Merge insp20

10 files changed, 214 insertions, 19 deletions

diff --git a/src/modules/extra/m_sqlite3.cpp b/src/modules/extra/m_sqlite3.cpp
index f86e08fb3..e5c8f600a 100644
--- a/src/modules/extra/m_sqlite3.cpp
+++ b/src/modules/extra/m_sqlite3.cpp
@@ -98,8 +98,11 @@ class SQLConn : public SQLProvider
 
 	~SQLConn()
 	{
-		sqlite3_interrupt(conn);
-		sqlite3_close(conn);
+		if (conn)
+		{
+			sqlite3_interrupt(conn);
+			sqlite3_close(conn);
+		}
 	}
 
 	void Query(SQLQuery* query, const std::string& q)
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index e6efb9771..74b66d2de 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -159,6 +159,10 @@ namespace GnuTLS
 				hash = GNUTLS_DIG_MD5;
 			else if (hashname == "sha1")
 				hash = GNUTLS_DIG_SHA1;
+#ifdef INSPIRCD_GNUTLS_ENABLE_SHA256_FINGERPRINT
+			else if (hashname == "sha256")
+				hash = GNUTLS_DIG_SHA256;
+#endif
 			else
 				throw Exception("Unknown hash type " + hashname);
 #endif
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index b09539e50..3dd8a8544 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -53,6 +53,7 @@ char* get_error()
 }
 
 static int OnVerify(int preverify_ok, X509_STORE_CTX* ctx);
+static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc);
 
 namespace OpenSSL
 {
@@ -95,6 +96,7 @@ namespace OpenSSL
 	class Context
 	{
 		SSL_CTX* const ctx;
+		long ctx_options;
 
 	 public:
 		Context(SSL_CTX* context)
@@ -102,12 +104,20 @@ namespace OpenSSL
 		{
 			// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
 			// and when choosing a cipher, use the server's preferences instead of the client preferences.
-			SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
+			long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+			// Only turn options on if they exist
+#ifdef SSL_OP_SINGLE_ECDH_USE
+			opts |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+#ifdef SSL_OP_NO_TICKET
+			opts |= SSL_OP_NO_TICKET;
+#endif
+
+			ctx_options = SSL_CTX_set_options(ctx, opts);
 			SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
-
-			const unsigned char session_id[] = "inspircd";
-			SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
+			SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+			SSL_CTX_set_info_callback(ctx, StaticSSLInfoCallback);
 		}
 
 		~Context()
@@ -117,29 +127,68 @@ namespace OpenSSL
 
 		bool SetDH(DHParams& dh)
 		{
+			ERR_clear_error();
 			return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0);
 		}
 
+#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH
+		void SetECDH(const std::string& curvename)
+		{
+			int nid = OBJ_sn2nid(curvename.c_str());
+			if (nid == 0)
+				throw Exception("Unknown curve: " + curvename);
+
+			EC_KEY* eckey = EC_KEY_new_by_curve_name(nid);
+			if (!eckey)
+				throw Exception("Unable to create EC key object");
+
+			ERR_clear_error();
+			bool ret = (SSL_CTX_set_tmp_ecdh(ctx, eckey) >= 0);
+			EC_KEY_free(eckey);
+			if (!ret)
+				throw Exception("Couldn't set ECDH parameters");
+		}
+#endif
+
 		bool SetCiphers(const std::string& ciphers)
 		{
+			ERR_clear_error();
 			return SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
 		}
 
 		bool SetCerts(const std::string& filename)
 		{
+			ERR_clear_error();
 			return SSL_CTX_use_certificate_chain_file(ctx, filename.c_str());
 		}
 
 		bool SetPrivateKey(const std::string& filename)
 		{
+			ERR_clear_error();
 			return SSL_CTX_use_PrivateKey_file(ctx, filename.c_str(), SSL_FILETYPE_PEM);
 		}
 
 		bool SetCA(const std::string& filename)
 		{
+			ERR_clear_error();
 			return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0);
 		}
 
+		long GetDefaultContextOptions() const
+		{
+			return ctx_options;
+		}
+
+		long SetRawContextOptions(long setoptions, long clearoptions)
+		{
+			// Clear everything
+			SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
+
+			// Set the default options and what is in the conf
+			SSL_CTX_set_options(ctx, ctx_options | setoptions);
+			return SSL_CTX_clear_options(ctx, clearoptions);
+		}
+
 		SSL* CreateSession()
 		{
 			return SSL_new(ctx);
@@ -169,6 +218,10 @@ namespace OpenSSL
 		 */
 		std::string lasterr;
 
+		/** True if renegotiations are allowed, false if not
+		 */
+		const bool allowrenego;
+
 		static int error_callback(const char* str, size_t len, void* u)
 		{
 			Profile* profile = reinterpret_cast<Profile*>(u);
@@ -176,12 +229,39 @@ namespace OpenSSL
 			return 0;
 		}
 
+		/** Set raw OpenSSL context (SSL_CTX) options from a config tag
+		 * @param ctxname Name of the context, client or server
+		 * @param tag Config tag defining this profile
+		 * @param context Context object to manipulate
+		 */
+		void SetContextOptions(const std::string& ctxname, ConfigTag* tag, Context& context)
+		{
+			long setoptions = tag->getInt(ctxname + "setoptions");
+			long clearoptions = tag->getInt(ctxname + "clearoptions");
+#ifdef SSL_OP_NO_COMPRESSION
+			if (!tag->getBool("compression", true))
+				setoptions |= SSL_OP_NO_COMPRESSION;
+#endif
+			if (!tag->getBool("sslv3", true))
+				setoptions |= SSL_OP_NO_SSLv3;
+			if (!tag->getBool("tlsv1", true))
+				setoptions |= SSL_OP_NO_TLSv1;
+
+			if (!setoptions && !clearoptions)
+				return; // Nothing to do
+
+			ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Setting %s %s context options, default: %ld set: %ld clear: %ld", name.c_str(), ctxname.c_str(), ctx.GetDefaultContextOptions(), setoptions, clearoptions);
+			long final = context.SetRawContextOptions(setoptions, clearoptions);
+			ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "%s %s context options: %ld", name.c_str(), ctxname.c_str(), final);
+		}
+
 	 public:
 		Profile(const std::string& profilename, ConfigTag* tag)
 			: name(profilename)
 			, dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem")))
 			, ctx(SSL_CTX_new(SSLv23_server_method()))
 			, clictx(SSL_CTX_new(SSLv23_client_method()))
+			, allowrenego(tag->getBool("renegotiation", true))
 		{
 			if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh)))
 				throw Exception("Couldn't set DH parameters");
@@ -201,6 +281,15 @@ namespace OpenSSL
 				}
 			}
 
+#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH
+			std::string curvename = tag->getString("ecdhcurve", "prime256v1");
+			if (!curvename.empty())
+				ctx.SetECDH(curvename);
+#endif
+
+			SetContextOptions("server", tag, ctx);
+			SetContextOptions("client", tag, clictx);
+
 			/* Load our keys and certificates
 			 * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
 			 */
@@ -231,6 +320,7 @@ namespace OpenSSL
 		SSL* CreateServerSession() { return ctx.CreateSession(); }
 		SSL* CreateClientSession() { return clictx.CreateSession(); }
 		const EVP_MD* GetDigest() { return digest; }
+		bool AllowRenegotiation() const { return allowrenego; }
 	};
 }
 
@@ -261,6 +351,7 @@ class OpenSSLIOHook : public SSLIOHook
 	{
 		int ret;
 
+		ERR_clear_error();
 		if (outbound)
 			ret = SSL_connect(sess);
 		else
@@ -303,10 +394,8 @@ class OpenSSLIOHook : public SSLIOHook
 		else if (ret == 0)
 		{
 			CloseSession();
-			return true;
 		}
-
-		return true;
+		return false;
 	}
 
 	void CloseSession()
@@ -319,7 +408,6 @@ class OpenSSLIOHook : public SSLIOHook
 		sess = NULL;
 		certificate = NULL;
 		status = ISSL_NONE;
-		errno = EIO;
 	}
 
 	void VerifyCertificate()
@@ -380,6 +468,36 @@ class OpenSSLIOHook : public SSLIOHook
 		X509_free(cert);
 	}
 
+#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
+	void SSLInfoCallback(int where, int rc)
+	{
+		if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN))
+		{
+			if (profile->AllowRenegotiation())
+				return;
+
+			// The other side is trying to renegotiate, kill the connection and change status
+			// to ISSL_NONE so CheckRenego() closes the session
+			status = ISSL_NONE;
+			SocketEngine::Shutdown(SSL_get_fd(sess), 2);
+		}
+	}
+
+	bool CheckRenego(StreamSocket* sock)
+	{
+		if (status != ISSL_NONE)
+			return true;
+
+		ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Session %p killed, attempted to renegotiate", (void*)sess);
+		CloseSession();
+		sock->SetError("Renegotiation is not allowed");
+		return false;
+	}
+#endif
+
+	// Calls our private SSLInfoCallback()
+	friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc);
+
  public:
 	OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, bool is_outbound, SSL* session, const reference<OpenSSL::Profile>& sslprofile)
 		: SSLIOHook(hookprov)
@@ -428,10 +546,16 @@ class OpenSSLIOHook : public SSLIOHook
 
 		if (status == ISSL_OPEN)
 		{
+			ERR_clear_error();
 			char* buffer = ServerInstance->GetReadBuffer();
 			size_t bufsiz = ServerInstance->Config->NetBufferSize;
 			int ret = SSL_read(sess, buffer, bufsiz);
 
+#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
+			if (!CheckRenego(user))
+				return -1;
+#endif
+
 			if (ret > 0)
 			{
 				recvq.append(buffer, ret);
@@ -494,7 +618,14 @@ class OpenSSLIOHook : public SSLIOHook
 
 		if (status == ISSL_OPEN)
 		{
+			ERR_clear_error();
 			int ret = SSL_write(sess, buffer.data(), buffer.size());
+
+#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
+			if (!CheckRenego(user))
+				return -1;
+#endif
+
 			if (ret == (int)buffer.length())
 			{
 				data_to_write = false;
@@ -550,6 +681,14 @@ class OpenSSLIOHook : public SSLIOHook
 	}
 };
 
+static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc)
+{
+#ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
+	OpenSSLIOHook* hook = static_cast<OpenSSLIOHook*>(SSL_get_ex_data(ssl, exdataindex));
+	hook->SSLInfoCallback(where, rc);
+#endif
+}
+
 class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider
 {
 	reference<OpenSSL::Profile> profile;
diff --git a/src/modules/m_banredirect.cpp b/src/modules/m_banredirect.cpp
index d82b8473c..9833c720d 100644
--- a/src/modules/m_banredirect.cpp
+++ b/src/modules/m_banredirect.cpp
@@ -74,6 +74,9 @@ class BanRedirect : public ModeWatcher
 			if (param.length() >= 2 && param[1] == ':')
 				return true;
 
+			if (param.find('#') == std::string::npos)
+				return true;
+
 			ListModeBase* banlm = static_cast<ListModeBase*>(*ban);
 			unsigned int maxbans = banlm->GetLimit(channel);
 			ListModeBase::ModeList* list = banlm->GetList(channel);
@@ -123,6 +126,14 @@ class BanRedirect : public ModeWatcher
 				mask[NICK].swap(mask[IDENT]);
 			}
 
+			if (!mask[NICK].empty() && mask[IDENT].empty() && mask[HOST].empty())
+			{
+				if (mask[NICK].find('.') != std::string::npos || mask[NICK].find(':') != std::string::npos)
+				{
+					mask[NICK].swap(mask[HOST]);
+				}
+			}
+
 			for(int i = 0; i < 3; i++)
 			{
 				if(mask[i].empty())
diff --git a/src/modules/m_delayjoin.cpp b/src/modules/m_delayjoin.cpp
index 55ffd08d7..2474cd6ad 100644
--- a/src/modules/m_delayjoin.cpp
+++ b/src/modules/m_delayjoin.cpp
@@ -168,6 +168,10 @@ ModResult ModuleDelayJoin::OnRawMode(User* user, Channel* channel, ModeHandler*
 	if (!user || !channel || param.empty())
 		return MOD_RES_PASSTHRU;
 
+	// If not a prefix mode then we got nothing to do here
+	if (!mh->IsPrefixMode())
+		return MOD_RES_PASSTHRU;
+
 	User* dest;
 	if (IS_LOCAL(user))
 		dest = ServerInstance->FindNickOnly(param);
diff --git a/src/modules/m_delaymsg.cpp b/src/modules/m_delaymsg.cpp
index 06a05db02..c906e2c30 100644
--- a/src/modules/m_delaymsg.cpp
+++ b/src/modules/m_delaymsg.cpp
@@ -47,6 +47,7 @@ class DelayMsgMode : public ParamMode<DelayMsgMode, LocalIntExt>
 class ModuleDelayMsg : public Module
 {
 	DelayMsgMode djm;
+	bool allownotice;
  public:
 	ModuleDelayMsg() : djm(this)
 	{
@@ -55,6 +56,7 @@ class ModuleDelayMsg : public Module
 	Version GetVersion() CXX11_OVERRIDE;
 	void OnUserJoin(Membership* memb, bool sync, bool created, CUList&) CXX11_OVERRIDE;
 	ModResult OnUserPreMessage(User* user, void* dest, int target_type, std::string& text, char status, CUList& exempt_list, MessageType msgtype) CXX11_OVERRIDE;
+	void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE;
 };
 
 ModeAction DelayMsgMode::OnSet(User* source, Channel* chan, std::string& parameter)
@@ -97,7 +99,7 @@ ModResult ModuleDelayMsg::OnUserPreMessage(User* user, void* dest, int target_ty
 	if ((!user) || (!IS_LOCAL(user)))
 		return MOD_RES_PASSTHRU;
 
-	if ((target_type != TYPE_CHANNEL) || (msgtype != MSG_PRIVMSG))
+	if ((target_type != TYPE_CHANNEL) || ((!allownotice) && (msgtype == MSG_NOTICE)))
 		return MOD_RES_PASSTHRU;
 
 	Channel* channel = (Channel*) dest;
@@ -130,4 +132,10 @@ ModResult ModuleDelayMsg::OnUserPreMessage(User* user, void* dest, int target_ty
 	return MOD_RES_PASSTHRU;
 }
 
+void ModuleDelayMsg::ReadConfig(ConfigStatus& status)
+{
+	ConfigTag* tag = ServerInstance->Config->ConfValue("delaymsg");
+	allownotice = tag->getBool("allownotice", true);
+}
+
 MODULE_INIT(ModuleDelayMsg)
diff --git a/src/modules/m_nationalchars.cpp b/src/modules/m_nationalchars.cpp
index 0650cb3d0..f77899ad4 100644
--- a/src/modules/m_nationalchars.cpp
+++ b/src/modules/m_nationalchars.cpp
@@ -223,11 +223,40 @@ class ModuleNationalChars : public Module
 	caller1<bool, const std::string&> rememberer;
 	bool forcequit;
 	const unsigned char * lowermap_rememberer;
+	unsigned char prev_map[256];
+
+	template <typename T>
+	void RehashHashmap(T& hashmap)
+	{
+		T newhash(hashmap.bucket_count());
+		for (typename T::const_iterator i = hashmap.begin(); i != hashmap.end(); ++i)
+			newhash.insert(std::make_pair(i->first, i->second));
+		hashmap.swap(newhash);
+	}
+
+	void CheckRehash()
+	{
+		// See if anything changed
+		if (!memcmp(prev_map, national_case_insensitive_map, sizeof(prev_map)))
+			return;
+
+		memcpy(prev_map, national_case_insensitive_map, sizeof(prev_map));
+
+		RehashHashmap(ServerInstance->Users.clientlist);
+		RehashHashmap(ServerInstance->Users.uuidlist);
+		RehashHashmap(ServerInstance->chanlist);
+
+		// The OnGarbageCollect() method in m_watch rebuilds the hashmap used by it
+		Module* mod = ServerInstance->Modules->Find("m_watch.so");
+		if (mod)
+			mod->OnGarbageCollect();
+	}
 
  public:
 	ModuleNationalChars()
 		: rememberer(ServerInstance->IsNick), lowermap_rememberer(national_case_insensitive_map)
 	{
+		memcpy(prev_map, national_case_insensitive_map, sizeof(prev_map));
 	}
 
 	void init() CXX11_OVERRIDE
@@ -254,6 +283,7 @@ class ModuleNationalChars : public Module
 		loadtables(charset, tables, 8, 5);
 		forcequit = tag->getBool("forcequit");
 		CheckForceQuit("National character set changed");
+		CheckRehash();
 	}
 
 	void CheckForceQuit(const char * message)
@@ -276,6 +306,7 @@ class ModuleNationalChars : public Module
 		ServerInstance->IsNick = rememberer;
 		national_case_insensitive_map = lowermap_rememberer;
 		CheckForceQuit("National characters module unloaded");
+		CheckRehash();
 	}
 
 	Version GetVersion() CXX11_OVERRIDE
diff --git a/src/modules/m_spanningtree/treesocket.h b/src/modules/m_spanningtree/treesocket.h
index a775d7c24..6dc584537 100644
--- a/src/modules/m_spanningtree/treesocket.h
+++ b/src/modules/m_spanningtree/treesocket.h
@@ -95,8 +95,6 @@ class TreeSocket : public BufferedSocket
 	ServerState LinkState;			/* Link state */
 	CapabData* capab;			/* Link setup data (held until burst is sent) */
 	TreeServer* MyRoot;			/* The server we are talking to */
-	time_t NextPing;			/* Time when we are due to ping this server */
-	bool LastPingWasGood;			/* Responded to last ping we sent? */
 	int proto_version;			/* Remote protocol version */
 
 	/** True if we've sent our burst.
diff --git a/src/modules/m_spanningtree/treesocket2.cpp b/src/modules/m_spanningtree/treesocket2.cpp
index 7574be90a..25b8e3b71 100644
--- a/src/modules/m_spanningtree/treesocket2.cpp
+++ b/src/modules/m_spanningtree/treesocket2.cpp
@@ -152,13 +152,13 @@ void TreeSocket::ProcessLine(std::string &line)
 					time_t delta = them - ServerInstance->Time();
 					if ((delta < -600) || (delta > 600))
 					{
-						ServerInstance->SNO->WriteGlobalSno('l',"\2ERROR\2: Your clocks are out by %d seconds (this is more than five minutes). Link aborted, \2PLEASE SYNC YOUR CLOCKS!\2",abs((long)delta));
-						SendError("Your clocks are out by "+ConvToStr(abs((long)delta))+" seconds (this is more than five minutes). Link aborted, PLEASE SYNC YOUR CLOCKS!");
+						ServerInstance->SNO->WriteGlobalSno('l',"\2ERROR\2: Your clocks are out by %ld seconds (this is more than five minutes). Link aborted, \2PLEASE SYNC YOUR CLOCKS!\2",labs((long)delta));
+						SendError("Your clocks are out by "+ConvToStr(labs((long)delta))+" seconds (this is more than five minutes). Link aborted, PLEASE SYNC YOUR CLOCKS!");
 						return;
 					}
 					else if ((delta < -30) || (delta > 30))
 					{
-						ServerInstance->SNO->WriteGlobalSno('l',"\2WARNING\2: Your clocks are out by %d seconds. Please consider synching your clocks.", abs((long)delta));
+						ServerInstance->SNO->WriteGlobalSno('l',"\2WARNING\2: Your clocks are out by %ld seconds. Please consider synching your clocks.", labs((long)delta));
 					}
 				}
 
diff --git a/src/modules/m_watch.cpp b/src/modules/m_watch.cpp
index 68fe09d64..9cb31a6d8 100644
--- a/src/modules/m_watch.cpp
+++ b/src/modules/m_watch.cpp
@@ -156,9 +156,6 @@ class CommandWatch : public Command
 			/* Yup, is on my list */
 			watchlist::iterator n = wl->find(nick);
 
-			if (!wl)
-				return CMD_FAILURE;
-
 			if (n != wl->end())
 			{
 				if (!n->second.empty())