X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/65f2c0a26355f9494733e6709c0a7d59ce7f120d..f0356d2a6f6447caa632667a04d4f5f0020a90d0:/ircd/s_serv.c diff --git a/ircd/s_serv.c b/ircd/s_serv.c index 58e086a4..83511349 100644 --- a/ircd/s_serv.c +++ b/ircd/s_serv.c @@ -20,8 +20,6 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA - * - * $Id: s_serv.c 3550 2007-08-09 06:47:26Z nenolod $ */ #include "stdinc.h" @@ -33,7 +31,6 @@ #include "s_serv.h" #include "class.h" #include "client.h" -#include "common.h" #include "hash.h" #include "match.h" #include "ircd.h" @@ -56,10 +53,6 @@ #include "capability.h" #include "s_assert.h" -#ifndef INADDR_NONE -#define INADDR_NONE ((unsigned int) 0xffffffff) -#endif - int MaxConnectionCount = 1; int MaxClientCount = 1; int refresh_user_links = 0; @@ -110,6 +103,7 @@ unsigned int CLICAP_ECHO_MESSAGE; void init_builtin_capabs(void) { + static struct ClientCapability high_priority = {.flags = CLICAP_FLAGS_PRIORITY}; serv_capindex = capability_index_create("server capabilities"); /* These two are not set via CAPAB/GCAP keywords. */ @@ -142,18 +136,19 @@ init_builtin_capabs(void) cli_capindex = capability_index_create("client capabilities"); - CLICAP_MULTI_PREFIX = capability_put(cli_capindex, "multi-prefix", NULL); - CLICAP_ACCOUNT_NOTIFY = capability_put(cli_capindex, "account-notify", NULL); - CLICAP_EXTENDED_JOIN = capability_put(cli_capindex, "extended-join", NULL); - CLICAP_AWAY_NOTIFY = capability_put(cli_capindex, "away-notify", NULL); - CLICAP_USERHOST_IN_NAMES = capability_put(cli_capindex, "userhost-in-names", NULL); + CLICAP_MULTI_PREFIX = capability_put(cli_capindex, "multi-prefix", &high_priority); + CLICAP_ACCOUNT_NOTIFY = capability_put(cli_capindex, "account-notify", &high_priority); + CLICAP_EXTENDED_JOIN = capability_put(cli_capindex, "extended-join", &high_priority); + CLICAP_AWAY_NOTIFY = capability_put(cli_capindex, "away-notify", &high_priority); + CLICAP_USERHOST_IN_NAMES = capability_put(cli_capindex, "userhost-in-names", &high_priority); CLICAP_CAP_NOTIFY = capability_put(cli_capindex, "cap-notify", NULL); - CLICAP_CHGHOST = capability_put(cli_capindex, "chghost", NULL); + CLICAP_CHGHOST = capability_put(cli_capindex, "chghost", &high_priority); CLICAP_ECHO_MESSAGE = capability_put(cli_capindex, "echo-message", NULL); } static CNCB serv_connect_callback; static CNCB serv_connect_ssl_callback; +static SSL_OPEN_CB serv_connect_ssl_open_callback; /* * hunt_server - Do the basic thing in delivering the message (command) @@ -263,7 +258,7 @@ try_connections(void *unused) struct server_conf *tmp_p; struct Class *cltmp; rb_dlink_node *ptr; - int connecting = FALSE; + bool connecting = false; int confrq = 0; time_t next = 0; @@ -275,7 +270,7 @@ try_connections(void *unused) continue; /* don't allow ssl connections if ssl isn't setup */ - if(ServerConfSSL(tmp_p) && (!ssl_ok || !get_ssld_count())) + if(ServerConfSSL(tmp_p) && (!ircd_ssl_ok || !get_ssld_count())) continue; cltmp = tmp_p->class; @@ -303,12 +298,12 @@ try_connections(void *unused) */ client_p = find_server(NULL, tmp_p->name); - if(!client_p && (CurrUsers(cltmp) < MaxUsers(cltmp)) && !connecting) + if(!client_p && (CurrUsers(cltmp) < MaxAutoconn(cltmp)) && !connecting) { server_p = tmp_p; /* We connect only one at time... */ - connecting = TRUE; + connecting = true; } if((next > tmp_p->hold) || (next == 0)) @@ -335,7 +330,7 @@ try_connections(void *unused) * error afterwards if it fails. * -- adrian */ - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Connection to %s activated", server_p->name); @@ -350,6 +345,9 @@ check_server(const char *name, struct Client *client_p) rb_dlink_node *ptr; int error = -1; const char *encr; + bool name_matched = false; + bool host_matched = false; + bool certfp_failed = false; s_assert(NULL != client_p); if(client_p == NULL) @@ -363,6 +361,8 @@ check_server(const char *name, struct Client *client_p) RB_DLINK_FOREACH(ptr, server_conf_list.head) { + struct rb_sockaddr_storage client_addr; + tmp_p = ptr->data; if(ServerConfIllegal(tmp_p)) @@ -371,14 +371,21 @@ check_server(const char *name, struct Client *client_p) if(!match(tmp_p->name, name)) continue; - error = -3; + name_matched = true; + + if(rb_inet_pton_sock(client_p->sockhost, &client_addr) <= 0) + SET_SS_FAMILY(&client_addr, AF_UNSPEC); - /* XXX: Fix me for IPv6 */ - /* XXX sockhost is the IPv4 ip as a string */ - if(match(tmp_p->host, client_p->host) || - match(tmp_p->host, client_p->sockhost)) + if((tmp_p->connect_host && match(tmp_p->connect_host, client_p->host)) + || (GET_SS_FAMILY(&client_addr) == GET_SS_FAMILY(&tmp_p->connect4) + && comp_with_mask_sock((struct sockaddr *)&client_addr, + (struct sockaddr *)&tmp_p->connect4, 32)) + || (GET_SS_FAMILY(&client_addr) == GET_SS_FAMILY(&tmp_p->connect6) + && comp_with_mask_sock((struct sockaddr *)&client_addr, + (struct sockaddr *)&tmp_p->connect6, 128)) + ) { - error = -2; + host_matched = true; if(tmp_p->passwd) { @@ -400,8 +407,10 @@ check_server(const char *name, struct Client *client_p) if(tmp_p->certfp) { - if(!client_p->certfp || strcasecmp(tmp_p->certfp, client_p->certfp) != 0) + if(!client_p->certfp || rb_strcasecmp(tmp_p->certfp, client_p->certfp) != 0) { + certfp_failed = true; continue; + } } server_p = tmp_p; @@ -410,13 +419,28 @@ check_server(const char *name, struct Client *client_p) } if(server_p == NULL) + { + /* return the most specific error */ + if(certfp_failed) + error = -6; + else if(host_matched) + error = -2; + else if(name_matched) + error = -3; + return error; + } if(ServerConfSSL(server_p) && client_p->localClient->ssl_ctl == NULL) { return -5; } + if (client_p->localClient->att_sconf && client_p->localClient->att_sconf->class == server_p->class) { + /* this is an outgoing connection that is already attached to the correct class */ + } else if (CurrUsers(server_p->class) >= MaxUsers(server_p->class)) { + return -7; + } attach_server_conf(client_p, server_p); /* clear ZIP/TB if they support but we dont want them */ @@ -438,7 +462,6 @@ check_server(const char *name, struct Client *client_p) * - int flag of capabilities that this server has * output - NONE * side effects - send the CAPAB line to a server -orabidoo - * */ void send_capabilities(struct Client *client_p, unsigned int cap_can_send) @@ -482,7 +505,7 @@ burst_ban(struct Client *client_p) * to other servers, so rewrite to our server * name. */ - rb_strlcpy(operbuf, aconf->info.oper, sizeof buf); + rb_strlcpy(operbuf, aconf->info.oper, sizeof operbuf); p = strrchr(operbuf, '{'); if (p != NULL && operbuf + sizeof operbuf - p > (ptrdiff_t)(melen + 2)) @@ -528,7 +551,7 @@ burst_modes_TS6(struct Client *client_p, struct Channel *chptr, me.id, (long) chptr->channelts, chptr->chname, flag); t = buf + mlen; - RB_DLINK_FOREACH(ptr, list->head) + RB_DLINK_FOREACH_PREV(ptr, list->tail) { banptr = ptr->data; @@ -598,6 +621,9 @@ burst_TS6(struct Client *client_p) if(!IsPerson(target_p)) continue; + if(MyClient(target_p->from) && target_p->localClient->att_sconf != NULL && ServerConfNoExport(target_p->localClient->att_sconf)) + continue; + send_umode(NULL, target_p, 0, ubuf); if(!*ubuf) { @@ -644,6 +670,12 @@ burst_TS6(struct Client *client_p) use_id(target_p), target_p->user->away); + if(IsOper(target_p) && target_p->user && target_p->user->opername && target_p->user->privset) + sendto_one(client_p, ":%s OPER %s %s", + use_id(target_p), + target_p->user->opername, + target_p->user->privset->name); + hclientinfo.target = target_p; call_hook(h_burst_client, &hclientinfo); } @@ -782,7 +814,7 @@ server_estab(struct Client *client_p) if((server_p = client_p->localClient->att_sconf) == NULL) { /* This shouldn't happen, better tell the ops... -A1kmm */ - sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Warning: Lost connect{} block for server %s!", host); return exit_client(client_p, client_p, client_p, "Lost connect{} block!"); } @@ -800,19 +832,6 @@ server_estab(struct Client *client_p) /* Its got identd , since its a server */ SetGotId(client_p); - /* If there is something in the serv_list, it might be this - * connecting server.. - */ - if(!ServerInfo.hub && serv_list.head) - { - if(client_p != serv_list.head->data || serv_list.head->next) - { - ServerStats.is_ref++; - sendto_one(client_p, "ERROR :I'm a leaf not a hub"); - return exit_client(client_p, client_p, client_p, "I'm a leaf"); - } - } - if(IsUnknown(client_p)) { /* the server may be linking based on certificate fingerprint now. --nenolod */ @@ -820,7 +839,7 @@ server_estab(struct Client *client_p) EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id); /* pass info to new server */ - send_capabilities(client_p, default_server_capabs + send_capabilities(client_p, default_server_capabs | CAP_MASK | (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0) | (ServerConfTb(server_p) ? CAP_TB : 0)); @@ -838,14 +857,13 @@ server_estab(struct Client *client_p) { start_zlib_session(client_p); } - sendto_one(client_p, "SVINFO %d %d 0 :%ld", TS_CURRENT, TS_MIN, (long int)rb_current_time()); client_p->servptr = &me; if(IsAnyDead(client_p)) return CLIENT_EXITED; - SetServer(client_p); + sendto_one(client_p, "SVINFO %d %d 0 :%ld", TS_CURRENT, TS_MIN, (long int)rb_current_time()); rb_dlinkAdd(client_p, &client_p->lnode, &me.serv->servers); rb_dlinkMoveNode(&client_p->localClient->tnode, &unknown_list, &serv_list); @@ -857,6 +875,7 @@ server_estab(struct Client *client_p) add_to_client_hash(client_p->name, client_p); /* doesnt duplicate client_p->serv if allocated this struct already */ make_server(client_p); + SetServer(client_p); client_p->serv->caps = client_p->localClient->caps; @@ -904,6 +923,9 @@ server_estab(struct Client *client_p) if(target_p == client_p) continue; + if(target_p->localClient->att_sconf != NULL && ServerConfNoExport(target_p->localClient->att_sconf)) + continue; + if(has_id(target_p) && has_id(client_p)) { sendto_one(target_p, ":%s SID %s 2 %s :%s%s", @@ -952,6 +974,10 @@ server_estab(struct Client *client_p) if(IsMe(target_p) || target_p->from == client_p) continue; + /* don't distribute downstream leaves of servers that are no-export */ + if(MyClient(target_p->from) && target_p->from->localClient->att_sconf != NULL && ServerConfNoExport(target_p->from->localClient->att_sconf)) + continue; + /* presumption, if target has an id, so does its uplink */ if(has_id(client_p) && has_id(target_p)) sendto_one(client_p, ":%s SID %s %d %s :%s%s", @@ -1012,7 +1038,8 @@ int serv_connect(struct server_conf *server_p, struct Client *by) { struct Client *client_p; - struct rb_sockaddr_storage myipnum; + struct sockaddr_storage sa_connect[2]; + struct sockaddr_storage sa_bind[ARRAY_SIZE(sa_connect)]; char note[HOSTLEN + 10]; rb_fde_t *F; @@ -1020,16 +1047,66 @@ serv_connect(struct server_conf *server_p, struct Client *by) if(server_p == NULL) return 0; + for (int i = 0; i < ARRAY_SIZE(sa_connect); i++) { + SET_SS_FAMILY(&sa_connect[i], AF_UNSPEC); + SET_SS_FAMILY(&sa_bind[i], AF_UNSPEC); + } + + if(server_p->aftype == AF_UNSPEC + && GET_SS_FAMILY(&server_p->connect4) == AF_INET + && GET_SS_FAMILY(&server_p->connect6) == AF_INET6) + { + if(rand() % 2 == 0) + { + sa_connect[0] = server_p->connect4; + sa_connect[1] = server_p->connect6; + sa_bind[0] = server_p->bind4; + sa_bind[1] = server_p->bind6; + } + else + { + sa_connect[0] = server_p->connect6; + sa_connect[1] = server_p->connect4; + sa_bind[0] = server_p->bind6; + sa_bind[1] = server_p->bind4; + } + } + else if(server_p->aftype == AF_INET || GET_SS_FAMILY(&server_p->connect4) == AF_INET) + { + sa_connect[0] = server_p->connect4; + sa_bind[0] = server_p->bind4; + } + else if(server_p->aftype == AF_INET6 || GET_SS_FAMILY(&server_p->connect6) == AF_INET6) + { + sa_connect[0] = server_p->connect6; + sa_bind[0] = server_p->bind6; + } + /* log */ - rb_inet_ntop_sock((struct sockaddr *)&server_p->my_ipnum, buf, sizeof(buf)); - ilog(L_SERVER, "Connect to *[%s] @%s", server_p->name, buf); +#ifdef HAVE_LIBSCTP + if (ServerConfSCTP(server_p) && GET_SS_FAMILY(&sa_connect[1]) != AF_UNSPEC) { + char buf2[HOSTLEN + 1]; + + buf[0] = 0; + buf2[0] = 0; + rb_inet_ntop_sock((struct sockaddr *)&sa_connect[0], buf, sizeof(buf)); + rb_inet_ntop_sock((struct sockaddr *)&sa_connect[1], buf2, sizeof(buf2)); + ilog(L_SERVER, "Connect to *[%s] @%s&%s", server_p->name, buf, buf2); + } else { +#else + { +#endif + buf[0] = 0; + rb_inet_ntop_sock((struct sockaddr *)&sa_connect[0], buf, sizeof(buf)); + ilog(L_SERVER, "Connect to *[%s] @%s", server_p->name, buf); + } /* * Make sure this server isn't already connected */ if((client_p = find_server(NULL, server_p->name))) { - sendto_realops_snomask(SNO_GENERAL, L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Server %s already present from %s", server_p->name, client_p->name); if(by && IsPerson(by) && !MyClient(by)) @@ -1038,9 +1115,28 @@ serv_connect(struct server_conf *server_p, struct Client *by) return 0; } + if (CurrUsers(server_p->class) >= MaxUsers(server_p->class)) { + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, + "No more connections allowed in class \"%s\" for server %s", + server_p->class->class_name, server_p->name); + if(by && IsPerson(by) && !MyClient(by)) + sendto_one_notice(by, ":No more connections allowed in class \"%s\" for server %s", + server_p->class->class_name, server_p->name); + return 0; + } + /* create a socket for the server connection */ - if((F = rb_socket(GET_SS_FAMILY(&server_p->my_ipnum), SOCK_STREAM, 0, NULL)) == NULL) - { + if(GET_SS_FAMILY(&sa_connect[0]) == AF_UNSPEC) { + ilog_error("unspecified socket address family"); + return 0; +#ifdef HAVE_LIBSCTP + } else if (ServerConfSCTP(server_p)) { + if ((F = rb_socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP, NULL)) == NULL) { + ilog_error("opening a stream socket"); + return 0; + } +#endif + } else if ((F = rb_socket(GET_SS_FAMILY(&sa_connect[0]), SOCK_STREAM, IPPROTO_TCP, NULL)) == NULL) { ilog_error("opening a stream socket"); return 0; } @@ -1054,16 +1150,15 @@ serv_connect(struct server_conf *server_p, struct Client *by) /* Copy in the server, hostname, fd */ rb_strlcpy(client_p->name, server_p->name, sizeof(client_p->name)); - rb_strlcpy(client_p->host, server_p->host, sizeof(client_p->host)); + if(server_p->connect_host) + rb_strlcpy(client_p->host, server_p->connect_host, sizeof(client_p->host)); + else + rb_strlcpy(client_p->host, buf, sizeof(client_p->host)); rb_strlcpy(client_p->sockhost, buf, sizeof(client_p->sockhost)); client_p->localClient->F = F; /* shove the port number into the sockaddr */ -#ifdef RB_IPV6 - if(GET_SS_FAMILY(&server_p->my_ipnum) == AF_INET6) - ((struct sockaddr_in6 *)&server_p->my_ipnum)->sin6_port = htons(server_p->port); - else -#endif - ((struct sockaddr_in *)&server_p->my_ipnum)->sin_port = htons(server_p->port); + SET_SS_PORT(&sa_connect[0], htons(server_p->port)); + SET_SS_PORT(&sa_connect[1], htons(server_p->port)); /* * Set up the initial server evilness, ripped straight from @@ -1091,65 +1186,38 @@ serv_connect(struct server_conf *server_p, struct Client *by) */ make_server(client_p); if(by && IsClient(by)) - strcpy(client_p->serv->by, by->name); + rb_strlcpy(client_p->serv->by, by->name, sizeof(client_p->serv->by)); else strcpy(client_p->serv->by, "AutoConn."); SetConnecting(client_p); rb_dlinkAddTail(client_p, &client_p->node, &global_client_list); - if(ServerConfVhosted(server_p)) - { - memcpy(&myipnum, &server_p->my_ipnum, sizeof(myipnum)); - ((struct sockaddr_in *)&myipnum)->sin_port = 0; - SET_SS_FAMILY(&myipnum, GET_SS_FAMILY(&server_p->my_ipnum)); - - } - else if(GET_SS_FAMILY(&server_p->my_ipnum) == AF_INET && ServerInfo.specific_ipv4_vhost) - { - memcpy(&myipnum, &ServerInfo.ip, sizeof(myipnum)); - ((struct sockaddr_in *)&myipnum)->sin_port = 0; - SET_SS_FAMILY(&myipnum, AF_INET); - SET_SS_LEN(&myipnum, sizeof(struct sockaddr_in)); + for (int i = 0; i < ARRAY_SIZE(sa_connect); i++) { + if (GET_SS_FAMILY(&sa_bind[i]) == AF_UNSPEC) { + if (GET_SS_FAMILY(&sa_connect[i]) == GET_SS_FAMILY(&ServerInfo.bind4)) + sa_bind[i] = ServerInfo.bind4; + if (GET_SS_FAMILY(&sa_connect[i]) == GET_SS_FAMILY(&ServerInfo.bind6)) + sa_bind[i] = ServerInfo.bind6; + } } -#ifdef RB_IPV6 - else if((GET_SS_FAMILY(&server_p->my_ipnum) == AF_INET6) && ServerInfo.specific_ipv6_vhost) +#ifdef HAVE_LIBSCTP + if (ServerConfSCTP(server_p)) { + rb_connect_sctp(client_p->localClient->F, + sa_connect, ARRAY_SIZE(sa_connect), sa_bind, ARRAY_SIZE(sa_bind), + ServerConfSSL(server_p) ? serv_connect_ssl_callback : serv_connect_callback, + client_p, ConfigFileEntry.connect_timeout); + } else { +#else { - memcpy(&myipnum, &ServerInfo.ip6, sizeof(myipnum)); - ((struct sockaddr_in6 *)&myipnum)->sin6_port = 0; - SET_SS_FAMILY(&myipnum, AF_INET6); - SET_SS_LEN(&myipnum, sizeof(struct sockaddr_in6)); - } #endif - else - { - if(ServerConfSSL(server_p)) - { - rb_connect_tcp(client_p->localClient->F, - (struct sockaddr *)&server_p->my_ipnum, NULL, 0, - serv_connect_ssl_callback, client_p, - ConfigFileEntry.connect_timeout); - } - else - rb_connect_tcp(client_p->localClient->F, - (struct sockaddr *)&server_p->my_ipnum, NULL, 0, - serv_connect_callback, client_p, - ConfigFileEntry.connect_timeout); - - return 1; + rb_connect_tcp(client_p->localClient->F, + (struct sockaddr *)&sa_connect[0], + GET_SS_FAMILY(&sa_bind[0]) == AF_UNSPEC ? NULL : (struct sockaddr *)&sa_bind[0], + ServerConfSSL(server_p) ? serv_connect_ssl_callback : serv_connect_callback, + client_p, ConfigFileEntry.connect_timeout); } - if(ServerConfSSL(server_p)) - rb_connect_tcp(client_p->localClient->F, (struct sockaddr *)&server_p->my_ipnum, - (struct sockaddr *)&myipnum, - GET_SS_LEN(&myipnum), serv_connect_ssl_callback, client_p, - ConfigFileEntry.connect_timeout); - else - rb_connect_tcp(client_p->localClient->F, (struct sockaddr *)&server_p->my_ipnum, - (struct sockaddr *)&myipnum, - GET_SS_LEN(&myipnum), serv_connect_callback, client_p, - ConfigFileEntry.connect_timeout); - return 1; } @@ -1173,15 +1241,22 @@ serv_connect_ssl_callback(rb_fde_t *F, int status, void *data) } client_p->localClient->F = xF[0]; + client_p->localClient->ssl_callback = serv_connect_ssl_open_callback; - client_p->localClient->ssl_ctl = start_ssld_connect(F, xF[1], rb_get_fd(xF[0])); + client_p->localClient->ssl_ctl = start_ssld_connect(F, xF[1], connid_get(client_p)); if(!client_p->localClient->ssl_ctl) { serv_connect_callback(client_p->localClient->F, RB_ERROR, data); return; } SetSSL(client_p); - serv_connect_callback(client_p->localClient->F, RB_OK, client_p); +} + +static int +serv_connect_ssl_open_callback(struct Client *client_p, int status) +{ + serv_connect_callback(client_p->localClient->F, status, client_p); + return 1; /* suppress default exit_client handler for status != RB_OK */ } /* @@ -1225,9 +1300,9 @@ serv_connect_callback(rb_fde_t *F, int status, void *data) /* COMM_ERR_TIMEOUT wont have an errno associated with it, * the others will.. --fl */ - if(status == RB_ERR_TIMEOUT) + if(status == RB_ERR_TIMEOUT || status == RB_ERROR_SSL) { - sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Error connecting to %s[%s]: %s", client_p->name, "255.255.255.255", @@ -1239,7 +1314,7 @@ serv_connect_callback(rb_fde_t *F, int status, void *data) else { errstr = strerror(rb_get_sockerr(F)); - sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Error connecting to %s[%s]: %s (%s)", client_p->name, "255.255.255.255", @@ -1257,12 +1332,24 @@ serv_connect_callback(rb_fde_t *F, int status, void *data) /* Get the C/N lines */ if((server_p = client_p->localClient->att_sconf) == NULL) { - sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL, "Lost connect{} block for %s", + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Lost connect{} block for %s", client_p->name); exit_client(client_p, client_p, &me, "Lost connect{} block"); return; } + if(server_p->certfp && (!client_p->certfp || rb_strcasecmp(server_p->certfp, client_p->certfp) != 0)) + { + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, + "Connection to %s has invalid certificate fingerprint %s", + client_p->name, client_p->certfp); + ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s", + client_p->certfp, log_client_name(client_p, SHOW_IP)); + + exit_client(client_p, client_p, &me, "Invalid fingerprint."); + return; + } + /* Next, send the initial handshake */ SetHandshake(client_p); @@ -1271,7 +1358,7 @@ serv_connect_callback(rb_fde_t *F, int status, void *data) EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id); /* pass my info to the new server */ - send_capabilities(client_p, default_server_capabs + send_capabilities(client_p, default_server_capabs | CAP_MASK | (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0) | (ServerConfTb(server_p) ? CAP_TB : 0)); @@ -1285,7 +1372,7 @@ serv_connect_callback(rb_fde_t *F, int status, void *data) */ if(IsAnyDead(client_p)) { - sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL, + sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "%s went dead during handshake", client_p->name); exit_client(client_p, client_p, &me, "Went dead during handshake"); return;