X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=sidebyside;f=src%2Fmodules%2Fm_spanningtree%2Fhmac.cpp;h=15cfbc37a0af1e592bc98c147ac7a9430996539e;hb=2cffabe0c7375a15c702aeaea5d553d90a549860;hp=ad632dbc7057c3c4bcf491619cfd71cff12f590f;hpb=d9d99cd02dadf34bfcc220734ba0c422f0acb3e6;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp index ad632dbc7..15cfbc37a 100644 --- a/src/modules/m_spanningtree/hmac.cpp +++ b/src/modules/m_spanningtree/hmac.cpp @@ -51,15 +51,15 @@ std::string TreeSocket::MakePass(const std::string &password, const std::string /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for * suggesting the use of HMAC to secure the password against various attacks. * - * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no + * Note: If an sha256 provider is not available, we MUST fall back to plaintext with no * HMAC challenge/response. */ HashProvider* sha256 = ServerInstance->Modules->FindDataService("hash/sha256"); - if (Utils->ChallengeResponse && sha256 && !challenge.empty()) + if (sha256 && !challenge.empty()) return "AUTH:" + BinToBase64(sha256->hmac(password, challenge)); if (!challenge.empty() && !sha256) - ServerInstance->Logs->Log("m_spanningtree", LOG_DEFAULT, "Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!"); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Not authenticating to server using SHA256/HMAC because we don't have an SHA256 provider (e.g. m_sha256) loaded!"); return password; } @@ -69,15 +69,23 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) capab->auth_fingerprint = !link.Fingerprint.empty(); capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty(); - std::string fp; - if (GetIOHook()) + std::string fp = SSLClientCert::GetFingerprint(this); + if (capab->auth_fingerprint) { - SocketCertificateRequest req(this, Utils->Creator); - if (req.cert) + /* Require fingerprint to exist and match */ + if (link.Fingerprint != fp) { - fp = req.cert->GetFingerprint(); + ServerInstance->SNO->WriteToSnoMask('l',"Invalid SSL fingerprint on link %s: need \"%s\" got \"%s\"", + link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str()); + SendError("Provided invalid SSL fingerprint " + fp + " - expected " + link.Fingerprint); + return false; } } + else if (!fp.empty()) + { + ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". " + "You can improve security by specifying this in .", link.Name.c_str(), fp.c_str()); + } if (capab->auth_challenge) { @@ -93,22 +101,5 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) if (link.RecvPass != theirs) return false; } - - if (capab->auth_fingerprint) - { - /* Require fingerprint to exist and match */ - if (link.Fingerprint != fp) - { - ServerInstance->SNO->WriteToSnoMask('l',"Invalid SSL fingerprint on link %s: need \"%s\" got \"%s\"", - link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str()); - SendError("Provided invalid SSL fingerprint " + fp + " - expected " + link.Fingerprint); - return false; - } - } - else if (!fp.empty()) - { - ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". " - "You can improve security by specifying this in .", link.Name.c_str(), fp.c_str()); - } return true; }