X-Git-Url: https://jfr.im/git/irc/evilnet/x3.git/blobdiff_plain/779da1cad46e1ff02e94067ceb8321de10833090..b8036263460c7bb538684caafa7309c360734155:/src/nickserv.c diff --git a/src/nickserv.c b/src/nickserv.c index 091b20e..ee3ebdc 100644 --- a/src/nickserv.c +++ b/src/nickserv.c @@ -221,7 +221,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." }, { "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" }, { "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." }, - { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" }, + { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" }, { "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." }, { "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." }, { "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." }, @@ -254,6 +254,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" }, { "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" }, { "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" }, + { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " }, { "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" }, { "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " }, { "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" }, @@ -1548,7 +1549,7 @@ static NICKSERV_FUNC(cmd_oregister) char* mask = NULL; char* nick = NULL; - NICKSERV_MIN_PARMS(2); + NICKSERV_MIN_PARMS(3); account = argv[1]; pass = argv[2]; @@ -1795,6 +1796,10 @@ static NICKSERV_FUNC(cmd_handleinfo) reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none); } + if (hi->opserv_level > 0) { + reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level); + } + if (HANDLE_FLAGGED(hi, SUPPORT_HELPER) || HANDLE_FLAGGED(hi, NETWORK_HELPER) || (hi->opserv_level > 0)) { @@ -2205,16 +2210,37 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us */ if(userhost) { char *buf; - char *ident; - char *realhost; - char *ip; + char *ident = NULL; + char *realhost = NULL; + char *ip = NULL; char *uh; char *ui; + char *c; + int bracket = 0; buf = strdup(userhost); - ident = mysep(&buf, "@"); - realhost = mysep(&buf, ":"); - ip = mysep(&buf, ":"); + + ident = buf; + for (c = buf; *c; c++) { + if ((realhost == NULL) && (*c == '@')) { + *c++ = '\0'; + if (*c == '[') { + bracket = 1; + *c++ = '\0'; + } + realhost = c; + } else if (bracket && (ip == NULL) && (*c == ']')) { + bracket = 0; + *c = '\0'; + } else if (!bracket && (ip == NULL) && (*c == ':')) { + *c++ = '\0'; + ip = c; + break; + } + } + + log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip); + if(!ip || !realhost || !ident) { free(buf); return NULL; /* Invalid AC request, just quit */ @@ -2267,6 +2293,7 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us static NICKSERV_FUNC(cmd_auth) { int pw_arg, used, maxlogins; + int sslfpauth = 0; struct handle_info *hi; const char *passwd; const char *handle; @@ -2320,7 +2347,7 @@ static NICKSERV_FUNC(cmd_auth) } #ifdef WITH_LDAP - if(strchr(argv[1], '<') || strchr(handle, '>')) { + if(strchr(handle, '<') || strchr(handle, '>')) { reply("NSMSG_NO_ANGLEBRACKETS"); return 0; } @@ -2356,7 +2383,7 @@ static NICKSERV_FUNC(cmd_auth) * create the account. */ char *mask; - if(!(hi = nickserv_register(user, user, argv[1], argv[2], 0))) { + if(!(hi = nickserv_register(user, user, handle, passwd, 0))) { reply("NSMSG_UNABLE_TO_ADD"); return 0; /* couldn't add the user for some reason */ } @@ -2398,11 +2425,15 @@ static NICKSERV_FUNC(cmd_auth) argv[pw_arg] = "BADMASK"; return 1; } + + if (valid_user_sslfp(user, hi)) + sslfpauth = 1; + #ifdef WITH_LDAP if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) || - ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) { + ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) { #else - if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) { + if (!checkpass(passwd, hi->passwd) && !sslfpauth) { #endif unsigned int n; send_message_type(4, user, cmd->parent->bot, @@ -2446,9 +2477,9 @@ static NICKSERV_FUNC(cmd_auth) set_user_handle_info(user, hi, 1); if (nickserv_conf.email_required && !hi->email_addr) reply("NSMSG_PLEASE_SET_EMAIL"); - if (!is_secure_password(hi->handle, passwd, NULL)) + if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL)) reply("NSMSG_WEAK_PASSWORD"); - if (hi->passwd[0] != '$') + if (!sslfpauth && (hi->passwd[0] != '$')) cryptpass(passwd, hi->passwd); /* If a channel was waiting for this user to auth, @@ -4109,15 +4140,8 @@ nickserv_saxdb_write(struct saxdb_context *ctx) { if (hi->maxlogins) saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins); if (hi->nicks) { - struct string_list *slist; struct nick_info *ni; - slist = alloc_string_list(nickserv_conf.nicks_per_handle); - for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick); - saxdb_write_string_list(ctx, KEY_NICKS, slist); - free(slist->list); - free(slist); - saxdb_start_record(ctx, KEY_NICKS_EX, 0); for (ni = hi->nicks; ni; ni = ni->next) { saxdb_start_record(ctx, ni->nick, 0); @@ -5412,6 +5436,7 @@ static int check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { struct nick_info *ni; user->modes &= ~FLAGS_REGNICK; + if (!(ni = get_nick_info(user->nick))) return 0; if (user->handle_info == ni->owner) { @@ -5432,6 +5457,21 @@ check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { return 0; } +static int +new_user_event(struct userNode *user, void *extra) { + /* If the user's server is not bursting, + * the user is authed, the account has autohide set + * and the user doesn't have user mode +x then apply + * the autohide setting. + */ + if (!user->uplink->burst && user->handle_info && + HANDLE_FLAGGED(user->handle_info, AUTOHIDE) && + !IsHiddenHost(user)) + irc_umode(user, "+x"); + + return check_user_nick(user, extra); +} + void handle_account(struct userNode *user, const char *stamp) { @@ -5561,6 +5601,7 @@ struct SASLSession char uid[128]; char mech[10]; char *sslclifp; + char *hostmask; int flags; }; @@ -5580,6 +5621,10 @@ sasl_delete_session(struct SASLSession *session) free(session->sslclifp); session->sslclifp = NULL; + if (session->hostmask) + free(session->hostmask); + session->hostmask = NULL; + if (session->next) session->next->prev = session->prev; if (session->prev) @@ -5693,7 +5738,7 @@ sasl_packet(struct SASLSession *session) log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); } else { - if (!(hi = loc_auth(session->sslclifp, authzid, NULL, NULL))) + if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask))) { log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); @@ -5712,7 +5757,7 @@ sasl_packet(struct SASLSession *session) free(raw); return; } - else /* We only have PLAIN at the moment so next message must be credentials */ + else { char *raw = NULL; size_t rawlen = 0; @@ -5722,6 +5767,7 @@ sasl_packet(struct SASLSession *session) char *r = NULL; unsigned int i = 0, c = 0; struct handle_info *hi = NULL; + struct handle_info *hii = NULL; static char buffer[256]; base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); @@ -5744,24 +5790,51 @@ sasl_packet(struct SASLSession *session) log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials"); - if (c != 2) + if ((c != 2) || !(*authcid)) { log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); } else { - if (!(hi = loc_auth(session->sslclifp, authcid, passwd, NULL))) + if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask))) { log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); } else { - snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); - log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); - irc_sasl(session->source, session->uid, "L", buffer); - irc_sasl(session->source, session->uid, "D", "S"); + if (*authzid && irccasecmp(authzid, authcid)) + { + if (HANDLE_FLAGGED(hi, IMPERSONATE)) + { + hii = hi; + hi = get_handle_info(authzid); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized"); + hi = NULL; + } + } + if (hi) + { + if (hii) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered); + irc_sasl(session->source, session->uid, "I", buffer); + } + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } } } @@ -5789,6 +5862,12 @@ handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, co return; } + if (!strcmp(subcmd, "H")) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data); + sess->hostmask = strdup(data); + return ; + } + if (strcmp(subcmd, "S") && strcmp(subcmd, "C")) return; @@ -5906,7 +5985,7 @@ init_nickserv(const char *nick) struct chanNode *chan; unsigned int i; NS_LOG = log_register_type("NickServ", "file:nickserv.log"); - reg_new_user_func(check_user_nick, NULL); + reg_new_user_func(new_user_event, NULL); reg_nick_change_func(handle_nick_change, NULL); reg_del_user_func(nickserv_remove_user, NULL); reg_account_func(handle_account); @@ -5918,6 +5997,9 @@ init_nickserv(const char *nick) for (i=0; handle_flags[i]; i++) { handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1; flag_access_levels[i] = 0; + /* ensure flag I requires a minimum of 999 if not set in the config */ + if ((unsigned char)handle_flags[i] == 'I') + flag_access_levels[i] = 999; } conf_register_reload(nickserv_conf_read);