
Anonymous committed e5ce7ff

Add support for client certificate fingerprints in o:lines.


Files changed (5)

 	 */
 	#umodes = locops, servnotice, operwall, wallop;
 
+	/* fingerprint: if specified, the oper's client certificate
+	 * fingerprint will be checked against the specified fingerprint
+	 * below.
+	 */
+	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
 	/* snomask: specific server notice mask on oper up.
 	 * If this is specified an oper will not be given oper_snomask.
 	 */

doc/reference.conf

 	 */
 	#rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";
 
+	/* fingerprint: if specified, the oper's client certificate
+	 * fingerprint will be checked against the specified fingerprint
+	 * below.
+	 */
+	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
 	/* umodes: the specific umodes this oper gets when they oper.
 	 * If this is specified an oper will not be given oper_umodes
 	 * These are described above oper_only_umodes in general {};

include/s_newconf.h

 	char *username;
 	char *host;
 	char *passwd;
+	char *certfp;
 
 	int flags;
 	int umodes;
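Review bot: The new `certfp` member is filled with `rb_strdup` in the config parser, but no hunk in this commit frees it when an oper block is torn down, so unless the struct's destructor is one of the five files changed, every rehash leaks one string per oper block that sets `fingerprint`. Whatever function releases `passwd` and `username` for this struct should also do `rb_free(oper_p->certfp);` next to them (assuming rb_free is the counterpart of the rb_strdup used here). The struct definition starts outside this hunk, so its name is not visible from the diff.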
 		return 0;
 	}
 
+	if (oper_p->certfp != NULL)
+	{
+		if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
+		{
+			sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
+			ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
+			     name, source_p->name,
+			     source_p->username, source_p->host, source_p->sockhost);
+
+			if(ConfigFileEntry.failed_oper_notice)
+			{
+				sendto_realops_snomask(SNO_GENERAL, L_ALL,
+						     "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
+						     source_p->name, source_p->username, source_p->host);
+			}
+			return 0;
+		}
+	}
+
 	if(match_oper_password(password, oper_p))
 	{
 		oper_up(source_p, oper_p);
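Review bot: The mismatch path at the `ilog` call records that the fingerprint check failed but not what the client actually presented, so an admin who mistyped the `fingerprint` value, or wrote it in a different form than the daemon stores in `source_p->certfp` (the `strcasecmp` treats both as opaque strings, so any colon or prefix difference is a permanent mismatch), has nothing to diagnose from. I would append the presented value to the log line only, not to the realops notice: `"... -- client certificate fingerprint mismatch (presented %s)", ..., source_p->certfp != NULL ? source_p->certfp : "none"`. The ordering itself looks right: the certificate is required in addition to the password, and the password is not examined when the certificate check fails. The enclosing function starts and ends outside this hunk.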
 }
 
 static void
+conf_set_oper_fingerprint(void *data)
+{
+	yy_oper->certfp = rb_strdup((char *) data);
+}
+
+static void
 conf_set_oper_privset(void *data)
 {
 	yy_oper->privset = privilegeset_get((char *) data);
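Review bot: `conf_set_oper_fingerprint` stores whatever string the config holds without checking it and without releasing any value already in `yy_oper->certfp`, so a duplicate `fingerprint` line in one oper block leaks the earlier copy, and a non-hex value (a stray colon, a pasted `SHA1 Fingerprint=` prefix) is only discovered at the first failed OPER. A check at rehash is cheap: verify the value is bare hex digits and report the problem, but still store it so the oper block fails closed rather than silently reverting to password-only. I am assuming rb_free pairs with the rb_strdup used here and that the file has a config error reporter (conf_report_error, if that is what the sibling setters call); a length check against the digest size the daemon computes would be a further improvement once that size is confirmed.
```c
static void
conf_set_oper_fingerprint(void *data)
{
	const char *fp = (const char *) data;
	size_t len = strlen(fp);

	/* A value that is not a bare hex digest can never match a client
	 * certificate; say so at rehash, but keep it so the oper block
	 * still fails closed instead of reverting to password-only.
	 */
	if(len == 0 || strspn(fp, "0123456789abcdefABCDEF") != len)
	{
		conf_report_error("Invalid fingerprint '%s' in oper block (expected hex digest)", fp);
	}

	rb_free(yy_oper->certfp);
	yy_oper->certfp = rb_strdup(fp);
}
```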
 	{ "snomask",    CF_QSTRING, conf_set_oper_snomask,      0, NULL },
 	{ "user",	CF_QSTRING, conf_set_oper_user,		0, NULL },
 	{ "password",	CF_QSTRING, conf_set_oper_password,	0, NULL },
+	{ "fingerprint",	CF_QSTRING, conf_set_oper_fingerprint,	0, NULL },
 	{ "\0",	0, NULL, 0, NULL }
 };