authormichael <michael@82007160-df01-0410-b94d-b575c5fd34c7>2013-06-15 19:17:25 +0000
committermichael <michael@82007160-df01-0410-b94d-b575c5fd34c7>2013-06-15 19:17:25 +0000
commitce95a3cb27a9e0fe669a81e778bf8166dba47e43 (patch)
treea37a9f806797fcd21e616c6e41293d5456ff37e8 /modules
parent625717a9fb3815adc180680339719b5ce8174916 (diff)
- Implement CERTFP
git-svn-id: svn://svn.ircd-hybrid.org/svnroot/ircd-hybrid/branches/8.1.x@2237 82007160-df01-0410-b94d-b575c5fd34c7
Diffstat (limited to 'modules')
-rw-r--r--modules/Makefile.am5
-rw-r--r--modules/Makefile.in41
-rw-r--r--modules/core/Makefile.in2
-rw-r--r--modules/core/m_server.c11
-rw-r--r--modules/m_challenge.c10
-rw-r--r--modules/m_oper.c10
-rw-r--r--modules/m_whois.c5
7 files changed, 68 insertions, 16 deletions
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 2b81b97..3d12351 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -10,6 +10,7 @@ modules_LTLIBRARIES = m_accept.la \
m_away.la \
m_capab.la \
m_cap.la \
+ m_certfp.la \
m_challenge.la \
m_close.la \
m_connect.la \
@@ -66,12 +67,13 @@ modules_LTLIBRARIES = m_accept.la \
m_xline.la
-m_challenge_la_LDFLAGS = $(MODULE_FLAGS)
m_accept_la_LDFLAGS = $(MODULE_FLAGS)
m_admin_la_LDFLAGS = $(MODULE_FLAGS)
m_away_la_LDFLAGS = $(MODULE_FLAGS)
m_capab_la_LDFLAGS = $(MODULE_FLAGS)
m_cap_la_LDFLAGS = $(MODULE_FLAGS)
+m_certfp_la_LDFLAGS = $(MODULE_FLAGS)
+m_challenge_la_LDFLAGS = $(MODULE_FLAGS)
m_close_la_LDFLAGS = $(MODULE_FLAGS)
m_connect_la_LDFLAGS = $(MODULE_FLAGS)
m_dline_la_LDFLAGS = $(MODULE_FLAGS)
@@ -131,6 +133,7 @@ m_admin_la_SOURCES = m_admin.c
m_away_la_SOURCES = m_away.c
m_capab_la_SOURCES = m_capab.c
m_cap_la_SOURCES = m_cap.c
+m_certfp_la_SOURCES = m_certfp.c
m_challenge_la_SOURCES = m_challenge.c
m_close_la_SOURCES = m_close.c
m_connect_la_SOURCES = m_connect.c
diff --git a/modules/Makefile.in b/modules/Makefile.in
index 71528c9..c220fee 100644
--- a/modules/Makefile.in
+++ b/modules/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -153,6 +153,12 @@ m_capab_la_OBJECTS = $(am_m_capab_la_OBJECTS)
m_capab_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(m_capab_la_LDFLAGS) $(LDFLAGS) -o $@
+m_certfp_la_LIBADD =
+am_m_certfp_la_OBJECTS = m_certfp.lo
+m_certfp_la_OBJECTS = $(am_m_certfp_la_OBJECTS)
+m_certfp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(m_certfp_la_LDFLAGS) $(LDFLAGS) -o $@
m_challenge_la_LIBADD =
am_m_challenge_la_OBJECTS = m_challenge.lo
m_challenge_la_OBJECTS = $(am_m_challenge_la_OBJECTS)
@@ -514,12 +520,12 @@ am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(m_accept_la_SOURCES) $(m_admin_la_SOURCES) \
$(m_away_la_SOURCES) $(m_cap_la_SOURCES) $(m_capab_la_SOURCES) \
- $(m_challenge_la_SOURCES) $(m_close_la_SOURCES) \
- $(m_connect_la_SOURCES) $(m_dline_la_SOURCES) \
- $(m_encap_la_SOURCES) $(m_eob_la_SOURCES) \
- $(m_etrace_la_SOURCES) $(m_gline_la_SOURCES) \
- $(m_globops_la_SOURCES) $(m_hash_la_SOURCES) \
- $(m_help_la_SOURCES) $(m_info_la_SOURCES) \
+ $(m_certfp_la_SOURCES) $(m_challenge_la_SOURCES) \
+ $(m_close_la_SOURCES) $(m_connect_la_SOURCES) \
+ $(m_dline_la_SOURCES) $(m_encap_la_SOURCES) \
+ $(m_eob_la_SOURCES) $(m_etrace_la_SOURCES) \
+ $(m_gline_la_SOURCES) $(m_globops_la_SOURCES) \
+ $(m_hash_la_SOURCES) $(m_help_la_SOURCES) $(m_info_la_SOURCES) \
$(m_invite_la_SOURCES) $(m_ison_la_SOURCES) \
$(m_kline_la_SOURCES) $(m_knock_la_SOURCES) \
$(m_links_la_SOURCES) $(m_list_la_SOURCES) \
@@ -543,12 +549,12 @@ SOURCES = $(m_accept_la_SOURCES) $(m_admin_la_SOURCES) \
$(m_xline_la_SOURCES)
DIST_SOURCES = $(m_accept_la_SOURCES) $(m_admin_la_SOURCES) \
$(m_away_la_SOURCES) $(m_cap_la_SOURCES) $(m_capab_la_SOURCES) \
- $(m_challenge_la_SOURCES) $(m_close_la_SOURCES) \
- $(m_connect_la_SOURCES) $(m_dline_la_SOURCES) \
- $(m_encap_la_SOURCES) $(m_eob_la_SOURCES) \
- $(m_etrace_la_SOURCES) $(m_gline_la_SOURCES) \
- $(m_globops_la_SOURCES) $(m_hash_la_SOURCES) \
- $(m_help_la_SOURCES) $(m_info_la_SOURCES) \
+ $(m_certfp_la_SOURCES) $(m_challenge_la_SOURCES) \
+ $(m_close_la_SOURCES) $(m_connect_la_SOURCES) \
+ $(m_dline_la_SOURCES) $(m_encap_la_SOURCES) \
+ $(m_eob_la_SOURCES) $(m_etrace_la_SOURCES) \
+ $(m_gline_la_SOURCES) $(m_globops_la_SOURCES) \
+ $(m_hash_la_SOURCES) $(m_help_la_SOURCES) $(m_info_la_SOURCES) \
$(m_invite_la_SOURCES) $(m_ison_la_SOURCES) \
$(m_kline_la_SOURCES) $(m_knock_la_SOURCES) \
$(m_links_la_SOURCES) $(m_list_la_SOURCES) \
@@ -788,6 +794,7 @@ modules_LTLIBRARIES = m_accept.la \
m_away.la \
m_capab.la \
m_cap.la \
+ m_certfp.la \
m_challenge.la \
m_close.la \
m_connect.la \
@@ -843,12 +850,13 @@ modules_LTLIBRARIES = m_accept.la \
m_whowas.la \
m_xline.la
-m_challenge_la_LDFLAGS = $(MODULE_FLAGS)
m_accept_la_LDFLAGS = $(MODULE_FLAGS)
m_admin_la_LDFLAGS = $(MODULE_FLAGS)
m_away_la_LDFLAGS = $(MODULE_FLAGS)
m_capab_la_LDFLAGS = $(MODULE_FLAGS)
m_cap_la_LDFLAGS = $(MODULE_FLAGS)
+m_certfp_la_LDFLAGS = $(MODULE_FLAGS)
+m_challenge_la_LDFLAGS = $(MODULE_FLAGS)
m_close_la_LDFLAGS = $(MODULE_FLAGS)
m_connect_la_LDFLAGS = $(MODULE_FLAGS)
m_dline_la_LDFLAGS = $(MODULE_FLAGS)
@@ -907,6 +915,7 @@ m_admin_la_SOURCES = m_admin.c
m_away_la_SOURCES = m_away.c
m_capab_la_SOURCES = m_capab.c
m_cap_la_SOURCES = m_cap.c
+m_certfp_la_SOURCES = m_certfp.c
m_challenge_la_SOURCES = m_challenge.c
m_close_la_SOURCES = m_close.c
m_connect_la_SOURCES = m_connect.c
@@ -1046,6 +1055,9 @@ m_cap.la: $(m_cap_la_OBJECTS) $(m_cap_la_DEPENDENCIES) $(EXTRA_m_cap_la_DEPENDEN
m_capab.la: $(m_capab_la_OBJECTS) $(m_capab_la_DEPENDENCIES) $(EXTRA_m_capab_la_DEPENDENCIES)
$(AM_V_CCLD)$(m_capab_la_LINK) -rpath $(modulesdir) $(m_capab_la_OBJECTS) $(m_capab_la_LIBADD) $(LIBS)
+m_certfp.la: $(m_certfp_la_OBJECTS) $(m_certfp_la_DEPENDENCIES) $(EXTRA_m_certfp_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(m_certfp_la_LINK) -rpath $(modulesdir) $(m_certfp_la_OBJECTS) $(m_certfp_la_LIBADD) $(LIBS)
+
m_challenge.la: $(m_challenge_la_OBJECTS) $(m_challenge_la_DEPENDENCIES) $(EXTRA_m_challenge_la_DEPENDENCIES)
$(AM_V_CCLD)$(m_challenge_la_LINK) -rpath $(modulesdir) $(m_challenge_la_OBJECTS) $(m_challenge_la_LIBADD) $(LIBS)
@@ -1219,6 +1231,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_away.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_cap.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_capab.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_certfp.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_challenge.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_close.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/m_connect.Plo@am__quote@
diff --git a/modules/core/Makefile.in b/modules/core/Makefile.in
index 749a81f..5233c93 100644
--- a/modules/core/Makefile.in
+++ b/modules/core/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
diff --git a/modules/core/m_server.c b/modules/core/m_server.c
index f869a37..8ede844 100644
--- a/modules/core/m_server.c
+++ b/modules/core/m_server.c
@@ -161,6 +161,17 @@ mr_server(struct Client *client_p, struct Client *source_p,
exit_client(client_p, client_p, "Invalid host.");
return;
+ case -4:
+ sendto_realops_flags(UMODE_ALL, L_ADMIN, SEND_NOTICE,
+ "Unauthorized server connection attempt from %s: Invalid certificate fingerprint "
+ "for server %s", get_client_name(client_p, HIDE_IP), name);
+
+ sendto_realops_flags(UMODE_ALL, L_OPER, SEND_NOTICE,
+ "Unauthorized server connection attempt from %s: Invalid certificate fingerprint "
+ "for server %s", get_client_name(client_p, MASK_IP), name);
+
+ exit_client(client_p, client_p, "Invalid certificate fingerprint.");
+ return;
/* NOT REACHED */
break;
}
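Review bot: The notices sent for `case -4` do not say which fingerprint the peer actually presented, so an admin cannot tell a rotated certificate on a legitimate link from a connection by the wrong host without reproducing the attempt. If `client_p->certfp` is already populated at this point (not visible in the hunk), the L_ADMIN notice could append `" (presented: %s)"` with `EmptyString(client_p->certfp) ? "none" : client_p->certfp` as the argument. The bare `-4` would also benefit from a comment such as `/* -4: peer certificate fingerprint does not match the configured one */`, since the function that returns it is outside the hunk. The switch itself starts before the hunk.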
diff --git a/modules/m_challenge.c b/modules/m_challenge.c
index 89b903f..83fa9ea 100644
--- a/modules/m_challenge.c
+++ b/modules/m_challenge.c
@@ -144,6 +144,16 @@ m_challenge(struct Client *client_p, struct Client *source_p,
return;
}
+ if (!EmptyString(conf->certfp))
+ {
+ if (EmptyString(source_p->certfp) || strcasecmp(source_p->certfp, conf->certfp))
+ {
+ sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
+ failed_challenge_notice(source_p, conf->name, "client certificate fingerprint mismatch");
+ return;
+ }
+ }
+
if (!generate_challenge(&challenge, &(source_p->localClient->response),
conf->rsa_public_key))
sendto_one(source_p, form_str(RPL_RSACHALLENGE),
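Review bot: The certfp gate added before generate_challenge() is repeated line for line in the m_oper.c hunk of this commit, so the two operator-authentication paths can drift apart when one of them is changed later. Moving the test into one shared helper that takes the client and the oper conf and reports whether the fingerprint requirement is met would keep both paths identical. In either copy the comparison reads more clearly with the result spelled out: `if (EmptyString(source_p->certfp) || strcasecmp(source_p->certfp, conf->certfp) != 0)`. m_challenge's body starts and ends outside the hunk.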
diff --git a/modules/m_oper.c b/modules/m_oper.c
index ea26190..52d4033 100644
--- a/modules/m_oper.c
+++ b/modules/m_oper.c
@@ -95,6 +95,16 @@ m_oper(struct Client *client_p, struct Client *source_p,
return;
}
+ if (!EmptyString(conf->certfp))
+ {
+ if (EmptyString(source_p->certfp) || strcasecmp(source_p->certfp, conf->certfp))
+ {
+ sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
+ failed_oper_notice(source_p, name, "client certificate fingerprint mismatch");
+ return;
+ }
+ }
+
if (match_conf_password(password, conf))
{
if (attach_conf(source_p, conf) != 0)
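Review bot: The reason passed to failed_oper_notice() is "client certificate fingerprint mismatch" even when the client presented no fingerprint at all, so opers reading the notice cannot tell an attempt without a client certificate from one with the wrong certificate. Splitting the reason leaves the reply to the client unchanged and makes the notice usable for triage: `failed_oper_notice(source_p, name, EmptyString(source_p->certfp) ? "no client certificate fingerprint" : "client certificate fingerprint mismatch");`. The same applies to the failed_challenge_notice() call in the m_challenge.c hunk. m_oper's body continues outside the hunk.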
diff --git a/modules/m_whois.c b/modules/m_whois.c
index b34135e..85531a2 100644
--- a/modules/m_whois.c
+++ b/modules/m_whois.c
@@ -136,6 +136,11 @@ whois_person(struct Client *source_p, struct Client *target_p)
show_ip ? target_p->sockhost : "255.255.255.255");
}
+ if (!EmptyString(target_p->certfp))
+ if (target_p == source_p || HasUMode(source_p, UMODE_OPER))
+ sendto_one(source_p, form_str(RPL_WHOISCERTFP), me.name,
+ source_p->name, target_p->name, target_p->certfp);
+
if (MyConnect(target_p))
{
#ifdef HAVE_LIBCRYPTO
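Review bot: The two nested `if` statements guarding RPL_WHOISCERTFP have no braces, so a later `else` or an extra statement placed under either of them would bind to the wrong condition and could change who is shown the fingerprint. A single braced condition states the visibility rule in one place: `if (!EmptyString(target_p->certfp) && (target_p == source_p || HasUMode(source_p, UMODE_OPER)))`. A short comment such as `/* certfp is shown only to the target itself and to operators */` would record the intent. whois_person's body starts and ends outside the hunk.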