/* * cryptlink_auth - CRYPTLINK AUTH message handler * parv[1] = secret key */ static void cryptlink_auth(struct Client *client_p, struct Client *source_p, int parc, char *parv[]) { struct EncCapability *ecap; struct ConfItem *conf; struct AccessItem *aconf; int enc_len; int len; unsigned char *enc; unsigned char *key; if (parc < 4) { cryptlink_error(client_p, "AUTH", "Invalid params", "CRYPTLINK AUTH - Invalid params"); return; } if (!IsWaitAuth(client_p)) return; for (ecap = CipherTable; ecap->name; ecap++) { if ((!irccmp(ecap->name, parv[2])) && (IsCapableEnc(client_p, ecap->cap))) { client_p->localClient->in_cipher = ecap; break; } } if (client_p->localClient->in_cipher == NULL) { cryptlink_error(client_p, "AUTH", "Invalid cipher", "Invalid cipher"); return; } if (!(enc_len = unbase64_block(&enc, parv[3], strlen(parv[3])))) { cryptlink_error(client_p, "AUTH", "Could not base64 decode response", "Malformed CRYPTLINK AUTH reply"); return; } if (verify_private_key() == -1) { sendto_realops_flags(UMODE_ALL, L_ADMIN, "verify_private_key() returned -1. Check log for information."); } key = MyMalloc(RSA_size(ServerInfo.rsa_private_key)); len = RSA_private_decrypt(enc_len, (unsigned char *)enc,(unsigned char *)key, ServerInfo.rsa_private_key, RSA_PKCS1_PADDING); if (len < client_p->localClient->in_cipher->keylen) { report_crypto_errors(); if (len < 0) { cryptlink_error(client_p, "AUTH", "Decryption failed", "Malformed CRYPTLINK AUTH reply"); } else { cryptlink_error(client_p, "AUTH", "Not enough random data sent", "Malformed CRYPTLINK AUTH reply"); } MyFree(enc); MyFree(key); return; } if (memcmp(key, client_p->localClient->in_key, client_p->localClient->in_cipher->keylen) != 0) { cryptlink_error(client_p, "AUTH", "Unauthorized server connection attempt", "Malformed CRYPTLINK AUTH reply"); return; } conf = find_conf_name(&client_p->localClient->confs, client_p->name, SERVER_TYPE); if (conf == NULL) { cryptlink_error(client_p, "AUTH", "Lost C-line for server", "Lost C-line"); return; } aconf = (struct AccessItem *)map_to_conf(conf); if (!(client_p->localClient->out_cipher || (client_p->localClient->out_cipher = check_cipher(client_p, aconf)))) { cryptlink_error(client_p, "AUTH", "Couldn't find compatible cipher", "Couldn't find compatible cipher"); return; } /* set hopcount */ client_p->hopcount = 1; SetCryptIn(client_p); ClearWaitAuth(client_p); server_estab(client_p); }
/* * cryptlink_serv - CRYPTLINK SERV message handler * parv[0] == CRYPTLINK * parv[1] == SERV * parv[2] == server name * parv[3] == keyphrase * parv[4] == :server info (M-line) */ static void cryptlink_serv(struct Client *client_p, struct Client *source_p, int parc, char *parv[]) { char info[REALLEN + 1]; char *name; struct Client *target_p; char *key = client_p->localClient->out_key; unsigned char *b64_key; struct ConfItem *conf; struct AccessItem *aconf; char *encrypted; const char *p; int enc_len; /* if (client_p->name[0] != 0) return; */ if ((parc < 5) || (*parv[4] == '\0')) { cryptlink_error(client_p, "SERV", "Invalid params", "CRYPTLINK SERV - Invalid params"); return; } if ((name = parse_cryptserv_args(client_p, parv, parc, info, key)) == NULL) { cryptlink_error(client_p, "SERV", "Invalid params", "CRYPTLINK SERV - Invalid params"); return; } /* CRYPTLINK SERV support => TS support */ client_p->tsinfo = TS_DOESTS; if (bogus_host(name)) { exit_client(client_p, client_p, "Bogus server name"); return; } /* Now we just have to call check_server and everything should be * checked for us... -A1kmm. */ switch (check_server(name, client_p, CHECK_SERVER_CRYPTLINK)) { case -1: if (ConfigFileEntry.warn_no_nline) { cryptlink_error(client_p, "SERV", "Unauthorized server connection attempt: No entry for server", NULL); } exit_client(client_p, client_p, "Invalid server name"); return; break; case -2: cryptlink_error(client_p, "SERV", "Unauthorized server connection attempt: CRYPTLINK not " "enabled on remote server", "CRYPTLINK not enabled"); return; break; case -3: cryptlink_error(client_p, "SERV", "Unauthorized server connection attempt: Invalid host", "Invalid host"); return; break; } if ((target_p = find_server(name))) { /* * This link is trying feed me a server that I already have * access through another path -- multiple paths not accepted * currently, kill this link immediately!! * * Rather than KILL the link which introduced it, KILL the * youngest of the two links. -avalon * * Definitely don't do that here. This is from an unregistered * connect - A1kmm. */ cryptlink_error(client_p, "SERV", "Attempt to re-introduce existing server", "Server Exists"); return; } if (ServerInfo.hub && IsCapable(client_p, CAP_LL)) { if (IsCapable(client_p, CAP_HUB)) { ClearCap(client_p,CAP_LL); sendto_realops_flags(UMODE_ALL, L_ALL, "*** LazyLinks to a hub from a hub, that's a no-no."); } else { client_p->localClient->serverMask = nextFreeMask(); if(!client_p->localClient->serverMask) { sendto_realops_flags(UMODE_ALL, L_ALL, "serverMask is full!"); /* try and negotiate a non LL connect */ ClearCap(client_p,CAP_LL); } } } else if (IsCapable(client_p, CAP_LL)) { if (!IsCapable(client_p, CAP_HUB)) { ClearCap(client_p,CAP_LL); sendto_realops_flags(UMODE_ALL, L_ALL, "*** LazyLinks to a leaf from a leaf, that's a no-no."); } } conf = find_conf_name(&client_p->localClient->confs, name, SERVER_TYPE); if (conf == NULL) { cryptlink_error(client_p, "AUTH", "Lost C-line for server", "Lost C-line" ); return; } /* * if we are connecting (Handshake), we already have the name from the * connect {} block in client_p->name */ strlcpy(client_p->name, name, sizeof(client_p->name)); p = info; if (!strncmp(info, "(H)", 3)) { SetHidden(client_p); if ((p = strchr(info, ' ')) != NULL) { p++; if (*p == '\0') p = "(Unknown Location)"; } else p = "(Unknown Location)"; } strlcpy(client_p->info, p, sizeof(client_p->info)); client_p->hopcount = 0; aconf = (struct AccessItem *)map_to_conf(conf); if (!(client_p->localClient->out_cipher || (client_p->localClient->out_cipher = check_cipher(client_p, aconf)))) { cryptlink_error(client_p, "AUTH", "Couldn't find compatible cipher", "Couldn't find compatible cipher"); return; } encrypted = MyMalloc(RSA_size(ServerInfo.rsa_private_key)); enc_len = RSA_public_encrypt(client_p->localClient->out_cipher->keylen, (unsigned char *)key, (unsigned char *)encrypted, aconf->rsa_public_key, RSA_PKCS1_PADDING); if (enc_len <= 0) { report_crypto_errors(); MyFree(encrypted); cryptlink_error(client_p, "AUTH", "Couldn't encrypt data", "Couldn't encrypt data"); return; } base64_block(&b64_key, encrypted, enc_len); MyFree(encrypted); if (!IsWaitAuth(client_p)) { cryptlink_init(client_p, conf, NULL); } sendto_one(client_p, "CRYPTLINK AUTH %s %s", client_p->localClient->out_cipher->name, b64_key); /* needed for old servers that can't shove data back into slink */ send_queued_write(client_p); SetCryptOut(client_p); MyFree(b64_key); }
/* ** exit_client ** This is old "m_bye". Name changed, because this is not a ** protocol function, but a general server utility function. ** ** This function exits a client of *any* type (user, server, etc) ** from this server. Also, this generates all necessary prototol ** messages that this exit may cause. ** ** 1) If the client is a local client, then this implicitly ** exits all other clients depending on this connection (e.g. ** remote clients having 'from'-field that points to this. ** ** 2) If the client is a remote client, then only this is exited. ** ** For convenience, this function returns a suitable value for ** m_funtion return value: ** ** FLUSH_BUFFER if (cptr == sptr) ** 0 if (cptr != sptr) ** ** Parameters: ** ** aClient *cptr ** The local client originating the exit or NULL, if this ** exit is generated by this server for internal reasons. ** This will not get any of the generated messages. ** aClient *sptr ** Client exiting ** aClient *from ** Client firing off this Exit, never NULL! ** char *comment ** Reason for the exit */ int exit_client(aClient *cptr, aClient *sptr, aClient *from, const char *comment) { char comment1[HOSTLEN + HOSTLEN + 2]; if (MyConnect(sptr)) { if (sptr->flags & FLAGS_KILLED) { sendto_flag(SCH_NOTICE, "Killed: %s.", get_client_name(sptr, TRUE)); sptr->exitc = EXITC_KILL; } sptr->flags |= FLAGS_CLOSING; #if (defined(FNAME_USERLOG) || defined(FNAME_CONNLOG) \ || defined(USE_SERVICES)) \ || (defined(USE_SYSLOG) && (defined(SYSLOG_USERS) || defined(SYSLOG_CONN))) if (IsPerson(sptr)) { # if defined(FNAME_USERLOG) || defined(USE_SERVICES) || \ (defined(USE_SYSLOG) && defined(SYSLOG_USERS)) sendto_flog(sptr, EXITC_REG, sptr->user->username, sptr->user->host); # endif # if defined(CLIENTS_CHANNEL) && (CLIENTS_CHANNEL_LEVEL & CCL_QUIT) sendto_flag(SCH_CLIENT, "%s %s %s %s QUIT %c" # if (CLIENTS_CHANNEL_LEVEL & CCL_QUITINFO) " :%s" # endif , sptr->user->uid, sptr->name, sptr->user->username, sptr->user->host, sptr->exitc # if (CLIENTS_CHANNEL_LEVEL & CCL_QUITINFO) , comment # endif ); # endif } else if (!IsService(sptr)) { # if defined(FNAME_CONNLOG) || defined(USE_SERVICES) || \ (defined(USE_SYSLOG) && defined(SYSLOG_CONN)) if (sptr->exitc == '\0' || sptr->exitc == EXITC_REG) { sptr->exitc = EXITC_UNDEF; } sendto_flog(sptr, sptr->exitc, sptr->user && sptr->user->username ? sptr->user->username : "", #ifdef UNIXPORT (IsUnixSocket(sptr)) ? me.sockhost : #endif ((sptr->hostp) ? sptr->hostp->h_name : sptr->sockhost)); # endif } #endif if (MyConnect(sptr)) { if (IsPerson(sptr)) { istat.is_myclnt--; } else if (IsServer(sptr)) { istat.is_myserv--; } else if (IsService(sptr)) { istat.is_myservice--; } else { istat.is_unknown--; } if (istat.is_myclnt % CLCHNO == 0 && istat.is_myclnt != istat.is_l_myclnt) { sendto_flag(SCH_NOTICE, "Local %screase from %d to %d clients " "in %d seconds", istat.is_myclnt>istat.is_l_myclnt?"in":"de", istat.is_l_myclnt, istat.is_myclnt, timeofday - istat.is_l_myclnt_t); istat.is_l_myclnt_t = timeofday; istat.is_l_myclnt = istat.is_myclnt; } /* Send SQUIT message to 2.11 servers to tell them * the squit reason for rebroadcast on the other side * - jv */ if (IsServer(sptr)) { sendto_one(sptr, ":%s SQUIT %s :%s", me.serv->sid, sptr->serv->sid, comment); } if (cptr != NULL && sptr != cptr) { sendto_one(sptr, "ERROR :Closing Link: " "%s %s (%s)", get_client_name(sptr,FALSE), cptr->name, comment); } else { sendto_one(sptr, "ERROR :Closing Link: %s (%s)", get_client_name(sptr,FALSE), comment); } if (sptr->auth != sptr->username) { istat.is_authmem -= strlen(sptr->auth) + 1; istat.is_auth -= 1; MyFree(sptr->auth); sptr->auth = sptr->username; } } /* ** Currently only server connections can have ** depending remote clients here, but it does no ** harm to check for all local clients. In ** future some other clients than servers might ** have remotes too... ** now, I think it harms big client servers... - krys ** ** Close the Client connection first and mark it ** so that no messages are attempted to send to it. ** (The following *must* make MyConnect(sptr) == FALSE!). ** It also makes sptr->from == NULL, thus it's unnecessary ** to test whether "sptr != acptr" in the following loops. */ close_connection(sptr); } /* if (MyConnect(sptr) */ if (IsServer(sptr)) { /* Remove all dependent servers and clients. */ if (!IsMasked(sptr)) { sprintf(comment1, "%s %s", sptr->serv->up->name, sptr->name); } else { /* It was a masked server, the squit reason should ** give the right quit reason for clients. */ strncpyzt(comment1, comment, sizeof(comment1)); } /* cptr != sptr means non-local server */ if (cptr != sptr && nextconnect == 0 && find_conf_name(sptr->name, (CONF_CONNECT_SERVER|CONF_ZCONNECT_SERVER))) { /* try AC */ nextconnect = timeofday + HANGONRETRYDELAY; } exit_server(sptr, sptr, from, comment, comment1); check_split(); if ((cptr == sptr)) { /* It serves no purpose. --B. sendto_flag(SCH_SERVER, "Sending SQUIT %s (%s)", cptr->name, comment); */ return FLUSH_BUFFER; } return 0; } /* ** Try to guess from comment if the client is exiting ** normally (KILL or issued QUIT), or if it is splitting ** It requires comment for splitting users to be ** "server.some.where splitting.some.where" */ comment1[0] = '\0'; if ((sptr->flags & FLAGS_KILLED) == 0) { if (comment[0] == '"') { /* definitely user quit, see m_quit */ sptr->flags |= FLAGS_QUIT; } else { const char *c = comment; int i = 0; while (*c && *c != ' ') if (*c++ == '.') i++; if (*c++ && i) { i = 0; while (*c && *c != ' ') if (*c++ == '.') i++; if (!i || *c) sptr->flags |= FLAGS_QUIT; } else { sptr->flags |= FLAGS_QUIT; } } if (sptr == cptr && !(sptr->flags & FLAGS_QUIT)) { /* ** This will avoid nick delay to be abused by ** letting local users put a comment looking ** like a server split. */ strncpyzt(comment1, comment, HOSTLEN + HOSTLEN); strcat(comment1, " "); sptr->flags |= FLAGS_QUIT; } } exit_one_client(cptr, sptr, from, (*comment1) ? comment1 : comment); /* XXX: we probably should not call it every client exit */ /* checking every server quit should suffice --B. */ /* check_split(); */ return cptr == sptr ? FLUSH_BUFFER : 0; }