Set default ECDH(E) curves to be X25519:secp521r1:secp384r1:prime256v1 with
the following remarks:
* We only set these curves if SSL_CTX_set1_curves_list() is available
(OpenSSL 1.0.2 or later, LibreSSL 2.5.1 or later)
* The X25519 curve is only added if it is available (OpenSSL 1.1.0+)
Add set::ssl::ecdh-curve so you can force one or more ECDH(E) curves.
This requires OpenSSL 1.0.2 or newer (released on 22 Jan 2015).
Also fix a bug with OpenSSL 1.1.0+ where - due to removal of an API
function - we accidentally forced curve P-256 rather than automatic
selection. That sucks because the automatic selection (since 1.0.2+)
allows supporting multiple curves and selecting the highest one.
Travis-CI: system-cares + system-curl test wasn't run properly
because only the first argument was passed to the select-config script.
Also add 'set -x' in select-config for easier debugging.
-Wno-invalid-source-encoding:
+dnl This is purely for charsys.c... I like it so we can easily read
+dnl this for non-utf8. We can remove it once we ditch non-utf8 some day
+dnl of course, or decide to ignore me and encode them.
Similar to previous commit, change: alter HOOKTYPE_MODE_DEOP function:
-int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, char modechar, long my_access, char **badmode);
+int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, int modechar, long my_access, char **badmode);
.. this to get rid of a compiler warning and potential problem.
Update HOOKTYPE_CHANNEL_SYNCED to get rid of compiler warning.
Can't safely use shorts with variable argument functions I think,
or maybe only with reduced type checking which is not what we want.
-void hooktype_channel_synced(aChannel *chptr, unsigned short merge, unsigned short removetheirs, unsigned short nomode);
+void hooktype_channel_synced(aChannel *chptr, int merge, int removetheirs, int nomode);
Add strldup() and safestrldup(), reducing ridiculous amount of code in
m_pass and m_topic.c when duplicating strings with a length limit.
+/* strldup(str,max) copies a string and ensures the new buffer
+ * is at most 'max' size, including nul byte. The syntax is pretty
+ * much identical to strlcpy() except that the buffer is newly
+ * allocated.
+ * If you wonder why not use strndup() instead?
+ * I feel that mixing code with strlcpy() and strndup() would be
+ * rather confusing since strlcpy() assumes buffer size including
+ * the nul byte and strndup() assumes without the nul byte and
+ * will write one character extra. Hence this strldup(). -- Syzop
+ */
Mass-replace MyMalloc with MyMallocEx, even if it's unnecessary.
Replace century-old custom functions with C standard funcs,
such as AllocCpy -> strdup.
More code cleanups to get rid of useless casts and other useless
structures such as:
- lp->value.cp = (char *)MyMalloc(strlen(mask) + 1);
- (void)strcpy(lp->value.cp, mask);
+ lp->value.cp = strdup(mask);
Partially rewrite send_channel_modes() (+helper functions).
Although this is only used by servers lacking SJOIN/SJOIN3 so
is of limited use. Still.. got rid of the most ridiculous casts.
Make m_ircops use RPL_TEXT rather than conflicting numeric.
The output of /IRCOPS isn't meant to be client parsable anyway (which
can be seen by the use of bold text and such), so using a generic
numeric rather than wasting two others seems sensible.
Reported by The_Myth in #5066.
Fix bug in blacklist module with multiple replies for the same IP.
We only parsed the first A record reply, so if the blacklist returned
multiple results /and/ you would not have all those types in your
blacklist { } block then you could miss a hit (false negative).
Cleanup of init_sys(): remove old stuff for ancient OS's.
On *NIX now always redirect stdin, stdout and stderr to /dev/null for
safety and to prevent any ssh hanging as reported by mbw (#5087).
This code needs some testing on non-Linux though it should be all
POSIX, unless I missed something... :)
Bram Matthys [Sun, 25 Mar 2018 11:45:59 +0000 (13:45 +0200)]
Change numeric 008 format which reports snomask.
This is for easier parsing of the "MODE yournick" response.
From:
:maintest.test.net 008 testuser :Server notice mask (+kcfjvGqSso)
To:
:maintest.test.net 008 testuser +kcfjvGqSso :Server notice mask
Reported by emerson in #5079.
Bram Matthys [Sun, 25 Mar 2018 11:22:19 +0000 (13:22 +0200)]
Fix './unrealircd reloadtls' not reloading certificates/keys if
listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options
are used. In short: it only reloaded the ones from set::ssl until
now. Bug reported by Mr_Smoke (#5072)
Bram Matthys [Wed, 7 Mar 2018 08:40:13 +0000 (09:40 +0100)]
Disable timesynch by default.
Built-in time synchronization was added in 2006 when many computers did not
do time synchronization by default. Nowadays nearly all operating systems,
including many Linux distro's, Windows and OS X have time synchronization
enabled out-of-the box.
You can still re-enable the built-in timesynch feature via:
set { timesynch { enable yes; }; };
..but you should really use NTP instead.
Bram Matthys [Fri, 29 Dec 2017 08:15:11 +0000 (09:15 +0100)]
dead_link() was not sending the error message to the user.
This affected the following errors:
* Max SendQ exceeded
* Excess Flood
* Flood from unknown connection
* SSL Handshake flood detected
* Rejected link without SSL/TLS
* Various errors from the websocket module
* Other errors generated by 3rd party modules
Bram Matthys [Wed, 13 Dec 2017 08:02:32 +0000 (09:02 +0100)]
Fix linking problem if only using link::outgoing (and not link::incoming)
which is perfectly legal but caused a confusing error message about
a 'server name mismatch'.
Bram Matthys [Fri, 1 Dec 2017 09:00:15 +0000 (10:00 +0100)]
Apparently individual PROTOCTL tokens were limited at 128 chars.
This posed a limitation with utf8 PROTOCTL NICKCHARS=... and
potentially PROTOCTL SERVERS=... if having more than 32 servers.
The limitation has now been removed (buffer length = 512)
Bram Matthys [Mon, 27 Nov 2017 16:57:57 +0000 (17:57 +0100)]
Add ability to use vs2012/vs2017 command with CUSTOMMODULE:
Visual Studio 2012:
call extras/build-tests/windows/compilecmd/vs2012.bat CUSTOMMODULE MODULEFILE=xyz
Visual Studio 2017:
call extras/build-tests/windows/compilecmd/vs2017.bat CUSTOMMODULE MODULEFILE=xyz
Bram Matthys [Mon, 27 Nov 2017 11:03:53 +0000 (12:03 +0100)]
Add note regarding CASEMAPPING and "visually identical character" checks.
Also call the UTF8 charsys support experimental. Not so much because
of issues in UnrealIRCd that are unique to utf8 but because of the many
"but's" such as lack of services support. And people suddenly waking up
and realizing there never was improved CASEMAPPING and "visually identical
character checks" in original charsys either.
Bram Matthys [Mon, 27 Nov 2017 10:41:07 +0000 (11:41 +0100)]
Permit 0xa0, if it appears inside UTF8 (via set::allowed-nickchars).
This is the "non breaking space" outside UTF8 and thus was previously
blacklisted. Keeping it blacklisted even if it appears in UTF8 is not
really an option as it means some UTF8 characters can never be used,
like the letter "nun" in Hebrew, and likely others.
Bram Matthys [Mon, 27 Nov 2017 10:24:25 +0000 (11:24 +0100)]
Modularize charsys (set::allowed-nickchars). It's still a mandatory
module but at least the code can be updated on the fly (or replaced
with some other secondary alternative module in the future).
src/charsys.c -> src/modules/charsys.c
This also means everyone needs to load the modules/charsys module.
Bram Matthys [Sat, 25 Nov 2017 20:12:41 +0000 (21:12 +0100)]
Added UTF8 support in set::allowed-nickchars
See https://www.unrealircd.org/docs/Nick_Character_Sets
Example: set { allowed-nickchars { latin-utf8; }; };
Important remarks:
* All your servers must be on UnrealIRCd 4.0.17 (or later)
* Most(?) services do not support this, so users using UTF8 nicknames
won't be able to register at NickServ.
* In set::allowed-nickchars you must either choose an utf8 language
or a non-utf8 character set. You cannot combine the two.
* You also cannot combine multiple scripts/alphabets, such as:
latin, greek, cyrillic and hebrew. You must choose one.
* If you are already using set::allowed-nickchars on your network
(eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
* Your clients may still assume non-UTF8
* If users registered nicks with accents or other special characters
at NickServ then they may not be able to access their account
after the migration to UTF8.
Bram Matthys [Sat, 25 Nov 2017 14:48:28 +0000 (15:48 +0100)]
Show additional information in SSL errors. Such as:
"SSL_accept(): Internal OpenSSL error or protocol error: tls_process_client_hello: unsupported protocol"
rather than just
"SSL_accept(): Internal OpenSSL error or protocol error"
Perhaps it can be shortened in a later version if this is acceptable.
This can help with tracing server linking errors, and/or
if using the junk snomask (MODE nick +s +j).
Bram Matthys [Tue, 21 Nov 2017 10:40:07 +0000 (11:40 +0100)]
Fix crash if using anope with old unreal32 mod w/SSL on non-localhost.
Sounds rare and you should really use a more recent version of anope
with the unreal4 protocol module. But, of course, we shouldn't crash.