mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-03 10:03:12 +02:00
Linking: for outgoing connects, only support SSL/TLS by default (either 'directly' on an ssl port or via STARTTLS 'upgrading'). Set link::outgoing::options::insecure to disable.
This commit is contained in:
@@ -761,3 +761,4 @@ extern int swhois_delete(aClient *acptr, char *tag, char *swhois, aClient *from,
|
||||
extern void remove_oper_privileges(aClient *sptr, int broadcast_mode_change);
|
||||
extern int client_starttls(aClient *acptr);
|
||||
extern void start_server_handshake(aClient *cptr);
|
||||
extern void reject_insecure_server(aClient *cptr);
|
||||
|
||||
+1
-1
@@ -829,7 +829,7 @@ extern void unload_all_unused_moddata(void);
|
||||
#define CONNECT_QUARANTINE 0x000008
|
||||
#define CONNECT_NODNSCACHE 0x000010
|
||||
#define CONNECT_NOHOSTCHECK 0x000020
|
||||
#define CONNECT_NO_STARTTLS 0x000040
|
||||
#define CONNECT_INSECURE 0x000040
|
||||
|
||||
#define SSLFLAG_FAILIFNOCERT 0x1
|
||||
#define SSLFLAG_VERIFYCERT 0x2
|
||||
|
||||
+14
-1
@@ -759,6 +759,19 @@ int check_client(aClient *cptr, char *username)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Reject an insecure (outgoing) server link that isn't SSL/TLS.
|
||||
* This function is void and not int because it can be called from other void functions
|
||||
*/
|
||||
void reject_insecure_server(aClient *cptr)
|
||||
{
|
||||
sendto_umode(UMODE_OPER, "Could not link with server %s with SSL/TLS enabled. "
|
||||
"Please check logs on the other side of the link and make sure the other IRCd "
|
||||
"is compiled with SSL support enabled. "
|
||||
"If you insist with insecure linking then you can set link::options::outgoing::insecure",
|
||||
cptr->name);
|
||||
dead_link(cptr, "Rejected link without SSL/TLS");
|
||||
}
|
||||
|
||||
void start_server_handshake(aClient *cptr)
|
||||
{
|
||||
ConfigItem_link *aconf = cptr->serv ? cptr->serv->conf : NULL;
|
||||
@@ -819,7 +832,7 @@ void completed_connection(int fd, int revents, void *data)
|
||||
return;
|
||||
}
|
||||
|
||||
if (!cptr->ssl && !(aconf->outgoing.options & CONNECT_NO_STARTTLS))
|
||||
if (!cptr->ssl && !(aconf->outgoing.options & CONNECT_INSECURE))
|
||||
{
|
||||
sendto_one(cptr, "STARTTLS");
|
||||
} else
|
||||
|
||||
+3
-3
@@ -172,9 +172,9 @@ static NameValue _ListenerFlags[] = {
|
||||
/* This MUST be alphabetized */
|
||||
static NameValue _LinkFlags[] = {
|
||||
{ CONNECT_AUTO, "autoconnect" },
|
||||
{ CONNECT_NO_STARTTLS, "no-starttls" },
|
||||
{ CONNECT_INSECURE, "insecure" },
|
||||
{ CONNECT_QUARANTINE, "quarantine"},
|
||||
{ CONNECT_SSL, "ssl" },
|
||||
{ CONNECT_SSL, "ssl" },
|
||||
};
|
||||
|
||||
/* This MUST be alphabetized */
|
||||
@@ -6436,7 +6436,7 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
|
||||
;
|
||||
else if (!strcmp(ceppp->ce_varname, "ssl"))
|
||||
;
|
||||
else if (!strcmp(ceppp->ce_varname, "no-starttls"))
|
||||
else if (!strcmp(ceppp->ce_varname, "insecure"))
|
||||
;
|
||||
else
|
||||
{
|
||||
|
||||
+48
-32
@@ -57,40 +57,56 @@ int do_numeric(int numeric, aClient *cptr, aClient *sptr, int parc, char *parv[
|
||||
char *nick, *p;
|
||||
int i;
|
||||
|
||||
/* Is this an outgoing connect, and we get a numeric 451 (not registered) back for the
|
||||
* magic command __PANGPANG__ and we did not send a SERVER message yet?
|
||||
* Then this means we are dealing with an Unreal server <3.2.9 and we should send the
|
||||
* SERVER command right now.
|
||||
*/
|
||||
if (!IsServer(sptr) && !IsPerson(sptr) && (numeric == 451) && (parc > 2) && strstr(parv[1], "__PANGPANG__") &&
|
||||
IsHandshake(cptr) && sptr->serv && !IsServerSent(sptr))
|
||||
if (!IsServer(sptr) && !IsPerson(sptr) && IsHandshake(cptr) && sptr->serv && !IsServerSent(sptr))
|
||||
{
|
||||
send_server_message(sptr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!IsServer(sptr) && !IsPerson(sptr) && (numeric == 451) && (parc > 2) && strstr(parv[1], "STARTTLS") &&
|
||||
IsHandshake(cptr) && sptr->serv && !IsServerSent(sptr))
|
||||
{
|
||||
start_server_handshake(cptr);
|
||||
}
|
||||
|
||||
// TODO: handle 691 as well (starttls failed) ? unusual.
|
||||
|
||||
if (!IsServer(sptr) && !IsPerson(sptr) && (numeric == 670) &&
|
||||
IsHandshake(cptr) && sptr->serv && !IsServerSent(sptr))
|
||||
{
|
||||
int ret = client_starttls(cptr);
|
||||
if (ret < 0)
|
||||
{
|
||||
// When failed we could continue with start_server_handshake() here.
|
||||
return ret;
|
||||
}
|
||||
/* We don't call start_server_handshake() here. First the TLS handshake will
|
||||
* be completed, then completed_connection() will be called for a second time,
|
||||
* which will call completed_connection() from there.
|
||||
/* This is an outgoing server connect that is currently not yet IsServer() but in 'unknown' state.
|
||||
* We need to handle a few responses here.
|
||||
*/
|
||||
return 0;
|
||||
|
||||
/* If we get a numeric 451 (not registered) back for the magic command __PANGPANG__
|
||||
* Then this means we are dealing with an Unreal server <3.2.9 and we should send the
|
||||
* SERVER command right now.
|
||||
*/
|
||||
if ((numeric == 451) && (parc > 2) && strstr(parv[1], "__PANGPANG__"))
|
||||
{
|
||||
send_server_message(sptr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* STARTTLS: unknown command */
|
||||
if ((numeric == 451) && (parc > 2) && strstr(parv[1], "STARTTLS"))
|
||||
{
|
||||
if (cptr->serv->conf && (cptr->serv->conf->outgoing.options & CONNECT_INSECURE))
|
||||
start_server_handshake(cptr);
|
||||
else
|
||||
reject_insecure_server(cptr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* STARTTLS failed */
|
||||
if (numeric == 691)
|
||||
{
|
||||
sendto_umode(UMODE_OPER, "STARTTLS failed for link %s. Please check the other side of the link.", cptr->name);
|
||||
reject_insecure_server(cptr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* STARTTLS OK */
|
||||
if (numeric == 670)
|
||||
{
|
||||
int ret = client_starttls(cptr);
|
||||
if (ret < 0)
|
||||
{
|
||||
sendto_umode(UMODE_OPER, "STARTTLS handshake failed for link %s. Strange.", cptr->name);
|
||||
reject_insecure_server(cptr);
|
||||
return ret;
|
||||
}
|
||||
/* We don't call start_server_handshake() here. First the TLS handshake will
|
||||
* be completed, then completed_connection() will be called for a second time,
|
||||
* which will call completed_connection() from there.
|
||||
*/
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (parc < 1 || !IsServer(sptr))
|
||||
|
||||
Reference in New Issue
Block a user