authorSadie Powell <sadie@witchery.services>2020-02-21 20:27:05 +0000
committerSadie Powell <sadie@witchery.services>2020-02-21 20:27:05 +0000
commitb31a4aea1b68f9fd27d4bf30440948056af2edce (patch)
tree3465ef60bef5baa8a89427c8301a74674a329bd9
parent77a2f04c41410a0e9780d048134bc57f66990c9f (diff)
Add support for requiring users to use SSL in order to use SASL.
-rw-r--r--docs/conf/modules.conf.example5
-rw-r--r--src/modules/m_sasl.cpp15
2 files changed, 18 insertions, 2 deletions
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index 9f8c46d05..1b26182e4 100644
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1951,7 +1951,10 @@
# You must define <sasl:target> to the name of your services server so
# that InspIRCd knows where to send SASL authentication messages and
# when it should enable the SASL capability.
-#<sasl target="services.mynetwork.com">
+# You can also define <sasl:requiressl> to require users to use SSL in
+# order to be able to use SASL.
+#<sasl target="services.mynetwork.com"
+# requiressl="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Secure list module: Prevent /LIST in the first minute of connection,
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 9fe270567..19b2c9f50 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -109,11 +109,16 @@ class ServerTracker
class SASLCap : public Cap::Capability
{
+ private:
std::string mechlist;
const ServerTracker& servertracker;
+ UserCertificateAPI sslapi;
bool OnRequest(LocalUser* user, bool adding) CXX11_OVERRIDE
{
+ if (requiressl && sslapi && !sslapi->GetCertificate(user))
+ return false;
+
// Servers MUST NAK any sasl capability request if the authentication layer
// is unavailable.
return servertracker.IsOnline();
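Review bot: The new guard at the top of OnRequest fails open: when `sslapi` does not resolve (the module providing UserCertificateAPI is not loaded), `requiressl && sslapi && ...` evaluates false and the sasl capability is still granted to plaintext users even though `requiressl="yes"` was configured. Because the option expresses a hard requirement, the fail-closed form `if (requiressl && (!sslapi || !sslapi->GetCertificate(user)))` is the safer default, ideally paired with a warning at config-load time when `requiressl` is set but the API is unavailable so the operator notices the misconfiguration instead of silently losing the protection. The same pattern is repeated in OnList in the next hunk and should change together with this one. This relies on GetCertificate returning null for non-TLS connections, which the check appears to assume but which is not visible in this diff. The SASLCap class continues outside this hunk.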
@@ -121,6 +126,9 @@ class SASLCap : public Cap::Capability
bool OnList(LocalUser* user) CXX11_OVERRIDE
{
+ if (requiressl && sslapi && !sslapi->GetCertificate(user))
+ return false;
+
// Servers MUST NOT advertise the sasl capability if the authentication layer
// is unavailable.
return servertracker.IsOnline();
@@ -132,9 +140,11 @@ class SASLCap : public Cap::Capability
}
public:
+ bool requiressl;
SASLCap(Module* mod, const ServerTracker& tracker)
: Cap::Capability(mod, "sasl")
, servertracker(tracker)
+ , sslapi(mod)
{
}
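Review bot: `bool requiressl;` added in the public section is never initialised: it is not in the constructor's initialiser list and it is only assigned later in ModuleSASL::ReadConfig, so any OnRequest or OnList call that happens before ReadConfig reads an indeterminate value (undefined behaviour, and possibly a transient "require SSL" decision that depends on stack contents). Whether such a call can actually occur before ReadConfig is not visible here, but the member should be initialised regardless: add `, requiressl(false)` after `, sslapi(mod)` in the initialiser list, which matches the declaration order since `requiressl` is declared after `sslapi`. A short comment on the declaration, `// Set from <sasl:requiressl> by ModuleSASL::ReadConfig.`, would also make the ownership of this flag clear.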
@@ -426,10 +436,13 @@ class ModuleSASL : public Module
void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
{
- std::string target = ServerInstance->Config->ConfValue("sasl")->getString("target");
+ ConfigTag* tag = ServerInstance->Config->ConfValue("sasl");
+
+ const std::string target = tag->getString("target");
if (target.empty())
throw ModuleException("<sasl:target> must be set to the name of your services server!");
+ cap.requiressl = tag->getBool("requiressl");
sasl_target = target;
servertracker.Reset();
}
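Review bot: `cap.requiressl = tag->getBool("requiressl");` is only applied to future capability negotiations; nothing in ReadConfig re-evaluates users who already negotiated the sasl capability over a plaintext connection before a rehash switched `requiressl` on, so unless Cap::Capability re-runs OnRequest on configuration changes (not visible here) those users keep SASL until they reconnect. That gap is worth either closing by revoking the capability from non-TLS users when the flag is enabled, or at least documenting in the option's description, e.g. `# Changing this setting only affects users connecting after the rehash.`. Assigning the flag after the `<sasl:target>` check is fine, since a throw there leaves the previous configuration in place.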