From 01bd04a8ffa9903cd3997d44de292bc214d2ef4c Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Sun, 21 Jun 2020 15:46:08 -0400
Subject: [PATCH] fix #1050
---
 conventional.yaml | 4 ++--
 default.yaml | 4 ++--
 irc/client.go | 2 +-
 irc/config.go | 29 +++++++++++++++++------------
 irc/gateways.go | 32 ++++++++++++++++++++------------
 irc/handlers.go | 6 +++---
 6 files changed, 45 insertions(+), 32 deletions(-)
diff --git a/conventional.yaml b/conventional.yaml
index 574b6997..cc0a18d0 100644
--- a/conventional.yaml
+++ b/conventional.yaml
@@ -149,7 +149,7 @@ server:
 -
 # SHA-256 fingerprint of the TLS certificate the gateway must use to connect
 # (comment this out to use passwords only)
- fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
+ certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
 # password the gateway uses to connect, made with oragono genpasswd
 password: "$2a$04$abcdef0123456789abcdef0123456789abcdef0123456789abcde"
@@ -574,7 +574,7 @@ opers:
 # if a SHA-256 certificate fingerprint is configured here, then it will be
 # required to /OPER. if you comment out the password hash above, then you can
 # /OPER without a password.
- #fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
+ #certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
 # if 'auto' is set (and no password hash is set), operator permissions will be
 # granted automatically as soon as you connect with the right fingerprint.
 #auto: true
diff --git a/default.yaml b/default.yaml
index d161462c..a7db127c 100644
--- a/default.yaml
+++ b/default.yaml
@@ -175,7 +175,7 @@ server:
 -
 # SHA-256 fingerprint of the TLS certificate the gateway must use to connect
 # (comment this out to use passwords only)
- fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
+ certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
 # password the gateway uses to connect, made with oragono genpasswd
 password: "$2a$04$abcdef0123456789abcdef0123456789abcdef0123456789abcde"
@@ -600,7 +600,7 @@ opers:
 # if a SHA-256 certificate fingerprint is configured here, then it will be
 # required to /OPER. if you comment out the password hash above, then you can
 # /OPER without a password.
- #fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
+ #certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
 # if 'auto' is set (and no password hash is set), operator permissions will be
 # granted automatically as soon as you connect with the right fingerprint.
 #auto: true
diff --git a/irc/client.go b/irc/client.go
index 4a36e926..4a01cb60 100644
--- a/irc/client.go
+++ b/irc/client.go
@@ -1646,7 +1646,7 @@ func (client *Client) attemptAutoOper(session *Session) {
 return
 }
 for _, oper := range client.server.Config().operators {
- if oper.Auto && oper.Pass == nil && oper.Fingerprint != "" && oper.Fingerprint == session.certfp {
+ if oper.Auto && oper.Pass == nil && oper.Certfp != "" && oper.Certfp == session.certfp {
 rb := NewResponseBuffer(session)
 applyOper(client, oper, rb)
 rb.Send(true)
diff --git a/irc/config.go b/irc/config.go
index 3e8723f4..bd002316 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -408,7 +408,8 @@ type OperConfig struct {
 Vhost string
 WhoisLine string `yaml:"whois-line"`
 Password string
- Fingerprint string
+ Fingerprint *string // legacy name for certfp, #1050
+ Certfp string
 Auto bool
 Modes string
 }
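Review bot: The legacy `Fingerprint *string` field added to OperConfig carries only a trailing comment, so nothing tells a maintainer that the key is deprecated or which spelling wins when a config sets both; Go's `// Deprecated:` convention would also let tooling flag new uses. I would replace the trailing comment with a doc comment above the field: `// Fingerprint is the legacy spelling of the certfp key (#1050); it is only consulted when Certfp is empty.` followed by `// Deprecated: use Certfp.` The same applies to the webircConfig.Fingerprint field in irc/gateways.go. The OperConfig struct begins before this hunk.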
@@ -695,14 +696,14 @@ func (conf *Config) OperatorClasses() (map[string]*OperClass, error) {
 // Oper represents a single assembled operator's config.
 type Oper struct {
- Name string
- Class *OperClass
- WhoisLine string
- Vhost string
- Pass []byte
- Fingerprint string
- Auto bool
- Modes []modes.ModeChange
+ Name string
+ Class *OperClass
+ WhoisLine string
+ Vhost string
+ Pass []byte
+ Certfp string
+ Auto bool
+ Modes []modes.ModeChange
 }
 // Operators returns a map of operator configs from the given OperClass and config.
@@ -724,15 +725,19 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error
 return nil, fmt.Errorf("Oper %s has an invalid password hash: %s", oper.Name, err.Error())
 }
 }
- if opConf.Fingerprint != "" {
- oper.Fingerprint, err = utils.NormalizeCertfp(opConf.Fingerprint)
+ certfp := opConf.Certfp
+ if certfp == "" && opConf.Fingerprint != nil {
+ certfp = *opConf.Fingerprint
+ }
+ if certfp != "" {
+ oper.Certfp, err = utils.NormalizeCertfp(certfp)
 if err != nil {
 return nil, fmt.Errorf("Oper %s has an invalid fingerprint: %s", oper.Name, err.Error())
 }
 }
 oper.Auto = opConf.Auto
- if oper.Pass == nil && oper.Fingerprint == "" {
+ if oper.Pass == nil && oper.Certfp == "" {
 return nil, fmt.Errorf("Oper %s has neither a password nor a fingerprint", name)
 }
diff --git a/irc/gateways.go b/irc/gateways.go
index 57140b89..ecc7899c 100644
--- a/irc/gateways.go
+++ b/irc/gateways.go
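Review bot: When an oper block sets both `certfp` and the legacy `fingerprint` key, the new `certfp := opConf.Certfp` / `if certfp == "" && opConf.Fingerprint != nil` sequence silently drops the legacy value, so an operator whose two keys disagree is authenticated against whichever one the admin may not realise is active. Because this value gates /OPER, I would reject the ambiguity at load time instead of picking a winner: `if opConf.Certfp != "" && opConf.Fingerprint != nil && *opConf.Fingerprint != "" {` / `return nil, fmt.Errorf("Oper %s sets both certfp and the legacy fingerprint key", oper.Name)` / `}` placed just before the `certfp :=` line. The webircConfig.Populate hunk in irc/gateways.go applies the same precedence and would want the same check. Operators begins and ends outside this hunk.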
@@ -26,31 +26,39 @@ const (
 )
 type webircConfig struct {
- PasswordString string `yaml:"password"`
- Password []byte `yaml:"password-bytes"`
- Fingerprint string
+ PasswordString string `yaml:"password"`
+ Password []byte `yaml:"password-bytes"`
+ Fingerprint *string // legacy name for certfp, #1050
+ Certfp string
 Hosts []string
 allowedNets []net.IPNet
 }
 // Populate fills out our password or fingerprint.
 func (wc *webircConfig) Populate() (err error) {
- if wc.Fingerprint == "" && wc.PasswordString == "" {
- err = ErrNoFingerprintOrPassword
- }
-
- if err == nil && wc.PasswordString != "" {
+ if wc.PasswordString != "" {
 wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)
+ if err != nil {
+ return
+ }
 }
- if err == nil && wc.Fingerprint != "" {
- wc.Fingerprint, err = utils.NormalizeCertfp(wc.Fingerprint)
+ certfp := wc.Certfp
+ if certfp == "" && wc.Fingerprint != nil {
+ certfp = *wc.Fingerprint
+ }
+ if certfp != "" {
+ wc.Certfp, err = utils.NormalizeCertfp(certfp)
+ }
+ if err != nil {
+ return
 }
- if err == nil {
- wc.allowedNets, err = utils.ParseNetList(wc.Hosts)
+ if wc.Certfp == "" && wc.PasswordString == "" {
+ return ErrNoFingerprintOrPassword
 }
+ wc.allowedNets, err = utils.ParseNetList(wc.Hosts)
 return err
 }
diff --git a/irc/handlers.go b/irc/handlers.go
index c4f9d515..e6aa53db 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -2164,8 +2164,8 @@ func operHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Resp
 var checkPassed, checkFailed, passwordFailed bool
 oper := server.GetOperator(msg.Params[0])
 if oper != nil {
- if oper.Fingerprint != "" {
- if oper.Fingerprint == rb.session.certfp {
+ if oper.Certfp != "" {
+ if oper.Certfp == rb.session.certfp {
 checkPassed = true
 } else {
 checkFailed = true
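Review bot: The rewritten Populate mixes a named result with two bare `return` statements (after decodeLegacyPasswordHash and after NormalizeCertfp) and two explicit returns, which forces the reader to track what `err` holds at each exit; the second bare-return check is also evaluated when `certfp` is empty, where `err` is necessarily nil at that point. Folding the normalization and its check into one guarded statement reads more directly: `if certfp != "" {` / `if wc.Certfp, err = utils.NormalizeCertfp(certfp); err != nil { return err }` / `}`, with `return err` in the password branch for symmetry. The doc comment `// Populate fills out our password or fingerprint.` would also benefit from saying that it now rejects a block with neither and parses Hosts into allowedNets. The whole function lies within this hunk.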
@@ -2737,7 +2737,7 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Re
 if 0 < len(info.Password) && bcrypt.CompareHashAndPassword(info.Password, givenPassword) != nil {
 continue
 }
- if info.Fingerprint != "" && info.Fingerprint != rb.session.certfp {
+ if info.Certfp != "" && info.Certfp != rb.session.certfp {
 continue
 }