author | Russell King <rmk+kernel@arm.linux.org.uk> | 2016-06-05 14:43:34 +0100 |
---|---|---|
committer | Russell King <rmk+kernel@armlinux.org.uk> | 2016-06-05 17:47:57 +0100 |
commit | c9c9ffd06f4751e9ffd714d80ab492316000c3ce (patch) | |
tree | b286cd210a50f470538d02b812f3f0570dc00f2e /src/s_serv.c | |
parent | 38b49b8eb23738f78776db1e3263175e760b66c2 (diff) |
Add initial support for client certificate fingerprints
Networks such as Freenode and OFTC use client certificates to identify
users and servers, not only for services, but also for server operator
status and auth blocks.
This allows us to use stronger certificates for authentication rather
than passwords.
Diffstat (limited to 'src/s_serv.c')
-rw-r--r-- | src/s_serv.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/s_serv.c b/src/s_serv.c
index c516fd9..66919bb 100644
--- a/src/s_serv.c
+++ b/src/s_serv.c
@@ -398,7 +398,9 @@ check_server(const char *name, struct Client *client_p)
 {
 error = -2;
- if (!match_conf_password(client_p->localClient->passwd, conf))
+ /* If no password configured, accept any (use fingerprint) */
+ if (!EmptyString(conf->passwd) &&
+ !match_conf_password(client_p->localClient->passwd, conf))
 return -2;
 if (!EmptyString(conf->certfp))
@@ -900,7 +902,7 @@ ssl_server_handshake(fde_t *fd, struct Client *client_p)
 {
 unsigned int i = 0, n = 0;
- if (X509_digest(cert, EVP_sha256(), md, &n))
+ if (X509_digest(cert, EVP_sha1(), md, &n))
 {
 for (; i < n; ++i)
 snprintf(buf + 2 * i, 3, "%02X", md[i]); |
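Review bot: In check_server, a connect block with neither `conf->passwd` nor `conf->certfp` set now passes both tests, so the peer is accepted on the host match alone. The password comparison is skipped when the password is empty, and the following `if (!EmptyString(conf->certfp))` only compares a fingerprint when one is configured. Unless the configuration parser (not visible here) already rejects such blocks, add an explicit guard before the password test, for example `if (EmptyString(conf->passwd) && EmptyString(conf->certfp)) return -2;`. The new comment should also say that a fingerprint becomes mandatory when no password is set, rather than "accept any". check_server's body starts and ends outside the hunk.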
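Review bot: In ssl_server_handshake the fingerprint digest changes from `EVP_sha256()` to `EVP_sha1()`, a weaker hash, and neither the code nor the commit message explains why. That matters more now that the first hunk lets the fingerprint stand in for the password. If the reason is compatibility with fingerprints in the format other networks publish (a guess from the description), record it in a comment such as `/* SHA-1 for compatibility with existing certfp lists; weaker than SHA-256 */`, or keep SHA-256 and make the digest a configuration option. Any `certfp` values already configured from the SHA-256 output will presumably stop matching after this change, which deserves a note for operators. The function's body starts and ends outside the hunk.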