Commit graph

3970 commits

Author SHA1 Message Date
Ed Kellett
396edc6fbd authd: substitute * if rewritten user is empty
We remove characters like ^ and ~ from the ident string after checking
if it's valid. If it consisted entirely of those, we'd try to send an
empty string to ircd, which would break the protocol, so don't let that
happen.
2021-06-08 22:09:47 +01:00
Ed Kellett
888d20da6d msgbuf_cache_get: Don't create cycle when evicting 2021-06-08 22:00:26 +01:00
Ed Kellett
73d8a5aa23 Don't free propagated bans on dereference 2021-06-08 21:57:43 +01:00
Ed Kellett
ce376a21cc Keep propagated bans in a dictionary, not a list 2021-06-08 21:57:43 +01:00
Aaron Jones
8b7110d6ba modules/m_sasl.c: use IsSecure() instead of IsSSL()
Further to our implementation of the concept of "secure origins", we can
indicate to services that the client is connected securely, rather than
just that the client is using TLS. For example, connections from the
local host (from the IRCd's perspective) can be considered secure
against eavesdropping.

Allow this to factor into services' decision on whether to allow an SASL
negotiation or not. Atheme currently assumes this means the client is
using TLS, but I have changed that in atheme/atheme@412d50103c
2021-06-08 04:59:43 +00:00
Ed Kellett
ea51635c01 m_whois: show services even if they lack opernames 2021-06-05 20:21:45 +01:00
Ed Kellett
b5f46fda92 Delete RPL_WHOISSPECIAL 2021-06-05 20:21:45 +01:00
Ed Kellett
96f6804b24 m_whois: put opername/privset in RPL_WHOISOPERATOR
Show just the opername if you're an oper the target is not hidden from
and you don't have oper:privs.

close #100
2021-06-05 20:21:45 +01:00
Ed Kellett
eeaea74616 Allow privset-less OPER bursting 2021-06-05 19:42:18 +01:00
Ed Kellett
53b209c748 m_oper: receive ircd-seven-style opernames 2021-06-05 19:42:18 +01:00
megubyte
cad61c9d1a
m_invite: send message tags (#173) 2021-06-05 15:57:03 +01:00
Aaron Jones
68f3678b46 GitHub CI: Ignore more text file updates 2021-06-03 01:45:12 +00:00
NetSysFire
2a8338475c Improve README.md
Some minor changes, mostly more consistent use of monospace, more convenient links to mentioned files, consistent captialization of Solanum.
2021-06-03 01:19:29 +00:00
jailbird777
b29800911a librb mbedTLS: der_pubkey is used out of scope 2021-06-02 18:38:22 +00:00
Ariadne Conill
3fc0499e77
Mailmap and copyright update for Ariadne 2021-06-01 12:40:02 -04:00
Doug Freed
6adc24e5b1 CREDITS: update IRC channel for network move 2021-05-31 00:41:20 +00:00
mniip
79a38ce96d Fix time.h in librb autoconf 2021-05-30 16:13:38 -05:00
Ariadne Conill
8dbfb0203e librb: radixtree: fix iteration restarting
STATE_CUR(state) = NULL causes rb_radixtree_foreach_next() to fail,
instead set both state pointers to the same address.
2021-05-30 10:39:34 -05:00
Mike Quin
f47785bca2
Use plain language in +r/+R error messages (#169) 2021-05-29 00:41:25 +01:00
Doug Freed
2450895399
README: change IRC network (#172) 2021-05-27 21:01:24 +01:00
Sadie Powell
cb2af23193
Remove the CLIENTVER 005 token. (#161)
This was introduced in commit bde6442c47 but the rationale for it is
pretty shaky. No other non-Charybdis-derived servers send it and the
features the original commit claims it can be used to detect all have
their own methods of detection. The concept of "core capabilities" and
versioned releases was also dropped by IRCv3 many years ago in favour
of living specifications.
2021-05-25 11:08:59 +01:00
Mike Quin
a07fd84069 Document +u in umode and cmode help 2021-05-22 21:12:04 -05:00
Ed Kellett
3ff5a12e75
Allow temporary K-lines to extend shorter ones (#142)
* Temp K-lines may extend shorter temp K-lines

* /unkline removes multiple matching K-lines

* K-lines remove any temp K-lines they're replacing
2021-04-27 14:45:04 +01:00
Ed Kellett
788e1a98f0 Remove $x's magical powers 2021-04-26 17:51:55 +01:00
Ed Kellett
dfeba65563 Add channel::ip_bans_through_vhost 2021-04-26 17:51:55 +01:00
Ed Kellett
d58de35b83 Remove redundant param to update_session_deadline 2021-04-26 17:45:49 +01:00
Ed Kellett
0abb79b706 Manage override sessions properly 2021-04-26 17:45:49 +01:00
jess
64d5cff464
add separate priv (oper:message) for walking over CALLERID (umode +g) (#152) 2021-04-26 16:24:36 +00:00
Ed Kellett
4cac091255
Add an s2s cap for ECHO (#141) 2021-04-20 12:22:50 +01:00
Ed Kellett
e6e26343c3
Reword ERR_ALREADYREGISTERED (#145) 2021-04-17 18:48:53 +00:00
Ed Kellett
92fa29ce37
channel: flood warnings for privmsg, not notice (#147) 2021-04-17 18:43:59 +00:00
David Schultz
f8838806ef
make VERSION not include sid (#118) 2021-04-10 15:19:27 +01:00
jesopo
5a261597e4 send account-notify messages to subject connection too 2021-04-10 15:15:39 +01:00
jesopo
72b1dbd4bf "KDX-Line active for" is now L_NETWIDE, so remove sno_globalkline 2021-04-10 15:12:40 +01:00
jesopo
36828ff720 switch "KDX-Line active for" snote to L_NETWIDE and include which mask
caused it
2021-04-10 15:12:40 +01:00
Ed Kellett
f89a8deb3e
Make show_ip not care about remoteness (#139) 2021-04-09 20:01:11 +00:00
Eric Mertens
a03871c657
A missing colon to RPL_MAP recently split (#131) 2021-03-16 17:51:42 -07:00
Ed Kellett
df4fead0f2 privilegeset_add_privs: append rather than replace 2021-03-01 15:45:03 +00:00
Ed Kellett
181410f218 Make privilegeset_privs more const 2021-03-01 15:45:03 +00:00
Ed Kellett
9962f62577 privilegeset_diff: return things in a struct 2021-03-01 15:45:03 +00:00
Ed Kellett
8b8320596c privilege: factor out a null check 2021-03-01 15:45:03 +00:00
Ed Kellett
02690ad5b2 Use bsearch to check privset membership
I don't really care if it's faster, I just prefer it
2021-03-01 15:45:03 +00:00
Ed Kellett
ae54b3a735 Add tests for privsets 2021-03-01 15:45:03 +00:00
Ed Kellett
8aadf0ce46 Track and inform modules of privset changes 2021-03-01 15:45:03 +00:00
Aaron Jones
2e8a889fc9 doc/reference.conf: add an example TLSv1.3 ciphersuite name
[ci skip]
2021-02-07 11:52:58 +00:00
Aaron Jones
a90f22c92d OpenSSL: Support configuration of TLSv1.3 ciphersuites
The OpenSSL developers decided, during the OpenSSL 1.1.1 development
phase, to use a different API and different set of lists for TLSv1.3
ciphersuites, than for every TLS version preceeding it.

This is stupid, but we have to work with it.

This commit also improves configuration fault resilience. The reason
is that if you don't pass any valid old-style ciphersuites, OpenSSL
will not negotiate an older protocol at all. However, when they
implemented the new API, they decided that lack of any valid
ciphersuites should result in using the defaults. This means that if
you pass a completely invalid ciphersuite list (like "foo"), OR if
you pass a TLSv1.2-only ciphersuite list, TLSv1.3 continues to work.
This is not mirrored; passing a TLSv1.3-only ciphersuite list will
break TLSv1.2 and below.

Therefore we work around this lack of mirroring by falling back to
the default list for each protocol. This means that if
ssl_cipher_list is complete garbage, the default will be used, and
TLS setup will succeed for both protocols. This is logged, so that
administrators can fix their configuration.

I prefer this approach over explicitly disabling the protocols if
their respective ciphersuite lists are invalid, because it will
result in unusable TLSv1.3 if people run newer solanum with their
older charybdis/solanum configuration files that contain custom
ssl_cipher_list definitions. Hindering TLSv1.3 adoption is not an
option, in my opinion.

The downside of this is that it is no longer possible to disable a
protocol family by not including any of its ciphersuites. This could
be remedied by an ssl_protocol_list configuration directive if it is
decided that this functionality is ultimately necessary.

This work is not required for either of the other TLS backends,
because neither of those libraries yet support TLSv1.3, and in the
event that they eventually do, I expect them to allow configuration
of newer ciphersuites with the existing APIs. This can be revisited
if it turns out not to be the case.

Signed-off-by: Aaron Jones <me@aaronmdjones.net>
Tested-by: Aaron Jones <me@aaronmdjones.net>
2021-02-07 11:52:58 +00:00
Taavi Väänänen
4863b35d1d
doc: Change missed chadybdis name to solanum (#111)
Looks like this was missed in a6f63a8.
2021-01-28 14:14:40 +00:00
Taavi Väänänen
d04ed5c53f
wallops: require new oper:wallops right (#110)
Split oper:wallops right from oper:mass_notice. Update documentation and
examples to grant oper:wallops everywhere oper:mass_notice was granted.

closes #103
2021-01-28 14:09:31 +00:00
Ed Kellett
2e79cebb9e
chmode: centralise + test mode limits (#94) 2021-01-26 11:22:39 +00:00
Doug Freed
12fd6e80c5 wsproc: call rb_clear_cloexec on child fds 2021-01-26 00:03:48 -05:00