2007-01-25 07:40:21 +01:00
|
|
|
/* modules/m_sasl.c
|
|
|
|
* Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
|
2011-04-04 00:44:07 +02:00
|
|
|
* Copyright (C) 2006 charybdis development team
|
2007-01-25 07:40:21 +01:00
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions are
|
|
|
|
* met:
|
|
|
|
*
|
|
|
|
* 1.Redistributions of source code must retain the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
* 2.Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3.The name of the author may not be used to endorse or promote products
|
|
|
|
* derived from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
|
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
|
|
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
2016-08-13 05:05:54 +02:00
|
|
|
using namespace ircd;
|
|
|
|
|
2016-03-09 08:29:41 +01:00
|
|
|
static const char sasl_desc[] = "Provides SASL authentication support";
|
|
|
|
|
2016-03-09 08:37:03 +01:00
|
|
|
static void m_authenticate(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
|
|
|
|
static void me_sasl(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
|
|
|
|
static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
static void abort_sasl(struct Client *);
|
|
|
|
static void abort_sasl_exit(hook_data_client_exit *);
|
|
|
|
|
2015-03-01 07:58:40 +01:00
|
|
|
static void advertise_sasl(struct Client *);
|
|
|
|
static void advertise_sasl_exit(hook_data_client_exit *);
|
|
|
|
|
2016-02-28 08:02:10 +01:00
|
|
|
static unsigned int CLICAP_SASL = 0;
|
|
|
|
static char mechlist_buf[BUFSIZE];
|
2016-02-28 07:28:41 +01:00
|
|
|
|
2007-01-25 07:40:21 +01:00
|
|
|
struct Message authenticate_msgtab = {
|
2016-02-19 23:42:40 +01:00
|
|
|
"AUTHENTICATE", 0, 0, 0, 0,
|
2015-02-16 00:10:39 +01:00
|
|
|
{{m_authenticate, 2}, {m_authenticate, 2}, mg_ignore, mg_ignore, mg_ignore, {m_authenticate, 2}}
|
2007-01-25 07:40:21 +01:00
|
|
|
};
|
|
|
|
struct Message sasl_msgtab = {
|
2016-02-19 23:42:40 +01:00
|
|
|
"SASL", 0, 0, 0, 0,
|
2007-01-25 07:40:21 +01:00
|
|
|
{mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_sasl, 5}, mg_ignore}
|
|
|
|
};
|
2016-02-28 08:02:10 +01:00
|
|
|
struct Message mechlist_msgtab = {
|
|
|
|
"MECHLIST", 0, 0, 0, 0,
|
|
|
|
{mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_mechlist, 2}, mg_ignore}
|
|
|
|
};
|
2007-01-25 07:40:21 +01:00
|
|
|
|
2014-03-03 05:25:47 +01:00
|
|
|
mapi_clist_av1 sasl_clist[] = {
|
2016-02-28 08:02:10 +01:00
|
|
|
&authenticate_msgtab, &sasl_msgtab, &mechlist_msgtab, NULL
|
2007-01-25 07:40:21 +01:00
|
|
|
};
|
|
|
|
mapi_hfn_list_av1 sasl_hfnlist[] = {
|
|
|
|
{ "new_local_user", (hookfn) abort_sasl },
|
|
|
|
{ "client_exit", (hookfn) abort_sasl_exit },
|
2015-03-01 07:58:40 +01:00
|
|
|
{ "new_remote_user", (hookfn) advertise_sasl },
|
|
|
|
{ "client_exit", (hookfn) advertise_sasl_exit },
|
2007-01-25 07:40:21 +01:00
|
|
|
{ NULL, NULL }
|
|
|
|
};
|
|
|
|
|
2016-03-09 08:37:03 +01:00
|
|
|
static bool
|
2016-03-06 01:56:36 +01:00
|
|
|
sasl_visible(struct Client *client_p)
|
2016-02-28 07:28:41 +01:00
|
|
|
{
|
|
|
|
struct Client *agent_p = NULL;
|
|
|
|
|
|
|
|
if (ConfigFileEntry.sasl_service)
|
|
|
|
agent_p = find_named_client(ConfigFileEntry.sasl_service);
|
|
|
|
|
|
|
|
return agent_p != NULL && IsService(agent_p);
|
|
|
|
}
|
|
|
|
|
2016-02-28 08:02:10 +01:00
|
|
|
static const char *
|
2016-03-06 01:56:36 +01:00
|
|
|
sasl_data(struct Client *client_p)
|
2016-02-28 08:02:10 +01:00
|
|
|
{
|
|
|
|
return *mechlist_buf != 0 ? mechlist_buf : NULL;
|
|
|
|
}
|
|
|
|
|
2016-02-28 07:28:41 +01:00
|
|
|
static struct ClientCapability capdata_sasl = {
|
|
|
|
.visible = sasl_visible,
|
2016-02-28 08:02:10 +01:00
|
|
|
.data = sasl_data,
|
2016-02-28 07:28:41 +01:00
|
|
|
.flags = CLICAP_FLAGS_STICKY,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
|
|
|
_modinit(void)
|
|
|
|
{
|
2016-02-28 08:02:10 +01:00
|
|
|
memset(mechlist_buf, 0, sizeof mechlist_buf);
|
2016-07-31 10:18:22 +02:00
|
|
|
CLICAP_SASL = cli_capindex.put("sasl", &capdata_sasl);
|
2016-02-28 07:28:41 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_moddeinit(void)
|
|
|
|
{
|
2016-07-31 10:18:22 +02:00
|
|
|
cli_capindex.orphan("sasl");
|
2016-02-28 07:28:41 +01:00
|
|
|
}
|
|
|
|
|
2016-03-07 09:05:28 +01:00
|
|
|
DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, NULL, NULL, sasl_desc);
|
2007-01-25 07:40:21 +01:00
|
|
|
|
2016-03-09 08:37:03 +01:00
|
|
|
static void
|
2016-02-11 03:54:17 +01:00
|
|
|
m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
|
2007-01-25 07:40:21 +01:00
|
|
|
int parc, const char *parv[])
|
|
|
|
{
|
|
|
|
struct Client *agent_p = NULL;
|
2015-02-14 10:41:10 +01:00
|
|
|
struct Client *saslserv_p = NULL;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
/* They really should use CAP for their own sake. */
|
|
|
|
if(!IsCapable(source_p, CLICAP_SASL))
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
2016-04-11 20:38:43 +02:00
|
|
|
if(source_p->localClient->sasl_next_retry > rb_current_time())
|
|
|
|
{
|
|
|
|
sendto_one(source_p, form_str(RPL_LOAD2HI), me.name, EmptyString(source_p->name) ? "*" : source_p->name, msgbuf_p->cmd);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if(strlen(client_p->id) == 3)
|
2011-03-31 23:26:26 +02:00
|
|
|
{
|
|
|
|
exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2011-03-31 23:26:26 +02:00
|
|
|
}
|
|
|
|
|
2015-02-14 10:41:10 +01:00
|
|
|
saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
|
2016-04-11 20:38:43 +02:00
|
|
|
if(saslserv_p == NULL || !IsService(saslserv_p))
|
2015-02-14 10:41:10 +01:00
|
|
|
{
|
|
|
|
sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2015-02-14 10:41:10 +01:00
|
|
|
}
|
|
|
|
|
2015-02-16 22:39:36 +01:00
|
|
|
if(source_p->localClient->sasl_complete)
|
2007-01-25 07:40:21 +01:00
|
|
|
{
|
2015-02-28 07:48:43 +01:00
|
|
|
*source_p->localClient->sasl_agent = '\0';
|
2015-02-16 22:39:36 +01:00
|
|
|
source_p->localClient->sasl_complete = 0;
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if(strlen(parv[1]) > 400)
|
|
|
|
{
|
|
|
|
sendto_one(source_p, form_str(ERR_SASLTOOLONG), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if(!*source_p->id)
|
|
|
|
{
|
|
|
|
/* Allocate a UID. */
|
2016-05-15 05:57:16 +02:00
|
|
|
rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
|
2007-01-25 07:40:21 +01:00
|
|
|
add_to_id_hash(source_p->id, source_p);
|
|
|
|
}
|
|
|
|
|
2015-02-16 22:39:36 +01:00
|
|
|
if(*source_p->localClient->sasl_agent)
|
|
|
|
agent_p = find_id(source_p->localClient->sasl_agent);
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
if(agent_p == NULL)
|
2011-04-04 00:59:20 +02:00
|
|
|
{
|
2015-03-06 16:18:54 +01:00
|
|
|
sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s",
|
|
|
|
me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
|
|
|
|
source_p->host, source_p->sockhost);
|
2015-02-13 21:16:53 +01:00
|
|
|
|
2016-02-29 01:28:34 +01:00
|
|
|
if (source_p->certfp != NULL)
|
2015-03-06 16:19:16 +01:00
|
|
|
sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
|
|
|
|
me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
|
|
|
|
parv[1], source_p->certfp);
|
2011-04-04 00:59:20 +02:00
|
|
|
else
|
2015-03-06 16:19:16 +01:00
|
|
|
sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s",
|
|
|
|
me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
|
|
|
|
parv[1]);
|
2015-02-14 10:41:10 +01:00
|
|
|
|
2015-02-16 22:39:36 +01:00
|
|
|
rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
|
2011-04-04 00:59:20 +02:00
|
|
|
}
|
2007-01-25 07:40:21 +01:00
|
|
|
else
|
2015-03-06 16:19:16 +01:00
|
|
|
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
|
|
|
|
me.id, agent_p->servptr->name, source_p->id, agent_p->id,
|
2015-02-14 10:41:10 +01:00
|
|
|
parv[1]);
|
2015-02-16 22:39:36 +01:00
|
|
|
source_p->localClient->sasl_out++;
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
|
|
|
|
2016-03-09 08:37:03 +01:00
|
|
|
static void
|
2016-02-11 03:54:17 +01:00
|
|
|
me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
|
2007-01-25 07:40:21 +01:00
|
|
|
int parc, const char *parv[])
|
|
|
|
{
|
|
|
|
struct Client *target_p, *agent_p;
|
|
|
|
|
|
|
|
/* Let propagate if not addressed to us, or if broadcast.
|
|
|
|
* Only SASL agents can answer global requests.
|
|
|
|
*/
|
|
|
|
if(strncmp(parv[2], me.id, 3))
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
if((target_p = find_id(parv[2])) == NULL)
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
if((agent_p = find_id(parv[1])) == NULL)
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
if(source_p != agent_p->servptr) /* WTF?! */
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
/* We only accept messages from SASL agents; these must have umode +S
|
|
|
|
* (so the server must be listed in a service{} block).
|
|
|
|
*/
|
|
|
|
if(!IsService(agent_p))
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
/* Reject if someone has already answered. */
|
2015-02-16 22:39:36 +01:00
|
|
|
if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
|
2016-03-09 08:37:03 +01:00
|
|
|
return;
|
2015-02-16 22:39:36 +01:00
|
|
|
else if(!*target_p->localClient->sasl_agent)
|
|
|
|
rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
|
2007-01-25 07:40:21 +01:00
|
|
|
|
2011-04-04 00:44:07 +02:00
|
|
|
if(*parv[3] == 'C')
|
2015-02-13 19:13:06 +01:00
|
|
|
{
|
2007-01-25 07:40:21 +01:00
|
|
|
sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
|
2015-02-13 19:13:06 +01:00
|
|
|
target_p->localClient->sasl_messages++;
|
|
|
|
}
|
2007-01-25 07:40:21 +01:00
|
|
|
else if(*parv[3] == 'D')
|
|
|
|
{
|
2016-04-11 19:12:31 +02:00
|
|
|
if(*parv[4] == 'F')
|
|
|
|
{
|
2007-01-25 07:40:21 +01:00
|
|
|
sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
|
2016-04-11 20:38:43 +02:00
|
|
|
/* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
|
2016-04-11 19:12:31 +02:00
|
|
|
if(target_p->localClient->sasl_messages > 0)
|
2015-02-13 19:13:06 +01:00
|
|
|
{
|
2016-04-11 20:38:43 +02:00
|
|
|
if(*target_p->name)
|
|
|
|
{
|
|
|
|
target_p->localClient->sasl_failures++;
|
|
|
|
target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 5, 13));
|
|
|
|
}
|
|
|
|
else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
|
2015-02-13 19:13:06 +01:00
|
|
|
{
|
|
|
|
exit_client(target_p, target_p, &me, "Too many failed authentication attempts");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2016-04-11 19:12:31 +02:00
|
|
|
else if(*parv[4] == 'S')
|
|
|
|
{
|
2007-01-25 07:40:21 +01:00
|
|
|
sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
|
2016-04-11 20:38:43 +02:00
|
|
|
target_p->localClient->sasl_failures = 0;
|
2015-02-16 22:39:36 +01:00
|
|
|
target_p->localClient->sasl_complete = 1;
|
2008-04-04 17:54:37 +02:00
|
|
|
ServerStats.is_ssuc++;
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
2015-02-16 22:39:36 +01:00
|
|
|
*target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
|
2015-02-13 19:13:06 +01:00
|
|
|
target_p->localClient->sasl_messages = 0;
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
2014-01-11 23:18:58 +01:00
|
|
|
else if(*parv[3] == 'M')
|
|
|
|
sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
|
|
|
|
2016-03-09 08:37:03 +01:00
|
|
|
static void
|
2016-02-28 08:02:10 +01:00
|
|
|
me_mechlist(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
|
|
|
|
int parc, const char *parv[])
|
|
|
|
{
|
|
|
|
rb_strlcpy(mechlist_buf, parv[1], sizeof mechlist_buf);
|
|
|
|
}
|
|
|
|
|
2007-01-25 07:40:21 +01:00
|
|
|
/* If the client never finished authenticating but is
|
|
|
|
* registering anyway, abort the exchange.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
abort_sasl(struct Client *data)
|
|
|
|
{
|
2015-02-16 22:39:36 +01:00
|
|
|
if(data->localClient->sasl_out == 0 || data->localClient->sasl_complete)
|
2007-01-25 07:40:21 +01:00
|
|
|
return;
|
|
|
|
|
2015-02-16 22:39:36 +01:00
|
|
|
data->localClient->sasl_out = data->localClient->sasl_complete = 0;
|
2008-04-04 17:54:37 +02:00
|
|
|
ServerStats.is_sbad++;
|
2007-01-25 07:40:21 +01:00
|
|
|
|
|
|
|
if(!IsClosing(data))
|
|
|
|
sendto_one(data, form_str(ERR_SASLABORTED), me.name, EmptyString(data->name) ? "*" : data->name);
|
|
|
|
|
2015-02-16 22:39:36 +01:00
|
|
|
if(*data->localClient->sasl_agent)
|
2007-01-25 07:40:21 +01:00
|
|
|
{
|
2015-02-16 22:39:36 +01:00
|
|
|
struct Client *agent_p = find_id(data->localClient->sasl_agent);
|
2007-01-25 07:40:21 +01:00
|
|
|
if(agent_p)
|
|
|
|
{
|
|
|
|
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name,
|
|
|
|
data->id, agent_p->id);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * D A", me.id,
|
|
|
|
data->id);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
abort_sasl_exit(hook_data_client_exit *data)
|
|
|
|
{
|
2015-03-01 07:01:24 +01:00
|
|
|
if (data->target->localClient)
|
|
|
|
abort_sasl(data->target);
|
2007-01-25 07:40:21 +01:00
|
|
|
}
|
|
|
|
|
2015-03-01 07:58:40 +01:00
|
|
|
static void
|
|
|
|
advertise_sasl(struct Client *client_p)
|
|
|
|
{
|
|
|
|
if (!ConfigFileEntry.sasl_service)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (irccmp(client_p->name, ConfigFileEntry.sasl_service))
|
|
|
|
return;
|
|
|
|
|
|
|
|
sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
advertise_sasl_exit(hook_data_client_exit *data)
|
|
|
|
{
|
|
|
|
if (!ConfigFileEntry.sasl_service)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (irccmp(data->target->name, ConfigFileEntry.sasl_service))
|
|
|
|
return;
|
|
|
|
|
|
|
|
sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
|
|
|
|
}
|