]> jfr.im git - solanum.git/blob - modules/m_sasl.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fix two headings to be toplevel
[solanum.git] / modules / m_sasl.c
1 /* modules/m_sasl.c
2 * Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
3 * Copyright (C) 2006 charybdis development team
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 *
9 * 1.Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * 2.Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3.The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
21 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include "stdinc.h"
31
32 #include "client.h"
33 #include "hash.h"
34 #include "send.h"
35 #include "msg.h"
36 #include "modules.h"
37 #include "numeric.h"
38 #include "reject.h"
39 #include "s_serv.h"
40 #include "s_stats.h"
41 #include "string.h"
42 #include "s_newconf.h"
43 #include "s_conf.h"
44
45 static const char sasl_desc[] = "Provides SASL authentication support";
46
47 static void m_authenticate(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
48 static void me_sasl(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
49 static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
50
51 static void abort_sasl(struct Client *);
52 static void abort_sasl_exit(hook_data_client_exit *);
53
54 static void advertise_sasl(struct Client *);
55 static void advertise_sasl_exit(hook_data_client_exit *);
56
57 static unsigned int CLICAP_SASL = 0;
58 static char mechlist_buf[BUFSIZE];
59
60 struct Message authenticate_msgtab = {
61 "AUTHENTICATE", 0, 0, 0, 0,
62 {{m_authenticate, 2}, {m_authenticate, 2}, mg_ignore, mg_ignore, mg_ignore, {m_authenticate, 2}}
63 };
64 struct Message sasl_msgtab = {
65 "SASL", 0, 0, 0, 0,
66 {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_sasl, 5}, mg_ignore}
67 };
68 struct Message mechlist_msgtab = {
69 "MECHLIST", 0, 0, 0, 0,
70 {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_mechlist, 2}, mg_ignore}
71 };
72
73 mapi_clist_av1 sasl_clist[] = {
74 &authenticate_msgtab, &sasl_msgtab, &mechlist_msgtab, NULL
75 };
76 mapi_hfn_list_av1 sasl_hfnlist[] = {
77 { "new_local_user", (hookfn) abort_sasl },
78 { "client_exit", (hookfn) abort_sasl_exit },
79 { "new_remote_user", (hookfn) advertise_sasl },
80 { "client_exit", (hookfn) advertise_sasl_exit },
81 { NULL, NULL }
82 };
83
84 static bool
85 sasl_visible(struct Client *client_p)
86 {
87 struct Client *agent_p = NULL;
88
89 if (ConfigFileEntry.sasl_service)
90 agent_p = find_named_client(ConfigFileEntry.sasl_service);
91
92 return agent_p != NULL && IsService(agent_p);
93 }
94
95 static const char *
96 sasl_data(struct Client *client_p)
97 {
98 return *mechlist_buf != 0 ? mechlist_buf : NULL;
99 }
100
101 static struct ClientCapability capdata_sasl = {
102 .visible = sasl_visible,
103 .data = sasl_data,
104 .flags = CLICAP_FLAGS_STICKY,
105 };
106
107 static int
108 _modinit(void)
109 {
110 memset(mechlist_buf, 0, sizeof mechlist_buf);
111 CLICAP_SASL = capability_put(cli_capindex, "sasl", &capdata_sasl);
112 return 0;
113 }
114
115 static void
116 _moddeinit(void)
117 {
118 capability_orphan(cli_capindex, "sasl");
119 }
120
121 DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, NULL, NULL, sasl_desc);
122
123 static void
124 m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
125 int parc, const char *parv[])
126 {
127 struct Client *agent_p = NULL;
128 struct Client *saslserv_p = NULL;
129
130 /* They really should use CAP for their own sake. */
131 if(!IsCapable(source_p, CLICAP_SASL))
132 return;
133
134 if(source_p->localClient->sasl_next_retry > rb_current_time())
135 {
136 sendto_one(source_p, form_str(RPL_LOAD2HI), me.name, EmptyString(source_p->name) ? "*" : source_p->name, msgbuf_p->cmd);
137 return;
138 }
139
140 if(strlen(client_p->id) == 3)
141 {
142 exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
143 return;
144 }
145
146 if (*parv[1] == ':' || strchr(parv[1], ' '))
147 {
148 exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
149 return;
150 }
151
152 saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
153 if(saslserv_p == NULL || !IsService(saslserv_p))
154 {
155 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
156 return;
157 }
158
159 if(source_p->localClient->sasl_complete)
160 {
161 *source_p->localClient->sasl_agent = '\0';
162 source_p->localClient->sasl_complete = 0;
163 }
164
165 if(strlen(parv[1]) > 400)
166 {
167 sendto_one(source_p, form_str(ERR_SASLTOOLONG), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
168 return;
169 }
170
171 if(!*source_p->id)
172 {
173 /* Allocate a UID. */
174 rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
175 add_to_id_hash(source_p->id, source_p);
176 }
177
178 if(*source_p->localClient->sasl_agent)
179 agent_p = find_id(source_p->localClient->sasl_agent);
180
181 if(agent_p == NULL)
182 {
183 if (!strcmp(parv[1], "*"))
184 {
185 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
186 source_p->localClient->sasl_out = 0;
187 return;
188 }
189
190 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
191 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
192 source_p->host, source_p->sockhost,
193 IsSSL(source_p) ? 'S' : 'P');
194
195 if (source_p->certfp != NULL)
196 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
197 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
198 parv[1], source_p->certfp);
199 else
200 sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s",
201 me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
202 parv[1]);
203
204 rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
205 }
206 else
207 {
208 if (!strcmp(parv[1], "*"))
209 {
210 sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
211 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
212 source_p->localClient->sasl_out = 0;
213 return;
214 }
215
216 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
217 me.id, agent_p->servptr->name, source_p->id, agent_p->id,
218 parv[1]);
219 }
220
221 source_p->localClient->sasl_out++;
222 }
223
224 static void
225 me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
226 int parc, const char *parv[])
227 {
228 struct Client *target_p, *agent_p;
229
230 /* Let propagate if not addressed to us, or if broadcast.
231 * Only SASL agents can answer global requests.
232 */
233 if(strncmp(parv[2], me.id, 3))
234 return;
235
236 if((target_p = find_id(parv[2])) == NULL)
237 return;
238
239 if((agent_p = find_id(parv[1])) == NULL)
240 return;
241
242 if(source_p != agent_p->servptr) /* WTF?! */
243 return;
244
245 /* We only accept messages from SASL agents; these must have umode +S
246 * (so the server must be listed in a service{} block).
247 */
248 if(!IsService(agent_p))
249 return;
250
251 /* Reject if someone has already answered. */
252 if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
253 return;
254 else if(!*target_p->localClient->sasl_agent)
255 rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
256
257 if(*parv[3] == 'C')
258 {
259 sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
260 target_p->localClient->sasl_messages++;
261 }
262 else if(*parv[3] == 'D')
263 {
264 if(*parv[4] == 'F')
265 {
266 sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
267 /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
268 if(target_p->localClient->sasl_messages > 0)
269 {
270 if(*target_p->name)
271 {
272 /* Allow 2 tries before rate-limiting as some clients try EXTERNAL
273 * then PLAIN right after it if the auth failed, causing the client to be
274 * rate-limited immediately and not being able to login with SASL.
275 */
276 if (target_p->localClient->sasl_failures++ > 0)
277 target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8));
278 }
279 else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
280 {
281 exit_client(target_p, target_p, &me, "Too many failed authentication attempts");
282 return;
283 }
284 }
285 }
286 else if(*parv[4] == 'S')
287 {
288 sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
289 target_p->localClient->sasl_failures = 0;
290 target_p->localClient->sasl_complete = 1;
291 ServerStats.is_ssuc++;
292 }
293 *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
294 target_p->localClient->sasl_messages = 0;
295 }
296 else if(*parv[3] == 'M')
297 sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
298 }
299
300 static void
301 me_mechlist(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
302 int parc, const char *parv[])
303 {
304 rb_strlcpy(mechlist_buf, parv[1], sizeof mechlist_buf);
305 }
306
307 /* If the client never finished authenticating but is
308 * registering anyway, abort the exchange.
309 */
310 static void
311 abort_sasl(struct Client *data)
312 {
313 if(data->localClient->sasl_out == 0 || data->localClient->sasl_complete)
314 return;
315
316 data->localClient->sasl_out = data->localClient->sasl_complete = 0;
317 ServerStats.is_sbad++;
318
319 if(!IsClosing(data))
320 sendto_one(data, form_str(ERR_SASLABORTED), me.name, EmptyString(data->name) ? "*" : data->name);
321
322 if(*data->localClient->sasl_agent)
323 {
324 struct Client *agent_p = find_id(data->localClient->sasl_agent);
325 if(agent_p)
326 {
327 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name,
328 data->id, agent_p->id);
329 return;
330 }
331 }
332
333 sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * D A", me.id,
334 data->id);
335 }
336
337 static void
338 abort_sasl_exit(hook_data_client_exit *data)
339 {
340 if (data->target->localClient)
341 abort_sasl(data->target);
342 }
343
344 static void
345 advertise_sasl(struct Client *client_p)
346 {
347 if (!ConfigFileEntry.sasl_service)
348 return;
349
350 if (irccmp(client_p->name, ConfigFileEntry.sasl_service))
351 return;
352
353 sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
354 }
355
356 static void
357 advertise_sasl_exit(hook_data_client_exit *data)
358 {
359 if (!ConfigFileEntry.sasl_service)
360 return;
361
362 if (irccmp(data->target->name, ConfigFileEntry.sasl_service))
363 return;
364
365 sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
366 }
Fork of solanum ircd, history is rebased regularly