X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sslmodes.cpp;h=fda90c3d8278c9b77cb934c6690cfec7be84cf0b;hb=2688cfbad5e121945f61e0f5f023c904a19c7009;hp=b190cfc3985e55e81d3a3510cb263aebdd3595e2;hpb=1524caf2f799cff54c2de330c9670a0b761ba3d8;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp
index b190cfc39..fda90c3d8 100644
--- a/src/modules/m_sslmodes.cpp
+++ b/src/modules/m_sslmodes.cpp
@@ -1,49 +1,89 @@
-/*       +------------------------------------+
- *       | Inspire Internet Relay Chat Daemon |
- *       +------------------------------------+
+/*
+ * InspIRCd -- Internet Relay Chat Daemon
  *
- *  InspIRCd: (C) 2002-2009 InspIRCd Development Team
- * See: http://wiki.inspircd.org/Credits
+ *   Copyright (C) 2020 Matt Schatz <genius3000@g3k.solutions>
+ *   Copyright (C) 2013, 2017-2020 Sadie Powell <sadie@witchery.services>
+ *   Copyright (C) 2013 Shawn Smith <ShawnSmith0828@gmail.com>
+ *   Copyright (C) 2012-2014 Attila Molnar <attilamolnar@hush.com>
+ *   Copyright (C) 2012 Robby <robby@chatbelgie.be>
+ *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ *   Copyright (C) 2009 Uli Schlachter <psychon@inspircd.org>
+ *   Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
+ *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
+ *   Copyright (C) 2006-2007, 2010 Craig Edwards <brain@inspircd.org>
  *
- * This program is free but copyrighted software; see
- *            the file COPYING for details.
+ * This file is part of InspIRCd.  InspIRCd is free software: you can
+ * redistribute it and/or modify it under the terms of the GNU General Public
+ * License as published by the Free Software Foundation, version 2.
  *
- * ---------------------------------------------------
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+
 #include "inspircd.h"
-#include "transport.h"
+#include "modules/ctctags.h"
+#include "modules/ssl.h"
 
-/* $ModDesc: Provides support for unreal-style channel mode +z */
+enum
+{
+	// From UnrealIRCd.
+	ERR_SECUREONLYCHAN = 489,
+
+	// InspIRCd-specific.
+	ERR_ALLMUSTSSL = 490
+};
 
 /** Handle channel mode +z
  */
 class SSLMode : public ModeHandler
 {
+ private:
+	UserCertificateAPI& API;
+
  public:
-	SSLMode(InspIRCd* Instance, Module* Creator) : ModeHandler(Creator, 'z', PARAM_NONE, MODETYPE_CHANNEL) { }
+	SSLMode(Module* Creator, UserCertificateAPI& api)
+		: ModeHandler(Creator, "sslonly", 'z', PARAM_NONE, MODETYPE_CHANNEL)
+		, API(api)
+	{
+	}
 
-	ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string &parameter, bool adding)
+	ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
 	{
 		if (adding)
 		{
-			if (!channel->IsModeSet('z'))
+			if (!channel->IsModeSet(this))
 			{
 				if (IS_LOCAL(source))
 				{
-					const UserMembList* userlist = channel->GetUsers();
-					for(UserMembCIter i = userlist->begin(); i != userlist->end(); i++)
+					if (!API)
+					{
+						source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS (SSL)");
+						return MODEACTION_DENY;
+					}
+
+					unsigned long nonssl = 0;
+					const Channel::MemberMap& userlist = channel->GetUsers();
+					for (Channel::MemberMap::const_iterator i = userlist.begin(); i != userlist.end(); ++i)
+					{
+						ssl_cert* cert = API->GetCertificate(i->first);
+						if (!cert && !i->first->server->IsULine())
+							nonssl++;
+					}
+
+					if (nonssl)
 					{
-						BufferedSocketCertificateRequest req(i->first, creator, i->first->GetIOHook());
-						req.Send();
-						if(!req.cert && !ServerInstance->ULine(i->first->server))
-						{
-							source->WriteNumeric(ERR_ALLMUSTSSL, "%s %s :all members of the channel must be connected via SSL", source->nick.c_str(), channel->name.c_str());
-							return MODEACTION_DENY;
-						}
+						source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (SSL) (%lu/%lu are non-TLS (SSL))",
+							nonssl, static_cast<unsigned long>(userlist.size())));
+						return MODEACTION_DENY;
 					}
 				}
-				channel->SetMode('z',true);
+				channel->SetMode(this, true);
 				return MODEACTION_ALLOW;
 			}
 			else
@@ -53,9 +93,9 @@ class SSLMode : public ModeHandler
 		}
 		else
 		{
-			if (channel->IsModeSet('z'))
+			if (channel->IsModeSet(this))
 			{
-				channel->SetMode('z',false);
+				channel->SetMode(this, false);
 				return MODEACTION_ALLOW;
 			}
 
@@ -64,36 +104,66 @@ class SSLMode : public ModeHandler
 	}
 };
 
-class ModuleSSLModes : public Module
+/** Handle user mode +z
+*/
+class SSLModeUser : public ModeHandler
 {
+ private:
+	UserCertificateAPI& API;
 
+ public:
+	SSLModeUser(Module* Creator, UserCertificateAPI& api)
+		: ModeHandler(Creator, "sslqueries", 'z', PARAM_NONE, MODETYPE_USER)
+		, API(api)
+	{
+		if (!ServerInstance->Config->ConfValue("sslmodes")->getBool("enableumode"))
+			DisableAutoRegister();
+	}
+
+	ModeAction OnModeChange(User* user, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
+	{
+		if (adding == dest->IsModeSet(this))
+			return MODEACTION_DENY;
+
+		if (adding && IS_LOCAL(user) && (!API || !API->GetCertificate(user)))
+			return MODEACTION_DENY;
+
+		dest->SetMode(this, adding);
+		return MODEACTION_ALLOW;
+	}
+};
+
+class ModuleSSLModes
+	: public Module
+	, public CTCTags::EventListener
+{
+ private:
+	UserCertificateAPI api;
 	SSLMode sslm;
+	SSLModeUser sslquery;
 
  public:
-	ModuleSSLModes(InspIRCd* Me)
-		: Module(Me), sslm(Me, this)
+	ModuleSSLModes()
+		: CTCTags::EventListener(this)
+		, api(this)
+		, sslm(this, api)
+		, sslquery(this, api)
 	{
-		if (!ServerInstance->Modes->AddMode(&sslm))
-			throw ModuleException("Could not add new modes!");
-		Implementation eventlist[] = { I_OnUserPreJoin, I_OnCheckBan, I_On005Numeric };
-		ServerInstance->Modules->Attach(eventlist, this, 3);
 	}
 
-	ModResult OnUserPreJoin(User* user, Channel* chan, const char* cname, std::string &privs, const std::string &keygiven)
+	ModResult OnUserPreJoin(LocalUser* user, Channel* chan, const std::string& cname, std::string& privs, const std::string& keygiven) CXX11_OVERRIDE
 	{
-		if(chan && chan->IsModeSet('z'))
+		if(chan && chan->IsModeSet(sslm))
 		{
-			BufferedSocketCertificateRequest req(user, this, user->GetIOHook());
-			req.Send();
-			if (req.cert)
+			if (!api)
 			{
-				// Let them in
-				return MOD_RES_PASSTHRU;
+				user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS (SSL) user (+z is set)");
+				return MOD_RES_DENY;
 			}
-			else
+
+			if (!api->GetCertificate(user))
 			{
-				// Deny
-				user->WriteServ( "489 %s %s :Cannot join channel; SSL users only (+z)", user->nick.c_str(), cname);
+				user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS (SSL) users only (+z is set)");
 				return MOD_RES_DENY;
 			}
 		}
@@ -101,31 +171,70 @@ class ModuleSSLModes : public Module
 		return MOD_RES_PASSTHRU;
 	}
 
-	ModResult OnCheckBan(User *user, Channel *c)
+	ModResult HandleMessage(User* user, const MessageTarget& msgtarget)
 	{
-		BufferedSocketCertificateRequest req(user, this, user->GetIOHook());
-		req.Send();
-		if (req.cert)
-			return c->GetExtBanStatus(req.cert->GetFingerprint(), 'z');
+		if (msgtarget.type != MessageTarget::TYPE_USER)
+			return MOD_RES_PASSTHRU;
+
+		User* target = msgtarget.Get<User>();
+
+		/* If one or more of the parties involved is a ulined service, we won't stop it. */
+		if (user->server->IsULine() || target->server->IsULine())
+			return MOD_RES_PASSTHRU;
+
+		/* If the target is +z */
+		if (target->IsModeSet(sslquery))
+		{
+			if (!api || !api->GetCertificate(user))
+			{
+				/* The sending user is not on an SSL connection */
+				user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery));
+				return MOD_RES_DENY;
+			}
+		}
+		/* If the user is +z */
+		else if (user->IsModeSet(sslquery))
+		{
+			if (!api || !api->GetCertificate(target))
+			{
+				user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery, true));
+				return MOD_RES_DENY;
+			}
+		}
+
 		return MOD_RES_PASSTHRU;
 	}
 
-	~ModuleSSLModes()
+	ModResult OnUserPreMessage(User* user, const MessageTarget& target, MessageDetails& details) CXX11_OVERRIDE
 	{
-		ServerInstance->Modes->DelMode(&sslm);
+		return HandleMessage(user, target);
 	}
 
-	void On005Numeric(std::string &output)
+	ModResult OnUserPreTagMessage(User* user, const MessageTarget& target, CTCTags::TagMessageDetails& details) CXX11_OVERRIDE
 	{
-		ServerInstance->AddExtBanChar('z');
+		return HandleMessage(user, target);
 	}
 
-	Version GetVersion()
+	ModResult OnCheckBan(User *user, Channel *c, const std::string& mask) CXX11_OVERRIDE
 	{
-		return Version("$Id$", VF_COMMON | VF_VENDOR, API_VERSION);
+		if ((mask.length() > 2) && (mask[0] == 'z') && (mask[1] == ':'))
+		{
+			const std::string fp = api ? api->GetFingerprint(user) : "";
+			if (!fp.empty() && InspIRCd::Match(fp, mask.substr(2)))
+				return MOD_RES_DENY;
+		}
+		return MOD_RES_PASSTHRU;
 	}
-};
 
+	void On005Numeric(std::map<std::string, std::string>& tokens) CXX11_OVERRIDE
+	{
+		tokens["EXTBAN"].push_back('z');
+	}
 
-MODULE_INIT(ModuleSSLModes)
+	Version GetVersion() CXX11_OVERRIDE
+	{
+		return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS (SSL) users.", VF_VENDOR);
+	}
+};
 
+MODULE_INIT(ModuleSSLModes)