authordanieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7>2010-02-02 23:24:30 +0000
committerdanieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7>2010-02-02 23:24:30 +0000
commit05c75aba6b4bf77a8731cd017149b8a40c9182b9 (patch)
tree161b2a40f82fc12a921b962421a306616710e4d4 /src
parent7487030d1e9120b3ffcecde064740ba36de9d8d0 (diff)
Allow SSL fingerprint hash to be specified, and show fingerprint to client on connect
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@12357 e03df62e-2008-0410-955e-edbf42e46eb7
Diffstat (limited to 'src')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp51
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp44
-rw-r--r--src/modules/m_sasl.cpp4
3 files changed, 48 insertions, 51 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index df3709f10..374431752 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -122,12 +122,8 @@ class ModuleSSLGnuTLS : public Module
gnutls_certificate_credentials x509_cred;
gnutls_dh_params dh_params;
+ gnutls_digest_algorithm_t hash;
- std::string keyfile;
- std::string certfile;
-
- std::string cafile;
- std::string crlfile;
std::string sslports;
int dh_bits;
@@ -192,32 +188,32 @@ class ModuleSSLGnuTLS : public Module
if(param != "ssl")
return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string crlfile;
OnRehash(user);
ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
- cafile = Conf->getString("cafile");
- crlfile = Conf->getString("crlfile");
- certfile = Conf->getString("certfile");
- keyfile = Conf->getString("keyfile");
+ cafile = Conf->getString("cafile", "conf/ca.pem");
+ crlfile = Conf->getString("crlfile", "conf/crl.pem");
+ certfile = Conf->getString("certfile", "conf/cert.pem");
+ keyfile = Conf->getString("keyfile", "conf/key.pem");
dh_bits = Conf->getInt("dhbits");
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
-
- if (crlfile.empty())
- crlfile = "conf/crl.pem";
-
- if (certfile.empty())
- certfile = "conf/cert.pem";
-
- if (keyfile.empty())
- keyfile = "conf/key.pem";
+ std::string hashname = Conf->getString("hash", "md5");
if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096))
dh_bits = 1024;
+ if (hashname == "md5")
+ hash = GNUTLS_DIG_MD5;
+ else if (hashname == "sha1")
+ hash = GNUTLS_DIG_SHA1;
+ else
+ throw ModuleException("Unknown hash type " + hashname);
+
+
int ret;
if (cred_alloc)
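Review bot: The new `hash` option at L65 defaults to `md5`, so every server that does not set it shows — and lets anything consuming m_sslinfo match on — an MD5 certificate fingerprint, a digest for which chosen-prefix collisions were already public, and SHA-1 is the only alternative offered. GnuTLS exposes `GNUTLS_DIG_SHA256`, so add `else if (hashname == "sha256") hash = GNUTLS_DIG_SHA256;` and consider making that the default while keeping `md5` selectable for deployments that already recorded MD5 fingerprints. The comparison is case-sensitive, so `hash="MD5"` throws on rehash; lowercasing `hashname` first, or documenting the accepted spellings in the thrown message, avoids a surprise outage. Note that the throw happens before the credentials are (re)loaded, so a typo leaves the previously configured `hash` in effect — worth a one-line comment at L73.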
@@ -556,11 +552,16 @@ class ModuleSSLGnuTLS : public Module
{
if (sessions[user->GetFd()].sess)
{
- SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
+ ssl_cert* cert = sessions[user->GetFd()].cert;
+ SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), cert);
std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
- user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ if (cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ else
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\""
+ " and your SSL fingerprint is %s", user->nick.c_str(), cipher.c_str(), cert->fingerprint.c_str());
}
}
}
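Review bot: `cert->fingerprint.empty()` at L89 dereferences `sessions[user->GetFd()].cert` unconditionally, whereas the previous code only handed the pointer through to SSLCertSubmission; if a session can reach this point with a null cert (for instance a handshake that completed before the certificate record was populated), this is a null dereference reachable by any connecting client. Guard it and fall back to the cipher-only notice: `if (cert && !cert->fingerprint.empty())`. Whether `cert` can be null here is not visible in this hunk — confirm against the place where `sessions[].cert` is assigned. The enclosing function starts before this hunk.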
@@ -652,7 +653,7 @@ class ModuleSSLGnuTLS : public Module
gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
certinfo->issuer = name;
- if ((ret = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, digest, &digest_size)) < 0)
+ if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0)
{
certinfo->error = gnutls_strerror(ret);
}
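Review bot: `gnutls_x509_crt_get_fingerprint` at L101 now writes a digest whose length depends on the configured `hash` (16 bytes for MD5, 20 for SHA-1), but `digest` and `digest_size` are declared outside the hunk and were presumably sized when MD5 was the only option. If `digest` is too small the call fails and `certinfo->error` is set — no overflow, but every client's fingerprint silently disappears; if the hex-encoding loop that follows iterates a hard-coded 16, a SHA-1 fingerprint is truncated. Size `digest` for the largest selectable algorithm (20 bytes today, 32 if SHA-256 is added), pass the real buffer size in `digest_size`, and format exactly `digest_size` bytes afterwards. The enclosing function starts and ends outside this hunk.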
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index c46b93117..261105969 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -89,12 +89,8 @@ class ModuleSSLOpenSSL : public Module
char cipher[MAXBUF];
- std::string keyfile;
- std::string certfile;
- std::string cafile;
- // std::string crlfile;
- std::string dhfile;
std::string sslports;
+ bool use_sha;
ServiceProvider iohook;
public:
@@ -168,27 +164,23 @@ class ModuleSSLOpenSSL : public Module
if (param != "ssl")
return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string dhfile;
OnRehash(user);
- ConfigReader Conf;
-
- cafile = Conf.ReadValue("openssl", "cafile", 0);
- certfile = Conf.ReadValue("openssl", "certfile", 0);
- keyfile = Conf.ReadValue("openssl", "keyfile", 0);
- dhfile = Conf.ReadValue("openssl", "dhfile", 0);
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
+ ConfigTag* conf = ServerInstance->Config->ConfValue("openssl");
- if (certfile.empty())
- certfile = "conf/cert.pem";
+ cafile = conf->getString("cafile", "conf/ca.pem");
+ certfile = conf->getString("certfile", "conf/cert.pem");
+ keyfile = conf->getString("keyfile", "conf/key.pem");
+ dhfile = conf->getString("dhfile", "conf/dhparams.pem");
+ std::string hash = conf->getString("hash", "md5");
+ if (hash != "sha1" && hash != "md5")
+ throw ModuleException("Unknown hash type " + hash);
+ use_sha = (hash == "sha1");
- if (keyfile.empty())
- keyfile = "conf/key.pem";
-
- if (dhfile.empty())
- dhfile = "conf/dhparams.pem";
/* Load our keys and certificates
* NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
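Review bot: As in the GnuTLS module, `hash` defaults to `md5` (L145) and the only alternative is SHA-1, so the fingerprint shown to users — and usable by anything consuming m_sslinfo to identify a client — is a collision-broken digest by default. Instead of the `use_sha` bool, resolve the choice once here into a `const EVP_MD* digest` member (`EVP_md5()`, `EVP_sha1()`, `EVP_sha256()`), which makes SHA-256 a one-line addition and keeps the verify path free of selection logic. `use_sha` is also assigned only on this rehash path; unless the constructor initialises it (not visible here), a certificate verified before the first rehash reads an indeterminate value. The comparison is case-sensitive, so `hash="SHA1"` throws on rehash; document the accepted spellings or lowercase the value first.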
@@ -253,6 +245,10 @@ class ModuleSSLOpenSSL : public Module
if (sessions[user->GetFd()].sess)
{
SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
+
+ if (!sessions[user->GetFd()].cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint %s",
+ user->nick.c_str(), sessions[user->GetFd()].cert->fingerprint.c_str());
}
}
}
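Review bot: `sessions[user->GetFd()].cert->fingerprint` at L161 dereferences the session's cert pointer without a null check, whereas the pre-existing line above only passes the pointer through to SSLCertSubmission. If a session can carry a null cert at this point (not determinable from this hunk — check where `session->cert` is assigned), a client can trigger a crash on connect. `ssl_cert* cert = sessions[user->GetFd()].cert; if (cert && !cert->fingerprint.empty())` closes that and also drops the repeated map lookup. The enclosing function starts before the hunk.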
@@ -382,7 +378,7 @@ class ModuleSSLOpenSSL : public Module
char* buffer = ServerInstance->GetReadBuffer();
size_t bufsiz = ServerInstance->Config->NetBufferSize;
int ret = SSL_read(session->sess, buffer, bufsiz);
-
+
if (ret > 0)
{
recvq.append(buffer, ret);
@@ -563,7 +559,7 @@ class ModuleSSLOpenSSL : public Module
session->cert = certinfo;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *digest = EVP_md5();
+ const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
cert = SSL_get_peer_certificate((SSL*)session->sess);
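Review bot: The digest selected at L181 is now variable-length (16 or 20 bytes), and although `md[EVP_MAX_MD_SIZE]` and `n` can hold any size, the hex-formatting loop that consumes them lies outside the hunk — if it iterates a fixed 16 it will truncate SHA-1 fingerprints, so it must loop over `n`. `SSL_get_peer_certificate` on the last line can return NULL (no client certificate); that check is also outside the hunk and should be confirmed to happen before `cert` is used. Prefer a `const EVP_MD*` member chosen at rehash over the `use_sha ? EVP_sha1() : EVP_md5()` ternary so adding SHA-256 does not require a second flag. The enclosing function starts and ends outside the hunk.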
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 4dcb350bc..3c3b1d2a0 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -252,8 +252,8 @@ class ModuleSASL : public Module
{
if (myclass->config->getBool("requiresasl"))
{
- AccountExtItem* ext = GetAccountExtItem();
- if (ext && !ext.get(user))
+ const AccountExtItem* ext = GetAccountExtItem();
+ if (ext && !ext->get(user))
return MOD_RES_DENY;
}
return MOD_RES_PASSTHRU;
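Review bot: The `requiresasl` check at L194 fails open: when `GetAccountExtItem()` returns null (the account extension item is not registered, e.g. its providing module is not loaded), `ext && !ext->get(user)` is false and the connect class is granted without any SASL authentication. For an option whose purpose is to deny unauthenticated clients, the safe default is to deny when the check cannot be performed: `if (!ext || !ext->get(user)) return MOD_RES_DENY;`, ideally with a log line so the operator sees why clients are being rejected. The enclosing function starts before the hunk.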