Commit graph

55 commits

Author SHA1 Message Date
jailbird777
8e9a741832 OpenSSL 3.0 compatibility
Edited by @aaronmdjones:

- Correct some data types and casts

- Minor style fixups (e.g. we put * on the variable name not the type)

- librb/src/openssl.c:

  - Defer call of BIO_free(3ssl) to the end of the conditional block
    to avoid having calls to it in multiple paths

  - Check the return value of SSL_CTX_set0_tmp_dh_pkey(3ssl) because if
    it fails then we must use EVP_PKEY_free(3ssl) to avoid a memory leak

    This could fail if, for example, the user supplied DSA parameters
    in the DH parameters file instead.

- ircd/newconf.c:

  - Check whether OSSL_DECODER_CTX_new_for_pkey(3ssl) was able to parse
    the given CHALLENGE public key as a valid RSA public key, and then
    check whether OSSL_DECODER_from_bio(3ssl) actually loads it
    successfully

- ircd/s_newconf.c:

  - Use EVP_PKEY_free(3ssl) instead of OPENSSL_free(3ssl) on EVP_PKEY
    pointers; this will avoid inadvertent memory leaks if the EVP_PKEY
    structure contains any dynamically-allocated child members

- modules/m_challenge.c:

  - Unconditionally use EVP(3ssl) to generate the SHA-1 digest of the
    random challenge; this API has been around for a very long time and
    is available in all supported versions of OpenSSL

  - Add lots of error checking to all steps of the process

Tested against 1.1.1 and 3.0; both with missing and provided DH parameters
(which works as you'd expect; the server will not negotiate a DHE cipher
without them), and CHALLENGE, including missing keys or keys of the wrong
type (e.g. when you supply an EdDSA key instead of an RSA key).

This does break compatibility with OpenSSL 1.1.0 and below, which are now
all end-of-life and unsupported anyway.

Closes #357
2022-08-25 00:36:47 +00:00
Ed Kellett
ba95896969 Make valid_temp_time overflow-resistant 2022-04-13 01:09:27 +01:00
Ed Kellett
7a246575e5 remove some header dependencies on client.h 2022-03-06 22:51:19 +00:00
Ed Kellett
6485005214 Get rid of hub_mask/leaf_mask 2020-11-14 18:22:08 +00:00
Ed Kellett
f57d88bc71 Remove shared blocks 2020-11-01 04:20:44 +00:00
Ed Kellett
7d84719d68 Unify oper:{global,local}_kill 2020-10-25 20:02:03 +00:00
Ed Kellett
64c9f5093f Make opers with no known privset pass IsOperGeneral 2020-08-04 22:58:31 +01:00
Ed Kellett
1cd6639a35 Add auspex:oper 2020-08-04 22:58:30 +01:00
Ed Kellett
d4f7eb4ce6 Replace most checks for +o with oper:general
I'm preparing to PR a succession of privs changes with the ultimate goal
of severely limiting the scope of the binary oper/user dichotomy and
move conceptually distinct oper functions into their own privs.

Accomplishing this is a non-trivial task, and can wait, but it's
inconvenient now to have such functions enabled by the same mechanism
that grants any privs at all--so I'm moving all of them to a
transitional priv with the intention of eroding that later.
2020-08-04 22:58:30 +01:00
Simon Arlott
bcd241da68 Fix compiler warning for SeesOper 2019-09-15 10:00:56 +01:00
Ed Kellett
ed3ca2ff16 Propagate OPER
Move opername and privset storage to struct User, so it can exist for
remote opers.

On /oper and when bursting opers, send:

    :foo OPER opername privset

which sets foo's opername and privset. The contents of the privset on
remote servers come from the remote server's config, so the potential
for confusion exists if these do not match.

If an oper's privset does not exist on a server that sees it, it will
complain, but create a placeholder privset. If the privset is created by
a rehash, this will be reflected properly.

/privs is updated to take an optional argument, the server to query, and
is now local by default:

    /privs [[nick_or_server] nick]
2019-09-13 10:08:27 +01:00
Ed Kellett
1123eefcb0 Rework oper hiding
As it stands, oper hiding is rather messy and inconsistent. Add
SeesOper(target, source), which is true iff target should appear as an
oper to source. If I haven't missed something, all commands that reveal
oper status now use the same logic.

general::hide_opers_in_whois is a special case, and affects /whois only.

general::hide_opers is introduced, and has the same effect as giving
everyone oper:hidden. All commands that reveal oper status respect both.
2019-09-12 23:14:15 +01:00
Simon Arlott
6003ce763c Add outgoing SCTP connect support 2017-08-24 20:08:21 +01:00
Simon Arlott
de2934965c remove RB_IPV6 2017-08-20 12:54:46 +01:00
William Pitcock
087555a00f ircd: introduce 'no-export' links
Links that are 'no-export' are not distributed to the rest of the IRC network (including local peers).
This provides a core primitive for 'anycasting' services (but the actual issue of synchronizing data in
a services package is left to the authors of the services package).
2016-09-16 17:18:55 -05:00
Simon Arlott
d4214e9445 ircd: server connection configuration
Fix the server connection configuration so that it can simultaneously
handle a hostname/IPv4/IPv6 for connecting and a hostname/IPv4/IPv6
for binding. Maintains backwards compatibility for matching a hostname
with a mask.

Multiple host/vhost entries can be specified and the last value for
each address family is stored. Hostnames that resolve automatically
overwrite the IP address.

Server connections can now be made to either IPv4 or IPv6 at random
as well as preferring a specific address family.
2016-04-24 17:06:24 +01:00
Elizabeth Myers
5a22e9259b Fix overzealotry in flags fixing.
These flags are for oper confs, not for client flags.
2016-04-07 07:48:50 -05:00
Elizabeth Myers
66f7fe673b Get rid of flags2.
It seems to come from an era where long long didn't exist and 64-bit
machines weren't common. 32-bit machines are still common but I can't
imagine this will have much performance impact there.

This "fixes" #179 in title only, but see comments within.
2016-04-07 07:40:55 -05:00
Elizabeth Myers
bd43a44469 Remove more YES/NO usage. 2016-03-23 08:43:28 -05:00
Elizabeth Myers
cbeab4bc34 Remove $Id tags from everything.
These are obsolete and none have changed since 10 years ago...
2016-03-06 02:47:27 -06:00
William Pitcock
15feac531c ircd: implement support for remote module load/unload/etc commands 2016-01-12 00:37:54 -06:00
William Pitcock
cc7ae51cdc Allow remote DIE and RESTART (from ircd-seven) 2016-01-12 00:04:54 -06:00
William Pitcock
fe749d3709 ircd: implement GRANT subsystem based on ircd-seven 2016-01-11 23:02:03 -06:00
William Pitcock
1d02144f8b ircd: move DNS resolution over to authd 2016-01-08 06:31:08 -06:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
William Pitcock
ff0cc1e616 Add support for linking using SSL certificate fingerprints as the link credential rather than the traditional server-password pair. 2010-12-13 23:14:00 -06:00
William Pitcock
ff31db8473 Add support for client certificate fingerprints in o:lines. 2010-02-17 06:41:41 -06:00
Jilles Tjoelker
179becdf5f target change: Overwrite the least recently used target with a new one. 2010-02-15 00:31:17 +01:00
Jilles Tjoelker
53307da8ca Disable autoconnect for a server with excessive TS delta.
Note that in some cases (different TS delta settings,
heavy lag) it is possible only one of the servers
detects the problem and autoconnect may be left enabled.
The mechanism used for disabling is the same as
/quote set autoconn <server> 0; the A flag in /stats c
disappears and a rehash or /quote set autoconn can put
it back.
2009-02-05 23:43:07 +01:00
Jilles Tjoelker
10847f65d3 Remove old oper privilege flags. 2008-09-09 21:51:26 +02:00
Jilles Tjoelker
b159441429 Add need_ssl to auth{} and operator{}.
Specifying need_ssl on auth{} denies the connection if
it is not SSL/TLS, much like need_ident or need_sasl.
Specifying need_ssl on operator{} refuses opering with
ERR_NOOPERHOST if the connection is not SSL/TLS.
from ircd-ratbox
2008-09-07 01:18:58 +02:00
William Pitcock
f37fc9389b HasPrivilege(): check to make sure localClient and localClient.privset are non-NULL. 2008-08-17 08:52:04 -05:00
William Pitcock
6ac9e53ee4 All modules converted to use privsets by porting the macro over.
New macro, HasPrivilege() does most of the work here, the old IsOper*() macros
are deprecated, and will likely be removed later.
2008-08-17 08:36:17 -05:00
William Pitcock
a2e1310cbe oper_conf structure: add privset association. 2008-08-17 07:32:30 -05:00
Jilles Tjoelker
a3143c9b6b Some const stuff for m_set. 2008-06-11 00:28:08 +02:00
Jilles Tjoelker
c42fb00e7f Remove dline flags from shared all.
This means dline/undline need to be specified
explicitly in a shared{} block.
2008-04-21 01:41:42 +02:00
Jilles Tjoelker
2e819b6b3e Fix various compiler warnings. 2008-04-20 15:20:10 +02:00
Valery Yatsko
f5cb68d51d Remote d:lines implementation (based on ircd-seven's r230 by spb, Stephen Bennett <spb@attenuate.org>) 2008-04-20 11:26:37 +04:00
Valery Yatsko
170703fe3a Removing glines 2008-04-11 18:47:03 +04:00
Valery Yatsko
c6d7203732 ssl sync with http://hg.angelforce.ru/charybdis-old 2008-04-06 18:52:42 +04:00
Valery Yatsko
e7046ee54d irc_sockaddr_storage -> rb_sockaddr_storage, changing fd in Listener struct to F 'cause libratbox3 needs it. 2008-04-02 19:57:37 +04:00
Valery Yatsko
54ac8b60a1 Reverting some changes related not to moving to libratbox3 but to using ratbox3 source! 2008-04-02 19:37:50 +04:00
Valery Yatsko
ae78a57163 Reverting to 398.. trying again with native charybdis hash 2008-04-02 14:16:31 +04:00
Valery Yatsko
5c65d4ca0c nd_entry struct from ratbox3 2008-04-02 14:00:41 +04:00
Valery Yatsko
f7e2c5b340 Trying again - this will need ssld integration from me 2008-04-02 13:32:14 +04:00
Valery Yatsko
81af5bcb39 libcharybdis includes gone. 2008-04-02 02:39:19 +04:00
Jilles Tjoelker
7018b86a12 More changes for libratbox. 2008-04-01 23:11:11 +02:00
William Pitcock
5b96d9a6b9 start making this compile 2008-04-01 15:18:48 -05:00
Jilles Tjoelker
de82e84fae Use a more expected value for SHARED_TRESV. 2008-01-05 14:58:13 +01:00
Jilles Tjoelker
a6f4368b96 Add mass_notice oper priv, enabled by default for compatibility.
Controls /wallops and masked notices/privmsgs.
2007-12-24 21:47:05 +01:00