Commit graph

63 commits

Author SHA1 Message Date
c7da812303
Merge branch 'solanum' into merging-solanum-into-hackint 2024-06-06 00:33:19 +00:00
Ed Kellett
06c5309534 m_sasl: Remove implicit abort on registration
This doesn't make sense in a world where post-registration SASL is
allowed, and should fix one case of an annoying login desync that's seen
in the real world.

Specifically, when a client sends its final AUTHENTICATE and Atheme
receives it, it sends an SVSLOGIN for that client. If the client sends
us its CAP END *before* we see the SVSLOGIN, the implicit abort will try
to abort the SASL session that's already succeeded.

Atheme interprets this as an instruction to forget about the successful
SASL session; you'll connect unidentified. But it's already sent
SVSLOGIN, which will log the client in ircd-side, causing ircd and
services views to differ until the user authenticates again manually.

I think allowing a SASL session to be aborted when it has already
succeeded is an Atheme bug, and it can still be triggered without this
change. But our behaviour here seems silly anyway.
2022-10-06 17:06:28 -04:00
Eric Mertens
82436efb60
hook_fn casts were hiding UB (#265) 2021-08-19 20:09:40 -07:00
Eric Mertens
e83449d5be
Stop announcing SASL cap changes on services split/join (#263) 2021-08-15 16:25:46 -07:00
Aaron Jones
8b7110d6ba modules/m_sasl.c: use IsSecure() instead of IsSSL()
Further to our implementation of the concept of "secure origins", we can
indicate to services that the client is connected securely, rather than
just that the client is using TLS. For example, connections from the
local host (from the IRCd's perspective) can be considered secure
against eavesdropping.

Allow this to factor into services' decision on whether to allow an SASL
negotiation or not. Atheme currently assumes this means the client is
using TLS, but I have changed that in atheme/atheme@412d50103c
2021-06-08 04:59:43 +00:00
Ed Kellett
738b5d291e Mint CLICAP_FLAGS_PRIORITY 2020-10-19 19:30:43 -04:00
Ariadne Conill
3792c63dc0 sasl: use mapi_cap_list_v2 correctly 2020-07-09 17:47:28 -06:00
Simon Arlott
24b8fd0063
m_sasl: Don't process authentication messages if SASL has been aborted 2019-06-08 22:07:36 +01:00
Aaron Jones
a589946b42
Revert "m_sasl: Don't process authentication messages if SASL has been aborted"
SASL does not work with this commit in the tree.

This reverts commit f44a0d7ea2.
2019-06-08 20:59:36 +00:00
Simon Arlott
f44a0d7ea2
m_sasl: Don't process authentication messages if SASL has been aborted 2019-02-23 13:19:13 +00:00
Simon Arlott
40a766a0a0
m_sasl: Don't process authentication messages if SASL has been aborted, but track failures 2019-02-23 13:02:15 +00:00
Simon Arlott
d5d52a994d
m_nick/m_sasl/m_user: restore check for mixing of client and server protocol 2018-08-15 22:48:21 +01:00
Simon Arlott
3ea954da3a
m_nick/m_sasl/m_user: restore check for mixing of client and server protocol 2018-08-15 22:48:08 +01:00
Simon Arlott
03f04cd80e
m_sasl: check if the agent is present after every client_exit
When a server disconnects the client_exit hook will only be called once
but there could be multiple servers and clients behind that server.

After any client exits, check if the agent is still present.
2018-08-12 13:06:20 +01:00
Simon Arlott
15b05f95f0
m_sasl: check if the agent is present after every client_exit
When a server disconnects the client_exit hook will only be called once
but there could be multiple servers and clients behind that server.

After any client exits, check if the agent is still present.
2018-08-12 12:50:43 +01:00
Aaron Jones
6d8a8851df
modules/m_sasl.c: prevent abort_sasl() sending 906 twice 2018-04-06 20:07:08 +00:00
Aaron Jones
bfffef7436
modules/m_sasl.c: prevent abort_sasl() sending 906 twice 2018-04-06 20:05:48 +00:00
Aaron Jones
631c30890c
modules/m_sasl.c: command functions are void on this branch 2018-04-06 19:58:45 +00:00
Aaron Jones
280ce6a951
modules/m_sasl.c: abort session if we receive '*' as data
Otherwise we'd send the * on to services as actual data, which is likely
to fail to decode it (it's not valid Base-64) and reply with an SASL ...
D F which will result in us sending a 904 numeric instead of a 906.

cf. https://github.com/ircv3/ircv3-specifications/pull/298#issuecomment-271336287

Reported-By: James Wheare
2018-04-06 19:49:33 +00:00
Aaron Jones
11d111c3fa
modules/m_sasl.c: abort session if we receive '*' as data
Otherwise we'd send the * on to services as actual data, which is likely
to fail to decode it (it's not valid Base-64) and reply with an SASL ...
D F which will result in us sending a 904 numeric instead of a 906.

cf. https://github.com/ircv3/ircv3-specifications/pull/298#issuecomment-271336287

Reported-By: James Wheare
2018-04-06 19:45:56 +00:00
Simon Arlott
754c1edf2e
m_sasl: indicate client connection type for SASL 2017-08-13 21:52:04 +01:00
Simon Arlott
0ee833da4a
m_sasl: indicate client connection type for SASL 2017-08-09 22:04:11 +01:00
Aaron Jones
23f5c31719
SASL: Relax rate limiting for failures a little
Begin at 8 seconds after 2 failures and up to ~4 minutes
2016-10-02 14:13:02 +00:00
Xenthys
46ef49c390
SASL: rate-limit after the 2nd failed attempt (m_sasl.c) 2016-10-02 03:57:11 +02:00
Aaron Jones
ac88154f94
SASL: Disallow beginning : and space anywhere in AUTHENTICATE parameter
This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must
apply this fix if you support SASL on your servers, or unload m_sasl.so
in the meantime.
2016-09-03 17:29:53 +00:00
Aaron Jones
818a3fda94
SASL: Disallow beginning : and space anywhere in AUTHENTICATE parameter
This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must
apply this fix if you support SASL on your servers, or unload m_sasl.so
in the meantime.
2016-09-03 17:28:41 +00:00
Aaron Jones
4d5a902f08
strcpy: mass-migrate to strlcpy where appropriate 2016-05-15 03:57:16 +00:00
Mantas Mikulėnas
9d07a42d7a
m_sasl: rate-limit SASL REAUTH usage 2016-04-11 21:45:10 +03:00
Mantas Mikulėnas
834579cecd
m_sasl: fix coding style 2016-04-11 20:12:31 +03:00
Mantas Mikulėnas
37289346cd
m_sasl: temporarily reject clients after many failed attempts 2016-04-11 20:02:09 +03:00
Elizabeth Myers
3c7d6fcce7 Message handlers should return void.
Also fix up some return values and stuff to use bool (or void if
nothing). I just did it whilst I was here.

According to jilles, the return value used to signify whether or not the
client had exited. This was error-prone and was fixed a long, long time
ago, but the return value was left int for historical reasons.

Since the return type is not used (and has no clear use case anyway),
it's safe to just get rid of it.
2016-03-09 01:37:03 -06:00
Elizabeth Myers
eeabf33a7c Move module description headers to the top
This is cleaner.

Note this was broken out of a much larger piece of work I did, so if
there's any problems, I apologise!
2016-03-09 01:29:41 -06:00
Andrew Wilcox
3abc337fe1 modules: Add AV2 descriptions to all m_s* modules 2016-03-07 02:05:28 -06:00
Elizabeth Myers
105a4985b4 Migrate remaining modules to AV2
No descriptions yet. :(
2016-03-07 00:03:39 -06:00
Elizabeth Myers
cbeab4bc34 Remove $Id tags from everything.
These are obsolete and none have changed since 10 years gao...
2016-03-06 02:47:27 -06:00
William Pitcock
38ffccf8c3 cap: allow modules to return client-specific responses for capability inquiries 2016-03-05 18:56:36 -06:00
mniip
802710b59a Always send the certificate fingerprint when doing SASL because the services might need it for SOME REASON 2016-02-29 03:29:08 +03:00
William Pitcock
da3e5fcb42 sasl: implement support for distributing mechlists 2016-02-28 01:02:10 -06:00
William Pitcock
193d4db30c sasl: transfer ownership of 'sasl' capability to m_sasl module 2016-02-28 00:29:26 -06:00
William Pitcock
7baa37a9ef msg: remove last vestiges of the fakelag system. charybdis has never supported fakelag. 2016-02-19 16:43:39 -06:00
William Pitcock
428ca87b01 modules: chase MsgBuf API change 2016-02-10 20:54:17 -06:00
Mantas Mikulėnas
6fb9f21449 sasl: reformat the other messages consistently 2015-03-06 17:19:16 +02:00
Mantas Mikulėnas
1cae2411d7 sasl: adjust 'H' message following commit 7d33cce8ef 2015-03-06 17:18:54 +02:00
William Pitcock
125652041b cap-notify: implement cap-notify for sasl service (closes #84) 2015-03-01 00:58:40 -06:00
William Pitcock
c23902ae00 sasl: fix null deref on remote client exit 2015-03-01 00:01:24 -06:00
William Pitcock
51535fcbce sasl: allow reauth without sasl-reauth capability (since it's being dropped) 2015-02-28 00:48:43 -06:00
William Pitcock
dd28e3f2a4 Merge pull request #82 from grawity/sasl-send-conn-info
m_sasl: send information about the client connection
2015-02-18 12:29:57 -06:00
William Pitcock
c6bc97fdcd m_sasl: move some struct members around for sasl-reauth 2015-02-16 15:39:36 -06:00
William Pitcock
ef3ab8e3a5 cap: allow clients to do sasl reauth if they requested sasl and sasl-reauth (ref ircv3/ircv3#103). 2015-02-15 17:11:28 -06:00
Max Teufel
7d33cce8ef m_sasl: add configuration option for the nick of the SASL agent
This allows multiple improvements to m_sasl. With this change, the SASL
authentication gets aborted immediately when services are offline.
Additionally, we send the SASL ENCAP messages directly to the specified
SASL agent.
2015-02-14 20:31:25 +01:00