* | Inspire Internet Relay Chat Daemon |
* +------------------------------------+
*
- * InspIRCd: (C) 2002-2009 InspIRCd Development Team
+ * InspIRCd: (C) 2002-2010 InspIRCd Development Team
* See: http://wiki.inspircd.org/Credits
*
* This program is free but copyrighted software; see
#include "inspircd.h"
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
-#include "transport.h"
+#include "ssl.h"
#include "m_cap.h"
#ifdef WINDOWS
/* $ModDesc: Provides SSL support for clients */
/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") */
/* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") */
-/* $ModDep: transport.h */
-/* $CopyInstall: conf/key.pem $(CONPATH) */
-/* $CopyInstall: conf/cert.pem $(CONPATH) */
+/* $CopyInstall: conf/key.pem $(CONPATH) -m 0400 -o $(INSTUID) */
+/* $CopyInstall: conf/cert.pem $(CONPATH) -m 0444 */
enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
/** Represents an SSL user's extra data
*/
-class issl_session : public classbase
+class issl_session
{
public:
- issl_session()
- {
- sess = NULL;
- }
-
gnutls_session_t sess;
issl_status status;
+ reference<ssl_cert> cert;
+ issl_session() : sess(NULL) {}
};
-class CommandStartTLS : public Command
+class CommandStartTLS : public SplitCommand
{
public:
- CommandStartTLS (Module* mod) : Command(mod, "STARTTLS")
+ CommandStartTLS (Module* mod) : SplitCommand(mod, "STARTTLS")
{
works_before_reg = true;
}
- CmdResult Handle (const std::vector<std::string> ¶meters, User *user)
+ CmdResult HandleLocal(const std::vector<std::string> ¶meters, LocalUser *user)
{
/* changed from == REG_ALL to catch clients sending STARTTLS
* after NICK and USER but before OnUserConnect completes and
}
else
{
- if (!user->GetIOHook())
+ if (!user->eh.GetIOHook())
{
user->WriteNumeric(670, "%s :STARTTLS successful, go ahead with TLS handshake", user->nick.c_str());
- user->AddIOHook(creator);
- creator->OnStreamSocketAccept(user, NULL, NULL);
+ user->eh.AddIOHook(creator);
+ creator->OnStreamSocketAccept(&user->eh, NULL, NULL);
}
else
user->WriteNumeric(691, "%s :STARTTLS failure", user->nick.c_str());
class ModuleSSLGnuTLS : public Module
{
- std::set<ListenSocketBase*> listenports;
-
issl_session* sessions;
gnutls_certificate_credentials x509_cred;
std::string keyfile;
std::string certfile;
+
std::string cafile;
std::string crlfile;
std::string sslports;
CommandStartTLS starttls;
GenericCap capHandler;
+ ServiceProvider iohook;
public:
- ModuleSSLGnuTLS(InspIRCd* Me)
- : Module(Me), starttls(this), capHandler(this, "tls")
+ ModuleSSLGnuTLS()
+ : starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
{
- ServerInstance->Modules->PublishInterface("BufferedSocketHook", this);
-
sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
gnutls_global_init(); // This must be called once in the program
gnutls_x509_privkey_init(&x509_key);
cred_alloc = false;
+ }
+
+ void init()
+ {
// Needs the flag as it ignores a plain /rehash
OnModuleRehash(NULL,"ssl");
// Void return, guess we assume success
gnutls_certificate_set_dh_params(x509_cred, dh_params);
- Implementation eventlist[] = { I_On005Numeric, I_OnRequest, I_OnRehash, I_OnModuleRehash, I_OnPostConnect,
+ Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnUserConnect,
I_OnEvent, I_OnHookIO };
ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
+ ServerInstance->Modules->AddService(iohook);
ServerInstance->AddCommand(&starttls);
}
void OnRehash(User* user)
{
- ConfigReader Conf(ServerInstance);
-
- listenports.clear();
sslports.clear();
for (size_t i = 0; i < ServerInstance->ports.size(); i++)
{
- ListenSocketBase* port = ServerInstance->ports[i];
- std::string desc = port->GetDescription();
- if (desc != "gnutls")
+ ListenSocket* port = ServerInstance->ports[i];
+ if (port->bind_tag->getString("ssl") != "gnutls")
continue;
- listenports.insert(port);
- std::string portid = port->GetBindDesc();
-
+ const std::string& portid = port->bind_desc;
ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT, "m_ssl_gnutls.so: Enabling SSL for port %s", portid.c_str());
- if (port->GetIP() != "127.0.0.1")
+
+ if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
sslports.append(portid).append(";");
}
OnRehash(user);
- ConfigReader Conf(ServerInstance);
-
- std::string confdir(ServerInstance->ConfigFileName);
- // +1 so we the path ends with a /
- confdir = confdir.substr(0, confdir.find_last_of('/') + 1);
+ ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
- cafile = Conf.ReadValue("gnutls", "cafile", 0);
- crlfile = Conf.ReadValue("gnutls", "crlfile", 0);
- certfile = Conf.ReadValue("gnutls", "certfile", 0);
- keyfile = Conf.ReadValue("gnutls", "keyfile", 0);
- dh_bits = Conf.ReadInteger("gnutls", "dhbits", 0, false);
+ cafile = Conf->getString("cafile");
+ crlfile = Conf->getString("crlfile");
+ certfile = Conf->getString("certfile");
+ keyfile = Conf->getString("keyfile");
+ dh_bits = Conf->getInt("dhbits");
// Set all the default values needed.
if (cafile.empty())
- cafile = "ca.pem";
+ cafile = "conf/ca.pem";
if (crlfile.empty())
- crlfile = "crl.pem";
+ crlfile = "conf/crl.pem";
if (certfile.empty())
- certfile = "cert.pem";
+ certfile = "conf/cert.pem";
if (keyfile.empty())
- keyfile = "key.pem";
+ keyfile = "conf/key.pem";
if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096))
dh_bits = 1024;
- // Prepend relative paths with the path to the config directory.
- if ((cafile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(cafile)))
- cafile = confdir + cafile;
-
- if ((crlfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(crlfile)))
- crlfile = confdir + crlfile;
-
- if ((certfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(certfile)))
- certfile = confdir + certfile;
-
- if ((keyfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(keyfile)))
- keyfile = confdir + keyfile;
-
int ret;
if (cred_alloc)
if((ret = gnutls_certificate_set_x509_crl_file (x509_cred, crlfile.c_str(), GNUTLS_X509_FMT_PEM)) < 0)
ServerInstance->Logs->Log("m_ssl_gnutls",DEBUG, "m_ssl_gnutls.so: Failed to set X.509 CRL file '%s': %s", crlfile.c_str(), gnutls_strerror(ret));
- FileReader reader(ServerInstance);
+ FileReader reader;
reader.LoadFile(certfile);
std::string cert_string = reader.Contents();
{
gnutls_x509_crt_deinit(x509_cert);
gnutls_x509_privkey_deinit(x509_key);
- gnutls_dh_params_deinit(dh_params);
- gnutls_certificate_free_credentials(x509_cred);
+ if (cred_alloc)
+ {
+ gnutls_dh_params_deinit(dh_params);
+ gnutls_certificate_free_credentials(x509_cred);
+ }
gnutls_global_deinit();
- ServerInstance->Modules->UnpublishInterface("BufferedSocketHook", this);
delete[] sessions;
}
{
if(target_type == TYPE_USER)
{
- User* user = static_cast<User*>(item);
+ LocalUser* user = IS_LOCAL(static_cast<User*>(item));
- if (user->GetIOHook() == this)
+ if (user && user->eh.GetIOHook() == this)
{
// User is using SSL, they're a local user, and they're using one of *our* SSL ports.
// Potentially there could be multiple SSL modules loaded at once on different ports.
ServerInstance->Users->QuitUser(user, "SSL module unloading");
- user->DelIOHook();
}
}
}
Version GetVersion()
{
- return Version("Provides SSL support for clients", VF_VENDOR, API_VERSION);
+ return Version("Provides SSL support for clients", VF_VENDOR);
}
output.append(" STARTTLS");
}
- void OnHookIO(StreamSocket* user, ListenSocketBase* lsb)
+ void OnHookIO(StreamSocket* user, ListenSocket* lsb)
{
- if (!user->GetIOHook() && listenports.find(lsb) != listenports.end())
+ if (!user->GetIOHook() && lsb->bind_tag->getString("ssl") == "gnutls")
{
/* Hook the user with our module */
user->AddIOHook(this);
}
}
- const char* OnRequest(Request* request)
+ void OnRequest(Request& request)
{
- ISHRequest* ISR = static_cast<ISHRequest*>(request);
- if (strcmp("IS_NAME", request->GetId()) == 0)
+ if (strcmp("GET_SSL_CERT", request.id) == 0)
{
- return "gnutls";
- }
- else if (strcmp("IS_HOOK", request->GetId()) == 0)
- {
- ISR->Sock->AddIOHook(this);
- return "OK";
- }
- else if (strcmp("IS_UNHOOK", request->GetId()) == 0)
- {
- ISR->Sock->DelIOHook();
- return "OK";
- }
- else if (strcmp("IS_HSDONE", request->GetId()) == 0)
- {
- if (ISR->Sock->GetFd() < 0)
- return "OK";
+ SocketCertificateRequest& req = static_cast<SocketCertificateRequest&>(request);
+ int fd = req.sock->GetFd();
+ issl_session* session = &sessions[fd];
- issl_session* session = &sessions[ISR->Sock->GetFd()];
- return (session->status == ISSL_HANDSHAKING_READ || session->status == ISSL_HANDSHAKING_WRITE) ? NULL : "OK";
- }
- else if (strcmp("IS_ATTACH", request->GetId()) == 0)
- {
- if (ISR->Sock->GetFd() > -1)
- {
- issl_session* session = &sessions[ISR->Sock->GetFd()];
- if (session->sess)
- {
- if (static_cast<Extensible*>(ServerInstance->SE->GetRef(ISR->Sock->GetFd())) == static_cast<Extensible*>(ISR->Sock))
- {
- return "OK";
- }
- }
- }
- }
- else if (strcmp("GET_CERT", request->GetId()) == 0)
- {
- Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
- if (sslinfo)
- return sslinfo->OnRequest(request);
+ req.cert = session->cert;
}
- return NULL;
}
-
void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
{
int fd = user->GetFd();
{
if (session->status != ISSL_CLOSING)
return 0;
- user->SetError("Handshake Failed");
return -1;
}
}
Handshake(session, user);
if (session->status != ISSL_CLOSING)
return 0;
- user->SetError("Handshake Failed");
return -1;
}
else if (ret > 0)
{
sendq = sendq.substr(ret);
- ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_WRITE);
+ ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
return 0;
}
else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
{
- ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_WRITE);
+ ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
return 0;
}
else if (ret == 0)
{
// gnutls_handshake() wants to write() again.
session->status = ISSL_HANDSHAKING_WRITE;
- ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_POLL_WRITE);
+ ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
}
}
else
{
+ user->SetError(std::string("Handshake Failed - ") + gnutls_strerror(ret));
CloseSession(session);
session->status = ISSL_CLOSING;
}
}
}
- void OnPostConnect(User* user)
+ void OnUserConnect(LocalUser* user)
{
- // This occurs AFTER OnUserConnect so we can be sure the
- // protocol module has propagated the NICK message.
- if (user->GetIOHook() == this && (IS_LOCAL(user)))
+ if (user->eh.GetIOHook() == this)
{
if (sessions[user->GetFd()].sess)
{
+ SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
void CloseSession(issl_session* session)
{
- if(session->sess)
+ if (session->sess)
{
gnutls_bye(session->sess, GNUTLS_SHUT_WR);
gnutls_deinit(session->sess);
}
-
session->sess = NULL;
+ session->cert = NULL;
session->status = ISSL_NONE;
}
- void VerifyCertificate(issl_session* session, Extensible* user)
+ void VerifyCertificate(issl_session* session, StreamSocket* user)
{
- if (!session->sess || !user)
- return;
-
- Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
- if (!sslinfo)
+ if (!session->sess || !user || session->cert)
return;
unsigned int status;
size_t digest_size = sizeof(digest);
size_t name_size = sizeof(name);
ssl_cert* certinfo = new ssl_cert;
+ session->cert = certinfo;
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
if (ret < 0)
{
certinfo->error = std::string(gnutls_strerror(ret));
- goto info_done;
+ return;
}
certinfo->invalid = (status & GNUTLS_CERT_INVALID);
if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
{
certinfo->error = "No X509 keys sent";
- goto info_done;
+ return;
}
ret = gnutls_x509_crt_init(&cert);
if (ret < 0)
{
certinfo->error = gnutls_strerror(ret);
- goto info_done;
+ return;
}
cert_list_size = 0;
info_done_dealloc:
gnutls_x509_crt_deinit(cert);
-info_done:
- BufferedSocketFingerprintSubmission(user, this, sslinfo, certinfo).Send();
}
- void OnEvent(Event* ev)
+ void OnEvent(Event& ev)
{
capHandler.HandleEvent(ev);
}