Nicole Kleinhoff [Thu, 11 Feb 2021 03:29:27 +0000 (03:29 +0000)]
nickserv/enforce: REGAIN: fix race condition
FNC semantics with most protocols are that services request the nick
change, but the actual nick change itself has to originate from the
user's own server. This means that we must wait for the Guest nick
change to be applied before changing the regaining user's nick, as
otherwise that change might be applied first on part of the network,
requiring an ircd-side resolution of the nick collision resulting from
this as the original person using the nick has not been renamed yet.
This probably still has a number of imperfections; it's essentially a
rebase of a handful of commits from almost two years ago and hasn't seen
much real-world testing yet.
chanserv: allow hiding AKICK entries from public ACLs
The PUBACL flag newly introduced in Atheme 7.3 allows channels to
make their access lists visible to the general public. Previously,
certain networks may have chosen to use custom modules or unsupported
modifications to enable similar functionality for their channels.
However, AKICK entries may have been excluded from such custom
functionality for historical or network policy reasons even though they
are technically equivalent to an ACL entry with the +b flag.
In the interest of helping such networks that wish to use the officially
supported PUBACL mechanism but need to preserve the behaviour of keeping
AKICK entries visible only to channel and network staff, this commit
adds an option to hide +b entries from channel access lists for users
without the +A channel access flag (or chan:auspex services privilege).
AKICK reasons and expiries (where used) - as exposed with the AKICK
command - remain accessible to authorized users only, no matter the
value of this option.
This arguably introduces potentially rather unintuitive behaviour in
silently pretending the applicable entries simply don't exist except for
the subset of users authorized to view them. Networks may wish to weigh
this against the perceived benefits of hiding AKICKs.
Aaron Jones [Sun, 7 Feb 2021 18:43:41 +0000 (18:43 +0000)]
dist/atheme.conf.example: several large improvements
- Re-wrap all paragraphs to 78 columns.
- Space out unrelated paragraphs to make scrolling quickly through the
file easier.
- Unify the format of warnings in comment blocks.
- Mention that SASLServ is an authentication service too.
- Replace "ircd" with "IRCd" and "email" with "e-mail".
- Remove some erroneous text referring to "core components" left
behind by commit c7858583106c9161b454.
- Make IRC /commands UPPERCASE.
- Comment out all of the StatServ modules by default.
- Clarify that exttargets are not experimental.
- Copy text from crypto::argon2_saltlen to crypto::pbkdf2v2_saltlen.
- Replace single-line /* comments */ with // comments.
- Change example e-mail addresses to invalid ones, lest the user
un-comment them without changing them, and start sending bogus
e-mails.
- Add missing denycmd log level to documentation for serverinfo{}.
- Comment out all of the default logfile directives.
It's not at all obvious that people would want these to be created
by default, given the abundance of personal information they would
end up containing.
- Where a configuration option accepts multiple semicolon-delimited
tokens, re-arrange them in alphabetical order.
- Replace "SSL" with "TLS".
- Eliminate massively-duplicated documentation for service::nick,
service::user, service::host, service::real, service::aliases and
service::access.
- Remove pointless text that says the foo{} block is for configuring
the foo modules. That much is obvious.
- Remove the modules/ prefix from documentation about options that
affect modules, and quote the module name.
- Quote XOP template names and flags.
- Add missing aliases{} and access{} blocks to pseudoservice blocks
which provide commands.
- Correct some grammatical errors.
- Move proxyscan{} up so that it is with the other pseudoservice
blocks.
chanserv/why: don't leak akick reason to users without +A/auspex
On channels with the PUBACL flag, we expose the flag listing to users
without any access as well. However, details about AKICK entries are
still gated behind the +A flag. This specifically includes the reason
(including the private part, if any).
Ensure users have +A or the chan:auspex privilege before revealing the
reason to them via the WHY command.
Aaron Jones [Sat, 6 Feb 2021 17:09:09 +0000 (17:09 +0000)]
include/atheme/attributes.h: add support for Clang object ownership
This enables Clang's static analyser to better diagnose memory logic
errors, such as use-after-free with custom (de)allocators.
Note that this currently trips up Clang's static analyser with false-
positive "bad deallocator" diagnostics, as it does not yet recognise
that sfree() can deallocate memory like free() will, and will suggest
that you should call free() on the object instead, even though sfree()
is marked with the appropriate attribute. This is a bug in Clang.
Aaron Jones [Tue, 2 Feb 2021 15:10:22 +0000 (15:10 +0000)]
modules/chanserv/: add module conflicts for ban & unban_self
Both of these modules provide an UNBAN command. Loading both would result
in a potentially-concerning mowgli.patricia duplicate key warning. The
example configuration file already tells you not to load both, and the
unban_self module is thus commented-out by default, but it still happens
that someone loads both because they want to UNCOMMENT ALL THE THINGS
without reading what they actually do.
Aaron Jones [Tue, 2 Feb 2021 14:57:45 +0000 (14:57 +0000)]
dist/atheme.conf.example: remove loadmodule lines for some main modules
Where a pseudoservice main module only provides scaffolding for its other
modules to do anything, there's no point in explicitly loading it anymore,
because I fixed those module dependencies with commit 2ed940b07ce48e0ed339.
This avoids some harmless "foo/main is already loaded" noise on startup.
Nicole Kleinhoff [Sat, 30 Jan 2021 05:05:12 +0000 (05:05 +0000)]
entity validation: provide match_user for default, groupserv vtables
Previously, callers were expected to call match_entity against a given
user's myuser if there was no match_user provided. Providing this logic
in match_user instead moves this from multiple call sites to the entity
validation implementation itself.
Notably, this affected chanserv/sync which only checked match_user
without checking match_entity, breaking auto-sync upon ACL changes.
jesopo [Wed, 20 Jan 2021 22:05:44 +0000 (22:05 +0000)]
use try_kick() instead of kick() for channels that have been CS CLOSEd
my proposed solution for #743, stolen from cs/akick.c, still sets the
closed channel modes but announces that it isn't kicking you because
you're oper/immune.
Nicole Kleinhoff [Mon, 30 Nov 2020 07:54:27 +0000 (07:54 +0000)]
command_exec: avoid crashing with security/cmdperm
Previously, if a custom command_authorize handler denied execution of a
command, the error message would unconditionally try to include the
command's normally required privilege (either from the command
definition or an access{} item in the configuration). In the case of a
command normally available without special privileges (such as
nickserv/help), this would cause a null pointer dereference.
In such a case, we now give a generic "you are not authorized"
message instead.
There are some cases where the error message is misleading – in
particular, it'll blame the failure on the defined privileges, even if
the failure is actually due to a custom security policy module
(including the case where the privileges are actually held by the user).
Improving this situation is out of the scope of this commit.
Aaron Jones [Sun, 29 Nov 2020 02:50:56 +0000 (02:50 +0000)]
modules/chanserv/akick: fix unload crash with akicks that have timeouts
The module did not take care to cancel any outstanding expiry timers on
deinit, leading the event loop to (eventually) call a function that no
longer exists.
If SOPER ADD is used on a config that contains the operclass being
added, and then the services database is used with a version of
services running a config that doesn't have that operclass in it,
services blows up on a NULL dereference when logging that soper in.
Aaron Jones [Thu, 22 Oct 2020 13:48:35 +0000 (13:48 +0000)]
modules/hostserv/request: small bugfixes, two new small features
- Fix memory leaks when removing a vhost request from the outstanding
requests list. Also consolidate the code responsible for this into
one function, to save having to repeat it 6 times.
- Add a silent rejection feature. If a rejection reason is provided,
and it is the string "SILENT", no memos or notices will be sent to
the user whose vhost is being rejected.
- Add an option restricting users from making a subsequent vhost
request until they no longer have an outstanding request that has
yet to be accepted or rejected.
Aaron Jones [Thu, 17 Sep 2020 16:45:43 +0000 (16:45 +0000)]
modules/crypto/pbkdf2: don't reject valid salts from v7.2
Atheme 7.2's random_string() function uses more than just hexadecimal
characters. This is essentially the same problem as fixed by the
previous commit; the original problem with the statserv module was
because of looking at the code in this function which was also
deficient in the same manner.
Aaron Jones [Thu, 17 Sep 2020 12:01:39 +0000 (12:01 +0000)]
modules/statserv/pwhashes: fix broken pbkdf2 (v1) test
The output length of this deprecated module is 144 characters,
not 140. Also, the first 16 characters are an entirely alphanumeric
salt, not a hexadecimal one.
This addresses a race condition where the user is "banned" on a channel
because all unregistered users are banned, preventing them from changing
their nick.
Many users are only ever exposed to the one-argument variant, and
require human assistance to get out of situations that could have been
resolved easily. For example, a user matching a +q $~a may find
themselves stuck on an alternate nick.
Attempt to mitigate this problem by making two-argument IDENTIFY more
prominent in help and nags.
Aaron Jones [Fri, 12 Jun 2020 08:20:43 +0000 (08:20 +0000)]
attributes.h: add support for the 'fallthrough' statement attribute
GCC parses literal code comments of the form /* FALLTHROUGH */ but
Clang does not; this statement attribute is a more concrete declaration
of intent supported by both compilers, and yet still readable by humans.
Supported since at least Clang v5, and since GCC v7.1.
Add the new statement attribute where missing to the codebase to finally
silence the unannotated fallthrough warnings emitted during Clang build.
Original commit by @lstarnes1024, edited by @aaronmdjones to further
remove the flag that it depended on, now that it has no use. Shuffling
the other flag up after it is okay because the only user of this flag
is saslserv/main, and reloading that will reload all other saslserv
modules anyway, so there is no ABI concern.
random_string() was changed to use a wider alphabet in commit 659dfb78fb35edf488ac, but the lengths of its consumers were not.
Bump these from 12 to 16 characters for even more prediction
resistance. I'm hesitant to go even further because people may
have to end up typing these out on mobile devices or such.
Aaron Jones [Thu, 30 Apr 2020 14:41:06 +0000 (14:41 +0000)]
modules/crypto/argon2: warn if building against very old libargon2
I cannot in my right mind fathom why Debian 9 ships with a 4-year-old
version of a cryptographic library, and not even a backport of a newer
version available, but it does, and there isn't.
This fixes building modules/crypto/argon2 on Debian 9.
Aaron Jones [Thu, 30 Apr 2020 14:14:53 +0000 (14:14 +0000)]
m4/atheme-libtest-*.m4: pkg-config: actually no-op on not found
Providing an empty action-if-not-found argument for PKG_CHECK_MODULES
doesn't stop ./configure from aborting. Actually do something (with no
effect) instead; we don't require any of these libraries.
This allows the configure script to succeed on a freshly-installed
machine without the libraries in question installed.
Further, warn the user that pkg-config is missing if it is. This is
necessary for a lot of the library detection tests, unless the user
manually specifies LIBFOO_CFLAGS and LIBFOO_LIBS on the ./configure
command-line, which we don't want to encourage, and is provided only
for compatibility with weird operating systems that install libraries
into paths that its toolchain does not look for libraries in.
Ed Kellett [Sun, 12 Apr 2020 15:37:02 +0000 (16:37 +0100)]
nickserv/info: Make private times more private
The previous approach rounded the elapsed time down to weeks, which does
reduce the resolution of last seen times to a week over one observation.
Unfortunately, if we're allowed multiple observations, we can zero in on
the time the low-resolution clock ticks over.
The solution used here is to reduce the resolution of the last-seen time
itself. Since the time is not changing, this happens the same way each
time, and subsequent observations reveal no information. This is not
perfect on its own: it discloses high-resolution information about users
who were last seen at the beginning of the current Atheme week, since
they couldn't have been last seen in the future. We deal with this by
representing both 0- and 1-week differences as "less than two
weeks ago".
Finally, this is of limited value as long as we reveal the
high-resolution fact that a user is online now. We dispense with this
and show an obfuscated time for private users regardless of
logged-in status.
During an saslserv/main reload, some modules (such as SCRAM) can end up
registering their mechanisms twice. We should ignore that; it pollutes
the mechanism list propagated to servers.
Aaron Jones [Thu, 27 Feb 2020 21:19:00 +0000 (21:19 +0000)]
modules/saslserv/scram: provide correct mechanism to use on mismatch
When a client tries to login with e.g. SCRAM-SHA-512 but their database
credentials were calculated with SHA2-256, indicate to the client that
SCRAM-SHA-256 is the only acceptable SASL SCRAM method for login. This
is done by recalculating a new SASL mechanism list, against a list of
mechanisms to /avoid/ putting into the list, and then sending that list
to the client (but not telling servers to set their general mechanism
list to it, as that would affect other clients). The list of mechanisms
to avoid is calculated based on the database credentials, which we only
know after receiving a username from the client.
As an aside, I am rather disappointed with the design of SCRAM, in
particular its choice to leave negotiation of digest algorithm out of
band. This would be much cleaner if the mechanism was just named "SCRAM"
(or "SCRAM-PLUS"), and the server could indicate (in the server's first
message) which digest algorithm the client should use to calculate
SaltedPassword, ClientKey, & ServerKey. As it stands, we can only fail
the mechanism if the digest algorithm implied by the SASL mechanism name
doesn't match the digest algorithm used to calculate the database
credentials, and then hope that the client eventually falls back to the
correct mechanism.
This commit aids that fallback process for IRCv3.1 networks (IRCv3.2
networks will have the full mechlist as a value of the sasl= capability,
so clients always know which mechanisms it should try). To that end, we
also put a note in the documentation that deploying SCRAM on IRCv3.1
networks is discouraged.
Aaron Jones [Tue, 18 Feb 2020 01:26:08 +0000 (01:26 +0000)]
libathemecore/atheme.c: move digest tests to crypto benchmark utility
This removes the -t and -T command-line options from atheme-services and
adds a -T option to the crypto benchmark utility. Atheme proper now un-
conditionally requires the digest testsuite to pass (because libathemecore
itself uses the Digest API), with no option to skip it. CI builds can now
invoke the testsuite from the crypto benchmarking utility.
Aaron Jones [Mon, 17 Feb 2020 20:20:57 +0000 (20:20 +0000)]
modules/crypto/: move legacy modules to subdirectory
This does not rename the modules themselves; you still load them with the
standard modules/crypto/ prefix. This is just to tidy up the source tree.
This also removes the modules/crypto/posix compatibility module. Please
see the Password Hashing Modules section of dist/atheme.conf.example if
you still use this module on v7.2 or older, for migration instructions.
Finally, document the ./configure options necessary to have each module
built, and elaborate on the distinction between pbkdf2 and pbkdf2v2.
Aaron Jones [Sun, 9 Feb 2020 12:46:26 +0000 (12:46 +0000)]
m4/: tidy up NLS logic
We shouldn't do all the NLS checks before parsing --enable-nls; it should
be the other way around: only do the checks if --enable-nls=yes was given.
Since all but one of our translations are currently broken, also change
the default from yes to no. This can be revisited after our translations
are brought up to scratch.
Aaron Jones [Thu, 6 Feb 2020 05:29:50 +0000 (05:29 +0000)]
m4/atheme-print-configuration: make even nicer output
Group lines by category, indent them some more, indicate which SASL
mechanisms are going to be built (some are always built, so this output
won't change, but they're just there for consistency's sake...).
Good news for all of those stuck in 1995: Aside from the build variables
(CC/CFLAGS/CPPFLAGS/LDFLAGS/LIBS), it all still fits into 80 columns, so
your VGA console can render it just fine.
Aaron Jones [Thu, 6 Feb 2020 05:16:54 +0000 (05:16 +0000)]
m4/atheme-libtest-rt.m4: rename to clock-gettime
This file tests whether we can use the clock_gettime(3) function, and
whether we need to link against -lrt to do so (as on older GNU libc...)
However, the functionality we're actually looking for is clock_gettime(3),
not whether we need -lrt or not, so don't name it after the library we
might need, but rather after the function we do need.
Aaron Jones [Sun, 2 Feb 2020 22:19:54 +0000 (22:19 +0000)]
Use #elif more to avoid pointless preprocessor soup
This looks *MUCH* better, and is also much more maintainable.
Also document, in libathemecore/memory_frontend.c, where various memory
comparison and wiping functions originated, and clean up some other
miscellaneous things.
Aaron Jones [Sun, 2 Feb 2020 11:24:28 +0000 (11:24 +0000)]
libathemecore/memory: support consttime_memequal & explicit_memset
These C library functions are present in NetBSD v7.0+ and possibly other
C libraries. On NetBSD they both require only <string.h>, which we
already include (by way of <atheme/stdheaders.h>).
Also move the preprocessor warning directive down to where it is actually
needed.
Aaron Jones [Sun, 2 Feb 2020 05:34:28 +0000 (05:34 +0000)]
doc/SASL-SCRAM: clarify setup instructions
- Explain the ./configure argument to force GNU libidn to be available
and what to look for when it prints its configuration.
- Reorder mechanisms in order of strength when asking to decide.
- Clarify that regular PBKDF2 credentials definitely allow impersonation,
and that this is why the SCRAM module does nothing if this style of
credentials is being used.
- Move loadmodule advice to next to eachother.
- Space everything out a bit more for readability.
- Directly discourage uncommenting the SCRAM loadmodule line in the
example configuration file without having read the documentation.
projects / irc / atheme / atheme.git / log
