View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001482 | Anope Development (1.9.x series) | Other | public | 2013-02-16 09:32 | 2013-02-19 06:22 |
Reporter | nenolod | Assigned To | DukePyrolator | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 1.9.x-GIT | ||||
Summary | 0001482: SASL support should authfail if the requested mechanism isn't implemented | ||||
Description | Requesting mechanisms like DH-BLOWFISH or ECDSA-NIST256P-CHALLENGE which are unsupported presently in Anope are instead interpreted to be the same as PLAIN. They should, instead, authfail so that the client may properly fall back to PLAIN. | ||||
Tags | No tags attached. | ||||

fixed in https://github.com/anope/anope/commit/d0e1f3b66a9bbee91bade0b57c3335908704c2e5

hello, i typoed the patch, and it worked simply as a side effect of most SASL stacks not understanding the input given back by services. the "C F" should be changed to "D F" to indicate "done" verb instead of "continue" verb. this will trigger a server-side abort instead of client-side abort.

thanks for reporting :) fixed in https://github.com/anope/anope/commit/bcf99d599862d8a7a6741b5f805c593fe7bf4aea0

Attached patch adds a check to ensure that the requested mechanism is PLAIN and fails the authentication request if it is not.

anope-sasl-authfail.patch (1,710 bytes)
diff --git a/modules/protocol/inspircd20.cpp b/modules/protocol/inspircd20.cpp index 32e1a76..99f40f0 100644 --- a/modules/protocol/inspircd20.cpp +++ b/modules/protocol/inspircd20.cpp @@ -568,7 +568,13 @@ struct IRCDMessageEncap : IRCDMessage base64(account\0account\0pass) */ if (params[4] == "S") - UplinkSocket::Message(Me) << "ENCAP " << params[2].substr(0, 3) << " SASL " << Me->GetSID() << " " << params[2] << " C +"; + { + /* we only support SASL PLAIN. check for it and authfail if PLAIN is not requested */ + if (params[5] == "PLAIN") + UplinkSocket::Message(Me) << "ENCAP " << params[2].substr(0, 3) << " SASL " << Me->GetSID() << " " << params[2] << " C +"; + else + UplinkSocket::Message(Me) << "ENCAP " << params[2].substr(0, 3) << " SASL " << Me->GetSID() << " " << params[2] << " C F"; + } else if (params[4] == "C") { Anope::string decoded; diff --git a/modules/protocol/unreal.cpp b/modules/protocol/unreal.cpp index 2f5e757..d91861e 100644 --- a/modules/protocol/unreal.cpp +++ b/modules/protocol/unreal.cpp @@ -893,7 +893,13 @@ struct IRCDMessageSASL : IRCDMessage return; if (params[2] == "S") - UplinkSocket::Message() << "SASL " << params[1].substr(0, p) << " " << params[1] << " C +"; + { + /* we only support SASL PLAIN. check for it and authfail if PLAIN is not requested */ + if (params[3] == "PLAIN") + UplinkSocket::Message() << "SASL " << params[1].substr(0, p) << " " << params[1] << " C +"; + else + UplinkSocket::Message() << "SASL " << params[1].substr(0, p) << " " << params[1] << " C F"; + } else if (params[2] == "C") { Anope::string decoded; |
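
Review bot: In modules/protocol/inspircd20.cpp, the else branch rejects an unsupported mechanism with " C F", which carries the same C verb as the " C +" continue reply in the branch above it, so the failure goes out as a continuation rather than a final result. The reporter's follow-up note on this issue says the reply should be " D F" (the "done" verb) so that the abort is triggered server-side instead of depending on the client failing to parse the response. Change the verb in the else branch to D.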
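
Review bot: In modules/protocol/unreal.cpp, the new condition reads params[3] as soon as params[2] == "S", and nothing in the visible context shows that a fourth parameter is guaranteed. Confirm that the check ending in the return; just above the hunk covers params.size() > 3, or add that condition to the if, so that an S message without a mechanism name takes the failure branch instead of indexing past the end. The else branch here also sends " C F"; per the follow-up note on this issue, the failure reply should use the D verb.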
Date Modified | Username | Field | Change |
---|---|---|---|
2013-02-16 09:32 | nenolod | New Issue | |
2013-02-16 23:42 | nenolod | File Added: anope-sasl-authfail.patch | |
2013-02-16 23:43 | nenolod | Note Added: 0006378 | |
2013-02-17 13:27 | DukePyrolator | Assigned To | => DukePyrolator |
2013-02-17 13:27 | DukePyrolator | Status | new => assigned |
2013-02-17 13:30 | DukePyrolator | Note Added: 0006379 | |
2013-02-17 13:30 | DukePyrolator | Status | assigned => resolved |
2013-02-17 13:30 | DukePyrolator | Fixed in Version | => 1.9.x-GIT |
2013-02-17 13:30 | DukePyrolator | Resolution | open => fixed |
2013-02-18 02:29 | nenolod | Note Added: 0006383 | |
2013-02-18 02:29 | nenolod | Status | resolved => feedback |
2013-02-18 02:29 | nenolod | Resolution | fixed => reopened |
2013-02-19 06:22 | DukePyrolator | Note Added: 0006384 | |
2013-02-19 06:22 | DukePyrolator | Status | feedback => resolved |
2013-02-19 06:22 | DukePyrolator | Resolution | reopened => fixed |