1 |
/* |
2 |
* ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd). |
3 |
* m_challenge.c: Allows an IRC Operator to securely authenticate. |
4 |
* |
5 |
* Copyright (C) 2002 by the past and present ircd coders, and others. |
6 |
* |
7 |
* This program is free software; you can redistribute it and/or modify |
8 |
* it under the terms of the GNU General Public License as published by |
9 |
* the Free Software Foundation; either version 2 of the License, or |
10 |
* (at your option) any later version. |
11 |
* |
12 |
* This program is distributed in the hope that it will be useful, |
13 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 |
* GNU General Public License for more details. |
16 |
* |
17 |
* You should have received a copy of the GNU General Public License |
18 |
* along with this program; if not, write to the Free Software |
19 |
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 |
20 |
* USA |
21 |
* |
22 |
* $Id$ |
23 |
*/ |
24 |
|
25 |
#include "stdinc.h" |
26 |
#ifdef HAVE_LIBCRYPTO |
27 |
|
28 |
#include "handlers.h" |
29 |
#include "client.h" |
30 |
#include "ircd.h" |
31 |
#include "modules.h" |
32 |
#include "numeric.h" |
33 |
#include "send.h" |
34 |
#include "s_conf.h" |
35 |
/* -lcrypto is implicit for building this module! */ |
36 |
#include "rsa.h" |
37 |
#include "msg.h" |
38 |
#include "parse.h" |
39 |
#include "irc_string.h" |
40 |
#include "s_log.h" |
41 |
#include "s_user.h" |
42 |
|
43 |
static void failed_challenge_notice(struct Client *, const char *, |
44 |
const char *); |
45 |
static void m_challenge(struct Client *, struct Client *, int, char *[]); |
46 |
|
47 |
/* We have openssl support, so include /CHALLENGE */ |
48 |
struct Message challenge_msgtab = { |
49 |
"CHALLENGE", 0, 0, 2, 0, MFLG_SLOW, 0, |
50 |
{ m_unregistered, m_challenge, m_ignore, m_ignore, m_challenge, m_ignore } |
51 |
}; |
52 |
|
53 |
void |
54 |
_modinit(void) |
55 |
{ |
56 |
mod_add_cmd(&challenge_msgtab); |
57 |
} |
58 |
|
59 |
void |
60 |
_moddeinit(void) |
61 |
{ |
62 |
mod_del_cmd(&challenge_msgtab); |
63 |
} |
64 |
|
65 |
const char *_version = "$Revision$"; |
66 |
|
67 |
/* |
68 |
* m_challenge - generate RSA challenge for wouldbe oper |
69 |
* parv[0] = sender prefix |
70 |
* parv[1] = operator to challenge for, or +response |
71 |
* |
72 |
*/ |
73 |
static void |
74 |
m_challenge(struct Client *client_p, struct Client *source_p, |
75 |
int parc, char *parv[]) |
76 |
{ |
77 |
char *challenge = NULL; |
78 |
struct ConfItem *conf = NULL; |
79 |
struct AccessItem *aconf = NULL; |
80 |
|
81 |
/* if theyre an oper, reprint oper motd and ignore */ |
82 |
if (IsOper(source_p)) |
83 |
{ |
84 |
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]); |
85 |
send_message_file(source_p, &ConfigFileEntry.opermotd); |
86 |
return; |
87 |
} |
88 |
|
89 |
if (*parv[1] == '+') |
90 |
{ |
91 |
/* Ignore it if we aren't expecting this... -A1kmm */ |
92 |
if (source_p->localClient->response == NULL) |
93 |
return; |
94 |
|
95 |
if (irccmp(source_p->localClient->response, ++parv[1])) |
96 |
{ |
97 |
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, |
98 |
source_p->name); |
99 |
failed_challenge_notice(source_p, source_p->localClient->auth_oper, |
100 |
"challenge failed"); |
101 |
return; |
102 |
} |
103 |
|
104 |
conf = find_exact_name_conf(OPER_TYPE, |
105 |
source_p->localClient->auth_oper, |
106 |
source_p->username, source_p->host); |
107 |
if (conf == NULL) |
108 |
conf = find_exact_name_conf(OPER_TYPE, |
109 |
source_p->localClient->auth_oper, |
110 |
source_p->username, source_p->sockhost); |
111 |
if (conf == NULL) |
112 |
{ |
113 |
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); |
114 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", |
115 |
source_p->localClient->auth_oper); |
116 |
return; |
117 |
} |
118 |
|
119 |
if (attach_conf(source_p, conf) != 0) |
120 |
{ |
121 |
sendto_one(source_p,":%s NOTICE %s :Can't attach conf!", |
122 |
me.name, source_p->name); |
123 |
failed_challenge_notice(source_p, conf->name, "can't attach conf!"); |
124 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", |
125 |
source_p->localClient->auth_oper); |
126 |
return; |
127 |
} |
128 |
|
129 |
oper_up(source_p); |
130 |
|
131 |
ilog(L_TRACE, "OPER %s by %s!%s@%s", |
132 |
source_p->localClient->auth_oper, source_p->name, source_p->username, |
133 |
source_p->host); |
134 |
log_oper_action(LOG_OPER_TYPE, source_p, |
135 |
"%s\n", source_p->localClient->auth_oper); |
136 |
|
137 |
MyFree(source_p->localClient->response); |
138 |
MyFree(source_p->localClient->auth_oper); |
139 |
source_p->localClient->response = NULL; |
140 |
source_p->localClient->auth_oper = NULL; |
141 |
return; |
142 |
} |
143 |
|
144 |
MyFree(source_p->localClient->response); |
145 |
MyFree(source_p->localClient->auth_oper); |
146 |
source_p->localClient->response = NULL; |
147 |
source_p->localClient->auth_oper = NULL; |
148 |
|
149 |
if ((conf = find_conf_exact(OPER_TYPE, |
150 |
parv[1], source_p->username, source_p->host |
151 |
)) != NULL) |
152 |
aconf = map_to_conf(conf); |
153 |
else if ((conf = find_conf_exact(OPER_TYPE, |
154 |
parv[1], source_p->username, |
155 |
source_p->sockhost)) != NULL) |
156 |
aconf = map_to_conf(conf); |
157 |
|
158 |
if (aconf == NULL) |
159 |
{ |
160 |
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); |
161 |
conf = find_exact_name_conf(OPER_TYPE, parv[1], NULL, NULL); |
162 |
failed_challenge_notice(source_p, parv[1], (conf != NULL) |
163 |
? "host mismatch" : "no oper {} block"); |
164 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", parv[1]); |
165 |
return; |
166 |
} |
167 |
|
168 |
if (aconf->rsa_public_key == NULL) |
169 |
{ |
170 |
sendto_one (source_p, ":%s NOTICE %s :I'm sorry, PK authentication " |
171 |
"is not enabled for your oper{} block.", me.name, |
172 |
parv[0]); |
173 |
return; |
174 |
} |
175 |
|
176 |
if (!generate_challenge(&challenge, &(source_p->localClient->response), |
177 |
aconf->rsa_public_key)) |
178 |
sendto_one(source_p, form_str(RPL_RSACHALLENGE), |
179 |
me.name, parv[0], challenge); |
180 |
|
181 |
DupString(source_p->localClient->auth_oper, conf->name); |
182 |
MyFree(challenge); |
183 |
} |
184 |
|
185 |
/* failed_challenge_notice() |
186 |
* |
187 |
* inputs - pointer to client doing /oper ... |
188 |
* - pointer to nick they tried to oper as |
189 |
* - pointer to reason they have failed |
190 |
* output - nothing |
191 |
* side effects - notices all opers of the failed oper attempt if enabled |
192 |
*/ |
193 |
static void |
194 |
failed_challenge_notice(struct Client *source_p, const char *name, |
195 |
const char *reason) |
196 |
{ |
197 |
if (ConfigFileEntry.failed_oper_notice) |
198 |
sendto_realops_flags(UMODE_ALL, L_ALL, "Failed CHALLENGE attempt as %s " |
199 |
"by %s (%s@%s) - %s", name, source_p->name, |
200 |
source_p->username, source_p->host, reason); |
201 |
} |
202 |
#endif |