bitbot-3.11-fork/modules/sasl.py

import base64, hashlib, hmac, uuid
from src import ModuleManager, utils

def _validate(self, s):
    mechanism = s
    if " " in s:
        mechanism, arguments = s.split(" ", 1)
    return {"mechanism": mechanism, "args": arguments}

def _scram_nonce():
    return str(uuid.uuid4().hex)
def _scram_escape(s):
    return s.replace("=", "=3D").replace(",", "=2C")
def _scram_unescape(s):
    return s.replace("=3D", "=").replace("=2C", ",")
def _scram_xor(s1, s2):
    return bytes(a ^ b for a, b in zip(s1, s2))

@utils.export("serverset", {"setting": "sasl",
    "help": "Set the sasl username/password for this server",
    "validate": _validate})
class Module(ModuleManager.BaseModule):
    @utils.hook("received.cap.ls")
    def on_cap(self, event):
        has_sasl = "sasl" in event["capabilities"]
        our_sasl = event["server"].get_setting("sasl", None)

        do_sasl = False
        if has_sasl and our_sasl:
            if not event["capabilities"]["sasl"] == None:
                our_mechanism = our_sasl["mechanism"].upper()
                do_sasl = our_mechanism in event["capabilities"
                    ]["sasl"].split(",")
            else:
                do_sasl = True

        if do_sasl:
            event["server"].queue_capability("sasl")

    @utils.hook("received.cap.ack")
    def on_cap_ack(self, event):
        if "sasl" in event["capabilities"]:
            sasl = event["server"].get_setting("sasl")
            event["server"].send_authenticate(sasl["mechanism"].upper())
            event["server"].wait_for_capability("sasl")

    @utils.hook("received.authenticate")
    def on_authenticate(self, event):
        sasl = event["server"].get_setting("sasl")
        mechanism = sasl["mechanism"].upper()

        if mechanism == "PLAIN":
            if event["message"] != "+":
                event["server"].send_authenticate("*")
            else:
                sasl_username, sasl_password = sasl["args"].split(":", 1)
                auth_text = ("%s\0%s\0%s" % (
                    sasl_username, sasl_username, sasl_password)).encode("utf8")

        elif mechanism == "EXTERNAL":
            if event["message"] != "+":
                event["server"].send_authenticate("*")
            else:
                auth_text = "+"

        elif mechanism.startswith("SCRAM-"):
            algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
            sasl_username, sasl_password = sasl["args"].split(":", 1)
            if event["message"] == "+":
                # start SCRAM handshake
                first_base = "n=%s,r=%s" % (
                    _scram_escape(sasl_username), _scram_nonce())
                first_withchannel = "n,,%s" % first_base
                auth_text = first_withchannel.encode("utf8")
                event["server"]._scram_first = first_base.encode("utf8")
            else:
                data = base64.b64decode(event["message"]).decode("utf8")
                pieces = dict(piece.split("=", 1) for piece in data.split(","))
                if "s" in pieces:
                    # server-first-message
                    nonce = pieces["r"].encode("utf8")
                    salt = base64.b64decode(pieces["s"])
                    iterations = pieces["i"]
                    password = sasl_password.encode("utf8")

                    salted_password = hashlib.pbkdf2_hmac(algo, password, salt,
                        int(iterations), dklen=None)
                    event["server"]._scram_salted_password = salted_password

                    client_key = hmac.digest(salted_password, b"Client Key",
                        algo)
                    stored_key = hashlib.new(algo, client_key).digest()

                    channel = base64.b64encode(b"n,,")
                    auth_noproof = b"c=%s,r=%s" % (channel, nonce)
                    auth_message = b"%s,%s,%s" % (event["server"]._scram_first,
                        data.encode("utf8"), auth_noproof)
                    event["server"]._scram_auth_message = auth_message

                    client_signature = hmac.digest(stored_key, auth_message,
                        algo)
                    client_proof = base64.b64encode(
                        _scram_xor(client_key, client_signature))

                    auth_text = auth_noproof + (b",p=%s" % client_proof)
                elif "v" in pieces:
                    # server-final-message
                    verifier = pieces["v"]

                    salted_password = event["server"]._scram_salted_password
                    auth_message = event["server"]._scram_auth_message
                    server_key = hmac.digest(salted_password, b"Server Key",
                        algo)
                    server_signature = hmac.digest(server_key, auth_message,
                        algo)

                    del event["server"]._scram_first
                    del event["server"]._scram_salted_password
                    del event["server"]._scram_auth_message

                    if server_signature != base64.b64decode(verifier):
                        raise ValueError("SCRAM %s authentication failed "
                            % algo)
                        event["server"].disconnect()
                    auth_text = "+"

        else:
            raise ValueError("unknown sasl mechanism '%s'" % mechanism)

        if not auth_text == "+":
            auth_text = base64.b64encode(auth_text)
            auth_text = auth_text.decode("utf8")
        event["server"].send_authenticate(auth_text)

    def _end_sasl(self, server):
        server.capability_done("sasl")
    @utils.hook("received.numeric.903")
    def sasl_success(self, event):
        self._end_sasl(event["server"])
    @utils.hook("received.numeric.904")
    def sasl_failure(self, event):
        self._end_sasl(event["server"])
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`import base64, hashlib, hmac, uuid`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`from src import ModuleManager, utils`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00
Move all exports to @Utils.export calls 2018-09-27 11:08:07 +00:00			`def _validate(self, s):`
			`mechanism = s`
			`if " " in s:`
			`mechanism, arguments = s.split(" ", 1)`
			`return {"mechanism": mechanism, "args": arguments}`
Add nickserv-password and sasl to !serverset 2018-09-09 09:04:21 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`def _scram_nonce():`
			`return str(uuid.uuid4().hex)`
			`def _scram_escape(s):`
			`return s.replace("=", "=3D").replace(",", "=2C")`
			`def _scram_unescape(s):`
			`return s.replace("=3D", "=").replace("=2C", ",")`
			`def _scram_xor(s1, s2):`
			`return bytes(a ^ b for a, b in zip(s1, s2))`

Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.export("serverset", {"setting": "sasl",`
Move all exports to @Utils.export calls 2018-09-27 11:08:07 +00:00			`"help": "Set the sasl username/password for this server",`
			`"validate": _validate})`
			`class Module(ModuleManager.BaseModule):`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.cap.ls")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00			`def on_cap(self, event):`
Support CAP 3.2 2018-09-07 14:51:41 +00:00			`has_sasl = "sasl" in event["capabilities"]`
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00			`our_sasl = event["server"].get_setting("sasl", None)`
Support CAP 3.2 2018-09-07 14:51:41 +00:00
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00			`do_sasl = False`
			`if has_sasl and our_sasl:`
			`if not event["capabilities"]["sasl"] == None:`
			`our_mechanism = our_sasl["mechanism"].upper()`
			`do_sasl = our_mechanism in event["capabilities"`
			`]["sasl"].split(",")`
			`else:`
Typo in sasl.py; proceed with sasl regardless of mechanism when using CAP 3.1 2018-09-17 12:25:11 +00:00			`do_sasl = True`
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00
			`if do_sasl:`
Make CAP functionality more part of the framework and support message-tags and multi-prefix 2018-09-03 10:14:27 +00:00			`event["server"].queue_capability("sasl")`
Support CAP 3.2 2018-09-07 14:51:41 +00:00
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.cap.ack")`
Make CAP functionality more part of the framework and support message-tags and multi-prefix 2018-09-03 10:14:27 +00:00			`def on_cap_ack(self, event):`
			`if "sasl" in event["capabilities"]:`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00			`sasl = event["server"].get_setting("sasl")`
			`event["server"].send_authenticate(sasl["mechanism"].upper())`
Make CAP functionality more part of the framework and support message-tags and multi-prefix 2018-09-03 10:14:27 +00:00			`event["server"].wait_for_capability("sasl")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.authenticate")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00			`def on_authenticate(self, event):`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`sasl = event["server"].get_setting("sasl")`
			`mechanism = sasl["mechanism"].upper()`

			`if mechanism == "PLAIN":`
			`if event["message"] != "+":`
			`event["server"].send_authenticate("*")`
			`else:`
			`sasl_username, sasl_password = sasl["args"].split(":", 1)`
			`auth_text = ("%s\0%s\0%s" % (`
			`sasl_username, sasl_username, sasl_password)).encode("utf8")`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`elif mechanism == "EXTERNAL":`
			`if event["message"] != "+":`
			`event["server"].send_authenticate("*")`
			`else:`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00			`auth_text = "+"`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00
			`elif mechanism.startswith("SCRAM-"):`
			`algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")`
			`sasl_username, sasl_password = sasl["args"].split(":", 1)`
			`if event["message"] == "+":`
			`# start SCRAM handshake`
			`first_base = "n=%s,r=%s" % (`
			`_scram_escape(sasl_username), _scram_nonce())`
			`first_withchannel = "n,,%s" % first_base`
			`auth_text = first_withchannel.encode("utf8")`
			`event["server"]._scram_first = first_base.encode("utf8")`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00			`else:`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`data = base64.b64decode(event["message"]).decode("utf8")`
			`pieces = dict(piece.split("=", 1) for piece in data.split(","))`
			`if "s" in pieces:`
			`# server-first-message`
			`nonce = pieces["r"].encode("utf8")`
			`salt = base64.b64decode(pieces["s"])`
			`iterations = pieces["i"]`
			`password = sasl_password.encode("utf8")`

			`salted_password = hashlib.pbkdf2_hmac(algo, password, salt,`
			`int(iterations), dklen=None)`
			`event["server"]._scram_salted_password = salted_password`

			`client_key = hmac.digest(salted_password, b"Client Key",`
			`algo)`
			`stored_key = hashlib.new(algo, client_key).digest()`

			`channel = base64.b64encode(b"n,,")`
			`auth_noproof = b"c=%s,r=%s" % (channel, nonce)`
			`auth_message = b"%s,%s,%s" % (event["server"]._scram_first,`
			`data.encode("utf8"), auth_noproof)`
			`event["server"]._scram_auth_message = auth_message`

			`client_signature = hmac.digest(stored_key, auth_message,`
			`algo)`
			`client_proof = base64.b64encode(`
			`_scram_xor(client_key, client_signature))`

			`auth_text = auth_noproof + (b",p=%s" % client_proof)`
			`elif "v" in pieces:`
			`# server-final-message`
			`verifier = pieces["v"]`

			`salted_password = event["server"]._scram_salted_password`
			`auth_message = event["server"]._scram_auth_message`
			`server_key = hmac.digest(salted_password, b"Server Key",`
			`algo)`
			`server_signature = hmac.digest(server_key, auth_message,`
			`algo)`

Remove SCRAM-related variables on IRCServer object when we see server-final-message (sasl.py) 2019-02-05 12:53:19 +00:00			`del event["server"]._scram_first`
			`del event["server"]._scram_salted_password`
			`del event["server"]._scram_auth_message`

Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`if server_signature != base64.b64decode(verifier):`
			`raise ValueError("SCRAM %s authentication failed "`
			`% algo)`
			`event["server"].disconnect()`
			`auth_text = "+"`

			`else:`
			`raise ValueError("unknown sasl mechanism '%s'" % mechanism)`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`if not auth_text == "+":`
			`auth_text = base64.b64encode(auth_text)`
			`auth_text = auth_text.decode("utf8")`
			`event["server"].send_authenticate(auth_text)`
Only "finish" a sasl handshake when we get a 900 2018-09-07 15:04:37 +00:00
Handle 904 (ERR_SASLFAIL) in sasl.py 2018-09-17 11:56:41 +00:00			`def _end_sasl(self, server):`
			`server.capability_done("sasl")`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.numeric.903")`
Only "finish" a sasl handshake when we get a 900 2018-09-07 15:04:37 +00:00			`def sasl_success(self, event):`
Handle 904 (ERR_SASLFAIL) in sasl.py 2018-09-17 11:56:41 +00:00			`self._end_sasl(event["server"])`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.numeric.904")`
Fix a copypaste fail that caused sasl.py to have two sasl_success functions 2018-09-17 12:10:22 +00:00			`def sasl_failure(self, event):`
Handle 904 (ERR_SASLFAIL) in sasl.py 2018-09-17 11:56:41 +00:00			`self._end_sasl(event["server"])`