add ConfigFileEntry.oper_secure_only, to require TLS to oper up (#76)

jess 2020-11-18 14:29:08 +00:00 committed by GitHub
parent 6485005214
commit 40ecb85a1d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 41 additions and 0 deletions


@ -1402,6 +1402,9 @@ general {
/* hidden_caps: client capabilities we'll pretend we don't support until they're requested */ /* hidden_caps: client capabilities we'll pretend we don't support until they're requested */
#hidden_caps = "userhost-in-names"; #hidden_caps = "userhost-in-names";
/* oper_secure_only: require TLS on any connection trying to oper up */
oper_secure_only = no;
}; };
modules { modules {


@ -240,6 +240,7 @@ struct config_file_entry
int max_ratelimit_tokens; int max_ratelimit_tokens;
int away_interval; int away_interval;
int tls_ciphers_oper_only; int tls_ciphers_oper_only;
int oper_secure_only;
char **hidden_caps; char **hidden_caps;


@ -2714,6 +2714,7 @@ static struct ConfEntry conf_general_table[] =
{ "certfp_method", CF_STRING, conf_set_general_certfp_method, 0, NULL }, { "certfp_method", CF_STRING, conf_set_general_certfp_method, 0, NULL },
{ "drain_reason", CF_QSTRING, NULL, BUFSIZE, &ConfigFileEntry.drain_reason }, { "drain_reason", CF_QSTRING, NULL, BUFSIZE, &ConfigFileEntry.drain_reason },
{ "tls_ciphers_oper_only", CF_YESNO, NULL, 0, &ConfigFileEntry.tls_ciphers_oper_only }, { "tls_ciphers_oper_only", CF_YESNO, NULL, 0, &ConfigFileEntry.tls_ciphers_oper_only },
{ "oper_secure_only", CF_YESNO, NULL, 0, &ConfigFileEntry.oper_secure_only },
{ "\0", 0, NULL, 0, NULL } { "\0", 0, NULL, 0, NULL }
}; };


@ -773,6 +773,7 @@ set_default_conf(void)
ConfigFileEntry.max_ratelimit_tokens = 30; ConfigFileEntry.max_ratelimit_tokens = 30;
ConfigFileEntry.away_interval = 30; ConfigFileEntry.away_interval = 30;
ConfigFileEntry.tls_ciphers_oper_only = false; ConfigFileEntry.tls_ciphers_oper_only = false;
ConfigFileEntry.oper_secure_only = false;
#ifdef HAVE_LIBZ #ifdef HAVE_LIBZ
ConfigFileEntry.compression_level = 4; ConfigFileEntry.compression_level = 4;


@ -113,6 +113,18 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou
size_t cnt; size_t cnt;
int len = 0; int len = 0;
if (ConfigFileEntry.oper_secure_only && !IsSecureClient(source_p))
{
sendto_one_notice(source_p, ":You must be using a secure connection to /CHALLENGE on this server");
if (ConfigFileEntry.failed_oper_notice)
{
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed CHALLENGE attempt - missing secure connection by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return;
}
/* if theyre an oper, reprint oper motd and ignore */ /* if theyre an oper, reprint oper motd and ignore */
if(IsOper(source_p)) if(IsOper(source_p))
{ {
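Review bot: The new `oper_secure_only` guard sits above the existing `if(IsOper(source_p))` early-return, so a client that is already an oper but is not on a TLS connection (for example one that opered before a rehash enabled the option) is now refused and, when `failed_oper_notice` is set, raises a "Failed CHALLENGE attempt" snomask alert instead of taking the existing reprint-oper-motd path; placing the block after the `if(IsOper(source_p))` branch keeps the existing behaviour for current opers and confines the failure alert to genuine oper-up attempts. The `m_oper` hunk has the same ordering, with the check placed above its `if(IsOper(source_p))`, and would benefit from the same move. The body of `m_challenge` begins before this hunk, so whether anything between function entry and this point is affected by the reordering cannot be judged from here.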


@ -109,6 +109,12 @@ static int do_grant(struct Client *source_p, struct Client *target_p, const char
sendto_one_notice(source_p, ":%s already has privilege set %s.", target_p->name, target_p->user->privset->name); sendto_one_notice(source_p, ":%s already has privilege set %s.", target_p->name, target_p->user->privset->name);
return 0; return 0;
} }
if (ConfigFileEntry.oper_secure_only && !IsSecureClient(target_p))
{
sendto_one_notice(source_p, ":Cannot GRANT %s, opers must be using secure connections.", target_p->name);
return 0;
}
} }
if (!dodeoper) if (!dodeoper)


@ -611,6 +611,11 @@ static struct InfoStruct info_table[] = {
"Links rehash delay", "Links rehash delay",
INFO_DECIMAL(&ConfigServerHide.links_delay), INFO_DECIMAL(&ConfigServerHide.links_delay),
}, },
{
"oper_secure_only",
"Require TLS to become an oper",
INFO_INTBOOL_YN(&ConfigFileEntry.oper_secure_only),
},
{ NULL, NULL, 0, { NULL } }, { NULL, NULL, 0, { NULL } },
}; };


@ -70,6 +70,18 @@ m_oper(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p
name = parv[1]; name = parv[1];
password = parv[2]; password = parv[2];
if (ConfigFileEntry.oper_secure_only && !IsSecureClient(source_p))
{
sendto_one_notice(source_p, ":You must be using a secure connection to /OPER on this server");
if (ConfigFileEntry.failed_oper_notice)
{
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed OPER attempt - missing secure connection by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return;
}
if(IsOper(source_p)) if(IsOper(source_p))
{ {
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name); sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);