1
0
mirror of https://github.com/osmarks/ngircd.git synced 2024-12-14 19:00:27 +00:00
Commit Graph

3320 Commits

Author SHA1 Message Date
Alexander Barton
13a5358a3d Log an error (not info) when working directory can't be changed 2013-09-24 00:04:54 +02:00
Alexander Barton
99db111bca doc/PAM.txt: add a slightly more useful example 2013-09-19 00:17:43 +02:00
Federico G. Schwindt
27b9d32bf2 Change the certificate fingerprint digest to sha256
While here correct some indentation.
2013-09-17 17:35:56 +01:00
Federico G. Schwindt
0985d69cc6 Change cipher defaults
Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).
2013-09-17 17:15:24 +01:00
Alexander Barton
d0977258ee Merge remote-tracking branch 'alex/bug162-SSLCipherList'
* alex/bug162-SSLCipherList:
  Cipher list selection for GnuTLS
  ConnSSL_Init_SSL(): correctly set CONN_SSL flag
  Cipher list selection for OpenSSL
  ConnSSL_InitLibrary(): Code cleanup
2013-09-16 17:32:25 +02:00
Federico G. Schwindt
2cebfc54f5 Fix server reconnection
In some error cases conn_id will be left as SERVER_WAIT and
subsequently ignored in Check_Servers(). Ensure conn_id is set to
NONE before returning from New_Server() if we couldn't establish
the connection.

Prompted by a report from gabrielgi-at-gmail-dot-com.
2013-09-16 02:15:49 +01:00
Alexander Barton
de3e5fa77c Don't ignore SSL-related errors during startup
Without this patch, ngIRCd ignores SSL-related messages and continues
to start up but only listens on plain text communication ports -- and
this most probably isn't what the administrator wanted ...

Closes bug #163.
2013-09-16 00:31:03 +02:00
Alexander Barton
b9006acee3 Cipher list selection for GnuTLS
This patch implements the missing functionality for cipher list selection
using GnuTLS (our OpenSSL code has this already).
2013-09-15 17:57:47 +02:00
Alexander Barton
51231ac8d4 ConnSSL_Init_SSL(): correctly set CONN_SSL flag
The CONN_SSL flag must be set before any calls to ConnSSL_Free()!
2013-09-15 17:35:52 +02:00
Alexander Barton
84ed46d4c1 Cipher list selection for OpenSSL
This patch introduces the possibility to arbitrarily select ciphers which
should be promoted resp. declined when establishing a SSL connection
with a client by implementing the new configuration option "CipherList".

By default, OpenSSL would accept low and medium strength and RC-4 ciphers,
which nowadays are known to be broken.

This patch only implements the feature for OpenSSL. A GnuTLS counterpart
has to be implemented in another patch ...

Original patch by Bastian <bastian-ngircd@t6l.de>.

Closes bug #162.
2013-09-15 15:09:36 +02:00
Alexander Barton
849f85a05c ConnSSL_InitLibrary(): Code cleanup 2013-09-15 14:09:31 +02:00
Alexander Barton
e8e0351985 TRACE: fix error message when there are too many parameters
ircd 2.11 ignores additional parameters silently, but I don't think
that this is the correct behaviour either ...
2013-09-07 00:19:21 +02:00
Alexander Barton
131364def1 IRC_SetPenalty(): Code cleanup 2013-09-07 00:05:49 +02:00
Federico G. Schwindt
bcb45da1b4 Add more penalty times
Ensure before every numeric 461 there is a call to IRC_SetPenalty().
2013-09-06 23:02:01 +01:00
Federico G. Schwindt
08f9d31d60 Rework check for number of parameters
Move most of the checks that return numeric 461 into Handle_Request().
2013-09-06 23:01:59 +01:00
Federico G. Schwindt
37609d6a4f Reorder checks
Move oper and Conf_MorePrivacy checks after checking the number of
parameters.
2013-09-05 17:31:57 +01:00
Federico G. Schwindt
33c2d5e4e2 Move the IRC_SetPenalty() call after the asserts 2013-09-05 17:31:57 +01:00
Federico G. Schwindt
a98bbc8e0b Correct numeric returned by whois
As per RFC whois should return 431 if no nick is provided.  While
here convert upper check to use irc-macros. As a bonus we get to set
the penalty for free.
2013-09-05 17:31:56 +01:00
Federico G. Schwindt
9f74c0ff07 Minor cosmetic change
Add a define to indicate any client.  While I'm here use hex values
instead of decimal, it's somewhat clearer that they could be OR'ed
together.
2013-09-05 17:31:55 +01:00
Alexander Barton
e5cdd61fe3 Commands.txt: Document proprietary DIE <message> parameter 2013-09-05 00:19:03 +02:00
Alexander Barton
e3a2a6c44d getpid.sh: use /bin/pidof when available 2013-09-03 21:33:22 +02:00
Alexander Barton
aad92ceafe Don't enforce channel types for other servers
The configuration option "AllowedChannelTypes" must only be enforced for
regular clients and not for remote servers. Channels created by other
servres are always allowed, because they already exist and the daemon
must stay in sync with the network.
2013-09-03 17:13:46 +02:00
Alexander Barton
4102e8fdfe Only log "IDENT ... no result" when IDENT was looked up
Without this patch, ngIRCd logged the "IDENT lookup for connection X:
no result"-message even when IDENT lookups have been disabled using the
"Ident = no" configuration option, which is a little bit misleading.

Reported by "btwe" in #ngircd.
2013-09-02 16:42:20 +02:00
Florian Westphal
f8f8a9a041 ngircd: use setgid/setuid errno value in error path
Need to use saved errno value as strerror argument, else you
get bogus output ('success') in the log message.
2013-08-31 22:42:56 +02:00
Alexander Barton
04b947cdc3 Show connection flag "s" (SSL) in RPL_TRACE{LINK|SERVER}
Now you can check if a server-to-server link is SSL-encrypted or not
using the IRC "TRACE" command.

Idea by Götz Hoffart, thanks!
2013-08-31 14:15:24 +02:00
Federico G. Schwindt
be2e611680 Change away to be allocated dynamically 2013-08-27 00:06:03 +01:00
Alexander Barton
41f75b6974 Ignore "operation not permitted" while dropping groups
Without this exception, you can't start ngIRCd as user any more,
it is analog to setting the user and group ID.
2013-08-27 00:41:36 +02:00
Florian Westphal
e009ccbe66 ngircd: discard supplementary group ids on startup
The intention was to switch to JUST uid:gid, but setgid is not
sufficient.

Reported-by:  Michael Scherer <misc@zarb.org>
2013-08-27 00:19:31 +02:00
Alexander Barton
46d43dc09c Xcode: update project settings for Xcode 5 2013-08-26 23:23:12 +02:00
Alexander Barton
44698e44e8 Merge branch 'bug159-WebircIPA'
* bug159-WebircIPA:
  Introduce Free_Client() function to free CLIENT structure
  Save client IP address text for "WebIRC" users
2013-08-26 23:22:20 +02:00
Alexander Barton
0ff33777fe Introduce Free_Client() function to free CLIENT structure 2013-08-26 22:55:00 +02:00
Alexander Barton
1dc93286a0 Save client IP address text for "WebIRC" users
This patch introduces a new field in the CLIENT structure, "ipa_text",
which points to an optional textual representation of the client IP
address (or NULL) which can be used to store the "real" IP address
information of a client using the "WEBIRC" protocol.

Without this patch, ngIRCd ignored the <ip-address> paramater ...

In addition, the functions Client_SetIPAText() and Client_IPAText()
have been introduced to set and get the textual representation of the
client IP address.

Client_IPAText() can be used even when no "IP address text" has been
set before, it then returns the real IP address of the connection.

Closes bug #159.
2013-08-26 22:54:00 +02:00
Alexander Barton
2bacb8210b Implement new configuration option "DefaultUserModes"
The new configuration option "DefaultUserModes" lists user modes that
become automatically set on new local clients right after login.

Please note that only modes can be set that the client could set on
itself, you can't set "a" (away) or "o" (IRC Op), for example! User
modes "i" (invisible) or "x" (cloaked) etc. are "interesting", though.

Default: set no modes (like without this patch).

Closes bug #160.
2013-08-26 21:17:10 +02:00
Federico G. Schwindt
3b65f4e38d Change strdup() to strndup() 2013-08-26 12:18:46 +01:00
Federico G. Schwindt
6ac5a82eec private strndup() implementation in case libc does not provide it 2013-08-26 10:47:04 +01:00
Federico G. Schwindt
086cf3a272 Cosmetic changes to METADATA
Update certfp and sort entries.
2013-08-25 05:26:08 +01:00
Federico G. Schwindt
8d01be7bbd Silence warning
Cast the result of the operation to long, not the time(NULL) call.
On systems where sizeof(time_t) is other than long this will produce
a warning.
2013-08-25 05:24:11 +01:00
Federico G. Schwindt
eb86d234f8 Plug memory leak 2013-08-25 05:24:11 +01:00
Federico G. Schwindt
3af0ece2bc Implement account login support
This is done via the `accountname' METADATA command and used to
automatically identify users after netsplits or across service
restarts.
2013-08-25 05:24:08 +01:00
Federico G. Schwindt
a9ffbdea3f Fix spelling 2013-08-24 17:51:44 +01:00
Alexander Barton
6dc5471a75 ngIRCd Release 20.3
(cherry picked from commit bb6e277963)

Conflicts:
	ChangeLog
	NEWS
2013-08-23 23:34:55 +02:00
Alexander Barton
309122017e Correctly handle return code of Handle_Write()
There have been code paths that ignored the return code of Handle_Write()
when sending "notice auth" messages to new clients connecting to the
server. But because Handle_Write() would have closed the client connection
again if an error occurred, this would have resulted in new errors and
assert()'s later on that could have crashed the server (denial of service).

Only setups having the configuration option "NoticeAuth" enabled are
affected, which is not the default.

CVE-2013-5580.
2013-08-23 21:40:51 +02:00
Alexander Barton
8f530eb315 Enhance log messages on "recursive" connection errors 2013-08-21 01:16:16 +02:00
Alexander Barton
d56341c77b Add some assert() calls to ng_ipaddr library 2013-08-21 00:23:47 +02:00
Alexander Barton
212d99146d Update ChangeLog file 2013-08-20 13:08:43 +02:00
Alexander Barton
e2f09213bc Debian init script: test for binary after reading defaults
This allows the system administrator to overwrite the DAEMON variable in
/etc/defaults/<name> and to use this init script even when the default
"/usr/sbin/ngircd" doesn't exist on the system.
2013-08-19 23:33:11 +02:00
Alexander Barton
c8b12af1d2 Merge branch 'ssl-log-messages'
* ssl-log-messages:
  Make SSL-related log messages more readable
  ConnSSL_HandleError: Code cleanup, more documentation
2013-08-17 22:05:59 +02:00
Alexander Barton
a919e02ba1 Make SSL-related log messages more readable
- Don't use internal function names but describe the error.
 - Streamline wording, use "SSL" for SSL and TLS.
 - Streamline punctuation.
2013-08-14 10:56:09 +02:00
Federico G. Schwindt
b081cfb628 Use _IRC_ARGC_BETWEEN_OR_RETURN_ when possible 2013-08-14 00:07:12 +01:00
Alexander Barton
dd4c60cf39 ConnSSL_HandleError: Code cleanup, more documentation 2013-08-13 00:09:04 +02:00