allow certfp method to be configured

doc/ircd.conf.example

@@ -536,6 +536,7 @@ general {
 	throttle_count = 4;
 	max_ratelimit_tokens = 30;
 	away_interval = 30;
+	certfp_method = sha1;
 };
 
 modules {

doc/reference.conf

@@ -1294,6 +1294,12 @@ general {
 	 * counts.
 	 */
 	away_interval = 30;
+
+	/* certfp_method: the method that should be used for computing certificate fingerprints.
+	 * Acceptable options are sha1, sha256 and sha512.  Networks running versions of charybdis
+	 * prior to charybdis 3.5 MUST use sha1 for certfp_method.
+	 */
+	certfp_method = sha1;
 };
 
 modules {

include/s_conf.h

@@ -234,6 +234,7 @@ struct config_file_entry
 	int client_flood_message_num;
 
 	unsigned int nicklen;
+	int certfp_method;
 };
 
 struct config_channel_entry

src/newconf.c

@@ -1644,6 +1644,24 @@ conf_set_general_oper_umodes(void *data)
 	set_modes_from_table(&ConfigFileEntry.oper_umodes, "umode", umode_table, data);
 }
 
+static void
+conf_set_general_certfp_method(void *data)
+{
+	char *method = data;
+
+	if (!strcasecmp(method, "sha1"))
+		ConfigFileEntry.certfp_method = RB_SSL_CERTFP_METH_SHA1;
+	else if (!strcasecmp(method, "sha256"))
+		ConfigFileEntry.certfp_method = RB_SSL_CERTFP_METH_SHA256;
+	else if (!strcasecmp(method, "sha512"))
+		ConfigFileEntry.certfp_method = RB_SSL_CERTFP_METH_SHA512;
+	else
+	{
+		ConfigFileEntry.certfp_method = RB_SSL_CERTFP_METH_SHA1;
+		conf_report_error("Ignoring general::certfp_method -- bogus certfp method %s", method);
+	}
+}
+
 static void
 conf_set_general_oper_only_umodes(void *data)
 {
@@ -2376,6 +2394,7 @@ static struct ConfEntry conf_general_table[] =
 	{ "client_flood_message_time",	CF_INT,   NULL, 0, &ConfigFileEntry.client_flood_message_time	},
 	{ "max_ratelimit_tokens",	CF_INT,   NULL, 0, &ConfigFileEntry.max_ratelimit_tokens	},
 	{ "away_interval",		CF_INT,   NULL, 0, &ConfigFileEntry.away_interval		},
+	{ "certfp_method",	CF_STRING, conf_set_general_certfp_method, 0, NULL },
 	{ "\0", 		0, 	  NULL, 0, NULL }
 };
 

src/s_conf.c

@@ -819,6 +819,7 @@ set_default_conf(void)
 	ServerInfo.default_max_clients = MAXCONNECTIONS;
 
 	ConfigFileEntry.nicklen = NICKLEN;
+	ConfigFileEntry.certfp_method = RB_SSL_CERTFP_METH_SHA1;
 
 	if (!alias_dict)
 		alias_dict = irc_dictionary_create(strcasecmp);

src/sslproc.c

@@ -72,6 +72,7 @@ struct _ssl_ctl
 static void send_new_ssl_certs_one(ssl_ctl_t * ctl, const char *ssl_cert,
 				   const char *ssl_private_key, const char *ssl_dh_params);
 static void send_init_prng(ssl_ctl_t * ctl, prng_seed_t seedtype, const char *path);
+static void send_certfp_method(ssl_ctl_t *ctl, int method);
 
 
 static rb_dlink_list ssl_daemons;
@@ -306,10 +307,14 @@ start_ssldaemon(int count, const char *ssl_cert, const char *ssl_private_key, co
 		rb_close(P1);
 		ctl = allocate_ssl_daemon(F1, P2, pid);
 		if(ssl_ok)
+		{
 			send_init_prng(ctl, RB_PRNG_DEFAULT, NULL);
-		if(ssl_ok && ssl_cert != NULL && ssl_private_key != NULL)
-			send_new_ssl_certs_one(ctl, ssl_cert, ssl_private_key,
-					       ssl_dh_params != NULL ? ssl_dh_params : "");
+			send_certfp_method(ctl, ConfigFileEntry.certfp_method);
+
+			if(ssl_cert != NULL && ssl_private_key != NULL)
+				send_new_ssl_certs_one(ctl, ssl_cert, ssl_private_key,
+						       ssl_dh_params != NULL ? ssl_dh_params : "");
+		}
 		ssl_read_ctl(ctl->F, ctl);
 		ssl_do_pipe(P2, ctl);
 
@@ -627,6 +632,16 @@ send_init_prng(ssl_ctl_t * ctl, prng_seed_t seedtype, const char *path)
 	ssl_cmd_write_queue(ctl, NULL, 0, tmpbuf, len);
 }
 
+static void
+send_certfp_method(ssl_ctl_t *ctl, int method)
+{
+	char buf[5];
+
+	buf[0] = 'F';
+	int32_to_buf(&buf[1], method);
+	ssl_cmd_write_queue(ctl, NULL, 0, buf, sizeof(buf));
+}
+
 void
 send_new_ssl_certs(const char *ssl_cert, const char *ssl_private_key, const char *ssl_dh_params)
 {