root/svn/ircd-hybrid/trunk/modules/m_challenge.c
Revision: 1156
Committed: Tue Aug 9 20:29:20 2011 UTC (14 years ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-8/modules/m_challenge.c
File size: 6340 byte(s)
Log Message:
- create ircd-hybrid-8 "branch"

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * m_challenge.c: Allows an IRC Operator to securely authenticate.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     #include "stdinc.h"
26 michael 912 #ifdef HAVE_LIBCRYPTO
27    
28 adx 30 #include "handlers.h"
29     #include "client.h"
30     #include "ircd.h"
31     #include "modules.h"
32     #include "numeric.h"
33     #include "send.h"
34     #include "s_conf.h"
35     /* -lcrypto is implicit for building this module! */
36     #include "rsa.h"
37     #include "msg.h"
38     #include "parse.h"
39     #include "irc_string.h"
40     #include "s_log.h"
41     #include "s_user.h"
42    
/* Forward declarations for the file-local handlers defined further down. */
static void m_challenge(struct Client *client_p, struct Client *source_p,
                        int parc, char *parv[]);
static void failed_challenge_notice(struct Client *source_p, const char *name,
                                    const char *reason);
46 adx 30
/*
 * Command table entry for /CHALLENGE.  This file is only compiled when
 * HAVE_LIBCRYPTO is defined, so the command exists only with OpenSSL support.
 *
 * m_challenge is installed in the second and fifth handler slots; every
 * other slot rejects (m_unregistered) or drops (m_ignore) the command.
 * NOTE(review): the slots presumably map to client classes (unregistered,
 * local client, server, ..., oper) -- confirm against struct Message.
 */
struct Message challenge_msgtab = {
  "CHALLENGE", 0, 0, 2, 0, MFLG_SLOW, 0,
  {
    m_unregistered,
    m_challenge,
    m_ignore,
    m_ignore,
    m_challenge,
    m_ignore
  }
};
52    
/* Module load hook: registers the CHALLENGE command table entry. */
void _modinit(void)
{
  mod_add_cmd(&challenge_msgtab);
}
58    
/* Module unload hook: removes the CHALLENGE command table entry again. */
void _moddeinit(void)
{
  mod_del_cmd(&challenge_msgtab);
}
64    
/* Module version string; "$Revision$" is an svn:keywords placeholder. */
const char *_version = "$Revision$";
66 adx 30
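/*
 * m_challenge - RSA challenge/response authentication for a would-be oper
 *      parv[0] = sender prefix
 *      parv[1] = operator name to request a challenge for, or "+response"
 *
 * Request form ("CHALLENGE <opername>"): any pending challenge is dropped,
 * the oper block matching name/username/host (or sockhost) is looked up, and
 * a fresh challenge built from its RSA public key is sent.  The expected
 * response and the oper name are stored on the local client.
 *
 * Response form ("CHALLENGE +<response>"): the text after '+' is compared
 * with the stored response.  On a match the oper block is looked up again
 * and attached, and the client is opered up.
 *
 * Security notes:
 *  - A pending challenge is single use: it is discarded after one wrong
 *    response, so a client cannot keep guessing against the same secret.
 *  - The pending state is only recorded when challenge generation succeeded,
 *    so no secret is left behind for a challenge that was never delivered.
 *  - NOTE(review): parv[1] is read without checking parc in this function;
 *    presumably the parser enforces the minimum parameter count given in
 *    challenge_msgtab -- confirm.
 *  - NOTE(review): irccmp() is presumably neither constant-time nor
 *    case-sensitive -- confirm, and consider a dedicated constant-time
 *    comparison for the response.
 *  - NOTE(review): the stored response is released with MyFree() without
 *    being wiped first -- confirm whether that matters for this deployment.
 */
static void
m_challenge(struct Client *client_p, struct Client *source_p,
            int parc, char *parv[])
{
  char *challenge = NULL;
  struct ConfItem *conf = NULL;
  struct AccessItem *aconf = NULL;

  /* Already an operator: repeat the oper MOTD and do nothing else. */
  if (IsOper(source_p))
  {
    sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]);
    send_message_file(source_p, &ConfigFileEntry.opermotd);
    return;
  }

  if (*parv[1] == '+')
  {
    /* Ignore it if we aren't expecting this... -A1kmm */
    if (source_p->localClient->response == NULL)
      return;

    if (irccmp(source_p->localClient->response, ++parv[1]))
    {
      sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name,
                 source_p->name);
      failed_challenge_notice(source_p, source_p->localClient->auth_oper,
                              "challenge failed");

      /*
       * Invalidate the pending challenge only after the notice above has
       * used auth_oper.  A new attempt needs a new CHALLENGE request and
       * therefore a new secret.
       */
      MyFree(source_p->localClient->response);
      MyFree(source_p->localClient->auth_oper);
      source_p->localClient->response = NULL;
      source_p->localClient->auth_oper = NULL;
      return;
    }

    /*
     * The response matched.  Look the oper block up again, so the client
     * must still match it by username and host (or socket host) now.
     */
    conf = find_exact_name_conf(OPER_TYPE,
                                source_p->localClient->auth_oper,
                                source_p->username, source_p->host);
    if (conf == NULL)
      conf = find_exact_name_conf(OPER_TYPE,
                                  source_p->localClient->auth_oper,
                                  source_p->username, source_p->sockhost);
    if (conf == NULL)
    {
      sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
      log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n",
                      source_p->localClient->auth_oper);
      return;
    }

    if (attach_conf(source_p, conf) != 0)
    {
      sendto_one(source_p,":%s NOTICE %s :Can't attach conf!",
                 me.name, source_p->name);
      failed_challenge_notice(source_p, conf->name, "can't attach conf!");
      log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n",
                      source_p->localClient->auth_oper);
      return;
    }

    oper_up(source_p);

    ilog(L_TRACE, "OPER %s by %s!%s@%s",
         source_p->localClient->auth_oper, source_p->name, source_p->username,
         source_p->host);
    log_oper_action(LOG_OPER_TYPE, source_p,
                    "%s\n", source_p->localClient->auth_oper);

    /* The challenge has been consumed; drop the stored state. */
    MyFree(source_p->localClient->response);
    MyFree(source_p->localClient->auth_oper);
    source_p->localClient->response = NULL;
    source_p->localClient->auth_oper = NULL;
    return;
  }

  /* A new request replaces whatever challenge was pending before. */
  MyFree(source_p->localClient->response);
  MyFree(source_p->localClient->auth_oper);
  source_p->localClient->response = NULL;
  source_p->localClient->auth_oper = NULL;

  if ((conf = find_conf_exact(OPER_TYPE,
                              parv[1], source_p->username, source_p->host
                              )) != NULL)
    aconf = map_to_conf(conf);
  else if ((conf = find_conf_exact(OPER_TYPE,
                                   parv[1], source_p->username,
                                   source_p->sockhost)) != NULL)
    aconf = map_to_conf(conf);

  if (aconf == NULL)
  {
    sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]);
    /* Second lookup by name only, to tell the two failure reasons apart. */
    conf = find_exact_name_conf(OPER_TYPE, parv[1], NULL, NULL);
    failed_challenge_notice(source_p, parv[1], (conf != NULL)
                            ? "host mismatch" : "no oper {} block");
    log_oper_action(LOG_FAILED_OPER_TYPE, source_p, "%s\n", parv[1]);
    return;
  }

  if (aconf->rsa_public_key == NULL)
  {
    sendto_one (source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
                "is not enabled for your oper{} block.", me.name,
                parv[0]);
    return;
  }

  /* generate_challenge() returning 0 is treated as success. */
  if (generate_challenge(&challenge, &(source_p->localClient->response),
                         aconf->rsa_public_key) == 0)
  {
    sendto_one(source_p, form_str(RPL_RSACHALLENGE),
               me.name, parv[0], challenge);
    DupString(source_p->localClient->auth_oper, conf->name);
  }
  else
  {
    /*
     * No challenge was sent, so keep no pending state: discard anything
     * generate_challenge() may have stored before it failed.
     */
    MyFree(source_p->localClient->response);
    source_p->localClient->response = NULL;
  }

  MyFree(challenge);
}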
184    
/* failed_challenge_notice()
 *
 * inputs       - pointer to the client that attempted /challenge
 *              - oper name they tried to authenticate as
 *              - short reason string describing the failure
 * output       - nothing
 * side effects - when ConfigFileEntry.failed_oper_notice is set, sends a
 *                notice about the failed attempt via sendto_realops_flags()
 *
 * name can be client-supplied (m_challenge passes parv[1] on one path); it
 * is only ever passed as a %s argument, never used as the format string.
 */
static void
failed_challenge_notice(struct Client *source_p, const char *name,
                        const char *reason)
{
  /* Notices are optional; nothing to do when they are switched off. */
  if (!ConfigFileEntry.failed_oper_notice)
    return;

  sendto_realops_flags(UMODE_ALL, L_ALL, "Failed CHALLENGE attempt as %s "
                       "by %s (%s@%s) - %s", name, source_p->name,
                       source_p->username, source_p->host, reason);
}
202 michael 912 #endif

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision