From f62f94b094b2d0f8ef11fe8cdd0b8b6a38acafc7 Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker
Date: Mon, 4 Apr 2011 00:44:07 +0200
Subject: [PATCH] Back out AUTHENTICATE EXTERNAL so I can do it differently.
The current approach is fundamentally broken as it allows anyone in that knows the certfp and uses an old ircd as their server.
---
 include/client.h | 1 -
 modules/m_sasl.c | 26 ++------------------------
 2 files changed, 2 insertions(+), 25 deletions(-)
diff --git a/include/client.h b/include/client.h
index 8eaa971a..2c3597f7 100644
--- a/include/client.h
+++ b/include/client.h
@@ -292,7 +292,6 @@ struct PreClient
 char sasl_agent[IDLEN];
 unsigned char sasl_out;
 unsigned char sasl_complete;
- unsigned char sasl_external;
 rb_dlink_list dnsbl_queries; /* list of struct BlacklistClient * */
 struct Blacklist *dnsbl_listed; /* first dnsbl where it's listed */
diff --git a/modules/m_sasl.c b/modules/m_sasl.c
index 3345b212..41bf823d 100644
--- a/modules/m_sasl.c
+++ b/modules/m_sasl.c
@@ -1,6 +1,6 @@
 /* modules/m_sasl.c
 * Copyright (C) 2006 Michael Tharp
- * Copyright (C) 2006, 2011 charybdis development team
+ * Copyright (C) 2006 charybdis development team
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
@@ -67,10 +67,6 @@ mapi_hfn_list_av1 sasl_hfnlist[] = {
 DECLARE_MODULE_AV1(sasl, NULL, NULL, sasl_clist, NULL, sasl_hfnlist, "$Revision: 1409 $");
-/*
- * parv[1] = mechanism.
- * in ircv3.1, if this is EXTERNAL, we just send the certificate fingerprint.
- */
 static int
 mr_authenticate(struct Client *client_p, struct Client *source_p,
 int parc, const char *parv[])
@@ -110,16 +106,8 @@ mr_authenticate(struct Client *client_p, struct Client *source_p,
 agent_p = find_id(source_p->preClient->sasl_agent);
 if(agent_p == NULL)
- {
- if (!strcasecmp(parv[1], "EXTERNAL"))
- {
- if (source_p->certfp)
- source_p->preClient->sasl_external++;
- }
-
 sendto_server(NULL, NULL, CAP_TS6|CAP_ENCAP, NOCAPS, ":%s ENCAP * SASL %s * S %s", me.id, source_p->id, parv[1]);
- }
 else
 sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name, source_p->id, agent_p->id, parv[1]);
@@ -164,18 +152,8 @@ me_sasl(struct Client *client_p, struct Client *source_p,
 else if(!*target_p->preClient->sasl_agent)
 rb_strlcpy(target_p->preClient->sasl_agent, parv[1], IDLEN);
- if(*parv[3] == 'C' && !target_p->preClient->sasl_external)
+ if(*parv[3] == 'C')
 sendto_one(target_p, "AUTHENTICATE %s", parv[4]);
- else if(*parv[3] == 'C' && *target_p->preClient->sasl_agent)
- {
- unsigned char *message;
-
- message = rb_base64_encode((unsigned char *) target_p->certfp, strlen(target_p->certfp));
- sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s", me.id, agent_p->servptr->name,
- source_p->id, agent_p->id, message);
-
- rb_free(message);
- }
 else if(*parv[3] == 'D')
 {
 if(*parv[4] == 'F')
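Review bot: With the `sasl_external` branch removed, the `if(*parv[3] == 'C')` path in me_sasl relays every agent challenge to the client, and the `else` branch of mr_authenticate (the `@@ -110` hunk) forwards the client's answer to the agent verbatim, so for mechanism EXTERNAL the fingerprint that reaches services would be client-supplied rather than read from `target_p->certfp`. That is the same trust gap the commit message attributes to old ircds, and it presumably stays open for as long as the services side (not visible here) still accepts EXTERNAL over this relay. Until the reworked mechanism lands, consider refusing it where the mechanism name is first seen, i.e. in mr_authenticate's `agent_p == NULL` branch, by guarding the `S` relay with `if(!strcasecmp(parv[1], "EXTERNAL"))` and failing the exchange locally instead of forwarding it. Both function bodies begin and end outside these hunks, so any `parc` or length checks on `parv[1]`, `parv[3]` and `parv[4]` cannot be confirmed from here.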