diff options
author | danieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7> | 2010-02-02 23:24:30 +0000 |
---|---|---|
committer | danieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7> | 2010-02-02 23:24:30 +0000 |
commit | 05c75aba6b4bf77a8731cd017149b8a40c9182b9 (patch) | |
tree | 161b2a40f82fc12a921b962421a306616710e4d4 /src | |
parent | 7487030d1e9120b3ffcecde064740ba36de9d8d0 (diff) |
Allow SSL fingerprint hash to be specified, and show fingerprint to client on connect
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@12357 e03df62e-2008-0410-955e-edbf42e46eb7
Diffstat (limited to 'src')
-rw-r--r-- | src/modules/extra/m_ssl_gnutls.cpp | 51 | ||||
-rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 44 | ||||
-rw-r--r-- | src/modules/m_sasl.cpp | 4 |
3 files changed, 48 insertions, 51 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index df3709f10..374431752 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -122,12 +122,8 @@ class ModuleSSLGnuTLS : public Module gnutls_certificate_credentials x509_cred; gnutls_dh_params dh_params; + gnutls_digest_algorithm_t hash; - std::string keyfile; - std::string certfile; - - std::string cafile; - std::string crlfile; std::string sslports; int dh_bits; @@ -192,32 +188,32 @@ class ModuleSSLGnuTLS : public Module if(param != "ssl") return; + std::string keyfile; + std::string certfile; + std::string cafile; + std::string crlfile; OnRehash(user); ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls"); - cafile = Conf->getString("cafile"); - crlfile = Conf->getString("crlfile"); - certfile = Conf->getString("certfile"); - keyfile = Conf->getString("keyfile"); + cafile = Conf->getString("cafile", "conf/ca.pem"); + crlfile = Conf->getString("crlfile", "conf/crl.pem"); + certfile = Conf->getString("certfile", "conf/cert.pem"); + keyfile = Conf->getString("keyfile", "conf/key.pem"); dh_bits = Conf->getInt("dhbits"); - - // Set all the default values needed. - if (cafile.empty()) - cafile = "conf/ca.pem"; - - if (crlfile.empty()) - crlfile = "conf/crl.pem"; - - if (certfile.empty()) - certfile = "conf/cert.pem"; - - if (keyfile.empty()) - keyfile = "conf/key.pem"; + std::string hashname = Conf->getString("hash", "md5"); if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096)) dh_bits = 1024; + if (hashname == "md5") + hash = GNUTLS_DIG_MD5; + else if (hashname == "sha1") + hash = GNUTLS_DIG_SHA1; + else + throw ModuleException("Unknown hash type " + hashname); + + int ret; if (cred_alloc) @@ -556,11 +552,16 @@ class ModuleSSLGnuTLS : public Module { if (sessions[user->GetFd()].sess) { - SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert); + ssl_cert* cert = sessions[user->GetFd()].cert; + SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), cert); std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess)); cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-"); cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess))); - user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str()); + if (cert->fingerprint.empty()) + user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str()); + else + user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"" + " and your SSL fingerprint is %s", user->nick.c_str(), cipher.c_str(), cert->fingerprint.c_str()); } } } @@ -652,7 +653,7 @@ class ModuleSSLGnuTLS : public Module gnutls_x509_crt_get_issuer_dn(cert, name, &name_size); certinfo->issuer = name; - if ((ret = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, digest, &digest_size)) < 0) + if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0) { certinfo->error = gnutls_strerror(ret); } diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index c46b93117..261105969 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -89,12 +89,8 @@ class ModuleSSLOpenSSL : public Module char cipher[MAXBUF]; - std::string keyfile; - std::string certfile; - std::string cafile; - // std::string crlfile; - std::string dhfile; std::string sslports; + bool use_sha; ServiceProvider iohook; public: @@ -168,27 +164,23 @@ class ModuleSSLOpenSSL : public Module if (param != "ssl") return; + std::string keyfile; + std::string certfile; + std::string cafile; + std::string dhfile; OnRehash(user); - ConfigReader Conf; - - cafile = Conf.ReadValue("openssl", "cafile", 0); - certfile = Conf.ReadValue("openssl", "certfile", 0); - keyfile = Conf.ReadValue("openssl", "keyfile", 0); - dhfile = Conf.ReadValue("openssl", "dhfile", 0); - - // Set all the default values needed. - if (cafile.empty()) - cafile = "conf/ca.pem"; + ConfigTag* conf = ServerInstance->Config->ConfValue("openssl"); - if (certfile.empty()) - certfile = "conf/cert.pem"; + cafile = conf->getString("cafile", "conf/ca.pem"); + certfile = conf->getString("certfile", "conf/cert.pem"); + keyfile = conf->getString("keyfile", "conf/key.pem"); + dhfile = conf->getString("dhfile", "conf/dhparams.pem"); + std::string hash = conf->getString("hash", "md5"); + if (hash != "sha1" && hash != "md5") + throw ModuleException("Unknown hash type " + hash); + use_sha = (hash == "sha1"); - if (keyfile.empty()) - keyfile = "conf/key.pem"; - - if (dhfile.empty()) - dhfile = "conf/dhparams.pem"; /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. @@ -253,6 +245,10 @@ class ModuleSSLOpenSSL : public Module if (sessions[user->GetFd()].sess) { SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert); + + if (!sessions[user->GetFd()].cert->fingerprint.empty()) + user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint %s", + user->nick.c_str(), sessions[user->GetFd()].cert->fingerprint.c_str()); } } } @@ -382,7 +378,7 @@ class ModuleSSLOpenSSL : public Module char* buffer = ServerInstance->GetReadBuffer(); size_t bufsiz = ServerInstance->Config->NetBufferSize; int ret = SSL_read(session->sess, buffer, bufsiz); - + if (ret > 0) { recvq.append(buffer, ret); @@ -563,7 +559,7 @@ class ModuleSSLOpenSSL : public Module session->cert = certinfo; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *digest = EVP_md5(); + const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5(); cert = SSL_get_peer_certificate((SSL*)session->sess); diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp index 4dcb350bc..3c3b1d2a0 100644 --- a/src/modules/m_sasl.cpp +++ b/src/modules/m_sasl.cpp @@ -252,8 +252,8 @@ class ModuleSASL : public Module { if (myclass->config->getBool("requiresasl")) { - AccountExtItem* ext = GetAccountExtItem(); - if (ext && !ext.get(user)) + const AccountExtItem* ext = GetAccountExtItem(); + if (ext && !ext->get(user)) return MOD_RES_DENY; } return MOD_RES_PASSTHRU; |