src/modules/m_sasl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "m_cap.h"
  23 #include "account.h"
  24 #include "sasl.h"
  25 #include "ssl.h"
  26
  27 /* $ModDesc: Provides support for IRC Authentication Layer (aka: atheme SASL) via AUTHENTICATE. */
  28
  29 enum SaslState { SASL_INIT, SASL_COMM, SASL_DONE };
  30 enum SaslResult { SASL_OK, SASL_FAIL, SASL_ABORT };
  31
  32 static std::string sasl_target = "*";
  33
  34 static void SendSASL(const parameterlist& params)
  35 {
  36         if (!ServerInstance->PI->SendEncapsulatedData(params))
  37         {
  38                 SASLFallback(NULL, params);
  39         }
  40 }
  41
  42 /**
  43  * Tracks SASL authentication state like charybdis does. --nenolod
  44  */
  45 class SaslAuthenticator
  46 {
  47  private:
  48         std::string agent;
  49         User *user;
  50         SaslState state;
  51         SaslResult result;
  52         bool state_announced;
  53
  54  public:
  55         SaslAuthenticator(User* user_, const std::string& method)
  56                 : user(user_), state(SASL_INIT), state_announced(false)
  57         {
  58                 parameterlist params;
  59                 params.push_back(sasl_target);
  60                 params.push_back("SASL");
  61                 params.push_back(user->uuid);
  62                 params.push_back("*");
  63                 params.push_back("S");
  64                 params.push_back(method);
  65
  66                 if (method == "EXTERNAL" && IS_LOCAL(user_))
  67                 {
  68                         SocketCertificateRequest req(&((LocalUser*)user_)->eh, ServerInstance->Modules->Find("m_sasl.so"));
  69                         std::string fp = req.GetFingerprint();
  70
  71                         if (fp.size())
  72                                 params.push_back(fp);
  73                 }
  74
  75                 SendSASL(params);
  76         }
  77
  78         SaslResult GetSaslResult(const std::string &result_)
  79         {
  80                 if (result_ == "F")
  81                         return SASL_FAIL;
  82
  83                 if (result_ == "A")
  84                         return SASL_ABORT;
  85
  86                 return SASL_OK;
  87         }
  88
  89         /* checks for and deals with a state change. */
  90         SaslState ProcessInboundMessage(const std::vector<std::string> &msg)
  91         {
  92                 switch (this->state)
  93                 {
  94                  case SASL_INIT:
  95                         this->agent = msg[0];
  96                         this->state = SASL_COMM;
  97                         /* fall through */
  98                  case SASL_COMM:
  99                         if (msg[0] != this->agent)
 100                                 return this->state;
 101
 102                         if (msg.size() < 4)
 103                                 return this->state;
 104
 105                         if (msg[2] == "C")
 106                                 this->user->Write("AUTHENTICATE %s", msg[3].c_str());
 107                         else if (msg[2] == "D")
 108                         {
 109                                 this->state = SASL_DONE;
 110                                 this->result = this->GetSaslResult(msg[3]);
 111                         }
 112                         else if (msg[2] == "M")
 113                                 this->user->WriteNumeric(908, "%s %s :are available SASL mechanisms", this->user->nick.c_str(), msg[3].c_str());
 114                         else
 115                                 ServerInstance->Logs->Log("m_sasl", DEFAULT, "Services sent an unknown SASL message \"%s\" \"%s\"", msg[2].c_str(), msg[3].c_str());
 116
 117                         break;
 118                  case SASL_DONE:
 119                         break;
 120                  default:
 121                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WTF: SaslState is not a known state (%d)", this->state);
 122                         break;
 123                 }
 124
 125                 return this->state;
 126         }
 127
 128         void Abort(void)
 129         {
 130                 this->state = SASL_DONE;
 131                 this->result = SASL_ABORT;
 132         }
 133
 134         bool SendClientMessage(const std::vector<std::string>& parameters)
 135         {
 136                 if (this->state != SASL_COMM)
 137                         return true;
 138
 139                 parameterlist params;
 140                 params.push_back(sasl_target);
 141                 params.push_back("SASL");
 142                 params.push_back(this->user->uuid);
 143                 params.push_back(this->agent);
 144                 params.push_back("C");
 145
 146                 params.insert(params.end(), parameters.begin(), parameters.end());
 147
 148                 SendSASL(params);
 149
 150                 if (parameters[0].c_str()[0] == '*')
 151                 {
 152                         this->Abort();
 153                         return false;
 154                 }
 155
 156                 return true;
 157         }
 158
 159         void AnnounceState(void)
 160         {
 161                 if (this->state_announced)
 162                         return;
 163
 164                 switch (this->result)
 165                 {
 166                  case SASL_OK:
 167                         this->user->WriteNumeric(903, "%s :SASL authentication successful", this->user->nick.c_str());
 168                         break;
 169                  case SASL_ABORT:
 170                         this->user->WriteNumeric(906, "%s :SASL authentication aborted", this->user->nick.c_str());
 171                         break;
 172                  case SASL_FAIL:
 173                         this->user->WriteNumeric(904, "%s :SASL authentication failed", this->user->nick.c_str());
 174                         break;
 175                  default:
 176                         break;
 177                 }
 178
 179                 this->state_announced = true;
 180         }
 181 };
 182
 183 class CommandAuthenticate : public Command
 184 {
 185  public:
 186         SimpleExtItem<SaslAuthenticator>& authExt;
 187         GenericCap& cap;
 188         CommandAuthenticate(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext, GenericCap& Cap)
 189                 : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
 190         {
 191                 works_before_reg = true;
 192         }
 193
 194         CmdResult Handle (const std::vector<std::string>& parameters, User *user)
 195         {
 196                 /* Only allow AUTHENTICATE on unregistered clients */
 197                 if (user->registered != REG_ALL)
 198                 {
 199                         if (!cap.ext.get(user))
 200                                 return CMD_FAILURE;
 201
 202                         SaslAuthenticator *sasl = authExt.get(user);
 203                         if (!sasl)
 204                                 authExt.set(user, new SaslAuthenticator(user, parameters[0]));
 205                         else if (sasl->SendClientMessage(parameters) == false)  // IAL abort extension --nenolod
 206                         {
 207                                 sasl->AnnounceState();
 208                                 authExt.unset(user);
 209                         }
 210                 }
 211                 return CMD_FAILURE;
 212         }
 213 };
 214
 215 class CommandSASL : public Command
 216 {
 217  public:
 218         SimpleExtItem<SaslAuthenticator>& authExt;
 219         CommandSASL(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext) : Command(Creator, "SASL", 2), authExt(ext)
 220         {
 221                 this->flags_needed = FLAG_SERVERONLY; // should not be called by users
 222         }
 223
 224         CmdResult Handle(const std::vector<std::string>& parameters, User *user)
 225         {
 226                 User* target = ServerInstance->FindNick(parameters[1]);
 227                 if ((!target) || (IS_SERVER(target)))
 228                 {
 229                         ServerInstance->Logs->Log("m_sasl", DEBUG,"User not found in sasl ENCAP event: %s", parameters[1].c_str());
 230                         return CMD_FAILURE;
 231                 }
 232
 233                 SaslAuthenticator *sasl = authExt.get(target);
 234                 if (!sasl)
 235                         return CMD_FAILURE;
 236
 237                 SaslState state = sasl->ProcessInboundMessage(parameters);
 238                 if (state == SASL_DONE)
 239                 {
 240                         sasl->AnnounceState();
 241                         authExt.unset(target);
 242                 }
 243                 return CMD_SUCCESS;
 244         }
 245
 246         RouteDescriptor GetRouting(User* user, const std::vector<std::string>& parameters)
 247         {
 248                 return ROUTE_BROADCAST;
 249         }
 250 };
 251
 252 class ModuleSASL : public Module
 253 {
 254         SimpleExtItem<SaslAuthenticator> authExt;
 255         GenericCap cap;
 256         CommandAuthenticate auth;
 257         CommandSASL sasl;
 258  public:
 259         ModuleSASL()
 260                 : authExt("sasl_auth", this), cap(this, "sasl"), auth(this, authExt, cap), sasl(this, authExt)
 261         {
 262         }
 263
 264         void init()
 265         {
 266                 OnRehash(NULL);
 267                 Implementation eventlist[] = { I_OnEvent, I_OnUserRegister, I_OnRehash };
 268                 ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 269
 270                 ServiceProvider* providelist[] = { &auth, &sasl, &authExt };
 271                 ServerInstance->Modules->AddServices(providelist, 3);
 272
 273                 if (!ServerInstance->Modules->Find("m_services_account.so") || !ServerInstance->Modules->Find("m_cap.so"))
 274                         ServerInstance->Logs->Log("m_sasl", DEFAULT, "WARNING: m_services_account.so and m_cap.so are not loaded! m_sasl.so will NOT function correctly until these two modules are loaded!");
 275         }
 276
 277         void OnRehash(User*)
 278         {
 279                 sasl_target = ServerInstance->Config->ConfValue("sasl")->getString("target", "*");
 280         }
 281
 282         ModResult OnUserRegister(LocalUser *user)
 283         {
 284                 SaslAuthenticator *sasl_ = authExt.get(user);
 285                 if (sasl_)
 286                 {
 287                         sasl_->Abort();
 288                         authExt.unset(user);
 289                 }
 290
 291                 return MOD_RES_PASSTHRU;
 292         }
 293
 294         Version GetVersion()
 295         {
 296                 return Version("Provides support for IRC Authentication Layer (aka: SASL) via AUTHENTICATE.", VF_VENDOR);
 297         }
 298
 299         void OnEvent(Event &ev)
 300         {
 301                 cap.HandleEvent(ev);
 302         }
 303 };
 304
 305 MODULE_INIT(ModuleSASL)