1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 23:33:12 +02:00
Commit Graph

10207 Commits

Author SHA1 Message Date
Bram Matthys 48a69151ef Update example.conf a little to indicate required changes with "CHANGE THIS".
People should preferrably go through the example conf line by line, but
if they are in a hurry or just want to get started quickly initially they
could CTRL+F on that.
2024-11-25 16:34:11 +01:00
Bram Matthys 6940272290 Prevent early UID cut-off. This doesn't happen with current unrealircd traffic
because we send 9 character uids. However, IDLEN is defined as 12 so it is
natural for other people (services and other pseudo server writers) to assume
you could send 12, which failed until now, as it only accepted 11 characters.

Just to be clear:
* We generate and send 9 character uids in UnrealIRCd ourselves, this
  works perfectly fine
* In 114d54ac61 in 2021 (UnrealIRCd 5.2.1) i
  enlarged the buffers to allow INCOMING ids of up to 12 characters.
  The reason for that is that I want the option to allow slightly larger
  uids and could start doing that several years later without causing
  desynchs and other problems.
* That didn't work properly, it only allowed up to 11 chars at this point.
* From now on it allows 12 chars. I do NOT recommend sending that though, if
  you want to send bigger ids from your services/pseudo server then use
  11, or... actually just use 9 like in normal unrealircd traffic at the
  moment.

Reported on IRC by craftxbox
2024-11-24 09:56:06 +01:00
Bram Matthys 47e81fe7d3 Set version to 6.1.10-git 2024-11-24 09:46:21 +01:00
Bram Matthys e782748b40 ** UnrealIRCd 6.1.9.1 ** 2024-11-21 19:30:01 +01:00
Bram Matthys f953c79be4 Update release notes 2024-11-21 19:28:22 +01:00
Bram Matthys 1b4560218a I think this is the correct fix for incorrect TLS ciphers in 6.1.9.
I was dumb: with an RSA cert you need ECDHE-RSA-* and i had
only included ECDHE-ECDSA-*. Long story short: TLSv1.2 didn't work
if you had an RSA certificate. Reported by BlackBishop, and in
hindsight also by Mi_92. Thanks for the quick reports, this should
be a quick fix :-)
2024-11-21 19:01:38 +01:00
Bram Matthys fb9aa72f78 Mention new UnrealIRCd PGP release signing key in release notes
[skip ci]
2024-11-20 11:45:01 +01:00
Bram Matthys 7b0228a2c8 ** UnrealIRCd 6.1.9 ** 2024-11-20 11:17:58 +01:00
Bram Matthys 3aa26ef1f1 Publish new UnrealIRCd release signing key for 2024-2030 (don't use it yet)
pub   rsa4096 2024-11-18 [SC] [expires: 2030-11-17]
      36E6F65706E36B0937280299101001DAF48BB56D
uid           UnrealIRCd releases and patches (for verification of software downloads only!) <releases@unrealircd.org>

The old key is still valid until 2025-06-29:
pub   rsa4096 2015-07-02 [SC] [expires: 2025-06-29]
      1D2D2B03A0B68ED11D68A24BA7A21B0A108FF4A9
uid           UnrealIRCd releases (for verification of software downloads only!) <releases@unrealircd.org>

The new key is signed by the old key and uploaded to keyserver.ubuntu.com.

The old key will still be used for signing releases for now. Somewhere around
the summer of 2025 i will switch to the new key.

Posted in https://forums.unrealircd.org/viewtopic.php?t=9397 for transparency
2024-11-18 13:04:49 +01:00
Bram Matthys 4ef7e4ea8d Read settings from unrealircd-6.1.8.1 2024-11-18 13:04:22 +01:00
Bram Matthys e0ec8dd720 More release notes updates
(also.. sigh.. have mentioned twice now that we 'disable TLSv1.2' when
 instead i meant to write 'require at least TLSv1.2'... ah well...)
[skip ci]
2024-11-17 13:52:02 +01:00
Bram Matthys 170a27e160 Update release notes. Let's call the SSL/TLS changes enhancements :D
[skip ci]
2024-11-17 13:39:42 +01:00
Bram Matthys b3559b5d2c Update release notes a bit
[skip ci]
2024-11-17 13:36:03 +01:00
Bram Matthys 492152f9ea Default TLS ciphers: drop support for AES in CBC mode, only allow AES w/GCM.
For reference, the established TLS connections at irc*.unrealircd.org
over the past 6 months were:
  14379 TLSv1.3-TLS_CHACHA20_POLY1305_SHA256
    368 TLSv1.2-ECDHE-ECDSA-AES256-GCM-SHA384
    160 TLSv1.2-ECDHE-ECDSA-CHACHA20-POLY1305
      3 TLSv1.3-TLS_AES_256_GCM_SHA384

There is nobody connecting with AES CBC in those statistics
(ECDHE-ECDSA-AES256-SHA256 and ECDHE-ECDSA-AES128-SHA384)
2024-11-17 13:08:46 +01:00
Bram Matthys 3317be3069 When using cURL for remote includes we now explicitly disable TLSv1.2
and set our default ciphers and ciphersuites. Note that by default in
UnrealIRCd 6 the built-in (non-cURL) implementation is used for remote
includes, which already uses the same defaults since 6.0.0. Also note
that most distros, like Ubuntu and Debian, already disabled TLSv1.2
in the default openssl conf and thus it was already disabled in cURL.
2024-11-17 12:32:35 +01:00
Bram Matthys cda2bcd930 Fix ecdh-curve X25519 missing when using the defaults.
In config.h we had a:
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "X25519:secp521r1:secp384r1:prime256v1"
 #else
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1"
 #endif
...which is fine in theory, but openssl headers are not included at that point,
so OPENSSL_VERSION_NUMBER was not defined.

From now on, we have:
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY "X25519:secp521r1:secp384r1:prime256v1"
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY "secp521r1:secp384r1:prime256v1"
...and we try them in that order. If both fail, we exit with an error (like before).
This because X25519 is not available in OpenSSL before 1.1.0 (so really old)
and may also not be available when running in FIPS mode.
2024-11-17 12:08:23 +01:00
Bram Matthys 116e076f0d Add release notes for upcoming 6.1.9
[skip ci]
2024-11-17 10:22:48 +01:00
Bram Matthys 08435a5674 Bump version to 6.1.9-git 2024-11-17 09:55:05 +01:00
Bram Matthys bace42dd50 Update curl-ca-bundle.crt to Tue Sep 24 03:12:04 2024 GMT
https://curl.se/docs/caextract.html
[skip ci]
2024-11-17 08:54:21 +01:00
Bram Matthys e43b407886 Bump shipped c-ares library from 1.33.1 to 1.34.3
https://c-ares.org/changelog.html
2024-11-17 08:43:11 +01:00
Bram Matthys b49cb1e720 An additional dbuf_delete() in free_client() that should be unneeded.
In all my tests on real servers this was never a reported leak,
because the dbuf_delete() already happens at other places where the
client is marked dead.

However, with my (private) fuzzing patches I need this freeing because
of a slightly different code path.

I'm putting the patch in mainline just in case I'm wrong and it does
trigger in some kind of niche situation.
2024-11-17 08:11:55 +01:00
Bram Matthys 2c6cea2461 Fix problem with unsubscribing I/O, leading to 100% CPU in some cases.
The IRCd is still responsive (as the bad I/O is not prioritzed) but this
isn't good either. Only happens with some rare triggers.

This was previously reported over e-mail in an older UnrealIRCd version
but after 6-8 hours of debugging I was never able to trigger it.
Later it finally happened on one of my servers and I could debug it.
2024-11-17 08:09:50 +01:00
Bram Matthys 08fb2b46ac Fix crash with "STATS S" if having vhosts with autologin (no login).
This crash is only triggerable by IRCOps.

Also, it shouldn't lists vhosts with "STATS S", it should be "STATS V".
2024-11-17 08:03:32 +01:00
Bram Matthys 4e11d81d67 Fix IPv6 hosts not resolving in UnrealIRCd 6.1.8 / 6.1.8.1.
Reported by bss on IRC.

Changed:
r->ipv6 = IsIPV6(client);
To:
r->ipv6 = IsIPV6(client) ? 1 : 0;

The problem is that:
 #define IsIPV6(x)                      ((x)->flags & CLIENT_FLAG_IPV6)
(..so without ?1:0..)
made this effectively:
 r->ipv6 = CLIENT_FLAG_IPV6;

..which is..
 #define CLIENT_FLAG_IPV6                       0x800000000     /**< client is using IPv6 */
.. and 0x800000000 doesn't fit in r->ipv6, which is of size 'char' (so max is 0xff)
2024-11-16 13:17:06 +01:00
Bram Matthys 18b171a071 Some more missing include/windows/setup.h defines.
+#define HAS_ASN1_TIME_diff
+#define HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+#define HAS_SSL_CTX_SET_SECURITY_LEVEL
+#define HAS_X509_check_host
+#define HAS_X509_get0_notAfter

In practice, this only adds that we now do certificate expiry checks
and give warnings, like on *NIX.

The HAS_X509_check_host is good because then OpenSSL/LibreSSL code is
used instead of the one we have from cURL and the ssl conservatory.
To be honest I wanted to rip out this fallback completely at first,
but let's do that in next major version of UnrealIRCd and not during
an existing series.

The HAS_SSL_CTX_SET_* would have given an admin the option to downgrade
to TLSv1.0 or TLSv1.1 but LibreSSL no longer builds with these since
LibreSSL 3.8.1, which is sensible, so... no actual change there.
I'll document the behavior in the docs (wiki), though.

Also the previous claim in b653c68df0 with
regards to what curves were actually enabled in our LibreSSL UnrealIRCd 6
builds was incorrect, an hour ago I claimed X448 would show up as an extra,
but that is not the case (that was with OpenSSL). The correct statement is:
"This also meant the default curves that were offered were up to LibreSSL,
 which meant the following list in practice:
  Elliptic curves offered:     prime256v1 secp384r1 X25519
 Instead of:
  Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519"

So it was only missing secp521r1. Nothing major.
2024-11-09 12:55:15 +01:00
Bram Matthys b653c68df0 Fix error on Windows when trying to set set::tls::ecdh-curves.
"[error] ecdh-curves specified but your OpenSSL/LibreSSL library does not
 support setting curves manually by name. Either upgrade to a newer library
 version or remove the 'ecdh-curves' directive from your configuration file"

This also meant the default curves that were offered were up to LibreSSL,
which meant the following list in practice:
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
Instead of:
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519

Not that X448 is considered bad, it just didn't match what we claimed in
the docs at https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols

Fixed by: #define HAS_SSL_CTX_SET1_CURVES_LIST
2024-11-09 12:01:47 +01:00
Bram Matthys 1f3c9b1dd2 Add /HELPOP EXTSERVERBANS and refer to it from GLINE/KLINE/ELINE.
Not from ZLINE/GZLINE since (almost?) extended server bans don't work
from there since it is so early in the connecting process.
2024-10-23 10:09:45 +02:00
Bram Matthys 30b9f66f71 ** UnrealIRCd 6.1.8.1 ** 2024-10-17 18:30:07 +02:00
Bram Matthys 6d60899007 Good idea to bump the vhost module version to 6.1.8.1
[skip ci]
2024-10-17 18:22:16 +02:00
Bram Matthys 019c327821 Fix crash with new auto-vhost code. 2024-10-17 17:44:50 +02:00
Bram Matthys 985a591df2 Previous commit broke "GLINE *@1.2.3.4 0 test" and had a memory leak.
The former was fixed by merging the 'if'. The latter by getting rid
of dynamic memory allocation, long live the stack!
2024-10-16 10:21:16 +02:00
Valerie Liu 8e47aff2cf Make *LINE behave smarter if missing reason or time value (#304)
Now this works like:
if the time param exists, even without a reason, it will be checked if it's a time param. if it's not a time param, it'll be considered to be the reason (or the first part of it anyway)

Reported by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6105
2024-10-16 08:01:12 +00:00
Bram Matthys cf6718fdb2 Fix vhosts and blacklist reasons being lowercased
This was unintentional strtolower() in unreal_expand_string()
2024-10-14 18:56:21 +02:00
Bram Matthys a12ca25f50 Mention donation and shop in the release notes
[skip ci]
2024-10-11 09:24:45 +02:00
Bram Matthys 33276fb2ee ** UnrealIRCd 6.1.8 ** 2024-10-11 07:22:51 +02:00
TehPeGaSuS f7d2683569 Removed an extra { on the listen block syntax example (#303) 2024-09-28 17:33:22 +00:00
Bram Matthys e2400c0270 And some more rewording in release notes
[skip ci]
2024-09-27 10:23:15 +02:00
Bram Matthys 0a4f9af647 Add vhost block link in relnotes
[skip ci]
2024-09-27 10:21:25 +02:00
Bram Matthys 665dd8584a ** UnrealIRCd 6.1.8-rc1 ** 2024-09-27 10:19:18 +02:00
Bram Matthys c86b474ed8 Fix crash on crule "||"; in config file.
Reported by Valware in https://bugs.unrealircd.org/view.php?id=6438
2024-09-25 13:04:30 +02:00
Bram Matthys eae680c773 Update release notes a bit
... and make set::max-inherit-extended-bans::ban-exception default to 0
because that functionality is not implemented
The +e's are already checked when using +b ~inherit though..
2024-09-25 10:14:46 +02:00
Bram Matthys 2c77bc3723 Ok now make it 100% the same as pure IRC. There was still 1 char missing :D 2024-09-25 09:54:29 +02:00
Bram Matthys efbcf1f3b6 Actually test and fix the websocket cutoff bug from
7a43448674
2024-09-25 09:45:55 +02:00
Bram Matthys 918347af9e Fix config test for security-group
(in case of missing parameter for public or priority)
2024-09-25 09:21:44 +02:00
Valerie Liu fff76c4b29 Make authprompt work with recently new "sasl-from-a-module" hooks (#302) 2024-09-25 07:15:31 +00:00
Bram Matthys 7a43448674 Add unrl_utf8_make_valid() special option 2 to fix previous commit.
Without this, the IRC message could be far beyond >510 characters
(excluding message tags).

This code is untested!
2024-09-24 18:32:14 +02:00
Valerie Liu 713414e716 Websockets with type 'text': don't truncate lines to 510 chars when there are message tags (#301)
Allow full mtag messages to be sent over websockets
2024-09-24 16:30:02 +00:00
Bram Matthys 5860172780 Free previous GeoIP result upon IP change. Otherwise if the new geoip
lookup fails the old result stays there which is confusing.

Reported on IRC where 10.x.x.x was shown as "Poland" which was a
leftover from the "real IP" before WEBIRC spoofing was used to set
the IP to 10.x.x.x. Reported by Jellis.
2024-09-23 19:10:33 +02:00
Bram Matthys 7765f226be Detect operclass::parent loops.
Reported by craftxbox in https://bugs.unrealircd.org/view.php?id=6471
2024-09-23 17:25:17 +02:00
Bram Matthys 7d37795353 Don't list security groups by default, add 'public <yes|no>'
* [Security group blocks](https://www.unrealircd.org/docs/Security-group_block)
  are now hidden in lists by default. If you want the security group to be shown
  in things like `MODE #channel +b ~security-group:x` (which shows a list)
  then you need to use `public yes;`. The default security groups
  like known-users, webirc-users, etc. are public by default.
2024-09-23 13:11:24 +02:00