Commit graph

928 commits

Author SHA1 Message Date
Aaron Jones
5c8da48264
Backport more TLS backend and ssld fixes & improvements from 3.6
openssl:
 * Don't manually initialise libssl 1.1.0 -- it does this automatically
 * SSL_library_init() should be called first otherwise
 * Move SSL_CTX construction to rb_setup_ssl_server()
 * Test for all required files (certificate & key) before doing anything
 * Free the old CTX before constructing a new one (Fixes #186)
 * Properly abort rb_setup_ssl_server() on CTX construction failures
 * Support ECDHE on more than one curve on OpenSSL 1.0.2 and above
 * Clean up ifdef indentation
 * Fix DH parameters memory leak

mbedtls:
 * Fix certificate fingerprint generation
 * Fix library linking order
 * Fix incorrect printf()-esque argument count
 * Return digest length for fingerprints instead of 1, consistent
   with the other backends

sslproc / ssld:
 * Fingerprint methods have no assocated file descriptors
 * Send TLS information (cipher, fingerprint) before data
 * Use correct header length for fingerprint method

Authored-by: Aaron Jones <aaronmdjones@gmail.com>
Authored-by: William Pitcock <nenolod@dereferenced.org>
Authored-by: Simon Arlott <sa.me.uk>
2016-04-30 21:39:05 +00:00
William Pitcock
1d2ba176ea
ircd: Channel.bants is not a serial but a timestamp.
Previously, the IRCd would increment bants instead of resyncing the timestamp, causing the potential of
false negatives from the bancache system.
2016-04-30 00:14:06 +00:00
William Pitcock
18244e32f3 more ssld ipc improvements from 3.6 2016-04-02 17:20:15 -05:00
William Pitcock
987fa43982 sslproc: partial backport of 3.6 connid changes 2016-04-02 17:16:09 -05:00
William Pitcock
f76b0cee90 s_serv: ensure we use the actual assigned connid on an outbound connection 2016-04-02 17:15:01 -05:00
William Pitcock
2daf18131c chmode: sscanf(3) returns the number of items matched, so might as well use it 2016-01-05 19:06:05 -06:00
William Pitcock
90552e214c chmode: properly validate chm_throttle mode parameters 2016-01-05 19:02:44 -06:00
William Pitcock
0950390c77 version: update general copyright to 2016 since we will probably release later this week 2015-12-28 00:39:38 -06:00
William Pitcock
9603d01164 CREDITS: cosmetic updates 2015-12-28 00:31:03 -06:00
William Pitcock
0b904d91bf supported: move ISUPPORT tokens provided by modules to their specific modules:
- m_cmessage: CPRIVMSG/CNOTICE
- m_etrace: ETRACE
- m_knock: KNOCK
- m_services: FNC
- m_who: WHOX
2015-12-26 22:41:09 -06:00
William Pitcock
d513218a9e LIST: allow channel display threshold to be configured (closes #109) 2015-12-26 22:23:28 -06:00
William Pitcock
bcbc6bd9e1 channel: actually store the last checked client pointer 2015-12-13 11:25:15 -06:00
William Pitcock
0a604c72a3 sslproc: handle ssl_cipher_list being NULL better 2015-12-13 09:42:12 -06:00
William Pitcock
1e8138afb0 channel: actually, use bancache invalidation as the metric for the duplication check
any state change which would cause the duplicate check to change would invalidate bancache as a whole anyway
2015-12-13 08:17:04 -06:00
William Pitcock
2f9687c48c channel: cache duplicate calls to is_banned() and is_quieted() 2015-12-13 08:13:52 -06:00
William Pitcock
c42a66be2e sslproc: garbage collect dead ssld resources every minute 2015-12-13 07:58:50 -06:00
Jilles Tjoelker
2d28539c68 Reduce clean_nick() code duplication further.
Side effect: hurt and monitor now allow nicks starting with a digit.
2015-12-13 00:22:21 +01:00
William Pitcock
c1725bda3c ssl: allow cipher list to be overridden (closes #67) 2015-12-12 07:50:48 -06:00
William Pitcock
b5b4a0e79b client: use sequential connection ids for ssld connections in ssld RPC, instead of the file descriptor
this avoids race conditions when a file descriptor is reused and an ssld worker has not acked that the previous
connection was closed, which results in the new client being kicked.
2015-12-12 05:20:51 -06:00
William Pitcock
4952e40b7e newconf: fix error message on channel::autochanmodes 2015-12-12 00:33:46 -06:00
William Pitcock
63eb8567cb implement configurable channel modes (closes #31)
While functionally compatible with the implementation in ElementalIRCd, our approach is different,
specifically pre-calculating the bitmask at config load time.  This is more efficient, and allows us
to report errors as part of the configuration phase.
2015-12-11 15:36:53 -06:00
William Pitcock
ebe33dbfab sslproc: set Client.localClient.cipher_string if sent by ssld 2015-12-11 08:19:50 -06:00
William Pitcock
196740c42b sslproc: likewise 2015-12-10 23:44:31 -06:00
William Pitcock
7801d174d7 Revert "extban: implement helper functions for stackable extbans (part 1) (ref #74)"
This reverts commit 304bd0d095.
2015-12-10 02:19:21 -06:00
William Pitcock
304bd0d095 extban: implement helper functions for stackable extbans (part 1) (ref #74) 2015-12-10 01:33:30 -06:00
William Pitcock
202d496644 override: only engage override code if we're needing to authorize a WRITE to a channel's state (closes #65) 2015-12-10 01:00:32 -06:00
William Pitcock
13d8f0edba allow certfp method to be configured 2015-12-07 01:49:30 -06:00
William Pitcock
772c95cc7a ssld: we only will continue supporting one fingerprint method at a time 2015-12-07 01:21:26 -06:00
Elizabeth Myers
e6bbb41030 Add ability to change CertFP hash.
Presently this only supports SHA1, as the machinery to actually change
the cipher is not hooked up to anything yet.
2015-12-07 01:14:02 -06:00
William Pitcock
bbccb09a90 newconf: TLS listener ports should always be defer_accept
TLS clients are required to send ClientHello upon connection, the server may not reply with ServerHello until this has happened
2015-12-04 22:53:04 -06:00
William Pitcock
7f2cc0eacb Revert "supported: remove TARGMAX, nothing really uses it, and the information conveyed is useless anyway"
This reverts commit ff2f68e617.
2015-11-19 23:10:36 -06:00
William Pitcock
4a5330bb4d cap: implement ircv3.2 chghost cap 2015-11-19 22:53:55 -06:00
William Pitcock
583f064fef send: add negation argument to sendto_common_channels_local() and friends 2015-11-19 22:43:45 -06:00
William Pitcock
8e9e22b4d3 parse: handle_encap(): remove parv[0] initialization, anything using parv[0] should crash the ircd 2015-11-19 17:13:04 -06:00
William Pitcock
ff2f68e617 supported: remove TARGMAX, nothing really uses it, and the information conveyed is useless anyway 2015-11-16 15:01:57 -06:00
Jilles Tjoelker
439bf4db58 monitor: Show 005 entry only if m_monitor.so is actually loaded.
This only affects the MONITOR=<max> entry, not TARGMAX=...,MONITOR:
which is harder to modify from a module.
2015-11-15 22:57:23 +01:00
Andrew Wilcox
7a40c9a5b4 monitor: don't use already-freed pointer, unlike the moronic atheme developers 2015-10-15 17:32:02 -05:00
Andrew Wilcox
5f8fb56d02 Revert "remove MONITOR for now pending a complete rewrite"
This reverts commit 87fa262fec.
2015-10-15 17:31:55 -05:00
William Pitcock
87fa262fec remove MONITOR for now pending a complete rewrite 2015-10-15 09:39:48 -05:00
William Pitcock
7485e86073 monitor: additional cleanups, and add a missing free_monitor() in m_monitor 2015-10-11 19:11:01 -05:00
William Pitcock
d5f856c68e monitor: fix the resource leak properly, unlike the moronic elemental-ircd developers 2015-10-11 18:48:53 -05:00
Jilles Tjoelker
dd64bf8dad Fix build on glibc (no strlcpy). 2015-10-01 22:55:07 +02:00
Jilles Tjoelker
0e17ce0612 Use new info when sending away-notify after QJM. 2015-09-20 15:20:05 +02:00
Jilles Tjoelker
b4a7304c94 s_conf: Split out a function. 2015-09-13 22:59:03 +02:00
Jilles Tjoelker
2125182293 Remove the unneeded username parameter to register_local_user(). 2015-09-13 22:59:03 +02:00
Jilles Tjoelker
83e5941c87 Check CIDR ban IP address for validity.
Otherwise, we compare to uninitialized stack data. This is wrong but seems
harmless.

Closes #103
2015-09-13 22:59:03 +02:00
Elizabeth Myers
34c10ca8b7 Relocate report_Klines to proper home
This function is not used anywhere else but m_stats, so should be put
there.
2015-08-08 17:25:29 -05:00
Jail Bird
29c92cf95f Spring cleaning redux:
- Implemented changes suggested by Jilles
- Remove some unused parameters in functions
- Remove some unused ssl procs
- 63-bit time_t support in TS deltas
- const char * vs char * cleanup
- struct alignment (void *) casts
- signed vs unsigned fixes
- bad memset() call
- Bad LT_MAIN in libratbox
- char -> unsigned char casts for isdigit/isspace/etc calls

Thanks Jilles!
2015-04-20 00:55:20 -05:00
Aaron Jones
32fb589528 Misc code cleanups
* src/packet.c: Remove a dead store
* src/res.c: Remove a dead store
* src/sslproc.c: Remove a dead store
* src/sslproc.c: Don't call the same accessor twice

These silence some fairly harmless compiler warnings
2015-03-27 23:07:20 +00:00
Aaron Jones
c9b5cd623b Remove network_desc configuration option, never actually used anywhere 2015-03-26 14:46:54 -05:00
Jilles Tjoelker
9279ad6461 Fix some compiler warnings about signed/unsigned comparison. 2015-03-01 23:46:20 +01:00
Jilles Tjoelker
4f0d2b588b conf: Correct message when serverinfo::nicklen is set too low (<9). 2015-03-01 16:12:12 +01:00
Jilles Tjoelker
bed692ca0e send: sendto_local_clients_with_capability() needn't use serial
sendto_local_clients_with_capability() sends to a subset of the list of
local clients and cannot visit the same client multiple times like
sendto_channel_flags() and sendto_common_channels_local() can.
2015-03-01 14:55:57 +01:00
William Pitcock
bb2a50509a config: further EGD removal 2015-03-01 01:06:58 -06:00
William Pitcock
e861902fd9 libratbox: remove RB_PRNG_EGD in its entirety (closes #85) 2015-03-01 01:05:14 -06:00
William Pitcock
984d80c988 cap-notify: add sendto_local_clients_with_capability() (ref #84) 2015-03-01 00:44:34 -06:00
Max Teufel
1b54aa5c3b src/channel: add support for IRCv3.2 userhost-in-names 2015-02-28 01:06:38 -06:00
Max Teufel
7d33cce8ef m_sasl: add configuration option for the nick of the SASL agent
This allows multiple improvements to m_sasl. With this change, the SASL
authentication gets aborted immediately when services are offline.
Additionally, we send the SASL ENCAP messages directly to the specified
SASL agent.
2015-02-14 20:31:25 +01:00
Jilles Tjoelker
e9f86e320e introduce_client(): Remove redundant check for sockhost starting with colon.
Other code (inet_ntop6() in libratbox/src/commio.c and
extensions/m_webirc.c) ensures the sockhost does not start with a colon.
Checking only here does not make sense.

Reported by:	Attila
2015-01-25 22:11:16 +01:00
Jilles Tjoelker
3881a3ce5d Don't append a domain to names without dot from reverse lookup.
Some code to append "domain" from /etc/resolv.conf to unqualified names (for
server connections) erroneously applied to names from reverse DNS lookups as
well.

The effect was that "domain" from /etc/resolv.conf was appended to
"localhost", even though the DNS server intended "localhost" to be a fully
qualified name.
2015-01-16 23:23:56 +01:00
Aaron Jones
3c80b42532 Allow clients to have a resolved hostname of localhost
I slightly changed the patch to match surrounding style.

(cherry picked from commit 0b06270fd6266c85d19e008efcd039605daf59d0)
2015-01-16 21:38:42 +01:00
Jilles Tjoelker
74b2fb72db pretty_mask(): Stop temporarily modifying the passed mask entirely. 2015-01-15 23:45:02 +01:00
Jilles Tjoelker
f4e893b515 pretty_mask(): Use explicit lengths instead of temporarily writing '\0'.
This is slightly simpler and should fix Coverity warnings.
2015-01-15 23:38:50 +01:00
Attila Molnar
76d82c19ad Fix sending null char after ERROR when the server is full 2014-11-04 21:57:37 +01:00
Jilles Tjoelker
624d779127 bandb: Don't apply empty ban list when bandb starts sending bans.
When bandb sends the ban list, it first sends 'C', then all bans and
finally 'F'. Only when 'F' is sent is ircd supposed to apply the bans.
Because of a missing break, 'C' also did 'F', clearing the ircd active
permanent bans until bandb sent 'F'.

The effect is pretty limited because having bandb send the ban list via
/rehash bans is uncommon and most bans will be enforced when reset.
2014-09-21 18:09:18 +02:00
Jilles Tjoelker
5f1db61bdf server: Don't read beyond the bounds of ServerInfo.ip and ServerInfo.ip6. 2014-09-21 16:57:38 +02:00
Jilles Tjoelker
483987a464 Explicitly pass the current time to deactivate_conf().
Some places depend on the ban not being destroyed.
2014-09-21 15:02:43 +02:00
Jilles Tjoelker
2196b1825d Fix crash when there are two blacklist hosts without intervening reason.
This is invalid configuration; the first host is supposed to be ignored.
2014-09-21 14:42:14 +02:00
Byron Grobe
e8d7921a08 Removed comment from src/modules.c that states certain function were moved into a file that no longer exists. (Circa ~2002) 2014-09-09 08:13:42 +00:00
Jilles Tjoelker
aea6c4f9e6 chmode: Check mlock when a local oper changes cmode +L/+P.
This check was erroneously removed when fixing /mode #channel f when +f is
mlocked. Mlock checks were restricted to the places requiring chanops
(other than viewing +eI lists); cmode +L/+P do not require chanops, but
still constitute a mode change that must be checked against mlock.
2014-08-18 00:26:38 +02:00
Jilles Tjoelker
dfbf41a0ab conf: Make channel::channel_target_change option actually work.
Channel target change was forcibly enabled.
2014-08-08 11:57:09 +02:00
Jilles Tjoelker
67b7840a5d ircd_parser: Fix inconsistent declaration of yyerror(). 2014-05-29 23:23:50 +02:00
Jilles Tjoelker
0f8db0552e channel: Remove write-only field. 2014-05-29 17:41:35 +02:00
Jilles Tjoelker
51452a370b channel: Stop pretending to support per-mode server capabilities.
After a change for dynamic server capabilities, the code to send out mode
changes was changed to use the capabilities belonging to the last mode
being sent out. This does not make sense; therefore, just use no
capabilities and remove supporting infrastructure.
2014-05-29 17:40:16 +02:00
Jilles Tjoelker
d0c2fc8266 server: Require EX and IE capabilities (+e and +I cmodes).
The code to send each channel mode only to servers supporting it was
broken a while ago and was not very useful anyway. Therefore, require
all connecting servers to support all standard channel modes.
2014-05-29 16:24:42 +02:00
Adam
9744d53ec9 Fix buffer overflow in introduce_client and burst_TS6
If the client being introduced has more than 10 user modes send_umode()
will overflow ubuf
2014-05-13 19:33:41 -04:00
Douglas Freed
cea0689e80 Fix const qualifier on raw_mask
Fixes compilation warning about losing const qualifier in assignment to
non-const variable

(cherry picked from commit 6d9c3f50944e1da3bf3a1be6454f85d6d6f7ab37)
2014-03-09 19:13:25 +01:00
Jilles Tjoelker
0c5e50f430 Fix format string type mismatch in src/capability.c.
The type 'long' was correct on most machines but not according to the C
standard and Windows 64-bit.
2014-03-09 19:11:54 +01:00
Jilles Tjoelker
5457b10278 Fix fd leak if /dev/urandom can be opened but not read. 2014-03-09 14:54:45 +01:00
Jilles Tjoelker
0894d18b87 blacklist: Make the snote more like the +c one. 2014-03-07 21:55:43 +01:00
Keith Buck
48e409767f Add DNSBL snotes for snomask +r. 2014-03-05 08:12:22 +00:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
Keith Buck
00533129dc s_conf: Don't leak log file paths when loading default conf
This change prevents the log file paths from being leaked when
rehashing. Additionally, fname_killlog was added to two places where it
was previously forgotten.
2014-03-03 04:12:07 +00:00
Keith Buck
010c4fbdc5 s_conf: Don't leak strings when loading default conf
This change prevents conf strings from being leaked when resetting the
conf to default prior to a rehash. Additionally, some default strings
are now rb_strdup'd into the ConfigFileEntry structure after loading the
conf so that they aren't allocated and then immediately freed by the
conf loading process.
2014-03-03 03:58:40 +00:00
Keith Buck
023c36ae22 newconf.c: Remove end-of-line whitespace. 2014-03-03 01:43:33 +00:00
Keith Buck
e12981c028 conf parsing: Fix freeing section names upon section end. 2014-03-03 01:43:33 +00:00
Keith Buck
1d39324556 Fix a couple more string leaks. 2014-03-02 22:05:30 +00:00
Jilles Tjoelker
f1709d5ac8 sslproc: Add missing break, still allowing zlib when ssl cannot be set up. 2014-03-02 21:58:38 +01:00
Jilles Tjoelker
0e717d8eb4 log_client_name: Remove MASK_IP case.
The MASK_IP case in log_client_name() was broken (because of a missing
break, it behaved as HIDE_IP). However, log_client_name() with MASK_IP
does not make sense anyway and is not used.
2014-03-02 21:54:29 +01:00
Jilles Tjoelker
40173bcbb3 listener: Move error messages to something visible by default.
If a listening port cannot be opened, send error messages to opers with
snomask +s and ircd.log, instead of snomask +d and the ioerror log, which
both are usually disabled.

Also, restore information about what listener is having problems. This
was lost when report_error() was replaced.
2014-03-01 19:05:55 +01:00
Keith Buck
dceac3e4fb conf parsing: Fix memory leaks and clean up code a bit.
Charybdis currently leaks about 45-50k per configuration parse,
including every rehash. This change plugs these leaks by properly
iterating through all conf_parm_t structures to seek all strings that
should be freed and also by freeing the conf_parm_t structures
themselves.

These leaks have been present since the original rewrite of the
configuration parsing system in ircd-ratbox r11953.

Additionally, this change also cleans up and documents the parsing code
a bit.
2014-02-28 17:35:51 +00:00
Jilles Tjoelker
e8cfec47c6 ircd_parser: Fix whitespace errors. 2014-02-28 15:51:52 +01:00
Jilles Tjoelker
a1f7ec5be0 server: Use rb_strlcpy() instead of strcpy().
An overflow should be impossible here, but be paranoid.
2014-02-24 00:04:11 +01:00
Jilles Tjoelker
26c6ac3dc7 Simplify module path list, removing strcpy use. 2014-02-23 23:47:27 +01:00
Jilles Tjoelker
b84e58f905 Fix use after free. 2014-02-23 23:46:57 +01:00
Jilles Tjoelker
12edf3e3d2 conf: Remove dead store. 2014-02-23 23:04:52 +01:00
Jilles Tjoelker
77910830e3 Fix various printf arg types. 2014-02-23 23:01:59 +01:00
Jilles Tjoelker
a9f1281448 modlist: Fix address display on 64-bit systems. 2014-02-23 22:55:40 +01:00
Jilles Tjoelker
1e170010e7 modules: Fix bad sizeofs. 2014-02-23 22:39:42 +01:00
Jilles Tjoelker
5ef68b1398 Replace double semicolons with single; place null statement on its own line.
No functional change is intended.
2014-02-23 22:23:34 +01:00