]> git.netwichtig.de Git - user/henk/code/inspircd.git/blob - src/modules/extra/m_ssl_gnutls.cpp
Automatically apply +P to all permanent channels.
[user/henk/code/inspircd.git] / src / modules / extra / m_ssl_gnutls.cpp
1 /*
2  * InspIRCd -- Internet Relay Chat Daemon
3  *
4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
5  *   Copyright (C) 2008 John Brooks <john.brooks@dereferenced.net>
6  *   Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
7  *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
8  *   Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
9  *
10  * This file is part of InspIRCd.  InspIRCd is free software: you can
11  * redistribute it and/or modify it under the terms of the GNU General Public
12  * License as published by the Free Software Foundation, version 2.
13  *
14  * This program is distributed in the hope that it will be useful, but WITHOUT
15  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
17  * details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  */
22
23 /// $CompilerFlags: find_compiler_flags("gnutls")
24 /// $CompilerFlags: require_version("gnutls" "1.0" "2.12") execute("libgcrypt-config --cflags" "LIBGCRYPT_CXXFLAGS")
25
26 /// $LinkerFlags: find_linker_flags("gnutls" "-lgnutls")
27 /// $LinkerFlags: require_version("gnutls" "1.0" "2.12") execute("libgcrypt-config --libs" "LIBGCRYPT_LDFLAGS")
28
29 /// $PackageInfo: require_system("centos") gnutls-devel pkgconfig
30 /// $PackageInfo: require_system("darwin") gnutls pkg-config
31 /// $PackageInfo: require_system("ubuntu" "1.0" "13.10") libgcrypt11-dev
32 /// $PackageInfo: require_system("ubuntu" "14.04") gnutls-bin libgnutls-dev pkg-config
33
34 #include "inspircd.h"
35 #include "modules/ssl.h"
36 #include <memory>
37
38 // Fix warnings about the use of commas at end of enumerator lists on C++03.
39 #if defined __clang__
40 # pragma clang diagnostic ignored "-Wc++11-extensions"
41 #elif defined __GNUC__
42 # if __GNUC__ < 6
43 #  pragma GCC diagnostic ignored "-pedantic"
44 # else
45 #  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
46 # endif
47 #endif
48
49 #include <gnutls/gnutls.h>
50 #include <gnutls/x509.h>
51
52 #ifndef GNUTLS_VERSION_NUMBER
53 #define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
54 #define GNUTLS_VERSION LIBGNUTLS_VERSION
55 #endif
56
57 // Check if the GnuTLS library is at least version major.minor.patch
58 #define INSPIRCD_GNUTLS_HAS_VERSION(major, minor, patch) (GNUTLS_VERSION_NUMBER >= ((major << 16) | (minor << 8) | patch))
59
60 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 9, 8)
61 #define GNUTLS_HAS_MAC_GET_ID
62 #include <gnutls/crypto.h>
63 #endif
64
65 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
66 # define GNUTLS_HAS_RND
67 #else
68 # include <gcrypt.h>
69 #endif
70
71 #ifdef _WIN32
72 # pragma comment(lib, "libgnutls-30.lib")
73 #endif
74
75 // These don't exist in older GnuTLS versions
76 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 1, 7)
77 #define GNUTLS_NEW_PRIO_API
78 #endif
79
80 #if (!INSPIRCD_GNUTLS_HAS_VERSION(2, 0, 0))
81 typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
82 typedef gnutls_dh_params_t gnutls_dh_params;
83 #endif
84
85 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_HANDSHAKEN };
86
87 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
88 #define INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
89 #define GNUTLS_NEW_CERT_CALLBACK_API
90 typedef gnutls_retr2_st cert_cb_last_param_type;
91 #else
92 typedef gnutls_retr_st cert_cb_last_param_type;
93 #endif
94
95 #if INSPIRCD_GNUTLS_HAS_VERSION(3, 3, 5)
96 #define INSPIRCD_GNUTLS_HAS_RECV_PACKET
97 #endif
98
99 #if INSPIRCD_GNUTLS_HAS_VERSION(2, 99, 0)
100 // The second parameter of gnutls_init() has changed in 2.99.0 from gnutls_connection_end_t to unsigned int
101 // (it became a general flags parameter) and the enum has been deprecated and generates a warning on use.
102 typedef unsigned int inspircd_gnutls_session_init_flags_t;
103 #else
104 typedef gnutls_connection_end_t inspircd_gnutls_session_init_flags_t;
105 #endif
106
107 #if INSPIRCD_GNUTLS_HAS_VERSION(3, 1, 9)
108 #define INSPIRCD_GNUTLS_HAS_CORK
109 #endif
110
111 static Module* thismod;
112
113 class RandGen : public HandlerBase2<void, char*, size_t>
114 {
115  public:
116         void Call(char* buffer, size_t len)
117         {
118 #ifdef GNUTLS_HAS_RND
119                 gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);
120 #else
121                 gcry_randomize(buffer, len, GCRY_STRONG_RANDOM);
122 #endif
123         }
124 };
125
126 namespace GnuTLS
127 {
128         class Init
129         {
130          public:
131                 Init() { gnutls_global_init(); }
132                 ~Init() { gnutls_global_deinit(); }
133         };
134
135         class Exception : public ModuleException
136         {
137          public:
138                 Exception(const std::string& reason)
139                         : ModuleException(reason) { }
140         };
141
142         void ThrowOnError(int errcode, const char* msg)
143         {
144                 if (errcode < 0)
145                 {
146                         std::string reason = msg;
147                         reason.append(" :").append(gnutls_strerror(errcode));
148                         throw Exception(reason);
149                 }
150         }
151
152         /** Used to create a gnutls_datum_t* from a std::string
153          */
154         class Datum
155         {
156                 gnutls_datum_t datum;
157
158          public:
159                 Datum(const std::string& dat)
160                 {
161                         datum.data = (unsigned char*)dat.data();
162                         datum.size = static_cast<unsigned int>(dat.length());
163                 }
164
165                 const gnutls_datum_t* get() const { return &datum; }
166         };
167
168         class Hash
169         {
170                 gnutls_digest_algorithm_t hash;
171
172          public:
173                 // Nothing to deallocate, constructor may throw freely
174                 Hash(const std::string& hashname)
175                 {
176                         // As older versions of gnutls can't do this, let's disable it where needed.
177 #ifdef GNUTLS_HAS_MAC_GET_ID
178                         // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this
179                         // There is no gnutls_dig_get_id() at the moment, but it may come later
180                         hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());
181                         if (hash == GNUTLS_DIG_UNKNOWN)
182                                 throw Exception("Unknown hash type " + hashname);
183
184                         // Check if the user is giving us something that is a valid MAC but not digest
185                         gnutls_hash_hd_t is_digest;
186                         if (gnutls_hash_init(&is_digest, hash) < 0)
187                                 throw Exception("Unknown hash type " + hashname);
188                         gnutls_hash_deinit(is_digest, NULL);
189 #else
190                         if (hashname == "md5")
191                                 hash = GNUTLS_DIG_MD5;
192                         else if (hashname == "sha1")
193                                 hash = GNUTLS_DIG_SHA1;
194 #ifdef INSPIRCD_GNUTLS_ENABLE_SHA256_FINGERPRINT
195                         else if (hashname == "sha256")
196                                 hash = GNUTLS_DIG_SHA256;
197 #endif
198                         else
199                                 throw Exception("Unknown hash type " + hashname);
200 #endif
201                 }
202
203                 gnutls_digest_algorithm_t get() const { return hash; }
204         };
205
206         class DHParams
207         {
208                 gnutls_dh_params_t dh_params;
209
210                 DHParams()
211                 {
212                         ThrowOnError(gnutls_dh_params_init(&dh_params), "gnutls_dh_params_init() failed");
213                 }
214
215          public:
216                 /** Import */
217                 static std::auto_ptr<DHParams> Import(const std::string& dhstr)
218                 {
219                         std::auto_ptr<DHParams> dh(new DHParams);
220                         int ret = gnutls_dh_params_import_pkcs3(dh->dh_params, Datum(dhstr).get(), GNUTLS_X509_FMT_PEM);
221                         ThrowOnError(ret, "Unable to import DH params");
222                         return dh;
223                 }
224
225                 ~DHParams()
226                 {
227                         gnutls_dh_params_deinit(dh_params);
228                 }
229
230                 const gnutls_dh_params_t& get() const { return dh_params; }
231         };
232
233         class X509Key
234         {
235                 /** Ensure that the key is deinited in case the constructor of X509Key throws
236                  */
237                 class RAIIKey
238                 {
239                  public:
240                         gnutls_x509_privkey_t key;
241
242                         RAIIKey()
243                         {
244                                 ThrowOnError(gnutls_x509_privkey_init(&key), "gnutls_x509_privkey_init() failed");
245                         }
246
247                         ~RAIIKey()
248                         {
249                                 gnutls_x509_privkey_deinit(key);
250                         }
251                 } key;
252
253          public:
254                 /** Import */
255                 X509Key(const std::string& keystr)
256                 {
257                         int ret = gnutls_x509_privkey_import(key.key, Datum(keystr).get(), GNUTLS_X509_FMT_PEM);
258                         ThrowOnError(ret, "Unable to import private key");
259                 }
260
261                 gnutls_x509_privkey_t& get() { return key.key; }
262         };
263
264         class X509CertList
265         {
266                 std::vector<gnutls_x509_crt_t> certs;
267
268          public:
269                 /** Import */
270                 X509CertList(const std::string& certstr)
271                 {
272                         unsigned int certcount = 3;
273                         certs.resize(certcount);
274                         Datum datum(certstr);
275
276                         int ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
277                         if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
278                         {
279                                 // the buffer wasn't big enough to hold all certs but gnutls changed certcount to the number of available certs,
280                                 // try again with a bigger buffer
281                                 certs.resize(certcount);
282                                 ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
283                         }
284
285                         ThrowOnError(ret, "Unable to load certificates");
286
287                         // Resize the vector to the actual number of certs because we rely on its size being correct
288                         // when deallocating the certs
289                         certs.resize(certcount);
290                 }
291
292                 ~X509CertList()
293                 {
294                         for (std::vector<gnutls_x509_crt_t>::iterator i = certs.begin(); i != certs.end(); ++i)
295                                 gnutls_x509_crt_deinit(*i);
296                 }
297
298                 gnutls_x509_crt_t* raw() { return &certs[0]; }
299                 unsigned int size() const { return certs.size(); }
300         };
301
302         class X509CRL : public refcountbase
303         {
304                 class RAIICRL
305                 {
306                  public:
307                         gnutls_x509_crl_t crl;
308
309                         RAIICRL()
310                         {
311                                 ThrowOnError(gnutls_x509_crl_init(&crl), "gnutls_x509_crl_init() failed");
312                         }
313
314                         ~RAIICRL()
315                         {
316                                 gnutls_x509_crl_deinit(crl);
317                         }
318                 } crl;
319
320          public:
321                 /** Import */
322                 X509CRL(const std::string& crlstr)
323                 {
324                         int ret = gnutls_x509_crl_import(get(), Datum(crlstr).get(), GNUTLS_X509_FMT_PEM);
325                         ThrowOnError(ret, "Unable to load certificate revocation list");
326                 }
327
328                 gnutls_x509_crl_t& get() { return crl.crl; }
329         };
330
331 #ifdef GNUTLS_NEW_PRIO_API
332         class Priority
333         {
334                 gnutls_priority_t priority;
335
336          public:
337                 Priority(const std::string& priorities)
338                 {
339                         // Try to set the priorities for ciphers, kex methods etc. to the user supplied string
340                         // If the user did not supply anything then the string is already set to "NORMAL"
341                         const char* priocstr = priorities.c_str();
342                         const char* prioerror;
343
344                         int ret = gnutls_priority_init(&priority, priocstr, &prioerror);
345                         if (ret < 0)
346                         {
347                                 // gnutls did not understand the user supplied string
348                                 throw Exception("Unable to initialize priorities to \"" + priorities + "\": " + gnutls_strerror(ret) + " Syntax error at position " + ConvToStr((unsigned int) (prioerror - priocstr)));
349                         }
350                 }
351
352                 ~Priority()
353                 {
354                         gnutls_priority_deinit(priority);
355                 }
356
357                 void SetupSession(gnutls_session_t sess)
358                 {
359                         gnutls_priority_set(sess, priority);
360                 }
361
362                 static const char* GetDefault()
363                 {
364                         return "NORMAL:%SERVER_PRECEDENCE:-VERS-SSL3.0";
365                 }
366
367                 static std::string RemoveUnknownTokens(const std::string& prio)
368                 {
369                         std::string ret;
370                         irc::sepstream ss(prio, ':');
371                         for (std::string token; ss.GetToken(token); )
372                         {
373                                 // Save current position so we can revert later if needed
374                                 const std::string::size_type prevpos = ret.length();
375                                 // Append next token
376                                 if (!ret.empty())
377                                         ret.push_back(':');
378                                 ret.append(token);
379
380                                 gnutls_priority_t test;
381                                 if (gnutls_priority_init(&test, ret.c_str(), NULL) < 0)
382                                 {
383                                         // The new token broke the priority string, revert to the previously working one
384                                         ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Priority string token not recognized: \"%s\"", token.c_str());
385                                         ret.erase(prevpos);
386                                 }
387                                 else
388                                 {
389                                         // Worked
390                                         gnutls_priority_deinit(test);
391                                 }
392                         }
393                         return ret;
394                 }
395         };
396 #else
397         /** Dummy class, used when gnutls_priority_set() is not available
398          */
399         class Priority
400         {
401          public:
402                 Priority(const std::string& priorities)
403                 {
404                         if (priorities != GetDefault())
405                                 throw Exception("You've set a non-default priority string, but GnuTLS lacks support for it");
406                 }
407
408                 static void SetupSession(gnutls_session_t sess)
409                 {
410                         // Always set the default priorities
411                         gnutls_set_default_priority(sess);
412                 }
413
414                 static const char* GetDefault()
415                 {
416                         return "NORMAL";
417                 }
418
419                 static std::string RemoveUnknownTokens(const std::string& prio)
420                 {
421                         // We don't do anything here because only NORMAL is accepted
422                         return prio;
423                 }
424         };
425 #endif
426
427         class CertCredentials
428         {
429                 /** DH parameters associated with these credentials
430                  */
431                 std::auto_ptr<DHParams> dh;
432
433          protected:
434                 gnutls_certificate_credentials_t cred;
435
436          public:
437                 CertCredentials()
438                 {
439                         ThrowOnError(gnutls_certificate_allocate_credentials(&cred), "Cannot allocate certificate credentials");
440                 }
441
442                 ~CertCredentials()
443                 {
444                         gnutls_certificate_free_credentials(cred);
445                 }
446
447                 /** Associates these credentials with the session
448                  */
449                 void SetupSession(gnutls_session_t sess)
450                 {
451                         gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE, cred);
452                 }
453
454                 /** Set the given DH parameters to be used with these credentials
455                  */
456                 void SetDH(std::auto_ptr<DHParams>& DH)
457                 {
458                         dh = DH;
459                         gnutls_certificate_set_dh_params(cred, dh->get());
460                 }
461         };
462
463         class X509Credentials : public CertCredentials
464         {
465                 /** Private key
466                  */
467                 X509Key key;
468
469                 /** Certificate list, presented to the peer
470                  */
471                 X509CertList certs;
472
473                 /** Trusted CA, may be NULL
474                  */
475                 std::auto_ptr<X509CertList> trustedca;
476
477                 /** Certificate revocation list, may be NULL
478                  */
479                 std::auto_ptr<X509CRL> crl;
480
481                 static int cert_callback(gnutls_session_t session, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st);
482
483          public:
484                 X509Credentials(const std::string& certstr, const std::string& keystr)
485                         : key(keystr)
486                         , certs(certstr)
487                 {
488                         // Throwing is ok here, the destructor of Credentials is called in that case
489                         int ret = gnutls_certificate_set_x509_key(cred, certs.raw(), certs.size(), key.get());
490                         ThrowOnError(ret, "Unable to set cert/key pair");
491
492 #ifdef GNUTLS_NEW_CERT_CALLBACK_API
493                         gnutls_certificate_set_retrieve_function(cred, cert_callback);
494 #else
495                         gnutls_certificate_client_set_retrieve_function(cred, cert_callback);
496 #endif
497                 }
498
499                 /** Sets the trusted CA and the certificate revocation list
500                  * to use when verifying certificates
501                  */
502                 void SetCA(std::auto_ptr<X509CertList>& certlist, std::auto_ptr<X509CRL>& CRL)
503                 {
504                         // Do nothing if certlist is NULL
505                         if (certlist.get())
506                         {
507                                 int ret = gnutls_certificate_set_x509_trust(cred, certlist->raw(), certlist->size());
508                                 ThrowOnError(ret, "gnutls_certificate_set_x509_trust() failed");
509
510                                 if (CRL.get())
511                                 {
512                                         ret = gnutls_certificate_set_x509_crl(cred, &CRL->get(), 1);
513                                         ThrowOnError(ret, "gnutls_certificate_set_x509_crl() failed");
514                                 }
515
516                                 trustedca = certlist;
517                                 crl = CRL;
518                         }
519                 }
520         };
521
522         class DataReader
523         {
524                 int retval;
525 #ifdef INSPIRCD_GNUTLS_HAS_RECV_PACKET
526                 gnutls_packet_t packet;
527
528          public:
529                 DataReader(gnutls_session_t sess)
530                 {
531                         // Using the packet API avoids the final copy of the data which GnuTLS does if we supply
532                         // our own buffer. Instead, we get the buffer containing the data from GnuTLS and copy it
533                         // to the recvq directly from there in appendto().
534                         retval = gnutls_record_recv_packet(sess, &packet);
535                 }
536
537                 void appendto(std::string& recvq)
538                 {
539                         // Copy data from GnuTLS buffers to recvq
540                         gnutls_datum_t datum;
541                         gnutls_packet_get(packet, &datum, NULL);
542                         recvq.append(reinterpret_cast<const char*>(datum.data), datum.size);
543
544                         gnutls_packet_deinit(packet);
545                 }
546 #else
547                 char* const buffer;
548
549          public:
550                 DataReader(gnutls_session_t sess)
551                         : buffer(ServerInstance->GetReadBuffer())
552                 {
553                         // Read data from GnuTLS buffers into ReadBuffer
554                         retval = gnutls_record_recv(sess, buffer, ServerInstance->Config->NetBufferSize);
555                 }
556
557                 void appendto(std::string& recvq)
558                 {
559                         // Copy data from ReadBuffer to recvq
560                         recvq.append(buffer, retval);
561                 }
562 #endif
563
564                 int ret() const { return retval; }
565         };
566
567         class Profile : public refcountbase
568         {
569                 /** Name of this profile
570                  */
571                 const std::string name;
572
573                 /** X509 certificate(s) and key
574                  */
575                 X509Credentials x509cred;
576
577                 /** The minimum length in bits for the DH prime to be accepted as a client
578                  */
579                 unsigned int min_dh_bits;
580
581                 /** Hashing algorithm to use when generating certificate fingerprints
582                  */
583                 Hash hash;
584
585                 /** Priorities for ciphers, compression methods, etc.
586                  */
587                 Priority priority;
588
589                 /** Rough max size of records to send
590                  */
591                 const unsigned int outrecsize;
592
593                 /** True to request a client certificate as a server
594                  */
595                 const bool requestclientcert;
596
597                 Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
598                                 std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
599                                 const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL,
600                                 unsigned int recsize, bool Requestclientcert)
601                         : name(profilename)
602                         , x509cred(certstr, keystr)
603                         , min_dh_bits(mindh)
604                         , hash(hashstr)
605                         , priority(priostr)
606                         , outrecsize(recsize)
607                         , requestclientcert(Requestclientcert)
608                 {
609                         x509cred.SetDH(DH);
610                         x509cred.SetCA(CA, CRL);
611                 }
612
613                 static std::string ReadFile(const std::string& filename)
614                 {
615                         FileReader reader(filename);
616                         std::string ret = reader.GetString();
617                         if (ret.empty())
618                                 throw Exception("Cannot read file " + filename);
619                         return ret;
620                 }
621
622                 static std::string GetPrioStr(const std::string& profilename, ConfigTag* tag)
623                 {
624                         // Use default priority string if this tag does not specify one
625                         std::string priostr = GnuTLS::Priority::GetDefault();
626                         bool found = tag->readString("priority", priostr);
627                         // If the prio string isn't set in the config don't be strict about the default one because it doesn't work on all versions of GnuTLS
628                         if (!tag->getBool("strictpriority", found))
629                         {
630                                 std::string stripped = GnuTLS::Priority::RemoveUnknownTokens(priostr);
631                                 if (stripped.empty())
632                                 {
633                                         // Stripping failed, act as if a prio string wasn't set
634                                         stripped = GnuTLS::Priority::RemoveUnknownTokens(GnuTLS::Priority::GetDefault());
635                                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Priority string for profile \"%s\" contains unknown tokens and stripping it didn't yield a working one either, falling back to \"%s\"", profilename.c_str(), stripped.c_str());
636                                 }
637                                 else if ((found) && (stripped != priostr))
638                                 {
639                                         // Prio string was set in the config and we ended up with something that works but different
640                                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Priority string for profile \"%s\" contains unknown tokens, stripped to \"%s\"", profilename.c_str(), stripped.c_str());
641                                 }
642                                 priostr.swap(stripped);
643                         }
644                         return priostr;
645                 }
646
647          public:
648                 static reference<Profile> Create(const std::string& profilename, ConfigTag* tag)
649                 {
650                         std::string certstr = ReadFile(tag->getString("certfile", "cert.pem"));
651                         std::string keystr = ReadFile(tag->getString("keyfile", "key.pem"));
652
653                         std::auto_ptr<DHParams> dh = DHParams::Import(ReadFile(tag->getString("dhfile", "dhparams.pem")));
654
655                         std::string priostr = GetPrioStr(profilename, tag);
656                         unsigned int mindh = tag->getInt("mindhbits", 1024);
657                         std::string hashstr = tag->getString("hash", "md5");
658
659                         // Load trusted CA and revocation list, if set
660                         std::auto_ptr<X509CertList> ca;
661                         std::auto_ptr<X509CRL> crl;
662                         std::string filename = tag->getString("cafile");
663                         if (!filename.empty())
664                         {
665                                 ca.reset(new X509CertList(ReadFile(filename)));
666
667                                 filename = tag->getString("crlfile");
668                                 if (!filename.empty())
669                                         crl.reset(new X509CRL(ReadFile(filename)));
670                         }
671
672 #ifdef INSPIRCD_GNUTLS_HAS_CORK
673                         // If cork support is available outrecsize represents the (rough) max amount of data we give GnuTLS while corked
674                         unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512);
675 #else
676                         unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
677 #endif
678
679                         const bool requestclientcert = tag->getBool("requestclientcert", true);
680
681                         return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize, requestclientcert);
682                 }
683
684                 /** Set up the given session with the settings in this profile
685                  */
686                 void SetupSession(gnutls_session_t sess)
687                 {
688                         priority.SetupSession(sess);
689                         x509cred.SetupSession(sess);
690                         gnutls_dh_set_prime_bits(sess, min_dh_bits);
691
692                         // Request client certificate if enabled and we are a server, no-op if we're a client
693                         if (requestclientcert)
694                                 gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
695                 }
696
697                 const std::string& GetName() const { return name; }
698                 X509Credentials& GetX509Credentials() { return x509cred; }
699                 gnutls_digest_algorithm_t GetHash() const { return hash.get(); }
700                 unsigned int GetOutgoingRecordSize() const { return outrecsize; }
701         };
702 }
703
704 class GnuTLSIOHook : public SSLIOHook
705 {
706  private:
707         gnutls_session_t sess;
708         issl_status status;
709         reference<GnuTLS::Profile> profile;
710 #ifdef INSPIRCD_GNUTLS_HAS_CORK
711         size_t gbuffersize;
712 #endif
713
714         void CloseSession()
715         {
716                 if (this->sess)
717                 {
718                         gnutls_bye(this->sess, GNUTLS_SHUT_WR);
719                         gnutls_deinit(this->sess);
720                 }
721                 sess = NULL;
722                 certificate = NULL;
723                 status = ISSL_NONE;
724         }
725
726         // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed
727         int Handshake(StreamSocket* user)
728         {
729                 int ret = gnutls_handshake(this->sess);
730
731                 if (ret < 0)
732                 {
733                         if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
734                         {
735                                 // Handshake needs resuming later, read() or write() would have blocked.
736                                 this->status = ISSL_HANDSHAKING;
737
738                                 if (gnutls_record_get_direction(this->sess) == 0)
739                                 {
740                                         // gnutls_handshake() wants to read() again.
741                                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
742                                 }
743                                 else
744                                 {
745                                         // gnutls_handshake() wants to write() again.
746                                         SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
747                                 }
748
749                                 return 0;
750                         }
751                         else
752                         {
753                                 user->SetError("Handshake Failed - " + std::string(gnutls_strerror(ret)));
754                                 CloseSession();
755                                 return -1;
756                         }
757                 }
758                 else
759                 {
760                         // Change the seesion state
761                         this->status = ISSL_HANDSHAKEN;
762
763                         VerifyCertificate();
764
765                         // Finish writing, if any left
766                         SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
767
768                         return 1;
769                 }
770         }
771
772         void VerifyCertificate()
773         {
774                 unsigned int certstatus;
775                 const gnutls_datum_t* cert_list;
776                 int ret;
777                 unsigned int cert_list_size;
778                 gnutls_x509_crt_t cert;
779                 char str[512];
780                 unsigned char digest[512];
781                 size_t digest_size = sizeof(digest);
782                 size_t name_size = sizeof(str);
783                 ssl_cert* certinfo = new ssl_cert;
784                 this->certificate = certinfo;
785
786                 /* This verification function uses the trusted CAs in the credentials
787                  * structure. So you must have installed one or more CA certificates.
788                  */
789                 ret = gnutls_certificate_verify_peers2(this->sess, &certstatus);
790
791                 if (ret < 0)
792                 {
793                         certinfo->error = std::string(gnutls_strerror(ret));
794                         return;
795                 }
796
797                 certinfo->invalid = (certstatus & GNUTLS_CERT_INVALID);
798                 certinfo->unknownsigner = (certstatus & GNUTLS_CERT_SIGNER_NOT_FOUND);
799                 certinfo->revoked = (certstatus & GNUTLS_CERT_REVOKED);
800                 certinfo->trusted = !(certstatus & GNUTLS_CERT_SIGNER_NOT_CA);
801
802                 /* Up to here the process is the same for X.509 certificates and
803                  * OpenPGP keys. From now on X.509 certificates are assumed. This can
804                  * be easily extended to work with openpgp keys as well.
805                  */
806                 if (gnutls_certificate_type_get(this->sess) != GNUTLS_CRT_X509)
807                 {
808                         certinfo->error = "No X509 keys sent";
809                         return;
810                 }
811
812                 ret = gnutls_x509_crt_init(&cert);
813                 if (ret < 0)
814                 {
815                         certinfo->error = gnutls_strerror(ret);
816                         return;
817                 }
818
819                 cert_list_size = 0;
820                 cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size);
821                 if (cert_list == NULL)
822                 {
823                         certinfo->error = "No certificate was found";
824                         goto info_done_dealloc;
825                 }
826
827                 /* This is not a real world example, since we only check the first
828                  * certificate in the given chain.
829                  */
830
831                 ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
832                 if (ret < 0)
833                 {
834                         certinfo->error = gnutls_strerror(ret);
835                         goto info_done_dealloc;
836                 }
837
838                 if (gnutls_x509_crt_get_dn(cert, str, &name_size) == 0)
839                 {
840                         std::string& dn = certinfo->dn;
841                         dn = str;
842                         // Make sure there are no chars in the string that we consider invalid
843                         if (dn.find_first_of("\r\n") != std::string::npos)
844                                 dn.clear();
845                 }
846
847                 name_size = sizeof(str);
848                 if (gnutls_x509_crt_get_issuer_dn(cert, str, &name_size) == 0)
849                 {
850                         std::string& issuer = certinfo->issuer;
851                         issuer = str;
852                         if (issuer.find_first_of("\r\n") != std::string::npos)
853                                 issuer.clear();
854                 }
855
856                 if ((ret = gnutls_x509_crt_get_fingerprint(cert, profile->GetHash(), digest, &digest_size)) < 0)
857                 {
858                         certinfo->error = gnutls_strerror(ret);
859                 }
860                 else
861                 {
862                         certinfo->fingerprint = BinToHex(digest, digest_size);
863                 }
864
865                 /* Beware here we do not check for errors.
866                  */
867                 if ((gnutls_x509_crt_get_expiration_time(cert) < ServerInstance->Time()) || (gnutls_x509_crt_get_activation_time(cert) > ServerInstance->Time()))
868                 {
869                         certinfo->error = "Not activated, or expired certificate";
870                 }
871
872 info_done_dealloc:
873                 gnutls_x509_crt_deinit(cert);
874         }
875
876         // Returns 1 if application I/O should proceed, 0 if it must wait for the underlying protocol to progress, -1 on fatal error
877         int PrepareIO(StreamSocket* sock)
878         {
879                 if (status == ISSL_HANDSHAKEN)
880                         return 1;
881                 else if (status == ISSL_HANDSHAKING)
882                 {
883                         // The handshake isn't finished, try to finish it
884                         return Handshake(sock);
885                 }
886
887                 CloseSession();
888                 sock->SetError("No SSL session");
889                 return -1;
890         }
891
892 #ifdef INSPIRCD_GNUTLS_HAS_CORK
893         int FlushBuffer(StreamSocket* sock)
894         {
895                 // If GnuTLS has some data buffered, write it
896                 if (gbuffersize)
897                         return HandleWriteRet(sock, gnutls_record_uncork(this->sess, 0));
898                 return 1;
899         }
900 #endif
901
902         int HandleWriteRet(StreamSocket* sock, int ret)
903         {
904                 if (ret > 0)
905                 {
906 #ifdef INSPIRCD_GNUTLS_HAS_CORK
907                         gbuffersize -= ret;
908                         if (gbuffersize)
909                         {
910                                 SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
911                                 return 0;
912                         }
913 #endif
914                         return ret;
915                 }
916                 else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
917                 {
918                         SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
919                         return 0;
920                 }
921                 else // (ret < 0)
922                 {
923                         sock->SetError(gnutls_strerror(ret));
924                         CloseSession();
925                         return -1;
926                 }
927         }
928
929         static const char* UnknownIfNULL(const char* str)
930         {
931                 return str ? str : "UNKNOWN";
932         }
933
934         static ssize_t gnutls_pull_wrapper(gnutls_transport_ptr_t session_wrap, void* buffer, size_t size)
935         {
936                 StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
937 #ifdef _WIN32
938                 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetModHook(thismod));
939 #endif
940
941                 if (sock->GetEventMask() & FD_READ_WILL_BLOCK)
942                 {
943 #ifdef _WIN32
944                         gnutls_transport_set_errno(session->sess, EAGAIN);
945 #else
946                         errno = EAGAIN;
947 #endif
948                         return -1;
949                 }
950
951                 int rv = SocketEngine::Recv(sock, reinterpret_cast<char *>(buffer), size, 0);
952
953 #ifdef _WIN32
954                 if (rv < 0)
955                 {
956                         /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
957                          * and then set errno appropriately.
958                          * The gnutls library may also have a different errno variable than us, see
959                          * gnutls_transport_set_errno(3).
960                          */
961                         gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
962                 }
963 #endif
964
965                 if (rv < (int)size)
966                         SocketEngine::ChangeEventMask(sock, FD_READ_WILL_BLOCK);
967                 return rv;
968         }
969
970 #ifdef INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
971         static ssize_t VectorPush(gnutls_transport_ptr_t transportptr, const giovec_t* iov, int iovcnt)
972         {
973                 StreamSocket* sock = reinterpret_cast<StreamSocket*>(transportptr);
974 #ifdef _WIN32
975                 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetModHook(thismod));
976 #endif
977
978                 if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
979                 {
980 #ifdef _WIN32
981                         gnutls_transport_set_errno(session->sess, EAGAIN);
982 #else
983                         errno = EAGAIN;
984 #endif
985                         return -1;
986                 }
987
988                 // Cast the giovec_t to iovec not to IOVector so the correct function is called on Windows
989                 int ret = SocketEngine::WriteV(sock, reinterpret_cast<const iovec*>(iov), iovcnt);
990 #ifdef _WIN32
991                 // See the function above for more info about the usage of gnutls_transport_set_errno() on Windows
992                 if (ret < 0)
993                         gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
994 #endif
995
996                 int size = 0;
997                 for (int i = 0; i < iovcnt; i++)
998                         size += iov[i].iov_len;
999
1000                 if (ret < size)
1001                         SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
1002                 return ret;
1003         }
1004
1005 #else // INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
1006         static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t session_wrap, const void* buffer, size_t size)
1007         {
1008                 StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
1009 #ifdef _WIN32
1010                 GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetModHook(thismod));
1011 #endif
1012
1013                 if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
1014                 {
1015 #ifdef _WIN32
1016                         gnutls_transport_set_errno(session->sess, EAGAIN);
1017 #else
1018                         errno = EAGAIN;
1019 #endif
1020                         return -1;
1021                 }
1022
1023                 int rv = SocketEngine::Send(sock, reinterpret_cast<const char *>(buffer), size, 0);
1024
1025 #ifdef _WIN32
1026                 if (rv < 0)
1027                 {
1028                         /* Windows doesn't use errno, but gnutls does, so check SocketEngine::IgnoreError()
1029                          * and then set errno appropriately.
1030                          * The gnutls library may also have a different errno variable than us, see
1031                          * gnutls_transport_set_errno(3).
1032                          */
1033                         gnutls_transport_set_errno(session->sess, SocketEngine::IgnoreError() ? EAGAIN : errno);
1034                 }
1035 #endif
1036
1037                 if (rv < (int)size)
1038                         SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
1039                 return rv;
1040         }
1041 #endif // INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
1042
1043  public:
1044         GnuTLSIOHook(IOHookProvider* hookprov, StreamSocket* sock, inspircd_gnutls_session_init_flags_t flags, const reference<GnuTLS::Profile>& sslprofile)
1045                 : SSLIOHook(hookprov)
1046                 , sess(NULL)
1047                 , status(ISSL_NONE)
1048                 , profile(sslprofile)
1049 #ifdef INSPIRCD_GNUTLS_HAS_CORK
1050                 , gbuffersize(0)
1051 #endif
1052         {
1053                 gnutls_init(&sess, flags);
1054                 gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(sock));
1055 #ifdef INSPIRCD_GNUTLS_HAS_VECTOR_PUSH
1056                 gnutls_transport_set_vec_push_function(sess, VectorPush);
1057 #else
1058                 gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
1059 #endif
1060                 gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);
1061                 profile->SetupSession(sess);
1062
1063                 sock->AddIOHook(this);
1064                 Handshake(sock);
1065         }
1066
1067         void OnStreamSocketClose(StreamSocket* user) CXX11_OVERRIDE
1068         {
1069                 CloseSession();
1070         }
1071
1072         int OnStreamSocketRead(StreamSocket* user, std::string& recvq) CXX11_OVERRIDE
1073         {
1074                 // Finish handshake if needed
1075                 int prepret = PrepareIO(user);
1076                 if (prepret <= 0)
1077                         return prepret;
1078
1079                 // If we resumed the handshake then this->status will be ISSL_HANDSHAKEN.
1080                 {
1081                         GnuTLS::DataReader reader(sess);
1082                         int ret = reader.ret();
1083                         if (ret > 0)
1084                         {
1085                                 reader.appendto(recvq);
1086                                 // Schedule a read if there is still data in the GnuTLS buffer
1087                                 if (gnutls_record_check_pending(sess) > 0)
1088                                         SocketEngine::ChangeEventMask(user, FD_ADD_TRIAL_READ);
1089                                 return 1;
1090                         }
1091                         else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
1092                         {
1093                                 return 0;
1094                         }
1095                         else if (ret == 0)
1096                         {
1097                                 user->SetError("Connection closed");
1098                                 CloseSession();
1099                                 return -1;
1100                         }
1101                         else
1102                         {
1103                                 user->SetError(gnutls_strerror(ret));
1104                                 CloseSession();
1105                                 return -1;
1106                         }
1107                 }
1108         }
1109
1110         int OnStreamSocketWrite(StreamSocket* user, StreamSocket::SendQueue& sendq) CXX11_OVERRIDE
1111         {
1112                 // Finish handshake if needed
1113                 int prepret = PrepareIO(user);
1114                 if (prepret <= 0)
1115                         return prepret;
1116
1117                 // Session is ready for transferring application data
1118
1119 #ifdef INSPIRCD_GNUTLS_HAS_CORK
1120                 while (true)
1121                 {
1122                         // If there is something in the GnuTLS buffer try to send() it
1123                         int ret = FlushBuffer(user);
1124                         if (ret <= 0)
1125                                 return ret; // Couldn't flush entire buffer, retry later (or close on error)
1126
1127                         // GnuTLS buffer is empty, if the sendq is empty as well then break to set FD_WANT_NO_WRITE
1128                         if (sendq.empty())
1129                                 break;
1130
1131                         // GnuTLS buffer is empty but sendq is not, begin sending data from the sendq
1132                         gnutls_record_cork(this->sess);
1133                         while ((!sendq.empty()) && (gbuffersize < profile->GetOutgoingRecordSize()))
1134                         {
1135                                 const StreamSocket::SendQueue::Element& elem = sendq.front();
1136                                 gbuffersize += elem.length();
1137                                 ret = gnutls_record_send(this->sess, elem.data(), elem.length());
1138                                 if (ret < 0)
1139                                 {
1140                                         CloseSession();
1141                                         return -1;
1142                                 }
1143                                 sendq.pop_front();
1144                         }
1145                 }
1146 #else
1147                 int ret = 0;
1148
1149                 while (!sendq.empty())
1150                 {
1151                         FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
1152                         const StreamSocket::SendQueue::Element& buffer = sendq.front();
1153                         ret = HandleWriteRet(user, gnutls_record_send(this->sess, buffer.data(), buffer.length()));
1154
1155                         if (ret <= 0)
1156                                 return ret;
1157                         else if (ret < (int)buffer.length())
1158                         {
1159                                 sendq.erase_front(ret);
1160                                 SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
1161                                 return 0;
1162                         }
1163
1164                         // Wrote entire record, continue sending
1165                         sendq.pop_front();
1166                 }
1167 #endif
1168
1169                 SocketEngine::ChangeEventMask(user, FD_WANT_NO_WRITE);
1170                 return 1;
1171         }
1172
1173         void GetCiphersuite(std::string& out) const CXX11_OVERRIDE
1174         {
1175                 if (!IsHandshakeDone())
1176                         return;
1177                 out.append(UnknownIfNULL(gnutls_protocol_get_name(gnutls_protocol_get_version(sess)))).push_back('-');
1178                 out.append(UnknownIfNULL(gnutls_kx_get_name(gnutls_kx_get(sess)))).push_back('-');
1179                 out.append(UnknownIfNULL(gnutls_cipher_get_name(gnutls_cipher_get(sess)))).push_back('-');
1180                 out.append(UnknownIfNULL(gnutls_mac_get_name(gnutls_mac_get(sess))));
1181         }
1182
1183         GnuTLS::Profile* GetProfile() { return profile; }
1184         bool IsHandshakeDone() const { return (status == ISSL_HANDSHAKEN); }
1185 };
1186
1187 int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st)
1188 {
1189 #ifndef GNUTLS_NEW_CERT_CALLBACK_API
1190         st->type = GNUTLS_CRT_X509;
1191 #else
1192         st->cert_type = GNUTLS_CRT_X509;
1193         st->key_type = GNUTLS_PRIVKEY_X509;
1194 #endif
1195         StreamSocket* sock = reinterpret_cast<StreamSocket*>(gnutls_transport_get_ptr(sess));
1196         GnuTLS::X509Credentials& cred = static_cast<GnuTLSIOHook*>(sock->GetModHook(thismod))->GetProfile()->GetX509Credentials();
1197
1198         st->ncerts = cred.certs.size();
1199         st->cert.x509 = cred.certs.raw();
1200         st->key.x509 = cred.key.get();
1201         st->deinit_all = 0;
1202
1203         return 0;
1204 }
1205
1206 class GnuTLSIOHookProvider : public refcountbase, public IOHookProvider
1207 {
1208         reference<GnuTLS::Profile> profile;
1209
1210  public:
1211         GnuTLSIOHookProvider(Module* mod, reference<GnuTLS::Profile>& prof)
1212                 : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
1213                 , profile(prof)
1214         {
1215                 ServerInstance->Modules->AddService(*this);
1216         }
1217
1218         ~GnuTLSIOHookProvider()
1219         {
1220                 ServerInstance->Modules->DelService(*this);
1221         }
1222
1223         void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
1224         {
1225                 new GnuTLSIOHook(this, sock, GNUTLS_SERVER, profile);
1226         }
1227
1228         void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
1229         {
1230                 new GnuTLSIOHook(this, sock, GNUTLS_CLIENT, profile);
1231         }
1232 };
1233
1234 class ModuleSSLGnuTLS : public Module
1235 {
1236         typedef std::vector<reference<GnuTLSIOHookProvider> > ProfileList;
1237
1238         // First member of the class, gets constructed first and destructed last
1239         GnuTLS::Init libinit;
1240         RandGen randhandler;
1241         ProfileList profiles;
1242
1243         void ReadProfiles()
1244         {
1245                 // First, store all profiles in a new, temporary container. If no problems occur, swap the two
1246                 // containers; this way if something goes wrong we can go back and continue using the current profiles,
1247                 // avoiding unpleasant situations where no new SSL connections are possible.
1248                 ProfileList newprofiles;
1249
1250                 ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
1251                 if (tags.first == tags.second)
1252                 {
1253                         // No <sslprofile> tags found, create a profile named "gnutls" from settings in the <gnutls> block
1254                         const std::string defname = "gnutls";
1255                         ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
1256                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the <gnutls> tag");
1257
1258                         try
1259                         {
1260                                 reference<GnuTLS::Profile> profile(GnuTLS::Profile::Create(defname, tag));
1261                                 newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
1262                         }
1263                         catch (CoreException& ex)
1264                         {
1265                                 throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
1266                         }
1267                 }
1268
1269                 for (ConfigIter i = tags.first; i != tags.second; ++i)
1270                 {
1271                         ConfigTag* tag = i->second;
1272                         if (tag->getString("provider") != "gnutls")
1273                                 continue;
1274
1275                         std::string name = tag->getString("name");
1276                         if (name.empty())
1277                         {
1278                                 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
1279                                 continue;
1280                         }
1281
1282                         reference<GnuTLS::Profile> profile;
1283                         try
1284                         {
1285                                 profile = GnuTLS::Profile::Create(name, tag);
1286                         }
1287                         catch (CoreException& ex)
1288                         {
1289                                 throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
1290                         }
1291
1292                         newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
1293                 }
1294
1295                 // New profiles are ok, begin using them
1296                 // Old profiles are deleted when their refcount drops to zero
1297                 profiles.swap(newprofiles);
1298         }
1299
1300  public:
1301         ModuleSSLGnuTLS()
1302         {
1303 #ifndef GNUTLS_HAS_RND
1304                 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
1305 #endif
1306                 thismod = this;
1307         }
1308
1309         void init() CXX11_OVERRIDE
1310         {
1311                 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "GnuTLS lib version %s module was compiled for " GNUTLS_VERSION, gnutls_check_version(NULL));
1312                 ReadProfiles();
1313                 ServerInstance->GenRandom = &randhandler;
1314         }
1315
1316         void OnModuleRehash(User* user, const std::string &param) CXX11_OVERRIDE
1317         {
1318                 if(param != "ssl")
1319                         return;
1320
1321                 try
1322                 {
1323                         ReadProfiles();
1324                 }
1325                 catch (ModuleException& ex)
1326                 {
1327                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, ex.GetReason() + " Not applying settings.");
1328                 }
1329         }
1330
1331         ~ModuleSSLGnuTLS()
1332         {
1333                 ServerInstance->GenRandom = &ServerInstance->HandleGenRandom;
1334         }
1335
1336         void OnCleanup(int target_type, void* item) CXX11_OVERRIDE
1337         {
1338                 if(target_type == TYPE_USER)
1339                 {
1340                         LocalUser* user = IS_LOCAL(static_cast<User*>(item));
1341
1342                         if ((user) && (user->eh.GetModHook(this)))
1343                         {
1344                                 // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
1345                                 // Potentially there could be multiple SSL modules loaded at once on different ports.
1346                                 ServerInstance->Users->QuitUser(user, "SSL module unloading");
1347                         }
1348                 }
1349         }
1350
1351         Version GetVersion() CXX11_OVERRIDE
1352         {
1353                 return Version("Provides SSL support for clients", VF_VENDOR);
1354         }
1355
1356         ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE
1357         {
1358                 const GnuTLSIOHook* const iohook = static_cast<GnuTLSIOHook*>(user->eh.GetModHook(this));
1359                 if ((iohook) && (!iohook->IsHandshakeDone()))
1360                         return MOD_RES_DENY;
1361                 return MOD_RES_PASSTHRU;
1362         }
1363 };
1364
1365 MODULE_INIT(ModuleSSLGnuTLS)