{ "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." },
{ "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" },
{ "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." },
- { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" },
+ { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" },
{ "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." },
{ "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." },
{ "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." },
if (data)
style = atoi(data);
- if (style == 1)
+ if ((style == 1) || (style == 3))
snprintf(buffer, sizeof(buffer), "%s.%s", handle->handle, hidden_host_suffix);
else if (style == 2) {
/* Due to the way fakehost is coded theres no way i can
char* mask = NULL;
char* nick = NULL;
- NICKSERV_MIN_PARMS(2);
+ NICKSERV_MIN_PARMS(3);
account = argv[1];
pass = argv[2];
failpw_func_list_extra[failpw_func_used++] = extra;
}
+/*
+ * Return hi for the first handle that has a matching SSL fingerprint.
+ */
+struct handle_info *find_handleinfo_by_sslfp(char *sslfp)
+{
+ dict_iterator_t it;
+ struct handle_info *hi;
+ unsigned int ii = 0;;
+
+ for (it = dict_first(nickserv_handle_dict); it; it = iter_next(it)) {
+ hi = iter_data(it);
+ for (ii=0; ii<hi->sslfps->used; ii++) {
+ if (!irccasecmp(sslfp, hi->sslfps->list[ii])) {
+ return hi;
+ }
+ }
+ }
+
+ return NULL;
+}
+
/*
* Return hi if the handle/pass pair matches, NULL if it doesnt.
*
int wildmask = 0, auth = 0;
int used, maxlogins;
unsigned int ii;
- struct handle_info *hi;
+ struct handle_info *hi = NULL;
struct userNode *other;
#ifdef WITH_LDAP
int ldap_result = LDAP_SUCCESS;
char *email = NULL;
#endif
- hi = dict_find(nickserv_handle_dict, handle, NULL);
+ if (handle != NULL)
+ hi = dict_find(nickserv_handle_dict, handle, NULL);
+ if (!hi && (sslfp != NULL)) {
+ hi = find_handleinfo_by_sslfp(sslfp);
+ if (!handle && (hi != NULL))
+ handle = hi->handle;
+ }
#ifdef WITH_LDAP
- if (nickserv_conf.ldap_enable) {
+ if (nickserv_conf.ldap_enable && (password != NULL)) {
ldap_result = ldap_check_auth(handle, password);
if (!hi && (ldap_result != LDAP_SUCCESS))
return NULL;
*/
if(userhost) {
char *buf;
- char *ident;
- char *realhost;
- char *ip;
+ char *ident = NULL;
+ char *realhost = NULL;
+ char *ip = NULL;
char *uh;
char *ui;
+ char *c;
+ int bracket = 0;
buf = strdup(userhost);
- ident = mysep(&buf, "@");
- realhost = mysep(&buf, ":");
- ip = mysep(&buf, ":");
+
+ ident = buf;
+ for (c = buf; *c; c++) {
+ if ((realhost == NULL) && (*c == '@')) {
+ *c++ = '\0';
+ if (*c == '[') {
+ bracket = 1;
+ *c++ = '\0';
+ }
+ realhost = c;
+ } else if (bracket && (ip == NULL) && (*c == ']')) {
+ bracket = 0;
+ *c = '\0';
+ } else if (!bracket && (ip == NULL) && (*c == ':')) {
+ *c++ = '\0';
+ ip = c;
+ break;
+ }
+ }
+
+ log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip);
+
if(!ip || !realhost || !ident) {
free(buf);
return NULL; /* Invalid AC request, just quit */
}
#ifdef WITH_LDAP
- if(strchr(argv[1], '<') || strchr(handle, '>')) {
+ if(strchr(handle, '<') || strchr(handle, '>')) {
reply("NSMSG_NO_ANGLEBRACKETS");
return 0;
}
* create the account.
*/
char *mask;
- if(!(hi = nickserv_register(user, user, argv[1], argv[2], 0))) {
+ if(!(hi = nickserv_register(user, user, handle, passwd, 0))) {
reply("NSMSG_UNABLE_TO_ADD");
return 0; /* couldn't add the user for some reason */
}
if (hi->maxlogins)
saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins);
if (hi->nicks) {
- struct string_list *slist;
struct nick_info *ni;
- slist = alloc_string_list(nickserv_conf.nicks_per_handle);
- for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick);
- saxdb_write_string_list(ctx, KEY_NICKS, slist);
- free(slist->list);
- free(slist);
-
saxdb_start_record(ctx, KEY_NICKS_EX, 0);
for (ni = hi->nicks; ni; ni = ni->next) {
saxdb_start_record(ctx, ni->nick, 0);
int buflen;
char uid[128];
char mech[10];
- char sslclifp[128];
+ char *sslclifp;
+ char *hostmask;
int flags;
};
if (session->buf)
free(session->buf);
+ session->buf = NULL;
+
+ if (session->sslclifp)
+ free(session->sslclifp);
+ session->sslclifp = NULL;
+
+ if (session->hostmask)
+ free(session->hostmask);
+ session->hostmask = NULL;
if (session->next)
session->next->prev = session->prev;
if (!session->mech[0])
{
log_module(NS_LOG, LOG_DEBUG, "SASL: No mechanism stored yet, using %s", session->buf);
- if (strcmp(session->buf, "PLAIN")) {
- irc_sasl(session->source, session->uid, "M", "PLAIN");
+ if (strcmp(session->buf, "PLAIN") && (strcmp(session->buf, "EXTERNAL") || !session->sslclifp)) {
+ if (!session->sslclifp)
+ irc_sasl(session->source, session->uid, "M", "PLAIN");
+ else
+ irc_sasl(session->source, session->uid, "M", "PLAIN,EXTERNAL");
irc_sasl(session->source, session->uid, "D", "F");
sasl_delete_session(session);
return;
strncpy(session->mech, session->buf, 10);
irc_sasl(session->source, session->uid, "C", "+");
}
- else /* We only have PLAIN at the moment so next message must be credentials */
+ else if (!strcmp(session->mech, "EXTERNAL"))
+ {
+ char *raw = NULL;
+ size_t rawlen = 0;
+ char *authzid = NULL;
+ struct handle_info *hi = NULL;
+ static char buffer[256];
+
+ base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen);
+
+ if (rawlen != 0)
+ authzid = raw;
+
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials");
+
+ if (!session->sslclifp) {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ } else {
+ if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask)))
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
+ else
+ {
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered);
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied");
+ irc_sasl(session->source, session->uid, "L", buffer);
+ irc_sasl(session->source, session->uid, "D", "S");
+ }
+ }
+
+ sasl_delete_session(session);
+
+ free(raw);
+ return;
+ }
+ else
{
- char *raw;
- size_t rawlen;
+ char *raw = NULL;
+ size_t rawlen = 0;
char *authzid = NULL;
char *authcid = NULL;
char *passwd = NULL;
- char *r;
+ char *r = NULL;
unsigned int i = 0, c = 0;
- struct handle_info *hi;
+ struct handle_info *hi = NULL;
+ struct handle_info *hii = NULL;
+ static char buffer[256];
base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen);
}
else
{
- if (!(hi = loc_auth(NULL, authcid, passwd, NULL)))
+ if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask)))
{
log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
irc_sasl(session->source, session->uid, "D", "F");
}
else
{
- log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied");
- irc_sasl(session->source, session->uid, "L", hi->handle);
- irc_sasl(session->source, session->uid, "D", "S");
+ if (*authzid && irccasecmp(authzid, authcid) && HANDLE_FLAGGED(hi, IMPERSONATE))
+ {
+ hii = hi;
+ hi = get_handle_info(authzid);
+ }
+ if (hi)
+ {
+ if (hii)
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle);
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered);
+ irc_sasl(session->source, session->uid, "I", buffer);
+ }
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied");
+ snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered);
+ irc_sasl(session->source, session->uid, "L", buffer);
+ irc_sasl(session->source, session->uid, "D", "S");
+ }
+ else
+ {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied");
+ irc_sasl(session->source, session->uid, "D", "F");
+ }
}
}
}
void
-handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, const char *data, UNUSED_ARG(const char *ext), UNUSED_ARG(void *extra))
+handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, const char *data, const char *ext, UNUSED_ARG(void *extra))
{
struct SASLSession* sess = sasl_get_session(uid);
int len = strlen(data);
return;
}
+ if (!strcmp(subcmd, "H")) {
+ log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data);
+ sess->hostmask = strdup(data);
+ return ;
+ }
+
if (strcmp(subcmd, "S") && strcmp(subcmd, "C"))
return;
}
memcpy(sess->p, data, len);
+ sess->buf[len] = '\0';
+
+ if (ext != NULL)
+ sess->sslclifp = strdup(ext);
/* Messages not exactly 400 bytes are the end of a packet. */
if(len < 400)
{
sasl_packet(sess);
sess->buflen = 0;
- free(sess->buf);
+ if (sess->buf != NULL)
+ free(sess->buf);
sess->buf = sess->p = NULL;
}
}
for (i=0; handle_flags[i]; i++) {
handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1;
flag_access_levels[i] = 0;
+ /* ensure flag I requires a minimum of 999 if not set in the config */
+ if ((unsigned char)handle_flags[i] == 'I')
+ flag_access_levels[i] = 999;
}
conf_register_reload(nickserv_conf_read);
projects / irc / evilnet / x3.git / blobdiff