* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
*/
+#include "base64.h"
#include "chanserv.h"
#include "conf.h"
#include "config.h"
{ "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." },
{ "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" },
{ "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." },
- { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" },
+ { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" },
{ "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." },
{ "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." },
{ "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." },
{ "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" },
{ "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" },
{ "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" },
+ { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " },
{ "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" },
{ "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " },
{ "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" },
if (data)
style = atoi(data);
- if (style == 1)
+ if ((style == 1) || (style == 3))
snprintf(buffer, sizeof(buffer), "%s.%s", handle->handle, hidden_host_suffix);
else if (style == 2) {
/* Due to the way fakehost is coded theres no way i can
{
struct handle_info *hi;
struct nick_info *ni;
- char crypted[MD5_CRYPT_LENGTH];
+ char crypted[MD5_CRYPT_LENGTH] = "";
if ((hi = dict_find(nickserv_handle_dict, handle, NULL))) {
if(user)
return 0;
}
- if (!is_secure_password(handle, passwd, user))
- return 0;
+ if (passwd)
+ {
+ if (!is_secure_password(handle, passwd, user))
+ return 0;
- cryptpass(passwd, crypted);
+ cryptpass(passwd, crypted);
+ }
#ifdef WITH_LDAP
if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) {
int rc;
- rc = ldap_do_add(handle, (no_auth ? NULL : crypted), NULL);
+ rc = ldap_do_add(handle, (no_auth || !passwd ? NULL : crypted), NULL);
if(LDAP_SUCCESS != rc && LDAP_ALREADY_EXISTS != rc ) {
if(user)
send_message(user, nickserv, "NSMSG_LDAP_FAIL", ldap_err2string(rc));
char* mask = NULL;
char* nick = NULL;
- NICKSERV_MIN_PARMS(2);
+ NICKSERV_MIN_PARMS(3);
account = argv[1];
pass = argv[2];
reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none);
}
+ if (hi->opserv_level > 0) {
+ reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level);
+ }
+
if (HANDLE_FLAGGED(hi, SUPPORT_HELPER)
|| HANDLE_FLAGGED(hi, NETWORK_HELPER)
|| (hi->opserv_level > 0)) {
failpw_func_list_extra[failpw_func_used++] = extra;
}
+/*
+ * Return hi for the first handle that has a matching SSL fingerprint.
+ */
+struct handle_info *find_handleinfo_by_sslfp(char *sslfp)
+{
+ dict_iterator_t it;
+ struct handle_info *hi;
+ unsigned int ii = 0;;
+
+ for (it = dict_first(nickserv_handle_dict); it; it = iter_next(it)) {
+ hi = iter_data(it);
+ for (ii=0; ii<hi->sslfps->used; ii++) {
+ if (!irccasecmp(sslfp, hi->sslfps->list[ii])) {
+ return hi;
+ }
+ }
+ }
+
+ return NULL;
+}
+
/*
* Return hi if the handle/pass pair matches, NULL if it doesnt.
*
int wildmask = 0, auth = 0;
int used, maxlogins;
unsigned int ii;
- struct handle_info *hi;
+ struct handle_info *hi = NULL;
struct userNode *other;
#ifdef WITH_LDAP
int ldap_result = LDAP_SUCCESS;
char *email = NULL;
#endif
- hi = dict_find(nickserv_handle_dict, handle, NULL);
+ if (handle != NULL)
+ hi = dict_find(nickserv_handle_dict, handle, NULL);
+ if (!hi && (sslfp != NULL)) {
+ hi = find_handleinfo_by_sslfp(sslfp);
+ if (!handle && (hi != NULL))
+ handle = hi->handle;
+ }
+ /* Ensure handle is valid if not found in internal DB */
+ if (!hi && !is_valid_handle(handle))
+ return 0;
+
#ifdef WITH_LDAP
- if (nickserv_conf.ldap_enable) {
+ if (nickserv_conf.ldap_enable && (password != NULL)) {
ldap_result = ldap_check_auth(handle, password);
if (!hi && (ldap_result != LDAP_SUCCESS))
return NULL;
*/
if(userhost) {
char *buf;
- char *ident;
- char *realhost;
- char *ip;
+ char *ident = NULL;
+ char *realhost = NULL;
+ char *ip = NULL;
char *uh;
char *ui;
+ char *c;
+ int bracket = 0;
buf = strdup(userhost);
- ident = mysep(&buf, "@");
- realhost = mysep(&buf, ":");
- ip = mysep(&buf, ":");
+
+ ident = buf;
+ for (c = buf; *c; c++) {
+ if ((realhost == NULL) && (*c == '@')) {
+ *c++ = '\0';
+ if (*c == '[') {
+ bracket = 1;
+ *c++ = '\0';
+ }
+ realhost = c;
+ } else if (bracket && (ip == NULL) && (*c == ']')) {
+ bracket = 0;
+ *c = '\0';
+ } else if (!bracket && (ip == NULL) && (*c == ':')) {
+ *c++ = '\0';
+ ip = c;
+ break;
+ }
+ }
+
+ log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip);
+
if(!ip || !realhost || !ident) {
free(buf);
return NULL; /* Invalid AC request, just quit */
static NICKSERV_FUNC(cmd_auth)
{
int pw_arg, used, maxlogins;
+ int sslfpauth = 0;
struct handle_info *hi;
const char *passwd;
const char *handle;
}
#ifdef WITH_LDAP
- if(strchr(argv[1], '<') || strchr(handle, '>')) {
+ if(strchr(handle, '<') || strchr(handle, '>')) {
reply("NSMSG_NO_ANGLEBRACKETS");
return 0;
}
* create the account.
*/
char *mask;
- if(!(hi = nickserv_register(user, user, argv[1], argv[2], 0))) {
+ if(!(hi = nickserv_register(user, user, handle, passwd, 0))) {
reply("NSMSG_UNABLE_TO_ADD");
return 0; /* couldn't add the user for some reason */
}
argv[pw_arg] = "BADMASK";
return 1;
}
+
+ if (valid_user_sslfp(user, hi))
+ sslfpauth = 1;
+
#ifdef WITH_LDAP
if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) ||
- ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) {
+ ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) {
#else
- if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) {
+ if (!checkpass(passwd, hi->passwd) && !sslfpauth) {
#endif
unsigned int n;
send_message_type(4, user, cmd->parent->bot,
set_user_handle_info(user, hi, 1);
if (nickserv_conf.email_required && !hi->email_addr)
reply("NSMSG_PLEASE_SET_EMAIL");
- if (!is_secure_password(hi->handle, passwd, NULL))
+ if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL))
reply("NSMSG_WEAK_PASSWORD");
- if (hi->passwd[0] != '$')
+ if (!sslfpauth && (hi->passwd[0] != '$'))
cryptpass(passwd, hi->passwd);
/* If a channel was waiting for this user to auth,
if (hi->maxlogins)
saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins);
if (hi->nicks) {
- struct string_list *slist;
struct nick_info *ni;
- slist = alloc_string_list(nickserv_conf.nicks_per_handle);
- for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick);
- saxdb_write_string_list(ctx, KEY_NICKS, slist);
- free(slist->list);
- free(slist);
-
saxdb_start_record(ctx, KEY_NICKS_EX, 0);
for (ni = hi->nicks; ni; ni = ni->next) {
saxdb_start_record(ctx, ni->nick, 0);
if(nickserv_conf.ldap_enable > 0) {
/* ldap is enabled but not compiled in - error out */
log_module(MAIN_LOG, LOG_ERROR, "ldap is enabled in config, but not compiled in!");
- nickserv_conf.ldap_enable = 0;
- sleep(5);
+ exit(2);
+ /* nickserv_conf.ldap_enable = 0; */
+ /* sleep(5); */
}
#endif
assert(user);
assert(ni);
+
+ if (IsLocal(user))
+ return;
+
switch (action) {
case RECLAIM_NONE:
/* do nothing */
check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) {
struct nick_info *ni;
user->modes &= ~FLAGS_REGNICK;
+
if (!(ni = get_nick_info(user->nick)))
return 0;
if (user->handle_info == ni->owner) {
return 0;
}
+static int
+new_user_event(struct userNode *user, void *extra) {
+ /* If the user's server is not bursting,
+ * the user is authed, the account has autohide set
+ * and the user doesn't have user mode +x then apply
+ * the autohide setting.
+ */
+ if (!user->uplink->burst && user->handle_info &&
+ HANDLE_FLAGGED(user->handle_info, AUTOHIDE) &&
+ !IsHiddenHost(user))
+ irc_umode(user, "+x");
+
+ return check_user_nick(user, extra);
+}
+
void
handle_account(struct userNode *user, const char *stamp)
{
log_module(MAIN_LOG, LOG_WARNING, "Using non-P10 code in accounts, not tested at all!");
#endif
+#ifdef WITH_LDAP
+ if(!hi && nickserv_conf.ldap_enable && nickserv_conf.ldap_autocreate &&
+ (ldap_user_exists(stamp) == LDAP_SUCCESS)) {
+ int rc = 0;
+ int cont = 1;
+ char *email = NULL;
+ char *mask;
+
+ /* First attempt to get the email address from LDAP */
+ if((rc = ldap_get_user_info(stamp, &email) != LDAP_SUCCESS))
+ if(nickserv_conf.email_required)
+ cont = 0;
+
+ /* Now try to register the handle */
+ if (cont && (hi = nickserv_register(user, user, stamp, NULL, 1))) {
+ if(nickserv_conf.default_hostmask)
+ mask = "*@*";
+ else
+ mask = generate_hostmask(user, GENMASK_OMITNICK|GENMASK_NO_HIDING|GENMASK_ANY_IDENT);
+
+ if(mask) {
+ char* mask_canonicalized = canonicalize_hostmask(strdup(mask));
+ string_list_append(hi->masks, mask_canonicalized);
+ }
+
+ if(email) {
+ nickserv_set_email_addr(hi, email);
+ free(email);
+ }
+ }
+ }
+#endif
+
if (hi) {
if (HANDLE_FLAGGED(hi, SUSPENDED)) {
return;
}
}
+#define SDFLAG_STALE 0x01 /**< SASL session data is stale, delete on next pass. */
+
+struct SASLSession
+{
+ struct SASLSession *next;
+ struct SASLSession *prev;
+ struct server* source;
+ char *buf, *p;
+ int buflen;
+ char uid[128];
+ char mech[10];
+ char *sslclifp;
+ char *hostmask;
+ int flags;
+};
+
+struct SASLSession *saslsessions = NULL;
+
+void
+sasl_delete_session(struct SASLSession *session)
+{
+ if (!session)
+ return;
+
+ if (session->buf)
+ free(session->buf);
+ session->buf = NULL;
+
+ if (session->sslclifp)
+ free(session->sslclifp);
+ session->sslclifp = NULL;
+
+ if (session->hostmask)
+ free(session->hostmask);
+ session->hostmask = NULL;
+
+ if (session->next)
+ session->next->prev = session->prev;
+ if (session->prev)
+ session->prev->next = session->next;
+ else
+ saslsessions = session->next;
+
+ free(session);
+}
+
+void
+sasl_delete_stale(UNUSED_ARG(void *data))
+{
+ int delcount = 0;
+ int remcount = 0;
+ struct SASLSession *sess = NULL;
+ struct SASLSession *nextsess = NULL;
+
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Checking for stale sessions");
+
+ for (sess = saslsessions; sess; sess = nextsess)
+ {
+ nextsess = sess->next;
+
+ if (sess->flags & SDFLAG_STALE)
+ {
+ delcount++;
+ sasl_delete_session(sess);
+ }
+ else
+ {
+ remcount++;
+ sess->flags |= SDFLAG_STALE;
+ }
+ }
+
+ if (delcount)
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Deleted %d stale sessions, %d remaining", delcount, remcount);
+ if (remcount)
+ timeq_add(now + 30, sasl_delete_stale, NULL);
+}
+
+struct SASLSession*
+sasl_get_session(const char *uid)
+{
+ struct SASLSession *sess;
+
+ for (sess = saslsessions; sess; sess = sess->next)
+ {
+ if (!strncmp(sess->uid, uid, 128))
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Found session for %s", sess->uid);
+ return sess;
+ }
+ }
+
+ sess = malloc(sizeof(struct SASLSession));
+ memset(sess, 0, sizeof(struct SASLSession));
+
+ strncpy(sess->uid, uid, 128);
+
+ if (!saslsessions)
+ timeq_add(now + 30, sasl_delete_stale, NULL);
+
+ if (saslsessions)
+ saslsessions->prev = sess;
+ sess->next = saslsessions;
+ saslsessions = sess;
+
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Created session for %s", sess->uid);
+ return sess;
+}
+
+void
+sasl_packet(struct SASLSession *session)
+{
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Got packet containing: %s", session->buf);
+
+ if (!session->mech[0])
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: No mechanism stored yet, using %s", session->buf);
+ if (strcmp(session->buf, "PLAIN") && (strcmp(session->buf, "EXTERNAL") || !session->sslclifp)) {
+ if (!session->sslclifp)
+ irc_sasl(session->source, session->uid, "M", "PLAIN");
+ else
+ irc_sasl(session->source, session->uid, "M", "PLAIN,EXTERNAL");
+ irc_sasl(session->source, session->uid, "D", "F");
+ sasl_delete_session(session);
+ return;
+ }
+
+ strncpy(session->mech, session->buf, 10);
+ irc_sasl(session->source, session->uid, "C", "+");
+ }
+ else if (!strcmp(session->mech, "EXTERNAL"))
+ {
+ char *raw = NULL;
+ size_t rawlen = 0;
+ char *authzid = NULL;
+ struct handle_info *hi = NULL;
+ static char buffer[256];
+
+ base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen);
+
+ if (rawlen != 0)
+ authzid = raw;
+
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials");
+
+ if (!session->sslclifp) {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ } else {
+ if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask)))
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
+ else
+ {
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered);
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied");
+ irc_sasl(session->source, session->uid, "L", buffer);
+ irc_sasl(session->source, session->uid, "D", "S");
+ }
+ }
+
+ sasl_delete_session(session);
+
+ free(raw);
+ return;
+ }
+ else
+ {
+ char *raw = NULL;
+ size_t rawlen = 0;
+ char *authzid = NULL;
+ char *authcid = NULL;
+ char *passwd = NULL;
+ char *r = NULL;
+ unsigned int i = 0, c = 0;
+ struct handle_info *hi = NULL;
+ struct handle_info *hii = NULL;
+ static char buffer[256];
+
+ base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen);
+
+ raw = (char *)realloc(raw, rawlen+1);
+ raw[rawlen] = '\0';
+
+ authzid = raw;
+ r = raw;
+ for (i=0; i<rawlen; i++)
+ {
+ if (!*r++)
+ {
+ if (c++)
+ passwd = r;
+ else
+ authcid = r;
+ }
+ }
+
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials");
+
+ if ((c != 2) || !(*authcid))
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
+ else
+ {
+ if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask)))
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
+ else
+ {
+ if (*authzid && irccasecmp(authzid, authcid))
+ {
+ if (HANDLE_FLAGGED(hi, IMPERSONATE))
+ {
+ hii = hi;
+ hi = get_handle_info(authzid);
+ }
+ else
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized");
+ hi = NULL;
+ }
+ }
+ if (hi)
+ {
+ if (hii)
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle);
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered);
+ irc_sasl(session->source, session->uid, "I", buffer);
+ }
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied");
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered);
+ irc_sasl(session->source, session->uid, "L", buffer);
+ irc_sasl(session->source, session->uid, "D", "S");
+ }
+ else
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
+ }
+ }
+
+ sasl_delete_session(session);
+
+ free(raw);
+ return;
+ }
+
+ /* clear stale state */
+ session->flags &= ~SDFLAG_STALE;
+}
+
+void
+handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, const char *data, const char *ext, UNUSED_ARG(void *extra))
+{
+ struct SASLSession* sess = sasl_get_session(uid);
+ int len = strlen(data);
+
+ sess->source = source;
+
+ if (!strcmp(subcmd, "D"))
+ {
+ sasl_delete_session(sess);
+ return;
+ }
+
+ if (!strcmp(subcmd, "H")) {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data);
+ sess->hostmask = strdup(data);
+ return ;
+ }
+
+ if (strcmp(subcmd, "S") && strcmp(subcmd, "C"))
+ return;
+
+ if (len == 0)
+ return;
+
+ if (sess->p == NULL)
+ {
+ sess->buf = (char *)malloc(len + 1);
+ sess->p = sess->buf;
+ sess->buflen = len;
+ }
+ else
+ {
+ if (sess->buflen + len + 1 > 8192) /* This is a little much... */
+ {
+ irc_sasl(source, uid, "D", "F");
+ sasl_delete_session(sess);
+ return;
+ }
+
+ sess->buf = (char *)realloc(sess->buf, sess->buflen + len + 1);
+ sess->p = sess->buf + sess->buflen;
+ sess->buflen += len;
+ }
+
+ memcpy(sess->p, data, len);
+ sess->buf[len] = '\0';
+
+ if (ext != NULL)
+ sess->sslclifp = strdup(ext);
+
+ /* Messages not exactly 400 bytes are the end of a packet. */
+ if(len < 400)
+ {
+ sasl_packet(sess);
+ sess->buflen = 0;
+ if (sess->buf != NULL)
+ free(sess->buf);
+ sess->buf = sess->p = NULL;
+ }
+}
+
static void
nickserv_db_cleanup(UNUSED_ARG(void* extra))
{
unreg_del_user_func(nickserv_remove_user, NULL);
+ unreg_sasl_input_func(handle_sasl_input, NULL);
userList_clean(&curr_helpers);
policer_params_delete(nickserv_conf.auth_policer_params);
dict_delete(nickserv_handle_dict);
struct chanNode *chan;
unsigned int i;
NS_LOG = log_register_type("NickServ", "file:nickserv.log");
- reg_new_user_func(check_user_nick, NULL);
+ reg_new_user_func(new_user_event, NULL);
reg_nick_change_func(handle_nick_change, NULL);
reg_del_user_func(nickserv_remove_user, NULL);
reg_account_func(handle_account);
reg_auth_func(handle_loc_auth_oper, NULL);
+ reg_sasl_input_func(handle_sasl_input, NULL);
/* set up handle_inverse_flags */
memset(handle_inverse_flags, 0, sizeof(handle_inverse_flags));
for (i=0; handle_flags[i]; i++) {
handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1;
flag_access_levels[i] = 0;
+ /* ensure flag I requires a minimum of 999 if not set in the config */
+ if ((unsigned char)handle_flags[i] == 'I')
+ flag_access_levels[i] = 999;
}
conf_register_reload(nickserv_conf_read);
AddChannelUser(nickserv, chan)->modes |= MODE_CHANOP;
}
}
+
#ifdef WITH_LDAP
ldap_do_init(nickserv_conf);
#endif
projects / irc / evilnet / x3.git / blobdiff