default.nix: drop rb_setenv for BANDB_PATH

Fixes: "bandb - bandb failure: Unable to open sqlite database: unable to open database file"

.travis.yml

@@ -0,0 +1,58 @@
+# Travis-CI Build for charybdis-3.5
+# see travis-ci.org for details
+
+language: c
+
+# Use the faster container-based infrastructure.
+sudo: false
+
+matrix:
+  include:
+    - os: linux
+      compiler: gcc
+      addons:
+        apt:
+          sources: ['ubuntu-toolchain-r-test']
+          packages: ['gcc-4.8', 'automake', 'autoconf', 'libtool', 'shtool', 'libsqlite3-dev', 'python-sphinx', 'texinfo']
+      env: COMPILER=gcc-4.8
+
+    - os: linux
+      compiler: gcc
+      addons:
+        apt:
+          sources: ['ubuntu-toolchain-r-test']
+          packages: ['gcc-4.9', 'automake', 'autoconf', 'libtool', 'shtool', 'libsqlite3-dev', 'python-sphinx', 'texinfo']
+      env: COMPILER=gcc-4.9
+
+    - os: linux
+      compiler: gcc
+      addons:
+        apt:
+          sources: ['ubuntu-toolchain-r-test']
+          packages: ['gcc-5', 'automake', 'autoconf', 'libtool', 'shtool', 'libsqlite3-dev', 'python-sphinx', 'texinfo']
+      env: COMPILER=gcc-5
+
+    - os: linux
+      compiler: clang
+      addons:
+        apt:
+          sources: ['ubuntu-toolchain-r-test', 'llvm-toolchain-precise-3.7']
+          packages: ['clang-3.7', 'automake', 'autoconf', 'libtool', 'shtool', 'libsqlite3-dev', 'python-sphinx', 'texinfo']
+      env: COMPILER=clang-3.7
+
+    - os: osx
+      compiler: clang
+      env: COMPILER=clang LIBTOOLIZE=glibtoolize
+
+
+osx_image: xcode7.3
+
+cache:
+  apt:
+  ccache:
+
+script:
+  - CC=$COMPILER ./configure --with-shared-sqlite
+  - make -j4
+  - make install
+  - "if [ ${TRAVIS_OS_NAME} != 'osx' ]; then make -C doc/oper-guide html man info; fi"

CREDITS

@@ -3,12 +3,21 @@ is led by a team of dedicated developers who have put a lot of time
 into the project, and it has seen use on a variety of different
 network configurations.
  
-The charybdis core team is listed in nick-alphabetical order:
+The Charybdis core team, listed in nick-alphabetical order:
  
+amdj, Aaron Jones <aaronmdjones -at- gmail.com>
+Elizafox, Elizabeth Myers <elizabeth -at- interlinked.me>
 jilles, Jilles Tjoelker <jilles -at- stack.nl>
-mr_flea, Keith Buck <mr_flea -at- esper.net>
 kaniini, William Pitcock <nenolod -at- dereferenced.org>
-spb, Stephen Bennett <spb -at- attenuate.org>
+mr_flea, Keith Buck <mr_flea -at- esper.net>
+Simon, Simon Arlott <charybdis -at- uuid.uk>
+ 
+The following people are also project members, listed in nick-alphabetical
+order:
+ 
+grawity, Mantas Mikulėnas <grawity -at- gmail.com>
+jdhore, JD Horelick <jdhore1 -at- gmail.com>
+viatsko, Valerii Iatsko <dwr -at- codingbox.io>
  
 The following people have made contributions to the Charybdis releases,
 in nick-alphabetical order:
@@ -20,11 +29,12 @@ dwr, Valery Yatsko <dwr -at- shadowircd.net>
 Elizacat, Elizabeth Myers <elizabeth -at- interlinked.me>
 Entrope, Michael Poole <mdpoole -at- trolius.org> 
 gxti, Michael Tharp <gxti -at- partiallystapled.com>
-jdhore, JD Horelick <jdhore1 -at- gmail.com>
+mniip <mniip -at- mniip.com>
+spb, Stephen Bennett <spb -at- attenuate.org>
 Taros, Brett Greenham <taros -at- shadowircd.net>
 ThaPrince, Jon Christopherson <jon -at- vile.com>
 twincest, River Tarnell <river -at- attenuate.org>
 w00t, Robin Burchell <surreal.w00t -at- gmail.com>
 
-Visit the Charybdis website at: http://www.charybdis.io
-Visit us on IRC at: irc.freenode.net #charybdis
+Visit the Charybdis website at: http://www.charybdis.io/
+Visit us on IRC at: irc.charybdis.io #charybdis

NEWS.md

@@ -1,8 +1,113 @@
 # News
 
-This is charybdis 3.5.0, Copyright (c) 2005-2016 Charybdis team.
+This is charybdis 3.5.7, Copyright (c) 2005-2019 Charybdis team.
 See LICENSE for licensing details (GPL v2).
 
+## charybdis-3.5.7
+
+This is primarily a bugfix release.
+
+### user
+- modules/m_sasl.c: don't process messages if SASL has been aborted
+- src/s_user.c: don't corrupt usermodes on module unload/reload
+
+### misc
+- modules/m_list.c: add fake /LIST reply output to help fight spambots
+
+## charybdis-3.5.6
+
+This is primarily a bugfix release.
+
+### security
+- doc/reference.conf: clarify: TLS server fingerprints are not optional
+- extensions/extb_ssl.c: add support for matching fingerprints
+- libratbox/src/mbedtls.c: check public/private keys match
+- libratbox/src/mbedtls.c: support ChaCha20-Poly1305 by default
+
+### user
+- libratbox/src/commio.c: fix accept() for IPv6 after dropping IPv4
+- src/client.c: don't delete servers from the client hash table
+- src/s_user.c: don't send fake MODE for clients with CHGHOST support
+- modules/m_sasl.c: abort session if we receive '*' as data
+- modules/m_sasl.c: check agent is present after every client exit
+
+### misc
+- configure: adjust dlopen/dlsym checks to work under libasan
+- configure: allow exact PID file prefix to be specified
+- doc/: convert SGML oper guide to RST
+- doc/: point users to HELP EXTBAN for inline help
+- extensions/m_webirc.c: set sockhost before using it to set host
+
+## charybdis-3.5.5
+
+This is a minor bugfix release only
+
+### misc
+- GNUTLS: Initialise a variable before trying to load server certificates
+- GNUTLS: Log why certificate fingerprint generation fails
+- GNUTLS: Avoid using new tokens in the default priority string
+
+## charybdis-3.5.4
+
+### security
+- Disable TLSv1.0 in all backends
+- Fix possible NULL dereference in mkpasswd
+- Backport SubjectPublicKeyInfo certificate digest methods from version 4
+- Backport REHASH SSLD functionality from version 4
+  - This allows new ssld processes to be started (to inherit a new or upgraded TLS backend
+    library) without dropping any existing clients or active server links
+
+### misc
+- Various memory leak fixes in newconf, sslproc, zlib
+- Fix crash bug when performing /whois on someone half-way through a CHALLENGE
+- Fix crash bug when performing remote MODRESTART command
+- Allow extban matching presence in secret (+s) channels
+
+## charybdis-3.5.3
+
+### security
+- incorporate all relevant security patches for charybdis through 6th September 2016:
+  - fix issue allowing EXTERNAL authentications to be spoofed using a certificate not actually
+    held by the authenticating user
+
+### misc
+- mbedtls TLS backend improvements from charybdis 4 and 5:
+  - add support for configurable ciphersuites
+  - disable legacy (SSLv2) renegotiation support if possible
+  - disable session tickets if possible
+  - general robustness improvements
+- gnutls TLS backend improvements from charybdis 4:
+  - make certfp support more reliable on newer gnutls versions
+  - avoid possible null dereference when constructing ciphersuites
+- openssl TLS backend improvements from charybdis 4:
+  - avoid a possible use-after-free issue when newer openssl versions cannot load keypairs in a rehash
+  - improve compatibility with libressl
+  - more robustly load DH parameters files
+- daemonization improvements from charybdis 4
+
+## charybdis-3.5.2
+
+### user
+- Allow IRCv3.1 STARTTLS to work with other SSL backends besides OpenSSL.
+- Fix an edge case regression involving channel ban cache that was introduced in 3.5.0.
+
+### misc
+- Ensure ssld does not crash when DH parameters are not provided.
+- mbedtls TLS backend improvements from charybdis 4:
+  - add support for CertFP
+  - provide personalization data for the PRNG
+  - fix library linking order
+- openssl TLS backend improvements from charybdis 4:
+  - do not manually initialise openssl when running with OpenSSL 1.1.0 or later
+  - support ECDHE on more than one curve on OpenSSL 1.0.2 and above
+  - fix DH parameters memory leak
+  - free the old TLS context before constructing a new one (#186)
+
+## charybdis-3.5.1
+
+### misc
+- Backport various ssld IPC improvements from master.
+
 ## charybdis-3.5.0
 
 ### server protocol

README.md

@@ -16,22 +16,22 @@ used with an IRCv3-capable services implementation such as [Atheme][atheme] or [
 
  * For SSL/TLS client and server connections, one of:
 
-   * OpenSSL 1.0 or newer
-   * LibreSSL
-   * mbedTLS
-   * GnuTLS
+   * OpenSSL 1.0.0 or newer (--enable-openssl)
+   * LibreSSL (--enable-openssl)
+   * MbedTLS (--enable-mbedtls)
+   * GnuTLS (--enable-gnutls)
 
- * For certificate-based oper CHALLENGE, OpenSSL 1.0 or newer.
+ * For certificate-based oper CHALLENGE, OpenSSL 1.0.0 or newer.
    (Using CHALLENGE is not recommended for new deployments, so if you want to use a different TLS library,
     feel free.)
 
- * For ECDHE, OpenSSL 1.0.0 or newer is required. RHEL/Fedora and derivatives like CentOS
-   will need to compile OpenSSL from source, as ECC/ECDHE-functionality is removed from
-   the OpenSSL package in these distributions.
+ * For ECDHE under OpenSSL, on Solaris and RHEL/Fedora (and its derivatives such as CentOS) you will
+   need to compile your own OpenSSL on these systems, as they have removed support for ECC/ECDHE.
+   Alternatively, consider using another library (see above).
 
 # tips
 
- * To report bugs in charybdis, visit us at irc.freenode.net #charybdis
+ * To report bugs in charybdis, visit us on IRC at chat.freenode.net #charybdis
 
  * Please read doc/index.txt to get an overview of the current documentation.
 

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.15 -*- Autoconf -*-
+# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

appveyor.yml

@@ -0,0 +1,2 @@
+except:
+  - release/3.5

bandb/bandb.c

@@ -238,7 +238,7 @@ parse_request(rb_helper *helper)
 }
 
 
-static void
+static void __attribute__((noreturn))
 error_cb(rb_helper *helper)
 {
 	if(in_transaction)
@@ -284,13 +284,13 @@ setup_signals(void)
 }
 
 
-static void
+static void __attribute__((noreturn))
 db_error_cb(const char *errstr)
 {
 	char buf[256];
 	rb_snprintf(buf, sizeof(buf), "! :%s", errstr);
 	rb_helper_write(bandb_helper, "%s", buf);
-	rb_sleep(2 << 30, 0);
+	rb_sleep(1 << 30, 0);
 	exit(1);
 }
 
@@ -311,8 +311,7 @@ main(int argc, char *argv[])
 	rsdb_init(db_error_cb);
 	check_schema();
 	rb_helper_loop(bandb_helper, 0);
-
-	return 0;
+	/* UNREACHABLE */
 }
 
 static void

bandb/bantool.c

@@ -123,7 +123,7 @@ static void db_reclaim_slack(void);
 static void export_config(const char *conf, int id);
 static void import_config(const char *conf, int id);
 static void check_schema(void);
-static void print_help(int i_exit);
+static void print_help(int i_exit) __attribute__((noreturn));
 static void wipe_schema(void);
 static void drop_dupes(const char *user, const char *host, const char *t);
 
@@ -146,7 +146,7 @@ main(int argc, char *argv[])
 		{
 		case 'h':
 			print_help(EXIT_SUCCESS);
-			break;
+			/* noreturn call above, this is unreachable */
 		case 'i':
 			flag.none = NO;
 			flag.import = YES;
@@ -867,8 +867,8 @@ bt_smalldate(const char *string)
 /**
  * you are here ->.
  */
-void
-print_help(int i_exit)
+static void
+print_help(const int i_exit)
 {
 	fprintf(stderr, "bantool v.%s - the ircd-ratbox database tool.\n", BT_VERSION);
 	fprintf(stderr, "Copyright (C) 2008 Daniel J Reidy <dubkat@gmail.com>\n");
@@ -899,5 +899,6 @@ print_help(int i_exit)
 	fprintf(stderr,
 		"     path : An optional directory containing old ratbox configs for import, or export.\n");
 	fprintf(stderr, "            If not specified, it looks in PREFIX/etc.\n");
+
 	exit(i_exit);
 }

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for charybdis 3.5.0.
+# Generated by GNU Autoconf 2.69 for charybdis 3.5.7.
 #
 # $Id: configure.ac 3516 2007-06-10 16:14:03Z jilles $
 #
@@ -579,8 +579,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='charybdis'
 PACKAGE_TARNAME='charybdis'
-PACKAGE_VERSION='3.5.0'
-PACKAGE_STRING='charybdis 3.5.0'
+PACKAGE_VERSION='3.5.7'
+PACKAGE_STRING='charybdis 3.5.7'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -635,6 +635,7 @@ MODULES_LIBS
 SELECT_TYPE
 PROGRAM_PREFIX
 PKGRUNDIR
+pkgrundir
 moduledir
 MODULE_DIR
 helpdir
@@ -659,7 +660,6 @@ PKGLIBEXECDIR
 pkglibexecdir
 PKGLOCALSTATEDIR
 pkglocalstatedir
-pkgrundir
 rundir
 pkglibdir
 LEXLIB
@@ -713,6 +713,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -751,6 +752,7 @@ with_logdir
 with_helpdir
 with_moduledir
 with_rundir
+with_pkgrundir
 with_program_prefix
 with_custom_branding
 with_custom_version
@@ -817,6 +819,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1069,6 +1072,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1206,7 +1218,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1319,7 +1331,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures charybdis 3.5.0 to adapt to many kinds of systems.
+\`configure' configures charybdis 3.5.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1359,6 +1371,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1380,7 +1393,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of charybdis 3.5.0:";;
+     short | recursive ) echo "Configuration of charybdis 3.5.7:";;
    esac
   cat <<\_ACEOF
 
@@ -1416,7 +1429,8 @@ Optional Packages:
   --with-logdir=DIR       Directory where to write logfiles.
   --with-helpdir=DIR      Directory to install help files.
   --with-moduledir=DIR    Directory to install modules.
-  --with-rundir=DIR       Directory in which to store pidfile.
+  --with-rundir=DIR       Directory to use as prefix for pidfile.
+  --with-pkgrundir=DIR    Directory in which to store pidfile.
   --with-program-prefix=  If set, programs installed into PATH will be
                           installed with names prefixed by this prefix.
   --with-custom-branding=NAME
@@ -1518,7 +1532,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-charybdis configure 3.5.0
+charybdis configure 3.5.7
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2122,7 +2136,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by charybdis $as_me 3.5.0, which was
+It was created by charybdis $as_me 3.5.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -5438,7 +5452,6 @@ pkglibdir='${libdir}/${PACKAGE_TARNAME}'
 
 
 
-
   test "x$prefix" = xNONE && prefix="$ac_default_prefix"
   test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
   last_ac_define_dir=`eval echo $pkglocalstatedir`
@@ -7732,8 +7745,8 @@ _ACEOF
 
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether or modify rundir" >&5
-$as_echo_n "checking whether or modify rundir... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to modify rundir" >&5
+$as_echo_n "checking whether to modify rundir... " >&6; }
 
 # Check whether --with-rundir was given.
 if test "${with_rundir+set}" = set; then :
@@ -7752,6 +7765,22 @@ fi
 
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to modify pkgrundir" >&5
+$as_echo_n "checking whether to modify pkgrundir... " >&6; }
+
+# Check whether --with-pkgrundir was given.
+if test "${with_pkgrundir+set}" = set; then :
+  withval=$with_pkgrundir; { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	pkgrundir=`echo $withval | sed 's/\/$//'`
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
   test "x$prefix" = xNONE && prefix="$ac_default_prefix"
   test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
   last_ac_define_dir=`eval echo $pkgrundir`
@@ -7775,6 +7804,7 @@ _ACEOF
 
 
 
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for program prefix" >&5
 $as_echo_n "checking for program prefix... " >&6; }
 
@@ -7828,6 +7858,13 @@ $as_echo "no" >&6; }
 fi
 
 
+if git rev-parse --git-dir > /dev/null 2>&1; then
+	GITSHA=$(git rev-parse --short HEAD)
+else
+	GITSHA="unknown"
+fi
+
+
 
 cat >>confdefs.h <<_ACEOF
 #define BRANDING_NAME "$BRANDING_NAME"
@@ -7835,10 +7872,11 @@ _ACEOF
 
 
 cat >>confdefs.h <<_ACEOF
-#define BRANDING_VERSION "$BRANDING_VERSION"
+#define BRANDING_VERSION "${BRANDING_VERSION}-${GITSHA}"
 _ACEOF
 
 
+
 if test "x$BRANDING_NAME" != "x$PACKAGE_NAME"; then
 
 $as_echo "#define CUSTOM_BRANDING 1" >>confdefs.h
@@ -8441,6 +8479,67 @@ ac_res=$ac_cv_search_dlopen
 if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlsym" >&5
+$as_echo_n "checking for library containing dlsym... " >&6; }
+if ${ac_cv_search_dlsym+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlsym ();
+int
+main ()
+{
+return dlsym ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' dl c_r; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_dlsym=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_dlsym+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_dlsym+:} false; then :
+
+else
+  ac_cv_search_dlsym=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlsym" >&5
+$as_echo "$ac_cv_search_dlsym" >&6; }
+ac_res=$ac_cv_search_dlsym
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+				if
+					test "$ac_cv_search_dlopen" != "none required" &&
+					test "$ac_cv_search_dlsym" != "none required" &&
+					test "$ac_cv_search_dlopen" != "$ac_cv_search_dlsym"; then
+					{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: dlopen and dlsym from different sources" >&5
+$as_echo "$as_me: WARNING: dlopen and dlsym from different sources" >&2;}
+				fi
 
 $as_echo "#define HAVE_DLOPEN 1" >>confdefs.h
 
@@ -8461,17 +8560,6 @@ fi
 done
 
 				fi
-	    ac_fn_c_check_func "$LINENO" "dlsym" "ac_cv_func_dlsym"
-if test "x$ac_cv_func_dlsym" = xyes; then :
-
-else
-
-	      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: dlsym is not available, shared modules disabled" >&5
-$as_echo "$as_me: WARNING: dlsym is not available, shared modules disabled" >&2;}
-	      shared_modules=no
-
-fi
-
 				for ac_func in dlfunc
 do :
   ac_fn_c_check_func "$LINENO" "dlfunc" "ac_cv_func_dlfunc"
@@ -8491,6 +8579,13 @@ else
 fi
 
 
+else
+
+			shared_modules=no
+
+fi
+
+
 fi
 
 fi
@@ -10389,7 +10484,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by charybdis $as_me 3.5.0, which was
+This file was extended by charybdis $as_me 3.5.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10455,7 +10550,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-charybdis config.status 3.5.0
+charybdis config.status 3.5.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -10,7 +10,7 @@ AC_PREREQ(2.57)
 dnl Sneaky way to get an Id tag into the configure script
 AC_COPYRIGHT([$Id: configure.ac 3516 2007-06-10 16:14:03Z jilles $])
 
-AC_INIT([charybdis], [3.5.0])
+AC_INIT([charybdis], [3.5.7])
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADER(include/setup.h)
@@ -243,7 +243,6 @@ AS_IF([test "x$enable_fhs_paths" = "xyes"],
 pkglibdir='${libdir}/${PACKAGE_TARNAME}'
 AC_SUBST([pkglibdir])
 AC_SUBST([rundir])
-AC_SUBST([pkgrundir])
 AC_SUBST([pkglocalstatedir])
 AC_DEFINE_DIR([PKGLOCALSTATEDIR], [pkglocalstatedir], [[Directory in which to store state, such as ban database]])
 AC_SUBST([pkglibexecdir])
@@ -684,21 +683,40 @@ AC_ARG_WITH(moduledir,
 AC_DEFINE_DIR(MODULE_DIR, moduledir, [Prefix where modules are installed.])
 AC_SUBST_DIR([moduledir])
 
+dnl **********************************************************************
 dnl Check for --with-rundir
+dnl **********************************************************************
 
-AC_MSG_CHECKING([whether or modify rundir])
+AC_MSG_CHECKING([whether to modify rundir])
 AC_ARG_WITH([rundir],
 	[AC_HELP_STRING([--with-rundir=DIR],
-		[Directory in which to store pidfile.])],
+		[Directory to use as prefix for pidfile.])],
 	[AC_MSG_RESULT([yes])
 	rundir=`echo $withval | sed 's/\/$//'`],
 	[AC_MSG_RESULT([no])
 	AS_IF([test "x$enable_fhs_paths" = "xyes"],
 		[rundir='${prefix}/run'],
 		[rundir='${sysconfdir}'])])
-AC_SUBST([rundir])
+
+dnl **********************************************************************
+dnl Check for --with-pkgrundir
+dnl **********************************************************************
+
+AC_MSG_CHECKING([whether to modify pkgrundir])
+AC_ARG_WITH([pkgrundir],
+	[AC_HELP_STRING([--with-pkgrundir=DIR],
+		[Directory in which to store pidfile.])],
+	[AC_MSG_RESULT([yes])
+	pkgrundir=`echo $withval | sed 's/\/$//'`],
+	[AC_MSG_RESULT([no])])
+
+AC_SUBST([pkgrundir])
 AC_DEFINE_DIR([PKGRUNDIR], [pkgrundir], [Directory to store pidfile in.])
 
+dnl **********************************************************************
+dnl Check for --with-program-prefix
+dnl **********************************************************************
+
 dnl Installed utility program prefixes (does not affect binaries
 dnl installed into pkglibexecdir)
 AC_MSG_CHECKING([for program prefix])
@@ -735,8 +753,16 @@ AC_HELP_STRING([--with-custom-version=NAME],
 		AC_MSG_RESULT([no])]
 )
 
+if git rev-parse --git-dir > /dev/null 2>&1; then
+	GITSHA=$(git rev-parse --short HEAD)
+else
+	GITSHA="unknown"
+fi
+
+
 AC_DEFINE_UNQUOTED(BRANDING_NAME, ["$BRANDING_NAME"], [Custom branding name.])
-AC_DEFINE_UNQUOTED(BRANDING_VERSION, ["$BRANDING_VERSION"], [Custom branding name.])
+AC_DEFINE_UNQUOTED(BRANDING_VERSION, ["${BRANDING_VERSION}-${GITSHA}"], [Custom branding name.])
+
 
 if test "x$BRANDING_NAME" != "x$PACKAGE_NAME"; then
 	AC_DEFINE(CUSTOM_BRANDING, 1, [Define if custom branding is enabled.])
@@ -1005,6 +1031,14 @@ if test "$shared_modules" = yes; then
 		dnl standard dlopen
 		AC_SEARCH_LIBS(dlopen, [dl c_r],
 		[
+			AC_SEARCH_LIBS(dlsym, [dl c_r],
+			[
+				if
+					test "$ac_cv_search_dlopen" != "none required" &&
+					test "$ac_cv_search_dlsym" != "none required" &&
+					test "$ac_cv_search_dlopen" != "$ac_cv_search_dlsym"; then
+					AC_MSG_WARN([dlopen and dlsym from different sources])
+				fi
 				AC_DEFINE(HAVE_DLOPEN, 1, [Define if the dlopen function is available.])
 				SUFFIX=".so"
 				MOD_TARGET=shared_modules
@@ -1012,12 +1046,11 @@ if test "$shared_modules" = yes; then
 				if test "$AppleGCC" = yes; then
 					AC_CHECK_HEADERS([mach-o/dyld.h])
 				fi
-	    AC_CHECK_FUNC(dlsym, ,
+				AC_CHECK_FUNCS(dlfunc)
+			],
 			[
-	      AC_MSG_WARN([dlsym is not available, shared modules disabled])
 				shared_modules=no
 			])
-	    AC_CHECK_FUNCS(dlfunc)
 		],
 		[
 			shared_modules=no

default.nix

@@ -0,0 +1,26 @@
+{ stdenv, bash
+, flex, bison
+, openssl, gnutls, zlib }:
+
+stdenv.mkDerivation {
+  pname = "charybdis";
+  version = "3.5.7";
+
+  src = ./.;
+
+  patches = [
+    ./patches/bandb-remove-setenv.patch
+  ];
+
+  configureFlags = [
+    "--enable-epoll"
+    "--enable-ipv6"
+    "--with-zlib-path=${zlib.dev}/lib"
+    "--enable-openssl=${openssl.dev}"
+    "--with-program-prefix=charybdis-"
+    "--sysconfdir=/etc/charybdis"
+  ];
+
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ openssl gnutls zlib ];
+}

doc/ircd.conf.example

@@ -24,6 +24,7 @@
 #loadmodule "extensions/extb_realname.so";
 #loadmodule "extensions/extb_server.so";
 #loadmodule "extensions/extb_ssl.so";
+#loadmodule "extensions/extb_usermode.so";
 #loadmodule "extensions/hurt.so";
 #loadmodule "extensions/m_findforwards.so";
 #loadmodule "extensions/m_identify.so";
@@ -450,6 +451,14 @@ alias "MS" {
 	target = "MemoServ";
 };
 
+/*
+fakechannel "#honeypot" {
+	topic = "Come in";
+	users_min = 50;
+	users_max = 300;
+};
+*/
+
 general {
 	hide_error_messages = opers;
 	hide_spoof_ips = yes;
@@ -519,6 +528,7 @@ general {
 	caller_id_wait = 1 minute;
 	pace_wait_simple = 1 second;
 	pace_wait = 10 seconds;
+	listfake_wait = 180 seconds;
 	short_motd = no;
 	ping_cookie = no;
 	connect_timeout = 30 seconds;
@@ -547,3 +557,17 @@ modules {
 	path = "modules";
 	path = "modules/autoload";
 };
+
+/*
+vhost "selfsigned.hades.arpa" {
+	ssl_private_key = "etc/selfssl.key";
+	ssl_cert = "etc/selfssl.pem";
+};
+
+vhost "oldca.hades.arpa" {
+	ssl_private_key = "etc/oldssl.key";
+	ssl_cert = "etc/oldssl2.pem";
+  ssl_dh_params = "etc/olddh.pem";
+  ssl_cipher_list = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";;
+};
+*/

doc/oper-guide/.gitignore

@@ -0,0 +1 @@
+_build

doc/oper-guide/Makefile

@@ -0,0 +1,225 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+PAPER         =
+BUILDDIR      = _build
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html       to make standalone HTML files"
+	@echo "  dirhtml    to make HTML files named index.html in directories"
+	@echo "  singlehtml to make a single large HTML file"
+	@echo "  pickle     to make pickle files"
+	@echo "  json       to make JSON files"
+	@echo "  htmlhelp   to make HTML files and a HTML help project"
+	@echo "  qthelp     to make HTML files and a qthelp project"
+	@echo "  applehelp  to make an Apple Help Book"
+	@echo "  devhelp    to make HTML files and a Devhelp project"
+	@echo "  epub       to make an epub"
+	@echo "  epub3      to make an epub3"
+	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
+	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+	@echo "  text       to make text files"
+	@echo "  man        to make manual pages"
+	@echo "  texinfo    to make Texinfo files"
+	@echo "  info       to make Texinfo files and run them through makeinfo"
+	@echo "  gettext    to make PO message catalogs"
+	@echo "  changes    to make an overview of all changed/added/deprecated items"
+	@echo "  xml        to make Docutils-native XML files"
+	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
+	@echo "  linkcheck  to check all external links for integrity"
+	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
+	@echo "  coverage   to run coverage check of the documentation (if enabled)"
+	@echo "  dummy      to check syntax errors of document sources"
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR)/*
+
+.PHONY: html
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+.PHONY: dirhtml
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+.PHONY: singlehtml
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+.PHONY: pickle
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+.PHONY: json
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+.PHONY: htmlhelp
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+.PHONY: qthelp
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Charybdisoperatorguide.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Charybdisoperatorguide.qhc"
+
+.PHONY: applehelp
+applehelp:
+	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+	@echo
+	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+	@echo "N.B. You won't be able to view it unless you put it in" \
+	      "~/Library/Documentation/Help or install it in your application" \
+	      "bundle."
+
+.PHONY: devhelp
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/Charybdisoperatorguide"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Charybdisoperatorguide"
+	@echo "# devhelp"
+
+.PHONY: epub
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+.PHONY: epub3
+epub3:
+	$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
+	@echo
+	@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
+
+.PHONY: latex
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+.PHONY: latexpdf
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: latexpdfja
+latexpdfja:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through platex and dvipdfmx..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: text
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+.PHONY: man
+man:
+	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+.PHONY: texinfo
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+.PHONY: info
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+.PHONY: gettext
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+.PHONY: changes
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+.PHONY: linkcheck
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+.PHONY: doctest
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
+
+.PHONY: coverage
+coverage:
+	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+	@echo "Testing of coverage in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/coverage/python.txt."
+
+.PHONY: xml
+xml:
+	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+	@echo
+	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+.PHONY: pseudoxml
+pseudoxml:
+	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+	@echo
+	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+.PHONY: dummy
+dummy:
+	$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
+	@echo
+	@echo "Build finished. Dummy builder generates no files."

doc/oper-guide/cmodes.rst

@@ -0,0 +1,264 @@
+Channel modes
+=============
+
+Channel modes are determined by the various plugins loaded by the
+server. The following consists only of a base list of common modes:
+your server may have more plugins available, which you can see with
+the following server command, depending on your IRC client::
+
+  /QUOTE HELP CMODE
+
+or::
+
+  /RAW HELP CMODE
+
+``+b``, channel ban
+-------------------
+
+Bans take one parameter which can take several forms. The most common
+form is ``+b nick!user@host``. The wildcards ``*`` and ``?`` are
+allowed, matching zero-or-more, and exactly-one characters
+respectively. The masks will be trimmed to fit the maximum allowable
+length for the relevant element.  Bans are also checked against the IP
+address, even if it resolved or is spoofed. CIDR is supported, like
+``*!*@10.0.0.0/8``. This is most useful with IPv6. Bans are not
+checked against the real hostname behind any kind of spoof, except if
+host mangling is in use (e.g.  ``extensions/ip_cloaking.so``): if the
+user's host is mangled, their real hostname is checked additionally,
+and if a user has no spoof but could enable mangling, the mangled form
+of their hostname is checked additionally. Hence, it is not possible
+to evade bans by toggling host mangling.
+
+The second form (extban) is ``+b $type`` or ``+b $type:data``. type is
+a single character (case insensitive) indicating the type of match,
+optionally preceded by a tilde (``~``) to negate the comparison. data
+depends on type.  Each type is loaded as a module. The available types
+(if any) are listed in the ``EXTBAN`` token of the 005
+(``RPL_ISUPPORT``) numeric. See ``doc/extban.txt`` in the source
+distribution or ``HELP EXTBAN`` for more information.
+
+If no parameter is given, the list of bans is returned. All users can
+use this form. The plus sign should also be omitted.
+
+Matching users will not be allowed to join the channel or knock on it.
+If they are already on the channel, they may not send to it or change
+their nick.
+
+``+c``, colour filter
+---------------------
+
+This cmode activates the colour filter for the channel. This filters out
+bold, underline, reverse video, beeps, mIRC colour codes, and ANSI
+escapes. Note that escape sequences will usually leave cruft sent to the
+channel, just without the escape characters themselves.
+
+``+e``, ban exemption
+---------------------
+
+This mode takes one parameter of the same form as bans, which overrides
+``+b`` and ``+q`` bans for all clients it matches.
+
+This can be useful if it is necessary to ban an entire ISP due to
+persistent abuse, but some users from that ISP should still be allowed
+in. For example::
+
+  /mode #channel +be *!*@*.example.com *!*someuser@host3.example.com
+
+Only channel operators can see ``+e`` changes or request the list.
+
+``+f``, channel forwarding
+--------------------------
+
+This mode takes one parameter, the name of a channel (``+f
+#channel``). If the channel also has the ``+i`` cmode set, and
+somebody attempts to join without either being expliticly invited, or
+having an invex (``+I``), then they will instead join the channel
+named in the mode parameter. The client will also be sent a 470
+numeric giving the original and target channels.
+
+Users are similarly forwarded if the ``+j`` cmode is set and their attempt
+to join is throttled, if ``+l`` is set and there are already too many users
+in the channel or if ``+r`` is set and they are not identified.
+
+Forwards may only be set to ``+F`` channels, or to channels the setter has
+ops in.
+
+Without parameter (``/mode #channel f`` or ``/mode #channel +f``) the forward
+channel is returned. This form also works off channel.
+
+``+F``, allow anybody to forward to this
+----------------------------------------
+
+When this mode is set, anybody may set a forward from a channel they
+have ops in to this channel. Otherwise they have to have ops in this
+channel.
+
+``+g``, allow anybody to invite
+-------------------------------
+
+When this mode is set, anybody may use the ``INVITE`` command on the channel
+in question. When it is unset, only channel operators may use the ``INVITE``
+command.
+
+When this mode is set together with ``+i``, ``+j``, ``+l`` or ``+r``, all channel
+members can influence who can join.
+
+``+i``, invite only
+-------------------
+
+When this cmode is set, no client can join the channel unless they have
+an invex (``+I``) or are invited with the ``INVITE`` command.
+
+``+I``, invite exception (invex)
+--------------------------------
+
+This mode takes one parameter of the same form as bans. Matching clients
+do not need to be invited to join the channel when it is invite-only
+(``+i``). Unlike the ``INVITE`` command, this does not override ``+j``, ``+l`` and ``+r``.
+
+Only channel operators can see ``+I`` changes or request the list.
+
+``+j``, join throttling
+-----------------------
+
+This mode takes one parameter of the form n:t, where n and t are
+positive integers. Only n users may join in each period of t seconds.
+
+Invited users can join regardless of ``+j``, but are counted as normal.
+
+Due to propagation delays between servers, more users may be able to
+join (by racing for the last slot on each server).
+
+``+k``, key (channel password)
+------------------------------
+
+Taking one parameter, when set, this mode requires a user to supply the
+key in order to join the channel: ``/JOIN #channel key``.
+
+``+l``, channel member limit
+----------------------------
+
+Takes one numeric parameter, the number of users which are allowed to be
+in the channel before further joins are blocked. Invited users may join
+regardless.
+
+Due to propagation delays between servers, more users may be able to
+join (by racing for the last slot on each server).
+
+``+L``, large ban list
+----------------------
+
+Channels with this mode will be allowed larger banlists (by default, 500
+instead of 50 entries for ``+b``, ``+q``, ``+e`` and ``+I`` together). Only network
+operators with resv privilege may set this mode.
+
+``+m``, moderated
+-----------------
+
+When a channel is set ``+m``, only users with ``+o`` or ``+v`` on the channel can
+send to it.
+
+Users can still knock on the channel or change their nick.
+
+``+n``, no external messages
+----------------------------
+
+When set, this mode prevents users from sending to the channel without
+being in it themselves. This is recommended.
+
+``+o``, channel operator
+------------------------
+
+This mode takes one parameter, a nick, and grants or removes channel
+operator privilege to that user. Channel operators have full control
+over the channel, having the ability to set all channel modes except ``+L``
+and ``+P``, and kick users. Like voiced users, channel operators can always
+send to the channel, overriding ``+b``, ``+m`` and ``+q`` modes and the per-channel
+flood limit. In most clients channel operators are marked with an '@'
+sign.
+
+The privilege is lost if the user leaves the channel or server in any
+way.
+
+Most networks will run channel registration services (e.g. ChanServ)
+which ensure the founder (and users designated by the founder) can
+always gain channel operator privileges and provide some features to
+manage the channel.
+
+``+p``, paranoid channel
+------------------------
+
+When set, the ``KNOCK`` command cannot be used on the channel to request an
+invite, and users will not be shown the channel in ``WHOIS`` replies unless
+they are on it. Unlike in traditional IRC, ``+p`` and ``+s`` can be set
+together.
+
+``+P``, permanent channel
+-------------------------
+
+Channels with this mode (which is accessible only to network operators
+with resv privilege) set will not be destroyed when the last user
+leaves.
+
+This makes it less likely modes, bans and the topic will be lost and
+makes it harder to abuse network splits, but also causes more unwanted
+restoring of old modes, bans and topics after long splits.
+
+``+q``, quiet
+-------------
+
+This mode behaves exactly like ``+b`` (ban), except that the user may still
+join the channel. The net effect is that they cannot knock on the
+channel, send to the channel or change their nick while on channel.
+
+``+Q``, block forwarded users
+-----------------------------
+
+Channels with this mode set are not valid targets for forwarding. Any
+attempt to forward to this channel will be ignored, and the user will be
+handled as if the attempt was never made (by sending them the relevant
+error message).
+
+This does not affect the ability to set ``+f``.
+
+``+r``, block unidentified
+--------------------------
+
+When set, this mode prevents unidentified users from joining. Invited
+users can still join.
+
+``+s``, secret channel
+----------------------
+
+When set, this mode prevents the channel from appearing in the output of
+the ``LIST``, ``WHO`` and ``WHOIS`` command by users who are not on it. Also, the
+server will refuse to answer ``WHO``, ``NAMES``, ``TOPIC`` and ``LIST`` queries from
+users not on the channel.
+
+``+t``, topic limit
+-------------------
+
+When set, this mode prevents users who are not channel operators from
+changing the topic.
+
+``+v``, voice
+-------------
+
+This mode takes one parameter, a nick, and grants or removes voice
+privilege to that user. Voiced users can always send to the channel,
+overriding ``+b``, ``+m`` and ``+q`` modes and the per-channel flood limit. In most
+clients voiced users are marked with a plus sign.
+
+The privilege is lost if the user leaves the channel or server in any
+way.
+
+``+z``, reduced moderation
+--------------------------
+
+When ``+z`` is set, the effects of ``+m``, ``+b`` and ``+q`` are relaxed. For each
+message, if that message would normally be blocked by one of these
+modes, it is instead sent to all channel operators. This is intended for
+use in moderated debates.
+
+Note that ``+n`` is unaffected by this. To silence a given user completely,
+remove them from the channel.

doc/oper-guide/commands.rst

@@ -0,0 +1,754 @@
+Operator Commands
+=================
+
+Network management commands
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note:: All commands and names are case insensitive. Parameters
+          consisting of one or more separate letters, such as in ``MODE``,
+          ``STATS`` and ``WHO``, are case sensitive.
+
+CONNECT
+-------
+
+::
+
+   CONNECT target [port] [source]
+
+Initiate a connection attempt to server target. If a port is given,
+connect to that port on the target, otherwise use the one given in
+``ircd.conf``. If source is given, tell that server to initiate the
+connection attempt, otherwise it will be made from the server you are
+attached to.
+
+To use the default port with source, specify 0 for port.
+
+SQUIT
+-----
+
+::
+
+   SQUIT server [reason]
+
+Closes down the link to server from this side of the network. If a
+reason is given, it will be sent out in the server notices on both sides
+of the link.
+
+REHASH
+------
+
+::
+
+   REHASH [BANS | DNS | MOTD | OMOTD | TKLINES | TDLINES | TXLINES | TRESVS | REJECTCACHE | HELP] [server]
+
+With no parameter given, ``ircd.conf`` will be reread and parsed. The
+server argument is a wildcard match of server names.
+
+``BANS``
+    Rereads ``kline.conf``, ``dline.conf``, ``xline.conf``,
+    ``resv.conf`` and their .perm variants
+
+``DNS``
+    Reread ``/etc/resolv.conf``.
+
+``MOTD``
+    Reload the ``MOTD`` file
+
+``OMOTD``
+    Reload the operator ``MOTD`` file
+
+``TKLINES``
+    Clears temporary ``K:lines``.
+
+``TDLINES``
+    Clears temporary ``D:lines``.
+
+``TXLINES``
+    Clears temporary ``X:lines``.
+
+``TRESVS``
+    Clears temporary reservations.
+
+``REJECTCACHE``
+    Clears the client rejection cache.
+
+``HELP``
+    Refreshes the help system cache.
+
+RESTART
+-------
+
+::
+
+   RESTART server
+
+Cause an immediate total shutdown of the IRC server, and restart from
+scratch as if it had just been executed.
+
+This reexecutes the ircd using the compiled-in path, visible as ``SPATH`` in
+``INFO``.
+
+.. note:: This command cannot be used remotely. The server name is
+          used only as a safety measure.
+
+DIE
+---
+
+::
+
+   DIE server
+
+Immediately terminate the IRC server, after sending notices to all
+connected clients and servers
+
+.. note:: This command cannot be used remotely. The server name is
+          used only as a safety measure.
+
+SET
+---
+
+::
+
+   SET [ ADMINSTRING | AUTOCONN | AUTOCONNALL | FLOODCOUNT | IDENTTIMEOUT | MAX | OPERSTRING | SPAMNUM | SPAMTIME | SPLITMODE | SPLITNUM | SPLITUSERS ] value
+
+The ``SET`` command sets a runtime-configurable value.
+
+Most of the ``ircd.conf`` equivalents have a ``default_prefix`` and are
+only read on startup. ``SET`` is the only way to change these at run time.
+
+Most of the values can be queried by omitting value.
+
+``ADMINSTRING``
+    Sets string shown in ``WHOIS`` for admins. (umodes +o and +a set, umode
+    +S not set).
+
+``AUTOCONN``
+    Sets auto-connect on or off for a particular server. Takes two
+    parameters, server name and new state.
+
+    To see these values, use ``/stats c``. Changes to this are lost on a
+    rehash.
+
+``AUTOCONNALL``
+    Globally sets auto-connect on or off. If disabled, no automatic
+    connections are done; if enabled, automatic connections are done
+    following the rules for them.
+
+``FLOODCOUNT``
+    The number of lines allowed to be sent to a connection before
+    throttling it due to flooding. Note that this variable is used for
+    both channels and clients.
+
+    For channels, op or voice overrides this; for users, IRC operator
+    status or op or voice on a common channel overrides this.
+
+``IDENTTIMEOUT``
+    Timeout for requesting ident from a client.
+
+``MAX``
+    Sets the maximum number of connections to value.
+
+    This number cannot exceed maxconnections - ``MAX_BUFFER``.
+    maxconnections is the rlimit for number of open files. ``MAX_BUFFER``
+    is defined in config.h, normally 60.
+
+    ``MAXCLIENTS`` is an alias for this.
+
+``OPERSTRING``
+    Sets string shown in ``WHOIS`` for opers (umode ``+o`` set, umodes ``+a`` and ``+S``
+    not set).
+
+``SPAMNUM``
+    Sets how many join/parts to channels constitutes a possible spambot.
+
+``SPAMTIME``
+    Below this time on a channel counts as a join/part as above.
+
+``SPLITMODE``
+    Sets splitmode to value:
+
+    ``ON``
+        splitmode is permanently on
+
+    ``OFF``
+        splitmode is permanently off (default if ``no_create_on_split``
+        and ``no_join_on_split`` are disabled)
+
+    ``AUTO``
+        ircd chooses splitmode based on ``SPLITUSERS`` and ``SPLITNUM`` (default
+        if ``no_create_on_split`` or ``no_join_on_split`` are enabled)
+
+``SPLITUSERS``
+    Sets the minimum amount of users needed to deactivate automatic
+    splitmode.
+
+``SPLITNUM``
+    Sets the minimum amount of servers needed to deactivate automatic
+    splitmode. Only servers that have finished bursting count for this.
+
+User management commands
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+KILL
+----
+
+::
+
+   KILL nick [reason]
+
+Disconnects the user with the given nick from the server they are
+connected to, with the reason given, if present, and broadcast a server
+notice announcing this.
+
+Your nick and the reason will appear on channels.
+
+CLOSE
+-----
+
+Closes all connections from and to clients and servers who have not
+completed registering.
+
+KLINE
+-----
+
+::
+
+   KLINE [length] [user@host | user@a.b.c.d] [ON servername] [:reason]
+
+Adds a ``K:line`` to ``kline.conf`` to ban the given ``user@host`` from using
+that server.
+
+If the optional parameter length is given, the ``K:line`` will be temporary
+(i.e. it will not be stored on disk) and last that long in minutes.
+
+If an IP address is given, the ban will be against all hosts matching
+that IP regardless of DNS. The IP address can be given as a full address
+(``192.168.0.1``), as a CIDR mask (``192.168.0.0/24``), or as a glob
+(``192.168.0.*``).
+
+All clients matching the ``K:line`` will be disconnected from the server
+immediately.
+
+If a reason is specified, it will be sent to the client when they are
+disconnected, and whenever a connection is attempted which is banned.
+
+If the ON part is specified, the ``K:line`` is set on servers matching the
+given mask (provided a matching ``shared{}`` block exists there). Otherwise,
+if specified in a ``cluster{}`` block, the ``K:Line`` will be propagated across
+the network accordingly.
+
+UNKLINE
+-------
+
+::
+
+   UNKLINE user@host [ON servername]
+
+Will attempt to remove a ``K:line`` matching ``user@host`` from ``kline.conf``,
+and will flush a temporary ``K:line``.
+
+XLINE
+-----
+
+::
+
+   XLINE [length] mask [ON servername] [:reason]
+
+Works similarly to ``KLINE``, but matches against the real name field. The
+wildcards are ``*`` (any sequence), ``?`` (any character), ``#`` (a digit) and ``@`` (a
+letter); wildcard characters can be escaped with a backslash. The
+sequence ``\s`` matches a space.
+
+All clients matching the ``X:line`` will be disconnected from the server
+immediately.
+
+The reason is never sent to users. Instead, they will be exited with
+"Bad user info".
+
+If the ON part is specified, the ``X:line`` is set on servers matching the
+given mask (provided a matching ``shared{}`` block exists there). Otherwise,
+if specified in a ``cluster{}`` block, the ``X:line`` will be propagated across
+the network accordingly.
+
+UNXLINE
+-------
+
+::
+
+   UNXLINE mask [ON servername]
+
+Will attempt to remove an ``X:line`` from ``xline.conf``, and will flush a
+temporary ``X:line``.
+
+RESV
+----
+
+::
+
+   RESV [length] [channel | mask] [ON servername] [:reason]
+
+If used on a channel, “jupes” the channel locally. Joins to the channel
+will be disallowed and generate a server notice on ``+y``, and users will
+not be able to send to the channel. Channel jupes cannot contain
+wildcards.
+
+If used on a nickname mask, prevents local users from using a nick
+matching the mask (the same wildcard characters as xlines). There is no
+way to exempt the initial nick from this.
+
+In neither case will current users of the nick or channel be kicked or
+disconnected.
+
+This facility is not designed to make certain nicks or channels
+oper-only.
+
+The reason is never sent to users.
+
+If the ON part is specified, the resv is set on servers matching the
+given mask (provided a matching ``shared{}`` block exists there). Otherwise,
+if specified in a ``cluster{}`` block, the resv will be propagated across
+the network accordingly.
+
+UNRESV
+------
+
+::
+
+   UNRESV [channel | mask] [ON servername]
+
+Will attempt to remove a resv from ``resv.conf``, and will flush a
+temporary resv.
+
+DLINE
+-----
+
+::
+
+   DLINE [length] a.b.c.d [ON servername] [:reason]
+
+Adds a ``D:line`` to ``dline.conf``, which will deny any connections from
+the given IP address. The IP address can be given as a full address
+(``192.168.0.1``) or as a CIDR mask (``192.168.0.0/24``).
+
+If the optional parameter length is given, the ``D:line`` will be temporary
+(i.e. it will not be stored on disk) and last that long in minutes.
+
+All clients matching the ``D:line`` will be disconnected from the server
+immediately.
+
+If a reason is specified, it will be sent to the client when they are
+disconnected, and, if ``dline_reason`` is enabled, whenever a connection is
+attempted which is banned.
+
+``D:lines`` are less load on a server, and may be more appropriate if
+somebody is flooding connections.
+
+If the ON part is specified, the ``D:line`` is set on servers matching the
+given mask (provided a matching ``shared{}`` block exists there, which is
+not the case by default). Otherwise, the D:Line will be set on the local
+server only.
+
+Only ``exempt{}`` blocks exempt from ``D:lines``. Being a server or having
+``kline_exempt`` in ``auth{}`` does *not* exempt (different from ``K/G/X:lines``).
+
+UNDLINE
+-------
+
+::
+
+   UNDLINE a.b.c.d [ON servername]
+
+Will attempt to remove a ``D:line`` from ``dline.conf``, and will flush a
+temporary ``D:line``.
+
+TESTGECOS
+---------
+
+::
+
+   TESTGECOS gecos
+
+Looks up X:Lines matching the given gecos.
+
+TESTLINE
+--------
+
+::
+
+   TESTLINE [nick!] [user@host | a.b.c.d]
+
+Looks up the given hostmask or IP address and reports back on any ``auth{}``
+blocks, D: or K: lines found. If nick is given, also searches for nick
+resvs.
+
+For temporary items the number of minutes until the item expires is
+shown (as opposed to the hit count in STATS q/Q/x/X).
+
+This command will not perform DNS lookups; for best results you must
+testline a host and its IP form.
+
+The given username should begin with a tilde (~) if identd is not in
+use. As of charybdis 2.1.1, ``no_tilde`` and username truncation will be
+taken into account like in the normal client access check.
+
+As of charybdis 2.2.0, a channel name can be specified and the RESV will
+be returned, if there is one.
+
+TESTMASK
+--------
+
+::
+
+   TESTMASK hostmask [gecos]
+
+Searches the network for users that match the hostmask and gecos given,
+returning the number of matching users on this server and other servers.
+
+The hostmask is of the form user@host or user@ip/cidr with \* and ?
+wildcards, optionally preceded by nick!.
+
+The gecos field accepts the same wildcards as xlines.
+
+The IP address checked against is ``255.255.255.255`` if the IP address is
+unknown (remote client on a TS5 server) or 0 if the IP address is hidden
+(``auth{}`` spoof).
+
+LUSERS
+------
+
+::
+   
+   LUSERS [mask] [nick | server]
+
+Shows various user and channel counts.
+
+The mask parameter is obsolete but must be used when querying a remote
+server.
+
+TRACE
+-----
+
+::
+
+   TRACE [server | nick] [location]
+
+With no argument or one argument which is the current server, TRACE
+gives a list of all connections to the current server and a summary of
+connection classes.
+
+With one argument which is another server, TRACE displays the path to
+the specified server, and all servers, opers and -i users on that
+server, along with a summary of connection classes.
+
+With one argument which is a client, TRACE displays the path to that
+client, and that client's information.
+
+If location is given, the command is executed on that server; no path is
+displayed.
+
+When listing connections, type, name and class is shown in addition to
+information depending on the type:
+
+Try.
+    A server we are trying to make a TCP connection to.
+
+H.S.
+    A server we have established a TCP connection to, but is not yet
+    registered.
+
+\?\?\?\?
+    An incoming connection that has not yet registered as a user or a
+    server (“unknown”). Shows the username, hostname, IP address and the
+    time the connection has been open. It is possible that the ident or
+    DNS lookups have not completed yet, and in any case no tildes are
+    shown here. Unknown connections may not have a name yet.
+
+User
+    A registered unopered user. Shows the username, hostname, IP
+    address, the time the client has not sent anything (as in STATS l)
+    and the time the user has been idle (from PRIVMSG only, as in
+    WHOIS).
+
+Oper
+    Like User, but opered.
+
+Serv
+    A registered server. Shows the number of servers and users reached
+    via this link, who made this connection and the time the server has
+    not sent anything.
+
+ETRACE
+------
+
+::
+
+   ETRACE [nick]
+
+Shows client information about the given target, or about all local
+clients if no target is specified.
+
+PRIVS
+-----
+
+::
+
+   PRIVS [nick]
+
+Displays effective operator privileges for the specified nick, or for
+yourself if no nick is given. This includes all privileges from the
+operator block, the name of the operator block and those privileges from
+the auth block that have an effect after the initial connection.
+
+The exact output depends on the server the nick is on, see the matching
+version of this document. If the remote server does not support this
+extension, you will not receive a reply.
+
+MASKTRACE
+---------
+
+::
+
+   MASKTRACE hostmask [gecos]
+
+Searches the local server or network for users that match the hostmask
+and gecos given. Network searches require the ``oper_spy`` privilege and an
+'!' before the hostmask. The matching works the same way as TESTMASK.
+
+The hostmask is of the form ``user@host`` or ``user@ip/cidr`` with ``*`` and ``?``
+wildcards, optionally preceded by ``nick!``.
+
+The gecos field accepts the same wildcards as xlines.
+
+The IP address field contains ``255.255.255.255`` if the IP address is
+unknown (remote client on a TS5 server) or ``0`` if the IP address is hidden
+(``auth{}`` spoof).
+
+CHANTRACE
+---------
+
+::
+
+   CHANTRACE channel
+
+Displays information about users in a channel. Opers with the ``oper_spy``
+privilege can get the information without being on the channel, by
+prefixing the channel name with an ``!``.
+
+The IP address field contains ``255.255.255.255`` if the IP address is
+unknown (remote client on a TS5 server) or ``0`` if the IP address is hidden
+(``auth{}`` spoof).
+
+SCAN
+----
+
+::
+
+   SCAN UMODES +modes-modes [no-list] [list] [global] [list-max number] [mask nick!user@host]
+
+Searches the local server or network for users that have the umodes
+given with + and do not have the umodes given with -. no-list disables
+the listing of matching users and only shows the count. list enables the
+listing (default). global extends the search to the entire network
+instead of local users only. list-max limits the listing of matching
+users to the given amount. mask causes only users matching the given
+nick!user@host mask to be selected. Only the displayed host is
+considered, not the IP address or real host behind dynamic spoofs.
+
+The IP address field contains ``255.255.255.255`` if the IP address is
+unknown (remote client on a TS5 server) or 0 if the IP address is hidden
+(``auth{}`` spoof).
+
+Network searches where a listing is given are operspy commands.
+
+CHGHOST
+-------
+
+::
+
+   CHGHOST nick value
+
+Set the hostname associated with a particular nick for the duration of
+this session. This command is disabled by default because of the abuse
+potential and little practical use.
+
+Miscellaneous commands
+~~~~~~~~~~~~~~~~~~~~~~
+
+ADMIN
+-----
+
+::
+
+   ADMIN [nick | server]
+
+Shows the information in the ``admin{}`` block.
+
+INFO
+----
+
+::
+
+   INFO [nick | server]
+
+Shows information about the authors of the IRC server, and some
+information about this server instance. Opers also get a list of
+configuration options.
+
+TIME
+----
+
+::
+
+   TIME [nick | server]
+
+Shows the local time on the given server, in a human-readable format.
+
+VERSION
+-------
+
+::
+
+   VERSION [nick | server]
+
+Shows version information, a few compile/config options, the SID and the
+005 numerics. The 005 numeric will be remapped to 105 for remote
+requests.
+
+STATS
+-----
+
+::
+
+   STATS [type] [nick | server]
+
+Display various statistics and configuration information.
+
+A
+    Show DNS servers
+
+b
+    Show active nick delays
+
+B
+    Show hash statistics
+
+c
+    Show connect blocks
+
+d
+    Show temporary ``D:lines``
+
+D
+    Show permanent ``D:lines``
+
+e
+    Show exempt blocks (exceptions to ``D:lines``)
+
+E
+    Show events
+
+f
+    Show file descriptors
+
+h
+    Show ``hub_mask``/``leaf_mask``
+
+i
+    Show auth blocks, or matched auth blocks
+
+k
+    Show temporary ``K:lines``, or matched ``K:lines``
+
+K
+    Show permanent ``K:lines``, or matched ``K:lines``
+
+l
+    Show hostname and link information about the given nick. With a
+    server name, show information about opers and servers on that
+    server; opers get information about all local connections if they
+    query their own server. No hostname is shown for server connections.
+
+L
+    Like l, but show IP address instead of hostname
+
+m
+    Show commands and their usage statistics (total counts, total bytes,
+    counts from server connections)
+
+n
+    Show blacklist blocks (DNS blacklists) with hit counts since last
+    rehash and (parenthesized) reference counts. The reference count
+    shows how many clients are waiting on a lookup of this blacklist or
+    have been found and are waiting on registration to complete.
+
+o
+    Show operator blocks
+
+O
+    Show privset blocks
+
+p
+    Show logged on network operators which are not set AWAY.
+
+P
+    Show listen blocks (ports)
+
+q
+    Show temporarily resv'ed nicks and channels with hit counts
+
+Q
+    Show permanently resv'ed nicks and channels with hit counts since
+    last rehash bans
+
+r
+    Show resource usage by the ircd
+
+t
+    Show generic server statistics about local connections
+
+u
+    Show server uptime
+
+U
+    Show shared (c), cluster (C) and service (s) blocks
+
+v
+    Show connected servers and brief status
+
+x
+    Show temporary ``X:lines`` with hit counts
+
+X
+    Show permanent ``X:lines`` with hit counts since last rehash bans
+
+y
+    Show class blocks
+
+z
+    Show memory usage statistics
+
+Z
+    Show ziplinks statistics
+
+?
+    Show connected servers and link information about them
+
+WALLOPS
+-------
+
+::
+
+   WALLOPS :message
+
+Sends a WALLOPS message to all users who have the +w umode set. This is
+for things you don't mind the whole network knowing about.
+
+OPERWALL
+--------
+
+::
+
+   OPERWALL :message
+
+Sends an OPERWALL message to all opers who have the +z umode set. +z is
+restricted, OPERWALL should be considered private communications.

doc/oper-guide/conf.py

@@ -0,0 +1,423 @@
+# -*- coding: utf-8 -*-
+#
+# Charybdis operator guide documentation build configuration file, created by
+# sphinx-quickstart on Sat Mar 25 10:41:29 2017.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = []
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+
+# The encoding of source files.
+#
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'Charybdis operator guide'
+copyright = u'2009, Jilles Tjoelker'
+author = u'Jilles Tjoelker'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = u'3.5'
+# The full version, including alpha/beta/rc tags.
+release = u'3.5'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#
+# today = ''
+#
+# Else, today_fmt is used as the format for a strftime call.
+#
+# today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This patterns also effect to html_static_path and html_extra_path
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+#
+# default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#
+# add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#
+# add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#
+# show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+# modindex_common_prefix = []
+
+# If true, keep warnings as "system message" paragraphs in the built documents.
+# keep_warnings = False
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+#html_theme = 'alabaster'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+# html_theme_path = []
+
+# The name for this set of Sphinx documents.
+# "<project> v<release> documentation" by default.
+#
+# html_title = u'Charybdis operator guide v3.5'
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#
+# html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#
+# html_logo = None
+
+# The name of an image file (relative to this directory) to use as a favicon of
+# the docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#
+# html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+# html_static_path = ['_static']
+
+# Add any extra paths that contain custom files (such as robots.txt or
+# .htaccess) here, relative to this directory. These files are copied
+# directly to the root of the documentation.
+#
+# html_extra_path = []
+
+# If not None, a 'Last updated on:' timestamp is inserted at every page
+# bottom, using the given strftime format.
+# The empty string is equivalent to '%b %d, %Y'.
+#
+# html_last_updated_fmt = None
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#
+# html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#
+# html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#
+# html_additional_pages = {}
+
+# If false, no module index is generated.
+#
+# html_domain_indices = True
+
+# If false, no index is generated.
+#
+# html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#
+# html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#
+# html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#
+# html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#
+# html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#
+# html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+# html_file_suffix = None
+
+# Language to be used for generating the HTML full-text search index.
+# Sphinx supports the following languages:
+#   'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
+#   'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr', 'zh'
+#
+# html_search_language = 'en'
+
+# A dictionary with options for the search language support, empty by default.
+# 'ja' uses this config value.
+# 'zh' user can custom change `jieba` dictionary path.
+#
+# html_search_options = {'type': 'default'}
+
+# The name of a javascript file (relative to the configuration directory) that
+# implements a search results scorer. If empty, the default will be used.
+#
+# html_search_scorer = 'scorer.js'
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'Charybdisoperatorguidedoc'
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+     # The paper size ('letterpaper' or 'a4paper').
+     #
+     # 'papersize': 'letterpaper',
+
+     # The font size ('10pt', '11pt' or '12pt').
+     #
+     # 'pointsize': '10pt',
+
+     # Additional stuff for the LaTeX preamble.
+     #
+     # 'preamble': '',
+
+     # Latex figure (float) alignment
+     #
+     # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'Charybdisoperatorguide.tex', u'Charybdis operator guide Documentation',
+     u'Jilles Tjoelker', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#
+# latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#
+# latex_use_parts = False
+
+# If true, show page references after internal links.
+#
+# latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#
+# latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#
+# latex_appendices = []
+
+# It false, will not define \strong, \code, 	itleref, \crossref ... but only
+# \sphinxstrong, ..., \sphinxtitleref, ... To help avoid clash with user added
+# packages.
+#
+# latex_keep_old_macro_names = True
+
+# If false, no module index is generated.
+#
+# latex_domain_indices = True
+
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'charybdisoperatorguide', u'Charybdis operator guide Documentation',
+     [author], 1)
+]
+
+# If true, show URL addresses after external links.
+#
+# man_show_urls = False
+
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'Charybdisoperatorguide', u'Charybdis operator guide Documentation',
+     author, 'Charybdisoperatorguide', 'One line description of project.',
+     'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#
+# texinfo_appendices = []
+
+# If false, no module index is generated.
+#
+# texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#
+# texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+#
+# texinfo_no_detailmenu = False
+
+
+# -- Options for Epub output ----------------------------------------------
+
+# Bibliographic Dublin Core info.
+epub_title = project
+epub_author = author
+epub_publisher = author
+epub_copyright = copyright
+
+# The basename for the epub file. It defaults to the project name.
+# epub_basename = project
+
+# The HTML theme for the epub output. Since the default themes are not
+# optimized for small screen space, using the same theme for HTML and epub
+# output is usually not wise. This defaults to 'epub', a theme designed to save
+# visual space.
+#
+# epub_theme = 'epub'
+
+# The language of the text. It defaults to the language option
+# or 'en' if the language is not set.
+#
+# epub_language = ''
+
+# The scheme of the identifier. Typical schemes are ISBN or URL.
+# epub_scheme = ''
+
+# The unique identifier of the text. This can be a ISBN number
+# or the project homepage.
+#
+# epub_identifier = ''
+
+# A unique identification for the text.
+#
+# epub_uid = ''
+
+# A tuple containing the cover image and cover page html template filenames.
+#
+# epub_cover = ()
+
+# A sequence of (type, uri, title) tuples for the guide element of content.opf.
+#
+# epub_guide = ()
+
+# HTML files that should be inserted before the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#
+# epub_pre_files = []
+
+# HTML files that should be inserted after the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#
+# epub_post_files = []
+
+# A list of files that should not be packed into the epub file.
+epub_exclude_files = ['search.html']
+
+# The depth of the table of contents in toc.ncx.
+#
+# epub_tocdepth = 3
+
+# Allow duplicate toc entries.
+#
+# epub_tocdup = True
+
+# Choose between 'default' and 'includehidden'.
+#
+# epub_tocscope = 'default'
+
+# Fix unsupported image types using the Pillow.
+#
+# epub_fix_images = False
+
+# Scale large images.
+#
+# epub_max_image_width = 0
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#
+# epub_show_urls = 'inline'
+
+# If false, no index is generated.
+#
+# epub_use_index = True

doc/oper-guide/config.rst

@@ -0,0 +1,825 @@
+Server config file format
+=========================
+
+General format
+~~~~~~~~~~~~~~
+
+The config file consists of a series of BIND-style blocks. Each block
+consists of a series of values inside it which pertain to configuration
+settings that apply to the given block.
+
+Several values take lists of values and have defaults preset inside
+them. Prefix a keyword with a tilde (``~``) to override the default and
+disable it.
+
+A line may also be a .include directive, which is of the form::
+
+  .include "file"
+
+and causes file to be read in at that point, before the rest of
+the current file is processed. Relative paths are first tried relative
+to ``PREFIX`` and then relative to ``ETCPATH`` (normally ``PREFIX``/etc).
+
+Anything from a ``#`` to the end of a line is a comment. Blank lines are
+ignored. C-style comments are also supported.
+
+Specific blocks and directives
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not all configuration blocks and directives are listed here, only the
+most common ones. More blocks and directives will be documented in later
+revisions of this manual.
+
+loadmodule directive
+--------------------
+
+::
+
+   loadmodule "text";
+
+Loads a module into the IRCd. In charybdis 1.1, most modules are
+automatically loaded in. In future versions, it is intended to remove
+this behaviour as to allow for easy customization of the IRCd's
+featureset.
+
+serverinfo {} block
+-------------------
+
+::
+
+   serverinfo {
+        name = "text";
+        sid = "text";
+        description = "text";
+        network_name = "text";
+        network_desc = "text";
+        hub = boolean;
+        vhost = "text";
+        vhost6 = "text";
+   };
+
+The serverinfo {} block defines the core operational parameters of the
+IRC server.
+
+**serverinfo {} variables**
+
+name
+    The name of the IRC server that you are configuring. This must
+    contain at least one dot. It is not necessarily equal to any DNS
+    name. This must be unique on the IRC network.
+
+sid
+    A unique ID which describes the server. This consists of one digit
+    and two characters which can be digits or letters.
+
+description
+    A user-defined field of text which describes the IRC server. This
+    information is used in ``/links`` and ``/whois`` requests. Geographical
+    location information could be a useful use of this field, but most
+    administrators put a witty saying inside it instead.
+
+network\_name
+    The name of the IRC network that this server will be a member of.
+    This is used in the welcome message and ``NETWORK=`` in 005.
+
+hub
+    A boolean which defines whether or not this IRC server will be
+    serving as a hub, i.e. have multiple servers connected to it.
+
+vhost
+    An optional text field which defines an IP from which to connect
+    outward to other IRC servers.
+
+vhost6
+    An optional text field which defines an IPv6 IP from which to
+    connect outward to other IRC servers.
+
+admin {} block
+--------------
+
+::
+
+   admin {
+       name = "text";
+	   description = "text";
+	   email = "text";
+   };
+
+This block provides the information which is returned by the ``ADMIN``
+command.
+
+name
+    The name of the administrator running this service.
+
+description
+    The description of the administrator's position in the network.
+
+email
+    A point of contact for the administrator, usually an e-mail address.
+
+class {} block
+--------------
+
+::
+
+    class "name" {
+            ping_time = duration;
+            number_per_ident = number;
+            number_per_ip = number;
+            number_per_ip_global = number;
+            cidr_ipv4_bitlen = number;
+            cidr_ipv6_bitlen = number;
+            number_per_cidr = number;
+            max_number = number;
+            sendq = size;
+    };
+    
+    class "name" {
+            ping_time = duration;
+            connectfreq = duration;
+            max_number = number;
+            sendq = size;
+    };    
+   
+Class blocks define classes of connections for later use. The class name
+is used to connect them to other blocks in the config file (auth{} and
+connect{}). They must be defined before they are used.
+
+Classes are used both for client and server connections, but most
+variables are different.
+
+**class {} variables: client classes**
+
+ping\_time
+    The amount of time between checking pings for clients, e.g.: 2
+    minutes
+
+number\_per\_ident
+    The amount of clients which may be connected from a single identd
+    username on a per-IP basis, globally. Unidented clients all count as
+    the same username.
+
+number\_per\_ip
+    The amount of clients which may be connected from a single IP
+    address.
+
+number\_per\_ip\_global
+    The amount of clients which may be connected globally from a single
+    IP address.
+
+cidr\_ipv4\_bitlen
+    The netblock length to use with CIDR-based client limiting for IPv4
+    users in this class (between 0 and 32).
+
+cidr\_ipv6\_bitlen
+    The netblock length to use with CIDR-based client limiting for IPv6
+    users in this class (between 0 and 128).
+
+number\_per\_cidr
+    The amount of clients which may be connected from a single netblock.
+
+    If this needs to differ between IPv4 and IPv6, make different
+    classes for IPv4 and IPv6 users.
+
+max\_number
+    The maximum amount of clients which may use this class at any given
+    time.
+
+sendq
+    The maximum size of the queue of data to be sent to a client before
+    it is dropped.
+
+**class {} variables: server classes**
+
+ping\_time
+    The amount of time between checking pings for servers, e.g.: 2
+    minutes
+
+connectfreq
+    The amount of time between autoconnects. This must at least be one
+    minute, as autoconnects are evaluated with that granularity.
+
+max\_number
+    The amount of servers to autoconnect to in this class. More
+    precisely, no autoconnects are done if the number of servers in this
+    class is greater than or equal max\_number
+
+sendq
+    The maximum size of the queue of data to be sent to a server before
+    it is dropped.
+
+auth {} block
+-------------
+
+::
+
+    auth {
+    	user = "hostmask";
+    	password = "text";
+    	spoof = "text";
+    	flags = list;
+    	class = "text";
+    };
+
+auth {} blocks allow client connections to the server, and set various
+properties concerning those connections.
+
+Auth blocks are evaluated from top to bottom in priority, so put special
+blocks first.
+
+auth {} variables
+~~~~~~~~~~~~~~~~~
+
+user
+    A hostmask (``user@host``) that the auth {} block applies to. It is
+    matched against the hostname and IP address (using :: shortening for
+    IPv6 and prepending a 0 if it starts with a colon) and can also use
+    CIDR masks. You can have multiple user entries.
+
+password
+    An optional password to use for authenticating into this auth{}
+    block. If the password is wrong the user will not be able to connect
+    (will not fall back on another auth{} block).
+
+spoof
+    An optional fake hostname (or ``user@host``) to apply to users
+    authenticated to this auth{} block. In ``STATS i`` and ``TESTLINE``, an
+    equals sign (=) appears before the ``user@host`` and the spoof is shown.
+
+flags
+    A list of flags to apply to this ``auth{}`` block. They are listed
+    below. Some of the flags appear as a special character,
+    parenthesized in the list, before the ``user@host`` in ``STATS i`` and
+    ``TESTLINE``.
+
+class
+    A name of a class to put users matching this auth{} block into.
+
+auth {} flags
+~~~~~~~~~~~~~
+
+encrypted
+    The password used has been encrypted.
+
+spoof\_notice
+    Causes the IRCd to send out a server notice when activating a spoof
+    provided by this auth{} block.
+
+exceed\_limit (>)
+    Users in this auth{} block can exceed class-wide limitations.
+
+dnsbl\_exempt ($)
+    Users in this auth{} block are exempted from DNS blacklist checks.
+    However, they will still be warned if they are listed.
+
+kline\_exempt (^)
+    Users in this auth{} block are exempted from DNS blacklists, k:lines
+    and x:lines.
+
+spambot\_exempt
+    Users in this auth{} block are exempted from spambot checks.
+
+shide\_exempt
+    Users in this auth{} block are exempted from some serverhiding
+    effects.
+
+jupe\_exempt
+    Users in this auth{} block do not trigger an alarm when joining
+    juped channels.
+
+resv\_exempt
+    Users in this auth{} block may use reserved nicknames and channels.
+
+    .. note:: The initial nickname may still not be reserved.
+          
+flood\_exempt (\|) Users in this auth{} block may send arbitrary
+    amounts of commands per time unit to the server. This does not
+    exempt them from any other flood limits. You should use this
+    setting with caution.
+
+no\_tilde (-)
+    Users in this auth{} block will not have a tilde added to their
+    username if they do not run identd.
+
+need\_ident (+)
+    Users in this auth{} block must have identd, otherwise they will be
+    rejected.
+
+need\_ssl
+    Users in this auth{} block must be connected via SSL/TLS, otherwise
+    they will be rejected.
+
+need\_sasl
+    Users in this auth{} block must identify via SASL, otherwise they
+    will be rejected.
+
+exempt {} block
+---------------
+
+::
+
+    exempt {
+    	ip = "ip";
+    };
+
+An exempt block specifies IP addresses which are exempt from ``D:lines`` and
+throttling. Multiple addresses can be specified in one block. Clients
+coming from these addresses can still be ``K/G/X:lined`` or banned by a DNS
+blacklist unless they also have appropriate flags in their auth{} block.
+
+**exempt {} variables**
+
+ip
+    The IP address or CIDR range to exempt.
+
+privset {} block
+----------------
+
+::
+   
+    privset {
+    	extends = "name";
+    	privs = list;
+    };
+
+A privset (privilege set) block specifies a set of operator privileges.
+
+**privset {} variables**
+
+extends
+    An optional privset to inherit. The new privset will have all
+    privileges that the given privset has.
+
+privs
+    Privileges to grant to this privset. These are described in the
+    operator privileges section.
+
+operator {} block
+-----------------
+
+::
+
+   operator "name" {
+    	user = "hostmask";
+    	password = "text";
+    	rsa_public_key_file = "text";
+    	umodes = list;
+    	snomask = "text";
+    	flags = list;
+   };
+
+Operator blocks define who may use the ``OPER`` command to gain extended
+privileges.
+
+**operator {} variables**
+
+user
+    A hostmask that users trying to use this operator {} block must
+    match. This is checked against the original host and IP address;
+    CIDR is also supported. So auth {} spoofs work in operator {}
+    blocks; the real host behind them is not checked. Other kind of
+    spoofs do not work in operator {} blocks; the real host behind them
+    is checked.
+
+    Note that this is different from charybdis 1.x where all kinds of
+    spoofs worked in operator {} blocks.
+
+password
+    A password used with the ``OPER`` command to use this operator {} block.
+    Passwords are encrypted by default, but may be unencrypted if
+    ~encrypted is present in the flags list.
+
+rsa\_public\_key\_file
+    An optional path to a RSA public key file associated with the
+    operator {} block. This information is used by the ``CHALLENGE``
+    command, which is an alternative authentication scheme to the
+    traditional ``OPER`` command.
+
+umodes
+    A list of usermodes to apply to successfully opered clients.
+
+snomask
+    An snomask to apply to successfully opered clients.
+
+privset
+    The privilege set granted to successfully opered clients. This must
+    be defined before this operator{} block.
+
+flags
+    A list of flags to apply to this operator{} block. They are listed
+    below.
+
+**operator {} flags**
+
+encrypted
+    The password used has been encrypted. This is enabled by default,
+    use ~encrypted to disable it.
+
+need\_ssl
+    Restricts use of this operator{} block to SSL/TLS connections only.
+
+connect {} block
+----------------
+
+::
+       
+    connect "name" {
+    	host = "text";
+    	send_password = "text";
+    	accept_password = "text";
+    	port = number;
+    	hub_mask = "mask";
+    	leaf_mask = "mask";
+    	class = "text";
+    	flags = list;
+    	aftype = protocol;
+    };
+
+Connect blocks define what servers may connect or be connected to.
+
+**connect {} variables**
+
+host
+    The hostname or IP to connect to.
+
+    .. note:: Furthermore, if a hostname is used, it must have an
+              ``A`` or ``AAAA`` record (no ``CNAME``) and it must be
+              the primary hostname for inbound connections to work.
+
+          IPv6 addresses must be in ``::`` shortened form; addresses which
+          then start with a colon must be prepended with a zero, for
+          example ``0::1``.
+
+send\_password
+    The password to send to the other server.
+
+accept\_password
+    The password that should be accepted from the other server.
+
+port
+    The port on the other server to connect to.
+
+hub\_mask
+    An optional domain mask of servers allowed to be introduced by this
+    link. Usually, "\*" is fine. Multiple hub\_masks may be specified,
+    and any of them may be introduced. Violation of hub\_mask and
+    leaf\_mask restrictions will cause the local link to be closed.
+
+leaf\_mask
+    An optional domain mask of servers not allowed to be introduced by
+    this link. Multiple leaf\_masks may be specified, and none of them
+    may be introduced. leaf\_mask has priority over hub\_mask.
+
+class
+    The name of the class this server should be placed into.
+
+flags
+    A list of flags concerning the connect block. They are listed below.
+
+aftype
+    The protocol that should be used to connect with, either ipv4 or
+    ipv6. This defaults to ipv4 unless host is a numeric IPv6 address.
+
+**connect {} flags**
+
+encrypted
+    The value for accept\_password has been encrypted.
+
+autoconn
+    The server should automatically try to connect to the server defined
+    in this connect {} block if it's not connected already and
+    max\_number in the class is not reached yet.
+
+compressed
+    Ziplinks should be used with this server connection. This compresses
+    traffic using zlib, saving some bandwidth and speeding up netbursts.
+
+    If you have trouble setting up a link, you should turn this off as
+    it often hides error messages.
+
+topicburst
+    Topics should be bursted to this server.
+
+    This is enabled by default.
+
+listen {} block
+---------------
+
+::
+
+   listen {
+    	host = "text";
+    	port = number;
+   };
+
+A listen block specifies what ports a server should listen on.
+
+**listen {} variables**
+
+host
+    An optional host to bind to. Otherwise, the ircd will listen on all
+    available hosts.
+
+port
+    A port to listen on. You can specify multiple ports via commas, and
+    define a range by seperating the start and end ports with two dots
+    (..).
+
+modules {} block
+----------------
+
+::
+   
+    modules {
+    	path = "text";
+    	module = text;
+    };
+
+The modules block specifies information for loadable modules.
+
+**modules {} variables**
+
+path
+    Specifies a path to search for loadable modules.
+
+module
+    Specifies a module to load, similar to loadmodule.
+
+general {} block
+----------------
+
+::
+
+    modules {
+    	values
+    };
+
+The general block specifies a variety of options, many of which were in
+``config.h`` in older daemons. The options are documented in
+``reference.conf``.
+
+channel {} block
+----------------
+
+::
+
+    modules {
+    	values
+    };
+
+The channel block specifies a variety of channel-related options, many
+of which were in ``config.h`` in older daemons. The options are
+documented in ``reference.conf``.
+
+serverhide {} block
+-------------------
+
+::
+
+    modules {
+    	values
+    };
+
+The serverhide block specifies options related to server hiding. The
+options are documented in ``reference.conf``.
+
+blacklist {} block
+------------------
+
+::
+
+    blacklist {
+    	host = "text";
+    	reject_reason = "text";
+    };
+
+The blacklist block specifies DNS blacklists to check. Listed clients
+will not be allowed to connect. IPv6 clients are not checked against
+these.
+
+Multiple blacklists can be specified, in pairs with first host then
+reject\_reason.
+
+**blacklist {} variables**
+
+host
+    The DNSBL to use.
+
+reject\_reason
+    The reason to send to listed clients when disconnecting them.
+
+alias {} block
+--------------
+
+::
+
+    alias "name" {
+    	target = "text";
+    };
+
+Alias blocks allow the definition of custom commands. These commands
+send ``PRIVMSG`` to the given target. A real command takes precedence above
+an alias.
+
+**alias {} variables**
+
+target
+    The target nick (must be a network service (umode ``+S``)) or
+    user@server. In the latter case, the server cannot be this server,
+    only opers can use user starting with "opers" reliably and the user
+    is interpreted on the target server only so you may need to use
+    nick@server instead).
+
+cluster {} block
+----------------
+
+::
+   
+    cluster {
+    	name = "text";
+    	flags = list;
+    };
+    
+The cluster block specifies servers we propagate things to
+automatically. This does not allow them to set bans, you need a separate
+shared{} block for that.
+
+Having overlapping cluster{} items will cause the command to be executed
+twice on the target servers. This is particularly undesirable for ban
+removals.
+
+The letters in parentheses denote the flags in ``/stats`` U.
+
+**cluster {} variables**
+
+name
+    The server name to share with, this may contain wildcards and may be
+    stacked.
+
+flags
+    The list of what to share, all the name lines above this (up to
+    another flags entry) will receive these flags. They are listed
+    below.
+
+**cluster {} flags**
+
+kline (K)
+    Permanent ``K:lines``
+
+tkline (k)
+    Temporary ``K:lines``
+
+unkline (U)
+    ``K:line`` removals
+
+xline (X)
+    Permanent ``X:lines``
+
+txline (x)
+    Temporary ``X:lines``
+
+unxline (Y)
+    ``X:line`` removals
+
+resv (Q)
+    Permanently reserved nicks/channels
+
+tresv (q)
+    Temporarily reserved nicks/channels
+
+unresv (R)
+    ``RESV`` removals
+
+locops (L)
+    ``LOCOPS`` messages (sharing this with \* makes ``LOCOPS`` rather similar to
+    ``OPERWALL`` which is not useful)
+
+all
+    All of the above
+
+shared {} block
+---------------
+
+::
+   
+    shared {
+    	oper = "user@host", "server";
+    	flags = list;
+    };
+
+The shared block specifies opers allowed to perform certain actions on
+our server remotely. These are ordered top down. The first one matching
+will determine the oper's access. If access is denied, the command will
+be silently ignored.
+
+The letters in parentheses denote the flags in ``/stats U``.
+
+**shared {} variables**
+
+oper
+    The user@host the oper must have, and the server they must be on.
+    This may contain wildcards.
+
+flags
+    The list of what to allow, all the oper lines above this (up to
+    another flags entry) will receive these flags. They are listed
+    below.
+
+    .. note:: While they have the same names, the flags have subtly
+              different meanings from those in the cluster{} block.
+
+**shared {} flags**
+
+kline (K)
+    Permanent and temporary ``K:lines``
+
+tkline (k)
+    Temporary ``K:lines``
+
+unkline (U)
+    ``K:line`` removals
+
+xline (X)
+    Permanent and temporary ``X:lines``
+
+txline (x)
+    Temporary ``X:lines``
+
+unxline (Y)
+    ``X:line`` removals
+
+resv (Q)
+    Permanently and temporarily reserved nicks/channels
+
+tresv (q)
+    Temporarily reserved nicks/channels
+
+unresv (R)
+    ``RESV`` removals
+
+all
+    All of the above; this does not include locops, rehash, dline,
+    tdline or undline.
+
+locops (L)
+    ``LOCOPS`` messages (accepting this from \* makes ``LOCOPS`` rather similar
+    to ``OPERWALL`` which is not useful); unlike the other flags, this can
+    only be accepted from \*@\* although it can be restricted based on
+    source server.
+
+rehash (H)
+    ``REHASH`` commands; all options can be used
+
+dline (D)
+    Permanent and temporary ``D:lines``
+
+tdline (d)
+    Temporary ``D:lines``
+
+undline (E)
+    ``D:line`` removals
+
+none
+    Allow nothing to be done
+
+service {} block
+----------------
+
+::
+
+    service {
+    	name = "text";
+    };
+
+The service block specifies privileged servers (services). These servers
+have extra privileges such as setting login names on users and
+introducing clients with umode ``+S`` (unkickable, hide channels, etc). This
+does not allow them to set bans, you need a separate shared{} block for
+that.
+
+Do not place normal servers here.
+
+Multiple names may be specified but there may be only one service{}
+block.
+
+**service {} variables**
+
+name
+    The server name to grant special privileges. This may not contain
+    wildcards.
+
+Hostname resolution (DNS)
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Charybdis uses solely DNS for all hostname/address lookups (no
+``/etc/hosts`` or anything else). The DNS servers are taken from
+``/etc/resolv.conf``. If this file does not exist or no valid IP
+addresses are listed in it, the local host (``127.0.0.1``) is used. (Note
+that the latter part did not work in older versions of Charybdis.)
+
+IPv4 as well as IPv6 DNS servers are supported, but it is not possible
+to use both IPv4 and IPv6 in ``/etc/resolv.conf``.
+
+For both security and performance reasons, it is recommended that a
+caching nameserver such as BIND be run on the same machine as Charybdis
+and that ``/etc/resolv.conf`` only list ``127.0.0.1``.

doc/oper-guide/index.rst

@@ -0,0 +1,29 @@
+.. Charybdis operator guide documentation master file, created by
+   sphinx-quickstart on Sat Mar 25 10:41:29 2017.
+   You can adapt this file completely to your liking, but it should at least
+   contain the root `toctree` directive.
+
+============================================
+Operators guide for the charybdis IRC server
+============================================
+
+Contents:
+
+.. toctree::
+   :maxdepth: 1
+
+   intro
+   umodes
+   cmodes
+   ucommands
+   commands
+   oprivs
+   config
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+

doc/oper-guide/intro.rst

@@ -0,0 +1,17 @@
+Scope of this document
+======================
+
+This document describes the commands and functions available to
+operators in the charybdis ircd, as used on
+`AthemeNet <http://www.atheme.net>`__.
+
+This document, and various ideas for features of charybdis, have been
+taken from dancer-ircd/hyperion, the ircd used on freenode, mainly
+written by Andrew Suffield and Jilles Tjoelker.
+
+While this document may be of some interest to the users of charybdis
+servers, it is intended as a reference for network staff.
+
+Charybdis is based on ircd-ratbox 2.1.4, although much has changed.
+`ircd-ratbox <http://www.ircd-ratbox.org>`__ is commonly used on efnet,
+and some other networks.

doc/oper-guide/make.bat

@@ -0,0 +1,281 @@
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
+set I18NSPHINXOPTS=%SPHINXOPTS% .
+if NOT "%PAPER%" == "" (
+	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+	set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+	:help
+	echo.Please use `make ^<target^>` where ^<target^> is one of
+	echo.  html       to make standalone HTML files
+	echo.  dirhtml    to make HTML files named index.html in directories
+	echo.  singlehtml to make a single large HTML file
+	echo.  pickle     to make pickle files
+	echo.  json       to make JSON files
+	echo.  htmlhelp   to make HTML files and a HTML help project
+	echo.  qthelp     to make HTML files and a qthelp project
+	echo.  devhelp    to make HTML files and a Devhelp project
+	echo.  epub       to make an epub
+	echo.  epub3      to make an epub3
+	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+	echo.  text       to make text files
+	echo.  man        to make manual pages
+	echo.  texinfo    to make Texinfo files
+	echo.  gettext    to make PO message catalogs
+	echo.  changes    to make an overview over all changed/added/deprecated items
+	echo.  xml        to make Docutils-native XML files
+	echo.  pseudoxml  to make pseudoxml-XML files for display purposes
+	echo.  linkcheck  to check all external links for integrity
+	echo.  doctest    to run all doctests embedded in the documentation if enabled
+	echo.  coverage   to run coverage check of the documentation if enabled
+	echo.  dummy      to check syntax errors of document sources
+	goto end
+)
+
+if "%1" == "clean" (
+	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+	del /q /s %BUILDDIR%\*
+	goto end
+)
+
+
+REM Check if sphinx-build is available and fallback to Python version if any
+%SPHINXBUILD% 1>NUL 2>NUL
+if errorlevel 9009 goto sphinx_python
+goto sphinx_ok
+
+:sphinx_python
+
+set SPHINXBUILD=python -m sphinx.__init__
+%SPHINXBUILD% 2> nul
+if errorlevel 9009 (
+	echo.
+	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+	echo.installed, then set the SPHINXBUILD environment variable to point
+	echo.to the full path of the 'sphinx-build' executable. Alternatively you
+	echo.may add the Sphinx directory to PATH.
+	echo.
+	echo.If you don't have Sphinx installed, grab it from
+	echo.http://sphinx-doc.org/
+	exit /b 1
+)
+
+:sphinx_ok
+
+
+if "%1" == "html" (
+	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+	goto end
+)
+
+if "%1" == "dirhtml" (
+	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+	goto end
+)
+
+if "%1" == "singlehtml" (
+	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+	goto end
+)
+
+if "%1" == "pickle" (
+	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the pickle files.
+	goto end
+)
+
+if "%1" == "json" (
+	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the JSON files.
+	goto end
+)
+
+if "%1" == "htmlhelp" (
+	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+	goto end
+)
+
+if "%1" == "qthelp" (
+	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\Charybdisoperatorguide.qhcp
+	echo.To view the help file:
+	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\Charybdisoperatorguide.ghc
+	goto end
+)
+
+if "%1" == "devhelp" (
+	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished.
+	goto end
+)
+
+if "%1" == "epub" (
+	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The epub file is in %BUILDDIR%/epub.
+	goto end
+)
+
+if "%1" == "epub3" (
+	%SPHINXBUILD% -b epub3 %ALLSPHINXOPTS% %BUILDDIR%/epub3
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The epub3 file is in %BUILDDIR%/epub3.
+	goto end
+)
+
+if "%1" == "latex" (
+	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+	goto end
+)
+
+if "%1" == "latexpdf" (
+	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+	cd %BUILDDIR%/latex
+	make all-pdf
+	cd %~dp0
+	echo.
+	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
+	goto end
+)
+
+if "%1" == "latexpdfja" (
+	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+	cd %BUILDDIR%/latex
+	make all-pdf-ja
+	cd %~dp0
+	echo.
+	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
+	goto end
+)
+
+if "%1" == "text" (
+	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The text files are in %BUILDDIR%/text.
+	goto end
+)
+
+if "%1" == "man" (
+	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The manual pages are in %BUILDDIR%/man.
+	goto end
+)
+
+if "%1" == "texinfo" (
+	%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
+	goto end
+)
+
+if "%1" == "gettext" (
+	%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
+	goto end
+)
+
+if "%1" == "changes" (
+	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.The overview file is in %BUILDDIR%/changes.
+	goto end
+)
+
+if "%1" == "linkcheck" (
+	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+	goto end
+)
+
+if "%1" == "doctest" (
+	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+	goto end
+)
+
+if "%1" == "coverage" (
+	%SPHINXBUILD% -b coverage %ALLSPHINXOPTS% %BUILDDIR%/coverage
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Testing of coverage in the sources finished, look at the ^
+results in %BUILDDIR%/coverage/python.txt.
+	goto end
+)
+
+if "%1" == "xml" (
+	%SPHINXBUILD% -b xml %ALLSPHINXOPTS% %BUILDDIR%/xml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The XML files are in %BUILDDIR%/xml.
+	goto end
+)
+
+if "%1" == "pseudoxml" (
+	%SPHINXBUILD% -b pseudoxml %ALLSPHINXOPTS% %BUILDDIR%/pseudoxml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The pseudo-XML files are in %BUILDDIR%/pseudoxml.
+	goto end
+)
+
+if "%1" == "dummy" (
+	%SPHINXBUILD% -b dummy %ALLSPHINXOPTS% %BUILDDIR%/dummy
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. Dummy builder generates no files.
+	goto end
+)
+
+:end

doc/oper-guide/oprivs.rst

@@ -0,0 +1,124 @@
+Oper privileges
+===============
+
+These are specified in privset{}.
+
+oper:admin, server administrator
+--------------------------------
+
+Various privileges intended for server administrators. Among other
+things, this automatically sets umode +a and allows loading modules.
+
+oper:die, die and restart
+-------------------------
+
+This grants permission to use ``DIE`` and ``RESTART``, shutting down or
+restarting the server.
+
+oper:global\_kill, global kill
+------------------------------
+
+Allows using ``KILL`` on users on any server.
+
+oper:hidden, hide from /stats p
+-------------------------------
+
+This privilege currently does nothing, but was designed to hide bots
+from /stats p so users will not message them for help.
+
+oper:hidden\_admin, hidden administrator
+----------------------------------------
+
+This grants everything granted to the oper:admin privilege, except the
+ability to set umode +a. If both oper:admin and oper:hidden\_admin are
+possessed, umode +a can still not be used.
+
+oper:kline, kline and dline
+---------------------------
+
+Allows using ``KLINE`` and ``DLINE``, to ban users by user@host mask or IP
+address.
+
+oper:local\_kill, kill local users
+----------------------------------
+
+This grants permission to use ``KILL`` on users on the same server,
+disconnecting them from the network.
+
+oper:mass\_notice, global notices and wallops
+---------------------------------------------
+
+Allows using server name ($$mask) and hostname ($#mask) masks in ``NOTICE``
+and ``PRIVMSG`` to send a message to all matching users, and allows using
+the ``WALLOPS`` command to send a message to all users with umode +w set.
+
+oper:operwall, send/receive operwall
+------------------------------------
+
+Allows using the ``OPERWALL`` command and umode +z to send and receive
+operwalls.
+
+oper:rehash, rehash
+-------------------
+
+Allows using the ``REHASH`` command, to rehash various configuration files
+or clear certain lists.
+
+oper:remoteban, set remote bans
+-------------------------------
+
+This grants the ability to use the ON argument on ``DLINE``/``KLINE``/``XLINE``/``RESV``
+and ``UNDLINE``/``UNKLINE``/``UNXLINE``/``UNRESV`` to set and unset bans on other
+servers, and the server argument on ``REHASH``. This is only allowed if the
+oper may perform the action locally, and if the remote server has a
+shared{} block.
+
+.. note:: If a cluster{} block is present, bans are sent remotely even
+          if the oper does not have oper:remoteban privilege.
+
+oper:resv, channel control
+--------------------------
+
+This allows using /resv, /unresv and changing the channel modes +L and
++P.
+
+oper:routing, remote routing
+----------------------------
+
+This allows using the third argument of the ``CONNECT`` command, to instruct
+another server to connect somewhere, and using ``SQUIT`` with an argument
+that is not locally connected. (In both cases all opers with +w set will
+be notified.)
+
+oper:spy, use operspy
+---------------------
+
+This allows using ``/mode !#channel``, ``/whois !nick``, ``/who !#channel``,
+``/chantrace !#channel``, ``/topic !#channel``, ``/who !mask``, ``/masktrace
+!user@host :gecos`` and ``/scan umodes +modes-modes global list`` to see
+through secret channels, invisible users, etc.
+
+All operspy usage is broadcasted to opers with snomask ``+Z`` set (on the
+entire network) and optionally logged. If you grant this to anyone, it
+is a good idea to establish concrete policies describing what it is to
+be used for, and what not.
+
+If ``operspy_dont_care_user_info`` is enabled, ``/who mask`` is operspy
+also, and ``/who !mask``, ``/who mask``, ``/masktrace !user@host :gecos`` and ``/scan
+umodes +modes-modes global list`` do not generate ``+Z`` notices or logs.
+
+oper:unkline, unkline and undline
+---------------------------------
+
+Allows using ``UNKLINE`` and ``UNDLINE``.
+
+oper:xline, xline and unxline
+-----------------------------
+
+Allows using ``XLINE`` and ``UNXLINE``, to ban/unban users by realname.
+
+snomask:nick\_changes, see nick changes
+---------------------------------------
+
+Allows using snomask ``+n`` to see local client nick changes. This is
+designed for monitor bots.

doc/oper-guide/ucommands.rst

@@ -0,0 +1,183 @@
+User Commands
+=============
+
+Standard IRC commands are not listed here. Several of the commands in
+the operator commands chapter can also be used by normal users.
+
+ACCEPT
+------
+
+::
+
+   ACCEPT nick, -nick, ...
+
+Adds or removes users from your accept list for umode +g and +R. Users
+are automatically removed when they quit, split or change nick.
+
+::
+
+   ACCEPT *
+
+Lists all users on your accept list.
+
+Support of this command is indicated by the ``CALLERID`` token in
+``RPL_ISUPPORT`` (005); the optional parameter indicates the letter of the
+“only allow accept users to send private messages” umode, otherwise +g.
+In charybdis this is always +g.
+
+CNOTICE
+-------
+
+::
+
+   CNOTICE nick channel :text
+
+Providing you are opped (+o) or voiced (+v) in channel, and nick is a
+member of channel, ``CNOTICE`` generates a ``NOTICE`` towards nick.
+
+``CNOTICE`` bypasses any anti-spam measures in place. If you get “Targets
+changing too fast, message dropped”, you should probably use this
+command, for example sending a notice to every user joining a certain
+channel.
+
+As of charybdis 3.1, ``NOTICE`` automatically behaves as ``CNOTICE`` if you are
+in a channel fulfilling the conditions.
+
+Support of this command is indicated by the ``CNOTICE`` token in
+``RPL_ISUPPORT`` (005).
+
+CPRIVMSG
+--------
+
+::
+
+   CPRIVMSG nick channel :text
+
+Providing you are opped (+o) or voiced (+v) in channel, and nick is a
+member of channel, ``CPRIVMSG`` generates a ``PRIVMSG`` towards nick.
+
+``CPRIVMSG`` bypasses any anti-spam measures in place. If you get “Targets
+changing too fast, message dropped”, you should probably use this
+command.
+
+As of charybdis 3.1, ``PRIVMSG`` automatically behaves as ``CPRIVMSG`` if you
+are in a channel fulfilling the conditions.
+
+Support of this command is indicated by the ``CPRIVMSG`` token in
+``RPL_ISUPPORT`` (005).
+
+FINDFORWARDS
+------------
+
+::
+
+   FINDFORWARDS channel
+
+.. note:: This command is only available if the ``m_findforwards.so``
+          extension is loaded.
+
+Displays which channels forward to the given channel (via cmode +f). If
+there are very many channels the list will be truncated.
+
+You must be a channel operator on the channel or an IRC operator to use
+this command.
+
+HELP
+----
+
+::
+
+   HELP [topic]
+
+Displays help information. topic can be ``INDEX``, ``CREDITS``, ``UMODE``, ``CMODE``,
+``SNOMASK`` or a command name.
+
+There are separate help files for users and opers. Opers can use ``UHELP``
+to query the user help files.
+
+IDENTIFY
+--------
+
+::
+
+   IDENTIFY parameters...
+
+.. note:: This command is only available if the ``m_identify.so``
+          extension is loaded.
+
+Sends an identify command to either NickServ or ChanServ. If the first
+parameter starts with #, the command is sent to ChanServ, otherwise to
+NickServ. The word ``IDENTIFY``, a space and all parameters are concatenated
+and sent as a ``PRIVMSG`` to the service. If the service is not online or
+does not have umode +S set, no message will be sent.
+
+The exact syntax for this command depends on the services package in
+use.
+
+KNOCK
+-----
+
+::
+
+   KNOCK channel
+
+Requests an invite to the given channel. The channel must be locked
+somehow (+ikl), must not be +p and you may not be banned or quieted.
+Also, this command is rate limited.
+
+If successful, all channel operators will receive a 710 numeric. The
+recipient field of this numeric is the channel.
+
+Support of this command is indicated by the ``KNOCK`` token in ``RPL_ISUPPORT``
+(005).
+
+MONITOR
+-------
+
+Server side notify list. This list contains nicks. When a user connects,
+quits with a listed nick or changes to or from a listed nick, you will
+receive a 730 numeric if the nick went online and a 731 numeric if the
+nick went offline.
+
+Support of this command is indicated by the ``MONITOR`` token in
+``RPL_ISUPPORT`` (005); the parameter indicates the maximum number of
+nicknames you may have in your monitor list.
+
+You may only use this command once per second.
+
+More details can be found in ``doc/monitor.txt`` in the source
+distribution.
+
+::
+
+   MONITOR + nick, ...
+
+Adds nicks to your monitor list. You will receive 730 and 731 numerics
+for the nicks.
+
+::
+
+   MONITOR - nick, ...
+
+Removes nicks from your monitor list. No output is generated for this
+command.
+
+::
+
+   MONITOR C
+
+Clears your monitor list. No output is generated for this command.
+
+::
+
+   MONITOR L
+
+Lists all nicks on your monitor list, using 732 numerics and ending with
+a 733 numeric.
+
+::
+
+   MONITOR S
+
+Shows status for all nicks on your monitor list, using 730 and 731
+numerics.

doc/oper-guide/umodes.rst

@@ -0,0 +1,276 @@
+User modes
+==========
+
+``+a``, server administrator
+----------------------------
+
+This vanity usermode is used to denote a server administrator in WHOIS
+output. All local “admin” privileges are independent of it, though
+services packages may grant extra privileges to ``+a`` users.
+
+``+D``, deaf
+------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+          specific to operators.
+
+Users with the ``+D`` umode set will not receive messages sent to channels.
+Joins, parts, topic changes, mode changes, etc are received as normal,
+as are private messages.
+
+Support of this umode is indicated by the ``DEAF`` token in ``RPL_ISUPPORT``
+(005); the parameter indicates the letter of the umode. Note that
+several common IRCD implementations have an umode like this (typically
+``+d``) but do not have the token in 005.
+
+``+g``, Caller ID
+-----------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+    specific to operators.
+
+Users with the ``+g`` umode set will only receive private messages
+from users on a session-defined whitelist, defined by the ``/accept``
+command. If a user who is not on the whitelist attempts to send a
+private message, the target user will receive a rate-limited notice
+saying that the user wishes to speak to them.
+
+Network operators are not affected by the callerid whitelist system in
+the event that they need to speak to users who have it enabled.
+
+Support of this umode is indicated by the ``CALLERID`` token in
+``RPL_ISUPPORT`` (005); the optional parameter indicates the letter of
+the umode, otherwise ``+g``.
+
+``+i``, invisible
+-----------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+          specific to operators.
+
+Invisible users do not show up in ``WHO`` and ``NAMES`` unless you can see them.
+
+``+l``, receive locops
+----------------------
+
+``LOCOPS`` is a version of ``OPERWALL`` that is sent to opers on a single server
+only. With cluster{} and shared{} blocks they can optionally be
+propagated further.
+
+Unlike ``OPERWALL``, any oper can send and receive ``LOCOPS``.
+
+``+o``, operator
+----------------
+
+This indicates global operator status.
+
+``+Q``, disable forwarding
+--------------------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+          specific to operators.
+
+This umode prevents you from being affected by channel forwarding. If
+enabled on a channel, channel forwarding sends you to another channel if
+you could not join. See channel mode ``+f`` for more information.
+
+``+R``, reject messages from unauthenticated users
+--------------------------------------------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+          specific to operators.
+
+If a user has the ``+R`` umode set, then any users who are not authenticated
+will receive an error message if they attempt to send a private message
+or notice to the ``+R`` user.
+
+Opers and accepted users (like in ``+g``) are exempt. Unlike ``+g``, the target
+user is not notified of failed messages.
+
+``+s``, receive server notices
+------------------------------
+
+This umode allows an oper to receive server notices. The requested types
+of server notices are specified as a parameter (“snomask”) to this
+umode.
+
+``+S``, network service
+-----------------------
+
+.. note:: This umode can only be set by servers named in a service{}
+          block.
+
+This umode grants various features useful for services. For example,
+clients with this umode cannot be kicked or deopped on channels, can
+send to any channel, do not show channels in ``WHOIS``, can be the target of
+services aliases and do not appear in ``/stats p``. No server notices are
+sent for hostname changes by services clients; server notices about
+kills are sent to snomask ``+k`` instead of ``+s``.
+
+The exact effects of this umode are variable; no user or oper on an
+actual charybdis server can set it.
+
+``+w``, receive wallops
+-----------------------
+
+.. note:: This is a user umode, which anybody can set. It is not
+          specific to operators.
+
+Users with the ``+w`` umode set will receive ``WALLOPS`` messages sent by opers.
+Opers with ``+w`` additionally receive ``WALLOPS`` sent by servers (e.g. remote
+``CONNECT``, remote ``SQUIT``, various severe misconfigurations, many services
+packages).
+
+``+z``, receive operwall
+------------------------
+
+``OPERWALL`` differs from ``WALLOPS`` in that the ability to receive such
+messages is restricted. Opers with ``+z`` set will receive ``OPERWALL``
+messages.
+
+``+Z``, SSL user
+----------------
+
+This umode is set on clients connected via SSL/TLS. It cannot be set or
+unset after initial connection.
+
+Snomask usage
+=============
+
+Usage is as follows::
+
+  MODE nick +s +/-flags
+
+To set snomasks.
+
+::
+
+   MODE nick -s
+
+To clear all snomasks.
+
+Umode ``+s`` will be set if at least one snomask is set.
+
+Umode ``+s`` is oper only by default, but even if you allow nonopers to set
+it, they will not get any server notices.
+
+Meanings of server notice masks
+===============================
+
+``+b``, bot warnings
+--------------------
+
+Opers with the ``+b`` snomask set will receive warning messages from the
+server when potential flooders and spambots are detected.
+
+``+c``, client connections
+--------------------------
+
+Opers who have the ``+c`` snomask set will receive server notices when
+clients attach to the local server.
+
+``+C``, extended client connection notices
+------------------------------------------
+
+Opers who have the ``+C`` snomask set will receive server notices when
+clients attach to the local server. Unlike the ``+c`` snomask, the
+information is displayed in a format intended to be parsed by scripts,
+and includes the two unused fields of the ``USER`` command.
+
+``+d``, debug
+-------------
+
+The ``+d`` snomask provides opers extra information which may be of interest
+to debuggers. It will also cause the user to receive server notices if
+certain assertions fail inside the server. Its precise meaning is
+variable. Do not depend on the effects of this snomask as they can and
+will change without notice in later revisions.
+
+``+f``, full warning
+--------------------
+
+Opers with the ``+f`` snomask set will receive notices when a user
+connection is denied because a connection limit is exceeded (one of the
+limits in a class{} block, or the total per-server limit settable with
+``/quote set max``).
+
+``+F``, far client connection notices
+-------------------------------------
+
+.. note:: This snomask is only available if the ``sno_farconnect.so``
+          extension is loaded.
+
+Opers with ``+F`` receive server notices when clients connect or disconnect
+on other servers. The notices have the same format as those from the ``+c``
+snomask, except that the class is ? and the source server of the notice
+is the server the user is/was on.
+
+No notices are generated for netsplits and netjoins. Hence, these
+notices cannot be used to keep track of all clients on the network.
+
+There is no far equivalent of the ``+C`` snomask.
+
+``+k``, server kill notices
+---------------------------
+
+Opers with the ``+k`` snomask set will receive server notices when services
+kill users and when other servers kill and save (forced nick change to
+UID) users. Kills and saves by this server are on ``+d`` or ``+s``.
+
+``+n``, nick change notices
+---------------------------
+
+An oper with ``+n`` set will receive a server notice every time a local user
+changes their nick, giving the old and new nicks. This is mostly useful
+for bots that track all users on a single server.
+
+``+r``, notices on name rejections
+----------------------------------
+
+Opers with this snomask set will receive a server notice when somebody
+tries to use an invalid username, or if a dumb HTTP proxy tries to
+connect.
+
+``+s``, generic server notices
+------------------------------
+
+This snomask allows an oper to receive generic server notices. This
+includes kills from opers (except services).
+
+``+u``, unauthorized connections
+--------------------------------
+
+This snomask allows an oper to see when users try to connect who do not
+have an available auth{} block.
+
+``+W``, whois notifications
+---------------------------
+
+.. note:: This snomask is only available if the ``sno_whois.so``
+          extension is loaded.
+
+Opers with ``+W`` receive notices when a ``WHOIS`` is executed on them on their
+server (showing idle time).
+
+``+x``, extra routing notices
+-----------------------------
+
+Opers who have the ``+x`` snomask set will get notices about servers
+connecting and disconnecting on the whole network. This includes all
+servers connected behind the affected link. This can get rather noisy
+but is useful for keeping track of all linked servers.
+
+``+y``, spy
+-----------
+
+Opers with ``+y`` receive notices when users try to join ``RESV``'ed (“juped”)
+channels. Additionally, if certain extension modules are loaded, they
+will receive notices when special commands are used.
+
+``+Z``, operspy notices
+-----------------------
+
+Opers with ``+Z`` receive notices whenever an oper anywhere on the network
+uses operspy.
+
+This snomask can be configured to be only effective for admins.

doc/reference.conf

@@ -61,6 +61,7 @@
  * Realname (gecos) bans (+b $r:mask)                -- extb_realname.so
  * Server bans (+b $s:mask)                          -- extb_server.so
  * SSL bans (+b $z)                                  -- extb_ssl.so
+ * User mode bans (+b $u:modes)                      -- extb_usermode.so
  * HURT system                                       -- hurt.so
  * New host mangling (umode +x)                      -- ip_cloaking_4.0.so
  * Old host mangling (umode +h)                      -- ip_cloaking.so
@@ -91,6 +92,7 @@
 #loadmodule "extensions/extb_realname.so";
 #loadmodule "extensions/extb_server.so";
 #loadmodule "extensions/extb_ssl.so";
+#loadmodule "extensions/extb_usermode.so";
 #loadmodule "extensions/hurt.so";
 #loadmodule "extensions/ip_cloaking_4.0.so";
 #loadmodule "extensions/ip_cloaking.so";
@@ -140,7 +142,7 @@ serverinfo {
 	/* vhost6: the IP to bind to when we connect outward to ipv6 servers.
 	 * This should be an ipv6 IP only.
 	 */
-	#vhost6 = "2001:db7:2::6";
+	#vhost6 = "2001:db8:2::6";
 	
 	/* ssl_private_key: our ssl private key */
 	ssl_private_key = "etc/ssl.key";
@@ -528,9 +530,9 @@ connect "irc.uplink.com" {
 	send_password = "password";
 	accept_password = "anotherpassword";
 
-	/* fingerprint: if specified, the server's client certificate
-	 * fingerprint will be checked against the specified fingerprint
-	 * below.
+	/* fingerprint: if flags = ssl is specified, the server's
+	 * certificate fingerprint will be checked against the fingerprint
+	 * specified below. required if using flags = ssl.
 	 */
 	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
 
@@ -925,6 +927,14 @@ alias "MS" {
 	target = "MemoServ";
 };
 
+/*
+fakechannel "#honeypot" {
+	topic = "Come in";
+	users_min = 50;
+	users_max = 300;
+};
+*/
+
 /* The general block contains many of the options that were once compiled
  * in options in config.h.  The general block is read at start time.
  */
@@ -1179,6 +1189,9 @@ general {
 	 */
 	pace_wait = 10 seconds;
 
+	/* listfake_wait: time until real list command can be used */
+	listfake_wait = 180 seconds;
+
 	/* short motd: send clients a notice telling them to read the motd
 	 * instead of forcing a motd to clients who may simply ignore it.
 	 */
@@ -1314,10 +1327,27 @@ general {
 	away_interval = 30;
 
 	/* certfp_method: the method that should be used for computing certificate fingerprints.
-	 * Acceptable options are sha1, sha256 and sha512.  Networks running versions of charybdis
-	 * prior to charybdis 3.5 MUST use sha1 for certfp_method.
+	 * Acceptable options are sha1, sha256, spki_sha256, sha512 and spki_sha512.  Networks
+	 * running versions of charybdis prior to charybdis 3.5 MUST use sha1 for certfp_method.
+	 *
+	 * The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
+	 * not change unless the private key is changed.  This allows the fingerprint to stay
+	 * constant even if the certificate is reissued.  These fingerprints will be prefixed with
+	 * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.  These fingerprints
+	 * are not supported on servers running charybdis 3.5.3 or earlier.
+	 *
+	 * To generate a fingerprint from a certificate file, run the following:
+	 * $ openssl x509 -outform DER -in your.crt | sha1sum     (or sha256sum, or sha512sum)
+	 *
+	 * To generate a SPKI SHA-256 fingerprint, run the following:
+	 * $ openssl x509 -pubkey -noout -in your.crt | openssl pkey -pubin -outform DER | \
+	 *   sha256sum | sed -r -e 's/^/SPKI:SHA2-256:/'
+	 *
+	 * To generate a SPKI SHA-512 fingerprint, run the following:
+	 * $ openssl x509 -pubkey -noout -in your.crt | openssl pkey -pubin -outform DER | \
+	 *   sha512sum | sed -r -e 's/^/SPKI:SHA2-512:/'
 	 */
-	certfp_method = sha1;
+	certfp_method = sha256;
 };
 
 modules {
@@ -1330,3 +1360,17 @@ modules {
 	/* module: the name of a module to load on startup/rehash */
 	#module = "some_module.so";
 };
+
+/*
+vhost "selfsigned.hades.arpa" {
+	ssl_private_key = "etc/selfssl.key";
+	ssl_cert = "etc/selfssl.pem";
+};
+
+vhost "oldca.hades.arpa" {
+	ssl_private_key = "etc/oldssl.key";
+	ssl_cert = "etc/oldssl2.pem";
+  ssl_dh_params = "etc/olddh.pem";
+  ssl_cipher_list = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
+};
+*/

doc/sgml/oper-guide/charybdis-oper-guide.sgml

@@ -1,60 +0,0 @@
-<!DOCTYPE Book PUBLIC "-//OASIS//DTD DocBook V4.2//EN" [
-<!ENTITY intro SYSTEM "intro.sgml">
-<!ENTITY oprivs SYSTEM "oprivs.sgml">
-<!ENTITY umodes SYSTEM "umodes.sgml">
-<!ENTITY cmodes SYSTEM "cmodes.sgml">
-<!ENTITY ucommands SYSTEM "ucommands.sgml">
-<!ENTITY commands SYSTEM "commands.sgml">
-<!ENTITY config SYSTEM "config.sgml">
-]>
-<book id="charybdis-oper-guide">
-  <bookinfo>
-    <date>2009</date>
-    <title>Operators guide for the charybdis IRC server</title>
-    <author>
-      <firstname>William</firstname>
-      <surname>Pitcock</surname>
-    </author>
-    <author>
-      <firstname>Jilles</firstname>
-      <surname>Tjoelker</surname>
-    </author>
-    <copyright>
-      <year>2005-2009</year>
-      <holder>William Pitcock and Jilles Tjoelker</holder>
-    </copyright>
-    <legalnotice>
-      <para>
-	Permission is granted to copy, distribute and/or modify this document under the terms of the GNU
-	General Public License, Version 2 or any later version published by the Free Software Foundation
-      </para>
-    </legalnotice>
-  </bookinfo>
-  <toc>
-  </toc>
-  &intro;
-  &umodes;
-  &cmodes;
-  &ucommands;
-  &commands;
-  &oprivs;
-  &config;
-</book>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document:nil
-sgml-exposed-tags:nil
-sgml-local-catalogs:("/usr/lib/sgml/catalog")
-sgml-local-ecat-files:nil
-fill-column: 105
-End:
--->

doc/sgml/oper-guide/cmodes.sgml

@@ -1,324 +0,0 @@
-  <chapter id="cmodes">
-    <title>Cmodes</title>
-    <sect1>
-      <title>Meanings of channel modes</title>
-      <sect2>
-	<title>+b, channel ban</title>
-	<para>
-	  Bans take one parameter which can take several forms.
-	  The most common form is +b nick!user@host.
-	  The wildcards * and ? are allowed, matching zero-or-more, and
-	  exactly-one characters respectively. The masks will be trimmed to fit the maximum allowable
-	  length for the relevant element.
-	  Bans are also checked against the IP address, even if it resolved or
-	  is spoofed.
-	  CIDR is supported, like *!*@10.0.0.0/8. This is most useful with
-	  IPv6.
-	  Bans are not checked against the real hostname behind any kind
-	  of spoof, except if host mangling is in use (e.g.
-	  <filename>extensions/ip_cloaking.so</filename>):
-	  if the user's host is mangled, their real hostname is checked
-	  additionally, and if a user has no spoof but could enable mangling,
-	  the mangled form of their hostname is checked additionally.
-	  Hence, it is not possible to evade bans by toggling
-	  host mangling.
-	</para>
-	<para>
-	  The second form (extban) is +b $type or +b $type:data. 
-	  type is a single character (case insensitive) indicating the
-	  type of match, optionally preceded by a tilde (~) to negate the
-	  comparison. data depends on type. Each type is loaded as a module.
-	  The available types (if any)
-	  are listed in the EXTBAN token of the 005 (RPL_ISUPPORT) numeric.
-	  See <filename>doc/extban.txt</filename> in the source distribution
-	  for more information.
-	</para>
-	<para>
-	  If no parameter is given, the list of bans is returned. All users
-	  can use this form. The plus sign should also be omitted.
-	</para>
-	<para>
-	  Matching users will not be allowed to join the channel or knock
-	  on it. If they are already on the channel, they may not send to
-	  it or change their nick.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+c, colour filter</title>
-	<para>
-	  This cmode activates the colour filter for the channel. This filters out bold, underline,
-	  reverse video, beeps, mIRC colour codes, and ANSI escapes. Note that escape sequences will
-	  usually leave cruft sent to the channel, just without the escape characters themselves.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+e, ban exemption</title>
-	<para>
-	  This mode takes one parameter of the same form as bans, which
-	  overrides +b and +q bans for all clients it matches.
-	</para>
-	<para>
-	  This can be useful if it is necessary to ban an entire ISP
-	  due to persistent abuse, but some users from that ISP should
-	  still be allowed in. For example:
-	  /mode #channel +be *!*@*.example.com *!*someuser@host3.example.com
-	</para>
-	<para>
-	  Only channel operators can see +e changes or request the list.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+f, channel forwarding</title>
-	<para>
-	  This mode takes one parameter, the name of a channel (+f #channel). If the channel also has the
-	  +i cmode set, and somebody attempts to join without either being expliticly invited, or having
-	  an invex (+I), then they will instead join the channel named in the mode parameter. The client
-	  will also be sent a 470 numeric giving the original and target channels.
-	</para>
-        <para>
-          Users are similarly forwarded if the +j cmode is set and their attempt to join is throttled,
-	  if +l is set and there are already too many users in the channel
-	  or if +r is set and they are not identified.
-        </para>
-        <para>
-          Forwards may only be set to +F channels, or to channels the setter
-          has ops in.
-        </para>
-	<para>
-	  Without parameter (/mode #channel f or /mode #channel +f) the
-	  forward channel is returned. This form also works off channel.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+F, allow anybody to forward to this</title>
-	<para>
-	  When this mode is set, anybody may set a forward from a channel
-	  they have ops in to this channel. Otherwise they have to have ops
-	  in this channel.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+g, allow anybody to invite</title>
-	<para>
-	  When this mode is set, anybody may use the INVITE command on the channel in question. When it
-	  is unset, only channel operators may use the INVITE command.
-	</para>
-	<para>
-	  When this mode is set together with +i, +j, +l or +r, all channel members can influence who can join.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+i, invite only</title>
-	<para>
-	  When this cmode is set, no client can join the channel unless they have an invex (+I) or are
-	  invited with the INVITE command.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+I, invite exception (invex)</title>
-	<para>
-	  This mode takes one parameter of the same form as bans. Matching
-	  clients do not need to be invited to join the channel when it is invite-only (+i).
-	  Unlike the INVITE command, this does not override +j, +l and +r.
-	</para>
-	<para>
-	  Only channel operators can see +I changes or request the list.
-	</para>
-      </sect2>
-      <sect2>
-        <title>+j, join throttling</title>
-        <para>
-          This mode takes one parameter of the form <replaceable>n</replaceable>:<replaceable>t</replaceable>, where <replaceable>n</replaceable> and <replaceable>t</replaceable> are positive integers. Only <replaceable>n</replaceable> users may join in each period of <replaceable>t</replaceable> seconds.
-        </para>
-	<para>
-	  Invited users can join regardless of +j, but are counted as normal.
-	</para>
-	<para>
-	  Due to propagation delays between servers, more users may be
-	  able to join (by racing for the last slot on each server).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+k, key (channel password)</title>
-	<para>
-	  Taking one parameter, when set, this mode requires a user to supply the key in order to join
-	  the channel: /JOIN #channel key.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+l, channel member limit</title>
-	<para>
-	  Takes one numeric parameter, the number of users which are allowed to be in the channel before
-	  further joins are blocked.
-	  Invited users may join regardless.
-	</para>
-	<para>
-	  Due to propagation delays between servers, more users may be
-	  able to join (by racing for the last slot on each server).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+L, large ban list</title>
-	<para>
-	  Channels with this mode will be allowed larger banlists (by default,
-          500 instead of 50 entries for +b, +q, +e and +I together).
-	  Only network operators with resv privilege may set this mode.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+m, moderated</title>
-	<para>
-	  When a channel is set +m, only users with +o or +v on the channel can send to it.
-	</para>
-	<para>
-	  Users can still knock on the channel or change their nick.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+n, no external messages</title>
-	<para>
-	  When set, this mode prevents users from sending to the channel without being in it themselves.
-	  This is recommended.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+o, channel operator</title>
-	<para>
-	  This mode takes one parameter, a nick, and grants or removes channel
-	  operator privilege to that user. Channel operators have full control
-	  over the channel, having the ability to set all channel modes except
-	  +L and +P, and kick users.
-	  Like voiced users, channel operators can always
-	  send to the channel, overriding +b, +m and +q modes and the
-	  per-channel flood limit.
-	  In most clients channel operators are marked with an '@' sign.
-	</para>
-	<para>
-	  The privilege is lost if the user leaves the channel or server
-	  in any way.
-	</para>
-	<para>
-	  Most networks will run channel registration services (e.g. ChanServ)
-	  which ensure the founder (and users designated by the founder) can
-	  always gain channel operator privileges and provide some features
-	  to manage the channel.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+p, paranoid channel</title>
-	<para>
-	  When set, the KNOCK command cannot be used on the channel
-	  to request an invite, and users will not be shown the
-	  channel in WHOIS replies unless they are on it.
-	  Unlike in traditional IRC, +p and +s can be set together.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+P, permanent channel</title>
-	<para>
-	  Channels with this mode (which is accessible only to network operators with resv privilege) set will not be destroyed
-	  when the last user leaves.
-	</para>
-	<para>
-	  This makes it less likely modes, bans and the topic will be lost and
-	  makes it harder to abuse network splits, but also causes more
-	  unwanted restoring of old modes, bans and topics after long splits.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+q, quiet</title>
-	<para>
-	  This mode behaves exactly like +b (ban), except that the user may still join
-	  the channel. The net effect is that they cannot knock on the channel,
-	  send to the channel or change their nick while on channel.
-	</para>
-      </sect2>
-      <sect2>
-        <title>+Q, block forwarded users</title>
-        <para>
-          Channels with this mode set are not valid targets for forwarding. Any attempt to forward to
-          this channel will be ignored, and the user will be handled as if the attempt was never made (by
-          sending them the relevant error message).
-        </para>
-        <para>
-          This does not affect the ability to set +f.
-        </para>
-      </sect2>
-      <sect2>
-        <title>+r, block unidentified</title>
-        <para>
-          When set, this mode prevents unidentified users from joining.
-	  Invited users can still join.
-        </para>
-      </sect2>
-      <!-- not planned (jilles)
-      <sect2>
-        <title>+R, quiet unidentified</title>
-        <para>
-          When set, this mode prevents unidentified users from sending to the channel, although they can
-          still join.
-        </para>
-	<para>
-	  Please note that this mode is not implemented in Charybdis 1.0.x, and is documented in
-	  expectation for upcoming Charybdis 1.1.
-	</para>
-      </sect2>
-      -->
-      <sect2>
-	<title>+s, secret channel</title>
-	<para>
-	  When set, this mode prevents the channel from appearing in the
-	  output of the LIST, WHO and WHOIS command by users who are not on
-	  it. Also, the server will refuse to answer WHO, NAMES, TOPIC and
-	  LIST queries from users not on the channel.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+t, topic limit</title>
-	<para>
-	  When set, this mode prevents users who are not channel operators
-	  from changing the topic.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+v, voice</title>
-	<para>
-	  This mode takes one parameter, a nick, and grants or removes voice
-	  privilege to that user. Voiced users can always send to the channel,
-	  overriding +b, +m and +q modes and the per-channel flood limit.
-	  In most clients voiced users are marked with a plus sign.
-	</para>
-	<para>
-	  The privilege is lost if the user leaves the channel or server
-	  in any way.
-	</para>
-      </sect2>
-      <sect2>
-        <title>+z, reduced moderation</title>
-        <para>
-          When +z is set, the effects of +m, +b and +q are relaxed. For each message, if that message
-          would normally be blocked by one of these modes, it is instead sent to all channel operators. This is intended for use in moderated debates.
-        </para>
-        <para>
-          Note that +n is unaffected by this. To silence a given user completely,
-	  remove them from the channel.
-        </para>
-      </sect2>
-    </sect1>
-  </chapter>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document:("charybdis-oper-guide.sgml" "book")
-sgml-exposed-tags:nil
-fill-column:105
-End:
--->

doc/sgml/oper-guide/intro.sgml

@@ -1,41 +0,0 @@
-  <chapter id="intro">
-    <title>Introduction</title>
-    <sect1>
-      <title>Scope of this document</title>
-      <para>
-	This document describes the commands and functions available to operators in
-	the charybdis ircd, as used on <ulink url="http://www.atheme.net">AthemeNet</ulink>.
-      </para>
-      <para>
-        This document, and various ideas for features of charybdis, have
-	been taken from dancer-ircd/hyperion, the ircd used on freenode,
-	mainly written by Andrew Suffield and Jilles Tjoelker.
-      </para>
-      <para>
-	While this document may be of some interest to the users of charybdis servers,
-	it is intended as a reference for network staff.
-      </para>
-      <para>
-	Charybdis is based on ircd-ratbox 2.1.4, although much has changed.
-	<ulink url="http://www.ircd-ratbox.org">ircd-ratbox</ulink> is commonly used
-	on efnet, and some other networks.
-      </para>
-    </sect1>
-  </chapter>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document: ("charybdis-oper-guide.sgml" "book")
-sgml-exposed-tags:nil
-fill-column:105
-sgml-validate-command: "nsgmls -e -g -s -u charybdis-oper-guide.sgml"
-End:
--->

doc/sgml/oper-guide/oprivs.sgml

@@ -1,171 +0,0 @@
-  <chapter id="oprivs">
-    <title>Oper privileges</title>
-    <sect1 id="oprivlist">
-      <title>Meanings of oper privileges</title>
-      <para>
-        These are specified in privset{}.
-      </para>
-      <sect2>
-	<title>oper:admin, server administrator</title>
-	<para>
-	  Various privileges intended for server administrators.
-	  Among other things, this automatically sets umode +a and allows
-	  loading modules.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:die, die and restart</title>
-	<para>
-	  This grants permission to use DIE and RESTART, shutting down
-	  or restarting the server.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:global_kill, global kill</title>
-	<para>
-	  Allows using KILL on users on any server.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:hidden, hide from /stats p</title>
-	<para>
-	  This privilege currently does nothing, but was designed
-	  to hide bots from /stats p so users will not message them
-	  for help.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:hidden_admin, hidden administrator</title>
-	<para>
-	  This grants everything granted to the oper:admin privilege,
-	  except the ability to set umode +a. If both oper:admin and oper:hidden_admin
-	  are possessed, umode +a can still not be used.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:kline, kline and dline</title>
-	<para>
-	  Allows using KLINE and DLINE, to ban users by user@host mask
-	  or IP address.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:local_kill, kill local users</title>
-	<para>
-	  This grants permission to use KILL on users on the same server,
-	  disconnecting them from the network.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:mass_notice, global notices and wallops</title>
-	<para>
-	  Allows using server name ($$mask) and hostname ($#mask) masks in
-	  NOTICE and PRIVMSG to send a message to all matching users, and
-	  allows using the WALLOPS command to send a message to all users
-	  with umode +w set.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:operwall, send/receive operwall</title>
-	<para>
-	  Allows using the OPERWALL command and umode +z to send and
-	  receive operwalls.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:rehash, rehash</title>
-	<para>
-	  Allows using the REHASH command, to rehash various configuration
-	  files or clear certain lists.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:remoteban, set remote bans</title>
-	<para>
-	  This grants the ability to use the ON argument on
-	  DLINE/KLINE/XLINE/RESV and UNDLINE/UNKLINE/UNXLINE/UNRESV to set
-	  and unset bans on other servers, and the server argument on REHASH.
-	  This is only allowed if the oper may perform the action locally,
-	  and if the remote server has a shared{} block.
-	</para>
-	<note><para>
-	  If a cluster{} block is present, bans are sent remotely even
-	  if the oper does not have oper:remoteban privilege.
-	</para></note>
-      </sect2>
-      <sect2>
-	<title>oper:resv, channel control</title>
-	<para>
-	  This allows using /resv, /unresv and changing the channel
-	  modes +L and +P.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:routing, remote routing</title>
-	<para>
-	  This allows using the third argument of the CONNECT command, to
-	  instruct another server to connect somewhere, and using SQUIT
-	  with an argument that is not locally connected.
-	  (In both cases all opers with +w set will be notified.)
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:spy, use operspy</title>
-	<para>
-	  This allows using /mode !#channel, /whois !nick, /who !#channel,
-	  /chantrace !#channel, /topic !#channel, /who !mask,
-	  /masktrace !user@host :gecos and /scan umodes +modes-modes global list
-	  to see through secret channels, invisible users, etc.
-	</para>
-	<para>
-	  All operspy usage is broadcasted to opers with snomask +Z set
-	  (on the entire network) and optionally logged.
-	  If you grant this to anyone, it is a good idea to establish 
-	  concrete policies describing what it is to be used for, and
-	  what not.
-	</para>
-	<para>
-	  If operspy_dont_care_user_info is enabled, /who mask is operspy
-	  also, and /who !mask, /who mask, /masktrace !user@host :gecos
-	  and /scan umodes +modes-modes global list do not generate +Z notices
-	  or logs.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:unkline, unkline and undline</title>
-	<para>
-	  Allows using UNKLINE and UNDLINE.
-	</para>
-      </sect2>
-      <sect2>
-	<title>oper:xline, xline and unxline</title>
-	<para>
-	  Allows using XLINE and UNXLINE, to ban/unban users by realname.
-	</para>
-      </sect2>
-      <sect2>
-	<title>snomask:nick_changes, see nick changes</title>
-	<para>
-	  Allows using snomask +n to see local client nick changes.
-	  This is designed for monitor bots.
-	</para>
-      </sect2>
-    </sect1>
-  </chapter>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document: ("charybdis-oper-guide.sgml" "book")
-sgml-exposed-tags:nil
-fill-column: 105
-sgml-validate-command: "nsgmls -e -g -s -u charybdis-oper-guide.sgml"
-End:
--->

doc/sgml/oper-guide/stylesheet.dsl

@@ -1,33 +0,0 @@
-<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
-<!ENTITY docbook-html.dsl PUBLIC "-//Norman Walsh//DOCUMENT DocBook HTML Stylesheet//EN" CDATA DSSSL>
-<!ENTITY docbook-print.dsl PUBLIC "-//Norman Walsh//DOCUMENT DocBook Print Stylesheet//EN" CDATA DSSSL>
-]>
-
-<style-sheet>
-<style-specification id="print" use="print-stylesheet">
-<style-specification-body> 
-
-(define %generate-book-titlepage% #t)
-(define %generate-book-titlepage-on-separate-page% #t)
-(define %generate-book-toc% #t)
-(define %generate-book-toc-on-titlepage% #f)
-
-</style-specification-body>
-</style-specification>
-
-<style-specification id="html" use="html-stylesheet">
-<style-specification-body> 
-
-(define %header-navigation% #t)
-(define %section-autolabel% #t)
-(define %root-filename% "index")
-(define %use-id-as-filename% #t)
-(define %css-decoration% #t)
-(define %example-rules% #t)
-
-</style-specification-body>
-</style-specification>
-
-<external-specification id="print-stylesheet" document="docbook-print.dsl">
-<external-specification id="html-stylesheet"  document="docbook-html.dsl">
-</style-sheet>

doc/sgml/oper-guide/ucommands.sgml

@@ -1,239 +0,0 @@
-  <chapter id="ucommands">
-    <title>User Commands</title>
-    <sect1>
-      <title>User commands</title>
-      <para>
-	Standard IRC commands are not listed here.
-	Several of the commands in the operator commands chapter
-	can also be used by normal users.
-      </para>
-      <sect2>
-	<title>ACCEPT</title>
-	<cmdsynopsis><command>ACCEPT</command>
-	  <arg choice=plain><replaceable>nick</replaceable>,</arg>
-	  <arg choice=plain>-<replaceable>nick</replaceable>,</arg>
-	  <arg choice=plain><replaceable>...</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Adds or removes users from your accept list for umode +g and +R.
-	  Users are automatically removed when they quit, split or change
-	  nick.
-	</para>
-	<cmdsynopsis><command>ACCEPT</command>
-	  <arg choice=plain>*</arg>
-	</cmdsynopsis>
-	<para>
-	  Lists all users on your accept list.
-	</para>
-	<para>
-	  Support of this command is indicated by the CALLERID token in
-	  RPL_ISUPPORT (005); the optional parameter indicates the letter
-	  of the <quote>only allow accept users to send private messages</quote>
-	  umode, otherwise +g. In charybdis this is always +g.
-	</para>
-      </sect2>
-      <sect2>
-	<title>CNOTICE</title>
-	<cmdsynopsis><command>CNOTICE</command>
-	  <arg choice=plain><replaceable>nick</replaceable></arg>
-	  <arg choice=plain><replaceable>channel</replaceable></arg>
-	  <arg choice=plain>:<replaceable>text</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Providing you are opped (+o) or voiced (+v) in
-	  <replaceable>channel</replaceable>, and <replaceable>nick</replaceable>
-	  is a member of <replaceable>channel</replaceable>, CNOTICE generates a NOTICE towards
-	  <replaceable>nick</replaceable>.
-	</para>
-	<para>
-	  CNOTICE bypasses any anti-spam measures in place.
-	  If you get <quote>Targets changing too fast, message dropped</quote>,
-	  you should probably use this command, for example sending a
-	  notice to every user joining a certain channel.
-	</para>
-	<para>
-	  As of charybdis 3.1, NOTICE automatically behaves as CNOTICE
-	  if you are in a channel fulfilling the conditions.
-	</para>
-	<para>
-	  Support of this command is indicated by the CNOTICE token in
-	  RPL_ISUPPORT (005).
-	</para>
-      </sect2>
-      <sect2>
-	<title>CPRIVMSG</title>
-	<cmdsynopsis><command>CPRIVMSG</command>
-	  <arg choice=plain><replaceable>nick</replaceable></arg>
-	  <arg choice=plain><replaceable>channel</replaceable></arg>
-	  <arg choice=plain>:<replaceable>text</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Providing you are opped (+o) or voiced (+v) in
-	  <replaceable>channel</replaceable>, and <replaceable>nick</replaceable>
-	  is a member of <replaceable>channel</replaceable>, CPRIVMSG generates a PRIVMSG towards
-	  <replaceable>nick</replaceable>.
-	</para>
-	<para>
-	  CPRIVMSG bypasses any anti-spam measures in place.
-	  If you get <quote>Targets changing too fast, message dropped</quote>,
-	  you should probably use this command.
-	</para>
-	<para>
-	  As of charybdis 3.1, PRIVMSG automatically behaves as CPRIVMSG
-	  if you are in a channel fulfilling the conditions.
-	</para>
-	<para>
-	  Support of this command is indicated by the CPRIVMSG token in
-	  RPL_ISUPPORT (005).
-	</para>
-      </sect2>
-      <sect2>
-	<title>FINDFORWARDS</title>
-	<cmdsynopsis><command>FINDFORWARDS</command>
-	  <arg choice=plain><replaceable>channel</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  <note>
-	    <para>
-	      This command is only available if the <filename>m_findforwards.so</filename> extension is loaded.
-	    </para>
-	  </note>
-	  Displays which channels forward to the given channel (via cmode +f).
-	  If there are very many channels the list will be truncated.
-	</para>
-	<para>
-	  You must be a channel operator on the channel or an IRC operator
-	  to use this command.
-	</para>
-      </sect2>
-      <sect2>
-	<title>HELP</title>
-	<cmdsynopsis><command>HELP</command>
-	  <arg><replaceable>topic</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Displays help information. <replaceable>topic</replaceable> can
-	  be INDEX, CREDITS, UMODE, CMODE, SNOMASK or a command name.
-	</para>
-	<para>
-	  There are separate help files for users and opers. Opers can use
-	  UHELP to query the user help files.
-	</para>
-      </sect2>
-      <sect2>
-	<title>IDENTIFY</title>
-	<cmdsynopsis><command>IDENTIFY</command>
-	  <arg choice=plain><replaceable>parameters...</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  <note>
-	    <para>
-	      This command is only available if the <filename>m_identify.so</filename> extension is loaded.
-	    </para>
-	  </note>
-	  Sends an identify command to either NickServ or ChanServ.
-	  If the first parameter starts with #, the command is sent to
-	  ChanServ, otherwise to NickServ.
-	  The word IDENTIFY, a space and all parameters are concatenated
-	  and sent as a PRIVMSG to the service.
-	  If the service is not online or does not have umode +S set, 
-	  no message will be sent.
-	</para>
-	<para>
-	  The exact syntax for this command depends on the services package
-	  in use.
-	</para>
-      </sect2>
-      <sect2>
-	<title>KNOCK</title>
-	<cmdsynopsis><command>KNOCK</command>
-	  <arg choice=plain><replaceable>channel</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Requests an invite to the given channel. The channel must be
-	  locked somehow (+ikl), must not be +p and you may not be banned
-	  or quieted. Also, this command is rate limited.
-	</para>
-	<para>
-	  If successful, all channel operators will receive a 710 numeric.
-	  The recipient field of this numeric is the channel.
-	</para>
-	<para>
-	  Support of this command is indicated by the KNOCK token in
-	  RPL_ISUPPORT (005).
-	</para>
-      </sect2>
-      <sect2>
-	<title>MONITOR</title>
-	<para>
-	  Server side notify list. This list contains nicks. When a user
-	  connects, quits with a listed nick or changes to or from a listed
-	  nick, you will receive a 730 numeric if the nick went online and
-	  a 731 numeric if the nick went offline.
-	</para>
-	<para>
-	  Support of this command is indicated by the MONITOR token in
-	  RPL_ISUPPORT (005); the parameter indicates the maximum number
-	  of nicknames you may have in your monitor list.
-	</para>
-	<para>
-	  You may only use this command once per second.
-	</para>
-	<para>
-	  More details can be found in <filename>doc/monitor.txt</filename>
-	  in the source distribution.
-	</para>
-	<cmdsynopsis><command>MONITOR +</command>
-	  <arg choice=plain><replaceable>nick</replaceable>,</arg>
-	  <arg choice=plain><replaceable>...</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Adds nicks to your monitor list. You will receive 730 and 731
-	  numerics for the nicks.
-	</para>
-	<cmdsynopsis><command>MONITOR -</command>
-	  <arg choice=plain><replaceable>nick</replaceable>,</arg>
-	  <arg choice=plain><replaceable>...</replaceable></arg>
-	</cmdsynopsis>
-	<para>
-	  Removes nicks from your monitor list. No output is generated for
-	  this command.
-	</para>
-	<cmdsynopsis><command>MONITOR C</command>
-	</cmdsynopsis>
-	<para>
-	  Clears your monitor list. No output is generated for
-	  this command.
-	</para>
-	<cmdsynopsis><command>MONITOR L</command>
-	</cmdsynopsis>
-	<para>
-	  Lists all nicks on your monitor list, using 732 numerics and
-	  ending with a 733 numeric.
-	</para>
-	<cmdsynopsis><command>MONITOR S</command>
-	</cmdsynopsis>
-	<para>
-	  Shows status for all nicks on your monitor list, using 730 and 731
-	  numerics.
-	</para>
-      </sect2>
-    </sect1>
-  </chapter>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document: ("charybdis-oper-guide.sgml" "book")
-sgml-exposed-tags:nil
-sgml-local-ecat-files:nil
-fill-column:105
-End:
--->

doc/sgml/oper-guide/umodes.sgml

@@ -1,377 +0,0 @@
-  <chapter id="umodes">
-    <title>Umodes</title>
-    <sect1 id="umodelist">
-      <title>Meanings of user modes</title>
-      <sect2>
-	<title>+a, server administrator</title>
-	<para>
-	  This vanity usermode is used to denote a server administrator in WHOIS output.
-	  All local <quote>admin</quote> privileges are independent of it, though services
-	  packages may grant extra privileges to +a users.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+D, deaf</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  Users with the +D umode set will not receive messages sent to
-	  channels. Joins, parts, topic changes, mode changes, etc are
-	  received as normal, as are private messages.
-	</para>
-	<para>
-	  Support of this umode is indicated by the DEAF token in
-	  RPL_ISUPPORT (005); the parameter indicates the letter
-	  of the umode. Note that several common IRCD implementations have
-	  an umode like this (typically +d) but do not have the token in 005.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+g, Caller ID</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  Users with the +g umode set will only receive private messages from users on a
-	  session-defined whitelist, defined by the /accept command. If a user who is not
-	  on the whitelist attempts to send a private message, the target user will receive a rate-limited notice saying that the user
-	  wishes to speak to them.
-	</para>
-	<para>
-	  Network operators are not affected by the callerid whitelist system in the event
-	  that they need to speak to users who have it enabled.
-	</para>
-	<para>
-	  Support of this umode is indicated by the CALLERID token in
-	  RPL_ISUPPORT (005); the optional parameter indicates the letter
-	  of the umode, otherwise +g.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+i, invisible</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  Invisible users do not show up in WHO and NAMES unless you can see them.
-	</para>
-      </sect2>
-      <!-- not planned (jilles)
-      <sect2>
-	<title>+I, refuse invite</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  If you have the +I umode set, nobody will be able to issue an INVITE to let you
-	  in to a channel.
-	</para>
-	<para>
-	  This mode is not yet implemented. It will be implemented in Charybdis 1.1.
-	</para>
-      </sect2>
-      -->
-      <sect2>
-	<title>+l, receive locops</title>
-	<para>
-	  LOCOPS is a version of OPERWALL that is sent to opers on a single
-	  server only. With cluster{} and shared{} blocks they can optionally
-	  be propagated further.
-	</para>
-	<para>
-	  Unlike OPERWALL, any oper can send and receive LOCOPS.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+o, operator</title>
-	<para>
-	  This indicates global operator status.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+Q, disable forwarding</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-          This umode prevents you from being affected by channel forwarding.
-	  If enabled on a channel, channel forwarding sends you to another
-	  channel if you could not join. See channel mode +f for more
-	  information.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+R, reject messages from unauthenticated users</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  If a user has the +R umode set, then any users who are not authenticated
-	  will receive an error message if they attempt to send a private
-	  message or notice to the +R user.
-	</para>
-	<para>
-	  Opers and accepted users (like in +g) are exempt.
-	  Unlike +g, the target user is not notified of failed messages.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+s, receive server notices</title>
-	<para>
-	  This umode allows an oper to receive server notices.
-	  The requested types of server notices are specified as a
-	  parameter (<quote>snomask</quote>) to this umode.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+S, network service</title>
-	<para>
-	  <note>
-	    <para>
-	      This umode can only be set by servers named in a service{}
-	      block.
-	    </para>
-	  </note>
-	  This umode grants various features useful for services. For example,
-	  clients with this umode cannot be kicked or deopped on channels,
-	  can send to any channel, do not show channels in WHOIS,
-	  can be the target of services aliases and do not appear in /stats p.
-	  No server notices are sent for hostname changes by services clients;
-	  server notices about kills are sent to snomask +k instead of +s.
-	</para>
-	<para>
-	  The exact effects of this umode are variable; no user or oper on
-	  an actual charybdis server can set it.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+w, receive wallops</title>
-	<para>
-	  <note>
-	    <para>
-	      This is a user umode, which anybody can set. It is not specific to operators.
-	    </para>
-	  </note>
-	  Users with the +w umode set will receive WALLOPS messages sent by opers.
-	  Opers with +w additionally receive WALLOPS sent by servers (e.g.
-	  remote CONNECT, remote SQUIT, various severe misconfigurations,
-	  many services packages).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+z, receive operwall</title>
-	<para>
-	  OPERWALL differs from WALLOPS in that the ability to receive such messages is
-	  restricted. Opers with +z set will receive OPERWALL messages.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+Z, SSL user</title>
-	<para>
-	  This umode is set on clients connected via SSL/TLS.
-	  It cannot be set or unset after initial connection.
-	</para>
-      </sect2>
-    </sect1>
-    <sect1 id="snomaskusage">
-      <title>Snomask usage</title>
-      <para>
-	Usage is as follows:
-      </para>
-      <cmdsynopsis><command>MODE</command> 
-	<arg choice=plain><replaceable>nick</replaceable></arg> 
-	<arg choice=plain>+s</arg>
-	<arg choice=plain><replaceable>+/-flags</replaceable></arg>
-      </cmdsynopsis>
-      <para>
-	To set snomasks.
-      </para>
-      <cmdsynopsis><command>MODE</command> 
-	<arg choice=plain><replaceable>nick</replaceable></arg> 
-	<arg choice=plain>-s</arg>
-      </cmdsynopsis>
-      <para>
-	To clear all snomasks.
-      </para>
-      <para>
-	Umode +s will be set if at least one snomask is set.
-      </para>
-      <para>
-	Umode +s is oper only by default, but even if you allow nonopers to
-	set it, they will not get any server notices.
-      </para>
-    </sect1>
-    <sect1 id="snomasklist">
-      <title>Meanings of server notice masks</title>
-      <sect2>
-	<title>+b, bot warnings</title>
-	<para>
-	  Opers with the +b snomask set will receive warning messages from the server when potential
-	  flooders and spambots are detected.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+c, client connections</title>
-	<para>
-	  Opers who have the +c snomask set will receive server notices when clients attach to the
-	  local server.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+C, extended client connection notices</title>
-	<para>
-	  Opers who have the +C snomask set will receive server notices when clients attach to the
-	  local server. Unlike the +c snomask, the information is displayed in a format intended
-	  to be parsed by scripts, and includes the two unused fields of the USER command.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+d, debug</title>
-	<para>
-	  The +d snomask provides opers extra information which may be of interest to debuggers.
-	  It will also cause the user to receive server notices if certain assertions fail inside the
-	  server. Its precise meaning is variable. Do not depend on the
-	  effects of this snomask as they can and will change without notice in later revisions.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+f, full warning</title>
-	<para>
-	  Opers with the +f snomask set will receive notices when a user
-	  connection is denied because a connection limit is exceeded
-	  (one of the limits in a class{} block, or the total per-server
-	  limit settable with /quote set max).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+F, far client connection notices</title>
-	<para>
-	  <note>
-	    <para>
-	      This snomask is only available if the <filename>sno_farconnect.so</filename> extension is loaded.
-	    </para>
-	  </note>
-	  Opers with +F receive server notices when clients connect or
-	  disconnect on other servers. The notices have the same format
-	  as those from the +c snomask, except that the class is ? and
-	  the source server of the notice is the server the user is/was on.
-	</para>
-	<para>
-	  No notices are generated for netsplits and netjoins.
-	  Hence, these notices cannot be used to keep track of all
-	  clients on the network.
-	</para>
-	<para>
-	  There is no far equivalent of the +C snomask.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+k, server kill notices</title>
-	<para>
-	  Opers with the +k snomask set will receive server notices when
-	  services kill users and when
-	  other servers kill and save (forced nick change to UID) users.
-	  Kills and saves by this server are on +d or +s.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+n, nick change notices</title>
-	<para>
-	  An oper with +n set will receive a server notice every time a local user changes their nick,
-	  giving the old and new nicks.
-	  This is mostly useful for bots that track all users on a single server.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+r, notices on name rejections</title>
-	<para>
-	  Opers with this snomask set will receive a server notice when somebody tries to use an
-	  invalid username, or if a dumb HTTP proxy tries to connect.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+s, generic server notices</title>
-	<para>
-	  This snomask allows an oper to receive generic server notices.
-	  This includes kills from opers (except services).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+u, unauthorized connections</title>
-	<para>
-	  This snomask allows an oper to see when users try to connect who do not have an
-	  available auth{} block.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+W, whois notifications</title>
-	<para>
-	  <note>
-	    <para>
-	      This snomask is only available if the <filename>sno_whois.so</filename> extension is loaded.
-	    </para>
-	  </note>
-	  Opers with +W receive notices when a WHOIS is executed on them
-	  on their server (showing idle time).
-	</para>
-      </sect2>
-      <sect2>
-	<title>+x, extra routing notices</title>
-	<para>
-	  Opers who have the +x snomask set will get notices about servers
-	  connecting and disconnecting on the whole network. This includes
-	  all servers connected behind the affected link. This can get
-	  rather noisy but is useful for keeping track of all linked
-	  servers.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+y, spy</title>
-	<para>
-	  Opers with +y receive notices when users try to join RESV'ed (<quote>juped</quote>) channels. 
-	  Additionally, if certain extension modules are loaded, they will
-	  receive notices when special commands are used.
-	</para>
-      </sect2>
-      <sect2>
-	<title>+Z, operspy notices</title>
-	<para>
-	  Opers with +Z receive notices whenever an oper anywhere on the
-	  network uses operspy.
-	</para>
-	<para>
-	  This snomask can be configured to be only effective for admins.
-	</para>
-      </sect2>
-    </sect1>
-  </chapter>
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-omittag:t
-sgml-shorttag:t
-sgml-namecase-general:t
-sgml-general-insert-case:lower
-sgml-minimize-attributes:nil
-sgml-always-quote-attributes:t
-sgml-indent-step:2
-sgml-indent-data:t
-sgml-parent-document: ("charybdis-oper-guide.sgml" "book")
-sgml-exposed-tags:nil
-fill-column: 105
-sgml-validate-command: "nsgmls -e -g -s -u charybdis-oper-guide.sgml"
-End:
--->

doc/technical/ts6-protocol.txt

@@ -766,6 +766,16 @@ Part of a SASL authentication exchange. The mode is 'C' to send some data
 termination: 'A' for abort, 'F' for authentication failure, 'S' for
 authentication success).
 
+3.
+encap target: *
+source: server
+parameters: source uid, '*', 'H', hostname, ip, tls
+
+Provides information on a client. The "tls" data is either 'P' for a
+plaintext connection or any other string for a TLS connection.
+The source uid is that of an unregistered client. This is why it is not sent
+as the prefix.
+
 SAVE
 capab: SAVE
 source: server

extensions/extb_channel.c

@@ -1,5 +1,5 @@
 /*
- * Channel extban type: matches users who are in a certain public channel
+ * Channel extban type: matches users who are in a certain channel
  * -- jilles
  *
  * $Id: extb_channel.c 1723 2006-07-06 15:23:58Z jilles $
@@ -47,8 +47,5 @@ static int eb_channel(const char *data, struct Client *client_p,
 	/* require consistent target */
 	if (chptr->chname[0] == '#' && data[0] == '&')
 		return EXTBAN_INVALID;
-	/* privacy! don't allow +s/+p channels to influence another channel */
-	if (!PubChannel(chptr2) && chptr2 != chptr)
-		return EXTBAN_INVALID;
 	return IsMember(client_p, chptr2) ? EXTBAN_MATCH : EXTBAN_NOMATCH;
 }

extensions/extb_ssl.c

@@ -1,5 +1,9 @@
 /* SSL extban type: matches ssl users */
 
+/* This file is available under the same conditions as the rest of
+   https://github.com/asterIRC/ircd-chatd, and by extension, the rest
+   of Charybdis. */
+
 #include "stdinc.h"
 #include "modules.h"
 #include "client.h"
@@ -9,7 +13,7 @@ static int _modinit(void);
 static void _moddeinit(void);
 static int eb_ssl(const char *data, struct Client *client_p, struct Channel *chptr, long mode_type);
 
-DECLARE_MODULE_AV1(extb_ssl, _modinit, _moddeinit, NULL, NULL, NULL, "$Revision$");
+DECLARE_MODULE_AV1(extb_ssl, _modinit, _moddeinit, NULL, NULL, NULL, "1.05");
 
 static int
 _modinit(void)
@@ -31,7 +35,18 @@ static int eb_ssl(const char *data, struct Client *client_p,
 
 	(void)chptr;
 	(void)mode_type;
+
+	if (! IsSSLClient(client_p))
+		return EXTBAN_NOMATCH;
+
 	if (data != NULL)
-		return EXTBAN_INVALID;
-	return IsSSLClient(client_p) ? EXTBAN_MATCH : EXTBAN_NOMATCH;
+	{
+		if (EmptyString(client_p->certfp))
+			return EXTBAN_NOMATCH;
+
+		if (irccmp(data, client_p->certfp) != 0)
+			return EXTBAN_NOMATCH;
+	}
+
+	return EXTBAN_MATCH;
 }

extensions/extb_usermode.c

@@ -24,7 +24,7 @@ DECLARE_MODULE_AV1(extb_usermode, _modinit, _moddeinit, NULL, NULL, NULL, "$Revi
 static int
 _modinit(void)
 {
-	extban_table['m'] = eb_usermode;
+	extban_table['u'] = eb_usermode;
 
 	return 0;
 }
@@ -32,7 +32,7 @@ _modinit(void)
 static void
 _moddeinit(void)
 {
-	extban_table['m'] = NULL;
+	extban_table['u'] = NULL;
 }
 
 static int eb_usermode(const char *data, struct Client *client_p,

extensions/hurt.c

@@ -193,9 +193,17 @@ mo_hurt(struct Client *client_p, struct Client *source_p,
 	}
 
 	if (parc == 3)
-		expire = NULL, ip = parv[1], reason = parv[2];
+	{
+		expire = NULL;
+		ip = parv[1];
+		reason = parv[2];
+	}
 	else
-		expire = parv[1], ip = parv[2], reason = parv[3];
+	{
+		expire = parv[1];
+		ip = parv[2];
+		reason = parv[3];
+	}
 
 	if (!expire)
 		expire_time = HURT_DEFAULT_EXPIRE;

extensions/m_mkpasswd.c

@@ -189,36 +189,31 @@ char *
 generate_poor_salt(char *salt, int length)
 {
 	int i;
+
 	srand(time(NULL));
 	for(i = 0; i < length; i++)
-	{
 		salt[i] = saltChars[rand() % 64];
-	}
+
 	return (salt);
 }
 
 char *
 generate_random_salt(char *salt, int length)
 {
-	char *buf;
 	int fd, i;
-	if((fd = open("/dev/random", O_RDONLY)) < 0)
-	{
+
+	if((fd = open("/dev/urandom", O_RDONLY)) < 0)
 		return (generate_poor_salt(salt, length));
-	}
-	buf = calloc(1, length);
-	if(read(fd, buf, length) != length)
+
+	if(read(fd, salt, (size_t)length) != length)
 	{
-		free(buf);
 		close(fd);
 		return (generate_poor_salt(salt, length));
 	}
 
 	for(i = 0; i < length; i++)
-	{
-		salt[i] = saltChars[abs(buf[i]) % 64];
-	}
-	free(buf);
+		salt[i] = saltChars[abs(salt[i]) % 64];
+
 	close(fd);
 	return (salt);
 }

extensions/m_sendbans.c

@@ -73,7 +73,10 @@ static const char *expand_xline(const char *mask)
 	while (*p != '\0')
 	{
 		if (*p == ' ')
-			*q++ = '\\', *q++ = 's';
+		{
+			*q++ = '\\';
+			*q++ = 's';
+		}
 		else
 			*q++ = *p;
 		p++;

extensions/m_webirc.c

@@ -79,14 +79,6 @@ mr_webirc(struct Client *client_p, struct Client *source_p, int parc, const char
 	const char *encr;
 	struct rb_sockaddr_storage addr;
 
-	if ((!strchr(parv[4], '.') && !strchr(parv[4], ':')) ||
-			strlen(parv[4]) + (*parv[4] == ':') >=
-			sizeof(source_p->sockhost))
-	{
-		sendto_one(source_p, "NOTICE * :Invalid IP");
-		return 0;
-	}
-
 	aconf = find_address_conf(client_p->host, client_p->sockhost,
 				IsGotId(client_p) ? client_p->username : "webirc",
 				IsGotId(client_p) ? client_p->username : "webirc",
@@ -125,23 +117,15 @@ mr_webirc(struct Client *client_p, struct Client *source_p, int parc, const char
 		return 0;
 	}
 
-	if (*parv[4] == ':')
-	{
-		source_p->sockhost[0] = '0';
-		rb_strlcpy(source_p->sockhost + 1, parv[4],
-				sizeof(source_p->sockhost) - 1);
-	}
-	else
-		rb_strlcpy(source_p->sockhost, parv[4],
-				sizeof(source_p->sockhost));
+	source_p->localClient->ip = addr;
+
+	rb_inet_ntop_sock((struct sockaddr *)&source_p->localClient->ip, source_p->sockhost, sizeof(source_p->sockhost));
 
 	if(strlen(parv[3]) <= HOSTLEN)
 		rb_strlcpy(source_p->host, parv[3], sizeof(source_p->host));
 	else
 		rb_strlcpy(source_p->host, source_p->sockhost, sizeof(source_p->host));
 
-	source_p->localClient->ip = addr;
-
 	/* Check dlines now, klines will be checked on registration */
 	if((aconf = find_dline((struct sockaddr *)&source_p->localClient->ip,
 			       source_p->localClient->ip.ss_family)))

help/opers/extban

@@ -18,11 +18,7 @@ Unless noted below, all types can be used with +b, +q, +e and +I.
      $a     - Matches all logged in users
   $a:<mask> - Matches users logged in with a username matching the mask
               (* and ? wildcards)
-  $c:<chan> - Matches users who are on the given channel; this is only
-              valid if the channel exists and is not +s or +p. (The ops
-              of the channel the ban is on cannot necessarily see whether
-              the user is in the target channel, so it should not
-              influence whether they can join either.)
+  $c:<chan> - Matches users who are on the given channel
      $o     - Matches opers (most useful with +I)
   $r:<mask> - Matches users with a realname (gecos) matching the mask
               (* and ? wildcards); this can only be used with +b and +q
@@ -32,4 +28,5 @@ Unless noted below, all types can be used with +b, +q, +e and +I.
               channel
   $x:<mask> - Bans all users with matching nick!user@host#gecos
      $z     - Matches all SSL users
+  $z:<data> - Matches all SSL users with a fingerprint matching the data
 

help/opers/rehash

@@ -11,6 +11,7 @@ ircd.conf file.
   NICKDELAY - Clears delayed nicks
   OMOTD    - Re-reads Oper MOTD file
   REJECTCACHE - Clears the reject cache
+  SSLD     - Restarts the ssld processes
   TDLINES  - Clears temporary D Lines
   THROTTLES - Clears throttled IP addresses
   TKLINES  - Clears temporary K Lines

help/opers/stats

@@ -32,6 +32,7 @@ X f - Shows File Descriptors
 * q - Shows temporary and global resv'd nicks and channels
 * Q - Shows resv'd nicks and channels
 * r - Shows resource usage by ircd
+X S - Shows ssld processes
 * t - Shows generic server stats
 * U - Shows shared blocks (Old U: lines)
   u - Shows server uptime

include/client.h

@@ -302,6 +302,8 @@ struct PreClient
 	struct Blacklist *dnsbl_listed; /* first dnsbl where it's listed */
 
 	struct rb_sockaddr_storage lip; /* address of our side of the connection */
+
+	char id[IDLEN]; /* UID/SID, unique on the network (unverified) */
 };
 
 struct ListClient
@@ -581,7 +583,6 @@ extern int is_remote_connect(struct Client *);
 extern void init_client(void);
 extern struct Client *make_client(struct Client *from);
 extern void free_pre_client(struct Client *client);
-extern void free_client(struct Client *client);
 
 extern int exit_client(struct Client *, struct Client *, struct Client *, const char *);
 

include/hook.h

@@ -25,6 +25,7 @@ extern int h_burst_finished;
 extern int h_server_introduced;
 extern int h_server_eob;
 extern int h_client_exit;
+extern int h_after_client_exit;
 extern int h_umode_changed;
 extern int h_new_local_user;
 extern int h_new_remote_user;

include/ircd.h

@@ -102,10 +102,11 @@ extern int testing_conf;
 
 extern struct ev_entry *check_splitmode_ev;
 
-extern int ssl_ok;
-extern int zlib_ok;
+extern int ircd_ssl_ok;
+extern int ircd_zlib_ok;
 extern int maxconnections;
 
-void ircd_shutdown(const char *reason);
+extern void rehash_ulimit();
+void ircd_shutdown(const char *reason) __attribute__((noreturn));
 
 #endif

include/ircd_getopt.h

@@ -39,7 +39,6 @@ struct lgetopt
 
 extern struct lgetopt myopts[];
 
-void usage(char *);
 void parseargs(int *, char ***, struct lgetopt *);
 
 #endif /* __GETOPT_H_INCLUDED__ */

include/parse.h

@@ -41,5 +41,6 @@ extern void mod_del_cmd(struct Message *msg);
 extern void report_messages(struct Client *);
 
 extern struct Dictionary *alias_dict;
+extern struct Dictionary *fakechannel_dict;
 
 #endif /* INCLUDED_parse_h_h */

include/restart.h

@@ -27,7 +27,7 @@
 #ifndef INCLUDED_restart_h
 #define INCLUDED_restart_h
 
-void restart(const char *);
-void server_reboot(void);
+void restart(const char *) __attribute__((noreturn));
+void server_reboot(void) __attribute__((noreturn));
 
 #endif

include/s_conf.h

@@ -191,6 +191,7 @@ struct config_file_entry
 	int operspy_admin_only;
 	int pace_wait;
 	int pace_wait_simple;
+	int listfake_wait;
 	int short_motd;
 	int no_oper_flood;
 	int hide_server;
@@ -309,6 +310,16 @@ struct alias_entry
 	int hits;
 };
 
+struct fakechannel_entry
+{
+	char *name;
+	char *topic;
+
+	int users_min;
+	int users_max;
+};
+
+
 /* All variables are GLOBAL */
 extern int specific_ipv4_vhost;	/* used in s_bsd.c */
 extern int specific_ipv6_vhost;

include/s_newconf.h

@@ -53,6 +53,7 @@ extern rb_dlink_list xline_conf_list;
 extern rb_dlink_list resv_conf_list;
 extern rb_dlink_list nd_list;
 extern rb_dlink_list tgchange_list;
+extern rb_dlink_list vhost_conf_list;
 
 extern struct _rb_patricia_tree_t *tgchange_tree;
 
@@ -245,5 +246,16 @@ extern void add_nd_entry(const char *name);
 extern void free_nd_entry(struct nd_entry *);
 extern unsigned long get_nd_count(void);
 
-#endif
+struct vhost_conf
+{
+	char *hostname;
+	char *ssl_private_key;
+	char *ssl_cert;
+	char *ssl_dh_params;
+	char *ssl_cipher_list;
+	rb_dlink_node node;
+};
+extern struct vhost_conf *make_vhost_conf(void);
+extern void free_vhost_conf(struct vhost_conf *);
 
+#endif

include/s_user.h

@@ -28,6 +28,7 @@
 #define INCLUDED_s_user_h
 
 #include "config.h"
+#include "ircd_defs.h"
 
 struct Client;
 struct User;
@@ -47,7 +48,8 @@ extern int introduce_client(struct Client *client_p, struct Client *source_p,
 			    struct User *user, const char *nick, int use_euid);
 
 extern void change_nick_user_host(struct Client *target_p, const char *nick, const char *user,
-				  const char *host, int newts, const char *format, ...);
+				  const char *host, int newts, const char *format, ...)
+				  AFP(6, 7);
 
 extern int user_modes[256];
 extern unsigned int find_umode_slot(void);

include/sslproc.h

@@ -27,14 +27,22 @@
 struct _ssl_ctl;
 typedef struct _ssl_ctl ssl_ctl_t;
 
+enum ssld_status {
+	SSLD_ACTIVE,
+	SSLD_SHUTDOWN,
+	SSLD_DEAD,
+};
+
 void init_ssld(void);
+void restart_ssld(void);
 int start_ssldaemon(int count, const char *ssl_cert, const char *ssl_private_key, const char *ssl_dh_params, const char *ssl_cipher_list);
 ssl_ctl_t *start_ssld_accept(rb_fde_t *sslF, rb_fde_t *plainF, uint32_t id);
 ssl_ctl_t *start_ssld_connect(rb_fde_t *sslF, rb_fde_t *plainF, uint32_t id);
 void start_zlib_session(void *data);
-void send_new_ssl_certs(const char *ssl_cert, const char *ssl_private_key, const char *ssl_dh_params, const char *ssl_cipher_list);
+void send_new_ssl_certs(const char *ssl_cert, const char *ssl_private_key, const char *ssl_dh_params, const char *ssl_cipher_list, const int method, const char *hostname);
+void send_remove_ssl_vhost(const char *hostname);
 void ssld_decrement_clicount(ssl_ctl_t *ctl);
 int get_ssld_count(void);
+void ssld_foreach_info(void (*func)(void *data, pid_t pid, int cli_count, enum ssld_status status), void *data);
 
 #endif
-

libratbox/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -189,8 +189,8 @@ CSCOPE = cscope
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libratbox.pc.in \
 	$(top_srcdir)/include/libratbox_config.h.in COPYING ChangeLog \
-	INSTALL README TODO compile config.guess config.sub depcomp \
-	install-sh ltmain.sh missing
+	INSTALL README TODO compile config.guess config.sub install-sh \
+	ltmain.sh missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -360,6 +360,7 @@ pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
@@ -627,7 +628,7 @@ distdir: $(DISTFILES)
 	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
 	|| chmod -R a+r "$(distdir)"
 dist-gzip: distdir
-	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
 	$(am__post_remove_distdir)
 
 dist-bzip2: distdir
@@ -653,7 +654,7 @@ dist-shar: distdir
 	@echo WARNING: "Support for shar distribution archives is" \
 	               "deprecated." >&2
 	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
-	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+	shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
 	$(am__post_remove_distdir)
 
 dist-zip: distdir
@@ -671,7 +672,7 @@ dist dist-all:
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lz*) \
@@ -681,7 +682,7 @@ distcheck: dist
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac

libratbox/aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.15 -*- Autoconf -*-
+# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -744,7 +744,6 @@ _LT_CONFIG_SAVE_COMMANDS([
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.
@@ -2901,6 +2900,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -3560,7 +3571,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd*)
+netbsd* | netbsdelf*-gnu)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   else
@@ -4438,7 +4449,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd*)
+      netbsd* | netbsdelf*-gnu)
 	;;
       *qnx* | *nto*)
         # QNX uses GNU C++, but need to define -shared option too, otherwise
@@ -4950,6 +4961,9 @@ m4_if([$1], [CXX], [
       ;;
     esac
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
     ;;
@@ -5012,6 +5026,9 @@ dnl Note also adjust exclude_expsyms for C++ above.
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   esac
 
   _LT_TAGVAR(ld_shlibs, $1)=yes
@@ -5266,7 +5283,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -5787,6 +5804,7 @@ _LT_EOF
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
       else
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -5808,7 +5826,7 @@ _LT_EOF
       esac
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -9050,7 +9068,7 @@ m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
 m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
 
 dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-dnl serial 11 (pkg-config-0.29)
+dnl serial 11 (pkg-config-0.29.1)
 dnl
 dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
@@ -9092,7 +9110,7 @@ dnl
 dnl See the "Since" comment for each macro you use to see what version
 dnl of the macros you require.
 m4_defun([PKG_PREREQ],
-[m4_define([PKG_MACROS_VERSION], [0.29])
+[m4_define([PKG_MACROS_VERSION], [0.29.1])
 m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
     [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
 ])dnl PKG_PREREQ
@@ -9325,7 +9343,7 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
-# Copyright (C) 2002-2014 Free Software Foundation, Inc.
+# Copyright (C) 2002-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9340,7 +9358,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.15'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.15], [],
+m4_if([$1], [1.15.1], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -9356,14 +9374,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.15])dnl
+[AM_AUTOMAKE_VERSION([1.15.1])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9415,7 +9433,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
 
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997-2014 Free Software Foundation, Inc.
+# Copyright (C) 1997-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9446,7 +9464,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9637,7 +9655,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9713,7 +9731,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 
 # Do all the work for Automake.                             -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9910,7 +9928,7 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9931,7 +9949,7 @@ if test x"${install_sh+set}" != xset; then
 fi
 AC_SUBST([install_sh])])
 
-# Copyright (C) 2003-2014 Free Software Foundation, Inc.
+# Copyright (C) 2003-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9953,7 +9971,7 @@ AC_SUBST([am__leading_dot])])
 # Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
 # From Jim Meyering
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9988,7 +10006,7 @@ AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
 
 # Check to see how 'make' treats includes.	            -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10038,7 +10056,7 @@ rm -f confinc confmf
 
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
-# Copyright (C) 1997-2014 Free Software Foundation, Inc.
+# Copyright (C) 1997-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10079,7 +10097,7 @@ fi
 # Obsolete and "removed" macros, that must however still report explicit
 # error messages when used, to smooth transition.
 #
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10106,7 +10124,7 @@ AU_DEFUN([fp_C_PROTOTYPES], [AM_C_PROTOTYPES])
 
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10135,7 +10153,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10182,7 +10200,7 @@ AC_LANG_POP([C])])
 # For backward compatibility.
 AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10201,7 +10219,7 @@ AC_DEFUN([AM_RUN_LOG],
 
 # Check to make sure that the build environment is sane.    -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10282,7 +10300,7 @@ AC_CONFIG_COMMANDS_PRE(
 rm -f conftest.file
 ])
 
-# Copyright (C) 2009-2014 Free Software Foundation, Inc.
+# Copyright (C) 2009-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10342,7 +10360,7 @@ AC_SUBST([AM_BACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
 ])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10370,7 +10388,7 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006-2014 Free Software Foundation, Inc.
+# Copyright (C) 2006-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -10389,7 +10407,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 
 # Check how to create a tarball.                            -*- Autoconf -*-
 
-# Copyright (C) 2004-2014 Free Software Foundation, Inc.
+# Copyright (C) 2004-2017 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

libratbox/config.sub

@@ -1,8 +1,8 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright 1992-2015 Free Software Foundation, Inc.
+#   Copyright 1992-2018 Free Software Foundation, Inc.
 
-timestamp='2015-01-01'
+timestamp='2018-02-22'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -15,7 +15,7 @@ timestamp='2015-01-01'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -33,7 +33,7 @@ timestamp='2015-01-01'
 # Otherwise, we print the canonical config type on stdout and succeed.
 
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
 
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
@@ -53,12 +53,11 @@ timestamp='2015-01-01'
 me=`echo "$0" | sed -e 's,.*/,,'`
 
 usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
+Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
 
 Canonicalize a configuration name.
 
-Operation modes:
+Options:
   -h, --help         print this help, then exit
   -t, --time-stamp   print date of last modification, then exit
   -v, --version      print version number, then exit
@@ -68,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright 1992-2015 Free Software Foundation, Inc.
+Copyright 1992-2018 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -95,7 +94,7 @@ while test $# -gt 0 ; do
 
     *local*)
        # First pass through any local machine types.
-       echo $1
+       echo "$1"
        exit ;;
 
     * )
@@ -113,24 +112,24 @@ esac
 
 # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
 # Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+maybe_os=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
   nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
   linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
-  knetbsd*-gnu* | netbsd*-gnu* | \
-  kopensolaris*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
+  kopensolaris*-gnu* | cloudabi*-eabi* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
   android-linux)
     os=-linux-android
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
     ;;
   *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
+    basic_machine=`echo "$1" | sed 's/-[^-]*$//'`
+    if [ "$basic_machine" != "$1" ]
+    then os=`echo "$1" | sed 's/.*-/-/'`
     else os=; fi
     ;;
 esac
@@ -179,44 +178,44 @@ case $os in
 		;;
 	-sco6)
 		os=-sco5v6
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco5)
 		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco4)
 		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco3.2.[4-9]*)
 		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco3.2v[4-9]*)
 		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco5v6*)
 		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco*)
 		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-isc)
 		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-clix*)
 		basic_machine=clipper-intergraph
 		;;
 	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-lynx*178)
 		os=-lynxos178
@@ -228,10 +227,7 @@ case $os in
 		os=-lynxos
 		;;
 	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-sequent/'`
 		;;
 	-psos*)
 		os=-psos
@@ -255,15 +251,16 @@ case $basic_machine in
 	| arc | arceb \
 	| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
 	| avr | avr32 \
+	| ba \
 	| be32 | be64 \
 	| bfin \
 	| c4x | c8051 | clipper \
 	| d10v | d30v | dlx | dsp16xx \
-	| epiphany \
+	| e2k | epiphany \
 	| fido | fr30 | frv | ft32 \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| hexagon \
-	| i370 | i860 | i960 | ia64 \
+	| i370 | i860 | i960 | ia16 | ia64 \
 	| ip2k | iq2000 \
 	| k1om \
 	| le32 | le64 \
@@ -299,13 +296,14 @@ case $basic_machine in
 	| nios | nios2 | nios2eb | nios2el \
 	| ns16k | ns32k \
 	| open8 | or1k | or1knd | or32 \
-	| pdp10 | pdp11 | pj | pjl \
+	| pdp10 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle \
+	| pru \
 	| pyramid \
 	| riscv32 | riscv64 \
 	| rl78 | rx \
 	| score \
-	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
@@ -314,7 +312,7 @@ case $basic_machine in
 	| ubicom32 \
 	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| visium \
-	| we32k \
+	| wasm32 \
 	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
@@ -335,7 +333,7 @@ case $basic_machine in
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65)
 		;;
 	ms1)
 		basic_machine=mt-unknown
@@ -364,7 +362,7 @@ case $basic_machine in
 	  ;;
 	# Object if more than one company name word.
 	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
 		exit 1
 		;;
 	# Recognize the basic CPU types with company name.
@@ -376,17 +374,18 @@ case $basic_machine in
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
 	| avr-* | avr32-* \
+	| ba-* \
 	| be32-* | be64-* \
 	| bfin-* | bs2000-* \
 	| c[123]* | c30-* | [cjt]90-* | c4x-* \
 	| c8051-* | clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
+	| e2k-* | elxsi-* \
 	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| hexagon-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
+	| i*86-* | i860-* | i960-* | ia16-* | ia64-* \
 	| ip2k-* | iq2000-* \
 	| k1om-* \
 	| le32-* | le64-* \
@@ -427,13 +426,15 @@ case $basic_machine in
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
+	| pru-* \
 	| pyramid-* \
+	| riscv32-* | riscv64-* \
 	| rl78-* | romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
 	| tahoe-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
 	| tile*-* \
@@ -442,6 +443,7 @@ case $basic_machine in
 	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
 	| vax-* \
 	| visium-* \
+	| wasm32-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
@@ -455,7 +457,7 @@ case $basic_machine in
 	# Recognize the various machine names and aliases which stand
 	# for a CPU type and a company and sometimes even an OS.
 	386bsd)
-		basic_machine=i386-unknown
+		basic_machine=i386-pc
 		os=-bsd
 		;;
 	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
@@ -489,7 +491,7 @@ case $basic_machine in
 		basic_machine=x86_64-pc
 		;;
 	amd64-*)
-		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=x86_64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	amdahl)
 		basic_machine=580-amdahl
@@ -518,6 +520,9 @@ case $basic_machine in
 		basic_machine=i386-pc
 		os=-aros
 		;;
+	asmjs)
+		basic_machine=asmjs-unknown
+		;;
 	aux)
 		basic_machine=m68k-apple
 		os=-aux
@@ -531,7 +536,7 @@ case $basic_machine in
 		os=-linux
 		;;
 	blackfin-*)
-		basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=bfin-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
 	bluegene*)
@@ -539,13 +544,13 @@ case $basic_machine in
 		os=-cnk
 		;;
 	c54x-*)
-		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic54x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c55x-*)
-		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic55x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c6x-*)
-		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic6x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c90)
 		basic_machine=c90-cray
@@ -634,10 +639,18 @@ case $basic_machine in
 		basic_machine=rs6000-bull
 		os=-bosx
 		;;
-	dpx2* | dpx2*-bull)
+	dpx2*)
 		basic_machine=m68k-bull
 		os=-sysv3
 		;;
+	e500v[12])
+		basic_machine=powerpc-unknown
+		os=$os"spe"
+		;;
+	e500v[12]-*)
+		basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
+		os=$os"spe"
+		;;
 	ebmon29k)
 		basic_machine=a29k-amd
 		os=-ebmon
@@ -727,9 +740,6 @@ case $basic_machine in
 	hp9k8[0-9][0-9] | hp8[0-9][0-9])
 		basic_machine=hppa1.0-hp
 		;;
-	hppa-next)
-		os=-nextstep3
-		;;
 	hppaosf)
 		basic_machine=hppa1.1-hp
 		os=-osf
@@ -742,26 +752,26 @@ case $basic_machine in
 		basic_machine=i370-ibm
 		;;
 	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv32
 		;;
 	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv4
 		;;
 	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv
 		;;
 	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-solaris2
 		;;
 	i386mach)
 		basic_machine=i386-mach
 		os=-mach
 		;;
-	i386-vsta | vsta)
+	vsta)
 		basic_machine=i386-unknown
 		os=-vsta
 		;;
@@ -780,19 +790,16 @@ case $basic_machine in
 		os=-sysv
 		;;
 	leon-*|leon[3-9]-*)
-		basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
+		basic_machine=sparc-`echo "$basic_machine" | sed 's/-.*//'`
 		;;
 	m68knommu)
 		basic_machine=m68k-unknown
 		os=-linux
 		;;
 	m68knommu-*)
-		basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=m68k-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
 	magnum | m3230)
 		basic_machine=mips-mips
 		os=-sysv
@@ -824,10 +831,10 @@ case $basic_machine in
 		os=-mint
 		;;
 	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`
 		;;
 	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`-unknown
 		;;
 	monitor)
 		basic_machine=m68k-rom68k
@@ -846,7 +853,7 @@ case $basic_machine in
 		os=-msdos
 		;;
 	ms1-*)
-		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+		basic_machine=`echo "$basic_machine" | sed -e 's/ms1-/mt-/'`
 		;;
 	msys)
 		basic_machine=i686-pc
@@ -933,6 +940,12 @@ case $basic_machine in
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
+	nsv-tandem)
+		basic_machine=nsv-tandem
+		;;
+	nsx-tandem)
+		basic_machine=nsx-tandem
+		;;
 	op50n-* | op60c-*)
 		basic_machine=hppa1.1-oki
 		os=-proelf
@@ -965,7 +978,7 @@ case $basic_machine in
 		os=-linux
 		;;
 	parisc-*)
-		basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=hppa-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
 	pbd)
@@ -981,7 +994,7 @@ case $basic_machine in
 		basic_machine=i386-pc
 		;;
 	pc98-*)
-		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i386-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentium | p5 | k5 | k6 | nexgen | viac3)
 		basic_machine=i586-pc
@@ -996,16 +1009,16 @@ case $basic_machine in
 		basic_machine=i786-pc
 		;;
 	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i586-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentium4-*)
-		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i786-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pn)
 		basic_machine=pn-gould
@@ -1015,23 +1028,23 @@ case $basic_machine in
 	ppc | ppcbe)	basic_machine=powerpc-unknown
 		;;
 	ppc-* | ppcbe-*)
-		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
+	ppcle | powerpclittle)
 		basic_machine=powerpcle-unknown
 		;;
 	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpcle-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	ppc64)	basic_machine=powerpc64-unknown
 		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+	ppc64-*) basic_machine=powerpc64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+	ppc64le | powerpc64little)
 		basic_machine=powerpc64le-unknown
 		;;
 	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpc64le-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	ps2)
 		basic_machine=i386-ibm
@@ -1085,17 +1098,10 @@ case $basic_machine in
 	sequent)
 		basic_machine=i386-sequent
 		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
 	sh5el)
 		basic_machine=sh5le-unknown
 		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparclite-wrs | simso-wrs)
+	simso-wrs)
 		basic_machine=sparclite-wrs
 		os=-vxworks
 		;;
@@ -1114,7 +1120,7 @@ case $basic_machine in
 		os=-sysv4
 		;;
 	strongarm-* | thumb-*)
-		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=arm-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	sun2)
 		basic_machine=m68000-sun
@@ -1236,6 +1242,9 @@ case $basic_machine in
 		basic_machine=hppa1.1-winbond
 		os=-proelf
 		;;
+	x64)
+		basic_machine=x86_64-pc
+		;;
 	xbox)
 		basic_machine=i686-pc
 		os=-mingw32
@@ -1244,20 +1253,12 @@ case $basic_machine in
 		basic_machine=xps100-honeywell
 		;;
 	xscale-* | xscalee[bl]-*)
-		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		basic_machine=`echo "$basic_machine" | sed 's/^xscale/arm/'`
 		;;
 	ymp)
 		basic_machine=ymp-cray
 		os=-unicos
 		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	z80-*-coff)
-		basic_machine=z80-unknown
-		os=-sim
-		;;
 	none)
 		basic_machine=none-none
 		os=-none
@@ -1286,10 +1287,6 @@ case $basic_machine in
 	vax)
 		basic_machine=vax-dec
 		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
 	pdp11)
 		basic_machine=pdp11-dec
 		;;
@@ -1299,9 +1296,6 @@ case $basic_machine in
 	sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
 		basic_machine=sh-unknown
 		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
-		basic_machine=sparc-sun
-		;;
 	cydra)
 		basic_machine=cydra-cydrome
 		;;
@@ -1321,7 +1315,7 @@ case $basic_machine in
 		# Make sure to match an already-canonicalized machine name.
 		;;
 	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
 		exit 1
 		;;
 esac
@@ -1329,10 +1323,10 @@ esac
 # Here we canonicalize certain aliases for manufacturers.
 case $basic_machine in
 	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		basic_machine=`echo "$basic_machine" | sed 's/digital.*/dec/'`
 		;;
 	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		basic_machine=`echo "$basic_machine" | sed 's/commodore.*/cbm/'`
 		;;
 	*)
 		;;
@@ -1343,8 +1337,8 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-	# First match some system type aliases
-	# that might get confused with valid system types.
+	# First match some system type aliases that might get confused
+	# with valid system types.
 	# -solaris* is a basic system type, with this one exception.
 	-auroraux)
 		os=-auroraux
@@ -1355,45 +1349,48 @@ case $os in
 	-solaris)
 		os=-solaris2
 		;;
-	-svr4*)
-		os=-sysv4
-		;;
 	-unixware*)
 		os=-sysv4.2uw
 		;;
 	-gnu/linux*)
 		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
 		;;
-	# First accept the basic system types.
+	# es1800 is here to avoid being matched by es* (a different OS)
+	-es1800*)
+		os=-ose
+		;;
+	# Now accept the basic system types.
 	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
+	# Each alternative MUST end in a * to match a version number.
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
 	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
 	      | -sym* | -kopensolaris* | -plan9* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* | -aros* \
+	      | -aos* | -aros* | -cloudabi* | -sortix* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
-	      | -bitrig* | -openbsd* | -solidbsd* \
+	      | -hiux* | -knetbsd* | -mirbsd* | -netbsd* \
+	      | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
 	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* | -cegcc* \
+	      | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
 	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+	      | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
 	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
 	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -morphos* | -superux* | -rtmk* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
+	      | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox* | -bme* \
+	      | -midnightbsd*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1410,12 +1407,12 @@ case $os in
 	-nto*)
 		os=`echo $os | sed -e 's|nto|nto-qnx|'`
 		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	-sim | -xray | -os68k* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* \
 	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
 		;;
 	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
+		os=`echo "$os" | sed -e 's|mac|macos|'`
 		;;
 	-linux-dietlibc)
 		os=-linux-dietlibc
@@ -1424,10 +1421,10 @@ case $os in
 		os=`echo $os | sed -e 's|linux|linux-gnu|'`
 		;;
 	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		os=`echo "$os" | sed -e 's|sunos5|solaris2|'`
 		;;
 	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		os=`echo "$os" | sed -e 's|sunos6|solaris3|'`
 		;;
 	-opened*)
 		os=-openedition
@@ -1438,12 +1435,6 @@ case $os in
 	-wince*)
 		os=-wince
 		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
 	-utek*)
 		os=-bsd
 		;;
@@ -1490,7 +1481,7 @@ case $os in
 	-oss*)
 		os=-sysv3
 		;;
-	-svr4)
+	-svr4*)
 		os=-sysv4
 		;;
 	-svr3)
@@ -1505,32 +1496,38 @@ case $os in
 	-ose*)
 		os=-ose
 		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
 	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
 		os=-mint
 		;;
-	-aros*)
-		os=-aros
-		;;
 	-zvmoe)
 		os=-zvmoe
 		;;
 	-dicos*)
 		os=-dicos
 		;;
+	-pikeos*)
+		# Until real need of OS specific support for
+		# particular features comes up, bare metal
+		# configurations are quite functional.
+		case $basic_machine in
+		    arm*)
+			os=-eabi
+			;;
+		    *)
+			os=-elf
+			;;
+		esac
+		;;
 	-nacl*)
 		;;
+	-ios)
+		;;
 	-none)
 		;;
 	*)
 		# Get rid of the `-' at the beginning of $os.
 		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': system \`"$os"\' not recognized 1>&2
 		exit 1
 		;;
 esac
@@ -1620,12 +1617,12 @@ case $basic_machine in
 	sparc-* | *-sun)
 		os=-sunos4.1.1
 		;;
+	pru-*)
+		os=-elf
+		;;
 	*-be)
 		os=-beos
 		;;
-	*-haiku)
-		os=-haiku
-		;;
 	*-ibm)
 		os=-aix
 		;;
@@ -1680,9 +1677,6 @@ case $basic_machine in
 	i370-*)
 		os=-mvs
 		;;
-	*-next)
-		os=-nextstep3
-		;;
 	*-gould)
 		os=-sysv
 		;;
@@ -1792,15 +1786,15 @@ case $basic_machine in
 				vendor=stratus
 				;;
 		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		basic_machine=`echo "$basic_machine" | sed "s/unknown/$vendor/"`
 		;;
 esac
 
-echo $basic_machine$os
+echo "$basic_machine$os"
 exit
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'write-file-functions 'time-stamp)
 # time-stamp-start: "timestamp='"
 # time-stamp-format: "%:y-%02m-%02d"
 # time-stamp-end: "'"

libratbox/configure

@@ -754,6 +754,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -849,6 +850,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1101,6 +1103,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1238,7 +1249,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1391,6 +1402,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -6880,7 +6892,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd*)
+netbsd* | netbsdelf*-gnu)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   else
@@ -10241,6 +10253,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    link_all_deplibs=no
+    ;;
   esac
 
   ld_shlibs=yes
@@ -10495,7 +10510,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -11165,6 +11180,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
+	link_all_deplibs=no
       else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -11186,7 +11202,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
       esac
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -12301,6 +12317,18 @@ fi
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -14734,6 +14762,8 @@ main ()
     if (*(data + i) != *(data3 + i))
       return 14;
   close (fd);
+  free (data);
+  free (data3);
   return 0;
 }
 _ACEOF
@@ -14986,7 +15016,7 @@ if ${ac_cv_lib_mbedtls_mbedtls_ssl_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmbedtls -lmbedcrypto -lmbedx509 $LIBS"
+LIBS="-lmbedtls -lmbedx509 -lmbedcrypto $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15018,7 +15048,7 @@ fi
 $as_echo "$ac_cv_lib_mbedtls_mbedtls_ssl_init" >&6; }
 if test "x$ac_cv_lib_mbedtls_mbedtls_ssl_init" = xyes; then :
 
-		MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedcrypto -lmbedx509"
+		MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedx509 -lmbedcrypto"
 		cf_enable_mbedtls=yes
 
 else
@@ -17196,7 +17226,6 @@ $as_echo X"$file" |
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.

libratbox/configure.ac

@@ -351,9 +351,9 @@ if test "$cf_enable_mbedtls" != no; then
 	save_LIBS="$LIBS"
 	LIBS="$LIBS $MBEDTLS_LIBS"
 	AC_CHECK_LIB(mbedtls, mbedtls_ssl_init, [
-		MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedcrypto -lmbedx509"
+		MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedtls -lmbedx509 -lmbedcrypto"
 		cf_enable_mbedtls=yes
-	], [cf_enable_mbedtls=no], [-lmbedcrypto -lmbedx509])
+	], [cf_enable_mbedtls=no], [-lmbedx509 -lmbedcrypto])
 fi
 
 dnl GnuTLS support

libratbox/depcomp

@@ -1,9 +1,9 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2004-04-25.13
+scriptversion=2016-01-11.22; # UTC
 
-# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
+# Copyright (C) 1999-2017 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,9 +16,7 @@ scriptversion=2004-04-25.13
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -29,7 +27,7 @@ scriptversion=2004-04-25.13
 
 case $1 in
   '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+    echo "$0: No command.  Try '$0 --help' for more information." 1>&2
     exit 1;
     ;;
   -h | --h*)
@@ -41,42 +39,98 @@ as side-effects.
 
 Environment variables:
   depmode     Dependency tracking mode.
-  source      Source file read by `PROGRAMS ARGS'.
-  object      Object file output by `PROGRAMS ARGS'.
+  source      Source file read by 'PROGRAMS ARGS'.
+  object      Object file output by 'PROGRAMS ARGS'.
+  DEPDIR      directory where to store dependencies.
   depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputing dependencies.
+  tmpdepfile  Temporary file to use when outputting dependencies.
   libtool     Whether libtool is used (yes/no).
 
 Report bugs to <bug-automake@gnu.org>.
 EOF
-    exit 0
+    exit $?
     ;;
   -v | --v*)
     echo "depcomp $scriptversion"
-    exit 0
+    exit $?
     ;;
 esac
 
+# Get the directory component of the given path, and save it in the
+# global variables '$dir'.  Note that this directory component will
+# be either empty or ending with a '/' character.  This is deliberate.
+set_dir_from ()
+{
+  case $1 in
+    */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
+      *) dir=;;
+  esac
+}
+
+# Get the suffix-stripped basename of the given path, and save it the
+# global variable '$base'.
+set_base_from ()
+{
+  base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
+}
+
+# If no dependency file was actually created by the compiler invocation,
+# we still have to create a dummy depfile, to avoid errors with the
+# Makefile "include basename.Plo" scheme.
+make_dummy_depfile ()
+{
+  echo "#dummy" > "$depfile"
+}
+
+# Factor out some common post-processing of the generated depfile.
+# Requires the auxiliary global variable '$tmpdepfile' to be set.
+aix_post_process_depfile ()
+{
+  # If the compiler actually managed to produce a dependency file,
+  # post-process it.
+  if test -f "$tmpdepfile"; then
+    # Each line is of the form 'foo.o: dependency.h'.
+    # Do two passes, one to just change these to
+    #   $object: dependency.h
+    # and one to simply output
+    #   dependency.h:
+    # which is needed to avoid the deleted-header problem.
+    { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
+      sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
+    } > "$depfile"
+    rm -f "$tmpdepfile"
+  else
+    make_dummy_depfile
+  fi
+}
+
+# A tabulation character.
+tab='	'
+# A newline character.
+nl='
+'
+# Character ranges might be problematic outside the C locale.
+# These definitions help.
+upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
+lower=abcdefghijklmnopqrstuvwxyz
+digits=0123456789
+alpha=${upper}${lower}
+
 if test -z "$depmode" || test -z "$source" || test -z "$object"; then
   echo "depcomp: Variables source, object and depmode must be set" 1>&2
   exit 1
 fi
-# `libtool' can also be set to `yes' or `no'.
-
-if test -z "$depfile"; then
-   base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
-   dir=`echo "$object" | sed 's,/.*$,/,'`
-   if test "$dir" = "$object"; then
-      dir=
-   fi
-   # FIXME: should be _deps on DOS.
-   depfile="$dir.deps/$base"
-fi
 
+# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
+depfile=${depfile-`echo "$object" |
+  sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
 tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
 
 rm -f "$tmpdepfile"
 
+# Avoid interferences from the environment.
+gccflag= dashmflag=
+
 # Some modes work just like other modes, but use different flags.  We
 # parameterize here, but still list the modes in the big case below,
 # to make depend.m4 easier to write.  Note that we *cannot* use a case
@@ -93,15 +147,50 @@ if test "$depmode" = dashXmstdout; then
   depmode=dashmstdout
 fi
 
+cygpath_u="cygpath -u -f -"
+if test "$depmode" = msvcmsys; then
+  # This is just like msvisualcpp but w/o cygpath translation.
+  # Just convert the backslash-escaped backslashes to single forward
+  # slashes to satisfy depend.m4
+  cygpath_u='sed s,\\\\,/,g'
+  depmode=msvisualcpp
+fi
+
+if test "$depmode" = msvc7msys; then
+  # This is just like msvc7 but w/o cygpath translation.
+  # Just convert the backslash-escaped backslashes to single forward
+  # slashes to satisfy depend.m4
+  cygpath_u='sed s,\\\\,/,g'
+  depmode=msvc7
+fi
+
+if test "$depmode" = xlc; then
+  # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
+  gccflag=-qmakedep=gcc,-MF
+  depmode=gcc
+fi
+
 case "$depmode" in
 gcc3)
 ## gcc 3 implements dependency tracking that does exactly what
 ## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
 ## it if -MD -MP comes after the -MF stuff.  Hmm.
-  "$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
+## Unfortunately, FreeBSD c89 acceptance of flags depends upon
+## the command line argument order; so add the flags where they
+## appear in depend2.am.  Note that the slowdown incurred here
+## affects only configure: in makefiles, %FASTDEP% shortcuts this.
+  for arg
+  do
+    case $arg in
+    -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
+    *)  set fnord "$@" "$arg" ;;
+    esac
+    shift # fnord
+    shift # $arg
+  done
+  "$@"
   stat=$?
-  if test $stat -eq 0; then :
-  else
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile"
     exit $stat
   fi
@@ -109,13 +198,17 @@ gcc3)
   ;;
 
 gcc)
+## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
+## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
+## (see the conditional assignment to $gccflag above).
 ## There are various ways to get dependency output from gcc.  Here's
 ## why we pick this rather obscure method:
 ## - Don't want to use -MD because we'd like the dependencies to end
 ##   up in a subdir.  Having to rename by hand is ugly.
 ##   (We might end up doing this anyway to support other compilers.)
 ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-##   -MM, not -M (despite what the docs say).
+##   -MM, not -M (despite what the docs say).  Also, it might not be
+##   supported by the other compilers which use the 'gcc' depmode.
 ## - Using -M directly means running the compiler twice (even worse
 ##   than renaming).
   if test -z "$gccflag"; then
@@ -123,31 +216,31 @@ gcc)
   fi
   "$@" -Wp,"$gccflag$tmpdepfile"
   stat=$?
-  if test $stat -eq 0; then :
-  else
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile"
     exit $stat
   fi
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
-  alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-## The second -e expression handles DOS-style file names with drive letters.
+  # The second -e expression handles DOS-style file names with drive
+  # letters.
   sed -e 's/^[^:]*: / /' \
       -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
+## This next piece of magic avoids the "deleted header file" problem.
 ## The problem is that when a header file which appears in a .P file
 ## is deleted, the dependency causes make to die (because there is
 ## typically no way to rebuild the header).  We avoid this by adding
 ## dummy dependencies for each header file.  Too bad gcc doesn't do
 ## this for us directly.
-  tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'.  On the theory
+## Some versions of gcc put a space before the ':'.  On the theory
 ## that the space means something, we add a space to the output as
-## well.
+## well.  hp depmode also adds that space, but also prefixes the VPATH
+## to the object.  Take care to not repeat it in the output.
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  tr ' ' "$nl" < "$tmpdepfile" \
+    | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
+    | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -165,8 +258,7 @@ sgi)
     "$@" -MDupdate "$tmpdepfile"
   fi
   stat=$?
-  if test $stat -eq 0; then :
-  else
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile"
     exit $stat
   fi
@@ -174,99 +266,156 @@ sgi)
 
   if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
     echo "$object : \\" > "$depfile"
-
     # Clip off the initial element (the dependent).  Don't try to be
     # clever and replace this with sed code, as IRIX sed won't handle
     # lines with more than a fixed number of characters (4096 in
     # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like `#:fec' to the end of the
+    # the IRIX cc adds comments like '#:fec' to the end of the
     # dependency line.
-    tr ' ' '
-' < "$tmpdepfile" \
-    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
-    tr '
-' ' ' >> $depfile
-    echo >> $depfile
-
+    tr ' ' "$nl" < "$tmpdepfile" \
+      | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
+      | tr "$nl" ' ' >> "$depfile"
+    echo >> "$depfile"
     # The second pass generates a dummy entry for each header file.
-    tr ' ' '
-' < "$tmpdepfile" \
+    tr ' ' "$nl" < "$tmpdepfile" \
       | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
-   >> $depfile
+      >> "$depfile"
   else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
+    make_dummy_depfile
   fi
   rm -f "$tmpdepfile"
   ;;
 
+xlc)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 aix)
   # The C for AIX Compiler uses -M and outputs the dependencies
   # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts `$object:' at the
+  # current directory.  Also, the AIX compiler puts '$object:' at the
   # start of each line; $object doesn't have directory information.
   # Version 6 uses the directory in both cases.
-  stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
-  tmpdepfile="$stripped.u"
+  set_dir_from "$object"
+  set_base_from "$object"
   if test "$libtool" = yes; then
+    tmpdepfile1=$dir$base.u
+    tmpdepfile2=$base.u
+    tmpdepfile3=$dir.libs/$base.u
     "$@" -Wc,-M
   else
+    tmpdepfile1=$dir$base.u
+    tmpdepfile2=$dir$base.u
+    tmpdepfile3=$dir$base.u
     "$@" -M
   fi
   stat=$?
-
-  if test -f "$tmpdepfile"; then :
-  else
-    stripped=`echo "$stripped" | sed 's,^.*/,,'`
-    tmpdepfile="$stripped.u"
-  fi
-
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
+  if test $stat -ne 0; then
+    rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
     exit $stat
   fi
 
-  if test -f "$tmpdepfile"; then
-    outname="$stripped.o"
-    # Each line is of the form `foo.o: dependent.h'.
-    # Do two passes, one to just change these to
-    # `$object: dependent.h' and one to simply `dependent.h:'.
-    sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
-    sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
-  else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
+  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+  do
+    test -f "$tmpdepfile" && break
+  done
+  aix_post_process_depfile
+  ;;
+
+tcc)
+  # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
+  # FIXME: That version still under development at the moment of writing.
+  #        Make that this statement remains true also for stable, released
+  #        versions.
+  # It will wrap lines (doesn't matter whether long or short) with a
+  # trailing '\', as in:
+  #
+  #   foo.o : \
+  #    foo.c \
+  #    foo.h \
+  #
+  # It will put a trailing '\' even on the last line, and will use leading
+  # spaces rather than leading tabs (at least since its commit 0394caf7
+  # "Emit spaces for -MD").
+  "$@" -MD -MF "$tmpdepfile"
+  stat=$?
+  if test $stat -ne 0; then
+    rm -f "$tmpdepfile"
+    exit $stat
   fi
+  rm -f "$depfile"
+  # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
+  # We have to change lines of the first kind to '$object: \'.
+  sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
+  # And for each line of the second kind, we have to emit a 'dep.h:'
+  # dummy dependency, to avoid the deleted-header problem.
+  sed -n -e 's|^  *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
-icc)
-  # Intel's C compiler understands `-MD -MF file'.  However on
-  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
-  # ICC 7.0 will fill foo.d with something like
-  #    foo.o: sub/foo.c
-  #    foo.o: sub/foo.h
-  # which is wrong.  We want:
-  #    sub/foo.o: sub/foo.c
-  #    sub/foo.o: sub/foo.h
-  #    sub/foo.c:
-  #    sub/foo.h:
-  # ICC 7.1 will output
+## The order of this option in the case statement is important, since the
+## shell code in configure will try each of these formats in the order
+## listed in this file.  A plain '-MD' option would be understood by many
+## compilers, so we must ensure this comes after the gcc and icc options.
+pgcc)
+  # Portland's C compiler understands '-MD'.
+  # Will always output deps to 'file.d' where file is the root name of the
+  # source file under compilation, even if file resides in a subdirectory.
+  # The object file name does not affect the name of the '.d' file.
+  # pgcc 10.2 will output
   #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using \ :
+  # and will wrap long lines using '\' :
   #    foo.o: sub/foo.c ... \
   #     sub/foo.h ... \
   #     ...
+  set_dir_from "$object"
+  # Use the source, not the object, to determine the base name, since
+  # that's sadly what pgcc will do too.
+  set_base_from "$source"
+  tmpdepfile=$base.d
 
-  "$@" -MD -MF "$tmpdepfile"
+  # For projects that build the same source file twice into different object
+  # files, the pgcc approach of using the *source* file root name can cause
+  # problems in parallel builds.  Use a locking strategy to avoid stomping on
+  # the same $tmpdepfile.
+  lockdir=$base.d-lock
+  trap "
+    echo '$0: caught signal, cleaning up...' >&2
+    rmdir '$lockdir'
+    exit 1
+  " 1 2 13 15
+  numtries=100
+  i=$numtries
+  while test $i -gt 0; do
+    # mkdir is a portable test-and-set.
+    if mkdir "$lockdir" 2>/dev/null; then
+      # This process acquired the lock.
+      "$@" -MD
       stat=$?
-  if test $stat -eq 0; then :
+      # Release the lock.
+      rmdir "$lockdir"
+      break
     else
+      # If the lock is being held by a different process, wait
+      # until the winning process is done or we timeout.
+      while test -d "$lockdir" && test $i -gt 0; do
+        sleep 1
+        i=`expr $i - 1`
+      done
+    fi
+    i=`expr $i - 1`
+  done
+  trap - 1 2 13 15
+  if test $i -le 0; then
+    echo "$0: failed to acquire lock after $numtries attempts" >&2
+    echo "$0: check lockdir '$lockdir'" >&2
+    exit 1
+  fi
+
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile"
     exit $stat
   fi
@@ -278,57 +427,140 @@ icc)
   sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
   # Some versions of the HPUX 10.20 sed can't process this invocation
   # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
-    sed -e 's/$/ :/' >> "$depfile"
+  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
+    | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
+hp2)
+  # The "hp" stanza above does not work with aCC (C++) and HP's ia64
+  # compilers, which have integrated preprocessors.  The correct option
+  # to use with these is +Maked; it writes dependencies to a file named
+  # 'foo.d', which lands next to the object file, wherever that
+  # happens to be.
+  # Much of this is similar to the tru64 case; see comments there.
+  set_dir_from  "$object"
+  set_base_from "$object"
+  if test "$libtool" = yes; then
+    tmpdepfile1=$dir$base.d
+    tmpdepfile2=$dir.libs/$base.d
+    "$@" -Wc,+Maked
+  else
+    tmpdepfile1=$dir$base.d
+    tmpdepfile2=$dir$base.d
+    "$@" +Maked
+  fi
+  stat=$?
+  if test $stat -ne 0; then
+     rm -f "$tmpdepfile1" "$tmpdepfile2"
+     exit $stat
+  fi
+
+  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
+  do
+    test -f "$tmpdepfile" && break
+  done
+  if test -f "$tmpdepfile"; then
+    sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
+    # Add 'dependent.h:' lines.
+    sed -ne '2,${
+               s/^ *//
+               s/ \\*$//
+               s/$/:/
+               p
+             }' "$tmpdepfile" >> "$depfile"
+  else
+    make_dummy_depfile
+  fi
+  rm -f "$tmpdepfile" "$tmpdepfile2"
+  ;;
+
 tru64)
   # The Tru64 compiler uses -MD to generate dependencies as a side
-   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+  # effect.  'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
   # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-   # dependencies in `foo.d' instead, so we check for that too.
+  # dependencies in 'foo.d' instead, so we check for that too.
   # Subdirectories are respected.
-   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
-   test "x$dir" = "x$object" && dir=
-   base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+  set_dir_from  "$object"
+  set_base_from "$object"
 
   if test "$libtool" = yes; then
-      # Dependencies are output in .lo.d with libtool 1.4.
-      # They are output in .o.d with libtool 1.5.
-      tmpdepfile1="$dir.libs/$base.lo.d"
-      tmpdepfile2="$dir.libs/$base.o.d"
-      tmpdepfile3="$dir.libs/$base.d"
+    # Libtool generates 2 separate objects for the 2 libraries.  These
+    # two compilations output dependencies in $dir.libs/$base.o.d and
+    # in $dir$base.o.d.  We have to check for both files, because
+    # one of the two compilations can be disabled.  We should prefer
+    # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
+    # automatically cleaned when .libs/ is deleted, while ignoring
+    # the former would cause a distcleancheck panic.
+    tmpdepfile1=$dir$base.o.d          # libtool 1.5
+    tmpdepfile2=$dir.libs/$base.o.d    # Likewise.
+    tmpdepfile3=$dir.libs/$base.d      # Compaq CCC V6.2-504
     "$@" -Wc,-MD
   else
-      tmpdepfile1="$dir$base.o.d"
-      tmpdepfile2="$dir$base.d"
-      tmpdepfile3="$dir$base.d"
+    tmpdepfile1=$dir$base.d
+    tmpdepfile2=$dir$base.d
+    tmpdepfile3=$dir$base.d
     "$@" -MD
   fi
 
   stat=$?
-   if test $stat -eq 0; then :
-   else
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
     exit $stat
   fi
 
-   if test -f "$tmpdepfile1"; then
-      tmpdepfile="$tmpdepfile1"
-   elif test -f "$tmpdepfile2"; then
-      tmpdepfile="$tmpdepfile2"
+  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+  do
+    test -f "$tmpdepfile" && break
+  done
+  # Same post-processing that is required for AIX mode.
+  aix_post_process_depfile
+  ;;
+
+msvc7)
+  if test "$libtool" = yes; then
+    showIncludes=-Wc,-showIncludes
   else
-      tmpdepfile="$tmpdepfile3"
-   fi
-   if test -f "$tmpdepfile"; then
-      sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-      # That's a tab and a space in the [].
-      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
-   else
-      echo "#dummy" > "$depfile"
+    showIncludes=-showIncludes
   fi
+  "$@" $showIncludes > "$tmpdepfile"
+  stat=$?
+  grep -v '^Note: including file: ' "$tmpdepfile"
+  if test $stat -ne 0; then
     rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  # The first sed program below extracts the file names and escapes
+  # backslashes for cygpath.  The second sed program outputs the file
+  # name when reading, but also accumulates all include files in the
+  # hold buffer in order to output them again at the end.  This only
+  # works with sed implementations that can handle large buffers.
+  sed < "$tmpdepfile" -n '
+/^Note: including file:  *\(.*\)/ {
+  s//\1/
+  s/\\/\\\\/g
+  p
+}' | $cygpath_u | sort -u | sed -n '
+s/ /\\ /g
+s/\(.*\)/'"$tab"'\1 \\/p
+s/.\(.*\) \\/\1:/
+H
+$ {
+  s/.*/'"$tab"'/
+  G
+  p
+}' >> "$depfile"
+  echo >> "$depfile" # make sure the fragment doesn't end with a backslash
+  rm -f "$tmpdepfile"
+  ;;
+
+msvc7msys)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
   ;;
 
 #nosideeffect)
@@ -342,13 +574,13 @@ dashmstdout)
 
   # Remove the call to Libtool.
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -368,18 +600,18 @@ dashmstdout)
   done
 
   test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for `:'
+  # Require at least two characters before searching for ':'
   # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+  # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
   "$@" $dashmflag |
-    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
+    sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
   rm -f "$depfile"
   cat < "$tmpdepfile" > "$depfile"
-  tr ' ' '
-' < "$tmpdepfile" | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  # Some versions of the HPUX 10.20 sed can't process this sed invocation
+  # correctly.  Breaking it into two sed invocations is a workaround.
+  tr ' ' "$nl" < "$tmpdepfile" \
+    | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
+    | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -393,41 +625,51 @@ makedepend)
   "$@" || exit $?
   # Remove any Libtool call
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
   fi
   # X makedepend
   shift
-  cleared=no
-  for arg in "$@"; do
+  cleared=no eat=no
+  for arg
+  do
     case $cleared in
     no)
       set ""; shift
       cleared=yes ;;
     esac
+    if test $eat = yes; then
+      eat=no
+      continue
+    fi
     case "$arg" in
     -D*|-I*)
       set fnord "$@" "$arg"; shift ;;
     # Strip any option that makedepend may not understand.  Remove
     # the object too, otherwise makedepend will parse it as a source file.
+    -arch)
+      eat=yes ;;
     -*|$object)
       ;;
     *)
       set fnord "$@" "$arg"; shift ;;
     esac
   done
-  obj_suffix="`echo $object | sed 's/^.*\././'`"
+  obj_suffix=`echo "$object" | sed 's/^.*\././'`
   touch "$tmpdepfile"
   ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
   rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  # makedepend may prepend the VPATH from the source file name to the object.
+  # No need to regex-escape $object, excess matching of '.' is harmless.
+  sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
+  # Some versions of the HPUX 10.20 sed can't process the last invocation
+  # correctly.  Breaking it into two sed invocations is a workaround.
+  sed '1,2d' "$tmpdepfile" \
+    | tr ' ' "$nl" \
+    | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
+    | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile" "$tmpdepfile".bak
   ;;
 
@@ -438,13 +680,13 @@ cpp)
 
   # Remove the call to Libtool.
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -463,9 +705,10 @@ cpp)
     esac
   done
 
-  "$@" -E |
-    sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
-    sed '$ s: \\$::' > "$tmpdepfile"
+  "$@" -E \
+    | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+             -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+    | sed '$ s: \\$::' > "$tmpdepfile"
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
   cat < "$tmpdepfile" >> "$depfile"
@@ -475,13 +718,27 @@ cpp)
 
 msvisualcpp)
   # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o,
-  # because we must use -o when running libtool.
+  # always write the preprocessed file to stdout.
   "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test "X$1" != 'X--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
   IFS=" "
   for arg
   do
     case "$arg" in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
     "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
         set fnord "$@"
         shift
@@ -494,16 +751,23 @@ msvisualcpp)
         ;;
     esac
   done
-  "$@" -E |
-  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+  "$@" -E 2>/dev/null |
+  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
-  echo "	" >> "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
+  echo "$tab" >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
+msvcmsys)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 none)
   exec "$@"
   ;;
@@ -522,5 +786,6 @@ exit 0
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
 # End:

libratbox/include/commio-ssl.h

@@ -25,7 +25,7 @@
 #ifndef _COMMIO_SSL_H
 #define _COMMIO_SSL_H
 
-int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list);
+int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list, const char *hostname);
 int rb_init_ssl(void);
 
 int rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept);

libratbox/include/ratbox_lib.h

@@ -179,14 +179,14 @@ typedef void die_cb(const char *buffer);
 char *rb_ctime(const time_t, char *, size_t);
 char *rb_date(const time_t, char *, size_t);
 void rb_lib_log(const char *, ...);
-void rb_lib_restart(const char *, ...);
+void rb_lib_restart(const char *, ...) __attribute__((noreturn));
 void rb_lib_die(const char *, ...);
 void rb_set_time(void);
 const char *rb_lib_version(void);
 
 void rb_lib_init(log_cb * xilog, restart_cb * irestart, die_cb * idie, int closeall, int maxfds,
 		 size_t dh_size, size_t fd_heap_size);
-void rb_lib_loop(long delay);
+void rb_lib_loop(long delay) __attribute__((noreturn));
 
 time_t rb_current_time(void);
 const struct timeval *rb_current_time_tv(void);

libratbox/include/rb_commio.h

@@ -103,9 +103,27 @@ void rb_note(rb_fde_t *, const char *);
 #define RB_SSL_CERTFP_LEN	64
 
 /* Methods for certfp */
-#define RB_SSL_CERTFP_METH_SHA1		0
-#define RB_SSL_CERTFP_METH_SHA256	1
-#define RB_SSL_CERTFP_METH_SHA512	2
+/* Digest of full X.509 certificate */
+#define RB_SSL_CERTFP_METH_CERT_SHA1    0x0000
+#define RB_SSL_CERTFP_METH_CERT_SHA256  0x0001
+#define RB_SSL_CERTFP_METH_CERT_SHA512  0x0002
+/* Digest of SubjectPublicKeyInfo (RFC 5280), used by DANE (RFC 6698) */
+#define RB_SSL_CERTFP_METH_SPKI_SHA256  0x1001
+#define RB_SSL_CERTFP_METH_SPKI_SHA512  0x1002
+
+/* Names for certfp */
+#define CERTFP_NAME_CERT_SHA1           "sha1"
+#define CERTFP_PREFIX_CERT_SHA1         ""
+#define CERTFP_NAME_CERT_SHA256         "sha256"
+#define CERTFP_PREFIX_CERT_SHA256       ""
+#define CERTFP_NAME_CERT_SHA512         "sha512"
+#define CERTFP_PREFIX_CERT_SHA512       ""
+/* These prefixes are copied from RFC 7218 */
+#define CERTFP_NAME_SPKI_SHA256         "spki_sha256"
+#define CERTFP_PREFIX_SPKI_SHA256       "SPKI:SHA2-256:"
+#define CERTFP_NAME_SPKI_SHA512         "spki_sha512"
+#define CERTFP_PREFIX_SPKI_SHA512       "SPKI:SHA2-512:"
+
 
 #define RB_SSL_CERTFP_LEN_SHA1		20
 #define RB_SSL_CERTFP_LEN_SHA256	32
@@ -134,9 +152,10 @@ ssize_t rb_writev(rb_fde_t *, struct rb_iovec *vector, int count);
 ssize_t rb_read(rb_fde_t *, void *buf, int count);
 int rb_pipe(rb_fde_t **, rb_fde_t **, const char *desc);
 
-int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list);
+int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list, const char *hostname);
 int rb_ssl_listen(rb_fde_t *, int backlog, int defer_accept);
 int rb_listen(rb_fde_t *, int backlog, int defer_accept);
+int rb_remove_ssl_vserver(const char *hostname);
 
 const char *rb_inet_ntop(int af, const void *src, char *dst, unsigned int size);
 int rb_inet_pton(int af, const char *src, void *dst);

libratbox/include/rb_helper.h

@@ -59,5 +59,5 @@ void rb_helper_write_flush(rb_helper *helper);
 void rb_helper_run(rb_helper *helper);
 void rb_helper_close(rb_helper *helper);
 int rb_helper_read(rb_helper *helper, void *buf, size_t bufsize);
-void rb_helper_loop(rb_helper *helper, long delay);
+void rb_helper_loop(rb_helper *helper, long delay) __attribute__((noreturn));
 #endif

libratbox/include/rb_memory.h

@@ -34,7 +34,7 @@
 #include <stdlib.h>
 
 
-void rb_outofmemory(void);
+void rb_outofmemory(void) __attribute__((noreturn));
 
 static inline void *
 rb_malloc(size_t size)

libratbox/install-sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2013-12-25.23; # UTC
+scriptversion=2014-09-12.12; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -324,34 +324,41 @@ do
             # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
             ;;
           *)
+            # $RANDOM is not portable (e.g. dash);  use it when possible to
+            # lower collision chance
             tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-            trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
 
+            # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
+            # create the $tmpdir first (and fail if unsuccessful) to make sure
+            # that nobody tries to guess the $tmpdir name.
             if (umask $mkdir_umask &&
-                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+                $mkdirprog $mkdir_mode "$tmpdir" &&
+                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
             then
               if test -z "$dir_arg" || {
                    # Check for POSIX incompatibilities with -m.
                    # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
                    # other-writable bit of parent directory when it shouldn't.
                    # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-                   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+                   test_tmpdir="$tmpdir/a"
+                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
                    case $ls_ld_tmpdir in
                      d????-?r-*) different_mode=700;;
                      d????-?--*) different_mode=755;;
                      *) false;;
                    esac &&
-                   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-                     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
                      test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
                    }
                  }
               then posix_mkdir=:
               fi
-              rmdir "$tmpdir/d" "$tmpdir"
+              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
             else
               # Remove any dirs left behind by ancient mkdir implementations.
-              rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
             fi
             trap '' 0;;
         esac;;

libratbox/ltmain.sh

@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4.6
+VERSION="2.4.6 Debian-2.4.6-2"
 package_revision=2.4.6
 
 
@@ -2068,12 +2068,12 @@ include the following information:
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname (GNU libtool) 2.4.6
+       version:        $progname $scriptversion Debian-2.4.6-2
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
 Report bugs to <bug-libtool@gnu.org>.
-GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+GNU libtool home page: <http://www.gnu.org/s/libtool/>.
 General help using GNU software: <http://www.gnu.org/gethelp/>."
     exit 0
 }
@@ -7272,10 +7272,13 @@ func_mode_link ()
       # -tp=*                Portland pgcc target processor selection
       # --sysroot=*          for sysroot support
       # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+      # -specs=*             GCC specs files
       # -stdlib=*            select c++ std lib with clang
+      # -fsanitize=*         Clang/GCC memory and address sanitizer
       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
       -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
-      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
+      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \
+      -specs=*|-fsanitize=*)
         func_quote_for_eval "$arg"
 	arg=$func_quote_for_eval_result
         func_append compile_command " $arg"
@@ -7568,7 +7571,10 @@ func_mode_link ()
 	case $pass in
 	dlopen) libs=$dlfiles ;;
 	dlpreopen) libs=$dlprefiles ;;
-	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
 	esac
       fi
       if test lib,dlpreopen = "$linkmode,$pass"; then
@@ -7887,9 +7893,6 @@ func_mode_link ()
 	    # It is a libtool convenience library, so add in its objects.
 	    func_append convenience " $ladir/$objdir/$old_library"
 	    func_append old_convenience " $ladir/$objdir/$old_library"
-	  elif test prog != "$linkmode" && test lib != "$linkmode"; then
-	    func_fatal_error "'$lib' is not a convenience library"
-	  fi
 	    tmp_libs=
 	    for deplib in $dependency_libs; do
 	      deplibs="$deplib $deplibs"
@@ -7900,6 +7903,9 @@ func_mode_link ()
 	      fi
 	      func_append tmp_libs " $deplib"
 	    done
+	  elif test prog != "$linkmode" && test lib != "$linkmode"; then
+	    func_fatal_error "'$lib' is not a convenience library"
+	  fi
 	  continue
 	fi # $pass = conv
 
@@ -8823,6 +8829,9 @@ func_mode_link ()
 	    revision=$number_minor
 	    lt_irix_increment=no
 	    ;;
+	  *)
+	    func_fatal_configuration "$modename: unknown library version type '$version_type'"
+	    ;;
 	  esac
 	  ;;
 	no)

libratbox/missing

@@ -1,11 +1,10 @@
 #! /bin/sh
-# Common stub for a few missing GNU programs while installing.
+# Common wrapper for a few potentially missing GNU programs.
 
-scriptversion=2003-09-02.23
+scriptversion=2013-10-28.13; # UTC
 
-# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003 
-#   Free Software Foundation, Inc.
-# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,9 +17,7 @@ scriptversion=2003-09-02.23
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -28,333 +25,191 @@ scriptversion=2003-09-02.23
 # the same distribution terms that you use for the rest of that program.
 
 if test $# -eq 0; then
-  echo 1>&2 "Try \`$0 --help' for more information"
+  echo 1>&2 "Try '$0 --help' for more information"
   exit 1
 fi
 
-run=:
+case $1 in
 
-# In the cases where this matters, `missing' is being run in the
-# srcdir already.
-if test -f configure.ac; then
-  configure_ac=configure.ac
-else
-  configure_ac=configure.in
-fi
-
-msg="missing on your system"
-
-case "$1" in
---run)
-  # Try to run requested program, and just exit if it succeeds.
-  run=
-  shift
-  "$@" && exit 0
-  # Exit code 63 means version mismatch.  This often happens
-  # when the user try to use an ancient version of a tool on
-  # a file that requires a minimum version.  In this case we
-  # we should proceed has if the program had been absent, or
-  # if --run hadn't been passed.
-  if test $? = 63; then
-    run=:
-    msg="probably too old"
-  fi
+  --is-lightweight)
+    # Used by our autoconf macros to check whether the available missing
+    # script is modern enough.
+    exit 0
     ;;
-esac
 
-# If it does not exist, or fails to run (possibly an outdated version),
-# try to emulate it.
-case "$1" in
+  --run)
+    # Back-compat with the calling convention used by older automake.
+    shift
+    ;;
 
   -h|--h|--he|--hel|--help)
     echo "\
 $0 [OPTION]... PROGRAM [ARGUMENT]...
 
-Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
-error status if there is no known handling for PROGRAM.
+Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
+to PROGRAM being missing or too old.
 
 Options:
   -h, --help      display this help and exit
   -v, --version   output version information and exit
-  --run           try to run the given command, and emulate it if it fails
 
 Supported PROGRAM values:
-  aclocal      touch file \`aclocal.m4'
-  autoconf     touch file \`configure'
-  autoheader   touch file \`config.h.in'
-  automake     touch all \`Makefile.in' files
-  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
-  flex         create \`lex.yy.c', if possible, from existing .c
-  help2man     touch the output file
-  lex          create \`lex.yy.c', if possible, from existing .c
-  makeinfo     touch the output file
-  tar          try tar, gnutar, gtar, then tar without non-portable flags
-  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
+  aclocal   autoconf  autoheader   autom4te  automake  makeinfo
+  bison     yacc      flex         lex       help2man
+
+Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
+'g' are ignored when checking the name.
 
 Send bug reports to <bug-automake@gnu.org>."
+    exit $?
     ;;
 
   -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
     echo "missing $scriptversion (GNU Automake)"
+    exit $?
     ;;
 
   -*)
-    echo 1>&2 "$0: Unknown \`$1' option"
-    echo 1>&2 "Try \`$0 --help' for more information"
+    echo 1>&2 "$0: unknown '$1' option"
+    echo 1>&2 "Try '$0 --help' for more information"
     exit 1
     ;;
 
-  aclocal*)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
-         to install the \`Automake' and \`Perl' packages.  Grab them from
-         any GNU archive site."
-    touch aclocal.m4
-    ;;
-
-  autoconf)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`${configure_ac}'.  You might want to install the
-         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
-         archive site."
-    touch configure
-    ;;
-
-  autoheader)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acconfig.h' or \`${configure_ac}'.  You might want
-         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
-         from any GNU archive site."
-    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
-    test -z "$files" && files="config.h"
-    touch_files=
-    for f in $files; do
-      case "$f" in
-      *:*) touch_files="$touch_files "`echo "$f" |
-				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
-      *) touch_files="$touch_files $f.in";;
 esac
-    done
-    touch $touch_files
-    ;;
 
+# Run the given program, remember its exit status.
+"$@"; st=$?
+
+# If it succeeded, we are done.
+test $st -eq 0 && exit 0
+
+# Also exit now if we it failed (or wasn't found), and '--version' was
+# passed; such an option is passed most likely to detect whether the
+# program is present and works.
+case $2 in --version|--help) exit $st;; esac
+
+# Exit code 63 means version mismatch.  This often happens when the user
+# tries to use an ancient version of a tool on a file that requires a
+# minimum version.
+if test $st -eq 63; then
+  msg="probably too old"
+elif test $st -eq 127; then
+  # Program was missing.
+  msg="missing on your system"
+else
+  # Program was found and executed, but failed.  Give up.
+  exit $st
+fi
+
+perl_URL=http://www.perl.org/
+flex_URL=http://flex.sourceforge.net/
+gnu_software_URL=http://www.gnu.org/software
+
+program_details ()
+{
+  case $1 in
+    aclocal|automake)
+      echo "The '$1' program is part of the GNU Automake package:"
+      echo "<$gnu_software_URL/automake>"
+      echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
+      echo "<$gnu_software_URL/autoconf>"
+      echo "<$gnu_software_URL/m4/>"
+      echo "<$perl_URL>"
+      ;;
+    autoconf|autom4te|autoheader)
+      echo "The '$1' program is part of the GNU Autoconf package:"
+      echo "<$gnu_software_URL/autoconf/>"
+      echo "It also requires GNU m4 and Perl in order to run:"
+      echo "<$gnu_software_URL/m4/>"
+      echo "<$perl_URL>"
+      ;;
+  esac
+}
+
+give_advice ()
+{
+  # Normalize program name to check for.
+  normalized_program=`echo "$1" | sed '
+    s/^gnu-//; t
+    s/^gnu//; t
+    s/^g//; t'`
+
+  printf '%s\n' "'$1' is $msg."
+
+  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
+  case $normalized_program in
+    autoconf*)
+      echo "You should only need it if you modified 'configure.ac',"
+      echo "or m4 files included by it."
+      program_details 'autoconf'
+      ;;
+    autoheader*)
+      echo "You should only need it if you modified 'acconfig.h' or"
+      echo "$configure_deps."
+      program_details 'autoheader'
+      ;;
     automake*)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
-         You might want to install the \`Automake' and \`Perl' packages.
-         Grab them from any GNU archive site."
-    find . -type f -name Makefile.am -print |
-	   sed 's/\.am$/.in/' |
-	   while read f; do touch "$f"; done
+      echo "You should only need it if you modified 'Makefile.am' or"
+      echo "$configure_deps."
+      program_details 'automake'
       ;;
-
-  autom4te)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is needed, but is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.
-         You can get \`$1' as part of \`Autoconf' from any GNU
-         archive site."
-
-    file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'`
-    test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'`
-    if test -f "$file"; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo "#! /bin/sh"
-	echo "# Created by GNU Automake missing as a replacement of"
-	echo "#  $ $@"
-	echo "exit 0"
-	chmod +x $file
-	exit 1
-    fi
+    aclocal*)
+      echo "You should only need it if you modified 'acinclude.m4' or"
+      echo "$configure_deps."
+      program_details 'aclocal'
       ;;
-
-  bison|yacc)
-    echo 1>&2 "\
-WARNING: \`$1' $msg.  You should only need it if
-         you modified a \`.y' file.  You may need the \`Bison' package
-         in order for those modifications to take effect.  You can get
-         \`Bison' from any GNU archive site."
-    rm -f y.tab.c y.tab.h
-    if [ $# -ne 1 ]; then
-        eval LASTARG="\${$#}"
-	case "$LASTARG" in
-	*.y)
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" y.tab.c
-	    fi
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" y.tab.h
-	    fi
+   autom4te*)
+      echo "You might have modified some maintainer files that require"
+      echo "the 'autom4te' program to be rebuilt."
+      program_details 'autom4te'
       ;;
-	esac
-    fi
-    if [ ! -f y.tab.h ]; then
-	echo >y.tab.h
-    fi
-    if [ ! -f y.tab.c ]; then
-	echo 'main() { return 0; }' >y.tab.c
-    fi
+    bison*|yacc*)
+      echo "You should only need it if you modified a '.y' file."
+      echo "You may want to install the GNU Bison package:"
+      echo "<$gnu_software_URL/bison/>"
       ;;
-
-  lex|flex)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.l' file.  You may need the \`Flex' package
-         in order for those modifications to take effect.  You can get
-         \`Flex' from any GNU archive site."
-    rm -f lex.yy.c
-    if [ $# -ne 1 ]; then
-        eval LASTARG="\${$#}"
-	case "$LASTARG" in
-	*.l)
-	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" lex.yy.c
-	    fi
+    lex*|flex*)
+      echo "You should only need it if you modified a '.l' file."
+      echo "You may want to install the Fast Lexical Analyzer package:"
+      echo "<$flex_URL>"
       ;;
-	esac
-    fi
-    if [ ! -f lex.yy.c ]; then
-	echo 'main() { return 0; }' >lex.yy.c
-    fi
+    help2man*)
+      echo "You should only need it if you modified a dependency" \
+           "of a man page."
+      echo "You may want to install the GNU Help2man package:"
+      echo "<$gnu_software_URL/help2man/>"
     ;;
-
-  help2man)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-	 you modified a dependency of a manual page.  You may need the
-	 \`Help2man' package in order for those modifications to take
-	 effect.  You can get \`Help2man' from any GNU archive site."
-
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
-    if test -z "$file"; then
-	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
-    fi
-    if [ -f "$file" ]; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo ".ab help2man is required to generate this page"
-	exit 1
-    fi
+    makeinfo*)
+      echo "You should only need it if you modified a '.texi' file, or"
+      echo "any other file indirectly affecting the aspect of the manual."
+      echo "You might want to install the Texinfo package:"
+      echo "<$gnu_software_URL/texinfo/>"
+      echo "The spurious makeinfo call might also be the consequence of"
+      echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
+      echo "want to install GNU make:"
+      echo "<$gnu_software_URL/make/>"
       ;;
-
-  makeinfo)
-    if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then
-       # We have makeinfo, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.texi' or \`.texinfo' file, or any other file
-         indirectly affecting the aspect of the manual.  The spurious
-         call might also be the consequence of using a buggy \`make' (AIX,
-         DU, IRIX).  You might want to install the \`Texinfo' package or
-         the \`GNU make' package.  Grab either from any GNU archive site."
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
-    if test -z "$file"; then
-      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
-      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
-    fi
-    touch $file
-    ;;
-
-  tar)
-    shift
-    if test -n "$run"; then
-      echo 1>&2 "ERROR: \`tar' requires --run"
-      exit 1
-    fi
-
-    # We have already tried tar in the generic part.
-    # Look for gnutar/gtar before invocation to avoid ugly error
-    # messages.
-    if (gnutar --version > /dev/null 2>&1); then
-       gnutar "$@" && exit 0
-    fi
-    if (gtar --version > /dev/null 2>&1); then
-       gtar "$@" && exit 0
-    fi
-    firstarg="$1"
-    if shift; then
-	case "$firstarg" in
-	*o*)
-	    firstarg=`echo "$firstarg" | sed s/o//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-	case "$firstarg" in
-	*h*)
-	    firstarg=`echo "$firstarg" | sed s/h//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-    fi
-
-    echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
-         You may want to install GNU tar or Free paxutils, or check the
-         command line arguments."
-    exit 1
-    ;;
-
     *)
-    echo 1>&2 "\
-WARNING: \`$1' is needed, and is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.  Check the \`README' file,
-         it often tells you about the needed prerequisites for installing
-         this package.  You may also peek at any GNU archive site, in case
-         some other package would contain this missing \`$1' program."
-    exit 1
+      echo "You might have modified some files without having the proper"
+      echo "tools for further handling them.  Check the 'README' file, it"
+      echo "often tells you about the needed prerequisites for installing"
+      echo "this package.  You may also peek at any GNU archive site, in"
+      echo "case some other package contains this missing '$1' program."
       ;;
   esac
+}
 
-exit 0
+give_advice "$1" | sed -e '1s/^/WARNING: /' \
+                       -e '2,$s/^/         /' >&2
+
+# Propagate the correct exit status (expected to be 127 for a program
+# not found, 63 for a program that failed due to version mismatch).
+exit $st
 
 # Local variables:
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
 # End:

libratbox/src/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -334,6 +334,7 @@ pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@

libratbox/src/balloc.c

@@ -106,7 +106,7 @@ static HANDLE block_heap;
 
 #define rb_bh_fail(x) _rb_bh_fail(x, __FILE__, __LINE__)
 
-static void
+static void __attribute__((noreturn))
 _rb_bh_fail(const char *reason, const char *file, int line)
 {
 	rb_lib_log("rb_heap_blockheap failure: %s (%s:%d)", reason, file, line);

libratbox/src/commio.c

@@ -336,11 +336,14 @@ rb_accept_tryaccept(rb_fde_t *F, void *data)
 {
 	struct rb_sockaddr_storage st;
 	rb_fde_t *new_F;
-	rb_socklen_t addrlen = sizeof(st);
+	rb_socklen_t addrlen;
 	int new_fd;
 
 	while(1)
 	{
+		(void) memset(&st, 0x00, sizeof st);
+		addrlen = (rb_socklen_t) sizeof st;
+
 		new_fd = accept(F->fd, (struct sockaddr *)&st, &addrlen);
 		rb_get_errno();
 		if(new_fd < 0)
@@ -742,9 +745,6 @@ mangle_mapped_sockaddr(struct sockaddr *in)
 {
 	struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)in;
 
-	if(in->sa_family == AF_INET)
-		return;
-
 	if(in->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
 	{
 		struct sockaddr_in in4;
@@ -754,7 +754,6 @@ mangle_mapped_sockaddr(struct sockaddr *in)
 		in4.sin_addr.s_addr = ((uint32_t *)&in6->sin6_addr)[3];
 		memcpy(in, &in4, sizeof(struct sockaddr_in));
 	}
-	return;
 }
 #endif
 
@@ -1266,7 +1265,10 @@ inet_ntop6(const unsigned char *src, char *dst, unsigned int size)
 		if(words[i] == 0)
 		{
 			if(cur.base == -1)
-				cur.base = i, cur.len = 1;
+			{
+				cur.base = i;
+				cur.len = 1;
+			}
 			else
 				cur.len++;
 		}
@@ -1365,17 +1367,14 @@ rb_inet_ntop_sock(struct sockaddr *src, char *dst, unsigned int size)
 	{
 	case AF_INET:
 		return (rb_inet_ntop(AF_INET, &((struct sockaddr_in *)src)->sin_addr, dst, size));
-		break;
 #ifdef RB_IPV6
 	case AF_INET6:
 		return (rb_inet_ntop
 			(AF_INET6, &((struct sockaddr_in6 *)src)->sin6_addr, dst, size));
-		break;
 #endif
-	default:
-		return NULL;
-		break;
 	}
+
+	return NULL;
 }
 
 /* char *
@@ -2242,7 +2241,7 @@ rb_send_fd_buf(rb_fde_t *xF, rb_fde_t **F, int count, void *data, size_t datasiz
 	if(count > 0)
 	{
 		int len = CMSG_SPACE(sizeof(int) * count);
-		char buf[len];
+		char *buf = alloca(len);
 
 		msg.msg_control = buf;
 		msg.msg_controllen = len;
@@ -2251,13 +2250,14 @@ rb_send_fd_buf(rb_fde_t *xF, rb_fde_t **F, int count, void *data, size_t datasiz
 		cmsg->cmsg_type = SCM_RIGHTS;
 		cmsg->cmsg_len = CMSG_LEN(sizeof(int) * count);
 
-		for(unsigned int i = 0; i < count; i++)
+		for(int i = 0; i < count; i++)
 		{
 			((int *)CMSG_DATA(cmsg))[i] = rb_get_fd(F[i]);
 		}
+
 		msg.msg_controllen = cmsg->cmsg_len;
-		return sendmsg(rb_get_fd(xF), &msg, MSG_NOSIGNAL);
 	}
+
 	return sendmsg(rb_get_fd(xF), &msg, MSG_NOSIGNAL);
 }
 #else

libratbox/src/crypt.c

@@ -46,16 +46,12 @@ rb_crypt(const char *key, const char *salt)
 		{
 		case '1':
 			return rb_md5_crypt(key, salt);
-			break;
 		case '5':
 			return rb_sha256_crypt(key, salt);
-			break;
 		case '6':
 			return rb_sha512_crypt(key, salt);
-			break;
 		default:
 			return NULL;
-			break;
 		};
 	}
 	else
@@ -536,7 +532,7 @@ rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int co
 	 *      l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
 	 */
 	uint32_t l, r, *kl, *kr, *kl1, *kr1;
-	uint32_t f, r48l, r48r;
+	uint32_t f = 0, r48l, r48r;
 	int round;
 
 	if(count == 0)
@@ -1951,6 +1947,9 @@ static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
 	return resbuf;
 }
 
+#ifndef _STRING_ARCH_unaligned
+#define _STRING_ARCH_unaligned 0
+#endif
 
 static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
 {
@@ -1980,7 +1979,7 @@ static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha51
 	/* Process available complete blocks.  */
 	if (len >= 128)
 	{
-	#if !_STRING_ARCH_unaligned
+	#if (!_STRING_ARCH_unaligned)
 	/* To check alignment gcc has an appropriate operator.  Other
 	   compilers don't.  */
 	#	if __GNUC__ >= 2

libratbox/src/export-syms.txt

@@ -48,6 +48,8 @@ rb_setselect
 rb_settimeout
 rb_setup_fd
 rb_setup_ssl_server
+rb_setup_ssl_server_hostname
+rb_remove_ssl_vserver
 rb_socket
 rb_socketpair
 rb_ssl_listen

libratbox/src/gnutls_ratbox.h

@@ -0,0 +1,37 @@
+/*
+ *  libratbox: a library used by ircd-ratbox and other things
+ *  gnutls_ratbox.h: embedded data for GNUTLS backend
+ *
+ *  Copyright (C) 2007-2008 ircd-ratbox development team
+ *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+ *  USA
+ *
+ */
+
+static const char rb_gnutls_default_priority_str[] = ""
+	"+SECURE256:"
+	"+SECURE128:"
+	"!RSA:"
+	"+NORMAL:"
+	"!ARCFOUR-128:"
+	"!3DES-CBC:"
+	"!MD5:"
+	"+VERS-TLS1.2:"
+	"+VERS-TLS1.1:"
+	"!VERS-TLS1.0:"
+	"!VERS-SSL3.0:"
+	"%SAFE_RENEGOTIATION";

libratbox/src/linebuf.c

@@ -301,7 +301,6 @@ rb_linebuf_copy_raw(buf_head_t * bufhead, buf_line_t * bufline, char *data, int
 		clen = BUF_DATA_SIZE - bufline->len - 1;
 		memcpy(bufch, ch, clen);
 		bufline->buf[BUF_DATA_SIZE - 1] = '\0';
-		bufch = bufline->buf + BUF_DATA_SIZE - 2;
 		bufline->terminated = 1;
 		bufline->len = BUF_DATA_SIZE - 1;
 		bufhead->len += BUF_DATA_SIZE - 1;

libratbox/src/mbedtls_ratbox.h

@@ -0,0 +1,237 @@
+/*
+ *  libratbox: a library used by ircd-ratbox and other things
+ *  mbedtls_ratbox.h: embedded data for ARM MbedTLS backend
+ *
+ *  Copyright (C) 2016 Aaron Jones <aaronmdjones@gmail.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+ *  USA
+ *
+ *  $Id$
+ */
+
+#ifndef RB_MBEDTLS_EMBEDDED_DATA_H
+#define RB_MBEDTLS_EMBEDDED_DATA_H
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/error.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/dhm.h"
+#include "mbedtls/version.h"
+
+/*
+ * Personalization string for CTR-DRBG initialization
+ */
+static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string";
+
+/*
+ * Default list of supported ciphersuites
+ * The user can override this with the ssl_cipher_list option in ircd.conf
+ *
+ * The format for this option is the same as the macro names below, but
+ * with underscores replaced with hyphens, and without the initial MBEDTLS_
+ *
+ * For example;
+ * ssl_cipher_list = "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
+ *
+ * Multiple ciphersuites can be separated by colons (:)
+ *
+ * ************************************************************************
+ *
+ * The ordering of the following list should be intuitive. Within the list;
+ *
+ * * All AEAD forward-secret ciphersuites are located first [1]
+ * * All SHA2 forward-secret ciphersuites are located second
+ * * All remaining forward-secret ciphersuites are located third
+ * * All non-forward-secret ciphersuites are located last, in the same order
+ *
+ *   [1] Because in practice, they are the only secure ciphersuites available;
+ *       the ETM extension for CBC ciphersuites has not seen wide adoption.
+ *
+ * In practice, all clients SHOULD support an AEAD forward-secret cipher,
+ * which the server will then negotiate as they are preferred.
+ *
+ * This choice can be revisited in future; please consult me first.  -- amdj
+ */
+static const int rb_mbedtls_ciphersuites[] = {
+
+	// AEAD forward-secret ciphersuites
+
+#ifdef	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+#endif
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+
+	// SHA2 forward-secret ciphersuites
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+	// Remaining forward-secret ciphersuites
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+	// Non-forward-secret ciphersuites
+
+	MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+
+	MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+
+	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+
+	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+	// The end of list sentinel
+	0
+};
+
+/*
+ * YES, this is a hardcoded CA certificate.
+ *
+ * BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT!
+ *
+ * ARM mbedTLS required a CA certificate to be set in its configuration before it will
+ * process a client certificate from peers. Since we want to do that, and not all
+ * installations will have a CA certificate to hand, we have this.
+ *
+ * Its key was securely destroyed after being generated, but even if it wasn't, that
+ * doesn't matter; the IRCd will accept ALL certificates, whether signed by this CA
+ * certificate or not!
+ *
+ * After all, it only cares about certificates in as far as to generate a fingerprint
+ * for them.
+ *
+ * Yes, this is a massive hack, but there is no alternative for older versions.
+ *
+ * This issue was fixed in commit 39ae8cd2077d on the MbedTLS 2.5 development branch,
+ * released in version 2.5.1 on 19 June 2017. This certificate will not be used if
+ * that version (or greater) is installed.
+ */
+
+#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
+
+static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
+	0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
+	0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+	0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x31, 0x31, 0x2F, 0x30, 0x2D, 0x06, 0x03, 0x55,
+	0x04, 0x03, 0x0C, 0x26, 0x43, 0x68, 0x61, 0x72, 0x79, 0x62, 0x64, 0x69, 0x73, 0x20, 0x6D, 0x62,
+	0x65, 0x64, 0x54, 0x4C, 0x53, 0x20, 0x44, 0x75, 0x6D, 0x6D, 0x79, 0x20, 0x43, 0x41, 0x20, 0x43,
+	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x36,
+	0x30, 0x35, 0x30, 0x34, 0x30, 0x38, 0x35, 0x32, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x34, 0x33, 0x30,
+	0x39, 0x32, 0x30, 0x30, 0x38, 0x35, 0x32, 0x35, 0x33, 0x5A, 0x30, 0x31, 0x31, 0x2F, 0x30, 0x2D,
+	0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x26, 0x43, 0x68, 0x61, 0x72, 0x79, 0x62, 0x64, 0x69, 0x73,
+	0x20, 0x6D, 0x62, 0x65, 0x64, 0x54, 0x4C, 0x53, 0x20, 0x44, 0x75, 0x6D, 0x6D, 0x79, 0x20, 0x43,
+	0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x82, 0x01,
+	0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00,
+	0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xCA, 0x4B,
+	0xA6, 0xA1, 0x82, 0x5B, 0x06, 0xC6, 0x82, 0x76, 0x8E, 0xB2, 0x22, 0x37, 0x83, 0x91, 0x4B, 0xD0,
+	0xAE, 0x2F, 0xEE, 0x8E, 0x60, 0x04, 0xBA, 0x77, 0x8C, 0xD0, 0xCF, 0x5E, 0xA4, 0xFD, 0x80, 0xA1,
+	0x2E, 0xDC, 0x1F, 0xD9, 0x72, 0x2C, 0x28, 0x03, 0x27, 0x48, 0x23, 0x6E, 0x41, 0x49, 0x62, 0x09,
+	0x2D, 0xCF, 0x87, 0xA1, 0x45, 0x9D, 0x2B, 0x43, 0x6F, 0xBB, 0xDB, 0x23, 0xD8, 0xD9, 0x6D, 0x36,
+	0x4E, 0xA3, 0x85, 0x40, 0x4D, 0x72, 0xEC, 0x7B, 0xEF, 0x2B, 0x13, 0xE4, 0x6F, 0xDA, 0x23, 0x4F,
+	0x1C, 0xE7, 0xEA, 0xD9, 0x17, 0x2B, 0xD6, 0x67, 0x79, 0x42, 0xC3, 0x81, 0x9A, 0x77, 0x64, 0xC7,
+	0xC5, 0x44, 0xE1, 0xA4, 0xA3, 0x50, 0x8C, 0x1F, 0xCA, 0xD3, 0x6F, 0xC7, 0xFF, 0x2C, 0xBA, 0x7B,
+	0x21, 0x0C, 0xF3, 0xA9, 0x6A, 0x89, 0x74, 0x33, 0x60, 0xA1, 0xF8, 0x9F, 0xAA, 0x39, 0xA9, 0x45,
+	0x7E, 0x3D, 0x41, 0x67, 0x04, 0xF5, 0x9F, 0x47, 0x62, 0xAC, 0x65, 0xE0, 0x8D, 0x46, 0x9E, 0xD9,
+	0xE5, 0x77, 0xD5, 0x8C, 0x47, 0xA2, 0xFB, 0x7D, 0x94, 0x27, 0xC9, 0xB9, 0x3F, 0x4D, 0xF4, 0xFD,
+	0x19, 0x3C, 0xF6, 0x24, 0xAE, 0x70, 0xD7, 0x23, 0xE4, 0x64, 0x0A, 0xFC, 0x63, 0x89, 0x8A, 0xFE,
+	0xD0, 0x8E, 0x48, 0x1A, 0xD8, 0xC3, 0xA9, 0xEC, 0x9D, 0x0F, 0xC7, 0xC5, 0x22, 0xBC, 0x45, 0x4A,
+	0x2F, 0x4D, 0xF5, 0x0E, 0x4F, 0xFF, 0xAC, 0xE0, 0x55, 0xF4, 0x86, 0x04, 0x1B, 0x60, 0xDF, 0x4C,
+	0x25, 0xB9, 0xEC, 0x10, 0x0C, 0x54, 0x16, 0xDF, 0x42, 0xF0, 0x07, 0x00, 0x28, 0x81, 0x7C, 0x95,
+	0xAA, 0xC1, 0x01, 0xA3, 0xB8, 0xDF, 0x68, 0xCB, 0x55, 0xA7, 0x80, 0xCC, 0xE5, 0x3D, 0xE1, 0x68,
+	0x10, 0x27, 0x56, 0x94, 0x67, 0xEC, 0x82, 0x66, 0x3D, 0x96, 0x76, 0xC3, 0xEE, 0x23, 0x02, 0x03,
+	0x01, 0x00, 0x01, 0xA3, 0x50, 0x30, 0x4E, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
+	0x04, 0x14, 0xFF, 0xC8, 0xBA, 0x56, 0x74, 0xB1, 0x03, 0xA9, 0x79, 0x55, 0xFA, 0x58, 0x86, 0x13,
+	0xDE, 0xC0, 0xFA, 0xF2, 0x94, 0x62, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30,
+	0x16, 0x80, 0x14, 0xFF, 0xC8, 0xBA, 0x56, 0x74, 0xB1, 0x03, 0xA9, 0x79, 0x55, 0xFA, 0x58, 0x86,
+	0x13, 0xDE, 0xC0, 0xFA, 0xF2, 0x94, 0x62, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05,
+	0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+	0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x3D, 0x35, 0x69, 0x87, 0xEB, 0x41, 0xA9,
+	0x2A, 0x51, 0xF3, 0x28, 0x71, 0xB4, 0x06, 0x7F, 0x15, 0x5A, 0x6D, 0x88, 0x5B, 0xC8, 0x4C, 0xE1,
+	0x6C, 0xC7, 0xCB, 0x93, 0x63, 0x69, 0xFB, 0xA6, 0x6D, 0xC7, 0x44, 0x6B, 0xD6, 0x39, 0x46, 0x34,
+	0xFC, 0x45, 0x23, 0xD2, 0x29, 0x1B, 0xCC, 0x1C, 0x13, 0xD7, 0x63, 0x10, 0x81, 0xF5, 0x82, 0x45,
+	0xEC, 0xDC, 0x20, 0x5F, 0xBB, 0xC3, 0xE6, 0x4A, 0x07, 0xA7, 0xBD, 0x9E, 0xFC, 0x5D, 0xFE, 0xC5,
+	0x43, 0x3A, 0xC6, 0xA4, 0x6C, 0x5B, 0xF9, 0x63, 0x8F, 0xF9, 0xEB, 0xC2, 0xF4, 0xA7, 0xE4, 0x1B,
+	0x23, 0xFA, 0xE1, 0x5A, 0x79, 0xC5, 0x1D, 0x1D, 0xFC, 0xAA, 0x81, 0xF7, 0x21, 0x52, 0xC9, 0x46,
+	0x17, 0x1B, 0x24, 0x4B, 0x14, 0x5C, 0xF9, 0xB5, 0x86, 0x04, 0x80, 0x51, 0x95, 0xCF, 0x4E, 0x47,
+	0x32, 0x8A, 0x1E, 0x52, 0x2E, 0xBF, 0x08, 0x8E, 0x9E, 0xE3, 0x88, 0x45, 0xC3, 0x75, 0xD7, 0xAE,
+	0xC3, 0x7E, 0x7E, 0xE9, 0xC9, 0x5B, 0xD8, 0x58, 0x3B, 0x25, 0x53, 0x0C, 0x00, 0x21, 0x1A, 0x71,
+	0x12, 0x23, 0xA0, 0x35, 0x6E, 0xC9, 0x7D, 0x83, 0x5C, 0x19, 0xE4, 0x05, 0x84, 0x46, 0x4E, 0x50,
+	0xE2, 0x9E, 0x70, 0x2E, 0x74, 0x05, 0xEA, 0x31, 0x04, 0x55, 0xA7, 0xF4, 0x67, 0x95, 0xDC, 0x86,
+	0x1F, 0x9D, 0xA0, 0x5D, 0x7F, 0x29, 0x48, 0x84, 0xEF, 0x13, 0xB8, 0xB3, 0xBF, 0x65, 0xD4, 0x52,
+	0x98, 0x06, 0xE6, 0x8A, 0xB1, 0x36, 0xEA, 0x39, 0xB3, 0x04, 0x2B, 0x6E, 0x64, 0x6E, 0xF3, 0x20,
+	0x74, 0xB6, 0x6E, 0x21, 0x3B, 0x99, 0xFE, 0x6E, 0x70, 0x48, 0x78, 0xEA, 0x31, 0x95, 0xB3, 0xB0,
+	0x0E, 0x48, 0x83, 0x35, 0xA9, 0x74, 0xBF, 0x45, 0x07, 0xC8, 0x5A, 0x12, 0xA2, 0x4D, 0x16, 0xDB,
+	0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D
+};
+
+#endif /* MBEDTLS_VERSION_NUMBER */
+
+#endif /* RB_MBEDTLS_EMBEDDED_DATA_H */

libratbox/src/nossl.c

@@ -34,7 +34,7 @@
 #include <commio-ssl.h>
 
 int
-rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
+rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list, const char *hostname)
 {
 	errno = ENOSYS;
 	return 0;

libratbox/src/openssl_ratbox.h

@@ -0,0 +1,141 @@
+/*
+ *  libratbox: a library used by ircd-ratbox and other things
+ *  openssl_ratbox.h: OpenSSL backend data
+ *
+ *  Copyright (C) 2015-2016 Aaron Jones <aaronmdjones@gmail.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+ *  USA
+ *
+ */
+
+#ifndef LRB_OPENSSL_H_INC
+#define LRB_OPENSSL_H_INC 1
+
+#include <openssl/dh.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/ssl.h>
+
+#include <openssl/opensslv.h>
+
+/*
+ * A long time ago, in a world far away, OpenSSL had a well-established mechanism for ensuring compatibility with
+ * regards to added, changed, and removed functions, by having an SSLEAY_VERSION_NUMBER macro. This was then
+ * renamed to OPENSSL_VERSION_NUMBER, but the old macro was kept around for compatibility until OpenSSL version
+ * 1.1.0.
+ *
+ * Then the OpenBSD developers decided that having OpenSSL in their codebase was a bad idea. They forked it to
+ * create LibreSSL, gutted all of the functionality they didn't want or need, and generally improved the library
+ * a lot. Then, as the OpenBSD developers are want to do, they packaged up LibreSSL for release to other
+ * operating systems, as LibreSSL Portable. Think along the lines of OpenSSH where they have also done this.
+ *
+ * The fun part of this story ends there. LibreSSL has an OPENSSL_VERSION_NUMBER macro, but they have set it to a
+ * stupidly high value, version 2.0. OpenSSL version 2.0 does not exist, and LibreSSL 2.2 does not implement
+ * everything OpenSSL 1.0.2 or 1.1.0 do. This completely breaks the entire purpose of the macro.
+ *
+ * The ifdef soup below is for LibreSSL compatibility. Please find whoever thought setting OPENSSL_VERSION_NUMBER
+ * to a version that does not exist was a good idea. Encourage them to realise that it is not.   -- amdj
+ */
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#  define LRB_SSL_NO_EXPLICIT_INIT      1
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#  define LRB_HAVE_TLS_SET_CURVES       1
+#  if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#    define LRB_HAVE_TLS_ECDH_AUTO      1
+#  endif
+#endif
+
+#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
+#  define LRB_HAVE_TLS_METHOD_API       1
+#else
+#  if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#    define LRB_HAVE_TLS_METHOD_API     1
+#  endif
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#  define LRB_SSL_VTEXT_COMPILETIME     OPENSSL_VERSION_TEXT
+#  define LRB_SSL_VTEXT_RUNTIME         OpenSSL_version(OPENSSL_VERSION)
+#  define LRB_SSL_VNUM_COMPILETIME      OPENSSL_VERSION_NUMBER
+#  define LRB_SSL_VNUM_RUNTIME          OpenSSL_version_num()
+#  define LRB_SSL_FULL_VERSION_INFO     1
+#else
+#  if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20200000L)
+#    define LRB_SSL_VTEXT_RUNTIME       SSLeay_version(SSLEAY_VERSION)
+#    define LRB_SSL_VNUM_COMPILETIME    LIBRESSL_VERSION_NUMBER
+#  else
+#    define LRB_SSL_VTEXT_RUNTIME       SSLeay_version(SSLEAY_VERSION)
+#    define LRB_SSL_VNUM_COMPILETIME    SSLEAY_VERSION_NUMBER
+#  endif
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER > 0x10101000L)
+#  define LRB_HAVE_TLS_ECDH_X25519      1
+#else
+#  if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER > 0x2050100fL)
+#    define LRB_HAVE_TLS_ECDH_X25519    1
+#  endif
+#endif
+
+
+
+/*
+ * Default supported ciphersuites (if the user does not provide any) and
+ * curves (OpenSSL 1.0.2+). Hardcoded secp384r1 (NIST P-384) is used on
+ * OpenSSL 1.0.0 and 1.0.1 (if available).
+ *
+ * We prefer AEAD ciphersuites first in order of strength, then SHA2
+ * ciphersuites, then remaining suites.
+ */
+
+static const char rb_default_ciphers[] = ""
+	"aECDSA+kEECDH+CHACHA20:"
+	"aRSA+kEECDH+CHACHA20:"
+	"aRSA+kEDH+CHACHA20:"
+	"aECDSA+kEECDH+AESGCM:"
+	"aRSA+kEECDH+AESGCM:"
+	"aRSA+kEDH+AESGCM:"
+	"aECDSA+kEECDH+AESCCM:"
+	"aRSA+kEECDH+AESCCM:"
+	"aRSA+kEDH+AESCCM:"
+	"@STRENGTH:"
+	"aECDSA+kEECDH+HIGH+SHA384:"
+	"aRSA+kEECDH+HIGH+SHA384:"
+	"aRSA+kEDH+HIGH+SHA384:"
+	"aECDSA+kEECDH+HIGH+SHA256:"
+	"aRSA+kEECDH+HIGH+SHA256:"
+	"aRSA+kEDH+HIGH+SHA256:"
+	"aECDSA+kEECDH+HIGH:"
+	"aRSA+kEECDH+HIGH:"
+	"aRSA+kEDH+HIGH:"
+	"HIGH:"
+	"!3DES:"
+	"!aNULL";
+
+#ifdef LRB_HAVE_TLS_SET_CURVES
+#  ifdef LRB_HAVE_TLS_ECDH_X25519
+static char rb_default_curves[] = "X25519:P-521:P-384:P-256";
+#  else
+static char rb_default_curves[] = "P-521:P-384:P-256";
+#  endif
+#endif
+
+#endif /* LRB_OPENSSL_H_INC */

libratbox/src/ratbox_lib.c

@@ -223,8 +223,6 @@ rb_lib_loop(long delay)
 
 	if(rb_io_supports_event())
 	{
-		if(delay == 0)
-			delay = -1;
 		while(1)
 			rb_select(-1);
 	}

modules/core/m_die.c

@@ -72,6 +72,5 @@ mo_die(struct Client *client_p __unused, struct Client *source_p, int parc, cons
 	}
 
 	ircd_shutdown(get_client_name(source_p, HIDE_IP));
-
-	return 0;
+	/* UNREACHABLE */
 }

modules/core/m_join.c

@@ -75,18 +75,12 @@ static void do_join_0(struct Client *client_p, struct Client *source_p);
 static int check_channel_name_loc(struct Client *source_p, const char *name);
 static void send_join_error(struct Client *source_p, int numeric, const char *name);
 
-static void set_final_mode(struct Mode *mode, struct Mode *oldmode);
+static char *set_final_mode(char *mbuf, char *parabuf, struct Mode *mode, struct Mode *oldmode);
 static void remove_our_modes(struct Channel *chptr, struct Client *source_p);
 
 static void remove_ban_list(struct Channel *chptr, struct Client *source_p,
 			    rb_dlink_list * list, char c, int mems);
 
-static char modebuf[MODEBUFLEN];
-static char parabuf[MODEBUFLEN];
-static const char *para[MAXMODEPARAMS];
-static char *mbuf;
-static int pargs;
-
 /* Check what we will forward to, without sending any notices to the user
  * -- jilles
  */
@@ -394,6 +388,8 @@ m_join(struct Client *client_p, struct Client *source_p, int parc, const char *p
 static int
 ms_join(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
 {
+	static char modebuf[MODEBUFLEN];
+	static char parabuf[MODEBUFLEN];
 	struct Channel *chptr;
 	static struct Mode mode;
 	time_t oldts;
@@ -419,7 +415,7 @@ ms_join(struct Client *client_p, struct Client *source_p, int parc, const char *
 	if(parv[2][0] == '&')
 		return 0;
 
-	mbuf = modebuf;
+	char *mbuf = modebuf;
 	mode.key[0] = mode.forward[0] = '\0';
 	mode.mode = mode.limit = mode.join_num = mode.join_time = 0;
 
@@ -465,7 +461,7 @@ ms_join(struct Client *client_p, struct Client *source_p, int parc, const char *
 	/* Lost the TS, other side wins, so remove modes on this side */
 	if(!keep_our_modes)
 	{
-		set_final_mode(&mode, &chptr->mode);
+		mbuf = set_final_mode(mbuf, parabuf, &mode, &chptr->mode);
 		chptr->mode = mode;
 		remove_our_modes(chptr, source_p);
 		RB_DLINK_FOREACH_SAFE(ptr, next_ptr, chptr->invites.head)
@@ -514,6 +510,8 @@ ms_join(struct Client *client_p, struct Client *source_p, int parc, const char *
 static int
 ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
 {
+	static char modebuf[MODEBUFLEN];
+	static char parabuf[MODEBUFLEN];
 	static char buf_uid[BUFSIZE];
 	static const char empty_modes[] = "0";
 	struct Channel *chptr;
@@ -537,6 +535,7 @@ ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char
 	int i, joinc = 0, timeslice = 0;
 	static char empty[] = "";
 	rb_dlink_node *ptr, *next_ptr;
+	const char *para[MAXMODEPARAMS];
 
 	if(parc < 5)
 		return 0;
@@ -549,7 +548,7 @@ ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char
 		return 0;
 
 	modebuf[0] = parabuf[0] = mode.key[0] = mode.forward[0] = '\0';
-	pargs = mode.mode = mode.limit = mode.join_num = mode.join_time = 0;
+	mode.mode = mode.limit = mode.join_num = mode.join_time = 0;
 
 	/* Hide connecting server on netburst -- jilles */
 	if (ConfigServerHide.flatten_links && !HasSentEob(source_p))
@@ -557,7 +556,7 @@ ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char
 	else
 		fakesource_p = source_p;
 
-	mbuf = modebuf;
+	char *mbuf = modebuf;
 	newts = atol(parv[1]);
 
 	s = parv[3];
@@ -721,7 +720,7 @@ ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char
 			chptr->join_count = chptr->join_delta = 0;
 	}
 
-	set_final_mode(&mode, oldmode);
+	mbuf = set_final_mode(mbuf, parabuf, &mode, oldmode);
 	chptr->mode = mode;
 
 	/* Lost the TS, other side wins, so remove modes on this side */
@@ -775,9 +774,10 @@ ms_sjoin(struct Client *client_p, struct Client *source_p, int parc, const char
 
 	mbuf = modebuf;
 	para[0] = para[1] = para[2] = para[3] = empty;
-	pargs = 0;
 	len_uid = 0;
 
+	int pargs = 0;
+
 	/* if theres a space, theres going to be more than one nick, change the
 	 * first space to \0, so s is just the first nick, and point p to the
 	 * second nick
@@ -1056,8 +1056,8 @@ send_join_error(struct Client *source_p, int numeric, const char *name)
 	}
 }
 
-static void
-set_final_mode(struct Mode *mode, struct Mode *oldmode)
+static char *
+set_final_mode(char *mbuf, char *parabuf, struct Mode *mode, struct Mode *oldmode)
 {
 	int dir = MODE_QUERY;
 	char *pbuf = parabuf;
@@ -1175,7 +1175,9 @@ set_final_mode(struct Mode *mode, struct Mode *oldmode)
 		len = rb_sprintf(pbuf, "%s ", mode->forward);
 		pbuf += len;
 	}
+
 	*mbuf = '\0';
+	return mbuf;
 }
 
 /*
@@ -1195,7 +1197,7 @@ remove_our_modes(struct Channel *chptr, struct Client *source_p)
 	int count = 0;
 	int i;
 
-	mbuf = lmodebuf;
+	char *mbuf = lmodebuf;
 	*mbuf++ = '-';
 
 	for(i = 0; i < MAXMODEPARAMS; i++)
@@ -1298,7 +1300,7 @@ remove_ban_list(struct Channel *chptr, struct Client *source_p,
 	pbuf = lparabuf;
 
 	cur_len = mlen = rb_sprintf(lmodebuf, ":%s MODE %s -", source_p->name, chptr->chname);
-	mbuf = lmodebuf + mlen;
+	char *mbuf = lmodebuf + mlen;
 
 	RB_DLINK_FOREACH_SAFE(ptr, next_ptr, list->head)
 	{

modules/core/m_mode.c

@@ -375,7 +375,10 @@ ms_bmask(struct Client *client_p, struct Client *source_p, int parc, const char
 		{
 			*forward++ = '\0';
 			if(*forward == '\0')
-				tlen--, forward = NULL;
+			{
+				tlen--;
+				forward = NULL;
+			}
 			else
 				possibly_remove_lower_forward(fakesource_p,
 						mems, chptr, banlist,

modules/core/m_nick.c

@@ -116,7 +116,7 @@ mr_nick(struct Client *client_p, struct Client *source_p, int parc, const char *
 	struct Client *target_p;
 	char nick[NICKLEN];
 
-	if (strlen(client_p->id) == 3)
+	if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
 	{
 		exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
 		return 0;

modules/core/m_server.c

@@ -77,6 +77,7 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 	int hop;
 	unsigned int required_mask;
 	const char *missing;
+	int ret;
 
 	name = parv[1];
 	hop = atoi(parv[2]);
@@ -112,8 +113,12 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 	/* Now we just have to call check_server and everything should be
 	 * check for us... -A1kmm. */
-	switch (check_server(name, client_p))
+	ret = check_server(name, client_p);
+	switch (ret)
 	{
+	case 0:
+		/* success */
+		break;
 	case -1:
 		if(ConfigFileEntry.warn_no_nline)
 		{
@@ -129,8 +134,6 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 		exit_client(client_p, client_p, client_p, "Invalid servername.");
 		return 0;
-		/* NOT REACHED */
-		break;
 
 	case -2:
 		sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL,
@@ -144,8 +147,6 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 		exit_client(client_p, client_p, client_p, "Invalid credentials.");
 		return 0;
-		/* NOT REACHED */
-		break;
 
 	case -3:
 		sendto_realops_snomask(SNO_GENERAL, L_ALL,
@@ -159,8 +160,6 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 		exit_client(client_p, client_p, client_p, "Invalid host.");
 		return 0;
-		/* NOT REACHED */
-		break;
 
 		/* servername is > HOSTLEN */
 	case -4:
@@ -172,8 +171,7 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 		exit_client(client_p, client_p, client_p, "Invalid servername.");
 		return 0;
-		/* NOT REACHED */
-		break;
+
 	case -5:
 		sendto_realops_snomask(SNO_GENERAL, L_ALL,
 		     "Connection from servername %s requires SSL/TLS but is plaintext",
@@ -183,6 +181,39 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 
 		exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext");
 		return 0;
+
+	case -6:
+		if (client_p->certfp)
+		{
+			sendto_realops_snomask(SNO_GENERAL, L_ALL,
+			     "Connection from servername %s has invalid certificate fingerprint %s",
+			     name, client_p->certfp);
+			ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
+			     client_p->certfp, log_client_name(client_p, SHOW_IP));
+			exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
+		}
+		else
+		{
+			sendto_realops_snomask(SNO_GENERAL, L_ALL,
+			    "Connection from servername %s failed certificate validation",
+			    name);
+			ilog(L_SERVER, "Access denied; certificate validation failed for certificate from %s",
+			    log_client_name(client_p, SHOW_IP));
+			exit_client(client_p, client_p, client_p, "Invalid certificate.");
+		}
+
+		return 0;
+
+	default:
+		sendto_realops_snomask(SNO_GENERAL, L_ALL,
+		     "Connection from servername %s rejected, unknown error %d",
+		     name, ret);
+		ilog(L_SERVER, "Access denied, unknown error %d for server %s%s", ret,
+		     EmptyString(client_p->name) ? name : "",
+		     log_client_name(client_p, SHOW_IP));
+
+		exit_client(client_p, client_p, client_p, "Unknown error.");
+		return 0;
 	}
 
 	/* require TS6 for direct links */
@@ -251,15 +282,15 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 		return 0;
 	}
 
-	if(has_id(client_p) && (target_p = find_id(client_p->id)) != NULL)
-	{
+	if (client_p->preClient && !EmptyString(client_p->preClient->id)) {
+		if ((target_p = find_id(client_p->preClient->id)) != NULL) {
 			sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL,
 					"Attempt to re-introduce SID %s from %s%s (already in use by %s)",
-				     client_p->id,
+					client_p->preClient->id,
 					EmptyString(client_p->name) ? name : "",
 					client_p->name, target_p->name);
 			ilog(L_SERVER, "Attempt to re-introduce SID %s from %s%s (already in use by %s)",
-				client_p->id,
+					client_p->preClient->id,
 					EmptyString(client_p->name) ? name : "",
 					log_client_name(client_p, SHOW_IP),
 					target_p->name);
@@ -267,6 +298,9 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 			sendto_one(client_p, "ERROR :SID already exists.");
 			exit_client(client_p, client_p, client_p, "SID Exists");
 			return 0;
+		} else {
+			rb_strlcpy(client_p->id, client_p->preClient->id, sizeof(client_p->id));
+		}
 	}
 
 	/*

modules/m_cap.c

@@ -180,8 +180,8 @@ clicap_find(const char *data, int *negate, int *finished)
 static void
 clicap_generate(struct Client *source_p, const char *subcmd, int flags, int clear)
 {
-	char buf[BUFSIZE];
-	char capbuf[BUFSIZE];
+	char buf[BUFSIZE] = { 0 };
+	char capbuf[BUFSIZE] = { 0 };
 	char *p;
 	int buflen = 0;
 	int curlen, mlen;
@@ -237,8 +237,10 @@ clicap_generate(struct Client *source_p, const char *subcmd, int flags, int clea
 				*p = '\0';
 
 			sendto_one(source_p, "%s * :%s", buf, capbuf);
+
 			p = capbuf;
 			buflen = mlen;
+			memset(capbuf, 0, sizeof(capbuf));
 		}
 
 		if(clear)

modules/m_connect.c

@@ -97,7 +97,7 @@ mo_connect(struct Client *client_p, struct Client *source_p, int parc, const cha
 		return 0;
 	}
 
-	if(ServerConfSSL(server_p) && (!ssl_ok || !get_ssld_count()))
+	if(ServerConfSSL(server_p) && (!ircd_ssl_ok || !get_ssld_count()))
 	{
 		sendto_one_notice(source_p,
 				  ":Connect: Server %s is set to use SSL/TLS but SSL/TLS is not configured.",
@@ -192,7 +192,7 @@ ms_connect(struct Client *client_p, struct Client *source_p, int parc, const cha
 		return 0;
 	}
 
-	if(ServerConfSSL(server_p) && (!ssl_ok || !get_ssld_count()))
+	if(ServerConfSSL(server_p) && (!ircd_ssl_ok || !get_ssld_count()))
 	{
 		sendto_one_notice(source_p,
 				  ":Connect: Server %s is set to use SSL/TLS but SSL/TLS is not configured.",

modules/m_info.c

@@ -398,6 +398,12 @@ static struct InfoStruct info_table[] = {
 		&ConfigFileEntry.pace_wait_simple,
 		"Minimum delay between less intensive commands"
 	},
+	{
+		"listfake_wait",
+		OUTPUT_DECIMAL,
+		&ConfigFileEntry.listfake_wait,
+		"Time until real list command can be used"
+	},
 	{
 		"ping_cookie",
 		OUTPUT_BOOLEAN,

modules/m_list.c

@@ -153,6 +153,32 @@ static int m_list(struct Client *client_p, struct Client *source_p, int parc, co
 			last_used = rb_current_time();
 	}
 
+	/* Disable LIST for a configured timespan after connect and send configured fake
+	 * channels instead.
+	 * Exempts: Opers, identifed users and users with spambot_exempt flag
+	 */
+	if (((source_p->localClient->firsttime + ConfigFileEntry.listfake_wait) > rb_current_time())
+			&& !IsOper(source_p) && !IsExemptSpambot(source_p) &&
+			!(source_p->user != NULL && !EmptyString(source_p->user->suser)))
+	{
+		struct fakechannel_entry *fakechannel;
+		struct DictionaryIter iter;
+
+		sendto_one(source_p, form_str(RPL_LISTSTART), me.name, source_p->name);
+
+		DICTIONARY_FOREACH(fakechannel, &iter, fakechannel_dict)
+		{
+			sendto_one(source_p, form_str(RPL_LIST), me.name, source_p->name,
+					 "",
+					 fakechannel->name,
+					 (rand() % fakechannel->users_max + fakechannel->users_min),
+					 fakechannel->topic);
+		}
+
+		sendto_one(source_p, form_str(RPL_LISTEND), me.name, source_p->name);
+		return 0;
+	}
+
 	return mo_list(client_p, source_p, parc, parv);
 }
 

modules/m_pass.c

@@ -82,7 +82,7 @@ mr_pass(struct Client *client_p, struct Client *source_p, int parc, const char *
 		client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN);
 
 	/* These are for servers only */
-	if(parc > 2 && client_p->user == NULL)
+	if(parc > 2 && client_p->user == NULL && client_p->preClient != NULL)
 	{
 		/*
 		 * It looks to me as if orabidoo wanted to have more
@@ -100,10 +100,10 @@ mr_pass(struct Client *client_p, struct Client *source_p, int parc, const char *
 			/* only mark as TS6 if the SID is valid.. */
 			if(IsDigit(parv[4][0]) && IsIdChar(parv[4][1]) &&
 			   IsIdChar(parv[4][2]) && parv[4][3] == '\0' &&
-			   EmptyString(client_p->id))
+			   EmptyString(client_p->preClient->id))
 			{
 				client_p->localClient->caps |= CAP_TS6;
-				strcpy(client_p->id, parv[4]);
+				rb_strlcpy(client_p->preClient->id, parv[4], sizeof(client_p->preClient->id));
 			}
 		}
 	}

modules/m_rehash.c

@@ -44,6 +44,7 @@
 #include "reject.h"
 #include "hash.h"
 #include "cache.h"
+#include "sslproc.h"
 
 static int mo_rehash(struct Client *, struct Client *, int, const char **);
 static int me_rehash(struct Client *, struct Client *, int, const char **);
@@ -85,6 +86,22 @@ rehash_dns(struct Client *source_p)
 	restart_resolver();
 }
 
+static void
+rehash_ssld(struct Client *source_p)
+{
+	if (!IsOperAdmin(source_p))
+	{
+		sendto_one(source_p, form_str(ERR_NOPRIVS),
+			   me.name, source_p->name, "admin");
+		return;
+	}
+
+	sendto_realops_snomask(SNO_GENERAL, L_ALL, "%s is restarting ssld",
+				get_oper_name(source_p));
+
+	restart_ssld();
+}
+
 static void
 rehash_motd(struct Client *source_p)
 {
@@ -278,6 +295,7 @@ static struct hash_commands rehash_commands[] =
 {
 	{"BANS",	rehash_bans_loc		},
 	{"DNS", 	rehash_dns		},
+	{"SSLD", 	rehash_ssld		},
 	{"MOTD", 	rehash_motd		},
 	{"OMOTD", 	rehash_omotd		},
 	{"TKLINES", 	rehash_tklines		},
@@ -336,6 +354,7 @@ do_rehash(struct Client *source_p, const char *type)
 		ilog(L_MAIN, "REHASH From %s[%s]", get_oper_name(source_p),
 		     source_p->sockhost);
 		rehash(0);
+		rehash_ulimit();
 		remote_rehash_oper_p = NULL;
 	}
 }
@@ -359,13 +378,25 @@ mo_rehash(struct Client *client_p, struct Client *source_p, int parc, const char
 	}
 
 	if (parc > 2)
-		type = parv[1], target_server = parv[2];
+	{
+		type = parv[1];
+		target_server = parv[2];
+	}
 	else if (parc > 1 && (strchr(parv[1], '.') || strchr(parv[1], '?') || strchr(parv[1], '*')))
-		type = NULL, target_server = parv[1];
+	{
+		type = NULL;
+		target_server = parv[1];
+	}
 	else if (parc > 1)
-		type = parv[1], target_server = NULL;
+	{
+		type = parv[1];
+		target_server = NULL;
+	}
 	else
-		type = NULL, target_server = NULL;
+	{
+		type = NULL;
+		target_server = NULL;
+	}
 
 	if (target_server != NULL)
 	{

modules/m_restart.c

@@ -95,6 +95,5 @@ mo_restart(struct Client *client_p, struct Client *source_p, int parc, const cha
 
 	rb_sprintf(buf, "Server RESTART by %s", get_client_name(source_p, HIDE_IP));
 	restart(buf);
-
-	return 0;
+	/* UNREACHABLE */
 }

modules/m_sasl.c

@@ -1,6 +1,7 @@
 /* modules/m_sasl.c
  *   Copyright (C) 2006 Michael Tharp <gxti@partiallystapled.com>
  *   Copyright (C) 2006 charybdis development team
+ *   Copyright (C) 2016 ChatLounge IRC Network Development Team
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -49,8 +50,12 @@ static int me_sasl(struct Client *, struct Client *, int, const char **);
 static void abort_sasl(struct Client *);
 static void abort_sasl_exit(hook_data_client_exit *);
 
-static void advertise_sasl(struct Client *);
-static void advertise_sasl_exit(hook_data_client_exit *);
+static void advertise_sasl_cap(int);
+static void advertise_sasl_new(struct Client *);
+static void advertise_sasl_exit(void *);
+static void advertise_sasl_config(void *);
+
+static int sasl_agent_present = 0;
 
 struct Message authenticate_msgtab = {
 	"AUTHENTICATE", 0, 0, 0, MFLG_SLOW,
@@ -67,12 +72,38 @@ mapi_clist_av1 sasl_clist[] = {
 mapi_hfn_list_av1 sasl_hfnlist[] = {
 	{ "new_local_user",	(hookfn) abort_sasl },
 	{ "client_exit",	(hookfn) abort_sasl_exit },
-	{ "new_remote_user",	(hookfn) advertise_sasl },
-	{ "client_exit",	(hookfn) advertise_sasl_exit },
+	{ "new_remote_user",	(hookfn) advertise_sasl_new },
+	{ "after_client_exit",	(hookfn) advertise_sasl_exit },
+	{ "conf_read_end",	(hookfn) advertise_sasl_config },
 	{ NULL, NULL }
 };
 
-DECLARE_MODULE_AV1(sasl, NULL, NULL, sasl_clist, NULL, sasl_hfnlist, "$Revision: 1409 $");
+static int
+sasl_visible(void)
+{
+        struct Client *agent_p = NULL;
+
+        if (ConfigFileEntry.sasl_service)
+                agent_p = find_named_client(ConfigFileEntry.sasl_service);
+
+        return agent_p != NULL && IsService(agent_p);
+}
+
+static int
+_modinit(void)
+{
+	sasl_agent_present = 0;
+	advertise_sasl_config(NULL);
+	return 0;
+}
+
+static void
+_moddeinit(void)
+{
+	advertise_sasl_cap(0);
+}
+
+DECLARE_MODULE_AV1(sasl, _modinit, _moddeinit, sasl_clist, NULL, sasl_hfnlist, "$Revision: 1409 $");
 
 static int
 m_authenticate(struct Client *client_p, struct Client *source_p,
@@ -85,12 +116,18 @@ m_authenticate(struct Client *client_p, struct Client *source_p,
 	if(!IsCapable(source_p, CLICAP_SASL))
 		return 0;
 
-	if (strlen(client_p->id) == 3)
+	if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
 	{
 		exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
 		return 0;
 	}
 
+	if (*parv[1] == ':' || strchr(parv[1], ' '))
+	{
+		exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
+		return 0;
+	}
+
 	saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
 	if (saslserv_p == NULL || !IsService(saslserv_p))
 	{
@@ -122,9 +159,17 @@ m_authenticate(struct Client *client_p, struct Client *source_p,
 
 	if(agent_p == NULL)
 	{
-		sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s",
+		if (!strcmp(parv[1], "*"))
+		{
+			sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+			source_p->localClient->sasl_out = 0;
+			return 0;
+		}
+
+		sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s H %s %s %c",
 					me.id, saslserv_p->servptr->name, source_p->id, saslserv_p->id,
-					source_p->host, source_p->sockhost);
+					source_p->host, source_p->sockhost,
+					IsSSL(source_p) ? 'S' : 'P');
 
 		if (!strcmp(parv[1], "EXTERNAL") && source_p->certfp != NULL)
 			sendto_one(saslserv_p, ":%s ENCAP %s SASL %s %s S %s %s",
@@ -138,9 +183,20 @@ m_authenticate(struct Client *client_p, struct Client *source_p,
 		rb_strlcpy(source_p->localClient->sasl_agent, saslserv_p->id, IDLEN);
 	}
 	else
+	{
+		if (!strcmp(parv[1], "*"))
+		{
+			sendto_one(source_p, form_str(ERR_SASLABORTED), me.name, EmptyString(source_p->name) ? "*" : source_p->name);
+			sendto_one(agent_p, ":%s ENCAP %s SASL %s %s D A", me.id, agent_p->servptr->name, source_p->id, agent_p->id);
+			source_p->localClient->sasl_out = 0;
+			return 0;
+		}
+
 		sendto_one(agent_p, ":%s ENCAP %s SASL %s %s C %s",
 				me.id, agent_p->servptr->name, source_p->id, agent_p->id,
 				parv[1]);
+	}
+
 	source_p->localClient->sasl_out++;
 
 	return 0;
@@ -173,6 +229,10 @@ me_sasl(struct Client *client_p, struct Client *source_p,
 	if(!IsService(agent_p))
 		return 0;
 
+	/* If SASL has been aborted, do nothing. */
+	if (target_p->localClient->sasl_out == 0)
+		return 0;
+
 	/* Reject if someone has already answered. */
 	if(*target_p->localClient->sasl_agent && strncmp(parv[1], target_p->localClient->sasl_agent, IDLEN))
 		return 0;
@@ -236,7 +296,20 @@ abort_sasl_exit(hook_data_client_exit *data)
 }
 
 static void
-advertise_sasl(struct Client *client_p)
+advertise_sasl_cap(int available)
+{
+	if (sasl_agent_present != available) {
+		if (available) {
+			sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+		} else {
+			sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+		}
+		sasl_agent_present = available;
+	}
+}
+
+static void
+advertise_sasl_new(struct Client *client_p)
 {
 	if (!ConfigFileEntry.sasl_service)
 		return;
@@ -244,17 +317,22 @@ advertise_sasl(struct Client *client_p)
 	if (irccmp(client_p->name, ConfigFileEntry.sasl_service))
 		return;
 
-	sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * NEW :sasl", me.name);
+	advertise_sasl_cap(IsService(client_p));
 }
 
 static void
-advertise_sasl_exit(hook_data_client_exit *data)
+advertise_sasl_exit(void *ignored)
 {
 	if (!ConfigFileEntry.sasl_service)
 		return;
 
-	if (irccmp(data->target->name, ConfigFileEntry.sasl_service))
-		return;
-
-	sendto_local_clients_with_capability(CLICAP_CAP_NOTIFY, ":%s CAP * DEL :sasl", me.name);
+	if (sasl_agent_present) {
+		advertise_sasl_cap(sasl_visible());
+	}
+}
+
+static void
+advertise_sasl_config(void *ignored)
+{
+	advertise_sasl_cap(sasl_visible());
 }

modules/m_starttls.c

@@ -46,7 +46,6 @@ DECLARE_MODULE_AV1(starttls, NULL, NULL, starttls_clist, NULL, NULL, "$Revision$
 static int
 mr_starttls(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
 {
-#ifdef HAVE_LIBCRYPTO
 	ssl_ctl_t *ctl;
 	rb_fde_t *F[2];
 
@@ -59,7 +58,7 @@ mr_starttls(struct Client *client_p, struct Client *source_p, int parc, const ch
 		return 1;
 	}
 
-	if (!ssl_ok || !get_ssld_count())
+	if (!ircd_ssl_ok || !get_ssld_count())
 	{
 		sendto_one_numeric(client_p, ERR_STARTTLS, form_str(ERR_STARTTLS), "TLS is not configured");
 		return 1;
@@ -80,7 +79,7 @@ mr_starttls(struct Client *client_p, struct Client *source_p, int parc, const ch
 	sendto_one_numeric(client_p, RPL_STARTTLS, form_str(RPL_STARTTLS));
 	send_queued(client_p);
 
-	ctl = start_ssld_accept(client_p->localClient->F, F[1], rb_get_fd(F[0]));
+	ctl = start_ssld_accept(client_p->localClient->F, F[1], client_p->localClient->connid);
 	if (ctl != NULL)
 	{
 		client_p->localClient->F = F[0];
@@ -90,8 +89,5 @@ mr_starttls(struct Client *client_p, struct Client *source_p, int parc, const ch
 	else
 		return 1;
 
-#else
-	sendto_one_numeric(client_p, ERR_STARTTLS, form_str(ERR_STARTTLS), "TLS is not configured");
-#endif
 	return 0;
 }

modules/m_stats.c

@@ -48,6 +48,10 @@
 #include "hash.h"
 #include "reject.h"
 #include "whowas.h"
+#include "sslproc.h"
+
+#define Lformat "%s %u %u %u %u %u :%ld %ld %s"
+#define Sformat ":%s %d %s %s %u %u %u %u %u :%ld %ld %s"
 
 static int m_stats (struct Client *, struct Client *, int, const char **);
 
@@ -68,8 +72,6 @@ mapi_hlist_av1 stats_hlist[] = {
 
 DECLARE_MODULE_AV1(stats, NULL, NULL, stats_clist, stats_hlist, NULL, "$Revision: 1608 $");
 
-const char *Lformat = "%s %u %u %u %u %u :%u %u %s";
-
 static void stats_l_list(struct Client *s, const char *, int, int, rb_dlink_list *, char,
 				int (*check_fn)(struct Client *target_p));
 static void stats_l_client(struct Client *source_p, struct Client *target_p,
@@ -108,6 +110,7 @@ static void stats_operedup(struct Client *);
 static void stats_ports(struct Client *);
 static void stats_tresv(struct Client *);
 static void stats_resv(struct Client *);
+static void stats_ssld(struct Client *);
 static void stats_usage(struct Client *);
 static void stats_tstats(struct Client *);
 static void stats_uptime(struct Client *);
@@ -161,6 +164,8 @@ static struct StatsStruct stats_cmd_table[] = {
 	{'Q', stats_resv,		1, 0, },
 	{'r', stats_usage,		1, 0, },
 	{'R', stats_usage,		1, 0, },
+	{'s', stats_ssld,		1, 1, },
+	{'S', stats_ssld,		1, 1, },
 	{'t', stats_tstats,		1, 0, },
 	{'T', stats_tstats,		1, 0, },
 	{'u', stats_uptime,		0, 0, },
@@ -174,7 +179,7 @@ static struct StatsStruct stats_cmd_table[] = {
 	{'z', stats_memory,		1, 0, },
 	{'Z', stats_ziplinks,		1, 0, },
 	{'?', stats_servlinks,		0, 0, },
-	{(char) 0, (void (*)()) 0, 	0, 0, }
+	{(char) 0, (void (*)(struct Client *)) 0, 0, 0, }
 };
 
 /*
@@ -869,6 +874,24 @@ stats_resv(struct Client *source_p)
 	HASH_WALK_END
 }
 
+static void
+stats_ssld_foreach(void *data, pid_t pid, int cli_count, enum ssld_status status)
+{
+	struct Client *source_p = data;
+
+	sendto_one_numeric(source_p, RPL_STATSDEBUG,
+			"S :%u %c %u",
+			pid,
+			status == SSLD_DEAD ? 'D' : (status == SSLD_SHUTDOWN ? 'S' : 'A'),
+			cli_count);
+}
+
+static void
+stats_ssld(struct Client *source_p)
+{
+	ssld_foreach_info(stats_ssld_foreach, source_p);
+}
+
 static void
 stats_usage (struct Client *source_p)
 {
@@ -1452,7 +1475,6 @@ stats_ziplinks (struct Client *source_p)
 static void
 stats_servlinks (struct Client *source_p)
 {
-	static char Sformat[] = ":%s %d %s %s %u %u %u %u %u :%u %u %s";
 	long uptime, sendK, receiveK;
 	struct Client *target_p;
 	rb_dlink_node *ptr;
@@ -1487,7 +1509,7 @@ stats_servlinks (struct Client *source_p)
 			(int) target_p->localClient->receiveK,
 			rb_current_time() - target_p->localClient->firsttime,
 			(rb_current_time() > target_p->localClient->lasttime) ?
-			 (rb_current_time() - target_p->localClient->lasttime) : 0,
+			 (rb_current_time() - target_p->localClient->lasttime) : (long) 0,
 			IsOper (source_p) ? show_capabilities (target_p) : "TS");
 	}
 
@@ -1650,7 +1672,7 @@ stats_l_client(struct Client *source_p, struct Client *target_p,
 				(int) target_p->localClient->receiveK,
 				rb_current_time() - target_p->localClient->firsttime,
 				(rb_current_time() > target_p->localClient->lasttime) ?
-				 (rb_current_time() - target_p->localClient->lasttime) : 0,
+				 (rb_current_time() - target_p->localClient->lasttime) : (long) 0,
 				IsOper(source_p) ? show_capabilities(target_p) : "-");
 	}
 
@@ -1669,7 +1691,7 @@ stats_l_client(struct Client *source_p, struct Client *target_p,
 				    (int) target_p->localClient->receiveK,
 				    rb_current_time() - target_p->localClient->firsttime,
 				    (rb_current_time() > target_p->localClient->lasttime) ?
-				     (rb_current_time() - target_p->localClient->lasttime) : 0,
+				     (rb_current_time() - target_p->localClient->lasttime) : (long) 0,
 				    "-");
 	}
 }

modules/m_user.c

@@ -63,7 +63,7 @@ mr_user(struct Client *client_p, struct Client *source_p, int parc, const char *
 	static char buf[BUFSIZE];
 	char *p;
 
-	if (strlen(client_p->id) == 3)
+	if (strlen(client_p->id) == 3 || (source_p->preClient && !EmptyString(source_p->preClient->id)))
 	{
 		exit_client(client_p, client_p, client_p, "Mixing client and server protocol");
 		return 0;