Commit 66f3b2e2 authored by Marc Dequènes (Duck)'s avatar Marc Dequènes (Duck)

[evol] move 'security' parameter and 'tls' block into server blocks ('inetd'...

[evol] move 'security' parameter and 'tls' block into server blocks ('inetd' or 'daemon') to allow a more fine-grained selection and later allow multiple daemon binds (see #233)
parent 19a7a3fb
......@@ -29,9 +29,23 @@ irc {
# 2: daemon fork
type = 2
# Connection security mode
# none/tls/starttls/starttls-mandatory
#security = none
# With 'inetd' modes, set some parameters
inetd {
# Connection security mode
# none/tls/starttls/starttls-mandatory
#security = none
# TLS parameters (if enabled)
#tls {
# cert_file = /etc/minbif/server.crt
# key_file = /etc/minbif/server.key
# priority = PERFORMANCE
#
# # client certificate validation
# trust_file = /etc/ssl/certs/ca.crt
# crl_file = /etc/ssl/certs/ca.crl
#}
}
# With 'daemon' and 'daemon fork' modes, set some
# parameters to listen on network.
......@@ -50,6 +64,21 @@ irc {
# Maximum simultaneous connections
maxcon = 10
# Connection security mode
# none/tls/starttls/starttls-mandatory
#security = none
# TLS parameters (if enabled)
#tls {
# cert_file = /etc/minbif/server.crt
# key_file = /etc/minbif/server.key
# priority = PERFORMANCE
#
# # client certificate validation
# trust_file = /etc/ssl/certs/ca.crt
# crl_file = /etc/ssl/certs/ca.crl
#}
}
# Ping interval in seconds.
......@@ -101,17 +130,6 @@ aaa {
# Enable connection information for authentication/authorization
# (currently only used with TLS client certificates)
#use_connection = false
# TLS parameters (if enabled)
#tls {
# cert_file = /etc/minbif/server.crt
# key_file = /etc/minbif/server.key
# priority = PERFORMANCE
#
# # client certificate validation
# trust_file = /etc/ssl/certs/ca.crt
# crl_file = /etc/ssl/certs/ca.crl
#}
}
file_transfers {
......
......@@ -28,7 +28,6 @@
#include "minbif.h"
#include "sighandler.h"
#include "version.h"
#include "config.h"
#include "log.h"
#include "util.h"
#include "im/im.h"
......@@ -50,6 +49,8 @@ Minbif::Minbif()
server_poll(0)
{
ConfigSection* section;
ConfigSection* sub;
section = conf.AddSection("path", "Path information", MyConfig::NORMAL);
section->AddItem(new ConfigItem_string("users", "Users directory"));
section->AddItem(new ConfigItem_string("motd", "Path to motd", " "));
......@@ -60,13 +61,16 @@ Minbif::Minbif()
section->AddItem(new ConfigItem_int("type", "Type of daemon", 0, 2, "0"));
section->AddItem(new ConfigItem_int("ping", "Ping frequence (s)", 0, 65535, "60"));
section->AddItem(new ConfigItem_string("buddy_icons_url", "URL to display in /WHOIS to get a buddy icon", " "));
section->AddItem(new ConfigItem_string("security", "none/tls/starttls/starttls-mandatory", "none"));
ConfigSection* sub = section->AddSection("daemon", "Daemon information", MyConfig::OPTIONAL);
sub = section->AddSection("inetd", "Inetd information", MyConfig::OPTIONAL);
add_server_block_common_params(sub);
sub = section->AddSection("daemon", "Daemon information", MyConfig::OPTIONAL);
sub->AddItem(new ConfigItem_string("bind", "IP address to listen on"));
sub->AddItem(new ConfigItem_int("port", "Port to listen on", 1, 65535), true);
sub->AddItem(new ConfigItem_bool("background", "Start minbif in background", "true"));
sub->AddItem(new ConfigItem_int("maxcon", "Maximum simultaneous connections", 0, 65535, "0"));
add_server_block_common_params(sub);
sub = section->AddSection("oper", "Define an IRC operator", MyConfig::MULTIPLE);
sub->AddItem(new ConfigItem_string("login", "Nickname of IRC operator"), true);
......@@ -79,14 +83,6 @@ Minbif::Minbif()
section->AddItem(new ConfigItem_bool("use_pam", "Use PAM mechanisms to authenticate/authorize users", "false"));
#endif
section->AddItem(new ConfigItem_bool("use_connection", "Use connection information to authenticate/authorize users", "false"));
#ifdef HAVE_TLS
sub = section->AddSection("tls", "TLS information", MyConfig::OPTIONAL);
sub->AddItem(new ConfigItem_string("trust_file", "CA certificate file for TLS", " "));
sub->AddItem(new ConfigItem_string("crl_file", "CA certificate file for TLS", " "));
sub->AddItem(new ConfigItem_string("cert_file", "Server certificate file for TLS"));
sub->AddItem(new ConfigItem_string("key_file", "Server key file for TLS"));
sub->AddItem(new ConfigItem_string("priority", "Priority list for ciphers, exchange methods, macs and compression methods", "NORMAL"));
#endif
section = conf.AddSection("file_transfers", "File transfers parameters", MyConfig::OPTIONAL);
section->AddItem(new ConfigItem_bool("enabled", "Enable file transfers", "true"));
......@@ -100,6 +96,19 @@ Minbif::Minbif()
}
void Minbif::add_server_block_common_params(ConfigSection* section)
{
section->AddItem(new ConfigItem_string("security", "none/tls/starttls/starttls-mandatory", "none"));
#ifdef HAVE_TLS
ConfigSection* sub = section->AddSection("tls", "TLS information", MyConfig::OPTIONAL);
sub->AddItem(new ConfigItem_string("trust_file", "CA certificate file for TLS", " "));
sub->AddItem(new ConfigItem_string("crl_file", "CA certificate file for TLS", " "));
sub->AddItem(new ConfigItem_string("cert_file", "Server certificate file for TLS"));
sub->AddItem(new ConfigItem_string("key_file", "Server key file for TLS"));
sub->AddItem(new ConfigItem_string("priority", "Priority list for ciphers, exchange methods, macs and compression methods", "NORMAL"));
#endif
}
Minbif::~Minbif()
{
delete server_poll;
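Review bot: Dropping the `irc`-level `security` item (hunk `@@ -60,13 +61,16 @@`) leaves no handling for configs written against the previous layout that still set `security = tls` directly under `irc`. Whether such a key is rejected or ignored depends on how MyConfig treats unknown items, which is not visible here; if it is ignored, the new per-block `security` silently takes its default `none` and a listener that was TLS before the upgrade comes up in plaintext. A comment next to the moved item would at least record the migration, e.g. `// 'security' and 'tls' now live in the inetd/daemon blocks (see #233); the irc-level key is no longer read`, and a startup warning when the old key is present would make the fallback visible. The constructor body continues outside the hunks.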
......
......@@ -20,6 +20,7 @@
#define MINBIF_H
#include <string>
#include "config.h"
using std::string;
......@@ -32,6 +33,7 @@ class Minbif
ServerPoll* server_poll;
string pidfile;
void add_server_block_common_params(ConfigSection* section);
void usage(int argc, char** argv);
void version(void);
void remove_pidfile(void);
......
......@@ -26,12 +26,10 @@
#include <arpa/inet.h>
#include "daemon_fork.h"
#include "core/config.h"
#include "irc/irc.h"
#include "irc/user.h"
#include "irc/message.h"
#include "irc/replies.h"
#include "core/config.h"
#include "core/callback.h"
#include "core/log.h"
#include "core/minbif.h"
......@@ -39,13 +37,13 @@
#include "sockwrap/sock.h"
#include "sockwrap/sockwrap.h"
DaemonForkServerPoll::DaemonForkServerPoll(Minbif* application)
: ServerPoll(application),
DaemonForkServerPoll::DaemonForkServerPoll(Minbif* application, ConfigSection* config)
: ServerPoll(application, config),
irc(NULL),
sock(-1),
read_cb(NULL)
{
ConfigSection* section = conf.GetSection("irc")->GetSection("daemon");
ConfigSection* section = getConfig();
if(section->Found() == false)
{
b_log[W_ERR] << "Missing section irc/daemon";
......@@ -226,7 +224,7 @@ bool DaemonForkServerPoll::new_client_cb(void*)
try
{
irc = new irc::IRC(this, sock::SockWrapper::Builder(new_socket, new_socket),
irc = new irc::IRC(this, sock::SockWrapper::Builder(getConfig(), new_socket, new_socket),
conf.GetSection("irc")->GetItem("hostname")->String(),
conf.GetSection("irc")->GetItem("ping")->Integer());
}
......
......@@ -100,7 +100,7 @@ class DaemonForkServerPoll : public ServerPoll
public:
DaemonForkServerPoll(Minbif* application);
DaemonForkServerPoll(Minbif* application, ConfigSection* _config);
~DaemonForkServerPoll();
bool new_client_cb(void*);
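Review bot: The new declaration `DaemonForkServerPoll(Minbif* application, ConfigSection* _config);` names the parameter `_config` while the definition in daemon_fork.cpp uses `config`; `InetdServerPoll` has the same mismatch, and `SockWrapperPlain`/`SockWrapperTLS` have it the other way round (`config` in the header, `_config` in the .cpp). One spelling per class keeps the declaration greppable against its definition; here `DaemonForkServerPoll(Minbif* application, ConfigSection* config);` matches the .cpp.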
......
......@@ -22,19 +22,18 @@
#include "inetd.h"
#include "irc/irc.h"
#include "irc/user.h"
#include "core/config.h"
#include "core/callback.h"
#include "core/log.h"
#include "core/minbif.h"
#include "sockwrap/sockwrap.h"
InetdServerPoll::InetdServerPoll(Minbif* application)
: ServerPoll(application),
InetdServerPoll::InetdServerPoll(Minbif* application, ConfigSection* config)
: ServerPoll(application, config),
irc(NULL)
{
try
{
irc = new irc::IRC(this, sock::SockWrapper::Builder(fileno(stdin), fileno(stdout)),
irc = new irc::IRC(this, sock::SockWrapper::Builder(getConfig(), fileno(stdin), fileno(stdout)),
conf.GetSection("irc")->GetItem("hostname")->String(),
conf.GetSection("irc")->GetItem("ping")->Integer());
#ifndef DEBUG
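Review bot: `InetdServerPoll` never checks that the section handed in as `config` was actually found, whereas `DaemonForkServerPoll` does (`if(section->Found() == false)`), even though `build()` now looks up the optional `irc/inetd` block for it. If `GetItem` on a not-found section yields the item's default rather than failing, an inetd deployment without an `inetd { }` block ends up with `security = none` and no diagnostic; a guard mirroring the daemon one, `if (!getConfig()->Found()) b_log[W_ERR] << "Missing section irc/inetd";`, would make that explicit. Whether an unfound section returns defaults is inferred, not visible here. The constructor body continues past the hunk.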
......
......@@ -31,7 +31,7 @@ class InetdServerPoll : public ServerPoll
public:
InetdServerPoll(Minbif* application);
InetdServerPoll(Minbif* application, ConfigSection* _config);
~InetdServerPoll();
void rehash();
......
......@@ -23,12 +23,16 @@
ServerPoll* ServerPoll::build(ServerPoll::poll_type_t type, Minbif* application)
{
ConfigSection* config;
switch(type)
{
case ServerPoll::INETD:
return new InetdServerPoll(application);
config = conf.GetSection("irc")->GetSection("inetd");
return new InetdServerPoll(application, config);
case ServerPoll::DAEMON_FORK:
return new DaemonForkServerPoll(application);
config = conf.GetSection("irc")->GetSection("daemon");
return new DaemonForkServerPoll(application, config);
case ServerPoll::DAEMON:
default:
b_log[W_ERR] << "Type " << type << " is not implemented yet.";
......@@ -37,6 +41,6 @@ ServerPoll* ServerPoll::build(ServerPoll::poll_type_t type, Minbif* application)
throw ServerPollError();
}
ServerPoll::ServerPoll(Minbif* _app)
: application(_app)
ServerPoll::ServerPoll(Minbif* _app, ConfigSection* _config)
: application(_app), config(_config)
{}
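Review bot: `ConfigSection* config;` in `build()` is declared uninitialized and assigned only on the `INETD` and `DAEMON_FORK` arms; the `DAEMON`/`default` arm throws before using it, so this is harmless today, but a future arm that forgets the lookup would pass an indeterminate pointer into a constructor. Initialising it, `ConfigSection* config = NULL;`, or folding the lookup into each `return` expression removes the hazard at no cost. The rest of `build()` lies between the two hunks.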
......@@ -21,6 +21,7 @@
#include <exception>
#include <string>
#include "core/config.h"
using std::string;
......@@ -37,10 +38,12 @@ class ServerPollError : public std::exception {};
class ServerPoll
{
Minbif* application;
ConfigSection* config;
protected:
Minbif* getApplication() const { return application; }
ConfigSection* getConfig() const { return config; }
public:
......@@ -53,7 +56,7 @@ public:
static ServerPoll* build(poll_type_t type, Minbif* application);
ServerPoll(Minbif* application);
ServerPoll(Minbif* application, ConfigSection* _config);
virtual ~ServerPoll() {}
virtual void kill(irc::IRC* irc) = 0;
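Review bot: The new `ConfigSection* config` member is a raw, non-owning pointer into the global `conf` tree and nothing in the class records that lifetime; `InetdServerPoll` exposes a `rehash()` entry point, so if a rehash rebuilds or reallocates config sections this cached pointer (and the copy `SockWrapper` keeps) would dangle. A comment on the member such as `// non-owning: points into the global conf tree; must stay valid for the poll's lifetime (revisit if rehash rebuilds sections)` records the assumption until it is verified. Whether rehash actually reallocates sections is not visible here.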
......
......@@ -21,13 +21,13 @@
#ifdef HAVE_TLS
# include "sockwrap_tls.h"
#endif
#include "core/config.h"
#include "core/util.h"
namespace sock
{
SockWrapper::SockWrapper(int _recv_fd, int _send_fd) : recv_fd(_recv_fd), send_fd(_send_fd)
SockWrapper::SockWrapper(ConfigSection* _config, int _recv_fd, int _send_fd)
: config(_config), recv_fd(_recv_fd), send_fd(_send_fd)
{
if (recv_fd < 0)
throw SockError::SockError("Wrong input file descriptor");
......@@ -49,14 +49,14 @@ SockWrapper::~SockWrapper()
close(send_fd);
}
SockWrapper* SockWrapper::Builder(int _recv_fd, int _send_fd)
SockWrapper* SockWrapper::Builder(ConfigSection* _config, int _recv_fd, int _send_fd)
{
string sec_mode = conf.GetSection("irc")->GetItem("security")->String();
string sec_mode = _config->GetItem("security")->String();
if (sec_mode.compare("none") == 0)
return new SockWrapperPlain(_recv_fd, _send_fd);
return new SockWrapperPlain(_config, _recv_fd, _send_fd);
#ifdef HAVE_TLS
else if (sec_mode.compare("tls") == 0)
return new SockWrapperTLS(_recv_fd, _send_fd);
return new SockWrapperTLS(_config, _recv_fd, _send_fd);
else if (sec_mode.compare("starttls") == 0)
throw SockError::SockError("Security mode not yet implemented");
else if (sec_mode.compare("starttls-mandatory") == 0)
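Review bot: `Builder` dereferences `_config` unconditionally in `_config->GetItem("security")->String()`, and the expected shape of that section is implicit — it must be the `inetd` or `daemon` block carrying `security`, and for `tls` mode the `tls` sub-section that `SockWrapperTLS` later reads. A short contract comment above the definition, e.g. `// _config: the server block ('inetd' or 'daemon') selected by ServerPoll::build(); must not be NULL`, would spare the next caller from discovering this by crash. The remaining `starttls-mandatory` branch continues outside the hunk.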
......
......@@ -21,6 +21,7 @@
#include <string>
#include <vector>
#include "core/log.h"
#include "core/config.h"
#include "core/callback.h"
#ifndef PF_SOCKWRAP_H
......@@ -35,13 +36,16 @@ namespace sock
class SockWrapper
{
ConfigSection* config;
vector<int> callback_ids;
public:
static SockWrapper* Builder(int _recv_fd, int _send_fd);
SockWrapper(int _recv_fd, int _send_fd);
static SockWrapper* Builder(ConfigSection* _config, int _recv_fd, int _send_fd);
SockWrapper(ConfigSection* _config, int _recv_fd, int _send_fd);
virtual ~SockWrapper();
ConfigSection* getConfig() const { return config; }
virtual string Read() = 0;
virtual void Write(string s) = 0;
virtual string GetClientHostname();
......
......@@ -24,7 +24,8 @@
namespace sock
{
SockWrapperPlain::SockWrapperPlain(int _recv_fd, int _send_fd) : SockWrapper(_recv_fd, _send_fd)
SockWrapperPlain::SockWrapperPlain(ConfigSection* _config, int _recv_fd, int _send_fd)
: SockWrapper(_config, _recv_fd, _send_fd)
{
b_log[W_SOCK] << "Plain connection initialized";
}
......
......@@ -27,7 +27,7 @@ namespace sock
class SockWrapperPlain : public SockWrapper
{
public:
SockWrapperPlain(int _recv_fd, int _send_fd);
SockWrapperPlain(ConfigSection* config, int _recv_fd, int _send_fd);
~SockWrapperPlain();
string Read();
......
......@@ -18,7 +18,6 @@
#include "sockwrap_tls.h"
#include "sock.h"
#include "core/config.h"
#include <sys/socket.h>
#include <cstring>
#include "gnutls/x509.h"
......@@ -31,17 +30,15 @@ static void tls_debug_message(int level, const char* message)
b_log[W_SOCK] << "TLS debug: " << message;
}
SockWrapperTLS::SockWrapperTLS(int _recv_fd, int _send_fd) : SockWrapper(_recv_fd, _send_fd)
SockWrapperTLS::SockWrapperTLS(ConfigSection* _config, int _recv_fd, int _send_fd)
: SockWrapper(_config, _recv_fd, _send_fd)
{
tls_ok = false;
trust_check = false;
ConfigSection* c_section = conf.GetSection("aaa");
ConfigSection* c_section = getConfig()->GetSection("tls");
if (!c_section->Found())
throw TLSError::TLSError("Missing section aaa");
c_section = c_section->GetSection("tls");
if (!c_section->Found())
throw TLSError::TLSError("Missing section aaa/tls");
throw TLSError::TLSError("Missing section <inetd|daemon>/tls");
/* GNUTLS init */
b_log[W_SOCK] << "Initializing GNUTLS";
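Review bot: The replacement error text `"Missing section <inetd|daemon>/tls"` no longer tells the operator which server block lacks its `tls` sub-section, whereas the old message named `aaa/tls` precisely. If `ConfigSection` exposes the section's name, the message could be built from `getConfig()` instead of a placeholder; if it does not, a comment noting that the block is whichever one `ServerPoll::build()` selected would help. The constructor continues outside the hunk.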
......
......@@ -49,7 +49,7 @@ class SockWrapperTLS : public SockWrapper
void CheckTLSError();
public:
SockWrapperTLS(int _recv_fd, int _send_fd);
SockWrapperTLS(ConfigSection* config, int _recv_fd, int _send_fd);
string Read();
void Write(string s);
......