author | Peter Powell <petpow@saberuk.com> | 2017-10-15 16:43:12 +0100 |
---|---|---|
committer | Peter Powell <petpow@saberuk.com> | 2017-10-15 17:19:38 +0100 |
commit | 243b0dd12033dc86049b52b2ae0027652b524b80 (patch) | |
tree | 2a42cb174d2a27956758bb3753dac8358e40c1eb | |
parent | 8fb067d2cca22c3568c352a2b6f98084916fafb3 (diff) |
Add support for WEBIRC blocks authenticating using client certs.
-rw-r--r-- | src/modules/m_cgiirc.cpp | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 51638855c..9574b313b 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -24,8 +24,8 @@ #include "inspircd.h" -#include "xline.h" #include "modules/dns.h" +#include "modules/ssl.h" enum { @@ -45,12 +45,14 @@ class WebIRCHost { private: const std::string hostmask; + const std::string fingerprint; const std::string password; const std::string passhash; public: - WebIRCHost(const std::string& mask, const std::string& pass, const std::string& hash) + WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash) : hostmask(mask) + , fingerprint(fp) , password(pass) , passhash(hash) { @@ -59,7 +61,12 @@ class WebIRCHost bool Matches(LocalUser* user, const std::string& pass) const { // Did the user send a valid password? - if (!ServerInstance->PassCompare(user, password, pass, passhash)) + if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) + return false; + + // Does the user have a valid fingerprint? + const std::string fp = SSLClientCert::GetFingerprint(&user->eh); + if (!fingerprint.empty() && fp != fingerprint) return false; // Does the user's hostname match our hostmask? 
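Review bot: In the `Matches` hunk (`@@ -59,7 +61,12 @@`) both credential checks are now conditional, so a `WebIRCHost` whose `password` and `fingerprint` are both empty would be accepted on hostmask alone; the only thing preventing that is the config-time check in the later hunk. A guard at the top of `Matches`, `if (password.empty() && fingerprint.empty()) return false;`, keeps the class fail-closed however it is constructed. `SSLClientCert::GetFingerprint(&user->eh)` is also called for password-only blocks, so moving it inside the `!fingerprint.empty()` branch avoids the lookup. It is worth confirming whether that helper returns a fingerprint for certificates the TLS module considers unusable (for example expired), which this hunk does not show. The body of `Matches` continues past the end of the hunk.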
@@ -293,13 +300,14 @@ public: else if (stdalgo::string::equalsci(type, "webirc")) { // The IP address will be received via the WEBIRC command. + const std::string fingerprint = tag->getString("fingerprint"); const std::string password = tag->getString("password"); // WebIRC blocks require a password. - if (password.empty()) - throw ModuleException("When using <cgihost type=\"webirc\"> the password field is required, at " + tag->getTagLocation()); + if (fingerprint.empty() && password.empty()) + throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation()); - webirchosts.push_back(WebIRCHost(mask, password, tag->getString("hash"))); + webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash"))); } else { |
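Review bot: The retained comment `// WebIRC blocks require a password.` is now wrong, since the check below it accepts a fingerprint-only block; something like `// WebIRC blocks require a fingerprint, a password, or both.` matches the new condition. The configured `fingerprint` is stored verbatim and `Matches` compares it with `!=`, so a value written in a different case or with separators would presumably never match what the TLS module reports. That fails closed but gives the operator no hint. Validating or normalising the value here, where `tag->getTagLocation()` is available for the error message, would surface the mistake when the config is loaded. The enclosing function starts and ends outside the hunk.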