2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
5 * Copyright (C) 2008 John Brooks <john.brooks@dereferenced.net>
6 * Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
7 * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
8 * Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
10 * This file is part of InspIRCd. InspIRCd is free software: you can
11 * redistribute it and/or modify it under the terms of the GNU General Public
12 * License as published by the Free Software Foundation, version 2.
14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
19 * You should have received a copy of the GNU General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include <gnutls/gnutls.h>
26 #include <gnutls/x509.h>
27 #include "modules/ssl.h"
28 #include "modules/cap.h"
31 #if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 9) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 9 && GNUTLS_VERSION_PATCH >= 8))
32 #define GNUTLS_HAS_MAC_GET_ID
33 #include <gnutls/crypto.h>
36 #if (GNUTLS_VERSION_MAJOR > 2 || GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 12)
37 # define GNUTLS_HAS_RND
43 # pragma comment(lib, "libgnutls.lib")
44 # pragma comment(lib, "libgcrypt.lib")
45 # pragma comment(lib, "libgpg-error.lib")
46 # pragma comment(lib, "user32.lib")
47 # pragma comment(lib, "advapi32.lib")
48 # pragma comment(lib, "libgcc.lib")
49 # pragma comment(lib, "libmingwex.lib")
50 # pragma comment(lib, "gdi32.lib")
53 /* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") eval("print `libgcrypt-config --cflags | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") -Wno-pedantic */
54 /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") eval("print `libgcrypt-config --libs | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") */
56 #ifndef GNUTLS_VERSION_MAJOR
57 #define GNUTLS_VERSION_MAJOR LIBGNUTLS_VERSION_MAJOR
58 #define GNUTLS_VERSION_MINOR LIBGNUTLS_VERSION_MINOR
59 #define GNUTLS_VERSION_PATCH LIBGNUTLS_VERSION_PATCH
62 // These don't exist in older GnuTLS versions
63 #if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 1) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 1 && GNUTLS_VERSION_PATCH >= 7))
64 #define GNUTLS_NEW_PRIO_API
67 #if(GNUTLS_VERSION_MAJOR < 2)
68 typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
69 typedef gnutls_dh_params_t gnutls_dh_params;
72 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
74 #if (GNUTLS_VERSION_MAJOR > 2 || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR >= 12))
75 #define GNUTLS_NEW_CERT_CALLBACK_API
76 typedef gnutls_retr2_st cert_cb_last_param_type;
78 typedef gnutls_retr_st cert_cb_last_param_type;
81 class RandGen : public HandlerBase2<void, char*, size_t>
85 void Call(char* buffer, size_t len)
88 gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);
90 gcry_randomize(buffer, len, GCRY_STRONG_RANDOM);
100 Init() { gnutls_global_init(); }
101 ~Init() { gnutls_global_deinit(); }
104 class Exception : public ModuleException
107 Exception(const std::string& reason)
108 : ModuleException(reason) { }
111 void ThrowOnError(int errcode, const char* msg)
115 std::string reason = msg;
116 reason.append(" :").append(gnutls_strerror(errcode));
117 throw Exception(reason);
121 /** Used to create a gnutls_datum_t* from a std::string
125 gnutls_datum_t datum;
128 Datum(const std::string& dat)
130 datum.data = (unsigned char*)dat.data();
131 datum.size = static_cast<unsigned int>(dat.length());
134 const gnutls_datum_t* get() const { return &datum; }
139 gnutls_digest_algorithm_t hash;
142 // Nothing to deallocate, constructor may throw freely
143 Hash(const std::string& hashname)
145 // As older versions of gnutls can't do this, let's disable it where needed.
146 #ifdef GNUTLS_HAS_MAC_GET_ID
147 // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this
148 // There is no gnutls_dig_get_id() at the moment, but it may come later
149 hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());
150 if (hash == GNUTLS_DIG_UNKNOWN)
151 throw Exception("Unknown hash type " + hashname);
153 // Check if the user is giving us something that is a valid MAC but not digest
154 gnutls_hash_hd_t is_digest;
155 if (gnutls_hash_init(&is_digest, hash) < 0)
156 throw Exception("Unknown hash type " + hashname);
157 gnutls_hash_deinit(is_digest, NULL);
159 if (hashname == "md5")
160 hash = GNUTLS_DIG_MD5;
161 else if (hashname == "sha1")
162 hash = GNUTLS_DIG_SHA1;
164 throw Exception("Unknown hash type " + hashname);
168 gnutls_digest_algorithm_t get() const { return hash; }
173 gnutls_dh_params_t dh_params;
177 ThrowOnError(gnutls_dh_params_init(&dh_params), "gnutls_dh_params_init() failed");
182 static std::auto_ptr<DHParams> Import(const std::string& dhstr)
184 std::auto_ptr<DHParams> dh(new DHParams);
185 int ret = gnutls_dh_params_import_pkcs3(dh->dh_params, Datum(dhstr).get(), GNUTLS_X509_FMT_PEM);
186 ThrowOnError(ret, "Unable to import DH params");
191 static std::auto_ptr<DHParams> Generate(unsigned int bits)
193 std::auto_ptr<DHParams> dh(new DHParams);
194 ThrowOnError(gnutls_dh_params_generate2(dh->dh_params, bits), "Unable to generate DH params");
200 gnutls_dh_params_deinit(dh_params);
203 const gnutls_dh_params_t& get() const { return dh_params; }
208 /** Ensure that the key is deinited in case the constructor of X509Key throws
213 gnutls_x509_privkey_t key;
217 ThrowOnError(gnutls_x509_privkey_init(&key), "gnutls_x509_privkey_init() failed");
222 gnutls_x509_privkey_deinit(key);
228 X509Key(const std::string& keystr)
230 int ret = gnutls_x509_privkey_import(key.key, Datum(keystr).get(), GNUTLS_X509_FMT_PEM);
231 ThrowOnError(ret, "Unable to import private key");
234 gnutls_x509_privkey_t& get() { return key.key; }
239 std::vector<gnutls_x509_crt_t> certs;
243 X509CertList(const std::string& certstr)
245 unsigned int certcount = 3;
246 certs.resize(certcount);
247 Datum datum(certstr);
249 int ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
250 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
252 // the buffer wasn't big enough to hold all certs but gnutls changed certcount to the number of available certs,
253 // try again with a bigger buffer
254 certs.resize(certcount);
255 ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
258 ThrowOnError(ret, "Unable to load certificates");
260 // Resize the vector to the actual number of certs because we rely on its size being correct
261 // when deallocating the certs
262 certs.resize(certcount);
267 for (std::vector<gnutls_x509_crt_t>::iterator i = certs.begin(); i != certs.end(); ++i)
268 gnutls_x509_crt_deinit(*i);
271 gnutls_x509_crt_t* raw() { return &certs[0]; }
272 unsigned int size() const { return certs.size(); }
275 class X509CRL : public refcountbase
280 gnutls_x509_crl_t crl;
284 ThrowOnError(gnutls_x509_crl_init(&crl), "gnutls_x509_crl_init() failed");
289 gnutls_x509_crl_deinit(crl);
295 X509CRL(const std::string& crlstr)
297 int ret = gnutls_x509_crl_import(get(), Datum(crlstr).get(), GNUTLS_X509_FMT_PEM);
298 ThrowOnError(ret, "Unable to load certificate revocation list");
301 gnutls_x509_crl_t& get() { return crl.crl; }
304 #ifdef GNUTLS_NEW_PRIO_API
307 gnutls_priority_t priority;
310 Priority(const std::string& priorities)
312 // Try to set the priorities for ciphers, kex methods etc. to the user supplied string
313 // If the user did not supply anything then the string is already set to "NORMAL"
314 const char* priocstr = priorities.c_str();
315 const char* prioerror;
317 int ret = gnutls_priority_init(&priority, priocstr, &prioerror);
320 // gnutls did not understand the user supplied string
321 throw Exception("Unable to initialize priorities to \"" + priorities + "\": " + gnutls_strerror(ret) + " Syntax error at position " + ConvToStr((unsigned int) (prioerror - priocstr)));
327 gnutls_priority_deinit(priority);
330 void SetupSession(gnutls_session_t sess)
332 gnutls_priority_set(sess, priority);
336 /** Dummy class, used when gnutls_priority_set() is not available
341 Priority(const std::string& priorities)
343 if (priorities != "NORMAL")
344 throw Exception("You've set a non-default priority string, but GnuTLS lacks support for it");
347 static void SetupSession(gnutls_session_t sess)
349 // Always set the default priorities
350 gnutls_set_default_priority(sess);
355 class CertCredentials
357 /** DH parameters associated with these credentials
359 std::auto_ptr<DHParams> dh;
362 gnutls_certificate_credentials_t cred;
367 ThrowOnError(gnutls_certificate_allocate_credentials(&cred), "Cannot allocate certificate credentials");
372 gnutls_certificate_free_credentials(cred);
375 /** Associates these credentials with the session
377 void SetupSession(gnutls_session_t sess)
379 gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, cred);
382 /** Set the given DH parameters to be used with these credentials
384 void SetDH(std::auto_ptr<DHParams>& DH)
387 gnutls_certificate_set_dh_params(cred, dh->get());
391 class X509Credentials : public CertCredentials
397 /** Certificate list, presented to the peer
401 /** Trusted CA, may be NULL
403 std::auto_ptr<X509CertList> trustedca;
405 /** Certificate revocation list, may be NULL
407 std::auto_ptr<X509CRL> crl;
409 static int cert_callback(gnutls_session_t session, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st);
412 X509Credentials(const std::string& certstr, const std::string& keystr)
416 // Throwing is ok here, the destructor of Credentials is called in that case
417 int ret = gnutls_certificate_set_x509_key(cred, certs.raw(), certs.size(), key.get());
418 ThrowOnError(ret, "Unable to set cert/key pair");
420 #ifdef GNUTLS_NEW_CERT_CALLBACK_API
421 gnutls_certificate_set_retrieve_function(cred, cert_callback);
423 gnutls_certificate_client_set_retrieve_function(cred, cert_callback);
427 /** Sets the trusted CA and the certificate revocation list
428 * to use when verifying certificates
430 void SetCA(std::auto_ptr<X509CertList>& certlist, std::auto_ptr<X509CRL>& CRL)
432 // Do nothing if certlist is NULL
435 int ret = gnutls_certificate_set_x509_trust(cred, certlist->raw(), certlist->size());
436 ThrowOnError(ret, "gnutls_certificate_set_x509_trust() failed");
440 ret = gnutls_certificate_set_x509_crl(cred, &CRL->get(), 1);
441 ThrowOnError(ret, "gnutls_certificate_set_x509_crl() failed");
444 trustedca = certlist;
450 class Profile : public refcountbase
452 /** Name of this profile
454 const std::string name;
456 /** X509 certificate(s) and key
458 X509Credentials x509cred;
460 /** The minimum length in bits for the DH prime to be accepted as a client
462 unsigned int min_dh_bits;
464 /** Hashing algorithm to use when generating certificate fingerprints
468 /** Priorities for ciphers, compression methods, etc.
472 Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
473 std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
474 const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL)
476 , x509cred(certstr, keystr)
482 x509cred.SetCA(CA, CRL);
485 static std::string ReadFile(const std::string& filename)
487 FileReader reader(filename);
488 std::string ret = reader.GetString();
490 throw Exception("Cannot read file " + filename);
495 static reference<Profile> Create(const std::string& profilename, ConfigTag* tag)
497 std::string certstr = ReadFile(tag->getString("certfile", "cert.pem"));
498 std::string keystr = ReadFile(tag->getString("keyfile", "key.pem"));
500 std::auto_ptr<DHParams> dh;
501 int gendh = tag->getInt("gendh");
504 gendh = (gendh < 1024 ? 1024 : gendh);
505 dh = DHParams::Generate(gendh);
508 dh = DHParams::Import(ReadFile(tag->getString("dhfile", "dhparams.pem")));
510 // Use default priority string if this tag does not specify one
511 std::string priostr = tag->getString("priority", "NORMAL");
512 unsigned int mindh = tag->getInt("mindhbits", 1024);
513 std::string hashstr = tag->getString("hash", "md5");
515 // Load trusted CA and revocation list, if set
516 std::auto_ptr<X509CertList> ca;
517 std::auto_ptr<X509CRL> crl;
518 std::string filename = tag->getString("cafile");
519 if (!filename.empty())
521 ca.reset(new X509CertList(ReadFile(filename)));
523 filename = tag->getString("crlfile");
524 if (!filename.empty())
525 crl.reset(new X509CRL(ReadFile(filename)));
528 return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl);
531 /** Set up the given session with the settings in this profile
533 void SetupSession(gnutls_session_t sess)
535 priority.SetupSession(sess);
536 x509cred.SetupSession(sess);
537 gnutls_dh_set_prime_bits(sess, min_dh_bits);
540 const std::string& GetName() const { return name; }
541 X509Credentials& GetX509Credentials() { return x509cred; }
542 gnutls_digest_algorithm_t GetHash() const { return hash.get(); }
546 /** Represents an SSL user's extra data
551 StreamSocket* socket;
552 gnutls_session_t sess;
554 reference<ssl_cert> cert;
555 reference<GnuTLS::Profile> profile;
557 issl_session() : socket(NULL), sess(NULL) {}
560 class GnuTLSIOHook : public SSLIOHook
563 void InitSession(StreamSocket* user, bool me_server)
565 issl_session* session = &sessions[user->GetFd()];
567 gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
568 session->socket = user;
570 session->profile->SetupSession(session->sess);
571 gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
572 gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
573 gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);
576 gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
578 Handshake(session, user);
581 void CloseSession(issl_session* session)
585 gnutls_bye(session->sess, GNUTLS_SHUT_WR);
586 gnutls_deinit(session->sess);
588 session->socket = NULL;
589 session->sess = NULL;
590 session->cert = NULL;
591 session->profile = NULL;
592 session->status = ISSL_NONE;
595 bool Handshake(issl_session* session, StreamSocket* user)
597 int ret = gnutls_handshake(session->sess);
601 if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
603 // Handshake needs resuming later, read() or write() would have blocked.
605 if(gnutls_record_get_direction(session->sess) == 0)
607 // gnutls_handshake() wants to read() again.
608 session->status = ISSL_HANDSHAKING_READ;
609 ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
613 // gnutls_handshake() wants to write() again.
614 session->status = ISSL_HANDSHAKING_WRITE;
615 ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
620 user->SetError("Handshake Failed - " + std::string(gnutls_strerror(ret)));
621 CloseSession(session);
622 session->status = ISSL_CLOSING;
629 // Change the seesion state
630 session->status = ISSL_HANDSHAKEN;
632 VerifyCertificate(session,user);
634 // Finish writing, if any left
635 ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
641 void VerifyCertificate(issl_session* session, StreamSocket* user)
643 if (!session->sess || !user)
647 const gnutls_datum_t* cert_list;
649 unsigned int cert_list_size;
650 gnutls_x509_crt_t cert;
652 unsigned char digest[512];
653 size_t digest_size = sizeof(digest);
654 size_t name_size = sizeof(str);
655 ssl_cert* certinfo = new ssl_cert;
656 session->cert = certinfo;
658 /* This verification function uses the trusted CAs in the credentials
659 * structure. So you must have installed one or more CA certificates.
661 ret = gnutls_certificate_verify_peers2(session->sess, &status);
665 certinfo->error = std::string(gnutls_strerror(ret));
669 certinfo->invalid = (status & GNUTLS_CERT_INVALID);
670 certinfo->unknownsigner = (status & GNUTLS_CERT_SIGNER_NOT_FOUND);
671 certinfo->revoked = (status & GNUTLS_CERT_REVOKED);
672 certinfo->trusted = !(status & GNUTLS_CERT_SIGNER_NOT_CA);
674 /* Up to here the process is the same for X.509 certificates and
675 * OpenPGP keys. From now on X.509 certificates are assumed. This can
676 * be easily extended to work with openpgp keys as well.
678 if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
680 certinfo->error = "No X509 keys sent";
684 ret = gnutls_x509_crt_init(&cert);
687 certinfo->error = gnutls_strerror(ret);
692 cert_list = gnutls_certificate_get_peers(session->sess, &cert_list_size);
693 if (cert_list == NULL)
695 certinfo->error = "No certificate was found";
696 goto info_done_dealloc;
699 /* This is not a real world example, since we only check the first
700 * certificate in the given chain.
703 ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
706 certinfo->error = gnutls_strerror(ret);
707 goto info_done_dealloc;
710 gnutls_x509_crt_get_dn(cert, str, &name_size);
713 gnutls_x509_crt_get_issuer_dn(cert, str, &name_size);
714 certinfo->issuer = str;
716 if ((ret = gnutls_x509_crt_get_fingerprint(cert, session->profile->GetHash(), digest, &digest_size)) < 0)
718 certinfo->error = gnutls_strerror(ret);
722 certinfo->fingerprint = BinToHex(digest, digest_size);
725 /* Beware here we do not check for errors.
727 if ((gnutls_x509_crt_get_expiration_time(cert) < ServerInstance->Time()) || (gnutls_x509_crt_get_activation_time(cert) > ServerInstance->Time()))
729 certinfo->error = "Not activated, or expired certificate";
733 gnutls_x509_crt_deinit(cert);
736 static const char* UnknownIfNULL(const char* str)
738 return str ? str : "UNKNOWN";
741 static ssize_t gnutls_pull_wrapper(gnutls_transport_ptr_t session_wrap, void* buffer, size_t size)
743 issl_session* session = reinterpret_cast<issl_session*>(session_wrap);
744 if (session->socket->GetEventMask() & FD_READ_WILL_BLOCK)
747 gnutls_transport_set_errno(session->sess, EAGAIN);
754 int rv = ServerInstance->SE->Recv(session->socket, reinterpret_cast<char *>(buffer), size, 0);
759 /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
760 * and then set errno appropriately.
761 * The gnutls library may also have a different errno variable than us, see
762 * gnutls_transport_set_errno(3).
764 gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
769 ServerInstance->SE->ChangeEventMask(session->socket, FD_READ_WILL_BLOCK);
773 static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t session_wrap, const void* buffer, size_t size)
775 issl_session* session = reinterpret_cast<issl_session*>(session_wrap);
776 if (session->socket->GetEventMask() & FD_WRITE_WILL_BLOCK)
779 gnutls_transport_set_errno(session->sess, EAGAIN);
786 int rv = ServerInstance->SE->Send(session->socket, reinterpret_cast<const char *>(buffer), size, 0);
791 /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
792 * and then set errno appropriately.
793 * The gnutls library may also have a different errno variable than us, see
794 * gnutls_transport_set_errno(3).
796 gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
801 ServerInstance->SE->ChangeEventMask(session->socket, FD_WRITE_WILL_BLOCK);
806 issl_session* sessions;
808 GnuTLSIOHook(Module* parent)
809 : SSLIOHook(parent, "ssl/gnutls")
811 sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
819 void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
821 issl_session* session = &sessions[user->GetFd()];
823 /* For STARTTLS: Don't try and init a session on a socket that already has a session */
827 InitSession(user, true);
830 void OnStreamSocketConnect(StreamSocket* user) CXX11_OVERRIDE
832 InitSession(user, false);
835 void OnStreamSocketClose(StreamSocket* user) CXX11_OVERRIDE
837 CloseSession(&sessions[user->GetFd()]);
840 int OnStreamSocketRead(StreamSocket* user, std::string& recvq) CXX11_OVERRIDE
842 issl_session* session = &sessions[user->GetFd()];
846 CloseSession(session);
847 user->SetError("No SSL session");
851 if (session->status == ISSL_HANDSHAKING_READ || session->status == ISSL_HANDSHAKING_WRITE)
853 // The handshake isn't finished, try to finish it.
855 if(!Handshake(session, user))
857 if (session->status != ISSL_CLOSING)
863 // If we resumed the handshake then session->status will be ISSL_HANDSHAKEN.
865 if (session->status == ISSL_HANDSHAKEN)
867 char* buffer = ServerInstance->GetReadBuffer();
868 size_t bufsiz = ServerInstance->Config->NetBufferSize;
869 int ret = gnutls_record_recv(session->sess, buffer, bufsiz);
872 recvq.append(buffer, ret);
875 else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
881 user->SetError("Connection closed");
882 CloseSession(session);
887 user->SetError(gnutls_strerror(ret));
888 CloseSession(session);
892 else if (session->status == ISSL_CLOSING)
898 int OnStreamSocketWrite(StreamSocket* user, std::string& sendq) CXX11_OVERRIDE
900 issl_session* session = &sessions[user->GetFd()];
904 CloseSession(session);
905 user->SetError("No SSL session");
909 if (session->status == ISSL_HANDSHAKING_WRITE || session->status == ISSL_HANDSHAKING_READ)
911 // The handshake isn't finished, try to finish it.
912 Handshake(session, user);
913 if (session->status != ISSL_CLOSING)
920 if (session->status == ISSL_HANDSHAKEN)
922 ret = gnutls_record_send(session->sess, sendq.data(), sendq.length());
924 if (ret == (int)sendq.length())
926 ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_WRITE);
931 sendq = sendq.substr(ret);
932 ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
935 else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
937 ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
942 user->SetError(gnutls_strerror(ret));
943 CloseSession(session);
951 ssl_cert* GetCertificate(StreamSocket* sock) CXX11_OVERRIDE
953 int fd = sock->GetFd();
954 issl_session* session = &sessions[fd];
955 return session->cert;
958 void TellCiphersAndFingerprint(LocalUser* user)
960 const gnutls_session_t& sess = sessions[user->eh.GetFd()].sess;
963 std::string text = "*** You are connected using SSL cipher '";
965 text += UnknownIfNULL(gnutls_kx_get_name(gnutls_kx_get(sess)));
966 text.append("-").append(UnknownIfNULL(gnutls_cipher_get_name(gnutls_cipher_get(sess)))).append("-");
967 text.append(UnknownIfNULL(gnutls_mac_get_name(gnutls_mac_get(sess)))).append("'");
969 ssl_cert* cert = sessions[user->eh.GetFd()].cert;
970 if (!cert->fingerprint.empty())
971 text += " and your SSL fingerprint is " + cert->fingerprint;
973 user->WriteNotice(text);
978 int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st)
980 #ifndef GNUTLS_NEW_CERT_CALLBACK_API
981 st->type = GNUTLS_CRT_X509;
983 st->cert_type = GNUTLS_CRT_X509;
984 st->key_type = GNUTLS_PRIVKEY_X509;
986 issl_session* session = reinterpret_cast<issl_session*>(gnutls_transport_get_ptr(sess));
987 GnuTLS::X509Credentials& cred = session->profile->GetX509Credentials();
989 st->ncerts = cred.certs.size();
990 st->cert.x509 = cred.certs.raw();
991 st->key.x509 = cred.key.get();
997 class ModuleSSLGnuTLS : public Module
999 typedef std::vector<reference<GnuTLS::Profile> > ProfileList;
1001 // First member of the class, gets constructed first and destructed last
1002 GnuTLS::Init libinit;
1004 GnuTLSIOHook iohook;
1006 std::string sslports;
1008 RandGen randhandler;
1009 ProfileList profiles;
1013 // First, store all profiles in a new, temporary container. If no problems occur, swap the two
1014 // containers; this way if something goes wrong we can go back and continue using the current profiles,
1015 // avoiding unpleasant situations where no new SSL connections are possible.
1016 ProfileList newprofiles;
1018 ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
1019 if (tags.first == tags.second)
1021 // No <sslprofile> tags found, create a profile named "gnutls" from settings in the <gnutls> block
1022 const std::string defname = "gnutls";
1023 ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
1024 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the <gnutls> tag");
1028 reference<GnuTLS::Profile> profile(GnuTLS::Profile::Create(defname, tag));
1029 newprofiles.push_back(profile);
1031 catch (CoreException& ex)
1033 throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
1037 for (ConfigIter i = tags.first; i != tags.second; ++i)
1039 ConfigTag* tag = i->second;
1040 if (tag->getString("provider") != "gnutls")
1043 std::string name = tag->getString("name");
1046 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
1050 reference<GnuTLS::Profile> profile;
1053 profile = GnuTLS::Profile::Create(name, tag);
1055 catch (CoreException& ex)
1057 throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
1060 newprofiles.push_back(profile);
1063 // New profiles are ok, begin using them
1064 // Old profiles are deleted when their refcount drops to zero
1065 profiles.swap(newprofiles);
1069 ModuleSSLGnuTLS() : iohook(this)
1071 #ifndef GNUTLS_HAS_RND
1072 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
1076 void init() CXX11_OVERRIDE
1079 ServerInstance->GenRandom = &randhandler;
1082 void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
1086 ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
1088 if (Conf->getBool("showports", true))
1090 sslports = Conf->getString("advertisedports");
1091 if (!sslports.empty())
1094 for (size_t i = 0; i < ServerInstance->ports.size(); i++)
1096 ListenSocket* port = ServerInstance->ports[i];
1097 if (port->bind_tag->getString("ssl") != "gnutls")
1100 const std::string& portid = port->bind_desc;
1101 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str());
1103 if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
1106 * Found an SSL port for clients that is not bound to 127.0.0.1 and handled by us, display
1107 * the IP:port in ISUPPORT.
1109 * We used to advertise all ports seperated by a ';' char that matched the above criteria,
1110 * but this resulted in too long ISUPPORT lines if there were lots of ports to be displayed.
1111 * To solve this by default we now only display the first IP:port found and let the user
1112 * configure the exact value for the 005 token, if necessary.
1121 void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE
1130 catch (ModuleException& ex)
1132 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, ex.GetReason() + " Not applying settings.");
1138 ServerInstance->GenRandom = &ServerInstance->HandleGenRandom;
1141 void OnCleanup(int target_type, void* item) CXX11_OVERRIDE
1143 if(target_type == TYPE_USER)
1145 LocalUser* user = IS_LOCAL(static_cast<User*>(item));
1147 if (user && user->eh.GetIOHook() == &iohook)
1149 // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
1150 // Potentially there could be multiple SSL modules loaded at once on different ports.
1151 ServerInstance->Users->QuitUser(user, "SSL module unloading");
1156 Version GetVersion() CXX11_OVERRIDE
1158 return Version("Provides SSL support for clients", VF_VENDOR);
1161 void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
1163 if (!sslports.empty())
1164 tokens["SSL"] = sslports;
1167 void OnHookIO(StreamSocket* user, ListenSocket* lsb) CXX11_OVERRIDE
1169 if (!user->GetIOHook())
1171 std::string profilename = lsb->bind_tag->getString("ssl");
1172 for (ProfileList::const_iterator i = profiles.begin(); i != profiles.end(); ++i)
1174 if ((*i)->GetName() == profilename)
1176 iohook.sessions[user->GetFd()].profile = *i;
1177 user->AddIOHook(&iohook);
1184 void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
1186 if (user->eh.GetIOHook() == &iohook)
1187 iohook.TellCiphersAndFingerprint(user);
1191 MODULE_INIT(ModuleSSLGnuTLS)