]> jfr.im git - irc/quakenet/newserv.git/blob - ticketauth/ticketauth.c
projects / irc / quakenet / newserv.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix timing attacks in HMAC functions.
[irc/quakenet/newserv.git] / ticketauth / ticketauth.c
1 /* ticketauth.c */
2
3 #include <stdio.h>
4 #include <string.h>
5 #include <strings.h>
6
7 #include "../control/control.h"
8 #include "../core/config.h"
9 #include "../nick/nick.h"
10 #include "../core/error.h"
11 #include "../lib/hmac.h"
12 #include "../lib/version.h"
13 #include "../localuser/localuser.h"
14 #include "../core/hooks.h"
15 #include "../irc/irc.h"
16
17 #define CS_NODB
18 #include "../chanserv/chanserv.h"
19
20 #define WARN_CHANNEL "#twilightzone"
21
22 MODULE_VERSION("");
23
24 sstring *sharedsecret = NULL;
25
26 int ta_ticketauth(void *source, int cargc, char **cargv) {
27 nick *np = (nick *)source;
28 char buffer[1024], *uhmac, *acc, *junk, *flags;
29 unsigned char digest[32];
30 int expiry, acclen, id;
31 hmacsha256 hmac;
32 channel *wcp;
33
34 if(IsAccount(np)) {
35 controlreply(np, "You're already authed.");
36 return CMD_ERROR;
37 }
38
39 if(cargc != 6) {
40 controlreply(np, "%d\n", cargc);
41 return CMD_USAGE;
42 }
43
44 acc = cargv[0];
45 expiry = atoi(cargv[1]);
46 id = atoi(cargv[2]);
47 acclen = strlen(acc);
48 flags = cargv[3];
49 junk = cargv[4];
50 uhmac = cargv[5];
51
52 if((acclen <= 1) || (acclen > ACCOUNTLEN)) {
53 controlreply(np, "Bad account.");
54 return CMD_ERROR;
55 }
56
57 if(time(NULL) > expiry + 30) {
58 controlwall(NO_OPER, NL_MISC, "%s!%s@%s attempted to TICKETAUTH as %s (expired)", np->nick, np->ident, np->host->name->content, acc);
59 controlreply(np, "Ticket time is bad or has expired.");
60 return CMD_ERROR;
61 }
62
63 hmacsha256_init(&hmac, (unsigned char *)sharedsecret->content, sharedsecret->length);
64 snprintf(buffer, sizeof(buffer), "%s %d %d %s %s", acc, expiry, id, flags, junk);
65 hmacsha256_update(&hmac, (unsigned char *)buffer, strlen(buffer));
66 hmacsha256_final(&hmac, digest);
67
68 /* hahahaha */
69 snprintf(buffer, sizeof(buffer), "%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", digest[0], digest[1], digest[2], digest[3], digest[4], digest[5], digest[6], digest[7], digest[8], digest[9], digest[10], digest[11], digest[12], digest[13], digest[14], digest[15], digest[16], digest[17], digest[18], digest[19], digest[20], digest[21], digest[22], digest[23], digest[24], digest[25], digest[26], digest[27], digest[28], digest[29], digest[30], digest[31]);
70
71 if(hmac_strcmp(buffer, uhmac)) {
72 controlwall(NO_OPER, NL_MISC, "%s!%s@%s attempted to TICKETAUTH as %s (bad HMAC)", np->nick, np->ident, np->host->name->content, acc);
73 controlreply(np, "Bad HMAC.");
74 return CMD_ERROR;
75 }
76
77 controlwall(NO_OPER, NL_MISC, "%s!%s@%s TICKETAUTH'ed as %s", np->nick, np->ident, np->host->name->content, acc);
78
79 wcp = findchannel(WARN_CHANNEL);
80 if(wcp)
81 controlchanmsg(wcp, "WARNING: %s!%s@%s TICKETAUTH'ed as %s", np->nick, np->ident, np->host->name->content, acc);
82
83 controlreply(np, "Ticket valid, authing. . .");
84
85 localusersetaccount(np, acc, id, cs_accountflagmap_str(flags), 0);
86
87 controlreply(np, "Done.");
88 return CMD_OK;
89 }
90
91 void _init() {
92 sharedsecret = getcopyconfigitem("ticketauth", "sharedsecret", "", 512);
93 if(!sharedsecret || !sharedsecret->content || !sharedsecret->content[0]) {
94 Error("ticketauth", ERR_ERROR, "Shared secret not defined in config file.");
95 if(sharedsecret) {
96 freesstring(sharedsecret);
97 sharedsecret = NULL;
98 }
99
100 return;
101 }
102
103 registercontrolhelpcmd("ticketauth", NO_OPERED, 6, ta_ticketauth, "Usage: ticketauth <ticket>");
104 }
105
106 void _fini() {
107 if(!sharedsecret)
108 return;
109
110 deregistercontrolcmd("ticketauth", ta_ticketauth);
111
112 freesstring(sharedsecret);
113 }
Unnamed repository; edit this file 'description' to name the repository.