8e9a741832
Edited by @aaronmdjones:
- Correct some data types and casts
- Minor style fixups (e.g. we put * on the variable name not the type)
- librb/src/openssl.c:
- Defer call of BIO_free(3ssl) to the end of the conditional block
to avoid having calls to it in multiple paths
- Check the return value of SSL_CTX_set0_tmp_dh_pkey(3ssl) because if
it fails then we must use EVP_PKEY_free(3ssl) to avoid a memory leak
This could fail if, for example, the user supplied DSA parameters
in the DH parameters file instead.
- ircd/newconf.c:
- Check whether OSSL_DECODER_CTX_new_for_pkey(3ssl) was able to parse
the given CHALLANGE public key as a valid RSA public key, and then
check whether OSSL_DECODER_from_bio(3ssl) actually loads it
successfully
- ircd/s_newconf.c:
- Use EVP_PKEY_free(3ssl) instead of OPENSSL_free(3ssl) on EVP_PKEY
pointers; this will avoid inadvertent memory leaks if the EVP_PKEY
structure contains any dynamically-allocated child members
- modules/m_challenge.c:
- Unconditionally use EVP(3ssl) to generate the SHA-1 digest of the
random challenge; this API has been around for a very long time and
is available in all supported versions of OpenSSL
- Add lots of error checking to all steps of the process
Tested against 1.1.1 and 3.0; both with missing and provided DH parameters
(which works as you'd expect; the server will not negotiate a DHE cipher
without them), and CHALLENGE, including missing keys or keys of the wrong
type (e.g. when you supply an EdDSA key instead of an RSA key).
This does break compatibility with OpenSSL 1.1.0 and below, which are now
all end-of-life and unsupported anyway.
Closes #357
261 lines
8.4 KiB
C
261 lines
8.4 KiB
C
/*
|
|
* ircd-ratbox: an advanced Internet Relay Chat Daemon(ircd).
|
|
* s_newconf.h: code for dealing with conf stuff
|
|
*
|
|
* Copyright (C) 2004 Lee Hardy <lee@leeh.co.uk>
|
|
* Copyright (C) 2004 ircd-ratbox development team
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are
|
|
* met:
|
|
*
|
|
* 1.Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
* 2.Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3.The name of the author may not be used to endorse or promote products
|
|
* derived from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef INCLUDED_s_newconf_h
|
|
#define INCLUDED_s_newconf_h
|
|
|
|
#include "setup.h"
|
|
#include "privilege.h"
|
|
|
|
#ifdef HAVE_LIBCRYPTO
|
|
#include <openssl/rsa.h>
|
|
#endif
|
|
|
|
#define MAX_TEMP_TIME (52 * 7 * 24 * 60 * 60)
|
|
|
|
struct Client;
|
|
struct ConfItem;
|
|
|
|
extern rb_dlink_list cluster_conf_list;
|
|
extern rb_dlink_list oper_conf_list;
|
|
extern rb_dlink_list server_conf_list;
|
|
extern rb_dlink_list xline_conf_list;
|
|
extern rb_dlink_list resv_conf_list;
|
|
extern rb_dlink_list nd_list;
|
|
extern rb_dlink_list tgchange_list;
|
|
|
|
extern struct _rb_patricia_tree_t *tgchange_tree;
|
|
|
|
extern void init_s_newconf(void);
|
|
extern void clear_s_newconf(void);
|
|
extern void clear_s_newconf_bans(void);
|
|
|
|
typedef struct
|
|
{
|
|
char *ip;
|
|
time_t expiry;
|
|
rb_patricia_node_t *pnode;
|
|
rb_dlink_node node;
|
|
} tgchange;
|
|
|
|
void add_tgchange(const char *host);
|
|
tgchange *find_tgchange(const char *host);
|
|
|
|
/* cluster confs */
|
|
struct remote_conf
|
|
{
|
|
char *username;
|
|
char *host;
|
|
char *server;
|
|
int flags;
|
|
rb_dlink_node node;
|
|
};
|
|
|
|
/* flags used in shared/cluster */
|
|
#define SHARED_TKLINE 0x00001
|
|
#define SHARED_PKLINE 0x00002
|
|
#define SHARED_UNKLINE 0x00004
|
|
#define SHARED_LOCOPS 0x00008
|
|
#define SHARED_TXLINE 0x00010
|
|
#define SHARED_PXLINE 0x00020
|
|
#define SHARED_UNXLINE 0x00040
|
|
#define SHARED_TRESV 0x00080
|
|
#define SHARED_PRESV 0x00100
|
|
#define SHARED_UNRESV 0x00200
|
|
#define SHARED_REHASH 0x00400
|
|
#define SHARED_TDLINE 0x00800
|
|
#define SHARED_PDLINE 0x01000
|
|
#define SHARED_UNDLINE 0x02000
|
|
#define SHARED_GRANT 0x04000
|
|
#define SHARED_DIE 0x08000
|
|
#define SHARED_MODULE 0x10000
|
|
|
|
#define SHARED_ALL (SHARED_TKLINE | SHARED_PKLINE | SHARED_UNKLINE |\
|
|
SHARED_PXLINE | SHARED_TXLINE | SHARED_UNXLINE |\
|
|
SHARED_TRESV | SHARED_PRESV | SHARED_UNRESV | SHARED_GRANT)
|
|
#define CLUSTER_ALL (SHARED_ALL | SHARED_LOCOPS)
|
|
|
|
struct oper_conf
|
|
{
|
|
char *name;
|
|
char *username;
|
|
char *host;
|
|
char *passwd;
|
|
char *certfp;
|
|
|
|
int flags;
|
|
int umodes;
|
|
|
|
unsigned int snomask;
|
|
|
|
struct PrivilegeSet *privset;
|
|
|
|
#ifdef HAVE_LIBCRYPTO
|
|
char *rsa_pubkey_file;
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
|
EVP_PKEY *rsa_pubkey;
|
|
#else
|
|
RSA *rsa_pubkey;
|
|
#endif
|
|
#endif
|
|
};
|
|
|
|
extern struct remote_conf *make_remote_conf(void);
|
|
extern void free_remote_conf(struct remote_conf *);
|
|
|
|
extern void propagate_generic(struct Client *source_p, const char *command,
|
|
const char *target, int cap, const char *format, ...);
|
|
extern void cluster_generic(struct Client *, const char *, int cltype,
|
|
int cap, const char *format, ...);
|
|
|
|
#define OPER_ENCRYPTED 0x00001
|
|
#define OPER_NEEDSSL 0x80000
|
|
|
|
#define OPER_FLAGS 0 /* no oper privs in Client.flags/oper_conf.flags currently */
|
|
|
|
#define IsOperConfEncrypted(x) ((x)->flags & OPER_ENCRYPTED)
|
|
#define IsOperConfNeedSSL(x) ((x)->flags & OPER_NEEDSSL)
|
|
|
|
#define HasPrivilege(x, y) ((x)->user != NULL && (x)->user->privset != NULL && privilegeset_in_set((x)->user->privset, (y)))
|
|
#define MayHavePrivilege(x, y) (HasPrivilege((x), (y)) || (IsOper((x)) && (x)->user != NULL && (x)->user->privset == NULL))
|
|
|
|
#define IsOperKill(x) (HasPrivilege((x), "oper:kill"))
|
|
#define IsOperRemote(x) (HasPrivilege((x), "oper:routing"))
|
|
#define IsOperUnkline(x) (HasPrivilege((x), "oper:unkline"))
|
|
#define IsOperN(x) (HasPrivilege((x), "snomask:nick_changes"))
|
|
#define IsOperK(x) (HasPrivilege((x), "oper:kline"))
|
|
#define IsOperXline(x) (HasPrivilege((x), "oper:xline"))
|
|
#define IsOperResv(x) (HasPrivilege((x), "oper:resv"))
|
|
#define IsOperDie(x) (HasPrivilege((x), "oper:die"))
|
|
#define IsOperRehash(x) (HasPrivilege((x), "oper:rehash"))
|
|
#define IsOperHiddenAdmin(x) (HasPrivilege((x), "oper:hidden_admin"))
|
|
#define IsOperAdmin(x) (HasPrivilege((x), "oper:admin") || HasPrivilege((x), "oper:hidden_admin"))
|
|
#define IsOperOperwall(x) (HasPrivilege((x), "oper:operwall"))
|
|
#define IsOperSpy(x) (HasPrivilege((x), "oper:spy"))
|
|
#define IsOperInvis(x) (HasPrivilege((x), "oper:hidden"))
|
|
#define IsOperRemoteBan(x) (HasPrivilege((x), "oper:remoteban"))
|
|
#define IsOperMassNotice(x) (HasPrivilege((x), "oper:mass_notice"))
|
|
#define IsOperGeneral(x) (MayHavePrivilege((x), "oper:general"))
|
|
|
|
#define SeesOper(target, source) (IsOper((target)) && ((!ConfigFileEntry.hide_opers && !HasPrivilege((target), "oper:hidden")) || HasPrivilege((source), "auspex:oper")))
|
|
|
|
extern struct oper_conf *make_oper_conf(void);
|
|
extern void free_oper_conf(struct oper_conf *);
|
|
extern void clear_oper_conf(void);
|
|
|
|
extern struct oper_conf *find_oper_conf(const char *username, const char *host,
|
|
const char *locip, const char *oname);
|
|
|
|
extern const char *get_oper_privs(int flags);
|
|
|
|
struct server_conf
|
|
{
|
|
char *name;
|
|
char *connect_host;
|
|
struct rb_sockaddr_storage connect4;
|
|
uint16_t dns_query_connect4;
|
|
struct rb_sockaddr_storage connect6;
|
|
uint16_t dns_query_connect6;
|
|
char *passwd;
|
|
char *spasswd;
|
|
char *certfp;
|
|
int port;
|
|
int flags;
|
|
int servers;
|
|
time_t hold;
|
|
|
|
int aftype;
|
|
char *bind_host;
|
|
struct rb_sockaddr_storage bind4;
|
|
uint16_t dns_query_bind4;
|
|
struct rb_sockaddr_storage bind6;
|
|
uint16_t dns_query_bind6;
|
|
|
|
char *class_name;
|
|
struct Class *class;
|
|
rb_dlink_node node;
|
|
};
|
|
|
|
#define SERVER_ILLEGAL 0x0001
|
|
#define SERVER_ENCRYPTED 0x0004
|
|
#define SERVER_COMPRESSED 0x0008
|
|
#define SERVER_TB 0x0010
|
|
#define SERVER_AUTOCONN 0x0020
|
|
#define SERVER_SSL 0x0040
|
|
#define SERVER_NO_EXPORT 0x0080
|
|
#define SERVER_SCTP 0x0100
|
|
|
|
#define ServerConfIllegal(x) ((x)->flags & SERVER_ILLEGAL)
|
|
#define ServerConfEncrypted(x) ((x)->flags & SERVER_ENCRYPTED)
|
|
#define ServerConfCompressed(x) ((x)->flags & SERVER_COMPRESSED)
|
|
#define ServerConfTb(x) ((x)->flags & SERVER_TB)
|
|
#define ServerConfAutoconn(x) ((x)->flags & SERVER_AUTOCONN)
|
|
#define ServerConfSCTP(x) ((x)->flags & SERVER_SCTP)
|
|
#define ServerConfSSL(x) ((x)->flags & SERVER_SSL)
|
|
#define ServerConfNoExport(x) ((x)->flags & SERVER_NO_EXPORT)
|
|
|
|
extern struct server_conf *make_server_conf(void);
|
|
extern void free_server_conf(struct server_conf *);
|
|
extern void clear_server_conf(void);
|
|
extern void add_server_conf(struct server_conf *);
|
|
|
|
extern struct server_conf *find_server_conf(const char *name);
|
|
|
|
extern void attach_server_conf(struct Client *, struct server_conf *);
|
|
extern void detach_server_conf(struct Client *);
|
|
extern void set_server_conf_autoconn(struct Client *source_p, const char *name,
|
|
int newval);
|
|
extern void disable_server_conf_autoconn(const char *name);
|
|
|
|
|
|
extern struct ConfItem *find_xline(const char *, int);
|
|
extern struct ConfItem *find_xline_mask(const char *);
|
|
extern struct ConfItem *find_nick_resv(const char *name);
|
|
extern struct ConfItem *find_nick_resv_mask(const char *name);
|
|
|
|
extern int valid_wild_card_simple(const char *);
|
|
extern int clean_resv_nick(const char *);
|
|
time_t valid_temp_time(const char *p);
|
|
|
|
struct nd_entry
|
|
{
|
|
char name[NICKLEN+1];
|
|
time_t expire;
|
|
rb_dlink_node lnode; /* node in ll */
|
|
};
|
|
|
|
extern void add_nd_entry(const char *name);
|
|
extern void free_nd_entry(struct nd_entry *);
|
|
extern unsigned long get_nd_count(void);
|
|
|
|
#endif
|
|
|