From b8d3301d34f383f039071214872570385de1bb59 Mon Sep 17 00:00:00 2001
From: LemonBoy <thatlemon@gmail.com>
Date: Thu, 10 Sep 2015 01:02:44 +0200
Subject: SASL support

The only supported methods are PLAIN and EXTERNAL, the latter is untested as of
now.
The code gets the values from the keys named sasl_{mechanism,username,password}
specified for each chatnet.
---
 src/irc/core/sasl.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 134 insertions(+)
 create mode 100644 src/irc/core/sasl.c

(limited to 'src/irc/core/sasl.c')

diff --git a/src/irc/core/sasl.c b/src/irc/core/sasl.c
new file mode 100644
index 00000000..8bffc3d9
--- /dev/null
+++ b/src/irc/core/sasl.c
@@ -0,0 +1,134 @@
+#include "module.h"
+#include "misc.h"
+#include "settings.h"
+
+#include "irc-cap.h"
+#include "irc-servers.h"
+#include "sasl.h"
+
+#define SASL_TIMEOUT (20 * 1000) // ms
+
+static gboolean sasl_timeout (IRC_SERVER_REC *server)
+{
+	/* The authentication timed out, we can't do much beside terminating it */
+	g_critical("The authentication timed out, try increasing the timeout and check your connection "
+	           "to the network.");
+	irc_send_cmd_now(server, "AUTHENTICATE *");
+	cap_finish_negotiation(server);
+
+	return G_SOURCE_REMOVE;
+}
+
+static void sasl_start (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+	IRC_SERVER_CONNECT_REC *conn;
+
+	conn = server->connrec;
+
+	switch (conn->sasl_mechanism) {
+		case SASL_MECHANISM_PLAIN:
+			irc_send_cmd_now(server, "AUTHENTICATE PLAIN");
+			break;
+
+		case SASL_MECHANISM_EXTERNAL:
+			irc_send_cmd_now(server, "AUTHENTICATE EXTERNAL");
+			break;
+	}
+	server->sasl_timeout = g_timeout_add(SASL_TIMEOUT, (GSourceFunc) sasl_timeout, server);
+}
+
+static void sasl_fail (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+	/* Stop any pending timeout, if any */
+	g_source_remove(server->sasl_timeout);
+
+	g_critical("Authentication failed, make sure your credentials are correct and that the mechanism "
+	           "you have selected is supported by this server.");
+
+	/* Terminate the negotiation */
+	cap_finish_negotiation(server);
+}
+
+static void sasl_already (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+	g_source_remove(server->sasl_timeout);
+
+	/* We're already authenticated, do nothing */
+	cap_finish_negotiation(server);
+}
+
+static void sasl_success (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+	g_source_remove(server->sasl_timeout);
+
+	/* The authentication succeeded, time to finish the CAP negotiation */
+	g_warning("SASL authentication succeeded");
+	cap_finish_negotiation(server);
+}
+
+static void sasl_step (IRC_SERVER_REC *server, const char *data, const char *from)
+{
+	IRC_SERVER_CONNECT_REC *conn;
+	GString *req;
+	char *enc_req;
+
+	conn = server->connrec;
+
+	/* Stop the timer */
+	g_source_remove(server->sasl_timeout);
+
+	switch (conn->sasl_mechanism) {
+		case SASL_MECHANISM_PLAIN:
+			/* At this point we assume that conn->{username, password} are non-NULL.
+			 * The PLAIN mechanism expects a NULL-separated string composed by the authorization identity, the
+			 * authentication identity and the password.
+			 * The authorization identity field is optional and can be omitted, the server will derive the
+			 * identity by looking at the credentials provided.
+			 * The whole request is then encoded in base64. */
+
+			req = g_string_new(NULL);
+
+			g_string_append_c(req, '\0');
+			g_string_append(req, conn->sasl_username);
+			g_string_append_c(req, '\0');
+			g_string_append(req, conn->sasl_password);
+
+			enc_req = g_base64_encode((const guchar *)req->str, req->len);
+
+			irc_send_cmdv(server, "AUTHENTICATE %s", enc_req);
+
+			g_free(enc_req);
+			g_string_free(req, TRUE);
+			break;
+
+		case SASL_MECHANISM_EXTERNAL:
+			/* Empty response */
+			irc_send_cmdv(server, "+");
+			break;
+	}
+
+	/* We expect a response within a reasonable time */
+	server->sasl_timeout = g_timeout_add(SASL_TIMEOUT, (GSourceFunc) sasl_timeout, server);
+}
+
+void sasl_init(void)
+{
+	signal_add_first("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
+	signal_add_first("event authenticate", (SIGNAL_FUNC) sasl_step);
+	signal_add_first("event 900", (SIGNAL_FUNC) sasl_success);
+	signal_add_first("event 902", (SIGNAL_FUNC) sasl_fail);
+	signal_add_first("event 904", (SIGNAL_FUNC) sasl_fail);
+	signal_add_first("event 905", (SIGNAL_FUNC) sasl_fail);
+	signal_add_first("event 907", (SIGNAL_FUNC) sasl_already);
+}
+
+void sasl_deinit(void)
+{
+	signal_remove("server cap ack sasl", (SIGNAL_FUNC) sasl_start);
+	signal_remove("event authenticate", (SIGNAL_FUNC) sasl_step);
+	signal_remove("event 900", (SIGNAL_FUNC) sasl_success);
+	signal_remove("event 902", (SIGNAL_FUNC) sasl_fail);
+	signal_remove("event 904", (SIGNAL_FUNC) sasl_fail);
+	signal_remove("event 905", (SIGNAL_FUNC) sasl_fail);
+	signal_remove("event 907", (SIGNAL_FUNC) sasl_already);
+}
-- 
cgit v1.2.3