2 * ircd-ratbox: A slightly useful ircd.
3 * m_challenge.c: Allows an IRC Operator to securely authenticate.
5 * Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
6 * Copyright (C) 1996-2002 Hybrid Development Team
7 * Copyright (C) 2002-2005 ircd-ratbox development team
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
28 #include <openssl/pem.h>
29 #include <openssl/rand.h>
30 #include <openssl/rsa.h>
31 #include <openssl/md5.h>
32 #include <openssl/bn.h>
33 #include <openssl/evp.h>
34 #include <openssl/err.h>
49 #include "s_newconf.h"
51 #define CHALLENGE_WIDTH BUFSIZE - (NICKLEN + HOSTLEN + 12)
52 #define CHALLENGE_EXPIRES 180 /* 180 seconds should be more than long enough */
53 #define CHALLENGE_SECRET_LENGTH 128 /* how long our challenge secret should be */
55 #ifndef HAVE_LIBCRYPTO
57 static const char challenge_desc
[] = "Does nothing as OpenSSL was not enabled.";
59 /* Maybe this should be an error or something?-davidt */
60 /* now it is -larne */
61 static int challenge_load(void)
63 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
64 "Challenge module not loaded because OpenSSL is not available.");
65 ilog(L_MAIN
, "Challenge module not loaded because OpenSSL is not available.");
69 DECLARE_MODULE_AV2(challenge
, challenge_load
, NULL
, NULL
, NULL
, NULL
, NULL
, NULL
, challenge_desc
);
72 static const char challenge_desc
[] =
73 "Provides the challenge-response facility used for becoming an IRC operator";
75 static void m_challenge(struct MsgBuf
*, struct Client
*, struct Client
*, int, const char **);
77 /* We have openssl support, so include /CHALLENGE */
78 struct Message challenge_msgtab
= {
79 "CHALLENGE", 0, 0, 0, 0,
80 {mg_unreg
, {m_challenge
, 2}, mg_ignore
, mg_ignore
, mg_ignore
, {m_challenge
, 2}}
83 mapi_clist_av1 challenge_clist
[] = { &challenge_msgtab
, NULL
};
85 DECLARE_MODULE_AV2(challenge
, NULL
, NULL
, challenge_clist
, NULL
, NULL
, NULL
, NULL
, challenge_desc
);
87 static bool generate_challenge(char **r_challenge
, char **r_response
, RSA
* key
);
90 cleanup_challenge(struct Client
*target_p
)
92 if(target_p
->localClient
== NULL
)
95 rb_free(target_p
->localClient
->challenge
);
96 rb_free(target_p
->user
->opername
);
97 target_p
->localClient
->challenge
= NULL
;
98 target_p
->user
->opername
= NULL
;
99 target_p
->localClient
->chal_time
= 0;
103 * m_challenge - generate RSA challenge for wouldbe oper
104 * parv[1] = operator to challenge for, or +response
107 m_challenge(struct MsgBuf
*msgbuf_p
, struct Client
*client_p
, struct Client
*source_p
, int parc
, const char *parv
[])
109 struct oper_conf
*oper_p
;
110 char *challenge
= NULL
; /* to placate gcc */
111 char chal_line
[CHALLENGE_WIDTH
];
112 unsigned char *b_response
;
116 if (ConfigFileEntry
.oper_secure_only
&& !IsSecureClient(source_p
))
118 sendto_one_notice(source_p
, ":You must be using a secure connection to /CHALLENGE on this server");
119 if (ConfigFileEntry
.failed_oper_notice
)
121 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
122 "Failed CHALLENGE attempt - missing secure connection by %s (%s@%s)",
123 source_p
->name
, source_p
->username
, source_p
->host
);
128 /* if theyre an oper, reprint oper motd and ignore */
131 sendto_one(source_p
, form_str(RPL_YOUREOPER
), me
.name
, source_p
->name
);
132 send_oper_motd(source_p
);
138 /* Ignore it if we aren't expecting this... -A1kmm */
139 if(!source_p
->localClient
->challenge
)
142 if((rb_current_time() - source_p
->localClient
->chal_time
) > CHALLENGE_EXPIRES
)
144 sendto_one(source_p
, form_str(ERR_PASSWDMISMATCH
), me
.name
, source_p
->name
);
145 ilog(L_FOPER
, "EXPIRED CHALLENGE (%s) by (%s!%s@%s) (%s)",
146 source_p
->user
->opername
, source_p
->name
,
147 source_p
->username
, source_p
->host
, source_p
->sockhost
);
149 if(ConfigFileEntry
.failed_oper_notice
)
150 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
151 "Expired CHALLENGE attempt by %s (%s@%s)",
152 source_p
->name
, source_p
->username
,
154 cleanup_challenge(source_p
);
159 b_response
= rb_base64_decode((const unsigned char *)parv
[1], strlen(parv
[1]), &len
);
161 if(len
!= SHA_DIGEST_LENGTH
||
162 memcmp(source_p
->localClient
->challenge
, b_response
, SHA_DIGEST_LENGTH
))
164 sendto_one(source_p
, form_str(ERR_PASSWDMISMATCH
), me
.name
, source_p
->name
);
165 ilog(L_FOPER
, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s)",
166 source_p
->user
->opername
, source_p
->name
,
167 source_p
->username
, source_p
->host
, source_p
->sockhost
);
169 if(ConfigFileEntry
.failed_oper_notice
)
170 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
171 "Failed CHALLENGE attempt by %s (%s@%s)",
172 source_p
->name
, source_p
->username
,
176 cleanup_challenge(source_p
);
182 oper_p
= find_oper_conf(source_p
->username
, source_p
->orighost
,
184 source_p
->user
->opername
);
188 sendto_one_numeric(source_p
, ERR_NOOPERHOST
, form_str(ERR_NOOPERHOST
));
189 ilog(L_FOPER
, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
190 source_p
->user
->opername
, source_p
->name
,
191 source_p
->username
, source_p
->host
,
194 if(ConfigFileEntry
.failed_oper_notice
)
195 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
196 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
197 source_p
->name
, source_p
->username
,
199 cleanup_challenge(source_p
);
203 cleanup_challenge(source_p
);
205 oper_up(source_p
, oper_p
);
207 ilog(L_OPERED
, "OPER %s by %s!%s@%s (%s)",
208 source_p
->user
->opername
, source_p
->name
,
209 source_p
->username
, source_p
->host
, source_p
->sockhost
);
213 cleanup_challenge(source_p
);
215 oper_p
= find_oper_conf(source_p
->username
, source_p
->orighost
,
216 source_p
->sockhost
, parv
[1]);
220 sendto_one_numeric(source_p
, ERR_NOOPERHOST
, form_str(ERR_NOOPERHOST
));
221 ilog(L_FOPER
, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
222 parv
[1], source_p
->name
,
223 source_p
->username
, source_p
->host
, source_p
->sockhost
);
225 if(ConfigFileEntry
.failed_oper_notice
)
226 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
227 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
228 source_p
->name
, source_p
->username
, source_p
->host
);
232 if(!oper_p
->rsa_pubkey
)
234 sendto_one_notice(source_p
, ":I'm sorry, PK authentication is not enabled for your oper{} block.");
238 if(IsOperConfNeedSSL(oper_p
) && !IsSecureClient(source_p
))
240 sendto_one_numeric(source_p
, ERR_NOOPERHOST
, form_str(ERR_NOOPERHOST
));
241 ilog(L_FOPER
, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS",
242 parv
[1], source_p
->name
, source_p
->username
, source_p
->host
,
245 if(ConfigFileEntry
.failed_oper_notice
)
247 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
248 "Failed CHALLENGE attempt - missing SSL/TLS by %s (%s@%s)",
249 source_p
->name
, source_p
->username
, source_p
->host
);
254 if (oper_p
->certfp
!= NULL
)
256 if (source_p
->certfp
== NULL
|| rb_strcasecmp(source_p
->certfp
, oper_p
->certfp
))
258 sendto_one_numeric(source_p
, ERR_NOOPERHOST
, form_str(ERR_NOOPERHOST
));
259 ilog(L_FOPER
, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
260 parv
[1], source_p
->name
,
261 source_p
->username
, source_p
->host
, source_p
->sockhost
);
263 if(ConfigFileEntry
.failed_oper_notice
)
265 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
266 "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
267 source_p
->name
, source_p
->username
, source_p
->host
);
273 if(generate_challenge(&challenge
, &(source_p
->localClient
->challenge
), oper_p
->rsa_pubkey
))
275 char *chal
= challenge
;
276 source_p
->localClient
->chal_time
= rb_current_time();
279 cnt
= rb_strlcpy(chal_line
, chal
, CHALLENGE_WIDTH
);
280 sendto_one(source_p
, form_str(RPL_RSACHALLENGE2
), me
.name
, source_p
->name
, chal_line
);
281 if(cnt
>= CHALLENGE_WIDTH
)
282 chal
+= CHALLENGE_WIDTH
- 1;
287 sendto_one(source_p
, form_str(RPL_ENDOFRSACHALLENGE2
),
288 me
.name
, source_p
->name
);
290 source_p
->user
->opername
= rb_strdup(oper_p
->name
);
293 sendto_one_notice(source_p
, ":Failed to generate challenge.");
297 generate_challenge(char **r_challenge
, char **r_response
, RSA
* rsa
)
300 unsigned char secret
[CHALLENGE_SECRET_LENGTH
], *tmp
;
301 unsigned long length
;
303 unsigned long cnt
= 0;
308 if(rb_get_random(secret
, CHALLENGE_SECRET_LENGTH
))
311 SHA1_Update(&ctx
, (uint8_t *)secret
, CHALLENGE_SECRET_LENGTH
);
312 *r_response
= rb_malloc(SHA_DIGEST_LENGTH
);
313 SHA1_Final((uint8_t *)*r_response
, &ctx
);
315 length
= RSA_size(rsa
);
316 tmp
= rb_malloc(length
);
317 ret
= RSA_public_encrypt(CHALLENGE_SECRET_LENGTH
, secret
, tmp
, rsa
, RSA_PKCS1_OAEP_PADDING
);
321 *r_challenge
= (char *)rb_base64_encode(tmp
, ret
);
327 rb_free(*r_response
);
331 ERR_load_crypto_strings();
332 while ((cnt
< 100) && (e
= ERR_get_error()))
334 ilog(L_MAIN
, "SSL error: %s", ERR_error_string(e
, 0));
341 #endif /* HAVE_LIBCRYPTO */