X-Git-Url: https://jfr.im/git/irc/rqf/shadowircd.git/blobdiff_plain/9f6bbe3cf9c786c5089bfd605315aed5268e8974..12c4f819fadcc5fac4de0c9f510c02c560ad0f20:/modules/m_challenge.c diff --git a/modules/m_challenge.c b/modules/m_challenge.c index 9c27011..19729e3 100644 --- a/modules/m_challenge.c +++ b/modules/m_challenge.c @@ -44,8 +44,8 @@ #include "s_conf.h" #include "msg.h" #include "parse.h" -#include "irc_string.h" -#include "s_log.h" +#include "match.h" +#include "logger.h" #include "s_user.h" #include "cache.h" #include "s_newconf.h" @@ -100,7 +100,6 @@ cleanup_challenge(struct Client *target_p) /* * m_challenge - generate RSA challenge for wouldbe oper - * parv[0] = sender prefix * parv[1] = operator to challenge for, or +response * */ @@ -144,7 +143,7 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch return 0; } - b_response = ircd_base64_decode((const unsigned char *)++parv[1], strlen(parv[1]), &len); + b_response = rb_base64_decode((const unsigned char *)++parv[1], strlen(parv[1]), &len); if(len != SHA_DIGEST_LENGTH || memcmp(source_p->localClient->challenge, b_response, SHA_DIGEST_LENGTH)) @@ -223,13 +222,29 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch return 0; } + if(IsOperConfNeedSSL(oper_p) && !IsSSLClient(source_p)) + { + sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name); + ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS", + parv[1], source_p->name, source_p->username, source_p->host, + source_p->sockhost); + + if(ConfigFileEntry.failed_oper_notice) + { + sendto_realops_snomask(SNO_GENERAL, L_ALL, + "Failed CHALLENGE attempt - missing SSL/TLS by %s (%s@%s)", + source_p->name, source_p->username, source_p->host); + } + return 0; + } + if(!generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey)) { char *chal = challenge; source_p->localClient->chal_time = rb_current_time(); for(;;) { - cnt = strlcpy(chal_line, chal, CHALLENGE_WIDTH); + cnt = rb_strlcpy(chal_line, chal, CHALLENGE_WIDTH); sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line); if(cnt > CHALLENGE_WIDTH) chal += CHALLENGE_WIDTH - 1; @@ -248,28 +263,6 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch return 0; } -static int -get_randomness(unsigned char *buf, int length) -{ - /* Seed OpenSSL PRNG with EGD enthropy pool -kre */ - if(ConfigFileEntry.use_egd && (ConfigFileEntry.egdpool_path != NULL)) - { - if(RAND_egd(ConfigFileEntry.egdpool_path) == -1) - return -1; - } - - if(RAND_status()) - { - if(RAND_bytes(buf, length) > 0) - return 1; - } - else { - if(RAND_pseudo_bytes(buf, length) >= 0) - return 1; - } - return 0; -} - static int generate_challenge(char **r_challenge, char **r_response, RSA * rsa) { @@ -282,23 +275,24 @@ generate_challenge(char **r_challenge, char **r_response, RSA * rsa) if(!rsa) return -1; - if(get_randomness(secret, CHALLENGE_SECRET_LENGTH)) + if(rb_get_random(secret, CHALLENGE_SECRET_LENGTH)) { SHA1_Init(&ctx); - SHA1_Update(&ctx, (u_int8_t *)secret, CHALLENGE_SECRET_LENGTH); - *r_response = rb_malloc(SHA_DIGEST_LENGTH); - SHA1_Final((u_int8_t *)*r_response, &ctx); + SHA1_Update(&ctx, (uint8_t *)secret, CHALLENGE_SECRET_LENGTH); + *r_response = malloc(SHA_DIGEST_LENGTH); + SHA1_Final((uint8_t *)*r_response, &ctx); length = RSA_size(rsa); tmp = rb_malloc(length); ret = RSA_public_encrypt(CHALLENGE_SECRET_LENGTH, secret, tmp, rsa, RSA_PKCS1_OAEP_PADDING); - if (ret >= 0) + if(ret >= 0) { - *r_challenge = (char *)ircd_base64_encode(tmp, ret); + *r_challenge = (char *)rb_base64_encode(tmp, ret); rb_free(tmp); return 0; } + rb_free(tmp); rb_free(*r_response); *r_response = NULL;