aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorGravatar Sadie Powell2023-02-11 09:27:46 +0000
committerGravatar Sadie Powell2023-02-11 09:30:22 +0000
commit416661d17d6797c439d80afb0681e75a3573ff80 (patch)
tree569201242d1875e9ff14995ed319fbb94ce86b77 /src
parentAdd more action types to the repeat module. (diff)
Add an option so local non-SSL users can be seen as securely connected.
Diffstat (limited to 'src')
-rw-r--r--src/modules/m_sasl.cpp9
-rw-r--r--src/modules/m_sslinfo.cpp18
-rw-r--r--src/modules/m_sslmodes.cpp11
3 files changed, 25 insertions, 13 deletions
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 85aba2d0f..2ecd38640 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -114,17 +114,14 @@ private:
bool OnRequest(LocalUser* user, bool adding) override
{
- if (requiressl && sslapi && !sslapi->GetCertificate(user))
- return false;
-
// Servers MUST NAK any sasl capability request if the authentication layer
// is unavailable.
- return servertracker.IsOnline();
+ return OnList(user);
}
bool OnList(LocalUser* user) override
{
- if (requiressl && sslapi && !sslapi->GetCertificate(user))
+ if (requiressl && sslapi && !sslapi->IsSecure(user))
return false;
// Servers MUST NOT advertise the sasl capability if the authentication layer
@@ -189,7 +186,7 @@ private:
params.reserve(3);
params.push_back(user->GetRealHost());
params.push_back(user->GetAddress());
- params.emplace_back(sslapi && sslapi->GetCertificate(user) ? "S" : "P");
+ params.emplace_back(sslapi && sslapi->IsSecure(user) ? "S" : "P");
SendSASL(user, "*", 'H', params);
}
diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp
index 5341f5c96..2531c5201 100644
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@@ -136,6 +136,7 @@ class UserCertificateAPIImpl final
public:
BoolExtItem nosslext;
SSLCertExt sslext;
+ bool localsecure;
UserCertificateAPIImpl(Module* mod)
: UserCertificateAPIBase(mod)
@@ -162,6 +163,18 @@ public:
return cert;
}
+ bool IsSecure(User* user) override
+ {
+ auto* cert = GetCertificate(user);
+ if (cert)
+ return !!cert;
+
+ if (localsecure)
+ return user->client_sa.is_local();
+
+ return false;
+ }
+
void SetCertificate(User* user, ssl_cert* cert) override
{
ServerInstance->Logs.Debug(MODNAME, "Setting TLS client certificate for {}: {}",
@@ -307,15 +320,18 @@ public:
{
const auto& tag = ServerInstance->Config->ConfValue("sslinfo");
cmd.operonlyfp = tag->getBool("operonly");
+ cmd.sslapi.localsecure = tag->getBool("localsecure", true);
hash = tag->getString("hash");
}
void OnWhois(Whois::Context& whois) override
{
+ if (cmd.sslapi.IsSecure(whois.GetTarget()))
+ whois.SendLine(RPL_WHOISSECURE, "is using a secure connection");
+
ssl_cert* cert = cmd.sslapi.GetCertificate(whois.GetTarget());
if (cert)
{
- whois.SendLine(RPL_WHOISSECURE, "is using a secure connection");
if ((!cmd.operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty())
whois.SendLine(RPL_WHOISCERTFP, INSP_FORMAT("has TLS client certificate fingerprint {}", cert->fingerprint));
}
diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp
index 150aca0b5..44723038d 100644
--- a/src/modules/m_sslmodes.cpp
+++ b/src/modules/m_sslmodes.cpp
@@ -93,8 +93,7 @@ public:
size_t nonssl = 0;
for (const auto& [u, _] : channel->GetUsers())
{
- ssl_cert* cert = API->GetCertificate(u);
- if (!cert && !u->server->IsService())
+ if (!API->IsSecure(u) && !u->server->IsService())
nonssl++;
}
@@ -146,7 +145,7 @@ public:
if (change.adding == dest->IsModeSet(this))
return false;
- if (change.adding && IS_LOCAL(user) && (!API || !API->GetCertificate(user)))
+ if (change.adding && IS_LOCAL(user) && (!API || !API->IsSecure(user)))
return false;
dest->SetMode(this, change.adding);
@@ -185,7 +184,7 @@ public:
return MOD_RES_DENY;
}
- if (!api->GetCertificate(user))
+ if (!api->IsSecure(user))
{
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS users only (+z is set)");
return MOD_RES_DENY;
@@ -209,7 +208,7 @@ public:
/* If the target is +z */
if (target->IsModeSet(sslquery))
{
- if (!api || !api->GetCertificate(user))
+ if (!api || !api->IsSecure(user))
{
/* The sending user is not on an TLS connection */
user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery));
@@ -219,7 +218,7 @@ public:
/* If the user is +z */
else if (user->IsModeSet(sslquery))
{
- if (!api || !api->GetCertificate(target))
+ if (!api || !api->IsSecure(target))
{
user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery, true));
return MOD_RES_DENY;