jfr.im git - solanum.git/log
Simon Arlott [Wed, 27 Apr 2016 20:16:29 +0000 (21:16 +0100)]
epoll: don't try to read from closed FDs
Aaron Jones [Wed, 27 Apr 2016 16:17:33 +0000 (16:17 +0000)]
[openssl] support ECDHE on more than one curve when possible
Simon Arlott [Tue, 26 Apr 2016 19:58:16 +0000 (20:58 +0100)]
mkfingerprint: use certfp method names from certfp.h
Simon Arlott [Tue, 26 Apr 2016 19:21:23 +0000 (20:21 +0100)]
add mkfingerprint program
Simon Arlott [Tue, 26 Apr 2016 19:19:59 +0000 (20:19 +0100)]
certfp: Move method name/prefix strings to a separate header file
Simon Arlott [Tue, 26 Apr 2016 19:28:12 +0000 (20:28 +0100)]
librb: gnutls: check return value of fread()
Simon Arlott [Mon, 25 Apr 2016 22:52:18 +0000 (23:52 +0100)]
ircd.conf.example: use certfp_method = spki_sha256
SHA1 is insecure. SHA2-512 is a bit long. Hashes of the full certificate
are really impractical and people need to stop using them.
Simon Arlott [Mon, 25 Apr 2016 22:21:38 +0000 (23:21 +0100)]
getopt: don't modify argv as it breaks restart()
Simon Arlott [Mon, 25 Apr 2016 21:27:57 +0000 (22:27 +0100)]
modules: use exit(EXIT_FAILURE) on failure
This will allow service process monitoring to recognise the difference
between a shutdown and an error of a -foreground ircd, because only
/DIE (or SIGINT) will exit with return code 0.
Simon Arlott [Mon, 25 Apr 2016 20:35:58 +0000 (21:35 +0100)]
authd: wait until the ssl connection is "open" before reading
It's useful to allow authd to run in parallel with ssl negotiation,
but if the ssld connection has plaintext data ready for reading
there's a race condition between authd calling read_packet() and
ssl_process_certfp() storing the certificate fingerprint. This
scenario would be bad for a server connecting because fingerprint
verification will fail.
Allow either operation to complete first, but wait until
ssl_process_open_fd() calls the ssl open callback before calling
read_packet().
Simon Arlott [Mon, 25 Apr 2016 20:12:44 +0000 (21:12 +0100)]
sslproc: simplify ssl open callback
Don't use the librb callback type as we're always passing client_p.
Provide a return value so that the connect handler can exit_client()
and the accept handler can opt to use the default dead handler.
Simon Arlott [Mon, 25 Apr 2016 19:38:33 +0000 (20:38 +0100)]
openssl: accept more certificate verify errors as valid
Simon Arlott [Mon, 25 Apr 2016 19:19:48 +0000 (20:19 +0100)]
conf: require certificate fingerprint for SSL connections
Simon Arlott [Mon, 25 Apr 2016 19:12:27 +0000 (20:12 +0100)]
sslproc: prefix SPKI certfp types to distinguish them from CERT
Simon Arlott [Mon, 25 Apr 2016 18:22:10 +0000 (19:22 +0100)]
sslproc: send the certfp method on rehash
Simon Arlott [Mon, 25 Apr 2016 18:20:45 +0000 (19:20 +0100)]
sslproc: use global ServerInfo configuration
There's no need to pass information around that sslproc already has access
to, so use ServerInfo directly. Remove the extra NULL checks as these are
already performed before setting ircd_ssl_ok = true.
Simon Arlott [Mon, 25 Apr 2016 18:12:47 +0000 (19:12 +0100)]
sslproc: include ssl_cipher_list in length check before sending configuration to ssld
Simon Arlott [Mon, 25 Apr 2016 18:02:03 +0000 (19:02 +0100)]
ssld: remove init_prng command
This is no longer configurable so it's redundant.
Simon Arlott [Sun, 24 Apr 2016 16:41:44 +0000 (17:41 +0100)]
ircd: don't send ERR_NOTREGISTERED to servers
Sending messages after SERVER but before zlib is established breaks
outgoing connections. If the other server is misbehaving then ignore
its messages.
Simon Arlott [Sun, 24 Apr 2016 16:11:20 +0000 (17:11 +0100)]
librb: remove socklen parameter from rb_connect_tcp
Simon Arlott [Sun, 24 Apr 2016 16:05:05 +0000 (17:05 +0100)]
ircd: server connection configuration
Fix the server connection configuration so that it can simultaneously
handle a hostname/IPv4/IPv6 for connecting and a hostname/IPv4/IPv6
for binding. Maintains backwards compatibility for matching a hostname
with a mask.
Multiple host/vhost entries can be specified and the last value for
each address family is stored. Hostnames that resolve automatically
overwrite the IP address.
Server connections can now be made to either IPv4 or IPv6 at random
as well as preferring a specific address family.
Simon Arlott [Sun, 24 Apr 2016 10:49:21 +0000 (11:49 +0100)]
ircd: Don't try to connect to servers that we know have an invalid fingerprint
This just causes an unnecessary link/squit on the other server.
Simon Arlott [Sun, 24 Apr 2016 10:48:35 +0000 (11:48 +0100)]
ssld: add a callback when the connection is opened
This allows us to wait until we have the fingerprint information before
continuing with a server connect process.
Simon Arlott [Sun, 24 Apr 2016 09:39:16 +0000 (10:39 +0100)]
ssld: send cipher/certfp before proxying any plaintext traffic
Simon Arlott [Sat, 23 Apr 2016 23:29:11 +0000 (00:29 +0100)]
m_stats: display certificate fingerprint in STATS C
Simon Arlott [Sat, 23 Apr 2016 23:09:12 +0000 (00:09 +0100)]
m_alias: store a copy of alias->name as it will be freed on a rehash
Simon Arlott [Sat, 23 Apr 2016 22:56:41 +0000 (23:56 +0100)]
ircd: parse: add asserts for improper use of mod_add_cmd/mod_del_cmd
Simon Arlott [Sat, 23 Apr 2016 22:35:27 +0000 (23:35 +0100)]
modules: add missing break
Simon Arlott [Sat, 23 Apr 2016 22:25:25 +0000 (23:25 +0100)]
ircd: do nothing in client_release_connids if !MyConnect
Simon Arlott [Sat, 23 Apr 2016 22:21:47 +0000 (23:21 +0100)]
ircd: fix assert in client_release_connids
The connection may have already been closed and MyConnect cleared.
It's only a bug if the connection somehow has connids but is not
our connection.
Simon Arlott [Sat, 23 Apr 2016 21:51:05 +0000 (22:51 +0100)]
ssld: Add new certfp_methods spki_sha256 and spki_sha512
These operate on the SubjectPublicKeyInfo of the certificate, which does
change unless the private key is changed. This allows the fingerprint to
stay constant even if the certificate is reissued.
(The same fingerprint is also used by DANE)
Simon Arlott [Sat, 23 Apr 2016 21:46:25 +0000 (22:46 +0100)]
ssld: cipher commands don't have any fds
Simon Arlott [Sat, 23 Apr 2016 21:45:13 +0000 (22:45 +0100)]
librb: mbedtls: fix rb_get_ssl_certfp()
Add missing break statements.
Return the hash length on success.
Simon Arlott [Sat, 23 Apr 2016 21:13:03 +0000 (22:13 +0100)]
librb: fix mbedtls library order
libmbedtls depends on libmbedx509 and libmbedcrypto
libmbedx509 depends on libmbedcrypto
They have to be specified in the correct order for the GNU linker to work.
Simon Arlott [Sat, 23 Apr 2016 19:52:20 +0000 (20:52 +0100)]
ircd: sslproc: certfp commands have a 9 byte header, not 5 bytes
SHA512 hashes were being ignored because the message was too large
Simon Arlott [Sat, 23 Apr 2016 19:46:26 +0000 (20:46 +0100)]
ssld: certfp change commands don't have any fds
William Pitcock [Sat, 23 Apr 2016 19:26:01 +0000 (14:26 -0500)]
client: fix up client_release_connids() too, pointed out by lp0
William Pitcock [Sat, 23 Apr 2016 19:17:09 +0000 (14:17 -0500)]
client: connid_get() should check MyConnect(), not MyClient().
Simon Arlott [Sat, 23 Apr 2016 16:32:24 +0000 (17:32 +0100)]
mr_server: Report certificate fingerprint mismatches
Log the received certificate fingerprint when it causes a server to be
rejected.
Simon Arlott [Sat, 23 Apr 2016 16:30:59 +0000 (17:30 +0100)]
mr_server: Handle unknown error codes
As mr_server is a module, it could potentially receive an unknown
error code from check_server().
Mantas Mikulėnas [Sat, 23 Apr 2016 14:57:07 +0000 (17:57 +0300)]
doc: fix whitespace in example configs [ci skip]
Simon Arlott [Sat, 23 Apr 2016 14:41:27 +0000 (15:41 +0100)]
authproc: set GOT_ID flag when an ident response is received
staticfox [Sat, 23 Apr 2016 03:06:42 +0000 (23:06 -0400)]
authd: Avoid negative array indices
Elizabeth Myers [Sat, 16 Apr 2016 16:05:00 +0000 (11:05 -0500)]
Revert "Implement the netsplit batch type."
This needs more work, see
https://github.com/ircv3/ircv3-specifications/issues/253
This reverts commit 23738912993a8debf007542c51aeff79588e35ca.
Elizabeth Myers [Fri, 15 Apr 2016 21:50:43 +0000 (16:50 -0500)]
Implement the netsplit batch type.
This also lays the groundwork for the netjoin batch type, but that isn't
implemented yet. I don't like how some of this is implemented but it'll
have to do for now...
Compile tested, needs more testing.
Elizabeth Myers [Tue, 12 Apr 2016 14:43:50 +0000 (09:43 -0500)]
Don't use key member of dictionary iter objects after deletion
Elizabeth Myers [Tue, 12 Apr 2016 14:37:56 +0000 (09:37 -0500)]
authproc: fix a typo
Elizabeth Myers [Tue, 12 Apr 2016 14:33:51 +0000 (09:33 -0500)]
Change the way authd configures opm
It's a bit of a hack, but better than before. Rather than rehashing
(which could get us into an endless loop), we now segregate the
configuration phase (creating entries ircd-side in case we restart authd
later) and sending phases (when configure_authd() is called). Since we
have to call configure_authd() no matter what (to send timeouts etc.)
and we have to send this data to configure authd anyway, and sending
duplicate data is bad, this is the only way I can think of for now.
Mantas Mikulėnas [Mon, 11 Apr 2016 19:28:33 +0000 (22:28 +0300)]
Merge pull request #183 from grawity/sasl-fail-throttle-v3
limit failed SASL authentication attempts
Mantas Mikulėnas [Mon, 11 Apr 2016 18:38:43 +0000 (21:38 +0300)]
m_sasl: rate-limit SASL REAUTH usage
Mantas Mikulėnas [Mon, 11 Apr 2016 17:12:31 +0000 (20:12 +0300)]
m_sasl: fix coding style
Mantas Mikulėnas [Fri, 13 Feb 2015 18:13:06 +0000 (20:13 +0200)]
m_sasl: temporarily reject clients after many failed attempts
Elizabeth Myers [Mon, 11 Apr 2016 16:51:51 +0000 (11:51 -0500)]
send: trim a blank line [ci skip]
Elizabeth Myers [Mon, 11 Apr 2016 16:26:15 +0000 (11:26 -0500)]
Make directions more clear for disabling OPM
Elizabeth Myers [Sun, 10 Apr 2016 22:28:20 +0000 (17:28 -0500)]
Name the fallback strncasecmp properly [ci skip]
Elizabeth Myers [Sun, 10 Apr 2016 22:26:09 +0000 (17:26 -0500)]
whoops, fix a typo
Elizabeth Myers [Sun, 10 Apr 2016 22:25:32 +0000 (17:25 -0500)]
Replace my shitty fallbacks with those from FreeBSD
Elizabeth Myers [Sun, 10 Apr 2016 22:15:46 +0000 (17:15 -0500)]
README: put git command in backticks [ci skip]
Elizabeth Myers [Sun, 10 Apr 2016 22:11:57 +0000 (17:11 -0500)]
*sigh* comment these out until travis is fixed.
Elizabeth Myers [Sun, 10 Apr 2016 22:07:33 +0000 (17:07 -0500)]
Add these for now until travis actually gets their shit together.
Elizabeth Myers [Sun, 10 Apr 2016 21:53:40 +0000 (16:53 -0500)]
travis: install shtool.
Elizabeth Myers [Sun, 10 Apr 2016 21:49:42 +0000 (16:49 -0500)]
Get rid of install-sh and use shtoolize to create them.
Contributed by jackal^
Elizabeth Myers [Sun, 10 Apr 2016 15:11:03 +0000 (10:11 -0500)]
modules/m_set: booleanify.
Elizabeth Myers [Sun, 10 Apr 2016 15:10:46 +0000 (10:10 -0500)]
librb: minor adjustments to rb_strcasestr fallback to avoid warnings.
Elizabeth Myers [Sun, 10 Apr 2016 15:02:33 +0000 (10:02 -0500)]
s_user: clean up authd checks
Elizabeth Myers [Sun, 10 Apr 2016 14:35:02 +0000 (09:35 -0500)]
s_user: enhancements to proxy reporting messages
Elizabeth Myers [Sun, 10 Apr 2016 14:23:14 +0000 (09:23 -0500)]
Remove extraneous whitespace [ci skip]
Elizabeth Myers [Sun, 10 Apr 2016 14:22:34 +0000 (09:22 -0500)]
Fix stupid linux warning
Elizabeth Myers [Sun, 10 Apr 2016 14:20:51 +0000 (09:20 -0500)]
Wrap up authd preclient stuff in its own struct
staticfox [Sat, 9 Apr 2016 10:05:08 +0000 (06:05 -0400)]
version.c.SH: Fix build
We need stddef.h mainly for NULL
Elizabeth Myers [Sat, 9 Apr 2016 09:54:56 +0000 (04:54 -0500)]
Formatting fixes for credits
Contributed from jackal^, but fixed up a bit.
Elizabeth Myers [Fri, 8 Apr 2016 15:33:36 +0000 (10:33 -0500)]
Properly clean up build artifacts.
Author: jackal^ from freenode
Elizabeth Myers [Fri, 8 Apr 2016 08:49:23 +0000 (03:49 -0500)]
ipv4_from_ipv6: move to librb
Elizabeth Myers [Thu, 7 Apr 2016 14:45:12 +0000 (09:45 -0500)]
elide messages about not checking blacklists or scanning for proxies
Elizabeth Myers [Thu, 7 Apr 2016 12:48:50 +0000 (07:48 -0500)]
Fix overzealotry in flags fixing.
These flags are for oper confs, not for client flags.
Elizabeth Myers [Thu, 7 Apr 2016 12:40:55 +0000 (07:40 -0500)]
Get rid of flags2.
It seems to come from an era where long long didn't exist and 64-bit
machines weren't common. 32-bit machines are still common but I can't
imagine this will have much performance impact there.
This "fixes" #179 in title only, but see comments within.
Elizabeth Myers [Thu, 7 Apr 2016 09:47:48 +0000 (04:47 -0500)]
Cleanup defaults.h config file.
Clean up spaces/tabs mixing mess (bleh), add some defaults for authd
stuff, and get rid of CHARYBDIS_SOMAXCONN (just define SOMAXCONN if it's
available...).
Elizabeth Myers [Thu, 7 Apr 2016 09:47:31 +0000 (04:47 -0500)]
NEWS: add some more relevant items [ci skip]
Elizabeth Myers [Thu, 7 Apr 2016 09:21:16 +0000 (04:21 -0500)]
NEWS: move news element down to code changes [ci skip]
Elizabeth Myers [Thu, 7 Apr 2016 09:19:24 +0000 (04:19 -0500)]
NEWS: add module changes
Elizabeth Myers [Thu, 7 Apr 2016 09:15:12 +0000 (04:15 -0500)]
modules: fix up display names
Elizabeth Myers [Thu, 7 Apr 2016 09:00:25 +0000 (04:00 -0500)]
modules: move module loading/unloading commands to dedicated module.
There's no reason to really have these in the main ircd anymore, static
modules are dead and aren't coming back.
To ensure people don't do something hopelessly retarded, this is a core
module.
Elizabeth Myers [Thu, 7 Apr 2016 08:27:50 +0000 (03:27 -0500)]
m_stats: use macros to clean up generating the stats table
Elizabeth Myers [Wed, 6 Apr 2016 16:47:13 +0000 (11:47 -0500)]
Remove useless alias_entry hits member
Elizabeth Myers [Wed, 6 Apr 2016 16:45:55 +0000 (11:45 -0500)]
m_stats: don't list alias entries twice.
Elizabeth Myers [Wed, 6 Apr 2016 16:43:19 +0000 (11:43 -0500)]
m_alias: fix an assert
Elizabeth Myers [Wed, 6 Apr 2016 16:43:05 +0000 (11:43 -0500)]
authd: clean up refcounting stuff
Elizabeth Myers [Wed, 6 Apr 2016 14:52:25 +0000 (09:52 -0500)]
authd: refcounting fixes
Elizabeth Myers [Wed, 6 Apr 2016 14:22:24 +0000 (09:22 -0500)]
opm: big cleanup
This simplifies the creation of scan types by removing lots of awful
boilerplate code and checks that need to be duplicated everywhere.
Elizabeth Myers [Wed, 6 Apr 2016 13:34:39 +0000 (08:34 -0500)]
opm: minor fixes
Elizabeth Myers [Wed, 6 Apr 2016 12:57:20 +0000 (07:57 -0500)]
m_alias: fix build with --enable-assert
Elizabeth Myers [Wed, 6 Apr 2016 12:43:45 +0000 (07:43 -0500)]
ircd: load modules after conf files
The alias module depends on this
Elizabeth Myers [Wed, 6 Apr 2016 12:43:36 +0000 (07:43 -0500)]
opm: silly bugfix
Elizabeth Myers [Wed, 6 Apr 2016 12:33:36 +0000 (07:33 -0500)]
m_alias: minor cleanup
Elizabeth Myers [Wed, 6 Apr 2016 12:28:30 +0000 (07:28 -0500)]
Partially update a comment
Elizabeth Myers [Wed, 6 Apr 2016 12:27:50 +0000 (07:27 -0500)]
Move alias handling into a dedicated module.
Not yet tested, caveat emptor!
Closes #166
Elizabeth Myers [Wed, 6 Apr 2016 11:48:59 +0000 (06:48 -0500)]
s_conf: s_bsd's been gone for a long time... lol
Elizabeth Myers [Wed, 6 Apr 2016 11:30:58 +0000 (06:30 -0500)]
Static modules are dead, remove this.
Elizabeth Myers [Wed, 6 Apr 2016 10:43:54 +0000 (05:43 -0500)]
Add hook for when rehash is called.
This will be used by the future alias module.
Elizabeth Myers [Wed, 6 Apr 2016 10:43:28 +0000 (05:43 -0500)]
Use uint32_t for get_provider_id, not int