1 |
/** |
2 |
* main.C: This file contains the main() routine. |
3 |
* |
4 |
* Copyright © 2007 Pippijn van Steenhoven / The Ermyth Team |
5 |
* Rights to this code are as documented in COPYING. |
6 |
* |
7 |
* |
8 |
* Portions of this file were derived from sources bearing the following license: |
9 |
* Copyright © 2005 Atheme Development Group |
10 |
* Rights to this code are documented in doc/pod/license.pod. |
11 |
* |
12 |
* $Id: main.C,v 1.9 2007-09-16 18:54:44 pippijn Exp $ |
13 |
*/ |
14 |
|
15 |
#include "atheme.h" |
16 |
#include <libermyth.h> |
17 |
#include "confparse.h" |
18 |
#include <ermyth/module.h> |
19 |
#include <account/myuser.h> |
20 |
#include <util/base64.h> |
21 |
#include <sasl.h> |
22 |
|
23 |
static char const rcsid[] = "$Id: main.C,v 1.9 2007-09-16 18:54:44 pippijn Exp $"; |
24 |
|
25 |
REGISTER_MODULE ("saslserv/main", false, "The Ermyth Team <http://ermyth.xinutec.org>"); |
26 |
|
27 |
list_t sessions; |
28 |
list_t sasl_mechanisms; |
29 |
|
30 |
/* main services client routine */ |
31 |
static void |
32 |
saslserv (sourceinfo_t *si, int parc, char *parv[]) |
33 |
{ |
34 |
char *cmd; |
35 |
char *text; |
36 |
char orig[BUFSIZE]; |
37 |
|
38 |
/* this should never happen */ |
39 |
if (parv[0][0] == '&') |
40 |
{ |
41 |
slog (LG_ERROR, "services(): got parv with local channel: %s", parv[0]); |
42 |
return; |
43 |
} |
44 |
|
45 |
/* make a copy of the original for debugging */ |
46 |
strlcpy (orig, parv[parc - 1], BUFSIZE); |
47 |
|
48 |
/* lets go through this to get the command */ |
49 |
cmd = strtok (parv[parc - 1], " "); |
50 |
text = strtok (NULL, ""); |
51 |
|
52 |
if (!cmd) |
53 |
return; |
54 |
if (*cmd == '\001') |
55 |
{ |
56 |
handle_ctcp_common (si, cmd, text); |
57 |
return; |
58 |
} |
59 |
|
60 |
command_fail (si, fault::noprivs, "This service exists to identify " |
61 |
"connecting clients to the network. It has no " |
62 |
"public interface."); |
63 |
} |
64 |
|
65 |
static void |
66 |
on_config_ready (void) |
67 |
{ |
68 |
if (saslsvs.me) |
69 |
del_service (saslsvs.me); |
70 |
|
71 |
saslsvs.me = add_service (saslsvs.nick, saslsvs.user, saslsvs.host, saslsvs.real, saslserv); |
72 |
} |
73 |
|
74 |
/* |
75 |
* Begin SASL-specific code |
76 |
*/ |
77 |
|
78 |
static void |
79 |
sasl_logcommand (sasl_session_t *p, myuser_t *login, int level, char const * const fmt, ...) |
80 |
{ |
81 |
va_list args; |
82 |
char lbuf[BUFSIZE]; |
83 |
|
84 |
va_start (args, fmt); |
85 |
vsnprintf (lbuf, BUFSIZE, fmt, args); |
86 |
slog (level, "%s %s:%s %s", saslsvs.nick, login ? login->name : "", p->uid, lbuf); |
87 |
va_end (args); |
88 |
} |
89 |
|
90 |
/* find an existing session by uid */ |
91 |
static sasl_session_t * |
92 |
find_session (char const * const uid) |
93 |
{ |
94 |
sasl_session_t *p; |
95 |
node_t *n; |
96 |
|
97 |
LIST_FOREACH (n, sessions.head) |
98 |
{ |
99 |
p = static_cast<sasl_session_t *> (n->data); |
100 |
if (!strcmp (p->uid, uid)) |
101 |
return p; |
102 |
} |
103 |
|
104 |
return NULL; |
105 |
} |
106 |
|
107 |
/* create a new session if it does not already exist */ |
108 |
static sasl_session_t * |
109 |
make_session (char const * const uid) |
110 |
{ |
111 |
sasl_session_t *p = find_session (uid); |
112 |
node_t *n; |
113 |
|
114 |
if (p) |
115 |
return p; |
116 |
|
117 |
p = new sasl_session_t; |
118 |
strlcpy (p->uid, uid, IDLEN); |
119 |
|
120 |
n = node_create (); |
121 |
node_add (p, n, &sessions); |
122 |
|
123 |
return p; |
124 |
} |
125 |
|
126 |
/* free a session and all its contents */ |
127 |
static void |
128 |
destroy_session (sasl_session_t *p) |
129 |
{ |
130 |
node_t *n, *tn; |
131 |
myuser_t *mu; |
132 |
|
133 |
if (p->flags & ASASL_NEED_LOG && p->username != NULL) |
134 |
{ |
135 |
mu = myuser_t::find (p->username); |
136 |
if (mu != NULL) |
137 |
sasl_logcommand (p, mu, CMDLOG_LOGIN, "LOGIN (session timed out)"); |
138 |
} |
139 |
|
140 |
LIST_FOREACH_SAFE (n, tn, sessions.head) |
141 |
{ |
142 |
if (n->data == p) |
143 |
{ |
144 |
node_del (n, &sessions); |
145 |
node_free (n); |
146 |
} |
147 |
} |
148 |
|
149 |
sfree (p->buf); |
150 |
p->buf = p->p = NULL; |
151 |
if (p->mechptr) |
152 |
p->mechptr->mech_finish (p); /* Free up any mechanism data */ |
153 |
p->mechptr = NULL; /* We're not freeing the mechanism, just "dereferencing" it */ |
154 |
sfree (p->username); |
155 |
|
156 |
delete p; |
157 |
} |
158 |
|
159 |
/* find a mechanism by name */ |
160 |
static sasl_mechanism_t * |
161 |
find_mechanism (char *name) |
162 |
{ |
163 |
node_t *n; |
164 |
sasl_mechanism_t *mptr; |
165 |
|
166 |
LIST_FOREACH (n, sasl_mechanisms.head) |
167 |
{ |
168 |
mptr = static_cast<sasl_mechanism_t *> (n->data); |
169 |
if (!strcmp (mptr->name, name)) |
170 |
return mptr; |
171 |
} |
172 |
|
173 |
slog (LG_DEBUG, "find_mechanism(): cannot find mechanism `%s'!", name); |
174 |
|
175 |
return NULL; |
176 |
} |
177 |
|
178 |
/* output an arbitrary amount of data to the SASL client */ |
179 |
static void |
180 |
sasl_write (char *target, char *data, int length) |
181 |
{ |
182 |
char out[401]; |
183 |
int last = 400, rem = length; |
184 |
|
185 |
while (rem) |
186 |
{ |
187 |
int nbytes = rem > 400 ? 400 : rem; |
188 |
memcpy (out, data, nbytes); |
189 |
out[nbytes] = '\0'; |
190 |
phandler->sasl_sts (target, 'C', out); |
191 |
|
192 |
data += nbytes; |
193 |
rem -= nbytes; |
194 |
last = nbytes; |
195 |
} |
196 |
|
197 |
/* The end of a packet is indicated by a string not of length 400. |
198 |
* If last piece is exactly 400 in size, send an empty string to |
199 |
* finish the transaction. |
200 |
* Also if there is no data at all. |
201 |
*/ |
202 |
if (last == 400) |
203 |
phandler->sasl_sts (target, 'C', "+"); |
204 |
} |
205 |
|
206 |
/* authenticated, now double check that their account is ok for login */ |
207 |
static int |
208 |
login_user (sasl_session_t *p) |
209 |
{ |
210 |
myuser_t *mu = myuser_t::find (p->username); |
211 |
metadata *md; |
212 |
|
213 |
if (mu == NULL) /* WTF? */ |
214 |
return 0; |
215 |
|
216 |
if ((md = mu->find_metadata ("private:freeze:freezer"))) |
217 |
{ |
218 |
sasl_logcommand (p, NULL, CMDLOG_LOGIN, "failed LOGIN to %s (frozen)", mu->name); |
219 |
return 0; |
220 |
} |
221 |
|
222 |
if (mu->logins.size () >= me.maxlogins) |
223 |
{ |
224 |
sasl_logcommand (p, NULL, CMDLOG_LOGIN, "failed LOGIN to %s (too many logins)", mu->name); |
225 |
return 0; |
226 |
} |
227 |
|
228 |
/* Log it with the full n!u@h later */ |
229 |
p->flags |= ASASL_NEED_LOG; |
230 |
|
231 |
return 1; |
232 |
} |
233 |
|
234 |
/* given an entire sasl message, advance session by passing data to mechanism |
235 |
* and feeding returned data back to client. |
236 |
*/ |
237 |
static void |
238 |
sasl_packet (sasl_session_t *p, char *buf, int len) |
239 |
{ |
240 |
int rc; |
241 |
size_t tlen = 0; |
242 |
char const *cloak; |
243 |
char *out = NULL; |
244 |
char *temp; |
245 |
char mech[21]; |
246 |
int out_len = 0; |
247 |
metadata *md; |
248 |
base64::encoder b64enc; |
249 |
base64::decoder b64dec; |
250 |
|
251 |
/* First piece of data in a session is the name of |
252 |
* the SASL mechanism that will be used. |
253 |
*/ |
254 |
if (!p->mechptr) |
255 |
{ |
256 |
if (len > 20) |
257 |
{ |
258 |
phandler->sasl_sts (p->uid, 'D', "F"); |
259 |
destroy_session (p); |
260 |
return; |
261 |
} |
262 |
|
263 |
memcpy (mech, buf, len); |
264 |
mech[len] = '\0'; |
265 |
|
266 |
if (!(p->mechptr = find_mechanism (mech))) |
267 |
{ |
268 |
/* Generate a list of supported mechanisms (disabled since charybdis doesn't support this yet). */ |
269 |
#if 0 |
270 |
char temp[400], *ptr = temp; |
271 |
int l = 0; |
272 |
node_t *n; |
273 |
|
274 |
LIST_FOREACH(n, sasl_mechanisms.head) |
275 |
{ |
276 |
sasl_mechanism_t *mptr = n->data; |
277 |
if(l + strlen(mptr->name) > 510) |
278 |
break; |
279 |
strcpy(ptr, mptr->name); |
280 |
ptr += strlen(mptr->name); |
281 |
*ptr++ = ','; |
282 |
l += strlen(mptr->name) + 1; |
283 |
} |
284 |
|
285 |
if(l) |
286 |
ptr--; |
287 |
*ptr = '\0'; |
288 |
|
289 |
phandler->sasl_sts(p->uid, 'M', temp); |
290 |
#endif |
291 |
|
292 |
phandler->sasl_sts (p->uid, 'D', "F"); |
293 |
destroy_session (p); |
294 |
return; |
295 |
} |
296 |
|
297 |
rc = p->mechptr->mech_start (p, &out, &out_len); |
298 |
} |
299 |
else |
300 |
{ |
301 |
if (b64dec.decode (buf, len, &temp, &tlen)) |
302 |
{ |
303 |
rc = p->mechptr->mech_step (p, temp, tlen, &out, &out_len); |
304 |
delete[] temp; |
305 |
} |
306 |
else |
307 |
rc = ASASL_FAIL; |
308 |
} |
309 |
|
310 |
if (rc == ASASL_DONE) |
311 |
{ |
312 |
myuser_t *mu = myuser_t::find (p->username); |
313 |
if (mu && login_user (p)) |
314 |
{ |
315 |
if ((md = mu->find_metadata ("private:usercloak"))) |
316 |
cloak = md->value; |
317 |
else |
318 |
cloak = "*"; |
319 |
|
320 |
phandler->svslogin_sts (p->uid, "*", "*", cloak, mu->name); |
321 |
phandler->sasl_sts (p->uid, 'D', "S"); |
322 |
} |
323 |
else |
324 |
phandler->sasl_sts (p->uid, 'D', "F"); |
325 |
/* Will destroy session on introduction of user to net. */ |
326 |
return; |
327 |
} |
328 |
else if (rc == ASASL_MORE) |
329 |
{ |
330 |
if (out_len) |
331 |
{ |
332 |
if (b64enc.encode (out, out_len, &temp)) |
333 |
{ |
334 |
sasl_write (p->uid, temp, strlen (temp)); |
335 |
delete[] temp; |
336 |
sfree (out); |
337 |
return; |
338 |
} |
339 |
} |
340 |
else |
341 |
{ |
342 |
phandler->sasl_sts (p->uid, 'C', "+"); |
343 |
sfree (out); |
344 |
return; |
345 |
} |
346 |
} |
347 |
|
348 |
sfree (out); |
349 |
phandler->sasl_sts (p->uid, 'D', "F"); |
350 |
destroy_session (p); |
351 |
} |
352 |
|
353 |
/* interpret an AUTHENTICATE message */ |
354 |
static void |
355 |
sasl_input (char const * const uid, char const mode, char const * const buf) |
356 |
{ |
357 |
sasl_session_t *p = make_session (uid); |
358 |
int len = strlen (buf); |
359 |
|
360 |
/* Abort packets, or maybe some other kind of (D)one */ |
361 |
if (mode == 'D') |
362 |
{ |
363 |
destroy_session (p); |
364 |
return; |
365 |
} |
366 |
|
367 |
if (mode != 'S' && mode != 'C') |
368 |
return; |
369 |
|
370 |
if (p->buf == NULL) |
371 |
{ |
372 |
p->buf = salloc<char> (len + 1); |
373 |
p->p = p->buf; |
374 |
p->len = len; |
375 |
} |
376 |
else |
377 |
{ |
378 |
if (p->len + len + 1 > 8192) /* This is a little much... */ |
379 |
{ |
380 |
phandler->sasl_sts (p->uid, 'D', "F"); |
381 |
destroy_session (p); |
382 |
return; |
383 |
} |
384 |
|
385 |
p->buf = (char *) realloc (p->buf, p->len + len + 1); |
386 |
p->p = p->buf + p->len; |
387 |
p->len += len; |
388 |
} |
389 |
|
390 |
memcpy (p->p, buf, len); |
391 |
|
392 |
/* Messages not exactly 400 bytes are the end of a packet. */ |
393 |
if (len < 400) |
394 |
{ |
395 |
p->buf[p->len] = '\0'; |
396 |
sasl_packet (p, p->buf, p->len); |
397 |
sfree (p->buf); |
398 |
p->buf = p->p = NULL; |
399 |
p->len = 0; |
400 |
} |
401 |
} |
402 |
|
403 |
/* clean up after a user who is finally on the net */ |
404 |
static void |
405 |
sasl_newuser (user_t *u) |
406 |
{ |
407 |
sasl_session_t *p = find_session (u->uid); |
408 |
metadata *md_failnum; |
409 |
char lau[BUFSIZE], lao[BUFSIZE]; |
410 |
char strfbuf[BUFSIZE]; |
411 |
struct tm tm; |
412 |
myuser_t *mu; |
413 |
|
414 |
/* Not concerned unless it's a SASL login. */ |
415 |
if (p == NULL) |
416 |
return; |
417 |
|
418 |
/* We will log it ourselves, if needed */ |
419 |
p->flags &= ~ASASL_NEED_LOG; |
420 |
|
421 |
/* Find the account */ |
422 |
mu = p->username ? myuser_t::find (p->username) : NULL; |
423 |
if (mu == NULL) |
424 |
{ |
425 |
notice (saslsvs.nick, u->nick, "Account %s dropped, login cancelled", p->username ? p->username : "??"); |
426 |
destroy_session (p); |
427 |
/* We'll remove their ircd login in handle_burstlogin() */ |
428 |
return; |
429 |
} |
430 |
destroy_session (p); |
431 |
|
432 |
if (is_soper (mu)) |
433 |
{ |
434 |
snoop ("SOPER: \2%s\2 as \2%s\2", u->nick, mu->name); |
435 |
} |
436 |
|
437 |
mu->notice (saslsvs.nick, "%s!%s@%s has just authenticated as you (%s)", u->nick, u->user, u->vhost, mu->name); |
438 |
|
439 |
u->myuser = mu; |
440 |
mu->logins.insert (u); |
441 |
|
442 |
/* keep track of login address for users */ |
443 |
strlcpy (lau, u->user, BUFSIZE); |
444 |
strlcat (lau, "@", BUFSIZE); |
445 |
strlcat (lau, u->vhost, BUFSIZE); |
446 |
mu->add_metadata ("private:host:vhost", lau); |
447 |
|
448 |
/* and for opers */ |
449 |
strlcpy (lao, u->user, BUFSIZE); |
450 |
strlcat (lao, "@", BUFSIZE); |
451 |
/* Hack for charybdis before 2.1: store IP instead of vhost |
452 |
* (real host is not known at this time) -- jilles */ |
453 |
slog (LG_DEBUG, "nick %s host %s vhost %s ip %s", u->nick, u->host, u->vhost, u->ip); |
454 |
if (!strcmp (u->host, u->vhost) && *u->ip != '\0' && mu->find_metadata ("private:usercloak")) |
455 |
strlcat (lao, u->ip, BUFSIZE); |
456 |
else |
457 |
strlcat (lao, u->host, BUFSIZE); |
458 |
mu->add_metadata ("private:host:actual", lao); |
459 |
|
460 |
logcommand_user (saslsvs.me, u, CMDLOG_LOGIN, "LOGIN"); |
461 |
|
462 |
/* check for failed attempts and let them know */ |
463 |
if ((md_failnum = mu->find_metadata ("private:loginfail:failnum")) && (atoi (md_failnum->value) > 0)) |
464 |
{ |
465 |
metadata *md_failtime, *md_failaddr; |
466 |
time_t ts; |
467 |
|
468 |
tm = *localtime (&mu->lastlogin); |
469 |
strftime (strfbuf, sizeof (strfbuf) - 1, "%b %d %H:%M:%S %Y", &tm); |
470 |
|
471 |
notice (saslsvs.nick, u->nick, "\2%d\2 failed %s since %s.", atoi (md_failnum->value), (atoi (md_failnum->value) == 1) ? "login" : "logins", strfbuf); |
472 |
|
473 |
md_failtime = mu->find_metadata ("private:loginfail:lastfailtime"); |
474 |
ts = atol (md_failtime->value); |
475 |
md_failaddr = mu->find_metadata ("private:loginfail:lastfailaddr"); |
476 |
|
477 |
tm = *localtime (&ts); |
478 |
strftime (strfbuf, sizeof (strfbuf) - 1, "%b %d %H:%M:%S %Y", &tm); |
479 |
|
480 |
notice (saslsvs.nick, u->nick, "Last failed attempt from: \2%s\2 on %s.", md_failaddr->value, strfbuf); |
481 |
|
482 |
mu->del_metadata ("private:loginfail:failnum"); /* md_failnum now invalid */ |
483 |
mu->del_metadata ("private:loginfail:lastfailtime"); |
484 |
mu->del_metadata ("private:loginfail:lastfailaddr"); |
485 |
} |
486 |
|
487 |
mu->lastlogin = NOW; |
488 |
u->callback.identify (u); |
489 |
} |
490 |
|
491 |
/* This function is run approximately once every 30 seconds. |
492 |
* It looks for flagged sessions, and deletes them, while |
493 |
* flagging all the others. This way stale sessions are deleted |
494 |
* after no more than 60 seconds. |
495 |
*/ |
496 |
static void |
497 |
delete_stale (void *vptr) |
498 |
{ |
499 |
sasl_session_t *p; |
500 |
node_t *n, *tn; |
501 |
|
502 |
LIST_FOREACH_SAFE (n, tn, sessions.head) |
503 |
{ |
504 |
p = static_cast<sasl_session_t *> (n->data); |
505 |
if (p->flags & ASASL_MARKED_FOR_DELETION) |
506 |
{ |
507 |
node_del (n, &sessions); |
508 |
destroy_session (p); |
509 |
node_free (n); |
510 |
} |
511 |
else |
512 |
p->flags |= ASASL_MARKED_FOR_DELETION; |
513 |
} |
514 |
} |
515 |
|
516 |
bool |
517 |
_modinit (module *m) |
518 |
{ |
519 |
ConfTable::callback.ready.attach (on_config_ready); |
520 |
|
521 |
user_t::callback.sasl_input.attach (sasl_input); |
522 |
user_t::callback.add.attach (sasl_newuser); |
523 |
event_add ("sasl_delete_stale", delete_stale, NULL, 30); |
524 |
|
525 |
if (!cold_start) |
526 |
saslsvs.me = add_service (saslsvs.nick, saslsvs.user, saslsvs.host, saslsvs.real, saslserv); |
527 |
authservice_loaded++; |
528 |
|
529 |
return true; |
530 |
} |
531 |
|
532 |
void |
533 |
_moddeinit () |
534 |
{ |
535 |
node_t *n, *tn; |
536 |
|
537 |
user_t::callback.sasl_input.detach (sasl_input); |
538 |
user_t::callback.add.detach (sasl_newuser); |
539 |
event_delete (delete_stale, NULL); |
540 |
|
541 |
if (saslsvs.me) |
542 |
{ |
543 |
del_service (saslsvs.me); |
544 |
saslsvs.me = NULL; |
545 |
} |
546 |
authservice_loaded--; |
547 |
|
548 |
LIST_FOREACH_SAFE (n, tn, sessions.head) |
549 |
{ |
550 |
destroy_session (static_cast<sasl_session_t *> (n->data)); |
551 |
node_del (n, &sessions); |
552 |
node_free (n); |
553 |
} |
554 |
|
555 |
ConfTable::callback.ready.detach (on_config_ready); |
556 |
} |