/* * NeoIRCd: NeoStats Group. Based on Hybird7 * m_challenge.c: Allows an IRC Operator to securely authenticate. * * Copyright (C) 2002 by the past and present ircd coders, and others. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA * * $Id: m_challenge.c,v 1.7 2003/01/29 09:28:48 fishwaldo Exp $ */ #include "stdinc.h" #include "handlers.h" #include "client.h" #include "ircd.h" #include "modules.h" #include "numeric.h" #include "send.h" #include "s_conf.h" #ifdef HAVE_LIBCRYPTO #include "rsa.h" #endif #include "msg.h" #include "parse.h" #include "irc_string.h" #include "s_log.h" int oper_up( struct Client *source_p, struct ConfItem *aconf ); #ifndef HAVE_LIBCRYPTO /* Maybe this should be an error or something?-davidt */ #ifndef STATIC_MODULES void _modinit(void) { return; } void _moddeinit(void) { return; } const char *_version = "$Revision: 1.7 $"; #endif #else static void failed_challenge_notice(struct Client *, char *, char *); static void m_challenge(struct Client*, struct Client*, int, char**); void binary_to_hex( unsigned char * bin, char * hex, int length ); /* We have openssl support, so include /CHALLENGE */ struct Message challenge_msgtab = { "CHALLENGE", 0, 0, 2, 0, MFLG_SLOW, 0, {m_unregistered, m_challenge, m_ignore, m_challenge} }; #ifndef STATIC_MODULES void _modinit(void) { mod_add_cmd(&challenge_msgtab); } void _moddeinit(void) { mod_del_cmd(&challenge_msgtab); } const char *_version = "$Revision: 1.7 $"; #endif /* * m_challenge - generate RSA challenge for wouldbe oper * parv[0] = sender prefix * parv[1] = operator to challenge for, or +response * */ static void m_challenge( struct Client *client_p, struct Client *source_p, int parc, char *parv[] ) { char * challenge; dlink_node *ptr; struct ConfItem *aconf, *oconf; if(!(source_p->user) || !source_p->localClient) return; /* if theyre an oper, reprint oper motd and ignore */ if(IsOper(source_p)) { sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, parv[0]); SendMessageFile(source_p, &ConfigFileEntry.opermotd); return; } if (*parv[1] == '+') { /* Ignore it if we aren't expecting this... -A1kmm */ if (!source_p->user->response) return; if (irccmp(source_p->user->response, ++parv[1])) { sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name); failed_challenge_notice(source_p, source_p->user->auth_oper, "challenge failed"); return; } if (!(aconf = find_conf_by_name(source_p->user->auth_oper, CONF_OPERATOR))) { sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); log_failed_oper(source_p, source_p->user->auth_oper); return; } ptr = source_p->localClient->confs.head; oconf = ptr->data; detach_conf(source_p,oconf); if(attach_conf(source_p, aconf) != 0) { sendto_one(source_p,":%s NOTICE %s :Can't attach conf!", me.name,source_p->name); sendto_realops_flags(FLAGS_ALL|FLAGS_REMOTE, L_ALL, "Failed OPER attempt by %s (%s@%s) can't attach conf!", source_p->name, source_p->username, source_p->host); attach_conf(source_p, oconf); log_failed_oper(source_p, source_p->user->auth_oper); return; } oper_up(source_p, aconf); ilog(L_TRACE, "OPER %s by %s!%s@%s", source_p->user->auth_oper, source_p->name, source_p->username, source_p->host); log_oper(source_p, source_p->user->auth_oper); MyFree(source_p->user->response); MyFree(source_p->user->auth_oper); source_p->user->response = NULL; source_p->user->auth_oper = NULL; return; } MyFree(source_p->user->response); MyFree(source_p->user->auth_oper); source_p->user->response = NULL; source_p->user->auth_oper = NULL; if (!(aconf = find_conf_exact(parv[1], source_p->username, source_p->host, CONF_OPERATOR)) && !(aconf = find_conf_exact(parv[1], source_p->username, source_p->localClient->sockhost, CONF_OPERATOR))) { sendto_one (source_p, form_str(ERR_NOOPERHOST), me.name, parv[0]); /* they suck, do we tell the world? */ if (ConfigFileEntry.failed_oper_notice) { sendto_realops_flags(FLAGS_ALL, L_ALL, "Failed CHALLENGE attempt - host" " mismatch by %s (%s@%s)", source_p->name, source_p->username, source_p->host); } log_failed_oper(source_p, parv[1]); return; } if (!aconf->rsa_public_key) { sendto_one (source_p, ":%s NOTICE %s :I'm sorry, PK authentication " "is not enabled for your oper{} block.", me.name, parv[0]); return; } if ( !generate_challenge (&challenge, &(source_p->user->response), aconf->rsa_public_key) ) { sendto_one (source_p, form_str(RPL_RSACHALLENGE), me.name, parv[0], challenge); } DupString(source_p->user->auth_oper, aconf->name); MyFree(challenge); return; } /* * failed_challenge_notice * * inputs - pointer to client doing /oper ... * - pointer to nick they tried to oper as * - pointer to reason they have failed * output - nothing * side effects - notices all opers of the failed oper attempt if enabled */ static void failed_challenge_notice(struct Client *source_p, char *name, char *reason) { if (ConfigFileEntry.failed_oper_notice) sendto_realops_flags(FLAGS_ALL | FLAGS_REMOTE, L_ALL, "Failed CHALLENGE attempt as %s " "by %s (%s@%s) - %s", name, source_p->name, source_p->username, source_p->host, reason); } #endif /* HAVE_LIBCRYPTO */