src/modules/m_spanningtree/hmac.cpp

   1 /*       +------------------------------------+
   2  *       | Inspire Internet Relay Chat Daemon |
   3  *       +------------------------------------+
   4  *
   5  *  InspIRCd: (C) 2002-2010 InspIRCd Development Team
   6  * See: http://wiki.inspircd.org/Credits
   7  *
   8  * This program is free but copyrighted software; see
   9  *            the file COPYING for details.
  10  *
  11  * ---------------------------------------------------
  12  */
  13
  14 #include "inspircd.h"
  15 #include "socket.h"
  16 #include "xline.h"
  17 #include "../hash.h"
  18 #include "../ssl.h"
  19 #include "socketengine.h"
  20
  21 #include "main.h"
  22 #include "utils.h"
  23 #include "treeserver.h"
  24 #include "link.h"
  25 #include "treesocket.h"
  26 #include "resolvers.h"
  27
  28 const std::string& TreeSocket::GetOurChallenge()
  29 {
  30         return capab->ourchallenge;
  31 }
  32
  33 void TreeSocket::SetOurChallenge(const std::string &c)
  34 {
  35         capab->ourchallenge = c;
  36 }
  37
  38 const std::string& TreeSocket::GetTheirChallenge()
  39 {
  40         return capab->theirchallenge;
  41 }
  42
  43 void TreeSocket::SetTheirChallenge(const std::string &c)
  44 {
  45         capab->theirchallenge = c;
  46 }
  47
  48 std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
  49 {
  50         /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for
  51          * suggesting the use of HMAC to secure the password against various attacks.
  52          *
  53          * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no
  54          *       HMAC challenge/response.
  55          */
  56         HashProvider* sha256 = ServerInstance->Modules->FindDataService<HashProvider>("hash/sha256");
  57         if (Utils->ChallengeResponse && sha256 && !challenge.empty())
  58         {
  59                 if (proto_version < 1202)
  60                 {
  61                         /* This is how HMAC is done in InspIRCd 1.2:
  62                          *
  63                          * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) )
  64                          *
  65                          * 5c and 36 were chosen as part of the HMAC standard, because they
  66                          * flip the bits in a way likely to strengthen the function.
  67                          */
  68                         std::string hmac1, hmac2;
  69
  70                         for (size_t n = 0; n < password.length(); n++)
  71                         {
  72                                 hmac1.push_back(static_cast<char>(password[n] ^ 0x5C));
  73                                 hmac2.push_back(static_cast<char>(password[n] ^ 0x36));
  74                         }
  75
  76                         hmac2.append(challenge);
  77                         hmac2 = sha256->hexsum(hmac2);
  78
  79                         std::string hmac = hmac1 + hmac2;
  80                         hmac = sha256->hexsum(hmac);
  81
  82                         return "HMAC-SHA256:"+ hmac;
  83                 }
  84                 else
  85                 {
  86                         return "AUTH:" + BinToBase64(sha256->hmac(password, challenge));
  87                 }
  88         }
  89         else if (!challenge.empty() && !sha256)
  90                 ServerInstance->Logs->Log("m_spanningtree",DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
  91
  92         return password;
  93 }
  94
  95 bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
  96 {
  97         capab->auth_fingerprint = !link.Fingerprint.empty();
  98         capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
  99
 100         std::string fp;
 101         if (GetIOHook())
 102         {
 103                 SocketCertificateRequest req(this, Utils->Creator);
 104                 if (req.cert)
 105                 {
 106                         fp = req.cert->GetFingerprint();
 107                 }
 108         }
 109
 110         if (capab->auth_challenge)
 111         {
 112                 std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
 113
 114                 /* Straight string compare of hashes */
 115                 if (our_hmac != theirs)
 116                         return false;
 117         }
 118         else
 119         {
 120                 /* Straight string compare of plaintext */
 121                 if (link.RecvPass != theirs)
 122                         return false;
 123         }
 124
 125         if (capab->auth_fingerprint)
 126         {
 127                 /* Require fingerprint to exist and match */
 128                 if (link.Fingerprint != fp)
 129                 {
 130                         ServerInstance->SNO->WriteToSnoMask('l',"Invalid SSL fingerprint on link %s: need \"%s\" got \"%s\"",
 131                                 link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str());
 132                         SendError("Provided invalid SSL fingerprint " + fp + " - expected " + link.Fingerprint);
 133                         return false;
 134                 }
 135         }
 136         else if (!fp.empty())
 137         {
 138                 ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
 139                         "You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
 140         }
 141         return true;
 142 }