Add support for client certificate fingerprints in o:lines.

This commit is contained in:
William Pitcock 2010-02-17 06:41:41 -06:00
parent 5155c03c96
commit ff31db8473
5 changed files with 39 additions and 0 deletions


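--- a/<PATH NOT SHOWN: file 1 of 5>
+++ b/<PATH NOT SHOWN: file 1 of 5>
@@ -240,6 +240,12 @@ operator "god" {
 */
 #umodes = locops, servnotice, operwall, wallop;
+/* fingerprint: if specified, the oper's client certificate
+* fingerprint will be checked against the specified fingerprint
+* below.
+*/
+#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
 /* snomask: specific server notice mask on oper up.
 * If this is specified an oper will not be given oper_snomask.
 */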


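--- a/<PATH NOT SHOWN: file 2 of 5>
+++ b/<PATH NOT SHOWN: file 2 of 5>
@@ -441,6 +441,12 @@ operator "god" {
 */
 #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
+/* fingerprint: if specified, the oper's client certificate
+* fingerprint will be checked against the specified fingerprint
+* below.
+*/
+#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
 /* umodes: the specific umodes this oper gets when they oper.
 * If this is specified an oper will not be given oper_umodes
 * These are described above oper_only_umodes in general {};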


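--- a/<PATH NOT SHOWN: file 3 of 5>
+++ b/<PATH NOT SHOWN: file 3 of 5>
@@ -112,6 +112,7 @@ struct oper_conf
 char *username;
 char *host;
 char *passwd;
+char *certfp;
 int flags;
 int umodes;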
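Review bot: The new `certfp` member carries no comment saying what it holds or who owns it, even though the other hunks give it two meanings at once: NULL means "no fingerprint requirement" in m_oper, and a non-NULL value is a heap string produced by rb_strdup() in the config parser. I would document that on the declaration: `char *certfp; /* required client certificate fingerprint (owned, from rb_strdup), or NULL when not enforced */`. Whatever routine releases an oper_conf should also free this string; no such change is visible in this commit, so that is worth confirming on rehash paths. The struct oper_conf definition starts and ends outside the hunk.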


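--- a/<PATH NOT SHOWN: file 4 of 5>
+++ b/<PATH NOT SHOWN: file 4 of 5>
@@ -115,6 +115,25 @@ m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *p
 return 0;
 }
+if (oper_p->certfp != NULL)
+{
+if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
+{
+sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
+ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
+name, source_p->name,
+source_p->username, source_p->host, source_p->sockhost);
+if(ConfigFileEntry.failed_oper_notice)
+{
+sendto_realops_snomask(SNO_GENERAL, L_ALL,
+"Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
+source_p->name, source_p->username, source_p->host);
+}
+return 0;
+}
+}
 if(match_oper_password(password, oper_p))
 {
 oper_up(source_p, oper_p);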
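Review bot: The fingerprint check added at the top of the hunk has no comment explaining its placement, and it is written `if (oper_p->certfp != NULL)` / `if (source_p->certfp == NULL ...)` while the surrounding code (including the new `if(ConfigFileEntry.failed_oper_notice)` and the existing `if(match_oper_password(...)`) uses the file's `if(` spacing. I would add, before the outer if: `/* An oper block that names a fingerprint rejects the attempt unless the client presented a certificate with that fingerprint; this is enforced before the password is consulted, so no certificate means no oper regardless of the password. */` and match the `if(` style. It is also worth noting in that comment that the comparison is case-insensitive (strcasecmp), which is what makes a hex digest written in either case acceptable. m_oper starts and ends outside the hunk.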


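--- a/<PATH NOT SHOWN: file 5 of 5>
+++ b/<PATH NOT SHOWN: file 5 of 5>
@@ -615,6 +615,12 @@ conf_set_oper_flags(void *data)
 set_modes_from_table(&yy_oper->flags, "flag", oper_table, args);
 }
+static void
+conf_set_oper_fingerprint(void *data)
+{
+yy_oper->certfp = rb_strdup((char *) data);
+}
 static void
 conf_set_oper_privset(void *data)
 {
@@ -2039,6 +2045,7 @@ static struct ConfEntry conf_operator_table[] =
 { "snomask", CF_QSTRING, conf_set_oper_snomask, 0, NULL },
 { "user", CF_QSTRING, conf_set_oper_user, 0, NULL },
 { "password", CF_QSTRING, conf_set_oper_password, 0, NULL },
+{ "fingerprint", CF_QSTRING, conf_set_oper_fingerprint, 0, NULL },
 { "\0", 0, NULL, 0, NULL }
 };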
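Review bot: conf_set_oper_fingerprint() in the first hunk assigns a fresh rb_strdup() into yy_oper->certfp without releasing any previous value, so a second `fingerprint` line in the same operator block leaks the first copy and silently replaces it. Releasing first is one line, assuming rb_free is the libratbox counterpart to the rb_strdup used here: `rb_free(yy_oper->certfp); yy_oper->certfp = rb_strdup((char *) data);`. The value is also stored verbatim with no length or hex-digit validation, so a mistyped fingerprint cannot match anything and silently locks that oper out; a parse-time sanity check, or at least a comment above the function stating the expected digest format, would make that failure visible. The table entry in the second hunk is consistent with its neighbours and needs no change.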