]> git.netwichtig.de Git - user/henk/code/inspircd.git/blob - src/modules/m_spanningtree/hmac.cpp
projects / user / henk / code / inspircd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix spacing in calls to LogManager::Log.
[user/henk/code/inspircd.git] / src / modules / m_spanningtree / hmac.cpp
1 /*
2  * InspIRCd -- Internet Relay Chat Daemon
3  *
4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
5  *   Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
6  *
7  * This file is part of InspIRCd.  InspIRCd is free software: you can
8  * redistribute it and/or modify it under the terms of the GNU General Public
9  * License as published by the Free Software Foundation, version 2.
10  *
11  * This program is distributed in the hope that it will be useful, but WITHOUT
12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
14  * details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  */
19
20
21 #include "inspircd.h"
22 #include "modules/hash.h"
23 #include "modules/ssl.h"
24
25 #include "main.h"
26 #include "link.h"
27 #include "treesocket.h"
28
29 const std::string& TreeSocket::GetOurChallenge()
30 {
31         return capab->ourchallenge;
32 }
33
34 void TreeSocket::SetOurChallenge(const std::string &c)
35 {
36         capab->ourchallenge = c;
37 }
38
39 const std::string& TreeSocket::GetTheirChallenge()
40 {
41         return capab->theirchallenge;
42 }
43
44 void TreeSocket::SetTheirChallenge(const std::string &c)
45 {
46         capab->theirchallenge = c;
47 }
48
49 std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
50 {
51         /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for
52          * suggesting the use of HMAC to secure the password against various attacks.
53          *
54          * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no
55          *       HMAC challenge/response.
56          */
57         HashProvider* sha256 = ServerInstance->Modules->FindDataService<HashProvider>("hash/sha256");
58         if (Utils->ChallengeResponse && sha256 && !challenge.empty())
59                 return "AUTH:" + BinToBase64(sha256->hmac(password, challenge));
60
61         if (!challenge.empty() && !sha256)
62                 ServerInstance->Logs->Log("m_spanningtree", LOG_DEFAULT, "Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
63
64         return password;
65 }
66
67 bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
68 {
69         capab->auth_fingerprint = !link.Fingerprint.empty();
70         capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
71
72         std::string fp;
73         if (GetIOHook())
74         {
75                 SocketCertificateRequest req(this, Utils->Creator);
76                 if (req.cert)
77                 {
78                         fp = req.cert->GetFingerprint();
79                 }
80         }
81
82         if (capab->auth_challenge)
83         {
84                 std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
85
86                 /* Straight string compare of hashes */
87                 if (our_hmac != theirs)
88                         return false;
89         }
90         else
91         {
92                 /* Straight string compare of plaintext */
93                 if (link.RecvPass != theirs)
94                         return false;
95         }
96
97         if (capab->auth_fingerprint)
98         {
99                 /* Require fingerprint to exist and match */
100                 if (link.Fingerprint != fp)
101                 {
102                         ServerInstance->SNO->WriteToSnoMask('l',"Invalid SSL fingerprint on link %s: need \"%s\" got \"%s\"",
103                                 link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str());
104                         SendError("Provided invalid SSL fingerprint " + fp + " - expected " + link.Fingerprint);
105                         return false;
106                 }
107         }
108         else if (!fp.empty())
109         {
110                 ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
111                         "You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
112         }
113         return true;
114 }