X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=59397e000613b49860d68ff41619eb3d225b1bba;hb=4e6997fddf8eba872584830e0d56c8de83b76aab;hp=93fdcc8a14daa3615d8f565e53f34c1424e76e93;hpb=73b5d276db1903256c7432e333b4db8d01d58d05;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 93fdcc8a1..59397e000 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -12,17 +12,8 @@ */ #include "inspircd.h" - #include #include - -#include "inspircd_config.h" -#include "configreader.h" -#include "users.h" -#include "channels.h" -#include "modules.h" -#include "socket.h" -#include "hashcomp.h" #include "transport.h" #include "m_cap.h" @@ -55,6 +46,11 @@ bool isin(const std::string &host, int port, const std::vector &por class issl_session : public classbase { public: + issl_session() + { + sess = NULL; + } + gnutls_session_t sess; issl_status status; std::string outbuf; @@ -75,20 +71,24 @@ class CommandStartTLS : public Command CmdResult Handle (const std::vector ¶meters, User *user) { - if (user->registered == REG_ALL) + /* changed from == REG_ALL to catch clients sending STARTTLS + * after NICK and USER but before OnUserConnect completes and + * give a proper error message (see bug #645) - dz + */ + if (user->registered != REG_NONE) { - ServerInstance->Users->QuitUser(user, "STARTTLS not allowed after client registration"); + ServerInstance->Users->QuitUser(user, "STARTTLS is not permitted after client registration has started"); } else { - if (!user->io) + if (!user->GetIOHook()) { user->WriteNumeric(670, "%s :STARTTLS successful, go ahead with TLS handshake", user->nick.c_str()); - user->io = Caller; + user->AddIOHook(Caller); Caller->OnRawSocketAccept(user->GetFd(), user->GetIPString(), user->GetPort()); } else - user->WriteNumeric(671, "%s :STARTTLS failure", user->nick.c_str()); + user->WriteNumeric(691, "%s :STARTTLS failure", user->nick.c_str()); } return CMD_FAILURE; @@ -266,7 +266,7 @@ class ModuleSSLGnuTLS : public Module if((ret = gnutls_certificate_set_x509_key_file (x509_cred, certfile.c_str(), keyfile.c_str(), GNUTLS_X509_FMT_PEM)) < 0) { // If this fails, no SSL port will work. At all. So, do the smart thing - throw a ModuleException - throw ModuleException("Unable to load GnuTLS server certificate: " + std::string(gnutls_strerror(ret))); + throw ModuleException("Unable to load GnuTLS server certificate (" + std::string(certfile) + ", key: " + keyfile + "): " + std::string(gnutls_strerror(ret))); } // This may be on a large (once a day or week) timer eventually. @@ -303,12 +303,12 @@ class ModuleSSLGnuTLS : public Module { User* user = (User*)item; - if (user->io == this) + if (user->GetIOHook() == this) { // User is using SSL, they're a local user, and they're using one of *our* SSL ports. // Potentially there could be multiple SSL modules loaded at once on different ports. ServerInstance->Users->QuitUser(user, "SSL module unloading"); - user->io = NULL; + user->DelIOHook(); } if (user->GetExt("ssl_cert", dummy)) { @@ -346,10 +346,10 @@ class ModuleSSLGnuTLS : public Module virtual void OnHookUserIO(User* user, const std::string &targetip) { - if (!user->io && isin(targetip,user->GetPort(),listenports)) + if (!user->GetIOHook() && isin(targetip,user->GetPort(),listenports)) { /* Hook the user with our module */ - user->io = this; + user->AddIOHook(this); } } @@ -538,6 +538,9 @@ class ModuleSSLGnuTLS : public Module } else { + ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT, + "m_ssl_gnutls.so: Error while reading on fd %d: %s", + session->fd, gnutls_strerror(ret)); readresult = 0; CloseSession(session); } @@ -618,6 +621,9 @@ class ModuleSSLGnuTLS : public Module { if(ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED) { + ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT, + "m_ssl_gnutls.so: Error while writing to fd %d: %s", + session->fd, gnutls_strerror(ret)); CloseSession(session); } else @@ -646,7 +652,7 @@ class ModuleSSLGnuTLS : public Module return; // Bugfix, only send this numeric for *our* SSL users - if (dest->GetExt("ssl", dummy) || ((IS_LOCAL(dest) && (dest->io == this)))) + if (dest->GetExt("ssl", dummy) || ((IS_LOCAL(dest) && (dest->GetIOHook() == this)))) { ServerInstance->SendWhoisLine(source, dest, 320, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str()); } @@ -706,6 +712,9 @@ class ModuleSSLGnuTLS : public Module else { // Handshake failed. + ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT, + "m_ssl_gnutls.so: Handshake failed on fd %d: %s", + session->fd, gnutls_strerror(ret)); CloseSession(session); session->status = ISSL_CLOSING; } @@ -907,7 +916,7 @@ class ModuleSSLGnuTLS : public Module /* Beware here we do not check for errors. */ - if ((gnutls_x509_crt_get_expiration_time(cert) < time(0)) || (gnutls_x509_crt_get_activation_time(cert) > time(0))) + if ((gnutls_x509_crt_get_expiration_time(cert) < ServerInstance->Time()) || (gnutls_x509_crt_get_activation_time(cert) > ServerInstance->Time())) { certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate")); } @@ -920,20 +929,6 @@ class ModuleSSLGnuTLS : public Module void OnEvent(Event* ev) { GenericCapHandler(ev, "tls", "tls"); - if (ev->GetEventID() == "cap_req") - { - /* GenericCapHandler() Extends("tls") a user if it does - * CAP REQ tls. Check if this was done. - */ - CapData *data = (CapData *) ev->GetData(); - if (data->user->Shrink("tls")) - { - /* Not in our spec?!?! */ - data->user->io = this; - OnRawSocketAccept(data->user->GetFd(), data->user->GetIPString(), - data->user->GetPort()); - } - } } void Prioritize()