1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-06 15:33:12 +02:00
Commit Graph

4130 Commits

Author SHA1 Message Date
Bram Matthys bfa00e95b7 Set default plaintext-policy to be 'warn' for /OPER and 'deny' for
server linking. Write some draft release notes for later use.
2017-08-19 11:19:33 +02:00
Bram Matthys 361a354c4b If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is
trying to connect then SASL is not advertised.
2017-08-16 19:45:17 +02:00
Bram Matthys d53d46fce4 Add set::plaintext-policy block by which you can warn or deny user connections,
ircop /OPER attempts and incoming server linking attempts from connections
that are not encrypted with SSL/TLS.
Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
2017-08-16 19:39:28 +02:00
Bram Matthys 40e3e11b61 UnrealIRCd 4.0.13 2017-08-15 12:12:10 +02:00
Bram Matthys 74d5f380dd A /REHASH from a WebSocket connection would cause a crash (requires
IRCOp privileges). This is a rather technical issue, we now simply
reject the rehash. See comments in code for more information.
2017-08-10 09:02:05 +02:00
Bram Matthys 18202a0f73 Fix "ban too broad" checking. Reported by Gottem in #4961.
* The 'ban too broad' checking was broken. This permitted glines such
  as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
  To disable this safety measure you can (still) use:
  set { options { allow-insane-bans; }; };
2017-08-10 08:30:54 +02:00
Bram Matthys f5b29ed7de Add modules/cap directory to Windows installer. 2017-08-10 07:54:01 +02:00
Bram Matthys 8ccf5700f1 Prepare for 4.0.13-rc1 2017-08-10 07:46:17 +02:00
Bram Matthys d222a18286 Fix "simple" spamfilters being synched as "posix" during server linking.
This was due to lack of TKLEXT2 support in the m_tkl_synch() code.
2017-08-10 07:07:37 +02:00
Bram Matthys 69a2e7d994 Whoops. This code cleanup screwed up STS. Should work now. 2017-08-09 19:11:28 +02:00
Bram Matthys 6c539c8566 Bump Websocket module version to 1.0.0 2017-08-09 18:12:03 +02:00
Bram Matthys 06aa2ad79a Websocket module: don't send CR/LF in outgoing frames and don't require
CR/LF in incoming frames (simply ignore them if they are present).
2017-08-09 18:00:44 +02:00
Bram Matthys 455420afc1 SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) 2017-08-09 15:39:52 +02:00
Bram Matthys 0f612a3b30 SNI: Fix for wildcard certificates 2017-08-09 15:20:38 +02:00
Bram Matthys 84776eeeb2 Add support for draft/sts http://ircv3.net/specs/core/sts-3.3.html
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
    ssl {
        certificate "ssl/server.cert.pem";
        key "ssl/server.key.pem";
        sts-policy {
            port 6697;
            duration 180d;
        };
    };
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.

More documentation may follow at another place.
2017-08-09 14:16:03 +02:00
Bram Matthys 1cc6dd3d5b Add Makefile and placeholder module. 2017-08-09 13:30:52 +02:00
Bram Matthys 6500af6ba5 * Use free_ssl_options from generic conf.
* Actually free ssl_options in free_ssl_options.
2017-08-09 13:27:50 +02:00
Bram Matthys ea651384f8 Add groundwork for draft/sts (more to follow)
Module coders:
* The cap->visible(void) callback function is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function.
* Various updates to subfunctions to pass 'sptr' (due to the above),
  including clicap_find(sptr, ...)
* New CLICAP_FLAGS_UNREQABLE flag
Other:
* There is a new (src/)modules/cap directory containing the sts module,
  well.. once I commit it :D
2017-08-09 13:21:36 +02:00
Bram Matthys b2129205f9 Added support for the "Server Name Indication" (SNI) SSL/TLS extension.
See https://www.unrealircd.org/docs/Sni_block
Requested in #4380 by Eman.
2017-08-09 12:00:04 +02:00
Bram Matthys 7b092f7aeb Verify certificate when submitting bug report. 2017-06-19 16:28:50 +02:00
Bram Matthys 0c1f299b0b UnrealIRCd 4.0.12.1 release 2017-06-02 08:56:24 +02:00
Bram Matthys d27d3760c7 CAP NAK not sent for unrecognised CAPs in all cases. Reported by
jwheare (#4958).
2017-06-02 08:22:19 +02:00
Bram Matthys 072d8537b8 Prevent /OPER for oper blocks with non-existant operclass, as doing so
would only be confusing. Reported by Gottem (#4950).
2017-06-02 07:41:44 +02:00
Bram Matthys 7b8f17ef5e Rename variable (no other changes) 2017-06-02 07:33:15 +02:00
Bram Matthys 6c3c55b4e5 Fix new user mode +Z (secureonlymsg) not working properly across
server links. Reported by HeXiLeD (#4953).
2017-05-28 09:41:11 +02:00
Bram Matthys 2838ef6266 Mark all shipped modules as official (non-3rd-party). 2017-05-13 12:29:05 +02:00
Bram Matthys bbf33b62dc UnrealIRCd will now refuse to run as root, as promised a couple of versions ago.
https://www.unrealircd.org/docs/Do_not_run_as_root
2017-05-12 11:42:01 +02:00
Bram Matthys 3dc27370a1 Prepare for UnrealIRCd 4.0.12 release. 2017-05-12 11:24:36 +02:00
Bram Matthys 5e378fb02b Since 95% of the crash reports are due to bugs in 3rd party modules we now
have to discourage people with 3rd party modules loaded from blindly
submitting crash reports.
2017-05-12 10:25:45 +02:00
Bram Matthys 0412c86d17 Update OpenFiles on listener close (not very common, but..) 2017-05-10 17:18:47 +02:00
Bram Matthys a6f5460ad8 Update OpenFiles upon failed SSL connect to remote server. Reported by Eman (#4948). 2017-05-10 17:03:45 +02:00
Bram Matthys ee9f8441bc Bump lag for remote MOTD requests. 2017-04-07 20:06:36 +02:00
Bram Matthys 0035cafdba Fix server setting +b even if the ban list is full when using +f.
Reported by NoMiaus (#4906).
2017-03-26 15:48:05 +02:00
Bram Matthys e62ea1dedd Module coders: added two functions to search for user modes:
has_user_mode(acptr, 'i'): returns 1 / 0
find_user_mode('i'): returns the user mode (as 'long')

extern int has_user_mode(aClient *acptr, char mode);
extern long find_user_mode(char mode);
2017-03-26 15:40:36 +02:00
Bram Matthys b6f8ddd456 Fix Jumpserver not working for SSL users due to old #ifdef USE_SSL.
Reported by NoMiaus (#4907).
2017-03-26 15:38:04 +02:00
Bram Matthys 0c6fb46704 Minor code cleanup 2017-03-22 16:32:59 +01:00
Bram Matthys fcaa69157b Fix crash when unloading (not reloading) module that uses ModData (#4903). 2017-03-22 10:51:29 +01:00
Bram Matthys e6a02003f5 Delayjoin (chanmode +D): When people are de-oped we now part 'hidden' users.
Prevents client desynch.
2017-03-22 08:25:03 +01:00
Bram Matthys 4c39648b03 Improve source code (setflags -> oldumodes) 2017-03-20 16:18:43 +01:00
Bram Matthys cd0836572f Fix /mode nick -t and force-rejoin. Reported by NoMiaus (#4901). 2017-03-20 16:17:23 +01:00
Bram Matthys ec9db8fd5f Move match_user() to module (efunc in m_tkl) 2017-03-18 15:00:34 +01:00
Bram Matthys 000f9e10fc 'nocodes' module: also strip/block italic. Suggested by The_Myth (#4898). 2017-03-18 14:50:49 +01:00
Bram Matthys af694e0cbd Fix crash in Windows GUI 2017-03-13 08:30:45 +01:00
Bram Matthys 0963cddd28 Vhosts were not synched correctly during linking. Reported by unic0rn (#4890).
This was not really noticeable on 2 server networks, but in A-B-C linking setups
a vhost of user A would not show on server C.
2017-03-11 10:50:00 +01:00
Bram Matthys abd4296d8e Add support for negative ip/hostmask matching in deny channel / allow channel
and at some other places (any place which uses the 'mask' system).
This allows things like:
deny channel { channel "#help*"; };
allow channel { channel "#help-nolan"; mask !192.168.*; };
allow channel { channel "#help-lan"; mask 192.168.*; };
Similarly in vhost blocks etc etc..
2017-03-10 09:20:15 +01:00
Bram Matthys f65d5fce8b Add new option: set { hide-list { deny-channel }; };
This will hide channels in /LIST that are denied by deny channel blocks
(and not exempt via allow channel blocks).
2017-03-10 08:48:08 +01:00
Bram Matthys 5c417b4235 Fix minor memleak on /REHASH (set::sasl-server) 2017-03-08 17:30:28 +01:00
Bram Matthys 176566962a Add support for 'mask' in allow channel { } and deny channel { }.
This so you can easily add allow/deny channel blocks for IP ranges.
Possibly not so useful for services-networks (ban/akick is very similar)
but has some use on serviceless networks.
2017-03-08 17:28:15 +01:00
Bram Matthys 9dc4e7d31b Windows: shut up warning on certificate generation during installation.
WARNING: can't open config file: c:/libressl/ssl/openssl.cnf
2017-03-08 09:03:03 +01:00
Bram Matthys cb59538309 Fix chanmode +f issue where unsetting parts were not effective.
For example: '+f [5j#i1,5m#m1,3n]:3' and then '+f [5j#i1,5m]:3'
In that case the '3n' was not removed and still effective, as
could be seen by a '/MODE #chan'. Reported by The_Myth (#4883).
2017-03-06 10:05:30 +01:00