Add support for client certificate fingerprints in o:lines.
parent
5155c03c96
commit
ff31db8473
5 changed files with 39 additions and 0 deletions
|
@ -240,6 +240,12 @@ operator "god" {
|
|||
*/
|
||||
#umodes = locops, servnotice, operwall, wallop;
|
||||
|
||||
/* fingerprint: if specified, the oper's client certificate
|
||||
* fingerprint will be checked against the specified fingerprint
|
||||
* below.
|
||||
*/
|
||||
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
|
||||
|
||||
/* snomask: specific server notice mask on oper up.
|
||||
* If this is specified an oper will not be given oper_snomask.
|
||||
*/
|
||||
|
|
|
@ -441,6 +441,12 @@ operator "god" {
|
|||
*/
|
||||
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
|
||||
|
||||
/* fingerprint: if specified, the oper's client certificate
|
||||
* fingerprint will be checked against the specified fingerprint
|
||||
* below.
|
||||
*/
|
||||
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
|
||||
|
||||
/* umodes: the specific umodes this oper gets when they oper.
|
||||
* If this is specified an oper will not be given oper_umodes
|
||||
* These are described above oper_only_umodes in general {};
|
||||
|
|
|
@ -112,6 +112,7 @@ struct oper_conf
|
|||
char *username;
|
||||
char *host;
|
||||
char *passwd;
|
||||
char *certfp;
|
||||
|
||||
int flags;
|
||||
int umodes;
|
||||
|
|
|
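Review bot: `char *certfp;` adds a heap-owned string to struct oper_conf (it is filled by `rb_strdup` in the config setter), but nothing in this commit releases it. The five hunks shown account for all 39 additions, and none touches the code that frees an oper_conf. That destructor is presumably outside this page; it should release `certfp` with `rb_free` alongside the other string fields, otherwise each rehash leaks one allocation per operator block that sets a fingerprint. A field comment such as `/* required client certificate fingerprint, NULL if not enforced */` would also make the NULL-means-unchecked contract explicit. The struct definition starts and ends outside the hunk.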
@ -115,6 +115,25 @@ m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *p
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (oper_p->certfp != NULL)
|
||||
{
|
||||
if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
|
||||
{
|
||||
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
|
||||
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
|
||||
name, source_p->name,
|
||||
source_p->username, source_p->host, source_p->sockhost);
|
||||
|
||||
if(ConfigFileEntry.failed_oper_notice)
|
||||
{
|
||||
sendto_realops_snomask(SNO_GENERAL, L_ALL,
|
||||
"Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
|
||||
source_p->name, source_p->username, source_p->host);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if(match_oper_password(password, oper_p))
|
||||
{
|
||||
oper_up(source_p, oper_p);
|
||||
|
|
|
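Review bot: The fingerprint requirement is enforced only on this OPER path, so any other way of gaining operator status from the same block is not covered by it. The reference config in this commit documents `rsa_public_key_file` in the same operator block, and no challenge-response handler is among the five changed files. If that path calls `oper_up()` on its own, a block that sets both options would still grant oper without the pinned certificate. The same `oper_p->certfp` comparison should be applied there, ideally through one shared helper. The `ilog` line would also be more useful for triage if it recorded the presented value, e.g. `source_p->certfp ? source_p->certfp : "none"`. m_oper's body begins and ends outside the hunk.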
@ -615,6 +615,12 @@ conf_set_oper_flags(void *data)
|
|||
set_modes_from_table(&yy_oper->flags, "flag", oper_table, args);
|
||||
}
|
||||
|
||||
static void
|
||||
conf_set_oper_fingerprint(void *data)
|
||||
{
|
||||
yy_oper->certfp = rb_strdup((char *) data);
|
||||
}
|
||||
|
||||
static void
|
||||
conf_set_oper_privset(void *data)
|
||||
{
|
||||
|
@ -2039,6 +2045,7 @@ static struct ConfEntry conf_operator_table[] =
|
|||
{ "snomask", CF_QSTRING, conf_set_oper_snomask, 0, NULL },
|
||||
{ "user", CF_QSTRING, conf_set_oper_user, 0, NULL },
|
||||
{ "password", CF_QSTRING, conf_set_oper_password, 0, NULL },
|
||||
{ "fingerprint", CF_QSTRING, conf_set_oper_fingerprint, 0, NULL },
|
||||
{ "\0", 0, NULL, 0, NULL }
|
||||
};
|
||||
|
||||
|
|
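Review bot: `conf_set_oper_fingerprint` writes to `yy_oper`, and nothing visible in this commit carries the value from there into the oper_conf entries that m_oper later looks up. If the end-of-block code (outside these hunks) builds the per-user entries by copying fields out of `yy_oper`, `certfp` has to be copied as well. Otherwise `oper_p->certfp` stays NULL and the new check in m_oper is skipped without any warning, which fails open. The setter also overwrites a previous value when `fingerprint` appears twice in one block; `rb_free(yy_oper->certfp);` before the `rb_strdup` avoids that leak. Rejecting an empty or non-hex value here with a config error would catch typos at rehash time rather than at the first failed OPER.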