/*! \brief OPER command handler
*
* \param source_p Pointer to allocated Client struct from which the message
* originally comes from. This can be a local or remote client.
* \param parc Integer holding the number of supplied arguments.
* \param parv Argument vector where parv[0] .. parv[parc-1] are non-NULL
* pointers.
* \note Valid arguments for this command are:
* - parv[0] = command
* - parv[1] = oper name
* - parv[2] = oper password
*/
static int
m_oper(struct Client *source_p, int parc, char *parv[])
{
const char *const opername = parv[1];
const char *const password = parv[2];
if (EmptyString(password))
{
sendto_one_numeric(source_p, &me, ERR_NEEDMOREPARAMS, "OPER");
return 0;
}
struct MaskItem *conf;
if ((conf = operator_find(source_p, opername)) == NULL)
{
sendto_one_numeric(source_p, &me, ERR_NOOPERHOST);
conf = operator_find(NULL, opername);
failed_oper_notice(source_p, opername, conf ? "host mismatch" : "no operator {} block");
return 0;
}
if (IsConfSSL(conf) && !HasUMode(source_p, UMODE_SSL))
{
sendto_one_numeric(source_p, &me, ERR_NOOPERHOST);
failed_oper_notice(source_p, opername, "requires SSL/TLS");
return 0;
}
if (!EmptyString(conf->certfp))
{
if (EmptyString(source_p->certfp) || strcasecmp(source_p->certfp, conf->certfp))
{
sendto_one_numeric(source_p, &me, ERR_NOOPERHOST);
failed_oper_notice(source_p, opername, "client certificate fingerprint mismatch");
return 0;
}
}
if (match_conf_password(password, conf) == true)
{
if (conf_attach(source_p, conf))
{
sendto_one_notice(source_p, &me, ":Can't attach conf!");
failed_oper_notice(source_p, opername, "can't attach conf!");
return 0;
}
oper_up(source_p, conf);
}
else
{
sendto_one_numeric(source_p, &me, ERR_PASSWDMISMATCH);
failed_oper_notice(source_p, opername, "password mismatch");
}
return 0;
}
/*
** m_oper
** parv[0] = sender prefix
** parv[1] = oper name
** parv[2] = oper password
*/
static void
m_oper(struct Client *client_p, struct Client *source_p,
int parc, char *parv[])
{
struct ConfItem *conf;
struct AccessItem *aconf=NULL;
const char *name = parv[1];
const char *password = parv[2];
if (EmptyString(password))
{
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS),
me.name, source_p->name, "OPER");
return;
}
/* end the grace period */
if (!IsFloodDone(source_p))
flood_endgrace(source_p);
if ((conf = find_password_conf(name,source_p)) == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
conf = find_exact_name_conf(OPER_TYPE, name, NULL, NULL);
failed_oper_notice(source_p, name, (conf != NULL) ?
"host mismatch" : "no oper {} block");
log_failed_oper(source_p, name);
return;
}
aconf = (struct AccessItem *)map_to_conf(conf);
if (match_oper_password(password, aconf))
{
if (attach_conf(source_p, conf) != 0)
{
sendto_one(source_p, ":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
failed_oper_notice(source_p, name, "can't attach conf!");
log_failed_oper(source_p, name);
return;
}
oper_up(source_p);
ilog(L_TRACE, "OPER %s by %s!%s@%s",
name, source_p->name, source_p->username, source_p->host);
log_oper(source_p, name);
}
else
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, parv[0]);
failed_oper_notice(source_p, name, "password mismatch");
log_failed_oper(source_p, name);
}
}
/*
** m_oper
** parv[0] = sender prefix
** parv[1] = oper name
** parv[2] = oper password
*/
static void
m_oper(struct Client *client_p, struct Client *source_p,
int parc, char *parv[])
{
struct MaskItem *conf = NULL;
const char *name = parv[1];
const char *password = parv[2];
if (EmptyString(password))
{
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS),
me.name, source_p->name, "OPER");
return;
}
/* end the grace period */
if (!IsFloodDone(source_p))
flood_endgrace(source_p);
if ((conf = find_exact_name_conf(CONF_OPER, source_p, name, NULL, NULL)) == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
conf = find_exact_name_conf(CONF_OPER, NULL, name, NULL, NULL);
failed_oper_notice(source_p, name, (conf != NULL) ?
"host mismatch" : "no oper {} block");
return;
}
if (match_conf_password(password, conf))
{
if (attach_conf(source_p, conf) != 0)
{
sendto_one(source_p, ":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
failed_oper_notice(source_p, name, "can't attach conf!");
return;
}
++conf->count;
oper_up(source_p);
ilog(LOG_TYPE_OPER, "OPER %s by %s!%s@%s",
name, source_p->name, source_p->username, source_p->host);
}
else
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
failed_oper_notice(source_p, name, "password mismatch");
}
}
static int do_grant(struct Client *source_p, struct Client *target_p, int addflags, int removeflags, int dooper,
int dodeoper, int add_snomask, int remove_snomask)
{
const char *newparv[4];
struct oper_conf oper;
int changes = 0;
int orig_snomask = target_p->allowed_snomask;
char desc[512];
int j;
if (dodeoper)
{
if (!IsOper(target_p))
sendto_one_notice(source_p, ":%s is not an oper",
target_p->name);
else
{
newparv[0] = target_p->name;
newparv[1] = target_p->name;
newparv[2] = "-o";
newparv[3] = NULL;
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"%s is deopering %s",
get_oper_name(source_p),
get_client_name(target_p, HIDE_IP));
sendto_one_notice(target_p, ":%s is deopering you",
source_p->name);
user_mode(target_p, target_p, 3, newparv);
sendto_one_notice(source_p, ":Deopered %s",
target_p->name);
changes++;
}
}
else if (dooper)
{
if (IsOper(target_p))
sendto_one_notice(source_p, ":%s is already an oper",
target_p->name);
else
{
desc[0] = '\0';
for (j = 0; flag_table[j].name != NULL; j++)
{
if ((addflags & flag_table[j].mode) == flag_table[j].mode)
{
if (desc[0] != '\0')
strlcat(desc, " ", sizeof desc);
strlcat(desc, "+", sizeof desc);
strlcat(desc, flag_table[j].name, sizeof desc);
}
}
if (desc[0] == '\0')
strlcpy(desc, "<none>", sizeof desc);
oper.name = "<grant>";
oper.username = "";
oper.host = "";
oper.passwd = "";
oper.flags = addflags;
oper.umodes = 0;
oper.snomask = 0;
oper.allowed_snomask = add_snomask;
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"%s is opering %s with flags %s and snomask %s",
get_oper_name(source_p),
get_client_name(target_p, HIDE_IP),
desc,
construct_snobuf(oper.allowed_snomask));
sendto_one_notice(target_p, ":%s is opering you",
source_p->name);
oper_up(target_p, &oper);
sendto_one_notice(source_p, ":Opered %s with flags %s and snomask %s",
target_p->name, desc, construct_snobuf(oper.allowed_snomask));
changes++;
}
}
removeflags &= target_p->operflags;
addflags &= ~target_p->operflags;
remove_snomask &= target_p->allowed_snomask;
add_snomask &= ~target_p->allowed_snomask;
if ((addflags | removeflags | add_snomask | remove_snomask) != 0)
{
if (!IsOper(target_p))
{
sendto_one_notice(source_p, ":%s is not an oper",
target_p->name);
}
else
{
target_p->operflags |= addflags;
target_p->operflags &= ~removeflags;
target_p->allowed_snomask |= add_snomask;
target_p->allowed_snomask &= ~remove_snomask;
desc[0] = '\0';
for (j = 0; flag_table[j].name != NULL; j++)
{
if ((addflags & flag_table[j].mode) == flag_table[j].mode)
{
if (desc[0] != '\0')
strlcat(desc, " ", sizeof desc);
strlcat(desc, "+", sizeof desc);
strlcat(desc, flag_table[j].name, sizeof desc);
}
else if ((removeflags & flag_table[j].mode) == flag_table[j].mode)
{
if (desc[0] != '\0')
strlcat(desc, " ", sizeof desc);
strlcat(desc, "-", sizeof desc);
strlcat(desc, flag_table[j].name, sizeof desc);
}
}
if(desc[0] == '\0')
strlcpy(desc, "<none>", sizeof desc);
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"%s is changing oper flags on %s (%s, snomask %s)",
get_oper_name(source_p),
get_client_name(target_p, HIDE_IP),
desc,
construct_snobuf_changes(target_p->allowed_snomask & ~orig_snomask,
orig_snomask & ~target_p->allowed_snomask));
sendto_one_notice(target_p, ":%s is changing oper flags on you: %s, snomask %s",
source_p->name, desc, construct_snobuf_changes(target_p->allowed_snomask & ~orig_snomask,
orig_snomask & ~target_p->allowed_snomask));
sendto_one_notice(source_p, ":Changed oper flags on %s: %s, snomask %s",
target_p->name, desc, construct_snobuf_changes(target_p->allowed_snomask & ~orig_snomask,
orig_snomask & ~target_p->allowed_snomask));
sendto_server(source_p, NULL, CAP_TS6, NOCAPS, ":%s ENCAP * OPER %s",
get_id(target_p, target_p), get_oper_privs(target_p->operflags));
sendto_server(source_p, NULL, NOCAPS, CAP_TS6, ":%s ENCAP * OPER %s",
target_p->name, get_oper_privs(target_p->operflags));
/* fix up any umodes/snomasks they may not have
* anymore */
newparv[0] = target_p->name;
newparv[1] = target_p->name;
newparv[2] = "+";
newparv[3] = NULL;
user_mode(target_p, target_p, 3, newparv);
changes++;
}
}
if (!changes)
sendto_one_notice(source_p, ":Oper flags on %s unchanged",
target_p->name);
return 0;
}
/*
* m_challenge - generate RSA challenge for wouldbe oper
* parv[0] = sender prefix
* parv[1] = operator to challenge for, or +response
*
*/
static void
m_challenge(struct Client *client_p, struct Client *source_p, int parc, char *parv[])
{
char *challenge;
dlink_node *ptr;
struct ConfItem *aconf, *oconf;
if(!(source_p->user) || !source_p->localClient)
return;
/* if theyre an oper, reprint oper motd and ignore */
if(IsOper(source_p))
{
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]);
SendMessageFile(source_p, &ConfigFileEntry.opermotd);
return;
}
if(*parv[1] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if(!source_p->user->response)
return;
if(irccmp(source_p->user->response, ++parv[1]))
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
log_foper(source_p, source_p->user->auth_oper);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed OPER attempt by %s (%s@%s)",
source_p->name, source_p->username,
source_p->host);
return;
}
if((aconf = find_conf_by_name(source_p->user->auth_oper, CONF_OPERATOR)) == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
log_foper(source_p, source_p->user->auth_oper);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username,
source_p->host);
return;
}
ptr = source_p->localClient->confs.head;
oconf = ptr->data;
detach_conf(source_p, oconf);
if(attach_conf(source_p, aconf) != 0)
{
sendto_one(source_p, ":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed CHALLENGE attempt by %s (%s@%s) can't attach conf!",
source_p->name, source_p->username, source_p->host);
log_foper(source_p, source_p->user->auth_oper);
attach_conf(source_p, oconf);
return;
}
oper_up(source_p, aconf);
ilog(L_TRACE, "OPER %s by %s!%s@%s",
source_p->user->auth_oper, source_p->name, source_p->username, source_p->host);
log_oper(source_p, source_p->user->auth_oper);
MyFree(source_p->user->response);
MyFree(source_p->user->auth_oper);
source_p->user->response = NULL;
source_p->user->auth_oper = NULL;
return;
}
MyFree(source_p->user->response);
MyFree(source_p->user->auth_oper);
source_p->user->response = NULL;
source_p->user->auth_oper = NULL;
if(!(aconf = find_conf_exact(parv[1], source_p->username, source_p->host,
CONF_OPERATOR)) &&
!(aconf = find_conf_exact(parv[1], source_p->username,
source_p->localClient->sockhost, CONF_OPERATOR)))
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
log_foper(source_p, parv[1]);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
return;
}
if(!aconf->rsa_public_key)
{
sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
"is not enabled for your oper{} block.", me.name, parv[0]);
return;
}
if(!generate_challenge(&challenge, &(source_p->user->response), aconf->rsa_public_key))
{
sendto_one(source_p, form_str(RPL_RSACHALLENGE), me.name, parv[0], challenge);
}
DupString(source_p->user->auth_oper, aconf->name);
MyFree(challenge);
return;
}
/*
* m_challenge - generate RSA challenge for wouldbe oper
* parv[0] = sender prefix
* parv[1] = operator to challenge for, or +response
*
*/
static void
m_challenge(struct Client *client_p, struct Client *source_p, int parc, char *parv[])
{
char *challenge = NULL;
struct ConfItem *conf = NULL;
struct AccessItem *aconf = NULL;
/* if theyre an oper, reprint oper motd and ignore */
if(IsOper(source_p))
{
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]);
send_message_file(source_p, &ConfigFileEntry.opermotd);
return;
}
if(*parv[1] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if(source_p->localClient->response == NULL)
return;
if(svsnoop)
{
sendto_one(source_p,
":%s NOTICE %s :*** This server is in NOOP mode, you cannot /oper",
me.name, source_p->name);
failed_challenge_notice(source_p, source_p->localClient->auth_oper,
"This server is in NOOP mode");
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n",
source_p->localClient->auth_oper);
return;
}
if(irccmp(source_p->localClient->response, ++parv[1]))
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
failed_challenge_notice(source_p, source_p->localClient->auth_oper,
"challenge failed");
return;
}
conf = find_exact_name_conf(OPER_TYPE,
source_p->localClient->auth_oper,
source_p->username, source_p->host);
if(conf == NULL)
conf = find_exact_name_conf(OPER_TYPE,
source_p->localClient->auth_oper,
source_p->username, source_p->realhost);
if(conf == NULL)
conf = find_exact_name_conf(OPER_TYPE,
source_p->localClient->auth_oper,
source_p->username, source_p->sockhost);
if(conf == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n",
source_p->localClient->auth_oper);
return;
}
if(attach_conf(source_p, conf) != 0)
{
sendto_one(source_p, ":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
failed_challenge_notice(source_p, conf->name, "can't attach conf!");
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n",
source_p->localClient->auth_oper);
return;
}
oper_up(source_p);
ilog(L_TRACE, "OPER %s by %s!%s@%s",
source_p->localClient->auth_oper, source_p->name, source_p->username,
source_p->realhost);
log_oper_action(LOG_OPER_TYPE, source_p, "%s\n", source_p->localClient->auth_oper);
MyFree(source_p->localClient->response);
MyFree(source_p->localClient->auth_oper);
source_p->localClient->response = NULL;
source_p->localClient->auth_oper = NULL;
return;
}
MyFree(source_p->localClient->response);
MyFree(source_p->localClient->auth_oper);
source_p->localClient->response = NULL;
source_p->localClient->auth_oper = NULL;
if((conf = find_conf_exact(OPER_TYPE, parv[1], source_p->username, source_p->host)) != NULL)
aconf = map_to_conf(conf);
else if((conf = find_conf_exact(OPER_TYPE,
parv[1], source_p->username, source_p->realhost)) != NULL)
aconf = map_to_conf(conf);
else if((conf = find_conf_exact(OPER_TYPE,
parv[1], source_p->username, source_p->sockhost)) != NULL)
aconf = map_to_conf(conf);
if(aconf == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
conf = find_exact_name_conf(OPER_TYPE, parv[1], NULL, NULL);
failed_challenge_notice(source_p, parv[1], (conf != NULL)
? "host mismatch" : "no oper {} block");
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", parv[1]);
return;
}
if(aconf->rsa_public_key == NULL)
{
sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
"is not enabled for your oper{} block.", me.name, parv[0]);
return;
}
if(!generate_challenge(&challenge, &(source_p->localClient->response),
aconf->rsa_public_key))
sendto_one(source_p, form_str(RPL_RSACHALLENGE), me.name, parv[0], challenge);
DupString(source_p->localClient->auth_oper, conf->name);
MyFree(challenge);
}
/*
** m_oper
** parv[0] = sender prefix
** parv[1] = oper name
** parv[2] = oper password
*/
static void
m_oper(struct Client *client_p, struct Client *source_p, int parc, char *parv[])
{
struct ConfItem *aconf;
struct ConfItem *oconf = NULL;
char *name;
char *password;
dlink_node *ptr;
name = parv[1];
password = parv[2];
if(EmptyString(password))
{
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS), me.name, source_p->name, "OPER");
return;
}
/* end the grace period */
if(!IsFloodDone(source_p))
flood_endgrace(source_p);
if((aconf = find_password_aconf(name, source_p)) == NULL)
{
sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
log_foper(source_p, name);
if(ConfigFileEntry.failed_oper_notice)
{
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed OPER attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return;
}
if(match_oper_password(password, aconf))
{
/*
20001216:
detach old iline
-einride
*/
ptr = source_p->localClient->confs.head;
if(ptr)
{
oconf = ptr->data;
detach_conf(source_p, oconf);
}
if(attach_conf(source_p, aconf) != 0)
{
sendto_one(source_p, ":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed OPER attempt by %s (%s@%s) can't attach conf!",
source_p->name, source_p->username, source_p->host);
log_foper(source_p, name);
/*
20001216:
Reattach old iline
-einride
*/
attach_conf(source_p, oconf);
return;
}
oper_up(source_p, aconf);
ilog(L_TRACE, "OPER %s by %s!%s@%s",
name, source_p->name, source_p->username, source_p->host);
log_oper(source_p, name);
return;
}
else
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, parv[0]);
log_foper(source_p, name);
if(ConfigFileEntry.failed_oper_notice)
{
sendto_realops_flags(UMODE_ALL, L_ALL,
"Failed OPER attempt by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
}
}
/*
* m_challenge - generate RSA challenge for wouldbe oper
* parv[1] = operator to challenge for, or +response
*
*/
static int
m_challenge(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{
struct oper_conf *oper_p;
char *challenge = NULL; /* to placate gcc */
char chal_line[CHALLENGE_WIDTH];
unsigned char *b_response;
size_t cnt;
int len = 0;
/* if theyre an oper, reprint oper motd and ignore */
if(IsOper(source_p))
{
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
send_oper_motd(source_p);
return 0;
}
if(*parv[1] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if(!source_p->localClient->challenge)
return 0;
if((rb_current_time() - source_p->localClient->chal_time) > CHALLENGE_EXPIRES)
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
ilog(L_FOPER, "EXPIRED CHALLENGE (%s) by (%s!%s@%s) (%s)",
source_p->localClient->opername, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Expired CHALLENGE attempt by %s (%s@%s)",
source_p->name, source_p->username,
source_p->host);
cleanup_challenge(source_p);
return 0;
}
parv[1]++;
b_response = rb_base64_decode((const unsigned char *)parv[1], strlen(parv[1]), &len);
if(len != SHA_DIGEST_LENGTH ||
memcmp(source_p->localClient->challenge, b_response, SHA_DIGEST_LENGTH))
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s)",
source_p->localClient->opername, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed CHALLENGE attempt by %s (%s@%s)",
source_p->name, source_p->username,
source_p->host);
rb_free(b_response);
cleanup_challenge(source_p);
return 0;
}
rb_free(b_response);
oper_p = find_oper_conf(source_p->username, source_p->orighost,
source_p->sockhost,
source_p->localClient->opername);
if(oper_p == NULL)
{
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
source_p->localClient->opername, source_p->name,
source_p->username, source_p->host,
source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username,
source_p->host);
return 0;
}
cleanup_challenge(source_p);
oper_up(source_p, oper_p);
ilog(L_OPERED, "OPER %s by %s!%s@%s (%s)",
source_p->localClient->opername, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
return 0;
}
cleanup_challenge(source_p);
oper_p = find_oper_conf(source_p->username, source_p->orighost,
source_p->sockhost, parv[1]);
if(oper_p == NULL)
{
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
parv[1], source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
return 0;
}
if(!oper_p->rsa_pubkey)
{
sendto_one_notice(source_p, ":I'm sorry, PK authentication is not enabled for your oper{} block.");
return 0;
}
if(IsOperConfNeedSSL(oper_p) && !IsSSLClient(source_p))
{
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS",
parv[1], source_p->name, source_p->username, source_p->host,
source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
{
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Failed CHALLENGE attempt - missing SSL/TLS by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return 0;
}
if (oper_p->certfp != NULL)
{
if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp))
{
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
parv[1], source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice)
{
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return 0;
}
}
if(!generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey))
{
char *chal = challenge;
source_p->localClient->chal_time = rb_current_time();
for(;;)
{
cnt = rb_strlcpy(chal_line, chal, CHALLENGE_WIDTH);
sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line);
if(cnt > CHALLENGE_WIDTH)
chal += CHALLENGE_WIDTH - 1;
else
break;
}
sendto_one(source_p, form_str(RPL_ENDOFRSACHALLENGE2),
me.name, source_p->name);
rb_free(challenge);
source_p->localClient->opername = rb_strdup(oper_p->name);
}
else
sendto_one_notice(source_p, ":Failed to generate challenge.");
return 0;
}
/*
* m_oper
* parv[1] = oper name
* parv[2] = oper password
*/
static int
m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{
struct oper_conf *oper_p;
const char *name;
const char *password;
name = parv[1];
password = parv[2];
if(IsOper(source_p)) {
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
send_oper_motd(source_p);
return 0;
}
/* end the grace period */
if(!IsFloodDone(source_p))
flood_endgrace(source_p);
oper_p = find_oper_conf(source_p->username, source_p->orighost,
source_p->sockhost, name);
if(oper_p == NULL) {
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
name, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice) {
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed OPER attempt - host mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return 0;
}
if(IsOperConfNeedSSL(oper_p) && !IsSSLClient(source_p)) {
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS",
name, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice) {
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Failed OPER attempt - missing SSL/TLS by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return 0;
}
if (oper_p->certfp != NULL) {
if (source_p->certfp == NULL || strcasecmp(source_p->certfp, oper_p->certfp)) {
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
name, source_p->name,
source_p->username, source_p->host, source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice) {
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
return 0;
}
}
if(match_oper_password(password, oper_p)) {
oper_up(source_p, oper_p);
ilog(L_OPERED, "OPER %s by %s!%s@%s (%s)",
name, source_p->name, source_p->username, source_p->host,
source_p->sockhost);
return 0;
} else {
sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
name, source_p->name, source_p->username, source_p->host,
source_p->sockhost);
if(ConfigFileEntry.failed_oper_notice) {
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"Failed OPER attempt by %s (%s@%s)",
source_p->name, source_p->username, source_p->host);
}
}
return 0;
}
static int
do_grant(struct Client *source_p, struct Client *target_p, const char *new_privset)
{
int dooper = 0, dodeoper = 0;
struct PrivilegeSet *privset = 0;
if(!strcmp(new_privset, "deoper"))
{
if(!IsAnyOper(target_p))
{
sendto_one_notice(source_p, ":You can't deoper someone who isn't an oper.");
return 0;
}
new_privset = "default";
dodeoper = 1;
sendto_one_notice(target_p, ":%s is deopering you.", source_p->name);
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "%s is deopering %s.",
get_oper_name(source_p), target_p->name);
}
else
{
if(!(privset = privilegeset_get(new_privset)))
{
sendto_one_notice(source_p, ":There is no privilege set named '%s'.",
new_privset);
return 0;
}
if(privset == target_p->localClient->privset)
{
sendto_one_notice(source_p, ":%s already has privilege set %s.",
target_p->name, target_p->localClient->privset->name);
return 0;
}
}
if(!dodeoper)
{
if(!IsAnyOper(target_p))
{
sendto_one_notice(target_p, ":%s is opering you with privilege set %s",
source_p->name, privset->name);
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"%s is opering %s with privilege set %s",
get_oper_name(source_p), target_p->name,
privset->name);
dooper = 1;
}
else
{
sendto_one_notice(target_p, ":%s is changing your privilege set to %s",
source_p->name, privset->name);
sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
"%s is changing the privilege set of %s to %s",
get_oper_name(source_p), target_p->name,
privset->name);
}
if(privilegeset_in_set(privset, "oper:staffer") && !IsOper(target_p))
{
dooper = 1;
if(IsHelper(target_p))
dodeoper = 1;
}
else if(!privilegeset_in_set(privset, "oper:staffer") && IsOper(target_p))
dooper = dodeoper = 1;
}
if(dodeoper)
{
const char *modeparv[4];
modeparv[0] = modeparv[1] = target_p->name;
modeparv[2] = "-oO";
modeparv[3] = NULL;
user_mode(target_p, target_p, 3, modeparv);
}
if(dooper)
{
struct oper_conf oper;
oper.name = "<grant>";
oper.umodes = 0;
oper.snomask = 0;
oper.privset = privset;
oper_up(target_p, &oper);
}
target_p->localClient->privset = privset;
const char *modeparv[4];
modeparv[0] = modeparv[1] = target_p->name;
modeparv[2] = "+";
modeparv[3] = NULL;
user_mode(target_p, target_p, 3, modeparv);
return 0;
}
/*
* m_challenge - generate RSA challenge for wouldbe oper
* parv[0] = sender prefix
* parv[1] = operator to challenge for, or +response
*
*/
static void
m_challenge(struct Client *client_p, struct Client *source_p,
int parc, char *parv[])
{
char *challenge = NULL;
struct MaskItem *conf = NULL;
if (*parv[1] == '+')
{
/* Ignore it if we aren't expecting this... -A1kmm */
if (source_p->localClient->response == NULL)
return;
if (irccmp(source_p->localClient->response, ++parv[1]))
{
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name,
source_p->name);
failed_challenge_notice(source_p, source_p->localClient->auth_oper,
"challenge failed");
return;
}
conf = find_exact_name_conf(CONF_OPER, source_p,
source_p->localClient->auth_oper, NULL, NULL);
if (conf == NULL)
{
/* XXX: logging */
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
return;
}
if (attach_conf(source_p, conf) != 0)
{
sendto_one(source_p,":%s NOTICE %s :Can't attach conf!",
me.name, source_p->name);
failed_challenge_notice(source_p, conf->name, "can't attach conf!");
return;
}
++conf->count;
oper_up(source_p);
ilog(LOG_TYPE_OPER, "OPER %s by %s!%s@%s",
source_p->localClient->auth_oper, source_p->name, source_p->username,
source_p->host);
MyFree(source_p->localClient->response);
MyFree(source_p->localClient->auth_oper);
source_p->localClient->response = NULL;
source_p->localClient->auth_oper = NULL;
return;
}
MyFree(source_p->localClient->response);
MyFree(source_p->localClient->auth_oper);
source_p->localClient->response = NULL;
source_p->localClient->auth_oper = NULL;
conf = find_exact_name_conf(CONF_OPER, source_p, parv[1], NULL, NULL);
if (!conf)
{
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
conf = find_exact_name_conf(CONF_OPER, NULL, parv[1], NULL, NULL);
failed_challenge_notice(source_p, parv[1], (conf != NULL)
? "host mismatch" : "no oper {} block");
return;
}
if (conf->rsa_public_key == NULL)
{
sendto_one (source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
"is not enabled for your oper{} block.", me.name,
source_p->name);
return;
}
if (!generate_challenge(&challenge, &(source_p->localClient->response),
conf->rsa_public_key))
sendto_one(source_p, form_str(RPL_RSACHALLENGE),
me.name, source_p->name, challenge);
source_p->localClient->auth_oper = xstrdup(conf->name);
MyFree(challenge);
}
