aboutsummaryrefslogtreecommitdiffstats
path: root/src/modules/m_sslinfo.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2021-11-10 18:28:21 +0000
committerGravatar Sadie Powell2021-11-10 18:33:30 +0000
commitf43369b0c4329572eafdfacb36618d5586910a3a (patch)
treea5b5eed7b352a7aa5e7b5697a1bb0cb1ed3e6fbb /src/modules/m_sslinfo.cpp
parentRemove unused time_t field from the timer system. (diff)
parentAllow configuring which options to trust from a WebIRC gateway. (diff)
Merge branch 'insp3' into master.
Diffstat (limited to 'src/modules/m_sslinfo.cpp')
-rw-r--r--src/modules/m_sslinfo.cpp30
1 files changed, 25 insertions, 5 deletions
diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp
index 48687be7a..9292a1c7a 100644
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@@ -272,6 +272,7 @@ class ModuleSSLInfo final
{
private:
CommandSSLInfo cmd;
+ std::string hash;
bool MatchFP(ssl_cert* const cert, const std::string& fp) const
{
@@ -292,6 +293,7 @@ class ModuleSSLInfo final
{
auto tag = ServerInstance->Config->ConfValue("sslinfo");
cmd.operonlyfp = tag->getBool("operonly");
+ hash = tag->getString("hash");
}
void OnWhois(Whois::Context& whois) override
@@ -443,11 +445,29 @@ class ModuleSSLInfo final
// Create a fake ssl_cert for the user.
ssl_cert* cert = new ssl_cert;
- cert->error = "WebIRC users can not specify valid certs yet";
- cert->invalid = true;
- cert->revoked = true;
- cert->trusted = false;
- cert->unknownsigner = true;
+ if (!hash.empty())
+ {
+ iter = flags->find("certfp-" + hash);
+ if (iter != flags->end() && !iter->second.empty())
+ {
+ // If the gateway specifies this flag we put all trust onto them
+ // for having validated the client certificate. This is probably
+ // ill-advised but there's not much else we can do.
+ cert->fingerprint = iter->second;
+ cert->dn = "(unknown)";
+ cert->invalid = false;
+ cert->issuer = "(unknown)";
+ cert->trusted = true;
+ cert->unknownsigner = false;
+ }
+ }
+
+ if (cert->fingerprint.empty())
+ {
+ cert->error = "WebIRC gateway did not send a client fingerprint";
+ cert->revoked = true;
+ }
+
cmd.sslapi.SetCertificate(user, cert);
}
};