aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/modules/m_spanningtree/hmac.cpp31
1 files changed, 27 insertions, 4 deletions
diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 996d69e96..38ce3cb70 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -73,15 +73,38 @@ bool TreeSocket::ComparePass(const Link& link, const std::string& theirs)
capab->auth_fingerprint = !link.Fingerprint.empty();
capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
- std::string fp = SSLClientCert::GetFingerprint(this);
+ std::string fp;
if (capab->auth_fingerprint)
{
+ std::string badfps;
+ auto foundfp = false;
+
+ auto* sslhook = SSLIOHook::IsSSL(this);
+ auto* sslcert = sslhook ? sslhook->GetCertificate() : nullptr;
+ if (sslcert && sslcert->IsUsable())
+ {
+ for (const auto& fingerprint : sslcert->GetFingerprints())
+ {
+ if (InspIRCd::TimingSafeCompare(link.Fingerprint, fingerprint))
+ {
+ fp = fingerprint;
+ foundfp = true;
+ break;
+ }
+
+ badfps.append(badfps.empty() ? "" : ", ").append(fingerprint);
+ }
+ }
+
/* Require fingerprint to exist and match */
- if (!InspIRCd::TimingSafeCompare(link.Fingerprint, fp))
+ if (!foundfp)
{
+ if (badfps.empty())
+ badfps = "(none)";
+
ServerInstance->SNO.WriteToSnoMask('l', "Invalid TLS certificate fingerprint on link {}: need \"{}\" got \"{}\"",
- link.Name, link.Fingerprint, fp);
- SendError("Invalid TLS certificate fingerprint " + fp + " - expected " + link.Fingerprint);
+ link.Name, link.Fingerprint, badfps);
+ SendError("Invalid TLS certificate fingerprint: " + badfps);
return false;
}
}