From: Alexander Barton Date: Sun, 26 Jun 2011 13:41:27 +0000 (+0200) Subject: Merge branch 'MorePrivacy' X-Git-Tag: rel-18-rc1~5 X-Git-Url: https://arthur.barton.de/gitweb/?a=commitdiff_plain;h=d99edb7728e058a889e4734f8592f495effa5bc3;hp=-c;p=ngircd.git Merge branch 'MorePrivacy' * MorePrivacy: New configuration opion "MorePrivacy" to "censor" some user information --- d99edb7728e058a889e4734f8592f495effa5bc3 diff --combined doc/sample-ngircd.conf.tmpl index fc903cd2,f5d7c8a6..7cd8afe0 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@@ -12,8 -12,7 +12,8 @@@ # Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the # server interprets the configuration file as expected! # -# Please see ngircd.conf(5) for a complete list of configuration options. +# Please see ngircd.conf(5) for a complete list of configuration options +# and their descriptions. # [Global] @@@ -142,6 -141,10 +142,10 @@@ # Do IDENT lookups if ngIRCd has been compiled with support for it. ;Ident = yes + # Enhance user privacy slightly (useful for IRC server on TOR or I2P) + # by censoring some information like idle time, logon time, etc. + ;MorePrivacy = no + # Normally ngIRCd doesn't send any messages to a client until it is # registered. Enable this option to let the daemon send "NOTICE AUTH" # messages to clients while connecting. @@@ -166,41 -169,33 +170,41 @@@ # "PONG" reply. ;RequireAuthPing = no - # SSL Server Key Certificate - ;SSLCertFile = :ETCDIR:/ssl/server-cert.pem - - # Diffie-Hellman parameters - ;SSLDHFile = :ETCDIR:/ssl/dhparams.pem - - # SSL Server Key - ;SSLKeyFile = :ETCDIR:/ssl/server-key.pem - - # password to decrypt SSLKeyFile (OpenSSL only) - ;SSLKeyFilePassword = secret - - # Additional Listen Ports that expect SSL/TLS encrypted connections - ;SSLPorts = 6697, 9999 + # Silently drop all incomming CTCP requests. + ;ScrubCTCP = no # Syslog "facility" to which ngIRCd should send log messages. # Possible values are system dependent, but most probably auth, daemon, # user and local1 through local7 are possible values; see syslog(3). # Default is "local5" for historical reasons, you probably want to # change this to "daemon", for example. - SyslogFacility = local1 + ;SyslogFacility = local1 # Password required for using the WEBIRC command used by some # Web-to-IRC gateways. If not set/empty, the WEBIRC command can't # be used. (Default: not set) ;WebircPassword = xyz +;[SSL] + # SSL-related configuration options. Please note that this section + # is only available when ngIRCd is compiled with support for SSL! + # So don't forget to remove the ";" above if this is the case ... + + # SSL Server Key Certificate + ;CertFile = :ETCDIR:/ssl/server-cert.pem + + # Diffie-Hellman parameters + ;DHFile = :ETCDIR:/ssl/dhparams.pem + + # SSL Server Key + ;KeyFile = :ETCDIR:/ssl/server-key.pem + + # password to decrypt SSLKeyFile (OpenSSL only) + ;KeyFilePassword = secret + + # Additional Listen Ports that expect SSL/TLS encrypted connections + ;Ports = 6697, 9999 + [Operator] # [Operator] sections are used to define IRC Operators. There may be # more than one [Operator] block, one for each local operator. diff --combined man/ngircd.conf.5.tmpl index 13c5452b,8198c92b..d25f1ebc --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@@ -52,8 -52,8 +52,8 @@@ for numbers all decimal integer values In addition, some string or numerical variables accept lists of values, separated by commas (","). .SH "SECTION OVERVIEW" -The file can contain blocks of four types: [Global], [Limits], [Options], -[Operator], [Server], and [Channel]. +The file can contain blocks of seven types: [Global], [Limits], [Options], +[SSL], [Operator], [Server], and [Channel]. .PP The main configuration of the server is stored in the .I [Global] @@@ -68,10 -68,8 +68,10 @@@ block are used to tweak different limit maximum number of clients allowed to connect to this server. Variables in the .I [Options] section can be used to enable or disable specific features of ngIRCd, like -support for IDENT, PAM, IPv6, SSL, and protocol and cloaking features. These -two sections are both optional. +support for IDENT, PAM, IPv6, and protocol and cloaking features. The +.I [SSL] +block contains all SSL-related configuration variables. These three sections +are all optional. .PP IRC operators of this server are defined in .I [Operator] @@@ -83,7 -81,7 +83,7 @@@ blocks are used to configure pre-define .PP There can be more than one [Operator], [Server] and [Channel] section per configuration file (one for each operator, server, and channel), but only -exactly one [Global], one [Limits], and one [Options] section. +exactly one [Global], one [Limits], one [Options], and one [SSL] section. .SH [GLOBAL] The .I [Global] @@@ -246,6 -244,15 +246,15 @@@ If ngIRCd is compiled with IDENT suppor lookups at run time. Default: yes. .TP + \fBMorePrivacy\fR (boolean) + This will cause ngIRCd to censor user idle time, logon time as well as the + part/quit messages (that are sometimes used to inform everyone about which + client software is being used). WHOWAS requests are also silently ignored. + This option is most useful when ngIRCd is being used together with + anonymizing software such as TOR or I2P and one does not wish to make it + too easy to collect statistics on the users. + Default: no. + .TP \fBNoticeAuth\fR (boolean) Normally ngIRCd doesn't send any messages to a client until it is registered. Enable this option to let the daemon send "NOTICE AUTH" messages to clients @@@ -278,33 -285,6 +287,33 @@@ Let ngIRCd send an "authentication PING register this client only after receiving the corresponding "PONG" reply. Default: no. .TP +\fBScrubCTCP\fR (boolean) +If set to true, ngIRCd will silently drop all CTCP requests sent to it from +both clients and servers. It will also not forward CTCP requests to any +other servers. CTCP requests can be used to query user clients about which +software they are using and which versions said softare is. CTCP can also be +used to reveal clients IP numbers. ACTION CTCP requests are not blocked, +this means that /me commands will not be dropped, but please note that +blocking CTCP will disable file sharing between users! +Default: no. +.TP +\fBSyslogFacility\fR (string) +Syslog "facility" to which ngIRCd should send log messages. Possible +values are system dependent, but most probably "auth", "daemon", "user" +and "local1" through "local7" are possible values; see syslog(3). +Default is "local5" for historical reasons, you probably want to +change this to "daemon", for example. +.TP +\fBWebircPassword\fR (string) +Password required for using the WEBIRC command used by some Web-to-IRC +gateways. If not set or empty, the WEBIRC command can't be used. +Default: not set. +.SH [SSL] +All SSL-related configuration variables are located in the +.I [SSL] +section. Please note that this whole section is only recognized by ngIRCd +when it is compiled with support for SSL using OpenSSL or GnuTLS! +.TP \fBSSLCertFile\fR (string) SSL Certificate file of the private server key. .TP @@@ -327,6 -307,18 +336,6 @@@ OpenSSL only: Password to decrypt the p Same as \fBPorts\fR , except that ngIRCd will expect incoming connections to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669 and 6697. Default: none. -.TP -\fBSyslogFacility\fR (string) -Syslog "facility" to which ngIRCd should send log messages. Possible -values are system dependent, but most probably "auth", "daemon", "user" -and "local1" through "local7" are possible values; see syslog(3). -Default is "local5" for historical reasons, you probably want to -change this to "daemon", for example. -.TP -\fBWebircPassword\fR (string) -Password required for using the WEBIRC command used by some Web-to-IRC -gateways. If not set or empty, the WEBIRC command can't be used. -Default: not set. .SH [OPERATOR] .I [Operator] sections are used to define IRC Operators. There may be more than one @@@ -342,6 -334,10 +351,6 @@@ Password of the IRC operator \fBMask\fR (string) Mask that is to be checked before an /OPER for this account is accepted. Example: nick!ident@*.example.com -.SH [FEATURES] -An optional section that can be used to disable features at -run-time. A feature is enabled by default if if ngircd was built with -support for it. .SH [SERVER] Other servers are configured in .I [Server] diff --combined src/ngircd/conf.c index 3be4eba1,c9479972..4991918d --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@@ -89,8 -89,6 +89,8 @@@ static void Init_Server_Struct PARAMS( #ifdef SSL_SUPPORT +static void Handle_SSL PARAMS(( int Line, char *Var, char *Ark )); + struct SSLOptions Conf_SSLOptions; /** @@@ -123,9 -121,6 +123,9 @@@ CheckFileReadable(const char *Var, cons { FILE *fp; + if (!Filename) + return; + fp = fopen(Filename, "r"); if (fp) fclose(fp); @@@ -369,6 -364,7 +369,7 @@@ Conf_Test( void #ifdef IDENT printf(" Ident = %s\n", yesno_to_str(Conf_Ident)); #endif + printf(" MorePrivacy = %s\n", yesno_to_str(Conf_MorePrivacy)); printf(" NoticeAuth = %s\n", yesno_to_str(Conf_NoticeAuth)); printf(" OperCanUseMode = %s\n", yesno_to_str(Conf_OperCanMode)); printf(" OperServerMode = %s\n", yesno_to_str(Conf_OperServerMode)); @@@ -379,7 -375,18 +380,7 @@@ #ifndef STRICT_RFC printf(" RequireAuthPing = %s\n", yesno_to_str(Conf_AuthPing)); #endif -#ifdef SSL_SUPPORT - printf(" SSLCertFile = %s\n", Conf_SSLOptions.CertFile); - printf(" SSLDHFile = %s\n", Conf_SSLOptions.DHFile); - printf(" SSLKeyFile = %s\n", Conf_SSLOptions.KeyFile); - if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) - puts(" SSLKeyFilePassword = "); - else - puts(" SSLKeyFilePassword = "); - array_free_wipe(&Conf_SSLOptions.KeyFilePassword); - printf(" SSLPorts = "); - ports_puts(&Conf_SSLOptions.ListenPorts); -#endif + printf(" ScrubCTCP = %s\n", yesno_to_str(Conf_ScrubCTCP)); #ifdef SYSLOG printf(" SyslogFacility = %s\n", ngt_SyslogFacilityName(Conf_SyslogFacility)); @@@ -387,24 -394,6 +388,24 @@@ printf(" WebircPassword = %s\n", Conf_WebircPwd); puts(""); +#ifdef SSL_SUPPORT + puts("[SSL]"); + printf(" CertFile = %s\n", Conf_SSLOptions.CertFile + ? Conf_SSLOptions.CertFile : ""); + printf(" DHFile = %s\n", Conf_SSLOptions.DHFile + ? Conf_SSLOptions.DHFile : ""); + printf(" KeyFile = %s\n", Conf_SSLOptions.KeyFile + ? Conf_SSLOptions.KeyFile : ""); + if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) + puts(" KeyFilePassword = "); + else + puts(" KeyFilePassword = "); + array_free_wipe(&Conf_SSLOptions.KeyFilePassword); + printf(" Ports = "); + ports_puts(&Conf_SSLOptions.ListenPorts); + puts(""); +#endif + opers_puts(); for( i = 0; i < MAX_SERVERS; i++ ) { @@@ -689,6 -678,7 +690,7 @@@ Set_Defaults(bool InitServers #else Conf_Ident = false; #endif + Conf_MorePrivacy = false; Conf_NoticeAuth = false; Conf_OperCanMode = false; Conf_OperServerMode = false; @@@ -699,7 -689,6 +701,7 @@@ #endif Conf_PredefChannelsOnly = false; #ifdef SYSLOG + Conf_ScrubCTCP = false; #ifdef LOG_LOCAL5 Conf_SyslogFacility = LOG_LOCAL5; #else @@@ -857,8 -846,7 +859,8 @@@ Read_Config( bool ngircd_starting strlcpy( section, str, sizeof( section )); if (strcasecmp(section, "[GLOBAL]") == 0 || strcasecmp(section, "[LIMITS]") == 0 || - strcasecmp(section, "[OPTIONS]") == 0) + strcasecmp(section, "[OPTIONS]") == 0 || + strcasecmp(section, "[SSL]") == 0) continue; if( strcasecmp( section, "[SERVER]" ) == 0 ) { @@@ -917,10 -905,6 +919,10 @@@ Handle_LIMITS(line, var, arg); else if(strcasecmp(section, "[OPTIONS]") == 0) Handle_OPTIONS(line, var, arg); +#ifdef SSL_SUPPORT + else if(strcasecmp(section, "[SSL]") == 0) + Handle_SSL(line, var, arg); +#endif else if(strcasecmp(section, "[OPERATOR]") == 0) Handle_OPERATOR(line, var, arg); else if(strcasecmp(section, "[SERVER]") == 0) @@@ -967,9 -951,9 +969,9 @@@ #ifdef SSL_SUPPORT /* Make sure that all SSL-related files are readable */ - CheckFileReadable("SSLCertFile", Conf_SSLOptions.CertFile); - CheckFileReadable("SSLDHFile", Conf_SSLOptions.DHFile); - CheckFileReadable("SSLKeyFile", Conf_SSLOptions.KeyFile); + CheckFileReadable("CertFile", Conf_SSLOptions.CertFile); + CheckFileReadable("DHFile", Conf_SSLOptions.DHFile); + CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile); #endif return true; @@@ -1115,6 -1099,13 +1117,6 @@@ CheckLegacyGlobalOption(int Line, char || strcasecmp(Var, "OperCanUseMode") == 0 || strcasecmp(Var, "OperServerMode") == 0 || strcasecmp(Var, "PredefChannelsOnly") == 0 -#ifdef SSL_SUPPORT - || strcasecmp(Var, "SSLCertFile") == 0 - || strcasecmp(Var, "SSLDHFile") == 0 - || strcasecmp(Var, "SSLKeyFile") == 0 - || strcasecmp(Var, "SSLKeyFilePassword") == 0 - || strcasecmp(Var, "SSLPorts") == 0 -#endif || strcasecmp(Var, "SyslogFacility") == 0 || strcasecmp(Var, "WebircPassword") == 0) { Handle_OPTIONS(Line, Var, Arg); @@@ -1130,16 -1121,6 +1132,16 @@@ Handle_LIMITS(Line, Var, Arg); return "[Limits]"; } +#ifdef SSL_SUPPORT + if (strcasecmp(Var, "SSLCertFile") == 0 + || strcasecmp(Var, "SSLDHFile") == 0 + || strcasecmp(Var, "SSLKeyFile") == 0 + || strcasecmp(Var, "SSLKeyFilePassword") == 0 + || strcasecmp(Var, "SSLPorts") == 0) { + Handle_SSL(Line, Var + 3, Arg); + return "[SSL]"; + } +#endif return NULL; } @@@ -1320,16 -1301,9 +1322,16 @@@ Handle_GLOBAL( int Line, char *Var, cha /** TODO: This function and support for these options in the * [Global] section could be removed starting with ngIRCd * release 19 (one release after marking it "deprecated"). */ - Config_Error(LOG_WARNING, - "%s, line %d (section \"Global\"): \"%s\" is deprecated here, move it to %s!", - NGIRCd_ConfFile, Line, Var, section); + if (strncasecmp(Var, "SSL", 3) == 0) { + Config_Error(LOG_WARNING, + "%s, line %d (section \"Global\"): \"%s\" is deprecated here, move it to %s and rename to \"%s\"!", + NGIRCd_ConfFile, Line, Var, section, + Var + 3); + } else { + Config_Error(LOG_WARNING, + "%s, line %d (section \"Global\"): \"%s\" is deprecated here, move it to %s!", + NGIRCd_ConfFile, Line, Var, section); + } return; } @@@ -1460,6 -1434,10 +1462,10 @@@ Handle_OPTIONS(int Line, char *Var, cha WarnIdent(Line); return; } + if (strcasecmp(Var, "MorePrivacy") == 0) { + Conf_MorePrivacy = Check_ArgIsTrue(Arg); + return; + } if (strcasecmp(Var, "NoticeAuth") == 0) { Conf_NoticeAuth = Check_ArgIsTrue(Arg); return; @@@ -1487,77 -1465,53 +1493,77 @@@ return; } #endif + if (strcasecmp(Var, "ScrubCTCP") == 0) { + Conf_ScrubCTCP = Check_ArgIsTrue(Arg); + return; + } +#ifdef SYSLOG + if (strcasecmp(Var, "SyslogFacility") == 0) { + Conf_SyslogFacility = ngt_SyslogFacilityID(Arg, + Conf_SyslogFacility); + return; + } +#endif + if (strcasecmp(Var, "WebircPassword") == 0) { + len = strlcpy(Conf_WebircPwd, Arg, sizeof(Conf_WebircPwd)); + if (len >= sizeof(Conf_WebircPwd)) + Config_Error_TooLong(Line, Var); + return; + } + + Config_Error_Section(Line, Var, "Options"); +} + #ifdef SSL_SUPPORT - if (strcasecmp(Var, "SSLCertFile") == 0) { + +/** + * Handle variable in [SSL] configuration section. + * + * @param Line Line numer in configuration file. + * @param Var Variable name. + * @param Arg Variable argument. + */ +static void +Handle_SSL(int Line, char *Var, char *Arg) +{ + assert(Line > 0); + assert(Var != NULL); + assert(Arg != NULL); + + if (strcasecmp(Var, "CertFile") == 0) { assert(Conf_SSLOptions.CertFile == NULL); Conf_SSLOptions.CertFile = strdup_warn(Arg); return; } - if (strcasecmp(Var, "SSLDHFile") == 0) { + if (strcasecmp(Var, "DHFile") == 0) { assert(Conf_SSLOptions.DHFile == NULL); Conf_SSLOptions.DHFile = strdup_warn(Arg); return; } - if (strcasecmp(Var, "SSLKeyFile") == 0) { + if (strcasecmp(Var, "KeyFile") == 0) { assert(Conf_SSLOptions.KeyFile == NULL); Conf_SSLOptions.KeyFile = strdup_warn(Arg); return; } - if (strcasecmp(Var, "SSLKeyFilePassword") == 0) { + if (strcasecmp(Var, "KeyFilePassword") == 0) { assert(array_bytes(&Conf_SSLOptions.KeyFilePassword) == 0); if (!array_copys(&Conf_SSLOptions.KeyFilePassword, Arg)) Config_Error(LOG_ERR, - "%s, line %d (section \"Global\"): Could not copy %s: %s!", + "%s, line %d (section \"SSL\"): Could not copy %s: %s!", NGIRCd_ConfFile, Line, Var, strerror(errno)); return; } - if (strcasecmp(Var, "SSLPorts") == 0) { + if (strcasecmp(Var, "Ports") == 0) { ports_parse(&Conf_SSLOptions.ListenPorts, Line, Arg); return; } -#endif -#ifdef SYSLOG - if (strcasecmp(Var, "SyslogFacility") == 0) { - Conf_SyslogFacility = ngt_SyslogFacilityID(Arg, - Conf_SyslogFacility); - return; - } -#endif - if (strcasecmp(Var, "WebircPassword") == 0) { - len = strlcpy(Conf_WebircPwd, Arg, sizeof(Conf_WebircPwd)); - if (len >= sizeof(Conf_WebircPwd)) - Config_Error_TooLong(Line, Var); - return; - } - Config_Error_Section(Line, Var, "Options"); + Config_Error_Section(Line, Var, "SSL"); } +#endif + /** * Handle variable in [Operator] configuration section. * @@@ -1894,7 -1848,7 +1900,7 @@@ Validate_Config(bool Configtest, bool R #ifdef PAM if (Conf_ServerPwd[0]) Config_Error(LOG_ERR, - "This server uses PAM, \"Password\" will be ignored!"); + "This server uses PAM, \"Password\" in [Global] section will be ignored!"); #endif #ifdef DEBUG diff --combined src/ngircd/conf.h index 1f9bd122,c2af692a..afc0afaa --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@@ -175,15 -175,15 +175,18 @@@ GLOBAL bool Conf_DNS /** Enable IDENT lookups, even when compiled with support for it */ GLOBAL bool Conf_Ident; -/** Enable all usage of PAM, even when compiled with support for it */ -GLOBAL bool Conf_PAM; - + /** Enable "more privacy" mode and "censor" some user-related information */ + GLOBAL bool Conf_MorePrivacy; + + /** Enable NOTICE AUTH messages on connect */ + GLOBAL bool Conf_NoticeAuth; + +/** Enable all usage of PAM, even when compiled with support for it */ +GLOBAL bool Conf_PAM; + +/** Disable all CTCP commands except for /me ? */ +GLOBAL bool Conf_ScrubCTCP; + - /** Enable NOTICE AUTH messages on connect */ - GLOBAL bool Conf_NoticeAuth; - /* * try to connect to remote systems using the ipv6 protocol, * if they have an ipv6 address? (default yes)