ircd/newconf: ignore invalid connect block passwords (#261)

Also, ignore a connect block that requests certfp authentication
without setting the ssl flag, as it will then go on to fail anyway.

Finally, correct an erroneous error message about class blocks.
Aaron Jones 2021-08-14 23:14:39 +00:00 committed by GitHub
parent f6b73103d6
commit 95898abbb1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -768,7 +768,7 @@ conf_end_class(struct TopConf *tc)
if(EmptyString(yy_class->class_name)) if(EmptyString(yy_class->class_name))
{ {
conf_report_error("Ignoring connect block -- missing name."); conf_report_error("Ignoring class block -- missing name.");
return 0; return 0;
} }
@ -1239,32 +1239,43 @@ conf_end_connect(struct TopConf *tc)
if (ServerInfo.name != NULL && !irccmp(ServerInfo.name, yy_server->name)) if (ServerInfo.name != NULL && !irccmp(ServerInfo.name, yy_server->name))
{ {
conf_report_error("Ignoring connect block for %s -- name is equal to my own name.", conf_report_error("Ignoring connect block for %s -- name is "
yy_server->name); "equal to my own name.", yy_server->name);
return 0; return 0;
} }
if((EmptyString(yy_server->passwd) || EmptyString(yy_server->spasswd)) && EmptyString(yy_server->certfp)) if ((EmptyString(yy_server->passwd) || EmptyString(yy_server->spasswd))
&& EmptyString(yy_server->certfp))
{ {
conf_report_error("Ignoring connect block for %s -- no fingerprint or password credentials provided.", conf_report_error("Ignoring connect block for %s -- no "
yy_server->name); "fingerprint or password credentials "
"provided.", yy_server->name);
return 0; return 0;
} }
if ((yy_server->flags & SERVER_SSL) && EmptyString(yy_server->certfp)) if ((yy_server->flags & SERVER_SSL) && EmptyString(yy_server->certfp))
{ {
conf_report_error("Ignoring connect block for %s -- no fingerprint provided for SSL connection.", conf_report_error("Ignoring connect block for %s -- no "
yy_server->name); "fingerprint provided for SSL "
"connection.", yy_server->name);
return 0;
}
if (! (yy_server->flags & SERVER_SSL) && ! EmptyString(yy_server->certfp))
{
conf_report_error("Ignoring connect block for %s -- "
"fingerprint authentication has "
"been requested; but the ssl flag "
"is not set.", yy_server->name);
return 0; return 0;
} }
if (EmptyString(yy_server->connect_host) if (EmptyString(yy_server->connect_host)
&& GET_SS_FAMILY(&yy_server->connect4) != AF_INET && GET_SS_FAMILY(&yy_server->connect4) != AF_INET
&& GET_SS_FAMILY(&yy_server->connect6) != AF_INET6 && GET_SS_FAMILY(&yy_server->connect6) != AF_INET6)
)
{ {
conf_report_error("Ignoring connect block for %s -- missing host.", conf_report_error("Ignoring connect block for %s -- missing "
yy_server->name); "host.", yy_server->name);
return 0; return 0;
} }
@ -1336,6 +1347,19 @@ conf_set_connect_send_password(void *data)
rb_free(yy_server->spasswd); rb_free(yy_server->spasswd);
} }
if (EmptyString((const char *) data))
{
yy_server->spasswd = NULL;
conf_report_warning("Invalid send_password for connect "
"block; must not be empty if provided");
}
else if (strpbrk(data, " :"))
{
yy_server->spasswd = NULL;
conf_report_error("Invalid send_password for connect "
"block; cannot contain spaces or colons");
}
else
yy_server->spasswd = rb_strdup(data); yy_server->spasswd = rb_strdup(data);
} }
@ -1347,6 +1371,20 @@ conf_set_connect_accept_password(void *data)
memset(yy_server->passwd, 0, strlen(yy_server->passwd)); memset(yy_server->passwd, 0, strlen(yy_server->passwd));
rb_free(yy_server->passwd); rb_free(yy_server->passwd);
} }
if (EmptyString((const char *) data))
{
yy_server->passwd = NULL;
conf_report_warning("Invalid accept_password for connect "
"block; must not be empty if provided");
}
else if (strpbrk(data, " :"))
{
yy_server->passwd = NULL;
conf_report_error("Invalid accept_password for connect "
"block; cannot contain spaces or colons");
}
else
yy_server->passwd = rb_strdup(data); yy_server->passwd = rb_strdup(data);
} }
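Review bot: In conf_set_connect_send_password and conf_set_connect_accept_password the empty-string branch reports through `conf_report_warning` while the space/colon branch uses `conf_report_error`, although both discard the password in exactly the same way. Since conf_end_connect only drops a block when a password is missing and certfp is also empty, a block that carries a fingerprint still loads with the rejected password set to NULL, so the link presumably authenticates on the fingerprint alone; an operator who expected both checks can easily miss that when it is logged only as a warning. I would use `conf_report_error` in both branches and add a comment above each check such as `/* a rejected password is left NULL; conf_end_connect() then requires a certfp */`. The two setters are also line-for-line duplicates and could share one static validation helper that takes the field name for the message. Both setter functions begin outside the visible hunks, so this is based only on the lines shown.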