Commit graph

52 commits

Author SHA1 Message Date
Eric Mertens
82436efb60
hook_fn casts were hiding UB (#265) 2021-08-19 20:09:40 -07:00
Eric Mertens
e83449d5be
Stop announcing SASL cap changes on services split/join (#263) 2021-08-15 16:25:46 -07:00
Aaron Jones
8b7110d6ba modules/m_sasl.c: use IsSecure() instead of IsSSL()
Further to our implementation of the concept of "secure origins", we can
indicate to services that the client is connected securely, rather than
just that the client is using TLS. For example, connections from the
local host (from the IRCd's perspective) can be considered secure
against eavesdropping.

Allow this to factor into services' decision on whether to allow an SASL
negotiation or not. Atheme currently assumes this means the client is
using TLS, but I have changed that in atheme/atheme@412d50103c
2021-06-08 04:59:43 +00:00
Ed Kellett
738b5d291e Mint CLICAP_FLAGS_PRIORITY 2020-10-19 19:30:43 -04:00
Ariadne Conill
3792c63dc0 sasl: use mapi_cap_list_v2 correctly 2020-07-09 17:47:28 -06:00
Simon Arlott
40a766a0a0
m_sasl: Don't process authentication messages if SASL has been aborted, but track failures 2019-02-23 13:02:15 +00:00
Simon Arlott
d5d52a994d
m_nick/m_sasl/m_user: restore check for mixing of client and server protocol 2018-08-15 22:48:21 +01:00
Simon Arlott
15b05f95f0
m_sasl: check if the agent is present after every client_exit
When a server disconnects the client_exit hook will only be called once
but there could be multiple servers and clients behind that server.

After any client exits, check if the agent is still present.
2018-08-12 12:50:43 +01:00
Aaron Jones
6d8a8851df
modules/m_sasl.c: prevent abort_sasl() sending 906 twice 2018-04-06 20:07:08 +00:00
Aaron Jones
631c30890c
modules/m_sasl.c: command functions are void on this branch 2018-04-06 19:58:45 +00:00
Aaron Jones
280ce6a951
modules/m_sasl.c: abort session if we receive '*' as data
Otherwise we'd send the * on to services as actual data, which is likely
to fail to decode it (it's not valid Base-64) and reply with an SASL ...
D F which will result in us sending a 904 numeric instead of a 906.

cf. https://github.com/ircv3/ircv3-specifications/pull/298#issuecomment-271336287

Reported-By: James Wheare
2018-04-06 19:49:33 +00:00
Simon Arlott
0ee833da4a
m_sasl: indicate client connection type for SASL 2017-08-09 22:04:11 +01:00
Aaron Jones
23f5c31719
SASL: Relax rate limiting for failures a little
Begin at 8 seconds after 2 failures and up to ~4 minutes
2016-10-02 14:13:02 +00:00
Xenthys
46ef49c390
SASL: rate-limit after the 2nd failed attempt (m_sasl.c) 2016-10-02 03:57:11 +02:00
Aaron Jones
ac88154f94
SASL: Disallow beginning : and space anywhere in AUTHENTICATE parameter
This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must
apply this fix if you support SASL on your servers, or unload m_sasl.so
in the meantime.
2016-09-03 17:29:53 +00:00
Aaron Jones
4d5a902f08
strcpy: mass-migrate to strlcpy where appropriate 2016-05-15 03:57:16 +00:00
Mantas Mikulėnas
9d07a42d7a
m_sasl: rate-limit SASL REAUTH usage 2016-04-11 21:45:10 +03:00
Mantas Mikulėnas
834579cecd
m_sasl: fix coding style 2016-04-11 20:12:31 +03:00
Mantas Mikulėnas
37289346cd
m_sasl: temporarily reject clients after many failed attempts 2016-04-11 20:02:09 +03:00
Elizabeth Myers
3c7d6fcce7 Message handlers should return void.
Also fix up some return values and stuff to use bool (or void if
nothing). I just did it whilst I was here.

According to jilles, the return value used to signify whether or not the
client had exited. This was error-prone and was fixed a long, long time
ago, but the return value was left int for historical reasons.

Since the return type is not used (and has no clear use case anyway),
it's safe to just get rid of it.
2016-03-09 01:37:03 -06:00
Elizabeth Myers
eeabf33a7c Move module description headers to the top
This is cleaner.

Note this was broken out of a much larger piece of work I did, so if
there's any problems, I apologise!
2016-03-09 01:29:41 -06:00
Andrew Wilcox
3abc337fe1 modules: Add AV2 descriptions to all m_s* modules 2016-03-07 02:05:28 -06:00
Elizabeth Myers
105a4985b4 Migrate remaining modules to AV2
No descriptions yet. :(
2016-03-07 00:03:39 -06:00
Elizabeth Myers
cbeab4bc34 Remove $Id tags from everything.
These are obsolete and none have changed since 10 years ago...
2016-03-06 02:47:27 -06:00
William Pitcock
38ffccf8c3 cap: allow modules to return client-specific responses for capability inquiries 2016-03-05 18:56:36 -06:00
mniip
802710b59a Always send the certificate fingerprint when doing SASL because the services might need it for SOME REASON 2016-02-29 03:29:08 +03:00
William Pitcock
da3e5fcb42 sasl: implement support for distributing mechlists 2016-02-28 01:02:10 -06:00
William Pitcock
193d4db30c sasl: transfer ownership of 'sasl' capability to m_sasl module 2016-02-28 00:29:26 -06:00
William Pitcock
7baa37a9ef msg: remove last vestiges of the fakelag system. charybdis has never supported fakelag. 2016-02-19 16:43:39 -06:00
William Pitcock
428ca87b01 modules: chase MsgBuf API change 2016-02-10 20:54:17 -06:00
Mantas Mikulėnas
6fb9f21449 sasl: reformat the other messages consistently 2015-03-06 17:19:16 +02:00
Mantas Mikulėnas
1cae2411d7 sasl: adjust 'H' message following commit 7d33cce8ef 2015-03-06 17:18:54 +02:00
William Pitcock
125652041b cap-notify: implement cap-notify for sasl service (closes #84) 2015-03-01 00:58:40 -06:00
William Pitcock
c23902ae00 sasl: fix null deref on remote client exit 2015-03-01 00:01:24 -06:00
William Pitcock
51535fcbce sasl: allow reauth without sasl-reauth capability (since it's being dropped) 2015-02-28 00:48:43 -06:00
William Pitcock
dd28e3f2a4 Merge pull request #82 from grawity/sasl-send-conn-info
m_sasl: send information about the client connection
2015-02-18 12:29:57 -06:00
William Pitcock
c6bc97fdcd m_sasl: move some struct members around for sasl-reauth 2015-02-16 15:39:36 -06:00
William Pitcock
ef3ab8e3a5 cap: allow clients to do sasl reauth if they requested sasl and sasl-reauth (ref ircv3/ircv3#103). 2015-02-15 17:11:28 -06:00
Max Teufel
7d33cce8ef m_sasl: add configuration option for the nick of the SASL agent
This allows multiple improvements to m_sasl. With this change, the SASL
authentication gets aborted immediately when services are offline.
Additionally, we send the SASL ENCAP messages directly to the specified
SASL agent.
2015-02-14 20:31:25 +01:00
Mantas Mikulėnas
a3fa9d81a2 m_sasl: send information about the client connection 2015-02-13 22:38:24 +02:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
Mantas Mikulėnas
dbd8ca2bf6 sasl: send RPL_SASLMECHS 2014-01-12 00:29:32 +02:00
Jilles Tjoelker
572488e029 If the sasl mechanism is EXTERNAL, send the certfp in the initial S message. 2011-04-04 00:59:20 +02:00
Jilles Tjoelker
f62f94b094 Back out AUTHENTICATE EXTERNAL so I can do it differently.
The current approach is fundamentally broken as it allows
anyone in that knows the certfp and uses an old ircd as
their server.
2011-04-04 00:44:07 +02:00
Jilles Tjoelker
1b19fe8b5e Revert "sasl: remove checks for impossible conditions".
This check is not impossible and can be triggered by
sending a PASS command like a server would send first.

This backs out changeset 8cba4464feec.
2011-03-31 23:26:26 +02:00
William Pitcock
27126f911d sasl: first attempt at ircv3.1 AUTHENTICATE EXTERNAL support 2011-03-31 00:35:58 -05:00
William Pitcock
d8c45202e3 sasl: remove checks for impossible conditions 2011-03-31 00:18:32 -05:00
Valery Yatsko
f427c8b00d strlcpy -> rb_strlcpy 2008-04-20 08:40:40 +04:00
Valery Yatsko
47adde3def s_stats.c removed, now we use new style of stats handling. 2008-04-04 19:54:37 +04:00
Valery Yatsko
54ac8b60a1 Reverting some changes related not to moving on libratbox3 but using ratbox3 source! 2008-04-02 19:37:50 +04:00