1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-09 22:23:13 +02:00
Commit Graph

1536 Commits

Author SHA1 Message Date
Bram Matthys b7b8e41ac4 CAP chghost: also send CHGHOST message to "self" (impacted user)
https://github.com/ircv3/ircv3-specifications/issues/324
2017-10-11 10:29:00 +02:00
Bram Matthys 55e4c8ea03 Tell admins to verify the SSL/TLS certificates of their server links.
https://www.unrealircd.org/docs/Link_verification
This is only outputted if both sides are 4.0.16+ so we can use spkifp
and use the same instruction on both sides of the link.
(If we would do it for previous versions then we would only give
 half of the instructions to the users, which makes no sense)
2017-10-09 14:17:35 +02:00
Bram Matthys abd7354bbb A common complaint is that spamfilters are hard to remove. Well, no more!
There is now '/spamfilter del' which will output all spamfilter along with
the appropriate command to delete each spamfilter (by unique ID).
This way it should be easy for anyone to delete an existing spamfilter.

We also refer to this new feature from '/spamfilter', '/stats spamfilter',
etc.
2017-10-08 17:09:28 +02:00
Bram Matthys 16f71e8360 Add option: set { ban-include-username yes; }; which will make bans
places by spamfilters (and some other systems) to be placed not on *@ip
but rather on user@ip. Note that this won't work for ZLINE/GZLINE since
no ident/username lookups are done in such cases.
Bit of a niche feature but okay..
2017-10-08 15:44:42 +02:00
Bram Matthys 1b6d49a9dc Add set { cloak-method ip; }; which will make cloaking only be done
on the IP and thus result in an XX.YY.ZZ.IP cloaked host.
This so you can have "IP cloaking" without disabling DNS lookups.
GLINES on hosts still work and IRCOps (and yourself) can still see
the host in /WHOIS.
Requested in 4957 by Gottem and The_Myth.
2017-10-08 15:14:57 +02:00
Bram Matthys 66143927e0 In /STATS S display throttling as anti-flood::connect-flood, as that
is the new name (since about 2 years).
2017-10-08 09:12:46 +02:00
Bram Matthys 87815ad397 Automatically discover SASL server if saslmechlist is sent by services
and set::sasl-server is not set by the administrator. Looks like this:
*** Services server 'services.test.net' provides SASL authentication, good! I'm setting set::sasl-server to 'services.test.net' internally.
Hopefully this will increase SASL availability significantly.
That is, once anope and atheme start sending the saslmechlist to us,
of course ;) (see commit d6e26d59e5)
2017-10-07 21:05:49 +02:00
Bram Matthys 7801dc888d Move CAP NEW "sasl" sending to after EOS (End Of Synch)
This so saslmechs are properly sent in case of services (re)connect,
otherwise the CAP NEW is sent too early when the saslmechs are
not known yet.
NOTE: This makes sending "EOS" mandatory for any SASL servers.
You should be doing this since 14 years ago (it was added
in 3.2beta18 in August 2003) so hopefully that is the case.
Anope is good anyway :)
2017-10-07 19:40:39 +02:00
Bram Matthys d6e26d59e5 Allow services to set the saslmechlist so it can be used by sasl v3.2.
Note to services coders: send something like this:
MD client your.services.server saslmechlist :EXTERNAL,PLAIN
2017-10-07 19:20:06 +02:00
Bram Matthys 5bd9878413 Only send CAP parameters (token=aaaaaa) to clients with CAP proto 302 or higher,
as per CAP specification. (So use "CAP LS 302" to see them)
2017-10-07 19:18:21 +02:00
Bram Matthys 5c7d89a642 Add support for "CAP extended-join". 2017-10-07 18:33:25 +02:00
Bram Matthys 2248699c60 Fix crash due to previous enhancements. 2017-10-07 17:25:37 +02:00
Bram Matthys 5124e60b7c Add "CAP chghost" support. Internal recode of userhost changes.
Fix force-rejoin not working if doing SVSMODE -x/+x (Koragg, #5015).

Note to module coders:
Please use the following procedure in case of an user/host change:
* userhost_save_current(acptr);
* << change username or hostname here (or both) >>
* userhost_changed(acptr);
This function will take care of notifying other clients about
the userhost change, such as doing PART+JOIN+MODE if force-rejoin
is enabled, and sending :xx CHGHOST user host messages to
"CAP chghost" capable clients.

Also, small note to everyone:
If force-rejoin is enabled we will not send the PART+JOIN+MODE to
"CAP chghost" capable clients. Doing so is just a hack to notify
people of a userhost change. "CAP chghost" users can thus benefit
from the reduced noise in this respect.
2017-10-07 13:31:30 +02:00
Bram Matthys 0fd265349a Remove HOSTILENAME config.h option since running without it is
and has never been supported.
2017-10-07 09:33:48 +02:00
Bram Matthys 3d38adff4f Rename config.h setting CLIENT_FLOOD to DEFAULT_RECVQ since that is what
it is. You should simply set a class::recvq instead of changing this
in config.h.
2017-10-07 09:29:47 +02:00
Bram Matthys 885e474211 Removed option in config.h to disable NO_FLOOD_AWAY. You can already
tweak or disable this via set::anti-flood::away-flood.
2017-10-07 09:25:45 +02:00
Bram Matthys 6dd147b941 Fix 2nd crash bug. Found when searching for related crash issues. 2017-10-01 13:19:12 +02:00
Bram Matthys 47eebad53d Fix crash bug, reported by Joseph Bisch. 2017-10-01 13:18:45 +02:00
Bram Matthys 5399e060fa Send CAP DEL sasl if set::sasl-server squits and CAP NEW when it returns.
(Only to cap-notify and v3.2 clients, of course)
Also fix a "bug" where sts parameters were not shown in CAP NEW tls.
2017-09-30 15:19:29 +02:00
Bram Matthys ac65e32a26 Add CAP v3.2 support. Add 'cap-notify' support.
Delete CAP CLEAR as it's use is discouraged (too much trouble).
Delete CAP ACK (from client2server) as this is only for CAP's with
ack modifiers. This is something we don't use, and which has been
deprecated in v3.2 of the spec.
2017-09-30 14:34:06 +02:00
Bram Matthys 461fa9a48a Store CAP version in use in sptr->local->cap_protocol. 2017-09-30 12:50:36 +02:00
Bram Matthys 7d381086ad Remove CLICAP_FLAGS_CLIACK. Never understood this idea. Unused and deprecated it seems. 2017-09-30 12:35:56 +02:00
Bram Matthys 44052b86c0 Remove CLICAP_FLAGS_STICKY. We don't use this anyway. 2017-09-30 12:33:57 +02:00
Bram Matthys fbd4e74663 You can now have multiple webirc { } blocks with the same mask.
This permits multiple blocks like..
webirc {
    mask *;
	password "....." { sslclientcertfp; };
};
..should you need it.
In other words: we don't stop matching upon an authentication failure.
2017-09-30 09:53:04 +02:00
Bram Matthys 91e108499e Convert remaining http:// links to https:// 2017-09-15 08:19:08 +02:00
Bram Matthys e7c7b1daff Don't show draft/sts and other unREQ'able CAP's in "CAP LIST" (only in "CAP LS"). 2017-09-09 12:37:50 +02:00
Bram Matthys b757d2eff0 Show set::sasl-server in '/STATS set'. Suggested by Gottem (#0004997). 2017-09-06 08:44:12 +02:00
Bram Matthys 8fad7c563d Add cap/link-security and cap/plaintext-policy modules. 2017-09-03 16:06:39 +02:00
Bram Matthys 78695f3eea Permit attaching client moddata to servers (and synch properly, if .synch=1) 2017-09-02 15:47:58 +02:00
Bram Matthys 0da1fdb2d2 Fix possible crash in /STATS due to change from yesterday.
Other than that, some minor style and real things.
2017-09-02 08:27:55 +02:00
Bram Matthys 199a7e162d Make new functions more generic and use it from crash reporter so
people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
2017-09-01 17:28:49 +02:00
Bram Matthys aa829bce12 New option link::verify-certificate [yes|no]. This will cause UnrealIRCd
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
2017-09-01 17:10:29 +02:00
Bram Matthys 6d7be72f2b Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
2017-09-01 08:55:01 +02:00
Bram Matthys 5cf28d0d46 It was possible to have a block named 'link irc1.test.net' and then get
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
need to pass as well.
2017-08-25 20:34:27 +02:00
Bram Matthys efb344b9b2 duh. 2017-08-19 12:07:54 +02:00
Bram Matthys bfa00e95b7 Set default plaintext-policy to be 'warn' for /OPER and 'deny' for
server linking. Write some draft release notes for later use.
2017-08-19 11:19:33 +02:00
Bram Matthys 361a354c4b If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is
trying to connect then SASL is not advertised.
2017-08-16 19:45:17 +02:00
Bram Matthys d53d46fce4 Add set::plaintext-policy block by which you can warn or deny user connections,
ircop /OPER attempts and incoming server linking attempts from connections
that are not encrypted with SSL/TLS.
Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
2017-08-16 19:39:28 +02:00
Bram Matthys 18202a0f73 Fix "ban too broad" checking. Reported by Gottem in #4961.
* The 'ban too broad' checking was broken. This permitted glines such
  as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
  To disable this safety measure you can (still) use:
  set { options { allow-insane-bans; }; };
2017-08-10 08:30:54 +02:00
Bram Matthys d222a18286 Fix "simple" spamfilters being synched as "posix" during server linking.
This was due to lack of TKLEXT2 support in the m_tkl_synch() code.
2017-08-10 07:07:37 +02:00
Bram Matthys 69a2e7d994 Whoops. This code cleanup screwed up STS. Should work now. 2017-08-09 19:11:28 +02:00
Bram Matthys 6c539c8566 Bump Websocket module version to 1.0.0 2017-08-09 18:12:03 +02:00
Bram Matthys 06aa2ad79a Websocket module: don't send CR/LF in outgoing frames and don't require
CR/LF in incoming frames (simply ignore them if they are present).
2017-08-09 18:00:44 +02:00
Bram Matthys 455420afc1 SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) 2017-08-09 15:39:52 +02:00
Bram Matthys 84776eeeb2 Add support for draft/sts http://ircv3.net/specs/core/sts-3.3.html
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
    ssl {
        certificate "ssl/server.cert.pem";
        key "ssl/server.key.pem";
        sts-policy {
            port 6697;
            duration 180d;
        };
    };
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.

More documentation may follow at another place.
2017-08-09 14:16:03 +02:00
Bram Matthys 1cc6dd3d5b Add Makefile and placeholder module. 2017-08-09 13:30:52 +02:00
Bram Matthys ea651384f8 Add groundwork for draft/sts (more to follow)
Module coders:
* The cap->visible(void) callback function is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function.
* Various updates to subfunctions to pass 'sptr' (due to the above),
  including clicap_find(sptr, ...)
* New CLICAP_FLAGS_UNREQABLE flag
Other:
* There is a new (src/)modules/cap directory containing the sts module,
  well.. once I commit it :D
2017-08-09 13:21:36 +02:00
Bram Matthys d27d3760c7 CAP NAK not sent for unrecognised CAPs in all cases. Reported by
jwheare (#4958).
2017-06-02 08:22:19 +02:00
Bram Matthys 072d8537b8 Prevent /OPER for oper blocks with non-existant operclass, as doing so
would only be confusing. Reported by Gottem (#4950).
2017-06-02 07:41:44 +02:00
Bram Matthys 7b8f17ef5e Rename variable (no other changes) 2017-06-02 07:33:15 +02:00