+/* +------------------------------------+
+ * | Inspire Internet Relay Chat Daemon |
+ * +------------------------------------+
+ *
+ * InspIRCd: (C) 2002-2007 InspIRCd Development Team
+ * See: http://www.inspircd.org/wiki/index.php/Credits
+ *
+ * This program is free but copyrighted software; see
+ * the file COPYING for details.
+ *
+ * ---------------------------------------------------
+ */
+
#include "configreader.h"
#include "users.h"
#include "channels.h"
#include "wildcard.h"
#include "xline.h"
#include "transport.h"
+#include "m_hash.h"
#include "socketengine.h"
#include "m_spanningtree/main.h"
#include "m_spanningtree/resolvers.h"
#include "m_spanningtree/handshaketimer.h"
-/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h */
+/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h m_hash.h */
+
/** Because most of the I/O gubbins are encapsulated within
* InspSocket, we just call the superclass constructor for
{
myhost = host;
this->LinkState = LISTENER;
+ theirchallenge = ourchallenge = "";
if (listening && Hook)
InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
}
: InspSocket(SI, host, port, listening, maxtime, bindto), Utils(Util), Hook(HookMod)
{
myhost = ServerName;
+ theirchallenge = ourchallenge = "";
this->LinkState = CONNECTING;
if (Hook)
InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
: InspSocket(SI, newfd, ip), Utils(Util), Hook(HookMod)
{
this->LinkState = WAIT_AUTH_1;
+ theirchallenge = ourchallenge = "";
/* If we have a transport module hooked to the parent, hook the same module to this
* socket, and set a timer waiting for handshake before we send CAPAB etc.
*/
if (Hook)
- {
InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
- Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(Utils->LinkBlocks[0]), this->Utils));
- }
- else
- {
- /* Otherwise, theres no lower layer transport in plain TCP/IP,
- * so just send the capabilities right now.
- */
- this->SendCapabilities();
- }
+
+ Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(Utils->LinkBlocks[0]), this->Utils, 1));
}
ServerState TreeSocket::GetLinkState()
InspSocketUnhookRequest(this, (Module*)Utils->Creator, Hook).Send();
}
+const std::string& TreeSocket::GetOurChallenge()
+{
+ return this->ourchallenge;
+}
+
+void TreeSocket::SetOurChallenge(const std::string &c)
+{
+ this->ourchallenge = c;
+}
+
+const std::string& TreeSocket::GetTheirChallenge()
+{
+ return this->theirchallenge;
+}
+
+void TreeSocket::SetTheirChallenge(const std::string &c)
+{
+ this->theirchallenge = c;
+}
+
+std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
+{
+ /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for
+ * suggesting the use of HMAC to secure the password against various attacks.
+ *
+ * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no
+ * HMAC challenge/response.
+ */
+ Module* sha256 = Instance->FindModule("m_sha256.so");
+ if (Utils->ChallengeResponse && sha256 && !challenge.empty())
+ {
+ /* XXX: This is how HMAC is supposed to be done:
+ *
+ * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) )
+ *
+ * Note that we are encoding the hex hash, not the binary
+ * output of the hash which is slightly different to standard.
+ *
+ * Don't ask me why its always 0x5c and 0x36... it just is.
+ */
+ std::string hmac1, hmac2;
+
+ for (size_t n = 0; n < password.length(); n++)
+ {
+ hmac1 += static_cast<char>(password[n] ^ 0x5C);
+ hmac2 += static_cast<char>(password[n] ^ 0x36);
+ }
+
+ HashResetRequest(Utils->Creator, sha256).Send();
+ hmac2 = HashSumRequest(Utils->Creator, sha256, hmac2).Send();
+
+ HashResetRequest(Utils->Creator, sha256).Send();
+ std::string hmac = hmac1 + hmac2 + challenge;
+ hmac = HashSumRequest(Utils->Creator, sha256, hmac).Send();
+
+ return "HMAC-SHA256:"+ hmac;
+ }
+ else if (!challenge.empty() && !sha256)
+ Instance->Log(DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
+
+ return password;
+}
+
/** When an outbound connection finishes connecting, we receive
* this event, and must send our SERVER string to the other
* side. If the other side is happy, as outlined in the server
InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
this->Instance->SNO->WriteToSnoMask('l',"Connection to \2"+myhost+"\2["+(x->HiddenFromStats ? "<hidden>" : this->GetIP())+"] using transport \2"+x->Hook+"\2");
}
- else
- this->SendCapabilities();
+ this->OutboundPass = x->SendPass;
/* found who we're supposed to be connecting to, send the neccessary gubbins. */
- if (Hook)
- Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(*x), this->Utils));
- else
- this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+x->SendPass+" 0 :"+this->Instance->Config->ServerDesc);
+ Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(*x), this->Utils, 2));
return true;
}
}
return capabilities;
}
+std::string TreeSocket::RandString(unsigned int length)
+{
+ char* randombuf = new char[length+1];
+ std::string out;
+ int fd = open("/dev/urandom", O_RDONLY, 0);
+
+ if (fd >= 0)
+ {
+ read(fd, randombuf, length);
+ close(fd);
+ }
+ else
+ {
+ for (unsigned int i = 0; i < length; i++)
+ randombuf[i] = rand();
+ }
+
+ for (unsigned int i = 0; i < length; i++)
+ out += static_cast<char>((randombuf[i] & 0x7F) | 0x21);
+
+ delete[] randombuf;
+ return out;
+}
+
void TreeSocket::SendCapabilities()
{
irc::commasepstream modulelist(MyCapabilities());
#ifdef SUPPORT_IP6LINKS
ip6support = 1;
#endif
- this->WriteLine("CAPAB CAPABILITIES :NICKMAX="+ConvToStr(NICKMAX)+" HALFOP="+ConvToStr(this->Instance->Config->AllowHalfop)+" CHANMAX="+ConvToStr(CHANMAX)+" MAXMODES="+ConvToStr(MAXMODES)+" IDENTMAX="+ConvToStr(IDENTMAX)+" MAXQUIT="+ConvToStr(MAXQUIT)+" MAXTOPIC="+ConvToStr(MAXTOPIC)+" MAXKICK="+ConvToStr(MAXKICK)+" MAXGECOS="+ConvToStr(MAXGECOS)+" MAXAWAY="+ConvToStr(MAXAWAY)+" IP6NATIVE="+ConvToStr(ip6)+" IP6SUPPORT="+ConvToStr(ip6support)+" PROTOCOL="+ConvToStr(ProtocolVersion));
+ std::string extra;
+ /* Do we have sha256 available? If so, we send a challenge */
+ if (Utils->ChallengeResponse && (Instance->FindModule("m_sha256.so")))
+ {
+ this->SetOurChallenge(RandString(20));
+ extra = " CHALLENGE=" + this->GetOurChallenge();
+ }
+
+ this->WriteLine("CAPAB CAPABILITIES :NICKMAX="+ConvToStr(NICKMAX)+" HALFOP="+ConvToStr(this->Instance->Config->AllowHalfop)+" CHANMAX="+ConvToStr(CHANMAX)+" MAXMODES="+ConvToStr(MAXMODES)+" IDENTMAX="+ConvToStr(IDENTMAX)+" MAXQUIT="+ConvToStr(MAXQUIT)+" MAXTOPIC="+ConvToStr(MAXTOPIC)+" MAXKICK="+ConvToStr(MAXKICK)+" MAXGECOS="+ConvToStr(MAXGECOS)+" MAXAWAY="+ConvToStr(MAXAWAY)+" IP6NATIVE="+ConvToStr(ip6)+" IP6SUPPORT="+ConvToStr(ip6support)+" PROTOCOL="+ConvToStr(ProtocolVersion)+extra);
this->WriteLine("CAPAB END");
}
reason = "Maximum GECOS (fullname) lengths differ or remote GECOS length not specified";
if (((this->CapKeys.find("MAXAWAY") == this->CapKeys.end()) || ((this->CapKeys.find("MAXAWAY") != this->CapKeys.end()) && (this->CapKeys.find("MAXAWAY")->second != ConvToStr(MAXAWAY)))))
reason = "Maximum awaymessage lengths differ or remote awaymessage length not specified";
+
+ /* Challenge response, store their challenge for our password */
+ std::map<std::string,std::string>::iterator n = this->CapKeys.find("CHALLENGE");
+ if (Utils->ChallengeResponse && (n != this->CapKeys.end()) && (Instance->FindModule("m_sha256.so")))
+ {
+ /* Challenge-response is on now */
+ this->SetTheirChallenge(n->second);
+ if (!this->GetOurChallenge().empty() && (this->LinkState == CONNECTING))
+ {
+ this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(OutboundPass, this->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
+ }
+ }
+ else
+ {
+ /* They didnt specify a challenge or we don't have m_sha256.so, we use plaintext */
+ if (this->LinkState == CONNECTING)
+ this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+OutboundPass+" 0 :"+this->Instance->Config->ServerDesc);
+ }
+
if (reason.length())
{
this->WriteLine("ERROR :CAPAB negotiation failed: "+reason);
_new->SetSockAddr(AF_INET, params[6].c_str(), 0);
Instance->AddGlobalClone(_new);
- this->Instance->SNO->WriteToSnoMask('C',"Client connecting at %s: %s!%s@%s [%s]",_new->server,_new->nick,_new->ident,_new->host, _new->GetIPString());
+
+ if (!this->Instance->SilentULine(_new->server))
+ this->Instance->SNO->WriteToSnoMask('C',"Client connecting at %s: %s!%s@%s [%s]",_new->server,_new->nick,_new->ident,_new->host, _new->GetIPString());
params[7] = ":" + params[7];
Utils->DoOneToAllButSender(source,"NICK", params, source);
*/
void TreeSocket::DoBurst(TreeServer* s)
{
+ std::string name = s->GetName();
std::string burst = "BURST "+ConvToStr(Instance->Time(true));
std::string endburst = "ENDBURST";
- // Because by the end of the netburst, it could be gone!
- std::string name = s->GetName();
- this->Instance->SNO->WriteToSnoMask('l',"Bursting to \2"+name+"\2.");
+ this->Instance->SNO->WriteToSnoMask('l',"Bursting to \2%s\2 (Authentication: %s).", name.c_str(), this->GetTheirChallenge().empty() ? "plaintext password" : "SHA256-HMAC challenge-response");
this->WriteLine(burst);
/* send our version string */
this->WriteLine(std::string(":")+this->Instance->Config->ServerName+" VERSION :"+this->Instance->GetVersionString());