summaryrefslogtreecommitdiff
path: root/src/modules/extra
diff options
context:
space:
mode:
Diffstat (limited to 'src/modules/extra')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp87
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp59
2 files changed, 39 insertions, 107 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index f5133a1dc..97a5ebe0e 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -98,10 +98,11 @@ class ModuleSSLGnuTLS : public Module
CommandStartTLS starttls;
+ GenericCap capHandler;
public:
ModuleSSLGnuTLS(InspIRCd* Me)
- : Module(Me), starttls(Me, this)
+ : Module(Me), starttls(Me, this), capHandler(this, "tls")
{
ServerInstance->Modules->PublishInterface("BufferedSocketHook", this);
@@ -266,13 +267,6 @@ class ModuleSSLGnuTLS : public Module
ServerInstance->Users->QuitUser(user, "SSL module unloading");
user->DelIOHook();
}
- if (user->GetExt("ssl_cert"))
- {
- ssl_cert* tofree;
- user->GetExt("ssl_cert", tofree);
- delete tofree;
- user->Shrink("ssl_cert");
- }
}
}
@@ -339,25 +333,16 @@ class ModuleSSLGnuTLS : public Module
{
if (static_cast<Extensible*>(ServerInstance->SE->GetRef(ISR->Sock->GetFd())) == static_cast<Extensible*>(ISR->Sock))
{
- VerifyCertificate(session, ISR->Sock);
return "OK";
}
}
}
}
- else if (strcmp("GET_FP", request->GetId()) == 0)
+ else if (strcmp("GET_CERT", request->GetId()) == 0)
{
- if (ISR->Sock->GetFd() > -1)
- {
- issl_session* session = &sessions[ISR->Sock->GetFd()];
- if (session->sess)
- {
- Extensible* ext = ISR->Sock;
- ssl_cert* certinfo;
- if (ext->GetExt("ssl_cert",certinfo))
- return certinfo->GetFingerprint().c_str();
- }
- }
+ Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
+ if (sslinfo)
+ return sslinfo->OnRequest(request);
}
return NULL;
}
@@ -413,16 +398,6 @@ class ModuleSSLGnuTLS : public Module
return;
CloseSession(&sessions[fd]);
-
- EventHandler* user = ServerInstance->SE->GetRef(fd);
-
- if ((user) && (user->GetExt("ssl_cert")))
- {
- ssl_cert* tofree;
- user->GetExt("ssl_cert", tofree);
- delete tofree;
- user->Shrink("ssl_cert");
- }
}
virtual int OnRawSocketRead(int fd, char* buffer, unsigned int count, int &readresult)
@@ -606,17 +581,13 @@ class ModuleSSLGnuTLS : public Module
}
else
{
- // Handshake complete.
- // This will do for setting the ssl flag...it could be done earlier if it's needed. But this seems neater.
- EventHandler *extendme = ServerInstance->SE->GetRef(fd);
- if (extendme)
- {
- extendme->Extend("ssl");
- }
-
// Change the seesion state
session->status = ISSL_HANDSHAKEN;
+ EventHandler* user = ServerInstance->SE->GetRef(fd);
+
+ VerifyCertificate(session,user);
+
// Finish writing, if any left
MakePollWrite(fd);
@@ -630,7 +601,6 @@ class ModuleSSLGnuTLS : public Module
// protocol module has propagated the NICK message.
if (user->GetIOHook() == this && (IS_LOCAL(user)))
{
- ssl_cert* certdata = VerifyCertificate(&sessions[user->GetFd()],user);
if (sessions[user->GetFd()].sess)
{
std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
@@ -638,10 +608,6 @@ class ModuleSSLGnuTLS : public Module
cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
}
-
- ServerInstance->PI->SendMetaData(user, "ssl", "ON");
- if (certdata)
- ServerInstance->PI->SendMetaData(user, "ssl_cert", certdata->GetMetaLine().c_str());
}
}
@@ -676,10 +642,14 @@ class ModuleSSLGnuTLS : public Module
session->status = ISSL_NONE;
}
- ssl_cert* VerifyCertificate(issl_session* session, Extensible* user)
+ void VerifyCertificate(issl_session* session, Extensible* user)
{
if (!session->sess || !user)
- return NULL;
+ return;
+
+ Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
+ if (!sslinfo)
+ return;
unsigned int status;
const gnutls_datum_t* cert_list;
@@ -692,8 +662,6 @@ class ModuleSSLGnuTLS : public Module
size_t name_size = sizeof(name);
ssl_cert* certinfo = new ssl_cert;
- user->Extend("ssl_cert",certinfo);
-
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
*/
@@ -702,7 +670,7 @@ class ModuleSSLGnuTLS : public Module
if (ret < 0)
{
certinfo->error = std::string(gnutls_strerror(ret));
- return certinfo;
+ goto info_done;
}
certinfo->invalid = (status & GNUTLS_CERT_INVALID);
@@ -717,14 +685,14 @@ class ModuleSSLGnuTLS : public Module
if (gnutls_certificate_type_get(session->sess) != GNUTLS_CRT_X509)
{
certinfo->error = "No X509 keys sent";
- return certinfo;
+ goto info_done;
}
ret = gnutls_x509_crt_init(&cert);
if (ret < 0)
{
certinfo->error = gnutls_strerror(ret);
- return certinfo;
+ goto info_done;
}
cert_list_size = 0;
@@ -732,7 +700,7 @@ class ModuleSSLGnuTLS : public Module
if (cert_list == NULL)
{
certinfo->error = "No certificate was found";
- return certinfo;
+ goto info_done_dealloc;
}
/* This is not a real world example, since we only check the first
@@ -743,7 +711,7 @@ class ModuleSSLGnuTLS : public Module
if (ret < 0)
{
certinfo->error = gnutls_strerror(ret);
- return certinfo;
+ goto info_done_dealloc;
}
gnutls_x509_crt_get_dn(cert, name, &name_size);
@@ -768,20 +736,15 @@ class ModuleSSLGnuTLS : public Module
certinfo->error = "Not activated, or expired certificate";
}
+info_done_dealloc:
gnutls_x509_crt_deinit(cert);
-
- return certinfo;
+info_done:
+ BufferedSocketFingerprintSubmission(user, this, sslinfo, certinfo).Send();
}
void OnEvent(Event* ev)
{
- GenericCapHandler(ev, "tls", "tls");
- }
-
- void Prioritize()
- {
- Module* server = ServerInstance->Modules->Find("m_spanningtree.so");
- ServerInstance->Modules->SetPriority(this, I_OnPostConnect, PRIORITY_AFTER, &server);
+ capHandler.HandleEvent(ev);
}
};
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index a8043457b..a33cf6bc2 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -293,13 +293,6 @@ class ModuleSSLOpenSSL : public Module
ServerInstance->Users->QuitUser(user, "SSL module unloading");
user->DelIOHook();
}
- if (user->GetExt("ssl_cert", dummy))
- {
- ssl_cert* tofree;
- user->GetExt("ssl_cert", tofree);
- delete tofree;
- user->Shrink("ssl_cert");
- }
}
}
@@ -347,23 +340,14 @@ class ModuleSSLOpenSSL : public Module
issl_session* session = &sessions[ISR->Sock->GetFd()];
if (session->sess)
{
- VerifyCertificate(session, (BufferedSocket*)ISR->Sock);
return "OK";
}
}
- else if (strcmp("GET_FP", request->GetId()) == 0)
+ else if (strcmp("GET_CERT", request->GetId()) == 0)
{
- if (ISR->Sock->GetFd() > -1)
- {
- issl_session* session = &sessions[ISR->Sock->GetFd()];
- if (session->sess)
- {
- Extensible* ext = ISR->Sock;
- ssl_cert* certinfo;
- if (ext->GetExt("ssl_cert",certinfo))
- return certinfo->GetFingerprint().c_str();
- }
- }
+ Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
+ if (sslinfo)
+ return sslinfo->OnRequest(request);
}
return NULL;
}
@@ -430,16 +414,6 @@ class ModuleSSLOpenSSL : public Module
return;
CloseSession(&sessions[fd]);
-
- EventHandler* user = ServerInstance->SE->GetRef(fd);
-
- if ((user) && (user->GetExt("ssl_cert", dummy)))
- {
- ssl_cert* tofree;
- user->GetExt("ssl_cert", tofree);
- delete tofree;
- user->Shrink("ssl_cert");
- }
}
virtual int OnRawSocketRead(int fd, char* buffer, unsigned int count, int &readresult)
@@ -691,10 +665,7 @@ class ModuleSSLOpenSSL : public Module
// Handshake complete.
// This will do for setting the ssl flag...it could be done earlier if it's needed. But this seems neater.
EventHandler *u = ServerInstance->SE->GetRef(session->fd);
- if (u)
- {
- u->Extend("ssl");
- }
+ VerifyCertificate(session, u);
session->status = ISSL_OPEN;
@@ -717,13 +688,8 @@ class ModuleSSLOpenSSL : public Module
// protocol module has propagated the NICK message.
if ((user->GetIOHook() == this) && (IS_LOCAL(user)))
{
- ssl_cert* certdata = VerifyCertificate(&sessions[user->GetFd()], user);
if (sessions[user->GetFd()].sess)
user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), SSL_get_cipher(sessions[user->GetFd()].sess));
-
- ServerInstance->PI->SendMetaData(user, "ssl", "ON");
- if (certdata)
- ServerInstance->PI->SendMetaData(user, "ssl_cert", certdata->GetMetaLine().c_str());
}
}
@@ -767,10 +733,14 @@ class ModuleSSLOpenSSL : public Module
errno = EIO;
}
- ssl_cert* VerifyCertificate(issl_session* session, Extensible* user)
+ void VerifyCertificate(issl_session* session, Extensible* user)
{
if (!session->sess || !user)
- return NULL;
+ return;
+
+ Module* sslinfo = ServerInstance->Modules->Find("m_sslinfo.so");
+ if (!sslinfo)
+ return;
X509* cert;
ssl_cert* certinfo = new ssl_cert;
@@ -778,14 +748,13 @@ class ModuleSSLOpenSSL : public Module
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *digest = EVP_md5();
- user->Extend("ssl_cert",certinfo);
-
cert = SSL_get_peer_certificate((SSL*)session->sess);
if (!cert)
{
certinfo->error = "Could not get peer certificate: "+std::string(get_error());
- return certinfo;
+ BufferedSocketFingerprintSubmission(user, this, sslinfo, certinfo).Send();
+ return;
}
certinfo->invalid = (SSL_get_verify_result(session->sess) != X509_V_OK);
@@ -819,7 +788,7 @@ class ModuleSSLOpenSSL : public Module
}
X509_free(cert);
- return certinfo;
+ BufferedSocketFingerprintSubmission(user, this, sslinfo, certinfo).Send();
}
void Prioritize()