search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove cruft left behind by removed stats_p_hook.
[seven-1.x.git] / modules / m_challenge.c
blob2c2bfd94d280969190335c0cd51d388131d6d7fd
1 /*
2 * ircd-ratbox: A slightly useful ircd.
3 * m_challenge.c: Allows an IRC Operator to securely authenticate.
4 *
5 * Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
6 * Copyright (C) 1996-2002 Hybrid Development Team
7 * Copyright (C) 2002-2005 ircd-ratbox development team
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
22 * USA
23 */
24
25 #include "stdinc.h"
26
27 #ifdef HAVE_LIBCRYPTO
28 #include <openssl/pem.h>
29 #include <openssl/rand.h>
30 #include <openssl/rsa.h>
31 #include <openssl/md5.h>
32 #include <openssl/bn.h>
33 #include <openssl/evp.h>
34 #include <openssl/err.h>
35 #endif
36
37 #include "memory.h"
38 #include "client.h"
39 #include "ircd.h"
40 #include "modules.h"
41 #include "numeric.h"
42 #include "send.h"
43 #include "s_conf.h"
44 #include "msg.h"
45 #include "parse.h"
46 #include "irc_string.h"
47 #include "s_log.h"
48 #include "s_user.h"
49 #include "cache.h"
50 #include "s_newconf.h"
51
52 #define CHALLENGE_WIDTH BUFSIZE - (NICKLEN + HOSTLEN + 12)
53 #define CHALLENGE_EXPIRES 180 /* 180 seconds should be more than long enough */
54 #define CHALLENGE_SECRET_LENGTH 128 /* how long our challenge secret should be */
55
56 #ifndef HAVE_LIBCRYPTO
57 /* Maybe this should be an error or something?-davidt */
58 /* now it is -larne */
59 static int challenge_load(void)
60 {
61 #ifndef STATIC_MODULES
62 sendto_realops_snomask(SNO_GENERAL, L_ALL,
63 "Challenge module not loaded because OpenSSL is not available.");
64 ilog(L_MAIN, "Challenge module not loaded because OpenSSL is not available.");
65 return -1;
66 #else
67 return 0;
68 #endif
69 }
70
71 DECLARE_MODULE_AV1(challenge, challenge_load, NULL, NULL, NULL, NULL, "$Revision: 26 $");
72 #else
73
74 static int m_challenge(struct Client *, struct Client *, int, const char **);
75
76 /* We have openssl support, so include /CHALLENGE */
77 struct Message challenge_msgtab = {
78 "CHALLENGE", 0, 0, 0, MFLG_SLOW,
79 {mg_unreg, {m_challenge, 2}, mg_ignore, mg_ignore, mg_ignore, {m_challenge, 2}}
80 };
81
82 mapi_clist_av1 challenge_clist[] = { &challenge_msgtab, NULL };
83 DECLARE_MODULE_AV1(challenge, NULL, NULL, challenge_clist, NULL, NULL, "$Revision: 26 $");
84
85 static int generate_challenge(char **r_challenge, char **r_response, RSA * key);
86
87 static void
88 cleanup_challenge(struct Client *target_p)
89 {
90 if(target_p->localClient == NULL)
91 return;
92
93 MyFree(target_p->localClient->challenge);
94 MyFree(target_p->localClient->opername);
95 target_p->localClient->challenge = NULL;
96 target_p->localClient->opername = NULL;
97 target_p->localClient->chal_time = 0;
98 }
99
100 /*
101 * m_challenge - generate RSA challenge for wouldbe oper
102 * parv[0] = sender prefix
103 * parv[1] = operator to challenge for, or +response
104 *
105 */
106 static int
107 m_challenge(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
108 {
109 struct oper_conf *oper_p;
110 char *challenge = NULL; /* to placate gcc */
111 char chal_line[CHALLENGE_WIDTH];
112 unsigned char *b_response;
113 size_t cnt;
114 int len = 0;
115
116 /* if theyre an oper, reprint oper motd and ignore */
117 if(IsOper(source_p))
118 {
119 sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
120 send_oper_motd(source_p);
121 return 0;
122 }
123
124 if(*parv[1] == '+')
125 {
126 /* Ignore it if we aren't expecting this... -A1kmm */
127 if(!source_p->localClient->challenge)
128 return 0;
129
130 if((CurrentTime - source_p->localClient->chal_time) > CHALLENGE_EXPIRES)
131 {
132 sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
133 ilog(L_FOPER, "EXPIRED CHALLENGE (%s) by (%s!%s@%s) (%s)",
134 source_p->localClient->opername, source_p->name,
135 source_p->username, source_p->host, source_p->sockhost);
136
137 if(ConfigFileEntry.failed_oper_notice)
138 sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
139 "Expired CHALLENGE attempt by %s (%s@%s)",
140 source_p->name, source_p->username,
141 source_p->host);
142 cleanup_challenge(source_p);
143 return 0;
144 }
145
146 b_response = ircd_base64_decode((const unsigned char *)++parv[1], strlen(parv[1]), &len);
147
148 if(len != SHA_DIGEST_LENGTH ||
149 memcmp(source_p->localClient->challenge, b_response, SHA_DIGEST_LENGTH))
150 {
151 sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
152 ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s) (%s)",
153 source_p->localClient->opername, source_p->name,
154 source_p->username, source_p->host, source_p->sockhost);
155
156 if(ConfigFileEntry.failed_oper_notice)
157 sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
158 "Failed CHALLENGE attempt by %s (%s@%s)",
159 source_p->name, source_p->username,
160 source_p->host);
161
162 MyFree(b_response);
163 cleanup_challenge(source_p);
164 return 0;
165 }
166
167 MyFree(b_response);
168
169 oper_p = find_oper_conf(source_p->username, source_p->orighost,
170 source_p->sockhost,
171 source_p->localClient->opername);
172
173 if(oper_p == NULL)
174 {
175 sendto_one(source_p, form_str(ERR_NOOPERHOST),
176 me.name, source_p->name);
177 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
178 source_p->localClient->opername, source_p->name,
179 source_p->username, source_p->host,
180 source_p->sockhost);
181
182 if(ConfigFileEntry.failed_oper_notice)
183 sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
184 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
185 source_p->name, source_p->username,
186 source_p->host);
187 return 0;
188 }
189
190 cleanup_challenge(source_p);
191
192 oper_up(source_p, oper_p);
193
194 ilog(L_OPERED, "OPER %s by %s!%s@%s (%s)",
195 source_p->localClient->opername, source_p->name,
196 source_p->username, source_p->host, source_p->sockhost);
197 return 0;
198 }
199
200 cleanup_challenge(source_p);
201
202 oper_p = find_oper_conf(source_p->username, source_p->orighost,
203 source_p->sockhost, parv[1]);
204
205 if(oper_p == NULL)
206 {
207 sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
208 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
209 parv[1], source_p->name,
210 source_p->username, source_p->host, source_p->sockhost);
211
212 if(ConfigFileEntry.failed_oper_notice)
213 sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
214 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
215 source_p->name, source_p->username, source_p->host);
216 return 0;
217 }
218
219 if(!oper_p->rsa_pubkey)
220 {
221 sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
222 "is not enabled for your oper{} block.", me.name, parv[0]);
223 return 0;
224 }
225
226 if(!generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey))
227 {
228 char *chal = challenge;
229 source_p->localClient->chal_time = CurrentTime;
230 for(;;)
231 {
232 cnt = strlcpy(chal_line, chal, CHALLENGE_WIDTH);
233 sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line);
234 if(cnt > CHALLENGE_WIDTH)
235 chal += CHALLENGE_WIDTH - 1;
236 else
237 break;
238
239 }
240 sendto_one(source_p, form_str(RPL_ENDOFRSACHALLENGE2),
241 me.name, source_p->name);
242 MyFree(challenge);
243 DupString(source_p->localClient->opername, oper_p->name);
244 }
245 else
246 sendto_one_notice(source_p, ":Failed to generate challenge.");
247
248 return 0;
249 }
250
251 static int
252 get_randomness(unsigned char *buf, int length)
253 {
254 /* Seed OpenSSL PRNG with EGD enthropy pool -kre */
255 if(ConfigFileEntry.use_egd && (ConfigFileEntry.egdpool_path != NULL))
256 {
257 if(RAND_egd(ConfigFileEntry.egdpool_path) == -1)
258 return -1;
259 }
260
261 if(RAND_status())
262 {
263 if(RAND_bytes(buf, length) > 0)
264 return 1;
265 }
266 else {
267 if(RAND_pseudo_bytes(buf, length) >= 0)
268 return 1;
269 }
270 return 0;
271 }
272
273 static int
274 generate_challenge(char **r_challenge, char **r_response, RSA * rsa)
275 {
276 SHA_CTX ctx;
277 unsigned char secret[CHALLENGE_SECRET_LENGTH], *tmp;
278 unsigned long length;
279 unsigned long e = 0;
280 unsigned long cnt = 0;
281 int ret;
282
283 if(!rsa)
284 return -1;
285 if(get_randomness(secret, CHALLENGE_SECRET_LENGTH))
286 {
287 SHA1_Init(&ctx);
288 SHA1_Update(&ctx, (u_int8_t *)secret, CHALLENGE_SECRET_LENGTH);
289 *r_response = MyMalloc(SHA_DIGEST_LENGTH);
290 SHA1_Final((u_int8_t *)*r_response, &ctx);
291
292 length = RSA_size(rsa);
293 tmp = MyMalloc(length);
294 ret = RSA_public_encrypt(CHALLENGE_SECRET_LENGTH, secret, tmp, rsa, RSA_PKCS1_OAEP_PADDING);
295
296 if (ret >= 0)
297 {
298 *r_challenge = (char *)ircd_base64_encode(tmp, ret);
299 MyFree(tmp);
300 return 0;
301 }
302 MyFree(tmp);
303 MyFree(*r_response);
304 *r_response = NULL;
305 }
306
307 ERR_load_crypto_strings();
308 while ((cnt < 100) && (e = ERR_get_error()))
309 {
310 ilog(L_MAIN, "SSL error: %s", ERR_error_string(e, 0));
311 cnt++;
312 }
313
314 return (-1);
315 }
316
317 #endif /* HAVE_LIBCRYPTO */
ircd-seven: Cows like it.