src/modules/m_spanningtree/hmac.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "socket.h"
  23 #include "xline.h"
  24 #include "../hash.h"
  25 #include "../ssl.h"
  26 #include "socketengine.h"
  27
  28 #include "main.h"
  29 #include "utils.h"
  30 #include "treeserver.h"
  31 #include "link.h"
  32 #include "treesocket.h"
  33 #include "resolvers.h"
  34
  35 const std::string& TreeSocket::GetOurChallenge()
  36 {
  37         return capab->ourchallenge;
  38 }
  39
  40 void TreeSocket::SetOurChallenge(const std::string &c)
  41 {
  42         capab->ourchallenge = c;
  43 }
  44
  45 const std::string& TreeSocket::GetTheirChallenge()
  46 {
  47         return capab->theirchallenge;
  48 }
  49
  50 void TreeSocket::SetTheirChallenge(const std::string &c)
  51 {
  52         capab->theirchallenge = c;
  53 }
  54
  55 std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
  56 {
  57         /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for
  58          * suggesting the use of HMAC to secure the password against various attacks.
  59          *
  60          * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no
  61          *       HMAC challenge/response.
  62          */
  63         HashProvider* sha256 = ServerInstance->Modules->FindDataService<HashProvider>("hash/sha256");
  64         if (Utils->ChallengeResponse && sha256 && !challenge.empty())
  65                 return "AUTH:" + BinToBase64(sha256->hmac(password, challenge));
  66
  67         if (!challenge.empty() && !sha256)
  68                 ServerInstance->Logs->Log("m_spanningtree",DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
  69
  70         return password;
  71 }
  72
  73 bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
  74 {
  75         capab->auth_fingerprint = !link.Fingerprint.empty();
  76         capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
  77
  78         std::string fp;
  79         if (GetIOHook())
  80         {
  81                 SocketCertificateRequest req(this, Utils->Creator);
  82                 if (req.cert)
  83                 {
  84                         fp = req.cert->GetFingerprint();
  85                 }
  86         }
  87
  88         if (capab->auth_challenge)
  89         {
  90                 std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
  91
  92                 /* Straight string compare of hashes */
  93                 if (our_hmac != theirs)
  94                         return false;
  95         }
  96         else
  97         {
  98                 /* Straight string compare of plaintext */
  99                 if (link.RecvPass != theirs)
 100                         return false;
 101         }
 102
 103         if (capab->auth_fingerprint)
 104         {
 105                 /* Require fingerprint to exist and match */
 106                 if (link.Fingerprint != fp)
 107                 {
 108                         ServerInstance->SNO->WriteToSnoMask('l',"Invalid SSL fingerprint on link %s: need \"%s\" got \"%s\"",
 109                                 link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str());
 110                         SendError("Provided invalid SSL fingerprint " + fp + " - expected " + link.Fingerprint);
 111                         return false;
 112                 }
 113         }
 114         else if (!fp.empty())
 115         {
 116                 ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
 117                         "You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
 118         }
 119         return true;
 120 }