Commit graph

2360 commits

Author SHA1 Message Date
Jilles Tjoelker
b45b2daef9 startup: Check return value of open /dev/null. Don't fclose stdin/stdout/stderr.
Open /dev/null for standard fds earlier, so a failure can be reported.
Do not fclose stdin/stdout/stderr but just overwrite the fds with
/dev/null.
2014-02-23 21:51:19 +01:00
Jilles Tjoelker
0391874cc7 webirc: Check validity of given IP. 2014-02-23 21:14:09 +01:00
Jilles Tjoelker
a5de4edefd doc/ts6-protocol: Document ETB message (EOPMOD capab). 2014-02-22 17:45:42 +01:00
Jilles Tjoelker
8a4b837775 m_services: Make sure to return a value from the modinit function. 2014-02-22 17:45:42 +01:00
Keith Buck
784ce5c1cc Remove SSL_OP_NO_COMPRESSION from openssl initialization.
SSL_OP_NO_COMPRESSION was presumably added in an attempt to prevent
information leakage in a manner similar to recent attacks on HTTPS.
However, assuming that IRC is vulnerable to the same class of attacks is
incorrect: the behavior of the IRC protocol (a single long-running
connection) is not the same as that of HTTPS (multiple ephemeral
connections). HTTPS's use of ephemeral connections means that certain
assumptions can be made about the contents of the compression
algorithm's dictionaries and the content exchanged between the client
and server (e.g. the content being nearly the same for each connection),
which is not true for IRC. Additionally, they rely on the attacker being
able to coerce the client into creating many HTTPS connections (and
resending some secret token belonging to the user, along with
attacker-controlled data) each time, none of which is possible with IRC.
Lastly, since compression is no longer performed, this option will
result in leaking the lengths of messages transmitted to and from the
client. This option does reduce CPU utilization on Charybdis servers but
also increases bandwidth consumed.
2014-02-21 09:17:29 +00:00
ShadowNinja
445af265f1 Clarify UMODE +R help text 2014-02-19 17:54:53 -05:00
Jilles Tjoelker
fab79c5d25 libratbox: Fix undefined behaviour advancing pointer beyond end of array.
The C standard does not allow constructing pointers beyond one past the end
of an array. Therefore, if size is an unsigned type (size_t), then
buf + size is never less than buf.

Clang on 32-bit took advantage of the undefined behaviour, causing
segfaults.

Lightly tested.
2014-02-16 16:06:01 +01:00
William Pitcock
7f2508c135 Merge pull request #46 from grawity/sasl-mechlist
sasl: send RPL_SASLMECHS
2014-02-08 13:02:16 -06:00
William Pitcock
85e9bf4151 ssld: force the control buffer to be unsigned bytes except in special circumstances
This has the side effect of fixing GnuTLS.
2014-02-08 18:40:35 +00:00
William Pitcock
bf4e01a427 libratbox: regenerate autotools files 2014-02-08 18:35:24 +00:00
William Pitcock
7aa40f6d2c libratbox/gnutls: add gnutls v3 api compatibility without breaking v2 2014-02-08 18:34:49 +00:00
Rylee Elise Fowler
1870e06ad3 autotools: fix typo relating to ban db 2014-01-31 11:03:54 -05:00
Jilles Tjoelker
071e376d9e Remove an unused variable. 2014-01-17 00:23:09 +01:00
Jilles Tjoelker
0c2ea0c3ce Avoid wrong detection of redundant/duplicate auth blocks with auth_user.
If there was more than one user= per auth block, the check for redundant
or duplicate auth blocks did not take auth_user into account.
2014-01-17 00:22:47 +01:00
Jilles Tjoelker
362ef2d9ee openssl: Improve security using options recommanded by Argure.
Note that these are not available in old versions of OpenSSL (like FreeBSD
9.x base OpenSSL), so allow them to be missing.

A side effect may be slightly higher CPU consumption and network traffic.
2014-01-15 22:25:26 +01:00
Jilles Tjoelker
9799bea4a1 openssl: Use cipher list suggested by Argure. 2014-01-15 22:13:47 +01:00
Jilles Tjoelker
cee842a829 openssl: Fix compiler warning. 2014-01-15 22:09:57 +01:00
Jilles Tjoelker
fabc3174fe openssl: Set some sort of session id context.
Without a session id context and if client certificates are used, OpenSSL
fails the handshake if an attempt is made to reuse an old session. Various
clients could not reconnect after a disconnection because of this.

See https://bugzilla.mozilla.org/show_bug.cgi?id=858394#c34 for a bug
report.
2014-01-15 22:04:12 +01:00
Mantas Mikulėnas
9337f5ce45 doc/ts6-protocol: Correct the mode letter for termination 2014-01-12 21:17:52 +02:00
Keith Buck
c8729b08fb bandb: Don't attempt to write to a NULL helper. 2014-01-12 01:38:48 +00:00
Mantas Mikulėnas
dbd8ca2bf6 sasl: send RPL_SASLMECHS 2014-01-12 00:29:32 +02:00
William Pitcock
f70fb6379a Merge pull request #42 from Argure/genssl
Use sha-512 rather than deprecated sha-1; generate a csr
2013-12-27 05:13:08 -08:00
Keith Buck
a150c5935b Merge pull request #45 from somasonic/master
Fix grammatical error in extensions/chm_sslonly.c
2013-12-21 18:55:32 -08:00
Andrew
46b55df60b Fix grammatical error 2013-12-12 04:08:12 +00:00
William Pitcock
b6e799f5df libratbox/openssl: check that ECDHE is really available on redhat derivatives (closes #43) 2013-11-30 19:55:01 +00:00
Keith Buck
566df88ff7 INSTALL: Fix documentation for assert configure options. 2013-11-27 09:23:29 +00:00
Jilles Tjoelker
88c478c2d2 Merge branch 'fix-sha256-crypt' of https://github.com/grawity/charybdis 2013-11-22 23:48:38 +01:00
Jilles Tjoelker
1de147abc5 help: Fix some required oper privileges. 2013-11-22 23:41:15 +01:00
Jilles Tjoelker
73c42a6766 help: Remove mention of remote commands that do not actually work. 2013-11-22 23:37:14 +01:00
Patrick Godschalk
3c55c3a355
Just use 4k RSA certificates while at it 2013-11-19 00:59:08 +01:00
Patrick Godschalk
b858bc54f9
Use sha-512 rather than deprecated sha-1; generate a csr 2013-11-19 00:49:01 +01:00
William Pitcock
faae23e6af Merge pull request #41 from lyska/master
helpfiles: fix spelling, grammar remove old information
2013-11-15 04:26:39 -08:00
Sam Dodrill
9830333e9a helpfiles: fix spelling, grammar remove old information
What is done here:

1. All the outdated configuration flag information has been removed and
   replaced with the more current information.
2. Spellchecking has been done on all helpfiles and the actual errors
   have been fixed.
2013-11-14 23:34:42 -05:00
Keith Buck
7f3382fe98 Remove duplicate default-value code.
Default values for default_floodcount and default_ident_timeout are set
in s_conf.c. Remove code that checks for missing values in ircd.c.
Additionally, reset default_ident_timeout to 5 if an invalid value (i.e.
0) is provided.
2013-10-29 09:32:28 +00:00
Jilles Tjoelker
e5c254d7d1 override: Remove umode +p when deopering. 2013-10-25 17:49:58 +02:00
Keith Buck
0137d36122 Revert "Add m_override.c - an improved override module."
This reverts commit f00a55e9a1.
2013-10-25 05:39:55 +00:00
Keith Buck
f00a55e9a1 Add m_override.c - an improved override module. 2013-10-24 06:36:22 +00:00
Mantas Mikulėnas
320d34a606 libratbox/crypt: fix difference from glibc in sha256_crypt()
rb_crypt() was generating different SHA256 ($5$) hashes than glibc,
making hashes generated with charybdis unusable in ratbox and other
software, and vice versa.
2013-10-23 15:47:28 +03:00
Jilles Tjoelker
cba8bbc3fc Use RFC5737 and RFC3849 addresses in example confs.
There are IPv4 and IPv6 ranges reserved for documentation and example code;
use these to minimize the risk if someone accidentally uses an unmodified
example conf.
2013-10-06 19:39:30 +02:00
Keith Buck
b647efa045 Fix parameter counts for me_dline and me_undline. 2013-09-23 09:34:30 +00:00
Jilles Tjoelker
364e59f82a whowas: Use the normal rules for IP visibility.
Add the flags (auth{} spoof, dynamic spoof) to struct Whowas and add a
show_ip_whowas().

Normal users now see IPs of unspoofed users, and remote opers can see IPs
behind dynamic spoofs. Also, general::hide_spoof_ips is now applied when
the IP is shown, not when the client exits.
2013-09-14 12:26:32 +02:00
Jilles Tjoelker
2635cc8089 Fix parameter name in header file for show_ip_conf(). 2013-09-14 12:26:24 +02:00
Jilles Tjoelker
f1fe7b4b28 Merge branch 'isupport-charset' of github.com:grawity/charybdis 2013-09-13 22:34:11 +02:00
Jilles Tjoelker
7a9a9000b7 Enable remote WHOWAS queries.
On ircd-seven, this will allow remote opers to see certain hidden IPs.
2013-09-13 22:29:26 +02:00
Keith Buck
7fc09bc4f0 Abort blacklist queries at the same time as auth queries.
This fixes an assert(MyConnect(...)) being hit in
register_local_user(...).
2013-09-12 08:23:59 +00:00
Mantas Mikulėnas
e1a9785abe Remove CHARSET=ascii from ISUPPORT
For one, [draft-brocklesby-irc-isupport-02][1] already defines "ascii" as the
default value. According to section 2 ("Except as
explicitly stated in its definition, a parameter should not be sent
unless it changes this default value, or the default value is vague,
badly defined, or differs between IRC server implementations"), there is
no point in sending it.

For another, [version 03 of the same draft][2] removes CHARSET ("It was
found to be unworkable;  a correct specification could not be devised to
represent its meaning across implementations."), and the token is not
present at all in [draft-hardy-irc-isupport-00][3].

[1]: https://tools.ietf.org/html/draft-brocklesby-irc-isupport-02#section-3.17
[2]: https://tools.ietf.org/html/draft-brocklesby-irc-isupport-03#section-4.8
[3]: https://tools.ietf.org/html/draft-hardy-irc-isupport-00
2013-09-11 01:20:56 +03:00
Keith Buck
77d3d2dbaf Remove s_assert definition from ircd_defs.h and add it to its own header.
s_assert requires some higher-level functionality that shouldn't be
present in ircd_defs.h. ircd_defs.h is used by ssld, which has no notion
of logging or sending IRC messages. Additionally, some of the headers
s_assert depends on result in conflicting definitions in ssld.c.

This change also fixes the compile when using --enable-assert=soft.
2013-09-10 06:10:14 +00:00
William Pitcock
d8c3d5fe97 Merge pull request #33 from Argure/master
Enable use of ECDHE in Charybdis on OpenSSL versions that support this.
2013-09-06 11:44:18 -07:00
Patrick Godschalk
31d2201519 Have OpenSSL version check use cpp 2013-09-06 20:05:49 +02:00
Quora
9eab762b72 Merge pull request #34 from grawity/monitor-help
Document MONITOR in /help
2013-09-04 10:14:08 -07:00