From c9c9ffd06f4751e9ffd714d80ab492316000c3ce Mon Sep 17 00:00:00 2001
From: Russell King <rmk+kernel@arm.linux.org.uk>
Date: Sun, 5 Jun 2016 14:43:34 +0100
Subject: Add initial support for client certificate fingerprints

Networks such as Freenode and OFTC use client certificates to identify
users and servers, not only for services, but also for server operator
status and auth blocks.

This allows us to use stronger certificates for authentication rather
than passwords.
---
 modules/m_dline.c  |  2 +-
 modules/m_gline.c  |  2 +-
 modules/m_kline.c  |  4 ++--
 modules/m_oper.c   |  3 ++-
 modules/m_stats.c  | 18 ++++++++++++------
 modules/m_webirc.c |  3 ++-
 6 files changed, 20 insertions(+), 12 deletions(-)

(limited to 'modules')

diff --git a/modules/m_dline.c b/modules/m_dline.c
index 5667d44..2a5a281 100644
--- a/modules/m_dline.c
+++ b/modules/m_dline.c
@@ -114,7 +114,7 @@ remove_dline_match(const char *host)
   else
     piphost = NULL;
 
-  if ((conf = find_conf_by_address(host, piphost, CONF_DLINE, aftype, NULL, NULL, 0)))
+  if ((conf = find_conf_by_address(host, piphost, CONF_DLINE, aftype, NULL, NULL, 0, NULL)))
   {
     if (IsConfDatabase(conf))
     {
diff --git a/modules/m_gline.c b/modules/m_gline.c
index b429351..2068dc6 100644
--- a/modules/m_gline.c
+++ b/modules/m_gline.c
@@ -144,7 +144,7 @@ remove_gline_match(const char *user, const char *host)
   else
     piphost = NULL;
 
-  if ((conf = find_conf_by_address(host, piphost, CONF_GLINE, aftype, user, NULL, 0)))
+  if ((conf = find_conf_by_address(host, piphost, CONF_GLINE, aftype, user, NULL, 0, NULL)))
   {
     if (IsConfDatabase(conf))
     {
diff --git a/modules/m_kline.c b/modules/m_kline.c
index 10b23c0..4a00dda 100644
--- a/modules/m_kline.c
+++ b/modules/m_kline.c
@@ -152,7 +152,7 @@ remove_kline_match(const char *host, const char *user)
   else
     piphost = NULL;
 
-  if ((conf = find_conf_by_address(host, piphost, CONF_KLINE, aftype, user, NULL, 0)))
+  if ((conf = find_conf_by_address(host, piphost, CONF_KLINE, aftype, user, NULL, 0, NULL)))
   {
     if (IsConfDatabase(conf))
     {
@@ -196,7 +196,7 @@ already_placed_kline(struct Client *source_p, const char *luser, const char *lho
   else
     piphost = NULL;
 
-  if ((conf = find_conf_by_address(lhost, piphost, CONF_KLINE, aftype, luser, NULL, 0)))
+  if ((conf = find_conf_by_address(lhost, piphost, CONF_KLINE, aftype, luser, NULL, 0, NULL)))
   {
     if (warn)
     {
diff --git a/modules/m_oper.c b/modules/m_oper.c
index 24a8dac..a12a7e9 100644
--- a/modules/m_oper.c
+++ b/modules/m_oper.c
@@ -114,7 +114,8 @@ m_oper(struct Client *client_p, struct Client *source_p,
     }
   }
 
-  if (match_conf_password(password, conf))
+  /* If we have valid certfp, don't check password */
+  if (!EmptyString(conf->certfp) || match_conf_password(password, conf))
   {
     if (attach_conf(source_p, conf) != 0)
     {
diff --git a/modules/m_stats.c b/modules/m_stats.c
index 023251c..0a760c5 100644
--- a/modules/m_stats.c
+++ b/modules/m_stats.c
@@ -943,10 +943,12 @@ stats_auth(struct Client *source_p, int parc, char *parv[])
                                   &source_p->localClient->ip, CONF_CLIENT,
                                   source_p->localClient->aftype,
                                   source_p->username,
-                                  source_p->localClient->passwd, 1);
+                                  source_p->localClient->passwd, 1,
+                                  source_p->certfp);
     else
       conf = find_conf_by_address(source_p->host, NULL, CONF_CLIENT,
-                                   0, source_p->username, NULL, 1);
+                                   0, source_p->username, NULL, 1,
+                                   source_p->certfp);
 
     if (conf == NULL)
       return;
@@ -1025,10 +1027,12 @@ stats_tklines(struct Client *source_p, int parc, char *parv[])
       conf = find_conf_by_address(source_p->host,
                                   &source_p->localClient->ip, CONF_KLINE,
                                   source_p->localClient->aftype,
-                                  source_p->username, NULL, 1);
+                                  source_p->username, NULL, 1,
+                                  source_p->certfp);
     else
       conf = find_conf_by_address(source_p->host, NULL, CONF_KLINE,
-                                   0, source_p->username, NULL, 1);
+                                   0, source_p->username, NULL, 1,
+                                   source_p->certfp);
 
     if (!conf)
       return;
@@ -1064,10 +1068,12 @@ stats_klines(struct Client *source_p, int parc, char *parv[])
       conf = find_conf_by_address(source_p->host,
                                   &source_p->localClient->ip, CONF_KLINE,
                                   source_p->localClient->aftype,
-                                  source_p->username, NULL, 0);
+                                  source_p->username, NULL, 0,
+                                  source_p->certfp);
     else
       conf = find_conf_by_address(source_p->host, NULL, CONF_KLINE,
-                                   0, source_p->username, NULL, 0);
+                                   0, source_p->username, NULL, 0,
+                                   source_p->certfp);
 
     if (!conf)
       return;
diff --git a/modules/m_webirc.c b/modules/m_webirc.c
index 8a53b6b..635c521 100644
--- a/modules/m_webirc.c
+++ b/modules/m_webirc.c
@@ -63,7 +63,8 @@ mr_webirc(struct Client *client_p, struct Client *source_p, int parc, char *parv
   conf = find_address_conf(source_p->host,
                            IsGotId(source_p) ? source_p->username : "webirc",
                            &source_p->localClient->ip,
-                           source_p->localClient->aftype, parv[1]);
+                           source_p->localClient->aftype, parv[1],
+                           source_p->certfp);
   if (conf == NULL || !IsConfClient(conf))
     return 0;
 
-- 
cgit