X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/35eccf49306c5f774229a67b4966719c14444d0f..f8838806ef332738fd17e725c9e7d5b1418a9756:/modules/m_challenge.c diff --git a/modules/m_challenge.c b/modules/m_challenge.c index 137dfb7a..74fa7708 100644 --- a/modules/m_challenge.c +++ b/modules/m_challenge.c @@ -60,7 +60,7 @@ static const char challenge_desc[] = "Does nothing as OpenSSL was not enabled."; /* now it is -larne */ static int challenge_load(void) { - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Challenge module not loaded because OpenSSL is not available."); ilog(L_MAIN, "Challenge module not loaded because OpenSSL is not available."); return -1; @@ -113,6 +113,18 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou size_t cnt; int len = 0; + if (ConfigFileEntry.oper_secure_only && !IsSecureClient(source_p)) + { + sendto_one_notice(source_p, ":You must be using a secure connection to /CHALLENGE on this server"); + if (ConfigFileEntry.failed_oper_notice) + { + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, + "Failed CHALLENGE attempt - missing secure connection by %s (%s@%s)", + source_p->name, source_p->username, source_p->host); + } + return; + } + /* if theyre an oper, reprint oper motd and ignore */ if(IsOper(source_p)) { @@ -184,6 +196,7 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)", source_p->name, source_p->username, source_p->host); + cleanup_challenge(source_p); return; } @@ -231,7 +244,7 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou if(ConfigFileEntry.failed_oper_notice) { - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Failed CHALLENGE attempt - missing SSL/TLS by %s (%s@%s)", source_p->name, source_p->username, source_p->host); } 
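Review bot: The new secure-connection rejection at the top of m_challenge (hunk `@@ -113,6 +113,18 @@`) leaves a record only when `ConfigFileEntry.failed_oper_notice` is set. With that option off, a refused /CHALLENGE over a plaintext connection produces no operator-visible trace at all. The file already calls `ilog()` in challenge_load, so an unconditional log line before the notice would keep an audit trail, e.g. `ilog(L_FOPER, "FAILED CHALLENGE by (%s!%s@%s) -- requires secure connection", source_p->name, source_p->username, source_p->host);`. Whether the other failure branches log this way is not visible in the diff, so match their format if they do. The function body continues outside the hunk.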
@@ -249,7 +262,7 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou if(ConfigFileEntry.failed_oper_notice) { - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)", source_p->name, source_p->username, source_p->host); } @@ -265,7 +278,7 @@ m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sou { cnt = rb_strlcpy(chal_line, chal, CHALLENGE_WIDTH); sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line); - if(cnt > CHALLENGE_WIDTH) + if(cnt >= CHALLENGE_WIDTH) chal += CHALLENGE_WIDTH - 1; else break; @@ -296,7 +309,7 @@ generate_challenge(char **r_challenge, char **r_response, RSA * rsa) { SHA1_Init(&ctx); SHA1_Update(&ctx, (uint8_t *)secret, CHALLENGE_SECRET_LENGTH); - *r_response = malloc(SHA_DIGEST_LENGTH); + *r_response = rb_malloc(SHA_DIGEST_LENGTH); SHA1_Final((uint8_t *)*r_response, &ctx); length = RSA_size(rsa);
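Review bot: The notice touched in hunk `@@ -249,7 +262,7 @@` still reads "Failed OPER attempt" although it is emitted from m_challenge, while every other failure notice visible in this diff says "Failed CHALLENGE attempt". Operators who filter or alert on the CHALLENGE string will miss certificate fingerprint mismatches, and the event is misattributed to /OPER. Since the line is being edited anyway, I would change the format string to `"Failed CHALLENGE attempt - client certificate fingerprint mismatch by %s (%s@%s)",`. The enclosing branch starts outside the hunk.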
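Review bot: The corrected comparison in hunk `@@ -265,7 +278,7 @@` depends on a non-obvious contract of `rb_strlcpy` that is not documented at the call site. A short comment above the `if` would keep the boundary from being "simplified" back, e.g. `/* rb_strlcpy returns the length of chal, so cnt >= CHALLENGE_WIDTH means this line was truncated and more remains */`. The declaration of `chal_line` is outside the hunk, so it is worth confirming that the buffer holds at least CHALLENGE_WIDTH bytes. The surrounding loop begins and ends outside the hunk.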
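Review bot: In generate_challenge (hunk `@@ -296,7 +309,7 @@`) `*r_response` now comes from `rb_malloc`, but the code that releases it is not part of this diff, so the allocator pairing cannot be checked here. Whatever frees the response buffer (presumably cleanup_challenge) should use `rb_free` so allocation and release stay in the same family. I would also state the ownership at the allocation with a comment such as `/* caller owns *r_response; release with rb_free() */`. The enclosing block starts before the hunk.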