Get the certificate sent by this peer
201 * @return The SSL certificate sent by the peer, NULL if no cert was sent
203 virtual ssl_cert* GetCertificate() const
209 * Get the fingerprint of the peer's certificate
210 * @return The fingerprint of the SSL client certificate sent by the peer,
211 * empty if no cert was sent
213 virtual std::string GetFingerprint() const
215 ssl_cert* cert = GetCertificate();
216 if (cert && cert->IsUsable())
217 return cert->GetFingerprint();
222 * Get the ciphersuite negotiated with the peer
223 * @param out String where the ciphersuite string will be appended to
225 virtual void GetCiphersuite(std::string& out) const = 0;
228 /** Retrieves the name of the SSL connection which is sent via SNI.
229 * @param out String that the server name will be appended to.
230 * returns True if the server name was retrieved; otherwise, false.
232 virtual bool GetServerName(std::string& out) const = 0;
235 /** Helper functions for obtaining SSL client certificates and key fingerprints
242 * Get the client certificate from a socket
243 * @param sock The socket to get the certificate from, the socket does not have to use SSL
244 * @return The SSL client certificate information, NULL if the peer is not using SSL
246 static ssl_cert* GetCertificate(StreamSocket* sock)
248 SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock);
252 return ssliohook->GetCertificate();
256 * Get the fingerprint of a client certificate from a socket
257 * @param sock The socket to get the certificate fingerprint from, the
258 * socket does not have to use SSL
259 * @return The key fingerprint from the SSL certificate sent by the peer,
260 * empty if no cert was sent or the peer is not using SSL
262 static std::string GetFingerprint(StreamSocket* sock)
264 ssl_cert* cert = SSLClientCert::GetCertificate(sock);
266 return cert->GetFingerprint();
271 class UserCertificateAPIBase : public DataProvider
274 UserCertificateAPIBase(Module* parent)
275 : DataProvider(parent, "m_sslinfo_api")
279 /** Get the SSL certificate of a user
280 * @param user The user whose certificate to get, user may be remote
281 * @return The SSL certificate of the user or NULL if the user is not using SSL
283 virtual ssl_cert* GetCertificate(User* user) = 0;
285 /** Set the SSL certificate of a user.
286 * @param user The user whose certificate to set.
287 * @param cert The SSL certificate to set for the user.
289 virtual void SetCertificate(User* user, ssl_cert* cert) = 0;
291 /** Get the key fingerprint from a user's certificate
292 * @param user The user whose key fingerprint to get, user may be remote
293 * @return The key fingerprint from the user's SSL certificate or an empty string
294 * if the user is not using SSL or did not provide a client certificate
296 std::string GetFingerprint(User* user)
298 ssl_cert* cert = GetCertificate(user);
300 return cert->GetFingerprint();
305 /** API implemented by m_sslinfo that allows modules to retrive the SSL certificate
306 * information of local and remote users. It can also be used to find out whether a
307 * user is using SSL or not.
309 class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
312 UserCertificateAPI(Module* parent)
313 : dynamic_reference<UserCertificateAPIBase>(parent, "m_sslinfo_api")