unrealircd- supernets unrealircd source & configuration |
| git clone git://git.acid.vegas/unrealircd.git |
| Log | Files | Refs | Archive | README | LICENSE |
sasl.c (10888B)
1 /* 2 * IRC - Internet Relay Chat, src/modules/sasl.c 3 * (C) 2012 The UnrealIRCd Team 4 * 5 * See file AUTHORS in IRC package for additional names of 6 * the programmers. 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 1, or (at your option) 11 * any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 21 */ 22 23 #include "unrealircd.h" 24 25 ModuleHeader MOD_HEADER 26 = { 27 "sasl", 28 "5.2.1", 29 "SASL", 30 "UnrealIRCd Team", 31 "unrealircd-6", 32 }; 33 34 /* Forward declarations */ 35 void saslmechlist_free(ModData *m); 36 const char *saslmechlist_serialize(ModData *m); 37 void saslmechlist_unserialize(const char *str, ModData *m); 38 const char *sasl_capability_parameter(Client *client); 39 int sasl_server_synced(Client *client); 40 int sasl_account_login(Client *client, MessageTag *mtags); 41 EVENT(sasl_timeout); 42 43 /* Macros */ 44 #define MSG_AUTHENTICATE "AUTHENTICATE" 45 #define MSG_SASL "SASL" 46 #define AGENT_SID(agent_p) (agent_p->user != NULL ? agent_p->user->server : agent_p->name) 47 48 /* Variables */ 49 long CAP_SASL = 0L; 50 51 /* 52 * The following people were involved in making the previous iteration of SASL over 53 * IRC which allowed psuedo-identifiers: 54 * 55 * danieldg, Daniel de Graff <danieldg@inspircd.org> 56 * jilles, Jilles Tjoelker <jilles@stack.nl> 57 * Jobe, Matthew Beeching <jobe@mdbnet.co.uk> 58 * gxti, Michael Tharp <gxti@partiallystapled.com> 59 * nenolod, William Pitcock <nenolod@dereferenced.org> 60 * 61 * Thanks also to all of the client authors which have implemented SASL in their 62 * clients. With the backwards-compatibility layer allowing "lightweight" SASL 63 * implementations, we now truly have a universal authentication mechanism for 64 * IRC. 65 */ 66 67 int sasl_account_login(Client *client, MessageTag *mtags) 68 { 69 if (!MyConnect(client)) 70 return 0; 71 72 /* Notify user */ 73 if (IsLoggedIn(client)) 74 { 75 sendnumeric(client, RPL_LOGGEDIN, 76 BadPtr(client->name) ? "*" : client->name, 77 BadPtr(client->user->username) ? "*" : client->user->username, 78 BadPtr(client->user->realhost) ? "*" : client->user->realhost, 79 client->user->account, client->user->account); 80 } 81 else 82 { 83 sendnumeric(client, RPL_LOGGEDOUT, 84 BadPtr(client->name) ? "*" : client->name, 85 BadPtr(client->user->username) ? "*" : client->user->username, 86 BadPtr(client->user->realhost) ? "*" : client->user->realhost); 87 } 88 return 0; 89 } 90 91 92 /* 93 * SASL message 94 * 95 * parv[1]: distribution mask 96 * parv[2]: target 97 * parv[3]: mode/state 98 * parv[4]: data 99 * parv[5]: out-of-bound data 100 */ 101 CMD_FUNC(cmd_sasl) 102 { 103 if (!SASL_SERVER || MyUser(client) || (parc < 4) || !parv[4]) 104 return; 105 106 if (!strcasecmp(parv[1], me.name) || !strncmp(parv[1], me.id, 3)) 107 { 108 Client *target; 109 110 target = find_client(parv[2], NULL); 111 if (!target || !MyConnect(target)) 112 return; 113 114 if (target->user == NULL) 115 make_user(target); 116 117 /* reject if another SASL agent is answering */ 118 if (*target->local->sasl_agent && strcasecmp(client->name, target->local->sasl_agent)) 119 return; 120 else 121 strlcpy(target->local->sasl_agent, client->name, sizeof(target->local->sasl_agent)); 122 123 if (*parv[3] == 'C') 124 { 125 RunHookReturn(HOOKTYPE_SASL_CONTINUATION, !=0, target, parv[4]); 126 sendto_one(target, NULL, "AUTHENTICATE %s", parv[4]); 127 } 128 else if (*parv[3] == 'D') 129 { 130 *target->local->sasl_agent = '\0'; 131 if (*parv[4] == 'F') 132 { 133 target->local->sasl_sent_time = 0; 134 add_fake_lag(target, 7000); /* bump fakelag due to failed authentication attempt */ 135 RunHookReturn(HOOKTYPE_SASL_RESULT, !=0, target, 0); 136 sendnumeric(target, ERR_SASLFAIL); 137 } 138 else if (*parv[4] == 'S') 139 { 140 target->local->sasl_sent_time = 0; 141 target->local->sasl_complete++; 142 RunHookReturn(HOOKTYPE_SASL_RESULT, !=0, target, 1); 143 sendnumeric(target, RPL_SASLSUCCESS); 144 } 145 } 146 else if (*parv[3] == 'M') 147 sendnumeric(target, RPL_SASLMECHS, parv[4]); 148 149 return; 150 } 151 152 /* not for us; propagate. */ 153 sendto_server(client, 0, 0, NULL, ":%s SASL %s %s %c %s %s", 154 client->name, parv[1], parv[2], *parv[3], parv[4], parc > 5 ? parv[5] : ""); 155 } 156 157 /* 158 * AUTHENTICATE message 159 * 160 * parv[1]: data 161 */ 162 CMD_FUNC(cmd_authenticate) 163 { 164 Client *agent_p = NULL; 165 166 /* Failing to use CAP REQ for sasl is a protocol violation. */ 167 if (!SASL_SERVER || !MyConnect(client) || BadPtr(parv[1]) || !HasCapability(client, "sasl")) 168 return; 169 170 if ((parv[1][0] == ':') || strchr(parv[1], ' ')) 171 { 172 sendnumeric(client, ERR_CANNOTDOCOMMAND, "AUTHENTICATE", "Invalid parameter"); 173 return; 174 } 175 176 if (strlen(parv[1]) > 400) 177 { 178 sendnumeric(client, ERR_SASLTOOLONG); 179 return; 180 } 181 182 if (client->user == NULL) 183 make_user(client); 184 185 if (*client->local->sasl_agent) 186 agent_p = find_client(client->local->sasl_agent, NULL); 187 188 if (agent_p == NULL) 189 { 190 char *addr = BadPtr(client->ip) ? "0" : client->ip; 191 const char *certfp = moddata_client_get(client, "certfp"); 192 193 sendto_server(NULL, 0, 0, NULL, ":%s SASL %s %s H %s %s", 194 me.name, SASL_SERVER, client->id, addr, addr); 195 196 if (certfp) 197 sendto_server(NULL, 0, 0, NULL, ":%s SASL %s %s S %s %s", 198 me.name, SASL_SERVER, client->id, parv[1], certfp); 199 else 200 sendto_server(NULL, 0, 0, NULL, ":%s SASL %s %s S %s", 201 me.name, SASL_SERVER, client->id, parv[1]); 202 } 203 else 204 sendto_server(NULL, 0, 0, NULL, ":%s SASL %s %s C %s", 205 me.name, AGENT_SID(agent_p), client->id, parv[1]); 206 207 client->local->sasl_out++; 208 client->local->sasl_sent_time = TStime(); 209 } 210 211 static int abort_sasl(Client *client) 212 { 213 client->local->sasl_sent_time = 0; 214 215 if (client->local->sasl_out == 0 || client->local->sasl_complete) 216 return 0; 217 218 client->local->sasl_out = client->local->sasl_complete = 0; 219 sendnumeric(client, ERR_SASLABORTED); 220 221 if (*client->local->sasl_agent) 222 { 223 Client *agent_p = find_client(client->local->sasl_agent, NULL); 224 225 if (agent_p != NULL) 226 { 227 sendto_server(NULL, 0, 0, NULL, ":%s SASL %s %s D A", 228 me.name, AGENT_SID(agent_p), client->id); 229 return 0; 230 } 231 } 232 233 sendto_server(NULL, 0, 0, NULL, ":%s SASL * %s D A", me.name, client->id); 234 return 0; 235 } 236 237 /** Is this capability visible? 238 * Note that 'client' may be NULL when queried from CAP DEL / CAP NEW 239 */ 240 int sasl_capability_visible(Client *client) 241 { 242 if (!SASL_SERVER || !find_server(SASL_SERVER, NULL)) 243 return 0; 244 245 /* Don't advertise 'sasl' capability if we are going to reject the 246 * user anyway due to set::plaintext-policy. This way the client 247 * won't attempt SASL authentication and thus it prevents the client 248 * from sending the password unencrypted (in case of method PLAIN). 249 */ 250 if (client && !IsSecure(client) && !IsLocalhost(client) && (iConf.plaintext_policy_user == POLICY_DENY)) 251 return 0; 252 253 /* Similarly, don't advertise when we are going to reject the user 254 * due to set::outdated-tls-policy. 255 */ 256 if (IsSecure(client) && (iConf.outdated_tls_policy_user == POLICY_DENY) && outdated_tls_client(client)) 257 return 0; 258 259 return 1; 260 } 261 262 int sasl_connect(Client *client) 263 { 264 return abort_sasl(client); 265 } 266 267 int sasl_quit(Client *client, MessageTag *mtags, const char *comment) 268 { 269 return abort_sasl(client); 270 } 271 272 int sasl_server_quit(Client *client, MessageTag *mtags) 273 { 274 if (!SASL_SERVER) 275 return 0; 276 277 /* If the set::sasl-server is gone, let everyone know 'sasl' is no longer available */ 278 if (!strcasecmp(client->name, SASL_SERVER)) 279 send_cap_notify(0, "sasl"); 280 281 return 0; 282 } 283 284 void auto_discover_sasl_server(int justlinked) 285 { 286 if (!SASL_SERVER && SERVICES_NAME) 287 { 288 Client *client = find_server(SERVICES_NAME, NULL); 289 if (client && moddata_client_get(client, "saslmechlist")) 290 { 291 /* SASL server found */ 292 if (justlinked) 293 { 294 unreal_log(ULOG_INFO, "config", "SASL_SERVER_AUTODETECT", client, 295 "Services server $client provides SASL authentication, good! " 296 "I'm setting set::sasl-server to \"$client\" internally."); 297 } 298 safe_strdup(SASL_SERVER, SERVICES_NAME); 299 if (justlinked) 300 sasl_server_synced(client); 301 } 302 } 303 } 304 305 int sasl_server_synced(Client *client) 306 { 307 if (!SASL_SERVER) 308 { 309 auto_discover_sasl_server(1); 310 return 0; 311 } 312 313 /* If the set::sasl-server is gone, let everyone know 'sasl' is no longer available */ 314 if (!strcasecmp(client->name, SASL_SERVER)) 315 send_cap_notify(1, "sasl"); 316 317 return 0; 318 } 319 320 MOD_INIT() 321 { 322 ClientCapabilityInfo cap; 323 ModDataInfo mreq; 324 325 MARK_AS_OFFICIAL_MODULE(modinfo); 326 327 CommandAdd(modinfo->handle, MSG_SASL, cmd_sasl, MAXPARA, CMD_USER|CMD_SERVER); 328 CommandAdd(modinfo->handle, MSG_AUTHENTICATE, cmd_authenticate, MAXPARA, CMD_UNREGISTERED|CMD_USER); 329 330 HookAdd(modinfo->handle, HOOKTYPE_LOCAL_CONNECT, 0, sasl_connect); 331 HookAdd(modinfo->handle, HOOKTYPE_LOCAL_QUIT, 0, sasl_quit); 332 HookAdd(modinfo->handle, HOOKTYPE_SERVER_QUIT, 0, sasl_server_quit); 333 HookAdd(modinfo->handle, HOOKTYPE_SERVER_SYNCED, 0, sasl_server_synced); 334 HookAdd(modinfo->handle, HOOKTYPE_ACCOUNT_LOGIN, 0, sasl_account_login); 335 336 memset(&cap, 0, sizeof(cap)); 337 cap.name = "sasl"; 338 cap.visible = sasl_capability_visible; 339 cap.parameter = sasl_capability_parameter; 340 ClientCapabilityAdd(modinfo->handle, &cap, &CAP_SASL); 341 342 memset(&mreq, 0, sizeof(mreq)); 343 mreq.name = "saslmechlist"; 344 mreq.free = saslmechlist_free; 345 mreq.serialize = saslmechlist_serialize; 346 mreq.unserialize = saslmechlist_unserialize; 347 mreq.sync = MODDATA_SYNC_EARLY; 348 mreq.self_write = 1; 349 mreq.type = MODDATATYPE_CLIENT; 350 ModDataAdd(modinfo->handle, mreq); 351 352 EventAdd(modinfo->handle, "sasl_timeout", sasl_timeout, NULL, 2000, 0); 353 354 return MOD_SUCCESS; 355 } 356 357 MOD_LOAD() 358 { 359 auto_discover_sasl_server(0); 360 return MOD_SUCCESS; 361 } 362 363 MOD_UNLOAD() 364 { 365 return MOD_SUCCESS; 366 } 367 368 void saslmechlist_free(ModData *m) 369 { 370 safe_free(m->str); 371 } 372 373 const char *saslmechlist_serialize(ModData *m) 374 { 375 if (!m->str) 376 return NULL; 377 return m->str; 378 } 379 380 void saslmechlist_unserialize(const char *str, ModData *m) 381 { 382 safe_strdup(m->str, str); 383 } 384 385 const char *sasl_capability_parameter(Client *client) 386 { 387 Client *server; 388 389 if (SASL_SERVER) 390 { 391 server = find_server(SASL_SERVER, NULL); 392 if (server) 393 return moddata_client_get(server, "saslmechlist"); /* NOTE: could still return NULL */ 394 } 395 396 return NULL; 397 } 398 399 EVENT(sasl_timeout) 400 { 401 Client *client; 402 403 list_for_each_entry(client, &unknown_list, lclient_node) 404 { 405 if (client->local->sasl_sent_time && 406 (TStime() - client->local->sasl_sent_time > iConf.sasl_timeout)) 407 { 408 sendnotice(client, "SASL request timed out (server or client misbehaving) -- aborting SASL and continuing connection..."); 409 abort_sasl(client); 410 } 411 } 412 }