Show SSL fingerprint in /WHOIS line, allow fingerprints to be hidden from non-opers...
index b67498072426a2e8ec6e38dc6443584ac3c2ab70..b9e9fb1461438eb90e5519075097be79efe6d4b0 100644 (file)
@@ -85,33 +85,33 @@ class CommandSSLInfo : public Command
        {
                User* target = ServerInstance->FindNick(parameters[0]);
 
-               if (target)
+               if (!target)
                {
-                       ssl_cert* cert = CertExt.get(target);
-                       if (cert)
-                       {
-                               if (cert->GetError().length())
-                               {
-                                       user->WriteServ("NOTICE %s :*** No SSL certificate information for this user (%s).", user->nick.c_str(), cert->GetError().c_str());
-                               }
-                               else
-                               {
-                                       user->WriteServ("NOTICE %s :*** Distinguised Name: %s", user->nick.c_str(), cert->GetDN().c_str());
-                                       user->WriteServ("NOTICE %s :*** Issuer:            %s", user->nick.c_str(), cert->GetIssuer().c_str());
-                                       user->WriteServ("NOTICE %s :*** Key Fingerprint:   %s", user->nick.c_str(), cert->GetFingerprint().c_str());
-                               }
-                               return CMD_SUCCESS;
-                       }
-                       else
-                       {
-                               user->WriteServ("NOTICE %s :*** No SSL certificate information for this user.", user->nick.c_str());
-                               return CMD_FAILURE;
-                       }
+                       user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str());
+                       return CMD_FAILURE;
+               }
+               bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
+               if (operonlyfp && !IS_OPER(user) && target != user)
+               {
+                       user->WriteServ("NOTICE %s :*** You cannot view SSL certificate information for other users", user->nick.c_str());
+                       return CMD_FAILURE;
+               }
+               ssl_cert* cert = CertExt.get(target);
+               if (!cert)
+               {
+                       user->WriteServ("NOTICE %s :*** No SSL certificate for this user", user->nick.c_str());
+               }
+               else if (cert->GetError().length())
+               {
+                       user->WriteServ("NOTICE %s :*** No SSL certificate information for this user (%s).", user->nick.c_str(), cert->GetError().c_str());
                }
                else
-                       user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str());
-
-               return CMD_FAILURE;
+               {
+                       user->WriteServ("NOTICE %s :*** Distinguished Name: %s", user->nick.c_str(), cert->GetDN().c_str());
+                       user->WriteServ("NOTICE %s :*** Issuer:             %s", user->nick.c_str(), cert->GetIssuer().c_str());
+                       user->WriteServ("NOTICE %s :*** Key Fingerprint:    %s", user->nick.c_str(), cert->GetFingerprint().c_str());
+               }
+               return CMD_SUCCESS;
        }
 };
 
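Review bot: On the `!cert` branch at L42–L45 the command now returns CMD_SUCCESS, where the removed code returned CMD_FAILURE for the same "no certificate" case; if anything keys off the command result, that is a silent change worth either restoring with `return CMD_FAILURE;` inside that branch or calling out in the commit message. The `operonly` flag at L35 is read from the config on every invocation, and the WHOIS hook in the third hunk repeats the same `ConfValue("sslinfo")->getBool("operonly")` lookup; a single member refreshed on rehash would keep both gates guaranteed to agree. The handler's signature is above this hunk.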
@@ -120,8 +120,11 @@ class ModuleSSLInfo : public Module
        CommandSSLInfo cmd;
 
  public:
-       ModuleSSLInfo()
-               : cmd(this)
+       ModuleSSLInfo() : cmd(this)
+       {
+       }
+
+       void init()
        {
                ServerInstance->AddCommand(&cmd);
 
@@ -138,9 +141,14 @@ class ModuleSSLInfo : public Module
 
        void OnWhois(User* source, User* dest)
        {
-               if (cmd.CertExt.get(dest))
+               ssl_cert* cert = cmd.CertExt.get(dest);
+               if (cert)
                {
                        ServerInstance->SendWhoisLine(source, dest, 320, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str());
+                       bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
+                       if ((!operonlyfp || source == dest || IS_OPER(source)) && !cert->fingerprint.empty())
+                               ServerInstance->SendWhoisLine(source, dest, 276, "%s %s :has client certificate fingerprint %s",
+                                       source->nick.c_str(), dest->nick.c_str(), cert->fingerprint.c_str());
                }
        }
 
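Review bot: The 276 line at L88 is sent whenever `cert->fingerprint` is non-empty, with no look at `cert->GetError()`, so if ssl_cert still carries a fingerprint for a certificate whose verification recorded an error (I cannot tell from here whether it does), WHOIS would advertise a fingerprint that the SSLINFO command in this same commit refuses to print. Gating it the same way, `if ((!operonlyfp || source == dest || IS_OPER(source)) && cert->GetError().empty() && !cert->fingerprint.empty())`, keeps the two views consistent. The command code reads the value through `GetFingerprint()` while this hunk touches the `fingerprint` member directly; one accessor is easier to audit. The `operonly` setting is also re-read from the config on every WHOIS here, as it is on every SSLINFO in the first hunk.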
@@ -193,7 +201,19 @@ class ModuleSSLInfo : public Module
 
        ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass)
        {
-               if (myclass->config->getBool("requiressl") && !cmd.CertExt.get(user))
+               SocketCertificateRequest req(&user->eh, this);
+               req.Send();
+               bool ok = true;
+               if (myclass->config->getBool("requiressl"))
+               {
+                       ok = (req.cert != NULL);
+               }
+               else if (myclass->config->getString("requiressl") == "trusted")
+               {
+                       ok = (req.cert && req.cert->IsCAVerified());
+               }
+
+               if (!ok)
                        return MOD_RES_DENY;
                return MOD_RES_PASSTHRU;
        }
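Review bot: The "trusted" branch at L105 is only reached when `getBool("requiressl")` at L101 returns false for the string "trusted", so the strictness of the check depends on how getBool treats a non-boolean value; should it ever accept an unrecognised string as true, a class configured with `requiressl="trusted"` would silently fall back to the weaker any-certificate check. Reading the setting once and testing the "trusted" spelling first makes the precedence explicit and drops the second config lookup. The deny path also leaves no trace of which requirement failed; a debug-level log line before `return MOD_RES_DENY;` would help operators diagnose rejected connections.
```cpp
	ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass)
	{
		// … unchanged: SocketCertificateRequest req / req.Send() …
		// Read the class setting once; "trusted" demands a CA-verified
		// certificate, any other true value just demands a certificate.
		const std::string requiressl = myclass->config->getString("requiressl");
		bool ok = true;
		if (requiressl == "trusted")
			ok = (req.cert && req.cert->IsCAVerified());
		else if (myclass->config->getBool("requiressl"))
			ok = (req.cert != NULL);
		// … unchanged: deny / passthru return …
```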