summaryrefslogtreecommitdiff
path: root/src/modules/m_spanningtree
diff options
context:
space:
mode:
authorSadie Powell <sadie@witchery.services>2020-08-29 19:21:06 +0100
committerSadie Powell <sadie@witchery.services>2020-08-29 19:21:06 +0100
commitff766773bc547b03ffa3a15cb1c89896a2a7b8cf (patch)
tree1f8333b12b57d2d261aea64421f86429f4201bd0 /src/modules/m_spanningtree
parent7af6a054be2f23281d717484e1eb17190043b3e5 (diff)
Warn about non-local plaintext server connections.
Diffstat (limited to 'src/modules/m_spanningtree')
-rw-r--r--src/modules/m_spanningtree/server.cpp4
-rw-r--r--src/modules/m_spanningtree/treesocket.h1
-rw-r--r--src/modules/m_spanningtree/treesocket1.cpp18
3 files changed, 19 insertions, 4 deletions
diff --git a/src/modules/m_spanningtree/server.cpp b/src/modules/m_spanningtree/server.cpp
index c635856e3..b55743659 100644
--- a/src/modules/m_spanningtree/server.cpp
+++ b/src/modules/m_spanningtree/server.cpp
@@ -141,6 +141,10 @@ Link* TreeSocket::AuthRemote(const CommandBase::Params& params)
ssliohook->GetCiphersuite(ciphersuite);
ServerInstance->SNO->WriteToSnoMask('l', "Negotiated ciphersuite %s on link %s", ciphersuite.c_str(), x->Name.c_str());
}
+ else if (!irc::sockets::cidr_mask("127.0.0.0/8").match(capab->remotesa) && !irc::sockets::cidr_mask("::1/128").match(capab->remotesa))
+ {
+ ServerInstance->SNO->WriteGlobalSno('l', "Server connection to %s is not using SSL (TLS). This is VERY INSECURE and will not be allowed the next major version of InspIRCd.", x->Name.c_str());
+ }
return x;
}
diff --git a/src/modules/m_spanningtree/treesocket.h b/src/modules/m_spanningtree/treesocket.h
index 046f0eb0a..0d3d515d0 100644
--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -80,6 +80,7 @@ struct CapabData
int capab_phase; /* Have sent CAPAB already */
bool auth_fingerprint; /* Did we auth using SSL certificate fingerprint */
bool auth_challenge; /* Did we auth using challenge/response */
+ irc::sockets::sockaddrs remotesa; /* The remote socket address. */
// Data saved from incoming SERVER command, for later use when our credentials have been accepted by the other party
std::string description;
diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp
index 5bc41ea64..ad69c42fa 100644
--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
@@ -40,13 +40,18 @@
* and only do minor initialization tasks ourselves.
*/
TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockaddrs& dest)
- : linkID(link->Name), LinkState(CONNECTING), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ : linkID(link->Name)
+ , LinkState(CONNECTING)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
{
capab = new CapabData;
capab->link = link;
capab->ac = myac;
capab->capab_phase = 0;
+ capab->remotesa = dest;
irc::sockets::sockaddrs bind;
memset(&bind, 0, sizeof(bind));
@@ -77,11 +82,16 @@ TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockad
*/
TreeSocket::TreeSocket(int newfd, ListenSocket* via, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
: BufferedSocket(newfd)
- , linkID("inbound from " + client->addr()), LinkState(WAIT_AUTH_1), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ , linkID("inbound from " + client->addr())
+ , LinkState(WAIT_AUTH_1)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
{
capab = new CapabData;
capab->capab_phase = 0;
+ capab->remotesa = *client;
for (ListenSocket::IOHookProvList::iterator i = via->iohookprovs.begin(); i != via->iohookprovs.end(); ++i)
{