2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
5 * Copyright (C) 2006 Craig Edwards <craigedwards@brainbox.cc>
7 * This file is part of InspIRCd. InspIRCd is free software: you can
8 * redistribute it and/or modify it under the terms of the GNU General Public
9 * License as published by the Free Software Foundation, version 2.
11 * This program is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
13 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
26 /** ssl_cert is a class which abstracts SSL certificate
27 * and key information.
29 * Because gnutls and openssl represent key information in
30 * wildly different ways, this class allows it to be accessed
31 * in a unified manner. These classes are attached to ssl-
32 * connected local users using SSLCertExt
34 class ssl_cert : public refcountbase
40 std::string fingerprint;
41 bool trusted, invalid, unknownsigner, revoked;
43 ssl_cert() : trusted(false), invalid(true), unknownsigner(true), revoked(false) {}
45 /** Get certificate distinguished name
46 * @return Certificate DN
48 const std::string& GetDN()
53 /** Get Certificate issuer
54 * @return Certificate issuer
56 const std::string& GetIssuer()
61 /** Get error string if an error has occured
62 * @return The error associated with this users certificate,
63 * or an empty string if there is no error.
65 const std::string& GetError()
70 /** Get key fingerprint.
71 * @return The key fingerprint as a hex string.
73 const std::string& GetFingerprint()
79 * @return True if this is a trusted certificate
80 * (the certificate chain validates)
87 /** Get validity status
88 * @return True if the certificate itself is
97 * @return True if the certificate appears to be
100 bool IsUnknownSigner()
102 return unknownsigner;
105 /** Get revokation status.
106 * @return True if the certificate is revoked.
107 * Note that this only works properly for GnuTLS
117 return trusted && !invalid && !revoked && !unknownsigner && error.empty();
120 std::string GetMetaLine()
122 std::stringstream value;
123 bool hasError = !error.empty();
124 value << (IsInvalid() ? "v" : "V") << (IsTrusted() ? "T" : "t") << (IsRevoked() ? "R" : "r")
125 << (IsUnknownSigner() ? "s" : "S") << (hasError ? "E" : "e") << " ";
129 value << GetFingerprint() << " " << GetDN() << " " << GetIssuer();
134 class SSLIOHook : public IOHook
137 /** Peer SSL certificate, set by the SSL module
139 reference<ssl_cert> certificate;
141 /** Reduce elements in a send queue by appending later elements to the first element until there are no more
142 * elements to append or a desired length is reached
143 * @param sendq SendQ to work on
144 * @param targetsize Target size of the front element
146 static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize)
148 if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
151 // Avoid multiple repeated SSL encryption invocations
152 // This adds a single copy of the queue, but avoids
153 // much more overhead in terms of system calls invoked
156 tmp.reserve(std::min(targetsize, sendq.bytes())+1);
159 tmp.append(sendq.front());
162 while (!sendq.empty() && tmp.length() < targetsize);
163 sendq.push_front(tmp);
167 static SSLIOHook* IsSSL(StreamSocket* sock)
169 IOHook* const iohook = sock->GetIOHook();
170 if ((iohook) && ((iohook->prov->type == IOHookProvider::IOH_SSL)))
171 return static_cast<SSLIOHook*>(iohook);
175 SSLIOHook(IOHookProvider* hookprov)
181 * Get the certificate sent by this peer
182 * @return The SSL certificate sent by the peer, NULL if no cert was sent
184 ssl_cert* GetCertificate() const
190 * Get the fingerprint of the peer's certificate
191 * @return The fingerprint of the SSL client certificate sent by the peer,
192 * empty if no cert was sent
194 std::string GetFingerprint() const
196 ssl_cert* cert = GetCertificate();
198 return cert->GetFingerprint();
203 * Get the ciphersuite negotiated with the peer
204 * @param out String where the ciphersuite string will be appended to
206 virtual void GetCiphersuite(std::string& out) const = 0;
209 /** Retrieves the name of the SSL connection which is sent via SNI.
210 * @param out String that the server name will be appended to.
211 * returns True if the server name was retrieved; otherwise, false.
213 virtual bool GetServerName(std::string& out) const = 0;
216 /** Helper functions for obtaining SSL client certificates and key fingerprints
223 * Get the client certificate from a socket
224 * @param sock The socket to get the certificate from, the socket does not have to use SSL
225 * @return The SSL client certificate information, NULL if the peer is not using SSL
227 static ssl_cert* GetCertificate(StreamSocket* sock)
229 SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock);
233 return ssliohook->GetCertificate();
237 * Get the fingerprint of a client certificate from a socket
238 * @param sock The socket to get the certificate fingerprint from, the
239 * socket does not have to use SSL
240 * @return The key fingerprint from the SSL certificate sent by the peer,
241 * empty if no cert was sent or the peer is not using SSL
243 static std::string GetFingerprint(StreamSocket* sock)
245 ssl_cert* cert = SSLClientCert::GetCertificate(sock);
247 return cert->GetFingerprint();
252 class UserCertificateAPIBase : public DataProvider
255 UserCertificateAPIBase(Module* parent)
256 : DataProvider(parent, "m_sslinfo_api")
260 /** Get the SSL certificate of a user
261 * @param user The user whose certificate to get, user may be remote
262 * @return The SSL certificate of the user or NULL if the user is not using SSL
264 virtual ssl_cert* GetCertificate(User* user) = 0;
266 /** Get the key fingerprint from a user's certificate
267 * @param user The user whose key fingerprint to get, user may be remote
268 * @return The key fingerprint from the user's SSL certificate or an empty string
269 * if the user is not using SSL or did not provide a client certificate
271 std::string GetFingerprint(User* user)
273 ssl_cert* cert = GetCertificate(user);
275 return cert->GetFingerprint();
280 /** API implemented by m_sslinfo that allows modules to retrive the SSL certificate
281 * information of local and remote users. It can also be used to find out whether a
282 * user is using SSL or not.
284 class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
287 UserCertificateAPI(Module* parent)
288 : dynamic_reference<UserCertificateAPIBase>(parent, "m_sslinfo_api")