]> jfr.im git - solanum.git/blame_incremental - modules/m_sasl.c
projects / solanum.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
MODRESTART/MODRELOAD: Defer reloading more quickly
[solanum.git] / modules / m_sasl.c
... / ...
CommitLineData
1/* modules/m_sasl.c
2 * Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
3 * Copyright (C) 2006 charybdis development team
4 * Copyright (C) 2016 ChatLounge IRC Network Development Team
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are
8 * met:
9 *
10 * 1.Redistributions of source code must retain the above copyright notice,
11 * this list of conditions and the following disclaimer.
12 * 2.Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3.The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
22 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include "stdinc.h"
32
33#include "client.h"
34#include "hash.h"
35#include "send.h"
36#include "msg.h"
37#include "modules.h"
38#include "numeric.h"
39#include "reject.h"
40#include "s_serv.h"
41#include "s_stats.h"
42#include "string.h"
43#include "s_newconf.h"
44#include "s_conf.h"
45
46static const char sasl_desc[] = "Provides SASL authentication support";
47
48static void m_authenticate(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
49static void me_sasl(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
50static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
51
52static void abort_sasl(void *);
53static void abort_sasl_exit(void *);
54
55static unsigned int CLICAP_SASL = 0;
56static char mechlist_buf[BUFSIZE];
57
58struct Message authenticate_msgtab = {
59 "AUTHENTICATE", 0, 0, 0, 0,
60 {{m_authenticate, 2}, {m_authenticate, 2}, mg_ignore, mg_ignore, mg_ignore, {m_authenticate, 2}}
61};
62struct Message sasl_msgtab = {
63 "SASL", 0, 0, 0, 0,
64 {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_sasl, 5}, mg_ignore}
65};
66struct Message mechlist_msgtab = {
67 "MECHLIST", 0, 0, 0, 0,
68 {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_mechlist, 2}, mg_ignore}
69};
70
71mapi_clist_av1 sasl_clist[] = {
72 &authenticate_msgtab, &sasl_msgtab, &mechlist_msgtab, NULL
73};
74mapi_hfn_list_av1 sasl_hfnlist[] = {
75 { "client_exit", abort_sasl_exit },
76 { NULL, NULL }
77};
78
79static const char *
80sasl_data(struct Client *client_p)
81{
82 return *mechlist_buf != 0 ? mechlist_buf : NULL;
83}
84
85static struct ClientCapability capdata_sasl = {
86 .data = sasl_data,
87 .flags = CLICAP_FLAGS_STICKY | CLICAP_FLAGS_PRIORITY,
88};
89
90mapi_cap_list_av2 sasl_cap_list[] = {
91 { MAPI_CAP_CLIENT, "sasl", &capdata_sasl, &CLICAP_SASL },
92 { 0, NULL, NULL, NULL },
93};
94
95static int
96_modinit(void)
97{
98 memset(mechlist_buf, 0, sizeof mechlist_buf);
99 return 0;
100}
101
102DECLARE_MODULE_AV2(sasl, _modinit, NULL, sasl_clist, NULL, sasl_hfnlist, sasl_cap_list, NULL, sasl_desc);
103
104static void
105m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
106 int parc, const char *parv[])
107{
108 struct Client *agent_p = NULL;
109 struct Client *saslserv_p = NULL;
110
111 /* They really should use CAP for their own sake. */
112 if(!IsCapable(source_p, CLICAP_SASL))
113 return;
114
115 if(source_p->localClient->sasl_next_retry > rb_current_time())
116 {
117 sendto_one(source_p, form_str(RPL_LOAD2HI), me.name, EmptyString(source_p->name) ? "*" : source_p->name, msgbuf_p->cmd);
118 return;
119 }
120
121 if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
122 {
123 exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
124 return;
125 }
126
127 if (*parv[1] == ':' || strchr(parv[1], ' '))
128 {
129 exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
130 return;
131 }
132
133 saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
134 if(saslserv_p == NULL || !IsService(saslserv_p))
135 {
136 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
137 return;
138 }
139
140 if(source_p->localClient->sasl_complete)
141 {
142 *source_p->localClient->sasl_agent = '\0';
143 source_p->localClient->sasl_complete = 0;
144 }
145
146 if(strlen(parv[1]) > 400)
147 {
148 sendto_one(source_p, form_str(ERR_SASLTOOLONG), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
149 return;
150 }
151
152 if(!*source_p->id)
153 {
154 /* Allocate a UID. */
155 rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
156 add_to_id_hash(source_p->id, source_p);
157 }
158
159 if(*source_p->localClient->sasl_agent)
160 agent_p = find_id(source_p->localClient->sasl_agent);
161
162 if(agent_p == NULL)
163 {
164 if (!strcmp(parv[1], "*"))
165 {
166 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
167 source_p->localClient->sasl_out = 0;
168 return;
169 }
170
171 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
172 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
173 source_p->host, source_p->sockhost,
174 IsSecure(source_p) ? 'S' : 'P');
175
176 if (source_p->certfp != NULL)
177 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
178 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
179 parv[1], source_p->certfp);
180 else
181 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s",
182 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
183 parv[1]);
184
185 rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
186 }
187 else
188 {
189 if (!strcmp(parv[1], "*"))
190 {
191 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
192 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
193 source_p->localClient->sasl_out = 0;
194 return;
195 }
196
197 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
198 me.id, agent_p->servptr->name, source_p->id, agent_p->id,
199 parv[1]);
200 }
201
202 source_p->localClient->sasl_out++;
203}
204
205static void
206me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
207 int parc, const char *parv[])
208{
209 struct Client *target_p, *agent_p;
210 bool in_progress;
211
212 /* Let propagate if not addressed to us, or if broadcast.
213 * Only SASL agents can answer global requests.
214 */
215 if(strncmp(parv[2], me.id, 3))
216 return;
217
218 if((target_p = find_id(parv[2])) == NULL)
219 return;
220
221 if((agent_p = find_id(parv[1])) == NULL)
222 return;
223
224 if(source_p != agent_p->servptr) /* WTF?! */
225 return;
226
227 /* We only accept messages from SASL agents; these must have umode +S
228 * (so the server must be listed in a service{} block).
229 */
230 if(!IsService(agent_p))
231 return;
232
233 /* If SASL has been aborted, we only want to track authentication failures. */
234 in_progress = target_p->localClient->sasl_out != 0;
235
236 /* Reject if someone has already answered. */
237 if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
238 return;
239 else if(!*target_p->localClient->sasl_agent && in_progress)
240 rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
241
242 if(*parv[3] == 'C')
243 {
244 if (in_progress) {
245 sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
246 target_p->localClient->sasl_messages++;
247 }
248 }
249 else if(*parv[3] == 'D')
250 {
251 if(*parv[4] == 'F')
252 {
253 if (in_progress) {
254 sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
255 }
256 /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
257 if(target_p->localClient->sasl_messages > 0)
258 {
259 if(*target_p->name)
260 {
261 /* Allow 2 tries before rate-limiting as some clients try EXTERNAL
262 * then PLAIN right after it if the auth failed, causing the client to be
263 * rate-limited immediately and not being able to login with SASL.
264 */
265 if (target_p->localClient->sasl_failures++ > 0)
266 target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8));
267 }
268 else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
269 {
270 exit_client(target_p, target_p, &me, "Too many failed authentication attempts");
271 return;
272 }
273 }
274 }
275 else if(*parv[4] == 'S')
276 {
277 if (in_progress) {
278 sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
279 target_p->localClient->sasl_failures = 0;
280 target_p->localClient->sasl_complete = 1;
281 ServerStats.is_ssuc++;
282 }
283 }
284 *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
285 target_p->localClient->sasl_messages = 0;
286 }
287 else if(*parv[3] == 'M')
288 {
289 if (in_progress) {
290 sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
291 }
292 }
293}
294
295static void
296me_mechlist(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
297 int parc, const char *parv[])
298{
299 rb_strlcpy(mechlist_buf, parv[1], sizeof mechlist_buf);
300}
301
302static void
303abort_sasl(void *data_)
304{
305 struct Client *data = data_;
306 if(data->localClient->sasl_out == 0 || data->localClient->sasl_complete)
307 return;
308
309 data->localClient->sasl_out = data->localClient->sasl_complete = 0;
310 ServerStats.is_sbad++;
311
312 if(!IsClosing(data))
313 sendto_one(data, form_str(ERR_SASLABORTED), me.name, EmptyString(data->name) ? "*" : data->name);
314
315 if(*data->localClient->sasl_agent)
316 {
317 struct Client *agent_p = find_id(data->localClient->sasl_agent);
318 if(agent_p)
319 {
320 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name,
321 data->id, agent_p->id);
322 return;
323 }
324 }
325
326 sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * D A", me.id,
327 data->id);
328}
329
330static void
331abort_sasl_exit(void *data_)
332{
333 hook_data_client_exit *data = data_;
334 if (data->target->localClient)
335 abort_sasl(data->target);
336}
Fork of solanum ircd, history is rebased regularly