]> git.netwichtig.de Git - user/henk/code/inspircd.git/blobdiff - src/modules/extra/m_ssl_gnutls.cpp
projects / user / henk / code / inspircd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
m_ssl_gnutls, m_ssl_openssl Deduplicate Handshake() calling code
[user/henk/code/inspircd.git] / src / modules / extra / m_ssl_gnutls.cpp
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 7c19925ddabbe1f64d61c6e0268b2e7ac80f6d03..f8dc85659b1a82c927faef5d3f691c74ab968047 100644 (file)
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -22,66 +22,70 @@
 
 
 #include "inspircd.h"
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
 #include "modules/ssl.h"
-#include "modules/cap.h"
 #include <memory>
 
-#if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 9) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 9 && GNUTLS_VERSION_PATCH >= 8))
+// Fix warnings about the use of commas at end of enumerator lists on C++03.
+#if defined __clang__
+# pragma clang diagnostic ignored "-Wc++11-extensions"
+#elif defined __GNUC__
+# pragma GCC diagnostic ignored "-pedantic"
+#endif
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#ifndef GNUTLS_VERSION_NUMBER
+#define GNUTLS_VERSION_NUMBER LIBGNUTLS_VERSION_NUMBER
+#endif
+
+// Check if the GnuTLS library is at least version major.minor.patch
+#define INSPIRCD_GNUTLS_HAS_VERSION(major, minor, patch) (GNUTLS_VERSION_NUMBER >= ((major << 16) | (minor << 8) | patch))
+
+#if INSPIRCD_GNUTLS_HAS_VERSION(2, 9, 8)
 #define GNUTLS_HAS_MAC_GET_ID
 #include <gnutls/crypto.h>
 #endif
 
-#if (GNUTLS_VERSION_MAJOR > 2 || GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 12)
+#if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
 # define GNUTLS_HAS_RND
 #else
 # include <gcrypt.h>
 #endif
 
 #ifdef _WIN32
-# pragma comment(lib, "libgnutls.lib")
-# pragma comment(lib, "libgcrypt.lib")
-# pragma comment(lib, "libgpg-error.lib")
-# pragma comment(lib, "user32.lib")
-# pragma comment(lib, "advapi32.lib")
-# pragma comment(lib, "libgcc.lib")
-# pragma comment(lib, "libmingwex.lib")
-# pragma comment(lib, "gdi32.lib")
+# pragma comment(lib, "libgnutls-28.lib")
 #endif
 
-/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") eval("print `libgcrypt-config --cflags | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") -Wno-pedantic */
+/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") eval("print `libgcrypt-config --cflags | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") */
 /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") eval("print `libgcrypt-config --libs | tr -d \r` if `pkg-config --modversion gnutls 2>/dev/null | tr -d \r` lt '2.12'") */
 
-#ifndef GNUTLS_VERSION_MAJOR
-#define GNUTLS_VERSION_MAJOR LIBGNUTLS_VERSION_MAJOR
-#define GNUTLS_VERSION_MINOR LIBGNUTLS_VERSION_MINOR
-#define GNUTLS_VERSION_PATCH LIBGNUTLS_VERSION_PATCH
-#endif
-
 // These don't exist in older GnuTLS versions
-#if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 1) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 1 && GNUTLS_VERSION_PATCH >= 7))
+#if INSPIRCD_GNUTLS_HAS_VERSION(2, 1, 7)
 #define GNUTLS_NEW_PRIO_API
 #endif
 
-#if(GNUTLS_VERSION_MAJOR < 2)
+#if (!INSPIRCD_GNUTLS_HAS_VERSION(2, 0, 0))
 typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
 typedef gnutls_dh_params_t gnutls_dh_params;
 #endif
 
-enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
+enum issl_status { ISSL_NONE, ISSL_HANDSHAKING, ISSL_HANDSHAKEN };
 
-#if (GNUTLS_VERSION_MAJOR > 2 || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR >= 12))
+#if INSPIRCD_GNUTLS_HAS_VERSION(2, 12, 0)
 #define GNUTLS_NEW_CERT_CALLBACK_API
 typedef gnutls_retr2_st cert_cb_last_param_type;
 #else
 typedef gnutls_retr_st cert_cb_last_param_type;
 #endif
 
+#if INSPIRCD_GNUTLS_HAS_VERSION(3, 3, 5)
+#define INSPIRCD_GNUTLS_HAS_RECV_PACKET
+#endif
+
 class RandGen : public HandlerBase2<void, char*, size_t>
 {
  public:
-       RandGen() {}
        void Call(char* buffer, size_t len)
        {
 #ifdef GNUTLS_HAS_RND
@@ -160,6 +164,10 @@ namespace GnuTLS
                                hash = GNUTLS_DIG_MD5;
                        else if (hashname == "sha1")
                                hash = GNUTLS_DIG_SHA1;
+#ifdef INSPIRCD_GNUTLS_ENABLE_SHA256_FINGERPRINT
+                       else if (hashname == "sha256")
+                               hash = GNUTLS_DIG_SHA256;
+#endif
                        else
                                throw Exception("Unknown hash type " + hashname);
 #endif
@@ -447,6 +455,51 @@ namespace GnuTLS
                }
        };
 
+       class DataReader
+       {
+               int retval;
+#ifdef INSPIRCD_GNUTLS_HAS_RECV_PACKET
+               gnutls_packet_t packet;
+
+        public:
+               DataReader(gnutls_session_t sess)
+               {
+                       // Using the packet API avoids the final copy of the data which GnuTLS does if we supply
+                       // our own buffer. Instead, we get the buffer containing the data from GnuTLS and copy it
+                       // to the recvq directly from there in appendto().
+                       retval = gnutls_record_recv_packet(sess, &packet);
+               }
+
+               void appendto(std::string& recvq)
+               {
+                       // Copy data from GnuTLS buffers to recvq
+                       gnutls_datum_t datum;
+                       gnutls_packet_get(packet, &datum, NULL);
+                       recvq.append(reinterpret_cast<const char*>(datum.data), datum.size);
+
+                       gnutls_packet_deinit(packet);
+               }
+#else
+               char* const buffer;
+
+        public:
+               DataReader(gnutls_session_t sess)
+                       : buffer(ServerInstance->GetReadBuffer())
+               {
+                       // Read data from GnuTLS buffers into ReadBuffer
+                       retval = gnutls_record_recv(sess, buffer, ServerInstance->Config->NetBufferSize);
+               }
+
+               void appendto(std::string& recvq)
+               {
+                       // Copy data from ReadBuffer to recvq
+                       recvq.append(buffer, retval);
+               }
+#endif
+
+               int ret() const { return retval; }
+       };
+
        class Profile : public refcountbase
        {
                /** Name of this profile
@@ -543,107 +596,87 @@ namespace GnuTLS
        };
 }
 
-/** Represents an SSL user's extra data
- */
-class issl_session
+class GnuTLSIOHook : public SSLIOHook
 {
-public:
-       StreamSocket* socket;
+ private:
        gnutls_session_t sess;
        issl_status status;
-       reference<ssl_cert> cert;
        reference<GnuTLS::Profile> profile;
 
-       issl_session() : socket(NULL), sess(NULL) {}
-};
-
-class GnuTLSIOHook : public SSLIOHook
-{
- private:
        void InitSession(StreamSocket* user, bool me_server)
        {
-               issl_session* session = &sessions[user->GetFd()];
-
-               gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
-               session->socket = user;
+               gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
 
-               session->profile->SetupSession(session->sess);
-               gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
-               gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
-               gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);
+               profile->SetupSession(sess);
+               gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user));
+               gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
+               gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);
 
                if (me_server)
-                       gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
-
-               Handshake(session, user);
+                       gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
        }
 
-       void CloseSession(issl_session* session)
+       void CloseSession()
        {
-               if (session->sess)
+               if (this->sess)
                {
-                       gnutls_bye(session->sess, GNUTLS_SHUT_WR);
-                       gnutls_deinit(session->sess);
+                       gnutls_bye(this->sess, GNUTLS_SHUT_WR);
+                       gnutls_deinit(this->sess);
                }
-               session->socket = NULL;
-               session->sess = NULL;
-               session->cert = NULL;
-               session->profile = NULL;
-               session->status = ISSL_NONE;
+               sess = NULL;
+               certificate = NULL;
+               status = ISSL_NONE;
        }
 
-       bool Handshake(issl_session* session, StreamSocket* user)
+       // Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed
+       int Handshake(StreamSocket* user)
        {
-               int ret = gnutls_handshake(session->sess);
+               int ret = gnutls_handshake(this->sess);
 
                if (ret < 0)
                {
                        if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
                        {
                                // Handshake needs resuming later, read() or write() would have blocked.
+                               this->status = ISSL_HANDSHAKING;
 
-                               if(gnutls_record_get_direction(session->sess) == 0)
+                               if (gnutls_record_get_direction(this->sess) == 0)
                                {
                                        // gnutls_handshake() wants to read() again.
-                                       session->status = ISSL_HANDSHAKING_READ;
-                                       ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
+                                       SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
                                }
                                else
                                {
                                        // gnutls_handshake() wants to write() again.
-                                       session->status = ISSL_HANDSHAKING_WRITE;
-                                       ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
+                                       SocketEngine::ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
                                }
+
+                               return 0;
                        }
                        else
                        {
                                user->SetError("Handshake Failed - " + std::string(gnutls_strerror(ret)));
-                               CloseSession(session);
-                               session->status = ISSL_CLOSING;
+                               CloseSession();
+                               return -1;
                        }
-
-                       return false;
                }
                else
                {
                        // Change the seesion state
-                       session->status = ISSL_HANDSHAKEN;
+                       this->status = ISSL_HANDSHAKEN;
 
-                       VerifyCertificate(session,user);
+                       VerifyCertificate();
 
                        // Finish writing, if any left
-                       ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
+                       SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE | FD_ADD_TRIAL_WRITE);
 
-                       return true;
+                       return 1;
                }
        }
 
-       void VerifyCertificate(issl_session* session, StreamSocket* user)
+       void VerifyCertificate()
        {
-               if (!session->sess || !user)
-                       return;
-
-               unsigned int status;
+               unsigned int certstatus;
                const gnutls_datum_t* cert_list;
                int ret;
                unsigned int cert_list_size;
@@ -653,12 +686,12 @@ class GnuTLSIOHook : public SSLIOHook
                size_t digest_size = sizeof(digest);
                size_t name_size = sizeof(str);
                ssl_cert* certinfo = new ssl_cert;
-               session->cert = certinfo;
+               this->certificate = certinfo;
 
                /* This verification function uses the trusted CAs in the credentials
                 * structure. So you must have installed one or more CA certificates.
                 */
-               ret = gnutls_certificate_verify_peers2(session->sess, &status);
+               ret = gnutls_certificate_verify_peers2(this->sess, &certstatus);
 
                if (ret < 0)
                {
@@ -666,16 +699,16 @@ class GnuTLSIOHook : public SSLIOHook
                        return;
                }
 
-               certinfo->invalid = (status & GNUTLS_CERT_INVALID);
-               certinfo->unknownsigner = (status & GNUTLS_CERT_SIGNER_NOT_FOUND);
-               certinfo->revoked = (status & GNUTLS_CERT_REVOKED);
-               certinfo->trusted = !(status & GNUTLS_CERT_SIGNER_NOT_CA);
+               certinfo->invalid = (certstatus & GNUTLS_CERT_INVALID);
+               certinfo->unknownsigner = (certstatus & GNUTLS_CERT_SIGNER_NOT_FOUND);
+               certinfo->revoked = (certstatus & GNUTLS_CERT_REVOKED);
+               certinfo->trusted = !(certstatus & GNUTLS_CERT_SIGNER_NOT_CA);
 
                /* Up to here the process is the same for X.509 certificates and
                 * OpenPGP keys. From now on X.509 certificates are assumed. This can
                 * be easily extended to work with openpgp keys as well.
                 */
-               if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
+               if (gnutls_certificate_type_get(this->sess) != GNUTLS_CRT_X509)
                {
                        certinfo->error = "No X509 keys sent";
                        return;
@@ -689,7 +722,7 @@ class GnuTLSIOHook : public SSLIOHook
                }
 
                cert_list_size = 0;
-               cert_list = gnutls_certificate_get_peers(session->sess, &cert_list_size);
+               cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size);
                if (cert_list == NULL)
                {
                        certinfo->error = "No certificate was found";
@@ -707,13 +740,25 @@ class GnuTLSIOHook : public SSLIOHook
                        goto info_done_dealloc;
                }
 
-               gnutls_x509_crt_get_dn(cert, str, &name_size);
-               certinfo->dn = str;
+               if (gnutls_x509_crt_get_dn(cert, str, &name_size) == 0)
+               {
+                       std::string& dn = certinfo->dn;
+                       dn = str;
+                       // Make sure there are no chars in the string that we consider invalid
+                       if (dn.find_first_of("\r\n") != std::string::npos)
+                               dn.clear();
+               }
 
-               gnutls_x509_crt_get_issuer_dn(cert, str, &name_size);
-               certinfo->issuer = str;
+               name_size = sizeof(str);
+               if (gnutls_x509_crt_get_issuer_dn(cert, str, &name_size) == 0)
+               {
+                       std::string& issuer = certinfo->issuer;
+                       issuer = str;
+                       if (issuer.find_first_of("\r\n") != std::string::npos)
+                               issuer.clear();
+               }
 
-               if ((ret = gnutls_x509_crt_get_fingerprint(cert, session->profile->GetHash(), digest, &digest_size)) < 0)
+               if ((ret = gnutls_x509_crt_get_fingerprint(cert, profile->GetHash(), digest, &digest_size)) < 0)
                {
                        certinfo->error = gnutls_strerror(ret);
                }
@@ -733,6 +778,22 @@ info_done_dealloc:
                gnutls_x509_crt_deinit(cert);
        }
 
+       // Returns 1 if application I/O should proceed, 0 if it must wait for the underlying protocol to progress, -1 on fatal error
+       int PrepareIO(StreamSocket* sock)
+       {
+               if (status == ISSL_HANDSHAKEN)
+                       return 1;
+               else if (status == ISSL_HANDSHAKING)
+               {
+                       // The handshake isn't finished, try to finish it
+                       return Handshake(sock);
+               }
+
+               CloseSession();
+               sock->SetError("No SSL session");
+               return -1;
+       }
+
        static const char* UnknownIfNULL(const char* str)
        {
                return str ? str : "UNKNOWN";
@@ -740,8 +801,12 @@ info_done_dealloc:
 
        static ssize_t gnutls_pull_wrapper(gnutls_transport_ptr_t session_wrap, void* buffer, size_t size)
        {
-               issl_session* session = reinterpret_cast<issl_session*>(session_wrap);
-               if (session->socket->GetEventMask() & FD_READ_WILL_BLOCK)
+               StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
+#ifdef _WIN32
+               GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetIOHook());
+#endif
+
+               if (sock->GetEventMask() & FD_READ_WILL_BLOCK)
                {
 #ifdef _WIN32
                        gnutls_transport_set_errno(session->sess, EAGAIN);
@@ -751,7 +816,7 @@ info_done_dealloc:
                        return -1;
                }
 
-               int rv = ServerInstance->SE->Recv(session->socket, reinterpret_cast<char *>(buffer), size, 0);
+               int rv = SocketEngine::Recv(sock, reinterpret_cast<char *>(buffer), size, 0);
 
 #ifdef _WIN32
                if (rv < 0)
@@ -766,14 +831,18 @@ info_done_dealloc:
 #endif
 
                if (rv < (int)size)
-                       ServerInstance->SE->ChangeEventMask(session->socket, FD_READ_WILL_BLOCK);
+                       SocketEngine::ChangeEventMask(sock, FD_READ_WILL_BLOCK);
                return rv;
        }
 
        static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t session_wrap, const void* buffer, size_t size)
        {
-               issl_session* session = reinterpret_cast<issl_session*>(session_wrap);
-               if (session->socket->GetEventMask() & FD_WRITE_WILL_BLOCK)
+               StreamSocket* sock = reinterpret_cast<StreamSocket*>(session_wrap);
+#ifdef _WIN32
+               GnuTLSIOHook* session = static_cast<GnuTLSIOHook*>(sock->GetIOHook());
+#endif
+
+               if (sock->GetEventMask() & FD_WRITE_WILL_BLOCK)
                {
 #ifdef _WIN32
                        gnutls_transport_set_errno(session->sess, EAGAIN);
@@ -783,7 +852,7 @@ info_done_dealloc:
                        return -1;
                }
 
-               int rv = ServerInstance->SE->Send(session->socket, reinterpret_cast<const char *>(buffer), size, 0);
+               int rv = SocketEngine::Send(sock, reinterpret_cast<const char *>(buffer), size, 0);
 
 #ifdef _WIN32
                if (rv < 0)
@@ -798,78 +867,41 @@ info_done_dealloc:
 #endif
 
                if (rv < (int)size)
-                       ServerInstance->SE->ChangeEventMask(session->socket, FD_WRITE_WILL_BLOCK);
+                       SocketEngine::ChangeEventMask(sock, FD_WRITE_WILL_BLOCK);
                return rv;
        }
 
  public:
-       issl_session* sessions;
-
-       GnuTLSIOHook(Module* parent)
-               : SSLIOHook(parent, "ssl/gnutls")
-       {
-               sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
-       }
-
-       ~GnuTLSIOHook()
-       {
-               delete[] sessions;
-       }
-
-       void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
-       {
-               issl_session* session = &sessions[user->GetFd()];
-
-               /* For STARTTLS: Don't try and init a session on a socket that already has a session */
-               if (session->sess)
-                       return;
-
-               InitSession(user, true);
-       }
-
-       void OnStreamSocketConnect(StreamSocket* user) CXX11_OVERRIDE
+       GnuTLSIOHook(IOHookProvider* hookprov, StreamSocket* sock, bool outbound, const reference<GnuTLS::Profile>& sslprofile)
+               : SSLIOHook(hookprov)
+               , sess(NULL)
+               , status(ISSL_NONE)
+               , profile(sslprofile)
        {
-               InitSession(user, false);
+               InitSession(sock, outbound);
+               sock->AddIOHook(this);
+               Handshake(sock);
        }
 
        void OnStreamSocketClose(StreamSocket* user) CXX11_OVERRIDE
        {
-               CloseSession(&sessions[user->GetFd()]);
+               CloseSession();
        }
 
        int OnStreamSocketRead(StreamSocket* user, std::string& recvq) CXX11_OVERRIDE
        {
-               issl_session* session = &sessions[user->GetFd()];
-
-               if (!session->sess)
-               {
-                       CloseSession(session);
-                       user->SetError("No SSL session");
-                       return -1;
-               }
-
-               if (session->status == ISSL_HANDSHAKING_READ || session->status == ISSL_HANDSHAKING_WRITE)
-               {
-                       // The handshake isn't finished, try to finish it.
-
-                       if(!Handshake(session, user))
-                       {
-                               if (session->status != ISSL_CLOSING)
-                                       return 0;
-                               return -1;
-                       }
-               }
-
-               // If we resumed the handshake then session->status will be ISSL_HANDSHAKEN.
+               // Finish handshake if needed
+               int prepret = PrepareIO(user);
+               if (prepret <= 0)
+                       return prepret;
 
-               if (session->status == ISSL_HANDSHAKEN)
+               // If we resumed the handshake then this->status will be ISSL_HANDSHAKEN.
                {
-                       char* buffer = ServerInstance->GetReadBuffer();
-                       size_t bufsiz = ServerInstance->Config->NetBufferSize;
-                       int ret = gnutls_record_recv(session->sess, buffer, bufsiz);
+                       GnuTLS::DataReader reader(sess);
+                       int ret = reader.ret();
                        if (ret > 0)
                        {
-                               recvq.append(buffer, ret);
+                               reader.appendto(recvq);
                                return 1;
                        }
                        else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
@@ -879,100 +911,79 @@ info_done_dealloc:
                        else if (ret == 0)
                        {
                                user->SetError("Connection closed");
-                               CloseSession(session);
+                               CloseSession();
                                return -1;
                        }
                        else
                        {
                                user->SetError(gnutls_strerror(ret));
-                               CloseSession(session);
+                               CloseSession();
                                return -1;
                        }
                }
-               else if (session->status == ISSL_CLOSING)
-                       return -1;
-
-               return 0;
        }
 
        int OnStreamSocketWrite(StreamSocket* user, std::string& sendq) CXX11_OVERRIDE
        {
-               issl_session* session = &sessions[user->GetFd()];
-
-               if (!session->sess)
-               {
-                       CloseSession(session);
-                       user->SetError("No SSL session");
-                       return -1;
-               }
-
-               if (session->status == ISSL_HANDSHAKING_WRITE || session->status == ISSL_HANDSHAKING_READ)
-               {
-                       // The handshake isn't finished, try to finish it.
-                       Handshake(session, user);
-                       if (session->status != ISSL_CLOSING)
-                               return 0;
-                       return -1;
-               }
+               // Finish handshake if needed
+               int prepret = PrepareIO(user);
+               if (prepret <= 0)
+                       return prepret;
 
+               // Session is ready for transferring application data
                int ret = 0;
 
-               if (session->status == ISSL_HANDSHAKEN)
                {
-                       ret = gnutls_record_send(session->sess, sendq.data(), sendq.length());
+                       ret = gnutls_record_send(this->sess, sendq.data(), sendq.length());
 
                        if (ret == (int)sendq.length())
                        {
-                               ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_WRITE);
+                               SocketEngine::ChangeEventMask(user, FD_WANT_NO_WRITE);
                                return 1;
                        }
                        else if (ret > 0)
                        {
-                               sendq = sendq.substr(ret);
-                               ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
+                               sendq.erase(0, ret);
+                               SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
                                return 0;
                        }
                        else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
                        {
-                               ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
+                               SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
                                return 0;
                        }
                        else // (ret < 0)
                        {
                                user->SetError(gnutls_strerror(ret));
-                               CloseSession(session);
+                               CloseSession();
                                return -1;
                        }
                }
-
-               return 0;
-       }
-
-       ssl_cert* GetCertificate(StreamSocket* sock) CXX11_OVERRIDE
-       {
-               int fd = sock->GetFd();
-               issl_session* session = &sessions[fd];
-               return session->cert;
        }
 
        void TellCiphersAndFingerprint(LocalUser* user)
        {
-               const gnutls_session_t& sess = sessions[user->eh.GetFd()].sess;
                if (sess)
                {
                        std::string text = "*** You are connected using SSL cipher '";
-
-                       text += UnknownIfNULL(gnutls_kx_get_name(gnutls_kx_get(sess)));
-                       text.append("-").append(UnknownIfNULL(gnutls_cipher_get_name(gnutls_cipher_get(sess)))).append("-");
-                       text.append(UnknownIfNULL(gnutls_mac_get_name(gnutls_mac_get(sess)))).append("'");
-
-                       ssl_cert* cert = sessions[user->eh.GetFd()].cert;
-                       if (!cert->fingerprint.empty())
-                               text += " and your SSL fingerprint is " + cert->fingerprint;
+                       GetCiphersuite(text);
+                       text += '\'';
+                       if (!certificate->fingerprint.empty())
+                               text += " and your SSL certificate fingerprint is " + certificate->fingerprint;
 
                        user->WriteNotice(text);
                }
        }
+
+       void GetCiphersuite(std::string& out) const
+       {
+               out.append(UnknownIfNULL(gnutls_protocol_get_name(gnutls_protocol_get_version(sess)))).push_back('-');
+               out.append(UnknownIfNULL(gnutls_kx_get_name(gnutls_kx_get(sess)))).push_back('-');
+               out.append(UnknownIfNULL(gnutls_cipher_get_name(gnutls_cipher_get(sess)))).push_back('-');
+               out.append(UnknownIfNULL(gnutls_mac_get_name(gnutls_mac_get(sess))));
+       }
+
+       GnuTLS::Profile* GetProfile() { return profile; }
 };
 
 int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_datum_t* req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t* sign_algos, int sign_algos_length, cert_cb_last_param_type* st)
@@ -983,8 +994,8 @@ int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_d
        st->cert_type = GNUTLS_CRT_X509;
        st->key_type = GNUTLS_PRIVKEY_X509;
 #endif
-       issl_session* session = reinterpret_cast<issl_session*>(gnutls_transport_get_ptr(sess));
-       GnuTLS::X509Credentials& cred = session->profile->GetX509Credentials();
+       StreamSocket* sock = reinterpret_cast<StreamSocket*>(gnutls_transport_get_ptr(sess));
+       GnuTLS::X509Credentials& cred = static_cast<GnuTLSIOHook*>(sock->GetIOHook())->GetProfile()->GetX509Credentials();
 
        st->ncerts = cred.certs.size();
        st->cert.x509 = cred.certs.raw();
@@ -994,17 +1005,40 @@ int GnuTLS::X509Credentials::cert_callback(gnutls_session_t sess, const gnutls_d
        return 0;
 }
 
-class ModuleSSLGnuTLS : public Module
+class GnuTLSIOHookProvider : public refcountbase, public IOHookProvider
 {
-       typedef std::vector<reference<GnuTLS::Profile> > ProfileList;
+       reference<GnuTLS::Profile> profile;
 
-       // First member of the class, gets constructed first and destructed last
-       GnuTLS::Init libinit;
+ public:
+       GnuTLSIOHookProvider(Module* mod, reference<GnuTLS::Profile>& prof)
+               : IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
+               , profile(prof)
+       {
+               ServerInstance->Modules->AddService(*this);
+       }
+
+       ~GnuTLSIOHookProvider()
+       {
+               ServerInstance->Modules->DelService(*this);
+       }
+
+       void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
+       {
+               new GnuTLSIOHook(this, sock, true, profile);
+       }
 
-       GnuTLSIOHook iohook;
+       void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
+       {
+               new GnuTLSIOHook(this, sock, false, profile);
+       }
+};
 
-       std::string sslports;
+class ModuleSSLGnuTLS : public Module
+{
+       typedef std::vector<reference<GnuTLSIOHookProvider> > ProfileList;
 
+       // First member of the class, gets constructed first and destructed last
+       GnuTLS::Init libinit;
        RandGen randhandler;
        ProfileList profiles;
 
@@ -1026,7 +1060,7 @@ class ModuleSSLGnuTLS : public Module
                        try
                        {
                                reference<GnuTLS::Profile> profile(GnuTLS::Profile::Create(defname, tag));
-                               newprofiles.push_back(profile);
+                               newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
                        }
                        catch (CoreException& ex)
                        {
@@ -1057,7 +1091,7 @@ class ModuleSSLGnuTLS : public Module
                                throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
                        }
 
-                       newprofiles.push_back(profile);
+                       newprofiles.push_back(new GnuTLSIOHookProvider(this, profile));
                }
 
                // New profiles are ok, begin using them
@@ -1066,7 +1100,7 @@ class ModuleSSLGnuTLS : public Module
        }
 
  public:
-       ModuleSSLGnuTLS() : iohook(this)
+       ModuleSSLGnuTLS()
        {
 #ifndef GNUTLS_HAS_RND
                gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
@@ -1079,45 +1113,6 @@ class ModuleSSLGnuTLS : public Module
                ServerInstance->GenRandom = &randhandler;
        }
 
-       void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
-       {
-               sslports.clear();
-
-               ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
-
-               if (Conf->getBool("showports", true))
-               {
-                       sslports = Conf->getString("advertisedports");
-                       if (!sslports.empty())
-                               return;
-
-                       for (size_t i = 0; i < ServerInstance->ports.size(); i++)
-                       {
-                               ListenSocket* port = ServerInstance->ports[i];
-                               if (port->bind_tag->getString("ssl") != "gnutls")
-                                       continue;
-
-                               const std::string& portid = port->bind_desc;
-                               ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Enabling SSL for port %s", portid.c_str());
-
-                               if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
-                               {
-                                       /*
-                                        * Found an SSL port for clients that is not bound to 127.0.0.1 and handled by us, display
-                                        * the IP:port in ISUPPORT.
-                                        *
-                                        * We used to advertise all ports seperated by a ';' char that matched the above criteria,
-                                        * but this resulted in too long ISUPPORT lines if there were lots of ports to be displayed.
-                                        * To solve this by default we now only display the first IP:port found and let the user
-                                        * configure the exact value for the 005 token, if necessary.
-                                        */
-                                       sslports = portid;
-                                       break;
-                               }
-                       }
-               }
-       }
-
        void OnModuleRehash(User* user, const std::string &param) CXX11_OVERRIDE
        {
                if(param != "ssl")
@@ -1144,7 +1139,7 @@ class ModuleSSLGnuTLS : public Module
                {
                        LocalUser* user = IS_LOCAL(static_cast<User*>(item));
 
-                       if (user && user->eh.GetIOHook() == &iohook)
+                       if (user && user->eh.GetIOHook() && user->eh.GetIOHook()->prov->creator == this)
                        {
                                // User is using SSL, they're a local user, and they're using one of *our* SSL ports.
                                // Potentially there could be multiple SSL modules loaded at once on different ports.
@@ -1158,33 +1153,11 @@ class ModuleSSLGnuTLS : public Module
                return Version("Provides SSL support for clients", VF_VENDOR);
        }
 
-       void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
-       {
-               if (!sslports.empty())
-                       tokens["SSL"] = sslports;
-       }
-
-       void OnHookIO(StreamSocket* user, ListenSocket* lsb) CXX11_OVERRIDE
-       {
-               if (!user->GetIOHook())
-               {
-                       std::string profilename = lsb->bind_tag->getString("ssl");
-                       for (ProfileList::const_iterator i = profiles.begin(); i != profiles.end(); ++i)
-                       {
-                               if ((*i)->GetName() == profilename)
-                               {
-                                       iohook.sessions[user->GetFd()].profile = *i;
-                                       user->AddIOHook(&iohook);
-                                       break;
-                               }
-                       }
-               }
-       }
-
        void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
        {
-               if (user->eh.GetIOHook() == &iohook)
-                       iohook.TellCiphersAndFingerprint(user);
+               IOHook* hook = user->eh.GetIOHook();
+               if (hook && hook->prov->creator == this)
+                       static_cast<GnuTLSIOHook*>(hook)->TellCiphersAndFingerprint(user);
        }
 };