From 1cf798beb1b901e5ccb23b94a67bc8dbb3274a6d Mon Sep 17 00:00:00 2001
From: Ed Kellett <e@kellett.im>
Date: Wed, 28 Oct 2020 20:55:35 +0000
Subject: [PATCH] Add secure{} blocks

---
 include/s_conf.h |  1 +
 ircd/hostmask.c  |  4 ++--
 ircd/listener.c  |  8 ++++++++
 ircd/newconf.c   | 22 ++++++++++++++++++++++
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/include/s_conf.h b/include/s_conf.h
index c804dd40..be3a254d 100644
--- a/include/s_conf.h
+++ b/include/s_conf.h
@@ -84,6 +84,7 @@ struct ConfItem
 
 #define CONF_DLINE		0x020000
 #define CONF_EXEMPTDLINE	0x100000
+#define CONF_SECURE		0x200000
 
 #define IsIllegal(x)    ((x)->status & CONF_ILLEGAL)
 
diff --git a/ircd/hostmask.c b/ircd/hostmask.c
index cfbab79c..67d26b51 100644
--- a/ircd/hostmask.c
+++ b/ircd/hostmask.c
@@ -646,7 +646,7 @@ clear_out_address_conf(void)
 			/* We keep the temporary K-lines and destroy the
 			 * permanent ones, just to be confusing :) -A1kmm */
 			if(arec->aconf->flags & CONF_FLAGS_TEMPORARY ||
-			   (arec->type != CONF_CLIENT && arec->type != CONF_EXEMPTDLINE))
+			   (arec->type != CONF_CLIENT && arec->type != CONF_EXEMPTDLINE && arec->type != CONF_SECURE))
 			{
 				*store_next = arec;
 				store_next = &arec->next;
@@ -679,7 +679,7 @@ clear_out_address_conf_bans(void)
 			/* We keep the temporary K-lines and destroy the
 			 * permanent ones, just to be confusing :) -A1kmm */
 			if(arec->aconf->flags & CONF_FLAGS_TEMPORARY ||
-			   (arec->type == CONF_CLIENT || arec->type == CONF_EXEMPTDLINE))
+			   (arec->type == CONF_CLIENT || arec->type == CONF_EXEMPTDLINE || arec->type == CONF_SECURE))
 			{
 				*store_next = arec;
 				store_next = &arec->next;
diff --git a/ircd/listener.c b/ircd/listener.c
index 2cd2e8a2..f7466295 100644
--- a/ircd/listener.c
+++ b/ircd/listener.c
@@ -541,6 +541,14 @@ add_connection(struct Listener *listener, rb_fde_t *F, struct sockaddr *sai, str
 		SetSSL(new_client);
 		SetSecure(new_client);
 	}
+	else
+	{
+		struct ConfItem *aconf;
+		aconf = find_conf_by_address(NULL, NULL, NULL, sai, CONF_SECURE | 1, sai->sa_family, NULL, NULL);
+
+		if (aconf != NULL)
+			SetSecure(new_client);
+	}
 
 	if (listener->wsock)
 	{
diff --git a/ircd/newconf.c b/ircd/newconf.c
index 5b03cd38..3dc3ef6c 100644
--- a/ircd/newconf.c
+++ b/ircd/newconf.c
@@ -1536,6 +1536,25 @@ conf_set_exempt_ip(void *data)
 	add_conf_by_address(yy_tmp->host, CONF_EXEMPTDLINE, NULL, NULL, yy_tmp);
 }
 
+static void
+conf_set_secure_ip(void *data)
+{
+	struct ConfItem *yy_tmp;
+	int masktype = parse_netmask_strict(data, NULL, NULL);
+
+	if(masktype != HM_IPV4 && masktype != HM_IPV6)
+	{
+		conf_report_error("Ignoring secure -- invalid secure::ip.");
+		return;
+	}
+
+	yy_tmp = make_conf();
+	yy_tmp->passwd = rb_strdup("*");
+	yy_tmp->host = rb_strdup(data);
+	yy_tmp->status = CONF_SECURE;
+	add_conf_by_address(yy_tmp->host, CONF_SECURE, NULL, NULL, yy_tmp);
+}
+
 static int
 conf_cleanup_cluster(struct TopConf *tc)
 {
@@ -2894,6 +2913,9 @@ newconf_init()
 	add_top_conf("exempt", NULL, NULL, NULL);
 	add_conf_item("exempt", "ip", CF_QSTRING, conf_set_exempt_ip);
 
+	add_top_conf("secure", NULL, NULL, NULL);
+	add_conf_item("secure", "ip", CF_QSTRING, conf_set_secure_ip);
+
 	add_top_conf("cluster", conf_cleanup_cluster, conf_cleanup_cluster, NULL);
 	add_conf_item("cluster", "name", CF_QSTRING, conf_set_cluster_name);
 	add_conf_item("cluster", "flags", CF_STRING | CF_FLIST, conf_set_cluster_flags);