From: Matthew Mondor Date: Thu, 17 Mar 2005 20:39:03 +0000 (+0000) Subject: - Cleanups to SSL related code X-Git-Tag: rubiks-ircd-1-0-6~15 X-Git-Url: http://git.pulsar-zone.net/?a=commitdiff_plain;h=301e578f49211bf350c2ceb68193ca0c58ae744c;p=rubiks-ircd.git - Cleanups to SSL related code - Now by default only allows SSL connected IRC operators to minimize +S channels leak and to secure operator passwords --- diff --git a/RUBIKS-CHANGES b/RUBIKS-CHANGES index 1132e98..84881ba 100644 --- a/RUBIKS-CHANGES +++ b/RUBIKS-CHANGES @@ -1,3 +1,14 @@ +rubiks-ircd-1-0-2 +================= + +- Minor code cleanups related to SSL support +- Added support for SSL_ONLY_OPERS, and added it as default in config.h. + This prevents opers from leaking channel information, since they can of + course join +S (secure only) channels. It seems a better approach than to + prevent opers from joining these channels. Moreover, this enhances security + since opers using SSL will not type their operator password in plain text. + + rubiks-ircd-1-0-1 ================= diff --git a/include/config.h b/include/config.h index 8e7c88c..c2935c9 100644 --- a/include/config.h +++ b/include/config.h @@ -18,7 +18,7 @@ * */ -/* $Id: config.h,v 1.13 2005/03/07 19:14:48 mwiggins Exp $ */ +/* $Id: config.h,v 1.14 2005/03/17 20:39:02 mmondor Exp $ */ #ifndef __config_include__ #define __config_include__ @@ -585,6 +585,9 @@ * SSL support stolen from fqircd */ #ifdef USE_SSL + +#define SSL_ONLY_OPERS /* Opers must use SSL */ + #define IRCDSSL_KPATH "ircd.key" #define IRCDSSL_CPATH "ircd.crt" @@ -596,8 +599,9 @@ send(to->fd, buf, len, 0) #define WRITEV_CHECK_SSL(to, iov, len) (IsSSL(to) && to->ssl) ?\ - safe_SSL_write(to,iov->iov_base,iov->iov_len) :\ - writev(to->fd, iov, len); + safe_SSL_write(to,iov->iov_base,iov->iov_len) :\ + writev(to->fd, iov, len) + #endif diff --git a/include/numeric.h b/include/numeric.h index 768f220..cee6be6 100644 --- a/include/numeric.h +++ b/include/numeric.h 
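Review bot: The new `SSL_ONLY_OPERS` switch is documented only as `/* Opers must use SSL */`, which overstates what the enforcing check in m_oper can do: it refuses to grant operator status to a non-SSL client, but by the time that check runs the OPER password has already crossed the wire in the clear. Suggest a comment that states the limit, e.g. `/* Refuse OPER from non-SSL clients so +S channel data and oper sessions stay on TLS; a plaintext OPER attempt still exposes the password once, so it should be changed afterwards. */`. Since the define sits inside `#ifdef USE_SSL`, the `defined(USE_SSL) &&` half of the guards in s_err.c and s_user.c is redundant unless the build system can define SSL_ONLY_OPERS on its own.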
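Review bot: The `WRITEV_CHECK_SSL` expansion on the new side is still not wrapped in outer parentheses, so a use such as `if (WRITEV_CHECK_SSL(to, iov, n) < 0)` parses as `cond ? safe_SSL_write(...) : (writev(...) < 0)`; dropping the trailing semicolon is what makes such expression uses possible, so this is the moment to close the hole. Suggest `#define WRITEV_CHECK_SSL(to, iov, len) ((IsSSL(to) && to->ssl) ?\`, `safe_SSL_write(to,iov->iov_base,iov->iov_len) :\`, `writev(to->fd, iov, len))`. Separately, the SSL branch passes only `iov->iov_base`/`iov->iov_len` and never uses `len`, so if any caller hands over an iovec with more than one entry, everything after the first is silently not written on SSL connections; the callers are outside this hunk, so that is worth confirming rather than assuming.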
@@ -18,7 +18,7 @@ * */ -/* $Id: numeric.h,v 1.2 2005/01/13 10:35:43 mmondor Exp $ */ +/* $Id: numeric.h,v 1.3 2005/03/17 20:39:02 mmondor Exp $ */ #define RPL_WELCOME 001 @@ -240,7 +240,8 @@ #define ERR_MSGSERVICES 487 #ifdef USE_SSL -#define ERR_NOSSL 488 +#define ERR_SSLONLYCHAN 488 +#define ERR_SSLONLYOPERS 490 #endif #define ERR_NOOPERHOST 491 diff --git a/src/channel.c b/src/channel.c index d8a92f8..df750b0 100644 --- a/src/channel.c +++ b/src/channel.c @@ -18,7 +18,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -/* $Id: channel.c,v 1.4 2005/03/16 19:12:16 mwiggins Exp $ */ +/* $Id: channel.c,v 1.5 2005/03/17 20:39:02 mmondor Exp $ */ #include "struct.h" #include "common.h" @@ -971,8 +971,8 @@ int can_send(aClient *cptr, aChannel *chptr, char *msg) if ((chptr->mode.mode & MODE_NOCOLOR) && msg_has_colors(msg)) return (ERR_NOCOLORSONCHAN); #ifdef USE_SSL - if ((chptr->mode.mode & MODE_SSL) && !IsUmodeS(cptr)) - return (MODE_SSL); + if ((chptr->mode.mode & MODE_SSL) && !IsUmodeS(cptr)) + return (MODE_SSL); #endif if (MyClient(cptr) && is_banned(cptr, chptr, NULL)) return (MODE_BAN); /* @@ -992,8 +992,8 @@ int can_send(aClient *cptr, aChannel *chptr, char *msg) if ((chptr->mode.mode & MODE_MODREG) && !IsRegNick(cptr)) return (ERR_NEEDREGGEDNICK); #ifdef USE_SSL - if ((chptr->mode.mode & MODE_SSL) && !IsUmodeS(cptr)) - return (MODE_SSL); + if ((chptr->mode.mode & MODE_SSL) && !IsUmodeS(cptr)) + return (MODE_SSL); #endif } if ((chptr->mode.mode & MODE_NOCOLOR) && msg_has_colors(msg)) @@ -2193,7 +2193,7 @@ static int can_join(aClient *sptr, aChannel *chptr, char *key) else if (chptr->mode.mode & MODE_SSL && !IsSSL(sptr) && !IsOper(sptr)) { r = "+S"; - error = ERR_NOSSL; + error = ERR_SSLONLYCHAN; } #endif else if (chptr->mode.mode & MODE_REGONLY && !IsRegNick(sptr)) diff --git a/src/s_err.c b/src/s_err.c index 7baca0f..e3f5e3a 100644 --- a/src/s_err.c +++ b/src/s_err.c 
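Review bot: The renamed +S check in can_join still gates on `!IsSSL(sptr) && !IsOper(sptr)`, while both can_send hunks in this file gate on `!IsUmodeS(cptr)` with no operator exemption, so join and send use different rules: an operator admitted to a +S channel without SSL (still possible when SSL_ONLY_OPERS is not defined, and presumably for remote opers if IsSSL reflects only the local connection) can join but has every message refused with MODE_SSL. Suggest aligning on one predicate, e.g. `else if ((chptr->mode.mode & MODE_SSL) && !IsUmodeS(sptr) && !IsOper(sptr))`, or dropping the oper exemption now that the default build refuses non-SSL opers, with a comment stating the chosen rule. Whether IsSSL and IsUmodeS actually differ for remote users is inferred from the names, not visible here. The parentheses around the `&` term also match the style can_send uses. can_join's body starts and ends outside the hunk.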
@@ -300,7 +300,12 @@ static char *replies[] = /* 272 RPL_ENDOFSILELIST*/ ":%s 272 %s :End of /SILENCE list.", /* 273 */ NULL, /* 274 */ NULL, - /* 275 */ ":%s 275 %s %s :is using a secure connection (SSL)", +#ifdef USE_SSL + /* 275 RPL_USINGSSL */ ":%s 275 %s %s :is using a secure connection " + "(SSL)", +#else + /* 275 */ NULL, +#endif /* 276 */ NULL, /* 277 */ NULL, /* 278 */ NULL, @@ -552,10 +557,19 @@ static char *replies[] = "registered nick to private message %s", /* 487 ERR_MSGSERVICES */ ":%s 487 %s :Error! \"/msg %s\" is no longer supported. " "Use \"/msg %s@%s\" or \"/%s\" instead.", - /* 488 ERR_NOPRIVILEGES */ ":%s 488 %s :SSL Only channel (+S), You must connect " - "using SSL to join this channel.", +#ifdef USE_SSL + /* 488 ERR_SSLONLYCHAN */ ":%s 488 %s :SSL Only channel (+S), You must " + "connect using SSL to join this channel.", +#else + /* 488 */ NULL, +#endif /* 489 */ NULL, /* In use by Undernet */ +#if defined(USE_SSL) && defined(SSL_ONLY_OPERS) + /* 490 ERR_SSLONLYOPERS */ ":%s 490 %s :Operators only allowed through " + "SSL", +#else /* 490 */ NULL, +#endif /* 491 ERR_NOOPERHOST */ ":%s 491 %s :No Oper block for your host", /* 492 */ NULL, /* 493 */ NULL, diff --git a/src/s_user.c b/src/s_user.c index b2acfa5..fc3caf9 100644 --- a/src/s_user.c +++ b/src/s_user.c @@ -21,7 +21,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -/* $Id: s_user.c,v 1.10 2005/01/19 22:05:45 mwiggins Exp $ */ +/* $Id: s_user.c,v 1.11 2005/03/17 20:39:03 mmondor Exp $ */ #include "struct.h" #include "common.h" @@ -2762,6 +2762,12 @@ int m_oper(aClient *cptr, aClient *sptr, int parc, char *parv[]) sendto_one(sptr, rpl_str(RPL_YOUREOPER), me.name, parv[0]); return 0; } +#if defined(USE_SSL) && defined(SSL_ONLY_OPERS) + if (!IsUmodeS(cptr)) { + sendto_one(sptr, rpl_str(ERR_SSLONLYOPERS), me.name, parv[0]); + return 0; + } +#endif #if (RIDICULOUS_PARANOIA_LEVEL>=1) if(!sptr->user->real_oper_host) {
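Review bot: Making the 275 and 488 entries `NULL` in non-SSL builds means `rpl_str()` now yields a null format string to any sender of those numerics that is not itself under `#ifdef USE_SSL`, where the previous table always held a string; unless rpl_str() substitutes a fallback for NULL (not visible here), an unguarded sendto_one would dereference it. The senders of 275 in particular are not touched by this commit, so they are worth checking before merging. The 490 entry is conditional on SSL_ONLY_OPERS while the numeric itself is defined for every USE_SSL build, so a comment beside `#if defined(USE_SSL) && defined(SSL_ONLY_OPERS)` such as `/* ERR_SSLONLYOPERS may only be sent under this same guard; the slot is NULL otherwise */` would keep the two in step.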
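Review bot: The new guard in m_oper tests `IsUmodeS(cptr)` but replies to `sptr`; if this handler can ever run with cptr being a server link for a remote sptr, the test examines the wrong connection. If it is only reached for local clients, `if (!IsUmodeS(sptr)) {` or a `MyClient(sptr)` guard makes that explicit. The rejection also returns silently, yet a plaintext OPER attempt is a credential that has already been exposed, so it deserves the same operator notice or log line that a failed password presumably gets later in this function. Placing the check before that later password handling is the right order, since the password is then never compared for a non-SSL client. m_oper continues outside the hunk in both directions.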