/* * InspIRCd -- Internet Relay Chat Daemon * * Copyright (C) 2019 linuxdaemon * Copyright (C) 2014 md_5 * Copyright (C) 2014 Googolplexed * Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell * Copyright (C) 2013 Adam * Copyright (C) 2012-2013, 2015 Attila Molnar * Copyright (C) 2012, 2019 Robby * Copyright (C) 2009-2010 Daniel De Graaf * Copyright (C) 2009 Uli Schlachter * Copyright (C) 2007-2009 Robin Burchell * Copyright (C) 2007 Dennis Friis * Copyright (C) 2006-2007, 2010 Craig Edwards * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public * License as published by the Free Software Foundation, version 2. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include "inspircd.h" #include "modules/extban.h" #include "modules/ssl.h" #include "modules/webirc.h" #include "modules/whois.h" // One or more hostmask globs or CIDR ranges. typedef std::vector MaskList; // Encapsulates information about an ident host. class IdentHost final { private: MaskList hostmasks; std::string newident; public: IdentHost(const MaskList& masks, const std::string& ident) : hostmasks(masks) , newident(ident) { } const std::string& GetIdent() const { return newident; } bool Matches(LocalUser* user) const { for (const auto& mask : hostmasks) { // Does the user's hostname match this hostmask? if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) return true; // Does the user's IP address match this hostmask? if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) return true; } // The user didn't match any hostmasks. return false; } }; // Encapsulates information about a WebIRC host. class WebIRCHost final { private: MaskList hostmasks; std::string fingerprint; std::string password; std::string passhash; TokenList trustedflags; public: WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash, const std::string& flags) : hostmasks(masks) , fingerprint(fp) , password(pass) , passhash(hash) , trustedflags(flags) { } bool IsFlagTrusted(const std::string& flag) const { return trustedflags.Contains(flag); } bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const { // Did the user send a valid password? if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) return false; // Does the user have a valid fingerprint? const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) return false; for (const auto& mask : hostmasks) { // Does the user's hostname match this hostmask? if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) return true; // Does the user's IP address match this hostmask? if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) return true; } // The user didn't match any hostmasks. return false; } }; class CommandHexIP final : public SplitCommand { public: CommandHexIP(Module* Creator) : SplitCommand(Creator, "HEXIP", 1) { penalty = 2000; syntax = { "" }; } CmdResult HandleLocal(LocalUser* user, const Params& parameters) override { irc::sockets::sockaddrs sa(false); if (sa.from_ip(parameters[0])) { if (sa.family() != AF_INET) { user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!"); return CmdResult::FAILURE; } uint32_t addr = sa.in4.sin_addr.s_addr; user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.", sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF), ((addr >> 24) & 0xFF))); return CmdResult::SUCCESS; } if (ParseIP(parameters[0], sa)) { user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.", parameters[0].c_str(), sa.addr().c_str())); return CmdResult::SUCCESS; } user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.", parameters[0].c_str())); return CmdResult::FAILURE; } static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out) { const char* ident = nullptr; if (in.length() == 8) { // The ident is an IPv4 address encoded in hexadecimal with two characters // per address segment. ident = in.c_str(); } else if (in.length() == 9 && in[0] == '~') { // The same as above but m_ident got to this user before we did. Strip the // ident prefix and continue as normal. ident = in.c_str() + 1; } else { // The user either does not have an IPv4 in their ident or the gateway server // is also running an identd. In the latter case there isn't really a lot we // can do so we just assume that the client in question is not connecting via // an ident gateway. return false; } // Try to convert the IP address to a string. If this fails then the user // does not have an IPv4 address in their ident. errno = 0; unsigned long address = strtoul(ident, nullptr, 16); if (errno) return false; // If the converted IP address is > 32 bits then it's not valid so bail. if (address > UINT32_MAX) return false; out.in4.sin_family = AF_INET; out.in4.sin_addr.s_addr = htonl(uint32_t(address)); return true; } }; class GatewayExtBan final : public ExtBan::MatchingBase { public: StringExtItem gateway; GatewayExtBan(Module* Creator) : ExtBan::MatchingBase(Creator, "gateway", 'w') , gateway(Creator, "webirc-gateway", ExtensionType::USER, true) { } bool IsMatch(User* user, Channel* channel, const std::string& text) override { const std::string* gatewayname = gateway.Get(user); return gatewayname ? InspIRCd::Match(*gatewayname, text) : false; } }; class CommandWebIRC final : public SplitCommand { public: std::vector hosts; GatewayExtBan extban; StringExtItem realhost; StringExtItem realip; UserCertificateAPI sslapi; Events::ModuleEventProvider webircevprov; CommandWebIRC(Module* Creator) : SplitCommand(Creator, "WEBIRC", 4) , extban(Creator) , realhost(Creator, "gateway-realhost", ExtensionType::USER, true) , realip(Creator, "gateway-realip", ExtensionType::USER, true) , sslapi(Creator) , webircevprov(Creator, "event/webirc") { works_before_reg = true; syntax = { " []" }; } CmdResult HandleLocal(LocalUser* user, const Params& parameters) override { if (user->IsFullyConnected() || realhost.Get(user)) return CmdResult::FAILURE; for (const auto& host : hosts) { // If we don't match the host then skip to the next host. if (!host.Matches(user, parameters[0], sslapi)) continue; irc::sockets::sockaddrs ipaddr(false); if (!ipaddr.from_ip_port(parameters[3], user->client_sa.port())) { ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", user->uuid.c_str(), user->GetIPString().c_str()); ServerInstance->Users.QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); return CmdResult::FAILURE; } // The user matched a WebIRC block! extban.gateway.Set(user, parameters[1]); realhost.Set(user, user->GetRealHost()); realip.Set(user, user->GetIPString()); ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.", user->uuid.c_str(), parameters[1].c_str(), user->GetIPString().c_str(), parameters[3].c_str()); // If we have custom flags then deal with them. WebIRC::FlagMap flags; const bool hasflags = (parameters.size() > 4); if (hasflags) { std::string flagname; std::string flagvalue; // Parse the flags. irc::spacesepstream flagstream(parameters[4]); for (std::string flag; flagstream.GetToken(flag); ) { // Does this flag have a value? const size_t separator = flag.find('='); if (separator == std::string::npos) { // It does not; just use the flag. flagname = flag; flagvalue.clear(); } else { // It does; extract the value. flagname = flag.substr(0, separator); flagvalue = flag.substr(separator + 1); } if (host.IsFlagTrusted(flagname)) flags[flagname] = flagvalue; } } // Inform modules about the WebIRC attempt. webircevprov.Call(&WebIRC::EventListener::OnWebIRCAuth, user, (hasflags ? &flags : nullptr)); // Set the IP address sent via WEBIRC. We ignore the hostname and lookup // instead do our own DNS lookups because of unreliable gateways. user->ChangeRemoteAddress(ipaddr); return CmdResult::SUCCESS; } ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", user->uuid.c_str(), user->GetIPString().c_str()); ServerInstance->Users.QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); return CmdResult::FAILURE; } }; class ModuleGateway final : public Module , public WebIRC::EventListener , public Whois::EventListener { private: CommandHexIP cmdhexip; CommandWebIRC cmdwebirc; std::vector hosts; public: ModuleGateway() : Module(VF_VENDOR, "Adds the ability for IRC gateways to forward the real IP address of users connecting through them.") , WebIRC::EventListener(this) , Whois::EventListener(this) , cmdhexip(this) , cmdwebirc(this) { } void init() override { ServerInstance->SNO.EnableSnomask('w', "GATEWAY"); } void ReadConfig(ConfigStatus& status) override { std::vector identhosts; std::vector webirchosts; for (const auto& [_, tag] : ServerInstance->Config->ConfTags("gateway", ServerInstance->Config->ConfTags("cgihost"))) { MaskList masks; irc::spacesepstream maskstream(tag->getString("mask")); for (std::string mask; maskstream.GetToken(mask); ) masks.push_back(mask); // Ensure that we have the parameter. if (masks.empty()) throw ModuleException(this, "<" + tag->name + ":mask> is a mandatory field, at " + tag->source.str()); // Determine what lookup type this host uses. const std::string type = tag->getString("type"); if (stdalgo::string::equalsci(type, "ident")) { // The IP address should be looked up from the hex IP address. const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); identhosts.emplace_back(masks, newident); } else if (stdalgo::string::equalsci(type, "webirc")) { // The IP address will be received via the WEBIRC command. const std::string fingerprint = tag->getString("fingerprint"); const std::string password = tag->getString("password"); const std::string passwordhash = tag->getString("hash", "plaintext", 1); const std::string trustedflags = tag->getString("trustedflags", "*", 1); // WebIRC blocks require a password. if (fingerprint.empty() && password.empty()) throw ModuleException(this, "When using <" + tag->name + " type=\"webirc\"> either the fingerprint or password field is required, at " + tag->source.str()); if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) { ServerInstance->Logs.Normal(MODNAME, "<%s> tag at %s contains an plain text password, this is insecure!", tag->name.c_str(), tag->source.str().c_str()); } webirchosts.emplace_back(masks, fingerprint, password, passwordhash, trustedflags); } else { throw ModuleException(this, type + " is an invalid <" + tag->name + ":mask> type, at " + tag->source.str()); } } // The host configuration was valid so we can apply it. hosts.swap(identhosts); cmdwebirc.hosts.swap(webirchosts); } ModResult OnSetConnectClass(LocalUser* user, const ConnectClass::Ptr& myclass) override { // If is not set then we have nothing to do. const std::string webirc = myclass->config->getString("webirc"); if (webirc.empty()) return MOD_RES_PASSTHRU; // If the user is not connecting via a WebIRC gateway then they // cannot match this connect class. const std::string* gateway = cmdwebirc.extban.gateway.Get(user); if (!gateway) { ServerInstance->Logs.Debug("CONNECTCLASS", "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", myclass->GetName().c_str()); return MOD_RES_DENY; } // If the gateway matches the constraint then // allow the check to continue. Otherwise, reject it. if (!InspIRCd::Match(*gateway, webirc)) { ServerInstance->Logs.Debug("CONNECTCLASS", "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); return MOD_RES_DENY; } return MOD_RES_PASSTHRU; } ModResult OnUserRegister(LocalUser* user) override { // There is no need to check for gateways if one is already being used. if (cmdwebirc.realhost.Get(user)) return MOD_RES_PASSTHRU; for (const auto& host : hosts) { // If we don't match the host then skip to the next host. if (!host.Matches(user)) continue; // We have matched an gateway block! Try to parse the encoded IPv4 address // out of the ident. irc::sockets::sockaddrs address(user->client_sa); if (!CommandHexIP::ParseIP(user->ident, address)) return MOD_RES_PASSTHRU; // Store the hostname and IP of the gateway for later use. cmdwebirc.realhost.Set(user, user->GetRealHost()); cmdwebirc.realip.Set(user, user->GetIPString()); const std::string& newident = host.GetIdent(); ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); user->ChangeIdent(newident); user->ChangeRemoteAddress(address); break; } return MOD_RES_PASSTHRU; } void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) override { // We are only interested in connection flags. If none have been // given then we have nothing to do. if (!flags) return; WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); if (cport != flags->end()) { // If we can't parse the port then just give up. uint16_t port = ConvToNum(cport->second); if (port) { switch (user->client_sa.family()) { case AF_INET: user->client_sa.in4.sin_port = htons(port); break; case AF_INET6: user->client_sa.in6.sin6_port = htons(port); break; default: // If we have reached this point then we have encountered a bug. ServerInstance->Logs.Debug(MODNAME, "BUG: OnWebIRCAuth(%s): socket type %hu is unknown!", user->uuid.c_str(), user->client_sa.family()); return; } } } WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); if (sport != flags->end()) { // If we can't parse the port then just give up. uint16_t port = ConvToNum(sport->second); if (port) { switch (user->server_sa.family()) { case AF_INET: user->server_sa.in4.sin_port = htons(port); break; case AF_INET6: user->server_sa.in6.sin6_port = htons(port); break; default: // If we have reached this point then we have encountered a bug. ServerInstance->Logs.Debug(MODNAME, "BUG: OnWebIRCAuth(%s): socket type %hu is unknown!", user->uuid.c_str(), user->server_sa.family()); return; } } } } void OnWhois(Whois::Context& whois) override { // If these fields are not set then the client is not using a gateway. std::string* realhost = cmdwebirc.realhost.Get(whois.GetTarget()); std::string* realip = cmdwebirc.realip.Get(whois.GetTarget()); if (!realhost || !realip) return; // If the source doesn't have the right privs then only show the gateway name. std::string hidden = "*"; if (!whois.GetSource()->HasPrivPermission("users/auspex")) realhost = realip = &hidden; const std::string* gateway = cmdwebirc.extban.gateway.Get(whois.GetTarget()); if (gateway) whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); else whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); } }; MODULE_INIT(ModuleGateway)