/*
* InspIRCd -- Internet Relay Chat Daemon
*
- * Copyright (C) 2015 Attila Molnar <attilamolnar@hush.com>
- * Copyright (C) 2017 Peter Powell <petpow@saberuk.com>
+ * Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
+ * Copyright (C) 2017-2020 Sadie Powell <sadie@witchery.services>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
* redistribute it and/or modify it under the terms of the GNU General Public
if (GetProtocol(user) == Cap::CAP_LEGACY)
return false;
+ // Don't send the cap to clients in a class which has STS disabled.
+ if (!user->GetClass()->config->getBool("usests", true))
+ return false;
+
// Plaintext listeners have their own policy.
SSLIOHook* sslhook = SSLIOHook::IsSSL(&user->eh);
if (!sslhook)
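Review bot: The new check `user->GetClass()->config->getBool("usests", true)` dereferences the result of GetClass() without testing it; the sts cap is advertised early in registration (this path runs before the TLS check on the following lines), so if a local user can reach this point before a connect class has been assigned, this is a null dereference. A guarded form costs one line: `ConnectClass* klass = user->GetClass(); if (klass && !klass->config->getBool("usests", true)) return false;` — adjust the pointer type to whatever GetClass() actually returns. The enclosing function starts before this hunk, so it is not clear here whether the caller already guarantees a class.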
STSCap(Module* mod)
: Cap::Capability(mod, "sts")
{
+ DisableAutoRegister();
}
~STSCap()
private:
STSCap cap;
- // The IRCv3 STS specification requires that the server is listening using SSL using a valid certificate.
+ // The IRCv3 STS specification requires that the server is listening using TLS (SSL) using a valid certificate.
bool HasValidSSLPort(unsigned int port)
{
for (std::vector<ListenSocket*>::const_iterator iter = ServerInstance->ports.begin(); iter != ServerInstance->ports.end(); ++iter)
{
ListenSocket* ls = *iter;
-
+
// Is this listener on the right port?
unsigned int saport = ls->bind_sa.port();
if (saport != port)
continue;
- // Is this listener using SSL?
- if (ls->bind_tag->getString("ssl").empty())
+ // Is this listener using TLS (SSL)?
+ if (ls->bind_tag->getString("sslprofile", ls->bind_tag->getString("ssl")).empty())
continue;
// TODO: Add a way to check if a listener's TLS cert is CA-verified.
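Review bot: The listener test on the `getString("sslprofile", ls->bind_tag->getString("ssl")).empty()` line only checks that some value is configured, not that the named profile is loaded, so a misspelled sslprofile value still lets the port be advertised as an STS endpoint and clients will then be told to use a port that cannot complete a TLS handshake. If the server keeps a registry of loaded TLS profiles, resolving the name there before accepting the port would close that gap; if it does not, the comment should say so, e.g. `// Only checks that a TLS profile name is configured; it is not verified to exist.` The function name HasValidSSLPort overstates what is checked, as the TODO on the last line already admits; either rename it (HasTLSPort) or keep the caveat next to the name. The function begins before this hunk.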
if (host.empty())
throw ModuleException("<sts:host> must contain a hostname, at " + tag->getTagLocation());
- unsigned int port = tag->getInt("port", 0, 0, UINT16_MAX);
+ unsigned int port = tag->getUInt("port", 0, 0, UINT16_MAX);
if (!HasValidSSLPort(port))
throw ModuleException("<sts:port> must be a TLS port, at " + tag->getTagLocation());
- unsigned long duration = tag->getDuration("duration", 60*60*24*30*2);
+ unsigned long duration = tag->getDuration("duration", 5*60, 60);
bool preload = tag->getBool("preload");
cap.SetPolicy(host, duration, port, preload);
+
+ if (!cap.IsRegistered())
+ ServerInstance->Modules->AddService(cap);
}
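Review bot: `tag->getDuration("duration", 5*60, 60)` appears to impose a 60-second minimum (assuming the third argument is a lower bound, as with getUInt on the line above), which means an operator can never publish `duration=0`; the IRCv3 STS specification uses a zero duration as the signal for clients to discard a stored policy, so this removes the only clean way to retire STS from a network. Dropping the bound, `unsigned long duration = tag->getDuration("duration", 5*60);`, restores that path; if a floor is wanted for non-zero values, clamp only when the configured value is non-zero. A short comment such as `// A duration of 0 tells clients to forget the policy (IRCv3 STS).` would document the intent either way. ReadConfig starts before this hunk, so the earlier part of the <sts> tag handling is not visible here.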
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Provides IRCv3 Strict Transport Security policy advertisement", VF_OPTCOMMON);
+ return Version("Adds support for the IRCv3 Strict Transport Security specification.", VF_OPTCOMMON|VF_VENDOR);
}
};