summaryrefslogtreecommitdiff
path: root/src/irc/core/sasl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/irc/core/sasl.c')
-rw-r--r--src/irc/core/sasl.c134
1 files changed, 134 insertions, 0 deletions
diff --git a/src/irc/core/sasl.c b/src/irc/core/sasl.c
new file mode 100644
index 00000000..8bffc3d9
--- /dev/null
+++ b/src/irc/core/sasl.c
@@ -0,0 +1,134 @@
+#include "module.h"
+#include "misc.h"
+#include "settings.h"
+
+#include "irc-cap.h"
+#include "irc-servers.h"
+#include "sasl.h"
+
+#define SASL_TIMEOUT (20 * 1000) // ms
+
+static gboolean sasl_timeout (IRC_SERVER_REC *server)
+{
+ /* The authentication timed out, we can't do much beside terminating it */
+ g_critical("The authentication timed out, try increasing the timeout and check your connection "
+ "to the network.");
+ irc_send_cmd_now(server, "AUTHENTICATE *");
+ cap_finish_negotiation(server);
+
+ return G_SOURCE_REMOVE;
+}
+
+static void sasl_start (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+ IRC_SERVER_CONNECT_REC *conn;
+
+ conn = server->connrec;
+
+ switch (conn->sasl_mechanism) {
+ case SASL_MECHANISM_PLAIN:
+ irc_send_cmd_now(server, "AUTHENTICATE PLAIN");
+ break;
+
+ case SASL_MECHANISM_EXTERNAL:
+ irc_send_cmd_now(server, "AUTHENTICATE EXTERNAL");
+ break;
+ }
+ server->sasl_timeout = g_timeout_add(SASL_TIMEOUT, (GSourceFunc) sasl_timeout, server);
+}
+
+static void sasl_fail (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+ /* Stop any pending timeout, if any */
+ g_source_remove(server->sasl_timeout);
+
+ g_critical("Authentication failed, make sure your credentials are correct and that the mechanism "
+ "you have selected is supported by this server.");
+
+ /* Terminate the negotiation */
+ cap_finish_negotiation(server);
+}
+
+static void sasl_already (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+ g_source_remove(server->sasl_timeout);
+
+ /* We're already authenticated, do nothing */
+ cap_finish_negotiation(server);
+}
+
+static void sasl_success (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+ g_source_remove(server->sasl_timeout);
+
+ /* The authentication succeeded, time to finish the CAP negotiation */
+ g_warning("SASL authentication succeeded");
+ cap_finish_negotiation(server);
+}
+
+static void sasl_step (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+ IRC_SERVER_CONNECT_REC *conn;
+ GString *req;
+ char *enc_req;
+
+ conn = server->connrec;
+
+ /* Stop the timer */
+ g_source_remove(server->sasl_timeout);
+
+ switch (conn->sasl_mechanism) {
+ case SASL_MECHANISM_PLAIN:
+ /* At this point we assume that conn->{username, password} are non-NULL.
+ * The PLAIN mechanism expects a NULL-separated string composed by the authorization identity, the
+ * authentication identity and the password.
+ * The authorization identity field is optional and can be omitted, the server will derive the
+ * identity by looking at the credentials provided.
+ * The whole request is then encoded in base64. */
+
+ req = g_string_new(NULL);
+
+ g_string_append_c(req, '\0');
+ g_string_append(req, conn->sasl_username);
+ g_string_append_c(req, '\0');
+ g_string_append(req, conn->sasl_password);
+
+ enc_req = g_base64_encode((const guchar *)req->str, req->len);
+
+ irc_send_cmdv(server, "AUTHENTICATE %s", enc_req);
+
+ g_free(enc_req);
+ g_string_free(req, TRUE);
+ break;
+
+ case SASL_MECHANISM_EXTERNAL:
+ /* Empty response */
+ irc_send_cmdv(server, "+");
+ break;
+ }
+
+ /* We expect a response within a reasonable time */
+ server->sasl_timeout = g_timeout_add(SASL_TIMEOUT, (GSourceFunc) sasl_timeout, server);
+}
+
+void sasl_init(void)
+{
+ signal_add_first("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
+ signal_add_first("event authenticate", (SIGNAL_FUNC) sasl_step);
+ signal_add_first("event 900", (SIGNAL_FUNC) sasl_success);
+ signal_add_first("event 902", (SIGNAL_FUNC) sasl_fail);
+ signal_add_first("event 904", (SIGNAL_FUNC) sasl_fail);
+ signal_add_first("event 905", (SIGNAL_FUNC) sasl_fail);
+ signal_add_first("event 907", (SIGNAL_FUNC) sasl_already);
+}
+
+void sasl_deinit(void)
+{
+ signal_remove("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
+ signal_remove("event authenticate", (SIGNAL_FUNC) sasl_step);
+ signal_remove("event 900", (SIGNAL_FUNC) sasl_success);
+ signal_remove("event 902", (SIGNAL_FUNC) sasl_fail);
+ signal_remove("event 904", (SIGNAL_FUNC) sasl_fail);
+ signal_remove("event 905", (SIGNAL_FUNC) sasl_fail);
+ signal_remove("event 907", (SIGNAL_FUNC) sasl_already);
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-21 14:49:08 +0000