195 lines
7 KiB
Python
195 lines
7 KiB
Python
#--depends-on config
|
|
|
|
import base64, hashlib, hmac, typing, uuid
|
|
from src import ModuleManager, utils
|
|
from . import scram
|
|
|
|
CAP = utils.irc.Capability("sasl")
|
|
|
|
USERPASS_MECHANISMS = [
|
|
"SCRAM-SHA-512",
|
|
"SCRAM-SHA-256",
|
|
"SCRAM-SHA-1",
|
|
"PLAIN"
|
|
]
|
|
ALL_MECHANISMS = USERPASS_MECHANISMS+["EXTERNAL"]
|
|
|
|
def _parse(value):
|
|
mechanism, _, arguments = value.partition(" ")
|
|
mechanism = mechanism.upper()
|
|
|
|
if mechanism in ALL_MECHANISMS:
|
|
return {"mechanism": mechanism.upper(), "args": arguments}
|
|
else:
|
|
raise utils.settings.SettingParseException(
|
|
"Unknown SASL mechanism '%s'" % mechanism)
|
|
|
|
SASL_TIMEOUT = 15 # 15 seconds
|
|
|
|
HARDFAIL = utils.BoolSetting("sasl-hard-fail",
|
|
"Set whether a SASL failure should cause a disconnect")
|
|
|
|
@utils.export("serverset", utils.FunctionSetting(_parse, "sasl",
|
|
"Set the sasl username/password for this server",
|
|
example="PLAIN BitBot:hunter2", format=utils.sensitive_format))
|
|
@utils.export("serverset", HARDFAIL)
|
|
@utils.export("botset", HARDFAIL)
|
|
class Module(ModuleManager.BaseModule):
|
|
@utils.hook("new.server")
|
|
def new_server(self, event):
|
|
event["server"]._sasl_timeout = None
|
|
event["server"]._sasl_retry = False
|
|
|
|
def _best_userpass_mechanism(self, mechanisms):
|
|
for potential_mechanism in USERPASS_MECHANISMS:
|
|
if potential_mechanism in mechanisms:
|
|
return potential_mechanism
|
|
|
|
def _mech_match(self, server, server_mechanisms):
|
|
our_sasl = server.get_setting("sasl", None)
|
|
if not our_sasl:
|
|
return None
|
|
|
|
our_mechanism = our_sasl["mechanism"].upper()
|
|
|
|
if not server_mechanisms and our_mechanism in ALL_MECHANISMS:
|
|
return our_mechanism
|
|
elif our_mechanism in server_mechanisms:
|
|
return our_mechanism
|
|
elif our_mechanism == "USERPASS":
|
|
if server_mechanisms:
|
|
return self._best_userpass_mechanism(server_mechanisms)
|
|
else:
|
|
return USERPASS_MECHANISMS[0]
|
|
return None
|
|
|
|
@utils.hook("received.cap.new")
|
|
@utils.hook("received.cap.ls")
|
|
def on_cap(self, event):
|
|
has_sasl = "sasl" in event["capabilities"]
|
|
if has_sasl:
|
|
server_mechanisms = event["capabilities"]["sasl"]
|
|
if server_mechanisms:
|
|
server_mechanisms = server_mechanisms.split(",")
|
|
else:
|
|
server_mechanisms = []
|
|
|
|
mechanism = self._mech_match(event["server"], server_mechanisms)
|
|
|
|
if mechanism:
|
|
cap = CAP.copy()
|
|
cap.on_ack(
|
|
lambda: self._sasl_ack(event["server"], mechanism))
|
|
return cap
|
|
|
|
def _sasl_ack(self, server, mechanism):
|
|
server.send_authenticate(mechanism)
|
|
server._sasl_timeout = self.timers.add("sasl-timeout",
|
|
self._sasl_timeout, SASL_TIMEOUT, server=server)
|
|
server._sasl_mechanism = mechanism
|
|
|
|
server.wait_for_capability("sasl")
|
|
|
|
def _sasl_timeout(self, timer):
|
|
server = timer.kwargs["server"]
|
|
self._panic(server, "SASL handshake timed out")
|
|
|
|
@utils.hook("received.authenticate")
|
|
def on_authenticate(self, event):
|
|
sasl = event["server"].get_setting("sasl")
|
|
mechanism = event["server"]._sasl_mechanism
|
|
|
|
auth_text = None
|
|
if mechanism == "PLAIN":
|
|
if event["message"] != "+":
|
|
event["server"].send_authenticate("*")
|
|
else:
|
|
sasl_username, sasl_password = sasl["args"].split(":", 1)
|
|
auth_text = ("%s\0%s\0%s" % (
|
|
sasl_username, sasl_username, sasl_password)).encode("utf8")
|
|
|
|
elif mechanism == "EXTERNAL":
|
|
if event["message"] != "+":
|
|
event["server"].send_authenticate("*")
|
|
else:
|
|
auth_text = "+"
|
|
|
|
elif mechanism.startswith("SCRAM-"):
|
|
|
|
if event["message"] == "+":
|
|
# start SCRAM handshake
|
|
|
|
# create SCRAM helper
|
|
sasl_username, sasl_password = sasl["args"].split(":", 1)
|
|
algo = mechanism.split("SCRAM-", 1)[1]
|
|
event["server"]._scram = scram.SCRAM(
|
|
algo, sasl_username, sasl_password)
|
|
|
|
# generate client-first-message
|
|
auth_text = event["server"]._scram.client_first()
|
|
else:
|
|
current_scram = event["server"]._scram
|
|
data = base64.b64decode(event["message"])
|
|
if current_scram.state == scram.SCRAMState.ClientFirst:
|
|
# use server-first-message to generate client-final-message
|
|
auth_text = current_scram.server_first(data)
|
|
elif current_scram.state == scram.SCRAMState.ClientFinal:
|
|
# use server-final-message to check server proof
|
|
verified = current_scram.server_final(data)
|
|
del event["server"]._scram
|
|
|
|
if verified:
|
|
auth_text = "+"
|
|
else:
|
|
if current_scram.state == scram.SCRAMState.VerifyFailed:
|
|
# server gave a bad verification so we should panic
|
|
self._panic(event["server"], "SCRAM VerifyFailed")
|
|
|
|
else:
|
|
raise ValueError("unknown sasl mechanism '%s'" % mechanism)
|
|
|
|
if not auth_text == None:
|
|
if not auth_text == "+":
|
|
auth_text = base64.b64encode(auth_text)
|
|
auth_text = auth_text.decode("utf8")
|
|
event["server"].send_authenticate(auth_text)
|
|
|
|
def _end_sasl(self, server):
|
|
server.capability_done("sasl")
|
|
if not server._sasl_timeout == None:
|
|
server._sasl_timeout.cancel()
|
|
server._sasl_timeout = None
|
|
|
|
@utils.hook("received.908")
|
|
def sasl_mechanisms(self, event):
|
|
server_mechanisms = event["line"].args[1].split(",")
|
|
mechanism = self._mech_match(event["server"], server_mechanisms)
|
|
if mechanism:
|
|
event["server"]._sasl_mechanism = mechanism
|
|
event["server"].send_authenticate(mechanism)
|
|
event["server"]._sasl_retry = True
|
|
|
|
@utils.hook("received.903")
|
|
def sasl_success(self, event):
|
|
self._end_sasl(event["server"])
|
|
@utils.hook("received.904")
|
|
def sasl_failure(self, event):
|
|
if not event["server"]._sasl_retry:
|
|
self._panic(event["server"], "ERR_SASLFAIL (%s)" %
|
|
event["line"].args[1])
|
|
else:
|
|
event["server"]._sasl_retry = False
|
|
|
|
@utils.hook("received.907")
|
|
def sasl_already(self, event):
|
|
self._end_sasl(event["server"])
|
|
|
|
def _panic(self, server, message):
|
|
if server.get_setting("sasl-hard-fail",
|
|
self.bot.get_setting("sasl-hard-fail", False)):
|
|
message = "SASL panic for %s: %s" % (str(server), message)
|
|
self.log.error(message)
|
|
self.bot.disconnect(server)
|
|
else:
|
|
self.log.warn("SASL failure for %s: %s" % (str(server), message))
|
|
self._end_sasl(server)
|