Merge pull request #717 from slingamn/issue716

fix #716
2024-11-10 22:19:31 +01:00 · 2019-12-25 21:11:53 -05:00 · 2019-12-25 21:11:53 -05:00 · 68e3b74b79
commit 68e3b74b79
parent 5cb4a8fc42 33c8b2177e
4 changed files with 28 additions and 8 deletions
--- a/irc/accounts.go
+++ b/irc/accounts.go
@ -972,7 +972,7 @@ func (am *AccountManager) ChannelsForAccount(account string) (channels []string)
 	return unmarshalRegisteredChannels(channelStr)
 }

-func (am *AccountManager) AuthenticateByCertFP(client *Client) error {
+func (am *AccountManager) AuthenticateByCertFP(client *Client, authzid string) error {
 	if client.certfp == "" {
 		return errAccountInvalidCredentials
 	}
@ -992,6 +992,10 @@ func (am *AccountManager) AuthenticateByCertFP(client *Client) error {
 		return err
 	}

+	if authzid != "" && authzid != account {
+		return errAuthzidAuthcidMismatch
+	}
+
 	// ok, we found an account corresponding to their certificate
 	clientAccount, err := am.LoadAccount(account)
 	if err != nil {
--- a/irc/errors.go
+++ b/irc/errors.go
@ -27,6 +27,7 @@ var (
 	errAccountVerificationInvalidCode = errors.New("Invalid account verification code")
 	errAccountUpdateFailed            = errors.New(`Error while updating your account information`)
 	errAccountMustHoldNick            = errors.New(`You must hold that nickname in order to register it`)
+	errAuthzidAuthcidMismatch         = errors.New(`authcid and authzid must be the same`)
 	errCallbackFailed                 = errors.New("Account verification could not be sent")
 	errCertfpAlreadyExists            = errors.New(`An account already exists for your certificate fingerprint`)
 	errChannelNotOwnedByAccount       = errors.New("Channel not owned by the specified account")
--- a/irc/handlers.go
+++ b/irc/handlers.go
@ -446,13 +446,14 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
 }

 func authErrorToMessage(server *Server, err error) (msg string) {
-	if err == errAccountDoesNotExist || err == errAccountUnverified || err == errAccountInvalidCredentials {
-		msg = err.Error()
-	} else {
+	switch err {
+	case errAccountDoesNotExist, errAccountUnverified, errAccountInvalidCredentials, errAuthzidAuthcidMismatch:
+		return err.Error()
+	default:
+		// don't expose arbitrary error messages to the user
 		server.logger.Error("internal", "sasl authentication failure", err.Error())
-		msg = "Unknown"
+		return "Unknown"
 	}
-	return
 }

 // AUTHENTICATE EXTERNAL
@ -462,7 +463,21 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
 		return false
 	}

-	err := server.accounts.AuthenticateByCertFP(client)
+	// EXTERNAL doesn't carry an authentication ID (this is determined from the
+	// certificate), but does carry an optional authorization ID.
+	var authzid string
+	var err error
+	if len(value) != 0 {
+		authzid, err = CasefoldName(string(value))
+		if err != nil {
+			err = errAuthzidAuthcidMismatch
+		}
+	}
+
+	if err == nil {
+		err = server.accounts.AuthenticateByCertFP(client, authzid)
+	}
+
 	if err != nil {
 		msg := authErrorToMessage(server, err)
 		rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg)))
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@ -536,7 +536,7 @@ func nsIdentifyHandler(server *Server, client *Client, command string, params []

 	// try certfp
 	if !loginSuccessful && client.certfp != "" {
-		err := server.accounts.AuthenticateByCertFP(client)
+		err := server.accounts.AuthenticateByCertFP(client, "")
 		loginSuccessful = (err == nil)
 	}