Add general::tls_ciphers_oper_only

2020-07-05 21:05:18 +01:00 · 2020-07-05 21:05:18 +01:00 · fff4f76353
parent f598ba3857
commit fff4f76353
7 changed files with 15 additions and 1 deletions
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@ -625,6 +625,7 @@ general {
 	away_interval = 30;
 	certfp_method = spki_sha256;
 	hide_opers_in_whois = no;
+	tls_ciphers_oper_only = no;
 };

 modules {
--- a/doc/reference.conf
+++ b/doc/reference.conf
@ -1436,6 +1436,9 @@ general {

 	/* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
 	hide_opers_in_whois = no;
+
+	/* tls_ciphers_oper_only: show the TLS cipher string in /WHOIS only to opers and self */
+	tls_ciphers_oper_only = no;
 };

 modules {
--- a/include/s_conf.h
+++ b/include/s_conf.h
@ -232,6 +232,7 @@ struct config_file_entry
 	int use_propagated_bans;
 	int max_ratelimit_tokens;
 	int away_interval;
+	int tls_ciphers_oper_only;

 	int client_flood_max_lines;
 	int client_flood_burst_rate;
--- a/ircd/newconf.c
+++ b/ircd/newconf.c
@ -2802,6 +2802,7 @@ static struct ConfEntry conf_general_table[] =
 	{ "hide_opers",		CF_YESNO, NULL, 0, &ConfigFileEntry.hide_opers		},
 	{ "certfp_method",	CF_STRING, conf_set_general_certfp_method, 0, NULL },
 	{ "drain_reason",	CF_QSTRING, NULL, BUFSIZE, &ConfigFileEntry.drain_reason	},
+	{ "tls_ciphers_oper_only",	CF_YESNO, NULL, 0, &ConfigFileEntry.tls_ciphers_oper_only	},
 	{ "\0", 		0, 	  NULL, 0, NULL }
 };

--- a/ircd/s_conf.c
+++ b/ircd/s_conf.c
@ -772,6 +772,7 @@ set_default_conf(void)
 	ConfigFileEntry.use_propagated_bans = true;
 	ConfigFileEntry.max_ratelimit_tokens = 30;
 	ConfigFileEntry.away_interval = 30;
+	ConfigFileEntry.tls_ciphers_oper_only = false;

 #ifdef HAVE_LIBZ
 	ConfigFileEntry.compression_level = 4;
--- a/modules/m_info.c
+++ b/modules/m_info.c
@ -524,6 +524,12 @@ static struct InfoStruct info_table[] = {
 		&ConfigFileEntry.away_interval,
 		"The minimum time between aways",
 	},
+	{
+		"tls_ciphers_oper_only",
+		OUTPUT_BOOLEAN_YN,
+		&ConfigFileEntry.tls_ciphers_oper_only,
+		"TLS cipher strings are hidden in whois for non-opers",
+	},
 	{
 		"default_split_server_count",
 		OUTPUT_DECIMAL,
--- a/modules/m_whois.c
+++ b/modules/m_whois.c
@ -334,7 +334,8 @@ single_whois(struct Client *source_p, struct Client *target_p, int operspy)
 	{
 		char cbuf[256] = "is using a secure connection";

-		if (MyClient(target_p) && target_p->localClient->cipher_string != NULL)
+		if (MyClient(target_p) && target_p->localClient->cipher_string != NULL &&
+				(!ConfigFileEntry.tls_ciphers_oper_only || source_p == target_p || IsOper(source_p)))
 			rb_snprintf_append(cbuf, sizeof(cbuf), " [%s]", target_p->localClient->cipher_string);

 		sendto_one_numeric(source_p, RPL_WHOISSECURE, form_str(RPL_WHOISSECURE),