/* * InspIRCd -- Internet Relay Chat Daemon * * Copyright (C) 2015 Attila Molnar * Copyright (C) 2017 Peter Powell * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public * License as published by the Free Software Foundation, version 2. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include "inspircd.h" #include "modules/cap.h" #include "modules/ssl.h" class STSCap : public Cap::Capability { private: std::string host; std::string plaintextpolicy; std::string securepolicy; bool OnList(LocalUser* user) CXX11_OVERRIDE { // Don't send the cap to clients that only support cap-3.1. if (GetProtocol(user) == Cap::CAP_LEGACY) return false; // Don't send the cap to clients in a class which has STS disabled. if (user->GetClass()->config->getBool("usests", true)) return false; // Plaintext listeners have their own policy. SSLIOHook* sslhook = SSLIOHook::IsSSL(&user->eh); if (!sslhook) return true; // If no hostname has been provided for the connection, an STS persistence policy SHOULD NOT be advertised. std::string snihost; if (!sslhook->GetServerName(snihost)) return false; // Before advertising an STS persistence policy over a secure connection, servers SHOULD verify whether the // hostname provided by clients, for example, via TLS Server Name Indication (SNI), has been whitelisted by // administrators in the server configuration. return InspIRCd::Match(snihost, host, ascii_case_insensitive_map); } bool OnRequest(LocalUser* user, bool adding) CXX11_OVERRIDE { // Clients MUST NOT request this capability with CAP REQ. Servers MAY reply with a CAP NAK message if a // client requests this capability. return false; } const std::string* GetValue(LocalUser* user) const CXX11_OVERRIDE { return SSLIOHook::IsSSL(&user->eh) ? &securepolicy : &plaintextpolicy; } public: STSCap(Module* mod) : Cap::Capability(mod, "sts") { } ~STSCap() { // TODO: Send duration=0 when STS vanishes. } void SetPolicy(const std::string& newhost, unsigned long duration, unsigned int port, bool preload) { // To enforce an STS upgrade policy, servers MUST send this key to insecurely connected clients. Servers // MAY send this key to securely connected clients, but it will be ignored. std::string newplaintextpolicy("port="); newplaintextpolicy.append(ConvToStr(port)); // To enforce an STS persistence policy, servers MUST send this key to securely connected clients. Servers // MAY send this key to all clients, but insecurely connected clients MUST ignore it. std::string newsecurepolicy("duration="); newsecurepolicy.append(ConvToStr(duration)); // Servers MAY send this key to all clients, but insecurely connected clients MUST ignore it. if (preload) newsecurepolicy.append(",preload"); // Apply the new policy. bool changed = false; if (!irc::equals(host, newhost)) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Changing STS SNI hostname from \"%s\" to \"%s\"", host.c_str(), newhost.c_str()); host = newhost; changed = true; } if (plaintextpolicy != newplaintextpolicy) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Changing plaintext STS policy from \"%s\" to \"%s\"", plaintextpolicy.c_str(), newplaintextpolicy.c_str()); plaintextpolicy.swap(newplaintextpolicy); changed = true; } if (securepolicy != newsecurepolicy) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Changing secure STS policy from \"%s\" to \"%s\"", securepolicy.c_str(), newsecurepolicy.c_str()); securepolicy.swap(newsecurepolicy); changed = true; } // If the policy has changed then notify all clients via cap-notify. if (changed) NotifyValueChange(); } }; class ModuleIRCv3STS : public Module { private: STSCap cap; // The IRCv3 STS specification requires that the server is listening using SSL using a valid certificate. bool HasValidSSLPort(unsigned int port) { for (std::vector::const_iterator iter = ServerInstance->ports.begin(); iter != ServerInstance->ports.end(); ++iter) { ListenSocket* ls = *iter; // Is this listener on the right port? unsigned int saport = ls->bind_sa.port(); if (saport != port) continue; // Is this listener using SSL? if (ls->bind_tag->getString("ssl").empty()) continue; // TODO: Add a way to check if a listener's TLS cert is CA-verified. return true; } return false; } public: ModuleIRCv3STS() : cap(this) { } void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { // TODO: Multiple SNI profiles ConfigTag* tag = ServerInstance->Config->ConfValue("sts"); if (tag == ServerInstance->Config->EmptyTag) throw ModuleException("You must define a STS policy!"); const std::string host = tag->getString("host"); if (host.empty()) throw ModuleException(" must contain a hostname, at " + tag->getTagLocation()); unsigned int port = tag->getUInt("port", 0, 0, UINT16_MAX); if (!HasValidSSLPort(port)) throw ModuleException(" must be a TLS port, at " + tag->getTagLocation()); unsigned long duration = tag->getDuration("duration", 60*60*24*30*2); bool preload = tag->getBool("preload"); cap.SetPolicy(host, duration, port, preload); } Version GetVersion() CXX11_OVERRIDE { return Version("Provides IRCv3 Strict Transport Security policy advertisement", VF_OPTCOMMON|VF_VENDOR); } }; MODULE_INIT(ModuleIRCv3STS)