mr_server: Report certificate fingerprint mismatches

Log the received certificate fingerprint when it causes a server to be
rejected.
This commit is contained in:
Simon Arlott 2016-04-23 17:32:24 +01:00
parent b49efe577c
commit 84e3e445aa
No known key found for this signature in database
GPG key ID: C8975F2043CA5D24
2 changed files with 27 additions and 3 deletions

View file

@ -347,6 +347,9 @@ check_server(const char *name, struct Client *client_p)
rb_dlink_node *ptr; rb_dlink_node *ptr;
int error = -1; int error = -1;
const char *encr; const char *encr;
bool name_matched = false;
bool host_matched = false;
bool certfp_failed = false;
s_assert(NULL != client_p); s_assert(NULL != client_p);
if(client_p == NULL) if(client_p == NULL)
@ -368,14 +371,14 @@ check_server(const char *name, struct Client *client_p)
if(!match(tmp_p->name, name)) if(!match(tmp_p->name, name))
continue; continue;
error = -3; name_matched = true;
/* XXX: Fix me for IPv6 */ /* XXX: Fix me for IPv6 */
/* XXX sockhost is the IPv4 ip as a string */ /* XXX sockhost is the IPv4 ip as a string */
if(match(tmp_p->host, client_p->host) || if(match(tmp_p->host, client_p->host) ||
match(tmp_p->host, client_p->sockhost)) match(tmp_p->host, client_p->sockhost))
{ {
error = -2; host_matched = true;
if(tmp_p->passwd) if(tmp_p->passwd)
{ {
@ -397,9 +400,11 @@ check_server(const char *name, struct Client *client_p)
if(tmp_p->certfp) if(tmp_p->certfp)
{ {
if(!client_p->certfp || rb_strcasecmp(tmp_p->certfp, client_p->certfp) != 0) if(!client_p->certfp || rb_strcasecmp(tmp_p->certfp, client_p->certfp) != 0) {
certfp_failed = true;
continue; continue;
} }
}
server_p = tmp_p; server_p = tmp_p;
break; break;
@ -407,7 +412,17 @@ check_server(const char *name, struct Client *client_p)
} }
if(server_p == NULL) if(server_p == NULL)
{
/* return the most specific error */
if(certfp_failed)
error = -6;
else if(host_matched)
error = -2;
else if(name_matched)
error = -3;
return error; return error;
}
if(ServerConfSSL(server_p) && client_p->localClient->ssl_ctl == NULL) if(ServerConfSSL(server_p) && client_p->localClient->ssl_ctl == NULL)
{ {

View file

@ -188,6 +188,15 @@ mr_server(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sourc
exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext"); exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext");
return; return;
case -6:
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Connection from servername %s has invalid certificate fingerprint %s",
name, client_p->certfp);
ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
client_p->certfp, log_client_name(client_p, SHOW_IP));
exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
return;
default: default:
sendto_realops_snomask(SNO_GENERAL, L_ALL, sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Connection from servername %s rejected, unknown error %d", "Connection from servername %s rejected, unknown error %d",