src/modules/m_sslinfo.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *
   6  * This file is part of InspIRCd.  InspIRCd is free software: you can
   7  * redistribute it and/or modify it under the terms of the GNU General Public
   8  * License as published by the Free Software Foundation, version 2.
   9  *
  10  * This program is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  13  * details.
  14  *
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17  */
  18
  19
  20 #include "inspircd.h"
  21 #include "modules/ssl.h"
  22
  23 class SSLCertExt : public ExtensionItem {
  24  public:
  25         SSLCertExt(Module* parent) : ExtensionItem("ssl_cert", parent) {}
  26         ssl_cert* get(const Extensible* item) const
  27         {
  28                 return static_cast<ssl_cert*>(get_raw(item));
  29         }
  30         void set(Extensible* item, ssl_cert* value)
  31         {
  32                 value->refcount_inc();
  33                 ssl_cert* old = static_cast<ssl_cert*>(set_raw(item, value));
  34                 if (old && old->refcount_dec())
  35                         delete old;
  36         }
  37
  38         std::string serialize(SerializeFormat format, const Extensible* container, void* item) const
  39         {
  40                 return static_cast<ssl_cert*>(item)->GetMetaLine();
  41         }
  42
  43         void unserialize(SerializeFormat format, Extensible* container, const std::string& value)
  44         {
  45                 ssl_cert* cert = new ssl_cert;
  46                 set(container, cert);
  47
  48                 std::stringstream s(value);
  49                 std::string v;
  50                 getline(s,v,' ');
  51
  52                 cert->invalid = (v.find('v') != std::string::npos);
  53                 cert->trusted = (v.find('T') != std::string::npos);
  54                 cert->revoked = (v.find('R') != std::string::npos);
  55                 cert->unknownsigner = (v.find('s') != std::string::npos);
  56                 if (v.find('E') != std::string::npos)
  57                 {
  58                         getline(s,cert->error,'\n');
  59                 }
  60                 else
  61                 {
  62                         getline(s,cert->fingerprint,' ');
  63                         getline(s,cert->dn,' ');
  64                         getline(s,cert->issuer,'\n');
  65                 }
  66         }
  67
  68         void free(void* item)
  69         {
  70                 ssl_cert* old = static_cast<ssl_cert*>(item);
  71                 if (old && old->refcount_dec())
  72                         delete old;
  73         }
  74 };
  75
  76 /** Handle /SSLINFO
  77  */
  78 class CommandSSLInfo : public Command
  79 {
  80  public:
  81         SSLCertExt CertExt;
  82
  83         CommandSSLInfo(Module* Creator) : Command(Creator, "SSLINFO", 1), CertExt(Creator)
  84         {
  85                 this->syntax = "<nick>";
  86         }
  87
  88         CmdResult Handle (const std::vector<std::string> &parameters, User *user)
  89         {
  90                 User* target = ServerInstance->FindNickOnly(parameters[0]);
  91
  92                 if ((!target) || (target->registered != REG_ALL))
  93                 {
  94                         user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str());
  95                         return CMD_FAILURE;
  96                 }
  97                 bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
  98                 if (operonlyfp && !user->IsOper() && target != user)
  99                 {
 100                         user->WriteNotice("*** You cannot view SSL certificate information for other users");
 101                         return CMD_FAILURE;
 102                 }
 103                 ssl_cert* cert = CertExt.get(target);
 104                 if (!cert)
 105                 {
 106                         user->WriteNotice("*** No SSL certificate for this user");
 107                 }
 108                 else if (cert->GetError().length())
 109                 {
 110                         user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ").");
 111                 }
 112                 else
 113                 {
 114                         user->WriteNotice("*** Distinguished Name: " + cert->GetDN());
 115                         user->WriteNotice("*** Issuer:             " + cert->GetIssuer());
 116                         user->WriteNotice("*** Key Fingerprint:    " + cert->GetFingerprint());
 117                 }
 118                 return CMD_SUCCESS;
 119         }
 120 };
 121
 122 class UserCertificateAPIImpl : public UserCertificateAPIBase
 123 {
 124         SSLCertExt& ext;
 125
 126  public:
 127         UserCertificateAPIImpl(Module* mod, SSLCertExt& certext)
 128                 : UserCertificateAPIBase(mod), ext(certext)
 129         {
 130         }
 131
 132         ssl_cert* GetCertificate(User* user) CXX11_OVERRIDE
 133         {
 134                 return ext.get(user);
 135         }
 136 };
 137
 138 class ModuleSSLInfo : public Module
 139 {
 140         CommandSSLInfo cmd;
 141         UserCertificateAPIImpl APIImpl;
 142
 143  public:
 144         ModuleSSLInfo()
 145                 : cmd(this), APIImpl(this, cmd.CertExt)
 146         {
 147         }
 148
 149         void init() CXX11_OVERRIDE
 150         {
 151                 ServerInstance->Modules->AddService(APIImpl);
 152                 ServerInstance->Modules->AddService(cmd);
 153                 ServerInstance->Modules->AddService(cmd.CertExt);
 154
 155                 Implementation eventlist[] = { I_OnWhois, I_OnPreCommand, I_OnSetConnectClass, I_OnUserConnect, I_OnPostConnect };
 156                 ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 157         }
 158
 159         Version GetVersion() CXX11_OVERRIDE
 160         {
 161                 return Version("SSL Certificate Utilities", VF_VENDOR);
 162         }
 163
 164         void OnWhois(User* source, User* dest) CXX11_OVERRIDE
 165         {
 166                 ssl_cert* cert = cmd.CertExt.get(dest);
 167                 if (cert)
 168                 {
 169                         ServerInstance->SendWhoisLine(source, dest, 671, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str());
 170                         bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
 171                         if ((!operonlyfp || source == dest || source->IsOper()) && !cert->fingerprint.empty())
 172                                 ServerInstance->SendWhoisLine(source, dest, 276, "%s %s :has client certificate fingerprint %s",
 173                                         source->nick.c_str(), dest->nick.c_str(), cert->fingerprint.c_str());
 174                 }
 175         }
 176
 177         ModResult OnPreCommand(std::string &command, std::vector<std::string> &parameters, LocalUser *user, bool validated, const std::string &original_line) CXX11_OVERRIDE
 178         {
 179                 if ((command == "OPER") && (validated))
 180                 {
 181                         OperIndex::iterator i = ServerInstance->Config->oper_blocks.find(parameters[0]);
 182                         if (i != ServerInstance->Config->oper_blocks.end())
 183                         {
 184                                 OperInfo* ifo = i->second;
 185                                 ssl_cert* cert = cmd.CertExt.get(user);
 186
 187                                 if (ifo->oper_block->getBool("sslonly") && !cert)
 188                                 {
 189                                         user->WriteNumeric(491, "%s :This oper login requires an SSL connection.", user->nick.c_str());
 190                                         user->CommandFloodPenalty += 10000;
 191                                         return MOD_RES_DENY;
 192                                 }
 193
 194                                 std::string fingerprint;
 195                                 if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || cert->GetFingerprint() != fingerprint))
 196                                 {
 197                                         user->WriteNumeric(491, "%s :This oper login requires a matching SSL fingerprint.",user->nick.c_str());
 198                                         user->CommandFloodPenalty += 10000;
 199                                         return MOD_RES_DENY;
 200                                 }
 201                         }
 202                 }
 203
 204                 // Let core handle it for extra stuff
 205                 return MOD_RES_PASSTHRU;
 206         }
 207
 208         void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
 209         {
 210                 ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
 211                 if (cert)
 212                         cmd.CertExt.set(user, cert);
 213         }
 214
 215         void OnPostConnect(User* user) CXX11_OVERRIDE
 216         {
 217                 ssl_cert *cert = cmd.CertExt.get(user);
 218                 if (!cert || cert->fingerprint.empty())
 219                         return;
 220                 // find an auto-oper block for this user
 221                 for(OperIndex::iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); i++)
 222                 {
 223                         OperInfo* ifo = i->second;
 224                         std::string fp = ifo->oper_block->getString("fingerprint");
 225                         if (fp == cert->fingerprint && ifo->oper_block->getBool("autologin"))
 226                                 user->Oper(ifo);
 227                 }
 228         }
 229
 230         ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
 231         {
 232                 ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
 233                 bool ok = true;
 234                 if (myclass->config->getString("requiressl") == "trusted")
 235                 {
 236                         ok = (cert && cert->IsCAVerified());
 237                 }
 238                 else if (myclass->config->getBool("requiressl"))
 239                 {
 240                         ok = (cert != NULL);
 241                 }
 242
 243                 if (!ok)
 244                         return MOD_RES_DENY;
 245                 return MOD_RES_PASSTHRU;
 246         }
 247 };
 248
 249 MODULE_INIT(ModuleSSLInfo)