Add support for client certificate fingerprints in o:lines.

2010-02-17 06:41:41 -06:00 · 2010-02-17 06:41:41 -06:00 · d8a023eddd
parent 04a611e26e
commit d8a023eddd
5 changed files with 39 additions and 0 deletions
--- a/doc/example.conf
+++ b/doc/example.conf
@ -240,6 +240,12 @@ operator "god" {
 	 */
 	#umodes = locops, servnotice, operwall, wallop;

+	/* fingerprint: if specified, the oper's client certificate
+	 * fingerprint will be checked against the specified fingerprint
+	 * below.
+	 */
+	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
 	/* snomask: specific server notice mask on oper up.
 	 * If this is specified an oper will not be given oper_snomask.
 	 */
--- a/doc/reference.conf
+++ b/doc/reference.conf
@ -441,6 +441,12 @@ operator "god" {
 	 */
 	#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";

+	/* fingerprint: if specified, the oper's client certificate
+	 * fingerprint will be checked against the specified fingerprint
+	 * below.
+	 */
+	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
 	/* umodes: the specific umodes this oper gets when they oper.
 	 * If this is specified an oper will not be given oper_umodes
 	 * These are described above oper_only_umodes in general {};
--- a/include/s_newconf.h
+++ b/include/s_newconf.h
@ -112,6 +112,7 @@ struct oper_conf
 	char *username;
 	char *host;
 	char *passwd;
+	char *certfp;

 	int flags;
 	int umodes;
--- a/modules/m_oper.c
+++ b/modules/m_oper.c
@ -115,6 +115,25 @@ m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *p
 		return 0;
 	}

+	if (oper_p->certfp != NULL)
+	{
+		if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
+		{
+			sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
+			ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
+			     name, source_p->name,
+			     source_p->username, source_p->host, source_p->sockhost);
+
+			if(ConfigFileEntry.failed_oper_notice)
+			{
+				sendto_realops_snomask(SNO_GENERAL, L_ALL,
+						     "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
+						     source_p->name, source_p->username, source_p->host);
+			}
+			return 0;
+		}
+	}
+
 	if(match_oper_password(password, oper_p))
 	{
 		oper_up(source_p, oper_p);
--- a/src/newconf.c
+++ b/src/newconf.c
@ -615,6 +615,12 @@ conf_set_oper_flags(void *data)
 	set_modes_from_table(&yy_oper->flags, "flag", oper_table, args);
 }

+static void
+conf_set_oper_fingerprint(void *data)
+{
+	yy_oper->certfp = rb_strdup((char *) data);
+}
+
 static void
 conf_set_oper_privset(void *data)
 {
@ -2039,6 +2045,7 @@ static struct ConfEntry conf_operator_table[] =
 	{ "snomask",    CF_QSTRING, conf_set_oper_snomask,      0, NULL },
 	{ "user",	CF_QSTRING, conf_set_oper_user,		0, NULL },
 	{ "password",	CF_QSTRING, conf_set_oper_password,	0, NULL },
+	{ "fingerprint",	CF_QSTRING, conf_set_oper_fingerprint,	0, NULL },
 	{ "\0",	0, NULL, 0, NULL }
 };