From c01b8aab83eafc1186494f92fe3ec780479b60df Mon Sep 17 00:00:00 2001 From: brain Date: Sun, 3 Sep 2006 20:20:51 +0000 Subject: [PATCH] OpenSSL gets certs and populates the ssl_cert* now! (NOTE: This is not finished by a long shot, because openssl and gnutls generate slightly different format of DN - although, the fingerprint will always match if its the same user :)) git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@5126 e03df62e-2008-0410-955e-edbf42e46eb7 --- src/modules/extra/m_ssl_openssl.cpp | 61 +++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 812198b88..071c1d961 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -59,6 +59,11 @@ public: } }; +static int OnVerify(int preverify_ok, X509_STORE_CTX *ctx) +{ + return 1; +} + class ModuleSSLOpenSSL : public Module { @@ -100,6 +105,8 @@ class ModuleSSLOpenSSL : public Module /* Build our SSL context*/ ctx = SSL_CTX_new( SSLv23_server_method() ); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify); + // Needs the flag as it ignores a plain /rehash OnRehash("ssl"); } @@ -240,6 +247,13 @@ class ModuleSSLOpenSSL : public Module ServerInstance->Log(DEBUG, "m_ssl_openssl.so: Adding user %s to cull list", user->nick); culllist->AddItem(user, "SSL module unloading"); } + if (user->GetExt("ssl_cert", dummy) && isin(user->GetPort(), listenports)) + { + ssl_cert* tofree; + user->GetExt("ssl_cert", tofree); + delete tofree; + user->Shrink("ssl_cert"); + } } } @@ -633,6 +647,8 @@ class ModuleSSLOpenSSL : public Module event->Send(ServerInstance); // Trigger the event. We don't care what module picks it up. DELETE(event); DELETE(metadata); + + VerifyCertificate(&sessions[user->GetFd()], user); } } @@ -662,9 +678,54 @@ class ModuleSSLOpenSSL : public Module void VerifyCertificate(issl_session* session, userrec* user) { + X509* cert; + ssl_cert* certinfo = new ssl_cert; + unsigned int n; + unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *digest = EVP_md5(); + //char* buf; + user->Extend("ssl_cert",certinfo); + cert = SSL_get_peer_certificate((SSL*)session->sess); + if (!cert) + { + certinfo->data.insert(std::make_pair("error","Could not get peer certificate: "+std::string(get_error()))); + return; + } + + /*if (!X509_verify_cert(cert)) + { + certinfo->data.insert(std::make_pair("invalid",ConvToStr(1))); + } + else + { + certinfo->data.insert(std::make_pair("invalid",ConvToStr(0))); + }*/ + + //X509_NAME_oneline(nm, 0, 0); + certinfo->data.insert(std::make_pair("dn",std::string(X509_NAME_oneline(X509_get_subject_name(cert),0,0)))); + certinfo->data.insert(std::make_pair("issuer",std::string(X509_NAME_oneline(X509_get_issuer_name(cert),0,0)))); + + if (!X509_digest(cert, digest, md, &n)) + { + certinfo->data.insert(std::make_pair("error","Out of memory generating fingerprint")); + } + else + { + certinfo->data.insert(std::make_pair("fingerprint",irc::hex(md, n))); + } + + if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), time(NULL)) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), time(NULL)) == -1)) + { + certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate")); + } + + /*if (cert->name) + { + certinfo->data.insert(std::make_pair("dn",cert->name)); + }*/ } }; -- 2.39.2