1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-08 22:23:13 +02:00
Commit Graph

44 Commits

Author SHA1 Message Date
Bram Matthys 5e81a6ee67 Add listener->start_handshake function pointer.
This is start_of_normal_client_handshake() by default, but is
start_of_control_client_handshake() for the control channel
(for './unrealircd rehash' and such). Previously that was hardcoded.

It is also used by the RPC code now.
2022-06-19 13:13:33 +00:00
alicetries 2018502e74 Fix various log messages which had missing $expansions (#198) 2022-05-01 13:52:45 +02:00
Bram Matthys 39688517b0 Make "./unrealircd rehash" show output on the terminal, same for
"./unrealircd reloadtls" and there is now also a "./unrealircd status"

The output is colorized if the terminal supports it (just like on the
boot screen) and also the exit status is 0 for success and non-0 for
failure. The purpose of all this is that you can easily detect rehash
errors on the command line.

These three commands communicate to UnrealIRCd via the new control
UNIX socket, which is in ~/data/unrealircd.ctl.
This also does a lot of other stuff because we now have an internal
tool called bin/unrealircdctl which is called by ./unrealircd for
some of the commands to communicate to the unrealircd.ctl socket.
Later on more of the existing functionality may be moved to that
tool and we may also provide it on Windows in CLI mode so people
have more of the same functionality as on *NIX.
2022-01-02 20:17:36 +01:00
Bram Matthys 714461b655 Fix TLS debug error missing IP.
Reported in https://bugs.unrealircd.org/view.php?id=5993
2021-11-05 14:02:28 +01:00
Bram Matthys 3653de5dfb Move debug notices to debug and suggest not to log them by default.
Also, add a note about AddressSanitizer in the release notes.
(this will be in 6.0.0-beta1)
2021-10-31 09:04:17 +01:00
Bram Matthys 3fda96448d Fix crash due to invalid subsystem use in tls.c
[skip ci]
2021-09-24 17:17:03 +02:00
Bram Matthys fcf020b99e It's raining consts... 2021-09-11 09:56:22 +02:00
Bram Matthys ac84d4f207 Const const const... modules.c and elsewhere. 2021-09-11 07:53:30 +02:00
Bram Matthys 9ff56089ad Show TLS cipher in [secure: xyz] in far connects too (+s +F).
This requires both servers to be using UnrealIRCd 6 and there
should be no UnrealIRCd 5 server in-between (eg an old hub).

This also changes tls_cipher() to expect a Client * argument.
And tls_get_cipher() can now safely be called on any client,
including remote clients, and it will return the cipherstring
if it is known via moddata.
2021-08-16 14:30:21 +02:00
Bram Matthys 420eb2ffb6 Rename client->serv to client->server: this is set if the client is a server,
just like client->user is set if the client is a user.

Rename client->srvptr to client->uplink: this is the uplink that the client
is connected to. If the client is a user then it is set to the server that
the client is connected to, if the client is a server then it is set to the
server that the server is connected to (the.. tadah.. uplink).
For local clients it is always set to &me.
2021-08-10 12:52:46 +02:00
Bram Matthys 532a9becda Massive renames of SSL/TLS and SSL to TLS. People should know the term by now :D 2021-08-10 09:07:32 +02:00
Bram Matthys 61ccd94466 Newlog: convert tls.c to use new log system 2021-08-09 14:41:35 +02:00
Bram Matthys d7fcc90014 Change lost_server_link() prototype and log errors properly for both TLS and non-TLS.
Not really satisfied with the way the TLS socket error is logged yet, but ok..
2021-07-14 14:13:02 +02:00
Bram Matthys 05aeba9ba9 Get rid of Debug(()) function calls. I never use it anyway. 2021-07-12 18:54:38 +02:00
Bram Matthys 79740c4a38 Make "REHASH" and ./unrealircd rehash also run the same code as "REHASH -tls",
if on OpenSSL 1.1.1 or later.

We trust OpenSSL 1.1.1 and later to be good enough to handle all
the reference counting and freeing nowadays, which is something that
was not done correctly in (much) older OpenSSL versions, leading
to crashes on one hand and on memory leaks on the other hand.

In OpenSSL 1.1.0 and earlier we do not rehash tls on simple "REHASH",
since that code has not been vetted. However, nobody should be
running those old OpenSSL versions anyway, since they are out of
official OpenSSL support.
2021-06-27 15:38:40 +02:00
Bram Matthys a541b8f4ad Add support for OpenSSL 3.0.0 (based on -beta1)
Now compiles fine without any warnings.

Note that certificate_quality_check() is an outstanding TODO item.
2021-06-19 13:10:52 +02:00
Bram Matthys 75efe02040 And add config check for X509_get0_notAfter().
For our Ubuntu 16 friends.
2020-10-11 15:56:06 +02:00
Bram Matthys b3510c5da8 Fix for previous commit with OpenSSL <1.1.0 (Debian 8, Ubuntu 16, ..)
Thank you BuildBot.

This means on older OpenSSL's we are not going to have certificate
expiry checks. Those OpenSSL versions were deprecated by the OpenSSL
team itself, so yeah then you will miss out a few things.
2020-10-11 15:39:27 +02:00
Bram Matthys 6778b3e26d Warn when SSL/TLS certificate is expired or expires soon (<7d).
Since an expired certificate usually means that users cannot connect
we will actively warn all IRCOps about this situation twice a day.
2020-10-11 15:00:09 +02:00
Bram Matthys 578f8f248c Warn user when undocumented set::ssl::dh / set::tls::dh is present.
That option specified a Diffie Hellman parameter file. Since
UnrealIRCd 5.0.0 we no longer process this option.
This option has never been documented in the wiki docs.
We prefer and use ECDHE/EECDH with SSL_OP_SINGLE_ECDH_USE since 2015
to provide Forward Secrecy in SSL/TLS. And indeed, by now in 2020,
any properly maintained software uses it and old DH(E) usage has
fallen to less than 1%.

What this patch does is remove the unused code (since Dec 2019) and
show a warning if you have a ::dh config directive, so that at least
you are informed that it is unused/ignored. Since it was undocumented
it probably hardly affects anyone, but still, it is proper to inform.
2020-09-12 09:38:17 +02:00
Bram Matthys fea2522067 Fix memory leak on './unrealircd reloadtls' / '/REHASH -tls'
Reported by NoXPhasma in https://bugs.unrealircd.org/view.php?id=5745
2020-08-29 15:05:41 +02:00
Bram Matthys ca6630a2fb Fix "called a function you should not call" server linking error that
happens if all of the following are true:
1) You use link::outgoing::tls-options (or ssl-options)
2) You do a REHASH -tls (or REHASH -ssl)
3) You do NOT do a regular REHASH
4) You try to link to the server in such a link block (outgoing!)

In other words: the problem may happen if you try to link after
a Let's Encrypt cert renewal, unless there has been a regular
REHASH between that and the outgoing linking attempt.

Reported by k4be and Le_Coyoto in https://bugs.unrealircd.org/view.php?id=5607
2020-06-26 15:11:01 +02:00
Bram Matthys f419a61f94 Ubuntu 20.04 needs this change in order to still allow you to enable
TLSv1.0 or TLSv1.1. Otherwise it is impossible to enable by the application.

We are still going to turn off TLSv1.0 and TLSv1.1 by the end of this year
by default. Ubuntu 20.04 is just a couple of months too early. See also
the various browsers who postponed disabling TLSv1.0/TLSv1.1.

Also, regardless of the above, we want the admins running the IRC server
be able to control this and not having such a breaking change be dependant
on some distro default settings.
2020-04-18 12:40:45 +02:00
Bram Matthys f437593b8d Rewrite and expand notices+logging with regards to server linking / lost link.
When connecting, use slightly different wording (and use it consistently):
"Trying to activate link with server xyz"

When the connection is lost before synced:
"Unable to link with server xyz"

When the connection is lost after fully synced (eg: minutes later):
"Lost server link to xyz"

Important small changes (other than text):
* Log ERRORs from remote servers to the log (previously only shown to ircops)
* Some link errors could have been previously suppressed due to
  old code assuming other parts of the code would send or log the error
  (this would be the case for an error when calling SSL/TLS write functions)
* More?
2020-04-13 13:36:58 +02:00
Bram Matthys 870057d4f3 Add "./unrealircd genlinkblock" which spits out a link { } block. Hmm...
we'll see later if this is a good idea or not.. it has pros and cons.
2020-01-19 19:34:11 +01:00
Bram Matthys 9aff820d1a Find_* -> find_*, eg Find_alias -> find_alias. 2019-10-26 09:57:15 +02:00
Bram Matthys 86d15804a8 Document all functions in src/tls.c 2019-10-25 19:31:30 +02:00
Bram Matthys 3a64077f51 Use 'client' everywhere (if there is no confusion) instead of 'sptr' or 'cptr'.
This so I - and others - don't constantly have to wonder whether the client
is called sptr, cptr or acptr in a simple routine.
Insane --> 212 files changed, 6814 insertions(+), 6945 deletions(-)
Couldn't just mass-replace of course since there are places where there
are multiple clients involved. So had to check each function.
Also renamed some 'acptr' to 'target' and such.

I will write a page with new style rules later.. but in short if there is
only 1 client involved it will now be called 'client'.
2019-10-04 15:25:35 +02:00
Bram Matthys 9fc1e758ab Mass change of dst = strdup(str) to safe_strdup(dst,str) but with a manual
audit since 'dst' must now be initialized memory.
There's still a raw_strdup() if you insist.

This is step 2 of X of memory allocation changes
2019-09-14 16:58:01 +02:00
Bram Matthys de87b439b7 Update memory allocation routines. Step 1 of X. 2019-09-14 16:52:53 +02:00
Bram Matthys 70410b3f33 Remove unused variables (67 files done, will do rest another time). 2019-09-12 17:57:01 +02:00
Bram Matthys bf2c5110db IsPerson() -> IsUser(), MyClient() -> MyUser(), etc.
This so we have a few simple concepts:
Client: this can be a user, server, or something unknown yet
Then the type of clients:
User: this is a user, someone with a nick name.
Server: this is a server
Etc.
2019-09-11 17:43:17 +02:00
Bram Matthys 2df5326615 Overhaul of all client flag macros (mass renaming, always use getters/setters/checkers) 2019-09-11 16:00:47 +02:00
Bram Matthys 792709bf4f Move cptr->fd to cptr->local->fd. This may cause some crashes while
the rest of the code is audited / checked ;)
2019-09-11 14:21:07 +02:00
Bram Matthys 23116d344a Give structs the same name as the typedefs. Rename aClient to Client,
aChannel to Channel, and some more. Third party module coders will
love this. But.. it makes things more logical and the doxygen output
will look more clean and logical as well.
(More changes will follow)
2019-09-11 09:48:00 +02:00
Bram Matthys dd5d93ae77 Mostly cleanups / unimportant stuff. 2019-08-19 15:27:03 +02:00
Bram Matthys 0d2d4d5bca Rename match() and _match() to match_simple() -AND- invert the return value
of match_simple() and match_esc(). So, developers, be aware, this is how
you should use the function in a correct way:
if (match_simple("*fun*", str))
    printf("It was fun\n");

Rationale:
I've always been annoyed by the inversed logic, even though it was similar
to strcmp. So I've reverted it.
I could have chosen to maintain match() rather than this match_simple()
name, but this way I force (3rd party module) devs to update their function,
while otherwise everything would mysteriously fail due to the inverted logic.
2019-08-17 09:20:49 +02:00
Bram Matthys e1fcc3a667 Rename match() and _match() both to match_simple()
and get rid of the "bahamut optimized version".
Stage 1 of 2.
2019-08-17 09:15:34 +02:00
Bram Matthys c01c9248f5 Revert e428c77c47 (only to try again later) 2019-08-17 09:05:09 +02:00
Bram Matthys e428c77c47 match() -> match_nuh() and _match -> match_simple() 2019-08-17 08:56:18 +02:00
Bram Matthys 16f3b797e4 Use different OpenSSL functions that are more of a hassle but
also exist in older versions such as 1.0.1.
2019-08-15 09:02:42 +02:00
Bram Matthys ced8b0935d Check for and refuse to run with <2048 bits RSA keys. I hope nobody is
using 1024 bit RSA keys in 2019, but always better to check and inform
the admin about such a big mistake.
2019-08-15 08:52:28 +02:00
Bram Matthys 7fa2b8be05 More ssl -> tls moves. Also recommend to use 'certfp' rather than
the longer 'sslcertfp' or 'tlscertfp', we already support this since
4.0 so... updated the documentation as well.
2019-08-12 14:53:29 +02:00
Bram Matthys 2b0afacdf0 Rename of "ssl" to "tls" part 2 2019-08-12 14:35:32 +02:00