Aaron Jones [Fri, 15 Jul 2022 01:09:02 +0000 (01:09 +0000)]
modules/chanserv/close: check correct flags variable for log target
A user reported that the ChanServ CLOSE command was not working for
their channel, saying that the channel could not be closed.
MC_HOLD and CHAN_LOG both have the same value (1), but the former is
for flags in `struct mychan`, and the latter is for `struct channel`.
This lead me to believe that the channel was defined as a log target,
when in reality it was checking the wrong flags field and deducing
that the channel was a log target because it was held.
The IRCv3.1 SASL specification contains the following wording:
If the client completes registration (with CAP END, NICK, USER
and any other necessary messages) while the SASL authentication
is still in progress, the server SHOULD abort it and send a 906
numeric, then register the client without authentication.
We were relying on this behaviour (which was our mistake; it's a
SHOULD, not a MUST), which turned out to be implemented in every
IRC server daemon (that supports SASL) that we are aware of. This
means that if someone completes registration without having completed
an SASL negotiation, the SASL session would be aborted before the
client is introduced to the network. At that point, the session would
not exist and the client would not be logged in.
The InspIRCd developers changed this behaviour in the
inspircd/inspircd@407b2e004cf66e442771 commit. It no longer aborts
negotiation when a client prematurely completes registration.
This means that if the client is attempting a multi-step (challenge-
response) authentication mechanism, and that mechanism caches user
credentials at some point before completion, the client can pre-
maturely end negotiation and get logged in as that user.
Worse still, SASL impersonation lets the attacker set the authzid to
their intended victim, allowing them to login as anyone, even if they
don't have a challenge-response authentication credential configured.
This does not exist in version 7.1; the victim's account there has to
have such a credential to be vulnerable to this attack.
Vulnerable configurations are as follows:
- All of:
- InspIRCd 3+
- Any of:
- Atheme 7.1 (any version)
- Atheme 7.2 (any version before 7.2.12; this commit)
- Atheme 7.3 (any version before commit 4e664c75d0b280a052eb)
- Any of:
- The saslserv/scram module is loaded
- The saslserv/ecdh-x25519-challenge module is loaded
- The saslserv/ecdsa-nist256p-challenge module is loaded
This is a fix for a security vulnerability. The master (7.3) branch
was already fixed in 4e664c75d0b280a052eb, but the scope of the
problem was not fully known at that time. The 7.1 branch is no longer
supported, is not receiving security updates, and will not be patched;
users of the 7.1 series (using an IRCd that does not abort the SASL
session when the client prematurely completes registration) must
upgrade, or unload the `saslserv/ecdsa-nist256p-challenge` module.
This problem was discovered by and reported by @edk0.
Aaron Jones [Thu, 18 Mar 2021 21:10:55 +0000 (21:10 +0000)]
modules/contrib/: transition to independent build system
Having to duplicate configure tests in all supported Atheme release and
development branches, to enable contrib modules to be built reliably on
all of our supported platforms, was quickly becoming untenable.
Aaron Jones [Thu, 11 Mar 2021 20:03:24 +0000 (20:03 +0000)]
configure: put directory macros in a header file, not in CPPFLAGS
This will be necessary for my near-future intention to change the contrib
modules repository to be self-building; i.e. to have its own configure
script and build system.
Also don't try to expand directories like MODDIR for pretty printing,
because it sometimes doesn't work depending on the directory arguments
given to ./configure. Yeah, the config output looks worse, but oh well.
Aaron Jones [Tue, 2 Mar 2021 05:43:18 +0000 (05:43 +0000)]
include/mkserno.sh: exit early in presence of an environment variable
This makes life easier for people who want to package snapshots
of a git branch. They must provide their own serno.h in this
case, containing also, perhaps, the date the snapshot was
downloaded or such.
Aaron Jones [Sun, 28 Feb 2021 14:49:10 +0000 (14:49 +0000)]
Git tree (not tarballs): include/mkserno.sh: remove --broken switch
Some very old gits do not support this; it was added in 2.13.0 (2017).
We already sort of detect broken submodules in the configure script,
so this should be safe to remove. Unless the user deliberately
corrupts their repository, there's no difference.
Nicole Kleinhoff [Fri, 19 Feb 2021 07:43:40 +0000 (07:43 +0000)]
libathemecore/conf.c: fix minor memory leak with hide_xop
The entries in global_template_dict are heap-allocated structures;
hide_xop was deleting the entries without freeing them, leaking a few
bytes each time the config was loaded.
Aaron Jones [Sun, 29 Nov 2020 03:15:51 +0000 (03:15 +0000)]
modules/chanserv/akick: fix unload crash with akicks that have timeouts
The module did not take care to cancel any outstanding expiry timers on
deinit, leading the event loop to (eventually) call a function that no
longer exists.
Nicole Kleinhoff [Wed, 18 Dec 2019 19:12:02 +0000 (19:12 +0000)]
Add SECURITY.md
Quick summary:
- we'll support the current and previous release series once 7.3 is out
(for now, only 7.2 is supported)
- poke us on IRC or email security@atheme.org to report stuff
- we do coordinated disclosure, full disclosure after two weeks
Aaron Jones [Thu, 5 Jul 2018 14:06:06 +0000 (14:06 +0000)]
modules/crypto/pbkdf2v2: fix regression from v7.2.9
Interoperability tests were performed between 7.2.9 and master,
and 7.2.10 and master, but not 7.2.9 and 7.2.10. 7.2.10 and
master use base64-encoded salts for new hashes, and master has
a verify function which doesn't require string-equal output.
However, 7.2 doesn't have that feature, so crypt() must output
a string-equal hash to all of the previous outputs over all
versions. What I failed to notice was that crypt() was assuming
the salt was base64-encoded, so if it wasn't, password
verification would fail; the hash is the same byte-wise, but it
is encoded as a string differently.
While we're at it, make sure the parameter upgrade system takes
account of various salt lengths, allow the user to configure a
different salt length (as if on master), and make sure we erase
the password from the stack after we're done with it.
Aaron Jones [Wed, 28 Feb 2018 11:50:04 +0000 (11:50 +0000)]
modules/crypto/argon2d.c: argon2d_hash_raw(): fix uninitialised data path
If the first blake2b_long() call in argon2d_hash_raw() fails, it would pass
uninitialised data in bhash_bytes[] to argon2d_load_block(). Similarly if
the second call fails, same thing. Lastly, the return value should depend on
whether the final call succeeds.
Fix this by testing if it fails, and add a function attribute to all boolean
functions that will result in a diagnostic if their return value is not
tested (or under Clang, explicitly discarded). Adjust other callers of those
functions to also test for failure.
This issue was found by the Clang static analyzer.
groupserv/main: write out group definitions before their access lists
If a group '!a' includes an access list entry for group '!b' (which is
lexicographically after) then upon read-back (when restarting services)
the access list contains an entry for a (for the moment) non-existent
group which is ignored. This results in data loss.
The fix is simple: Write out all group definitions (& their flags and
metadata) and then all group access lists.
Reported-by: Samuel Hoffman <redacted> (sjh) Reported-by: Aaron M. D. Jones <redacted> (amdj) Reviewed-by: Janik Kleinhoff <redacted> (ilbelkyr)
modules/crypto/pbkdf2v2: don't ask OpenSSL for digest length
We know it's only ever going to be SHA1 (20 bytes), SHA2-256 (32 bytes)
or SHA2-512 (64 bytes), and we're already in a switch() statement
converting a PRF ID into a digest algorithm, so we may as well set the
digest length in there too.
Aaron Jones [Sun, 22 Oct 2017 02:24:39 +0000 (02:24 +0000)]
modules/crypto/pbkdf2v2: reduce size of sscanf(3) buffers
0x2000 (8 KiB) is definitely sufficient to mitigate any potential
inadvertant overflow, and an attacker with a crafted malicious
database would have been able to overflow the old 0x8000 (32 KiB)
buffers anyway.
Aaron Jones [Sun, 22 Oct 2017 02:24:18 +0000 (02:24 +0000)]
modules/crypto/argon2d: reduce size of sscanf(3) buffers
0x2000 (8 KiB) is definitely sufficient to mitigate any potential
inadvertant overflow, and an attacker with a crafted malicious
database would have been able to overflow the old 0x8000 (32 KiB)
buffers anyway.
Aaron Jones [Sun, 15 Oct 2017 14:31:46 +0000 (14:31 +0000)]
modules/crypto/pbkdf2v2: add support for HMAC-SHA1
The master branch (what will become 7.3) got this too, but it was
added there for future possibility of implementing SASL SCRAM support.
We will not be implementing support for SCRAM in version 7.2, but
people who used the pbkdf2v2 module with SHA1 in version 7.3 might
want to downgrade to version 7.2, so we need support for verifying
those hashes too.
Aaron Jones [Sun, 15 Oct 2017 11:01:45 +0000 (11:01 +0000)]
modules/crypto/argon2d: don't mix format strings for scanning & printing
The inttypes.h header provides format specifier macros for scanning, so
use those for parsing instead of the printing ones, just incase we're
building on a machine where they are different.
Aaron Jones [Thu, 5 Oct 2017 22:56:41 +0000 (22:56 +0000)]
modules/crypto/posix: fix potential NULL deref on password verify
If we have an encrypted password from the database that does not
contain a '$' in it (as is the case for the original deprecated
pbkdf2 module) then when posix tries to verify the hash it will
segfault because we assume a '$' is present.