src/modules/m_sasl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "modules/cap.h"
  23 #include "modules/account.h"
  24 #include "modules/sasl.h"
  25 #include "modules/ssl.h"
  26
  27 class SASLCap : public Cap::Capability
  28 {
  29         std::string mechlist;
  30
  31         bool OnRequest(LocalUser* user, bool adding) CXX11_OVERRIDE
  32         {
  33                 // Requesting this cap is allowed anytime
  34                 if (adding)
  35                         return true;
  36
  37                 // But removing it can only be done when unregistered
  38                 return (user->registered != REG_ALL);
  39         }
  40
  41         const std::string* GetValue(LocalUser* user) const CXX11_OVERRIDE
  42         {
  43                 return &mechlist;
  44         }
  45
  46  public:
  47         SASLCap(Module* mod)
  48                 : Cap::Capability(mod, "sasl")
  49         {
  50         }
  51
  52         void SetMechlist(const std::string& newmechlist)
  53         {
  54                 if (mechlist == newmechlist)
  55                         return;
  56
  57                 mechlist = newmechlist;
  58                 NotifyValueChange();
  59         }
  60 };
  61
  62 enum SaslState { SASL_INIT, SASL_COMM, SASL_DONE };
  63 enum SaslResult { SASL_OK, SASL_FAIL, SASL_ABORT };
  64
  65 static std::string sasl_target = "*";
  66 static Events::ModuleEventProvider* saslevprov;
  67
  68 static void SendSASL(const parameterlist& params)
  69 {
  70         if (!ServerInstance->PI->SendEncapsulatedData(sasl_target, "SASL", params))
  71         {
  72                 FOREACH_MOD_CUSTOM(*saslevprov, SASLEventListener, OnSASLAuth, (params));
  73         }
  74 }
  75
  76 /**
  77  * Tracks SASL authentication state like charybdis does. --nenolod
  78  */
  79 class SaslAuthenticator
  80 {
  81  private:
  82         std::string agent;
  83         User *user;
  84         SaslState state;
  85         SaslResult result;
  86         bool state_announced;
  87
  88  public:
  89         SaslAuthenticator(User* user_, const std::string& method)
  90                 : user(user_), state(SASL_INIT), state_announced(false)
  91         {
  92                 parameterlist params;
  93                 params.push_back(user->uuid);
  94                 params.push_back("*");
  95                 params.push_back("S");
  96                 params.push_back(method);
  97
  98                 LocalUser* localuser = IS_LOCAL(user);
  99                 if (method == "EXTERNAL" && localuser)
 100                 {
 101                         std::string fp = SSLClientCert::GetFingerprint(&localuser->eh);
 102
 103                         if (fp.size())
 104                                 params.push_back(fp);
 105                 }
 106
 107                 SendSASL(params);
 108         }
 109
 110         SaslResult GetSaslResult(const std::string &result_)
 111         {
 112                 if (result_ == "F")
 113                         return SASL_FAIL;
 114
 115                 if (result_ == "A")
 116                         return SASL_ABORT;
 117
 118                 return SASL_OK;
 119         }
 120
 121         /* checks for and deals with a state change. */
 122         SaslState ProcessInboundMessage(const std::vector<std::string> &msg)
 123         {
 124                 switch (this->state)
 125                 {
 126                  case SASL_INIT:
 127                         this->agent = msg[0];
 128                         this->state = SASL_COMM;
 129                         /* fall through */
 130                  case SASL_COMM:
 131                         if (msg[0] != this->agent)
 132                                 return this->state;
 133
 134                         if (msg.size() < 4)
 135                                 return this->state;
 136
 137                         if (msg[2] == "C")
 138                                 this->user->Write("AUTHENTICATE %s", msg[3].c_str());
 139                         else if (msg[2] == "D")
 140                         {
 141                                 this->state = SASL_DONE;
 142                                 this->result = this->GetSaslResult(msg[3]);
 143                         }
 144                         else if (msg[2] == "M")
 145                                 this->user->WriteNumeric(908, msg[3], "are available SASL mechanisms");
 146                         else
 147                                 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Services sent an unknown SASL message \"%s\" \"%s\"", msg[2].c_str(), msg[3].c_str());
 148
 149                         break;
 150                  case SASL_DONE:
 151                         break;
 152                  default:
 153                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "WTF: SaslState is not a known state (%d)", this->state);
 154                         break;
 155                 }
 156
 157                 return this->state;
 158         }
 159
 160         void Abort(void)
 161         {
 162                 this->state = SASL_DONE;
 163                 this->result = SASL_ABORT;
 164         }
 165
 166         bool SendClientMessage(const std::vector<std::string>& parameters)
 167         {
 168                 if (this->state != SASL_COMM)
 169                         return true;
 170
 171                 parameterlist params;
 172                 params.push_back(this->user->uuid);
 173                 params.push_back(this->agent);
 174                 params.push_back("C");
 175
 176                 params.insert(params.end(), parameters.begin(), parameters.end());
 177
 178                 SendSASL(params);
 179
 180                 if (parameters[0][0] == '*')
 181                 {
 182                         this->Abort();
 183                         return false;
 184                 }
 185
 186                 return true;
 187         }
 188
 189         void AnnounceState(void)
 190         {
 191                 if (this->state_announced)
 192                         return;
 193
 194                 switch (this->result)
 195                 {
 196                  case SASL_OK:
 197                         this->user->WriteNumeric(903, "SASL authentication successful");
 198                         break;
 199                  case SASL_ABORT:
 200                         this->user->WriteNumeric(906, "SASL authentication aborted");
 201                         break;
 202                  case SASL_FAIL:
 203                         this->user->WriteNumeric(904, "SASL authentication failed");
 204                         break;
 205                  default:
 206                         break;
 207                 }
 208
 209                 this->state_announced = true;
 210         }
 211 };
 212
 213 class CommandAuthenticate : public Command
 214 {
 215  public:
 216         SimpleExtItem<SaslAuthenticator>& authExt;
 217         Cap::Capability& cap;
 218         CommandAuthenticate(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext, Cap::Capability& Cap)
 219                 : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
 220         {
 221                 works_before_reg = true;
 222         }
 223
 224         CmdResult Handle (const std::vector<std::string>& parameters, User *user)
 225         {
 226                 /* Only allow AUTHENTICATE on unregistered clients */
 227                 if (user->registered != REG_ALL)
 228                 {
 229                         if (!cap.get(user))
 230                                 return CMD_FAILURE;
 231
 232                         SaslAuthenticator *sasl = authExt.get(user);
 233                         if (!sasl)
 234                                 authExt.set(user, new SaslAuthenticator(user, parameters[0]));
 235                         else if (sasl->SendClientMessage(parameters) == false)  // IAL abort extension --nenolod
 236                         {
 237                                 sasl->AnnounceState();
 238                                 authExt.unset(user);
 239                         }
 240                 }
 241                 return CMD_FAILURE;
 242         }
 243 };
 244
 245 class CommandSASL : public Command
 246 {
 247  public:
 248         SimpleExtItem<SaslAuthenticator>& authExt;
 249         CommandSASL(Module* Creator, SimpleExtItem<SaslAuthenticator>& ext) : Command(Creator, "SASL", 2), authExt(ext)
 250         {
 251                 this->flags_needed = FLAG_SERVERONLY; // should not be called by users
 252         }
 253
 254         CmdResult Handle(const std::vector<std::string>& parameters, User *user)
 255         {
 256                 User* target = ServerInstance->FindUUID(parameters[1]);
 257                 if (!target)
 258                 {
 259                         ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "User not found in sasl ENCAP event: %s", parameters[1].c_str());
 260                         return CMD_FAILURE;
 261                 }
 262
 263                 SaslAuthenticator *sasl = authExt.get(target);
 264                 if (!sasl)
 265                         return CMD_FAILURE;
 266
 267                 SaslState state = sasl->ProcessInboundMessage(parameters);
 268                 if (state == SASL_DONE)
 269                 {
 270                         sasl->AnnounceState();
 271                         authExt.unset(target);
 272                 }
 273                 return CMD_SUCCESS;
 274         }
 275
 276         RouteDescriptor GetRouting(User* user, const std::vector<std::string>& parameters)
 277         {
 278                 return ROUTE_BROADCAST;
 279         }
 280 };
 281
 282 class ModuleSASL : public Module
 283 {
 284         SimpleExtItem<SaslAuthenticator> authExt;
 285         SASLCap cap;
 286         CommandAuthenticate auth;
 287         CommandSASL sasl;
 288         Events::ModuleEventProvider sasleventprov;
 289
 290  public:
 291         ModuleSASL()
 292                 : authExt("sasl_auth", ExtensionItem::EXT_USER, this)
 293                 , cap(this)
 294                 , auth(this, authExt, cap)
 295                 , sasl(this, authExt)
 296                 , sasleventprov(this, "event/sasl")
 297         {
 298                 saslevprov = &sasleventprov;
 299         }
 300
 301         void init() CXX11_OVERRIDE
 302         {
 303                 if (!ServerInstance->Modules->Find("m_services_account.so") || !ServerInstance->Modules->Find("m_cap.so"))
 304                         ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "WARNING: m_services_account.so and m_cap.so are not loaded! m_sasl.so will NOT function correctly until these two modules are loaded!");
 305         }
 306
 307         void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
 308         {
 309                 sasl_target = ServerInstance->Config->ConfValue("sasl")->getString("target", "*");
 310         }
 311
 312         ModResult OnUserRegister(LocalUser *user) CXX11_OVERRIDE
 313         {
 314                 SaslAuthenticator *sasl_ = authExt.get(user);
 315                 if (sasl_)
 316                 {
 317                         sasl_->Abort();
 318                         authExt.unset(user);
 319                 }
 320
 321                 return MOD_RES_PASSTHRU;
 322         }
 323
 324         void OnDecodeMetaData(Extensible* target, const std::string& extname, const std::string& extdata) CXX11_OVERRIDE
 325         {
 326                 if ((target == NULL) && (extname == "saslmechlist"))
 327                         cap.SetMechlist(extdata);
 328         }
 329
 330         Version GetVersion() CXX11_OVERRIDE
 331         {
 332                 return Version("Provides support for IRC Authentication Layer (aka: SASL) via AUTHENTICATE.", VF_VENDOR);
 333         }
 334 };
 335
 336 MODULE_INIT(ModuleSASL)