Convert a bunch of time-related config options to getDuration.
[user/henk/code/inspircd.git] / src / modules / extra / m_ssl_mbedtls.cpp
index 845d02aa3fb2ad266559cb7e27edc2544d14a8d3..f3b5adfd5e1d8713cbf85dbfab9a8b92c05f0308 100644 (file)
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+/// $LinkerFlags: -lmbedtls
+
+/// $PackageInfo: require_system("darwin") mbedtls
+/// $PackageInfo: require_system("ubuntu" "16.04") libmbedtls-dev
 
-/* $LinkerFlags: -lmbedtls */
 
 #include "inspircd.h"
 #include "modules/ssl.h"
@@ -257,7 +260,6 @@ namespace mbedTLS
                        mbedtls_debug_set_threshold(INT_MAX);
                        mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
 #endif
-                       mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
                        // TODO: check ret of mbedtls_ssl_config_defaults
                        mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -308,6 +310,11 @@ namespace mbedTLS
                        mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
                }
 
+               void SetOptionalVerifyCert()
+               {
+                       mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+               }
+
                const mbedtls_ssl_config* GetConf() const { return &conf; }
        };
 
@@ -376,7 +383,8 @@ namespace mbedTLS
                                const std::string& castr, const std::string& crlstr,
                                unsigned int recsize,
                                CTRDRBG& ctrdrbg,
-                               int minver, int maxver
+                               int minver, int maxver,
+                               bool requestclientcert
                                )
                        : name(profilename)
                        , x509cred(certstr, keystr)
@@ -414,7 +422,14 @@ namespace mbedTLS
                                serverctx.SetDHParams(dhparams);
                        }
 
-                       serverctx.SetCA(cacerts, crl);
+                       clientctx.SetOptionalVerifyCert();
+                       clientctx.SetCA(cacerts, crl);
+                       // The default for servers is to not request a client certificate from the peer
+                       if (requestclientcert)
+                       {
+                               serverctx.SetOptionalVerifyCert();
+                               serverctx.SetCA(cacerts, crl);
+                       }
                }
 
                static std::string ReadFile(const std::string& filename)
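Review bot: The client side at `clientctx.SetOptionalVerifyCert();` is a behaviour change that is not explained, while the server side two lines down gets a comment. With VERIFY_OPTIONAL a client will presumably complete the handshake even when the server certificate is untrusted or does not match the CA chain, which means the trust decision now has to be made by whoever inspects `mbedtls_ssl_get_verify_result()` after the handshake, and that code is not in this hunk. I would mirror the existing server comment: `// Clients always verify the server certificate, but only optionally: the handshake is not aborted on failure and the result is read later`. It is also worth stating next to the `if (requestclientcert)` that when the option is off the server keeps the authmode and (empty) CA chain left by mbedtls_ssl_config_defaults, so any configured CA/CRL is only used for outbound connections. The constructor body starts outside the hunk.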
@@ -451,7 +466,8 @@ namespace mbedTLS
                        int minver = tag->getInt("minver");
                        int maxver = tag->getInt("maxver");
                        unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
-                       return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver);
+                       const bool requestclientcert = tag->getBool("requestclientcert", true);
+                       return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
                }
 
                /** Set up the given session with the settings in this profile