Implement support for WebIRC gateways sending client fingerprints.

2025-03-09 10:39:02 -04:00 · 2021-11-10 13:10:40 +00:00 · 2021-11-10 13:10:40 +00:00 · fddef325ba
commit fddef325ba
parent e504cbd413
2 changed files with 30 additions and 7 deletions
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@ -2287,8 +2287,11 @@
 #<module name="sslinfo">
 #
 # If you want to prevent users from viewing TLS (SSL) certificate information
-# and fingerprints of other users, set operonly to yes.
-#<sslinfo operonly="no">
+# and fingerprints of other users, set operonly to yes. You can also set hash
+# to an IANA Hash Function Textual Name to use the SSL fingerprint sent by a
+# WebIRC gateway (requires the cgiirc module).
+#<sslinfo operonly="no"
+#         hash="sha-256">

 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS.
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@ -252,6 +252,7 @@ class ModuleSSLInfo
 {
 private:
 	CommandSSLInfo cmd;
+	std::string hash;

 	bool MatchFP(ssl_cert* const cert, const std::string& fp) const
 	{
@ -271,6 +272,7 @@ class ModuleSSLInfo
 	{
 		ConfigTag* tag = ServerInstance->Config->ConfValue("sslinfo");
 		cmd.operonlyfp = tag->getBool("operonly");
+		hash = tag->getString("hash");
 	}

 	Version GetVersion() CXX11_OVERRIDE
@ -436,11 +438,29 @@ class ModuleSSLInfo

 		// Create a fake ssl_cert for the user.
 		ssl_cert* cert = new ssl_cert;
-		cert->error = "WebIRC users can not specify valid certs yet";
-		cert->invalid = true;
-		cert->revoked = true;
-		cert->trusted = false;
-		cert->unknownsigner = true;
+		if (!hash.empty())
+		{
+			iter = flags->find("certfp-" + hash);
+			if (iter != flags->end() && !iter->second.empty())
+			{
+				// If the gateway specifies this flag we put all trust onto them
+				// for having validated the client certificate. This is probably
+				// ill-advised but there's not much else we can do.
+				cert->fingerprint = iter->second;
+				cert->dn = "(unknown)";
+				cert->invalid = false;
+				cert->issuer = "(unknown)";
+				cert->trusted = true;
+				cert->unknownsigner = false;
+			}
+		}
+
+		if (cert->fingerprint.empty())
+		{
+			cert->error = "WebIRC gateway did not send a client fingerprint";
+			cert->revoked = true;
+		}
+
 		cmd.sslapi.SetCertificate(user, cert);
 	}
 };