Merge pull request #293 from edk0/webirc

m_webirc: improve TLS handling
2019-10-22 16:17:33 +00:00 · 2019-10-22 16:17:33 +00:00 · a52d84f723
commit a52d84f723
parent 9e6c36d571 cccda2ff2f
3 changed files with 34 additions and 1 deletions
--- a/extensions/m_webirc.c
+++ b/extensions/m_webirc.c
@ -86,6 +86,8 @@ mr_webirc(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sourc
 	const char *encr;
 	struct rb_sockaddr_storage addr;

+	int secure = 0;
+
 	aconf = find_address_conf(client_p->host, client_p->sockhost,
 				IsGotId(client_p) ? client_p->username : "webirc",
 				IsGotId(client_p) ? client_p->username : "webirc",
@ -104,6 +106,11 @@ mr_webirc(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sourc
 		sendto_one(source_p, "NOTICE * :CGI:IRC auth blocks must have a password");
 		return;
 	}
+	if (!IsSSL(source_p) && aconf->flags & CONF_FLAGS_NEED_SSL)
+	{
+		sendto_one(source_p, "NOTICE * :Your CGI:IRC block requires TLS");
+		return;
+	}

 	if (EmptyString(parv[1]))
 		encr = "";
@ -126,6 +133,27 @@ mr_webirc(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sourc

 	source_p->localClient->ip = addr;

+	if (parc >= 6)
+	{
+		const char *s;
+		for (s = parv[5]; s != NULL; (s = strchr(s, ' ')) && s++)
+		{
+			if (!ircncmp(s, "secure", 6) && (s[6] == '=' || s[6] == ' ' || s[6] == '\0'))
+				secure = 1;
+		}
+	}
+
+	if (secure && !IsSSL(source_p))
+	{
+		sendto_one(source_p, "NOTICE * :CGI:IRC is not connected securely; marking you as insecure");
+		secure = 0;
+	}
+
+	if (!secure)
+	{
+		SetInsecure(source_p);
+	}
+
 	rb_inet_ntop_sock((struct sockaddr *)&source_p->localClient->ip, source_p->sockhost, sizeof(source_p->sockhost));

 	if(strlen(parv[3]) <= HOSTLEN)
--- a/include/client.h
+++ b/include/client.h
@ -439,6 +439,7 @@ struct ListClient
 #define LFLAGS_FLUSH		0x00000002
 #define LFLAGS_CORK		0x00000004
 #define LFLAGS_SCTP		0x00000008
+#define LFLAGS_INSECURE	0x00000010	/* for marking SSL clients as insecure before registration */

 /* umodes, settable flags */
 /* lots of this moved to snomask -- jilles */
@ -513,6 +514,10 @@ struct ListClient
 #define SetSCTP(x)		((x)->localClient->localflags |= LFLAGS_SCTP)
 #define ClearSCTP(x)		((x)->localClient->localflags &= ~LFLAGS_SCTP)

+#define IsInsecure(x)		((x)->localClient->localflags & LFLAGS_INSECURE)
+#define SetInsecure(x)		((x)->localClient->localflags |= LFLAGS_INSECURE)
+#define ClearInsecure(x)	((x)->localClient->localflags &= ~LFLAGS_INSECURE)
+
 /* oper flags */
 #define MyOper(x)               (MyConnect(x) && IsOper(x))

--- a/ircd/s_user.c
+++ b/ircd/s_user.c
@ -632,7 +632,7 @@ register_local_user(struct Client *client_p, struct Client *source_p)
 		add_to_id_hash(source_p->id, source_p);
 	}

-	if (IsSSL(source_p))
+	if (IsSSL(source_p) && !IsInsecure(source_p))
 		source_p->umodes |= UMODE_SSLCLIENT;

 	if (source_p->umodes & UMODE_INVISIBLE)