From 05c75aba6b4bf77a8731cd017149b8a40c9182b9 Mon Sep 17 00:00:00 2001
From: danieldg
Date: Tue, 2 Feb 2010 23:24:30 +0000
Subject: [PATCH] Allow SSL fingerprint hash to be specified, and show fingerprint to client on connect
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@12357 e03df62e-2008-0410-955e-edbf42e46eb7
---
 src/modules/extra/m_ssl_gnutls.cpp | 51 +++++++++++++++--------------
 src/modules/extra/m_ssl_openssl.cpp | 44 +++++++++++--------------
 src/modules/m_sasl.cpp | 4 +--
 3 files changed, 48 insertions(+), 51 deletions(-)
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index df3709f10..374431752 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -122,12 +122,8 @@ class ModuleSSLGnuTLS : public Module
 gnutls_certificate_credentials x509_cred;
 gnutls_dh_params dh_params;
+ gnutls_digest_algorithm_t hash;
- std::string keyfile;
- std::string certfile;
-
- std::string cafile;
- std::string crlfile;
 std::string sslports;
 int dh_bits;
@@ -192,32 +188,32 @@ class ModuleSSLGnuTLS : public Module
 if(param != "ssl") return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string crlfile;
 OnRehash(user);
 ConfigTag* Conf = ServerInstance->Config->ConfValue("gnutls");
- cafile = Conf->getString("cafile");
- crlfile = Conf->getString("crlfile");
- certfile = Conf->getString("certfile");
- keyfile = Conf->getString("keyfile");
+ cafile = Conf->getString("cafile", "conf/ca.pem");
+ crlfile = Conf->getString("crlfile", "conf/crl.pem");
+ certfile = Conf->getString("certfile", "conf/cert.pem");
+ keyfile = Conf->getString("keyfile", "conf/key.pem");
 dh_bits = Conf->getInt("dhbits");
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
-
- if (crlfile.empty())
- crlfile = "conf/crl.pem";
-
- if (certfile.empty())
- certfile = "conf/cert.pem";
-
- if (keyfile.empty())
- keyfile = "conf/key.pem";
+ std::string hashname = Conf->getString("hash", "md5");
 if((dh_bits != 768) && (dh_bits != 1024) && (dh_bits != 2048) && (dh_bits != 3072) && (dh_bits != 4096)) dh_bits = 1024;
+ if (hashname == "md5")
+ hash = GNUTLS_DIG_MD5;
+ else if (hashname == "sha1")
+ hash = GNUTLS_DIG_SHA1;
+ else
+ throw ModuleException("Unknown hash type " + hashname);
+
+ int ret;
 if (cred_alloc)
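Review bot: The new option defaults to MD5 on the `std::string hashname = Conf->getString("hash", "md5");` line, so the fingerprint handed to consumers such as m_sslinfo identifies clients by an MD5 digest unless an admin opts out, and practical MD5 collisions for X.509 certificates had already been demonstrated when this was written. A `sha1` default, or an extra branch mapping `"sha256"` to `GNUTLS_DIG_SHA256`, gives a safer baseline while keeping `"md5"` available for existing deployments; the m_ssl_openssl.cpp hunk at -168 takes the same default, where `EVP_sha256()` would be the equivalent. The `throw` in the final `else` runs before the credential reload below it, which is the right order, but the message should say what is accepted, e.g. `throw ModuleException("Unknown hash type " + hashname + " (expected md5 or sha1)");`. OnModuleRehash begins and ends outside this hunk.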
@@ -556,11 +552,16 @@ class ModuleSSLGnuTLS : public Module
 {
 if (sessions[user->GetFd()].sess)
 {
- SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
+ ssl_cert* cert = sessions[user->GetFd()].cert;
+ SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), cert);
 std::string cipher = gnutls_kx_get_name(gnutls_kx_get(sessions[user->GetFd()].sess));
 cipher.append("-").append(gnutls_cipher_get_name(gnutls_cipher_get(sessions[user->GetFd()].sess))).append("-");
 cipher.append(gnutls_mac_get_name(gnutls_mac_get(sessions[user->GetFd()].sess)));
- user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ if (cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\"", user->nick.c_str(), cipher.c_str());
+ else
+ user->WriteServ("NOTICE %s :*** You are connected using SSL cipher \"%s\""
+ " and your SSL fingerprint is %s", user->nick.c_str(), cipher.c_str(), cert->fingerprint.c_str());
 }
 }
 }
@@ -652,7 +653,7 @@ class ModuleSSLGnuTLS : public Module
 gnutls_x509_crt_get_issuer_dn(cert, name, &name_size);
 certinfo->issuer = name;
- if ((ret = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, digest, &digest_size)) < 0)
+ if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0)
 {
 certinfo->error = gnutls_strerror(ret);
 }
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index c46b93117..261105969 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -89,12 +89,8 @@ class ModuleSSLOpenSSL : public Module
 char cipher[MAXBUF];
- std::string keyfile;
- std::string certfile;
- std::string cafile;
- // std::string crlfile;
- std::string dhfile;
 std::string sslports;
+ bool use_sha;
 ServiceProvider iohook;
 public:
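Review bot: `cert->fingerprint.empty()` dereferences `sessions[user->GetFd()].cert` unconditionally, where the replaced line only forwarded the pointer to SSLCertSubmission; if a session can have `sess` set while `cert` is still null (the code that fills it is outside this hunk), the connect notice becomes a null dereference. A guard such as `if (!cert || cert->fingerprint.empty())` keeps the cipher-only message for that case without changing the happy path. The m_ssl_openssl.cpp hunk at -253 dereferences `sessions[user->GetFd()].cert->fingerprint` the same way. The enclosing function begins outside this hunk.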
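Review bot: With `hash` now selectable on the `gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)` line, `digest` and `digest_size` (declared above this hunk) must fit the largest accepted output, since SHA-1 yields 20 bytes where MD5 yields 16; a buffer sized for MD5 alone would make the call fail with GNUTLS_E_SHORT_MEMORY_BUFFER, which the existing `ret < 0` branch reports as a per-certificate error rather than a configuration problem. If the buffer is already larger, a comment at its declaration would make the dependency explicit, e.g. `// must hold the digest of every algorithm accepted for <gnutls hash>`. The enclosing function begins and ends outside this hunk.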
@@ -168,27 +164,23 @@ class ModuleSSLOpenSSL : public Module
 if (param != "ssl") return;
+ std::string keyfile;
+ std::string certfile;
+ std::string cafile;
+ std::string dhfile;
 OnRehash(user);
- ConfigReader Conf;
-
- cafile = Conf.ReadValue("openssl", "cafile", 0);
- certfile = Conf.ReadValue("openssl", "certfile", 0);
- keyfile = Conf.ReadValue("openssl", "keyfile", 0);
- dhfile = Conf.ReadValue("openssl", "dhfile", 0);
-
- // Set all the default values needed.
- if (cafile.empty())
- cafile = "conf/ca.pem";
+ ConfigTag* conf = ServerInstance->Config->ConfValue("openssl");
- if (certfile.empty())
- certfile = "conf/cert.pem";
+ cafile = conf->getString("cafile", "conf/ca.pem");
+ certfile = conf->getString("certfile", "conf/cert.pem");
+ keyfile = conf->getString("keyfile", "conf/key.pem");
+ dhfile = conf->getString("dhfile", "conf/dhparams.pem");
+ std::string hash = conf->getString("hash", "md5");
+ if (hash != "sha1" && hash != "md5")
+ throw ModuleException("Unknown hash type " + hash);
+ use_sha = (hash == "sha1");
- if (keyfile.empty())
- keyfile = "conf/key.pem";
-
- if (dhfile.empty())
- dhfile = "conf/dhparams.pem";
 /* Load our keys and certificates
 * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
@@ -253,6 +245,10 @@ class ModuleSSLOpenSSL : public Module
 if (sessions[user->GetFd()].sess)
 {
 SSLCertSubmission(user, this, ServerInstance->Modules->Find("m_sslinfo.so"), sessions[user->GetFd()].cert);
+
+ if (!sessions[user->GetFd()].cert->fingerprint.empty())
+ user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint %s",
+ user->nick.c_str(), sessions[user->GetFd()].cert->fingerprint.c_str());
 }
 }
 }
@@ -382,7 +378,7 @@ class ModuleSSLOpenSSL : public Module
 char* buffer = ServerInstance->GetReadBuffer();
 size_t bufsiz = ServerInstance->Config->NetBufferSize;
 int ret = SSL_read(session->sess, buffer, bufsiz);
-
+
 if (ret > 0)
 {
 recvq.append(buffer, ret);
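Review bot: The added `user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint %s", ...)` prints the fingerprint without naming the digest, and this same commit makes the digest a per-server setting, so a client comparing the value against a fingerprint recorded elsewhere can only guess MD5 versus SHA-1 from its length. Passing the algorithm through fixes that in two lines: `user->WriteServ("NOTICE %s :*** You are connected using SSL fingerprint (%s) %s",` and `user->nick.c_str(), use_sha ? "SHA1" : "MD5", sessions[user->GetFd()].cert->fingerprint.c_str());`. The gnutls notice in the m_ssl_gnutls.cpp hunk at -556 has the same gap. The enclosing function begins outside this hunk.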
@@ -563,7 +559,7 @@ class ModuleSSLOpenSSL : public Module
 session->cert = certinfo;
 unsigned int n;
 unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *digest = EVP_md5();
+ const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
 cert = SSL_get_peer_certificate((SSL*)session->sess);
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 4dcb350bc..3c3b1d2a0 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -252,8 +252,8 @@ class ModuleSASL : public Module
 {
 if (myclass->config->getBool("requiresasl"))
 {
- AccountExtItem* ext = GetAccountExtItem();
- if (ext && !ext.get(user))
+ const AccountExtItem* ext = GetAccountExtItem();
+ if (ext && !ext->get(user))
 return MOD_RES_DENY;
 }
 return MOD_RES_PASSTHRU;
--
2.39.5
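Review bot: `use_sha` is read on the `const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();` line, but the member is declared in the -89 hunk with no initializer and nothing in this patch sets it before OnModuleRehash runs; if a handshake can reach this code before that (the constructor is outside these hunks), the read is of an indeterminate bool. Initialising it in the constructor's member list, `use_sha(false)`, closes that window and matches the `"md5"` default chosen in OnModuleRehash. The enclosing function begins and ends outside this hunk.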