saslserv/main: Track EID we're pending login to
The existing model does not remember that we've sent a SVSLOGIN for a
given SASL session, and simply assumes that if a client is introduced
with a SASL session open, that session must have succeeded. The security
of this approach requires ircd to implicitly abort SASL sessions on
client registration.

This also means that if a client successfully authenticates and then
does something else, its pending login is forgotten about, even though a
SVSLOGIN has been sent for it, and the ircd is going to think it's
logged in.

This change removes the dependency on ircd's state machine by keeping
explicit track of the pending login, i.e. the one we've most recently
sent a SVSLOGIN for. The next commit will ensure that a client abort
(even an implicit one) doesn't blow that information away.
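To make the failure mode in the message concrete, here is a small constructed model of the two bookkeeping strategies (added example, not atheme's code). The field names `authzeid` and `pendingeid` mirror the struct in the diff, but the functions, the `svslogin_sent` flag standing in for the ircd's view, and the scenario are hypothetical. The old model keeps only `authzeid`, which mechanism teardown wipes; the new model also records the EID in `pendingeid`, which the next commit is meant to preserve across an abort.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IDLEN 9  /* assumption: length of an entity ID in this model */

/* Constructed model of a SASL session. Not atheme's struct: only the two
 * EID fields correspond to the real code; svslogin_sent models what the
 * ircd believes after services have emitted SVSLOGIN. */
struct model_session {
    char authzeid[IDLEN + 1];   /* EID from the live mechanism exchange */
    char pendingeid[IDLEN + 1]; /* EID we most recently sent SVSLOGIN for */
    bool svslogin_sent;         /* ircd has been told to log the client in */
};

/* Mechanism completes: services emit SVSLOGIN for eid. The new model also
 * snapshots the EID into pendingeid, as the hunk in sasl_process_packet does. */
static void model_login_success(struct model_session *s, const char *eid)
{
    snprintf(s->authzeid, sizeof s->authzeid, "%s", eid);
    snprintf(s->pendingeid, sizeof s->pendingeid, "%s", s->authzeid);
    s->svslogin_sent = true;
}

/* The client "does something else" before introduction (e.g. an abort).
 * Mechanism state is torn down. With keep_pending the snapshot survives,
 * which is the behaviour the commit message promises for the next commit. */
static void model_abort(struct model_session *s, bool keep_pending)
{
    memset(s->authzeid, 0, sizeof s->authzeid);
    if (!keep_pending)
        memset(s->pendingeid, 0, sizeof s->pendingeid);
}

/* Client is introduced to the network. Returns the EID services will log
 * the user into, or NULL (the "(BUG)" branch in sasl_handle_login). */
static const char *model_handle_login_old(const struct model_session *s)
{
    return *s->authzeid ? s->authzeid : NULL;
}

static const char *model_handle_login_new(const struct model_session *s)
{
    return *s->pendingeid ? s->pendingeid : NULL;
}

/* Runs the scenario from the commit message: authenticate, abort, then get
 * introduced. Returns true when services' decision agrees with the ircd's
 * view (a SVSLOGIN was sent, so a login must be applied). */
static bool model_consistent(bool track_pending)
{
    struct model_session s = {0};
    model_login_success(&s, "AAAAAAAAB");   /* constructed EID */
    model_abort(&s, track_pending);
    const char *eid = track_pending ? model_handle_login_new(&s)
                                    : model_handle_login_old(&s);
    return (eid != NULL) == s.svslogin_sent;
}

int main(void)
{
    printf("old model consistent after abort: %s\n",
           model_consistent(false) ? "yes" : "no");
    printf("new model consistent after abort: %s\n",
           model_consistent(true) ? "yes" : "no");
    return 0;
}
```

The old model reports an inconsistency: the ircd has acted on SVSLOGIN while services have no record of whom to log in, which is exactly the desync the message describes. The value of the explicit field is that it decouples services' answer at introduction time from whatever the mechanism state looks like by then.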
edk0 committed Oct 17, 2021
1 parent 19bcc5c commit 4e664c7
Showing 2 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions include/atheme/sasl.h
@@ -62,6 +62,7 @@ struct sasl_session
char authzid[NICKLEN + 1]; // Authorization identity (user being logged in)
char authceid[IDLEN + 1]; // Entity ID for authcid
char authzeid[IDLEN + 1]; // Entity ID for authzid
char pendingeid[IDLEN + 1]; // Entity ID for pending login (for pre-reg clients)
char uid[UIDLEN + 1]; // Network UID
};
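Review bot: the comment on the new field, "Entity ID for pending login (for pre-reg clients)", understates its role. In the accompanying main.c change the field is written unconditionally in sasl_process_packet and read by sasl_handle_login whenever no myuser is supplied, so it is not specific to pre-registration clients; the commit message's own definition, the EID we most recently sent SVSLOGIN for, would be the more accurate comment. The size matches authzeid (IDLEN + 1), so the mowgli_strlcpy from authzeid cannot truncate.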

8 changes: 5 additions & 3 deletions modules/saslserv/main.c
@@ -385,15 +385,15 @@ sasl_handle_login(struct sasl_session *const restrict p, struct user *const u, s
// Find the account if necessary
if (! mu)
{
if (! *p->authzeid)
if (! *p->pendingeid)
{
(void) slog(LG_INFO, "%s: session for '%s' without an authzeid (BUG)",
(void) slog(LG_INFO, "%s: session for '%s' without an pendingeid (BUG)",
MOWGLI_FUNC_NAME, u->nick);
(void) notice(saslsvs->nick, u->nick, LOGIN_CANCELLED_STR);
return false;
}

if (! (mu = myuser_find_uid(p->authzeid)))
if (! (mu = myuser_find_uid(p->pendingeid)))
{
if (*p->authzid)
(void) notice(saslsvs->nick, u->nick, "Account %s dropped; login cancelled",
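Review bot: the new log string reads "without an pendingeid (BUG)"; the article should be "a" ("session for '%s' without a pendingeid (BUG)"). Separately, this path now treats an empty pendingeid at introduction as a bug, which only holds once the follow-up commit stops a client abort from clearing the field; between this commit and that one, a client that authenticates, aborts, and is then introduced would log this BUG line and get LOGIN_CANCELLED_STR while the ircd has already processed SVSLOGIN. Worth noting in the log message or the commit message that the two changes are meant to land together.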
@@ -638,6 +638,8 @@ sasl_process_packet(struct sasl_session *const restrict p, char *const restrict
return false;
}

(void) mowgli_strlcpy(p->pendingeid, p->authzeid, sizeof p->pendingeid);

/* If the user is already on the network, attempt to log them in immediately.
* Otherwise, we will log them in on introduction of user to network
*/
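Review bot: the commit message defines pendingeid as the EID we most recently sent a SVSLOGIN for, but the copy `(void) mowgli_strlcpy(p->pendingeid, p->authzeid, sizeof p->pendingeid);` sits before the comment that chooses between logging the user in immediately and deferring to introduction, and no SVSLOGIN emission is visible in this context. A one-line comment above the strlcpy stating that the SVSLOGIN for authzeid is sent from this point (or moving the assignment next to the call that sends it) would let a reader verify the invariant instead of inferring it from the commit message.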
