mirror of
https://github.com/ChronosX88/psyced.git
synced 2024-12-05 00:22:19 +00:00
are you human? do you care about privacy?
This commit is contained in:
parent
5cf911c6ae
commit
b8506361f6
@ -511,10 +511,10 @@ then
|
|||||||
git stash save 'changes stashed automatically by psyced -m'
|
git stash save 'changes stashed automatically by psyced -m'
|
||||||
git merge -s resolve origin
|
git merge -s resolve origin
|
||||||
# restore local changes?
|
# restore local changes?
|
||||||
# git stash apply
|
# git stash pop
|
||||||
echo ""
|
echo ""
|
||||||
echo "If you had local changes to your files you can now restore them using"
|
echo "If you had local changes to your files you can now restore them using"
|
||||||
echo "${hi}git stash apply${lo}"
|
echo "${hi}git stash pop${lo}"
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -4,6 +4,9 @@
|
|||||||
_warning_server_shutdown_temporary
|
_warning_server_shutdown_temporary
|
||||||
|Serverneustart: [_reason]
|
|Serverneustart: [_reason]
|
||||||
|
|
||||||
|
_warning_missing_circuit_encryption
|
||||||
|
|Deine Verbindung ist nicht verschlüsselt. Du gefährdest die Privatsphäre anderer Personen!
|
||||||
|
|
||||||
_status_circuit_encryption_cipher
|
_status_circuit_encryption_cipher
|
||||||
|Gratuliere! Deine Verbindung ist mit forward secrecy verschlüsselt ([_circuit_encryption_cipher]).
|
|Gratuliere! Deine Verbindung ist mit forward secrecy verschlüsselt ([_circuit_encryption_cipher]).
|
||||||
|
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
<PSYC:TEXTDB> ## vim:syntax=mail
|
<PSYC:TEXTDB> ## vim:syntax=mail
|
||||||
## Check utf-8: Praise Atatürk!
|
## Check utf-8: Praise Atatürk!
|
||||||
|
|
||||||
|
_warning_missing_circuit_encryption
|
||||||
|
|Your connection is not encrypted. You are putting other people's privacy at risk!
|
||||||
|
|
||||||
_status_circuit_encryption_cipher
|
_status_circuit_encryption_cipher
|
||||||
|Congratulations. Your connection is encrypted with forward secrecy.
|
|Congratulations. Your connection is encrypted with forward secrecy.
|
||||||
|
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
<PSYC:TEXTDB> ## vim:syntax=mail
|
<PSYC:TEXTDB> ## vim:syntax=mail
|
||||||
## tradotto al 30% ... cerca /TODO/ per continuare
|
## tradotto al 30% ... cerca /TODO/ per continuare
|
||||||
|
|
||||||
|
_warning_missing_circuit_encryption
|
||||||
|
|La tua connessione non è crittata. Stai mettendo a rischio la privacy di altre persone!
|
||||||
|
|
||||||
_status_circuit_encryption_cipher
|
_status_circuit_encryption_cipher
|
||||||
|Muy bueno! La tua connessione è crittata con forward secrecy.
|
|Muy bueno! La tua connessione è crittata con forward secrecy.
|
||||||
|
|
||||||
|
@ -276,4 +276,9 @@
|
|||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#define PRIVACY_SURVEILLED 0
|
||||||
|
#define PRIVACY_UNKNOWN -1
|
||||||
|
#define PRIVACY_MITMX509 23
|
||||||
|
#define PRIVACY_REASONABLE 44
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -487,8 +487,9 @@ enter(source, mc, data, vars) {
|
|||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
# if defined(SECURE)
|
# if defined(SECURE)
|
||||||
// let people in who are either connected via a SSL/TLS
|
// let people in who are either connected via an MITM-prone TLS
|
||||||
// protocol or are coming from the localhost (probably SSH users).
|
// protocol or are coming from the reasonably safe localhost
|
||||||
|
// (either SSH or Tor users).
|
||||||
//
|
//
|
||||||
// both cases are no absolute guarantee for safety.. it is still
|
// both cases are no absolute guarantee for safety.. it is still
|
||||||
// in the hands of each user in the room to safeguard true secrecy
|
// in the hands of each user in the room to safeguard true secrecy
|
||||||
@ -497,27 +498,14 @@ enter(source, mc, data, vars) {
|
|||||||
// or belong to a certain group, so you have to use the respective
|
// or belong to a certain group, so you have to use the respective
|
||||||
// #defines to also ensure that, if that's what you want.
|
// #defines to also ensure that, if that's what you want.
|
||||||
//
|
//
|
||||||
// -lynX 2004
|
// -lynX 2004, updated 2015
|
||||||
|
//
|
||||||
if (!((objectp(source) &&
|
int intimacy = probably_private(source);
|
||||||
// should use trustworthy level 9 instead? if so.. how?
|
|
||||||
(query_ip_number(source) == "127.0.0.1"
|
|
||||||
# ifdef SECURE_IP_NUMBER
|
|
||||||
|| SECURE_IP_NUMBER(query_ip_number(source))
|
|
||||||
# endif
|
|
||||||
|| query_ip_number(source) == __HOST_IP_NUMBER__ ))
|
|
||||||
# if __EFUN_DEFINED__(tls_query_connection_state)
|
|
||||||
// psyc client.. may also one day be a psyc server, in that
|
// psyc client.. may also one day be a psyc server, in that
|
||||||
// case we have to hope the rest of the link is secured, too
|
// case we have to hope the rest of the link is secured, too
|
||||||
|| (objectp(vars["_INTERNAL_origin"])
|
if (intimacy == PRIVACY_UNKNOWN)
|
||||||
&& interactive(vars["_INTERNAL_origin"])
|
intimacy = probably_private(vars["_INTERNAL_origin"]);
|
||||||
&& tls_query_connection_state(vars["_INTERNAL_origin"]))
|
if (intimacy <= PRIVACY_SURVEILLED) {
|
||||||
// tls connection, be it telnet irc jabber or https
|
|
||||||
// shouldn't this check happen before "_INTERNAL_origin"? -lynX
|
|
||||||
|| (objectp(source) && interactive(source)
|
|
||||||
&& tls_query_connection_state(source))
|
|
||||||
# endif
|
|
||||||
)) {
|
|
||||||
sendmsg(source, "_error_place_enter_necessary_encryption",
|
sendmsg(source, "_error_place_enter_necessary_encryption",
|
||||||
"[_nick_place] may only be accessed by clients with enabled encryption.",
|
"[_nick_place] may only be accessed by clients with enabled encryption.",
|
||||||
([ "_nick_place" : qName() ]) );
|
([ "_nick_place" : qName() ]) );
|
||||||
|
@ -186,3 +186,44 @@ string tls_bad_cipher(object sock, string scheme) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Do not use server technologies like psyced for strong
|
||||||
|
// privacy or anonymity requirements. Get started using
|
||||||
|
// distributed technologies instead. Check out:
|
||||||
|
// http://youbroketheinternet.org
|
||||||
|
// http://secushare.org
|
||||||
|
// But if you're happy with half-baked security, here you
|
||||||
|
// have it:
|
||||||
|
// -lynX 2015
|
||||||
|
//
|
||||||
|
int probably_private(object source) {
|
||||||
|
// object has no TCP to it. you have to ask its circuit.
|
||||||
|
unless (objectp(source) && interactive(source))
|
||||||
|
return PRIVACY_UNKNOWN;
|
||||||
|
// should use trustworthy level 9 instead? if so.. how?
|
||||||
|
if (query_ip_number(source) == "127.0.0.1"
|
||||||
|
// query_ip_number() efun is faster than a local
|
||||||
|
// LPC variable, so it is fine we call it often
|
||||||
|
|| query_ip_number(source) == __HOST_IP_NUMBER__
|
||||||
|
# ifdef SECURE_IP_NUMBER
|
||||||
|
|| SECURE_IP_NUMBER(query_ip_number(source))
|
||||||
|
# endif
|
||||||
|
// People coming from localhost have either made it
|
||||||
|
// through SSH's reasonable certificate pinning or
|
||||||
|
// Tor's public-key based addressing.. both provide
|
||||||
|
// reasonable protection from men in the middle, if
|
||||||
|
// only the server itself could be considered secure.
|
||||||
|
//
|
||||||
|
) return PRIVACY_REASONABLE;
|
||||||
|
# if __EFUN_DEFINED__(tls_query_connection_state)
|
||||||
|
// Alas, this person is using a TLS/SSL-enhanced
|
||||||
|
// access protocol which, unless the client implements
|
||||||
|
// certificate pinning, is susceptible to man in the
|
||||||
|
// middle attacks. Find out more on this topic on
|
||||||
|
// http://patrol.psyced.org
|
||||||
|
//
|
||||||
|
if (tls_query_connection_state(source))
|
||||||
|
return PRIVACY_MITMX509;
|
||||||
|
# endif
|
||||||
|
return PRIVACY_SURVEILLED;
|
||||||
|
}
|
||||||
|
|
||||||
|
@ -8,18 +8,27 @@
|
|||||||
|
|
||||||
qScheme() { return "tn"; }
|
qScheme() { return "tn"; }
|
||||||
|
|
||||||
logon() {
|
human(x) {
|
||||||
// first check limits and authlocal, then show banner
|
x = lower_case(x);
|
||||||
if (::logon()) {
|
unless (abbrev(x, "yes") || abbrev(x, "ja") || abbrev(x, "si") || abbrev(x, "zes")) {
|
||||||
// unless (nick) {
|
emit("\nSorry, no other species welcome currently.\n\n");
|
||||||
cat(TELNET_PATH "clear.vt");
|
}
|
||||||
cat("/local/banner.txt");
|
// now check limits
|
||||||
// }
|
else if (::logon()) {
|
||||||
// takes a little tweaking to use T() here
|
// takes a little tweaking to use T() here
|
||||||
emit("Name: ");
|
emit("Name: ");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
logon() {
|
||||||
|
if (nick) return ::logon(); // authlocal
|
||||||
|
cat(TELNET_PATH "clear.vt");
|
||||||
|
cat("/local/banner.txt");
|
||||||
|
input_to(#'human, INPUT_IGNORE_BANG);
|
||||||
|
// takes a little tweaking to use T() here
|
||||||
|
emit("Are you human? ");
|
||||||
|
}
|
||||||
|
|
||||||
password(a) {
|
password(a) {
|
||||||
// send IAC + WONT + ECHO to go to echo-mode again
|
// send IAC + WONT + ECHO to go to echo-mode again
|
||||||
#ifdef OLD_HACKS_WE_PROBABLY_NO_LONGER_NEED
|
#ifdef OLD_HACKS_WE_PROBABLY_NO_LONGER_NEED
|
||||||
@ -67,7 +76,7 @@ hello(ni) {
|
|||||||
//
|
//
|
||||||
// only the PROMUVE will need this, as the freemuve isn't accepting "." and
|
// only the PROMUVE will need this, as the freemuve isn't accepting "." and
|
||||||
// ":" in nicknames anyways (PROMUVE converts those to "_").
|
// ":" in nicknames anyways (PROMUVE converts those to "_").
|
||||||
#ifdef PRO_PATH
|
#if 0 //def PRO_PATH
|
||||||
# if 0
|
# if 0
|
||||||
{ int i1, i2, i3, i4, i5;
|
{ int i1, i2, i3, i4, i5;
|
||||||
if (strstr(ni, "://") > 0 ||
|
if (strstr(ni, "://") > 0 ||
|
||||||
@ -83,7 +92,8 @@ hello(ni) {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
# else
|
# else
|
||||||
if (abbrev("GET ", ni) || abbrev("POST ", ni)
|
// we could simply disallow space in the name here...
|
||||||
|
if (abbrev("GET ", ni) || abbrev("POST ", ni) || abbrev("OPTIONS ", ni)
|
||||||
|| abbrev("CONNECT ", ni)) {
|
|| abbrev("CONNECT ", ni)) {
|
||||||
// hehe.. we could htredirect proxyscanners to our www port ;)
|
// hehe.. we could htredirect proxyscanners to our www port ;)
|
||||||
emit("Dumbhead.\n<h1>Don't you have a telnet client?</h1>\n");
|
emit("Dumbhead.\n<h1>Don't you have a telnet client?</h1>\n");
|
||||||
@ -95,7 +105,7 @@ hello(ni) {
|
|||||||
return ::hello(ni);
|
return ::hello(ni);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef BRAIN
|
#if 0 //def BRAIN
|
||||||
morph() {
|
morph() {
|
||||||
if (user->isNewbie())
|
if (user->isNewbie())
|
||||||
emit("\nSorry, no unregistered users currently.\n\n");
|
emit("\nSorry, no unregistered users currently.\n\n");
|
||||||
|
@ -1572,13 +1572,22 @@ logon() {
|
|||||||
string evil;
|
string evil;
|
||||||
|
|
||||||
if (tls_query_connection_state(ME) == 1) {
|
if (tls_query_connection_state(ME) == 1) {
|
||||||
if (evil = tls_bad_cipher(ME, t)) {
|
// evil TLS ciphers are no problem if the connection is being
|
||||||
// i bet jabber users will love this
|
// tunneled through SSH or Tor, so we shut up in that case.
|
||||||
|
if (probably_private(ME) < PRIVACY_REASONABLE &&
|
||||||
|
(evil = tls_bad_cipher(ME, t))) {
|
||||||
|
// Seems to affect only pidgin for linux prior to 2015
|
||||||
w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
|
w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
|
||||||
//return remove_interactive(ME);
|
//return remove_interactive(ME);
|
||||||
} else {
|
} else {
|
||||||
unless (beQuiet) w("_status_circuit_encryption_cipher");
|
unless (beQuiet) w("_status_circuit_encryption_cipher");
|
||||||
}
|
}
|
||||||
|
} else if (!probably_private(ME)) {
|
||||||
|
w("_warning_missing_circuit_encryption"
|
||||||
|
# ifdef _warning_missing_circuit_encryption
|
||||||
|
, _warning_missing_circuit_encryption
|
||||||
|
# endif
|
||||||
|
);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
// cannot if (greeting) here this since jabber:iq:auth depends on this
|
// cannot if (greeting) here this since jabber:iq:auth depends on this
|
||||||
|
Loading…
Reference in New Issue
Block a user