[cvslog] [CVS] Module eggdrop1.8: Change committed

cvs at eggheads.org cvs at eggheads.org
Tue Nov 23 10:36:34 CST 2010


CVSROOT    : /usr/local/cvsroot
Module     : eggdrop1.8
Commit time: 2010-11-23 16:36:33 UTC
Committer  : Rumen Stoyanov <pseudo at egg6.net>

Modified files:
     doc/Changes1.8 src/botcmd.c src/dcc.c src/net.c src/patch.h
     src/tls.c src/mod/server.mod/server.c src/mod/share.mod/share.c
     src/mod/transfer.mod/transfer.c

Log message:

Fixed a problem with sharing causing starttls to fail.
Moved STARTTLS early in the bot link process and synchronized the handshake.
Made it possible for ssl handshakes to complete even without data to be sent on the channel.
Fixed an ancient bug resulting in sending uninitialized strings when sharing bot addresses.
Enabled userfile sending over ssl.

---------------------- diff included ----------------------
Index: eggdrop1.8/doc/Changes1.8
diff -u eggdrop1.8/doc/Changes1.8:1.37 eggdrop1.8/doc/Changes1.8:1.38
--- eggdrop1.8/doc/Changes1.8:1.37	Thu Nov 18 06:54:39 2010
+++ eggdrop1.8/doc/Changes1.8	Tue Nov 23 10:36:23 2010
@@ -1,4 +1,4 @@
-$Id: Changes1.8,v 1.37 2010/11/18 12:54:39 pseudo Exp $
+$Id: Changes1.8,v 1.38 2010/11/23 16:36:23 pseudo Exp $
 
 Eggdrop Changes (since version 1.8.0)
 
@@ -6,6 +6,17 @@
 
 1.8.0 (CVS):
 
+  - Fixed a problem with sharing causing starttls to fail.
+    Found by dr1
+  - Moved STARTTLS early in the bot link process and synchronized the
+    handshake.
+  - Made it possible for ssl handshakes to complete even without data to be
+    sent on the channel.
+  - Fixed an ancient bug resulting in sending uninitialized strings when
+    sharing bot addresses.
+  - Enabled (user)file sending over ssl.
+    Patch by: pseudo
+
   - Fixed a problem with resolving hostnames when compiled with IPv6 disabled.
   - Made server.mod report connection failures properly.
     Found by: Arkadietz / Patch by: pseudo
Index: eggdrop1.8/src/botcmd.c
diff -u eggdrop1.8/src/botcmd.c:1.2 eggdrop1.8/src/botcmd.c:1.3
--- eggdrop1.8/src/botcmd.c:1.2	Tue Oct 19 06:13:32 2010
+++ eggdrop1.8/src/botcmd.c	Tue Nov 23 10:36:23 2010
@@ -3,7 +3,7 @@
  *   commands that comes across the botnet
  *   userfile transfer and update commands from sharebots
  *
- * $Id: botcmd.c,v 1.2 2010/10/19 12:13:32 pseudo Exp $
+ * $Id: botcmd.c,v 1.3 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Copyright (C) 1997 Robey Pointer
@@ -1453,31 +1453,25 @@
 
 #ifdef TLS
 /* Negotiate an encrypted session over the existing link
- * starttls
+ * starttls <c/s>
  */
 static void bot_starttls(int idx, char *par)
 {
+  char *con;
   /* We're already using ssl, ignore the request */
   if (dcc[idx].ssl)
     return;
 
-  if (dcc[idx].status & STAT_STARTTLS) {
-    /* we requested ssl, now we got the reply */
-    dcc[idx].status &= ~STAT_STARTTLS;
-    ssl_handshake(dcc[idx].sock, TLS_CONNECT, tls_vfybots, LOG_BOTS,
-                  dcc[idx].host, NULL);
-  } else {
-    /* the peer requests ssl, tell it to go on */
-    /*
-      if (!SSL_CTX_check_private_key(ssl_ctx)) {
-      putlog(LOG_BOTS, "*", "%s", ERR_error_string(ERR_get_error()));
-      return;
-    }
-    */
-    dprintf(idx, "starttls\n");
+  con = newsplit(&par);
+  /* check who's going to play the server */
+  if (!egg_strcasecmp(con, "s")) { /* we're server */
     putlog(LOG_BOTS, "*", "Got STARTTLS from %s. Replying...", dcc[idx].nick);
+    dprintf(idx, "starttls c\n");
     ssl_handshake(dcc[idx].sock, TLS_LISTEN, tls_vfybots, LOG_BOTS,
                   dcc[idx].host, NULL);
+  } else { /* we're client, don't reply or we'll be in the loop forever */
+    ssl_handshake(dcc[idx].sock, TLS_CONNECT, tls_vfybots, LOG_BOTS,
+                  dcc[idx].host, NULL);
   }
   dcc[idx].ssl = 1;
 }
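Review bot: The return value of ssl_handshake() is ignored in both branches and `dcc[idx].ssl = 1` is set unconditionally afterwards, so a failed handshake leaves the link marked as TLS in whatever state the failure left the socket, with nothing logged. The two new call sites in dcc.c in this same commit check the result (log on the client side, killsock()/lostdcc() on the server side); mirror that here in each branch, e.g. `if (ssl_handshake(...)) { putlog(LOG_BOTS, "*", "STARTTLS handshake with %s failed", dcc[idx].nick); killsock(dcc[idx].sock); lostdcc(idx); return; }`, before setting ssl. Note also that any argument other than "s", including none, selects the client role, so a peer still sending the pre-commit bare `starttls` lands in a branch that never replies while this side already starts a TLS_CONNECT; if mixed builds are expected on a botnet, the empty-argument case deserves explicit handling.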
Index: eggdrop1.8/src/dcc.c
diff -u eggdrop1.8/src/dcc.c:1.6 eggdrop1.8/src/dcc.c:1.7
--- eggdrop1.8/src/dcc.c:1.6	Sun Oct 31 08:40:38 2010
+++ eggdrop1.8/src/dcc.c	Tue Nov 23 10:36:23 2010
@@ -4,7 +4,7 @@
  *   disconnect on a dcc socket
  *   ...and that's it!  (but it's a LOT)
  *
- * $Id: dcc.c,v 1.6 2010/10/31 14:40:38 pseudo Exp $
+ * $Id: dcc.c,v 1.7 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Copyright (C) 1997 Robey Pointer
@@ -43,12 +43,15 @@
            make_userfile, default_flags, raw_log, ignore_time,
            par_telnet_flood;
 
-struct dcc_t *dcc = NULL;       /* DCC list                                   */
 #ifdef TLS
-int tls_vfyclients = 0;		/* Certificate validation mode for clients    */
+extern int tls_vfybots;
+
+int tls_vfyclients = 0;         /* Certificate validation mode for clients    */
 int tls_vfydcc = 0;             /* Verify DCC chat/send user certificates     */
 int tls_auth = 0;               /* Allow certificate authentication           */
 #endif
+
+struct dcc_t *dcc = NULL;       /* DCC list                                   */
 int dcc_total = 0;              /* Total dcc's                                */
 int require_p = 0;              /* Require 'p' access to get on the
                                  * party line?                                */
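Review bot: `extern int tls_vfybots;` is an ad hoc file-scope declaration in dcc.c rather than a declaration in a header shared with tls.c, so a later change to the definition's type would not be caught at compile time; transfer.c in this commit presumably reaches tls_vfydcc the same way. Put the tls_vfy* declarations next to the ssl_handshake() prototype in the TLS header (not visible here) and include it from both files.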
@@ -249,17 +252,6 @@
   egg_snprintf(x, sizeof x, "v %d", dcc[idx].u.bot->numver);
   bot_share(idx, x);
   dprintf(idx, "el\n");
-#ifdef TLS
-  /* Ask the peer to switch to ssl communication. We'll continue
-   * using plain text, until it replies with stls itself. Bots which don't
-   * support it will simply ignore the request and everything goes on as usual.
-   */
-  if (dcc[idx].status & STAT_STARTTLS) {
-    dprintf(idx, "starttls\n");
-    putlog(LOG_BOTS, "*", "Sent STARTTLS to %s...", dcc[idx].nick);
-  }
-#endif
-
 }
 
 void failed_link(int idx)
@@ -322,11 +314,6 @@
       }
     }
   }
-  /* Indicate that we'd like to switch to tls later */
-#ifdef TLS
-  if (!dcc[idx].ssl)
-    dcc[idx].status |= STAT_STARTTLS;
-#endif
   dcc[idx].type = &DCC_BOT_NEW;
   dcc[idx].u.bot->numver = 0;
 
@@ -376,6 +363,19 @@
   else if (!egg_strcasecmp(code, "passreq")) {
     char *pass = get_user(&USERENTRY_PASS, u);
 
+#ifdef TLS
+    /* We got a STARTTLS request earlier. Switch to ssl NOW. Doing this
+     * in two steps is necessary in order to synchronize the handshake.
+     */
+    if (dcc[idx].status & STAT_STARTTLS) {
+      dcc[idx].ssl = 1;
+      if (ssl_handshake(dcc[idx].sock, TLS_CONNECT, tls_vfybots, LOG_BOTS,
+                    dcc[idx].host, NULL))
+        putlog(LOG_BOTS, "*", "STARTTLS failed while linking to %s",
+               dcc[idx].nick);
+      dcc[idx].status &= ~STAT_STARTTLS;
+    }
+#endif
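Review bot: A failed TLS_CONNECT handshake here is only logged, and control then falls through into the passreq handling below, which on the non-digest path ends in `dprintf(idx, "%s\n", pass)`; the bot password can thus be written to a link that never became encrypted (what ssl_handshake() leaves the socket in on failure is not visible here, but the server-side counterpart added in dcc.c in this commit drops the link). Abort instead of continuing: after the putlog, `killsock(dcc[idx].sock); lostdcc(idx); return;`. The enclosing function starts before this hunk.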
     if (!pass || !strcmp(pass, "-")) {
       putlog(LOG_BOTS, "*", DCC_PASSREQ, dcc[idx].nick);
       dprintf(idx, "-\n");
@@ -388,6 +388,18 @@
       else
         dprintf(idx, "%s\n", pass);
     }
+#ifdef TLS
+  } else if (!egg_strcasecmp(code, "starttls") && !dcc[idx].ssl) {
+    /* Mark the connection for secure communication, but don't switch yet.
+     * The hub has to send a plaintext passreq right after the starttls command
+     * and if we switch now, we'll break the handshake. Instead, we'll only
+     * send a confirmation to the peer and wait for the passreq.
+     */
+    putlog(LOG_BOTS, "*", "Got STARTTLS from %s. Replying...", dcc[idx].nick);
+    dcc[idx].status |= STAT_STARTTLS;
+    /* needs to have space to be distinguished from a plaintext password */
+    dprintf(idx, "starttls -\n");
+#endif
   } else if (!egg_strcasecmp(code, "error"))
     putlog(LOG_BOTS, "*", DCC_LINKERROR, dcc[idx].nick, buf);
   /* Ignore otherwise */
@@ -593,6 +605,17 @@
   atr = dcc[idx].user ? dcc[idx].user->flags : 0;
 
   /* Check for MD5 digest from remote _bot_. <cybah> */
+#ifdef TLS
+  if ((atr & USER_BOT) && !egg_strncasecmp(buf, "starttls ", 9)) {
+    dcc[idx].ssl = 1;
+    if (ssl_handshake(dcc[idx].sock, TLS_LISTEN, tls_vfybots, LOG_BOTS,
+                      dcc[idx].host, NULL)) {
+      killsock(dcc[idx].sock);
+      lostdcc(idx);
+    }
+    return;
+  }
+#endif
   if ((atr & USER_BOT) && !egg_strncasecmp(buf, "digest ", 7)) {
     if (dcc_bot_check_digest(idx, buf + 7)) {
       nfree(dcc[idx].u.chat);
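Review bot: The switch to TLS happens in the middle of a line-oriented read and nothing discards data that may already sit in the input buffer behind `starttls -`, which is the classic STARTTLS plaintext-injection problem: bytes an attacker appends to the same plaintext segment are later processed as if they had arrived under TLS. Whether the caller's line loop keeps consuming buffered lines after this `return` is outside the hunk; if it does, require the buffer to be empty after the starttls line (drop the link otherwise) or flush it before ssl_handshake(). The failure path is also silent, unlike the client side in this commit; add `putlog(LOG_BOTS, "*", "STARTTLS handshake with %s failed", dcc[idx].nick);` before killsock(). The enclosing function starts before this hunk.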
@@ -1617,6 +1640,16 @@
   }
 
   if (glob_bot(fr)) {
+#ifdef TLS
+  /* Ask the peer to switch to ssl communication. We'll continue using plain
+   * text, until it replies with starttls itself. Bots which don't support ssl
+   * will simply ignore the request and everything will go on as usual.
+   */
+    if (!dcc[idx].ssl) {
+      dprintf(idx, "starttls\n");
+      putlog(LOG_BOTS, "*", "Sent STARTTLS to %s...", dcc[idx].nick);
+    }
+#endif
     /* Must generate a string consisting of our process ID and the current
      * time. The bot will add it's password to the end and use it to generate
      * an MD5 checksum (always 128bit). The checksum is sent back and this
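Review bot: The upgrade is purely opportunistic: the comment says a peer that does not answer `starttls` simply continues in plain text, which is also exactly what an active attacker who strips that line from the stream obtains. If the per-bot flags that share.c in this commit exports (`bi->ssl & TLS_BOT`) mean the peer is known to support TLS, the hub should refuse to proceed to the password challenge when such a peer has not replied; at minimum the comment should state that the plaintext fallback is a downgrade path. The comment block is also indented two columns less than the `if` it describes. The enclosing function starts before this hunk.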
Index: eggdrop1.8/src/mod/server.mod/server.c
diff -u eggdrop1.8/src/mod/server.mod/server.c:1.6 eggdrop1.8/src/mod/server.mod/server.c:1.7
--- eggdrop1.8/src/mod/server.mod/server.c:1.6	Mon Nov  1 16:38:34 2010
+++ eggdrop1.8/src/mod/server.mod/server.c	Tue Nov 23 10:36:23 2010
@@ -2,7 +2,7 @@
  * server.c -- part of server.mod
  *   basic irc server support
  *
- * $Id: server.c,v 1.6 2010/11/01 22:38:34 pseudo Exp $
+ * $Id: server.c,v 1.7 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Copyright (C) 1997 Robey Pointer
@@ -1618,14 +1618,11 @@
     putlog(LOG_MISC, "*", "DCC connection: CHAT (%s!%s)", dcc[i].nick,
            dcc[i].host);
 #ifdef TLS
-    if (dcc[i].ssl)
-    /* Queue something up to make sure the handshake moves on */
-      dprintf(i, "TLS handshake in progress...\n");
-    else
     /* For SSL connections, the handshake callback will determine
        if we should request a password */
+    if (!dcc[i].ssl)
 #endif
-      dprintf(i, "%s\n", DCC_ENTERPASS);
+    dprintf(i, "%s\n", DCC_ENTERPASS);
   }
   return;
 }
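Review bot: The `if (!dcc[i].ssl)` now inside `#ifdef TLS` guards a statement that sits after the `#endif`, with the explanatory comment above the `if` instead of next to the dprintf; this compiles to the intended thing in both configurations, but a later edit that adds a brace or a second statement on either side of the `#endif` breaks one configuration silently. Make the body explicit in each branch of the conditional instead, as below. The enclosing function starts before this hunk.
```c
#ifdef TLS
    /* For SSL connections, the handshake callback will determine
       if we should request a password */
    if (!dcc[i].ssl)
      dprintf(i, "%s\n", DCC_ENTERPASS);
#else
    dprintf(i, "%s\n", DCC_ENTERPASS);
#endif
```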
Index: eggdrop1.8/src/mod/share.mod/share.c
diff -u eggdrop1.8/src/mod/share.mod/share.c:1.4 eggdrop1.8/src/mod/share.mod/share.c:1.5
--- eggdrop1.8/src/mod/share.mod/share.c:1.4	Tue Oct 19 06:13:33 2010
+++ eggdrop1.8/src/mod/share.mod/share.c	Tue Nov 23 10:36:23 2010
@@ -1,7 +1,7 @@
 /*
  * share.c -- part of share.mod
  *
- * $Id: share.c,v 1.4 2010/10/19 12:13:33 pseudo Exp $
+ * $Id: share.c,v 1.5 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Copyright (C) 1997 Robey Pointer
@@ -1969,10 +1969,18 @@
             q_tbuf(dcc[idx].nick, s2, NULL);
           }
           /* Send address */
-          if (bi)
+          if (bi) {
+#ifdef TLS
+            egg_snprintf(s2, sizeof s2, "s c BOTADDR %s %s %s%d %s%d\n",
+                         u->handle, bi->address, (bi->ssl & TLS_BOT),
+                         bi->telnet_port, (bi->ssl & TLS_RELAY),
+                         bi->relay_port);
+#else
             egg_snprintf(s2, sizeof s2, "s c BOTADDR %s %s %d %d\n", u->handle,
                          bi->address, bi->telnet_port, bi->relay_port);
-          q_tbuf(dcc[idx].nick, s2, NULL);
+#endif
+            q_tbuf(dcc[idx].nick, s2, NULL);
+          }
           fr.match = FR_GLOBAL;
           fr.global = u->flags;
 
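Review bot: In the TLS branch the two `%s` conversions receive `(bi->ssl & TLS_BOT)` and `(bi->ssl & TLS_RELAY)`, which are integers, not strings; egg_snprintf will treat them as `char *`, so the shared BOTADDR line is wrong at best and a crash at worst. The intent is evidently a marker in front of an SSL port, so pass a string in each position, e.g. `(bi->ssl & TLS_BOT) ? "+" : ""` and `(bi->ssl & TLS_RELAY) ? "+" : ""`, using whatever prefix the receiving BOTADDR parser expects (not visible here). Compiling with -Wformat would flag this. The enclosing function starts before this hunk and continues after it.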
Index: eggdrop1.8/src/mod/transfer.mod/transfer.c
diff -u eggdrop1.8/src/mod/transfer.mod/transfer.c:1.4 eggdrop1.8/src/mod/transfer.mod/transfer.c:1.5
--- eggdrop1.8/src/mod/transfer.mod/transfer.c:1.4	Wed Oct  6 13:07:47 2010
+++ eggdrop1.8/src/mod/transfer.mod/transfer.c	Tue Nov 23 10:36:23 2010
@@ -1,7 +1,7 @@
 /*
  * transfer.c -- part of transfer.mod
  *
- * $Id: transfer.c,v 1.4 2010/10/06 19:07:47 pseudo Exp $
+ * $Id: transfer.c,v 1.5 2010/11/23 16:36:23 pseudo Exp $
  *
  * Copyright (C) 1997 Robey Pointer
  * Copyright (C) 1999 - 2010 Eggheads Development Team
@@ -910,6 +910,15 @@
 
   i = answer(dcc[idx].sock, &dcc[idx].sockname, &port, 1);
   killsock(dcc[idx].sock);
+#ifdef TLS
+  if (dcc[idx].ssl && ssl_handshake(i, TLS_LISTEN, tls_vfydcc,
+                                    LOG_FILES, dcc[idx].host, NULL)) {
+    putlog(LOG_FILES, "*", "DCC failed SSL handshake: GET %s (%s!%s)",
+           dcc[idx].u.xfer->origname, dcc[idx].nick, dcc[idx].host);
+    lostdcc(idx);
+    return;
+  }
+#endif
   dcc[idx].sock = i;
   dcc[idx].addr = 0;
   dcc[idx].port = (int) port;
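Review bot: On a failed handshake the freshly accepted socket `i` is never closed: killsock() was already applied to the old listening socket, `dcc[idx].sock = i` is only assigned after this block, and lostdcc(idx) therefore has no handle on `i` (unless ssl_handshake() closes it on failure, which is not visible here). Add `killsock(i);` before `lostdcc(idx);`. It is also not visible whether answer() can return a negative descriptor; if it can, the new code now hands it to ssl_handshake() before any check, so guard with `if (i >= 0 && dcc[idx].ssl && ssl_handshake(...))` or check `i` first. The enclosing function starts before this hunk and continues after it.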
Index: eggdrop1.8/src/net.c
diff -u eggdrop1.8/src/net.c:1.7 eggdrop1.8/src/net.c:1.8
--- eggdrop1.8/src/net.c:1.7	Thu Nov 18 06:54:39 2010
+++ eggdrop1.8/src/net.c	Tue Nov 23 10:36:23 2010
@@ -2,7 +2,7 @@
  * net.c -- handles:
  *   all raw network i/o
  *
- * $Id: net.c,v 1.7 2010/11/18 12:54:39 pseudo Exp $
+ * $Id: net.c,v 1.8 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * This is hereby released into the public domain.
@@ -732,7 +732,8 @@
       if (!tclonly && ((!(slist[i].flags & (SOCK_UNUSED | SOCK_TCL))) &&
           ((FD_ISSET(slist[i].sock, &fdr)) ||
 #ifdef TLS
-          (slist[i].ssl && SSL_pending(slist[i].ssl)) ||
+          (slist[i].ssl && (SSL_pending(slist[i].ssl) ||
+           !SSL_is_init_finished(slist[i].ssl))) ||
 #endif
           ((slist[i].sock == STDOUT) && (!backgrd) &&
           (FD_ISSET(STDIN, &fdr)))))) {
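Review bot: A socket whose SSL object exists but whose handshake has not finished is now treated as ready on every pass regardless of FD_ISSET, so while a peer keeps a handshake pending the loop never waits in select() on that socket's behalf; a remote that opens a TLS link and then stalls could keep the bot spinning until some other timeout drops it (how the loop body handles such a socket continues past this hunk, so this is an inference). Prefer putting the socket in the select read set, and the write set when SSL_want_write() reports it, and driving SSL_do_handshake() only when select() reports readiness, rather than bypassing FD_ISSET. The enclosing function starts before this hunk.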
@@ -745,7 +746,7 @@
             grab = 10;
 #ifdef TLS
           else if (!(slist[i].flags & SOCK_STRONGCONN) &&
-            (!(slist[i].ssl) || !SSL_in_init(slist[i].ssl))) {
+            (!(slist[i].ssl) || SSL_is_init_finished(slist[i].ssl))) {
 #else
           else if (!(slist[i].flags & SOCK_STRONGCONN)) {
 #endif
@@ -772,7 +773,8 @@
 	      if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
 	        errno = EAGAIN;
               else
-                debug1("SSL error: %s", ERR_error_string(ERR_get_error(), 0));
+                debug1("sockread(): SSL error = %s",
+                       ERR_error_string(ERR_get_error(), 0));
               x = -1;
             }
           } else
@@ -1096,7 +1098,8 @@
             errno = EAGAIN;
           else if (!inhere) { /* Out there, somewhere */
             inhere = 1;
-            debug1("SSL error: %s", ERR_error_string(ERR_get_error(), 0));
+            debug1("tputs(): SSL error = %s",
+                   ERR_error_string(ERR_get_error(), 0));
             inhere = 0;
           }
           x = -1;
@@ -1150,10 +1153,18 @@
   tv.tv_sec = 0;
   tv.tv_usec = 0;               /* we only want to see if it's ready for writing, no need to actually wait.. */
   for (i = 0; i < threaddata()->MAXSOCKS; i++) {
-    if (!(socklist[i].flags & (SOCK_UNUSED | SOCK_TCL)) &&
-        socklist[i].handler.sock.outbuf != NULL) {
-      FD_SET(socklist[i].sock, &wfds);
-      z = 1;
+    if (!(socklist[i].flags & (SOCK_UNUSED | SOCK_TCL))) {
+#ifdef TLS
+      /* We can't rely on a transparent negotiation, because the
+       * handshake may never finish if we don't have any data to send.
+       */
+      if (socklist[i].ssl && !SSL_is_init_finished(socklist[i].ssl))
+        SSL_do_handshake(socklist[i].ssl);
+#endif
+      if (socklist[i].handler.sock.outbuf != NULL) {
+        FD_SET(socklist[i].sock, &wfds);
+        z = 1;
+      }
     }
   }
   if (!z)
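Review bot: `SSL_do_handshake()` is called with its return value discarded, so a handshake that has failed for good (certificate rejected under the verification mode, protocol error) is retried on every pass and its error stays on OpenSSL's error stack, where the next unrelated `ERR_get_error()` in sockread() or tputs() will report it against the wrong socket. Check the result and, for anything other than WANT_READ/WANT_WRITE, log it once here the way the SSL_write path below does, as sketched below. The enclosing function starts before this hunk.
```c
      if (socklist[i].ssl && !SSL_is_init_finished(socklist[i].ssl)) {
        int r = SSL_do_handshake(socklist[i].ssl);
        if (r <= 0) {
          int err = SSL_get_error(socklist[i].ssl, r);
          if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
            debug1("dequeue_sockets(): SSL handshake error = %s",
                   ERR_error_string(ERR_get_error(), 0));
        }
      }
      /* … unchanged: outbuf check and FD_SET … */
```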
@@ -1173,18 +1184,20 @@
 #ifdef TLS
       if (socklist[i].ssl) {
         x = SSL_write(socklist[i].ssl, socklist[i].handler.sock.outbuf,
-        socklist[i].handler.sock.outbuflen);
+                      socklist[i].handler.sock.outbuflen);
         if (x < 0) {
           int err = SSL_get_error(socklist[i].ssl, x);
           if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ)
             errno = EAGAIN;
           else
-            debug1("SSL error: %s", ERR_error_string(ERR_get_error(), 0));
+            debug1("dequeue_sockets(): SSL error = %s",
+                   ERR_error_string(ERR_get_error(), 0));
           x = -1;
         }
       } else
 #endif   
-      x = write(socklist[i].sock, socklist[i].handler.sock.outbuf, socklist[i].handler.sock.outbuflen);
+      x = write(socklist[i].sock, socklist[i].handler.sock.outbuf,
+                socklist[i].handler.sock.outbuflen);
       if ((x < 0) && (errno != EAGAIN)
 #ifdef EBADSLT
           && (errno != EBADSLT)
@@ -1206,8 +1219,10 @@
         char *p = socklist[i].handler.sock.outbuf;
 
         /* This removes any sent bytes from the beginning of the buffer */
-        socklist[i].handler.sock.outbuf = nmalloc(socklist[i].handler.sock.outbuflen - x);
-        egg_memcpy(socklist[i].handler.sock.outbuf, p + x, socklist[i].handler.sock.outbuflen - x);
+        socklist[i].handler.sock.outbuf =
+                            nmalloc(socklist[i].handler.sock.outbuflen - x);
+        egg_memcpy(socklist[i].handler.sock.outbuf, p + x,
+                   socklist[i].handler.sock.outbuflen - x);
         socklist[i].handler.sock.outbuflen -= x;
         nfree(p);
       } else {
Index: eggdrop1.8/src/patch.h
diff -u eggdrop1.8/src/patch.h:1.25 eggdrop1.8/src/patch.h:1.26
--- eggdrop1.8/src/patch.h:1.25	Fri Nov  5 10:18:02 2010
+++ eggdrop1.8/src/patch.h	Tue Nov 23 10:36:23 2010
@@ -10,7 +10,7 @@
  * statement, leave the rest of the file alone, this allows better
  * overlapping patches.
  *
- * $Id: patch.h,v 1.25 2010/11/05 16:18:02 pseudo Exp $
+ * $Id: patch.h,v 1.26 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Copyright (C) 1997 Robey Pointer
@@ -41,12 +41,12 @@
  *
  *
  */
-patch("1288971899");            /* current unixtime */
+patch("1290530142");            /* current unixtime */
 /*
  *
  *
  */
-patch("getudef64");
+patch("tlsandsharefix");
 /*
  *
  *
Index: eggdrop1.8/src/tls.c
diff -u eggdrop1.8/src/tls.c:1.2 eggdrop1.8/src/tls.c:1.3
--- eggdrop1.8/src/tls.c:1.2	Tue Oct 19 08:20:56 2010
+++ eggdrop1.8/src/tls.c	Tue Nov 23 10:36:23 2010
@@ -4,7 +4,7 @@
  *   Certificate handling
  *   OpenSSL initialization and shutdown
  *
- * $Id: tls.c,v 1.2 2010/10/19 14:20:56 pseudo Exp $
+ * $Id: tls.c,v 1.3 2010/11/23 16:36:23 pseudo Exp $
  */
 /*
  * Written by Rumen Stoyanov <pseudo at egg6.net>
@@ -628,7 +628,7 @@
   }
 
   /* Display the state of the engine for debugging purposes */
-/*  debug1("TLS: state change: %s", SSL_state_string_long(ssl)); */
+  debug1("TLS: state change: %s", SSL_state_string_long(ssl));
 }
     
 /* Switch a socket to SSL communication
----------------------- End of diff -----------------------

