author | Sadie Powell <sadie@witchery.services> | 2020-02-21 20:27:05 +0000 |
---|---|---|
committer | Sadie Powell <sadie@witchery.services> | 2020-02-21 20:27:05 +0000 |
commit | b31a4aea1b68f9fd27d4bf30440948056af2edce (patch) | |
tree | 3465ef60bef5baa8a89427c8301a74674a329bd9 | |
parent | 77a2f04c41410a0e9780d048134bc57f66990c9f (diff) |
Add support for requiring users to use SSL in order to use SASL.
-rw-r--r-- | docs/conf/modules.conf.example | 5 | ||||
-rw-r--r-- | src/modules/m_sasl.cpp | 15 |
2 files changed, 18 insertions, 2 deletions
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example index 9f8c46d05..1b26182e4 100644 --- a/docs/conf/modules.conf.example +++ b/docs/conf/modules.conf.example @@ -1951,7 +1951,10 @@ # You must define <sasl:target> to the name of your services server so # that InspIRCd knows where to send SASL authentication messages and # when it should enable the SASL capability. -#<sasl target="services.mynetwork.com"> +# You can also define <sasl:requiressl> to require users to use SSL in +# order to be able to use SASL. +#<sasl target="services.mynetwork.com" +# requiressl="yes"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Secure list module: Prevent /LIST in the first minute of connection, diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp index 9fe270567..19b2c9f50 100644 --- a/src/modules/m_sasl.cpp +++ b/src/modules/m_sasl.cpp @@ -109,11 +109,16 @@ class ServerTracker class SASLCap : public Cap::Capability { + private: std::string mechlist; const ServerTracker& servertracker; + UserCertificateAPI sslapi; bool OnRequest(LocalUser* user, bool adding) CXX11_OVERRIDE { + if (requiressl && sslapi && !sslapi->GetCertificate(user)) + return false; + // Servers MUST NAK any sasl capability request if the authentication layer // is unavailable. return servertracker.IsOnline(); @@ -121,6 +126,9 @@ class SASLCap : public Cap::Capability bool OnList(LocalUser* user) CXX11_OVERRIDE { + if (requiressl && sslapi && !sslapi->GetCertificate(user)) + return false; + // Servers MUST NOT advertise the sasl capability if the authentication layer // is unavailable. return servertracker.IsOnline(); @@ -132,9 +140,11 @@ class SASLCap : public Cap::Capability } public: + bool requiressl; SASLCap(Module* mod, const ServerTracker& tracker) : Cap::Capability(mod, "sasl") , servertracker(tracker) + , sslapi(mod) { } 
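Review bot: The new guard in SASLCap::OnRequest fails open when `sslapi` is unset: with `requiressl` enabled and nothing providing `UserCertificateAPI` (presumably because the module that supplies it is not loaded), the condition is false and SASL is still offered on plaintext connections. The same expression is repeated in OnList in the following hunk. If the option is meant as a hard requirement, fail closed with `if (requiressl && (!sslapi || !sslapi->GetCertificate(user))) return false;`, or have ReadConfig reject or log the configuration when the API is missing. The check also equates a null GetCertificate() result with "not on SSL", which should be confirmed for TLS users who present no client certificate. SASLCap's body starts and ends outside these hunks.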
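Review bot: `requiressl` is added as a public member, but the constructor's initializer list in the third m_sasl.cpp hunk never sets it, so it holds an indeterminate value until ModuleSASL::ReadConfig assigns it. If OnRequest or OnList can run before the first ReadConfig call, a security decision reads an uninitialized bool; add `, requiressl(false)` after `, sslapi(mod)` to match declaration order. A member comment such as `// Whether SASL is only offered to users connected over SSL.` would document it. Since only ReadConfig writes the flag in this diff, it could also be private behind a setter.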
@@ -426,10 +436,13 @@ class ModuleSASL : public Module void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { - std::string target = ServerInstance->Config->ConfValue("sasl")->getString("target"); + ConfigTag* tag = ServerInstance->Config->ConfValue("sasl"); + + const std::string target = tag->getString("target"); if (target.empty()) throw ModuleException("<sasl:target> must be set to the name of your services server!"); + cap.requiressl = tag->getBool("requiressl"); sasl_target = target; servertracker.Reset(); } |
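Review bot: A rehash that turns `requiressl` on does not appear to affect clients that already hold the `sasl` capability, because `cap.requiressl = tag->getBool("requiressl");` only feeds the checks in OnRequest and OnList. Whether the AUTHENTICATE handler re-tests the connection is not visible in this diff; if it does not, consider repeating the SSL check there so the policy is enforced at authentication time as well as at negotiation. A short comment above the assignment, e.g. `// Defaults to off; when on, SASL is only offered to SSL users.`, would record the opt-in behaviour. ModuleSASL starts outside this hunk.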