1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-03 08:13:14 +02:00
Commit Graph

4143 Commits

Author SHA1 Message Date
Bram Matthys 0da1fdb2d2 Fix possible crash in /STATS due to change from yesterday.
Other than that, some minor style and real things.
2017-09-02 08:27:55 +02:00
Bram Matthys 3ade6c7ecb :D 2017-09-01 18:15:47 +02:00
Bram Matthys 199a7e162d Make new functions more generic and use it from crash reporter so
people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
2017-09-01 17:28:49 +02:00
Bram Matthys aa829bce12 New option link::verify-certificate [yes|no]. This will cause UnrealIRCd
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
2017-09-01 17:10:29 +02:00
Bram Matthys ac66a0fe12 Add hostname verification code from ssl conservatory & curl
(will be used in next commit)
2017-09-01 17:02:36 +02:00
Bram Matthys 5ff4fb3f87 Remove old code.. this is already set in link->ssl_ctx by init_ctx().
(tested)
2017-09-01 09:32:51 +02:00
Bram Matthys 6d7be72f2b Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys 5cf28d0d46 It was possible to have a block named 'link irc1.test.net' and then get
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
need to pass as well.
2017-08-25 20:34:27 +02:00
Bram Matthys bfb3e0847b If you had an unknown link::someunknownitem then UnrealIRCd would not
throw an error. Now it does.
2017-08-25 17:48:54 +02:00
Bram Matthys 74466a4065 Consider any client with the same IP as a listen::ip to be loopback.
This is done for users on shared IRCd shells[*] which may be used to (or
forced to) connect services via their alias IP rather than 127.0.0.1
due to bind restrictions. This, in turn, to ease the transition to
set::plaintext-policy::server deny.
[*] Side-note: The UnrealIRCd team recommends using a VPS and not a
    shared shell, as the latter is considerably less secure.
2017-08-20 10:35:45 +02:00
Bram Matthys d490b0ee3e "No log { } block found -- using default: errors will be logged to 'ircd.log'"
Unfortunately it was then logging to tmp/ircd.log rather than logs/ircd.log
2017-08-19 12:12:06 +02:00
Bram Matthys efb344b9b2 duh. 2017-08-19 12:07:54 +02:00
Bram Matthys 6afbc4ee99 Relative paths for sslclientcerts did not work. This has been fixed
so password "ssl/something.crt" { sslclientcert; }; works OK now.
2017-08-19 12:02:25 +02:00
Bram Matthys bfa00e95b7 Set default plaintext-policy to be 'warn' for /OPER and 'deny' for
server linking. Write some draft release notes for later use.
2017-08-19 11:19:33 +02:00
Bram Matthys 361a354c4b If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is
trying to connect then SASL is not advertised.
2017-08-16 19:45:17 +02:00
Bram Matthys d53d46fce4 Add set::plaintext-policy block by which you can warn or deny user connections,
ircop /OPER attempts and incoming server linking attempts from connections
that are not encrypted with SSL/TLS.
Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
2017-08-16 19:39:28 +02:00
Bram Matthys 40e3e11b61 UnrealIRCd 4.0.13 2017-08-15 12:12:10 +02:00
Bram Matthys 74d5f380dd A /REHASH from a WebSocket connection would cause a crash (requires
IRCOp privileges). This is a rather technical issue, we now simply
reject the rehash. See comments in code for more information.
2017-08-10 09:02:05 +02:00
Bram Matthys 18202a0f73 Fix "ban too broad" checking. Reported by Gottem in #4961.
* The 'ban too broad' checking was broken. This permitted glines such
  as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
  To disable this safety measure you can (still) use:
  set { options { allow-insane-bans; }; };
2017-08-10 08:30:54 +02:00
Bram Matthys f5b29ed7de Add modules/cap directory to Windows installer. 2017-08-10 07:54:01 +02:00
Bram Matthys 8ccf5700f1 Prepare for 4.0.13-rc1 2017-08-10 07:46:17 +02:00
Bram Matthys d222a18286 Fix "simple" spamfilters being synched as "posix" during server linking.
This was due to lack of TKLEXT2 support in the m_tkl_synch() code.
2017-08-10 07:07:37 +02:00
Bram Matthys 69a2e7d994 Whoops. This code cleanup screwed up STS. Should work now. 2017-08-09 19:11:28 +02:00
Bram Matthys 6c539c8566 Bump Websocket module version to 1.0.0 2017-08-09 18:12:03 +02:00
Bram Matthys 06aa2ad79a Websocket module: don't send CR/LF in outgoing frames and don't require
CR/LF in incoming frames (simply ignore them if they are present).
2017-08-09 18:00:44 +02:00
Bram Matthys 455420afc1 SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) 2017-08-09 15:39:52 +02:00
Bram Matthys 0f612a3b30 SNI: Fix for wildcard certificates 2017-08-09 15:20:38 +02:00
Bram Matthys 84776eeeb2 Add support for draft/sts http://ircv3.net/specs/core/sts-3.3.html
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
    ssl {
        certificate "ssl/server.cert.pem";
        key "ssl/server.key.pem";
        sts-policy {
            port 6697;
            duration 180d;
        };
    };
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.

More documentation may follow at another place.
2017-08-09 14:16:03 +02:00
Bram Matthys 1cc6dd3d5b Add Makefile and placeholder module. 2017-08-09 13:30:52 +02:00
Bram Matthys 6500af6ba5 * Use free_ssl_options from generic conf.
* Actually free ssl_options in free_ssl_options.
2017-08-09 13:27:50 +02:00
Bram Matthys ea651384f8 Add groundwork for draft/sts (more to follow)
Module coders:
* The cap->visible(void) callback function is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function.
* Various updates to subfunctions to pass 'sptr' (due to the above),
  including clicap_find(sptr, ...)
* New CLICAP_FLAGS_UNREQABLE flag
Other:
* There is a new (src/)modules/cap directory containing the sts module,
  well.. once I commit it :D
2017-08-09 13:21:36 +02:00
Bram Matthys b2129205f9 Added support for the "Server Name Indication" (SNI) SSL/TLS extension.
See https://www.unrealircd.org/docs/Sni_block
Requested in #4380 by Eman.
2017-08-09 12:00:04 +02:00
Bram Matthys 7b092f7aeb Verify certificate when submitting bug report. 2017-06-19 16:28:50 +02:00
Bram Matthys 0c1f299b0b UnrealIRCd 4.0.12.1 release 2017-06-02 08:56:24 +02:00
Bram Matthys d27d3760c7 CAP NAK not sent for unrecognised CAPs in all cases. Reported by
jwheare (#4958).
2017-06-02 08:22:19 +02:00
Bram Matthys 072d8537b8 Prevent /OPER for oper blocks with non-existant operclass, as doing so
would only be confusing. Reported by Gottem (#4950).
2017-06-02 07:41:44 +02:00
Bram Matthys 7b8f17ef5e Rename variable (no other changes) 2017-06-02 07:33:15 +02:00
Bram Matthys 6c3c55b4e5 Fix new user mode +Z (secureonlymsg) not working properly across
server links. Reported by HeXiLeD (#4953).
2017-05-28 09:41:11 +02:00
Bram Matthys 2838ef6266 Mark all shipped modules as official (non-3rd-party). 2017-05-13 12:29:05 +02:00
Bram Matthys bbf33b62dc UnrealIRCd will now refuse to run as root, as promised a couple of versions ago.
https://www.unrealircd.org/docs/Do_not_run_as_root
2017-05-12 11:42:01 +02:00
Bram Matthys 3dc27370a1 Prepare for UnrealIRCd 4.0.12 release. 2017-05-12 11:24:36 +02:00
Bram Matthys 5e378fb02b Since 95% of the crash reports are due to bugs in 3rd party modules we now
have to discourage people with 3rd party modules loaded from blindly
submitting crash reports.
2017-05-12 10:25:45 +02:00
Bram Matthys 0412c86d17 Update OpenFiles on listener close (not very common, but..) 2017-05-10 17:18:47 +02:00
Bram Matthys a6f5460ad8 Update OpenFiles upon failed SSL connect to remote server. Reported by Eman (#4948). 2017-05-10 17:03:45 +02:00
Bram Matthys ee9f8441bc Bump lag for remote MOTD requests. 2017-04-07 20:06:36 +02:00
Bram Matthys 0035cafdba Fix server setting +b even if the ban list is full when using +f.
Reported by NoMiaus (#4906).
2017-03-26 15:48:05 +02:00
Bram Matthys e62ea1dedd Module coders: added two functions to search for user modes:
has_user_mode(acptr, 'i'): returns 1 / 0
find_user_mode('i'): returns the user mode (as 'long')

extern int has_user_mode(aClient *acptr, char mode);
extern long find_user_mode(char mode);
2017-03-26 15:40:36 +02:00
Bram Matthys b6f8ddd456 Fix Jumpserver not working for SSL users due to old #ifdef USE_SSL.
Reported by NoMiaus (#4907).
2017-03-26 15:38:04 +02:00
Bram Matthys 0c6fb46704 Minor code cleanup 2017-03-22 16:32:59 +01:00
Bram Matthys fcaa69157b Fix crash when unloading (not reloading) module that uses ModData (#4903). 2017-03-22 10:51:29 +01:00