]>
Commit | Line | Data |
---|---|---|
1 | /* modules/m_sasl.c | |
2 | * Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com> | |
3 | * Copyright (C) 2006 charybdis development team | |
4 | * Copyright (C) 2016 ChatLounge IRC Network Development Team | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions are | |
8 | * met: | |
9 | * | |
10 | * 1.Redistributions of source code must retain the above copyright notice, | |
11 | * this list of conditions and the following disclaimer. | |
12 | * 2.Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3.The name of the author may not be used to endorse or promote products | |
16 | * derived from this software without specific prior written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
19 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
20 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
21 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
22 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
24 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
26 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
27 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
28 | * POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include "stdinc.h" | |
32 | ||
33 | #include "client.h" | |
34 | #include "hash.h" | |
35 | #include "send.h" | |
36 | #include "msg.h" | |
37 | #include "modules.h" | |
38 | #include "numeric.h" | |
39 | #include "reject.h" | |
40 | #include "s_serv.h" | |
41 | #include "s_stats.h" | |
42 | #include "string.h" | |
43 | #include "s_newconf.h" | |
44 | #include "s_conf.h" | |
45 | ||
46 | static const char sasl_desc[] = "Provides SASL authentication support"; | |
47 | ||
48 | static void m_authenticate(struct MsgBuf *, struct Client *, struct Client *, int, const char **); | |
49 | static void me_sasl(struct MsgBuf *, struct Client *, struct Client *, int, const char **); | |
50 | static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, const char **); | |
51 | ||
52 | static void abort_sasl(struct Client *); | |
53 | static void abort_sasl_exit(hook_data_client_exit *); | |
54 | ||
55 | static void advertise_sasl_cap(bool); | |
56 | static void advertise_sasl_new(struct Client *); | |
57 | static void advertise_sasl_exit(void *); | |
58 | static void advertise_sasl_config(void *); | |
59 | ||
60 | static unsigned int CLICAP_SASL = 0; | |
61 | static char mechlist_buf[BUFSIZE]; | |
62 | static bool sasl_agent_present = false; | |
63 | ||
64 | struct Message authenticate_msgtab = { | |
65 | "AUTHENTICATE", 0, 0, 0, 0, | |
66 | {{m_authenticate, 2}, {m_authenticate, 2}, mg_ignore, mg_ignore, mg_ignore, {m_authenticate, 2}} | |
67 | }; | |
68 | struct Message sasl_msgtab = { | |
69 | "SASL", 0, 0, 0, 0, | |
70 | {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_sasl, 5}, mg_ignore} | |
71 | }; | |
72 | struct Message mechlist_msgtab = { | |
73 | "MECHLIST", 0, 0, 0, 0, | |
74 | {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_mechlist, 2}, mg_ignore} | |
75 | }; | |
76 | ||
77 | mapi_clist_av1 sasl_clist[] = { | |
78 | &authenticate_msgtab, &sasl_msgtab, &mechlist_msgtab, NULL | |
79 | }; | |
80 | mapi_hfn_list_av1 sasl_hfnlist[] = { | |
81 | { "new_local_user", (hookfn) abort_sasl }, | |
82 | { "client_exit", (hookfn) abort_sasl_exit }, | |
83 | { "new_remote_user", (hookfn) advertise_sasl_new }, | |
84 | { "after_client_exit", (hookfn) advertise_sasl_exit }, | |
85 | { "conf_read_end", (hookfn) advertise_sasl_config }, | |
86 | { NULL, NULL } | |
87 | }; | |
88 | ||
89 | static bool | |
90 | sasl_visible(struct Client *ignored) | |
91 | { | |
92 | struct Client *agent_p = NULL; | |
93 | ||
94 | if (ConfigFileEntry.sasl_service) | |
95 | agent_p = find_named_client(ConfigFileEntry.sasl_service); | |
96 | ||
97 | return agent_p != NULL && IsService(agent_p); | |
98 | } | |
99 | ||
100 | static const char * | |
101 | sasl_data(struct Client *client_p) | |
102 | { | |
103 | return *mechlist_buf != 0 ? mechlist_buf : NULL; | |
104 | } | |
105 | ||
106 | static struct ClientCapability capdata_sasl = { | |
107 | .visible = sasl_visible, | |
108 | .data = sasl_data, | |
109 | .flags = CLICAP_FLAGS_STICKY | CLICAP_FLAGS_PRIORITY, | |
110 | }; | |
111 | ||
112 | mapi_cap_list_av2 sasl_cap_list[] = { | |
113 | { MAPI_CAP_CLIENT, "sasl", &capdata_sasl, &CLICAP_SASL }, | |
114 | { 0, NULL, NULL, NULL }, | |
115 | }; | |
116 | ||
117 | static int | |
118 | _modinit(void) | |
119 | { | |
120 | memset(mechlist_buf, 0, sizeof mechlist_buf); | |
121 | sasl_agent_present = false; | |
122 | ||
123 | advertise_sasl_config(NULL); | |
124 | return 0; | |
125 | } | |
126 | ||
127 | static void | |
128 | _moddeinit(void) | |
129 | { | |
130 | advertise_sasl_cap(false); | |
131 | } | |
132 | ||
133 | DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, sasl_cap_list, NULL, sasl_desc); | |
134 | ||
135 | static void | |
136 | m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, | |
137 | int parc, const char *parv[]) | |
138 | { | |
139 | struct Client *agent_p = NULL; | |
140 | struct Client *saslserv_p = NULL; | |
141 | ||
142 | /* They really should use CAP for their own sake. */ | |
143 | if(!IsCapable(source_p, CLICAP_SASL)) | |
144 | return; | |
145 | ||
146 | if(source_p->localClient->sasl_next_retry > rb_current_time()) | |
147 | { | |
148 | sendto_one(source_p, form_str(RPL_LOAD2HI), me.name, EmptyString(source_p->name) ? "*" : source_p->name, msgbuf_p->cmd); | |
149 | return; | |
150 | } | |
151 | ||
152 | if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id))) | |
153 | { | |
154 | exit_client(client_p, client_p, client_p, "Mixing client and server protocol"); | |
155 | return; | |
156 | } | |
157 | ||
158 | if (*parv[1] == ':' || strchr(parv[1], ' ')) | |
159 | { | |
160 | exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE"); | |
161 | return; | |
162 | } | |
163 | ||
164 | saslserv_p = find_named_client(ConfigFileEntry.sasl_service); | |
165 | if(saslserv_p == NULL || !IsService(saslserv_p)) | |
166 | { | |
167 | sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name); | |
168 | return; | |
169 | } | |
170 | ||
171 | if(source_p->localClient->sasl_complete) | |
172 | { | |
173 | *source_p->localClient->sasl_agent = '\0'; | |
174 | source_p->localClient->sasl_complete = 0; | |
175 | } | |
176 | ||
177 | if(strlen(parv[1]) > 400) | |
178 | { | |
179 | sendto_one(source_p, form_str(ERR_SASLTOOLONG), me.name, EmptyString(source_p->name) ? "*" : source_p->name); | |
180 | return; | |
181 | } | |
182 | ||
183 | if(!*source_p->id) | |
184 | { | |
185 | /* Allocate a UID. */ | |
186 | rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id)); | |
187 | add_to_id_hash(source_p->id, source_p); | |
188 | } | |
189 | ||
190 | if(*source_p->localClient->sasl_agent) | |
191 | agent_p = find_id(source_p->localClient->sasl_agent); | |
192 | ||
193 | if(agent_p == NULL) | |
194 | { | |
195 | if (!strcmp(parv[1], "*")) | |
196 | { | |
197 | sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name); | |
198 | source_p->localClient->sasl_out = 0; | |
199 | return; | |
200 | } | |
201 | ||
202 | sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c", | |
203 | me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id, | |
204 | source_p->host, source_p->sockhost, | |
205 | IsSecure(source_p) ? 'S' : 'P'); | |
206 | ||
207 | if (source_p->certfp != NULL) | |
208 | sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s", | |
209 | me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id, | |
210 | parv[1], source_p->certfp); | |
211 | else | |
212 | sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s", | |
213 | me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id, | |
214 | parv[1]); | |
215 | ||
216 | rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN); | |
217 | } | |
218 | else | |
219 | { | |
220 | if (!strcmp(parv[1], "*")) | |
221 | { | |
222 | sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name); | |
223 | sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id); | |
224 | source_p->localClient->sasl_out = 0; | |
225 | return; | |
226 | } | |
227 | ||
228 | sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", | |
229 | me.id, agent_p->servptr->name, source_p->id, agent_p->id, | |
230 | parv[1]); | |
231 | } | |
232 | ||
233 | source_p->localClient->sasl_out++; | |
234 | } | |
235 | ||
236 | static void | |
237 | me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, | |
238 | int parc, const char *parv[]) | |
239 | { | |
240 | struct Client *target_p, *agent_p; | |
241 | bool in_progress; | |
242 | ||
243 | /* Let propagate if not addressed to us, or if broadcast. | |
244 | * Only SASL agents can answer global requests. | |
245 | */ | |
246 | if(strncmp(parv[2], me.id, 3)) | |
247 | return; | |
248 | ||
249 | if((target_p = find_id(parv[2])) == NULL) | |
250 | return; | |
251 | ||
252 | if((agent_p = find_id(parv[1])) == NULL) | |
253 | return; | |
254 | ||
255 | if(source_p != agent_p->servptr) /* WTF?! */ | |
256 | return; | |
257 | ||
258 | /* We only accept messages from SASL agents; these must have umode +S | |
259 | * (so the server must be listed in a service{} block). | |
260 | */ | |
261 | if(!IsService(agent_p)) | |
262 | return; | |
263 | ||
264 | /* If SASL has been aborted, we only want to track authentication failures. */ | |
265 | in_progress = target_p->localClient->sasl_out != 0; | |
266 | ||
267 | /* Reject if someone has already answered. */ | |
268 | if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN)) | |
269 | return; | |
270 | else if(!*target_p->localClient->sasl_agent && in_progress) | |
271 | rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN); | |
272 | ||
273 | if(*parv[3] == 'C') | |
274 | { | |
275 | if (in_progress) { | |
276 | sendto_one(target_p, "AUTHENTICATE %s", parv[4]); | |
277 | target_p->localClient->sasl_messages++; | |
278 | } | |
279 | } | |
280 | else if(*parv[3] == 'D') | |
281 | { | |
282 | if(*parv[4] == 'F') | |
283 | { | |
284 | if (in_progress) { | |
285 | sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name); | |
286 | } | |
287 | /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */ | |
288 | if(target_p->localClient->sasl_messages > 0) | |
289 | { | |
290 | if(*target_p->name) | |
291 | { | |
292 | /* Allow 2 tries before rate-limiting as some clients try EXTERNAL | |
293 | * then PLAIN right after it if the auth failed, causing the client to be | |
294 | * rate-limited immediately and not being able to login with SASL. | |
295 | */ | |
296 | if (target_p->localClient->sasl_failures++ > 0) | |
297 | target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8)); | |
298 | } | |
299 | else if(throttle_add((struct sockaddr*)&target_p->localClient->ip)) | |
300 | { | |
301 | exit_client(target_p, target_p, &me, "Too many failed authentication attempts"); | |
302 | return; | |
303 | } | |
304 | } | |
305 | } | |
306 | else if(*parv[4] == 'S') | |
307 | { | |
308 | if (in_progress) { | |
309 | sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name); | |
310 | target_p->localClient->sasl_failures = 0; | |
311 | target_p->localClient->sasl_complete = 1; | |
312 | ServerStats.is_ssuc++; | |
313 | } | |
314 | } | |
315 | *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */ | |
316 | target_p->localClient->sasl_messages = 0; | |
317 | } | |
318 | else if(*parv[3] == 'M') | |
319 | { | |
320 | if (in_progress) { | |
321 | sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]); | |
322 | } | |
323 | } | |
324 | } | |
325 | ||
326 | static void | |
327 | me_mechlist(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, | |
328 | int parc, const char *parv[]) | |
329 | { | |
330 | rb_strlcpy(mechlist_buf, parv[1], sizeof mechlist_buf); | |
331 | } | |
332 | ||
333 | /* If the client never finished authenticating but is | |
334 | * registering anyway, abort the exchange. | |
335 | */ | |
336 | static void | |
337 | abort_sasl(struct Client *data) | |
338 | { | |
339 | if(data->localClient->sasl_out == 0 || data->localClient->sasl_complete) | |
340 | return; | |
341 | ||
342 | data->localClient->sasl_out = data->localClient->sasl_complete = 0; | |
343 | ServerStats.is_sbad++; | |
344 | ||
345 | if(!IsClosing(data)) | |
346 | sendto_one(data, form_str(ERR_SASLABORTED), me.name, EmptyString(data->name) ? "*" : data->name); | |
347 | ||
348 | if(*data->localClient->sasl_agent) | |
349 | { | |
350 | struct Client *agent_p = find_id(data->localClient->sasl_agent); | |
351 | if(agent_p) | |
352 | { | |
353 | sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, | |
354 | data->id, agent_p->id); | |
355 | return; | |
356 | } | |
357 | } | |
358 | ||
359 | sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * D A", me.id, | |
360 | data->id); | |
361 | } | |
362 | ||
363 | static void | |
364 | abort_sasl_exit(hook_data_client_exit *data) | |
365 | { | |
366 | if (data->target->localClient) | |
367 | abort_sasl(data->target); | |
368 | } | |
369 | ||
370 | static void | |
371 | advertise_sasl_cap(bool available) | |
372 | { | |
373 | if (sasl_agent_present != available) { | |
374 | if (available) { | |
375 | sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name); | |
376 | } else { | |
377 | sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name); | |
378 | } | |
379 | sasl_agent_present = available; | |
380 | } | |
381 | } | |
382 | ||
383 | static void | |
384 | advertise_sasl_new(struct Client *client_p) | |
385 | { | |
386 | if (!ConfigFileEntry.sasl_service) | |
387 | return; | |
388 | ||
389 | if (irccmp(client_p->name, ConfigFileEntry.sasl_service)) | |
390 | return; | |
391 | ||
392 | advertise_sasl_cap(IsService(client_p)); | |
393 | } | |
394 | ||
395 | static void | |
396 | advertise_sasl_exit(void *ignored) | |
397 | { | |
398 | if (!ConfigFileEntry.sasl_service) | |
399 | return; | |
400 | ||
401 | if (sasl_agent_present) { | |
402 | advertise_sasl_cap(sasl_visible(NULL)); | |
403 | } | |
404 | } | |
405 | ||
406 | static void | |
407 | advertise_sasl_config(void *ignored) | |
408 | { | |
409 | advertise_sasl_cap(sasl_visible(NULL)); | |
410 | } |