#include "hook.h"
#include "monitor.h"
#include "snomask.h"
-#include "blacklist.h"
#include "substitution.h"
#include "chmode.h"
#include "s_assert.h"
0, /* O */
0, /* P */
UMODE_NOFORWARD, /* Q */
- UMODE_REGONLYMSG, /* R */
+ 0, /* R */
UMODE_SERVICE, /* S */
0, /* T */
0, /* U */
0, /* d */
0, /* e */
0, /* f */
- UMODE_CALLERID, /* g */
+ 0, /* g */
0, /* h */
UMODE_INVISIBLE, /* i */
0, /* j */
Count.totalrestartcount);
}
+/* check if we should exit a client due to authd decision
+ * inputs - client server, client connecting
+ * outputs - true if exited, false if not
+ * side effects - messages/exits client if authd rejected and not exempt
+ */
+static bool
+authd_check(struct Client *client_p, struct Client *source_p)
+{
+ struct ConfItem *aconf = source_p->localClient->att_conf;
+ rb_dlink_list varlist = { NULL, NULL, 0 };
+ bool reject = false;
+ char *reason;
+
+ if(source_p->preClient->auth.accepted == true)
+ return reject;
+
+ substitution_append_var(&varlist, "nick", source_p->name);
+ substitution_append_var(&varlist, "ip", source_p->sockhost);
+ substitution_append_var(&varlist, "host", source_p->host);
+ substitution_append_var(&varlist, "dnsbl-host", source_p->preClient->auth.data);
+ substitution_append_var(&varlist, "network-name", ServerInfo.network_name);
+ reason = substitution_parse(source_p->preClient->auth.reason, &varlist);
+
+ switch(source_p->preClient->auth.cause)
+ {
+ case 'B': /* DNSBL */
+ {
+ struct DNSBLEntryStats *stats;
+ char *dnsbl_name = source_p->preClient->auth.data;
+
+ if(dnsbl_stats != NULL)
+ if((stats = rb_dictionary_retrieve(dnsbl_stats, dnsbl_name)) != NULL)
+ stats->hits++;
+
+ if(IsExemptKline(source_p) || IsConfExemptDNSBL(aconf))
+ {
+ sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s, but you are exempt",
+ source_p->sockhost, dnsbl_name);
+ break;
+ }
+
+ sendto_realops_snomask(SNO_REJ, L_NETWIDE,
+ "Listed on DNSBL %s: %s (%s@%s) [%s] [%s]",
+ dnsbl_name, source_p->name, source_p->username, source_p->host,
+ IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
+ source_p->info);
+
+ sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
+ me.name, source_p->name, reason);
+
+ sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s",
+ source_p->sockhost, dnsbl_name);
+ add_reject(source_p, NULL, NULL, NULL, "Banned (listed in a DNSBL)");
+ exit_client(client_p, source_p, &me, "Banned (listed in a DNSBL)");
+ reject = true;
+ }
+ break;
+ case 'O': /* OPM */
+ {
+ char *proxy = source_p->preClient->auth.data;
+ char *port = strrchr(proxy, ':');
+
+ if(port == NULL)
+ {
+ /* This shouldn't happen, better tell the ops... */
+ ierror("authd sent us a malformed OPM string %s", proxy);
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "authd sent us a malformed OPM string %s", proxy);
+ break;
+ }
+
+ /* Terminate the proxy type */
+ *(port++) = '\0';
+
+ if(IsExemptKline(source_p) || IsConfExemptProxy(aconf))
+ {
+ sendto_one_notice(source_p,
+ ":*** Your IP address %s has been detected as an open proxy (type %s, port %s), but you are exempt",
+ source_p->sockhost, proxy, port);
+ break;
+ }
+ sendto_realops_snomask(SNO_REJ, L_NETWIDE,
+ "Open proxy %s/%s: %s (%s@%s) [%s] [%s]",
+ proxy, port,
+ source_p->name,
+ source_p->username, source_p->host,
+ IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
+ source_p->info);
+
+ sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
+ me.name, source_p->name, reason);
+
+ sendto_one_notice(source_p,
+ ":*** Your IP address %s has been detected as an open proxy (type %s, port %s)",
+ source_p->sockhost, proxy, port);
+ add_reject(source_p, NULL, NULL, NULL, "Banned (Open proxy)");
+ exit_client(client_p, source_p, &me, "Banned (Open proxy)");
+ reject = true;
+ }
+ break;
+ default: /* Unknown, but handle the case properly */
+ if(IsExemptKline(source_p))
+ {
+ sendto_one_notice(source_p,
+ ":*** You were rejected, but you are exempt (reason: %s)",
+ reason);
+ break;
+ }
+ sendto_realops_snomask(SNO_REJ, L_NETWIDE,
+ "Rejected by authentication system (reason %s): %s (%s@%s) [%s] [%s]",
+ reason, source_p->name, source_p->username, source_p->host,
+ IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
+ source_p->info);
+
+ sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
+ me.name, source_p->name, reason);
+
+ sendto_one_notice(source_p, ":*** Rejected by authentication system: %s",
+ reason);
+ add_reject(source_p, NULL, NULL, NULL, "Banned (authentication system)");
+ exit_client(client_p, source_p, &me, "Banned (authentication system)");
+ reject = true;
+ break;
+ }
+
+ if(reject)
+ ServerStats.is_ref++;
+
+ substitution_free(&varlist);
+
+ return reject;
+}
+
/*
** register_local_user
** This function is called when both NICK and USER messages
** this is not fair. It should actually request another
** nick from local user or kill him/her...
*/
-
int
register_local_user(struct Client *client_p, struct Client *source_p)
{
struct ConfItem *aconf, *xconf;
- struct User *user = source_p->user;
char tmpstr2[BUFSIZE];
char ipaddr[HOSTIPLEN];
char myusername[USERLEN+1];
{
if(!(source_p->flags & FLAGS_PINGSENT) && source_p->localClient->random_ping == 0)
{
- source_p->localClient->random_ping = (unsigned long) (rand() * rand()) << 1;
- sendto_one(source_p, "PING :%08lX",
- (unsigned long) source_p->localClient->random_ping);
+ source_p->localClient->random_ping = (uint32_t)(((rand() * rand()) << 1) | 1);
+ sendto_one(source_p, "PING :%08X",
+ (unsigned int) source_p->localClient->random_ping);
source_p->flags |= FLAGS_PINGSENT;
return -1;
}
if(source_p->flags & FLAGS_CLICAP)
return -1;
- /* still has DNSbls to validate against */
- if(rb_dlink_list_length(&source_p->preClient->dnsbl_queries) > 0)
+ /* Waiting on authd */
+ if(source_p->preClient->auth.cid)
return -1;
- client_p->localClient->last = rb_current_time();
+ /* Set firsttime here so that post_registration_delay works from registration,
+ * rather than initial connection. */
+ source_p->localClient->firsttime = client_p->localClient->last = rb_current_time();
/* XXX - fixme. we shouldnt have to build a users buffer twice.. */
if(!IsGotId(source_p) && (strchr(source_p->username, '[') != NULL))
/* Apply nick override */
if(*source_p->preClient->spoofnick)
{
- char note[NICKLEN + 10];
+ char note[NAMELEN + 10];
del_from_client_hash(source_p->name, source_p);
rb_strlcpy(source_p->name, source_p->preClient->spoofnick, NICKLEN + 1);
add_to_client_hash(source_p->name, source_p);
- snprintf(note, NICKLEN + 10, "Nick: %s", source_p->name);
+ snprintf(note, sizeof(note), "Nick: %s", source_p->name);
rb_note(source_p->localClient->F, note);
}
rb_strlcpy(source_p->host, source_p->sockhost, sizeof(source_p->host));
}
-
aconf = source_p->localClient->att_conf;
if(aconf == NULL)
return (CLIENT_EXITED);
}
+ if(IsSCTP(source_p) && !IsConfAllowSCTP(aconf))
+ {
+ ServerStats.is_ref++;
+ sendto_one_notice(source_p, ":*** Notice -- You are not allowed to use SCTP on this server");
+ exit_client(client_p, source_p, &me, "SCTP not allowed");
+ return (CLIENT_EXITED);
+ }
+
if(!IsGotId(source_p))
{
const char *p;
}
}
- if(IsNeedSasl(aconf) && !*user->suser)
+ if(IsNeedSasl(aconf) && !*source_p->user->suser)
{
ServerStats.is_ref++;
sendto_one_notice(source_p, ":*** Notice -- You need to identify via SASL to use this server");
}
}
- /* report if user has &^>= etc. and set flags as needed in source_p */
+ /* report and set flags (kline exempt etc.) as needed in source_p */
report_and_set_user_flags(source_p, aconf);
/* Limit clients */
(xconf = find_xline(source_p->info, 1)) != NULL)
{
ServerStats.is_ref++;
- add_reject(source_p, xconf->host, NULL);
+ add_reject(source_p, xconf->host, NULL, NULL, NULL);
exit_client(client_p, source_p, &me, "Bad user info");
return CLIENT_EXITED;
}
- /* dnsbl check */
- if (source_p->preClient->dnsbl_listed != NULL)
- {
- if (IsExemptKline(source_p) || IsConfExemptDNSBL(aconf))
- sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s, but you are exempt",
- source_p->sockhost, source_p->preClient->dnsbl_listed->host);
- else
- {
- sendto_realops_snomask(SNO_REJ, L_NETWIDE,
- "Listed on DNSBL %s: %s (%s@%s) [%s] [%s]",
- source_p->preClient->dnsbl_listed->host,
- source_p->name,
- source_p->username, source_p->host,
- IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
- source_p->info);
-
- rb_dlink_list varlist = { NULL, NULL, 0 };
-
- substitution_append_var(&varlist, "nick", source_p->name);
- substitution_append_var(&varlist, "ip", source_p->sockhost);
- substitution_append_var(&varlist, "host", source_p->host);
- substitution_append_var(&varlist, "dnsbl-host", source_p->preClient->dnsbl_listed->host);
- substitution_append_var(&varlist, "network-name", ServerInfo.network_name);
-
- ServerStats.is_ref++;
-
- sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
- me.name, source_p->name,
- substitution_parse(source_p->preClient->dnsbl_listed->reject_reason, &varlist));
-
- substitution_free(&varlist);
-
- sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s",
- source_p->sockhost, source_p->preClient->dnsbl_listed->host);
- source_p->preClient->dnsbl_listed->hits++;
- add_reject(source_p, NULL, NULL);
- exit_client(client_p, source_p, &me, "*** Banned (DNS blacklist)");
- return CLIENT_EXITED;
- }
- }
+ /* authd rejection check */
+ if(authd_check(client_p, source_p))
+ return CLIENT_EXITED;
/* valid user name check */
*/
if(!*source_p->id)
{
- strcpy(source_p->id, generate_uid());
+ rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
add_to_id_hash(source_p->id, source_p);
}
- if (IsSSL(source_p))
+ if (IsSSL(source_p) && !IsInsecure(source_p))
source_p->umodes |= UMODE_SSLCLIENT;
if (source_p->umodes & UMODE_INVISIBLE)
free_pre_client(source_p);
- introduce_client(client_p, source_p, user, source_p->name, 1);
+ introduce_client(client_p, source_p, source_p->user, source_p->name, 1);
return 0;
}
if(IsConfExemptDNSBL(aconf))
/* kline exempt implies this, don't send both */
if(!IsConfExemptKline(aconf))
- sendto_one_notice(source_p, ":*** You are exempt from DNS blacklists");
+ sendto_one_notice(source_p, ":*** You are exempt from DNSBL listings");
/* If this user is exempt from user limits set it F lined" */
if(IsConfExemptLimits(aconf))
source_p->snomask = 0;
showsnomask = true;
}
- source_p->flags2 &= ~OPER_FLAGS;
-
- rb_free(source_p->localClient->opername);
- source_p->localClient->opername = NULL;
+ source_p->flags &= ~OPER_FLAGS;
rb_dlinkFindDestroy(source_p, &local_oper_list);
- privilegeset_unref(source_p->localClient->privset);
- source_p->localClient->privset = NULL;
+ }
+
+ if(source_p->user->opername != NULL)
+ {
+ rb_free(source_p->user->opername);
+ source_p->user->opername = NULL;
+ }
+
+ if(source_p->user->privset != NULL)
+ {
+ privilegeset_unref(source_p->user->privset);
+ source_p->user->privset = NULL;
}
rb_dlinkFindDestroy(source_p, &oper_list);
SetExtendChans(source_p);
SetExemptKline(source_p);
- source_p->flags2 |= oper_p->flags;
- source_p->localClient->opername = rb_strdup(oper_p->name);
- source_p->localClient->privset = privilegeset_ref(oper_p->privset);
+ source_p->flags |= oper_p->flags;
+ source_p->user->opername = rb_strdup(oper_p->name);
+ source_p->user->privset = privilegeset_ref(oper_p->privset);
rb_dlinkAddAlloc(source_p, &local_oper_list);
rb_dlinkAddAlloc(source_p, &oper_list);
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"%s (%s!%s@%s) is now an operator", oper_p->name, source_p->name,
source_p->username, source_p->host);
+ sendto_server(NULL, NULL, CAP_TS6, NOCAPS, ":%s OPER %s %s",
+ use_id(source_p), oper_p->name, oper_p->privset->name);
if(!(old & UMODE_INVISIBLE) && IsInvisible(source_p))
++Count.invisi;
if((old & UMODE_INVISIBLE) && !IsInvisible(source_p))
projects / solanum.git / blobdiff