Commit graph

637 commits

Author SHA1 Message Date
Aaron Jones
4d12e65469 extensions/invite_notify: make the NOTICE optional, configurable
This adds a configuration option that determines whether the NOTICE is
sent to clients that do not support the IRCv3 invite-notify capability.

Requested by LiberaChat MGM.
2023-11-08 13:12:49 +00:00
Aaron Jones
642c73dddb ircd/listener: return a fatal TLS alert for early rejected TLS clients
This is in furtherance of commit 3fdf26aa19 which added
functionality to reply with a TLS record layer alert for D-Lined TLS
clients. It turns out that there are other plaintext error messages
in this same function that should receive the same treatment.

Also move another error string to a variable and use a compile-time
optimised-out strlen for it too, to use the same approach as an
existing error string.

Finally, use a different alert (internal_error) for the case where
IRCd is simply unable to accept more connections.
2023-11-07 23:52:41 +00:00
Doug Freed
c1b01bf5ec client: refactor del_all_accepts to allow skipping own accept list
This allows reusing this function for other uses that just need to
remove this client from others' accept lists on nick change and not have
duplicates of this code everywhere
2023-11-06 17:31:44 +00:00
Eric Mertens
f718aed2ae Replace free with rb_free 2023-11-06 14:22:55 +00:00
Ed Kellett
59ea3c6753 Delay rehashing until we're not processing events
Fixes crash introduced by 0ab6dbbc65. It's
probably a regression since it defeats a system designed to stop this
from happening, but I didn't dig through the history.

rehash() closes listeners. If we happen to get a single epoll() result
that wants to first rehash and then accept a connection, the epoll info
will point to a freed rb_fde_t. Other selectors should have similar
problems, but we didn't investigate that.

rb_fde_ts are normally batched up and freed outside the event
processing, but as of the above commit close_listeners() screws that up
by closing pending FDs immediately in order to create new listeners.

I think it might be a bit better to revert this behaviour and simply not
close listeners if we are going to open new ones over them, but have
opted for the smallest reasonable change I can think of.

Helped-by: Eric Mertens <emertens@gmail.com>
2023-11-06 14:22:55 +00:00
Doug Freed
cc95a6722e modules: quietly succeed at loading a module if already loaded
This allows explicitly loading a module in the config so it's available
for later config items that might need it, and skips the double load
when main loads all modules, which would cause errors
2023-07-01 19:23:56 +01:00
Doug Freed
7a2ccb077f modules: clear module list and mod paths in init
If main is called more than once (like in tests), everything is
reinitialized except the loaded module list and module paths, so clear
them too so that modules are loaded again and the path list is correct.
2023-07-01 19:23:56 +01:00
Jess Porter
c33da0d24e
support RSFNC indicating type of FNC (e.g. FORCE vs REGAIN) (#406) 2023-07-01 19:22:40 +01:00
David Schultz
d1c028f212
Warn opers about unresponsive servers 2023-06-13 09:13:42 -05:00
Doug Freed
4a47689a35 chmode: convert bants to a proper serial
This way it increments for every change. It need not be a timestamp, as
its actual value is not important.

This fixes an issue where a ban could be set, hit, and cleared all in
the same second, and the affected client would still be cached as banned
because the bants hadn't actually changed.
2023-01-23 04:27:25 -06:00
Aaron Jones
e02cc991bb ircd/authproc.c: avoid crash on lack of any configured DNSBLs
Fixes fbc97166a6
Closes #396
2023-01-11 21:31:50 +00:00
Aaron Jones
fbc97166a6
authd: fix crash/restart breaking DNSBL lookups (#394)
authd child processes are only told about configured DNSBLs when the
configuration is being parsed.

This is bad, because when authd crashes or is killed, IRCd will restart
it, but will not tell it about any configured DNSBLs until IRCd is next
rehashed.

We already have a dictionary that stores configured DNSBLs (for hit
statistics for `STATS n'), so store the additional needed fields in
that structure, and loop over that dictionary's entries when authd is
restarted, sending the fields just as if the configuration were being
reloaded.

Reported-By: @Unit193
2023-01-11 01:28:32 +00:00
Jess Porter
3a4efe9081
CHGHOST when only case changes (#384) 2022-11-09 23:33:07 +00:00
Aaron Jones
63ee10379c
timeout_dead_authd_clients(): fix memory leak and order of operations (#385)
Ensure we deallocate the nodes created by the first loop, and zero out
the authd data after removing them from the authd clients dict.

The authd_abort_client() function already does the latter, so just call
that instead of authd_free_client().
2022-11-06 08:14:15 +00:00
Unit 193
f085388a74 Unify helper snotes and make netwide. 2022-10-21 03:00:22 -04:00
Jess Porter
687f290a6c
make some authd warnings L_NETWIDE 2022-10-03 20:00:21 +01:00
jailbird777
3c586ccf3e
Remove ancient portability code (#361)
Remove portability code for systems that don't follow at least SUSv3.
This fairly closely aligns with ISO C99, which solanum already requires.
2022-08-24 20:53:52 -04:00
jailbird777
8e9a741832 OpenSSL 3.0 compatibility
Edited by @aaronmdjones:

- Correct some data types and casts

- Minor style fixups (e.g. we put * on the variable name not the type)

- librb/src/openssl.c:

  - Defer call of BIO_free(3ssl) to the end of the conditional block
    to avoid having calls to it in multiple paths

  - Check the return value of SSL_CTX_set0_tmp_dh_pkey(3ssl) because if
    it fails then we must use EVP_PKEY_free(3ssl) to avoid a memory leak

    This could fail if, for example, the user supplied DSA parameters
    in the DH parameters file instead.

- ircd/newconf.c:

  - Check whether OSSL_DECODER_CTX_new_for_pkey(3ssl) was able to parse
    the given CHALLENGE public key as a valid RSA public key, and then
    check whether OSSL_DECODER_from_bio(3ssl) actually loads it
    successfully

- ircd/s_newconf.c:

  - Use EVP_PKEY_free(3ssl) instead of OPENSSL_free(3ssl) on EVP_PKEY
    pointers; this will avoid inadvertent memory leaks if the EVP_PKEY
    structure contains any dynamically-allocated child members

- modules/m_challenge.c:

  - Unconditionally use EVP(3ssl) to generate the SHA-1 digest of the
    random challenge; this API has been around for a very long time and
    is available in all supported versions of OpenSSL

  - Add lots of error checking to all steps of the process

Tested against 1.1.1 and 3.0; both with missing and provided DH parameters
(which works as you'd expect; the server will not negotiate a DHE cipher
without them), and CHALLENGE, including missing keys or keys of the wrong
type (e.g. when you supply an EdDSA key instead of an RSA key).

This does break compatibility with OpenSSL 1.1.0 and below, which are now
all end-of-life and unsupported anyway.

Closes #357
2022-08-25 00:36:47 +00:00
Jess Porter
fdd8cad93f
EBMASK capab, to burst BMASK metadata (#354) 2022-08-20 01:35:54 +01:00
Aaron Jones
a6b99c07d1
serv_connect(): ensure both sa_bind[]/sa_connect[] are always populated (#352)
Due to [1], linking with SCTP sometimes does not multi-home correctly.
This is triggered by the rand() on the lines immediately above these.

The connect{} blocks already support an `aftype` parameter to instruct
IRCd to prefer IPv4 or IPv6. This commit additionally ensures that the
other structure is always populated with the other address (if any) if
this parameter is specified.

This will allow SCTP server-linking users to work around the bug and
ensure that it always multi-homes by setting `connect::aftype` to IPv4.
Without this commit, that would cause Solanum to not include the IPv6
addresses (if any) in the connect block in its SCTP setup.

If there isn't a valid IP address in the other sockaddr, this should be
of no consequence, because it will not be used by rb_connect_tcp(), and
both rb_connect_sctp() and rb_sctp_bindx_only() already verify that
there is a valid IP address in the sockaddr before making use of it.

[1] https://marc.info/?l=linux-sctp&m=165684809726472&w=2
2022-07-05 06:01:26 +00:00
Matthew Martin
5c01fc8bd7 Cast time_t to long long when printing 2022-07-01 03:43:36 -04:00
Aaron Jones
3fdf26aa19 ircd/listener: return a TLS record layer alert to D-Lined TLS clients 2022-06-30 18:55:41 -04:00
Matthew Martin
c0d93064a6 chmode: Use original string when removing a mask 2022-06-30 21:00:46 +01:00
JailBird
62f6351d90 Illumos fixes
- getexecname(3) returns const char *
- pid_t is long
2022-06-29 20:28:11 -04:00
Matthew Martin
57aa79acb8 Normalize snprintf size to use sizeof where possible 2022-06-24 01:42:08 -04:00
Matthew Martin
e239ac8785 chmode: Fix snprintf size 2022-06-24 01:42:08 -04:00
Doug Freed
fae8f2517c valid_temp_time: more simplification and test fixes 2022-06-20 16:35:03 +01:00
Ed Kellett
4f46809305 valid_temp_time: simplify/correct overflow check
the logic for trying to detect the maximum value of time_t was broken;
since we target a lower maximum time anyway, just use that for the
overflow check
2022-06-20 16:35:03 +01:00
Bernhard M. Wiedemann
2681c7d2e4 Normalize generation for reproducible builds
While working on reproducible builds for openSUSE, I found that
our package varied even when building in clean VMs
with as little non-determinism as possible.
This was because of

+++ solanum-0~ch560/ircd/version.c.last
@@ -25,7 +25,7 @@
 #include "serno.h"
 #include "stdinc.h"

-const char *generation = "6";
+const char *generation = "5";
 const char *creation = "1653004800";
 const char *ircd_version = PATCHLEVEL;
 const char *serno = SERNO;
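Review bot: the quoted diff of `ircd/version.c.last` has only a `+++` header and no matching `---` line, so it is not clear which two builds are being compared, and the message stops at the diff without saying how `generation` ("6" vs "5") is derived or what the build writes for it after this change. Suggest restoring the missing header and adding one sentence describing the normalized value; `creation` is already identical on both sides, so `generation` is the only varying line shown.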
2022-05-29 10:16:00 +01:00
Eric Mertens
48a06ae3d7
Add description parameter to auth blocks (#327) 2022-04-14 14:39:45 -07:00
Ed Kellett
ba95896969 Make valid_temp_time overflow-resistant 2022-04-13 01:09:27 +01:00
Ed Kellett
1fcdacb424 Test some edge cases of valid_temp_time 2022-04-13 01:09:27 +01:00
Jess Porter
099d470763
show IPs in remote /stats i (#312)
Co-authored-by: Eric Mertens <emertens@galois.com>
2022-04-08 10:06:43 -07:00
David Schultz
9dd98618d0
whowas.c: store account name in whowas (#323)
Co-authored-by: Eric Mertens <emertens@galois.com>
2022-04-01 14:58:43 -07:00
Ed Kellett
c2fdb023a9 Remove the subset ban restriction
I think this was always pretty questionable. You can set redundant bans
in various ways anyway, and preventing all of them would only make the
situation worse, as wide temporary bans would destroy narrow permanent
ones, for example.
2022-04-01 22:49:54 +01:00
Ed Kellett
492d560ee1 valid_temp_time: style fixes 2022-03-06 22:51:19 +00:00
David Schultz
93035e75d9 Support more human friendly k/d/x-line duration format 2022-03-06 22:51:19 +00:00
Ed Kellett
5a1b54fddc channel: always send chm_hidden modes to servers 2021-12-04 20:27:59 +00:00
Aaron Jones
284649441f
ircd/packet.c: make function definition consistent with declaration (#301)
This function has a static forward-declaration, and is not used outside
this compilation unit. However, the definition was non-static. Fix this.
2021-11-30 11:50:30 -08:00
jess
bd38559fed
better standardised SNO_FULL. always show host AND ip 2021-11-14 17:59:58 +00:00
Ed Kellett
19f0ae8429
check_one_kline: fix kline_spoof_ip handling 2021-11-07 23:30:22 +00:00
jess
430833dca2
"KLINE active for ..." -> "Disconnecting K-Lined user ..." 2021-10-09 23:44:36 +01:00
jess
78825899cd
explicitly show IP in SNO_BANNED snotes 2021-10-09 22:45:22 +01:00
David Schultz
202674a822
fix typo in sasl_only_client_message (#279) 2021-09-15 11:57:48 -07:00
Eric Mertens
2ef034d111
Avoid show_iline_prefix showing leftovers (#266) 2021-08-21 08:54:16 -07:00
Aaron Jones
95898abbb1
ircd/newconf: ignore invalid connect block passwords (#261)
Also, ignore a connect block that requests certfp authentication
without setting the ssl flag, as it will then go on to fail anyway.

Finally, correct an erroneous error message about class blocks.
2021-08-14 23:14:39 +00:00
jesopo
be52c4c062
add SNO_BANNED, snote for it on client k/x-line rejection (#242)
* add SNO_BANNED, snote for it on client k/x-line rejection

* add snomask help file line for SNO_BANNED
2021-08-11 17:08:31 +01:00
jesopo
0fd3040caf add show_iline_prefix for IsNeedSasl 2021-08-04 11:33:04 -04:00
Ariadne Conill
e2ade30437 listener: refactor to use rb_dlink like the other lists in ircd 2021-07-31 00:05:59 -04:00
Ariadne Conill
0ab6dbbc65 listener: use rb_close_pending_fds() in close_listeners() 2021-07-31 00:05:59 -04:00