]> jfr.im git - solanum.git/blobdiff - modules/m_sasl.c
projects / solanum.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Combine stats A output parameters (#35)
[solanum.git] / modules / m_sasl.c
diff --git a/modules/m_sasl.c b/modules/m_sasl.c
index 470832cb85d5c4f72b99797a98c5dee224ee059d..3ac5a1397b45f8139ec164f1bef2134ec280b755 100644 (file)
--- a/modules/m_sasl.c
+++ b/modules/m_sasl.c
@@ -1,6 +1,7 @@
 /* modules/m_sasl.c
  *   Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
  *   Copyright (C) 2006 charybdis development team
+ *   Copyright (C) 2016 ChatLounge IRC Network Development Team
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -51,11 +52,14 @@ static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int,
 static void abort_sasl(struct Client *);
 static void abort_sasl_exit(hook_data_client_exit *);
 
-static void advertise_sasl(struct Client *);
-static void advertise_sasl_exit(hook_data_client_exit *);
+static void advertise_sasl_cap(bool);
+static void advertise_sasl_new(struct Client *);
+static void advertise_sasl_exit(void *);
+static void advertise_sasl_config(void *);
 
 static unsigned int CLICAP_SASL = 0;
 static char mechlist_buf[BUFSIZE];
+static bool sasl_agent_present = false;
 
 struct Message authenticate_msgtab = {
        "AUTHENTICATE", 0, 0, 0, 0,
@@ -76,13 +80,14 @@ mapi_clist_av1 sasl_clist[] = {
 mapi_hfn_list_av1 sasl_hfnlist[] = {
        { "new_local_user",     (hookfn) abort_sasl },
        { "client_exit",        (hookfn) abort_sasl_exit },
-       { "new_remote_user",    (hookfn) advertise_sasl },
-       { "client_exit",        (hookfn) advertise_sasl_exit },
+       { "new_remote_user",    (hookfn) advertise_sasl_new },
+       { "after_client_exit",  (hookfn) advertise_sasl_exit },
+       { "conf_read_end",      (hookfn) advertise_sasl_config },
        { NULL, NULL }
 };
 
 static bool
-sasl_visible(struct Client *client_p)
+sasl_visible(struct Client *ignored)
 {
        struct Client *agent_p = NULL;
 
@@ -101,24 +106,31 @@ sasl_data(struct Client *client_p)
 static struct ClientCapability capdata_sasl = {
        .visible = sasl_visible,
        .data = sasl_data,
-       .flags = CLICAP_FLAGS_STICKY,
+       .flags = CLICAP_FLAGS_STICKY | CLICAP_FLAGS_PRIORITY,
+};
+
+mapi_cap_list_av2 sasl_cap_list[] = {
+       { MAPI_CAP_CLIENT, "sasl", &capdata_sasl, &CLICAP_SASL },
+       { 0, NULL, NULL, NULL },
 };
 
 static int
 _modinit(void)
 {
        memset(mechlist_buf, 0, sizeof mechlist_buf);
-       CLICAP_SASL = capability_put(cli_capindex, "sasl", &capdata_sasl);
+       sasl_agent_present = false;
+
+       advertise_sasl_config(NULL);
        return 0;
 }
 
 static void
 _moddeinit(void)
 {
-       capability_orphan(cli_capindex, "sasl");
+       advertise_sasl_cap(false);
 }
 
-DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, NULL, NULL, sasl_desc);
+DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, sasl_cap_list, NULL, sasl_desc);
 
 static void
 m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p,
@@ -137,12 +149,18 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *
                return;
        }
 
-       if(strlen(client_p->id) == 3)
+       if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
        {
                exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
                return;
        }
 
+       if (*parv[1] == ':' || strchr(parv[1], ' '))
+       {
+               exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
+               return;
+       }
+
        saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
        if(saslserv_p == NULL || !IsService(saslserv_p))
        {
@@ -165,7 +183,7 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *
        if(!*source_p->id)
        {
                /* Allocate a UID. */
-               strcpy(source_p->id, generate_uid());
+               rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id));
                add_to_id_hash(source_p->id, source_p);
        }
 
@@ -174,9 +192,17 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *
 
        if(agent_p == NULL)
        {
-               sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s",
+               if (!strcmp(parv[1], "*"))
+               {
+                       sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+                       source_p->localClient->sasl_out = 0;
+                       return;
+               }
+
+               sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
                                        me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
-                                       source_p->host, source_p->sockhost);
+                                       source_p->host, source_p->sockhost,
+                                       IsSSL(source_p) ? 'S' : 'P');
 
                if (source_p->certfp != NULL)
                        sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
@@ -190,9 +216,20 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *
                rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
        }
        else
+       {
+               if (!strcmp(parv[1], "*"))
+               {
+                       sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+                       sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
+                       source_p->localClient->sasl_out = 0;
+                       return;
+               }
+
                sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
                                me.id, agent_p->servptr->name, source_p->id, agent_p->id,
                                parv[1]);
+       }
+
        source_p->localClient->sasl_out++;
 }
 
@@ -201,6 +238,7 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_
        int parc, const char *parv[])
 {
        struct Client *target_p, *agent_p;
+       bool in_progress;
 
        /* Let propagate if not addressed to us, or if broadcast.
         * Only SASL agents can answer global requests.
@@ -223,29 +261,40 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_
        if(!IsService(agent_p))
                return;
 
+       /* If SASL has been aborted, we only want to track authentication failures. */
+       in_progress = target_p->localClient->sasl_out != 0;
+
        /* Reject if someone has already answered. */
        if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
                return;
-       else if(!*target_p->localClient->sasl_agent)
+       else if(!*target_p->localClient->sasl_agent && in_progress)
                rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN);
 
        if(*parv[3] == 'C')
        {
-               sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
-               target_p->localClient->sasl_messages++;
+               if (in_progress) {
+                       sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
+                       target_p->localClient->sasl_messages++;
+               }
        }
        else if(*parv[3] == 'D')
        {
                if(*parv[4] == 'F')
                {
-                       sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+                       if (in_progress) {
+                               sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+                       }
                        /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */
                        if(target_p->localClient->sasl_messages > 0)
                        {
                                if(*target_p->name)
                                {
-                                       target_p->localClient->sasl_failures++;
-                                       target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 5, 13));
+                                       /* Allow 2 tries before rate-limiting as some clients try EXTERNAL
+                                        * then PLAIN right after it if the auth failed, causing the client to be
+                                        * rate-limited immediately and not being able to login with SASL.
+                                        */
+                                       if (target_p->localClient->sasl_failures++ > 0)
+                                               target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8));
                                }
                                else if(throttle_add((struct sockaddr*)&target_p->localClient->ip))
                                {
@@ -256,16 +305,22 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_
                }
                else if(*parv[4] == 'S')
                {
-                       sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
-                       target_p->localClient->sasl_failures = 0;
-                       target_p->localClient->sasl_complete = 1;
-                       ServerStats.is_ssuc++;
+                       if (in_progress) {
+                               sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name);
+                               target_p->localClient->sasl_failures = 0;
+                               target_p->localClient->sasl_complete = 1;
+                               ServerStats.is_ssuc++;
+                       }
                }
                *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */
                target_p->localClient->sasl_messages = 0;
        }
        else if(*parv[3] == 'M')
-               sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
+       {
+               if (in_progress) {
+                       sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]);
+               }
+       }
 }
 
 static void
@@ -313,7 +368,20 @@ abort_sasl_exit(hook_data_client_exit *data)
 }
 
 static void
-advertise_sasl(struct Client *client_p)
+advertise_sasl_cap(bool available)
+{
+       if (sasl_agent_present != available) {
+               if (available) {
+                       sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+               } else {
+                       sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+               }
+               sasl_agent_present = available;
+       }
+}
+
+static void
+advertise_sasl_new(struct Client *client_p)
 {
        if (!ConfigFileEntry.sasl_service)
                return;
@@ -321,17 +389,22 @@ advertise_sasl(struct Client *client_p)
        if (irccmp(client_p->name, ConfigFileEntry.sasl_service))
                return;
 
-       sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+       advertise_sasl_cap(IsService(client_p));
 }
 
 static void
-advertise_sasl_exit(hook_data_client_exit *data)
+advertise_sasl_exit(void *ignored)
 {
        if (!ConfigFileEntry.sasl_service)
                return;
 
-       if (irccmp(data->target->name, ConfigFileEntry.sasl_service))
-               return;
+       if (sasl_agent_present) {
+               advertise_sasl_cap(sasl_visible(NULL));
+       }
+}
 
-       sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+static void
+advertise_sasl_config(void *ignored)
+{
+       advertise_sasl_cap(sasl_visible(NULL));
 }
Fork of solanum ircd, history is rebased regularly