X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_spanningtree%2Fhmac.cpp;h=15cfbc37a0af1e592bc98c147ac7a9430996539e;hb=2cffabe0c7375a15c702aeaea5d553d90a549860;hp=d79f13567b925860325e65401787da43066dc43c;hpb=abc57eddfb56462ac3e433601d010abf1942e611;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp index d79f13567..15cfbc37a 100644 --- a/src/modules/m_spanningtree/hmac.cpp +++ b/src/modules/m_spanningtree/hmac.cpp @@ -51,15 +51,15 @@ std::string TreeSocket::MakePass(const std::string &password, const std::string /* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for * suggesting the use of HMAC to secure the password against various attacks. * - * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no + * Note: If an sha256 provider is not available, we MUST fall back to plaintext with no * HMAC challenge/response. */ HashProvider* sha256 = ServerInstance->Modules->FindDataService("hash/sha256"); - if (Utils->ChallengeResponse && sha256 && !challenge.empty()) + if (sha256 && !challenge.empty()) return "AUTH:" + BinToBase64(sha256->hmac(password, challenge)); if (!challenge.empty() && !sha256) - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!"); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Not authenticating to server using SHA256/HMAC because we don't have an SHA256 provider (e.g. m_sha256) loaded!"); return password; } @@ -69,21 +69,6 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) capab->auth_fingerprint = !link.Fingerprint.empty(); capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty(); - if (capab->auth_challenge) - { - std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge); - - /* Straight string compare of hashes */ - if (our_hmac != theirs) - return false; - } - else - { - /* Straight string compare of plaintext */ - if (link.RecvPass != theirs) - return false; - } - std::string fp = SSLClientCert::GetFingerprint(this); if (capab->auth_fingerprint) { @@ -101,5 +86,20 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". " "You can improve security by specifying this in .", link.Name.c_str(), fp.c_str()); } + + if (capab->auth_challenge) + { + std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge); + + /* Straight string compare of hashes */ + if (our_hmac != theirs) + return false; + } + else + { + /* Straight string compare of plaintext */ + if (link.RecvPass != theirs) + return false; + } return true; }