diff options
| author | 2021-06-18 15:02:34 +0100 | |
|---|---|---|
| committer | 2021-06-18 15:02:34 +0100 | |
| commit | b2fde769b6daa6fe062525210d65ae5f1536f4bf (patch) | |
| tree | e9039e6a3b9a8f3241b71108f4bf2193f4c61b11 /src/modules | |
| parent | Import a greatly refactored version of the opmoderated module. (diff) | |
| parent | Fix some inverted ignoreuntil values in the connectban module. (diff) | |
| download | inspircd++-b2fde769b6daa6fe062525210d65ae5f1536f4bf.tar.gz inspircd++-b2fde769b6daa6fe062525210d65ae5f1536f4bf.tar.bz2 inspircd++-b2fde769b6daa6fe062525210d65ae5f1536f4bf.zip | |
Merge branch 'insp3' into master.
Diffstat (limited to 'src/modules')
| -rw-r--r-- | src/modules/extra/m_ssl_gnutls.cpp | 62 | ||||
| -rw-r--r-- | src/modules/m_connectban.cpp | 27 | ||||
| -rw-r--r-- | src/modules/m_joinflood.cpp | 7 |
3 files changed, 52 insertions, 44 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index a31c5d374..d13bd0cfd 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -676,26 +676,14 @@ class GnuTLSIOHook : public SSLIOHook void VerifyCertificate() { - unsigned int certstatus; - const gnutls_datum_t* cert_list; - int ret; - unsigned int cert_list_size; - gnutls_x509_crt_t cert; - char str[512]; - unsigned char digest[512]; - size_t digest_size = sizeof(digest); - size_t name_size = sizeof(str); ssl_cert* certinfo = new ssl_cert; this->certificate = certinfo; - /* This verification function uses the trusted CAs in the credentials - * structure. So you must have installed one or more CA certificates. - */ - ret = gnutls_certificate_verify_peers2(this->sess, &certstatus); - + unsigned int certstatus; + int ret = gnutls_certificate_verify_peers2(this->sess, &certstatus); if (ret < 0) { - certinfo->error = std::string(gnutls_strerror(ret)); + certinfo->error = gnutls_strerror(ret); return; } @@ -704,16 +692,13 @@ class GnuTLSIOHook : public SSLIOHook certinfo->revoked = (certstatus & GNUTLS_CERT_REVOKED); certinfo->trusted = !(certstatus & GNUTLS_CERT_SIGNER_NOT_CA); - /* Up to here the process is the same for X.509 certificates and - * OpenPGP keys. From now on X.509 certificates are assumed. This can - * be easily extended to work with openpgp keys as well. - */ if (gnutls_certificate_type_get(this->sess) != GNUTLS_CRT_X509) { certinfo->error = "No X509 keys sent"; return; } + gnutls_x509_crt_t cert; ret = gnutls_x509_crt_init(&cert); if (ret < 0) { @@ -721,18 +706,17 @@ class GnuTLSIOHook : public SSLIOHook return; } - cert_list_size = 0; - cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size); + char buffer[512]; + size_t buffer_size = sizeof(buffer); + + unsigned int cert_list_size = 0; + const gnutls_datum_t* cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size); if (cert_list == NULL) { certinfo->error = "No certificate was found"; goto info_done_dealloc; } - /* This is not a real world example, since we only check the first - * certificate in the given chain. - */ - ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { @@ -740,31 +724,31 @@ class GnuTLSIOHook : public SSLIOHook goto info_done_dealloc; } - if (gnutls_x509_crt_get_dn(cert, str, &name_size) == 0) + if (gnutls_x509_crt_get_dn(cert, buffer, &buffer_size) == 0) { - std::string& dn = certinfo->dn; - dn = str; - // Make sure there are no chars in the string that we consider invalid - if (dn.find_first_of("\r\n") != std::string::npos) - dn.clear(); + // Make sure there are no chars in the string that we consider invalid. + certinfo->dn = buffer; + if (certinfo->dn.find_first_of("\r\n") != std::string::npos) + certinfo->dn.clear(); } - name_size = sizeof(str); - if (gnutls_x509_crt_get_issuer_dn(cert, str, &name_size) == 0) + buffer_size = sizeof(buffer); + if (gnutls_x509_crt_get_issuer_dn(cert, buffer, &buffer_size) == 0) { - std::string& issuer = certinfo->issuer; - issuer = str; - if (issuer.find_first_of("\r\n") != std::string::npos) - issuer.clear(); + // Make sure there are no chars in the string that we consider invalid. + certinfo->issuer = buffer; + if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) + certinfo->issuer.clear(); } - if ((ret = gnutls_x509_crt_get_fingerprint(cert, GetProfile().GetHash(), digest, &digest_size)) < 0) + buffer_size = sizeof(buffer); + if ((ret = gnutls_x509_crt_get_fingerprint(cert, GetProfile().GetHash(), buffer, &buffer_size)) < 0) { certinfo->error = gnutls_strerror(ret); } else { - certinfo->fingerprint = Hex::Encode(digest, digest_size); + certinfo->fingerprint = Hex::Encode(buffer, buffer_size); } /* Beware here we do not check for errors. diff --git a/src/modules/m_connectban.cpp b/src/modules/m_connectban.cpp index 846de9e80..7146e0df2 100644 --- a/src/modules/m_connectban.cpp +++ b/src/modules/m_connectban.cpp @@ -26,18 +26,25 @@ #include "inspircd.h" #include "xline.h" +#include "modules/server.h" #include "modules/webirc.h" -class ModuleConnectBan +class ModuleConnectBan final : public Module + , public ServerProtocol::LinkEventListener , public WebIRC::EventListener { + private: typedef std::map<irc::sockets::cidr_mask, unsigned int> ConnectMap; + ConnectMap connects; unsigned long threshold; unsigned long banduration; unsigned int ipv4_cidr; unsigned int ipv6_cidr; + unsigned long bootwait; + unsigned long splitwait; + time_t ignoreuntil; std::string banmessage; unsigned char GetRange(LocalUser* user) @@ -72,9 +79,14 @@ class ModuleConnectBan } public: + // Stop GCC warnings about the deprecated OnServerSplit event. + using ServerProtocol::LinkEventListener::OnServerSplit; + ModuleConnectBan() : Module(VF_VENDOR, "Z-lines IP addresses which make excessive connections to the server.") + , ServerProtocol::LinkEventListener(this) , WebIRC::EventListener(this) + , ignoreuntil(0) { } @@ -91,8 +103,13 @@ class ModuleConnectBan ipv4_cidr = static_cast<unsigned int>(tag->getUInt("ipv4cidr", 32, 1, 32)); ipv6_cidr = static_cast<unsigned int>(tag->getUInt("ipv6cidr", 128, 1, 128)); threshold = tag->getUInt("threshold", 10, 1); + bootwait = tag->getDuration("bootwait", 60*2); + splitwait = tag->getDuration("splitwait", 60*2); banduration = tag->getDuration("duration", 10*60, 1); banmessage = tag->getString("banmessage", "Your IP range has been attempting to connect too many times in too short a duration. Wait a while, and you will be able to connect."); + + if (status.initial) + ignoreuntil = ServerInstance->Time() + bootwait; } void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) override @@ -109,9 +126,15 @@ class ModuleConnectBan iter->second--; } + void OnServerSplit(const Server* server, bool error) override + { + if (splitwait) + ignoreuntil = std::max<time_t>(ignoreuntil, ServerInstance->Time() + splitwait); + } + void OnSetUserIP(LocalUser* u) override { - if (IsExempt(u)) + if (IsExempt(u) || ignoreuntil > ServerInstance->Time()) return; irc::sockets::cidr_mask mask(u->client_sa, GetRange(u)); diff --git a/src/modules/m_joinflood.cpp b/src/modules/m_joinflood.cpp index 5dfeb845f..c8836d12f 100644 --- a/src/modules/m_joinflood.cpp +++ b/src/modules/m_joinflood.cpp @@ -152,20 +152,21 @@ class ModuleJoinFlood { } - void ReadConfig(ConfigStatus&) override + void ReadConfig(ConfigStatus& status) override { auto tag = ServerInstance->Config->ConfValue("joinflood"); duration = static_cast<unsigned int>(tag->getDuration("duration", 60, 10, 600)); bootwait = tag->getDuration("bootwait", 30); splitwait = tag->getDuration("splitwait", 30); - ignoreuntil = ServerInstance->startup_time + bootwait; + if (status.initial) + ignoreuntil = ServerInstance->startup_time + bootwait; } void OnServerSplit(const Server* server, bool error) override { if (splitwait) - ignoreuntil = ServerInstance->Time() + splitwait; + ignoreuntil = std::max<time_t>(ignoreuntil, ServerInstance->Time() + splitwait); } ModResult OnUserPreJoin(LocalUser* user, Channel* chan, const std::string& cname, std::string& privs, const std::string& keygiven, bool override) override |
