This adds __attribute__((format(printf,X,Y))) to several functions.
It also adds checking only for the non-literal case to some functions
such as unreal_log/unreal_do_log.
This so we can more easily detect format string issues. Especially now with
the recoding of the logger and with possible future mistakes in this area
in UnrealIRCd 6 itself or in third party modules.
The check is currently disabled in these files, which are TODO items:
* src/send.c: still much work to do
* src/socket.c: due to report_error and report_baderror().
I want to get rid of these functions and integrate them
in the new logger anyway.
* src/serv.c: only disable for hunt_server()
on what hardware people end up running UnrealIRCd.
Also (unrelated) add a check for >64kb strings in unrealdb_write_str()
and return an API error. That too is unlikely to ever happen, but..
better be correct.
This library provides easy to use functions for encryption/decryption
among other things. There is some overlap with things that
OpenSSL also provides but not all.
Note: the only change between 5.0.9 and 5.0.9.1 is:
* Build improvements on *NIX (faster compiling and lower memory requirements)
* Windows version is unchanged and still 5.0.9
Type: Parallel build: Non-parallel build:
Before change 92 seconds 304 seconds
After change 7 seconds 21 seconds
All this thanks to a simple --disable-tests being passed to c-ares' configure.
Thank you BuildBot.
This means on older OpenSSL's we are not going to have certificate
expiry checks. Those OpenSSL versions were deprecated by the OpenSSL
team itself, so yeah then you will miss out a few things.
This provides ROP hardening, which is actually quite nice.
However, it requires CPU hardware support, which is pretty
non existant at the moment. So, right now, on most systems
this option will do nothing.
version or newer on the sytem, otherwise we fall back to shipped version.
This fixes https://bugs.unrealircd.org/view.php?id=5187 among others.
It means:
* Case insensitive matches work better in UTF8 now, such as extended Latin.
For example, a spamfilter on "ę" now also matches "Ę", while previously
it did not catch this.
* Other PCRE2 features such as https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5
are now available. For example you can now set a spamfilter with the regex
\p{Arabic} to block all Arabic script, or
\p{Cyrillic} to block all Cyrillic script (such as Russian)
Use these new tools with care, of course. Blocking an entire language,
or script, is quite a drastic measure.
All of this was possible because of the new PCRE2_MATCH_INVALID_UTF
compile time option which was introduced in PCRE2 10.34.
This also means we now require at least that PCRE2 version so
everyone can benefit from this new spamfilter UTF8 feature.
Many systems come with older PCRE2 versions so this means we will
fall back to the shipped PCRE2 version in UnrealIRCd. This means
./Config will take a little longer to compile things.
Although there is no indication as of now, but if this feature would
break things heavily then it might get reverted or configurable.
This is also why it was added just after 5.0.4 release and not right
before it, it needs some heavy testing.
Reported by k4be and others.
For the crash to occur a few specific things had to happen:
1) The system is missing the argon2 dev library (or it is too old)
causing us to use the UnrealIRCd-shipped argon2 library.
2) You ran ./Config while there is an existing IRCd running
3) Now some argon2 hash is being checked (eg due to an OPER attempt)
4) Crash
A very similar crash happens (to a LOT more people) when you
run './unrealircd restart' to do the actual upgrade. In such
a case, the old IRCd crashed (the one that was actually supposed
to die anyway). The annoying thing was that the crash reporter
would kick in to report such a crash which was actually quite
harmless. This is actually the same crash as described earlier
so should be fixed as well now.
This variant was reported by Shillos and others.
TLSv1.0 or TLSv1.1. Otherwise it is impossible to enable by the application.
We are still going to turn off TLSv1.0 and TLSv1.1 by the end of this year
by default. Ubuntu 20.04 is just a couple of months too early. See also
the various browsers who postponed disabling TLSv1.0/TLSv1.1.
Also, regardless of the above, we want the admins running the IRC server
be able to control this and not having such a breaking change be dependant
on some distro default settings.
This results in a more general error message that is easy to google.
Also fix the gmake error to complain about make/gmake since it
may also indicate missing make.
Bram Matthys