X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cgiirc.cpp;h=52c24e50ad89eb815173d9abbc46b72efbbf09d2;hb=0a6b1e1a7de92e078a98f0b955d2624e5b85e4c1;hp=7d4f671b9dfcee4f74fa8d5491bde53747a661be;hpb=c9cdf7255356761152f1e679a948f9bc55e07b00;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 7d4f671b9..52c24e50a 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -1,13 +1,18 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2014 md_5 + * Copyright (C) 2014 Googolplexed + * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell + * Copyright (C) 2013 Adam + * Copyright (C) 2012-2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2007-2008 John Brooks - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2007 Robin Burchell + * Copyright (C) 2009 Uli Schlachter + * Copyright (C) 2007-2009 Robin Burchell * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton + * Copyright (C) 2006-2007, 2010 Craig Edwards * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -25,6 +30,7 @@ #include "inspircd.h" #include "modules/ssl.h" +#include "modules/webirc.h" #include "modules/whois.h" enum @@ -33,13 +39,33 @@ enum RPL_WHOISGATEWAY = 350 }; -// We need this method up here so that it can be accessed from anywhere -static void ChangeIP(User* user, const std::string& newip) +// Encapsulates information about an ident host. +class IdentHost { - ServerInstance->Users->RemoveCloneCounts(user); - user->SetClientIP(newip); - ServerInstance->Users->AddClone(user); -} + private: + std::string hostmask; + std::string newident; + + public: + IdentHost(const std::string& mask, const std::string& ident) + : hostmask(mask) + , newident(ident) + { + } + + const std::string& GetIdent() const + { + return newident; + } + + bool Matches(LocalUser* user) const + { + if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map)) + return false; + + return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map); + } +}; // Encapsulates information about a WebIRC host. class WebIRCHost @@ -59,15 +85,15 @@ class WebIRCHost { } - bool Matches(LocalUser* user, const std::string& pass) const + bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const { // Did the user send a valid password? if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) return false; // Does the user have a valid fingerprint? - const std::string fp = SSLClientCert::GetFingerprint(&user->eh); - if (!fingerprint.empty() && fp != fingerprint) + const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; + if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) return false; // Does the user's hostname match our hostmask? @@ -98,38 +124,42 @@ class CommandWebIRC : public SplitCommand StringExtItem gateway; StringExtItem realhost; StringExtItem realip; + UserCertificateAPI sslapi; + Events::ModuleEventProvider webircevprov; CommandWebIRC(Module* Creator) : SplitCommand(Creator, "WEBIRC", 4) , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator) , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator) , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator) + , sslapi(Creator) + , webircevprov(Creator, "event/webirc") { allow_empty_last_param = false; works_before_reg = true; - this->syntax = "password gateway hostname ip"; + this->syntax = " []"; } - CmdResult HandleLocal(const std::vector& parameters, LocalUser* user) CXX11_OVERRIDE + CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE { - if (user->registered == REG_ALL) + if (user->registered == REG_ALL || realhost.get(user)) return CMD_FAILURE; - irc::sockets::sockaddrs ipaddr; - if (!irc::sockets::aptosa(parameters[3], 0, ipaddr)) - { - user->CommandFloodPenalty += 5000; - WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", - user->uuid.c_str(), user->GetIPString().c_str()); - return CMD_FAILURE; - } - for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) { // If we don't match the host then skip to the next host. - if (!iter->Matches(user, parameters[0])) + if (!iter->Matches(user, parameters[0], sslapi)) continue; + irc::sockets::sockaddrs ipaddr; + if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr)) + { + WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); + return CMD_FAILURE; + } + // The user matched a WebIRC block! gateway.set(user, parameters[1]); realhost.set(user, user->GetRealHost()); @@ -138,15 +168,42 @@ class CommandWebIRC : public SplitCommand WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.", user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str()); + // If we have custom flags then deal with them. + WebIRC::FlagMap flags; + const bool hasflags = (parameters.size() > 4); + if (hasflags) + { + // Parse the flags. + irc::spacesepstream flagstream(parameters[4]); + for (std::string flag; flagstream.GetToken(flag); ) + { + // Does this flag have a value? + const size_t separator = flag.find('='); + if (separator == std::string::npos) + { + flags[flag]; + continue; + } + + // The flag has a value! + const std::string key = flag.substr(0, separator); + const std::string value = flag.substr(separator + 1); + flags[key] = value; + } + } + + // Inform modules about the WebIRC attempt. + FOREACH_MOD_CUSTOM(webircevprov, WebIRC::EventListener, OnWebIRCAuth, (user, (hasflags ? &flags : NULL))); + // Set the IP address sent via WEBIRC. We ignore the hostname and lookup // instead do our own DNS lookups because of unreliable gateways. - ChangeIP(user, parameters[3]); + user->SetClientIP(ipaddr); return CMD_SUCCESS; } - user->CommandFloodPenalty += 5000; WriteLog("Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); return CMD_FAILURE; } @@ -164,32 +221,55 @@ class CommandWebIRC : public SplitCommand } }; -class ModuleCgiIRC : public Module, public Whois::EventListener +class ModuleCgiIRC + : public Module + , public WebIRC::EventListener + , public Whois::EventListener { + private: CommandWebIRC cmd; - std::vector hosts; + std::vector hosts; - static void RecheckClass(LocalUser* user) + static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out) { - user->MyClass = NULL; - user->SetClass(); - user->CheckClass(); - } + const char* ident = NULL; + if (user->ident.length() == 8) + { + // The ident is an IPv4 address encoded in hexadecimal with two characters + // per address segment. + ident = user->ident.c_str(); + } + else if (user->ident.length() == 9 && user->ident[0] == '~') + { + // The same as above but m_ident got to this user before we did. Strip the + // ident prefix and continue as normal. + ident = user->ident.c_str() + 1; + } + else + { + // The user either does not have an IPv4 in their ident or the gateway server + // is also running an identd. In the latter case there isn't really a lot we + // can do so we just assume that the client in question is not connecting via + // an ident gateway. + return false; + } - void HandleIdent(LocalUser* user, const std::string& newip) - { - cmd.realhost.set(user, user->GetRealHost()); - cmd.realip.set(user, user->GetIPString()); + // Try to convert the IP address to a string. If this fails then the user + // does not have an IPv4 address in their ident. + errno = 0; + unsigned long address = strtoul(ident, NULL, 16); + if (errno) + return false; - cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s.", - user->uuid.c_str(), user->GetIPString().c_str(), newip.c_str()); - ChangeIP(user, newip); - RecheckClass(user); + out.in4.sin_family = AF_INET; + out.in4.sin_addr.s_addr = htonl(address); + return true; } -public: + public: ModuleCgiIRC() - : Whois::EventListener(this) + : WebIRC::EventListener(this) + , Whois::EventListener(this) , cmd(this) { } @@ -201,7 +281,7 @@ public: void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { - std::vector identhosts; + std::vector identhosts; std::vector webirchosts; ConfigTagList tags = ServerInstance->Config->ConfTags("cgihost"); @@ -219,23 +299,31 @@ public: if (stdalgo::string::equalsci(type, "ident")) { // The IP address should be looked up from the hex IP address. - identhosts.push_back(mask); + const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); + identhosts.push_back(IdentHost(mask, newident)); } else if (stdalgo::string::equalsci(type, "webirc")) { // The IP address will be received via the WEBIRC command. const std::string fingerprint = tag->getString("fingerprint"); const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); // WebIRC blocks require a password. if (fingerprint.empty() && password.empty()) throw ModuleException("When using either the fingerprint or password field is required, at " + tag->getTagLocation()); - webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash"))); + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, " tag at %s contains an plain text password, this is insecure!", + tag->getTagLocation().c_str()); + } + + webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash)); } else { - throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); + throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); } } @@ -247,22 +335,6 @@ public: cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true); } - ModResult OnCheckReady(LocalUser *user) CXX11_OVERRIDE - { - if (!cmd.realip.get(user)) - return MOD_RES_PASSTHRU; - - RecheckClass(user); - if (user->quitting) - return MOD_RES_DENY; - - user->CheckLines(true); - if (user->quitting) - return MOD_RES_DENY; - - return MOD_RES_PASSTHRU; - } - ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE { // If is not set then we have nothing to do. @@ -274,27 +346,117 @@ public: // cannot match this connect class. const std::string* gateway = cmd.gateway.get(user); if (!gateway) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", + myclass->GetName().c_str()); return MOD_RES_DENY; + } // If the gateway matches the constraint then // allow the check to continue. Otherwise, reject it. - return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY; + if (!InspIRCd::Match(*gateway, webirc)) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", + myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); + return MOD_RES_DENY; + } + + return MOD_RES_PASSTHRU; } ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE { - for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) + // There is no need to check for gateways if one is already being used. + if (cmd.realhost.get(user)) + return MOD_RES_PASSTHRU; + + for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) { - if (!InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map) && !InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map)) + // If we don't match the host then skip to the next host. + if (!iter->Matches(user)) continue; - CheckIdent(user); // Nothing on failure. - user->CheckLines(true); + // We have matched an block! Try to parse the encoded IPv4 address + // out of the ident. + irc::sockets::sockaddrs address(user->client_sa); + if (!ParseIdent(user, address)) + return MOD_RES_PASSTHRU; + + // Store the hostname and IP of the gateway for later use. + cmd.realhost.set(user, user->GetRealHost()); + cmd.realip.set(user, user->GetIPString()); + + const std::string& newident = iter->GetIdent(); + cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", + user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); + + user->ChangeIdent(newident); + user->SetClientIP(address); break; } return MOD_RES_PASSTHRU; } + void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE + { + // We are only interested in connection flags. If none have been + // given then we have nothing to do. + if (!flags) + return; + + WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); + if (cport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(cport->second); + if (port) + { + switch (user->client_sa.family()) + { + case AF_INET: + user->client_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->client_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->client_sa.family()); + return; + } + } + } + + WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); + if (sport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(sport->second); + if (port) + { + switch (user->server_sa.family()) + { + case AF_INET: + user->server_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->server_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->server_sa.family()); + return; + } + } + } + } + void OnWhois(Whois::Context& whois) CXX11_OVERRIDE { if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex")) @@ -313,34 +475,9 @@ public: whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); } - bool CheckIdent(LocalUser* user) - { - const char* ident; - in_addr newip; - - if (user->ident.length() == 8) - ident = user->ident.c_str(); - else if (user->ident.length() == 9 && user->ident[0] == '~') - ident = user->ident.c_str() + 1; - else - return false; - - errno = 0; - unsigned long ipaddr = strtoul(ident, NULL, 16); - if (errno) - return false; - newip.s_addr = htonl(ipaddr); - std::string newipstr(inet_ntoa(newip)); - - user->ident = "~cgiirc"; - HandleIdent(user, newipstr); - - return true; - } - Version GetVersion() CXX11_OVERRIDE { - return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR); + return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR); } };