2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2016 Attila Molnar <attilamolnar@hush.com>
6 * This file is part of InspIRCd. InspIRCd is free software: you can
7 * redistribute it and/or modify it under the terms of the GNU General Public
8 * License as published by the Free Software Foundation, version 2.
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
12 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 /* $LinkerFlags: -lmbedtls */
23 #include "modules/ssl.h"
25 #include <mbedtls/ctr_drbg.h>
26 #include <mbedtls/dhm.h>
27 #include <mbedtls/ecp.h>
28 #include <mbedtls/entropy.h>
29 #include <mbedtls/error.h>
30 #include <mbedtls/md.h>
31 #include <mbedtls/pk.h>
32 #include <mbedtls/ssl.h>
33 #include <mbedtls/ssl_ciphersuites.h>
34 #include <mbedtls/version.h>
35 #include <mbedtls/x509.h>
36 #include <mbedtls/x509_crt.h>
37 #include <mbedtls/x509_crl.h>
39 #ifdef INSPIRCD_MBEDTLS_LIBRARY_DEBUG
40 #include <mbedtls/debug.h>
45 class Exception : public ModuleException
48 Exception(const std::string& reason)
49 : ModuleException(reason) { }
52 std::string ErrorToString(int errcode)
55 mbedtls_strerror(errcode, buf, sizeof(buf));
59 void ThrowOnError(int errcode, const char* msg)
63 std::string reason = msg;
64 reason.append(" :").append(ErrorToString(errcode));
65 throw Exception(reason);
69 template <typename T, void (*init)(T*), void (*deinit)(T*)>
85 T* get() { return &obj; }
86 const T* get() const { return &obj; }
89 typedef RAIIObj<mbedtls_entropy_context, mbedtls_entropy_init, mbedtls_entropy_free> Entropy;
91 class CTRDRBG : private RAIIObj<mbedtls_ctr_drbg_context, mbedtls_ctr_drbg_init, mbedtls_ctr_drbg_free>
94 bool Seed(Entropy& entropy)
96 return (mbedtls_ctr_drbg_seed(get(), mbedtls_entropy_func, entropy.get(), NULL, 0) == 0);
99 void SetupConf(mbedtls_ssl_config* conf)
101 mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, get());
105 class DHParams : public RAIIObj<mbedtls_dhm_context, mbedtls_dhm_init, mbedtls_dhm_free>
108 void set(const std::string& dhstr)
110 // Last parameter is buffer size, must include the terminating null
111 int ret = mbedtls_dhm_parse_dhm(get(), reinterpret_cast<const unsigned char*>(dhstr.c_str()), dhstr.size()+1);
112 ThrowOnError(ret, "Unable to import DH params");
116 class X509Key : public RAIIObj<mbedtls_pk_context, mbedtls_pk_init, mbedtls_pk_free>
120 X509Key(const std::string& keystr)
122 int ret = mbedtls_pk_parse_key(get(), reinterpret_cast<const unsigned char*>(keystr.c_str()), keystr.size()+1, NULL, 0);
123 ThrowOnError(ret, "Unable to import private key");
129 std::vector<int> list;
132 Ciphersuites(const std::string& str)
134 // mbedTLS uses the ciphersuite format "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" internally.
135 // This is a bit verbose, so we make life a bit simpler for admins by not requiring them to supply the static parts.
136 irc::sepstream ss(str, ':');
137 for (std::string token; ss.GetToken(token); )
139 // Prepend "TLS-" if not there
140 if (token.compare(0, 4, "TLS-", 4))
141 token.insert(0, "TLS-");
143 const int id = mbedtls_ssl_get_ciphersuite_id(token.c_str());
145 throw Exception("Unknown ciphersuite " + token);
151 const int* get() const { return &list.front(); }
152 bool empty() const { return (list.size() <= 1); }
157 std::vector<mbedtls_ecp_group_id> list;
160 Curves(const std::string& str)
162 irc::sepstream ss(str, ':');
163 for (std::string token; ss.GetToken(token); )
165 const mbedtls_ecp_curve_info* curve = mbedtls_ecp_curve_info_from_name(token.c_str());
167 throw Exception("Unknown curve " + token);
168 list.push_back(curve->grp_id);
170 list.push_back(MBEDTLS_ECP_DP_NONE);
173 const mbedtls_ecp_group_id* get() const { return &list.front(); }
174 bool empty() const { return (list.size() <= 1); }
177 class X509CertList : public RAIIObj<mbedtls_x509_crt, mbedtls_x509_crt_init, mbedtls_x509_crt_free>
180 /** Import or create empty */
181 X509CertList(const std::string& certstr, bool allowempty = false)
183 if ((allowempty) && (certstr.empty()))
185 int ret = mbedtls_x509_crt_parse(get(), reinterpret_cast<const unsigned char*>(certstr.c_str()), certstr.size()+1);
186 ThrowOnError(ret, "Unable to load certificates");
189 bool empty() const { return (get()->raw.p != NULL); }
192 class X509CRL : public RAIIObj<mbedtls_x509_crl, mbedtls_x509_crl_init, mbedtls_x509_crl_free>
195 X509CRL(const std::string& crlstr)
199 int ret = mbedtls_x509_crl_parse(get(), reinterpret_cast<const unsigned char*>(crlstr.c_str()), crlstr.size()+1);
200 ThrowOnError(ret, "Unable to load CRL");
204 class X509Credentials
210 /** Certificate list, presented to the peer
215 X509Credentials(const std::string& certstr, const std::string& keystr)
219 // Verify that one of the certs match the private key
221 for (mbedtls_x509_crt* cert = certs.get(); cert; cert = cert->next)
223 if (mbedtls_pk_check_pair(&cert->pk, key.get()) == 0)
230 throw Exception("Public/private key pair does not match");
233 mbedtls_pk_context* getkey() { return key.get(); }
234 mbedtls_x509_crt* getcerts() { return certs.get(); }
239 mbedtls_ssl_config conf;
241 #ifdef INSPIRCD_MBEDTLS_LIBRARY_DEBUG
242 static void DebugLogFunc(void* userptr, int level, const char* file, int line, const char* msg)
244 // Remove trailing \n
245 size_t len = strlen(msg);
246 if ((len > 0) && (msg[len-1] == '\n'))
248 ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "%s:%d %.*s", file, line, len, msg);
253 Context(CTRDRBG& ctrdrbg, unsigned int endpoint)
255 mbedtls_ssl_config_init(&conf);
256 #ifdef INSPIRCD_MBEDTLS_LIBRARY_DEBUG
257 mbedtls_debug_set_threshold(INT_MAX);
258 mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
261 // TODO: check ret of mbedtls_ssl_config_defaults
262 mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
263 ctrdrbg.SetupConf(&conf);
268 mbedtls_ssl_config_free(&conf);
271 void SetMinDHBits(unsigned int mindh)
273 mbedtls_ssl_conf_dhm_min_bitlen(&conf, mindh);
276 void SetDHParams(DHParams& dh)
278 mbedtls_ssl_conf_dh_param_ctx(&conf, dh.get());
281 void SetX509CertAndKey(X509Credentials& x509cred)
283 mbedtls_ssl_conf_own_cert(&conf, x509cred.getcerts(), x509cred.getkey());
286 void SetCiphersuites(const Ciphersuites& ciphersuites)
288 mbedtls_ssl_conf_ciphersuites(&conf, ciphersuites.get());
291 void SetCurves(const Curves& curves)
293 mbedtls_ssl_conf_curves(&conf, curves.get());
296 void SetVersion(int minver, int maxver)
298 // SSL v3 support cannot be enabled
300 mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, minver);
302 mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, maxver);
305 void SetCA(X509CertList& certs, X509CRL& crl)
307 mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
310 void SetOptionalVerifyCert()
312 mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
315 const mbedtls_ssl_config* GetConf() const { return &conf; }
320 const mbedtls_md_info_t* md;
322 /** Buffer where cert hashes are written temporarily
324 mutable std::vector<unsigned char> buf;
327 Hash(std::string hashstr)
329 std::transform(hashstr.begin(), hashstr.end(), hashstr.begin(), ::toupper);
330 md = mbedtls_md_info_from_string(hashstr.c_str());
332 throw Exception("Unknown hash: " + hashstr);
334 buf.resize(mbedtls_md_get_size(md));
337 std::string hash(const unsigned char* input, size_t length) const
339 mbedtls_md(md, input, length, &buf.front());
340 return BinToHex(&buf.front(), buf.size());
344 class Profile : public refcountbase
346 /** Name of this profile
348 const std::string name;
350 X509Credentials x509cred;
352 /** Ciphersuites to use
354 Ciphersuites ciphersuites;
356 /** Curves accepted for use in ECDHE and in the peer's end-entity certificate
365 X509CertList cacerts;
369 /** Hashing algorithm to use when generating certificate fingerprints
373 /** Rough max size of records to send
375 const unsigned int outrecsize;
377 Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
378 const std::string& dhstr, unsigned int mindh, const std::string& hashstr,
379 const std::string& ciphersuitestr, const std::string& curvestr,
380 const std::string& castr, const std::string& crlstr,
381 unsigned int recsize,
383 int minver, int maxver,
384 bool requestclientcert
387 , x509cred(certstr, keystr)
388 , ciphersuites(ciphersuitestr)
390 , serverctx(ctrdrbg, MBEDTLS_SSL_IS_SERVER)
391 , clientctx(ctrdrbg, MBEDTLS_SSL_IS_CLIENT)
392 , cacerts(castr, true)
395 , outrecsize(recsize)
397 serverctx.SetX509CertAndKey(x509cred);
398 clientctx.SetX509CertAndKey(x509cred);
399 clientctx.SetMinDHBits(mindh);
401 if (!ciphersuites.empty())
403 serverctx.SetCiphersuites(ciphersuites);
404 clientctx.SetCiphersuites(ciphersuites);
409 serverctx.SetCurves(curves);
410 clientctx.SetCurves(curves);
413 serverctx.SetVersion(minver, maxver);
414 clientctx.SetVersion(minver, maxver);
419 serverctx.SetDHParams(dhparams);
422 clientctx.SetOptionalVerifyCert();
423 // The default for servers is to not request a client certificate from the peer
424 if (requestclientcert)
426 serverctx.SetOptionalVerifyCert();
427 serverctx.SetCA(cacerts, crl);
431 static std::string ReadFile(const std::string& filename)
433 FileReader reader(filename);
434 std::string ret = reader.GetString();
436 throw Exception("Cannot read file " + filename);
441 static reference<Profile> Create(const std::string& profilename, ConfigTag* tag, CTRDRBG& ctr_drbg)
443 const std::string certstr = ReadFile(tag->getString("certfile", "cert.pem"));
444 const std::string keystr = ReadFile(tag->getString("keyfile", "key.pem"));
445 const std::string dhstr = ReadFile(tag->getString("dhfile", "dhparams.pem"));
447 const std::string ciphersuitestr = tag->getString("ciphersuites");
448 const std::string curvestr = tag->getString("curves");
449 unsigned int mindh = tag->getInt("mindhbits", 2048);
450 std::string hashstr = tag->getString("hash", "sha256");
453 std::string castr = tag->getString("cafile");
456 castr = ReadFile(castr);
457 crlstr = tag->getString("crlfile");
459 crlstr = ReadFile(crlstr);
462 int minver = tag->getInt("minver");
463 int maxver = tag->getInt("maxver");
464 unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
465 const bool requestclientcert = tag->getBool("requestclientcert", true);
466 return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
469 /** Set up the given session with the settings in this profile
471 void SetupClientSession(mbedtls_ssl_context* sess)
473 mbedtls_ssl_setup(sess, clientctx.GetConf());
476 void SetupServerSession(mbedtls_ssl_context* sess)
478 mbedtls_ssl_setup(sess, serverctx.GetConf());
481 const std::string& GetName() const { return name; }
482 X509Credentials& GetX509Credentials() { return x509cred; }
483 unsigned int GetOutgoingRecordSize() const { return outrecsize; }
484 const Hash& GetHash() const { return hash; }
488 class mbedTLSIOHook : public SSLIOHook
497 mbedtls_ssl_context sess;
499 reference<mbedTLS::Profile> profile;
503 if (status == ISSL_NONE)
506 mbedtls_ssl_close_notify(&sess);
507 mbedtls_ssl_free(&sess);
512 // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed
513 int Handshake(StreamSocket* sock)
515 int ret = mbedtls_ssl_handshake(&sess);
518 // Change the seesion state
519 this->status = ISSL_HANDSHAKEN;
523 // Finish writing, if any left
524 SocketEngine::ChangeEventMask(sock, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
529 this->status = ISSL_HANDSHAKING;
530 if (ret == MBEDTLS_ERR_SSL_WANT_READ)
532 SocketEngine::ChangeEventMask(sock, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
535 else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE)
537 SocketEngine::ChangeEventMask(sock, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
541 sock->SetError("Handshake Failed - " + mbedTLS::ErrorToString(ret));
546 // Returns 1 if application I/O should proceed, 0 if it must wait for the underlying protocol to progress, -1 on fatal error
547 int PrepareIO(StreamSocket* sock)
549 if (status == ISSL_HANDSHAKEN)
551 else if (status == ISSL_HANDSHAKING)
553 // The handshake isn't finished, try to finish it
554 return Handshake(sock);
558 sock->SetError("No SSL session");
562 void VerifyCertificate()
564 this->certificate = new ssl_cert;
565 const mbedtls_x509_crt* const cert = mbedtls_ssl_get_peer_cert(&sess);
568 certificate->error = "No client certificate sent";
572 // If there is a certificate we can always generate a fingerprint
573 certificate->fingerprint = profile->GetHash().hash(cert->raw.p, cert->raw.len);
575 // At this point mbedTLS verified the cert already, we just need to check the results
576 const uint32_t flags = mbedtls_ssl_get_verify_result(&sess);
577 if (flags == 0xFFFFFFFF)
579 certificate->error = "Internal error during verification";
585 // Verification succeeded
586 certificate->trusted = true;
590 // Verification failed
591 certificate->trusted = false;
592 if ((flags & MBEDTLS_X509_BADCERT_EXPIRED) || (flags & MBEDTLS_X509_BADCERT_FUTURE))
593 certificate->error = "Not activated, or expired certificate";
596 certificate->unknownsigner = (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED);
597 certificate->revoked = (flags & MBEDTLS_X509_BADCERT_REVOKED);
598 certificate->invalid = ((flags & MBEDTLS_X509_BADCERT_BAD_KEY) || (flags & MBEDTLS_X509_BADCERT_BAD_MD) || (flags & MBEDTLS_X509_BADCERT_BAD_PK));
600 GetDNString(&cert->subject, certificate->dn);
601 GetDNString(&cert->issuer, certificate->issuer);
604 static void GetDNString(const mbedtls_x509_name* x509name, std::string& out)
607 const int ret = mbedtls_x509_dn_gets(buf, sizeof(buf), x509name);
611 out.assign(buf, ret);
614 static int Pull(void* userptr, unsigned char* buffer, size_t size)
616 StreamSocket* const sock = reinterpret_cast<StreamSocket*>(userptr);
617 if (sock->GetEventMask() & FD_READ_WILL_BLOCK)
618 return MBEDTLS_ERR_SSL_WANT_READ;
620 const int ret = SocketEngine::Recv(sock, reinterpret_cast<char*>(buffer), size, 0);
623 SocketEngine::ChangeEventMask(sock, FD_READ_WILL_BLOCK);
624 if ((ret == -1) && (SocketEngine::IgnoreError()))
625 return MBEDTLS_ERR_SSL_WANT_READ;
630 static int Push(void* userptr, const unsigned char* buffer, size_t size)
632 StreamSocket* const sock = reinterpret_cast<StreamSocket*>(userptr);
633 if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
634 return MBEDTLS_ERR_SSL_WANT_WRITE;
636 const int ret = SocketEngine::Send(sock, buffer, size, 0);
639 SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
640 if ((ret == -1) && (SocketEngine::IgnoreError()))
641 return MBEDTLS_ERR_SSL_WANT_WRITE;
647 mbedTLSIOHook(IOHookProvider* hookprov, StreamSocket* sock, bool isserver, mbedTLS::Profile* sslprofile)
648 : SSLIOHook(hookprov)
650 , profile(sslprofile)
652 mbedtls_ssl_init(&sess);
654 profile->SetupServerSession(&sess);
656 profile->SetupClientSession(&sess);
658 mbedtls_ssl_set_bio(&sess, reinterpret_cast<void*>(sock), Push, Pull, NULL);
660 sock->AddIOHook(this);
664 void OnStreamSocketClose(StreamSocket* sock) CXX11_OVERRIDE
669 int OnStreamSocketRead(StreamSocket* sock, std::string& recvq) CXX11_OVERRIDE
671 // Finish handshake if needed
672 int prepret = PrepareIO(sock);
676 // If we resumed the handshake then this->status will be ISSL_HANDSHAKEN.
677 char* const readbuf = ServerInstance->GetReadBuffer();
678 const size_t readbufsize = ServerInstance->Config->NetBufferSize;
679 int ret = mbedtls_ssl_read(&sess, reinterpret_cast<unsigned char*>(readbuf), readbufsize);
682 recvq.append(readbuf, ret);
684 // Schedule a read if there is still data in the mbedTLS buffer
685 if (mbedtls_ssl_get_bytes_avail(&sess) > 0)
686 SocketEngine::ChangeEventMask(sock, FD_ADD_TRIAL_READ);
689 else if (ret == MBEDTLS_ERR_SSL_WANT_READ)
691 SocketEngine::ChangeEventMask(sock, FD_WANT_POLL_READ);
694 else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE)
696 SocketEngine::ChangeEventMask(sock, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
701 sock->SetError("Connection closed");
705 else // error or MBEDTLS_ERR_SSL_CLIENT_RECONNECT which we treat as an error
707 sock->SetError(mbedTLS::ErrorToString(ret));
713 int OnStreamSocketWrite(StreamSocket* sock, StreamSocket::SendQueue& sendq) CXX11_OVERRIDE
715 // Finish handshake if needed
716 int prepret = PrepareIO(sock);
720 // Session is ready for transferring application data
721 while (!sendq.empty())
723 FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
724 const StreamSocket::SendQueue::Element& buffer = sendq.front();
725 int ret = mbedtls_ssl_write(&sess, reinterpret_cast<const unsigned char*>(buffer.data()), buffer.length());
726 if (ret == (int)buffer.length())
728 // Wrote entire record, continue sending
733 sendq.erase_front(ret);
734 SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
739 sock->SetError("Connection closed");
743 else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE)
745 SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
748 else if (ret == MBEDTLS_ERR_SSL_WANT_READ)
750 SocketEngine::ChangeEventMask(sock, FD_WANT_POLL_READ);
755 sock->SetError(mbedTLS::ErrorToString(ret));
761 SocketEngine::ChangeEventMask(sock, FD_WANT_NO_WRITE);
765 void GetCiphersuite(std::string& out) const CXX11_OVERRIDE
767 if (!IsHandshakeDone())
769 out.append(mbedtls_ssl_get_version(&sess)).push_back('-');
771 // All mbedTLS ciphersuite names currently begin with "TLS-" which provides no useful information so skip it, but be prepared if it changes
772 const char* const ciphersuitestr = mbedtls_ssl_get_ciphersuite(&sess);
773 const char prefix[] = "TLS-";
774 unsigned int skip = sizeof(prefix)-1;
775 if (strncmp(ciphersuitestr, prefix, sizeof(prefix)-1))
777 out.append(ciphersuitestr + skip);
780 bool IsHandshakeDone() const { return (status == ISSL_HANDSHAKEN); }
783 class mbedTLSIOHookProvider : public refcountbase, public IOHookProvider
785 reference<mbedTLS::Profile> profile;
788 mbedTLSIOHookProvider(Module* mod, mbedTLS::Profile* prof)
789 : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
792 ServerInstance->Modules->AddService(*this);
795 ~mbedTLSIOHookProvider()
797 ServerInstance->Modules->DelService(*this);
800 void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
802 new mbedTLSIOHook(this, sock, true, profile);
805 void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
807 new mbedTLSIOHook(this, sock, false, profile);
811 class ModuleSSLmbedTLS : public Module
813 typedef std::vector<reference<mbedTLSIOHookProvider> > ProfileList;
815 mbedTLS::Entropy entropy;
816 mbedTLS::CTRDRBG ctr_drbg;
817 ProfileList profiles;
821 // First, store all profiles in a new, temporary container. If no problems occur, swap the two
822 // containers; this way if something goes wrong we can go back and continue using the current profiles,
823 // avoiding unpleasant situations where no new SSL connections are possible.
824 ProfileList newprofiles;
826 ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile");
827 if (tags.first == tags.second)
829 // No <sslprofile> tags found, create a profile named "mbedtls" from settings in the <mbedtls> block
830 const std::string defname = "mbedtls";
831 ConfigTag* tag = ServerInstance->Config->ConfValue(defname);
832 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "No <sslprofile> tags found; using settings from the <mbedtls> tag");
836 reference<mbedTLS::Profile> profile(mbedTLS::Profile::Create(defname, tag, ctr_drbg));
837 newprofiles.push_back(new mbedTLSIOHookProvider(this, profile));
839 catch (CoreException& ex)
841 throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason());
845 for (ConfigIter i = tags.first; i != tags.second; ++i)
847 ConfigTag* tag = i->second;
848 if (tag->getString("provider") != "mbedtls")
851 std::string name = tag->getString("name");
854 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Ignoring <sslprofile> tag without name at " + tag->getTagLocation());
858 reference<mbedTLS::Profile> profile;
861 profile = mbedTLS::Profile::Create(name, tag, ctr_drbg);
863 catch (CoreException& ex)
865 throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
868 newprofiles.push_back(new mbedTLSIOHookProvider(this, profile));
871 // New profiles are ok, begin using them
872 // Old profiles are deleted when their refcount drops to zero
873 profiles.swap(newprofiles);
877 void init() CXX11_OVERRIDE
879 char verbuf[16]; // Should be at least 9 bytes in size
880 mbedtls_version_get_string(verbuf);
881 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "mbedTLS lib version %s module was compiled for " MBEDTLS_VERSION_STRING, verbuf);
883 if (!ctr_drbg.Seed(entropy))
884 throw ModuleException("CTR DRBG seed failed");
888 void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE
897 catch (ModuleException& ex)
899 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, ex.GetReason() + " Not applying settings.");
903 void OnCleanup(int target_type, void* item) CXX11_OVERRIDE
905 if (target_type != TYPE_USER)
908 LocalUser* user = IS_LOCAL(static_cast<User*>(item));
909 if ((user) && (user->eh.GetModHook(this)))
911 // User is using SSL, they're a local user, and they're using our IOHook.
912 // Potentially there could be multiple SSL modules loaded at once on different ports.
913 ServerInstance->Users.QuitUser(user, "SSL module unloading");
917 ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE
919 const mbedTLSIOHook* const iohook = static_cast<mbedTLSIOHook*>(user->eh.GetModHook(this));
920 if ((iohook) && (!iohook->IsHandshakeDone()))
922 return MOD_RES_PASSTHRU;
925 Version GetVersion() CXX11_OVERRIDE
927 return Version("Provides SSL support via mbedTLS (PolarSSL)", VF_VENDOR);
931 MODULE_INIT(ModuleSSLmbedTLS)
projects / user / henk / code / inspircd.git / blob