From ccebfe6e637b420bef05e8e0faf29bb19f1883d9 Mon Sep 17 00:00:00 2001 From: Matt Schatz Date: Sun, 12 Apr 2020 22:56:10 -0600 Subject: Update user-facing text and comments of SSL to TLS. --- src/modules/extra/m_ssl_gnutls.cpp | 16 ++++++++-------- src/modules/extra/m_ssl_mbedtls.cpp | 16 ++++++++-------- src/modules/extra/m_ssl_openssl.cpp | 14 +++++++------- src/modules/extra/m_sslrehashsignal.cpp | 2 +- src/modules/m_haproxy.cpp | 6 +++--- src/modules/m_ircv3_sts.cpp | 4 ++-- src/modules/m_sslinfo.cpp | 16 +++++++++------- src/modules/m_sslmodes.cpp | 10 +++++----- src/modules/m_starttls.cpp | 2 +- 9 files changed, 44 insertions(+), 42 deletions(-) (limited to 'src/modules') diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 4d9216123..6cafcae22 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -907,7 +907,7 @@ info_done_dealloc: } CloseSession(); - sock->SetError("No SSL session"); + sock->SetError("No TLS (SSL) session"); return -1; } @@ -1291,7 +1291,7 @@ class ModuleSSLGnuTLS : public Module { // First, store all profiles in a new, temporary container. If no problems occur, swap the two // containers; this way if something goes wrong we can go back and continue using the current profiles, - // avoiding unpleasant situations where no new SSL connections are possible. + // avoiding unpleasant situations where no new TLS (SSL) connections are possible. ProfileList newprofiles; ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile"); @@ -1309,7 +1309,7 @@ class ModuleSSLGnuTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -1334,7 +1334,7 @@ class ModuleSSLGnuTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -1375,7 +1375,7 @@ class ModuleSSLGnuTLS : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module GnuTLS rehashed."); } catch (ModuleException& ex) { @@ -1396,9 +1396,9 @@ class ModuleSSLGnuTLS : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "GnuTLS module unloading"); } } } diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp index dded7e171..628230d29 100644 --- a/src/modules/extra/m_ssl_mbedtls.cpp +++ b/src/modules/extra/m_ssl_mbedtls.cpp @@ -586,7 +586,7 @@ class mbedTLSIOHook : public SSLIOHook } CloseSession(); - sock->SetError("No SSL session"); + sock->SetError("No TLS (SSL) session"); return -1; } @@ -865,7 +865,7 @@ class ModuleSSLmbedTLS : public Module { // First, store all profiles in a new, temporary container. If no problems occur, swap the two // containers; this way if something goes wrong we can go back and continue using the current profiles, - // avoiding unpleasant situations where no new SSL connections are possible. + // avoiding unpleasant situations where no new TLS (SSL) connections are possible. ProfileList newprofiles; ConfigTagList tags = ServerInstance->Config->ConfTags("sslprofile"); @@ -883,7 +883,7 @@ class ModuleSSLmbedTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -908,7 +908,7 @@ class ModuleSSLmbedTLS : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -945,7 +945,7 @@ class ModuleSSLmbedTLS : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module mbedTLS rehashed."); } catch (ModuleException& ex) { @@ -961,9 +961,9 @@ class ModuleSSLmbedTLS : public Module LocalUser* user = IS_LOCAL(static_cast(item)); if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using our IOHook. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users.QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using our IOHook. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users.QuitUser(user, "mbedTLS module unloading"); } } diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 330055e4a..30cabdf27 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -251,7 +251,7 @@ namespace OpenSSL X509_STORE* store = SSL_CTX_get_cert_store(ctx); if (!store) { - throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen"); + throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen"); } ERR_clear_error(); if (!X509_STORE_load_locations(store, @@ -987,7 +987,7 @@ class ModuleSSLOpenSSL : public Module } catch (OpenSSL::Exception& ex) { - throw ModuleException("Error while initializing the default SSL profile - " + ex.GetReason()); + throw ModuleException("Error while initializing the default TLS (SSL) profile - " + ex.GetReason()); } } @@ -1011,7 +1011,7 @@ class ModuleSSLOpenSSL : public Module } catch (CoreException& ex) { - throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); + throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason()); } newprofiles.push_back(prov); @@ -1062,7 +1062,7 @@ class ModuleSSLOpenSSL : public Module try { ReadProfiles(); - ServerInstance->SNO->WriteToSnoMask('a', "SSL module %s rehashed.", MODNAME); + ServerInstance->SNO->WriteToSnoMask('a', "TLS (SSL) module OpenSSL rehashed."); } catch (ModuleException& ex) { @@ -1078,9 +1078,9 @@ class ModuleSSLOpenSSL : public Module if ((user) && (user->eh.GetModHook(this))) { - // User is using SSL, they're a local user, and they're using one of *our* SSL ports. - // Potentially there could be multiple SSL modules loaded at once on different ports. - ServerInstance->Users->QuitUser(user, "SSL module unloading"); + // User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports. + // Potentially there could be multiple TLS (SSL) modules loaded at once on different ports. + ServerInstance->Users->QuitUser(user, "OpenSSL module unloading"); } } } diff --git a/src/modules/extra/m_sslrehashsignal.cpp b/src/modules/extra/m_sslrehashsignal.cpp index c0cf8fada..b70deedfa 100644 --- a/src/modules/extra/m_sslrehashsignal.cpp +++ b/src/modules/extra/m_sslrehashsignal.cpp @@ -45,7 +45,7 @@ class ModuleSSLRehashSignal : public Module if (!signaled) return; - const std::string feedbackmsg = "Got SIGUSR1, reloading SSL credentials"; + const std::string feedbackmsg = "Got SIGUSR1, reloading TLS (SSL) credentials"; ServerInstance->SNO->WriteGlobalSno('a', feedbackmsg); ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, feedbackmsg); diff --git a/src/modules/m_haproxy.cpp b/src/modules/m_haproxy.cpp index f18738779..1a6583e6f 100644 --- a/src/modules/m_haproxy.cpp +++ b/src/modules/m_haproxy.cpp @@ -200,16 +200,16 @@ class HAProxyHook : public IOHookMiddle if (!sslapi) return true; - // If the client is not connecting via SSL the rest of this TLV is irrelevant. + // If the client is not connecting via TLS (SSL) the rest of this TLV is irrelevant. std::string& recvq = GetRecvQ(); if ((recvq[start_index] & PP2_CLIENT_SSL) == 0) return true; // Create a fake ssl_cert for the user. Ideally we should use the user's - // SSL client certificate here but as of 2018-10-16 this is not forwarded + // TLS (SSL) client certificate here but as of 2018-10-16 this is not forwarded // by HAProxy. ssl_cert* cert = new ssl_cert; - cert->error = "HAProxy does not forward client SSL certificates"; + cert->error = "HAProxy does not forward client TLS (SSL) certificates"; cert->invalid = true; cert->revoked = true; cert->trusted = false; diff --git a/src/modules/m_ircv3_sts.cpp b/src/modules/m_ircv3_sts.cpp index 6d616f74e..bca378f24 100644 --- a/src/modules/m_ircv3_sts.cpp +++ b/src/modules/m_ircv3_sts.cpp @@ -128,7 +128,7 @@ class ModuleIRCv3STS : public Module private: STSCap cap; - // The IRCv3 STS specification requires that the server is listening using SSL using a valid certificate. + // The IRCv3 STS specification requires that the server is listening using TLS (SSL) using a valid certificate. bool HasValidSSLPort(unsigned int port) { for (std::vector::const_iterator iter = ServerInstance->ports.begin(); iter != ServerInstance->ports.end(); ++iter) @@ -140,7 +140,7 @@ class ModuleIRCv3STS : public Module if (saport != port) continue; - // Is this listener using SSL? + // Is this listener using TLS (SSL)? if (ls->bind_tag->getString("ssl").empty()) continue; diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 4f784c87c..885ae6f74 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -138,7 +138,7 @@ class UserCertificateAPIImpl : public UserCertificateAPIBase void SetCertificate(User* user, ssl_cert* cert) CXX11_OVERRIDE { - ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting SSL certificate for %s: %s", + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting TLS (SSL) client certificate for %s: %s", user->GetFullHost().c_str(), cert->GetMetaLine().c_str()); sslext.set(user, cert); } @@ -165,20 +165,22 @@ class CommandSSLInfo : public Command user->WriteNumeric(Numerics::NoSuchNick(parameters[0])); return CMD_FAILURE; } + bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); if (operonlyfp && !user->IsOper() && target != user) { - user->WriteNotice("*** You cannot view SSL certificate information for other users"); + user->WriteNotice("*** You cannot view TLS (SSL) client certificate information for other users"); return CMD_FAILURE; } + ssl_cert* cert = sslapi.GetCertificate(target); if (!cert) { - user->WriteNotice("*** No SSL certificate for this user"); + user->WriteNotice("*** No TLS (SSL) client certificate for this user"); } else if (cert->GetError().length()) { - user->WriteNotice("*** No SSL certificate information for this user (" + cert->GetError() + ")."); + user->WriteNotice("*** No TLS (SSL) client certificate information for this user (" + cert->GetError() + ")."); } else { @@ -226,7 +228,7 @@ class ModuleSSLInfo whois.SendLine(RPL_WHOISSECURE, "is using a secure connection"); bool operonlyfp = ServerInstance->Config->ConfValue("sslinfo")->getBool("operonly"); if ((!operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty()) - whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has client certificate fingerprint %s", cert->fingerprint.c_str())); + whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS (SSL) client certificate fingerprint %s", cert->fingerprint.c_str())); } } @@ -320,12 +322,12 @@ class ModuleSSLInfo if (stdalgo::string::equalsci(requiressl, "trusted")) { ok = (cert && cert->IsCAVerified()); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted SSL cert. Client %s one.", (ok ? "has" : "does not have")); + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a trusted TLS (SSL) client certificate. Client %s one.", (ok ? "has" : "does not have")); } else if (myclass->config->getBool("requiressl")) { ok = (cert != NULL); - ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires SSL. Client %s using SSL.", (ok ? "is" : "is not")); + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Class requires a secure connection. Client %s on a secure connection.", (ok ? "is" : "is not")); } if (!ok) diff --git a/src/modules/m_sslmodes.cpp b/src/modules/m_sslmodes.cpp index 27f7a4af1..5c7f1fca1 100644 --- a/src/modules/m_sslmodes.cpp +++ b/src/modules/m_sslmodes.cpp @@ -60,7 +60,7 @@ class SSLMode : public ModeHandler { if (!API) { - source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via SSL"); + source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS (SSL)"); return MODEACTION_DENY; } @@ -75,7 +75,7 @@ class SSLMode : public ModeHandler if (nonssl) { - source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via SSL (%lu/%lu are non-SSL)", + source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (SSL) (%lu/%lu are non-TLS (SSL))", nonssl, static_cast(userlist.size()))); return MODEACTION_DENY; } @@ -167,13 +167,13 @@ class ModuleSSLModes { if (!api) { - user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are an SSL user (+z is set)"); + user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS (SSL) user (+z is set)"); return MOD_RES_DENY; } if (!api->GetCertificate(user)) { - user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; SSL users only (+z is set)"); + user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS (SSL) users only (+z is set)"); return MOD_RES_DENY; } } @@ -243,7 +243,7 @@ class ModuleSSLModes Version GetVersion() CXX11_OVERRIDE { - return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-SSL users.", VF_VENDOR); + return Version("Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS (SSL) users.", VF_VENDOR); } }; diff --git a/src/modules/m_starttls.cpp b/src/modules/m_starttls.cpp index 5280146cc..35e9985e9 100644 --- a/src/modules/m_starttls.cpp +++ b/src/modules/m_starttls.cpp @@ -65,7 +65,7 @@ class CommandStartTLS : public SplitCommand user->WriteNumeric(RPL_STARTTLS, "STARTTLS successful, go ahead with TLS handshake"); /* We need to flush the write buffer prior to adding the IOHook, - * otherwise we'll be sending this line inside the SSL session - which + * otherwise we'll be sending this line inside the TLS (SSL) session - which * won't start its handshake until the client gets this line. Currently, * we assume the write will not block here; this is usually safe, as * STARTTLS is sent very early on in the registration phase, where the -- cgit v1.3.1-10-gc9f91 From 6ce92e8eb0fa1bf253da2c16d3cd9cdede5899a6 Mon Sep 17 00:00:00 2001 From: Matt Schatz Date: Sun, 12 Apr 2020 22:59:22 -0600 Subject: Allow 'tls' to be used in /REHASH. --- src/modules/extra/m_ssl_gnutls.cpp | 2 +- src/modules/extra/m_ssl_mbedtls.cpp | 2 +- src/modules/extra/m_ssl_openssl.cpp | 2 +- src/modules/extra/m_sslrehashsignal.cpp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src/modules') diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 6cafcae22..8cf2c7114 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -1369,7 +1369,7 @@ class ModuleSSLGnuTLS : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (!irc::equals(param, "ssl")) + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp index 628230d29..006d09f15 100644 --- a/src/modules/extra/m_ssl_mbedtls.cpp +++ b/src/modules/extra/m_ssl_mbedtls.cpp @@ -939,7 +939,7 @@ class ModuleSSLmbedTLS : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (!irc::equals(param, "ssl")) + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 30cabdf27..d4a3e24db 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1056,7 +1056,7 @@ class ModuleSSLOpenSSL : public Module void OnModuleRehash(User* user, const std::string ¶m) CXX11_OVERRIDE { - if (!irc::equals(param, "ssl")) + if (!irc::equals(param, "tls") && !irc::equals(param, "ssl")) return; try diff --git a/src/modules/extra/m_sslrehashsignal.cpp b/src/modules/extra/m_sslrehashsignal.cpp index b70deedfa..e5b7fe9a5 100644 --- a/src/modules/extra/m_sslrehashsignal.cpp +++ b/src/modules/extra/m_sslrehashsignal.cpp @@ -49,7 +49,7 @@ class ModuleSSLRehashSignal : public Module ServerInstance->SNO->WriteGlobalSno('a', feedbackmsg); ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, feedbackmsg); - const std::string str = "ssl"; + const std::string str = "tls"; FOREACH_MOD(OnModuleRehash, (NULL, str)); signaled = 0; } -- cgit v1.3.1-10-gc9f91 From 85bd27a84087397c8ac7e4e026f4187888931262 Mon Sep 17 00:00:00 2001 From: Matt Schatz Date: Tue, 14 Apr 2020 04:51:05 -0600 Subject: Minor cleanup and documentation improvements. - Only show a generic failure message to the user upon oper failure due to not having a secure connection or matching cert. fingerprint. - Update the comment about oper:fingerprint as it can be a space separated list of fingerprints and not just one. - Improve a few code comments and formatting. --- docs/conf/opers.conf.example | 6 +++--- src/coremods/core_oper/cmd_oper.cpp | 3 +-- src/modules/m_sslinfo.cpp | 35 ++++++++++++++++++----------------- 3 files changed, 22 insertions(+), 22 deletions(-) (limited to 'src/modules') diff --git a/docs/conf/opers.conf.example b/docs/conf/opers.conf.example index 2c5da870a..d8c266b1f 100644 --- a/docs/conf/opers.conf.example +++ b/docs/conf/opers.conf.example @@ -112,9 +112,9 @@ host="attila@inspircd.org *@2001:db8::/32" # ** ADVANCED ** This option is disabled by default. - # fingerprint: When using the sslinfo module, you may specify - # a key fingerprint here. This can be obtained by using the /SSLINFO - # command while the module is loaded, and is also noticed on connect. + # fingerprint: When using the sslinfo module, you may specify a space separated + # list of TLS (SSL) client certificate fingerprints here. These can be obtained by using + # the /SSLINFO command while the module is loaded, and is also noticed on connect. # This enhances security by verifying that the person opering up has # a matching TLS (SSL) client certificate, which is very difficult to # forge (impossible unless preimage attacks on the hash exist). diff --git a/src/coremods/core_oper/cmd_oper.cpp b/src/coremods/core_oper/cmd_oper.cpp index 391c7f41f..f1da883e8 100644 --- a/src/coremods/core_oper/cmd_oper.cpp +++ b/src/coremods/core_oper/cmd_oper.cpp @@ -53,7 +53,6 @@ CmdResult CommandOper::HandleLocal(LocalUser* user, const Params& parameters) if (match_pass && match_hosts) { - /* found this oper's opertype */ user->Oper(ifo); return CMD_SUCCESS; } @@ -68,7 +67,7 @@ CmdResult CommandOper::HandleLocal(LocalUser* user, const Params& parameters) fields.append("hosts "); fields.erase(fields.length() - 1, 1); - // tell them they suck, and lag them up to help prevent brute-force attacks + // Tell them they failed (generically) and lag them up to help prevent brute-force attacks user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 885ae6f74..477785bea 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -153,7 +153,7 @@ class CommandSSLInfo : public Command : Command(Creator, "SSLINFO", 1) , sslapi(Creator) { - this->syntax = ""; + syntax = ""; } CmdResult Handle(User* user, const Params& parameters) CXX11_OVERRIDE @@ -188,6 +188,7 @@ class CommandSSLInfo : public Command user->WriteNotice("*** Issuer: " + cert->GetIssuer()); user->WriteNotice("*** Key Fingerprint: " + cert->GetFingerprint()); } + return CMD_SUCCESS; } }; @@ -257,18 +258,18 @@ class ModuleSSLInfo if (ifo->oper_block->getBool("sslonly") && !cert) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires an SSL connection."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': secure connection required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': a secure connection is required.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } std::string fingerprint; if (ifo->oper_block->readString("fingerprint", fingerprint) && (!cert || !MatchFP(cert, fingerprint))) { - user->WriteNumeric(ERR_NOOPERHOST, "This oper login requires a matching SSL certificate fingerprint."); + user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials"); user->CommandFloodPenalty += 10000; - ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); + ServerInstance->SNO->WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS (SSL) client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str()); return MOD_RES_DENY; } } @@ -290,21 +291,20 @@ class ModuleSSLInfo ssl_cert* const cert = ssliohook->GetCertificate(); - { - std::string text = "*** You are connected to "; - if (!ssliohook->GetServerName(text)) - text.append(ServerInstance->Config->ServerName); - text.append(" using SSL cipher '"); - ssliohook->GetCiphersuite(text); - text.push_back('\''); - if ((cert) && (!cert->GetFingerprint().empty())) - text.append(" and your SSL certificate fingerprint is ").append(cert->GetFingerprint()); - user->WriteNotice(text); - } + std::string text = "*** You are connected to "; + if (!ssliohook->GetServerName(text)) + text.append(ServerInstance->Config->ServerName); + text.append(" using TLS (SSL) cipher '"); + ssliohook->GetCiphersuite(text); + text.push_back('\''); + if (cert && !cert->GetFingerprint().empty()) + text.append(" and your TLS (SSL) client certificate fingerprint is ").append(cert->GetFingerprint()); + user->WriteNotice(text); if (!cert) return; - // find an auto-oper block for this user + + // Find an auto-oper block for this user for (ServerConfig::OperIndex::const_iterator i = ServerInstance->Config->oper_blocks.begin(); i != ServerInstance->Config->oper_blocks.end(); ++i) { OperInfo* ifo = i->second; @@ -332,6 +332,7 @@ class ModuleSSLInfo if (!ok) return MOD_RES_DENY; + return MOD_RES_PASSTHRU; } -- cgit v1.3.1-10-gc9f91 From 751112d9a980c98591ddd097e6bcf146edb42be3 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Wed, 15 Apr 2020 16:43:07 +0100 Subject: Rename mkversions to mkdescriptions. --- src/modules/m_servprotect.cpp | 2 +- tools/mkdescriptions | 87 +++++++++++++++++++++++++++++++++++++++++++ tools/mkheaders | 1 + tools/mkversions | 87 ------------------------------------------- 4 files changed, 89 insertions(+), 88 deletions(-) create mode 100755 tools/mkdescriptions delete mode 100755 tools/mkversions (limited to 'src/modules') diff --git a/src/modules/m_servprotect.cpp b/src/modules/m_servprotect.cpp index bc8d54f09..30d2253b0 100644 --- a/src/modules/m_servprotect.cpp +++ b/src/modules/m_servprotect.cpp @@ -68,7 +68,7 @@ class ModuleServProtectMode : public Module, public Whois::EventListener, public Version GetVersion() CXX11_OVERRIDE { - return Version("Adds user mode k (servprotect) which protects services pseudoclients from being kicked, being killed, or having their user modes changed.", VF_VENDOR); + return Version("Adds user mode k (servprotect) which protects services pseudoclients from being kicked, being killed, or having their channel prefix modes changed.", VF_VENDOR); } void OnWhois(Whois::Context& whois) CXX11_OVERRIDE diff --git a/tools/mkdescriptions b/tools/mkdescriptions new file mode 100755 index 000000000..ee29f48e9 --- /dev/null +++ b/tools/mkdescriptions @@ -0,0 +1,87 @@ +#!/usr/bin/env perl +# +# InspIRCd -- Internet Relay Chat Daemon +# +# Copyright (C) 2020 Sadie Powell +# +# This file is part of InspIRCd. InspIRCd is free software: you can +# redistribute it and/or modify it under the terms of the GNU General Public +# License as published by the Free Software Foundation, version 2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + + +BEGIN { + require 5.10.0; + unless (-f 'configure') { + print "Error: $0 must be run from the main source directory!\n"; + exit 1; + } +} + +use feature ':5.10'; +use strict; +use warnings FATAL => qw(all); + +use File::Basename qw(basename dirname); +use File::Spec::Functions qw(catdir catfile rel2abs); +use FindBin qw($RealDir); +use HTML::FormatText (); +use HTML::TreeBuilder (); +use Text::Markdown::Hoedown qw(HOEDOWN_HTML_SKIP_HTML markdown); +use Text::Sentence qw(split_sentences); + +use lib dirname $RealDir; +use make::common; +use make::console; + +if (scalar @ARGV < 1) { + print_format "<|GREEN Usage:|> $0 <<|UNDERLINE DOCS-SITE|>>\n", *STDERR; + exit 1; +} + +my %version = get_version(); +my $docdir = rel2abs catdir $ARGV[0], 'docs', $version{MAJOR}, 'modules'; +print_error "unable to find the module directory at $docdir!" unless -d $docdir; + +for my $module (, , ) { + print_error "unable to extract module name from $module!" unless $module =~ /m_(\w+)[.\/]/; + my $docfile = catfile $docdir, "$1.md"; + print_error "unable to find the module documentation at $docfile!" unless -f $docfile; + + open(my $dh, $docfile) or print_error "unable to read from $docfile: $!"; + my $docdata = do { local $/; <$dh> }; + close $dh; + print_error "unable to find the module description in $docfile!" unless $docdata =~ /\#\#\# Description\n\n(?:This module )?([^\n]+)/; + + my $docrendered = markdown ucfirst $1, extensions => HOEDOWN_HTML_SKIP_HTML; + my $docplain = HTML::FormatText->new(leftmargin => 0, rightmargin => ~0)->format(HTML::TreeBuilder->new->parse($docrendered)); + + my $description = (split_sentences $docplain)[0] =~ s/"/\\"/gr; + chomp($description); + + open(my $mih, $module) or print_error "unable to read from $module: $!"; + my @lines; + for my $line (<$mih>) { + chomp $line; + if ($line =~ /(\t+return Version\(")[^"]+(",.+)/) { + push @lines, join '', $1, $description, $2; + } else { + push @lines, $line; + } + } + close $mih; + + open(my $moh, '>', $module) or print_error "unable to write to $module: $!"; + for my $line (@lines) { + say $moh $line; + } + close $moh; +} diff --git a/tools/mkheaders b/tools/mkheaders index ee8142d3b..8367b94a1 100755 --- a/tools/mkheaders +++ b/tools/mkheaders @@ -43,6 +43,7 @@ use make::console; my @ignored_revisions = ( '0b4285abd12323920d92fee51e199edd7527dbec', # adding copyright headers '46a39046196f55b52336e19662bb7bac85b731ac', # adding copyright headers + '4a6fedd9324d87349a806c9c1d0ae6e7d3c1fd38', # mass-updating descriptions '56375392ba94f2552bbeeeab4fd39e1e50295525', # sadie's name change 'bab14f0dd2345c9d7dcbc47c918563709e1ac094', # peavey breaking line endings 'f2acdbc3820f0f4f5ef76a0a64e73d2a320df91f', # peavey fixing line endings diff --git a/tools/mkversions b/tools/mkversions deleted file mode 100755 index ee29f48e9..000000000 --- a/tools/mkversions +++ /dev/null @@ -1,87 +0,0 @@ -#!/usr/bin/env perl -# -# InspIRCd -- Internet Relay Chat Daemon -# -# Copyright (C) 2020 Sadie Powell -# -# This file is part of InspIRCd. InspIRCd is free software: you can -# redistribute it and/or modify it under the terms of the GNU General Public -# License as published by the Free Software Foundation, version 2. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more -# details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - - -BEGIN { - require 5.10.0; - unless (-f 'configure') { - print "Error: $0 must be run from the main source directory!\n"; - exit 1; - } -} - -use feature ':5.10'; -use strict; -use warnings FATAL => qw(all); - -use File::Basename qw(basename dirname); -use File::Spec::Functions qw(catdir catfile rel2abs); -use FindBin qw($RealDir); -use HTML::FormatText (); -use HTML::TreeBuilder (); -use Text::Markdown::Hoedown qw(HOEDOWN_HTML_SKIP_HTML markdown); -use Text::Sentence qw(split_sentences); - -use lib dirname $RealDir; -use make::common; -use make::console; - -if (scalar @ARGV < 1) { - print_format "<|GREEN Usage:|> $0 <<|UNDERLINE DOCS-SITE|>>\n", *STDERR; - exit 1; -} - -my %version = get_version(); -my $docdir = rel2abs catdir $ARGV[0], 'docs', $version{MAJOR}, 'modules'; -print_error "unable to find the module directory at $docdir!" unless -d $docdir; - -for my $module (, , ) { - print_error "unable to extract module name from $module!" unless $module =~ /m_(\w+)[.\/]/; - my $docfile = catfile $docdir, "$1.md"; - print_error "unable to find the module documentation at $docfile!" unless -f $docfile; - - open(my $dh, $docfile) or print_error "unable to read from $docfile: $!"; - my $docdata = do { local $/; <$dh> }; - close $dh; - print_error "unable to find the module description in $docfile!" unless $docdata =~ /\#\#\# Description\n\n(?:This module )?([^\n]+)/; - - my $docrendered = markdown ucfirst $1, extensions => HOEDOWN_HTML_SKIP_HTML; - my $docplain = HTML::FormatText->new(leftmargin => 0, rightmargin => ~0)->format(HTML::TreeBuilder->new->parse($docrendered)); - - my $description = (split_sentences $docplain)[0] =~ s/"/\\"/gr; - chomp($description); - - open(my $mih, $module) or print_error "unable to read from $module: $!"; - my @lines; - for my $line (<$mih>) { - chomp $line; - if ($line =~ /(\t+return Version\(")[^"]+(",.+)/) { - push @lines, join '', $1, $description, $2; - } else { - push @lines, $line; - } - } - close $mih; - - open(my $moh, '>', $module) or print_error "unable to write to $module: $!"; - for my $line (@lines) { - say $moh $line; - } - close $moh; -} -- cgit v1.3.1-10-gc9f91