authordanieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7>2010-02-08 19:38:54 +0000
committerdanieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7>2010-02-08 19:38:54 +0000
commit7cf132bc6a8251ad2d7ee73cdf5f019fe18d11a0 (patch)
tree278718539ff675cab67443b72be5cd9350d294a3
parente827892a1353e2954b7ac6595bb40d7c89950350 (diff)
Add <connect requiressl="trusted"> to force CA verification for clients on this block
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@12401 e03df62e-2008-0410-955e-edbf42e46eb7
-rw-r--r--src/modules/m_sslinfo.cpp13
-rw-r--r--src/modules/ssl.h7
2 files changed, 19 insertions, 1 deletions
diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp
index b67498072..9ad742416 100644
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@@ -193,7 +193,18 @@ class ModuleSSLInfo : public Module
ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass)
{
- if (myclass->config->getBool("requiressl") && !cmd.CertExt.get(user))
+ ssl_cert* cert = cmd.CertExt.get(user);
+ bool ok = true;
+ if (myclass->config->getBool("requiressl"))
+ {
+ ok = (cert != NULL);
+ }
+ else if (myclass->config->getString("requiressl") == "trusted")
+ {
+ ok = (cert && cert->IsCAVerified());
+ }
+
+ if (!ok)
return MOD_RES_DENY;
return MOD_RES_PASSTHRU;
}
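Review bot: An unrecognised `requiressl` value fails open here: the new `else if` matches only the exact string `"trusted"`, so `Trusted` or a typo takes neither branch, `ok` stays `true`, and the block admits clients that present no certificate at all. This assumes `getBool` returns false for strings it does not recognise, which is not visible in this hunk. I would read the key once with `const std::string req = myclass->config->getString("requiressl");` and validate it when the configuration is loaded, rejecting or at least logging any value that is neither a boolean nor `trusted`, so a mistyped value cannot silently drop the requirement. Until then, a comment after the `else if` such as `// any other value leaves ok == true: no certificate is required` would make the fall-through explicit.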
diff --git a/src/modules/ssl.h b/src/modules/ssl.h
index 17fa6b3f6..5b1f03627 100644
--- a/src/modules/ssl.h
+++ b/src/modules/ssl.h
@@ -34,6 +34,8 @@ class ssl_cert : public refcountbase
std::string fingerprint;
bool trusted, invalid, unknownsigner, revoked;
+ ssl_cert() : trusted(false), invalid(true), unknownsigner(true), revoked(false) {}
+
/** Get certificate distinguished name
* @return Certificate DN
*/
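Review bot: The new constructor's defaults are security-relevant but undocumented, while the neighbouring members carry doc comments. Starting from `trusted(false), invalid(true), unknownsigner(true)` is what keeps a certificate object whose fields were never filled in from passing `IsCAVerified()`, which is added in the next hunk. I would put `/** Start in the unverified state so that a certificate whose fields were never set is never treated as CA-verified */` above it, so a later change to these defaults is recognised as a change to access control. The rest of the class lies outside this hunk.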
@@ -104,6 +106,11 @@ class ssl_cert : public refcountbase
return revoked;
}
+ bool IsCAVerified()
+ {
+ return trusted && !invalid && !revoked && !unknownsigner && error.empty();
+ }
+
std::string GetMetaLine()
{
std::stringstream value;
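Review bot: `IsCAVerified()` now decides whether a client may use a `requiressl="trusted"` block, yet what it guarantees depends on code outside this hunk, namely whatever sets `trusted`, `invalid`, `unknownsigner`, `revoked` and `error`. Whether an expired certificate, for example, is reported through `invalid` or through `error` cannot be told from here and is worth confirming where those fields are filled in. I would state the contract in a doc comment, `/** @return True only if the certificate is trusted, has a known signer, is not invalid or revoked, and no error was recorded */`, and declare the method `bool IsCAVerified() const` since it only reads members.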