X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/66e1914beb3c8290b6537ec9aaa5c80be63f75e0..c1f9603bba04de9f1bac1fa70145c9f0dfe22277:/ircd/s_user.c diff --git a/ircd/s_user.c b/ircd/s_user.c index 86a8c7cd..1a9d51f4 100644 --- a/ircd/s_user.c +++ b/ircd/s_user.c @@ -48,7 +48,6 @@ #include "hook.h" #include "monitor.h" #include "snomask.h" -#include "blacklist.h" #include "substitution.h" #include "chmode.h" #include "s_assert.h" @@ -82,7 +81,7 @@ int user_modes[256] = { 0, /* O */ 0, /* P */ UMODE_NOFORWARD, /* Q */ - UMODE_REGONLYMSG, /* R */ + 0, /* R */ UMODE_SERVICE, /* S */ 0, /* T */ 0, /* U */ @@ -90,7 +89,7 @@ int user_modes[256] = { 0, /* W */ 0, /* X */ 0, /* Y */ - UMODE_SSLCLIENT, /* Z */ + UMODE_SECURE, /* Z */ /* 0x5B */ 0, 0, 0, 0, 0, 0, /* 0x60 */ UMODE_ADMIN, /* a */ 0, /* b */ @@ -98,7 +97,7 @@ int user_modes[256] = { 0, /* d */ 0, /* e */ 0, /* f */ - UMODE_CALLERID, /* g */ + 0, /* g */ 0, /* h */ UMODE_INVISIBLE, /* i */ 0, /* j */ @@ -189,6 +188,139 @@ show_lusers(struct Client *source_p) Count.totalrestartcount); } +/* check if we should exit a client due to authd decision + * inputs - client server, client connecting + * outputs - true if exited, false if not + * side effects - messages/exits client if authd rejected and not exempt + */ +static bool +authd_check(struct Client *client_p, struct Client *source_p) +{ + struct ConfItem *aconf = source_p->localClient->att_conf; + rb_dlink_list varlist = { NULL, NULL, 0 }; + bool reject = false; + char *reason; + + if(source_p->preClient->auth.accepted == true) + return reject; + + substitution_append_var(&varlist, "nick", source_p->name); + substitution_append_var(&varlist, "ip", source_p->sockhost); + substitution_append_var(&varlist, "host", source_p->host); + substitution_append_var(&varlist, "dnsbl-host", source_p->preClient->auth.data); + substitution_append_var(&varlist, "network-name", ServerInfo.network_name); + reason = substitution_parse(source_p->preClient->auth.reason, &varlist); + + switch(source_p->preClient->auth.cause) + { + case 'B': /* DNSBL */ + { + struct DNSBLEntryStats *stats; + char *dnsbl_name = source_p->preClient->auth.data; + + if(dnsbl_stats != NULL) + if((stats = rb_dictionary_retrieve(dnsbl_stats, dnsbl_name)) != NULL) + stats->hits++; + + if(IsExemptKline(source_p) || IsConfExemptDNSBL(aconf)) + { + sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s, but you are exempt", + source_p->sockhost, dnsbl_name); + break; + } + + sendto_realops_snomask(SNO_REJ, L_NETWIDE, + "Listed on DNSBL %s: %s (%s@%s) [%s] [%s]", + dnsbl_name, source_p->name, source_p->username, source_p->host, + IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost, + source_p->info); + + sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP), + me.name, source_p->name, reason); + + sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s", + source_p->sockhost, dnsbl_name); + add_reject(source_p, NULL, NULL, NULL, "Banned (listed in a DNSBL)"); + exit_client(client_p, source_p, &me, "Banned (listed in a DNSBL)"); + reject = true; + } + break; + case 'O': /* OPM */ + { + char *proxy = source_p->preClient->auth.data; + char *port = strrchr(proxy, ':'); + + if(port == NULL) + { + /* This shouldn't happen, better tell the ops... */ + ierror("authd sent us a malformed OPM string %s", proxy); + sendto_realops_snomask(SNO_GENERAL, L_ALL, + "authd sent us a malformed OPM string %s", proxy); + break; + } + + /* Terminate the proxy type */ + *(port++) = '\0'; + + if(IsExemptKline(source_p) || IsConfExemptProxy(aconf)) + { + sendto_one_notice(source_p, + ":*** Your IP address %s has been detected as an open proxy (type %s, port %s), but you are exempt", + source_p->sockhost, proxy, port); + break; + } + sendto_realops_snomask(SNO_REJ, L_NETWIDE, + "Open proxy %s/%s: %s (%s@%s) [%s] [%s]", + proxy, port, + source_p->name, + source_p->username, source_p->host, + IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost, + source_p->info); + + sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP), + me.name, source_p->name, reason); + + sendto_one_notice(source_p, + ":*** Your IP address %s has been detected as an open proxy (type %s, port %s)", + source_p->sockhost, proxy, port); + add_reject(source_p, NULL, NULL, NULL, "Banned (Open proxy)"); + exit_client(client_p, source_p, &me, "Banned (Open proxy)"); + reject = true; + } + break; + default: /* Unknown, but handle the case properly */ + if(IsExemptKline(source_p)) + { + sendto_one_notice(source_p, + ":*** You were rejected, but you are exempt (reason: %s)", + reason); + break; + } + sendto_realops_snomask(SNO_REJ, L_NETWIDE, + "Rejected by authentication system (reason %s): %s (%s@%s) [%s] [%s]", + reason, source_p->name, source_p->username, source_p->host, + IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost, + source_p->info); + + sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP), + me.name, source_p->name, reason); + + sendto_one_notice(source_p, ":*** Rejected by authentication system: %s", + reason); + add_reject(source_p, NULL, NULL, NULL, "Banned (authentication system)"); + exit_client(client_p, source_p, &me, "Banned (authentication system)"); + reject = true; + break; + } + + if(reject) + ServerStats.is_ref++; + + substitution_free(&varlist); + + return reject; +} + /* ** register_local_user ** This function is called when both NICK and USER messages @@ -212,12 +344,10 @@ show_lusers(struct Client *source_p) ** this is not fair. It should actually request another ** nick from local user or kill him/her... */ - int register_local_user(struct Client *client_p, struct Client *source_p) { struct ConfItem *aconf, *xconf; - struct User *user = source_p->user; char tmpstr2[BUFSIZE]; char ipaddr[HOSTIPLEN]; char myusername[USERLEN+1]; @@ -236,9 +366,9 @@ register_local_user(struct Client *client_p, struct Client *source_p) { if(!(source_p->flags & FLAGS_PINGSENT) && source_p->localClient->random_ping == 0) { - source_p->localClient->random_ping = (unsigned long) (rand() * rand()) << 1; - sendto_one(source_p, "PING :%08lX", - (unsigned long) source_p->localClient->random_ping); + source_p->localClient->random_ping = (uint32_t)(((rand() * rand()) << 1) | 1); + sendto_one(source_p, "PING :%08X", + (unsigned int) source_p->localClient->random_ping); source_p->flags |= FLAGS_PINGSENT; return -1; } @@ -252,11 +382,13 @@ register_local_user(struct Client *client_p, struct Client *source_p) if(source_p->flags & FLAGS_CLICAP) return -1; - /* still has DNSbls to validate against */ - if(rb_dlink_list_length(&source_p->preClient->dnsbl_queries) > 0) + /* Waiting on authd */ + if(source_p->preClient->auth.cid) return -1; - client_p->localClient->last = rb_current_time(); + /* Set firsttime here so that post_registration_delay works from registration, + * rather than initial connection. */ + source_p->localClient->firsttime = client_p->localClient->last = rb_current_time(); /* XXX - fixme. we shouldnt have to build a users buffer twice.. */ if(!IsGotId(source_p) && (strchr(source_p->username, '[') != NULL)) @@ -284,13 +416,13 @@ register_local_user(struct Client *client_p, struct Client *source_p) /* Apply nick override */ if(*source_p->preClient->spoofnick) { - char note[NICKLEN + 10]; + char note[NAMELEN + 10]; del_from_client_hash(source_p->name, source_p); rb_strlcpy(source_p->name, source_p->preClient->spoofnick, NICKLEN + 1); add_to_client_hash(source_p->name, source_p); - snprintf(note, NICKLEN + 10, "Nick: %s", source_p->name); + snprintf(note, sizeof(note), "Nick: %s", source_p->name); rb_note(source_p->localClient->F, note); } @@ -301,7 +433,6 @@ register_local_user(struct Client *client_p, struct Client *source_p) rb_strlcpy(source_p->host, source_p->sockhost, sizeof(source_p->host)); } - aconf = source_p->localClient->att_conf; if(aconf == NULL) @@ -310,7 +441,7 @@ register_local_user(struct Client *client_p, struct Client *source_p) return (CLIENT_EXITED); } - if(IsConfSSLNeeded(aconf) && !IsSSL(source_p)) + if(IsConfSSLNeeded(aconf) && !IsSecure(source_p)) { ServerStats.is_ref++; sendto_one_notice(source_p, ":*** Notice -- You need to use SSL/TLS to use this server"); @@ -318,6 +449,14 @@ register_local_user(struct Client *client_p, struct Client *source_p) return (CLIENT_EXITED); } + if(IsSCTP(source_p) && !IsConfAllowSCTP(aconf)) + { + ServerStats.is_ref++; + sendto_one_notice(source_p, ":*** Notice -- You are not allowed to use SCTP on this server"); + exit_client(client_p, source_p, &me, "SCTP not allowed"); + return (CLIENT_EXITED); + } + if(!IsGotId(source_p)) { const char *p; @@ -350,7 +489,7 @@ register_local_user(struct Client *client_p, struct Client *source_p) } } - if(IsNeedSasl(aconf) && !*user->suser) + if(IsNeedSasl(aconf) && !*source_p->user->suser) { ServerStats.is_ref++; sendto_one_notice(source_p, ":*** Notice -- You need to identify via SASL to use this server"); @@ -388,7 +527,7 @@ register_local_user(struct Client *client_p, struct Client *source_p) } } - /* report if user has &^>= etc. and set flags as needed in source_p */ + /* report and set flags (kline exempt etc.) as needed in source_p */ report_and_set_user_flags(source_p, aconf); /* Limit clients */ @@ -416,51 +555,14 @@ register_local_user(struct Client *client_p, struct Client *source_p) (xconf = find_xline(source_p->info, 1)) != NULL) { ServerStats.is_ref++; - add_reject(source_p, xconf->host, NULL); + add_reject(source_p, xconf->host, NULL, NULL, NULL); exit_client(client_p, source_p, &me, "Bad user info"); return CLIENT_EXITED; } - /* dnsbl check */ - if (source_p->preClient->dnsbl_listed != NULL) - { - if (IsExemptKline(source_p) || IsConfExemptDNSBL(aconf)) - sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s, but you are exempt", - source_p->sockhost, source_p->preClient->dnsbl_listed->host); - else - { - sendto_realops_snomask(SNO_REJ, L_NETWIDE, - "Listed on DNSBL %s: %s (%s@%s) [%s] [%s]", - source_p->preClient->dnsbl_listed->host, - source_p->name, - source_p->username, source_p->host, - IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost, - source_p->info); - - rb_dlink_list varlist = { NULL, NULL, 0 }; - - substitution_append_var(&varlist, "nick", source_p->name); - substitution_append_var(&varlist, "ip", source_p->sockhost); - substitution_append_var(&varlist, "host", source_p->host); - substitution_append_var(&varlist, "dnsbl-host", source_p->preClient->dnsbl_listed->host); - substitution_append_var(&varlist, "network-name", ServerInfo.network_name); - - ServerStats.is_ref++; - - sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP), - me.name, source_p->name, - substitution_parse(source_p->preClient->dnsbl_listed->reject_reason, &varlist)); - - substitution_free(&varlist); - - sendto_one_notice(source_p, ":*** Your IP address %s is listed in %s", - source_p->sockhost, source_p->preClient->dnsbl_listed->host); - source_p->preClient->dnsbl_listed->hits++; - add_reject(source_p, NULL, NULL); - exit_client(client_p, source_p, &me, "*** Banned (DNS blacklist)"); - return CLIENT_EXITED; - } - } + /* authd rejection check */ + if(authd_check(client_p, source_p)) + return CLIENT_EXITED; /* valid user name check */ @@ -528,12 +630,12 @@ register_local_user(struct Client *client_p, struct Client *source_p) */ if(!*source_p->id) { - strcpy(source_p->id, generate_uid()); + rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id)); add_to_id_hash(source_p->id, source_p); } - if (IsSSL(source_p)) - source_p->umodes |= UMODE_SSLCLIENT; + if (IsSecure(source_p)) + source_p->umodes |= UMODE_SECURE; if (source_p->umodes & UMODE_INVISIBLE) Count.invisi++; @@ -572,7 +674,7 @@ register_local_user(struct Client *client_p, struct Client *source_p) free_pre_client(source_p); - introduce_client(client_p, source_p, user, source_p->name, 1); + introduce_client(client_p, source_p, source_p->user, source_p->name, 1); return 0; } @@ -825,7 +927,7 @@ report_and_set_user_flags(struct Client *source_p, struct ConfItem *aconf) if(IsConfExemptDNSBL(aconf)) /* kline exempt implies this, don't send both */ if(!IsConfExemptKline(aconf)) - sendto_one_notice(source_p, ":*** You are exempt from DNS blacklists"); + sendto_one_notice(source_p, ":*** You are exempt from DNSBL listings"); /* If this user is exempt from user limits set it F lined" */ if(IsConfExemptLimits(aconf)) @@ -945,7 +1047,7 @@ user_mode(struct Client *client_p, struct Client *source_p, int parc, const char if(source_p != target_p) { - if (MyOper(source_p) && parc < 3) + if (HasPrivilege(source_p, "auspex:umodes") && parc < 3) show_other_user_mode(source_p, target_p); else sendto_one(source_p, form_str(ERR_USERSDONTMATCH), me.name, source_p->name); @@ -1014,19 +1116,21 @@ user_mode(struct Client *client_p, struct Client *source_p, int parc, const char if(MyConnect(source_p)) { source_p->umodes &= ~ConfigFileEntry.oper_only_umodes; - if (!(source_p->umodes & UMODE_SERVNOTICE) && source_p->snomask != 0) - { - source_p->snomask = 0; - showsnomask = true; - } - source_p->flags2 &= ~OPER_FLAGS; - - rb_free(source_p->localClient->opername); - source_p->localClient->opername = NULL; + source_p->flags &= ~OPER_FLAGS; rb_dlinkFindDestroy(source_p, &local_oper_list); - privilegeset_unref(source_p->localClient->privset); - source_p->localClient->privset = NULL; + } + + if(source_p->user->opername != NULL) + { + rb_free(source_p->user->opername); + source_p->user->opername = NULL; + } + + if(source_p->user->privset != NULL) + { + privilegeset_unref(source_p->user->privset); + source_p->user->privset = NULL; } rb_dlinkFindDestroy(source_p, &oper_list); @@ -1049,8 +1153,8 @@ user_mode(struct Client *client_p, struct Client *source_p, int parc, const char case 's': if (MyConnect(source_p)) { - if(!IsOper(source_p) - && (ConfigFileEntry.oper_only_umodes & UMODE_SERVNOTICE)) + if((ConfigFileEntry.oper_only_umodes & UMODE_SERVNOTICE) && + (!IsOper(source_p) || !HasPrivilege(source_p, "usermode:servnotice"))) { if (what == MODE_ADD || source_p->umodes & UMODE_SERVNOTICE) badflag = true; @@ -1109,6 +1213,18 @@ user_mode(struct Client *client_p, struct Client *source_p, int parc, const char if(badflag) sendto_one(source_p, form_str(ERR_UMODEUNKNOWNFLAG), me.name, source_p->name); + if(MyClient(source_p)) + { + if ((ConfigFileEntry.oper_only_umodes & UMODE_SERVNOTICE) && + !HasPrivilege(source_p, "usermode:servnotice")) + source_p->umodes &= ~UMODE_SERVNOTICE; + if (!(source_p->umodes & UMODE_SERVNOTICE) && source_p->snomask != 0) + { + source_p->snomask = 0; + showsnomask = true; + } + } + if(MyClient(source_p) && (source_p->snomask & SNO_NCHANGE) && !IsOperN(source_p)) { sendto_one_notice(source_p, ":*** You need oper and nick_changes flag for +s +n"); @@ -1128,6 +1244,9 @@ user_mode(struct Client *client_p, struct Client *source_p, int parc, const char source_p->umodes &= ~UMODE_ADMIN; } + if(MyClient(source_p)) + source_p->handler = IsOperGeneral(source_p) ? OPER_HANDLER : CLIENT_HANDLER; + /* let modules providing usermodes know that we've changed our usermode --nenolod */ hdata.client = source_p; hdata.oldumodes = setflags; @@ -1312,9 +1431,9 @@ oper_up(struct Client *source_p, struct oper_conf *oper_p) SetExtendChans(source_p); SetExemptKline(source_p); - source_p->flags2 |= oper_p->flags; - source_p->localClient->opername = rb_strdup(oper_p->name); - source_p->localClient->privset = privilegeset_ref(oper_p->privset); + source_p->flags |= oper_p->flags; + source_p->user->opername = rb_strdup(oper_p->name); + source_p->user->privset = privilegeset_ref(oper_p->privset); rb_dlinkAddAlloc(source_p, &local_oper_list); rb_dlinkAddAlloc(source_p, &oper_list); @@ -1325,14 +1444,24 @@ oper_up(struct Client *source_p, struct oper_conf *oper_p) source_p->snomask &= ~SNO_NCHANGE; if(!IsOperOperwall(source_p)) source_p->umodes &= ~UMODE_OPERWALL; + if((ConfigFileEntry.oper_only_umodes & UMODE_SERVNOTICE) && + !HasPrivilege(source_p, "usermode:servnotice")) + { + source_p->umodes &= ~UMODE_SERVNOTICE; + source_p->snomask = 0; + } hdata.client = source_p; hdata.oldumodes = old; hdata.oldsnomask = oldsnomask; call_hook(h_umode_changed, &hdata); + source_p->handler = IsOperGeneral(source_p) ? OPER_HANDLER : CLIENT_HANDLER; + sendto_realops_snomask(SNO_GENERAL, L_ALL, "%s (%s!%s@%s) is now an operator", oper_p->name, source_p->name, source_p->username, source_p->host); + sendto_server(NULL, NULL, CAP_TS6, NOCAPS, ":%s OPER %s %s", + use_id(source_p), oper_p->name, oper_p->privset->name); if(!(old & UMODE_INVISIBLE) && IsInvisible(source_p)) ++Count.invisi; if((old & UMODE_INVISIBLE) && !IsInvisible(source_p))