Commit graph

3783 commits

Author SHA1 Message Date
Simon Arlott
0346918701
add mkfingerprint program 2016-04-26 20:49:03 +01:00
Simon Arlott
f018ed844d
certfp: Move method name/prefix strings to a separate header file 2016-04-26 20:33:18 +01:00
Simon Arlott
31646e89ba
librb: gnutls: check return value of fread() 2016-04-26 20:33:17 +01:00
Simon Arlott
7380ded584
ircd.conf.example: use certfp_method = spki_sha256
SHA1 is insecure. SHA2-512 is a bit long. Hashes of the full certificate
are really impractical and people need to stop using them.
2016-04-25 23:52:18 +01:00
Simon Arlott
5adde7a4ed
getopt: don't modify argv as it breaks restart() 2016-04-25 23:32:18 +01:00
Simon Arlott
c173a8ad44
modules: use exit(EXIT_FAILURE) on failure
This will allow service process monitoring to recognise the difference
between a shutdown and an error of a -foreground ircd, because only
/DIE (or SIGINT) will exit with return code 0.
2016-04-25 22:27:57 +01:00
Simon Arlott
762468f85d
authd: wait until the ssl connection is "open" before reading
It's useful to allow authd to run in parallel with ssl negotiation,
but if the ssld connection has plaintext data ready for reading
there's a race condition between authd calling read_packet() and
ssl_process_certfp() storing the certificate fingerprint. This
scenario would be bad for a server connecting because fingerprint
verification will fail.

Allow either operation to complete first, but wait until
ssl_process_open_fd() calls the ssl open callback before calling
read_packet().
2016-04-25 21:43:21 +01:00
Simon Arlott
53789fddda
sslproc: simplify ssl open callback
Don't use the librb callback type as we're always passing client_p.

Provide a return value so that the connect handler can exit_client()
and the accept handler can opt to use the default dead handler.
2016-04-25 21:12:44 +01:00
Simon Arlott
e1f16ce22e
openssl: accept more certificate verify errors as valid 2016-04-25 20:38:39 +01:00
Simon Arlott
f61d096186
conf: require certificate fingerprint for SSL connections 2016-04-25 20:19:48 +01:00
Simon Arlott
dc986b5468
sslproc: prefix SPKI certfp types to distinguish them from CERT 2016-04-25 20:12:27 +01:00
Simon Arlott
93ad89b232
sslproc: send the certftp method on rehash 2016-04-25 19:25:45 +01:00
Simon Arlott
f7b0c4b3d8
sslproc: use global ServerInfo configuration
There's no need to pass information around that sslproc already has access
to, so use ServerInfo directly. Remove the extra NULL checks as these are
already performed before setting ircd_ssl_ok = true.
2016-04-25 19:20:45 +01:00
Simon Arlott
90fd6ede1b
sslproc: include ssl_cipher_list in length check before sending configuration to ssld 2016-04-25 19:12:47 +01:00
Simon Arlott
19d1853f71
ssld: remove init_prng command
This is no longer configurable so it's redundant.
2016-04-25 19:02:03 +01:00
Simon Arlott
8cbd70a8ed
ircd: don't send ERR_NOTREGISTERED to servers
Sending messages after SERVER but before zlib is established breaks
outgoing connections. If the other server is misbehaving then ignore
its messages.
2016-04-24 17:41:44 +01:00
Simon Arlott
5ad62c80ee
librb: remove socklen parameter from rb_connect_tcp 2016-04-24 17:11:20 +01:00
Simon Arlott
d4214e9445
ircd: server connection configuration
Fix the server connection configuration so that it can simultaneously
handle a hostname/IPv4/IPv6 for connecting and a hostname/IPv4/IPv6
for binding. Maintains backwards compatibility for matching a hostname
with a mask.

Multiple host/vhost entries can be specified and the last value for
each address family is stored. Hostnames that resolve automatically
overwrite the IP address.

Server connections can now be made to either IPv4 or IPv6 at random
as well as preferring a specific address family.
2016-04-24 17:06:24 +01:00
Simon Arlott
65f43a4fc4
ircd: Don't try to connect to servers that we know have an invalid fingerprint
This just causes an unnecessary link/squit on the other server.
2016-04-24 11:49:21 +01:00
Simon Arlott
4fbb736202
ssld: add a callback when the connection is opened
This allows us to wait until we have the fingerprint information before
continuing with a server connect process.
2016-04-24 11:48:35 +01:00
Simon Arlott
fbbc6aeb00
ssld: send cipher/certfp before proxying any plaintext traffic 2016-04-24 10:39:16 +01:00
Simon Arlott
3085734104
m_stats: display certificate fingerprint in STATS C 2016-04-24 01:06:51 +01:00
Simon Arlott
00039dcddd
m_alias: store a copy of alias->name as it will be freed on a rehash 2016-04-24 00:09:12 +01:00
Simon Arlott
5c317f1313
ircd: parse: add asserts for improper use of mod_add_cmd/mod_del_cmd 2016-04-23 23:56:41 +01:00
Simon Arlott
e8de2bfaf0
modules: add missing break 2016-04-23 23:37:38 +01:00
Simon Arlott
558744e520
ircd: do nothing in client_release_connids if !MyConnect 2016-04-23 23:25:25 +01:00
Simon Arlott
cc02bdf3a6
ircd: fix assert in client_release_connids
The connection may have already been closed and MyConnect cleared.

It's only a bug if the connection somehow has connids but is not
our connection.
2016-04-23 23:22:01 +01:00
Simon Arlott
cf430c1a40
ssld: Add new certfp_methods spki_sha256 and spki_sha512
These operate on the SubjectPublicKeyInfo of the certificate, which does
change unless the private key is changed. This allows the fingerprint to
stay constant even if the certificate is reissued.

(The same fingerprint is also used by DANE)
2016-04-23 22:51:05 +01:00
Simon Arlott
9e98a842e3
ssld: cipher commands don't have any fds 2016-04-23 22:46:25 +01:00
Simon Arlott
7da82465a8
librb: mbedtls: fix rb_get_ssl_certfp()
Add missing break statements.
Return the hash length on success.
2016-04-23 22:45:13 +01:00
Simon Arlott
bf3bcbb5b2
librb: fix mbedtls library order
libmbedtls depends on libmbedx509 and libmbedcrypto
libmbedx509 depends on libmbedcrypto

They have to be specified in the correct order for the GNU linker to work.
2016-04-23 22:13:03 +01:00
Simon Arlott
0ae7a89d78
ircd: sslproc: certfp commands have a 9 byte header, not 5 bytes
SHA512 hashes were being ignored because the message was too large
2016-04-23 20:52:20 +01:00
Simon Arlott
5a9fa2e2fa
ssld: certfp change commands don't have any fds 2016-04-23 20:46:26 +01:00
William Pitcock
c6098ed357 client: fix up client_release_connids() too, pointed out by lp0 2016-04-23 14:26:01 -05:00
William Pitcock
5c63bfe8b1 client: connid_get() should check MyConnect(), not MyClient(). 2016-04-23 14:17:36 -05:00
Simon Arlott
84e3e445aa
mr_server: Report certificate fingerprint mismatches
Log the received certificate fingerprint when it causes a server to be
rejected.
2016-04-23 17:37:05 +01:00
Simon Arlott
b49efe577c
mr_server: Handle unknown error codes
As mr_server is a module, it could potentially receive an unknown
error code from check_server().
2016-04-23 17:37:04 +01:00
Mantas Mikulėnas
3bb3dcf7f5
doc: fix whitespace in example configs [ci skip] 2016-04-23 17:57:07 +03:00
Simon Arlott
e7c4cf63bc
authproc: set GOT_ID flag when an ident response is received 2016-04-23 15:41:27 +01:00
staticfox
1729f46eab
authd: Avoid negative array indices 2016-04-22 23:06:42 -04:00
Elizabeth Myers
7445ece1d1
Revert "Implement the netsplit batch type."
This needs more work, see
https://github.com/ircv3/ircv3-specifications/issues/253

This reverts commit 2373891299.
2016-04-16 11:05:00 -05:00
Elizabeth Myers
2373891299
Implement the netsplit batch type.
This also lays the groundwork for the netjoin batch type, but that isn't
implemented yet. I don't like how some of this is implemented but it'll
have to do for now...

Compile tested, needs more testing.
2016-04-15 16:50:43 -05:00
Elizabeth Myers
4f2b9a4fd1
Don't use key member of dictionary iter objects after deletion 2016-04-12 09:43:50 -05:00
Elizabeth Myers
9e5c31ea0d
authproc: fix a typo 2016-04-12 09:37:56 -05:00
Elizabeth Myers
5e9a3f8674
Change the way authd configures opm
It's a bit of a hack, but better than before. Rather than rehashing
(which could get us into an endless loop), we now segregate the
configuration phase (creating entries ircd-side in case we restart authd
later) and sending phases (when configure_authd() is called). Since we
have to call configure_authd() no matter what (to send timeouts etc.)
and we have to send this data to configure authd anyway, and sending
duplicate data is bad, this is the only way I can think of for now.
2016-04-12 09:36:09 -05:00
Mantas Mikulėnas
5eb8ce0679 Merge pull request #183 from grawity/sasl-fail-throttle-v3
limit failed SASL authentication attempts
2016-04-11 22:28:33 +03:00
Mantas Mikulėnas
9d07a42d7a
m_sasl: rate-limit SASL REAUTH usage 2016-04-11 21:45:10 +03:00
Mantas Mikulėnas
834579cecd
m_sasl: fix coding style 2016-04-11 20:12:31 +03:00
Mantas Mikulėnas
37289346cd
m_sasl: temporarily reject clients after many failed attempts 2016-04-11 20:02:09 +03:00
Elizabeth Myers
ed5e1d1e41 send: trim a blank line [ci skip] 2016-04-11 11:52:01 -05:00