src/modules/m_sasl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "m_cap.h"
  23 #include "account.h"
  24 #include "sasl.h"
  25 #include "ssl.h"
  26
  27 /* $ModDesc: Provides support for IRC Authentication Layer (aka: atheme SASL) via AUTHENTICATE. */
  28
  29 enum SaslState { SASL_INIT, SASL_COMM, SASL_DONE };
  30 enum SaslResult { SASL_OK, SASL_FAIL, SASL_ABORT };
  31
  32 static std::string sasl_target = "*";
  33
  34 static void SendSASL(const parameterlist& params)
  35 {
  36         if (!ServerInstance->PI->SendEncapsulatedData(params))
  37         {
  38                 SASLFallback(NULL, params);
  39         }
  40 }
  41
  42 /**
  43  * Tracks SASL authentication state like charybdis does. --nenolod
  44  */
  45 class SaslAuthenticator
  46 {
  47  private:
  48         std::string agent;
  49         User *user;
  50         SaslState state;
  51         SaslResult result;
  52         bool state_announced;
  53
  54  public:
  55         SaslAuthenticator(User* user_, const std::string& method)
  56                 : user(user_), state(SASL_INIT), state_announced(false)
  57         {
  58                 parameterlist params;
  59                 params.push_back(sasl_target);
  60                 params.push_back("SASL");
  61                 params.push_back(user->uuid);
  62                 params.push_back("*");
  63                 params.push_back("S");
  64                 params.push_back(method);
  65
  66                 if (method == "EXTERNAL" && IS_LOCAL(user_))
  67                 {
  68                         SocketCertificateRequest req(&((LocalUser*)user_)->eh, ServerInstance->Modules->Find("m_sasl.so"));
  69                         std::string fp = req.GetFingerprint();
  70
  71                         if (fp.size())
  72                                 params.push_back(fp);
  73                 }
  74
  75                 SendSASL(params);
  76         }
  77
  78         SaslResult GetSaslResult(const std::string &result_)
  79         {
  80                 if (result_ == "F")
  81                         return SASL_FAIL;
  82
  83                 if (result_ == "A")
  84                         return SASL_ABORT;
  85
  86                 return SASL_OK;
  87         }
  88
  89         /* checks for and deals with a state change. */
  90         SaslState ProcessInboundMessage(const std::vector<std::string> &msg)
  91         {
  92                 switch (this->state)
  93                 {
  94                  case SASL_INIT:
  95                         this->agent = msg[0];
  96                         this->state = SASL_COMM;
  97                         /* fall through */
  98                  case SASL_COMM:
  99                         if (msg[0] != this->agent)
 100                                 return this->state;
 101
 102                         if (msg.size() < 4)
 103                                 return this->state;
 104
 105                         if (msg[2] == "C")
 106                                 this->user->Write("AUTHENTICATE %s", msg[3].c_str());
 107                         else if (msg[2] == "D")
 108                         {
 109                                 this->state = SASL_DONE;
 110                                 this->result = this->GetSaslResult(msg[3]);
 111                         }
 112                         else if (msg[2] == "M")
 113                                 this->user->WriteNumeric(908, "%s %s :are available SASL mechanisms", this->user->nick.c_str(), msg[3].c_str());
 114                         else
 115                                 ServerInstance->Logs->Log("m_sasl", DEFAULT, "Services sent an unknown SASL message \"%s\" \"%s\"", msg[2].c_str(), msg[3].c_str());
 116
 117                         break;
 118                  case SASL_DONE:
 119                         break;
 120                  default:
 121                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WTF: SaslState is not a known state (%d)", this->state);
 122                         break;
 123                 }
 124
 125                 return this->state;
 126         }
 127
 128         void Abort(void)
 129         {
 130                 this->state = SASL_DONE;
 131                 this->result = SASL_ABORT;
 132         }
 133
 134         bool SendClientMessage(const std::vector<std::string>& parameters)
 135         {
 136                 if (this->state != SASL_COMM)
 137                         return true;
 138
 139                 parameterlist params;
 140                 params.push_back(sasl_target);
 141                 params.push_back("SASL");
 142                 params.push_back(this->user->uuid);
 143                 params.push_back(this->agent);
 144                 params.push_back("C");
 145
 146                 params.insert(params.end(), parameters.begin(), parameters.end());
 147
 148                 SendSASL(params);
 149
 150                 if (parameters[0].c_str()[0] == '*')
 151                 {
 152                         this->Abort();
 153                         return false;
 154                 }
 155
 156                 return true;
 157         }
 158
 159         void AnnounceState(void)
 160         {
 161                 if (this->state_announced)
 162                         return;
 163
 164                 switch (this->result)
 165                 {
 166                  case SASL_OK:
 167                         this->user->WriteNumeric(903, "%s :SASL authentication successful", this->user->nick.c_str());
 168                         break;
 169                  case SASL_ABORT:
 170                         this->user->WriteNumeric(906, "%s :SASL authentication aborted", this->user->nick.c_str());
 171                         break;
 172                  case SASL_FAIL:
 173                         this->user->WriteNumeric(904, "%s :SASL authentication failed", this->user->nick.c_str());
 174                         break;
 175                  default:
 176                         break;
 177                 }
 178
 179                 this->state_announced = true;
 180         }
 181 };
 182
 183 class CommandAuthenticate : public Command
 184 {
 185  public:
 186         SimpleExtItem<SaslAuthenticator>& authExt;
 187         GenericCap& cap;
 188         CommandAuthenticate(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext, GenericCap& Cap)
 189                 : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
 190         {
 191                 works_before_reg = true;
 192                 allow_empty_last_param = false;
 193         }
 194
 195         CmdResult Handle (const std::vector<std::string>& parameters, User *user)
 196         {
 197                 /* Only allow AUTHENTICATE on unregistered clients */
 198                 if (user->registered != REG_ALL)
 199                 {
 200                         if (!cap.ext.get(user))
 201                                 return CMD_FAILURE;
 202
 203                         if (parameters[0].find(' ') != std::string::npos || parameters[0][0] == ':')
 204                                 return CMD_FAILURE;
 205
 206                         SaslAuthenticator *sasl = authExt.get(user);
 207                         if (!sasl)
 208                                 authExt.set(user, new SaslAuthenticator(user, parameters[0]));
 209                         else if (sasl->SendClientMessage(parameters) == false)  // IAL abort extension --nenolod
 210                         {
 211                                 sasl->AnnounceState();
 212                                 authExt.unset(user);
 213                         }
 214                 }
 215                 return CMD_FAILURE;
 216         }
 217 };
 218
 219 class CommandSASL : public Command
 220 {
 221  public:
 222         SimpleExtItem<SaslAuthenticator>& authExt;
 223         CommandSASL(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext) : Command(Creator, "SASL", 2), authExt(ext)
 224         {
 225                 this->flags_needed = FLAG_SERVERONLY; // should not be called by users
 226         }
 227
 228         CmdResult Handle(const std::vector<std::string>& parameters, User *user)
 229         {
 230                 User* target = ServerInstance->FindNick(parameters[1]);
 231                 if ((!target) || (IS_SERVER(target)))
 232                 {
 233                         ServerInstance->Logs->Log("m_sasl", DEBUG,"User not found in sasl ENCAP event: %s", parameters[1].c_str());
 234                         return CMD_FAILURE;
 235                 }
 236
 237                 SaslAuthenticator *sasl = authExt.get(target);
 238                 if (!sasl)
 239                         return CMD_FAILURE;
 240
 241                 SaslState state = sasl->ProcessInboundMessage(parameters);
 242                 if (state == SASL_DONE)
 243                 {
 244                         sasl->AnnounceState();
 245                         authExt.unset(target);
 246                 }
 247                 return CMD_SUCCESS;
 248         }
 249
 250         RouteDescriptor GetRouting(User* user, const std::vector<std::string>& parameters)
 251         {
 252                 return ROUTE_BROADCAST;
 253         }
 254 };
 255
 256 class ModuleSASL : public Module
 257 {
 258         SimpleExtItem<SaslAuthenticator> authExt;
 259         GenericCap cap;
 260         CommandAuthenticate auth;
 261         CommandSASL sasl;
 262  public:
 263         ModuleSASL()
 264                 : authExt("sasl_auth", this), cap(this, "sasl"), auth(this, authExt, cap), sasl(this, authExt)
 265         {
 266         }
 267
 268         void init()
 269         {
 270                 OnRehash(NULL);
 271                 Implementation eventlist[] = { I_OnEvent, I_OnUserConnect, I_OnRehash };
 272                 ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 273
 274                 ServiceProvider* providelist[] = { &auth, &sasl, &authExt };
 275                 ServerInstance->Modules->AddServices(providelist, 3);
 276
 277                 if (!ServerInstance->Modules->Find("m_services_account.so") || !ServerInstance->Modules->Find("m_cap.so"))
 278                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WARNING: m_services_account.so and m_cap.so are not loaded! m_sasl.so will NOT function correctly until these two modules are loaded!");
 279         }
 280
 281         void OnRehash(User*)
 282         {
 283                 sasl_target = ServerInstance->Config->ConfValue("sasl")->getString("target", "*");
 284         }
 285
 286         void OnUserConnect(LocalUser *user)
 287         {
 288                 SaslAuthenticator *sasl_ = authExt.get(user);
 289                 if (sasl_)
 290                 {
 291                         sasl_->Abort();
 292                         authExt.unset(user);
 293                 }
 294         }
 295
 296         Version GetVersion()
 297         {
 298                 return Version("Provides support for IRC Authentication Layer (aka: SASL) via AUTHENTICATE.", VF_VENDOR);
 299         }
 300
 301         void OnEvent(Event &ev)
 302         {
 303                 cap.HandleEvent(ev);
 304         }
 305 };
 306
 307 MODULE_INIT(ModuleSASL)