/* modules/m_sasl.c
* Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
* Copyright (C) 2006 charybdis development team
+ * Copyright (C) 2016 ChatLounge IRC Network Development Team
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
- *
- * $Id: m_sasl.c 1409 2006-05-21 14:46:17Z jilles $
*/
#include "stdinc.h"
#include "msg.h"
#include "modules.h"
#include "numeric.h"
+#include "reject.h"
#include "s_serv.h"
#include "s_stats.h"
#include "string.h"
+#include "s_newconf.h"
+#include "s_conf.h"
+
+static const char sasl_desc[] = "Provides SASL authentication support";
+
+static void m_authenticate(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
+static void me_sasl(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
+static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
-static int mr_authenticate(struct Client *, struct Client *, int, const char **);
-static int me_sasl(struct Client *, struct Client *, int, const char **);
+static void abort_sasl(void *);
+static void abort_sasl_exit(void *);
-static void abort_sasl(struct Client *);
-static void abort_sasl_exit(hook_data_client_exit *);
+static unsigned int CLICAP_SASL = 0;
+static char mechlist_buf[BUFSIZE];
struct Message authenticate_msgtab = {
- "AUTHENTICATE", 0, 0, 0, MFLG_SLOW,
- {{mr_authenticate, 2}, mg_reg, mg_ignore, mg_ignore, mg_ignore, mg_reg}
+ "AUTHENTICATE", 0, 0, 0, 0,
+ {{m_authenticate, 2}, {m_authenticate, 2}, mg_ignore, mg_ignore, mg_ignore, {m_authenticate, 2}}
};
struct Message sasl_msgtab = {
- "SASL", 0, 0, 0, MFLG_SLOW,
+ "SASL", 0, 0, 0, 0,
{mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_sasl, 5}, mg_ignore}
};
+struct Message mechlist_msgtab = {
+ "MECHLIST", 0, 0, 0, 0,
+ {mg_ignore, mg_ignore, mg_ignore, mg_ignore, {me_mechlist, 2}, mg_ignore}
+};
-mapi_clist_av1 sasl_clist[] = {
- &authenticate_msgtab, &sasl_msgtab, NULL
+mapi_clist_av1 sasl_clist[] = {
+ &authenticate_msgtab, &sasl_msgtab, &mechlist_msgtab, NULL
};
mapi_hfn_list_av1 sasl_hfnlist[] = {
- { "new_local_user", (hookfn) abort_sasl },
- { "client_exit", (hookfn) abort_sasl_exit },
+ { "client_exit", abort_sasl_exit },
{ NULL, NULL }
};
-DECLARE_MODULE_AV1(sasl, NULL, NULL, sasl_clist, NULL, sasl_hfnlist, "$Revision: 1409 $");
+static const char *
+sasl_data(struct Client *client_p)
+{
+ return *mechlist_buf != 0 ? mechlist_buf : NULL;
+}
+
+static struct ClientCapability capdata_sasl = {
+ .data = sasl_data,
+ .flags = CLICAP_FLAGS_STICKY | CLICAP_FLAGS_PRIORITY,
+};
+
+mapi_cap_list_av2 sasl_cap_list[] = {
+ { MAPI_CAP_CLIENT, "sasl", &capdata_sasl, &CLICAP_SASL },
+ { 0, NULL, NULL, NULL },
+};
static int
-mr_authenticate(struct Client *client_p, struct Client *source_p,
+_modinit(void)
+{
+ memset(mechlist_buf, 0, sizeof mechlist_buf);
+ return 0;
+}
+
+DECLARE_MODULE_AV2(sasl, _modinit, NULL, sasl_clist, NULL, sasl_hfnlist, sasl_cap_list, NULL, sasl_desc);
+
+static void
+m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
int parc, const char *parv[])
{
struct Client *agent_p = NULL;
+ struct Client *saslserv_p = NULL;
/* They really should use CAP for their own sake. */
if(!IsCapable(source_p, CLICAP_SASL))
- return 0;
+ return;
- if (strlen(client_p->id) == 3)
+ if(source_p->localClient->sasl_next_retry > rb_current_time())
+ {
+ sendto_one(source_p, form_str(RPL_LOAD2HI), me.name, EmptyString(source_p->name) ? "*" : source_p->name, msgbuf_p->cmd);
+ return;
+ }
+
+ if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
{
exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
- return 0;
+ return;
}
- if(source_p->preClient->sasl_complete)
+ if (*parv[1] == ':' || strchr(parv[1], ' '))
{
- sendto_one(source_p, form_str(ERR_SASLALREADY), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
- return 0;
+ exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
+ return;
+ }
+
+ saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
+ if(saslserv_p == NULL || !IsService(saslserv_p))
+ {
+ sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+ return;
+ }
+
+ if(source_p->localClient->sasl_complete)
+ {
+ *source_p->localClient->sasl_agent = '\0';
+ source_p->localClient->sasl_complete = 0;
}
if(strlen(parv[1]) > 400)
{
sendto_one(source_p, form_str(ERR_SASLTOOLONG), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
- return 0;
+ return;
}
if(!*source_p->id)
{
/* Allocate a UID. */
- strcpy(source_p->id, generate_uid());
+ rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
add_to_id_hash(source_p->id, source_p);
}
- if(*source_p->preClient->sasl_agent)
- agent_p = find_id(source_p->preClient->sasl_agent);
+ if(*source_p->localClient->sasl_agent)
+ agent_p = find_id(source_p->localClient->sasl_agent);
if(agent_p == NULL)
{
- if (!strcmp(parv[1], "EXTERNAL") && source_p->certfp != NULL)
- sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * S %s %s", me.id,
- source_p->id, parv[1],
- source_p->certfp);
+ if (!strcmp(parv[1], "*"))
+ {
+ sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+ source_p->localClient->sasl_out = 0;
+ return;
+ }
+
+ sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
+ me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
+ source_p->host, source_p->sockhost,
+ IsSecure(source_p) ? 'S' : 'P');
+
+ if (source_p->certfp != NULL)
+ sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
+ me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
+ parv[1], source_p->certfp);
else
- sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * S %s", me.id,
- source_p->id, parv[1]);
+ sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s",
+ me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
+ parv[1]);
+
+ rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
}
else
- sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name,
- source_p->id, agent_p->id, parv[1]);
- source_p->preClient->sasl_out++;
+ {
+ if (!strcmp(parv[1], "*"))
+ {
+ sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+ sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
+ source_p->localClient->sasl_out = 0;
+ return;
+ }
- return 0;
+ sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
+ me.id, agent_p->servptr->name, source_p->id, agent_p->id,
+ parv[1]);
+ }
+
+ source_p->localClient->sasl_out++;
}
-static int
-me_sasl(struct Client *client_p, struct Client *source_p,
+static void
+me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
int parc, const char *parv[])
{
struct Client *target_p, *agent_p;
+ bool in_progress;
/* Let propagate if not addressed to us, or if broadcast.
* Only SASL agents can answer global requests.
*/
if(strncmp(parv[2], me.id, 3))
- return 0;
+ return;
if((target_p = find_id(parv[2])) == NULL)
- return 0;
-
- if(target_p->preClient == NULL)
- return 0;
+ return;
if((agent_p = find_id(parv[1])) == NULL)
- return 0;
+ return;
if(source_p != agent_p->servptr) /* WTF?! */
- return 0;
+ return;
/* We only accept messages from SASL agents; these must have umode +S
* (so the server must be listed in a service{} block).
*/
if(!IsService(agent_p))
- return 0;
+ return;
+
+ /* If SASL has been aborted, we only want to track authentication failures. */
+ in_progress = target_p->localClient->sasl_out != 0;
/* Reject if someone has already answered. */
- if(*target_p->preClient->sasl_agent && strncmp(parv[1], target_p->preClient->sasl_agent, IDLEN))
- return 0;
- else if(!*target_p->preClient->sasl_agent)
- rb_strlcpy(target_p->preClient->sasl_agent, parv[1], IDLEN);
+ if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
+ return;
+ else if(!*target_p->localClient->sasl_agent && in_progress)
+ rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
if(*parv[3] == 'C')
- sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
+ {
+ if (in_progress) {
+ sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
+ target_p->localClient->sasl_messages++;
+ }
+ }
else if(*parv[3] == 'D')
{
if(*parv[4] == 'F')
- sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
- else if(*parv[4] == 'S') {
- sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
- target_p->preClient->sasl_complete = 1;
- ServerStats.is_ssuc++;
+ {
+ if (in_progress) {
+ sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+ }
+ /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
+ if(target_p->localClient->sasl_messages > 0)
+ {
+ if(*target_p->name)
+ {
+ /* Allow 2 tries before rate-limiting as some clients try EXTERNAL
+ * then PLAIN right after it if the auth failed, causing the client to be
+ * rate-limited immediately and not being able to login with SASL.
+ */
+ if (target_p->localClient->sasl_failures++ > 0)
+ target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8));
+ }
+ else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
+ {
+ exit_client(target_p, target_p, &me, "Too many failed authentication attempts");
+ return;
+ }
+ }
+ }
+ else if(*parv[4] == 'S')
+ {
+ if (in_progress) {
+ sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+ target_p->localClient->sasl_failures = 0;
+ target_p->localClient->sasl_complete = 1;
+ ServerStats.is_ssuc++;
+ }
+ }
+ *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
+ target_p->localClient->sasl_messages = 0;
+ }
+ else if(*parv[3] == 'M')
+ {
+ if (in_progress) {
+ sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
}
- *target_p->preClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
}
-
- return 0;
}
-/* If the client never finished authenticating but is
- * registering anyway, abort the exchange.
- */
static void
-abort_sasl(struct Client *data)
+me_mechlist(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
+ int parc, const char *parv[])
+{
+ rb_strlcpy(mechlist_buf, parv[1], sizeof mechlist_buf);
+}
+
+static void
+abort_sasl(void *data_)
{
- if(data->preClient->sasl_out == 0 || data->preClient->sasl_complete)
+ struct Client *data = data_;
+ if(data->localClient->sasl_out == 0 || data->localClient->sasl_complete)
return;
- data->preClient->sasl_out = data->preClient->sasl_complete = 0;
+ data->localClient->sasl_out = data->localClient->sasl_complete = 0;
ServerStats.is_sbad++;
if(!IsClosing(data))
sendto_one(data, form_str(ERR_SASLABORTED), me.name, EmptyString(data->name) ? "*" : data->name);
- if(*data->preClient->sasl_agent)
+ if(*data->localClient->sasl_agent)
{
- struct Client *agent_p = find_id(data->preClient->sasl_agent);
+ struct Client *agent_p = find_id(data->localClient->sasl_agent);
if(agent_p)
{
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name,
}
static void
-abort_sasl_exit(hook_data_client_exit *data)
+abort_sasl_exit(void *data_)
{
- if (data->target->preClient)
+ hook_data_client_exit *data = data_;
+ if (data->target->localClient)
abort_sasl(data->target);
}
-