X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=1ebec075bd7400bebfff7c729951e6808de7e747;hb=b5965b08c23e3e89404b481386f2e56ce7cb7ce2;hp=bd22404b3ad1493bc2bd9851cb63d2452eb1fc54;hpb=a26502ff51141c3cd74c078876d3322b49a3833c;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index bd22404b3..1ebec075b 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -2,7 +2,7 @@ * | Inspire Internet Relay Chat Daemon | * +------------------------------------+ * - * InspIRCd: (C) 2002-2009 InspIRCd Development Team + * InspIRCd: (C) 2002-2010 InspIRCd Development Team * See: http://wiki.inspircd.org/Credits * * This program is free but copyrighted software; see @@ -24,9 +24,8 @@ /* $ModDesc: Provides SSL support for clients */ /* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") */ /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") */ -/* $ModDep: transport.h */ -/* $CopyInstall: conf/key.pem $(CONPATH) */ -/* $CopyInstall: conf/cert.pem $(CONPATH) */ +/* $CopyInstall: conf/key.pem $(CONPATH) -m 0400 -o $(INSTUID) */ +/* $CopyInstall: conf/cert.pem $(CONPATH) -m 0444 */ enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED }; @@ -77,13 +76,10 @@ static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t user_wrap, const void* class issl_session { public: - issl_session() - { - sess = NULL; - } - gnutls_session_t sess; issl_status status; + reference cert; + issl_session() : sess(NULL) {} }; class CommandStartTLS : public SplitCommand @@ -140,13 +136,12 @@ class ModuleSSLGnuTLS : public Module CommandStartTLS starttls; GenericCap capHandler; + ServiceProvider iohook; public: ModuleSSLGnuTLS() - : starttls(this), capHandler(this, "tls") + : starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK) { - ServerInstance->Modules->PublishInterface("BufferedSocketHook", this); - sessions = new issl_session[ServerInstance->SE->GetMaxFds()]; gnutls_global_init(); // This must be called once in the program @@ -154,6 +149,10 @@ class ModuleSSLGnuTLS : public Module gnutls_x509_privkey_init(&x509_key); cred_alloc = false; + } + + void init() + { // Needs the flag as it ignores a plain /rehash OnModuleRehash(NULL,"ssl"); @@ -163,6 +162,7 @@ class ModuleSSLGnuTLS : public Module I_OnEvent, I_OnHookIO }; ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation)); + ServerInstance->Modules->AddService(iohook); ServerInstance->AddCommand(&starttls); } @@ -286,10 +286,12 @@ class ModuleSSLGnuTLS : public Module { gnutls_x509_crt_deinit(x509_cert); gnutls_x509_privkey_deinit(x509_key); - gnutls_dh_params_deinit(dh_params); - gnutls_certificate_free_credentials(x509_cred); + if (cred_alloc) + { + gnutls_dh_params_deinit(dh_params); + gnutls_certificate_free_credentials(x509_cred); + } gnutls_global_deinit(); - ServerInstance->Modules->UnpublishInterface("BufferedSocketHook", this); delete[] sessions; } @@ -332,11 +334,15 @@ class ModuleSSLGnuTLS : public Module void OnRequest(Request& request) { - Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so"); - if (sslinfo) - sslinfo->OnRequest(request); - } + if (strcmp("GET_SSL_CERT", request.id) == 0) + { + SocketCertificateRequest& req = static_cast(request); + int fd = req.sock->GetFd(); + issl_session* session = &sessions[fd]; + req.cert = session->cert; + } + } void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) { @@ -548,10 +554,11 @@ class ModuleSSLGnuTLS : public Module void OnUserConnect(LocalUser* user) { - if (user->GetIOHook() == this) + if (user->eh.GetIOHook() == this) { if (sessions[user->GetFd()].sess) { + SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert); std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess)); cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-"); cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess))); @@ -562,23 +569,19 @@ class ModuleSSLGnuTLS : public Module void CloseSession(issl_session* session) { - if(session->sess) + if (session->sess) { gnutls_bye(session->sess, GNUTLS_SHUT_WR); gnutls_deinit(session->sess); } - session->sess = NULL; + session->cert = NULL; session->status = ISSL_NONE; } - void VerifyCertificate(issl_session* session, Extensible* user) + void VerifyCertificate(issl_session* session, StreamSocket* user) { - if (!session->sess || !user) - return; - - Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so"); - if (!sslinfo) + if (!session->sess || !user || session->cert) return; unsigned int status; @@ -591,6 +594,7 @@ class ModuleSSLGnuTLS : public Module size_t digest_size = sizeof(digest); size_t name_size = sizeof(name); ssl_cert* certinfo = new ssl_cert; + session->cert = certinfo; /* This verification function uses the trusted CAs in the credentials * structure. So you must have installed one or more CA certificates. @@ -600,7 +604,7 @@ class ModuleSSLGnuTLS : public Module if (ret < 0) { certinfo->error = std::string(gnutls_strerror(ret)); - goto info_done; + return; } certinfo->invalid = (status & GNUTLS_CERT_INVALID); @@ -615,14 +619,14 @@ class ModuleSSLGnuTLS : public Module if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509) { certinfo->error = "No X509 keys sent"; - goto info_done; + return; } ret = gnutls_x509_crt_init(&cert); if (ret < 0) { certinfo->error = gnutls_strerror(ret); - goto info_done; + return; } cert_list_size = 0; @@ -668,8 +672,6 @@ class ModuleSSLGnuTLS : public Module info_done_dealloc: gnutls_x509_crt_deinit(cert); -info_done: - SSLCertSubmission(user, this, sslinfo, certinfo); } void OnEvent(Event& ev)