Merge pull request #514 from LemonBoy/sasl_fail

Add an option to stop the connection when SASL fails.

src/fe-common/irc/fe-sasl.c

@@ -23,6 +23,9 @@
 #include "signals.h"
 #include "levels.h"
 
+#include "irc-servers.h"
+#include "settings.h"
+
 #include "printtext.h"
 
 static void sig_sasl_success(IRC_SERVER_REC *server)
@@ -35,14 +38,35 @@ static void sig_sasl_failure(IRC_SERVER_REC *server, const char *reason)
 	printformat(server, NULL, MSGLEVEL_CRAP, IRCTXT_SASL_ERROR, reason);
 }
 
+static void sig_cap_end(IRC_SERVER_REC *server)
+{
+	/* The negotiation has now been terminated, if we didn't manage to
+	 * authenticate successfully with the server just disconnect. */
+	if (!server->sasl_success &&
+	    settings_get_bool("sasl_disconnect_on_failure")) {
+		/* We can't use server_disconnect() here because we'd end up
+		 * freeing the 'server' object and be guilty of a slew of UaF. */
+		server->connection_lost = TRUE;
+		/* By setting connection_lost we make sure the communication is
+		 * halted and when the control goes back to irc_parse_incoming
+		 * the server object is safely destroyed. */
+		signal_stop();
+	}
+
+}
+
 void fe_sasl_init(void)
 {
+	settings_add_bool("server", "sasl_disconnect_on_failure", TRUE);
+
 	signal_add("server sasl success", (SIGNAL_FUNC) sig_sasl_success);
 	signal_add("server sasl failure", (SIGNAL_FUNC) sig_sasl_failure);
+	signal_add_first("server cap end", (SIGNAL_FUNC) sig_cap_end);
 }
 
 void fe_sasl_deinit(void)
 {
 	signal_remove("server sasl success", (SIGNAL_FUNC) sig_sasl_success);
 	signal_remove("server sasl failure", (SIGNAL_FUNC) sig_sasl_failure);
+	signal_remove("server cap end", (SIGNAL_FUNC) sig_cap_end);
 }

src/irc/core/irc-servers.h

@@ -68,6 +68,7 @@ struct _IRC_SERVER_REC {
 	unsigned int motd_got:1; /* We've received MOTD */
 	unsigned int isupport_sent:1; /* Server has sent us an isupport reply */
 	unsigned int cap_complete:1; /* We've done the initial CAP negotiation */
+	unsigned int sasl_success:1; /* Did we authenticate successfully ? */
 
 	int max_kicks_in_cmd; /* max. number of people to kick with one /KICK command */
 	int max_modes_in_cmd; /* max. number of mode changes in one /MODE command */

src/irc/core/sasl.c

@@ -48,6 +48,7 @@ static gboolean sasl_timeout(IRC_SERVER_REC *server)
 	cap_finish_negotiation(server);
 
 	server->sasl_timeout = 0;
+	server->sasl_success = FALSE;
 
 	signal_emit("server sasl failure", 2, server, "The authentication timed out");
 
@@ -84,6 +85,8 @@ static void sasl_fail(IRC_SERVER_REC *server, const char *data, const char *from
 
 	params = event_get_params(data, 2, NULL, &error);
 
+	server->sasl_success = FALSE;
+
 	signal_emit("server sasl failure", 2, server, error);
 
 	/* Terminate the negotiation */
@@ -99,6 +102,8 @@ static void sasl_already(IRC_SERVER_REC *server, const char *data, const char *f
 		server->sasl_timeout = 0;
 	}
 
+	server->sasl_success = TRUE;
+
 	signal_emit("server sasl success", 1, server);
 
 	/* We're already authenticated, do nothing */
@@ -112,6 +117,8 @@ static void sasl_success(IRC_SERVER_REC *server, const char *data, const char *f
 		server->sasl_timeout = 0;
 	}
 
+	server->sasl_success = TRUE;
+
 	signal_emit("server sasl success", 1, server);
 
 	/* The authentication succeeded, time to finish the CAP negotiation */

src/perl/irc/Irc.xs

@@ -32,6 +32,7 @@ static void perl_irc_server_fill_hash(HV *hv, IRC_SERVER_REC *server)
 	(void) hv_store(hv, "isupport_sent", 13, newSViv(server->isupport_sent), 0);
 
 	(void) hv_store(hv, "cap_complete", 12, newSViv(server->cap_complete), 0);
+	(void) hv_store(hv, "sasl_success", 12, newSViv(server->sasl_success), 0);
 
 	av = newAV();
 	for (tmp = server->cap_supported; tmp != NULL; tmp = tmp->next)