Add basic HMAC suggested by jilles to make the auth not suck -- this is probably...
authorbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>
Mon, 9 Apr 2007 15:18:13 +0000 (15:18 +0000)
committerbrain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>
Mon, 9 Apr 2007 15:18:13 +0000 (15:18 +0000)
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@6769 e03df62e-2008-0410-955e-edbf42e46eb7

src/modules/m_spanningtree/handshaketimer.cpp
src/modules/m_spanningtree/treesocket.h
src/modules/m_spanningtree/treesocket1.cpp
src/modules/m_spanningtree/treesocket2.cpp

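--- a/src/modules/m_spanningtree/handshaketimer.cpp
+++ b/src/modules/m_spanningtree/handshaketimer.cpp
@@ -45,7 +45,7 @@ void HandshakeTimer::Tick(time_t TIME)
                {
                        sock->SendCapabilities();
                        if (sock->GetLinkState() == CONNECTING)
-                               sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+                               sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass, sock->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
                }
                else
                {
@@ -54,7 +54,7 @@ void HandshakeTimer::Tick(time_t TIME)
                                InspSocketAttachCertRequest(sock, (Module*)Utils->Creator, sock->GetHook()).Send();
                                sock->SendCapabilities();
                                if (sock->GetLinkState() == CONNECTING)
-                                       sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+                                       sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass, sock->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
                        }
                        else
                        {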
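Review bot: Both changed `SERVER` lines (first and second hunk) pass `sock->GetTheirChallenge()` immediately after `sock->SendCapabilities()` on a link still in `CONNECTING`, and nothing visible here shows that the peer's challenge has been received by then. If it is still empty, `MakePass` returns `lnk->SendPass` unchanged, so the link password goes out in cleartext, and no log entry is written because the log line in `MakePass` covers only the missing-module case. At minimum, state the ordering requirement next to each call, e.g. `/* theirchallenge must be set before this line, otherwise MakePass() sends SendPass unhashed */`. `Tick` begins and ends outside both hunks, so the surrounding handshake flow could not be checked.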
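--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -152,7 +152,7 @@ class TreeSocket : public InspSocket
        /** Construct a password, optionally hashed with the other side's
         * challenge string
         */
-       std::string MakePass(const std::string &password);
+       std::string MakePass(const std::string &password, const std::string &challenge);
 
        /** When an outbound connection finishes connecting, we receive
         * this event, and must send our SERVER string to the other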
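Review bot: The doc comment above `MakePass` was not updated for the new `challenge` parameter and still says only "optionally hashed", which hides the condition that decides whether the link password is sent in cleartext. It should name the parameter and the fallback, for example `@param challenge The other side's challenge string; if it is empty, or m_sha256 is not loaded, the password is returned unhashed`. That behaviour is taken from the treesocket1.cpp definition in this same commit.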
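--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
@@ -22,6 +22,7 @@
 #include "wildcard.h"
 #include "xline.h"
 #include "transport.h"
+#include "m_hash.h"
 #include "socketengine.h"
 
 #include "m_spanningtree/main.h"
@@ -32,7 +33,7 @@
 #include "m_spanningtree/resolvers.h"
 #include "m_spanningtree/handshaketimer.h"
 
-/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h */
+/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h m_hash.h */
 
 /** Because most of the I/O gubbins are encapsulated within
  * InspSocket, we just call the superclass constructor for
@@ -121,12 +122,32 @@ void TreeSocket::SetTheirChallenge(const std::string &c)
        this->theirchallenge = c;
 }
 
-std::string TreeSocket::MakePass(const std::string &password)
+std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
 {
-       if ((this->GetOurChallenge() != "") && (this->GetTheirChallenge() != ""))
+       Module* sha256 = Instance->FindModule("m_sha256.so");
+       if (sha256 && !challenge.empty())
        {
-               return password + ":" + this->GetTheirChallenge();
+               /* sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) ) */
+               std::string hmac1, hmac2;
+
+               for (size_t n = 0; n < password.length(); n++)
+               {
+                       hmac1 += static_cast<char>(password[n] ^ 0x5C);
+                       hmac2 += static_cast<char>(password[n] ^ 0x36);
+               }
+
+               HashResetRequest(Utils->Creator, sha256).Send();
+               hmac2 = HashSumRequest(Utils->Creator, sha256, hmac2).Send();
+
+               HashResetRequest(Utils->Creator, sha256).Send();
+               std::string hmac = hmac1 + hmac2 + challenge;
+               hmac = HashSumRequest(Utils->Creator, sha256, hmac).Send();
+
+               return hmac;
        }
+       else if (!challenge.empty() && !sha256)
+               Instance->Log(DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
+
        return password;
 }
 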
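Review bot: In `MakePass` the code does not compute what its own comment states: the inner hash covers only `pass xor 0x36`, and the challenge is appended to the outer input (`hmac1 + hmac2 + challenge`), so the result is a secret-prefix SHA-256 over the challenge rather than the nested HMAC form and does not get HMAC's protection against length extension. To match the comment, hash the challenge inside, `hmac2 = HashSumRequest(Utils->Creator, sha256, hmac2 + challenge).Send();`, and build the outer input as `std::string hmac = hmac1 + hmac2;`; the verifying side is not in this diff and would have to change in step. The pads are also XORed over the password length only instead of a key padded to the hash block size, and a password byte equal to 0x5C or 0x36 becomes NUL, which would truncate the input if the hash module reads it as a C string (not visible here). Finally, the trailing `return password;` still returns the cleartext password whenever `challenge` is empty, and only the missing-module case is logged, so a peer that never sends a challenge downgrades the link silently.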
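--- a/src/modules/m_spanningtree/treesocket2.cpp
+++ b/src/modules/m_spanningtree/treesocket2.cpp
@@ -902,7 +902,7 @@ bool TreeSocket::Inbound_Server(std::deque<std::string> &params)
                        this->InboundDescription = description;
                        // this is good. Send our details: Our server name and description and hopcount of 0,
                        // along with the sendpass from this block.
-                       this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(x->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+                       this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(x->SendPass, this->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
                        // move to the next state, we are now waiting for THEM.
                        this->LinkState = WAIT_AUTH_2;
                        return true;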