aboutsummaryrefslogtreecommitdiff
path: root/modules/haproxy.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2026-04-03 23:06:38 +0100
committerGravatar Sadie Powell2026-04-03 23:50:56 +0100
commit4f2054f9ce5aeb8c30d8364da09edd9f154116ae (patch)
treed4babbaaf8a288e178adb1269635dc375ca9b3a5 /modules/haproxy.cpp
parentAdd the new TLS API. (diff)
Switch modules over to the new TLS API.
Diffstat (limited to 'modules/haproxy.cpp')
-rw-r--r--modules/haproxy.cpp38
1 files changed, 19 insertions, 19 deletions
diff --git a/modules/haproxy.cpp b/modules/haproxy.cpp
index 46769220a..ee650892b 100644
--- a/modules/haproxy.cpp
+++ b/modules/haproxy.cpp
@@ -20,8 +20,7 @@
#include "inspircd.h"
-#include "iohook.h"
-#include "modules/ssl.h"
+#include "modules/tls.h"
enum
{
@@ -107,16 +106,25 @@ struct HAProxyHeader final
uint16_t length;
};
+struct HAProxyCertificate final
+ : public TLS::Certificate
+{
+ HAProxyCertificate()
+ {
+ this->error ="HAProxy does not forward client TLS certificates";
+ }
+};
+
class HAProxyHookProvider final
: public IOHookProvider
{
private:
- UserCertificateAPI sslapi;
+ TLS::API tlsapi;
public:
HAProxyHookProvider(const WeakModulePtr& mod)
: IOHookProvider(mod, "haproxy", true)
- , sslapi(mod)
+ , tlsapi(mod)
{
}
@@ -148,7 +156,7 @@ private:
irc::sockets::sockaddrs server;
// The API for interacting with user TLS internals.
- UserCertificateAPI& sslapi;
+ TLS::API& tlsapi;
// The current state of the PROXY parser.
HAProxyState state = HPS_WAITING_FOR_HEADER;
@@ -199,7 +207,7 @@ private:
// If the sslinfo module is not loaded we can't
// do anything with this TLV.
- if (!sslapi)
+ if (!tlsapi)
return true;
// If the client is not connecting via TLS the rest of this TLV is irrelevant.
@@ -207,19 +215,11 @@ private:
if ((recvq[start_index] & PP2_CLIENT_SSL) == 0)
return true;
- // Create a fake ssl_cert for the user. Ideally we should use the user's
+ // Create a fake TLS cert for the user. Ideally we should use the user's
// TLS client certificate here but as of 2018-10-16 this is not forwarded
// by HAProxy.
- auto cert = std::make_shared<ssl_cert>();
- cert->error = "HAProxy does not forward client TLS certificates";
- cert->invalid = true;
- cert->revoked = true;
- cert->trusted = false;
- cert->unknownsigner = true;
-
- // Extract the user for this socket and set their certificate.
auto* luser = sock->GetData<LocalUserIO>()->user;
- sslapi->SetCertificate(luser, cert);
+ tlsapi->SetCertificate(luser, std::make_shared<HAProxyCertificate>());
return true;
}
@@ -377,9 +377,9 @@ private:
}
public:
- HAProxyHook(const std::shared_ptr<IOHookProvider>& Prov, StreamSocket* sock, UserCertificateAPI& api)
+ HAProxyHook(const std::shared_ptr<IOHookProvider>& Prov, StreamSocket* sock, TLS::API& api)
: IOHookMiddle(Prov)
- , sslapi(api)
+ , tlsapi(api)
{
sock->AddIOHook(this);
}
@@ -417,7 +417,7 @@ public:
void HAProxyHookProvider::OnAccept(StreamSocket* sock, const irc::sockets::sockaddrs& client, const irc::sockets::sockaddrs& server)
{
- new HAProxyHook(shared_from_this(), sock, sslapi);
+ new HAProxyHook(shared_from_this(), sock, tlsapi);
}
class ModuleHAProxy final