path: root/src
Age | Commit message | Author
2013-10-16 | Add support for arc4random | Federico G. Schwindt
If arc4random is present it will be used over the srand/rand interface. This fixes some warnings in OpenBSD-current.
2013-10-16 | Fix another strcat warning missed in commit 4c5b43 | Federico G. Schwindt
2013-10-07 | ngircd.c, main(): use strlcat() instead of strcat() | Alexander Barton
This fixes the following warning on OpenBSD 5.3:
  ngircd.o(.text+0xeb4): In function `main':
  src/ngircd/ngircd.c:300: warning: strcat() is almost always misused, please use strlcat()
Thanks to Götz Hoffart for reporting this!
2013-10-01 | Actually KILL clients on GLINE/KLINE | Alexander Barton
Kill all clients that match a new GLINE/KLINE mask and generate appropriate KILL commands. These KILL commands can be superfluous, but are required when the IRC Operator isn't allowed to set remote G-Lines or if there are older servers in the network that don't kill clients on GLINE/KLINE. Closes bug #156.
2013-10-01 | Don't forward KILL commands for unknown clients | Alexander Barton
2013-10-01 | New function IRC_KillClient() to kill clients | Alexander Barton
The old local function Kill_Nick() in irc.c has been an ugly hack. This patch implements a generic function for killing clients. Adjust all callers of Kill_Nick() and respect the return code!
2013-09-26 | Adjust log messages for invalid and spoofed prefixes | Alexander Barton
Now invalid prefixes are no longer logged when originating from another server (besides in debug mode), and spoofed prefixes are correctly logged using LOG_WARNING (from another server) or LOG_ERR (from a client) levels. In addition, the log message texts have been adjusted to better reflect what will happen: commands with invalid prefixes are ignored and logged, commands with spoofed prefixes will result in the client being disconnected (regular users) or the command being ignored (other servers). This cleans up logging of commands related to already KILL'ed clients.
2013-09-25 | Remove CLIENT.oper_by_my, Client_SetOperByMe() and Client_OperByMe() | Alexander Barton
All places where Client_OperByMe() is used can either be converted to Client_HasMode(Client, 'o') or Op_Check(). And Op_Check() itself can use the connection handle for deciding whether the IRC Operator is a local user or not.
2013-09-24 | Add support to show user links using "STATS L" | Federico G. Schwindt
Change "stats L" to show servers and user links and restrict it to IRC Operators.
2013-09-24 | Log an error (not info) when working directory can't be changed | Alexander Barton
2013-09-17 | Change the certificate fingerprint digest to sha256 | Federico G. Schwindt
While here correct some indentation.
2013-09-17 | Change cipher defaults | Federico G. Schwindt
Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
2013-09-16 | Merge remote-tracking branch 'alex/bug162-SSLCipherList' | Alexander Barton
* alex/bug162-SSLCipherList:
  Cipher list selection for GnuTLS
  ConnSSL_Init_SSL(): correctly set CONN_SSL flag
  Cipher list selection for OpenSSL
  ConnSSL_InitLibrary(): Code cleanup
2013-09-16 | Fix server reconnection | Federico G. Schwindt
In some error cases conn_id will be left as SERVER_WAIT and subsequently ignored in Check_Servers(). Ensure conn_id is set to NONE before returning from New_Server() if we couldn't establish the connection. Prompted by a report from gabrielgi-at-gmail-dot-com.
2013-09-16 | Don't ignore SSL-related errors during startup | Alexander Barton
Without this patch, ngIRCd ignores SSL-related messages and continues to start up but only listens on plain text communication ports -- and this most probably isn't what the administrator wanted ... Closes bug #163.
2013-09-15 | Cipher list selection for GnuTLS | Alexander Barton
This patch implements the missing functionality for cipher list selection using GnuTLS (our OpenSSL code has this already).
2013-09-15 | ConnSSL_Init_SSL(): correctly set CONN_SSL flag | Alexander Barton
The CONN_SSL flag must be set before any calls to ConnSSL_Free()!
2013-09-15 | Cipher list selection for OpenSSL | Alexander Barton
This patch introduces the possibility to arbitrarily select ciphers which should be promoted resp. declined when establishing an SSL connection with a client by implementing the new configuration option "CipherList". By default, OpenSSL would accept low and medium strength and RC-4 ciphers, which nowadays are known to be broken. This patch only implements the feature for OpenSSL. A GnuTLS counterpart has to be implemented in another patch ... Original patch by Bastian <bastian-ngircd@t6l.de>. Closes bug #162.
2013-09-15 | ConnSSL_InitLibrary(): Code cleanup | Alexander Barton
2013-09-07 | TRACE: fix error message when there are too many parameters | Alexander Barton
ircd 2.11 ignores additional parameters silently, but I don't think that this is the correct behaviour either ...
2013-09-07 | IRC_SetPenalty(): Code cleanup | Alexander Barton
2013-09-06 | Add more penalty times | Federico G. Schwindt
Ensure before every numeric 461 there is a call to IRC_SetPenalty().
2013-09-06 | Rework check for number of parameters | Federico G. Schwindt
Move most of the checks that return numeric 461 into Handle_Request().
2013-09-05 | Reorder checks | Federico G. Schwindt
Move oper and Conf_MorePrivacy checks after checking the number of parameters.
2013-09-05 | Move the IRC_SetPenalty() call after the asserts | Federico G. Schwindt
2013-09-05 | Correct numeric returned by whois | Federico G. Schwindt
As per RFC whois should return 431 if no nick is provided. While here convert upper check to use irc-macros. As a bonus we get to set the penalty for free.
2013-09-05 | Minor cosmetic change | Federico G. Schwindt
Add a define to indicate any client. While I'm here use hex values instead of decimal, it's somewhat clearer that they could be OR'ed together.
2013-09-03 | getpid.sh: use /bin/pidof when available | Alexander Barton
2013-09-03 | Don't enforce channel types for other servers | Alexander Barton
The configuration option "AllowedChannelTypes" must only be enforced for regular clients and not for remote servers. Channels created by other servers are always allowed, because they already exist and the daemon must stay in sync with the network.
2013-09-02 | Only log "IDENT ... no result" when IDENT was looked up | Alexander Barton
Without this patch, ngIRCd logged the "IDENT lookup for connection X: no result"-message even when IDENT lookups have been disabled using the "Ident = no" configuration option, which is a little bit misleading. Reported by "btwe" in #ngircd.
2013-08-31 | ngircd: use setgid/setuid errno value in error path | Florian Westphal
Need to use saved errno value as strerror argument, else you get bogus output ('success') in the log message.
2013-08-31 | Show connection flag "s" (SSL) in RPL_TRACE{LINK|SERVER} | Alexander Barton
Now you can check if a server-to-server link is SSL-encrypted or not using the IRC "TRACE" command. Idea by Götz Hoffart, thanks!
2013-08-27 | Change away to be allocated dynamically | Federico G. Schwindt
2013-08-27 | Ignore "operation not permitted" while dropping groups | Alexander Barton
Without this exception, you can't start ngIRCd as user any more, it is analogous to setting the user and group ID.
2013-08-27 | ngircd: discard supplementary group ids on startup | Florian Westphal
The intention was to switch to JUST uid:gid, but setgid is not sufficient.
Reported-by: Michael Scherer <misc@zarb.org>
2013-08-26 | Merge branch 'bug159-WebircIPA' | Alexander Barton
* bug159-WebircIPA:
  Introduce Free_Client() function to free CLIENT structure
  Save client IP address text for "WebIRC" users
2013-08-26 | Introduce Free_Client() function to free CLIENT structure | Alexander Barton
2013-08-26 | Save client IP address text for "WebIRC" users | Alexander Barton
This patch introduces a new field in the CLIENT structure, "ipa_text", which points to an optional textual representation of the client IP address (or NULL) which can be used to store the "real" IP address information of a client using the "WEBIRC" protocol. Without this patch, ngIRCd ignored the <ip-address> parameter ... In addition, the functions Client_SetIPAText() and Client_IPAText() have been introduced to set and get the textual representation of the client IP address. Client_IPAText() can be used even when no "IP address text" has been set before, it then returns the real IP address of the connection. Closes bug #159.
2013-08-26 | Implement new configuration option "DefaultUserModes" | Alexander Barton
The new configuration option "DefaultUserModes" lists user modes that become automatically set on new local clients right after login. Please note that only modes can be set that the client could set on itself, you can't set "a" (away) or "o" (IRC Op), for example! User modes "i" (invisible) or "x" (cloaked) etc. are "interesting", though. Default: set no modes (like without this patch). Closes bug #160.
2013-08-26 | Change strdup() to strndup() | Federico G. Schwindt
2013-08-26 | private strndup() implementation in case libc does not provide it | Federico G. Schwindt
2013-08-25 | Silence warning | Federico G. Schwindt
Cast the result of the operation to long, not the time(NULL) call. On systems where sizeof(time_t) is other than long this will produce a warning.
2013-08-25 | Plug memory leak | Federico G. Schwindt
2013-08-25 | Implement account login support | Federico G. Schwindt
This is done via the `accountname' METADATA command and used to automatically identify users after netsplits or across service restarts.
2013-08-24 | Fix spelling | Federico G. Schwindt
2013-08-23 | Correctly handle return code of Handle_Write() | Alexander Barton
There have been code paths that ignored the return code of Handle_Write() when sending "notice auth" messages to new clients connecting to the server. But because Handle_Write() would have closed the client connection again if an error occurred, this would have resulted in new errors and assert()'s later on that could have crashed the server (denial of service). Only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default. CVE-2013-5580.
2013-08-21 | Enhance log messages on "recursive" connection errors | Alexander Barton
2013-08-21 | Add some assert() calls to ng_ipaddr library | Alexander Barton
2013-08-17 | Merge branch 'ssl-log-messages' | Alexander Barton
* ssl-log-messages:
  Make SSL-related log messages more readable
  ConnSSL_HandleError: Code cleanup, more documentation
2013-08-14 | Make SSL-related log messages more readable | Alexander Barton
- Don't use internal function names but describe the error.
- Streamline wording, use "SSL" for SSL and TLS.
- Streamline punctuation.