Obtaining of ssl cert in gnutls module and placing it into a class which is extended to the user, type ssl_cert.

In a while the openssl module will also populate this same high level class with data git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@5123 e03df62e-2008-0410-955e-edbf42e46eb7
author: brain <brain@e03df62e-2008-0410-955e-edbf42e46eb7> 2006-09-03 17:29:29 +0000
committer: brain <brain@e03df62e-2008-0410-955e-edbf42e46eb7> 2006-09-03 17:29:29 +0000
commit: b02af8b2a9787c3fad7e317540dbfef72610d53e (patch)
tree: a8561af8ae59f008360ff05ea616b4b1b2e92aaa /src/modules
parent: 13aeb82ad2462d3eb2952365fd944c8837d55ea8 (diff)
2 files changed, 238 insertions, 13 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index d39a1cc78..1ce19b29f 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -2,6 +2,7 @@
 #include <vector>
 
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 
 #include "inspircd_config.h"
 #include "configreader.h"
@@ -13,6 +14,8 @@
 #include "hashcomp.h"
 #include "inspircd.h"
 
+#include "ssl_cert.h"
+
 /* $ModDesc: Provides SSL support for clients */
 /* $CompileFlags: `libgnutls-config --cflags` */
 /* $LinkerFlags: `libgnutls-config --libs` `perl ../gnutls_rpath.pl` */
@@ -214,6 +217,13 @@ class ModuleSSLGnuTLS : public Module
 				ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: Adding user %s to cull list", user->nick);
 				culllist->AddItem(user, "SSL module unloading");
 			}
+			if (user->GetExt("ssl_cert", dummy) && isin(user->GetPort(), listenports))
+			{
+				ssl_cert* tofree;
+				user->GetExt("ssl_cert", tofree);
+				delete tofree;
+				user->Shrink("ssl_cert");
+			}
 		}
 	}
 	
@@ -265,7 +275,7 @@ class ModuleSSLGnuTLS : public Module
 		 */
 		
 		gnutls_transport_set_ptr(session->sess, (gnutls_transport_ptr_t) fd); // Give gnutls the fd for the socket.
-		
+
 		Handshake(session);
 	}
 
@@ -273,13 +283,23 @@ class ModuleSSLGnuTLS : public Module
 	{
 		ServerInstance->Log(DEBUG, "OnRawSocketClose: %d", fd);
 		CloseSession(&sessions[fd]);
+
+		EventHandler* user = ServerInstance->SE->GetRef(fd);
+
+		if ((user) && (user->GetExt("ssl_cert", dummy)))
+		{
+			ssl_cert* tofree;
+			user->GetExt("ssl_cert", tofree);
+			delete tofree;
+			user->Shrink("ssl_cert");
+		}
 	}
 	
 	virtual int OnRawSocketRead(int fd, char* buffer, unsigned int count, int &readresult)
 	{
 		issl_session* session = &sessions[fd];
 		
-		if(!session->sess)
+		if (!session->sess)
 		{
 			ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: No session to read from");
 			readresult = 0;
@@ -289,7 +309,7 @@ class ModuleSSLGnuTLS : public Module
 		
 		ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead(%d, buffer, %u, %d)", fd, count, readresult);
 		
-		if(session->status == ISSL_HANDSHAKING_READ)
+		if (session->status == ISSL_HANDSHAKING_READ)
 		{
 			// The handshake isn't finished, try to finish it.
 			
@@ -305,7 +325,7 @@ class ModuleSSLGnuTLS : public Module
 				return -1;
 			}
 		}
-		else if(session->status == ISSL_HANDSHAKING_WRITE)
+		else if (session->status == ISSL_HANDSHAKING_WRITE)
 		{
 			ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: handshake wants to write data but we are currently reading");
 			return -1;
@@ -313,7 +333,7 @@ class ModuleSSLGnuTLS : public Module
 		
 		// If we resumed the handshake then session->status will be ISSL_HANDSHAKEN.
 		
-		if(session->status == ISSL_HANDSHAKEN)
+		if (session->status == ISSL_HANDSHAKEN)
 		{
 			// Is this right? Not sure if the unencrypted data is garaunteed to be the same length.
 			// Read into the inbuffer, offset from the beginning by the amount of data we have that insp hasn't taken yet.
@@ -321,7 +341,7 @@ class ModuleSSLGnuTLS : public Module
 			
 			int ret = gnutls_record_recv(session->sess, session->inbuf + session->inbufoffset, inbufsize - session->inbufoffset);
 
-			if(ret == 0)
+			if (ret == 0)
 			{
 				// Client closed connection.
 				ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: Client closed the connection");
@@ -329,9 +349,9 @@ class ModuleSSLGnuTLS : public Module
 				CloseSession(session);
 				return 1;
 			}
-			else if(ret < 0)
+			else if (ret < 0)
 			{
-				if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
+				if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
 				{
 					ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: Not all SSL data read: %s", gnutls_strerror(ret));
 					return -1;
@@ -350,8 +370,6 @@ class ModuleSSLGnuTLS : public Module
 				// 'buffer' is 'count' long
 				
 				unsigned int length = ret + session->inbufoffset;
-		
-				ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketRead: Read %d bytes, now have %d waiting to be passed up", ret, length);
 						
 				if(count <= length)
 				{
@@ -415,7 +433,6 @@ class ModuleSSLGnuTLS : public Module
 			ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: handshake wants to read data but we are currently writing");
 		}
 
-		ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: Adding %d bytes to the outgoing buffer", count);		
 		session->outbuf.append(sendbuffer, count);
 		sendbuffer = session->outbuf.c_str();
 		count = session->outbuf.size();
@@ -443,7 +460,6 @@ class ModuleSSLGnuTLS : public Module
 			}
 			else
 			{
-				ServerInstance->Log(DEBUG, "m_ssl_gnutls.so: OnRawSocketWrite: Successfully wrote %d bytes", ret);
 				session->outbuf = session->outbuf.substr(ret);
 			}
 		}
@@ -498,7 +514,7 @@ class ModuleSSLGnuTLS : public Module
 	{		
 		int ret = gnutls_handshake(session->sess);
       
-      if(ret < 0)
+		if(ret < 0)
 		{
 			if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
 			{
@@ -566,6 +582,8 @@ class ModuleSSLGnuTLS : public Module
 			event->Send(ServerInstance);		// Trigger the event. We don't care what module picks it up.
 			DELETE(event);
 			DELETE(metadata);
+
+			VerifyCertificate(&sessions[user->GetFd()],user);
 		}
 	}
 	
@@ -592,6 +610,120 @@ class ModuleSSLGnuTLS : public Module
 		session->sess = NULL;
 		session->status = ISSL_NONE;
 	}
+
+	void VerifyCertificate(issl_session* session, userrec* user)
+	{
+		unsigned int status;
+		const gnutls_datum_t* cert_list;
+		int ret;
+		unsigned int cert_list_size, name_size;
+		gnutls_x509_crt_t cert;
+		char name[MAXBUF];
+		ssl_cert* certinfo = new ssl_cert;
+
+		user->Extend("ssl_cert",certinfo);
+
+		/* This verification function uses the trusted CAs in the credentials
+		 * structure. So you must have installed one or more CA certificates.
+		 */
+		ret = gnutls_certificate_verify_peers2(session->sess, &status);
+
+		if (ret < 0)
+		{
+			certinfo->data.insert(std::make_pair("error",std::string(gnutls_strerror(ret))));
+			return;
+		}
+
+		if (status & GNUTLS_CERT_INVALID)
+		{
+			certinfo->data.insert(std::make_pair("invalid",ConvToStr(1)));
+		}
+		else
+		{
+			certinfo->data.insert(std::make_pair("invalid",ConvToStr(0)));
+		}
+		if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+		{
+			certinfo->data.insert(std::make_pair("unknownsigner",ConvToStr(1)));
+		}
+		else
+		{
+			certinfo->data.insert(std::make_pair("unknownsigner",ConvToStr(0)));
+		}
+		if (status & GNUTLS_CERT_REVOKED)
+		{
+			certinfo->data.insert(std::make_pair("revoked",ConvToStr(1)));
+		}
+		else
+		{
+			certinfo->data.insert(std::make_pair("revoked",ConvToStr(0)));
+		}
+		if (status & GNUTLS_CERT_SIGNER_NOT_CA)
+		{
+			certinfo->data.insert(std::make_pair("trusted",ConvToStr(0)));
+		}
+		else
+		{
+			certinfo->data.insert(std::make_pair("trusted",ConvToStr(1)));
+		}
+	
+		/* Up to here the process is the same for X.509 certificates and
+		 * OpenPGP keys. From now on X.509 certificates are assumed. This can
+		 * be easily extended to work with openpgp keys as well.
+		 */
+		if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
+		{
+			certinfo->data.insert(std::make_pair("error","No X509 keys sent"));
+			return;
+		}
+
+		ret = gnutls_x509_crt_init(&cert);
+		if (ret < 0)
+		{
+			certinfo->data.insert(std::make_pair("error",gnutls_strerror(ret)));
+			return;
+		}
+
+		cert_list = gnutls_certificate_get_peers(session->sess, &cert_list_size);
+		if (cert_list == NULL)
+		{
+			certinfo->data.insert(std::make_pair("error","No certificate was found"));
+			return;
+		}
+
+		/* This is not a real world example, since we only check the first 
+		 * certificate in the given chain.
+		 */
+
+		ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
+		if (ret < 0)
+		{
+			certinfo->data.insert(std::make_pair("error",gnutls_strerror(ret)));
+			return;
+		}
+
+		name_size = sizeof(name);
+		gnutls_x509_crt_get_dn(cert, name, &name_size);
+
+		certinfo->data.insert(std::make_pair("dn",name));
+
+		name_size = sizeof(name);
+		gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
+
+		certinfo->data.insert(std::make_pair("issuer",name));
+
+		/* Beware here we do not check for errors.
+		 */
+		if ((gnutls_x509_crt_get_expiration_time(cert) < time(0)) || (gnutls_x509_crt_get_activation_time(cert) > time(0)))
+		{
+			certinfo->data.insert(std::make_pair("error","Not activated, or expired certificate"));
+		}
+
+		gnutls_x509_crt_deinit(cert);
+
+		return;
+	}
+
 };
 
 class ModuleSSLGnuTLSFactory : public ModuleFactory
diff --git a/src/modules/extra/ssl_cert.h b/src/modules/extra/ssl_cert.h
new file mode 100644
index 000000000..fbbd821ac
--- /dev/null
+++ b/src/modules/extra/ssl_cert.h
@@ -0,0 +1,93 @@
+#ifndef __SSL_CERT_H__
+#define __SSL_CERT_H__
+
+#include <map>
+#include <string>
+
+typedef std::map<std::string,std::string> ssl_data;
+typedef ssl_data::iterator ssl_data_iter;
+
+class ssl_cert
+{
+	const std::string empty;
+
+ public:
+	ssl_data data;
+
+	ssl_cert() : empty("")
+	{
+	}
+
+	const std::string& GetDN()
+	{
+		ssl_data_iter ssldi = data.find("dn");
+
+		if (ssldi != data.end())
+			return ssldi->second;
+		else
+			return empty;
+	}
+
+	const std::string& GetIssuer()
+	{
+		ssl_data_iter ssldi = data.find("issuer");
+
+		if (ssldi != data.end())
+			return ssldi->second;
+		else
+			return empty;
+	}
+
+	const std::string& GetError()
+	{
+		ssl_data_iter ssldi = data.find("error");
+
+		if (ssldi != data.end())
+			return ssldi->second;
+		else
+			return empty;
+	}
+
+	bool IsTrusted()
+	{
+		ssl_data_iter ssldi = data.find("trusted");
+
+		if (ssldi != data.end())
+			return (ssldi->second == "1");
+		else
+			return false;
+	}
+
+	bool IsInvalid()
+	{
+		ssl_data_iter ssldi = data.find("invalid");
+
+		if (ssldi != data.end())
+			return (ssldi->second == "1");
+		else
+			return false;
+	}
+
+	bool IsUnknownSigner()
+	{
+		ssl_data_iter ssldi = data.find("unknownsigner");
+
+		if (ssldi != data.end())
+			return (ssldi->second == "1");
+		else
+			return false;
+	}
+
+	bool IsRevoked()
+	{
+		ssl_data_iter ssldi = data.find("revoked");
+
+		if (ssldi != data.end())
+			return (ssldi->second == "1");
+		else
+			return false;
+	}
+};
+
+#endif
+
author	brain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>	2006-09-03 17:29:29 +0000
committer	brain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>	2006-09-03 17:29:29 +0000
commit	b02af8b2a9787c3fad7e317540dbfef72610d53e (patch)
tree	a8561af8ae59f008360ff05ea616b4b1b2e92aaa /src/modules
parent	13aeb82ad2462d3eb2952365fd944c8837d55ea8 (diff)