/* modules/m_sasl.c
* Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
* Copyright (C) 2006 charybdis development team
+ * Copyright (C) 2016 ChatLounge IRC Network Development Team
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
static void abort_sasl(struct Client *);
static void abort_sasl_exit(hook_data_client_exit *);
-static void advertise_sasl(struct Client *);
-static void advertise_sasl_exit(hook_data_client_exit *);
+static void advertise_sasl_cap(bool);
+static void advertise_sasl_new(struct Client *);
+static void advertise_sasl_exit(void *);
+static void advertise_sasl_config(void *);
static unsigned int CLICAP_SASL = 0;
static char mechlist_buf[BUFSIZE];
+static bool sasl_agent_present = false;
struct Message authenticate_msgtab = {
"AUTHENTICATE", 0, 0, 0, 0,
mapi_hfn_list_av1 sasl_hfnlist[] = {
{ "new_local_user", (hookfn) abort_sasl },
{ "client_exit", (hookfn) abort_sasl_exit },
- { "new_remote_user", (hookfn) advertise_sasl },
- { "client_exit", (hookfn) advertise_sasl_exit },
+ { "new_remote_user", (hookfn) advertise_sasl_new },
+ { "after_client_exit", (hookfn) advertise_sasl_exit },
+ { "conf_read_end", (hookfn) advertise_sasl_config },
{ NULL, NULL }
};
static bool
-sasl_visible(struct Client *client_p)
+sasl_visible(struct Client *ignored)
{
struct Client *agent_p = NULL;
_modinit(void)
{
memset(mechlist_buf, 0, sizeof mechlist_buf);
+ sasl_agent_present = false;
+
CLICAP_SASL = capability_put(cli_capindex, "sasl", &capdata_sasl);
+ advertise_sasl_config(NULL);
return 0;
}
static void
_moddeinit(void)
{
+ advertise_sasl_cap(false);
capability_orphan(cli_capindex, "sasl");
}
return;
}
- if(strlen(client_p->id) == 3)
+ if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
{
exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
return;
}
+ if (*parv[1] == ':' || strchr(parv[1], ' '))
+ {
+ exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
+ return;
+ }
+
saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
if(saslserv_p == NULL || !IsService(saslserv_p))
{
if(agent_p == NULL)
{
- sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s",
+ if (!strcmp(parv[1], "*"))
+ {
+ sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+ source_p->localClient->sasl_out = 0;
+ return;
+ }
+
+ sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
- source_p->host, source_p->sockhost);
+ source_p->host, source_p->sockhost,
+ IsSSL(source_p) ? 'S' : 'P');
if (source_p->certfp != NULL)
sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
}
else
+ {
+ if (!strcmp(parv[1], "*"))
+ {
+ sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+ sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
+ source_p->localClient->sasl_out = 0;
+ return;
+ }
+
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
me.id, agent_p->servptr->name, source_p->id, agent_p->id,
parv[1]);
+ }
+
source_p->localClient->sasl_out++;
}
int parc, const char *parv[])
{
struct Client *target_p, *agent_p;
+ bool in_progress;
/* Let propagate if not addressed to us, or if broadcast.
* Only SASL agents can answer global requests.
if(!IsService(agent_p))
return;
+ /* If SASL has been aborted, we only want to track authentication failures. */
+ in_progress = target_p->localClient->sasl_out != 0;
+
/* Reject if someone has already answered. */
if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
return;
- else if(!*target_p->localClient->sasl_agent)
+ else if(!*target_p->localClient->sasl_agent && in_progress)
rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
if(*parv[3] == 'C')
{
- sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
- target_p->localClient->sasl_messages++;
+ if (in_progress) {
+ sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
+ target_p->localClient->sasl_messages++;
+ }
}
else if(*parv[3] == 'D')
{
if(*parv[4] == 'F')
{
- sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+ if (in_progress) {
+ sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+ }
/* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
if(target_p->localClient->sasl_messages > 0)
{
if(*target_p->name)
{
- target_p->localClient->sasl_failures++;
- target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 5, 13));
+ /* Allow 2 tries before rate-limiting as some clients try EXTERNAL
+ * then PLAIN right after it if the auth failed, causing the client to be
+ * rate-limited immediately and not being able to login with SASL.
+ */
+ if (target_p->localClient->sasl_failures++ > 0)
+ target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8));
}
else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
{
}
else if(*parv[4] == 'S')
{
- sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
- target_p->localClient->sasl_failures = 0;
- target_p->localClient->sasl_complete = 1;
- ServerStats.is_ssuc++;
+ if (in_progress) {
+ sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+ target_p->localClient->sasl_failures = 0;
+ target_p->localClient->sasl_complete = 1;
+ ServerStats.is_ssuc++;
+ }
}
*target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
target_p->localClient->sasl_messages = 0;
}
else if(*parv[3] == 'M')
- sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
+ {
+ if (in_progress) {
+ sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
+ }
+ }
}
static void
}
static void
-advertise_sasl(struct Client *client_p)
+advertise_sasl_cap(bool available)
+{
+ if (sasl_agent_present != available) {
+ if (available) {
+ sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+ } else {
+ sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+ }
+ sasl_agent_present = available;
+ }
+}
+
+static void
+advertise_sasl_new(struct Client *client_p)
{
if (!ConfigFileEntry.sasl_service)
return;
if (irccmp(client_p->name, ConfigFileEntry.sasl_service))
return;
- sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+ advertise_sasl_cap(IsService(client_p));
}
static void
-advertise_sasl_exit(hook_data_client_exit *data)
+advertise_sasl_exit(void *ignored)
{
if (!ConfigFileEntry.sasl_service)
return;
- if (irccmp(data->target->name, ConfigFileEntry.sasl_service))
- return;
+ if (sasl_agent_present) {
+ advertise_sasl_cap(sasl_visible(NULL));
+ }
+}
- sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+static void
+advertise_sasl_config(void *ignored)
+{
+ advertise_sasl_cap(sasl_visible(NULL));
}