ouch/inspircd
2
0
Fork 0
mirror of https://github.com/inspircd/inspircd.git synced 2025-03-10 02:59:01 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add user mode +z for ssl-only private messages.

Browse Source 
Closes #468.
This commit is contained in:
Shawn Smith 2013-04-03 10:59:12 -04:00 committed by Peter Powell
parent aa78793b3a
commit cd43acedc9
4 changed files with 117 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/conf/helpop-full.conf.example
View File

@ -810,6 +810,8 @@ using their cloak when they quit.">
(requires services account module). (requires services account module).
w Receives wallops messages. w Receives wallops messages.
x Gives a cloaked hostname (requires cloaking module). x Gives a cloaked hostname (requires cloaking module).
z Only allow private messages from SSL users (requires
sslmode module).
B Marks as a bot (requires botmode module). B Marks as a bot (requires botmode module).
G Censors messages sent to the user based on filters G Censors messages sent to the user based on filters
configured for the network (requires censor module). configured for the network (requires censor module).

2
docs/conf/helpop.conf.example
View File

@ -94,6 +94,8 @@ LOCKSERV UNLOCKSERV">
(requires services account module). (requires services account module).
w Receives wallops messages. w Receives wallops messages.
x Gives a cloaked hostname (requires cloaking module). x Gives a cloaked hostname (requires cloaking module).
z Only allow private messages from SSL users (requires
sslmode module).
B Marks as a bot (requires botmode module). B Marks as a bot (requires botmode module).
G Censors messages sent to the user based on filters G Censors messages sent to the user based on filters
configured for the network (requires censor module). configured for the network (requires censor module).

11
docs/conf/modules.conf.example
View File

@ -1882,12 +1882,17 @@
#<shun enabledcommands="ADMIN PING PONG QUIT PART JOIN" notifyuser="yes" affectopers="no"> #<shun enabledcommands="ADMIN PING PONG QUIT PART JOIN" notifyuser="yes" affectopers="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SSL channel mode module: Adds support for SSL-only channels via # SSL mode module: Adds support for SSL-only channels via the '+z'
# channel mode +z and the 'z' extban which matches SSL client # channel mode, SSL-only private messages via the '+z' user mode and
# certificate fingerprints. # the 'z:' extban which matches SSL client certificate fingerprints.
#
# Does not do anything useful without a working SSL module and the # Does not do anything useful without a working SSL module and the
# sslinfo module (see below). # sslinfo module (see below).
#<module name="sslmodes"> #<module name="sslmodes">
#
# The +z user mode is not enabled by default to enable link compatibility
# with 2.0 servers. You can enable it by uncommenting this:
#<sslmodes enableumode="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# GnuTLS SSL module: Adds support for SSL connections using GnuTLS, # GnuTLS SSL module: Adds support for SSL connections using GnuTLS,

116
src/modules/m_sslmodes.cpp
View File

@ -1,6 +1,7 @@
/* /*
* InspIRCd -- Internet Relay Chat Daemon * InspIRCd -- Internet Relay Chat Daemon
* *
* Copyright (C) 2013 Shawn Smith <shawn@inspircd.org>
* Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org> * Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
* Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net> * Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net>
* Copyright (C) 2007 Dennis Friis <peavey@inspircd.org> * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
@ -30,16 +31,29 @@ enum
ERR_SECUREONLYCHAN = 489 ERR_SECUREONLYCHAN = 489
}; };
namespace
{
bool IsSSLUser(UserCertificateAPI& api, User* user)
{
if (!api)
return false;
ssl_cert* cert = api->GetCertificate(user);
return (cert != NULL);
}
}
/** Handle channel mode +z /** Handle channel mode +z
*/ */
class SSLMode : public ModeHandler class SSLMode : public ModeHandler
{ {
public: private:
UserCertificateAPI API; UserCertificateAPI& API;
SSLMode(Module* Creator) public:
SSLMode(Module* Creator, UserCertificateAPI& api)
: ModeHandler(Creator, "sslonly", 'z', PARAM_NONE, MODETYPE_CHANNEL) : ModeHandler(Creator, "sslonly", 'z', PARAM_NONE, MODETYPE_CHANNEL)
, API(Creator) , API(api)
{ {
} }
@ -86,14 +100,60 @@ class SSLMode : public ModeHandler
} }
}; };
/** Handle user mode +z
*/
class SSLModeUser : public ModeHandler
{
private:
UserCertificateAPI& API;
public:
SSLModeUser(Module* Creator, UserCertificateAPI& api)
: ModeHandler(Creator, "sslqueries", 'z', PARAM_NONE, MODETYPE_USER)
, API(api)
{
if (!ServerInstance->Config->ConfValue("sslmodes")->getBool("enableumode"))
DisableAutoRegister();
}
ModeAction OnModeChange(User* user, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
{
if (adding)
{
if (!dest->IsModeSet(this))
{
if (!IsSSLUser(API, user))
return MODEACTION_DENY;
dest->SetMode(this, true);
return MODEACTION_ALLOW;
}
}
else
{
if (dest->IsModeSet(this))
{
dest->SetMode(this, false);
return MODEACTION_ALLOW;
}
}
return MODEACTION_DENY;
}
};
class ModuleSSLModes : public Module class ModuleSSLModes : public Module
{ {
private:
UserCertificateAPI api;
SSLMode sslm; SSLMode sslm;
SSLModeUser sslquery;
public: public:
ModuleSSLModes() ModuleSSLModes()
: sslm(this) : api(this)
, sslm(this, api)
, sslquery(this, api)
{ {
} }
@ -101,10 +161,10 @@ class ModuleSSLModes : public Module
{ {
if(chan && chan->IsModeSet(sslm)) if(chan && chan->IsModeSet(sslm))
{ {
if (!sslm.API) if (!api)
return MOD_RES_DENY; return MOD_RES_DENY;
ssl_cert* cert = sslm.API->GetCertificate(user); ssl_cert* cert = api->GetCertificate(user);
if (cert) if (cert)
{ {
// Let them in // Let them in
@ -121,14 +181,48 @@ class ModuleSSLModes : public Module
return MOD_RES_PASSTHRU; return MOD_RES_PASSTHRU;
} }
ModResult OnUserPreMessage(User* user, const MessageTarget& msgtarget, MessageDetails& details) CXX11_OVERRIDE
{
if (msgtarget.type != MessageTarget::TYPE_USER)
return MOD_RES_PASSTHRU;
User* target = msgtarget.Get<User>();
/* If one or more of the parties involved is a ulined service, we wont stop it. */
if (user->server->IsULine() || target->server->IsULine())
return MOD_RES_PASSTHRU;
/* If the target is +z */
if (target->IsModeSet(sslquery))
{
if (!IsSSLUser(api, user))
{
/* The sending user is not on an SSL connection */
user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You are not permitted to send private messages to this user (+z set)");
return MOD_RES_DENY;
}
}
/* If the user is +z */
else if (user->IsModeSet(sslquery))
{
if (!IsSSLUser(api, target))
{
user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You must remove usermode 'z' before you are able to send private messages to a non-ssl user.");
return MOD_RES_DENY;
}
}
return MOD_RES_PASSTHRU;
}
ModResult OnCheckBan(User *user, Channel *c, const std::string& mask) CXX11_OVERRIDE ModResult OnCheckBan(User *user, Channel *c, const std::string& mask) CXX11_OVERRIDE
{ {
if ((mask.length() > 2) && (mask[0] == 'z') && (mask[1] == ':')) if ((mask.length() > 2) && (mask[0] == 'z') && (mask[1] == ':'))
{ {
if (!sslm.API) if (!api)
return MOD_RES_DENY; return MOD_RES_DENY;
ssl_cert* cert = sslm.API->GetCertificate(user); ssl_cert* cert = api->GetCertificate(user);
if (cert && InspIRCd::Match(cert->GetFingerprint(), mask.substr(2))) if (cert && InspIRCd::Match(cert->GetFingerprint(), mask.substr(2)))
return MOD_RES_DENY; return MOD_RES_DENY;
} }
@ -142,7 +236,7 @@ class ModuleSSLModes : public Module
Version GetVersion() CXX11_OVERRIDE Version GetVersion() CXX11_OVERRIDE
{ {
return Version("Provides channel mode +z to allow for Secure/SSL only channels", VF_VENDOR); return Version("Provides user and channel mode +z to allow for SSL-only channels, queries and notices.", VF_VENDOR);
} }
}; };