trunk/modules/m_challenge.c

/*
 *  ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
 *  m_challenge.c: Allows an IRC Operator to securely authenticate.
 *
 *  Copyright (C) 2002 by the past and present ircd coders, and others.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
 *  USA
 *
 *  $Id$
 */

#include "stdinc.h"
#include "client.h"
#include "ircd.h"
#include "modules.h"
#include "numeric.h"
#include "send.h"
#include "conf.h"
#include "rsa.h"
#include "parse.h"
#include "irc_string.h"
#include "log.h"
#include "s_user.h"
#include "memory.h"


#ifdef HAVE_LIBCRYPTO
/* failed_challenge_notice()
 *
 * inputs       - pointer to client doing /oper ...
 *              - pointer to nick they tried to oper as
 *              - pointer to reason they have failed
 * output       - nothing
 * side effects - notices all opers of the failed oper attempt if enabled
 */
static void
failed_challenge_notice(struct Client *source_p, const char *name,
                        const char *reason)
{
  if (ConfigFileEntry.failed_oper_notice)
    sendto_realops_flags(UMODE_ALL, L_ALL, SEND_NOTICE,
                         "Failed CHALLENGE attempt as %s "
                         "by %s (%s@%s) - %s", name, source_p->name,
                         source_p->username, source_p->host, reason);

  ilog(LOG_TYPE_OPER, "Failed CHALLENGE attempt as %s "
       "by %s (%s@%s) - %s", name, source_p->name,
       source_p->username, source_p->host, reason);
}

/*
 * m_challenge - generate RSA challenge for wouldbe oper
 * parv[0] = sender prefix
 * parv[1] = operator to challenge for, or +response
 *
 */
static void
m_challenge(struct Client *client_p, struct Client *source_p,
            int parc, char *parv[])
{
  char *challenge = NULL;
  struct MaskItem *conf = NULL;

  if (*parv[1] == '+')
  {
    /* Ignore it if we aren't expecting this... -A1kmm */
    if (source_p->localClient->response == NULL)
      return;

    if (irccmp(source_p->localClient->response, ++parv[1]))
    {
      sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name,
                 source_p->name);
      failed_challenge_notice(source_p, source_p->localClient->auth_oper,
                              "challenge failed");
      return;
    }
    
    conf = find_exact_name_conf(CONF_OPER, source_p,
                                source_p->localClient->auth_oper, NULL, NULL);
    if (conf == NULL)
    {
      /* XXX: logging */
      sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
      return;
    }

    if (attach_conf(source_p, conf) != 0)
    {
      sendto_one(source_p,":%s NOTICE %s :Can't attach conf!",
                 me.name, source_p->name);   
      failed_challenge_notice(source_p, conf->name, "can't attach conf!");
      return;
    }

    ++conf->count;
    oper_up(source_p);

    ilog(LOG_TYPE_OPER, "OPER %s by %s!%s@%s",
         source_p->localClient->auth_oper, source_p->name, source_p->username,
         source_p->host);

    MyFree(source_p->localClient->response);
    MyFree(source_p->localClient->auth_oper);
    source_p->localClient->response  = NULL;
    source_p->localClient->auth_oper = NULL;
    return;
  }

  MyFree(source_p->localClient->response);
  MyFree(source_p->localClient->auth_oper);
  source_p->localClient->response  = NULL;
  source_p->localClient->auth_oper = NULL;

  conf = find_exact_name_conf(CONF_OPER, source_p, parv[1], NULL, NULL);

  if (!conf)
  {
    sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
    conf = find_exact_name_conf(CONF_OPER, NULL, parv[1], NULL, NULL);
    failed_challenge_notice(source_p, parv[1], (conf != NULL)
                            ? "host mismatch" : "no oper {} block");
    return;
  }

  if (conf->rsa_public_key == NULL)
  {
    sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
               "is not enabled for your oper{} block.", me.name,
               source_p->name);
    return;
  }

  if (IsConfSSL(conf) && !HasUMode(source_p, UMODE_SSL))
  {
    sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
    failed_challenge_notice(source_p, conf->name, "requires SSL/TLS");
    return;
  }

  if (!EmptyString(conf->certfp))
  {
    if (EmptyString(source_p->certfp) || strcasecmp(source_p->certfp, conf->certfp))
    {
      sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
      failed_challenge_notice(source_p, conf->name, "client certificate fingerprint mismatch");
      return;
    }
  }

  if (!generate_challenge(&challenge, &(source_p->localClient->response),
                          conf->rsa_public_key))
    sendto_one(source_p, form_str(RPL_RSACHALLENGE),
               me.name, source_p->name, challenge);

  source_p->localClient->auth_oper = xstrdup(conf->name);
  MyFree(challenge);
}

static void
mo_challenge(struct Client *client_p, struct Client *source_p,
             int parc, char *parv[])
{
  sendto_one(source_p, form_str(RPL_YOUREOPER),
             me.name, source_p->name);
}

static struct Message challenge_msgtab = {
  "CHALLENGE", 0, 0, 2, MAXPARA, MFLG_SLOW, 0,
  { m_unregistered, m_challenge, m_ignore, m_ignore, mo_challenge, m_ignore }
};

static void
module_init(void)
{
  mod_add_cmd(&challenge_msgtab);
}

static void
module_exit(void)
{
  mod_del_cmd(&challenge_msgtab);
}

#else

static void
module_init(void)
{
}

static void
module_exit(void)
{
}
#endif

struct module module_entry = {
  .node    = { NULL, NULL, NULL },
  .name    = NULL,
  .version = "$Revision$",
  .handle  = NULL,
  .modinit = module_init,
  .modexit = module_exit,
  .flags   = 0
};
Revision:	2248
Committed:	Sun Jun 16 11:28:30 2013 UTC (12 years, 2 months ago) by michael
Content type:	text/x-csrc
File size:	6281 byte(s)
Log Message:	- Add operator::ssl_connection_required configuration option
#	User	Rev	Content
1	adx	30	/*
2			* ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3			* m_challenge.c: Allows an IRC Operator to securely authenticate.
4			*
5			* Copyright (C) 2002 by the past and present ircd coders, and others.
6			*
7			* This program is free software; you can redistribute it and/or modify
8			* it under the terms of the GNU General Public License as published by
9			* the Free Software Foundation; either version 2 of the License, or
10			* (at your option) any later version.
11			*
12			* This program is distributed in the hope that it will be useful,
13			* but WITHOUT ANY WARRANTY; without even the implied warranty of
14			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15			* GNU General Public License for more details.
16			*
17			* You should have received a copy of the GNU General Public License
18			* along with this program; if not, write to the Free Software
19			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20			* USA
21			*
22	knight	31	* $Id$
23	adx	30	*/
24
25			#include "stdinc.h"
26			#include "client.h"
27			#include "ircd.h"
28			#include "modules.h"
29			#include "numeric.h"
30			#include "send.h"
31	michael	1309	#include "conf.h"
32	adx	30	#include "rsa.h"
33			#include "parse.h"
34			#include "irc_string.h"
35	michael	1309	#include "log.h"
36	adx	30	#include "s_user.h"
37	michael	1666	#include "memory.h"
38	adx	30
39
40	michael	1415	#ifdef HAVE_LIBCRYPTO
41	michael	1230	/* failed_challenge_notice()
42			*
43			* inputs - pointer to client doing /oper ...
44			* - pointer to nick they tried to oper as
45			* - pointer to reason they have failed
46			* output - nothing
47			* side effects - notices all opers of the failed oper attempt if enabled
48			*/
49			static void
50			failed_challenge_notice(struct Client source_p, const char name,
51			const char *reason)
52	adx	30	{
53	michael	1230	if (ConfigFileEntry.failed_oper_notice)
54	michael	1618	sendto_realops_flags(UMODE_ALL, L_ALL, SEND_NOTICE,
55			"Failed CHALLENGE attempt as %s "
56	michael	1230	"by %s (%s@%s) - %s", name, source_p->name,
57			source_p->username, source_p->host, reason);
58	michael	1247
59			ilog(LOG_TYPE_OPER, "Failed CHALLENGE attempt as %s "
60			"by %s (%s@%s) - %s", name, source_p->name,
61			source_p->username, source_p->host, reason);
62	adx	30	}
63
64			/*
65			* m_challenge - generate RSA challenge for wouldbe oper
66			* parv[0] = sender prefix
67			* parv[1] = operator to challenge for, or +response
68			*
69			*/
70			static void
71			m_challenge(struct Client client_p, struct Client source_p,
72			int parc, char *parv[])
73			{
74	michael	817	char *challenge = NULL;
75	michael	1632	struct MaskItem *conf = NULL;
76	adx	30
77			if (*parv[1] == '+')
78			{
79			/* Ignore it if we aren't expecting this... -A1kmm */
80	michael	817	if (source_p->localClient->response == NULL)
81	adx	30	return;
82
83			if (irccmp(source_p->localClient->response, ++parv[1]))
84			{
85	michael	1834	sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name,
86	michael	1121	source_p->name);
87	adx	30	failed_challenge_notice(source_p, source_p->localClient->auth_oper,
88	michael	1121	"challenge failed");
89	adx	30	return;
90			}
91	michael	817
92	michael	1632	conf = find_exact_name_conf(CONF_OPER, source_p,
93	michael	1285	source_p->localClient->auth_oper, NULL, NULL);
94	michael	817	if (conf == NULL)
95	adx	30	{
96	michael	1247	/* XXX: logging */
97	michael	2224	sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
98	adx	30	return;
99			}
100
101			if (attach_conf(source_p, conf) != 0)
102			{
103			sendto_one(source_p,":%s NOTICE %s :Can't attach conf!",
104	michael	2224	me.name, source_p->name);
105	adx	30	failed_challenge_notice(source_p, conf->name, "can't attach conf!");
106			return;
107			}
108
109	michael	1925	++conf->count;
110	adx	30	oper_up(source_p);
111
112	michael	1247	ilog(LOG_TYPE_OPER, "OPER %s by %s!%s@%s",
113	michael	2224	source_p->localClient->auth_oper, source_p->name, source_p->username,
114			source_p->host);
115	adx	30
116			MyFree(source_p->localClient->response);
117			MyFree(source_p->localClient->auth_oper);
118			source_p->localClient->response = NULL;
119			source_p->localClient->auth_oper = NULL;
120			return;
121			}
122
123			MyFree(source_p->localClient->response);
124			MyFree(source_p->localClient->auth_oper);
125			source_p->localClient->response = NULL;
126			source_p->localClient->auth_oper = NULL;
127
128	michael	1636	conf = find_exact_name_conf(CONF_OPER, source_p, parv[1], NULL, NULL);
129	adx	30
130	michael	1632	if (!conf)
131	adx	30	{
132	michael	2224	sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
133	michael	1632	conf = find_exact_name_conf(CONF_OPER, NULL, parv[1], NULL, NULL);
134	adx	30	failed_challenge_notice(source_p, parv[1], (conf != NULL)
135			? "host mismatch" : "no oper {} block");
136			return;
137			}
138
139	michael	1632	if (conf->rsa_public_key == NULL)
140	adx	30	{
141	michael	2224	sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
142			"is not enabled for your oper{} block.", me.name,
143			source_p->name);
144	adx	30	return;
145			}
146
147	michael	2248	if (IsConfSSL(conf) && !HasUMode(source_p, UMODE_SSL))
148			{
149			sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
150			failed_challenge_notice(source_p, conf->name, "requires SSL/TLS");
151			return;
152			}
153
154	michael	2232	if (!EmptyString(conf->certfp))
155			{
156			if (EmptyString(source_p->certfp) \|\| strcasecmp(source_p->certfp, conf->certfp))
157			{
158			sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
159			failed_challenge_notice(source_p, conf->name, "client certificate fingerprint mismatch");
160			return;
161			}
162			}
163
164	adx	30	if (!generate_challenge(&challenge, &(source_p->localClient->response),
165	michael	1632	conf->rsa_public_key))
166	michael	1834	sendto_one(source_p, form_str(RPL_RSACHALLENGE),
167	michael	1230	me.name, source_p->name, challenge);
168	adx	30
169	michael	1646	source_p->localClient->auth_oper = xstrdup(conf->name);
170	adx	30	MyFree(challenge);
171			}
172
173	michael	1467	static void
174			mo_challenge(struct Client client_p, struct Client source_p,
175			int parc, char *parv[])
176			{
177	michael	1834	sendto_one(source_p, form_str(RPL_YOUREOPER),
178	michael	1467	me.name, source_p->name);
179			}
180
181	michael	1230	static struct Message challenge_msgtab = {
182			"CHALLENGE", 0, 0, 2, MAXPARA, MFLG_SLOW, 0,
183	michael	1467	{ m_unregistered, m_challenge, m_ignore, m_ignore, mo_challenge, m_ignore }
184	michael	1230	};
185
186	adx	30	static void
187	michael	1230	module_init(void)
188	adx	30	{
189	michael	1230	mod_add_cmd(&challenge_msgtab);
190	adx	30	}
191	michael	1230
192			static void
193			module_exit(void)
194			{
195			mod_del_cmd(&challenge_msgtab);
196			}
197
198	michael	1415	#else
199
200			static void
201			module_init(void)
202			{
203			}
204
205			static void
206			module_exit(void)
207			{
208			}
209			#endif
210
211	michael	1230	struct module module_entry = {
212			.node = { NULL, NULL, NULL },
213			.name = NULL,
214			.version = "$Revision$",
215			.handle = NULL,
216			.modinit = module_init,
217			.modexit = module_exit,
218			.flags = 0
219			};