diff options
| author | 2023-02-11 09:27:46 +0000 | |
|---|---|---|
| committer | 2023-02-11 09:30:22 +0000 | |
| commit | 416661d17d6797c439d80afb0681e75a3573ff80 (patch) | |
| tree | 569201242d1875e9ff14995ed319fbb94ce86b77 /src | |
| parent | Add more action types to the repeat module. (diff) | |
Add an option so local non-SSL users can be seen as securely connected.
Diffstat (limited to 'src')
| -rw-r--r-- | src/modules/m_sasl.cpp | 9 | ||||
| -rw-r--r-- | src/modules/m_sslinfo.cpp | 18 | ||||
| -rw-r--r-- | src/modules/m_sslmodes.cpp | 11 |
3 files changed, 25 insertions, 13 deletions
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp index 85aba2d0f..2ecd38640 100644 --- a/src/modules/m_sasl.cpp +++ b/src/modules/m_sasl.cpp @@ -114,17 +114,14 @@ private: bool OnRequest(LocalUser* user, bool adding) override { - if (requiressl && sslapi && !sslapi->GetCertificate(user)) - return false; - // Servers MUST NAK any sasl capability request if the authentication layer // is unavailable. - return servertracker.IsOnline(); + return OnList(user); } bool OnList(LocalUser* user) override { - if (requiressl && sslapi && !sslapi->GetCertificate(user)) + if (requiressl && sslapi && !sslapi->IsSecure(user)) return false; // Servers MUST NOT advertise the sasl capability if the authentication layer @@ -189,7 +186,7 @@ private: params.reserve(3); params.push_back(user->GetRealHost()); params.push_back(user->GetAddress()); - params.emplace_back(sslapi && sslapi->GetCertificate(user) ? "S" : "P"); + params.emplace_back(sslapi && sslapi->IsSecure(user) ? "S" : "P"); SendSASL(user, "*", 'H', params); } diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 5341f5c96..2531c5201 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -136,6 +136,7 @@ class UserCertificateAPIImpl final public: BoolExtItem nosslext; SSLCertExt sslext; + bool localsecure; UserCertificateAPIImpl(Module* mod) : UserCertificateAPIBase(mod) @@ -162,6 +163,18 @@ public: return cert; } + bool IsSecure(User* user) override + { + auto* cert = GetCertificate(user); + if (cert) + return !!cert; + + if (localsecure) + return user->client_sa.is_local(); + + return false; + } + void SetCertificate(User* user, ssl_cert* cert) override { ServerInstance->Logs.Debug(MODNAME, "Setting TLS client certificate for {}: {}", @@ -307,15 +320,18 @@ public: { const auto& tag = ServerInstance->Config->ConfValue("sslinfo"); cmd.operonlyfp = tag->getBool("operonly"); + cmd.sslapi.localsecure = tag->getBool("localsecure", true); hash = tag->getString("hash"); } void OnWhois(Whois::Context& whois) override { + if (cmd.sslapi.IsSecure(whois.GetTarget())) + whois.SendLine(RPL_WHOISSECURE, "is using a secure connection"); + ssl_cert* cert = cmd.sslapi.GetCertificate(whois.GetTarget()); if (cert) { - whois.SendLine(RPL_WHOISSECURE, "is using a secure connection"); if ((!cmd.operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty()) whois.SendLine(RPL_WHOISCERTFP, INSP_FORMAT("has TLS client certificate fingerprint {}", cert->fingerprint)); } diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp index 150aca0b5..44723038d 100644 --- a/src/modules/m_sslmodes.cpp +++ b/src/modules/m_sslmodes.cpp @@ -93,8 +93,7 @@ public: size_t nonssl = 0; for (const auto& [u, _] : channel->GetUsers()) { - ssl_cert* cert = API->GetCertificate(u); - if (!cert && !u->server->IsService()) + if (!API->IsSecure(u) && !u->server->IsService()) nonssl++; } @@ -146,7 +145,7 @@ public: if (change.adding == dest->IsModeSet(this)) return false; - if (change.adding && IS_LOCAL(user) && (!API || !API->GetCertificate(user))) + if (change.adding && IS_LOCAL(user) && (!API || !API->IsSecure(user))) return false; dest->SetMode(this, change.adding); @@ -185,7 +184,7 @@ public: return MOD_RES_DENY; } - if (!api->GetCertificate(user)) + if (!api->IsSecure(user)) { user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS users only (+z is set)"); return MOD_RES_DENY; @@ -209,7 +208,7 @@ public: /* If the target is +z */ if (target->IsModeSet(sslquery)) { - if (!api || !api->GetCertificate(user)) + if (!api || !api->IsSecure(user)) { /* The sending user is not on an TLS connection */ user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery)); @@ -219,7 +218,7 @@ public: /* If the user is +z */ else if (user->IsModeSet(sslquery)) { - if (!api || !api->GetCertificate(target)) + if (!api || !api->IsSecure(target)) { user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery, true)); return MOD_RES_DENY; |
