1
0
mirror of https://github.com/osmarks/ngircd.git synced 2024-12-12 09:50:29 +00:00
Commit Graph

3634 Commits

Author SHA1 Message Date
Alexander Barton
663972c88d S2S-TLS/GnuTLS: Streamline logging 2024-03-23 20:19:01 +01:00
Alexander Barton
509ff60326 S2S-TLS/GnuTLS: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, and
not "peer did not present a certificate", regardless if the client sent
a certificate or not.

This change is for GnuTLS and similar to what was implemented in commit
for OpenSSL in "S2S-TLS/OpenSSL: Fix handling of certificate information
for incoming connections".
2024-03-23 20:19:01 +01:00
Alexander Barton
0e176b5570 S2S-TLS/GnuTLS: Update SSL code for GnuTLS certificate reloading
Without this, the S2S-TLS-Patch not even compiles with GnuTLS because
of the "new" GnuTLS certificate reload support implemented in commit
eead4a63 ("x509_cred_slot").
2024-03-23 20:19:01 +01:00
Alexander Barton
c8589e9890 S2S-TLS: MAX_CERT_CHAIN_LENGTH is only used by OpenSSL 2024-03-23 20:19:01 +01:00
Alexander Barton
58ee4df2ae S2S-TLS: Fix formatting and sort new SSL options in ngircd.conf manual page 2024-03-23 20:19:01 +01:00
Alexander Barton
02bb99b024 S2S-TLS/OpenSSL: Streamline logging
This includes simplifying cb_connserver_login_ssl() a bit, we do not
have to code for invalid state which was ruled out by an assert() and
therefore can get rid of the goto altogether (and don't log the same
error twice with different messages).
2024-03-23 20:19:01 +01:00
Alexander Barton
3db3b47fc7 S2S-TLS/OpenSSL: Postpone verification of TLS session right before server handshake
The verify callback in OpenSSL is called pretty early, and at that time
it is not possible yet to check which connection it belongs to, and some
connections may have relaxed requirements.

So always return success in the Verify_openssl() callback, and postpone
validation of the TLS session until starting the server handshake in
cb_connserver_login_ssl(), when we know which server this connection
belongs to and which options (like "SSLVerify") are in effect.

The code doing this was already present in cb_connserver_login_ssl(),
but this patch adds a more prominent comment to the function.
2024-03-23 20:19:01 +01:00
Alexander Barton
679505aab9 S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, and
not "peer did not present a certificate", regardless if the client sent
a certificate or not.

And free the client certificate structure "peer_cert" on incoming
connections as well!
2024-03-23 20:19:01 +01:00
Alexander Barton
08647ab1e7 S2S-TLS/OpenSSL: Set the verification flags only once
Set the verification flags in the ConnSSL_SetVerifyProperties_openssl
function only, don't override them in ConnSSL_InitLibrary() afterwards.

No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets
exactly the parameters which ConnSSL_InitLibrary() always overwrote ...
2024-03-23 20:19:01 +01:00
Alexander Barton
84b019b11f S2S-TLS/OpenSSL: Always setup host name verification
Setup host name verification even when the "SSLVerify" option is
disabled, because even then the peer can present a valid certificate and
validation would always(!) fail because of the missing host name
verification setup.
2024-03-23 20:19:01 +01:00
Alexander Barton
8f8bef9fae S2S-TLS: Remove leftover debug messages 2024-03-23 20:19:01 +01:00
Alexander Barton
5ca567a18c S2S-TLS: Add missing CAFile and CRLFile options to "configtest" output 2024-03-23 20:19:01 +01:00
Christoph Biedl
817937b218 Support for server certificate validation on server links [S2S-TLS]
This patch provides code to validate the server certificate in
server links, defeating nasty man-in-the-middle attacks on server
links.

Features:

- Check whether the certificate is signed by a trusted certificate
  authority (CA).
- Check the host name, including wildcard certificates and Subject
  Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.

Left for another day:

- Parameterize the TLS parameter of an outbound connection. Currently,
  it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but
  perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some
  consideration about the use cases. This could replace all other
  authentication methods, for both client-server and server-server
  connections.

This patch is based on a patch by Florian Westphal from 2009, which
implemented this for OpenSSL only:

  From: Florian Westphal <fw@strlen.de>
  Date: Mon, 18 May 2009 00:29:02 +0200
  Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

Commit message modified by Alex Barton.

Closes #120, "Server links using TLS/SSL need certificate validation".
Supersedes PR #8, "Options for verifying and requiring SSL client
certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
2024-03-23 20:19:01 +01:00
Alexander Barton
339ad77b62 Streamline README.md & INSTALL.md files
- Tweak some paragraphs and bring others more in line with texts on the
  homepage ...
- Try to not duplicate information:
  - Configuration is explained in doc/QuickStart.md;
  - command line parameters are already better described in the
    ngircd(8) manual page.
- Move all pointers to documentation to the README.md file, which is
  directly shown in GitHub when browsing the repository, for example.
2024-03-23 20:15:16 +01:00
Alexander Barton
c8798fcec0 Bring manual page more in line with README.md and homepage 2024-03-23 19:58:23 +01:00
Alexander Barton
c1c0bca0e2 QuickStart.md: Tweak the text a bit ... 2024-03-17 22:42:19 +01:00
Alexander Barton
7efda4168f INSTALL.md: Add info for macOS systems 2024-03-17 22:42:19 +01:00
Alexander Barton
1118b0e77c METATADA: Fix unsetting "cloakhost"
Correctly re-generate the "cloaked hostname" when removing the
"cloakhost" using an empty string by passing down NULL instead of the
empty string, which results in protocol violations (for example on
WHOIS).
2024-03-17 22:42:19 +01:00
Alexander Barton
5fd195a2cd Update the "rpm" make target to use rpmbuild(8) 2024-03-17 22:42:19 +01:00
Alexander Barton
934f3a0d88 Add a Dockerfile and documentation to the project 2024-03-17 22:42:15 +01:00
Alexander Barton
c0b8b94550 Streamline the "testsuite" and "srcdoc" make targets 2024-02-10 00:22:33 +01:00
Alexander Barton
ea7f4e07b7 Remove outdated, unsupported and broken support for splint(1) 2024-02-10 00:22:33 +01:00
Alexander Barton
f3961ec6ab Git: Streamline and simplify .gitignore file 2024-02-10 00:22:33 +01:00
Alexander Barton
b3513ee159 Convert contrib/README to Markdown 2024-02-10 00:22:33 +01:00
Alexander Barton
39eccffa32 Doxygen: Update the footer links 2024-02-05 14:03:42 +01:00
Sebastian Andrzej Siewior
bdb55fb4b3 testsuite: Pass -nameopt to openssl s_client.
The default value for the -nameopt option changed in OpenSSL 3.2 from
`oneline' to `utf8'. The `oneline' option also included a space around
the fields which is not the case for `utf8'. This means that
	CN = my.first.domain.tld

changed to

	CN=my.first.domain.tld

and is now longer recognized, leading to test failure.
This can be fixed by either going back to `oneline' or keeping `utf8'
and adding additionally `space_eq'. Anoter way would be to teach the
expect that the space is optional.

Add explicit -nameopt option with `utf8,space_eq' which is understood by
by OpenSSL 3.2 and earlier to make explicit. Remove the wildcard.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2024-02-05 13:39:15 +01:00
Alexander Barton
79aefe43dd Debian package: Enable the [SSL] section
This makes sense because the package is build with SSL support enabled,
and we set and enable "CAFile" in commit ae9cfade -- which results in an
error when this is not in an enabled(!) [SSL] section ...
2024-01-23 22:42:57 +01:00
Alexander Barton
a1c2ac5d5b 2nd attempt to always show the correct config file name ...
But we are getting there!
2024-01-23 22:21:33 +01:00
Alexander Barton
951c8b84ab Testsuite: Test for the openssl command before using it
And skip the tests calling it instead of failing!
2024-01-23 14:43:06 +01:00
Alexander Barton
14838a249f Correctly show the configuration file used 2024-01-23 14:43:06 +01:00
Alexander Barton
e8670f8690 INSTALL.md: Add info for current Red Hat/Fedora systems 2024-01-21 20:15:47 +01:00
Alexander Barton
6fb8022949 Migrate info from INSTALL.md into doc/QuickStart.md
Move most information regarding configuring ngIRCd into the
doc/QuickStart.md document, only describe building and installing ngIRCd
in the INSTALL.md file. Don't duplicate content!

Add references where this makes sense.
2024-01-21 20:15:47 +01:00
Alexander Barton
47d3872c60 Don't show the default config file name on config errors
The configuration can be set in drop-in files in the include directory,
too, so it is not clear in which file it is actually missing.
2024-01-21 20:15:47 +01:00
Alexander Barton
b4c8e74ccb Use a default "IncludeDir" only when no config file was specified
No longer use a default built-in value for the "IncludeDir" directive
when a configuration file was explicitly specified on the command line
using "--config"/"-f": This way no default include directory is scanned
when a possibly non-default configuration file is used which
(intentionally) did not specify an "IncludeDir" directive.

With this patch you now can use "-f /dev/null" for checking all built-in
defaults, regardless of any local configuration files in the default
drop-in directory (which would have been read in until this change).
2024-01-21 20:15:47 +01:00
Alexander Barton
3ab6c85284 Add an introduction and generic info to doc/QuickStart.md 2024-01-21 14:21:57 +01:00
Alexander Barton
ae9cfade44 Debian package: Configure the system CA certificates store 2024-01-21 14:14:59 +01:00
Alexander Barton
aa92837b02 Do not log channel keys ("passwords") for predefined channels 2024-01-21 14:14:59 +01:00
Alexander Barton
c349f2a6ba CI: Fix YAML, there shouldn't have been tabs in the file! 2024-01-21 01:51:46 +01:00
Alexander Barton
7dcf9f1ad3 CI: Looks like "cache-apt-pkgs-action" needs exact package names
And list only one package per line; way easier to read and maintain :-)
2024-01-21 01:37:52 +01:00
Alexander Barton
2984dad8b4 "ngIRCd CI" GitHub Action: Update and use cache-apt-pkgs-action 2024-01-21 01:20:46 +01:00
Alexander Barton
bb8b6f0fba Make the description of the "Info" option more precise
The "Info" option in the "[Global]" section is optional (so comment it
out in the sample configuration file) and set to the server software
name and its version when not set (so add this information to the sample
configuration file and the ngircd.conf(5) manual page).
2024-01-21 01:20:46 +01:00
Alexander Barton
3c39094b52 Deduce a server name when not set in the configuration
The server "Name" in the "[Global]" section of the configuration file is
optional now: When not set (or empty), ngIRCd now tries to deduce a
valid IRC server name from the local host name ("node name"), possibly
adding a ".host" extension when the host name does not contain a dot
(".") which is required in an IRC server name ("ID").

This new behaviour, with all configuration parameters now being
optional, allows running ngIRCd without any configuration file at all.
2024-01-21 01:20:46 +01:00
Alexander Barton
669d71f3fe Explicitly test for the empty string in Channel_UserHasMode()
Basically this is unnecessary, as Channel_UserModes() always returns a
valid pointer and strchr() can deal with an empty (NULL-terminated)
string perfectly fine, bit it makes the code a bit more obvious and
silences the following warning:

  In function ‘Channel_UserHasMode’,
      inlined from ‘Channel_Kick’ at channel.c:384:7:
  channel.c:784:16: warning: ‘strchr’ reading 1 or more bytes from a region
                    of size 0 [-Wstringop-overread]
    784 |         return strchr(Channel_UserModes(Chan, Client), Mode) != NULL;
        |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This was seen with "gcc (Debian 12.2.0-14) 12.2.0" at least.
2024-01-20 16:43:54 +01:00
Alexander Barton
dbfe54ce62 Update the AUTHORS.md file 2024-01-20 16:43:54 +01:00
Alexander Barton
39d41001bc Update the mailing list address to ngircd@lists.barton.de 2024-01-20 16:43:54 +01:00
Alexander Barton
e339d9c381 Convert the AUTHORS file to Markdown 2024-01-20 16:43:54 +01:00
Alexander Barton
47f9c6d0a0 Update included Debian package configuration
- Rewrite using current dh_make.
- Standards-Version: 4.6.2.
- No longer build 3 different packages; only build "ngircd" which now
  includes support for IDENT, PAM (disabled in the ngircd.conf installed
  by the package), SSL (OpenSSL), ZLib and IPv6.
- Update package description accordingly.
- No longer install a SysV init file, only install ngircd.service unit.
2024-01-20 16:43:54 +01:00
Alexander Barton
c65c3435e3 Remove outdated and obsolete targets from the toplevel Makefile
This affects targets for Apple Xcode and Package Maker, which both are
no longer supported/included in the ngIRCd distribution.

See commits 0652c99b and 07219281, this is a leftover ...
2024-01-20 16:43:54 +01:00
Alexander Barton
a87b124648 Use -Werror when testing for -Wno-format-truncation
Clang does not know the -Wno-format-truncation option of (current) GCC,
but accepts unknown -W... options (exit core 0) but issues a warning
message on every invocation. So for example on macOS, where Clang is
used as "gcc", a new warning message was shown for every file to
compile, since we enabled -Wno-format-truncation in commit 1d527eaf:

  warning: unknown warning option '-Wno-format-truncation' [-Wunknown-warning-option]

Clang no longer acceps unknown -W... options by enabling -Werror, which
this patch adds to the CFLAGS while testing for -Wno-format-truncation,
which fixes this issue.

This fixes commit 1d527eaf.
2024-01-19 17:07:47 +01:00
Alexander Barton
c83d55f758 Annotate "fall through" cases to silence warnings
Add a "/* fall through */" annotation to "case" statements which
actually should "fall through" to silences GCC warning like this:

  hash.c: In function ‘jenkins_hash’:
  hash.c:110:27: warning: this statement may fall through
                 [-Wimplicit-fallthrough=]
    110 |                 case 12: c+=((UINT32)k[11])<<24;
        |                          ~^~~~~~~~~~~~~~~~~~~~~
2024-01-18 22:49:48 +01:00