From: brain <brain@e03df62e-2008-0410-955e-edbf42e46eb7>
Date: Mon, 9 Apr 2007 15:18:13 +0000 (+0000)
Subject: Add basic HMAC suggested by jilles to make the auth not suck -- this is probably... 
X-Git-Tag: v2.0.23~5629
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;ds=inline;h=fdecf7fb707c415a54c3f41fd45fbc41f6ae4f3d;p=user%2Fhenk%2Fcode%2Finspircd.git

Add basic HMAC suggested by jilles to make the auth not suck -- this is probably buggy, and the other side doesnt auth yet. do not use.


git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@6769 e03df62e-2008-0410-955e-edbf42e46eb7
---

diff --git a/src/modules/m_spanningtree/handshaketimer.cpp b/src/modules/m_spanningtree/handshaketimer.cpp
index e57141a7c..a82ea7ea0 100644
--- a/src/modules/m_spanningtree/handshaketimer.cpp
+++ b/src/modules/m_spanningtree/handshaketimer.cpp
@@ -45,7 +45,7 @@ void HandshakeTimer::Tick(time_t TIME)
 		{
 			sock->SendCapabilities();
 			if (sock->GetLinkState() == CONNECTING)
-				sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+				sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass, sock->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
 		}
 		else
 		{
@@ -54,7 +54,7 @@ void HandshakeTimer::Tick(time_t TIME)
 				InspSocketAttachCertRequest(sock, (Module*)Utils->Creator, sock->GetHook()).Send();
 				sock->SendCapabilities();
 				if (sock->GetLinkState() == CONNECTING)
-					sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+					sock->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+sock->MakePass(lnk->SendPass, sock->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
 			}
 			else
 			{
diff --git a/src/modules/m_spanningtree/treesocket.h b/src/modules/m_spanningtree/treesocket.h
index 82a066be6..5af0b0eb9 100644
--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -152,7 +152,7 @@ class TreeSocket : public InspSocket
 	/** Construct a password, optionally hashed with the other side's
 	 * challenge string
 	 */
-	std::string MakePass(const std::string &password);
+	std::string MakePass(const std::string &password, const std::string &challenge);
 
 	/** When an outbound connection finishes connecting, we receive
 	 * this event, and must send our SERVER string to the other
diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp
index 8ccd83b3a..f145783bc 100644
--- a/src/modules/m_spanningtree/treesocket1.cpp
+++ b/src/modules/m_spanningtree/treesocket1.cpp
@@ -22,6 +22,7 @@
 #include "wildcard.h"
 #include "xline.h"
 #include "transport.h"
+#include "m_hash.h"
 #include "socketengine.h"
 
 #include "m_spanningtree/main.h"
@@ -32,7 +33,7 @@
 #include "m_spanningtree/resolvers.h"
 #include "m_spanningtree/handshaketimer.h"
 
-/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h */
+/* $ModDep: m_spanningtree/timesynctimer.h m_spanningtree/resolvers.h m_spanningtree/main.h m_spanningtree/utils.h m_spanningtree/treeserver.h m_spanningtree/link.h m_spanningtree/treesocket.h m_hash.h */
 
 /** Because most of the I/O gubbins are encapsulated within
  * InspSocket, we just call the superclass constructor for
@@ -121,12 +122,32 @@ void TreeSocket::SetTheirChallenge(const std::string &c)
 	this->theirchallenge = c;
 }
 
-std::string TreeSocket::MakePass(const std::string &password)
+std::string TreeSocket::MakePass(const std::string &password, const std::string &challenge)
 {
-	if ((this->GetOurChallenge() != "") && (this->GetTheirChallenge() != ""))
+	Module* sha256 = Instance->FindModule("m_sha256.so");
+	if (sha256 && !challenge.empty())
 	{
-		return password + ":" + this->GetTheirChallenge();
+		/* sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) ) */
+		std::string hmac1, hmac2;
+
+		for (size_t n = 0; n < password.length(); n++)
+		{
+			hmac1 += static_cast<char>(password[n] ^ 0x5C);
+			hmac2 += static_cast<char>(password[n] ^ 0x36);
+		}
+
+		HashResetRequest(Utils->Creator, sha256).Send();
+		hmac2 = HashSumRequest(Utils->Creator, sha256, hmac2).Send();
+
+		HashResetRequest(Utils->Creator, sha256).Send();
+		std::string hmac = hmac1 + hmac2 + challenge;
+		hmac = HashSumRequest(Utils->Creator, sha256, hmac).Send();
+
+		return hmac;
 	}
+	else if (!challenge.empty() && !sha256)
+		Instance->Log(DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!");
+
 	return password;
 }
 
diff --git a/src/modules/m_spanningtree/treesocket2.cpp b/src/modules/m_spanningtree/treesocket2.cpp
index 1e915cddc..0971a87c5 100644
--- a/src/modules/m_spanningtree/treesocket2.cpp
+++ b/src/modules/m_spanningtree/treesocket2.cpp
@@ -902,7 +902,7 @@ bool TreeSocket::Inbound_Server(std::deque<std::string> &params)
 			this->InboundDescription = description;
 			// this is good. Send our details: Our server name and description and hopcount of 0,
 			// along with the sendpass from this block.
-			this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(x->SendPass)+" 0 :"+this->Instance->Config->ServerDesc);
+			this->WriteLine(std::string("SERVER ")+this->Instance->Config->ServerName+" "+this->MakePass(x->SendPass, this->GetTheirChallenge())+" 0 :"+this->Instance->Config->ServerDesc);
 			// move to the next state, we are now waiting for THEM.
 			this->LinkState = WAIT_AUTH_2;
 			return true;