1 |
/* |
2 |
* ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd). |
3 |
* m_challenge.c: Allows an IRC Operator to securely authenticate. |
4 |
* |
5 |
* Copyright (C) 2002 by the past and present ircd coders, and others. |
6 |
* |
7 |
* This program is free software; you can redistribute it and/or modify |
8 |
* it under the terms of the GNU General Public License as published by |
9 |
* the Free Software Foundation; either version 2 of the License, or |
10 |
* (at your option) any later version. |
11 |
* |
12 |
* This program is distributed in the hope that it will be useful, |
13 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 |
* GNU General Public License for more details. |
16 |
* |
17 |
* You should have received a copy of the GNU General Public License |
18 |
* along with this program; if not, write to the Free Software |
19 |
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 |
20 |
* USA |
21 |
* |
22 |
* $Id: m_challenge.c,v 1.59 2005/09/05 14:16:58 db Exp $ |
23 |
*/ |
24 |
|
25 |
#include "stdinc.h" |
26 |
#include "handlers.h" |
27 |
#include "client.h" |
28 |
#include "ircd.h" |
29 |
#include "modules.h" |
30 |
#include "numeric.h" |
31 |
#include "send.h" |
32 |
#include "s_conf.h" |
33 |
/* -lcrypto is implicit for building this module! */ |
34 |
#include "rsa.h" |
35 |
#include "msg.h" |
36 |
#include "parse.h" |
37 |
#include "irc_string.h" |
38 |
#include "s_log.h" |
39 |
#include "s_user.h" |
40 |
|
41 |
static void failed_challenge_notice(struct Client *, const char *, |
42 |
const char *); |
43 |
static void m_challenge(struct Client *, struct Client *, int, char **); |
44 |
|
45 |
/* We have openssl support, so include /CHALLENGE */ |
46 |
struct Message challenge_msgtab = { |
47 |
"CHALLENGE", 0, 0, 2, 0, MFLG_SLOW, 0, |
48 |
{ m_unregistered, m_challenge, m_ignore, m_ignore, m_challenge, m_ignore } |
49 |
}; |
50 |
|
51 |
#ifndef STATIC_MODULES |
52 |
void |
53 |
_modinit(void) |
54 |
{ |
55 |
mod_add_cmd(&challenge_msgtab); |
56 |
} |
57 |
|
58 |
void |
59 |
_moddeinit(void) |
60 |
{ |
61 |
mod_del_cmd(&challenge_msgtab); |
62 |
} |
63 |
|
64 |
const char *_version = "$Revision: 1.59 $"; |
65 |
#endif |
66 |
|
67 |
/* |
68 |
* m_challenge - generate RSA challenge for wouldbe oper |
69 |
* parv[0] = sender prefix |
70 |
* parv[1] = operator to challenge for, or +response |
71 |
* |
72 |
*/ |
73 |
static void |
74 |
m_challenge(struct Client *client_p, struct Client *source_p, |
75 |
int parc, char *parv[]) |
76 |
{ |
77 |
char *challenge; |
78 |
struct ConfItem *conf=NULL; |
79 |
struct AccessItem *aconf=NULL; |
80 |
|
81 |
assert(source_p->localClient); |
82 |
|
83 |
/* if theyre an oper, reprint oper motd and ignore */ |
84 |
if (IsOper(source_p)) |
85 |
{ |
86 |
sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]); |
87 |
send_message_file(source_p, &ConfigFileEntry.opermotd); |
88 |
return; |
89 |
} |
90 |
|
91 |
if (*parv[1] == '+') |
92 |
{ |
93 |
/* Ignore it if we aren't expecting this... -A1kmm */ |
94 |
if (!source_p->localClient->response) |
95 |
return; |
96 |
|
97 |
if (irccmp(source_p->localClient->response, ++parv[1])) |
98 |
{ |
99 |
sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, |
100 |
source_p->name); |
101 |
failed_challenge_notice(source_p, source_p->localClient->auth_oper, |
102 |
"challenge failed"); |
103 |
return; |
104 |
} |
105 |
|
106 |
if ((conf = find_exact_name_conf(OPER_TYPE, |
107 |
source_p->localClient->auth_oper, |
108 |
source_p->username, source_p->host |
109 |
)) == NULL) |
110 |
{ |
111 |
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); |
112 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", |
113 |
source_p->localClient->auth_oper); |
114 |
return; |
115 |
} |
116 |
|
117 |
if (attach_conf(source_p, conf) != 0) |
118 |
{ |
119 |
sendto_one(source_p,":%s NOTICE %s :Can't attach conf!", |
120 |
me.name, source_p->name); |
121 |
failed_challenge_notice(source_p, conf->name, "can't attach conf!"); |
122 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", |
123 |
source_p->localClient->auth_oper); |
124 |
return; |
125 |
} |
126 |
|
127 |
oper_up(source_p); |
128 |
|
129 |
ilog(L_TRACE, "OPER %s by %s!%s@%s", |
130 |
source_p->localClient->auth_oper, source_p->name, source_p->username, |
131 |
source_p->host); |
132 |
log_oper_action(LOG_OPER_TYPE, source_p, |
133 |
"%s\n", source_p->localClient->auth_oper); |
134 |
|
135 |
MyFree(source_p->localClient->response); |
136 |
MyFree(source_p->localClient->auth_oper); |
137 |
source_p->localClient->response = NULL; |
138 |
source_p->localClient->auth_oper = NULL; |
139 |
return; |
140 |
} |
141 |
|
142 |
MyFree(source_p->localClient->response); |
143 |
MyFree(source_p->localClient->auth_oper); |
144 |
source_p->localClient->response = NULL; |
145 |
source_p->localClient->auth_oper = NULL; |
146 |
|
147 |
if ((conf = find_conf_exact(OPER_TYPE, |
148 |
parv[1], source_p->username, source_p->host |
149 |
)) != NULL) |
150 |
{ |
151 |
aconf = (struct AccessItem *)map_to_conf(conf); |
152 |
} |
153 |
else if ((conf = find_conf_exact(OPER_TYPE, |
154 |
parv[1], source_p->username, |
155 |
source_p->sockhost)) != NULL) |
156 |
{ |
157 |
aconf = (struct AccessItem *)map_to_conf(conf); |
158 |
} |
159 |
|
160 |
if(aconf == NULL) |
161 |
{ |
162 |
sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); |
163 |
conf = find_exact_name_conf(OPER_TYPE, parv[1], NULL, NULL); |
164 |
failed_challenge_notice(source_p, parv[1], (conf != NULL) |
165 |
? "host mismatch" : "no oper {} block"); |
166 |
log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", parv[1]); |
167 |
return; |
168 |
} |
169 |
|
170 |
if (aconf->rsa_public_key == NULL) |
171 |
{ |
172 |
sendto_one (source_p, ":%s NOTICE %s :I'm sorry, PK authentication " |
173 |
"is not enabled for your oper{} block.", me.name, |
174 |
parv[0]); |
175 |
return; |
176 |
} |
177 |
|
178 |
if (!generate_challenge(&challenge, &(source_p->localClient->response), |
179 |
aconf->rsa_public_key)) |
180 |
sendto_one(source_p, form_str(RPL_RSACHALLENGE), |
181 |
me.name, parv[0], challenge); |
182 |
|
183 |
DupString(source_p->localClient->auth_oper, conf->name); |
184 |
MyFree(challenge); |
185 |
} |
186 |
|
187 |
/* failed_challenge_notice() |
188 |
* |
189 |
* inputs - pointer to client doing /oper ... |
190 |
* - pointer to nick they tried to oper as |
191 |
* - pointer to reason they have failed |
192 |
* output - nothing |
193 |
* side effects - notices all opers of the failed oper attempt if enabled |
194 |
*/ |
195 |
static void |
196 |
failed_challenge_notice(struct Client *source_p, const char *name, |
197 |
const char *reason) |
198 |
{ |
199 |
if (ConfigFileEntry.failed_oper_notice) |
200 |
sendto_realops_flags(UMODE_ALL, L_ALL, "Failed CHALLENGE attempt as %s " |
201 |
"by %s (%s@%s) - %s", name, source_p->name, |
202 |
source_p->username, source_p->host, reason); |
203 |
} |