authorPeter Powell <petpow@saberuk.com>2017-10-15 16:43:12 +0100
committerPeter Powell <petpow@saberuk.com>2017-10-15 17:19:38 +0100
commit243b0dd12033dc86049b52b2ae0027652b524b80 (patch)
tree2a42cb174d2a27956758bb3753dac8358e40c1eb
parent8fb067d2cca22c3568c352a2b6f98084916fafb3 (diff)
Add support for WEBIRC blocks authenticating using client certs.
-rw-r--r--src/modules/m_cgiirc.cpp20
1 files changed, 14 insertions, 6 deletions
diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp
index 51638855c..9574b313b 100644
--- a/src/modules/m_cgiirc.cpp
+++ b/src/modules/m_cgiirc.cpp
@@ -24,8 +24,8 @@
#include "inspircd.h"
-#include "xline.h"
#include "modules/dns.h"
+#include "modules/ssl.h"
enum
{
@@ -45,12 +45,14 @@ class WebIRCHost
{
private:
const std::string hostmask;
+ const std::string fingerprint;
const std::string password;
const std::string passhash;
public:
- WebIRCHost(const std::string& mask, const std::string& pass, const std::string& hash)
+ WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash)
: hostmask(mask)
+ , fingerprint(fp)
, password(pass)
, passhash(hash)
{
@@ -59,7 +61,12 @@ class WebIRCHost
bool Matches(LocalUser* user, const std::string& pass) const
{
// Did the user send a valid password?
- if (!ServerInstance->PassCompare(user, password, pass, passhash))
+ if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash))
+ return false;
+
+ // Does the user have a valid fingerprint?
+ const std::string fp = SSLClientCert::GetFingerprint(&user->eh);
+ if (!fingerprint.empty() && fp != fingerprint)
return false;
// Does the user's hostname match our hostmask?
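Review bot: The fingerprint check in `Matches` uses a plain `fp != fingerprint`, so a configured value that differs only in hex case or contains colon separators never matches; this fails closed, but the operator gets no hint why. Consider normalising the configured fingerprint once when the block is read. The check also deserves a comment stating that a user with no client certificate (presumably an empty `fp`) is rejected whenever a fingerprint is configured, and that a block with both fields set requires both to pass. The lookup could move inside the guard so password-only blocks skip it: `if (!fingerprint.empty() && SSLClientCert::GetFingerprint(&user->eh) != fingerprint)`. The strength of this check depends on the digest the TLS module uses for fingerprints, which is not visible here and is worth confirming; `Matches` continues past the end of the hunk.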
@@ -293,13 +300,14 @@ public:
else if (stdalgo::string::equalsci(type, "webirc"))
{
// The IP address will be received via the WEBIRC command.
+ const std::string fingerprint = tag->getString("fingerprint");
const std::string password = tag->getString("password");
// WebIRC blocks require a password.
- if (password.empty())
- throw ModuleException("When using <cgihost type=\"webirc\"> the password field is required, at " + tag->getTagLocation());
+ if (fingerprint.empty() && password.empty())
+ throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());
- webirchosts.push_back(WebIRCHost(mask, password, tag->getString("hash")));
+ webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash")));
}
else
{
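Review bot: The context comment `// WebIRC blocks require a password.` is stale now that the check below it accepts a fingerprint alone; it should read `// WebIRC blocks require a fingerprint or a password.`. A `hash` attribute given without a `password` is still passed to the `WebIRCHost` constructor but goes unused, because `Matches` skips `PassCompare` when the password is empty; a comment or a config-time warning would make that visible. The enclosing function starts and ends outside this hunk.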