Updates for new repository name of test framework.

was not possible since the configuration code was missing.
Reported by HeXiLeD in https://bugs.unrealircd.org/view.php?id=5327

.CHANGES.NEW

@@ -7,7 +7,7 @@
  \___/|_| |_|_|  \___|\__,_|_|\___/\_| \_| \____/\__,_|
 
                                Configuration Program
-                                for UnrealIRCd 4.0.19-rc2
+                                for UnrealIRCd 4.2.4.1
                                     
 This program will help you to compile your IRC server, and ask you
 questions regarding the compile-time settings of it during the process. 

.gitmodules

@@ -3,4 +3,4 @@
 	url = https://github.com/unrealircd/ircfly.git
 [submodule "extras/tests/functional-tests"]
 	path = extras/tests/functional-tests
-	url = https://github.com/unrealircd/unrealircd-tests.git
+	url = https://github.com/unrealircd/unrealircd-tests-old.git

.travis.yml

@@ -1,6 +1,6 @@
 language: c
-os:
-- linux
+os: linux
+dist: xenial
 compiler:
   - clang
   - gcc
@@ -20,9 +20,9 @@ matrix:
     env: BUILDCONFIG="system-cares system-curl"
   - os: osx
     env: BUILDCONFIG="local-curl"
-  - env: BUILDCONFIG="libressl-25"
-  - env: BUILDCONFIG="libressl-26"
   - env: BUILDCONFIG="libressl-27"
+  - env: BUILDCONFIG="libressl-28"
+  - env: BUILDCONFIG="libressl-29"
   - env: BUILDCONFIG="openssl-102"
   - env: BUILDCONFIG="openssl-110"
   - env: BUILDCONFIG="openssl-111"

Config

@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Config script for UnrealIRCd
-# (C) 2001-2016 The UnrealIRCd Team
+# (C) 2001-2019 The UnrealIRCd Team
 #
 # This configure script is free software; the UnrealIRCd Team gives 
 # unlimited permission to copy, distribute and modify as long as the
@@ -70,6 +70,9 @@ fi
 if [ "$PREFIXAQ" != "1" ]; then
 ARG="$ARG--disable-prefixaq "
 fi
+if [ "$MAXCONNECTIONS_REQUEST" != "auto" ]; then
+	ARG="$ARG--with-maxconnections=$MAXCONNECTIONS_REQUEST "
+fi
 
 ARG="$ARG--with-bindir=$BINDIR "
 ARG="$ARG--with-datadir=$DATADIR "
@@ -85,7 +88,6 @@ ARG="$ARG--with-scriptdir=$BASEPATH "
 ARG="$ARG--with-nick-history=$NICKNAMEHISTORYLENGTH "
 ARG="$ARG--with-sendq=$MAXSENDQLENGTH "
 ARG="$ARG--with-permissions=$DEFPERM "
-ARG="$ARG--with-fd-setsize=$MAXCONNECTIONS "
 ARG="$ARG--enable-dynamic-linking "
 ARG="$ARG $EXTRAPARA "
 CONF="./configure $ARG"
@@ -145,6 +147,11 @@ else
 echo "SSL certificate exists in $CONFDIR/ssl/server.cert.pem, no need to regenerate."
 fi
 fi
+
+# Silently force a 'make clean' as otherwise part (or whole) of the
+# compiled source could be using different settings than the user
+# just requested when re-running ./Config.
+make clean 1>/dev/null 2>&1
 }
 
 RUN_ADVANCED () {
@@ -362,7 +369,7 @@ DEFPERM="0600"
 SSLDIR=""
 NICKNAMEHISTORYLENGTH="2000"
 MAXSENDQLENGTH="3000000"
-MAXCONNECTIONS="1024"
+MAXCONNECTIONS_REQUEST="auto"
 REMOTEINC=""
 CURLDIR=""
 PREFIXAQ="1"
@@ -381,6 +388,22 @@ else
         n="-n"
 fi
 
+date|grep 2019 1>/dev/null 2>&1
+if [ "$?" -ne 0 ]; then
+	echo "*** WARNING ***"
+	echo "UnrealIRCd 4.x will no longer be supported after December 31, 2020."
+	echo "You should upgrade to UnrealIRCd 5 before that date."
+	echo "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL"
+	echo $n . $c
+	sleep 1
+	echo $n . $c
+	sleep 1
+	echo $n . $c
+	echo ""
+	sleep 1
+	echo "Press ENTER to continue"
+	read xyz
+fi
 
 #parse arguments
 NOCACHE=""
@@ -452,7 +475,7 @@ echo ""
 
 if [ -z "$NOCACHE" ] ; then
 	# This needs to be updated each release so auto-upgrading works for settings, modules, etc!!:
-	UNREALRELEASES="unrealircd-4.0.19-rc1 unrealircd-4.0.18 unrealircd-4.0.18-rc2 unrealircd-4.0.18-rc1 unrealircd-4.0.17 unrealircd-4.0.17-rc1 unrealircd-4.0.16.1 unrealircd-4.0.16 unrealircd-4.0.15 unrealircd-4.0.14 unrealircd-4.0.14-rc1 unrealircd-4.0.13 unrealircd-4.0.13-rc1 unrealircd-4.0.12.1 unrealircd-4.0.12 unrealircd-4.0.11 unrealircd-4.0.10 unrealircd-4.0.9 unrealircd-4.0.8.4 unrealircd-4.0.8.3 unrealircd-4.0.8.2 unrealircd-4.0.8.1"
+	UNREALRELEASES="unrealircd-4.2.3-rc1 unrealircd-4.2.2 unrealircd-4.2.2-rc2 unrealircd-4.2.2-rc1 unrealircd-4.2.1.1 unrealircd-4.2.1 unrealircd-4.2.1-rc1 unrealircd-4.2.0 unrealircd-4.0.19-rc2 unrealircd-4.0.19-rc1 unrealircd-4.0.18 unrealircd-4.0.18-rc2 unrealircd-4.0.18-rc1 unrealircd-4.0.17 unrealircd-4.0.17-rc1 unrealircd-4.0.16.1 unrealircd-4.0.16 unrealircd-4.0.15 unrealircd-4.0.14 unrealircd-4.0.14-rc1 unrealircd-4.0.13 unrealircd-4.0.13-rc1 unrealircd-4.0.12.1 unrealircd-4.0.12"
 	if [ -f "config.settings" ]; then
 		. ./config.settings
 	else
@@ -833,25 +856,34 @@ done
 echo ""
 TEST=""
 while [ -z "$TEST" ] ; do
-    TEST="$MAXCONNECTIONS"
-    echo ""
-    echo "How many file descriptors (or sockets) can the IRCd use?"
-    echo $n "[$TEST] -> $c"
+	TEST="$MAXCONNECTIONS_REQUEST"
+	echo ""
+	echo "What is the maximum number of sockets (and file descriptors) that"
+	echo "UnrealIRCd may use?"
+	echo "It is recommended to leave this at the default setting 'auto',"
+	echo "which at present results in a limit of up to 8192, depending on"
+	echo "the system. When you boot UnrealIRCd later you will always see"
+	echo "the effective limit."
+	echo $n "[$TEST] -> $c"
 	read cc
-    if [ -z "$cc" ] ; then
-	MAXCONNECTIONS=$TEST
-	break
-    fi
-    case "$cc" in
-	[1-9][0-9][0-9]*)
-	    MAXCONNECTIONS="$cc"
-	    ;;
-	*)
-	    echo ""
-	    echo "You must to enter a number greater than or equal to 100"
-	    TEST=""
-	    ;;
-    esac
+	if [ -z "$cc" ] ; then
+		MAXCONNECTIONS_REQUEST=$TEST
+		break
+	fi
+	case "$cc" in
+		auto)
+			MAXCONNECTIONS_REQUEST="$cc"
+			;;
+		[1-9][0-9][0-9]*)
+			MAXCONNECTIONS_REQUEST="$cc"
+			;;
+		*)
+			echo ""
+			echo "You must to enter a number greater than or equal to 100."
+			echo "Or enter 'auto' to leave it at automatic, which is recommended."
+			TEST=""
+			;;
+	esac
 done
 if [ -n "$ADVANCED" ] ; then
 	RUN_ADVANCED
@@ -882,7 +914,7 @@ TMPDIR="$TMPDIR"
 LIBDIR="$LIBDIR"
 PREFIXAQ="$PREFIXAQ"
 MAXSENDQLENGTH="$MAXSENDQLENGTH"
-MAXCONNECTIONS="$MAXCONNECTIONS"
+MAXCONNECTIONS_REQUEST="$MAXCONNECTIONS_REQUEST"
 NICKNAMEHISTORYLENGTH="$NICKNAMEHISTORYLENGTH"
 DEFPERM="$DEFPERM"
 SSLDIR="$SSLDIR"

Makefile.in

@@ -34,11 +34,11 @@ FROMDOS=/home/cmunk/bin/4dos
 #
 
 #XCFLAGS=-O -g -export-dynamic
-IRCDLIBS=@IRCDLIBS@ @TRE_LIBS@ @PCRE2_LIBS@ @CARES_LIBS@ @PTHREAD_LIBS@
+IRCDLIBS=@IRCDLIBS@ @TRE_LIBS@ @PCRE2_LIBS@ @ARGON2_LIBS@ @CARES_LIBS@ @PTHREAD_LIBS@
 CRYPTOLIB=@CRYPTOLIB@
 OPENSSLINCLUDES=
 
-XCFLAGS=@PTHREAD_CFLAGS@ @TRE_CFLAGS@ @PCRE2_CFLAGS@ @CARES_CFLAGS@ @CFLAGS@ @HARDEN_CFLAGS@ @CPPFLAGS@
+XCFLAGS=@PTHREAD_CFLAGS@ @TRE_CFLAGS@ @PCRE2_CFLAGS@ @ARGON2_CFLAGS@ @CARES_CFLAGS@ @CFLAGS@ @HARDEN_CFLAGS@ @CPPFLAGS@
 #
 # use the following on MIPS:
 #CFLAGS= -systype bsd43 -DSYSTYPE_BSD43 -I$(INCLUDEDIR)
@@ -187,6 +187,7 @@ install: all
 	-@if [ ! -f "@CONFDIR@/spamfilter.conf" ] ; then \
 		$(INSTALL) -m 0600 doc/conf/spamfilter.conf @CONFDIR@ ; \
 	fi
+	-@extras/patches/patch_spamfilter_conf "@CONFDIR@"
 	-@if [ ! -f "@CONFDIR@/badwords.conf" ] ; then \
 		$(INSTALL) -m 0600 doc/conf/badwords.conf @CONFDIR@ ; \
 	fi
@@ -244,7 +245,7 @@ install: all
 	@echo '* To start/stop UnrealIRCd run: @SCRIPTDIR@/unrealircd"'
 	@echo ''
 	@echo '* Consult the documentation online at:'
-	@echo '  * https://www.unrealircd.org/docs/UnrealIRCd_4_documentation'
+	@echo '  * https://www.unrealircd.org/docs/'
 	@echo '  * https://www.unrealircd.org/docs/FAQ'
 	@echo '* You may also wish to install a cron job to ensure UnrealIRCd is always running:'
 	@echo '  * https://www.unrealircd.org/docs/Cron_job'

README.md

@@ -1,5 +1,5 @@
-[![Build Status - *NIX](https://travis-ci.org/unrealircd/unrealircd.svg?branch=unreal40)](https://travis-ci.org/unrealircd/unrealircd)
-[![Build Status - Windows](https://ci.appveyor.com/api/projects/status/9kgectl2mfyia0s5/branch/unreal40?svg=true)](https://ci.appveyor.com/project/syzop/unrealircd/branch/unreal40)
+[![Build Status - *NIX](https://travis-ci.org/unrealircd/unrealircd.svg?branch=unreal42)](https://travis-ci.org/unrealircd/unrealircd)
+[![Build Status - Windows](https://ci.appveyor.com/api/projects/status/9kgectl2mfyia0s5/branch/unreal42?svg=true)](https://ci.appveyor.com/project/syzop/unrealircd/branch/unreal42)
 [![Twitter Follow](https://img.shields.io/twitter/follow/Unreal_IRCd.svg?style=social&label=Follow)](https://twitter.com/Unreal_IRCd)
 
 ## About UnrealIRCd

appveyor.yml

@@ -1,4 +1,4 @@
-version: 4.0.x-devbuild-{build}
+version: 4.2.x-devbuild-{build}
 environment:
   matrix:
   - APPVEYOR_BUILD_WORKER_IMAGE: "Visual Studio 2017"

autoconf/m4/unreal.m4

@@ -169,9 +169,11 @@ AS_IF([test $enable_ssl != "no"],
 		AC_MSG_RESULT(not found)
 		echo ""
 		echo "Apparently you do not have both the openssl binary and openssl development libraries installed."
-		echo "Please install the needed binaries and libraries."
-		echo "The package is often called 'openssl-dev', 'openssl-devel' or 'libssl-dev'"
-		echo "After doing so re-run ./Config"
+		echo "The following packages are required:"
+		echo "1) The library package is often called 'openssl-dev', 'openssl-devel' or 'libssl-dev'"
+		echo "2) The binary package is usually called 'openssl'."
+		echo "NOTE: you or your system administrator needs to install the library AND the binary package."
+		echo "After doing so, simply re-run ./Config"
 		exit 1
 	else
 		CRYPTOLIB="-lssl -lcrypto";
@@ -190,14 +192,34 @@ SAVE_LIBS="$LIBS"
 LIBS="$LIBS $CRYPTOLIB"
 AC_TRY_LINK([#include <openssl/ssl.h>],
 	[SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");],
-	has_curves=1,
-	has_curves=0)
+	has_function=1,
+	has_function=0)
 LIBS="$SAVE_LIBS"
 AC_LANG_POP(C)
-if test $has_curves = 1; then
+if test $has_function = 1; then
 	AC_MSG_RESULT([yes])
 	AC_DEFINE([HAS_SSL_CTX_SET1_CURVES_LIST], [], [Define if ssl library has SSL_CTX_set1_curves_list])
 else
 	AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_SSL_CTX_SET_MIN_PROTO_VERSION],
+[
+AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include <openssl/ssl.h>],
+	[SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);],
+	has_function=1,
+	has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAS_SSL_CTX_SET_MIN_PROTO_VERSION], [], [Define if ssl library has SSL_CTX_set_min_proto_version])
+else
+	AC_MSG_RESULT([no])
+fi
+])

configure.ac

@@ -8,7 +8,7 @@ dnl src/win32/unrealinst.iss
 dnl .CHANGES.NEW
 dnl src/version.c.SH
 
-AC_INIT([unrealircd], [4.0.19-rc2], [http://bugs.unrealircd.org/], [], [http://unrealircd.org/])
+AC_INIT([unrealircd], [4.2.4.1], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/])
 AC_CONFIG_SRCDIR([src/ircd.c])
 AC_CONFIG_HEADER([include/setup.h])
 AC_CONFIG_AUX_DIR([autoconf])
@@ -32,96 +32,35 @@ UNREAL_VERSION_GENERATION=["4"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_GENERATION], [$UNREAL_VERSION_GENERATION], [Generation version number (e.g.: X for X.Y.Z)])
 
 # Major version number (e.g.: Y in X.Y.Z)
-UNREAL_VERSION_MAJOR=["0"]
+UNREAL_VERSION_MAJOR=["2"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_MAJOR], [$UNREAL_VERSION_MAJOR], [Major version number (e.g.: Y for X.Y.Z)])
 
 # Minor version number (e.g.: Z in X.Y.Z)
-UNREAL_VERSION_MINOR=["19"]
+UNREAL_VERSION_MINOR=["4"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor version number (e.g.: Z for X.Y.Z)])
 
 # The version suffix such as a beta marker or release candidate
 # marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
 # string instead of an integer because it contains arbitrary data.
-UNREAL_VERSION_SUFFIX=["-rc2"]
+UNREAL_VERSION_SUFFIX=[".1"]
 AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)])
 
-AC_PROG_CC
-if test "$ac_cv_prog_gcc" = "yes"; then
-CFLAGS="$CFLAGS -funsigned-char"
-AC_CACHE_CHECK(if gcc has a working -pipe, ac_cv_pipe, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -pipe"
-	AC_TRY_COMPILE(,, ac_cv_pipe="yes", ac_cv_pipe="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_pipe" = "yes"; then
-CFLAGS="-pipe $CFLAGS"
-fi
-fi
-
-dnl UnrealIRCd might not be strict-aliasing safe at this time
-AC_CACHE_CHECK(if the compiler has a working -fno-strict-aliasing, ac_cv_nsa, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -fno-strict-aliasing"
-	AC_TRY_COMPILE(,, ac_cv_nsa="yes", ac_cv_nsa="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_nsa" = "yes"; then
-CFLAGS="$CFLAGS -fno-strict-aliasing"
-fi
-
-dnl Pointer signedness warnings are really a pain and 99.9% of the time
-dnl they are of absolutely no use whatsoever. IMO the person who decided
-dnl to enable this without -Wall should be shot on sight.
-AC_CACHE_CHECK(if the compiler has a working -Wno-pointer-sign, ac_cv_nps, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -Wno-pointer-sign"
-	AC_TRY_COMPILE(,, ac_cv_nps="yes", ac_cv_nps="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_nps" = "yes"; then
-CFLAGS="$CFLAGS -Wno-pointer-sign"
-fi
-
-dnl This is purely for charsys.c... I like it so we can easily read
-dnl this for non-utf8. We can remove it once we ditch non-utf8 some day
-dnl of course, or decide to ignore me and encode them.
-AC_CACHE_CHECK(if the compiler has a working -Wno-invalid-source-encoding, ac_cv_nise, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -Wno-invalid-source-encoding"
-	AC_TRY_COMPILE(,, ac_cv_nise="yes", ac_cv_nise="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_nise" = "yes"; then
-CFLAGS="$CFLAGS -Wno-invalid-source-encoding"
-fi
-
-dnl Pffff..
-AC_CACHE_CHECK(if the compiler has a working -Wno-format-zero-length, ac_cv_nfzl, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -Wno-format-zero-length"
-	AC_TRY_COMPILE(,, ac_cv_nfzl="yes", ac_cv_nfzl="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_nfzl" = "yes"; then
-CFLAGS="$CFLAGS -Wno-format-zero-length"
-fi
-
-dnl More and more and more....
-AC_CACHE_CHECK(if the compiler has a working -Wno-format-truncation, ac_cv_nft, [
-	save_cflags="$CFLAGS"
-	CFLAGS="$CFLAGS -Wno-format-truncation -Werror"
-	AC_TRY_COMPILE(,, ac_cv_nft="yes", ac_cv_nft="no")
-	CFLAGS="$save_cflags"
-])
-if test "$ac_cv_nft" = "yes"; then
-CFLAGS="$CFLAGS -Wno-format-truncation"
-fi
-
 AC_PATH_PROG(RM,rm)
 AC_PATH_PROG(CP,cp)
 AC_PATH_PROG(TOUCH,touch)
 AC_PATH_PROG(OPENSSLPATH,openssl)
+AS_IF([test x"$OPENSSLPATH" = "x"],
+[
+echo ""
+echo "Apparently you do not have both the openssl binary and openssl development libraries installed."
+echo "The following packages are required:"
+echo "1) The library package is often called 'openssl-dev', 'openssl-devel' or 'libssl-dev'"
+echo "2) The binary package is usually called 'openssl'."
+echo "NOTE: you or your system administrator needs to install the library AND the binary package."
+echo "After doing so, simply re-run ./Config"
+exit 1
+])
+
 AC_PATH_PROG(INSTALL,install)
 AC_CHECK_PROG(MAKER, gmake, gmake, make)
 AC_PATH_PROG(GMAKE,gmake)
@@ -146,7 +85,6 @@ AC_CHECK_LIB(nsl, inet_ntoa,
 AC_CHECK_LIB(crypto, RAND_egd,
 		AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
 
-AC_SUBST(IRCDLIBS)
 AC_SUBST(MKPASSWDLIBS)
 
 dnl HARDENING START
@@ -224,6 +162,83 @@ CXX="$saved_CXX"
 LD="$saved_LD"
 dnl HARDENING END
 
+dnl UnrealIRCd might not be strict-aliasing safe at this time
+check_cc_cxx_flag([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"])
+
+dnl Previously -funsigned-char was in a config check. It would always
+dnl be enabled with gcc and clang. We now unconditionally enable it,
+dnl skipping the check. This will cause an error if someone uses a
+dnl non-gcc/non-clang compiler that does not support -funsigned-char
+dnl which is good. After all, we really depend on it.
+dnl UnrealIRCd should never be compiled without char being unsigned.
+CFLAGS="$CFLAGS -funsigned-char"
+
+dnl Compiler -W checks...
+
+dnl We should be able to turn this on unconditionally:
+CFLAGS="$CFLAGS -Wall"
+
+dnl More warnings (if the compiler supports it):
+check_cc_cxx_flag([-Wextra], [CFLAGS="$CFLAGS -Wextra"])
+check_cc_cxx_flag([-Waggregate-return], [CFLAGS="$CFLAGS -Waggregate-return"])
+dnl The following few are more experimental, if they have false positives we'll have
+dnl to disable them:
+dnl Can't use this, too bad: check_cc_cxx_flag([-Wlogical-op], [CFLAGS="$CFLAGS -Wlogical-op"])
+check_cc_cxx_flag([-Wduplicated-cond], [CFLAGS="$CFLAGS -Wduplicated-cond"])
+check_cc_cxx_flag([-Wduplicated-branches], [CFLAGS="$CFLAGS -Wduplicated-branches"])
+
+dnl And now to filter out certain warnings:
+dnl [!] NOTE REGARDING THE check_cc_cxx_flag used by these:
+dnl We check for the -Woption even though we are going to use -Wno-option.
+dnl This is due to the following (odd) gcc behavior:
+dnl "When an unrecognized warning option is requested (e.g.,
+dnl  -Wunknown-warning), GCC emits a diagnostic stating that the option is not
+dnl  recognized.  However, if the -Wno- form is used, the behavior is slightly
+dnl  different: no diagnostic is produced for -Wno-unknown-warning unless
+dnl  other diagnostics are being produced.  This allows the use of new -Wno-
+dnl  options with old compilers, but if something goes wrong, the compiler
+dnl  warns that an unrecognized option is present."
+dnl Since we don't want to use any unrecognized -Wno-option, we test for
+dnl -Woption instead.
+
+dnl Pointer signedness warnings are really a pain and 99.9% of the time
+dnl they are of absolutely no use whatsoever. IMO the person who decided
+dnl to enable this without -Wall should be shot on sight.
+check_cc_cxx_flag([-Wpointer-sign], [CFLAGS="$CFLAGS -Wno-pointer-sign"])
+
+dnl This is purely for charsys.c... I like it so we can easily read
+dnl this for non-utf8. We can remove it once we ditch non-utf8 some day
+dnl of course, or decide to ignore me and encode them.
+check_cc_cxx_flag([-Winvalid-source-encoding], [CFLAGS="$CFLAGS -Wno-invalid-source-encoding"])
+
+check_cc_cxx_flag([-Wformat-zero-length], [CFLAGS="$CFLAGS -Wno-format-zero-length"])
+
+check_cc_cxx_flag([-Wformat-truncation], [CFLAGS="$CFLAGS -Wno-format-truncation"])
+
+dnl While it can be useful to occasionally to compile with warnings about
+dnl unused variables and parameters, we often 'think ahead' when coding things
+dnl so they may be useless now but not later. Similarly, for variables, we
+dnl don't always care about a variable that may still be present in a build
+dnl without DEBUGMODE. Unused variables are optimized out anyway.
+check_cc_cxx_flag([-Wunused], [CFLAGS="$CFLAGS -Wno-unused"])
+check_cc_cxx_flag([-Wunused-parameter], [CFLAGS="$CFLAGS -Wno-unused-parameter"])
+
+dnl We use this and this warning is meaningless since 'char' is always unsigned
+dnl in UnrealIRCd compiles (-funsigned-char).
+check_cc_cxx_flag([-Wchar-subscripts], [CFLAGS="$CFLAGS -Wno-char-subscripts"])
+
+check_cc_cxx_flag([-Wsign-compare], [CFLAGS="$CFLAGS -Wno-sign-compare"])
+
+dnl Don't warn about empty body, we use this, eg via Debug(()) or in if's.
+check_cc_cxx_flag([-Wempty-body], [CFLAGS="$CFLAGS -Wno-empty-body"])
+
+dnl This one fails with ircstrdup(var, staticstring)
+dnl Shame we have to turn it off completely...
+check_cc_cxx_flag([-Waddress], [CFLAGS="$CFLAGS -Wno-address"])
+
+dnl End of -W... compiler checks.
+
+
 dnl module checking based on Hyb7's module checking code
 AC_DEFUN([AC_ENABLE_DYN],
 [
@@ -463,26 +478,7 @@ if test "$ac_cv_varlen_arrays" = "yes" ; then
 	AC_DEFINE([HAVE_C99_VARLEN_ARRAY], [], [Define if you have a compiler with C99 variable length array support])
 fi
 
-dnl This check doesn't need to be in ./configure, we can
-dnl write the sourcecode to actually handle the return value
-dnl of setrlimit if necessary... -- ohnobinki
-AC_CACHE_CHECK([if we can set the core size to unlimited], [ac_cv_force_core], [
-AC_TRY_RUN([
-#include <sys/time.h>
-#include <sys/resource.h>
-#include <unistd.h>
-int main() {
-struct rlimit corelim;
-corelim.rlim_cur = corelim.rlim_max = RLIM_INFINITY;
-if (setrlimit(RLIMIT_CORE, &corelim))
-exit(1);
-exit(0);
-}
-],ac_cv_force_core=yes,ac_cv_force_core=no)
-])
-if test "$ac_cv_force_core" = "yes"; then
-	AC_DEFINE([FORCE_CORE], [], [Define if you can set the core size to unlimited])
-fi
+AC_CHECK_FUNCS([setrlimit])
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([gettimeofday],
 	[AC_DEFINE([GETTIMEOFDAY], [], [Define if you have gettimeofday])],
@@ -665,10 +661,10 @@ AC_SUBST(DOCDIR)
 AC_SUBST(PIDFILE)
 AC_SUBST(LDFLAGS_PRIVATELIBS)
 
-AC_ARG_WITH(fd-setsize, [AS_HELP_STRING([--with-fd-setsize=size], [Specify the max file descriptors to use])],
+AC_ARG_WITH(maxconnections, [AS_HELP_STRING([--with-maxconnections=size], [Specify the max file descriptors to use])],
 	[ac_fd=$withval],
-	[ac_fd=1024])
-AC_DEFINE_UNQUOTED([MAXCONNECTIONS], [$ac_fd], [Set to the max connections you want])
+	[ac_fd=0])
+AC_DEFINE_UNQUOTED([MAXCONNECTIONS_REQUEST], [$ac_fd], [Set to the maximum number of connections you want])
 
 AC_ARG_ENABLE([prefixaq],
 	[AS_HELP_STRING([--disable-prefixaq],[Disable chanadmin (+a) and chanowner (+q) prefixes])],
@@ -681,9 +677,6 @@ AC_ARG_WITH(showlistmodes,
 	[AS_HELP_STRING([--with-showlistmodes], [Specify whether modes are shown in /list])],
 	[AS_IF([test $withval = "yes"],
 		[AC_DEFINE([LIST_SHOW_MODES], [], [Define if you want modes shown in /list])])])
-AC_ARG_WITH(topicisnuhost, [AS_HELP_STRING([--with-topicisnuhost], [Display nick!user@host as the topic setter])],
-	[AS_IF([test $withval = "yes"],
-		[AC_DEFINE([TOPIC_NICK_IS_NUHOST], [], [Define if you want nick!user@host shown for the topic setter])])])
 AC_ARG_WITH(shunnotices, [AS_HELP_STRING([--with-shunnotices], [Notify a user when he/she is no longer shunned])],
 	[AS_IF([test $withval = "yes"],
 		[AC_DEFINE([SHUN_NOTICES], [], [Define if you want users to be notified when their shun is removed])])])
@@ -699,11 +692,14 @@ AC_ARG_WITH(operoverride-verify, [AS_HELP_STRING([--with-operoverride-verify], [
 AC_ARG_WITH(disable-extendedban-stacking, [AS_HELP_STRING([--with-disable-extendedban-stacking], [Disable extended ban stacking])],
        [AS_IF([test $withval = "yes"],
        		[AC_DEFINE([DISABLE_STACKED_EXTBANS], [], [Define to disable extended ban stacking (~q:~c:\#chan, etc)])])])
+AC_ARG_WITH(tre, [AS_HELP_STRING([--without-tre], [Do not use the old deprecated TRE regex library])], [with_tre=no], [with_tre=yes])
 AC_ARG_WITH(system-tre, [AS_HELP_STRING([--with-system-tre], [Use the system tre package instead of bundled, discovered using pkg-config])], [], [with_system_tre=no])
 AC_ARG_WITH(system-pcre2, [AS_HELP_STRING([--with-system-pcre2], [Use the system pcre2 package instead of bundled, discovered using pkg-config])], [], [with_system_pcre2=no])
+AC_ARG_WITH(system-argon2, [AS_HELP_STRING([--without-system-argon2], [Use bundled version instead of system argon2 library. Normally autodetected via pkg-config])], [], [with_system_argon2=yes])
 AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
 CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
+CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
 	[enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],
@@ -716,6 +712,12 @@ AC_ARG_ENABLE([werror],
   [ac_cv_werror="$enableval"],
   [ac_cv_werror="no"])
 
+AC_ARG_ENABLE([asan],
+  [AS_HELP_STRING([--enable-asan],
+    [Enable address sanitizer, not recommended for production servers!])],
+  [ac_cv_asan="$enableval"],
+  [ac_cv_asan="no"])
+
 AC_MSG_CHECKING([if FD_SETSIZE is large enough to allow $ac_fd file descriptors])
 AC_COMPILE_IFELSE([
 #include <sys/types.h>
@@ -752,7 +754,17 @@ dnl fail on certain solaris boxes. We might as
 dnl well set it here.
 export PATH_SEPARATOR
 
+AS_IF([test "x$with_tre" = "xyes"],[
+	AC_DEFINE([USE_TRE], [], [Use the old deprecated TRE regex library])
+])
+
 AS_IF([test "x$with_system_tre" = "xno"],[
+  AS_IF([test "x$with_tre" = "xyes"],[
+    compile_tre="yes"
+  ])
+])
+
+AS_IF([test "x$compile_tre" = "xyes"],[
 dnl REMEMBER TO CHANGE WITH A NEW TRE RELEASE!
 tre_version="0.8.0-git"
 AC_MSG_RESULT(extracting TRE regex library)
@@ -788,14 +800,16 @@ AS_IF([test -z "$TRE_LIBS"],
        [TRE_LIBS="$PRIVATELIBDIR/libtre.so"])
 AC_SUBST(TRE_LIBS)
 cd $cur_dir
-],[
+])
+
+AS_IF([test "x$with_system_tre" = "xyes"],[
 dnl use pkgconfig for tre:
 PKG_CHECK_MODULES([TRE], tre >= 0.7.5)
 ])
 
 AS_IF([test "x$with_system_pcre2" = "xno"],[
 dnl REMEMBER TO CHANGE WITH A NEW PCRE2 RELEASE!
-pcre2_version="10.30"
+pcre2_version="10.32"
 AC_MSG_RESULT(extracting PCRE2 regex library)
 cur_dir=`pwd`
 cd extras
@@ -837,6 +851,44 @@ dnl use pkgconfig for pcre2:
 PKG_CHECK_MODULES([PCRE2], libpcre2-8 >= 10.00)
 ])
 
+dnl Use system argon2 when available, unless --without-system-argon2
+has_system_argon2="no"
+AS_IF([test "x$with_system_argon2" = "xyes"],[
+PKG_CHECK_MODULES([ARGON2], [libargon2 >= 0~20161029],[has_system_argon2=yes
+AS_IF([test "x$PRIVATELIBDIR" != "x"], [rm -f "$PRIVATELIBDIR/"libargon2*])],[has_system_argon2=no])])
+
+AS_IF([test "$has_system_argon2" = "no"],[
+dnl REMEMBER TO CHANGE WITH A NEW ARGON2 RELEASE!
+argon2_version="20181209"
+AC_MSG_RESULT(extracting Argon2 library)
+cur_dir=`pwd`
+cd extras
+dnl remove old argon2 directory to force a recompile...
+dnl and remove its installation prefix just to clean things up.
+rm -rf argon2-$argon2_version argon2
+if test "x$ac_cv_path_GUNZIP" = "x" ; then
+	tar xfz argon2-$argon2_version.tar.gz
+else
+	cp argon2-$argon2_version.tar.gz argon2-$argon2_version.tar.gz.bak
+	gunzip -f argon2-$argon2_version.tar.gz
+	cp argon2-$argon2_version.tar.gz.bak argon2-$argon2_version.tar.gz
+	tar xf argon2-$argon2_version.tar
+fi
+AC_MSG_RESULT(compiling Argon2 library)
+cd argon2-$argon2_version
+$ac_cv_prog_MAKER || exit 1
+AC_MSG_RESULT(installing Argon2 library)
+$ac_cv_prog_MAKER install PREFIX=$cur_dir/extras/argon2 || exit 1
+# We need to manually copy the libs to PRIVATELIBDIR because
+# there is no way to tell make install in libargon2 to do so.
+cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/
+ARGON2_CFLAGS="-I$cur_dir/extras/argon2/include"
+AC_SUBST(ARGON2_CFLAGS)
+ARGON2_LIBS="-L$PRIVATELIBDIR -largon2"
+AC_SUBST(ARGON2_LIBS)
+cd $cur_dir
+])
+
 dnl Use system c-ares when available, unless --without-system-cares.
 has_system_cares="no"
 AS_IF([test "x$with_system_cares" = "xyes"],[
@@ -847,7 +899,7 @@ AS_IF([test "$has_system_cares" = "no"], [
 dnl REMEMBER TO CHANGE WITH A NEW C-ARES RELEASE!
 dnl NOTE: when changing this here, ALSO change it in extras/curlinstall
 dnl       and in the comment in this file around line 400!
-cares_version="1.13.0"
+cares_version="1.15.0"
 AC_MSG_RESULT(extracting c-ares resolver library)
 cur_dir=`pwd`
 cd extras
@@ -924,6 +976,14 @@ if test "$ac_cv_werror" = "yes" ; then
 	CFLAGS="$CFLAGS -Werror"
 fi
 
+dnl Address sanitizer build
+if test "$ac_cv_asan" = "yes" ; then
+	CFLAGS="$CFLAGS -O0 -fno-inline -fsanitize=address -fno-omit-frame-pointer -DNOCLOSEFD"
+	IRCDLIBS="-fsanitize=address $IRCDLIBS"
+fi
+
+AC_SUBST(IRCDLIBS)
+
 AC_SUBST(UNRLINCDIR)
 
 AC_CONFIG_FILES([Makefile

doc/RELEASE-NOTES

@@ -1,121 +1,66 @@
-UnrealIRCd 4.0.19-rc2 Release Notes
-====================================
+UnrealIRCd 4.2.4.1 Release Notes
+=================================
 
-This is the second release candidate for UnrealIRCd 4.0.19. Please help
-test this release and report all bugs to https://bugs.unrealircd.org/
+This version, 4.2.4.1, fixes an issue with Debian 10. On Debian 10 the
+list of permitted SSL/TLS protocols was ignored (set::ssl::protocols).
+Other than that, set::ssl::outdated-protocols and set::ssl::outdated-ciphers
+are now configurable (rarely needed, though).
+
+Below are the release notes of previous release, 4.2.4.
+
+==[ 4.2.4 release notes ]==
+This release fixes a crash issue if UnrealIRCd is configured to use utf8 or
+chinese character sets in set::allowed-nickchars.  This is not the default.
+We don't expect many users to run their IRCd with this enabled, as the utf8
+support was tagged as experimental and the chinese/gbk implementation is
+incomplete.
+
+In addition to the bug fix from above, this release also contains a number
+of other fixes and enhancements.  In particular there were some Windows
+fixes and the reputation and connthrottle modules are now working better.
 
 Enhancements:
-* New option to disable a module: blacklist-module "modulename";
-  This will cause any 'loadmodule' lines for that module to be ignored.
-  This is especially useful if you only want to disable a few modules
-  that are (normally) automatically loaded by conf/modules.default.conf.
-  https://www.unrealircd.org/docs/Blacklist-module_directive
-* Next three new features have to do with SASL. More information on SASL
-  in general can be found at https://www.unrealircd.org/docs/SASL
-* A new require sasl { } block which allows you to force users on the
-  specified hostmask to use SASL. Any unauthenticated users matching
-  the specified hostmask are are rejected.
-  See https://www.unrealircd.org/docs/Require_sasl_block
-* New "soft kline" and "soft gline". These will not be applied to users
-  that are authenticated to services using SASL.
-  These are just GLINE/KLINE's but prefixed with a percent sign:
-  Example: /GLINE %*@10.* 0 Only SASL allowed from here
-* New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
-  Actions such as "soft-kline" and "soft-kill" will only be applied to
-  unauthenticated users. Users who are authenticated to services (SASL)
-  are exempt from the corresponding spamfilter/blacklist/antirandom/..
-  See https://www.unrealircd.org/docs/Actions for the full action list.
-* WARNING: If your network also contains UnrealIRCd servers below v4.0.19
-  then it is not recommended to use global soft bans (such as soft gline
-  or any spamfilter with soft-xx actions). There won't be havoc, but the
-  bans won't be effective on parts of the network.
-* The following extban modules are not new but are now enabled by default:
-  extbans/textban, extbans/timedban and extbans/msgbypass.
-  In case you don't like them, use blacklist-module as mentioned earlier.
-  Just as a reminder, they provide the following functionality:
-  * TextBan: +b ~T:block:*badword* to block sentences with 'badword'
-  * Timed bans: ~t:duration:mask
-    These are bans that are automatically removed by the server.
-    The duration is in minutes and the mask can be any ban mask.
-    Some examples:
-    * A 5 minute ban on a host:
-      +b ~t:5:*!*@host
-    * A 5 minute quiet ban on a host (unable to speak):
-      +b ~t:5:~q:*!*@host
-    * An invite exception for 24 hours (1440 minutes):
-      +I ~t:1440:*!*@host
-    * A temporary exempt ban for a services account:
-      +e ~t:1440:~a:Account
-    * Allows someone to speak through +m for the next 24hrs:
-      +e ~t:1440:~m:moderated:*!*@host
-    * And any other crazy ideas you can come up with...
-  * Ban exception ~m:type:mask to allow bypassing of message restrictions.
-    Valid types are: 'external' (bypass +n), moderated (bypass +m/+M),
-    'censor' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
-    Some examples:
-    * Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
-    * Let ops in #otherchan bypass +m: +e ~m:moderated:~c:@#otherchan
-    * Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
-    * Allow a services account to use color: +e ~m:color:~a:ColorBot
-  * Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
-* AntiRandom: The module will now (by default) exempt WEBIRC gateways
-  from antirandom checking because they frequently cause false positives.
-  This new behavior can be disabled via:
-  set { antirandom { except-webirc no; }; };
-* Server linking attempts and errors are now also put in the log file.
-* A new module that provides WHOX support, an enhanced and more standard
-  version of WHO (NOTE: the command is still "WHO").
-  This allows, among other things, the client to request additional
-  information, such as which services account each channel member is using.
-  The module is currently experimental. To use it, add this to your conf:
-  loadmodule "m_whox";
+* Improve server linking error messages
+* Enhance WHOX to WHO auto-conversion for "WHO +s serv.er.name"
 
 Major issues fixed:
-* Blacklist: Potential crash issue when concurrently checking DNSBL
-  for the WEBIRC gateway and the spoofed host.
-* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists
-  were not always checked properly.
+* A crash issue if using utf8 or chinese in set::allowed-nickchars.
+* The Windows version only accepted very few clients.
+* The Windows version should warn and not error if using old-style regex.
+* The Windows version did not save the reputation database.
 
 Minor issues fixed:
-* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18
-  (and possibly other Linux distributions as well)
-* Timeouts during server linking attempts were not displayed.
-* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
-* IRCOps with minimal privileges lost their user modes on MODE change.
-* IRCOps could not override channel mode +z (when not using SSL/TLS)
-* Channel names sometimes truncated if using accents or special chars.
-* TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior.
-  There is now set::ssl::ciphersuites, specifically for TLSv1.3.
-  Note that the default is perfectly fine so at this point in time it
-  shouldn't need any adjustment (but the option is there...).
+* The 'connthrottle' module incorrectly allowed 0 unknown users in when
+  it was throttling, rather than the set rate.
+* The 'reputation' module did not show scores for remote users in /WHOIS,
+  only after 5 minutes had passed.
+* Some users may have experienced a "Registration Timeout" error when
+  connecting. This happened because their ident server accepted the TCP/IP
+  connection but after that failed to respond to the ident request. We
+  have now lowered set::ident::read-timeout to 15 seconds to fix this.
+* If successfully logged in using SASL then avoid an "You are already
+  logged in" error message that could happen due to PASS forwarding.
+  The message was harmless, but annoying in some setups.
 
-Removed:
-* allow::options::sasl has been removed. Use the new and more flexible
-  require sasl { } block instead.
+Module coders / Developers:
+* If you are debugging or developing modules then we encourage you to
+  use AddressSanitizer. This does come at a 10x performance slowdown
+  and can consume a lot more memory, but it is very useful in tracing
+  common C mistakes such as out of bounds read/writes, double frees,
+  and so on. You will see exactly where a mistake was made.
+  To use this, in the last ./Config question you answer: --enable-asan
+
+IRC protocol:
+* No changes
 
 Other changes:
-* Windows users may be prompted to install the Visual C++ redistributable
-  package for Visual Studio 2017. This is because we now build on VS 2017
-  instead of VS 2012.
-* We now use standard formatted messages for all K-Lines, G-Lines and
-  any other bans that will cause the user to be disconnected.
-  For technical details see the banned_client() function.
-* The except throttle { } block now also overrides any limitations from
-  set::max-unknown-connection-per-ip. Useful for WEBIRC/cgiirc gateways.
-* Localhost connections are considered secure, so these can be used even
-  if you have a plaintext-policy of 'deny' or 'warn'. (This was already
-  the case for servers, but now also for users and opers)
-* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)
-
-Module coders:
-* Windows: Be aware that we now build with Visual Studio 2017. This means
-  3rd party modules should be compiled with VS 2017 (or VS 2015) as well.
+* Various HELPOP updates
 
 Future versions:
 * We intend to change the default plaintext oper policy from 'warn' to 'deny'
-  later this year. This will deny /OPER when used from a non-SSL connection.
-  For security, IRC Operators should really use SSL/TLS!
+  in the summer of 2019. This will deny /OPER when used from a non-SSL
+  connection. For security, IRC Operators should really use SSL/TLS!
 
 ==[ CHANGES IN OLDER RELEASES ]==
 For changes in previous UnrealIRCd releases see doc/RELEASE-NOTES.old or
-https://raw.githubusercontent.com/unrealircd/unrealircd/unreal40/doc/RELEASE-NOTES.old
+https://raw.githubusercontent.com/unrealircd/unrealircd/unreal42/doc/RELEASE-NOTES.old

doc/RELEASE-NOTES.old

@@ -3,6 +3,480 @@ See doc/RELEASE-NOTES for the latest release notes.
 This file (doc/RELEASE-NOTES.old) contains the release notes
 of OLDER releases for historical purposes.
 
+==[ CHANGES BETWEEN 4.2.2 AND 4.2.3 ]==
+
+This UnrealIRCd release adds new modules to combat drones, it bumps the
+default concurrent user limit, and UnrealIRCd can now easily deal with
+1 million *LINE's placed on *@IP without any noticeable performance impact.
+
+There is also one important change with regards to old style 'posix'
+spamfilters (see under "Deprecated"), these will raise a warning but
+will continue to work for now.
+
+Enhancements:
+* New optional modules 'reputation' and 'connthrottle' to fight drones:
+  * The 'reputation' module will learn what users (IP addresses) are
+    frequently seen on your server and classify these as "known IP's".
+    For every 5 minutes that someone is connected, the IP address receives
+    +1 point. IP's with registered users receive +2 points per 5 minutes.
+    An IRCOp can /WHOIS a user to view this "reputation score".
+    The "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
+    Note that the reputation score is capped at a maximum of 10000 and
+    entries expire if the IP has not been seen online for 30 days (or
+    even sooner for very low reputation scores).
+  * The 'connthrottle' module puts users in one of these two groups:
+    * "known users" with IP addresses that have been online before on
+      your network for some time. By default: 2+ hours past 30 days.
+    * "new users" who have not been seen online before (or too short).
+    Users in the "known users" group can connect without any limitation.
+    Similarly, users who authenticate to services using SASL can also
+    always get in. However, "new users" can be limited, for example
+    at a maximum rate of 20 "new users" per minute.
+    The end result and goal is that in case of a drone attack, 99% of
+    your regular users can still connect as usual. This, while drones
+    and other unknown IP's are limited at, for example, 20 per minute.
+    By limiting the connection rate for drones and other unknown users
+    the damage is limited. It also gives IRCOps a chance to react and
+    take additional countermeasures, if possible.
+  * The modules are not loaded by default. If you want to use them,
+    then have a look at their example configuration in the file
+    conf/modules.optional.conf
+  * The reputation module needs to be running for some time before it
+    contains a meaningful database of "known users". Therefore the
+    connthrottle module will be disabled until the reputation module
+    has gathered sufficient data. This defaults to 1 week.
+  * Full documentation: https://www.unrealircd.org/docs/Connthrottle
+* On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS.
+  On systems that support it this means UnrealIRCd supports up to 8192
+  connections by default. It automatically falls back to a lower value
+  such as 2048 or 1024 if the user account has a lower limit or if the OS
+  does not support it. We recommend users to no longer set any specific
+  value in ./Config and just leave it at 'auto'. If you want to see the
+  effective limit, then look at this message when you start the server
+  on the console: "This server can handle XYZ concurrent sockets".
+* UnrealIRCd now uses a technique that makes KLINE's, GLINE's and (G)ZLINE's
+  placed on individual IP's (*@IP) extremely fast. Just to illustrate:
+  * Previously it took 129 seconds to add 100k ZLINE's, now it takes 2.5 secs.
+  * Checking a connection against 100,000 ZLINE's is now 250 times faster.
+  * Previously 7,500 clients could connect per minute, now 33,560 per minute.
+  * Even with 1 million ZLINE's on *@IP it can handle 30,000 connections p/m.
+  * Rejecting Z-lined users is even faster at 435,000 connections per minute
+    with 100,000 active ZLINE's.
+  Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15.
+  To benefit from these speed improvements, just place a *LINE on *@IP.
+* When the server has just been restarted, many users will reconnect and
+  rejoin channels. We now disable the join flood limit in channel mode +f
+  during the first 75 seconds since startup. This so the channel does not
+  become +i or +R due to "flooding". See:
+  https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay
+
+Deprecated:
+* Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
+  The old method 'posix' is deprecated as this uses the TRE regex library
+  which contains bugs and has not been maintained for more than 10 years.
+  On *NIX the 'make install' script will try to upgrade the example
+  spamfilter.conf. This may not work if you have customizations in that
+  file or if it was originating from 3.2.x. Helpful warnings or error
+  messages are printed when you try to start UnrealIRCd, to guide the
+  user in this upgrade process. For details see:
+  https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
+  https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf
+
+Major issues fixed:
+* None
+
+Minor issues fixed:
+* Changing the set::anti-flood::invite-flood setting had no effect.
+* Sometimes when a server (re)links to the network via 2+ connections it
+  could trigger a race condition where the server would be delinked again.
+
+Module coders / Developers:
+* We now compile with a lot more compiler warnings enabled by default.
+  Similarly, our Travis-CI compiles with --with-werror which enables the
+  -Werror compiler option, which you may want to use as well. This enables
+  the compiler to detect more possible bugs and sketchy code.
+* Some modules still prepend DLLFUNC to functions. This is unnecessary.
+* Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
+* The functions del_Command() and such have been removed. You never needed
+  to use this. Just use CommandAdd() and UnrealIRCd takes care of the rest.
+* For command functions we encourage you to use CMD_FUNC(m_something),
+  this is not new. New is that we now also have something similar for
+  command overrides, namely: CMD_OVERRIDE_FUNC(override_something).
+  This way you don't have to type yourself the int parc, char *parv[] etc.
+  stuff and this way we can also easily change the passed parameters in
+  the future in an automatic way. Eg: provide more variables.
+* If you use linked lists and you use AddListItem() or DelListItem() then
+  you should always have pointers to prev and next at the beginning of
+  your struct (and in that order!), otherwise you risk memory corruption.
+  Because this is an easy mistake to make we will now abort() we detect
+  such an error at runtime in AddListItem or DelListItem (on *NIX).
+
+IRC protocol:
+* Many things changed in previous release (4.2.2).
+* No changes in this release.
+
+Future versions:
+* We intend to change the default plaintext oper policy from 'warn' to 'deny'
+  in the summer of 2019. This will deny /OPER when used from a non-SSL
+  connection. For security, IRC Operators should really use SSL/TLS!
+
+==[ CHANGES BETWEEN 4.2.1 AND 4.2.2 ]==
+
+This is the stable version of UnrealIRCd 4.2.2. It contains several
+major enhancements, in particular with regards to flood controls.
+It also fixes a crash issue in the websocket module. Note that this
+is module is not loaded by default (only via modules.optional.conf
+or explicitly via a loadmodule "websocket").
+
+Enhancements:
+* Quicker connection handshake for clients which use CAP and/or SASL.
+* With "TOPIC #chan" and "MODE #chan +b" (and +e/+I) you can see who set the
+  topic and bans/exempts/invex. The default is to only show the nick of the
+  person who set the item. This can be changed (not the default) by setting:
+  set { topic-setter nick-user-host; };
+  set { ban-setter nick-user-host; };
+* The 'set by' and 'set at' information for +beI lists are now synchronized
+  when servers link. You still see the MODE originating from the server,
+  however when the banlist is queried you will now be able to see the
+  original nick and time of the bansetter rather than serv.er.name.
+  If you want the OLD behavior you can use set { ban-setter-sync no; };
+* The default maximum topic length has been increased from 307 to 360.
+* You can now set more custom limits. The default settings are shown below:
+  set {
+      topic-length 360; /* maximum: 360 */
+      away-length 307; /* maximum: 360 */
+      quit-length 307; /* maximum: 395 */
+      kick-length 307; /* maximum: 360 */
+  };
+* The message sent to users upon *LINE can now be adjusted completely via
+  set::reject-message::kline and set::reject-message::gline.
+  See https://www.unrealircd.org/docs/Set_block#set::reject-message
+* New set::anti-flood::max-concurrent-conversations which configures the
+  maximum number of conversations a user can have with other users at the
+  same time. Until now this was hardcoded at limiting /MSG and /INVITE to
+  20 different users in a 15 second period. The new default is 10 users,
+  which serves as a protection measure against spambots.
+  See https://www.unrealircd.org/docs/Set_block#maxcc for more details.
+* New set::max-targets-per-command which configures the maximum number
+  of targets accepted for a command, eg /MSG nick1,nick2,nick3,nick4 hi.
+  Also changed the following defaults (previously hardcoded):
+  * PRIVMSG from 20 to 4 targets, to counter /amsg spam
+  * NOTICE from 20 to 1 target, to counter /anotice spam
+  * KICK from 1 to 4 targets, to make it easier for channel operators
+    to quickly kick a large amount of spambots
+  See https://www.unrealircd.org/docs/Set_block#set::max-targets-per-command
+  Technical: the 005 token TARGMAX= is used to communicate this information
+  and the old MAXTARGETS= token has been removed.
+* Added INVITE and KNOCK flood protection (command rate limiting):
+  * set::anti-flood::invite-flood now defaults to 4 per 60 seconds
+    (previously the effective limit was 1 invite per 6 seconds).
+  * set::anti-flood::knock-flood now defaults to 4 per 120 seconds.
+* New set::outdated-tls-policy which describes what to do with clients
+  that use outdated SSL/TLS protocols (eg: TLSv1.0) and ciphers.
+  The default settings are to warn in all cases: users connecting,
+  opers /OPER'ing up and servers linking in. The user will see a message
+  telling them to upgrade their IRC client.
+  This should help with migrating such users, since in the future, say one
+  or two years from now, we would want to change the default to only allow
+  TSLv1.2+ with ciphers that provide Forward Secrecy. Instead of rejecting
+  clients without any error message, this provides a way to warn them and
+  give them some time to upgrade their outdated IRC client.
+  https://www.unrealircd.org/docs/Set_block#set::outdated-tls-policy
+
+Major issues fixed:
+* Crash issue in the 'websocket' module.
+
+Minor issues fixed:
+* The advertised "link-security" was incorrectly downgraded from
+  level 2 to 1 if spkifp was used as an authentication method.
+* In case of a crash, the "./unrealircd backtrace" script was not working
+  correctly in non-English environments, leading to less accurate bug reports.
+* Various crashes if a server receives incorrect commands from a trusted
+  linked server.
+* A number of memory leaks on REHASH (about 1K).
+* SASL was not working post-registration, eg: when services link back in.
+  This is now fixed in UnrealIRCd, but may require a services update as well.
+
+Changed:
+* The noctcp user mode (+T) will now only block CTCP's and not CTCP REPLIES.
+  Also, IRCOps can bypass user mode +T restrictions.
+* UnrealIRCd will warn if your ulines { } are matching UnrealIRCd servers.
+* The m_whox module now contains various features that m_who already had.
+  Also, m_whox will try to convert classic UnrealIRCd WHO requests such as
+  "WHO +i 127.0.0.1" to whox style "WHO 127.0.0.1 i". Unfortunately, auto-
+  converting WHO requests this is not always possible. When in doubt the
+  WHOX syntax is assumed. Users are thus (still) encouraged to use the
+  whox style when m_whox is loaded.
+
+Deprecated:
+* None?
+
+Removed:
+* The option to show the topic setter as nick!user@host was previously a
+  config option --with-topicisnuhost and a macro TOPIC_NICK_IS_NUHOST.
+  These are removed, use set::topic-setter "nick-user-host" instead.
+
+Module coders:
+* New hook HOOKTYPE_WELCOME (aClient *acptr, int after_numeric): allows you
+  to send a message at very specific places during the initial welcome
+  https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_WELCOME
+* New Isupport functions: IsupportSet, IsupportSetFmt and IsupportDelByName.
+* The M_ANNOUNCE flag in the command add functions should no longer be used
+  as the CMDS= 005 token is removed. Please update your module.
+* New "SJSBY" in PROTOCTL, which is used in SJOIN to sync extra data. See
+  https://www.unrealircd.org/docs/Server_protocol:SJOIN_command at the end.
+* For a command with 2 arguments, eg "PRIVMSG #a :txt", parv[1] is "#a",
+  parv[2] is "txt" and parv[3] is NULL. Any arguments beyond that, such as
+  parv[4] should not be accessed. To help module coders with detecting such
+  bugs we now poison unused parv[] elements that should never be accessed.
+  Note that without this poison your code will also crash, now it just
+  crashes more consistently.
+
+IRC protocol:
+This section is intended for client coders and people interested in IRC
+protocol technicalities:
+* Many changes in the tokens used in numeric 005 (RPL_ISUPPORT):
+  * Removed CMDS= because this was an unnecessary abstraction and it was
+    not picked up by any other IRCd.
+  * The tokens KNOCK MAP USERIP have been added (moved from CMDS=..)
+  * STARTTLS is no longer advertised in 005 since doing so would be too
+    late. Also, STARTTLS is not the preferred method of using SSL/TLS.
+  * Added TARGMAX= to communicate set::max-targets-per-command limits.
+  * Removed the MAXTARGETS= token because TARGMAX= replaces it.
+  * Added DEAF=d to signal what user mode is used for "deaf"
+  * Added QUITLEN to communicate the set::quit-length setting (after all,
+    why communicate length for KICK but not for QUIT?)
+  * The 005 tokens are now sorted alphabetically
+* When hitting the TARGMAX limit (set::max-targets-per-command), for
+  example with "/MSG k001,k002,k003,k004,k005 hi", you will see:
+  :server 407 me k005 :Too many targets. The maximum is 4 for PRIVMSG.
+* When hitting the set::anti-flood::max-concurrent-conversations limit
+  (so not per command, but per time frame), you will see:
+  :server 439 me k011 :Message target change too fast. Please wait 7 seconds
+* When hitting the set::anti-flood::invite-flood limit you will get:
+  :server 263 me INVITE :Flooding detected. Please wait a while and try again.
+* When hitting the set::anti-flood::knock-flood limit you will get:
+  :server 480 me :Cannot knock on #channel (You are KNOCK flooding)
+* Not a protocol change. But when a server returns from a netsplit and
+  syncs modes such as: :server MODE #chan +b this!is@an.old.ban
+  Then later on you can query the banlist (MODE #chan b) and you may see
+  the actual original setter and timestamp of the ban. So if a user wishes
+  to see the banlist then IRC clients are encouraged to actively query
+  the banlist before displaying it. Fortunately most clients do this.
+* If the set::topic-setter or set::ban-setter are set to nick-user-host
+  then the "added by" field in numerics that show these entries will
+  contain nick!user@host instead of nick, eg:
+  :server 367 me #channel this!is@some.ban bansetter!user@some.host 1549461765
+
+Future versions:
+* We intend to change the default plaintext oper policy from 'warn' to 'deny'
+  in the year 2019. This will deny /OPER when used from a non-SSL connection.
+  For security, IRC Operators should really use SSL/TLS!
+
+==[ CHANGES BETWEEN 4.2.1 AND 4.2.1.1 ]==
+
+The 4.2.1.1 version includes a compile fix for Debian.
+
+==[ CHANGES BETWEEN 4.2.0 AND 4.2.1 ]==
+
+This version enhances support for authentication for clients that do not
+support SASL. Also new is a module to combat mixed UTF8 character spam,
+a rewrite of the operclass privileges and more secure password hashing.
+
+If you missed the 4.2.0 release, then consider looking at the previous
+release announcement as well, since it introduced a lot of new features:
+https://forums.unrealircd.org/viewtopic.php?f=1&t=8843
+
+NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x.
+https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
+
+Enhancements:
+* Support for authentication prompt:
+  Since 4.2.0 you can require specific users to authenticate themselves with
+  their nickname and password via SASL. We now offer a new experimental
+  module called 'authprompt' which will help non-SASL users by showing a
+  notice and asking them to authenticate to their account using the command
+  /AUTH <user>:<pass>. See the new authentication article on the wiki for
+  an overview: https://www.unrealircd.org/docs/Authentication and also
+  https://www.unrealircd.org/docs/Set_block#set::authentication-prompt
+* New optional module 'antimixedutf8' to combat mixed UTF8 character spam
+  (also called freenode spam) that has been plaguing networks.
+  See: https://www.unrealircd.org/docs/Set_block#set::antimixedutf8
+* Support for Argon2 password hashing, which is more resilient against
+  brute force cracking.
+* Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).
+
+Configuration changes:
+* The require sasl { } block is now called require authentication { }
+* The operclass privileges have been redone. Since there were 50+ changes
+  to the 100+ privileges it makes little sense to list the changes here.
+  If, like 99% of the users, you use default operclasses such as "globop"
+  and "admin-with-override" then you don't need to do anything.
+  However, if you have custom operclass { } blocks then the privileges
+  will have to be redone. For more information on the conversion process,
+  see https://www.unrealircd.org/docs/FAQ#New_operclass_permissions
+  For the new list of permissions, with much better naming and grouping:
+  https://www.unrealircd.org/docs/Operclass_permissions
+* In the configuration file you can now use } instead of };
+  Both forms are accepted. There's no need to change if you don't like it.
+* A /* comment in the configuration file is now terminated at the
+  first occurrence of */, instead of two /* /* requiring two */ */.
+  See https://www.unrealircd.org/docs/FAQ#Nesting_comments
+
+Major issues fixed:
+* The blacklist module did not act on IPv6 users listed in DNSBLs.
+
+Minor issues fixed:
+* By default a user shouldn't be allowed to change to a banned nick,
+  unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
+  This feature can be disabled via set { check-target-nick-bans no; };
+* Rehash error messages sent to opers regarding remote includes now no
+  longer include authentication information (replaced with ***:***).
+
+Deprecated:
+* The authentication types 'md5', 'sha1' and 'ripemd160' have been
+  deprecated because they can be cracked at high speeds. They still
+  work, but a warning will be shown on boot and on rehash.
+  Please use the new 'argon2' type instead. Type /MKPASSWD argon2 passwd
+  on IRC, or "./unrealircd mkpasswd argon2" on the command line.
+
+Module coders:
+* Priorities in command overrides were reversed (was added in 4.2.0).
+
+Future versions:
+* We intend to change the default plaintext oper policy from 'warn' to 'deny'
+  in the year 2019. This will deny /OPER when used from a non-SSL connection.
+  For security, IRC Operators should really use SSL/TLS!
+
+==[ CHANGES BETWEEN 4.0.18 AND 4.2.0 ]==
+
+There have been so many changes in this and the last few 4.0.x versions,
+it justifies calling this new release "UnrealIRCd 4.2.0".
+
+Marking the beginning of the 4.2 series, this release introduces features
+such as "soft klines" and "soft actions". A significant number of optional
+modules are now loaded as default, including timed channel bans and
+textbans. Also, a lot more smaller changes are included in this release,
+such as fixes for TLSv1.3 and experimental WHOX support.
+See further down for a full list of changes.
+
+NOTE: Version 4.2.0 is the direct successor to 4.0.18. There will be
+      no further 4.0.x releases (in particular there will be no 4.0.19).
+      https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
+
+Enhancements:
+* New option to disable a module: blacklist-module "modulename";
+  This will cause any 'loadmodule' lines for that module to be ignored.
+  This is especially useful if you only want to disable a few modules
+  that are (normally) automatically loaded by conf/modules.default.conf.
+  https://www.unrealircd.org/docs/Blacklist-module_directive
+* Next three new features have to do with SASL. More information on SASL
+  in general can be found at https://www.unrealircd.org/docs/SASL
+* A new require sasl { } block which allows you to force users on the
+  specified hostmask to use SASL. Any unauthenticated users matching
+  the specified hostmask are are rejected.
+  See https://www.unrealircd.org/docs/Require_sasl_block
+* New "soft kline" and "soft gline". These will not be applied to users
+  that are authenticated to services using SASL.
+  These are just GLINE/KLINE's but prefixed with a percent sign:
+  Example: /GLINE %*@10.* 0 Only SASL allowed from here
+* New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
+  Actions such as "soft-kline" and "soft-kill" will only be applied to
+  unauthenticated users. Users who are authenticated to services (SASL)
+  are exempt from the corresponding spamfilter/blacklist/antirandom/..
+  See https://www.unrealircd.org/docs/Actions for the full action list.
+* WARNING: If your network also contains UnrealIRCd servers below v4.2.0
+  then it is not recommended to use global soft bans (such as soft gline
+  or any spamfilter with soft-xx actions). There won't be havoc, but the
+  bans won't be effective on parts of the network.
+* The following extban modules are not new but are now enabled by default:
+  extbans/textban, extbans/timedban and extbans/msgbypass.
+  In case you don't like them, use blacklist-module as mentioned earlier.
+  Just as a reminder, they provide the following functionality:
+  * TextBan: +b ~T:block:*badword* to block sentences with 'badword'
+  * Timed bans: ~t:duration:mask
+    These are bans that are automatically removed by the server.
+    The duration is in minutes and the mask can be any ban mask.
+    Some examples:
+    * A 5 minute ban on a host:
+      +b ~t:5:*!*@host
+    * A 5 minute quiet ban on a host (unable to speak):
+      +b ~t:5:~q:*!*@host
+    * An invite exception for 24 hours (1440 minutes):
+      +I ~t:1440:*!*@host
+    * A temporary exempt ban for a services account:
+      +e ~t:1440:~a:Account
+    * Allows someone to speak through +m for the next 24hrs:
+      +e ~t:1440:~m:moderated:*!*@host
+    * And any other crazy ideas you can come up with...
+  * Ban exception ~m:type:mask to allow bypassing of message restrictions.
+    Valid types are: 'external' (bypass +n), moderated (bypass +m/+M),
+    'censor' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
+    Some examples:
+    * Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
+    * Let ops in #otherchan bypass +m: +e ~m:moderated:~c:@#otherchan
+    * Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
+    * Allow a services account to use color: +e ~m:color:~a:ColorBot
+  * Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
+* AntiRandom: The module will now (by default) exempt WEBIRC gateways
+  from antirandom checking because they frequently cause false positives.
+  This new behavior can be disabled via:
+  set { antirandom { except-webirc no; }; };
+* Server linking attempts and errors are now also put in the log file.
+* A new module that provides WHOX support, an enhanced and more standard
+  version of WHO (NOTE: the command is still "WHO").
+  This allows, among other things, the client to request additional
+  information, such as which services account each channel member is using.
+  The module is currently experimental. To use it, add this to your conf:
+  loadmodule "m_whox";
+
+Major issues fixed:
+* Blacklist: Potential crash issue when concurrently checking DNSBL
+  for the WEBIRC gateway and the spoofed host.
+* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists
+  were not always checked properly.
+
+Minor issues fixed:
+* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18
+  (and possibly other Linux distributions as well)
+* Timeouts during server linking attempts were not displayed.
+* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
+* IRCOps with minimal privileges lost their user modes on MODE change.
+* IRCOps could not override channel mode +z (when not using SSL/TLS)
+* Channel names sometimes truncated if using accents or special chars.
+* TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior.
+  There is now set::ssl::ciphersuites, specifically for TLSv1.3.
+  Note that the default is perfectly fine so at this point in time it
+  shouldn't need any adjustment (but the option is there...).
+* Windows: conf\modules.optional.conf was missing.
+
+Removed:
+* allow::options::sasl has been removed. Use the new and more flexible
+  require sasl { } block instead.
+
+Other changes:
+* Windows users may be prompted to install the Visual C++ redistributable
+  package for Visual Studio 2017. This is because we now build on VS 2017
+  instead of VS 2012.
+* We now use standard formatted messages for all K-Lines, G-Lines and
+  any other bans that will cause the user to be disconnected.
+  For technical details see the banned_client() function.
+* The except throttle { } block now also overrides any limitations from
+  set::max-unknown-connection-per-ip. Useful for WEBIRC/cgiirc gateways.
+* Localhost connections are considered secure, so these can be used even
+  if you have a plaintext-policy of 'deny' or 'warn'. (This was already
+  the case for servers, but now also for users and opers)
+* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)
+
+Module coders:
+* Windows: Be aware that we now build with Visual Studio 2017. This means
+  3rd party modules should be compiled with VS 2017 (or VS 2015) as well.
+
+Future versions:
+* We intend to change the default plaintext oper policy from 'warn' to 'deny'
+  later this year. This will deny /OPER when used from a non-SSL connection.
+  For security, IRC Operators should really use SSL/TLS!
+
 ==[ CHANGES BETWEEN 4.0.17 AND 4.0.18 ]==
 
 Enhancements:

doc/conf/examples/example.conf

@@ -1,4 +1,4 @@
-/* Configuration file for UnrealIRCd 4.0
+/* Configuration file for UnrealIRCd 4
  *
  * Simply copy this file to your conf/ directory, call it
  * 'unrealircd.conf' and walk through it line by line (edit it!)
@@ -42,12 +42,13 @@ include "modules.default.conf";
  * - help/help.conf for our on-IRC /HELPOP system
  * - badwords.conf for channel and user mode +G
  * - spamfilter.conf as an example for spamfilter usage
+ *   (commented out)
  * - operclass.default.conf contains some good operclasses which
  *   you can use in your oper blocks.
  */
 include "help/help.conf";
 include "badwords.conf";
-include "spamfilter.conf";
+//include "spamfilter.conf";
 include "operclass.default.conf";
 
 /* This is the me { } block which basically says who we are.
@@ -103,7 +104,7 @@ class servers
 	pingfreq 60;
 	connfreq 15; /* try to connect every 15 seconds */
 	maxclients 10; /* max servers */
-	sendq 5M;
+	sendq 20M;
 };
 
 /* Allow blocks define which clients may connect to this server.
@@ -375,6 +376,51 @@ vhost {
 	password "test";
 };
 
+/* Blacklist blocks will query an external DNS Blacklist service
+ * whenever a user connects, to see if the IP address is known
+ * to cause drone attacks, is a known hacked machine, etc.
+ * Documentation: https://www.unrealircd.org/docs/Blacklist_block
+ * Or just have a look at the blocks below.
+ */
+
+/* DroneBL, probably the most popular blacklist used by IRC Servers.
+ * See https://dronebl.org/ for their documentation and the
+ * meaning of the reply types. At time of writing we use types:
+ * 3: IRC Drone, 5: Bottler, 6: Unknown spambot or drone,
+ * 7: DDoS Drone, 8: SOCKS Proxy, 9: HTTP Proxy, 10: ProxyChain,
+ * 11: Web Page Proxy, 12: Open DNS Resolver, 13: Brute force attackers,
+ * 14: Open Wingate Proxy, 15: Compromised router / gateway,
+ * 16: Autorooting worms.
+ */
+blacklist dronebl {
+        dns {
+                name dnsbl.dronebl.org;
+                type record;
+                reply { 3; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; };
+        };
+        action gline;
+        ban-time 24h;
+        reason "Proxy/Drone detected. Check https://dronebl.org/lookup?ip=$ip for details.";
+};
+
+/* EFnetRBL, see https://rbl.efnetrbl.org/ for documentation
+ * and the meaning of the reply types.
+ * At time of writing: 1 is open proxy, 4 is TOR, 5 is drones/flooding.
+ *
+ * NOTE: If you want to permit TOR proxies on your server, then
+ *       you need to remove the '4;' below in the reply section.
+ */
+blacklist efnetrbl {
+        dns {
+                name rbl.efnetrbl.org;
+                type record;
+                reply { 1; 4; 5; };
+        };
+        action gline;
+        ban-time 24h;
+        reason "Proxy/Drone/TOR detected. Check http://rbl.efnetrbl.org/?i=$ip for details.";
+};
+
 /* You can include other configuration files */
 /* include "klines.conf"; */
 

doc/conf/examples/example.fr.conf

@@ -1,4 +1,4 @@
-/* Fichier de configuration pour UnrealIRCd 4.0
+/* Fichier de configuration pour UnrealIRCd 4
  *
  * Copiez ce fichier dans le répertoire conf/, renommez le
  * 'unrealircd.conf' et parcourez-le ligne par ligne (modifiez le !)
@@ -49,7 +49,7 @@ include "modules.default.conf";
  */
 include "help/help.conf";
 include "badwords.conf";
-include "spamfilter.conf";
+//include "spamfilter.conf";
 include "operclass.default.conf";
 
 /* Le bloc me { } indique qui est le serveur.

doc/conf/examples/example.tr.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 için yapılandırma dosyası
+/* UnrealIRCd 4 için yapılandırma dosyası
  * Türkçe Çeviri: Diablo - (Serkan Sepetçi)
  * İletişim: irc.trirc.com:6667 - diablo@unrealircd.org
  *
@@ -49,7 +49,7 @@ include "modules.default.conf";
  */
 include "help/help.conf";
 include "badwords.conf";
-include "spamfilter.conf";
+//include "spamfilter.conf";
 include "operclass.default.conf";
 
 /* me { } bloğu genelde kim olduğumuzu belirtir.
@@ -377,6 +377,51 @@ vhost {
 	password "test";
 };
 
+/* Blacklist blokları, bir kullanıcı bağlandığında IP adresinin drone saldırılarına
+ * neden olduğunu, bilinen bir saldırıya uğramış bir makine olup olmadığını görmek
+ * için harici bir DNS Kara Liste hizmetinden sorgulayacaktır.
+ * Belgeleme: https://www.unrealircd.org/docs/Blacklist_block
+ * veya aşağıdaki bloklar satırına bakınız.
+ */
+
+/* DroneBL, muhtemelen IRC Sunucuları tarafından kullanılan en popüler kara liste.
+ * Belgeler ve cevap (reply) tiplerin anlamlarını görmek için https://dronebl.org/
+ * adresine bakınız. Bu zamanda aşağıdaki cevap (reply) tiplerini kullanıyoruz:
+ * 3: IRC Drone, 5: Bottler, 6: Unknown spambot or drone,
+ * 7: DDoS Drone, 8: SOCKS Proxy, 9: HTTP Proxy, 10: ProxyChain,
+ * 11: Web Page Proxy, 12: Open DNS Resolver, 13: Brute force attackers,
+ * 14: Open Wingate Proxy, 15: Compromised router / gateway,
+ * 16: Autorooting worms.
+ */
+blacklist dronebl {
+        dns {
+                name dnsbl.dronebl.org;
+                type record;
+                reply { 3; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; };
+        };
+        action gline;
+        ban-time 24h;
+        reason "Proxy/Drone belirlendi. Ayrıntılar için https://dronebl.org/lookup?ip=$ip adresine bakınız.";
+};
+
+/* EFnetRBL, belgeler ve cevap (reply) tiplerini görmek için https://rbl.efnetrbl.org/
+ * adresine bakınız.
+ * Yazma sırasında: 1 is open proxy, 4 is TOR, 5 is drones/flooding.
+ *
+ * NOT: Sunucunuzda TOR proxy'lerine izin vermek istiyorsanız,
+ *       cevap (reply) tiplerinden '4;' öğesini kaldırmanız gerekiyor.
+ */
+blacklist efnetrbl {
+        dns {
+                name rbl.efnetrbl.org;
+                type record;
+                reply { 1; 4; 5; };
+        };
+        action gline;
+        ban-time 24h;
+        reason "Proxy/Drone/TOR belirlendi.  Ayrıntılar için http://rbl.efnetrbl.org/?i=$ip adresine bakınız.";
+};
+
 /* Diğer yapılandırma dosyalarını dahil edebilirsiniz */
 /* include "klines.conf"; */
 

doc/conf/help/help.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Help Configuration
+/* UnrealIRCd 4 Help Configuration
  * Based on the original help text written by hAtbLaDe
  * Revised by CC (07/2002) and many others
  */
@@ -13,7 +13,7 @@ help {
 	" -";
 	" /HELPOP USERCMDS - To get the list of User Commands";
 	" /HELPOP OPERCMDS - To get the list of Oper Commands";
-	" /HELPOP SVSCMDS  - Commands sent via U:Lined Server (Services)";
+	" /HELPOP SVSCMDS  - Commands sent via U-Lined Server (Services)";
 	" /HELPOP UMODES   - To get the list of User Modes";
 	" /HELPOP SNOMASKS - To get a list of Snomasks";
 	" /HELPOP CHMODES  - To get the list of Channel Modes";
@@ -68,7 +68,7 @@ help Opercmds {
 
 help Svscmds {
 	" This section gives the commands that can be";
-	" sent via a U:Lined Server such as Services.";
+	" sent via a U-Lined Server such as Services.";
 	" The command is typically sent as:";
 	" /MSG OPERSERV RAW :services <command>";
 	" Use /HELPOP <command name> to get more information about";
@@ -92,7 +92,7 @@ help Umodes {
 	" d = Only receive channel PRIVMSGs starting with a bot command character (Deaf)";
 	" i = Invisible (Not shown in /WHO searches)";
 	" p = Hide all channels in /whois and /who";
-	" q = Only U:lines can kick you (Services Admins/Net Admins only)";
+	" q = Only U-Lines can kick you (Services Admins/Net Admins only)";
 	" r = Identifies the nick as being Registered (settable by services only)";
 	" s = Can listen to Server notices";
 	" t = Says that you are using a /VHOST";
@@ -100,6 +100,7 @@ help Umodes {
 	" x = Gives the user Hidden Hostname (security)";
 	" z = Marks the client as being on a Secure Connection (SSL)";
 	" B = Marks you as being a Bot";
+	" D = Only receive PRIVMSGs from IRCOps, servers and services (privdeaf)";
 	" G = Filters out all Bad words in your messages with <censored>";
 	" H = Hide IRCop status in /WHO and /WHOIS. (IRC Operators only)";
 	" I = Hide an oper's idle time (in /whois output) from regular users.";
@@ -107,6 +108,7 @@ help Umodes {
 	" S = For Services only. (Protects them)";
 	" T = Prevents you from receiving CTCPs";
 	" W = Lets you see when people do a /WHOIS on you (IRC Operators only)";
+	" Z = Only receive/send PRIVMSGs from/to users using a Secure Connection (SSL)";
 	" ==---------------------------oOo---------------------------==";
 };
 
@@ -124,14 +126,14 @@ help Snomasks {
 	" c = View connects/disconnects on local server";
 	" e = View 'Eyes' server messages (OperOverride, /CHG* and /SET* usage, ..)";
 	" f = View flood alerts";
-	" F = View connects/disconnects on remote servers (except U-lines)";
+	" F = View connects/disconnects on remote servers (except U-Lines)";
 	" G = View TKL notices (Gline, GZline, Shun, etc)";
 	" j = View Junk notices (not recommended for normal use)";
 	" k = View KILL notices";
 	" n = View nick changes on local server";
 	" N = View nick changes on remote servers";
 	" o = View oper-up notices";
-	" q = View rejected nick changes due to Q:lines";
+	" q = View rejected nick changes due to Q-Lines";
 	" s = View general notices";
 	" S = View spamfilter matches";
 	" v = View usage of /VHOST command";
@@ -187,8 +189,15 @@ help Chmodes {
 
 help ExtBans {
 	" These bans let you ban based on things other than the traditional nick!user@host";
-	" mask. They also provide support for things like ``quieting'' users (on other IRCds";
-	" you might do +q <hostmask>, on UnrealIRCd use +b ~q:<hostmask>).";
+	" mask. These bans start with a tilde, followed by a letter denoting the extban type.";
+	" For example +b ~q:nick!user@host denotes a quiet extban.";
+	" -";
+	" The following ban type can be used in front of any (ext)ban:";
+	" ==-Type--------Name---------------------------Explanation-----------------------==";
+	"         |               | Timed bans are automatically unset by the server after  ";
+	"    ~t   |   timedban    | the specified number of minutes. For example:           ";
+	"         |               | +b ~t:3:*!*@hostname                                    ";
+	" ==------------------------------------------------------------------------------==";
 	" -";
 	" These bantypes specify which actions are affected by a ban:";
 	" ==-Type--------Name---------------------------Explanation-----------------------==";
@@ -206,6 +215,16 @@ help ExtBans {
 	"    ~j   |     join      | He may perform all other activities if he is already on ";
 	"         |               | the channel, such as speaking and changing his nick.    ";
 	"-----------------------------------------------------------------------------------";
+	"         |               | Bypass message restrictions. This extended ban is only  ";
+	"         |               | available as +e and not as +b. Syntax: +e ~m:type:mask. ";
+	"         |               | Valid types: 'external' (bypass +n), 'censor' (bypass +G),";
+	"         |               | 'moderated' (bypass +m/+M), 'color' (bypass +S/+c), and ";
+	"    ~m   |   msgbypass   | 'notice' (bypass +T). Some examples:                    ";
+	"         |               | +e ~m:moderated:*!*@192.168.*  Allow IP to bypass +m    ";
+	"         |               | +e ~m:external:*!*@192.168.*   Allow IP to bypass +n    ";
+	"         |               | +e ~m:color:~a:ColorBot        Allow account 'ColorBot' ";
+	"         |               |                                to bypass +c             ";
+	" ==------------------------------------------------------------------------------==";
 	" -";
 	" These bantypes introduce new criteria which can be used:";
 	" ==-Type--------Name---------------------------Explanation-----------------------==";
@@ -249,12 +268,16 @@ help ExtBans {
 	"    ~S   |    certfp     | (the one you see in /WHOIS). Mostly useful for safe     ";
 	"         |               | ban exceptions and invite exceptions.                   ";
 	"         |               | Example: +iI ~S:00112233445566778899aabbccddeeff..etc.. ";
+	"-----------------------------------------------------------------------------------";
+	"         |               | Channel-specific text filtering. Supports two actions:  ";
+	"    ~T   |    textban    |  'censor' and 'block'. Two examples:                    ";
+	"         |               | +b ~T:censor:*badword* and +b ~T:block:*something*      ";
 	" ==------------------------------------------------------------------------------==";
 	" -";
-	"You may stack extended bans from the first group with the second group.";
-	"For example +b ~q:~c:#lamers would quiet all users who have joined #lamers.";
-	"Bans from the second group may also be used for invite exceptions (+I),";
-	"such as +I ~c:#trusted and +I ~a:accountname.";
+	"You may stack extended bans from the 2nd group with the 3rd group.";
+	"For example +b ~q:~c:#lamers would quiet all users who are also in #lamers.";
+	"Bans from the 3rd group may also be used for invite exceptions (+I),";
+	"such as +I ~c:@#trusted and +I ~a:accountname.";
 };
 
 help Chmodef {
@@ -345,6 +368,7 @@ help Who {
 	" H - User is not /away (here)";
 	" r - User is using a registered nickname";
 	" B - User is a bot (+B)";
+	" s - User is securely connected (SSL/TLS)";
 	" * - User is an IRC Operator";
 	" ~ - User is a Channel Owner (+q)";
 	" & - User is a Channel Admin (+a)";
@@ -503,7 +527,7 @@ help Stats {
 
 help Links {
 	" Lists all of the servers currently linked to the network.";
-	" Only IRCops can see linked U:lined servers.";
+	" Only IRCops can see linked U-Lined servers.";
 	" -";
 	" Syntax: LINKS";
 };
@@ -743,14 +767,14 @@ help Locops {
 	" Sends a message to all IRCops at this server (local).";
 	" -";
 	" Syntax:  LOCOPS <message>";
-	" Example: LOCOPS Gonna k:line that user ...";
+	" Example: LOCOPS Gonna K-Line that user ...";
 };
 
 help Globops {
 	" Sends a message to all ircops (global).";
 	" -";
 	" Syntax:  GLOBOPS <message>";
-	" Example: GLOBOPS Gonna k:line that user ...";
+	" Example: GLOBOPS Gonna K-Line that user ...";
 };
 
 help Kill {
@@ -762,49 +786,69 @@ help Kill {
 };
 
 help Kline {
-	" This command provides timed K:Lines. If you match a K:Line you cannot";
+	" This command provides timed K-Lines. If you match a K-Line you cannot";
 	" connect to the server";
 	" A time of 0 in the KLINE makes it permanent (Never Expires).";
 	" You may also specify the time in the format 1d10h15m30s.";
 	" IRC Operator only command.";
 	" -";
-	" Syntax:  KLINE <hostmask or nick> [time] <reason> (adds a Kline)";
-	"          KLINE -<hostmask> (removes a Kline)";
-	" Example: KLINE *@*.aol.com Abuse (Adds a permanent K:line)";
-	"          KLINE *@*.someisp.com 2d Abuse (Adds a K:line for 2 days)";
+	" Syntax:  KLINE <hostmask or nick> [time] <reason> (adds a K-Line)";
+	"          KLINE -<hostmask> (removes a K-Line)";
+	" Example: KLINE *@*.aol.com Abuse (Adds a permanent K-Line)";
+	"          KLINE *@*.someisp.com 2d Abuse (Adds a K-Line for 2 days)";
 	"          KLINE Idiot 1d Please go away";
 	"          KLINE -*@*.aol.com";
+	" -";
+	" Soft actions (more info at https://www.unrealircd.org/docs/Actions)";
+	" Syntax:  KLINE %<hostmask or nick> [time] <reason> (adds a soft K-Line)";
+	"          KLINE -%<hostmask> (removes a soft K-Line)";
+	" Example: KLINE %*@*.aol.com Abuse (Adds a permanent soft K-Line)";
+	"          KLINE %*@*.someisp.com 2d Abuse (Adds a soft K-Line for 2 days)";
+	"          KLINE %Idiot 1d Please go away";
+	"          KLINE -%*@*.aol.com";
 };
 
 help Zline {
-	" This command provides timed Z:Lines. If you match a Z:Line you cannot";
+	" This command provides timed Z-Lines. If you match a Z-Line you cannot";
 	" connect to the server";
 	" A time of 0 in the ZLINE makes it permanent (Never Expires).";
 	" You may also specify the time in the format 1d10h15m30s.";
 	" IRC Operator only command.";
 	" -";
-	" Syntax:  ZLINE <*@ipmask> [time] <reason> (adds a Zline)";
-	"          ZLINE -<*@ipmask> (removes a Zline)";
-	" Example: ZLINE *@127.0.0.1 Abuse (Adds a permanent Z:line)";
-	"          ZLINE *@127.0.0.1 2d Abuse (Adds a Z:line for 2 days)";
+	" Syntax:  ZLINE <*@ipmask> [time] <reason> (adds a Z-Line)";
+	"          ZLINE -<*@ipmask> (removes a Z-Line)";
+	" Example: ZLINE *@127.0.0.1 Abuse (Adds a permanent Z-Line)";
+	"          ZLINE *@127.0.0.1 2d Abuse (Adds a Z-Line for 2 days)";
 	"          ZLINE -*@127.0.0.1";
 	" NOTE: requires the can_zline oper flag";
 };
 
 help Gline {
-	" This command provides timed G:Lines. If you match a G:Line you cannot";
+	" This command provides timed G-Lines. If you match a G-Line you cannot";
 	" connect to ANY server on the IRC network";
 	" A time of 0 in the GLINE makes it permanent (Never Expires).";
 	" You may also specify the time in the format 1d10h15m30s.";
 	" IRC Operator only command.";
 	" -";
 	" Syntax:  GLINE <user@host mask or nick> [time] <reason>";
-	"  (Adds a G:line for user@host)";
-	"          GLINE -<user@host mask> (Removes a G:line for user@host)";
-	" Example: GLINE *@*.idiot.net 900 Spammers (Adds a 15 min G:line)";
-	"          GLINE *@*.idiot.net 1d5h Spammers (Adds a 29 hour G:line)";
+	"  (Adds a G-Line for user@host)";
+	"          GLINE -<user@host mask> (Removes a G-Line for user@host)";
+	" Example: GLINE *@*.idiot.net 900 Spammers (Adds a 15 min G-Line)";
+	"          GLINE *@*.idiot.net 1d5h Spammers (Adds a 29 hour G-Line)";
 	"          GLINE Idiot 1d Abuse";
 	"          GLINE -*@*.idiot.net";
+	" -";
+	" Soft Actions (More info at https://www.unrealircd.org/docs/Actions)";
+	" -";
+	" Syntax:  GLINE %<user@host mask or nick> [time] <reason>";
+	"  (Adds a G-Line for user@host, but still allows the connection if the";
+	"  user has a registered account and identifies using SASL)";
+	"          GLINE -%<user@host mask> (Removes a soft G-Line for user@host)";
+	" Example: GLINE %*@*.idiot.net 900 Spammers (Adds a 15 min soft G-Line)";
+	"          GLINE %*@*.idiot.net 1d5h Spammers (Adds a 29 hour soft G-Line)";
+	"          GLINE %Idiot 1d Abuse";
+	"          GLINE -%*@*.idiot.net";
+	" -";
 	" NOTE: requires the can_gkline oper flag";
 };
 
@@ -827,17 +871,17 @@ help Shun {
 };
 
 help Gzline {
-	" This command provides timed global Z:line. If you match a Global Z:Line you cannot";
+	" This command provides timed global Z-Line. If you match a Global Z-Line you cannot";
 	" connect to ANY server on the IRC network";
 	" A time of 0 in the GZLINE makes it permanent (Never Expires).";
 	" You may also specify the time in the format 1d10h15m30s.";
 	" IRC Operator only command.";
 	" -";
 	" Syntax:  GZLINE <*@ipmask> <seconds to be banned> :<reason>";
-	"  (Adds a Global Z:line for *@ipmask)";
-	"          GZLINE -<*@ipmask> (Removes a Global Z:line for *@ipmask)";
-	" Example: GZLINE *@4.16.200.* 900 Spammers (Adds a 15 min Global Z:line)";
-	"          GZLINE *@4.16.200.* 1d5h Spammers (Adds a 29 hour Global Z:line)";
+	"  (Adds a Global Z-Line for *@ipmask)";
+	"          GZLINE -<*@ipmask> (Removes a Global Z-Line for *@ipmask)";
+	" Example: GZLINE *@4.16.200.* 900 Spammers (Adds a 15 min Global Z-Line)";
+	"          GZLINE *@4.16.200.* 1d5h Spammers (Adds a 29 hour Global Z-Line)";
 	" NOTE: requires the can_gzline oper flag";
 };
 
@@ -1021,16 +1065,14 @@ help Sdesc {
 };
 
 help Mkpasswd {
-	" This command will return a 'hash' of the string that has been specified,";
-	" you can use this hash for any encrypted passwords in your configuration file:";
-	" eg: for oper::password, vhost::password, etc.";
-	" Available types (in order of 'secureness'):";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: only available if compiled with SSL support]";
+	" This command will return a 'hash' of the string that has been specified.";
+	" You can use this hash for any encrypted passwords in your configuration";
+	" file, such as for oper::password, vhost::password, etc.";
+	" See https://www.unrealircd.org/docs/Authentication_types for a list of";
+	" types and general recommendations.";
 	" -";
 	" Syntax:  MKPASSWD <method> <password>";
-	" Example: MKPASSWD md5 IamTeh1337";
+	" Example: MKPASSWD argon2 IamTeh1337";
 };
 
 help Module {
@@ -1075,7 +1117,7 @@ help Tsctl {
 
 help Svsnick {
 	" Changes the nickname of the user in question.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSNICK <nickname> <new nickname> <timestamp>";
 	" Example: SVSNICK hAtbLaDe Foobar 963086432";
@@ -1083,7 +1125,7 @@ help Svsnick {
 
 help Svsmode {
 	" Changes the mode of the User in question.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSMODE <nickname> <usermode>";
 	" Example: SVSMODE hAtbLaDe +i";
@@ -1091,7 +1133,7 @@ help Svsmode {
 
 help Svskill {
 	" Forcefully disconnects a user from the network.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSKILL <user> :<reason>";
 	" Example: SVSKILL Lamer21 :Goodbye";
@@ -1100,7 +1142,7 @@ help Svskill {
 help Svsnoop {
 	" Enables or disables whether IRCop functions";
 	" exist on the server in question or not.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSNOOP <server> <+/->";
 	" Example: SVSNOOP leaf.server.net -";
@@ -1108,7 +1150,7 @@ help Svsnoop {
 
 help Svsjoin {
 	" Forces a user to join a channel.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSJOIN <nick> <channel>[,<channel2>..] [key1[,key2[..]]]";
 	" Example: SVSJOIN hAtbLaDe #jail";
@@ -1117,7 +1159,7 @@ help Svsjoin {
 
 help Svspart {
 	" Forces a user to leave a channel.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSPART <nick> <channel>[,<channel2>..] [<comment>]";
 	" Example: SVSPART hAtbLaDe #Hanson";
@@ -1126,18 +1168,18 @@ help Svspart {
 };
 
 help Svso {
-	" Gives nick Operflags like the ones in O:lines.";
+	" Gives nick Operflags like the ones in O-Lines.";
 	" Remember to set SVSMODE +o and alike.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSO <nick> <+operflags> (Adds the Operflags)";
-	"          SVSO <nick> - (Removes all O:Line flags)";
+	"          SVSO <nick> - (Removes all O-Line flags)";
 	" Example: SVSO SomeNick +bBkK";
 };
 
 help Swhois {
 	" Changes the WHOIS message of the Nickname.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SWHOIS <nick> :<message> (Sets the SWHOIS)";
 	"          SWHOIS <nick> :  (Resets the SWHOIS)";
@@ -1146,7 +1188,7 @@ help Swhois {
 
 help Sqline {
 	" Bans a Nickname or a certain Nickname mask from the Server.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SQLINE <nickmask> :<Reason>";
 	" Example: SQLINE *Bot* :No bots";
@@ -1154,7 +1196,7 @@ help Sqline {
 
 help Unsqline {
 	" Un-Bans a Nickname or Nickname mask";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Synax:  UNSQLINE <nickmask>";
 	" Example: UNSQLINE *Bot*";
@@ -1163,7 +1205,7 @@ help Unsqline {
 help Svs2mode {
 	" Changes the Usermode of a nickname and displays";
 	" the change to the user.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVS2MODE <nickname> <usermodes>";
 	" Example: SVS2MODE hAtbLaDe +h";
@@ -1171,7 +1213,7 @@ help Svs2mode {
 
 help Svsfline {
 	" Adds the given Filename mask to DCCDENY";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax: :server SVSFLINE + file :reason (Add the filename)";
 	"         :server SVSFLINE - file (Deletes the filename)";
@@ -1180,7 +1222,7 @@ help Svsfline {
 
 help Svsmotd {
 	"Changes the Services Message Of The Day";
-	"Must be sent through an U:Lined server.";
+	"Must be sent through an U-Lined server.";
 	"Syntax:  SVSMOTD # :<text> (Adds to Services MOTD)";
 	"         SVSMOTD !         (Deletes the MOTD)";
 	"         SVSMOTD ! :<text> (Deletes and Adds text)";
@@ -1189,7 +1231,7 @@ help Svsmotd {
 
 help Svsnline {
 	" Adds a global realname ban.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" The reason must be a single parameter therefore";
 	" spaces are indicated by _, Unreal will internally";
 	" translate these to spaces.";
@@ -1204,7 +1246,7 @@ help Svslusers {
 	" Changes the global and/or local maximum user count";
 	" for a server. If -1 is specified for either of the";
 	" values, the current value is kept.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSLUSERS <server> <globalmax|-1> <localmax|-1>";
 	" Example: SVSLUSERS irc.test.com -1 200";
@@ -1212,14 +1254,14 @@ help Svslusers {
 
 help Svswatch {
 	" Changes the WATCH list of a user.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" Syntax: SVSWATCH <nick> :<watch parameters>";
 	" Example: SVSWATCH Blah :+Blih!*@* +Bluh!*@* +Bleh!*@*.com";
 };
 
 help Svssilence {
 	" Changes the SILENCE list of a user.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" In contrast to the SILENCE command, you can add/remove";
 	" multiple entries in one line.";
 	" Syntax: SVSSILENCE <nick> :<silence parameters>";
@@ -1228,7 +1270,7 @@ help Svssilence {
 
 help Svssno {
 	" Changes the snomask of the User in question.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVSSNO <nickname> <snomasks>";
 	" Example: SVSSNO joe +Gc";
@@ -1237,7 +1279,7 @@ help Svssno {
 help Svs2sno {
 	" Changes the snomask of a nickname and displays";
 	" the change to the user.";
-	" Must be sent through an U:Lined server.";
+	" Must be sent through an U-Lined server.";
 	" -";
 	" Syntax:  SVS2SNO <nickname> <snomasks>";
 	" Example: SVS2SNO joe +Gc";
@@ -1245,7 +1287,7 @@ help Svs2sno {
 
 help Svsnolag {
         " Enable 'no fake lag' for a user.";
-        " Must be sent through an U:Lined server.";
+        " Must be sent through an U-Lined server.";
         " -";
         " Syntax:  SVSNOLAG [+|-] <nickname>";
         " Example: SVSNOLAG + joe";
@@ -1253,7 +1295,7 @@ help Svsnolag {
 
 help Svs2nolag {
         " Enable 'no fake lag' for a user.";
-        " Must be sent through an U:Lined server.";
+        " Must be sent through an U-Lined server.";
         " -";
         " Syntax:  SVS2NOLAG [+|-] <nickname>";
         " Example: SVS2NOLAG + joe";

doc/conf/help/help.de.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Help Configuration
+/* UnrealIRCd 4 Help Configuration
  * Based on the original help text written by hAtbLaDe
  * Revised by CC (07/2002) and many others
  *
@@ -1090,13 +1090,11 @@ help Mkpasswd {
 	" Dieser Befehl verschlüsselt den übergebenen String und liefert einen 'hash' zurück.";
 	" Diesen 'hash' kann man für jegliche verschlüsselten Passworte in die conf Datei einbauen";
 	" wie z.B. bei oper::passwort, vhost::passwort etc.";
-	" Mögliche Typen (in der Reihenfolge ihrer Sicherheit) sind:";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: nur verfügbar, wenn mit SSL Unterstützung compiliert wurde]";
+	" Weitere Informationen und mögliche Typen:";
+	" https://www.unrealircd.org/docs/Authentication_types";
 	" -";
 	" Syntax:  MKPASSWD <method> <password>";
-	" Beispiel: MKPASSWD md5 IamTeh1337";
+	" Beispiel: MKPASSWD argon2 IamTeh1337";
 };
 
 help Module {

doc/conf/help/help.fr.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Help Configuration
+/* UnrealIRCd 4 Help Configuration
  * Basé sur l'aide originale écrite par hAtbLaDe
  * Révisé par CC (07/2002)
  * Ancien traducteur français : babass
@@ -1091,13 +1091,11 @@ help Mkpasswd {
 	" vous pouvez utiliser ce hash pour n'importe quel mot de passe chiffré dans"; 
 	" votre fichier de configuration :";
 	" Ex : pour oper::password, vhost::password, etc.";
-	" Types disponibles (dans l'ordre de sureté) :";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: disponible uniquement si compilé avec le support du SSL]";
+	" Pour plus d'informations et types disponibles, consultez la page:";
+	" https://www.unrealircd.org/docs/Authentication_types";
 	" -";
 	" Syntaxe : MKPASSWD <méthode> <mot de passe>";
-	" Exemple : MKPASSWD md5 IamTeh1337";
+	" Exemple : MKPASSWD argon2 IamTeh1337";
 };
 
 help Module {

doc/conf/help/help.it.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Help Configuration
+/* UnrealIRCd 4 Help Configuration
  * Based on the original help text written by hAtbLaDe
  * Revised by CC (07/2002) and many others
  *
@@ -1018,13 +1018,11 @@ help Mkpasswd {
 	" Restituisce un 'hash' della stringa specificata.";
 	" Può essere utilizzato per ogni password criptata da inserire nel file di configurazione,";
 	" ad esempio come password per gli oper o per i vhost.";
-	" Metodi disponibili (in ordine di sicurezza):";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: disponibile solo se compilato con supporto SSL]";
+	" Per ulteriori informazioni e metodi disponibili, consultare:";
+	" https://www.unrealircd.org/docs/Authentication_types";
 	" -";
 	" Sintassi:  MKPASSWD <metodo> <password>";
-	" Esempio: MKPASSWD md5 LaMiaPassword";
+	" Esempio: MKPASSWD argon2 LaMiaPassword";
 };
 
 help Module {

doc/conf/help/help.ru.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Help Configuration
+/* UnrealIRCd 4 Help Configuration
  * Based on the original help text written by hAtbLaDe
  * Revised by CC (07/2002)
  *
@@ -1187,13 +1187,11 @@ help Mkpasswd {
 	" Команда возвратит 'hash' указанной строки, который можно";
 	" в последствии использовать в конфигурационном файле в качестве пароля:";
 	" в oper::password, vhost::password, и т.д.";
-	" Доступные типы хешей (по возрастанию уровня безопасности):";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: доступно в случае, если сервер имеет поддержку SSL]";
+	" Дополнительную информацию и типы хешей:";
+	" https://www.unrealircd.org/docs/Authentication_types";
 	" -";
 	" Синтаксис:  MKPASSWD <метод> <пароль>";
-	" Пример:     MKPASSWD md5 IamTeh1337";
+	" Пример:     MKPASSWD argon2 IamTeh1337";
 };
 
 help Module {

doc/conf/help/help.tr.conf

@@ -1,4 +1,4 @@
-/* UnrealIRCd 4.0 Yardım Ayarları
+/* UnrealIRCd 4 Yardım Yapılandırması
 *
 * Orjinal yardım metnini yazan by hAtbLaDe
 * Gözden geçiren by CC (07/2002) ve diğerleri
@@ -83,7 +83,7 @@ help Svscmds {
 	" SVS2MODE        SVSLUSERS       SVSNOLAG    SVSSNO";
 	" SVS2SNO         SVSMODE         SVSNOOP     SVSWATCH";
 	" SVSFLINE        SVSMOTD         SVSO        SWHOIS";
-	" SVSFLINE        SVSMOTD         SVSPART     UNSQLINE";
+	" SVSJOIN         SVSNICK         SVSPART     UNSQLINE";
 	" ==-------------------------oOo-------------------------==";
 };
 
@@ -104,13 +104,15 @@ help Umodes {
 	" x = Gizlenmiş host kullandığınızı belirtir (Güvenlik)";
 	" z = Güvenli bağlantı (SSL) kullanıldığını belirtir";
 	" B = Bot statüsündeki kullanıcı";
+	" D = Sadece IRC Operator, sunucu ve servislerden PRIVMSG'ler alırsınız (privdeaf)";
 	" G = Badwords bloğunda belirtilen kötü kelimeler kullanıldığında sansürlenir.";
 	" H = IRCOp statüsüne sahipseniz /whois /who sorgusunda bu statünüz görünmez.(Sadece IRCop)";
-      " I = Bir IRCOp'un bota kalma sresini (/whois iinden) normal kullanclardan gizler.";
+	" I = Bir IRCOp'un bota kalma sresini (/whois iinden) normal kullanclardan gizler.";
 	" R = Sadece rumuzu kayitli (+r) olan kullanıcılardan mesaj almanızı sağlar";
 	" S = Servisler için koruma modu";
 	" T = CTCP metinlerinin size gönderimini engeller";
 	" W = Size /whois çekildiğinde whois çekeni görmenizi sağlar. (Sadece IRCOp statüsündeki kullanıcılar kullanabilir)";
+	" Z = Sadece güvenli bağlantı kullanan kullanıcılardan/kullanıcılara PRIVMSG'ler alın/gönderin (SSL)";
 	" ==---------------------------oOo---------------------------==";
 };
 
@@ -124,7 +126,7 @@ help Snomasks {
 	"-";
 	" Aşağıdaki mümkün snomaskların bir listesidir:";
 	" ==-------------------------oOo-----------------------==";
-      " b = blacklist uyarlarını görmenizi sağlar";
+	" b = blacklist uyarlarını görmenizi sağlar";
 	" c = Yerel serverdaki giriş/çıkışları gösterir.";
 	" e = /CHG* ve /SET* ile servislere gönderilen komutlari görmenizi sağlar";
 	" f = Flood saldırı uyarılarını gösterir.";
@@ -172,7 +174,7 @@ help Chmodes {
 	" N = Nick değişikliği yapılamayan bir kanal. [o]";
 	" O = Sadece IRCopların girebileceği bir kanal. (sadece IRCop'lar için)";
 	" p = Özel bir kanal olduğunu belirtir. [o]";
-      " P = Kalıcı kanal (kanal boş olduğunda bile yok olmaz) (IRCop'lar tarafından ayarlanabilir)";
+	" P = Kalıcı kanal (kanal boş olduğunda bile yok olmaz) (IRCop'lar tarafından ayarlanabilir)";
 	" Q = KICK Komutunun uygulanamayacağı bir kanal. [o]";
 	" r = Kayıt edilmiş bir kanal. (Sadece Servisler tarafından kullanılır.)";
 	" R = Sadece kayıtlı (+r) kullanıcıların girebileceği bir kanal. [o]";
@@ -191,40 +193,57 @@ help Chmodes {
 
 help ExtBans {
 	" Bu banlar, temel alınan geleneksel banlardan başka sana nick!user@host maskesi";
-	" olarak izin verir. Bu banlar hemde kullanıcılar için ``Quieting'' desteği sağlar.";
-	" (diğer IRCd'lerde +q <hostmask>, UnrealIRCd ise +b ~q:<hostmask> yapabilirsin).";
+	" olarak izin verir. Bu yasaklar bir sonla başlar, bunu extban tipini gösteren";
+	" bir harf ile izler. Örneğin +b ~q:nick!user@host sessiz extban anlamına gelir.";
 	" -";
 	" Bu ban tipleri, hangi hareketlerin bir ban ile etkilendiğini belirtir:";
 	" ==-Tip--------İsim-----------------------------Açıklama-------------------------==";
-	"         |               | Kullanıcı kanala girebilir fakat yazı yazamaz,       	";
-	"   ~q    |     quiet     | yazabilmesi için +v veya daha yükseği gerekmektedir. 	";
-	"         |               | Örnek:                                                 	";
+	"         |               | Zamanlanmış banlar, belirtilen dakika sayısından sonra  ";
+	"   ~t    |   timedban    | sunucu tarafından otomatik olarak silinir. Örneğin:     ";
+	"         |               | +b ~t:3:*!*@hostname                                    ";
+	" ==------------------------------------------------------------------------------==";
+	" -";
+	" Bu ban tipleri, hangi işlemlerin bir yasaktan etkilendiğini belirtir:";
+	" ==-Tip--------İsim---------------------------Açıklama-----------------------==";
+	"         |               | Bu yasaklarla eşleşen kişiler kanala girebilir ancak    ";
+	"    ~q   |     quiet     | veya daha yüksek olmadıkça konuşamazlar.                ";
+	"         |               | Örnek:                                                  ";
 	"         |               | +bb ~q:*!*@blah.blah.com ~q:nick*!*@*                   ";
 	"-----------------------------------------------------------------------------------";
-	"         |               | Kullanıcı nick değişemez, değiştirmesi için			";
-	"    ~n   |  nickchange   | +v veya daha yükseği gerekmektedir.                   	";
-	"         |               | Örnek:                                                 	";
+	"         |               | Kullanıcı nick değişemez, değiştirmesi için             ";
+	"    ~n   |  nickchange   | +v veya daha yükseği gerekmektedir.                     ";
+	"         |               | Örnek:                                                  ";
 	"         |               | +bb ~n:*!*@*.aol.com ~n:nick*!*@*                       ";
 	"-----------------------------------------------------------------------------------";
-	"         |               | Eğer bir kullanıcı banla eşleşiyorsa kanala giremez.	";
-	"    ~j   |     join      | Eğer kanal içerisinde ise tüm faaliyetleri yapabilir.	";
-	"         |               | Kanal içerisinde yazabilme ve nick değiştirme gibi.  	";
+	"         |               | Eğer bir kullanıcı banla eşleşiyorsa kanala giremez.    ";
+	"    ~j   |     join      | Eğer kanal içerisinde ise tüm faaliyetleri yapabilir.   ";
+	"         |               | Kanal içerisinde yazabilme ve nick değiştirme gibi.     ";
 	"-----------------------------------------------------------------------------------";
+	"         |               | Mesaj kısıtlamalarını atlar. Bu genişletilmiş ban sadece";
+	"         |               | +e ve +b olarak kullanılır. Kullanımı: +e ~m:tip:maske  ";
+	"         |               | Geçerli tipler: 'external' (bypass +n), 'censor' (bypass +G),";
+	"         |               | 'moderated' (bypass +m/+M), 'color' (bypass +S/+c), ve  ";
+	"    ~m   |   msgbypass   | 'notice' (bypass +T). Bazı örnekler:                    ";
+	"         |               | +e ~m:moderated:*!*@192.168.*  IP adresine izin verir +m";
+	"         |               | +e ~m:external:*!*@192.168.*   IP adresine izin verir +n";
+	"         |               | +e ~m:color:~a:ColorBot        'ColorBot' hesabının +c  ";
+	"         |               |                                atlamasına izin verir    ";
+	" ==------------------------------------------------------------------------------==";
 	" -";
 	" Bu ban tipleri kullanılabilen yeni kriterleri gösterir:";
 	" ==-Tip--------İsim------------------------------Açıklama------------------------==";
-      "         |               | Bir kullanıcı servislere bu hesap adıyla giriş yaptıysa ";
+	"         |               | Bir kullanıcı servislere bu hesap adıyla giriş yaptıysa ";
 	"         |               | bu yasak ile eşleşecektir.                              ";
-	"         |               | Bu ABC harfli bir kullanıcının XYZ hesab altında oturum	";
+	"         |               | Bu ABC harfli bir kullanıcının XYZ hesab altında oturum ";
 	"    ~a   |   account     | açabileceği anlamına gelir ~R'den biraz farklıdır.      ";
 	"         |               | Tüm servis paketleri bunu desteklemez, bu durumda bunun ";
-	"         |               | yerine ~R kullanmanız gerekecektir.                    	";
+	"         |               | yerine ~R kullanmanız gerekecektir.                     ";
 	"         |               | Örnek: +e ~a:Name                                       ";
 	"-----------------------------------------------------------------------------------";
 	"         |               | Kullanıcı bu kanaldaysa, diğer kanala giriş yapabilir   ";
-	"         |               | (+/%/@/&/~) şeklinde önekde belirtilebilir. kullancının	";
+	"         |               | (+/%/@/&/~) şeklinde önekde belirtilebilir. kullancının ";
 	"    ~c   |    channel    | yalnızca belirtilen kanalda bu haklara sahip veya daha  ";
-	"         |               | yüksek olması durumunda eşleceği anlamına gelir.      	";
+	"         |               | yüksek olması durumunda eşleceği anlamına gelir.        ";
 	"         |               | Örnek:  +b ~c:#lamers,    +e ~c:@#trusted               ";
 	"-----------------------------------------------------------------------------------";
 	"         |               | Kullanıcı bir IRCOp ise ve bir oper::operclass adıyla   ";
@@ -234,25 +253,29 @@ help ExtBans {
 	"         |               | Örnek: +iI ~O:*admin*                                   ";
 	"-----------------------------------------------------------------------------------";
 	"         |               | Kullanıcıların realnameleri eşleşiyorsa, diğer kanallara";
-	"         |               | giriş gerçekleştiremez.                    			";
-	"    ~r   |   realname    | Örnek: +b ~r:*Stupid_bot_script*                       	";
+	"         |               | giriş gerçekleştiremez.                                 ";
+	"    ~r   |   realname    | Örnek: +b ~r:*Stupid_bot_script*                        ";
 	"         |               | NOT: ('_') Karakteri (' ') karakterine denk gelir ve    ";
-	"         |               | dolayısı ile ('_') karekteri, bu ban                  	";
-	"         |               | 'Stupid bot script v1.4' ile eşleşir.           	      ";
+	"         |               | dolayısı ile ('_') karekteri, bu ban                    ";
+	"         |               | 'Stupid bot script v1.4' ile eşleşir.           	    ";
 	"-----------------------------------------------------------------------------------";
-	"         |               | Eğer bir kullanıcı kendini servislere tanıtmamışsa  	";
-	"         |               | (Genellikle NickServ) ve nicki eşleşiyorsa bu ban da  	";
-	"         |               | eşleşir. Yani bu ban çeşidi yalnıca ban yollarında	";
-	"    ~R   |   registered  | geçerlidir (+e). Örnek: +e ~R:Nick                    	";
-	"         |               | Nick veya rumuzlu kullanıcının diğer banlarına     	";
-	"         |               | bakılmaksızın eğer kendini NickServ'e tanıtmışsa 		";
-	"         |               | kanalda bulunmasına izin verir.                        	";
+	"         |               | Eğer bir kullanıcı kendini servislere tanıtmamışsa      ";
+	"         |               | (Genellikle NickServ) ve nicki eşleşiyorsa bu ban da    ";
+	"         |               | eşleşir. Yani bu ban çeşidi yalnıca ban yollarında	    ";
+	"    ~R   |   registered  | geçerlidir (+e). Örnek: +e ~R:Nick                      ";
+	"         |               | Nick veya rumuzlu kullanıcının diğer banlarına     	    ";
+	"         |               | bakılmaksızın eğer kendini NickServ'e tanıtmışsa 	    ";
+	"         |               | kanalda bulunmasına izin verir.                         ";
 	"-----------------------------------------------------------------------------------";
 	"         |               | Bir kullanıcı istemci sertifikasına sahip SSL/TLS       ";
 	"         |               | kullanıyorsa, kullanıcıyı SSL fingerprint iziyle        ";
 	"    ~S   |    certfp     | eşletirebilirsiniz (bunu /WHOIS içinde görürüsünüz).    ";
 	"         |               | Güvenli yasaklama istisnalar için çoğunlukla yararlıdır.";
-	"         |               | Örnek: +iI ~S:00112233445566778899aabbccddeeff..etc..  	";
+	"         |               | Örnek: +iI ~S:00112233445566778899aabbccddeeff..etc..   ";
+	"-----------------------------------------------------------------------------------";
+	"         |               | Kanal-özel metin filtreleme. İki eylemi destekler:      ";
+	"    ~T   |    textban    |  'censor' ve 'block'. İki örnek:                        ";
+	"         |               | +b ~T:censor:*Kötü kelime* ve +b ~T:block:*gibi bir şey*";
 	" ==------------------------------------------------------------------------------==";
 	" -";
 	" Sen 1. gruptan olan banları 2. bir grupa yönlendirebilirsin.";
@@ -325,7 +348,7 @@ help Who {
 	" Flag  a: Away olan kullanıcı";
 	" Flag  c <kanal>: kanal üzerindeki kullanıcıları listeler, wildcards kabul edilemez.";
 	" Flag  g <gcos/isim>: <gcos> içeren kullanıcıları listeler, wildcards kabul edilir. Sadece IRCop'lar için";
-    	" Sadece Oper'ler iin joker karakterler kabul edildi";
+	" Sadece Oper'ler iin joker karakterler kabul edildi";
 	" Flag  h <host>: <host> içeren kullanıcıları listeler, wildcards kabul edilir.";
 	" Flag  i <ip>: <ip> adresi içeren kullanıcıları listeler.";
 	" Flag  m <kullanıcı modeleri>: <kullanıcı modeleri> içeren kullanıcıları listeler, OPER olmayanlar.";
@@ -347,6 +370,7 @@ help Who {
 	" H - Kullanıcı /away (Burada)";
 	" r - Kullanıcı bir kayıtlı nicke sahip";
 	" B - Kullanıcı bir bot (+B)";
+	" s - Kullanıcı güvenli bir şekilde bağlandı (SSL/TLS)";
 	" * - Kullanıcı bir IRCOperator";
 	" ~ - Kullanıcı bir kanal sahibi (+q)";
 	" & - Kullanıcı bir kanal admini (+a)";
@@ -1025,12 +1049,10 @@ help Mkpasswd {
 	" Bu komut belirlenen bir hash komutu olarak geri döner.";
 	" hash ı şifrelenmiş parolalarınızda veya ayar dosyalarınızda kullanabilirsiniz:";
 	" Örn: oper::şifre, vhost::şifre, şeklinde.";
-	"    *NIX: crypt, md5, sha1 [*], ripemd160 [*]";
-	" Windows: crypt [*], md5, sha1, ripemd160 [*]";
-	" [*: Sadece, eğer SSL desteğiyle derlenirse müsait olur]";
+	" See https://www.unrealircd.org/docs/Authentication_types";
 	" -";
 	" Kullanımı: MKPASSWD <metod> <şifre>";
-	" Örnek: MKPASSWD md5 IamTeh1337";
+	" Örnek: MKPASSWD argon2 IamTeh1337";
 };
 
 help Module {

doc/conf/modules.default.conf

@@ -118,6 +118,7 @@ loadmodule "m_sjoin";
 loadmodule "m_sqline";
 loadmodule "m_swhois";
 loadmodule "m_umode2";
+loadmodule "m_sinfo";
 
 // Services commands
 // You could disable these if you don't use Services

doc/conf/modules.optional.conf

@@ -145,3 +145,115 @@ loadmodule "websocket";
 // This adds support for WHOX
 // This is currently experimental!
 loadmodule "m_whox";
+
+// This module will detect and stop spam containing of characters of
+// mixed "scripts", where (for example) some characters are in
+// Latin script and other characters are in Cyrillic script.
+loadmodule "antimixedutf8";
+set {
+	antimixedutf8 {
+		/* Take action at this 'score'.
+		 * 10 is a good and safe default.
+		 */
+		score 10;
+
+		/* Action to take, see:
+		 * https://www.unrealircd.org/docs/Actions
+		 */
+		ban-action block;
+
+		/* Block/kill/ban reason (sent to user) */
+		ban-reason "Possible mixed character spam";
+
+		/* Duration of ban (does not apply to block/kill) */
+		ban-time 4h; // For other types
+	};
+};
+
+// This provides an authentication prompt if a user is forced to
+// authenticate due to a 'require authentication' block or for
+// some other reason. It tells them to use SASL or type /AUTH user:pass
+// See also the following article for more general information:
+// https://www.unrealircd.org/docs/Authentication
+// NOTE: This feature is currently experimental.
+loadmodule "authprompt";
+set {
+	authentication-prompt {
+		/* Enabled or not? */
+		enabled yes;
+
+		message "The server requires clients from this IP address to authenticate with a registered nickname and password.";
+		message "Please reconnect using SASL, or authenticate now by typing: /QUOTE AUTH nick:password";
+		/* As you can see you can have multiple 'message' items.
+		 * It may be useful to refer to a webpage for more
+		 * information and/or where users can register their nick.
+		 */
+
+		//fail-message "Authentication failed";
+		/* Multiple fail-message lines are also supported */
+	};
+};
+// If you use the authprompt module then you may want to raise the
+// timeout in which users must complete the handshake.
+// By uncommenting the following, you can raise it from 30 to 60 seconds:
+// set { handshake-timeout 60s; };
+
+/*
+ * The following will configure connection throttling of "unknown users".
+ *
+ * When UnrealIRCd detects a high number of users connecting from IP addresses
+ * that have not been seen before, then connections from new IP's are rejected
+ * above the set rate. For example at 10:60 only 10 users per minute can connect
+ * that have not been seen before. Known IP addresses can always get in,
+ * regardless of the set rate. Same for users who login using SASL.
+ *
+ * See also https://www.unrealircd.org/docs/Connthrottle
+ * Or just keep reading the default configuration below:
+ */
+
+loadmodule "reputation";
+loadmodule "connthrottle";
+
+set {
+	connthrottle {
+		/* First we must configure what we call "known users".
+		 * By default these are users on IP addresses that have
+		 * a score of 24 or higher. A score of 24 means that the
+		 * IP was connected to this network for at least 2 hours
+		 * in the past month (or minimum 1 hour if registered).
+		 * The sasl-bypass option is another setting. It means
+		 * that users who authenticate to services via SASL
+		 * are considered known users as well.
+		 * Users in the "known-users" group (either by reputation
+		 * or by SASL) are always allowed in by this module.
+		 */
+		known-users {
+			minimum-reputation-score 24;
+			sasl-bypass yes;
+		};
+
+		/* New users are all users that do not belong in the
+		 * known-users group. They are considered "new" and in
+		 * case of a high number of such new users connecting
+		 * they are subject to connection rate limiting.
+		 * By default the rate is 20 new local users per minute
+		 * and 30 new global users per minute.
+		 */
+		new-users {
+			local-throttle 20:60;
+			global-throttle 30:60;
+		};
+
+		/* This configures when this module will NOT be active.
+		 * The default settings will disable the module when:
+		 * - The reputation module has been running for less than
+		 *   a week. If running less than 1 week then there is
+		 *   insufficient data to consider who is a "known user".
+		 * - The server has just been booted up (first 3 minutes).
+		 */
+		disabled-when {
+			reputation-gathering 1w;
+			start-delay 3m;
+		};
+	};
+};

doc/conf/operclass.default.conf

@@ -6,9 +6,11 @@
  *
  * The operclass block is extensively documented at:
  * https://www.unrealircd.org/docs/Operclass_block
+ * And the permissions itself (operclass::permissions) at:
+ * https://www.unrealircd.org/docs/Operclass_permissions
  *
  * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
- * Instead, if you want to change the privileges in an operclass block,
+ * Instead, if you want to change the permissions in an operclass block,
  * you should copy the definition, or this entire file, to either your
  * unrealircd.conf or some other file (eg: operclass.conf) that you
  * you will include from your unrealircd.conf.
@@ -18,147 +20,121 @@
 
 /* Local IRC Operator */
 operclass locop {
-	privileges {
-		privacy;
+	permissions {
 		chat;
-		channel;
-		client;
+		channel { operonly; override { flood; }; };
+		client { see; };
 		immune;
 		self;
-		notice { local; };
 		server { opermotd; info; close; module; dns; rehash; };
 		route { local; };
 		kill { local; };
-		tkl {
+		server-ban {
 			kline;
 			zline { local; };
 		};
-		trace { local; invisible-users; };
-		map;
 	};
 };
 
 /* Global IRC Operator */
 operclass globop {
-	privileges {
-		privacy;
+	permissions {
 		chat;
-		channel;
+		channel { operonly; see; override { flood; }; };
 		client;
 		immune;
-		notice;
 		self;
-		server { opermotd; info; close; remote; module; dns; rehash; };
+		server { opermotd; info; close; module; dns; rehash;
+		         remote; tsctl { view; }; };
 		route;
 		kill;
-		tkl { shun; zline; kline; gline; };
-		trace;
-		who;
-		override { see; };
-		map;
+		server-ban { dccdeny; shun; zline; kline; gline; };
 	};
 };
 
 /* Server administrator */
 operclass admin {
-	privileges {
-		privacy;
+	permissions {
 		chat;
-		channel;
+		channel { operonly; see; override { flood; }; };
 		client;
 		immune;
-		notice;
 		self;
-		server { opermotd; info; close; remote; module; dns; addline; rehash; description; addmotd; addomotd; tsctl; };
+		server { opermotd; info; close; module; dns; rehash;
+		         remote; description; addmotd;
+		         addomotd; tsctl { view; }; };
 		route;
 		kill;
-		tkl { shun; zline; kline; gline; };
-		spamfilter;
-		trace;
-		who;
-		override { see; };
-		map;
+		server-ban;
 	};
 };
 
 /* Services Admin */
 operclass services-admin {
-	privileges {
-		privacy;
+	permissions {
 		chat;
-		channel;
+		channel { operonly; see; override { flood; }; };
 		client;
 		immune;
-		notice;
 		self;
-		server { opermotd; info; close; remote; module; dns; addline; rehash; description; addmotd; addomotd; tsctl; };
+		server { opermotd; info; close; module; dns; rehash;
+		         remote; description; addmotd;
+		         addomotd; tsctl { view; }; };
 		route;
 		kill;
-		tkl { shun; zline; kline; gline; };
-		spamfilter;
-		trace;
-		who;
-		sajoin;
-		sapart;
-		samode;
-		override { see; };
+		server-ban;
+		sacmd;
+		services;
 	};
 };
 
 /* Network Administrator */
 operclass netadmin {
-	privileges {
-		privacy;
+	permissions {
 		chat;
-		channel;
+		channel { operonly; see; override { flood; }; };
 		client;
 		immune;
-		notice;
 		self;
-		server { opermotd; info; close; remote; module; dns; addline; rehash; description; addmotd; addomotd; tsctl; };
-		kill;
-		tkl { shun; zline; kline; gline; };
+		server { opermotd; info; close; module; dns; rehash;
+		         remote; description; addmotd;
+		         addomotd; tsctl; };
 		route;
-		spamfilter;
-		trace;
-		who;
-		sajoin;
-		sapart;
-		samode;
-		servicebot { deop; kill; };
-		override { see; };
-		map;
+		kill;
+		server-ban;
+		sacmd;
+		services;
 	};
 };
 
 /* Same as 'globop' operclass, but with OperOverride capabilities added */
 operclass globop-with-override {
 	parent globop;
-	privileges {
-		override;
+	permissions {
+		channel { operonly; see; override; };
 	};
 };
 
 /* Same as 'admin' operclass, but with OperOverride capabilities added */
 operclass admin-with-override {
 	parent admin;
-	privileges {
-		override;
+	permissions {
+		channel { operonly; see; override; };
 	};
 };
 
 /* Same as 'services-admin' operclass, but with OperOverride capabilities added */
 operclass services-admin-with-override {
 	parent services-admin;
-	privileges {
-		override;
+	permissions {
+		channel { operonly; see; override; };
 	};
 };
 
 /* Same as 'netadmin' operclass, but with OperOverride capabilities added */
 operclass netadmin-with-override {
 	parent netadmin;
-	privileges {
-		override;
+	permissions {
+		channel { operonly; see; override; };
 	};
 };

doc/conf/spamfilter.conf

@@ -1,232 +1,154 @@
 /*
- * This an example spamfilter file, it contains several
- * real and useful spamfilters. This should give you an
- * idea of how powerful spamfilter can be in real-life
- * situations.
+ * This configuration file contains example spamfilter rules.
+ * They are real rules that were useful a long time ago.
+ * Since 2005 these rules are no longer maintained.
+ * The main purpose nowadays is to serve as an example
+ * to give you an idea of how powerful spamfilters can
+ * be in real-life situations.
  *
- * $Id$
+ * Documentation on spamfilter is available at:
+ * https://www.unrealircd.org/docs/Spamfilter
  */
 
-/* Guidelines on the 'action' field:
- * As a general rule we use 'action block' for any newly added
- * spamfilters at first, later on (after knowing about false
- * positives) we might change some to viruschan/kill/gline/etc..
+/* General note:
+ * If you want to use a \ in a spamfilter, or in fact
+ * anywhere in the configuration file, then you need
+ * to escape this to \\ instead.
+ */
+
+
+/* First some spamfilters with match-type 'simple'.
+ * The only matchers available are * and ?
+ * PRO's: very fast, easy matching: everyone can do this.
+ * CON's: limited ability to fine-tune spamfilters
  */
 
 spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
-	target { private; channel; };
-	action kill;
-	reason "mIRC 6.0-6.11 exploit attempt";
-};
-
-spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME).{225}";
-	target { private; channel; };
-	action kill;
-	reason "Possible mIRC 6.12 exploit attempt";
-};
-
-spamfilter {
-	match-type posix;
-	match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
+	match-type simple;
+	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
 	target private;
 	action gline;
 	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
 };
 
+/* This signature uses a \ which has to escaped to \\ in the configuration file */
 spamfilter {
-	match-type posix;
-	match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
-	target private;
-	action gline;
-	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
-};
-
-spamfilter {
-	match-type posix;
-	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
-	target private;
-	action block;
-	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
-};
-
-spamfilter {
-	match-type posix;
-	match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
-	target private;
-	action gline;
-	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login Wasszup!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login grrrr yeah baby!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
-	target channel;
-	action gline;
-	reason "Attempting to use an SDBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
-	target { channel; private; };
-	action gline;
-	reason "Attempting to use a SpyBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^porn! porno! http://.+\/sexo\.exe";
-	target private;
-	action gline;
-	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
-};
-
-spamfilter {
-	match-type posix;
-	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
-	target private;
-	action gline;
-	reason "Infected by some trojan (erotica?)";
-};
-
-spamfilter {
-	match-type posix;
-	match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
-	target private;
-	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
-};
-
-spamfilter {
-	match-type posix;
-	match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
-	target private;
-	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
-};
-
-spamfilter {
-	match-type posix;
-	match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
-	target private;
-	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
-};
-
-spamfilter {
-	match-type posix;
-	match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
-	target private;
-	action gline;
-	reason "Infected by LOI trojan";
-};
-
-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
-spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
+	match-type simple;
+	match "C:\\WINNT\\system32\\*.zip";
 	target dcc;
 	action block;
 	reason "Infected by Gaggle worm?";
 };
 
 spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
-	target dcc;
-	action dccblock;
-	reason "Infected by Gaggle worm";
-};
-
-spamfilter {
-	match-type posix;
-	match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
-	target { private; quit; };
-	action block;
-	reason "Infected by Gaggle worm";
-};
-
-spamfilter {
-	match-type posix;
-	match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
+	match-type simple;
+	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
 	target private;
-	action block;
-	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
+	action gline;
+	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
 };
 
 spamfilter {
-	match-type posix;
-	match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
-	target channel;
-	action block;
-	reason "$decode exploit";
+	match-type simple;
+	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
+	target private;
+	action gline;
+	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
 };
 
-/*
+
+/* Now spamfilters of type 'regex'.
+ * These use powerful regular expressions (Perl/PCRE style)
+ * You may have to learn more about "regex" first before you
+ * can use them. For example the dot ('.') has special meaning.
+ */
+
+/* This regex shows a pattern which requires 20 paramaters,
+ * such as "x x x x x x x x x x x x x x x x x x x x"
+ */
 spamfilter {
-	regex "//write \$decode\(.+\|.+load -rs";
+	match-type regex;
+	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
 	target { private; channel; };
-	reason "Generic $decode exploit";
-	action block;
+	action kill;
+	reason "mIRC 6.0-6.11 exploit attempt";
 };
-*/
 
+/* Similarly, this regex shows a pattern that matches
+ * against at least 225 characters in length.
+ */
 spamfilter {
-	match-type posix;
+	match-type regex;
+	match "\x01DCC (SEND|RESUME).{225}";
+	target { private; channel; };
+	action kill;
+	reason "Possible mIRC 6.12 exploit attempt";
+};
+
+/* Earlier you saw an example of a $decode exploit which used
+ * match-type 'simple' and - indeed - the filter was quite simple.
+ * The following uses a regex with a similar example.
+ * Regular expressions are very powerful but here you can see
+ * that it actually complicates writing a filter quite a bit.
+ * With regex in this filter we need to escape the ( and all
+ * the dots, question marks, etc. if we want to match these
+ * characters in literal text.
+ */
+spamfilter {
+	match-type regex;
 	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
 	target private;
 	action block;
 	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
 };
+
+spamfilter {
+	match-type regex;
+	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
+	target private;
+	action block;
+	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
+};
+
+/* This shows a regex which specifically matches an entire line by 
+ * the use of ^ and $
+ */
+spamfilter {
+	match-type regex;
+	match "^!login Wasszup!$";
+	target channel;
+	action gline;
+	reason "Attempting to login to a GTBot";
+};
+
+/* An example of how to match against an IP address in text (IPv4 only) */
+spamfilter {
+	match-type regex;
+	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
+	target channel;
+	action gline;
+	reason "Attempting to use a GTBot";
+};
+
+/* A slightly more complex example with a partial OR matcher (|) */
+spamfilter {
+	match-type regex;
+	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
+	target private;
+	action gline;
+	reason "Infected by some trojan (erotica?)";
+};
+
+/* In regex a \ is special and needs to be escaped to \\
+ * However in this configuration file, \ is also special and
+ * needs to be escaped to \\ as well.
+ * The result is that we need double escaping:
+ * To match a \ you need to write \\\\ in the configuration file.
+ */
+spamfilter {
+	match-type regex;
+	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
+	target dcc;
+	action dccblock;
+	reason "Infected by Gaggle worm";
+};

doc/conf/ssl/curl-ca-bundle.crt

@@ -1,7 +1,7 @@
 ##
 ## Bundle of CA Root Certificates
 ##
-## Certificate data from Mozilla as of: Wed Mar  7 04:12:06 2018 GMT
+## Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
 ##
 ## This is a bundle of X.509 certificates of public Certificate Authorities
 ## (CA). These were automatically extracted from Mozilla's root certificates
@@ -14,7 +14,7 @@
 ## Just configure this file as the SSLCACertificateFile.
 ##
 ## Conversion done with mk-ca-bundle.pl version 1.27.
-## SHA256: 704f02707ec6b4c4a7597a8c6039b020def11e64f3ef0605a9c3543d48038a57
+## SHA256: 18372117493b5b7ec006c31d966143fc95a9464a2b5f8d5188e23c5557b2292d
 ##
 
 
@@ -261,28 +261,6 @@ gn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwXQMAJKOSLakhT2+zNVVXxxvjpoixMptEm
 X36vWkzaH6byHCx+rgIW0lbQL1dTR+iS
 -----END CERTIFICATE-----
 
-Visa eCommerce Root
-===================
------BEGIN CERTIFICATE-----
-MIIDojCCAoqgAwIBAgIQE4Y1TR0/BvLB+WUF1ZAcYjANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQG
-EwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2Ug
-QXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNvbW1lcmNlIFJvb3QwHhcNMDIwNjI2MDIxODM2
-WhcNMjIwNjI0MDAxNjEyWjBrMQswCQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMm
-VmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNv
-bW1lcmNlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvV95WHm6h2mCxlCfL
-F9sHP4CFT8icttD0b0/Pmdjh28JIXDqsOTPHH2qLJj0rNfVIsZHBAk4ElpF7sDPwsRROEW+1QK8b
-RaVK7362rPKgH1g/EkZgPI2h4H3PVz4zHvtH8aoVlwdVZqW1LS7YgFmypw23RuwhY/81q6UCzyr0
-TP579ZRdhE2o8mCP2w4lPJ9zcc+U30rq299yOIzzlr3xF7zSujtFWsan9sYXiwGd/BmoKoMWuDpI
-/k4+oKsGGelT84ATB+0tvz8KPFUgOSwsAGl0lUq8ILKpeeUYiZGo3BxN77t+Nwtd/jmliFKMAGzs
-GHxBvfaLdXe6YJ2E5/4tAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
-MB0GA1UdDgQWBBQVOIMPPyw/cDMezUb+B4wg4NfDtzANBgkqhkiG9w0BAQUFAAOCAQEAX/FBfXxc
-CLkr4NWSR/pnXKUTwwMhmytMiUbPWU3J/qVAtmPN3XEolWcRzCSs00Rsca4BIGsDoo8Ytyk6feUW
-YFN4PMCvFYP3j1IzJL1kk5fui/fbGKhtcbP3LBfQdCVp9/5rPJS+TUtBjE7ic9DjkCJzQ83z7+pz
-zkWKsKZJ/0x9nXGIxHYdkFsd7v3M9+79YKWxehZx0RbQfBI8bGmX265fOZpwLwU8GUYEmSA20GBu
-YQa7FkKMcPcw++DbZqMAAb3mLNqRX6BGi01qnD093QVG/na/oAo85ADmJ7f/hC3euiInlhBx6yLt
-398znM/jra6O1I7mT1GvFpLgXPYHDw==
------END CERTIFICATE-----
-
 Comodo AAA Services root
 ========================
 -----BEGIN CERTIFICATE-----
@@ -2635,30 +2613,6 @@ kbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+ZAAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3C
 ekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su
 -----END CERTIFICATE-----
 
-TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
-====================================================
------BEGIN CERTIFICATE-----
-MIIEJzCCAw+gAwIBAgIHAI4X/iQggTANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UEBhMCVFIxDzAN
-BgNVBAcMBkFua2FyYTFNMEsGA1UECgxEVMOcUktUUlVTVCBCaWxnaSDEsGxldGnFn2ltIHZlIEJp
-bGnFn2ltIEfDvHZlbmxpxJ9pIEhpem1ldGxlcmkgQS7Fni4xQjBABgNVBAMMOVTDnFJLVFJVU1Qg
-RWxla3Ryb25payBTZXJ0aWZpa2EgSGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSBINTAeFw0xMzA0MzAw
-ODA3MDFaFw0yMzA0MjgwODA3MDFaMIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0w
-SwYDVQQKDERUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnE
-n2kgSGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBFbGVrdHJvbmlrIFNlcnRp
-ZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEApCUZ4WWe60ghUEoI5RHwWrom/4NZzkQqL/7hzmAD/I0Dpe3/a6i6zDQGn1k19uwsu537
-jVJp45wnEFPzpALFp/kRGml1bsMdi9GYjZOHp3GXDSHHmflS0yxjXVW86B8BSLlg/kJK9siArs1m
-ep5Fimh34khon6La8eHBEJ/rPCmBp+EyCNSgBbGM+42WAA4+Jd9ThiI7/PS98wl+d+yG6w8z5UNP
-9FR1bSmZLmZaQ9/LXMrI5Tjxfjs1nQ/0xVqhzPMggCTTV+wVunUlm+hkS7M0hO8EuPbJbKoCPrZV
-4jI3X/xml1/N1p7HIL9Nxqw/dV8c7TKcfGkAaZHjIxhT6QIDAQABo0IwQDAdBgNVHQ4EFgQUVpkH
-HtOsDGlktAxQR95DLL4gwPswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAJ5FdnsXSDLyOIspve6WSk6BGLFRRyDN0GSxDsnZAdkJzsiZ3GglE9Rc8qPo
-BP5yCccLqh0lVX6Wmle3usURehnmp349hQ71+S4pL+f5bFgWV1Al9j4uPqrtd3GqqpmWRgqujuwq
-URawXs3qZwQcWDD1YIq9pr1N5Za0/EKJAWv2cMhQOQwt1WbZyNKzMrcbGW3LM/nfpeYVhDfwwvJl
-lpKQd/Ct9JDpEXjXk4nAPQu6KfTomZ1yju2dL+6SfaHx/126M2CFYv4HAqGEVka+lgqaE9chTLd8
-B59OTj+RdPsnnRHM3eaxynFNExc5JsUpISuTKWqW+qtB4Uu2NQvAmxU=
------END CERTIFICATE-----
-
 Certinomis - Root CA
 ====================
 -----BEGIN CERTIFICATE-----
@@ -2816,126 +2770,6 @@ GiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7SofTUwJCA3sS61kFyjn
 dc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR
 -----END CERTIFICATE-----
 
-Certplus Root CA G1
-===================
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgISESBVg+QtPlRWhS2DN7cs3EYRMA0GCSqGSIb3DQEBDQUAMD4xCzAJBgNV
-BAYTAkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTAe
-Fw0xNDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhD
-ZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQAD
-ggIPADCCAgoCggIBANpQh7bauKk+nWT6VjOaVj0W5QOVsjQcmm1iBdTYj+eJZJ+622SLZOZ5KmHN
-r49aiZFluVj8tANfkT8tEBXgfs+8/H9DZ6itXjYj2JizTfNDnjl8KvzsiNWI7nC9hRYt6kuJPKNx
-Qv4c/dMcLRC4hlTqQ7jbxofaqK6AJc96Jh2qkbBIb6613p7Y1/oA/caP0FG7Yn2ksYyy/yARujVj
-BYZHYEMzkPZHogNPlk2dT8Hq6pyi/jQu3rfKG3akt62f6ajUeD94/vI4CTYd0hYCyOwqaK/1jpTv
-LRN6HkJKHRUxrgwEV/xhc/MxVoYxgKDEEW4wduOU8F8ExKyHcomYxZ3MVwia9Az8fXoFOvpHgDm2
-z4QTd28n6v+WZxcIbekN1iNQMLAVdBM+5S//Ds3EC0pd8NgAM0lm66EYfFkuPSi5YXHLtaW6uOrc
-4nBvCGrch2c0798wct3zyT8j/zXhviEpIDCB5BmlIOklynMxdCm+4kLV87ImZsdo/Rmz5yCTmehd
-4F6H50boJZwKKSTUzViGUkAksnsPmBIgJPaQbEfIDbsYIC7Z/fyL8inqh3SV4EJQeIQEQWGw9CEj
-jy3LKCHyamz0GqbFFLQ3ZU+V/YDI+HLlJWvEYLF7bY5KinPOWftwenMGE9nTdDckQQoRb5fc5+R+
-ob0V8rqHDz1oihYHAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
-A1UdDgQWBBSowcCbkahDFXxdBie0KlHYlwuBsTAfBgNVHSMEGDAWgBSowcCbkahDFXxdBie0KlHY
-lwuBsTANBgkqhkiG9w0BAQ0FAAOCAgEAnFZvAX7RvUz1isbwJh/k4DgYzDLDKTudQSk0YcbX8ACh
-66Ryj5QXvBMsdbRX7gp8CXrc1cqh0DQT+Hern+X+2B50ioUHj3/MeXrKls3N/U/7/SMNkPX0XtPG
-YX2eEeAC7gkE2Qfdpoq3DIMku4NQkv5gdRE+2J2winq14J2by5BSS7CTKtQ+FjPlnsZlFT5kOwQ/
-2wyPX1wdaR+v8+khjPPvl/aatxm2hHSco1S1cE5j2FddUyGbQJJD+tZ3VTNPZNX70Cxqjm0lpu+F
-6ALEUz65noe8zDUa3qHpimOHZR4RKttjd5cUvpoUmRGywO6wT/gUITJDT5+rosuoD6o7BlXGEilX
-CNQ314cnrUlZp5GrRHpejXDbl85IULFzk/bwg2D5zfHhMf1bfHEhYxQUqq/F3pN+aLHsIqKqkHWe
-tUNy6mSjhEv9DKgma3GX7lZjZuhCVPnHHd/Qj1vfyDBviP4NxDMcU6ij/UgQ8uQKTuEVV/xuZDDC
-VRHc6qnNSlSsKWNEz0pAoNZoWRsz+e86i9sgktxChL8Bq4fA1SCC28a5g4VCXA9DO2pJNdWY9BW/
-+mGBDAkgGNLQFwzLSABQ6XaCjGTXOqAHVcweMcDvOrRl++O/QmueD6i9a5jc2NvLi6Td11n0bt3+
-qsOR0C5CB8AMTVPNJLFMWx5R9N/pkvo=
------END CERTIFICATE-----
-
-Certplus Root CA G2
-===================
------BEGIN CERTIFICATE-----
-MIICHDCCAaKgAwIBAgISESDZkc6uo+jF5//pAq/Pc7xVMAoGCCqGSM49BAMDMD4xCzAJBgNVBAYT
-AkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjAeFw0x
-NDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhDZXJ0
-cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjB2MBAGByqGSM49AgEGBSuBBAAiA2IA
-BM0PW1aC3/BFGtat93nwHcmsltaeTpwftEIRyoa/bfuFo8XlGVzX7qY/aWfYeOKmycTbLXku54uN
-Am8xIk0G42ByRZ0OQneezs/lf4WbGOT8zC5y0xaTTsqZY1yhBSpsBqNjMGEwDgYDVR0PAQH/BAQD
-AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMB8GA1Ud
-IwQYMBaAFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMAoGCCqGSM49BAMDA2gAMGUCMHD+sAvZ94OX7PNV
-HdTcswYO/jOYnYs5kGuUIe22113WTNchp+e/IQ8rzfcq3IUHnQIxAIYUFuXcsGXCwI4Un78kFmjl
-vPl5adytRSv3tjFzzAalU5ORGpOucGpnutee5WEaXw==
------END CERTIFICATE-----
-
-OpenTrust Root CA G1
-====================
------BEGIN CERTIFICATE-----
-MIIFbzCCA1egAwIBAgISESCzkFU5fX82bWTCp59rY45nMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV
-BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcx
-MB4XDTE0MDUyNjA4NDU1MFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM
-CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQD4eUbalsUwXopxAy1wpLuwxQjczeY1wICkES3d5oeuXT2R0odsN7fa
-Yp6bwiTXj/HbpqbfRm9RpnHLPhsxZ2L3EVs0J9V5ToybWL0iEA1cJwzdMOWo010hOHQX/uMftk87
-ay3bfWAfjH1MBcLrARYVmBSO0ZB3Ij/swjm4eTrwSSTilZHcYTSSjFR077F9jAHiOH3BX2pfJLKO
-YheteSCtqx234LSWSE9mQxAGFiQD4eCcjsZGT44ameGPuY4zbGneWK2gDqdkVBFpRGZPTBKnjix9
-xNRbxQA0MMHZmf4yzgeEtE7NCv82TWLxp2NX5Ntqp66/K7nJ5rInieV+mhxNaMbBGN4zK1FGSxyO
-9z0M+Yo0FMT7MzUj8czxKselu7Cizv5Ta01BG2Yospb6p64KTrk5M0ScdMGTHPjgniQlQ/GbI4Kq
-3ywgsNw2TgOzfALU5nsaqocTvz6hdLubDuHAk5/XpGbKuxs74zD0M1mKB3IDVedzagMxbm+WG+Oi
-n6+Sx+31QrclTDsTBM8clq8cIqPQqwWyTBIjUtz9GVsnnB47ev1CI9sjgBPwvFEVVJSmdz7QdFG9
-URQIOTfLHzSpMJ1ShC5VkLG631UAC9hWLbFJSXKAqWLXwPYYEQRVzXR7z2FwefR7LFxckvzluFqr
-TJOVoSfupb7PcSNCupt2LQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQUl0YhVyE12jZVx/PxN3DlCPaTKbYwHwYDVR0jBBgwFoAUl0YhVyE12jZVx/Px
-N3DlCPaTKbYwDQYJKoZIhvcNAQELBQADggIBAB3dAmB84DWn5ph76kTOZ0BP8pNuZtQ5iSas000E
-PLuHIT839HEl2ku6q5aCgZG27dmxpGWX4m9kWaSW7mDKHyP7Rbr/jyTwyqkxf3kfgLMtMrpkZ2Cv
-uVnN35pJ06iCsfmYlIrM4LvgBBuZYLFGZdwIorJGnkSI6pN+VxbSFXJfLkur1J1juONI5f6ELlgK
-n0Md/rcYkoZDSw6cMoYsYPXpSOqV7XAp8dUv/TW0V8/bhUiZucJvbI/NeJWsZCj9VrDDb8O+WVLh
-X4SPgPL0DTatdrOjteFkdjpY3H1PXlZs5VVZV6Xf8YpmMIzUUmI4d7S+KNfKNsSbBfD4Fdvb8e80
-nR14SohWZ25g/4/Ii+GOvUKpMwpZQhISKvqxnUOOBZuZ2mKtVzazHbYNeS2WuOvyDEsMpZTGMKcm
-GS3tTAZQMPH9WD25SxdfGbRqhFS0OE85og2WaMMolP3tLR9Ka0OWLpABEPs4poEL0L9109S5zvE/
-bw4cHjdx5RiHdRk/ULlepEU0rbDK5uUTdg8xFKmOLZTW1YVNcxVPS/KyPu1svf0OnWZzsD2097+o
-4BGkxK51CUpjAEggpsadCwmKtODmzj7HPiY46SvepghJAwSQiumPv+i2tCqjI40cHLI5kqiPAlxA
-OXXUc0ECd97N4EOH1uS6SsNsEn/+KuYj1oxx
------END CERTIFICATE-----
-
-OpenTrust Root CA G2
-====================
------BEGIN CERTIFICATE-----
-MIIFbzCCA1egAwIBAgISESChaRu/vbm9UpaPI+hIvyYRMA0GCSqGSIb3DQEBDQUAMEAxCzAJBgNV
-BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcy
-MB4XDTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM
-CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzIwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQDMtlelM5QQgTJT32F+D3Y5z1zCU3UdSXqWON2ic2rxb95eolq5cSG+
-Ntmh/LzubKh8NBpxGuga2F8ORAbtp+Dz0mEL4DKiltE48MLaARf85KxP6O6JHnSrT78eCbY2albz
-4e6WiWYkBuTNQjpK3eCasMSCRbP+yatcfD7J6xcvDH1urqWPyKwlCm/61UWY0jUJ9gNDlP7ZvyCV
-eYCYitmJNbtRG6Q3ffyZO6v/v6wNj0OxmXsWEH4db0fEFY8ElggGQgT4hNYdvJGmQr5J1WqIP7wt
-UdGejeBSzFfdNTVY27SPJIjki9/ca1TSgSuyzpJLHB9G+h3Ykst2Z7UJmQnlrBcUVXDGPKBWCgOz
-3GIZ38i1MH/1PCZ1Eb3XG7OHngevZXHloM8apwkQHZOJZlvoPGIytbU6bumFAYueQ4xncyhZW+vj
-3CzMpSZyYhK05pyDRPZRpOLAeiRXyg6lPzq1O4vldu5w5pLeFlwoW5cZJ5L+epJUzpM5ChaHvGOz
-9bGTXOBut9Dq+WIyiET7vycotjCVXRIouZW+j1MY5aIYFuJWpLIsEPUdN6b4t/bQWVyJ98LVtZR0
-0dX+G7bw5tYee9I8y6jj9RjzIR9u701oBnstXW5DiabA+aC/gh7PU3+06yzbXfZqfUAkBXKJOAGT
-y3HCOV0GEfZvePg3DTmEJwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQUajn6QiL35okATV59M4PLuG53hq8wHwYDVR0jBBgwFoAUajn6QiL35okATV59
-M4PLuG53hq8wDQYJKoZIhvcNAQENBQADggIBAJjLq0A85TMCl38th6aP1F5Kr7ge57tx+4BkJamz
-Gj5oXScmp7oq4fBXgwpkTx4idBvpkF/wrM//T2h6OKQQbA2xx6R3gBi2oihEdqc0nXGEL8pZ0keI
-mUEiyTCYYW49qKgFbdEfwFFEVn8nNQLdXpgKQuswv42hm1GqO+qTRmTFAHneIWv2V6CG1wZy7HBG
-S4tz3aAhdT7cHcCP009zHIXZ/n9iyJVvttN7jLpTwm+bREx50B1ws9efAvSyB7DH5fitIw6mVskp
-EndI2S9G/Tvw/HRwkqWOOAgfZDC2t0v7NqwQjqBSM2OdAzVWxWm9xiNaJ5T2pBL4LTM8oValX9YZ
-6e18CL13zSdkzJTaTkZQh+D5wVOAHrut+0dSixv9ovneDiK3PTNZbNTe9ZUGMg1RGUFcPk8G97kr
-gCf2o6p6fAbhQ8MTOWIaNr3gKC6UAuQpLmBVrkA9sHSSXvAgZJY/X0VdiLWK2gKgW0VU3jg9CcCo
-SmVGFvyqv1ROTVu+OEO3KMqLM6oaJbolXCkvW0pujOotnCr2BXbgd5eAiN1nE28daCSLT7d0geX0
-YJ96Vdc+N9oWaz53rK4YcJUIeSkDiv7BO7M/Gg+kO14fWKGVyasvc0rQLW6aWQ9VGHgtPFGml4vm
-u7JwqkwR3v98KzfUetF3NI/n+UL3PIEMS1IK
------END CERTIFICATE-----
-
-OpenTrust Root CA G3
-====================
------BEGIN CERTIFICATE-----
-MIICITCCAaagAwIBAgISESDm+Ez8JLC+BUCs2oMbNGA/MAoGCCqGSM49BAMDMEAxCzAJBgNVBAYT
-AkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEczMB4X
-DTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9w
-ZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzMwdjAQBgcqhkjOPQIBBgUrgQQA
-IgNiAARK7liuTcpm3gY6oxH84Bjwbhy6LTAMidnW7ptzg6kjFYwvWYpa3RTqnVkrQ7cG7DK2uu5B
-ta1doYXM6h0UZqNnfkbilPPntlahFVmhTzeXuSIevRHr9LIfXsMUmuXZl5mjYzBhMA4GA1UdDwEB
-/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAf
-BgNVHSMEGDAWgBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAKBggqhkjOPQQDAwNpADBmAjEAj6jcnboM
-BBf6Fek9LykBl7+BFjNAk2z8+e2AcG+qj9uEwov1NcoG3GRvaBbhj5G5AjEA2Euly8LQCGzpGPta
-3U1fJAuwACEl74+nBCZx4nxp5V2a+EEfOzmTk51V6s2N8fvB
------END CERTIFICATE-----
-
 ISRG Root X1
 ============
 -----BEGIN CERTIFICATE-----
@@ -3336,3 +3170,232 @@ BBYEFFvKXuXe0oGqzagtZFG22XKbl+ZPMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe
 N+vp1RPZytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZgh5Mm
 m7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg==
 -----END CERTIFICATE-----
+
+GlobalSign Root CA - R6
+=======================
+-----BEGIN CERTIFICATE-----
+MIIFgzCCA2ugAwIBAgIORea7A4Mzw4VlSOb/RVEwDQYJKoZIhvcNAQEMBQAwTDEgMB4GA1UECxMX
+R2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkds
+b2JhbFNpZ24wHhcNMTQxMjEwMDAwMDAwWhcNMzQxMjEwMDAwMDAwWjBMMSAwHgYDVQQLExdHbG9i
+YWxTaWduIFJvb3QgQ0EgLSBSNjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFs
+U2lnbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJUH6HPKZvnsFMp7PPcNCPG0RQss
+grRIxutbPK6DuEGSMxSkb3/pKszGsIhrxbaJ0cay/xTOURQh7ErdG1rG1ofuTToVBu1kZguSgMpE
+3nOUTvOniX9PeGMIyBJQbUJmL025eShNUhqKGoC3GYEOfsSKvGRMIRxDaNc9PIrFsmbVkJq3MQbF
+vuJtMgamHvm566qjuL++gmNQ0PAYid/kD3n16qIfKtJwLnvnvJO7bVPiSHyMEAc4/2ayd2F+4OqM
+PKq0pPbzlUoSB239jLKJz9CgYXfIWHSw1CM69106yqLbnQneXUQtkPGBzVeS+n68UARjNN9rkxi+
+azayOeSsJDa38O+2HBNXk7besvjihbdzorg1qkXy4J02oW9UivFyVm4uiMVRQkQVlO6jxTiWm05O
+WgtH8wY2SXcwvHE35absIQh1/OZhFj931dmRl4QKbNQCTXTAFO39OfuD8l4UoQSwC+n+7o/hbguy
+CLNhZglqsQY6ZZZZwPA1/cnaKI0aEYdwgQqomnUdnjqGBQCe24DWJfncBZ4nWUx2OVvq+aWh2IMP
+0f/fMBH5hc8zSPXKbWQULHpYT9NLCEnFlWQaYw55PfWzjMpYrZxCRXluDocZXFSxZba/jJvcE+kN
+b7gu3GduyYsRtYQUigAZcIN5kZeR1BonvzceMgfYFGM8KEyvAgMBAAGjYzBhMA4GA1UdDwEB/wQE
+AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSubAWjkxPioufi1xzWx/B/yGdToDAfBgNV
+HSMEGDAWgBSubAWjkxPioufi1xzWx/B/yGdToDANBgkqhkiG9w0BAQwFAAOCAgEAgyXt6NH9lVLN
+nsAEoJFp5lzQhN7craJP6Ed41mWYqVuoPId8AorRbrcWc+ZfwFSY1XS+wc3iEZGtIxg93eFyRJa0
+lV7Ae46ZeBZDE1ZXs6KzO7V33EByrKPrmzU+sQghoefEQzd5Mr6155wsTLxDKZmOMNOsIeDjHfrY
+BzN2VAAiKrlNIC5waNrlU/yDXNOd8v9EDERm8tLjvUYAGm0CuiVdjaExUd1URhxN25mW7xocBFym
+Fe944Hn+Xds+qkxV/ZoVqW/hpvvfcDDpw+5CRu3CkwWJ+n1jez/QcYF8AOiYrg54NMMl+68KnyBr
+3TsTjxKM4kEaSHpzoHdpx7Zcf4LIHv5YGygrqGytXm3ABdJ7t+uA/iU3/gKbaKxCXcPu9czc8FB1
+0jZpnOZ7BN9uBmm23goJSFmH63sUYHpkqmlD75HHTOwY3WzvUy2MmeFe8nI+z1TIvWfspA9MRf/T
+uTAjB0yPEL+GltmZWrSZVxykzLsViVO6LAUP5MSeGbEYNNVMnbrt9x+vJJUEeKgDu+6B5dpffItK
+oZB0JaezPkvILFa9x8jvOOJckvB595yEunQtYQEgfn7R8k8HWV+LLUNS60YMlOH1Zkd5d9VUWx+t
+JDfLRVpOoERIyNiwmcUVhAn21klJwGW45hpxbqCo8YLoRT5s1gLXCmeDBVrJpBA=
+-----END CERTIFICATE-----
+
+OISTE WISeKey Global Root GC CA
+===============================
+-----BEGIN CERTIFICATE-----
+MIICaTCCAe+gAwIBAgIQISpWDK7aDKtARb8roi066jAKBggqhkjOPQQDAzBtMQswCQYDVQQGEwJD
+SDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNlZDEo
+MCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQyBDQTAeFw0xNzA1MDkwOTQ4MzRa
+Fw00MjA1MDkwOTU4MzNaMG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQL
+ExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh
+bCBSb290IEdDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAETOlQwMYPchi82PG6s4nieUqjFqdr
+VCTbUf/q9Akkwwsin8tqJ4KBDdLArzHkdIJuyiXZjHWd8dvQmqJLIX4Wp2OQ0jnUsYd4XxiWD1Ab
+NTcPasbc2RNNpI6QN+a9WzGRo1QwUjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd
+BgNVHQ4EFgQUSIcUrOPDnpBgOtfKie7TrYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0E
+AwMDaAAwZQIwJsdpW9zV57LnyAyMjMPdeYwbY9XJUpROTYJKcx6ygISpJcBMWm1JKWB4E+J+SOtk
+AjEA2zQgMgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
+-----END CERTIFICATE-----
+
+GTS Root R1
+===========
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgIQbkepxUtHDA3sM9CJuRz04TANBgkqhkiG9w0BAQwFADBHMQswCQYDVQQG
+EwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJv
+b3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAG
+A1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx
+9vaMf/vo27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7wCl7r
+aKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjwTcLCeoiKu7rPWRnW
+r4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0PfyblqAj+lug8aJRT7oM6iCsVlgmy4HqM
+LnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaHszVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly
+4cpk9+aCEI3oncKKiPo4Zor8Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr
+06zqkUspzBmkMiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70paDPvOmbsB4om
+3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrNVjzRlwW5y0vtOUucxD/SVRNu
+JLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEM
+BQADggIBADiWCu49tJYeX++dnAsznyvgyv3SjgofQXSlfKqE1OXyHuY3UjKcC9FhHb8owbZEKTV1
+d5iyfNm9dKyKaOOpMQkpAWBz40d8U6iQSifvS9efk+eCNs6aaAyC58/UEBZvXw6ZXPYfcX3v73sv
+fuo21pdwCxXu11xWajOl40k4DLh9+42FpLFZXvRq4d2h9mREruZRgyFmxhE+885H7pwoHyXa/6xm
+ld01D1zvICxi/ZG6qcz8WpyTgYMpl0p8WnK0OdC3d8t5/Wk6kjftbjhlRn7pYL15iJdfOBL07q9b
+gsiG1eGZbYwE8na6SfZu6W0eX6DvJ4J2QPim01hcDyxC2kLGe4g0x8HYRZvBPsVhHdljUEn2NIVq
+4BjFbkerQUIpm/ZgDdIx02OYI5NaAIFItO/Nis3Jz5nu2Z6qNuFoS3FJFDYoOj0dzpqPJeaAcWEr
+tXvM+SUWgeExX6GjfhaknBZqlxi9dnKlC54dNuYvoS++cJEPqOba+MSSQGwlfnuzCdyyF62ARPBo
+pY+Udf90WuioAnwMCeKpSwughQtiue+hMZL77/ZRBIls6Kl0obsXs7X9SQ98POyDGCBDTtWTurQ0
+sR8WNh8M5mQ5Fkzc4P4dyKliPUDqysU0ArSuiYgzNdwsE3PYJ/HQcu51OyLemGhmW/HGY0dVHLql
+CFF1pkgl
+-----END CERTIFICATE-----
+
+GTS Root R2
+===========
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgIQbkepxlqz5yDFMJo/aFLybzANBgkqhkiG9w0BAQwFADBHMQswCQYDVQQG
+EwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJv
+b3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAG
+A1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDO3v2m++zsFDQ8BwZabFn3GTXd98GdVarTzTuk
+k3LvCvptnfbwhYBboUhSnznFt+4orO/LdmgUud+tAWyZH8QiHZ/+cnfgLFuv5AS/T3KgGjSY6Dlo
+7JUle3ah5mm5hRm9iYz+re026nO8/4Piy33B0s5Ks40FnotJk9/BW9BuXvAuMC6C/Pq8tBcKSOWI
+m8Wba96wyrQD8Nr0kLhlZPdcTK3ofmZemde4wj7I0BOdre7kRXuJVfeKH2JShBKzwkCX44ofR5Gm
+dFrS+LFjKBC4swm4VndAoiaYecb+3yXuPuWgf9RhD1FLPD+M2uFwdNjCaKH5wQzpoeJ/u1U8dgbu
+ak7MkogwTZq9TwtImoS1mKPV+3PBV2HdKFZ1E66HjucMUQkQdYhMvI35ezzUIkgfKtzra7tEscsz
+cTJGr61K8YzodDqs5xoic4DSMPclQsciOzsSrZYuxsN2B6ogtzVJV+mSSeh2FnIxZyuWfoqjx5RW
+Ir9qS34BIbIjMt/kmkRtWVtd9QCgHJvGeJeNkP+byKq0rxFROV7Z+2et1VsRnTKaG73Vululycsl
+aVNVJ1zgyjbLiGH7HrfQy+4W+9OmTN6SpdTi3/UGVN4unUu0kzCqgc7dGtxRcw1PcOnlthYhGXmy
+5okLdWTK1au8CcEYof/UVKGFPP0UJAOyh9OktwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUu//KjiOfT5nK2+JopqUVJxce2Q4wDQYJKoZIhvcNAQEM
+BQADggIBALZp8KZ3/p7uC4Gt4cCpx/k1HUCCq+YEtN/L9x0Pg/B+E02NjO7jMyLDOfxA325BS0JT
+vhaI8dI4XsRomRyYUpOM52jtG2pzegVATX9lO9ZY8c6DR2Dj/5epnGB3GFW1fgiTz9D2PGcDFWEJ
++YF59exTpJ/JjwGLc8R3dtyDovUMSRqodt6Sm2T4syzFJ9MHwAiApJiS4wGWAqoC7o87xdFtCjMw
+c3i5T1QWvwsHoaRc5svJXISPD+AVdyx+Jn7axEvbpxZ3B7DNdehyQtaVhJ2Gg/LkkM0JR9SLA3Da
+WsYDQvTtN6LwG1BUSw7YhN4ZKJmBR64JGz9I0cNv4rBgF/XuIwKl2gBbbZCr7qLpGzvpx0QnRY5r
+n/WkhLx3+WuXrD5RRaIRpsyF7gpo8j5QOHokYh4XIDdtak23CZvJ/KRY9bb7nE4Yu5UC56Gtmwfu
+Nmsk0jmGwZODUNKBRqhfYlcsu2xkiAhu7xNUX90txGdj08+JN7+dIPT7eoOboB6BAFDC5AwiWVIQ
+7UNWhwD4FFKnHYuTjKJNRn8nxnGbJN7k2oaLDX5rIMHAnuFl2GqjpuiFizoHCBy69Y9Vmhh1fuXs
+gWbRIXOhNUQLgD1bnF5vKheW0YMjiGZt5obicDIvUiLnyOd/xCxgXS/Dr55FBcOEArf9LAhST4Ld
+o/DUhgkC
+-----END CERTIFICATE-----
+
+GTS Root R3
+===========
+-----BEGIN CERTIFICATE-----
+MIICDDCCAZGgAwIBAgIQbkepx2ypcyRAiQ8DVd2NHTAKBggqhkjOPQQDAzBHMQswCQYDVQQGEwJV
+UzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3Qg
+UjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UE
+ChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUU
+Rout736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2ADDL24Cej
+QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTB8Sa6oC2uhYHP
+0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEAgFukfCPAlaUs3L6JbyO5o91lAFJekazInXJ0
+glMLfalAvWhgxeG4VDvBNhcl2MG9AjEAnjWSdIUlUfUk7GRSJFClH9voy8l27OyCbvWFGFPouOOa
+KaqW04MjyaR7YbPMAuhd
+-----END CERTIFICATE-----
+
+GTS Root R4
+===========
+-----BEGIN CERTIFICATE-----
+MIICCjCCAZGgAwIBAgIQbkepyIuUtui7OyrYorLBmTAKBggqhkjOPQQDAzBHMQswCQYDVQQGEwJV
+UzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3Qg
+UjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UE
+ChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa
+6zzuhXyiQHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvRHYqj
+QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSATNbrdP9JNqPV
+2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNnADBkAjBqUFJ0CMRw3J5QdCHojXohw0+WbhXRIjVhLfoI
+N+4Zba3bssx9BzT1YBkstTTZbyACMANxsbqjYAuG7ZoIapVon+Kz4ZNkfF6Tpt95LY2F45TPI11x
+zPKwTdb+mciUqXWi4w==
+-----END CERTIFICATE-----
+
+UCA Global G2 Root
+==================
+-----BEGIN CERTIFICATE-----
+MIIFRjCCAy6gAwIBAgIQXd+x2lqj7V2+WmUgZQOQ7zANBgkqhkiG9w0BAQsFADA9MQswCQYDVQQG
+EwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxGzAZBgNVBAMMElVDQSBHbG9iYWwgRzIgUm9vdDAeFw0x
+NjAzMTEwMDAwMDBaFw00MDEyMzEwMDAwMDBaMD0xCzAJBgNVBAYTAkNOMREwDwYDVQQKDAhVbmlU
+cnVzdDEbMBkGA1UEAwwSVUNBIEdsb2JhbCBHMiBSb290MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAxeYrb3zvJgUno4Ek2m/LAfmZmqkywiKHYUGRO8vDaBsGxUypK8FnFyIdK+35KYmT
+oni9kmugow2ifsqTs6bRjDXVdfkX9s9FxeV67HeToI8jrg4aA3++1NDtLnurRiNb/yzmVHqUwCoV
+8MmNsHo7JOHXaOIxPAYzRrZUEaalLyJUKlgNAQLx+hVRZ2zA+te2G3/RVogvGjqNO7uCEeBHANBS
+h6v7hn4PJGtAnTRnvI3HLYZveT6OqTwXS3+wmeOwcWDcC/Vkw85DvG1xudLeJ1uK6NjGruFZfc8o
+LTW4lVYa8bJYS7cSN8h8s+1LgOGN+jIjtm+3SJUIsUROhYw6AlQgL9+/V087OpAh18EmNVQg7Mc/
+R+zvWr9LesGtOxdQXGLYD0tK3Cv6brxzks3sx1DoQZbXqX5t2Okdj4q1uViSukqSKwxW/YDrCPBe
+KW4bHAyvj5OJrdu9o54hyokZ7N+1wxrrFv54NkzWbtA+FxyQF2smuvt6L78RHBgOLXMDj6DlNaBa
+4kx1HXHhOThTeEDMg5PXCp6dW4+K5OXgSORIskfNTip1KnvyIvbJvgmRlld6iIis7nCs+dwp4wwc
+OxJORNanTrAmyPPZGpeRaOrvjUYG0lZFWJo8DA+DuAUlwznPO6Q0ibd5Ei9Hxeepl2n8pndntd97
+8XplFeRhVmUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFIHEjMz15DD/pQwIX4wVZyF0Ad/fMA0GCSqGSIb3DQEBCwUAA4ICAQATZSL1jiutROTL/7lo
+5sOASD0Ee/ojL3rtNtqyzm325p7lX1iPyzcyochltq44PTUbPrw7tgTQvPlJ9Zv3hcU2tsu8+Mg5
+1eRfB70VVJd0ysrtT7q6ZHafgbiERUlMjW+i67HM0cOU2kTC5uLqGOiiHycFutfl1qnN3e92mI0A
+Ds0b+gO3joBYDic/UvuUospeZcnWhNq5NXHzJsBPd+aBJ9J3O5oUb3n09tDh05S60FdRvScFDcH9
+yBIw7m+NESsIndTUv4BFFJqIRNow6rSn4+7vW4LVPtateJLbXDzz2K36uGt/xDYotgIVilQsnLAX
+c47QN6MUPJiVAAwpBVueSUmxX8fjy88nZY41F7dXyDDZQVu5FLbowg+UMaeUmMxq67XhJ/UQqAHo
+jhJi6IjMtX9Gl8CbEGY4GjZGXyJoPd/JxhMnq1MGrKI8hgZlb7F+sSlEmqO6SWkoaY/X5V+tBIZk
+bxqgDMUIYs6Ao9Dz7GjevjPHF1t/gMRMTLGmhIrDO7gJzRSBuhjjVFc2/tsvfEehOjPI+Vg7RE+x
+ygKJBJYoaMVLuCaJu9YzL1DV/pqJuhgyklTGW+Cd+V7lDSKb9triyCGyYiGqhkCyLmTTX8jjfhFn
+RR8F/uOi77Oos/N9j/gMHyIfLXC0uAE0djAA5SN4p1bXUB+K+wb1whnw0A==
+-----END CERTIFICATE-----
+
+UCA Extended Validation Root
+============================
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQG
+EwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9u
+IFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMxMDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8G
+A1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrs
+iWogD4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvSsPGP2KxF
+Rv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aopO2z6+I9tTcg1367r3CTu
+eUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dksHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR
+59mzLC52LqGj3n5qiAno8geK+LLNEOfic0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH
+0mK1lTnj8/FtDw5lhIpjVMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KR
+el7sFsLzKuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/TuDv
+B0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41Gsx2VYVdWf6/wFlth
+WG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs1+lvK9JKBZP8nm9rZ/+I8U6laUpS
+NwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQDfwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS
+3H5aBZ8eNJr34RQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL
+BQADggIBADaNl8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
+ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQVBcZEhrxH9cM
+aVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5c6sq1WnIeJEmMX3ixzDx/BR4
+dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb
++7lsq+KePRXBOy5nAliRn+/4Qh8st2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOW
+F3sGPjLtx7dCvHaj2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwi
+GpWOvpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2CxR9GUeOc
+GMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmxcmtpzyKEC2IPrNkZAJSi
+djzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbMfjKaiJUINlK73nZfdklJrX+9ZSCyycEr
+dhh2n1ax
+-----END CERTIFICATE-----
+
+Certigna Root CA
+================
+-----BEGIN CERTIFICATE-----
+MIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZBbcTjpuEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
+BhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAwMiA0ODE0NjMwODEwMDAzNjEZ
+MBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0xMzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjda
+MFoxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYz
+MDgxMDAwMzYxGTAXBgNVBAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDNGDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sOty3tRQgX
+stmzy9YXUnIo245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9MCiBtnyN6tMbaLOQdLNyz
+KNAT8kxOAkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPuI9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8
+JXrJhFwLrN1CTivngqIkicuQstDuI7pmTLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16
+XdG+RCYyKfHx9WzMfgIhC59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQwFsWq
+4NYKpkDfePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBBe3YzIoej
+wpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWTCo/1VTp2lc5ZmIoJ
+lXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1kJWumIWmbat10TWuXekG9qxf5kBdI
+jzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5hwjCxAnxl4YqKE3idMDaxIzb3+KhF1nOJFl0Mdp/
+/TBt2dzhauH8XwIDAQABo4IBGjCCARYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+HQYDVR0OBBYEFBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1UdIwQYMBaAFBiHVuBud+4kNTxOc5of
+1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsGAQUFBwIBFiNodHRwczovL3d3d3cuY2Vy
+dGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBkMC+gLaArhilodHRwOi8vY3JsLmNlcnRpZ25h
+LmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+gLYYraHR0cDovL2NybC5kaGlteW90aXMuY29tL2Nl
+cnRpZ25hcm9vdGNhLmNybDANBgkqhkiG9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOIt
+OoldaDgvUSILSo3L6btdPrtcPbEo/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxP
+TGRGHVyH41neQtGbqH6mid2PHMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH60BGM+RFq
+7q89w1DTj18zeTyGqHNFkIwgtnJzFyO+B2XleJINugHA64wcZr+shncBlA2c5uk5jR+mUYyZDDl3
+4bSb+hxnV29qao6pK0xXeXpXIs/NX2NGjVxZOob4Mkdio2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd
+8VRY+WCv2hikLyhF3HqgiIZd8zvn/yk1gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS
+6Cvu5zHbugRqh5jnxV/vfaci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaY
+tlu3zM63Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayhjWZS
+aX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw3kAP+HwV96LOPNde
+E4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0=
+-----END CERTIFICATE-----

extras/build-tests/nix/build

@@ -53,6 +53,6 @@ fi
 
 echo ""
 echo ""
-echo "Now running UnrealIRCd test framework..."
-set -x
-extras/build-tests/nix/run-tests
+#echo "Now running UnrealIRCd test framework..."
+#set -x
+#extras/build-tests/nix/run-tests

extras/build-tests/nix/run-tests

@@ -18,11 +18,11 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
 	gem install rspec || true
 else
 	sudo apt-get install git python rake -y
-	sudo gem install bundler
+	gem install bundler -v "~>1.0"
 fi
 
 # Install 'ircfly'
-git clone https://github.com/unrealircd/ircfly.git
+git clone -q https://github.com/unrealircd/ircfly.git
 cd ircfly
 bundle install
 bundle exec rake build
@@ -34,30 +34,29 @@ fi
 cd ..
 
 # Install 'cipherscan'
-git clone https://github.com/mozilla/cipherscan
+git clone -q https://github.com/mozilla/cipherscan
 
-# Install 'unrealircd-tests'
-git clone https://github.com/unrealircd/unrealircd-tests.git
-cd unrealircd-tests
+# Install 'unrealircd-tests-old'
+git clone -q https://github.com/unrealircd/unrealircd-tests-old.git
+cd unrealircd-tests-old
 bundle install
 mv config.yaml.example config.yaml
 
 # Start the IRC servers
 cp ircdconfig/* ~/unrealircd/conf/
 cd ~/unrealircd
+bin/unrealircd -f hub.conf
 bin/unrealircd -f irc1.conf
 bin/unrealircd -f irc2.conf
 cd -
 
 # Do cipherscan test
 sleep 2
-cd ../cipherscan
-./cipherscan --no-colors 127.0.0.1:5900
-#./cipherscan --json 127.0.0.1:5900 >.........
-sleep 5
+cd ../extras/tests/tls
+./tls-tests
 cd -
 
-# Back in unrealircd-tests, run the tests!
+# Back in unrealircd-tests-old, run the tests!
 if [[ "$OSTYPE" == "darwin"* ]]; then
 	bundle exec rake
 else

extras/build-tests/nix/select-config

@@ -4,22 +4,28 @@
 # It is not meant to be used by end-users
 #
 
+function fail()
+{
+	echo "select-config failed: $*"
+	exit 1
+}
+
 function build_ssl {
 	DIR="$2"
 	URL="$1/$2.tar.gz"
 	savewd="$PWD"
 	cd ~
 	wget "$URL" || exit 1
-	tar xzvf $DIR.tar.gz
+	tar xzf $DIR.tar.gz
 	cd "$DIR"
-	(./configure --prefix=$HOME/ssl || ./config --prefix=$HOME/ssl -fPIC) || exit 1
-	(make -j2 && make install) || exit 1
+	(./configure --prefix=$HOME/ssl 1>/dev/null 2>&1 || ./config --prefix=$HOME/ssl -fPIC 1>/dev/null 2>&1 ) || fail "build_ssl: configure/config failed"
+	(make -j2 1>/dev/null 2>&1 && make install 1>/dev/null 2>&1) || fail "build_ssl: make failed"
 	cd "$savewd"
 	echo "SSLDIR=$HOME/ssl" >>config.settings
 }
 
 if [ ! -d extras ]; then
-	echo "This tool is supposed to be run from the source root, so ~/unrealircd-4.0.x or similar"
+	echo "This tool is supposed to be run from the source root, so ~/unrealircd-4.2.x or similar"
 	exit 1
 fi
 
@@ -82,18 +88,18 @@ do
 		fi
 		echo 'REMOTEINC=1' >>config.settings
 		echo "CURLDIR=`pwd`/extras/curl" >>config.settings
-	elif [ "$1" = "libressl-25" ]; then
-		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.5.5
-	elif [ "$1" = "libressl-26" ]; then
-		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.6.4
 	elif [ "$1" = "libressl-27" ]; then
-		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.7.2
+		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.7.5
+	elif [ "$1" = "libressl-28" ]; then
+		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.8.3
+	elif [ "$1" = "libressl-29" ]; then
+		build_ssl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL libressl-2.9.0
 	elif [ "$1" = "openssl-102" ]; then
-		build_ssl https://www.openssl.org/source openssl-1.0.2o
+		build_ssl https://www.openssl.org/source openssl-1.0.2q
 	elif [ "$1" = "openssl-110" ]; then
-		build_ssl https://www.openssl.org/source openssl-1.1.0h
+		build_ssl https://www.openssl.org/source openssl-1.1.0j
 	elif [ "$1" = "openssl-111" ]; then
-		build_ssl https://www.openssl.org/source openssl-1.1.1-pre7
+		build_ssl https://www.openssl.org/source openssl-1.1.1a
 	else
 		echo "Unknown option $1"
 		exit 1

extras/build-tests/windows/build.bat

@@ -6,16 +6,15 @@ if "%TARGET%" == "Visual Studio 2017" call "C:\Program Files (x86)\Microsoft Vis
 rem Installing tools
 cinst unrar -y
 cinst unzip -y
-cinst wget -y
 cinst innosetup -y
-wget https://www.unrealircd.org/files/dev/win/dlltool.exe
+curl -fsS -o dlltool.exe https://www.unrealircd.org/files/dev/win/dlltool.exe
 
 rem Installing UnrealIRCd dependencies
 cd \projects
 mkdir unrealircd-deps
 cd unrealircd-deps
-wget https://www.unrealircd.org/files/dev/win/SetACL.exe
-wget https://www.unrealircd.org/files/dev/win/libs/unrealircd-libraries-devel.zip
+curl -fsS -o SetACL.exe https://www.unrealircd.org/files/dev/win/SetACL.exe
+curl -fsS -o unrealircd-libraries-devel.zip https://www.unrealircd.org/files/dev/win/libs/unrealircd-libraries-devel.zip
 unzip unrealircd-libraries-devel.zip
 
 cd \projects\unrealircd

extras/build-tests/windows/compilecmd/vs2017.bat

@@ -3,7 +3,7 @@ rem Build command for Visual Studio 2017
 nmake -f makefile.win32 ^
 LIBRESSL_INC_DIR="c:\projects\unrealircd-deps\libressl\include" ^
 LIBRESSL_LIB_DIR="c:\projects\unrealircd-deps\libressl\lib" ^
-SSLLIB="crypto-43.lib ssl-45.lib" ^
+SSLLIB="crypto-44.lib ssl-46.lib" ^
 USE_REMOTEINC=1 ^
 LIBCURL_INC_DIR="c:\projects\unrealircd-deps\curl-ssl\include" ^
 LIBCURL_LIB_DIR="c:\projects\unrealircd-deps\curl-ssl\builds\libcurl-vc-x86-release-dll-ssl-dll-ipv6-sspi-obj-lib" ^
@@ -15,4 +15,7 @@ TRE_INC_DIR="c:\projects\unrealircd-deps\tre" ^
 TRELIB="tre.lib" ^
 PCRE2_INC_DIR="c:\projects\unrealircd-deps\pcre2\include" ^
 PCRE2_LIB_DIR="c:\projects\unrealircd-deps\pcre2\lib" ^
-PCRE2LIB="pcre2-8.lib" %*
+PCRE2LIB="pcre2-8.lib" ^
+ARGON2_LIB_DIR="c:\projects\unrealircd-deps\argon2\vs2015\build" ^
+ARGON2_INC_DIR="c:\projects\unrealircd-deps\argon2\include" ^
+ARGON2LIB="Argon2RefDll.lib" %*

extras/curlinstall

@@ -4,7 +4,7 @@ OUTF="curl-latest.tar.gz"
 OUTD="curl-latest"
 ARESPATH="`pwd`/extras/c-ares"
 UNREALDIR="`pwd`"
-CARESVERSION="1.13.0"
+CARESVERSION="1.15.0"
 LIBDIR="$1"
 
 if [ "x$1" = "x" ]; then
@@ -18,7 +18,7 @@ if [ ! -f src/parse.c ]; then
 		cd ..
 	else
 		echo "Please run this program from your UnrealIRCd directory"
-		echo "(usually $HOME/unrealircd-4.0.X or something like that)"
+		echo "(usually $HOME/unrealircd-4.2.X or something like that)"
 		exit 1
 	fi
 fi

extras/patches/patch_spamfilter_conf

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# This script tries to upgrade spamfilter.conf from an old
+# version that uses 'posix' spamfilters to a bit more recent
+# version with examples using 'regex' spamfilters.
+# This so fewer users end up with a headache when upgrading
+# to UnrealIRCd 4.2.3+.
+#
+
+if [ -f spamfilter.conf.patch ]; then
+	F="`pwd`/spamfilter.conf.patch"
+elif [ -f extras/patches/spamfilter.conf.patch ]; then
+	F="`pwd`/extras/patches/spamfilter.conf.patch"
+else
+	echo "WARNING: spamfilter.conf.patch not found"
+	exit 0
+fi
+
+if [ ! -f "$F" ]; then
+	echo "WARNING: spamfilter.conf.patch not found in round two"
+	exit 0
+fi
+
+if [ "$1" = "" ]; then
+	echo "ERROR: No target confdir specified."
+	exit 0
+fi
+
+if [ ! -f "$1/spamfilter.conf" ]; then
+	echo "WARNING: no spamfilter.conf found in $1 -- strange"
+	exit 0
+fi
+
+cd "$1" || exit 1
+cat "$F"|patch -p0 --dry-run -N 1>/dev/null 2>&1
+if [ "$?" = 0 ]; then
+	# Patch succeeded, patch now!
+	echo "Upgrading examples in your spamfilter.conf..."
+	cat "$F"|patch -p0 -N
+fi

extras/patches/spamfilter.conf.patch

@@ -0,0 +1,328 @@
+--- spamfilter.conf.old	2015-06-27 18:29:01.084559805 +0200
++++ spamfilter.conf	2019-04-04 18:29:38.390647262 +0200
+@@ -1,232 +1,154 @@
+ /*
+- * This an example spamfilter file, it contains several
+- * real and useful spamfilters. This should give you an
+- * idea of how powerful spamfilter can be in real-life
+- * situations.
++ * This configuration file contains example spamfilter rules.
++ * They are real rules that were useful a long time ago.
++ * Since 2005 these rules are no longer maintained.
++ * The main purpose nowadays is to serve as an example
++ * to give you an idea of how powerful spamfilters can
++ * be in real-life situations.
+  *
+- * $Id$
++ * Documentation on spamfilter is available at:
++ * https://www.unrealircd.org/docs/Spamfilter
+  */
+ 
+-/* Guidelines on the 'action' field:
+- * As a general rule we use 'action block' for any newly added
+- * spamfilters at first, later on (after knowing about false
+- * positives) we might change some to viruschan/kill/gline/etc..
++/* General note:
++ * If you want to use a \ in a spamfilter, or in fact
++ * anywhere in the configuration file, then you need
++ * to escape this to \\ instead.
+  */
+ 
+-spamfilter {
+-	match-type posix;
+-	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
+-	target { private; channel; };
+-	action kill;
+-	reason "mIRC 6.0-6.11 exploit attempt";
+-};
+ 
+-spamfilter {
+-	match-type posix;
+-	match "\x01DCC (SEND|RESUME).{225}";
+-	target { private; channel; };
+-	action kill;
+-	reason "Possible mIRC 6.12 exploit attempt";
+-};
++/* First some spamfilters with match-type 'simple'.
++ * The only matchers available are * and ?
++ * PRO's: very fast, easy matching: everyone can do this.
++ * CON's: limited ability to fine-tune spamfilters
++ */
+ 
+ spamfilter {
+-	match-type posix;
+-	match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
++	match-type simple;
++	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
+ 	target private;
+ 	action gline;
+ 	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
+ };
+ 
++/* This signature uses a \ which has to escaped to \\ in the configuration file */
+ spamfilter {
+-	match-type posix;
+-	match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
+-	target private;
+-	action gline;
+-	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
+-	target private;
++	match-type simple;
++	match "C:\\WINNT\\system32\\*.zip";
++	target dcc;
+ 	action block;
+-	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
++	reason "Infected by Gaggle worm?";
+ };
+ 
+ spamfilter {
+-	match-type posix;
+-	match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
++	match-type simple;
++	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
+ 	target private;
+ 	action gline;
+-	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^!login Wasszup!$";
+-	target channel;
+-	action gline;
+-	reason "Attempting to login to a GTBot";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^!login grrrr yeah baby!$";
+-	target channel;
+-	action gline;
+-	reason "Attempting to login to a GTBot";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
+-	target channel;
+-	action gline;
+-	reason "Attempting to use a GTBot";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
+-	target channel;
+-	action gline;
+-	reason "Attempting to use a GTBot";
++	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
+ };
+ 
+ spamfilter {
+-	match-type posix;
+-	match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
+-	target channel;
++	match-type simple;
++	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
++	target private;
+ 	action gline;
+-	reason "Attempting to use a GTBot";
++	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+ };
+ 
+-spamfilter {
+-	match-type posix;
+-	match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
+-	target channel;
+-	action gline;
+-	reason "Attempting to use a GTBot";
+-};
+ 
+-spamfilter {
+-	match-type posix;
+-	match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
+-	target channel;
+-	action gline;
+-	reason "Attempting to use an SDBot";
+-};
++/* Now spamfilters of type 'regex'.
++ * These use powerful regular expressions (Perl/PCRE style)
++ * You may have to learn more about "regex" first before you
++ * can use them. For example the dot ('.') has special meaning.
++ */
+ 
++/* This regex shows a pattern which requires 20 paramaters,
++ * such as "x x x x x x x x x x x x x x x x x x x x"
++ */
+ spamfilter {
+-	match-type posix;
+-	match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
+-	target { channel; private; };
+-	action gline;
+-	reason "Attempting to use a SpyBot";
++	match-type regex;
++	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
++	target { private; channel; };
++	action kill;
++	reason "mIRC 6.0-6.11 exploit attempt";
+ };
+ 
++/* Similarly, this regex shows a pattern that matches
++ * against at least 225 characters in length.
++ */
+ spamfilter {
+-	match-type posix;
+-	match "^porn! porno! http://.+\/sexo\.exe";
+-	target private;
+-	action gline;
+-	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
++	match-type regex;
++	match "\x01DCC (SEND|RESUME).{225}";
++	target { private; channel; };
++	action kill;
++	reason "Possible mIRC 6.12 exploit attempt";
+ };
+ 
++/* Earlier you saw an example of a $decode exploit which used
++ * match-type 'simple' and - indeed - the filter was quite simple.
++ * The following uses a regex with a similar example.
++ * Regular expressions are very powerful but here you can see
++ * that it actually complicates writing a filter quite a bit.
++ * With regex in this filter we need to escape the ( and all
++ * the dots, question marks, etc. if we want to match these
++ * characters in literal text.
++ */
+ spamfilter {
+-	match-type posix;
+-	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
++	match-type regex;
++	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
+ 	target private;
+-	action gline;
+-	reason "Infected by some trojan (erotica?)";
++	action block;
++	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
+ };
+ 
+ spamfilter {
+-	match-type posix;
+-	match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
++	match-type regex;
++	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
+ 	target private;
+-	action gline;
+-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
++	action block;
++	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
+ };
+ 
++/* This shows a regex which specifically matches an entire line by 
++ * the use of ^ and $
++ */
+ spamfilter {
+-	match-type posix;
+-	match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
+-	target private;
++	match-type regex;
++	match "^!login Wasszup!$";
++	target channel;
+ 	action gline;
+-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
++	reason "Attempting to login to a GTBot";
+ };
+ 
++/* An example of how to match against an IP address in text (IPv4 only) */
+ spamfilter {
+-	match-type posix;
+-	match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
+-	target private;
++	match-type regex;
++	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
++	target channel;
+ 	action gline;
+-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
++	reason "Attempting to use a GTBot";
+ };
+ 
++/* A slightly more complex example with a partial OR matcher (|) */
+ spamfilter {
+-	match-type posix;
+-	match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
++	match-type regex;
++	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
+ 	target private;
+ 	action gline;
+-	reason "Infected by LOI trojan";
+-};
+-
+-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
+-spamfilter {
+-	match-type posix;
+-	match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
+-	target dcc;
+-	action block;
+-	reason "Infected by Gaggle worm?";
++	reason "Infected by some trojan (erotica?)";
+ };
+ 
++/* In regex a \ is special and needs to be escaped to \\
++ * However in this configuration file, \ is also special and
++ * needs to be escaped to \\ as well.
++ * The result is that we need double escaping:
++ * To match a \ you need to write \\\\ in the configuration file.
++ */
+ spamfilter {
+-	match-type posix;
+-	match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
++	match-type regex;
++	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
+ 	target dcc;
+ 	action dccblock;
+ 	reason "Infected by Gaggle worm";
+ };
+-
+-spamfilter {
+-	match-type posix;
+-	match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
+-	target { private; quit; };
+-	action block;
+-	reason "Infected by Gaggle worm";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
+-	target private;
+-	action block;
+-	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
+-};
+-
+-spamfilter {
+-	match-type posix;
+-	match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
+-	target channel;
+-	action block;
+-	reason "$decode exploit";
+-};
+-
+-/*
+-spamfilter {
+-	regex "//write \$decode\(.+\|.+load -rs";
+-	target { private; channel; };
+-	reason "Generic $decode exploit";
+-	action block;
+-};
+-*/
+-
+-spamfilter {
+-	match-type posix;
+-	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
+-	target private;
+-	action block;
+-	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
+-};

extras/security/apparmor/unrealircd

@@ -3,10 +3,10 @@
 # Note that you may still see some DENIED warnings in logs with
 # operation="chmod". These are harmless and can be safely ignored.
 #
-# Tested on Ubuntu 16.x and 17.x
+# Tested on Ubuntu 16.04 LTS and Ubuntu 18.04 LTS
 #
-# NOTE: you will have to modify the path to executable below
-#       if it's not /home/ircd/unrealircd/bin/unrealircd.
+# IMPORTANT: you will have to modify the path to executable below
+#            if it's not /home/ircd/unrealircd/bin/unrealircd !
 
 #include <tunables/global>
 

extras/tests/tls/cipherscan_profiles/baseline.txt

@@ -0,0 +1,33 @@
+Target: 127.0.0.1:5900
+
+prio  ciphersuite                  protocols              pfs                 curves
+1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+7     AES256-GCM-SHA384            TLSv1.2                None                None
+8     AES128-GCM-SHA256            TLSv1.2                None                None
+9     AES256-SHA256                TLSv1.2                None                None
+10    AES128-SHA256                TLSv1.2                None                None
+11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+
+Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature
+TLS ticket lifetime hint: None
+NPN protocols: None
+OCSP stapling: not supported
+Cipher ordering: server
+Curves ordering: server - fallback: no
+Server supports secure renegotiation
+Server supported compression methods: NONE
+TLS Tolerance: yes
+
+Intolerance to:
+ SSL 3.254           : absent
+ TLS 1.0             : absent
+ TLS 1.1             : absent
+ TLS 1.2             : absent
+ TLS 1.3             : absent
+ TLS 1.4             : absent

extras/tests/tls/cipherscan_profiles/baseline2.txt

@@ -0,0 +1,33 @@
+Target: 127.0.0.1:5900
+
+prio  ciphersuite                  protocols              pfs                 curves
+1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+4     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits  secp521r1,secp384r1,prime256v1
+7     AES256-GCM-SHA384            TLSv1.2                None                None
+8     AES128-GCM-SHA256            TLSv1.2                None                None
+9     AES256-SHA256                TLSv1.2                None                None
+10    AES128-SHA256                TLSv1.2                None                None
+11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+
+Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature
+TLS ticket lifetime hint: None
+NPN protocols: None
+OCSP stapling: not supported
+Cipher ordering: server
+Curves ordering: server - fallback: no
+Server supports secure renegotiation
+Server supported compression methods: NONE
+TLS Tolerance: yes
+
+Intolerance to:
+ SSL 3.254           : absent
+ TLS 1.0             : absent
+ TLS 1.1             : absent
+ TLS 1.2             : absent
+ TLS 1.3             : absent
+ TLS 1.4             : absent

extras/tests/tls/cipherscan_profiles/openssl-102.txt

@@ -0,0 +1,33 @@
+Target: 127.0.0.1:5900
+
+prio  ciphersuite                  protocols              pfs                 curves
+1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+4     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
+7     AES256-GCM-SHA384            TLSv1.2                None                None
+8     AES128-GCM-SHA256            TLSv1.2                None                None
+9     AES256-SHA256                TLSv1.2                None                None
+10    AES128-SHA256                TLSv1.2                None                None
+11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+12    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
+
+Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature
+TLS ticket lifetime hint: None
+NPN protocols: None
+OCSP stapling: not supported
+Cipher ordering: server
+Curves ordering: server - fallback: no
+Server supports secure renegotiation
+Server supported compression methods: NONE
+TLS Tolerance: yes
+
+Intolerance to:
+ SSL 3.254           : absent
+ TLS 1.0             : absent
+ TLS 1.1             : absent
+ TLS 1.2             : absent
+ TLS 1.3             : absent
+ TLS 1.4             : absent

extras/tests/tls/tls-tests

@@ -0,0 +1,81 @@
+#!/bin/bash
+# We assume we are executed from extras/tests/tls
+
+function fail()
+{
+	echo "TLS TEST ERROR: $*"
+	exit 1
+}
+
+CIPHERSCAN="cipherscan"
+OPENSSL="openssl"
+if [ -x /home/travis/build/unrealircd/unrealircd/cipherscan/cipherscan ]; then
+	CIPHERSCAN="/home/travis/build/unrealircd/unrealircd/cipherscan/cipherscan"
+	OPENSSL="/home/travis/build/unrealircd/unrealircd/cipherscan/openssl"
+fi
+
+$CIPHERSCAN --help >/dev/null || exit 1
+
+
+# This is the basic cipherscan test.
+# It compares the output against a reference .txt file and alarms us if there
+# are any changes. These changes may not always be harmful, but at least we
+# will get warned on any possible changes.
+$CIPHERSCAN --no-colors 127.0.0.1:5900|grep -vF '.....' >cipherscan.test.txt
+
+# Now check if profile matches, if so.. everything is ok.
+# We have 1 or more baseline profiles
+# And you can optionally add profile-specific, eg openssl-102.txt
+FAILED=1
+for f in cipherscan_profiles/baseline*txt cipherscan_profiles/$BUILDCONFIG.txt
+do
+	diff -uab $f cipherscan.test.txt 1>/dev/null 2>&1
+	if [ "$?" -eq 0 ]; then
+		FAILED=0
+		echo "Cipherscan profile $f matched."
+		break
+	fi
+done
+
+if [ "$FAILED" -eq 1 ]; then
+	echo "*** Differences found between cipherscan scan and expected output ***"
+	if [ -f cipherscan_profiles/$BUILDCONFIG.txt ]; then
+		COMPARE_PROFILE="cipherscan_profiles/$BUILDCONFIG.txt"
+	else
+		COMPARE_PROFILE="cipherscan_profiles/baseline.txt"
+	fi
+	echo "== EXPECTED OUTPUT ($COMPARE_PROFILE) =="
+	cat $COMPARE_PROFILE
+	echo
+	echo "== ACTUAL TEST OUTPUT =="
+	cat cipherscan.test.txt
+	echo
+	echo "== DIFF =="
+	diff -uab $COMPARE_PROFILE cipherscan.test.txt
+	echo
+	echo "cipherscan test failed."
+	exit 1
+else
+	echo "*** Cipherscan output was good ***"
+	cat cipherscan.test.txt
+fi
+
+# This checks for a couple of old ciphers that should never work:
+for cipher in 3DES RC4
+do
+	echo "Testing cipher $cipher (MUST FAIL!).."
+	(echo QUIT|$OPENSSL s_client -connect 127.0.0.1:5900 -cipher $cipher) &&
+	fail "UnrealIRCd allowed us to connect with cipher $cipher, BAD!"
+done
+
+# This checks older SSL/TLS versions that should not work:
+for protocol in ssl2 ssl3
+do
+	echo "Testing protocol $protocol (MUST FAIL!).."
+	(echo QUIT|$OPENSSL s_client -connect 127.0.0.1:5900 -$protocol) &&
+	fail "UnrealIRCd allowed us to connect with protocol $protocol, BAD!"
+done
+
+echo
+echo "TLS tests ended (no issues)."
+exit 0

include/auth.h

@@ -33,6 +33,7 @@ typedef	struct {
 #define AUTHTYPE_SSL_CLIENTCERTFP 6
 #define AUTHTYPE_BCRYPT 7
 #define AUTHTYPE_SPKIFP	8
+#define AUTHTYPE_ARGON2 9
 
 #ifndef HAVE_CRYPT
 #define crypt DES_crypt

include/badwords.h

@@ -1,36 +0,0 @@
-#ifndef __BADWORDS_H
-#define __BADWORDS_H
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "tre/regex.h"
-
-#define MAX_MATCH       1
-#define MAX_WORDLEN	64
-
-#define PATTERN		"\\w*%s\\w*"
-#define REPLACEWORD	"<censored>"
-
-#define BADW_TYPE_INVALID 0x0
-#define BADW_TYPE_FAST    0x1
-#define BADW_TYPE_FAST_L  0x2
-#define BADW_TYPE_FAST_R  0x4
-#define BADW_TYPE_REGEX   0x8
-
-#define BADWORD_REPLACE 1
-#define BADWORD_BLOCK 2
-
-typedef struct _configitem_badword ConfigItem_badword;
-
-struct _configitem_badword {
-	ConfigItem_badword      *prev, *next;
-	ConfigFlag	flag;
-	char		*word, *replace;
-	unsigned short	type;
-	char		action;
-	regex_t 	expr;
-};
-
-#endif

include/common.h

@@ -225,7 +225,7 @@ static char *StsMalloc(size_t size, char *file, long line)
 
 #endif
 
-#define safestrdup(x,y) do { if (x) MyFree(x); if (!y) x = NULL; else x = strdup(y); } while(0)
+#define safestrdup(x,y) do { if (x) MyFree(x); if (!(y)) x = NULL; else x = strdup(y); } while(0)
 #define safestrldup(x,y,sz) do { if (x) MyFree(x); if (!y) x = NULL; else x = strldup(y,sz); } while(0)
 #define safefree(x) do { if (x) MyFree(x); x = NULL; } while(0)
 
@@ -255,23 +255,6 @@ extern struct SLink *find_user_link( /* struct SLink *, struct Client * */ );
 #define CHPAR3        "l"
 #define CHPAR4        "psmntir"
 
-
-/* Server-Server PROTOCTL -Stskeeps
- * This is the FIRST line only, please check send_proto() for more. -- Syzop
- * Also take MAXPARA into account !
- */
-#define PROTOCTL_SERVER "NOQUIT" \
-                        " NICKv2" \
-                        " SJOIN" \
-                        " SJOIN2" \
-                        " UMODE2" \
-                        " VL" \
-                        " SJ3" \
-                        " TKLEXT" \
-                        " TKLEXT2" \
-                        " NICKIP" \
-                        " ESVID"
-
 #ifdef _WIN32
 /*
  * Used to display a string to the GUI interface.

include/config.h

@@ -215,14 +215,6 @@
  */
 #define NickServ "NickServ"
 
-/*
- * How many open targets can one nick have for messaging nicks and
- * inviting them?
- */
-
-#define MAXTARGETS		20
-#define TARGET_DELAY		15
-
 /*   STOP STOP STOP STOP STOP STOP STOP STOP STOP STOP STOP STOP STOP STOP  */
 
 /* You shouldn't change anything below this line, unless absolutely needed. */
@@ -242,8 +234,36 @@
  *
  * 2004-10-13: 1024 -> 4096
  */
-#ifndef MAXCONNECTIONS
-#define MAXCONNECTIONS	10240
+#ifdef _WIN32
+ #define MAXCONNECTIONS	10240
+#else
+ /* Non-Windows: */
+ #if (!defined(MAXCONNECTIONS_REQUEST) || (MAXCONNECTIONS_REQUEST < 1)) && \
+      (defined(HAVE_POLL) || defined(HAVE_EPOLL) || defined(HAVE_KQUEUE))
+  /* Have poll/epoll/kqueue and either no --with-maxconnections or
+   * --with-maxconnections=0, either of which indicates 'automatic' mode.
+   * At the time of writing we will try a limit of 8192.
+   * It will automatically be lowered at boottime if we can only use
+   * 4096, 2048 or 1024. No problem.
+   */
+  #define MAXCONNECTIONS 8192
+ #elif defined(MAXCONNECTIONS_REQUEST) && (MAXCONNECTIONS_REQUEST >= 1)
+  /* --with-maxconnections=something */
+  #define MAXCONNECTIONS MAXCONNECTIONS_REQUEST
+ #else
+  /* Automatic mode, but we only have select(). Bummer... */
+  #define MAXCONNECTIONS 1024
+ #endif
+#endif
+
+/* Number of file descriptors reserved for non-incoming-clients.
+ * One of which may be used by auth, the rest are really reserved.
+ * They can be used for outgoing server links, listeners, logging, etc.
+ */
+#if MAXCONNECTIONS > 1024
+ #define CLIENTS_RESERVE 8
+#else
+ #define CLIENTS_RESERVE 4
 #endif
 
 /*
@@ -295,9 +315,6 @@
 #define SPAMFILTER_DETECTSLOW
 #endif
 
-/* Use TRE Regex Library (as well) ? */
-#define USE_TRE
-
 /* Maximum number of ModData objects that may be attached to an object */
 /* UnrealIRCd 4.0.0 - 4.0.13:  8, 8, 4, 4
  * UnrealIRCd 4.0.14+       : 12, 8, 4, 4
@@ -316,7 +333,7 @@
 /* Default SSL/TLS cipherlist (except for TLS1.3, see further down).
  * This can be changed via set::ssl::options::ciphers in the config file.
  */
-#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-128-GCM-SHA256 TLS13-AES-256-GCM-SHA384 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
+#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
 
 /* Default TLS 1.3 ciphersuites.
  * This can be changed via set::ssl::options::ciphersuites in the config file.
@@ -415,11 +432,6 @@ error You stuffed up config.h signals
 #ifdef	POSIX_SIGNALS
 #define	HAVE_RELIABLE_SIGNALS
 #endif
-/*
- * safety margin so we can always have one spare fd, for motd/authd or
- * whatever else.  -4 allows "safety" margin of 1 and space reserved.
- */
-#define	MAXCLIENTS	(MAXCONNECTIONS-4)
 #ifdef HAVECURSES
 # define DOCURSES
 #else
@@ -464,12 +476,6 @@ error You stuffed up config.h signals
 #if defined(SOL20) || defined(SOL25) || defined(SOL26) || defined(SOL27)
 #define _SOLARIS
 #endif
-/*
- * Cleaup for WIN32 platform.
- */
-#ifdef _WIN32
-# undef FORCE_CORE
-#endif
 #ifdef NEED_BCMP
 #define bcmp memcmp
 #endif

include/dynconf.h

@@ -92,11 +92,16 @@ struct zConfiguration {
 	char *static_quit;
 	char *static_part;
 	SSLOptions *ssl_options;
-	PlaintextPolicy plaintext_policy_user;
+	Policy plaintext_policy_user;
 	char *plaintext_policy_user_message;
-	PlaintextPolicy plaintext_policy_oper;
+	Policy plaintext_policy_oper;
 	char *plaintext_policy_oper_message;
-	PlaintextPolicy plaintext_policy_server;
+	Policy plaintext_policy_server;
+	Policy outdated_tls_policy_user;
+	char *outdated_tls_policy_user_message;
+	Policy outdated_tls_policy_oper;
+	char *outdated_tls_policy_oper_message;
+	Policy outdated_tls_policy_server;
 	enum UHAllowed userhost_allowed;
 	char *restrict_usermodes;
 	char *restrict_channelmodes;
@@ -111,13 +116,17 @@ struct zConfiguration {
 	long away_period;
 	unsigned char nick_count;
 	long nick_period;
+	unsigned char invite_count;
+	long invite_period;
+	unsigned char knock_count;
+	long knock_period;
+	unsigned char max_concurrent_conversations_users;
+	unsigned char max_concurrent_conversations_new_user_every;
 	int ident_connect_timeout;
 	int ident_read_timeout;
 	long default_bantime;
 	int who_limit;
 	int silence_limit;
-	unsigned char modef_default_unsettime;
-	unsigned char modef_max_unsettime;
 	long ban_version_tkl_time;
 	long spamfilter_ban_time;
 	char *spamfilter_ban_reason;
@@ -138,7 +147,11 @@ struct zConfiguration {
 	aNetwork network;
 	unsigned short default_ipv6_clone_mask;
 	int ping_cookie;
-	int nicklen;
+	int nick_length;
+	int topic_length;
+	int kick_length;
+	int quit_length;
+	int away_length;
 	int hide_list;
 	int max_unknown_connections_per_ip;
 	long handshake_timeout;
@@ -148,6 +161,11 @@ struct zConfiguration {
 	char *reject_message_too_many_connections;
 	char *reject_message_server_full;
 	char *reject_message_unauthorized;
+	char *reject_message_kline;
+	char *reject_message_gline;
+	int topic_setter;
+	int ban_setter;
+	int ban_setter_sync;
 };
 
 #ifndef DYNCONF_C
@@ -216,6 +234,10 @@ extern MODVAR int ipv6_disabled;
 #define AWAY_COUNT			iConf.away_count
 #define NICK_PERIOD			iConf.nick_period
 #define NICK_COUNT			iConf.nick_count
+#define KNOCK_PERIOD			iConf.knock_period
+#define KNOCK_COUNT			iConf.knock_count
+#define INVITE_PERIOD			iConf.invite_period
+#define INVITE_COUNT			iConf.invite_count
 
 #define IDENT_CONNECT_TIMEOUT	iConf.ident_connect_timeout
 #define IDENT_READ_TIMEOUT		iConf.ident_read_timeout
@@ -228,9 +250,6 @@ extern MODVAR int ipv6_disabled;
 #define DEFAULT_BANTIME			iConf.default_bantime
 #define WHOLIMIT			iConf.who_limit
 
-#define MODEF_DEFAULT_UNSETTIME	iConf.modef_default_unsettime
-#define MODEF_MAX_UNSETTIME		iConf.modef_max_unsettime
-
 #define ALLOW_PART_IF_SHUNNED	iConf.allow_part_if_shunned
 
 #define DISABLE_CAP	iConf.disable_cap
@@ -313,6 +332,8 @@ struct SetCheck {
 	unsigned has_anti_flood_away_period:1;
 	unsigned has_anti_flood_nick_flood:1;
 	unsigned has_anti_flood_connect_flood:1;
+	unsigned has_anti_flood_invite_flood:1;
+	unsigned has_anti_flood_knock_flood:1;
 	unsigned has_ident_connect_timeout:1;
 	unsigned has_ident_read_timeout:1;
 	unsigned has_default_bantime:1;
@@ -320,8 +341,6 @@ struct SetCheck {
 	unsigned has_maxbans:1;
 	unsigned has_maxbanlength:1;
 	unsigned has_silence_limit:1;
-	unsigned has_modef_default_unsettime:1;
-	unsigned has_modef_max_unsettime:1;
 	unsigned has_ban_version_tkl_time:1;
 	unsigned has_spamfilter_ban_time:1;
 	unsigned has_spamfilter_ban_reason:1;
@@ -351,7 +370,7 @@ struct SetCheck {
 	unsigned has_options_disable_cap:1;
 	unsigned has_options_disable_ipv6:1;
 	unsigned has_ping_cookie:1;
-	unsigned has_nicklen:1;
+	unsigned has_nick_length:1;
 	unsigned has_hide_ban_reason:1;
 };
 

include/h.h

@@ -43,12 +43,15 @@ extern MODVAR struct stats *ircstp;
 extern MODVAR int bootopt;
 extern MODVAR time_t TSoffset;
 extern MODVAR time_t timeofday;
+extern MODVAR char cmodestring[512];
+extern MODVAR char umodestring[UMODETABLESZ+1];
 /* newconf */
 #define get_sendq(x) ((x)->local->class ? (x)->local->class->sendq : MAXSENDQLENGTH)
 /* get_recvq is only called in send.c for local connections */
 #define get_recvq(x) ((x)->local->class->recvq ? (x)->local->class->recvq : DEFAULT_RECVQ)
 
 #define CMD_FUNC(x) int (x) (aClient *cptr, aClient *sptr, int parc, char *parv[])
+#define CMD_OVERRIDE_FUNC(x) int (x)(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[])
 
 /*
  * Configuration linked lists
@@ -125,6 +128,7 @@ extern void OperClassValidatorDel(OperClassValidator *validator);
 
 extern ConfigItem_ban  *Find_ban_ip(aClient *sptr);
 extern void add_ListItem(ListStruct *, ListStruct **);
+extern void append_ListItem(ListStruct *item, ListStruct **list);
 extern void add_ListItemPrio(ListStructPrio *, ListStructPrio **, int);
 extern ListStruct *del_ListItem(ListStruct *, ListStruct **);
 extern aClient *find_match_server(char *mask);
@@ -235,6 +239,7 @@ extern void get_my_name(aClient *, char *, int);
 extern int get_sockerr(aClient *);
 extern int inetport(ConfigItem_listen *, char *, int, int);
 extern void init_sys();
+extern void check_user_limit(void);
 extern void init_modef();
 extern int verify_hostname(char *name);
 
@@ -293,7 +298,7 @@ extern void sendto_server(aClient *one, unsigned long caps, unsigned long nocaps
 extern void sendto_ops_and_log(char *pattern, ...) __attribute__((format(printf,1,2)));
 
 extern MODVAR int writecalls, writeb[];
-extern int deliver_it(aClient *, char *, int);
+extern int deliver_it(aClient *cptr, char *str, int len, int *want_read);
 extern int  check_for_target_limit(aClient *sptr, void *target, const char *name);
 extern char *canonize(char *buffer);
 extern ConfigItem_deny_dcc *dcc_isforbidden(aClient *sptr, char *filename);
@@ -431,17 +436,10 @@ extern int checkprotoflags(aClient *, int, char *, int);
 
 extern char *inetntop(int af, const void *in, char *local_dummy, size_t the_size);
 
-/*
- * CommandHash -Stskeeps
-*/
+/* Internal command stuff - not for modules */
 extern MODVAR aCommand *CommandHash[256];
-extern void	init_CommandHash(void);
-extern aCommand *add_Command_backend(char *cmd, int (*func)(), unsigned char parameters, int flags);
-extern void	add_Command(char *cmd, int (*func)(), unsigned char parameters);
-extern void	add_Command_to_list(aCommand *item, aCommand **list);
-extern aCommand *del_Command_from_list(aCommand *item, aCommand **list);
-extern int	del_Command(char *cmd, int (*func)());
-extern void    add_CommandX(char *cmd, int (*func)(), unsigned char parameters, int flags);
+extern void init_CommandHash(void);
+extern aCommand *add_Command_backend(char *cmd);
 
 /* CRULE */
 char *crule_parse(char *);
@@ -490,6 +488,7 @@ extern void      flag_add(char ch);
 extern void      flag_del(char ch);
 extern void init_dynconf(void);
 extern char *pretty_time_val(long);
+extern char *pretty_date(TS t);
 extern int        init_conf(char *filename, int rehash);
 extern void       validate_configuration(void);
 extern void       run_configuration(void);
@@ -504,6 +503,9 @@ extern time_t rfc2time(char *s);
 extern char *rfctime(time_t t, char *buf);
 extern void *MyMallocEx(size_t size);
 extern MODFUNC char  *ssl_get_cipher(SSL *ssl);
+extern SSLOptions *get_ssl_options_for_client(aClient *acptr);
+extern int outdated_tls_client(aClient *acptr);
+extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr);
 extern long config_checkval(char *value, unsigned short flags);
 extern void config_status(char *format, ...) __attribute__((format(printf,1,2)));
 extern void init_random();
@@ -513,7 +515,6 @@ extern u_int32_t getrandom32();
 extern void ident_failed(aClient *cptr);
 
 extern MODVAR char extchmstr[4][64];
-extern MODVAR char extbanstr[EXTBANTABLESZ+1];
 
 extern int extcmode_default_requirechop(aClient *, aChannel *, char, char *, int, int);
 extern int extcmode_default_requirehalfop(aClient *, aChannel *, char, char *, int, int);
@@ -553,7 +554,6 @@ extern void ExtbanDel(Extban *);
 extern void extban_init(void);
 extern char *trim_str(char *str, int len);
 extern MODVAR char *ban_realhost, *ban_virthost, *ban_ip;
-extern char *unreal_checkregex(char *s, int fastsupport, int check_broadness);
 extern int banact_stringtoval(char *s);
 extern char *banact_valtostring(int val);
 extern int banact_chartoval(char c);
@@ -601,7 +601,6 @@ extern int del_dccallow(aClient *sptr, aClient *optr);
 extern void delete_linkblock(ConfigItem_link *link_ptr);
 extern void delete_classblock(ConfigItem_class *class_ptr);
 extern void del_async_connects(void);
-extern void make_extbanstr(void);
 extern void isupport_init(void);
 extern void clicap_init(void);
 extern int do_cmd(aClient *cptr, aClient *sptr, char *cmd, int parc, char *parv[]);
@@ -659,7 +658,7 @@ extern MODVAR void (*send_moddata_members)(aClient *srv);
 extern MODVAR void (*broadcast_moddata_client)(aClient *acptr);
 extern MODVAR int (*check_banned)(aClient *cptr);
 extern MODVAR void (*introduce_user)(aClient *to, aClient *acptr);
-extern MODVAR int (*check_deny_version)(aClient *cptr, char *version_string, int protocol, char *flags);
+extern MODVAR int (*check_deny_version)(aClient *cptr, char *software, int protocol, char *flags);
 extern MODVAR int (*match_user)(char *rmask, aClient *acptr, int options);
 extern MODVAR void (*userhost_save_current)(aClient *sptr);
 extern MODVAR void (*userhost_changed)(aClient *sptr);
@@ -667,11 +666,13 @@ extern MODVAR void (*send_join_to_local_users)(aClient *sptr, aChannel *chptr);
 extern MODVAR int (*do_nick_name)(char *nick);
 extern MODVAR int (*do_remote_nick_name)(char *nick);
 extern MODVAR char *(*charsys_get_current_languages)(void);
+extern MODVAR void *(*broadcast_sinfo)(aClient *acptr, aClient *to, aClient *except);
 /* /Efuncs */
 
 extern MODVAR aMotdFile opermotd, svsmotd, motd, botmotd, smotd, rules;
 extern MODVAR int max_connection_count;
 extern int add_listmode(Ban **list, aClient *cptr, aChannel *chptr, char *banid);
+extern int add_listmode_ex(Ban **list, aClient *cptr, aChannel *chptr, char *banid, char *setby, TS seton);
 extern int del_listmode(Ban **list, aChannel *chptr, char *banid);
 extern int Halfop_mode(long mode);
 extern char *clean_ban_mask(char *, int, aClient *);
@@ -681,9 +682,10 @@ extern char *md5hash(unsigned char *dst, const unsigned char *src, unsigned long
 extern MODVAR char langsinuse[4096];
 extern MODVAR char *casemapping[2];
 extern MODVAR aTKline *tklines[TKLISTLEN];
+extern MODVAR aTKline *tklines_ip_hash[TKLIPHASHLEN1][TKLIPHASHLEN2];
 extern char *cmdname_by_spamftarget(int target);
 extern void unrealdns_delreq_bycptr(aClient *cptr);
-extern void sendtxtnumeric(aClient *to, char *pattern, ...) __attribute__((format(printf,2,3)));;
+extern void sendtxtnumeric(aClient *to, char *pattern, ...) __attribute__((format(printf,2,3)));
 extern void unrealdns_gethostbyname_link(char *name, ConfigItem_link *conf, int ipv4_only);
 extern void unrealdns_delasyncconnects(void);
 extern int is_autojoin_chan(char *chname);
@@ -737,6 +739,7 @@ extern MODVAR BOOL IsService;
 #endif
 extern int match_ip46(char *a, char *b);
 extern void extcmodes_check_for_changes(void);
+extern void umodes_check_for_changes(void);
 extern int config_parse_flood(char *orig, int *times, int *period);
 extern int swhois_add(aClient *acptr, char *tag, int priority, char *swhois, aClient *from, aClient *skip);
 extern int swhois_delete(aClient *acptr, char *tag, char *swhois, aClient *from, aClient *skip);
@@ -759,7 +762,7 @@ extern int has_channel_mode(aChannel *chptr, char mode);
 extern int has_user_mode(aClient *acptr, char mode);
 extern long find_user_mode(char mode);
 extern void start_listeners(void);
-extern void buildvarstring(char *inbuf, char *outbuf, size_t len, char *name[], char *value[]);
+extern void buildvarstring(const char *inbuf, char *outbuf, size_t len, const char *name[], const char *value[]);
 extern void reinit_ssl(aClient *);
 extern int m_error(aClient *cptr, aClient *sptr, int parc, char *parv[]);
 extern int m_dns(aClient *cptr, aClient *sptr, int parc, char *parv[]);
@@ -783,9 +786,9 @@ extern int invisible_user_in_channel(aClient *target, aChannel *chptr);
 extern MODVAR int ssl_client_index;
 extern SSLOptions *FindSSLOptionsForUser(aClient *acptr);
 extern int IsWebsocket(aClient *acptr);
-extern PlaintextPolicy plaintextpolicy_strtoval(char *s);
-extern char *plaintextpolicy_valtostr(PlaintextPolicy policy);
-extern char plaintextpolicy_valtochar(PlaintextPolicy policy);
+extern Policy policy_strtoval(char *s);
+extern char *policy_valtostr(Policy policy);
+extern char policy_valtochar(Policy policy);
 extern int verify_certificate(SSL *ssl, char *hostname, char **errstr);
 extern char *certificate_name(SSL *ssl);
 extern int cipher_check(SSL_CTX *ctx, char **errstr);
@@ -798,3 +801,20 @@ extern char *spki_fingerprint(aClient *acptr);
 extern int is_module_loaded(char *name);
 extern void close_std_descriptors(void);
 extern int banned_client(aClient *acptr, char *bantype, char *reason, int global, int noexit);
+extern char *mystpcpy(char *dst, const char *src);
+extern size_t add_sjsby(char *buf, char *setby, TS seton);
+extern MaxTarget *findmaxtarget(char *cmd);
+extern void setmaxtargets(char *cmd, int limit);
+extern void freemaxtargets(void);
+extern int max_targets_for_command(char *cmd);
+extern void set_targmax_defaults(void);
+extern void parse_chanmodes_protoctl(aClient *sptr, char *str);
+extern void concat_params(char *buf, int len, int parc, char *parv[]);
+extern void charsys_check_for_changes(void);
+extern int maxclients;
+extern int fast_badword_match(ConfigItem_badword *badword, char *line);
+extern int fast_badword_replace(ConfigItem_badword *badword, char *line, char *buf, int max);
+extern char *stripbadwords(char *str, ConfigItem_badword *start_bw, int *blocked);
+extern int badword_config_process(ConfigItem_badword *ca, char *str);
+extern void badword_config_free(ConfigItem_badword *ca);
+extern char *badword_config_check_regex(char *s, int fastsupport, int check_broadness);

include/modules.h

@@ -426,8 +426,8 @@ struct _irccallback {
  * for things like do_join, join_channel, etc.
  * The difference between callbacks and efunctions are:
  * - efunctions are mandatory, while callbacks can be optional (depends!)
- * - efunctions are ment for internal usage, so 3rd party modules are not allowed
- *   to add them.
+ * - efunctions are meant for internal usage, so 3rd party modules are
+ *   not allowed to add them.
  * - all efunctions are declared as function pointers in modules.c
  */
 struct _ircefunction {
@@ -602,6 +602,9 @@ extern Isupport *IsupportAdd(Module *module, const char *token, const char *valu
 extern void IsupportSetValue(Isupport *isupport, const char *value);
 extern void IsupportDel(Isupport *isupport);
 extern Isupport *IsupportFind(const char *token);
+extern void IsupportSet(Module *module, const char *name, const char *value);
+extern void IsupportSetFmt(Module *module, const char *name, const char *pattern, ...) __attribute__((format(printf,3,4)));
+extern void IsupportDelByName(const char *name);
 
 extern ClientCapability *ClientCapabilityFind(const char *token, aClient *sptr);
 extern ClientCapability *ClientCapabilityFindReal(const char *token);
@@ -671,6 +674,16 @@ extern void HooktypeDel(Hooktype *hooktype, Module *module);
   if (retval retchk) return retval; \
  } \
 }
+#define RunHookReturnInt4(hooktype,a,b,c,d,retchk) \
+{ \
+ int retval; \
+ Hook *h; \
+ for (h = Hooks[hooktype]; h; h = h->next) \
+ { \
+  retval = (*(h->func.intfunc))(a,b,c,d); \
+  if (retval retchk) return retval; \
+ } \
+}
 
 #define RunHookReturnVoid(hooktype,x,ret) do { Hook *h; for (h = Hooks[hooktype]; h; h = h->next) if((*(h->func.intfunc))(x) ret) return; } while(0)
 #define RunHook2(hooktype,x,y) do { Hook *h; for (h = Hooks[hooktype]; h; h = h->next) (*(h->func.intfunc))(x,y); } while(0)
@@ -698,11 +711,13 @@ extern Callback	*CallbackDel(Callback *cb);
 extern Efunction	*EfunctionAddMain(Module *module, int eftype, int (*intfunc)(), void (*voidfunc)(), void *(*pvoidfunc)(), char *(*pcharfunc)());
 extern Efunction	*EfunctionDel(Efunction *cb);
 
-extern Command *CommandAdd(Module *module, char *cmd, int (*func)(aClient *cptr, aClient *sptr, int parc, char *parv[]), unsigned char params, int flags);
+extern Command *CommandAdd(Module *module, char *cmd, CmdFunc func, unsigned char params, int flags);
+extern Command *AliasAdd(Module *module, char *cmd, AliasCmdFunc aliasfunc, unsigned char params, int flags);
 extern void CommandDel(Command *command);
+extern void CommandDelX(Command *command, aCommand *cmd);
 extern int CommandExists(char *name);
-extern Cmdoverride *CmdoverrideAdd(Module *module, char *cmd, int (*func)(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[]));
-extern Cmdoverride *CmdoverrideAddEx(Module *module, char *name, int priority, int (*func)(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[]));
+extern Cmdoverride *CmdoverrideAdd(Module *module, char *cmd, OverrideCmdFunc func);
+extern Cmdoverride *CmdoverrideAddEx(Module *module, char *name, int priority, OverrideCmdFunc func);
 extern void CmdoverrideDel(Cmdoverride *ovr);
 extern int CallCmdoverride(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[]);
 
@@ -791,7 +806,7 @@ extern char *moddata_client_get(aClient *acptr, char *varname);
 #define HOOKTYPE_VIEW_TOPIC_OUTSIDE_CHANNEL 75
 #define HOOKTYPE_CHAN_PERMIT_NICK_CHANGE 76
 #define HOOKTYPE_IS_CHANNEL_SECURE 77
-#define HOOKTYPE_CAN_SEND_SECURE 78
+#define HOOKTYPE_SEND_CHANNEL 78
 #define HOOKTYPE_CHANNEL_SYNCED 79
 #define HOOKTYPE_CAN_SAJOIN 80
 #define HOOKTYPE_WHOIS 81
@@ -805,6 +820,12 @@ extern char *moddata_client_get(aClient *acptr, char *varname);
 #define HOOKTYPE_SERVER_SYNCHED	89
 #define HOOKTYPE_SECURE_CONNECT 90
 #define HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION 91
+#define HOOKTYPE_REQUIRE_SASL 92
+#define HOOKTYPE_SASL_CONTINUATION 93
+#define HOOKTYPE_SASL_RESULT 94
+#define HOOKTYPE_PLACE_HOST_BAN 95
+#define HOOKTYPE_FIND_TKLINE_MATCH 96
+#define HOOKTYPE_WELCOME 97
 
 /* Adding a new hook here?
  * 1) Add the #define HOOKTYPE_.... with a new number
@@ -903,6 +924,12 @@ int hooktype_server_handshake_out(aClient *sptr);
 int hooktype_server_synched(aClient *sptr);
 int hooktype_secure_connect(aClient *sptr);
 int hooktype_can_bypass_channel_message_restriction(aClient *sptr, aChannel *chptr, BypassChannelMessageRestrictionType bypass_type);
+int hooktype_require_sasl(aClient *sptr, char *reason);
+int hooktype_sasl_continuation(aClient *sptr, char *buf);
+int hooktype_sasl_result(aClient *sptr, int success);
+int hooktype_place_host_ban(aClient *sptr, int action, char *reason, long duration);
+int hooktype_find_tkline_match(aClient *sptr, aTKline *tk);
+int hooktype_welcome(aClient *sptr, int after_numeric);
 
 #ifdef GCC_TYPECHECKING
 #define ValidateHook(validatefunc, func) __builtin_types_compatible_p(__typeof__(func), __typeof__(validatefunc))
@@ -985,7 +1012,7 @@ _UNREAL_ERROR(_hook_error_incompatible, "Incompatible hook function. Check argum
         ((hooktype == HOOKTYPE_VIEW_TOPIC_OUTSIDE_CHANNEL) && !ValidateHook(hooktype_view_topic_outside_channel, func)) || \
         ((hooktype == HOOKTYPE_CHAN_PERMIT_NICK_CHANGE) && !ValidateHook(hooktype_chan_permit_nick_change, func)) || \
         ((hooktype == HOOKTYPE_IS_CHANNEL_SECURE) && !ValidateHook(hooktype_is_channel_secure, func)) || \
-        ((hooktype == HOOKTYPE_CAN_SEND_SECURE) && !ValidateHook(hooktype_can_send_secure, func)) || \
+        ((hooktype == HOOKTYPE_SEND_CHANNEL) && !ValidateHook(hooktype_can_send_secure, func)) || \
         ((hooktype == HOOKTYPE_CHANNEL_SYNCED) && !ValidateHook(hooktype_channel_synced, func)) || \
         ((hooktype == HOOKTYPE_CAN_SAJOIN) && !ValidateHook(hooktype_can_sajoin, func)) || \
         ((hooktype == HOOKTYPE_WHOIS) && !ValidateHook(hooktype_whois, func)) || \
@@ -998,7 +1025,13 @@ _UNREAL_ERROR(_hook_error_incompatible, "Incompatible hook function. Check argum
         ((hooktype == HOOKTYPE_SERVER_HANDSHAKE_OUT) && !ValidateHook(hooktype_server_handshake_out, func)) || \
         ((hooktype == HOOKTYPE_SERVER_SYNCHED) && !ValidateHook(hooktype_server_synched, func)) || \
         ((hooktype == HOOKTYPE_SECURE_CONNECT) && !ValidateHook(hooktype_secure_connect, func)) || \
-        ((hooktype == HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION) && !ValidateHook(hooktype_can_bypass_channel_message_restriction, func)) ) \
+        ((hooktype == HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION) && !ValidateHook(hooktype_can_bypass_channel_message_restriction, func)) || \
+        ((hooktype == HOOKTYPE_REQUIRE_SASL) && !ValidateHook(hooktype_require_sasl, func)) || \
+        ((hooktype == HOOKTYPE_SASL_CONTINUATION) && !ValidateHook(hooktype_sasl_continuation, func)) || \
+        ((hooktype == HOOKTYPE_SASL_RESULT) && !ValidateHook(hooktype_sasl_result, func)) || \
+        ((hooktype == HOOKTYPE_PLACE_HOST_BAN) && !ValidateHook(hooktype_place_host_ban, func)) || \
+        ((hooktype == HOOKTYPE_FIND_TKLINE_MATCH) && !ValidateHook(hooktype_find_tkline_match, func)) || \
+        ((hooktype == HOOKTYPE_WELCOME) && !ValidateHook(hooktype_welcome, func)) ) \
         _hook_error_incompatible();
 #endif /* GCC_TYPECHECKING */
 
@@ -1012,6 +1045,7 @@ _UNREAL_ERROR(_hook_error_incompatible, "Incompatible hook function. Check argum
 #define CALLBACKTYPE_CLOAKKEYCSUM 2
 #define CALLBACKTYPE_CLOAK_EX 3
 #define CALLBACKTYPE_BLACKLIST_CHECK 4
+#define CALLBACKTYPE_REPUTATION_STARTTIME 5
 
 /* Efunction types */
 #define EFUNC_DO_JOIN       				1
@@ -1070,6 +1104,7 @@ _UNREAL_ERROR(_hook_error_incompatible, "Incompatible hook function. Check argum
 #define EFUNC_DO_NICK_NAME			57
 #define EFUNC_DO_REMOTE_NICK_NAME	58
 #define EFUNC_CHARSYS_GET_CURRENT_LANGUAGES	59
+#define EFUNC_BROADCAST_SINFO		60
 
 /* Module flags */
 #define MODFLAG_NONE	0x0000
@@ -1092,6 +1127,7 @@ _UNREAL_ERROR(_hook_error_incompatible, "Incompatible hook function. Check argum
 #define CONFIG_CLOAKKEYS 7
 #define CONFIG_SET_ANTI_FLOOD 8
 #define CONFIG_REQUIRE 9
+#define CONFIG_LISTEN 10
 
 #define MOD_HEADER(name) Mod_Header
 #define MOD_TEST(name) DLLFUNC int Mod_Test(ModuleInfo *modinfo)

include/numeric.h

@@ -308,6 +308,7 @@
 #define	RPL_ADMINEMAIL       259
 
 #define	RPL_TRACELOG         261
+#define RPL_TRYAGAIN         263
 #define RPL_LOCALUSERS       265
 #define RPL_GLOBALUSERS      266
 

include/setup.h.in

@@ -28,9 +28,6 @@
 /* Define the location of the documentation */
 #undef DOCDIR
 
-/* Define if you can set the core size to unlimited */
-#undef FORCE_CORE
-
 /* Define if you have getrusage */
 #undef GETRUSAGE_2
 
@@ -46,6 +43,9 @@
 /* Define if ssl library has SSL_CTX_set1_curves_list */
 #undef HAS_SSL_CTX_SET1_CURVES_LIST
 
+/* Define if ssl library has SSL_CTX_set_min_proto_version */
+#undef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+
 /* Define to 1 if you have the `bcmp' function. */
 #undef HAVE_BCMP
 
@@ -136,6 +136,9 @@
 /* Define if you have setproctitle */
 #undef HAVE_SETPROCTITLE
 
+/* Define to 1 if you have the `setrlimit' function. */
+#undef HAVE_SETRLIMIT
+
 /* Define to 1 if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
 
@@ -214,8 +217,8 @@
 /* Define to <malloc.h> you need malloc.h. */
 #undef MALLOCH
 
-/* Set to the max connections you want */
-#undef MAXCONNECTIONS
+/* Set to the maximum number of connections you want */
+#undef MAXCONNECTIONS_REQUEST
 
 /* Set to the max sendq you want */
 #undef MAXSENDQLENGTH
@@ -369,9 +372,6 @@
 /* Define to 1 if your <sys/time.h> declares `struct tm'. */
 #undef TM_IN_SYS_TIME
 
-/* Define if you want nick!user@host shown for the topic setter */
-#undef TOPIC_NICK_IS_NUHOST
-
 /* Define if your system prepends an underscore to symbols */
 #undef UNDERSCORE
 
@@ -395,6 +395,9 @@
    support */
 #undef USE_LIBCURL
 
+/* Use the old deprecated TRE regex library */
+#undef USE_TRE
+
 /* Define if you are compiling unrealircd on Sun's (or Oracle's?) Solaris */
 #undef _SOLARIS
 

include/struct.h

@@ -59,7 +59,9 @@
 # endif
 #endif
 #include "auth.h" 
+#ifdef USE_TRE
 #include "tre/regex.h"
+#endif
 #define PCRE2_CODE_UNIT_WIDTH 8
 #include "pcre2.h"
 
@@ -180,7 +182,10 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define	USERLEN		10
 #define	REALLEN	 	50
 #define SVIDLEN		30
-#define	TOPICLEN	307
+#define MAXTOPICLEN	360	/* absolute maximum permitted topic length (above this = potential desynch) */
+#define MAXAWAYLEN	360	/* absolute maximum permitted away length (above this = potential desynch) */
+#define MAXKICKLEN	360	/* absolute maximum kick length (above this = only cutoff danger) */
+#define MAXQUITLEN	395	/* absolute maximum quit length (above this = only cutoff danger) */
 #define	CHANNELLEN	32
 #define	PASSWDLEN 	48	/* was 20, then 32, now 48. */
 #define	KEYLEN		23
@@ -193,6 +198,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define SIDLEN           3
 #define SWHOISLEN	256
 #define UMODETABLESZ (sizeof(long) * 8)
+#define MAXCCUSERS		20 /* Maximum for set::anti-flood::target-limit::max-concurrent-conversations */
 /*
  * Watch it - Don't change this unless you also change the ERR_TOOMANYWATCH
  * and PROTOCOL_SUPPORTED settings.
@@ -360,7 +366,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define PROTO_EXTSWHOIS 0x800000	/* extended SWHOIS support */
 #define PROTO_CAP_CHGHOST	0x1000000	/* CAP chghost */
 #define PROTO_CAP_EXTENDED_JOIN	0x2000000	/* CAP extended-join */
-
+#define PROTO_SJSBY		0x4000000	/* SJOIN setby information (TS and nick) */
 /*
  * flags macros.
  */
@@ -460,6 +466,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define SupportUMODE2(x)	(CHECKPROTO(x, PROTO_UMODE2))
 #define SupportVL(x)		(CHECKPROTO(x, PROTO_VL))
 #define SupportSJ3(x)		(CHECKPROTO(x, PROTO_SJ3))
+#define SupportSJSBY(x)		(CHECKPROTO(x, PROTO_SJSBY))
 #define SupportVHP(x)		(CHECKPROTO(x, PROTO_VHP))
 #define SupportTKLEXT(x)	(CHECKPROTO(x, PROTO_TKLEXT))
 #define SupportTKLEXT2(x)	(CHECKPROTO(x, PROTO_TKLEXT2))
@@ -475,6 +482,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define SetUMODE2(x)		((x)->local->proto |= PROTO_UMODE2)
 #define SetVL(x)		((x)->local->proto |= PROTO_VL)
 #define SetSJ3(x)		((x)->local->proto |= PROTO_SJ3)
+#define SetSJSBY(x)		((x)->local->proto |= PROTO_SJSBY)
 #define SetVHP(x)		((x)->local->proto |= PROTO_VHP)
 #define SetTKLEXT(x)	((x)->local->proto |= PROTO_TKLEXT)
 #define SetTKLEXT2(x)	((x)->local->proto |= PROTO_TKLEXT2)
@@ -596,9 +604,7 @@ struct aloopStruct {
 typedef enum {
 	MATCH_SIMPLE=1, /**< Simple pattern with * and ? */
 	MATCH_PCRE_REGEX=2, /**< PCRE2 Perl-like regex (new) */
-#ifdef USE_TRE
 	MATCH_TRE_REGEX=3, /**< TRE POSIX regex (old, unreal3.2.x) */
-#endif
 } MatchType;
 
 /** Match struct, which allows various matching styles, see MATCH_* */
@@ -674,8 +680,12 @@ struct User {
 	struct {
 		time_t nick_t;
 		unsigned char nick_c;
-		time_t away_t;			/* last time the user set away */
+		time_t away_t;		/* last time the user set away */
 		unsigned char away_c;	/* number of times away has been set */
+		time_t knock_t;		/* last time the user has knocked */
+		unsigned char knock_c;	/* number of times the user knocked */
+		time_t invite_t;	/* last time the user used /invite */
+		unsigned char invite_c;	/* number of times the user used /invite */
 	} flood;
 	TS lastaway;
 };
@@ -686,8 +696,9 @@ struct Server {
 	char 		*up;		/* uplink for this server */
 	char 		by[NICKLEN + 1];
 	ConfigItem_link *conf;
-	TS   		timestamp;		/* Remotely determined connect try time */
-	long		 users;
+	TS   		timestamp;	/* Remotely determined connect try time */
+	long		users;
+	TS		boottime;	/* Startup time of server */
 #ifdef	LIST_DEBUG
 	aClient *bcptr;
 #endif
@@ -696,8 +707,11 @@ struct Server {
 		unsigned server_sent:1;		/* SERVER message sent to this link? (for outgoing links) */
 	} flags;
 	struct {
+		char *usermodes;
 		char *chanmodes[4];
 		int protocol;
+		char *software;
+		char *nickchars;
 	} features;
 };
 
@@ -709,7 +723,7 @@ struct Server {
 #define M_ALIAS			0x0020
 #define M_RESETIDLE		0x0040
 #define M_VIRUS			0x0080
-#define M_ANNOUNCE		0x0100
+#define M_ANNOUNCE		0x0100 /* deprecated! */
 #define M_OPER			0x0200
 
 
@@ -783,6 +797,10 @@ typedef struct ircstatsx {
 
 extern MODVAR ircstats IRCstats;
 
+typedef int (*CmdFunc)(aClient *cptr, aClient *sptr, int parc, char *parv[]);
+typedef int (*AliasCmdFunc)(aClient *cptr, aClient *sptr, int parc, char *parv[], char *cmd);
+typedef int (*OverrideCmdFunc)(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[]);
+
 #include "modules.h"
 
 extern MODVAR Umode *Usermode_Table;
@@ -862,7 +880,7 @@ struct LocalClient {
 	TS   last;		/* last time a RESETIDLE message was received */
 	TS   nexttarget;	/* next time that a new target will be allowed (msg/notice/invite) */
  	TS   nextnick;		/* Time the next nick change will be allowed */
-	u_char targets[MAXTARGETS];	/* hash values of targets */
+	u_char targets[MAXCCUSERS];	/* hash values of targets */
 	char buffer[BUFSIZE];	/* Incoming message buffer */
 	short lastsq;		/* # of 2k blocks when sendqueued called last */
 	dbuf sendQ;		/* Outgoing message queue--if socket full */
@@ -1118,6 +1136,11 @@ struct _configitem_oper {
 	int maxlogins;
 };
 
+/** The SSL options that are used in set::ssl and otherblocks::ssl-options.
+ * NOTE: If you add something here then you must also update the
+ *       conf_sslblock() function in s_conf.c to have it inherited
+ *       from set::ssl to the other config blocks!
+ */
 typedef struct _ssloptions SSLOptions;
 struct _ssloptions {
 	char *certificate_file;
@@ -1128,6 +1151,8 @@ struct _ssloptions {
 	char *ciphers;
 	char *ciphersuites;
 	char *ecdh_curves;
+	char *outdated_protocols;
+	char *outdated_ciphers;
 	long options;
 	int renegotiate_bytes;
 	int renegotiate_timeout;
@@ -1376,6 +1401,9 @@ struct _configitem_offchans {
 #define HM_IPV4 2
 #define HM_IPV6 3
 
+#define SETTER_NICK 0
+#define SETTER_NICK_USER_HOST 1
+
 /*
  * statistics structures
  */
@@ -1533,11 +1561,65 @@ struct DSlink {
 		char *cp;
 	} value;
 };
-#define AddListItem(item,list) add_ListItem((ListStruct *)item, (ListStruct **)&list)
-#define DelListItem(item,list) del_ListItem((ListStruct *)item, (ListStruct **)&list)
+#ifndef _WIN32
+ #define CHECK_LIST_ENTRY(list)		if (offsetof(typeof(*list),prev) != offsetof(ListStruct,prev)) \
+					{ \
+						ircd_log(LOG_ERROR, "[BUG] %s:%d: List operation on struct with incorrect order (->prev must be 1st struct member)", __FILE__, __LINE__); \
+						abort(); \
+					} \
+					if (offsetof(typeof(*list),next) != offsetof(ListStruct,next)) \
+					{ \
+						ircd_log(LOG_ERROR, "[BUG] %s:%d: List operation on struct with incorrect order (->next must be 2nd struct member))", __FILE__, __LINE__); \
+						abort(); \
+					}
+#else
+ #define CHECK_LIST_ENTRY(list)		/* not available on Windows, typeof() not reliable */
+#endif
 
-#define AddListItemPrio(item,list,prio) add_ListItemPrio((ListStructPrio *)item, (ListStructPrio **)&list, prio)
-#define DelListItemPrio(item,list,prio) del_ListItem((ListStruct *)item, (ListStruct **)&list)
+#define AddListItem(item,list)		do { \
+						CHECK_LIST_ENTRY(list) \
+						add_ListItem((ListStruct *)item, (ListStruct **)&list); \
+					} while(0)
+
+#define AppendListItem(item,list)	do { \
+						CHECK_LIST_ENTRY(list) \
+						append_ListItem((ListStruct *)item, (ListStruct **)&list); \
+					} while(0)
+
+#define DelListItem(item,list)		do { \
+						CHECK_LIST_ENTRY(list) \
+						del_ListItem((ListStruct *)item, (ListStruct **)&list); \
+					} while(0)
+
+#ifndef _WIN32
+ #define CHECK_PRIO_LIST_ENTRY(list)	if (offsetof(typeof(*list),prev) != offsetof(ListStructPrio,prev)) \
+					{ \
+						ircd_log(LOG_ERROR, "[BUG] %s:%d: List operation on struct with incorrect order (->prev must be 1st struct member)", __FILE__, __LINE__); \
+						abort(); \
+					} \
+					if (offsetof(typeof(*list),next) != offsetof(ListStructPrio,next)) \
+					{ \
+						ircd_log(LOG_ERROR, "[BUG] %s:%d: List operation on struct with incorrect order (->next must be 2nd struct member))", __FILE__, __LINE__); \
+						abort(); \
+					} \
+					if (offsetof(typeof(*list),priority) != offsetof(ListStructPrio,priority)) \
+					{ \
+						ircd_log(LOG_ERROR, "[BUG] %s:%d: List operation on struct with incorrect order (->priority must be 3rd struct member))", __FILE__, __LINE__); \
+						abort(); \
+					}
+#else
+ #define CHECK_PRIO_LIST_ENTRY(list)	/* not available on Windows, typeof() not reliable */
+#endif
+
+#define AddListItemPrio(item,list,prio)	do { \
+						CHECK_PRIO_LIST_ENTRY(list); \
+						add_ListItemPrio((ListStructPrio *)item, (ListStructPrio **)&list, prio); \
+					} while(0)
+
+#define DelListItemPrio(item,list,prio)	do { \
+						CHECK_PRIO_LIST_ENTRY(list); \
+						del_ListItem((ListStruct *)item, (ListStruct **)&list); \
+					} while(0)
 
 struct liststruct {
 	ListStruct *prev, *next;
@@ -1688,7 +1770,8 @@ extern MODVAR char *gnulicense[];
 struct Command {
 	aCommand		*prev, *next;
 	char 			*cmd;
-	int			(*func) ();
+	CmdFunc			func;
+	AliasCmdFunc		aliasfunc;
 	int			flags;
 	unsigned int    	count;
 	unsigned		parameters : 5;
@@ -1708,7 +1791,7 @@ struct _cmdoverride {
 	int			priority;
 	Module			*owner;
 	aCommand		*command;
-	int			(*func)();
+	OverrideCmdFunc		func;
 };
 
 struct ThrottlingBucket
@@ -1756,6 +1839,14 @@ struct ThrottlingBucket *find_throttling_bucket(aClient *);
 void add_throttling_bucket(aClient *);
 int throttle_can_connect(aClient *);
 
+typedef struct _maxtargets MaxTarget;
+struct _maxtargets {
+	MaxTarget *prev, *next;
+	char *cmd;
+	int limit;
+};
+#define MAXTARGETS_MAX	1000000 /* used for 'max' */
+
 #define VERIFY_OPERCOUNT(clnt,tag) { if (IRCstats.operators < 0) verify_opercount(clnt,tag); } while(0)
 
 #define MARK_AS_OFFICIAL_MODULE(modinf)	do { if (modinf && modinf->handle) ModuleSetOptions(modinfo->handle, MOD_OPT_OFFICIAL, 1);  } while(0)
@@ -1768,7 +1859,9 @@ int throttle_can_connect(aClient *);
 #define BANCHK_MSG		1	/* checking if a ban forbids the person from sending messages */
 #define BANCHK_NICK		2	/* checking if a ban forbids the person from changing his/her nick */
 
-#define TKLISTLEN 26
+#define TKLISTLEN		26
+#define TKLIPHASHLEN1		4
+#define TKLIPHASHLEN2		1021
 
 #define MATCH_CHECK_IP              0x0001
 #define MATCH_CHECK_REAL_HOST       0x0002
@@ -1784,13 +1877,43 @@ int throttle_can_connect(aClient *);
 #define MATCH_USE_IDENT             0x0100
 
 typedef enum {
-	PLAINTEXT_POLICY_ALLOW=1,
-	PLAINTEXT_POLICY_WARN=2,
-	PLAINTEXT_POLICY_DENY=3
-} PlaintextPolicy;
+	POLICY_ALLOW=1,
+	POLICY_WARN=2,
+	POLICY_DENY=3
+} Policy;
 
 #define NO_EXIT_CLIENT	99
 
+/*-- badwords --*/
+
+#define MAX_MATCH       1
+#define MAX_WORDLEN	64
+
+#define PATTERN		"\\w*%s\\w*"
+#define REPLACEWORD	"<censored>"
+
+#define BADW_TYPE_INVALID 0x0
+#define BADW_TYPE_FAST    0x1
+#define BADW_TYPE_FAST_L  0x2
+#define BADW_TYPE_FAST_R  0x4
+#define BADW_TYPE_REGEX   0x8
+
+#define BADWORD_REPLACE 1
+#define BADWORD_BLOCK 2
+
+typedef struct _configitem_badword ConfigItem_badword;
+
+struct _configitem_badword {
+	ConfigItem_badword      *prev, *next;
+	ConfigFlag	flag;
+	char		*word, *replace;
+	unsigned short	type;
+	char		action;
+	pcre2_code	*pcre2_expr;
+};
+
+/*-- end of badwords --*/
+
 #endif /* __struct_include__ */
 
 #include "dynconf.h"

include/unrealircd.h

@@ -22,7 +22,6 @@
 #endif
 #include <fcntl.h>
 #include "h.h"
-#include "badwords.h"
 #ifdef _WIN32
 #include "version.h"
 #endif

include/url.h

@@ -3,6 +3,7 @@
 #include "types.h"
 
 int MODFUNC url_is_valid(const char *);
+extern const char MODFUNC *displayurl(const char *url);
 char MODFUNC *url_getfilename(const char *url);
 char MODFUNC *download_file(const char *, char **);
 void MODFUNC download_file_async(const char *, time_t, vFP, void *callback_data);

include/version.h

@@ -54,9 +54,9 @@
  * Can be useful if the above 3 versionids are insufficient for you (eg: you want to support CVS).
  * This is updated automatically on the CVS server every Monday. so don't touch it.
  */
-#define UNREAL_VERSION_TIME         201552
+#define UNREAL_VERSION_TIME         201915
 
-#define UnrealProtocol 		4019
+#define UnrealProtocol 		4203
 #define PATCH1  		macro_to_str(UNREAL_VERSION_GENERATION)
 #define PATCH2  		"." macro_to_str(UNREAL_VERSION_MAJOR)
 #define PATCH3  		"." macro_to_str(UNREAL_VERSION_MINOR)

include/win32/setup.h

@@ -54,6 +54,7 @@
 #define NEED_U_INT32_T
 #define PREFIX_AQ
 #define LIST_SHOW_MODES
+#define USE_TRE
 #ifndef mode_t
 #define GOT_STRCASECMP
 #define strcasecmp _stricmp
@@ -81,13 +82,13 @@
 #define UNREAL_VERSION_GENERATION 4
 
 /* Major version number (e.g.: 2 for Unreal3.2*) */
-#define UNREAL_VERSION_MAJOR 0
+#define UNREAL_VERSION_MAJOR 2
 
 /* Minor version number (e.g.: 1 for Unreal3.2.1) */
-#define UNREAL_VERSION_MINOR 19
+#define UNREAL_VERSION_MINOR 4
 
 /* Version suffix such as a beta marker or release candidate marker. (e.g.:
    -rcX for unrealircd-3.2.9-rcX) */
-#define UNREAL_VERSION_SUFFIX "-rc2"
+#define UNREAL_VERSION_SUFFIX ".1"
 
 #endif

makefile.win32

@@ -24,6 +24,11 @@ MT=mt
 #PCRE2_INC_DIR="C:\dev\pcre2"
 #PCRE2LIB="pcre2-8.lib"
 
+### ARGON2 ###
+#ARGON2_LIB_DIR="C:\dev\argon2\vs2015\build"
+#ARGON2_INC_DIR="C:\dev\argon2\include"
+#ARGON2LIB="Argon2RefDll.lib"
+
 ### C-ARES ####
 #CARES_LIB_DIR="C:\dev\c-ares\vc\cares\dll-release"
 #CARES_INC_DIR="C:\dev\c-ares"
@@ -94,6 +99,13 @@ PCRE2_INC=/I "$(PCRE2_INC_DIR)"
 PCRE2_LIB=/LIBPATH:"$(PCRE2_LIB_DIR)"
 !ENDIF
 
+!IFDEF ARGON2_INC_DIR
+ARGON2_INC=/I "$(ARGON2_INC_DIR)"
+!ENDIF
+!IFDEF ARGON2_LIB_DIR
+ARGON2_LIB=/LIBPATH:"$(ARGON2_LIB_DIR)"
+!ENDIF
+
 !IFDEF USE_REMOTEINC
 CURLCFLAGS=/D USE_LIBCURL
 CURLOBJ=SRC/URL.OBJ
@@ -126,19 +138,19 @@ MODDBGCFLAG=/LDd /MD /Zi
 !ENDIF 
 
 FD_SETSIZE=/D FD_SETSIZE=16384
-CFLAGS=$(DBGCFLAG) $(TRE_INC) $(PCRE2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /J /I ./INCLUDE /I ./INCLUDE/WIN32/ARES /Fosrc/ /nologo \
+CFLAGS=$(DBGCFLAG) $(TRE_INC) $(PCRE2_INC) $(ARGON2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /J /I ./INCLUDE /I ./INCLUDE/WIN32/ARES /Fosrc/ /nologo \
  $(CURLCFLAGS) $(FD_SETSIZE) $(SSLCFLAGS) /D NOSPOOF=1 /c /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _USE_32BIT_TIME_T
-CFLAGSST=$(DBGCFLAGST) $(TRE_INC) $(PCRE2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /J /I ./INCLUDE /I ./INCLUDE/WIN32/ARES /Fosrc/ /nologo \
+CFLAGSST=$(DBGCFLAGST) $(TRE_INC) $(PCRE2_INC) $(ARGON2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /J /I ./INCLUDE /I ./INCLUDE/WIN32/ARES /Fosrc/ /nologo \
  $(CURLCFLAGS) $(FD_SETSIZE) $(SSLCFLAGS) /D NOSPOOF=1 /c /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _USE_32BIT_TIME_T
 LFLAGS=kernel32.lib user32.lib gdi32.lib shell32.lib ws2_32.lib advapi32.lib \
  dbghelp.lib oldnames.lib comctl32.lib comdlg32.lib $(CARES_LIB) $(CARESLIB) $(TRE_LIB) $(TRELIB) \
-  $(PCRE2_LIB) $(PCRE2LIB) $(LIBRESSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB) /def:UnrealIRCd.def /implib:UnrealIRCd.lib \
+  $(PCRE2_LIB) $(PCRE2LIB) $(ARGON2_LIB) $(ARGON2LIB) $(LIBRESSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB) /def:UnrealIRCd.def /implib:UnrealIRCd.lib \
  /nologo $(DBGLFLAG) /out:UnrealIRCd.exe
 MODCFLAGS=$(MODDBGCFLAG) $(SSLCFLAGS) $(CURLCFLAGS) /J /Fesrc/modules/ \
- /Fosrc/modules/ /nologo $(TRE_INC) $(PCRE2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /I ./INCLUDE /D \
+ /Fosrc/modules/ /nologo $(TRE_INC) $(PCRE2_INC) $(ARGON2_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) /I ./INCLUDE /D \
  DYNAMIC_LINKING /D NOSPOOF /D MODULE_COMPILE /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _USE_32BIT_TIME_T
 MODLFLAGS=/link /def:src/modules/module.def UnrealIRCd.lib ws2_32.lib $(TRE_LIB) $(TRELIB) \
- $(PCRE2_LIB) $(PCRE2LIB) $(CARES_LIB) $(LIBRESSL_LIB) $(SSLLIB) \
+ $(PCRE2_LIB) $(PCRE2LIB) $(ARGON2_LIB) $(ARGON2LIB) $(CARES_LIB) $(LIBRESSL_LIB) $(SSLLIB) \
  $(LIBCURL_LIB) $(CURLLIB)
 
 INCLUDES=./include/struct.h ./include/config.h ./include/sys.h \
@@ -218,6 +230,11 @@ DLL_FILES=SRC/MODULES/M_CHGHOST.DLL SRC/MODULES/M_SDESC.DLL SRC/MODULES/M_SETIDE
  SRC/MODULES/M_STAFF.DLL \
  SRC/MODULES/NOCODES.DLL \
  SRC/MODULES/CHARSYS.DLL \
+ SRC/MODULES/ANTIMIXEDUTF8.DLL \
+ SRC/MODULES/AUTHPROMPT.DLL \
+ SRC/MODULES/M_SINFO.DLL \
+ SRC/MODULES/REPUTATION.DLL \
+ SRC/MODULES/CONNTHROTTLE.DLL \
  SRC/MODULES/CHANMODES/CENSOR.DLL \
  SRC/MODULES/CHANMODES/DELAYJOIN.DLL \
  SRC/MODULES/CHANMODES/FLOODPROT.DLL \
@@ -847,6 +864,21 @@ src/modules/nocodes.dll: src/modules/nocodes.c $(INCLUDES)
 src/modules/charsys.dll: src/modules/charsys.c $(INCLUDES)
         $(CC) $(MODCFLAGS) src/modules/charsys.c $(MODLFLAGS)
 
+src/modules/antimixedutf8.dll: src/modules/antimixedutf8.c $(INCLUDES)
+        $(CC) $(MODCFLAGS) src/modules/antimixedutf8.c $(MODLFLAGS)
+
+src/modules/authprompt.dll: src/modules/authprompt.c $(INCLUDES)
+        $(CC) $(MODCFLAGS) src/modules/authprompt.c $(MODLFLAGS)
+
+src/modules/m_sinfo.dll: src/modules/m_sinfo.c $(INCLUDES)
+        $(CC) $(MODCFLAGS) src/modules/m_sinfo.c $(MODLFLAGS)
+
+src/modules/reputation.dll: src/modules/reputation.c $(INCLUDES)
+        $(CC) $(MODCFLAGS) src/modules/reputation.c $(MODLFLAGS)
+
+src/modules/connthrottle.dll: src/modules/connthrottle.c $(INCLUDES)
+        $(CC) $(MODCFLAGS) src/modules/connthrottle.c $(MODLFLAGS)
+
 src/modules/chanmodes/censor.dll: src/modules/chanmodes/censor.c $(INCLUDES)
 	$(CC) $(MODCFLAGS) /Fosrc/modules/chanmodes/ /Fesrc/modules/chanmodes/ src/modules/chanmodes/censor.c $(MODLFLAGS)
 

src/api-clicap.c

@@ -224,4 +224,8 @@ void clicap_post_rehash(void)
 			send_cap_notify(1, name);
 		}
 	}
+
+	/* Now free the old caps. */
+	for (i = 0; old_caps[i]; i++)
+		safefree(old_caps[i]);
 }

src/api-command.c

@@ -24,8 +24,6 @@
 #include "h.h"
 #include <string.h>
 
-char *cmdstr = NULL;
-
 int CommandExists(char *name)
 {
 	aCommand *p;
@@ -39,7 +37,7 @@ int CommandExists(char *name)
 	return 0;
 }
 
-Command *CommandAdd(Module *module, char *cmd, int (*func)(), unsigned char params, int flags)
+Command *CommandAddInternal(Module *module, char *cmd, CmdFunc func, AliasCmdFunc aliasfunc, unsigned char params, int flags)
 {
 	Command *command = NULL;
 	aCommand *c;
@@ -59,7 +57,11 @@ Command *CommandAdd(Module *module, char *cmd, int (*func)(), unsigned char para
 		return NULL;
 	}
 	
-	c = add_Command_backend(cmd, func, params, flags);
+	c = add_Command_backend(cmd);
+	c->parameters = (params > MAXPARA) ? MAXPARA : params;
+	c->flags = flags;
+	c->func = func;
+	c->aliasfunc = aliasfunc;
 
 	if (module)
 	{
@@ -76,73 +78,65 @@ Command *CommandAdd(Module *module, char *cmd, int (*func)(), unsigned char para
 
 	if (flags & M_ANNOUNCE)
 	{
-		char *tmp;
-		if (cmdstr)
-			tmp = MyMallocEx(strlen(cmdstr)+strlen(cmd)+2);
-		else
-			tmp = MyMallocEx(strlen(cmd)+2);
-		if (cmdstr)
-		{
-			strcpy(tmp, cmdstr);
-			strcat(tmp, ",");
-		}
-		strcat(tmp, cmd);
-		if (cmdstr)
-		{
-			IsupportSetValue(IsupportFind("CMDS"), tmp);
-			free(cmdstr);
-		}
-		else
-			IsupportAdd(NULL, "CMDS", tmp);
-		cmdstr = tmp;
+		config_warn("Command '%s' has M_ANNOUNCE set, but this is no longer "
+		            "supported. Old 3rd party module %s? Check for updates!",
+		            c->cmd, module ? module->header->name : "");
 	}
 
 	return command;
 }
 
+Command *CommandAdd(Module *module, char *cmd, CmdFunc func, unsigned char params, int flags)
+{
+	if (flags & M_ALIAS)
+	{
+		config_error("Command '%s' used CommandAdd() to add a command alias, "
+		             "but should have used AliasAdd() instead. "
+		             "Old 3rd party module %s? Check for updates!",
+		             cmd,
+		             module ? module->header->name : "");
+		return NULL;
+	}
+	return CommandAddInternal(module, cmd, func, NULL, params, flags);
+}
 
-void CommandDel(Command *command) {
+Command *AliasAdd(Module *module, char *cmd, AliasCmdFunc aliasfunc, unsigned char params, int flags)
+{
+	if (!(flags & M_ALIAS))
+		flags |= M_ALIAS;
+	return CommandAddInternal(module, cmd, NULL, aliasfunc, params, flags);
+}
+
+void CommandDelX(Command *command, aCommand *cmd)
+{
 	Cmdoverride *ovr, *ovrnext;
 
-	if (command->cmd->flags & M_ANNOUNCE)
+	DelListItem(cmd, CommandHash[toupper(*cmd->cmd)]);
+	if (command && cmd->owner)
 	{
-		char *tmp = MyMallocEx(strlen(cmdstr)+1);
-		char *tok;
-		for (tok = strtok(cmdstr, ","); tok; tok = strtok(NULL, ","))
-		{
-			if (!stricmp(tok, command->cmd->cmd))
-				continue;
-			if (tmp)
-				strcat(tmp, ",");
-			strcat(tmp, tok);
-		}
-		free(cmdstr);
-		if (!*tmp)
-		{
-			IsupportDel(IsupportFind("CMDS"));
-			free(tmp);
-			cmdstr = NULL;
-		}
-		else
-			cmdstr = tmp;
-	}
-	DelListItem(command->cmd, CommandHash[toupper(*command->cmd->cmd)]);
-	if (command->cmd->owner) {
 		ModuleObject *cmdobj;
-		for (cmdobj = command->cmd->owner->objects; cmdobj; cmdobj = cmdobj->next) {
-			if (cmdobj->type == MOBJ_COMMAND && cmdobj->object.command == command) {
-				DelListItem(cmdobj,command->cmd->owner->objects);
+		for (cmdobj = cmd->owner->objects; cmdobj; cmdobj = cmdobj->next)
+		{
+			if (cmdobj->type == MOBJ_COMMAND && cmdobj->object.command == command)
+			{
+				DelListItem(cmdobj,cmd->owner->objects);
 				MyFree(cmdobj);
 				break;
 			}
 		}
 	}
-	for (ovr = command->cmd->overriders; ovr; ovr = ovrnext)
+	for (ovr = cmd->overriders; ovr; ovr = ovrnext)
 	{
 		ovrnext = ovr->next;
 		CmdoverrideDel(ovr);
 	}
-	MyFree(command->cmd->cmd);
-	MyFree(command->cmd);
-	MyFree(command);
+	MyFree(cmd->cmd);
+	MyFree(cmd);
+	if (command)
+		MyFree(command);
+}
+
+void CommandDel(Command *command)
+{
+	return CommandDelX(command, command->cmd);
 }

src/api-isupport.c

@@ -43,114 +43,107 @@ Isupport *Isupports; /* List of ISUPPORT (005) tokens */
 #define MAXISUPPORTLINES 10
 
 MODVAR char *IsupportStrings[MAXISUPPORTLINES+1];
-extern char *cmdstr;
 
-/**
- * Builds isupport token strings.
- * Respects both the 13 token limit and the 512 buffer limit.
+void isupport_add_sorted(Isupport *is);
+void make_isupportstrings(void);
+
+/** Easier way to set a 005 name or name=value.
+ * @param name   Name of the 005 token
+ * @param value  Value of the 005 token (or NULL)
+ * @note  The 'name' 005 token will be overwritten if it already exists.
+ *        The 'value' may be NULL, in which case if there was a value
+ *        it will be unset.
  */
-/* TODO: is all this code really safe? */
-void make_isupportstrings(void)
+void IsupportSet(Module *module, const char *name, const char *value)
 {
-	int i;
-	int bufsize = BUFSIZE-HOSTLEN-NICKLEN-39;
-	int tokcnt = 0, len = 0;
-	Isupport *isupport;
-
-	/* Clear out the old junk */
-	for (i = 0; IsupportStrings[i]; i++)
-	{
-		safefree(IsupportStrings[i]);
-	}
-
-	i = 0;
-	IsupportStrings[i] = MyMallocEx(bufsize);
-	for (isupport = Isupports; isupport; isupport = isupport->next)
-	{
-		int toklen;
-		/* Just a token */
-		if (!isupport->value)
-		{
-			toklen = strlen(isupport->token);
-			if (tokcnt == 13 || bufsize < len+toklen+1)
-			{
-				tokcnt = 0;
-				len = 0;
-				IsupportStrings[++i] = MyMallocEx(bufsize); 
-			}
-			if (IsupportStrings[i][0]) toklen++;
-			ircsnprintf(IsupportStrings[i]+len, bufsize-len, "%s%s", IsupportStrings[i][0]? " ": "", isupport->token);
-			len += toklen;
-			tokcnt++;
-		}
-		else
-		{
-			toklen = strlen(isupport->token)+strlen(isupport->value)+1;
-			if (tokcnt == 13 || bufsize < len+toklen+1) {
-				tokcnt = 0;
-				len = 0;
-				IsupportStrings[++i] = MyMallocEx(bufsize);
-			}
-			if (IsupportStrings[i][0]) toklen++;
-			ircsnprintf(IsupportStrings[i]+len, bufsize-len, "%s%s=%s", IsupportStrings[i][0]? " ": "", isupport->token, isupport->value);
-			len += toklen;
-			tokcnt++;
-		}
-		if (i == MAXISUPPORTLINES)
-			abort(); /* should never happen anyway */
-	}
+	Isupport *is = IsupportFind(name);
+	if (!is)
+		is = IsupportAdd(module, name, value);
+	IsupportSetValue(is, value);
 }
 
+/** Easy way to set a 005 name=value with printf style formatting.
+ * @param name     Name of the 005 token
+ * @param pattern  Value pattern for the 005 token (or NULL)
+ * @param ...      Any variables needed for 'pattern'.
+ * @note  The 'name' 005 token will be overwritten if it already exists.
+ *        The 'pattern' may be NULL, in which case if there was a value
+ *        it will be unset.
+ */
+void IsupportSetFmt(Module *module, const char *name, const char *pattern, ...)
+{
+	const char *value = NULL;
+	char buf[256];
+	va_list vl;
+
+	if (pattern)
+	{
+		va_start(vl, pattern);
+		ircvsnprintf(buf, sizeof(buf), pattern, vl);
+		va_end(vl);
+		value = buf;
+	}
+	IsupportSet(module, name, value);
+}
+
+void IsupportDelByName(const char *name)
+{
+	Isupport *is = IsupportFind(name);
+	if (is)
+		IsupportDel(is);
+}
+
+extern void set_isupport_extban(void);
+extern void set_isupport_targmax(void);
+
 /**
  * Initializes the builtin isupport tokens.
  */
 void isupport_init(void)
 {
-	char tmpbuf[512];
-	int i;
-
-	IsupportAdd(NULL, "INVEX", NULL);
-	IsupportAdd(NULL, "EXCEPTS", NULL);
+	IsupportSet(NULL, "INVEX", NULL);
+	IsupportSet(NULL, "EXCEPTS", NULL);
 #ifdef PREFIX_AQ
-	IsupportAdd(NULL, "STATUSMSG", "~&@%+");
+	IsupportSet(NULL, "STATUSMSG", "~&@%+");
 #else
-	IsupportAdd(NULL, "STATUSMSG", "@%+");
+	IsupportSet(NULL, "STATUSMSG", "@%+");
 #endif
-	IsupportAdd(NULL, "ELIST", "MNUCT");
-	ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
-	IsupportAdd(NULL, "EXTBAN", tmpbuf);
-	IsupportAdd(NULL, "CASEMAPPING", "ascii");
-	IsupportAdd(NULL, "NETWORK", ircnet005);
-	ircsnprintf(tmpbuf, sizeof(tmpbuf), CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
- 			EXPAR1, EXPAR2, EXPAR3, EXPAR4);
-	IsupportAdd(NULL, "CHANMODES", tmpbuf);
-	IsupportAdd(NULL, "PREFIX", CHPFIX);
-	IsupportAdd(NULL, "CHANTYPES", "#");
-	IsupportAdd(NULL, "MODES", my_itoa(MAXMODEPARAMS));
-	IsupportAdd(NULL, "SILENCE", my_itoa(SILENCE_LIMIT));
+	IsupportSet(NULL, "ELIST", "MNUCT");
+	IsupportSet(NULL, "CASEMAPPING", "ascii");
+	IsupportSet(NULL, "NETWORK", ircnet005);
+	IsupportSetFmt(NULL, "CHANMODES",
+	               CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
+	               EXPAR1, EXPAR2, EXPAR3, EXPAR4);
+	IsupportSet(NULL, "PREFIX", CHPFIX);
+	IsupportSet(NULL, "CHANTYPES", "#");
+	IsupportSetFmt(NULL, "MODES", "%d", MAXMODEPARAMS);
+	IsupportSetFmt(NULL, "SILENCE", "%d", SILENCE_LIMIT);
 	if (WATCH_AWAY_NOTIFICATION)
-		IsupportAdd(NULL, "WATCHOPTS", "A");
-	IsupportAdd(NULL, "WATCH", my_itoa(MAXWATCH));
-	IsupportAdd(NULL, "WALLCHOPS", NULL);
-	IsupportAdd(NULL, "MAXTARGETS", my_itoa(MAXTARGETS));
-	IsupportAdd(NULL, "AWAYLEN", my_itoa(TOPICLEN));
-	IsupportAdd(NULL, "KICKLEN", my_itoa(TOPICLEN));
-	IsupportAdd(NULL, "TOPICLEN", my_itoa(TOPICLEN));
-	IsupportAdd(NULL, "CHANNELLEN", my_itoa(CHANNELLEN));
-	IsupportAdd(NULL, "NICKLEN", my_itoa(iConf.nicklen));
-	IsupportAdd(NULL, "MAXNICKLEN", my_itoa(NICKLEN));
-	ircsnprintf(tmpbuf, sizeof(tmpbuf), "b:%d,e:%d,I:%d", MAXBANS, MAXBANS, MAXBANS);
-	IsupportAdd(NULL, "MAXLIST", tmpbuf);
-	ircsnprintf(tmpbuf, sizeof(tmpbuf), "#:%d", MAXCHANNELSPERUSER);
-	IsupportAdd(NULL, "CHANLIMIT", tmpbuf);
-	IsupportAdd(NULL, "MAXCHANNELS", my_itoa(MAXCHANNELSPERUSER));
-	IsupportAdd(NULL, "HCN", NULL);
-	IsupportAdd(NULL, "SAFELIST", NULL);
-	IsupportAdd(NULL, "NAMESX", NULL);
+		IsupportSet(NULL, "WATCHOPTS", "A");
+	else
+		IsupportDelByName("WATCHOPTS");
+	IsupportSetFmt(NULL, "WATCH", "%d", MAXWATCH);
+	IsupportSet(NULL, "WALLCHOPS", NULL);
+	IsupportSetFmt(NULL, "AWAYLEN", "%d", iConf.away_length);
+	IsupportSetFmt(NULL, "KICKLEN", "%d", iConf.kick_length);
+	IsupportSetFmt(NULL, "TOPICLEN", "%d", iConf.topic_length);
+	IsupportSetFmt(NULL, "QUITLEN", "%d", iConf.quit_length);
+	IsupportSetFmt(NULL, "CHANNELLEN", "%d", CHANNELLEN);
+	IsupportSetFmt(NULL, "NICKLEN", "%d", iConf.nick_length);
+	IsupportSetFmt(NULL, "MAXNICKLEN", "%d", NICKLEN);
+	IsupportSetFmt(NULL, "MAXLIST", "b:%d,e:%d,I:%d", MAXBANS, MAXBANS, MAXBANS);
+	IsupportSetFmt(NULL, "CHANLIMIT", "#:%d", MAXCHANNELSPERUSER);
+	IsupportSetFmt(NULL, "MAXCHANNELS", "%d", MAXCHANNELSPERUSER);
+	IsupportSet(NULL, "HCN", NULL);
+	IsupportSet(NULL, "SAFELIST", NULL);
+	IsupportSet(NULL, "NAMESX", NULL);
 	if (UHNAMES_ENABLED)
-		IsupportAdd(NULL, "UHNAMES", NULL);
-	if (cmdstr)
-		IsupportAdd(NULL, "CMDS", cmdstr);
+		IsupportSet(NULL, "UHNAMES", NULL);
+	else
+		IsupportDelByName("UHNAMES");
+	IsupportSet(NULL, "DEAF", "d");
+	set_isupport_extban(); /* EXTBAN=xyz */
+	set_isupport_targmax(); /* TARGMAX=... */
 }
 
 /**
@@ -245,7 +238,7 @@ Isupport *IsupportAdd(Module *module, const char *token, const char *value)
 	isupport->token = strdup(token);
 	if (value)
 		isupport->value = strdup(value);
-	AddListItem(isupport, Isupports);
+	isupport_add_sorted(isupport);
 	make_isupportstrings(); 
 	if (module)
 	{
@@ -272,3 +265,81 @@ void IsupportDel(Isupport *isupport)
 	free(isupport);
 	make_isupportstrings();
 }
+
+/**
+ * Builds isupport token strings.
+ * Respects both the 13 token limit and the 512 buffer limit.
+ */
+void make_isupportstrings(void)
+{
+	int i;
+#define ISUPPORTLEN BUFSIZE-HOSTLEN-NICKLEN-39
+	int bufsize = ISUPPORTLEN;
+	int tokcnt = 0, len = 0;
+	Isupport *isupport;
+	char tmp[ISUPPORTLEN];
+
+	/* Free any previous strings */
+	for (i = 0; IsupportStrings[i]; i++)
+		safefree(IsupportStrings[i]);
+
+	i = 0;
+	IsupportStrings[i] = MyMallocEx(bufsize+1);
+
+	for (isupport = Isupports; isupport; isupport = isupport->next)
+	{
+		if (isupport->value)
+			snprintf(tmp, sizeof(tmp), "%s=%s", isupport->token, isupport->value);
+		else
+			strlcpy(tmp, isupport->token, sizeof(tmp));
+
+		tokcnt++;
+		if ((strlen(IsupportStrings[i]) + strlen(tmp) + 1 >= ISUPPORTLEN) || (tokcnt == 13))
+		{
+			/* No room or max tokens reached: start a new buffer */
+			IsupportStrings[++i] = MyMallocEx(bufsize+1);
+			tokcnt = 1;
+			if (i == MAXISUPPORTLINES)
+				abort(); /* should never happen anyway */
+		}
+
+		if (*IsupportStrings[i])
+			strlcat(IsupportStrings[i], " ", ISUPPORTLEN);
+		strlcat(IsupportStrings[i], tmp, ISUPPORTLEN);
+	}
+}
+
+void isupport_add_sorted(Isupport *n)
+{
+	Isupport *e;
+
+	if (!Isupports)
+	{
+		Isupports = n;
+		return;
+	}
+
+	for (e = Isupports; e; e = e->next)
+	{
+		if (strcmp(n->token, e->token) < 0)
+		{
+			/* Insert us before */
+			if (e->prev)
+				e->prev->next = n;
+			else
+				Isupports = n; /* new head */
+			n->prev = e->prev;
+
+			n->next = e;
+			e->prev = n;
+			return;
+		}
+		if (!e->next)
+		{
+			/* Append us at end */
+			e->next = n;
+			n->prev = e;
+			return;
+		}
+	}
+}

src/auth.c

@@ -19,6 +19,7 @@
 
 #include "unrealircd.h"
 #include "crypt_blowfish.h"
+#include <argon2.h>
 
 anAuthStruct MODVAR AuthTypes[] = {
 	{"plain",           AUTHTYPE_PLAINTEXT},
@@ -34,6 +35,7 @@ anAuthStruct MODVAR AuthTypes[] = {
 	{"sslclientcertfp", AUTHTYPE_SSL_CLIENTCERTFP},
 	{"certfp",          AUTHTYPE_SSL_CLIENTCERTFP},
 	{"spkifp",          AUTHTYPE_SPKIFP},
+	{"argon2",          AUTHTYPE_ARGON2},
 	{NULL,              0}
 };
 
@@ -83,6 +85,9 @@ int Auth_AutoDetectHashType(char *hash)
 	if (!strncmp(hash, "$2a$", 4) || !strncmp(hash, "$2b$", 4) || !strncmp(hash, "$2y$", 4))
 		return AUTHTYPE_BCRYPT;
 
+	if (!strncmp(hash, "$argon2", 7))
+		return AUTHTYPE_ARGON2;
+
 	/* Now handle UnrealIRCd-style password hashes.. */
 	if (parsepass(hash, &saltstr, &hashstr) == 0)
 		return AUTHTYPE_PLAINTEXT; /* old method (pre-3.2.1) or could not detect, fallback. */
@@ -197,7 +202,34 @@ int		Auth_CheckError(ConfigEntry *ce)
 			break;
 		default: ;
 	}
-	
+
+	if ((type == AUTHTYPE_MD5) || (type == AUTHTYPE_SHA1) || (type == AUTHTYPE_RIPEMD160))
+	{
+		config_warn("%s:%i: Deprecated authentication type. "
+		            "Consider using the more secure auth-type 'argon2' instead. "
+		            "See https://www.unrealircd.org/docs/Authentication_types for the complete list.",
+		            ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
+		/* do not return, not an error. */
+	}
+
+	/* Unix crypt is a bit more complicated: most types are outright 'bad',
+	 * while other types have reasonable security similar to 'bcrypt'.
+	 * To be honest these people should probably use 'argon2' since it's
+	 * a lot better. Then again, warning about this when it's still such
+	 * a common hashing method (now, in 2018) may be a bit overzealous.
+	 * So: not warning about crypt types $5/$6 which use SHA256/SHA512
+	 * with normally at least 5000 rounds (unless deliberately weakened
+	 * by the user).
+	 */
+	if ((type == AUTHTYPE_UNIXCRYPT) && strncmp(ce->ce_vardata, "$5", 2) &&
+	    strncmp(ce->ce_vardata, "$6", 2) && !strstr(ce->ce_vardata, "$rounds"))
+	{
+		config_warn("%s:%i: Using simple crypt for authentication is not recommended. "
+		            "Consider using the more secure auth-type 'argon2' instead. "
+		            "See https://www.unrealircd.org/docs/Authentication_types for the complete list.",
+                            ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
+		/* do not return, not an error. */
+	}
 	if ((type == AUTHTYPE_PLAINTEXT) && (strlen(ce->ce_vardata) > PASSWDLEN))
 	{
 		config_error("%s:%i: passwords length may not exceed %d",
@@ -272,6 +304,31 @@ int max;
 	return 1;
 }
 
+static int authcheck_argon2(aClient *cptr, anAuthStruct *as, char *para)
+{
+	argon2_type hashtype;
+
+	if (!para)
+		return -1;
+
+	/* Find out the hashtype. Why do we need to do this, why is this
+	 * not in the library or irrelevant by using some generic function?
+	 */
+	if (!strncmp(as->data, "$argon2id", 9))
+		hashtype = Argon2_id;
+	else if (!strncmp(as->data, "$argon2i", 8))
+		hashtype = Argon2_i;
+	else if (!strncmp(as->data, "$argon2d", 8))
+		hashtype = Argon2_d;
+	else
+		return -1; /* unknown argon2 type */
+
+	if (argon2_verify(as->data, para, strlen(para), hashtype) == ARGON2_OK)
+		return 2; /* MATCH */
+
+	return -1; /* NO MATCH or error */
+}
+
 static int authcheck_bcrypt(aClient *cptr, anAuthStruct *as, char *para)
 {
 char data[512]; /* NOTE: only 64 required by BF_crypt() */
@@ -500,6 +557,9 @@ int	Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 				return 2;
 			return -1;
 
+		case AUTHTYPE_ARGON2:
+			return authcheck_argon2(cptr, as, para);
+
 		case AUTHTYPE_BCRYPT:
 			return authcheck_bcrypt(cptr, as, para);
 
@@ -603,6 +663,44 @@ int	Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 	return -1;
 }
 
+#define UNREALIRCD_ARGON2_DEFAULT_TIME_COST             3
+#define UNREALIRCD_ARGON2_DEFAULT_MEMORY_COST           8192
+#define UNREALIRCD_ARGON2_DEFAULT_PARALLELISM_COST      2
+#define UNREALIRCD_ARGON2_DEFAULT_HASH_LENGTH           32
+#define UNREALIRCD_ARGON2_DEFAULT_SALT_LENGTH           (128/8)
+
+static char *mkpass_argon2(char *para)
+{
+	static char buf[512];
+	char salt[UNREALIRCD_ARGON2_DEFAULT_SALT_LENGTH];
+	int ret, i;
+
+	if (!para)
+		return NULL;
+
+	/* Initialize salt */
+	for (i=0; i < sizeof(salt); i++)
+		salt[i] = getrandom8();
+
+	*buf = '\0';
+
+	ret = argon2id_hash_encoded(UNREALIRCD_ARGON2_DEFAULT_TIME_COST,
+	                            UNREALIRCD_ARGON2_DEFAULT_MEMORY_COST,
+	                            UNREALIRCD_ARGON2_DEFAULT_PARALLELISM_COST,
+	                            para,
+	                            strlen(para),
+	                            salt,
+	                            sizeof(salt),
+	                            UNREALIRCD_ARGON2_DEFAULT_HASH_LENGTH,
+	                            buf,
+	                            sizeof(buf));
+
+	if (ret != ARGON2_OK)
+		return NULL; /* internal error */
+
+	return buf;
+}
+
 static char *mkpass_bcrypt(char *para)
 {
 	static char buf[128];
@@ -634,197 +732,20 @@ static char *mkpass_bcrypt(char *para)
 	return buf;
 }
 
-static char *mkpass_md5(char *para)
-{
-static char buf[128];
-char result1[16+REALSALTLEN];
-char result2[16];
-char saltstr[REALSALTLEN]; /* b64 encoded printable string*/
-char saltraw[RAWSALTLEN];  /* raw binary */
-char xresult[64];
-int i;
-
-	if (!para) return NULL;
-
-	/* generate a random salt... */
-	for (i=0; i < RAWSALTLEN; i++)
-		saltraw[i] = getrandom8();
-
-	i = b64_encode(saltraw, RAWSALTLEN, saltstr, REALSALTLEN);
-	if (!i) return NULL;
-
-	/* b64(MD5(MD5(<pass>)+salt))
-	 *         ^^^^^^^^^^^
-	 *           step 1
-	 *     ^^^^^^^^^^^^^^^^^^^^^
-	 *     step 2
-	 * ^^^^^^^^^^^^^^^^^^^^^^^^^^
-	 * step 3
-	 */
-
-	/* STEP 1 */
-	DoMD5(result1, para, strlen(para));
-
-	/* STEP 2 */
-	/* add salt to result */
-	memcpy(result1+16, saltraw, RAWSALTLEN);
-	/* Then hash it all together */
-	DoMD5(result2, result1, RAWSALTLEN+16);
-	
-	/* STEP 3 */
-	/* Then base64 encode it all together.. */
-	i = b64_encode(result2, sizeof(result2), xresult, sizeof(xresult));
-	if (!i) return NULL;
-
-	/* Good.. now create the whole string:
-	 * $<saltb64d>$<totalhashb64d>
-	 */
-	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
-	return buf;
-}
-
-static char *mkpass_sha1(char *para)
-{
-static char buf[128];
-char result1[20+REALSALTLEN];
-char result2[20];
-char saltstr[REALSALTLEN]; /* b64 encoded printable string*/
-char saltraw[RAWSALTLEN];  /* raw binary */
-char xresult[64];
-SHA_CTX hash;
-int i;
-
-	if (!para) return NULL;
-
-	/* generate a random salt... */
-	for (i=0; i < RAWSALTLEN; i++)
-		saltraw[i] = getrandom8();
-
-	i = b64_encode(saltraw, RAWSALTLEN, saltstr, REALSALTLEN);
-	if (!i) return NULL;
-
-	/* b64(SHA1(SHA1(<pass>)+salt))
-	 *         ^^^^^^^^^^^
-	 *           step 1
-	 *     ^^^^^^^^^^^^^^^^^^^^^
-	 *     step 2
-	 * ^^^^^^^^^^^^^^^^^^^^^^^^^^
-	 * step 3
-	 */
-
-	/* STEP 1 */
-	SHA1_Init(&hash);
-	SHA1_Update(&hash, para, strlen(para));
-	SHA1_Final(result1, &hash);
-
-	/* STEP 2 */
-	/* add salt to result */
-	memcpy(result1+20, saltraw, RAWSALTLEN);
-	/* Then hash it all together */
-	SHA1_Init(&hash);
-	SHA1_Update(&hash, result1, RAWSALTLEN+20);
-	SHA1_Final(result2, &hash);
-
-	/* STEP 3 */
-	/* Then base64 encode it all together.. */
-	i = b64_encode(result2, sizeof(result2), xresult, sizeof(xresult));
-	if (!i) return NULL;
-
-	/* Good.. now create the whole string:
-	 * $<saltb64d>$<totalhashb64d>
-	 */
-	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
-	return buf;
-}
-
-static char *mkpass_ripemd160(char *para)
-{
-static char buf[128];
-char result1[20+REALSALTLEN];
-char result2[20];
-char saltstr[REALSALTLEN]; /* b64 encoded printable string*/
-char saltraw[RAWSALTLEN];  /* raw binary */
-char xresult[64];
-RIPEMD160_CTX hash;
-int i;
-
-	if (!para) return NULL;
-
-	/* generate a random salt... */
-	for (i=0; i < RAWSALTLEN; i++)
-		saltraw[i] = getrandom8();
-
-	i = b64_encode(saltraw, RAWSALTLEN, saltstr, REALSALTLEN);
-	if (!i) return NULL;
-
-	/* b64(RIPEMD160(RIPEMD160(<pass>)+salt))
-	 *         ^^^^^^^^^^^
-	 *           step 1
-	 *     ^^^^^^^^^^^^^^^^^^^^^
-	 *     step 2
-	 * ^^^^^^^^^^^^^^^^^^^^^^^^^^
-	 * step 3
-	 */
-
-	/* STEP 1 */
-	RIPEMD160_Init(&hash);
-	RIPEMD160_Update(&hash, para, strlen(para));
-	RIPEMD160_Final(result1, &hash);
-
-	/* STEP 2 */
-	/* add salt to result */
-	memcpy(result1+20, saltraw, RAWSALTLEN);
-	/* Then hash it all together */
-	RIPEMD160_Init(&hash);
-	RIPEMD160_Update(&hash, result1, RAWSALTLEN+20);
-	RIPEMD160_Final(result2, &hash);
-
-	/* STEP 3 */
-	/* Then base64 encode it all together.. */
-	i = b64_encode(result2, sizeof(result2), xresult, sizeof(xresult));
-	if (!i) return NULL;
-
-	/* Good.. now create the whole string:
-	 * $<saltb64d>$<totalhashb64d>
-	 */
-	ircsnprintf(buf, sizeof(buf), "$%s$%s", saltstr, xresult);
-	return buf;
-}
-
 char	*Auth_Make(short type, char *para)
 {
-	char	salt[3];
-	extern	char *crypt();
-
 	switch (type)
 	{
 		case AUTHTYPE_PLAINTEXT:
-			return (para);
+			return para;
+
+		case AUTHTYPE_ARGON2:
+			return mkpass_argon2(para);
 
 		case AUTHTYPE_BCRYPT:
 			return mkpass_bcrypt(para);
 
-		case AUTHTYPE_UNIXCRYPT:
-			if (!para)
-				return NULL;
-			/* If our data is like 1 or none, we just let em through .. */
-			if (!(para[0] && para[1]))
-				return NULL;
-			snprintf(salt, sizeof(salt), "%02X", (unsigned int)getrandom8());
-			return(crypt(para, salt));
-
-		case AUTHTYPE_MD5:
-			return mkpass_md5(para);
-
-		case AUTHTYPE_SHA1:
-			return mkpass_sha1(para);
-
-		case AUTHTYPE_RIPEMD160:
-			return mkpass_ripemd160(para);
-
 		default:
-			return (NULL);
+			return NULL;
 	}
-
 }
-

src/channel.c

@@ -80,7 +80,7 @@ aCtab cFlagTab[] = {
 	{MODE_BAN, 'b', 1, 1},
 	{MODE_EXCEPT, 'e', 1, 1},	/* exception ban */
 	{MODE_INVEX, 'I', 1, 1},	/* invite-only exception */
-	{0x0, 0x0, 0x0}
+	{0x0, 0x0, 0x0, 0x0}
 };
 
 char cmodestring[512];
@@ -332,15 +332,15 @@ int identical_ban(char *one, char *two)
 	return 0;
 }
 
-/*
- * add_listmode - Add a listmode (+beI) with the specified banid to
- *                the specified channel.
+/** Add a listmode (+beI) with the specified banid to
+ *  the specified channel. (Extended version with
+ *  set by nick and set on timestamp)
  */
-
-int add_listmode(Ban **list, aClient *cptr, aChannel *chptr, char *banid)
+int add_listmode_ex(Ban **list, aClient *cptr, aChannel *chptr, char *banid, char *setby, TS seton)
 {
 	Ban *ban;
 	int cnt = 0, len;
+	int do_not_add = 0;
 
 	if (MyClient(cptr))
 		(void)collapse(banid);
@@ -348,9 +348,13 @@ int add_listmode(Ban **list, aClient *cptr, aChannel *chptr, char *banid)
 	len = strlen(banid);
 	if (!*list && ((len > MAXBANLENGTH) || (MAXBANS < 1)))
 	{
-		sendto_one(cptr, err_str(ERR_BANLISTFULL),
-			me.name, cptr->name, chptr->chname, banid);
-		return -1;
+		if (MyClient(cptr))
+		{
+			/* Only send the error to local clients */
+			sendto_one(cptr, err_str(ERR_BANLISTFULL),
+				me.name, cptr->name, chptr->chname, banid);
+		}
+		do_not_add = 1;
 	}
 	for (ban = *list; ban; ban = ban->next)
 	{
@@ -366,19 +370,56 @@ int add_listmode(Ban **list, aClient *cptr, aChannel *chptr, char *banid)
 				sendto_one(cptr, err_str(ERR_BANLISTFULL),
 				    me.name, cptr->name, chptr->chname, banid);
 			}
-			return -1;
+			do_not_add = 1;
 		}
 		if (identical_ban(ban->banstr, banid))
-			return -1;
+			break; /* update existing ban (potentially) */
 	}
-	ban = make_ban();
-	ban->next = *list;
-	ban->banstr = strdup(banid);
-	ban->who = strdup(cptr->name);
-	ban->when = TStime();
-	*list = ban;
+
+	/* Create a new ban if needed */
+	if (!ban)
+	{
+		if (do_not_add)
+		{
+			/* The banlist is full and trying to add a new ban.
+			 * This is not permitted.
+			 */
+			return -1;
+		}
+		ban = make_ban();
+		ban->next = *list;
+		*list = ban;
+	}
+
+	if ((ban->when > 0) && (seton >= ban->when))
+	{
+		/* Trying to add the same ban while an older version
+		 * or identical version of the ban already exists.
+		 */
+		return -1;
+	}
+
+	/* Update/set if this ban is new or older than existing one */
+	safestrdup(ban->banstr, banid); /* cAsE may differ, use oldest version of it */
+	safestrdup(ban->who, setby);
+	ban->when = seton;
 	return 0;
 }
+
+/** Add a listmode (+beI) with the specified banid to
+ *  the specified channel. (Simplified version)
+ */
+int add_listmode(Ban **list, aClient *cptr, aChannel *chptr, char *banid)
+{
+	char *setby = cptr->name;
+	char nuhbuf[NICKLEN+USERLEN+HOSTLEN+4];
+
+	if (IsPerson(cptr) && (iConf.ban_setter == SETTER_NICK_USER_HOST))
+		setby = make_nick_user_host_r(nuhbuf, cptr->name, cptr->user->username, GetHost(cptr));
+
+	return add_listmode_ex(list, cptr, chptr, banid, setby, TStime());
+}
+
 /*
  * del_listmode - delete a listmode (+beI) from a channel
  *                that matches the specified banid.
@@ -419,7 +460,7 @@ int del_listmode(Ban **list, aChannel *chptr, char *banid)
  */
 inline Ban *is_banned(aClient *sptr, aChannel *chptr, int type)
 {
-	return is_banned_with_nick(sptr, chptr, type, sptr->name);
+	return is_banned_with_nick(sptr, chptr, type, NULL);
 }
 
 /** ban_check_mask - Checks if the user matches the specified n!u@h mask -or- run an extended ban.
@@ -459,52 +500,63 @@ inline int ban_check_mask(aClient *sptr, aChannel *chptr, char *banstr, int type
  * @param sptr   Client to check (can be remote client)
  * @param chptr  Channel to check
  * @param type   Type of ban to check for (BANCHK_*)
- * @param nick   Nick of the user
+ * @param nick   Nick of the user (or NULL, to default to sptr->name)
  * @returns      A pointer to the ban struct if banned, otherwise NULL.
  */
 Ban *is_banned_with_nick(aClient *sptr, aChannel *chptr, int type, char *nick)
 {
-	Ban *tmp, *tmp2;
+	Ban *ban, *ex;
+	char savednick[NICKLEN+1];
+
+	/* It's not really doable to pass 'nick' to all the ban layers,
+	 * including extbans (with stacking) and so on. Or at least not
+	 * without breaking several module API's.
+	 * So, instead, we temporarily set 'sptr->name' to 'nick' and
+	 * restore it to the orginal value at the end of this function.
+	 * This is possible because all these layers never send a message
+	 * to 'sptr' and only indicate success/failure.
+	 * Note that all this ONLY happens if is_banned_with_nick() is called
+	 * with a non-NULL nick. That doesn't happen much. In UnrealIRCd
+	 * only in case of '/NICK newnick'. This fixes #5165.
+	 */
+	if (nick)
+	{
+		strlcpy(savednick, sptr->name, sizeof(savednick));
+		strlcpy(sptr->name, nick, sizeof(sptr->name));
+	}
 
 	/* We check +b first, if a +b is found we then see if there is a +e.
 	 * If a +e was found we return NULL, if not, we return the ban.
 	 */
-	for (tmp = chptr->banlist; tmp; tmp = tmp->next)
-	{
-		if (!ban_check_mask(sptr, chptr, tmp->banstr, type, 0))
-			continue;
 
-		/* Ban found, now check for +e */
-		for (tmp2 = chptr->exlist; tmp2; tmp2 = tmp2->next)
-		{
-			if (ban_check_mask(sptr, chptr, tmp2->banstr, type, 0))
-				return NULL; /* except matched */
-		}
-		break; /* ban found and not on except */
+	for (ban = chptr->banlist; ban; ban = ban->next)
+	{
+		if (ban_check_mask(sptr, chptr, ban->banstr, type, 0))
+			break;
 	}
 
-	return (tmp);
-}
-
-/*
- * Checks if the "user" IRC is banned, used by +mu.
- */
-static int is_irc_banned(aChannel *chptr)
-{
-	Ban *tmp;
-	/* Check for this user, ident/host are "illegal" on purpose */
-	char *check = "IRC!\001@\001";
-	
-	for (tmp = chptr->banlist; tmp; tmp = tmp->next)
-		if (match(tmp->banstr, check) == 0)
+	if (ban)
+	{
+		/* Ban found, now check for +e */
+		for (ex = chptr->exlist; ex; ex = ex->next)
 		{
-			/* Ban found, now check for +e */
-			for (tmp = chptr->exlist; tmp; tmp = tmp->next)
-				if (match(tmp->banstr, check) == 0)
-					return 0; /* In exception list */
-			return 1;
+			if (ban_check_mask(sptr, chptr, ex->banstr, type, 0))
+			{
+				/* except matched */
+				ban = NULL;
+				break;
+			}
 		}
-	return 0;
+		/* user is not on except, 'ban' stays non-NULL. */
+	}
+
+	if (nick)
+	{
+		/* Restore the nick */
+		strlcpy(sptr->name, savednick, sizeof(sptr->name));
+	}
+
+	return ban;
 }
 
 /*
@@ -709,7 +761,7 @@ int  can_send(aClient *cptr, aChannel *chptr, char *msgtext, int notice)
 	}
 
 	lp = find_membership_link(cptr->user->channel, chptr);
-	if (chptr->mode.mode & MODE_MODERATED && !op_can_override("override:message:moderated",cptr,chptr,NULL) &&
+	if (chptr->mode.mode & MODE_MODERATED && !op_can_override("channel:override:message:moderated",cptr,chptr,NULL) &&
 	    (!lp
 	    || !(lp->flags & (CHFL_CHANOP | CHFL_VOICE | CHFL_CHANOWNER |
 	CHFL_HALFOP | CHFL_CHANPROT))))
@@ -739,7 +791,7 @@ int  can_send(aClient *cptr, aChannel *chptr, char *msgtext, int notice)
 		return i;
 
 	/* Makes opers able to talk thru bans -Stskeeps suggested by The_Cat */
-	if (op_can_override("override:message:ban",cptr,chptr,NULL))
+	if (op_can_override("channel:override:message:ban",cptr,chptr,NULL))
 		return 0;
 
 	if ((!lp
@@ -963,7 +1015,7 @@ char *clean_ban_mask(char *mask, int what, aClient *cptr)
 	/* Extended ban? */
 	if ((*mask == '~') && mask[1] && (mask[2] == ':'))
 	{
-		if (RESTRICT_EXTENDEDBANS && MyClient(cptr) && !ValidatePermissionsForPath("channel:extbans",cptr,NULL,NULL,NULL))
+		if (RESTRICT_EXTENDEDBANS && MyClient(cptr) && !ValidatePermissionsForPath("immune:restrict-extendedbans",cptr,NULL,NULL,NULL))
 		{
 			if (!strcmp(RESTRICT_EXTENDEDBANS, "*"))
 			{

src/crashreport.c

@@ -129,7 +129,13 @@ void crash_report_fix_libs(char *coredump, int *thirdpartymods)
 #ifndef _WIN32
 	FILE *fd;
 	char cmd[512], buf[1024];
-	
+
+	/* This is needed for this function to work, but we keep it since it's
+	 * useful in general to have the bug report in English as well.
+	 */
+	setenv("LANG", "C", 1);
+	setenv("LC_ALL", "C", 1);
+
 	snprintf(cmd, sizeof(cmd), "echo info sharedlibrary|gdb %s/unrealircd %s 2>&1",
 		BINDIR, coredump);
 
@@ -367,7 +373,11 @@ int attach_coredump(FILE *fdo, char *coredump)
 
 	attach_file(fdi, fdo);
 
+#ifndef _WIN32
+	pclose(fdi);
+#else
 	fclose(fdi);
+#endif
 	return 1;
 }
 

src/dbuf.c

@@ -169,7 +169,7 @@ int  dbuf_getmsg(dbuf *dyn, char *buf)
 			}
 			else switch (phase)
 			{
-				case 0: phase = 1;
+				case 0: phase = 1; /* FALLTHROUGH */
 				case 1: if (line_bytes++ < BUFSIZE - 2)
 						*buf++ = c;
 					break;

src/events.c

@@ -46,6 +46,7 @@ ID_Copyright("(C) Carsten Munk 2001");
 MODVAR Event *events = NULL;
 
 extern EVENT(unrealdns_removeoldrecords);
+extern EVENT(deprecated_notice);
 
 void	LockEventSystem(void)
 {
@@ -213,6 +214,7 @@ void	SetupEvents(void)
 	EventAddEx(NULL, "garbage", GARBAGE_COLLECT_EVERY, 0, garbage_collect, NULL);
 	EventAddEx(NULL, "loop", 0, 0, loop_event, NULL);
 	EventAddEx(NULL, "unrealdns_removeoldrecords", 15, 0, unrealdns_removeoldrecords, NULL);
+	EventAddEx(NULL, "deprecated_notice", (86400*7)-(3600*8), 0, deprecated_notice, NULL);
 	EventAddEx(NULL, "check_pings", 1, 0, check_pings, NULL);
 	EventAddEx(NULL, "check_deadsockets", 1, 0, check_deadsockets, NULL);
 	EventAddEx(NULL, "check_unknowns", 1, 0, check_unknowns, NULL);

src/extbans.c

@@ -42,12 +42,10 @@
 Extban MODVAR ExtBan_Table[EXTBANTABLESZ]; /* this should be fastest */
 unsigned MODVAR short ExtBan_highest = 0;
 
-char MODVAR extbanstr[EXTBANTABLESZ+1];
-
-void make_extbanstr(void)
+void set_isupport_extban(void)
 {
 	int i;
-	char *m;
+	char extbanstr[EXTBANTABLESZ+1], *m;
 
 	m = extbanstr;
 	for (i = 0; i <= ExtBan_highest; i++)
@@ -56,6 +54,7 @@ void make_extbanstr(void)
 			*m++ = ExtBan_Table[i].flag;
 	}
 	*m = 0;
+	IsupportSetFmt(NULL, "EXTBAN", "~,%s", extbanstr);
 }
 
 Extban *findmod_by_bantype(char c)
@@ -106,12 +105,7 @@ char tmpbuf[512];
 		module->errorcode = MODERR_NOERROR;
 	}
 	ExtBan_highest = slot;
-	if (loop.ircd_booted)
-	{
-		make_extbanstr();
-		ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
-		IsupportSetValue(IsupportFind("EXTBAN"), tmpbuf);
-	}
+	set_isupport_extban();
 	return &ExtBan_Table[slot];
 }
 
@@ -134,9 +128,7 @@ char tmpbuf[512];
 		}
 	}
 	memset(eb, 0, sizeof(Extban));
-	make_extbanstr();
-	ircsnprintf(tmpbuf, sizeof(tmpbuf), "~,%s", extbanstr);
-	IsupportSetValue(IsupportFind("EXTBAN"), tmpbuf);
+	set_isupport_extban();
 	/* Hmm do we want to go trough all chans and remove the bans?
 	 * I would say 'no' because perhaps we are just reloading,
 	 * and else.. well... screw them?
@@ -162,7 +154,7 @@ int extban_is_ok_nuh_extban(aClient* sptr, aChannel* chptr, char* para, int chec
 		if (extban_is_ok_recursion)
 			return 0; /* Fail: more than one stacked extban */
 
-		if ((checkt == EXBCHK_PARAM) && RESTRICT_EXTENDEDBANS && !ValidatePermissionsForPath("channel:extbans",sptr,NULL,chptr,NULL))
+		if ((checkt == EXBCHK_PARAM) && RESTRICT_EXTENDEDBANS && !ValidatePermissionsForPath("immune:restrict-extendedbans",sptr,NULL,chptr,NULL))
 		{
 			/* Test if this specific extban has been disabled.
 			 * (We can be sure RESTRICT_EXTENDEDBANS is not *. Else this extended ban wouldn't be happening at all.)

src/extcmodes.c

@@ -39,8 +39,6 @@
 #include <fcntl.h>
 #include "h.h"
 
-extern char cmodestring[512];
-
 /* Channel parameter to slot# mapping */
 MODVAR unsigned char param_to_slot_mapping[256];
 
@@ -93,12 +91,25 @@ void extcmodes_check_for_changes(void)
 {
 	char chanmodes[256];
 	Isupport *isup;
-	
+
 	make_cmodestr();
 	make_extcmodestr();
-	ircsnprintf(chanmodes, sizeof(chanmodes), CHPAR1 "%s," CHPAR2 "%s," CHPAR3 "%s," CHPAR4 "%s",
-		EXPAR1, EXPAR2, EXPAR3, EXPAR4);
-	
+
+	snprintf(chanmodes, sizeof(chanmodes), "%s%s", CHPAR1, EXPAR1);
+	safestrdup(me.serv->features.chanmodes[0], chanmodes);
+	snprintf(chanmodes, sizeof(chanmodes), "%s%s", CHPAR2, EXPAR2);
+	safestrdup(me.serv->features.chanmodes[1], chanmodes);
+	snprintf(chanmodes, sizeof(chanmodes), "%s%s", CHPAR3, EXPAR3);
+	safestrdup(me.serv->features.chanmodes[2], chanmodes);
+	snprintf(chanmodes, sizeof(chanmodes), "%s%s", CHPAR4, EXPAR4);
+	safestrdup(me.serv->features.chanmodes[3], chanmodes);
+
+	ircsnprintf(chanmodes, sizeof(chanmodes), "%s,%s,%s,%s",
+	            me.serv->features.chanmodes[0],
+	            me.serv->features.chanmodes[1],
+	            me.serv->features.chanmodes[2],
+	            me.serv->features.chanmodes[3]);
+
 	isup = IsupportFind("CHANMODES");
 	if (!isup)
 	{
@@ -108,7 +119,7 @@ void extcmodes_check_for_changes(void)
 	
 	IsupportSetValue(isup, chanmodes);
 	
-	if (strcmp(chanmodes, previous_chanmodes))
+	if (*previous_chanmodes && strcmp(chanmodes, previous_chanmodes))
 	{
 		ircd_log(LOG_ERROR, "Channel modes changed at runtime: %s -> %s",
 			previous_chanmodes, chanmodes);

src/ircd.c

@@ -402,6 +402,18 @@ EVENT(garbage_collect)
 		loop.do_garbage_collect = 0;
 }
 
+EVENT(deprecated_notice)
+{
+	/* Send a warning to opers currently online every week after June 1, 2020 */
+	if (TStime() > 1590962400)
+	{
+		char *msg = "[WARNING] UnrealIRCd 4.x is no longer supported after December 31, 2020. "
+		            "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL";
+		sendto_realops("%s", msg);
+		ircd_log(LOG_ERROR, "%s", msg);
+	}
+}
+
 /*
 ** try_connections
 **
@@ -998,7 +1010,7 @@ int InitUnrealIRCd(int argc, char *argv[])
 	union pstun pstats;
 #endif
 	int  portarg = 0;
-#ifdef  FORCE_CORE
+#ifdef HAVE_SETRLIMIT
 	struct rlimit corelim;
 #endif
 
@@ -1074,10 +1086,10 @@ int InitUnrealIRCd(int argc, char *argv[])
 	extcmode_init();
 	init_random(); /* needs to be done very early!! */
 	clear_scache_hash_table();
-#ifdef FORCE_CORE
+#ifdef HAVE_SETRLIMIT
+	/* Make it so we can dump core */
 	corelim.rlim_cur = corelim.rlim_max = RLIM_INFINITY;
-	if (setrlimit(RLIMIT_CORE, &corelim))
-		printf("unlimit core size failed; errno = %d\n", errno);
+	setrlimit(RLIMIT_CORE, &corelim);
 #endif
 	/*
 	 * ** All command line parameters have the syntax "-fstring"
@@ -1137,7 +1149,7 @@ int InitUnrealIRCd(int argc, char *argv[])
 			  type = Auth_FindType(NULL, p);
 			  if (type == -1)
 			  {
-			      type = AUTHTYPE_BCRYPT;
+			      type = AUTHTYPE_ARGON2;
 			  } else {
 			      p = *++argv;
 			      argc--;
@@ -1155,11 +1167,11 @@ int InitUnrealIRCd(int argc, char *argv[])
 			  {
 			      /* Hmmm.. is this warning really still true (and always) ?? */
 			      printf("WARNING: Password truncated to 8 characters due to 'crypt' algorithm. "
-		                 "You are suggested to use the 'bcrypt' algorithm instead.");
+		                 "You are suggested to use the 'argon2' algorithm instead.");
 				  p[8] = '\0';
 			  }
 			  if (!(result = Auth_Make(type, p))) {
-				  printf("Authentication failed\n");
+				  printf("Failed to generate password. Deprecated method? Try 'argon2' instead.\n");
 				  exit(0);
 			  }
 			  printf("Encrypted password is: %s\n", result);
@@ -1306,12 +1318,19 @@ int InitUnrealIRCd(int argc, char *argv[])
 	fprintf(stderr, "%s", unreallogo);
 	fprintf(stderr, "                           v%s\n\n", VERSIONONLY);
 	fprintf(stderr, "  using %s\n", pcre2_version());
+#ifdef USE_TRE
 	fprintf(stderr, "  using %s\n", tre_version());
+#endif
 	fprintf(stderr, "  using %s\n", SSLeay_version(SSLEAY_VERSION));
 #ifdef USE_LIBCURL
 	fprintf(stderr, "  using %s\n", curl_version());
 #endif
+#endif
+	check_user_limit();
+#ifndef _WIN32
 	fprintf(stderr, "\n");
+	fprintf(stderr, "This server can handle %d concurrent sockets (%d clients + %d reserve)\n\n",
+		maxclients+CLIENTS_RESERVE, maxclients, CLIENTS_RESERVE);
 #endif
 	clear_client_hash_table();
 	clear_channel_hash_table();
@@ -1347,9 +1366,13 @@ int InitUnrealIRCd(int argc, char *argv[])
 	booted = TRUE;
 	load_tunefile();
 	make_umodestr();
+	me.flags = FLAGS_LISTEN;
+	me.fd = -1;
+	SetMe(&me);
+	make_server(&me);
 	extcmodes_check_for_changes();
-	make_extbanstr();
-	isupport_init();
+	umodes_check_for_changes();
+	charsys_check_for_changes();
 	clicap_init();
 	if (!find_Command_simple("AWAY") /*|| !find_Command_simple("KILL") ||
 		!find_Command_simple("OPER") || !find_Command_simple("PING")*/)
@@ -1376,15 +1399,17 @@ int InitUnrealIRCd(int argc, char *argv[])
 #ifndef _WIN32
 	fprintf(stderr, "Dynamic configuration initialized.. booting IRCd.\n");
 #endif
+	/* Warn about this starting March 1, 2020 */
+	if (time(NULL) > 1583017200)
+	{
+		fprintf(stderr, "WARNING: UnrealIRCd 4.x is no longer supported after December 31, 2020.\n"
+		                "See https://www.unrealircd.org/docs/UnrealIRCd_4_EOL\n");
+	}
 	open_debugfile();
 	if (portnum < 0)
 		portnum = PORTNUM;
 	me.local->port = portnum;
 	(void)init_sys();
-	me.flags = FLAGS_LISTEN;
-	me.fd = -1;
-	SetMe(&me);
-	make_server(&me);
 	applymeblock();
 #ifdef HAVE_SYSLOG
 	openlog("ircd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
@@ -1411,7 +1436,9 @@ int InitUnrealIRCd(int argc, char *argv[])
 	me_hash = find_or_add(me.name);
 	me.serv->up = me_hash;
 	timeofday = time(NULL);
-	me.local->lasttime = me.local->since = me.local->firsttime = TStime();
+	me.local->lasttime = me.local->since = me.local->firsttime = me.serv->boottime = TStime();
+	me.serv->features.protocol = UnrealProtocol;
+	me.serv->features.software = strdup(version);
 	(void)add_to_client_hash_table(me.name, &me);
 	(void)add_to_id_hash_table(me.id, &me);
 	list_add(&me.client_node, &global_server_list);

src/list.c

@@ -144,6 +144,7 @@ aClient *make_client(aClient *from, aClient *servr)
 	if (!from)
 	{
 		/* Local client */
+		const char *id;
 		
 		cptr->local = MyMallocEx(sizeof(aLocalClient));
 		
@@ -161,6 +162,11 @@ aClient *make_client(aClient *from, aClient *servr)
 
 		dbuf_queue_init(&cptr->local->recvQ);
 		dbuf_queue_init(&cptr->local->sendQ);
+
+		while (hash_find_id((id = uid_get()), NULL) != NULL)
+			;
+		strlcpy(cptr->id, id, sizeof cptr->id);
+		add_to_id_hash_table(cptr->id, cptr);
 	} else {
 		cptr->fd = -256;
 	}
@@ -189,6 +195,14 @@ void free_client(aClient *cptr)
 			
 			MyFree(cptr->local);
 		}
+		if (*cptr->id)
+		{
+			/* This is already del'd in exit_one_client, so we
+			 * only have it here in case a shortcut was taken,
+			 * such as from add_connection() to free_client().
+			 */
+			del_from_id_hash_table(cptr->id, cptr);
+		}
 	}
 	
 	safefree(cptr->ip);
@@ -257,6 +271,14 @@ aServer *make_server(aClient *cptr)
 		serv->up = NULL;
 		cptr->serv = serv;
 	}
+	if (strlen(cptr->id) > 3)
+	{
+		/* Probably the auto-generated UID for a server that
+		 * still uses the old protocol (without SID).
+		 */
+		del_from_id_hash_table(cptr->id, cptr);
+		*cptr->id = '\0';
+	}
 	return cptr->serv;
 }
 
@@ -341,10 +363,13 @@ void remove_client_from_list(aClient *cptr)
 	{
 		if (cptr->serv->user)
 			free_user(cptr->serv->user, cptr);
+		safefree(cptr->serv->features.usermodes);
 		safefree(cptr->serv->features.chanmodes[0]);
 		safefree(cptr->serv->features.chanmodes[1]);
 		safefree(cptr->serv->features.chanmodes[2]);
 		safefree(cptr->serv->features.chanmodes[3]);
+		safefree(cptr->serv->features.software);
+		safefree(cptr->serv->features.nickchars);
 		MyFree(cptr->serv);
 #ifdef	DEBUGMODE
 		servs.inuse--;
@@ -356,9 +381,12 @@ void remove_client_from_list(aClient *cptr)
 	else
 		crem.inuse--;
 #endif
-	assert(list_empty(&cptr->client_node));
-	assert(list_empty(&cptr->client_hash));
-	assert(list_empty(&cptr->id_hash));
+	if (!list_empty(&cptr->client_node))
+		abort();
+	if (!list_empty(&cptr->client_hash))
+		abort();
+	if (!list_empty(&cptr->id_hash))
+		abort();
 	(void)free_client(cptr);
 	checklist();
 	numclients--;
@@ -538,6 +566,23 @@ void add_ListItem(ListStruct *item, ListStruct **list) {
 	*list = item;
 }
 
+/* (note that if you end up using this, you should probably
+ *  use a circular linked list instead)
+ */
+void append_ListItem(ListStruct *item, ListStruct **list) {
+	ListStruct *l;
+
+	if (!*list)
+	{
+		*list = item;
+		return;
+	}
+
+	for (l = *list; l->next; l = l->next);
+	l->next = item;
+	item->prev = l;
+}
+
 ListStruct *del_ListItem(ListStruct *item, ListStruct **list) {
 	ListStruct *l, *ret;
 

src/match.c

@@ -581,3 +581,388 @@ char *unreal_match_method_valtostr(int val)
 	
 	return "unknown";
 }
+
+/* It is unfortunately that we have 2 matching/replace systems.
+ * However, the above is for spamfilter matching and stuff
+ * and below is for matching on WORDS, which does specific things
+ * like replacement on word boundaries etc.
+ * Moved here from the censor channel and user mode module
+ * (previously was present in both modules, code duplication)
+ */
+int fast_badword_match(ConfigItem_badword *badword, char *line)
+{
+	char *p;
+	int bwlen = strlen(badword->word);
+	if ((badword->type & BADW_TYPE_FAST_L) && (badword->type & BADW_TYPE_FAST_R))
+		return (our_strcasestr(line, badword->word) ? 1 : 0);
+
+	p = line;
+	while((p = our_strcasestr(p, badword->word)))
+	{
+		if (!(badword->type & BADW_TYPE_FAST_L))
+		{
+			if ((p != line) && !iswseperator(*(p - 1))) /* aaBLA but no *BLA */
+				goto next;
+		}
+		if (!(badword->type & BADW_TYPE_FAST_R))
+		{
+			if (!iswseperator(*(p + bwlen)))  /* BLAaa but no BLA* */
+				goto next;
+		}
+		/* Looks like it matched */
+		return 1;
+next:
+		p += bwlen;
+	}
+	return 0;
+}
+
+/* fast_badword_replace:
+ * A fast replace routine written by Syzop used for replacing badwords.
+ * This searches in line for the bad word and replaces it.
+ * buf is used for the result and max is sizeof(buf).
+ * Assumptions[!]: max > 0 AND max > strlen(line)+1
+ */
+int fast_badword_replace(ConfigItem_badword *badword, char *line, char *buf, int max)
+{
+	/* Some aliases ;P */
+	char *replacew = badword->replace ? badword->replace : REPLACEWORD;
+	char *pold = line, *pnew = buf; /* Pointers to old string and new string */
+	char *poldx = line;
+	int replacen = -1; /* Only calculated if needed. w00t! saves us a few nanosecs? lol */
+	int searchn = -1;
+	char *startw, *endw;
+	char *c_eol = buf + max - 1; /* Cached end of (new) line */
+	int run = 1;
+	int cleaned = 0;
+
+	Debug((DEBUG_NOTICE, "replacing %s -> %s in '%s'", badword->word, replacew, line));
+
+	while(run) {
+		pold = our_strcasestr(pold, badword->word);
+		if (!pold)
+			break;
+		if (replacen == -1)
+			replacen = strlen(replacew);
+		if (searchn == -1)
+			searchn = strlen(badword->word);
+		/* Hunt for start of word */
+		if (pold > line) {
+			for (startw = pold; (!iswseperator(*startw) && (startw != line)); startw--);
+			if (iswseperator(*startw))
+				startw++; /* Don't point at the space/seperator but at the word! */
+		} else {
+			startw = pold;
+		}
+
+		if (!(badword->type & BADW_TYPE_FAST_L) && (pold != startw)) {
+			/* not matched */
+			pold++;
+			continue;
+		}
+
+		/* Hunt for end of word
+		 * Fix for bug #4909: word will be at least 'searchn' long so we can skip
+		 * 'searchn' bytes and avoid stopping half-way the badword.
+		 */
+		for (endw = pold+searchn; ((*endw != '\0') && (!iswseperator(*endw))); endw++);
+
+		if (!(badword->type & BADW_TYPE_FAST_R) && (pold+searchn != endw)) {
+			/* not matched */
+			pold++;
+			continue;
+		}
+
+		cleaned = 1; /* still too soon? Syzop/20050227 */
+
+		/* Do we have any not-copied-yet data? */
+		if (poldx != startw) {
+			int tmp_n = startw - poldx;
+			if (pnew + tmp_n >= c_eol) {
+				/* Partial copy and return... */
+				memcpy(pnew, poldx, c_eol - pnew);
+				*c_eol = '\0';
+				return 1;
+			}
+
+			memcpy(pnew, poldx, tmp_n);
+			pnew += tmp_n;
+		}
+		/* Now update the word in buf (pnew is now something like startw-in-new-buffer */
+
+		if (replacen) {
+			if ((pnew + replacen) >= c_eol) {
+				/* Partial copy and return... */
+				memcpy(pnew, replacew, c_eol - pnew);
+				*c_eol = '\0';
+				return 1;
+			}
+			memcpy(pnew, replacew, replacen);
+			pnew += replacen;
+		}
+		poldx = pold = endw;
+	}
+	/* Copy the last part */
+	if (*poldx) {
+		strncpy(pnew, poldx, c_eol - pnew);
+		*(c_eol) = '\0';
+	} else {
+		*pnew = '\0';
+	}
+	return cleaned;
+}
+
+/*
+ * Returns a string, which has been filtered by the words loaded via
+ * the loadbadwords() function.  It's primary use is to filter swearing
+ * in both private and public messages
+ */
+char *stripbadwords(char *str, ConfigItem_badword *start_bw, int *blocked)
+{
+	static char cleanstr[4096];
+	char buf[4096];
+	char *ptr;
+	int matchlen, m, stringlen, cleaned;
+	ConfigItem_badword *this_word;
+
+	*blocked = 0;
+
+	if (!start_bw)
+		return str;
+
+	/*
+	 * work on a copy
+	 */
+	stringlen = strlcpy(cleanstr, StripControlCodes(str), sizeof cleanstr);
+	matchlen = 0;
+	buf[0] = '\0';
+	cleaned = 0;
+
+	for (this_word = start_bw; this_word; this_word = this_word->next)
+	{
+		if (this_word->type & BADW_TYPE_FAST)
+		{
+			if (this_word->action == BADWORD_BLOCK)
+			{
+				if (fast_badword_match(this_word, cleanstr))
+				{
+					*blocked = 1;
+					return NULL;
+				}
+			}
+			else
+			{
+				int n;
+				/* fast_badword_replace() does size checking so we can use 512 here instead of 4096 */
+				n = fast_badword_replace(this_word, cleanstr, buf, 512);
+				if (!cleaned && n)
+					cleaned = n;
+				strcpy(cleanstr, buf);
+				memset(buf, 0, sizeof(buf)); /* regexp likes this somehow */
+			}
+		} else
+		if (this_word->type & BADW_TYPE_REGEX)
+		{
+			if (this_word->action == BADWORD_BLOCK)
+			{
+				pcre2_match_data *md = pcre2_match_data_create(9, NULL);
+				int ret;
+
+				ret = pcre2_match(this_word->pcre2_expr, cleanstr, PCRE2_ZERO_TERMINATED, 0, 0, md, NULL); /* run the regex */
+				pcre2_match_data_free(md); /* yeah, we never use it. unfortunately argument must be non-NULL for pcre2_match() */
+				if (ret > 0)
+				{
+					*blocked = 1;
+					return NULL;
+				}
+			}
+			else
+			{
+				pcre2_match_data *md;
+				int ret;
+				PCRE2_SIZE *dd;
+				int start, end;
+
+				ptr = cleanstr; /* set pointer to start of string */
+				while(1) {
+					md = pcre2_match_data_create(9, NULL);
+					/* ^^ we need to free 'md' in ALL circumstances.
+					 * remember this if you break or continue in this loop!
+					 */
+					ret = pcre2_match(this_word->pcre2_expr, ptr, PCRE2_ZERO_TERMINATED, 0, 0, md, NULL); /* run the regex */
+					if (ret > 0)
+					{
+						ircd_log(LOG_ERROR, "pcre2_get_ovector_count: %d", pcre2_get_ovector_count(md));
+						dd = pcre2_get_ovector_pointer(md);
+						start = (int)dd[0];
+						end = (int)dd[1];
+						if ((start < 0) || (end < 0) || (start > strlen(ptr)) || (end > strlen(ptr)+1))
+						{
+							ircd_log(LOG_ERROR, "pcre2_match() returned an ovector with OOB start/end: %d/%d, str (%d): '%s'",
+								(int)start, (int)end, (int)strlen(ptr), ptr);
+							abort();
+						}
+						m = end - start;
+						if (m == 0)
+						{
+							pcre2_match_data_free(md);
+							break; /* anti-loop */
+						}
+						cleaned = 1;
+						matchlen += m;
+						strlncat(buf, ptr, sizeof buf, start);
+						if (this_word->replace)
+							strlcat(buf, this_word->replace, sizeof buf); 
+						else
+							strlcat(buf, REPLACEWORD, sizeof buf);
+						ptr += end; /* Set pointer after the match pos */
+						pcre2_match_data_free(md);
+						continue; /* next! */
+					}
+					pcre2_match_data_free(md);
+					break; /* NOMATCH: we are done! */
+				}
+				/* All the better to eat you with! */
+				strlcat(buf, ptr, sizeof buf);	
+				memcpy(cleanstr, buf, sizeof cleanstr);
+				memset(buf, 0, sizeof(buf));
+				if (matchlen == stringlen)
+					break;
+			}
+		}
+	}
+
+	cleanstr[511] = '\0'; /* cutoff, just to be sure */
+
+	return (cleaned) ? cleanstr : str;
+}
+
+/** Checks if the specified regex (or fast badwords) is valid.
+ * returns NULL in case of success [!],
+ * pointer to buffer with error message otherwise
+ * if check_broadness is 1, the function will attempt to determine
+ * if the given regex string is too broad (i.e. matches everything)
+ */
+char *badword_config_check_regex(char *str, int fastsupport, int check_broadness)
+{
+	int errorcode, errorbufsize, regex=0;
+	char *errtmp, *tmp;
+	static char errorbuf[512];
+
+	if (fastsupport)
+	{
+		for (tmp = str; *tmp; tmp++) {
+			if (!isalnum(*tmp) && !(*tmp >= 128)) {
+				if ((str == tmp) && (*tmp == '*'))
+					continue;
+				if ((*(tmp + 1) == '\0') && (*tmp == '*'))
+					continue;
+				regex = 1;
+				break;
+			}
+		}
+	}
+	if (!fastsupport || regex)
+	{
+		int errorcode = 0;
+		PCRE2_SIZE erroroffset = 0;
+		pcre2_code *expr;
+		int options = 0;
+		char buf2[512];
+
+		options = PCRE2_CASELESS|PCRE2_NEVER_UTF|PCRE2_NEVER_UCP;
+
+		expr = pcre2_compile(str, PCRE2_ZERO_TERMINATED, options, &errorcode, &erroroffset, NULL);
+		if (expr == NULL)
+		{
+			pcre2_get_error_message(errorcode, buf2, sizeof(buf2));
+			if (erroroffset > 0)
+				snprintf(errorbuf, sizeof(errorbuf), "%s (at character #%d)", buf2, (int)erroroffset);
+			else
+				strlcpy(errorbuf, buf2, sizeof(errorbuf));
+			return errorbuf;
+		}
+		pcre2_code_free(expr);
+	}
+	return NULL;
+}
+
+int badword_config_process(ConfigItem_badword *ca, char *str)
+{
+	char *tmp;
+	short regex = 0;
+	int regflags = 0;
+	int ast_l = 0, ast_r = 0;
+
+	/* The fast badwords routine can do: "blah" "*blah" "blah*" and "*blah*",
+	 * in all other cases use regex.
+	 */
+	for (tmp = str; *tmp; tmp++) {
+		if (!isalnum(*tmp) && !(*tmp >= 128)) {
+			if ((str == tmp) && (*tmp == '*')) {
+				ast_l = 1; /* Asterisk at the left */
+				continue;
+			}
+			if ((*(tmp + 1) == '\0') && (*tmp == '*')) {
+				ast_r = 1; /* Asterisk at the right */
+				continue;
+			}
+			regex = 1;
+			break;
+		}
+	}
+	if (regex)
+	{
+		int errorcode = 0;
+		PCRE2_SIZE erroroffset = 0;
+		int options = 0;
+		char buf2[512];
+
+		ca->type = BADW_TYPE_REGEX;
+		safestrdup(ca->word, str);
+
+		options = PCRE2_CASELESS|PCRE2_NEVER_UTF|PCRE2_NEVER_UCP;
+
+		ca->pcre2_expr = pcre2_compile(str, PCRE2_ZERO_TERMINATED, options, &errorcode, &erroroffset, NULL);
+		if (ca->pcre2_expr == NULL)
+		{
+			/* This cannot happen since badword_config_check_regex()
+			 * should be called from config_test on each regex.
+			 */
+			config_error("badword_config_process(): failed to compile regex '%s', this is impossible!", str);
+			abort();
+		}
+		pcre2_jit_compile(ca->pcre2_expr, PCRE2_JIT_COMPLETE);
+	}
+	else
+	{
+		char *tmpw;
+		ca->type = BADW_TYPE_FAST;
+		ca->word = tmpw = MyMallocEx(strlen(str) - ast_l - ast_r + 1);
+		/* Copy except for asterisks */
+		for (tmp = str; *tmp; tmp++)
+			if (*tmp != '*')
+				*tmpw++ = *tmp;
+		*tmpw = '\0';
+		if (ast_l)
+			ca->type |= BADW_TYPE_FAST_L;
+		if (ast_r)
+			ca->type |= BADW_TYPE_FAST_R;
+	}
+
+	return 1;
+}
+
+/** Frees a ConfigItem_badword item.
+ * Note that it does NOT remove from the list, you need
+ * to do this BEFORE calling this function.
+ */
+void badword_config_free(ConfigItem_badword *e)
+{
+	safefree(e->word);
+	if (e->replace)
+		safefree(e->replace);
+	if (e->pcre2_expr)
+		pcre2_code_free(e->pcre2_expr);
+	MyFree(e);
+}

src/modules.c

@@ -121,7 +121,7 @@ void (*broadcast_md_channel)(ModDataInfo *mdi, aChannel *chptr, ModData *md);
 void (*broadcast_md_member)(ModDataInfo *mdi, aChannel *chptr, Member *m, ModData *md);
 void (*broadcast_md_membership)(ModDataInfo *mdi, aClient *acptr, Membership *m, ModData *md);
 int (*check_banned)(aClient *cptr);
-int (*check_deny_version)(aClient *cptr, char *version_string, int protocol, char *flags);
+int (*check_deny_version)(aClient *cptr, char *software, int protocol, char *flags);
 void (*broadcast_md_client_cmd)(aClient *except, aClient *sender, aClient *acptr, char *varname, char *value);
 void (*broadcast_md_channel_cmd)(aClient *except, aClient *sender, aChannel *chptr, char *varname, char *value);
 void (*broadcast_md_member_cmd)(aClient *except, aClient *sender, aChannel *chptr, aClient *acptr, char *varname, char *value);
@@ -137,6 +137,7 @@ void (*send_join_to_local_users)(aClient *sptr, aChannel *chptr);
 int (*do_nick_name)(char *nick);
 int (*do_remote_nick_name)(char *nick);
 char *(*charsys_get_current_languages)(void);
+void *(*broadcast_sinfo)(aClient *acptr, aClient *to, aClient *except);
 
 static const EfunctionsList efunction_table[MAXEFUNCTIONS] = {
 /* 00 */	{NULL, NULL},
@@ -199,7 +200,8 @@ static const EfunctionsList efunction_table[MAXEFUNCTIONS] = {
 /* 57 */	{"do_nick_name", (void *)&do_nick_name},
 /* 58 */	{"do_remote_nick_name", (void *)&do_remote_nick_name},
 /* 59 */	{"charsys_get_current_languages", (void *)&charsys_get_current_languages},
-/* 60 */	{NULL, NULL}
+/* 60 */	{"broadcast_sinfo", (void *)&broadcast_sinfo},
+/* 61 */	{NULL, NULL}
 };
 
 #ifdef UNDERSCORE
@@ -1390,11 +1392,12 @@ Callback *CallbackDel(Callback *cb)
 
 Efunction	*EfunctionAddMain(Module *module, int eftype, int (*func)(), void (*vfunc)(), void *(*pvfunc)(), char *(*cfunc)())
 {
-Efunction *p;
+	Efunction *p;
 
 	if (!module || !(module->options & MOD_OPT_OFFICIAL))
 	{
-		module->errorcode = MODERR_INVALID;
+		if (module)
+			module->errorcode = MODERR_INVALID;
 		return NULL;
 	}
 	
@@ -1446,7 +1449,7 @@ Efunction *p, *q;
 	return NULL;
 }
 
-Cmdoverride *CmdoverrideAddEx(Module *module, char *name, int priority, iFP function)
+Cmdoverride *CmdoverrideAddEx(Module *module, char *name, int priority, OverrideCmdFunc function)
 {
 	aCommand *p;
 	Cmdoverride *ovr;
@@ -1491,7 +1494,7 @@ Cmdoverride *CmdoverrideAddEx(Module *module, char *name, int priority, iFP func
 	return ovr;
 }
 
-Cmdoverride *CmdoverrideAdd(Module *module, char *name, iFP function)
+Cmdoverride *CmdoverrideAdd(Module *module, char *name, OverrideCmdFunc function)
 {
 	return CmdoverrideAddEx(module, name, 0, function);
 }
@@ -1529,8 +1532,8 @@ void CmdoverrideDel(Cmdoverride *cmd)
 
 int CallCmdoverride(Cmdoverride *ovr, aClient *cptr, aClient *sptr, int parc, char *parv[])
 {
-	if (ovr->prev)
-		return ovr->prev->func(ovr->prev, cptr, sptr, parc, parv);
+	if (ovr->next)
+		return ovr->next->func(ovr->next, cptr, sptr, parc, parv);
 	return ovr->command->func(cptr, sptr, parc, parv);
 }
 

src/modules/Makefile.in

@@ -62,7 +62,8 @@ R_MODULES= \
 	 blacklist.so jointhrottle.so \
 	 antirandom.so hideserver.so jumpserver.so \
 	 m_ircops.so m_staff.so nocodes.so \
-	 charsys.so
+	 charsys.so antimixedutf8.so authprompt.so m_sinfo.so \
+	 reputation.so connthrottle.so
 
 MODULES=cloak.so $(R_MODULES)
 MODULEFLAGS=@MODULEFLAGS@
@@ -518,6 +519,26 @@ charsys.so: charsys.c $(INCLUDES)
 	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
 		-o charsys.so charsys.c
 
+antimixedutf8.so: antimixedutf8.c $(INCLUDES)
+	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
+		-o antimixedutf8.so antimixedutf8.c
+
+authprompt.so: authprompt.c $(INCLUDES)
+	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
+		-o authprompt.so authprompt.c
+
+m_sinfo.so: m_sinfo.c $(INCLUDES)
+	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
+		-o m_sinfo.so m_sinfo.c
+
+reputation.so: reputation.c $(INCLUDES)
+	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
+		-o reputation.so reputation.c
+
+connthrottle.so: connthrottle.c $(INCLUDES)
+	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
+		-o connthrottle.so connthrottle.c
+
 #############################################################################
 # capabilities
 #############################################################################

src/modules/antimixedutf8.c

@@ -0,0 +1,349 @@
+/*
+ * Anti mixed UTF8 - a filter written by Bram Matthys ("Syzop").
+ * Reported by Mr_Smoke in https://bugs.unrealircd.org/view.php?id=5163
+ * Tested by PeGaSuS (The_Myth) with some of the most used spam lines.
+ * Help with testing and fixing Cyrillic from 'i' <info@servx.org>
+ *
+ * ==[ ABOUT ]==
+ * This module will detect and stop spam containing of characters of
+ * mixed "scripts", where some characters are in Latin script and other
+ * characters are in Cyrillic.
+ * This unusual behavior can be detected easily and action can be taken.
+ *
+ * ==[ MODULE LOADING AND CONFIGURATION ]==
+ * loadmodule "antimixedutf8";
+ * set {
+ *         antimixedutf8 {
+ *                 score 10;
+ *                 ban-action block;
+ *                 ban-reason "Possible mixed character spam";
+ *                 ban-time 4h; // For other types
+ *         };
+ * };
+ *
+ * ==[ LICENSE AND PORTING ]==
+ * Feel free to copy/move the idea or code to other IRCds.
+ * The license is GPLv1 (or later, at your option):
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 1, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "unrealircd.h"
+
+ModuleHeader MOD_HEADER(antimixedutf8)
+= {
+	"antimixedutf8",
+	"1.0",
+	"Mixed UTF8 character filter (look-alike character spam) - by Syzop",
+	"3.2-b8-1",
+	NULL 
+};
+
+struct {
+	int score;
+	int ban_action;
+	char *ban_reason;
+	long ban_time;
+} cfg;
+
+static void free_config(void);
+static void init_config(void);
+int antimixedutf8_config_test(ConfigFile *, ConfigEntry *, int, int *);
+int antimixedutf8_config_run(ConfigFile *, ConfigEntry *, int);
+
+#define SCRIPT_UNDEFINED	0
+#define SCRIPT_LATIN		1
+#define SCRIPT_CYRILLIC		2
+
+/**** the detection algorithm follows first, the module/config code is at the end ****/
+
+/** Detect which script the current character is,
+ * such as latin script or cyrillic script.
+ * @retval See SCRIPT_*
+ */
+int detect_script(const char *t)
+{
+	/* Safety: as long as *t is never \0 then at worst
+	 * the character after this will be \0 and since we
+	 * only look at 2 characters (at most) at a time
+	 * this will be safe.
+	 */
+
+	/* Currently we only detect cyrillic and call all the
+	 * rest latin (which is not true). This can always
+	 * be enhanced later.
+	 */
+
+	if ((t[0] == 0xd0) && (t[1] >= 0x80) && (t[1] <= 0xbf))
+		return SCRIPT_CYRILLIC;
+	else if ((t[0] == 0xd1) && (t[1] >= 0x80) && (t[1] <= 0xbf))
+		return SCRIPT_CYRILLIC;
+	else if ((t[0] == 0xd2) && (t[1] >= 0x80) && (t[1] <= 0xbf))
+		return SCRIPT_CYRILLIC;
+	else if ((t[0] == 0xd3) && (t[1] >= 0x80) && (t[1] <= 0xbf))
+		return SCRIPT_CYRILLIC;
+
+	if ((t[0] >= 'a') && (t[0] <= 'z'))
+		return SCRIPT_LATIN;
+	if ((t[0] >= 'A') && (t[0] <= 'Z'))
+		return SCRIPT_LATIN;
+
+	return SCRIPT_UNDEFINED;
+}
+
+/** Returns length of an (UTF8) character. May return <1 for error conditions.
+ * Made by i <info@servx.org>
+ */
+static int utf8_charlen(const char *str)
+{
+	struct { char mask; char val; } t[4] =
+	{ { 0x80, 0x00 }, { 0xE0, 0xC0 }, { 0xF0, 0xE0 }, { 0xF8, 0xF0 } };
+	unsigned k, j;
+
+	for (k = 0; k < 4; k++)
+	{
+		if ((*str & t[k].mask) == t[k].val)
+		{
+			for (j = 0; j < k; j++)
+			{
+				if ((*(++str) & 0xC0) != 0x80)
+					return -1;
+			}
+			return k + 1;
+		}
+	}
+	return 1;
+}
+
+int lookalikespam_score(const char *text)
+{
+	const char *p;
+	int last_script = SCRIPT_UNDEFINED;
+	int current_script;
+	int points = 0;
+	int last_character_was_word_separator = 0;
+	int skip = 0;
+
+	for (p = text; *p; p++)
+	{
+		current_script = detect_script(p);
+
+		if (current_script != SCRIPT_UNDEFINED)
+		{
+			if ((current_script != last_script) && (last_script != SCRIPT_UNDEFINED))
+			{
+				/* A script change = 1 point */
+				points++;
+
+				/* Give an additional point if the script change happened
+				 * within the same word, as that would be rather unusual
+				 * in normal cases.
+				 */
+				if (!last_character_was_word_separator)
+					points++;
+			}
+			last_script = current_script;
+		}
+
+		if (strchr("., ", *p))
+			last_character_was_word_separator = 1;
+		else
+			last_character_was_word_separator = 0;
+
+		skip = utf8_charlen(p);
+		if (skip > 1)
+			p += skip - 1;
+	}
+
+	return points;
+}
+
+CMD_OVERRIDE_FUNC(override_msg)
+{
+	int score, ret;
+	
+	if (!MyClient(sptr) || (parc < 3) || BadPtr(parv[2]))
+	{
+		/* Short circuit for: remote clients or insufficient parameters */
+		return CallCmdoverride(ovr, cptr, sptr, parc, parv);
+	}
+
+	score = lookalikespam_score(StripControlCodes(parv[2]));
+	if (score >= cfg.score)
+	{
+		if (cfg.ban_action == BAN_ACT_KILL)
+		{
+			sendto_realops("[antimixedutf8] Killed connection from %s (score %d)",
+				GetIP(sptr), score);
+		} /* no else here!! */
+
+		if ((cfg.ban_action == BAN_ACT_BLOCK)
+#ifdef BAN_ACT_SOFT_BLOCK
+		    || ((cfg.ban_action == BAN_ACT_SOFT_BLOCK) && !IsLoggedIn(sptr))
+#endif
+		    )
+		{
+			sendnotice(sptr, "%s", cfg.ban_reason);
+			return 0;
+		} else {
+			ret = place_host_ban(sptr, cfg.ban_action, cfg.ban_reason, cfg.ban_time);
+			if (ret != 0)
+				return ret;
+			/* a return value of 0 means the user is exempted, so fallthrough.. */
+		}
+	}
+
+	return CallCmdoverride(ovr, cptr, sptr, parc, parv);
+}
+
+/*** rest is module and config stuff ****/
+
+MOD_TEST(antimixedutf8)
+{
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGTEST, 0, antimixedutf8_config_test);
+	return MOD_SUCCESS;
+}
+
+MOD_INIT(antimixedutf8)
+{
+	MARK_AS_OFFICIAL_MODULE(modinfo);
+	
+	init_config();
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGRUN, 0, antimixedutf8_config_run);
+	return MOD_SUCCESS;
+}
+
+MOD_LOAD(antimixedutf8)
+{
+	if (!CmdoverrideAdd(modinfo->handle, "PRIVMSG", override_msg))
+		return MOD_FAILED;
+
+	if (!CmdoverrideAdd(modinfo->handle, "NOTICE", override_msg))
+		return MOD_FAILED;
+
+	return MOD_SUCCESS;
+}
+
+MOD_UNLOAD(antimixedutf8)
+{
+	free_config();
+	return MOD_SUCCESS;
+}
+
+static void init_config(void)
+{
+	memset(&cfg, 0, sizeof(cfg));
+	/* Default values */
+	cfg.score = 10;
+	cfg.ban_reason = strdup("Possible mixed character spam");
+	cfg.ban_action = BAN_ACT_BLOCK;
+	cfg.ban_time = 60 * 60 * 4; /* irrelevant for block, but some default for others */
+}
+
+static void free_config(void)
+{
+	safefree(cfg.ban_reason);
+	memset(&cfg, 0, sizeof(cfg)); /* needed! */
+}
+
+int antimixedutf8_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
+{
+	int errors = 0;
+	ConfigEntry *cep;
+
+	if (type != CONFIG_SET)
+		return 0;
+	
+	/* We are only interrested in set::antimixedutf8... */
+	if (!ce || !ce->ce_varname || strcmp(ce->ce_varname, "antimixedutf8"))
+		return 0;
+	
+	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
+	{
+		if (!cep->ce_vardata)
+		{
+			config_error("%s:%i: set::antimixedutf8::%s with no value",
+				cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
+			errors++;
+		} else
+		if (!strcmp(cep->ce_varname, "score"))
+		{
+			int v = atoi(cep->ce_vardata);
+			if ((v < 1) || (v > 99))
+			{
+				config_error("%s:%i: set::antimixedutf8::score: must be between 1 - 99 (got: %d)",
+					cep->ce_fileptr->cf_filename, cep->ce_varlinenum, v);
+				errors++;
+			}
+		} else
+		if (!strcmp(cep->ce_varname, "ban-action"))
+		{
+			if (!banact_stringtoval(cep->ce_vardata))
+			{
+				config_error("%s:%i: set::antimixedutf8::ban-action: unknown action '%s'",
+					cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_vardata);
+				errors++;
+			}
+		} else
+		if (!strcmp(cep->ce_varname, "ban-reason"))
+		{
+		} else
+		if (!strcmp(cep->ce_varname, "ban-time"))
+		{
+		} else
+		{
+			config_error("%s:%i: unknown directive set::antimixedutf8::%s",
+				cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
+			errors++;
+		}
+	}
+	*errs = errors;
+	return errors ? -1 : 1;
+}
+
+int antimixedutf8_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
+{
+	ConfigEntry *cep;
+
+	if (type != CONFIG_SET)
+		return 0;
+	
+	/* We are only interrested in set::antimixedutf8... */
+	if (!ce || !ce->ce_varname || strcmp(ce->ce_varname, "antimixedutf8"))
+		return 0;
+	
+	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
+	{
+		if (!strcmp(cep->ce_varname, "score"))
+		{
+			cfg.score = atoi(cep->ce_vardata);
+		} else
+		if (!strcmp(cep->ce_varname, "ban-action"))
+		{
+			cfg.ban_action = banact_stringtoval(cep->ce_vardata);
+		} else
+		if (!strcmp(cep->ce_varname, "ban-reason"))
+		{
+			if (cfg.ban_reason)
+				MyFree(cfg.ban_reason);
+			cfg.ban_reason = strdup(cep->ce_vardata);
+		} else
+		if (!strcmp(cep->ce_varname, "ban-time"))
+		{
+			cfg.ban_time = config_checkval(cep->ce_vardata, CFG_TIME);
+		}
+	}
+	return 1;
+}

src/modules/antirandom.c

@@ -46,29 +46,10 @@ ModuleHeader MOD_HEADER(antirandom)
  #define MAX(x,y) ((x) > (y) ? (x) : (y))
 #endif
 
-#ifndef _WIN32
-typedef struct {
-    char *regex;
-    int score;
-} ScoreTable;
-#endif
-
 #ifndef BAN_ACT_WARN
  #define BAN_ACT_WARN 11
 #endif
 
-#ifndef _WIN32
-/* You can define regexes here.. the format is:
- * {"<REGEX>", SCORE},
- */
-ScoreTable regex_scores[] = {
-	/* These have all been moved to internal digit/vowel/consonant checks.
-	 * But I've left the regex ability here, in case someone else uses it.
-	 */
-	{NULL, 0}
-};
-#endif
-
 /* "<char1><char2>" followed by "<rest>" */
 static char *triples_txt[] = {
 	"aj", "fqtvxz",
@@ -513,19 +494,6 @@ static char *triples_txt[] = {
 	NULL, NULL
 };
 
-#ifndef _WIN32
-/* Used for parsed sregexes */
-typedef struct _regexlist RegexList;
-struct _regexlist {
-	RegexList *next;
-	regex_t regex;
-#ifdef DEBUGMODE
-	char *regextxt;
-#endif
-	int score;
-};
-#endif
-
 /* Used for parsed triples: */
 #define TRIPLES_REST_SIZE	32
 typedef struct _triples Triples;
@@ -535,9 +503,6 @@ struct _triples {
 	char rest[TRIPLES_REST_SIZE];
 };
 
-#ifndef _WIN32
-RegexList *sregexes = NULL;
-#endif
 Triples *triples = NULL;
 
 struct {
@@ -561,7 +526,6 @@ struct {
 
 /* Forward declarations */
 static int init_stuff(void);
-static int init_sregexes(void);
 static int init_triples(void);
 static void free_stuff(void);
 static void free_config(void);
@@ -619,8 +583,8 @@ MOD_UNLOAD(antirandom)
 /* Sends a message to all (local) opers AND logs to the ircdlog (as LOG_ERROR) */
 static void multi_log(char *fmt, ...)
 {
-va_list vl;
-static char buf[2048];
+	va_list vl;
+	static char buf[2048];
 
 	va_start(vl, fmt);
 	vsnprintf(buf, sizeof(buf), fmt, vl);
@@ -640,8 +604,8 @@ static void free_config(void)
 
 int antirandom_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 {
-int errors = 0;
-ConfigEntry *cep;
+	int errors = 0;
+	ConfigEntry *cep;
 
 	if (type != CONFIG_SET)
 		return 0;
@@ -652,12 +616,6 @@ ConfigEntry *cep;
 	
 	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
 	{
-		if (!cep->ce_varname)
-		{
-			config_error("%s:%i: blank set::antirandom item",
-				cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
-			errors++;
-		} else
 		if (!strcmp(cep->ce_varname, "except-hosts"))
 		{
 		} else
@@ -781,7 +739,7 @@ int antirandom_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
 
 int antirandom_config_posttest(int *errs)
 {
-int errors = 0;
+	int errors = 0;
 
 	if (!req.threshold) { config_error("set::antirandom::threshold missing"); errors++; }
 	if (!req.ban_action) { config_error("set::antirandom::ban-action missing"); errors++; }
@@ -794,64 +752,17 @@ int errors = 0;
 
 static int init_stuff(void)
 {
-	if (!init_sregexes() || !init_triples())
+	if (!init_triples())
 		return 0;
 	return 1;
 }
 
-/** Initializes the sregexes regex list */
-static int init_sregexes(void)
-{
-#ifndef _WIN32
-ScoreTable *s = &regex_scores[0];
-RegexList *e, *last=NULL;
-int cnt=0, n;
-char *res;
-
-	for (s=&regex_scores[0]; s->regex; s++)
-	{
-		cnt++;
-		e = MyMallocEx(sizeof(RegexList));
-		/* validate regex */
-		res = unreal_checkregex(s->regex, 0, 1);
-		if (res)
-		{
-			config_error("init_sregexes: sregexes_txt contains invalid regex (nr %d): %s",
-				cnt, res);
-			return 0;
-		}
-		/* parse regex here (should go fine, checked above) */
-		n = regcomp(&e->regex, s->regex, REG_ICASE|REG_EXTENDED);
-		if (n)
-		{
-			/* should never happen (yes I'm too lazy to get the errormsg) */
-			config_error("init_sregexes: weird regcomp() failure: item=%d, errorcode=%d, aborting...",
-				cnt, n);
-			return 0;
-		}
-#ifdef DEBUGMODE
-		e->regextxt = strdup(s->regex);
-#endif
-
-		e->score = s->score;
-
-		/* Append at end of list (to keep it in order, not importent yet, but..) */
-		if (last)
-			last->next = e;
-		else
-			sregexes = e; /*(head)*/
-		last = e;
-	}
-#endif
-	return 1;
-}
-
 /** Initializes the triples list. */
 static int init_triples(void)
 {
-char **s;
-Triples *e, *last=NULL;
-int cnt=0;
+	char **s;
+	Triples *e, *last=NULL;
+	int cnt=0;
 
 	for (s=triples_txt; *s; s++)
 	{
@@ -892,32 +803,16 @@ int cnt=0;
 /** Run the actual tests over this string.
  * There are 3 tests:
  * - weird chars (not used)
- * - sregexes (easy stuff)
+ * - sregexes (not used)
  * - triples (three-letter combinations)
  */
 static int internal_getscore(char *str)
 {
-#ifndef _WIN32
-RegexList *r;
-#endif
-Triples *t;
-register char *s;
-int score = 0;
-int highest_vowels=0, highest_consonants=0, highest_digits=0;
-int vowels=0, consonants=0, digits=0;
-
-#ifndef _WIN32
-	for (r=sregexes; r; r=r->next)
-	{
-		if (!regexec(&r->regex, str, 0, NULL, 0))
-		{
-			score += r->score; /* note: in the draft this returns the # of occurances, not 1 */
-#ifdef DEBUGMODE
-			multi_log("score@'%s': MATCH for '%s'", str, r->regextxt);
-#endif
-		}
-	}
-#endif
+	Triples *t;
+	register char *s;
+	int score = 0;
+	int highest_vowels=0, highest_consonants=0, highest_digits=0;
+	int vowels=0, consonants=0, digits=0;
 
 	/* Fast digit/consonant/vowel checks... */
 	for (s=str; *s; s++)
@@ -988,7 +883,7 @@ int vowels=0, consonants=0, digits=0;
 
 void strtolower_safe(char *dst, char *src, int size)
 {
-int i;
+	int i;
 
 	if (!size)
 		return; /* size of 0 is unworkable */
@@ -1007,13 +902,13 @@ int i;
  */
 static int get_spam_score(aClient *sptr)
 {
-char *nick = sptr->name;
-char *user = sptr->user->username;
-char *gecos = sptr->info;
-char nbuf[NICKLEN+1], ubuf[USERLEN+1], rbuf[REALLEN+1];
-int nscore, uscore, gscore, score;
+	char *nick = sptr->name;
+	char *user = sptr->user->username;
+	char *gecos = sptr->info;
+	char nbuf[NICKLEN+1], ubuf[USERLEN+1], rbuf[REALLEN+1];
+	int nscore, uscore, gscore, score;
 #ifdef TIMING
-struct timeval tv_alpha, tv_beta;
+	struct timeval tv_alpha, tv_beta;
 
 	gettimeofday(&tv_alpha, NULL);
 #endif
@@ -1075,7 +970,7 @@ void check_all_users(void)
 
 int antirandom_preconnect(aClient *sptr)
 {
-int score;
+	int score;
 
 	if (!is_exempt(sptr))
 	{
@@ -1099,24 +994,7 @@ int score;
 
 static void free_stuff(void)
 {
-#ifndef _WIN32
-RegexList *r, *r_next;
-#endif
-Triples *t, *t_next;
-
-#ifndef _WIN32
-	for (r=sregexes; r; r=r_next)
-	{
-		r_next = r->next;
-		regfree(&r->regex);
-#ifdef DEBUGMODE
-		if (r->regextxt)
-			MyFree(r->regextxt);
-#endif
-		MyFree(r);
-	}
-	sregexes = NULL;
-#endif
+	Triples *t, *t_next;
 
 	for (t=triples; t; t=t_next)
 	{

src/modules/authprompt.c

@@ -0,0 +1,523 @@
+/*
+ * Auth prompt: SASL authentication for clients that don't support SASL
+ * (C) Copyright 2018 Bram Matthys ("Syzop") and the UnrealIRCd team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 1, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "unrealircd.h"
+
+ModuleHeader MOD_HEADER(authprompt)
+= {
+	"authprompt",
+	"1.0",
+	"SASL authentication for clients that don't support SASL",
+	"3.2-b8-1",
+	NULL 
+};
+
+typedef struct _multiline MultiLine;
+struct _multiline {
+	MultiLine *prev, *next;
+	char *line;
+};
+
+/** Configuration settings */
+struct {
+	int enabled;
+	MultiLine *message;
+	MultiLine *fail_message;
+} cfg;
+
+/** User struct */
+typedef struct _apuser APUser;
+struct _apuser {
+	char *authmsg;
+};
+
+/* Global variables */
+ModDataInfo *authprompt_md = NULL;
+
+/* Forward declarations */
+static void free_config(void);
+static void init_config(void);
+static void config_postdefaults(void);
+int authprompt_config_test(ConfigFile *, ConfigEntry *, int, int *);
+int authprompt_config_run(ConfigFile *, ConfigEntry *, int);
+int authprompt_require_sasl(aClient *acptr, char *reason);
+int authprompt_sasl_continuation(aClient *acptr, char *buf);
+int authprompt_sasl_result(aClient *acptr, int success);
+int authprompt_place_host_ban(aClient *sptr, int action, char *reason, long duration);
+int authprompt_find_tkline_match(aClient *sptr, aTKline *tk);
+int authprompt_pre_connect(aClient *sptr);
+CMD_FUNC(m_auth);
+void authprompt_md_free(ModData *md);
+
+/* Some macros */
+#define SetAPUser(x, y) do { moddata_client(x, authprompt_md).ptr = y; } while(0)
+#define SEUSER(x)       ((APUser *)moddata_client(x, authprompt_md).ptr)
+#define AGENT_SID(agent_p)      (agent_p->user != NULL ? agent_p->user->server : agent_p->name)
+
+MOD_TEST(authprompt)
+{
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGTEST, 0, authprompt_config_test);
+	return MOD_SUCCESS;
+}
+
+MOD_INIT(authprompt)
+{
+	ModDataInfo mreq;
+
+	MARK_AS_OFFICIAL_MODULE(modinfo);
+
+	memset(&mreq, 0, sizeof(mreq));
+	mreq.name = "authprompt";
+	mreq.type = MODDATATYPE_CLIENT;
+	mreq.free = authprompt_md_free;
+	authprompt_md = ModDataAdd(modinfo->handle, mreq);
+	if (!authprompt_md)
+	{
+		config_error("could not register authprompt moddata");
+		return MOD_FAILED;
+	}
+
+	init_config();
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGRUN, 0, authprompt_config_run);
+	HookAdd(modinfo->handle, HOOKTYPE_REQUIRE_SASL, 0, authprompt_require_sasl);
+	HookAdd(modinfo->handle, HOOKTYPE_SASL_CONTINUATION, 0, authprompt_sasl_continuation);
+	HookAdd(modinfo->handle, HOOKTYPE_SASL_RESULT, 0, authprompt_sasl_result);
+	HookAdd(modinfo->handle, HOOKTYPE_PLACE_HOST_BAN, 0, authprompt_place_host_ban);
+	HookAdd(modinfo->handle, HOOKTYPE_FIND_TKLINE_MATCH, 0, authprompt_find_tkline_match);
+	/* For HOOKTYPE_PRE_LOCAL_CONNECT we want a low priority, so we are called last.
+	 * This gives hooks like the one from the blacklist module (pending softban)
+	 * a chance to be handled first.
+	 */
+	HookAdd(modinfo->handle, HOOKTYPE_PRE_LOCAL_CONNECT, -1000000, authprompt_pre_connect);
+	CommandAdd(modinfo->handle, "AUTH", m_auth, 1, M_UNREGISTERED);
+	return MOD_SUCCESS;
+}
+
+MOD_LOAD(authprompt)
+{
+	config_postdefaults();
+	return MOD_SUCCESS;
+}
+
+MOD_UNLOAD(authprompt)
+{
+	free_config();
+	return MOD_SUCCESS;
+}
+
+static void init_config(void)
+{
+	/* This sets some default values */
+	memset(&cfg, 0, sizeof(cfg));
+	cfg.enabled = 0;
+}
+
+static void addmultiline(MultiLine **l, char *line)
+{
+	MultiLine *m = MyMallocEx(sizeof(MultiLine));
+	m->line = strdup(line);
+	append_ListItem((ListStruct *)m, (ListStruct **)l);
+}
+
+static void freemultiline(MultiLine *l)
+{
+	MultiLine *l_next;
+	for (; l; l = l_next)
+	{
+		l_next = l->next;
+		safefree(l->line);
+		MyFree(l);
+	}
+}
+
+static void config_postdefaults(void)
+{
+	if (!cfg.message)
+	{
+		addmultiline(&cfg.message, "The server requires clients from this IP address to authenticate with a registered nickname and password.");
+		addmultiline(&cfg.message, "Please reconnect using SASL, or authenticate now by typing: /QUOTE AUTH nick:password");
+	}
+	if (!cfg.fail_message)
+	{
+		addmultiline(&cfg.fail_message, "Authentication failed.");
+	}
+}
+
+static void free_config(void)
+{
+	freemultiline(cfg.message);
+	freemultiline(cfg.fail_message);
+	memset(&cfg, 0, sizeof(cfg)); /* needed! */
+}
+
+int authprompt_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
+{
+	int errors = 0;
+	ConfigEntry *cep;
+
+	if (type != CONFIG_SET)
+		return 0;
+
+	/* We are only interrested in set::authentication-prompt... */
+	if (!ce || !ce->ce_varname || strcmp(ce->ce_varname, "authentication-prompt"))
+		return 0;
+
+	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
+	{
+		if (!cep->ce_vardata)
+		{
+			config_error("%s:%i: set::authentication-prompt::%s with no value",
+				cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
+			errors++;
+		} else
+		if (!strcmp(cep->ce_varname, "enabled"))
+		{
+		} else
+		if (!strcmp(cep->ce_varname, "message"))
+		{
+		} else
+		if (!strcmp(cep->ce_varname, "fail-message"))
+		{
+		} else
+		{
+			config_error("%s:%i: unknown directive set::authentication-prompt::%s",
+				cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
+			errors++;
+		}
+	}
+	*errs = errors;
+	return errors ? -1 : 1;
+}
+
+int authprompt_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
+{
+	ConfigEntry *cep;
+
+	if (type != CONFIG_SET)
+		return 0;
+
+	/* We are only interrested in set::authentication-prompt... */
+	if (!ce || !ce->ce_varname || strcmp(ce->ce_varname, "authentication-prompt"))
+		return 0;
+
+	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
+	{
+		if (!strcmp(cep->ce_varname, "enabled"))
+		{
+			cfg.enabled = config_checkval(cep->ce_vardata, CFG_YESNO);
+		} else
+		if (!strcmp(cep->ce_varname, "message"))
+		{
+			addmultiline(&cfg.message, cep->ce_vardata);
+		} else
+		if (!strcmp(cep->ce_varname, "fail-message"))
+		{
+			addmultiline(&cfg.fail_message, cep->ce_vardata);
+		}
+	}
+	return 1;
+}
+
+void authprompt_md_free(ModData *md)
+{
+	APUser *se = md->ptr;
+
+	if (se)
+	{
+		safefree(se->authmsg);
+		MyFree(se);
+		md->ptr = se = NULL;
+	}
+}
+
+/** Parse an authentication request from the user (form: <user>:<pass>).
+ * @param str      The input string with the request.
+ * @param username Pointer to the username string.
+ * @param password Pointer to the password string.
+ * @retval 1 if the format is correct, 0 if not.
+ * @notes The returned 'username' and 'password' are valid until next call to parse_nickpass().
+ */
+int parse_nickpass(const char *str, char **username, char **password)
+{
+	static char buf[250];
+	char *p;
+
+	strlcpy(buf, str, sizeof(buf));
+
+	p = strchr(buf, ':');
+	if (!p)
+		return 0;
+
+	*p++ = '\0';
+	*username = buf;
+	*password = p;
+
+	if (!*username[0] || !*password[0])
+		return 0;
+
+	return 1;
+}
+
+/* NOTE: This function is stolen from m_sasl. Not good. */
+static const char *encode_puid(aClient *client)
+{
+	static char buf[HOSTLEN + 20];
+
+	/* create a cookie if necessary (and in case getrandom16 returns 0, then run again) */
+	while (!client->local->sasl_cookie)
+		client->local->sasl_cookie = getrandom16();
+
+	snprintf(buf, sizeof buf, "%s!0.%d", me.name, client->local->sasl_cookie);
+
+	return buf;
+}
+
+char *make_authbuf(const char *username, const char *password)
+{
+	char inbuf[256];
+	static char outbuf[512];
+	int size;
+
+	size = strlen(username) + 1 + strlen(username) + 1 + strlen(password);
+	if (size >= sizeof(inbuf))
+		return NULL; /* too long */
+
+	/* Because size limits are already checked above, we can cut some corners here: */
+	memset(inbuf, 0, sizeof(inbuf));
+	strcpy(inbuf, username);
+	strcpy(inbuf+strlen(username)+1, username);
+	strcpy(inbuf+strlen(username)+1+strlen(username)+1, password);
+	/* ^ normal people use stpcpy here ;) */
+
+	if (b64_encode(inbuf, size, outbuf, sizeof(outbuf)) < 0)
+		return NULL; /* base64 encoding error */
+
+	return outbuf;
+}
+
+/** Send first SASL authentication request (AUTHENTICATE PLAIN).
+ * Among other things, this is used to discover the agent
+ * which will later be used for this session.
+ */
+void send_first_auth(aClient *sptr)
+{
+	aClient *acptr;
+	char *addr = BadPtr(sptr->ip) ? "0" : sptr->ip;
+	char *certfp = moddata_client_get(sptr, "certfp");
+	acptr = find_client(SASL_SERVER, NULL);
+	if (!acptr)
+	{
+		/* Services down. */
+		return;
+	}
+
+	sendto_one(acptr, ":%s SASL %s %s H %s %s",
+	    me.name, SASL_SERVER, encode_puid(sptr), addr, addr);
+
+	if (certfp)
+		sendto_one(acptr, ":%s SASL %s %s S %s %s",
+		    me.name, SASL_SERVER, encode_puid(sptr), "PLAIN", certfp);
+	else
+		sendto_one(acptr, ":%s SASL %s %s S %s",
+		    me.name, SASL_SERVER, encode_puid(sptr), "PLAIN");
+
+	/* The rest is sent from authprompt_sasl_continuation() */
+
+	sptr->local->sasl_out++;
+}
+
+CMD_FUNC(m_auth)
+{
+	char *username = NULL;
+	char *password = NULL;
+	char *authbuf;
+
+	if (!SEUSER(sptr))
+	{
+		if (CHECKPROTO(sptr, PROTO_SASL))
+			sendnotice(sptr, "ERROR: Cannot use /AUTH when your client is doing SASL.");
+		else
+			sendnotice(sptr, "ERROR: /AUTH authentication request received before authentication prompt (too early!)");
+		return 0;
+	}
+
+	if ((parc < 2) || BadPtr(parv[1]) || !parse_nickpass(parv[1], &username, &password))
+	{
+		sendnotice(sptr, "ERROR: Syntax is: /AUTH <nickname>:<password>");
+		sendnotice(sptr, "Example: /AUTH mynick:secretpass");
+		return 0;
+	}
+
+	if (!SASL_SERVER)
+	{
+		sendnotice(sptr, "ERROR: SASL is not configured on this server, or services are down.");
+		// numeric instead? SERVICESDOWN?
+		return 0;
+	}
+
+	/* Presumably if the user is really fast, this could happen.. */
+	if (*sptr->local->sasl_agent || SEUSER(sptr)->authmsg)
+	{
+		sendnotice(sptr, "ERROR: Previous authentication request is still in progress. Please wait.");
+		return 0;
+	}
+
+	authbuf = make_authbuf(username, password);
+	if (!authbuf)
+	{
+		sendnotice(sptr, "ERROR: Internal error. Oversized username/password?");
+		return 0;
+	}
+
+	safestrdup(SEUSER(sptr)->authmsg, authbuf);
+
+	send_first_auth(sptr);
+
+	return 0;
+}
+
+void send_multinotice(aClient *sptr, MultiLine *m)
+{
+	for (; m; m = m->next)
+		sendnotice(sptr, "%s", m->line);
+}
+
+void authprompt_tag_as_auth_required(aClient *sptr)
+{
+	/* Allocate, and therefore indicate, that we are going to handle SASL for this user */
+	if (!SEUSER(sptr))
+		SetAPUser(sptr, MyMallocEx(sizeof(APUser)));
+}
+
+void authprompt_send_auth_required_message(aClient *sptr)
+{
+	/* Display set::authentication-prompt::message */
+	send_multinotice(sptr, cfg.message);
+}
+
+int authprompt_require_sasl(aClient *sptr, char *reason)
+{
+	/* If the client did SASL then we (authprompt) will not kick in */
+	if (CHECKPROTO(sptr, PROTO_SASL))
+		return 0;
+
+	authprompt_tag_as_auth_required(sptr);
+
+	/* Display the require authentication::reason */
+	if (reason)
+		sendnotice(sptr, "%s", reason);
+
+	authprompt_send_auth_required_message(sptr);
+
+	return 1;
+}
+
+/* Called upon "place a host ban on this user" (eg: spamfilter, blacklist, ..) */
+int authprompt_place_host_ban(aClient *sptr, int action, char *reason, long duration)
+{
+	/* If it's a soft-xx action and the user is not logged in
+	 * and the user is not yet online, then we will handle this user.
+	 */
+	if (IsSoftBanAction(action) && !IsLoggedIn(sptr) && !IsPerson(sptr))
+	{
+		/* Send ban reason */
+		if (reason)
+			sendnotice(sptr, "%s", reason);
+
+		/* And tag the user */
+		authprompt_tag_as_auth_required(sptr);
+		return 0; /* pretend user is exempt */
+	}
+	return 99; /* no action taken, proceed normally */
+}
+
+/** Called upon "check for KLINE/GLINE" */
+int authprompt_find_tkline_match(aClient *sptr, aTKline *tk)
+{
+	/* If it's a soft-xx action and the user is not logged in
+	 * and the user is not yet online, then we will handle this user.
+	 */
+	if ((tk->subtype & TKL_SUBTYPE_SOFT) && !IsLoggedIn(sptr) && !IsPerson(sptr))
+	{
+		/* Send ban reason */
+		if (tk->reason)
+			sendnotice(sptr, "%s", tk->reason);
+
+		/* And tag the user */
+		authprompt_tag_as_auth_required(sptr);
+		return 0; /* pretend user is exempt */
+	}
+	return 99; /* no action taken, proceed normally */
+}
+
+int authprompt_pre_connect(aClient *sptr)
+{
+	/* If the user is tagged as auth required and not logged in, then.. */
+	if (SEUSER(sptr) && !IsLoggedIn(sptr))
+	{
+		authprompt_send_auth_required_message(sptr);
+		return -1; /* do not process register_user() */
+	}
+
+	return 0; /* no action taken, proceed normally */
+}
+
+int authprompt_sasl_continuation(aClient *sptr, char *buf)
+{
+	/* If it's not for us (eg: user is doing real SASL) then return 0. */
+	if (!SEUSER(sptr) || !SEUSER(sptr)->authmsg)
+		return 0;
+
+	if (!strcmp(buf, "+"))
+	{
+		aClient *agent = find_client(sptr->local->sasl_agent, NULL);
+		if (agent)
+		{
+			sendto_one(agent, ":%s SASL %s %s C %s",
+				me.name, AGENT_SID(agent), encode_puid(sptr), SEUSER(sptr)->authmsg);
+		}
+		SEUSER(sptr)->authmsg = NULL;
+	}
+	return 1; /* inhibit displaying of message */
+}
+
+int authprompt_sasl_result(aClient *sptr, int success)
+{
+	/* If it's not for us (eg: user is doing real SASL) then return 0. */
+	if (!SEUSER(sptr))
+		return 0;
+
+	if (!success)
+	{
+		send_multinotice(sptr, cfg.fail_message);
+		return 1;
+	}
+
+	/* Authentication was a success */
+	if (*sptr->name && sptr->user && *sptr->user->username && IsNotSpoof(sptr))
+	{
+		register_user(sptr, sptr, sptr->name, sptr->user->username, NULL, NULL, NULL);
+		/* NOTE: register_user() may return FLUSH_BUFFER here, but since the caller
+		 * won't continue processing (won't touch 'sptr') it's safe.
+		 * That is, as long as we 'return 1'.
+		 */
+	}
+
+	return 1; /* inhibit success/failure message */
+}

src/modules/blacklist.c

@@ -23,7 +23,7 @@
 ModuleHeader MOD_HEADER(blacklist)
 = {
 	"blacklist",
-	"4.0",
+	"4.2",
 	"Check connecting users against DNS Blacklists",
 	"3.2-b8-1",
 	NULL
@@ -76,6 +76,7 @@ struct _blacklist {
 typedef struct _bluser BLUser;
 struct _bluser {
 	aClient *cptr;
+	int is_ipv6;
 	int refcnt;
 	/* The following save_* fields are used by softbans: */
 	int save_action;
@@ -241,7 +242,7 @@ int blacklist_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 	if (type != CONFIG_MAIN)
 		return 0;
 	
-	if (!ce || !ce->ce_varname)
+	if (!ce)
 		return 0;
 	
 	if (strcmp(ce->ce_varname, "blacklist"))
@@ -258,12 +259,6 @@ int blacklist_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 	/* Now actually go parse the blacklist { } block */
 	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
 	{
-		if (!cep->ce_varname)
-		{
-			config_error_blank(cep->ce_fileptr->cf_filename, cep->ce_varlinenum, "blacklist");
-			errors++;
-			continue;
-		}
 		if (!strcmp(cep->ce_varname, "dns"))
 		{
 			for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next)
@@ -279,7 +274,7 @@ int blacklist_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 						errors++;
 						continue;
 					}
-					if (!cepp->ce_vardata && !(cepp->ce_entries && cepp->ce_entries->ce_varname))
+					if (!cepp->ce_vardata && !cepp->ce_entries)
 					{
 						config_error_blank(cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, "blacklist::dns::reply");
 						errors++;
@@ -332,7 +327,7 @@ int blacklist_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 							cepp->ce_varlinenum, "blacklist::dns::name");
 					}
 					has_dns_name = 1;
-				}
+				} else
 				if (!strcmp(cepp->ce_varname, "type"))
 				{
 					if (has_dns_type)
@@ -604,6 +599,7 @@ int blacklist_dns_request(aClient *cptr, Blacklist *d)
 	{
 		int i, j;
 		/* IPv6 */
+		BLUSER(cptr)->is_ipv6 = 1;
 		if (sscanf(ip, "%x:%x:%x:%x:%x:%x:%x:%x",
 		    &e[0], &e[1], &e[2], &e[3], &e[4], &e[5], &e[6], &e[7]) != 8)
 		{
@@ -665,15 +661,20 @@ void blacklist_free_bluser_if_able(BLUser *bl)
 	MyFree(bl);
 }
 
-char *getdnsblname(char *p)
+char *getdnsblname(char *p, aClient *cptr)
 {
 int dots = 0;
-
+	int dots_count;
+	if(!cptr) return NULL;
+	if(BLUSER(cptr)->is_ipv6)
+		dots_count = 32;
+	else
+		dots_count = 4;
 	for (; *p; p++)
 		if (*p == '.')
 		{
 			dots++;
-			if (dots == 4)
+			if (dots == dots_count)
 				return p+1;
 		}
 	return NULL;
@@ -716,7 +717,7 @@ int blacklist_action(aClient *acptr, char *opernotice, int ban_action, char *ban
 void blacklist_hit(aClient *acptr, Blacklist *bl, int reply)
 {
 	char opernotice[512], banbuf[512];
-	char *name[4], *value[4];
+	const char *name[4], *value[4];
 	BLUser *blu = BLUSER(acptr);
 
 	if (find_tkline_match(acptr, 1) < 0)
@@ -762,7 +763,7 @@ void blacklist_process_result(aClient *acptr, int status, struct hostent *he)
 	if ((status != 0) || (he->h_length != 4) || !he->h_name)
 		return; /* invalid reply */
 	
-	domain = getdnsblname(he->h_name);
+	domain = getdnsblname(he->h_name, acptr);
 	if (!domain)
 		return; /* odd */
 	bl = blacklist_find_block_by_dns(domain);

src/modules/cap/Makefile.in

@@ -19,7 +19,7 @@
 
 CC = "==== DO NOT RUN MAKE FROM THIS DIRECTORY ===="
 
-INCLUDES = ../../include/auth.h ../../include/badwords.h ../../include/channel.h \
+INCLUDES = ../../include/auth.h ../../include/channel.h \
 	../../include/class.h ../../include/common.h ../../include/config.h ../../include/dbuf.h \
 	../../include/dynconf.h ../../include/fdlist.h ../../include/h.h \
 	../../include/hash.h ../../include/inet.h ../../include/ircsprintf.h \

src/modules/cap/link-security.c

@@ -26,7 +26,7 @@
 ModuleHeader MOD_HEADER(link_security)
   = {
 	"link-security",
-	"4.0",
+	"4.2",
 	"Link Security CAP",
 	"3.2-b8-1",
 	NULL 
@@ -127,7 +127,8 @@ int certificate_verification_active(aClient *acptr)
 		return 1; /* yes, verify-certificate is 'yes' */
 	
 	if ((conf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
-	    (conf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP))
+	    (conf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
+	    (conf->auth->type == AUTHTYPE_SPKIFP))
 	{
 		/* yes, verified by link::password being a
 		 * certificate fingerprint or certificate file.

src/modules/cap/plaintext-policy.c

@@ -25,7 +25,7 @@
 ModuleHeader MOD_HEADER(plaintext_policy)
   = {
 	"plaintext-policy",
-	"4.0",
+	"4.2",
 	"Plaintext Policy CAP",
 	"3.2-b8-1",
 	NULL 
@@ -57,9 +57,9 @@ char *plaintext_policy_capability_parameter(aClient *acptr)
 	static char buf[128];
 	
 	snprintf(buf, sizeof(buf), "user=%s,oper=%s,server=%s",
-             plaintextpolicy_valtostr(iConf.plaintext_policy_user),
-             plaintextpolicy_valtostr(iConf.plaintext_policy_oper),
-             plaintextpolicy_valtostr(iConf.plaintext_policy_server));
+             policy_valtostr(iConf.plaintext_policy_user),
+             policy_valtostr(iConf.plaintext_policy_oper),
+             policy_valtostr(iConf.plaintext_policy_server));
 	return buf;
 }
 

src/modules/cap/sts.c

@@ -25,7 +25,7 @@
 ModuleHeader MOD_HEADER(sts)
   = {
 	"sts",
-	"4.0",
+	"4.2",
 	"Strict Transport Security CAP", 
 	"3.2-b8-1",
 	NULL 

src/modules/certfp.c

@@ -14,7 +14,7 @@
 ModuleHeader MOD_HEADER(certfp)
   = {
 	"certfp",
-	"4.0",
+	"4.2",
 	"Certificate fingerprint",
 	"3.2-b8-1",
 	NULL 

src/modules/chanmodes/Makefile.in

@@ -80,11 +80,11 @@ link.so: link.c $(INCLUDES)
 	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
 		-o link.so link.c
 
-censor.so: censor.c $(INCLUDES) ../../include/badwords.h
+censor.so: censor.c $(INCLUDES)
 	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
 		-o censor.so censor.c
 
-delayjoin.so: delayjoin.c $(INCLUDES) ../../include/badwords.h
+delayjoin.so: delayjoin.c $(INCLUDES)
 	$(CC) $(CFLAGS) $(MODULEFLAGS) -DDYNAMIC_LINKING \
 		-o delayjoin.so delayjoin.c
 

src/modules/chanmodes/censor.c

@@ -9,7 +9,7 @@
 ModuleHeader MOD_HEADER(censor)
   = {
 	"chanmodes/censor",
-	"4.0",
+	"4.2",
 	"Channel Mode +G",
 	"3.2-b8-1",
 	NULL,
@@ -24,8 +24,8 @@ char *censor_pre_chanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
 char *censor_pre_local_part(aClient *sptr, aChannel *chptr, char *text);
 char *censor_pre_local_quit(aClient *sptr, char *text);
 
-DLLFUNC int censor_config_test(ConfigFile *, ConfigEntry *, int, int *);
-DLLFUNC int censor_config_run(ConfigFile *, ConfigEntry *, int);
+int censor_config_test(ConfigFile *, ConfigEntry *, int, int *);
+int censor_config_run(ConfigFile *, ConfigEntry *, int);
 
 ModuleInfo *ModInfo = NULL;
 
@@ -73,17 +73,13 @@ MOD_UNLOAD(censor)
 	for (badword = conf_badword_channel; badword; badword = next)
 	{
 		next = badword->next;
-		safefree(badword->word);
-		if (badword->replace)
-			safefree(badword->replace);
-		regfree(&badword->expr);
 		DelListItem(badword, conf_badword_channel);
-		MyFree(badword);
+		badword_config_free(badword);
 	}
 	return MOD_SUCCESS;
 }
 
-DLLFUNC int censor_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
+int censor_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 {
 	int errors = 0;
 	ConfigEntry *cep;
@@ -133,7 +129,7 @@ DLLFUNC int censor_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *e
 				continue;
 			}
 			has_word = 1;
-			if ((errbuf = unreal_checkregex(cep->ce_vardata,1,1)))
+			if ((errbuf = badword_config_check_regex(cep->ce_vardata,1,1)))
 			{
 				config_error("%s:%i: badword::%s contains an invalid regex: %s",
 					cep->ce_fileptr->cf_filename,
@@ -203,14 +199,10 @@ DLLFUNC int censor_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *e
 }
 
 
-DLLFUNC int censor_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
+int censor_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
 {
 	ConfigEntry *cep, *word = NULL;
 	ConfigItem_badword *ca;
-	char *tmp;
-	short regex = 0;
-	int regflags = 0;
-	int ast_l = 0, ast_r = 0;
 
 	if (type != CONFIG_MAIN)
 		return 0;
@@ -223,7 +215,6 @@ DLLFUNC int censor_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
 
 	ca = MyMallocEx(sizeof(ConfigItem_badword));
 	ca->action = BADWORD_REPLACE;
-	regflags = REG_ICASE|REG_EXTENDED;
 
 	for (cep = ce->ce_entries; cep; cep = cep->ce_next)
 	{
@@ -232,57 +223,20 @@ DLLFUNC int censor_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
 			if (!strcmp(cep->ce_vardata, "block"))
 			{
 				ca->action = BADWORD_BLOCK;
-				/* If it is set to just block, then we don't need to worry about
-				 * replacements 
-				 */
-				regflags |= REG_NOSUB;
 			}
 		}
 		else if (!strcmp(cep->ce_varname, "replace"))
 		{
 			safestrdup(ca->replace, cep->ce_vardata);
-		}
-		else if (!strcmp(cep->ce_varname, "word"))
+		} else
+		if (!strcmp(cep->ce_varname, "word"))
+		{
 			word = cep;
-	}
-	/* The fast badwords routine can do: "blah" "*blah" "blah*" and "*blah*",
-	 * in all other cases use regex.
-	 */
-	for (tmp = word->ce_vardata; *tmp; tmp++) {
-		if (!isalnum(*tmp) && !(*tmp >= 128)) {
-			if ((word->ce_vardata == tmp) && (*tmp == '*')) {
-				ast_l = 1; /* Asterisk at the left */
-				continue;
-			}
-			if ((*(tmp + 1) == '\0') && (*tmp == '*')) {
-				ast_r = 1; /* Asterisk at the right */
-				continue;
-			}
-			regex = 1;
-			break;
 		}
 	}
-	if (regex)
-	{
-		ca->type = BADW_TYPE_REGEX;
-		safestrdup(ca->word, word->ce_vardata);
-		regcomp(&ca->expr, ca->word, regflags);
-	}
-	else
-	{
-		char *tmpw;
-		ca->type = BADW_TYPE_FAST;
-		ca->word = tmpw = MyMallocEx(strlen(word->ce_vardata) - ast_l - ast_r + 1);
-		/* Copy except for asterisks */
-		for (tmp = word->ce_vardata; *tmp; tmp++)
-			if (*tmp != '*')
-				*tmpw++ = *tmp;
-		*tmpw = '\0';
-		if (ast_l)
-			ca->type |= BADW_TYPE_FAST_L;
-		if (ast_r)
-			ca->type |= BADW_TYPE_FAST_R;
-	}
+
+	badword_config_process(ca, word->ce_vardata);
+
 	if (!strcmp(ce->ce_vardata, "channel"))
 		AddListItem(ca, conf_badword_channel);
 	else if (!strcmp(ce->ce_vardata, "all"))
@@ -294,223 +248,6 @@ DLLFUNC int censor_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
 	return 1;
 }
 
-static inline int fast_badword_match(ConfigItem_badword *badword, char *line)
-{
- 	char *p;
-	int bwlen = strlen(badword->word);
-	if ((badword->type & BADW_TYPE_FAST_L) && (badword->type & BADW_TYPE_FAST_R))
-		return (our_strcasestr(line, badword->word) ? 1 : 0);
-
-	p = line;
-	while((p = our_strcasestr(p, badword->word)))
-	{
-		if (!(badword->type & BADW_TYPE_FAST_L))
-		{
-			if ((p != line) && !iswseperator(*(p - 1))) /* aaBLA but no *BLA */
-				goto next;
-		}
-		if (!(badword->type & BADW_TYPE_FAST_R))
-		{
-			if (!iswseperator(*(p + bwlen)))  /* BLAaa but no BLA* */
-				goto next;
-		}
-		/* Looks like it matched */
-		return 1;
-next:
-		p += bwlen;
-	}
-	return 0;
-}
-/* fast_badword_replace:
- * a fast replace routine written by Syzop used for replacing badwords.
- * searches in line for huntw and replaces it with replacew,
- * buf is used for the result and max is sizeof(buf).
- * (Internal assumptions: max > 0 AND max > strlen(line)+1)
- */
-static inline int fast_badword_replace(ConfigItem_badword *badword, char *line, char *buf, int max)
-{
-/* Some aliases ;P */
-char *replacew = badword->replace ? badword->replace : REPLACEWORD;
-char *pold = line, *pnew = buf; /* Pointers to old string and new string */
-char *poldx = line;
-int replacen = -1; /* Only calculated if needed. w00t! saves us a few nanosecs? lol */
-int searchn = -1;
-char *startw, *endw;
-char *c_eol = buf + max - 1; /* Cached end of (new) line */
-int run = 1;
-int cleaned = 0;
-
-	Debug((DEBUG_NOTICE, "replacing %s -> %s in '%s'", badword->word, replacew, line));
-
-	while(run) {
-		pold = our_strcasestr(pold, badword->word);
-		if (!pold)
-			break;
-		if (replacen == -1)
-			replacen = strlen(replacew);
-		if (searchn == -1)
-			searchn = strlen(badword->word);
-		/* Hunt for start of word */
- 		if (pold > line) {
-			for (startw = pold; (!iswseperator(*startw) && (startw != line)); startw--);
-			if (iswseperator(*startw))
-				startw++; /* Don't point at the space/seperator but at the word! */
-		} else {
-			startw = pold;
-		}
-
-		if (!(badword->type & BADW_TYPE_FAST_L) && (pold != startw)) {
-			/* not matched */
-			pold++;
-			continue;
-		}
-
-		/* Hunt for end of word */
-		for (endw = pold; ((*endw != '\0') && (!iswseperator(*endw))); endw++);
-
-		if (!(badword->type & BADW_TYPE_FAST_R) && (pold+searchn != endw)) {
-			/* not matched */
-			pold++;
-			continue;
-		}
-
-		cleaned = 1; /* still too soon? Syzop/20050227 */
-
-		/* Do we have any not-copied-yet data? */
-		if (poldx != startw) {
-			int tmp_n = startw - poldx;
-			if (pnew + tmp_n >= c_eol) {
-				/* Partial copy and return... */
-				memcpy(pnew, poldx, c_eol - pnew);
-				*c_eol = '\0';
-				return 1;
-			}
-
-			memcpy(pnew, poldx, tmp_n);
-			pnew += tmp_n;
-		}
-		/* Now update the word in buf (pnew is now something like startw-in-new-buffer */
-
-		if (replacen) {
-			if ((pnew + replacen) >= c_eol) {
-				/* Partial copy and return... */
-				memcpy(pnew, replacew, c_eol - pnew);
-				*c_eol = '\0';
-				return 1;
-			}
-			memcpy(pnew, replacew, replacen);
-			pnew += replacen;
-		}
-		poldx = pold = endw;
-	}
-	/* Copy the last part */
-	if (*poldx) {
-		strncpy(pnew, poldx, c_eol - pnew);
-		*(c_eol) = '\0';
-	} else {
-		*pnew = '\0';
-	}
-	return cleaned;
-}
-
-/*
- * Returns a string, which has been filtered by the words loaded via
- * the loadbadwords() function.  It's primary use is to filter swearing
- * in both private and public messages
- */
-
-char *stripbadwords(char *str, ConfigItem_badword *start_bw, int *blocked)
-{
-	regmatch_t pmatch[MAX_MATCH];
-	static char cleanstr[4096];
-	char buf[4096];
-	char *ptr;
-	int  matchlen, m, stringlen, cleaned;
-	ConfigItem_badword *this_word;
-	
-	*blocked = 0;
-
-	if (!start_bw)
-		return str;
-
-	/*
-	 * work on a copy
-	 */
-	stringlen = strlcpy(cleanstr, StripControlCodes(str), sizeof cleanstr);
-	memset(&pmatch, 0, sizeof pmatch);
-	matchlen = 0;
-	buf[0] = '\0';
-	cleaned = 0;
-
-	for (this_word = start_bw; this_word; this_word = this_word->next)
-	{
-		if (this_word->type & BADW_TYPE_FAST)
-		{
-			if (this_word->action == BADWORD_BLOCK)
-			{
-				if (fast_badword_match(this_word, cleanstr))
-				{
-					*blocked = 1;
-					return NULL;
-				}
-			}
-			else
-			{
-				int n;
-				/* fast_badword_replace() does size checking so we can use 512 here instead of 4096 */
-				n = fast_badword_replace(this_word, cleanstr, buf, 512);
-				if (!cleaned && n)
-					cleaned = n;
-				strcpy(cleanstr, buf);
-				memset(buf, 0, sizeof(buf)); /* regexp likes this somehow */
-			}
-		} else
-		if (this_word->type & BADW_TYPE_REGEX)
-		{
-			if (this_word->action == BADWORD_BLOCK)
-			{
-				if (!regexec(&this_word->expr, cleanstr, 0, NULL, 0))
-				{
-					*blocked = 1;
-					return NULL;
-				}
-			}
-			else
-			{
-				ptr = cleanstr; /* set pointer to start of string */
-				while (regexec(&this_word->expr, ptr, MAX_MATCH, pmatch,0) != REG_NOMATCH)
-				{
-					if (pmatch[0].rm_so == -1)
-						break;
-					m = pmatch[0].rm_eo - pmatch[0].rm_so;
-					if (m == 0)
-						break; /* anti-loop */
-					cleaned = 1;
-					matchlen += m;
-					strlncat(buf, ptr, sizeof buf, pmatch[0].rm_so);
-					if (this_word->replace)
-						strlcat(buf, this_word->replace, sizeof buf); 
-					else
-						strlcat(buf, REPLACEWORD, sizeof buf);
-					ptr += pmatch[0].rm_eo;	/* Set pointer after the match pos */
-					memset(&pmatch, 0, sizeof(pmatch));
-				}
-
-				/* All the better to eat you with! */
-				strlcat(buf, ptr, sizeof buf);	
-				memcpy(cleanstr, buf, sizeof cleanstr);
-				memset(buf, 0, sizeof(buf));
-				if (matchlen == stringlen)
-					break;
-			}
-		}
-	}
-
-	cleanstr[511] = '\0'; /* cutoff, just to be sure */
-
-	return (cleaned) ? cleanstr : str;
-}
-
 char *stripbadwords_channel(char *str, int *blocked)
 {
 	return stripbadwords(str, conf_badword_channel, blocked);

src/modules/chanmodes/delayjoin.c

@@ -23,15 +23,15 @@ static Cmode *CmodePostDelayed = NULL;
 static Cmode_t EXTMODE_DELAYED;
 static Cmode_t EXTMODE_POST_DELAYED;
 
-DLLFUNC int visible_in_channel( aClient *cptr, aChannel *chptr);
-DLLFUNC int moded_check_part( aClient *cptr, aChannel *chptr);
-DLLFUNC int moded_join(aClient *cptr, aChannel *chptr);
-DLLFUNC int moded_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment);
-DLLFUNC int deny_all(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
-DLLFUNC int moded_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment);
-DLLFUNC int moded_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
+int visible_in_channel( aClient *cptr, aChannel *chptr);
+int moded_check_part( aClient *cptr, aChannel *chptr);
+int moded_join(aClient *cptr, aChannel *chptr);
+int moded_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment);
+int deny_all(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
+int moded_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment);
+int moded_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
                            char *modebuf, char *parabuf, time_t sendts, int samode);
-DLLFUNC char *moded_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
+char *moded_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
 char *moded_serialize(ModData *m);
 void moded_unserialize(char *str, ModData *m);
 
@@ -95,13 +95,13 @@ MOD_UNLOAD(delayjoin)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC void set_post_delayed(aChannel *chptr)
+void set_post_delayed(aChannel *chptr)
 {
 	chptr->mode.extmode |= EXTMODE_POST_DELAYED;
 	sendto_channel_butserv(chptr, &me, ":%s MODE %s +d", me.name, chptr->chname);
 }
 
-DLLFUNC void clear_post_delayed(aChannel *chptr)
+void clear_post_delayed(aChannel *chptr)
 {
 	chptr->mode.extmode &= ~EXTMODE_POST_DELAYED;
 	sendto_channel_butserv(chptr, &me, ":%s MODE %s -d", me.name, chptr->chname);
@@ -130,7 +130,7 @@ bool moded_user_invisible(aClient *cptr, aChannel *chptr)
 	return moded_member_invisible(find_member_link(chptr->members, cptr),chptr);
 }
 
-DLLFUNC bool channel_has_invisible_users(aChannel *chptr)
+bool channel_has_invisible_users(aChannel *chptr)
 {
 	Member* i;
 	for (i = chptr->members; i; i = i->next)
@@ -143,21 +143,21 @@ DLLFUNC bool channel_has_invisible_users(aChannel *chptr)
 	return false;
 }
 
-DLLFUNC bool channel_is_post_delayed(aChannel *chptr)
+bool channel_is_post_delayed(aChannel *chptr)
 {
 	if (chptr->mode.extmode & EXTMODE_POST_DELAYED)
 		return true;
 	return false;
 }
 
-DLLFUNC bool channel_is_delayed(aChannel *chptr)
+bool channel_is_delayed(aChannel *chptr)
 {
 	if (chptr->mode.extmode & EXTMODE_DELAYED)
 		return true;
 	return false;
 }
 
-DLLFUNC void clear_user_invisible(aChannel *chptr, aClient *sptr)
+void clear_user_invisible(aChannel *chptr, aClient *sptr)
 {
 	Member *i;
 	ModDataInfo *md;
@@ -194,7 +194,7 @@ DLLFUNC void clear_user_invisible(aChannel *chptr, aClient *sptr)
 	}
 }
 
-DLLFUNC void clear_user_invisible_announce(aChannel *chptr, aClient *sptr)
+void clear_user_invisible_announce(aChannel *chptr, aClient *sptr)
 {
 	Member *i;
 	char joinbuf[512];
@@ -223,7 +223,7 @@ DLLFUNC void clear_user_invisible_announce(aChannel *chptr, aClient *sptr)
 	}
 }
 
-DLLFUNC void set_user_invisible(aChannel *chptr, aClient *sptr)
+void set_user_invisible(aChannel *chptr, aClient *sptr)
 {
 	Member *m = find_member_link(chptr->members,sptr);
 	ModDataInfo *md;
@@ -240,19 +240,19 @@ DLLFUNC void set_user_invisible(aChannel *chptr, aClient *sptr)
 }
 
 
-DLLFUNC int deny_all(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
+int deny_all(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
 {
 	return EX_ALWAYS_DENY;
 }
 
 
-DLLFUNC int visible_in_channel(aClient *cptr, aChannel *chptr)
+int visible_in_channel(aClient *cptr, aChannel *chptr)
 {
 	return channel_is_delayed(chptr) && moded_user_invisible(cptr,chptr);
 }
 
 
-DLLFUNC int moded_join(aClient *cptr, aChannel *chptr)
+int moded_join(aClient *cptr, aChannel *chptr)
 {
 	if (channel_is_delayed(chptr))
 		set_user_invisible(chptr,cptr);
@@ -260,7 +260,7 @@ DLLFUNC int moded_join(aClient *cptr, aChannel *chptr)
 	return 0;
 }
 
-DLLFUNC int moded_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment)
+int moded_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment)
 {
 	if (channel_is_delayed(chptr) || channel_is_post_delayed(chptr))
 		clear_user_invisible(chptr,cptr);
@@ -268,7 +268,7 @@ DLLFUNC int moded_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comm
 	return 0;
 }
 
-DLLFUNC int moded_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment)
+int moded_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment)
 {
 	if (channel_is_delayed(chptr) || channel_is_post_delayed(chptr))
 		if (moded_user_invisible(acptr, chptr))
@@ -278,7 +278,7 @@ DLLFUNC int moded_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *c
 }
 
 
-DLLFUNC int moded_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
+int moded_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
                            char *modebuf, char *parabuf, time_t sendts, int samode)
 {
 	// Handle case where we just unset +D but have invisible users
@@ -356,7 +356,7 @@ DLLFUNC int moded_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
 	return 0;
 }
 
-DLLFUNC char *moded_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
+char *moded_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
 {
 
 	if ((channel_is_delayed(chptr) || channel_is_post_delayed(chptr)) && (moded_user_invisible(sptr,chptr)))

src/modules/chanmodes/floodprot.c

@@ -1,6 +1,7 @@
 /*
  * Channel Mode +f
- * (C) Copyright 2005-2014 Bram Matthys and The UnrealIRCd team.
+ * (C) Copyright 2005-2019 Bram Matthys and The UnrealIRCd team.
+ * License: GPLv2
  */
 
 #include "unrealircd.h"
@@ -25,6 +26,17 @@ ModuleHeader MOD_HEADER(floodprot)
 
 #define NUMFLD	6 /* 6 flood types */
 
+/** Configuration settings */
+struct {
+	unsigned char modef_default_unsettime;
+	unsigned char modef_max_unsettime;
+	long modef_boot_delay;
+} cfg;
+
+#define MODEF_DEFAULT_UNSETTIME		cfg.modef_default_unsettime
+#define MODEF_MAX_UNSETTIME		cfg.modef_max_unsettime
+#define MODEF_BOOT_DELAY		cfg.modef_boot_delay
+
 typedef struct SChanFloodProt ChanFloodProt;
 typedef struct SRemoveFld RemoveFld;
 
@@ -66,7 +78,10 @@ static int timedban_available = 0; /**< Set to 1 if extbans/timedban module is l
 #define IsFloodLimit(x)	((x)->mode.extmode & EXTMODE_FLOODLIMIT)
 
 /* Forward declarations */
+static void init_config(void);
 int floodprot_rehash_complete(void);
+int floodprot_config_test(ConfigFile *, ConfigEntry *, int, int *);
+int floodprot_config_run(ConfigFile *, ConfigEntry *, int);
 void floodprottimer_del(aChannel *chptr, char mflag);
 void floodprottimer_stopchantimers(aChannel *chptr);
 static inline char *chmodefstrhelper(char *buf, char t, char tdef, unsigned short l, unsigned char a, unsigned char r);
@@ -92,6 +107,13 @@ int floodprot_local_nickchange(aClient *sptr, char *oldnick);
 int floodprot_remote_nickchange(aClient *cptr, aClient *sptr, char *oldnick);
 int floodprot_chanmode_del(aChannel *chptr, int m);
 void userfld_free(ModData *md);
+int floodprot_stats(aClient *sptr, char *flag);
+
+MOD_TEST(floodprot)
+{
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGTEST, 0, floodprot_config_test);
+	return MOD_SUCCESS;
+}
 
 MOD_INIT(floodprot)
 {
@@ -115,6 +137,8 @@ MOD_INIT(floodprot)
 	creq.sjoin_check = cmodef_sjoin_check;
 	CmodeAdd(modinfo->handle, creq, &EXTMODE_FLOODLIMIT);
 
+	init_config();
+
 	memset(&mreq, 0, sizeof(mreq));
 	mreq.name = "floodprot";
 	mreq.type = MODDATATYPE_MEMBERSHIP;
@@ -122,7 +146,8 @@ MOD_INIT(floodprot)
 	mdflood = ModDataAdd(modinfo->handle, mreq);
 	if (!mdflood)
 	        abort();
-	
+
+	HookAdd(modinfo->handle, HOOKTYPE_CONFIGRUN, 0, floodprot_config_run);
 	HookAddPChar(modinfo->handle, HOOKTYPE_PRE_CHANMSG, 0, floodprot_pre_chanmsg);
 	HookAdd(modinfo->handle, HOOKTYPE_CHANMSG, 0, floodprot_post_chanmsg);
 	HookAdd(modinfo->handle, HOOKTYPE_KNOCK, 0, floodprot_knock);
@@ -133,6 +158,7 @@ MOD_INIT(floodprot)
 	HookAdd(modinfo->handle, HOOKTYPE_REMOTE_JOIN, 0, floodprot_join);
 	HookAdd(modinfo->handle, HOOKTYPE_CHANNEL_DESTROY, 0, cmodef_channel_destroy);
 	HookAdd(modinfo->handle, HOOKTYPE_REHASH_COMPLETE, 0, floodprot_rehash_complete);
+	HookAdd(modinfo->handle, HOOKTYPE_STATS, 0, floodprot_stats);
 	return MOD_SUCCESS;
 }
 
@@ -154,6 +180,99 @@ int floodprot_rehash_complete(void)
 	return 0;
 }
 
+static void init_config(void)
+{
+	/* This sets some default values */
+	memset(&cfg, 0, sizeof(cfg));
+	cfg.modef_default_unsettime = 0;
+	cfg.modef_max_unsettime = 60; /* 1 hour seems enough :p */
+	cfg.modef_boot_delay = 75;
+}
+
+int floodprot_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
+{
+	int errors = 0;
+
+	if (type != CONFIG_SET)
+		return 0;
+
+	if (!strcmp(ce->ce_varname, "modef-default-unsettime"))
+	{
+		if (!ce->ce_vardata)
+		{
+			config_error_empty(ce->ce_fileptr->cf_filename, ce->ce_varlinenum,
+				"set", ce->ce_varname);
+			errors++;
+		} else {
+			int v = atoi(ce->ce_vardata);
+			if ((v <= 0) || (v > 255))
+			{
+				config_error("%s:%i: set::modef-default-unsettime: value '%d' out of range (should be 1-255)",
+					ce->ce_fileptr->cf_filename, ce->ce_varlinenum, v);
+				errors++;
+			}
+		}
+	} else
+	if (!strcmp(ce->ce_varname, "modef-max-unsettime"))
+	{
+		if (!ce->ce_vardata)
+		{
+			config_error_empty(ce->ce_fileptr->cf_filename, ce->ce_varlinenum,
+				"set", ce->ce_varname);
+			errors++;
+		} else {
+			int v = atoi(ce->ce_vardata);
+			if ((v <= 0) || (v > 255))
+			{
+				config_error("%s:%i: set::modef-max-unsettime: value '%d' out of range (should be 1-255)",
+					ce->ce_fileptr->cf_filename, ce->ce_varlinenum, v);
+				errors++;
+			}
+		}
+	} else
+	if (!strcmp(ce->ce_varname, "modef-boot-delay"))
+	{
+		if (!ce->ce_vardata)
+		{
+			config_error_empty(ce->ce_fileptr->cf_filename, ce->ce_varlinenum,
+				"set", ce->ce_varname);
+			errors++;
+		} else {
+			long v = config_checkval(ce->ce_vardata, CFG_TIME);
+			if ((v < 0) || (v > 600))
+			{
+				config_error("%s:%i: set::modef-boot-delay: value '%ld' out of range (should be 0-600)",
+					ce->ce_fileptr->cf_filename, ce->ce_varlinenum, v);
+				errors++;
+			}
+		}
+	} else
+	{
+		/* Not handled by us */
+		return 0;
+	}
+
+	*errs = errors;
+	return errors ? -1 : 1;
+}
+
+int floodprot_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
+{
+	if (type != CONFIG_SET)
+		return 0;
+
+	if (!strcmp(ce->ce_varname, "modef-default-unsettime"))
+		cfg.modef_default_unsettime = (unsigned char)atoi(ce->ce_vardata);
+	else if (!strcmp(ce->ce_varname, "modef-max-unsettime"))
+		cfg.modef_max_unsettime = (unsigned char)atoi(ce->ce_vardata);
+	else if (!strcmp(ce->ce_varname, "modef-boot-delay"))
+		cfg.modef_boot_delay = config_checkval(ce->ce_vardata, CFG_TIME);
+	else
+		return 0; /* not handled by us */
+
+	return 1;
+}
+
 int cmodef_is_ok(aClient *sptr, aChannel *chptr, char mode, char *param, int type, int what)
 {
 	if ((type == EXCHK_ACCESS) || (type == EXCHK_ACCESS_ERR))
@@ -383,7 +502,7 @@ invalidsyntax:
 		return EX_DENY;
 	}
 
-	/* falltrough -- should not be used */
+	/* fallthrough -- should not be used */
 	return EX_DENY;
 }
 
@@ -820,13 +939,19 @@ int floodprot_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *parv[])
 	/* I'll explain this only once:
 	 * 1. if channel is +f
 	 * 2. local client OR synced server
-	 * 3. then, increase floodcounter
-	 * 4. if we reached the limit AND only if source was a local client.. do the action (+i).
-	 * Nr 4 is done because otherwise you would have a noticeflood with 'joinflood detected'
+	 * 3. server uptime more than XX seconds (if this information is available)
+	 * 4. is not a uline
+	 * 5. then, increase floodcounter
+	 * 6. if we reached the limit AND only if source was a local client.. do the action (+i).
+	 * Nr 6 is done because otherwise you would have a noticeflood with 'joinflood detected'
 	 * from all servers.
 	 */
-	if (IsFloodLimit(chptr) && (MyClient(sptr) || sptr->srvptr->serv->flags.synced) && 
-	    !IsULine(sptr) && do_floodprot(chptr, FLD_JOIN) && MyClient(sptr))
+	if (IsFloodLimit(chptr) &&
+	    (MyClient(sptr) || sptr->srvptr->serv->flags.synced) &&
+	    (sptr->srvptr->serv->boottime && (TStime() - sptr->srvptr->serv->boottime >= MODEF_BOOT_DELAY)) &&
+	    !IsULine(sptr) &&
+	    do_floodprot(chptr, FLD_JOIN) &&
+	    MyClient(sptr))
 	{
 		do_floodprot_action(chptr, FLD_JOIN, "join");
 	}
@@ -924,15 +1049,6 @@ int floodprot_post_chanmsg(aClient *sptr, aChannel *chptr, char *text, int notic
 	return 0;
 }
 
-#if 0
-int floodprot_remotejoin(aClient *cptr, aClient *acptr, aChannel *chptr, char *parv[])
-{
-	if (IsFloodLimit(chptr) && acptr->serv->flags.synced && !IsULine(acptr)) /* hope that's correctly copied? acptr/cptr fun */
-		do_floodprot(chptr, FLD_JOIN);
-	return 0;
-}
-#endif
-
 int floodprot_knock(aClient *sptr, aChannel *chptr)
 {
 	if (IsFloodLimit(chptr) && !IsULine(sptr) && do_floodprot(chptr, FLD_KNOCK) && MyClient(sptr))
@@ -1023,7 +1139,7 @@ int  check_for_chan_flood(aClient *sptr, aChannel *chptr)
 	ChanFloodProt *chp;
 	aUserFld *userfld;
 
-	if (ValidatePermissionsForPath("immune:channel:flood",sptr,NULL,chptr,NULL) || !IsFloodLimit(chptr) || is_skochanop(sptr, chptr))
+	if (ValidatePermissionsForPath("channel:override:flood",sptr,NULL,chptr,NULL) || !IsFloodLimit(chptr) || is_skochanop(sptr, chptr))
 		return 0;
 
 	if (!(lp = find_membership_link(sptr->user->channel, chptr)))
@@ -1369,3 +1485,12 @@ void userfld_free(ModData *md)
 {
 	MyFree(md->ptr);
 }
+
+int floodprot_stats(aClient *sptr, char *flag)
+{
+	sendto_one(sptr, ":%s %i %s :modef-default-unsettime: %hd", me.name, RPL_TEXT,
+			sptr->name, (unsigned short)MODEF_DEFAULT_UNSETTIME);
+	sendto_one(sptr, ":%s %i %s :modef-max-unsettime: %hd", me.name, RPL_TEXT,
+			sptr->name, (unsigned short)MODEF_MAX_UNSETTIME);
+	return 0;
+}

src/modules/chanmodes/issecure.c

@@ -31,7 +31,7 @@ CMD_FUNC(issecure);
 ModuleHeader MOD_HEADER(issecure)
   = {
 	"chanmodes/issecure",
-	"4.0",
+	"4.2",
 	"Channel Mode +Z", 
 	"3.2-b8-1",
 	NULL 
@@ -43,11 +43,11 @@ Cmode_t EXTCMODE_ISSECURE;
 
 int IsSecureJoin(aChannel *chptr);
 int modeZ_is_ok(aClient *sptr, aChannel *chptr, char mode, char *para, int checkt, int what);
-DLLFUNC int issecure_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *parv[]);
-DLLFUNC int issecure_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment);
-DLLFUNC int issecure_quit(aClient *acptr, char *comment);
-DLLFUNC int issecure_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment);
-DLLFUNC int issecure_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
+int issecure_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *parv[]);
+int issecure_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment);
+int issecure_quit(aClient *acptr, char *comment);
+int issecure_kick(aClient *cptr, aClient *sptr, aClient *acptr, aChannel *chptr, char *comment);
+int issecure_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
                              char *modebuf, char *parabuf, time_t sendts, int samode);
                              
 
@@ -178,7 +178,7 @@ void issecure_set(aChannel *chptr, aClient *sptr, int notice)
  *       so while they can be written shorter, they would only take longer to execute!
  */
 
-DLLFUNC int issecure_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *parv[])
+int issecure_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *parv[])
 {
 	/* Check only if chan already +zZ and the user joining is insecure (no need to count) */
 	if (IsSecureJoin(chptr) && IsSecureChanIndicated(chptr) && !IsSecureConnect(sptr) && !IsULine(sptr))
@@ -191,7 +191,7 @@ DLLFUNC int issecure_join(aClient *cptr, aClient *sptr, aChannel *chptr, char *p
 	return 0;
 }
 
-DLLFUNC int issecure_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment)
+int issecure_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *comment)
 {
 	/* Only care if chan is +z-Z and the user leaving is insecure, then count */
 	if (IsSecureJoin(chptr) && !IsSecureChanIndicated(chptr) && !IsSecureConnect(sptr) &&
@@ -200,7 +200,7 @@ DLLFUNC int issecure_part(aClient *cptr, aClient *sptr, aChannel *chptr, char *c
 	return 0;
 }
 
-DLLFUNC int issecure_quit(aClient *sptr, char *comment)
+int issecure_quit(aClient *sptr, char *comment)
 {
 Membership *membership;
 aChannel *chptr;
@@ -216,7 +216,7 @@ aChannel *chptr;
 	return 0;
 }
 
-DLLFUNC int issecure_kick(aClient *cptr, aClient *sptr, aClient *victim, aChannel *chptr, char *comment)
+int issecure_kick(aClient *cptr, aClient *sptr, aClient *victim, aChannel *chptr, char *comment)
 {
 	/* Identical to part&quit, except we care about 'victim' and not 'sptr' */
 	if (IsSecureJoin(chptr) && !IsSecureChanIndicated(chptr) &&
@@ -225,7 +225,7 @@ DLLFUNC int issecure_kick(aClient *cptr, aClient *sptr, aClient *victim, aChanne
 	return 0;
 }
 
-DLLFUNC int issecure_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
+int issecure_chanmode(aClient *cptr, aClient *sptr, aChannel *chptr,
                              char *modebuf, char *parabuf, time_t sendts, int samode)
 {
 	if (!strchr(modebuf, 'z'))

src/modules/chanmodes/link.c

@@ -9,7 +9,7 @@
 ModuleHeader MOD_HEADER(link)
   = {
 	"chanmodes/link",
-	"4.0",
+	"4.2",
 	"Channel Mode +L",
 	"3.2-b8-1",
 	NULL,
@@ -107,7 +107,7 @@ int cmodeL_is_ok(aClient *sptr, aChannel *chptr, char mode, char *para, int type
 		return EX_ALLOW;
 	}
 
-	/* falltrough -- should not be used */
+	/* fallthrough -- should not be used */
 	return EX_DENY;
 }
 

src/modules/chanmodes/nocolor.c

@@ -24,7 +24,7 @@ CMD_FUNC(nocolor);
 ModuleHeader MOD_HEADER(nocolor)
   = {
 	"chanmodes/nocolor",
-	"4.0",
+	"4.2",
 	"Channel Mode +c",
 	"3.2-b8-1",
 	NULL 
@@ -34,9 +34,9 @@ Cmode_t EXTCMODE_NOCOLOR;
 
 #define IsNoColor(chptr)    (chptr->mode.extmode & EXTCMODE_NOCOLOR)
 
-DLLFUNC char *nocolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
-DLLFUNC char *nocolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment);
-DLLFUNC char *nocolor_prelocalquit(aClient *sptr, char *comment);
+char *nocolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
+char *nocolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment);
+char *nocolor_prelocalquit(aClient *sptr, char *comment);
 
 MOD_TEST(nocolor)
 {
@@ -84,7 +84,7 @@ static int IsUsingColor(char *s)
         return 0;
 }
 
-DLLFUNC char *nocolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
+char *nocolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
 {
 	Hook *h;
 	int i;
@@ -112,7 +112,7 @@ DLLFUNC char *nocolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int
 	return text;
 }
 
-DLLFUNC char *nocolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment)
+char *nocolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment)
 {
 	if (!comment)
 		return NULL;
@@ -134,7 +134,7 @@ static int IsAnyChannelNoColor(aClient *sptr)
 	return 0;
 }
 
-DLLFUNC char *nocolor_prelocalquit(aClient *sptr, char *comment)
+char *nocolor_prelocalquit(aClient *sptr, char *comment)
 {
 	if (!comment)
 		return NULL;

src/modules/chanmodes/noctcp.c

@@ -24,7 +24,7 @@ CMD_FUNC(noctcp);
 ModuleHeader MOD_HEADER(noctcp)
   = {
 	"chanmodes/noctcp",
-	"4.0",
+	"4.2",
 	"Channel Mode +C",
 	"3.2-b8-1",
 	NULL 
@@ -34,7 +34,7 @@ Cmode_t EXTCMODE_NOCTCP;
 
 #define IsNoCTCP(chptr)    (chptr->mode.extmode & EXTCMODE_NOCTCP)
 
-DLLFUNC char *noctcp_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
+char *noctcp_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
 
 MOD_TEST(noctcp)
 {
@@ -78,7 +78,7 @@ static int IsACTCP(char *s)
 	return 0;
 }
 
-DLLFUNC char *noctcp_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
+char *noctcp_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
 {
 	if (MyClient(sptr) && IsNoCTCP(chptr) && IsACTCP(text))
 	{

src/modules/chanmodes/noinvite.c

@@ -24,7 +24,7 @@ CMD_FUNC(noinvite);
 ModuleHeader MOD_HEADER(noinvite)
   = {
 	"chanmodes/noinvite",
-	"4.0",
+	"4.2",
 	"Channel Mode +V",
 	"3.2-b8-1",
 	NULL 
@@ -34,8 +34,8 @@ Cmode_t EXTCMODE_NOINVITE;
 
 #define IsNoInvite(chptr)    (chptr->mode.extmode & EXTCMODE_NOINVITE)
 
-DLLFUNC int noinvite_pre_knock(aClient *sptr, aChannel *chptr);
-DLLFUNC int noinvite_pre_invite(aClient *sptr, aClient *acptr, aChannel *chptr, int *override);
+int noinvite_pre_knock(aClient *sptr, aChannel *chptr);
+int noinvite_pre_invite(aClient *sptr, aClient *acptr, aChannel *chptr, int *override);
 
 MOD_TEST(noinvite)
 {
@@ -70,7 +70,7 @@ MOD_UNLOAD(noinvite)
 }
 
 
-DLLFUNC int noinvite_pre_knock(aClient *sptr, aChannel *chptr)
+int noinvite_pre_knock(aClient *sptr, aChannel *chptr)
 {
 	if (MyClient(sptr) && IsNoInvite(chptr))
 	{
@@ -84,11 +84,11 @@ DLLFUNC int noinvite_pre_knock(aClient *sptr, aChannel *chptr)
 	return HOOK_CONTINUE;
 }
 
-DLLFUNC int noinvite_pre_invite(aClient *sptr, aClient *acptr, aChannel *chptr, int *override)
+int noinvite_pre_invite(aClient *sptr, aClient *acptr, aChannel *chptr, int *override)
 {
 	if (MyClient(sptr) && IsNoInvite(chptr))
 	{
-		if (ValidatePermissionsForPath("override:invite:nopermissions",sptr,NULL,chptr,NULL) && sptr == acptr)
+		if (ValidatePermissionsForPath("channel:override:invite:noinvite",sptr,NULL,chptr,NULL) && sptr == acptr)
 		{
 			*override = 1;
 		} else {

src/modules/chanmodes/nokick.c

@@ -23,7 +23,7 @@
 ModuleHeader MOD_HEADER(nokick)
   = {
 	"chanmodes/nokick",
-	"4.0",
+	"4.2",
 	"Channel Mode +Q",
 	"3.2-b8-1",
 	NULL 

src/modules/chanmodes/noknock.c

@@ -22,7 +22,7 @@
 ModuleHeader MOD_HEADER(noknock)
   = {
 	"chanmodes/noknock",
-	"4.0",
+	"4.2",
 	"Channel Mode +K",
 	"3.2-b8-1",
 	NULL 
@@ -32,9 +32,9 @@ Cmode_t EXTCMODE_NOKNOCK;
 
 #define IsNoKnock(chptr)    (chptr->mode.extmode & EXTCMODE_NOKNOCK)
 
-DLLFUNC int noknock_check (aClient *sptr, aChannel *chptr);
-DLLFUNC int noknock_mode_allow(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
-DLLFUNC int noknock_mode_del (aChannel *chptr, int modeChar);
+int noknock_check (aClient *sptr, aChannel *chptr);
+int noknock_mode_allow(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
+int noknock_mode_del (aChannel *chptr, int modeChar);
 
 MOD_TEST(noknock)
 {
@@ -70,7 +70,7 @@ MOD_UNLOAD(noctcp)
 }
 
 
-DLLFUNC int noknock_check (aClient *sptr, aChannel *chptr)
+int noknock_check (aClient *sptr, aChannel *chptr)
 {
 	if (MyClient(sptr) && IsNoKnock(chptr))
 	{
@@ -83,7 +83,7 @@ DLLFUNC int noknock_check (aClient *sptr, aChannel *chptr)
 	return HOOK_CONTINUE;
 }
 
-DLLFUNC int noknock_mode_del (aChannel *chptr, int modeChar)
+int noknock_mode_del (aChannel *chptr, int modeChar)
 {
 	// Remove noknock when we're removing invite only
 	if (modeChar == 'i')
@@ -92,7 +92,7 @@ DLLFUNC int noknock_mode_del (aChannel *chptr, int modeChar)
 	return 0;
 }
 
-DLLFUNC int noknock_mode_allow(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
+int noknock_mode_allow(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
 {
 
 	if (!(chptr->mode.mode & MODE_INVITEONLY))

src/modules/chanmodes/nonickchange.c

@@ -23,7 +23,7 @@
 ModuleHeader MOD_HEADER(nonickchange)
   = {
 	"chanmodes/nonickchange",
-	"4.0",
+	"4.2",
 	"Channel Mode +N",
 	"3.2-b8-1",
 	NULL 
@@ -33,7 +33,7 @@ Cmode_t EXTCMODE_NONICKCHANGE;
 
 #define IsNoNickChange(chptr)    (chptr->mode.extmode & EXTCMODE_NONICKCHANGE)
 
-DLLFUNC int nonickchange_check (aClient *sptr, aChannel *chptr);
+int nonickchange_check (aClient *sptr, aChannel *chptr);
 
 MOD_TEST(nonickchange)
 {
@@ -67,7 +67,7 @@ MOD_UNLOAD(nonickchange)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC int nonickchange_check (aClient *sptr, aChannel *chptr)
+int nonickchange_check (aClient *sptr, aChannel *chptr)
 {
 	if (!IsOper(sptr) && !IsULine(sptr)
 		&& IsNoNickChange(chptr)

src/modules/chanmodes/nonotice.c

@@ -22,7 +22,7 @@
 ModuleHeader MOD_HEADER(nonotice)
   = {
 	"chanmodes/nonotice",
-	"4.0",
+	"4.2",
 	"Channel Mode +T",
 	"3.2-b8-1",
 	NULL 

src/modules/chanmodes/operonly.c

@@ -24,7 +24,7 @@ CMD_FUNC(operonly);
 ModuleHeader MOD_HEADER(operonly)
   = {
 	"chanmodes/operonly",
-	"4.0",
+	"4.2",
 	"Channel Mode +O",
 	"3.2-b8-1",
 	NULL 
@@ -32,10 +32,10 @@ ModuleHeader MOD_HEADER(operonly)
 
 Cmode_t EXTCMODE_OPERONLY;
 
-DLLFUNC int operonly_require_oper(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
-DLLFUNC int operonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[]);
-DLLFUNC int operonly_topic_allow (aClient *sptr, aChannel *chptr);
-DLLFUNC int operonly_check_ban(aClient *cptr, aChannel *chptr);
+int operonly_require_oper(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what);
+int operonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[]);
+int operonly_topic_allow (aClient *sptr, aChannel *chptr);
+int operonly_check_ban(aClient *cptr, aChannel *chptr);
 
 MOD_TEST(operonly)
 {
@@ -71,23 +71,23 @@ MOD_UNLOAD(noctcp)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC int operonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[])
+int operonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[])
 {
-	if ((chptr->mode.extmode & EXTCMODE_OPERONLY) && !ValidatePermissionsForPath("channel:operonly",cptr,NULL,chptr,NULL))
+	if ((chptr->mode.extmode & EXTCMODE_OPERONLY) && !ValidatePermissionsForPath("channel:operonly:join",cptr,NULL,chptr,NULL))
 		return ERR_OPERONLY;
 	return 0;
 }
 
-DLLFUNC int operonly_check_ban(aClient *cptr, aChannel *chptr)
+int operonly_check_ban(aClient *cptr, aChannel *chptr)
 {
 	 if ((chptr->mode.extmode & EXTCMODE_OPERONLY) &&
-		    !ValidatePermissionsForPath("override:ban:operonly",cptr,NULL,NULL,NULL))
+		    !ValidatePermissionsForPath("channel:operonly:ban",cptr,NULL,NULL,NULL))
 		 return HOOK_DENY;
 
 	 return HOOK_CONTINUE;
 }
 
-DLLFUNC int operonly_topic_allow (aClient *sptr, aChannel *chptr)
+int operonly_topic_allow (aClient *sptr, aChannel *chptr)
 {
 	if (chptr->mode.extmode & EXTCMODE_OPERONLY && !ValidatePermissionsForPath("channel:operonly:topic",sptr,NULL,chptr,NULL))
 		return HOOK_DENY;
@@ -95,9 +95,9 @@ DLLFUNC int operonly_topic_allow (aClient *sptr, aChannel *chptr)
 	return HOOK_CONTINUE;
 }
 
-DLLFUNC int operonly_require_oper(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
+int operonly_require_oper(aClient *cptr, aChannel *chptr, char mode, char *para, int checkt, int what)
 {
-	if (!MyClient(cptr) || ValidatePermissionsForPath("channel:operonly",cptr,NULL,chptr,NULL))
+	if (!MyClient(cptr) || ValidatePermissionsForPath("channel:operonly:set",cptr,NULL,chptr,NULL))
 		return EX_ALLOW;
 
 	if (checkt == EXCHK_ACCESS_ERR)

src/modules/chanmodes/permanent.c

@@ -22,7 +22,7 @@
 ModuleHeader MOD_HEADER(permanent)
   = {
 	"chanmodes/permanent",
-	"4.0",
+	"4.2",
 	"Permanent channel mode (+P)", 
 	"3.2-b8-1",
 	NULL 

src/modules/chanmodes/regonly.c

@@ -23,7 +23,7 @@
 ModuleHeader MOD_HEADER(regonly)
   = {
 	"chanmodes/regonly",
-	"4.0",
+	"4.2",
 	"Channel Mode +R",
 	"3.2-b8-1",
 	NULL 
@@ -33,7 +33,7 @@ Cmode_t EXTCMODE_REGONLY;
 
 #define IsRegOnly(chptr)    (chptr->mode.extmode & EXTCMODE_REGONLY)
 
-DLLFUNC int regonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[]);
+int regonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[]);
 
 
 MOD_TEST(regonly)
@@ -68,7 +68,7 @@ MOD_UNLOAD(regonly)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC int regonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[])
+int regonly_check (aClient *cptr, aChannel *chptr, char *key, char *parv[])
 {
 	if (IsRegOnly(chptr) && !IsLoggedIn(cptr))
 		return ERR_NEEDREGGEDNICK;

src/modules/chanmodes/regonlyspeak.c

@@ -23,7 +23,7 @@
 ModuleHeader MOD_HEADER(regonlyspeak)
   = {
 	"chanmodes/regonlyspeak",
-	"4.0",
+	"4.2",
 	"Channel Mode +M",
 	"3.2-b8-1",
 	NULL 
@@ -34,8 +34,8 @@ static char errMsg[2048];
 
 #define IsRegOnlySpeak(chptr)    (chptr->mode.extmode & EXTCMODE_REGONLYSPEAK)
 
-DLLFUNC int regonlyspeak_can_send (aClient* cptr, aChannel *chptr, char* message, Membership* lp, int notice);
-DLLFUNC char * regonlyspeak_part_message (aClient* sptr, aChannel *chptr, char* comment);
+int regonlyspeak_can_send (aClient* cptr, aChannel *chptr, char* message, Membership* lp, int notice);
+char * regonlyspeak_part_message (aClient* sptr, aChannel *chptr, char* comment);
 
 MOD_TEST(regonlyspeak)
 {
@@ -70,23 +70,23 @@ MOD_UNLOAD(regonlyspeak)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC char *regonlyspeak_part_message (aClient *sptr, aChannel *chptr, char *comment)
+char *regonlyspeak_part_message (aClient *sptr, aChannel *chptr, char *comment)
 {
 	if (!comment)
 		return NULL;
 
-	if (IsRegOnlySpeak(chptr) && !IsLoggedIn(sptr) && !ValidatePermissionsForPath("immune:regonly",sptr,NULL,NULL,NULL))
+	if (IsRegOnlySpeak(chptr) && !IsLoggedIn(sptr) && !ValidatePermissionsForPath("channel:override:message:regonlyspeak",sptr,NULL,NULL,NULL))
 		return NULL;
 
 	return comment;
 }
 
-DLLFUNC int regonlyspeak_can_send (aClient *cptr, aChannel *chptr, char *message, Membership *lp, int notice)
+int regonlyspeak_can_send (aClient *cptr, aChannel *chptr, char *message, Membership *lp, int notice)
 {
 	Hook *h;
 	int i;
 
-	if (IsRegOnlySpeak(chptr) && !op_can_override("override:message:regonlyspeak",cptr,chptr,NULL) && !IsLoggedIn(cptr) &&
+	if (IsRegOnlySpeak(chptr) && !op_can_override("channel:override:message:regonlyspeak",cptr,chptr,NULL) && !IsLoggedIn(cptr) &&
 		    (!lp
 		    || !(lp->flags & (CHFL_CHANOP | CHFL_VOICE | CHFL_CHANOWNER |
 		    CHFL_HALFOP | CHFL_CHANPROT))))

src/modules/chanmodes/secureonly.c

@@ -22,7 +22,7 @@
 ModuleHeader MOD_HEADER(sslonly)
   = {
 	"chanmodes/sslonly",
-	"4.0",
+	"4.2",
 	"Channel Mode +z",
 	"3.2-b8-1",
 	NULL 
@@ -34,7 +34,7 @@ Cmode_t EXTCMODE_SSLONLY;
 
 int secureonly_check_join(aClient *sptr, aChannel *chptr, char *key, char *parv[]);
 void secureonly_channel_sync (aChannel* chptr, int merge, int removetheirs, int nomode);
-int secureonly_check_send(aClient *acptr, aChannel* chptr);
+int secureonly_send_channel(aClient *acptr, aChannel* chptr);
 int secureonly_check_secure(aChannel* chptr);
 int secureonly_check_sajoin(aClient *acptr, aChannel* chptr, aClient *sptr);
 int secureonly_specialcheck(aClient *sptr, aChannel *chptr, char *parv[]);
@@ -58,7 +58,7 @@ MOD_INIT(sslonly)
 	HookAdd(modinfo->handle, HOOKTYPE_CAN_JOIN, 0, secureonly_check_join);
 	HookAddVoid(modinfo->handle, HOOKTYPE_CHANNEL_SYNCED, 0, secureonly_channel_sync);
 	HookAdd(modinfo->handle, HOOKTYPE_IS_CHANNEL_SECURE, 0, secureonly_check_secure);
-	HookAdd(modinfo->handle, HOOKTYPE_CAN_SEND_SECURE, 0, secureonly_check_send);
+	HookAdd(modinfo->handle, HOOKTYPE_SEND_CHANNEL, 0, secureonly_send_channel);
 	HookAdd(modinfo->handle, HOOKTYPE_CAN_SAJOIN, 0, secureonly_check_sajoin);
 
 
@@ -119,18 +119,18 @@ int secureonly_check_join(aClient *sptr, aChannel *chptr, char *key, char *parv[
 	Link *lp;
 
 	if (IsSecureOnly(chptr) && !(sptr->umodes & UMODE_SECURE))
+	{
+		if (ValidatePermissionsForPath("channel:override:secureonly",sptr,NULL,chptr,NULL))
 		{
-			if (ValidatePermissionsForPath("immune:secureonly",sptr,NULL,chptr,NULL))
-			{
-				/* if the channel is +z we still allow an ircop to bypass it
-				 * if they are invited.
-				 */
-				for (lp = sptr->user->invited; lp; lp = lp->next)
-					if (lp->value.chptr == chptr)
-						return HOOK_CONTINUE;
-			}
-			return (ERR_SECUREONLYCHAN);
+			/* if the channel is +z we still allow an ircop to bypass it
+			 * if they are invited.
+			 */
+			for (lp = sptr->user->invited; lp; lp = lp->next)
+				if (lp->value.chptr == chptr)
+					return HOOK_CONTINUE;
 		}
+		return (ERR_SECUREONLYCHAN);
+	}
 	return 0;
 }
 
@@ -152,7 +152,7 @@ void secureonly_channel_sync(aChannel *chptr, int merge, int removetheirs, int n
 	}
 }
 
-int secureonly_check_send(aClient *acptr, aChannel *chptr)
+int secureonly_send_channel(aClient *acptr, aChannel *chptr)
 {
 	if (IsSecureOnly(chptr))
 		if (!IsSecure(acptr))

src/modules/chanmodes/stripcolor.c

@@ -24,7 +24,7 @@ CMD_FUNC(stripcolor);
 ModuleHeader MOD_HEADER(stripcolor)
   = {
 	"chanmodes/stripcolor",
-	"4.0",
+	"4.2",
 	"Channel Mode +S",
 	"3.2-b8-1",
 	NULL 
@@ -34,9 +34,9 @@ Cmode_t EXTCMODE_STRIPCOLOR;
 
 #define IsStripColor(chptr)    (chptr->mode.extmode & EXTCMODE_STRIPCOLOR)
 
-DLLFUNC char *stripcolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
-DLLFUNC char *stripcolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment);
-DLLFUNC char *stripcolor_prelocalquit(aClient *sptr, char *comment);
+char *stripcolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice);
+char *stripcolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment);
+char *stripcolor_prelocalquit(aClient *sptr, char *comment);
 
 MOD_TEST(stripcolor)
 {
@@ -72,7 +72,7 @@ MOD_UNLOAD(stripcolor)
 	return MOD_SUCCESS;
 }
 
-DLLFUNC char *stripcolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
+char *stripcolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text, int notice)
 {
 	Hook *h;
 	int i;
@@ -94,7 +94,7 @@ DLLFUNC char *stripcolor_prechanmsg(aClient *sptr, aChannel *chptr, char *text,
 	return text;
 }
 
-DLLFUNC char *stripcolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment)
+char *stripcolor_prelocalpart(aClient *sptr, aChannel *chptr, char *comment)
 {
 	if (!comment)
 		return NULL;
@@ -117,7 +117,7 @@ static int IsAnyChannelStripColor(aClient *sptr)
 }
 
 
-DLLFUNC char *stripcolor_prelocalquit(aClient *sptr, char *comment)
+char *stripcolor_prelocalquit(aClient *sptr, char *comment)
 {
 	if (!comment)
 		return NULL;