2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
5 * Copyright (C) 2008 John Brooks <john.brooks@dereferenced.net>
6 * Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
7 * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
8 * Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
10 * This file is part of InspIRCd. InspIRCd is free software: you can
11 * redistribute it and/or modify it under the terms of the GNU General Public
12 * License as published by the Free Software Foundation, version 2.
14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
19 * You should have received a copy of the GNU General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "modules/ssl.h"
28 // Fix warnings about the use of commas at end of enumerator lists on C++03.
30 # pragma clang diagnostic ignored "-Wc++11-extensions"
31 #elif defined __GNUC__
32 # pragma GCC diagnostic ignored "-pedantic"
35 #include <gnutls/gnutls.h>
36 #include <gnutls/x509.h>
38 #ifndef GNUTLS_VERSION_NUMBER
39 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
40 #define GNUTLS_VERSION LIBGNUTLS_VERSION
43 // Check if the GnuTLS library is at least version major.minor.patch
44 #define INSPIRCD_GNUTLS_HAS_VERSION(major, minor, patch) (GNUTLS_VERSION_NUMBER >= ((major << 16) | (minor << 8) | patch))
46 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 9, 8)
47 #define GNUTLS_HAS_MAC_GET_ID
48 #include <gnutls/crypto.h>
51 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
52 # define GNUTLS_HAS_RND
58 # pragma comment(lib, "libgnutls-28.lib")
61 /* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") eval("print `libgcrypt-config --cflags | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") */
62 /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") eval("print `libgcrypt-config --libs | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") */
64 // These don't exist in older GnuTLS versions
65 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 1, 7)
66 #define GNUTLS_NEW_PRIO_API
69 #if (!INSPIRCD_GNUTLS_HAS_VERSION(2, 0, 0))
70 typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
71 typedef gnutls_dh_params_t gnutls_dh_params;
74 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_HANDSHAKEN };
76 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
77 #define INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
78 #define GNUTLS_NEW_CERT_CALLBACK_API
79 typedef gnutls_retr2_st cert_cb_last_param_type;
81 typedef gnutls_retr_st cert_cb_last_param_type;
84 #if INSPIRCD_GNUTLS_HAS_VERSION(3, 3, 5)
85 #define INSPIRCD_GNUTLS_HAS_RECV_PACKET
88 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 99, 0)
89 // The second parameter of gnutls_init() has changed in 2.99.0 from gnutls_connection_end_t to unsigned int
90 // (it became a general flags parameter) and the enum has been deprecated and generates a warning on use.
91 typedef unsigned int inspircd_gnutls_session_init_flags_t;
93 typedef gnutls_connection_end_t inspircd_gnutls_session_init_flags_t;
96 #if INSPIRCD_GNUTLS_HAS_VERSION(3, 1, 9)
97 #define INSPIRCD_GNUTLS_HAS_CORK
100 class RandGen : public HandlerBase2<void, char*, size_t>
103 void Call(char* buffer, size_t len)
105 #ifdef GNUTLS_HAS_RND
106 gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);
108 gcry_randomize(buffer, len, GCRY_STRONG_RANDOM);
118 Init() { gnutls_global_init(); }
119 ~Init() { gnutls_global_deinit(); }
122 class Exception : public ModuleException
125 Exception(const std::string& reason)
126 : ModuleException(reason) { }
129 void ThrowOnError(int errcode, const char* msg)
133 std::string reason = msg;
134 reason.append(" :").append(gnutls_strerror(errcode));
135 throw Exception(reason);
139 /** Used to create a gnutls_datum_t* from a std::string
143 gnutls_datum_t datum;
146 Datum(const std::string& dat)
148 datum.data = (unsigned char*)dat.data();
149 datum.size = static_cast<unsigned int>(dat.length());
152 const gnutls_datum_t* get() const { return &datum; }
157 gnutls_digest_algorithm_t hash;
160 // Nothing to deallocate, constructor may throw freely
161 Hash(const std::string& hashname)
163 // As older versions of gnutls can't do this, let's disable it where needed.
164 #ifdef GNUTLS_HAS_MAC_GET_ID
165 // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this
166 // There is no gnutls_dig_get_id() at the moment, but it may come later
167 hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());
168 if (hash == GNUTLS_DIG_UNKNOWN)
169 throw Exception("Unknown hash type " + hashname);
171 // Check if the user is giving us something that is a valid MAC but not digest
172 gnutls_hash_hd_t is_digest;
173 if (gnutls_hash_init(&is_digest, hash) < 0)
174 throw Exception("Unknown hash type " + hashname);
175 gnutls_hash_deinit(is_digest, NULL);
177 if (hashname == "md5")
178 hash = GNUTLS_DIG_MD5;
179 else if (hashname == "sha1")
180 hash = GNUTLS_DIG_SHA1;
181 #ifdef INSPIRCD_GNUTLS_ENABLE_SHA256_FINGERPRINT
182 else if (hashname == "sha256")
183 hash = GNUTLS_DIG_SHA256;
186 throw Exception("Unknown hash type " + hashname);
190 gnutls_digest_algorithm_t get() const { return hash; }
195 gnutls_dh_params_t dh_params;
199 ThrowOnError(gnutls_dh_params_init(&dh_params), "gnutls_dh_params_init() failed");
204 static std::auto_ptr<DHParams> Import(const std::string& dhstr)
206 std::auto_ptr<DHParams> dh(new DHParams);
207 int ret = gnutls_dh_params_import_pkcs3(dh->dh_params, Datum(dhstr).get(), GNUTLS_X509_FMT_PEM);
208 ThrowOnError(ret, "Unable to import DH params");
213 static std::auto_ptr<DHParams> Generate(unsigned int bits)
215 std::auto_ptr<DHParams> dh(new DHParams);
216 ThrowOnError(gnutls_dh_params_generate2(dh->dh_params, bits), "Unable to generate DH params");
222 gnutls_dh_params_deinit(dh_params);
225 const gnutls_dh_params_t& get() const { return dh_params; }
230 /** Ensure that the key is deinited in case the constructor of X509Key throws
235 gnutls_x509_privkey_t key;
239 ThrowOnError(gnutls_x509_privkey_init(&key), "gnutls_x509_privkey_init() failed");
244 gnutls_x509_privkey_deinit(key);
250 X509Key(const std::string& keystr)
252 int ret = gnutls_x509_privkey_import(key.key, Datum(keystr).get(), GNUTLS_X509_FMT_PEM);
253 ThrowOnError(ret, "Unable to import private key");
256 gnutls_x509_privkey_t& get() { return key.key; }
261 std::vector<gnutls_x509_crt_t> certs;
265 X509CertList(const std::string& certstr)
267 unsigned int certcount = 3;
268 certs.resize(certcount);
269 Datum datum(certstr);
271 int ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
272 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
274 // the buffer wasn't big enough to hold all certs but gnutls changed certcount to the number of available certs,
275 // try again with a bigger buffer
276 certs.resize(certcount);
277 ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
280 ThrowOnError(ret, "Unable to load certificates");
282 // Resize the vector to the actual number of certs because we rely on its size being correct
283 // when deallocating the certs
284 certs.resize(certcount);
289 for (std::vector<gnutls_x509_crt_t>::iterator i = certs.begin(); i != certs.end(); ++i)
290 gnutls_x509_crt_deinit(*i);
293 gnutls_x509_crt_t* raw() { return &certs[0]; }
294 unsigned int size() const { return certs.size(); }
297 class X509CRL : public refcountbase
302 gnutls_x509_crl_t crl;
306 ThrowOnError(gnutls_x509_crl_init(&crl), "gnutls_x509_crl_init() failed");
311 gnutls_x509_crl_deinit(crl);
317 X509CRL(const std::string& crlstr)
319 int ret = gnutls_x509_crl_import(get(), Datum(crlstr).get(), GNUTLS_X509_FMT_PEM);
320 ThrowOnError(ret, "Unable to load certificate revocation list");
323 gnutls_x509_crl_t& get() { return crl.crl; }
326 #ifdef GNUTLS_NEW_PRIO_API
329 gnutls_priority_t priority;
332 Priority(const std::string& priorities)
334 // Try to set the priorities for ciphers, kex methods etc. to the user supplied string
335 // If the user did not supply anything then the string is already set to "NORMAL"
336 const char* priocstr = priorities.c_str();
337 const char* prioerror;
339 int ret = gnutls_priority_init(&priority, priocstr, &prioerror);
342 // gnutls did not understand the user supplied string
343 throw Exception("Unable to initialize priorities to \"" + priorities + "\": " + gnutls_strerror(ret) + " Syntax error at position " + ConvToStr((unsigned int) (prioerror - priocstr)));
349 gnutls_priority_deinit(priority);
352 void SetupSession(gnutls_session_t sess)
354 gnutls_priority_set(sess, priority);
358 /** Dummy class, used when gnutls_priority_set() is not available
363 Priority(const std::string& priorities)
365 if (priorities != "NORMAL")
366 throw Exception("You've set a non-default priority string, but GnuTLS lacks support for it");
369 static void SetupSession(gnutls_session_t sess)
371 // Always set the default priorities
372 gnutls_set_default_priority(sess);
377 class CertCredentials
379 /** DH parameters associated with these credentials
381 std::auto_ptr<DHParams> dh;
384 gnutls_certificate_credentials_t cred;
389 ThrowOnError(gnutls_certificate_allocate_credentials(&cred), "Cannot allocate certificate credentials");
394 gnutls_certificate_free_credentials(cred);
397 /** Associates these credentials with the session
399 void SetupSession(gnutls_session_t sess)
401 gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, cred);
404 /** Set the given DH parameters to be used with these credentials
406 void SetDH(std::auto_ptr<DHParams>& DH)
409 gnutls_certificate_set_dh_params(cred, dh->get());
413 class X509Credentials : public CertCredentials
419 /** Certificate list, presented to the peer
423 /** Trusted CA, may be NULL
425 std::auto_ptr<X509CertList> trustedca;
427 /** Certificate revocation list, may be NULL
429 std::auto_ptr<X509CRL> crl;
431 static int cert_callback(gnutls_session_t session, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st);
434 X509Credentials(const std::string& certstr, const std::string& keystr)
438 // Throwing is ok here, the destructor of Credentials is called in that case
439 int ret = gnutls_certificate_set_x509_key(cred, certs.raw(), certs.size(), key.get());
440 ThrowOnError(ret, "Unable to set cert/key pair");
442 #ifdef GNUTLS_NEW_CERT_CALLBACK_API
443 gnutls_certificate_set_retrieve_function(cred, cert_callback);
445 gnutls_certificate_client_set_retrieve_function(cred, cert_callback);
449 /** Sets the trusted CA and the certificate revocation list
450 * to use when verifying certificates
452 void SetCA(std::auto_ptr<X509CertList>& certlist, std::auto_ptr<X509CRL>& CRL)
454 // Do nothing if certlist is NULL
457 int ret = gnutls_certificate_set_x509_trust(cred, certlist->raw(), certlist->size());
458 ThrowOnError(ret, "gnutls_certificate_set_x509_trust() failed");
462 ret = gnutls_certificate_set_x509_crl(cred, &CRL->get(), 1);
463 ThrowOnError(ret, "gnutls_certificate_set_x509_crl() failed");
466 trustedca = certlist;
475 #ifdef INSPIRCD_GNUTLS_HAS_RECV_PACKET
476 gnutls_packet_t packet;
479 DataReader(gnutls_session_t sess)
481 // Using the packet API avoids the final copy of the data which GnuTLS does if we supply
482 // our own buffer. Instead, we get the buffer containing the data from GnuTLS and copy it
483 // to the recvq directly from there in appendto().
484 retval = gnutls_record_recv_packet(sess, &packet);
487 void appendto(std::string& recvq)
489 // Copy data from GnuTLS buffers to recvq
490 gnutls_datum_t datum;
491 gnutls_packet_get(packet, &datum, NULL);
492 recvq.append(reinterpret_cast<const char*>(datum.data), datum.size);
494 gnutls_packet_deinit(packet);
500 DataReader(gnutls_session_t sess)
501 : buffer(ServerInstance->GetReadBuffer())
503 // Read data from GnuTLS buffers into ReadBuffer
504 retval = gnutls_record_recv(sess, buffer, ServerInstance->Config->NetBufferSize);
507 void appendto(std::string& recvq)
509 // Copy data from ReadBuffer to recvq
510 recvq.append(buffer, retval);
514 int ret() const { return retval; }
517 class Profile : public refcountbase
519 /** Name of this profile
521 const std::string name;
523 /** X509 certificate(s) and key
525 X509Credentials x509cred;
527 /** The minimum length in bits for the DH prime to be accepted as a client
529 unsigned int min_dh_bits;
531 /** Hashing algorithm to use when generating certificate fingerprints
535 /** Priorities for ciphers, compression methods, etc.
539 /** Rough max size of records to send
541 const unsigned int outrecsize;
543 Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
544 std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
545 const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL,
546 unsigned int recsize)
548 , x509cred(certstr, keystr)
552 , outrecsize(recsize)
555 x509cred.SetCA(CA, CRL);
558 static std::string ReadFile(const std::string& filename)
560 FileReader reader(filename);
561 std::string ret = reader.GetString();
563 throw Exception("Cannot read file " + filename);
568 static reference<Profile> Create(const std::string& profilename, ConfigTag* tag)
570 std::string certstr = ReadFile(tag->getString("certfile", "cert.pem"));
571 std::string keystr = ReadFile(tag->getString("keyfile", "key.pem"));
573 std::auto_ptr<DHParams> dh;
574 int gendh = tag->getInt("gendh");
577 gendh = (gendh < 1024 ? 1024 : gendh);
578 dh = DHParams::Generate(gendh);
581 dh = DHParams::Import(ReadFile(tag->getString("dhfile", "dhparams.pem")));
583 // Use default priority string if this tag does not specify one
584 std::string priostr = tag->getString("priority", "NORMAL");
585 unsigned int mindh = tag->getInt("mindhbits", 1024);
586 std::string hashstr = tag->getString("hash", "md5");
588 // Load trusted CA and revocation list, if set
589 std::auto_ptr<X509CertList> ca;
590 std::auto_ptr<X509CRL> crl;
591 std::string filename = tag->getString("cafile");
592 if (!filename.empty())
594 ca.reset(new X509CertList(ReadFile(filename)));
596 filename = tag->getString("crlfile");
597 if (!filename.empty())
598 crl.reset(new X509CRL(ReadFile(filename)));
601 #ifdef INSPIRCD_GNUTLS_HAS_CORK
602 // If cork support is available outrecsize represents the (rough) max amount of data we give GnuTLS while corked
603 unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512);
605 unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
607 return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize);
610 /** Set up the given session with the settings in this profile
612 void SetupSession(gnutls_session_t sess)
614 priority.SetupSession(sess);
615 x509cred.SetupSession(sess);
616 gnutls_dh_set_prime_bits(sess, min_dh_bits);
618 // Request client certificate if we are a server, no-op if we're a client
619 gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
622 const std::string& GetName() const { return name; }
623 X509Credentials& GetX509Credentials() { return x509cred; }
624 gnutls_digest_algorithm_t GetHash() const { return hash.get(); }
625 unsigned int GetOutgoingRecordSize() const { return outrecsize; }
629 class GnuTLSIOHook : public SSLIOHook
632 gnutls_session_t sess;
634 reference<GnuTLS::Profile> profile;
635 #ifdef INSPIRCD_GNUTLS_HAS_CORK
643 gnutls_bye(this->sess, GNUTLS_SHUT_WR);
644 gnutls_deinit(this->sess);
651 // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed
652 int Handshake(StreamSocket* user)
654 int ret = gnutls_handshake(this->sess);
658 if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
660 // Handshake needs resuming later, read() or write() would have blocked.
661 this->status = ISSL_HANDSHAKING;
663 if (gnutls_record_get_direction(this->sess) == 0)
665 // gnutls_handshake() wants to read() again.
666 SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
670 // gnutls_handshake() wants to write() again.
671 SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
678 user->SetError("Handshake Failed - " + std::string(gnutls_strerror(ret)));
685 // Change the seesion state
686 this->status = ISSL_HANDSHAKEN;
690 // Finish writing, if any left
691 SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
697 void VerifyCertificate()
699 unsigned int certstatus;
700 const gnutls_datum_t* cert_list;
702 unsigned int cert_list_size;
703 gnutls_x509_crt_t cert;
705 unsigned char digest[512];
706 size_t digest_size = sizeof(digest);
707 size_t name_size = sizeof(str);
708 ssl_cert* certinfo = new ssl_cert;
709 this->certificate = certinfo;
711 /* This verification function uses the trusted CAs in the credentials
712 * structure. So you must have installed one or more CA certificates.
714 ret = gnutls_certificate_verify_peers2(this->sess, &certstatus);
718 certinfo->error = std::string(gnutls_strerror(ret));
722 certinfo->invalid = (certstatus & GNUTLS_CERT_INVALID);
723 certinfo->unknownsigner = (certstatus & GNUTLS_CERT_SIGNER_NOT_FOUND);
724 certinfo->revoked = (certstatus & GNUTLS_CERT_REVOKED);
725 certinfo->trusted = !(certstatus & GNUTLS_CERT_SIGNER_NOT_CA);
727 /* Up to here the process is the same for X.509 certificates and
728 * OpenPGP keys. From now on X.509 certificates are assumed. This can
729 * be easily extended to work with openpgp keys as well.
731 if (gnutls_certificate_type_get(this->sess) != GNUTLS_CRT_X509)
733 certinfo->error = "No X509 keys sent";
737 ret = gnutls_x509_crt_init(&cert);
740 certinfo->error = gnutls_strerror(ret);
745 cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size);
746 if (cert_list == NULL)
748 certinfo->error = "No certificate was found";
749 goto info_done_dealloc;
752 /* This is not a real world example, since we only check the first
753 * certificate in the given chain.
756 ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
759 certinfo->error = gnutls_strerror(ret);
760 goto info_done_dealloc;
763 if (gnutls_x509_crt_get_dn(cert, str, &name_size) == 0)
765 std::string& dn = certinfo->dn;
767 // Make sure there are no chars in the string that we consider invalid
768 if (dn.find_first_of("\r\n") != std::string::npos)
772 name_size = sizeof(str);
773 if (gnutls_x509_crt_get_issuer_dn(cert, str, &name_size) == 0)
775 std::string& issuer = certinfo->issuer;
777 if (issuer.find_first_of("\r\n") != std::string::npos)
781 if ((ret = gnutls_x509_crt_get_fingerprint(cert, profile->GetHash(), digest, &digest_size)) < 0)
783 certinfo->error = gnutls_strerror(ret);
787 certinfo->fingerprint = BinToHex(digest, digest_size);
790 /* Beware here we do not check for errors.
792 if ((gnutls_x509_crt_get_expiration_time(cert) < ServerInstance->Time()) || (gnutls_x509_crt_get_activation_time(cert) > ServerInstance->Time()))
794 certinfo->error = "Not activated, or expired certificate";
798 gnutls_x509_crt_deinit(cert);
801 // Returns 1 if application I/O should proceed, 0 if it must wait for the underlying protocol to progress, -1 on fatal error
802 int PrepareIO(StreamSocket* sock)
804 if (status == ISSL_HANDSHAKEN)
806 else if (status == ISSL_HANDSHAKING)
808 // The handshake isn't finished, try to finish it
809 return Handshake(sock);
813 sock->SetError("No SSL session");
817 #ifdef INSPIRCD_GNUTLS_HAS_CORK
818 int FlushBuffer(StreamSocket* sock)
820 // If GnuTLS has some data buffered, write it
822 return HandleWriteRet(sock, gnutls_record_uncork(this->sess, 0));
827 int HandleWriteRet(StreamSocket* sock, int ret)
831 #ifdef INSPIRCD_GNUTLS_HAS_CORK
835 SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
841 else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
843 SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
848 sock->SetError(gnutls_strerror(ret));
854 static const char* UnknownIfNULL(const char* str)
856 return str ? str : "UNKNOWN";
859 static ssize_t gnutls_pull_wrapper(gnutls_transport_ptr_t session_wrap, void* buffer, size_t size)
861 StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
863 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetIOHook());
866 if (sock->GetEventMask() & FD_READ_WILL_BLOCK)
869 gnutls_transport_set_errno(session->sess, EAGAIN);
876 int rv = SocketEngine::Recv(sock, reinterpret_cast<char *>(buffer), size, 0);
881 /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
882 * and then set errno appropriately.
883 * The gnutls library may also have a different errno variable than us, see
884 * gnutls_transport_set_errno(3).
886 gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
891 SocketEngine::ChangeEventMask(sock, FD_READ_WILL_BLOCK);
895 #ifdef INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
896 static ssize_t VectorPush(gnutls_transport_ptr_t transportptr, const giovec_t* iov, int iovcnt)
898 StreamSocket* sock = reinterpret_cast<StreamSocket*>(transportptr);
900 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetIOHook());
903 if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
906 gnutls_transport_set_errno(session->sess, EAGAIN);
913 // Cast the giovec_t to iovec not to IOVector so the correct function is called on Windows
914 int ret = SocketEngine::WriteV(sock, reinterpret_cast<const iovec*>(iov), iovcnt);
916 // See the function above for more info about the usage of gnutls_transport_set_errno() on Windows
918 gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
922 for (int i = 0; i < iovcnt; i++)
923 size += iov[i].iov_len;
926 SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
930 #else // INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
931 static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t session_wrap, const void* buffer, size_t size)
933 StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
935 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetIOHook());
938 if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
941 gnutls_transport_set_errno(session->sess, EAGAIN);
948 int rv = SocketEngine::Send(sock, reinterpret_cast<const char *>(buffer), size, 0);
953 /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
954 * and then set errno appropriately.
955 * The gnutls library may also have a different errno variable than us, see
956 * gnutls_transport_set_errno(3).
958 gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
963 SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
966 #endif // INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
969 GnuTLSIOHook(IOHookProvider* hookprov, StreamSocket* sock, inspircd_gnutls_session_init_flags_t flags, const reference<GnuTLS::Profile>& sslprofile)
970 : SSLIOHook(hookprov)
973 , profile(sslprofile)
974 #ifdef INSPIRCD_GNUTLS_HAS_CORK
978 gnutls_init(&sess, flags);
979 gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(sock));
980 #ifdef INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
981 gnutls_transport_set_vec_push_function(sess, VectorPush);
983 gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
985 gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);
986 profile->SetupSession(sess);
988 sock->AddIOHook(this);
992 void OnStreamSocketClose(StreamSocket* user) CXX11_OVERRIDE
997 int OnStreamSocketRead(StreamSocket* user, std::string& recvq) CXX11_OVERRIDE
999 // Finish handshake if needed
1000 int prepret = PrepareIO(user);
1004 // If we resumed the handshake then this->status will be ISSL_HANDSHAKEN.
1006 GnuTLS::DataReader reader(sess);
1007 int ret = reader.ret();
1010 reader.appendto(recvq);
1013 else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
1019 user->SetError("Connection closed");
1025 user->SetError(gnutls_strerror(ret));
1032 int OnStreamSocketWrite(StreamSocket* user) CXX11_OVERRIDE
1034 // Finish handshake if needed
1035 int prepret = PrepareIO(user);
1039 // Session is ready for transferring application data
1040 StreamSocket::SendQueue& sendq = user->GetSendQ();
1042 #ifdef INSPIRCD_GNUTLS_HAS_CORK
1045 // If there is something in the GnuTLS buffer try to send() it
1046 int ret = FlushBuffer(user);
1048 return ret; // Couldn't flush entire buffer, retry later (or close on error)
1050 // GnuTLS buffer is empty, if the sendq is empty as well then break to set FD_WANT_NO_WRITE
1054 // GnuTLS buffer is empty but sendq is not, begin sending data from the sendq
1055 gnutls_record_cork(this->sess);
1056 while ((!sendq.empty()) && (gbuffersize < profile->GetOutgoingRecordSize()))
1058 const StreamSocket::SendQueue::Element& elem = sendq.front();
1059 gbuffersize += elem.length();
1060 ret = gnutls_record_send(this->sess, elem.data(), elem.length());
1072 while (!sendq.empty())
1074 FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
1075 const StreamSocket::SendQueue::Element& buffer = sendq.front();
1076 ret = HandleWriteRet(user, gnutls_record_send(this->sess, buffer.data(), buffer.length()));
1080 else if (ret < (int)buffer.length())
1082 sendq.erase_front(ret);
1083 SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
1087 // Wrote entire record, continue sending
1092 SocketEngine::ChangeEventMask(user, FD_WANT_NO_WRITE);
1096 void TellCiphersAndFingerprint(LocalUser* user)
1100 std::string text = "*** You are connected using SSL cipher '";
1101 GetCiphersuite(text);
1103 if (!certificate->fingerprint.empty())
1104 text += " and your SSL certificate fingerprint is " + certificate->fingerprint;
1106 user->WriteNotice(text);
1110 void GetCiphersuite(std::string& out) const
1112 out.append(UnknownIfNULL(gnutls_protocol_get_name(gnutls_protocol_get_version(sess)))).push_back('-');
1113 out.append(UnknownIfNULL(gnutls_kx_get_name(gnutls_kx_get(sess)))).push_back('-');
1114 out.append(UnknownIfNULL(gnutls_cipher_get_name(gnutls_cipher_get(sess)))).push_back('-');
1115 out.append(UnknownIfNULL(gnutls_mac_get_name(gnutls_mac_get(sess))));
1118 GnuTLS::Profile* GetProfile() { return profile; }
1119 bool IsHandshakeDone() const { return (status == ISSL_HANDSHAKEN); }
1122 int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st)
1124 #ifndef GNUTLS_NEW_CERT_CALLBACK_API
1125 st->type = GNUTLS_CRT_X509;
1127 st->cert_type = GNUTLS_CRT_X509;
1128 st->key_type = GNUTLS_PRIVKEY_X509;
1130 StreamSocket* sock = reinterpret_cast<StreamSocket*>(gnutls_transport_get_ptr(sess));
1131 GnuTLS::X509Credentials& cred = static_cast<GnuTLSIOHook*>(sock->GetIOHook())->GetProfile()->GetX509Credentials();
1133 st->ncerts = cred.certs.size();
1134 st->cert.x509 = cred.certs.raw();
1135 st->key.x509 = cred.key.get();
1141 class GnuTLSIOHookProvider : public refcountbase, public IOHookProvider
1143 reference<GnuTLS::Profile> profile;
1146 GnuTLSIOHookProvider(Module* mod, reference<GnuTLS::Profile>& prof)
1147 : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
1150 ServerInstance->Modules->AddService(*this);
1153 ~GnuTLSIOHookProvider()
1155 ServerInstance->Modules->DelService(*this);
1158 void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
1160 new GnuTLSIOHook(this, sock, GNUTLS_SERVER, profile);
1163 void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
1165 new GnuTLSIOHook(this, sock, GNUTLS_CLIENT, profile);
1169 class ModuleSSLGnuTLS : public Module
1171 typedef std::vector<reference<GnuTLSIOHookProvider> > ProfileList;
1173 // First member of the class, gets constructed first and destructed last
1174 GnuTLS::Init libinit;
1175 RandGen randhandler;
1176 ProfileList profiles;
1180 // First, store all profiles in a new, temporary container. If no problems occur, swap the two
1181 // containers; this way if something goes wrong we can go back and continue using the current profiles,
1182 // avoiding unpleasant situations where no new SSL connections are possible.
1183 ProfileList newprofiles;
1185 ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
1186 if (tags.first == tags.second)
1188 // No <sslprofile> tags found, create a profile named "gnutls" from settings in the <gnutls> block
1189 const std::string defname = "gnutls";
1190 ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
1191 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the <gnutls> tag");
1195 reference<GnuTLS::Profile> profile(GnuTLS::Profile::Create(defname, tag));
1196 newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
1198 catch (CoreException& ex)
1200 throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
1204 for (ConfigIter i = tags.first; i != tags.second; ++i)
1206 ConfigTag* tag = i->second;
1207 if (tag->getString("provider") != "gnutls")
1210 std::string name = tag->getString("name");
1213 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
1217 reference<GnuTLS::Profile> profile;
1220 profile = GnuTLS::Profile::Create(name, tag);
1222 catch (CoreException& ex)
1224 throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
1227 newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
1230 // New profiles are ok, begin using them
1231 // Old profiles are deleted when their refcount drops to zero
1232 profiles.swap(newprofiles);
1238 #ifndef GNUTLS_HAS_RND
1239 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
1243 void init() CXX11_OVERRIDE
1245 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "GnuTLS lib version %s module was compiled for " GNUTLS_VERSION, gnutls_check_version(NULL));
1247 ServerInstance->GenRandom = &randhandler;
1250 void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE
1259 catch (ModuleException& ex)
1261 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, ex.GetReason() + " Not applying settings.");
1267 ServerInstance->GenRandom = &ServerInstance->HandleGenRandom;
1270 void OnCleanup(int target_type, void* item) CXX11_OVERRIDE
1272 if(target_type == TYPE_USER)
1274 LocalUser* user = IS_LOCAL(static_cast<User*>(item));
1276 if (user && user->eh.GetIOHook() && user->eh.GetIOHook()->prov->creator == this)
1278 // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
1279 // Potentially there could be multiple SSL modules loaded at once on different ports.
1280 ServerInstance->Users->QuitUser(user, "SSL module unloading");
1285 Version GetVersion() CXX11_OVERRIDE
1287 return Version("Provides SSL support for clients", VF_VENDOR);
1290 void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
1292 IOHook* hook = user->eh.GetIOHook();
1293 if (hook && hook->prov->creator == this)
1294 static_cast<GnuTLSIOHook*>(hook)->TellCiphersAndFingerprint(user);
1297 ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE
1299 if ((user->eh.GetIOHook()) && (user->eh.GetIOHook()->prov->creator == this))
1301 GnuTLSIOHook* iohook = static_cast<GnuTLSIOHook*>(user->eh.GetIOHook());
1302 if (!iohook->IsHandshakeDone())
1303 return MOD_RES_DENY;
1306 return MOD_RES_PASSTHRU;
1310 MODULE_INIT(ModuleSSLGnuTLS)