X-Git-Url: https://jfr.im/git/irc/evilnet/x3.git/blobdiff_plain/a6bcc9299647fd6e2875946d764712103134c76e..91889fec644e55e3ca3a513b6dd25e7ef9a7a39f:/src/nickserv.c diff --git a/src/nickserv.c b/src/nickserv.c index 20c8d58..9c866b6 100644 --- a/src/nickserv.c +++ b/src/nickserv.c @@ -18,6 +18,7 @@ * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ +#include "base64.h" #include "chanserv.h" #include "conf.h" #include "config.h" @@ -64,6 +65,8 @@ #define KEY_HANDLE_EXPIRE_FREQ "handle_expire_freq" #define KEY_ACCOUNT_EXPIRE_FREQ "account_expire_freq" #define KEY_HANDLE_EXPIRE_DELAY "handle_expire_delay" +#define KEY_NICK_EXPIRE_FREQ "nick_expire_freq" +#define KEY_NICK_EXPIRE_DELAY "nick_expire_delay" #define KEY_ACCOUNT_EXPIRE_DELAY "account_expire_delay" #define KEY_NOCHAN_HANDLE_EXPIRE_DELAY "nochan_handle_expire_delay" #define KEY_NOCHAN_ACCOUNT_EXPIRE_DELAY "nochan_account_expire_delay" @@ -87,7 +90,9 @@ #define KEY_ID "id" #define KEY_PASSWD "passwd" #define KEY_NICKS "nicks" +#define KEY_NICKS_EX "nicks_ex" #define KEY_MASKS "masks" +#define KEY_SSLFPS "sslfps" #define KEY_IGNORES "ignores" #define KEY_OPSERV_LEVEL "opserv_level" #define KEY_FLAGS "flags" @@ -142,7 +147,7 @@ #define NICKSERV_VALID_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_" #define NICKSERV_FUNC(NAME) MODCMD_FUNC(NAME) -#define OPTION_FUNC(NAME) int NAME(UNUSED_ARG(struct svccmd *cmd), struct userNode *user, struct handle_info *hi, UNUSED_ARG(unsigned int override), unsigned int argc, char *argv[]) +#define OPTION_FUNC(NAME) int NAME(UNUSED_ARG(struct svccmd *cmd), struct userNode *user, struct handle_info *hi, UNUSED_ARG(unsigned int override), int noreply, unsigned int argc, char *argv[]) typedef OPTION_FUNC(option_func_t); DEFINE_LIST(handle_info_list, struct handle_info*) @@ -216,7 +221,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." }, { "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" }, { "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." }, - { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" }, + { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" }, { "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." }, { "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." }, { "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." }, @@ -238,7 +243,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_REGGED", "Registered on: %s" }, { "NSMSG_HANDLEINFO_LASTSEEN", "Last seen: %s" }, { "NSMSG_HANDLEINFO_LASTSEEN_NOW", "Last seen: Right now!" }, - { "NSMSG_HANDLEINFO_KARMA", " Karma: %d" }, + { "NSMSG_HANDLEINFO_KARMA", "Karma: %d" }, { "NSMSG_HANDLEINFO_VACATION", "On vacation." }, { "NSMSG_HANDLEINFO_EMAIL_ADDR", "Email address: %s" }, { "NSMSG_HANDLEINFO_COOKIE_ACTIVATION", "Cookie: There is currently an activation cookie issued for this account" }, @@ -246,8 +251,10 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_COOKIE_EMAIL", "Cookie: There is currently an email change cookie issued for this account" }, { "NSMSG_HANDLEINFO_COOKIE_ALLOWAUTH", "Cookie: There is currently an allowauth cookie issued for this account" }, { "NSMSG_HANDLEINFO_COOKIE_UNKNOWN", "Cookie: There is currently an unknown cookie issued for this account" }, + { "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" }, { "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" }, { "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" }, + { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " }, { "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" }, { "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " }, { "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" }, @@ -257,13 +264,19 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_LAST_HOST_UNKNOWN", "Last quit hostmask: Unknown" }, { "NSMSG_HANDLEINFO_NICKS", "Nickname(s): %s" }, { "NSMSG_HANDLEINFO_MASKS", "Hostmask(s): %s" }, + { "NSMSG_HANDLEINFO_SSLFPS", "SSL Fingerprints(s): %s" }, { "NSMSG_HANDLEINFO_IGNORES", "Ignore(s): %s" }, { "NSMSG_HANDLEINFO_CHANNELS", "Channel(s): %s" }, { "NSMSG_HANDLEINFO_CURRENT", "Current nickname(s): %s" }, { "NSMSG_HANDLEINFO_DNR", "Do-not-register (by %s): %s" }, { "NSMSG_USERINFO_AUTHED_AS", "$b%s$b is authenticated to account $b%s$b." }, { "NSMSG_USERINFO_NOT_AUTHED", "$b%s$b is not authenticated to any account." }, - { "NSMSG_NICKINFO_OWNER", "Nick $b%s$b is owned by account $b%s$b." }, + { "NSMSG_NICKINFO_ON", "$bNick Information for %s$b" }, + { "NSMSG_NICKINFO_END", "----------End of Nick Info-----------" }, + { "NSMSG_NICKINFO_REGGED", "Registered on: %s" }, + { "NSMSG_NICKINFO_LASTSEEN", "Last seen: %s" }, + { "NSMSG_NICKINFO_LASTSEEN_NOW", "Last seen: Right now!" }, + { "NSMSG_NICKINFO_OWNER", "Account: %s." }, { "NSMSG_PASSWORD_INVALID", "Incorrect password; please try again." }, { "NSMSG_PLEASE_SET_EMAIL", "We now require email addresses for users. Please use the $bset email$b command to set your email address!" }, { "NSMSG_WEAK_PASSWORD", "WARNING: You are using a password that is considered weak (easy to guess). It is STRONGLY recommended you change it (now, if not sooner) by typing \"/msg $S@$s PASS oldpass newpass\" (with your current password and a new password)." }, @@ -286,9 +299,13 @@ static const struct message_entry msgtab[] = { { "NSMSG_ADDMASK_SUCCESS", "Hostmask %s added." }, { "NSMSG_ADDIGNORE_ALREADY", "$b%s$b is already an ignored hostmask in your account." }, { "NSMSG_ADDIGNORE_SUCCESS", "Hostmask %s added." }, + { "NSMSG_ADDSSLFP_ALREADY", "$b%s$b is already an SSL fingerprint in your account." }, + { "NSMSG_ADDSSLFP_SUCCESS", "SSL fingerprint %s added." }, { "NSMSG_DELMASK_NOTLAST", "You may not delete your last hostmask." }, { "NSMSG_DELMASK_SUCCESS", "Hostmask %s deleted." }, { "NSMSG_DELMASK_NOT_FOUND", "Unable to find mask to be deleted." }, + { "NSMSG_DELSSLFP_SUCCESS", "SSL fingerprint %s deleted." }, + { "NSMSG_DELSSLFP_NOT_FOUND", "Unable to find SSL fingerprint to be deleted." }, { "NSMSG_OPSERV_LEVEL_BAD", "You may not promote another oper above your level." }, { "NSMSG_USE_CMD_PASS", "Please use the PASS command to change your password." }, { "NSMSG_UNKNOWN_NICK", "I know nothing about nick $b%s$b." }, @@ -349,13 +366,13 @@ static const struct message_entry msgtab[] = { { "NSMSG_SET_FLAGS", "$bFLAGS: $b%s" }, { "NSMSG_SET_EMAIL", "$bEMAIL: $b%s" }, { "NSMSG_SET_MAXLOGINS", "$bMAXLOGINS: $b%d" }, - { "NSMSG_SET_ADVANCED", "$bADVANCED: $b%s" }, + { "NSMSG_SET_ADVANCED", "$bADVANCED: $b%s" }, { "NSMSG_SET_LANGUAGE", "$bLANGUAGE: $b%s" }, { "NSMSG_SET_LEVEL", "$bLEVEL: $b%d" }, { "NSMSG_SET_EPITHET", "$bEPITHET: $b%s" }, { "NSMSG_SET_NOTE", "$bNOTE: $b%s"}, { "NSMSG_SET_TITLE", "$bTITLE: $b%s" }, - { "NSMSG_SET_FAKEHOST", "$bFAKEHOST: $b%s" }, + { "NSMSG_SET_FAKEHOST", "$bFAKEHOST: $b%s" }, { "NSMSG_AUTO_OPER", "You have been auto-opered" }, { "NSMSG_AUTO_OPER_ADMIN", "You have been auto-admined" }, @@ -472,6 +489,8 @@ register_nick(const char *nick, struct handle_info *owner) struct nick_info *ni; ni = malloc(sizeof(struct nick_info)); safestrncpy(ni->nick, nick, sizeof(ni->nick)); + ni->registered = now; + ni->lastseen = now; ni->owner = owner; ni->next = owner->nicks; owner->nicks = ni; @@ -504,21 +523,25 @@ delete_nick(struct nick_info *ni) } static unreg_func_t *unreg_func_list; +static void **unreg_func_list_extra; static unsigned int unreg_func_size = 0, unreg_func_used = 0; void -reg_unreg_func(unreg_func_t func) +reg_unreg_func(unreg_func_t func, void *extra) { if (unreg_func_used == unreg_func_size) { if (unreg_func_size) { unreg_func_size <<= 1; unreg_func_list = realloc(unreg_func_list, unreg_func_size*sizeof(unreg_func_t)); + unreg_func_list_extra = realloc(unreg_func_list_extra, unreg_func_size*sizeof(void*)); } else { unreg_func_size = 8; unreg_func_list = malloc(unreg_func_size*sizeof(unreg_func_t)); + unreg_func_list_extra = malloc(unreg_func_size*sizeof(void*)); } } - unreg_func_list[unreg_func_used++] = func; + unreg_func_list[unreg_func_used] = func; + unreg_func_list_extra[unreg_func_used++] = extra; } static void @@ -536,6 +559,7 @@ free_handle_info(void *vhi) struct handle_info *hi = vhi; free_string_list(hi->masks); + free_string_list(hi->sslfps); free_string_list(hi->ignores); assert(!hi->users); @@ -581,7 +605,7 @@ nickserv_unregister_handle(struct handle_info *hi, struct userNode *notify, stru } #endif for (n=0; nusers) { if (nickserv_conf.sync_log) { uNode = GetUserH(hi->users->nick); @@ -827,6 +851,25 @@ valid_user_for(struct userNode *user, struct handle_info *hi) return 0; } +static int +valid_user_sslfp(struct userNode *user, struct handle_info *hi) +{ + unsigned int ii; + + if (!hi->sslfps->used) + return 0; + if (!(user->sslfp)) + return 0; + + /* If any SSL fingerprint matches, allow it. */ + for (ii=0; iisslfps->used; ii++) + if (!irccasecmp(user->sslfp, hi->sslfps->list[ii])) + return 1; + + /* No valid SSL fingerprint found. */ + return 0; +} + static int is_secure_password(const char *handle, const char *pass, struct userNode *user) { @@ -870,39 +913,47 @@ is_secure_password(const char *handle, const char *pass, struct userNode *user) } static auth_func_t *auth_func_list; +static void **auth_func_list_extra; static unsigned int auth_func_size = 0, auth_func_used = 0; void -reg_auth_func(auth_func_t func) +reg_auth_func(auth_func_t func, void *extra) { if (auth_func_used == auth_func_size) { if (auth_func_size) { auth_func_size <<= 1; auth_func_list = realloc(auth_func_list, auth_func_size*sizeof(auth_func_t)); + auth_func_list_extra = realloc(auth_func_list_extra, auth_func_size*sizeof(void*)); } else { auth_func_size = 8; auth_func_list = malloc(auth_func_size*sizeof(auth_func_t)); + auth_func_list_extra = malloc(auth_func_size*sizeof(void*)); } } - auth_func_list[auth_func_used++] = func; + auth_func_list[auth_func_used] = func; + auth_func_list_extra[auth_func_used++] = extra; } static handle_rename_func_t *rf_list; +static void **rf_list_extra; static unsigned int rf_list_size, rf_list_used; void -reg_handle_rename_func(handle_rename_func_t func) +reg_handle_rename_func(handle_rename_func_t func, void *extra) { if (rf_list_used == rf_list_size) { if (rf_list_size) { rf_list_size <<= 1; rf_list = realloc(rf_list, rf_list_size*sizeof(rf_list[0])); + rf_list_extra = realloc(rf_list_extra, rf_list_size*sizeof(void*)); } else { rf_list_size = 8; rf_list = malloc(rf_list_size*sizeof(rf_list[0])); + rf_list_extra = malloc(rf_list_size*sizeof(void*)); } } - rf_list[rf_list_used++] = func; + rf_list[rf_list_used] = func; + rf_list_extra[rf_list_used++] = extra; } static char * @@ -919,7 +970,7 @@ generate_fakehost(struct handle_info *handle) if (data) style = atoi(data); - if (style == 1) + if ((style == 1) || (style == 3)) snprintf(buffer, sizeof(buffer), "%s.%s", handle->handle, hidden_host_suffix); else if (style == 2) { /* Due to the way fakehost is coded theres no way i can @@ -928,7 +979,10 @@ generate_fakehost(struct handle_info *handle) for (target = handle->users; target; target = target->next_authed) break; - snprintf(buffer, sizeof(buffer), "%s", target->crypthost); + if (target) + snprintf(buffer, sizeof(buffer), "%s", target->crypthost); + else + strncpy(buffer, "none", sizeof(buffer)); } return buffer; } else if (handle->fakehost[0] == '.') { @@ -960,7 +1014,7 @@ void send_func_list(struct userNode *user) old_info = user->handle_info; for (n=0; nhandle_info) { struct userNode *other; + struct nick_info* ni; if (IsHelper(user)) userList_remove(&curr_helpers, user); @@ -998,6 +1053,8 @@ set_user_handle_info(struct userNode *user, struct handle_info *hi, int stamp) HANDLE_CLEAR_FLAG(user->handle_info, HELPING); /* record them as being last seen at this time */ user->handle_info->lastseen = now; + if ((ni = get_nick_info(user->nick))) + ni->lastseen = now; /* and record their hostmask */ snprintf(user->handle_info->last_quit_host, sizeof(user->handle_info->last_quit_host), "%s@%s", user->ident, user->hostname); } @@ -1056,8 +1113,10 @@ set_user_handle_info(struct userNode *user, struct handle_info *hi, int stamp) } /* Stop trying to kick this user off their nick */ - if ((ni = get_nick_info(user->nick)) && (ni->owner == hi)) + if ((ni = get_nick_info(user->nick)) && (ni->owner == hi)) { timeq_del(0, nickserv_reclaim_p, user, TIMEQ_IGNORE_WHEN); + ni->lastseen = now; + } } else { /* We cannot clear the user's account ID, unfortunately. */ user->next_authed = NULL; @@ -1066,7 +1125,7 @@ set_user_handle_info(struct userNode *user, struct handle_info *hi, int stamp) /* Call auth handlers */ if (GetUserH(user->nick)) { for (n=0; ndead) return; } @@ -1078,7 +1137,7 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha { struct handle_info *hi; struct nick_info *ni; - char crypted[MD5_CRYPT_LENGTH]; + char crypted[MD5_CRYPT_LENGTH] = ""; if ((hi = dict_find(nickserv_handle_dict, handle, NULL))) { if(user) @@ -1093,14 +1152,17 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha return 0; } - if (!is_secure_password(handle, passwd, user)) - return 0; + if (passwd) + { + if (!is_secure_password(handle, passwd, user)) + return 0; - cryptpass(passwd, crypted); + cryptpass(passwd, crypted); + } #ifdef WITH_LDAP if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) { int rc; - rc = ldap_do_add(handle, crypted, NULL); + rc = ldap_do_add(handle, (no_auth || !passwd ? NULL : crypted), NULL); if(LDAP_SUCCESS != rc && LDAP_ALREADY_EXISTS != rc ) { if(user) send_message(user, nickserv, "NSMSG_LDAP_FAIL", ldap_err2string(rc)); @@ -1110,6 +1172,7 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha #endif hi = register_handle(handle, crypted, 0); hi->masks = alloc_string_list(1); + hi->sslfps = alloc_string_list(1); hi->ignores = alloc_string_list(1); hi->users = NULL; hi->language = lang_C; @@ -1140,6 +1203,11 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha send_message(user, nickserv, "NSMSG_REGISTER_HN_SUCCESS"); } } + else { + if (is_registerable_nick(handle)) { + register_nick(handle, hi); + } + } } if (settee && (user != settee)) { if(user) { @@ -1481,20 +1549,21 @@ static NICKSERV_FUNC(cmd_oregister) char* mask = NULL; char* nick = NULL; - NICKSERV_MIN_PARMS(2); + NICKSERV_MIN_PARMS(3); account = argv[1]; pass = argv[2]; if(nickserv_conf.force_handles_lowercase) irc_strtolower(account); + if (!is_valid_handle(argv[1])) { + reply("NSMSG_BAD_HANDLE", argv[1]); + return 0; + } if (nickserv_conf.email_required) { NICKSERV_MIN_PARMS(3); email = argv[3]; - if (argc >= 4) {/* take: "acct pass email mask nick" or "acct pass email mask" or "acct pass email nick" */ - if (argc < 4) { - mask = NULL; - settee = NULL; - } else if (strchr(argv[4], '@')) + if (argc > 4) {/* take: "acct pass email mask nick" or "acct pass email mask" or "acct pass email nick" */ + if (strchr(argv[4], '@')) mask = argv[4]; else nick = argv[4]; @@ -1504,11 +1573,8 @@ static NICKSERV_FUNC(cmd_oregister) } } else { - if (argc >= 4) {/* take: "account pass mask nick" or "account pass mask" or "account pass nick" */ - if (argc < 4) { - mask = NULL; - settee = NULL; - } else if (strchr(argv[3], '@')) + if (argc > 3) {/* take: "account pass mask nick" or "account pass mask" or "account pass nick" */ + if (strchr(argv[3], '@')) mask = argv[3]; else nick = argv[3]; @@ -1568,6 +1634,8 @@ static NICKSERV_FUNC(cmd_oregister) string_list_append(hi->masks, mask_canonicalized); } + argv[2] = "****"; + if (nickserv_conf.sync_log) SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, email ? email : "@", user->info); /* Send just @ for email if none */ return 1; @@ -1711,6 +1779,8 @@ static NICKSERV_FUNC(cmd_handleinfo) default: type = "NSMSG_HANDLEINFO_COOKIE_UNKNOWN"; break; } reply(type); + if (IsOper(user) && (hi->cookie->type == EMAIL_CHANGE)) + reply("NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", hi->cookie->data); } if (hi->flags) { @@ -1726,6 +1796,10 @@ static NICKSERV_FUNC(cmd_handleinfo) reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none); } + if (hi->opserv_level > 0) { + reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level); + } + if (HANDLE_FLAGGED(hi, SUPPORT_HELPER) || HANDLE_FLAGGED(hi, NETWORK_HELPER) || (hi->opserv_level > 0)) { @@ -1795,6 +1869,26 @@ static NICKSERV_FUNC(cmd_handleinfo) reply("NSMSG_HANDLEINFO_MASKS", nsmsg_none); } + if (hi->sslfps->used) { + for (i=0; i < hi->sslfps->used; i++) { + herelen = strlen(hi->sslfps->list[i]); + if (pos + herelen + 1 > ArrayLength(buff)) { + i--; + goto print_sslfp_buff; + } + memcpy(buff+pos, hi->sslfps->list[i], herelen); + pos += herelen; buff[pos++] = ' '; + if (i+1 == hi->sslfps->used) { + print_sslfp_buff: + buff[pos-1] = 0; + reply("NSMSG_HANDLEINFO_SSLFPS", buff); + pos = 0; + } + } + } else { + reply("NSMSG_HANDLEINFO_SSLFPS", nsmsg_none); + } + if (hi->ignores->used) { for (i=0; i < hi->ignores->used; i++) { herelen = strlen(hi->ignores->list[i]); @@ -1882,13 +1976,29 @@ static NICKSERV_FUNC(cmd_userinfo) static NICKSERV_FUNC(cmd_nickinfo) { struct nick_info *ni; + char buff[400]; NICKSERV_MIN_PARMS(2); if (!(ni = get_nick_info(argv[1]))) { reply("MSG_NICK_UNKNOWN", argv[1]); return 0; } - reply("NSMSG_NICKINFO_OWNER", ni->nick, ni->owner->handle); + + reply("NSMSG_NICKINFO_ON", ni->nick); + reply("MSG_BAR"); + reply("NSMSG_NICKINFO_REGGED", ctime(&ni->registered)); + + if (!GetUserH(ni->nick)) { + intervalString(buff, now - ni->lastseen, user->handle_info); + reply("NSMSG_NICKINFO_LASTSEEN", buff); + } else { + reply("NSMSG_NICKINFO_LASTSEEN_NOW"); + } + + reply("NSMSG_NICKINFO_OWNER", ni->owner->handle); + + reply("NSMSG_NICKINFO_END"); + return 1; } @@ -1931,7 +2041,7 @@ static NICKSERV_FUNC(cmd_rename_handle) hi->handle = strdup(argv[2]); dict_insert(nickserv_handle_dict, hi->handle, hi); for (nn=0; nnusers; uNode; uNode = uNode->next_authed) @@ -1949,21 +2059,46 @@ static NICKSERV_FUNC(cmd_rename_handle) } static failpw_func_t *failpw_func_list; +static void **failpw_func_list_extra; static unsigned int failpw_func_size = 0, failpw_func_used = 0; void -reg_failpw_func(failpw_func_t func) +reg_failpw_func(failpw_func_t func, void *extra) { if (failpw_func_used == failpw_func_size) { if (failpw_func_size) { failpw_func_size <<= 1; failpw_func_list = realloc(failpw_func_list, failpw_func_size*sizeof(failpw_func_t)); + failpw_func_list_extra = realloc(failpw_func_list_extra, failpw_func_size*sizeof(void*)); } else { failpw_func_size = 8; failpw_func_list = malloc(failpw_func_size*sizeof(failpw_func_t)); + failpw_func_list_extra = malloc(failpw_func_size*sizeof(void*)); + } + } + failpw_func_list[failpw_func_used] = func; + failpw_func_list_extra[failpw_func_used++] = extra; +} + +/* + * Return hi for the first handle that has a matching SSL fingerprint. + */ +struct handle_info *find_handleinfo_by_sslfp(char *sslfp) +{ + dict_iterator_t it; + struct handle_info *hi; + unsigned int ii = 0;; + + for (it = dict_first(nickserv_handle_dict); it; it = iter_next(it)) { + hi = iter_data(it); + for (ii=0; iisslfps->used; ii++) { + if (!irccasecmp(sslfp, hi->sslfps->list[ii])) { + return hi; + } } } - failpw_func_list[failpw_func_used++] = func; + + return NULL; } /* @@ -1972,88 +2107,104 @@ reg_failpw_func(failpw_func_t func) * called by nefariouses enhanced AC login-on-connect code * */ -struct handle_info *loc_auth(char *handle, char *password, char *userhost) +struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *userhost) { - int pw_arg, used, maxlogins; + int wildmask = 0, auth = 0; + int used, maxlogins; unsigned int ii; - int wildmask = 0; - struct handle_info *hi; + struct handle_info *hi = NULL; struct userNode *other; #ifdef WITH_LDAP int ldap_result = LDAP_SUCCESS; char *email = NULL; #endif - - hi = dict_find(nickserv_handle_dict, handle, NULL); - pw_arg = 2; + + if (handle != NULL) + hi = dict_find(nickserv_handle_dict, handle, NULL); + if (!hi && (sslfp != NULL)) { + hi = find_handleinfo_by_sslfp(sslfp); + if (!handle && (hi != NULL)) + handle = hi->handle; + } + + /* Ensure handle is valid if not found in internal DB */ + if (!hi && !is_valid_handle(handle)) + return 0; #ifdef WITH_LDAP - if(nickserv_conf.ldap_enable) { + if (nickserv_conf.ldap_enable && (password != NULL)) { ldap_result = ldap_check_auth(handle, password); - if(ldap_result != LDAP_SUCCESS) { - return NULL; + if (!hi && (ldap_result != LDAP_SUCCESS)) + return NULL; + if (ldap_result == LDAP_SUCCESS) { + /* Mark auth as successful */ + auth++; + } + + if (!hi && (ldap_result == LDAP_SUCCESS) && nickserv_conf.ldap_autocreate) { + /* user not found, but authed to ldap successfully.. + * create the account. + */ + char *mask; + int rc; + + /* Add a *@* mask */ + /* TODO if userhost is not null, build mask based on that. */ + if(nickserv_conf.default_hostmask) + mask = "*@*"; + else + return NULL; /* They dont have a *@* mask so they can't loc */ + + if(!(hi = nickserv_register(NULL, NULL, handle, password, 0))) { + return 0; /* couldn't add the user for some reason */ + } + + if((rc = ldap_get_user_info(handle, &email) != LDAP_SUCCESS)) + { + if(nickserv_conf.email_required) { + return 0; + } + } + if(email) { + nickserv_set_email_addr(hi, email); + free(email); + } + if(mask) { + char* mask_canonicalized = canonicalize_hostmask(strdup(mask)); + string_list_append(hi->masks, mask_canonicalized); + } + if(nickserv_conf.sync_log) + SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, "@", handle); } } -#else - if (!hi) { - return NULL; - } +#endif - if (!checkpass(password, hi->passwd)) { + /* hi should now be a valid handle, if not return NULL */ + if (!hi) return NULL; - } -#endif + #ifdef WITH_LDAP - /* ldap libs are present but we are not using them... */ - if( !nickserv_conf.ldap_enable ) { - if (!hi) { - return NULL; - } - if (!checkpass(password, hi->passwd)) { - return NULL; - } + if (password && *password && !nickserv_conf.ldap_enable) { +#else + if (password && *password) { +#endif + if (checkpass(password, hi->passwd)) + auth++; } - else if( (!hi) && ldap_result == LDAP_SUCCESS && nickserv_conf.ldap_autocreate) { - /* user not found, but authed to ldap successfully.. - * create the account. - */ - char *mask; - int rc; - - /* Add a *@* mask */ - /* TODO if userhost is not null, build mask based on that. */ - if(nickserv_conf.default_hostmask) - mask = "*@*"; - else - return NULL; /* They dont have a *@* mask so they can't loc */ - - if(!(hi = nickserv_register(NULL, NULL, handle, password, 0))) { - return 0; /* couldn't add the user for some reason */ - } - - if((rc = ldap_get_user_info(handle, &email) != LDAP_SUCCESS)) - { - if(nickserv_conf.email_required) { - return 0; + + if (!auth && sslfp && *sslfp && hi->sslfps->used) { + /* If any SSL fingerprint matches, allow it. */ + for (ii=0; iisslfps->used; ii++) { + if (!irccasecmp(sslfp, hi->sslfps->list[ii])) { + auth++; + break; } - } - if(email) { - nickserv_set_email_addr(hi, email); - free(email); - } - if(mask) { - char* mask_canonicalized = canonicalize_hostmask(strdup(mask)); - string_list_append(hi->masks, mask_canonicalized); - } - if(nickserv_conf.sync_log) - SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, "@", handle); + } } -#endif - - /* Still no account, so just fail out */ - if (!hi) { + + /* Auth should have succeeded by this point */ + if (!auth) return NULL; - } /* We don't know the users hostname, or anything because they * havn't registered yet. So we can only allow LOC if your @@ -2063,16 +2214,37 @@ struct handle_info *loc_auth(char *handle, char *password, char *userhost) */ if(userhost) { char *buf; - char *ident; - char *realhost; - char *ip; + char *ident = NULL; + char *realhost = NULL; + char *ip = NULL; char *uh; char *ui; + char *c; + int bracket = 0; buf = strdup(userhost); - ident = mysep(&buf, "@"); - realhost = mysep(&buf, ":"); - ip = mysep(&buf, ":"); + + ident = buf; + for (c = buf; *c; c++) { + if ((realhost == NULL) && (*c == '@')) { + *c++ = '\0'; + if (*c == '[') { + bracket = 1; + *c++ = '\0'; + } + realhost = c; + } else if (bracket && (ip == NULL) && (*c == ']')) { + bracket = 0; + *c = '\0'; + } else if (!bracket && (ip == NULL) && (*c == ':')) { + *c++ = '\0'; + ip = c; + break; + } + } + + log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip); + if(!ip || !realhost || !ident) { free(buf); return NULL; /* Invalid AC request, just quit */ @@ -2081,7 +2253,7 @@ struct handle_info *loc_auth(char *handle, char *password, char *userhost) ui = malloc(strlen(userhost)); sprintf(uh, "%s@%s", ident, realhost); sprintf(ui, "%s@%s", ident, ip); - for (ii=0; iimasks->used; ii++) + for (ii=0; iimasks->used; ii++) { if(match_ircglob(uh, hi->masks->list[ii]) || match_ircglob(ui, hi->masks->list[ii])) @@ -2124,9 +2296,8 @@ struct handle_info *loc_auth(char *handle, char *password, char *userhost) static NICKSERV_FUNC(cmd_auth) { - char *privv[MAXNUMPARAMS]; - int privc, i; int pw_arg, used, maxlogins; + int sslfpauth = 0; struct handle_info *hi; const char *passwd; const char *handle; @@ -2180,7 +2351,7 @@ static NICKSERV_FUNC(cmd_auth) } #ifdef WITH_LDAP - if(strchr(argv[1], '<') || strchr(handle, '>')) { + if(strchr(handle, '<') || strchr(handle, '>')) { reply("NSMSG_NO_ANGLEBRACKETS"); return 0; } @@ -2216,7 +2387,7 @@ static NICKSERV_FUNC(cmd_auth) * create the account. */ char *mask; - if(!(hi = nickserv_register(user, NULL, argv[1], argv[2], 0))) { + if(!(hi = nickserv_register(user, user, handle, passwd, 0))) { reply("NSMSG_UNABLE_TO_ADD"); return 0; /* couldn't add the user for some reason */ } @@ -2258,17 +2429,22 @@ static NICKSERV_FUNC(cmd_auth) argv[pw_arg] = "BADMASK"; return 1; } + + if (valid_user_sslfp(user, hi)) + sslfpauth = 1; + #ifdef WITH_LDAP - if( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) || - ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) { + if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) || + ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) { #else - if (!checkpass(passwd, hi->passwd)) { + if (!checkpass(passwd, hi->passwd) && !sslfpauth) { #endif unsigned int n; send_message_type(4, user, cmd->parent->bot, handle_find_message(hi, "NSMSG_PASSWORD_INVALID")); argv[pw_arg] = "BADPASS"; - for (n=0; nauth_policer.params) { user->auth_policer.last_req = now; @@ -2305,9 +2481,9 @@ static NICKSERV_FUNC(cmd_auth) set_user_handle_info(user, hi, 1); if (nickserv_conf.email_required && !hi->email_addr) reply("NSMSG_PLEASE_SET_EMAIL"); - if (!is_secure_password(hi->handle, passwd, NULL)) + if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL)) reply("NSMSG_WEAK_PASSWORD"); - if (hi->passwd[0] != '$') + if (!sslfpauth && (hi->passwd[0] != '$')) cryptpass(passwd, hi->passwd); /* If a channel was waiting for this user to auth, @@ -2321,37 +2497,6 @@ static NICKSERV_FUNC(cmd_auth) if(HANDLE_FLAGGED(hi, AUTOHIDE)) irc_umode(user, "+x"); - if(!IsOper(user)) /* If they arnt already opered.. */ - { - /* Auto Oper users with Opserv access -Life4Christ 8-10-2005 */ - if( nickserv_conf.auto_admin[0] && hi->opserv_level >= opserv_conf_admin_level()) - { - if (nickserv_conf.auto_admin_privs[0]) { - irc_raw_privs(user, nickserv_conf.auto_admin_privs); - privc = split_line(strdup(nickserv_conf.auto_admin_privs), false, MAXNUMPARAMS, privv); - for (i = 0; i < privc; i++) { - client_modify_priv_by_name(user, privv[i], 1); - } - } - irc_umode(user,nickserv_conf.auto_admin); - reply("NSMSG_AUTO_OPER_ADMIN"); - } - else if (nickserv_conf.auto_oper[0] && hi->opserv_level > 0) - { - if (nickserv_conf.auto_oper_privs[0]) { - irc_raw_privs(user, nickserv_conf.auto_oper_privs); - privc = split_line(strdup(nickserv_conf.auto_oper_privs), false, MAXNUMPARAMS, privv); - for (i = 0; i < privc; i++) { - client_modify_priv_by_name(user, privv[i], 1); - } - } - irc_umode(user,nickserv_conf.auto_oper); - reply("NSMSG_AUTO_OPER"); - } - } - - /* Wipe out the pass for the logs */ - if (!hi->masks->used) { irc_in_addr_t ip; string_list_append(hi->masks, generate_hostmask(user, GENMASK_OMITNICK|GENMASK_NO_HIDING|GENMASK_ANY_IDENT)); @@ -2359,26 +2504,31 @@ static NICKSERV_FUNC(cmd_auth) string_list_append(hi->masks, generate_hostmask(user, GENMASK_OMITNICK|GENMASK_BYIP|GENMASK_NO_HIDING|GENMASK_ANY_IDENT)); } + /* Wipe out the pass for the logs */ argv[pw_arg] = "****"; return 1; } static allowauth_func_t *allowauth_func_list; +static void **allowauth_func_list_extra; static unsigned int allowauth_func_size = 0, allowauth_func_used = 0; void -reg_allowauth_func(allowauth_func_t func) +reg_allowauth_func(allowauth_func_t func, void *extra) { if (allowauth_func_used == allowauth_func_size) { if (allowauth_func_size) { allowauth_func_size <<= 1; allowauth_func_list = realloc(allowauth_func_list, allowauth_func_size*sizeof(allowauth_func_t)); + allowauth_func_list_extra = realloc(allowauth_func_list_extra, allowauth_func_size*sizeof(void*)); } else { allowauth_func_size = 8; allowauth_func_list = malloc(allowauth_func_size*sizeof(allowauth_func_t)); + allowauth_func_list_extra = malloc(allowauth_func_size*sizeof(void*)); } } - allowauth_func_list[allowauth_func_used++] = func; + allowauth_func_list[allowauth_func_used] = func; + allowauth_func_list_extra[allowauth_func_used++] = extra; } static NICKSERV_FUNC(cmd_allowauth) @@ -2432,7 +2582,7 @@ static NICKSERV_FUNC(cmd_allowauth) reply("NSMSG_AUTH_UNSPECIAL", target->nick); } for (n=0; ncookie->type) { case ACTIVATION: safestrncpy(hi->passwd, hi->cookie->data, sizeof(hi->passwd)); - if (nickserv_conf.sync_log) - SyncLog("ACCOUNTACC %s", hi->handle); - break; - case PASSWORD_CHANGE: - safestrncpy(hi->passwd, hi->cookie->data, sizeof(hi->passwd)); - if (nickserv_conf.sync_log) - SyncLog("PASSCHANGE %s %s", hi->handle, hi->passwd); - break; - case EMAIL_CHANGE: - if (!hi->email_addr && nickserv_conf.sync_log) { - if (nickserv_conf.sync_log) - SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, hi->cookie->data, user->info); - } #ifdef WITH_LDAP if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) { int rc; - if((rc = ldap_do_modify(hi->handle, NULL, hi->cookie->data)) != LDAP_SUCCESS) { - /* Falied to update email in ldap, but still + if((rc = ldap_do_modify(hi->handle, hi->cookie->data, NULL)) != LDAP_SUCCESS) { + /* Falied to update password in ldap, but still * updated it here.. what should we do? */ - reply("NSMSG_LDAP_FAIL_SEND_EMAIL", ldap_err2string(rc)); - } else { - nickserv_set_email_addr(hi, hi->cookie->data); + reply("NSMSG_LDAP_FAIL", ldap_err2string(rc)); + return 0; } } - else { - nickserv_set_email_addr(hi, hi->cookie->data); - } -#else - nickserv_set_email_addr(hi, hi->cookie->data); #endif if (nickserv_conf.sync_log) - SyncLog("EMAILCHANGE %s %s", hi->handle, hi->cookie->data); + SyncLog("ACCOUNTACC %s", hi->handle); + break; + case PASSWORD_CHANGE: break; + case EMAIL_CHANGE: + break; + case ALLOWAUTH: + break; default: reply("NSMSG_BAD_COOKIE_TYPE", hi->cookie->type); log_module(NS_LOG, LOG_ERROR, "Bad cookie type %d for account %s.", hi->cookie->type, hi->handle); @@ -2886,6 +3023,80 @@ static NICKSERV_FUNC(cmd_odelmask) return nickserv_delmask(cmd, user, hi, argv[2], 1); } +static int +nickserv_addsslfp(struct userNode *user, struct handle_info *hi, const char *sslfp) +{ + unsigned int i; + char *new_sslfp = strdup(sslfp); + for (i=0; isslfps->used; i++) { + if (!irccasecmp(new_sslfp, hi->sslfps->list[i])) { + send_message(user, nickserv, "NSMSG_ADDSSLFP_ALREADY", new_sslfp); + free(new_sslfp); + return 0; + } + } + string_list_append(hi->sslfps, new_sslfp); + send_message(user, nickserv, "NSMSG_ADDSSLFP_SUCCESS", new_sslfp); + return 1; +} + +static NICKSERV_FUNC(cmd_addsslfp) +{ + NICKSERV_MIN_PARMS((user->sslfp ? 1 : 2)); + if ((argc < 2) && (user->sslfp)) { + int res = nickserv_addsslfp(user, user->handle_info, user->sslfp); + return res; + } else { + return nickserv_addsslfp(user, user->handle_info, argv[1]); + } +} + +static NICKSERV_FUNC(cmd_oaddsslfp) +{ + struct handle_info *hi; + + NICKSERV_MIN_PARMS(3); + if (!(hi = get_victim_oper(user, argv[1]))) + return 0; + return nickserv_addsslfp(user, hi, argv[2]); +} + +static int +nickserv_delsslfp(struct svccmd *cmd, struct userNode *user, struct handle_info *hi, const char *del_sslfp) +{ + unsigned int i; + for (i=0; isslfps->used; i++) { + if (!irccasecmp(del_sslfp, hi->sslfps->list[i])) { + char *old_sslfp = hi->sslfps->list[i]; + hi->sslfps->list[i] = hi->sslfps->list[--hi->sslfps->used]; + reply("NSMSG_DELSSLFP_SUCCESS", old_sslfp); + free(old_sslfp); + return 1; + } + } + reply("NSMSG_DELSSLFP_NOT_FOUND"); + return 0; +} + +static NICKSERV_FUNC(cmd_delsslfp) +{ + NICKSERV_MIN_PARMS((user->sslfp ? 1 : 2)); + if ((argc < 2) && (user->sslfp)) { + return nickserv_delsslfp(cmd, user, user->handle_info, user->sslfp); + } else { + return nickserv_delsslfp(cmd, user, user->handle_info, argv[1]); + } +} + +static NICKSERV_FUNC(cmd_odelsslfp) +{ + struct handle_info *hi; + NICKSERV_MIN_PARMS(3); + if (!(hi = get_victim_oper(user, argv[1]))) + return 0; + return nickserv_delsslfp(cmd, user, hi, argv[2]); +} + int nickserv_modify_handle_flags(struct userNode *user, struct userNode *bot, const char *str, unsigned long *padded, unsigned long *premoved) { unsigned int nn, add = 1, pos; @@ -2973,7 +3184,7 @@ set_list(struct svccmd *cmd, struct userNode *user, struct handle_info *hi, int /* Do this so options are presented in a consistent order. */ for (i = 0; i < ArrayLength(set_display); ++i) if ((opt = dict_find(nickserv_opt_dict, set_display[i], NULL))) - opt(cmd, user, hi, override, 0, NULL); + opt(cmd, user, hi, override, 0, 0, NULL); reply("NSMSG_SETTING_LIST_END"); } @@ -2991,7 +3202,7 @@ static NICKSERV_FUNC(cmd_set) reply("NSMSG_INVALID_OPTION", argv[1]); return 0; } - return opt(cmd, user, hi, 0, argc-1, argv+1); + return opt(cmd, user, hi, 0, 0, argc-1, argv+1); } static NICKSERV_FUNC(cmd_oset) @@ -3014,7 +3225,7 @@ static NICKSERV_FUNC(cmd_oset) return 0; } - return opt(cmd, user, hi, 1, argc-2, argv+2); + return opt(cmd, user, hi, 1, 0, argc-2, argv+2); } static OPTION_FUNC(opt_info) @@ -3030,7 +3241,8 @@ static OPTION_FUNC(opt_info) } info = hi->infoline ? hi->infoline : user_find_message(user, "MSG_NONE"); - reply("NSMSG_SET_INFO", info); + if (!(noreply)) + reply("NSMSG_SET_INFO", info); return 1; } @@ -3044,7 +3256,8 @@ static OPTION_FUNC(opt_width) else if (hi->screen_width > MAX_LINE_SIZE) hi->screen_width = MAX_LINE_SIZE; - reply("NSMSG_SET_WIDTH", hi->screen_width); + if (!(noreply)) + reply("NSMSG_SET_WIDTH", hi->screen_width); return 1; } @@ -3058,7 +3271,8 @@ static OPTION_FUNC(opt_tablewidth) else if (hi->screen_width > MAX_LINE_SIZE) hi->table_width = MAX_LINE_SIZE; - reply("NSMSG_SET_TABLEWIDTH", hi->table_width); + if (!(noreply)) + reply("NSMSG_SET_TABLEWIDTH", hi->table_width); return 1; } @@ -3070,12 +3284,14 @@ static OPTION_FUNC(opt_color) else if (disabled_string(argv[1])) HANDLE_CLEAR_FLAG(hi, MIRC_COLOR); else { - reply("MSG_INVALID_BINARY", argv[1]); + if (!(noreply)) + reply("MSG_INVALID_BINARY", argv[1]); return 0; } } - reply("NSMSG_SET_COLOR", user_find_message(user, HANDLE_FLAGGED(hi, MIRC_COLOR) ? "MSG_ON" : "MSG_OFF")); + if (!(noreply)) + reply("NSMSG_SET_COLOR", user_find_message(user, HANDLE_FLAGGED(hi, MIRC_COLOR) ? "MSG_ON" : "MSG_OFF")); return 1; } @@ -3087,12 +3303,14 @@ static OPTION_FUNC(opt_privmsg) else if (disabled_string(argv[1])) HANDLE_CLEAR_FLAG(hi, USE_PRIVMSG); else { - reply("MSG_INVALID_BINARY", argv[1]); + if (!(noreply)) + reply("MSG_INVALID_BINARY", argv[1]); return 0; } } - reply("NSMSG_SET_PRIVMSG", user_find_message(user, HANDLE_FLAGGED(hi, USE_PRIVMSG) ? "MSG_ON" : "MSG_OFF")); + if (!(noreply)) + reply("NSMSG_SET_PRIVMSG", user_find_message(user, HANDLE_FLAGGED(hi, USE_PRIVMSG) ? "MSG_ON" : "MSG_OFF")); return 1; } @@ -3104,12 +3322,14 @@ static OPTION_FUNC(opt_autohide) else if (disabled_string(argv[1])) HANDLE_CLEAR_FLAG(hi, AUTOHIDE); else { - reply("MSG_INVALID_BINARY", argv[1]); + if (!(noreply)) + reply("MSG_INVALID_BINARY", argv[1]); return 0; } } - reply("NSMSG_SET_AUTOHIDE", user_find_message(user, HANDLE_FLAGGED(hi, AUTOHIDE) ? "MSG_ON" : "MSG_OFF")); + if (!(noreply)) + reply("NSMSG_SET_AUTOHIDE", user_find_message(user, HANDLE_FLAGGED(hi, AUTOHIDE) ? "MSG_ON" : "MSG_OFF")); return 1; } @@ -3143,7 +3363,8 @@ static OPTION_FUNC(opt_style) style = "Normal"; } - reply("NSMSG_SET_STYLE", style); + if (!(noreply)) + reply("NSMSG_SET_STYLE", style); return 1; } @@ -3159,7 +3380,8 @@ static OPTION_FUNC(opt_announcements) else if (!strcmp(argv[1], "?") || !irccasecmp(argv[1], "default")) hi->announcements = '?'; else { - reply("NSMSG_INVALID_ANNOUNCE", argv[1]); + if (!(noreply)) + reply("NSMSG_INVALID_ANNOUNCE", argv[1]); return 0; } } @@ -3170,7 +3392,8 @@ static OPTION_FUNC(opt_announcements) case '?': choice = "default"; break; default: choice = "unknown"; break; } - reply("NSMSG_SET_ANNOUNCEMENTS", choice); + if (!(noreply)) + reply("NSMSG_SET_ANNOUNCEMENTS", choice); return 1; } @@ -3181,7 +3404,8 @@ static OPTION_FUNC(opt_password) return 0; } if (!override) { - reply("NSMSG_USE_CMD_PASS"); + if (!(noreply)) + reply("NSMSG_USE_CMD_PASS"); return 0; } @@ -3190,8 +3414,9 @@ static OPTION_FUNC(opt_password) if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) { int rc; if((rc = ldap_do_modify(hi->handle, crypted, NULL)) != LDAP_SUCCESS) { - reply("NSMSG_LDAP_FAIL", ldap_err2string(rc)); - return 0; + if (!(noreply)) + reply("NSMSG_LDAP_FAIL", ldap_err2string(rc)); + return 0; } } #endif @@ -3199,7 +3424,8 @@ static OPTION_FUNC(opt_password) if (nickserv_conf.sync_log) SyncLog("PASSCHANGE %s %s", hi->handle, hi->passwd); - reply("NSMSG_SET_PASSWORD", "***"); + if (!(noreply)) + reply("NSMSG_SET_PASSWORD", "***"); return 1; } @@ -3209,7 +3435,8 @@ static OPTION_FUNC(opt_flags) unsigned int ii, flen; if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } @@ -3220,10 +3447,12 @@ static OPTION_FUNC(opt_flags) if (hi->flags & (1 << ii)) flags[flen++] = handle_flags[ii]; flags[flen] = '\0'; - if (hi->flags) - reply("NSMSG_SET_FLAGS", flags); - else - reply("NSMSG_SET_FLAGS", user_find_message(user, "MSG_NONE")); + if (!(noreply)) { + if (hi->flags) + reply("NSMSG_SET_FLAGS", flags); + else + reply("NSMSG_SET_FLAGS", user_find_message(user, "MSG_NONE")); + } return 1; } @@ -3232,23 +3461,27 @@ static OPTION_FUNC(opt_email) if (argc > 1) { const char *str; if (!valid_email(argv[1])) { - reply("NSMSG_BAD_EMAIL_ADDR"); + if (!(noreply)) + reply("NSMSG_BAD_EMAIL_ADDR"); return 0; } if ((str = mail_prohibited_address(argv[1]))) { - reply("NSMSG_EMAIL_PROHIBITED", argv[1], str); + if (!(noreply)) + reply("NSMSG_EMAIL_PROHIBITED", argv[1], str); return 0; } - if (hi->email_addr && !irccasecmp(hi->email_addr, argv[1])) - reply("NSMSG_EMAIL_SAME"); - else if (!override) + if (hi->email_addr && !irccasecmp(hi->email_addr, argv[1])) { + if (!(noreply)) + reply("NSMSG_EMAIL_SAME"); + } else if (!override) nickserv_make_cookie(user, hi, EMAIL_CHANGE, argv[1], 0); else { #ifdef WITH_LDAP if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) { int rc; if((rc = ldap_do_modify(hi->handle, NULL, argv[1])) != LDAP_SUCCESS) { - reply("NSMSG_LDAP_FAIL", ldap_err2string(rc)); + if (!(noreply)) + reply("NSMSG_LDAP_FAIL", ldap_err2string(rc)); return 0; } } @@ -3256,10 +3489,13 @@ static OPTION_FUNC(opt_email) nickserv_set_email_addr(hi, argv[1]); if (hi->cookie) nickserv_eat_cookie(hi->cookie); - reply("NSMSG_SET_EMAIL", visible_email_addr(user, hi)); + if (!(noreply)) + reply("NSMSG_SET_EMAIL", visible_email_addr(user, hi)); } - } else - reply("NSMSG_SET_EMAIL", visible_email_addr(user, hi)); + } else { + if (!(noreply)) + reply("NSMSG_SET_EMAIL", visible_email_addr(user, hi)); + } return 1; } @@ -3269,13 +3505,15 @@ static OPTION_FUNC(opt_maxlogins) if (argc > 1) { maxlogins = strtoul(argv[1], NULL, 0); if ((maxlogins > nickserv_conf.hard_maxlogins) && !override) { - reply("NSMSG_BAD_MAX_LOGINS", nickserv_conf.hard_maxlogins); + if (!(noreply)) + reply("NSMSG_BAD_MAX_LOGINS", nickserv_conf.hard_maxlogins); return 0; } hi->maxlogins = maxlogins; } maxlogins = hi->maxlogins ? hi->maxlogins : nickserv_conf.default_maxlogins; - reply("NSMSG_SET_MAXLOGINS", maxlogins); + if (!(noreply)) + reply("NSMSG_SET_MAXLOGINS", maxlogins); return 1; } @@ -3287,12 +3525,14 @@ static OPTION_FUNC(opt_advanced) else if (disabled_string(argv[1])) HANDLE_CLEAR_FLAG(hi, ADVANCED); else { - reply("MSG_INVALID_BINARY", argv[1]); + if (!(noreply)) + reply("MSG_INVALID_BINARY", argv[1]); return 0; } } - reply("NSMSG_SET_ADVANCED", user_find_message(user, HANDLE_FLAGGED(hi, ADVANCED) ? "MSG_ON" : "MSG_OFF")); + if (!(noreply)) + reply("NSMSG_SET_ADVANCED", user_find_message(user, HANDLE_FLAGGED(hi, ADVANCED) ? "MSG_ON" : "MSG_OFF")); return 1; } @@ -3301,18 +3541,22 @@ static OPTION_FUNC(opt_language) struct language *lang; if (argc > 1) { lang = language_find(argv[1]); - if (irccasecmp(lang->name, argv[1])) - reply("NSMSG_LANGUAGE_NOT_FOUND", argv[1], lang->name); + if (irccasecmp(lang->name, argv[1])) { + if (!(noreply)) + reply("NSMSG_LANGUAGE_NOT_FOUND", argv[1], lang->name); + } hi->language = lang; } - reply("NSMSG_SET_LANGUAGE", hi->language->name); + if (!(noreply)) + reply("NSMSG_SET_LANGUAGE", hi->language->name); return 1; } static OPTION_FUNC(opt_karma) { if (!override) { - send_message(user, nickserv, "MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + send_message(user, nickserv, "MSG_SETTING_PRIVILEGED", argv[0]); return 0; } @@ -3322,11 +3566,13 @@ static OPTION_FUNC(opt_karma) } else if (argv[1][0] == '-' && isdigit(argv[1][1])) { hi->karma -= strtoul(argv[1] + 1, NULL, 10); } else { - send_message(user, nickserv, "NSMSG_INVALID_KARMA", argv[1]); + if (!(noreply)) + send_message(user, nickserv, "NSMSG_INVALID_KARMA", argv[1]); } } - send_message(user, nickserv, "NSMSG_SET_KARMA", hi->karma); + if (!(noreply)) + send_message(user, nickserv, "NSMSG_SET_KARMA", hi->karma); return 1; } @@ -3365,7 +3611,7 @@ oper_try_set_access(struct userNode *user, struct userNode *bot, struct handle_i } if(nickserv_conf.ldap_enable && *(nickserv_conf.ldap_field_oslevel) && *(nickserv_conf.ldap_admin_dn)) { int rc; - if((rc = ldap_do_oslevel(target->handle, new_level)) != LDAP_SUCCESS) { + if((rc = ldap_do_oslevel(target->handle, new_level, target->opserv_level)) != LDAP_SUCCESS) { send_message(user, bot, "NSMSG_LDAP_FAIL", ldap_err2string(rc)); return 0; } @@ -3384,12 +3630,14 @@ static OPTION_FUNC(opt_level) int res; if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } res = (argc > 1) ? oper_try_set_access(user, nickserv, hi, strtoul(argv[1], NULL, 0)) : 0; - reply("NSMSG_SET_LEVEL", hi->opserv_level); + if (!(noreply)) + reply("NSMSG_SET_LEVEL", hi->opserv_level); return res; } @@ -3400,7 +3648,8 @@ static OPTION_FUNC(opt_epithet) struct userNode *target, *next_un; if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } @@ -3420,22 +3669,25 @@ static OPTION_FUNC(opt_epithet) } } - if (hi->epithet) - reply("NSMSG_SET_EPITHET", hi->epithet); - else - reply("NSMSG_SET_EPITHET", user_find_message(user, "MSG_NONE")); + if (!(noreply)) { + if (hi->epithet) + reply("NSMSG_SET_EPITHET", hi->epithet); + else + reply("NSMSG_SET_EPITHET", user_find_message(user, "MSG_NONE")); + } return 1; } static OPTION_FUNC(opt_title) { char *title; - const char *none; + const char *none = NULL; char *sptr; if ((argc > 1) && oper_has_access(user, nickserv, nickserv_conf.set_title_level, 0)) { if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } @@ -3446,19 +3698,22 @@ static OPTION_FUNC(opt_title) } else { if (strchr(title, '.')) { - reply("NSMSG_TITLE_INVALID"); + if (!(noreply)) + reply("NSMSG_TITLE_INVALID"); return 0; } /* Alphanumeric titles only. */ for(sptr = title; *sptr; sptr++) { if(!isalnum(*sptr) && *sptr != '-') { - reply("NSMSG_TITLE_INVALID"); + if (!(noreply)) + reply("NSMSG_TITLE_INVALID"); return 0; } } if ((strlen(user->handle_info->handle) + strlen(title) + strlen(nickserv_conf.titlehost_suffix) + 2) > HOSTLEN) { - reply("NSMSG_TITLE_TRUNCATED"); + if (!(noreply)) + reply("NSMSG_TITLE_TRUNCATED"); return 0; } free(hi->fakehost); @@ -3496,7 +3751,8 @@ static OPTION_FUNC(opt_title) if (!title) none = user_find_message(user, "MSG_NONE"); - send_message(user, nickserv, "NSMSG_SET_TITLE", title ? title : none); + if (!(noreply)) + send_message(user, nickserv, "NSMSG_SET_TITLE", title ? title : none); return 1; } @@ -3570,13 +3826,15 @@ static OPTION_FUNC(opt_fakehost) if ((argc > 1) && oper_has_access(user, nickserv, nickserv_conf.set_fakehost_level, 0)) { if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } fake = argv[1]; if ((strlen(fake) > HOSTLEN) || (fake[0] == '.')) { - reply("NSMSG_FAKEHOST_INVALID", HOSTLEN); + if (!(noreply)) + reply("NSMSG_FAKEHOST_INVALID", HOSTLEN); return 0; } if (!strcmp(fake, "*")) { @@ -3602,14 +3860,16 @@ static OPTION_FUNC(opt_fakehost) /* Tell them we set the host */ if (!fake) fake = user_find_message(user, "MSG_NONE"); - reply("NSMSG_SET_FAKEHOST", fake); + if (!(noreply)) + reply("NSMSG_SET_FAKEHOST", fake); return 1; } static OPTION_FUNC(opt_note) { if (!override) { - reply("MSG_SETTING_PRIVILEGED", argv[0]); + if (!(noreply)) + reply("MSG_SETTING_PRIVILEGED", argv[0]); return 0; } @@ -3627,7 +3887,8 @@ static OPTION_FUNC(opt_note) } } - reply("NSMSG_SET_NOTE", hi->note ? hi->note->note : user_find_message(user, "MSG_NONE")); + if (!(noreply)) + reply("NSMSG_SET_NOTE", hi->note ? hi->note->note : user_find_message(user, "MSG_NONE")); return 1; } @@ -3876,19 +4137,23 @@ nickserv_saxdb_write(struct saxdb_context *ctx) { saxdb_write_sint(ctx, KEY_KARMA, hi->karma); if (hi->masks->used) saxdb_write_string_list(ctx, KEY_MASKS, hi->masks); + if (hi->sslfps->used) + saxdb_write_string_list(ctx, KEY_SSLFPS, hi->sslfps); if (hi->ignores->used) saxdb_write_string_list(ctx, KEY_IGNORES, hi->ignores); if (hi->maxlogins) saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins); if (hi->nicks) { - struct string_list *slist; struct nick_info *ni; - slist = alloc_string_list(nickserv_conf.nicks_per_handle); - for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick); - saxdb_write_string_list(ctx, KEY_NICKS, slist); - free(slist->list); - free(slist); + saxdb_start_record(ctx, KEY_NICKS_EX, 0); + for (ni = hi->nicks; ni; ni = ni->next) { + saxdb_start_record(ctx, ni->nick, 0); + saxdb_write_int(ctx, KEY_REGISTER_ON, ni->registered); + saxdb_write_int(ctx, KEY_LAST_SEEN, ni->lastseen); + saxdb_end_record(ctx); + } + saxdb_end_record(ctx); } if (hi->opserv_level) saxdb_write_int(ctx, KEY_OPSERV_LEVEL, hi->opserv_level); @@ -3910,21 +4175,25 @@ nickserv_saxdb_write(struct saxdb_context *ctx) { } static handle_merge_func_t *handle_merge_func_list; +static void **handle_merge_func_list_extra; static unsigned int handle_merge_func_size = 0, handle_merge_func_used = 0; void -reg_handle_merge_func(handle_merge_func_t func) +reg_handle_merge_func(handle_merge_func_t func, void *extra) { if (handle_merge_func_used == handle_merge_func_size) { if (handle_merge_func_size) { handle_merge_func_size <<= 1; handle_merge_func_list = realloc(handle_merge_func_list, handle_merge_func_size*sizeof(handle_merge_func_t)); + handle_merge_func_list_extra = realloc(handle_merge_func_list_extra, handle_merge_func_size*sizeof(void*)); } else { handle_merge_func_size = 8; handle_merge_func_list = malloc(handle_merge_func_size*sizeof(handle_merge_func_t)); + handle_merge_func_list_extra = malloc(handle_merge_func_size*sizeof(void*)); } } - handle_merge_func_list[handle_merge_func_used++] = func; + handle_merge_func_list[handle_merge_func_used] = func; + handle_merge_func_list_extra[handle_merge_func_used++] = extra; } static NICKSERV_FUNC(cmd_merge) @@ -3946,7 +4215,7 @@ static NICKSERV_FUNC(cmd_merge) } for (n=0; nnicks) { @@ -3969,6 +4238,16 @@ static NICKSERV_FUNC(cmd_merge) string_list_append(hi_to->masks, strdup(mask)); } + /* Merge the SSL fingerprints. */ + for (ii=0; iisslfps->used; ii++) { + char *sslfp = hi_from->sslfps->list[ii]; + for (jj=0; jjsslfps->used; jj++) + if (!irccasecmp(hi_to->sslfps->list[jj], sslfp)) + break; + if (jj==hi_to->sslfps->used) /* Nothing from the "to" handle covered this sslfp, so add it. */ + string_list_append(hi_to->sslfps, strdup(sslfp)); + } + /* Merge the ignores. */ for (ii=0; iiignores->used; ii++) { char *ignore = hi_from->ignores->list[ii]; @@ -4071,12 +4350,16 @@ struct nickserv_discrim { const char *hostmask; const char *handlemask; const char *emailmask; + const char *titlemask; + const char *setwhat; + const char *setval; + struct svccmd *cmd; #ifdef WITH_LDAP unsigned int inldap; #endif }; -typedef void (*discrim_search_func)(struct userNode *source, struct handle_info *hi); +typedef void (*discrim_search_func)(struct userNode *source, struct handle_info *hi, struct nickserv_discrim *discrim); struct discrim_apply_info { struct nickserv_discrim *discrim; @@ -4101,6 +4384,7 @@ nickserv_discrim_create(struct svccmd *cmd, struct userNode *user, unsigned int discrim->lastseen = LONG_MAX; discrim->min_karma = INT_MIN; discrim->max_karma = INT_MAX; + discrim->cmd = cmd; #ifdef WITH_LDAP discrim->inldap = 2; #endif @@ -4137,6 +4421,14 @@ nickserv_discrim_create(struct svccmd *cmd, struct userNode *user, unsigned int discrim->lastseen = now - ParseInterval(argv[++i]); } else if (!nickserv_conf.disable_nicks && !irccasecmp(argv[i], "nickmask")) { discrim->nickmask = argv[++i]; + } else if (!irccasecmp(argv[i], "setwhat")) { + discrim->setwhat = argv[++i]; + if (!(dict_find(nickserv_opt_dict, discrim->setwhat, NULL))) { + reply("NSMSG_INVALID_OPTION", discrim->setwhat); + goto fail; + } + } else if (!irccasecmp(argv[i], "setvalue")) { + discrim->setval = argv[++i]; } else if (!irccasecmp(argv[i], "hostmask")) { i++; if (!irccasecmp(argv[i], "exact")) { @@ -4183,6 +4475,12 @@ nickserv_discrim_create(struct svccmd *cmd, struct userNode *user, unsigned int } else { discrim->emailmask = argv[i]; } + } else if (!irccasecmp(argv[i], "title")) { + if (!irccasecmp(argv[++i], "*")) { + discrim->titlemask = 0; + } else { + discrim->titlemask = argv[i]; + } } else if (!irccasecmp(argv[i], "access")) { const char *cmp = argv[++i]; if (cmp[0] == '<') { @@ -4249,6 +4547,11 @@ nickserv_discrim_create(struct svccmd *cmd, struct userNode *user, unsigned int static int nickserv_discrim_match(struct nickserv_discrim *discrim, struct handle_info *hi) { + char *title = NULL; + + if (hi->fakehost && (hi->fakehost[0] == '.')) + title = hi->fakehost + 1; + if (((discrim->flags_on & hi->flags) != discrim->flags_on) || (discrim->flags_off & hi->flags) || (discrim->min_registered > hi->registered) @@ -4256,6 +4559,7 @@ nickserv_discrim_match(struct nickserv_discrim *discrim, struct handle_info *hi) || (discrim->lastseen < (hi->users?now:hi->lastseen)) || (discrim->handlemask && !match_ircglob(hi->handle, discrim->handlemask)) || (discrim->emailmask && (!hi->email_addr || !match_ircglob(hi->email_addr, discrim->emailmask))) + || (discrim->titlemask && (!title || !match_ircglob(title, discrim->titlemask))) || (discrim->min_level > hi->opserv_level) || (discrim->max_level < hi->opserv_level) || (discrim->min_karma > hi->karma) @@ -4311,7 +4615,7 @@ nickserv_discrim_search(struct nickserv_discrim *discrim, discrim_search_func ds it = next) { next = iter_next(it); if (nickserv_discrim_match(discrim, iter_data(it))) { - dsf(source, iter_data(it)); + dsf(source, iter_data(it), discrim); matched++; } } @@ -4319,18 +4623,18 @@ nickserv_discrim_search(struct nickserv_discrim *discrim, discrim_search_func ds } static void -search_print_func(struct userNode *source, struct handle_info *match) +search_print_func(struct userNode *source, struct handle_info *match, UNUSED_ARG(struct nickserv_discrim *discrim)) { send_message(source, nickserv, "NSMSG_SEARCH_MATCH", match->handle); } static void -search_count_func(UNUSED_ARG(struct userNode *source), UNUSED_ARG(struct handle_info *match)) +search_count_func(UNUSED_ARG(struct userNode *source), UNUSED_ARG(struct handle_info *match), UNUSED_ARG(struct nickserv_discrim *discrim)) { } static void -search_unregister_func (struct userNode *source, struct handle_info *match) +search_unregister_func (struct userNode *source, struct handle_info *match, UNUSED_ARG(struct nickserv_discrim *discrim)) { if (oper_has_access(source, nickserv, match->opserv_level, 0)) nickserv_unregister_handle(match, source, nickserv); // XXX nickserv hard coded @@ -4338,7 +4642,7 @@ search_unregister_func (struct userNode *source, struct handle_info *match) #ifdef WITH_LDAP static void -search_add2ldap_func (struct userNode *source, struct handle_info *match) +search_add2ldap_func (struct userNode *source, struct handle_info *match, UNUSED_ARG(struct nickserv_discrim *discrim)) { int rc; if(match->email_addr && match->passwd && match->handle) { @@ -4350,6 +4654,22 @@ search_add2ldap_func (struct userNode *source, struct handle_info *match) } #endif +static void +search_set_func (struct userNode *source, struct handle_info *match, struct nickserv_discrim *discrim) +{ + option_func_t *opt; + char *oargv[2]; + + if (!(opt = dict_find(nickserv_opt_dict, discrim->setwhat, NULL))) { + return; + } + + oargv[0] = (char *)discrim->setwhat; + oargv[1] = (char *)discrim->setval; + + opt(discrim->cmd, source, match, 1, 1, 2, oargv); +} + static int nickserv_sort_accounts_by_access(const void *a, const void *b) { @@ -4414,6 +4734,8 @@ static NICKSERV_FUNC(cmd_search) action = search_count_func; else if (!irccasecmp(argv[1], "unregister")) action = search_unregister_func; + else if (!irccasecmp(argv[1], "set")) + action = search_set_func; #ifdef WITH_LDAP else if (nickserv_conf.ldap_enable && !irccasecmp(argv[1], "add2ldap")) action = search_add2ldap_func; @@ -4434,6 +4756,8 @@ static NICKSERV_FUNC(cmd_search) reply("NSMSG_ACCOUNT_SEARCH_RESULTS"); else if (action == search_count_func) discrim->limit = INT_MAX; + else if ((action == search_set_func) && (!(discrim->setwhat) || !(discrim->setval))) + return reply("MSG_MISSING_PARAMS", argv[1]); matches = nickserv_discrim_search(discrim, action, user); @@ -4484,10 +4808,12 @@ static void nickserv_db_read_handle(char *handle, dict_t obj) { const char *str; - struct string_list *masks, *slist, *ignores; + struct string_list *masks, *sslfps, *slist, *ignores; struct handle_info *hi; struct userNode *authed_users; struct userData *channel_list; + struct dict *obj2; + dict_iterator_t it; unsigned long int id; unsigned int ii; dict_t subdb; @@ -4524,6 +4850,8 @@ nickserv_db_read_handle(char *handle, dict_t obj) hi->channels = channel_list; masks = database_get_data(obj, KEY_MASKS, RECDB_STRING_LIST); hi->masks = masks ? string_list_copy(masks) : alloc_string_list(1); + sslfps = database_get_data(obj, KEY_SSLFPS, RECDB_STRING_LIST); + hi->sslfps = sslfps ? string_list_copy(sslfps) : alloc_string_list(1); ignores = database_get_data(obj, KEY_IGNORES, RECDB_STRING_LIST); hi->ignores = ignores ? string_list_copy(ignores) : alloc_string_list(1); str = database_get_data(obj, KEY_MAXLOGINS, RECDB_QSTRING); @@ -4543,10 +4871,39 @@ nickserv_db_read_handle(char *handle, dict_t obj) hi->karma = str ? strtoul(str, NULL, 0) : 0; /* We want to read the nicks even if disable_nicks is set. This is so * that we don't lose the nick data entirely. */ - slist = database_get_data(obj, KEY_NICKS, RECDB_STRING_LIST); - if (slist) { - for (ii=0; iiused; ii++) - register_nick(slist->list[ii], hi); + obj2 = database_get_data(obj, KEY_NICKS_EX, RECDB_OBJECT); + for(it = dict_first(obj2); it; it = iter_next(it)) + { + struct record_data *rd = iter_data(it); + struct nick_info* ni; + + register_nick(iter_key(it), hi); + ni = get_nick_info(iter_key(it)); + + if (!(ni)) + continue; + + str = database_get_data(rd->d.object, KEY_REGISTER_ON, RECDB_QSTRING); + ni->registered = str ? (time_t)strtoul(str, NULL, 0) : now; + str = database_get_data(rd->d.object, KEY_LAST_SEEN, RECDB_QSTRING); + ni->lastseen = str ? (time_t)strtoul(str, NULL, 0) : ni->registered; + } + if (!obj2) { + slist = database_get_data(obj, KEY_NICKS, RECDB_STRING_LIST); + if (slist) { + for (ii=0; iiused; ii++) { + struct nick_info* ni; + + register_nick(slist->list[ii], hi); + ni = get_nick_info(slist->list[ii]); + + if (!(ni)) + continue; + + ni->registered = hi->registered; + ni->lastseen = ni->registered; + } + } } str = database_get_data(obj, KEY_FLAGS, RECDB_QSTRING); if (str) { @@ -4696,6 +5053,36 @@ expire_handles(UNUSED_ARG(void *data)) timeq_add(now + nickserv_conf.handle_expire_frequency, expire_handles, NULL); } +static void +expire_nicks(UNUSED_ARG(void *data)) +{ + dict_iterator_t it, next; + time_t expiry = nickserv_conf.nick_expire_delay; + struct nick_info *ni; + struct userNode *ui; + + if (!(nickserv_conf.expire_nicks)) + return; + + for (it=dict_first(nickserv_nick_dict); it; it=next) { + next = iter_next(it); + ni = iter_data(it); + if ((ni->owner->opserv_level > 0) + || ((ui = GetUserH(ni->nick)) && (ui->handle_info) && (ui->handle_info == ni->owner)) + || HANDLE_FLAGGED(ni->owner, FROZEN) + || HANDLE_FLAGGED(ni->owner, NODELETE)) { + continue; + } + if ((now - ni->lastseen) > expiry) { + log_module(NS_LOG, LOG_INFO, "Expiring nick %s for inactivity.", ni->nick); + delete_nick(ni); + } + } + + if (nickserv_conf.nick_expire_frequency && nickserv_conf.expire_nicks) + timeq_add(now + nickserv_conf.nick_expire_frequency, expire_nicks, NULL); +} + static void nickserv_load_dict(const char *fname) { @@ -4817,6 +5204,7 @@ nickserv_conf_read(void) str = database_get_data(conf_node, "default_maxlogins", RECDB_QSTRING); nickserv_conf.default_maxlogins = str ? strtoul(str, NULL, 0) : 2; str = database_get_data(conf_node, "hard_maxlogins", RECDB_QSTRING); + nickserv_conf.hard_maxlogins = str ? strtoul(str, NULL, 0) : 10; str = database_get_data(conf_node, KEY_OUNREGISTER_INACTIVE, RECDB_QSTRING); nickserv_conf.ounregister_inactive = str ? ParseInterval(str) : 86400*28; str = database_get_data(conf_node, KEY_OUNREGISTER_FLAGS, RECDB_QSTRING); @@ -4829,7 +5217,6 @@ nickserv_conf_read(void) if(pos) nickserv_conf.ounregister_flags |= 1 << (pos - 1); } - nickserv_conf.hard_maxlogins = str ? strtoul(str, NULL, 0) : 10; if (!nickserv_conf.disable_nicks) { str = database_get_data(conf_node, "reclaim_action", RECDB_QSTRING); nickserv_conf.reclaim_action = str ? reclaim_action_from_string(str) : RECLAIM_NONE; @@ -4839,6 +5226,12 @@ nickserv_conf_read(void) nickserv_conf.auto_reclaim_action = str ? reclaim_action_from_string(str) : RECLAIM_NONE; str = database_get_data(conf_node, "auto_reclaim_delay", RECDB_QSTRING); nickserv_conf.auto_reclaim_delay = str ? ParseInterval(str) : 0; + str = database_get_data(conf_node, KEY_NICK_EXPIRE_FREQ, RECDB_QSTRING); + nickserv_conf.nick_expire_frequency = str ? ParseInterval(str) : 86400; + str = database_get_data(conf_node, KEY_NICK_EXPIRE_DELAY, RECDB_QSTRING); + nickserv_conf.nick_expire_delay = str ? ParseInterval(str) : 86400*30; + str = database_get_data(conf_node, "expire_nicks", RECDB_QSTRING); + nickserv_conf.expire_nicks = str ? enabled_string(str) : 0; } child = database_get_data(conf_node, KEY_FLAG_LEVELS, RECDB_OBJECT); for (it=dict_first(child); it; it=iter_next(it)) { @@ -4938,8 +5331,9 @@ nickserv_conf_read(void) if(nickserv_conf.ldap_enable > 0) { /* ldap is enabled but not compiled in - error out */ log_module(MAIN_LOG, LOG_ERROR, "ldap is enabled in config, but not compiled in!"); - nickserv_conf.ldap_enable = 0; - sleep(5); + exit(2); + /* nickserv_conf.ldap_enable = 0; */ + /* sleep(5); */ } #endif @@ -5010,6 +5404,10 @@ nickserv_reclaim(struct userNode *user, struct nick_info *ni, enum reclaim_actio assert(user); assert(ni); + + if (IsLocal(user)) + return; + switch (action) { case RECLAIM_NONE: /* do nothing */ @@ -5043,6 +5441,7 @@ static int check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { struct nick_info *ni; user->modes &= ~FLAGS_REGNICK; + if (!(ni = get_nick_info(user->nick))) return 0; if (user->handle_info == ni->owner) { @@ -5063,6 +5462,21 @@ check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { return 0; } +static int +new_user_event(struct userNode *user, void *extra) { + /* If the user's server is not bursting, + * the user is authed, the account has autohide set + * and the user doesn't have user mode +x then apply + * the autohide setting. + */ + if (!user->uplink->burst && user->handle_info && + HANDLE_FLAGGED(user->handle_info, AUTOHIDE) && + !IsHiddenHost(user)) + irc_umode(user, "+x"); + + return check_user_nick(user, extra); +} + void handle_account(struct userNode *user, const char *stamp) { @@ -5090,6 +5504,39 @@ ctime(&hi->registered)); log_module(MAIN_LOG, LOG_WARNING, "Using non-P10 code in accounts, not tested at all!"); #endif +#ifdef WITH_LDAP + if(!hi && nickserv_conf.ldap_enable && nickserv_conf.ldap_autocreate && + (ldap_user_exists(stamp) == LDAP_SUCCESS)) { + int rc = 0; + int cont = 1; + char *email = NULL; + char *mask; + + /* First attempt to get the email address from LDAP */ + if((rc = ldap_get_user_info(stamp, &email) != LDAP_SUCCESS)) + if(nickserv_conf.email_required) + cont = 0; + + /* Now try to register the handle */ + if (cont && (hi = nickserv_register(user, user, stamp, NULL, 1))) { + if(nickserv_conf.default_hostmask) + mask = "*@*"; + else + mask = generate_hostmask(user, GENMASK_OMITNICK|GENMASK_NO_HIDING|GENMASK_ANY_IDENT); + + if(mask) { + char* mask_canonicalized = canonicalize_hostmask(strdup(mask)); + string_list_append(hi->masks, mask_canonicalized); + } + + if(email) { + nickserv_set_email_addr(hi, email); + free(email); + } + } + } +#endif + if (hi) { if (HANDLE_FLAGGED(hi, SUSPENDED)) { return; @@ -5101,7 +5548,7 @@ ctime(&hi->registered)); } void -handle_nick_change(struct userNode *user, const char *old_nick) +handle_nick_change(struct userNode *user, const char *old_nick, UNUSED_ARG(void *extra)) { struct handle_info *hi; @@ -5147,10 +5594,333 @@ nickserv_define_func(const char *name, modcmd_func_t func, int min_level, int mu } } +#define SDFLAG_STALE 0x01 /**< SASL session data is stale, delete on next pass. */ + +struct SASLSession +{ + struct SASLSession *next; + struct SASLSession *prev; + struct server* source; + char *buf, *p; + int buflen; + char uid[128]; + char mech[10]; + char *sslclifp; + char *hostmask; + int flags; +}; + +struct SASLSession *saslsessions = NULL; + +void +sasl_delete_session(struct SASLSession *session) +{ + if (!session) + return; + + if (session->buf) + free(session->buf); + session->buf = NULL; + + if (session->sslclifp) + free(session->sslclifp); + session->sslclifp = NULL; + + if (session->hostmask) + free(session->hostmask); + session->hostmask = NULL; + + if (session->next) + session->next->prev = session->prev; + if (session->prev) + session->prev->next = session->next; + else + saslsessions = session->next; + + free(session); +} + +void +sasl_delete_stale(UNUSED_ARG(void *data)) +{ + int delcount = 0; + int remcount = 0; + struct SASLSession *sess = NULL; + struct SASLSession *nextsess = NULL; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Checking for stale sessions"); + + for (sess = saslsessions; sess; sess = nextsess) + { + nextsess = sess->next; + + if (sess->flags & SDFLAG_STALE) + { + delcount++; + sasl_delete_session(sess); + } + else + { + remcount++; + sess->flags |= SDFLAG_STALE; + } + } + + if (delcount) + log_module(NS_LOG, LOG_DEBUG, "SASL: Deleted %d stale sessions, %d remaining", delcount, remcount); + if (remcount) + timeq_add(now + 30, sasl_delete_stale, NULL); +} + +struct SASLSession* +sasl_get_session(const char *uid) +{ + struct SASLSession *sess; + + for (sess = saslsessions; sess; sess = sess->next) + { + if (!strncmp(sess->uid, uid, 128)) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Found session for %s", sess->uid); + return sess; + } + } + + sess = malloc(sizeof(struct SASLSession)); + memset(sess, 0, sizeof(struct SASLSession)); + + strncpy(sess->uid, uid, 128); + + if (!saslsessions) + timeq_add(now + 30, sasl_delete_stale, NULL); + + if (saslsessions) + saslsessions->prev = sess; + sess->next = saslsessions; + saslsessions = sess; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Created session for %s", sess->uid); + return sess; +} + +void +sasl_packet(struct SASLSession *session) +{ + log_module(NS_LOG, LOG_DEBUG, "SASL: Got packet containing: %s", session->buf); + + if (!session->mech[0]) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: No mechanism stored yet, using %s", session->buf); + if (strcmp(session->buf, "PLAIN") && (strcmp(session->buf, "EXTERNAL") || !session->sslclifp)) { + if (!session->sslclifp) + irc_sasl(session->source, session->uid, "M", "PLAIN"); + else + irc_sasl(session->source, session->uid, "M", "PLAIN,EXTERNAL"); + irc_sasl(session->source, session->uid, "D", "F"); + sasl_delete_session(session); + return; + } + + strncpy(session->mech, session->buf, 10); + irc_sasl(session->source, session->uid, "C", "+"); + } + else if (!strcmp(session->mech, "EXTERNAL")) + { + char *raw = NULL; + size_t rawlen = 0; + char *authzid = NULL; + struct handle_info *hi = NULL; + static char buffer[256]; + + base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); + + if (rawlen != 0) + authzid = raw; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials"); + + if (!session->sslclifp) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } else { + if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask))) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + else + { + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + } + + sasl_delete_session(session); + + free(raw); + return; + } + else + { + char *raw = NULL; + size_t rawlen = 0; + char *authzid = NULL; + char *authcid = NULL; + char *passwd = NULL; + char *r = NULL; + unsigned int i = 0, c = 0; + struct handle_info *hi = NULL; + struct handle_info *hii = NULL; + static char buffer[256]; + + base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); + + raw = (char *)realloc(raw, rawlen+1); + raw[rawlen] = '\0'; + + authzid = raw; + r = raw; + for (i=0; isource, session->uid, "D", "F"); + } + else + { + if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask))) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + else + { + if (*authzid && irccasecmp(authzid, authcid)) + { + if (HANDLE_FLAGGED(hi, IMPERSONATE)) + { + hii = hi; + hi = get_handle_info(authzid); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized"); + hi = NULL; + } + } + if (hi) + { + if (hii) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered); + irc_sasl(session->source, session->uid, "I", buffer); + } + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + } + } + + sasl_delete_session(session); + + free(raw); + return; + } + + /* clear stale state */ + session->flags &= ~SDFLAG_STALE; +} + +void +handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, const char *data, const char *ext, UNUSED_ARG(void *extra)) +{ + struct SASLSession* sess = sasl_get_session(uid); + int len = strlen(data); + + sess->source = source; + + if (!strcmp(subcmd, "D")) + { + sasl_delete_session(sess); + return; + } + + if (!strcmp(subcmd, "H")) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data); + sess->hostmask = strdup(data); + return ; + } + + if (strcmp(subcmd, "S") && strcmp(subcmd, "C")) + return; + + if (len == 0) + return; + + if (sess->p == NULL) + { + sess->buf = (char *)malloc(len + 1); + sess->p = sess->buf; + sess->buflen = len; + } + else + { + if (sess->buflen + len + 1 > 8192) /* This is a little much... */ + { + irc_sasl(source, uid, "D", "F"); + sasl_delete_session(sess); + return; + } + + sess->buf = (char *)realloc(sess->buf, sess->buflen + len + 1); + sess->p = sess->buf + sess->buflen; + sess->buflen += len; + } + + memcpy(sess->p, data, len); + sess->buf[len] = '\0'; + + if (ext != NULL) + sess->sslclifp = strdup(ext); + + /* Messages not exactly 400 bytes are the end of a packet. */ + if(len < 400) + { + sasl_packet(sess); + sess->buflen = 0; + if (sess->buf != NULL) + free(sess->buf); + sess->buf = sess->p = NULL; + } +} + static void -nickserv_db_cleanup(void) +nickserv_db_cleanup(UNUSED_ARG(void* extra)) { unreg_del_user_func(nickserv_remove_user, NULL); + unreg_sasl_input_func(handle_sasl_input, NULL); userList_clean(&curr_helpers); policer_params_delete(nickserv_conf.auth_policer_params); dict_delete(nickserv_handle_dict); @@ -5161,30 +5931,55 @@ nickserv_db_cleanup(void) dict_delete(nickserv_id_dict); dict_delete(nickserv_conf.weak_password_dict); free(auth_func_list); + free(auth_func_list_extra); free(unreg_func_list); + free(unreg_func_list_extra); free(rf_list); + free(rf_list_extra); free(allowauth_func_list); + free(allowauth_func_list_extra); free(handle_merge_func_list); + free(handle_merge_func_list_extra); free(failpw_func_list); + free(failpw_func_list_extra); if (nickserv_conf.valid_handle_regex_set) regfree(&nickserv_conf.valid_handle_regex); if (nickserv_conf.valid_nick_regex_set) regfree(&nickserv_conf.valid_nick_regex); } -void handle_loc_auth_oper(struct userNode *user, UNUSED_ARG(struct handle_info *old_handle)) { +void handle_loc_auth_oper(struct userNode *user, UNUSED_ARG(struct handle_info *old_handle), UNUSED_ARG(void *extra)) { + char *privv[MAXNUMPARAMS]; + int privc, i; + if (!*nickserv_conf.auto_oper || !user->handle_info) return; if (!IsOper(user)) { if (*nickserv_conf.auto_admin && user->handle_info->opserv_level >= opserv_conf_admin_level()) { + if (nickserv_conf.auto_admin_privs[0]) { + irc_raw_privs(user, nickserv_conf.auto_admin_privs); + privc = split_line(strdup(nickserv_conf.auto_admin_privs), false, MAXNUMPARAMS, privv); + for (i = 0; i < privc; i++) { + client_modify_priv_by_name(user, privv[i], 1); + } + } irc_umode(user, nickserv_conf.auto_admin); irc_sno(0x1, "%s (%s@%s) is now an IRC Administrator", user->nick, user->ident, user->hostname); + send_message(user, nickserv, "NSMSG_AUTO_OPER_ADMIN"); } else if (*nickserv_conf.auto_oper && user->handle_info->opserv_level) { + if (nickserv_conf.auto_oper_privs[0]) { + irc_raw_privs(user, nickserv_conf.auto_oper_privs); + privc = split_line(strdup(nickserv_conf.auto_oper_privs), false, MAXNUMPARAMS, privv); + for (i = 0; i < privc; i++) { + client_modify_priv_by_name(user, privv[i], 1); + } + } irc_umode(user, nickserv_conf.auto_oper); irc_sno(0x1, "%s (%s@%s) is now an IRC Operator", user->nick, user->ident, user->hostname); + send_message(user, nickserv, "NSMSG_AUTO_OPER"); } } } @@ -5195,17 +5990,21 @@ init_nickserv(const char *nick) struct chanNode *chan; unsigned int i; NS_LOG = log_register_type("NickServ", "file:nickserv.log"); - reg_new_user_func(check_user_nick, NULL); - reg_nick_change_func(handle_nick_change); + reg_new_user_func(new_user_event, NULL); + reg_nick_change_func(handle_nick_change, NULL); reg_del_user_func(nickserv_remove_user, NULL); reg_account_func(handle_account); - reg_auth_func(handle_loc_auth_oper); + reg_auth_func(handle_loc_auth_oper, NULL); + reg_sasl_input_func(handle_sasl_input, NULL); /* set up handle_inverse_flags */ memset(handle_inverse_flags, 0, sizeof(handle_inverse_flags)); for (i=0; handle_flags[i]; i++) { handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1; flag_access_levels[i] = 0; + /* ensure flag I requires a minimum of 999 if not set in the config */ + if ((unsigned char)handle_flags[i] == 'I') + flag_access_levels[i] = 999; } conf_register_reload(nickserv_conf_read); @@ -5230,6 +6029,10 @@ init_nickserv(const char *nick) nickserv_define_func("OADDMASK", cmd_oaddmask, 0, 1, 0); nickserv_define_func("DELMASK", cmd_delmask, -1, 1, 0); nickserv_define_func("ODELMASK", cmd_odelmask, 0, 1, 0); + nickserv_define_func("ADDSSLFP", cmd_addsslfp, -1, 1, 0); + nickserv_define_func("OADDSSLFP", cmd_oaddsslfp, 0, 1, 0); + nickserv_define_func("DELSSLFP", cmd_delsslfp, -1, 1, 0); + nickserv_define_func("ODELSSLFP", cmd_odelsslfp, 0, 1, 0); nickserv_define_func("PASS", cmd_pass, -1, 1, 0); nickserv_define_func("SET", cmd_set, -1, 1, 0); nickserv_define_func("OSET", cmd_oset, 0, 1, 0); @@ -5313,9 +6116,11 @@ init_nickserv(const char *nick) nickserv_service = service_register(nickserv); } saxdb_register("NickServ", nickserv_saxdb_read, nickserv_saxdb_write); - reg_exit_func(nickserv_db_cleanup); + reg_exit_func(nickserv_db_cleanup, NULL); if(nickserv_conf.handle_expire_frequency) timeq_add(now + nickserv_conf.handle_expire_frequency, expire_handles, NULL); + if(nickserv_conf.nick_expire_frequency && nickserv_conf.expire_nicks) + timeq_add(now + nickserv_conf.nick_expire_frequency, expire_nicks, NULL); if(autojoin_channels && nickserv) { for (i = 0; i < autojoin_channels->used; i++) { @@ -5323,6 +6128,7 @@ init_nickserv(const char *nick) AddChannelUser(nickserv, chan)->modes |= MODE_CHANOP; } } + #ifdef WITH_LDAP ldap_do_init(nickserv_conf); #endif