void start_auth(struct Client* client)
{
struct AuthRequest* auth = 0;
assert(0 != client);
if (conf_check_slines(client)) {
sendheader(client, REPORT_USING_SLINE);
SetSLined(client);
release_auth_client(client);
return;
}
auth = make_auth_request(client);
assert(0 != auth);
Debug((DEBUG_INFO, "Beginning auth request on client %p", client));
if (!feature_bool(FEAT_NODNS)) {
if (LOOPBACK == inet_netof(cli_ip(client)))
strcpy(cli_sockhost(client), cli_name(&me));
else {
struct DNSQuery query;
query.vptr = auth;
query.callback = auth_dns_callback;
if (IsUserPort(auth->client))
sendheader(client, REPORT_DO_DNS);
cli_dns_reply(client) = gethost_byaddr((const char*) &(cli_ip(client)),
&query);
if (cli_dns_reply(client)) {
++(cli_dns_reply(client))->ref_count;
ircd_strncpy(cli_sockhost(client), cli_dns_reply(client)->hp->h_name,
HOSTLEN);
if (IsUserPort(auth->client))
sendheader(client, REPORT_FIN_DNSC);
Debug((DEBUG_LIST, "DNS entry for %p was cached", auth->client));
} else
SetDNSPending(auth);
}
}
if (start_auth_query(auth)) {
Debug((DEBUG_LIST, "identd query for %p initiated successfully",
auth->client));
link_auth_request(auth, &AuthPollList);
} else if (IsDNSPending(auth)) {
Debug((DEBUG_LIST, "identd query for %p not initiated successfully; "
"waiting on DNS", auth->client));
link_auth_request(auth, &AuthIncompleteList);
} else {
Debug((DEBUG_LIST, "identd query for %p not initiated successfully; "
"no DNS pending; releasing immediately", auth->client));
free_auth_request(auth);
release_auth_client(client);
}
}
/** Find Except configuration for \a cptr with flags matching \a flags
* @param[in] cptr Client to match an Except configuration against.
* @param[in] mask Bitmask of EFLAG_* flags to test for exemption.
* @return -1 if an exception was found, 0 otherwise.
*/
int find_except_conf(struct Client *cptr, int flags)
{
struct ExceptConf *econf;
if (flags & EFLAG_IPCHECK) {
if (IsIPCheckExempt(cptr))
return -1;
if (IsNotIPCheckExempt(cptr))
return 0;
}
for(econf = exceptConfList; econf; econf = econf->next) {
if (!(econf->flags & flags))
continue;
if (econf->usermask && match(econf->usermask, cli_username(cptr)))
continue;
if (econf->bits > 0) {
if (!ipmask_check(&cli_ip(cptr), &econf->address, econf->bits))
continue;
} else if (econf->hostmask && match(econf->hostmask, cli_sockhost(cptr)))
continue;
if (econf->flags & EFLAG_IPCHECK)
SetIPCheckExempt(cptr);
return -1;
}
if (flags & EFLAG_IPCHECK)
SetNotIPCheckExempt(cptr);
return 0;
}
/** Find a ConfItem that has the same name and user+host fields as
* specified. Requires an exact match for \a name.
* @param name Name to match
* @param cptr Client to match against
* @param statmask Filter for ConfItem::status
* @return First found matching ConfItem.
*/
struct ConfItem* find_conf_exact(const char* name, struct Client *cptr, int statmask)
{
struct ConfItem *tmp;
for (tmp = GlobalConfList; tmp; tmp = tmp->next) {
if (!(tmp->status & statmask) || !tmp->name || !tmp->host ||
0 != ircd_strcmp(tmp->name, name))
continue;
if (tmp->username
&& (EmptyString(cli_username(cptr))
|| match(tmp->username, cli_username(cptr))))
continue;
if (tmp->addrbits < 0)
{
if (match(tmp->host, cli_sockhost(cptr)))
continue;
}
else if (!ipmask_check(&cli_ip(cptr), &tmp->address.addr, tmp->addrbits))
continue;
if ((tmp->status & CONF_OPERATOR)
&& (MaxLinks(tmp->conn_class) > 0)
&& (tmp->clients >= MaxLinks(tmp->conn_class)))
continue;
return tmp;
}
return 0;
}
/** Find Spoofhost configuration for \a cptr with spoof host matching host and
* a password matching \a passwd
* @param[in] cptr Client to match Spoofhost configuration against.
* @param[in] host Spoofhost host to look for, if NULL look for an autoapply Spoofhost.
* @param[in] passwd Password to compare against Spoofhost configuration.
* @param[out] status 0 for Success, 1 for invalid password and 2 for no Spoofhost configuration.
* @return SHostConf struct of matching Spoofhost configuration or 0 on error.
*/
struct SHostConf* find_shost_conf(struct Client *cptr, char *host, char *passwd, int *status)
{
struct SHostConf* sconf;
char *crypted;
int res = 0;
*status = 2;
for(sconf = shostConfList; sconf; sconf = sconf->next) {
if ((host == NULL) && !(sconf->flags & SHFLAG_AUTOAPPLY))
continue;
if (host != NULL) {
if (!(sconf->flags & SHFLAG_ISMASK) && strcmp(sconf->spoofhost, host))
continue;
if ((sconf->flags & SHFLAG_ISMASK) && match(sconf->spoofhost, host))
continue;
}
if (sconf->usermask) {
if (match(sconf->usermask, cli_username(cptr)) &&
!((sconf->flags & SHFLAG_MATCHUSER) && !match(sconf->usermask, cli_user(cptr)->username)))
continue;
}
if (sconf->bits > 0) {
if (!ipmask_check(&cli_ip(cptr), &sconf->address, sconf->bits))
continue;
} else if (sconf->hostmask && match(sconf->hostmask, cli_sockhost(cptr)))
continue;
*status = 1;
res = 0;
if ((host == NULL) && (sconf->flags & SHFLAG_AUTOAPPLY)) {
*status = 0;
return sconf;
}
if (EmptyString(passwd) && !EmptyString(sconf->passwd))
continue;
if (!EmptyString(passwd) && EmptyString(sconf->passwd))
continue;
if (!EmptyString(passwd) && !EmptyString(sconf->passwd)) {
crypted = ircd_crypt(passwd, sconf->passwd);
if (!crypted)
continue;
res = strcmp(crypted, sconf->passwd);
MyFree(crypted);
}
if (0 == res) {
*status = 0;
return sconf;
}
}
return 0;
}
/** Attempt to attach Client blocks to \a cptr. If attach_iline()
* fails for the client, emit a debugging message.
* @param cptr Client to check for access.
* @return Access check result.
*/
enum AuthorizationCheckResult conf_check_client(struct Client *cptr)
{
enum AuthorizationCheckResult acr = ACR_OK;
if ((acr = attach_iline(cptr))) {
Debug((DEBUG_DNS, "ch_cl: access denied: %s[%s]",
cli_name(cptr), cli_sockhost(cptr)));
return acr;
}
return ACR_OK;
}
/*
* release_auth_client - release auth client from auth system
* this adds the client into the local client lists so it can be read by
* the main io processing loop
*/
static void release_auth_client(struct Client* client)
{
assert(0 != client);
cli_auth(client) = 0;
cli_lasttime(client) = cli_since(client) = CurrentTime;
if (cli_fd(client) > HighestFd)
HighestFd = cli_fd(client);
LocalClientArray[cli_fd(client)] = client;
add_client_to_list(client);
socket_events(&(cli_socket(client)), SOCK_ACTION_SET | SOCK_EVENT_READABLE);
Debug((DEBUG_INFO, "Auth: release_auth_client %s@%s[%s]",
cli_username(client), cli_sockhost(client), cli_sock_ip(client)));
}
/** Get all the exception flags that apply to the client \a cptr
* @param[in] cptr Client to find the exception flags for.
* @return Bitmask of all the exception flags found to apply to \a cptr
*/
int get_except_flags(struct Client *cptr)
{
int flags = 0;
struct ExceptConf *econf;
for(econf = exceptConfList; econf; econf = econf->next) {
if (econf->usermask && match(econf->usermask, cli_username(cptr)))
continue;
if (econf->bits > 0) {
if (!ipmask_check(&cli_ip(cptr), &econf->address, econf->bits))
continue;
} else if (econf->hostmask && match(econf->hostmask, cli_sockhost(cptr)))
continue;
flags |= econf->flags;
}
return flags;
}
/** Find WebIRC configuration for \a cptr with password matching \a passwd
* @param[in] cptr Client to match WebIRC configuration against.
* @param[in] passwd Password to compare against WebIRC configuration.
* @param[out] status 0 for Success, 1 for invalid password and 2 for no WebIRC configuration.
* @return WebIRCConf struct of matching WebIRC configuration or 0 on error.
*/
struct WebIRCConf* find_webirc_conf(struct Client *cptr, char *passwd, int* status)
{
struct WebIRCConf *wconf;
char *crypted;
int res;
*status = 2;
if (!passwd)
return 0;
for(wconf = webircConfList; wconf; wconf = wconf->next) {
if (wconf->usermask && match(wconf->usermask, cli_username(cptr)))
continue;
if (wconf->bits > 0) {
if (!ipmask_check(&cli_ip(cptr), &wconf->address, wconf->bits))
continue;
} else if (wconf->hostmask && match(wconf->hostmask, cli_sockhost(cptr)))
continue;
*status = 1;
if (!wconf->passwd) {
*status = 0;
return wconf;
}
crypted = ircd_crypt(passwd, wconf->passwd);
if (!crypted)
continue;
res = strcmp(crypted, wconf->passwd);
MyFree(crypted);
if (0 == res) {
*status = 0;
return wconf;
}
}
return 0;
}
/** Find the first (best) Client block to attach.
* @param cptr Client for whom to check rules.
* @return Authorization check result.
*/
enum AuthorizationCheckResult attach_iline(struct Client* cptr)
{
struct ConfItem* aconf;
assert(0 != cptr);
for (aconf = GlobalConfList; aconf; aconf = aconf->next) {
if (aconf->status != CONF_CLIENT)
continue;
/* If you change any of this logic, please make corresponding
* changes in conf_debug_iline() below.
*/
if (aconf->address.port && aconf->address.port != cli_listener(cptr)->addr.port)
continue;
if (aconf->username && match(aconf->username, cli_username(cptr)))
continue;
if (aconf->host && match(aconf->host, cli_sockhost(cptr)))
continue;
if (aconf->countrymask && match(aconf->countrymask, cli_countrycode(cptr)))
continue;
if (aconf->continentmask && match(aconf->continentmask, cli_continentcode(cptr)))
continue;
if ((aconf->addrbits >= 0)
&& !ipmask_check(&cli_ip(cptr), &aconf->address.addr, aconf->addrbits))
continue;
if (IPcheck_nr(cptr) > aconf->maximum)
return ACR_TOO_MANY_FROM_IP;
if (aconf->redirserver && !EmptyString(aconf->redirserver)) {
send_reply(cptr, RPL_BOUNCE, aconf->redirserver, aconf->redirport);
return ACR_NO_AUTHORIZATION;
}
if (aconf->username && !IsWebIRCUserIdent(cptr) && (aconf->flags & CONF_NOIDENTTILDE))
SetFlag(cptr, FLAG_DOID);
return attach_conf(cptr, aconf);
}
return ACR_NO_AUTHORIZATION;
}
/** Find the first matching MOTD block for a user.
* If the user is remote, always use remote MOTD.
* Otherwise, if there is a hostmask- or class-based MOTD that matches
* the user, use it.
* Otherwise, use the local MOTD.
* @param[in] cptr Client to find MOTD for.
* @return Pointer to first matching MOTD for the client.
*/
static struct Motd *
motd_lookup(struct Client *cptr)
{
struct Motd *ptr;
char *c_class = NULL;
assert(0 != cptr);
if (!MyUser(cptr)) /* not my user, always return remote motd */
return MotdList.remote;
c_class = get_client_class(cptr);
assert(c_class != NULL);
/* check the motd blocks first */
for (ptr = MotdList.other; ptr; ptr = ptr->next)
{
if (ptr->type == MOTD_CLASS
&& !match(ptr->hostmask, c_class))
return ptr;
else if (ptr->type == MOTD_HOSTMASK
&& !match(ptr->hostmask, cli_sockhost(cptr)))
return ptr;
else if (ptr->type == MOTD_IPMASK
&& ipmask_check(&cli_ip(cptr), &ptr->address, ptr->addrbits))
return ptr;
else if (ptr->type == MOTD_COUNTRY
&& !match(ptr->hostmask, cli_countrycode(cptr)))
return ptr;
else if (ptr->type == MOTD_CONTINENT
&& !match(ptr->hostmask, cli_continentcode(cptr)))
return ptr;
}
return MotdList.local; /* Ok, return the default motd */
}
int get_eflags(struct Client *sptr, struct Client *acptr) {
struct eline *eline;
unsigned int e_flag = 0;
int found = 0;
char outbuf[BUFSIZE];
char i_host[SOCKIPLEN + USERLEN + 2];
char s_host[HOSTLEN + USERLEN + 2];
ircd_snprintf(0, i_host, USERLEN+SOCKIPLEN+2, "%s@%s", cli_username(acptr), ircd_ntoa((const char*) &(cli_ip(acptr))));
ircd_snprintf(0, s_host, USERLEN+HOSTLEN+2, "%s@%s", cli_username(acptr), cli_sockhost(acptr));
for (eline = GlobalEList; eline; eline = eline->next) {
char* ip_start;
char* cidr_start;
in_addr_t cli_addr = 0;
*outbuf = '\0';
e_flag = eflagstr(eline->flags);
if (s_host) {
if ((match(eline->mask, s_host) == 0) || (match(eline->mask, i_host) == 0)) {
found = 1;
}
}
if ((ip_start = strrchr(i_host, '@')))
cli_addr = inet_addr(ip_start + 1);
if ((ip_start = strrchr(eline->mask, '@')) && (cidr_start = strchr(ip_start + 1, '/'))) {
int bits = atoi(cidr_start + 1);
char* p = strchr(i_host, '@');
if (p) {
*p = *ip_start = 0;
if (match(eline->mask, i_host) == 0) {
if ((bits > 0) && (bits < 33)) {
in_addr_t ban_addr;
*cidr_start = 0;
ban_addr = inet_addr(ip_start + 1);
*cidr_start = '/';
if ((NETMASK(bits) & cli_addr) == ban_addr) {
*p = *ip_start = '@';
found = 1;
}
}
}
*p = *ip_start = '@';
}
}
if (found) {
strcat(outbuf, " Exemptions:: ");
if (e_flag & EFLAG_KLINE) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "K:Lines");
}
if (e_flag & EFLAG_GLINE) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "G:Lines");
}
if (e_flag & EFLAG_SHUN) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "Shuns");
}
if (e_flag & EFLAG_ZLINE) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "Z:Lines");
}
if (e_flag & EFLAG_SFILTER) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "Spamfilters");
}
if (e_flag & EFLAG_LIST) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "List Delays");
}
if (e_flag & EFLAG_IDENT) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "Ident Prompts");
}
if ((e_flag & EFLAG_IPCHECK) && IsIPCheckExempted(acptr)) {
if (strlen(outbuf) > 21)
strcat(outbuf, ", ");
strcat(outbuf, "IPCheck");
}
if (strlen(outbuf) > 18)
send_reply(sptr, RPL_DATASTR, outbuf);
}
found = 0;
}
return 0;
}
/** Searches for a K/G-line for a client. If one is found, notify the
* user and disconnect them.
* @param cptr Client to search for.
* @return 0 if client is accepted; -1 if client was locally denied
* (K-line); -2 if client was globally denied (G-line); -3 if client
* was globally IP denied (Z-line).
*/
int find_kill(struct Client *cptr)
{
const char* host;
const char* name;
const char* realname;
const char* country;
const char* continent;
const char* version;
struct DenyConf* deny;
struct Gline* agline = NULL;
struct Zline* azline = NULL;
assert(0 != cptr);
if (!cli_user(cptr))
return 0;
host = cli_sockhost(cptr);
name = cli_user(cptr)->username;
realname = cli_info(cptr);
country = cli_countrycode(cptr);
continent = cli_continentcode(cptr);
version = cli_version(cptr);
assert(strlen(host) <= HOSTLEN);
assert((name ? strlen(name) : 0) <= HOSTLEN);
assert((realname ? strlen(realname) : 0) <= REALLEN);
assert((country ? strlen(country) : 0) <= 3);
assert((continent ? strlen(continent) : 0) <= 3);
assert((version ? strlen(version) : 0) <= VERSIONLEN);
/* 2000-07-14: Rewrote this loop for massive speed increases.
* -- Isomer
*/
if (!find_except_conf(cptr, EFLAG_KLINE)) {
for (deny = denyConfList; deny; deny = deny->next) {
if (deny->usermask && match(deny->usermask, name))
continue;
if (deny->realmask && match(deny->realmask, realname))
continue;
if (deny->countrymask && country && match(deny->countrymask, country))
continue;
if (deny->continentmask && continent && match(deny->continentmask, continent))
continue;
if (feature_bool(FEAT_CTCP_VERSIONING) && feature_bool(FEAT_CTCP_VERSIONING_KILL)) {
if (deny->version && version && match(deny->version, version))
continue;
}
if (deny->bits > 0) {
if (!ipmask_check(&cli_ip(cptr), &deny->address, deny->bits))
continue;
} else if (deny->hostmask && match(deny->hostmask, host))
continue;
if ((deny->flags & DENY_FLAGS_AUTHEX) && IsAccount(cptr)) {
if (!EmptyString(deny->mark) && EmptyString(cli_killmark(cptr)))
ircd_strncpy(cli_killmark(cptr), deny->mark, BUFSIZE);
continue;
}
if (EmptyString(deny->message))
send_reply(cptr, SND_EXPLICIT | ERR_YOUREBANNEDCREEP,
":Connection from your host is refused on this server.");
else {
if (deny->flags & DENY_FLAGS_FILE)
killcomment(cptr, deny->message);
else
send_reply(cptr, SND_EXPLICIT | ERR_YOUREBANNEDCREEP, ":%s.", deny->message);
}
return -1;
}
}
/* Check Zlines here just in case a spoofed IP matches */
if (!feature_bool(FEAT_DISABLE_ZLINES) && (azline = zline_lookup(cptr, 0))) {
/*
* find active zlines
* added a check against the user's IP address to find_zline()
*/
send_reply(cptr, SND_EXPLICIT | ERR_YOUREBANNEDCREEP, ":%s.", ZlineReason(azline));
return -3;
}
/* Don't need to do an except lookup here as it's done in gline_lookup() */
if (!feature_bool(FEAT_DISABLE_GLINES) && (agline = gline_lookup(cptr, 0))) {
/*
* find active glines
* added a check against the user's IP address to find_gline() -Kev
*/
send_reply(cptr, SND_EXPLICIT | ERR_YOUREBANNEDCREEP, ":%s.", GlineReason(agline));
return -2;
}
return 0;
}
/*
* auth_dns_callback - called when resolver query finishes
* if the query resulted in a successful search, hp will contain
* a non-null pointer, otherwise hp will be null.
* set the client on it's way to a connection completion, regardless
* of success of failure
*/
static void auth_dns_callback(void* vptr, struct DNSReply* reply)
{
struct AuthRequest* auth = (struct AuthRequest*) vptr;
assert(0 != auth);
/*
* need to do this here so auth_kill_client doesn't
* try have the resolver delete the query it's about
* to delete anyways. --Bleep
*/
ClearDNSPending(auth);
if (reply) {
const struct hostent* hp = reply->hp;
int i;
assert(0 != hp);
/*
* Verify that the host to ip mapping is correct both ways and that
* the ip#(s) for the socket is listed for the host.
*/
for (i = 0; hp->h_addr_list[i]; ++i) {
if (0 == memcmp(hp->h_addr_list[i], &(cli_ip(auth->client)),
sizeof(struct in_addr)))
break;
}
if (!hp->h_addr_list[i]) {
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_IP_MISMATCH);
sendto_opmask_butone(0, SNO_IPMISMATCH, "IP# Mismatch: %s != %s[%s]",
cli_sock_ip(auth->client), hp->h_name,
ircd_ntoa(hp->h_addr_list[0]));
if (feature_bool(FEAT_KILL_IPMISMATCH)) {
auth_kill_client(auth);
return;
}
} else if (!auth_verify_hostname(hp->h_name, HOSTLEN)) {
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_INVAL_DNS);
} else {
++reply->ref_count;
cli_dns_reply(auth->client) = reply;
ircd_strncpy(cli_sockhost(auth->client), hp->h_name, HOSTLEN);
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_FIN_DNS);
}
}
else {
/*
* this should have already been done by s_bsd.c in add_connection
*
* strcpy(auth->client->sockhost, auth->client->sock_ip);
*/
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_FAIL_DNS);
}
if (!IsDoingAuth(auth)) {
release_auth_client(auth->client);
unlink_auth_request(auth, &AuthIncompleteList);
free_auth_request(auth);
}
}
/** Check access for a server given its name (passed in cptr struct).
* Must check for all C/N lines which have a name which matches the
* name given and a host which matches. A host alias which is the
* same as the server name is also acceptable in the host field of a
* C/N line.
* @param cptr Peer server to check.
* @return 0 if accepted, -1 if access denied.
*/
int conf_check_server(struct Client *cptr)
{
struct ConfItem* c_conf = NULL;
struct SLink* lp;
Debug((DEBUG_DNS, "sv_cl: check access for %s[%s]",
cli_name(cptr), cli_sockhost(cptr)));
if (IsUnknown(cptr) && !attach_confs_byname(cptr, cli_name(cptr), CONF_SERVER)) {
Debug((DEBUG_DNS, "No C/N lines for %s", cli_sockhost(cptr)));
return -1;
}
lp = cli_confs(cptr);
/*
* We initiated this connection so the client should have a C and N
* line already attached after passing through the connect_server()
* function earlier.
*/
if (IsConnecting(cptr) || IsHandshake(cptr)) {
c_conf = find_conf_byname(lp, cli_name(cptr), CONF_SERVER);
if (!c_conf) {
sendto_opmask_butone(0, SNO_OLDSNO,
"Connect Error: lost Connect block for %s",
cli_name(cptr));
det_confs_butmask(cptr, 0);
return -1;
}
}
/* Try finding the Connect block by DNS name and IP next. */
if (!c_conf && !(c_conf = find_conf_byhost(lp, cli_sockhost(cptr), CONF_SERVER)))
c_conf = find_conf_byip(lp, &cli_ip(cptr), CONF_SERVER);
/*
* Attach by IP# only if all other checks have failed.
* It is quite possible to get here with the strange things that can
* happen when using DNS in the way the irc server does. -avalon
*/
if (!c_conf)
c_conf = find_conf_byip(lp, &cli_ip(cptr), CONF_SERVER);
/*
* detach all conf lines that got attached by attach_confs()
*/
det_confs_butmask(cptr, 0);
/*
* if no Connect block, then deny access
*/
if (!c_conf) {
Debug((DEBUG_DNS, "sv_cl: access denied: %s[%s@%s]",
cli_name(cptr), cli_username(cptr), cli_sockhost(cptr)));
return -1;
}
/*
* attach the Connect block to the client structure for later use.
*/
attach_conf(cptr, c_conf);
if (!irc_in_addr_valid(&c_conf->address.addr))
memcpy(&c_conf->address.addr, &cli_ip(cptr), sizeof(c_conf->address.addr));
Debug((DEBUG_DNS, "sv_cl: access ok: %s[%s]",
cli_name(cptr), cli_sockhost(cptr)));
return 0;
}
/** Start a connection to another server.
* @param aconf Connect block data for target server.
* @param by Client who requested the connection (if any).
* @return Non-zero on success; zero on failure.
*/
int connect_server(struct ConfItem* aconf, struct Client* by)
{
struct Client* cptr = 0;
assert(0 != aconf);
if (aconf->dns_pending) {
sendto_opmask_butone(0, SNO_OLDSNO, "Server %s connect DNS pending",
aconf->name);
return 0;
}
Debug((DEBUG_NOTICE, "Connect to %s[@%s]", aconf->name,
ircd_ntoa(&aconf->address.addr)));
if ((cptr = FindClient(aconf->name))) {
if (IsServer(cptr) || IsMe(cptr)) {
sendto_opmask_butone(0, SNO_OLDSNO, "Server %s already present from %s",
aconf->name, cli_name(cli_from(cptr)));
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Server %s already present "
"from %s", by, aconf->name, cli_name(cli_from(cptr)));
}
return 0;
}
else if (IsHandshake(cptr) || IsConnecting(cptr)) {
if (by && IsUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Connection to %s already in "
"progress", by, cli_name(cptr));
}
return 0;
}
}
/*
* If we don't know the IP# for this host and it is a hostname and
* not a ip# string, then try and find the appropriate host record.
*/
if (!irc_in_addr_valid(&aconf->address.addr)
&& !ircd_aton(&aconf->address.addr, aconf->host)) {
char buf[HOSTLEN + 1];
host_from_uh(buf, aconf->host, HOSTLEN);
gethost_byname(buf, connect_dns_callback, aconf);
aconf->dns_pending = 1;
return 0;
}
cptr = make_client(NULL, STAT_UNKNOWN_SERVER);
/*
* Copy these in so we have something for error detection.
*/
ircd_strncpy(cli_name(cptr), aconf->name, HOSTLEN);
ircd_strncpy(cli_sockhost(cptr), aconf->host, HOSTLEN);
/*
* Attach config entries to client here rather than in
* completed_connection. This to avoid null pointer references
*/
attach_confs_byhost(cptr, aconf->host, CONF_SERVER);
if (!find_conf_byhost(cli_confs(cptr), aconf->host, CONF_SERVER)) {
sendto_opmask_butone(0, SNO_OLDSNO, "Host %s is not enabled for "
"connecting: no Connect block", aconf->name);
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Connect to host %s failed: no "
"Connect block", by, aconf->name);
}
det_confs_butmask(cptr, 0);
free_client(cptr);
return 0;
}
/*
* attempt to connect to the server in the conf line
*/
if (!connect_inet(aconf, cptr)) {
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Couldn't connect to %s", by,
cli_name(cptr));
}
det_confs_butmask(cptr, 0);
free_client(cptr);
return 0;
}
/*
* NOTE: if we're here we have a valid C:Line and the client should
* have started the connection and stored the remote address/port and
* ip address name in itself
*
* The socket has been connected or connect is in progress.
*/
make_server(cptr);
if (by && IsUser(by)) {
ircd_snprintf(0, cli_serv(cptr)->by, sizeof(cli_serv(cptr)->by), "%s%s",
NumNick(by));
assert(0 == cli_serv(cptr)->user);
cli_serv(cptr)->user = cli_user(by);
cli_user(by)->refcnt++;
}
else {
*(cli_serv(cptr))->by = '\0';
/* strcpy(cptr->serv->by, "Auto"); */
}
cli_serv(cptr)->up = &me;
SetConnecting(cptr);
if (cli_fd(cptr) > HighestFd)
HighestFd = cli_fd(cptr);
LocalClientArray[cli_fd(cptr)] = cptr;
Count_newunknown(UserStats);
/* Actually we lie, the connect hasn't succeeded yet, but we have a valid
* cptr, so we register it now.
* Maybe these two calls should be merged.
*/
add_client_to_list(cptr);
hAddClient(cptr);
/* nextping = CurrentTime; */
return (s_state(&cli_socket(cptr)) == SS_CONNECTED) ?
completed_connection(cptr) : 1;
}
int ms_challenge(struct Client *cptr, struct Client *sptr, int parc, char *parv[])
{
#ifdef USE_SSL
struct ConfItem *aconf;
RSA *rsa_public_key;
BIO *file = NULL;
char *challenge = NULL;
char *name;
char *tmpname;
char chan[CHANNELLEN-1];
char* join[2];
int nl;
struct Client *acptr = NULL;
char *privbuf;
if (!IsServer(cptr))
return 0;
/* if theyre an oper, reprint oper motd and ignore */
if (IsOper(sptr))
{
send_reply(sptr, RPL_YOUREOPER);
if (feature_bool(FEAT_OPERMOTD))
m_opermotd(sptr, sptr, 1, parv);
}
if (parc < 3) {
return send_reply(sptr, ERR_NOOPERHOST);
}
if (!(acptr = FindNServer(parv[1]))) {
return send_reply(sptr, ERR_NOOPERHOST);
} else if (!IsMe(acptr)) {
sendcmdto_one(sptr, CMD_CHALLENGE, acptr, "%C %s %s", acptr, parv[2],
parv[3]);
return 0;
}
if (*parv[2] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if (cli_user(sptr)->response == NULL)
return 0;
if (ircd_strcmp(cli_user(sptr)->response, ++parv[2]))
{
send_reply(sptr, ERR_PASSWDMISMATCH);
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (Password Incorrect)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
tmpname = strdup(cli_user(sptr)->auth_oper);
failed_challenge_notice(sptr, tmpname, "challenge failed");
return 0;
}
name = strdup(cli_user(sptr)->auth_oper);
aconf = find_conf_exact(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
MyUser(sptr) ? cli_sockhost(sptr) :
cli_user(sptr)->realhost, CONF_OPS);
if (!aconf)
aconf = find_conf_exact(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
ircd_ntoa((const char*) &(cli_ip(sptr))), CONF_OPS);
if (!aconf)
aconf = find_conf_cidr(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
cli_ip(sptr), CONF_OPS);
if (!aconf)
{
send_reply(sptr, ERR_NOOPERHOST);
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (No O:line)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
return 0;
}
if (CONF_LOCOP == aconf->status) {
ClearOper(sptr);
SetLocOp(sptr);
}
else {
/* This must be called before client_set_privs() */
SetRemoteOper(sptr);
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_WHOIS)) {
OSetWhois(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_IDLE)) {
OSetIdle(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_XTRAOP)) {
OSetXtraop(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_HIDECHANS)) {
OSetHideChans(sptr);
}
/* prevent someone from being both oper and local oper */
ClearLocOp(sptr);
if (!feature_bool(FEAT_OPERFLAGS) || !(aconf->port & OFLAG_ADMIN)) {
/* Global Oper */
ClearAdmin(sptr);
OSetGlobal(sptr);
SetOper(sptr);
} else {
/* Admin */
OSetGlobal(sptr);
OSetAdmin(sptr);
SetOper(sptr);
SetAdmin(sptr);
}
/* Tell client_set_privs to send privileges to the user */
client_set_privs(sptr, aconf);
ClearOper(sptr);
ClearAdmin(sptr);
ClearRemoteOper(sptr);
privbuf = client_print_privs(sptr);
sendcmdto_one(&me, CMD_PRIVS, sptr, "%C %s", sptr, privbuf);
}
sendcmdto_one(&me, CMD_MODE, sptr, "%s %s", cli_name(sptr),
(OIsAdmin(sptr)) ? "+aoiwsg" : "+oiwsg");
send_reply(sptr, RPL_YOUREOPER);
if (OIsAdmin(sptr)) {
sendto_allops(&me, SNO_OLDSNO, "%s (%s@%s) is now an IRC Administrator",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr));
/* Autojoin admins to admin channel and oper channel (if enabled) */
if (feature_bool(FEAT_AUTOJOIN_ADMIN)) {
if (feature_bool(FEAT_AUTOJOIN_ADMIN_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_ADMIN_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_ADMIN_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
if (feature_bool(FEAT_AUTOJOIN_OPER) && OIsGlobal(sptr)) {
if (feature_bool(FEAT_AUTOJOIN_OPER_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_OPER_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_OPER_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
} else {
sendto_allops(&me, SNO_OLDSNO, "%s (%s@%s) is now an IRC Operator (%c)",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr),
OIsGlobal(sptr) ? 'O' : 'o');
if (feature_bool(FEAT_AUTOJOIN_OPER) && OIsGlobal(sptr)) {
if (feature_bool(FEAT_AUTOJOIN_OPER_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_OPER_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_OPER_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
}
if (feature_bool(FEAT_OPERMOTD))
m_opermotd(sptr, sptr, 1, parv);
log_write(LS_OPER, L_INFO, 0, "OPER (%s) by (%#C)", name, sptr);
ircd_snprintf(0, cli_user(sptr)->response, BUFSIZE+1, "%s", "");
return 0;
}
ircd_snprintf(0, cli_user(sptr)->response, BUFSIZE+1, "%s", "");
ircd_snprintf(0, cli_user(sptr)->auth_oper, NICKLEN+1, "%s", "");
aconf = find_conf_exact(parv[2], cli_user(sptr)->realusername,
cli_user(sptr)->realhost, CONF_OPS);
if (!aconf)
aconf = find_conf_exact(parv[2], cli_user(sptr)->realusername,
ircd_ntoa((const char*) &(cli_ip(sptr))), CONF_OPS);
if (!aconf)
aconf = find_conf_cidr(parv[2], cli_user(sptr)->realusername,
cli_ip(sptr), CONF_OPS);
if (aconf == NULL)
{
send_reply(sptr, ERR_NOOPERHOST);
failed_challenge_notice(sptr, parv[2], "No o:line");
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (No O:line)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
return 0;
}
if (!(aconf->port & OFLAG_REMOTE)) {
send_reply(sptr, ERR_NOOPERHOST);
sendto_allops(&me, SNO_OLDREALOP,
"Failed OPER attempt by %s (%s@%s) (Remote Oper)", parv[0],
cli_user(sptr)->realusername, cli_user(sptr)->realhost);
return 0;
}
if (!(aconf->port & OFLAG_RSA))
{
send_reply(sptr, RPL_NO_CHALL);
return 0;
}
if (!verify_sslclifp(sptr, aconf))
{
sendto_allops(&me, SNO_OLDREALOP,
"Failed OPER attempt by %s (%s@%s) (SSL Fingerprint Missmatch)",
parv[0], cli_user(sptr)->realusername,
cli_user(sptr)->realhost);
send_reply(sptr, ERR_SSLCLIFP);
return 0;
}
if ((file = BIO_new_file(aconf->passwd, "r")) == NULL)
{
send_reply(sptr, RPL_NO_KEY);
return 0;
}
rsa_public_key = (RSA *)PEM_read_bio_RSA_PUBKEY(file, NULL, 0, NULL);
if (rsa_public_key == NULL)
return send_reply(sptr, RPL_INVALID_KEY);
if (!generate_challenge(&challenge, rsa_public_key, sptr)) {
Debug((DEBUG_DEBUG, "generating challenge sum (%s)", challenge));
send_reply(sptr, RPL_RSACHALLENGE, challenge);
ircd_snprintf(0, cli_user(sptr)->auth_oper, NICKLEN + 1, "%s", aconf->name);
}
nl = BIO_set_close(file, BIO_CLOSE);
BIO_free(file);
return 1;
#else
return 1;
#endif
}
/*
* m_oper - generic message handler
*/
int m_oper(struct Client* cptr, struct Client* sptr, int parc, char* parv[])
{
struct ConfItem* aconf;
char* name;
char* password;
assert(0 != cptr);
assert(cptr == sptr);
name = parc > 1 ? parv[1] : 0;
password = parc > 2 ? parv[2] : 0;
if (EmptyString(name) || EmptyString(password))
return need_more_params(sptr, "OPER");
aconf = find_conf_exact(name, sptr, CONF_OPERATOR);
if (!aconf || IsIllegal(aconf))
{
send_reply(sptr, ERR_NOOPERHOST);
sendto_opmask_butone(0, SNO_OLDREALOP, "Failed staff authentication attempt by %s (%s@%s)",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr));
return 0;
}
assert(0 != (aconf->status & CONF_OPERATOR));
if (oper_password_match(password, aconf->passwd))
{
struct Flags old_mode = cli_flags(sptr);
if (ACR_OK != attach_conf(sptr, aconf)) {
send_reply(sptr, ERR_NOOPERHOST);
sendto_opmask_butone(0, SNO_OLDREALOP, "Failed staff authentication attempt by %s "
"(%s@%s)", parv[0], cli_user(sptr)->username,
cli_sockhost(sptr));
return 0;
}
SetLocOp(sptr);
client_set_privs(sptr, aconf);
if (HasPriv(sptr, PRIV_PROPAGATE))
{
ClearLocOp(sptr);
SetOper(sptr);
++UserStats.opers;
}
cli_handler(cptr) = OPER_HANDLER;
SetFlag(sptr, FLAG_WALLOP);
SetFlag(sptr, FLAG_SERVNOTICE);
SetFlag(sptr, FLAG_DEBUG);
set_snomask(sptr, SNO_OPERDEFAULT, SNO_ADD);
cli_max_sendq(sptr) = 0; /* Get the sendq from the oper's class */
send_umode_out(cptr, sptr, &old_mode, HasPriv(sptr, PRIV_PROPAGATE));
send_reply(sptr, RPL_YOUREOPER);
sendto_opmask_butone(0, SNO_OLDSNO, "%s (%s@%s) has authenticated as staff",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr));
log_write(LS_OPER, L_INFO, 0, "OPER (%s) by (%#C)", name, sptr);
}
else
{
send_reply(sptr, ERR_PASSWDMISMATCH);
sendto_opmask_butone(0, SNO_OLDREALOP, "Failed staff authentication attempt by %s (%s@%s)",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr));
}
return 0;
}
/* Rewritten by Run - 24 sept 94 */
static void exit_one_client(struct Client* bcptr, const char* comment)
{
struct SLink *lp;
struct Ban *bp;
if (cli_serv(bcptr) && cli_serv(bcptr)->client_list) /* Was SetServerYXX called ? */
ClearServerYXX(bcptr); /* Removes server from server_list[] */
if (IsUser(bcptr)) {
/*
* clear out uping requests
*/
if (IsUPing(bcptr))
uping_cancel(bcptr, 0);
/*
* Stop a running /LIST clean
*/
if (MyUser(bcptr) && cli_listing(bcptr)) {
MyFree(cli_listing(bcptr));
cli_listing(bcptr) = NULL;
}
/*
* If a person is on a channel, send a QUIT notice
* to every client (person) on the same channel (so
* that the client can show the "**signoff" message).
* (Note: The notice is to the local clients *only*)
*/
sendcmdto_common_channels_butone(bcptr, CMD_QUIT, NULL, ":%s", comment);
remove_user_from_all_channels(bcptr);
/* Clean up invitefield */
while ((lp = cli_user(bcptr)->invited))
del_invite(bcptr, lp->value.chptr);
/* Clean up silencefield */
while ((bp = cli_user(bcptr)->silence)) {
cli_user(bcptr)->silence = bp->next;
free_ban(bp);
}
/* Clean up snotice lists */
if (MyUser(bcptr))
set_snomask(bcptr, ~0, SNO_DEL);
if (IsInvisible(bcptr)) {
assert(UserStats.inv_clients > 0);
--UserStats.inv_clients;
}
if (IsOper(bcptr)) {
assert(UserStats.opers > 0);
--UserStats.opers;
}
if (MyConnect(bcptr))
Count_clientdisconnects(bcptr, UserStats);
else
Count_remoteclientquits(UserStats, bcptr);
}
else if (IsServer(bcptr))
{
/* Remove downlink list node of uplink */
remove_dlink(&(cli_serv(cli_serv(bcptr)->up))->down, cli_serv(bcptr)->updown);
cli_serv(bcptr)->updown = 0;
if (MyConnect(bcptr))
Count_serverdisconnects(UserStats);
else
Count_remoteserverquits(UserStats);
}
else if (IsMe(bcptr))
{
sendto_opmask_butone(0, SNO_OLDSNO, "ERROR: tried to exit me! : %s",
comment);
return; /* ...must *never* exit self! */
}
else if (IsUnknown(bcptr) || IsConnecting(bcptr) || IsHandshake(bcptr))
Count_unknowndisconnects(UserStats);
/*
* Update IPregistry
*/
if (IsIPChecked(bcptr))
IPcheck_disconnect(bcptr);
/*
* Remove from serv->client_list
* NOTE: user is *always* NULL if this is a server
*/
if (cli_user(bcptr)) {
assert(!IsServer(bcptr));
/* bcptr->user->server->serv->client_list[IndexYXX(bcptr)] = NULL; */
RemoveYXXClient(cli_user(bcptr)->server, cli_yxx(bcptr));
}
/* Remove bcptr from the client list */
#ifdef DEBUGMODE
if (hRemClient(bcptr) != 0)
Debug((DEBUG_ERROR, "%p !in tab %s[%s] %p %p %p %d %d %p",
bcptr, cli_name(bcptr), cli_from(bcptr) ? cli_sockhost(cli_from(bcptr)) : "??host",
cli_from(bcptr), cli_next(bcptr), cli_prev(bcptr), cli_fd(bcptr),
cli_status(bcptr), cli_user(bcptr)));
#else
hRemClient(bcptr);
#endif
remove_client_from_list(bcptr);
}
/**
* Exits a client of *any* type (user, server, etc)
* from this server. Also, this generates all necessary prototol
* messages that this exit may cause.
*
* This function implicitly exits all other clients depending on
* this connection.
*
* For convenience, this function returns a suitable value for
* m_function return value:
*
* CPTR_KILLED if (cptr == bcptr)
* 0 if (cptr != bcptr)
*
* This function can be called in two ways:
* 1) From before or in parse(), exiting the 'cptr', in which case it was
* invoked as exit_client(cptr, cptr, &me,...), causing it to always
* return CPTR_KILLED.
* 2) Via parse from a m_function call, in which case it was invoked as
* exit_client(cptr, acptr, sptr, ...). Here 'sptr' is known; the client
* that generated the message in a way that we can assume he already
* did remove acptr from memory himself (or in other cases we don't mind
* because he will be delinked.) Or invoked as:
* exit_client(cptr, acptr/sptr, &me, ...) when WE decide this one should
* be removed.
* In general: No generated SQUIT or QUIT should be sent to source link
* sptr->from. And CPTR_KILLED should be returned if cptr got removed (too).
*
* --Run
* @param cptr Connection currently being handled by read_message.
* @param victim Client being killed.
* @param killer Client that made the decision to remove \a victim.
* @param comment Reason for the exit.
* @return CPTR_KILLED if cptr == bcptr, else 0.
*/
int exit_client(struct Client *cptr,
struct Client* victim,
struct Client* killer,
const char* comment)
{
struct Client* acptr = 0;
struct DLink *dlp;
time_t on_for;
char comment1[HOSTLEN + HOSTLEN + 2];
assert(killer);
if (MyConnect(victim))
{
SetFlag(victim, FLAG_CLOSING);
if (feature_bool(FEAT_CONNEXIT_NOTICES) && IsUser(victim))
sendto_opmask_butone(0, SNO_CONNEXIT,
"Client exiting: %s (%s@%s) [%s] [%s] <%s%s>",
cli_name(victim), cli_user(victim)->username,
cli_user(victim)->host, comment,
ircd_ntoa(&cli_ip(victim)),
NumNick(victim) /* two %s's */);
update_load();
on_for = CurrentTime - cli_firsttime(victim);
if (IsUser(victim) || IsUserPort(victim))
auth_send_exit(victim);
if (IsUser(victim))
log_write(LS_USER, L_TRACE, 0, "%Tu %i %s@%s %s %s %s%s %s :%s",
cli_firsttime(victim), on_for,
cli_user(victim)->username, cli_sockhost(victim),
ircd_ntoa(&cli_ip(victim)),
IsAccount(victim) ? cli_username(victim) : "0",
NumNick(victim), /* two %s's */
cli_name(victim), cli_info(victim));
if (victim != cli_from(killer) /* The source knows already */
&& IsClient(victim)) /* Not a Ping struct or Log file */
{
if (IsServer(victim) || IsHandshake(victim))
sendcmdto_one(killer, CMD_SQUIT, victim, "%s 0 :%s", cli_name(&me), comment);
else if (!IsConnecting(victim)) {
if (!IsDead(victim)) {
if (IsServer(victim))
sendcmdto_one(killer, CMD_ERROR, victim,
":Closing Link: %s by %s (%s)", cli_name(victim),
cli_name(killer), comment);
else
sendrawto_one(victim, MSG_ERROR " :Closing Link: %s by %s (%s)",
cli_name(victim),
cli_name(IsServer(killer) ? &his : killer),
comment);
}
}
if ((IsServer(victim) || IsHandshake(victim) || IsConnecting(victim)) &&
(killer == &me || (IsServer(killer) &&
(strncmp(comment, "Leaf-only link", 14) ||
strncmp(comment, "Non-Hub link", 12)))))
{
/*
* Note: check user == user needed to make sure we have the same
* client
*/
if (cli_serv(victim)->user && *(cli_serv(victim))->by &&
(acptr = findNUser(cli_serv(victim)->by))) {
if (cli_user(acptr) == cli_serv(victim)->user) {
sendcmdto_one(&me, CMD_NOTICE, acptr,
"%C :Link with %s canceled: %s", acptr,
cli_name(victim), comment);
}
else {
/*
* not right client, set by to empty string
*/
acptr = 0;
*(cli_serv(victim))->by = '\0';
}
}
if (killer == &me)
sendto_opmask_butone(acptr, SNO_OLDSNO, "Link with %s canceled: %s",
cli_name(victim), comment);
}
}
/*
* Close the Client connection first.
*/
close_connection(victim);
}
if (IsServer(victim))
{
if (feature_bool(FEAT_HIS_NETSPLIT))
strcpy(comment1, "*.net *.split");
else
{
strcpy(comment1, cli_name(cli_serv(victim)->up));
strcat(comment1, " ");
strcat(comment1, cli_name(victim));
}
if (IsUser(killer))
sendto_opmask_butone(killer, SNO_OLDSNO, "%s SQUIT by %s [%s]:",
(cli_user(killer)->server == victim ||
cli_user(killer)->server == cli_serv(victim)->up) ?
"Local" : "Remote",
get_client_name(killer, HIDE_IP),
cli_name(cli_user(killer)->server));
else if (killer != &me && cli_serv(victim)->up != killer)
sendto_opmask_butone(0, SNO_OLDSNO, "Received SQUIT %s from %s :",
cli_name(victim), IsServer(killer) ? cli_name(killer) :
get_client_name(killer, HIDE_IP));
sendto_opmask_butone(0, SNO_NETWORK, "Net break: %C %C (%s)",
cli_serv(victim)->up, victim, comment);
}
/*
* First generate the needed protocol for the other server links
* except the source:
*/
for (dlp = cli_serv(&me)->down; dlp; dlp = dlp->next) {
if (dlp->value.cptr != cli_from(killer) && dlp->value.cptr != victim)
{
if (IsServer(victim))
sendcmdto_one(killer, CMD_SQUIT, dlp->value.cptr, "%s %Tu :%s",
cli_name(victim), cli_serv(victim)->timestamp, comment);
else if (IsUser(victim) && !HasFlag(victim, FLAG_KILLED))
sendcmdto_one(victim, CMD_QUIT, dlp->value.cptr, ":%s", comment);
}
}
/* Then remove the client structures */
if (IsServer(victim))
exit_downlinks(victim, killer, comment1);
exit_one_client(victim, comment);
/*
* cptr can only have been killed if it was cptr itself that got killed here,
* because cptr can never have been a dependent of victim --Run
*/
return (cptr == victim) ? CPTR_KILLED : 0;
}
void add_connection(struct Listener* listener, int fd, void *ssl) {
#else
void add_connection(struct Listener* listener, int fd) {
#endif
struct irc_sockaddr addr;
struct Client *new_client;
time_t next_target = 0;
#if defined(USE_SSL)
char *sslfp;
#endif
const char* const throttle_message =
"ERROR :Your host is trying to (re)connect too fast -- throttled\r\n";
/* 12345678901234567890123456789012345679012345678901234567890123456 */
const char* const register_message =
"ERROR :Unable to complete your registration\r\n";
assert(0 != listener);
/*
* Removed preliminary access check. Full check is performed in m_server and
* m_user instead. Also connection time out help to get rid of unwanted
* connections.
*/
if (!os_get_peername(fd, &addr) || !os_set_nonblocking(fd)) {
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, NULL);
#else
close(fd);
#endif
return;
}
/*
* Disable IP (*not* TCP) options. In particular, this makes it impossible
* to use source routing to connect to the server. If we didn't do this
* (and if intermediate networks didn't drop source-routed packets), an
* attacker could successfully IP spoof us...and even return the anti-spoof
* ping, because the options would cause the packet to be routed back to
* the spoofer's machine. When we disable the IP options, we delete the
* source route, and the normal routing takes over.
*/
os_disable_options(fd);
if (listener_server(listener))
{
new_client = make_client(0, STAT_UNKNOWN_SERVER);
}
else
{
/*
* Add this local client to the IPcheck registry.
*
* If they're throttled, murder them, but tell them why first.
*/
if (!IPcheck_local_connect(&addr.addr, &next_target))
{
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, throttle_message);
#else
write(fd, throttle_message, strlen(throttle_message));
close(fd);
#endif
return;
}
new_client = make_client(0, STAT_UNKNOWN_USER);
SetIPChecked(new_client);
}
/*
* Copy ascii address to 'sockhost' just in case. Then we have something
* valid to put into error messages...
*/
ircd_ntoa_r(cli_sock_ip(new_client), &addr.addr);
strcpy(cli_sockhost(new_client), cli_sock_ip(new_client));
memcpy(&cli_ip(new_client), &addr.addr, sizeof(cli_ip(new_client)));
if (next_target)
cli_nexttarget(new_client) = next_target;
cli_fd(new_client) = fd;
if (!socket_add(&(cli_socket(new_client)), client_sock_callback,
(void*) cli_connect(new_client), SS_CONNECTED, 0, fd)) {
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, register_message);
#else
write(fd, register_message, strlen(register_message));
close(fd);
#endif
cli_fd(new_client) = -1;
return;
}
#if defined(USE_SSL)
if (ssl) {
cli_socket(new_client).s_ssl = ssl;
sslfp = ssl_get_fingerprint(ssl);
if (sslfp)
ircd_strncpy(cli_sslclifp(new_client), sslfp, BUFSIZE+1);
}
#endif
cli_freeflag(new_client) |= FREEFLAG_SOCKET;
cli_listener(new_client) = listener;
++listener->ref_count;
Count_newunknown(UserStats);
/* if we've made it this far we can put the client on the auth query pile */
start_auth(new_client);
}
/** Determines whether to tell the events engine we're interested in
* writable events.
* @param cptr Client for which to decide this.
*/
void update_write(struct Client* cptr)
{
/* If there are messages that need to be sent along, or if the client
* is in the middle of a /list, then we need to tell the engine that
* we're interested in writable events--otherwise, we need to drop
* that interest.
*/
socket_events(&(cli_socket(cptr)),
((MsgQLength(&cli_sendQ(cptr)) || cli_listing(cptr)) ?
SOCK_ACTION_ADD : SOCK_ACTION_DEL) | SOCK_EVENT_WRITABLE);
}
/** Handle a SERVER message from an unregistered connection.
*
* \a parv has the following elements:
* \li \a parv[1] is the server name
* \li \a parv[2] is the hop count to the server
* \li \a parv[3] is the start timestamp for the server
* \li \a parv[4] is the link timestamp
* \li \a parv[5] is the protocol version (P10 or J10)
* \li \a parv[6] is the numnick mask for the server
* \li \a parv[7] is a string of flags like +hs to mark hubs and services
* \li \a parv[\a parc - 1] is the server description
*
* See @ref m_functions for discussion of the arguments.
* @param[in] cptr Client that sent us the message.
* @param[in] sptr Original source of message.
* @param[in] parc Number of arguments.
* @param[in] parv Argument vector.
*/
int mr_server(struct Client* cptr, struct Client* sptr, int parc, char* parv[])
{
char* host;
struct ConfItem* aconf;
struct Jupe* ajupe;
unsigned int hop;
int ret;
unsigned short prot;
time_t start_timestamp;
time_t timestamp;
time_t recv_time;
time_t ghost;
if (IsUserPort(cptr))
return exit_client_msg(cptr, cptr, &me,
"Cannot connect a server to a user port");
if (parc < 8)
{
need_more_params(sptr, "SERVER");
return exit_client(cptr, cptr, &me, "Need more parameters");
}
host = clean_servername(parv[1]);
if (!host)
{
sendto_opmask(0, SNO_OLDSNO, "Bogus server name (%s) from %s",
host, cli_name(cptr));
return exit_client_msg(cptr, cptr, &me, "Bogus server name (%s)", host);
}
if ((ajupe = jupe_find(host)) && JupeIsActive(ajupe))
return exit_client_msg(cptr, sptr, &me, "Juped: %s", JupeReason(ajupe));
/* check connection rules */
if (0 != conf_eval_crule(host, CRULE_ALL)) {
ServerStats->is_ref++;
sendto_opmask(0, SNO_OLDSNO, "Refused connection from %s.", cli_name(cptr));
return exit_client(cptr, cptr, &me, "Disallowed by connection rule");
}
log_write(LS_NETWORK, L_NOTICE, LOG_NOSNOTICE, "SERVER: %s %s[%s]", host,
cli_sockhost(cptr), cli_sock_ip(cptr));
/*
* Detect protocol
*/
hop = atoi(parv[2]);
start_timestamp = atoi(parv[3]);
timestamp = atoi(parv[4]);
prot = parse_protocol(parv[5]);
if (!prot)
return exit_client_msg(cptr, sptr, &me, "Bogus protocol (%s)", parv[5]);
else if (prot < atoi(MINOR_PROTOCOL))
return exit_new_server(cptr, sptr, host, timestamp,
"Incompatible protocol: %s", parv[5]);
Debug((DEBUG_INFO, "Got SERVER %s with timestamp [%s] age %Tu (%Tu)",
host, parv[4], start_timestamp, cli_serv(&me)->timestamp));
if (timestamp < OLDEST_TS || start_timestamp < OLDEST_TS)
return exit_client_msg(cptr, sptr, &me,
"Bogus timestamps (%s %s)", parv[3], parv[4]);
/* If the server had a different name before, change it. */
if (!EmptyString(cli_name(cptr)) &&
(IsUnknown(cptr) || IsHandshake(cptr)) &&
0 != ircd_strcmp(cli_name(cptr), host))
hChangeClient(cptr, host);
ircd_strncpy(cli_name(cptr), host, HOSTLEN);
ircd_strncpy(cli_info(cptr), parv[parc-1][0] ? parv[parc-1] : cli_name(&me), REALLEN);
cli_hopcount(cptr) = hop;
if (conf_check_server(cptr)) {
++ServerStats->is_ref;
sendto_opmask(0, SNO_OLDSNO, "Received unauthorized connection from %s",
cli_name(cptr));
log_write(LS_NETWORK, L_NOTICE, LOG_NOSNOTICE, "Received unauthorized "
"connection from %C [%s]", cptr,
ircd_ntoa(&cli_ip(cptr)));
return exit_client(cptr, cptr, &me, "No Connect block");
}
host = cli_name(cptr);
update_load();
if (!(aconf = find_conf_byname(cli_confs(cptr), host, CONF_SERVER))) {
++ServerStats->is_ref;
sendto_opmask(0, SNO_OLDSNO, "Access denied. No conf line for server %s",
cli_name(cptr));
return exit_client_msg(cptr, cptr, &me,
"Access denied. No conf line for server %s", cli_name(cptr));
}
#if defined(USE_SSL)
if (!verify_sslclifp(cptr, aconf)) {
++ServerStats->is_ref;
sendto_opmask(0, SNO_OLDSNO, "Access denied (SSL fingerprint mismatch) %s",
cli_name(cptr));
return exit_client_msg(cptr, cptr, &me,
"No Access (SSL fingerprint mismatch) %s", cli_name(cptr));
}
#endif
if (*aconf->passwd && !!strcmp(aconf->passwd, cli_passwd(cptr))) {
++ServerStats->is_ref;
sendto_opmask(0, SNO_OLDSNO, "Access denied (passwd mismatch) %s",
cli_name(cptr));
return exit_client_msg(cptr, cptr, &me,
"No Access (passwd mismatch) %s", cli_name(cptr));
}
memset(cli_passwd(cptr), 0, sizeof(cli_passwd(cptr)));
ret = check_loop_and_lh(cptr, sptr, &ghost, host, (parc > 7 ? parv[6] : NULL), timestamp, hop, 1);
if (ret != 1)
return ret;
make_server(cptr);
cli_serv(cptr)->timestamp = timestamp;
cli_serv(cptr)->prot = prot;
cli_serv(cptr)->ghost = ghost;
memset(cli_privs(cptr), 255, sizeof(struct Privs));
ClrPriv(cptr, PRIV_SET);
SetServerYXX(cptr, cptr, parv[6]);
update_uworld_flags(cptr);
if (*parv[7] == '+')
set_server_flags(cptr, parv[7] + 1);
recv_time = TStime();
check_start_timestamp(cptr, timestamp, start_timestamp, recv_time);
ret = server_estab(cptr, aconf);
if (feature_bool(FEAT_RELIABLE_CLOCK) &&
abs(cli_serv(cptr)->timestamp - recv_time) > 30) {
sendto_opmask(0, SNO_OLDSNO, "Connected to a net with a "
"timestamp-clock difference of %Td seconds! "
"Used SETTIME to correct this.",
timestamp - recv_time);
sendcmdto_prio_one(&me, CMD_SETTIME, cptr, "%Tu :%s", TStime(),
cli_name(&me));
}
return ret;
}
/** Read a 'packet' of data from a connection and process it. Read in
* 8k chunks to give a better performance rating (for server
* connections). Do some tricky stuff for client connections to make
* sure they don't do any flooding >:-) -avalon
* @param cptr Client from which to read data.
* @param socket_ready If non-zero, more data can be read from the client's socket.
* @return Positive number on success, zero on connection-fatal failure, negative
* if user is killed.
*/
static int read_packet(struct Client *cptr, int socket_ready)
{
unsigned int dolen = 0;
unsigned int length = 0;
if (socket_ready &&
!(IsUser(cptr) &&
DBufLength(&(cli_recvQ(cptr))) > feature_uint(FEAT_CLIENT_FLOOD))) {
#if defined(USE_SSL)
switch (client_recv(cptr, readbuf, sizeof(readbuf), &length)) {
#else
switch (os_recv_nonb(cli_fd(cptr), readbuf, sizeof(readbuf), &length)) {
#endif
case IO_SUCCESS:
if (length)
{
cli_lasttime(cptr) = CurrentTime;
ClearPingSent(cptr);
ClrFlag(cptr, FLAG_NONL);
if (cli_lasttime(cptr) > cli_since(cptr))
cli_since(cptr) = cli_lasttime(cptr);
}
break;
case IO_BLOCKED:
break;
case IO_FAILURE:
cli_error(cptr) = errno;
/* SetFlag(cptr, FLAG_DEADSOCKET); */
return 0;
}
}
/*
* For server connections, we process as many as we can without
* worrying about the time of day or anything :)
*/
if (length > 0 && IsServer(cptr))
return server_dopacket(cptr, readbuf, length);
else if (length > 0 && (IsHandshake(cptr) || IsConnecting(cptr)))
return connect_dopacket(cptr, readbuf, length);
else
{
/*
* Before we even think of parsing what we just read, stick
* it on the end of the receive queue and do it when its
* turn comes around.
*/
if (length > 0 && dbuf_put(cptr, &(cli_recvQ(cptr)), readbuf, length) == 0)
return exit_client(cptr, cptr, &me, "dbuf_put fail");
if ((DBufLength(&(cli_recvQ(cptr))) > feature_uint(FEAT_CLIENT_FLOOD))
&& !IsChannelService(cptr))
return exit_client(cptr, cptr, &me, "Excess Flood");
while (DBufLength(&(cli_recvQ(cptr))) && !NoNewLine(cptr) &&
(IsTrusted(cptr) || IsChannelService(cptr) || cli_since(cptr) - CurrentTime < 10))
{
dolen = dbuf_getmsg(&(cli_recvQ(cptr)), cli_buffer(cptr), BUFSIZE);
/*
* Devious looking...whats it do ? well..if a client
* sends a *long* message without any CR or LF, then
* dbuf_getmsg fails and we pull it out using this
* loop which just gets the next 512 bytes and then
* deletes the rest of the buffer contents.
* -avalon
*/
if (dolen == 0)
{
if (DBufLength(&(cli_recvQ(cptr))) < 510)
SetFlag(cptr, FLAG_NONL);
else
{
/* More than 512 bytes in the line - drop the input and yell
* at the client.
*/
DBufClear(&(cli_recvQ(cptr)));
send_reply(cptr, ERR_INPUTTOOLONG);
}
}
else if (client_dopacket(cptr, dolen) == CPTR_KILLED)
return CPTR_KILLED;
/*
* If it has become registered as a Server
* then skip the per-message parsing below.
*/
if (IsHandshake(cptr) || IsServer(cptr))
{
while (-1)
{
dolen = dbuf_get(&(cli_recvQ(cptr)), readbuf, sizeof(readbuf));
if (dolen <= 0)
return 1;
else if (dolen == 0)
{
if (DBufLength(&(cli_recvQ(cptr))) < 510)
SetFlag(cptr, FLAG_NONL);
else {
DBufClear(&(cli_recvQ(cptr)));
/* send_reply(cptr, ERR_INPUTTOOLONG); */
}
}
else if ((IsServer(cptr) &&
server_dopacket(cptr, readbuf, dolen) == CPTR_KILLED) ||
(!IsServer(cptr) &&
connect_dopacket(cptr, readbuf, dolen) == CPTR_KILLED))
return CPTR_KILLED;
}
}
}
/* If there's still data to process, wait 2 seconds first */
if (DBufLength(&(cli_recvQ(cptr))) && !NoNewLine(cptr) &&
!t_onqueue(&(cli_proc(cptr))))
{
Debug((DEBUG_LIST, "Adding client process timer for %C", cptr));
cli_freeflag(cptr) |= FREEFLAG_TIMER;
timer_add(&(cli_proc(cptr)), client_timer_callback, cli_connect(cptr),
TT_RELATIVE, 2);
}
}
return 1;
}
/** Start a connection to another server.
* @param aconf Connect block data for target server.
* @param by Client who requested the connection (if any).
* @return Non-zero on success; zero on failure.
*/
int connect_server(struct ConfItem* aconf, struct Client* by)
{
struct Client* cptr = 0;
assert(0 != aconf);
if (aconf->dns_pending) {
sendto_opmask(0, SNO_OLDSNO, "Server %s connect DNS pending",
aconf->name);
return 0;
}
Debug((DEBUG_NOTICE, "Connect to %s[@%s]", aconf->name,
ircd_ntoa(&aconf->address.addr)));
if ((cptr = FindClient(aconf->name))) {
if (IsServer(cptr) || IsMe(cptr)) {
sendto_opmask(0, SNO_OLDSNO, "Server %s already present from %s",
aconf->name, cli_name(cli_from(cptr)));
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Server %s already present "
"from %s", by, aconf->name, cli_name(cli_from(cptr)));
}
return 0;
}
else if (IsHandshake(cptr) || IsConnecting(cptr)) {
if (by && IsUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Connection to %s already in "
"progress", by, cli_name(cptr));
}
return 0;
}
}
/*
* If we don't know the IP# for this host and it is a hostname and
* not a ip# string, then try and find the appropriate host record.
*/
if (!irc_in_addr_valid(&aconf->address.addr)
&& !ircd_aton(&aconf->address.addr, aconf->host)) {
char buf[HOSTLEN + 1];
host_from_uh(buf, aconf->host, HOSTLEN);
gethost_byname(buf, connect_dns_callback, aconf);
aconf->dns_pending = 1;
return 0;
}
cptr = make_client(NULL, STAT_UNKNOWN_SERVER);
/*
* Copy these in so we have something for error detection.
*/
ircd_strncpy(cli_name(cptr), aconf->name, HOSTLEN);
ircd_strncpy(cli_sockhost(cptr), aconf->host, HOSTLEN);
/*
* Attach config entries to client here rather than in
* completed_connection. This to avoid null pointer references
*/
attach_confs_byhost(cptr, aconf->host, CONF_SERVER);
if (!find_conf_byhost(cli_confs(cptr), aconf->host, CONF_SERVER)) {
sendto_opmask(0, SNO_OLDSNO, "Host %s is not enabled for "
"connecting: no Connect block", aconf->name);
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Connect to host %s failed: no "
"Connect block", by, aconf->name);
}
det_confs_butmask(cptr, 0);
free_client(cptr);
return 0;
}
/*
* attempt to connect to the server in the conf line
*/
if (!connect_inet(aconf, cptr)) {
if (by && IsUser(by) && !MyUser(by)) {
sendcmdto_one(&me, CMD_NOTICE, by, "%C :Couldn't connect to %s", by,
cli_name(cptr));
}
det_confs_butmask(cptr, 0);
free_client(cptr);
return 0;
}
/*
* NOTE: if we're here we have a valid C:Line and the client should
* have started the connection and stored the remote address/port and
* ip address name in itself
*
* The socket has been connected or connect is in progress.
*/
make_server(cptr);
if (by && IsUser(by)) {
ircd_snprintf(0, cli_serv(cptr)->by, sizeof(cli_serv(cptr)->by), "%s%s",
NumNick(by));
assert(0 == cli_serv(cptr)->user);
cli_serv(cptr)->user = cli_user(by);
cli_user(by)->refcnt++;
}
else {
*(cli_serv(cptr))->by = '\0';
/* strcpy(cptr->serv->by, "Auto"); */
}
cli_serv(cptr)->up = &me;
SetConnecting(cptr);
if (cli_fd(cptr) > HighestFd)
HighestFd = cli_fd(cptr);
LocalClientArray[cli_fd(cptr)] = cptr;
Count_newunknown(UserStats);
/* Actually we lie, the connect hasn't succeeded yet, but we have a valid
* cptr, so we register it now.
* Maybe these two calls should be merged.
*/
add_client_to_list(cptr);
hAddClient(cptr);
/* nextping = CurrentTime; */
return (s_state(&cli_socket(cptr)) == SS_CONNECTED) ?
completed_connection(cptr) : 1;
}
/** Find the real hostname for the host running the server (or one which
* matches the server's name) and its primary IP#. Hostname is stored
* in the client structure passed as a pointer.
*/
void init_server_identity(void)
{
const struct LocalConf* conf = conf_get_local();
assert(0 != conf);
ircd_strncpy(cli_name(&me), conf->name, HOSTLEN);
SetYXXServerName(&me, conf->numeric);
}
/** Process events on a client socket.
* @param ev Socket event structure that has a struct Connection as
* its associated data.
*/
static void client_sock_callback(struct Event* ev)
{
struct Client* cptr;
struct Connection* con;
char *fmt = "%s";
char *fallback = 0;
assert(0 != ev_socket(ev));
assert(0 != s_data(ev_socket(ev)));
con = (struct Connection*) s_data(ev_socket(ev));
assert(0 != con_client(con) || ev_type(ev) == ET_DESTROY);
cptr = con_client(con);
assert(0 == cptr || con == cli_connect(cptr));
switch (ev_type(ev)) {
case ET_DESTROY:
con_freeflag(con) &= ~FREEFLAG_SOCKET;
if (!con_freeflag(con) && !cptr)
free_connection(con);
#if defined(USE_SSL)
ssl_free(ev_socket(ev));
#endif
break;
case ET_CONNECT: /* socket connection completed */
if (!completed_connection(cptr) || IsDead(cptr))
fallback = cli_info(cptr);
break;
case ET_ERROR: /* an error occurred */
fallback = cli_info(cptr);
cli_error(cptr) = ev_data(ev);
/* If the OS told us we have a bad file descriptor, we should
* record that for future reference.
*/
if (cli_error(cptr) == EBADF)
cli_fd(cptr) = -1;
if (s_state(&(con_socket(con))) == SS_CONNECTING) {
completed_connection(cptr);
/* for some reason, the os_get_sockerr() in completed_connection()
* can return 0 even when ev_data(ev) indicates a real error, so
* re-assign the client error here.
*/
cli_error(cptr) = ev_data(ev);
break;
}
/*FALLTHROUGH*/
case ET_EOF: /* end of file on socket */
Debug((DEBUG_ERROR, "READ ERROR: fd = %d %d", cli_fd(cptr),
cli_error(cptr)));
SetFlag(cptr, FLAG_DEADSOCKET);
if ((IsServer(cptr) || IsHandshake(cptr)) && cli_error(cptr) == 0) {
exit_client_msg(cptr, cptr, &me, "Server %s closed the connection (%s)",
cli_name(cptr), cli_serv(cptr)->last_error_msg);
return;
} else {
fmt = "Read error: %s";
fallback = "EOF from client";
}
break;
case ET_WRITE: /* socket is writable */
ClrFlag(cptr, FLAG_BLOCKED);
if (cli_listing(cptr) && MsgQLength(&(cli_sendQ(cptr))) < 2048)
list_next_channels(cptr);
Debug((DEBUG_SEND, "Sending queued data to %C", cptr));
send_queued(cptr);
break;
case ET_READ: /* socket is readable */
if (!IsDead(cptr)) {
Debug((DEBUG_DEBUG, "Reading data from %C", cptr));
if (read_packet(cptr, 1) == 0) /* error while reading packet */
fallback = "EOF from client";
}
break;
default:
assert(0 && "Unrecognized socket event in client_sock_callback()");
break;
}
assert(0 == cptr || 0 == cli_connect(cptr) || con == cli_connect(cptr));
if (fallback) {
const char* msg = (cli_error(cptr)) ? strerror(cli_error(cptr)) : fallback;
if (!msg)
msg = "Unknown error";
exit_client_msg(cptr, cptr, &me, fmt, msg);
}
}
/** Process a timer on client socket.
* @param ev Timer event that has a struct Connection as its
* associated data.
*/
static void client_timer_callback(struct Event* ev)
{
struct Client* cptr;
struct Connection* con;
assert(0 != ev_timer(ev));
assert(0 != t_data(ev_timer(ev)));
assert(ET_DESTROY == ev_type(ev) || ET_EXPIRE == ev_type(ev));
con = (struct Connection*) t_data(ev_timer(ev));
assert(0 != con_client(con) || ev_type(ev) == ET_DESTROY);
cptr = con_client(con);
assert(0 == cptr || con == cli_connect(cptr));
if (ev_type(ev)== ET_DESTROY) {
con_freeflag(con) &= ~FREEFLAG_TIMER; /* timer has expired... */
if (!con_freeflag(con) && !cptr)
free_connection(con); /* client is being destroyed */
} else {
Debug((DEBUG_LIST, "Client process timer for %C expired; processing",
cptr));
read_packet(cptr, 0); /* read_packet will re-add timer if needed */
}
assert(0 == cptr || 0 == cli_connect(cptr) || con == cli_connect(cptr));
}
int m_challenge(struct Client *cptr, struct Client *sptr, int parc, char *parv[])
{
#ifdef USE_SSL
struct ConfItem *aconf;
RSA *rsa_public_key;
BIO *file = NULL;
char *challenge = NULL;
char *name;
char *tmpname;
char chan[CHANNELLEN-1];
char* join[2];
int nl;
struct Flags old_mode = cli_flags(sptr);
if (!MyUser(sptr))
return 0;
if (parc < 2)
return need_more_params(sptr, "CHALLENGE");
if (parc > 2) { /* This is a remote OPER Request */
struct Client *srv;
if (!string_has_wildcards(parv[1]))
srv = FindServer(parv[1]);
else
srv = find_match_server(parv[1]);
if (!feature_bool(FEAT_REMOTE_OPER))
return send_reply(sptr, ERR_NOOPERHOST);
if (!srv)
return send_reply(sptr, ERR_NOOPERHOST);
if (IsMe(srv)) {
parv[1] = parv[2];
} else {
sendcmdto_one(sptr, CMD_CHALLENGE, srv, "%C %s", srv, parv[2]);
return 0;
}
}
/* if theyre an oper, reprint oper motd and ignore */
if (IsOper(sptr))
{
send_reply(sptr, RPL_YOUREOPER);
if (feature_bool(FEAT_OPERMOTD))
m_opermotd(sptr, sptr, 1, parv);
}
if (*parv[1] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if (cli_user(sptr)->response == NULL)
return 0;
if (ircd_strcmp(cli_user(sptr)->response, ++parv[1]))
{
send_reply(sptr, ERR_PASSWDMISMATCH);
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (Password Incorrect)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
tmpname = strdup(cli_user(sptr)->auth_oper);
failed_challenge_notice(sptr, tmpname, "challenge failed");
return 0;
}
name = strdup(cli_user(sptr)->auth_oper);
aconf = find_conf_exact(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
MyUser(sptr) ? cli_sockhost(sptr) :
cli_user(sptr)->realhost, CONF_OPS);
if (!aconf)
aconf = find_conf_exact(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
ircd_ntoa((const char*) &(cli_ip(sptr))), CONF_OPS);
if (!aconf)
aconf = find_conf_cidr(cli_user(sptr)->auth_oper, cli_user(sptr)->realusername,
cli_ip(sptr), CONF_OPS);
if (!aconf)
{
send_reply(sptr, ERR_NOOPERHOST);
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (No O:line)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
return 0;
}
if (CONF_LOCOP == aconf->status) {
ClearOper(sptr);
SetLocOp(sptr);
}
else {
/*
* prevent someone from being both oper and local oper
*/
ClearLocOp(sptr);
if (!feature_bool(FEAT_OPERFLAGS) || !(aconf->port & OFLAG_ADMIN)) {
/* Global Oper */
SetOper(sptr);
ClearAdmin(sptr);
} else {
/* Admin */
SetOper(sptr);
OSetGlobal(sptr);
SetAdmin(sptr);
}
++UserStats.opers;
}
cli_handler(cptr) = OPER_HANDLER;
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_WHOIS)) {
OSetWhois(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_IDLE)) {
OSetIdle(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_XTRAOP)) {
OSetXtraop(sptr);
}
if (!feature_bool(FEAT_OPERFLAGS) || (aconf->port & OFLAG_HIDECHANS)) {
OSetHideChans(sptr);
}
SetFlag(sptr, FLAG_WALLOP);
SetFlag(sptr, FLAG_SERVNOTICE);
SetFlag(sptr, FLAG_DEBUG);
if (!IsAdmin(sptr))
cli_oflags(sptr) = aconf->port;
set_snomask(sptr, SNO_OPERDEFAULT, SNO_ADD);
client_set_privs(sptr, aconf);
cli_max_sendq(sptr) = 0; /* Get the sendq from the oper's class */
send_umode_out(cptr, sptr, &old_mode, HasPriv(sptr, PRIV_PROPAGATE));
send_reply(sptr, RPL_YOUREOPER);
if (IsAdmin(sptr)) {
sendto_allops(&me, SNO_OLDSNO, "%s (%s@%s) is now an IRC Administrator",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr));
/* Autojoin admins to admin channel and oper channel (if enabled) */
if (feature_bool(FEAT_AUTOJOIN_ADMIN)) {
if (feature_bool(FEAT_AUTOJOIN_ADMIN_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_ADMIN_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_ADMIN_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
if (feature_bool(FEAT_AUTOJOIN_OPER) && IsOper(sptr)) {
if (feature_bool(FEAT_AUTOJOIN_OPER_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_OPER_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_OPER_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
} else {
sendto_allops(&me, SNO_OLDSNO, "%s (%s@%s) is now an IRC Operator (%c)",
parv[0], cli_user(sptr)->username, cli_sockhost(sptr),
IsOper(sptr) ? 'O' : 'o');
if (feature_bool(FEAT_AUTOJOIN_OPER) && IsOper(sptr)) {
if (feature_bool(FEAT_AUTOJOIN_OPER_NOTICE))
sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :%s", sptr, feature_str(FEAT_AUTOJOIN_OPER_NOTICE_VALUE));
ircd_strncpy(chan, feature_str(FEAT_AUTOJOIN_OPER_CHANNEL), CHANNELLEN-1);
join[0] = cli_name(sptr);
join[1] = chan;
m_join(sptr, sptr, 2, join);
}
}
if (feature_bool(FEAT_OPERMOTD))
m_opermotd(sptr, sptr, 1, parv);
log_write(LS_OPER, L_INFO, 0, "OPER (%s) by (%#C)", name, sptr);
ircd_snprintf(0, cli_user(sptr)->response, BUFSIZE+1, "%s", "");
return 0;
}
ircd_snprintf(0, cli_user(sptr)->response, BUFSIZE+1, "%s", "");
ircd_snprintf(0, cli_user(sptr)->auth_oper, NICKLEN+1, "%s", "");
aconf = find_conf_exact(parv[1], cli_user(sptr)->realusername,
cli_user(sptr)->realhost, CONF_OPS);
if (!aconf)
aconf = find_conf_exact(parv[1], cli_user(sptr)->realusername,
ircd_ntoa((const char*) &(cli_ip(sptr))), CONF_OPS);
if (!aconf)
aconf = find_conf_cidr(parv[1], cli_user(sptr)->realusername,
cli_ip(sptr), CONF_OPS);
if (aconf == NULL)
{
send_reply(sptr, ERR_NOOPERHOST);
failed_challenge_notice(sptr, parv[1], "No o:line");
sendto_allops(&me, SNO_OLDREALOP, "Failed OPER attempt by %s (%s@%s) (No O:line)",
parv[0], cli_user(sptr)->realusername, cli_sockhost(sptr));
return 0;
}
if (!(aconf->port & OFLAG_RSA))
{
send_reply(sptr, RPL_NO_CHALL);
return 0;
}
if (!verify_sslclifp(sptr, aconf))
{
sendto_allops(&me, SNO_OLDREALOP,
"Failed OPER attempt by %s (%s@%s) (SSL Fingerprint Missmatch)",
parv[0], cli_user(sptr)->realusername,
cli_user(sptr)->realhost);
send_reply(sptr, ERR_SSLCLIFP);
return 0;
}
if ((file = BIO_new_file(aconf->passwd, "r")) == NULL)
{
send_reply(sptr, RPL_NO_KEY);
return 0;
}
rsa_public_key = (RSA *)PEM_read_bio_RSA_PUBKEY(file, NULL, 0, NULL);
if (rsa_public_key == NULL)
return send_reply(sptr, RPL_INVALID_KEY);
if (!generate_challenge(&challenge, rsa_public_key, sptr)) {
Debug((DEBUG_DEBUG, "generating challenge sum (%s)", challenge));
send_reply(sptr, RPL_RSACHALLENGE, challenge);
ircd_snprintf(0, cli_user(sptr)->auth_oper, NICKLEN + 1, "%s", aconf->name);
}
nl = BIO_set_close(file, BIO_CLOSE);
BIO_free(file);
return 1;
#else
return 1;
#endif
}
/** Creates a client which has just connected to us on the given fd.
* The sockhost field is initialized with the ip# of the host.
* The client is not added to the linked list of clients, it is
* passed off to the auth handler for dns and ident queries.
* @param listener Listening socket that received the connection.
* @param fd File descriptor of new connection.
*/
void add_connection(struct Listener* listener, int fd) {
struct irc_sockaddr addr;
struct Client *new_client;
time_t next_target = 0;
const char* const throttle_message =
"ERROR :Your host is trying to (re)connect too fast -- throttled\r\n";
/* 12345678901234567890123456789012345679012345678901234567890123456 */
const char* const register_message =
"ERROR :Unable to complete your registration\r\n";
assert(0 != listener);
/*
* Removed preliminary access check. Full check is performed in m_server and
* m_user instead. Also connection time out help to get rid of unwanted
* connections.
*/
if (!os_get_peername(fd, &addr) || !os_set_nonblocking(fd)) {
++ServerStats->is_ref;
close(fd);
return;
}
/*
* Disable IP (*not* TCP) options. In particular, this makes it impossible
* to use source routing to connect to the server. If we didn't do this
* (and if intermediate networks didn't drop source-routed packets), an
* attacker could successfully IP spoof us...and even return the anti-spoof
* ping, because the options would cause the packet to be routed back to
* the spoofer's machine. When we disable the IP options, we delete the
* source route, and the normal routing takes over.
*/
os_disable_options(fd);
if (listener_server(listener))
{
new_client = make_client(0, STAT_UNKNOWN_SERVER);
}
else
{
/*
* Add this local client to the IPcheck registry.
*
* If they're throttled, murder them, but tell them why first.
*/
if (!IPcheck_local_connect(&addr.addr, &next_target))
{
++ServerStats->is_ref;
write(fd, throttle_message, strlen(throttle_message));
close(fd);
return;
}
new_client = make_client(0, STAT_UNKNOWN_USER);
SetIPChecked(new_client);
}
/*
* Copy ascii address to 'sockhost' just in case. Then we have something
* valid to put into error messages...
*/
ircd_ntoa_r(cli_sock_ip(new_client), &addr.addr);
strcpy(cli_sockhost(new_client), cli_sock_ip(new_client));
memcpy(&cli_ip(new_client), &addr.addr, sizeof(cli_ip(new_client)));
if (next_target)
cli_nexttarget(new_client) = next_target;
cli_fd(new_client) = fd;
if (!socket_add(&(cli_socket(new_client)), client_sock_callback,
(void*) cli_connect(new_client), SS_CONNECTED, 0, fd)) {
++ServerStats->is_ref;
write(fd, register_message, strlen(register_message));
close(fd);
cli_fd(new_client) = -1;
return;
}
cli_freeflag(new_client) |= FREEFLAG_SOCKET;
cli_listener(new_client) = listener;
++listener->ref_count;
Count_newunknown(UserStats);
/* if we've made it this far we can put the client on the auth query pile */
start_auth(new_client);
}
