X-Git-Url: https://jfr.im/git/irc/evilnet/x3.git/blobdiff_plain/8dc633d68df6ac0487b63b59634066a3d3dfb1f0..91889fec644e55e3ca3a513b6dd25e7ef9a7a39f:/src/nickserv.c diff --git a/src/nickserv.c b/src/nickserv.c index 8a73ede..9c866b6 100644 --- a/src/nickserv.c +++ b/src/nickserv.c @@ -221,7 +221,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." }, { "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" }, { "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." }, - { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" }, + { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" }, { "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." }, { "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." }, { "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." }, @@ -254,6 +254,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" }, { "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" }, { "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" }, + { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " }, { "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" }, { "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " }, { "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" }, @@ -1548,7 +1549,7 @@ static NICKSERV_FUNC(cmd_oregister) char* mask = NULL; char* nick = NULL; - NICKSERV_MIN_PARMS(2); + NICKSERV_MIN_PARMS(3); account = argv[1]; pass = argv[2]; @@ -1795,6 +1796,10 @@ static NICKSERV_FUNC(cmd_handleinfo) reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none); } + if (hi->opserv_level > 0) { + reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level); + } + if (HANDLE_FLAGGED(hi, SUPPORT_HELPER) || HANDLE_FLAGGED(hi, NETWORK_HELPER) || (hi->opserv_level > 0)) { @@ -2075,6 +2080,27 @@ reg_failpw_func(failpw_func_t func, void *extra) failpw_func_list_extra[failpw_func_used++] = extra; } +/* + * Return hi for the first handle that has a matching SSL fingerprint. + */ +struct handle_info *find_handleinfo_by_sslfp(char *sslfp) +{ + dict_iterator_t it; + struct handle_info *hi; + unsigned int ii = 0;; + + for (it = dict_first(nickserv_handle_dict); it; it = iter_next(it)) { + hi = iter_data(it); + for (ii=0; iisslfps->used; ii++) { + if (!irccasecmp(sslfp, hi->sslfps->list[ii])) { + return hi; + } + } + } + + return NULL; +} + /* * Return hi if the handle/pass pair matches, NULL if it doesnt. * @@ -2086,17 +2112,27 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us int wildmask = 0, auth = 0; int used, maxlogins; unsigned int ii; - struct handle_info *hi; + struct handle_info *hi = NULL; struct userNode *other; #ifdef WITH_LDAP int ldap_result = LDAP_SUCCESS; char *email = NULL; #endif - hi = dict_find(nickserv_handle_dict, handle, NULL); + if (handle != NULL) + hi = dict_find(nickserv_handle_dict, handle, NULL); + if (!hi && (sslfp != NULL)) { + hi = find_handleinfo_by_sslfp(sslfp); + if (!handle && (hi != NULL)) + handle = hi->handle; + } + /* Ensure handle is valid if not found in internal DB */ + if (!hi && !is_valid_handle(handle)) + return 0; + #ifdef WITH_LDAP - if (nickserv_conf.ldap_enable) { + if (nickserv_conf.ldap_enable && (password != NULL)) { ldap_result = ldap_check_auth(handle, password); if (!hi && (ldap_result != LDAP_SUCCESS)) return NULL; @@ -2178,16 +2214,37 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us */ if(userhost) { char *buf; - char *ident; - char *realhost; - char *ip; + char *ident = NULL; + char *realhost = NULL; + char *ip = NULL; char *uh; char *ui; + char *c; + int bracket = 0; buf = strdup(userhost); - ident = mysep(&buf, "@"); - realhost = mysep(&buf, ":"); - ip = mysep(&buf, ":"); + + ident = buf; + for (c = buf; *c; c++) { + if ((realhost == NULL) && (*c == '@')) { + *c++ = '\0'; + if (*c == '[') { + bracket = 1; + *c++ = '\0'; + } + realhost = c; + } else if (bracket && (ip == NULL) && (*c == ']')) { + bracket = 0; + *c = '\0'; + } else if (!bracket && (ip == NULL) && (*c == ':')) { + *c++ = '\0'; + ip = c; + break; + } + } + + log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip); + if(!ip || !realhost || !ident) { free(buf); return NULL; /* Invalid AC request, just quit */ @@ -2240,6 +2297,7 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us static NICKSERV_FUNC(cmd_auth) { int pw_arg, used, maxlogins; + int sslfpauth = 0; struct handle_info *hi; const char *passwd; const char *handle; @@ -2293,7 +2351,7 @@ static NICKSERV_FUNC(cmd_auth) } #ifdef WITH_LDAP - if(strchr(argv[1], '<') || strchr(handle, '>')) { + if(strchr(handle, '<') || strchr(handle, '>')) { reply("NSMSG_NO_ANGLEBRACKETS"); return 0; } @@ -2329,7 +2387,7 @@ static NICKSERV_FUNC(cmd_auth) * create the account. */ char *mask; - if(!(hi = nickserv_register(user, user, argv[1], argv[2], 0))) { + if(!(hi = nickserv_register(user, user, handle, passwd, 0))) { reply("NSMSG_UNABLE_TO_ADD"); return 0; /* couldn't add the user for some reason */ } @@ -2371,11 +2429,15 @@ static NICKSERV_FUNC(cmd_auth) argv[pw_arg] = "BADMASK"; return 1; } + + if (valid_user_sslfp(user, hi)) + sslfpauth = 1; + #ifdef WITH_LDAP if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) || - ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) { + ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) { #else - if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) { + if (!checkpass(passwd, hi->passwd) && !sslfpauth) { #endif unsigned int n; send_message_type(4, user, cmd->parent->bot, @@ -2419,9 +2481,9 @@ static NICKSERV_FUNC(cmd_auth) set_user_handle_info(user, hi, 1); if (nickserv_conf.email_required && !hi->email_addr) reply("NSMSG_PLEASE_SET_EMAIL"); - if (!is_secure_password(hi->handle, passwd, NULL)) + if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL)) reply("NSMSG_WEAK_PASSWORD"); - if (hi->passwd[0] != '$') + if (!sslfpauth && (hi->passwd[0] != '$')) cryptpass(passwd, hi->passwd); /* If a channel was waiting for this user to auth, @@ -4082,15 +4144,8 @@ nickserv_saxdb_write(struct saxdb_context *ctx) { if (hi->maxlogins) saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins); if (hi->nicks) { - struct string_list *slist; struct nick_info *ni; - slist = alloc_string_list(nickserv_conf.nicks_per_handle); - for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick); - saxdb_write_string_list(ctx, KEY_NICKS, slist); - free(slist->list); - free(slist); - saxdb_start_record(ctx, KEY_NICKS_EX, 0); for (ni = hi->nicks; ni; ni = ni->next) { saxdb_start_record(ctx, ni->nick, 0); @@ -5276,8 +5331,9 @@ nickserv_conf_read(void) if(nickserv_conf.ldap_enable > 0) { /* ldap is enabled but not compiled in - error out */ log_module(MAIN_LOG, LOG_ERROR, "ldap is enabled in config, but not compiled in!"); - nickserv_conf.ldap_enable = 0; - sleep(5); + exit(2); + /* nickserv_conf.ldap_enable = 0; */ + /* sleep(5); */ } #endif @@ -5385,6 +5441,7 @@ static int check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { struct nick_info *ni; user->modes &= ~FLAGS_REGNICK; + if (!(ni = get_nick_info(user->nick))) return 0; if (user->handle_info == ni->owner) { @@ -5405,6 +5462,21 @@ check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { return 0; } +static int +new_user_event(struct userNode *user, void *extra) { + /* If the user's server is not bursting, + * the user is authed, the account has autohide set + * and the user doesn't have user mode +x then apply + * the autohide setting. + */ + if (!user->uplink->burst && user->handle_info && + HANDLE_FLAGGED(user->handle_info, AUTOHIDE) && + !IsHiddenHost(user)) + irc_umode(user, "+x"); + + return check_user_nick(user, extra); +} + void handle_account(struct userNode *user, const char *stamp) { @@ -5534,6 +5606,7 @@ struct SASLSession char uid[128]; char mech[10]; char *sslclifp; + char *hostmask; int flags; }; @@ -5553,6 +5626,10 @@ sasl_delete_session(struct SASLSession *session) free(session->sslclifp); session->sslclifp = NULL; + if (session->hostmask) + free(session->hostmask); + session->hostmask = NULL; + if (session->next) session->next->prev = session->prev; if (session->prev) @@ -5634,8 +5711,11 @@ sasl_packet(struct SASLSession *session) if (!session->mech[0]) { log_module(NS_LOG, LOG_DEBUG, "SASL: No mechanism stored yet, using %s", session->buf); - if (strcmp(session->buf, "PLAIN")) { - irc_sasl(session->source, session->uid, "M", "PLAIN"); + if (strcmp(session->buf, "PLAIN") && (strcmp(session->buf, "EXTERNAL") || !session->sslclifp)) { + if (!session->sslclifp) + irc_sasl(session->source, session->uid, "M", "PLAIN"); + else + irc_sasl(session->source, session->uid, "M", "PLAIN,EXTERNAL"); irc_sasl(session->source, session->uid, "D", "F"); sasl_delete_session(session); return; @@ -5644,16 +5724,55 @@ sasl_packet(struct SASLSession *session) strncpy(session->mech, session->buf, 10); irc_sasl(session->source, session->uid, "C", "+"); } - else /* We only have PLAIN at the moment so next message must be credentials */ + else if (!strcmp(session->mech, "EXTERNAL")) + { + char *raw = NULL; + size_t rawlen = 0; + char *authzid = NULL; + struct handle_info *hi = NULL; + static char buffer[256]; + + base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); + + if (rawlen != 0) + authzid = raw; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials"); + + if (!session->sslclifp) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } else { + if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask))) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + else + { + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + } + + sasl_delete_session(session); + + free(raw); + return; + } + else { - char *raw; - size_t rawlen; + char *raw = NULL; + size_t rawlen = 0; char *authzid = NULL; char *authcid = NULL; char *passwd = NULL; - char *r; + char *r = NULL; unsigned int i = 0, c = 0; - struct handle_info *hi; + struct handle_info *hi = NULL; + struct handle_info *hii = NULL; static char buffer[256]; base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); @@ -5676,24 +5795,51 @@ sasl_packet(struct SASLSession *session) log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials"); - if (c != 2) + if ((c != 2) || !(*authcid)) { log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); } else { - if (!(hi = loc_auth(session->sslclifp, authcid, passwd, NULL))) + if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask))) { log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); irc_sasl(session->source, session->uid, "D", "F"); } else { - snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); - log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); - irc_sasl(session->source, session->uid, "L", buffer); - irc_sasl(session->source, session->uid, "D", "S"); + if (*authzid && irccasecmp(authzid, authcid)) + { + if (HANDLE_FLAGGED(hi, IMPERSONATE)) + { + hii = hi; + hi = get_handle_info(authzid); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized"); + hi = NULL; + } + } + if (hi) + { + if (hii) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered); + irc_sasl(session->source, session->uid, "I", buffer); + } + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } } } @@ -5721,6 +5867,12 @@ handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, co return; } + if (!strcmp(subcmd, "H")) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data); + sess->hostmask = strdup(data); + return ; + } + if (strcmp(subcmd, "S") && strcmp(subcmd, "C")) return; @@ -5838,7 +5990,7 @@ init_nickserv(const char *nick) struct chanNode *chan; unsigned int i; NS_LOG = log_register_type("NickServ", "file:nickserv.log"); - reg_new_user_func(check_user_nick, NULL); + reg_new_user_func(new_user_event, NULL); reg_nick_change_func(handle_nick_change, NULL); reg_del_user_func(nickserv_remove_user, NULL); reg_account_func(handle_account); @@ -5850,6 +6002,9 @@ init_nickserv(const char *nick) for (i=0; handle_flags[i]; i++) { handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1; flag_access_levels[i] = 0; + /* ensure flag I requires a minimum of 999 if not set in the config */ + if ((unsigned char)handle_flags[i] == 'I') + flag_access_levels[i] = 999; } conf_register_reload(nickserv_conf_read);