X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_gnutls.cpp;h=df3709f10a6d457100bf4103701ba1d65374a809;hb=e77259697ecfc82c58ba358a1efe25f288414c7e;hp=25b47c2fe7a44cec067191c5d25c65abf181804f;hpb=d221de88276b9e33a108281a9cd0a58875032fc6;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 25b47c2fe..df3709f10 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -2,7 +2,7 @@
  *       | Inspire Internet Relay Chat Daemon |
  *       +------------------------------------+
  *
- *  InspIRCd: (C) 2002-2009 InspIRCd Development Team
+ *  InspIRCd: (C) 2002-2010 InspIRCd Development Team
  * See: http://wiki.inspircd.org/Credits
  *
  * This program is free but copyrighted software; see
@@ -24,9 +24,8 @@
 /* $ModDesc: Provides SSL support for clients */
 /* $CompileFlags: pkgconfincludes("gnutls","/gnutls/gnutls.h","") */
 /* $LinkerFlags: rpath("pkg-config --libs gnutls") pkgconflibs("gnutls","/libgnutls.so","-lgnutls") */
-/* $ModDep: transport.h */
-/* $CopyInstall: conf/key.pem $(CONPATH) */
-/* $CopyInstall: conf/cert.pem $(CONPATH) */
+/* $CopyInstall: conf/key.pem $(CONPATH) -m 0400 -o $(INSTUID) */
+/* $CopyInstall: conf/cert.pem $(CONPATH) -m 0444 */
 
 enum issl_status { ISSL_NONE, ISSL_HANDSHAKING_READ, ISSL_HANDSHAKING_WRITE, ISSL_HANDSHAKEN, ISSL_CLOSING, ISSL_CLOSED };
 
@@ -77,24 +76,21 @@ static ssize_t gnutls_push_wrapper(gnutls_transport_ptr_t user_wrap, const void*
 class issl_session
 {
 public:
-	issl_session()
-	{
-		sess = NULL;
-	}
-
 	gnutls_session_t sess;
 	issl_status status;
+	reference<ssl_cert> cert;
+	issl_session() : sess(NULL) {}
 };
 
-class CommandStartTLS : public Command
+class CommandStartTLS : public SplitCommand
 {
  public:
-	CommandStartTLS (Module* mod) : Command(mod, "STARTTLS")
+	CommandStartTLS (Module* mod) : SplitCommand(mod, "STARTTLS")
 	{
 		works_before_reg = true;
 	}
 
-	CmdResult Handle (const std::vector<std::string> &parameters, User *user)
+	CmdResult HandleLocal(const std::vector<std::string> &parameters, LocalUser *user)
 	{
 		/* changed from == REG_ALL to catch clients sending STARTTLS
 		 * after NICK and USER but before OnUserConnect completes and
@@ -106,11 +102,11 @@ class CommandStartTLS : public Command
 		}
 		else
 		{
-			if (!user->GetIOHook())
+			if (!user->eh.GetIOHook())
 			{
 				user->WriteNumeric(670, "%s :STARTTLS successful, go ahead with TLS handshake", user->nick.c_str());
-				user->AddIOHook(creator);
-				creator->OnStreamSocketAccept(user, NULL, NULL);
+				user->eh.AddIOHook(creator);
+				creator->OnStreamSocketAccept(&user->eh, NULL, NULL);
 			}
 			else
 				user->WriteNumeric(691, "%s :STARTTLS failure", user->nick.c_str());
@@ -129,6 +125,7 @@ class ModuleSSLGnuTLS : public Module
 
 	std::string keyfile;
 	std::string certfile;
+
 	std::string cafile;
 	std::string crlfile;
 	std::string sslports;
@@ -139,13 +136,12 @@ class ModuleSSLGnuTLS : public Module
 	CommandStartTLS starttls;
 
 	GenericCap capHandler;
+	ServiceProvider iohook;
  public:
 
 	ModuleSSLGnuTLS()
-		: starttls(this), capHandler(this, "tls")
+		: starttls(this), capHandler(this, "tls"), iohook(this, "ssl/gnutls", SERVICE_IOHOOK)
 	{
-		ServerInstance->Modules->PublishInterface("BufferedSocketHook", this);
-
 		sessions = new issl_session[ServerInstance->SE->GetMaxFds()];
 
 		gnutls_global_init(); // This must be called once in the program
@@ -153,22 +149,25 @@ class ModuleSSLGnuTLS : public Module
 		gnutls_x509_privkey_init(&x509_key);
 
 		cred_alloc = false;
+	}
+
+	void init()
+	{
 		// Needs the flag as it ignores a plain /rehash
 		OnModuleRehash(NULL,"ssl");
 
 		// Void return, guess we assume success
 		gnutls_certificate_set_dh_params(x509_cred, dh_params);
-		Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnPostConnect,
+		Implementation eventlist[] = { I_On005Numeric, I_OnRehash, I_OnModuleRehash, I_OnUserConnect,
 			I_OnEvent, I_OnHookIO };
 		ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 
+		ServerInstance->Modules->AddService(iohook);
 		ServerInstance->AddCommand(&starttls);
 	}
 
 	void OnRehash(User* user)
 	{
-		ConfigReader Conf;
-
 		sslports.clear();
 
 		for (size_t i = 0; i < ServerInstance->ports.size(); i++)
@@ -195,13 +194,13 @@ class ModuleSSLGnuTLS : public Module
 
 		OnRehash(user);
 
-		ConfigReader Conf;
+		ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
 
-		cafile = Conf.ReadValue("gnutls", "cafile", 0);
-		crlfile	= Conf.ReadValue("gnutls", "crlfile", 0);
-		certfile = Conf.ReadValue("gnutls", "certfile", 0);
-		keyfile	= Conf.ReadValue("gnutls", "keyfile", 0);
-		dh_bits	= Conf.ReadInteger("gnutls", "dhbits", 0, false);
+		cafile = Conf->getString("cafile");
+		crlfile	= Conf->getString("crlfile");
+		certfile = Conf->getString("certfile");
+		keyfile	= Conf->getString("keyfile");
+		dh_bits	= Conf->getInt("dhbits");
 
 		// Set all the default values needed.
 		if (cafile.empty())
@@ -285,10 +284,12 @@ class ModuleSSLGnuTLS : public Module
 	{
 		gnutls_x509_crt_deinit(x509_cert);
 		gnutls_x509_privkey_deinit(x509_key);
-		gnutls_dh_params_deinit(dh_params);
-		gnutls_certificate_free_credentials(x509_cred);
+		if (cred_alloc)
+		{
+			gnutls_dh_params_deinit(dh_params);
+			gnutls_certificate_free_credentials(x509_cred);
+		}
 		gnutls_global_deinit();
-		ServerInstance->Modules->UnpublishInterface("BufferedSocketHook", this);
 		delete[] sessions;
 	}
 
@@ -296,14 +297,13 @@ class ModuleSSLGnuTLS : public Module
 	{
 		if(target_type == TYPE_USER)
 		{
-			User* user = static_cast<User*>(item);
+			LocalUser* user = IS_LOCAL(static_cast<User*>(item));
 
-			if (user->GetIOHook() == this)
+			if (user && user->eh.GetIOHook() == this)
 			{
 				// User is using SSL, they're a local user, and they're using one of *our* SSL ports.
 				// Potentially there could be multiple SSL modules loaded at once on different ports.
 				ServerInstance->Users->QuitUser(user, "SSL module unloading");
-				user->DelIOHook();
 			}
 		}
 	}
@@ -332,11 +332,15 @@ class ModuleSSLGnuTLS : public Module
 
 	void OnRequest(Request& request)
 	{
-		Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
-		if (sslinfo)
-			sslinfo->OnRequest(request);
-	}
+		if (strcmp("GET_SSL_CERT", request.id) == 0)
+		{
+			SocketCertificateRequest& req = static_cast<SocketCertificateRequest&>(request);
+			int fd = req.sock->GetFd();
+			issl_session* session = &sessions[fd];
 
+			req.cert = session->cert;
+		}
+	}
 
 	void OnStreamSocketAccept(StreamSocket* user, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
 	{
@@ -402,7 +406,6 @@ class ModuleSSLGnuTLS : public Module
 			{
 				if (session->status != ISSL_CLOSING)
 					return 0;
-				user->SetError("Handshake Failed");
 				return -1;
 			}
 		}
@@ -459,7 +462,6 @@ class ModuleSSLGnuTLS : public Module
 			Handshake(session, user);
 			if (session->status != ISSL_CLOSING)
 				return 0;
-			user->SetError("Handshake Failed");
 			return -1;
 		}
 
@@ -527,6 +529,7 @@ class ModuleSSLGnuTLS : public Module
 			}
 			else
 			{
+				user->SetError(std::string("Handshake Failed - ") + gnutls_strerror(ret));
 				CloseSession(session);
 				session->status = ISSL_CLOSING;
 			}
@@ -547,14 +550,13 @@ class ModuleSSLGnuTLS : public Module
 		}
 	}
 
-	void OnPostConnect(User* user)
+	void OnUserConnect(LocalUser* user)
 	{
-		// This occurs AFTER OnUserConnect so we can be sure the
-		// protocol module has propagated the NICK message.
-		if (user->GetIOHook() == this)
+		if (user->eh.GetIOHook() == this)
 		{
 			if (sessions[user->GetFd()].sess)
 			{
+				SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
 				std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
 				cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
 				cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
@@ -565,23 +567,19 @@ class ModuleSSLGnuTLS : public Module
 
 	void CloseSession(issl_session* session)
 	{
-		if(session->sess)
+		if (session->sess)
 		{
 			gnutls_bye(session->sess, GNUTLS_SHUT_WR);
 			gnutls_deinit(session->sess);
 		}
-
 		session->sess = NULL;
+		session->cert = NULL;
 		session->status = ISSL_NONE;
 	}
 
-	void VerifyCertificate(issl_session* session, Extensible* user)
+	void VerifyCertificate(issl_session* session, StreamSocket* user)
 	{
-		if (!session->sess || !user)
-			return;
-
-		Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
-		if (!sslinfo)
+		if (!session->sess || !user || session->cert)
 			return;
 
 		unsigned int status;
@@ -594,6 +592,7 @@ class ModuleSSLGnuTLS : public Module
 		size_t digest_size = sizeof(digest);
 		size_t name_size = sizeof(name);
 		ssl_cert* certinfo = new ssl_cert;
+		session->cert = certinfo;
 
 		/* This verification function uses the trusted CAs in the credentials
 		 * structure. So you must have installed one or more CA certificates.
@@ -603,7 +602,7 @@ class ModuleSSLGnuTLS : public Module
 		if (ret < 0)
 		{
 			certinfo->error = std::string(gnutls_strerror(ret));
-			goto info_done;
+			return;
 		}
 
 		certinfo->invalid = (status & GNUTLS_CERT_INVALID);
@@ -618,14 +617,14 @@ class ModuleSSLGnuTLS : public Module
 		if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
 		{
 			certinfo->error = "No X509 keys sent";
-			goto info_done;
+			return;
 		}
 
 		ret = gnutls_x509_crt_init(&cert);
 		if (ret < 0)
 		{
 			certinfo->error = gnutls_strerror(ret);
-			goto info_done;
+			return;
 		}
 
 		cert_list_size = 0;
@@ -671,8 +670,6 @@ class ModuleSSLGnuTLS : public Module
 
 info_done_dealloc:
 		gnutls_x509_crt_deinit(cert);
-info_done:
-		SSLCertSubmission(user, this, sslinfo, certinfo);
 	}
 
 	void OnEvent(Event& ev)