/*
* cryptlink_serv - CRYPTLINK SERV message handler
* parv[0] == CRYPTLINK
* parv[1] == SERV
* parv[2] == server name
* parv[3] == keyphrase
* parv[4] == :server info (M-line)
*/
static void
cryptlink_serv(struct Client *client_p, struct Client *source_p,
int parc, char *parv[])
{
char info[REALLEN + 1];
char *name;
struct Client *target_p;
char *key = client_p->localClient->out_key;
unsigned char *b64_key;
struct ConfItem *conf;
struct AccessItem *aconf;
char *encrypted;
const char *p;
int enc_len;
/*
if (client_p->name[0] != 0)
return;
*/
if ((parc < 5) || (*parv[4] == '\0'))
{
cryptlink_error(client_p, "SERV", "Invalid params",
"CRYPTLINK SERV - Invalid params");
return;
}
if ((name = parse_cryptserv_args(client_p, parv, parc, info, key)) == NULL)
{
cryptlink_error(client_p, "SERV", "Invalid params",
"CRYPTLINK SERV - Invalid params");
return;
}
/* CRYPTLINK SERV support => TS support */
client_p->tsinfo = TS_DOESTS;
if (bogus_host(name))
{
exit_client(client_p, client_p, "Bogus server name");
return;
}
/* Now we just have to call check_server and everything should be
* checked for us... -A1kmm. */
switch (check_server(name, client_p, CHECK_SERVER_CRYPTLINK))
{
case -1:
if (ConfigFileEntry.warn_no_nline)
{
cryptlink_error(client_p, "SERV",
"Unauthorized server connection attempt: No entry for server",
NULL);
}
exit_client(client_p, client_p, "Invalid server name");
return;
break;
case -2:
cryptlink_error(client_p, "SERV",
"Unauthorized server connection attempt: CRYPTLINK not "
"enabled on remote server",
"CRYPTLINK not enabled");
return;
break;
case -3:
cryptlink_error(client_p, "SERV",
"Unauthorized server connection attempt: Invalid host",
"Invalid host");
return;
break;
}
if ((target_p = find_server(name)))
{
/*
* This link is trying feed me a server that I already have
* access through another path -- multiple paths not accepted
* currently, kill this link immediately!!
*
* Rather than KILL the link which introduced it, KILL the
* youngest of the two links. -avalon
*
* Definitely don't do that here. This is from an unregistered
* connect - A1kmm.
*/
cryptlink_error(client_p, "SERV",
"Attempt to re-introduce existing server",
"Server Exists");
return;
}
if (ServerInfo.hub && IsCapable(client_p, CAP_LL))
{
if (IsCapable(client_p, CAP_HUB))
{
ClearCap(client_p,CAP_LL);
sendto_realops_flags(UMODE_ALL, L_ALL,
"*** LazyLinks to a hub from a hub, that's a no-no.");
}
else
{
client_p->localClient->serverMask = nextFreeMask();
if(!client_p->localClient->serverMask)
{
sendto_realops_flags(UMODE_ALL, L_ALL,
"serverMask is full!");
/* try and negotiate a non LL connect */
ClearCap(client_p,CAP_LL);
}
}
}
else if (IsCapable(client_p, CAP_LL))
{
if (!IsCapable(client_p, CAP_HUB))
{
ClearCap(client_p,CAP_LL);
sendto_realops_flags(UMODE_ALL, L_ALL,
"*** LazyLinks to a leaf from a leaf, that's a no-no.");
}
}
conf = find_conf_name(&client_p->localClient->confs,
name, SERVER_TYPE);
if (conf == NULL)
{
cryptlink_error(client_p, "AUTH",
"Lost C-line for server",
"Lost C-line" );
return;
}
/*
* if we are connecting (Handshake), we already have the name from the
* connect {} block in client_p->name
*/
strlcpy(client_p->name, name, sizeof(client_p->name));
p = info;
if (!strncmp(info, "(H)", 3))
{
SetHidden(client_p);
if ((p = strchr(info, ' ')) != NULL)
{
p++;
if (*p == '\0')
p = "(Unknown Location)";
}
else
p = "(Unknown Location)";
}
strlcpy(client_p->info, p, sizeof(client_p->info));
client_p->hopcount = 0;
aconf = (struct AccessItem *)map_to_conf(conf);
if (!(client_p->localClient->out_cipher ||
(client_p->localClient->out_cipher = check_cipher(client_p, aconf))))
{
cryptlink_error(client_p, "AUTH",
"Couldn't find compatible cipher",
"Couldn't find compatible cipher");
return;
}
encrypted = MyMalloc(RSA_size(ServerInfo.rsa_private_key));
enc_len = RSA_public_encrypt(client_p->localClient->out_cipher->keylen,
(unsigned char *)key,
(unsigned char *)encrypted,
aconf->rsa_public_key,
RSA_PKCS1_PADDING);
if (enc_len <= 0)
{
report_crypto_errors();
MyFree(encrypted);
cryptlink_error(client_p, "AUTH",
"Couldn't encrypt data",
"Couldn't encrypt data");
return;
}
base64_block(&b64_key, encrypted, enc_len);
MyFree(encrypted);
if (!IsWaitAuth(client_p))
{
cryptlink_init(client_p, conf, NULL);
}
sendto_one(client_p, "CRYPTLINK AUTH %s %s",
client_p->localClient->out_cipher->name,
b64_key);
/* needed for old servers that can't shove data back into slink */
send_queued_write(client_p);
SetCryptOut(client_p);
MyFree(b64_key);
}
static
int
tc_build_cipher_chains(void)
{
struct tc_cipher_chain *chain, *elem, *prev;
int i = 0;
int k;
while (valid_cipher_chains[i][0] != NULL) {
chain = NULL;
prev = NULL;
k = 0;
while (valid_cipher_chains[i][k] != NULL) {
if ((elem = alloc_safe_mem(sizeof(*elem))) == NULL) {
tc_log(1, "Error allocating memory for "
"cipher chain\n");
return -1;
}
/* Initialize first element of chain */
if (chain == NULL) {
chain = elem;
elem->prev = NULL;
}
/* Populate previous element */
if (prev != NULL) {
prev->next = elem;
elem->prev = prev;
}
/* Assume we are the last element in the chain */
elem->next = NULL;
/* Initialize other fields */
elem->cipher = check_cipher(valid_cipher_chains[i][k], 0);
if (elem->cipher == NULL)
return -1;
elem->key = NULL;
prev = elem;
++k;
}
/* Store cipher chain */
tc_cipher_chains[i++] = chain;
/* Integrity check */
if (i >= MAX_CIPHER_CHAINS) {
tc_log(1, "FATAL: tc_cipher_chains is full!!\n");
return -1;
}
/* Make sure array is NULL terminated */
tc_cipher_chains[i] = NULL;
}
return 0;
}
/*
* cryptlink_auth - CRYPTLINK AUTH message handler
* parv[1] = secret key
*/
static void
cryptlink_auth(struct Client *client_p, struct Client *source_p,
int parc, char *parv[])
{
struct EncCapability *ecap;
struct ConfItem *conf;
struct AccessItem *aconf;
int enc_len;
int len;
unsigned char *enc;
unsigned char *key;
if (parc < 4)
{
cryptlink_error(client_p, "AUTH", "Invalid params",
"CRYPTLINK AUTH - Invalid params");
return;
}
if (!IsWaitAuth(client_p))
return;
for (ecap = CipherTable; ecap->name; ecap++)
{
if ((!irccmp(ecap->name, parv[2])) &&
(IsCapableEnc(client_p, ecap->cap)))
{
client_p->localClient->in_cipher = ecap;
break;
}
}
if (client_p->localClient->in_cipher == NULL)
{
cryptlink_error(client_p, "AUTH", "Invalid cipher", "Invalid cipher");
return;
}
if (!(enc_len = unbase64_block(&enc, parv[3], strlen(parv[3]))))
{
cryptlink_error(client_p, "AUTH",
"Could not base64 decode response",
"Malformed CRYPTLINK AUTH reply");
return;
}
if (verify_private_key() == -1)
{
sendto_realops_flags(UMODE_ALL, L_ADMIN,
"verify_private_key() returned -1. Check log for information.");
}
key = MyMalloc(RSA_size(ServerInfo.rsa_private_key));
len = RSA_private_decrypt(enc_len, (unsigned char *)enc,(unsigned char *)key,
ServerInfo.rsa_private_key,
RSA_PKCS1_PADDING);
if (len < client_p->localClient->in_cipher->keylen)
{
report_crypto_errors();
if (len < 0)
{
cryptlink_error(client_p, "AUTH",
"Decryption failed",
"Malformed CRYPTLINK AUTH reply");
}
else
{
cryptlink_error(client_p, "AUTH",
"Not enough random data sent",
"Malformed CRYPTLINK AUTH reply");
}
MyFree(enc);
MyFree(key);
return;
}
if (memcmp(key, client_p->localClient->in_key,
client_p->localClient->in_cipher->keylen) != 0)
{
cryptlink_error(client_p, "AUTH",
"Unauthorized server connection attempt",
"Malformed CRYPTLINK AUTH reply");
return;
}
conf = find_conf_name(&client_p->localClient->confs,
client_p->name, SERVER_TYPE);
if (conf == NULL)
{
cryptlink_error(client_p, "AUTH",
"Lost C-line for server",
"Lost C-line");
return;
}
aconf = (struct AccessItem *)map_to_conf(conf);
if (!(client_p->localClient->out_cipher ||
(client_p->localClient->out_cipher = check_cipher(client_p, aconf))))
{
cryptlink_error(client_p, "AUTH",
"Couldn't find compatible cipher",
"Couldn't find compatible cipher");
return;
}
/* set hopcount */
client_p->hopcount = 1;
SetCryptIn(client_p);
ClearWaitAuth(client_p);
server_estab(client_p);
}
