Commit graph

95 commits

Author SHA1 Message Date
Simon Arlott
598a7d3b7e mr_server: Report certificate fingerprint mismatches
Log the received certificate fingerprint when it causes a server to be
rejected.
2016-12-04 21:49:59 +00:00
Simon Arlott
65b9b1d06d
server_estab: don't try to send to a dead client
If the zlib setup fails the client will be exited, so don't send
to it before checking this.
2016-11-20 21:43:58 +00:00
Aaron Jones
6008896554
Backport ffedad8d to release/3.5 2016-08-31 14:21:16 +00:00
Aaron Jones
865e70f529
Revert "Backport c1fc044c to release/3.5"
This reverts commit c9c2d6ea12.

This commit included some as yet untested and unrelated code by mistake.
2016-08-31 14:19:43 +00:00
Aaron Jones
c9c2d6ea12
Backport c1fc044c to release/3.5 2016-08-31 14:13:45 +00:00
William Pitcock
bc2eeb0992
Do not shadow OpenSSL-internal symbol "ssl_ok".
This is a backport of commit bfc44622
2016-06-01 16:32:26 +00:00
William Pitcock
f76b0cee90 s_serv: ensure we use the actual assigned connid on an outbound connection 2016-04-02 17:15:01 -05:00
William Pitcock
b5b4a0e79b client: use sequential connection ids for ssld connections in ssld RPC, instead of the file descriptor
this avoids race conditions when a file descriptor is reused and an ssld worker has not acked that the previous
connection was closed, which results in the new client being kicked.
2015-12-12 05:20:51 -06:00
Jail Bird
29c92cf95f Spring cleaning redux:
- Implemented changes suggested by Jilles
- Remove some unused parameters in functions
- Remove some unused ssl procs
- 63-bit time_t support in TS deltas
- const char * vs char * cleanup
- struct alignment (void *) casts
- signed vs unsigned fixes
- bad memset() call
- Bad LT_MAIN in libratbox
- char -> unsigned char casts for isdigit/isspace/etc calls

Thanks Jilles!
2015-04-20 00:55:20 -05:00
Jilles Tjoelker
5f1db61bdf server: Don't read beyond the bounds of ServerInfo.ip and ServerInfo.ip6. 2014-09-21 16:57:38 +02:00
Jilles Tjoelker
d0c2fc8266 server: Require EX and IE capabilities (+e and +I cmodes).
The code to send each channel mode only to servers supporting it was
broken a while ago and was not very useful anyway. Therefore, require
all connecting servers to support all standard channel modes.
2014-05-29 16:24:42 +02:00
Adam
9744d53ec9 Fix buffer overflow in introduce_client and burst_TS6
If the client being introduced has more than 10 user modes send_umode()
will overflow ubuf
2014-05-13 19:33:41 -04:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
Jilles Tjoelker
a1f7ec5be0 server: Use rb_strlcpy() instead of strcpy().
An overflow should be impossible here, but be paranoid.
2014-02-24 00:04:11 +01:00
Keith Buck
77d3d2dbaf Remove s_assert definition from ircd_defs.h and add it to its own header.
s_assert requires some higher-level functionality that shouldn't be
present in ircd_defs.h. ircd_defs.h is used by ssld, which has no notion
of logging or sending IRC messages. Additionally, some of the headers
s_assert depends on result in conflicting definitions in ssld.c.

This change also fixes the compile when using --enable-assert=soft.
2013-09-10 06:10:14 +00:00
Jilles Tjoelker
e69375f3ac Cope with rb_crypt() returning NULL. 2013-02-02 00:54:32 +01:00
Jilles Tjoelker
ce4fa4477b server: Simplify some code now ENCAP is mandatory. 2012-12-19 17:42:49 +01:00
Jilles Tjoelker
58b60c20cb server: As per the TS6 spec, require QS and ENCAP capabilities. 2012-12-19 14:53:06 +01:00
Jilles Tjoelker
22cae20f02 server: Make sure CAP_CAP and CAP_TS6 are non-zero.
A zero CAP_CAP caused duplicate CAPAB to go undetected, allowing a
mismatch between what is sent out via ENCAP GCAP and what applies locally.

A zero CAP_TS6 allowed server connections without SID (with a valid
connect block).
2012-12-18 17:03:59 +01:00
Jilles Tjoelker
89fd463e59 Add needed space between "TS6" or "SSL" and capabs from CAPAB in /stats ?. 2012-07-03 19:11:15 +02:00
Jilles Tjoelker
7f0fc87d3c Include forward channels when bursting bans to servers.
Obtained from:	ircd-seven (spb)
2012-02-16 23:36:05 +01:00
William Pitcock
885cd603b5 capability: add global list of capability indexes, and name all capability indexes 2012-02-04 21:16:40 -06:00
William Pitcock
346fba9252 Migrate capability negotiation code to new dynamic capability management API.
This needs a lot of testing, obviously.
2012-02-04 01:47:46 -06:00
Jilles Tjoelker
2fb0796158 hunt_server: Disallow wildcarded nicknames.
Any hunted parameter with wildcards is now assumed
to be a server, never a user.

Reasons:
* fewer match() calls
* do not disclose existing nicknames
* more intuitive behaviour for CONNECT

m_trace has a copy of some hunt_server logic in it
(for the RPL_TRACELINK reply), so adjust that too.
2011-01-08 17:47:05 +01:00
William Pitcock
ff0cc1e616 Add support for linking using SSL certificate fingerprints as the link credential rather than the traditional server-password pair. 2010-12-13 23:14:00 -06:00
Stephen Bennett
6b8db2daf2 Allow the final parameter of MLOCK to be empty, to remove an existing mlock 2010-05-02 20:42:46 +01:00
William Pitcock
b99c9ae0bf Fix order on channel_mlock() call. 2010-03-07 23:12:35 -06:00
William Pitcock
084ecbe030 Add MLOCK message to netjoin burst. 2010-03-07 22:29:34 -06:00
William Pitcock
ec55bec527 Add MLOCK capability token. 2010-03-07 22:25:41 -06:00
Jilles Tjoelker
ee6da53d74 Avoid crash if get_oper_name() somehow gave no {} for local oper. 2010-03-06 16:37:50 +01:00
Jilles Tjoelker
cedb7d05b4 Remove +/- from the BAN message, instead indicating unban with duration=0.
A kline must now last at least one second since its creation time.

Also add better logic for bans that have already expired
when they come in.
2010-03-05 22:51:47 +01:00
Jilles Tjoelker
431a1a2784 Add propagated klines.
A KLINE command without the ON clause now sets a propagated
("global") ban. KLINE commands with the ON clause work as
before.

Propagated klines can only be removed with an UNKLINE command
without the ON clause, and this removes them everywhere.
In fact, they remain in a deactivated state until the latest
expiry ever used for the mask has passed.

Propagated klines are part of the netburst using a new BAN
message and capab. If such a burst has an effect, both the
server name and the original oper are shown in the server
notice.

No checks whatsoever are done on bursted klines at this time.

The system should be extended to XLINE and RESV later.

There is currently no way to list propagated klines,
but TESTLINE works normally.
2010-03-05 18:36:44 +01:00
Jilles Tjoelker
8eda114a78 Pass certfp to other servers and show it in whois. Do not show it on connect.
The server protocol for this is
:<uid> ENCAP * CERTFP :<40 hex chars>
both in new user introductions and in burst.

As in oftc-hybrid, only the user themselves and opers can see the certfp.

Displaying the certfp on connect seems unnecessary to me,
the user can whois themselves if needed.
2010-02-06 00:18:27 +01:00
Stephen Bennett
c127b45b83 Revert all presence-related changes 2009-12-08 19:22:55 +00:00
William Pitcock
884b5d41c1 presence: Remove user.away, replaced by a metadata entry.
Cache the metadata retrieval value where feasible for minimal performance impact.
2009-06-02 02:03:51 -05:00
Jilles Tjoelker
c04a500dfa Remove unused inet_socketpair() code, this is in libratbox now. 2009-05-12 23:56:28 +02:00
Jilles Tjoelker
eda22d87af More rb_socketpair() return value checks.
from ircd-ratbox (r26507) (androsyn)
2009-05-12 23:30:46 +02:00
Jilles Tjoelker
c4d2d01419 Apply +z to messages blocked by +b and +q as well.
This adds a new server capab EOPMOD which will be used
for an extended topic command also.
2009-03-29 15:48:07 +02:00
Jilles Tjoelker
e0f8d70cb2 Remove comments related to (removed) ability to disable TS6. 2009-01-30 16:50:00 +01:00
Jilles Tjoelker
cd300c1b82 Simplify hunt_server(), send ERR_NOSUCHSERVER from only one place. 2009-01-21 20:15:07 +01:00
Jilles Tjoelker
bea2295fed burst_TS6(): assume users have a UID 2009-01-16 23:11:11 +01:00
androsyn
0bd120ed48 [svn r26332] get rid of the zip ready stuff 2009-01-01 14:50:21 +03:00
Jilles Tjoelker
43946961df Move to ratbox3 reject and throttle code.
Throttle replaces max_unknown_ip, reject is like before
(including the charybdis-specific unkline handling).
Both of these now apply before SSL negotiation.

This commit does not include the global_cidr and new dline code.

m_webirc is a bit nasty with throttling (unlike before
with max_unknown_ip), this may be fixed later (or
the webirc IP needs to be exempt{}ed).
2008-08-01 01:59:08 +02:00
Valery Yatsko
ba8b3ff18a last changes of crypt -> rb_crypt 2008-07-27 14:52:46 +04:00
Jilles Tjoelker
39452169e8 Call serv_connect_callback() directly from serv_connect_ssl_callback().
This speeds up outgoing SSL server connections by 1 second.
2008-06-29 23:47:10 +02:00
Jilles Tjoelker
9ec5132680 Give proper error messages if connect fails for a server using SSL. 2008-06-29 23:47:02 +02:00
Valery V Yatsko
b3ebc7ab9e Applied svn diff from ratbox3 r21458:21470 2008-06-28 14:13:50 +04:00
William Pitcock
23489ed776 Remove one last bit of TS5 stuff. 2008-06-08 02:14:21 -05:00
William Pitcock
7bb8c655ec Remove burst_modes_TS5() and burst_TS5(). 2008-06-08 01:11:57 -05:00
Valery Yatsko
4562c60489 irc_string.h -> match.h, irc_string.h; includes changed 2008-04-20 09:47:38 +04:00