diff options
| author | 2022-01-30 12:49:28 +0000 | |
|---|---|---|
| committer | 2022-01-30 13:22:53 +0000 | |
| commit | 6703b8065ccaa0acb50380736f25780e3a8e549d (patch) | |
| tree | 783b07c0b18c179a63ec86c5028f04ed564bb0c8 /src/modules/m_sasl.cpp | |
| parent | Work around the deprecation of the old curve API in OpenSSL 3.0.0. (diff) | |
Abort pre-registration SASL attempts when the user fully connects.
This makes InspIRCd work more like other IRC servers which implement
the recommended behaviour from the sasl-3.1 specification:
If the client completes registration (with CAP END, NICK, USER
and any other necessary messages) while the SASL authentication
is still in progress, the server SHOULD abort it and send a 906
numeric, then register the client without authentication.
Thanks to @aaronmdjones and @edk0 for finding and reporting this.
Diffstat (limited to 'src/modules/m_sasl.cpp')
| -rw-r--r-- | src/modules/m_sasl.cpp | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp index 20f2dba90..69d33e25c 100644 --- a/src/modules/m_sasl.cpp +++ b/src/modules/m_sasl.cpp @@ -281,6 +281,12 @@ class SaslAuthenticator return this->state; } + void Abort() + { + this->state = SASL_DONE; + this->result = SASL_ABORT; + } + bool SendClientMessage(const std::vector<std::string>& parameters) { if (this->state != SASL_COMM) @@ -290,15 +296,14 @@ class SaslAuthenticator if (parameters[0].c_str()[0] == '*') { - this->state = SASL_DONE; - this->result = SASL_ABORT; + this->Abort(); return false; } return true; } - void AnnounceState(void) + void AnnounceState() { if (this->state_announced) return; @@ -451,6 +456,21 @@ class ModuleSASL : public Module servertracker.Reset(); } + void OnUserConnect(LocalUser* user) CXX11_OVERRIDE + { + // If the client completes registration (with CAP END, NICK, USER and + // any other necessary messages) while the SASL authentication is still + // in progress, the server SHOULD abort it and send a 906 numeric, then + // register the client without authentication. + SaslAuthenticator* saslauth = authExt.get(user); + if (saslauth) + { + saslauth->Abort(); + saslauth->AnnounceState(); + authExt.unset(user); + } + } + void OnDecodeMetaData(Extensible* target, const std::string& extname, const std::string& extdata) CXX11_OVERRIDE { if ((target == NULL) && (extname == "saslmechlist")) |
