From 85bd27a84087397c8ac7e4e026f4187888931262 Mon Sep 17 00:00:00 2001 From: Matt Schatz Date: Tue, 14 Apr 2020 04:51:05 -0600 Subject: Minor cleanup and documentation improvements. - Only show a generic failure message to the user upon oper failure due to not having a secure connection or matching cert. fingerprint. - Update the comment about oper:fingerprint as it can be a space separated list of fingerprints and not just one. - Improve a few code comments and formatting. --- src/coremods/core_oper/cmd_oper.cpp | 3 +-- src/modules/m_sslinfo.cpp | 35 ++++++++++++++++++----------------- 2 files changed, 19 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/src/coremods/core_oper/cmd_oper.cpp b/src/coremods/core_oper/cmd_oper.cpp index 391c7f41f..f1da883e8 100644 --- a/src/coremods/core_oper/cmd_oper.cpp +++ b/src/coremods/core_oper/cmd_oper.cpp @@ -53,7 +53,6 @@ CmdResult CommandOper::HandleLocal(LocalUser* user, const Params& parameters) if (match_pass && match_hosts) { - /* found this oper's opertype */ user->Oper(ifo); return CMD_SUCCESS; } @@ -68,7 +67,7 @@ CmdResult CommandOper::HandleLocal(LocalUser* user, const Params& parameters) fields.append("hosts "); fields.erase(fields.length() - 1, 1); - // tell them they suck, and lag them up to help prevent brute-force attacks + // Tell them they failed (generically) and lag them up to help prevent brute-force attacks user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 885ae6f74..477785bea 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -153,7 +153,7 @@ class CommandSSLInfo : public Command : Command(Creator, "SSLINFO", 1) , sslapi(Creator) { - this->syntax = ""; + syntax = ""; } CmdResult Handle(User* user, const Params& parameters) CXX11_OVERRIDE @@ -188,6 +188,7 @@ class CommandSSLInfo : public Command user->WriteNotice("*** Issuer: " + cert->GetIssuer()); user->WriteNotice("*** Key Fingerprint: " + cert->GetFingerprint()); } + return CMD_SUCCESS; } }; @@ -257,18 +258,18 @@ class ModuleSSLInfo if (ifo->oper_block->getBool("sslonly") && !cert) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires an SSL connection."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': secure connection required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': a secure connection is required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } std::string fingerprint; if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || !MatchFP(cert, fingerprint))) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires a matching SSL certificate fingerprint."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS (SSL) client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } } @@ -290,21 +291,20 @@ class ModuleSSLInfo ssl_cert* const cert = ssliohook->GetCertificate(); - { - std::string text = "*** You are connected to "; - if (!ssliohook->GetServerName(text)) - text.append(ServerInstance->Config->ServerName); - text.append(" using SSL cipher '"); - ssliohook->GetCiphersuite(text); - text.push_back('\''); - if ((cert) && (!cert->GetFingerprint().empty())) - text.append(" and your SSL certificate fingerprint is ").append(cert->GetFingerprint()); - user->WriteNotice(text); - } + std::string text = "*** You are connected to "; + if (!ssliohook->GetServerName(text)) + text.append(ServerInstance->Config->ServerName); + text.append(" using TLS (SSL) cipher '"); + ssliohook->GetCiphersuite(text); + text.push_back('\''); + if (cert && !cert->GetFingerprint().empty()) + text.append(" and your TLS (SSL) client certificate fingerprint is ").append(cert->GetFingerprint()); + user->WriteNotice(text); if (!cert) return; - // find an auto-oper block for this user + + // Find an auto-oper block for this user for (ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); ++i) { OperInfo* ifo = i->second; @@ -332,6 +332,7 @@ class ModuleSSLInfo if (!ok) return MOD_RES_DENY; + return MOD_RES_PASSTHRU; } -- cgit v1.2.3