Merge pull request #1359 from genius3000/insp20+sasl_no_server

2.0: Inform the client when a SASL message cannot be sent

diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index 34e25b1e271e47408da2ff1a6e346947bed49669..d2dad8af56c9f962c37d60443ba433a825bd8905 100644 (file)
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1591,6 +1591,13 @@
 # Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded
 # for SASL to work.
 #<module name="m_sasl.so">
+# Define the following to your services server name to improve security
+# by ensuring the SASL messages are only sent to the services server
+# and not to all connected servers. This prevents a rogue server from
+# capturing SASL messages. Having this defined can also improve client
+# connections when your services are down, as the client will be told
+# that SASL failed rather than just timing out on registration.
+#<sasl target="services.mynetwork.com">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # Secure list module: Prevent /LIST in the first minute of connection,

diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 0ef93ec5ae66476923dfe7eaded192dba54711df..7108e0c07e84f285788eb10e36dff885bd75e75b 100644 (file)
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -35,6 +35,10 @@ static void SendSASL(const parameterlist& params)
 {
        if (!ServerInstance->PI->SendEncapsulatedData(params))
        {
+               User* u = ServerInstance->FindUUID(params[2]);
+               if (u)
+                       u->WriteNumeric(904, "%s :SASL authentication failed", u->nick.c_str());
+
                SASLFallback(NULL, params);
        }
 }