mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-26 11:36:37 +02:00

139 Commits

Author SHA1 Message Date
Bram Matthys a0ae1a5a66 Update release notes header to conform to style 2022-05-03 11:45:58 +02:00
Bram Matthys fc3711fcbe Refer to UnrealIRCd 6 module api page from the UnrealIRCd 5 module api page. 2022-02-06 07:42:59 +01:00
Bram Matthys 6604856973 ** UnrealIRCd 5.2.4 ** 2022-01-28 17:03:07 +01:00
Bram Matthys 0843ac64c0 Handle outdated version in the crash reporter:
1) Warn when >= July 1, 2022 that we only do security fixes (but continue the report)
2) Error when >= July 1, 2023 that all support ceased (do not send a report)
3) Handle HTTP 403 condition
2022-01-02 09:47:35 +01:00
Bram Matthys 5b3b50c084 Add variable declaration in innosetup file. 2021-12-29 20:09:59 +01:00
Bram Matthys 9ea7aebef2 Add link to UnrealIRCd 6 "what's new" 2021-12-29 15:29:00 +01:00
Bram Matthys 8f2e31f911 ** UnrealIRCd 5.2.3 **
This release will be put online at a later date, together with 6.0.1.
2021-12-29 12:18:02 +01:00
Bram Matthys fb3becb30e Make ./unrealircd upgrade work on FreeBSD as well
(fix ported from U6)
2021-12-29 12:15:56 +01:00
k4bek4be 311cdc4639 Make CHATHISTORY not FAIL on a -H channel, sending empty history instead (#156) 2021-12-19 10:41:54 +01:00
Bram Matthys 191ecc0e11 Fix EOL date, apparently I promised July and not June :D. 2021-12-15 07:12:09 +01:00
Bram Matthys 8584058a61 Update release notes a bit more
[skip ci]
2021-12-13 19:02:08 +01:00
Bram Matthys 08afb5ce3a Update release notes for 5.2.3
[skip ci]
2021-12-13 18:59:24 +01:00
musk 26ad4b48f7 Add example.es.conf (#187) 2021-12-13 18:53:22 +01:00
Bram Matthys fb0aeb14c0 Mention 6.x (already) as a supported version and mention U5 EOL date
explicitly in this document as well. (Even though it already contains
a reference to the EOL dates)
2021-12-13 18:49:56 +01:00
Val Lorentz da34552027 Send nick!user@host in WALLOPS message from self. 2021-12-10 19:42:38 +01:00
Bram Matthys de31964738 Update release notes
[skip ci]
2021-12-06 17:50:51 +01:00
Bram Matthys e1b3016426 Fix set::anti-flood::connect-flood not obeying the 'per XX seconds'
configuration. It was always cleaning up old entries after 2 minutes.
That is, until the first REHASH happened, after that the correct
connect-flood setting was applied.
In practice, with the default configuration, this means that instead
of 3:60 it was 3:120 until the first REHASH, and after that 3:60.

This was caused by update_throttling_timer_settings() being
called before init_throttling().
2021-12-06 17:46:40 +01:00
Bram Matthys 343c4834ba Add CONTRIBUTING.md file 2021-12-06 12:55:24 +01:00
Bram Matthys 59ac6b8218 This looks better. Less = more.
[skip ci]
2021-12-06 12:29:18 +01:00
Bram Matthys 4a91f8c33a Update release notes a bit more
[skip ci]
2021-12-06 12:09:47 +01:00
Bram Matthys ca9fa7c2cc Update release notes a bit: dot dot dot
[skip ci]
2021-12-06 12:04:46 +01:00
Bram Matthys 7d4cafd068 Bump version to 5.2.3-git and write some early release notes 2021-12-06 11:54:06 +01:00
Bram Matthys fd81a98364 Add more warnings 3/6/9 months before EOL date (June 1, 2023)
Just like we did in UnrealIRCd 4.
2021-12-06 11:40:20 +01:00
Bram Matthys 40161cad0c Show EOL warning in 2023 2021-12-06 11:21:52 +01:00
Bram Matthys 14dadac9ff Remove some confusing examples about extended server bans in (G)ZLINE.
And also remove some references to old oper privilege flags.
Reported by progval.
2021-12-03 16:07:47 +01:00
Bram Matthys f65a2ba3d1 Backport fix for memory leak in websocket module. 2021-12-01 09:08:07 +01:00
Bram Matthys 22f5039180 Don't use slashes at start and end in SPAMFILTER example in HELPOP.
Reported by srhuston in https://bugs.unrealircd.org/view.php?id=6002
[skip ci]
2021-12-01 09:03:20 +01:00
Ramiro Bou a35b476b05 Sending WALLOPS back to the oper that issued it. (#159) 2021-11-28 10:54:05 +01:00
Bram Matthys dbdac4e304 ** UnrealIRCd 5.2.2 ** 2021-10-03 15:59:13 +02:00
Bram Matthys 98fa3a63c8 Update release notes a bit more
[skip ci]
2021-10-03 15:54:06 +02:00
Bram Matthys 8e3c3a1bd7 Also mention possible OpenBSD c-ares fix in release notes
[skip ci]
2021-10-03 12:17:05 +02:00
Bram Matthys d48acf638a Update text a bit
[skip ci]
2021-10-03 12:13:26 +02:00
Bram Matthys 82c8c9aed4 BuildBot: FreeBSD hangs with ASan enabled, in OPENSSL_init_ssl(),
which calls qsort(). So disable it in the build tests (wtf?).
[skip ci]
2021-10-03 12:12:47 +02:00
Bram Matthys 3715ae6789 Update release notes
[skip ci]
2021-10-03 11:02:19 +02:00
Bram Matthys a21168928f Update shipped c-ares from 1.17.1 to 1.17.2 (10-aug-2021) 2021-10-03 10:37:03 +02:00
Bram Matthys 745f3fbb06 Update release notes, get ready for 5.2.2. 2021-10-03 10:33:14 +02:00
Bram Matthys d2ef328147 Update curl-ca-bundle.crt to version of Thu Sep 30 03:12:05 2021 GMT
from https://curl.se/ca/cacert.pem. Has a few changes, but the most
notable change is that they removed DST Root CA X3. This fixes
verifying Let's Encrypt certificates if you use the "DST Root CA X3"
chain (which is currently the default in certbot and all) on:
* OpenSSL 1.0.2 or earlier (old but in use on eg: Debian 8, Ubuntu 16.04, ..)
* LibreSSL below 3.3.5/3.2.7 (so until a day ago)

This only affects outgoing connections, so for remote includes and
for server linking. Server linking is only affected if you use the
link::verify-certificate option, which most people don't use.

On a side note, ISRG Root X1, so the "real root" for Let's Encrypt is
already included since August 2017 (c8a67f9436)
2021-10-03 10:13:40 +02:00
Bram Matthys 3feac27c43 Put arabic-utf8 in the correct group and #if out the hard error
when mixing UTF8 groups, make it a general warning again as it
may or may not be an issue.
2021-09-22 09:31:47 +02:00
Bram Matthys c51a3d96be Add support for arabic-utf8 in set::allowed-nickchars. Supplied by Sensiva
in https://bugs.unrealircd.org/view.php?id=3734
2021-09-22 09:20:19 +02:00
Bram Matthys 871b581a06 Module coders: add UNREAL_VERSION so you can more easily check UnrealIRCd
versions in #ifdef's. Eg: #if UNREAL_VERSION > 0x05020100 to check if >5.2.1
2021-08-10 14:32:32 +02:00
Bram Matthys 41d8a13b19 Fix crash in set::server-linking::autoconnect-strategy sequential-fallback
when a remote server links to another server.
2021-08-08 15:56:29 +02:00
Bram Matthys 0593dc4b73 Allow SVSLOGIN also if set::sasl-server is not set.
Because yeah... why not.
2021-07-15 10:30:23 +02:00
k4bek4be c5a6f3c549 Make CHATHISTORY subcommands case-insensitive. (#157) 2021-07-11 09:24:56 +02:00
Ramiro Bou 0985728662 Adding sequential-fallback autoconnect strategy (#151)
After successful server connection it will restart from the beginning of the link blocks again.
2021-07-11 09:24:14 +02:00
Val Lorentz 67bfd41e44 chathistory: Use more explicit messages on INVALID_TARGET failure message (#150) 2021-07-11 09:09:18 +02:00
Bram Matthys d726c3aadd Bump version to 5.2.2-git as this is git / work in progress. 2021-07-10 10:03:46 +02:00
Bram Matthys d3c98c73c2 Fix issue where saslmechlist could not be set by services server.
This broke SASL services autodetection and also sasl=x,y,z in CAP.
Reported by Valware in https://bugs.unrealircd.org/view.php?id=5960

Of course the easiest solution would be just to set .remote_write=1
for this, which is what I've just done for the 5.2.1.1 release.
But there seems to be a pattern here. When a server wants to write
its own object (irc1.example.net writing to the MD object of
irc1.example.net) we have the problem that that object is both
"our client" and from the other server POV it is "themselves".
On one hand you may want to allow that (eg for 'saslmechlist'), on
the other hand a server writing its own 'certfp' sounds like a bad
idea in principle.
So we now add a new option for the 'self' case and make some MD
objects use it. In fact, in the core we now have zero MD objects
using remote_write. We keep the option available though, for example
for k4be's geoip modules and possibly future features.

Module API change:
* .self_write added which allows a server to write to its own object
  (irc1.example.net writing to the MD object of irc1.example.net)
* .remote_write still exists too if you want to allow remote servers
  to write to your own objects
* Note that in all cases, servers can always write to their own
  (child) client objects.

Changes:
* The link-security MD changed from .remote_write=1 to .self_write=1
* The saslmechlist MD now has .self_write=1, this fixes the actual bug
2021-07-10 09:14:18 +02:00
Bram Matthys 8322a48026 ** UnrealIRCd 5.2.1 ** 2021-07-08 17:42:52 +02:00
Bram Matthys 0971cf7d70 modules.optional.conf: example set::antirandom block: Use CIDR
instead of standard wildcard.
In this case, since it's antirandom, it is not really important
as someone is not going to add DNS records specially to avoid
triggering antirandom. That makes no sense since it is much
easier to avoid using a random looking name.
Main reason of changing it here is to set a good example.
2021-07-07 14:20:15 +02:00
Bram Matthys b398c3d101 Change default exempt from 127.* to 127.0.0.0/8 so it does not match
arbitrary hosts that have a host starting with "127.". A rather stupid
oversight on my part, really.

In the meantime, if this happens, then you can still resort to using
ZLINE/GZLINE as a workaround to ban such a user. (The exemption won't
match against the host because DNS lookups are not done for zlines)

Reported by armyn in https://bugs.unrealircd.org/view.php?id=5957
2021-07-07 09:21:17 +02:00
Bram Matthys 141dd8acd0 Load settings from 5.2.0.x dot releases as well 2021-07-03 15:18:47 +02:00
Bram Matthys 94993a03ca ** UnrealIRCd 5.2.1-rc1 ** 2021-07-03 14:42:34 +02:00
Bram Matthys 1d62ca1153 Send account tag to recipient on INVITE.
Reported by ProgVal in https://bugs.unrealircd.org/view.php?id=5951
2021-07-03 14:18:15 +02:00
Bram Matthys 527726be41 Take message tags into account when calculating fake lag.
This was more of an oversight because the cmdbytes calculation happens
in a different function after message tags have already been processed.
Also, wasn't really important up to now since we only allow quite short
tags at the moment.

Instead of just counting these in cmdbytes, as would be the most logical
and easiest fix, we use a different strategy:
We use a separate counter for message-tags so clients benefit from the
"rounding down rule". In other words: the first xyz bytes give you
no extra penalty compared to before (eg they are "free"). Useful for
clients who use eg @label heavily.
By default this is 90 bytes for unknown-users and 180 bytes for
known-users. See lag-penalty-bytes in set::anti-flood.
2021-07-03 09:33:19 +02:00
Bram Matthys ee9db59d36 Fix two more small memory leaks on REHASH.
Now we are at zero leaks again with ASan, or so it seems.
2021-07-02 11:42:58 +02:00
Bram Matthys 12299b45bf Fix small memory leak on REHASH (<1kb): free set::anti-flood block 2021-07-02 10:56:51 +02:00
Bram Matthys abaed84190 Order CHATHISTORY TARGETS response in descending order (newest first)
https://bugs.unrealircd.org/view.php?id=5904
2021-07-02 10:42:40 +02:00
Bram Matthys 35f8598f3f Fix crash if using persistent channel history: if you had ANY rehash error
(often completely unrelated to channel history) and you then rehashed again
UnrealIRCd would crash. Reported by gh0st.
May be the same issue as reported by adamus1red in
https://bugs.unrealircd.org/view.php?id=5943

This has to do with SavePersistentPointer/LoadPersistentPointer calls
which normally work fine but this particular module uses it in MOD_TEST
causing a certain sequence of events causing a double free or read-
after-free if you do it slightly differently.
2021-07-02 09:16:58 +02:00
Bram Matthys f0db0735a8 Update release notes a bit
[skip ci]
2021-06-30 13:32:20 +02:00
Bram Matthys 696d5f05fb Last argument in fd_open() is now used to indicate what should be done on a
later fd_close() call. This also removes fd_map() since fd_open w/FDCLOSE_NONE
now does that.

* If you use fd_socket() or fd_accept(), then no change.
  When fd_close() is called we call close() on *NIX and closesocket() on Win.
* If you use fd_fileopen(), then no change.
  When fd_close() is called we will call close() on both *NIX and Win.
* If you used fd_open() and then fd_unmap() because you didn't want us
  to close the socket, then use fd_open() with FDCLOSE_NONE and
  just call fd_close() instead of fd_unmap().
  We will not actually close the fd in fd_close() (FDCLOSE_NONE).
* If you called fd_open() with other intentions then either specify a
  FDCLOSE_SOCKET / FDCLOSE_FILE as the last argument, or more likely:
  don't use fd_open() at all and use fd_socket() or fd_fileopen() instead.

For reasons on this change, see previous patch. This way is more sane and
makes it harder to make mistakes even beyond Windows-specific issues.
2021-06-30 11:33:46 +02:00
Bram Matthys 329f48334c I/O engine: track if a fd is a file or socket, needed for Windows.
This fixes a file descriptor leak in Windows that happened in the
logging code. The most visible effect of this was if you had a
log::maxsize set then on Windows you would see:
"Max file size reached, starting new log file"
Every other line, forever (and not actually starting a new log).

fd_close() previously did not close the file descriptor of a file
on Windows because on Windows it needs to call close() for a file
and closesocket() for a socket, and it always did the latter.
On *NIX it's more easy and you can just always close() any fd.
2021-06-30 11:06:44 +02:00
Bram Matthys a44b1cb63e Fix ./unrealircd genlinkblock printing out a confusing error message if
you have serversonly listen block without tls.
Reported by Valware in https://bugs.unrealircd.org/view.php?id=5945
2021-06-30 10:06:19 +02:00
Bram Matthys 0bd2cfd0fc Update file_exists() function to work with directories on Windows.
And then let's use the similar (and faster) function on Linux too.
2021-06-28 19:33:14 +02:00
Bram Matthys 137703f04a Add cipherscan profile for OpenSSL 3.0.0. 2021-06-28 15:56:05 +02:00
Bram Matthys c586592516 Add -nodes (no DES) to openssl command so it doesn't ask for a
password on OpenSSL 3.0.0 and later when generating the standard
self-signed certificate.
2021-06-28 13:59:27 +02:00
Bram Matthys 088218817d Whitespace.......
[skip ci]
2021-06-28 13:07:15 +02:00
Bram Matthys 50089d340a Build test updates
[skip ci]
2021-06-28 13:02:36 +02:00
Bram Matthys cf5966cce4 Call early_init_ssl() even more early, fixes './unrealircd module list'
from crashing and other symptoms.
Crash was introduced with the OpenSSL 3.0.0 changes from
a541b8f4ad, so 9 days ago.
2021-06-28 08:18:43 +02:00
Ramiro Bou 26295151a9 Add microsecond precision to TSCTL ALLTIME (#147) 2021-06-28 06:27:02 +02:00
Bram Matthys c667662e9b Windows: Allow UnrealIRCd to be terminated gracefully (without prompt)
via taskkill /im unrealircd.exe. Needed for BuildBot.
2021-06-27 19:21:56 +02:00
Bram Matthys ec3407a42f Set -Wno-tautological-compare on clang 3.x (yeah old version),
this to shut up false positives in buildbot.
2021-06-27 18:13:52 +02:00
Bram Matthys 30155ddd7c Only call reinit_tls() when rehashing. 2021-06-27 17:22:15 +02:00
Bram Matthys 79740c4a38 Make "REHASH" and ./unrealircd rehash also run the same code as "REHASH -tls",
if on OpenSSL 1.1.1 or later.

We trust OpenSSL 1.1.1 and later to be good enough to handle all
the reference counting and freeing nowadays, which is something that
was not done correctly in (much) older OpenSSL versions, leading
to crashes on one hand and on memory leaks on the other hand.

In OpenSSL 1.1.0 and earlier we do not rehash tls on simple "REHASH",
since that code has not been vetted. However, nobody should be
running those old OpenSSL versions anyway, since they are out of
official OpenSSL support.
2021-06-27 15:38:40 +02:00
Bram Matthys a8e52fdead Bump sjoin module version to 5.1
[skip ci]
2021-06-27 07:41:21 +02:00
Bram Matthys c37c965506 Fix SJOIN not properly propagated due to a copy-paste error in the SJSBY
vs non-SJSBY code. Reported by puckipedia in
https://bugs.unrealircd.org/view.php?id=5934
2021-06-27 07:39:02 +02:00
Bram Matthys 1347b33c14 Update release notes
[skip ci]
2021-06-26 19:44:47 +02:00
Bram Matthys 2afc57aa38 Use IsLoggedIn() macro everywhere where possible.
Based on previous reports and patches from k4be in
https://github.com/unrealircd/unrealircd/pull/129

Looks much cleaner now.

This also filters out the edge case where user_account_login()
could have been called when a user transitioned from "not logged in"
to "unconfirmed account". It did not cause any issues AFAICT but
it is not really expected either.
2021-06-26 11:47:08 +02:00
Bram Matthys 68d172854d Remove IsARegNick() as we already have IsRegNick() 2021-06-26 11:19:47 +02:00
Bram Matthys 06c0a34ab1 Assume all services use account names (SVID), and drop support for services
that only set +r on people. To my knowledge, practically no services are
out there anymore that do not use proper SVIDs (and that can link with
UnrealIRCd 5).
2021-06-26 11:14:52 +02:00
Bram Matthys 9f10fa2193 Improve error message when trying to use SASL with an unconfirmed
services account.

This adds set::authentication-prompt::unconfirmed-message with
a default of:
unconfirmed-message "You are trying to use an unconfirmed services account.";
unconfirmed-message "This services account can only be used after it has been activated/confirmed.";
See https://www.unrealircd.org/docs/Set_block#set::authentication-prompt

Note that this is only shown for services which allow SASL from
unconfirmed services account in the first place, like atheme.
Anope does not allow it, which is something that could very well
be considered 'correct' as well. In that case you would simply
get the "Authentication failed" message instead
(set::authentication-prompt::fail-message).
2021-06-26 11:03:53 +02:00
Guillaume Hérail 317b3df01e modules/tkl: Fix wrong tkl names in table (#139) 2021-06-26 09:27:55 +02:00
Bram Matthys f30ce90732 Update release notes a bit
[skip ci]
2021-06-25 15:52:14 +02:00
Ramiro Bou 4dbc1f8771 Allow remote servers to write to the link-security MD object (#145) 2021-06-25 14:50:53 +02:00
Bram Matthys 114d54ac61 Allow larger IDLEN for incoming, but keep sending current length.
I would like a bit more room for this in the future,
but until then we will keep sending UIDs of length 9 in
server to server traffic, so no change at all.
2021-06-25 12:17:33 +02:00
Bram Matthys 26a3444f4e Validate the UID in cmd_uid(). Reported by Valware in
https://bugs.unrealircd.org/view.php?id=5925

This does two things in cmd_uid() now:
* It checks if parameter 6 in UID is a valid UID, using valid_uid()
* It checks if the first 3 characters of the UID match the SID
2021-06-25 11:47:23 +02:00
Bram Matthys e9e2504bf4 Don't allow remote servers to write to our MD client objects by default.
Modules can still opt-in via mreq.remote_write=1 to allow it for
certain moddata.
For example, k4be may want to do this for his geoip-base module which
allows a single server to set moddata "geoip" for all connecting clients,
including remote clients.
If you are a moddata provider then you can enable it like this:
 ModDataInfo mreq;
 [..]
 #if UNREAL_VERSION_TIME >= 202125
 mreq.remote_write = 1;
 #endif
 [..]

See discussion on https://github.com/unrealircd/unrealircd/pull/142
2021-06-25 11:28:32 +02:00
Bram Matthys e80c7b5b65 Add set::anti-flood options lag-penalty and lag-penalty-sec.
This also allows known-users to execute slightly more commands per second.

For people who want their trusted users/bots to allow even more commands
per second (eg 20cmds/sec) we now have a nice FAQ item that uses this:
https://www.unrealircd.org/docs/FAQ#high-command-rate
2021-06-23 16:21:06 +02:00
Bram Matthys 28f98da5f8 Remove debug message "Checking flood_limit_exceeded()" that was logged.
This was a leftover from debugging and should not have been present
in 5.2.0. Reported by westor.
2021-06-23 16:16:47 +02:00
Bram Matthys 3fabc1ef5f New security-group::include-mask item so you can put clients into
security-groups based on masks too.
2021-06-23 13:22:17 +02:00
Bram Matthys 7779a4e353 Show git version hash id in /INFO if you are using git
Suggested in https://bugs.unrealircd.org/view.php?id=5920 by KindOne
2021-06-21 15:08:24 +02:00
Bram Matthys 9fde768201 New block set::server-linking and change autoconnect strategy to 'sequential'
* New block [set::server-linking](https://www.unrealircd.org/docs/Set_block#set::server-linking)
  * For link blocks with autoconnect we now default to the strategy
    'sequential', meaning we will try the 1st link block first,
    then the 2nd, then the 3rd, then the 1st again, etc.
  * We now have different and lower timeouts for the connect and
    the handshake. So we give up a bit more early on servers that
    are currently down or extremely lagged.
2021-06-21 14:53:35 +02:00
Bram Matthys 883a1e02ad Initial work on new set::server-linking block:
set {
        server-linking {
                autoconnect-strategy parallel;
                connect-timeout 10s;
                handshake-timeout 20s;
        }
}

Right now the only autoconnect-strategy is 'parallel', which is simply
the existing behavior since 4.x. A future commit will add other
strategies and may or may not change the default as well.

The bit that is working already is that you can now specify different
timeouts for the connect()/TLS_connect() call and for the rest of
the handshake (when the "SERVER" message is seen), this so the connect
timeout can be relatively short.

All this will be documented later in the wiki and release notes.
2021-06-21 13:23:15 +02:00
Bram Matthys 52297e24b6 Don't send "local" channel modes to remote servers.
They were already ignored in MODE by remote UnrealIRCd servers,
but this makes it so local modes (+Z and +d at the moment)
are not sent across the wire.

This also changes the channel_modes() function to have an additional
'hide_local_modes' argument. Set this to 1 if you are building a
buffer that will be sent to remote servers, otherwise use 0,
which is far more common.

Also, this will skip saving of local channel modes to channeldb
since all of these are temporary, or at the moment anyway.

Thanks to alice for reporting this bug and providing a good test
case to help fix this issue and the previous ones.
2021-06-19 17:25:26 +02:00
Bram Matthys fcc7a2cf06 Channel mode +d is local, so should be tagged as such. 2021-06-19 17:03:26 +02:00
Bram Matthys dd1f572acb The code for -d (so after -D+d) never took QUITs into account. Fun. 2021-06-19 16:59:54 +02:00
Bram Matthys 06633047a2 Remove "HCN" from 005. Nobody uses this anyway. 2021-06-19 14:14:33 +02:00
Bram Matthys a541b8f4ad Add support for OpenSSL 3.0.0 (based on -beta1)
Now compiles fine without any warnings.

Note that certificate_quality_check() is an outstanding TODO item.
2021-06-19 13:10:52 +02:00
Bram Matthys e28895c8a9 Show 'security-groups: known-users' etc in connect notice to opers. 2021-06-19 12:49:09 +02:00
Bram Matthys 6cc50d16d0 Fix security group code seeing remote users as always on TLS.
Likely not that important until now, but fix needed for next...
2021-06-19 12:47:52 +02:00
Bram Matthys 991f9f347e Allow wildcards in ~a extban, also special code for ~a:0 and ~a:*
~a:0: match all unauthenticated users
~a:*: match all authenticated users
~a:SomeUser: match only SomeUser, also allow wildcards here, even
though that is usually a very bad idea :D
2021-06-19 11:13:30 +02:00
Bram Matthys fb4b21982d Start writing early release notes for 5.2.1, in particular the new allow
and mask options that should give people food for thought.
[skip ci]
2021-06-19 10:41:04 +02:00
Bram Matthys 905850a825 Bump version to 5.2.1-git and indicate this is bleeding edge 2021-06-19 10:21:46 +02:00
Bram Matthys b72ea1d945 Change allow block to use allow::mask instead of allow::ip / allow::hostname
We use 'mask' everywhere in the config except here, which is annoying
and also inflexible since mask has several nice options, see
https://www.unrealircd.org/docs/Mask_item

Users upgrading will receive a warning, and a reference to
https://www.unrealircd.org/docs/FAQ#allow-mask
but the IRCd will continue to boot (it is not an error).
2021-06-19 10:17:18 +02:00
Bram Matthys deead90ac3 Allow extended server ban syntax in ::mask entries. Eg mask ~a:Syzop; 2021-06-19 09:12:18 +02:00
Bram Matthys f71f6c8fe3 Another update to positive and negative mask rules, the rules are now:
- If you have only negating entries, like '!abc' and '!def', then
  we assume an implicit * rule first, since that is clearly what
  the user wants.
- If you have a mix, like '*.com', '!irc1*', '!irc2*', then the
  implicit * is dropped and we assume you only want to match *.com,
  with the exception of irc1*.com and irc2*.com.
- If you only have normal entries without ! then things are
  as they always are.

This patch also makes the behavior for unreal_mask_match() and
unreal_mask_match_string() the same.
2021-06-19 08:44:03 +02:00
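The negation rules in this commit message, together with the `127.*` versus `127.0.0.0/8` exemption fix in commit b398c3d101 above, modelled as an added example (not UnrealIRCd's code). The `struct client`, the function names and the sample addresses are constructed for illustration, and it assumes wildcard masks are compared against both IP and hostname while CIDR masks are compared against the IP only.

```c
/* Added example: simplified model of mask-list matching, not UnrealIRCd source. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client record: the IP is always known, the host comes from DNS. */
struct client { const char *ip; const char *host; };

/* Case-insensitive glob: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *pat, const char *s)
{
    for (; *pat; pat++, s++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *s; s++)
                if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s) return 0;
        if (*pat != '?' && tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return 0;
    }
    return *s == '\0';
}

/* 1 only if `subject` is an IPv4 literal inside `cidr` ("a.b.c.d/len").
 * A hostname is not an IP literal, so it can never satisfy a CIDR mask. */
static int cidr4_match(const char *cidr, const char *subject)
{
    char net[INET_ADDRSTRLEN], *end;
    struct in_addr addr, base;
    const char *slash = strchr(cidr, '/');
    long bits;
    uint32_t mask;

    if (!slash || (size_t)(slash - cidr) >= sizeof(net)) return 0;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end || bits < 0 || bits > 32) return 0;
    if (inet_pton(AF_INET, net, &base) != 1) return 0;
    if (inet_pton(AF_INET, subject, &addr) != 1) return 0;
    mask = bits ? htonl(0xFFFFFFFFu << (32 - bits)) : 0;
    return (addr.s_addr & mask) == (base.s_addr & mask);
}

/* Assumption: CIDR masks see the IP only; wildcard masks see IP and host. */
static int one_mask_match(const char *mask, const struct client *c)
{
    if (strchr(mask, '/')) return cidr4_match(mask, c->ip);
    return glob_match(mask, c->ip) || glob_match(mask, c->host);
}

/* Rules from the commit message: a matching '!' entry always excludes; with
 * only '!' entries an implicit '*' applies; otherwise a positive entry must
 * match. An empty list matches nothing (this example's own choice). */
int mask_list_match(const char *const *masks, size_t n, const struct client *c)
{
    size_t i, positives = 0, negatives = 0;
    int positive_hit = 0;

    for (i = 0; i < n; i++) {
        if (masks[i][0] == '!') {
            negatives++;
            if (one_mask_match(masks[i] + 1, c)) return 0;
        } else {
            positives++;
            positive_hit |= one_mask_match(masks[i], c);
        }
    }
    return positives ? positive_hit : negatives > 0;
}

/* Convenience wrapper: up to three masks, NULL marks an unused slot. */
int check(const char *ip, const char *host,
          const char *m1, const char *m2, const char *m3)
{
    const char *masks[3];
    struct client c = { ip, host };
    size_t n = 0;

    if (m1) masks[n++] = m1;
    if (m2) masks[n++] = m2;
    if (m3) masks[n++] = m3;
    return mask_list_match(masks, n, &c);
}

int main(void)
{
    /* Constructed sample: a remote client whose reverse DNS starts with "127." */
    printf("127.*       exempts 127.example.net: %d\n",
           check("203.0.113.7", "127.example.net", "127.*", NULL, NULL));
    printf("127.0.0.0/8 exempts 127.example.net: %d\n",
           check("203.0.113.7", "127.example.net", "127.0.0.0/8", NULL, NULL));
    return 0;
}
```
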
Bram Matthys f7d115e87c More fixes and enhancements for deny link::mask
( 5d6738b3e8 )
2021-06-19 08:00:04 +02:00
Bram Matthys 360d3f507f Move try_connections() from core to server module 2021-06-18 17:21:08 +02:00
Bram Matthys 497c3059ea Fix to support existing deny link::mask syntax as well. 2021-06-18 16:05:50 +02:00
Ramiro Bou 5d6738b3e8 Allowing multiple masks in "deny link" blocks. (#140) 2021-06-18 15:13:50 +02:00
Bram Matthys f0d00ff109 modules.optional.conf: elaborate a bit more on antimixedutf8 score.
And set the default there to 8 instead of 10, which should be OK.
2021-06-16 13:33:01 +02:00
Bram Matthys 89755ccec6 ** UnrealIRCd 5.2.0.1 **
Note: existing 5.2.0 users on *NIX can upgrade without restart to
have the spamfilter fix by using:
./unrealircd hot-patch wrongspamfilter520
2021-06-16 08:25:07 +02:00
Bram Matthys fb8c7a5a75 Fix weird behavior for users in pre-connect stage, eg showing
up in WHOIS. Reported by armyn and Valware.
2021-06-15 20:26:12 +02:00
Bram Matthys 8a655b8bb4 Fix spamfilter not working with type 'c'.
If you had a spamfilter on type 'c' but not on 'p' then it would not
trigger. Reported by armyn in https://bugs.unrealircd.org/view.php?id=5913
This probably went unnoticed because most people add spamfilters
on 'pc' (or even 'pcnN').
2021-06-15 20:01:58 +02:00
Bram Matthys ce807c4e21 Fix Windows build 2021-06-14 10:22:46 +02:00
Bram Matthys f7933a8d72 Set version to 5.2.0 2021-06-14 10:19:06 +02:00
Bram Matthys de4c09eae4 ** UnrealIRCd 5.2.0 ** 2021-06-14 10:14:23 +02:00
Bram Matthys c60b5f48c2 Update release notes 2021-06-14 09:43:04 +02:00
Bram Matthys 210bb2201e Update release notes
[skip ci]
2021-06-14 09:08:44 +02:00
Bram Matthys f8934a44c8 Update release notes
[skip ci]
2021-06-14 08:06:29 +02:00
Bram Matthys 572b349cbd set::restrict-commands: new option exempt-tls which allows SSL/TLS users
to bypass a restriction.
2021-06-14 08:00:48 +02:00
Bram Matthys 389a971f96 Fix rapid autoconnect protection to work with >120 servers (:D) 2021-06-07 17:11:20 +02:00
Bram Matthys 36097fbdce Fix SQUIT being sent back to where it came from.
Reported by Ariadne Conill in https://bugs.unrealircd.org/view.php?id=5906

This patch applies cleanly against 5.2.0-rc1 and 5.0.9.x.

Needs more testing, though, as fiddling with SQUIT code and the
various directions and far/near server distinctions can be tricky.
2021-06-07 10:22:23 +02:00
Bram Matthys 5237ebaabc Fix crash in 5.2.0-rc1: don't call flood_limit_exceeded_log() if a remote
server causes the target flood protection limit to be hit for a target
user or a channel.
2021-06-07 07:48:03 +02:00
Bram Matthys a22ac547c2 Some markup stuff
[skip ci]
2021-06-06 17:37:51 +02:00
Bram Matthys cc490ca924 When using old set::anti-flood settings it is now a (big) warning instead
of an error. Also the warning will differ depending on whether you use
the defaults that were in example.conf for a long time, or some custom
settings.

It's not perfect but should help people with migrating from 5.0.x to 5.2.x.
2021-06-06 17:35:17 +02:00
Bram Matthys 3335eb3305 Fix a doc URL and a (now) confusing syntax example
[skip ci]
2021-06-06 17:09:31 +02:00
Bram Matthys 46550cf180 Update example conf with new anti-flood block.
Replace it with a reference to the documentation instead of trying
to include some or all of the defaults since 1) the block is huge
nowadays with all the settings, and 2) this way we can tweak the
defaults over time in newer versions rather than having people
change their configuration file.
2021-06-06 09:01:31 +02:00
Bram Matthys 3188b7be2d Small code cleanup for two efuncs, so the names match. 2021-06-06 08:33:20 +02:00
Bram Matthys 20c20b3053 Try to explain to people that symmetric encryption works with keys (:D) 2021-06-05 19:20:11 +02:00
Bram Matthys 173af8c88c ** UnrealIRCd 5.2.0-rc1 ** 2021-06-04 11:13:02 +02:00
Bram Matthys 020421a01c Mention websocket type negotiation (Sec-WebSocket-Protocol) in release notes.
[skip ci]
2021-06-04 10:39:18 +02:00
Bram Matthys f6c2b93c72 Show how many sockets/clients the server can handle in 'STATS S'.
Suggested by westor in https://bugs.unrealircd.org/view.php?id=5838

This also fixes a bug where output from modules for 'STATS S' was
shown twice (eg: modef-default-unsettime shown twice).
2021-06-04 10:09:28 +02:00
Bram Matthys 67deb7ec8c UnrealIRCd script: restart is now identical to stop+start (:D) 2021-06-04 09:16:44 +02:00
Bram Matthys 25db0c73e4 Compiler too dumb to detect this properly... 2021-06-04 09:11:15 +02:00
Bram Matthys 6771c98d76 Move check for secret block to beginning of unrealdb_open() so we don't
end up with a 0 byte file due to an easy-to-avoid error later on.
2021-06-04 09:09:06 +02:00
Bram Matthys 148ea98307 Load chathistory module by default 2021-06-04 08:46:09 +02:00
Bram Matthys a7f2406557 Add security-group "webirc" by default. This matches users who
connect through approved webirc gateways, the ones in
https://www.unrealircd.org/docs/WebIRC_block
2021-06-02 19:32:10 +02:00
Bram Matthys e126d924a5 Somehow DEBUGMODE was turned on by last commit, now off again by default. 2021-06-02 19:31:05 +02:00
Bram Matthys 40bc3ef8cc Bump version to 5.2.0-git. This is still work in progress.
Note that we are on the 'unreal52' branch now and have left 'unreal50'
2021-06-02 15:27:14 +02:00
91 changed files with 2858 additions and 915 deletions
+5
@@ -0,0 +1,5 @@
Help out and make UnrealIRCd a better product!
You can do so by reporting issues, testing, programming, documenting,
translating, helping others, and more.
See https://www.unrealircd.org/docs/Contributing
+17 -7
@@ -18,12 +18,6 @@
# some bits edited by baafie on March 17 2004, every change marked.
echo "This is UnrealIRCd from git branch 'unreal50'"
echo "You are looking at an incomplete release that cannot be used."
echo ""
echo "Please use branch 'unreal52' instead (or later)"
echo ""
exit 1
RUN_CONFIGURE () {
ARG=" "
@@ -293,6 +287,22 @@ else
n="-n"
fi
date|egrep '2021|2022' 1>/dev/null 2>&1
if [ "$?" -ne 0 ]; then
echo "*** WARNING ***"
echo "UnrealIRCd 5.x will no longer be supported after June 1, 2023."
echo "You should upgrade to a newer UnrealIRCd version before that date."
echo "See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL"
echo $n . $c
sleep 1
echo $n . $c
sleep 1
echo $n . $c
echo ""
sleep 1
echo "Press ENTER to continue"
read xyz
fi
#parse arguments
IMPORTEDSETTINGS=""
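Review bot: The added warning block prints "UnrealIRCd 5.x will no longer be supported after June 1, 2023", which disagrees with the Security Policy hunk in this same diff ("until 2023-07-01") and with commit 191ecc0e11 ("I promised July and not June"); the echo line should carry the same date as the policy. Two smaller points on the same block: `date|egrep '2021|2022'` searches the whole date string rather than the year field, so comparing the output of `date +%Y` would be more exact, and the unconditional `read xyz` will block an unattended run of this script once the warning starts to show.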
@@ -353,7 +363,7 @@ echo "We will now ask you a number of questions. You can just press ENTER to acc
echo ""
# This needs to be updated each release so auto-upgrading works for settings, modules, etc!!:
UNREALRELEASES="unrealircd-5.0.9 unrealircd-5.0.9-rc1 unrealircd-5.0.8 unrealircd-5.0.8-rc1 unrealircd-5.0.7 unrealircd-5.0.7-rc1 unrealircd-5.0.6 unrealircd-5.0.5.1 unrealircd-5.0.5 unrealircd-5.0.4 unrealircd-5.0.3.1 unrealircd-5.0.3 unrealircd-5.0.2 unrealircd-5.0.1 unrealircd-5.0.0"
UNREALRELEASES="unrealircd-5.2.3 unrealircd-5.2.2 unrealircd-5.2.1.1 unrealircd-5.2.1 unrealircd-5.2.1-rc1 unrealircd-5.2.0.2 unrealircd-5.2.0.1 unrealircd-5.2.0 unrealircd-5.2.0-rc1 unrealircd-5.0.9.1 unrealircd-5.0.9 unrealircd-5.0.9-rc1 unrealircd-5.0.8 unrealircd-5.0.8-rc1 unrealircd-5.0.7 unrealircd-5.0.7-rc1 unrealircd-5.0.6 unrealircd-5.0.5.1 unrealircd-5.0.5 unrealircd-5.0.4 unrealircd-5.0.3.1 unrealircd-5.0.3 unrealircd-5.0.2 unrealircd-5.0.1 unrealircd-5.0.0"
if [ -f "config.settings" ]; then
. ./config.settings
else
+1 -1
@@ -266,7 +266,7 @@ pem: extras/tls.cnf
-config extras/tls.cnf -sha256 -out server.req.pem \
-key server.key.pem -nodes
@echo "Generating self-signed certificate..."
$(OPENSSLPATH) req -x509 -days 3650 -sha256 -in server.req.pem \
$(OPENSSLPATH) req -x509 -days 3650 -sha256 -nodes -in server.req.pem \
-key server.key.pem -out server.cert.pem
@echo "Setting permissions on server.*.pem files..."
chmod o-rwx server.req.pem server.key.pem server.cert.pem
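Review bot: The `chmod o-rwx` at the end of this target removes access for "other" only, so the group bits on server.key.pem are left to the umask while both `req` calls now pass `-nodes` and the key sits on disk without a passphrase; use `chmod go-rwx` (at least for server.key.pem) so file permissions actually protect it. Please also add a comment on why `-nodes` is needed in the `-x509` step, since that command reads an existing key via `-key server.key.pem` and writes only server.cert.pem.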
+2 -1
@@ -1,7 +1,8 @@
# Security Policy
## Supported Versions
* The latest *stable* release of the 5.x branch
* The latest *stable* release of the 5.x branch (until 2023-07-01)
* The latest *stable* release of the 6.x branch
See [UnrealIRCd releases](https://www.unrealircd.org/docs/UnrealIRCd_releases) for information on older versions and End Of Life dates.
Vendored
+17 -13
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unrealircd 5.0.10-git.
# Generated by GNU Autoconf 2.69 for unrealircd 5.2.4.
#
# Report bugs to <https://bugs.unrealircd.org/>.
#
@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unrealircd'
PACKAGE_TARNAME='unrealircd'
PACKAGE_VERSION='5.0.10-git'
PACKAGE_STRING='unrealircd 5.0.10-git'
PACKAGE_VERSION='5.2.4'
PACKAGE_STRING='unrealircd 5.2.4'
PACKAGE_BUGREPORT='https://bugs.unrealircd.org/'
PACKAGE_URL='https://unrealircd.org/'
@@ -1330,7 +1330,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unrealircd 5.0.10-git to adapt to many kinds of systems.
\`configure' configures unrealircd 5.2.4 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1396,7 +1396,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unrealircd 5.0.10-git:";;
short | recursive ) echo "Configuration of unrealircd 5.2.4:";;
esac
cat <<\_ACEOF
@@ -1554,7 +1554,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unrealircd configure 5.0.10-git
unrealircd configure 5.2.4
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1923,7 +1923,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unrealircd $as_me 5.0.10-git, which was
It was created by unrealircd $as_me 5.2.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2323,7 +2323,7 @@ _ACEOF
# Major version number (e.g.: Y in X.Y.Z)
UNREAL_VERSION_MAJOR="0"
UNREAL_VERSION_MAJOR="2"
cat >>confdefs.h <<_ACEOF
#define UNREAL_VERSION_MAJOR $UNREAL_VERSION_MAJOR
@@ -2331,7 +2331,7 @@ _ACEOF
# Minor version number (e.g.: Z in X.Y.Z)
UNREAL_VERSION_MINOR="10"
UNREAL_VERSION_MINOR="4"
cat >>confdefs.h <<_ACEOF
#define UNREAL_VERSION_MINOR $UNREAL_VERSION_MINOR
@@ -2341,7 +2341,7 @@ _ACEOF
# The version suffix such as a beta marker or release candidate
# marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
# string instead of an integer because it contains arbitrary data.
UNREAL_VERSION_SUFFIX="-git"
UNREAL_VERSION_SUFFIX=""
cat >>confdefs.h <<_ACEOF
#define UNREAL_VERSION_SUFFIX "$UNREAL_VERSION_SUFFIX"
@@ -5887,6 +5887,10 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
ac_compiler_gnu=$ac_cv_c_compiler_gnu
if $CC --version | grep -q "clang version 3."; then :
CFLAGS="$CFLAGS -Wno-tautological-compare"
fi
@@ -7655,7 +7659,7 @@ fi
if test "$has_system_cares" = "no"; then :
cares_version="1.17.1"
cares_version="1.17.2"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: extracting c-ares resolver library" >&5
$as_echo "extracting c-ares resolver library" >&6; }
cur_dir=`pwd`
@@ -8866,7 +8870,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unrealircd $as_me 5.0.10-git, which was
This file was extended by unrealircd $as_me 5.2.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -8929,7 +8933,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unrealircd config.status 5.0.10-git
unrealircd config.status 5.2.4
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
+8 -5
@@ -7,7 +7,7 @@ dnl src/windows/unrealinst.iss
dnl doc/Config.header
dnl src/version.c.SH
AC_INIT([unrealircd], [5.0.10-git], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/])
AC_INIT([unrealircd], [5.2.4], [https://bugs.unrealircd.org/], [], [https://unrealircd.org/])
AC_CONFIG_SRCDIR([src/ircd.c])
AC_CONFIG_HEADER([include/setup.h])
AC_CONFIG_AUX_DIR([autoconf])
@@ -30,17 +30,17 @@ UNREAL_VERSION_GENERATION=["5"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_GENERATION], [$UNREAL_VERSION_GENERATION], [Generation version number (e.g.: X for X.Y.Z)])
# Major version number (e.g.: Y in X.Y.Z)
UNREAL_VERSION_MAJOR=["0"]
UNREAL_VERSION_MAJOR=["2"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MAJOR], [$UNREAL_VERSION_MAJOR], [Major version number (e.g.: Y for X.Y.Z)])
# Minor version number (e.g.: Z in X.Y.Z)
UNREAL_VERSION_MINOR=["10"]
UNREAL_VERSION_MINOR=["4"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor version number (e.g.: Z for X.Y.Z)])
# The version suffix such as a beta marker or release candidate
# marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
# string instead of an integer because it contains arbitrary data.
UNREAL_VERSION_SUFFIX=["-git"]
UNREAL_VERSION_SUFFIX=[""]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)])
AC_PATH_PROG(RM,rm)
@@ -254,6 +254,9 @@ check_cc_flag([-Waddress], [CFLAGS="$CFLAGS -Wno-address"])
dnl This one breaks our TO_INTFUNC() that is used in m_tkl for tkl_typetochar
check_cc_flag([-Wcast-function-type], [CFLAGS="$CFLAGS -Wno-cast-function-type"])
AS_IF([$CC --version | grep -q "clang version 3."],
[CFLAGS="$CFLAGS -Wno-tautological-compare"])
dnl End of -W... compiler checks.
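Review bot: In the added `grep -q "clang version 3."` test the dot is an unescaped regex metacharacter, so the pattern matches "clang version 3" followed by any character, not only 3.x releases; use `grep -qF "clang version 3."` or escape the dot. A short `dnl` comment saying why `-Wno-tautological-compare` is limited to clang 3.x would also help, as the `-Wno-cast-function-type` line just above has one.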
@@ -697,7 +700,7 @@ AS_IF([test "$has_system_cares" = "no"], [
dnl REMEMBER TO CHANGE WITH A NEW C-ARES RELEASE!
dnl NOTE: when changing this here, ALSO change it in extras/curlinstall
dnl and in the comment in this file around line 400!
cares_version="1.17.1"
cares_version="1.17.2"
AC_MSG_RESULT(extracting c-ares resolver library)
cur_dir=`pwd`
cd extras
+2 -2
@@ -7,7 +7,7 @@
\___/|_| |_|_| \___|\__,_|_|\___/\_| \_| \____/\__,_|
Configuration Program
for UnrealIRCd 5.0.10-git
for UnrealIRCd 5.2.4
This program will help you to compile your IRC server, and ask you
questions regarding the compile-time settings of it during the process.
@@ -22,7 +22,7 @@ https://www.unrealircd.org/docs/UnrealIRCd_5_documentation
The full release notes are available in doc/RELEASE-NOTES.md
For easier viewing, check out the latest online release notes at:
https://github.com/unrealircd/unrealircd/blob/unreal50/doc/RELEASE-NOTES.md
https://github.com/unrealircd/unrealircd/blob/unreal52/doc/RELEASE-NOTES.md
UnrealIRCd 5 is compatible with the following services:
* anope with the "unreal4" protocol module - version 2.0.7 or higher required!
+231 -29
@@ -1,30 +1,216 @@
UnrealIRCd 5.X.Y-git Release Notes
===============================
UnrealIRCd 5.2.4
=================
This is the current development version (git) of UnrealIRCd.
This release fixes a crash bug that can be triggered by ordinary users.
This UnrealIRCd release focusses on channel history. A way to store channel
history encrypted on disk has been added (to preserve between server restarts)
and the IRCv3 CHATHISTORY command has been implemented to allow fetching
thousands of lines of channel history.
Fixes:
* Fix crash that can be triggered by regular users if you have any `deny dcc`
blocks in the config or any spamfilters with the `d` (DCC) target.
NOTE: You don't *have* to upgrade to 5.2.4 to fix this, you can also
hot-patch this issue without restart, see the news announcement.
It also contains a breaking change, meaning (almost) everyone will need
to change a few things in their configuration file.
Also important:
* [UnrealIRCd 6](https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_6) is the new "stable"
* UnrealIRCd 5.2.x ("oldstable")
[end of support dates](https://www.unrealircd.org/docs/UnrealIRCd_5_EOL):
* Bug fixes until July 1, 2022 (no more feature enhancements)
* Security fixes until July 1, 2023
Breaking change:
UnrealIRCd 5.2.3
-----------------
This release contains a couple of small changes.
Enhancements:
* Spanish example conf was added (`conf/help/example.es.conf`)
Fixes:
* [set::anti-flood::connect-flood](https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood)
was only expiring entries every 2 minutes. Only after a `REHASH`
the configuration file setting was used.
* Memory leak in websocket module
* Send `WALLOPS` back to the sender too
Changes:
* Update `HELPOP` docs
* Add information on EOL date
* Add `CONTRIBUTING.md` file with a reference to docs on
[how people can help out](https://www.unrealircd.org/docs/Contributing).
UnrealIRCd 5.2.2
-----------------
Previous release 5.2.1.1 turned out to be good and stable. This 5.2.2 release
only contains some minor changes.
If you are still using UnrealIRCd 5.0.x then we recommend you to upgrade
to 5.2.2 in the next few weeks/months. Just as a reminder: 5.2.x is the
direct successor to 5.0.9, there is
[no support for 5.0.x](https://www.unrealircd.org/docs/FAQ#about-52x).
Fixes:
* Fix issues with Let's Encrypt certificates for
[remote includes](https://www.unrealircd.org/docs/Remote_includes) (quite
common) and with linking to servers with link::verify-certificate enabled
(more rare). Both issues only happen with:
* OpenSSL 1.0.2 and older, which is officially unsupported, but still in
use on e.g. Debian 8 and Ubuntu 16.04.
* LibreSSL, such as with UnrealIRCd on Windows
* OpenBSD compile issue when using shipped c-ares
Enhancements:
* [set::allowed-nickchars](https://www.unrealircd.org/docs/Nick_Character_Sets):
added ```arabic-utf8```
* [set::server-linking](https://www.unrealircd.org/docs/Set_block#set::server-linking):
add another autoconnect-strategy called ```sequential-fallback```.
Changes:
* Shipped libs: updated c-ares to 1.17.2
* Windows build: updated LibreSSL to 3.3.5
Module coders / IRC protocol:
* S2S: Allow ```SVSLOGIN``` also when
[set::sasl-server](https://www.unrealircd.org/docs/Set_block#set::sasl-server)
is not set.
* Some minor ```CHATHISTORY``` fixes, for example the subcommand is now
case-insensitive.
* You can use the new ```UNREAL_VERSION``` macro. It is easier than the
old individual UNREAL_VERSION_MAJOR/MINOR/etc macros.
UnrealIRCd 5.2.1.1
-------------------
UnrealIRCd 5.2.1.1 fixes an issue with SASL services autodetection and mechlist in
5.2.1.
UnrealIRCd 5.2.1
-----------------
This is UnrealIRCd 5.2.1. Even though only a month has passed since 5.2.0,
this release comes with several new features and some major bug fixes.
Please report any issues to https://bugs.unrealircd.org/.
Enhancements:
* The [allow block](https://www.unrealircd.org/docs/Allow_block)
now uses allow::mask instead of allow::ip and allow::hostname.
Users upgrading will receive a warning but the server will continue to boot.
* New documentation for [mask items](https://www.unrealircd.org/docs/Mask_item)
in the configuration file to show how it works with 1 or more mask
items in a block. Also support for negative matching has been
improved and we now support
[extended server ban syntax](https://www.unrealircd.org/docs/Extended_server_bans).
* Combining the new options from above you can do things like:
* ```allow { mask ~a:TrustedUser; class flooders; maxperip 100; }```
If TrustedUser authenticates to services using
[SASL](https://www.unrealircd.org/docs/SASL) then he gets in the
special class "flooders" with a maxperip of 100.
* ```allow { mask { ~S:112233etc; ~S:anotherone; }; class clients; maxperip 10; }```
Users matching one of these
[certificate fingerprints](https://www.unrealircd.org/docs/Extended_server_bans)
get a high maximum per ip of 10.
* New block [set::server-linking](https://www.unrealircd.org/docs/Set_block#set::server-linking)
* For link blocks with autoconnect we now default to the strategy
'sequential', meaning we will try the 1st link block first,
then the 2nd, then the 3rd, then the 1st again, etc.
* We now have different and lower timeouts for the connect and
the handshake. So we give up a bit more early on servers that
are currently down or extremely lagged.
* New [security-group block](https://www.unrealircd.org/docs/Security-group_block)
item called *include-mask*. This can be used to put clients matching
a [mask](https://www.unrealircd.org/docs/Mask_item) into a security group.
* New option *lag-penalty* and *lag-penalty-bytes* in the
[set::anti-flood block](https://www.unrealircd.org/docs/Anti-flood_settings).
* *known-users* can now executes commands at a slightly faster rate than
*unknown-users*.
* It can further be used to allow really trusted users/bots to execute
commands at even higher rates, such as 20 commands per second,
without making them IRCOp. This explained in
[FAQ: How to allow users to send more commands per second](https://www.unrealircd.org/docs/FAQ#high-command-rate).
* The [REHASH](https://www.unrealircd.org/docs/Rehashing_the_IRCd) command
is now sufficient to reload SSL/TLS certificates. You no longer need to
use ```REHASH -tls```. The same is true for ```./unrealircd rehash```
which now also does the extra steps in ```./unrealircd reloadtls```.
The commands will stay, though, in case you only want to reload the
TLS certificates and not rehash the entire configuration file.
* Support for OpenSSL 3.0.0
* Show microseconds in ```TSCTL ALLTIME```
* The git version id is now shown in the ```INFO``` command on *NIX (ReleaseId).
* [Extban](https://www.unrealircd.org/docs/Extended_bans) ```~a:*``` now matches
all authenticated users and ```~a:0``` matches all unauthenticated users.
* Allow multiple masks in the [deny link { } block](https://www.unrealircd.org/docs/Deny_link_block)
Fixes:
* When using persistent channel history: if you had ANY rehash error (often
completely unrelated to channel history) and you then rehashed again
UnrealIRCd would crash.
* When server syncing larger channels we could accidentally skip over or
forget to send a few users. These users would then not be shown on the
other side of the link but are actually in the channel (ghosts)
* When using autoconnect on (very) big networks, the network no longer breaks down
(with the new default strategy 'sequential')
* The default ban exemption on ```127.*``` was too broad. It also matched
hostnames that started with it, allowing such users to bypass
gline/kline/shun (but not zline/gzline).
* Channel mode ```+d``` (so after ```-D```) never took QUITs into account
properly. This should now fix things, so the channel goes ```-d```
immediately once it is no longer needed.
* Windows log file maximum size exceeded did not start a new log file
* Give a better error message when trying to use an unconfirmed account
with [authprompt](https://www.unrealircd.org/docs/Set_block#set::authentication-prompt).
Module coders / IRC protocol:
* We now assume all services set the SVID field. If your services only sets
umode ```+r``` and does not use ```SVSLOGIN``` or ```SVSMODE nick +d SVID```
then users will not be recognized as authenticated anymore.
* In the ```UID``` command we now validate the UID (parameter 6) to start with
the SID and contains digits and uppercase only.
* Servers can no longer change moddata of remote clients.
That is, it is disabled by default, but modules can still allow it for
certain moddata via mreq.remote_write=1.
You can use ```#if UNREAL_VERSION_TIME >= 202125``` to detect
if this new .remote_write option is available.
* Removed ```HCN``` from 005, since nobody uses this anyway.
UnrealIRCd 5.2.0
-----------------
The two main new features in 5.2.0 are: an improved and more flexible
anti-flood block and channel history which can now be stored encrypted
on disk and allows clients to fetch hundreds/thousands of lines.
Upgrading and the 5.0.x series
-------------------------------
UnrealIRCd 5.2.0 is the direct successor to 5.0.9/5.0.9.1.
There will be [no further 5.0.x releases](https://www.unrealircd.org/docs/FAQ#about-52x),
in particular there will be no 5.0.10.
Only four bugs that affect a limited number of people/networks were fixed.
UnrealIRCd 5.2.0 is mostly a feature release.
Admins wishing to take a conservative approach don't need to rush an
upgrade from 5.0.x to 5.2.0, they can wait for a 5.2.1 or 5.2.2 release.
If you are upgrading from 5.0.9(.1) to 5.2.0 then feel free to try the new
```./unrealircd upgrade``` command.
The only configuration change is in the set::anti-flood block (as explained
further down under *Enhancements*). When starting UnrealIRCd will give you
clear instructions if anything needs to be changed (and what).
This process is really minor, the server will usually tell you to just
delete a few old lines from the configuration file.
Enhancements
-------------
* The set::anti-flood block has been redone so you can have different limits
for ''unknown-users'' and ''known-users''.
* As a reminder, by default, "known-users" are users who are identified
for *unknown-users* and *known-users*.
* As a reminder, by default, *known-users* are users who are identified
to services OR are on an IP that has been connected for over 2 hours
in the past X days. The exact definition of "known-users" is in the
[security-group block](https://www.unrealircd.org/docs/Security-group_block).
* See [here](https://www.unrealircd.org/docs/FAQ#new-anti-flood-block)
* See [here](https://www.unrealircd.org/docs/Anti-flood_settings)
for more information on the layout of the new set::anti-flood block.
* All violatons of target-flood, nick-flood, join-flood, away-flood,
* All violations of target-flood, nick-flood, join-flood, away-flood,
invite-flood, knock-flood, max-concurrent-conversations are now
reported to opers with the snomask ```f``` (flood).
Enhancements:
* Add support for database encryption. The way this works
is that you define an encryption password in a
[secret { } block](https://www.unrealircd.org/docs/Secret_block).
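Review bot: The 5.2.4 entry says the `deny dcc` / spamfilter `d` crash can be hot-patched "without restart, see the news announcement" but gives no link, unlike the UnrealIRCd 6 and EOL items directly below it; add the announcement URL so the mitigation is reachable from the release notes. Two wording slips in the 5.2.1 section are worth fixing in the same pass: "can now executes commands" and "This explained in".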
@@ -47,9 +233,8 @@ Enhancements:
names are visible in the filenames for optimal privacy.
* See [Persistent channel history](https://www.unrealircd.org/docs/Set_block#Persistent_channel_history)
on how to enable this. By default it is off.
* Add optional support for IRCv3
* Add support for IRCv3
[draft/chathistory](https://ircv3.net/specs/extensions/chathistory).
This module can be loaded via ```loadmodule "chathistory";```
* The maximums for channel mode ```+H``` have been raised and are now
different for ```+r``` (registered) and ```-r``` channels. For unregistered
channels the limit is now 200 lines / 31 days. For registered channels
@@ -62,24 +247,39 @@ Enhancements:
[reputation score](https://www.unrealircd.org/docs/Reputation_score).
If you are an IRCOp then you can use e.g. ```WHO * %cuhsnfmdaRr```.
* Add ability to [spamfilter](https://www.unrealircd.org/docs/Spamfilter)
message tags via the new 'T' target. Right now it would be unusual
message tags via the new ```T``` target. Right now it would be unusual
to use this, but some day when we have more
[message tags](https://www.unrealircd.org/docs/Message_tags) it
may come in handy.
* Support [+draft/reply](https://ircv3.net/specs/client-tags/reply) IRCv3
* Support [```+draft/reply```](https://ircv3.net/specs/client-tags/reply) IRCv3
client tag. Can be used by bots (and others) to indicate to what message
people are replying to. This module, reply-tag, is loaded by default.
* Send [draft/bot](https://ircv3.net/specs/extensions/bot-mode) IRCv3
* Send [```draft/bot```](https://ircv3.net/specs/extensions/bot-mode) IRCv3
message tag if the user has mode ```+B``` set.
* [Websockets](https://www.unrealircd.org/docs/WebSocket_support):
add support for clients to negotiate an explicit type via
```Sec-WebSocket-Protocol```, instead of only the default type from
[listen::websocket::type](https://www.unrealircd.org/docs/WebSocket_support#2._Enable_websocket_on_the_port).
This is based on an IRCv3 websocket draft specification.
Note that UnrealIRCd refuses type text if your configuration allows
non-UTF8 characters in channel or nick names because it would lead
to security and compatibility issues.
* [set::restrict-commands](https://www.unrealircd.org/docs/Set_block#set::restrict-commands):
new option *exempt-tls* which allows SSL/TLS users to bypass a restriction.
Fixes:
Fixes
------
* Server squiting the wrong side. Often harmless, but when (re)connecting
rapidly to multiple servers with autoconnect this could cause the
network to fall apart.
* Forbid using [extended server bans](https://www.unrealircd.org/docs/Extended_server_bans)
in ZLINE/GZLINE since they won't work.
in ZLINE/GZLINE since they won't work there.
* Extended server ban ```~a:accname``` was not working for shun, and only
partially working for kline/gline.
* More accurate /ELINE error message.
Changed:
Changed
--------
* Channel mode ```+H``` always showed time in minutes (```m```) until now.
From now on it will show it in minutes (```m```), hours (```h```) or
days (```d```) depending on the actual value. Eg ```+H 50:7d```.
@@ -90,10 +290,12 @@ Changed:
then we already automatically logged errors to ```ircd.log```.
From now on we will log everything (not only errors) to that file.
Removed:
Removed
--------
* Version check for curl and openssl as nowadays they have ABI guarantees.
Module coders / Developers:
Module coders / Developers
---------------------------
* New UnrealDB API and disk format, see
https://www.unrealircd.org/docs/Dev:UnrealDB
* We now use libsodium for file encryption routines as well
@@ -109,12 +311,12 @@ Module coders / Developers:
This can be used for modules to indicate they wish to be unloaded
before or after others. It is used by for example the channel
and history modules so they can save their databases before
chanmode modules or other modules get unloaded.
channel mode modules or other modules get unloaded.
* New CAP [```draft/chathistory```](https://ircv3.net/specs/extensions/chathistory).
If a client REQ's this CAP then UnrealIRCd won't send history on-join as
it assumes the client will fetch it when they feel the need for it.
* New informative CAP:
[unrealircd.org/history-backend](https://www.unrealircd.org/history-backend)
[```unrealircd.org/history-backend```](https://www.unrealircd.org/history-backend)
Reminder: UnrealIRCd 4 is no longer supported
----------------------------------------------
@@ -167,7 +369,7 @@ Fixes:
missing.
Changes:
* Add doc/KEYS which contains the public key(s) used to sign UnrealIRCd releases
* Add ```doc/KEYS``` which contains the public key(s) used to sign UnrealIRCd releases
* The options set::anti-flood::unknown-flood-* have been renamed and
integrated in a new block called
[set::anti-flood::handshake-data-flood](https://www.unrealircd.org/docs/Set_block#set::anti-flood::handshake-data-flood).
+6 -6
@@ -116,7 +116,7 @@ class servers
/* Allow everyone in, but only 3 connections per IP */
allow {
ip *@*;
mask *;
class clients;
maxperip 3;
}
@@ -126,7 +126,7 @@ allow {
* is correct then it permits 20 connections on that IP.
*/
allow {
ip *@192.0.2.1;
mask 192.0.2.1;
class clients;
password "somesecretpasswd";
maxperip 20;
@@ -474,11 +474,11 @@ set {
/* static-part does the same for /PART */
/* static-part yes; */
/* Flood protection */
/* Flood protection:
* There are lots of settings for this and most have good defaults.
* See https://www.unrealircd.org/docs/Set_block#set::anti-flood
*/
anti-flood {
nick-flood 3:60; /* 3 nick changes per 60 seconds (the default) */
connect-flood 3:60; /* 3 connection attempts per 60 seconds (the default) */
away-flood 4:120; /* 4 times per 2 minutes you may use /AWAY (default) */
}
/* Settings for spam filter */
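Review bot: The new comment above `anti-flood {` points readers to docs/Set_block#set::anti-flood, while the release notes in this same diff link the reworked block to docs/Anti-flood_settings; point the example config at the same page so users land on the current layout. Since the three sample limits are removed here, a one-line hint in the comment that the block may stay empty to take the defaults would avoid confusion.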
+610
@@ -0,0 +1,610 @@
/* Archivo de configuración para UnrealIRCd 5
*
* Simplemente copie este archivo a su directorio conf /, llámelo
* 'unrealircd.conf' y recorrerlo línea por línea (¡edítalo!)
*
* Importante: Todas las líneas, excepto { y } terminan con un;
* Esto es muy importante, si pierde un; en algún lugar entonces el
* el analizador de archivos de configuración se quejará y el archivo no
* ¡será procesado correctamente!
* Si esta es su primera experiencia con una configuración de UnrealIRCd
* entonces realmente le recomendamos que lea un poco sobre la sintaxis,
* esto solo toma unos minutos y te ayudará mucho:
* https://www.unrealircd.org/docs/Configuration#Configuration_file_syntax
*
* Documentación de UnrealIRCd 5 (¡muy extensa!):
* https://www.unrealircd.org/docs/Main_Page/es
*
* Preguntas frecuentes:
* https://www.unrealircd.org/docs/FAQ
*
*/
/* Esto es un comentario, todo el texto aquí se ignora (tipo de comentario #1) */
// Esto también es un comentario, esta línea se ignora (tipo de comentario #2)
#Esto también es un comentario, nuevamente esta línea se ignora (tipo de comentario # 3)
/* UnrealIRCd hace un uso intensivo de módulos. Los módulos le permiten
* personalizar el conjunto de funciones que desea habilitar en UnrealIRCd.
* Vea más: https://www.unrealircd.org/docs/Modules
*
* Al usar la inclusión a continuación, le indicamos al IRCd que lea el archivo
* 'modules.default.conf' este cargará más de 150 módulos
* cargados con UnrealIRCd. En otras palabras: esto simplemente cargará
* todas las funciones disponibles en UnrealIRCd.
* Si está configurando UnrealIRCd por primera vez, le sugerimos
* utilizar este. Entonces, cuando todo esté en funcionamiento, puedes venir
* volver más tarde para personalizar la lista (si así lo desea).
*/
include "modules.default.conf";
/* Ahora incluyamos algunos otros archivos:
* - help / help.conf para nuestro sistema on-IRC /HELPOP
* - badwords.conf para canal y modo de usuario +G
* - spamfilter.conf como ejemplo de uso de filtro de texto.
* (comentado)
* - operclass.default.conf contiene algunas buenas operclasses que
* puedes usarlo en tus bloques operativos.
*/
include "help/help.conf";
include "badwords.conf";
//include "spamfilter.conf";
include "operclass.default.conf";
/* Este es el bloque me {} que básicamente dice quiénes somos.
* Define el nombre de nuestro servidor, alguna línea de información y un "sid" único.
* La identificación del servidor (sid) debe comenzar con un dígito seguido de dos dígitos o
* letras. El sid debe ser único para su red IRC (cada servidor debe
* tiene su propio sid).
*/
me {
name "irc.ejemplo.org";
info "Servidor EjemploNET";
sid "001";
}
/* El bloque admin {} define lo que los usuarios verán si escriben /ADMIN.
* Normalmente contiene información sobre cómo contactar al administrador.
*/
admin {
"Bob Smith";
"bob";
"correo-electrónico@ejemplo.org";
}
/* Los clientes y servidores se colocan en bloques de clase {}, los definimos aquí.
* Los bloques de clase constan de los siguientes elementos:
* - pingfreq: con qué frecuencia hacer ping a un usuario /servidor (en segundos)
* - connfreq: con qué frecuencia intentamos conectarnos a este servidor (en segundos)
* - sendq: el tamaño máximo de cola para una conexión
* - recvq: cola de recepción máxima de una conexión (control de inundaciones)
*/
/* Clase de cliente con buenos valores predeterminados */
class clients
{
pingfreq 90;
maxclients 1000;
sendq 200k;
recvq 8000;
}
/* Clase especial para IRCOps con límites superiores */
class opers
{
pingfreq 90;
maxclients 50;
sendq 1M;
recvq 8000;
}
/* Clase de servidor con buenos valores predeterminados */
class servers
{
pingfreq 60;
connfreq 15; /* intenta conectarte cada 15 segundos */
maxclients 10; /* máximo de servidores */
sendq 20M;
}
/* Bloques de permitir definen qué clientes pueden conectarse a este servidor.
* Esto le permite agregar una contraseña de servidor o restringir el servidor a
* IP específicas únicamente. También configuras las conexiones máximas
* permitido por IP aquí.
* Ver también: https://www.unrealircd.org/docs/Allow_block
*/
/* Permitir que todos entren, pero solo 3 conexiones por IP */
allow {
mask *;
class clients;
maxperip 3;
}
/* Ejemplo de un bloque de permiso especial en una IP específica:
* Requiere que los usuarios de esa IP se conecten con una contraseña. Si la contraseña
* es correcto, entonces permite 20 conexiones en esa IP.
*/
allow {
mask 192.0.2.1;
class clients;
password "algunacontraseña";
maxperip 20;
}
/* Los bloques de operaciones definen sus operadores de IRC.
* Los operadores de IRC son personas que tienen "derechos adicionales" en comparación con otros,
* por ejemplo, pueden /KILL a otras personas, iniciar la vinculación del servidor,
* /JOIN a canales aunque estén prohibidos, etc.
*
* Para obtener más información sobre cómo convertirse en un IRCOp y cómo administrar
* tareas, consulte: https://www.unrealircd.org/docs/IRCOp_guide
*
* Para obtener detalles sobre el bloque oper {} en sí, consulte
* https://www.unrealircd.org/docs/Oper_block
*/
/* Aquí hay un ejemplo de bloque de operador para 'bobsmith' con contraseña 'test'.
* ¡¡DEBES cambiar esto !!
*/
oper bobsmith {
class opers;
mask *@*;
password "test";
/* Los permisos de operador se definen en un bloque 'operclass'.
* Ver https://www.unrealircd.org/docs/Operclass_block
* UnrealIRCd viene con una serie de bloques predeterminados, consulte
* el artículo para una lista completa. Elegimos 'netadmin' aquí.
*/
operclass netadmin;
swhois "es un Administrador de Red";
vhost netadmin.ejemplo.org;
}
/* Los bloques de escucha definen los puertos donde el servidor debe escuchar.
* En otras palabras: los puertos que los clientes y servidores pueden usar para
* conectarse a este servidor.
*
* Sintaxis:
* listen {
* {
* ip <ip>;
* port <puerto>;
* options {
* <opciones....>;
* }
* }
*/
/* Puerto estándar para IRC 6667 */
listen {
ip *;
port 6667;
}
/* Puerto estándar para IRC SSL/TLS 6697 */
listen {
ip *;
port 6697;
options { tls; }
}
/* Puerto especial SSL/TLS servers-only/(Solo servidores) para enlaces */
listen {
ip *;
port 6900;
options { tls; serversonly; }
}
/* NOTA: Si está en una shell IRCd con varias IP y usa
* los bloques listen {} anteriores, es probable que obtenga un
* Error "address is already in use" y el ircd no se inicia.
* Esto significa que DEBE vincularse a una IP específica en lugar de '*' como:
* escuchar { ip 1.2.3.4; puerto 6667; }
* Por supuesto, reemplace la IP con la IP que se le asignó.
*/
/*
* Los bloques de enlaces le permiten enlazar varios servidores para formar una red.
* Ver https://www.unrealircd.org/docs/Tutorial:_Linking_servers
*/
link hub.ejemplo.org
{
incoming {
mask *@algo;
}
outgoing {
bind-ip *; /* o explícitamente una IP */
hostname hub.ejemplo.org;
port 6900;
options { tls; }
}
/* Usamos la huella digital SPKI del otro servidor para la autenticación.
* Ejecute './unrealircd spkifp' en el otro lado para obtenerlo.
*/
password "AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUV=" { spkifp; }
class servers;
}
/* El bloqueo de enlaces para servicios suele ser mucho más sencillo.
* Para obtener más información sobre qué son los Servicios,
* ver https://www.unrealircd.org/docs/Services
*/
link servicios.ejemplo.org
{
incoming {
mask 127.0.0.1;
}
password "cambiameporfavor";
class servers;
}
/* Las líneas U dan a otros servidores (incluso) más poder/comandos.
* Si utiliza servicios debe agregarlos aquí.
* ¡¡¡NUNCA ponga aquí el nombre de un servidor UnrealIRCd !!!
*/
ulines {
servicios.ejemplo.org;
}
/* Aquí puede agregar una contraseña para los comandos solo IRCOp /DIE y /RESTART.
* Esto está destinado principalmente a proporcionar una pequeña protección contra accidentes
* se reinicia y el servidor se mata.
*/
drpass {
restart "reiniciar";
die "muere";
}
/* El bloque de registros define qué se debe registrar y en qué archivo.
* Ver también https://www.unrealircd.org/docs/Log_block
*/
/* Este es un buen valor predeterminado, registra todo */
log "ircd.log" {
flags {
oper;
connects;
server-connects;
kills;
errors;
flood;
sadmin-commands;
chg-commands;
oper-override;
tkl;
spamfilter;
}
}
/ * Con "aliases" puedes crear un alias como /ALGO para enviar un mensaje
* algún usuario o bot. Suelen utilizarse para servicios.
*
* Tenemos varios archivos de alias preestablecidos, consulte el directorio alias /.
* Como ejemplo, aquí incluimos todos los alias utilizados para los servicios de anope.
* /
include "aliases/anope.conf";
/* Prohibir los apodos para que no puedan ser utilizados por usuarios habituales. */
ban nick {
mask "*C*h*a*n*S*e*r*v*";
reason "Reservado para Servicios";
}
/* Prohibir ip.
* Tenga en cuenta que normalmente se usa /KLINE, /GLINE y /ZLINE para esto.
*/
ban ip {
mask 195.86.232.81;
reason "Te odio";
}
/* Ban server - if we see this server linked to someone then we delink */
ban server {
mask eris.berkeley.edu;
reason "Sal de aquí.";
}
/* Banear un user - solo como ejemplo, normalmente usa /KLINE or /GLINE para esto */
ban user {
mask *tirc@*.saturn.bbn.com;
reason "Idiota";
}
/* Banear realname te permite prohibir clientes en función de su 'nombre real'
* o campo 'gecos'.
*/
ban realname {
mask "Equipo Swat";
reason "mIRKFORCE";
}
ban realname {
mask "sub7server";
reason "sub7";
}
/* Excepciones de prohibición y TKL. Le permite eximir a los usuarios/máquinas de
* KLINE, GLINE, etc.
* Si es un IRCOp con una IP estática (y no hay personas que no sean de confianza en esa IP)
* entonces le sugerimos que se agregue aquí. De esa manera siempre puedes entrar
* incluso si accidentalmente te aplicas una prohibición de * LINE.
*/
/* Excepciones, te protege de KLINE and ZLINE */
except ban {
mask *@192.0.2.1;
// puede agregar más entradas de máscara aquí..
}
/* excepto prohibir con tipo 'all' te protege de GLINE, GZLINE, QLINE, SHUN */
except ban {
mask *@192.0.2.1;
type all;
}
/* Con deny dcc puedes prohibir nombres de archivo para DCC */
deny dcc {
filename "*sub7*";
reason "Posible Sub7 Virus";
}
/* deny channel te perimte banear un canal entero (mascará) */
deny channel {
channel "*warez*";
reason "Warez es ilegal";
class "clients";
}
/* VHosts (Virtual Hosts) permite a los usuarios adquirir un host diferente.
* Ver https://www.unrealircd.org/docs/Vhost_block
*/
/* Ejemplo de vhost que puede usar. En el tipo de IRC: /VHOST test test
* NOTA: solo las personas con un host 'unrealircd.com' pueden usarlo así
* asegúrese de cambiar vhost :: mask antes de realizar la prueba.
*/
vhost {
vhost odio.microsefrs.com;
mask *@unrealircd.com;
login "testeo";
password "testeo";
}
/* Los bloques de lista negra consultarán un servicio de lista negra de DNS externo
* cada vez que un usuario se conecta, para ver si se conoce la dirección IP
* por causar ataques con drones, es una máquina pirateada conocida, etc.
* Documentación: https://www.unrealircd.org/docs/Blacklist_block
* O simplemente eche un vistazo a los bloques a continuación.
*/
/* DroneBL, probablemente la lista negra más popular utilizada por los servidores IRC.
* Consulte https://dronebl.org/ para obtener su documentación y el
* significado de los tipos de respuesta. En el momento de escribir este artículo utilizamos tipos:
* 3: IRC Drone, 5: Embotellador, 6: Spambot o drone desconocido,
* 7: DDoS Drone, 8: Proxy SOCKS, 9: Proxy HTTP, 10: ProxyChain,
* 11: Proxy de página web, 12: Open DNS Resolver, 13: Atacantes de fuerza bruta,
* 14: Proxy Wingate abierto, 15: Enrutador / puerta de enlace comprometido,
* 16: Gusanos de autorooting.
*/
blacklist dronebl {
dns {
name dnsbl.dronebl.org;
type record;
reply { 3; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; }
}
action gline;
ban-time 24h;
reason "Proxy/Drone detectado. Consulte https://dronebl.org/lookup?ip=$ip para más detalles.";
}
/* EFnetRBL, consulte https://rbl.efnetrbl.org/ para obtener documentación
* y el significado de los tipos de respuesta.
* Al momento de escribir este artículo: 1 es proxy abierto, 4 es TOR, 5 es drones/flooding.
*
* NOTA: Si desea permitir proxies TOR en su servidor, entonces
* necesita eliminar el '4;' a continuación en la sección de respuesta.
*/
blacklist efnetrbl {
dns {
name rbl.efnetrbl.org;
type record;
reply { 1; 4; 5; }
}
action gline;
ban-time 24h;
reason "Proxy/Drone detectado. Consulte https://rbl.efnetrbl.org/?i=$ip para más detalles.";
}
/* Puede incluir otros archivos de configuración */
/* include "klines.conf"; */
/* Configuración de la red */
set {
network-name "EjemploNET";
default-server "irc.ejemplo.org";
services-server "services.ejemplo.org";
stats-server "stats.ejemplo.org";
help-channel "#Ayuda";
hiddenhost-prefix "Clk";
prefix-quit "Quit";
/* Las claves de ocultación deben ser las mismas en todos los servidores de la red.
* Se utilizan para generar hosts enmascarados y deben mantenerse en secreto.
* Las claves deben ser 3 cadenas aleatorias de 50-100 caracteres
* y debe constar de minúsculas (a-z), mayúsculas (A-Z) y dígitos (0-9).
* SUGERENCIA: en * NIX, puede ejecutar './unrealircd gencloak' en su shell/Vps para
* que UnrealIRCd genere 3 cadenas aleatorias para ti.
*/
cloak-keys {
"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";
"uno más";
"y otro más";
}
}
/* Configuración específica del servidor */
set {
kline-address "setea.un.correo.electrónico"; /* Correo electrónico o URL que se muestra cuando un usuario está baneado */
modes-on-connect "+ixw"; /* cuando los usuarios se conectan, obtendrán estos modos de usuario */
modes-on-oper "+xws"; /* cuando alguien se convierte en IRCOp obtendrá estos modos */
modes-on-join "+nt"; /* modos de canal predeterminados cuando se crea un nuevo canal */
oper-auto-join "#opers"; /* Las IRCOps se unen automáticamente a este canal. */
options {
hide-ulines; /* ocultar las líneas U en /MAP and /LINKS */
show-connect-info; /* muestra "looking up your hostname" cuando conectas */
}
maxchannelsperuser 10; /* Número máximo de canales que un usuario puede /JOIN */
/* El tiempo mínimo que un usuario debe estar conectado antes de que se le permita
* usar un mensaje QUIT. Con suerte, esto ayudará a detener el spam.
*/
anti-spam-quit-message-time 10s;
/* O simplemente setea un quit estático, significa que cualquier /QUIT es ignorado */
/* static-quit "Client quit"; */
/* static-part hace lo mismo para /PART */
/* static-part yes; */
/* Protección contra flood:
* Hay muchas configuraciones para esto y la mayoría tienen buenos valores predeterminados.
* Ver https://www.unrealircd.org/docs/Set_block#set::anti-flood
*/
anti-flood {
}
/* Opciones de Filtro de texto */
spamfilter {
ban-time 1d; /* la duracion por defecto de un *LINE seteado por el filtro de texto */
ban-reason "Spam/Publicidad"; /* razón por defecto */
virus-help-channel "#ayuda"; /* canal de uso para 'viruschan' */
/* except "#ayuda"; inmunidad para el canal Ayuda del filtro de texto */
}
/* Restringir ciertos comandos.
* Ver https://www.unrealircd.org/docs/Set_block#set::restrict-commands
*/
restrict-commands {
list {
connect-delay 60;
exempt-identified yes;
exempt-reputation-score 24;
}
invite {
connect-delay 120;
exempt-identified yes;
exempt-reputation-score 24;
}
/* Además de la capacidad de restringir cualquier comando,
* como se muestra arriba. También hay 4 tipos especiales
* que puede restringir. Estos son "private-message",
* "private-notice", "channel-message" y "channel-notice".
* Están comentados (desactivados) en este ejemplo:
*/
//private-message {
// connect-delay 10;
//}
//private-notice {
// connect-delay 10;
//}
}
}
/*
* Lo siguiente configurará la limitación de la conexión de "unknown users".
*
* Cuando UnrealIRCd detecta una gran cantidad de usuarios que se conectan desde direcciones IP
* que no se han visto antes, se rechazan las conexiones de las nuevas IP
* por encima de la configuración establecida. Por ejemplo, 10:60 solo pueden conectarse 10 usuarios por minuto
* que no se hayan visto antes. Las direcciones IP conocidas siempre pueden ingresar,
* independientemente de la configuración establecida. Lo mismo para los usuarios que inician sesión con SASL.
*
* Consulte también https://www.unrealircd.org/docs/Connthrottle para obtener más detalles.
* O simplemente siga leyendo los ajustes de configuración predeterminados a continuación:
*/
set {
connthrottle {
/* Primero debemos configurar lo que llamamos "known users".
* De forma predeterminada, estos son usuarios en direcciones IP que tienen
* una puntuación de 24 o más. Una puntuación de 24 significa que
* La IP estuvo conectada a esta red durante al menos 2 horas
* en el último mes (o mínimo 1 hora si está registrado).
* La opción sasl-bypass es otra configuración. Significa
* que los usuarios que se autentican en los servicios a través de SASL
* también se consideran usuarios conocidos.
* Usuarios del grupo "known users" (ya sea por reputación
* o por SASL) siempre están permitidos por este módulo.
*/
known-users {
minimum-reputation-score 24;
sasl-bypass yes;
}
/* Los nuevos usuarios son todos los usuarios que no pertenecen al
* grupo de usuarios conocidos. Se consideran "nuevos" y en
* caso de un gran número de nuevos usuarios que se conectan
* están sujetos a limitación de velocidad de conexión.
* Por defecto, la configuración es de 20 nuevos usuarios locales por minuto.
* y 30 nuevos usuarios globales por minuto.
*/
new-users {
local-throttle 20:60;
global-throttle 30:60;
}
/* Esta configuración es para cuando este módulo NO este activo.
* La configuración predeterminada deshabilitará el módulo cuando:
* - El módulo de reputación se ha estado ejecutando durante menos de
* una semana. Si se ejecuta menos de 1 semana, entonces hay
* Datos insuficientes para considerar quién es un "known users".
* - El servidor acaba de iniciarse (primeros 3 minutos).
*/
disabled-when {
reputation-gathering 1w;
start-delay 3m;
}
}
}
/* Finalmente, es posible que desee tener un MOTD (Mensaje del día), esto puede ser
* hecho creando un archivo de texto 'ircd.motd' en su directorio conf /.
* Este archivo se mostrará a sus usuarios al conectarse.
* Para obtener más información, consulte https://www.unrealircd.org/docs/MOTD_and_Rules
*/
/*
* ¿Problemas o necesita más ayuda?
* 1) https://www.unrealircd.org/docs/Main_Page/es
* 2) https://www.unrealircd.org/docs/FAQ <- ¡responde el 80% de sus preguntas!
* 3) Si aún tiene problemas, puede obtener asistencia:
* - Foros: https://forums.unrealircd.org/
* - IRC: irc.unrealircd.org (SSL en el puerto 6697) / #unreal-support
* Tenga en cuenta que primero le pedimos que lea la documentación y las preguntas frecuentes.
*/
+5 -6
@@ -121,7 +121,7 @@ class servers
/* Accepter tout le monde, mais seulement 5 connexions par IP */
allow {
ip *@*;
mask *;
class clients;
maxperip 5;
}
@@ -131,7 +131,7 @@ allow {
* S'il est correct, alors autoriser 20 connexions sur cette IP.
*/
allow {
ip *@192.0.2.1;
mask 192.0.2.1;
class clients;
password "unmotdepassesecret";
maxperip 20;
@@ -430,11 +430,10 @@ set {
/* static-part fait la même chose pour /PART */
/* static-part yes; */
/* Protections anti-flood */
/* Protections anti-flood.
* Voir: https://www.unrealircd.org/docs/Set_block#set::anti-flood
*/
anti-flood {
nick-flood 3:60; /* 3 changements de nick par 60 secondes */
connect-flood 3:60; /* 3 tentatives de connexions par 60 seconds */
away-flood 4:120; /* 4 utilisation de /AWAY par 2 minutes */
}
/* Paramètres de Spamfilter */
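Review bot: the `anti-flood { }` block in the last hunk is left empty, with only a link in the comment above it. A short remark that the built-in defaults apply when the block is empty, or dropping the empty block altogether, would keep readers from assuming flood protection is switched off.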
+5 -6
@@ -117,7 +117,7 @@ class servers
/* IP başına sadece 5 bağlantı izini verir */
allow {
ip *@*;
mask *;
class clients;
maxperip 3;
}
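Review bot: in this first allow block the comment promises only 5 connections per IP ("IP başına sadece 5 bağlantı") while the block sets `maxperip 3;`. Since the hunk already touches the block, align the comment and the value so an operator copying the example gets the limit the text describes.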
@@ -127,7 +127,7 @@ allow {
* Şifre doğru ise o zaman bu IP 20 bağlantıya izin verecektir.
*/
allow {
ip *@192.0.2.1;
mask 192.0.2.1;
class clients;
password "somesecretpasswd";
maxperip 20;
@@ -473,11 +473,10 @@ set {
/* static-part /PART komutu ile aynı işi görür */
/* static-part yes; */
/* Anti flood Koruması */
/* Anti flood Koruması
* Görmeniz için: https://www.unrealircd.org/docs/Set_block#set::anti-flood
*/
anti-flood {
nick-flood 3:60; /* Her 60 saniyede 3 nick değişikliği (varsayılan) */
connect-flood 3:60; /* Her 60 saniyede 3 bağlantı girişi izni (varsayılan) */
away-flood 4:120; /* Her 2 dakikada 4 kez /AWAY kullanımı izni (varsayılan) */
}
/* Spam filter Ayarları */
+1 -17
@@ -860,12 +860,6 @@ help Zline {
" Example: ZLINE *@127.0.0.1 Abuse (Adds a permanent Z-Line)";
" ZLINE *@127.0.0.1 2d Abuse (Adds a Z-Line for 2 days)";
" ZLINE -*@127.0.0.1";
" -";
" Extended server bans (more info at https://www.unrealircd.org/docs/Extended_server_bans)";
" Syntax: ZLINE ~<flag>:<mask> [time] <reason>";
" Example: ZLINE ~r:*Stupid_bot_script*";
" -";
" NOTE: requires the can_zline oper flag";
}
help Gline {
@@ -901,8 +895,6 @@ help Gline {
" a - Services account name";
" r - gecos/realname string";
" S - SSL/TLS client certificate fingerprint";
" -";
" NOTE: requires the can_gkline oper flag";
}
help Shun {
@@ -924,8 +916,6 @@ help Shun {
" Extended server bans (more info at https://www.unrealircd.org/docs/Extended_server_bans)";
" Syntax: SHUN ~<flag>:<mask> [time] <reason>";
" Example: SHUN ~r:*Stupid_bot_script*";
" -";
" NOTE: requires the can_gkline oper flag";
}
help Gzline {
@@ -940,12 +930,6 @@ help Gzline {
" GZLINE -<*@ipmask> (Removes a Global Z-Line for *@ipmask)";
" Example: GZLINE *@4.16.200.* 900 Spammers (Adds a 15 min Global Z-Line)";
" GZLINE *@4.16.200.* 1d5h Spammers (Adds a 29 hour Global Z-Line)";
" -";
" Extended server bans (more info at https://www.unrealircd.org/docs/Extended_server_bans)";
" Syntax: GZLINE ~<flag>:<mask> [time] <reason>";
" Example: GZLINE ~r:*Stupid_bot_script*";
" -";
" NOTE: requires the can_gzline oper flag";
}
help Eline {
@@ -1427,7 +1411,7 @@ help Spamfilter {
" /spamfilter add -simple p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter add -simple p kill - Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter del -simple p block - - Come watch me on my webcam*";
" /spamfilter add -regex cN gzline 1d No_advertising_please /come to irc\..+\..+/";
" /spamfilter add -regex cN gzline 1d No_advertising_please come to irc\..+\..+";
}
help Tempshun {
+1 -1
@@ -1372,7 +1372,7 @@ help Spamfilter {
" /spamfilter add -simple p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter add -simple p kill - Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter del -simple p block - - Come watch me on my webcam*";
" /spamfilter add -regex cN gzline 1d No_advertising_please /come to irc\..+\..+/";
" /spamfilter add -regex cN gzline 1d No_advertising_please come to irc\..+\..+";
}
help Tempshun {
+1 -1
@@ -1278,7 +1278,7 @@ help Spamfilter {
" /spamfilter add -simple p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter add -simple p kill - Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter del -simple p block - - Come watch me on my webcam*";
" /spamfilter add -regex cN gzline 1d No_advertising_please /come to irc\..+\..+/";
" /spamfilter add -regex cN gzline 1d No_advertising_please come to irc\..+\..+";
}
help Tempshun {
+1 -1
@@ -1426,7 +1426,7 @@ help Spamfilter {
" /spamfilter toevoegen -simple p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Kom kijken op mijn webcam";
" /spamfilter toevoegen -eenvoudige p kill - Please_go_to_www.viruscan.xx/nicepage/virus=blah Kom kijken op mijn webcam";
" /spamfilter del -simple p block - - - Kom naar me kijken op mijn webcam*";
" /spamfilter voeg -regex cN gzline 1d No_advertising_please /come to irc\..+\..+/";
" /spamfilter voeg -regex cN gzline 1d No_advertising_please come to irc\..+\..+";
}
help Tempshun {
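Review bot: the context lines of this help text carry translated command keywords (`/spamfilter toevoegen`, `-eenvoudige`, `/spamfilter voeg`), which differ from the `add` and `-simple` keywords shown in the other help files in this change. While the regex example is being touched, restore the literal command syntax on these lines, and check the `del` example, which has three `-` placeholders where the other files have two.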
+1 -1
@@ -1459,7 +1459,7 @@ help Spamfilter {
" /spamfilter add -simple p gline 3h Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter add -simple p kill - Please_go_to_www.viruscan.xx/nicepage/virus=blah Come watch me on my webcam";
" /spamfilter del -simple p block - - Come watch me on my webcam*";
" /spamfilter add -regex cN gzline 1d No_advertising_please /come to irc\..+\..+/";
" /spamfilter add -regex cN gzline 1d No_advertising_please come to irc\..+\..+";
}
help Tempshun {
+1
@@ -212,6 +212,7 @@ loadmodule "clienttagdeny"; /* informs clients about supported client-only messa
loadmodule "sts"; /* strict transport policy (set::tls::sts-policy) */
loadmodule "link-security"; /* link-security announce */
loadmodule "plaintext-policy"; /* plaintext-policy announce */
loadmodule "chathistory"; /* CHATHISTORY client command, 005 and a CAP (draft) */
/*** Other ***/
+12 -9
@@ -125,8 +125,8 @@ set {
* NOTE: Use the REAL host or IP here, not any cloaked hosts!
*/
except-hosts {
mask 192.168.*;
mask 127.*;
mask 192.168.0.0/16;
mask 127.0.0.0/8;
}
/* EXCEPT-WEBIRC:
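Review bot: the `except-hosts` masks move from wildcards to CIDR (`192.168.0.0/16`, `127.0.0.0/8`), but the NOTE above them still only says "Use the REAL host or IP here". Add a word that CIDR ranges are accepted in `mask`, since the example no longer shows any other form.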
@@ -158,10 +158,16 @@ loadmodule "websocket";
loadmodule "antimixedutf8";
set {
antimixedutf8 {
/* Take action at this 'score'.
* 10 is a good and safe default.
/* Take action at this 'score' (lower = more sensitive)
*
* A score of 2 or 3 will catch a lot but also
* catch innocent users who are not using a pure
* Latin script, such as Russian people who
* commonly use a mix of Latin and Cyrillic.
*
* A score of 8 is a safe default.
*/
score 10;
score 8;
/* Action to take, see:
* https://www.unrealircd.org/docs/Actions
@@ -169,12 +175,9 @@ set {
ban-action block;
/* Block/kill/ban reason (sent to user) */
ban-reason "Possible mixed character spam";
ban-reason "Mixed character spam";
/* Duration of ban (does not apply to block/kill) */
ban-time 4h; // For other types
}
}
// Currently incomplete and experimental:
loadmodule "chathistory";
+172 -246
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue Jan 19 04:12:04 2021 GMT
## Certificate data from Mozilla as of: Thu Sep 30 03:12:05 2021 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
@@ -14,7 +14,7 @@
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.28.
## SHA256: 3bdc63d1de27058fec943a999a2a8a01fcc6806a611b19221a7727d3d9bbbdfd
## SHA256: c8f6733d1ff4e6a4769c182971a1234f95ae079247a9c439a13423fe8ba5c24f
##
@@ -156,38 +156,6 @@ Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z
12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
QuoVadis Root CA
================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
QuoVadis Root CA 2
==================
-----BEGIN CERTIFICATE-----
@@ -275,26 +243,6 @@ s58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJUJRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ
FL39vmwLAw==
-----END CERTIFICATE-----
Sonera Class 2 Root CA
======================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
XRamp Global CA Root
====================
-----BEGIN CERTIFICATE-----
@@ -433,26 +381,6 @@ mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K
-----END CERTIFICATE-----
DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
SwissSign Gold CA - G2
======================
-----BEGIN CERTIFICATE-----
@@ -718,51 +646,6 @@ vBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNwi/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7Nz
TogVZ96edhBiIL5VaZVDADlN9u6wWk5JRFRYX0KD
-----END CERTIFICATE-----
GeoTrust Primary Certification Authority - G2
=============================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
VeriSign Universal Root Certification Authority
===============================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
NetLock Arany (Class Gold) Főtanúsítvány
========================================
-----BEGIN CERTIFICATE-----
@@ -938,82 +821,6 @@ Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z
WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
-----END CERTIFICATE-----
Chambers of Commerce Root - 2008
================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Global Chambersign Root - 2008
==============================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Go Daddy Root Certificate Authority - G2
========================================
-----BEGIN CERTIFICATE-----
@@ -1315,27 +1122,6 @@ OR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9
vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
-----END CERTIFICATE-----
Trustis FPS Root CA
===================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Buypass Class 2 Root CA
=======================
-----BEGIN CERTIFICATE-----
@@ -1980,36 +1766,6 @@ uglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7
yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3
-----END CERTIFICATE-----
Staat der Nederlanden Root CA - G3
==================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Staat der Nederlanden EV Root CA
================================
-----BEGIN CERTIFICATE-----
@@ -3226,3 +2982,173 @@ qqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oG
I/hGoiLtk/bdmuYqh7GYVPEi92tF4+KOdh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmg
kpzNNIaRkPpkUZ3+/uul9XXeifdy
-----END CERTIFICATE-----
AC RAIZ FNMT-RCM SERVIDORES SEGUROS
===================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
GlobalSign Root R46
===================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
GlobalSign Root E46
===================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
GLOBALTRUST 2020
================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ANF Secure Server Root CA
=========================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certum EC-384 CA
================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certum Trusted Root CA
======================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
+10
@@ -27,6 +27,16 @@ if lsb_release -av 2>&1|egrep 'Debian.*jessie'; then
echo "Disabling ASan due to false positives on deb8"
echo 'EXTRAPARA="--enable-werror --disable-asan"' >>config.settings
fi
if uname -s|grep -i freebsd; then
echo "Disabling ASan on FreeBSD due to 100% CPU loop in OpenSSL initialization routine"
echo 'EXTRAPARA="--enable-werror --disable-asan"' >>config.settings
fi
# If SSLDIR is set the environment, this overrides config.settings
# Used for example in the openssl3 build tests.
if [ "$SSLDIR" != "" ]; then
echo 'SSLDIR="'"$SSLDIR"'"' >>config.settings
fi
# Read config.settings, this makes a couple of variables available to us.
. ./config.settings
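Review bot: the SSLDIR block writes the environment value into config.settings wrapped only in double quotes (`echo 'SSLDIR="'"$SSLDIR"'"' >>config.settings`), and that file is sourced right after with `. ./config.settings`, so a value containing `"`, `$` or a backtick is evaluated by the shell instead of being taken literally. Write the value single-quoted with embedded quotes escaped, or validate it as a plain path first. Also, the comment should read "set in the environment", and the FreeBSD check can use `grep -qi` so the match does not end up in the build log.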
Binary file not shown.
+1 -1
@@ -4,7 +4,7 @@ OUTF="curl-latest.tar.gz"
OUTD="curl-latest"
ARESPATH="`pwd`/extras/c-ares"
UNREALDIR="`pwd`"
CARESVERSION="1.17.1"
CARESVERSION="1.17.2"
LIBDIR="$1"
if [ "x$1" = "x" ]; then
+4 -5
@@ -1,11 +1,10 @@
Welcome to the doxygen-generated documentation for the UnrealIRCd 5.x API.
This is intended **for developers only!**
If you are creating a 3rd party module for UnrealIRCd or are interested
in contributing to UnrealIRCd then this is the right place.
Here you should be able to find a lot of information on the data structures
and functions available to you when coding for UnrealIRCd.
Note that UnrealIRCd 5 is the **old stable**, it is no longer receiving new
features and is bug fix only. If you are developing a new 3rd party module
then you are suggested to develop for UnrealIRCd 6 and go to the
[UnrealIRCd 6 module api](https://www.unrealircd.org/api/6/) page instead.
## Wiki documentation ##
* Be sure to check the [Module API](https://www.unrealircd.org/docs/Dev:Module_API) article on the wiki
+1 -1
@@ -38,7 +38,7 @@ PROJECT_NAME = "UnrealIRCd"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 5.0.10
PROJECT_NUMBER = 5.2.4
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -0,0 +1,27 @@
Target: 127.0.0.1:5901
prio ciphersuite protocols pfs curves
1 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
2 ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
3 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
4 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
5 ECDHE-ECDSA-AES256-SHA TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
6 ECDHE-ECDSA-AES128-SHA TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
Certificate: untrusted, 384 bits, ecdsa-with-SHA256 signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Intolerance to:
SSL 3.254 : absent
TLS 1.0 : PRESENT
TLS 1.1 : PRESENT
TLS 1.2 : absent
TLS 1.3 : absent
TLS 1.4 : absent
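Review bot: this new expected-output file says nothing about which listener configuration or OpenSSL build it was captured from, yet it pins specifics such as `Target: 127.0.0.1:5901`, the curve order `secp521r1,secp384r1` and the CBC suites at prio 3 to 6. A note in the test script that consumes it, or a more descriptive file name, would tell whoever sees the comparison fail whether a change in this list is a regression or an intended tightening.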
+31 -13
View File
@@ -1,11 +1,11 @@
#!/bin/bash
#!/usr/bin/env bash
#
# This is stage 1 of the UnrealIRCd upgrade script
# It downloads stage 2 online, verifies the integrity, and then
# passes control to it to proceed with the rest of the upgrade.
#
# This is a bash script, so it is less cross-platform than
# the rest of UnrealIRCd. We also mostly assume Linux here.
# This is a bash script, so it is less cross-platform than the
# rest of UnrealIRCd. We also mostly assume Linux/FreeBSD here.
#
BUILDDIR="@BUILDDIR@"
@@ -55,13 +55,19 @@ if [ ! -d "$BUILDDIR" ]; then
exit 1
fi
FETCHER="wget"
if ! wget --help 1>/dev/null 2>&1; then
echo "The tool 'wget' is missing, which is used by this script."
echo "On Linux consider running 'sudo apt install wget' or 'sudo yum install wget'"
echo "and run this script again."
echo "Or, don't use this script and follow the manual upgrade procedure from"
echo "https://www.unrealircd.org/docs/Upgrading"
exit 1
# fetch is a pain: it always returns 1 (false) even for usage info and has no --version
fetch 1>/dev/null 2>&1
if [ "$?" -ne 1 ]; then
echo "The tool 'wget' is missing, which is used by this script."
echo "On Linux consider running 'sudo apt install wget' or 'sudo yum install wget'"
echo "and run this script again."
echo "Or, don't use this script and follow the manual upgrade procedure from"
echo "https://www.unrealircd.org/docs/Upgrading"
exit 1
fi
FETCHER="fetch"
fi
# Weird way to get version, but ok.
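Review bot: when neither tool is found, the message inside the new `fetch` branch still says only "The tool 'wget' is missing" and suggests apt or yum, which is confusing on the FreeBSD hosts this branch exists for; mention `fetch` and a FreeBSD install hint there. The probe also depends on `fetch` exiting with status 1 when run without arguments; `command -v fetch >/dev/null 2>&1` expresses the same test without relying on that behaviour.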
@@ -70,11 +76,16 @@ UNREALVER="`./configure --version|head -n1|awk '{ print $3 }'`"
cd .. || fail "Could not cd back"
# Set and export all variables with settings
export UNREALVER BUILDDIR SCRIPTDIR DOCDIR TMPDIR
export UNREALVER BUILDDIR SCRIPTDIR DOCDIR TMPDIR FETCHER
# Download the install script
wget -O unrealircd-upgrade-script.stage2 "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2?from=$UNREALVER" || fail "Could not download online installer"
wget -O unrealircd-upgrade-script.stage2.asc "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2.asc" || fail "Could not download online installer signature"
if [ "$FETCHER" = "wget" ]; then
wget -O unrealircd-upgrade-script.stage2 "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2?from=$UNREALVER" || fail "Could not download online installer"
wget -O unrealircd-upgrade-script.stage2.asc "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2.asc" || fail "Could not download online installer signature"
else
fetch -o unrealircd-upgrade-script.stage2 "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2?from=$UNREALVER" || fail "Could not download online installer"
fetch -o unrealircd-upgrade-script.stage2.asc "https://www.unrealircd.org/downloads/unrealircd-upgrade-script.stage2.asc" || fail "Could not download online installer signature"
fi
# GPG verification - if available
if gpg --version 1>/dev/null 2>&1; then
@@ -94,7 +105,11 @@ if gpg --version 1>/dev/null 2>&1; then
fi
else
echo "WARNING: The GnuPG (GPG/PGP) verification tool 'gpg' is not installed."
echo "Consider running 'sudo apt install gpg' or 'yum install gnupg2'"
if [[ "$OSTYPE" == "freebsd"* ]] ; then
echo "Consider running 'sudo pkg install gnupg'"
else
echo "Consider running 'sudo apt install gpg' or 'yum install gnupg2'"
fi
echo "When 'gpg' is installed then the UnrealIRCd upgrade script can"
echo "verify the digital signature of the download file."
warn "Unable to check download integrity"
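Review bot: `if [[ "$OSTYPE" == "freebsd"* ]] ; then` uses the bash-only `[[ ]]` construct and the bash-set `$OSTYPE` variable, so the new FreeBSD hint only works if this script is guaranteed to run under bash. If the script can be started by a plain POSIX `sh`, which is the usual case on FreeBSD, use something like `case "$(uname -s)" in FreeBSD) ... ;; esac` instead. Note also that this path only warns ("Unable to check download integrity") and the downloaded stage2 script is still executed afterwards without signature verification; that is existing behaviour, but the message could say so explicitly.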
@@ -103,3 +118,6 @@ fi
chmod +x unrealircd-upgrade-script.stage2
./unrealircd-upgrade-script.stage2 $*
SAVERET="$?"
rm -f unrealircd-upgrade-script.stage2 unrealircd-upgrade-script.stage2
exit $SAVERET
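Review bot: The new cleanup line `rm -f unrealircd-upgrade-script.stage2 unrealircd-upgrade-script.stage2` names the same file twice, so the downloaded `unrealircd-upgrade-script.stage2.asc` signature is never removed. The second argument was presumably meant to be the `.asc` file.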
+5 -3
View File
@@ -7,6 +7,8 @@
typedef void (*IOCallbackFunc)(int fd, int revents, void *data);
typedef enum FDCloseMethod { FDCLOSE_SOCKET=0, FDCLOSE_FILE=1, FDCLOSE_NONE=3 } FDCloseMethod;
typedef struct fd_entry {
int fd;
char desc[FD_DESC_SZ];
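Review bot: In the new `FDCloseMethod` enum, `FDCLOSE_NONE=3` skips the value 2 with no explanation. Either number it 2 or add a comment saying why 2 is reserved. The typedef also has no doc comment describing what each close method makes `fd_close()` do.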
@@ -15,14 +17,14 @@ typedef struct fd_entry {
void *data;
time_t deadline;
unsigned char is_open;
FDCloseMethod close_method;
unsigned int backend_flags;
} FDEntry;
extern MODVAR FDEntry fd_table[MAXCONNECTIONS + 1];
extern int fd_open(int fd, const char *desc);
extern void fd_close(int fd);
extern int fd_unmap(int fd);
extern int fd_open(int fd, const char *desc, FDCloseMethod close_method);
extern int fd_close(int fd);
extern void fd_unnotify(int fd);
extern int fd_socket(int family, int type, int protocol, const char *desc);
extern int fd_accept(int sockfd);
+11 -2
View File
@@ -285,6 +285,7 @@ extern char *myctime(time_t);
extern char *short_date(time_t, char *buf);
extern char *long_date(time_t);
extern void exit_client(Client *client, MessageTag *recv_mtags, char *comment);
extern void exit_client_ex(Client *client, Client *origin, MessageTag *recv_mtags, char *comment);
extern void initstats(), tstats(Client *, char *);
extern char *check_string(char *);
extern char *make_nick_user_host(char *, char *, char *);
@@ -447,6 +448,7 @@ extern void Auth_FreeAuthConfig(AuthConfig *as);
extern int Auth_Check(Client *cptr, AuthConfig *as, char *para);
extern char *Auth_Hash(int type, char *para);
extern int Auth_CheckError(ConfigEntry *ce);
extern int Auth_AutoDetectHashType(char *hash);
extern void make_cloakedhost(Client *client, char *curr, char *buf, size_t buflen);
extern int channel_canjoin(Client *client, char *name);
@@ -642,7 +644,7 @@ extern MODVAR char backupbuf[];
extern void add_invite(Client *, Client *, Channel *, MessageTag *);
extern void del_invite(Client *, Channel *);
extern int is_invited(Client *client, Channel *channel);
extern void channel_modes(Client *cptr, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, Channel *channel);
extern void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, Channel *channel, int hide_local_modes);
extern MODVAR char modebuf[BUFSIZE], parabuf[BUFSIZE];
extern int op_can_override(char *acl, Client *client,Channel *channel,void* extra);
extern Client *find_chasing(Client *client, char *user, int *chasing);
@@ -789,6 +791,9 @@ extern int outdated_tls_client(Client *acptr);
extern char *outdated_tls_client_build_string(char *pattern, Client *acptr);
extern int check_certificate_expiry_ctx(SSL_CTX *ctx, char **errstr);
extern EVENT(tls_check_expiry);
extern MODVAR EVP_MD *sha256_function;
extern MODVAR EVP_MD *sha1_function;
extern MODVAR EVP_MD *md5_function;
/* End of SSL/TLS functions */
extern void parse_message_tags_default_handler(Client *client, char **str, MessageTag **mtag_list);
@@ -811,6 +816,8 @@ extern int find_invex(Channel *channel, Client *client);
extern void DoMD5(char *mdout, const char *src, unsigned long n);
extern char *md5hash(char *dst, const char *src, unsigned long n);
extern char *sha256hash(char *dst, const char *src, unsigned long n);
extern void sha256hash_binary(char *dst, const char *src, unsigned long n);
extern void sha1hash_binary(char *dst, const char *src, unsigned long n);
extern MODVAR TKL *tklines[TKLISTLEN];
extern MODVAR TKL *tklines_ip_hash[TKLIPHASHLEN1][TKLIPHASHLEN2];
extern char *cmdname_by_spamftarget(int target);
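Review bot: The new `sha256hash_binary(char *dst, const char *src, unsigned long n)` and `sha1hash_binary(...)` prototypes take an output pointer without a size, so nothing in the signature stops a caller from passing a buffer shorter than the digest (32 bytes for SHA-256, 20 for SHA-1). Add a doc comment stating the required `dst` size and that the output is raw bytes and not NUL-terminated, or take a `size_t dstlen` and check it.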
@@ -860,6 +867,7 @@ extern int mixed_network(void);
extern void unreal_delete_masks(ConfigItem_mask *m);
extern void unreal_add_masks(ConfigItem_mask **head, ConfigEntry *ce);
extern int unreal_mask_match(Client *acptr, ConfigItem_mask *m);
extern int unreal_mask_match_string(const char *name, ConfigItem_mask *m);
extern char *our_strcasestr(char *haystack, char *needle);
extern void update_conf(void);
extern MODVAR int need_34_upgrade;
@@ -894,7 +902,7 @@ extern long get_mode_bitbychar(char m);
extern long find_user_mode(char mode);
extern void start_listeners(void);
extern void buildvarstring(const char *inbuf, char *outbuf, size_t len, const char *name[], const char *value[]);
extern void reinit_ssl(Client *);
extern void reinit_tls(void);
extern CMD_FUNC(cmd_error);
extern CMD_FUNC(cmd_dns);
extern CMD_FUNC(cmd_info);
@@ -999,6 +1007,7 @@ extern int should_show_connect_info(Client *client);
extern void send_invalid_channelname(Client *client, char *channelname);
extern int is_extended_ban(const char *str);
extern int valid_sid(char *name);
extern int valid_uid(char *name);
extern void parse_client_queued(Client *client);
extern char *sha256sum_file(const char *fname);
extern char *filename_strip_suffix(const char *fname, const char *suffix);
+4 -2
View File
@@ -151,6 +151,8 @@ struct ModDataInfo {
char *(*serialize)(ModData *m); /**< Function which converts the data to a string. May return NULL if 'm' contains no data (since for example m->ptr may be NULL). */
void (*unserialize)(char *str, ModData *m); /**< Function which converts the string back to data */
int sync; /**< Send in netsynch (when servers connect) */
int remote_write; /**< Allow remote servers to set/unset this moddata, even if it they target one of our own clients */
int self_write; /**< Allow remote servers to set/unset moddata of their own server object (irc1.example.net writing the MD object of irc1.example.net) */
};
#define moddata_client(acptr, md) acptr->moddata[md->slot]
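Review bot: The comment on the new `remote_write` field has a typo ("even if it they target one of our own clients"). Since `remote_write` and `self_write` decide whether another server may change moddata on our objects, the comments should also state what the value 0 means and that it is the default for modules that do not set these fields.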
@@ -2259,9 +2261,9 @@ enum EfunctionType {
EFUNC_TKL_SYNCH,
EFUNC_CMD_TKL,
EFUNC_PLACE_HOST_BAN,
EFUNC_DOSPAMFILTER,
EFUNC_MATCH_SPAMFILTER,
EFUNC_MATCH_SPAMFILTER_MTAGS,
EFUNC_DOSPAMFILTER_VIRUSCHAN,
EFUNC_JOIN_VIRUSCHAN,
EFUNC_FIND_TKLINE_MATCH_ZAP_EX,
EFUNC_SEND_LIST,
EFUNC_STRIPCOLORS,
+8 -6
View File
@@ -182,7 +182,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define READBUFSIZE 8192 /* for the read buffer */
#define MAXRECIPIENTS 20
#define MAXSILELENGTH NICKLEN+USERLEN+HOSTLEN+10
#define IDLEN 10
#define IDLEN 12
#define SIDLEN 3
#define SWHOISLEN 256
#define UMODETABLESZ (sizeof(long) * 8)
@@ -368,7 +368,6 @@ typedef enum ClientStatus {
#define IsDeaf(x) ((x)->umodes & UMODE_DEAF)
#define IsOper(x) ((x)->umodes & UMODE_OPER)
#define IsInvisible(x) ((x)->umodes & UMODE_INVISIBLE)
#define IsARegNick(x) ((x)->umodes & (UMODE_REGNICK))
#define IsRegNick(x) ((x)->umodes & UMODE_REGNICK)
#define SendWallops(x) (!IsMe(x) && IsUser(x) && ((x)->umodes & UMODE_WALLOP))
#define IsHidden(x) ((x)->umodes & UMODE_HIDE)
@@ -508,7 +507,7 @@ typedef enum ClientStatus {
#define IsNotSpoof(x) ((x)->local->nospoof == 0)
#define GetHost(x) (IsHidden(x) ? (x)->user->virthost : (x)->user->realhost)
#define GetIP(x) (x->ip ? x->ip : "255.255.255.255")
#define IsLoggedIn(x) (IsRegNick(x) || (x->user && (*x->user->svid != '*') && !isdigit(*x->user->svid))) /* registered nick (+r) or just logged into services (may be -r) */
#define IsLoggedIn(x) (x->user && (*x->user->svid != '*') && !isdigit(*x->user->svid)) /**< Logged into services */
#define IsSynched(x) (x->serv->flags.synced)
#define IsServerSent(x) (x->serv && x->serv->flags.server_sent)
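Review bot: The rewritten `IsLoggedIn(x)` uses its argument unparenthesized (`x->user`, `*x->user->svid`) and passes a plain `char` to `isdigit()`, which is undefined for negative values. Prefer `(x)->user` and `isdigit((unsigned char)*(x)->user->svid)`. Dropping the `IsRegNick(x) ||` term also changes who counts as logged in (a client with +r but no account in svid no longer qualifies), so callers that use this macro for access decisions should be listed in the commit message or release notes.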
@@ -1225,6 +1224,7 @@ typedef enum FloodOption {
FLD_INVITE = 3, /**< invite-flood */
FLD_KNOCK = 4, /**< knock-flood */
FLD_CONVERSATIONS = 5, /**< max-concurrent-conversations */
FLD_LAG_PENALTY = 6, /**< lag-penalty / lag-penalty-bytes */
} FloodOption;
#define MAXFLOODOPTIONS 10
@@ -1268,6 +1268,7 @@ struct LocalClient {
int fd; /**< File descriptor, can be <0 if socket has been closed already. */
SSL *ssl; /**< OpenSSL/LibreSSL struct for SSL/TLS connection */
time_t since; /**< Time when user will next be allowed to send something (actually since<currenttime+10) */
int since_msec; /**< Used for calculating 'since' penalty (modulo) */
time_t firsttime; /**< Time user was created (connected on IRC) */
time_t lasttime; /**< Last time any message was received */
dbuf sendQ; /**< Outgoing send queue (data to be sent) */
@@ -1524,8 +1525,7 @@ struct ConfigFlag_allow {
struct ConfigItem_allow {
ConfigItem_allow *prev, *next;
ConfigFlag flag;
char *ip;
char *hostname;
ConfigItem_mask *mask;
char *server;
AuthConfig *auth;
int maxperip; /**< Maximum connections permitted per IP address (locally) */
@@ -1734,7 +1734,8 @@ struct ConfigItem_deny_dcc {
struct ConfigItem_deny_link {
ConfigItem_deny_link *prev, *next;
ConfigFlag_except flag;
char *mask, *rule, *prettyrule;
ConfigItem_mask *mask;
char *rule, *prettyrule;
};
struct ConfigItem_deny_version {
@@ -1868,6 +1869,7 @@ struct SecurityGroup {
int reputation_score;
int webirc;
int tls;
ConfigItem_mask *include_mask;
};
#define HM_HOST 1
+2 -1
View File
@@ -54,8 +54,9 @@
* Can be useful if the above 3 versionids are insufficient for you (eg: you want to support CVS).
* This is updated automatically on the CVS server every Monday. so don't touch it.
*/
#define UNREAL_VERSION_TIME 202120
#define UNREAL_VERSION_TIME 202139
#define UNREAL_VERSION ((UNREAL_VERSION_GENERATION << 24) + (UNREAL_VERSION_MAJOR << 16) + (UNREAL_VERSION_MINOR << 8))
#define UnrealProtocol 5002
#define PATCH1 macro_to_str(UNREAL_VERSION_GENERATION)
#define PATCH2 "." macro_to_str(UNREAL_VERSION_MAJOR)
+3 -3
View File
@@ -60,13 +60,13 @@
#define UNREAL_VERSION_GENERATION 5
/* Major version number (e.g.: 2 for Unreal3.2*) */
#define UNREAL_VERSION_MAJOR 0
#define UNREAL_VERSION_MAJOR 2
/* Minor version number (e.g.: 1 for Unreal3.2.1) */
#define UNREAL_VERSION_MINOR 10
#define UNREAL_VERSION_MINOR 4
/* Version suffix such as a beta marker or release candidate marker. (e.g.:
-rcX for unrealircd-3.2.9-rcX) */
#define UNREAL_VERSION_SUFFIX "-git"
#define UNREAL_VERSION_SUFFIX ""
#endif
+2 -2
View File
@@ -307,9 +307,9 @@ void efunctions_init(void)
efunc_init_function(EFUNC_TKL_SYNCH, tkl_sync, NULL);
efunc_init_function(EFUNC_CMD_TKL, cmd_tkl, NULL);
efunc_init_function(EFUNC_PLACE_HOST_BAN, place_host_ban, NULL);
efunc_init_function(EFUNC_DOSPAMFILTER, match_spamfilter, NULL);
efunc_init_function(EFUNC_MATCH_SPAMFILTER, match_spamfilter, NULL);
efunc_init_function(EFUNC_MATCH_SPAMFILTER_MTAGS, match_spamfilter_mtags, NULL);
efunc_init_function(EFUNC_DOSPAMFILTER_VIRUSCHAN, join_viruschan, NULL);
efunc_init_function(EFUNC_JOIN_VIRUSCHAN, join_viruschan, NULL);
efunc_init_function(EFUNC_STRIPCOLORS, StripColors, NULL);
efunc_init_function(EFUNC_STRIPCONTROLCODES, StripControlCodes, NULL);
efunc_init_function(EFUNC_SPAMFILTER_BUILD_USER_STRING, spamfilter_build_user_string, NULL);
+3 -1
View File
@@ -29,6 +29,7 @@ MODVAR Event *events = NULL;
extern EVENT(unrealdns_removeoldrecords);
extern EVENT(unrealdb_expire_secret_cache);
extern EVENT(deprecated_notice);
/** Add an event, a function that will run at regular intervals.
* @param module Module that this event belongs to
@@ -237,10 +238,11 @@ void SetupEvents(void)
EventAdd(NULL, "garbage", garbage_collect, NULL, GARBAGE_COLLECT_EVERY*1000, 0);
EventAdd(NULL, "loop", loop_event, NULL, 1000, 0);
EventAdd(NULL, "unrealdns_removeoldrecords", unrealdns_removeoldrecords, NULL, 15000, 0);
EventAdd(NULL, "deprecated_notice", deprecated_notice, NULL, ((86400*7)-(3600*8))*1000, 0);
EventAdd(NULL, "check_pings", check_pings, NULL, 1000, 0);
EventAdd(NULL, "check_deadsockets", check_deadsockets, NULL, 1000, 0);
EventAdd(NULL, "handshake_timeout", handshake_timeout, NULL, 1000, 0);
EventAdd(NULL, "try_connections", try_connections, NULL, 2000, 0);
EventAdd(NULL, "tls_check_expiry", tls_check_expiry, NULL, (86400/2)*1000, 0);
EventAdd(NULL, "unrealdb_expire_secret_cache", unrealdb_expire_secret_cache, NULL, 61000, 0);
EventAdd(NULL, "throttling_check_expire", throttling_check_expire, NULL, 1000, 0);
}
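Review bot: The interval for the "deprecated_notice" event is written as `((86400*7)-(3600*8))*1000` with no comment. Add a short comment saying that this is seven days minus eight hours in milliseconds and why the eight-hour offset is wanted, as the other long-period event next to it (`(86400/2)*1000`) is at least self-explanatory.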
-1
View File
@@ -118,7 +118,6 @@ void isupport_init(void)
ISupportSetFmt(NULL, "MAXLIST", "b:%d,e:%d,I:%d", MAXBANS, MAXBANS, MAXBANS);
ISupportSetFmt(NULL, "CHANLIMIT", "#:%d", MAXCHANNELSPERUSER);
ISupportSetFmt(NULL, "MAXCHANNELS", "%d", MAXCHANNELSPERUSER);
ISupportSet(NULL, "HCN", NULL);
ISupportSet(NULL, "SAFELIST", NULL);
ISupportSet(NULL, "NAMESX", NULL);
if (UHNAMES_ENABLED)
+2
View File
@@ -80,6 +80,8 @@ moddataadd_isok:
m->serialize = req.serialize;
m->unserialize = req.unserialize;
m->sync = req.sync;
m->remote_write = req.remote_write;
m->self_write = req.self_write;
m->owner = module;
if (new_struct)
+33 -18
View File
@@ -74,12 +74,6 @@ CoreChannelModeTable corechannelmodetable[] = {
/** The advertised supported channel modes in the 004 numeric */
char cmodestring[512];
/* Some forward declarations */
char *clean_ban_mask(char *, int, Client *);
void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, Channel *channel);
int sub1_from_channel(Channel *);
void del_invite(Client *, Channel *);
/** Returns 1 if the IRCOp can override or is a remote connection */
inline int op_can_override(char *acl, Client *client,Channel *channel,void* extra)
{
@@ -642,41 +636,58 @@ long get_mode_bitbychar(char m)
}
/** Write the "simple" list of channel modes for channel channel onto buffer mbuf with the parameters in pbuf.
* @param client The client requesting the mode list (can be NULL)
* @param mbuf Modes will be stored here
* @param pbuf Mode parameters will be stored here
* @param mbuf_size Length of the mbuf buffer
* @param pbuf_size Length of the pbuf buffer
* @param channel The channel to fetch modes from
* @param hide_local_modes If set to 1 then we will hide local channel modes like Z and d
* (eg: if you intend to send the buffer to a remote server)
*/
/* TODO: this function has many security issues and needs an audit, maybe even a recode */
void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, Channel *channel)
void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, size_t pbuf_size, Channel *channel, int hide_local_modes)
{
CoreChannelModeTable *tab = &corechannelmodetable[0];
int ismember;
int ismember = 0;
int i;
if (!(mbuf_size && pbuf_size)) return;
ismember = (IsMember(client, channel) || IsServer(client) || IsMe(client) || IsULine(client)) ? 1 : 0;
if (!client || IsMember(client, channel) || IsServer(client) || IsMe(client) || IsULine(client))
ismember = 1;
*pbuf = '\0';
*mbuf++ = '+';
mbuf_size--;
/* Paramless first */
while (mbuf_size && tab->mode != 0x0)
{
if ((channel->mode.mode & tab->mode))
{
if (!tab->parameters) {
*mbuf++ = tab->flag;
mbuf_size--;
}
}
tab++;
}
for (i=0; i <= Channelmode_highest; i++)
{
if (!mbuf_size) break;
if (Channelmode_Table[i].flag && !Channelmode_Table[i].paracount &&
(channel->mode.extmode & Channelmode_Table[i].mode)) {
if (!mbuf_size)
break;
if (Channelmode_Table[i].flag &&
!Channelmode_Table[i].paracount &&
!(hide_local_modes && Channelmode_Table[i].local) &&
(channel->mode.extmode & Channelmode_Table[i].mode))
{
*mbuf++ = Channelmode_Table[i].flag;
mbuf_size--;
}
}
if (channel->mode.limit)
{
if (mbuf_size) {
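Review bot: With `if (!client || IsMember(client, channel) || ...) ismember = 1;` a NULL `client` is now treated as a channel member, but the new doc block only says "can be NULL". Document on the `@param client` line that NULL selects the member (unrestricted) view, so that a caller does not pass NULL for output that ends up in front of a non-member. The "TODO: this function has many security issues and needs an audit" comment sits directly under the new doc block; if it still applies after this rewrite, keep it inside the doc comment so it is not lost.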
@@ -704,9 +715,12 @@ void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, siz
for (i=0; i <= Channelmode_highest; i++)
{
if (Channelmode_Table[i].flag && Channelmode_Table[i].paracount &&
(channel->mode.extmode & Channelmode_Table[i].mode)) {
char flag = Channelmode_Table[i].flag;
if (Channelmode_Table[i].flag &&
Channelmode_Table[i].paracount &&
!(hide_local_modes && Channelmode_Table[i].local) &&
(channel->mode.extmode & Channelmode_Table[i].mode))
{
char flag = Channelmode_Table[i].flag;
if (mbuf_size) {
*mbuf++ = flag;
mbuf_size--;
@@ -721,11 +735,12 @@ void channel_modes(Client *client, char *mbuf, char *pbuf, size_t mbuf_size, siz
}
/* Remove the trailing space from the parameters -- codemastr */
if (*pbuf) pbuf[strlen(pbuf)-1]=0;
if (*pbuf)
pbuf[strlen(pbuf)-1]='\0';
if (!mbuf_size) mbuf--;
if (!mbuf_size)
mbuf--;
*mbuf++ = '\0';
return;
}
/** Make a pretty mask from the input string - only used by SILENCE
+235 -98
View File
@@ -441,6 +441,12 @@ int flood_option_is_for_everyone(const char *name)
return text_in_array(name, opts);
}
/** Free a FloodSettings struct */
void free_floodsettings(FloodSettings *f)
{
safe_free(f->name);
safe_free(f);
}
/** Parses a value like '5:60s' into a flood setting that we can store.
* @param str The string to parse (eg: '5:60s')
@@ -1702,6 +1708,8 @@ ConfigCommand *config_binary_search(char *cmd) {
void free_iConf(Configuration *i)
{
FloodSettings *f, *f_next;
safe_free(i->dns_bindip);
safe_free(i->link_bindip);
safe_free(i->kline_address);
@@ -1744,6 +1752,13 @@ void free_iConf(Configuration *i)
safe_free(i->network.x_helpchan);
safe_free(i->network.x_stats_server);
safe_free(i->network.x_sasl_server);
// anti-flood:
for (f = i->floodsettings; f; f = f_next)
{
f_next = f->next;
free_floodsettings(f);
}
i->floodsettings = NULL;
}
int config_test();
@@ -1807,6 +1822,7 @@ void config_setdefaultsettings(Configuration *i)
config_parse_flood_generic("4:60", i, "known-users", FLD_INVITE); /* INVITE flood protection: max 4 per 60s */
config_parse_flood_generic("4:120", i, "known-users", FLD_KNOCK); /* KNOCK protection: max 4 per 120s */
config_parse_flood_generic("10:15", i, "known-users", FLD_CONVERSATIONS); /* 10 users, new user every 15s */
config_parse_flood_generic("180:750", i, "known-users", FLD_LAG_PENALTY); /* 180 bytes / 750 msec */
/* - unknown-users */
config_parse_flood_generic("2:60", i, "unknown-users", FLD_NICK); /* NICK flood protection: max 2 per 60s */
config_parse_flood_generic("2:90", i, "unknown-users", FLD_JOIN); /* JOIN flood protection: max 2 per 90s */
@@ -1814,6 +1830,7 @@ void config_setdefaultsettings(Configuration *i)
config_parse_flood_generic("2:60", i, "unknown-users", FLD_INVITE); /* INVITE flood protection: max 2 per 60s */
config_parse_flood_generic("2:120", i, "unknown-users", FLD_KNOCK); /* KNOCK protection: max 2 per 120s */
config_parse_flood_generic("4:15", i, "unknown-users", FLD_CONVERSATIONS); /* 4 users, new user every 15s */
config_parse_flood_generic("90:1000", i, "unknown-users", FLD_LAG_PENALTY); /* 90 bytes / 1000 msec */
/* SSL/TLS options */
i->tls_options = safe_alloc(sizeof(TLSOptions));
@@ -2016,6 +2033,11 @@ void postconf(void)
do_weird_shun_stuff();
isupport_init(); /* for all the 005 values that changed.. */
tls_check_expiry(NULL);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
if (loop.ircd_rehashing)
reinit_tls();
#endif
}
int isanyserverlinked(void)
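Review bot: The new `reinit_tls()` call in `postconf()` is wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` without a comment. Explain in a comment why the reinitialisation on rehash is limited to that OpenSSL version and what happens on older versions, since `reinit_tls(void)` returns nothing and a reader cannot tell from here whether TLS settings are reloaded there at all.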
@@ -2540,8 +2562,7 @@ void config_rehash()
for (allow_ptr = conf_allow; allow_ptr; allow_ptr = (ConfigItem_allow *) next)
{
next = (ListStruct *)allow_ptr->next;
safe_free(allow_ptr->ip);
safe_free(allow_ptr->hostname);
unreal_delete_masks(allow_ptr->mask);
Auth_FreeAuthConfig(allow_ptr->auth);
DelListItem(allow_ptr, conf_allow);
safe_free(allow_ptr);
@@ -2614,7 +2635,7 @@ void config_rehash()
for (deny_link_ptr = conf_deny_link; deny_link_ptr; deny_link_ptr = (ConfigItem_deny_link *) next) {
next = (ListStruct *)deny_link_ptr->next;
safe_free(deny_link_ptr->prettyrule);
safe_free(deny_link_ptr->mask);
unreal_delete_masks(deny_link_ptr->mask);
crule_free(&deny_link_ptr->rule);
DelListItem(deny_link_ptr, conf_deny_link);
safe_free(deny_link_ptr);
@@ -3009,8 +3030,8 @@ int config_test()
if (strchr(ce->ce_varname, ':'))
{
config_error("You cannot use :: in a directive, you have to write them out. "
"For example 'set::anti-flood::nick-flood 3:60' needs to be written as: "
"set { anti-flood { nick-flood 3:60; } }");
"For example 'set::auto-join #something' needs to be written as: "
"set { auto-join \"#something\"; }");
config_error("See also https://www.unrealircd.org/docs/Set_block#Syntax_used_in_this_documentation");
}
}
@@ -5439,12 +5460,10 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (!strcmp(cep->ce_varname, "ip"))
if (!strcmp(cep->ce_varname, "mask") || !strcmp(cep->ce_varname, "ip") || !strcmp(cep->ce_varname, "hostname"))
{
safe_strdup(allow->ip, cep->ce_vardata);
unreal_add_masks(&allow->mask, cep);
}
else if (!strcmp(cep->ce_varname, "hostname"))
safe_strdup(allow->hostname, cep->ce_vardata);
else if (!strcmp(cep->ce_varname, "password"))
allow->auth = AuthBlockToAuthConfig(cep);
else if (!strcmp(cep->ce_varname, "class"))
@@ -5492,12 +5511,6 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
}
}
if (!allow->hostname)
safe_strdup(allow->hostname, "*@NOMATCH");
if (!allow->ip)
safe_strdup(allow->ip, "*@NOMATCH");
/* Default: global-maxperip = maxperip+1 */
if (allow->global_maxperip == 0)
allow->global_maxperip = allow->maxperip+1;
@@ -5515,7 +5528,8 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
ConfigEntry *cep, *cepp;
int errors = 0;
Hook *h;
char has_ip = 0, has_hostname = 0, has_maxperip = 0, has_global_maxperip = 0, has_password = 0, has_class = 0;
char has_ip = 0, has_hostname = 0, has_mask = 0;
char has_maxperip = 0, has_global_maxperip = 0, has_password = 0, has_class = 0;
char has_redirectserver = 0, has_redirectport = 0, has_options = 0;
int hostname_possible_silliness = 0;
@@ -5563,7 +5577,9 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (strcmp(cep->ce_varname, "options") && config_is_blankorempty(cep, "allow"))
if (strcmp(cep->ce_varname, "options") &&
strcmp(cep->ce_varname, "mask") &&
config_is_blankorempty(cep, "allow"))
{
errors++;
continue;
@@ -5578,6 +5594,22 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
}
has_ip = 1;
}
else if (!strcmp(cep->ce_varname, "hostname"))
{
if (has_hostname)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "allow::hostname");
continue;
}
has_hostname = 1;
if (!strcmp(cep->ce_vardata, "*@*") || !strcmp(cep->ce_vardata, "*"))
hostname_possible_silliness = 1;
}
else if (!strcmp(cep->ce_varname, "mask"))
{
has_mask = 1;
}
else if (!strcmp(cep->ce_varname, "maxperip"))
{
int v = atoi(cep->ce_vardata);
@@ -5636,18 +5668,6 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
}
}
else if (!strcmp(cep->ce_varname, "hostname"))
{
if (has_hostname)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "allow::hostname");
continue;
}
has_hostname = 1;
if (!strcmp(cep->ce_vardata, "*@*") || !strcmp(cep->ce_vardata, "*"))
hostname_possible_silliness = 1;
}
else if (!strcmp(cep->ce_varname, "password"))
{
if (has_password)
@@ -5736,25 +5756,45 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
}
}
if (!has_ip && !has_hostname)
if (has_mask && (has_ip || has_hostname))
{
config_error("%s:%d: allow block needs an allow::ip or allow::hostname",
config_error("%s:%d: The allow block uses allow::mask, but you also have an allow::ip and allow::hostname.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_error("Please delete your allow::ip and allow::hostname entries and/or integrate them into allow::mask");
} else
if (has_ip)
{
config_warn("%s:%d: The allow block uses allow::mask nowadays. Rename your allow::ip item to allow::mask.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_warn("See https://www.unrealircd.org/docs/FAQ#allow-mask for more information");
} else
if (has_hostname)
{
config_warn("%s:%d: The allow block uses allow::mask nowadays. Rename your allow::hostname item to allow::mask.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_warn("See https://www.unrealircd.org/docs/FAQ#allow-mask for more information");
} else
if (!has_mask)
{
config_error("%s:%d: allow block needs an allow::mask",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
errors++;
}
if (has_ip && has_hostname)
{
config_warn("%s:%d: allow block has both allow::ip and allow::hostname which is no longer permitted.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_error("%s:%d: allow block has both allow::ip and allow::hostname, this is no longer permitted.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_error("Please integrate your allow::ip and allow::hostname items into a single allow::mask block");
need_34_upgrade = 1;
errors++;
} else
if (hostname_possible_silliness)
{
config_warn("%s:%d: allow block contains 'hostname *;'. This means means that users "
"without a valid hostname (unresolved IP's) will be unable to connect. "
"You most likely want to use 'ip *;' instead.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
config_error("%s:%d: allow block contains 'hostname *;'. This means means that users "
"without a valid hostname (unresolved IP's) will be unable to connect. "
"You most likely want to use 'mask *;' instead.",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum);
}
if (!has_class)
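Review bot: The new first branch, `if (has_mask && (has_ip || has_hostname))`, calls `config_error()` twice but never does `errors++`, so the configuration test can still pass after printing an error. The same applies to the `hostname_possible_silliness` branch, which was changed from `config_warn` to `config_error` without an `errors++`. Either count these as errors or keep them as warnings. The first message also says "you also have an allow::ip and allow::hostname" although the condition is "or", and the hostname message still contains "This means means".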
@@ -6463,7 +6503,7 @@ int _conf_link(ConfigFile *conf, ConfigEntry *ce)
if (!link->hub && !link->leaf)
safe_strdup(link->hub, "*");
AddListItem(link, conf_link);
AppendListItem(link, conf_link);
return 0;
}
@@ -7663,6 +7703,8 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
else if (!strcmp(cep->ce_varname, "anti-flood")) {
for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next)
{
int lag_penalty = -1;
int lag_penalty_bytes = -1;
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
{
if (!strcmp(ceppp->ce_varname, "handshake-data-flood"))
@@ -7697,6 +7739,16 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
{
config_parse_flood_generic(ceppp->ce_vardata, &tempiConf, cepp->ce_varname, FLD_KNOCK);
}
else if (!strcmp(ceppp->ce_varname, "lag-penalty"))
{
lag_penalty = atoi(ceppp->ce_vardata);
}
else if (!strcmp(ceppp->ce_varname, "lag-penalty-bytes"))
{
lag_penalty_bytes = config_checkval(ceppp->ce_vardata, CFG_SIZE);
if (lag_penalty_bytes <= 0)
lag_penalty_bytes = INT_MAX;
}
else if (!strcmp(ceppp->ce_varname, "connect-flood"))
{
int cnt, period;
@@ -7734,6 +7786,13 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
}
}
}
if ((lag_penalty != -1) && (lag_penalty_bytes != -1))
{
/* We use a hack here to make it fit our storage format */
char buf[64];
snprintf(buf, sizeof(buf), "%d:%d", lag_penalty_bytes, lag_penalty);
config_parse_flood_generic(buf, &tempiConf, cepp->ce_varname, FLD_LAG_PENALTY);
}
}
}
else if (!strcmp(cep->ce_varname, "options")) {
@@ -8485,22 +8544,27 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
}
else if (!strcmp(cep->ce_varname, "anti-flood"))
{
int anti_flood_warned_old = 0;
int anti_flood_old = 0;
int anti_flood_old_and_default = 0;
for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next)
{
int has_lag_penalty = 0;
int has_lag_penalty_bytes = 0;
/* Test for old options: */
if (flood_option_is_old(cepp->ce_varname))
{
/* Warn only once per block: */
if (anti_flood_warned_old == 0)
/* Special code if the user is using 100% of the defaults */
if (cepp->ce_vardata &&
((!strcmp(cepp->ce_varname, "nick-flood") && !strcmp(cepp->ce_vardata, "3:60")) ||
(!strcmp(cepp->ce_varname, "connect-flood") && cepp->ce_vardata && !strcmp(cepp->ce_vardata, "3:60")) ||
(!strcmp(cepp->ce_varname, "away-flood") && cepp->ce_vardata && !strcmp(cepp->ce_vardata, "4:120"))))
{
config_error("%s:%d: the set::anti-flood block has been reorganized to be more flexible. "
"See https://www.unrealircd.org/docs/FAQ#new-anti-flood-block for how to update your block. "
"Or simply remove all the anti-flood options from the conf to use UnrealIRCds defaults.",
cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum);
anti_flood_warned_old = 1;
errors++;
anti_flood_old_and_default = 1;
} else
{
anti_flood_old = 1;
}
continue;
}
@@ -8569,7 +8633,7 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
!strcmp(ceppp->ce_varname, "unknown-flood-bantime"))
{
config_error("%s:%i: set::anti-flood::%s: this setting has been moved. "
"See https://www.unrealircd.org/docs/Set_block#set::anti-flood::handshake-data-flood",
"See https://www.unrealircd.org/docs/Anti-flood_settings#handshake-data-flood",
ceppp->ce_fileptr->cf_filename, ceppp->ce_varlinenum, ceppp->ce_varname);
errors++;
continue;
@@ -8701,6 +8765,24 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
errors++;
}
}
else if (!strcmp(ceppp->ce_varname, "lag-penalty"))
{
int v;
CheckNull(ceppp);
v = atoi(ceppp->ce_vardata);
has_lag_penalty = 1;
if ((v < 0) || (v > 10000))
{
config_error("%s:%i: set::anti-flood::%s::lag-penalty: value is in milliseconds and should be between 0 and 10000",
ceppp->ce_fileptr->cf_filename, ceppp->ce_varlinenum, cepp->ce_varname);
errors++;
}
}
else if (!strcmp(ceppp->ce_varname, "lag-penalty-bytes"))
{
has_lag_penalty_bytes = 1;
CheckNull(ceppp);
}
else if (!strcmp(ceppp->ce_varname, "connect-flood"))
{
int cnt, period;
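Review bot: The `lag-penalty-bytes` branch only sets `has_lag_penalty_bytes` and runs `CheckNull(ceppp)`, while `lag-penalty` right above it gets a range check. A value that does not parse as a size passes the test, and the `_conf_set` side of this patch then maps any result `<= 0` to `INT_MAX`. Validate the value here with `config_checkval(ceppp->ce_vardata, CFG_SIZE)` and reject or explicitly document non-positive values.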
@@ -8762,6 +8844,32 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
continue;
}
}
if (has_lag_penalty+has_lag_penalty_bytes == 1)
{
config_error("%s:%i: set::anti-flood::%s: if you use lag-penalty then you must also add an lag-penalty-bytes item (and vice-versa)",
cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, cepp->ce_varname);
errors++;
}
}
/* Now the warnings: */
if (anti_flood_old == 1)
{
config_warn("%s:%d: the set::anti-flood block has been reorganized to be more flexible. "
"Your custom anti-flood settings have NOT been read.",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
config_warn("See https://www.unrealircd.org/docs/Anti-flood_settings for the new block style,");
config_warn("OR: simply remove all the anti-flood options from the conf to get rid of this "
"warning and use the built-in defaults.");
} else
if (anti_flood_old_and_default == 1)
{
config_warn("%s:%d: the set::anti-flood block has been reorganized to be more flexible.",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
config_warn("To fix this warning, delete the anti-flood block from your configuration file "
"(file %s around line %d), this will make UnrealIRCd use the built-in defaults.",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
config_warn("If you want to learn more about the new functionality you can visit "
"https://www.unrealircd.org/docs/Anti-flood_settings");
}
}
else if (!strcmp(cep->ce_varname, "options")) {
@@ -9971,7 +10079,7 @@ int _conf_deny_link(ConfigFile *conf, ConfigEntry *ce)
{
if (!strcmp(cep->ce_varname, "mask"))
{
safe_strdup(deny->mask, cep->ce_vardata);
unreal_add_masks(&deny->mask, cep);
}
else if (!strcmp(cep->ce_varname, "rule"))
{
@@ -10114,64 +10222,76 @@ int _test_deny(ConfigFile *conf, ConfigEntry *ce)
char has_mask = 0, has_rule = 0, has_type = 0;
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (config_is_blankorempty(cep, "deny link"))
if (!cep->ce_entries)
{
errors++;
continue;
}
if (!strcmp(cep->ce_varname, "mask"))
{
if (has_mask)
if (config_is_blankorempty(cep, "deny link"))
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link::mask");
continue;
}
has_mask = 1;
}
else if (!strcmp(cep->ce_varname, "rule"))
{
int val = 0;
if (has_rule)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link::rule");
continue;
}
has_rule = 1;
if ((val = crule_test(cep->ce_vardata)))
{
config_error("%s:%i: deny link::rule contains an invalid expression: %s",
cep->ce_fileptr->cf_filename,
cep->ce_varlinenum,
crule_errstring(val));
errors++;
}
}
else if (!strcmp(cep->ce_varname, "type"))
{
if (has_type)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link::type");
continue;
}
has_type = 1;
if (!strcmp(cep->ce_vardata, "auto"))
;
else if (!strcmp(cep->ce_vardata, "all"))
;
else {
config_status("%s:%i: unknown deny link type",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
else if (!strcmp(cep->ce_varname, "mask"))
{
has_mask = 1;
} else if (!strcmp(cep->ce_varname, "rule"))
{
int val = 0;
if (has_rule)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link::rule");
continue;
}
has_rule = 1;
if ((val = crule_test(cep->ce_vardata)))
{
config_error("%s:%i: deny link::rule contains an invalid expression: %s",
cep->ce_fileptr->cf_filename,
cep->ce_varlinenum,
crule_errstring(val));
errors++;
}
}
else if (!strcmp(cep->ce_varname, "type"))
{
if (has_type)
{
config_warn_duplicate(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link::type");
continue;
}
has_type = 1;
if (!strcmp(cep->ce_vardata, "auto"))
;
else if (!strcmp(cep->ce_vardata, "all"))
;
else {
config_status("%s:%i: unknown deny link type",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
errors++;
}
}
else
{
config_error_unknown(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link", cep->ce_varname);
errors++;
}
}
else
{
config_error_unknown(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link", cep->ce_varname);
errors++;
// Sections
if (!strcmp(cep->ce_varname, "mask"))
{
if (cep->ce_vardata || cep->ce_entries)
has_mask = 1;
}
else
{
config_error_unknown(cep->ce_fileptr->cf_filename,
cep->ce_varlinenum, "deny link", cep->ce_varname);
errors++;
continue;
}
}
}
if (!has_mask)
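Review bot: in the "Sections" branch of _test_deny, `if (cep->ce_vardata || cep->ce_entries)` is always true, because that branch is only reached when `cep->ce_entries` is non-NULL. Either set `has_mask = 1` directly or validate the individual sub-entries for blank values, which nothing in this branch does.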
@@ -10355,6 +10475,9 @@ int _test_security_group(ConfigFile *conf, ConfigEntry *ce)
errors++;
}
} else
if (!strcmp(cep->ce_varname, "include-mask"))
{
} else
{
config_error_unknown(cep->ce_fileptr->cf_filename, cep->ce_varlinenum,
"security-group", cep->ce_varname);
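Review bot: the `include-mask` branch in _test_security_group is empty, so an `include-mask` directive with neither a value nor sub-entries passes the config test and later reaches `unreal_add_masks()` in _conf_security_group unvalidated. Add a blank/empty check here (the deny link test uses `config_is_blankorempty()` for the same purpose) and increment `errors` when it fails.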
@@ -10387,6 +10510,10 @@ int _conf_security_group(ConfigFile *conf, ConfigEntry *ce)
DelListItem(s, securitygroups);
AddListItemPrio(s, securitygroups, s->priority);
}
else if (!strcmp(cep->ce_varname, "include-mask"))
{
unreal_add_masks(&s->include_mask, cep);
}
}
return 1;
}
@@ -10513,8 +10640,18 @@ int _test_secret(ConfigFile *conf, ConfigEntry *ce)
{
if (!strcmp(cep->ce_varname, "password"))
{
int n;
has_password = 1;
CheckNull(cep);
if (cep->ce_entries ||
(((n = Auth_AutoDetectHashType(cep->ce_vardata))) && ((n == AUTHTYPE_BCRYPT) || (n == AUTHTYPE_ARGON2))))
{
config_error("%s:%d: you cannot use hashed passwords here, see "
"https://www.unrealircd.org/docs/Secret_block#secret-plaintext",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
errors++;
continue;
}
if (!valid_secret_password(cep->ce_vardata, &err))
{
config_error("%s:%d: secret::password does not meet password complexity requirements: %s",
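Review bot: the `cep->ce_entries ||` half of the new condition in _test_secret produces the message "you cannot use hashed passwords here" for what is a sub-block, not a detected hash, so the error is misleading in that case. Split the two cases or reword the message. Only AUTHTYPE_BCRYPT and AUTHTYPE_ARGON2 are rejected; if Auth_AutoDetectHashType() can report other hashed types, those fall through to valid_secret_password() and are accepted as a plaintext secret.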
@@ -11254,7 +11391,7 @@ void link_generator(void)
if (!port)
{
printf("You don't have any listen { } blocks that are serversonly.\n");
printf("You don't have any listen { } blocks that are serversonly (and have tls enabled).\n");
printf("It is recommended to have at least one. Add this to your configuration file:\n");
printf("listen { ip *; port 6900; options { tls; serversonly; }; };\n");
exit(1);
+23
@@ -649,6 +649,13 @@ int crashreport_send(char *fname)
if ((n < 0) || strncmp(buf, "HTTP/1.1 100", 12))
{
printf("Error transmitting bug report (stage II, n=%d)\n", n);
if (!strncmp(buf, "HTTP/1.1 403", 12))
{
printf("Your crash report was rejected automatically.\n"
"This normally means your UnrealIRCd version is too old and unsupported.\n"
"Chances are that your crash issue is already fixed in a later release.\n"
"Check https://www.unrealircd.org/ for latest releases!\n");
}
return 0;
}
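Review bot: the new `strncmp(buf, "HTTP/1.1 403", 12)` check in crashreport_send also runs when the branch was entered because `n < 0`, in which case `buf` does not hold a response from this read. Guard it with `n >= 12` so the "rejected automatically" text is printed only for a real 403 reply.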
@@ -758,6 +765,22 @@ void report_crash(void)
if (!fname)
return;
if (time(NULL) > 1688169600)
{
printf("Crash report generated in '%s' but NOT sent.\n\n"
"UnrealIRCd 5 is no longer supported since July 1, 2023.\n"
"All support stopped after that date. You had 18+ months to upgrade.\n"
"See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL.\n",
fname);
return;
} else
if (time(NULL) > 1656633600)
{
printf("WARNING: UnrealIRCd 5 is only receiving security fixes until July 1, 2023.\n"
" See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL\n");
/* continue below.. */
}
if (thirdpartymods == 0)
thirdpartymods = check_third_party_mods_present();
#ifndef _WIN32
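Review bot: the cut-off dates in report_crash are bare epoch literals (`1688169600`, `1656633600`) with nothing tying them to the dates quoted in the messages. Define named constants with the date in a comment (both values are July 1, 00:00 UTC, of 2023 and 2022), and read `time(NULL)` once into a local so both comparisons use the same value.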
+6 -5
@@ -87,10 +87,7 @@ static void unrealdns_sock_state_cb(void *data, ares_socket_t fd, int read, int
if (!read && !write)
{
/* Socket is going to be closed *BY C-ARES*..
* so don't call fd_close() but fd_unmap().
*/
fd_unmap(fd);
fd_close(fd);
return;
}
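Review bot: in unrealdns_sock_state_cb the comment explaining that c-ares closes the socket is dropped while the call becomes `fd_close(fd)`, which now reads as if we close a socket we do not own. The call is only safe because unrealdns_sock_create_cb registers the fd with FDCLOSE_NONE; keep a one-line comment at this call site saying so.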
@@ -108,7 +105,11 @@ static void unrealdns_sock_state_cb(void *data, ares_socket_t fd, int read, int
*/
static int unrealdns_sock_create_cb(ares_socket_t fd, int type, void *data)
{
fd_open(fd, "DNS Resolver Socket");
/* NOTE: We use FDCLOSE_NONE here because c-ares
* will take care of the closing. So *WE* must
* never close the socket.
*/
fd_open(fd, "DNS Resolver Socket", FDCLOSE_NONE);
return ARES_SUCCESS;
}
+37 -14
@@ -24,7 +24,14 @@
*/
FDEntry fd_table[MAXCONNECTIONS + 1];
int fd_open(int fd, const char *desc)
/** Notify I/O engine that a file descriptor opened.
* @param fd The file descriptor
* @param desc Description for in the fd table
* @param close_method Tell what a subsequent call to fd_close() should do,
* eg close the socket, file or don't close anything.
* @returns The file descriptor 'fd' or -1 in case of fatal error.
*/
int fd_open(int fd, const char *desc, FDCloseMethod close_method)
{
FDEntry *fde;
@@ -46,6 +53,7 @@ int fd_open(int fd, const char *desc)
fde->fd = fd;
fde->is_open = 1;
fde->backend_flags = 0;
fde->close_method = close_method;
strlcpy(fde->desc, desc, FD_DESC_SZ);
return fde->fd;
@@ -71,13 +79,21 @@ int fd_fileopen(const char *path, unsigned int flags)
snprintf(comment, sizeof comment, "File: %s", unreal_getfilename(pathbuf));
return fd_open(fd, comment);
return fd_open(fd, comment, FDCLOSE_FILE);
}
int fd_unmap(int fd)
/** Internal function to unmap and optionally close the fd.
*/
/** Remove file descriptor from our table and possibly close the fd.
* The fd is closed (or not) according to the method specified in fd_open().
* @param fd The file descriptor
* @returns 1 on success, 0 on failure
*/
int fd_close(int fd)
{
FDEntry *fde;
unsigned int befl;
FDCloseMethod close_method;
if ((fd < 0) || (fd >= MAXCONNECTIONS))
{
@@ -105,6 +121,7 @@ int fd_unmap(int fd)
}
befl = fde->backend_flags;
close_method = fde->close_method;
memset(fde, 0, sizeof(FDEntry));
fde->fd = fd;
@@ -112,18 +129,24 @@ int fd_unmap(int fd)
/* only notify the backend if it is actively tracking the FD */
if (befl)
fd_refresh(fd);
/* Finally, close the file or socket if requested to do so */
switch (close_method)
{
case FDCLOSE_SOCKET:
CLOSE_SOCK(fd);
break;
case FDCLOSE_FILE:
close(fd);
break;
case FDCLOSE_NONE:
default:
break;
}
return 1;
}
void fd_close(int fd)
{
if (!fd_unmap(fd))
return;
CLOSE_SOCK(fd);
}
/* Deregister I/O notification for this file descriptor */
void fd_unnotify(int fd)
{
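Review bot: the `default:` label in the new switch in fd_close shares the FDCLOSE_NONE case, so an entry whose `close_method` holds an unexpected value is dropped from the table without closing the descriptor and without any trace. Log in `default:` so a leaked descriptor gets noticed. The results of `CLOSE_SOCK(fd)` and `close(fd)` are ignored as well, although the function now returns a status.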
@@ -150,7 +173,7 @@ int fd_socket(int family, int type, int protocol, const char *desc)
if (fd < 0)
return -1;
return fd_open(fd, desc);
return fd_open(fd, desc, FDCLOSE_SOCKET);
}
int fd_accept(int sockfd)
@@ -162,7 +185,7 @@ int fd_accept(int sockfd)
if (fd < 0)
return -1;
return fd_open(fd, buf);
return fd_open(fd, buf, FDCLOSE_SOCKET);
}
void fd_desc(int fd, const char *desc)
+1 -14
@@ -289,12 +289,7 @@ void init_hash(void)
memset(channelTable, 0, sizeof(channelTable));
memset(watchTable, 0, sizeof(watchTable));
memset(ThrottlingHash, 0, sizeof(ThrottlingHash));
/* do not call init_throttling() here, as
* config file has not been read yet.
* The hash table is ready, anyway.
*/
if (strcmp(BASE_VERSION, &unreallogo[337]))
loop.tainted = 1;
@@ -465,7 +460,7 @@ Client *hash_find_nickatserver(const char *str, Client *def)
if (serv)
*serv++ = '\0';
client = find_client(nick, NULL);
client = find_person(nick, NULL);
if (!client)
return NULL; /* client not found */
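Review bot: switching hash_find_nickatserver from `find_client(nick, NULL)` to `find_person(nick, NULL)` narrows what the lookup can return, and nothing in the hunk documents it. State in the function comment that only users are returned and check that no caller relied on other client types being found by this function.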
@@ -925,14 +920,6 @@ void update_throttling_timer_settings(void)
EventMod(EventFind("throttling_check_expire"), &eInfo);
}
void init_throttling()
{
EventAdd(NULL, "throttling_check_expire", throttling_check_expire, NULL, 123456, 0);
/* Note: the every_ms value (123,456) will be adjusted on boot and rehash
* via the update_throttling_timer_settings() function.
*/
}
uint64_t hash_throttling(char *ip)
{
return siphash(ip, siphashkey_throttling) % THROTTLING_HASH_TABLE_SIZE;
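Review bot: with init_throttling() removed, the `throttling_check_expire` event has to be registered somewhere else before update_throttling_timer_settings() runs, because that function passes the result of `EventFind("throttling_check_expire")` straight into `EventMod()` with no NULL check. The replacement EventAdd is not in this hunk; point to it in the commit or add the check.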
+23 -51
@@ -273,49 +273,6 @@ EVENT(garbage_collect)
loop.do_garbage_collect = 0;
}
/** Perform autoconnect to servers that are not linked yet. */
EVENT(try_connections)
{
ConfigItem_link *aconf;
ConfigItem_deny_link *deny;
Client *client;
int confrq;
ConfigItem_class *class;
for (aconf = conf_link; aconf; aconf = aconf->next)
{
/* We're only interested in autoconnect blocks that are valid. Also, we ignore temporary link blocks. */
if (!(aconf->outgoing.options & CONNECT_AUTO) || !aconf->outgoing.hostname || (aconf->flag.temporary == 1))
continue;
class = aconf->class;
/* Only do one connection attempt per <connfreq> seconds (for the same server) */
if ((aconf->hold > TStime()))
continue;
confrq = class->connfreq;
aconf->hold = TStime() + confrq;
client = find_client(aconf->servername, NULL);
if (client)
continue; /* Server already connected (or connecting) */
if (class->clients >= class->maxclients)
continue; /* Class is full */
/* Check connect rules to see if we're allowed to try the link */
for (deny = conf_deny_link; deny; deny = deny->next)
if (match_simple(deny->mask, aconf->servername) && crule_eval(deny->rule))
break;
if (!deny && connect_server(aconf, NULL, NULL) == 0)
sendto_ops_and_log("Trying to activate link with server %s[%s]...",
aconf->servername, aconf->outgoing.hostname);
}
}
/** Does this user match any TKL's? */
int match_tkls(Client *client)
{
@@ -388,11 +345,7 @@ EVENT(handshake_timeout)
if (client->local->firsttime && ((TStime() - client->local->firsttime) > iConf.handshake_timeout))
{
if (client->serv && *client->serv->by)
{
/* If this is a handshake timeout to an outgoing server then notify ops & log it */
sendto_ops_and_log("Connection handshake timeout while trying to link to server '%s' (%s)",
client->name, client->ip?client->ip:"<unknown ip>");
}
continue; /* handled by server module */
exit_client(client, NULL, "Registration Timeout");
continue;
@@ -533,6 +486,18 @@ EVENT(check_deadsockets)
}
}
EVENT(deprecated_notice)
{
/* Send a warning to opers currently online every week after January 1, 2023 */
if (TStime() > 1672527600)
{
char *msg = "[WARNING] UnrealIRCd 5.x is no longer supported after July 1, 2023. "
"See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL";
sendto_realops("%s", msg);
ircd_log(LOG_ERROR, "%s", msg);
}
}
/*
** bad_command
** This is called when the commandline is not acceptable.
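Review bot: `1672527600` in deprecated_notice is 2022-12-31 23:00 UTC, that is midnight in UTC+1, while the crash reporter cut-offs in this same change are UTC midnights; pick one convention and use named constants for all of them. The comment promises a warning "every week", but the interval is set wherever the event is added, which is not in this hunk. `msg` should be declared `const char *`.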
@@ -919,6 +884,7 @@ int InitUnrealIRCd(int argc, char *argv[])
dbuf_init();
initlists();
early_init_ssl();
#ifdef USE_LIBCURL
url_init();
#endif
@@ -1170,7 +1136,6 @@ int InitUnrealIRCd(int argc, char *argv[])
(void)chmod(CPATH, DEFAULT_PERMISSIONS);
#endif
init_dynconf();
early_init_ssl();
/*
* Add default class
*/
@@ -1224,6 +1189,13 @@ int InitUnrealIRCd(int argc, char *argv[])
#ifndef _WIN32
fprintf(stderr, "Dynamic configuration initialized.. booting IRCd.\n");
#endif
/* Warn about this starting September 1, 2022 (9 months in advance) */
if (time(NULL) > 1661983200)
{
fprintf(stderr, "\n"
"[WARNING] UnrealIRCd 5.x is no longer supported after July 1, 2023.\n"
" See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL\n\n");
}
open_debugfile();
me.local->port = 6667; /* pointless? */
init_sys();
@@ -1287,7 +1259,6 @@ int InitUnrealIRCd(int argc, char *argv[])
fix_timers();
write_pidfile();
Debug((DEBUG_NOTICE, "Server ready..."));
init_throttling();
loop.ircd_booted = 1;
#if defined(HAVE_SETPROCTITLE)
setproctitle("%s", me.name);
@@ -1355,7 +1326,8 @@ void SocketLoop(void *dummy)
}
if (doreloadcert)
{
reinit_ssl(NULL);
reinit_tls();
sendto_realops_and_log("Reloading all SSL related data (./unrealircd reloadtls)");
doreloadcert = 0;
}
}
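Review bot: the notice added after `reinit_tls()` in SocketLoop is sent unconditionally and says "SSL related data" although the function and the command it names both use "tls". If reinit_tls() can fail, report the outcome rather than a fixed message, and write "TLS" for consistency.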
+199 -28
@@ -584,7 +584,7 @@ static void recurse_send_quits(Client *cptr, Client *client, Client *from, Clien
recurse_send_quits(cptr, acptr, from, to, mtags, comment, splitstr);
}
if (cptr == client && to != from)
if (cptr == client && to != from && !(to->direction && (to->direction == from)))
sendto_one(to, mtags, "SQUIT %s :%s", client->name, comment);
}
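Review bot: the added clause `!(to->direction && (to->direction == from))` in recurse_send_quits has no comment, and the reason for suppressing the SQUIT to that peer is not obvious from the code. Add a sentence saying which link this excludes and why.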
@@ -700,6 +700,16 @@ static void exit_one_client(Client *client, MessageTag *mtags_i, const char *com
* @param comment The (s)quit message
*/
void exit_client(Client *client, MessageTag *recv_mtags, char *comment)
{
exit_client_ex(client, client->direction, recv_mtags, comment);
}
/** Exit this IRC client, and all the dependents (users, servers) if this is a server.
* @param client The client to exit.
* @param recv_mtags Message tags to use as a base (if any).
* @param comment The (s)quit message
*/
void exit_client_ex(Client *client, Client *origin, MessageTag *recv_mtags, char *comment)
{
long long on_for;
ConfigItem_listen *listen_conf;
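Review bot: the doc comment on exit_client_ex() is a copy of the one on exit_client() and has no `@param origin`. Document what `origin` means and when a caller should pass something other than `client->direction`, since it ends up as the second argument of remove_dependents().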
@@ -813,7 +823,7 @@ void exit_client(Client *client, MessageTag *recv_mtags, char *comment)
else
ircsnprintf(splitstr, sizeof splitstr, "%s %s", client->srvptr->name, client->name);
remove_dependents(client, client->direction, recv_mtags, comment, splitstr);
remove_dependents(client, origin, recv_mtags, comment, splitstr);
RunHook2(HOOKTYPE_SERVER_QUIT, client, recv_mtags);
}
@@ -1137,23 +1147,102 @@ void unreal_add_masks(ConfigItem_mask **head, ConfigEntry *ce)
}
}
/** Check if a client matches any of the masks in the mask list */
int unreal_mask_match(Client *client, ConfigItem_mask *m)
/** Check if a client matches any of the masks in the mask list.
* The following rules apply:
* - If you have only negating entries, like '!abc' and '!def', then
* we assume an implicit * rule first, since that is clearly what
* the user wants.
* - If you have a mix, like '*.com', '!irc1*', '!irc2*' then the
* implicit * is dropped and we assume you only want to match *.com,
* with the exception of irc1*.com and irc2*.com.
* - If you only have normal entries without ! then things are
* as they always are.
* @param client The client to run the mask match against
* @param mask The mask entry from the config file
* @returns 1 on match, 0 on non-match.
*/
int unreal_mask_match(Client *client, ConfigItem_mask *mask)
{
for (; m; m = m->next)
int retval = 1;
ConfigItem_mask *m;
if (!mask)
return 0; /* Empty mask block is no match */
/* First check normal matches (without ! prefix) */
for (m = mask; m; m = m->next)
{
/* With special support for '!' prefix (negative matching like "!192.168.*") */
if (m->mask[0] == '!')
if (m->mask[0] != '!')
{
if (!match_user(m->mask+1, client, MATCH_CHECK_REAL))
return 1;
} else {
if (match_user(m->mask, client, MATCH_CHECK_REAL))
return 1;
retval = 0; /* no implicit * */
if (match_user(m->mask, client, MATCH_CHECK_REAL|MATCH_CHECK_EXTENDED))
{
retval = 1;
break;
}
}
}
return 0;
if (retval)
{
/* We matched. Check for exceptions (with ! prefix) */
for (m = mask; m; m = m->next)
{
if ((m->mask[0] == '!') && match_user(m->mask+1, client, MATCH_CHECK_REAL|MATCH_CHECK_EXTENDED))
return 0;
}
}
return retval;
}
/** Check if a string matches any of the masks in the mask list.
* The following rules apply:
* - If you have only negating entries, like '!abc' and '!def', then
* we assume an implicit * rule first, since that is clearly what
* the user wants.
* - If you have a mix, like '*.com', '!irc1*', '!irc2*' then the
* implicit * is dropped and we assume you only want to match *.com,
* with the exception of irc1*.com and irc2*.com.
* - If you only have normal entries without ! then things are
* as they always are.
* @param name The name to run the mask matching on
* @param mask The mask entry from the config file
* @returns 1 on match, 0 on non-match.
*/
int unreal_mask_match_string(const char *name, ConfigItem_mask *mask)
{
int retval = 1;
ConfigItem_mask *m;
if (!mask)
return 0; /* Empty mask block is no match */
/* First check normal matches (without ! prefix) */
for (m = mask; m; m = m->next)
{
if (m->mask[0] != '!')
{
retval = 0; /* no implicit * */
if (match_simple(m->mask, name))
{
retval = 1;
break;
}
}
}
if (retval)
{
/* We matched. Check for exceptions (with ! prefix) */
for (m = mask; m; m = m->next)
{
if ((m->mask[0] == '!') && match_simple(m->mask+1, name))
return 0;
}
}
return retval;
}
/** Our own strcasestr implementation because strcasestr is
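Review bot: unreal_mask_match() changes the meaning of existing mask lists. A '!' entry used to be an independent match (the function returned 1 when the client did not match it); it is now an exception applied after the positive entries, and entries are additionally matched with MATCH_CHECK_EXTENDED. Every config block that takes a mask list can decide differently for mixed lists after this, so the change belongs in the release notes and deserves a test per rule listed in the comment. unreal_mask_match_string() repeats the same two loops; a shared helper taking the match function would keep the two in step. A mask consisting only of `!` reaches the matcher as an empty pattern through `m->mask+1`.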
@@ -1804,19 +1893,31 @@ void binarytohex(void *data, size_t len, char *str)
str[n] = '\0';
}
/** Generates an MD5 checksum.
/** Generates an MD5 checksum - binary version.
* @param mdout[out] Buffer to store result in, the result will be 16 bytes in binary
* (not ascii printable!).
* @param src[in] The input data used to generate the checksum.
* @param n[in] Length of data.
* @deprecated The MD5 algorithm is deprecated and insecure,
* so only use this if absolutely needed.
*/
void DoMD5(char *mdout, const char *src, unsigned long n)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
unsigned int md_len;
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
if (EVP_DigestInit_ex(mdctx, md5_function, NULL) != 1)
abort();
EVP_DigestUpdate(mdctx, src, n);
EVP_DigestFinal_ex(mdctx, mdout, &md_len);
EVP_MD_CTX_free(mdctx);
#else
MD5_CTX hash;
MD5_Init(&hash);
MD5_Update(&hash, src, n);
MD5_Final(mdout, &hash);
#endif
}
/** Generates an MD5 checksum - ASCII printable string (0011223344..etc..).
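Review bot: in the OpenSSL 3 branch of DoMD5, `EVP_MD_CTX_new()` is not checked for NULL and the results of `EVP_DigestUpdate()` and `EVP_DigestFinal_ex()` are ignored, so a failure leaves `mdout` unwritten while the caller carries on. Handle them the same way as the `EVP_DigestInit_ex()` failure. `mdout` is `char *` while `EVP_DigestFinal_ex()` takes `unsigned char *`; add the cast.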
@@ -1824,6 +1925,8 @@ void DoMD5(char *mdout, const char *src, unsigned long n)
* 32 characters + nul terminator, so needs to be at least 33 characters.
* @param src[in] The input data used to generate the checksum.
* @param n[in] Length of data.
* @deprecated The MD5 algorithm is deprecated and insecure,
* so only use this if absolutely needed.
*/
char *md5hash(char *dst, const char *src, unsigned long n)
{
@@ -1834,6 +1937,32 @@ char *md5hash(char *dst, const char *src, unsigned long n)
return dst;
}
/** Generates a SHA256 checksum - binary version.
* Most people will want to use sha256hash() instead which outputs hex.
* @param dst[out] Buffer to store result in, which needs to be 32 bytes in length
* (SHA256_DIGEST_LENGTH).
* @param src[in] The input data used to generate the checksum.
* @param n[in] Length of data.
*/
void sha256hash_binary(char *dst, const char *src, unsigned long n)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
unsigned int md_len;
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
if (EVP_DigestInit_ex(mdctx, sha256_function, NULL) != 1)
abort();
EVP_DigestUpdate(mdctx, src, n);
EVP_DigestFinal_ex(mdctx, dst, &md_len);
EVP_MD_CTX_free(mdctx);
#else
SHA256_CTX hash;
SHA256_Init(&hash);
SHA256_Update(&hash, src, n);
SHA256_Final(dst, &hash);
#endif
}
/** Generates a SHA256 checksum - ASCII printable string (0011223344..etc..).
* @param dst[out] Buffer to store result in, which needs to be 65 bytes minimum.
* @param src[in] The input data used to generate the checksum.
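Review bot: sha256hash_binary() repeats the EVP sequence from DoMD5 line for line with only the digest (`sha256_function`) changed, and the same sequence appears a third time in sha1hash_binary(). One static helper that takes the `EVP_MD` pointer and the output buffer would remove the triplication and give a single place for error handling.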
@@ -1841,12 +1970,9 @@ char *md5hash(char *dst, const char *src, unsigned long n)
*/
char *sha256hash(char *dst, const char *src, unsigned long n)
{
SHA256_CTX hash;
char binaryhash[SHA256_DIGEST_LENGTH];
SHA256_Init(&hash);
SHA256_Update(&hash, src, n);
SHA256_Final(binaryhash, &hash);
sha256hash_binary(binaryhash, src, n);
binarytohex(binaryhash, sizeof(binaryhash), dst);
return dst;
}
@@ -1860,22 +1986,68 @@ char *sha256sum_file(const char *fname)
char binaryhash[SHA256_DIGEST_LENGTH];
static char hexhash[SHA256_DIGEST_LENGTH*2+1];
int n;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
unsigned int md_len;
EVP_MD_CTX *mdctx;
mdctx = EVP_MD_CTX_new();
if (EVP_DigestInit_ex(mdctx, sha256_function, NULL) != 1)
abort();
#else
SHA256_Init(&hash);
#endif
fd = fopen(fname, "rb");
if (!fd)
return NULL;
SHA256_Init(&hash);
while ((n = fread(buf, 1, sizeof(buf), fd)) > 0)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_DigestUpdate(mdctx, buf, n);
#else
SHA256_Update(&hash, buf, n);
#endif
}
fclose(fd);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_DigestFinal_ex(mdctx, binaryhash, &md_len);
EVP_MD_CTX_free(mdctx);
#else
SHA256_Final(binaryhash, &hash);
#endif
binarytohex(binaryhash, sizeof(binaryhash), hexhash);
return hexhash;
}
/** Generates a SHA1 checksum - binary version.
* @param dst[out] Buffer to store result in, which needs to be 32 bytes in length
* (SHA1_DIGEST_LENGTH).
* @param src[in] The input data used to generate the checksum.
* @param n[in] Length of data.
* @deprecated The SHA1 algorithm is deprecated and insecure,
* so only use this if absolutely needed.
*/
void sha1hash_binary(char *dst, const char *src, unsigned long n)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
unsigned int md_len;
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
if (EVP_DigestInit_ex(mdctx, sha1_function, NULL) != 1)
abort();
EVP_DigestUpdate(mdctx, src, n);
EVP_DigestFinal_ex(mdctx, dst, &md_len);
EVP_MD_CTX_free(mdctx);
#else
SHA_CTX hash;
SHA1_Init(&hash);
SHA1_Update(&hash, src, n);
SHA1_Final(dst, &hash);
#endif
}
/** Remove a suffix from a filename, eg ".c" (if it is present) */
char *filename_strip_suffix(const char *fname, const char *suffix)
{
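Review bot: sha256sum_file() now allocates `mdctx` with `EVP_MD_CTX_new()` before `fopen()`, and the `if (!fd) return NULL;` path returns without `EVP_MD_CTX_free(mdctx)`, leaking the context for every file that cannot be opened. Open the file first or free on that path. In the sha1hash_binary() comment the buffer size is given as 32 bytes and `SHA1_DIGEST_LENGTH`; a SHA1 digest is 20 bytes and the OpenSSL constant is `SHA_DIGEST_LENGTH`.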
@@ -1922,17 +2094,16 @@ int filename_has_suffix(const char *fname, const char *suffix)
return 0;
}
/** Check if the specified file exists */
/** Check if the specified file or directory exists */
int file_exists(char *file)
{
FILE *fd;
fd = fopen(file, "r");
if (!fd)
return 0;
fclose(fd);
return 1;
#ifdef _WIN32
if (_access(file, 0) == 0)
#else
if (access(file, 0) == 0)
#endif
return 1;
return 0;
}
/** Get the file creation time */
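Review bot: file_exists() now answers a different question: `access(file, 0)` succeeds for directories and for files the process cannot read, where the old `fopen(file, "r")` probe returned 0. Callers that used it as a "can I open this" check need a look. On the POSIX branch use `F_OK` instead of the literal `0`.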
+1 -1
@@ -70,7 +70,7 @@ int account_notify_account_login(Client *client, MessageTag *recv_mtags)
CAP_ACCOUNT_NOTIFY, mtags,
":%s ACCOUNT %s",
client->name,
!isdigit(*client->user->svid) ? client->user->svid : "*");
IsLoggedIn(client) ? client->user->svid : "*");
free_message_tags(mtags);
return 0;
}
+1 -1
@@ -87,7 +87,7 @@ void mtag_add_account(Client *client, MessageTag *recv_mtags, MessageTag **mtag_
{
MessageTag *m;
if (client && client->user && (*client->user->svid != '*') && !isdigit(*client->user->svid))
if (IsLoggedIn(client))
{
m = safe_alloc(sizeof(MessageTag));
safe_strdup(m->name, "account");
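Review bot: the old condition in mtag_add_account checked `client && client->user` before reading `svid`; the replacement `IsLoggedIn(client)` is only equivalent if the macro performs those NULL checks itself. Its definition is not part of this hunk; keep the guards here if it does not.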
+20
@@ -33,6 +33,7 @@ struct {
int enabled;
MultiLine *message;
MultiLine *fail_message;
MultiLine *unconfirmed_message;
} cfg;
/** User struct */
@@ -133,12 +134,18 @@ static void config_postdefaults(void)
{
addmultiline(&cfg.fail_message, "Authentication failed.");
}
if (!cfg.unconfirmed_message)
{
addmultiline(&cfg.unconfirmed_message, "You are trying to use an unconfirmed services account.");
addmultiline(&cfg.unconfirmed_message, "This services account can only be used after it has been activated/confirmed.");
}
}
static void free_config(void)
{
freemultiline(cfg.message);
freemultiline(cfg.fail_message);
freemultiline(cfg.unconfirmed_message);
memset(&cfg, 0, sizeof(cfg)); /* needed! */
}
@@ -171,6 +178,9 @@ int authprompt_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
if (!strcmp(cep->ce_varname, "fail-message"))
{
} else
if (!strcmp(cep->ce_varname, "unconfirmed-message"))
{
} else
{
config_error("%s:%i: unknown directive set::authentication-prompt::%s",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
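Review bot: the `unconfirmed-message` branch of authprompt_config_test is empty, so a directive without a value is accepted, and authprompt_config_run then passes `cep->ce_vardata` to `addmultiline()`. Unless a blank check precedes this chain outside the hunk, reject an empty value here.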
@@ -205,6 +215,10 @@ int authprompt_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
if (!strcmp(cep->ce_varname, "fail-message"))
{
addmultiline(&cfg.fail_message, cep->ce_vardata);
} else
if (!strcmp(cep->ce_varname, "unconfirmed-message"))
{
addmultiline(&cfg.unconfirmed_message, cep->ce_vardata);
}
}
return 1;
@@ -468,6 +482,12 @@ int authprompt_sasl_result(Client *client, int success)
return 1;
}
if (client->user && !IsLoggedIn(client))
{
sendnotice_multiline(client, cfg.unconfirmed_message);
return 1;
}
/* Authentication was a success */
if (*client->name && client->user && *client->user->username && IsNotSpoof(client))
{
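Review bot: the new early return in authprompt_sasl_result needs a comment, because `client->user && !IsLoggedIn(client)` does not say that it means "SASL reported success but the account is unconfirmed". Also state what happens to the client after `return 1`, since the success path below is skipped.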
+22 -2
@@ -27,6 +27,7 @@ int visible_in_channel(Client *client, Channel *channel);
int moded_check_part(Client *client, Channel *channel);
int moded_join(Client *client, Channel *channel);
int moded_part(Client *client, Channel *channel, MessageTag *mtags, char *comment);
int moded_quit(Client *client, MessageTag *mtags, char *comment);
int deny_all(Client *client, Channel *channel, char mode, char *para, int checkt, int what);
int moded_chanmode(Client *client, Channel *channel,
MessageTag *mtags, char *modebuf, char *parabuf, time_t sendts, int samode);
@@ -52,6 +53,7 @@ MOD_INIT()
req.paracount = 0;
req.is_ok = deny_all;
req.flag = 'd';
req.local = 1;
CmodePostDelayed = CmodeAdd(modinfo->handle, req, &EXTMODE_POST_DELAYED);
memset(&mreq, 0, sizeof(mreq));
@@ -76,6 +78,8 @@ MOD_INIT()
HookAdd(modinfo->handle, HOOKTYPE_JOIN_DATA, 0, moded_join);
HookAdd(modinfo->handle, HOOKTYPE_LOCAL_PART, 0, moded_part);
HookAdd(modinfo->handle, HOOKTYPE_REMOTE_PART, 0, moded_part);
HookAdd(modinfo->handle, HOOKTYPE_LOCAL_QUIT, 0, moded_quit);
HookAdd(modinfo->handle, HOOKTYPE_REMOTE_QUIT, 0, moded_quit);
HookAdd(modinfo->handle, HOOKTYPE_PRE_LOCAL_CHANMODE, 0, moded_chanmode);
HookAdd(modinfo->handle, HOOKTYPE_PRE_REMOTE_CHANMODE, 0, moded_chanmode);
HookAdd(modinfo->handle, HOOKTYPE_PRE_CHANMSG, 0, moded_prechanmsg);
@@ -217,7 +221,7 @@ void clear_user_invisible_announce(Channel *channel, Client *client, MessageTag
ircsnprintf(exjoinbuf, sizeof(exjoinbuf), ":%s!%s@%s JOIN %s %s :%s",
client->name, client->user->username, GetHost(client), channel->chname,
!isdigit(*client->user->svid) ? client->user->svid : "*",
IsLoggedIn(client) ? client->user->svid : "*",
client->info);
new_message_special(client, recv_mtags, &mtags, ":%s JOIN %s", client->name, channel->chname);
@@ -280,6 +284,22 @@ int moded_part(Client *client, Channel *channel, MessageTag *mtags, char *commen
return 0;
}
int moded_quit(Client *client, MessageTag *mtags, char *comment)
{
Membership *membership;
Channel *channel;
for (membership = client->user->channel; membership; membership=membership->next)
{
channel = membership->channel;
/* Identical to moded_part() */
if (channel_is_delayed(channel) || channel_is_post_delayed(channel))
clear_user_invisible(channel, client);
}
return 0;
}
int moded_chanmode(Client *client, Channel *channel, MessageTag *recv_mtags, char *modebuf, char *parabuf, time_t sendts, int samode)
{
long CAP_EXTENDED_JOIN = ClientCapabilityBit("extended-join");
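Review bot: moded_quit() dereferences `client->user->channel` without checking `client->user`. If the QUIT hooks can fire for a client that has no user struct this is a NULL dereference; add a guard or a comment stating why it cannot happen. The loop body is marked "Identical to moded_part()", so a small shared helper would stop the two from drifting apart.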
@@ -323,7 +343,7 @@ int moded_chanmode(Client *client, Channel *channel, MessageTag *recv_mtags, cha
sendto_one(user, mtags, ":%s!%s@%s JOIN %s %s :%s",
i->client->name, i->client->user->username, GetHost(i->client),
channel->chname,
!isdigit(*i->client->user->svid) ? i->client->user->svid : "*",
IsLoggedIn(i->client) ? i->client->user->svid : "*",
i->client->info);
} else {
sendto_one(user, mtags, ":%s!%s@%s JOIN :%s", i->client->name, i->client->user->username, GetHost(i->client), channel->chname);
+1 -1
@@ -343,7 +343,7 @@ int write_channel_entry(UnrealDB *db, const char *tmpfname, Channel *channel)
W_SAFE(unrealdb_write_str(db, channel->topic_nick));
W_SAFE(unrealdb_write_int64(db, channel->topic_time));
/* Basic channel modes (eg: +sntkl key 55) */
channel_modes(&me, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel);
channel_modes(&me, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel, 1);
W_SAFE(unrealdb_write_str(db, modebuf));
W_SAFE(unrealdb_write_str(db, parabuf));
/* Mode lock */
+26 -2
@@ -73,6 +73,7 @@ char langsinuse[4096];
#define LANGAV_CYRILLIC_UTF8 0x008000 /* UTF8: cyrillic script */
#define LANGAV_GREEK_UTF8 0x010000 /* UTF8: greek script */
#define LANGAV_HEBREW_UTF8 0x020000 /* UTF8: hebrew script */
#define LANGAV_ARABIC_UTF8 0x040000 /* UTF8: arabic script */
typedef struct LangList LangList;
struct LangList
{
@@ -84,6 +85,7 @@ struct LangList
/* MUST be alphabetized (first column) */
static LangList langlist[] = {
/* { "arabic", "ara", LANGAV_ASCII|LANGAV_ISO8859_6 }, -- TODO: check if this has issues first! */
{ "arabic-utf8", "ara-utf8", LANGAV_ASCII|LANGAV_UTF8|LANGAV_ARABIC_UTF8 },
{ "belarussian-utf8", "blr-utf8", LANGAV_ASCII|LANGAV_UTF8|LANGAV_CYRILLIC_UTF8 },
{ "belarussian-w1251", "blr", LANGAV_ASCII|LANGAV_W1251 },
{ "catalan", "cat", LANGAV_ASCII|LANGAV_LATIN1 },
@@ -313,6 +315,8 @@ int charsys_config_posttest(int *errs)
x++;
if (x > 1)
{
#if 0
// I don't think this should be hard error, right? Some combinations may be problematic, but not all.
if (langav & LANGAV_LATIN_UTF8)
{
config_error("ERROR: set::allowed-nickchars: you cannot combine 'latin-utf8' with any other character set");
@@ -333,8 +337,13 @@ int charsys_config_posttest(int *errs)
config_error("ERROR: set::allowed-nickchars: you cannot combine 'hebrew-utf8' with any other character set");
errors++;
}
config_status("WARNING: set::allowed-nickchars: "
"Mixing of charsets (eg: latin1+latin2) can cause display problems");
if (langav & LANGAV_ARABIC_UTF8)
{
config_error("ERROR: set::allowed-nickchars: you cannot combine 'arabic-utf8' with any other character set");
errors++;
}
#endif
config_status("WARNING: set::allowed-nickchars: Mixing of charsets (eg: latin1+latin2) may cause display problems");
}
*errs = errors;
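Review bot: the `arabic-utf8` combination check is added inside the region disabled by `#if 0`, so it is never compiled, and that region opens with a question in a comment rather than a decision. Either delete the disabled checks or keep them active; as dead code they hide the fact that combining UTF-8 scripts is now only a warning. Mixed scripts also make visually confusable nicknames possible, which the warning text ("may cause display problems") does not mention.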
@@ -1181,6 +1190,19 @@ void charsys_add_language(char *name)
charsys_addmultibyterange(0xc5, 0xc5, 0xaa, 0xab);
charsys_addmultibyterange(0xc5, 0xc5, 0xbd, 0xbe);
}
/* [ARABIC] */
if (latin_utf8 || !strcmp(name, "arabic-utf8"))
{
/* Supplied by Sensiva */
/*charsys_addallowed("اأإآءبتثجحخدذرزسشصضطظعغفقكلمنهؤةويىئ");*/
/*- From U+0621 to U+063A (Regex: [\u0621-\u063A])*/
/* 0xd8a1 - 0xd8ba */
charsys_addmultibyterange(0xd8, 0xd8, 0xa1, 0xba);
/*- From U+0641 to U+064A (Regex: [\u0641-\u064A])*/
/* 0xd981 - 0xd98a */
charsys_addmultibyterange(0xd9, 0xd9, 0x81, 0x8a);
}
}
/** This displays all the nick characters that are permitted */
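Review bot: the condition `latin_utf8 || !strcmp(name, "arabic-utf8")` makes the Arabic ranges part of `latin-utf8` as well, which looks like a leftover from copying the Latin blocks above. If Arabic letters are meant to be allowed only for `arabic-utf8`, drop the `latin_utf8 ||` part. The byte ranges themselves agree with the code points in the comments (U+0621 to U+063A is 0xd8a1 to 0xd8ba, U+0641 to U+064A is 0xd981 to 0xd98a).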
@@ -1250,6 +1272,8 @@ char *charsys_group(int v)
return "Greek script";
if (v & LANGAV_HEBREW_UTF8)
return "Hebrew script";
if (v & LANGAV_ARABIC_UTF8)
return "Arabic script";
return "Other";
}
+128 -29
@@ -16,6 +16,14 @@ ModuleHeader MOD_HEADER
"unrealircd-5",
};
/* Structs */
typedef struct ChatHistoryTarget ChatHistoryTarget;
struct ChatHistoryTarget {
ChatHistoryTarget *prev, *next;
char *datetime;
char *object;
};
/* Forward declarations */
CMD_FUNC(cmd_chathistory);
@@ -65,15 +73,68 @@ int chathistory_token(char *str, char *token, char **store)
return 0;
}
static int chathistory_targets_send_line(Client *client, HistoryResult *r, char *batchid)
static void add_chathistory_target_list(ChatHistoryTarget *new, ChatHistoryTarget **list)
{
ChatHistoryTarget *x, *last = NULL;
if (!*list)
{
/* We are the only item. Easy. */
*list = new;
return;
}
for (x = *list; x; x = x->next)
{
last = x;
if (strcmp(new->datetime, x->datetime) >= 0)
break;
}
if (x)
{
if (x->prev)
{
/* We will insert ourselves just before this item */
new->prev = x->prev;
new->next = x;
x->prev->next = new;
x->prev = new;
} else {
/* We are the new head */
*list = new;
new->next = x;
x->prev = new;
}
} else
{
/* We are the last item */
last->next = new;
new->prev = last;
}
}
static void add_chathistory_target(ChatHistoryTarget **list, HistoryResult *r)
{
MessageTag *m;
time_t ts;
char *datetime;
ChatHistoryTarget *e;
if (!r->log || !((m = find_mtag(r->log->mtags, "time"))) || !m->value)
return;
datetime = m->value;
e = safe_alloc(sizeof(ChatHistoryTarget));
safe_strdup(e->datetime, datetime);
safe_strdup(e->object, r->object);
add_chathistory_target_list(e, list);
}
static void chathistory_targets_send_line(Client *client, ChatHistoryTarget *r, char *batchid)
{
MessageTag *mtags = NULL;
MessageTag *m;
char *ts;
if (!r->log || !((m = find_mtag(r->log->mtags, "time"))) || !m->value)
return 0;
ts = m->value;
if (!BadPtr(batchid))
{
@@ -83,12 +144,10 @@ static int chathistory_targets_send_line(Client *client, HistoryResult *r, char
}
sendto_one(client, mtags, ":%s CHATHISTORY TARGETS %s %s",
me.name, r->object, ts);
me.name, r->object, r->datetime);
if (mtags)
free_message_tags(mtags);
return 1;
}
void chathistory_targets(Client *client, HistoryFilter *filter, int limit)
@@ -97,14 +156,9 @@ void chathistory_targets(Client *client, HistoryFilter *filter, int limit)
HistoryResult *r;
char batch[BATCHLEN+1];
int sent = 0;
ChatHistoryTarget *targets = NULL, *targets_next;
batch[0] = '\0';
if (HasCapability(client, "batch"))
{
/* Start a new batch */
generate_batch_id(batch);
sendto_one(client, NULL, ":%s BATCH +%s draft/chathistory-targets", me.name, batch);
}
/* 1. Grab all information we need */
filter->cmd = HFC_BEFORE;
if (strcmp(filter->timestamp_a, filter->timestamp_b) < 0)
@@ -120,13 +174,31 @@ void chathistory_targets(Client *client, HistoryFilter *filter, int limit)
{
Channel *channel = mp->channel;
r = history_request(channel->chname, filter);
if (r->log && chathistory_targets_send_line(client, r, batch))
if (r)
{
if (++sent >= limit)
break; /* We are done */
add_chathistory_target(&targets, r);
free_history_result(r);
}
free_history_result(r);
r = NULL;
}
/* 2. Now send it to the client */
batch[0] = '\0';
if (HasCapability(client, "batch"))
{
/* Start a new batch */
generate_batch_id(batch);
sendto_one(client, NULL, ":%s BATCH +%s draft/chathistory-targets", me.name, batch);
}
for (; targets; targets = targets_next)
{
targets_next = targets->next;
if (++sent < limit)
chathistory_targets_send_line(client, targets, batch);
safe_free(targets->datetime);
safe_free(targets->object);
safe_free(targets);
}
/* End of batch */
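Review bot: in the send loop, "if (++sent < limit)" pre-increments a counter that starts at 0, so at most limit-1 targets are sent and a limit of 1 sends none; use "if (sent++ < limit)" if limit targets are intended. Collection also no longer stops early, so history_request() now runs for every membership entry before anything is sent, which the sort needs but which deserves a line in the step 1 comment.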
@@ -160,7 +232,7 @@ CMD_FUNC(cmd_chathistory)
return;
}
if (!strcmp(parv[1], "TARGETS"))
if (!strcasecmp(parv[1], "TARGETS"))
{
Membership *mp;
int limit;
@@ -186,17 +258,44 @@ CMD_FUNC(cmd_chathistory)
}
channel = find_channel(parv[2], NULL);
if (!channel || !IsMember(client, channel) || !has_channel_mode(channel, 'H'))
if (!channel)
{
sendto_one(client, NULL, ":%s FAIL CHATHISTORY INVALID_TARGET %s %s :Messages could not be retrieved",
sendto_one(client, NULL, ":%s FAIL CHATHISTORY INVALID_TARGET %s %s :Messages could not be retrieved, not an existing channel",
me.name, parv[1], parv[2]);
return;
}
if (!IsMember(client, channel))
{
sendto_one(client, NULL, ":%s FAIL CHATHISTORY INVALID_TARGET %s %s :Messages could not be retrieved, you are not a member",
me.name, parv[1], parv[2]);
return;
}
if (!has_channel_mode(channel, 'H'))
/* empty history = empty batch */
{
char batch[BATCHLEN+1];
batch[0] = '\0';
if (HasCapability(client, "batch"))
{
/* Start a new batch */
generate_batch_id(batch);
sendto_one(client, NULL, ":%s BATCH +%s chathistory %s", me.name, batch, channel->chname);
}
/* End of batch */
if (*batch)
sendto_one(client, NULL, ":%s BATCH -%s", me.name, batch);
return;
}
filter = safe_alloc(sizeof(HistoryFilter));
/* Below this point, instead of 'return', use 'goto end', which takes care of the freeing of 'filter' and 'history' */
if (!strcmp(parv[1], "BEFORE"))
if (!strcasecmp(parv[1], "BEFORE"))
{
filter->cmd = HFC_BEFORE;
if (!chathistory_token(parv[3], "timestamp", &filter->timestamp_a) &&
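Review bot: the split FAIL replies ("not an existing channel" versus "you are not a member") let a client that is not in a channel tell whether the name exists, which the single generic message did not; if that distinction should stay hidden for channels the client cannot see, keep one INVALID_TARGET text for both cases. The comment "empty history = empty batch" also sits between the if and its opening brace and would read better inside the block.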
@@ -208,7 +307,7 @@ CMD_FUNC(cmd_chathistory)
}
filter->limit = atoi(parv[4]);
} else
if (!strcmp(parv[1], "AFTER"))
if (!strcasecmp(parv[1], "AFTER"))
{
filter->cmd = HFC_AFTER;
if (!chathistory_token(parv[3], "timestamp", &filter->timestamp_a) &&
@@ -220,7 +319,7 @@ CMD_FUNC(cmd_chathistory)
}
filter->limit = atoi(parv[4]);
} else
if (!strcmp(parv[1], "LATEST"))
if (!strcasecmp(parv[1], "LATEST"))
{
filter->cmd = HFC_LATEST;
if (!chathistory_token(parv[3], "timestamp", &filter->timestamp_a) &&
@@ -233,7 +332,7 @@ CMD_FUNC(cmd_chathistory)
}
filter->limit = atoi(parv[4]);
} else
if (!strcmp(parv[1], "AROUND"))
if (!strcasecmp(parv[1], "AROUND"))
{
filter->cmd = HFC_AROUND;
if (!chathistory_token(parv[3], "timestamp", &filter->timestamp_a) &&
@@ -245,7 +344,7 @@ CMD_FUNC(cmd_chathistory)
}
filter->limit = atoi(parv[4]);
} else
if (!strcmp(parv[1], "BETWEEN"))
if (!strcasecmp(parv[1], "BETWEEN"))
{
filter->cmd = HFC_BETWEEN;
if (BadPtr(parv[5]))
+1 -1
@@ -117,7 +117,7 @@ CMD_FUNC(cmd_connect)
/* Evaluate deny link */
for (deny = conf_deny_link; deny; deny = deny->next)
{
if (deny->flag.type == CRULE_ALL && match_simple(deny->mask, aconf->servername)
if (deny->flag.type == CRULE_ALL && unreal_mask_match_string(aconf->servername, deny->mask)
&& crule_eval(deny->rule))
{
sendnotice(client, "*** Connect: Disallowed by connection rule");
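Review bot: the replacement call passes the server name first and deny->mask second, the reverse of the match_simple(deny->mask, aconf->servername) order it replaces; worth confirming against the unreal_mask_match_string() prototype, since a swapped pair would quietly stop deny link rules from matching.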
+7 -6
@@ -25,7 +25,7 @@
ModuleHeader MOD_HEADER
= {
"dccdeny",
"5.0",
"5.2.4",
"command /dccdeny",
"UnrealIRCd Team",
"unrealircd-5",
@@ -517,11 +517,8 @@ int dccdeny_can_send_to_channel(Client *client, Channel *channel, Membership *lp
char *filename = get_dcc_filename(*msg);
if (filename && !can_dcc(client, channel->chname, NULL, filename, &err))
{
if (!IsDead(client) && (sendtype != SEND_TYPE_NOTICE))
{
strlcpy(errbuf, err, sizeof(errbuf));
*errmsg = errbuf;
}
strlcpy(errbuf, err, sizeof(errbuf));
*errmsg = errbuf;
return HOOK_DENY;
}
}
@@ -640,7 +637,11 @@ static int can_dcc(Client *client, char *target, Client *targetcli, char *filena
}
if (match_spamfilter(client, filename, SPAMF_DCC, "PRIVMSG", target, 0, NULL))
{
/* Dirty hack, yeah spamfilter already sent the error message :( */
*errmsg = "";
return 0;
}
if ((fl = dcc_isforbidden(client, filename)))
{
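Review bot: setting *errmsg to an empty string to mean "spamfilter already reported this" only works if every consumer of the result tests the message with BadPtr() rather than for NULL; the "Dirty hack" comment should state that contract. With the strlcpy into errbuf in dccdeny_can_send_to_channel() now unconditional, suppressing the numeric for notices and dead clients rests entirely on the caller.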
+12 -3
@@ -75,8 +75,6 @@ char *extban_account_conv_param(char *para)
acc = retbuf+3;
if (!*acc)
return NULL; /* don't allow "~a:" */
if (!strcmp(acc, "0"))
return NULL; /* ~a:0 would mean ban all non-regged, but we already have +R for that. */
return retbuf;
}
@@ -85,7 +83,18 @@ int extban_account_is_banned(Client *client, Channel *channel, char *banin, int
{
char *ban = banin+3;
if (!strcasecmp(ban, client->user->svid))
/* ~a:0 is special and matches all unauthenticated users */
if (!strcmp(ban, "0") && !IsLoggedIn(client))
return 1;
/* ~a:* matches all authenticated users
* (Yes this special code is needed because svid
* is 0 or * for unauthenticated users)
*/
if (!strcmp(ban, "*") && IsLoggedIn(client))
return 1;
if (match_simple(ban, client->user->svid))
return 1;
return 0;
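Review bot: switching the final comparison from strcasecmp() to match_simple() turns the ban value into a wildcard mask, and per the comment above it svid is 0 or * for unauthenticated users, so a mask such as ~a:? would also match clients that are not logged in. Guard the match_simple() call with IsLoggedIn(client) so that only the explicit ~a:0 case can match unauthenticated users.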
+13 -4
@@ -235,6 +235,7 @@ static void setcfg(struct cfgstruct *cfg)
static void freecfg(struct cfgstruct *cfg)
{
safe_free(cfg->masterdb);
safe_free(cfg->directory);
safe_free(cfg->db_secret);
}
@@ -1142,10 +1143,18 @@ static int hbm_read_masterdb(void)
}
/* Now, safely switch over.. */
safe_free(hbm_prehash);
safe_free(hbm_posthash);
hbm_prehash = prehash;
hbm_posthash = posthash;
if (hbm_prehash && !strcmp(hbm_prehash, prehash) && hbm_posthash && !strcmp(hbm_posthash, posthash))
{
/* Identical sets */
safe_free(prehash);
safe_free(posthash);
} else {
/* Diffferent */
safe_free(hbm_prehash);
safe_free(hbm_posthash);
hbm_prehash = prehash;
hbm_posthash = posthash;
}
return 1;
}
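Review bot: the else-branch comment has a typo ("Diffferent"), and the reason for keeping the existing hbm_prehash and hbm_posthash allocations when the new values are identical is not stated; a one-line comment on why the old pointers must survive would help the next reader.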
+6 -1
@@ -287,7 +287,12 @@ CMD_FUNC(cmd_invite)
/* Notify the person who got invited */
if (!is_silenced(client, target))
{
sendto_prefix_one(target, client, NULL, ":%s INVITE %s :%s", client->name,
MessageTag *mtags = NULL;
new_message(client, NULL, &mtags);
sendto_prefix_one(target, client, mtags, ":%s INVITE %s :%s", client->name,
target->name, channel->chname);
free_message_tags(mtags);
}
}
+3 -3
@@ -198,7 +198,7 @@ void _send_join_to_local_users(Client *client, Channel *channel, MessageTag *mta
ircsnprintf(exjoinbuf, sizeof(exjoinbuf), ":%s!%s@%s JOIN %s %s :%s",
client->name, client->user->username, GetHost(client), channel->chname,
!isdigit(*client->user->svid) ? client->user->svid : "*",
IsLoggedIn(client) ? client->user->svid : "*",
client->info);
for (lp = channel->members; lp; lp = lp->next)
@@ -294,7 +294,7 @@ void _join_channel(Channel *channel, Client *client, MessageTag *recv_mtags, int
channel->mode.mode = MODES_ON_JOIN;
*modebuf = *parabuf = 0;
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel);
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel, 0);
/* This should probably be in the SJOIN stuff */
new_message_special(&me, recv_mtags, &mtags_mode, ":%s MODE %s %s %s", me.name, channel->chname, modebuf, parabuf);
sendto_server(NULL, 0, 0, mtags_mode, ":%s MODE %s %s %s %lld",
@@ -722,7 +722,7 @@ void _userhost_changed(Client *client)
ircsnprintf(exjoinbuf, sizeof(exjoinbuf), ":%s!%s@%s JOIN %s %s :%s",
client->name, client->user->username, GetHost(client), channel->chname,
!isdigit(*client->user->svid) ? client->user->svid : "*",
IsLoggedIn(client) ? client->user->svid : "*",
client->info);
modes = get_chmodes_for_user(client, flags);
+1
@@ -59,6 +59,7 @@ MOD_INIT()
mreq.serialize = link_security_md_serialize;
mreq.unserialize = link_security_md_unserialize;
mreq.sync = 1;
mreq.self_write = 1;
link_security_md = ModDataAdd(modinfo->handle, mreq);
if (!link_security_md)
{
+2 -2
@@ -273,7 +273,7 @@ CMD_FUNC(cmd_list)
if (channel && (ShowChannel(client, channel) || ValidatePermissionsForPath("channel:see:list:secret",client,NULL,channel,NULL))) {
#ifdef LIST_SHOW_MODES
modebuf[0] = '[';
channel_modes(client, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), channel);
channel_modes(client, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), channel, 0);
if (modebuf[2] == '\0')
modebuf[0] = '\0';
else
@@ -403,7 +403,7 @@ int send_list(Client *client)
}
#ifdef LIST_SHOW_MODES
modebuf[0] = '[';
channel_modes(client, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), channel);
channel_modes(client, modebuf+1, parabuf, sizeof(modebuf)-1, sizeof(parabuf), channel, 0);
if (modebuf[2] == '\0')
modebuf[0] = '\0';
else
+26
@@ -72,6 +72,22 @@ MOD_UNLOAD()
return MOD_SUCCESS;
}
/** Check if client may write to this MD object */
int md_access_check(Client *client, ModDataInfo *md, Client *target)
{
if ((client == target) && md->self_write)
return 1;
if (MyConnect(target) && !md->remote_write)
{
ircd_log(LOG_ERROR, "Remote server '%s' tried to write moddata '%s' of a client from ours '%s' -- attempt blocked.",
client->name, md->name, target->name);
return 0;
}
return 1;
}
/** Set ModData command.
* Syntax: MD <type> <object name> <variable name> <value>
* Example: MD client Syzop sslfp 123456789
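Review bot: md_access_check() only rejects writes to targets that are our own connections; for any target that is not MyConnect() it falls through to return 1 regardless of which server sent the MD, and the doc comment should say so explicitly along with the meaning of self_write and remote_write. The log text "of a client from ours" should read "of one of our clients", and since every blocked attempt is logged at LOG_ERROR, consider rate limiting it per server.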
@@ -105,6 +121,10 @@ CMD_FUNC(cmd_md)
md = findmoddata_byname(varname, MODDATATYPE_CLIENT);
if (!md || !md->unserialize || !target)
return;
if (!md_access_check(client, md, target))
return;
if (value)
md->unserialize(value, &moddata_client(target, md));
else
@@ -162,6 +182,9 @@ CMD_FUNC(cmd_md)
if (!md || !md->unserialize)
return;
if (!md_access_check(client, md, target))
return;
if (value)
md->unserialize(value, &moddata_member(m, md));
else
@@ -202,6 +225,9 @@ CMD_FUNC(cmd_md)
if (!md || !md->unserialize)
return;
if (!md_access_check(client, md, target))
return;
if (value)
md->unserialize(value, &moddata_membership(m, md));
else
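Review bot: md_access_check() dereferences target through MyConnect(), but in this branch and in the member branch only md and md->unserialize are tested in the visible context, unlike the client branch where !target is part of the same condition; confirm target cannot be NULL at these two call sites or add the test.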
+1 -3
@@ -146,9 +146,7 @@ void mtag_add_or_inherit_msgid(Client *sender, MessageTag *recv_mtags, MessageTa
char newbuf[256];
memset(&binaryhash, 0, sizeof(binaryhash));
memset(&b64hash, 0, sizeof(b64hash));
SHA256_Init(&hash);
SHA256_Update(&hash, signature, strlen(signature));
SHA256_Final(binaryhash, &hash);
sha256hash_binary(binaryhash, signature, strlen(signature));
b64_encode(binaryhash, sizeof(binaryhash)/2, b64hash, sizeof(b64hash));
b64hash[22] = '\0'; /* cut off at '=' */
snprintf(newbuf, sizeof(newbuf), "%s-%s", prefix, b64hash);
+4 -4
@@ -37,7 +37,7 @@ long CAP_MESSAGE_TAGS = 0; /**< Looked up at MOD_LOAD, may stay 0 if message-tag
ModuleHeader MOD_HEADER
= {
"message", /* Name of module */
"5.0", /* Version */
"5.2.4", /* Version */
"private message and notice", /* Short description of module */
"UnrealIRCd Team",
"unrealircd-5",
@@ -371,7 +371,7 @@ void cmd_message(Client *client, MessageTag *recv_mtags, int parc, char *parv[],
*/
if (IsDead(client))
return;
if (!IsDead(client) && (sendtype != SEND_TYPE_NOTICE) && errmsg)
if (!IsDead(client) && (sendtype != SEND_TYPE_NOTICE) && !BadPtr(errmsg))
sendnumeric(client, ERR_CANNOTSENDTOCHAN, channel->chname, errmsg, p2);
continue; /* skip delivery to this target */
}
@@ -387,7 +387,7 @@ void cmd_message(Client *client, MessageTag *recv_mtags, int parc, char *parv[],
if (MyUser(client))
{
int spamtype = (sendtype == SEND_TYPE_NOTICE ? SPAMF_USERNOTICE : SPAMF_USERMSG);
int spamtype = (sendtype == SEND_TYPE_NOTICE ? SPAMF_CHANNOTICE : SPAMF_CHANMSG);
if (match_spamfilter(client, text, spamtype, cmd, channel->chname, 0, NULL))
return;
@@ -476,7 +476,7 @@ void cmd_message(Client *client, MessageTag *recv_mtags, int parc, char *parv[],
/* Message is discarded */
if (IsDead(client))
return;
if ((sendtype != SEND_TYPE_NOTICE) && errmsg)
if ((sendtype != SEND_TYPE_NOTICE) && !BadPtr(errmsg))
sendnumeric(client, ERR_CANTSENDTOUSER, target->name, errmsg);
} else
{
+1 -1
@@ -133,7 +133,7 @@ CMD_FUNC(cmd_mode)
*modebuf = *parabuf = '\0';
modebuf[1] = '\0';
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel);
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel, 0);
sendnumeric(client, RPL_CHANNELMODEIS, channel->chname, modebuf, parabuf);
sendnumeric(client, RPL_CREATIONTIME, channel->chname, channel->creationtime);
return;
+38 -61
@@ -534,6 +534,26 @@ CMD_FUNC(cmd_uid)
return;
}
if (!valid_uid(parv[6]))
{
ircstats.is_kill++;
sendto_umode(UMODE_OPER, "Bad UID: %s From: %s %s",
parv[6], client->name, get_client_name(client, FALSE));
/* Send kill to uplink only, hasn't been broadcasted to the rest, anyway */
sendto_one(client, NULL, ":%s KILL %s :Bad UID", me.id, parv[6]);
return;
}
if (strncmp(parv[6], client->id, 3))
{
ircstats.is_kill++;
sendto_umode(UMODE_OPER, "Bad UID: %s From: %s %s",
parv[6], client->name, get_client_name(client, FALSE));
/* Send kill to uplink only, hasn't been broadcasted to the rest, anyway */
sendto_one(client, NULL, ":%s KILL %s :Bad UID: UID must contain SID", me.id, parv[6]);
return;
}
/* Kill quarantined opers early... */
if (IsQuarantined(client->direction) && strchr(parv[8], 'o'))
{
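Review bot: both rejection paths send the same oper notice ("Bad UID: %s From: %s %s"), so an operator cannot tell a malformed UID from one whose prefix does not match the sending server; carry the reason into the second notice as the KILL text already does. The literal 3 in strncmp(parv[6], client->id, 3) should be a named SID length constant.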
@@ -669,7 +689,7 @@ nickkill2done:
if (IsDead(client))
return;
if (client->user->svid[0] != '0')
if (IsLoggedIn(client))
{
user_account_login(recv_mtags, client);
/* no need to check for kill upon user_account_login() here
@@ -1321,6 +1341,18 @@ int AllowClient(Client *client, char *username)
return 0;
hp = client->local->hostp;
if (hp && hp->h_name)
set_sockhost(client, hp->h_name);
else if (!strcmp(sockhost, "localhost"))
set_sockhost(client, "localhost"); /* yeah, special case :D */
/* SET HOSTNAME: We set client->user->realhost early here
* because we are going to run some checks.
* Note that later on this may be reversed from hostname to IP if
* allow::options::useip is set.
* Also, register_user() contains more stringent hostname checks later on.
*/
strlcpy(client->user->realhost, client->local->sockhost, sizeof(client->local->sockhost));
if (!IsSecure(client) && !IsLocalhost(client) && (iConf.plaintext_policy_user == POLICY_DENY))
{
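Review bot: the strlcpy() into client->user->realhost is bounded by sizeof(client->local->sockhost), which is the size of the source; the bound should be sizeof(client->user->realhost), otherwise the copy is only safe while the destination is at least as large as the source buffer.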
@@ -1340,62 +1372,9 @@ int AllowClient(Client *client, char *username)
if (aconf->flags.tls && !IsSecure(client))
continue;
if (hp && hp->h_name)
{
hname = hp->h_name;
strlcpy(fullname, hname, sizeof(fullname));
Debug((DEBUG_DNS, "a_il: %s->%s", sockhost, fullname));
if (strchr(aconf->hostname, '@'))
{
if (aconf->flags.noident)
strlcpy(uhost, username, sizeof(uhost));
else
strlcpy(uhost, client->ident, sizeof(uhost));
strlcat(uhost, "@", sizeof(uhost));
}
else
*uhost = '\0';
strlcat(uhost, fullname, sizeof(uhost));
if (match_simple(aconf->hostname, uhost))
goto attach;
}
if (!unreal_mask_match(client, aconf->mask))
continue;
if (strchr(aconf->ip, '@'))
{
if (aconf->flags.noident)
strlcpy(uhost, username, sizeof(uhost));
else
strlcpy(uhost, client->ident, sizeof(uhost));
strlcat(uhost, "@", sizeof(uhost));
}
else
*uhost = '\0';
strlcat(uhost, sockhost, sizeof(uhost));
/* Check the IP */
if (match_user(aconf->ip, client, MATCH_CHECK_IP))
goto attach;
/* Hmm, localhost is a special case, hp == NULL and sockhost contains
* 'localhost' instead of an ip... -- Syzop. */
if (!strcmp(sockhost, "localhost"))
{
if (strchr(aconf->hostname, '@'))
{
if (aconf->flags.noident)
strlcpy(uhost, username, sizeof(uhost));
else
strlcpy(uhost, client->ident, sizeof(uhost));
strlcat(uhost, "@localhost", sizeof(uhost));
}
else
strcpy(uhost, "localhost");
if (match_simple(aconf->hostname, uhost))
goto attach;
}
continue; /* No match */
attach:
/* Check authentication */
if (aconf->auth && !Auth_Check(client, aconf->auth, client->local->passwd))
{
@@ -1411,11 +1390,9 @@ int AllowClient(Client *client, char *username)
if (!aconf->flags.noident)
SetUseIdent(client);
if (!aconf->flags.useip && hp)
strlcpy(uhost, fullname, sizeof(uhost));
else
strlcpy(uhost, sockhost, sizeof(uhost));
set_sockhost(client, uhost);
if (aconf->flags.useip)
set_sockhost(client, GetIP(client));
if (exceeds_maxperip(client, aconf))
{
+14 -2
@@ -36,6 +36,7 @@ struct RestrictedCommand {
int exempt_identified;
int exempt_reputation_score;
int exempt_webirc;
int exempt_tls;
};
typedef struct {
@@ -189,10 +190,13 @@ int rcmd_configtest(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
if (!strcmp(cep2->ce_varname, "exempt-identified"))
continue;
if (!strcmp(cep2->ce_varname, "exempt-webirc"))
continue;
if (!strcmp(cep2->ce_varname, "exempt-tls"))
continue;
if (!strcmp(cep2->ce_varname, "exempt-reputation-score"))
{
int v = atoi(cep2->ce_vardata);
@@ -279,6 +283,12 @@ int rcmd_configrun(ConfigFile *cf, ConfigEntry *ce, int type)
continue;
}
if (!strcmp(cep2->ce_varname, "exempt-tls"))
{
rcmd->exempt_tls = config_checkval(cep2->ce_vardata, CFG_YESNO);
continue;
}
if (!strcmp(cep2->ce_varname, "exempt-reputation-score"))
{
rcmd->exempt_reputation_score = atoi(cep2->ce_vardata);
@@ -299,6 +309,8 @@ int rcmd_canbypass(Client *client, RestrictedCommand *rcmd)
return 1;
if (rcmd->exempt_webirc && moddata_client_get(client, "webirc"))
return 1;
if (rcmd->exempt_tls && IsSecureConnect(client))
return 1;
if (rcmd->exempt_reputation_score > 0 && (GetReputation(client) >= rcmd->exempt_reputation_score))
return 1;
if (rcmd->connect_delay && client->local && (TStime() - client->local->firsttime >= rcmd->connect_delay))
+5 -3
@@ -25,7 +25,7 @@
ModuleHeader MOD_HEADER
= {
"sasl",
"5.0",
"5.2.1",
"SASL",
"UnrealIRCd Team",
"unrealircd-5",
@@ -69,8 +69,9 @@ int sasl_account_login(Client *client, MessageTag *mtags)
{
if (!MyConnect(client))
return 0;
/* Notify user */
if (client->user->svid[0] != '0')
if (IsLoggedIn(client))
{
sendnumeric(client, RPL_LOGGEDIN,
BadPtr(client->name) ? "*" : client->name,
@@ -99,7 +100,7 @@ CMD_FUNC(cmd_svslogin)
{
Client *target;
if (!SASL_SERVER || MyUser(client) || (parc < 3) || !parv[3])
if (MyUser(client) || (parc < 3) || !parv[3])
return;
/* We actually ignore parv[1] since this is a broadcast message.
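Review bot: removing the !SASL_SERVER test means SVSLOGIN is now acted on even when no SASL server is configured, so the only sender check left in this condition is that the source is not a local user; the comment should say which senders are trusted to log users in. The remaining test also checks parc < 3 and then reads parv[3], which looks like it wants parc < 4.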
@@ -395,6 +396,7 @@ MOD_INIT()
mreq.serialize = saslmechlist_serialize;
mreq.unserialize = saslmechlist_unserialize;
mreq.sync = 1;
mreq.self_write = 1;
mreq.type = MODDATATYPE_CLIENT;
ModDataAdd(modinfo->handle, mreq);
+444 -10
@@ -22,7 +22,26 @@
#include "unrealircd.h"
/* Definitions */
typedef enum AutoConnectStrategy {
AUTOCONNECT_PARALLEL = 0,
AUTOCONNECT_SEQUENTIAL = 1,
AUTOCONNECT_SEQUENTIAL_FALLBACK = 2
} AutoConnectStrategy;
typedef struct cfgstruct cfgstruct;
struct cfgstruct {
AutoConnectStrategy autoconnect_strategy;
long connect_timeout;
long handshake_timeout;
};
/* Forward declarations */
void server_config_setdefaults(cfgstruct *cfg);
int server_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs);
int server_config_run(ConfigFile *cf, ConfigEntry *ce, int type);
EVENT(server_autoconnect);
EVENT(server_handshake_timeout);
void send_channel_modes_sjoin3(Client *to, Channel *channel);
CMD_FUNC(cmd_server);
CMD_FUNC(cmd_sid);
@@ -32,11 +51,15 @@ void _send_server_message(Client *client);
void _introduce_user(Client *to, Client *acptr);
int _check_deny_version(Client *cptr, char *software, int protocol, char *flags);
void _broadcast_sinfo(Client *acptr, Client *to, Client *except);
int server_sync(Client *cptr, ConfigItem_link *conf);
void server_generic_free(ModData *m);
int server_post_connect(Client *client);
/* Global variables */
static char buf[BUFSIZE];
#define MSG_SERVER "SERVER"
static cfgstruct cfg;
static char *last_autoconnect_server = NULL;
ModuleHeader MOD_HEADER
= {
@@ -56,30 +79,417 @@ MOD_TEST()
EfunctionAddVoid(modinfo->handle, EFUNC_INTRODUCE_USER, _introduce_user);
EfunctionAdd(modinfo->handle, EFUNC_CHECK_DENY_VERSION, _check_deny_version);
EfunctionAddVoid(modinfo->handle, EFUNC_BROADCAST_SINFO, _broadcast_sinfo);
HookAdd(modinfo->handle, HOOKTYPE_CONFIGTEST, 0, server_config_test);
return MOD_SUCCESS;
}
MOD_INIT()
{
CommandAdd(modinfo->handle, MSG_SERVER, cmd_server, MAXPARA, CMD_UNREGISTERED|CMD_SERVER);
CommandAdd(modinfo->handle, "SID", cmd_sid, MAXPARA, CMD_SERVER);
MARK_AS_OFFICIAL_MODULE(modinfo);
LoadPersistentPointer(modinfo, last_autoconnect_server, server_generic_free);
server_config_setdefaults(&cfg);
HookAdd(modinfo->handle, HOOKTYPE_CONFIGRUN, 0, server_config_run);
HookAdd(modinfo->handle, HOOKTYPE_POST_SERVER_CONNECT, 0, server_post_connect);
CommandAdd(modinfo->handle, "SERVER", cmd_server, MAXPARA, CMD_UNREGISTERED|CMD_SERVER);
CommandAdd(modinfo->handle, "SID", cmd_sid, MAXPARA, CMD_SERVER);
return MOD_SUCCESS;
}
MOD_LOAD()
{
EventAdd(modinfo->handle, "server_autoconnect", server_autoconnect, NULL, 2000, 0);
EventAdd(modinfo->handle, "server_handshake_timeout", server_handshake_timeout, NULL, 1000, 0);
return MOD_SUCCESS;
}
MOD_UNLOAD()
{
SavePersistentPointer(modinfo, last_autoconnect_server);
return MOD_SUCCESS;
}
int server_sync(Client *cptr, ConfigItem_link *conf);
/** Convert 'str' to a AutoConnectStrategy value.
* @param str The string, eg "parallel"
* @returns a valid AutoConnectStrategy value or -1 if not found.
*/
AutoConnectStrategy autoconnect_strategy_strtoval(char *str)
{
if (!strcmp(str, "parallel"))
return AUTOCONNECT_PARALLEL;
if (!strcmp(str, "sequential"))
return AUTOCONNECT_SEQUENTIAL;
if (!strcmp(str, "sequential-fallback"))
return AUTOCONNECT_SEQUENTIAL_FALLBACK;
return -1;
}
/** Convert an AutoConnectStrategy value to a string.
* @param val The value to convert to a string
* @returns a string, such as "parallel".
*/
char *autoconnect_strategy_valtostr(AutoConnectStrategy val)
{
switch (val)
{
case AUTOCONNECT_PARALLEL:
return "parallel";
case AUTOCONNECT_SEQUENTIAL:
return "sequential";
case AUTOCONNECT_SEQUENTIAL_FALLBACK:
return "sequential-fallback";
default:
return "???";
}
}
void server_config_setdefaults(cfgstruct *cfg)
{
cfg->autoconnect_strategy = AUTOCONNECT_SEQUENTIAL;
cfg->connect_timeout = 10;
cfg->handshake_timeout = 20;
}
int server_config_test(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
{
int errors = 0;
ConfigEntry *cep;
if (type != CONFIG_SET)
return 0;
/* We are only interrested in set::server-linking.. */
if (!ce || strcmp(ce->ce_varname, "server-linking"))
return 0;
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (!cep->ce_vardata)
{
config_error("%s:%i: blank set::server-linking::%s without value",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
errors++;
continue;
} else
if (!strcmp(cep->ce_varname, "autoconnect-strategy"))
{
if (autoconnect_strategy_strtoval(cep->ce_vardata) < 0)
{
config_error("%s:%i: set::server-linking::autoconnect-strategy: invalid value '%s'. "
"Should be one of: parallel",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_vardata);
errors++;
continue;
}
} else
if (!strcmp(cep->ce_varname, "connect-timeout"))
{
long v = config_checkval(cep->ce_vardata, CFG_TIME);
if ((v < 5) || (v > 30))
{
config_error("%s:%i: set::server-linking::connect-timeout should be between 5 and 60 seconds",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
errors++;
continue;
}
} else
if (!strcmp(cep->ce_varname, "handshake-timeout"))
{
long v = config_checkval(cep->ce_vardata, CFG_TIME);
if ((v < 10) || (v > 120))
{
config_error("%s:%i: set::server-linking::handshake-timeout should be between 10 and 120 seconds",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum);
errors++;
continue;
}
} else
{
config_error("%s:%i: unknown directive set::server-linking::%s",
cep->ce_fileptr->cf_filename, cep->ce_varlinenum, cep->ce_varname);
errors++;
continue;
}
}
*errs = errors;
return errors ? -1 : 1;
}
int server_config_run(ConfigFile *cf, ConfigEntry *ce, int type)
{
ConfigEntry *cep;
if (type != CONFIG_SET)
return 0;
/* We are only interrested in set::server-linking.. */
if (!ce || strcmp(ce->ce_varname, "server-linking"))
return 0;
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (!strcmp(cep->ce_varname, "autoconnect-strategy"))
{
cfg.autoconnect_strategy = autoconnect_strategy_strtoval(cep->ce_vardata);
} else
if (!strcmp(cep->ce_varname, "connect-timeout"))
{
cfg.connect_timeout = config_checkval(cep->ce_vardata, CFG_TIME);
} else
if (!strcmp(cep->ce_varname, "handshake-timeout"))
{
cfg.handshake_timeout = config_checkval(cep->ce_vardata, CFG_TIME);
}
}
return 1;
}
int server_needs_linking(ConfigItem_link *aconf)
{
ConfigItem_deny_link *deny;
Client *client;
ConfigItem_class *class;
/* We're only interested in autoconnect blocks that are valid. Also, we ignore temporary link blocks. */
if (!(aconf->outgoing.options & CONNECT_AUTO) || !aconf->outgoing.hostname || (aconf->flag.temporary == 1))
return 0;
class = aconf->class;
/* Never do more than one connection attempt per <connfreq> seconds (for the same server) */
if ((aconf->hold > TStime()))
return 0;
aconf->hold = TStime() + class->connfreq;
client = find_client(aconf->servername, NULL);
if (client)
return 0; /* Server already connected (or connecting) */
if (class->clients >= class->maxclients)
return 0; /* Class is full */
/* Check connect rules to see if we're allowed to try the link */
for (deny = conf_deny_link; deny; deny = deny->next)
if (unreal_mask_match_string(aconf->servername, deny->mask) && crule_eval(deny->rule))
return 0;
/* Yes, this server is a linking candidate */
return 1;
}
void server_autoconnect_parallel(void)
{
ConfigItem_link *aconf;
for (aconf = conf_link; aconf; aconf = aconf->next)
{
if (!server_needs_linking(aconf))
continue;
if (connect_server(aconf, NULL, NULL) == 0)
{
sendto_ops_and_log("Trying to activate link with server %s[%s]...",
aconf->servername, aconf->outgoing.hostname);
}
}
}
/** Find first (valid) autoconnect server in link blocks.
* This function should not be used directly. It is a helper function
* for find_next_autoconnect_server().
*/
ConfigItem_link *find_first_autoconnect_server(void)
{
ConfigItem_link *aconf;
for (aconf = conf_link; aconf; aconf = aconf->next)
{
if (!server_needs_linking(aconf))
continue;
return aconf; /* found! */
}
return NULL; /* none */
}
/** Find next server that we should try to autoconnect to.
* Taking into account that we last tried server 'current'.
* @param current Server the previous autoconnect attempt was made to
* @returns A link block, or NULL if no servers are suitable.
*/
ConfigItem_link *find_next_autoconnect_server(char *current)
{
ConfigItem_link *aconf;
/* If the current autoconnect server is NULL then
* just find whichever valid server is first.
*/
if (current == NULL)
return find_first_autoconnect_server();
/* Next code is a bit convulted, it would have
* been easier if conf_link was a circular list ;)
*/
/* Otherwise, walk the list up to 'current' */
for (aconf = conf_link; aconf; aconf = aconf->next)
{
if (!strcmp(aconf->servername, current))
break;
}
/* If the 'current' server dissapeared, then let's
* just pick the first one from the list.
* It is a rare event to have the link { } block
* removed of a server that we just happened to
* try to link to before, so we can afford to do
* it this way.
*/
if (!aconf)
return find_first_autoconnect_server();
/* Check the remainder for the list, in other words:
* check all servers after 'current' if they are
* ready for an outgoing connection attempt...
*/
for (aconf = aconf->next; aconf; aconf = aconf->next)
{
if (!server_needs_linking(aconf))
continue;
return aconf; /* found! */
}
/* If we get here then there are no valid servers
* after 'current', so now check for before 'current'
* (and including 'current', since we may
* have to autoconnect to that one again,
* eg if it is the only autoconnect server)...
*/
for (aconf = conf_link; aconf; aconf = aconf->next)
{
if (!server_needs_linking(aconf))
{
if (!strcmp(aconf->servername, current))
break; /* need to stop here */
continue;
}
return aconf; /* found! */
}
return NULL; /* none */
}
/** Check if we are currently connecting to a server (outgoing).
* This function takes into account not only an outgoing TCP/IP connect
* or TLS handshake, but also if we are 'somewhat connected' to that
* server but have not completed the full sync, eg we may still need
* to receive SIDs or other sync data.
* NOTE: This implicitly assumes that outgoing links only go to
* servers that will (eventually) send "EOS".
* Should be a reasonable assumption given that in nearly all
* cases we only connect to UnrealIRCd servers for the outgoing
* case, as services are "always" incoming links.
* @returns 1 if an outgoing link is in progress, 0 if not.
*/
int current_outgoing_link_in_process(void)
{
Client *client;
list_for_each_entry(client, &unknown_list, lclient_node)
{
if (client->serv && *client->serv->by && client->local->firsttime &&
(IsConnecting(client) || IsTLSConnectHandshake(client) || !IsSynched(client)))
{
return 1;
}
}
list_for_each_entry(client, &server_list, special_node)
{
if (client->serv && *client->serv->by && client->local->firsttime &&
(IsConnecting(client) || IsTLSConnectHandshake(client) || !IsSynched(client)))
{
return 1;
}
}
return 0;
}
void server_autoconnect_sequential(void)
{
ConfigItem_link *aconf;
if (current_outgoing_link_in_process())
return;
/* We are currently not in the process of doing an outgoing connect,
* let's see if we need to connect to somewhere...
*/
aconf = find_next_autoconnect_server(last_autoconnect_server);
if (aconf == NULL)
return; /* No server to connect to at this time */
/* Start outgoing link attempt */
safe_strdup(last_autoconnect_server, aconf->servername);
if (connect_server(aconf, NULL, NULL) == 0)
{
sendto_ops_and_log("Trying to activate link with server %s[%s]...",
aconf->servername, aconf->outgoing.hostname);
}
}
/** Perform autoconnect to servers that are not linked yet. */
EVENT(server_autoconnect)
{
switch (cfg.autoconnect_strategy)
{
case AUTOCONNECT_PARALLEL:
server_autoconnect_parallel();
break;
case AUTOCONNECT_SEQUENTIAL:
/* Fallback is the same as sequential but we reset last_autoconnect_server on connect */
case AUTOCONNECT_SEQUENTIAL_FALLBACK:
server_autoconnect_sequential();
break;
}
}
EVENT(server_handshake_timeout)
{
Client *client, *next;
list_for_each_entry_safe(client, next, &unknown_list, lclient_node)
{
/* We are only interested in outgoing server connects */
if (!client->serv || !*client->serv->by || !client->local->firsttime)
continue;
/* Handle set::server-linking::connect-timeout */
if ((IsConnecting(client) || IsTLSConnectHandshake(client)) &&
((TStime() - client->local->firsttime) >= cfg.connect_timeout))
{
/* If this is a connect timeout to an outgoing server then notify ops & log it */
sendto_ops_and_log("Connect timeout while trying to link to server '%s' (%s)",
client->name, client->ip?client->ip:"<unknown ip>");
exit_client(client, NULL, "Connection timeout");
continue;
}
/* Handle set::server-linking::handshake-timeout */
if ((TStime() - client->local->firsttime) >= cfg.handshake_timeout)
{
/* If this is a handshake timeout to an outgoing server then notify ops & log it */
sendto_ops_and_log("Connection handshake timeout while trying to link to server '%s' (%s)",
client->name, client->ip?client->ip:"<unknown ip>");
exit_client(client, NULL, "Handshake Timeout");
continue;
}
}
}
/** Check deny version { } blocks.
* @param cptr Client (a server)
@@ -179,6 +589,7 @@ void _send_protoctl_servers(Client *client, int response)
{
char buf[512];
Client *acptr;
int sendit = 1;
sendto_one(client, NULL, "PROTOCTL EAUTH=%s,%d,%s%s,%s",
me.name, UnrealProtocol, serveropts, extraflags ? extraflags : "", version);
@@ -188,15 +599,24 @@ void _send_protoctl_servers(Client *client, int response)
list_for_each_entry(acptr, &global_server_list, client_node)
{
snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%s,", acptr->id);
sendit = 1;
if (strlen(buf) > sizeof(buf)-12)
break; /* prevent overflow/cutoff if you have a network with more than 90 servers or something. */
{
if (buf[strlen(buf)-1] == ',')
buf[strlen(buf)-1] = '\0';
sendto_one(client, NULL, "%s", buf);
/* We use the asterisk here too for continuation lines */
ircsnprintf(buf, sizeof(buf), "PROTOCTL SERVERS=*");
sendit = 0;
}
}
/* Remove final comma (if any) */
if (buf[strlen(buf)-1] == ',')
buf[strlen(buf)-1] = '\0';
sendto_one(client, NULL, "%s", buf);
if (sendit)
sendto_one(client, NULL, "%s", buf);
}
void _send_server_message(Client *client)
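Review bot: The flush test `if (strlen(buf) > sizeof(buf)-12)` in the `global_server_list` loop runs only after the `snprintf` append, so the continuation logic is correct only while one `acptr->id` plus its comma always fits in the 12 reserved bytes. Derive the margin from `IDLEN` instead of the literal 12 and say so in the comment. The loop also recomputes `strlen(buf)` up to four times per server, so a running length variable would make the bounds easier to audit. Please add a comment on `sendit` as well: it exists so that a freshly reset `PROTOCTL SERVERS=*` buffer is not sent as an empty continuation line when the loop ends right after a flush.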
@@ -587,7 +1007,7 @@ CMD_FUNC(cmd_server)
/* Process deny server { } restrictions */
for (deny = conf_deny_link; deny; deny = deny->next)
{
if (deny->flag.type == CRULE_ALL && match_simple(deny->mask, servername)
if (deny->flag.type == CRULE_ALL && unreal_mask_match_string(servername, deny->mask)
&& crule_eval(deny->rule))
{
sendto_ops_and_log("Refused connection from %s. Rejected by deny link { } block.",
@@ -1119,7 +1539,7 @@ void send_channel_modes_sjoin3(Client *to, Channel *channel)
/* First we'll send channel, channel modes and members and status */
*modebuf = *parabuf = '\0';
channel_modes(to, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel);
channel_modes(to, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel, 1);
if (!modebuf[1])
nomode = 1;
@@ -1283,3 +1703,17 @@ void send_channel_modes_sjoin3(Client *to, Channel *channel)
free_message_tags(mtags);
}
void server_generic_free(ModData *m)
{
safe_free(m->ptr);
}
int server_post_connect(Client *client) {
if (cfg.autoconnect_strategy == AUTOCONNECT_SEQUENTIAL_FALLBACK && last_autoconnect_server
&& !strcmp(last_autoconnect_server, client->name))
{
last_autoconnect_server = NULL;
}
return 0;
}
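Review bot: `server_post_connect()` resets the fallback state with `last_autoconnect_server = NULL;`, but that pointer is filled by `safe_strdup(last_autoconnect_server, aconf->servername)` in the sequential autoconnect code, so the plain assignment drops the allocation on every successful fallback connect. Use `safe_free(last_autoconnect_server);` here. The opening brace of `server_post_connect` also sits on the same line as the signature, unlike the other functions in this file.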
+5 -4
View File
@@ -29,7 +29,7 @@ CMD_FUNC(cmd_sjoin);
ModuleHeader MOD_HEADER
= {
"sjoin",
"5.0",
"5.1",
"command /sjoin",
"UnrealIRCd Team",
"unrealircd-5",
@@ -221,7 +221,7 @@ CMD_FUNC(cmd_sjoin)
modebuf[1] = '\0';
/* Grab current modes -> modebuf & parabuf */
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel);
channel_modes(client, modebuf, parabuf, sizeof(modebuf), sizeof(parabuf), channel, 1);
/* Do we need to remove all our modes, bans/exempt/inves lists and -vhoaq our users? */
if (removeours)
@@ -537,7 +537,7 @@ getnick:
if (strlen(uid_sjsby_buf) + strlen(prefix) + IDLEN > BUFSIZE - 10)
{
/* Send what we have and start a new buffer */
sendto_server(client, 0, PROTO_SJSBY, recv_mtags, "%s", uid_sjsby_buf);
sendto_server(client, PROTO_SJSBY, 0, recv_mtags, "%s", uid_sjsby_buf);
snprintf(uid_sjsby_buf, sizeof(uid_sjsby_buf), ":%s SJOIN %lld %s :", client->id, (long long)ts, sj3_parabuf);
/* Double-check the new buffer is sufficient to concat the data */
if (strlen(uid_sjsby_buf) + strlen(prefix) + strlen(acptr->id) > BUFSIZE - 5)
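Review bot: The `sendto_server(client, 0, PROTO_SJSBY, ...)` to `sendto_server(client, PROTO_SJSBY, 0, ...)` change swaps two adjacent integer arguments, which the compiler cannot tell apart, so the same transposition may exist at other call sites. Please check the remaining `sendto_server` callers that pass a `PROTO_*` value, and say in the commit message what the wrong order caused on the wire (which servers received or missed the flushed SJOIN buffer) so operators can judge the impact.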
@@ -711,7 +711,8 @@ getnick:
*/
for (i=0; i <= Channelmode_highest; i++)
{
if ((Channelmode_Table[i].flag) &&
if (Channelmode_Table[i].flag &&
!Channelmode_Table[i].local &&
(oldmode.extmode & Channelmode_Table[i].mode) &&
!(channel->mode.extmode & Channelmode_Table[i].mode))
{
+1 -10
View File
@@ -144,15 +144,6 @@ CMD_FUNC(cmd_squit)
sendto_umode_global(UMODE_OPER, "Received SQUIT %s from %s (%s)",
target->name, get_client_name(client, FALSE), comment);
}
if (IsOper(client))
{
/*
* It was manually /squit'ed by a human being(we hope),
* there is a very good chance they don't want us to
* reconnect right away. -Cabal95
*/
SetSQuit(target);
}
exit_client(target, recv_mtags, comment);
exit_client_ex(target, client->direction, recv_mtags, comment);
}
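Review bot: Dropping the `if (IsOper(client)) { SetSQuit(target); }` block removes the only visible guard against reconnecting straight after an operator-issued SQUIT, which is exactly what the deleted comment said it was for. If `exit_client_ex(target, client->direction, ...)` or the new autoconnect code now covers that case, please say so in a comment here. Otherwise a manual /SQUIT can be undone by the next autoconnect run.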
+32 -9
View File
@@ -376,8 +376,14 @@ CMD_FUNC(cmd_stats)
else
stat->func(client, NULL);
/* Modules can append data: */
RunHook2(HOOKTYPE_STATS, client, flags);
/* Modules can append data:
* ('STATS S' already has special code for this that
* maintains certain ordering, so not included here)
*/
if (stat->flag != 'S')
{
RunHook2(HOOKTYPE_STATS, client, flags);
}
sendnumeric(client, RPL_ENDOFSTATS, stat->flag);
@@ -487,15 +493,20 @@ int stats_except(Client *client, char *para)
int stats_allow(Client *client, char *para)
{
ConfigItem_allow *allows;
ConfigItem_mask *m;
for (allows = conf_allow; allows; allows = allows->next)
{
sendnumeric(client, RPL_STATSILINE,
allows->ip, allows->hostname,
allows->maxperip,
allows->global_maxperip,
allows->class->name,
allows->server ? allows->server : defserv,
allows->port ? allows->port : 6667);
for (m = allows->mask; m; m = m->next)
{
sendnumeric(client, RPL_STATSILINE,
m->mask, "-",
allows->maxperip,
allows->global_maxperip,
allows->class->name,
allows->server ? allows->server : defserv,
allows->port ? allows->port : 6667);
}
}
return 0;
}
@@ -785,6 +796,14 @@ static void stats_set_anti_flood(Client *client, FloodSettings *f)
f->name, floodoption_names[i],
(int)f->limit[i], pretty_time_val(f->period[i]));
}
if (i == FLD_LAG_PENALTY)
{
sendtxtnumeric(client, "anti-flood::%s::lag-penalty: %d msec",
f->name, (int)f->period[i]);
sendtxtnumeric(client, "anti-flood::%s::lag-penalty-bytes: %d",
f->name,
f->limit[i] == INT_MAX ? 0 : (int)f->limit[i]);
}
else
{
sendtxtnumeric(client, "anti-flood::%s::%s: %d per %s",
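Review bot: The new `if (i == FLD_LAG_PENALTY)` is a separate `if` placed after the closing brace of the preceding branch, so the existing `else` now binds to it alone. An option handled by the branch above will therefore fall through into the `else` as well and be printed a second time in the generic "%d per %s" form. Make this `else if (i == FLD_LAG_PENALTY)` so the three cases stay mutually exclusive. The `f->limit[i] == INT_MAX ? 0 : ...` mapping also deserves a one-line comment explaining that INT_MAX is the stored form of "0 / disabled".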
@@ -927,6 +946,10 @@ int stats_set(Client *client, char *para)
sendtxtnumeric(client, "outdated-tls-policy::oper: %s", policy_valtostr(iConf.outdated_tls_policy_oper));
sendtxtnumeric(client, "outdated-tls-policy::server: %s", policy_valtostr(iConf.outdated_tls_policy_server));
RunHook2(HOOKTYPE_STATS, client, "S");
#ifndef _WIN32
sendtxtnumeric(client, "This server can handle %d concurrent sockets (%d clients + %d reserve)",
maxclients+CLIENTS_RESERVE, maxclients, CLIENTS_RESERVE);
#endif
return 1;
}
+11 -1
View File
@@ -406,8 +406,18 @@ void do_svsmode(Client *client, MessageTag *recv_mtags, int parc, char *parv[],
case 'd':
if (parv[3])
{
int was_logged_in = IsLoggedIn(target) ? 1 : 0;
strlcpy(target->user->svid, parv[3], sizeof(target->user->svid));
user_account_login(recv_mtags, target);
if (!was_logged_in && !IsLoggedIn(target))
{
/* We don't care about users going from not logged in
* to not logged in, which is something that can happen
* from 0 to 123456, eg from no account to unconfirmed account.
*/
} else {
/* LOGIN or LOGOUT (or account change) */
user_account_login(recv_mtags, target);
}
if (MyConnect(target) && IsDead(target))
return; /* was killed due to *LINE on ~a probably */
}
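Review bot: The `if (!was_logged_in && !IsLoggedIn(target))` branch has an empty body that holds only a comment, with the real work in the `else`. Inverting the test reads more directly and removes the empty block: `if (was_logged_in || IsLoggedIn(target)) user_account_login(recv_mtags, target);`, with the explanation about "0 to 123456" kept as a comment above it. `was_logged_in` is already used as a boolean, so the `? 1 : 0` is not needed.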
+6 -4
View File
@@ -117,6 +117,8 @@ MOD_LOAD()
MOD_UNLOAD()
{
safe_free(channelcfg);
safe_free(privatecfg);
return MOD_SUCCESS;
}
@@ -234,8 +236,8 @@ int targetfloodprot_can_send_to_channel(Client *client, Channel *channel, Member
if (!MyUser(client))
return HOOK_CONTINUE;
/* IRCOps and U-Lines override */
if (IsULine(client) || (IsOper(client) && ValidatePermissionsForPath("immune:target-flood",client,NULL,channel,NULL)))
/* U-Lines, servers and IRCOps override */
if (IsULine(client) || !IsUser(client) || (IsOper(client) && ValidatePermissionsForPath("immune:target-flood",client,NULL,channel,NULL)))
return HOOK_CONTINUE;
what = sendtypetowhat(sendtype);
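Review bot: In `targetfloodprot_can_send_to_channel` the added `!IsUser(client)` can never be true, because the function already returned on `if (!MyUser(client))` two lines earlier and a local user is by definition a user. The check is meaningful only in `targetfloodprot_can_send_to_user`, where the early return tests `target` rather than `client`. Drop it from the channel variant, or, if remote and server senders are meant to bypass the limit here too, revisit the early return instead, since the updated comment "U-Lines, servers and IRCOps override" currently describes behaviour this function cannot reach.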
@@ -281,8 +283,8 @@ int targetfloodprot_can_send_to_user(Client *client, Client *target, char **text
if (!MyUser(target))
return HOOK_CONTINUE;
/* IRCOps and U-Lines override */
if (IsULine(client) || (IsOper(client) && ValidatePermissionsForPath("immune:target-flood",client,target,NULL,NULL)))
/* U-Lines, servers and IRCOps override */
if (IsULine(client) || !IsUser(client) || (IsOper(client) && ValidatePermissionsForPath("immune:target-flood",client,target,NULL,NULL)))
return HOOK_CONTINUE;
what = sendtypetowhat(sendtype);
+6 -8
View File
@@ -134,8 +134,8 @@ TKLTypeTable tkl_types[] = {
{ "except", 'E', TKL_EXCEPTION | TKL_GLOBAL, "Exception", 1, 0, 0 },
{ "shun", 's', TKL_SHUN | TKL_GLOBAL, "Shun", 1, 1, 0 },
{ "local-qline", 'q', TKL_NAME, "Local Q-Line", 1, 0, 0 },
{ "local-spamfilter", 'e', TKL_EXCEPTION, "Local Exception", 1, 0, 0 },
{ "local-exception", 'f', TKL_SPAMF, "Local Spamfilter", 1, 0, 0 },
{ "local-exception", 'e', TKL_EXCEPTION, "Local Exception", 1, 0, 0 },
{ "local-spamfilter", 'f', TKL_SPAMF, "Local Spamfilter", 1, 0, 0 },
{ "blacklist", 'b', TKL_BLACKLIST, "Blacklist", 0, 1, 1 },
{ "connect-flood", 'c', TKL_CONNECT_FLOOD, "Connect flood", 0, 1, 1 },
{ "maxperip", 'm', TKL_MAXPERIP, "Max-per-IP", 0, 1, 0 },
@@ -181,9 +181,9 @@ MOD_TEST()
EfunctionAddVoid(modinfo->handle, EFUNC_TKL_SYNCH, _tkl_sync);
EfunctionAddVoid(modinfo->handle, EFUNC_CMD_TKL, _cmd_tkl);
EfunctionAdd(modinfo->handle, EFUNC_PLACE_HOST_BAN, _place_host_ban);
EfunctionAdd(modinfo->handle, EFUNC_DOSPAMFILTER, _match_spamfilter);
EfunctionAdd(modinfo->handle, EFUNC_MATCH_SPAMFILTER, _match_spamfilter);
EfunctionAdd(modinfo->handle, EFUNC_MATCH_SPAMFILTER_MTAGS, _match_spamfilter_mtags);
EfunctionAdd(modinfo->handle, EFUNC_DOSPAMFILTER_VIRUSCHAN, _join_viruschan);
EfunctionAdd(modinfo->handle, EFUNC_JOIN_VIRUSCHAN, _join_viruschan);
EfunctionAddVoid(modinfo->handle, EFUNC_SPAMFILTER_BUILD_USER_STRING, _spamfilter_build_user_string);
EfunctionAdd(modinfo->handle, EFUNC_MATCH_USER, _match_user);
EfunctionAdd(modinfo->handle, EFUNC_TKL_IP_HASH, _tkl_ip_hash);
@@ -2672,7 +2672,7 @@ static void add_default_exempts(void)
* Currently the list is: gline, kline, gzline, zline, shun, blacklist,
* connect-flood, handshake-data-flood.
*/
tkl_add_banexception(TKL_EXCEPTION, "*", "127.*", "localhost is always exempt",
tkl_add_banexception(TKL_EXCEPTION, "*", "127.0.0.0/8", "localhost is always exempt",
"-default-", 0, TStime(), 0, "GkZzsbcd", TKL_FLAG_CONFIG);
}
@@ -4422,9 +4422,7 @@ void ban_target_to_tkl_layer(BanTarget ban_target, BanAction action, Client *cli
if (ban_target == BAN_TARGET_ACCOUNT)
{
if (client->user && client->user->svid &&
strcmp(client->user->svid, "0") &&
(*client->user->svid != ':'))
if (IsLoggedIn(client) && (*client->user->svid != ':'))
{
/* Place a ban on ~a:Accountname */
strlcpy(username, "~a:", sizeof(username));
+4 -2
View File
@@ -64,8 +64,10 @@ CMD_FUNC(cmd_tsctl)
if (parv[1] && !strcasecmp(parv[1], "alltime"))
{
sendnotice(client, "*** Server=%s TStime=%lld",
me.name, (long long)TStime());
struct timeval currenttime_tv;
gettimeofday(&currenttime_tv, NULL);
sendnotice(client, "*** Server=%s TStime=%lld.%ld",
me.name, (long long)currenttime_tv.tv_sec, (long)currenttime_tv.tv_usec);
sendto_server(client, 0, 0, NULL, ":%s TSCTL alltime", client->id);
return;
}
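Review bot: The format `TStime=%lld.%ld` prints `tv_usec` without zero padding, so 5000 microseconds shows up as ".5000" and reads as half a second when operators compare clocks across servers. Use `%06ld` for the fractional part. Note also that this line now reports raw `gettimeofday()` rather than `TStime()`, so any offset applied by `TStime()` is no longer reflected in the "alltime" output. If that is intended, the label should not say `TStime=`.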
+3
View File
@@ -73,5 +73,8 @@ CMD_FUNC(cmd_wallops)
return;
}
if (MyUser(client))
sendto_prefix_one(client, client, NULL, ":%s WALLOPS :%s", client->name, message);
sendto_ops_butone(client->direction, client, ":%s WALLOPS :%s", client->name, message);
}
+2 -5
View File
@@ -230,6 +230,7 @@ void websocket_mdata_free(ModData *m)
{
safe_free(wsu->handshake_key);
safe_free(wsu->lefttoparse);
safe_free(wsu->sec_websocket_protocol);
safe_free(m->ptr);
}
}
@@ -589,16 +590,12 @@ int websocket_handle_handshake(Client *client, char *readbuf, int *length)
int websocket_handshake_send_response(Client *client)
{
char buf[512], hashbuf[64];
SHA_CTX hash;
char sha1out[20]; /* 160 bits */
WSU(client)->handshake_completed = 1;
snprintf(buf, sizeof(buf), "%s%s", WSU(client)->handshake_key, WEBSOCKET_MAGIC_KEY);
SHA1_Init(&hash);
SHA1_Update(&hash, buf, strlen(buf));
SHA1_Final(sha1out, &hash);
sha1hash_binary(sha1out, buf, strlen(buf));
b64_encode(sha1out, sizeof(sha1out), hashbuf, sizeof(hashbuf));
snprintf(buf, sizeof(buf),
+1 -1
View File
@@ -617,7 +617,7 @@ static void make_who_status(Client *client, Client *acptr, Channel *channel,
else
status[i++] = 'H';
if (IsARegNick(acptr))
if (IsRegNick(acptr))
status[i++] = 'r';
if (IsSecureConnect(acptr))
+3 -10
View File
@@ -103,15 +103,8 @@ CMD_FUNC(cmd_whois)
if (wilds)
continue;
if ((target = find_client(nick, NULL)))
if ((target = find_person(nick, NULL)))
{
if (IsServer(target))
continue;
/*
* I'm always last :-) and target->next == NULL!!
*/
if (IsMe(target))
break;
/*
* 'Rules' established for sending a WHOIS reply:
* - only send replies about common or public channels
@@ -148,7 +141,7 @@ CMD_FUNC(cmd_whois)
target->user->realhost, target->ip ? target->ip : "");
}
if (IsARegNick(target))
if (IsRegNick(target))
sendnumeric(client, RPL_WHOISREGNICK, name);
found = 1;
@@ -335,7 +328,7 @@ CMD_FUNC(cmd_whois)
* display services account name if it's actually a services account name and
* not a legacy timestamp. --nenolod
*/
if (!isdigit(*target->user->svid))
if (IsLoggedIn(target))
sendnumeric(client, RPL_WHOISLOGGEDIN, name, target->user->svid);
/*
+3 -4
View File
@@ -426,8 +426,7 @@ static int do_match(Client *client, Client *acptr, char *mask, struct who_format
return 1;
/* match account */
if (IsMatch(fmt, WMATCH_ACCOUNT) && !BadPtr(acptr->user->svid) &&
!isdigit(*acptr->user->svid) && match_simple(mask, acptr->user->svid))
if (IsMatch(fmt, WMATCH_ACCOUNT) && IsLoggedIn(acptr) && match_simple(mask, acptr->user->svid))
{
return 1;
}
@@ -688,7 +687,7 @@ static void do_who(Client *client, Client *acptr, Channel *channel, struct who_f
else
status[i++] = 'H';
if (IsARegNick(acptr))
if (IsRegNick(acptr))
status[i++] = 'r';
if (IsSecureConnect(acptr))
@@ -813,7 +812,7 @@ static void do_who(Client *client, Client *acptr, Channel *channel, struct who_f
(int)((MyUser(acptr) && !hide_idle_time(client, acptr)) ? (TStime() - acptr->local->last) : 0));
}
if (HasField(fmt, FIELD_ACCOUNT))
append_format(str, sizeof str, &pos, " %s", (!isdigit(*acptr->user->svid)) ? acptr->user->svid : "0");
append_format(str, sizeof str, &pos, " %s", IsLoggedIn(acptr) ? acptr->user->svid : "0");
if (HasField(fmt, FIELD_OPLEVEL))
append_format(str, sizeof str, &pos, " %s", (channel && is_skochanop(acptr, channel)) ? "999" : "n/a");
if (HasField(fmt, FIELD_REPUTATION))
+32 -15
View File
@@ -32,8 +32,8 @@ static char *para[MAXPARA + 2];
static int do_numeric(int, Client *, MessageTag *, int, char **);
static void cancel_clients(Client *, Client *, char *);
static void remove_unknown(Client *, char *);
static void parse2(Client *client, Client **fromptr, MessageTag *mtags, char *ch);
static void parse_addlag(Client *client, int cmdbytes);
static void parse2(Client *client, Client **fromptr, MessageTag *mtags, int mtags_bytes, char *ch);
static void parse_addlag(Client *client, int command_bytes, int mtags_bytes);
static int client_lagged_up(Client *client);
static void ban_handshake_data_flooder(Client *client);
@@ -175,6 +175,7 @@ void parse(Client *cptr, char *buffer, int length)
char *ch;
int i, ret;
MessageTag *mtags = NULL;
int mtags_bytes = 0;
/* Take extreme care in this function, as messages can be up to READBUFSIZE
* in size, which is 8192 at the time of writing.
@@ -218,13 +219,16 @@ void parse(Client *cptr, char *buffer, int length)
/* Now, parse message tags, if any */
if (*ch == '@')
{
char *start = ch;
parse_message_tags(cptr, &ch, &mtags);
if (ch - start > 0)
mtags_bytes = ch - start;
/* Skip whitespace again */
for (; *ch == ' '; ch++)
;
}
parse2(cptr, &from, mtags, ch);
parse2(cptr, &from, mtags, mtags_bytes, ch);
if (IsDead(cptr))
RunHook3(HOOKTYPE_POST_COMMAND, NULL, mtags, ch);
@@ -236,13 +240,14 @@ void parse(Client *cptr, char *buffer, int length)
}
/** Parse the remaining line - helper function for parse().
* @param cptr The client from which the message was received
* @param from The sender, this may be changed by parse2() when
* the message has a sender, eg :xyz PRIVMSG ..
* @param mtags Message tags received for this message.
* @param ch The incoming line received (buffer), excluding message tags.
* @param cptr The client from which the message was received
* @param from The sender, this may be changed by parse2() when
* the message has a sender, eg :xyz PRIVMSG ..
* @param mtags Message tags received for this message.
* @param mtags_bytes The length of all message tags.
* @param ch The incoming line received (buffer), excluding message tags.
*/
static void parse2(Client *cptr, Client **fromptr, MessageTag *mtags, char *ch)
static void parse2(Client *cptr, Client **fromptr, MessageTag *mtags, int mtags_bytes, char *ch)
{
Client *from = cptr;
char *s;
@@ -351,7 +356,7 @@ static void parse2(Client *cptr, Client **fromptr, MessageTag *mtags, char *ch)
numeric = (*ch - '0') * 100 + (*(ch + 1) - '0') * 10 + (*(ch + 2) - '0');
paramcount = MAXPARA;
ircstats.is_num++;
parse_addlag(cptr, bytes);
parse_addlag(cptr, bytes, mtags_bytes);
}
else
{
@@ -377,7 +382,7 @@ static void parse2(Client *cptr, Client **fromptr, MessageTag *mtags, char *ch)
if (!cmptr || !(cmptr->flags & CMD_NOLAG))
{
/* Add fake lag (doing this early in the code, so we don't forget) */
parse_addlag(cptr, bytes);
parse_addlag(cptr, bytes, mtags_bytes);
}
if (!cmptr)
{
@@ -568,18 +573,30 @@ static void ban_handshake_data_flooder(Client *client)
* be able to flood at full speed causing potentially many Mbits or even
* GBits of data to be sent out to other clients.
*
* @param client The client.
* @param cmdbytes Number of bytes in the command.
* @param client The client.
* @param command_bytes Command length in bytes (excluding message tagss)
* @param mtags_bytes Length of message tags in bytes
*/
void parse_addlag(Client *client, int cmdbytes)
void parse_addlag(Client *client, int command_bytes, int mtags_bytes)
{
FloodSettings *settings = get_floodsettings_for_user(client, FLD_LAG_PENALTY);
if (!IsServer(client) && !IsNoFakeLag(client) &&
#ifdef FAKELAG_CONFIGURABLE
!(client->local->class && (client->local->class->options & CLASS_OPT_NOFAKELAG)) &&
#endif
!ValidatePermissionsForPath("immune:lag",client,NULL,NULL,NULL))
{
client->local->since += (1 + cmdbytes/90);
int lag_penalty = settings->period[FLD_LAG_PENALTY];
int lag_penalty_bytes = settings->limit[FLD_LAG_PENALTY];
client->local->since_msec += (1 + (command_bytes/lag_penalty_bytes) + (mtags_bytes/lag_penalty_bytes)) * lag_penalty;
/* This code takes into account not only the msecs we just calculated
* but also any leftover msec from previous lagging up.
*/
client->local->since += (client->local->since_msec / 1000);
client->local->since_msec = client->local->since_msec % 1000;
}
}
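Review bot: `parse_addlag()` divides by `lag_penalty_bytes` (`command_bytes/lag_penalty_bytes` and `mtags_bytes/lag_penalty_bytes`), and nothing in this hunk guarantees the value is non-zero. It also dereferences `settings` from `get_floodsettings_for_user()` without a NULL check. This function runs for every parsed command from a client, so a zero or missing setting would crash the server on ordinary input. Please clamp it locally (for example, treat values below 1 as "no byte penalty") rather than relying on the config parser. The lookup can also move inside the `if`, since servers and lag-immune clients never use it. Separately, the doc comment has a typo, "message tagss".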
+34 -1
View File
@@ -636,7 +636,15 @@ CMD_FUNC(cmd_rehash)
}
if (match_simple("-ssl*", parv[1]) || match_simple("-tls*", parv[1]))
{
reinit_ssl(client);
if (IsUser(client))
{
sendto_realops_and_log("%s (%s@%s) requested a reload of all SSL related data (/rehash -tls)",
client->name, client->user->username, client->user->realhost);
} else {
sendto_realops_and_log("%s requested a reload of all SSL related data (/rehash -tls)",
client->name);
}
reinit_tls();
return;
}
if (match_simple("-o*motd", parv[1]))
@@ -1274,6 +1282,31 @@ int valid_sid(char *name)
return 1;
}
/** Check if the supplied name is a valid UID, as in: syntax. */
int valid_uid(char *name)
{
char *p;
/* Enforce at least some minimum length */
if (strlen(name) < 6)
return 0;
/* UID cannot be larger than IDLEN or it would be cut off later */
if (strlen(name) > IDLEN)
return 0;
/* Must start with a digit */
if (!isdigit(*name))
return 0;
/* For all the remaining characters: digit or uppercase character */
for (p = name+1; *p; p++)
if (!isdigit(*p) && !isupper(*p))
return 0;
return 1;
}
/** Initialize the TKL subsystem */
void tkl_init(void)
{
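Review bot: `valid_uid()` passes plain `char` values to `isdigit()` and `isupper()` (`isdigit(*name)`, `isdigit(*p)`, `isupper(*p)`). On platforms where `char` is signed, a byte of 0x80 or above from the wire becomes a negative argument, which is undefined behaviour for the ctype functions. Cast to `unsigned char` at each call, or compare against the literal ranges '0'..'9' and 'A'..'Z', which also avoids locale-dependent results for an identifier that must be ASCII. The summary line "as in: syntax" is unfinished; please state the accepted form (one digit followed by digits or uppercase letters, 6 to IDLEN characters). `strlen(name)` can also be computed once.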
+45 -27
View File
@@ -218,19 +218,6 @@ static int ssl_hostname_callback(SSL *ssl, int *unk, void *arg)
return SSL_TLSEXT_ERR_OK;
}
/** Special logging function for SSL/TLS (? make more generic?) */
static void mylog(char *fmt, ...)
{
va_list vl;
static char buf[2048];
va_start(vl, fmt);
ircvsnprintf(buf, sizeof(buf), fmt, vl);
va_end(vl);
sendto_realops("[SSL rehash] %s", buf);
ircd_log(LOG_ERROR, "%s", buf);
}
/** Disable SSL/TLS protocols as set by config */
void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
{
@@ -487,6 +474,12 @@ fail:
return NULL;
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
MODVAR EVP_MD *sha256_function; /**< SHA256 function for EVP_DigestInit_ex() call */
MODVAR EVP_MD *sha1_function; /**< SHA1 function for EVP_DigestInit_ex() call */
MODVAR EVP_MD *md5_function; /**< MD5 function for EVP_DigestInit_ex() call */
#endif
/** Early initalization of SSL/TLS subsystem - called on startup */
int early_init_ssl(void)
{
@@ -495,6 +488,29 @@ int early_init_ssl(void)
/* This is used to track (SSL *) <--> (Client *) relationships: */
ssl_client_index = SSL_get_ex_new_index(0, "ssl_client", NULL, NULL, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
sha256_function = EVP_MD_fetch(NULL, "SHA2-256", NULL);
if (!sha256_function)
{
fprintf(stderr, "Could not find SHA256 algorithm in SSL library\n");
exit(6);
}
sha1_function = EVP_MD_fetch(NULL, "SHA1", NULL);
if (!sha1_function)
{
fprintf(stderr, "Could not find SHA1 algorithm in SSL library\n");
exit(6);
}
md5_function = EVP_MD_fetch(NULL, "MD5", NULL);
if (!md5_function)
{
fprintf(stderr, "Could not find MD5 algorithm in SSL library\n");
exit(6);
}
#endif
return 1;
}
@@ -515,22 +531,13 @@ int init_ssl(void)
/** Reinitialize SSL/TLS server and client contexts - after REHASH -tls
*/
void reinit_ssl(Client *client)
void reinit_tls(void)
{
SSL_CTX *tmp;
ConfigItem_listen *listen;
ConfigItem_sni *sni;
ConfigItem_link *link;
if (!client)
mylog("Reloading all SSL related data (./unrealircd reloadtls)");
else if (IsUser(client))
mylog("%s (%s@%s) requested a reload of all SSL related data (/rehash -tls)",
client->name, client->user->username, client->user->realhost);
else
mylog("%s requested a reload of all SSL related data (/rehash -tls)",
client->name);
tmp = init_ctx(iConf.tls_options, 1);
if (!tmp)
{
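Review bot: With `mylog()` removed and `reinit_tls()` no longer taking a client, the "Reloading all SSL related data (./unrealircd reloadtls)" message has no replacement in the visible changes; only the two `/rehash -tls` cases in `cmd_rehash` got a `sendto_realops_and_log()` call. A certificate or key reload is something operators want in the audit trail regardless of how it was triggered, so please make sure the reloadtls caller logs before calling `reinit_tls()`, or log once inside `reinit_tls()` itself.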
@@ -892,6 +899,16 @@ static int fatal_ssl_error(int ssl_error, int where, int my_errno, Client *clien
ssl_func = "undefined SSL func";
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/* Fetch additional error information from OpenSSL 3.0.0+ */
two = ERR_reason_error_string(additional_errno);
if (two && *two)
{
snprintf(additional_info, sizeof(additional_info), ": %s", two);
} else {
*additional_info = '\0';
}
#else
/* Fetch additional error information from OpenSSL. This is new as of Nov 2017 (4.0.16+) */
one = ERR_func_error_string(additional_errno);
two = ERR_reason_error_string(additional_errno);
@@ -901,6 +918,7 @@ static int fatal_ssl_error(int ssl_error, int where, int my_errno, Client *clien
} else {
*additional_info = '\0';
}
#endif
ssl_errstr = ssl_error_str(ssl_error, my_errno);
@@ -1169,6 +1187,8 @@ int cipher_check(SSL_CTX *ctx, char **errstr)
/** Check if a certificate (or actually: key) is weak */
int certificate_quality_check(SSL_CTX *ctx, char **errstr)
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
// FIXME: this only works on OpenSSL <3.0.0
SSL *ssl;
X509 *cert;
EVP_PKEY *public_key;
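Review bot: Wrapping the body of `certificate_quality_check()` in `#if OPENSSL_VERSION_NUMBER < 0x30000000L` means that on OpenSSL 3.0 and later the function falls straight through to `return 1`, so a weak key is accepted with no indication that the check did not run. The `// FIXME` documents this for developers but not for administrators. Until the check is ported, emit a config warning on the 3.0+ path saying that key strength was not verified, and keep the FIXME in the file's usual `/* */` comment style.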
@@ -1225,6 +1245,7 @@ int certificate_quality_check(SSL_CTX *ctx, char **errstr)
return 0;
}
#endif
return 1;
}
@@ -1258,7 +1279,6 @@ char *spki_fingerprint_ex(X509 *x509_cert)
unsigned char *der_cert = NULL, *p;
int der_cert_len, n;
static char retbuf[256];
SHA256_CTX ckctx;
unsigned char checksum[SHA256_DIGEST_LENGTH];
memset(retbuf, 0, sizeof(retbuf));
@@ -1274,9 +1294,7 @@ char *spki_fingerprint_ex(X509 *x509_cert)
/* The DER encoded SPKI is stored in 'der_cert' with length 'der_cert_len'.
* Now we need to create an SHA256 hash out of it.
*/
SHA256_Init(&ckctx);
SHA256_Update(&ckctx, der_cert, der_cert_len);
SHA256_Final(checksum, &ckctx);
sha256hash_binary(checksum, der_cert, der_cert_len);
/* And convert the binary to a base64 string... */
n = b64_encode(checksum, SHA256_DIGEST_LENGTH, retbuf, sizeof(retbuf));
+20 -16
View File
@@ -40,11 +40,11 @@
* and I/O speeds of the underlying hardware.
*/
/* In UnrealIRCd 5.0.10 we don't write the v1 header yet for unencrypted
/* In UnrealIRCd 5.2.0 we don't write the v1 header yet for unencrypted
* database files, this so users using unencrypted can easily downgrade
* to 5.0.9 and lower should there be any need to do so.
* We DO support READING encypted, unencrypted v1, and unencrypted raw (v0)
* in 5.0.10, though.
* in 5.2.0, though.
* Presumably in 2022 or so we will stop writing v0 by default and change
* this #undef to a #define to write v1.
*/
@@ -163,7 +163,7 @@ UnrealDB *unrealdb_open(const char *filename, UnrealDBMode mode, char *secret_bl
UnrealDB *c = safe_alloc_sensitive(sizeof(UnrealDB));
char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES];
char buf[32]; /* don't change this */
Secret *secr;
Secret *secr=NULL;
SecretCache *dbcache;
int cached = 0;
char *err;
@@ -176,6 +176,23 @@ UnrealDB *unrealdb_open(const char *filename, UnrealDBMode mode, char *secret_bl
goto unrealdb_open_fail;
}
/* Do this check early, before we try to create any file */
if (secret_block != NULL)
{
secr = find_secret(secret_block);
if (!secr)
{
unrealdb_set_error(c, UNREALDB_ERROR_SECRET, "Secret block '%s' not found or invalid", secret_block);
goto unrealdb_open_fail;
}
if (!valid_secret_password(secr->password, &err))
{
unrealdb_set_error(c, UNREALDB_ERROR_SECRET, "Password in secret block '%s' does not meet complexity requirements", secr->name);
goto unrealdb_open_fail;
}
}
c->mode = mode;
c->fd = fopen(filename, (c->mode == UNREALDB_MODE_WRITE) ? "wb" : "rb");
if (!c->fd)
@@ -249,19 +266,6 @@ UnrealDB *unrealdb_open(const char *filename, UnrealDBMode mode, char *secret_bl
c->crypted = 1;
secr = find_secret(secret_block);
if (!secr)
{
unrealdb_set_error(c, UNREALDB_ERROR_SECRET, "Secret block '%s' not found or invalid", secret_block);
goto unrealdb_open_fail;
}
if (!valid_secret_password(secr->password, &err))
{
unrealdb_set_error(c, UNREALDB_ERROR_SECRET, "Password in secret block '%s' does not meet complexity requirements", secr->name);
goto unrealdb_open_fail;
}
if (c->mode == UNREALDB_MODE_WRITE)
{
/* Write the:
+6 -5
View File
@@ -324,10 +324,7 @@ static int url_socket_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *so
Debug((DEBUG_DEBUG, "url_socket_cb: %d (%s)", (int)s, (what == CURL_POLL_REMOVE)?"remove":"add-or-modify"));
if (what == CURL_POLL_REMOVE)
{
/* Socket is going to be closed *BY CURL*.. so don't call fd_close() but fd_unmap().
* Otherwise we (or actually, they) may end up closing the wrong fd.
*/
fd_unmap(s);
fd_close(s);
}
else
{
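Review bot: The `CURL_POLL_REMOVE` branch now calls `fd_close(s)`, and the comment that explained why this socket must not be closed by us has been deleted along with `fd_unmap(s)`. The call is safe only because the descriptor was registered with `FDCLOSE_NONE` in the `fd_open()` call further down, which is not obvious at this site. Please keep a short comment here stating that `fd_close()` only releases the bookkeeping entry for an `FDCLOSE_NONE` descriptor and that cURL closes the socket, so a later edit does not reintroduce a double close or a close of a reused fd number.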
@@ -336,7 +333,11 @@ static int url_socket_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *so
if (!fde->is_open)
{
fd_open(s, "CURL transfer");
/* NOTE: We use FDCLOSE_NONE here because cURL will take
* care of the closing of the socket. So *WE* must never
* close the socket ourselves.
*/
fd_open(s, "CURL transfer", FDCLOSE_NONE);
}
if (what == CURL_POLL_IN || what == CURL_POLL_INOUT)
+51 -8
View File
@@ -812,9 +812,7 @@ SecurityGroup *add_security_group(char *name, int priority)
/** Free a SecurityGroup struct */
void free_security_group(SecurityGroup *s)
{
/* atm there is nothing else to free,
* but who knows this may change in the future
*/
unreal_delete_masks(s->include_mask);
safe_free(s);
}
@@ -831,6 +829,10 @@ void set_security_group_defaults(void)
}
securitygroups = NULL;
/* Default group: webirc */
s = add_security_group("webirc-users", 50);
s->webirc = 1;
/* Default group: known-users */
s = add_security_group("known-users", 100);
s->identified = 1;
@@ -862,7 +864,9 @@ int user_allowed_by_security_group(Client *client, SecurityGroup *s)
return 1;
if (s->reputation_score && (GetReputation(client) >= s->reputation_score))
return 1;
if (s->tls && (IsSecureConnect(client) || IsSecure(client)))
if (s->tls && (IsSecureConnect(client) || (MyConnect(client) && IsSecure(client))))
return 1;
if (s->include_mask && unreal_mask_match(client, s->include_mask))
return 1;
return 0;
}
@@ -893,13 +897,49 @@ int user_allowed_by_security_group_name(Client *client, char *secgroupname)
return user_allowed_by_security_group(client, s);
}
/** Get comma separated list of matching security groups for 'client'.
* This is usually only used for displaying purposes.
* @returns string like "unknown-users,tls-users" from a static buffer.
*/
char *get_security_groups(Client *client)
{
SecurityGroup *s;
static char buf[512];
*buf = '\0';
/* We put known-users or unknown-users at the beginning.
* The latter is special and doesn't actually exist
* in the linked list, hence the special code here,
* and again later in the for loop to skip it.
*/
if (user_allowed_by_security_group_name(client, "known-users"))
strlcat(buf, "known-users,", sizeof(buf));
else
strlcat(buf, "unknown-users,", sizeof(buf));
for (s = securitygroups; s; s = s->next)
{
if (strcmp(s->name, "known-users") &&
user_allowed_by_security_group(client, s))
{
strlcat(buf, s->name, sizeof(buf));
strlcat(buf, ",", sizeof(buf));
}
}
if (*buf)
buf[strlen(buf)-1] = '\0';
return buf;
}
/** Return extended information about user for the "Client connecting" line.
* @returns A string such as "[secure] [reputation: 5]", never returns NULL.
*/
char *get_connect_extinfo(Client *client)
{
static char retbuf[512];
char tmp[512];
char tmp[512], *secgroups;
NameValuePrioList *list = NULL, *e;
/* From modules... */
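Review bot: In `get_security_groups()`, the final `buf[strlen(buf)-1] = '\0'` assumes the last character is a comma, but `strlcat()` truncates silently. With enough matching groups the 512-byte buffer can end in the middle of a group name, and the trim then removes a character of the name instead of a separator. Check the `strlcat()` return value and stop appending once a name plus comma no longer fits. The comment says the loop skips the special "unknown-users" group, while the code skips "known-users" via `strcmp(s->name, "known-users")`, so the comment should be reworded to match. The function returns a static buffer, which the doc comment mentions; the caller's `if (secgroups)` test in `get_connect_extinfo()` is therefore always true.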
@@ -921,6 +961,11 @@ char *get_connect_extinfo(Client *client)
if (IsLoggedIn(client))
add_nvplist(&list, -500, "account", client->user->svid);
/* security groups */
secgroups = get_security_groups(client);
if (secgroups)
add_nvplist(&list, 100, "security-groups", secgroups);
*retbuf = '\0';
for (e = list; e; e = e->next)
{
@@ -976,9 +1021,6 @@ int flood_limit_exceeded(Client *client, FloodOption opt)
if (f->limit[opt] <= 0)
return 0; /* No limit set or unlimited */
ircd_log(LOG_ERROR, "Checking flood_limit_exceeded() for '%s', type %d with max %d:%ld...",
client->name, (int)opt, (int)f->limit[opt], (long)f->period[opt]);
/* Ok, let's do the flood check */
if ((client->local->flood[opt].t + f->period[opt]) <= timeofday)
{
@@ -1044,5 +1086,6 @@ MODVAR char *floodoption_names[] = {
"invite-flood",
"knock-flood",
"max-concurrent-conversations",
"lag-penalty",
NULL
};
+4 -1
View File
@@ -4,7 +4,10 @@ echo "Extracting src/version.c..."
#id=`grep '$Id: Changes,v' ../Changes`
#id=`echo $id |sed 's/.* Changes\,v \(.*\) .* Exp .*/\1/'`
id="5.0.9.1"
if [ -d ../.git ]; then
SUFFIX="-$(git rev-parse --short HEAD)"
fi
id="5.2.4$SUFFIX"
echo "$id"
if test -r version.c
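Review bot: `SUFFIX` is assigned only inside the `if [ -d ../.git ]` block and is never initialised, so a release tarball build inherits whatever `SUFFIX` happens to be in the builder's environment and embeds it in the version string. Set `SUFFIX=""` before the test. Inside the block, `git rev-parse --short HEAD` can fail (git not installed, or `.git` present but unusable), which leaves `id` as "5.2.4-". Capture the output first and append the dash only when it is non-empty.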
+1 -1
View File
@@ -3,7 +3,7 @@
<assemblyIdentity
processorArchitecture="amd64"
name="UnrealIRCd.UnrealIRCd.5"
version="5.0.10.0"
version="5.2.4.0"
type="win32"
/>
<description>Internet Relay Chat Daemon</description>
+25 -10
View File
@@ -167,16 +167,22 @@ LRESULT RESubClassFunc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam)
return CallWindowProc((WNDPROC)lpfnOldWndProc, hWnd, Message, wParam, lParam);
}
int CloseUnreal(HWND hWnd)
int DoCloseUnreal(HWND hWnd)
{
ircd_log(LOG_ERROR, "Stopping UnrealIRCd...");
loop.ircd_terminating = 1;
unload_all_modules();
DestroyWindow(hWnd);
TerminateProcess(GetCurrentProcess(), 0);
exit(0); /* in case previous fails (possible?) */
}
int AskCloseUnreal(HWND hWnd)
{
if (MessageBox(hWnd, "Close UnrealIRCd?", "Are you sure?", MB_YESNO|MB_ICONQUESTION) == IDNO)
return 0;
else
{
DestroyWindow(hWnd);
TerminateProcess(GetCurrentProcess(), 0);
exit(0); /* in case previous fails (possible?) */
}
DoCloseUnreal(hWnd);
exit(0);
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
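Review bot: `DoCloseUnreal()` is declared `int` but has no `return` statement, and its value is used in `return DoCloseUnreal(hDlg);` for `WM_CLOSE`. It never returns in practice because of `TerminateProcess()` and `exit(0)`, so declare it `void` (or add a final `return 0;`) to make that explicit and silence the warning. The extra `exit(0);` after the call in `AskCloseUnreal()` is unreachable for the same reason. It would also help to note in a comment that `WM_CLOSE` now shuts down without confirmation while the toolbar, menu and `SC_CLOSE` paths go through `AskCloseUnreal()`.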
@@ -328,7 +334,7 @@ LRESULT CALLBACK MainDLG(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
return 0;
}
case WM_CLOSE:
return CloseUnreal(hDlg);
return DoCloseUnreal(hDlg);
case WM_USER:
{
switch(LOWORD(lParam))
@@ -520,7 +526,16 @@ LRESULT CALLBACK MainDLG(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
return 0;
}
else if ((p.x >= 336) && (p.x <= 411) && (p.y >= TOOLBAR_START) && (p.y <= TOOLBAR_STOP))
return CloseUnreal(hDlg);
return AskCloseUnreal(hDlg);
}
case WM_SYSCOMMAND:
{
if (wParam == SC_CLOSE)
{
AskCloseUnreal(hDlg);
return 1;
}
break;
}
case WM_COMMAND:
{
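Review bot: in the new WM_SYSCOMMAND case, if (wParam == SC_CLOSE) compares the raw wParam, but the low four bits of wParam are used internally by the system for this message, so the test should be ((wParam & 0xFFF0) == SC_CLOSE). Also check that the break for other system commands ends up returning FALSE from the dialog procedure, so that default handling of move, minimise and the rest still happens.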
@@ -561,7 +576,7 @@ LRESULT CALLBACK MainDLG(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
ShowDialog(&hStatusWnd, hInst, "Status", hDlg,StatusDLG);
break;
case IDM_SHUTDOWN:
return CloseUnreal(hDlg);
return AskCloseUnreal(hDlg);
case IDM_RHALL:
MessageBox(NULL, "Rehashing all files", "Rehashing", MB_OK);
sendto_realops("Rehashing all files via the console");
+14 -1
@@ -6,7 +6,7 @@
[Setup]
AppName=UnrealIRCd 5
AppVerName=UnrealIRCd 5.0.10-git
AppVerName=UnrealIRCd 5.2.4
AppPublisher=UnrealIRCd Team
AppPublisherURL=https://www.unrealircd.org
AppSupportURL=https://www.unrealircd.org
@@ -104,7 +104,20 @@ var
function InitializeSetup(): Boolean;
var
major: Cardinal;
d: Integer;
begin
d := StrToInt(GetDateTimeString('yyyymm',#0,#0));
if (d > 202209) then
begin
MsgBox('You are installing the old UnrealIRCd 5.x stable series. This branch will receive security fixes only until July 1, 2023. ' +
'After that date, all support for the UnrealIRCd 5.x series will stop. ' +
'Please consider upgrading. See https://www.unrealircd.org/docs/UnrealIRCd_5_EOL', mbInformation, MB_OK);
if (d > 202303) then
begin
ShellExec('open', 'https://www.unrealircd.org/docs/UnrealIRCd_5_EOL', '', '', SW_SHOWNORMAL,ewNoWait,ErrorCode);
end;
end;
Result := true;
if Not RegQueryDWordValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64', 'Major', major) then
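Review bot: the cut-offs d > 202209 and d > 202303 are bare yyyymm numbers with no comment, and they do not line up with the July 1, 2023 date in the message text; please document why the warning starts in October 2022 and the browser is opened from April 2023. There is also no branch for installs after the EOL date, where "will receive security fixes only until July 1, 2023" is no longer true and the wording should say that support has ended. ErrorCode passed to ShellExec() is not among the locals declared here (major, d), so it has to exist in the script-level var section.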
+2 -11
@@ -97,17 +97,7 @@ elif [ "$1" = "rehash" ] ; then
fi
elif [ "$1" = "restart" ] ; then
echo "Restarting UnrealIRCd"
if [ ! -r $PID_FILE ] ; then
echo "WARNING: UnrealIRCd was not running"
else
kill -15 `cat $PID_FILE`
if [ "$?" != 0 ]; then
echo "WARNING: UnrealIRCd was not running"
else
sleep 1
kill -9 `cat $PID_FILE` 1>/dev/null 2>&1
fi
fi
$0 stop
$0 start
elif [ "$1" = "croncheck" ] ; then
if [ -r $PID_FILE ] ; then
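Review bot: $0 stop is unquoted and its exit status is ignored. Write "$0" stop (and "$0" start) so a script path containing spaces still works, and decide explicitly what happens when stop reports a failure: at the moment start runs regardless, which may be right when the server was simply not running but not when the old process is still alive.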
@@ -305,6 +295,7 @@ elif [ "$1" = "hot-patch" -o "$1" = "cold-patch" ] ; then
fi
elif [ "$1" = "upgrade" ] ; then
@BINDIR@/unrealircd-upgrade-script $*
exit
elif [ "$1" = "genlinkblock" ] ; then
@BINDIR@/unrealircd -L
else
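Review bot: the added exit has no comment saying why the script must stop after unrealircd-upgrade-script returns, when the neighbouring branches simply fall through to the end of the if chain. State the reason, and write exit $? so it is obvious that the upgrade script's status is what the caller sees. The context line passes $* unquoted; "$@" would preserve arguments that contain spaces.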