X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cgiirc.cpp;h=f0963e4c1a81706a33ab134795796afb0fd2dd6f;hb=HEAD;hp=1e5a188f8c37b92d937b3af61fd4e4660c208bdc;hpb=248fa43bf98d61bc84025b68ac373b7c42d728f6;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 1e5a188f8..f0963e4c1 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -1,13 +1,18 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2014 md_5 + * Copyright (C) 2014 Googolplexed + * Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell + * Copyright (C) 2013 Adam + * Copyright (C) 2012-2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2007-2008 John Brooks - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2006-2008 Craig Edwards - * Copyright (C) 2007 Robin Burchell + * Copyright (C) 2009 Uli Schlachter + * Copyright (C) 2007-2009 Robin Burchell * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006 Oliver Lupton + * Copyright (C) 2006-2007, 2010 Craig Edwards * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -34,39 +39,19 @@ enum RPL_WHOISGATEWAY = 350 }; -// We need this method up here so that it can be accessed from anywhere -static void ChangeIP(LocalUser* user, const irc::sockets::sockaddrs& sa) -{ - // Set the users IP address and make sure they are in the right clone pool. - ServerInstance->Users->RemoveCloneCounts(user); - user->SetClientIP(sa); - ServerInstance->Users->AddClone(user); - if (user->quitting) - return; - - // Recheck the connect class. - user->MyClass = NULL; - user->SetClass(); - user->CheckClass(); - if (user->quitting) - return; - - // Check if this user matches any XLines. - user->CheckLines(true); - if (user->quitting) - return; -} +// One or more hostmask globs or CIDR ranges. +typedef std::vector MaskList; // Encapsulates information about an ident host. class IdentHost { private: - std::string hostmask; + MaskList hostmasks; std::string newident; public: - IdentHost(const std::string& mask, const std::string& ident) - : hostmask(mask) + IdentHost(const MaskList& masks, const std::string& ident) + : hostmasks(masks) , newident(ident) { } @@ -78,10 +63,19 @@ class IdentHost bool Matches(LocalUser* user) const { - if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map)) - return false; + for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter) + { + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map)) + return true; + } - return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map); + // The user didn't match any hostmasks. + return false; } }; @@ -89,51 +83,125 @@ class IdentHost class WebIRCHost { private: - std::string hostmask; + MaskList hostmasks; std::string fingerprint; std::string password; std::string passhash; public: - WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash) - : hostmask(mask) + WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash) + : hostmasks(masks) , fingerprint(fp) , password(pass) , passhash(hash) { } - bool Matches(LocalUser* user, const std::string& pass) const + bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const { // Did the user send a valid password? if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) return false; // Does the user have a valid fingerprint? - const std::string fp = SSLClientCert::GetFingerprint(&user->eh); - if (!fingerprint.empty() && fp != fingerprint) + const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; + if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) return false; - // Does the user's hostname match our hostmask? - if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map)) - return true; + for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter) + { + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map)) + return true; + } - // Does the user's IP address match our hostmask? - return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map); + // The user didn't match any hostmasks. + return false; + } +}; + +class CommandHexIP : public SplitCommand +{ + public: + CommandHexIP(Module* Creator) + : SplitCommand(Creator, "HEXIP", 1) + { + allow_empty_last_param = false; + Penalty = 2; + syntax = ""; + } + + CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE + { + irc::sockets::sockaddrs sa; + if (irc::sockets::aptosa(parameters[0], 0, sa)) + { + if (sa.family() != AF_INET) + { + user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!"); + return CMD_FAILURE; + } + + uint32_t addr = sa.in4.sin_addr.s_addr; + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.", + sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF), + ((addr >> 24) & 0xFF))); + return CMD_SUCCESS; + } + + if (ParseIP(parameters[0], sa)) + { + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.", + parameters[0].c_str(), sa.addr().c_str())); + return CMD_SUCCESS; + } + + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.", + parameters[0].c_str())); + return CMD_FAILURE; + } + + static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out) + { + const char* ident = NULL; + if (in.length() == 8) + { + // The ident is an IPv4 address encoded in hexadecimal with two characters + // per address segment. + ident = in.c_str(); + } + else if (in.length() == 9 && in[0] == '~') + { + // The same as above but m_ident got to this user before we did. Strip the + // ident prefix and continue as normal. + ident = in.c_str() + 1; + } + else + { + // The user either does not have an IPv4 in their ident or the gateway server + // is also running an identd. In the latter case there isn't really a lot we + // can do so we just assume that the client in question is not connecting via + // an ident gateway. + return false; + } + + // Try to convert the IP address to a string. If this fails then the user + // does not have an IPv4 address in their ident. + errno = 0; + unsigned long address = strtoul(ident, NULL, 16); + if (errno) + return false; + + out.in4.sin_family = AF_INET; + out.in4.sin_addr.s_addr = htonl(address); + return true; } }; -/* - * WEBIRC - * This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things. - * Syntax: WEBIRC password gateway hostname ip - * Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname - * is the resolved host of the client issuing the command and IP is the real IP of the client. - * - * How it works: - * To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally - * and simply sets metadata on the user, which is later decoded on full connect to give something meaningful. - */ class CommandWebIRC : public SplitCommand { public: @@ -142,6 +210,7 @@ class CommandWebIRC : public SplitCommand StringExtItem gateway; StringExtItem realhost; StringExtItem realip; + UserCertificateAPI sslapi; Events::ModuleEventProvider webircevprov; CommandWebIRC(Module* Creator) @@ -149,11 +218,12 @@ class CommandWebIRC : public SplitCommand , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator) , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator) , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator) + , sslapi(Creator) , webircevprov(Creator, "event/webirc") { allow_empty_last_param = false; works_before_reg = true; - this->syntax = " [flags]"; + this->syntax = " []"; } CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE @@ -164,7 +234,7 @@ class CommandWebIRC : public SplitCommand for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) { // If we don't match the host then skip to the next host. - if (!iter->Matches(user, parameters[0])) + if (!iter->Matches(user, parameters[0], sslapi)) continue; irc::sockets::sockaddrs ipaddr; @@ -181,8 +251,9 @@ class CommandWebIRC : public SplitCommand realhost.set(user, user->GetRealHost()); realip.set(user, user->GetIPString()); - WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.", - user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str()); + WriteLog("Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.", + user->uuid.c_str(), parameters[1].c_str(), + user->GetIPString().c_str(), parameters[3].c_str()); // If we have custom flags then deal with them. WebIRC::FlagMap flags; @@ -213,7 +284,7 @@ class CommandWebIRC : public SplitCommand // Set the IP address sent via WEBIRC. We ignore the hostname and lookup // instead do our own DNS lookups because of unreliable gateways. - ChangeIP(user, ipaddr); + user->SetClientIP(ipaddr); return CMD_SUCCESS; } @@ -243,50 +314,16 @@ class ModuleCgiIRC , public Whois::EventListener { private: - CommandWebIRC cmd; + CommandHexIP cmdhexip; + CommandWebIRC cmdwebirc; std::vector hosts; - static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out) - { - const char* ident = NULL; - if (user->ident.length() == 8) - { - // The ident is an IPv4 address encoded in hexadecimal with two characters - // per address segment. - ident = user->ident.c_str(); - } - else if (user->ident.length() == 9 && user->ident[0] == '~') - { - // The same as above but m_ident got to this user before we did. Strip the - // ident prefix and continue as normal. - ident = user->ident.c_str() + 1; - } - else - { - // The user either does not have an IPv4 in their ident or the gateway server - // is also running an identd. In the latter case there isn't really a lot we - // can do so we just assume that the client in question is not connecting via - // an ident gateway. - return false; - } - - // Try to convert the IP address to a string. If this fails then the user - // does not have an IPv4 address in their ident. - errno = 0; - unsigned long address = strtoul(ident, NULL, 16); - if (errno) - return false; - - out.in4.sin_family = AF_INET; - out.in4.sin_addr.s_addr = htonl(address); - return true; - } - public: ModuleCgiIRC() : WebIRC::EventListener(this) , Whois::EventListener(this) - , cmd(this) + , cmdhexip(this) + , cmdwebirc(this) { } @@ -295,6 +332,26 @@ class ModuleCgiIRC ServerInstance->SNO->EnableSnomask('w', "CGIIRC"); } + void On005Numeric(std::map& tokens) CXX11_OVERRIDE + { + tokens["EXTBAN"].push_back('w'); + } + + ModResult OnCheckBan(User* user, Channel*, const std::string& mask) CXX11_OVERRIDE + { + if (mask.length() <= 2 || mask[0] != 'w' || mask[1] != ':') + return MOD_RES_PASSTHRU; + + const std::string* gateway = cmdwebirc.gateway.get(user); + if (!gateway) + return MOD_RES_PASSTHRU; + + if (InspIRCd::Match(*gateway, mask.substr(2))) + return MOD_RES_DENY; + + return MOD_RES_PASSTHRU; + } + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { std::vector identhosts; @@ -305,9 +362,13 @@ class ModuleCgiIRC { ConfigTag* tag = i->second; + MaskList masks; + irc::spacesepstream maskstream(tag->getString("mask")); + for (std::string mask; maskstream.GetToken(mask); ) + masks.push_back(mask); + // Ensure that we have the parameter. - const std::string mask = tag->getString("mask"); - if (mask.empty()) + if (masks.empty()) throw ModuleException(" is a mandatory field, at " + tag->getTagLocation()); // Determine what lookup type this host uses. @@ -316,32 +377,39 @@ class ModuleCgiIRC { // The IP address should be looked up from the hex IP address. const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); - identhosts.push_back(IdentHost(mask, newident)); + identhosts.push_back(IdentHost(masks, newident)); } else if (stdalgo::string::equalsci(type, "webirc")) { // The IP address will be received via the WEBIRC command. const std::string fingerprint = tag->getString("fingerprint"); const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); // WebIRC blocks require a password. if (fingerprint.empty() && password.empty()) throw ModuleException("When using either the fingerprint or password field is required, at " + tag->getTagLocation()); - webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash"))); + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, " tag at %s contains an plain text password, this is insecure!", + tag->getTagLocation().c_str()); + } + + webirchosts.push_back(WebIRCHost(masks, fingerprint, password, passwordhash)); } else { - throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); + throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); } } // The host configuration was valid so we can apply it. hosts.swap(identhosts); - cmd.hosts.swap(webirchosts); + cmdwebirc.hosts.swap(webirchosts); // Do we send an oper notice when a m_cgiirc client has their IP changed? - cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true); + cmdwebirc.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true); } ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE @@ -353,19 +421,30 @@ class ModuleCgiIRC // If the user is not connecting via a WebIRC gateway then they // cannot match this connect class. - const std::string* gateway = cmd.gateway.get(user); + const std::string* gateway = cmdwebirc.gateway.get(user); if (!gateway) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", + myclass->GetName().c_str()); return MOD_RES_DENY; + } // If the gateway matches the constraint then // allow the check to continue. Otherwise, reject it. - return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY; + if (!InspIRCd::Match(*gateway, webirc)) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", + myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); + return MOD_RES_DENY; + } + + return MOD_RES_PASSTHRU; } ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE { // There is no need to check for gateways if one is already being used. - if (cmd.realhost.get(user)) + if (cmdwebirc.realhost.get(user)) return MOD_RES_PASSTHRU; for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) @@ -377,20 +456,20 @@ class ModuleCgiIRC // We have matched an block! Try to parse the encoded IPv4 address // out of the ident. irc::sockets::sockaddrs address(user->client_sa); - if (!ParseIdent(user, address)) + if (!CommandHexIP::ParseIP(user->ident, address)) return MOD_RES_PASSTHRU; // Store the hostname and IP of the gateway for later use. - cmd.realhost.set(user, user->GetRealHost()); - cmd.realip.set(user, user->GetIPString()); + cmdwebirc.realhost.set(user, user->GetRealHost()); + cmdwebirc.realip.set(user, user->GetIPString()); const std::string& newident = iter->GetIdent(); - cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", + cmdwebirc.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); user->ChangeIdent(newident); - ChangeIP(user, address); - break; + user->SetClientIP(address); + break; } return MOD_RES_PASSTHRU; } @@ -457,16 +536,18 @@ class ModuleCgiIRC void OnWhois(Whois::Context& whois) CXX11_OVERRIDE { - if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex")) - return; - // If these fields are not set then the client is not using a gateway. - const std::string* realhost = cmd.realhost.get(whois.GetTarget()); - const std::string* realip = cmd.realip.get(whois.GetTarget()); + std::string* realhost = cmdwebirc.realhost.get(whois.GetTarget()); + std::string* realip = cmdwebirc.realip.get(whois.GetTarget()); if (!realhost || !realip) return; - const std::string* gateway = cmd.gateway.get(whois.GetTarget()); + // If the source doesn't have the right privs then only show the gateway name. + std::string hidden = "*"; + if (!whois.GetSource()->HasPrivPermission("users/auspex")) + realhost = realip = &hidden; + + const std::string* gateway = cmdwebirc.gateway.get(whois.GetTarget()); if (gateway) whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); else @@ -475,7 +556,7 @@ class ModuleCgiIRC Version GetVersion() CXX11_OVERRIDE { - return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR); + return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR); } };