Merge remote-tracking branch 'upstream/unreal60_dev' into piss60

Config

@@ -520,36 +520,38 @@ if [ "$SSLDIR" != "" -a "$SSLDIR" != "/usr" ]; then
 	read cc
 fi
 
-TEST=""
-while [ -z "$TEST" ] ; do
-  if [ "$GENCERTIFICATE" = "1" ] ; then
-    TEST="Yes"
-  else
-    TEST="No"
-  fi
-  echo ""
-  echo "UnrealIRCd requires a TLS certificate in order to work."
-  echo "Do you want to generate a TLS certificate for the IRCd?"
-  echo "Only answer No if you already have one."
-  echo $n "[$TEST] -> $c"
-  read cc
-  if [ -z "$cc" ] ; then
-  cc=$TEST
-  fi
-  case "$cc" in
-  [Yy]*)
-    GENCERTIFICATE="1"
-    ;;
-  [Nn]*)
-    GENCERTIFICATE=""
-    ;;
-  *)
-    echo ""
-    echo "You must enter either Yes or No"
-    TEST=""
-    ;;
-  esac
-done
+if [ ! -f $BASEPATH/conf/tls/server.cert.pem -a ! -f $BASEPATH/conf/ssl/server.cert.pem ]; then
+	TEST=""
+	while [ -z "$TEST" ] ; do
+	  if [ "$GENCERTIFICATE" = "1" ] ; then
+	    TEST="Yes"
+	  else
+	    TEST="No"
+	  fi
+	  echo ""
+	  echo "UnrealIRCd requires a TLS certificate in order to work."
+	  echo "Do you want to generate a self-signed TLS certificate for the IRCd?"
+	  echo "Only answer No if you already have one."
+	  echo $n "[$TEST] -> $c"
+	  read cc
+	  if [ -z "$cc" ] ; then
+	  cc=$TEST
+	  fi
+	  case "$cc" in
+	  [Yy]*)
+	    GENCERTIFICATE="1"
+	    ;;
+	  [Nn]*)
+	    GENCERTIFICATE=""
+	    ;;
+	  *)
+	    echo ""
+	    echo "You must enter either Yes or No"
+	    TEST=""
+	    ;;
+	  esac
+	done
+fi
 
 TEST=""
 while [ -z "$TEST" ] ; do

configure

@@ -6330,6 +6330,51 @@ if test "$ac_cv_ip6" = "no"; then
 	as_fn_error $? "Your system does not support IPv6" "$LINENO" 5
 fi
 
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if you have getsockopt TCP_INFO" >&5
+printf %s "checking if you have getsockopt TCP_INFO... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+	  #include <stdlib.h>
+	  #include <sys/socket.h>
+	  #include <netinet/in.h>
+	  #include <netinet/tcp.h>
+	  #include <sys/socket.h>
+int
+main (void)
+{
+
+	  socklen_t optlen = sizeof(struct tcp_info);
+	  struct tcp_info ti;
+	  ti.tcpi_rtt = 0;
+	  ti.tcpi_rttvar = 0;
+	  #if defined(__FreeBSD__)
+	  ti.__tcpi_pmtu = 0;
+	  #else
+	  ti.tcpi_pmtu = 0;
+	  #endif
+	  ti.tcpi_snd_cwnd = 0;
+	  ti.tcpi_snd_mss = 0;
+	  ti.tcpi_rcv_mss = 0;
+	  getsockopt(0, IPPROTO_TCP, TCP_INFO, &ti, &optlen);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+
+printf "%s\n" "#define HAVE_TCP_INFO 1" >>confdefs.h
+
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+else $as_nop
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+
 ac_fn_c_check_header_compile "$LINENO" "sys/syslog.h" "ac_cv_header_sys_syslog_h" "$ac_includes_default"
 if test "x$ac_cv_header_sys_syslog_h" = xyes
 then :

configure.ac

@@ -370,6 +370,32 @@ if test "$ac_cv_ip6" = "no"; then
 	AC_MSG_ERROR([Your system does not support IPv6])
 fi
 
+AC_MSG_CHECKING([if you have getsockopt TCP_INFO])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
+	[[#include <sys/types.h>
+	  #include <stdlib.h>
+	  #include <sys/socket.h>
+	  #include <netinet/in.h>
+	  #include <netinet/tcp.h>
+	  #include <sys/socket.h>]],
+	[[
+	  socklen_t optlen = sizeof(struct tcp_info);
+	  struct tcp_info ti;
+	  ti.tcpi_rtt = 0;
+	  ti.tcpi_rttvar = 0;
+	  #if defined(__FreeBSD__)
+	  ti.__tcpi_pmtu = 0;
+	  #else
+	  ti.tcpi_pmtu = 0;
+	  #endif
+	  ti.tcpi_snd_cwnd = 0;
+	  ti.tcpi_snd_mss = 0;
+	  ti.tcpi_rcv_mss = 0;
+	  getsockopt(0, IPPROTO_TCP, TCP_INFO, &ti, &optlen);
+	]])],
+	[AC_DEFINE(HAVE_TCP_INFO, 1, [Have getsockopt TCP_INFO])
+	AC_MSG_RESULT(yes)],[AC_MSG_RESULT(no)])
+
 AC_CHECK_HEADER(sys/syslog.h,
 	AC_DEFINE([SYSSYSLOGH], [], [Define if you have the <sys/syslog.h> header file.]))
 AC_CHECK_HEADER(sys/rusage.h,

doc/conf/snomasks.default.conf

@@ -251,6 +251,8 @@ log {
 		samode.SAMODE_COMMAND;
 		/* Blacklist hits */
 		blacklist;
+		/* Central blocklist hits and errors */
+		central-blocklist;
 		/* Never any debug messages */
 		!debug;
 	}

include/config.h

@@ -177,12 +177,17 @@
 
 /* Number of file descriptors reserved for non-incoming-clients.
  * One of which may be used by auth, the rest are really reserved.
- * They can be used for outgoing server links, listeners, logging, etc.
+ * They can be used for outgoing server links, listeners, logging,
+ * DNS lookups, HTTPS callbacks, etc.
  */
-#if MAXCONNECTIONS > 1024
- #define CLIENTS_RESERVE 8
+#if MAXCONNECTIONS >= 10000
+ #define CLIENTS_RESERVE 250
+#elif MAXCONNECTIONS >= 2048
+ #define CLIENTS_RESERVE 32
+#elif MAXCONNECTIONS >= 1024
+ #define CLIENTS_RESERVE 16
 #else
- #define CLIENTS_RESERVE 4
+ #define CLIENTS_RESERVE 8
 #endif
 
 /*

include/h.h

@@ -1466,3 +1466,5 @@ extern const char *config_item_name(ConfigEntry *ce);
 extern int inchannel_compareflags(char symbol, const char *member_modes);
 extern int highest_channel_member_count(Client *client);
 extern MODVAR long long central_spamfilter_last_download;
+extern int valid_operclass_character(char c);
+extern int valid_operclass_name(const char *str);

include/setup.h.in

@@ -136,6 +136,9 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Have getsockopt TCP_INFO */
+#undef HAVE_TCP_INFO
+
 /* Define to 1 if you have the `times' function. */
 #undef HAVE_TIMES
 

include/struct.h

@@ -191,6 +191,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
 #define IDLEN		12
 #define SIDLEN		3
 #define SWHOISLEN	256
+#define OPERCLASSLEN	64
 #define UMODETABLESZ (sizeof(long) * 8)
 #define MAXCCUSERS		20 /* Maximum for set::anti-flood::max-concurrent-conversations */
 #define BATCHLEN	22

include/version.h

@@ -54,7 +54,7 @@
  * Can be useful if the above 3 versionids are insufficient for you (eg: you want to support CVS).
  * This is updated automatically on the CVS server every Monday. so don't touch it.
  */
-#define UNREAL_VERSION_TIME	202340
+#define UNREAL_VERSION_TIME	202343
 
 #define UNREAL_VERSION		((UNREAL_VERSION_GENERATION << 24) + (UNREAL_VERSION_MAJOR << 16) + (UNREAL_VERSION_MINOR << 8))
 #define UnrealProtocol 		6100

src/conf.c

@@ -3334,7 +3334,7 @@ ConfigItem_deny_channel *find_channel_allowed(Client *client, const char *name)
 
 	for (dchannel = conf_deny_channel; dchannel; dchannel = dchannel->next)
 	{
-		if (match_simple(dchannel->channel, name))
+		if (match_esc(dchannel->channel, name))
 		{
 			if (dchannel->class && strcmp(client->local->class->name, dchannel->class))
 				continue;
@@ -3349,7 +3349,7 @@ ConfigItem_deny_channel *find_channel_allowed(Client *client, const char *name)
 		/* Check exceptions... ('allow channel') */
 		for (achannel = conf_allow_channel; achannel; achannel = achannel->next)
 		{
-			if (match_simple(achannel->channel, name))
+			if (match_esc(achannel->channel, name))
 			{
 				if (achannel->class && strcmp(client->local->class->name, achannel->class))
 					continue;
@@ -4085,7 +4085,15 @@ int 	_test_operclass(ConfigFile *conf, ConfigEntry *ce)
 	{
 		config_error_noname(ce->file->filename, ce->line_number, "operclass");
 		errors++;
+	} else
+	if (!valid_operclass_name(ce->value))
+	{
+		config_error("%s:%d: operclass name may only contain alphanumerical characters and "
+		             "characters _-",
+		             ce->file->filename, ce->line_number);
+		errors++;
 	}
+
 	for (cep = ce->items; cep; cep = cep->next)
 	{
 		if (!strcmp(cep->name, "parent"))

src/json.c

@@ -240,7 +240,35 @@ void json_expand_client(json_t *j, const char *key, Client *client, int detail)
 	 */
 	if (client->user)
 	{
-		snprintf(buf, sizeof(buf), "%s!%s@%s", client->name, client->user->username, client->user->realhost);
+		if (IsUser(client) || !MyConnect(client))
+		{
+			/* Post-handshake, after register_user(), it is easy: */
+			snprintf(buf, sizeof(buf), "%s!%s@%s", client->name, client->user->username, client->user->realhost);
+		} else
+		{
+			/* In the handshake, more possibilities (ident could still be ongoing)
+			 * and more speculative (a later class block may want to ignore ident,
+			 * but we don't know that, so we assume that is not the case).
+			 */
+			const char *ident;
+			char temp[USERLEN+1];
+			if (IDENT_CHECK)
+			{
+				if (IsIdentSuccess(client))
+				{
+					/* ident succeeded means: use the identd and no ~ prefix */
+					ident = client->ident;
+				} else {
+					/* ident check failed means ~ prefix */
+					snprintf(temp, sizeof(temp), "~%s", client->user->username);
+					ident = temp;
+				}
+			} else {
+				/* no ident check means no ~ prefix */
+				ident = client->user->username;
+			}
+			snprintf(buf, sizeof(buf), "%s!%s@%s", client->name, ident, client->user->realhost);
+		}
 		json_object_set_new(child, "details", json_string_unreal(buf));
 	} else if (client->ip) {
 		if (*client->name)

src/misc.c

@@ -3107,3 +3107,25 @@ void download_complete_dontcare(const char *url, const char *file, const char *m
 	}
 #endif
 }
+
+int valid_operclass_character(char c)
+{
+	/* allow alpha, numeric, -, _ */
+	if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-_", c))
+		return 0;
+	return 1;
+}
+
+int valid_operclass_name(const char *str)
+{
+	const char *p;
+
+	if (strlen(str) > OPERCLASSLEN)
+		return 0;
+
+	for (p = str; *p; p++)
+		if (!valid_operclass_character(*p))
+			return 0;
+
+	return 1;
+}

src/modules/authprompt.c

@@ -483,7 +483,7 @@ int authprompt_sasl_result(Client *client, int success)
 	}
 
 	/* Authentication was a success */
-	if (*client->name && client->user && *client->user->username && IsNotSpoof(client))
+	if (is_handshake_finished(client))
 	{
 		register_user(client);
 		/* User MAY be killed now. But since we 'return 1' below, it's safe */

src/modules/cap.c

@@ -209,7 +209,7 @@ static void cap_end(Client *client, const char *arg)
 
 	ClearCapabilityFast(client, CAP_IN_PROGRESS);
 
-	if (*client->name && client->user && *client->user->username && IsNotSpoof(client))
+	if (is_handshake_finished(client))
 		register_user(client);
 }
 

src/modules/extbans/operclass.c

@@ -68,8 +68,6 @@ MOD_UNLOAD()
 }
 
 
-#define OPERCLASSLEN 64
-
 const char *extban_operclass_conv_param(BanContext *b, Extban *extban)
 {
 	static char retbuf[OPERCLASSLEN + 4];
@@ -77,10 +75,15 @@ const char *extban_operclass_conv_param(BanContext *b, Extban *extban)
 
 	strlcpy(retbuf, b->banstr, sizeof(retbuf));
 
-	/* allow alpha, numeric, -, _, * and ? wildcards */
+	/* cut off at first invalid character (.. but allow wildcards) */
 	for (p = retbuf; *p; p++)
-		if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_?*", *p))
+	{
+		if (!valid_operclass_character(*p) && !strchr("*?", *p))
+		{
 			*p = '\0';
+			break;
+		}
+	}
 
 	if (retbuf[3] == '\0')
 		return NULL; /* just "~O:" is invalid */