From: Peter Powell
Date: Mon, 6 Nov 2017 11:11:22 +0000 (+0000)
Subject: Merge pull request #1359 from genius3000/insp20+sasl_no_server
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;h=9375c633371ee8d25adc5cf756590077e5100bb5;hp=52de083afcd1608f030551f532bdcdb1f45f1513;p=user%2Fhenk%2Fcode%2Finspircd.git
Merge pull request #1359 from genius3000/insp20+sasl_no_server
2.0: Inform the client when a SASL message cannot be sent
---
diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index 34e25b1e2..d2dad8af5 100644
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1591,6 +1591,13 @@
 # Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded
 # for SASL to work.
 #
+# Define the following to your services server name to improve security
+# by ensuring the SASL messages are only sent to the services server
+# and not to all connected servers. This prevents a rogue server from
+# capturing SASL messages. Having this defined can also improve client
+# connections when your services are down, as the client will be told
+# that SASL failed rather than just timing out on registration.
+#
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # Secure list module: Prevent /LIST in the first minute of connection,
diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
index 0ef93ec5a..7108e0c07 100644
--- a/src/modules/m_sasl.cpp
+++ b/src/modules/m_sasl.cpp
@@ -35,6 +35,10 @@ static void SendSASL(const parameterlist& params)
 {
 if (!ServerInstance->PI->SendEncapsulatedData(params))
 {
+ User* u = ServerInstance->FindUUID(params[2]);
+ if (u)
+ u->WriteNumeric(904, "%s :SASL authentication failed", u->nick.c_str());
+
 SASLFallback(NULL, params);
 }
 }
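Review bot: In the m_sasl.cpp hunk, the added `FindUUID(params[2])` call indexes the list without checking that it holds three elements, so a shorter `parameterlist` would be read past its end. SendSASL's callers are outside this hunk and may always build at least three entries, but a guard such as `if (params.size() > 2)` around the lookup keeps this failure path safe on its own. A short comment, `// params[2] is expected to be the UUID of the authenticating client`, would explain the index, once that layout is confirmed against the callers. The 904 is also written before `SASLFallback(NULL, params)` runs; if a fallback handler can still complete the exchange, the client would see a failure followed by a success, so the ordering is worth confirming.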