X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sslinfo.cpp;h=0054e3ed7d46ec4e91aff47a311adad2dcf65de8;hb=3151d60c1ecc9462e4c335282ee6c31672f45111;hp=885ae6f74f90a5e9bdb159e5565a55f6e8a520a6;hpb=ccebfe6e637b420bef05e8e0faf29bb19f1883d9;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 885ae6f74..0054e3ed7 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -1,9 +1,9 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2020 Matt Schatz * Copyright (C) 2019 linuxdaemon - * Copyright (C) 2013, 2017-2019 Sadie Powell - * Copyright (C) 2013 Christopher 'm4z' Holm + * Copyright (C) 2013, 2017-2020 Sadie Powell * Copyright (C) 2012-2016 Attila Molnar * Copyright (C) 2012 Robby * Copyright (C) 2010 Adam @@ -153,7 +153,7 @@ class CommandSSLInfo : public Command : Command(Creator, "SSLINFO", 1) , sslapi(Creator) { - this->syntax = ""; + syntax = ""; } CmdResult Handle(User* user, const Params& parameters) CXX11_OVERRIDE @@ -176,11 +176,12 @@ class CommandSSLInfo : public Command ssl_cert* cert = sslapi.GetCertificate(target); if (!cert) { - user->WriteNotice("*** No TLS (SSL) client certificate for this user"); + user->WriteNotice(InspIRCd::Format("*** %s is not connected using TLS (SSL).", target->nick.c_str())); } else if (cert->GetError().length()) { - user->WriteNotice("*** No TLS (SSL) client certificate information for this user (" + cert->GetError() + ")."); + user->WriteNotice(InspIRCd::Format("*** %s is connected using TLS (SSL) but has not specified a valid client certificate (%s).", + target->nick.c_str(), cert->GetError().c_str())); } else { @@ -188,6 +189,7 @@ class CommandSSLInfo : public Command user->WriteNotice("*** Issuer: " + cert->GetIssuer()); user->WriteNotice("*** Key Fingerprint: " + cert->GetFingerprint()); } + return CMD_SUCCESS; } }; @@ -257,18 +259,18 @@ class ModuleSSLInfo if (ifo->oper_block->getBool("sslonly") && !cert) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires an SSL connection."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': secure connection required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': a secure connection is required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } std::string fingerprint; if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || !MatchFP(cert, fingerprint))) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires a matching SSL certificate fingerprint."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS (SSL) client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } } @@ -290,21 +292,20 @@ class ModuleSSLInfo ssl_cert* const cert = ssliohook->GetCertificate(); - { - std::string text = "*** You are connected to "; - if (!ssliohook->GetServerName(text)) - text.append(ServerInstance->Config->ServerName); - text.append(" using SSL cipher '"); - ssliohook->GetCiphersuite(text); - text.push_back('\''); - if ((cert) && (!cert->GetFingerprint().empty())) - text.append(" and your SSL certificate fingerprint is ").append(cert->GetFingerprint()); - user->WriteNotice(text); - } + std::string text = "*** You are connected to "; + if (!ssliohook->GetServerName(text)) + text.append(ServerInstance->Config->ServerName); + text.append(" using TLS (SSL) cipher '"); + ssliohook->GetCiphersuite(text); + text.push_back('\''); + if (cert && !cert->GetFingerprint().empty()) + text.append(" and your TLS (SSL) client certificate fingerprint is ").append(cert->GetFingerprint()); + user->WriteNotice(text); if (!cert) return; - // find an auto-oper block for this user + + // Find an auto-oper block for this user for (ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); ++i) { OperInfo* ifo = i->second; @@ -317,21 +318,26 @@ class ModuleSSLInfo ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE { ssl_cert* cert = cmd.sslapi.GetCertificate(user); - bool ok = true; + const char* error = NULL; const std::string requiressl = myclass->config->getString("requiressl"); if (stdalgo::string::equalsci(requiressl, "trusted")) { - ok = (cert && cert->IsCAVerified()); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted TLS (SSL) client certificate. Client %s one.", (ok ? "has" : "does not have")); + if (!cert || !cert->IsCAVerified()) + error = "a trusted TLS (SSL) client certificate"; } else if (myclass->config->getBool("requiressl")) { - ok = (cert != NULL); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a secure connection. Client %s on a secure connection.", (ok ? "is" : "is not")); + if (!cert) + error = "a TLS (SSL) connection"; } - if (!ok) + if (error) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires %s", + myclass->GetName().c_str(), error); return MOD_RES_DENY; + } + return MOD_RES_PASSTHRU; }