X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sslinfo.cpp;h=083ac0f0448486a212bfc53ad61adfc57a3389ed;hb=a5d110282a864fd2e91b51ce360a977cd0643657;hp=fb1a0066641cfedcd0e1ab2c880a4bfae05414b3;hpb=5af5707b6dc5d216e9bef043f9a37ae640e46a3e;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index fb1a00666..083ac0f04 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -1,88 +1,262 @@ -/* +------------------------------------+ - * | Inspire Internet Relay Chat Daemon | - * +------------------------------------+ +/* + * InspIRCd -- Internet Relay Chat Daemon * - * InspIRCd: (C) 2002-2009 InspIRCd Development Team - * See: http://wiki.inspircd.org/Credits + * Copyright (C) 2009-2010 Daniel De Graaf * - * This program is free but copyrighted software; see - * the file COPYING for details. + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. * - * --------------------------------------------------- + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . */ + #include "inspircd.h" -#include "transport.h" +#include "ssl.h" + +/* $ModDesc: Provides SSL metadata, including /WHOIS information and /SSLINFO command */ + +class SSLCertExt : public ExtensionItem { + public: + SSLCertExt(Module* parent) : ExtensionItem("ssl_cert", parent) {} + ssl_cert* get(const Extensible* item) const + { + return static_cast(get_raw(item)); + } + void set(Extensible* item, ssl_cert* value) + { + value->refcount_inc(); + ssl_cert* old = static_cast(set_raw(item, value)); + if (old && old->refcount_dec()) + delete old; + } + + std::string serialize(SerializeFormat format, const Extensible* container, void* item) const + { + return static_cast(item)->GetMetaLine(); + } -/* $ModDesc: Provides /sslinfo command used to test who a mask matches */ -/* $ModDep: transport.h */ + void unserialize(SerializeFormat format, Extensible* container, const std::string& value) + { + ssl_cert* cert = new ssl_cert; + set(container, cert); + + std::stringstream s(value); + std::string v; + getline(s,v,' '); + + cert->invalid = (v.find('v') != std::string::npos); + cert->trusted = (v.find('T') != std::string::npos); + cert->revoked = (v.find('R') != std::string::npos); + cert->unknownsigner = (v.find('s') != std::string::npos); + if (v.find('E') != std::string::npos) + { + getline(s,cert->error,'\n'); + } + else + { + getline(s,cert->fingerprint,' '); + getline(s,cert->dn,' '); + getline(s,cert->issuer,'\n'); + } + } + + void free(void* item) + { + ssl_cert* old = static_cast(item); + if (old && old->refcount_dec()) + delete old; + } +}; /** Handle /SSLINFO */ class CommandSSLInfo : public Command { public: - CommandSSLInfo (InspIRCd* Instance) : Command(Instance,"SSLINFO", 0, 1) + SSLCertExt CertExt; + + CommandSSLInfo(Module* Creator) : Command(Creator, "SSLINFO", 1), CertExt(Creator) { - this->source = "m_sslinfo.so"; this->syntax = ""; } CmdResult Handle (const std::vector ¶meters, User *user) { - User* target = ServerInstance->FindNick(parameters[0]); - ssl_cert* cert; + User* target = ServerInstance->FindNickOnly(parameters[0]); + + if ((!target) || (target->registered != REG_ALL)) + { + user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str()); + return CMD_FAILURE; + } + bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); + if (operonlyfp && !IS_OPER(user) && target != user) + { + user->WriteServ("NOTICE %s :*** You cannot view SSL certificate information for other users", user->nick.c_str()); + return CMD_FAILURE; + } + ssl_cert* cert = CertExt.get(target); + if (!cert) + { + user->WriteServ("NOTICE %s :*** No SSL certificate for this user", user->nick.c_str()); + } + else if (cert->GetError().length()) + { + user->WriteServ("NOTICE %s :*** No SSL certificate information for this user (%s).", user->nick.c_str(), cert->GetError().c_str()); + } + else + { + user->WriteServ("NOTICE %s :*** Distinguished Name: %s", user->nick.c_str(), cert->GetDN().c_str()); + user->WriteServ("NOTICE %s :*** Issuer: %s", user->nick.c_str(), cert->GetIssuer().c_str()); + user->WriteServ("NOTICE %s :*** Key Fingerprint: %s", user->nick.c_str(), cert->GetFingerprint().c_str()); + } + return CMD_SUCCESS; + } +}; + +class ModuleSSLInfo : public Module +{ + CommandSSLInfo cmd; + + public: + ModuleSSLInfo() : cmd(this) + { + } + + void init() + { + ServerInstance->Modules->AddService(cmd); + + ServerInstance->Modules->AddService(cmd.CertExt); + + Implementation eventlist[] = { I_OnWhois, I_OnPreCommand, I_OnSetConnectClass, I_OnUserConnect, I_OnPostConnect }; + ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation)); + } + + Version GetVersion() + { + return Version("SSL Certificate Utilities", VF_VENDOR); + } - if (target) + void OnWhois(User* source, User* dest) + { + ssl_cert* cert = cmd.CertExt.get(dest); + if (cert) + { + ServerInstance->SendWhoisLine(source, dest, 671, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str()); + bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); + if ((!operonlyfp || source == dest || IS_OPER(source)) && !cert->fingerprint.empty()) + ServerInstance->SendWhoisLine(source, dest, 276, "%s %s :has client certificate fingerprint %s", + source->nick.c_str(), dest->nick.c_str(), cert->fingerprint.c_str()); + } + } + + bool OneOfMatches(const char* host, const char* ip, const char* hostlist) + { + std::stringstream hl(hostlist); + std::string xhost; + while (hl >> xhost) + { + if (InspIRCd::Match(host, xhost, ascii_case_insensitive_map) || InspIRCd::MatchCIDR(ip, xhost, ascii_case_insensitive_map)) + { + return true; + } + } + return false; + } + + ModResult OnPreCommand(std::string &command, std::vector ¶meters, LocalUser *user, bool validated, const std::string &original_line) + { + if ((command == "OPER") && (validated)) { - if (target->GetExt("ssl_cert", cert)) + OperIndex::iterator i = ServerInstance->Config->oper_blocks.find(parameters[0]); + if (i != ServerInstance->Config->oper_blocks.end()) { - if (cert->GetError().length()) + OperInfo* ifo = i->second; + if (!ifo->oper_block) + return MOD_RES_PASSTHRU; + + ssl_cert* cert = cmd.CertExt.get(user); + + if (ifo->oper_block->getBool("sslonly") && !cert) { - user->WriteServ("NOTICE %s :*** No SSL certificate information for this user (%s).", user->nick.c_str(), cert->GetError().c_str()); + user->WriteNumeric(491, "%s :This oper login requires an SSL connection.", user->nick.c_str()); + user->CommandFloodPenalty += 10000; + return MOD_RES_DENY; } - else + + std::string fingerprint; + if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || cert->GetFingerprint() != fingerprint)) { - user->WriteServ("NOTICE %s :*** Distinguised Name: %s", user->nick.c_str(), cert->GetDN().c_str()); - user->WriteServ("NOTICE %s :*** Issuer: %s", user->nick.c_str(), cert->GetIssuer().c_str()); - user->WriteServ("NOTICE %s :*** Key Fingerprint: %s", user->nick.c_str(), cert->GetFingerprint().c_str()); + user->WriteNumeric(491, "%s :This oper login requires a matching SSL fingerprint.",user->nick.c_str()); + user->CommandFloodPenalty += 10000; + return MOD_RES_DENY; } - return CMD_LOCALONLY; - } - else - { - user->WriteServ("NOTICE %s :*** No SSL certificate information for this user.", user->nick.c_str()); - return CMD_FAILURE; } } - else - user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str()); - return CMD_FAILURE; + // Let core handle it for extra stuff + return MOD_RES_PASSTHRU; } -}; -class ModuleSSLInfo : public Module -{ - CommandSSLInfo* newcommand; - public: - ModuleSSLInfo(InspIRCd* Me) - : Module(Me) + void OnUserConnect(LocalUser* user) { + SocketCertificateRequest req(&user->eh, this); + if (!req.cert) + return; + cmd.CertExt.set(user, req.cert); + } - newcommand = new CommandSSLInfo(ServerInstance); - ServerInstance->AddCommand(newcommand); + void OnPostConnect(User* user) + { + ssl_cert *cert = cmd.CertExt.get(user); + if (!cert || cert->fingerprint.empty()) + return; + // find an auto-oper block for this user + for(OperIndex::iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); i++) + { + OperInfo* ifo = i->second; + if (!ifo->oper_block) + continue; + std::string fp = ifo->oper_block->getString("fingerprint"); + if (fp == cert->fingerprint && ifo->oper_block->getBool("autologin")) + user->Oper(ifo); + } } - - virtual ~ModuleSSLInfo() + ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) { + SocketCertificateRequest req(&user->eh, this); + bool ok = true; + if (myclass->config->getString("requiressl") == "trusted") + { + ok = (req.cert && req.cert->IsCAVerified()); + } + else if (myclass->config->getBool("requiressl")) + { + ok = (req.cert != NULL); + } + + if (!ok) + return MOD_RES_DENY; + return MOD_RES_PASSTHRU; } - virtual Version GetVersion() + void OnRequest(Request& request) { - return Version("$Id$", VF_VENDOR, API_VERSION); + if (strcmp("GET_USER_CERT", request.id) == 0) + { + UserCertificateRequest& req = static_cast(request); + req.cert = cmd.CertExt.get(req.user); + } } };