From fbc563a94e02c951c5931c6128f2c1cf0ff9de02 Mon Sep 17 00:00:00 2001
From: "psyc://loupsycedyglgamf.onion/~lynX"
Date: Mon, 30 Jul 2018 19:32:12 +0200
Subject: [PATCH] introducing TLS requirement for IRC users
---
 world/net/include/place.gen | 8 ++++++++
 world/net/irc/server.c | 19 ++++++++++++++++++-
 world/net/library/dns.c | 2 +-
 world/net/library/tls.c | 1 +
4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/world/net/include/place.gen b/world/net/include/place.gen
index e9de120..a025557 100644
--- a/world/net/include/place.gen
+++ b/world/net/include/place.gen
@@ -613,10 +613,15 @@ htget(prot, query, headers, qs) {
 #ifdef CHALLENGE_MATCH
 #include
+#define CHALOG(verb) log_file("CHALLENGE", "%s %s %O A:%O P:%O C:%O\n", \
+ MYNICK, verb, query_ip_name(), \
+ query["answer"], query["parameters"], headers["cookie"])
+ // maybe this all belongs into archetype.gen.. chesmo!
 htget(prot, query, headers, qs, data, noprocess) { if (stringp(headers["cookie"]) && regmatch(headers["cookie"], "challenge=complete&answer="+ md5(CHALLENGE_MATCH))) {
+ CHALOG("completes");
 htnotify(query, headers, "_accomplished_web", "Challenge accomplished in [_nick_place] by [_web_on] coming from [_web_from].");
 # ifdef CHALLENGE_REDIRECT
@@ -638,6 +643,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 string nu = stringp(query["parameters"]) && strlen(query["parameters"]) ? item +"?"+ query["parameters"] : item;
+ CHALOG("reloads");
 htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer="+ md5(CHALLENGE_MATCH) +"\"; path="+ item +";\n"); return 1; }
@@ -646,6 +652,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 // url that allows other people to bypass the challenge.
 // could add a timeout here...
 htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
+ CHALOG("challenges");
 w("_PAGES_group_challenge", 0, ([ "_challenge" : htquote(CHALLENGE_QUESTION), // if the user failed the challenge,
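Review bot: The CHALOG macro writes `headers["cookie"]` verbatim to the CHALLENGE log on every call, and that cookie is exactly the value the `regmatch` at the top of htget() accepts as proof of completion (`"challenge=complete&answer="+ md5(CHALLENGE_MATCH)`, a static function of the configured answer, so it never expires); anyone with read access to the log file can therefore reproduce a completing cookie without knowing the answer, and the submitted answers (presumably `query["answer"]`) are stored next to the peer's resolved hostname. Logging only the presence of the cookie, e.g. feeding `C:%O` with `stringp(headers["cookie"])` instead of the header itself, keeps the audit trail without persisting the credential. The macro also expands bare `query` and `headers`, so it only compiles inside functions that declare parameters of those names; a one-line comment above the `#define` stating that expectation would spare the next maintainer a confusing compile error. The same log call is added by the hunks at -638 and -646.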
@@ -655,6 +662,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 // printf("%O vs %O\n", query, headers);
 htnotify(query, headers, "_challenged_web", "[_nick_place] challenges [_web_on] coming from [_web_from].");
+ // (query [_web_query], cookie [_web_cookie]).");
 return 1; }
 #endif
diff --git a/world/net/irc/server.c b/world/net/irc/server.c
index a1efe60..ac8ff19 100644
--- a/world/net/irc/server.c
+++ b/world/net/irc/server.c
@@ -38,6 +38,12 @@ createUser(nick) {
 return named_clone(IRC_PATH "user", nick); }
+#ifndef _flag_enable_unencrypted_users
+ignorance(a) {
+ if (ME) next_input_to(#'ignorance);
+}
+#endif
+
 parse(a) { ::parse(a); if (ME) next_input_to(#'parse);
@@ -158,15 +164,26 @@ tls_logon(a) {
 logon(failure) { if (this_interactive()) set_prompt(""); // case of failure?
- next_input_to(#'parse);
 #if __EFUN_DEFINED__(tls_query_connection_state)
+# ifdef _flag_enable_unencrypted_users
 if (tls_query_connection_state(ME) == 0) { // DONT ::logon if this is to be done by tls_logon
 ::logon(failure); }
+# else
+ if (probably_private(ME) <= PRIVACY_SURVEILLED) {
+ log_file("IRCPLAIN", "[%s] %O(%O)\n", ctime(),
+ query_ip_number(), query_ip_name());
+ w("_error_mandatory_encryption", "Your connection does not satisfy our privacy requirements. Please fix your configuration.");
+ next_input_to(#'ignorance);
+ write("\n"); // why is this needed?
+ return 1;
+ }
+# endif
 #else
 ::logon(failure);
 #endif
+ next_input_to(#'parse);
 #ifdef _flag_log_sockets_IRC
 log_file("RAW_IRC", "\nnew connection %O from %O\n", ME,
diff --git a/world/net/library/dns.c b/world/net/library/dns.c
index a95fa0b..8a914f4 100644
--- a/world/net/library/dns.c
+++ b/world/net/library/dns.c
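Review bot: The added line is a commented-out fragment of a string literal (`// (query [_web_query], cookie [_web_cookie]).");`) left inside the htnotify() argument list; it records an intention rather than code, so either implement the placeholders or drop the line before it fossilizes. If it is ever enabled, keep in mind that the cookie carries the `challenge=complete&answer=` token checked at the top of htget(), so interpolating `[_web_cookie]` into a notification would hand that credential to every recipient of the notice. htget() starts and ends outside this hunk.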
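Review bot: `ignorance()` re-arms itself on every input line and never closes the connection, so a plaintext client refused by logon() keeps its socket and interactive object alive for as long as it keeps sending data. Once the rejection message has been delivered the intended end state is a closed connection, so consider dropping the interactive there (LDMud's `remove_interactive()` would fit, to be confirmed against how tls_logon handles the same case) instead of discarding input indefinitely, and give the function a header such as `// input sink for connections refused by logon(): discards every line until the client gives up`. The definition is guarded by `#ifndef _flag_enable_unencrypted_users` while its only caller sits under `# else` of `# ifdef _flag_enable_unencrypted_users` in logon(); the two guards agree today, but a comment pointing at logon() would make that coupling visible to whoever touches either flag.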
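Review bot: The mandatory-encryption check exists only inside `#if __EFUN_DEFINED__(tls_query_connection_state)`; the outer `#else` branch still runs `::logon(failure);` unconditionally, so on a driver built without that efun every plaintext connection is admitted and the requirement announced in the commit title silently does nothing. Making that fallback fail closed, or at least emitting a compile-time or startup diagnostic there, would match the intent. Inside the rejection branch `probably_private(ME) <= PRIVACY_SURVEILLED` is the whole gate, and the tls.c hunk of this same patch records that its SECURE_IP_NUMBER clause is apparently compiled out, so whether a peer on such a host passes this comparison currently depends on whether that macro is visible in the library rather than on policy alone. The IRCPLAIN line records `query_ip_number()` and `query_ip_name()` of every refused peer; given that the patch is motivated by privacy, confirm that retaining those addresses is wanted, and replace `// why is this needed?` with what the blank `write()` was observed to fix once that is known. logon() ends outside this hunk.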
@@ -33,7 +33,7 @@ inherit NET_PATH "queue";
 // this mapping has to be *volatile* or it will carry old hostnames
 // that may no longer be valid, then cause wild illogical behaviour
 volatile mapping localhosts = ([
- "localhost": "127.0.0.1",
+ "localhost": "127.0.0.1", // what if remote hosts dns-resolve to "localhost" ?
 "127.0.0.1": "localhost",
 // unusual but valid syntax for localhost
 // then again usually any 127.* leads to localhost so it's
diff --git a/world/net/library/tls.c b/world/net/library/tls.c
index de3673b..044487d 100644
--- a/world/net/library/tls.c
+++ b/world/net/library/tls.c
@@ -203,6 +203,7 @@ int probably_private(object source) {
 // LPC variable, so it is fine we call it often
 || query_ip_number(source) == __HOST_IP_NUMBER__
 # ifdef SECURE_IP_NUMBER
+// problem: apparently this macro isn't defined when library is compiled
 || SECURE_IP_NUMBER(query_ip_number(source))
 # endif
 // People coming from localhost have either made it
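Review bot: The question added as a comment on the `"localhost"` entry deserves an answer in code rather than in a comment: a reverse lookup result is chosen by whoever controls the PTR records for the peer's address range, so any consumer of `localhosts` that starts from a resolved hostname instead of the peer's IP would classify a remote host as local. If every lookup keys on the IP side (as the `query_ip_number()` comparisons in the tls.c hunk of this patch do) the entry is harmless, and the comment could state that invariant instead, e.g. `// reverse-DNS names are chosen by the peer's network; classify hosts by IP, never by this name`. The mapping's remaining entries and its users are outside this hunk.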
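Review bot: The added comment records that SECURE_IP_NUMBER is apparently undefined when this library compiles, which means the `# ifdef` silently drops the clause and probably_private() never grants the secure-IP exemption; combined with the new logon() gate in server.c this fails closed (such peers are refused as plaintext) rather than open, so the direction is the safe one, but the configuration is still not reaching the library. Rather than leaving the observation as a comment, make the absence visible, e.g. an `# else` branch with a compile-time diagnostic or a one-time log_file() entry when the macro is missing, so an operator learns why secure-IP users are being rejected. probably_private() starts and ends outside this hunk.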