X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=include%2Fmodules%2Fssl.h;h=c9229cf9d0a7593365a8458ae008a58e99c287fb;hb=635cb9d65f6d7f6758ae8ed874da00c8d94b6e39;hp=0f58e0b7bfce4bf43d6c3357b052e6e900ae420c;hpb=8f5efbc7aa33b792e02d01e3288f553e6e98ccaa;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/include/modules/ssl.h b/include/modules/ssl.h
index 0f58e0b7b..c9229cf9d 100644
--- a/include/modules/ssl.h
+++ b/include/modules/ssl.h
@@ -1,8 +1,16 @@
 /*
  * InspIRCd -- Internet Relay Chat Daemon
  *
- *   Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
- *   Copyright (C) 2006 Craig Edwards <craigedwards@brainbox.cc>
+ *   Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
+ *   Copyright (C) 2019 B00mX0r <b00mx0r@aureus.pw>
+ *   Copyright (C) 2018 Dylan Frank <b00mx0r@aureus.pw>
+ *   Copyright (C) 2013, 2017-2019 Sadie Powell <sadie@witchery.services>
+ *   Copyright (C) 2013, 2015-2016 Attila Molnar <attilamolnar@hush.com>
+ *   Copyright (C) 2012 Robby <robby@chatbelgie.be>
+ *   Copyright (C) 2012 ChrisTX <xpipe@hotmail.de>
+ *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
+ *   Copyright (C) 2006 Craig Edwards <brain@inspircd.org>
  *
  * This file is part of InspIRCd.  InspIRCd is free software: you can
  * redistribute it and/or modify it under the terms of the GNU General Public
@@ -23,7 +31,7 @@
 #include <string>
 #include "iohook.h"
 
-/** ssl_cert is a class which abstracts SSL certificate
+/** ssl_cert is a class which abstracts TLS (SSL) certificate
  * and key information.
  *
  * Because gnutls and openssl represent key information in
@@ -58,7 +66,7 @@ class ssl_cert : public refcountbase
 		return issuer;
 	}
 
-	/** Get error string if an error has occured
+	/** Get error string if an error has occurred
 	 * @return The error associated with this users certificate,
 	 * or an empty string if there is no error.
 	 */
@@ -112,9 +120,21 @@ class ssl_cert : public refcountbase
 		return revoked;
 	}
 
+	/** Get certificate usability
+	* @return True if the certificate is not expired nor revoked
+	*/
+	bool IsUsable()
+	{
+		return !invalid && !revoked && error.empty();
+	}
+
+	/** Get CA trust status
+	* @return True if the certificate is issued by a CA
+	* and valid.
+	*/
 	bool IsCAVerified()
 	{
-		return trusted && !invalid && !revoked && !unknownsigner && error.empty();
+		return IsUsable() && trusted && !unknownsigner;
 	}
 
 	std::string GetMetaLine()
@@ -131,14 +151,58 @@ class ssl_cert : public refcountbase
 	}
 };
 
+/** I/O hook provider for SSL modules. */
+class SSLIOHookProvider : public IOHookProvider
+{
+public:
+	SSLIOHookProvider(Module* mod, const std::string& Name)
+		: IOHookProvider(mod, "ssl/" + Name, IOH_SSL)
+	{
+	}
+};
+
 class SSLIOHook : public IOHook
 {
  protected:
-	/** Peer SSL certificate, set by the SSL module
+	/** Peer TLS (SSL) certificate, set by the TLS (SSL) module
 	 */
 	reference<ssl_cert> certificate;
 
+	/** Reduce elements in a send queue by appending later elements to the first element until there are no more
+	 * elements to append or a desired length is reached
+	 * @param sendq SendQ to work on
+	 * @param targetsize Target size of the front element
+	 */
+	static void FlattenSendQueue(StreamSocket::SendQueue& sendq, size_t targetsize)
+	{
+		if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
+			return;
+
+		// Avoid multiple repeated TLS (SSL) encryption invocations
+		// This adds a single copy of the queue, but avoids
+		// much more overhead in terms of system calls invoked
+		// by an IOHook.
+		std::string tmp;
+		tmp.reserve(std::min(targetsize, sendq.bytes())+1);
+		do
+		{
+			tmp.append(sendq.front());
+			sendq.pop_front();
+		}
+		while (!sendq.empty() && tmp.length() < targetsize);
+		sendq.push_front(tmp);
+	}
+
  public:
+	static SSLIOHook* IsSSL(StreamSocket* sock)
+	{
+		IOHook* const lasthook = sock->GetLastHook();
+		if (lasthook && (lasthook->prov->type == IOHookProvider::IOH_SSL))
+			return static_cast<SSLIOHook*>(lasthook);
+
+		return NULL;
+	}
+
 	SSLIOHook(IOHookProvider* hookprov)
 		: IOHook(hookprov)
 	{
@@ -146,28 +210,41 @@ class SSLIOHook : public IOHook
 
 	/**
 	 * Get the certificate sent by this peer
-	 * @return The SSL certificate sent by the peer, NULL if no cert was sent
+	 * @return The TLS (SSL) certificate sent by the peer, NULL if no cert was sent
 	 */
-	ssl_cert* GetCertificate() const
+	virtual ssl_cert* GetCertificate() const
 	{
 		return certificate;
 	}
 
 	/**
 	 * Get the fingerprint of the peer's certificate
-	 * @return The fingerprint of the SSL client certificate sent by the peer,
+	 * @return The fingerprint of the TLS (SSL) client certificate sent by the peer,
 	 * empty if no cert was sent
 	 */
-	std::string GetFingerprint() const
+	virtual std::string GetFingerprint() const
 	{
 		ssl_cert* cert = GetCertificate();
-		if (cert)
+		if (cert && cert->IsUsable())
 			return cert->GetFingerprint();
 		return "";
 	}
+
+	/**
+	 * Get the ciphersuite negotiated with the peer
+	 * @param out String where the ciphersuite string will be appended to
+	 */
+	virtual void GetCiphersuite(std::string& out) const = 0;
+
+
+	/** Retrieves the name of the TLS (SSL) connection which is sent via SNI.
+	 * @param out String that the server name will be appended to.
+	 * returns True if the server name was retrieved; otherwise, false.
+	 */
+	virtual bool GetServerName(std::string& out) const = 0;
 };
 
-/** Helper functions for obtaining SSL client certificates and key fingerprints
+/** Helper functions for obtaining TLS (SSL) client certificates and key fingerprints
  * from StreamSockets
  */
 class SSLClientCert
@@ -175,25 +252,24 @@ class SSLClientCert
  public:
  	/**
 	 * Get the client certificate from a socket
-	 * @param sock The socket to get the certificate from, the socket does not have to use SSL
-	 * @return The SSL client certificate information, NULL if the peer is not using SSL
+	 * @param sock The socket to get the certificate from, the socket does not have to use TLS (SSL)
+	 * @return The TLS (SSL) client certificate information, NULL if the peer is not using TLS (SSL)
 	 */
 	static ssl_cert* GetCertificate(StreamSocket* sock)
 	{
-		IOHook* iohook = sock->GetIOHook();
-		if ((!iohook) || (iohook->prov->type != IOHookProvider::IOH_SSL))
+		SSLIOHook* ssliohook = SSLIOHook::IsSSL(sock);
+		if (!ssliohook)
 			return NULL;
 
-		SSLIOHook* ssliohook = static_cast<SSLIOHook*>(iohook);
 		return ssliohook->GetCertificate();
 	}
 
 	/**
 	 * Get the fingerprint of a client certificate from a socket
 	 * @param sock The socket to get the certificate fingerprint from, the
-	 * socket does not have to use SSL
-	 * @return The key fingerprint from the SSL certificate sent by the peer,
-	 * empty if no cert was sent or the peer is not using SSL
+	 * socket does not have to use TLS (SSL)
+	 * @return The key fingerprint from the TLS (SSL) certificate sent by the peer,
+	 * empty if no cert was sent or the peer is not using TLS (SSL)
 	 */
 	static std::string GetFingerprint(StreamSocket* sock)
 	{
@@ -212,16 +288,22 @@ class UserCertificateAPIBase : public DataProvider
 	{
 	}
 
-	/** Get the SSL certificate of a user
+	/** Get the TLS (SSL) certificate of a user
 	 * @param user The user whose certificate to get, user may be remote
-	 * @return The SSL certificate of the user or NULL if the user is not using SSL
+	 * @return The TLS (SSL) certificate of the user or NULL if the user is not using TLS (SSL)
 	 */
 	virtual ssl_cert* GetCertificate(User* user) = 0;
 
+	/** Set the TLS (SSL) certificate of a user.
+	 * @param user The user whose certificate to set.
+	 * @param cert The TLS (SSL) certificate to set for the user.
+	 */
+	virtual void SetCertificate(User* user, ssl_cert* cert) = 0;
+
 	/** Get the key fingerprint from a user's certificate
 	 * @param user The user whose key fingerprint to get, user may be remote
-	 * @return The key fingerprint from the user's SSL certificate or an empty string
-	 * if the user is not using SSL or did not provide a client certificate
+	 * @return The key fingerprint from the user's TLS (SSL) certificate or an empty string
+	 * if the user is not using TLS (SSL) or did not provide a client certificate
 	 */
 	std::string GetFingerprint(User* user)
 	{
@@ -232,9 +314,9 @@ class UserCertificateAPIBase : public DataProvider
 	}
 };
 
-/** API implemented by m_sslinfo that allows modules to retrive the SSL certificate
+/** API implemented by m_sslinfo that allows modules to retrieve the TLS (SSL) certificate
  * information of local and remote users. It can also be used to find out whether a
- * user is using SSL or not.
+ * user is using TLS (SSL) or not.
  */
 class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
 {