/*
* InspIRCd -- Internet Relay Chat Daemon
*
* Copyright (C) 2013 Shawn Smith <shawn@inspircd.org>
* Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
* Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net>
* Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
* Copyright (C) 2006 Craig Edwards <craigedwards@brainbox.cc>
* Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
* redistribute it and/or modify it under the terms of the GNU General Public
* License as published by the Free Software Foundation, version 2.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "inspircd.h"
#include "modules/ssl.h"
enum
{
// From UnrealIRCd.
ERR_SECUREONLYCHAN = 489,
ERR_ALLMUSTSSL = 490
};
namespace
{
bool IsSSLUser(UserCertificateAPI& api, User* user)
{
if (!api)
return false;
ssl_cert* cert = api->GetCertificate(user);
return (cert != NULL);
}
}
/** Handle channel mode +z
*/
class SSLMode : public ModeHandler
{
private:
UserCertificateAPI& API;
public:
SSLMode(Module* Creator, UserCertificateAPI& api)
: ModeHandler(Creator, "sslonly", 'z', PARAM_NONE, MODETYPE_CHANNEL)
, API(api)
{
}
ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
{
if (adding)
{
if (!channel->IsModeSet(this))
{
if (IS_LOCAL(source))
{
if (!API)
return MODEACTION_DENY;
const Channel::MemberMap& userlist = channel->GetUsers();
for (Channel::MemberMap::const_iterator i = userlist.begin(); i != userlist.end(); ++i)
{
ssl_cert* cert = API->GetCertificate(i->first);
if (!cert && !i->first->server->IsULine())
{
source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "all members of the channel must be connected via SSL");
return MODEACTION_DENY;
}
}
}
channel->SetMode(this, true);
return MODEACTION_ALLOW;
}
else
{
return MODEACTION_DENY;
}
}
else
{
if (channel->IsModeSet(this))
{
channel->SetMode(this, false);
return MODEACTION_ALLOW;
}
return MODEACTION_DENY;
}
}
};
/** Handle user mode +z
*/
class SSLModeUser : public ModeHandler
{
private:
UserCertificateAPI& API;
public:
SSLModeUser(Module* Creator, UserCertificateAPI& api)
: ModeHandler(Creator, "sslqueries", 'z', PARAM_NONE, MODETYPE_USER)
, API(api)
{
if (!ServerInstance->Config->ConfValue("sslmodes")->getBool("enableumode"))
DisableAutoRegister();
}
ModeAction OnModeChange(User* user, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
{
if (adding)
{
if (!dest->IsModeSet(this))
{
if (!IsSSLUser(API, user))
return MODEACTION_DENY;
dest->SetMode(this, true);
return MODEACTION_ALLOW;
}
}
else
{
if (dest->IsModeSet(this))
{
dest->SetMode(this, false);
return MODEACTION_ALLOW;
}
}
return MODEACTION_DENY;
}
};
class ModuleSSLModes : public Module
{
private:
UserCertificateAPI api;
SSLMode sslm;
SSLModeUser sslquery;
public:
ModuleSSLModes()
: api(this)
, sslm(this, api)
, sslquery(this, api)
{
}
ModResult OnUserPreJoin(LocalUser* user, Channel* chan, const std::string& cname, std::string& privs, const std::string& keygiven) CXX11_OVERRIDE
{
if(chan && chan->IsModeSet(sslm))
{
if (!api)
return MOD_RES_DENY;
ssl_cert* cert = api->GetCertificate(user);
if (cert)
{
// Let them in
return MOD_RES_PASSTHRU;
}
else
{
// Deny
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; SSL users only (+z)");
return MOD_RES_DENY;
}
}
return MOD_RES_PASSTHRU;
}
ModResult OnUserPreMessage(User* user, const MessageTarget& msgtarget, MessageDetails& details) CXX11_OVERRIDE
{
if (msgtarget.type != MessageTarget::TYPE_USER)
return MOD_RES_PASSTHRU;
User* target = msgtarget.Get<User>();
/* If one or more of the parties involved is a ulined service, we wont stop it. */
if (user->server->IsULine() || target->server->IsULine())
return MOD_RES_PASSTHRU;
/* If the target is +z */
if (target->IsModeSet(sslquery))
{
if (!IsSSLUser(api, user))
{
/* The sending user is not on an SSL connection */
user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You are not permitted to send private messages to this user (+z set)");
return MOD_RES_DENY;
}
}
/* If the user is +z */
else if (user->IsModeSet(sslquery))
{
if (!IsSSLUser(api, target))
{
user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You must remove usermode 'z' before you are able to send private messages to a non-ssl user.");
return MOD_RES_DENY;
}
}
return MOD_RES_PASSTHRU;
}
ModResult OnCheckBan(User *user, Channel *c, const std::string& mask) CXX11_OVERRIDE
{
if ((mask.length() > 2) && (mask[0] == 'z') && (mask[1] == ':'))
{
if (!api)
return MOD_RES_DENY;
ssl_cert* cert = api->GetCertificate(user);
if (cert && InspIRCd::Match(cert->GetFingerprint(), mask.substr(2)))
return MOD_RES_DENY;
}
return MOD_RES_PASSTHRU;
}
void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
{
tokens["EXTBAN"].push_back('z');
}
Version GetVersion() CXX11_OVERRIDE
{
return Version("Provides user and channel mode +z to allow for SSL-only channels, queries and notices.", VF_VENDOR);
}
};
MODULE_INIT(ModuleSSLModes)