unrealircd

- supernets unrealircd source & configuration
git clone git://git.acid.vegas/unrealircd.git
Log | Files | Refs | Archive | README | LICENSE

certfp.c (3222B)

      1 /*
      2  * Extended ban to ban/exempt by certificate fingerprint (+b ~S:certfp)
      3  * (C) Copyright 2015 The UnrealIRCd Team
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License as published by
      7  * the Free Software Foundation; either version 1, or (at your option)
      8  * any later version.
      9  *
     10  * This program is distributed in the hope that it will be useful,
     11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
     12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13  * GNU General Public License for more details.
     14  *
     15  * You should have received a copy of the GNU General Public License
     16  * along with this program; if not, write to the Free Software
     17  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
     18  */
     19 #include "unrealircd.h"
     20 
     21 ModuleHeader MOD_HEADER
     22 = {
     23 	"extbans/certfp",
     24 	"4.2",
     25 	"ExtBan ~S - Ban/exempt by SHA256 TLS certificate fingerprint",
     26 	"UnrealIRCd Team",
     27 	"unrealircd-6",
     28 };
     29 
     30 /* Forward declarations */
     31 int extban_certfp_is_ok(BanContext *b);
     32 const char *extban_certfp_conv_param(BanContext *b, Extban *extban);
     33 int extban_certfp_is_banned(BanContext *b);
     34 
     35 Extban *register_certfp_extban(ModuleInfo *modinfo)
     36 {
     37 	ExtbanInfo req;
     38 
     39 	memset(&req, 0, sizeof(req));
     40 	req.letter = 'S';
     41 	req.name = "certfp";
     42 	req.is_ok = extban_certfp_is_ok;
     43 	req.conv_param = extban_certfp_conv_param;
     44 	req.is_banned = extban_certfp_is_banned;
     45 	req.is_banned_events = BANCHK_ALL|BANCHK_TKL;
     46 	req.options = EXTBOPT_INVEX|EXTBOPT_TKL;
     47 	return ExtbanAdd(modinfo->handle, req);
     48 }
     49 
     50 /* Called upon module test */
     51 MOD_TEST()
     52 {
     53 	if (!register_certfp_extban(modinfo))
     54 	{
     55 		config_error("could not register extended ban type");
     56 		return MOD_FAILED;
     57 	}
     58 
     59 	return MOD_SUCCESS;
     60 }
     61 
     62 /* Called upon module init */
     63 MOD_INIT()
     64 {
     65 	if (!register_certfp_extban(modinfo))
     66 	{
     67 		config_error("could not register extended ban type");
     68 		return MOD_FAILED;
     69 	}
     70 
     71 	MARK_AS_OFFICIAL_MODULE(modinfo);
     72 
     73 	return MOD_SUCCESS;
     74 }
     75 
     76 /* Called upon module load */
     77 MOD_LOAD()
     78 {
     79 	return MOD_SUCCESS;
     80 }
     81 
     82 /* Called upon unload */
     83 MOD_UNLOAD()
     84 {
     85 	return MOD_SUCCESS;
     86 }
     87 
     88 #define CERT_FP_LEN 64
     89 
     90 int extban_certfp_usage(Client *client)
     91 {
     92 	sendnotice(client, "ERROR: ExtBan ~S expects an SHA256 fingerprint in hexadecimal format (no colons). "
     93 					 "For example: +e ~S:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef)");
     94 	return EX_DENY;
     95 }
     96 
     97 int extban_certfp_is_ok(BanContext *b)
     98 {
     99 	if (b->is_ok_check == EXCHK_PARAM)
    100 	{
    101 		const char *p;
    102 
    103 		if (strlen(b->banstr) != CERT_FP_LEN)
    104 			return extban_certfp_usage(b->client);
    105 
    106 		for (p = b->banstr; *p; p++)
    107 			if (!isxdigit(*p))
    108 				return extban_certfp_usage(b->client);
    109 
    110 		return EX_ALLOW;
    111 	}
    112 	return EX_ALLOW;
    113 }
    114 
    115 /* Obtain targeted certfp from the ban string */
    116 const char *extban_certfp_conv_param(BanContext *b, Extban *extban)
    117 {
    118 	static char retbuf[EVP_MAX_MD_SIZE * 2 + 1];
    119 	char *p;
    120 
    121 	strlcpy(retbuf, b->banstr, sizeof(retbuf));
    122 
    123 	for (p = retbuf; *p; p++)
    124 	{
    125 		*p = tolower(*p);
    126 	}
    127 
    128 	return retbuf;
    129 }
    130 
    131 int extban_certfp_is_banned(BanContext *b)
    132 {
    133 	const char *fp = moddata_client_get(b->client, "certfp");
    134 
    135 	if (!fp)
    136 		return 0; /* not using TLS */
    137 
    138 	if (!strcmp(b->banstr, fp))
    139 		return 1;
    140 
    141 	return 0;
    142 }