X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cloaking.cpp;h=2bd8df80eea37f9dc6b3126e44c85cd0ba8e0b31;hb=de25d946733f774e3a5b53a58438a9c92af0acbe;hp=c0edf21a97694dac99ca19bbdb5fb53211902ec2;hpb=12923aae21367d948c74e4bdceaf98b61d9f4992;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cloaking.cpp b/src/modules/m_cloaking.cpp index c0edf21a9..2bd8df80e 100644 --- a/src/modules/m_cloaking.cpp +++ b/src/modules/m_cloaking.cpp @@ -2,11 +2,11 @@ * | Inspire Internet Relay Chat Daemon | * +------------------------------------+ * - * InspIRCd: (C) 2002-2007 InspIRCd Development Team - * See: http://www.inspircd.org/wiki/index.php/Credits + * InspIRCd: (C) 2002-2009 InspIRCd Development Team + * See: http://wiki.inspircd.org/Credits * * This program is free but copyrighted software; see - * the file COPYING for details. + * the file COPYING for details. * * --------------------------------------------------- */ @@ -21,15 +21,16 @@ */ class CloakUser : public ModeHandler { + public: std::string prefix; unsigned int key1; unsigned int key2; unsigned int key3; unsigned int key4; bool ipalways; - Module* Sender; Module* HashProvider; const char *xtab[4]; + LocalStringExt ext; /** This function takes a domain name string and returns just the last two domain parts, * or the last domain part if only two are available. Failing that it just returns what it was given. @@ -37,7 +38,7 @@ class CloakUser : public ModeHandler * For example, if it is passed "svn.inspircd.org" it will return ".inspircd.org". * If it is passed "brainbox.winbot.co.uk" it will return ".co.uk", * and if it is passed "localhost.localdomain" it will return ".localdomain". - * + * * This is used to ensure a significant part of the host is always cloaked (see Bug #216) */ std::string LastTwoDomainParts(const std::string &host) @@ -61,22 +62,24 @@ class CloakUser : public ModeHandler else return host.substr(splitdot); } - - public: - CloakUser(InspIRCd* Instance, Module* Source, Module* Hash) : ModeHandler(Instance, 'x', 0, 0, false, MODETYPE_USER, false), Sender(Source), HashProvider(Hash) + + CloakUser(Module* source, Module* Hash) + : ModeHandler(source, 'x', PARAM_NONE, MODETYPE_USER), HashProvider(Hash), + ext("cloaked_host", source) { } ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string ¶meter, bool adding) { - if (source != dest) - return MODEACTION_DENY; - /* For remote clients, we dont take any action, we just allow it. * The local server where they are will set their cloak instead. + * This is fine, as we will recieve it later. */ if (!IS_LOCAL(dest)) + { + dest->SetMode('x',adding); return MODEACTION_ALLOW; + } /* don't allow this user to spam modechanges */ dest->IncreasePenalty(5); @@ -94,86 +97,30 @@ class CloakUser : public ModeHandler * are connecting via localhost) -- this doesnt matter much. */ - char* n1 = strchr(dest->host,'.'); - char* n2 = strchr(dest->host,':'); - - if (n1 || n2) + std::string* cloak = ext.get(dest); + + if (!cloak) { - unsigned int iv[] = { key1, key2, key3, key4 }; - std::string a = LastTwoDomainParts(dest->host); - std::string b; - - /* InspIRCd users have two hostnames; A displayed - * hostname which can be modified by modules (e.g. - * to create vhosts, implement chghost, etc) and a - * 'real' hostname which you shouldnt write to. - */ - - /* 2007/08/18: add which always cloaks - * the IP, for anonymity. --nenolod - */ - if (!ipalways) - { - /** Reset the Hash module, and send it our IV and hex table */ - HashResetRequest(Sender, HashProvider).Send(); - HashKeyRequest(Sender, HashProvider, iv).Send(); - HashHexRequest(Sender, HashProvider, xtab[(*dest->host) % 4]); - - /* Generate a cloak using specialized Hash */ - std::string hostcloak = prefix + "-" + std::string(HashSumRequest(Sender, HashProvider, dest->host).Send()).substr(0,8) + a; - - /* Fix by brain - if the cloaked host is > the max length of a host (64 bytes - * according to the DNS RFC) then tough titty, they get cloaked as an IP. - * Their ISP shouldnt go to town on subdomains, or they shouldnt have a kiddie - * vhost. - */ -#ifdef IPV6 - in6_addr testaddr; - in_addr testaddr2; - if ((dest->GetProtocolFamily() == AF_INET6) && (inet_pton(AF_INET6,dest->host,&testaddr) < 1) && (hostcloak.length() <= 64)) - /* Invalid ipv6 address, and ipv6 user (resolved host) */ - b = hostcloak; - else if ((dest->GetProtocolFamily() == AF_INET) && (inet_aton(dest->host,&testaddr2) < 1) && (hostcloak.length() <= 64)) - /* Invalid ipv4 address, and ipv4 user (resolved host) */ - b = hostcloak; - else - /* Valid ipv6 or ipv4 address (not resolved) ipv4 or ipv6 user */ - b = ((!strchr(dest->host,':')) ? Cloak4(dest->host) : Cloak6(dest->host)); -#else - in_addr testaddr; - if ((inet_aton(dest->host,&testaddr) < 1) && (hostcloak.length() <= 64)) - /* Invalid ipv4 address, and ipv4 user (resolved host) */ - b = hostcloak; - else - /* Valid ipv4 address (not resolved) ipv4 user */ - b = Cloak4(dest->host); -#endif - } - else - { -#ifdef IPV6 - if (dest->GetProtocolFamily() == AF_INET6) - b = Cloak6(dest->GetIPString()); -#endif - if (dest->GetProtocolFamily() == AF_INET) - b = Cloak4(dest->GetIPString()); - } - - dest->ChangeDisplayedHost(b.c_str()); + /* Force creation of missing cloak */ + creator->OnUserConnect(dest); + cloak = ext.get(dest); + } + if (cloak) + { + dest->ChangeDisplayedHost(cloak->c_str()); + dest->SetMode('x',true); + return MODEACTION_ALLOW; } - - dest->SetMode('x',true); - return MODEACTION_ALLOW; } } else - { + { if (dest->IsModeSet('x')) { - /* User is removing the mode, so just restore their real host - * and make it match the displayed one. + /* User is removing the mode, so just restore their real host + * and make it match the displayed one. */ - dest->ChangeDisplayedHost(dest->host); + dest->ChangeDisplayedHost(dest->host.c_str()); dest->SetMode('x',false); return MODEACTION_ALLOW; } @@ -201,14 +148,14 @@ class CloakUser : public ModeHandler octet[1] = octet[0] + "." + octet[1]; /* Reset the Hash module and send it our IV */ - HashResetRequest(Sender, HashProvider).Send(); - HashKeyRequest(Sender, HashProvider, iv).Send(); + HashResetRequest(creator, HashProvider).Send(); + HashKeyRequest(creator, HashProvider, iv).Send(); /* Send the Hash module a different hex table for each octet group's Hash sum */ for (int k = 0; k < 4; k++) { - HashHexRequest(Sender, HashProvider, xtab[(iv[k]+i[k]) % 4]).Send(); - ra[k] = std::string(HashSumRequest(Sender, HashProvider, octet[k]).Send()).substr(0,6); + HashHexRequest(creator, HashProvider, xtab[(iv[k]+i[k]) % 4]).Send(); + ra[k] = std::string(HashSumRequest(creator, HashProvider, octet[k]).Send()).substr(0,6); } /* Stick them all together */ return std::string().append(ra[0]).append(".").append(ra[1]).append(".").append(ra[2]).append(".").append(ra[3]); @@ -216,19 +163,14 @@ class CloakUser : public ModeHandler std::string Cloak6(const char* ip) { - /* Theyre using 4in6 (YUCK). Translate as ipv4 cloak */ - if (!strncmp(ip, "0::ffff:", 8)) - return Cloak4(ip + 8); - - /* If we get here, yes it really is an ipv6 ip */ unsigned int iv[] = { key1, key2, key3, key4 }; std::vector hashies; std::string item; int rounds = 0; /* Reset the Hash module and send it our IV */ - HashResetRequest(Sender, HashProvider).Send(); - HashKeyRequest(Sender, HashProvider, iv).Send(); + HashResetRequest(creator, HashProvider).Send(); + HashKeyRequest(creator, HashProvider, iv).Send(); for (const char* input = ip; *input; input++) { @@ -236,8 +178,8 @@ class CloakUser : public ModeHandler if (item.length() > 7) { /* Send the Hash module a different hex table for each octet group's Hash sum */ - HashHexRequest(Sender, HashProvider, xtab[(key1+rounds) % 4]).Send(); - hashies.push_back(std::string(HashSumRequest(Sender, HashProvider, item).Send()).substr(0,8)); + HashHexRequest(creator, HashProvider, xtab[(key1+rounds) % 4]).Send(); + hashies.push_back(std::string(HashSumRequest(creator, HashProvider, item).Send()).substr(0,8)); item.clear(); } rounds++; @@ -245,20 +187,20 @@ class CloakUser : public ModeHandler if (!item.empty()) { /* Send the Hash module a different hex table for each octet group's Hash sum */ - HashHexRequest(Sender, HashProvider, xtab[(key1+rounds) % 4]).Send(); - hashies.push_back(std::string(HashSumRequest(Sender, HashProvider, item).Send()).substr(0,8)); + HashHexRequest(creator, HashProvider, xtab[(key1+rounds) % 4]).Send(); + hashies.push_back(std::string(HashSumRequest(creator, HashProvider, item).Send()).substr(0,8)); item.clear(); } /* Stick them all together */ return irc::stringjoiner(":", hashies, 0, hashies.size() - 1).GetJoined(); } - + void DoRehash() { - ConfigReader Conf(ServerInstance); + ConfigReader Conf; bool lowercase; - - /* These are *not* using the need_positive parameter of ReadInteger - + + /* These are *not* using the need_positive parameter of ReadInteger - * that will limit the valid values to only the positive values in a * signed int. Instead, accept any value that fits into an int and * cast it to an unsigned int. That will, a bit oddly, give us the full @@ -271,7 +213,7 @@ class CloakUser : public ModeHandler prefix = Conf.ReadValue("cloak","prefix",0); ipalways = Conf.ReadFlag("cloak", "ipalways", 0); lowercase = Conf.ReadFlag("cloak", "lowercase", 0); - + if (!lowercase) { xtab[0] = "F92E45D871BCA630"; @@ -311,53 +253,158 @@ class CloakUser : public ModeHandler class ModuleCloaking : public Module { private: - CloakUser* cu; - Module* HashModule; public: - ModuleCloaking(InspIRCd* Me) - : Module(Me) + ModuleCloaking() { - ServerInstance->Modules->UseInterface("HashRequest"); - /* Attempt to locate the md5 service provider, bail if we can't find it */ - HashModule = ServerInstance->Modules->Find("m_md5.so"); + Module* HashModule = ServerInstance->Modules->Find("m_md5.so"); if (!HashModule) throw ModuleException("Can't find m_md5.so. Please load m_md5.so before m_cloaking.so."); - /* Create new mode handler object */ - cu = new CloakUser(ServerInstance, this, HashModule); + cu = new CloakUser(this, HashModule); - OnRehash(NULL,""); + try + { + OnRehash(NULL); + } + catch (ModuleException &e) + { + delete cu; + throw e; + } /* Register it with the core */ - if (!ServerInstance->AddMode(cu)) + if (!ServerInstance->Modes->AddMode(cu)) + { + delete cu; throw ModuleException("Could not add new modes!"); + } + + ServerInstance->Modules->UseInterface("HashRequest"); + Extensible::Register(&cu->ext); - Implementation eventlist[] = { I_OnRehash }; - ServerInstance->Modules->Attach(eventlist, this, 1); + Implementation eventlist[] = { I_OnRehash, I_OnCheckBan, I_OnUserConnect }; + ServerInstance->Modules->Attach(eventlist, this, 3); + + CloakExistingUsers(); } - - virtual ~ModuleCloaking() + + void CloakExistingUsers() + { + std::string* cloak; + for (std::vector::iterator u = ServerInstance->Users->local_users.begin(); u != ServerInstance->Users->local_users.end(); u++) + { + cloak = cu->ext.get(*u); + if (!cloak) + { + OnUserConnect(*u); + } + } + } + + ModResult OnCheckBan(User* user, Channel* chan, const std::string& mask) + { + char cmask[MAXBUF]; + std::string* cloak = cu->ext.get(user); + /* Check if they have a cloaked host, but are not using it */ + if (cloak && *cloak != user->dhost) + { + snprintf(cmask, MAXBUF, "%s!%s@%s", user->nick.c_str(), user->ident.c_str(), cloak->c_str()); + if (InspIRCd::Match(cmask,mask)) + return MOD_RES_DENY; + } + return MOD_RES_PASSTHRU; + } + + void Prioritize() + { + /* Needs to be after m_banexception etc. */ + ServerInstance->Modules->SetPriority(this, I_OnCheckBan, PRIORITY_LAST); + + /* but before m_conn_umodes, so host is generated ready to apply */ + Module *um = ServerInstance->Modules->Find("m_conn_umodes.so"); + ServerInstance->Modules->SetPriority(this, I_OnUserConnect, PRIORITY_AFTER, &um); + } + + ~ModuleCloaking() { ServerInstance->Modes->DelMode(cu); delete cu; ServerInstance->Modules->DoneWithInterface("HashRequest"); } - - virtual Version GetVersion() + + Version GetVersion() { // returns the version number of the module to be // listed in /MODULES - return Version(1,1,0,2,VF_COMMON|VF_VENDOR,API_VERSION); + return Version("Provides masking of user hostnames", VF_COMMON|VF_VENDOR,API_VERSION); } - virtual void OnRehash(User* user, const std::string ¶meter) + void OnRehash(User* user) { cu->DoRehash(); } + void OnUserConnect(User* dest) + { + std::string* cloak = cu->ext.get(dest); + if (cloak) + return; + + if (dest->host.find('.') != std::string::npos || dest->host.find(':') != std::string::npos) + { + unsigned int iv[] = { cu->key1, cu->key2, cu->key3, cu->key4 }; + std::string a = cu->LastTwoDomainParts(dest->host); + std::string b; + + /* InspIRCd users have two hostnames; A displayed + * hostname which can be modified by modules (e.g. + * to create vhosts, implement chghost, etc) and a + * 'real' hostname which you shouldnt write to. + */ + + /* 2008/08/18: add which always cloaks + * the IP, for anonymity. --nenolod + */ + if (!cu->ipalways) + { + /** Reset the Hash module, and send it our IV and hex table */ + HashResetRequest(this, cu->HashProvider).Send(); + HashKeyRequest(this, cu->HashProvider, iv).Send(); + HashHexRequest(this, cu->HashProvider, cu->xtab[(dest->host[0]) % 4]); + + /* Generate a cloak using specialized Hash */ + std::string hostcloak = cu->prefix + "-" + std::string(HashSumRequest(this, cu->HashProvider, dest->host.c_str()).Send()).substr(0,8) + a; + + /* Fix by brain - if the cloaked host is > the max length of a host (64 bytes + * according to the DNS RFC) then tough titty, they get cloaked as an IP. + * Their ISP shouldnt go to town on subdomains, or they shouldnt have a kiddie + * vhost. + */ + std::string testaddr; + int testport; + if (!irc::sockets::satoap(&dest->client_sa, testaddr, testport) && (hostcloak.length() <= 64)) + /* not a valid address, must have been a host, so cloak as a host */ + b = hostcloak; + else if (dest->client_sa.sa.sa_family == AF_INET6) + b = cu->Cloak6(dest->GetIPString()); + else + b = cu->Cloak4(dest->GetIPString()); + } + else + { + if (dest->client_sa.sa.sa_family == AF_INET6) + b = cu->Cloak6(dest->GetIPString()); + else + b = cu->Cloak4(dest->GetIPString()); + } + + cu->ext.set(dest,b); + } + } + }; MODULE_INIT(ModuleCloaking)