1 /* +------------------------------------+
2 * | Inspire Internet Relay Chat Daemon |
3 * +------------------------------------+
5 * InspIRCd: (C) 2002-2009 InspIRCd Development Team
6 * See: http://wiki.inspircd.org/Credits
8 * This program is free but copyrighted software; see
9 * the file COPYING for details.
11 * ---------------------------------------------------
17 /* $ModDesc: Provides masking of user hostnames */
18 /* $ModDep: m_hash.h */
20 /** Handles user mode +x
22 class CloakUser : public ModeHandler
34 /** This function takes a domain name string and returns just the last two domain parts,
35 * or the last domain part if only two are available. Failing that it just returns what it was given.
37 * For example, if it is passed "svn.inspircd.org" it will return ".inspircd.org".
38 * If it is passed "brainbox.winbot.co.uk" it will return ".co.uk",
39 * and if it is passed "localhost.localdomain" it will return ".localdomain".
41 * This is used to ensure a significant part of the host is always cloaked (see Bug #216)
43 std::string LastTwoDomainParts(const std::string &host)
46 std::string::size_type splitdot = host.length();
48 for (std::string::size_type x = host.length() - 1; x; --x)
59 if (splitdot == host.length())
62 return host.substr(splitdot);
65 CloakUser(InspIRCd* Instance, Module* source, Module* Hash)
66 : ModeHandler(Instance, source, 'x', 0, 0, false, MODETYPE_USER, false), HashProvider(Hash)
70 ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string ¶meter, bool adding)
72 /* For remote clients, we dont take any action, we just allow it.
73 * The local server where they are will set their cloak instead.
74 * This is fine, as we will recieve it later.
78 dest->SetMode('x',adding);
79 return MODEACTION_ALLOW;
82 /* don't allow this user to spam modechanges */
83 dest->IncreasePenalty(5);
87 if(!dest->IsModeSet('x'))
89 /* The mode is being turned on - so attempt to
90 * allocate the user a cloaked host using a non-reversible
91 * algorithm (its simple, but its non-reversible so the
92 * simplicity doesnt really matter). This algorithm
93 * will not work if the user has only one level of domain
94 * naming in their hostname (e.g. if they are on a lan or
95 * are connecting via localhost) -- this doesnt matter much.
100 if (!dest->GetExt("cloaked_host", cloak))
102 /* Force creation of missing cloak */
103 creator->OnUserConnect(dest);
105 if (dest->GetExt("cloaked_host", cloak))
107 dest->ChangeDisplayedHost(cloak->c_str());
108 dest->SetMode('x',true);
109 return MODEACTION_ALLOW;
115 if (dest->IsModeSet('x'))
117 /* User is removing the mode, so just restore their real host
118 * and make it match the displayed one.
120 dest->ChangeDisplayedHost(dest->host.c_str());
121 dest->SetMode('x',false);
122 return MODEACTION_ALLOW;
126 return MODEACTION_DENY;
129 std::string Cloak4(const char* ip)
131 unsigned int iv[] = { key1, key2, key3, key4 };
132 irc::sepstream seps(ip, '.');
134 std::string octet[4];
137 for (int j = 0; j < 4; j++)
139 seps.GetToken(octet[j]);
140 i[j] = atoi(octet[j].c_str());
143 octet[3] = octet[0] + "." + octet[1] + "." + octet[2] + "." + octet[3];
144 octet[2] = octet[0] + "." + octet[1] + "." + octet[2];
145 octet[1] = octet[0] + "." + octet[1];
147 /* Reset the Hash module and send it our IV */
148 HashResetRequest(creator, HashProvider).Send();
149 HashKeyRequest(creator, HashProvider, iv).Send();
151 /* Send the Hash module a different hex table for each octet group's Hash sum */
152 for (int k = 0; k < 4; k++)
154 HashHexRequest(creator, HashProvider, xtab[(iv[k]+i[k]) % 4]).Send();
155 ra[k] = std::string(HashSumRequest(creator, HashProvider, octet[k]).Send()).substr(0,6);
157 /* Stick them all together */
158 return std::string().append(ra[0]).append(".").append(ra[1]).append(".").append(ra[2]).append(".").append(ra[3]);
161 std::string Cloak6(const char* ip)
163 unsigned int iv[] = { key1, key2, key3, key4 };
164 std::vector<std::string> hashies;
168 /* Reset the Hash module and send it our IV */
169 HashResetRequest(creator, HashProvider).Send();
170 HashKeyRequest(creator, HashProvider, iv).Send();
172 for (const char* input = ip; *input; input++)
175 if (item.length() > 7)
177 /* Send the Hash module a different hex table for each octet group's Hash sum */
178 HashHexRequest(creator, HashProvider, xtab[(key1+rounds) % 4]).Send();
179 hashies.push_back(std::string(HashSumRequest(creator, HashProvider, item).Send()).substr(0,8));
186 /* Send the Hash module a different hex table for each octet group's Hash sum */
187 HashHexRequest(creator, HashProvider, xtab[(key1+rounds) % 4]).Send();
188 hashies.push_back(std::string(HashSumRequest(creator, HashProvider, item).Send()).substr(0,8));
191 /* Stick them all together */
192 return irc::stringjoiner(":", hashies, 0, hashies.size() - 1).GetJoined();
197 ConfigReader Conf(ServerInstance);
200 /* These are *not* using the need_positive parameter of ReadInteger -
201 * that will limit the valid values to only the positive values in a
202 * signed int. Instead, accept any value that fits into an int and
203 * cast it to an unsigned int. That will, a bit oddly, give us the full
204 * spectrum of an unsigned integer. - Special */
205 key1 = key2 = key3 = key4 = 0;
206 key1 = (unsigned int) Conf.ReadInteger("cloak","key1",0,false);
207 key2 = (unsigned int) Conf.ReadInteger("cloak","key2",0,false);
208 key3 = (unsigned int) Conf.ReadInteger("cloak","key3",0,false);
209 key4 = (unsigned int) Conf.ReadInteger("cloak","key4",0,false);
210 prefix = Conf.ReadValue("cloak","prefix",0);
211 ipalways = Conf.ReadFlag("cloak", "ipalways", 0);
212 lowercase = Conf.ReadFlag("cloak", "lowercase", 0);
216 xtab[0] = "F92E45D871BCA630";
217 xtab[1] = "A1B9D80C72E653F4";
218 xtab[2] = "1ABC078934DEF562";
219 xtab[3] = "ABCDEF5678901234";
223 xtab[0] = "f92e45d871bca630";
224 xtab[1] = "a1b9d80c72e653f4";
225 xtab[2] = "1abc078934def562";
226 xtab[3] = "abcdef5678901234";
230 prefix = ServerInstance->Config->Network;
232 if (!key1 || !key2 || !key3 || !key4)
236 detail = "<cloak:key1> is not valid, it may be set to a too high/low value, or it may not exist.";
238 detail = "<cloak:key2> is not valid, it may be set to a too high/low value, or it may not exist.";
240 detail = "<cloak:key3> is not valid, it may be set to a too high/low value, or it may not exist.";
242 detail = "<cloak:key4> is not valid, it may be set to a too high/low value, or it may not exist.";
244 throw ModuleException("You have not defined cloak keys for m_cloaking!!! THIS IS INSECURE AND SHOULD BE CHECKED! - " + detail);
250 class ModuleCloaking : public Module
256 ModuleCloaking(InspIRCd* Me)
259 /* Attempt to locate the md5 service provider, bail if we can't find it */
260 Module* HashModule = ServerInstance->Modules->Find("m_md5.so");
262 throw ModuleException("Can't find m_md5.so. Please load m_md5.so before m_cloaking.so.");
264 cu = new CloakUser(ServerInstance, this, HashModule);
270 catch (ModuleException &e)
276 /* Register it with the core */
277 if (!ServerInstance->Modes->AddMode(cu))
280 throw ModuleException("Could not add new modes!");
283 ServerInstance->Modules->UseInterface("HashRequest");
285 Implementation eventlist[] = { I_OnRehash, I_OnUserDisconnect, I_OnCleanup, I_OnCheckBan, I_OnUserConnect, I_OnSyncUser, I_OnCleanup };
286 ServerInstance->Modules->Attach(eventlist, this, 6);
288 CloakExistingUsers();
291 void OnSyncUser(User* user, Module* proto,void* opaque)
294 if (user->GetExt("cloaked_host", cloak) && proto->ProtoTranslate(NULL) == "?")
295 proto->ProtoSendMetaData(opaque, user, "cloaked_host", *cloak);
298 void CloakExistingUsers()
301 for (std::vector<User*>::iterator u = ServerInstance->Users->local_users.begin(); u != ServerInstance->Users->local_users.end(); u++)
303 if (!(*u)->GetExt("cloaked_host", cloak))
310 virtual ModResult OnCheckBan(User* user, Channel* chan)
314 /* Check if they have a cloaked host, but are not using it */
315 if (user->GetExt("cloaked_host", tofree) && *tofree != user->dhost)
317 snprintf(mask, MAXBUF, "%s!%s@%s", user->nick.c_str(), user->ident.c_str(), tofree->c_str());
318 for (BanList::iterator i = chan->bans.begin(); i != chan->bans.end(); i++)
320 if (InspIRCd::Match(mask,i->data))
324 return MOD_RES_PASSTHRU;
329 /* Needs to be after m_banexception etc. */
330 ServerInstance->Modules->SetPriority(this, I_OnCheckBan, PRIORITY_LAST);
332 /* but before m_conn_umodes, so host is generated ready to apply */
333 Module *um = ServerInstance->Modules->Find("m_conn_umodes.so");
334 ServerInstance->Modules->SetPriority(this, I_OnUserConnect, PRIORITY_AFTER, &um);
337 virtual void OnUserDisconnect(User* user)
340 if (user->GetExt("cloaked_host", tofree))
343 user->Shrink("cloaked_host");
347 virtual void OnCleanup(int target_type, void* item)
349 if (target_type == TYPE_USER)
350 OnUserDisconnect((User*)item);
353 virtual ~ModuleCloaking()
355 ServerInstance->Modes->DelMode(cu);
357 ServerInstance->Modules->DoneWithInterface("HashRequest");
360 virtual Version GetVersion()
362 // returns the version number of the module to be
363 // listed in /MODULES
364 return Version("$Id$", VF_COMMON|VF_VENDOR,API_VERSION);
367 virtual void OnRehash(User* user)
372 virtual void OnUserConnect(User* dest)
375 if (dest->GetExt("cloaked_host", tofree))
378 if (dest->host.find('.') != std::string::npos || dest->host.find(':') != std::string::npos)
380 unsigned int iv[] = { cu->key1, cu->key2, cu->key3, cu->key4 };
381 std::string a = cu->LastTwoDomainParts(dest->host);
384 /* InspIRCd users have two hostnames; A displayed
385 * hostname which can be modified by modules (e.g.
386 * to create vhosts, implement chghost, etc) and a
387 * 'real' hostname which you shouldnt write to.
390 /* 2008/08/18: add <cloak:ipalways> which always cloaks
391 * the IP, for anonymity. --nenolod
395 /** Reset the Hash module, and send it our IV and hex table */
396 HashResetRequest(this, cu->HashProvider).Send();
397 HashKeyRequest(this, cu->HashProvider, iv).Send();
398 HashHexRequest(this, cu->HashProvider, cu->xtab[(dest->host[0]) % 4]);
400 /* Generate a cloak using specialized Hash */
401 std::string hostcloak = cu->prefix + "-" + std::string(HashSumRequest(this, cu->HashProvider, dest->host.c_str()).Send()).substr(0,8) + a;
403 /* Fix by brain - if the cloaked host is > the max length of a host (64 bytes
404 * according to the DNS RFC) then tough titty, they get cloaked as an IP.
405 * Their ISP shouldnt go to town on subdomains, or they shouldnt have a kiddie
408 std::string testaddr;
410 if (!irc::sockets::satoap(&dest->client_sa, testaddr, testport) && (hostcloak.length() <= 64))
411 /* not a valid address, must have been a host, so cloak as a host */
413 else if (dest->client_sa.sa.sa_family == AF_INET6)
414 b = cu->Cloak6(dest->GetIPString());
416 b = cu->Cloak4(dest->GetIPString());
420 if (dest->client_sa.sa.sa_family == AF_INET6)
421 b = cu->Cloak6(dest->GetIPString());
423 b = cu->Cloak4(dest->GetIPString());
426 dest->Extend("cloaked_host", new std::string(b));
432 MODULE_INIT(ModuleCloaking)