X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/81af5bcb394280ff1af82486961d852b102b923b..a92275551218402bf4969a7fe613cab27416c4ef:/modules/m_challenge.c diff --git a/modules/m_challenge.c b/modules/m_challenge.c index d71abcc8..1842f727 100644 --- a/modules/m_challenge.c +++ b/modules/m_challenge.c @@ -20,8 +20,6 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA - * - * $Id: m_challenge.c 3161 2007-01-25 07:23:01Z nenolod $ */ #include "stdinc.h" @@ -44,8 +42,8 @@ #include "s_conf.h" #include "msg.h" #include "parse.h" -#include "irc_string.h" -#include "s_log.h" +#include "match.h" +#include "logger.h" #include "s_user.h" #include "cache.h" #include "s_newconf.h" @@ -55,61 +53,62 @@ #define CHALLENGE_SECRET_LENGTH 128 /* how long our challenge secret should be */ #ifndef HAVE_LIBCRYPTO + +static const char challenge_desc[] = "Does nothing as OpenSSL was not enabled."; + /* Maybe this should be an error or something?-davidt */ /* now it is -larne */ -static int challenge_load(void) +static int challenge_load(void) { -#ifndef STATIC_MODULES - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Challenge module not loaded because OpenSSL is not available."); ilog(L_MAIN, "Challenge module not loaded because OpenSSL is not available."); return -1; -#else - return 0; -#endif } -DECLARE_MODULE_AV1(challenge, challenge_load, NULL, NULL, NULL, NULL, "$Revision: 3161 $"); +DECLARE_MODULE_AV2(challenge, challenge_load, NULL, NULL, NULL, NULL, NULL, NULL, challenge_desc); #else -static int m_challenge(struct Client *, struct Client *, int, const char **); +static const char challenge_desc[] = + "Provides the challenge-response facility used for becoming an IRC operator"; + +static void m_challenge(struct MsgBuf *, struct Client *, struct Client *, int, const char **); /* We have openssl support, so include /CHALLENGE */ struct Message challenge_msgtab = { - "CHALLENGE", 0, 0, 0, MFLG_SLOW, + "CHALLENGE", 0, 0, 0, 0, {mg_unreg, {m_challenge, 2}, mg_ignore, mg_ignore, mg_ignore, {m_challenge, 2}} }; mapi_clist_av1 challenge_clist[] = { &challenge_msgtab, NULL }; -DECLARE_MODULE_AV1(challenge, NULL, NULL, challenge_clist, NULL, NULL, "$Revision: 3161 $"); -static int generate_challenge(char **r_challenge, char **r_response, RSA * key); +DECLARE_MODULE_AV2(challenge, NULL, NULL, challenge_clist, NULL, NULL, NULL, NULL, challenge_desc); + +static bool generate_challenge(char **r_challenge, char **r_response, RSA * key); static void cleanup_challenge(struct Client *target_p) { if(target_p->localClient == NULL) return; - - MyFree(target_p->localClient->challenge); - MyFree(target_p->localClient->opername); + + rb_free(target_p->localClient->challenge); + rb_free(target_p->user->opername); target_p->localClient->challenge = NULL; - target_p->localClient->opername = NULL; + target_p->user->opername = NULL; target_p->localClient->chal_time = 0; } /* * m_challenge - generate RSA challenge for wouldbe oper - * parv[0] = sender prefix * parv[1] = operator to challenge for, or +response - * */ -static int -m_challenge(struct Client *client_p, struct Client *source_p, int parc, const char *parv[]) +static void +m_challenge(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, int parc, const char *parv[]) { struct oper_conf *oper_p; char *challenge = NULL; /* to placate gcc */ - char chal_line[CHALLENGE_WIDTH]; + char chal_line[CHALLENGE_WIDTH]; unsigned char *b_response; size_t cnt; int len = 0; @@ -119,20 +118,20 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch { sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name); send_oper_motd(source_p); - return 0; + return; } if(*parv[1] == '+') { /* Ignore it if we aren't expecting this... -A1kmm */ if(!source_p->localClient->challenge) - return 0; + return; - if((CurrentTime - source_p->localClient->chal_time) > CHALLENGE_EXPIRES) + if((rb_current_time() - source_p->localClient->chal_time) > CHALLENGE_EXPIRES) { sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name); ilog(L_FOPER, "EXPIRED CHALLENGE (%s) by (%s!%s@%s) (%s)", - source_p->localClient->opername, source_p->name, + source_p->user->opername, source_p->name, source_p->username, source_p->host, source_p->sockhost); if(ConfigFileEntry.failed_oper_notice) @@ -141,17 +140,18 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch source_p->name, source_p->username, source_p->host); cleanup_challenge(source_p); - return 0; + return; } - b_response = ircd_base64_decode((const unsigned char *)++parv[1], strlen(parv[1]), &len); + parv[1]++; + b_response = rb_base64_decode((const unsigned char *)parv[1], strlen(parv[1]), &len); if(len != SHA_DIGEST_LENGTH || memcmp(source_p->localClient->challenge, b_response, SHA_DIGEST_LENGTH)) { sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name); ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s)", - source_p->localClient->opername, source_p->name, + source_p->user->opername, source_p->name, source_p->username, source_p->host, source_p->sockhost); if(ConfigFileEntry.failed_oper_notice) @@ -160,23 +160,22 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch source_p->name, source_p->username, source_p->host); - MyFree(b_response); + rb_free(b_response); cleanup_challenge(source_p); - return 0; + return; } - MyFree(b_response); + rb_free(b_response); - oper_p = find_oper_conf(source_p->username, source_p->orighost, - source_p->sockhost, - source_p->localClient->opername); + oper_p = find_oper_conf(source_p->username, source_p->orighost, + source_p->sockhost, + source_p->user->opername); if(oper_p == NULL) { - sendto_one(source_p, form_str(ERR_NOOPERHOST), - me.name, source_p->name); + sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST)); ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)", - source_p->localClient->opername, source_p->name, + source_p->user->opername, source_p->name, source_p->username, source_p->host, source_p->sockhost); @@ -185,7 +184,7 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)", source_p->name, source_p->username, source_p->host); - return 0; + return; } cleanup_challenge(source_p); @@ -193,19 +192,19 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch oper_up(source_p, oper_p); ilog(L_OPERED, "OPER %s by %s!%s@%s (%s)", - source_p->localClient->opername, source_p->name, + source_p->user->opername, source_p->name, source_p->username, source_p->host, source_p->sockhost); - return 0; + return; } cleanup_challenge(source_p); - oper_p = find_oper_conf(source_p->username, source_p->orighost, + oper_p = find_oper_conf(source_p->username, source_p->orighost, source_p->sockhost, parv[1]); if(oper_p == NULL) { - sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name); + sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST)); ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)", parv[1], source_p->name, source_p->username, source_p->host, source_p->sockhost); @@ -214,63 +213,74 @@ m_challenge(struct Client *client_p, struct Client *source_p, int parc, const ch sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)", source_p->name, source_p->username, source_p->host); - return 0; + return; } if(!oper_p->rsa_pubkey) { sendto_one_notice(source_p, ":I'm sorry, PK authentication is not enabled for your oper{} block."); - return 0; + return; } - if(!generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey)) + if(IsOperConfNeedSSL(oper_p) && !IsSecureClient(source_p)) + { + sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST)); + ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS", + parv[1], source_p->name, source_p->username, source_p->host, + source_p->sockhost); + + if(ConfigFileEntry.failed_oper_notice) + { + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, + "Failed CHALLENGE attempt - missing SSL/TLS by %s (%s@%s)", + source_p->name, source_p->username, source_p->host); + } + return; + } + + if (oper_p->certfp != NULL) + { + if (source_p->certfp == NULL || rb_strcasecmp(source_p->certfp, oper_p->certfp)) + { + sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST)); + ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch", + parv[1], source_p->name, + source_p->username, source_p->host, source_p->sockhost); + + if(ConfigFileEntry.failed_oper_notice) + { + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, + "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)", + source_p->name, source_p->username, source_p->host); + } + return; + } + } + + if(generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey)) { char *chal = challenge; - source_p->localClient->chal_time = CurrentTime; + source_p->localClient->chal_time = rb_current_time(); for(;;) { - cnt = strlcpy(chal_line, chal, CHALLENGE_WIDTH); + cnt = rb_strlcpy(chal_line, chal, CHALLENGE_WIDTH); sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line); if(cnt > CHALLENGE_WIDTH) chal += CHALLENGE_WIDTH - 1; else break; - + } - sendto_one(source_p, form_str(RPL_ENDOFRSACHALLENGE2), + sendto_one(source_p, form_str(RPL_ENDOFRSACHALLENGE2), me.name, source_p->name); - MyFree(challenge); - DupString(source_p->localClient->opername, oper_p->name); + rb_free(challenge); + source_p->user->opername = rb_strdup(oper_p->name); } else sendto_one_notice(source_p, ":Failed to generate challenge."); - - return 0; } -static int -get_randomness(unsigned char *buf, int length) -{ - /* Seed OpenSSL PRNG with EGD enthropy pool -kre */ - if(ConfigFileEntry.use_egd && (ConfigFileEntry.egdpool_path != NULL)) - { - if(RAND_egd(ConfigFileEntry.egdpool_path) == -1) - return -1; - } - - if(RAND_status()) - { - if(RAND_bytes(buf, length) > 0) - return 1; - } - else { - if(RAND_pseudo_bytes(buf, length) >= 0) - return 1; - } - return 0; -} - -static int +static bool generate_challenge(char **r_challenge, char **r_response, RSA * rsa) { SHA_CTX ctx; @@ -281,26 +291,27 @@ generate_challenge(char **r_challenge, char **r_response, RSA * rsa) int ret; if(!rsa) - return -1; - if(get_randomness(secret, CHALLENGE_SECRET_LENGTH)) + return false; + if(rb_get_random(secret, CHALLENGE_SECRET_LENGTH)) { SHA1_Init(&ctx); - SHA1_Update(&ctx, (u_int8_t *)secret, CHALLENGE_SECRET_LENGTH); - *r_response = MyMalloc(SHA_DIGEST_LENGTH); - SHA1_Final((u_int8_t *)*r_response, &ctx); + SHA1_Update(&ctx, (uint8_t *)secret, CHALLENGE_SECRET_LENGTH); + *r_response = malloc(SHA_DIGEST_LENGTH); + SHA1_Final((uint8_t *)*r_response, &ctx); length = RSA_size(rsa); - tmp = MyMalloc(length); + tmp = rb_malloc(length); ret = RSA_public_encrypt(CHALLENGE_SECRET_LENGTH, secret, tmp, rsa, RSA_PKCS1_OAEP_PADDING); - if (ret >= 0) + if(ret >= 0) { - *r_challenge = (char *)ircd_base64_encode(tmp, ret); - MyFree(tmp); - return 0; + *r_challenge = (char *)rb_base64_encode(tmp, ret); + rb_free(tmp); + return true; } - MyFree(tmp); - MyFree(*r_response); + + rb_free(tmp); + rb_free(*r_response); *r_response = NULL; } @@ -311,7 +322,7 @@ generate_challenge(char **r_challenge, char **r_response, RSA * rsa) cnt++; } - return (-1); + return false; } #endif /* HAVE_LIBCRYPTO */