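/*
 * cryptlink_key_equal - compare two n-byte key buffers without an early
 * exit, so the time taken does not depend on how many leading bytes agree.
 * Returns 1 when the buffers are equal, 0 otherwise.
 */
static int
cryptlink_key_equal(const void *a, const void *b, size_t n)
{
  const unsigned char *pa = a;
  const unsigned char *pb = b;
  unsigned char diff = 0;
  size_t i;

  for (i = 0; i < n; i++)
    diff |= (unsigned char)(pa[i] ^ pb[i]);

  return diff == 0;
}

/*
 * cryptlink_auth - CRYPTLINK AUTH message handler
 *        parv[0] == CRYPTLINK
 *        parv[1] == AUTH
 *        parv[2] == cipher name chosen by the peer
 *        parv[3] == base64 of the session key, RSA-encrypted to our public key
 *
 * Only acted on while the link is in WaitAuth.  The reply is base64
 * decoded, decrypted with ServerInfo.rsa_private_key and compared with the
 * key we handed out (localClient->in_key).  Every failure is reported via
 * cryptlink_error() and returns; success marks the link CryptIn, clears
 * WaitAuth and calls server_estab().
 *
 * enc (decoded reply) and key (decrypted plaintext) are heap buffers owned
 * by this function and are released on every path once the comparison is
 * done.  source_p is unused but part of the handler signature.
 */
static void
cryptlink_auth(struct Client *client_p, struct Client *source_p,
               int parc, char *parv[])
{
  struct EncCapability *ecap;
  struct ConfItem *conf;
  struct AccessItem *aconf;
  int   enc_len;
  int   len;
  int   key_ok;
  unsigned char *enc;
  unsigned char *key;

  if (parc < 4)
  {
    cryptlink_error(client_p, "AUTH", "Invalid params",
                    "CRYPTLINK AUTH - Invalid params");
    return;
  }

  if (!IsWaitAuth(client_p))
    return;

  /* Accept the peer's cipher only if it is one we advertised to it. */
  for (ecap = CipherTable; ecap->name; ecap++)
  {
    if ((!irccmp(ecap->name, parv[2])) &&
        (IsCapableEnc(client_p, ecap->cap)))
    {
      client_p->localClient->in_cipher = ecap;
      break;
    }
  }

  if (client_p->localClient->in_cipher == NULL)
  {
    cryptlink_error(client_p, "AUTH", "Invalid cipher", "Invalid cipher");
    return;
  }

  /* unbase64_block() allocates *enc; a zero return means nothing decoded. */
  if (!(enc_len = unbase64_block(&enc, parv[3], strlen(parv[3]))))
  {
    cryptlink_error(client_p, "AUTH",
                    "Could not base64 decode response",
                    "Malformed CRYPTLINK AUTH reply");
    return;
  }

  if (verify_private_key() == -1)
  {
    sendto_realops_flags(UMODE_ALL, L_ADMIN,
      "verify_private_key() returned -1.  Check log for information.");
  }

  /* verify_private_key() only warns.  RSA_size()/RSA_private_decrypt()
   * dereference the key, so refuse the link rather than crash on a
   * missing one. */
  if (ServerInfo.rsa_private_key == NULL)
  {
    cryptlink_error(client_p, "AUTH",
                    "No server private key loaded",
                    "CRYPTLINK AUTH - no private key");
    MyFree(enc);
    return;
  }

  key = MyMalloc(RSA_size(ServerInfo.rsa_private_key));
  len = RSA_private_decrypt(enc_len, enc, key,
                            ServerInfo.rsa_private_key,
                            RSA_PKCS1_PADDING);

  /* len < 0 is a decrypt/padding failure; a short plaintext is rejected as
   * well, since the compare below reads keylen bytes of key.  The peer gets
   * the same reason text either way. */
  if (len < client_p->localClient->in_cipher->keylen)
  {
    report_crypto_errors();
    cryptlink_error(client_p, "AUTH",
                    (len < 0) ? "Decryption failed"
                              : "Not enough random data sent",
                    "Malformed CRYPTLINK AUTH reply");
    MyFree(enc);
    MyFree(key);
    return;
  }

  /* Compare in constant time, then release both buffers on every path
   * (they previously leaked on mismatch and on success). */
  key_ok = cryptlink_key_equal(key, client_p->localClient->in_key,
                               (size_t)client_p->localClient->in_cipher->keylen);
  MyFree(enc);
  MyFree(key);

  if (!key_ok)
  {
    cryptlink_error(client_p, "AUTH",
                    "Unauthorized server connection attempt",
                    "Malformed CRYPTLINK AUTH reply");
    return;
  }

  conf = find_conf_name(&client_p->localClient->confs,
                        client_p->name, SERVER_TYPE);

  if (conf == NULL)
  {
    cryptlink_error(client_p, "AUTH",
                    "Lost C-line for server",
                    "Lost C-line");
    return;
  }

  aconf = (struct AccessItem *)map_to_conf(conf);

  /* Reuse an outbound cipher negotiated earlier, else pick one now. */
  if (!(client_p->localClient->out_cipher ||
      (client_p->localClient->out_cipher = check_cipher(client_p, aconf))))
  {
    cryptlink_error(client_p, "AUTH",
                    "Couldn't find compatible cipher",
                    "Couldn't find compatible cipher");
    return;
  }

  /* A directly linked server is always one hop away. */
  client_p->hopcount = 1;

  SetCryptIn(client_p);
  ClearWaitAuth(client_p);
  server_estab(client_p);
}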
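/*
 * cryptlink_serv - CRYPTLINK SERV message handler
 *        parv[0] == CRYPTLINK
 *        parv[1] == SERV
 *        parv[2] == server name
 *        parv[3] == keyphrase
 *        parv[4] == :server info (M-line)
 *
 * Validates the introducing server (parse_cryptserv_args(), bogus_host(),
 * check_server(), duplicate-server and LazyLink capability checks), stores
 * its name and info on client_p, then encrypts our outbound session key
 * (localClient->out_key, filled in by parse_cryptserv_args()) to the peer's
 * configured RSA public key and sends it back as CRYPTLINK AUTH.
 *
 * All error paths report through cryptlink_error() and return; what that
 * does to the connection is defined elsewhere.  encrypted and b64_key are
 * heap buffers owned here and freed before return.  source_p is unused but
 * part of the handler signature.
 */
static void
cryptlink_serv(struct Client *client_p, struct Client *source_p,
               int parc, char *parv[])
{
  char info[REALLEN + 1];
  char *name;
  struct Client *target_p;
  char *key = client_p->localClient->out_key;
  unsigned char *b64_key;
  struct ConfItem *conf;
  struct AccessItem *aconf;
  char *encrypted;
  const char *p;
  int enc_len;

  if ((parc < 5) || (*parv[4] == '\0'))
  {
    cryptlink_error(client_p, "SERV", "Invalid params",
                    "CRYPTLINK SERV - Invalid params");
    return;
  }

  /* Fills info and key (out_key) as a side effect; NULL means bad args. */
  if ((name = parse_cryptserv_args(client_p, parv, parc, info, key)) == NULL)
  {
    cryptlink_error(client_p, "SERV", "Invalid params",
                    "CRYPTLINK SERV - Invalid params");
    return;
  }

  /* CRYPTLINK SERV support => TS support */
  client_p->tsinfo = TS_DOESTS;

  if (bogus_host(name))
  {
    exit_client(client_p, client_p, "Bogus server name");
    return;
  }

  /* Now we just have to call check_server and everything should be
   * checked for us... -A1kmm. */
  switch (check_server(name, client_p, CHECK_SERVER_CRYPTLINK))
  {
    case -1:
      /* No client reason is passed here, so the link is closed explicitly
       * below whether or not the notice was sent. */
      if (ConfigFileEntry.warn_no_nline)
      {
        cryptlink_error(client_p, "SERV",
          "Unauthorized server connection attempt: No entry for server",
          NULL);
      }
      exit_client(client_p, client_p, "Invalid server name");
      return;
    case -2:
      cryptlink_error(client_p, "SERV",
        "Unauthorized server connection attempt: CRYPTLINK not "
                                      "enabled on remote server",
        "CRYPTLINK not enabled");
      return;
    case -3:
      cryptlink_error(client_p, "SERV",
        "Unauthorized server connection attempt: Invalid host",
        "Invalid host");
      return;
    default:
      /* anything else is accepted */
      break;
  }

  if ((target_p = find_server(name)))
  {
    /*
     * This link is trying feed me a server that I already have
     * access through another path -- multiple paths not accepted
     * currently, kill this link immediately!!
     *
     * Rather than KILL the link which introduced it, KILL the
     * youngest of the two links. -avalon
     *
     * Definitely don't do that here. This is from an unregistered
     * connect - A1kmm.
     */
    cryptlink_error(client_p, "SERV",
                    "Attempt to re-introduce existing server",
                    "Server Exists");
    return;
  }

  /* LazyLink sanity: a hub may only LL to a leaf and a leaf only to a hub.
   * Offending combinations fall back to a normal link by clearing CAP_LL. */
  if (ServerInfo.hub && IsCapable(client_p, CAP_LL))
  {
    if (IsCapable(client_p, CAP_HUB))
    {
      ClearCap(client_p, CAP_LL);
      sendto_realops_flags(UMODE_ALL, L_ALL,
           "*** LazyLinks to a hub from a hub, that's a no-no.");
    }
    else
    {
      client_p->localClient->serverMask = nextFreeMask();

      if (!client_p->localClient->serverMask)
      {
        sendto_realops_flags(UMODE_ALL, L_ALL,
                             "serverMask is full!");
        /* try and negotiate a non LL connect */
        ClearCap(client_p, CAP_LL);
      }
    }
  }
  else if (IsCapable(client_p, CAP_LL))
  {
    if (!IsCapable(client_p, CAP_HUB))
    {
      ClearCap(client_p, CAP_LL);
      sendto_realops_flags(UMODE_ALL, L_ALL,
        "*** LazyLinks to a leaf from a leaf, that's a no-no.");
    }
  }

  conf = find_conf_name(&client_p->localClient->confs,
                        name, SERVER_TYPE);
  if (conf == NULL)
  {
    cryptlink_error(client_p, "SERV",
                    "Lost C-line for server",
                    "Lost C-line");
    return;
  }

  /*
   * When we initiated the connection (Handshake) client_p->name was already
   * set from the connect {} block; copying the verified name is harmless
   * in that case and required when the peer connected to us.
   */
  strlcpy(client_p->name, name, sizeof(client_p->name));

  p = info;

  /* "(H) <location>" marks a hidden server; keep only the location part. */
  if (!strncmp(info, "(H)", 3))
  {
    SetHidden(client_p);

    if ((p = strchr(info, ' ')) != NULL)
    {
      p++;
      if (*p == '\0')
        p = "(Unknown Location)";
    }
    else
      p = "(Unknown Location)";
  }

  strlcpy(client_p->info, p, sizeof(client_p->info));
  client_p->hopcount = 0;

  aconf = (struct AccessItem *)map_to_conf(conf);

  /* Reuse an outbound cipher negotiated earlier, else pick one now. */
  if (!(client_p->localClient->out_cipher ||
      (client_p->localClient->out_cipher = check_cipher(client_p, aconf))))
  {
    cryptlink_error(client_p, "SERV",
                    "Couldn't find compatible cipher",
                    "Couldn't find compatible cipher");
    return;
  }

  /* Encrypt keylen bytes of out_key to the peer's public key from its
   * connect {} block; only the peer's private key can recover it. */
  encrypted = MyMalloc(RSA_size(ServerInfo.rsa_private_key));
  enc_len   = RSA_public_encrypt(client_p->localClient->out_cipher->keylen,
                               (unsigned char *)key,
                               (unsigned char *)encrypted,
                               aconf->rsa_public_key,
                               RSA_PKCS1_PADDING);

  if (enc_len <= 0)
  {
    report_crypto_errors();
    MyFree(encrypted);
    cryptlink_error(client_p, "SERV",
                    "Couldn't encrypt data",
                    "Couldn't encrypt data");
    return;
  }

  /* base64_block() allocates *b64_key; start from NULL so a failure that
   * leaves the output untouched is caught before it reaches sendto_one(). */
  b64_key = NULL;
  base64_block(&b64_key, encrypted, enc_len);

  MyFree(encrypted);

  if (b64_key == NULL)
  {
    cryptlink_error(client_p, "SERV",
                    "Couldn't base64 encode data",
                    "Couldn't encode data");
    return;
  }

  if (!IsWaitAuth(client_p))
  {
    cryptlink_init(client_p, conf, NULL);
  }

  sendto_one(client_p, "CRYPTLINK AUTH %s %s",
             client_p->localClient->out_cipher->name,
             b64_key);

  /* needed for old servers that can't shove data back into slink */
  send_queued_write(client_p);

  SetCryptOut(client_p);
  MyFree(b64_key);
}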
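/*
** exit_client
**	This is old "m_bye". Name  changed, because this is not a
**	protocol function, but a general server utility function.
**
**	This function exits a client of *any* type (user, server, etc)
**	from this server. Also, this generates all necessary protocol
**	messages that this exit may cause.
**
**   1) If the client is a local client, then this implicitly
**	exits all other clients depending on this connection (e.g.
**	remote clients having 'from'-field that points to this.
**
**   2) If the client is a remote client, then only this is exited.
**
** For convenience, this function returns a suitable value for
** m_function return value:
**
**	FLUSH_BUFFER	if (cptr == sptr)
**	0		if (cptr != sptr)
**
**	Parameters:
**
**	aClient *cptr
** 		The local client originating the exit or NULL, if this
** 		exit is generated by this server for internal reasons.
** 		This will not get any of the generated messages.
**	aClient *sptr
**		Client exiting
**	aClient *from
**		Client firing off this Exit, never NULL!
**	char	*comment
**		Reason for the exit
**
** Notes:
**	- comment1 is sized for "<up->name> <name>" with both names at
**	  most HOSTLEN, plus separator and NUL.  The server branch writes
**	  it with snprintf so a longer name is truncated instead of
**	  overrunning the stack.
**	- For a local user whose comment looks like a server split
**	  ("a.b c.d"), a trailing space is appended so remote servers do
**	  not mistake a user-supplied quit message for a netsplit.
*/
int	exit_client(aClient *cptr, aClient *sptr, aClient *from,
		const char *comment)
{
	char	comment1[HOSTLEN + HOSTLEN + 2];

	if (MyConnect(sptr))
	{
		if (sptr->flags & FLAGS_KILLED)
		{
			sendto_flag(SCH_NOTICE, "Killed: %s.",
				    get_client_name(sptr, TRUE));
			sptr->exitc = EXITC_KILL;
		}

		sptr->flags |= FLAGS_CLOSING;
#if (defined(FNAME_USERLOG) || defined(FNAME_CONNLOG) \
     || defined(USE_SERVICES)) \
    || (defined(USE_SYSLOG) && (defined(SYSLOG_USERS) || defined(SYSLOG_CONN)))
		if (IsPerson(sptr))
		{
# if defined(FNAME_USERLOG) || defined(USE_SERVICES) || \
	(defined(USE_SYSLOG) && defined(SYSLOG_USERS))
			sendto_flog(sptr, EXITC_REG, sptr->user->username,
				    sptr->user->host);
# endif
# if defined(CLIENTS_CHANNEL) && (CLIENTS_CHANNEL_LEVEL & CCL_QUIT)
			sendto_flag(SCH_CLIENT, "%s %s %s %s QUIT %c"
#  if (CLIENTS_CHANNEL_LEVEL & CCL_QUITINFO)
				" :%s"
#  endif
				, sptr->user->uid, sptr->name,
				sptr->user->username, sptr->user->host,
				sptr->exitc
#  if (CLIENTS_CHANNEL_LEVEL & CCL_QUITINFO)
				, comment
#  endif
				);
# endif
		}
		else if (!IsService(sptr))
		{
# if defined(FNAME_CONNLOG) || defined(USE_SERVICES) || \
	(defined(USE_SYSLOG) && defined(SYSLOG_CONN))
			/* Unregistered/server connections without an exit
			** code are logged as EXITC_UNDEF. */
			if (sptr->exitc == '\0' || sptr->exitc == EXITC_REG)
			{
				sptr->exitc = EXITC_UNDEF;
			}
			sendto_flog(sptr, sptr->exitc,
				    sptr->user && sptr->user->username ?
				    sptr->user->username : "",
#ifdef UNIXPORT
				    (IsUnixSocket(sptr)) ? me.sockhost :
#endif
				    ((sptr->hostp) ? sptr->hostp->h_name :
				     sptr->sockhost));
# endif
		}
#endif
		if (MyConnect(sptr))
		{
			/* Keep the local connection counters in step. */
			if (IsPerson(sptr))
			{
				istat.is_myclnt--;
			}
			else if (IsServer(sptr))
			{
				istat.is_myserv--;
			}
			else if (IsService(sptr))
			{
				istat.is_myservice--;
			}
			else
			{
				istat.is_unknown--;
			}

			/* Report local client count changes every CLCHNO
			** clients. */
			if (istat.is_myclnt % CLCHNO == 0 &&
				istat.is_myclnt != istat.is_l_myclnt)
			{
				sendto_flag(SCH_NOTICE,
					"Local %screase from %d to %d clients "
					"in %d seconds",
					istat.is_myclnt>istat.is_l_myclnt?"in":"de",
					istat.is_l_myclnt, istat.is_myclnt,
					timeofday - istat.is_l_myclnt_t);
				istat.is_l_myclnt_t = timeofday;
				istat.is_l_myclnt = istat.is_myclnt;
			}
			/* Send SQUIT message to 2.11 servers to tell them
			 * the squit reason for rebroadcast on the other side
			 * - jv
			 */
			if (IsServer(sptr))
			{
				sendto_one(sptr, ":%s SQUIT %s :%s",
					me.serv->sid, sptr->serv->sid,
					comment);
			}

			if (cptr != NULL && sptr != cptr)
			{
				sendto_one(sptr, "ERROR :Closing Link: "
					"%s %s (%s)",
					get_client_name(sptr,FALSE),
					cptr->name, comment);
			}
			else
			{
				sendto_one(sptr, "ERROR :Closing Link: %s (%s)",
					get_client_name(sptr,FALSE), comment);
			}

			/* auth only owns its own allocation when it does not
			** alias username. */
			if (sptr->auth != sptr->username)
			{
				istat.is_authmem -= strlen(sptr->auth) + 1;
				istat.is_auth -= 1;
				MyFree(sptr->auth);
				sptr->auth = sptr->username;
			}
		}
		/*
		** Currently only server connections can have
		** depending remote clients here, but it does no
		** harm to check for all local clients. In
		** future some other clients than servers might
		** have remotes too...
		** now, I think it harms big client servers... - krys
		**
		** Close the Client connection first and mark it
		** so that no messages are attempted to send to it.
		** (The following *must* make MyConnect(sptr) == FALSE!).
		** It also makes sptr->from == NULL, thus it's unnecessary
		** to test whether "sptr != acptr" in the following loops.
		*/
		close_connection(sptr);

	} /* if (MyConnect(sptr) */

	if (IsServer(sptr))
	{
		/* Remove all dependent servers and clients. */
		if (!IsMasked(sptr))
		{
			/* Bounded: a name longer than HOSTLEN would
			** otherwise overrun comment1. */
			snprintf(comment1, sizeof(comment1), "%s %s",
				sptr->serv->up->name, sptr->name);
		}
		else
		{
			/* It was a masked server, the squit reason should
			** give the right quit reason for clients. */
			strncpyzt(comment1, comment, sizeof(comment1));
		}
		/* cptr != sptr means non-local server */
		if (cptr != sptr &&
			nextconnect == 0 && find_conf_name(sptr->name,
			(CONF_CONNECT_SERVER|CONF_ZCONNECT_SERVER)))
		{
			/* try AC */
			nextconnect = timeofday + HANGONRETRYDELAY;
		}
		exit_server(sptr, sptr, from, comment, comment1);
		check_split();
		if (cptr == sptr)
		{
			return FLUSH_BUFFER;
		}
		return 0;
	}

	/*
	** Try to guess from comment if the client is exiting
	** normally (KILL or issued QUIT), or if it is splitting
	** It requires comment for splitting users to be
	** "server.some.where splitting.some.where"
	*/
	comment1[0] = '\0';
	if ((sptr->flags & FLAGS_KILLED) == 0)
	{
		if (comment[0] == '"')
		{
			/* definitely user quit, see m_quit */
			sptr->flags |= FLAGS_QUIT;
		}
		else
		{
			/* A split comment is two dotted words separated by
			** one space and nothing else; anything that does
			** not fit that shape is a plain quit. */
			const char *c = comment;
			int i = 0;
			while (*c && *c != ' ')
				if (*c++ == '.')
					i++;
			if (*c++ && i)
			{
				i = 0;
				while (*c && *c != ' ')
					if (*c++ == '.')
						i++;
				if (!i || *c)
					sptr->flags |= FLAGS_QUIT;
			}
			else
			{
				sptr->flags |= FLAGS_QUIT;
			}
		}

		if (sptr == cptr && !(sptr->flags & FLAGS_QUIT))
		{
			/*
			** This will avoid nick delay to be abused by
			** letting local users put a comment looking
			** like a server split.
			** strncpyzt() leaves room for the appended
			** space and NUL within comment1.
			*/
			strncpyzt(comment1, comment, HOSTLEN + HOSTLEN);
			strcat(comment1, " ");
			sptr->flags |= FLAGS_QUIT;
		}
	}

	exit_one_client(cptr, sptr, from, (*comment1) ? comment1 : comment);
	/* XXX: we probably should not call it every client exit */
	/* checking every server quit should suffice --B. */
	/* check_split(); */
	return cptr == sptr ? FLUSH_BUFFER : 0;
}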