X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sslinfo.cpp;h=c354e4e0ecfcc4794f6b972574cabafc0e615d01;hb=9d72ec55ae98960bf996dd3d92c29598a5e3c825;hp=55a0dc7faafcd8fba68294e6c36b92d18acf2c84;hpb=245e29085b0f5c2c1bbdcb9fef26d0c9476a791e;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp
index 55a0dc7fa..c354e4e0e 100644
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@@ -1,163 +1,239 @@
-/*       +------------------------------------+
- *       | Inspire Internet Relay Chat Daemon |
- *       +------------------------------------+
+/*
+ * InspIRCd -- Internet Relay Chat Daemon
  *
- *  InspIRCd: (C) 2002-2009 InspIRCd Development Team
- * See: http://wiki.inspircd.org/Credits
+ *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
  *
- * This program is free but copyrighted software; see
- *            the file COPYING for details.
+ * This file is part of InspIRCd.  InspIRCd is free software: you can
+ * redistribute it and/or modify it under the terms of the GNU General Public
+ * License as published by the Free Software Foundation, version 2.
  *
- * ---------------------------------------------------
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+
 #include "inspircd.h"
-#include "transport.h"
+#include "modules/ssl.h"
+
+class SSLCertExt : public ExtensionItem {
+ public:
+	SSLCertExt(Module* parent) : ExtensionItem("ssl_cert", parent) {}
+	ssl_cert* get(const Extensible* item) const
+	{
+		return static_cast<ssl_cert*>(get_raw(item));
+	}
+	void set(Extensible* item, ssl_cert* value)
+	{
+		value->refcount_inc();
+		ssl_cert* old = static_cast<ssl_cert*>(set_raw(item, value));
+		if (old && old->refcount_dec())
+			delete old;
+	}
+
+	std::string serialize(SerializeFormat format, const Extensible* container, void* item) const
+	{
+		return static_cast<ssl_cert*>(item)->GetMetaLine();
+	}
+
+	void unserialize(SerializeFormat format, Extensible* container, const std::string& value)
+	{
+		ssl_cert* cert = new ssl_cert;
+		set(container, cert);
+
+		std::stringstream s(value);
+		std::string v;
+		getline(s,v,' ');
+
+		cert->invalid = (v.find('v') != std::string::npos);
+		cert->trusted = (v.find('T') != std::string::npos);
+		cert->revoked = (v.find('R') != std::string::npos);
+		cert->unknownsigner = (v.find('s') != std::string::npos);
+		if (v.find('E') != std::string::npos)
+		{
+			getline(s,cert->error,'\n');
+		}
+		else
+		{
+			getline(s,cert->fingerprint,' ');
+			getline(s,cert->dn,' ');
+			getline(s,cert->issuer,'\n');
+		}
+	}
 
-/* $ModDesc: Provides SSL metadata, including /WHOIS information and /SSLINFO command */
+	void free(void* item)
+	{
+		ssl_cert* old = static_cast<ssl_cert*>(item);
+		if (old && old->refcount_dec())
+			delete old;
+	}
+};
 
 /** Handle /SSLINFO
  */
 class CommandSSLInfo : public Command
 {
  public:
-	CommandSSLInfo (InspIRCd* Instance) : Command(Instance,"SSLINFO", 0, 1)
+	SSLCertExt CertExt;
+
+	CommandSSLInfo(Module* Creator) : Command(Creator, "SSLINFO", 1), CertExt(Creator)
 	{
-		this->source = "m_sslinfo.so";
 		this->syntax = "<nick>";
 	}
 
 	CmdResult Handle (const std::vector<std::string> &parameters, User *user)
 	{
-		User* target = ServerInstance->FindNick(parameters[0]);
-		ssl_cert* cert;
+		User* target = ServerInstance->FindNickOnly(parameters[0]);
 
-		if (target)
+		if ((!target) || (target->registered != REG_ALL))
 		{
-			if (target->GetExt("ssl_cert", cert))
-			{
-				if (cert->GetError().length())
-				{
-					user->WriteServ("NOTICE %s :*** No SSL certificate information for this user (%s).", user->nick.c_str(), cert->GetError().c_str());
-				}
-				else
-				{
-					user->WriteServ("NOTICE %s :*** Distinguised Name: %s", user->nick.c_str(), cert->GetDN().c_str());
-					user->WriteServ("NOTICE %s :*** Issuer:            %s", user->nick.c_str(), cert->GetIssuer().c_str());
-					user->WriteServ("NOTICE %s :*** Key Fingerprint:   %s", user->nick.c_str(), cert->GetFingerprint().c_str());
-				}
-				return CMD_LOCALONLY;
-			}
-			else
-			{
-				user->WriteServ("NOTICE %s :*** No SSL certificate information for this user.", user->nick.c_str());
-				return CMD_FAILURE;
-			}
+			user->WriteNumeric(ERR_NOSUCHNICK, "%s :No such nickname", parameters[0].c_str());
+			return CMD_FAILURE;
+		}
+		bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
+		if (operonlyfp && !user->IsOper() && target != user)
+		{
+			user->WriteNotice("*** You cannot view SSL certificate information for other users");
+			return CMD_FAILURE;
+		}
+		ssl_cert* cert = CertExt.get(target);
+		if (!cert)
+		{
+			user->WriteNotice("*** No SSL certificate for this user");
+		}
+		else if (cert->GetError().length())
+		{
+			user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ").");
 		}
 		else
-			user->WriteNumeric(ERR_NOSUCHNICK, "%s %s :No such nickname", user->nick.c_str(), parameters[0].c_str());
-
-		return CMD_FAILURE;
+		{
+			user->WriteNotice("*** Distinguished Name: " + cert->GetDN());
+			user->WriteNotice("*** Issuer:             " + cert->GetIssuer());
+			user->WriteNotice("*** Key Fingerprint:    " + cert->GetFingerprint());
+		}
+		return CMD_SUCCESS;
 	}
 };
 
-class ModuleSSLInfo : public Module
+class UserCertificateAPIImpl : public UserCertificateAPIBase
 {
-	CommandSSLInfo* newcommand;
+	SSLCertExt& ext;
+
  public:
-	ModuleSSLInfo(InspIRCd* Me)
-		: Module(Me)
+	UserCertificateAPIImpl(Module* mod, SSLCertExt& certext)
+		: UserCertificateAPIBase(mod), ext(certext)
 	{
-		newcommand = new CommandSSLInfo(ServerInstance);
-		ServerInstance->AddCommand(newcommand);
-
-		Implementation eventlist[] = { I_OnSyncUserMetaData, I_OnDecodeMetaData, I_OnWhois };
-		ServerInstance->Modules->Attach(eventlist, this, 3);
 	}
 
+ 	ssl_cert* GetCertificate(User* user) CXX11_OVERRIDE
+ 	{
+ 		return ext.get(user);
+ 	}
+};
+
+class ModuleSSLInfo : public Module
+{
+	CommandSSLInfo cmd;
+	UserCertificateAPIImpl APIImpl;
 
-	virtual ~ModuleSSLInfo()
+ public:
+	ModuleSSLInfo()
+		: cmd(this), APIImpl(this, cmd.CertExt)
 	{
 	}
 
-	virtual Version GetVersion()
+	Version GetVersion() CXX11_OVERRIDE
 	{
-		return Version("$Id$", VF_VENDOR, API_VERSION);
+		return Version("SSL Certificate Utilities", VF_VENDOR);
 	}
 
-	virtual void OnWhois(User* source, User* dest)
+	void OnWhois(User* source, User* dest) CXX11_OVERRIDE
 	{
-		if(dest->GetExt("ssl"))
+		ssl_cert* cert = cmd.CertExt.get(dest);
+		if (cert)
 		{
-			ServerInstance->SendWhoisLine(source, dest, 320, "%s %s :is using a secure connection", source->nick.c_str(), dest->nick.c_str());
+			ServerInstance->SendWhoisLine(source, dest, 671, "%s :is using a secure connection", dest->nick.c_str());
+			bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly");
+			if ((!operonlyfp || source == dest || source->IsOper()) && !cert->fingerprint.empty())
+				ServerInstance->SendWhoisLine(source, dest, 276, "%s :has client certificate fingerprint %s",
+					dest->nick.c_str(), cert->fingerprint.c_str());
 		}
 	}
 
-	virtual void OnSyncUserMetaData(User* user, Module* proto, void* opaque, const std::string &extname, bool displayable)
+	ModResult OnPreCommand(std::string &command, std::vector<std::string> &parameters, LocalUser *user, bool validated, const std::string &original_line) CXX11_OVERRIDE
 	{
-		// check if the linking module wants to know about OUR metadata
-		if (extname == "ssl")
+		if ((command == "OPER") && (validated))
 		{
-			// check if this user has an ssl field to send
-			if (!user->GetExt(extname))
-				return;
+			ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.find(parameters[0]);
+			if (i != ServerInstance->Config->oper_blocks.end())
+			{
+				OperInfo* ifo = i->second;
+				ssl_cert* cert = cmd.CertExt.get(user);
 
-			// call this function in the linking module, let it format the data how it
-			// sees fit, and send it on its way. We dont need or want to know how.
-			proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, displayable ? "Enabled" : "ON");
+				if (ifo->oper_block->getBool("sslonly") && !cert)
+				{
+					user->WriteNumeric(491, ":This oper login requires an SSL connection.");
+					user->CommandFloodPenalty += 10000;
+					return MOD_RES_DENY;
+				}
+
+				std::string fingerprint;
+				if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || cert->GetFingerprint() != fingerprint))
+				{
+					user->WriteNumeric(491, ":This oper login requires a matching SSL certificate fingerprint.");
+					user->CommandFloodPenalty += 10000;
+					return MOD_RES_DENY;
+				}
+			}
 		}
-		else if (extname == "ssl_cert")
-		{
-			ssl_cert* cert;
-			if (!user->GetExt("ssl_cert", cert))
-				return;
 
-			proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, cert->GetMetaLine().c_str());
+		// Let core handle it for extra stuff
+		return MOD_RES_PASSTHRU;
+	}
+
+	void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
+	{
+		ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
+		if (cert)
+			cmd.CertExt.set(user, cert);
+	}
+
+	void OnPostConnect(User* user) CXX11_OVERRIDE
+	{
+		ssl_cert *cert = cmd.CertExt.get(user);
+		if (!cert || cert->fingerprint.empty())
+			return;
+		// find an auto-oper block for this user
+		for (ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); ++i)
+		{
+			OperInfo* ifo = i->second;
+			std::string fp = ifo->oper_block->getString("fingerprint");
+			if (fp == cert->fingerprint && ifo->oper_block->getBool("autologin"))
+				user->Oper(ifo);
 		}
 	}
 
-	virtual void OnDecodeMetaData(int target_type, void* target, const std::string &extname, const std::string &extdata)
+	ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
 	{
-		// check if its our metadata key, and its associated with a user
-		if ((target_type == TYPE_USER) && (extname == "ssl"))
+		ssl_cert* cert = SSLClientCert::GetCertificate(&user->eh);
+		bool ok = true;
+		if (myclass->config->getString("requiressl") == "trusted")
 		{
-			User* dest = static_cast<User*>(target);
-			// if they dont already have an ssl flag, accept the remote server's
-			if (!dest->GetExt(extname))
-			{
-				dest->Extend(extname);
-			}
+			ok = (cert && cert->IsCAVerified());
 		}
-		else if ((target_type == TYPE_USER) && (extname == "ssl_cert"))
+		else if (myclass->config->getBool("requiressl"))
 		{
-			User* dest = static_cast<User*>(target);
-			if (dest->GetExt(extname))
-				return;
-
-			ssl_cert* cert = new ssl_cert;
-			dest->Extend(extname, cert);
-
-			std::stringstream s(extdata);
-			std::string v;
-			getline(s,v,' ');
-
-			cert->invalid = (v.find('v') != std::string::npos);
-			cert->trusted = (v.find('T') != std::string::npos);
-			cert->revoked = (v.find('R') != std::string::npos);
-			cert->unknownsigner = (v.find('s') != std::string::npos);
-			if (v.find('E') != std::string::npos)
-			{
-				getline(s,cert->error,'\n');
-			}
-			else
-			{
-				getline(s,cert->fingerprint,' ');
-				getline(s,cert->dn,' ');
-				getline(s,cert->issuer,'\n');
-			}
+			ok = (cert != NULL);
 		}
+
+		if (!ok)
+			return MOD_RES_DENY;
+		return MOD_RES_PASSTHRU;
 	}
 };
 
 MODULE_INIT(ModuleSSLInfo)
-