1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 06:13:14 +02:00
Commit Graph

4168 Commits

Author SHA1 Message Date
Bram Matthys 37dbdfeee3 Bump version to 4.0.16-devel. This version is under development.
You should always use https://www.unrealircd.org/ for stable releases.
In case you wondered what happened with 4.0.15: that version consists
of cherry-picked / backports of the two crash fixes from this 'unreal40'
development branch. The current code simply wasn't ready yet for a
rushed security release.
2017-10-01 19:37:29 +02:00
Bram Matthys 6dd147b941 Fix 2nd crash bug. Found when searching for related crash issues. 2017-10-01 13:19:12 +02:00
Bram Matthys 47eebad53d Fix crash bug, reported by Joseph Bisch. 2017-10-01 13:18:45 +02:00
Bram Matthys 5399e060fa Send CAP DEL sasl if set::sasl-server squits and CAP NEW when it returns.
(Only to cap-notify and v3.2 clients, of course)
Also fix a "bug" where sts parameters were not shown in CAP NEW tls.
2017-09-30 15:19:29 +02:00
Bram Matthys ac65e32a26 Add CAP v3.2 support. Add 'cap-notify' support.
Delete CAP CLEAR as it's use is discouraged (too much trouble).
Delete CAP ACK (from client2server) as this is only for CAP's with
ack modifiers. This is something we don't use, and which has been
deprecated in v3.2 of the spec.
2017-09-30 14:34:06 +02:00
Bram Matthys 461fa9a48a Store CAP version in use in sptr->local->cap_protocol. 2017-09-30 12:50:36 +02:00
Bram Matthys 7d381086ad Remove CLICAP_FLAGS_CLIACK. Never understood this idea. Unused and deprecated it seems. 2017-09-30 12:35:56 +02:00
Bram Matthys 44052b86c0 Remove CLICAP_FLAGS_STICKY. We don't use this anyway. 2017-09-30 12:33:57 +02:00
Bram Matthys fbd4e74663 You can now have multiple webirc { } blocks with the same mask.
This permits multiple blocks like..
webirc {
    mask *;
	password "....." { sslclientcertfp; };
};
..should you need it.
In other words: we don't stop matching upon an authentication failure.
2017-09-30 09:53:04 +02:00
Bram Matthys 638b189804 Users connecting to the IRC server from the same machine could be seen as
"localhost", even though they were using an IP other than 127.0.0.1.
So, they were local but not using loopback. Reported by The_Myth (#5013).
2017-09-20 15:51:41 +02:00
Bram Matthys 838354f155 UnrealIRCd 4.0.14 2017-09-15 10:23:49 +02:00
Bram Matthys 91e108499e Convert remaining http:// links to https:// 2017-09-15 08:19:08 +02:00
Bram Matthys a20dc5f8c1 Use static buffer in cipher_check() like in verify_certificate() - duh. 2017-09-10 16:41:34 +02:00
Bram Matthys e7c7b1daff Don't show draft/sts and other unREQ'able CAP's in "CAP LIST" (only in "CAP LS"). 2017-09-09 12:37:50 +02:00
Bram Matthys 1f856745e5 4.0.14-rc1 2017-09-08 08:16:21 +02:00
Bram Matthys 2914695681 We can't prevent all user mistakes, but we can at least prevent some.. 2017-09-08 07:53:20 +02:00
Bram Matthys 461ce8016a Some modes in set::modes-on-connect gave an error. These were
old user modes such as +N and +A that were previously forbidden but
may nowadays be (re-)used by 3rd party modules.
Reported by marco500 (#4980).
2017-09-08 07:39:56 +02:00
Bram Matthys 296decf648 This code can be removed now that we have a working verify_certificate().
Also broke LibreSSL (SSL_CTX_get0_param undefined).
2017-09-06 16:49:25 +02:00
Bram Matthys edb144d570 Update cipher suite to include TLSv1.3 ciphers.
This so upcoming UnrealIRCd version will work with TLSv1.3 whenever it
becomes an official standard and is included in OpenSSL/LibreSSL.
(Verified to work with openssl git master branch)
2017-09-06 16:09:22 +02:00
Bram Matthys a5dbd3aa7c SSL/TLS: Use SNI in outgoing server link. 2017-09-06 14:32:21 +02:00
Bram Matthys b757d2eff0 Show set::sasl-server in '/STATS set'. Suggested by Gottem (#0004997). 2017-09-06 08:44:12 +02:00
Bram Matthys 08bc61ec00 We now refuse to enable SSL/TLS with weak ciphers: DES, 3DES, RC4. 2017-09-06 08:21:14 +02:00
Bram Matthys 8fad7c563d Add cap/link-security and cap/plaintext-policy modules. 2017-09-03 16:06:39 +02:00
Bram Matthys 1faa91ed0e Add helper function plaintextpolicy_valtochar(). 2017-09-02 15:49:02 +02:00
Bram Matthys 78695f3eea Permit attaching client moddata to servers (and synch properly, if .synch=1) 2017-09-02 15:47:58 +02:00
Bram Matthys 0da1fdb2d2 Fix possible crash in /STATS due to change from yesterday.
Other than that, some minor style and real things.
2017-09-02 08:27:55 +02:00
Bram Matthys 3ade6c7ecb :D 2017-09-01 18:15:47 +02:00
Bram Matthys 199a7e162d Make new functions more generic and use it from crash reporter so
people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
2017-09-01 17:28:49 +02:00
Bram Matthys aa829bce12 New option link::verify-certificate [yes|no]. This will cause UnrealIRCd
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
2017-09-01 17:10:29 +02:00
Bram Matthys ac66a0fe12 Add hostname verification code from ssl conservatory & curl
(will be used in next commit)
2017-09-01 17:02:36 +02:00
Bram Matthys 5ff4fb3f87 Remove old code.. this is already set in link->ssl_ctx by init_ctx().
(tested)
2017-09-01 09:32:51 +02:00
Bram Matthys 6d7be72f2b Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys 5cf28d0d46 It was possible to have a block named 'link irc1.test.net' and then get
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
need to pass as well.
2017-08-25 20:34:27 +02:00
Bram Matthys bfb3e0847b If you had an unknown link::someunknownitem then UnrealIRCd would not
throw an error. Now it does.
2017-08-25 17:48:54 +02:00
Bram Matthys 74466a4065 Consider any client with the same IP as a listen::ip to be loopback.
This is done for users on shared IRCd shells[*] which may be used to (or
forced to) connect services via their alias IP rather than 127.0.0.1
due to bind restrictions. This, in turn, to ease the transition to
set::plaintext-policy::server deny.
[*] Side-note: The UnrealIRCd team recommends using a VPS and not a
    shared shell, as the latter is considerably less secure.
2017-08-20 10:35:45 +02:00
Bram Matthys d490b0ee3e "No log { } block found -- using default: errors will be logged to 'ircd.log'"
Unfortunately it was then logging to tmp/ircd.log rather than logs/ircd.log
2017-08-19 12:12:06 +02:00
Bram Matthys efb344b9b2 duh. 2017-08-19 12:07:54 +02:00
Bram Matthys 6afbc4ee99 Relative paths for sslclientcerts did not work. This has been fixed
so password "ssl/something.crt" { sslclientcert; }; works OK now.
2017-08-19 12:02:25 +02:00
Bram Matthys bfa00e95b7 Set default plaintext-policy to be 'warn' for /OPER and 'deny' for
server linking. Write some draft release notes for later use.
2017-08-19 11:19:33 +02:00
Bram Matthys 361a354c4b If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is
trying to connect then SASL is not advertised.
2017-08-16 19:45:17 +02:00
Bram Matthys d53d46fce4 Add set::plaintext-policy block by which you can warn or deny user connections,
ircop /OPER attempts and incoming server linking attempts from connections
that are not encrypted with SSL/TLS.
Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
2017-08-16 19:39:28 +02:00
Bram Matthys 40e3e11b61 UnrealIRCd 4.0.13 2017-08-15 12:12:10 +02:00
Bram Matthys 74d5f380dd A /REHASH from a WebSocket connection would cause a crash (requires
IRCOp privileges). This is a rather technical issue, we now simply
reject the rehash. See comments in code for more information.
2017-08-10 09:02:05 +02:00
Bram Matthys 18202a0f73 Fix "ban too broad" checking. Reported by Gottem in #4961.
* The 'ban too broad' checking was broken. This permitted glines such
  as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
  To disable this safety measure you can (still) use:
  set { options { allow-insane-bans; }; };
2017-08-10 08:30:54 +02:00
Bram Matthys f5b29ed7de Add modules/cap directory to Windows installer. 2017-08-10 07:54:01 +02:00
Bram Matthys 8ccf5700f1 Prepare for 4.0.13-rc1 2017-08-10 07:46:17 +02:00
Bram Matthys d222a18286 Fix "simple" spamfilters being synched as "posix" during server linking.
This was due to lack of TKLEXT2 support in the m_tkl_synch() code.
2017-08-10 07:07:37 +02:00
Bram Matthys 69a2e7d994 Whoops. This code cleanup screwed up STS. Should work now. 2017-08-09 19:11:28 +02:00
Bram Matthys 6c539c8566 Bump Websocket module version to 1.0.0 2017-08-09 18:12:03 +02:00
Bram Matthys 06aa2ad79a Websocket module: don't send CR/LF in outgoing frames and don't require
CR/LF in incoming frames (simply ignore them if they are present).
2017-08-09 18:00:44 +02:00