X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/9d07a42d7a2377eb59150dd0316a884855cbeb2f..67ab06dd8a4c6840fcba129891cd9096543a0478:/modules/m_sasl.c diff --git a/modules/m_sasl.c b/modules/m_sasl.c index 470832cb..3ac5a139 100644 --- a/modules/m_sasl.c +++ b/modules/m_sasl.c @@ -1,6 +1,7 @@ /* modules/m_sasl.c * Copyright (C) 2006 Michael Tharp * Copyright (C) 2006 charybdis development team + * Copyright (C) 2016 ChatLounge IRC Network Development Team * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -51,11 +52,14 @@ static void me_mechlist(struct MsgBuf *, struct Client *, struct Client *, int, static void abort_sasl(struct Client *); static void abort_sasl_exit(hook_data_client_exit *); -static void advertise_sasl(struct Client *); -static void advertise_sasl_exit(hook_data_client_exit *); +static void advertise_sasl_cap(bool); +static void advertise_sasl_new(struct Client *); +static void advertise_sasl_exit(void *); +static void advertise_sasl_config(void *); static unsigned int CLICAP_SASL = 0; static char mechlist_buf[BUFSIZE]; +static bool sasl_agent_present = false; struct Message authenticate_msgtab = { "AUTHENTICATE", 0, 0, 0, 0, @@ -76,13 +80,14 @@ mapi_clist_av1 sasl_clist[] = { mapi_hfn_list_av1 sasl_hfnlist[] = { { "new_local_user", (hookfn) abort_sasl }, { "client_exit", (hookfn) abort_sasl_exit }, - { "new_remote_user", (hookfn) advertise_sasl }, - { "client_exit", (hookfn) advertise_sasl_exit }, + { "new_remote_user", (hookfn) advertise_sasl_new }, + { "after_client_exit", (hookfn) advertise_sasl_exit }, + { "conf_read_end", (hookfn) advertise_sasl_config }, { NULL, NULL } }; static bool -sasl_visible(struct Client *client_p) +sasl_visible(struct Client *ignored) { struct Client *agent_p = NULL; @@ -101,24 +106,31 @@ sasl_data(struct Client *client_p) static struct ClientCapability capdata_sasl = { .visible = sasl_visible, .data = sasl_data, - .flags = CLICAP_FLAGS_STICKY, + .flags = CLICAP_FLAGS_STICKY | CLICAP_FLAGS_PRIORITY, +}; + +mapi_cap_list_av2 sasl_cap_list[] = { + { MAPI_CAP_CLIENT, "sasl", &capdata_sasl, &CLICAP_SASL }, + { 0, NULL, NULL, NULL }, }; static int _modinit(void) { memset(mechlist_buf, 0, sizeof mechlist_buf); - CLICAP_SASL = capability_put(cli_capindex, "sasl", &capdata_sasl); + sasl_agent_present = false; + + advertise_sasl_config(NULL); return 0; } static void _moddeinit(void) { - capability_orphan(cli_capindex, "sasl"); + advertise_sasl_cap(false); } -DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, NULL, NULL, sasl_desc); +DECLARE_MODULE_AV2(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, sasl_cap_list, NULL, sasl_desc); static void m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, @@ -137,12 +149,18 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client * return; } - if(strlen(client_p->id) == 3) + if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id))) { exit_client(client_p, client_p, client_p, "Mixing client and server protocol"); return; } + if (*parv[1] == ':' || strchr(parv[1], ' ')) + { + exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE"); + return; + } + saslserv_p = find_named_client(ConfigFileEntry.sasl_service); if(saslserv_p == NULL || !IsService(saslserv_p)) { @@ -165,7 +183,7 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client * if(!*source_p->id) { /* Allocate a UID. */ - strcpy(source_p->id, generate_uid()); + rb_strlcpy(source_p->id, generate_uid(), sizeof(source_p->id)); add_to_id_hash(source_p->id, source_p); } @@ -174,9 +192,17 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client * if(agent_p == NULL) { - sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s", + if (!strcmp(parv[1], "*")) + { + sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name); + source_p->localClient->sasl_out = 0; + return; + } + + sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c", me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id, - source_p->host, source_p->sockhost); + source_p->host, source_p->sockhost, + IsSSL(source_p) ? 'S' : 'P'); if (source_p->certfp != NULL) sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s", @@ -190,9 +216,20 @@ m_authenticate(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client * rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN); } else + { + if (!strcmp(parv[1], "*")) + { + sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name); + sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id); + source_p->localClient->sasl_out = 0; + return; + } + sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name, source_p->id, agent_p->id, parv[1]); + } + source_p->localClient->sasl_out++; } @@ -201,6 +238,7 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_ int parc, const char *parv[]) { struct Client *target_p, *agent_p; + bool in_progress; /* Let propagate if not addressed to us, or if broadcast. * Only SASL agents can answer global requests. @@ -223,29 +261,40 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_ if(!IsService(agent_p)) return; + /* If SASL has been aborted, we only want to track authentication failures. */ + in_progress = target_p->localClient->sasl_out != 0; + /* Reject if someone has already answered. */ if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN)) return; - else if(!*target_p->localClient->sasl_agent) + else if(!*target_p->localClient->sasl_agent && in_progress) rb_strlcpy(target_p->localClient->sasl_agent, parv[1], IDLEN); if(*parv[3] == 'C') { - sendto_one(target_p, "AUTHENTICATE %s", parv[4]); - target_p->localClient->sasl_messages++; + if (in_progress) { + sendto_one(target_p, "AUTHENTICATE %s", parv[4]); + target_p->localClient->sasl_messages++; + } } else if(*parv[3] == 'D') { if(*parv[4] == 'F') { - sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name); + if (in_progress) { + sendto_one(target_p, form_str(ERR_SASLFAIL), me.name, EmptyString(target_p->name) ? "*" : target_p->name); + } /* Failures with zero messages are just "unknown mechanism" errors; don't count those. */ if(target_p->localClient->sasl_messages > 0) { if(*target_p->name) { - target_p->localClient->sasl_failures++; - target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 5, 13)); + /* Allow 2 tries before rate-limiting as some clients try EXTERNAL + * then PLAIN right after it if the auth failed, causing the client to be + * rate-limited immediately and not being able to login with SASL. + */ + if (target_p->localClient->sasl_failures++ > 0) + target_p->localClient->sasl_next_retry = rb_current_time() + (1 << MIN(target_p->localClient->sasl_failures + 1, 8)); } else if(throttle_add((struct sockaddr*)&target_p->localClient->ip)) { @@ -256,16 +305,22 @@ me_sasl(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_ } else if(*parv[4] == 'S') { - sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name); - target_p->localClient->sasl_failures = 0; - target_p->localClient->sasl_complete = 1; - ServerStats.is_ssuc++; + if (in_progress) { + sendto_one(target_p, form_str(RPL_SASLSUCCESS), me.name, EmptyString(target_p->name) ? "*" : target_p->name); + target_p->localClient->sasl_failures = 0; + target_p->localClient->sasl_complete = 1; + ServerStats.is_ssuc++; + } } *target_p->localClient->sasl_agent = '\0'; /* Blank the stored agent so someone else can answer */ target_p->localClient->sasl_messages = 0; } else if(*parv[3] == 'M') - sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]); + { + if (in_progress) { + sendto_one(target_p, form_str(RPL_SASLMECHS), me.name, EmptyString(target_p->name) ? "*" : target_p->name, parv[4]); + } + } } static void @@ -313,7 +368,20 @@ abort_sasl_exit(hook_data_client_exit *data) } static void -advertise_sasl(struct Client *client_p) +advertise_sasl_cap(bool available) +{ + if (sasl_agent_present != available) { + if (available) { + sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name); + } else { + sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name); + } + sasl_agent_present = available; + } +} + +static void +advertise_sasl_new(struct Client *client_p) { if (!ConfigFileEntry.sasl_service) return; @@ -321,17 +389,22 @@ advertise_sasl(struct Client *client_p) if (irccmp(client_p->name, ConfigFileEntry.sasl_service)) return; - sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name); + advertise_sasl_cap(IsService(client_p)); } static void -advertise_sasl_exit(hook_data_client_exit *data) +advertise_sasl_exit(void *ignored) { if (!ConfigFileEntry.sasl_service) return; - if (irccmp(data->target->name, ConfigFileEntry.sasl_service)) - return; + if (sasl_agent_present) { + advertise_sasl_cap(sasl_visible(NULL)); + } +} - sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name); +static void +advertise_sasl_config(void *ignored) +{ + advertise_sasl_cap(sasl_visible(NULL)); }