#define KEY_PASSWD "passwd"
#define KEY_NICKS "nicks"
#define KEY_MASKS "masks"
+#define KEY_SSLFPS "sslfps"
#define KEY_IGNORES "ignores"
#define KEY_OPSERV_LEVEL "opserv_level"
#define KEY_FLAGS "flags"
{ "NSMSG_HANDLEINFO_REGGED", "Registered on: %s" },
{ "NSMSG_HANDLEINFO_LASTSEEN", "Last seen: %s" },
{ "NSMSG_HANDLEINFO_LASTSEEN_NOW", "Last seen: Right now!" },
- { "NSMSG_HANDLEINFO_KARMA", " Karma: %d" },
+ { "NSMSG_HANDLEINFO_KARMA", "Karma: %d" },
{ "NSMSG_HANDLEINFO_VACATION", "On vacation." },
{ "NSMSG_HANDLEINFO_EMAIL_ADDR", "Email address: %s" },
{ "NSMSG_HANDLEINFO_COOKIE_ACTIVATION", "Cookie: There is currently an activation cookie issued for this account" },
{ "NSMSG_HANDLEINFO_LAST_HOST_UNKNOWN", "Last quit hostmask: Unknown" },
{ "NSMSG_HANDLEINFO_NICKS", "Nickname(s): %s" },
{ "NSMSG_HANDLEINFO_MASKS", "Hostmask(s): %s" },
+ { "NSMSG_HANDLEINFO_SSLFPS", "SSL Fingerprints(s): %s" },
{ "NSMSG_HANDLEINFO_IGNORES", "Ignore(s): %s" },
{ "NSMSG_HANDLEINFO_CHANNELS", "Channel(s): %s" },
{ "NSMSG_HANDLEINFO_CURRENT", "Current nickname(s): %s" },
{ "NSMSG_ADDMASK_SUCCESS", "Hostmask %s added." },
{ "NSMSG_ADDIGNORE_ALREADY", "$b%s$b is already an ignored hostmask in your account." },
{ "NSMSG_ADDIGNORE_SUCCESS", "Hostmask %s added." },
+ { "NSMSG_ADDSSLFP_ALREADY", "$b%s$b is already an SSL fingerprint in your account." },
+ { "NSMSG_ADDSSLFP_SUCCESS", "SSL fingerprint %s added." },
{ "NSMSG_DELMASK_NOTLAST", "You may not delete your last hostmask." },
{ "NSMSG_DELMASK_SUCCESS", "Hostmask %s deleted." },
{ "NSMSG_DELMASK_NOT_FOUND", "Unable to find mask to be deleted." },
+ { "NSMSG_DELSSLFP_SUCCESS", "SSL fingerprint %s deleted." },
+ { "NSMSG_DELSSLFP_NOT_FOUND", "Unable to find SSL fingerprint to be deleted." },
{ "NSMSG_OPSERV_LEVEL_BAD", "You may not promote another oper above your level." },
{ "NSMSG_USE_CMD_PASS", "Please use the PASS command to change your password." },
{ "NSMSG_UNKNOWN_NICK", "I know nothing about nick $b%s$b." },
}
static unreg_func_t *unreg_func_list;
+static void **unreg_func_list_extra;
static unsigned int unreg_func_size = 0, unreg_func_used = 0;
void
-reg_unreg_func(unreg_func_t func)
+reg_unreg_func(unreg_func_t func, void *extra)
{
if (unreg_func_used == unreg_func_size) {
if (unreg_func_size) {
unreg_func_size <<= 1;
unreg_func_list = realloc(unreg_func_list, unreg_func_size*sizeof(unreg_func_t));
+ unreg_func_list_extra = realloc(unreg_func_list_extra, unreg_func_size*sizeof(void*));
} else {
unreg_func_size = 8;
unreg_func_list = malloc(unreg_func_size*sizeof(unreg_func_t));
+ unreg_func_list_extra = malloc(unreg_func_size*sizeof(void*));
}
}
- unreg_func_list[unreg_func_used++] = func;
+ unreg_func_list[unreg_func_used] = func;
+ unreg_func_list_extra[unreg_func_used++] = extra;
}
static void
struct handle_info *hi = vhi;
free_string_list(hi->masks);
+ free_string_list(hi->sslfps);
free_string_list(hi->ignores);
assert(!hi->users);
}
#endif
for (n=0; n<unreg_func_used; n++)
- unreg_func_list[n](notify, hi);
+ unreg_func_list[n](notify, hi, unreg_func_list_extra[n]);
while (hi->users) {
if (nickserv_conf.sync_log) {
uNode = GetUserH(hi->users->nick);
return 0;
}
+static int
+valid_user_sslfp(struct userNode *user, struct handle_info *hi)
+{
+ unsigned int ii;
+
+ if (!hi->sslfps->used)
+ return 0;
+ if (!(user->sslfp))
+ return 0;
+
+ /* If any SSL fingerprint matches, allow it. */
+ for (ii=0; ii<hi->sslfps->used; ii++)
+ if (!irccasecmp(user->sslfp, hi->sslfps->list[ii]))
+ return 1;
+
+ /* No valid SSL fingerprint found. */
+ return 0;
+}
+
static int
is_secure_password(const char *handle, const char *pass, struct userNode *user)
{
}
static auth_func_t *auth_func_list;
+static void **auth_func_list_extra;
static unsigned int auth_func_size = 0, auth_func_used = 0;
void
-reg_auth_func(auth_func_t func)
+reg_auth_func(auth_func_t func, void *extra)
{
if (auth_func_used == auth_func_size) {
if (auth_func_size) {
auth_func_size <<= 1;
auth_func_list = realloc(auth_func_list, auth_func_size*sizeof(auth_func_t));
+ auth_func_list_extra = realloc(auth_func_list_extra, auth_func_size*sizeof(void*));
} else {
auth_func_size = 8;
auth_func_list = malloc(auth_func_size*sizeof(auth_func_t));
+ auth_func_list_extra = malloc(auth_func_size*sizeof(void*));
}
}
- auth_func_list[auth_func_used++] = func;
+ auth_func_list[auth_func_used] = func;
+ auth_func_list_extra[auth_func_used++] = extra;
}
static handle_rename_func_t *rf_list;
old_info = user->handle_info;
for (n=0; n<auth_func_used; n++)
- auth_func_list[n](user, old_info);
+ auth_func_list[n](user, old_info, auth_func_list_extra[n]);
}
static void
/* Call auth handlers */
if (GetUserH(user->nick)) {
for (n=0; n<auth_func_used; n++) {
- auth_func_list[n](user, old_info);
+ auth_func_list[n](user, old_info, auth_func_list_extra[n]);
if (user->dead)
return;
}
#endif
hi = register_handle(handle, crypted, 0);
hi->masks = alloc_string_list(1);
+ hi->sslfps = alloc_string_list(1);
hi->ignores = alloc_string_list(1);
hi->users = NULL;
hi->language = lang_C;
reply("NSMSG_HANDLEINFO_MASKS", nsmsg_none);
}
+ if (hi->sslfps->used) {
+ for (i=0; i < hi->sslfps->used; i++) {
+ herelen = strlen(hi->sslfps->list[i]);
+ if (pos + herelen + 1 > ArrayLength(buff)) {
+ i--;
+ goto print_sslfp_buff;
+ }
+ memcpy(buff+pos, hi->sslfps->list[i], herelen);
+ pos += herelen; buff[pos++] = ' ';
+ if (i+1 == hi->sslfps->used) {
+ print_sslfp_buff:
+ buff[pos-1] = 0;
+ reply("NSMSG_HANDLEINFO_SSLFPS", buff);
+ pos = 0;
+ }
+ }
+ } else {
+ reply("NSMSG_HANDLEINFO_SSLFPS", nsmsg_none);
+ }
+
if (hi->ignores->used) {
for (i=0; i < hi->ignores->used; i++) {
herelen = strlen(hi->ignores->list[i]);
* called by nefariouses enhanced AC login-on-connect code
*
*/
-struct handle_info *loc_auth(char *handle, char *password, char *userhost)
+struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *userhost)
{
- int pw_arg, used, maxlogins;
+ int wildmask = 0, auth = 0;
+ int used, maxlogins;
unsigned int ii;
- int wildmask = 0;
struct handle_info *hi;
struct userNode *other;
#ifdef WITH_LDAP
int ldap_result = LDAP_SUCCESS;
char *email = NULL;
#endif
-
+
hi = dict_find(nickserv_handle_dict, handle, NULL);
- pw_arg = 2;
-
+
#ifdef WITH_LDAP
- if(nickserv_conf.ldap_enable) {
+ if (nickserv_conf.ldap_enable) {
ldap_result = ldap_check_auth(handle, password);
- if(ldap_result != LDAP_SUCCESS) {
- return NULL;
+ if (!hi && (ldap_result != LDAP_SUCCESS))
+ return NULL;
+ if (ldap_result == LDAP_SUCCESS) {
+ /* Mark auth as successful */
+ auth++;
+ }
+
+ if (!hi && (ldap_result == LDAP_SUCCESS) && nickserv_conf.ldap_autocreate) {
+ /* user not found, but authed to ldap successfully..
+ * create the account.
+ */
+ char *mask;
+ int rc;
+
+ /* Add a *@* mask */
+ /* TODO if userhost is not null, build mask based on that. */
+ if(nickserv_conf.default_hostmask)
+ mask = "*@*";
+ else
+ return NULL; /* They dont have a *@* mask so they can't loc */
+
+ if(!(hi = nickserv_register(NULL, NULL, handle, password, 0))) {
+ return 0; /* couldn't add the user for some reason */
+ }
+
+ if((rc = ldap_get_user_info(handle, &email) != LDAP_SUCCESS))
+ {
+ if(nickserv_conf.email_required) {
+ return 0;
+ }
+ }
+ if(email) {
+ nickserv_set_email_addr(hi, email);
+ free(email);
+ }
+ if(mask) {
+ char* mask_canonicalized = canonicalize_hostmask(strdup(mask));
+ string_list_append(hi->masks, mask_canonicalized);
+ }
+ if(nickserv_conf.sync_log)
+ SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, "@", handle);
}
}
-#else
- if (!hi) {
- return NULL;
- }
+#endif
- if (!checkpass(password, hi->passwd)) {
+ /* hi should now be a valid handle, if not return NULL */
+ if (!hi)
return NULL;
- }
-#endif
+
#ifdef WITH_LDAP
- /* ldap libs are present but we are not using them... */
- if( !nickserv_conf.ldap_enable ) {
- if (!hi) {
- return NULL;
- }
- if (!checkpass(password, hi->passwd)) {
- return NULL;
- }
+ if (password && *password && !nickserv_conf.ldap_enable) {
+#else
+ if (password && *password) {
+#endif
+ if (checkpass(password, hi->passwd))
+ auth++;
}
- else if( (!hi) && ldap_result == LDAP_SUCCESS && nickserv_conf.ldap_autocreate) {
- /* user not found, but authed to ldap successfully..
- * create the account.
- */
- char *mask;
- int rc;
-
- /* Add a *@* mask */
- /* TODO if userhost is not null, build mask based on that. */
- if(nickserv_conf.default_hostmask)
- mask = "*@*";
- else
- return NULL; /* They dont have a *@* mask so they can't loc */
-
- if(!(hi = nickserv_register(NULL, NULL, handle, password, 0))) {
- return 0; /* couldn't add the user for some reason */
- }
-
- if((rc = ldap_get_user_info(handle, &email) != LDAP_SUCCESS))
- {
- if(nickserv_conf.email_required) {
- return 0;
+
+ if (!auth && sslfp && *sslfp && hi->sslfps->used) {
+ /* If any SSL fingerprint matches, allow it. */
+ for (ii=0; ii<hi->sslfps->used; ii++) {
+ if (!irccasecmp(sslfp, hi->sslfps->list[ii])) {
+ auth++;
+ break;
}
- }
- if(email) {
- nickserv_set_email_addr(hi, email);
- free(email);
- }
- if(mask) {
- char* mask_canonicalized = canonicalize_hostmask(strdup(mask));
- string_list_append(hi->masks, mask_canonicalized);
- }
- if(nickserv_conf.sync_log)
- SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, "@", handle);
+ }
}
-#endif
-
- /* Still no account, so just fail out */
- if (!hi) {
+
+ /* Auth should have succeeded by this point */
+ if (!auth)
return NULL;
- }
/* We don't know the users hostname, or anything because they
* havn't registered yet. So we can only allow LOC if your
ui = malloc(strlen(userhost));
sprintf(uh, "%s@%s", ident, realhost);
sprintf(ui, "%s@%s", ident, ip);
- for (ii=0; ii<hi->masks->used; ii++)
+ for (ii=0; ii<hi->masks->used; ii++)
{
if(match_ircglob(uh, hi->masks->list[ii])
|| match_ircglob(ui, hi->masks->list[ii]))
return 1;
}
#ifdef WITH_LDAP
- if( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) ||
- ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) {
+ if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) ||
+ ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) {
#else
- if (!checkpass(passwd, hi->passwd)) {
+ if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) {
#endif
unsigned int n;
send_message_type(4, user, cmd->parent->bot,
return nickserv_delmask(cmd, user, hi, argv[2], 1);
}
+static int
+nickserv_addsslfp(struct userNode *user, struct handle_info *hi, const char *sslfp)
+{
+ unsigned int i;
+ char *new_sslfp = strdup(sslfp);
+ for (i=0; i<hi->sslfps->used; i++) {
+ if (!irccasecmp(new_sslfp, hi->sslfps->list[i])) {
+ send_message(user, nickserv, "NSMSG_ADDSSLFP_ALREADY", new_sslfp);
+ free(new_sslfp);
+ return 0;
+ }
+ }
+ string_list_append(hi->sslfps, new_sslfp);
+ send_message(user, nickserv, "NSMSG_ADDSSLFP_SUCCESS", new_sslfp);
+ return 1;
+}
+
+static NICKSERV_FUNC(cmd_addsslfp)
+{
+ NICKSERV_MIN_PARMS((user->sslfp ? 1 : 2));
+ if ((argc < 2) && (user->sslfp)) {
+ int res = nickserv_addsslfp(user, user->handle_info, user->sslfp);
+ return res;
+ } else {
+ return nickserv_addsslfp(user, user->handle_info, argv[1]);
+ }
+}
+
+static NICKSERV_FUNC(cmd_oaddsslfp)
+{
+ struct handle_info *hi;
+
+ NICKSERV_MIN_PARMS(3);
+ if (!(hi = get_victim_oper(user, argv[1])))
+ return 0;
+ return nickserv_addsslfp(user, hi, argv[2]);
+}
+
+static int
+nickserv_delsslfp(struct svccmd *cmd, struct userNode *user, struct handle_info *hi, const char *del_sslfp)
+{
+ unsigned int i;
+ for (i=0; i<hi->sslfps->used; i++) {
+ if (!irccasecmp(del_sslfp, hi->sslfps->list[i])) {
+ char *old_sslfp = hi->sslfps->list[i];
+ hi->sslfps->list[i] = hi->sslfps->list[--hi->sslfps->used];
+ reply("NSMSG_DELSSLFP_SUCCESS", old_sslfp);
+ free(old_sslfp);
+ return 1;
+ }
+ }
+ reply("NSMSG_DELSSLFP_NOT_FOUND");
+ return 0;
+}
+
+static NICKSERV_FUNC(cmd_delsslfp)
+{
+ NICKSERV_MIN_PARMS((user->sslfp ? 1 : 2));
+ if ((argc < 2) && (user->sslfp)) {
+ return nickserv_delsslfp(cmd, user, user->handle_info, user->sslfp);
+ } else {
+ return nickserv_delsslfp(cmd, user, user->handle_info, argv[1]);
+ }
+}
+
+static NICKSERV_FUNC(cmd_odelsslfp)
+{
+ struct handle_info *hi;
+ NICKSERV_MIN_PARMS(3);
+ if (!(hi = get_victim_oper(user, argv[1])))
+ return 0;
+ return nickserv_delsslfp(cmd, user, hi, argv[2]);
+}
+
int
nickserv_modify_handle_flags(struct userNode *user, struct userNode *bot, const char *str, unsigned long *padded, unsigned long *premoved) {
unsigned int nn, add = 1, pos;
saxdb_write_sint(ctx, KEY_KARMA, hi->karma);
if (hi->masks->used)
saxdb_write_string_list(ctx, KEY_MASKS, hi->masks);
+ if (hi->sslfps->used)
+ saxdb_write_string_list(ctx, KEY_SSLFPS, hi->sslfps);
if (hi->ignores->used)
saxdb_write_string_list(ctx, KEY_IGNORES, hi->ignores);
if (hi->maxlogins)
nickserv_db_read_handle(char *handle, dict_t obj)
{
const char *str;
- struct string_list *masks, *slist, *ignores;
+ struct string_list *masks, *sslfps, *slist, *ignores;
struct handle_info *hi;
struct userNode *authed_users;
struct userData *channel_list;
hi->channels = channel_list;
masks = database_get_data(obj, KEY_MASKS, RECDB_STRING_LIST);
hi->masks = masks ? string_list_copy(masks) : alloc_string_list(1);
+ sslfps = database_get_data(obj, KEY_SSLFPS, RECDB_STRING_LIST);
+ hi->sslfps = sslfps ? string_list_copy(sslfps) : alloc_string_list(1);
ignores = database_get_data(obj, KEY_IGNORES, RECDB_STRING_LIST);
hi->ignores = ignores ? string_list_copy(ignores) : alloc_string_list(1);
str = database_get_data(obj, KEY_MAXLOGINS, RECDB_QSTRING);
}
static void
-nickserv_db_cleanup(void)
+nickserv_db_cleanup(UNUSED_ARG(void* extra))
{
unreg_del_user_func(nickserv_remove_user, NULL);
userList_clean(&curr_helpers);
dict_delete(nickserv_id_dict);
dict_delete(nickserv_conf.weak_password_dict);
free(auth_func_list);
+ free(auth_func_list_extra);
free(unreg_func_list);
+ free(unreg_func_list_extra);
free(rf_list);
free(rf_list_extra);
free(allowauth_func_list);
regfree(&nickserv_conf.valid_nick_regex);
}
-void handle_loc_auth_oper(struct userNode *user, UNUSED_ARG(struct handle_info *old_handle)) {
+void handle_loc_auth_oper(struct userNode *user, UNUSED_ARG(struct handle_info *old_handle), UNUSED_ARG(void *extra)) {
if (!*nickserv_conf.auto_oper || !user->handle_info)
return;
reg_nick_change_func(handle_nick_change, NULL);
reg_del_user_func(nickserv_remove_user, NULL);
reg_account_func(handle_account);
- reg_auth_func(handle_loc_auth_oper);
+ reg_auth_func(handle_loc_auth_oper, NULL);
/* set up handle_inverse_flags */
memset(handle_inverse_flags, 0, sizeof(handle_inverse_flags));
nickserv_define_func("OADDMASK", cmd_oaddmask, 0, 1, 0);
nickserv_define_func("DELMASK", cmd_delmask, -1, 1, 0);
nickserv_define_func("ODELMASK", cmd_odelmask, 0, 1, 0);
+ nickserv_define_func("ADDSSLFP", cmd_addsslfp, -1, 1, 0);
+ nickserv_define_func("OADDSSLFP", cmd_oaddsslfp, 0, 1, 0);
+ nickserv_define_func("DELSSLFP", cmd_delsslfp, -1, 1, 0);
+ nickserv_define_func("ODELSSLFP", cmd_odelsslfp, 0, 1, 0);
nickserv_define_func("PASS", cmd_pass, -1, 1, 0);
nickserv_define_func("SET", cmd_set, -1, 1, 0);
nickserv_define_func("OSET", cmd_oset, 0, 1, 0);
nickserv_service = service_register(nickserv);
}
saxdb_register("NickServ", nickserv_saxdb_read, nickserv_saxdb_write);
- reg_exit_func(nickserv_db_cleanup);
+ reg_exit_func(nickserv_db_cleanup, NULL);
if(nickserv_conf.handle_expire_frequency)
timeq_add(now + nickserv_conf.handle_expire_frequency, expire_handles, NULL);