Aaron Jones [Sun, 19 Nov 2023 11:47:24 +0000 (11:47 +0000)]
MODRESTART/MODRELOAD: Defer reloading more quickly
Commit 41390bfe5fa3895b8dee fixed a bug whereby the processing
of a MODRESTART command could result in a crash. The approach
taken in this fix was to defer the reloading of all modules
so that the call stack does not contain functions located in
modules that are being reloaded. It did this by scheduling a
one-shot timer event for 1 second in the future, in the absense
of any better deferral mechanism at the time. Timers are
processed by the event loop, which is core to IRCd and cannot
be reloaded.
Commit 59ea3c6753e80d051b20 introduced a mechanism to defer the
execution of a function until all events have been processed by
the event loop, in order to fix a REHASH bug that could result
in a crash due to closing and reopening listener sockets with a
pending socket connection event to process after the REHASH was
completed.
Aaron Jones [Thu, 15 Jun 2023 22:32:12 +0000 (22:32 +0000)]
ircd/listener: return a fatal TLS alert for early rejected TLS clients
This is in furtherance of commit 3fdf26aa19628d5e12a3 which added
functionality to reply with a TLS record layer alert for D-Lined TLS
clients. It turns out that there are other plaintext error messages
in this same function that should receive the same treatment.
Also move another error string to a variable and use a compile-time
optimised-out strlen for it too, to use the same approach as an
existing error string.
Finally, use a different alert (internal_error) for the case where
IRCd is simply unable to accept more connections.
client: refactor del_all_accepts to allow skipping own accept list
This allows reusing this function for other uses that just need to
remove this client from others' accept lists on nick change and not have
duplicates of this code everywhere
Aaron Jones [Wed, 4 Oct 2023 18:54:05 +0000 (18:54 +0000)]
modules/m_oper.c: give a better error message for failure to find o:line
The snotice sent to other opers can be misleading. For example, it will say
host mismatch even if the host is correct but the username is wrong, or if
the oper name given does not exist in the configuration.
Aaron Jones [Wed, 4 Oct 2023 18:52:47 +0000 (18:52 +0000)]
modules/m_challenge.c: give a better error message for failure to find o:line
The snotice sent to other opers can be misleading. For example, it will say
host mismatch even if the host is correct but the username is wrong, or if
the oper name given does not exist in the configuration.
Ed Kellett [Sun, 5 Nov 2023 22:05:41 +0000 (22:05 +0000)]
Delay rehashing until we're not processing events
Fixes crash introduced by 0ab6dbbc651ddd1c26cb7baa6e6cf86890a4abd2. It's
probably a regression since it defeats a system designed to stop this
from happening, but I didn't dig through the history.
rehash() closes listeners. If we happen to get a single epoll() result
that wants to first rehash and then accept a connection, the epoll info
will point to a freed rb_fde_t. Other selectors should have similar
problems, but we didn't investigate that.
rb_fde_ts are normally batched up and freed outside the event
processing, but as of the above commit close_listeners() screws that up
by closing pending FDs immediately in order to create new listeners.
I think it might be a bit better to revert this behaviour and simply not
close listeners if we are going to open new ones over them, but have
opted for the smallest reasonable change I can think of.
Doug Freed [Thu, 22 Jun 2023 23:11:35 +0000 (23:11 +0000)]
modules: quietly succeed at loading a module if already loaded
This allows explicitly loading a module in the config so it's available
for later config items that might need it, and skips the double load
when main loads all modules, which would cause errors
Doug Freed [Fri, 23 Jun 2023 00:00:55 +0000 (00:00 +0000)]
modules: clear module list and mod paths in init
If main is called more than once (like in tests), everything is
reinitialized except the loaded module list and module paths, so clear
them too so that modules are loaded again and the path list is correct.
Doug Freed [Wed, 16 Nov 2022 21:44:25 +0000 (16:44 -0500)]
chmode: convert bants to a proper serial
This way it increments for every change. It need not be a timestamp, as
its actual value is not important.
This fixes an issue where a ban could be set, hit, and cleared all in
the same second, and the affected client would still be cached as banned
because the bants hadn't actually changed.
Doug Freed [Wed, 18 Jan 2023 22:21:30 +0000 (16:21 -0600)]
um_callerid: increase hook priority to restore +Rg behavior
Before splitting things out into hooks, umode +Rg would only notify the
recipient if the sender satisfied +R. This restores that behavior by
making the +g hook happen after +R.
authd child processes are only told about configured DNSBLs when the
configuration is being parsed.
This is bad, because when authd crashes or is killed, IRCd will restart
it, but will not tell it about any configured DNSBLs until IRCd is next
rehashed.
We already have a dictionary that stores configured DNSBLs (for hit
statistics for `STATS n'), so store the additional needed fields in
that structure, and loop over that dictionary's entries when authd is
restarted, sending the fields just as if the configuration were being
reloaded.
Aaron Jones [Fri, 21 Oct 2022 08:01:41 +0000 (08:01 +0000)]
extensions/umode_hide_idle_time: mask times for hidden sources (#373)
If the user performing a WHOIS has hidden their idle time (is umode +I),
also prevent them from seeing other user's idle times, even if said users
are not themselves umode +I.
Ed Kellett [Sat, 16 Oct 2021 23:00:55 +0000 (00:00 +0100)]
m_sasl: Remove implicit abort on registration
This doesn't make sense in a world where post-registration SASL is
allowed, and should fix one case of an annoying login desync that's seen
in the real world.
Specifically, when a client sends its final AUTHENTICATE and Atheme
receives it, it sends an SVSLOGIN for that client. If the client sends
us its CAP END *before* we see the SVSLOGIN, the implicit abort will try
to abort the SASL session that's already succeeded.
Atheme interprets this as an instruction to forget about the successful
SASL session; you'll connect unidentified. But it's already sent
SVSLOGIN, which will log the client in ircd-side, causing ircd and
services views to differ until the user authenticates again manually.
I think allowing a SASL session to be aborted when it has already
succeeded is an Atheme bug, and it can still be triggered without this
change. But our behaviour here seems silly anyway.
jailbird777 [Sat, 13 Aug 2022 03:40:48 +0000 (22:40 -0500)]
OpenSSL 3.0 compatibility
Edited by @aaronmdjones:
- Correct some data types and casts
- Minor style fixups (e.g. we put * on the variable name not the type)
- librb/src/openssl.c:
- Defer call of BIO_free(3ssl) to the end of the conditional block
to avoid having calls to it in multiple paths
- Check the return value of SSL_CTX_set0_tmp_dh_pkey(3ssl) because if
it fails then we must use EVP_PKEY_free(3ssl) to avoid a memory leak
This could fail if, for example, the user supplied DSA parameters
in the DH parameters file instead.
- ircd/newconf.c:
- Check whether OSSL_DECODER_CTX_new_for_pkey(3ssl) was able to parse
the given CHALLANGE public key as a valid RSA public key, and then
check whether OSSL_DECODER_from_bio(3ssl) actually loads it
successfully
- ircd/s_newconf.c:
- Use EVP_PKEY_free(3ssl) instead of OPENSSL_free(3ssl) on EVP_PKEY
pointers; this will avoid inadvertent memory leaks if the EVP_PKEY
structure contains any dynamically-allocated child members
- modules/m_challenge.c:
- Unconditionally use EVP(3ssl) to generate the SHA-1 digest of the
random challenge; this API has been around for a very long time and
is available in all supported versions of OpenSSL
- Add lots of error checking to all steps of the process
Tested against 1.1.1 and 3.0; both with missing and provided DH parameters
(which works as you'd expect; the server will not negotiate a DHE cipher
without them), and CHALLENGE, including missing keys or keys of the wrong
type (e.g. when you supply an EdDSA key instead of an RSA key).
This does break compatibility with OpenSSL 1.1.0 and below, which are now
all end-of-life and unsupported anyway.
Aaron Jones [Wed, 24 Aug 2022 23:51:14 +0000 (23:51 +0000)]
librb/src/crypt.c: rb_sha*_crypt_r: avoid UB pointer math
This code is doing (foo - (char*)0) to convert foo from a pointer
value into a numeric value. Unfortunately, this is undefined
behaviour, which clang-14 is now warning about [1].
Cast to uintptr_t instead. Same result, but well-defined.
jailbird777 [Tue, 16 Aug 2022 00:03:49 +0000 (19:03 -0500)]
Fix SCTP support on FreeBSD & NetBSD
Unlike Linux, Solaris, and Illumos (and probably others), the 2 BSDs that still
support SCTP didn't put SCTP into its own library, they put it into libc.
They, unlike Linux, don't set SOL_SCTP for us. The official method appears to
be calling getprotobyname("sctp") & endprotoent(), with getprotobyname()
returning a struct that has a p_proto entry. This all reads from
/etc/protocols. However, SCTP is assigned 132 by IANA, so it's 132 everywhere,
so I just set SOL_SCTP to 132 if it's not already set.
Aaron Jones [Tue, 5 Jul 2022 06:01:26 +0000 (06:01 +0000)]
serv_connect(): ensure both sa_bind[]/sa_connect[] are always populated (#352)
Due to [1], linking with SCTP sometimes does not multi-home correctly.
This is triggered by the rand() on the lines immediately above these.
The connect{} blocks already support an `aftype` parameter to instruct
IRCd to prefer IPv4 or IPv6. This commit additionally ensures that the
other structure is always populated with the other address (if any) if
this parameter is specified.
This will allow SCTP server-linking users to work around the bug and
ensure that it always multi-homes by setting `connect::aftype` to IPv4.
Without this commit, that would cause Solanum to not include the IPv6
addresses (if any) in the connect block in its SCTP setup.
If there isn't a valid IP address in the other sockaddr, this should be
of no consequence, because it will not be used by rb_connect_tcp(), and
both rb_connect_sctp() and rb_sctp_bindx_only() already verify that
there is a valid IP address in the sockaddr before making use of it.
Ed Kellett [Sun, 19 Jun 2022 21:07:20 +0000 (22:07 +0100)]
valid_temp_time: simplify/correct overflow check
the logic for trying to detect the maximum value of time_t was broken;
since we target a lower maximum time anyway, just use that for the
overflow check
While working on reproducible builds for openSUSE, I found that
our package varied even when building in clean VMs
with as little non-determinism as possible.
This was because of