search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Initial import
[ratbox-ambernet.git] / modules / m_oper.c
blob078112a5a32f5ccf3d909807a8cf8bc9b9cdc9b2
1 /*
2 * ircd-ratbox: A slightly useful ircd.
3 * m_oper.c: Makes a user an IRC Operator.
4 *
5 * Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
6 * Copyright (C) 1996-2002 Hybrid Development Team
7 * Copyright (C) 2002-2005 ircd-ratbox development team
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
22 * USA
23 *
24 * $Id: m_oper.c 22407 2006-05-07 15:39:43Z androsyn $
25 */
26
27 #include "stdinc.h"
28
29 #ifdef HAVE_LIBCRYPTO
30 #include <openssl/pem.h>
31 #include <openssl/rand.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
34 #include <openssl/bn.h>
35 #include <openssl/evp.h>
36 #include <openssl/err.h>
37 #endif
38
39 #include "tools.h"
40 #include "client.h"
41 #include "common.h"
42 #include "irc_string.h"
43 #include "ircd.h"
44 #include "numeric.h"
45 #include "commio.h"
46 #include "s_conf.h"
47 #include "s_newconf.h"
48 #include "s_log.h"
49 #include "s_user.h"
50 #include "send.h"
51 #include "msg.h"
52 #include "parse.h"
53 #include "modules.h"
54 #include "packet.h"
55 #include "cache.h"
56
57 #define CHALLENGE_WIDTH BUFSIZE - (NICKLEN + HOSTLEN + 12)
58 #define CHALLENGE_EXPIRES 180 /* 180 seconds should be more than long enough */
59 #define CHALLENGE_SECRET_LENGTH 128 /* how long our challenge secret should be */
60
61 static int m_oper(struct Client *, struct Client *, int, const char **);
62 static int m_challenge(struct Client *, struct Client *, int, const char **);
63
64 struct Message oper_msgtab = {
65 "OPER", 0, 0, 0, MFLG_SLOW,
66 {mg_unreg, {m_oper, 3}, mg_ignore, mg_ignore, mg_ignore, {m_oper, 3}}
67 };
68 struct Message challenge_msgtab = {
69 "CHALLENGE", 0, 0, 0, MFLG_SLOW,
70 {mg_unreg, {m_challenge, 2}, mg_ignore, mg_ignore, mg_ignore, {m_challenge, 2}}
71 };
72
73
74 mapi_clist_av1 oper_clist[] = { &oper_msgtab, &challenge_msgtab, NULL };
75 DECLARE_MODULE_AV1(oper, NULL, NULL, oper_clist, NULL, NULL, "$Revision: 22407 $");
76
77 static int match_oper_password(const char *password, struct oper_conf *oper_p);
78 extern char *crypt();
79
80 /*
81 * m_oper
82 * parv[0] = sender prefix
83 * parv[1] = oper name
84 * parv[2] = oper password
85 */
86 static int
87 m_oper(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
88 {
89 struct oper_conf *oper_p;
90 const char *name;
91 const char *password;
92
93 name = parv[1];
94 password = parv[2];
95
96 if(IsOper(source_p))
97 {
98 sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
99 send_oper_motd(source_p);
100 return 0;
101 }
102
103 /* end the grace period */
104 if(!IsFloodDone(source_p))
105 flood_endgrace(source_p);
106
107 oper_p = find_oper_conf(source_p->username, source_p->host,
108 source_p->sockhost, name);
109
110 if(oper_p == NULL)
111 {
112 sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
113 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s)",
114 name, source_p->name,
115 source_p->username, source_p->host);
116
117 if(ConfigFileEntry.failed_oper_notice)
118 {
119 sendto_realops_flags(UMODE_ALL, L_ALL,
120 "Failed OPER attempt - host mismatch by %s (%s@%s)",
121 source_p->name, source_p->username, source_p->host);
122 }
123
124 return 0;
125 }
126
127 if(match_oper_password(password, oper_p))
128 {
129 oper_up(source_p, oper_p);
130
131 ilog(L_OPERED, "OPER %s by %s!%s@%s",
132 name, source_p->name, source_p->username, source_p->host);
133 return 0;
134 }
135 else
136 {
137 sendto_one(source_p, form_str(ERR_PASSWDMISMATCH),
138 me.name, source_p->name);
139
140 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s)",
141 name, source_p->name, source_p->username, source_p->host);
142
143 if(ConfigFileEntry.failed_oper_notice)
144 {
145 sendto_realops_flags(UMODE_ALL, L_ALL,
146 "Failed OPER attempt by %s (%s@%s)",
147 source_p->name, source_p->username, source_p->host);
148 }
149 }
150
151 return 0;
152 }
153
154 /*
155 * match_oper_password
156 *
157 * inputs - pointer to given password
158 * - pointer to Conf
159 * output - YES or NO if match
160 * side effects - none
161 */
162 static int
163 match_oper_password(const char *password, struct oper_conf *oper_p)
164 {
165 const char *encr;
166
167 /* passwd may be NULL pointer. Head it off at the pass... */
168 if(EmptyString(oper_p->passwd))
169 return NO;
170
171 if(IsOperConfEncrypted(oper_p))
172 {
173 /* use first two chars of the password they send in as salt */
174 /* If the password in the conf is MD5, and ircd is linked
175 * to scrypt on FreeBSD, or the standard crypt library on
176 * glibc Linux, then this code will work fine on generating
177 * the proper encrypted hash for comparison.
178 */
179 if(!EmptyString(password))
180 encr = crypt(password, oper_p->passwd);
181 else
182 encr = "";
183 }
184 else
185 encr = password;
186
187 if(strcmp(encr, oper_p->passwd) == 0)
188 return YES;
189 else
190 return NO;
191 }
192
193 #ifndef HAVE_LIBCRYPTO
194 static int
195 m_challenge(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
196 {
197 sendto_one(source_p, ":%s NOTICE %s :Challenge not implemented ",
198 me.name, source_p->name);
199 return 0;
200 }
201
202 #else
203
204 static int generate_challenge(char **r_challenge, char **r_response, RSA * rsa);
205
206 static void
207 cleanup_challenge(struct Client *target_p)
208 {
209 if(target_p->localClient == NULL)
210 return;
211
212 MyFree(target_p->localClient->challenge);
213 MyFree(target_p->localClient->opername);
214 target_p->localClient->challenge = NULL;
215 target_p->localClient->opername = NULL;
216 target_p->localClient->chal_time = 0;
217 }
218
219 /*
220 * m_challenge - generate RSA challenge for wouldbe oper
221 * parv[0] = sender prefix
222 * parv[1] = operator to challenge for, or +response
223 *
224 */
225
226 static int
227 m_challenge(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
228 {
229 struct oper_conf *oper_p;
230 char *challenge;
231 char chal_line[CHALLENGE_WIDTH];
232 unsigned char *b_response;
233 size_t cnt;
234 int len = 0;
235
236 if(IsOper(source_p))
237 {
238 sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
239 send_oper_motd(source_p);
240 return 0;
241 }
242
243 if(*parv[1] == '+')
244 {
245 if(source_p->localClient->challenge == NULL)
246 return 0;
247
248 if((CurrentTime - source_p->localClient->chal_time) > CHALLENGE_EXPIRES)
249 {
250 sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
251 ilog(L_FOPER, "EXPIRED CHALLENGE (%s) by (%s!%s@%s)",
252 source_p->localClient->opername, source_p->name,
253 source_p->username, source_p->host);
254
255 if(ConfigFileEntry.failed_oper_notice)
256 sendto_realops_flags(UMODE_ALL, L_ALL,
257 "Expired CHALLENGE attempt by %s (%s@%s)",
258 source_p->name, source_p->username,
259 source_p->host);
260 cleanup_challenge(source_p);
261 return 0;
262 }
263
264 b_response = ircd_base64_decode((const unsigned char *)++parv[1], strlen(parv[1]), &len);
265
266 if(len != SHA_DIGEST_LENGTH ||
267 memcmp(source_p->localClient->challenge, b_response, SHA_DIGEST_LENGTH))
268 {
269 sendto_one(source_p, form_str(ERR_PASSWDMISMATCH), me.name, source_p->name);
270 ilog(L_FOPER, "FAILED CHALLENGE (%s) by (%s!%s@%s)",
271 source_p->localClient->opername, source_p->name,
272 source_p->username, source_p->host);
273
274 if(ConfigFileEntry.failed_oper_notice)
275 sendto_realops_flags(UMODE_ALL, L_ALL,
276 "Failed CHALLENGE attempt by %s (%s@%s)",
277 source_p->name, source_p->username,
278 source_p->host);
279
280 MyFree(b_response);
281 cleanup_challenge(source_p);
282 return 0;
283 }
284
285 MyFree(b_response);
286
287 oper_p = find_oper_conf(source_p->username, source_p->host,
288 source_p->sockhost,
289 source_p->localClient->opername);
290
291 if(oper_p == NULL)
292 {
293 sendto_one(source_p, form_str(ERR_NOOPERHOST),
294 me.name, source_p->name);
295 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s)",
296 source_p->localClient->opername, source_p->name,
297 source_p->username, source_p->host);
298
299 if(ConfigFileEntry.failed_oper_notice)
300 sendto_realops_flags(UMODE_ALL, L_ALL,
301 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
302 source_p->name, source_p->username,
303 source_p->host);
304 return 0;
305 }
306
307 cleanup_challenge(source_p);
308
309 oper_up(source_p, oper_p);
310
311 ilog(L_OPERED, "OPER %s by %s!%s@%s",
312 source_p->localClient->opername, source_p->name,
313 source_p->username, source_p->host);
314 return 0;
315 }
316
317 cleanup_challenge(source_p);
318
319 oper_p = find_oper_conf(source_p->username, source_p->host,
320 source_p->sockhost, parv[1]);
321
322 if(oper_p == NULL)
323 {
324 sendto_one(source_p, form_str(ERR_NOOPERHOST), me.name, source_p->name);
325 ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s)",
326 parv[1], source_p->name,
327 source_p->username, source_p->host);
328
329 if(ConfigFileEntry.failed_oper_notice)
330 sendto_realops_flags(UMODE_ALL, L_ALL,
331 "Failed CHALLENGE attempt - host mismatch by %s (%s@%s)",
332 source_p->name, source_p->username, source_p->host);
333 return 0;
334 }
335
336 if(!oper_p->rsa_pubkey)
337 {
338 sendto_one(source_p, ":%s NOTICE %s :I'm sorry, PK authentication "
339 "is not enabled for your oper{} block.", me.name, parv[0]);
340 return 0;
341 }
342
343 if(!generate_challenge(&challenge, &(source_p->localClient->challenge), oper_p->rsa_pubkey))
344 {
345 char *chal = challenge;
346 source_p->localClient->chal_time = CurrentTime;
347 for(;;)
348 {
349 cnt = strlcpy(chal_line, chal, CHALLENGE_WIDTH);
350 sendto_one(source_p, form_str(RPL_RSACHALLENGE2), me.name, source_p->name, chal_line);
351 if(cnt > CHALLENGE_WIDTH)
352 chal += CHALLENGE_WIDTH - 1;
353 else
354 break;
355
356 }
357 sendto_one(source_p, form_str(RPL_ENDOFRSACHALLENGE2),
358 me.name, source_p->name);
359 MyFree(challenge);
360 DupString(source_p->localClient->opername, oper_p->name);
361 }
362 else
363 sendto_one_notice(source_p, ":Failed to generate challenge.");
364
365 return 0;
366 }
367
368
369 static int
370 get_randomness(unsigned char *buf, int length)
371 {
372 /* Seed OpenSSL PRNG with EGD enthropy pool -kre */
373 if(ConfigFileEntry.use_egd && (ConfigFileEntry.egdpool_path != NULL))
374 {
375 if(RAND_egd(ConfigFileEntry.egdpool_path) == -1)
376 return -1;
377 }
378
379 if(RAND_status())
380 {
381 if(RAND_bytes(buf, length) > 0)
382 return 1;
383 }
384 else
385 {
386 if(RAND_pseudo_bytes(buf, length) >= 0)
387 return 1;
388 }
389 return 0;
390 }
391
392 static int
393 generate_challenge(char **r_challenge, char **r_response, RSA * rsa)
394 {
395 SHA_CTX ctx;
396 unsigned char secret[CHALLENGE_SECRET_LENGTH], *tmp;
397 unsigned long length;
398 unsigned long e = 0;
399 unsigned long cnt = 0;
400 int ret;
401
402 if(!rsa)
403 return -1;
404 if(get_randomness(secret, CHALLENGE_SECRET_LENGTH))
405 {
406 SHA1_Init(&ctx);
407 SHA1_Update(&ctx, (uint8_t *)secret, CHALLENGE_SECRET_LENGTH);
408 *r_response = MyMalloc(SHA_DIGEST_LENGTH);
409 SHA1_Final((uint8_t *)*r_response, &ctx);
410
411 length = RSA_size(rsa);
412 tmp = MyMalloc(length);
413 ret = RSA_public_encrypt(CHALLENGE_SECRET_LENGTH, secret, tmp, rsa, RSA_PKCS1_OAEP_PADDING);
414
415 if (ret >= 0)
416 {
417 *r_challenge = (char *)ircd_base64_encode(tmp, ret);
418 MyFree(tmp);
419 return 0;
420 }
421 MyFree(tmp);
422 MyFree(*r_response);
423 *r_response = NULL;
424 }
425
426 ERR_load_crypto_strings();
427 while ((cnt < 100) && (e = ERR_get_error()))
428 {
429 ilog(L_MAIN, "SSL error: %s", ERR_error_string(e, 0));
430 cnt++;
431 }
432
433 return (-1);
434 }
435
436 #endif /* HAVE_LIBCRYPTO */
ratbox ircd with ambernet patches