|
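--- a/PATH_NOT_IN_SOURCE
+++ b/PATH_NOT_IN_SOURCE
@@ -2159,18 +2159,53 @@ func passHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Resp
 rb.Add(nil, server.name, ERR_ALREADYREGISTRED, client.nick, client.t("You may not reregister"))
 return false
 }
+ // only give them one try to run the PASS command (all code paths end with this
+ // variable being set):
+ if rb.session.passStatus != serverPassUnsent {
+ return false
+ }
+
+ password := msg.Params[0]
+ config := server.Config()
+
+ if config.Accounts.LoginViaPassCommand {
+ colonIndex := strings.IndexByte(password, ':')
+ if colonIndex != -1 && client.Account() == "" {
+ // TODO consolidate all login throttle checks into AccountManager
+ throttled, _ := client.loginThrottle.Touch()
+ if !throttled {
+ account, accountPass := password[:colonIndex], password[colonIndex+1:]
+ err := server.accounts.AuthenticateByPassphrase(client, account, accountPass)
+ if err == nil {
+ sendSuccessfulAccountAuth(client, rb, false, true)
+ // login-via-pass-command entails that we do not need to check
+ // an actual server password (either no password or skip-server-password)
+ rb.session.passStatus = serverPassSuccessful
+ return false
+ }
+ }
+ }
+ }
+ // if login-via-PASS failed for any reason, proceed to try and interpret the
+ // provided password as the server password
+
+ serverPassword := config.Server.passwordBytes
 
 // if no password exists, skip checking
- serverPassword := server.Config().Server.passwordBytes
 if serverPassword == nil {
 return false
 }
 
 // check the provided password
- password := []byte(msg.Params[0])
- rb.session.sentPassCommand = bcrypt.CompareHashAndPassword(serverPassword, password) == nil
+ if bcrypt.CompareHashAndPassword(serverPassword, []byte(password)) == nil {
+ rb.session.passStatus = serverPassSuccessful
+ } else {
+ rb.session.passStatus = serverPassFailed
+ }
 
 // if they failed the check, we'll bounce them later when they try to complete registration
+ // note in particular that with skip-server-password, you can give the wrong server
+ // password here, then successfully SASL and be admitted
 return false
 }
 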
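Review bot: The early return after a successful AuthenticateByPassphrase (new lines 2183–2184) marks the session `serverPassSuccessful` without ever reading `config.Server.passwordBytes`, so this path's safety rests entirely on the invariant stated in the comment at 2181–2182 — that login-via-pass-command is only enabled when there is no server password or skip-server-password is on — being enforced at config load, which this hunk does not show. If that invariant is only documented rather than validated, a cheap defensive guard would be to hoist `serverPassword := config.Server.passwordBytes` above the `LoginViaPassCommand` branch and take the early return only when `serverPassword == nil` or the skip-server-password option is set; otherwise fall through to the bcrypt check as the failure path already does. Separately, the throttled branch discards the second return of `client.loginThrottle.Touch()` and silently falls through to comparing the whole `account:password` string against the server password, and a second PASS is silently dropped by the `serverPassUnsent` guard at 2164; both are reasonable but deserve a one-line comment such as `// throttled or failed account login: fall through and treat the full parameter as the server password, no reply is sent` so the absence of an error numeric reads as intentional. passHandler's signature and opening lines are outside the hunk.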