diff -rupN Unreal3.2.10-rc1/include/msg.h Unreal3.2.10-rc1-new/include/msg.h --- Unreal3.2.10-rc1/include/msg.h 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/include/msg.h 2012-10-24 22:11:49.000000000 +0100 @@ -280,6 +280,8 @@ #define MSG_INFOSERV "INFOSERV" #define MSG_IS "IS" #define TOK_INFOSERV "BO" +#define MSG_FINGERPRINT "FINGERPRINT" +#define TOK_FINGERPRINT "FP" /* For synching client fingerprints */ #define MSG_BOTSERV "BOTSERV" #define TOK_BOTSERV "BS" diff -rupN Unreal3.2.10-rc1/include/struct.h Unreal3.2.10-rc1-new/include/struct.h --- Unreal3.2.10-rc1/include/struct.h 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/include/struct.h 2012-10-24 23:03:24.000000000 +0100 @@ -1042,6 +1042,7 @@ struct Client { #endif #ifdef USE_SSL SSL *ssl; + char sslfingerprint[EVP_MAX_MD_SIZE * 2 + 1]; /* Fingerprint hexstring for this client -Nath */ #elif defined(_WIN32) void *ssl_NOTUSED; /* (win32 binary compatability) */ #endif diff -rupN Unreal3.2.10-rc1/src/auth.c Unreal3.2.10-rc1-new/src/auth.c --- Unreal3.2.10-rc1/src/auth.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/auth.c 2012-10-24 23:26:31.000000000 +0100 @@ -478,15 +478,10 @@ int Auth_Check(aClient *cptr, anAuthStru FILE *x509_f = NULL; #endif #ifdef AUTHENABLE_SSL_CLIENTCERTFP - unsigned int n; unsigned int i; - unsigned int j; unsigned int k; - unsigned char md[EVP_MAX_MD_SIZE]; - char hex[EVP_MAX_MD_SIZE * 2 + 1]; - char hexc[EVP_MAX_MD_SIZE * 3 + 1]; - char hexchars[16] = "0123456789abcdef"; - const EVP_MD *digest = EVP_sha256(); + char hexcolon[EVP_MAX_MD_SIZE * 3 + 1]; + char hexcopy[EVP_MAX_MD_SIZE * 2 + 1]; #endif if (!as) @@ -565,29 +560,21 @@ int Auth_Check(aClient *cptr, anAuthStru return -1; if (!cptr->ssl) return -1; - x509_clientcert = SSL_get_peer_certificate((SSL *)cptr->ssl); - if (!x509_clientcert) - return -1; - if (!X509_digest(x509_clientcert, digest, md, &n)) { - X509_free(x509_clientcert); + if (BadPtr(cptr->sslfingerprint)) return -1; - } - j = 0; + strcpy(hexcopy, cptr->sslfingerprint); + /* Make a colon version so that we keep in line with + previous versions -Nath */ k = 0; - for (i=0; i> 4) & 0xF]; - hex[j++] = hexchars[md[i] & 0xF]; - hexc[k++] = hexchars[(md[i] >> 4) & 0xF]; - hexc[k++] = hexchars[md[i] & 0xF]; - hexc[k++] = ':'; + for (i=0; idata, hex) && strcasecmp(as->data, hexc)) { - X509_free(x509_clientcert); + hexcolon[k] = '\0'; + if (strcasecmp(as->data, hexcolon) && strcasecmp(as->data, hexcopy)) { return -1; } - X509_free(x509_clientcert); return 2; #endif } diff -rupN Unreal3.2.10-rc1/src/modules/l_commands.c Unreal3.2.10-rc1-new/src/modules/l_commands.c --- Unreal3.2.10-rc1/src/modules/l_commands.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/l_commands.c 2012-10-24 22:06:58.000000000 +0100 @@ -128,6 +128,7 @@ extern int m_nopost_Init(ModuleInfo *mod extern int m_issecure_Init(ModuleInfo *modinfo); extern int m_cap_Init(ModuleInfo *modinfo); extern int m_sasl_Init(ModuleInfo *modinfo); +extern int m_fingerprint_Init(ModuleInfo *modinfo); #ifdef GUEST extern int m_guest_Init(ModuleInfo *modinfo); #endif @@ -182,6 +183,7 @@ extern int m_nopost_Load(int module_load extern int m_issecure_Load(int module_load); extern int m_cap_Load(int module_load); extern int m_sasl_Load(int module_load); +extern int m_fingerprint_Load(int module_load); #ifdef GUEST extern int m_guest_Load(int module_load); #endif @@ -223,6 +225,7 @@ extern int m_nopost_Unload(); extern int m_issecure_Unload(); extern int m_cap_Unload(); extern int m_sasl_Unload(); +extern int m_fingerprint_Unload(); #ifdef GUEST extern int m_guest_Unload(); #endif @@ -370,6 +373,7 @@ int l_commands_Init(ModuleInfo *modin m_issecure_Init(ModCmdsInfo); m_cap_Init(ModCmdsInfo); m_sasl_Init(ModCmdsInfo); + m_fingerprint_Init(ModCmdsInfo); #ifdef GUEST m_guest_Init(ModCmdsInfo); #endif @@ -487,6 +491,7 @@ int l_commands_Load(int module_load) m_issecure_Load(module_load); m_cap_Load(module_load); m_sasl_Load(module_load); + m_fingerprint_Load(module_load); #ifdef GUEST m_guest_Load(module_load); #endif @@ -604,6 +609,7 @@ int l_commands_Unload(int module_unload) m_issecure_Unload(); m_cap_Unload(); m_sasl_Unload(); + m_fingerprint_Unload(); #ifdef GUEST m_guest_Unload(); #endif diff -rupN Unreal3.2.10-rc1/src/modules/Makefile.in Unreal3.2.10-rc1-new/src/modules/Makefile.in --- Unreal3.2.10-rc1/src/modules/Makefile.in 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/Makefile.in 2012-10-24 22:04:18.000000000 +0100 @@ -55,7 +55,7 @@ R_MODULES= \ m_mode.so m_watch.so m_part.so m_join.so m_motd.so m_opermotd.so \ m_botmotd.so m_lusers.so m_names.so m_svsnolag.so m_addmotd.so \ m_svslusers.so m_starttls.so m_nopost.so m_issecure.so m_cap.so \ - m_sasl.so + m_sasl.so m_fingerprint.so #note change of .c to .o COMMANDS=m_sethost.o m_chghost.o m_chgident.o m_setname.o m_setident.o \ @@ -78,7 +78,7 @@ COMMANDS=m_sethost.o m_chghost.o m_chgid m_connect.o m_dccallow.o m_userip.o m_nick.o m_user.o \ m_mode.o m_watch.o m_part.o m_join.o m_motd.o m_opermotd.o \ m_botmotd.o m_lusers.o m_names.o m_svsnolag.o m_starttls.o \ - m_nopost.o m_issecure.o m_cap.o m_sasl.o + m_nopost.o m_issecure.o m_cap.o m_sasl.o m_fingerprint.o MODULES=commands.so cloak.so $(R_MODULES) @@ -426,6 +426,9 @@ m_cap.o: m_cap.c $(INCLUDES) m_sasl.o: m_sasl.c $(INCLUDES) $(CC) $(CFLAGS) $(MODULEFLAGS) -c m_sasl.c +m_fingerprint.o: m_fingerprint.c $(INCLUDES) + $(CC) $(CFLAGS) $(MODULEFLAGS) -c m_fingerprint.c + ############################################################################# # .so's section ############################################################################# @@ -858,6 +861,10 @@ m_sasl.so: m_sasl.c $(INCLUDES) $(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \ -o m_sasl.so m_sasl.c +m_fingerprint.so: m_fingerprint.c $(INCLUDES) + $(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \ + -o m_fingerprint.so m_fingerprint.c + ############################################################################# # and now the remaining modules... ############################################################################# diff -rupN Unreal3.2.10-rc1/src/modules/m_fingerprint.c Unreal3.2.10-rc1-new/src/modules/m_fingerprint.c --- Unreal3.2.10-rc1/src/modules/m_fingerprint.c 1970-01-01 01:00:00.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/m_fingerprint.c 2012-10-24 22:01:35.000000000 +0100 @@ -0,0 +1,110 @@ +/* + * IRC - Internet Relay Chat, src/modules/m_fingerprint.c + * (C) 2001 The UnrealIRCd Team + * + * Server to server FINGERPRINT command + * + * See file AUTHORS in IRC package for additional names of + * the programmers. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 1, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ +#include "config.h" +#include "struct.h" +#include "common.h" +#include "sys.h" +#include "numeric.h" +#include "msg.h" +#include "channel.h" +#include +#include +#include +#include +#include +#ifdef _WIN32 +#include +#endif +#include +#include "h.h" +#include "proto.h" +#ifdef STRIPBADWORDS +#include "badwords.h" +#endif +#ifdef _WIN32 +#include "version.h" +#endif + +DLLFUNC int m_fingerprint(aClient *cptr, aClient *sptr, int parc, char *parv[]); + +#define MSG_FINGERPRINT "FINGERPRINT" +#define TOK_FINGERPRINT "FP" + +ModuleHeader MOD_HEADER(m_fingerprint) + = { + "m_fingerprint", + "$Id: m_fingerprint.c,v 1.1.2.15 2010-12-3 20:20:23 -Nath Exp $", + "Server to Server FINGERPRINT command", + "3.2-b8-1", + NULL + }; + +DLLFUNC int MOD_INIT(m_fingerprint)(ModuleInfo *modinfo) +{ + add_Command(MSG_FINGERPRINT, TOK_FINGERPRINT, m_fingerprint, MAXPARA); + MARK_AS_OFFICIAL_MODULE(modinfo); + return MOD_SUCCESS; +} + +DLLFUNC int MOD_LOAD(m_fingerprint)(int module_load) +{ + return MOD_SUCCESS; +} + +DLLFUNC int MOD_UNLOAD(m_fingerprint)(int module_unload) +{ + if (del_Command(MSG_FINGERPRINT, TOK_FINGERPRINT, m_fingerprint) < 0) + { + sendto_realops("Failed to delete commands when unloading %s", + MOD_HEADER(m_fingerprint).name); + } + return MOD_SUCCESS; +} +/* + * m_fingerprint + * parv[1] = nickname + * parv[2] = fingerprint + * +*/ + +int m_fingerprint(aClient *cptr, aClient *sptr, int parc, char *parv[]) +{ + aClient *acptr; + + if (!IsServer(sptr)) + return 0; + + if (parc < 3) + return 0; + + acptr = find_person(parv[1], (aClient *)NULL); + if (!acptr) + return 0; + + strcpy(acptr->sslfingerprint, parv[2]); + + sendto_serv_butone_token(cptr, sptr->name, + MSG_FINGERPRINT, TOK_FINGERPRINT, "%s :%s", parv[1], parv[2]); + return 0; +} diff -rupN Unreal3.2.10-rc1/src/modules/m_nick.c Unreal3.2.10-rc1-new/src/modules/m_nick.c --- Unreal3.2.10-rc1/src/modules/m_nick.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/m_nick.c 2012-10-24 22:50:31.000000000 +0100 @@ -1078,11 +1078,24 @@ int _register_user(aClient *cptr, aClien } #ifdef USE_SSL if (sptr->flags & FLAGS_SSL) + { if (sptr->ssl) + { sendto_one(sptr, ":%s NOTICE %s :*** You are connected to %s with %s", me.name, sptr->name, me.name, ssl_get_cipher(sptr->ssl)); + /* Handle fingerprint stuff -Nath */ + if (!BadPtr(sptr->sslfingerprint)) + { + sendto_one(sptr, + ":%s NOTICE %s :*** Your SSL fingerprint is %s", + me.name, sptr->name, sptr->sslfingerprint); + sendto_serv_butone_token(cptr, me.name, + MSG_FINGERPRINT, TOK_FINGERPRINT, "%s :%s", sptr->name, sptr->sslfingerprint); + } + } + } #endif do_cmd(sptr, sptr, "LUSERS", 1, parv); short_motd(sptr); diff -rupN Unreal3.2.10-rc1/src/modules/m_server.c Unreal3.2.10-rc1-new/src/modules/m_server.c --- Unreal3.2.10-rc1/src/modules/m_server.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/m_server.c 2012-10-24 22:55:31.000000000 +0100 @@ -987,6 +987,11 @@ int m_server_synch(aClient *cptr, long n (IsToken(cptr) ? TOK_SWHOIS : MSG_SWHOIS), acptr->name, acptr->user->swhois); + if (!BadPtr(acptr->sslfingerprint)) + sendto_one(cptr, "%s %s :%s", + (IsToken(cptr) ? TOK_FINGERPRINT : + MSG_FINGERPRINT), acptr->name, + acptr->sslfingerprint); if (!SupportSJOIN(cptr)) send_user_joins(cptr, acptr); diff -rupN Unreal3.2.10-rc1/src/modules/m_whois.c Unreal3.2.10-rc1-new/src/modules/m_whois.c --- Unreal3.2.10-rc1/src/modules/m_whois.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/modules/m_whois.c 2012-10-24 18:51:09.000000000 +0100 @@ -313,13 +313,19 @@ DLLFUNC int m_whois(aClient *cptr, aCli sendto_one(sptr, rpl_str(RPL_WHOISBOT), me.name, parv[0], name, ircnetwork); if (acptr->umodes & UMODE_SECURE) + { sendto_one(sptr, rpl_str(RPL_WHOISSECURE), me.name, parv[0], name, "is using a Secure Connection"); + if (!BadPtr(acptr->sslfingerprint)) + sendto_one(sptr, ":%s 276 %s: %s's ssl fingerprint is %s", me.name, + parv[0], name, acptr->sslfingerprint); + } if (!BadPtr(user->swhois) && !hideoper) sendto_one(sptr, ":%s %d %s %s :%s", me.name, RPL_WHOISSPECIAL, parv[0], name, acptr->user->swhois); + /* * display services account name if it's actually a services account name and diff -rupN Unreal3.2.10-rc1/src/s_bsd.c Unreal3.2.10-rc1-new/src/s_bsd.c --- Unreal3.2.10-rc1/src/s_bsd.c 2012-10-17 14:05:38.000000000 +0100 +++ Unreal3.2.10-rc1-new/src/s_bsd.c 2012-10-24 22:41:08.000000000 +0100 @@ -909,6 +909,17 @@ int completed_connection(aClient *cptr) ConfigItem_link *aconf = cptr->serv ? cptr->serv->conf : NULL; extern char serveropts[]; SetHandshake(cptr); +#ifdef USE_SSL + unsigned int n; + unsigned int l; + unsigned int j; + unsigned char md[EVP_MAX_MD_SIZE]; + char hex[EVP_MAX_MD_SIZE * 2 + 1]; + char hexc[EVP_MAX_MD_SIZE * 3 + 1]; + char hexchars[16] = "0123456789abcdef"; + const EVP_MD *digest = EVP_sha256(); + X509 *x509_clientcert = NULL; +#endif if (!aconf) { @@ -935,7 +946,26 @@ int completed_connection(aClient *cptr) send_server_message(cptr); } if (!IsDead(cptr)) + { +#ifdef USE_SSL + /* Get the client's certificate fingerprint if they have one for outgoing connections -Nath */ + x509_clientcert = SSL_get_peer_certificate((SSL *)cptr->ssl); + if (x509_clientcert) + { + if (X509_digest(x509_clientcert, digest, md, &n)) { + j = 0; + for (l=0; l> 4) & 0xF]; + hex[j++] = hexchars[md[l] & 0xF]; + } + hex[j] = '\0'; + strcpy(cptr->sslfingerprint, hex); + } + X509_free(x509_clientcert); + } +#endif start_auth(cptr); + } return (IsDead(cptr)) ? -1 : 0; } @@ -1458,7 +1488,18 @@ static int dns_special_flag = 0; /* This void start_of_normal_client_handshake(aClient *acptr) { -struct hostent *he; + struct hostent *he; +#ifdef USE_SSL + unsigned int n; + unsigned int l; + unsigned int j; + unsigned char md[EVP_MAX_MD_SIZE]; + char hex[EVP_MAX_MD_SIZE * 2 + 1]; + char hexc[EVP_MAX_MD_SIZE * 3 + 1]; + char hexchars[16] = "0123456789abcdef"; + const EVP_MD *digest = EVP_sha256(); + X509 *x509_clientcert = NULL; +#endif acptr->status = STAT_UNKNOWN; @@ -1488,6 +1529,23 @@ struct hostent *he; } doauth: +#ifdef USE_SSL + /* Get the client's certificate fingerprint if they have one for incoming connections -Nath */ + x509_clientcert = SSL_get_peer_certificate((SSL *)acptr->ssl); + if (x509_clientcert) + { + if (X509_digest(x509_clientcert, digest, md, &n)) { + j = 0; + for (l=0; l> 4) & 0xF]; + hex[j++] = hexchars[md[l] & 0xF]; + } + hex[j] = '\0'; + strcpy(acptr->sslfingerprint, hex); + } + X509_free(x509_clientcert); + } +#endif start_auth(acptr); }