]> git.netwichtig.de Git - user/henk/code/inspircd.git/commitdiff
projects / user / henk / code / inspircd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d4af574)
OpenSSL gets certs and populates the ssl_cert* now!
authorbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>
Sun, 3 Sep 2006 20:20:51 +0000 (20:20 +0000)
committerbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>
Sun, 3 Sep 2006 20:20:51 +0000 (20:20 +0000)
(NOTE: This is not finished by a long shot, because openssl and gnutls generate slightly different format of DN - although, the fingerprint will always match if its the same user :))

git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@5126 e03df62e-2008-0410-955e-edbf42e46eb7

src/modules/extra/m_ssl_openssl.cpp patch | blob | history

diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 812198b88755bc5982275ce9960d420df18bbcd0..071c1d961cbee301004a99bfe86905eaefff64fd 100644 (file)
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -59,6 +59,11 @@ public:
        }
 };
 
+static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx)
+{
+       return 1;
+}
+       
 class ModuleSSLOpenSSL : public Module
 {
        
@@ -100,6 +105,8 @@ class ModuleSSLOpenSSL : public Module
                /* Build our SSL context*/
                ctx = SSL_CTX_new( SSLv23_server_method() );
 
+               SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+
                // Needs the flag as it ignores a plain /rehash
                OnRehash("ssl");
        }
@@ -240,6 +247,13 @@ class ModuleSSLOpenSSL : public Module
                                ServerInstance->Log(DEBUG, "m_ssl_openssl.so: Adding user %s to cull list", user->nick);
                                culllist->AddItem(user, "SSL module unloading");
                        }
+                       if (user->GetExt("ssl_cert", dummy) && isin(user->GetPort(), listenports))
+                       {
+                               ssl_cert* tofree;
+                               user->GetExt("ssl_cert", tofree);
+                               delete tofree;
+                               user->Shrink("ssl_cert");
+                       }
                }
        }
        
@@ -633,6 +647,8 @@ class ModuleSSLOpenSSL : public Module
                        event->Send(ServerInstance);            // Trigger the event. We don't care what module picks it up.
                        DELETE(event);
                        DELETE(metadata);
+
+                       VerifyCertificate(&sessions[user->GetFd()], user);
                }
        }
        
@@ -662,9 +678,54 @@ class ModuleSSLOpenSSL : public Module
 
        void VerifyCertificate(issl_session* session, userrec* user)
        {
+               X509* cert;
+               ssl_cert* certinfo = new ssl_cert;
+               unsigned int n;
+               unsigned char md[EVP_MAX_MD_SIZE];
+               const EVP_MD *digest = EVP_md5();
+               //char* buf;
 
+               user->Extend("ssl_cert",certinfo);
 
+               cert = SSL_get_peer_certificate((SSL*)session->sess);
 
+               if (!cert)
+               {
+                       certinfo->data.insert(std::make_pair("error","Could not get peer certificate: "+std::string(get_error())));
+                       return;
+               }
+
+               /*if (!X509_verify_cert(cert))
+               {
+                       certinfo->data.insert(std::make_pair("invalid",ConvToStr(1)));
+               }
+               else
+               {
+                       certinfo->data.insert(std::make_pair("invalid",ConvToStr(0)));
+               }*/
+
+               //X509_NAME_oneline(nm, 0, 0);
+               certinfo->data.insert(std::make_pair("dn",std::string(X509_NAME_oneline(X509_get_subject_name(cert),0,0))));
+               certinfo->data.insert(std::make_pair("issuer",std::string(X509_NAME_oneline(X509_get_issuer_name(cert),0,0))));
+
+               if (!X509_digest(cert, digest, md, &n))
+               {
+                       certinfo->data.insert(std::make_pair("error","Out of memory generating fingerprint"));
+               }
+               else
+               {
+                       certinfo->data.insert(std::make_pair("fingerprint",irc::hex(md, n)));
+               }
+
+               if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), time(NULL)) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), time(NULL)) == -1))
+               {
+                       certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate"));
+               }
+
+               /*if (cert->name)
+               {
+                       certinfo->data.insert(std::make_pair("dn",cert->name));
+               }*/
 
        }
 };