1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-03 19:43:12 +02:00
Commit Graph

1538 Commits

Author SHA1 Message Date
Bram Matthys 5992a759f7 return 0.. 2019-03-23 18:44:00 +01:00
Bram Matthys ab50bf2afc Communicate server featureset (and changes) across server links.
Previously various information was only available for directly attached
servers, since it is communicated via PROTOCTL.
Now, we will also communicate information about leafs behind us.
IRCOps can use the /SINFO command to see these server features.
Services codes don't need to do anything, or at least are not expected
to do anything. They can still receive the information and do something
with it, of course...
Read the following technical documentation for full information,
as it will outline very specific rules for using the command S2S:
https://www.unrealircd.org/docs/Server_protocol:SINFO_command
2019-03-23 17:56:59 +01:00
Bram Matthys 7ad6b15e92 It would be nice if expired TKL's actually get removed (duh).
Caused by fac1e30b91 from March 3, 2019.
2019-03-15 16:34:30 +01:00
Bram Matthys 5d69fe9d93 Missing return NULL in find_tkline_match_zap_matcher (due to commit from
a few days ago)
2019-03-09 10:23:19 +01:00
Bram Matthys fac1e30b91 Major TKL speed improvements. 2019-03-03 20:25:05 +01:00
Bram Matthys 766055d5c0 Fix set::ban-setter and set::topic-setter being set to nick-user-host
out of the blue. The classic C mistake where = instead of == was written
in an if statement... duh.
2019-03-02 08:49:47 +01:00
Bram Matthys f599ea02cb WHO(X) auto-conversion bug regarding 'a' and 'c' which no longer exist
in WHOX.
2019-03-01 14:34:43 +01:00
Bram Matthys d068cd41ca Fix crash in websocket module. 2019-03-01 14:10:06 +01:00
Bram Matthys c6f01aa3f1 Protect 2 more commands against rogue server to server traffic. 2019-02-11 08:47:51 +01:00
Bram Matthys 294560f944 KILL: Not sure if this fixes anything but at least it's less cryptic. 2019-02-10 17:30:39 +01:00
Bram Matthys 9a0bd31cf8 Fix unlikely crash if you had a spamfilter targetting away that was
only local (so in .conf) and it hit a remote user.
Also, re-indent this monster...
2019-02-10 17:09:48 +01:00
Bram Matthys 1dbef111fb Fix crash if receiving malformed server to server traffic (from an
authenticated server): TKL deleting a spamfilter with insufficient
parameters.
2019-02-10 17:08:47 +01:00
Bram Matthys 1f03dbdd05 CHGNAME and SETNAME: if a remote user used a realname that was banned
on this server then we could possibly crash. (Fortunately most networks
use the same ban realname blocks on all their servers)
2019-02-10 14:54:28 +01:00
Bram Matthys 7e444d3b9f Fix SJOIN bug in rc1: was using an incorrect buffer when SJSBY was
not used, such as in a mixed version scenario.
2019-02-10 14:43:34 +01:00
Bram Matthys 77d3e844dc Fix a bunch of REHASH memory leaks. 2019-02-10 10:36:20 +01:00
Bram Matthys c7f00edd9d Quicker handshake when using many CAP requests and/or AUTHENTICATE.
I was wondering why the handshake took 4 seconds for a client which
authenticates using SASL. Turns out that fake lag was kicking in due
to the many "CAP req" commands combined with the other handshake stuff.
Now the first 15 (or so) "CAP" requests are "free", without fake lag.
2019-02-09 16:47:24 +01:00
Bram Matthys 78cd122a05 Allow SASL post-registration. Unfortunately the anope unreal4 protocol
module also requires an update to support this.
2019-02-09 14:39:34 +01:00
Bram Matthys dde8f914fb Internal: make UID available early (pre-auth). 2019-02-09 14:35:48 +01:00
Bram Matthys 9c0f1f3505 Fix OOB read in m_whox.
Strange order for a compare, first the 2nd byte, then the 1st byte ;)
Anyway, this issue can only be triggered since rc1, no big issue.
2019-02-06 19:31:10 +01:00
Bram Matthys 988f64e3b3 Fix crash when linking (caused by commit from 4 days ago). 2019-02-06 12:54:37 +01:00
Bram Matthys 70a9a6f6b2 Added INVITE and KNOCK flood protection (command rate limiting).
set::anti-flood::invite-flood defaults to 4 per 60 seconds.
set::anti-flood::knock-flood defaults to 4 per 120 seconds.
2019-02-06 12:00:51 +01:00
Bram Matthys 1e1f750b44 New set::max-targets-per-command which configures the maximum number
of targets accepted for a command, eg /MSG nick1,nick2,nick3,nick4 hi.
Also changed the following defaults (previously hardcoded):
* PRIVMSG from 20 to 4 targets, to counter /amsg spam
* NOTICE from 20 to 1 target, to counter /anotice spam
* KICK from 1 to 4 targets, to make it easier for channel operators
  to quickly kick a large amount of spambots
See https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command

(actually still need to write the documentation)
2019-02-04 17:51:09 +01:00
Bram Matthys 7153468081 UnrealIRCd will now warn if your ulines { } are matching UnrealIRCd servers.
See https://www.unrealircd.org/docs/FAQ#WARNING:_Bad_ulines
2019-02-02 08:44:14 +01:00
Bram Matthys f9415e1a91 m_whox: now accept and transform most classic UnrealIRCd WHO requests
such as "WHO +s serv.er.name" to "WHO serv.er.name s".
It also does advanced transformation such as "WHO -m z" to "WHO -z m"
**copy paste from comment in code**
Flag a: user is away                                            << no longer exists
Flag c <channel>: user is on <channel>                          << no longer exists
Flag g <gcos/realname>: user has string <gcos> in his/her GCOS  << now called 'r'
Flag h <host>: user has string <host> in his/her hostname       << no change
Flag i <ip>: user has string <ip> in his/her IP address         << no change
Flag m <usermodes>: user has <usermodes> set                    << behavior change
Flag n <nick>: user has string <nick> in his/her nickname       << no change
Flag s <server>: user is on server <server>                     << no change
Flag u <user>: user has string <user> in his/her username       << no change
Behavior flags:
Flag M: check for user in channels I am a member of             << no longer exists
Flag R: show users' real hostnames                              << no change (re-added)
Flag I: show users' IP addresses                                << no change (re-added)
**end of paste**
Of course we cannot convert 100% from classic UnrealIRCd WHO to WHOX-style
because things like "WHO +m r" could mean either "search for +m in realname" (WHOX)
or "search for +r in modes" (classic). In cases like this we assume WHOX, so to not
break any WHOX compatibility.

Added matchers: 'R' (show real host) and 'I' (show IP)

This code will need more testing, both by classic WHO and by WHOX users...
2019-02-01 17:46:59 +01:00
Bram Matthys eecd29bdc8 WHOX: adaptions for UnrealIRCd part 1:
* No longer require a ! prefix for ircops to see users
* "WHO *" is no longer different than the rest
  (previously in m_whox would only list users on 1st channel)
Neither is part of the WHOX specs.
2019-02-01 15:21:53 +01:00
Bram Matthys a999b305a5 Remove 005 CMDS= token, which was an unnecessary abstraction and was
not picked up by any other IRCd. The 005 tokens KNOCK MAP USERIP are
now used instead. We do not announce STARTTLS in 005 anymore as this
is way too late (post-handshake, sensitive info already sent and/or
received). Not to mention STARTTLS is not the preferred method to
setup a secure connection in the first place.
Module coders: this means CommandAdd() with M_ANNOUNCE should no
longer be used. If a 3rd party module does use it, then UnrealIRCd
will now raise a warning. In a later UnrealIRCd version the flag
is likely to be removed completely so would cause a compile error.
(I doubt any module uses this anyway... but still..)
2019-01-31 17:34:07 +01:00
Bram Matthys 6cbd2744d7 * The default maximum topic length has been increased from 307 to 360.
* You can now set more custom limits. The default settings are shown below:
  set {
      topic-length 360; /* maximum: 360 */
      away-length 307; /* maximum: 360 */
      quit-length 307; /* maximum: 395 */
      kick-length 307; /* maximum: 360 */
  };
* A new 005 token has been added: QUITLEN. Works similar to KICKLEN.

The ability to adjust the topic length in the configuration file was
requested by Amiga600 in https://bugs.unrealircd.org/view.php?id=4692
At that place is also additional information on why there is a
"maximum" for topic length.
2019-01-30 17:50:17 +01:00
Bram Matthys 41239119f8 Update release notes a bit. 2019-01-30 16:54:56 +01:00
Bram Matthys 88030c63fb 1) Simplify dealing with isupport (numeric 005) stuff from the config code.
There's now no longer a difference between a rehash or boot.
2) Other cleanups in s_conf.c as well. Looks better now.
3) Sort the 005 tokens alphabetically. Enforcing some other 'logical order'
   was futile and this makes things consistent between rehashes.

For module coders this adds some new functions, such as IsupportSet,
IsupportSetFmt and IsupportDelByName. I'll document them later.
2019-01-30 16:42:19 +01:00
Bram Matthys 98fca7979f Code cleanup: internally rename iConf.nicklen to .nick_length to match the
convention that set::some-name is called iConf.some_name
2019-01-30 10:49:44 +01:00
Bram Matthys d085fb09c1 Three new config items to make topic and ban setter nick!user@host and
to control synchronization of the +beI setter across server links
(that is, the feature just introduced one commit ago):
set {
     topic-setter [nick|nick-user-host]; /* nick = default */
     ban-setter [nick|nick-user-host]; /* nick = default */
     ban-setter-sync [yes|no]; /* yes = default */
};
This also means that --with-topicisnuhost / TOPIC_NICK_IS_NUHOST
is now removed, since this now goes via set::topic-setter.

Also, moved the "first" PROTOCTL from include/common.h to send_proto()
in src/s_serv.c so the bunch of PROTOCTL lines is all in one place
(and so I could conditionally send SJSBY).
Ok, it's not entirely all in one place, PROTOCTL EAUTH is still sent
at another place (early, duh), but still..
2019-01-28 15:41:44 +01:00
Bram Matthys 874d99e0eb For +beI lists the 'set by' and 'set at' information is now synchronized
when servers link. Thus, you can see the real setter and time also after
a netsplit (/mode #channel b). This, unlike before, when setby was
name.of.server and time was the time of the synch.
This requires the entire network to run UnrealIRCd 4.2.2 or later.
Suggested by k4be in https://bugs.unrealircd.org/view.php?id=5183
Technical details: the PROTOCTL token to enable this is "SJSBY" and see
https://www.unrealircd.org/docs/Server_protocol:SJOIN_command for more
information, in particular the last section there.
2019-01-28 14:36:41 +01:00
Bram Matthys ac9463a83f Rename hook HOOKTYPE_CAN_SEND_SECURE to HOOKTYPE_SEND_CHANNEL, which is
more descriptive and AFAICT nobody uses this hook in a public 3rd party
module anyway.
2019-01-21 17:02:14 +01:00
Bram Matthys 083826ee94 modules/usermodes/noctcp (+T): 1) only block CTCP's and not CTCP REPLIES,
2) allow IRCOps to bypass user mode +T restrictions. Reported by St3Nl3y,
HeXiLeD and Koragg in https://bugs.unrealircd.org/view.php?id=5166
2019-01-21 16:55:29 +01:00
Bram Matthys bcb667c59e New hook HOOKTYPE_WELCOME (aClient *acptr, int after_numeric): allows you
to send a message at very specific places during the initial welcome
https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_WELCOME
2019-01-21 10:12:46 +01:00
Bram Matthys 25ede84a04 This makes more sense. Also testing announcement bot :D 2019-01-21 10:10:51 +01:00
Bram Matthys 4681603c52 Fix bug where "link-security" was downgraded to level 1 if using 'spkifp'. 2019-01-18 13:10:51 +01:00
Bram Matthys 67d691fce9 * New set::outdated-tls-policy which describes what to do with clients
that use outdated SSL/TLS protocols (eg: TLSv1.0) and ciphers.
  The default settings are to warn in all cases: users connecting,
  opers /OPER'ing up and servers linking in. The user will see a message
  telling them to upgrade their IRC client.
  This should help with migrating such users since in the future, say one
  or two years from now, we would want to change the default to only allow
  TSLv1.2+ with ciphers that provide Forward Secrecy. Instead of rejecting
  clients without any error message, this provides a way to warn them and
  give them some time to upgrade their outdated IRC client.
  https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy
2019-01-12 11:08:18 +01:00
Bram Matthys 5fd673d059 Rename PLAINTEXT_POLICY_* to POLICY_ (and similarly, the struct, etc) 2019-01-11 13:27:29 +01:00
Bram Matthys 54c17aa65d Indicate 's' in WHO reply flags if the user is secure (SSL/TLS). 2018-12-21 14:21:19 +01:00
Bram Matthys 7755d10829 [authprompt] Suggest /QUOTE AUTH .. instead of /AUTH .. 2018-12-21 07:58:38 +01:00
Bram Matthys 267c2f3e56 Make authprompt work for soft KLINE/GLINE and soft-xx ban actions
(in registration phase anyway), as promised earlier in the documentation.
2018-12-19 17:42:13 +01:00
Bram Matthys 7f8172faef Bump fakelag on failed authentication attempt (SASL, real or emulated) 2018-12-19 17:41:28 +01:00
Bram Matthys 56a964bba1 Hide remote includes auth information in error messages. Reported by Jellis
in https://bugs.unrealircd.org/view.php?id=5172
2018-12-19 13:02:36 +01:00
Bram Matthys 6b089dfcd6 The new module is now called authprompt. Also wrote an article:
https://www.unrealircd.org/docs/Authentication
And "require sasl" is now "require authentication"
(the old name will only raise a warning, not cause an error)

Note that authprompt currently only does the "require authentication"
stuff and not yet the soft-xx actions. That will be something for
later this week, but I've already documented it as such (here and
there anyway).
2018-12-17 17:32:43 +01:00
Bram Matthys 0254894368 Authentication prompt for non-SASL users:
We previously introduced the "require sasl" block which allows you to
force users from certain IP addresses to authenticate with their nickname
and password via SASL. We now offer a new experimental module called
'saslemulation' which will help non-SASL users by showing a notice and
asking them to authenticate to their account via /AUTH <user>:<pass>.
See https://www.unrealircd.org/docs/Set_block#set::sasl-emulation

Note that this is work in progress, although the functionality of
already works. Still need to do some cleaning and expand the scope.
And more testing...
2018-12-16 13:51:22 +01:00
k4bek4be c124f65027 fix IPv6 DNS blacklist (#78)
Fix IPv6 blacklist checking (DNSBL). Patch from k4be.
2018-12-15 19:53:33 +01:00
Bram Matthys a0167c35c0 Major reorganization of operclass privileges:
* The operclass privileges have been redone. Since there were 50+ changes
  to the 100+ privileges it makes little sense to list the changes here.
  If, like 99% of the users, you use default operclasses such as "globop"
  and "admin-with-override" then you don't need to do anything.
  However, if you have custom operclass { } blocks then the privileges
  will have to be redone. For more information on the conversion process,
  see https://www.unrealircd.org/docs/FAQ#New_operclass_permissions
  For the new list of permissions, with much better naming and grouping:
  https://www.unrealircd.org/docs/Operclass_permissions
The inconsistency in the privileges was initially reported by webczat in
https://bugs.unrealircd.org/view.php?id=4771
The subsequent reorganization took two full days, so.. hopefully the
people who are using - or plan to use - custom operclasses will like the
new layout... except that they need to redo their work of course ;)
2018-12-14 17:05:32 +01:00
Bram Matthys 7dcb5a5bb1 The authentication types 'md5', 'sha1' and 'ripemd160' have been
deprecated because they can be cracked at high speeds. They still
work, but a warning will be shown on boot and on rehash.
Please use 'bcrypt' or (even better) the new 'argon2' type instead:
"./unrealircd mkpasswd argon2" or "/mkpasswd argon2 passwd" on IRC.

Also, not in release notes because it would take up too much text:
Unix crypt is a bit more complicated: most types are outright 'bad',
while other types have reasonable security similar to 'bcrypt'.
To be honest these people should probably use 'argon2' since it's
a lot better. Then again, warning about this when it's still such
a common hashing method (now, in 2018) may be a bit overzealous.
So: not warning about crypt types $5/$6 which use SHA256/SHA512
with normally at least 5000 rounds (unless deliberately weakened
by the user), but we do warn about other crypt() usage.

Also, mkpasswd support for those deprecated types has been removed since
there's no good reason to generate new password hashes with these.
2018-12-10 15:46:11 +01:00
Bram Matthys a852b480d5 Add support for Argon2 password hashes (argon2id).
Also, make this the default for './unrealircd mkpasswd'.
The Windows version also works.. I just need to create a new library
package, will be done later today or tomorrow.
https://bugs.unrealircd.org/view.php?id=5116
2018-12-09 17:22:12 +01:00