Add initial SASL functionality. Closes #395

Add PLAIN, EXTERNAL, and ECDSA_NIST256 support for SASL authentication
Still TODO: timeouts, other stuff that breaks it right now
michaelortmann authored and vanosg committed Aug 4, 2019
1 parent 34dceb8 commit a0d921dec71de1d3801f4e589168503bb954ad51
Showing with 311 additions and 51 deletions.
  1. +1 −0 FEATURES
  2. +39 −0 eggdrop.conf
  3. +18 −2 src/mod/server.mod/server.c
  4. +16 −2 src/mod/server.mod/server.h
  5. +237 −47 src/mod/server.mod/servmsg.c
@@ -11,6 +11,7 @@ EGGDROP FEATURES

- Support for SSL-enabled IRC servers
- Support for IPv6 users
- Extended IRC server features such as SASL
- Completely separate channel user lists like having a separate
bot for each channel.
- A "party line" available through dcc chat or telnet, with
@@ -490,6 +490,45 @@ set ssl-capath "/etc/ssl/"
#set ssl-verify-clients 0


##### SASL #####

# SASL is a method that allows Eggdrop to authenticate with a NickServ service
# as part of the connection process to a server, eliminating the need to later
# authenticate via a /msg command. Not all servers support SASL, please consult
# with your server admins to confirm this capability exists on your server.

# To request SASL authentication, set this to 1
#set sasl 0

# Set SASL mechanism to authenticate with.
# For the ECDSA-NIST256P method, set the certificate location in the ecdsa-key
# setting below. For the EXTERNAL method, the ssl certificates to use are set
# via the ssl-certificate and ssl-privatekey settings in the SSL section above.
# Options are:
# 0 - PLAIN
# 1 - ECDSA-NIST256P-CHALLENGE
# 2 - EXTERNAL
#set sasl-mechanism 0

# Set username to authenticate to IRC NickServ with
#set sasl-username "llamabot"

# Set password to authenticate to IRC NickServ with
#set sasl-password "password"

# Specify the location of certificate to use for the SASL
# ecdsa-nist256p-challenge. An ECDSA certificate can be generated with the
# command:
# openssl ecparam -genkey -name prime256v1 -out eggdrop-ecdsa.pem
#set sasl-ecdsa-key "/home/user/eggdrop/eggdrop-ecdsa.pem"

# Set SASL failure action
# If SASL authentication fails, do you want to connect to the server anyway?
# Set to this to 0 to disconnect and retry until success, or 1 to continue
# connecting to the server without SASL authentication.
#
#set sasl-continue 1

##### MORE ADVANCED SETTINGS #####

# Set this to your socks host if your Eggdrop sits behind a firewall. If
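Review bot: The `sasl-continue` paragraph should state plainly that the default of 1 is a silent downgrade: when authentication fails for any reason the bot carries on with the connection without a SASL-backed identity, which an operator relying on SASL for access control may not expect. Suggested wording for the two explanatory lines: `# Set to 0 to disconnect and retry until SASL succeeds, or 1 (the default) to` / `# continue connecting without SASL; with 1 the bot may end up connected but un-identified after a failed or unsupported authentication.` The current text also reads "Set to this to 0", which is a typo. Since `sasl-password` is kept in cleartext in this file, the comment above it could remind the reader to keep the file's permissions restricted.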
@@ -123,6 +123,12 @@ static char *realservername;

static int sasl = 0;

static int sasl_mechanism = 0;
static char sasl_username[NICKMAX + 1];
static char sasl_password[81];
static int sasl_continue = 1;
static char sasl_ecdsa_key[121];

#include "servmsg.c"

#define MAXPENALTY 10
@@ -817,8 +823,13 @@ static void queue_server(int which, char *msg, int len)
remove_crlf(&msg);
len = strlen(buf);

/* No queue for PING and PONG - drummer */
if (!strncasecmp(buf, "PING", 4) || !strncasecmp(buf, "PONG", 4)) {
/* No queue for PING, PONG and AUTHENTICATE */
#define PING "PING"
#define PONG "PONG"
#define AUTHENTICATE "AUTHENTICATE"
if (!strncasecmp(buf, PING, sizeof PING - 1) ||
!strncasecmp(buf, PONG, sizeof PONG - 1) ||
!strncasecmp(buf, AUTHENTICATE, sizeof AUTHENTICATE - 1)) {
if (buf[1] == 'I' || buf[1] == 'i')
lastpingtime = now;
check_tcl_out(which, buf, 1);
@@ -1388,6 +1399,9 @@ static tcl_strings my_tcl_strings[] = {
{"connect-server", connectserver, 120, 0},
{"stackable-commands", stackablecmds, 510, 0},
{"stackable2-commands", stackable2cmds, 510, 0},
{"sasl-username", sasl_username, NICKMAX, 0},
{"sasl-password", sasl_password, 80, 0},
{"sasl-ecdsa-key", sasl_ecdsa_key, 120, 0},
{NULL, NULL, 0, 0}
};

@@ -1428,6 +1442,8 @@ static tcl_ints my_tcl_ints[] = {
{"ssl-verify-server", &tls_vfyserver, 0},
#endif
{"sasl", &sasl, 0},
{"sasl-mechanism", &sasl_mechanism, 0},
{"sasl-continue", &sasl_continue, 0},
{NULL, NULL, 0}
};

@@ -110,13 +110,27 @@ typedef struct cap_list {

extern struct cap_list cap;

/* Available net types. */
/* Available net types. */
enum {
NETT_EFNET = 0, /* EFnet */
NETT_IRCNET = 1, /* IRCnet */
NETT_UNDERNET = 2, /* UnderNet */
NETT_DALNET = 3, /* DALnet */
NETT_HYBRID_EFNET = 4 /* +e/+I/max-bans 20 Hybrid */
} nett_t;
};

/* Available sasl mechanisms. */
enum {
SASL_MECHANISM_PLAIN,
SASL_MECHANISM_ECDSA_NIST256P_CHALLENGE,
SASL_MECHANISM_EXTERNAL,
SASL_MECHANISM_NUM
};

char const *const SASL_MECHANISMS[SASL_MECHANISM_NUM] = {
[SASL_MECHANISM_PLAIN] = "PLAIN",
[SASL_MECHANISM_ECDSA_NIST256P_CHALLENGE] = "ECDSA-NIST256P-CHALLENGE",
[SASL_MECHANISM_EXTERNAL] = "EXTERNAL"
};

#endif /* _EGG_MOD_SERVER_SERVER_H */
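Review bot: `char const *const SASL_MECHANISMS[SASL_MECHANISM_NUM] = { … }` near the end of the hunk is an object definition with external linkage placed in a header, so every translation unit that includes server.h gets its own definition of the same symbol; either make it `static char const *const SASL_MECHANISMS[SASL_MECHANISM_NUM] = { … }` here, or keep only `extern char const *const SASL_MECHANISMS[SASL_MECHANISM_NUM];` in the header and move the initialiser into server.c. The table is presumably indexed by the user-set `sasl-mechanism` integer registered in server.c's `tcl_ints` (the indexing itself would be in servmsg.c, which is not in view), and nothing visible clamps that value, so any lookup needs a guard such as `if (sasl_mechanism < 0 || sasl_mechanism >= SASL_MECHANISM_NUM)` before `SASL_MECHANISMS[sasl_mechanism]` is read, otherwise an out-of-range config value reads past the array. A one-line comment on the new enum, `/* Values must match the sasl-mechanism numbering documented in eggdrop.conf */`, would tie the two definitions together.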
