X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cloaking.cpp;h=7a500c1b30695b01570cc6960c64f0de0beaa75d;hb=ce168051e23bf7a33410ad17a4b78f5da478dbbe;hp=243b79ac2d44effaa80634c88ec9bd4f5c2a7aa9;hpb=4a8335d9ce69341216bea7fa8027043368c50870;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cloaking.cpp b/src/modules/m_cloaking.cpp index 243b79ac2..7a500c1b3 100644 --- a/src/modules/m_cloaking.cpp +++ b/src/modules/m_cloaking.cpp @@ -2,60 +2,89 @@ * | Inspire Internet Relay Chat Daemon | * +------------------------------------+ * - * InspIRCd is copyright (C) 2002-2006 ChatSpike-Dev. - * E-mail: - * - * - * - * Written by Craig Edwards, Craig McLure, and others. + * InspIRCd: (C) 2002-2008 InspIRCd Development Team + * See: http://www.inspircd.org/wiki/index.php/Credits + * * This program is free but copyrighted software; see - * the file COPYING for details. + * the file COPYING for details. * * --------------------------------------------------- */ -#include "inspircd_config.h" -#include "configreader.h" #include "inspircd.h" -#include "users.h" -#include "channels.h" -#include "modules.h" - -#include "m_md5.h" +#include "wildcard.h" +#include "m_hash.h" /* $ModDesc: Provides masking of user hostnames */ - -static const char* xtab[] = {"F92E45D871BCA630", "A1B9D80C72E653F4", "1ABC078934DEF562", "ABCDEF5678901234"}; +/* $ModDep: m_hash.h */ /** Handles user mode +x */ class CloakUser : public ModeHandler { - + public: std::string prefix; unsigned int key1; unsigned int key2; unsigned int key3; unsigned int key4; + bool ipalways; Module* Sender; - Module* MD5Provider; - - public: - CloakUser(InspIRCd* Instance, Module* Source, Module* MD5) : ModeHandler(Instance, 'x', 0, 0, false, MODETYPE_USER, false), Sender(Source), MD5Provider(MD5) + Module* HashProvider; + const char *xtab[4]; + + /** This function takes a domain name string and returns just the last two domain parts, + * or the last domain part if only two are available. Failing that it just returns what it was given. + * + * For example, if it is passed "svn.inspircd.org" it will return ".inspircd.org". + * If it is passed "brainbox.winbot.co.uk" it will return ".co.uk", + * and if it is passed "localhost.localdomain" it will return ".localdomain". + * + * This is used to ensure a significant part of the host is always cloaked (see Bug #216) + */ + std::string LastTwoDomainParts(const std::string &host) + { + int dots = 0; + std::string::size_type splitdot = host.length(); + + for (std::string::size_type x = host.length() - 1; x; --x) + { + if (host[x] == '.') + { + splitdot = x; + dots++; + } + if (dots >= 3) + break; + } + + if (splitdot == host.length()) + return host; + else + return host.substr(splitdot); + } + + CloakUser(InspIRCd* Instance, Module* source, Module* Hash) : ModeHandler(Instance, 'x', 0, 0, false, MODETYPE_USER, false), Sender(source), HashProvider(Hash) { } - ModeAction OnModeChange(userrec* source, userrec* dest, chanrec* channel, std::string ¶meter, bool adding) + ModeAction OnModeChange(User* source, User* dest, Channel* channel, std::string ¶meter, bool adding, bool) { - /* Only opers can change other users modes */ - if ((source != dest) && (!*source->oper)) + if (source != dest) return MODEACTION_DENY; /* For remote clients, we dont take any action, we just allow it. * The local server where they are will set their cloak instead. + * This is fine, as we will recieve it later. */ if (!IS_LOCAL(dest)) + { + dest->SetMode('x',adding); return MODEACTION_ALLOW; + } + + /* don't allow this user to spam modechanges */ + dest->IncreasePenalty(5); if (adding) { @@ -69,46 +98,16 @@ class CloakUser : public ModeHandler * naming in their hostname (e.g. if they are on a lan or * are connecting via localhost) -- this doesnt matter much. */ - - if (strchr(dest->host,'.') || strchr(dest->host,':')) + + std::string* cloak; + + if (dest->GetExt("cloaked_host", cloak)) { - /* InspIRCd users have two hostnames; A displayed - * hostname which can be modified by modules (e.g. - * to create vhosts, implement chghost, etc) and a - * 'real' hostname which you shouldnt write to. - */ - - char* n = strstr(dest->host,"."); - if (!n) - n = strstr(dest->host,":"); - - std::string a = n; - - std::string b; - insp_inaddr testaddr; - std::string hostcloak = prefix + "-" + MD5SumRequest(Sender, MD5Provider, dest->host).Send() + a; - - /* Fix by brain - if the cloaked host is > the max length of a host (64 bytes - * according to the DNS RFC) then tough titty, they get cloaked as an IP. - * Their ISP shouldnt go to town on subdomains, or they shouldnt have a kiddie - * vhost. - */ - - if ((insp_aton(dest->host,&testaddr) < 1) && (hostcloak.length() <= 64)) - { - // if they have a hostname, make something appropriate - b = hostcloak; - } - else - { - b = ((b.find(':') == std::string::npos) ? Cloak4(dest->host) : Cloak6(dest->host)); - } - ServerInstance->Log(DEBUG,"cloak: allocated "+b); - dest->ChangeDisplayedHost(b.c_str()); + /* Cloaked host has been set before on this user, don't bother to recalculate and waste cpu */ + dest->ChangeDisplayedHost(cloak->c_str()); + dest->SetMode('x',true); + return MODEACTION_ALLOW; } - - dest->SetMode('x',true); - return MODEACTION_ALLOW; } } else @@ -131,113 +130,123 @@ class CloakUser : public ModeHandler { unsigned int iv[] = { key1, key2, key3, key4 }; irc::sepstream seps(ip, '.'); - std::string ra1, ra2, ra3, ra4; - int i1, i2, i3, i4; - std::string octet1 = seps.GetToken(); - std::string octet2 = seps.GetToken(); - std::string octet3 = seps.GetToken(); - std::string octet4 = seps.GetToken(); - i1 = atoi(octet1.c_str()); - i2 = atoi(octet2.c_str()); - i3 = atoi(octet3.c_str()); - i4 = atoi(octet4.c_str()); - octet4 = octet1 + "." + octet2 + "." + octet3 + "." + octet4; - octet3 = octet1 + "." + octet2 + "." + octet3; - octet2 = octet1 + "." + octet2; - - MD5ResetRequest(Sender, MD5Provider).Send(); - MD5KeyRequest(Sender, MD5Provider, iv).Send(); - - MD5HexRequest(Sender, MD5Provider, xtab[(key1+i1) % 4]).Send(); - ra1 = std::string(MD5SumRequest(Sender, MD5Provider, octet1).Send()).substr(0,6); - - MD5HexRequest(Sender, MD5Provider, xtab[(key2+i2) % 4]).Send(); - ra2 = std::string(MD5SumRequest(Sender, MD5Provider, octet2).Send()).substr(0,6); - - MD5HexRequest(Sender, MD5Provider, xtab[(key3+i3) % 4]).Send(); - ra3 = std::string(MD5SumRequest(Sender, MD5Provider, octet3).Send()).substr(0,6); - - MD5HexRequest(Sender, MD5Provider, xtab[(key4+i4) % 4]).Send(); - ra4 = std::string(MD5SumRequest(Sender, MD5Provider, octet4).Send()).substr(0,6); - - /* This is safe as we know the length generated by our genhash is always 16 */ - return std::string().append(ra1).append(".").append(ra2).append(".").append(ra3).append(".").append(ra4); + std::string ra[4];; + std::string octet[4]; + int i[4]; + + for (int j = 0; j < 4; j++) + { + seps.GetToken(octet[j]); + i[j] = atoi(octet[j].c_str()); + } + + octet[3] = octet[0] + "." + octet[1] + "." + octet[2] + "." + octet[3]; + octet[2] = octet[0] + "." + octet[1] + "." + octet[2]; + octet[1] = octet[0] + "." + octet[1]; + + /* Reset the Hash module and send it our IV */ + HashResetRequest(Sender, HashProvider).Send(); + HashKeyRequest(Sender, HashProvider, iv).Send(); + + /* Send the Hash module a different hex table for each octet group's Hash sum */ + for (int k = 0; k < 4; k++) + { + HashHexRequest(Sender, HashProvider, xtab[(iv[k]+i[k]) % 4]).Send(); + ra[k] = std::string(HashSumRequest(Sender, HashProvider, octet[k]).Send()).substr(0,6); + } + /* Stick them all together */ + return std::string().append(ra[0]).append(".").append(ra[1]).append(".").append(ra[2]).append(".").append(ra[3]); } std::string Cloak6(const char* ip) { + /* Theyre using 4in6 (YUCK). Translate as ipv4 cloak */ + if (!strncmp(ip, "0::ffff:", 8)) + return Cloak4(ip + 8); + + /* If we get here, yes it really is an ipv6 ip */ unsigned int iv[] = { key1, key2, key3, key4 }; std::vector hashies; - std::string item = ""; + std::string item; int rounds = 0; - MD5ResetRequest(Sender, MD5Provider).Send(); - MD5KeyRequest(Sender, MD5Provider, iv).Send(); + /* Reset the Hash module and send it our IV */ + HashResetRequest(Sender, HashProvider).Send(); + HashKeyRequest(Sender, HashProvider, iv).Send(); for (const char* input = ip; *input; input++) { item += *input; - if (item.length() > 5) + if (item.length() > 7) { - MD5HexRequest(Sender, MD5Provider, xtab[(key1+rounds) % 4]).Send(); - hashies.push_back(std::string(MD5SumRequest(Sender, MD5Provider, item).Send()).substr(0,10)); - item = ""; + /* Send the Hash module a different hex table for each octet group's Hash sum */ + HashHexRequest(Sender, HashProvider, xtab[(key1+rounds) % 4]).Send(); + hashies.push_back(std::string(HashSumRequest(Sender, HashProvider, item).Send()).substr(0,8)); + item.clear(); } rounds++; } if (!item.empty()) { - MD5HexRequest(Sender, MD5Provider, xtab[(key1+rounds) % 4]).Send(); - hashies.push_back(std::string(MD5SumRequest(Sender, MD5Provider, item).Send()).substr(0,10)); - item = ""; + /* Send the Hash module a different hex table for each octet group's Hash sum */ + HashHexRequest(Sender, HashProvider, xtab[(key1+rounds) % 4]).Send(); + hashies.push_back(std::string(HashSumRequest(Sender, HashProvider, item).Send()).substr(0,8)); + item.clear(); } + /* Stick them all together */ return irc::stringjoiner(":", hashies, 0, hashies.size() - 1).GetJoined(); } - - /* XXX: Uncomment and call to use the test suite - void TestSuite() - { - printf("%s %s\n", "192.168.1.1", Cloak4("192.168.1.1").c_str()); - printf("%s %s\n", "192.168.1.2", Cloak4("192.168.1.2").c_str()); - printf("%s %s\n", "192.168.10.1", Cloak4("192.168.10.1").c_str()); - printf("%s %s\n", "192.168.10.1", Cloak4("192.168.10.2").c_str()); - printf("%s %s\n", "192.169.1.1", Cloak4("192.169.1.1").c_str()); - printf("%s %s\n", "192.169.2.1", Cloak4("192.169.2.1").c_str()); - printf("%s %s\n", "200.168.1.1", Cloak4("200.168.1.1").c_str()); - printf("%s %s\n", "200.168.1.3", Cloak4("200.168.1.3").c_str()); - printf("%s %s\n", "200.168.3.3", Cloak4("200.168.3.3").c_str()); - printf("%s %s\n", "200.169.4.3", Cloak4("200.169.4.3").c_str()); - printf("---\n"); - printf("%s %s\n", "9a05:2f00:3f11::5f12::1", Cloak6("9a05:2f00:3f11::5f12::1").c_str()); - printf("%s %s\n", "9a05:2f00:3f11::5f12::2", Cloak6("9a05:2f00:3f11::5f12::2").c_str()); - printf("%s %s\n", "9a05:2f00:3f11::5a12::1", Cloak6("9a05:2f00:3f11::5a12::1").c_str()); - printf("%s %s\n", "9a05:2f00:3f11::5a12::2", Cloak6("9a05:2f00:3f11::5a12::2").c_str()); - printf("%s %s\n", "9a05:3f01:3f11::5f12::1", Cloak6("9a05:3f01:3f11::5f12::1").c_str()); - printf("%s %s\n", "9a05:4f00:3f11::5f13::2", Cloak6("9a05:4f00:3f11::5f13::2").c_str()); - printf("%s %s\n", "ffff:2f00:3f11::5f12::1", Cloak6("ffff:2f00:3f11::5f12::1").c_str()); - printf("%s %s\n", "ffff:2f00:3f11::5f13::2", Cloak6("ffff:2f00:3f11::5f13::2").c_str()); - exit(0); - } - */ void DoRehash() { ConfigReader Conf(ServerInstance); - key1 = key2 = key3 = key4 = 0; - key1 = Conf.ReadInteger("cloak","key1",0,false); - key2 = Conf.ReadInteger("cloak","key2",0,false); - key3 = Conf.ReadInteger("cloak","key3",0,false); - key4 = Conf.ReadInteger("cloak","key4",0,false); + bool lowercase; + /* These are *not* using the need_positive parameter of ReadInteger - + * that will limit the valid values to only the positive values in a + * signed int. Instead, accept any value that fits into an int and + * cast it to an unsigned int. That will, a bit oddly, give us the full + * spectrum of an unsigned integer. - Special */ + key1 = key2 = key3 = key4 = 0; + key1 = (unsigned int) Conf.ReadInteger("cloak","key1",0,false); + key2 = (unsigned int) Conf.ReadInteger("cloak","key2",0,false); + key3 = (unsigned int) Conf.ReadInteger("cloak","key3",0,false); + key4 = (unsigned int) Conf.ReadInteger("cloak","key4",0,false); prefix = Conf.ReadValue("cloak","prefix",0); - if (prefix == "") + ipalways = Conf.ReadFlag("cloak", "ipalways", 0); + lowercase = Conf.ReadFlag("cloak", "lowercase", 0); + + if (!lowercase) { - prefix = ServerInstance->Config->Network; + xtab[0] = "F92E45D871BCA630"; + xtab[1] = "A1B9D80C72E653F4"; + xtab[2] = "1ABC078934DEF562"; + xtab[3] = "ABCDEF5678901234"; + } + else + { + xtab[0] = "f92e45d871bca630"; + xtab[1] = "a1b9d80c72e653f4"; + xtab[2] = "1abc078934def562"; + xtab[3] = "abcdef5678901234"; } - if (!key1 && !key2 && !key3 && !key4) + + if (prefix.empty()) + prefix = ServerInstance->Config->Network; + + if (!key1 || !key2 || !key3 || !key4) { - ModuleException ex("You have not defined cloak keys for m_cloaking!!! THIS IS INSECURE AND SHOULD BE CHECKED!"); - throw (ex); + std::string detail; + if (!key1) + detail = " is not valid, it may be set to a too high/low value, or it may not exist."; + else if (!key2) + detail = " is not valid, it may be set to a too high/low value, or it may not exist."; + else if (!key3) + detail = " is not valid, it may be set to a too high/low value, or it may not exist."; + else if (!key4) + detail = " is not valid, it may be set to a too high/low value, or it may not exist."; + + throw ModuleException("You have not defined cloak keys for m_cloaking!!! THIS IS INSECURE AND SHOULD BE CHECKED! - " + detail); } } }; @@ -248,71 +257,179 @@ class ModuleCloaking : public Module private: CloakUser* cu; - Module* MD5Module; + Module* HashModule; public: ModuleCloaking(InspIRCd* Me) - : Module::Module(Me) + : Module(Me) { - MD5Module = ServerInstance->FindModule("m_md5.so"); - if (!MD5Module) + /* Attempt to locate the md5 service provider, bail if we can't find it */ + HashModule = ServerInstance->Modules->Find("m_md5.so"); + if (!HashModule) throw ModuleException("Can't find m_md5.so. Please load m_md5.so before m_cloaking.so."); - /* Create new mode handler object */ - cu = new CloakUser(ServerInstance, this, MD5Module); + cu = new CloakUser(ServerInstance, this, HashModule); - /* Register it with the core */ - ServerInstance->AddMode(cu, 'x'); + try + { + OnRehash(NULL,""); + } + catch (ModuleException &e) + { + delete cu; + throw e; + } - OnRehash(""); + /* Register it with the core */ + if (!ServerInstance->Modes->AddMode(cu)) + { + delete cu; + throw ModuleException("Could not add new modes!"); + } + + ServerInstance->Modules->UseInterface("HashRequest"); + + Implementation eventlist[] = { I_OnRehash, I_OnUserDisconnect, I_OnCleanup, I_OnCheckBan, I_OnUserConnect, I_OnSyncUserMetaData }; + ServerInstance->Modules->Attach(eventlist, this, 6); + } + + void OnSyncUserMetaData(User* user, Module* proto,void* opaque, const std::string &extname, bool displayable) + { + if ((displayable) && (extname == "cloaked_host")) + { + std::string* cloak; + if (user->GetExt("cloaked_host", cloak)) + proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, *cloak); + } + } + + + virtual int OnCheckBan(User* user, Channel* chan) + { + char mask[MAXBUF]; + std::string* tofree; + /* Check if they have a cloaked host, but are not using it */ + if (user->GetExt("cloaked_host", tofree) && *tofree != user->dhost) + { + snprintf(mask, MAXBUF, "%s!%s@%s", user->nick, user->ident, tofree->c_str()); + for (BanList::iterator i = chan->bans.begin(); i != chan->bans.end(); i++) + { + if (match(mask,i->data)) + return -1; + } + } + return 0; + } + + void Prioritize() + { + /* Needs to be after m_banexception etc. */ + ServerInstance->Modules->SetPriority(this, I_OnCheckBan, PRIO_LAST); + } + + virtual void OnUserDisconnect(User* user) + { + std::string* tofree; + if (user->GetExt("cloaked_host", tofree)) + delete tofree; + } + + virtual void OnCleanup(int target_type, void* item) + { + if (target_type == TYPE_USER) + OnUserDisconnect((User*)item); } virtual ~ModuleCloaking() { ServerInstance->Modes->DelMode(cu); - DELETE(cu); + delete cu; + ServerInstance->Modules->DoneWithInterface("HashRequest"); } virtual Version GetVersion() { // returns the version number of the module to be // listed in /MODULES - return Version(1,1,0,2,VF_COMMON|VF_VENDOR,API_VERSION); + return Version(1,2,0,2,VF_COMMON|VF_VENDOR,API_VERSION); } - virtual void OnRehash(const std::string ¶meter) + virtual void OnRehash(User* user, const std::string ¶meter) { cu->DoRehash(); } - void Implements(char* List) + virtual void OnUserConnect(User* dest) { - List[I_OnRehash] = 1; - } -}; + char* n1 = strchr(dest->host,'.'); + char* n2 = strchr(dest->host,':'); -// stuff down here is the module-factory stuff. For basic modules you can ignore this. + if (n1 || n2) + { + unsigned int iv[] = { cu->key1, cu->key2, cu->key3, cu->key4 }; + std::string a = cu->LastTwoDomainParts(dest->host); + std::string b; + + /* InspIRCd users have two hostnames; A displayed + * hostname which can be modified by modules (e.g. + * to create vhosts, implement chghost, etc) and a + * 'real' hostname which you shouldnt write to. + */ + + /* 2008/08/18: add which always cloaks + * the IP, for anonymity. --nenolod + */ + if (!cu->ipalways) + { + /** Reset the Hash module, and send it our IV and hex table */ + HashResetRequest(this, cu->HashProvider).Send(); + HashKeyRequest(this, cu->HashProvider, iv).Send(); + HashHexRequest(this, cu->HashProvider, cu->xtab[(*dest->host) % 4]); + + /* Generate a cloak using specialized Hash */ + std::string hostcloak = cu->prefix + "-" + std::string(HashSumRequest(this, cu->HashProvider, dest->host).Send()).substr(0,8) + a; + + /* Fix by brain - if the cloaked host is > the max length of a host (64 bytes + * according to the DNS RFC) then tough titty, they get cloaked as an IP. + * Their ISP shouldnt go to town on subdomains, or they shouldnt have a kiddie + * vhost. + */ +#ifdef IPV6 + in6_addr testaddr; + in_addr testaddr2; + if ((dest->GetProtocolFamily() == AF_INET6) && (inet_pton(AF_INET6,dest->host,&testaddr) < 1) && (hostcloak.length() <= 64)) + /* Invalid ipv6 address, and ipv6 user (resolved host) */ + b = hostcloak; + else if ((dest->GetProtocolFamily() == AF_INET) && (inet_aton(dest->host,&testaddr2) < 1) && (hostcloak.length() <= 64)) + /* Invalid ipv4 address, and ipv4 user (resolved host) */ + b = hostcloak; + else + /* Valid ipv6 or ipv4 address (not resolved) ipv4 or ipv6 user */ + b = ((!strchr(dest->host,':')) ? cu->Cloak4(dest->host) : cu->Cloak6(dest->host)); +#else + in_addr testaddr; + if ((inet_aton(dest->host,&testaddr) < 1) && (hostcloak.length() <= 64)) + /* Invalid ipv4 address, and ipv4 user (resolved host) */ + b = hostcloak; + else + /* Valid ipv4 address (not resolved) ipv4 user */ + b = cu->Cloak4(dest->host); +#endif + } + else + { +#ifdef IPV6 + if (dest->GetProtocolFamily() == AF_INET6) + b = cu->Cloak6(dest->GetIPString()); +#endif + if (dest->GetProtocolFamily() == AF_INET) + b = cu->Cloak4(dest->GetIPString()); + } -class ModuleCloakingFactory : public ModuleFactory -{ - public: - ModuleCloakingFactory() - { - } - - ~ModuleCloakingFactory() - { - } - - virtual Module * CreateModule(InspIRCd* Me) - { - return new ModuleCloaking(Me); + dest->Extend("cloaked_host", new std::string(b)); + } } - -}; +}; -extern "C" void * init_module( void ) -{ - return new ModuleCloakingFactory; -} +MODULE_INIT(ModuleCloaking)