1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-09 02:03:14 +02:00
Commit Graph

402 Commits

Author SHA1 Message Date
Bram Matthys 9b83fc0db9 Allow @if with loadmodule, just not module-loaded(). We need this. 2026-03-22 17:07:46 +01:00
Bram Matthys e4d6b51d04 Add certificate/key check to CONFIG INIT. So we properly stop booting
or rehashing if there is an error loading them (at least try harder).
Right now they are only in CONFIG LOAD, which is too late to stop things.

Previously "./unrealircd configtest" showed an error but still said
"Configuration test passed OK". And REHASH passed similar. Now, it
is a real error.

This is not to be confused with a "file does not exist" error, which
we already handled properly. It's the less usual ones, like wrong key.

Only downside is more init_ctx() calls, which can be a bit heavy on
various platforms, slowing boot or REHASH down. Should be fine though...
2026-03-15 15:59:09 +01:00
Bram Matthys 3a96bdf6ec Add set::allow-setident (default: 'no'), set::allow-setname ('yes')
Two new settings that control the use of `SETIDENT` and `SETNAME`:
* [set::allow-setident](https://www.unrealircd.org/docs/Set_block#set::allow-setident)
  now defaults to 'no'. Previously all users were allowed to change their
  ident (taking into account
  [set::allow-userhost-change](https://www.unrealircd.org/docs/Set_block#set::allow-userhost-change)
  restrictions).
* [set::allow-setname])(https://www.unrealircd.org/docs/Set_block#set::allow-setname)
  has a default of 'yes' which matches older UnrealIRCd versions (no change).
  Perhaps some admins who use controlled (web)chats may want to set this
  to 'no' if users are not supposed to change their realname/gecos.
  This is probably rare, but they have the option now.
2026-02-23 08:58:39 +01:00
Bram Matthys 19d17832fe Remove set::restrict-extendedbans as it didn't work. Simply don't load
the particular extended ban module if you don't want it.

For example, if you include the default modules.default.conf and, say,
you don't want ~quiet extbans then you add this in your unrealircd.conf:

blacklist-module "extbans/quiet";
2026-02-22 13:07:57 +01:00
Bram Matthys 8740774d25 Not important but.. this did not free element 255. 2026-02-21 14:01:29 +01:00
Bram Matthys fae9dacf5d Fix some small REHASH leaks: tld->channel, link->connect_ip,
allow->server (last one is very rare).
2026-02-21 13:56:30 +01:00
Bram Matthys bd1e25d017 Slightly raise default set::handshake-timeout from 30 to 40 seconds. 2026-01-28 09:44:49 +01:00
Bram Matthys fd52b71081 Setting set::tls::certificate and set::tls::key did not override the default
certificate or key. It added the cert/key to the list of certs, like a
"dual cert" approach.

This was caused by commit 877d151da4,
which indeed adds support for "dual cert" (or more).

I have now deferred setting the default to happen only if no
set::tls::certificate is specified, as you would expect.

We (already) used a similar delayed-initialization / deferred setting
approach in the ::tls-options inheritance code (for blocks like
listen, sni, link, etc.)

Just as a slightly related reminder, we do normally suggest keeping the
conf/tls/server.cert.pem and conf/tls/server.key.pem for server linking
and then use a cert from a trusted CA in the listen block for 6697 etc.
See https://www.unrealircd.org/docs/Using_Let's_Encrypt_with_UnrealIRCd
for more information (and the 'why').
2025-12-10 19:00:12 +01:00
Bram Matthys 61ebd34a1e Fix compile error and add URL validation: valid UTF8, no spaces, no low ASCII 2025-11-12 10:53:43 +01:00
Bram Matthys 68f01814be Some minor updates to previous.
* We try to keep the dynconf variables the same name as in the conf
  (well, with hyphens to underscores, and there are some exceptions)
* Remove unnecessary but otherwise harmless second safe_free()
* The URL could have been too long. It is now limited to 360 characters,
  which should be plenty.
2025-11-12 10:14:27 +01:00
Valerie Liu 557595fd1c Implement IRCv3 network icon support (PR #326)
set { network-icon 'https://...........'; }
https://ircv3.net/specs/extensions/network-icon
2025-11-12 10:01:42 +01:00
Bram Matthys 53707f27b9 Fix unitialized variable in link config test, due to commit from yesterday
(4c6e259681).
2025-09-22 08:25:18 +02:00
Bram Matthys 507061af46 Add tls-options::signature-algorithms for those who want to override the default.
We don't set it in UnrealIRCd at the moment, so this is just to override
the OpenSSL defaults at the moment. It is good to have this exposed, in
case some vulnerability is discovered or you need some flexibility in
tweaking this.
2025-09-21 13:55:24 +02:00
Bram Matthys 4c6e259681 You can now use "password" multiple times in the conf (eg in allow::password).
allow {
	mask *;
	password "secret";
	password "letmein";
}

This is always an "OR" type of match, any match means you pass.

I was actually doing this for the dual-cert stuff from previous commit,
where this can come in handy:

link irc1.example.org {
...
    password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
    password "jNw8P4QMg9tqjEJ4/lFikXBNHdIGSeN2B4/T322VjIo=" { spkifp; };
...
}
2025-09-21 11:42:59 +02:00
Bram Matthys 877d151da4 Support multiple TLS certificates/keys, e.g. ECDSA + ML-DSA (PQC).
In the past a dual cert/key setup could have been useful for RSA + ECDSA
but nowadays all clients support ECDSA so that makes little sense.
The reason it is added now is so you can use ECDSA + ML-DSA or some
other [regular crypto] + [post quantum crypto] combination.
Actually, you could even use more than two.

To use this in the config file, simply use the certificate and key
directive multiple times. Just be sure to load the certificates and keys
in the same order. We will print a helpful error if you fail to do so.

Note that for Post Quantum Cryptography the most important step today
was/is to protect against the "Harvest now, decrypt later" scenario
https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later which is a
"passive attack". That's why in UnrealIRCd 6.2.0 we enabled
X25519MLKEM768 if it is available (OpenSSL 3.5.0 and later).
While, this commit, and this talk about dual ECDSA and ML-DSA, is about
when a quantum computer exists and actively does a man in the middle
attack. That's not a realistic scenario in 2025 and according to experts
also not in the next few years. We just make the UnrealIRCd code-
base ready to have this feature for when it is needed / will be used,
and to get this tested properly.

For testing the dual ECDSA and ML-DSA setup I used the following
command to create the 2nd cert/key (self-signed):

openssl req -x509 -nodes -newkey mldsa65 \
  -keyout ~/unrealircd/conf/tls/server.key.mdsa65.pem \
  -out ~/unrealircd/conf/tls/server.cert.mdsa65.pem \
  -days 3650

And then:

listen {
        ip *;
        port 6697;
        options { tls; }
        tls-options {
                certificate "ssl/server.cert.pem";
                key "ssl/server.key.pem";
                certificate "ssl/server.cert.mdsa65.pem";
                key "ssl/server.key.mdsa65.pem";
        }
}

When running openssl s_client -connect 127.0.0.1:6697 it shows ML-DSA is used:
...
Peer signature type: mldsa65
Negotiated TLS1.3 group: X25519MLKEM768
...

And with openssl s_client -connect 127.0.0.1:6697 -sigalgs "RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384"
it shows ECDSA is used:
..
Peer signature type: ecdsa_secp384r1_sha384
Negotiated TLS1.3 group: X25519MLKEM768
..

This is just for testing purposes (self signed cert). As of right
now (Sep 2025), you can not get a trusted certificate with ML-DSA,
as the CA/Browser Forum only allows issueing RSA and ECDSA keys.
Also, all the trusted Certificate Authorities use RSA or ECDSA.
And, again, all this is not ML-DSA specific, it should work for
other dual/multi combinations, and.. who knows they even go for
something hybrid.

A downside of dual certs is that this makes the whole spkifp thing more
complicated because if you use 2 certs/keys you now have 2 possible
fingerprints (spkifp) that could match in e.g. server linking.

While coding this, I also changed the 'STATS P' output to use the txt
numeric instead of notice, and be more verbose in its output for TLS
listeners: printing the certificate(s) and key(s).
2025-09-21 10:32:29 +02:00
Bram Matthys 9e490196a8 set::send-isupport-updates: Valware added this, but this is now expanded
to all ISUPPORT tokens, instead of only CHANMODES, PREFIX and STATUSMSG.
E.g. changing set::min-nick-length would also broadcast the change.

Technically we will call isupport_snapshot() before the rehash (or before
delayed module unload) and then after modules were reloaded/unloaded we
call isupport_check_for_changes(). This uses the ISUPPORT system in a
general way, so works the same for all tokens.

https://www.unrealircd.org/docs/Set_block#set::send-isupport-updates

TODO: Deal with more than X changes (is currently an abort, crash)

TODO: batch for draft/extended-isupport
2025-09-20 14:05:35 +02:00
Bram Matthys 82bf4a6beb Add logging category "advice" that is used by best practices (color: blue).
Maybe a bit odd since only <10 things use this category but it makes it
stand out as a separate thing much better. As for a level (not that it
matters) it is between 'info' and 'warn'.
2025-09-15 14:21:51 +02:00
Bram Matthys 74538e77d4 Another best practices fix: this one is with listen-nontls-port.
It could cause a spurious
"Your config has NO errors, but you received some best practices tips above, in summary"
even though no best practices were displayed... which was a bit mysterious.

Also, ::listen-nontls-port was actually meant to be called ::listen-tls-only
so accept both forms from now on. The reason it was supposed to be like that
is that all best-practices options are... best practices...
hashed passwords, trusted cert, trusted cert with valid hostname,
listening on a nontls port... ? NOPE! listen-tls-only! Aaaaa.
2025-09-10 16:45:52 +02:00
Bram Matthys 400a6080ab Actually make it possible for set::best-practices::trusted-cert-valid-hostname
to be turned off (it was seen as an unknown option). Reported by PeGaSuS.
2025-09-10 16:30:57 +02:00
Bram Matthys 76934cb815 Fix incorrect message about non-trusted SSL/TLS certificate when you use
the default certificate/key (conf/tls/server.cert.pem) even when that
cert is valid and issued by a trusted CA (like Let's Encrypt).
You would get such an incorrect "best practices advice" on-boot, but
(fortunately) not on each subsequent REHASH.

This was because the TLS system was not yet initialized completely at
the time of the best practices checks, ctx_server was NULL. This is
now solved by re-ordering some function calls.
This does change some win_error() and config_load_failed() stuff for
Windows so I hope that's okay.

Reported by Bun-Bun.
2025-09-10 07:35:50 +02:00
Bram Matthys 84a1e59a44 Best practices: check if the certificate is actually valid for me::name.
That is, if the set::best-practices::trusted-cert check is on and passed
("certificate is valid and issued by a trusted CA") then we also
do this new set::best-practices::trusted-cert-valid-hostname check:

/* If the trusted-cert check passes, then we do another check to see if
 * the certificate is valid for me::name. Since users usually connect to your
 * server by your server name it is important for the certificate to be
 * valid for that name. Unless you really only care about e.g. irc.example.net,
 * and not about individual irc2.example.net server names, in which case you
 * can turn this off, but not sure if that is good practice.
 */
trusted-cert-valid-hostname yes;
2025-07-28 09:55:01 +02:00
Bram Matthys 44177f8c86 No valid trusted cert: change wording a bit ("you don't have any valid certificate"...)
Expired: this is a warning, not an error (we still want to boot the ircd)
Expired: handle the case for link::verify-certificate explicitly to avoid confusion
2025-07-28 09:19:27 +02:00
Bram Matthys 7c66adf196 Don't warn plaintext ports open if set::plaintext-policy::user is 'deny'
(.. since users won't get online then anyway)
2025-07-27 08:38:08 +02:00
Bram Matthys f39269c518 Fix uninitialized variable in config test for listen { }
Caused by previous commit 990fe22e64
2025-07-27 08:33:46 +02:00
Bram Matthys 990fe22e64 Print a best practices message if any plaintext port is open (eg 6667).
Ports that listen on 127.0.0.1 or ::1 are ignored (useful for e.g. services)

Looks like this:
[info] You have at least one IRC plaintext port open (such as 5668). Nowadays, everyone should be using SSL/TLS (on port 6697). See https://www.unrealircd.org/docs/Use_TLS.

See that https://www.unrealircd.org/docs/Use_TLS for more info (feedback welcome)

All this is in addition to somewhat related 29ce0ce29a:
[info] Your SSL/TLS certificate is not issued by a trusted Certificate Authority.
[info] It is highly recommended to use a 'real certificate'. To get a free one, see: https://www.unrealircd.org/docs/Using_Let's_Encrypt_with_UnrealIRCd

If applicable, that message is printed first, the 6667 one comes after ;)

Suggested in https://bugs.unrealircd.org/view.php?id=6500
and numerous times / discussions on IRC over the past years
It's finally time.. no.. it's overdue..
2025-07-26 16:02:33 +02:00
Bram Matthys a73186362b * Add link::options::no-certificate-verification
* Code cleanup: split connect flags in CONNECT_OUTGOING_* and CONNECT_*
* Don't print tls_link_notification_verify() stuff for localhost conns
2025-07-26 13:26:46 +02:00
Bram Matthys 0729382ba2 Rename ::ecdh-curves to groups and add X25519MLKEM768 to group list.
Post-quantum cryptography (PQC). Release notes will follow later.
2025-07-24 14:47:49 +02:00
Bram Matthys 369f55063a For bestpractices::trusted-cert add some crude heuristics so hubs and such
are not (always) affected by this. We now check if there is any client port
exposed (to non-localhost). So if you have a hub with no client ports or
only at localhost then you won't get this bestpractices advice.

And also fix compile error on OpenSSL < 1.1.0 (undeclared var, duh)
2025-07-13 09:46:23 +02:00
Bram Matthys 29ce0ce29a Best Practices: If zero SSL/TLS certs are issued by a trusted CA, complain and
suggest to use Let's Encrypt.

This can be turned off via set::best-practices::trusted-cert, see
https://www.unrealircd.org/docs/Set_block#set::best-practices

Oh yeah, and this only works at OpenSSL 1.1.0 and higher, i didn't bother
with people running ancient versions.
2025-07-13 09:26:54 +02:00
Bram Matthys ba8c587e44 Update to previous commit: disable by default, enable via set { send-isupport-updates yes; }
I totally agree with the goal to have this enabled, but let's do some more
testing with more clients first to see if they misbehave. Last thing I want
is a similar situation to when we were the first IRCd that sent "CAP DEL sasl"
and "CAP NEW sasl" when services went offline and online and it caused all
mIRC clients to reconnect. I don't expect this one to be so bad (also because
users would get the 005's when they typed /VERSION) but... let's test to be sure.

Should probably deploy this with enabled on irc.unrealircd.org and such :)
2025-07-06 09:28:38 +02:00
Bram Matthys 45f35f9cd2 For ./unrealircd genlinkblock, for bind-ip detection, skip 127.0.0.1 and ::1. 2025-05-24 16:25:38 +02:00
Bram Matthys 8c21472d03 Move allow::maxperip to its own module (maxperip), add HOOKTYPE_ALLOW_CLIENT.
Also fix documentation for ~10 hooks to mention the hook name.

Obviously, the maxperip module is loaded by default (in modules.default.conf)
but it is nice to have the 400+ lines contained in a separate module
rather than being in the nick module that does NICK/UID handling.
Will look at moving more later..
2025-03-22 07:42:00 +01:00
Bram Matthys b95c1570a9 Add CONFIG_ALLOW_BLOCK & CONFIG_CLASS in HOOKTYPE_CONFIGTEST and
HOOKTYPE_CONFIGRUN_EX. Allowing to modularize things (for us and
third party modules)
2025-03-22 06:39:44 +01:00
Bram Matthys 094efeee25 Add spamfilter::show-message-content-on-hit to override on a spamfilter basis.
This works the same as set::spamfilter::show-message-content-on-hit
https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit
but per spamfilter { } in the conf.

Indirectly suggested in https://bugs.unrealircd.org/view.php?id=6437
2025-02-15 12:14:44 +01:00
Bram Matthys 53e2e9473e Code cleanup 'config_error_flag'.
Maybe a great idea but we use a different errors system.
This config_error_flag thing is unused so only confusing.
2025-01-26 18:12:00 +01:00
Bram Matthys 9aa83edd99 Remove useless \n in calls to config_error() and config_status().
Where did this come from? This isn't printf() or anything.
2025-01-26 17:31:12 +01:00
Bram Matthys 04370d72f9 Minor code cleanup 2025-01-26 17:28:47 +01:00
Bram Matthys d157dc2494 Remove some useless code that is flagged by Coverity.
The set_usermode() result is not used, so useless.

The if (themotd) motdline = ... makes no sense since themotd is
already dereferenced in the code above it (eg: themotd->last_modified.tm_year)
and consequently the motdline = NULL becomes useless too.
2025-01-26 17:14:55 +01:00
Bram Matthys ce47440abd Make config_detect_duplicate() externally accessible. Fix some coverity warnings,
mostly with regards to memory leaks if duplicate config directives are used.
Eg using allow::password twice in the same allow block, or using
link::outgoing::tls-options twice in the same link block. Unusual stuff.
2025-01-26 13:23:32 +01:00
Bram Matthys cda2bcd930 Fix ecdh-curve X25519 missing when using the defaults.
In config.h we had a:
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "X25519:secp521r1:secp384r1:prime256v1"
 #else
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1"
 #endif
...which is fine in theory, but openssl headers are not included at that point,
so OPENSSL_VERSION_NUMBER was not defined.

From now on, we have:
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY "X25519:secp521r1:secp384r1:prime256v1"
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY "secp521r1:secp384r1:prime256v1"
...and we try them in that order. If both fail, we exit with an error (like before).
This because X25519 is not available in OpenSSL before 1.1.0 (so really old)
and may also not be available when running in FIPS mode.
2024-11-17 12:08:23 +01:00
Bram Matthys 7765f226be Detect operclass::parent loops.
Reported by craftxbox in https://bugs.unrealircd.org/view.php?id=6471
2024-09-23 17:25:17 +02:00
Bram Matthys 7dc3c230a7 Now that we support $variables, add set::oper-vhost so you can set a default
vhost for opers, such as: set { oper-vhost $operclass.admin.example.net; }

If the oper has an oper::vhost then that one will override.

https://www.unrealircd.org/docs/Set_block#set::oper-vhost
2024-09-20 17:54:39 +02:00
Bram Matthys 9a2d54cd01 Support $variables in oper::vhost (for variables see previous commit)
Eg: vhost "$operlogin@$operclass.example.net";

Also add potentially_valid_vhost() function which can be used in
config code to ignore invalid $vars. Then at runtime you use the
real valid_vhost() function after variable expansion by
unreal_expand_string().
2024-09-20 17:26:16 +02:00
Bram Matthys fe751fdc9d Move all vhost { } block handling to vhost module.
* Convert to use module-based config handling
* Split part of VHOST command into do_vhost() for later
* Use AppendListItem instead of AddListItem so they are in config-order.
  This is not really important atm but will matter later if we go auto.
* No other code changes at this point
2024-09-20 14:45:52 +02:00
Bram Matthys 710afe7cc7 Move throttling code from src/hash.c to src/modules/connect-flood.c
Better to have this all in one place. Though, must admit, the
config checking is still in src/conf.c and a bit of a hassle to move.

Some testing may be wise to see if everything still works ;)
2024-09-14 19:55:43 +02:00
Bram Matthys e5e000508e UNIX sockets: show in boot screen and properly when adding/removing listen block
Was previously shown as like :0 when removing/adding a listen block
with a UNIX socket. Now shows the file, as you would expect.

And in the boot screen it was like:
[info] IPv4: 127.0.0.1:6697(TLS), 127.0.0.1:6667
[info] IPv6: *:6667, *:6697(TLS)
And now also:
[info] Unix Sockets: /home/unrealircd/unrealircd/data/rpc.socket
2024-07-13 08:11:54 +02:00
Bram Matthys 89e6c2c06f listen::port did not error on comma's.
Reported by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6419

Related feature request to allow it - or some other style:
https://bugs.unrealircd.org/view.php?id=6281
2024-07-12 08:52:00 +02:00
Bram Matthys 1ac9d654b9 Fix crash when removing the websocket option on a websocket listener
To reproduce, boot with:

listen {
	ip *;
	port 6000;
	options { websocket { type text; } }
}

And after that, comment out the options and REHASH. You'll crash.

Reported anonymously through crash reporter.
2024-07-11 18:36:08 +02:00
Bram Matthys 9cc2918d5f Make set::spamfilter::except a Mask item
* [set::spamfilter::except](https://www.unrealircd.org/docs/Set_block#set::spamfilter::except)
  is now a [Mask item](https://www.unrealircd.org/docs/Mask_item) instead of
  only a list of exempted targets. A warning is created to existing users
  along with a suggestion of how to use the new syntax. Technically, this is
  not really new functionality as all this was already possible via
  the [Except ban block](https://www.unrealircd.org/docs/Except_ban_block)
  with type spamfilter, but it is more visible/logical to have this also.
2024-07-06 10:09:35 +02:00
Bram Matthys a804b24150 Add set::hide-killed-by which shortens the quit to "Killed (Reason)".
* New option [set::hide-killed-by](https://www.unrealircd.org/docs/Set_block#set::hide-killed-by):
  We normally show the nickname of the oper who did the /KILL in the quit message.
  When set to `yes` the quit message becomes shortened to "Killed (Reason)".
  This can prevent oper harassment.

Suggested by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6425
2024-07-06 08:12:11 +02:00