4 files changed, 117 insertions, 14 deletions
diff --git a/docs/conf/helpop-full.conf.example b/docs/conf/helpop-full.conf.example
index 3e8360e55..d60e4add7 100644
--- a/docs/conf/helpop-full.conf.example
+++ b/docs/conf/helpop-full.conf.example
@@ -810,6 +810,8 @@ using their cloak when they quit.">
               (requires services account module).
  w            Receives wallops messages.
  x            Gives a cloaked hostname (requires cloaking module).
+ z            Only allow private messages from SSL users (requires
+              sslmode module).
  B            Marks as a bot (requires botmode module).
  G            Censors messages sent to the user based on filters
               configured for the network (requires censor module).
diff --git a/docs/conf/helpop.conf.example b/docs/conf/helpop.conf.example
index 68328272e..cb8b87a77 100644
--- a/docs/conf/helpop.conf.example
+++ b/docs/conf/helpop.conf.example
@@ -94,6 +94,8 @@ LOCKSERV       UNLOCKSERV">
               (requires services account module).
  w            Receives wallops messages.
  x            Gives a cloaked hostname (requires cloaking module).
+ z            Only allow private messages from SSL users (requires
+              sslmode module).
  B            Marks as a bot (requires botmode module).
  G            Censors messages sent to the user based on filters
               configured for the network (requires censor module).
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index 65bb3b9cb..ea658867c 100644
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1882,12 +1882,17 @@
 #<shun enabledcommands="ADMIN PING PONG QUIT PART JOIN" notifyuser="yes" affectopers="no">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# SSL channel mode module: Adds support for SSL-only channels via
-# channel mode +z and the 'z' extban which matches SSL client
-# certificate fingerprints.
+# SSL mode module: Adds support for SSL-only channels via the '+z'
+# channel mode, SSL-only private messages via the '+z' user mode and
+# the 'z:' extban which matches SSL client certificate fingerprints.
+#
 # Does not do anything useful without a working SSL module and the
 # sslinfo module (see below).
 #<module name="sslmodes">
+#
+# The +z user mode is not enabled by default to enable link compatibility
+# with 2.0 servers. You can enable it by uncommenting this:
+#<sslmodes enableumode="yes">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # GnuTLS SSL module: Adds support for SSL connections using GnuTLS,
diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp
index 6d1d62782..688fe70ce 100644
--- a/src/modules/m_sslmodes.cpp
+++ b/src/modules/m_sslmodes.cpp
@@ -1,6 +1,7 @@
 /*
  * InspIRCd -- Internet Relay Chat Daemon
  *
+ *   Copyright (C) 2013 Shawn Smith <shawn@inspircd.org>
  *   Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
  *   Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net>
  *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
@@ -30,16 +31,29 @@ enum
 	ERR_SECUREONLYCHAN = 489
 };
 
+namespace
+{
+	bool IsSSLUser(UserCertificateAPI& api, User* user)
+	{
+		if (!api)
+			return false;
+
+		ssl_cert* cert = api->GetCertificate(user);
+		return (cert != NULL);
+	}
+}
+
 /** Handle channel mode +z
  */
 class SSLMode : public ModeHandler
 {
- public:
-	UserCertificateAPI API;
+ private:
+	UserCertificateAPI& API;
 
-	SSLMode(Module* Creator)
+ public:
+	SSLMode(Module* Creator, UserCertificateAPI& api)
 		: ModeHandler(Creator, "sslonly", 'z', PARAM_NONE, MODETYPE_CHANNEL)
-		, API(Creator)
+		, API(api)
 	{
 	}
 
@@ -86,14 +100,60 @@ class SSLMode : public ModeHandler
 	}
 };
 
-class ModuleSSLModes : public Module
+/** Handle user mode +z
+*/
+class SSLModeUser : public ModeHandler
 {
+ private:
+	UserCertificateAPI& API;
+
+ public:
+	SSLModeUser(Module* Creator, UserCertificateAPI& api)
+		: ModeHandler(Creator, "sslqueries", 'z', PARAM_NONE, MODETYPE_USER)
+		, API(api)
+	{
+		if (!ServerInstance->Config->ConfValue("sslmodes")->getBool("enableumode"))
+			DisableAutoRegister();
+	}
+
+	ModeAction OnModeChange(User* user, User* dest, Channel* channel, std::string& parameter, bool adding) CXX11_OVERRIDE
+	{
+		if (adding)
+		{
+			if (!dest->IsModeSet(this))
+			{
+				if (!IsSSLUser(API, user))
+					return MODEACTION_DENY;
+
+				dest->SetMode(this, true);
+				return MODEACTION_ALLOW;
+			}
+		}
+		else
+		{
+			if (dest->IsModeSet(this))
+			{
+				dest->SetMode(this, false);
+				return MODEACTION_ALLOW;
+			}
+		}
 
+		return MODEACTION_DENY;
+	}
+};
+
+class ModuleSSLModes : public Module
+{
+ private:
+	UserCertificateAPI api;
 	SSLMode sslm;
+	SSLModeUser sslquery;
 
  public:
 	ModuleSSLModes()
-		: sslm(this)
+		: api(this)
+		, sslm(this, api)
+		, sslquery(this, api)
 	{
 	}
 
@@ -101,10 +161,10 @@ class ModuleSSLModes : public Module
 	{
 		if(chan && chan->IsModeSet(sslm))
 		{
-			if (!sslm.API)
+			if (!api)
 				return MOD_RES_DENY;
 
-			ssl_cert* cert = sslm.API->GetCertificate(user);
+			ssl_cert* cert = api->GetCertificate(user);
 			if (cert)
 			{
 				// Let them in
@@ -121,14 +181,48 @@ class ModuleSSLModes : public Module
 		return MOD_RES_PASSTHRU;
 	}
 
+	ModResult OnUserPreMessage(User* user, const MessageTarget& msgtarget, MessageDetails& details) CXX11_OVERRIDE
+	{
+		if (msgtarget.type != MessageTarget::TYPE_USER)
+			return MOD_RES_PASSTHRU;
+
+		User* target = msgtarget.Get<User>();
+
+		/* If one or more of the parties involved is a ulined service, we wont stop it. */
+		if (user->server->IsULine() || target->server->IsULine())
+			return MOD_RES_PASSTHRU;
+
+		/* If the target is +z */
+		if (target->IsModeSet(sslquery))
+		{
+			if (!IsSSLUser(api, user))
+			{
+				/* The sending user is not on an SSL connection */
+				user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You are not permitted to send private messages to this user (+z set)");
+				return MOD_RES_DENY;
+			}
+		}
+		/* If the user is +z */
+		else if (user->IsModeSet(sslquery))
+		{
+			if (!IsSSLUser(api, target))
+			{
+				user->WriteNumeric(ERR_CANTSENDTOUSER, target->nick, "You must remove usermode 'z' before you are able to send private messages to a non-ssl user.");
+				return MOD_RES_DENY;
+			}
+		}
+
+		return MOD_RES_PASSTHRU;
+	}
+
 	ModResult OnCheckBan(User *user, Channel *c, const std::string& mask) CXX11_OVERRIDE
 	{
 		if ((mask.length() > 2) && (mask[0] == 'z') && (mask[1] == ':'))
 		{
-			if (!sslm.API)
+			if (!api)
 				return MOD_RES_DENY;
 
-			ssl_cert* cert = sslm.API->GetCertificate(user);
+			ssl_cert* cert = api->GetCertificate(user);
 			if (cert && InspIRCd::Match(cert->GetFingerprint(), mask.substr(2)))
 				return MOD_RES_DENY;
 		}
@@ -142,7 +236,7 @@ class ModuleSSLModes : public Module
 
 	Version GetVersion() CXX11_OVERRIDE
 	{
-		return Version("Provides channel mode +z to allow for Secure/SSL only channels", VF_VENDOR);
+		return Version("Provides user and channel mode +z to allow for SSL-only channels, queries and notices.", VF_VENDOR);
 	}
 };