From ff766773bc547b03ffa3a15cb1c89896a2a7b8cf Mon Sep 17 00:00:00 2001
From: Sadie Powell
Date: Sat, 29 Aug 2020 19:21:06 +0100
Subject: Warn about non-local plaintext server connections.
---
 src/modules/m_spanningtree/server.cpp | 4 ++++
 src/modules/m_spanningtree/treesocket.h | 1 +
 src/modules/m_spanningtree/treesocket1.cpp | 18 ++++++++++++++----
 3 files changed, 19 insertions(+), 4 deletions(-)
(limited to 'src/modules/m_spanningtree')
diff --git a/src/modules/m_spanningtree/server.cpp b/src/modules/m_spanningtree/server.cpp
index c635856e3..b55743659 100644
--- a/src/modules/m_spanningtree/server.cpp
+++ b/src/modules/m_spanningtree/server.cpp
@@ -141,6 +141,10 @@ Link* TreeSocket::AuthRemote(const CommandBase::Params& params)
 ssliohook->GetCiphersuite(ciphersuite);
 ServerInstance->SNO->WriteToSnoMask('l', "Negotiated ciphersuite %s on link %s", ciphersuite.c_str(), x->Name.c_str());
 }
+ else if (!irc::sockets::cidr_mask("127.0.0.0/8").match(capab->remotesa) && !irc::sockets::cidr_mask("::1/128").match(capab->remotesa))
+ {
+ ServerInstance->SNO->WriteGlobalSno('l', "Server connection to %s is not using SSL (TLS). This is VERY INSECURE and will not be allowed the next major version of InspIRCd.", x->Name.c_str());
+ }
 return x;
 }
diff --git a/src/modules/m_spanningtree/treesocket.h b/src/modules/m_spanningtree/treesocket.h
index 046f0eb0a..0d3d515d0 100644
--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -80,6 +80,7 @@ struct CapabData
 int capab_phase; /* Have sent CAPAB already */
 bool auth_fingerprint; /* Did we auth using SSL certificate fingerprint */
 bool auth_challenge; /* Did we auth using challenge/response */
+ irc::sockets::sockaddrs remotesa; /* The remote socket address. */
 // Data saved from incoming SERVER command, for later use when our credentials have been accepted by the other party
 std::string description;
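Review bot: The loopback exemption in the added `else if` of the server.cpp hunk matches only `127.0.0.0/8` and `::1/128`, so an IPv4-mapped loopback peer such as `::ffff:127.0.0.1` would presumably be reported as a non-local plaintext link. The matching rules of `cidr_mask` are not visible here, so that needs confirming. The two masks are also rebuilt from string literals on every call and could be function-local `static const irc::sockets::cidr_mask` objects. The notice text is missing a word and should read `"... will not be allowed in the next major version of InspIRCd."`. This branch only warns and the link is still accepted, so a comment such as `// Warning only: the plaintext link is still allowed in this release.` would help; AuthRemote's body starts and ends outside the hunk.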
diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp
index 5bc41ea64..ad69c42fa 100644
--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
@@ -40,13 +40,18 @@
 * and only do minor initialization tasks ourselves.
 */
 TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockaddrs& dest)
- : linkID(link->Name), LinkState(CONNECTING), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ : linkID(link->Name)
+ , LinkState(CONNECTING)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
 {
 capab = new CapabData;
 capab->link = link;
 capab->ac = myac;
 capab->capab_phase = 0;
+ capab->remotesa = dest;
 irc::sockets::sockaddrs bind;
 memset(&bind, 0, sizeof(bind));
@@ -77,11 +82,16 @@ TreeSocket::TreeSocket(Link* link, Autoconnect* myac, const irc::sockets::sockad
 */
 TreeSocket::TreeSocket(int newfd, ListenSocket* via, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server)
 : BufferedSocket(newfd)
- , linkID("inbound from " + client->addr()), LinkState(WAIT_AUTH_1), MyRoot(NULL), proto_version(0)
- , burstsent(false), age(ServerInstance->Time())
+ , linkID("inbound from " + client->addr())
+ , LinkState(WAIT_AUTH_1)
+ , MyRoot(NULL)
+ , proto_version(0)
+ , burstsent(false)
+ , age(ServerInstance->Time())
 {
 capab = new CapabData;
 capab->capab_phase = 0;
+ capab->remotesa = *client;
 for (ListenSocket::IOHookProvList::iterator i = via->iohookprovs.begin(); i != via->iohookprovs.end(); ++i)
 {
-- cgit v1.2.3
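Review bot: Nothing next to the new `capab->remotesa = *client;` in the inbound constructor says that this value later decides whether the plaintext-link warning is suppressed. It is the peer address as the listener saw it, so a deployment that fronts the server port with a local relay or tunnel would presumably record every peer as loopback and never raise the warning. A comment would make that dependency visible, for example `// Peer address as seen by the listener; AuthRemote uses it to exempt loopback links from the plaintext warning.` The same applies to `capab->remotesa = dest;` in the outbound constructor, where the stored value is the address being connected to. Both constructor bodies continue outside their hunks.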