znc · an-empty-string · Dec 23, 2017 · Dec 23, 2017 · DarthGandalf · Dec 23, 2017
diff --git a/include/znc/HTTPSock.h b/include/znc/HTTPSock.h
@@ -86,6 +86,7 @@ class CHTTPSock : public CSocket {
     const CString& GetURI() const;
     const CString& GetURIPrefix() const;
     bool IsPost() const;
+    long GetPeerFingerprint(CString& sResult) const override;
     // !Getters
 
     // Parameter access
@@ -118,6 +119,7 @@ class CHTTPSock : public CSocket {
     void WriteFileGzipped(CFile& File);
 
   protected:
+    bool IsTrustedProxy(const CString& sIP);
     void PrintPage(const CString& sPage);
     void Init();
 
@@ -135,6 +137,7 @@ class CHTTPSock : public CSocket {
     CString m_sContentType;
     CString m_sDocRoot;
     CString m_sForwardedIP;
+    CString m_sForwardedCertFP;
     std::map<CString, VCString> m_msvsPOSTParams;
     std::map<CString, VCString> m_msvsGETParams;
     MCString m_msHeaders;

diff --git a/include/znc/Socket.h b/include/znc/Socket.h
@@ -56,6 +56,10 @@ class CZNCSock : public Csock, public CCoreTranslationMixin {
 
     virtual CString GetRemoteIP() const { return Csock::GetRemoteIP(); }
 
+    virtual long GetPeerFingerprint(CS_STRING& sResult) const {
+        return Csock::GetPeerFingerprint(sResult);
+    }
+
   protected:
     // All existing errno codes seem to be in range 1-300
     enum {

diff --git a/modules/certauth.cpp b/modules/certauth.cpp
@@ -219,7 +219,18 @@ class CSSLClientCertMod : public CModule {
 
     CString GetKey(Csock* pSock) {
         CString sRes;
-        long int res = pSock->GetPeerFingerprint(sRes);
+
+        CZNCSock *pZNCSock;
+        long int res;
+        if ((pZNCSock = dynamic_cast<CZNCSock*>(pSock))) {
+            // This up-cast is needed because GetPeerFingerprint is not declared
+            // virtual on Csock, but it is on CZNCSock. This _should_ never
+            // fail, since all the Csocks we care about are also CZNCSocks, but
+            // better safe than sorry.
+            res = pZNCSock->GetPeerFingerprint(sRes);
+        } else {
+            res = pSock->GetPeerFingerprint(sRes);
+        }
 
         DEBUG("GetKey() returned status " << res << " with key " << sRes);
 

diff --git a/src/HTTPSock.cpp b/src/HTTPSock.cpp
@@ -106,6 +106,20 @@ void CHTTPSock::CheckPost() {
     }
 }
 
+bool CHTTPSock::IsTrustedProxy(const CString& sIP) {
+    const VCString& vsTrustedProxies = CZNC::Get().GetTrustedProxies();
+    bool bTrusted = false;
+
+    for (const CString& sTrustedProxy : vsTrustedProxies) {
+        if (CUtils::CheckCIDR(sIP, sTrustedProxy)) {
+            bTrusted = true;
+            break;
+        }
+    }
+
+    return bTrusted;
+}
+
 void CHTTPSock::ReadLine(const CString& sData) {
     if (m_bGotHeader) {
         return;
@@ -152,7 +166,6 @@ void CHTTPSock::ReadLine(const CString& sData) {
     } else if (sName.Equals("X-Forwarded-For:")) {
         // X-Forwarded-For: client, proxy1, proxy2
         if (m_sForwardedIP.empty()) {
-            const VCString& vsTrustedProxies = CZNC::Get().GetTrustedProxies();
             CString sIP = GetRemoteIP();
 
             VCString vsIPs;
@@ -161,13 +174,7 @@ void CHTTPSock::ReadLine(const CString& sData) {
             while (!vsIPs.empty()) {
                 // sIP told us that it got connection from vsIPs.back()
                 // check if sIP is trusted proxy
-                bool bTrusted = false;
-                for (const CString& sTrustedProxy : vsTrustedProxies) {
-                    if (CUtils::CheckCIDR(sIP, sTrustedProxy)) {
-                        bTrusted = true;
-                        break;
-                    }
-                }
+                bool bTrusted = IsTrustedProxy(sIP);
                 if (bTrusted) {
                     // sIP is trusted proxy, so use vsIPs.back() as new sIP
                     sIP = vsIPs.back();
@@ -181,6 +188,12 @@ void CHTTPSock::ReadLine(const CString& sData) {
             // X-Forwarded-For list in both cases use it as the endpoind
             m_sForwardedIP = sIP;
         }
+    } else if (sName.Equals("X-Forwarded-CertFP:")) {
+        if (IsTrustedProxy(GetRemoteIP())) {
+            m_sForwardedCertFP = sLine.Token(1, true);
+            DEBUG(GetSockName()
+                  << " Got a forwarded CertFP '" << m_sForwardedCertFP << "'");
+        }
     } else if (sName.Equals("If-None-Match:")) {
         // this is for proper client cache support (HTTP 304) on static files:
         m_sIfNoneMatch = sLine.Token(1, true);
@@ -540,6 +553,15 @@ const CString& CHTTPSock::GetURI() const { return m_sURI; }
 
 const CString& CHTTPSock::GetURIPrefix() const { return m_sURIPrefix; }
 
+long CHTTPSock::GetPeerFingerprint(CString& sResult) const {
+    if(m_sForwardedCertFP.empty()) {
+        return CSocket::GetPeerFingerprint(sResult);
+    }
+
+    sResult = m_sForwardedCertFP;
+    return X509_V_OK;
+}
+
 bool CHTTPSock::HasParam(const CString& sName, bool bPost) const {
     if (bPost) return (m_msvsPOSTParams.find(sName) != m_msvsPOSTParams.end());
     return (m_msvsGETParams.find(sName) != m_msvsGETParams.end());