X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_spanningtree%2Ftreesocket1.cpp;h=acc6c7fe2f4cf9fa22d3a18b848f1f928cfda414;hb=715074dd10079a3ed846e8815290ba0d13cd4bd8;hp=20943ef2695dbf4d64a0ac4b432a7f3bb1bba9ef;hpb=5870145ac255da65f5bf4ff0fae4715cbb930ec9;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp
index 20943ef26..acc6c7fe2 100644
--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
@@ -1,3 +1,16 @@
+/*       +------------------------------------+
+ *       | Inspire Internet Relay Chat Daemon |
+ *       +------------------------------------+
+ *
+ *  InspIRCd: (C) 2002-2007 InspIRCd Development Team
+ * See: http://www.inspircd.org/wiki/index.php/Credits
+ *
+ * This program is free but copyrighted software; see
+ *            the file COPYING for details.
+ *
+ * ---------------------------------------------------
+ */
+
 #include "configreader.h"
 #include "users.h"
 #include "channels.h"
@@ -9,6 +22,7 @@
 #include "wildcard.h"
 #include "xline.h"
 #include "transport.h"
+#include "m_hash.h"
 #include "socketengine.h"
 
 #include "m_spanningtree/main.h"
@@ -19,7 +33,8 @@
 #include "m_spanningtree/resolvers.h"
 #include "m_spanningtree/handshaketimer.h"
 
-/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h */
+/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h m_hash.h */
+
 
 /** Because most of the I/O gubbins are encapsulated within
  * InspSocket, we just call the superclass constructor for
@@ -31,6 +46,7 @@ TreeSocket::TreeSocket(SpanningTreeUtilities* Util, InspIRCd* SI, std::string ho
 {
 	myhost = host;
 	this->LinkState = LISTENER;
+	theirchallenge = ourchallenge = "";
 	if (listening && Hook)
 		InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
 }
@@ -39,6 +55,7 @@ TreeSocket::TreeSocket(SpanningTreeUtilities* Util, InspIRCd* SI, std::string ho
 	: InspSocket(SI, host, port, listening, maxtime, bindto), Utils(Util), Hook(HookMod)
 {
 	myhost = ServerName;
+	theirchallenge = ourchallenge = "";
 	this->LinkState = CONNECTING;
 	if (Hook)
 		InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
@@ -52,21 +69,14 @@ TreeSocket::TreeSocket(SpanningTreeUtilities* Util, InspIRCd* SI, int newfd, cha
 	: InspSocket(SI, newfd, ip), Utils(Util), Hook(HookMod)
 {
 	this->LinkState = WAIT_AUTH_1;
+	theirchallenge = ourchallenge = "";
 	/* If we have a transport module hooked to the parent, hook the same module to this
 	 * socket, and set a timer waiting for handshake before we send CAPAB etc.
 	 */
 	if (Hook)
-	{
 		InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
-		Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(Utils->LinkBlocks[0]), this->Utils));
-	}
-	else
-	{
-		/* Otherwise, theres no lower layer transport in plain TCP/IP,
-		 * so just send the capabilities right now.
-		 */
-		this->SendCapabilities();
-	}
+
+	Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(Utils->LinkBlocks[0]), this->Utils, 1));
 }
 
 ServerState TreeSocket::GetLinkState()
@@ -85,6 +95,69 @@ TreeSocket::~TreeSocket()
 		InspSocketUnhookRequest(this, (Module*)Utils->Creator, Hook).Send();
 }
 
+const std::string& TreeSocket::GetOurChallenge()
+{
+	return this->ourchallenge;
+}
+
+void TreeSocket::SetOurChallenge(const std::string &c)
+{
+	this->ourchallenge = c;
+}
+
+const std::string& TreeSocket::GetTheirChallenge()
+{
+	return this->theirchallenge;
+}
+
+void TreeSocket::SetTheirChallenge(const std::string &c)
+{
+	this->theirchallenge = c;
+}
+
+std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
+{
+	/* This is a simple (maybe a bit hacky?) HMAC algorithm, thanks to jilles for
+	 * suggesting the use of HMAC to secure the password against various attacks.
+	 *
+	 * Note: If m_sha256.so is not loaded, we MUST fall back to plaintext with no
+	 *       HMAC challenge/response.
+	 */
+	Module* sha256 = Instance->FindModule("m_sha256.so");
+	if (Utils->ChallengeResponse && sha256 && !challenge.empty())
+	{
+		/* XXX: This is how HMAC is supposed to be done:
+		 *
+		 * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) )
+		 *
+		 * Note that we are encoding the hex hash, not the binary
+		 * output of the hash which is slightly different to standard.
+		 *
+		 * Don't ask me why its always 0x5c and 0x36... it just is.
+		 */
+		std::string hmac1, hmac2;
+
+		for (size_t n = 0; n < password.length(); n++)
+		{
+			hmac1 += static_cast<char>(password[n] ^ 0x5C);
+			hmac2 += static_cast<char>(password[n] ^ 0x36);
+		}
+
+		HashResetRequest(Utils->Creator, sha256).Send();
+		hmac2 = HashSumRequest(Utils->Creator, sha256, hmac2).Send();
+
+		HashResetRequest(Utils->Creator, sha256).Send();
+		std::string hmac = hmac1 + hmac2 + challenge;
+		hmac = HashSumRequest(Utils->Creator, sha256, hmac).Send();
+
+		return "HMAC-SHA256:"+ hmac;
+	}
+	else if (!challenge.empty() && !sha256)
+		Instance->Log(DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
+
+	return password;
+}
+
 /** When an outbound connection finishes connecting, we receive
  * this event, and must send our SERVER string to the other
  * side. If the other side is happy, as outlined in the server
@@ -106,13 +179,9 @@ bool TreeSocket::OnConnected()
 					InspSocketHookRequest(this, (Module*)Utils->Creator, Hook).Send();
 					this->Instance->SNO->WriteToSnoMask('l',"Connection to \2"+myhost+"\2["+(x->HiddenFromStats ? "<hidden>" : this->GetIP())+"] using transport \2"+x->Hook+"\2");
 				}
-				else
-					this->SendCapabilities();
+				this->OutboundPass = x->SendPass;
 				/* found who we're supposed to be connecting to, send the neccessary gubbins. */
-				if (Hook)
-					Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(*x), this->Utils));
-				else
-					this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+x->SendPass+" 0 :"+this->Instance->Config->ServerDesc);
+				Instance->Timers->AddTimer(new HandshakeTimer(Instance, this, &(*x), this->Utils, 2));
 				return true;
 			}
 		}
@@ -194,6 +263,30 @@ std::string TreeSocket::MyCapabilities()
 	return capabilities;
 }
 
+std::string TreeSocket::RandString(unsigned int length)
+{
+	char* randombuf = new char[length+1];
+	std::string out;
+	int fd = open("/dev/urandom", O_RDONLY, 0);
+
+	if (fd >= 0)
+	{
+		read(fd, randombuf, length);
+		close(fd);
+	}
+	else
+	{
+		for (unsigned int i = 0; i < length; i++)
+			randombuf[i] = rand();
+	}
+
+	for (unsigned int i = 0; i < length; i++)
+		out += static_cast<char>((randombuf[i] & 0x7F) | 0x21);
+
+	delete[] randombuf;
+	return out;
+}
+
 void TreeSocket::SendCapabilities()
 {
 	irc::commasepstream modulelist(MyCapabilities());
@@ -226,7 +319,15 @@ void TreeSocket::SendCapabilities()
 #ifdef SUPPORT_IP6LINKS
 	ip6support = 1;
 #endif
-	this->WriteLine("CAPAB CAPABILITIES :NICKMAX="+ConvToStr(NICKMAX)+" HALFOP="+ConvToStr(this->Instance->Config->AllowHalfop)+" CHANMAX="+ConvToStr(CHANMAX)+" MAXMODES="+ConvToStr(MAXMODES)+" IDENTMAX="+ConvToStr(IDENTMAX)+" MAXQUIT="+ConvToStr(MAXQUIT)+" MAXTOPIC="+ConvToStr(MAXTOPIC)+" MAXKICK="+ConvToStr(MAXKICK)+" MAXGECOS="+ConvToStr(MAXGECOS)+" MAXAWAY="+ConvToStr(MAXAWAY)+" IP6NATIVE="+ConvToStr(ip6)+" IP6SUPPORT="+ConvToStr(ip6support)+" PROTOCOL="+ConvToStr(ProtocolVersion));
+	std::string extra;
+	/* Do we have sha256 available? If so, we send a challenge */
+	if (Utils->ChallengeResponse && (Instance->FindModule("m_sha256.so")))
+	{
+		this->SetOurChallenge(RandString(20));
+		extra = " CHALLENGE=" + this->GetOurChallenge();
+	}
+
+	this->WriteLine("CAPAB CAPABILITIES :NICKMAX="+ConvToStr(NICKMAX)+" HALFOP="+ConvToStr(this->Instance->Config->AllowHalfop)+" CHANMAX="+ConvToStr(CHANMAX)+" MAXMODES="+ConvToStr(MAXMODES)+" IDENTMAX="+ConvToStr(IDENTMAX)+" MAXQUIT="+ConvToStr(MAXQUIT)+" MAXTOPIC="+ConvToStr(MAXTOPIC)+" MAXKICK="+ConvToStr(MAXKICK)+" MAXGECOS="+ConvToStr(MAXGECOS)+" MAXAWAY="+ConvToStr(MAXAWAY)+" IP6NATIVE="+ConvToStr(ip6)+" IP6SUPPORT="+ConvToStr(ip6support)+" PROTOCOL="+ConvToStr(ProtocolVersion)+extra);
 
 	this->WriteLine("CAPAB END");
 }
@@ -334,6 +435,25 @@ bool TreeSocket::Capab(const std::deque<std::string> &params)
 			reason = "Maximum GECOS (fullname) lengths differ or remote GECOS length not specified";
 		if (((this->CapKeys.find("MAXAWAY") == this->CapKeys.end()) || ((this->CapKeys.find("MAXAWAY") != this->CapKeys.end()) && (this->CapKeys.find("MAXAWAY")->second != ConvToStr(MAXAWAY)))))
 			reason = "Maximum awaymessage lengths differ or remote awaymessage length not specified";
+
+		/* Challenge response, store their challenge for our password */
+		std::map<std::string,std::string>::iterator n = this->CapKeys.find("CHALLENGE");
+		if (Utils->ChallengeResponse && (n != this->CapKeys.end()) && (Instance->FindModule("m_sha256.so")))
+		{
+			/* Challenge-response is on now */
+			this->SetTheirChallenge(n->second);
+			if (!this->GetOurChallenge().empty() && (this->LinkState == CONNECTING))
+			{
+				this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(OutboundPass, this->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
+			}
+		}
+		else
+		{
+			/* They didnt specify a challenge or we don't have m_sha256.so, we use plaintext */
+			if (this->LinkState == CONNECTING)
+				this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+OutboundPass+" 0 :"+this->Instance->Config->ServerDesc);
+		}
+
 		if (reason.length())
 		{
 			this->WriteLine("ERROR :CAPAB negotiation failed: "+reason);
@@ -946,7 +1066,9 @@ bool TreeSocket::IntroduceClient(const std::string &source, std::deque<std::stri
 		_new->SetSockAddr(AF_INET, params[6].c_str(), 0);
 
 	Instance->AddGlobalClone(_new);
-	this->Instance->SNO->WriteToSnoMask('C',"Client connecting at %s: %s!%s@%s [%s]",_new->server,_new->nick,_new->ident,_new->host, _new->GetIPString());
+
+	if (!this->Instance->SilentULine(_new->server))
+		this->Instance->SNO->WriteToSnoMask('C',"Client connecting at %s: %s!%s@%s [%s]",_new->server,_new->nick,_new->ident,_new->host, _new->GetIPString());
 
 	params[7] = ":" + params[7];
 	Utils->DoOneToAllButSender(source,"NICK", params, source);
@@ -1173,11 +1295,10 @@ void TreeSocket::SendUsers(TreeServer* Current)
  */
 void TreeSocket::DoBurst(TreeServer* s)
 {
+	std::string name = s->GetName();
 	std::string burst = "BURST "+ConvToStr(Instance->Time(true));
 	std::string endburst = "ENDBURST";
-	// Because by the end of the netburst, it  could be gone!
-	std::string name = s->GetName();
-	this->Instance->SNO->WriteToSnoMask('l',"Bursting to \2"+name+"\2.");
+	this->Instance->SNO->WriteToSnoMask('l',"Bursting to \2%s\2 (Authentication: %s).", name.c_str(), this->GetTheirChallenge().empty() ? "plaintext password" : "SHA256-HMAC challenge-response");
 	this->WriteLine(burst);
 	/* send our version string */
 	this->WriteLine(std::string(":")+this->Instance->Config->ServerName+" VERSION :"+this->Instance->GetVersionString());