X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=a8a35fa78ee45bdcd4fd0abd9b608fb630cb62c7;hb=ac7defcd3e52695dcf5e5150e9fe3e1624205e64;hp=7d8e9581e35c880dc667367781afedd1285129d7;hpb=388e4ff40931dda5870ddef149e54bdcc6c5a711;p=user%2Fhenk%2Fcode%2Finspircd.git
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 7d8e9581e..a8a35fa78 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -28,7 +28,7 @@
 #include "ssl.h"
 #include "m_cap.h"
-#ifdef WINDOWS
+#ifdef _WIN32
 # pragma comment(lib, "libgnutls.lib")
 # pragma comment(lib, "libgcrypt.lib")
 # pragma comment(lib, "libgpg-error.lib")
@@ -40,17 +40,31 @@
 #endif
 /* $ModDesc: Provides SSL support for clients */
-/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") -Wno-deprecated-declarations */
-/* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") -lgcrypt */
+/* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") exec("libgcrypt-config --cflags") */
+/* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") exec("libgcrypt-config --libs") */
+/* $NoPedantic */
+
+// These don't exist in older GnuTLS versions
+#if(GNUTLS_VERSION_MAJOR < 2)
+typedef gnutls_certificate_credentials_t gnutls_certificate_credentials;
+typedef gnutls_dh_params_t gnutls_dh_params;
+#endif
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
 static std::vector x509_certs;
 static gnutls_x509_privkey_t x509_key;
+#if(GNUTLS_VERSION_MAJOR < 2 || ( GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 12 ) )
 static int cert_callback (gnutls_session_t session, const gnutls_datum_t * req_ca_rdn, int nreqs,
 const gnutls_pk_algorithm_t * sign_algos, int sign_algos_length, gnutls_retr_st * st) {
 st->type = GNUTLS_CRT_X509;
+#else
+static int cert_callback (gnutls_session_t session, const gnutls_datum_t * req_ca_rdn, int nreqs,
+ const gnutls_pk_algorithm_t * sign_algos, int sign_algos_length, gnutls_retr2_st * st) {
+ st->cert_type = GNUTLS_CRT_X509;
+ st->key_type = GNUTLS_PRIVKEY_X509;
+#endif
 st->ncerts = x509_certs.size();
 st->cert.x509 = &x509_certs[0];
 st->key.x509 = x509_key;
@@ -159,8 +173,8 @@ class ModuleSSLGnuTLS : public Module
 {
 issl_session* sessions;
- gnutls_certificate_credentials x509_cred;
- gnutls_dh_params dh_params;
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_dh_params_t dh_params;
 gnutls_digest_algorithm_t hash;
 gnutls_priority_t priority;
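Review bot: The compatibility typedefs under `#if(GNUTLS_VERSION_MAJOR < 2)` alias the un-suffixed names to the `_t` names, yet the rest of the commit moves the class members to the `_t` spellings (`gnutls_certificate_credentials_t x509_cred;`), so on a header that genuinely lacks one of the two forms the alias appears to run the wrong way; if pre-2.0 headers are the ones missing `_t`, the lines should read `typedef gnutls_certificate_credentials gnutls_certificate_credentials_t;` and `typedef gnutls_dh_params gnutls_dh_params_t;`, and the comment should say which spelling is absent. In the new `gnutls_retr2_st` branch the callback fills `cert_type`, `key_type`, `ncerts`, `cert.x509` and `key.x509` but never sets `deinit_all`; GnuTLS appears to zero the struct before invoking the callback, but an explicit `st->deinit_all = 0;` documents that the module keeps ownership of the static `x509_certs` and `x509_key` and rules out GnuTLS freeing them if that assumption ever changes. The body of `cert_callback` continues outside the hunk.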
@@ -180,6 +194,8 @@ class ModuleSSLGnuTLS : public Module
 ModuleSSLGnuTLS() : starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
 {
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
 sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
 gnutls_global_init(); // This must be called once in the program
@@ -261,10 +277,10 @@ class ModuleSSLGnuTLS : public Module
 ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
- cafile = Conf->getString("cafile", "conf/ca.pem");
- crlfile = Conf->getString("crlfile", "conf/crl.pem");
- certfile = Conf->getString("certfile", "conf/cert.pem");
- keyfile = Conf->getString("keyfile", "conf/key.pem");
+ cafile = Conf->getString("cafile", CONFIG_PATH "/ca.pem");
+ crlfile = Conf->getString("crlfile", CONFIG_PATH "/crl.pem");
+ certfile = Conf->getString("certfile", CONFIG_PATH "/cert.pem");
+ keyfile = Conf->getString("keyfile", CONFIG_PATH "/key.pem");
 dh_bits = Conf->getInt("dhbits");
 std::string hashname = Conf->getString("hash", "md5");
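Review bot: `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);` is added to the constructor with no comment, and libgcrypt documents INITIALIZATION_FINISHED as the final step of its initialisation sequence, normally after `gcry_check_version()` and an explicit secure-memory decision, yet here it runs before `gnutls_global_init()`. If the aim is only to stop GnuTLS builds that sit on libgcrypt from complaining that the library was never initialised, the line deserves a comment saying so, e.g. `// Mark libgcrypt as initialised before gnutls_global_init() so libgcrypt-backed GnuTLS builds do not warn`. On GnuTLS builds that use another crypto backend the call presumably has no effect, which the same comment could note. The constructor continues outside the hunk.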
@@ -319,19 +335,30 @@ class ModuleSSLGnuTLS : public Module
 reader.LoadFile(certfile);
 std::string cert_string = reader.Contents();
- gnutls_datum_t cert_datum = { (unsigned char*)cert_string.data(), cert_string.length() };
+ gnutls_datum_t cert_datum = { (unsigned char*)cert_string.data(), static_cast(cert_string.length()) };
 reader.LoadFile(keyfile);
 std::string key_string = reader.Contents();
- gnutls_datum_t key_datum = { (unsigned char*)key_string.data(), key_string.length() };
+ gnutls_datum_t key_datum = { (unsigned char*)key_string.data(), static_cast(key_string.length()) };
 // If this fails, no SSL port will work. At all. So, do the smart thing - throw a ModuleException
- unsigned int certcount = Conf->getInt("certcount", 3);
+ unsigned int certcount = 3;
 x509_certs.resize(certcount);
 ret = gnutls_x509_crt_list_import(&x509_certs[0], &certcount, &cert_datum, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
- if (ret < 0)
- throw ModuleException("Unable to load GnuTLS server certificate (" + certfile + "): " + std::string(gnutls_strerror(ret)));
- x509_certs.resize(certcount);
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ // the buffer wasn't big enough to hold all certs but gnutls updated certcount to the number of available certs, try again with a bigger buffer
+ x509_certs.resize(certcount);
+ ret = gnutls_x509_crt_list_import(&x509_certs[0], &certcount, &cert_datum, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+ }
+
+ if (ret <= 0)
+ {
+ // clear the vector so we won't call gnutls_x509_crt_deinit() on the (uninited) certs later
+ x509_certs.clear();
+ throw ModuleException("Unable to load GnuTLS server certificate (" + certfile + "): " + ((ret < 0) ?
(std::string(gnutls_strerror(ret))) : "No certs could be read"));
+ }
+ x509_certs.resize(ret);
 if((ret = gnutls_x509_privkey_import(x509_key, &key_datum, GNUTLS_X509_FMT_PEM)) < 0)
 throw ModuleException("Unable to load GnuTLS server private key (" + keyfile + "): " + std::string(gnutls_strerror(ret)));
@@ -350,12 +377,15 @@ class ModuleSSLGnuTLS : public Module
 if ((ret = gnutls_priority_init(&priority, priocstr, &prioerror)) < 0)
 {
 // gnutls did not understand the user supplied string, log and fall back to the default priorities
- ServerInstance->Logs->Log("m_ssl_gnutls",DEFAULT, "m_ssl_gnutls.so: Failed to set priorities to \"%s\": %s Syntax error at position %d, falling back to default (NORMAL)", priorities.c_str(), gnutls_strerror(ret), (prioerror - priocstr));
+ ServerInstance->Logs->Log("m_ssl_gnutls",DEFAULT, "m_ssl_gnutls.so: Failed to set priorities to \"%s\": %s Syntax error at position %u, falling back to default (NORMAL)", priorities.c_str(), gnutls_strerror(ret), (unsigned int) (prioerror - priocstr));
 gnutls_priority_init(&priority, "NORMAL", NULL);
 }
+ #if(GNUTLS_VERSION_MAJOR < 2 || ( GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 12 ) )
 gnutls_certificate_client_set_retrieve_function (x509_cred, cert_callback);
-
+ #else
+ gnutls_certificate_set_retrieve_function (x509_cred, cert_callback);
+ #endif
 ret = gnutls_dh_params_init(&dh_params);
 dh_alloc = (ret >= 0);
 if (!dh_alloc)
@@ -530,7 +560,7 @@ class ModuleSSLGnuTLS : public Module
 }
 else if (ret == 0)
 {
- user->SetError("SSL Connection closed");
+ user->SetError("Connection closed");
 CloseSession(session);
 return -1;
 }
@@ -625,7 +655,7 @@ class ModuleSSLGnuTLS : public Module
 }
 else
 {
- user->SetError(std::string("Handshake Failed - ") + gnutls_strerror(ret));
+ user->SetError("Handshake Failed - " + std::string(gnutls_strerror(ret)));
 CloseSession(session);
 session->status = ISSL_CLOSING;
 }
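Review bot: The retry on `GNUTLS_E_SHORT_MEMORY_BUFFER` assumes GnuTLS has already released the certificates it imported into the first, too-small buffer before the second `gnutls_x509_crt_list_import` overwrites those slots; that appears to be GnuTLS's behaviour with `GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED`, but the retry comment should state it so that a later change to the flags does not turn the retry into a leak, e.g. `// GnuTLS deinits the partially imported certs on this error, so the slots can safely be reused`. Replacing `Conf->getInt("certcount", 3)` with a fixed `3` also means an existing `certcount` setting is now silently ignored; a one-line note in the module's configuration documentation would avoid confusion. The enclosing function continues outside the hunk.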
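Review bot: The new log line casts the pointer difference with a C-style `(unsigned int) (prioerror - priocstr)` while the same commit uses `static_cast<unsigned int>` for the datum lengths a few hunks earlier; `static_cast<unsigned int>(prioerror - priocstr)` keeps the file consistent and greppable. The version test guarding `gnutls_certificate_set_retrieve_function` repeats the expression already used around the `cert_callback` definition, so evaluating it once into a single macro next to the compatibility typedefs would keep the two sites from drifting apart. If an older header does not define `GNUTLS_VERSION_MAJOR` at all, both tests silently take the legacy branch because an undefined macro evaluates to 0 in `#if`; that seems to be the intended outcome, but a short comment would make it deliberate rather than accidental. The enclosing function continues outside the hunk.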