src/modules/m_sslinfo.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *
   6  * This file is part of InspIRCd.  InspIRCd is free software: you can
   7  * redistribute it and/or modify it under the terms of the GNU General Public
   8  * License as published by the Free Software Foundation, version 2.
   9  *
  10  * This program is distributed in the hope that it will be useful, but WITHOUT
  11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  12  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  13  * details.
  14  *
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17  */
  18
  19
  20 #include "inspircd.h"
  21 #include "modules/ssl.h"
  22
  23 class SSLCertExt : public ExtensionItem {
  24  public:
  25         SSLCertExt(Module* parent) : ExtensionItem("ssl_cert", parent) {}
  26         ssl_cert* get(const Extensible* item) const
  27         {
  28                 return static_cast<ssl_cert*>(get_raw(item));
  29         }
  30         void set(Extensible* item, ssl_cert* value)
  31         {
  32                 value->refcount_inc();
  33                 ssl_cert* old = static_cast<ssl_cert*>(set_raw(item, value));
  34                 if (old && old->refcount_dec())
  35                         delete old;
  36         }
  37
  38         std::string serialize(SerializeFormat format, const Extensible* container, void* item) const
  39         {
  40                 return static_cast<ssl_cert*>(item)->GetMetaLine();
  41         }
  42
  43         void unserialize(SerializeFormat format, Extensible* container, const std::string& value)
  44         {
  45                 ssl_cert* cert = new ssl_cert;
  46                 set(container, cert);
  47
  48                 std::stringstream s(value);
  49                 std::string v;
  50                 getline(s,v,' ');
  51
  52                 cert->invalid = (v.find('v') != std::string::npos);
  53                 cert->trusted = (v.find('T') != std::string::npos);
  54                 cert->revoked = (v.find('R') != std::string::npos);
  55                 cert->unknownsigner = (v.find('s') != std::string::npos);
  56                 if (v.find('E') != std::string::npos)
  57                 {
  58                         getline(s,cert->error,'\n');
  59                 }
  60                 else
  61                 {
  62                         getline(s,cert->fingerprint,' ');
  63                         getline(s,cert->dn,' ');
  64                         getline(s,cert->issuer,'\n');
  65                 }
  66         }
  67
  68         void free(void* item)
  69         {
  70                 ssl_cert* old = static_cast<ssl_cert*>(item);
  71                 if (old && old->refcount_dec())
  72                         delete old;
  73         }
  74 };
  75
  76 /** Handle /SSLINFO
  77  */
  78 class CommandSSLInfo : public Command
  79 {
  80  public:
  81         SSLCertExt CertExt;
  82
  83         CommandSSLInfo(Module* Creator) : Command(Creator, "SSLINFO", 1), CertExt(Creator)
  84         {
  85                 this->syntax = "<nick>";
  86         }
  87
  88         CmdResult Handle (const std::vector<std::string> &parameters, User *user)
  89         {
  90                 User* target = ServerInstance->FindNickOnly(parameters[0]);
  91
  92                 if ((!target) || (target->registered != REG_ALL))
  93                 {
  94                         user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str());
  95                         return CMD_FAILURE;
  96                 }
  97                 bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
  98                 if (operonlyfp && !user->IsOper() && target != user)
  99                 {
 100                         user->WriteNotice("*** You cannot view SSL certificate information for other users");
 101                         return CMD_FAILURE;
 102                 }
 103                 ssl_cert* cert = CertExt.get(target);
 104                 if (!cert)
 105                 {
 106                         user->WriteNotice("*** No SSL certificate for this user");
 107                 }
 108                 else if (cert->GetError().length())
 109                 {
 110                         user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ").");
 111                 }
 112                 else
 113                 {
 114                         user->WriteNotice("*** Distinguished Name: " + cert->GetDN());
 115                         user->WriteNotice("*** Issuer:             " + cert->GetIssuer());
 116                         user->WriteNotice("*** Key Fingerprint:    " + cert->GetFingerprint());
 117                 }
 118                 return CMD_SUCCESS;
 119         }
 120 };
 121
 122 class UserCertificateAPIImpl : public UserCertificateAPIBase
 123 {
 124         SSLCertExt& ext;
 125
 126  public:
 127         UserCertificateAPIImpl(Module* mod, SSLCertExt& certext)
 128                 : UserCertificateAPIBase(mod), ext(certext)
 129         {
 130         }
 131
 132         ssl_cert* GetCertificate(User* user) CXX11_OVERRIDE
 133         {
 134                 return ext.get(user);
 135         }
 136 };
 137
 138 class ModuleSSLInfo : public Module
 139 {
 140         CommandSSLInfo cmd;
 141         UserCertificateAPIImpl APIImpl;
 142
 143  public:
 144         ModuleSSLInfo()
 145                 : cmd(this), APIImpl(this, cmd.CertExt)
 146         {
 147         }
 148
 149         void init() CXX11_OVERRIDE
 150         {
 151                 ServerInstance->Modules->AddService(APIImpl);
 152                 ServerInstance->Modules->AddService(cmd);
 153                 ServerInstance->Modules->AddService(cmd.CertExt);
 154         }
 155
 156         Version GetVersion() CXX11_OVERRIDE
 157         {
 158                 return Version("SSL Certificate Utilities", VF_VENDOR);
 159         }
 160
 161         void OnWhois(User* source, User* dest) CXX11_OVERRIDE
 162         {
 163                 ssl_cert* cert = cmd.CertExt.get(dest);
 164                 if (cert)
 165                 {
 166                         ServerInstance->SendWhoisLine(source, dest, 671, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str());
 167                         bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
 168                         if ((!operonlyfp || source == dest || source->IsOper()) && !cert->fingerprint.empty())
 169                                 ServerInstance->SendWhoisLine(source, dest, 276, "%s %s :has client certificate fingerprint %s",
 170                                         source->nick.c_str(), dest->nick.c_str(), cert->fingerprint.c_str());
 171                 }
 172         }
 173
 174         ModResult OnPreCommand(std::string &command, std::vector<std::string> &parameters, LocalUser *user, bool validated, const std::string &original_line) CXX11_OVERRIDE
 175         {
 176                 if ((command == "OPER") && (validated))
 177                 {
 178                         OperIndex::iterator i = ServerInstance->Config->oper_blocks.find(parameters[0]);
 179                         if (i != ServerInstance->Config->oper_blocks.end())
 180                         {
 181                                 OperInfo* ifo = i->second;
 182                                 ssl_cert* cert = cmd.CertExt.get(user);
 183
 184                                 if (ifo->oper_block->getBool("sslonly") && !cert)
 185                                 {
 186                                         user->WriteNumeric(491, "%s :This oper login requires an SSL connection.", user->nick.c_str());
 187                                         user->CommandFloodPenalty += 10000;
 188                                         return MOD_RES_DENY;
 189                                 }
 190
 191                                 std::string fingerprint;
 192                                 if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || cert->GetFingerprint() != fingerprint))
 193                                 {
 194                                         user->WriteNumeric(491, "%s :This oper login requires a matching SSL fingerprint.",user->nick.c_str());
 195                                         user->CommandFloodPenalty += 10000;
 196                                         return MOD_RES_DENY;
 197                                 }
 198                         }
 199                 }
 200
 201                 // Let core handle it for extra stuff
 202                 return MOD_RES_PASSTHRU;
 203         }
 204
 205         void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
 206         {
 207                 ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
 208                 if (cert)
 209                         cmd.CertExt.set(user, cert);
 210         }
 211
 212         void OnPostConnect(User* user) CXX11_OVERRIDE
 213         {
 214                 ssl_cert *cert = cmd.CertExt.get(user);
 215                 if (!cert || cert->fingerprint.empty())
 216                         return;
 217                 // find an auto-oper block for this user
 218                 for(OperIndex::iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); i++)
 219                 {
 220                         OperInfo* ifo = i->second;
 221                         std::string fp = ifo->oper_block->getString("fingerprint");
 222                         if (fp == cert->fingerprint && ifo->oper_block->getBool("autologin"))
 223                                 user->Oper(ifo);
 224                 }
 225         }
 226
 227         ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
 228         {
 229                 ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
 230                 bool ok = true;
 231                 if (myclass->config->getString("requiressl") == "trusted")
 232                 {
 233                         ok = (cert && cert->IsCAVerified());
 234                 }
 235                 else if (myclass->config->getBool("requiressl"))
 236                 {
 237                         ok = (cert != NULL);
 238                 }
 239
 240                 if (!ok)
 241                         return MOD_RES_DENY;
 242                 return MOD_RES_PASSTHRU;
 243         }
 244 };
 245
 246 MODULE_INIT(ModuleSSLInfo)