aboutsummaryrefslogtreecommitdiff
path: root/src/modules/m_sasl.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2022-01-30 12:49:28 +0000
committerGravatar Sadie Powell2022-01-30 13:22:53 +0000
commit6703b8065ccaa0acb50380736f25780e3a8e549d (patch)
tree783b07c0b18c179a63ec86c5028f04ed564bb0c8 /src/modules/m_sasl.cpp
parentWork around the deprecation of the old curve API in OpenSSL 3.0.0. (diff)
Abort pre-registration SASL attempts when the user fully connects.
This makes InspIRCd work more like other IRC servers which implement the recommended behaviour from the sasl-3.1 specification: If the client completes registration (with CAP END, NICK, USER and any other necessary messages) while the SASL authentication is still in progress, the server SHOULD abort it and send a 906 numeric, then register the client without authentication. Thanks to @aaronmdjones and @edk0 for finding and reporting this.
Diffstat (limited to 'src/modules/m_sasl.cpp')
-rw-r--r--src/modules/m_sasl.cpp26
1 files changed, 23 insertions, 3 deletions
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 20f2dba90..69d33e25c 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -281,6 +281,12 @@ class SaslAuthenticator
return this->state;
}
+ void Abort()
+ {
+ this->state = SASL_DONE;
+ this->result = SASL_ABORT;
+ }
+
bool SendClientMessage(const std::vector<std::string>& parameters)
{
if (this->state != SASL_COMM)
@@ -290,15 +296,14 @@ class SaslAuthenticator
if (parameters[0].c_str()[0] == '*')
{
- this->state = SASL_DONE;
- this->result = SASL_ABORT;
+ this->Abort();
return false;
}
return true;
}
- void AnnounceState(void)
+ void AnnounceState()
{
if (this->state_announced)
return;
@@ -451,6 +456,21 @@ class ModuleSASL : public Module
servertracker.Reset();
}
+ void OnUserConnect(LocalUser* user) CXX11_OVERRIDE
+ {
+ // If the client completes registration (with CAP END, NICK, USER and
+ // any other necessary messages) while the SASL authentication is still
+ // in progress, the server SHOULD abort it and send a 906 numeric, then
+ // register the client without authentication.
+ SaslAuthenticator* saslauth = authExt.get(user);
+ if (saslauth)
+ {
+ saslauth->Abort();
+ saslauth->AnnounceState();
+ authExt.unset(user);
+ }
+ }
+
void OnDecodeMetaData(Extensible* target, const std::string& extname, const std::string& extdata) CXX11_OVERRIDE
{
if ((target == NULL) && (extname == "saslmechlist"))