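/*
 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
 *
 * Copyright (c) 2000-2014 ircd-hybrid development team
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 * USA
 */

/*! \file m_challenge.c
 * \brief Includes required functions for processing the CHALLENGE command.
 * \version $Id$
 */

#include "stdinc.h"
#include "client.h"
#include "ircd.h"
#include "modules.h"
#include "numeric.h"
#include "send.h"
#include "conf.h"
#include "rsa.h"
#include "parse.h"
#include "irc_string.h"
#include "log.h"
#include "s_user.h"
#include "memory.h"

#ifdef HAVE_LIBCRYPTO

/*! \brief Releases the pending CHALLENGE state of a local client.
 *
 * The stored response hash and the name of the operator {} block the
 * challenge was issued for are always freed together, so the two fields
 * never get out of step (failed_challenge_notice() prints auth_oper with
 * %s and must never see a stale or half-cleared pair).
 *
 * \param source_p Pointer to the local client whose challenge is dropped
 */
static void
clear_challenge(struct Client *source_p)
{
  MyFree(source_p->localClient->response);
  MyFree(source_p->localClient->auth_oper);
  source_p->localClient->response = NULL;
  source_p->localClient->auth_oper = NULL;
}

/*! \brief Records a failed CHALLENGE attempt.
 *
 * The attempt is always written to the oper log; it is additionally
 * broadcast to opers when failed_oper_notice is enabled in the config.
 *
 * \param source_p Pointer to the client that attempted to oper
 * \param name     Name of the operator {} block they tried to use
 * \param reason   Short, human readable reason for the failure
 */
static void
failed_challenge_notice(struct Client *source_p, const char *name,
                        const char *reason)
{
  if (ConfigFileEntry.failed_oper_notice)
  {
    sendto_realops_flags(UMODE_ALL, L_ALL, SEND_NOTICE,
                         "Failed CHALLENGE attempt as %s "
                         "by %s (%s@%s) - %s",
                         name, source_p->name, source_p->username,
                         source_p->host, reason);
  }

  ilog(LOG_TYPE_OPER, "Failed CHALLENGE attempt as %s "
       "by %s (%s@%s) - %s",
       name, source_p->name, source_p->username,
       source_p->host, reason);
}

/*! \brief Reports a CHALLENGE for which no matching operator {} block was found.
 *
 * The client is sent ERR_NOOPERHOST in every case. A second lookup without
 * client (user@host) matching is done only to decide which reason is
 * recorded for opers: the block exists but this client does not match it,
 * or no block of that name exists at all.
 *
 * \param source_p Pointer to the requesting client
 * \param name     Operator {} block name that was requested
 */
static void
no_oper_conf(struct Client *source_p, const char *name)
{
  sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);

  if (find_exact_name_conf(CONF_OPER, NULL, name, NULL, NULL) != NULL)
    failed_challenge_notice(source_p, name, "host mismatch");
  else
    failed_challenge_notice(source_p, name, "no operator {} block");
}

/*! \brief Handles "CHALLENGE +<response>", the second half of the exchange.
 *
 * Whatever the outcome, the pending challenge is consumed: a single issued
 * challenge can be answered exactly once, so a wrong or unusable response
 * forces the client to request a fresh challenge instead of retrying
 * against the same stored value.
 *
 * \param source_p Pointer to the local client answering the challenge
 * \param response The text following the '+' as sent by the client
 */
static void
challenge_response(struct Client *source_p, const char *response)
{
  struct MaskItem *conf = NULL;

  /* Ignore it if we aren't expecting this... -A1kmm */
  if (source_p->localClient->response == NULL)
    return;

  /* NOTE(review): irccmp() is a case-insensitive compare and is not
   * constant-time; the stored value is a hash produced by
   * generate_challenge(), which is kept as-is here. */
  if (irccmp(source_p->localClient->response, response))
  {
    sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
    failed_challenge_notice(source_p, source_p->localClient->auth_oper,
                            "challenge failed");
    clear_challenge(source_p);
    return;
  }

  /* Re-validate the user@host match now, not only when the challenge was
   * issued, before the client is actually given the block. */
  conf = find_exact_name_conf(CONF_OPER, source_p,
                              source_p->localClient->auth_oper, NULL, NULL);
  if (conf == NULL)
  {
    no_oper_conf(source_p, source_p->localClient->auth_oper);
    clear_challenge(source_p);
    return;
  }

  if (attach_conf(source_p, conf) != 0)
  {
    sendto_one(source_p,":%s NOTICE %s :Can't attach conf!",
               me.name, source_p->name);
    failed_challenge_notice(source_p, conf->name, "can't attach conf!");
    clear_challenge(source_p);
    return;
  }

  oper_up(source_p);

  ilog(LOG_TYPE_OPER, "CHALLENGE %s by %s!%s@%s",
       source_p->localClient->auth_oper, source_p->name,
       source_p->username, source_p->host);

  clear_challenge(source_p);
}

/*! \brief CHALLENGE command handler for registered, non-oper clients.
 *
 * Generates an RSA challenge for a would-be oper, or verifies the
 * response to a previously issued one.
 *
 * \param client_p Pointer to the client that sent the command
 * \param source_p Pointer to the client the command originates from
 * \param parc     Number of parameters in parv (unused)
 * \param parv     parv[0] = sender prefix,
 *                 parv[1] = operator to challenge for, or +response
 * \return Always 0
 */
static int
m_challenge(struct Client *client_p, struct Client *source_p,
            int parc, char *parv[])
{
  char *challenge = NULL;
  struct MaskItem *conf = NULL;

  if (EmptyString(parv[1]))
  {
    sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS),
               me.name, source_p->name, "CHALLENGE");
    return 0;
  }

  if (*parv[1] == '+')
  {
    challenge_response(source_p, parv[1] + 1);
    return 0;
  }

  /* A new request supersedes any challenge still outstanding. */
  clear_challenge(source_p);

  conf = find_exact_name_conf(CONF_OPER, source_p, parv[1], NULL, NULL);
  if (conf == NULL)
  {
    no_oper_conf(source_p, parv[1]);
    return 0;
  }

  if (conf->rsa_public_key == NULL)
  {
    sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
               "is not enabled for your operator {} block.",
               me.name, source_p->name);
    return 0;
  }

  if (IsConfSSL(conf) && !HasUMode(source_p, UMODE_SSL))
  {
    sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
    failed_challenge_notice(source_p, conf->name, "requires SSL/TLS");
    return 0;
  }

  /* An optional client certificate fingerprint pins the block to one
   * certificate; a missing client fingerprint counts as a mismatch. */
  if (!EmptyString(conf->certfp))
  {
    if (EmptyString(source_p->certfp) ||
        strcasecmp(source_p->certfp, conf->certfp))
    {
      sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
      failed_challenge_notice(source_p, conf->name,
                              "client certificate fingerprint mismatch");
      return 0;
    }
  }

  /* generate_challenge() fills in the challenge to send and the expected
   * response; a non-zero return is treated as failure. */
  if (!generate_challenge(&challenge, &source_p->localClient->response,
                          conf->rsa_public_key))
  {
    sendto_one(source_p, form_str(RPL_RSACHALLENGE),
               me.name, source_p->name, challenge);
    source_p->localClient->auth_oper = xstrdup(conf->name);
  }
  else
  {
    /* Previously silent; leave a trace for the oper log so a broken key
     * or RNG problem is diagnosable. */
    ilog(LOG_TYPE_OPER, "CHALLENGE for %s by %s!%s@%s could not be generated",
         conf->name, source_p->name, source_p->username, source_p->host);
  }

  MyFree(challenge);
  return 0;
}

/*! \brief CHALLENGE command handler for clients that are already opers.
 *
 * Simply reminds the client that it is an IRC operator already.
 *
 * \return Always 0
 */
static int
mo_challenge(struct Client *client_p, struct Client *source_p,
             int parc, char *parv[])
{
  sendto_one(source_p, form_str(RPL_YOUREOPER),
             me.name, source_p->name);
  return 0;
}

static struct Message challenge_msgtab = {
  "CHALLENGE", 0, 0, 2, MAXPARA, MFLG_SLOW, 0,
  { m_unregistered, m_challenge, m_ignore, m_ignore, mo_challenge, m_ignore }
};

static void
module_init(void)
{
  mod_add_cmd(&challenge_msgtab);
}

static void
module_exit(void)
{
  mod_del_cmd(&challenge_msgtab);
}
#else
/* Without libcrypto there is no RSA support, so the CHALLENGE command is
 * not registered at all. */
static void
module_init(void)
{
}

static void
module_exit(void)
{
}
#endif

struct module module_entry = {
  .node    = { NULL, NULL, NULL },
  .name    = NULL,
  .version = "$Revision$",
  .handle  = NULL,
  .modinit = module_init,
  .modexit = module_exit,
  .flags   = 0
};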