X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=59397e000613b49860d68ff41619eb3d225b1bba;hb=4e6997fddf8eba872584830e0d56c8de83b76aab;hp=ebf46d59592b7d75702baf8256f85535a2cc9b46;hpb=398e82a1142e8d361b206b4a2b15e3f6325a51b2;p=user%2Fhenk%2Fcode%2Finspircd.git
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index ebf46d595..59397e000 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -12,17 +12,8 @@ */ #include "inspircd.h" - #include #include - -#include "inspircd_config.h" -#include "configreader.h" -#include "users.h" -#include "channels.h" -#include "modules.h" -#include "socket.h" -#include "hashcomp.h" #include "transport.h" #include "m_cap.h"
@@ -80,9 +71,13 @@ class CommandStartTLS : public Command
 CmdResult Handle (const std::vector ¶meters, User *user)
 {
- if (user->registered == REG_ALL)
+ /* changed from == REG_ALL to catch clients sending STARTTLS
+ * after NICK and USER but before OnUserConnect completes and
+ * give a proper error message (see bug #645) - dz
+ */
+ if (user->registered != REG_NONE)
 {
- ServerInstance->Users->QuitUser(user, "STARTTLS not allowed after client registration");
+ ServerInstance->Users->QuitUser(user, "STARTTLS is not permitted after client registration has started");
 }
 else
 {
@@ -93,7 +88,7 @@ class CommandStartTLS : public Command
 Caller->OnRawSocketAccept(user->GetFd(), user->GetIPString(), user->GetPort());
 }
 else
- user->WriteNumeric(671, "%s :STARTTLS failure", user->nick.c_str());
+ user->WriteNumeric(691, "%s :STARTTLS failure", user->nick.c_str());
 }
 return CMD_FAILURE;
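Review bot: The new guard `if (user->registered != REG_NONE)` is stricter than the comment above it says: assuming the registered field moves off REG_NONE as soon as either NICK or USER alone has been seen (as its name suggests), STARTTLS is now refused after a lone NICK or USER, not only "after NICK and USER". That stricter cut-off is the safer one, since once any registration traffic has been sent in the clear the connection should not be upgraded mid-registration, so the comment should describe it rather than the narrower case: `/* reject STARTTLS once any registration command (NICK or USER) has been seen, so a session that began in the clear is never upgraded mid-registration (bug #645) */`. Handle()'s if/else chain continues past the end of this hunk.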
@@ -271,7 +266,7 @@ class ModuleSSLGnuTLS : public Module
 if((ret = gnutls_certificate_set_x509_key_file (x509_cred, certfile.c_str(), keyfile.c_str(), GNUTLS_X509_FMT_PEM)) < 0)
 {
 // If this fails, no SSL port will work. At all. So, do the smart thing - throw a ModuleException
- throw ModuleException("Unable to load GnuTLS server certificate: " + std::string(gnutls_strerror(ret)));
+ throw ModuleException("Unable to load GnuTLS server certificate (" + std::string(certfile) + ", key: " + keyfile + "): " + std::string(gnutls_strerror(ret)));
 }
 // This may be on a large (once a day or week) timer eventually.
@@ -543,6 +538,9 @@ class ModuleSSLGnuTLS : public Module
 }
 else
 {
+ ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT,
+ "m_ssl_gnutls.so: Error while reading on fd %d: %s",
+ session->fd, gnutls_strerror(ret));
 readresult = 0;
 CloseSession(session);
 }
@@ -623,6 +621,9 @@ class ModuleSSLGnuTLS : public Module
 {
 if(ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED)
 {
+ ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT,
+ "m_ssl_gnutls.so: Error while writing to fd %d: %s",
+ session->fd, gnutls_strerror(ret));
 CloseSession(session);
 }
 else
@@ -711,6 +712,9 @@ class ModuleSSLGnuTLS : public Module
 else
 {
 // Handshake failed.
+ ServerInstance->Logs->Log("m_ssl_gnutls", DEFAULT,
+ "m_ssl_gnutls.so: Handshake failed on fd %d: %s",
+ session->fd, gnutls_strerror(ret));
 CloseSession(session);
 session->status = ISSL_CLOSING;
 }
@@ -912,7 +916,7 @@ class ModuleSSLGnuTLS : public Module
 /* Beware here we do not check for errors. */
- if ((gnutls_x509_crt_get_expiration_time(cert) < time(0)) || (gnutls_x509_crt_get_activation_time(cert) > time(0)))
+ if ((gnutls_x509_crt_get_expiration_time(cert) < ServerInstance->Time()) || (gnutls_x509_crt_get_activation_time(cert) > ServerInstance->Time()))
 {
 certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate"));
 }
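Review bot: `std::string(certfile)` on the new throw line is a needless copy: the `certfile.c_str()` call two lines above shows it is already a std::string, so `"Unable to load GnuTLS server certificate (" + certfile + ", key: " + keyfile + "): " + std::string(gnutls_strerror(ret))` builds the same message without the temporary. Keeping the gnutls_strerror() text last, as the line does, is right, since it is the part an operator needs first. The enclosing method starts before this hunk.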
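Review bot: All three new Log() calls (this hunk and the ones at -623 and -711) write at DEFAULT level on conditions that any unauthenticated remote peer can cause on its own connection — a read or write error, or a failed handshake — so a port scanner or a broken client can fill the main log at will. Consider DEBUG for these, at least for the handshake failure at -711, and reserve DEFAULT for conditions that point at server-side trouble such as the certificate load failure earlier in this file. The `"m_ssl_gnutls.so: "` prefix inside each format string also repeats the `"m_ssl_gnutls"` source already passed as the first argument. The condition that selects this else branch lies outside the hunk, so I cannot tell whether GNUTLS_E_AGAIN is excluded here the way the write path at -623 excludes it; if it is not, a would-block return would now be logged as an error before the session is closed.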
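Review bot: The comment `/* Beware here we do not check for errors. */` should say what the unchecked case does, because the new comparison keeps that behaviour: gnutls_x509_crt_get_expiration_time() returns (time_t)-1 on failure, which on the usual signed time_t is always `< ServerInstance->Time()`, so a certificate whose validity fields cannot be read is reported as "Not activated, or expired certificate". That is fail-closed and the right outcome, but it deserves to be stated, e.g. `/* No error checks: get_expiration_time() returns (time_t)-1 on failure, which compares as expired, so an unreadable validity period is reported as an error (fail closed). */`. If ServerInstance->Time() is a per-iteration cached clock, it may lag real time by one event-loop tick; that is immaterial for an expiry check, and it avoids two system calls that the old time(0) pair made.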