Add support for client certificate fingerprints in o:lines.
This commit is contained in:
parent
5155c03c96
commit
ff31db8473
5 changed files with 39 additions and 0 deletions
|
@ -240,6 +240,12 @@ operator "god" {
|
||||||
*/
|
*/
|
||||||
#umodes = locops, servnotice, operwall, wallop;
|
#umodes = locops, servnotice, operwall, wallop;
|
||||||
|
|
||||||
|
/* fingerprint: if specified, the oper's client certificate
|
||||||
|
* fingerprint will be checked against the specified fingerprint
|
||||||
|
* below.
|
||||||
|
*/
|
||||||
|
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
|
||||||
|
|
||||||
/* snomask: specific server notice mask on oper up.
|
/* snomask: specific server notice mask on oper up.
|
||||||
* If this is specified an oper will not be given oper_snomask.
|
* If this is specified an oper will not be given oper_snomask.
|
||||||
*/
|
*/
|
||||||
|
|
|
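Review bot: The new comment block says the oper's certificate fingerprint "will be checked against the specified fingerprint below" but never says what form that value must take, so a reader has to guess from the 40-hex-digit example (presumably a SHA-1 digest, but the page does not say). The m_oper.c hunk compares it with strcasecmp against the fingerprint the server already holds for the connection, so the value must be the same bare hex string the server computes, and case does not matter. Suggest extending the comment: ` * below. Give it as the bare hex digest string the server computes for the client certificate (the example is 40 hex digits); the comparison is case-insensitive and the password is still required.` The identical comment block in the second hunk (the later `operator "god"` hunk at -441) needs the same change.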
@ -441,6 +441,12 @@ operator "god" {
|
||||||
*/
|
*/
|
||||||
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
|
#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
|
||||||
|
|
||||||
|
/* fingerprint: if specified, the oper's client certificate
|
||||||
|
* fingerprint will be checked against the specified fingerprint
|
||||||
|
* below.
|
||||||
|
*/
|
||||||
|
#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
|
||||||
|
|
||||||
/* umodes: the specific umodes this oper gets when they oper.
|
/* umodes: the specific umodes this oper gets when they oper.
|
||||||
* If this is specified an oper will not be given oper_umodes
|
* If this is specified an oper will not be given oper_umodes
|
||||||
* These are described above oper_only_umodes in general {};
|
* These are described above oper_only_umodes in general {};
|
||||||
|
|
|
@ -112,6 +112,7 @@ struct oper_conf
|
||||||
char *username;
|
char *username;
|
||||||
char *host;
|
char *host;
|
||||||
char *passwd;
|
char *passwd;
|
||||||
|
char *certfp;
|
||||||
|
|
||||||
int flags;
|
int flags;
|
||||||
int umodes;
|
int umodes;
|
||||||
|
|
|
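Review bot: `char *certfp;` is added to struct oper_conf without a comment, and unlike the neighbouring fields it carries an ownership and format contract that a reader cannot recover from the header alone: the newconf.c hunk fills it with rb_strdup(), and m_oper.c treats NULL as "no fingerprint configured". Suggest `char *certfp;  /* pinned client cert fingerprint (hex, compared case-insensitively); heap-owned, NULL if unset */`. The struct definition starts before this hunk.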
@ -115,6 +115,25 @@ m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *p
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (oper_p->certfp != NULL)
|
||||||
|
{
|
||||||
|
if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
|
||||||
|
{
|
||||||
|
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
|
||||||
|
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
|
||||||
|
name, source_p->name,
|
||||||
|
source_p->username, source_p->host, source_p->sockhost);
|
||||||
|
|
||||||
|
if(ConfigFileEntry.failed_oper_notice)
|
||||||
|
{
|
||||||
|
sendto_realops_snomask(SNO_GENERAL, L_ALL,
|
||||||
|
"Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
|
||||||
|
source_p->name, source_p->username, source_p->host);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(match_oper_password(password, oper_p))
|
if(match_oper_password(password, oper_p))
|
||||||
{
|
{
|
||||||
oper_up(source_p, oper_p);
|
oper_up(source_p, oper_p);
|
||||||
|
|
|
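Review bot: The new fingerprint branch has no comment explaining its place in the sequence of checks, which matters because it is easy to misread a pinned certificate as an alternative to the password rather than an extra requirement; the `if(match_oper_password(...))` that follows shows the password is still required. Suggest a comment above `if (oper_p->certfp != NULL)`: `/* An o:line may pin a client certificate fingerprint; if it does, the connection must present a matching certificate in addition to the password checked below. The client gets the generic ERR_NOOPERHOST reply, so it is not told which check failed. */`. The ilog call uses `name`, which is declared before this hunk, and m_oper() itself starts and ends outside the hunk.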
@ -615,6 +615,12 @@ conf_set_oper_flags(void *data)
|
||||||
set_modes_from_table(&yy_oper->flags, "flag", oper_table, args);
|
set_modes_from_table(&yy_oper->flags, "flag", oper_table, args);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
conf_set_oper_fingerprint(void *data)
|
||||||
|
{
|
||||||
|
yy_oper->certfp = rb_strdup((char *) data);
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
conf_set_oper_privset(void *data)
|
conf_set_oper_privset(void *data)
|
||||||
{
|
{
|
||||||
|
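Review bot: conf_set_oper_fingerprint overwrites `yy_oper->certfp` with a fresh rb_strdup() without releasing any previous value, so a second `fingerprint = ...;` line in the same operator block leaks the first string. Prefix the assignment with `rb_free(yy_oper->certfp);` (rb_free accepts NULL) so the setter is idempotent like a reassignable option should be. Separately, the struct gains a heap-allocated member in the struct oper_conf hunk, but none of the hunks on this page free `certfp` where an oper_conf is torn down; if that routine lives in a file this commit does not touch, the string is also leaked on every rehash and should be released next to `passwd`. There is no format check on the value either, so a typo in the configured hex string only shows up as every oper attempt failing; rejecting values that are not hex of the expected length at parse time would surface that earlier, though that can be a follow-up.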
@ -2039,6 +2045,7 @@ static struct ConfEntry conf_operator_table[] =
|
||||||
{ "snomask", CF_QSTRING, conf_set_oper_snomask, 0, NULL },
|
{ "snomask", CF_QSTRING, conf_set_oper_snomask, 0, NULL },
|
||||||
{ "user", CF_QSTRING, conf_set_oper_user, 0, NULL },
|
{ "user", CF_QSTRING, conf_set_oper_user, 0, NULL },
|
||||||
{ "password", CF_QSTRING, conf_set_oper_password, 0, NULL },
|
{ "password", CF_QSTRING, conf_set_oper_password, 0, NULL },
|
||||||
|
{ "fingerprint", CF_QSTRING, conf_set_oper_fingerprint, 0, NULL },
|
||||||
{ "\0", 0, NULL, 0, NULL }
|
{ "\0", 0, NULL, 0, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|