Back out AUTHENTICATE EXTERNAL so I can do it differently.

The current approach is fundamentally broken: it lets anyone in who
knows the certfp and connects through an old ircd as their
server.
This commit is contained in:
Jilles Tjoelker 2011-04-04 00:44:07 +02:00
parent 1b19fe8b5e
commit f62f94b094
2 changed files with 2 additions and 25 deletions


@ -292,7 +292,6 @@ struct PreClient
char sasl_agent[IDLEN];
unsigned char sasl_out;
unsigned char sasl_complete;
unsigned char sasl_external;
rb_dlink_list dnsbl_queries; /* list of struct BlacklistClient * */
struct Blacklist *dnsbl_listed; /* first dnsbl where it's listed */


@ -1,6 +1,6 @@
/* modules/m_sasl.c
* Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
* Copyright (C) 2006, 2011 charybdis development team
* Copyright (C) 2006 charybdis development team
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@ -67,10 +67,6 @@ mapi_hfn_list_av1 sasl_hfnlist[] = {
DECLARE_MODULE_AV1(sasl, NULL, NULL, sasl_clist, NULL, sasl_hfnlist, "$Revision: 1409 $");
/*
* parv[1] = mechanism.
* in ircv3.1, if this is EXTERNAL, we just send the certificate fingerprint.
*/
static int
mr_authenticate(struct Client *client_p, struct Client *source_p,
int parc, const char *parv[])
@ -110,16 +106,8 @@ mr_authenticate(struct Client *client_p, struct Client *source_p,
agent_p = find_id(source_p->preClient->sasl_agent);
if(agent_p == NULL)
{
if (!strcasecmp(parv[1], "EXTERNAL"))
{
if (source_p->certfp)
source_p->preClient->sasl_external++;
}
sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * S %s", me.id,
source_p->id, parv[1]);
}
else
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name,
source_p->id, agent_p->id, parv[1]);
@ -164,18 +152,8 @@ me_sasl(struct Client *client_p, struct Client *source_p,
else if(!*target_p->preClient->sasl_agent)
rb_strlcpy(target_p->preClient->sasl_agent, parv[1], IDLEN);
if(*parv[3] == 'C' && !target_p->preClient->sasl_external)
if(*parv[3] == 'C')
sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
else if(*parv[3] == 'C' && *target_p->preClient->sasl_agent)
{
unsigned char *message;
message = rb_base64_encode((unsigned char *) target_p->certfp, strlen(target_p->certfp));
sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name,
source_p->id, agent_p->id, message);
rb_free(message);
}
else if(*parv[3] == 'D')
{
if(*parv[4] == 'F')
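Review bot: With the sasl_external path gone, the `S` message on the new side of the mr_authenticate hunk (`sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * S %s", ...)`) still forwards a client-chosen `EXTERNAL` to the agent, and nothing on the ircd side now vouches for the certfp, so any EXTERNAL exchange that completes after this commit is driven entirely by client-supplied AUTHENTICATE data relayed through the `C` branch of me_sasl. If the agent side was taught to accept a base64 certfp in the `C` message for the removed scheme, that leaves the hole the commit message describes open for every server rather than only old ones until the replacement lands; the agent code is not visible here, so this is an inference to confirm. Until the new design is in, I would mark the pass-through with `/* parv[1] is client-chosen and forwarded as-is; this ircd does not vouch for EXTERNAL */` above the sendto_server call and check that the agent does not treat a client's EXTERNAL response as a server-asserted fingerprint. Whatever length or syntax checking parv[1] receives happens above the hunk and is not visible; both mr_authenticate and me_sasl begin outside their hunks.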