Commit graph

52 commits

Author SHA1 Message Date
Eric Mertens 82436efb60
hook_fn casts were hiding UB (#265) 2021-08-19 20:09:40 -07:00
Eric Mertens e83449d5be
Stop announcing SASL cap changes on services split/join (#263) 2021-08-15 16:25:46 -07:00
Aaron Jones 8b7110d6ba modules/m_sasl.c: use IsSecure() instead of IsSSL()
Further to our implementation of the concept of "secure origins", we can
indicate to services that the client is connected securely, rather than
just that the client is using TLS. For example, connections from the
local host (from the IRCd's perspective) can be considered secure
against eavesdropping.

Allow this to factor into services' decision on whether to allow an SASL
negotiation or not. Atheme currently assumes this means the client is
using TLS, but I have changed that in atheme/atheme@412d50103c
2021-06-08 04:59:43 +00:00
Ed Kellett 738b5d291e Mint CLICAP_FLAGS_PRIORITY 2020-10-19 19:30:43 -04:00
Ariadne Conill 3792c63dc0 sasl: use mapi_cap_list_v2 correctly 2020-07-09 17:47:28 -06:00
Simon Arlott 40a766a0a0
m_sasl: Don't process authentication messages if SASL has been aborted, but track failures 2019-02-23 13:02:15 +00:00
Simon Arlott d5d52a994d
m_nick/m_sasl/m_user: restore check for mixing of client and server protocol 2018-08-15 22:48:21 +01:00
Simon Arlott 15b05f95f0
m_sasl: check if the agent is present after every client_exit
When a server disconnects the client_exit hook will only be called once
but there could be multiple servers and clients behind that server.

After any client exits, check if the agent is still present.
2018-08-12 12:50:43 +01:00
Aaron Jones 6d8a8851df
modules/m_sasl.c: prevent abort_sasl() sending 906 twice 2018-04-06 20:07:08 +00:00
Aaron Jones 631c30890c
modules/m_sasl.c: command functions are void on this branch 2018-04-06 19:58:45 +00:00
Aaron Jones 280ce6a951
modules/m_sasl.c: abort session if we receive '*' as data
Otherwise we'd send the * on to services as actual data, which is likely
to fail to decode it (it's not valid Base-64) and reply with an SASL ...
D F which will result in us sending a 904 numeric instead of a 906.

cf. https://github.com/ircv3/ircv3-specifications/pull/298#issuecomment-271336287

Reported-By: James Wheare
2018-04-06 19:49:33 +00:00
Simon Arlott 0ee833da4a
m_sasl: indicate client connection type for SASL 2017-08-09 22:04:11 +01:00
Aaron Jones 23f5c31719
SASL: Relax rate limiting for failures a little
Begin at 8 seconds after 2 failures and up to ~4 minutes
2016-10-02 14:13:02 +00:00
Xenthys 46ef49c390
SASL: rate-limit after the 2nd failed attempt (m_sasl.c) 2016-10-02 03:57:11 +02:00
Aaron Jones ac88154f94
SASL: Disallow beginning : and space anywhere in AUTHENTICATE parameter
This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must
apply this fix if you support SASL on your servers, or unload m_sasl.so
in the meantime.
2016-09-03 17:29:53 +00:00
Aaron Jones 4d5a902f08
strcpy: mass-migrate to strlcpy where appropriate 2016-05-15 03:57:16 +00:00
Mantas Mikulėnas 9d07a42d7a
m_sasl: rate-limit SASL REAUTH usage 2016-04-11 21:45:10 +03:00
Mantas Mikulėnas 834579cecd
m_sasl: fix coding style 2016-04-11 20:12:31 +03:00
Mantas Mikulėnas 37289346cd
m_sasl: temporarily reject clients after many failed attempts 2016-04-11 20:02:09 +03:00
Elizabeth Myers 3c7d6fcce7 Message handlers should return void.
Also fix up some return values and stuff to use bool (or void if
nothing). I just did it whilst I was here.

According to jilles, the return value used to signify whether or not the
client had exited. This was error-prone and was fixed a long, long time
ago, but the return value was left int for historical reasons.

Since the return type is not used (and has no clear use case anyway),
it's safe to just get rid of it.
2016-03-09 01:37:03 -06:00
Elizabeth Myers eeabf33a7c Move module description headers to the top
This is cleaner.

Note this was broken out of a much larger piece of work I did, so if
there's any problems, I apologise!
2016-03-09 01:29:41 -06:00
Andrew Wilcox 3abc337fe1 modules: Add AV2 descriptions to all m_s* modules 2016-03-07 02:05:28 -06:00
Elizabeth Myers 105a4985b4 Migrate remaining modules to AV2
No descriptions yet. :(
2016-03-07 00:03:39 -06:00
Elizabeth Myers cbeab4bc34 Remove $Id tags from everything.
These are obsolete and none have changed since 10 years ago...
2016-03-06 02:47:27 -06:00
William Pitcock 38ffccf8c3 cap: allow modules to return client-specific responses for capability inquiries 2016-03-05 18:56:36 -06:00
mniip 802710b59a Always send the certificate fingerprint when doing SASL because the services might need it for SOME REASON 2016-02-29 03:29:08 +03:00
William Pitcock da3e5fcb42 sasl: implement support for distributing mechlists 2016-02-28 01:02:10 -06:00
William Pitcock 193d4db30c sasl: transfer ownership of 'sasl' capability to m_sasl module 2016-02-28 00:29:26 -06:00
William Pitcock 7baa37a9ef msg: remove last vestiges of the fakelag system. charybdis has never supported fakelag. 2016-02-19 16:43:39 -06:00
William Pitcock 428ca87b01 modules: chase MsgBuf API change 2016-02-10 20:54:17 -06:00
Mantas Mikulėnas 6fb9f21449 sasl: reformat the other messages consistently 2015-03-06 17:19:16 +02:00
Mantas Mikulėnas 1cae2411d7 sasl: adjust 'H' message following commit 7d33cce8ef 2015-03-06 17:18:54 +02:00
William Pitcock 125652041b cap-notify: implement cap-notify for sasl service (closes #84) 2015-03-01 00:58:40 -06:00
William Pitcock c23902ae00 sasl: fix null deref on remote client exit 2015-03-01 00:01:24 -06:00
William Pitcock 51535fcbce sasl: allow reauth without sasl-reauth capability (since it's being dropped) 2015-02-28 00:48:43 -06:00
William Pitcock dd28e3f2a4 Merge pull request #82 from grawity/sasl-send-conn-info
m_sasl: send information about the client connection
2015-02-18 12:29:57 -06:00
William Pitcock c6bc97fdcd m_sasl: move some struct members around for sasl-reauth 2015-02-16 15:39:36 -06:00
William Pitcock ef3ab8e3a5 cap: allow clients to do sasl reauth if they requested sasl and sasl-reauth (ref ircv3/ircv3#103). 2015-02-15 17:11:28 -06:00
Max Teufel 7d33cce8ef m_sasl: add configuration option for the nick of the SASL agent
This allows multiple improvements to m_sasl. With this change, the SASL
authentication gets aborted immediately when services are offline.
Additionally, we send the SASL ENCAP messages directly to the specified
SASL agent.
2015-02-14 20:31:25 +01:00
Mantas Mikulėnas a3fa9d81a2 m_sasl: send information about the client connection 2015-02-13 22:38:24 +02:00
Keith Buck 55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
Mantas Mikulėnas dbd8ca2bf6 sasl: send RPL_SASLMECHS 2014-01-12 00:29:32 +02:00
Jilles Tjoelker 572488e029 If the sasl mechanism is EXTERNAL, send the certfp in the initial S message. 2011-04-04 00:59:20 +02:00
Jilles Tjoelker f62f94b094 Back out AUTHENTICATE EXTERNAL so I can do it differently.
The current approach is fundamentally broken as it allows
anyone in that knows the certfp and uses an old ircd as
their server.
2011-04-04 00:44:07 +02:00
Jilles Tjoelker 1b19fe8b5e Revert "sasl: remove checks for impossible conditions".
This check is not impossible and can be triggered by
sending a PASS command like a server would send first.

This backs out changeset 8cba4464feec.
2011-03-31 23:26:26 +02:00
William Pitcock 27126f911d sasl: first attempt at ircv3.1 AUTHENTICATE EXTERNAL support 2011-03-31 00:35:58 -05:00
William Pitcock d8c45202e3 sasl: remove checks for impossible conditions 2011-03-31 00:18:32 -05:00
Valery Yatsko f427c8b00d strlcpy -> rb_strlcpy 2008-04-20 08:40:40 +04:00
Valery Yatsko 47adde3def s_stats.c removed, now we use new style of stats handling. 2008-04-04 19:54:37 +04:00
Valery Yatsko 54ac8b60a1 Reverting some changed related not to moving on libratbox3 but using ratbox3 source! 2008-04-02 19:37:50 +04:00