author | Russell King <rmk+kernel@arm.linux.org.uk> | 2016-06-05 14:43:34 +0100 |
---|---|---|
committer | Russell King <rmk+kernel@armlinux.org.uk> | 2019-07-21 20:59:35 +0100 |
commit | 3cf1f1d92d1f70d22a5130b8ff9c602acd7f17c8 (patch) | |
tree | 567a2fbdae892b44ba309c7877cada6328d5e531 /src/hostmask.c | |
parent | 9b983823e867cfc951ccaa45832bddb5e945cc24 (diff) |
Add initial support for client certificate fingerprints
Networks such as Freenode and OFTC use client certificates to identify
users and servers, not only for services, but also for server operator
status and auth blocks.
This allows us to use stronger certificates for authentication rather
than passwords.
Diffstat (limited to 'src/hostmask.c')
-rw-r--r-- | src/hostmask.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/src/hostmask.c b/src/hostmask.c index 5d29109..2fa8280 100644 --- a/src/hostmask.c +++ b/src/hostmask.c @@ -457,7 +457,8 @@ get_mask_hash(const char *text) */ struct MaskItem * find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int type, - int fam, const char *username, const char *password, int do_match) + int fam, const char *username, const char *password, int do_match, + const char *certfp) { unsigned int hprecv = 0; dlink_node *ptr = NULL; @@ -483,6 +484,7 @@ find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int typ arec->masktype == HM_IPV6 && match_ipv6(addr, &arec->Mask.ipa.addr, arec->Mask.ipa.bits) && + (!arec->conf->certfp || (certfp && !strcmp(arec->conf->certfp, certfp))) && (!username || !cmpfunc(arec->username, username)) && (IsNeedPassword(arec->conf) || arec->conf->passwd == NULL || match_conf_password(password, arec->conf))) @@ -508,6 +510,7 @@ find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int typ arec->masktype == HM_IPV4 && match_ipv4(addr, &arec->Mask.ipa.addr, arec->Mask.ipa.bits) && + (!arec->conf->certfp || (certfp && !strcmp(arec->conf->certfp, certfp))) && (!username || !cmpfunc(arec->username, username)) && (IsNeedPassword(arec->conf) || arec->conf->passwd == NULL || match_conf_password(password, arec->conf))) @@ -533,6 +536,7 @@ find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int typ arec->precedence > hprecv && (arec->masktype == HM_HOST) && !cmpfunc(arec->Mask.hostname, name) && + (!arec->conf->certfp || (certfp && !strcmp(arec->conf->certfp, certfp))) && (!username || !cmpfunc(arec->username, username)) && (IsNeedPassword(arec->conf) || arec->conf->passwd == NULL || match_conf_password(password, arec->conf))) 
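Review bot: The new `certfp` parameter of find_conf_by_address (hunk at -457) is not described in any visible line; the header comment that closes just above the signature lies outside the hunk and should gain an entry for it. Something like `certfp - fingerprint of the client's TLS certificate, or NULL if none was presented; a block with conf->certfp set matches only on exact string equality` would do. It should also state that the value must be derived from the peer certificate of the established TLS session, because the lookup treats it as an authenticator. The function body continues outside the hunk.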
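Review bot: The same fingerprint condition is pasted into all four match sites (hunks at -483, -508, -533 and, further down, -555), so a later edit that misses one branch would leave that path accepting clients without the required certificate; a small static helper keeps them in step. The comparison is a case-sensitive `strcmp`, so it only works if the configured value and the computed fingerprint share one canonical form (hex case, separators), which is presumably enforced where they are produced but is not visible here. An empty string on both sides would also compare equal, so the helper below treats an empty presented fingerprint as absent. The enclosing loops start and end outside these hunks.

```c
/* Non-zero when the block requires no fingerprint, or when the client
 * presented a non-empty fingerprint equal to the required one. */
static int
certfp_ok(const char *required, const char *presented)
{
  if (required == NULL)
    return 1;
  if (presented == NULL || *presented == '\0')
    return 0;
  return strcmp(required, presented) == 0;
}

/* ... unchanged: type, precedence and address/host tests at each match site ... */
            certfp_ok(arec->conf->certfp, certfp) &&
/* ... unchanged: username and password tests ... */
```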
@@ -555,6 +559,7 @@ find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int typ arec->precedence > hprecv && arec->masktype == HM_HOST && !cmpfunc(arec->Mask.hostname, name) && + (!arec->conf->certfp || (certfp && !strcmp(arec->conf->certfp, certfp))) && (!username || !cmpfunc(arec->username, username)) && (IsNeedPassword(arec->conf) || arec->conf->passwd == NULL || match_conf_password(password, arec->conf))) @@ -576,13 +581,14 @@ find_conf_by_address(const char *name, struct irc_ssaddr *addr, unsigned int typ */ struct MaskItem * find_address_conf(const char *host, const char *user, - struct irc_ssaddr *ip, int aftype, char *password) + struct irc_ssaddr *ip, int aftype, char *password, + const char *certfp) { struct MaskItem *authcnf = NULL, *killcnf = NULL; /* Find the best auth{} block... If none, return NULL -A1kmm */ if ((authcnf = find_conf_by_address(host, ip, CONF_CLIENT, aftype, user, - password, 1)) == NULL) + password, 1, certfp)) == NULL) return NULL; /* If they are exempt from K-lines, return the best auth{} block. -A1kmm */ @@ -590,7 +596,7 @@ find_address_conf(const char *host, const char *user, return authcnf; /* Find the best K-line... -A1kmm */ - killcnf = find_conf_by_address(host, ip, CONF_KLINE, aftype, user, NULL, 1); + killcnf = find_conf_by_address(host, ip, CONF_KLINE, aftype, user, NULL, 1, NULL); /* * If they are K-lined, return the K-line. Otherwise, return the @@ -602,7 +608,7 @@ find_address_conf(const char *host, const char *user, if (IsConfExemptGline(authcnf)) return authcnf; - killcnf = find_conf_by_address(host, ip, CONF_GLINE, aftype, user, NULL, 1); + killcnf = find_conf_by_address(host, ip, CONF_GLINE, aftype, user, NULL, 1, NULL); if (killcnf != NULL) return killcnf; 
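Review bot: The K-line and G-line lookups in find_address_conf (hunks at -590 and -602) pass `NULL` for `certfp`, yet the fingerprint test added to find_conf_by_address runs for every `type`, so a ban entry whose `conf->certfp` happened to be set would never match and the ban would silently not apply. The D-line and exempt lookups in find_dline_conf (hunk at -620) behave the same way. If ban entries can never carry a fingerprint (likely, but not shown here), a comment at these calls such as `/* bans are matched without regard to certificate fingerprint */` makes that explicit; otherwise the test should be limited to the conf types that are meant to carry one. find_address_conf continues outside these hunks.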
@@ -620,11 +626,11 @@ find_dline_conf(struct irc_ssaddr *addr, int aftype) { struct MaskItem *eline; - eline = find_conf_by_address(NULL, addr, CONF_EXEMPT, aftype, NULL, NULL, 1); + eline = find_conf_by_address(NULL, addr, CONF_EXEMPT, aftype, NULL, NULL, 1, NULL); if (eline != NULL) return eline; - return find_conf_by_address(NULL, addr, CONF_DLINE, aftype, NULL, NULL, 1); + return find_conf_by_address(NULL, addr, CONF_DLINE, aftype, NULL, NULL, 1, NULL); } /* void add_conf_by_address(int, struct MaskItem *aconf) |