]> git.netwichtig.de Git - user/henk/code/inspircd.git/blob - src/modules/m_sslinfo.cpp
projects / user / henk / code / inspircd.git / blob
? search:


4623b318fdc3ec92bd49662042e62918c2ceceb8
[user/henk/code/inspircd.git] / src / modules / m_sslinfo.cpp
1 /*
2  * InspIRCd -- Internet Relay Chat Daemon
3  *
4  *   Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
5  *   Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
6  *   Copyright (C) 2013, 2017-2020 Sadie Powell <sadie@witchery.services>
7  *   Copyright (C) 2012-2016 Attila Molnar <attilamolnar@hush.com>
8  *   Copyright (C) 2012 Robby <robby@chatbelgie.be>
9  *   Copyright (C) 2010 Adam <Adam@anope.org>
10  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
11  *   Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
12  *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
13  *   Copyright (C) 2006-2007, 2009-2010 Craig Edwards <brain@inspircd.org>
14  *
15  * This file is part of InspIRCd.  InspIRCd is free software: you can
16  * redistribute it and/or modify it under the terms of the GNU General Public
17  * License as published by the Free Software Foundation, version 2.
18  *
19  * This program is distributed in the hope that it will be useful, but WITHOUT
20  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
21  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
22  * details.
23  *
24  * You should have received a copy of the GNU General Public License
25  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
26  */
27
28
29 #include "inspircd.h"
30 #include "modules/ssl.h"
31 #include "modules/webirc.h"
32 #include "modules/whois.h"
33 #include "modules/who.h"
34
35 enum
36 {
37         // From oftc-hybrid.
38         RPL_WHOISCERTFP = 276,
39
40         // From UnrealIRCd.
41         RPL_WHOISSECURE = 671
42 };
43
44 class SSLCertExt : public ExtensionItem
45 {
46  public:
47         SSLCertExt(Module* parent)
48                 : ExtensionItem("ssl_cert", ExtensionItem::EXT_USER, parent)
49         {
50         }
51
52         ssl_cert* get(const Extensible* item) const
53         {
54                 return static_cast<ssl_cert*>(get_raw(item));
55         }
56
57         void set(Extensible* item, ssl_cert* value)
58         {
59                 value->refcount_inc();
60                 ssl_cert* old = static_cast<ssl_cert*>(set_raw(item, value));
61                 if (old && old->refcount_dec())
62                         delete old;
63         }
64
65         void unset(Extensible* container)
66         {
67                 free(container, unset_raw(container));
68         }
69
70         std::string ToNetwork(const Extensible* container, void* item) const CXX11_OVERRIDE
71         {
72                 return static_cast<ssl_cert*>(item)->GetMetaLine();
73         }
74
75         void FromNetwork(Extensible* container, const std::string& value) CXX11_OVERRIDE
76         {
77                 ssl_cert* cert = new ssl_cert;
78                 set(container, cert);
79
80                 std::stringstream s(value);
81                 std::string v;
82                 getline(s,v,' ');
83
84                 cert->invalid = (v.find('v') != std::string::npos);
85                 cert->trusted = (v.find('T') != std::string::npos);
86                 cert->revoked = (v.find('R') != std::string::npos);
87                 cert->unknownsigner = (v.find('s') != std::string::npos);
88                 if (v.find('E') != std::string::npos)
89                 {
90                         getline(s,cert->error,'\n');
91                 }
92                 else
93                 {
94                         getline(s,cert->fingerprint,' ');
95                         getline(s,cert->dn,' ');
96                         getline(s,cert->issuer,'\n');
97                 }
98         }
99
100         void free(Extensible* container, void* item) CXX11_OVERRIDE
101         {
102                 ssl_cert* old = static_cast<ssl_cert*>(item);
103                 if (old && old->refcount_dec())
104                         delete old;
105         }
106 };
107
108 class UserCertificateAPIImpl : public UserCertificateAPIBase
109 {
110  public:
111         LocalIntExt nosslext;
112         SSLCertExt sslext;
113
114         UserCertificateAPIImpl(Module* mod)
115                 : UserCertificateAPIBase(mod)
116                 , nosslext("no_ssl_cert", ExtensionItem::EXT_USER, mod)
117                 , sslext(mod)
118         {
119         }
120
121         ssl_cert* GetCertificate(User* user) CXX11_OVERRIDE
122         {
123                 ssl_cert* cert = sslext.get(user);
124                 if (cert)
125                         return cert;
126
127                 LocalUser* luser = IS_LOCAL(user);
128                 if (!luser || nosslext.get(luser))
129                         return NULL;
130
131                 cert = SSLClientCert::GetCertificate(&luser->eh);
132                 if (!cert)
133                         return NULL;
134
135                 SetCertificate(user, cert);
136                 return cert;
137         }
138
139         void SetCertificate(User* user, ssl_cert* cert) CXX11_OVERRIDE
140         {
141                 ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting TLS (SSL) client certificate for %s: %s",
142                         user->GetFullHost().c_str(), cert->GetMetaLine().c_str());
143                 sslext.set(user, cert);
144         }
145 };
146
147 class CommandSSLInfo : public SplitCommand
148 {
149  public:
150         UserCertificateAPIImpl sslapi;
151         bool operonlyfp;
152
153         CommandSSLInfo(Module* Creator)
154                 : SplitCommand(Creator, "SSLINFO", 1)
155                 , sslapi(Creator)
156         {
157                 allow_empty_last_param = false;
158                 syntax = "<nick>";
159         }
160
161         CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE
162         {
163                 User* target = ServerInstance->FindNickOnly(parameters[0]);
164                 if ((!target) || (target->registered != REG_ALL))
165                 {
166                         user->WriteNumeric(Numerics::NoSuchNick(parameters[0]));
167                         return CMD_FAILURE;
168                 }
169
170                 if (operonlyfp && !user->IsOper() && target != user)
171                 {
172                         user->WriteNotice("*** You cannot view TLS (SSL) client certificate information for other users");
173                         return CMD_FAILURE;
174                 }
175
176                 ssl_cert* cert = sslapi.GetCertificate(target);
177                 if (!cert)
178                 {
179                         user->WriteNotice(InspIRCd::Format("*** %s is not connected using TLS (SSL).", target->nick.c_str()));
180                 }
181                 else if (cert->GetError().length())
182                 {
183                         user->WriteNotice(InspIRCd::Format("*** %s is connected using TLS (SSL) but has not specified a valid client certificate (%s).",
184                                 target->nick.c_str(), cert->GetError().c_str()));
185                 }
186                 else
187                 {
188                         user->WriteNotice("*** Distinguished Name: " + cert->GetDN());
189                         user->WriteNotice("*** Issuer:             " + cert->GetIssuer());
190                         user->WriteNotice("*** Key Fingerprint:    " + cert->GetFingerprint());
191                 }
192
193                 return CMD_SUCCESS;
194         }
195 };
196
197 class ModuleSSLInfo
198         : public Module
199         , public WebIRC::EventListener
200         , public Whois::EventListener
201         , public Who::EventListener
202 {
203  private:
204         CommandSSLInfo cmd;
205
206         bool MatchFP(ssl_cert* const cert, const std::string& fp) const
207         {
208                 return irc::spacesepstream(fp).Contains(cert->GetFingerprint());
209         }
210
211  public:
212         ModuleSSLInfo()
213                 : WebIRC::EventListener(this)
214                 , Whois::EventListener(this)
215                 , Who::EventListener(this)
216                 , cmd(this)
217         {
218         }
219
220         void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
221         {
222                 ConfigTag* tag = ServerInstance->Config->ConfValue("sslinfo");
223                 cmd.operonlyfp = tag->getBool("operonly");
224         }
225
226         Version GetVersion() CXX11_OVERRIDE
227         {
228                 return Version("Adds user facing TLS (SSL) information, various TLS (SSL) configuration options, and the /SSLINFO command to look up TLS (SSL) certificate information for other users.", VF_VENDOR);
229         }
230
231         void OnWhois(Whois::Context& whois) CXX11_OVERRIDE
232         {
233                 ssl_cert* cert = cmd.sslapi.GetCertificate(whois.GetTarget());
234                 if (cert)
235                 {
236                         whois.SendLine(RPL_WHOISSECURE, "is using a secure connection");
237                         if ((!cmd.operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty())
238                                 whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS (SSL) client certificate fingerprint %s", cert->fingerprint.c_str()));
239                 }
240         }
241
242         ModResult OnWhoLine(const Who::Request& request, LocalUser* source, User* user, Membership* memb, Numeric::Numeric& numeric) CXX11_OVERRIDE
243         {
244                 size_t flag_index;
245                 if (!request.GetFieldIndex('f', flag_index))
246                         return MOD_RES_PASSTHRU;
247
248                 ssl_cert* cert = cmd.sslapi.GetCertificate(user);
249                 if (cert)
250                         numeric.GetParams()[flag_index].push_back('s');
251
252                 return MOD_RES_PASSTHRU;
253         }
254
255         ModResult OnPreCommand(std::string& command, CommandBase::Params& parameters, LocalUser* user, bool validated) CXX11_OVERRIDE
256         {
257                 if ((command == "OPER") && (validated))
258                 {
259                         ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.find(parameters[0]);
260                         if (i != ServerInstance->Config->oper_blocks.end())
261                         {
262                                 OperInfo* ifo = i->second;
263                                 ssl_cert* cert = cmd.sslapi.GetCertificate(user);
264
265                                 if (ifo->oper_block->getBool("sslonly") && !cert)
266                                 {
267                                         user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials");
268                                         user->CommandFloodPenalty += 10000;
269                                         ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': a secure connection is required.", user->GetFullRealHost().c_str(), parameters[0].c_str());
270                                         return MOD_RES_DENY;
271                                 }
272
273                                 std::string fingerprint;
274                                 if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || !MatchFP(cert, fingerprint)))
275                                 {
276                                         user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials");
277                                         user->CommandFloodPenalty += 10000;
278                                         ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS (SSL) client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str());
279                                         return MOD_RES_DENY;
280                                 }
281                         }
282                 }
283
284                 // Let core handle it for extra stuff
285                 return MOD_RES_PASSTHRU;
286         }
287
288         void OnPostConnect(User* user) CXX11_OVERRIDE
289         {
290                 LocalUser* const localuser = IS_LOCAL(user);
291                 if (!localuser)
292                         return;
293
294                 const SSLIOHook* const ssliohook = SSLIOHook::IsSSL(&localuser->eh);
295                 if (!ssliohook || cmd.sslapi.nosslext.get(localuser))
296                         return;
297
298                 ssl_cert* const cert = ssliohook->GetCertificate();
299
300                 std::string text = "*** You are connected to ";
301                 if (!ssliohook->GetServerName(text))
302                         text.append(ServerInstance->Config->GetServerName());
303                 text.append(" using TLS (SSL) cipher '");
304                 ssliohook->GetCiphersuite(text);
305                 text.push_back('\'');
306                 if (cert && !cert->GetFingerprint().empty())
307                         text.append(" and your TLS (SSL) client certificate fingerprint is ").append(cert->GetFingerprint());
308                 user->WriteNotice(text);
309
310                 if (!cert)
311                         return;
312
313                 // Find an auto-oper block for this user
314                 for (ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); ++i)
315                 {
316                         OperInfo* ifo = i->second;
317                         std::string fp = ifo->oper_block->getString("fingerprint");
318                         if (MatchFP(cert, fp) && ifo->oper_block->getBool("autologin"))
319                                 user->Oper(ifo);
320                 }
321         }
322
323         ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
324         {
325                 ssl_cert* cert = cmd.sslapi.GetCertificate(user);
326                 const char* error = NULL;
327                 const std::string requiressl = myclass->config->getString("requiressl");
328                 if (stdalgo::string::equalsci(requiressl, "trusted"))
329                 {
330                         if (!cert || !cert->IsCAVerified())
331                                 error = "a trusted TLS (SSL) client certificate";
332                 }
333                 else if (myclass->config->getBool("requiressl"))
334                 {
335                         if (!cert)
336                                 error = "a TLS (SSL) connection";
337                 }
338
339                 if (error)
340                 {
341                         ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires %s",
342                                 myclass->GetName().c_str(), error);
343                         return MOD_RES_DENY;
344                 }
345
346                 return MOD_RES_PASSTHRU;
347         }
348
349         void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE
350         {
351                 // We are only interested in connection flags. If none have been
352                 // given then we have nothing to do.
353                 if (!flags)
354                         return;
355
356                 // We only care about the tls connection flag if the connection
357                 // between the gateway and the server is secure.
358                 if (!cmd.sslapi.GetCertificate(user))
359                         return;
360
361                 WebIRC::FlagMap::const_iterator iter = flags->find("secure");
362                 if (iter == flags->end())
363                 {
364                         // If this is not set then the connection between the client and
365                         // the gateway is not secure.
366                         cmd.sslapi.nosslext.set(user, 1);
367                         cmd.sslapi.sslext.unset(user);
368                         return;
369                 }
370
371                 // Create a fake ssl_cert for the user.
372                 ssl_cert* cert = new ssl_cert;
373                 cert->error = "WebIRC users can not specify valid certs yet";
374                 cert->invalid = true;
375                 cert->revoked = true;
376                 cert->trusted = false;
377                 cert->unknownsigner = true;
378                 cmd.sslapi.SetCertificate(user, cert);
379         }
380 };
381
382 MODULE_INIT(ModuleSSLInfo)