Fix for SASL vulnerability

[irc/evilnet/x3.git] / src / nickserv.c

diff --git a/src/nickserv.c b/src/nickserv.c
index cbbaea2ef571ec4fe17a1ccd6e24dc84c09146e3..ee3ebdcf5233d6fc63f9abfc9a6c6331aaf43475 100644 (file)
--- a/src/nickserv.c
+++ b/src/nickserv.c
@@ -254,6 +254,7 @@ static const struct message_entry msgtab[] = {
     { "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" },
     { "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" },
     { "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" },
+    { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " },
     { "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" },
     { "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " },
     { "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" },
@@ -1795,6 +1796,10 @@ static NICKSERV_FUNC(cmd_handleinfo)
        reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none);
     }
 
+    if (hi->opserv_level > 0) {
+        reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level);
+    }
+
     if (HANDLE_FLAGGED(hi, SUPPORT_HELPER)
         || HANDLE_FLAGGED(hi, NETWORK_HELPER)
         || (hi->opserv_level > 0)) {
@@ -2288,6 +2293,7 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us
 static NICKSERV_FUNC(cmd_auth)
 {
     int pw_arg, used, maxlogins;
+    int sslfpauth = 0;
     struct handle_info *hi;
     const char *passwd;
     const char *handle;
@@ -2419,11 +2425,15 @@ static NICKSERV_FUNC(cmd_auth)
         argv[pw_arg] = "BADMASK";
         return 1;
     }
+
+    if (valid_user_sslfp(user, hi))
+        sslfpauth = 1;
+
 #ifdef WITH_LDAP
     if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS )  ||
-        ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) {
+        ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) {
 #else
-    if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) {
+    if (!checkpass(passwd, hi->passwd) && !sslfpauth) {
 #endif
         unsigned int n;
         send_message_type(4, user, cmd->parent->bot,
@@ -2467,9 +2477,9 @@ static NICKSERV_FUNC(cmd_auth)
     set_user_handle_info(user, hi, 1);
     if (nickserv_conf.email_required && !hi->email_addr)
         reply("NSMSG_PLEASE_SET_EMAIL");
-    if (!is_secure_password(hi->handle, passwd, NULL))
+    if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL))
         reply("NSMSG_WEAK_PASSWORD");
-    if (hi->passwd[0] != '$')
+    if (!sslfpauth && (hi->passwd[0] != '$'))
         cryptpass(passwd, hi->passwd);
 
    /* If a channel was waiting for this user to auth, 
@@ -5780,7 +5790,7 @@ sasl_packet(struct SASLSession *session)
 
         log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials");
 
-        if (c != 2)
+        if ((c != 2) || !(*authcid))
         {
             log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied");
             irc_sasl(session->source, session->uid, "D", "F");
@@ -5794,10 +5804,18 @@ sasl_packet(struct SASLSession *session)
             }
             else
             {
-                if (*authzid && irccasecmp(authzid, authcid) && HANDLE_FLAGGED(hi, IMPERSONATE))
+                if (*authzid && irccasecmp(authzid, authcid))
                 {
-                    hii = hi;
-                    hi = get_handle_info(authzid);
+                    if (HANDLE_FLAGGED(hi, IMPERSONATE))
+                    {
+                        hii = hi;
+                        hi = get_handle_info(authzid);
+                    }
+                    else
+                    {
+                        log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized");
+                        hi = NULL;
+                    }
                 }
                 if (hi)
                 {