X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=include%2Fmodules%2Fssl.h;h=930cb6dc605a73373bc2ea52561e5a953671c4f3;hb=35b70631f0532a5828b04a8e0c02092a285f331a;hp=0f58e0b7bfce4bf43d6c3357b052e6e900ae420c;hpb=6fe1f4e1136f2ab95a88e68af1894bf6002d03f4;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/include/modules/ssl.h b/include/modules/ssl.h index 0f58e0b7b..930cb6dc6 100644 --- a/include/modules/ssl.h +++ b/include/modules/ssl.h @@ -112,9 +112,21 @@ class ssl_cert : public refcountbase return revoked; } + /** Get certificate usability + * @return True if the certificate is not expired nor revoked + */ + bool IsUsable() + { + return !invalid && !revoked && error.empty(); + } + + /** Get CA trust status + * @return True if the certificate is issued by a CA + * and valid. + */ bool IsCAVerified() { - return trusted && !invalid && !revoked && !unknownsigner && error.empty(); + return IsUsable() && trusted && !unknownsigner; } std::string GetMetaLine() @@ -138,7 +150,40 @@ class SSLIOHook : public IOHook */ reference certificate; + /** Reduce elements in a send queue by appending later elements to the first element until there are no more + * elements to append or a desired length is reached + * @param sendq SendQ to work on + * @param targetsize Target size of the front element + */ + static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize) + { + if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize)) + return; + + // Avoid multiple repeated SSL encryption invocations + // This adds a single copy of the queue, but avoids + // much more overhead in terms of system calls invoked + // by an IOHook. + std::string tmp; + tmp.reserve(std::min(targetsize, sendq.bytes())+1); + do + { + tmp.append(sendq.front()); + sendq.pop_front(); + } + while (!sendq.empty() && tmp.length() < targetsize); + sendq.push_front(tmp); + } + public: + static SSLIOHook* IsSSL(StreamSocket* sock) + { + IOHook* const iohook = sock->GetIOHook(); + if ((iohook) && ((iohook->prov->type == IOHookProvider::IOH_SSL))) + return static_cast(iohook); + return NULL; + } + SSLIOHook(IOHookProvider* hookprov) : IOHook(hookprov) { @@ -150,7 +195,9 @@ class SSLIOHook : public IOHook */ ssl_cert* GetCertificate() const { - return certificate; + if (certificate && certificate->IsUsable()) + return certificate; + return NULL; } /** @@ -165,6 +212,19 @@ class SSLIOHook : public IOHook return cert->GetFingerprint(); return ""; } + + /** + * Get the ciphersuite negotiated with the peer + * @param out String where the ciphersuite string will be appended to + */ + virtual void GetCiphersuite(std::string& out) const = 0; + + + /** Retrieves the name of the SSL connection which is sent via SNI. + * @param out String that the server name will be appended to. + * returns True if the server name was retrieved; otherwise, false. + */ + virtual bool GetServerName(std::string& out) const = 0; }; /** Helper functions for obtaining SSL client certificates and key fingerprints @@ -180,11 +240,10 @@ class SSLClientCert */ static ssl_cert* GetCertificate(StreamSocket* sock) { - IOHook* iohook = sock->GetIOHook(); - if ((!iohook) || (iohook->prov->type != IOHookProvider::IOH_SSL)) + SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock); + if (!ssliohook) return NULL; - SSLIOHook* ssliohook = static_cast(iohook); return ssliohook->GetCertificate(); }