src/modules/m_sasl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "m_cap.h"
  23 #include "account.h"
  24 #include "sasl.h"
  25 #include "ssl.h"
  26
  27 /* $ModDesc: Provides support for IRC Authentication Layer (aka: atheme SASL) via AUTHENTICATE. */
  28
  29 enum SaslState { SASL_INIT, SASL_COMM, SASL_DONE };
  30 enum SaslResult { SASL_OK, SASL_FAIL, SASL_ABORT };
  31
  32 static std::string sasl_target = "*";
  33
  34 static void SendSASL(const parameterlist& params)
  35 {
  36         if (!ServerInstance->PI->SendEncapsulatedData(params))
  37         {
  38                 SASLFallback(NULL, params);
  39         }
  40 }
  41
  42 /**
  43  * Tracks SASL authentication state like charybdis does. --nenolod
  44  */
  45 class SaslAuthenticator
  46 {
  47  private:
  48         std::string agent;
  49         User *user;
  50         SaslState state;
  51         SaslResult result;
  52         bool state_announced;
  53
  54  public:
  55         SaslAuthenticator(User* user_, const std::string& method)
  56                 : user(user_), state(SASL_INIT), state_announced(false)
  57         {
  58                 parameterlist params;
  59                 params.push_back(sasl_target);
  60                 params.push_back("SASL");
  61                 params.push_back(user->uuid);
  62                 params.push_back("*");
  63                 params.push_back("S");
  64                 params.push_back(method);
  65
  66                 if (method == "EXTERNAL" && IS_LOCAL(user_))
  67                 {
  68                         SocketCertificateRequest req(&((LocalUser*)user_)->eh, ServerInstance->Modules->Find("m_sasl.so"));
  69                         std::string fp = req.GetFingerprint();
  70
  71                         if (fp.size())
  72                                 params.push_back(fp);
  73                 }
  74
  75                 SendSASL(params);
  76         }
  77
  78         SaslResult GetSaslResult(const std::string &result_)
  79         {
  80                 if (result_ == "F")
  81                         return SASL_FAIL;
  82
  83                 if (result_ == "A")
  84                         return SASL_ABORT;
  85
  86                 return SASL_OK;
  87         }
  88
  89         /* checks for and deals with a state change. */
  90         SaslState ProcessInboundMessage(const std::vector<std::string> &msg)
  91         {
  92                 switch (this->state)
  93                 {
  94                  case SASL_INIT:
  95                         this->agent = msg[0];
  96                         this->state = SASL_COMM;
  97                         /* fall through */
  98                  case SASL_COMM:
  99                         if (msg[0] != this->agent)
 100                                 return this->state;
 101
 102                         if (msg[2] == "C")
 103                                 this->user->Write("AUTHENTICATE %s", msg[3].c_str());
 104                         else if (msg[2] == "D")
 105                         {
 106                                 this->state = SASL_DONE;
 107                                 this->result = this->GetSaslResult(msg[3]);
 108                         }
 109                         else if (msg[2] == "M")
 110                                 this->user->WriteNumeric(908, "%s %s :are available SASL mechanisms", this->user->nick.c_str(), msg[3].c_str());
 111                         else
 112                                 ServerInstance->Logs->Log("m_sasl", DEFAULT, "Services sent an unknown SASL message \"%s\" \"%s\"", msg[2].c_str(), msg[3].c_str());
 113
 114                         break;
 115                  case SASL_DONE:
 116                         break;
 117                  default:
 118                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WTF: SaslState is not a known state (%d)", this->state);
 119                         break;
 120                 }
 121
 122                 return this->state;
 123         }
 124
 125         void Abort(void)
 126         {
 127                 this->state = SASL_DONE;
 128                 this->result = SASL_ABORT;
 129         }
 130
 131         bool SendClientMessage(const std::vector<std::string>& parameters)
 132         {
 133                 if (this->state != SASL_COMM)
 134                         return true;
 135
 136                 parameterlist params;
 137                 params.push_back(sasl_target);
 138                 params.push_back("SASL");
 139                 params.push_back(this->user->uuid);
 140                 params.push_back(this->agent);
 141                 params.push_back("C");
 142
 143                 params.insert(params.end(), parameters.begin(), parameters.end());
 144
 145                 SendSASL(params);
 146
 147                 if (parameters[0][0] == '*')
 148                 {
 149                         this->Abort();
 150                         return false;
 151                 }
 152
 153                 return true;
 154         }
 155
 156         void AnnounceState(void)
 157         {
 158                 if (this->state_announced)
 159                         return;
 160
 161                 switch (this->result)
 162                 {
 163                  case SASL_OK:
 164                         this->user->WriteNumeric(903, "%s :SASL authentication successful", this->user->nick.c_str());
 165                         break;
 166                  case SASL_ABORT:
 167                         this->user->WriteNumeric(906, "%s :SASL authentication aborted", this->user->nick.c_str());
 168                         break;
 169                  case SASL_FAIL:
 170                         this->user->WriteNumeric(904, "%s :SASL authentication failed", this->user->nick.c_str());
 171                         break;
 172                  default:
 173                         break;
 174                 }
 175
 176                 this->state_announced = true;
 177         }
 178 };
 179
 180 class CommandAuthenticate : public Command
 181 {
 182  public:
 183         SimpleExtItem<SaslAuthenticator>& authExt;
 184         GenericCap& cap;
 185         CommandAuthenticate(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext, GenericCap& Cap)
 186                 : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
 187         {
 188                 works_before_reg = true;
 189         }
 190
 191         CmdResult Handle (const std::vector<std::string>& parameters, User *user)
 192         {
 193                 /* Only allow AUTHENTICATE on unregistered clients */
 194                 if (user->registered != REG_ALL)
 195                 {
 196                         if (!cap.ext.get(user))
 197                                 return CMD_FAILURE;
 198
 199                         SaslAuthenticator *sasl = authExt.get(user);
 200                         if (!sasl)
 201                                 authExt.set(user, new SaslAuthenticator(user, parameters[0]));
 202                         else if (sasl->SendClientMessage(parameters) == false)  // IAL abort extension --nenolod
 203                         {
 204                                 sasl->AnnounceState();
 205                                 authExt.unset(user);
 206                         }
 207                 }
 208                 return CMD_FAILURE;
 209         }
 210 };
 211
 212 class CommandSASL : public Command
 213 {
 214  public:
 215         SimpleExtItem<SaslAuthenticator>& authExt;
 216         CommandSASL(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext) : Command(Creator, "SASL", 2), authExt(ext)
 217         {
 218                 this->flags_needed = FLAG_SERVERONLY; // should not be called by users
 219         }
 220
 221         CmdResult Handle(const std::vector<std::string>& parameters, User *user)
 222         {
 223                 User* target = ServerInstance->FindNick(parameters[1]);
 224                 if ((!target) || (IS_SERVER(target)))
 225                 {
 226                         ServerInstance->Logs->Log("m_sasl", DEBUG,"User not found in sasl ENCAP event: %s", parameters[1].c_str());
 227                         return CMD_FAILURE;
 228                 }
 229
 230                 SaslAuthenticator *sasl = authExt.get(target);
 231                 if (!sasl)
 232                         return CMD_FAILURE;
 233
 234                 SaslState state = sasl->ProcessInboundMessage(parameters);
 235                 if (state == SASL_DONE)
 236                 {
 237                         sasl->AnnounceState();
 238                         authExt.unset(target);
 239                 }
 240                 return CMD_SUCCESS;
 241         }
 242
 243         RouteDescriptor GetRouting(User* user, const std::vector<std::string>& parameters)
 244         {
 245                 return ROUTE_BROADCAST;
 246         }
 247 };
 248
 249 class ModuleSASL : public Module
 250 {
 251         SimpleExtItem<SaslAuthenticator> authExt;
 252         GenericCap cap;
 253         CommandAuthenticate auth;
 254         CommandSASL sasl;
 255  public:
 256         ModuleSASL()
 257                 : authExt("sasl_auth", this), cap(this, "sasl"), auth(this, authExt, cap), sasl(this, authExt)
 258         {
 259         }
 260
 261         void init()
 262         {
 263                 OnRehash(NULL);
 264                 Implementation eventlist[] = { I_OnEvent, I_OnUserRegister, I_OnRehash };
 265                 ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 266
 267                 ServiceProvider* providelist[] = { &auth, &sasl, &authExt };
 268                 ServerInstance->Modules->AddServices(providelist, 3);
 269
 270                 if (!ServerInstance->Modules->Find("m_services_account.so") || !ServerInstance->Modules->Find("m_cap.so"))
 271                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WARNING: m_services_account.so and m_cap.so are not loaded! m_sasl.so will NOT function correctly until these two modules are loaded!");
 272         }
 273
 274         void OnRehash(User*)
 275         {
 276                 sasl_target = ServerInstance->Config->ConfValue("sasl")->getString("target", "*");
 277         }
 278
 279         ModResult OnUserRegister(LocalUser *user)
 280         {
 281                 SaslAuthenticator *sasl_ = authExt.get(user);
 282                 if (sasl_)
 283                 {
 284                         sasl_->Abort();
 285                         authExt.unset(user);
 286                 }
 287
 288                 return MOD_RES_PASSTHRU;
 289         }
 290
 291         Version GetVersion()
 292         {
 293                 return Version("Provides support for IRC Authentication Layer (aka: atheme SASL) via AUTHENTICATE.",VF_VENDOR);
 294         }
 295
 296         void OnEvent(Event &ev)
 297         {
 298                 cap.HandleEvent(ev);
 299         }
 300 };
 301
 302 MODULE_INIT(ModuleSASL)