* | Inspire Internet Relay Chat Daemon |
* +------------------------------------+
*
- * InspIRCd: (C) 2002-2009 InspIRCd Development Team
+ * InspIRCd: (C) 2002-2010 InspIRCd Development Team
* See: http://wiki.inspircd.org/Credits
*
* This program is free but copyrighted software; see
/* $ModDesc: Provides SSL support for clients */
/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") */
/* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") */
-/* $ModDep: transport.h */
-/* $CopyInstall: conf/key.pem $(CONPATH) */
-/* $CopyInstall: conf/cert.pem $(CONPATH) */
enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
class issl_session
{
public:
- issl_session()
- {
- sess = NULL;
- }
-
gnutls_session_t sess;
issl_status status;
+ reference<ssl_cert> cert;
+ issl_session() : sess(NULL) {}
};
class CommandStartTLS : public SplitCommand
if (!user->eh.GetIOHook())
{
user->WriteNumeric(670, "%s :STARTTLS successful, go ahead with TLS handshake", user->nick.c_str());
+ /* We need to flush the write buffer prior to adding the IOHook,
+ * otherwise we'll be sending this line inside the SSL session - which
+ * won't start its handshake until the client gets this line. Currently,
+ * we assume the write will not block here; this is usually safe, as
+ * STARTTLS is sent very early on in the registration phase, where the
+ * user hasn't built up much sendq. Handling a blocked write here would
+ * be very annoying.
+ */
+ user->eh.DoWrite();
user->eh.AddIOHook(creator);
creator->OnStreamSocketAccept(&user->eh, NULL, NULL);
}
gnutls_certificate_credentials x509_cred;
gnutls_dh_params dh_params;
+ gnutls_digest_algorithm_t hash;
- std::string keyfile;
- std::string certfile;
-
- std::string cafile;
- std::string crlfile;
std::string sslports;
int dh_bits;
CommandStartTLS starttls;
GenericCap capHandler;
+ ServiceProvider iohook;
public:
ModuleSSLGnuTLS()
- : starttls(this), capHandler(this, "tls")
+ : starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
{
- ServerInstance->Modules->PublishInterface("BufferedSocketHook", this);
-
sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
gnutls_global_init(); // This must be called once in the program
gnutls_x509_privkey_init(&x509_key);
cred_alloc = false;
+ }
+
+ void init()
+ {
// Needs the flag as it ignores a plain /rehash
OnModuleRehash(NULL,"ssl");
I_OnEvent, I_OnHookIO };
ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
+ ServerInstance->Modules->AddService(iohook);
ServerInstance->AddCommand(&starttls);
}
void OnRehash(User* user)
{
- ConfigReader Conf;
-
sslports.clear();
for (size_t i = 0; i < ServerInstance->ports.size(); i++)
if(param != "ssl")
return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string crlfile;
OnRehash(user);
- ConfigReader Conf;
+ ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
- cafile = Conf.ReadValue("gnutls", "cafile", 0);
- crlfile = Conf.ReadValue("gnutls", "crlfile", 0);
- certfile = Conf.ReadValue("gnutls", "certfile", 0);
- keyfile = Conf.ReadValue("gnutls", "keyfile", 0);
- dh_bits = Conf.ReadInteger("gnutls", "dhbits", 0, false);
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
-
- if (crlfile.empty())
- crlfile = "conf/crl.pem";
-
- if (certfile.empty())
- certfile = "conf/cert.pem";
-
- if (keyfile.empty())
- keyfile = "conf/key.pem";
+ cafile = Conf->getString("cafile", "conf/ca.pem");
+ crlfile = Conf->getString("crlfile", "conf/crl.pem");
+ certfile = Conf->getString("certfile", "conf/cert.pem");
+ keyfile = Conf->getString("keyfile", "conf/key.pem");
+ dh_bits = Conf->getInt("dhbits");
+ std::string hashname = Conf->getString("hash", "md5");
if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096))
dh_bits = 1024;
+ if (hashname == "md5")
+ hash = GNUTLS_DIG_MD5;
+ else if (hashname == "sha1")
+ hash = GNUTLS_DIG_SHA1;
+ else
+ throw ModuleException("Unknown hash type " + hashname);
+
+
int ret;
if (cred_alloc)
{
gnutls_x509_crt_deinit(x509_cert);
gnutls_x509_privkey_deinit(x509_key);
- gnutls_dh_params_deinit(dh_params);
- gnutls_certificate_free_credentials(x509_cred);
+ if (cred_alloc)
+ {
+ gnutls_dh_params_deinit(dh_params);
+ gnutls_certificate_free_credentials(x509_cred);
+ }
gnutls_global_deinit();
- ServerInstance->Modules->UnpublishInterface("BufferedSocketHook", this);
delete[] sessions;
}
void OnRequest(Request& request)
{
- Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
- if (sslinfo)
- sslinfo->OnRequest(request);
- }
+ if (strcmp("GET_SSL_CERT", request.id) == 0)
+ {
+ SocketCertificateRequest& req = static_cast<SocketCertificateRequest&>(request);
+ int fd = req.sock->GetFd();
+ issl_session* session = &sessions[fd];
+ req.cert = session->cert;
+ }
+ }
void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
{
void OnUserConnect(LocalUser* user)
{
- if (user->GetIOHook() == this)
+ if (user->eh.GetIOHook() == this)
{
if (sessions[user->GetFd()].sess)
{
+ ssl_cert* cert = sessions[user->GetFd()].cert;
+ SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), cert);
std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
- user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ if (cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ else
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\""
+ " and your SSL fingerprint is %s", user->nick.c_str(), cipher.c_str(), cert->fingerprint.c_str());
}
}
}
void CloseSession(issl_session* session)
{
- if(session->sess)
+ if (session->sess)
{
gnutls_bye(session->sess, GNUTLS_SHUT_WR);
gnutls_deinit(session->sess);
}
-
session->sess = NULL;
+ session->cert = NULL;
session->status = ISSL_NONE;
}
- void VerifyCertificate(issl_session* session, Extensible* user)
+ void VerifyCertificate(issl_session* session, StreamSocket* user)
{
- if (!session->sess || !user)
- return;
-
- Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
- if (!sslinfo)
+ if (!session->sess || !user || session->cert)
return;
unsigned int status;
size_t digest_size = sizeof(digest);
size_t name_size = sizeof(name);
ssl_cert* certinfo = new ssl_cert;
+ session->cert = certinfo;
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
if (ret < 0)
{
certinfo->error = std::string(gnutls_strerror(ret));
- goto info_done;
+ return;
}
certinfo->invalid = (status & GNUTLS_CERT_INVALID);
if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
{
certinfo->error = "No X509 keys sent";
- goto info_done;
+ return;
}
ret = gnutls_x509_crt_init(&cert);
if (ret < 0)
{
certinfo->error = gnutls_strerror(ret);
- goto info_done;
+ return;
}
cert_list_size = 0;
gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
certinfo->issuer = name;
- if ((ret = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, digest, &digest_size)) < 0)
+ if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0)
{
certinfo->error = gnutls_strerror(ret);
}
info_done_dealloc:
gnutls_x509_crt_deinit(cert);
-info_done:
- SSLCertSubmission(user, this, sslinfo, certinfo);
}
void OnEvent(Event& ev)
projects / user / henk / code / inspircd.git / blobdiff