X-Git-Url: https://jfr.im/git/irc/evilnet/x3.git/blobdiff_plain/d18d752ebf7b72228ed3978446b8e45cec374bcb..a3da4b66b05fa77dec803e29b525c464cbd5d37c:/src/nickserv.c diff --git a/src/nickserv.c b/src/nickserv.c index dfcb698..b85d5ad 100644 --- a/src/nickserv.c +++ b/src/nickserv.c @@ -18,6 +18,7 @@ * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ +#include "base64.h" #include "chanserv.h" #include "conf.h" #include "config.h" @@ -220,7 +221,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_NICK_NOT_REGISTERED", "Nick $b%s$b has not been registered to any account." }, { "NSMSG_HANDLE_NOT_FOUND", "Could not find your account -- did you register yet?" }, { "NSMSG_ALREADY_AUTHED", "You are already authed to account $b%s$b; you must reconnect to auth to a different account." }, - { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $S authcookie %1$s)" }, + { "NSMSG_USE_AUTHCOOKIE", "Your hostmask is not valid for account $b%1$s$b. Please use the $bauthcookie$b command to grant yourself access. (/msg $N authcookie %1$s)" }, { "NSMSG_HOSTMASK_INVALID", "Your hostmask is not valid for account $b%s$b." }, { "NSMSG_USER_IS_SERVICE", "$b%s$b is a network service; you can only use that command on real users." }, { "NSMSG_USER_PREV_AUTH", "$b%s$b is already authenticated." }, @@ -250,8 +251,10 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_COOKIE_EMAIL", "Cookie: There is currently an email change cookie issued for this account" }, { "NSMSG_HANDLEINFO_COOKIE_ALLOWAUTH", "Cookie: There is currently an allowauth cookie issued for this account" }, { "NSMSG_HANDLEINFO_COOKIE_UNKNOWN", "Cookie: There is currently an unknown cookie issued for this account" }, + { "NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", "Cookie: New email address: %s" }, { "NSMSG_HANDLEINFO_INFOLINE", "Infoline: %s" }, { "NSMSG_HANDLEINFO_FLAGS", "Flags: %s" }, + { "NSMSG_HANDLEINFO_OPSERV_LEVEL", "Opserv level: %d " }, { "NSMSG_HANDLEINFO_EPITHET", "Epithet: %s" }, { "NSMSG_HANDLEINFO_NOTE", "Note (by %s on %s): %s " }, { "NSMSG_HANDLEINFO_FAKEHOST", "Fake host: %s" }, @@ -261,7 +264,7 @@ static const struct message_entry msgtab[] = { { "NSMSG_HANDLEINFO_LAST_HOST_UNKNOWN", "Last quit hostmask: Unknown" }, { "NSMSG_HANDLEINFO_NICKS", "Nickname(s): %s" }, { "NSMSG_HANDLEINFO_MASKS", "Hostmask(s): %s" }, - { "NSMSG_HANDLEINFO_SSLFPS", "SSL Fingerprints(s): %s" }, + { "NSMSG_HANDLEINFO_SSLFPS", "Client Certificate Fingerprints(s): %s" }, { "NSMSG_HANDLEINFO_IGNORES", "Ignore(s): %s" }, { "NSMSG_HANDLEINFO_CHANNELS", "Channel(s): %s" }, { "NSMSG_HANDLEINFO_CURRENT", "Current nickname(s): %s" }, @@ -296,13 +299,13 @@ static const struct message_entry msgtab[] = { { "NSMSG_ADDMASK_SUCCESS", "Hostmask %s added." }, { "NSMSG_ADDIGNORE_ALREADY", "$b%s$b is already an ignored hostmask in your account." }, { "NSMSG_ADDIGNORE_SUCCESS", "Hostmask %s added." }, - { "NSMSG_ADDSSLFP_ALREADY", "$b%s$b is already an SSL fingerprint in your account." }, - { "NSMSG_ADDSSLFP_SUCCESS", "SSL fingerprint %s added." }, + { "NSMSG_ADDSSLFP_ALREADY", "$b%s$b is already a client certificate fingerprint in your account." }, + { "NSMSG_ADDSSLFP_SUCCESS", "Client certificate fingerprint %s added." }, { "NSMSG_DELMASK_NOTLAST", "You may not delete your last hostmask." }, { "NSMSG_DELMASK_SUCCESS", "Hostmask %s deleted." }, { "NSMSG_DELMASK_NOT_FOUND", "Unable to find mask to be deleted." }, - { "NSMSG_DELSSLFP_SUCCESS", "SSL fingerprint %s deleted." }, - { "NSMSG_DELSSLFP_NOT_FOUND", "Unable to find SSL fingerprint to be deleted." }, + { "NSMSG_DELSSLFP_SUCCESS", "Client certificate fingerprint %s deleted." }, + { "NSMSG_DELSSLFP_NOT_FOUND", "Unable to find client certificate fingerprint to be deleted." }, { "NSMSG_OPSERV_LEVEL_BAD", "You may not promote another oper above your level." }, { "NSMSG_USE_CMD_PASS", "Please use the PASS command to change your password." }, { "NSMSG_UNKNOWN_NICK", "I know nothing about nick $b%s$b." }, @@ -363,13 +366,13 @@ static const struct message_entry msgtab[] = { { "NSMSG_SET_FLAGS", "$bFLAGS: $b%s" }, { "NSMSG_SET_EMAIL", "$bEMAIL: $b%s" }, { "NSMSG_SET_MAXLOGINS", "$bMAXLOGINS: $b%d" }, - { "NSMSG_SET_ADVANCED", "$bADVANCED: $b%s" }, + { "NSMSG_SET_ADVANCED", "$bADVANCED: $b%s" }, { "NSMSG_SET_LANGUAGE", "$bLANGUAGE: $b%s" }, { "NSMSG_SET_LEVEL", "$bLEVEL: $b%d" }, { "NSMSG_SET_EPITHET", "$bEPITHET: $b%s" }, { "NSMSG_SET_NOTE", "$bNOTE: $b%s"}, { "NSMSG_SET_TITLE", "$bTITLE: $b%s" }, - { "NSMSG_SET_FAKEHOST", "$bFAKEHOST: $b%s" }, + { "NSMSG_SET_FAKEHOST", "$bFAKEHOST: $b%s" }, { "NSMSG_AUTO_OPER", "You have been auto-opered" }, { "NSMSG_AUTO_OPER_ADMIN", "You have been auto-admined" }, @@ -967,7 +970,7 @@ generate_fakehost(struct handle_info *handle) if (data) style = atoi(data); - if (style == 1) + if ((style == 1) || (style == 3)) snprintf(buffer, sizeof(buffer), "%s.%s", handle->handle, hidden_host_suffix); else if (style == 2) { /* Due to the way fakehost is coded theres no way i can @@ -976,7 +979,10 @@ generate_fakehost(struct handle_info *handle) for (target = handle->users; target; target = target->next_authed) break; - snprintf(buffer, sizeof(buffer), "%s", target->crypthost); + if (target) + snprintf(buffer, sizeof(buffer), "%s", target->crypthost); + else + strncpy(buffer, "none", sizeof(buffer)); } return buffer; } else if (handle->fakehost[0] == '.') { @@ -1131,7 +1137,7 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha { struct handle_info *hi; struct nick_info *ni; - char crypted[MD5_CRYPT_LENGTH]; + char crypted[MD5_CRYPT_LENGTH] = ""; if ((hi = dict_find(nickserv_handle_dict, handle, NULL))) { if(user) @@ -1146,14 +1152,17 @@ nickserv_register(struct userNode *user, struct userNode *settee, const char *ha return 0; } - if (!is_secure_password(handle, passwd, user)) - return 0; + if (passwd) + { + if (!is_secure_password(handle, passwd, user)) + return 0; - cryptpass(passwd, crypted); + cryptpass(passwd, crypted); + } #ifdef WITH_LDAP if(nickserv_conf.ldap_enable && nickserv_conf.ldap_admin_dn) { int rc; - rc = ldap_do_add(handle, (no_auth ? NULL : crypted), NULL); + rc = ldap_do_add(handle, (no_auth || !passwd ? NULL : crypted), NULL); if(LDAP_SUCCESS != rc && LDAP_ALREADY_EXISTS != rc ) { if(user) send_message(user, nickserv, "NSMSG_LDAP_FAIL", ldap_err2string(rc)); @@ -1540,7 +1549,7 @@ static NICKSERV_FUNC(cmd_oregister) char* mask = NULL; char* nick = NULL; - NICKSERV_MIN_PARMS(2); + NICKSERV_MIN_PARMS(3); account = argv[1]; pass = argv[2]; @@ -1625,6 +1634,8 @@ static NICKSERV_FUNC(cmd_oregister) string_list_append(hi->masks, mask_canonicalized); } + argv[2] = "****"; + if (nickserv_conf.sync_log) SyncLog("REGISTER %s %s %s %s", hi->handle, hi->passwd, email ? email : "@", user->info); /* Send just @ for email if none */ return 1; @@ -1768,6 +1779,8 @@ static NICKSERV_FUNC(cmd_handleinfo) default: type = "NSMSG_HANDLEINFO_COOKIE_UNKNOWN"; break; } reply(type); + if (IsOper(user) && (hi->cookie->type == EMAIL_CHANGE)) + reply("NSMSG_HANDLEINFO_COOKIE_EMAIL_DATA", hi->cookie->data); } if (hi->flags) { @@ -1783,6 +1796,10 @@ static NICKSERV_FUNC(cmd_handleinfo) reply("NSMSG_HANDLEINFO_FLAGS", nsmsg_none); } + if (hi->opserv_level > 0) { + reply("NSMSG_HANDLEINFO_OPSERV_LEVEL", hi->opserv_level); + } + if (HANDLE_FLAGGED(hi, SUPPORT_HELPER) || HANDLE_FLAGGED(hi, NETWORK_HELPER) || (hi->opserv_level > 0)) { @@ -2063,6 +2080,27 @@ reg_failpw_func(failpw_func_t func, void *extra) failpw_func_list_extra[failpw_func_used++] = extra; } +/* + * Return hi for the first handle that has a matching SSL fingerprint. + */ +struct handle_info *find_handleinfo_by_sslfp(char *sslfp) +{ + dict_iterator_t it; + struct handle_info *hi; + unsigned int ii = 0;; + + for (it = dict_first(nickserv_handle_dict); it; it = iter_next(it)) { + hi = iter_data(it); + for (ii=0; iisslfps->used; ii++) { + if (!irccasecmp(sslfp, hi->sslfps->list[ii])) { + return hi; + } + } + } + + return NULL; +} + /* * Return hi if the handle/pass pair matches, NULL if it doesnt. * @@ -2074,17 +2112,27 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us int wildmask = 0, auth = 0; int used, maxlogins; unsigned int ii; - struct handle_info *hi; + struct handle_info *hi = NULL; struct userNode *other; #ifdef WITH_LDAP int ldap_result = LDAP_SUCCESS; char *email = NULL; #endif - hi = dict_find(nickserv_handle_dict, handle, NULL); + if (handle != NULL) + hi = dict_find(nickserv_handle_dict, handle, NULL); + if (!hi && (sslfp != NULL)) { + hi = find_handleinfo_by_sslfp(sslfp); + if (!handle && (hi != NULL)) + handle = hi->handle; + } + /* Ensure handle is valid if not found in internal DB */ + if (!hi && (!handle || !is_valid_handle(handle))) + return 0; + #ifdef WITH_LDAP - if (nickserv_conf.ldap_enable) { + if (nickserv_conf.ldap_enable && (password != NULL)) { ldap_result = ldap_check_auth(handle, password); if (!hi && (ldap_result != LDAP_SUCCESS)) return NULL; @@ -2166,16 +2214,37 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us */ if(userhost) { char *buf; - char *ident; - char *realhost; - char *ip; + char *ident = NULL; + char *realhost = NULL; + char *ip = NULL; char *uh; char *ui; + char *c; + int bracket = 0; buf = strdup(userhost); - ident = mysep(&buf, "@"); - realhost = mysep(&buf, ":"); - ip = mysep(&buf, ":"); + + ident = buf; + for (c = buf; *c; c++) { + if ((realhost == NULL) && (*c == '@')) { + *c++ = '\0'; + if (*c == '[') { + bracket = 1; + *c++ = '\0'; + } + realhost = c; + } else if (bracket && (ip == NULL) && (*c == ']')) { + bracket = 0; + *c = '\0'; + } else if (!bracket && (ip == NULL) && (*c == ':')) { + *c++ = '\0'; + ip = c; + break; + } + } + + log_module(NS_LOG, LOG_DEBUG, "LOC: ident=%s host=%s ip=%s", ident, realhost, ip); + if(!ip || !realhost || !ident) { free(buf); return NULL; /* Invalid AC request, just quit */ @@ -2225,9 +2294,75 @@ struct handle_info *loc_auth(char *sslfp, char *handle, char *password, char *us return hi; } +void nickserv_do_autoauth(struct userNode *user) +{ + struct handle_info *hi; + struct userNode *other; + int used, maxlogins; + + /* Already authed, nothing to do */ + if (user->handle_info) + return; + + /* No client certificate fingerprint, cant auto auth */ + if (!user->sslfp) + return; + + hi = find_handleinfo_by_sslfp(user->sslfp); + if (!hi) + return; + + /* User doesn't match host masks */ + if (!valid_user_for(user, hi)) { + if (hi->email_addr && nickserv_conf.email_enabled) + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_USE_AUTHCOOKIE"), + hi->handle); + else + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_HOSTMASK_INVALID"), + hi->handle); + return; + } + + /* Account suspended? */ + if (HANDLE_FLAGGED(hi, SUSPENDED)) { + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_HANDLE_SUSPENDED")); + return; + } + + maxlogins = hi->maxlogins ? hi->maxlogins : nickserv_conf.default_maxlogins; + for (used = 0, other = hi->users; other; other = other->next_authed) { + if (++used >= maxlogins) { + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_MAX_LOGINS"), + maxlogins); + return; + } + } + + set_user_handle_info(user, hi, 1); + if (nickserv_conf.email_required && !hi->email_addr) + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_PLEASE_SET_EMAIL")); + + /* If a channel was waiting for this user to auth, + * finish adding them */ + process_adduser_pending(user); + + send_message_type(4, user, nickserv, + handle_find_message(hi, "NSMSG_AUTH_SUCCESS")); + + /* Set +x if autohide is on */ + if(HANDLE_FLAGGED(hi, AUTOHIDE)) + irc_umode(user, "+x"); +} + static NICKSERV_FUNC(cmd_auth) { int pw_arg, used, maxlogins; + int sslfpauth = 0; struct handle_info *hi; const char *passwd; const char *handle; @@ -2281,7 +2416,7 @@ static NICKSERV_FUNC(cmd_auth) } #ifdef WITH_LDAP - if(strchr(argv[1], '<') || strchr(handle, '>')) { + if(strchr(handle, '<') || strchr(handle, '>')) { reply("NSMSG_NO_ANGLEBRACKETS"); return 0; } @@ -2317,7 +2452,7 @@ static NICKSERV_FUNC(cmd_auth) * create the account. */ char *mask; - if(!(hi = nickserv_register(user, user, argv[1], argv[2], 0))) { + if(!(hi = nickserv_register(user, user, handle, passwd, 0))) { reply("NSMSG_UNABLE_TO_ADD"); return 0; /* couldn't add the user for some reason */ } @@ -2359,11 +2494,15 @@ static NICKSERV_FUNC(cmd_auth) argv[pw_arg] = "BADMASK"; return 1; } + + if (valid_user_sslfp(user, hi)) + sslfpauth = 1; + #ifdef WITH_LDAP if(( ( nickserv_conf.ldap_enable && ldap_result == LDAP_INVALID_CREDENTIALS ) || - ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !valid_user_sslfp(user, hi)) { + ( (!nickserv_conf.ldap_enable) && (!checkpass(passwd, hi->passwd)) ) ) && !sslfpauth) { #else - if (!checkpass(passwd, hi->passwd) && !valid_user_sslfp(user, hi)) { + if (!checkpass(passwd, hi->passwd) && !sslfpauth) { #endif unsigned int n; send_message_type(4, user, cmd->parent->bot, @@ -2407,9 +2546,9 @@ static NICKSERV_FUNC(cmd_auth) set_user_handle_info(user, hi, 1); if (nickserv_conf.email_required && !hi->email_addr) reply("NSMSG_PLEASE_SET_EMAIL"); - if (!is_secure_password(hi->handle, passwd, NULL)) + if (!sslfpauth && !is_secure_password(hi->handle, passwd, NULL)) reply("NSMSG_WEAK_PASSWORD"); - if (hi->passwd[0] != '$') + if (!sslfpauth && (hi->passwd[0] != '$')) cryptpass(passwd, hi->passwd); /* If a channel was waiting for this user to auth, @@ -3820,12 +3959,10 @@ static OPTION_FUNC(opt_note) static NICKSERV_FUNC(cmd_reclaim) { - struct handle_info *hi; struct nick_info *ni; struct userNode *victim; NICKSERV_MIN_PARMS(2); - hi = user->handle_info; ni = dict_find(nickserv_nick_dict, argv[1], 0); if (!ni) { reply("NSMSG_UNKNOWN_NICK", argv[1]); @@ -4070,15 +4207,8 @@ nickserv_saxdb_write(struct saxdb_context *ctx) { if (hi->maxlogins) saxdb_write_int(ctx, KEY_MAXLOGINS, hi->maxlogins); if (hi->nicks) { - struct string_list *slist; struct nick_info *ni; - slist = alloc_string_list(nickserv_conf.nicks_per_handle); - for (ni = hi->nicks; ni; ni = ni->next) string_list_append(slist, ni->nick); - saxdb_write_string_list(ctx, KEY_NICKS, slist); - free(slist->list); - free(slist); - saxdb_start_record(ctx, KEY_NICKS_EX, 0); for (ni = hi->nicks; ni; ni = ni->next) { saxdb_start_record(ctx, ni->nick, 0); @@ -5137,6 +5267,7 @@ nickserv_conf_read(void) str = database_get_data(conf_node, "default_maxlogins", RECDB_QSTRING); nickserv_conf.default_maxlogins = str ? strtoul(str, NULL, 0) : 2; str = database_get_data(conf_node, "hard_maxlogins", RECDB_QSTRING); + nickserv_conf.hard_maxlogins = str ? strtoul(str, NULL, 0) : 10; str = database_get_data(conf_node, KEY_OUNREGISTER_INACTIVE, RECDB_QSTRING); nickserv_conf.ounregister_inactive = str ? ParseInterval(str) : 86400*28; str = database_get_data(conf_node, KEY_OUNREGISTER_FLAGS, RECDB_QSTRING); @@ -5149,7 +5280,6 @@ nickserv_conf_read(void) if(pos) nickserv_conf.ounregister_flags |= 1 << (pos - 1); } - nickserv_conf.hard_maxlogins = str ? strtoul(str, NULL, 0) : 10; if (!nickserv_conf.disable_nicks) { str = database_get_data(conf_node, "reclaim_action", RECDB_QSTRING); nickserv_conf.reclaim_action = str ? reclaim_action_from_string(str) : RECLAIM_NONE; @@ -5264,8 +5394,9 @@ nickserv_conf_read(void) if(nickserv_conf.ldap_enable > 0) { /* ldap is enabled but not compiled in - error out */ log_module(MAIN_LOG, LOG_ERROR, "ldap is enabled in config, but not compiled in!"); - nickserv_conf.ldap_enable = 0; - sleep(5); + exit(2); + /* nickserv_conf.ldap_enable = 0; */ + /* sleep(5); */ } #endif @@ -5336,6 +5467,10 @@ nickserv_reclaim(struct userNode *user, struct nick_info *ni, enum reclaim_actio assert(user); assert(ni); + + if (IsLocal(user)) + return; + switch (action) { case RECLAIM_NONE: /* do nothing */ @@ -5369,6 +5504,7 @@ static int check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { struct nick_info *ni; user->modes &= ~FLAGS_REGNICK; + if (!(ni = get_nick_info(user->nick))) return 0; if (user->handle_info == ni->owner) { @@ -5376,9 +5512,10 @@ check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { irc_regnick(user); return 0; } - if (nickserv_conf.warn_nick_owned) + if (nickserv_conf.warn_nick_owned) { send_message(user, nickserv, "NSMSG_RECLAIM_WARN", ni->nick, ni->owner->handle); send_message(user, nickserv, "NSMSG_RECLAIM_HOWTO", ni->owner->handle, nickserv->nick, self->name, ni->owner->handle); + } if (nickserv_conf.auto_reclaim_action == RECLAIM_NONE) return 0; if (nickserv_conf.auto_reclaim_delay) @@ -5389,6 +5526,21 @@ check_user_nick(struct userNode *user, UNUSED_ARG(void *extra)) { return 0; } +static int +new_user_event(struct userNode *user, void *extra) { + /* If the user's server is not bursting, + * the user is authed, the account has autohide set + * and the user doesn't have user mode +x then apply + * the autohide setting. + */ + if (!user->uplink->burst && user->handle_info && + HANDLE_FLAGGED(user->handle_info, AUTOHIDE) && + !IsHiddenHost(user)) + irc_umode(user, "+x"); + + return check_user_nick(user, extra); +} + void handle_account(struct userNode *user, const char *stamp) { @@ -5416,6 +5568,39 @@ ctime(&hi->registered)); log_module(MAIN_LOG, LOG_WARNING, "Using non-P10 code in accounts, not tested at all!"); #endif +#ifdef WITH_LDAP + if(!hi && nickserv_conf.ldap_enable && nickserv_conf.ldap_autocreate && + (ldap_user_exists(stamp) == LDAP_SUCCESS)) { + int rc = 0; + int cont = 1; + char *email = NULL; + char *mask; + + /* First attempt to get the email address from LDAP */ + if((rc = ldap_get_user_info(stamp, &email) != LDAP_SUCCESS)) + if(nickserv_conf.email_required) + cont = 0; + + /* Now try to register the handle */ + if (cont && (hi = nickserv_register(user, user, stamp, NULL, 1))) { + if(nickserv_conf.default_hostmask) + mask = "*@*"; + else + mask = generate_hostmask(user, GENMASK_OMITNICK|GENMASK_NO_HIDING|GENMASK_ANY_IDENT); + + if(mask) { + char* mask_canonicalized = canonicalize_hostmask(strdup(mask)); + string_list_append(hi->masks, mask_canonicalized); + } + + if(email) { + nickserv_set_email_addr(hi, email); + free(email); + } + } + } +#endif + if (hi) { if (HANDLE_FLAGGED(hi, SUSPENDED)) { return; @@ -5473,10 +5658,333 @@ nickserv_define_func(const char *name, modcmd_func_t func, int min_level, int mu } } +#define SDFLAG_STALE 0x01 /**< SASL session data is stale, delete on next pass. */ + +struct SASLSession +{ + struct SASLSession *next; + struct SASLSession *prev; + struct server* source; + char *buf, *p; + int buflen; + char uid[128]; + char mech[10]; + char *sslclifp; + char *hostmask; + int flags; +}; + +struct SASLSession *saslsessions = NULL; + +void +sasl_delete_session(struct SASLSession *session) +{ + if (!session) + return; + + if (session->buf) + free(session->buf); + session->buf = NULL; + + if (session->sslclifp) + free(session->sslclifp); + session->sslclifp = NULL; + + if (session->hostmask) + free(session->hostmask); + session->hostmask = NULL; + + if (session->next) + session->next->prev = session->prev; + if (session->prev) + session->prev->next = session->next; + else + saslsessions = session->next; + + free(session); +} + +void +sasl_delete_stale(UNUSED_ARG(void *data)) +{ + int delcount = 0; + int remcount = 0; + struct SASLSession *sess = NULL; + struct SASLSession *nextsess = NULL; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Checking for stale sessions"); + + for (sess = saslsessions; sess; sess = nextsess) + { + nextsess = sess->next; + + if (sess->flags & SDFLAG_STALE) + { + delcount++; + sasl_delete_session(sess); + } + else + { + remcount++; + sess->flags |= SDFLAG_STALE; + } + } + + if (delcount) + log_module(NS_LOG, LOG_DEBUG, "SASL: Deleted %d stale sessions, %d remaining", delcount, remcount); + if (remcount) + timeq_add(now + 30, sasl_delete_stale, NULL); +} + +struct SASLSession* +sasl_get_session(const char *uid) +{ + struct SASLSession *sess; + + for (sess = saslsessions; sess; sess = sess->next) + { + if (!strncmp(sess->uid, uid, 128)) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Found session for %s", sess->uid); + return sess; + } + } + + sess = malloc(sizeof(struct SASLSession)); + memset(sess, 0, sizeof(struct SASLSession)); + + strncpy(sess->uid, uid, 128); + + if (!saslsessions) + timeq_add(now + 30, sasl_delete_stale, NULL); + + if (saslsessions) + saslsessions->prev = sess; + sess->next = saslsessions; + saslsessions = sess; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Created session for %s", sess->uid); + return sess; +} + +void +sasl_packet(struct SASLSession *session) +{ + log_module(NS_LOG, LOG_DEBUG, "SASL: Got packet containing: %s", session->buf); + + if (!session->mech[0]) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: No mechanism stored yet, using %s", session->buf); + if (strcmp(session->buf, "PLAIN") && (strcmp(session->buf, "EXTERNAL") || !session->sslclifp)) { + if (!session->sslclifp) + irc_sasl(session->source, session->uid, "M", "PLAIN"); + else + irc_sasl(session->source, session->uid, "M", "PLAIN,EXTERNAL"); + irc_sasl(session->source, session->uid, "D", "F"); + sasl_delete_session(session); + return; + } + + strncpy(session->mech, session->buf, 10); + irc_sasl(session->source, session->uid, "C", "+"); + } + else if (!strcmp(session->mech, "EXTERNAL")) + { + char *raw = NULL; + size_t rawlen = 0; + char *authzid = NULL; + struct handle_info *hi = NULL; + static char buffer[256]; + + base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); + + if (rawlen != 0) + authzid = raw; + + log_module(NS_LOG, LOG_DEBUG, "SASL: Checking supplied credentials"); + + if (!session->sslclifp) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Incomplete credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } else { + if (!(hi = loc_auth(session->sslclifp, authzid, NULL, session->hostmask))) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + else + { + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + } + + sasl_delete_session(session); + + free(raw); + return; + } + else + { + char *raw = NULL; + size_t rawlen = 0; + char *authzid = NULL; + char *authcid = NULL; + char *passwd = NULL; + char *r = NULL; + unsigned int i = 0, c = 0; + struct handle_info *hi = NULL; + struct handle_info *hii = NULL; + static char buffer[256]; + + base64_decode_alloc(session->buf, session->buflen, &raw, &rawlen); + + raw = (char *)realloc(raw, rawlen+1); + raw[rawlen] = '\0'; + + authzid = raw; + r = raw; + for (i=0; isource, session->uid, "D", "F"); + } + else + { + if (!(hi = loc_auth(session->sslclifp, authcid, passwd, session->hostmask))) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + else + { + if (*authzid && irccasecmp(authzid, authcid)) + { + if (HANDLE_FLAGGED(hi, IMPERSONATE)) + { + hii = hi; + hi = get_handle_info(authzid); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Impersonation unauthorized"); + hi = NULL; + } + } + if (hi) + { + if (hii) + { + log_module(NS_LOG, LOG_DEBUG, "SASL: %s is ipersonating %s", hii->handle, hi->handle); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hii->handle, hii->registered); + irc_sasl(session->source, session->uid, "I", buffer); + } + log_module(NS_LOG, LOG_DEBUG, "SASL: Valid credentials supplied"); + snprintf(buffer, sizeof(buffer), "%s "FMT_TIME_T, hi->handle, hi->registered); + irc_sasl(session->source, session->uid, "L", buffer); + irc_sasl(session->source, session->uid, "D", "S"); + } + else + { + log_module(NS_LOG, LOG_DEBUG, "SASL: Invalid credentials supplied"); + irc_sasl(session->source, session->uid, "D", "F"); + } + } + } + + sasl_delete_session(session); + + free(raw); + return; + } + + /* clear stale state */ + session->flags &= ~SDFLAG_STALE; +} + +void +handle_sasl_input(struct server* source ,const char *uid, const char *subcmd, const char *data, const char *ext, UNUSED_ARG(void *extra)) +{ + struct SASLSession* sess = sasl_get_session(uid); + int len = strlen(data); + + sess->source = source; + + if (!strcmp(subcmd, "D")) + { + sasl_delete_session(sess); + return; + } + + if (!strcmp(subcmd, "H")) { + log_module(NS_LOG, LOG_DEBUG, "SASL: Storing host mask %s", data); + sess->hostmask = strdup(data); + return ; + } + + if (strcmp(subcmd, "S") && strcmp(subcmd, "C")) + return; + + if (len == 0) + return; + + if (sess->p == NULL) + { + sess->buf = (char *)malloc(len + 1); + sess->p = sess->buf; + sess->buflen = len; + } + else + { + if (sess->buflen + len + 1 > 8192) /* This is a little much... */ + { + irc_sasl(source, uid, "D", "F"); + sasl_delete_session(sess); + return; + } + + sess->buf = (char *)realloc(sess->buf, sess->buflen + len + 1); + sess->p = sess->buf + sess->buflen; + sess->buflen += len; + } + + memcpy(sess->p, data, len); + sess->buf[len] = '\0'; + + if (ext != NULL) + sess->sslclifp = strdup(ext); + + /* Messages not exactly 400 bytes are the end of a packet. */ + if(len < 400) + { + sasl_packet(sess); + sess->buflen = 0; + if (sess->buf != NULL) + free(sess->buf); + sess->buf = sess->p = NULL; + } +} + static void nickserv_db_cleanup(UNUSED_ARG(void* extra)) { unreg_del_user_func(nickserv_remove_user, NULL); + unreg_sasl_input_func(handle_sasl_input, NULL); userList_clean(&curr_helpers); policer_params_delete(nickserv_conf.auth_policer_params); dict_delete(nickserv_handle_dict); @@ -5546,17 +6054,21 @@ init_nickserv(const char *nick) struct chanNode *chan; unsigned int i; NS_LOG = log_register_type("NickServ", "file:nickserv.log"); - reg_new_user_func(check_user_nick, NULL); + reg_new_user_func(new_user_event, NULL); reg_nick_change_func(handle_nick_change, NULL); reg_del_user_func(nickserv_remove_user, NULL); reg_account_func(handle_account); reg_auth_func(handle_loc_auth_oper, NULL); + reg_sasl_input_func(handle_sasl_input, NULL); /* set up handle_inverse_flags */ memset(handle_inverse_flags, 0, sizeof(handle_inverse_flags)); for (i=0; handle_flags[i]; i++) { handle_inverse_flags[(unsigned char)handle_flags[i]] = i + 1; flag_access_levels[i] = 0; + /* ensure flag I requires a minimum of 999 if not set in the config */ + if ((unsigned char)handle_flags[i] == 'I') + flag_access_levels[i] = 999; } conf_register_reload(nickserv_conf_read); @@ -5581,10 +6093,10 @@ init_nickserv(const char *nick) nickserv_define_func("OADDMASK", cmd_oaddmask, 0, 1, 0); nickserv_define_func("DELMASK", cmd_delmask, -1, 1, 0); nickserv_define_func("ODELMASK", cmd_odelmask, 0, 1, 0); - nickserv_define_func("ADDSSLFP", cmd_addsslfp, -1, 1, 0); - nickserv_define_func("OADDSSLFP", cmd_oaddsslfp, 0, 1, 0); - nickserv_define_func("DELSSLFP", cmd_delsslfp, -1, 1, 0); - nickserv_define_func("ODELSSLFP", cmd_odelsslfp, 0, 1, 0); + nickserv_define_func("ADDCERTFP", cmd_addsslfp, -1, 1, 0); + nickserv_define_func("OADDCERTFP", cmd_oaddsslfp, 0, 1, 0); + nickserv_define_func("DELCERTFP", cmd_delsslfp, -1, 1, 0); + nickserv_define_func("ODELCERTFP", cmd_odelsslfp, 0, 1, 0); nickserv_define_func("PASS", cmd_pass, -1, 1, 0); nickserv_define_func("SET", cmd_set, -1, 1, 0); nickserv_define_func("OSET", cmd_oset, 0, 1, 0); @@ -5680,6 +6192,7 @@ init_nickserv(const char *nick) AddChannelUser(nickserv, chan)->modes |= MODE_CHANOP; } } + #ifdef WITH_LDAP ldap_do_init(nickserv_conf); #endif