/*
* InspIRCd -- Internet Relay Chat Daemon
*
- * Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
- * Copyright (C) 2006 Craig Edwards <craigedwards@brainbox.cc>
+ * Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
+ * Copyright (C) 2019 B00mX0r <b00mx0r@aureus.pw>
+ * Copyright (C) 2018 Dylan Frank <b00mx0r@aureus.pw>
+ * Copyright (C) 2013, 2017-2019 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2013, 2015-2016 Attila Molnar <attilamolnar@hush.com>
+ * Copyright (C) 2012 Robby <robby@chatbelgie.be>
+ * Copyright (C) 2012 ChrisTX <xpipe@hotmail.de>
+ * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
+ * Copyright (C) 2006 Craig Edwards <brain@inspircd.org>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
* redistribute it and/or modify it under the terms of the GNU General Public
#include <string>
#include "iohook.h"
-/** ssl_cert is a class which abstracts SSL certificate
+/** ssl_cert is a class which abstracts TLS (SSL) certificate
* and key information.
*
* Because gnutls and openssl represent key information in
return issuer;
}
- /** Get error string if an error has occured
+ /** Get error string if an error has occurred
* @return The error associated with this users certificate,
* or an empty string if there is no error.
*/
return revoked;
}
+ /** Get certificate usability
+ * @return True if the certificate is not expired nor revoked
+ */
+ bool IsUsable()
+ {
+ return !invalid && !revoked && error.empty();
+ }
+
+ /** Get CA trust status
+ * @return True if the certificate is issued by a CA
+ * and valid.
+ */
bool IsCAVerified()
{
- return trusted && !invalid && !revoked && !unknownsigner && error.empty();
+ return IsUsable() && trusted && !unknownsigner;
}
std::string GetMetaLine()
}
};
+/** I/O hook provider for SSL modules. */
+class SSLIOHookProvider : public IOHookProvider
+{
+public:
+ SSLIOHookProvider(Module* mod, const std::string& Name)
+ : IOHookProvider(mod, "ssl/" + Name, IOH_SSL)
+ {
+ }
+};
+
class SSLIOHook : public IOHook
{
protected:
- /** Peer SSL certificate, set by the SSL module
+ /** Peer TLS (SSL) certificate, set by the TLS (SSL) module
*/
reference<ssl_cert> certificate;
+ /** Reduce elements in a send queue by appending later elements to the first element until there are no more
+ * elements to append or a desired length is reached
+ * @param sendq SendQ to work on
+ * @param targetsize Target size of the front element
+ */
+ static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize)
+ {
+ if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
+ return;
+
+ // Avoid multiple repeated TLS (SSL) encryption invocations
+ // This adds a single copy of the queue, but avoids
+ // much more overhead in terms of system calls invoked
+ // by an IOHook.
+ std::string tmp;
+ tmp.reserve(std::min(targetsize, sendq.bytes())+1);
+ do
+ {
+ tmp.append(sendq.front());
+ sendq.pop_front();
+ }
+ while (!sendq.empty() && tmp.length() < targetsize);
+ sendq.push_front(tmp);
+ }
+
public:
+ static SSLIOHook* IsSSL(StreamSocket* sock)
+ {
+ IOHook* const lasthook = sock->GetLastHook();
+ if (lasthook && (lasthook->prov->type == IOHookProvider::IOH_SSL))
+ return static_cast<SSLIOHook*>(lasthook);
+
+ return NULL;
+ }
+
SSLIOHook(IOHookProvider* hookprov)
: IOHook(hookprov)
{
/**
* Get the certificate sent by this peer
- * @return The SSL certificate sent by the peer, NULL if no cert was sent
+ * @return The TLS (SSL) certificate sent by the peer, NULL if no cert was sent
*/
- ssl_cert* GetCertificate() const
+ virtual ssl_cert* GetCertificate() const
{
return certificate;
}
/**
* Get the fingerprint of the peer's certificate
- * @return The fingerprint of the SSL client certificate sent by the peer,
+ * @return The fingerprint of the TLS (SSL) client certificate sent by the peer,
* empty if no cert was sent
*/
- std::string GetFingerprint() const
+ virtual std::string GetFingerprint() const
{
ssl_cert* cert = GetCertificate();
- if (cert)
+ if (cert && cert->IsUsable())
return cert->GetFingerprint();
return "";
}
+
+ /**
+ * Get the ciphersuite negotiated with the peer
+ * @param out String where the ciphersuite string will be appended to
+ */
+ virtual void GetCiphersuite(std::string& out) const = 0;
+
+
+ /** Retrieves the name of the TLS (SSL) connection which is sent via SNI.
+ * @param out String that the server name will be appended to.
+ * returns True if the server name was retrieved; otherwise, false.
+ */
+ virtual bool GetServerName(std::string& out) const = 0;
};
-/** Helper functions for obtaining SSL client certificates and key fingerprints
+/** Helper functions for obtaining TLS (SSL) client certificates and key fingerprints
* from StreamSockets
*/
class SSLClientCert
public:
/**
* Get the client certificate from a socket
- * @param sock The socket to get the certificate from, the socket does not have to use SSL
- * @return The SSL client certificate information, NULL if the peer is not using SSL
+ * @param sock The socket to get the certificate from, the socket does not have to use TLS (SSL)
+ * @return The TLS (SSL) client certificate information, NULL if the peer is not using TLS (SSL)
*/
static ssl_cert* GetCertificate(StreamSocket* sock)
{
- IOHook* iohook = sock->GetIOHook();
- if ((!iohook) || (iohook->prov->type != IOHookProvider::IOH_SSL))
+ SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock);
+ if (!ssliohook)
return NULL;
- SSLIOHook* ssliohook = static_cast<SSLIOHook*>(iohook);
return ssliohook->GetCertificate();
}
/**
* Get the fingerprint of a client certificate from a socket
* @param sock The socket to get the certificate fingerprint from, the
- * socket does not have to use SSL
- * @return The key fingerprint from the SSL certificate sent by the peer,
- * empty if no cert was sent or the peer is not using SSL
+ * socket does not have to use TLS (SSL)
+ * @return The key fingerprint from the TLS (SSL) certificate sent by the peer,
+ * empty if no cert was sent or the peer is not using TLS (SSL)
*/
static std::string GetFingerprint(StreamSocket* sock)
{
{
}
- /** Get the SSL certificate of a user
+ /** Get the TLS (SSL) certificate of a user
* @param user The user whose certificate to get, user may be remote
- * @return The SSL certificate of the user or NULL if the user is not using SSL
+ * @return The TLS (SSL) certificate of the user or NULL if the user is not using TLS (SSL)
*/
virtual ssl_cert* GetCertificate(User* user) = 0;
+ /** Set the TLS (SSL) certificate of a user.
+ * @param user The user whose certificate to set.
+ * @param cert The TLS (SSL) certificate to set for the user.
+ */
+ virtual void SetCertificate(User* user, ssl_cert* cert) = 0;
+
/** Get the key fingerprint from a user's certificate
* @param user The user whose key fingerprint to get, user may be remote
- * @return The key fingerprint from the user's SSL certificate or an empty string
- * if the user is not using SSL or did not provide a client certificate
+ * @return The key fingerprint from the user's TLS (SSL) certificate or an empty string
+ * if the user is not using TLS (SSL) or did not provide a client certificate
*/
std::string GetFingerprint(User* user)
{
}
};
-/** API implemented by m_sslinfo that allows modules to retrive the SSL certificate
+/** API implemented by m_sslinfo that allows modules to retrieve the TLS (SSL) certificate
* information of local and remote users. It can also be used to find out whether a
- * user is using SSL or not.
+ * user is using TLS (SSL) or not.
*/
class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
{
projects / user / henk / code / inspircd.git / blobdiff