X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=sidebyside;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=df3709f10a6d457100bf4103701ba1d65374a809;hb=e77259697ecfc82c58ba358a1efe25f288414c7e;hp=c65b8528a0c2b9755b086bfdfb0c06306be5eea8;hpb=f0bd730338be67a7c5c8fd65ef8b4d9f851860bb;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index c65b8528a..df3709f10 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -2,7 +2,7 @@
  *       | Inspire Internet Relay Chat Daemon |
  *       +------------------------------------+
  *
- *  InspIRCd: (C) 2002-2009 InspIRCd Development Team
+ *  InspIRCd: (C) 2002-2010 InspIRCd Development Team
  * See: http://wiki.inspircd.org/Credits
  *
  * This program is free but copyrighted software; see
@@ -14,7 +14,7 @@
 #include "inspircd.h"
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
-#include "transport.h"
+#include "ssl.h"
 #include "m_cap.h"
 
 #ifdef WINDOWS
@@ -24,9 +24,8 @@
 /* $ModDesc: Provides SSL support for clients */
 /* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") */
 /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") */
-/* $ModDep: transport.h */
-/* $CopyInstall: conf/key.pem $(CONPATH) */
-/* $CopyInstall: conf/cert.pem $(CONPATH) */
+/* $CopyInstall: conf/key.pem $(CONPATH) -m 0400 -o $(INSTUID) */
+/* $CopyInstall: conf/cert.pem $(CONPATH) -m 0444 */
 
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
 
@@ -74,27 +73,24 @@ static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t user_wrap, const void*
 
 /** Represents an SSL user's extra data
  */
-class issl_session : public classbase
+class issl_session
 {
 public:
-	issl_session()
-	{
-		sess = NULL;
-	}
-
 	gnutls_session_t sess;
 	issl_status status;
+	reference<ssl_cert> cert;
+	issl_session() : sess(NULL) {}
 };
 
-class CommandStartTLS : public Command
+class CommandStartTLS : public SplitCommand
 {
  public:
-	CommandStartTLS (Module* mod) : Command(mod, "STARTTLS")
+	CommandStartTLS (Module* mod) : SplitCommand(mod, "STARTTLS")
 	{
 		works_before_reg = true;
 	}
 
-	CmdResult Handle (const std::vector<std::string> &parameters, User *user)
+	CmdResult HandleLocal(const std::vector<std::string> &parameters, LocalUser *user)
 	{
 		/* changed from == REG_ALL to catch clients sending STARTTLS
 		 * after NICK and USER but before OnUserConnect completes and
@@ -106,11 +102,11 @@ class CommandStartTLS : public Command
 		}
 		else
 		{
-			if (!user->GetIOHook())
+			if (!user->eh.GetIOHook())
 			{
 				user->WriteNumeric(670, "%s :STARTTLS successful, go ahead with TLS handshake", user->nick.c_str());
-				user->AddIOHook(creator);
-				creator->OnStreamSocketAccept(user, NULL, NULL);
+				user->eh.AddIOHook(creator);
+				creator->OnStreamSocketAccept(&user->eh, NULL, NULL);
 			}
 			else
 				user->WriteNumeric(691, "%s :STARTTLS failure", user->nick.c_str());
@@ -122,8 +118,6 @@ class CommandStartTLS : public Command
 
 class ModuleSSLGnuTLS : public Module
 {
-	std::set<ListenSocketBase*> listenports;
-
 	issl_session* sessions;
 
 	gnutls_certificate_credentials x509_cred;
@@ -131,6 +125,7 @@ class ModuleSSLGnuTLS : public Module
 
 	std::string keyfile;
 	std::string certfile;
+
 	std::string cafile;
 	std::string crlfile;
 	std::string sslports;
@@ -141,13 +136,12 @@ class ModuleSSLGnuTLS : public Module
 	CommandStartTLS starttls;
 
 	GenericCap capHandler;
+	ServiceProvider iohook;
  public:
 
-	ModuleSSLGnuTLS(InspIRCd* Me)
-		: Module(Me), starttls(this), capHandler(this, "tls")
+	ModuleSSLGnuTLS()
+		: starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
 	{
-		ServerInstance->Modules->PublishInterface("BufferedSocketHook", this);
-
 		sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
 
 		gnutls_global_init(); // This must be called once in the program
@@ -155,37 +149,37 @@ class ModuleSSLGnuTLS : public Module
 		gnutls_x509_privkey_init(&x509_key);
 
 		cred_alloc = false;
+	}
+
+	void init()
+	{
 		// Needs the flag as it ignores a plain /rehash
 		OnModuleRehash(NULL,"ssl");
 
 		// Void return, guess we assume success
 		gnutls_certificate_set_dh_params(x509_cred, dh_params);
-		Implementation eventlist[] = { I_On005Numeric, I_OnRequest, I_OnRehash, I_OnModuleRehash, I_OnPostConnect,
+		Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnUserConnect,
 			I_OnEvent, I_OnHookIO };
 		ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 
+		ServerInstance->Modules->AddService(iohook);
 		ServerInstance->AddCommand(&starttls);
 	}
 
 	void OnRehash(User* user)
 	{
-		ConfigReader Conf(ServerInstance);
-
-		listenports.clear();
 		sslports.clear();
 
 		for (size_t i = 0; i < ServerInstance->ports.size(); i++)
 		{
-			ListenSocketBase* port = ServerInstance->ports[i];
-			std::string desc = port->GetDescription();
-			if (desc != "gnutls")
+			ListenSocket* port = ServerInstance->ports[i];
+			if (port->bind_tag->getString("ssl") != "gnutls")
 				continue;
 
-			listenports.insert(port);
-			std::string portid = port->GetBindDesc();
-
+			const std::string& portid = port->bind_desc;
 			ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT, "m_ssl_gnutls.so: Enabling SSL for port %s", portid.c_str());
-			if (port->GetIP() != "127.0.0.1")
+
+			if (port->bind_tag->getString("type", "clients") == "clients" && port->bind_addr != "127.0.0.1")
 				sslports.append(portid).append(";");
 		}
 
@@ -200,47 +194,30 @@ class ModuleSSLGnuTLS : public Module
 
 		OnRehash(user);
 
-		ConfigReader Conf(ServerInstance);
-
-		std::string confdir(ServerInstance->ConfigFileName);
-		// +1 so we the path ends with a /
-		confdir = confdir.substr(0, confdir.find_last_of('/') + 1);
+		ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
 
-		cafile = Conf.ReadValue("gnutls", "cafile", 0);
-		crlfile	= Conf.ReadValue("gnutls", "crlfile", 0);
-		certfile = Conf.ReadValue("gnutls", "certfile", 0);
-		keyfile	= Conf.ReadValue("gnutls", "keyfile", 0);
-		dh_bits	= Conf.ReadInteger("gnutls", "dhbits", 0, false);
+		cafile = Conf->getString("cafile");
+		crlfile	= Conf->getString("crlfile");
+		certfile = Conf->getString("certfile");
+		keyfile	= Conf->getString("keyfile");
+		dh_bits	= Conf->getInt("dhbits");
 
 		// Set all the default values needed.
 		if (cafile.empty())
-			cafile = "ca.pem";
+			cafile = "conf/ca.pem";
 
 		if (crlfile.empty())
-			crlfile = "crl.pem";
+			crlfile = "conf/crl.pem";
 
 		if (certfile.empty())
-			certfile = "cert.pem";
+			certfile = "conf/cert.pem";
 
 		if (keyfile.empty())
-			keyfile = "key.pem";
+			keyfile = "conf/key.pem";
 
 		if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096))
 			dh_bits = 1024;
 
-		// Prepend relative paths with the path to the config directory.
-		if ((cafile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(cafile)))
-			cafile = confdir + cafile;
-
-		if ((crlfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(crlfile)))
-			crlfile = confdir + crlfile;
-
-		if ((certfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(certfile)))
-			certfile = confdir + certfile;
-
-		if ((keyfile[0] != '/') && (!ServerInstance->Config->StartsWithWindowsDriveLetter(keyfile)))
-			keyfile = confdir + keyfile;
-
 		int ret;
 
 		if (cred_alloc)
@@ -261,7 +238,7 @@ class ModuleSSLGnuTLS : public Module
 		if((ret = gnutls_certificate_set_x509_crl_file (x509_cred, crlfile.c_str(), GNUTLS_X509_FMT_PEM)) < 0)
 			ServerInstance->Logs->Log("m_ssl_gnutls",DEBUG, "m_ssl_gnutls.so: Failed to set X.509 CRL file '%s': %s", crlfile.c_str(), gnutls_strerror(ret));
 
-		FileReader reader(ServerInstance);
+		FileReader reader;
 
 		reader.LoadFile(certfile);
 		std::string cert_string = reader.Contents();
@@ -307,10 +284,12 @@ class ModuleSSLGnuTLS : public Module
 	{
 		gnutls_x509_crt_deinit(x509_cert);
 		gnutls_x509_privkey_deinit(x509_key);
-		gnutls_dh_params_deinit(dh_params);
-		gnutls_certificate_free_credentials(x509_cred);
+		if (cred_alloc)
+		{
+			gnutls_dh_params_deinit(dh_params);
+			gnutls_certificate_free_credentials(x509_cred);
+		}
 		gnutls_global_deinit();
-		ServerInstance->Modules->UnpublishInterface("BufferedSocketHook", this);
 		delete[] sessions;
 	}
 
@@ -318,21 +297,20 @@ class ModuleSSLGnuTLS : public Module
 	{
 		if(target_type == TYPE_USER)
 		{
-			User* user = static_cast<User*>(item);
+			LocalUser* user = IS_LOCAL(static_cast<User*>(item));
 
-			if (user->GetIOHook() == this)
+			if (user && user->eh.GetIOHook() == this)
 			{
 				// User is using SSL, they're a local user, and they're using one of *our* SSL ports.
 				// Potentially there could be multiple SSL modules loaded at once on different ports.
 				ServerInstance->Users->QuitUser(user, "SSL module unloading");
-				user->DelIOHook();
 			}
 		}
 	}
 
 	Version GetVersion()
 	{
-		return Version("Provides SSL support for clients", VF_VENDOR, API_VERSION);
+		return Version("Provides SSL support for clients", VF_VENDOR);
 	}
 
 
@@ -343,64 +321,27 @@ class ModuleSSLGnuTLS : public Module
 		output.append(" STARTTLS");
 	}
 
-	void OnHookIO(StreamSocket* user, ListenSocketBase* lsb)
+	void OnHookIO(StreamSocket* user, ListenSocket* lsb)
 	{
-		if (!user->GetIOHook() && listenports.find(lsb) != listenports.end())
+		if (!user->GetIOHook() && lsb->bind_tag->getString("ssl") == "gnutls")
 		{
 			/* Hook the user with our module */
 			user->AddIOHook(this);
 		}
 	}
 
-	const char* OnRequest(Request* request)
+	void OnRequest(Request& request)
 	{
-		ISHRequest* ISR = static_cast<ISHRequest*>(request);
-		if (strcmp("IS_NAME", request->GetId()) == 0)
+		if (strcmp("GET_SSL_CERT", request.id) == 0)
 		{
-			return "gnutls";
-		}
-		else if (strcmp("IS_HOOK", request->GetId()) == 0)
-		{
-			ISR->Sock->AddIOHook(this);
-			return "OK";
-		}
-		else if (strcmp("IS_UNHOOK", request->GetId()) == 0)
-		{
-			ISR->Sock->DelIOHook();
-			return "OK";
-		}
-		else if (strcmp("IS_HSDONE", request->GetId()) == 0)
-		{
-			if (ISR->Sock->GetFd() < 0)
-				return "OK";
+			SocketCertificateRequest& req = static_cast<SocketCertificateRequest&>(request);
+			int fd = req.sock->GetFd();
+			issl_session* session = &sessions[fd];
 
-			issl_session* session = &sessions[ISR->Sock->GetFd()];
-			return (session->status == ISSL_HANDSHAKING_READ || session->status == ISSL_HANDSHAKING_WRITE) ? NULL : "OK";
-		}
-		else if (strcmp("IS_ATTACH", request->GetId()) == 0)
-		{
-			if (ISR->Sock->GetFd() > -1)
-			{
-				issl_session* session = &sessions[ISR->Sock->GetFd()];
-				if (session->sess)
-				{
-					if (static_cast<Extensible*>(ServerInstance->SE->GetRef(ISR->Sock->GetFd())) == static_cast<Extensible*>(ISR->Sock))
-					{
-						return "OK";
-					}
-				}
-			}
-		}
-		else if (strcmp("GET_CERT", request->GetId()) == 0)
-		{
-			Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
-			if (sslinfo)
-				return sslinfo->OnRequest(request);
+			req.cert = session->cert;
 		}
-		return NULL;
 	}
 
-
 	void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
 	{
 		int fd = user->GetFd();
@@ -465,7 +406,6 @@ class ModuleSSLGnuTLS : public Module
 			{
 				if (session->status != ISSL_CLOSING)
 					return 0;
-				user->SetError("Handshake Failed");
 				return -1;
 			}
 		}
@@ -522,7 +462,6 @@ class ModuleSSLGnuTLS : public Module
 			Handshake(session, user);
 			if (session->status != ISSL_CLOSING)
 				return 0;
-			user->SetError("Handshake Failed");
 			return -1;
 		}
 
@@ -540,12 +479,12 @@ class ModuleSSLGnuTLS : public Module
 			else if (ret > 0)
 			{
 				sendq = sendq.substr(ret);
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_WRITE);
+				ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 				return 0;
 			}
 			else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
 			{
-				ServerInstance->SE->ChangeEventMask(user, FD_WANT_POLL_WRITE);
+				ServerInstance->SE->ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 				return 0;
 			}
 			else if (ret == 0)
@@ -585,11 +524,12 @@ class ModuleSSLGnuTLS : public Module
 				{
 					// gnutls_handshake() wants to write() again.
 					session->status = ISSL_HANDSHAKING_WRITE;
-					ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_POLL_WRITE);
+					ServerInstance->SE->ChangeEventMask(user, FD_WANT_NO_READ | FD_WANT_SINGLE_WRITE);
 				}
 			}
 			else
 			{
+				user->SetError(std::string("Handshake Failed - ") + gnutls_strerror(ret));
 				CloseSession(session);
 				session->status = ISSL_CLOSING;
 			}
@@ -610,14 +550,13 @@ class ModuleSSLGnuTLS : public Module
 		}
 	}
 
-	void OnPostConnect(User* user)
+	void OnUserConnect(LocalUser* user)
 	{
-		// This occurs AFTER OnUserConnect so we can be sure the
-		// protocol module has propagated the NICK message.
-		if (user->GetIOHook() == this && (IS_LOCAL(user)))
+		if (user->eh.GetIOHook() == this)
 		{
 			if (sessions[user->GetFd()].sess)
 			{
+				SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
 				std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
 				cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
 				cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
@@ -628,23 +567,19 @@ class ModuleSSLGnuTLS : public Module
 
 	void CloseSession(issl_session* session)
 	{
-		if(session->sess)
+		if (session->sess)
 		{
 			gnutls_bye(session->sess, GNUTLS_SHUT_WR);
 			gnutls_deinit(session->sess);
 		}
-
 		session->sess = NULL;
+		session->cert = NULL;
 		session->status = ISSL_NONE;
 	}
 
-	void VerifyCertificate(issl_session* session, Extensible* user)
+	void VerifyCertificate(issl_session* session, StreamSocket* user)
 	{
-		if (!session->sess || !user)
-			return;
-
-		Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
-		if (!sslinfo)
+		if (!session->sess || !user || session->cert)
 			return;
 
 		unsigned int status;
@@ -657,6 +592,7 @@ class ModuleSSLGnuTLS : public Module
 		size_t digest_size = sizeof(digest);
 		size_t name_size = sizeof(name);
 		ssl_cert* certinfo = new ssl_cert;
+		session->cert = certinfo;
 
 		/* This verification function uses the trusted CAs in the credentials
 		 * structure. So you must have installed one or more CA certificates.
@@ -666,7 +602,7 @@ class ModuleSSLGnuTLS : public Module
 		if (ret < 0)
 		{
 			certinfo->error = std::string(gnutls_strerror(ret));
-			goto info_done;
+			return;
 		}
 
 		certinfo->invalid = (status & GNUTLS_CERT_INVALID);
@@ -681,14 +617,14 @@ class ModuleSSLGnuTLS : public Module
 		if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
 		{
 			certinfo->error = "No X509 keys sent";
-			goto info_done;
+			return;
 		}
 
 		ret = gnutls_x509_crt_init(&cert);
 		if (ret < 0)
 		{
 			certinfo->error = gnutls_strerror(ret);
-			goto info_done;
+			return;
 		}
 
 		cert_list_size = 0;
@@ -734,11 +670,9 @@ class ModuleSSLGnuTLS : public Module
 
 info_done_dealloc:
 		gnutls_x509_crt_deinit(cert);
-info_done:
-		BufferedSocketFingerprintSubmission(user, this, sslinfo, certinfo).Send();
 	}
 
-	void OnEvent(Event* ev)
+	void OnEvent(Event& ev)
 	{
 		capHandler.HandleEvent(ev);
 	}