|
@@ -446,13 +446,14 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
|
446
|
446
|
}
|
447
|
447
|
|
448
|
448
|
func authErrorToMessage(server *Server, err error) (msg string) {
|
449
|
|
- if err == errAccountDoesNotExist || err == errAccountUnverified || err == errAccountInvalidCredentials {
|
450
|
|
- msg = err.Error()
|
451
|
|
- } else {
|
|
449
|
+ switch err {
|
|
450
|
+ case errAccountDoesNotExist, errAccountUnverified, errAccountInvalidCredentials, errAuthzidAuthcidMismatch:
|
|
451
|
+ return err.Error()
|
|
452
|
+ default:
|
|
453
|
+ // don't expose arbitrary error messages to the user
|
452
|
454
|
server.logger.Error("internal", "sasl authentication failure", err.Error())
|
453
|
|
- msg = "Unknown"
|
|
455
|
+ return "Unknown"
|
454
|
456
|
}
|
455
|
|
- return
|
456
|
457
|
}
|
457
|
458
|
|
458
|
459
|
// AUTHENTICATE EXTERNAL
|
|
@@ -462,24 +463,27 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
|
462
|
463
|
return false
|
463
|
464
|
}
|
464
|
465
|
|
465
|
|
- err := server.accounts.AuthenticateByCertFP(client)
|
466
|
|
- if err != nil {
|
467
|
|
- msg := authErrorToMessage(server, err)
|
468
|
|
- rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg)))
|
469
|
|
- return false
|
470
|
|
- }
|
471
|
|
-
|
472
|
466
|
// EXTERNAL doesn't carry an authentication ID (this is determined from the
|
473
|
467
|
// certificate), but does carry an optional authorization ID.
|
|
468
|
+ var authzid string
|
|
469
|
+ var err error
|
474
|
470
|
if len(value) != 0 {
|
475
|
|
- authcid := client.Account()
|
476
|
|
- cfAuthzid, err := CasefoldName(string(value))
|
477
|
|
- if err != nil || cfAuthzid != authcid {
|
478
|
|
- rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), client.t("SASL authentication failed: authcid and authzid should be the same"))
|
479
|
|
- return false
|
|
471
|
+ authzid, err = CasefoldName(string(value))
|
|
472
|
+ if err != nil {
|
|
473
|
+ err = errAuthzidAuthcidMismatch
|
480
|
474
|
}
|
481
|
475
|
}
|
482
|
476
|
|
|
477
|
+ if err == nil {
|
|
478
|
+ err = server.accounts.AuthenticateByCertFP(client, authzid)
|
|
479
|
+ }
|
|
480
|
+
|
|
481
|
+ if err != nil {
|
|
482
|
+ msg := authErrorToMessage(server, err)
|
|
483
|
+ rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg)))
|
|
484
|
+ return false
|
|
485
|
+ }
|
|
486
|
+
|
483
|
487
|
sendSuccessfulAccountAuth(client, rb, false, true)
|
484
|
488
|
return false
|
485
|
489
|
}
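Review bot: The local `cfAuthzid != authcid` comparison is removed from authExternalHandler and the authzid check now lives entirely inside `server.accounts.AuthenticateByCertFP(client, authzid)`, whose implementation is outside this hunk; since a non-empty authzid that does not match the certificate's account must still be rejected (presumably with errAuthzidAuthcidMismatch), confirm that the callee enforces it, because nothing in this function does anymore. A CasefoldName failure is also reported as errAuthzidAuthcidMismatch, so a malformed authorization ID reaches the user as a "mismatch" and the original casefold error is dropped; if that is intended, a comment on the assignment such as `// a malformed authzid can never match the account, so report it as a mismatch` would make the mapping deliberate. The ERR_SASLFAIL line reads the `client.nick` field directly where the removed line used `client.Nick()`; if `Nick()` guards the field with a lock, the field access bypasses that synchronization and should be `client.Nick()`. The body of authExternalHandler begins before this hunk.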
|