[xonotic/xonotic.git] / misc / infrastructure / keygen / response.d0ir

#!/usr/bin/perl

BEGIN
{
        $ENV{PATH} = "/usr/bin:/bin";
}

# if we are suid, set uid := euid
$( = $);
$< = $>;

use strict;
use CGI;
use LWP::Simple;
use MIME::Base64;
use File::Temp;
use DBI;
my $cgi = CGI->new();

sub error($)
{
        my ($err) = @_;
        print "Content-type: text/plain\n\nd0er $err";
        exit 0;
}

sub check_ipfiles($)
{
        my ($dir) = @_;
        my $ip = $ENV{REMOTE_ADDR};
        return 0 if -f "$dir/$ip";
        return -1;
}

sub check_dnsbl($$@)
{
        my ($goodpatterns, $badpatterns, $list) = @_;

        my $name = $ENV{REMOTE_HOST} . ".";
        my $addr = $ENV{REMOTE_ADDR};

        # check goodpatterns
        for(@$goodpatterns)
        {
                if($name =~ /^(??{$_})$/ || $addr =~ /^(??{$_})$/)
                {
                        return 0;
                }
        }
        # check badpatterns
        for(@$badpatterns)
        {
                if($name =~ /^(??{$_})$/ || $addr =~ /^(??{$_})$/)
                {
                        warn "$addr/$name blocked by $_";
                        return -1;
                }
        }

        # is he tor?
        my $h = gethostbyname $addr;
        if(not defined $h)
        {
                warn "$addr blocked by gethostbyname()";
                return -1;
        }
        
        my $blprefix = join '.', reverse unpack 'C4', $h;
        my $i = 0;
        for(@$list)
        {
                ++$i;
                my $hn = "$blprefix.$_.";
                my $h2 = gethostbyname $hn;
                next
                        if not defined $h2;
                my $h2_text = join '.', reverse unpack 'C4', $h2;
                warn "$addr blocked by $hn -> $h2_text";
                return -1;
        }

        return 0;
}

# create table ip ( id INT AUTO_INCREMENT PRIMARY KEY, ip VARCHAR(64), t DATETIME, error BOOLEAN, INDEX(ip), INDEX(t), INDEX(error) );
our $__CACHED_DBH__;

sub check_ip_record
{
        my ($DBH, $tbl, $ip) = @_;
        my $status = $DBH->selectrow_arrayref("select count(*) from $tbl where ip=? and error=false and t>date_sub(now(), interval 7 day)", undef, $ip)
                or die "DBI/DBD: $!";
        return $status->[0];
}
sub insert_ip_record
{
        my ($DBH, $tbl, $ip) = @_;
        my $status = $DBH->selectall_arrayref("select error, t>date_sub(now(), interval 7 day) from $tbl where ip=?", undef, $ip)
                or die "DBI/DBD: $!";
        if(@$status)
        {
                if($status->[0][0] || !$status->[0][1]) # error, or after interval
                {
                        $DBH->do("update $tbl set error=false, t=now() where ip=?", undef, $ip);
                        return 0;
                }
                else # too soon
                {
                        return 1;
                }
        }
        else
        {
                $DBH->do("insert into $tbl(ip, error, t) values(?, false, now())", undef, $ip);
                return 0;
        }
}
sub delete_ip_record
{
        my ($DBH, $tbl, $ip) = @_;
        $DBH->do("update $tbl set error=true where ip=?", undef, $ip);
}

sub check_sql($$$$$$$$$)
{
        my ($dsn, $u, $p, $tbl, $per32, $per24, $per16, $per8, $inc) = @_;
        my $ip = $ENV{REMOTE_ADDR};
        my $DBH = ($__CACHED_DBH__ ? $__CACHED_DBH__ : ($__CACHED_DBH__ = DBI->connect($dsn, $u, $p, { RaiseError => 1, AutoCommit => 0 })))
                or die "DBI/DBD: $!";
        eval {
                $DBH->do("set character set utf8");
                $DBH->do("set names utf8");
                $DBH->do("set time_zone = '+0:00'");
        } or do {
                undef $__CACHED_DBH__;
                die $@;
        };
        if($inc < 0)
        {
                delete_ip_record($DBH, $tbl, $ip);
                $DBH->commit();
                $DBH->disconnect();
                return 0;
        }
        elsif($inc == 0)
        {
                my $status = check_ip_record($DBH, $tbl, $ip);
                $DBH->disconnect();
                if ($status)
                {
                        warn "$ip blocked by SQL";
                }
                return $status;
        }
        else
        {
                my $status = insert_ip_record($DBH, $tbl, $ip);
                $DBH->commit();
                $DBH->disconnect();
                if ($status)
                {
                        warn "$ip blocked by SQL";
                }
                return $status;
        }
}

sub check_banlist($)
{
        my ($s) = @_;
        my $ip = $ENV{REMOTE_ADDR};
        my @s = split /\n/, get $s;
        for(0..@s/4-1)
        {
                my $i = $s[4*$_];
                if("$ip." =~ /^\Q$i\E\./)
                {
                        warn "$ip blocked by SQL";
                        return 1;
                }
        }
        return 0;
}

our %ca = ();
our $default_ca = 0;

do './config.pl';

if((my $key = $cgi->param('key')))
{
        local $| = 1;
        undef local $/;

        my $ca = $cgi->param('ca');
        $ca = $default_ca if not defined $ca;
        error "Invalid CA" if not defined $ca{$ca};
        error "Not allowed" if not $ca{$ca}->{check}->(1);
        my $tempfh = undef;
        eval
        {
                $tempfh = File::Temp->new();
                binmode $tempfh;
                my $fh = $cgi->upload('key');
                if($fh)
                {
                        binmode $fh;
                        print $tempfh $_ for <$fh>;
                }
                else
                {
                        $key =~ s/ /+/g;
                        $key = decode_base64($key);
                        print $tempfh $key;
                }
                seek $tempfh, 0, 0;

                $ENV{REQUESTFILE} = $tempfh->filename;
                $ENV{RESPONSEFILE} = $tempfh->filename;
                $ENV{SECRET} = "key_$ca.d0sk";
                open my $errfh, '-|', './crypto-keygen-standalone -P "$SECRET" -j "$REQUESTFILE" -o "$RESPONSEFILE" 2>&1'
                        or die "cannot start crypto-keygen-standalone";
                my $err = <$errfh>;
                close $errfh
                        or die "crypto-keygen-standalone failed: $err";
                1;
        }
        or do
        {
                $ca{$ca}->{check}->(-1);
                die "$@";
        };

        print "Content-type: application/octet-stream\n\n";
        binmode STDOUT;
        print for <$tempfh>;
}
else
{
        print <<EOF;
Content-type: text/html

<!doctype html>
<html>
<head>
        <title>Xonotic keygen</title>
</head>
<body>
        <h1>Xonotic keygen</h1>
        <form action="response.d0ir" method="post" enctype="multipart/form-data">
        To generate and sign a key IN GAME, follow these steps on the console:
        <ol>
                <li>crypto_keygen $default_ca http://ca.xonotic.org/?ca=$default_ca&amp;key=</li>
        </ol>
        To generate and sign a key MANUALLY, follow these steps on a UNIX command line:
        <ol>
                <li>./crypto-keygen-standalone -p key_$default_ca.d0pk -o key_$default_ca.d0si</li>
                <li>./crypto-keygen-standalone -p key_$default_ca.d0pk -I key_$default_ca.d0si -o request.d0iq -O camouflage.d0ic
                <li>Upload the request.d0iq file: <input type="file" name="key"><input type="submit"></li>
                <li>Save the response.d0ir file you are getting</li>
                <li>./crypto-keygen-standalone -p key_$default_ca.d0pk -I key_$default_ca.d0si -c camouflage.d0ic -J response.d0ir -o key_$default_ca.d0si</li>
                <li>Delete request.d0iq, camouflage.d0ic, response.d0ir</li>
        </ol>
        Your key_$default_ca.d0si key is now signed.
        <hr>
        To use another CA, please enter its number here before using this page:
        <input type="text" name="ca" value="$default_ca" size="2">
        <hr>
        REMOTE_HOST=$ENV{REMOTE_HOST}<br>
        REMOTE_ADDR=$ENV{REMOTE_ADDR}
</body>
</html>
EOF
}