author | Sadie Powell <sadie@witchery.services> | 2020-08-29 19:21:06 +0100 |
---|---|---|
committer | Sadie Powell <sadie@witchery.services> | 2020-08-29 19:21:06 +0100 |
commit | ff766773bc547b03ffa3a15cb1c89896a2a7b8cf (patch) | |
tree | 1f8333b12b57d2d261aea64421f86429f4201bd0 /src/modules/m_spanningtree | |
parent | 7af6a054be2f23281d717484e1eb17190043b3e5 (diff) |
Warn about non-local plaintext server connections.
Diffstat (limited to 'src/modules/m_spanningtree')
-rw-r--r-- | src/modules/m_spanningtree/server.cpp | 4 | ||||
-rw-r--r-- | src/modules/m_spanningtree/treesocket.h | 1 | ||||
-rw-r--r-- | src/modules/m_spanningtree/treesocket1.cpp | 18 |
3 files changed, 19 insertions, 4 deletions
diff --git a/src/modules/m_spanningtree/server.cpp b/src/modules/m_spanningtree/server.cpp
index c635856e3..b55743659 100644
--- a/src/modules/m_spanningtree/server.cpp
+++ b/src/modules/m_spanningtree/server.cpp
@@ -141,6 +141,10 @@ Link* TreeSocket::AuthRemote(const CommandBase::Params& params)
 ssliohook->GetCiphersuite(ciphersuite);
 ServerInstance->SNO->WriteToSnoMask('l', "Negotiated ciphersuite %s on link %s", ciphersuite.c_str(), x->Name.c_str());
 }
+ else if (!irc::sockets::cidr_mask("127.0.0.0/8").match(capab->remotesa) && !irc::sockets::cidr_mask("::1/128").match(capab->remotesa))
+ {
+ ServerInstance->SNO->WriteGlobalSno('l', "Server connection to %s is not using SSL (TLS). This is VERY INSECURE and will not be allowed the next major version of InspIRCd.", x->Name.c_str());
+ }
 return x;
 }
diff --git a/src/modules/m_spanningtree/treesocket.h b/src/modules/m_spanningtree/treesocket.h
index 046f0eb0a..0d3d515d0 100644
--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -80,6 +80,7 @@ struct CapabData
 int capab_phase; /* Have sent CAPAB already */
 bool auth_fingerprint; /* Did we auth using SSL certificate fingerprint */
 bool auth_challenge; /* Did we auth using challenge/response */
+ irc::sockets::sockaddrs remotesa; /* The remote socket address. */
 // Data saved from incoming SERVER command, for later use when our credentials have been accepted by the other party
 std::string description;
diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp
index 5bc41ea64..ad69c42fa 100644
--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
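Review bot: In server.cpp, the loopback exemption on the added `else if` is decided only from the transport peer address in `capab->remotesa`, and nothing at the call site records why loopback is exempt or what the test does not cover. A link relayed through a local forwarder is treated as local whatever protects the leg beyond it, while a peer address in another form (an IPv4-mapped loopback address, for example) presumably matches neither mask and draws the warning, which errs on the safe side. I would add a comment above the branch such as `// Loopback peers are exempt: the traffic never leaves this host. Keyed on the socket peer address only.` The notice text is also missing a word; `will not be allowed in the next major version of InspIRCd.` reads correctly. AuthRemote starts before this hunk, so the `if` this branch attaches to is not visible here.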
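Review bot: In treesocket.h, the new `remotesa` member of CapabData has no initializer of its own, so its contents are meaningful only because both TreeSocket constructors in treesocket1.cpp assign it right after `new CapabData`. If CapabData has no constructor that zeroes it (the start of the struct is outside this hunk), any later code path that creates a CapabData without that assignment would hand indeterminate bytes to the loopback test in AuthRemote. The member comment could carry that contract: `/* Peer address of the link socket; set by both TreeSocket constructors, read by AuthRemote for the plaintext warning. */`.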
@@ -40,13 +40,18 @@
 * and only do minor initialization tasks ourselves.
 */
 TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockaddrs& dest)
- : linkID(link->Name), LinkState(CONNECTING), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ : linkID(link->Name)
+ , LinkState(CONNECTING)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
 {
 capab = new CapabData;
 capab->link = link;
 capab->ac = myac;
 capab->capab_phase = 0;
+ capab->remotesa = dest;
 irc::sockets::sockaddrs bind;
 memset(&bind, 0, sizeof(bind));
@@ -77,11 +82,16 @@ TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockad
 */
 TreeSocket::TreeSocket(int newfd, ListenSocket* via, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
 : BufferedSocket(newfd)
- , linkID("inbound from " + client->addr()), LinkState(WAIT_AUTH_1), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ , linkID("inbound from " + client->addr())
+ , LinkState(WAIT_AUTH_1)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
 {
 capab = new CapabData;
 capab->capab_phase = 0;
+ capab->remotesa = *client;
 for (ListenSocket::IOHookProvList::iterator i = via->iohookprovs.begin(); i != via->iohookprovs.end(); ++i)
 { |