X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=include%2Fmodules%2Fssl.h;h=6fc2379ff42c00bf13461af81340f95832741719;hb=714284aa306f2912eaca0c28d779d227db62a96b;hp=0f58e0b7bfce4bf43d6c3357b052e6e900ae420c;hpb=99f79a4e5c3abbe91a03216824e7659051872054;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/include/modules/ssl.h b/include/modules/ssl.h index 0f58e0b7b..6fc2379ff 100644 --- a/include/modules/ssl.h +++ b/include/modules/ssl.h @@ -112,9 +112,21 @@ class ssl_cert : public refcountbase return revoked; } + /** Get certificate usability + * @return True if the certificate is not expired nor revoked + */ + bool IsUsable() + { + return !invalid && !revoked && error.empty(); + } + + /** Get CA trust status + * @return True if the certificate is issued by a CA + * and valid. + */ bool IsCAVerified() { - return trusted && !invalid && !revoked && !unknownsigner && error.empty(); + return IsUsable() && trusted && !unknownsigner; } std::string GetMetaLine() @@ -138,7 +150,40 @@ class SSLIOHook : public IOHook */ reference certificate; + /** Reduce elements in a send queue by appending later elements to the first element until there are no more + * elements to append or a desired length is reached + * @param sendq SendQ to work on + * @param targetsize Target size of the front element + */ + static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize) + { + if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize)) + return; + + // Avoid multiple repeated SSL encryption invocations + // This adds a single copy of the queue, but avoids + // much more overhead in terms of system calls invoked + // by an IOHook. + std::string tmp; + tmp.reserve(std::min(targetsize, sendq.bytes())+1); + do + { + tmp.append(sendq.front()); + sendq.pop_front(); + } + while (!sendq.empty() && tmp.length() < targetsize); + sendq.push_front(tmp); + } + public: + static SSLIOHook* IsSSL(StreamSocket* sock) + { + IOHook* const iohook = sock->GetIOHook(); + if ((iohook) && ((iohook->prov->type == IOHookProvider::IOH_SSL))) + return static_cast(iohook); + return NULL; + } + SSLIOHook(IOHookProvider* hookprov) : IOHook(hookprov) { @@ -148,7 +193,7 @@ class SSLIOHook : public IOHook * Get the certificate sent by this peer * @return The SSL certificate sent by the peer, NULL if no cert was sent */ - ssl_cert* GetCertificate() const + virtual ssl_cert* GetCertificate() const { return certificate; } @@ -158,13 +203,26 @@ class SSLIOHook : public IOHook * @return The fingerprint of the SSL client certificate sent by the peer, * empty if no cert was sent */ - std::string GetFingerprint() const + virtual std::string GetFingerprint() const { ssl_cert* cert = GetCertificate(); - if (cert) + if (cert && cert->IsUsable()) return cert->GetFingerprint(); return ""; } + + /** + * Get the ciphersuite negotiated with the peer + * @param out String where the ciphersuite string will be appended to + */ + virtual void GetCiphersuite(std::string& out) const = 0; + + + /** Retrieves the name of the SSL connection which is sent via SNI. + * @param out String that the server name will be appended to. + * returns True if the server name was retrieved; otherwise, false. + */ + virtual bool GetServerName(std::string& out) const = 0; }; /** Helper functions for obtaining SSL client certificates and key fingerprints @@ -180,11 +238,10 @@ class SSLClientCert */ static ssl_cert* GetCertificate(StreamSocket* sock) { - IOHook* iohook = sock->GetIOHook(); - if ((!iohook) || (iohook->prov->type != IOHookProvider::IOH_SSL)) + SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock); + if (!ssliohook) return NULL; - SSLIOHook* ssliohook = static_cast(iohook); return ssliohook->GetCertificate(); } @@ -218,6 +275,12 @@ class UserCertificateAPIBase : public DataProvider */ virtual ssl_cert* GetCertificate(User* user) = 0; + /** Set the SSL certificate of a user. + * @param user The user whose certificate to set. + * @param cert The SSL certificate to set for the user. + */ + virtual void SetCertificate(User* user, ssl_cert* cert) = 0; + /** Get the key fingerprint from a user's certificate * @param user The user whose key fingerprint to get, user may be remote * @return The key fingerprint from the user's SSL certificate or an empty string