MODE: Reply with ERR_NOSUCHCHANNEL when the target is a channel (#319 )

While it is common for IRC servers to use ERR_NOSUCHNICK instead of ERR_NOSUCHCHANNEL when a target can be either a channel or a nick, it seems every other IRCd but UnrealIRCd uses ERR_NOSUCHCHANNEL in this particular case.
Github CI: Build on a matrix of (ubuntu,macos)x(gcc,clang)
2025-04-05 07:17:13 +00:00 · 2024-07-27 16:37:16 +02:00 · 2024-05-22 21:28:48 +02:00 · 2024-04-26 16:53:00 +02:00 · 2024-04-26 14:29:28 +02:00 · 2024-04-26 14:18:36 +02:00
175 changed files with 7959 additions and 6176 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
+.gitignore
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,81 @@
+name: ngIRCd CI
+
+on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - 'COPYING'
+      - 'ChangeLog'
+      - 'NEWS'
+      - 'contrib/**'
+      - 'doc/**'
+      - 'man/**'
+      - '**.md'
+      - '**.txt'
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - 'COPYING'
+      - 'ChangeLog'
+      - 'NEWS'
+      - 'contrib/**'
+      - 'doc/**'
+      - 'man/**'
+      - '**.md'
+      - '**.txt'
+
+jobs:
+  build_and_distcheck:
+    name: build+test
+    strategy:
+      matrix:
+        os:
+          - ubuntu
+          - macos
+        toolchain:
+          - gcc
+          - llvm
+        include:
+          - os: ubuntu
+            toolchain: gcc
+            install_cmd: |
+              sudo apt update
+              sudo apt install build-essential expect libident-dev libpam0g-dev libssl-dev libwrap0-dev pkg-config telnet zlib1g-dev gcc
+            configure_cmd: |
+              ./configure CC=gcc --enable-ipv6 --with-iconv --with-ident --with-openssl --with-pam --with-tcp-wrappers --with-zlib
+          - os: ubuntu
+            toolchain: llvm
+            install_cmd: |
+              sudo apt update
+              sudo apt install build-essential expect libident-dev libpam0g-dev libssl-dev libwrap0-dev pkg-config telnet zlib1g-dev clang
+            configure_cmd: |
+              ./configure CC=clang --enable-ipv6 --with-iconv --with-ident --with-openssl --with-pam --with-tcp-wrappers --with-zlib  
+          - os: macos
+            toolchain: gcc
+            install_cmd: |
+              brew update
+              brew install autoconf automake expect openssl@3 pkg-config telnet zlib gcc
+            configure_cmd: |
+              ./configure CC=gcc --enable-ipv6 --with-iconv --with-openssl --with-zlib
+          - os: macos
+            toolchain: llvm
+            install_cmd: |
+              brew update
+              brew install autoconf automake expect openssl@3 pkg-config telnet zlib llvm
+            configure_cmd: |
+              ./configure CC=clang --enable-ipv6 --with-iconv --with-openssl --with-zlib
+    runs-on: ${{ matrix.os }}-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install dependencies
+      run: ${{ matrix.install_cmd }}
+    - name: Generate build system files
+      run: ./autogen.sh
+    - name: Configure the build system
+      run: ${{ matrix.configure_cmd }}
+    - name: Build everything
+      run: make all
+    - name: Create distribution archive and run tests
+      run: make distcheck
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,14 @@
+.*.swp
+.deps
+.trunk
+.vscode
+*.a
+*.e_
+*.exe
+*.log
+*.o
+*~
 Makefile
-Makefile.am
 Makefile.in
 aclocal.m4
 ansi2knr.1
@ -11,7 +20,6 @@ build-stamp-ngircd*
 build+*
 compile
 config.cache
-config.log
 config.status
 configure
 configure.ac
@ -23,45 +31,24 @@ depcomp
 install-sh
 missing
 ngircd.dest
-.deps
-*.a
-*.o
 doc/sample-ngircd.conf
 doc/src/html
 man/ngircd.8
 man/ngircd.conf.5
+src/*/Makefile.am
 src/config.h
 src/config.h.in
-src/config.h.in~
 src/stamp-h1
 src/ngircd/check-help
 src/ngircd/check-version
 src/ngircd/ngircd
-src/ngircd/ngircd.exe
 src/portab/portabtest
-src/portab/portabtest.exe
-src/testsuite/*.e_
-src/testsuite/channel-test
-src/testsuite/connect-test
-src/testsuite/invite-test
-src/testsuite/join-test
-src/testsuite/kick-test
+src/testsuite/*-test
 src/testsuite/logs
-src/testsuite/message-test
-src/testsuite/misc-test
-src/testsuite/mode-test
-src/testsuite/ngircd-test1.log
-src/testsuite/ngircd-test1.motd
-src/testsuite/ngircd-test2.log
-src/testsuite/ngircd-test2.motd
-src/testsuite/opless-channel-test
-src/testsuite/server-link-test
-src/testsuite/server-login-test
-src/testsuite/T-ngircd1
-src/testsuite/T-ngircd1.exe
-src/testsuite/T-ngircd2
-src/testsuite/T-ngircd2.exe
+src/testsuite/ngircd-*.motd
+src/testsuite/ssl/cert.pem
+src/testsuite/ssl/dhparams.pem
+src/testsuite/ssl/key.pem
+src/testsuite/T-ngircd?
 src/testsuite/tests
 src/testsuite/tests-skipped.lst
-src/testsuite/who-test
-src/testsuite/whois-test
--- a/.mailmap
+++ b/.mailmap
@ -6,9 +6,17 @@ Alexander Barton <alex@barton.de> <alex@kfreebsd.barton.de>

 Ali Shemiran <ashemira@ucsd.edu>

+Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de> <debian.axhn@manchmal.in-ulm.de>
+
 Dana Dahlstrom <dana+ngIRCd@cs.ucsd.edu> <dana@cs.ucsd.edu>
 Dana Dahlstrom <dana+ngIRCd@cs.ucsd.edu> <dana+70@cs.ucsd.edu>

 DNS <dns@rbose.org>

+Götz Hoffart <goetz@hoffart.de>
+
 LucentW <lucent@zebes.info> <LucentW@users.noreply.github.com>
+
+Michi <michi+ngircd@dataswamp.org>
+
+Sam James <sam@cmpct.info> <11667869+thesamesam@users.noreply.github.com>
--- a/.travis.yml
+++ b/.travis.yml
@ -1,16 +0,0 @@
-language: c
-sudo: false
-addons:
-  apt:
-    packages:
-    - libident-dev
-    - libpam0g-dev
-    - libssl-dev
-    - libwrap0-dev
-    - zlib1g-dev
-    - expect
-    - telnet
-compiler:
-  - gcc
-  - clang
-script: ./autogen.sh && ./configure --enable-ipv6 --with-iconv --with-ident --with-openssl --with-pam --with-tcp-wrappers --with-zlib && make check
--- a/69
+++ b/69
@ -1,69 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-                           http://ngircd.barton.de/
-
-               (c)2001-2017 Alexander Barton and Contributors.
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                       -- AUTHORS and CONTRIBUTORS --
-
-
-Note:
-If you have comments, patches or something else, please feel free to post
-a mail to the ngIRCd mailing list: <ngircd-ml@ngircd.barton.de> (please see
-<http://ngircd.barton.de/support.php> for details) or join the ngIRCd IRC
-channel: <irc://irc.barton.de/ngircd>.
-
-Don't mail the people listed here directly, if possible!
-
-
-Main Authors
-~~~~~~~~~~~~
-Alexander Barton <alex@barton.de>
-Florian Westphal <fw@strlen.de>
-
-
-Contributors
-~~~~~~~~~~~~
-Ali Shemiran <ashemira@ucsd.edu>
-Ask Bjørn Hansen <ask@develooper.com>
-Benjamin Pineau <ben@zouh.org>
-Brandon Beresini <beresini@google.com>
-Brett Smith <brett@w3.org>
-Brian Collins <bricollins@gmail.com>
-Bryan Caldwell <bcaldwel@ucsd.edu>
-Christian Aistleitner <christian@quelltextlich.at>
-Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de>
-Dana Dahlstrom <dana+ngIRCd@cs.ucsd.edu>
-David Kingston <deathking1337@aim.com>
-DNS <dns@rbose.org>
-Eric Grunow <egrunow@ucsd.edu>
-Federico G. Schwindt <fgsch@lodoss.net>
-Gabor Adam Toth <tg@tgbit.net>
-Goetz Hoffart <goetz@hoffart.de>
-Ian Chard <ian@chard.org>
-Ilja Osthoff <i.osthoff@gmx.net>
-Jari Aalto <jari.aalto@cante.net>
-LucentW <lucent@zebes.info>
-Mantas Mikulėnas <grawity@gmail.com>
-Neale Pickett <neale@woozle.org>
-Peter Powell <petpow@saberuk.com>
-Rolf Eike Beer <eike@sf-mail.de>
-Roy Sindre Norangshol <roy.sindre@norangshol.no>
-Scott Perry <scperry@ucsd.edu>
-Sean Reifschneider <jafo-rpms@tummy.com>
-Sebastian Köhler <sebkoehler@whoami.org.uk>
-Tassilo Schweyer <dev@welterde.de>
-Tom Ryder <tom@sanctum.geek.nz>
-Unit 193 <unit193@ubuntu.com>
-William Pitcock <nenolod@dereferenced.org>
-Yecheng Fu <cofyc.jackson@gmail.com>
-xor <xorboy@gmail.com>
-
-
-Code snippets
-~~~~~~~~~~~~~
-Andrew Tridgell & Martin Pool: strl{cpy|cat}()-functions
-John Kercheval: pattern matching functions
-Patrick Powell <papowell@astart.com>: snprintf()-function
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -0,0 +1,82 @@
+# [ngIRCd](https://ngircd.barton.de) - Authors & Contributors
+
+Please feel free to post an email to the ngIRCd users mailing list
+<ngircd@lists.barton.de> (see <https://ngircd.barton.de/support> for details)
+if you have comments, patches, suggestions or questions.
+
+Or join the "#ngircd" channel in IRC on irc.barton.de:
+<irc://irc.barton.de/ngircd>.
+
+*Please do not email the people listed here directly, if possible!*
+
+## Main Authors
+
+- Alexander Barton <alex@barton.de>
+- Florian Westphal <fw@strlen.de>
+
+## Contributors
+
+- 9pfs <hellosmile6@tilde.pink>
+- Ali Shemiran <ashemira@ucsd.edu>
+- Ask Bjørn Hansen <ask@develooper.com>
+- Benjamin Pineau <ben@zouh.org>
+- Bernd Kuhls <bernd.kuhls@t-online.de>
+- Brandon Beresini <beresini@google.com>
+- Brett Smith <brett@w3.org>
+- Brian Collins <bricollins@gmail.com>
+- Bryan Caldwell <bcaldwel@ucsd.edu>
+- Christian Aistleitner <christian@quelltextlich.at>
+- Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de>
+- Dana Dahlstrom <dana+ngIRCd@cs.ucsd.edu>
+- David Kingston <deathking1337@aim.com>
+- DNS <dns@rbose.org>
+- Eric Grunow <egrunow@ucsd.edu>
+- ewired <37567272+ewired@users.noreply.github.com>
+- Fabrice Fontaine <fontaine.fabrice@gmail.com>
+- Federico G. Schwindt <fgsch@lodoss.net>
+- Florian Weimer <fweimer@redhat.com>
+- Gabor Adam Toth <tg@tgbit.net>
+- Götz Hoffart <goetz@hoffart.de>
+- hello-smile6 <73048226+hello-smile6@users.noreply.github.com>
+- Hilko Bengen <bengen@hilluzination.de>
+- Ian Chard <ian@chard.org>
+- Ilja Osthoff <i.osthoff@gmx.net>
+- ItsOnlyBinary <ItsOnlyBinary@users.noreply.github.com>
+- Ivan Agarkov <i_agarkov@wargaming.net>
+- James Lu <james@overdrivenetworks.com>
+- Jari Aalto <jari.aalto@cante.net>
+- Johann Hartwig Hauschild <git@hauschild.it>
+- JRMU <jrmu@lecturify.com>
+- Jules Maselbas <jmaselbas@zdiv.net>
+- Katherine Peeters <katherine.peeters@leagueh.xyz>
+- LucentW <lucent@zebes.info>
+- Mantas Mikulėnas <grawity@gmail.com>
+- Michi <michi+ngircd@dataswamp.org>
+- Neale Pickett <neale@woozle.org>
+- Peter Powell <petpow@saberuk.com>
+- Rolf Eike Beer <eike@sf-mail.de>
+- Rosen Penev <rosenp@gmail.com>
+- Roy Sindre Norangshol <roy.sindre@norangshol.no>
+- salaaad2 <47527723+salaaad2@users.noreply.github.com>
+- Sam James <sam@cmpct.info>
+- Scott Perry <scperry@ucsd.edu>
+- Sean Reifschneider <jafo-rpms@tummy.com>
+- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+- Sebastian Köhler <sebkoehler@whoami.org.uk>
+- shankari <shankari@eecs.berkeley.edu>
+- Tassilo Schweyer <dev@welterde.de>
+- Tom Ryder <tom@sanctum.geek.nz>
+- Unit 193 <unit193@ubuntu.com>
+- Valentin Lorentz <progval+git@progval.net>
+- Val Lorentz <progval+git@progval.net>
+- William Pitcock <nenolod@dereferenced.org>
+- Windree <57554809+Windree@users.noreply.github.com>
+- xnaas <8271327+xnaas@users.noreply.github.com>
+- xor <xorboy@gmail.com>
+- Yecheng Fu <cofyc.jackson@gmail.com>
+
+## Code snippets
+
+- Andrew Tridgell & Martin Pool: strl{cpy|cat}()-functions
+- John Kercheval: pattern matching functions
+- Patrick Powell <papowell@astart.com>: snprintf()-function
--- a/417
+++ b/417
@ -2,12 +2,421 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2017 Alexander Barton and Contributors.
+               (c)2001-2024 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

                               -- ChangeLog --

+ngIRCd 27 (2024-04-26)
+
+  - Update ChangeLog, NEWS, AUTHORS.md & doc/Platforms.txt for ngIRCd 27.
+  - Clarify in the sample configuration file and the ngircd.conf(5) manual
+    page that the "CAFile" option is unset by default.
+  - Fix channel symbol returned in the RPL_NAMREPLY(353) numeric of NAMES
+    commands for secret (mode +s) channels: this should be "@", not "=".
+    Thanks Val Lorentz <progval+git@progval.net> for the patch!
+    Closes #313.
+  - Add an example filter file for "Fail2Ban": contrib/ngircd-fail2ban.conf.
+  - Don't abort startup when setgid/setuid() fails with EINVAL: Both setgid(2)
+    as well as setuid(2) can fail with EINVAL in addition to EPERM, their
+    manual pages state "EINVAL: The user/group ID specified in uid/gid is not
+    valid in this user namespace ". So not only treat EPERM as an "acceptable
+    error" and continue with logging the error, but do the same for EINVAL.
+    This was triggered by the Void Linux xbps-uunshare(1) tool used for
+    building "XBPS source packages" and reported by luca in #ngircd. Thanks!
+  - Test suite: Don't use "pgrep -u" when LOGNAME and USER are not set
+    Thanks for reporting this on IRC, luca!
+
+  ngIRCd 27~rc1 (2024-04-13)
+  - Validate certificates on server links. Up to now, ngIRCd optionally used
+    SSL/TLS encrypted server-server links but never checked and validated any
+    certificates. Now ngIRCd validates SSL/TLS certificates on outgoing
+    server-server links by default and drops(!) connections when the remote
+    certificate is invalid (for example self-signed, expired, not matching the
+    host name, ...). Therefore you have to make sure that all relevant
+    *certificates are valid* (or to disable certificate validation on this
+    connection using the new `SSLVerify = false` setting in the affected
+    `[Server]` block, where the remote certificate is not valid and you can not
+    fix this issue).
+    The original patch for OpenSSL dates back to 2009 and was written by Florian
+    Westphal and was extended for GnuTLS in 2014 by Christoph Biedl. But it took
+    us another 10 years to bring it to life ... oh my! Many thanks to both
+    Florian and Christoph!
+    Closes #120.
+  - Add support for the "sd_notify" protocol of systemd(8): Periodically
+    "ping" the service manager (every 3 seconds) and set a status message
+    showing current connection statistics which then is included in "systemctl
+    status ngircd.service" output. In addition, this enables using the
+    systemd(8) watchdog functionality ("WatchdogSec") for the "ngircd.service"
+    unit and allows it to use the "notify" service type, which results in
+    better status tracking by the service manager.
+  - Try to set file descriptor limit to its maximum and show info on startup:
+    The number of possible parallel connections is limited by the file
+    descriptor limit of the process (among other things). Therefore try to
+    upgrade the current "soft" limit to its "hard" maximum (but limited to
+    100000 instead of "infinite"), and show an information or even warning when
+    the limit is still less than the configured "MaxConnections" setting. Please
+    note that ngIRCd and its linked libraries (like PAM) need file descriptors
+    not only for incoming and outgoing IRC connections, but for reading files
+    and inter-process communication, too! Therefore the actual connection limit
+    is less(!) than the file descriptor limit!
+  - Update and fix the logcheck(8) rules file.
+  - METADATA: Fix unsetting the "cloakhost" hostname, which did not result in
+    the original hostname being restored, but actually resulted in an empty
+    string being used as the client hostname -- which is a protocol violation.
+  - Update the "rpm" make target to use the rpmbuild(8) command.
+  - Add a "Docker file" (contrib/Dockerfile) and corresponding documentation
+    (doc/Container.md) to the project. The resulting container is based on the
+    latest Debian "stable-slim" container and built using a "build container".
+  - Remove outdated, unsupported and broken support for splint(1).
+  - Don't show the default config file name on config errors: The configuration
+    can be set in drop-in files in the include directory, too, so it is not
+    clear in which file it is actually missing.
+  - No longer use a default built-in value for the "IncludeDir" directive when
+    a configuration file was explicitly specified on the command line using
+    "--config"/"-f": This way no default include directory is scanned when a
+    possibly non-default configuration file is used which (intentionally) did
+    not specify an "IncludeDir" directive. So now you can use "-f /dev/null"
+    for checking all built-in defaults, regardless of any local configuration
+    files in the default drop-in directory (which would have been read in
+    until this change).
+  - No longer log channel keys ("passwords") for predefined channels.
+  - The server "Name" in the "[Global]" section of the configuration file no
+    longer needs to be set: When not set (or empty), ngIRCd now tries to
+    deduce a valid IRC server name from the local host name ("node name"),
+    possibly adding a ".host" extension when the host name does not contain a
+    dot (".") which is required in an IRC server name ("ID").
+    This new behavior, with all configuration parameters now being optional,
+    allows running ngIRCd without any configuration file at all.
+  - Silence some compiler warnings.
+  - autogen.sh: Prefer automake 1.11 over other releases because this is the
+    last release supporting "de-ANSI-fication" using the included ansi2knr tool.
+    And because we _want_ to support old K&R platforms, we try hard to use this
+    release of automake when available to generate our build system.
+    Note: This is only relevant for you if you are building from Git sources.
+  - Autodetect support for IPv6 by default: Until now, IPv6 support was disabled
+    by default, which seems a bit outdated in 2024. Note: You still can pass
+    "--enable-ipv6"/"--disable-ipv6" to the ./configure script to forcefully
+    activate or deactivate IPv6 support.
+  - Do IDENT requests even when DNS lookups are disabled: Up to now disabling
+    DNS in the configuration disabled IDENT lookups as well (for no good
+    reason). Now you can activate/deactivate DNS lookups and IDENT requests
+    completely separately. Thanks for reporting this, Miniontoby!
+    Closes #291.
+  - Update config.guess (2023-08-22) and config.sub (2023-09-19) files.
+  - Fix Channel Admins being able to to set Channel Owner status! "Sarah"
+    reported this back in April 2021 and proposed a patch, thanks a lot!
+  - Test suite: Update for OpenSSL 3.x, some command outputs changed, clean up
+    shell scripts and make the getpid.sh script more robust.
+  - Allow SSL client-only configurations without keys/certificates: You don't
+    need to configure certificates/keys as long as you don't configure
+    SSL-enabled listening ports. This can make sense when you want to only link
+    your local daemon to an uplink server using SSL and only have clients on
+    your local host or in your fully trusted network, where SSL is not required.
+  - Remove the unmaintained contrib/MacOSX/ folder: this includes the Xcode
+    project as well as the outdated macOS "Package Maker" configuration. The
+    sample launchd(8) configuration properties list file was moved to
+    "contrib/de.barton.ngircd.plist" and kept.
+  - Fix showing the "Ident" option in "--configtest" output which was never
+    shown because of a coding error. Whoops!
+  - Change GnuTLS "slot handling" messages to debug level: Those messages are
+    about an internal implementation detail, not relevant for an administrator
+    of ngIRCd.
+  - Enlarge buffer for log messages: For example, SSL/TLS certificate
+    information can easily get longer than 256 characters. So enlarge the log
+    buffer to 1 KB to avoid cutting off relevant information.
+  - Respect "SSLConnect" option for incoming connections and do not accept
+    incoming plain-text ("non SSL") server connections for servers configured
+    with "SSLConnect" enabled. This change prevents an authenticated
+    client-server being able to force the server-server to send its password
+    on a plain-text connection when SSL/TLS was intended.
+  - Always try to close a connection with errors immediately, but try hard
+    to avoid too much recursion. Without this patch, an outgoing server
+    connection could get stuck in an "endless" state trying to write out data
+    over and over again.
+  - Add "hopm.service" to "Wants" and "Before" dependencies in the sample
+    systemd unit file (Hopm is the successor of Bopm).
+  - Update Debian package configuration using current "dh_make", package
+    dependencies and build rules. And no longer build 3 different versions,
+    only build "ngircd" which now includes support for IDENT, PAM (disabled in
+    the ngircd.conf installed by the package), SSL (OpenSSL), ZLib and IPv6.
+  - Return ERR_NOTEXTTOSEND on empty PRIVMSG content, which matches the
+    behavior of other servers.
+  - Add a new option "Autojoin" to [Channel] blocks: When it is set, ngIRCd
+    automatically joins all local users to this channel on connect. Note: The
+    users must have permissions to access the channel, otherwise joining them
+    will fail!
+    Thanks Ivan Agarkov <i_agarkov@wargaming.net> for the initial patch!
+  - Hide invisible (+i) users on "WHOIS <pattern>": Let's behave like most(?)
+    other IRC daemons (at least ircd2.11) and hide all +i users when WHOIS is
+    used with a pattern. Otherwise privacy of this users is not guaranteed and
+    the +i mode a bit useless ...
+    Reported by Cahata on #ngircd, thanks!
+  - Update the final "closing connection" message: Add some more information
+    like nick name, user name, host name and bring it in line with some other
+    implementations (at least ircd2.11 and Hybrid).
+  - Fix RPL_INVITING message: All numeric replies must originate from an IRC
+    server, never from a client. Thanks "tommyrot" for reporting this!
+    Closes #307.
+  - Enhance some log messages, for example for errors when accepting new
+    connections.
+  - Make the debug log level ("--debug"/-"d" command line option) always
+    available, not only when ./configure'd with "--enable-debug": the latter
+    now only enables additional checks (like the tests done using assert(2))
+    and is signalled by adding "+DEBUG" to the version "feature string". This
+    change enables everyone to get even more detailed logging when required.
+  - Always report an error when a parameter is missing in a channel "MODE +k"
+    or "MODE +l" command, and better validate their parameters: return the new
+    numeric ERR_INVALIDMODEPARAM_MSG(696) on errors.
+    Thanks Val Lorentz for reporting this!
+    Closes #290.
+  - Allow IRC Operators to use the WHO command on any channel.
+  - Add configuration for "ngIRCd CI" GitHub Action, no longer use Travis-CI.
+  - Send the NAMES list and channel topic to users "forcefully" joined to a
+    channel using NJOIN, like they joined on their own using JOIN, and
+    streamline the order of NAMES list and channel topic messages.
+    Closes #288.
+  - Fix (invalid) error messages when setting modes on local channels which
+    are defined in the configuration file.
+  - Fix handling of G-Lines/K-Lines with cloaked host names.
+  - Streamline logging of debug messages.
+  - Added a new command line option "-y"/"--syslog", with which logging to
+    syslog can be activated/deactivated separately from running on the console
+    (using "--nodaemon") or in the background.
+    Thanks Katherine Peeters for the patch and pull request!
+    Closes #294.
+  - Fix a possible race condition while introducing new clients in the network.
+  - Update, enhance and extend our documentation in README.md, INSTALL.md,
+    doc/HowToRelease.txt and the manual pages ngircd(8) and ngircd.conf(5), add
+    a new doc/QuickStart.md document, and convert some more documentation files
+    to Markdown (AUTHORS.md, contrib/README.md, doc/FAQ.md, doc/SSL.md).
+
+ngIRCd 26.1 (2021-01-02)
+
+  - Fix a "format string" compiler warning (detected on OpenBSD).
+  - No longer set "AI_ADDRCONFIG" when resolving host names, even when it
+    exists: with this option set, on an IPv6-only host, we prevent 127.0.0.1
+    to get translated properly, even when the loopback interface has this
+    address configured! And as the test suite uses 127.0.0.1, it was broken
+    on IPv6-only hosts.
+    The drawback is that the resolver possibly returns more addresses now,
+    even of an unsupported/not connected address family; but this shouldn't
+    do much harm in practice, as ngIRCd iterates over all returned addresses
+    while trying to establish an outgoing connection.
+    Closes #281.
+  - Revert "Show allowed channel types in ISUPPORT(005) numeric only", which
+    was introduced in 26~rc1: This lead to some IRC clients assuming "oh, no
+    channel prefix characters at all, so no channels at all, so no PRIVMSG can
+    go to any channel" when "AllowedChannelTypes" was set to the empty string
+    ("") -- which is not the case when there are pre-defined channel set up or
+    other servers still having channels!
+    So "allowed channel types" != "supported channel types", and we always have
+    to list all supported ones in the ISUPPORT(005) numeric!
+    Closes #285.
+  - Test suite: Wait 2 seconds after reloading the daemon, which is required
+    because on reload, all listening ports are closed, configuration updated,
+    and then opened again. This lead to subsequent tests running while the
+    daemon isn't listening on any ports, and that's why some tests could fail.
+    Closes #280.
+  - platformtest.sh: Try to mangle CLang name more intelligently.
+  - Documentation: Fixed URLs of Atheme IRC services, updated all mentions
+    from CVS to Git, and updated Platforms.txt -- Oh, and it is 2021 now! ;-)
+
+ngIRCd 26 (2020-06-20)
+
+  ngIRCd 26~rc2 (2020-06-11)
+  - Add AppStream metadata file (contrib/de.barton.ngircd.metainfo.xml).
+  - Don't send invalid CHANINFO commands when a channel has mode +k set but no
+    key is known to the server. This can happen with a misconfigured predefined
+    channel, for example, and looked like this: "CHANINFO #test +Pk  0 :" --
+    note the unset key represented by the two spaces. Fix this by sending a
+    "*" in this case and update the CHANINFO documentation, too.
+  - ngircd.spec: Fix names of README.md and INSTALL.md, add ".md" extension.
+  - Update description texts in the README.md file, the RPM and Debian package
+    files and the manual page: bring them in line with the updated homepage.
+  - Server-Server protocol: Fix use-after-free when unregistering a directly
+    connected server sending a SQUIT for itself.
+  - Server-Server protocol: Detect bogus SERVER commands lacking a prefix.
+    Thanks Hilko Bengen (hillu) for finding & reporting this as well for the
+    patch & pull request (even if fixed differently).
+    Closes #275.
+  - Fix the PING-PONG logic: In ngIRCd 26~rc1 this was completely broken (while
+    trying to fix timeouts during server handshakes in bigger networks): the
+    daemon never disconnected any stale peers but kept sending out PINGs over
+    and over again ...
+  - Test suite: Add missing files needed to test SSL support to "EXTRA_DIST",
+    so that they are included in distribution archives: in rc1, "make check"
+    fails when using sources from an archive and enabling SSL support.
+    Thanks to Hilko Bengen <bengen@hilluzination.de> for the patch!
+
+  ngIRCd 26~rc1 (2020-05-10)
+  - Tweak & update doc/HowToRelease.txt, .mailmap and AUTHORS files.
+  - Allow up to 512 characters per line in MOTD and help text files (but keep
+    in mind that lines can't get that long, because they have to be prefixed
+    before being sent to the client). But this allows for more fancy MOTDs :-)
+    Closes #271.
+  - Show the actually allowed channel types in the ISUPPORT(005) numeric which
+    are configured by the "AllowedChannelTypes" configuration variable.
+    Closes #273.
+  - Handle commands in the read buffer before reading more data and don't wait
+    for the network in this case: If there are more bytes in the read buffer
+    already than a single valid IRC command can get long (513 bytes), wait for
+    this/those command(s) to be handled first and don't try to read even more
+    data from the network (which most probably would overflow the read buffer
+    of this connection soon).
+  - Update Travis-CI configuration, "sudo" is deprecated.
+  - Log G-/K-Line changes only when not initiated by a server: this prevents
+    the log from becoming spammed during "net bursts".
+  - Update test suite to include SSL tests, including checking for reloading
+    certificates during runtime.
+  - Makefile.am: Replace "make" with "${MAKE}". This fixes warnings like this:
+    "warning: jobserver unavailable: using -j1. Add `+' to parent make rule."
+    Thanks to Sam James (sam_c) <sam@cmpct.info>!
+    Closes #270.
+  - Add support for GnuTLS certificate reload, which is quite handy when using
+    Let's Encrypt, for example. Until now this was only supported when linked
+    with OpenSSL. Thanks a lot, Hilko Bengen <bengen@hilluzination.de>!
+  - Remove deprecated legacy configuration options and related functions that
+    have been marked for removal for quite some time:
+    - PredefChannelsOnly (v22)
+    - NoticeAuth (v24)
+    - NoXXX (v19)
+    - Old '[GLOBAL]' section handling (v19)
+    Thanks to Michi <michi+ngircd@dataswamp.org> for the patch!
+  - Fix recursion bug on write errors: Depending on the stack size, too many
+    clients on the same channel quitting at the same time would trigger a crash
+    due to too many recursive calls to Conn_Close(). Thanks to Michi
+    <michi+ngircd@dataswamp.org> for the patch!
+  - Fix builds using GCC option -fno-common, which is the default starting with
+    GCC 10. Thanks to Michi <michi+ngircd@dataswamp.org> for the patch!
+    Closes #266.
+  - Convert INSTALL and README files to Markdown.
+  - Allow setting arbitrary channel modes in the configuration file by handling
+    them like in MODE commands, and allow multiple "Modes =" lines per [Channel]
+    section. Thanks to Michi <michi+ngircd@dataswamp.org>!
+    Closes #55.
+  - Add "FNC" (forced nick changes) to ISUPPORT(005) numeric. Most probably
+    this doesn't make any difference to any client, but it seems correct.
+    See <http://www.irc.org/tech_docs/005.html> for details.
+  - Reuse old SSL key if loading a new one failed.
+  - Remove outdated OpenBSD/NetBSD systrace.policy.
+  - Enhance handling of command line errors, and return with exit code 0 ("no
+    error") when "--help" or "--version" is used (which resulted in exit code 1,
+    "error" before). Exit with code 2 ("command line error") for all other
+    invalid command line options, and show the error message itself on stderr
+    (instead of stdout and exit code 1, "generic error", as before).
+    This new behavior is more in line with the GNU "coding standards",
+    see <https://www.gnu.org/prep/standards/html_node/_002d_002dhelp.html>.
+  - Fix and update Xcode project: Reference correct contrib/Makefile.am file,
+    correctly sort contrib/nglog.sh and add "ORGANIZATIONNAME" setting.
+  - contrib/ngindent.sh: Add more GNU indent options for better results, and
+    add the ".sh" suffix to bring this script in line with the others in the
+    contrib/ folder.
+  - Add ./contrib/nglog.sh: This script parses the log output of ngircd(8),
+    and colorizes the messages according to their log level. Example usage:
+    ngircd -f $PWD/doc/sample-ngircd.conf -np | ./contrib/nglog.sh
+  - Log received signals with their names using strsignal(3), when available.
+  - Make test suite compatible with Haiku OS.
+  - Fix host mask cloaking bug, don't cloak multiple times: Previously, each
+    server would cloak every user's host mask. The problem is that if a network
+    has more than one server, then a user's host mask would get cloaked twice.
+    This patch ensures that a server only cloaks the host mask if it has not yet
+    been cloaked (the period indicates it's still an IP address). Thanks to
+    JRMU <jrmu@lecturify.com> for the patch!
+    Closes #228.
+  - Enlarge buffers of info texts to 128 bytes. This includes:
+    - "Real name" of a client (4th filed of the USER command).
+    - Server info text ("Info" configuration option).
+    - Admin info texts and email address ("AdminInfo1", "AdminInfo2" and
+      "AdminEmail" configuration options).
+    - Network name ("Network" configuration option).
+    The limit was 64 bytes before ...
+    Closes #258.
+  - Streamline handling of invalid and unset server name: Don't exit during
+    runtime (REHASH command, HUP signal), because the server name can't be
+    changed in this case anyway and the new invalid name will be ignored.
+  - Fix and extend documentation: Fix some typos, fix syntax of LINKS and LIST
+    commands, whitespace and spelling fixes, update dependencies and add some
+    more information about IRCv3 support.
+    Thanks to Thanks Windree, Étienne Mollier <etienne.mollier@mailoo.org> and
+    Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
+    Closes #264.
+  - Slightly reorder startup steps, and enhance logging:
+    - Show name of configuration file at the beginning of start up.
+    - Add a message when ngIRCd is ready, including its host name.
+    - Show name of configuration file on REHASH (SIGHUP), too.
+    - Change level of "done message" to NOTICE, like "starting" & "ready".
+    - Initialize IO functions before channels, connections, clients, ...
+  - configure.ng: OpenSSL can depends on lz or latomic so use pkg-config to
+    find those dependencies and fallback to existing mechanism.
+    Closes #256.
+  - ngircd.conf.5: Fix wording as suggested by lintian.
+
+ngIRCd 25 (2019-01-23)
+
+  - Fix documentation of MotdPhrase length, which actually is 126 characters:
+    update sample configuration file as well as the man page. Thanks to
+    shankari <shankari@eecs.berkeley.edu>.
+    Closes #254.
+  - Implement new configuration option "MaxPenaltyTime", which configures the
+    maximum penalty time increase in seconds, per penalty event. Set to -1 for
+    no limit (the default), 0 to disable penalties altogether. ngIRCd doesn't
+    use penalty increases higher than 2 seconds during normal operation, so
+    values higher than 1 rarely make sense.
+    Disabling (or reducing) penalties can greatly speed up "make check" runs
+    for example, see below, but are mostly a debugging feature and normally
+    not meant to be used on production systems!
+    Some example timings running "make check" from my macOS workstation:
+     - MaxPenaltyTime not set: 4:41,79s
+     - "MaxPenaltyTime = 1":   3:14,71s
+     - "MaxPenaltyTime = 0":     25,46s
+    Closes #249 and #251.
+  - Fix compilation without deprecated OpenSSL APIs. Thanks to Rosen Penev
+    <rosenp@gmail.com> for the patch!
+    Closes #252.
+  - Update Xcode project for latest Xcode version (10.0)
+  - Fix some compiler warnings of Apple Xcode/Clang
+  - Allow a 5th parameter in WEBIRC. Thanks to "ItsOnlyBinary".
+    Closes #247.
+  - Update some more documentation files and source code comments.
+  - Platforms.txt: Add and update systems.
+
+  ngIRCd 25~rc1 (2018-08-11)
+  - Update config.guess (2018-03-08) and config.sub (2018-03-08) files.
+  - Correctly retry to establish an outgoing connections when forking of the
+    resolver sub-process failed (for example because of lack of free memory).
+    Until now, such a connection was never retried once this error was hit.
+    Thanks to Robert Obermeier for reporting this bug!
+    Closes #243.
+  - Fix a "use after free" bug which can be triggered on a newly established
+    connection when the daemon handles an ERROR command received from the peer
+    during client login. Thanks a lot to Joseph Bisch <joseph.bisch@gmail.com>
+    for discovering and reporting this issue!
+  - Only send TOPIC updates to a channel when the topic actually changed:
+    This prevents the channel from becoming flooded by unnecessary TOPIC update
+    messages, that can happen when IRC services try to enforce a certain topic
+    but which is already set (at least on the local server), for example.
+    Therefore still forward it to all servers, but don't inform local clients
+    (still update setter and timestamp information, though).
+  - Update Xcode project for latest Xcode version (9.2). This includes adding
+    missing and deleting obsolete file references.
+  - Handle user mode "C" ("Only users that share a channel are allowed to send
+    messages") like user mode "b" ("block private messages and notices"): allow
+    messages from servers, services, and IRC Operators, too. Change proposed by
+    "wowaname" back in 2015 in #ngircd, thanks!
+  - Fix some compiler warnings.
+  - Add contrib/ngircd.logcheck: Some sample logcheck(8) rules.
+  - Allow IRC Ops and remote servers to KILL service clients: such clients
+    behave like regular users, therefore IRC operators and servers should be
+    able to KILL them: for example to resolve nick collisions.
+    Closes #242.
+  - Don't forward KILLs to other servers if they've been blocked locally:
+    This prevents clients from killing IRC services, for example.
+    Closes #238 and #239.
+  - Fix a cross-compiler issue related to the Get_Error() function.
+    Closes #240 and #241.
+  - Update ./doc/Services.txt, enhance configuration examples.

 ngIRCd 24 (2017-01-20)

@ -75,7 +484,7 @@ ngIRCd 24 (2017-01-20)
  - contrib/ngindent: Fix shebang line.
  - Make contrib/platformtest.sh script more portable, and only show
    "runs=Y" when the test suite really has been passed successfully.
-  - Code cleanup in the NJON handler and the function killing clients as
+  - Code cleanup in the NJOIN handler and the function killing clients as
    well as the function sending messages to a "mask" (cleaner code, more
    fault tolerant, better code comments).
  - Update and enhance documentation: README file, doc/Platforms.txt,
@ -136,7 +545,7 @@ ngIRCd 23 (2015-11-16)
    Idea and implementation by LucentW, Thanks! Closes #207.
  - Update ngircd.conf.5: "CloakUserToNick" hides user _and_ real name.
    This closes #208.
-  - Fix case insensitive pattern matching: Up to now, only the the input
+  - Fix case insensitive pattern matching: Up to now, only the input
    string became lowercased and was then compared to the pattern -- which
    failed when the pattern itself wasn't all lowercase!
  - Streamline the effect of "MorePrivacy" option: Update documentation
@ -489,7 +898,7 @@ ngIRCd 20.3 (2013-08-23)
 ngIRCd 20.2 (2013-02-15)

  - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon
+    commands that could be used by arbitrary users to crash the daemon
    (CVE-2013-1747).
  - WHO command: Use the currently "displayed hostname" (which can be cloaked!)
    for hostname matching, not the real one. In other words: don't display all
--- a/367
+++ b/367
@ -1,367 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-                           http://ngircd.barton.de/
-
-               (c)2001-2017 Alexander Barton and Contributors.
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                                -- INSTALL --
-
-
-I. Upgrade Information
-~~~~~~~~~~~~~~~~~~~~~~
-
-Differences to version 22.x
-
- The "NoticeAuth" ngircd.conf configuration variable has been renamed to
-  "NoticeBeforeRegistration". The old "NoticeAuth" variable still works but
-  is deprecated now.
-
- The default value of the SSL "CipherList" variable has been changed to
-  "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0"
-  (GnuTLS) to disable the old SSLv3 protocol by default.
-  To enable connections of clients still requiring the weak SSLv3 protocol,
-  the "CipherList" must be set to its old value (not recommended!), which
-  was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below.
-
-Differences to version 20.x
-
- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
-  default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
-  Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT"
-  and "NORMAL" respectively.
-
- When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching
-  the new mask will be KILL'ed. This was not the case with earlier versions
-  that only added the mask but didn't kill already connected users.
-
- The "PredefChannelsOnly" configuration variable has been superseded by the
-  new "AllowedChannelTypes" variable. It is still supported and translated to
-  the appropriate "AllowedChannelTypes" setting but is deprecated now.
-
-Differences to version 19.x
-
- Starting with ngIRCd 20, users can "cloak" their hostname only when the
-  configuration variable "CloakHostModeX" (introduced in 19.2) is set.
-  Otherwise, only IRC operators, other servers, and services are allowed to
-  set mode +x. This prevents regular users from changing their hostmask to
-  the name of the IRC server itself, which confused quite a few people ;-)
-
-Differences to version 17.x
-
- Support for ZeroConf/Bonjour/Rendezvous service registration has been
-  removed. The configuration option "NoZeroconf" is no longer available.
-
- The structure of ngircd.conf has been cleaned up and three new configuration
-  sections have been introduced: [Limits], [Options], and [SSL].
-  Lots of configuration variables stored in the [Global] section are now
-  deprecated there and should be stored in one of these new sections (but
-  still work in [Global]):
-    "AllowRemoteOper"    -> [Options]
-    "ChrootDir"          -> [Options]
-    "ConnectIPv4"        -> [Options]
-    "ConnectIPv6"        -> [Options]
-    "ConnectRetry"       -> [Limits]
-    "MaxConnections"     -> [Limits]
-    "MaxConnectionsIP"   -> [Limits]
-    "MaxJoins"           -> [Limits]
-    "MaxNickLength"      -> [Limits]
-    "NoDNS"              -> [Options], and renamed to "DNS"
-    "NoIdent"            -> [Options], and renamed to "Ident"
-    "NoPAM"              -> [Options], and renamed to "PAM"
-    "OperCanUseMode"     -> [Options]
-    "OperServerMode"     -> [Options]
-    "PingTimeout"        -> [Limits]
-    "PongTimeout"        -> [Limits]
-    "PredefChannelsOnly" -> [Options]
-    "SSLCertFile"        -> [SSL], and renamed to "CertFile"
-    "SSLDHFile"          -> [SSL], and renamed to "DHFile"
-    "SSLKeyFile"         -> [SSL], and renamed to "KeyFile"
-    "SSLKeyFilePassword" -> [SSL], and renamed to "KeyFilePassword"
-    "SSLPorts"           -> [SSL], and renamed to "Ports"
-    "SyslogFacility"     -> [Options]
-    "WebircPassword"     -> [Options]
-  You should adjust your ngircd.conf and run "ngircd --configtest" to make
-  sure that your settings are correct and up to date!
-
-Differences to version 16.x
-
- Changes to the "MotdFile" specified in ngircd.conf now require a ngircd
-  configuration reload to take effect (HUP signal, REHASH command).
-
-Differences to version 0.9.x
-
- The option of the configure script to enable support for Zeroconf/Bonjour/
-  Rendezvous/WhateverItIsNamedToday has been renamed:
-    --with-rendezvous  ->  --with-zeroconf
-
-Differences to version 0.8.x
-
- The maximum length of passwords has been raised to 20 characters (instead
-  of 8 characters). If your passwords are longer than 8 characters then they
-  are cut at an other position now.
-
-Differences to version 0.6.x
-
- Some options of the configure script have been renamed:
-    --disable-syslog  ->  --without-syslog
-    --disable-zlib    ->  --without-zlib
-  Please call "./configure --help" to review the full list of options!
-
-Differences to version 0.5.x
-
- Starting with version 0.6.0, other servers are identified using asynchronous
-  passwords: therefore the variable "Password" in [Server]-sections has been
-  replaced by "MyPassword" and "PeerPassword".
-
- New configuration variables, section [Global]: MaxConnections, MaxJoins
-  (see example configuration file "doc/sample-ngircd.conf"!).
-
-
-II. Standard Installation
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-ngIRCd is developed for UNIX-based systems, which means that the installation
-on modern UNIX-like systems that are supported by GNU autoconf and GNU
-automake ("configure") should be no problem.
-
-The normal installation procedure after getting (and expanding) the source
-files (using a distribution archive or GIT) is as following:
-
-  0) Satisfy prerequisites
-  1) ./autogen.sh  [only necessary when using GIT]
-  2) ./configure
-  3) make
-  4) make install
-
-(Please see details below!)
-
-Now the newly compiled executable "ngircd" is installed in its standard
-location, /usr/local/sbin/.
-
-The next step is to configure and afterwards starting the daemon. Please
-have a look at the ngircd(8) and ngircd.conf(5) manual pages for details
-and all possible options -- and don't forget to run "ngircd --configtest"
-to validate your configuration file!
-
-If no previous version of the configuration file exists (the standard name
-is /usr/local/etc/ngircd.conf), a sample configuration file containing all
-possible options will be installed there. You'll find its template in the
-doc/ directory: sample-ngircd.conf.
-
-
-0): Satisfy prerequisites
-
-When building from source, you'll need some other software to build ngIRCd:
-for example a working C compiler, make tool, GNU automake and autoconf (only
-when not using a distribution archive), and a few libraries depending on the
-features you want to compile in (like IDENT support, SSL, and PAM).
-
-If you are using one of the "big" operating systems or Linux distributions,
-you can use the following commands to install all the required packages to
-build the sources including all optional features and to run the test suite:
-
-* Red Hat / Fedora based distributions:
-
-  yum install \
-    autoconf automake expect gcc glibc-devel gnutls-devel \
-    libident-devel make pam-devel tcp_wrappers-devel telnet zlib-devel
-
-* Debian / Ubuntu based distributions:
-
-  apt-get install \
-    autoconf automake build-essential expect libgnutls-dev \
-    libident-dev libpam-dev libwrap0-dev libz-dev telnet
-
-
-1): "autogen.sh"
-
-The first step, autogen.sh, is only necessary if the configure-script isn't
-already generated. This never happens in official ("stable") releases in
-tar.gz-archives, but when using GIT.
-
-This step is therefore only interesting for developers.
-
-autogen.sh produces the Makefile.in's, which are necessary for the configure
-script itself, and some more files for make. To run autogen.sh you'll need
-GNU autoconf and GNU automake: at least autoconf 2.61 and automake 1.10 are
-required, newer is better. But don't use automake 1.12 or newer for creating
-distribution archives: it will work but lack "de-ANSI-fication" support in the
-generated Makefile's! Stick with automake 1.11.x for this purpose ...
-So automake 1.11.x and autoconf 2.67+ is recommended.
-
-Again: "end users" do not need this step and neither need GNU autoconf nor GNU
-automake at all!
-
-
-2): "./configure"
-
-The configure-script is used to detect local system dependencies.
-
-In the perfect case, configure should recognize all needed libraries, header
-files and so on. If this shouldn't work, "./configure --help" shows all
-possible options.
-
-In addition, you can pass some command line options to "configure" to enable
-and/or disable some features of ngIRCd. All these options are shown using
-"./configure --help", too.
-
-Compiling a static binary will avoid you the hassle of feeding a chroot dir
-(if you want use the chroot feature). Just do something like:
-  CFLAGS=-static ./configure [--your-options ...]
-Then you can use a void directory as ChrootDir (like OpenSSH's /var/empty).
-
-
-3): "make"
-
-The make command uses the Makefiles produced by configure and compiles the
-ngIRCd daemon.
-
-
-4): "make install"
-
-Use "make install" to install the server and a sample configuration file on
-the local system. Normally, root privileges are necessary to complete this
-step. If there is already an older configuration file present, it won't be
-overwritten.
-
-These files and folders will be installed by default:
-
- /usr/local/sbin/ngircd: executable server
- /usr/local/etc/ngircd.conf: sample configuration (if not already present)
- /usr/local/share/doc/ngircd/: documentation
- /usr/local/share/man/: manual pages
-
-
-III. Additional features
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-The following optional features can be compiled into the daemon by passing
-options to the "configure" script. Most options can handle a <path> argument
-which will be used to search for the required libraries and header files in
-the given paths ("<path>/lib/...", "<path>/include/...") in addition to the
-standard locations.
-
-* Syslog Logging (autodetected by default):
-  --with-syslog[=<path>] / --without-syslog
-
-  Enable (disable) support for logging to "syslog", which should be
-  available on most modern UNIX-like operating systems by default.
-
-* ZLib Compression (autodetected by default):
-  --with-zlib[=<path>] / --without-zlib
-
-  Enable (disable) support for compressed server-server links.
-  The Z compression library ("libz") is required for this option.
-
-* IO Backend (autodetected by default):
-  --with-select[=<path>] / --without-select
-  --with-poll[=<path>] / --without-poll
-  --with-devpoll[=<path>] / --without-devpoll
-  --with-epoll[=<path>] / --without-epoll
-  --with-kqueue[=<path>] / --without-kqueue
-
-  ngIRCd can use different IO "backends": the "old school" select() and poll()
-  API which should be supported by most UNIX-like operating systems, or the
-  more efficient and flexible epoll() (Linux >=2.6), kqueue() (BSD) and
-  /dev/poll APIs.
-  By default the IO backend is autodetected, but you can use "--without-xxx"
-  to disable a more enhanced API.
-  When using the epoll() API, support for select() is compiled in as well by
-  default to enable the binary to run on older Linux kernels (<2.6), too.
-
-* IDENT-Support:
-  --with-ident[=<path>]
-
-  Include support for IDENT ("AUTH") lookups. The "ident" library is
-  required for this option.
-
-* TCP-Wrappers:
-  --with-tcp-wrappers[=<path>]
-
-  Include support for Wietse Venemas "TCP Wrappers" to limit client access
-  to the daemon, for example by using "/etc/hosts.{allow|deny}".
-  The "libwrap" is required for this option.
-
-* PAM:
-  --with-pam[=<path>]
-
-  Enable support for PAM, the Pluggable Authentication Modules library.
-  See doc/PAM.txt for details.
-
-* SSL:
-  --with-openssl[=<path>]
-  --with-gnutls[=<path>]
-
-  Enable support for SSL/TLS using OpenSSL or gnutls libraries.
-  See doc/SSL.txt for details.
-
-* IPv6:
-  --enable-ipv6
-
-  Adds support for version 6 of the Internet Protocol.
-
-
-IV. Useful make-targets
-~~~~~~~~~~~~~~~~~~~~~~~
-
-The Makefile produced by the configure-script contains always these useful
-targets:
-
- - clean: delete every product from the compiler/linker
-   next step: -> make
-
- - distclean: the above plus erase all generated Makefiles
-   next step: -> ./configure
-
- - maintainer-clean: erase all automatic generated files
-   next step: -> ./autogen.sh
-
-
-V. Sample configuration file ngircd.conf
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-In the sample configuration file, there are comments beginning with "#" OR
-";" -- this is only for the better understanding of the file.
-
-The file is separated in five blocks: [Global], [Features], [Operator],
-[Server], and [Channel].
-
-In the [Global] section, there is the main configuration like the server
-name and the ports, on which the server should be listening. Options in
-the [Features] section enable or disable functionality in the daemon.
-IRC operators of this server are defined in [Operator] blocks, remote
-servers are configured in [Server] sections, and [Channel] blocks are
-used to configure pre-defined ("persistent") IRC channels.
-
-The meaning of the variables in the configuration file is explained in the
-"doc/sample-ngircd.conf", which is used as sample configuration file in
-/usr/local/etc after running "make install" (if you don't already have one)
-and in the ngircd.conf(5) manual page.
-
-
-VI. Command line options
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-These parameters could be passed to the ngIRCd:
-
-f, --config <file>
-	The daemon uses the file <file> as configuration file rather than
-	the standard configuration /usr/local/etc/ngircd.conf.
-
-n, --nodaemon
-	ngIRCd should be running as a foreground process.
-
-p, --passive
-	Server-links won't be automatically established.
-
-t, --configtest
-	Reads, validates and dumps the configuration file as interpreted
-	by the server. Then exits.
-
-Use "--help" to see a short help text describing all available parameters
-the server understands, with "--version" the ngIRCd shows its version
-number. In both cases the server exits after the output.
-
-Please see the ngircd(8) manual page for complete details!
--- a/INSTALL.md
+++ b/INSTALL.md
@ -0,0 +1,411 @@
+# [ngIRCd](https://ngircd.barton.de) - Installation
+
+This document describes how to install ngIRCd, the lightweight Internet Relay
+Chat (IRC) server.
+
+The first section lists noteworthy changes to earlier releases; you definitely
+should read this when upgrading your setup! But you can skip over this section
+when you are working on a fresh installation.
+
+The subsequent sections describe the steps required to build and install ngIRCd
+_from sources_. The information given here is not relevant when you are using
+packages provided by your operating system vendor or third-party repositories!
+
+Please see the file `doc/QuickStart.md` in the `doc/` directory or on
+[GitHub](https://github.com/ngircd/ngircd/blob/master/doc/QuickStart.md) for
+information about _setting up_ and _running_ ngIRCd, including some real-world
+configuration examples.
+
+## Upgrade Information
+
+This section lists important updates and breaking changes that you should be
+aware of *before* starting the upgrade:
+
+Differences to version 26
+
+- **Attention**:
+  Starting with release 27, ngIRCd validates SSL/TLS certificates on outgoing
+  server-server links by default and drops(!) connections when the remote
+  certificate is invalid (for example self-signed, expired, not matching the
+  host name, ...). Therefore you have to make sure that all relevant
+  *certificates are valid* (or to disable certificate validation on this
+  connection using the new `SSLVerify = false` setting in the affected
+  `[Server]` block, where the remote certificate is not valid and you can not
+  fix this issue).
+
+Differences to version 25
+
+- **Attention**:
+  All already deprecated legacy options (besides the newly deprecated *Key* and
+  *MaxUsers* settings, see below) were removed in ngIRCd 26, so make sure to
+  update your configuration before upgrading, if you haven't done so already
+  (you got a warning on daemon startup when using deprecated options): you can
+  check your configuration using `ngircd --configtest` -- which is a good idea
+  anyway ;-)
+
+- Setting modes for predefined channels in *[Channel]* sections has been
+  enhanced: now you can set *all* modes, like in IRC "MODE" commands, and have
+  this setting multiple times per *[Channel]* block. Modifying lists (ban list,
+  invite list, exception list) is supported, too.
+
+  Both the *Key* and *MaxUsers* settings are now deprecated and should be
+  replaced by `Modes = +l <limit>` and `Modes = +k <key>` respectively.
+
+Differences to version 22.x
+
+- The *NoticeAuth* `ngircd.conf` configuration variable has been renamed to
+  *NoticeBeforeRegistration*. The old *NoticeAuth* variable still works but
+  is deprecated now.
+
+- The default value of the SSL *CipherList* variable has been changed to
+  "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0"
+  (GnuTLS) to disable the old SSLv3 protocol by default.
+
+  To enable connections of clients still requiring the weak SSLv3 protocol,
+  the *CipherList* must be set to its old value (not recommended!), which
+  was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below.
+
+Differences to version 20.x
+
+- Starting with ngIRCd 21, the ciphers used by SSL are configurable and
+  default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+  Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT"
+  and "NORMAL" respectively.
+
+- When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching
+  the new mask will be KILL'ed. This was not the case with earlier versions
+  that only added the mask but didn't kill already connected users.
+
+- The *PredefChannelsOnly* configuration variable has been superseded by the
+  new *AllowedChannelTypes* variable. It is still supported and translated to
+  the appropriate *AllowedChannelTypes* setting but is deprecated now.
+
+Differences to version 19.x
+
+- Starting with ngIRCd 20, users can "cloak" their hostname only when the
+  configuration variable *CloakHostModeX* (introduced in 19.2) is set.
+  Otherwise, only IRC operators, other servers, and services are allowed to
+  set mode +x. This prevents regular users from changing their hostmask to
+  the name of the IRC server itself, which confused quite a few people ;-)
+
+Differences to version 17.x
+
+- Support for ZeroConf/Bonjour/Rendezvous service registration has been
+  removed. The configuration option *NoZeroconf* is no longer available.
+
+- The structure of `ngircd.conf` has been cleaned up and three new configuration
+  sections have been introduced: *[Limits]*, *[Options]*, and *[SSL]*.
+
+  Lots of configuration variables stored in the *[Global]* section are now
+  deprecated there and should be stored in one of these new sections (but
+  still work in *[Global]*):
+
+  - *AllowRemoteOper*    -> [Options]
+  - *ChrootDir*          -> [Options]
+  - *ConnectIPv4*        -> [Options]
+  - *ConnectIPv6*        -> [Options]
+  - *ConnectRetry*       -> [Limits]
+  - *MaxConnections*     -> [Limits]
+  - *MaxConnectionsIP*   -> [Limits]
+  - *MaxJoins*           -> [Limits]
+  - *MaxNickLength*      -> [Limits]
+  - *NoDNS*              -> [Options], and renamed to *DNS*
+  - *NoIdent*            -> [Options], and renamed to *Ident*
+  - *NoPAM*              -> [Options], and renamed to *PAM*
+  - *OperCanUseMode*     -> [Options]
+  - *OperServerMode*     -> [Options]
+  - *PingTimeout*        -> [Limits]
+  - *PongTimeout*        -> [Limits]
+  - *PredefChannelsOnly* -> [Options]
+  - *SSLCertFile*        -> [SSL], and renamed to *CertFile*
+  - *SSLDHFile*          -> [SSL], and renamed to *DHFile*
+  - *SSLKeyFile*         -> [SSL], and renamed to *KeyFile*
+  - *SSLKeyFilePassword* -> [SSL], and renamed to *KeyFilePassword*
+  - *SSLPorts*           -> [SSL], and renamed to *Ports*
+  - *SyslogFacility*     -> [Options]
+  - *WebircPassword*     -> [Options]
+
+  You should adjust your `ngircd.conf` and run `ngircd --configtest` to make
+  sure that your settings are correct and up to date!
+
+Differences to version 16.x
+
+- Changes to the *MotdFile* specified in `ngircd.conf` now require a ngIRCd
+  configuration reload to take effect (HUP signal, *REHASH* command).
+
+Differences to version 0.9.x
+
+- The option of the configure script to enable support for Zeroconf/Bonjour/
+  Rendezvous/WhateverItIsNamedToday has been renamed:
+
+  - `--with-rendezvous`  ->  `--with-zeroconf`
+
+Differences to version 0.8.x
+
+- The maximum length of passwords has been raised to 20 characters (instead
+  of 8 characters). If your passwords are longer than 8 characters then they
+  are cut at an other position now.
+
+Differences to version 0.6.x
+
+- Some options of the configure script have been renamed:
+
+  - `--disable-syslog`  ->  `--without-syslog`
+  - `--disable-zlib`    ->  `--without-zlib`
+
+  Please call `./configure --help` to review the full list of options!
+
+Differences to version 0.5.x
+
+- Starting with version 0.6.0, other servers are identified using asynchronous
+  passwords: therefore the variable *Password* in *[Server]*-sections has been
+  replaced by *MyPassword* and *PeerPassword*.
+
+- New configuration variables, section *[Global]*: *MaxConnections*, *MaxJoins*
+  (see example configuration file `doc/sample-ngircd.conf`!).
+
+## Standard Installation
+
+*Note*: This sections describes installing ngIRCd *from sources*. If you use
+packages available for your operating system distribution you should skip over
+and continue with the *Configuration* section, see below.
+
+ngIRCd is developed for UNIX-based systems, which means that the installation
+on modern UNIX-like systems that are supported by GNU autoconf and GNU
+automake ("`configure` script") should be no problem.
+
+The normal installation procedure after getting (and expanding) the source
+files (using a distribution archive or Git) is as following:
+
+1) Satisfy prerequisites
+2) `./autogen.sh` [only necessary when using "raw" sources with Git]
+3) `./configure`
+4) `make`
+5) `make install`
+
+(Please see details below!)
+
+Now the newly compiled executable "ngircd" is installed in its standard
+location, `/usr/local/sbin/`.
+
+If no previous version of the configuration file exists (the standard name
+is `/usr/local/etc/ngircd.conf)`, a sample configuration file containing all
+possible options will be installed there. You'll find its template in the
+`doc/` directory: `sample-ngircd.conf`.
+
+The next step is to configure and afterwards start the daemon. See the section
+*Configuration* below.
+
+### Satisfy prerequisites
+
+When building from source, you'll need some other software to build ngIRCd:
+for example a working C compiler, make tool, and a few libraries depending on
+the feature set you want to enable at compile time (like IDENT, SSL, and PAM).
+
+And if you aren't using a distribution archive ("tar.gz" file), but cloned the
+plain source archive, you need a few additional tools to generate the build
+system itself: GNU automake and autoconf, as well as pkg-config.
+
+If you are using one of the "big" operating systems or Linux distributions,
+you can use the following commands to install all the required packages to
+build the sources including all optional features and to run the test suite:
+
+#### Red Hat / Fedora based distributions
+
+``` shell
+  yum install \
+    autoconf automake expect gcc glibc-devel gnutls-devel \
+    libident-devel make pam-devel pkg-config tcp_wrappers-devel \
+    telnet zlib-devel
+```
+
+*Note:* More recent versions use the DNF package manager; so substitute "yum"
+with "dnf" in the command above. And neither "libident-devel" (IDENT support)
+nor "tcp_wrappers-devel" (TCP Wrappers) are provided any more!
+
+So the resulting command looks like this:
+
+``` shell
+  dnf install \
+    autoconf automake expect gcc glibc-devel gnutls-devel \
+    make pam-devel pkg-config telnet zlib-devel
+```
+
+#### Debian / Ubuntu based distributions
+
+``` shell
+  apt-get install \
+    autoconf automake build-essential expect libgnutls28-dev \
+    libident-dev libpam-dev pkg-config libwrap0-dev libz-dev telnet
+```
+
+#### ArchLinux based distributions
+
+``` shell
+  pacman -S --needed \
+    autoconf automake expect gcc gnutls inetutils libident libwrap \
+    make pam pkg-config zlib
+```
+
+#### macOS with Homebrew
+
+To build ngIRCd on Apple macOS, you need either Xcode or the command line
+development tools. You can install the latter with the `xcode-select --install`
+command.
+
+Additional tools and libraries that are not part of macOS itself are best
+installed with the [Homebrew](https://brew.sh) package manager:
+
+``` shell
+  brew install autoconf automake gnutls libident pkg-config
+```
+
+Note: To actually use the GnuTLS and IDENT libraries installed by Homebrew, you
+need to pass the installation path to the `./configure` command (see below). For
+example like this:
+
+``` shell
+  ./configure --with-gnutls=$(brew --prefix) --with-ident=$(brew --prefix) [...]
+```
+
+### `./autogen.sh`
+
+The first step, to run `./autogen.sh`, is *only* necessary if the `configure`
+script itself isn't already generated and available. This never happens in
+official ("stable") releases in "tar.gz" archives, but when cloning the source
+code repository using Git.
+
+**This step is therefore only interesting for developers!**
+
+The `autogen.sh` script produces the `Makefile.in`'s, which are necessary for
+the configure script itself, and some more files for `make(1)`.
+
+To run `autogen.sh` you'll need GNU autoconf, GNU automake and pkg-config: at
+least autoconf 2.61 and automake 1.10 are required, newer is better. But don't
+use automake 1.12 or newer for creating distribution archives: it will work
+but lack "de-ANSI-fication" support in the generated Makefile's! Stick with
+automake 1.11.x for this purpose ...
+
+So *automake 1.11.x* and *autoconf 2.67+* is recommended.
+
+Again: "end users" do not need this step and neither need GNU autoconf nor GNU
+automake at all!
+
+### `./configure`
+
+The `configure` script is used to detect local system dependencies.
+
+In the perfect case, `configure` should recognize all needed libraries, header
+files and so on. If this shouldn't work, `./configure --help` shows all
+possible options.
+
+In addition, you can pass some command line options to `configure` to enable
+and/or disable some features of ngIRCd. All these options are shown using
+`./configure --help`, too.
+
+Compiling a static binary will avoid you the hassle of feeding a chroot dir
+(if you want use the chroot feature). Just do something like:
+
+``` shell
+  CFLAGS=-static ./configure [--your-options ...]
+```
+
+Then you can use a void directory as ChrootDir (like OpenSSH's `/var/empty`).
+
+### `make`
+
+The `make(1)` command uses the `Makefile`'s produced by `configure` and
+compiles the ngIRCd daemon.
+
+### `make install`
+
+Use `make install` to install the server and a sample configuration file on
+the local system. Normally, root privileges are necessary to complete this
+step. If there is already an older configuration file present, it won't be
+overwritten.
+
+These files and folders will be installed by default:
+
+- `/usr/local/sbin/ngircd`: executable server
+- `/usr/local/etc/ngircd.conf`: sample configuration (if not already present)
+- `/usr/local/share/doc/ngircd/`: documentation
+- `/usr/local/share/man/`: manual pages
+
+### Additional features
+
+The following optional features can be compiled into the daemon by passing
+options to the `configure` script. Most options can handle a `<path>` argument
+which will be used to search for the required libraries and header files in
+the given paths (`<path>/lib/...`, `<path>/include/...`) in addition to the
+standard locations.
+
+- Syslog Logging (autodetected by default):
+
+  `--with-syslog[=<path>]` / `--without-syslog`
+
+  Enable (disable) support for logging to "syslog", which should be
+  available on most modern UNIX-like operating systems by default.
+
+- ZLib Compression (autodetected by default):
+
+  `--with-zlib[=<path>]` / `--without-zlib`
+
+  Enable (disable) support for compressed server-server links.
+  The Z compression library ("libz") is required for this option.
+
+- IO Backend (autodetected by default):
+
+  - `--with-select[=<path>]` / `--without-select`
+  - `--with-poll[=<path>]` / `--without-poll`
+  - `--with-devpoll[=<path>]` / `--without-devpoll`
+  - `--with-epoll[=<path>]` / `--without-epoll`
+  - `--with-kqueue[=<path>]` / `--without-kqueue`
+
+  ngIRCd can use different IO "backends": the "old school" `select(2)` and
+  `poll(2)` API which should be supported by most UNIX-like operating systems,
+  or the more efficient and flexible `epoll(7)` (Linux >=2.6), `kqueue(2)`
+  (BSD) and `/dev/poll` APIs.
+
+  By default the IO backend is autodetected, but you can use `--without-xxx`
+  to disable a more enhanced API.
+
+  When using the `epoll(7)` API, support for `select(2)` is compiled in as
+  well by default, to enable the binary to run on older Linux kernels (<2.6),
+  too.
+
+- IDENT-Support:
+
+  `--with-ident[=<path>]`
+
+  Include support for IDENT ("AUTH") lookups. The "ident" library is
+  required for this option.
+
+- TCP-Wrappers:
+
+  `--with-tcp-wrappers[=<path>]`
+
+  Include support for Wietse Venemas "TCP Wrappers" to limit client access
+  to the daemon, for example by using `/etc/hosts.{allow|deny}`.
+  The "libwrap" is required for this option.
+
+- PAM:
+
+  `--with-pam[=<path>]`
+
+  Enable support for PAM, the Pluggable Authentication Modules library.
+  See `doc/PAM.txt` for details.
+
+- SSL:
+
+  - `--with-openssl[=<path>]`
+  - `--with-gnutls[=<path>]`
+
+  Enable support for SSL/TLS using OpenSSL or GnuTLS libraries.
+  See `doc/SSL.md` for details.
+
+- IPv6 (autodetected by default):
+
+  `--enable-ipv6` / `--disable-ipv6`
+
+  Enable (disable) support for version 6 of the Internet Protocol, which should
+  be available on most modern UNIX-like operating systems by default.
--- a/Makefile.am
+++ b/Makefile.am
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -9,13 +9,19 @@
 # Please read the file COPYING, README and AUTHORS for more information.
 #

-AUTOMAKE_OPTIONS = gnu
-
 SUBDIRS = doc src man contrib

-EXTRA_DIST = autogen.sh configure.ng .clang_complete .mailmap
+EXTRA_DIST = \
+	AUTHORS.md \
+	INSTALL.md \
+	README.md \
+	autogen.sh \
+	configure.ng \
+	.clang_complete \
+	.dockerignore \
+	.mailmap

-clean-local: osxpkg-clean
+clean-local:
 	rm -f build-stamp*

 maintainer-clean-local:
@ -25,69 +31,18 @@ maintainer-clean-local:
 	rm -f config.log debian

 testsuite:
-	cd src/testsuite && make check
-
-lint:
-	cd src/ngircd && make lint
+	${MAKE} -C src/testsuite check

 srcdoc:
-	cd doc && make srcdoc
-
-have-xcodebuild:
-	@xcodebuild -project contrib/MacOSX/ngIRCd.xcodeproj -list \
-	 >/dev/null 2>&1 \
-	 || ( echo; echo "Error: \"xcodebuild\" not found!"; echo; exit 1 )
-
-have-packagemaker:
-	@packagemaker >/dev/null 2>&1; [ $$? -le 1 ] \
-	 || ( echo; echo "Error: \"packagemaker\" not found!"; echo; exit 2)
-
-xcode: have-xcodebuild
-	rel=`git describe|sed -e 's/rel-//g'|sed -e 's/-/~/'`; \
-	 def="GCC_PREPROCESSOR_DEFINITIONS=\"VERSION=\\\"$$rel\\\"\""; \
-	 xcodebuild -project contrib/MacOSX/ngIRCd.xcodeproj -alltargets \
-	 -configuration Default $$def build
-
-xcode-clean: have-xcodebuild
-	xcodebuild -project contrib/MacOSX/ngIRCd.xcodeproj -alltargets \
-	 -configuration Default clean
-	rm -fr contrib/MacOSX/build
+	${MAKE} -C doc/src srcdoc

 rpm: distcheck
-	rpm -ta ngircd-*.tar.gz
+	rpmbuild -ta ngircd-$(VERSION).tar.gz

 deb:
 	[ -f debian/rules ] || ln -s contrib/Debian debian
-	dpkg-buildpackage -rfakeroot -i
+	dpkg-buildpackage --build=binary

-osxpkg: have-packagemaker osxpkg-dest
-	cd contrib/MacOSX && packagemaker --no-recommend \
-	 --doc ngIRCd.pmdoc \
-	 --out ../../$(distdir).mpkg
-	rm -f $(distdir).mpkg.zip
-	zip -ro9 $(distdir).mpkg.zip $(distdir).mpkg
-	make osxpkg-clean
-
-osxpkg-clean:
-	[ ! -r ngircd.dest ] || sudo -n rm -rf ngircd.dest
-	rm -rf ngircd.dest $(distdir).mpkg
-
-osxpkg-dest: have-xcodebuild osxpkg-clean clean
-	./configure --prefix=/opt/ngircd
-	make xcode
-	make -C contrib/MacOSX de.barton.ngircd.plist
-	mkdir -p ngircd.dest/opt/ngircd/sbin
-	DESTDIR="$$PWD/ngircd.dest" make -C doc install
-	DESTDIR="$$PWD/ngircd.dest" make -C contrib install
-	DESTDIR="$$PWD/ngircd.dest" make -C man install
-	cp contrib/MacOSX/build/Default/ngIRCd \
-	 ngircd.dest/opt/ngircd/sbin/ngircd
-	rm ngircd.dest/opt/ngircd/etc/ngircd.conf
-	echo "Have a nice day IRCing!" >ngircd.dest/opt/ngircd/etc/ngircd.motd
-	chmod -R a-s,og-w,a+rX ngircd.dest
-	sudo chown -R root:wheel ngircd.dest
-
-.PHONY: deb have-packagemaker have-xcodebuild lint osxpkg osxpkg-clean \
-	osxpkg-dest rpm srcdoc testsuite xcode xcode-clean
+.PHONY: deb rpm srcdoc testsuite

 # -eof-
--- a/213
+++ b/213
@ -2,12 +2,221 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2017 Alexander Barton and Contributors.
+               (c)2001-2024 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

                                  -- NEWS --

+ngIRCd 27 (2024-04-26)
+
+  - Add an example filter file for "Fail2Ban": contrib/ngircd-fail2ban.conf.
+
+  ngIRCd 27~rc1 (2024-04-13)
+  - Validate certificates on server links. Up to now, ngIRCd optionally used
+    SSL/TLS encrypted server-server links but never checked and validated any
+    certificates. Now ngIRCd validates SSL/TLS certificates on outgoing
+    server-server links by default and drops(!) connections when the remote
+    certificate is invalid (for example self-signed, expired, not matching the
+    host name, ...). Therefore you have to make sure that all relevant
+    *certificates are valid* (or to disable certificate validation on this
+    connection using the new `SSLVerify = false` setting in the affected
+    `[Server]` block, where the remote certificate is not valid and you can not
+    fix this issue).
+    The original patch for OpenSSL dates back to 2009 and was written by Florian
+    Westphal and was extended for GnuTLS in 2014 by Christoph Biedl. But it took
+    us another 10 years to bring it to life ... oh my! Many thanks to both
+    Florian and Christoph!
+    Closes #120.
+  - Add support for the "sd_notify" protocol of systemd(8): Periodically
+    "ping" the service manager (every 3 seconds) and set a status message
+    showing current connection statistics which then is included in "systemctl
+    status ngircd.service" output. In addition, this enables using the
+    systemd(8) watchdog functionality ("WatchdogSec") for the "ngircd.service"
+    unit and allows it to use the "notify" service type, which results in
+    better status tracking by the service manager.
+  - Try to set file descriptor limit to its maximum and show info on startup:
+    The number of possible parallel connections is limited by the file
+    descriptor limit of the process (among other things). Therefore try to
+    upgrade the current "soft" limit to its "hard" maximum (but limited to
+    100000 instead of "infinite"), and show an information or even warning when
+    the limit is still less than the configured "MaxConnections" setting. Please
+    note that ngIRCd and its linked libraries (like PAM) need file descriptors
+    not only for incoming and outgoing IRC connections, but for reading files
+    and inter-process communication, too! Therefore the actual connection limit
+    is less(!) than the file descriptor limit!
+  - Add a "Docker file" (contrib/Dockerfile) and corresponding documentation
+    (doc/Container.md) to the project. The resulting container is based on the
+    latest Debian "stable-slim" container and built using a "build container".
+  - No longer use a default built-in value for the "IncludeDir" directive when
+    a configuration file was explicitly specified on the command line using
+    "--config"/"-f": This way no default include directory is scanned when a
+    possibly non-default configuration file is used which (intentionally) did
+    not specify an "IncludeDir" directive. So now you can use "-f /dev/null"
+    for checking all built-in defaults, regardless of any local configuration
+    files in the default drop-in directory (which would have been read in
+    until this change).
+  - The server "Name" in the "[Global]" section of the configuration file no
+    longer needs to be set: When not set (or empty), ngIRCd now tries to
+    deduce a valid IRC server name from the local host name ("node name"),
+    possibly adding a ".host" extension when the host name does not contain a
+    dot (".") which is required in an IRC server name ("ID").
+    This new behavior, with all configuration parameters now being optional,
+    allows running ngIRCd without any configuration file at all.
+  - Autodetect support for IPv6 by default: Until now, IPv6 support was disabled
+    by default, which seems a bit outdated in 2024. Note: You still can pass
+    "--enable-ipv6"/"--disable-ipv6" to the ./configure script to forcefully
+    activate or deactivate IPv6 support.
+  - Do IDENT requests even when DNS lookups are disabled: Up to now disabling
+    DNS in the configuration disabled IDENT lookups as well (for no good
+    reason). Now you can activate/deactivate DNS lookups and IDENT requests
+    completely separately. Thanks for reporting this, Miniontoby!
+    Closes #291.
+  - Allow SSL client-only configurations without keys/certificates: You don't
+    need to configure certificates/keys as long as you don't configure
+    SSL-enabled listening ports. This can make sense when you want to only link
+    your local daemon to an uplink server using SSL and only have clients on
+    your local host or in your fully trusted network, where SSL is not required.
+  - Respect "SSLConnect" option for incoming connections and do not accept
+    incoming plain-text ("non SSL") server connections for servers configured
+    with "SSLConnect" enabled. This change prevents an authenticated
+    client-server being able to force the server-server to send its password
+    on a plain-text connection when SSL/TLS was intended.
+  - Add a new option "Autojoin" to [Channel] blocks: When it is set, ngIRCd
+    automatically joins all local users to this channel on connect. Note: The
+    users must have permissions to access the channel, otherwise joining them
+    will fail!
+    Thanks Ivan Agarkov <i_agarkov@wargaming.net> for the initial patch!
+  - Hide invisible (+i) users on "WHOIS <pattern>": Let's behave like most(?)
+    other IRC daemons (at least ircd2.11) and hide all +i users when WHOIS is
+    used with a pattern. Otherwise privacy of this users is not guaranteed and
+    the +i mode a bit useless ...
+    Reported by Cahata on #ngircd, thanks!
+  - Make the debug log level ("--debug"/-"d" command line option) always
+    available, not only when ./configure'd with "--enable-debug": the latter
+    now only enables additional checks (like the tests done using assert(2))
+    and is signalled by adding "+DEBUG" to the version "feature string". This
+    change enables everyone to get even more detailed logging when required.
+  - Allow IRC Operators to use the WHO command on any channel.
+  - Send the NAMES list and channel topic to users "forcefully" joined to a
+    channel using NJOIN, like they joined on their own using JOIN, and
+    streamline the order of NAMES list and channel topic messages.
+    Closes #288.
+  - Added a new command line option "-y"/"--syslog", with which logging to
+    syslog can be activated/deactivated separately from running on the console
+    (using "--nodaemon") or in the background.
+    Thanks Katherine Peeters for the patch and pull request!
+    Closes #294.
+  - Update, enhance and extend our documentation in README.md, INSTALL.md,
+    doc/HowToRelease.txt and the manual pages ngircd(8) and ngircd.conf(5), add
+    a new doc/QuickStart.md document, and convert some more documentation files
+    to Markdown (AUTHORS.md, contrib/README.md, doc/FAQ.md, doc/SSL.md).
+
+ngIRCd 26.1 (2021-01-02)
+
+  - This release is a bugfix release only, without new features.
+
+ngIRCd 26 (2020-06-20)
+
+  ngIRCd 26~rc2 (2020-06-11)
+  - Add AppStream metadata file (contrib/de.barton.ngircd.metainfo.xml).
+  - Various bug fixes, see the ChangeLog. No new or changed functionality.
+
+  ngIRCd 26~rc1 (2020-05-10)
+  - Allow up to 512 characters per line in MOTD and help text files (but keep
+    in mind that lines can't get that long, because they have to be prefixed
+    before being sent to the client). But this allows for more fancy MOTDs :-)
+    Closes #271.
+  - Show the actually allowed channel types in the ISUPPORT(005) numeric which
+    are configured by the "AllowedChannelTypes" configuration variable.
+    Closes #273.
+  - Handle commands in the read buffer before reading more data and don't wait
+    for the network in this case: If there are more bytes in the read buffer
+    already than a single valid IRC command can get long (513 bytes), wait for
+    this/those command(s) to be handled first and don't try to read even more
+    data from the network (which most probably would overflow the read buffer
+    of this connection soon).
+  - Log G-/K-Line changes only when not initiated by a server: this prevents
+    the log from becoming spammed during "net bursts".
+  - Update test suite to include SSL tests, including checking for reloading
+    certificates during runtime.
+  - Add support for GnuTLS certificate reload, which is quite handy when using
+    Let's Encrypt, for example. Until now this was only supported when linked
+    with OpenSSL. Thanks a lot, Hilko Bengen <bengen@hilluzination.de>!
+  - Allow setting arbitrary channel modes in the configuration file by handling
+    them like in MODE commands, and allow multiple "Modes =" lines per [Channel]
+    section. Thanks to Michi <michi+ngircd@dataswamp.org>!
+    Closes #55.
+  - Add "FNC" (forced nick changes) to ISUPPORT(005) numeric. Most probably
+    this doesn't make any difference to any client, but it seems correct.
+    See <http://www.irc.org/tech_docs/005.html> for details.
+  - Enhance handling of command line errors, and return with exit code 0 ("no
+    error") when "--help" or "--version" is used (which resulted in exit code 1,
+    "error" before). Exit with code 2 ("command line error") for all other
+    invalid command line options, and show the error message itself on stderr
+    (instead of stdout and exit code 1, "generic error", as before).
+    This new behavior is more in line with the GNU "coding standards",
+    see <https://www.gnu.org/prep/standards/html_node/_002d_002dhelp.html>.
+  - Add ./contrib/nglog.sh: This script parses the log output of ngircd(8),
+    and colorizes the messages according to their log level. Example usage:
+    ngircd -f $PWD/doc/sample-ngircd.conf -np | ./contrib/nglog.sh
+  - Enlarge buffers of info texts to 128 bytes. This includes:
+    - "Real name" of a client (4th filed of the USER command).
+    - Server info text ("Info" configuration option).
+    - Admin info texts and email address ("AdminInfo1", "AdminInfo2" and
+      "AdminEmail" configuration options).
+    - Network name ("Network" configuration option).
+    The limit was 64 bytes before ...
+    Closes #258.
+  - Streamline handling of invalid and unset server name: Don't exit during
+    runtime (REHASH command, HUP signal), because the server name can't be
+    changed in this case anyway and the new invalid name will be ignored.
+  - Slightly reorder startup steps, and enhance logging:
+    - Show name of configuration file at the beginning of start up.
+    - Add a message when ngIRCd is ready, including its host name.
+    - Show name of configuration file on REHASH (SIGHUP), too.
+    - Change level of "done message" to NOTICE, like "starting" & "ready".
+    - Initialize IO functions before channels, connections, clients, ...
+  - configure.ng: OpenSSL can depends on lz or latomic so use pkg-config to
+    find those dependencies and fallback to existing mechanism.
+    Closes #256.
+
+ngIRCd 25 (2019-01-23)
+
+  - Implement new configuration option "MaxPenaltyTime", which configures the
+    maximum penalty time increase in seconds, per penalty event. Set to -1 for
+    no limit (the default), 0 to disable penalties altogether. ngIRCd doesn't
+    use penalty increases higher than 2 seconds during normal operation, so
+    values higher than 1 rarely make sense.
+    Disabling (or reducing) penalties can greatly speed up "make check" runs
+    for example, see below, but are mostly a debugging feature and normally
+    not meant to be used on production systems!
+    Some example timings running "make check" from my macOS workstation:
+     - MaxPenaltyTime not set: 4:41,79s
+     - "MaxPenaltyTime = 1":   3:14,71s
+     - "MaxPenaltyTime = 0":     25,46s
+    Closes #249 and #251.
+  - Update Xcode project for latest Xcode version (10.0)
+  - Allow a 5th parameter in WEBIRC. Thanks to "ItsOnlyBinary".
+    Closes #247.
+
+  ngIRCd 25~rc1 (2018-08-11)
+  - Only send TOPIC updates to a channel when the topic actually changed:
+    This prevents the channel from becoming flooded by unnecessary TOPIC update
+    messages, that can happen when IRC services try to enforce a certain topic
+    but which is already set (at least on the local server), for example.
+    Therefore still forward it to all servers, but don't inform local clients
+    (still update setter and timestamp information, though!).
+  - Update Xcode project for latest Xcode version (9.2). This includes adding
+    missing and deleting obsolete file references.
+  - Handle user mode "C" ("Only users that share a channel are allowed to send
+    messages") like user mode "b" ("block private messages and notices"): allow
+    messages from servers, services, and IRC Operators, too. Change proposed by
+    "wowaname" back in 2015 in #ngircd, thanks!
+  - Allow IRC Ops and remote servers to KILL service clients: such clients
+    behave like regular users, therefore IRC operators and servers should be
+    able to KILL them: for example to resolve nick collisions.
+    Closes #242.

 ngIRCd 24 (2017-01-20)

@ -261,7 +470,7 @@ ngIRCd 20.2 (2013-02-15)

  - This release is a bugfix release only, without new features.
  - Security: Fix a denial of service bug in the function handling KICK
-    commands that could be used by arbitrary users to to crash the daemon
+    commands that could be used by arbitrary users to crash the daemon
    (CVE-2013-1747).

 ngIRCd 20.1 (2013-01-02)
--- a/89
+++ b/89
@ -1,89 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-                           http://ngircd.barton.de/
-
-               (c)2001-2017 Alexander Barton and Contributors.
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                                -- README --
-
-
-I. Introduction
-~~~~~~~~~~~~~~~
-
-ngIRCd is a free, portable and lightweight Internet Relay Chat server for
-small or private networks, developed under the GNU General Public License
-(GPL; please see the file COPYING for details). It is simple to configure,
-can cope with dynamic IP addresses, and supports IPv6 as well as SSL. It is
-written from scratch and not based on the original IRCd.
-
-The name ngIRCd means next generation IRC daemon, which is a little bit
-exaggerated: lightweight Internet Relay Chat server most probably would be a
-better name :-)
-
-Please see the INSTALL document for installation and upgrade information!
-
-
-II. Status
-~~~~~~~~~~~
-
-ngIRCd should be quite feature complete and stable to be used as daemon in
-real world IRC networks.
-
-It is not the goal of ngIRCd to implement all the nasty behaviors of the
-original ircd, but to implement most of the useful commands and semantics
-specified by the RFCs that are used by existing clients.
-
-
-III. Features (or: why use ngIRCd?)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
- Well arranged (lean) configuration file.
- Simple to build, install, configure, and maintain.
- Supports IPv6 and SSL.
- Can use PAM for user authentication.
- Lots of popular user and channel modes are implemented.
- Supports "cloaking" of users.
- No problems with servers that have dynamic IP addresses.
- Freely available, modern, portable and tidy C source.
- Wide field of supported platforms, including AIX, A/UX, FreeBSD, HP-UX,
-  IRIX, Linux, Mac OS X, NetBSD, OpenBSD, Solaris, and Windows with Cygwin.
- ngIRCd is being actively developed since 2001.
-
-
-IV. Documentation
-~~~~~~~~~~~~~~~~~
-
-More documentation can be found in the "doc/" directory and the homepage of
-ngIRCd: <http://ngircd.barton.de/>.
-
-
-V. Download
-~~~~~~~~~~~
-
-The homepage of the ngIRCd is <http://ngircd.barton.de/>; you will find
-the newest information about the ngIRCd and the most recent ("stable")
-releases there.
-
-Visit our source code repository at GitHub if you are interested in the
-latest development version: <https://github.com/ngircd/ngircd>.
-
-
-VI. Problems, Bugs, Patches
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Please don't hesitate to contact us if you encounter problems:
-
- On IRC: <irc://irc.barton.de/ngircd>
- Via the mailing list: <ngircd-ml@ngircd.barton.de>
-
-See <http://ngircd.barton.de/support.php> for details.
-
-If you find bugs in ngIRCd (which will be there most probably ...), please
-report them to our issue tracker at GitHub:
-
- Bug tracker: <https://github.com/ngircd/ngircd/issues>
- Patches, "pull requests": <https://github.com/ngircd/ngircd/pulls>
-
-There you can read about known bugs and limitations, too.
--- a/README.md
+++ b/README.md
@ -0,0 +1,101 @@
+# [ngIRCd](https://ngircd.barton.de) - Internet Relay Chat Server
+
+## Introduction
+
+*ngIRCd* is a free, portable and lightweight *Internet Relay Chat* ([IRC])
+server for small or private networks, developed under the terms of the GNU
+General Public License ([GPL]); please see the file `COPYING` for licensing
+information.
+
+The server is quite easy to configure and runs as a single-node server or can
+be part of a network of ngIRCd servers in a LAN or across the internet. It
+optionally supports the IPv6 protocol, SSL/TLS-protected client-server and
+server-server links, the Pluggable Authentication Modules (PAM) system for user
+authentication, IDENT requests, and character set conversion for legacy
+clients.
+
+The name ngIRCd stands for *next-generation IRC daemon*, which is a little bit
+exaggerated: *lightweight Internet Relay Chat server* most probably would have
+been a better name :-)
+
+## Status
+
+Development of *ngIRCd* started back in 2001: The server has been written from
+scratch in C, tries to follow all relevant standards, and is not based on the
+forefather, the daemon of the IRCNet.
+
+It is not the goal of ngIRCd to implement all the nasty behaviors of the
+original `ircd` or corner-cases in the RFCs, but to implement most of the useful
+commands and semantics that are used by existing clients.
+
+*ngIRCd* is used as the daemon in real-world in-house and public IRC networks
+and included in the package repositories of various operating systems.
+
+## Advantages and strengths
+
+- Well arranged (lean) configuration file.
+- Simple to build, install, configure, and maintain.
+- Supports IPv6 and SSL.
+- Can use PAM for user authentication.
+- Lots of popular user and channel modes are implemented.
+- Supports "cloaking" of users.
+- No problems with servers that have dynamic IP addresses.
+- Freely available, modern, portable and tidy C source.
+- Wide field of supported platforms, including AIX, A/UX, FreeBSD, HP-UX,
+  IRIX, Linux, macOS, NetBSD, OpenBSD, Solaris and Windows with WSL or Cygwin.
+
+## Documentation
+
+The **homepage** of the ngIRCd project is <https://ngircd.barton.de>.
+
+The `INSTALL.md` document describes how to _install_ and _upgrade_ ngIRCd. It
+is included in all distribution archives and available online on
+[GitHub](https://github.com/ngircd/ngircd/blob/master/INSTALL.md).
+
+Please see the file `doc/QuickStart.md` in the `doc/` directory or on
+[GitHub](https://github.com/ngircd/ngircd/blob/master/doc/QuickStart.md) for
+information about _setting up_ and _running_ ngIRCd, including some real-world
+configuration examples.
+
+More information can be found in a couple of files in the `doc/` directory
+(online on [GitHub](https://github.com/ngircd/ngircd/tree/master/doc)) and in
+the [documentation section](https://ngircd.barton.de/documentation) on the
+[homepage of ngIRCd](https://ngircd.barton.de).
+
+In addition, ngIRCd comes with two _manual pages_: `ngircd(8)` (for the daemon)
+and `ngircd.conf(5)` (for its configuration file). They have even more details
+and list all possible command line parameters and configuration options. You
+can read them with the `man` command (when they are installed locally on your
+system, e.g. `man 8 ngircd` and `man 5 ngircd.conf`) or online here:
+
+- Daemon:
+  [ngircd(8)](https://ngircd.barton.de/man/ngircd.8.html)
+- Configuration file:
+  [ngircd.conf(5)](https://ngircd.barton.de/man/ngircd.conf.5.html)
+
+## Downloads & Source Code
+
+You can find the latest information about the ngIRCd and the most recent
+stable release on the [news](https://ngircd.barton.de/news) and
+[downloads](https://ngircd.barton.de/download) pages of the homepage.
+
+Visit our source code repository at [GitHub](https://github.com/ngircd/ngircd)
+if you are interested in the latest development code.
+
+## Problems, Bugs, Patches
+
+Please don't hesitate to contact us if you encounter problems:
+
+- On IRC: <irc://irc.barton.de/ngircd>
+- Via the mailing list: <ngircd@lists.barton.de>
+
+See <https://ngircd.barton.de/support> for details.
+
+If you find any bugs in ngIRCd (which most probably will be there ...), please
+report them to our issue tracker at GitHub:
+
+- Bug tracker: <https://github.com/ngircd/ngircd/issues>
+- Patches, "pull requests": <https://github.com/ngircd/ngircd/pulls>
+
+[IRC]: https://wikipedia.org/wiki/Internet_Relay_Chat
+[GPL]: https://wikipedia.org/wiki/GNU_General_Public_License
--- a/autogen.sh
+++ b/autogen.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -60,16 +60,43 @@
 #   and runs it with these arguments: "./configure --prefix=$HOME".
 #

+Check_Tool()
+{
+	searchlist="$1"
+	major="$2"
+	minor="$3"
+
+	for name in $searchlist; do
+		$EXIST "${name}${major}${minor}" >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			echo "${name}${major}${minor}"
+			return 0
+		fi
+		$EXIST "${name}-${major}.${minor}" >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			echo "${name}-${major}.${minor}"
+			return 0
+		fi
+	done
+	return 1
+}
+
 Search()
 {
-	[ $# -eq 2 ] || exit 1
+	[ $# -lt 2 ] && return 1
+	[ $# -gt 3 ] && return 1

 	searchlist="$1"
 	major="$2"
+	minor_pref="$3"
 	minor=99

 	[ -n "$PREFIX" ] && searchlist="${PREFIX}/$1 ${PREFIX}/bin/$1 $searchlist"

+	if [ -n "$minor_pref" ]; then
+		Check_Tool "$searchlist" "$major" "$minor_pref" && return 0
+	fi
+
 	for name in $searchlist; do
 		$EXIST "${name}" >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
@ -83,18 +110,7 @@ Search()
 	done

 	while [ $minor -ge 0 ]; do
-		for name in $searchlist; do
-			$EXIST "${name}${major}${minor}" >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				echo "${name}${major}${minor}"
-				return 0
-			fi
-			$EXIST "${name}-${major}.${minor}" >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
-				echo "${name}-${major}.${minor}"
-				return 0
-			fi
-		done
+		Check_Tool "$searchlist" "$major" "$minor" && return 0
 		minor=$(expr $minor - 1)
 	done
 	return 1
@ -103,7 +119,8 @@ Search()
 Notfound()
 {
 	echo "Error: $* not found!"
-	echo "Please install recent versions of GNU autoconf and GNU automake."
+	echo 'Please install supported versions of GNU autoconf, GNU automake'
+	echo 'and pkg-config: see the INSTALL file for details.'
 	exit 1
 }

@ -139,11 +156,11 @@ fi
 # Try to detect the needed tools when no environment variable already
 # specifies one:
 echo "Searching for required tools ..."
-[ -z "$ACLOCAL" ] && ACLOCAL=$(Search aclocal 1)
+[ -z "$ACLOCAL" ] && ACLOCAL=$(Search aclocal 1 11)
 [ "$VERBOSE" = "1" ] && echo " - ACLOCAL=$ACLOCAL"
 [ -z "$AUTOHEADER" ] && AUTOHEADER=$(Search autoheader 2)
 [ "$VERBOSE" = "1" ] && echo " - AUTOHEADER=$AUTOHEADER"
-[ -z "$AUTOMAKE" ] && AUTOMAKE=$(Search automake 1)
+[ -z "$AUTOMAKE" ] && AUTOMAKE=$(Search automake 1 11)
 [ "$VERBOSE" = "1" ] && echo " - AUTOMAKE=$AUTOMAKE"
 [ -z "$AUTOCONF" ] && AUTOCONF=$(Search autoconf 2)
 [ "$VERBOSE" = "1" ] && echo " - AUTOCONF=$AUTOCONF"
@ -161,6 +178,7 @@ AUTOMAKE_VERSION=$(echo $AUTOMAKE | cut -d'-' -f2-)
 [ -z "$GO" ] && [ -n "$CONFIGURE_ARGS" ] && GO=1

 # Verify that all tools have been found
+command -v pkg-config >/dev/null || Notfound pkg-config
 [ -z "$ACLOCAL" ] && Notfound aclocal
 [ -z "$AUTOHEADER" ] && Notfound autoheader
 [ -z "$AUTOMAKE" ] && Notfound automake
--- a/config.guess
+++ b/config.guess
--- a/config.sub
+++ b/config.sub
--- a/configure.ng
+++ b/configure.ng
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -23,13 +23,13 @@ m4_ifdef([AM_SILENT_RULES],
 # -- Initialisation --

 AC_PREREQ([2.61])
-AC_INIT([ngIRCd],[VERSION_ID],[ngircd-ml@ngircd.barton.de],[ngircd],[http://ngircd.barton.de/])
+AC_INIT([ngIRCd],[VERSION_ID],[ngircd@lists.barton.de],[ngircd],[https://ngircd.barton.de/])

 AC_CONFIG_SRCDIR([src/ngircd/ngircd.c])
 AC_CONFIG_HEADER([src/config.h])
 AC_CANONICAL_HOST

-AM_INIT_AUTOMAKE([-Wall 1.10 ]ng_color_tests)
+AM_INIT_AUTOMAKE([-Wall 1.10 foreign ]ng_color_tests)

 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])

@ -101,6 +101,7 @@ AC_DEFUN([WORKING_GETADDRINFO],[
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
+#include <string.h>
 int
 main(int argc, char **argv)
 {
@ -124,6 +125,20 @@ main(int argc, char **argv)
 	])
 ])

+AC_DEFUN([GCC_W_NO_FORMAT_TRUNC],[
+	result=yes
+	AC_MSG_CHECKING([whether ${CC} accepts -Wno-format-truncation])
+	old_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS -Werror -Wno-format-truncation"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],[],[result=no])
+	echo $result
+	if test "X$result" = "Xyes"; then
+		CFLAGS="$old_cflags -Wno-format-truncation"
+	else
+		CFLAGS="$old_cflags"
+	fi
+])
+
 # -- Hard coded system and compiler dependencies/features/options ... --

 if test "$GCC" = "yes"; then
@ -131,6 +146,7 @@ if test "$GCC" = "yes"; then
 	CFLAGS="$CFLAGS -pipe -W -Wall -Wpointer-arith -Wstrict-prototypes"

 	GCC_STACK_PROTECT_CC
+	GCC_W_NO_FORMAT_TRUNC
 fi

 case "$host_os" in
@ -154,15 +170,32 @@ AC_HEADER_TIME

 # Required header files
 AC_CHECK_HEADERS([ \
-	fcntl.h netdb.h netinet/in.h stdlib.h string.h \
-	strings.h sys/socket.h sys/time.h sys/types.h unistd.h \
+		fcntl.h \
+		netdb.h \
+		netinet/in.h \
+		stdlib.h \
+		string.h \
+		strings.h \
+		sys/socket.h \
+		sys/time.h \
+		sys/types.h \
+		unistd.h \
 	],,AC_MSG_ERROR([required C header missing!]))

 # Optional header files
 AC_CHECK_HEADERS_ONCE([ \
-	arpa/inet.h inttypes.h malloc.h netinet/in_systm.h netinet/ip.h \
-	stdbool.h stddef.h stdint.h varargs.h \
-	])
+	arpa/inet.h \
+	inttypes.h \
+	malloc.h \
+	netinet/in_systm.h \
+	netinet/ip.h \
+	stdbool.h \
+	stddef.h \
+	stdint.h \
+	sys/resource.h \
+	sys/un.h \
+	varargs.h \
+])

 # -- Datatypes --

@ -212,17 +245,51 @@ AC_FUNC_STRFTIME

 # Required functions
 AC_CHECK_FUNCS([ \
-	alarm dup2 endpwent gethostbyaddr gethostbyname gethostname \
-	gettimeofday inet_ntoa memmove memset setsid socket strcasecmp \
-	strchr strcspn strerror strncasecmp strrchr strspn strstr \
+		alarm \
+		dup2 \
+		endpwent \
+		gethostbyaddr \
+		gethostbyname \
+		gethostname \
+		gettimeofday \
+		inet_ntoa \
+		memmove \
+		memset \
+		setsid \
+		socket \
+		strcasecmp \
+		strchr \
+		strcspn \
+		strerror \
+		strncasecmp \
+		strrchr \
+		strspn \
+		strstr \
 	],,
 	AC_MSG_ERROR([required function missing!]))

 # Optional functions
 AC_CHECK_FUNCS_ONCE([
-	arc4random arc4random_stir gai_strerror getnameinfo inet_aton \
-	setgroups sigaction sigprocmask snprintf strdup strlcat strlcpy \
-	strndup strtok_r unsetenv vsnprintf waitpid])
+	arc4random \
+	arc4random_stir \
+	gai_strerror \
+	getnameinfo \
+	inet_aton \
+	setgroups \
+	setrlimit \
+	sigaction \
+	sigprocmask \
+	snprintf \
+	strdup \
+	strlcat \
+	strlcpy \
+	strndup \
+	strsignal \
+	strtok_r \
+	unsetenv \
+	vsnprintf \
+	waitpid \
+])

 WORKING_GETADDRINFO

@ -417,8 +484,12 @@ AC_ARG_WITH(openssl,
 				CPPFLAGS="-I$withval/include $CPPFLAGS"
 				LDFLAGS="-L$withval/lib $LDFLAGS"
 			fi
-			AC_CHECK_LIB(crypto, BIO_s_mem)
-			AC_CHECK_LIB(ssl, SSL_new)
+			PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto],
+				[LIBS="$LIBS $OPENSSL_LIBS" CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
+				AC_DEFINE(HAVE_LIBSSL, 1)],
+				[AC_CHECK_LIB(crypto, BIO_s_mem)
+				AC_CHECK_LIB(ssl, SSL_new)]
+			)
 			AC_CHECK_FUNCS(SSL_new, x_ssl_openssl=yes,
 				AC_MSG_ERROR([Can't enable openssl])
 			)
@ -454,6 +525,8 @@ if test "$x_ssl_openssl" = "yes"; then
 	x_ssl_lib=openssl
 fi

+AM_CONDITIONAL(HAVE_SSL, [test $x_ssl_lib != "no"])
+
 # use TCP wrappers?

 x_tcpwrap_on=no
@ -584,18 +657,24 @@ if test "$x_ircplus_on" = "yes"; then
 fi

 # enable support for IPv6?
-x_ipv6_on=no
+
+x_ipv6_on=yes
 AC_ARG_ENABLE(ipv6,
-	AS_HELP_STRING([--enable-ipv6],
-		       [enable IPv6 protocol support]),
-	if test "$enableval" = "yes"; then x_ipv6_on=yes; fi
+	AS_HELP_STRING([--disable-ipv6],
+		       [disable IPv6 protocol support (autodetected by default)]),
+	[	if test "$enableval" = "no"; then
+			x_ipv6_on=no
+		else
+			AC_CHECK_FUNCS(
+				[getaddrinfo getnameinfo],,
+				AC_MSG_ERROR([required function missing for IPv6 support!])
+			)
+		fi
+	],
+	[	AC_CHECK_FUNCS([getaddrinfo getnameinfo],, x_ipv6_on=no)
+	]
 )
 if test "$x_ipv6_on" = "yes"; then
-	# getaddrinfo() and getnameinfo() are optional when not compiling
-	# with IPv6 support, but are required for IPv6 to work!
-	AC_CHECK_FUNCS([ \
-		getaddrinfo getnameinfo \
-		],,AC_MSG_ERROR([required function missing for IPv6 support!]))
 	AC_DEFINE(WANT_IPV6, 1)
 fi

@ -654,9 +733,6 @@ test -n "$LIBS_END" && LIBS="$LIBS $LIBS_END"
 AC_CONFIG_FILES([ \
 	Makefile \
 	contrib/Debian/Makefile \
-	contrib/MacOSX/Makefile \
-	contrib/MacOSX/ngIRCd.pmdoc/Makefile \
-	contrib/MacOSX/ngIRCd.xcodeproj/Makefile \
 	contrib/Makefile \
 	doc/Makefile \
 	doc/src/Makefile \
--- a/contrib/Debian/.gitignore
+++ b/contrib/Debian/.gitignore
@ -1,16 +1,7 @@
 *.log
 *.debhelper
 *.substvars
+debhelper-build-stamp
 files
 ngircd/
-ngircd-full/
 ngircd.service
-ngircd-full.default
-ngircd-full.init
-ngircd-full.postinst
-ngircd-full.service
-ngircd-full-dbg/
-ngircd-full-dbg.default
-ngircd-full-dbg.init
-ngircd-full-dbg.postinst
-ngircd-full-dbg.service
--- a/contrib/Debian/Makefile.am
+++ b/contrib/Debian/Makefile.am
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2017 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -9,22 +9,22 @@
 # Please read the file COPYING, README and AUTHORS for more information.
 #

-EXTRA_DIST = rules changelog compat control copyright \
-	ngircd.init ngircd.default ngircd.pam ngircd.postinst \
+EXTRA_DIST = \
+	changelog \
+	control \
+	copyright \
+	ngircd.default \
+	ngircd.pam \
+	rules \
+	watch \
 	source/format

 maintainer-clean-local:
 	rm -f Makefile Makefile.in

 clean-local:
-	rm -f ngircd.postinst.debhelper ngircd.postrm.debhelper \
-	 ngircd.prerm.debhelper ngircd.substvars
-	rm -f ngircd-full.postinst.debhelper ngircd-full.postrm.debhelper \
-	 ngircd-full.prerm.debhelper ngircd-full.substvars
-	rm -f ngircd-full-dbg.postinst.debhelper \
-	 ngircd-full-dbg.postrm.debhelper ngircd-full-dbg.prerm.debhelper \
-	 ngircd-full-dbg.substvars
-	rm -rf ngircd ngircd-full ngircd-full-dbg
-	rm -f files
+	rm -f *.log *.debhelper *.substvars
+	rm -f debhelper-build-stamp files ngircd.service
+	rm -rf .debhelper/ ngircd/

 # -eof-
--- a/contrib/Debian/changelog
+++ b/contrib/Debian/changelog
@ -1,3 +1,51 @@
+ngircd (27-0ab1) unstable; urgency=medium
+
+  * New "upstream" release: ngIRCd 27.
+
+ -- Alexander Barton <alex@barton.de>  Fri, 26 Apr 2024 16:52:14 +0200
+
+ngircd (27~rc1-0ab1) unstable; urgency=medium
+
+  * New "upstream" release candidate 1 for ngIRCd Release 27.
+
+ -- Alexander Barton <alex@barton.de>  Sat, 13 Apr 2024 12:26:35 +0200
+
+ngircd (26.1-0ab1) unstable; urgency=medium
+
+  * New "upstream" release: ngIRCd 26.1.
+
+ -- Alexander Barton <alex@barton.de>  Sat, 02 Jan 2021 14:31:51 +0100
+
+ngircd (26-0ab1) unstable; urgency=medium
+
+  * New "upstream" release: ngIRCd 26.
+
+ -- Alexander Barton <alex@barton.de>  Sat, 20 Jun 2020 15:26:46 +0200
+
+ngircd (26~rc2-0ab1) unstable; urgency=low
+
+  * New "upstream" release candidate 2 for ngIRCd Release 26.
+
+ -- Alexander Barton <alex@barton.de>  Thu, 11 Jun 2020 17:21:17 +0200
+
+ngircd (26~rc1-0ab1) unstable; urgency=low
+
+  * New "upstream" release candidate 1 for ngIRCd Release 26.
+
+ -- Alexander Barton <alex@barton.de>  Sun, 10 May 2020 17:13:17 +0200
+
+ngircd (25-0ab1) unstable; urgency=low
+
+  * New "upstream" release: ngIRCd 25.
+
+ -- Alexander Barton <alex@barton.de>  Wed, 23 Jan 2019 23:13:03 +0100
+
+ngircd (25~rc1-0ab1) unstable; urgency=low
+
+  * New "upstream" release candidate 1 for ngIRCd Release 25.
+
+ -- Alexander Barton <alex@barton.de>  Sat, 11 Aug 2018 21:35:08 +0200
+
 ngircd (24-0ab1) unstable; urgency=low

  * New "upstream" release: ngIRCd 24.
--- a/contrib/Debian/compat
+++ b/contrib/Debian/compat
@ -1 +0,0 @@
-9
--- a/contrib/Debian/control
+++ b/contrib/Debian/control
@ -2,65 +2,45 @@ Source: ngircd
 Section: net
 Priority: optional
 Maintainer: Alexander Barton <alex@barton.de>
-Build-Depends: debhelper (>> 9.0.0),
-    autotools-dev,
-    dh-systemd (>= 1.5),
-    expect,
-    libident-dev,
-    libpam0g-dev,
-    libssl-dev,
-    libwrap0-dev,
-    libz-dev,
-    telnet | telnet-ssl,
-Standards-Version: 3.9.1
+Rules-Requires-Root: binary-targets
+Build-Depends: debhelper-compat (= 13),
+ expect,
+ libident-dev,
+ libpam0g-dev,
+ libssl-dev,
+ libz-dev,
+ openssl,
+ procps,
+ telnet | telnet-ssl,
+Standards-Version: 4.6.2
+Homepage: https://ngircd.barton.de
+Vcs-Browser: https://github.com/ngircd/ngircd
+Vcs-Git: https://github.com/ngircd/ngircd.git

 Package: ngircd
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Provides: ircd
-Description: lightweight Internet Relay Chat server
- This package provides ngIRCd, a portable and lightweight Internet Relay
- Chat server for small or private networks, developed under the GNU
- General Public License (GPL). It is simple to configure, can cope with
- dynamic IP addresses, and supports IPv6 as well as SSL. It is written
- from scratch and not based on the original IRCd.
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+Conflicts:
+ ircd,
+Provides:
+ ircd,
+Description: lightweight Internet Relay Chat (IRC) server
+ ngIRCd is a free, portable and lightweight Internet Relay Chat (IRC) server
+ for small or private networks, developed under the terms of the GNU General
+ Public License (GPL).
 .
- This package contains the "standard distribution", including support for
- syslog logging and compressed server-links using zlib. Please have a look
- at the "ngircd-full" package if you need advanced functionality like support
- for IPv6 or SSL.
-
-Package: ngircd-full
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Provides: ircd
-Conflicts: ngircd, ngircd-dbg
-Description: lightweight Internet Relay Chat server
- This package provides ngIRCd, a portable and lightweight Internet Relay
- Chat server for small or private networks, developed under the GNU
- General Public License (GPL). It is simple to configure, can cope with
- dynamic IP addresses, and supports IPv6 as well as SSL. It is written
- from scratch and not based on the original IRCd.
+ The server is quite easy to configure and runs as a single-node server or can
+ be part of a network of ngIRCd servers in a LAN or across the internet. It
+ optionally supports the IPv6 protocol, SSL/TLS-protected client-server and
+ server-server links, the Pluggable Authentication Modules (PAM) system for
+ user authentication, IDENT requests, and character set conversion for legacy
+ clients.
 .
- In addition to the features of the "standard package", this package
- includes support for TCP wrappers, IDENT requests, the IPv6 protocol and
- SSL encrypted client and server links.
-
-Package: ngircd-full-dbg
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Provides: ircd
-Conflicts: ngircd, ngircd-full
-Description: lightweight Internet Relay Chat server
- This package provides ngIRCd, a portable and lightweight Internet Relay
- Chat server for small or private networks, developed under the GNU
- General Public License (GPL). It is simple to configure, can cope with
- dynamic IP addresses, and supports IPv6 as well as SSL. It is written
- from scratch and not based on the original IRCd.
+ The name ngIRCd stands for next-generation IRC daemon, which is a little bit
+ exaggerated: lightweight Internet Relay Chat server most probably would have
+ been a better name :-)
 .
- In addition to the features of the "standard package", this package
- includes support for TCP wrappers, IDENT requests, the IPv6 protocol and
- SSL encrypted client and server links.
- .
- And in addition to the "full" variant, the binaries contained in this
- package are build with debug code and contain debug symbols.
+ This package is built with support for all optional features and uses the
+ OpenSSL library for SSL/TLS support.
--- a/contrib/Debian/copyright
+++ b/contrib/Debian/copyright
@ -1,13 +1,58 @@
-This package was debianized by Alexander Barton <alex@barton.de> on
-Tue, 20 May 2003 15:47:40 +0200.
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://ngircd.barton.de
+Upstream-Name: ngircd
+Upstream-Contact: ngIRCd Mailing List <ngircd@lists.barton.de>

-It was downloaded from ftp://Arthur.Ath.CX/pub/Users/alex/ngircd/
+Files:
+ *
+Copyright:
+ 2001-2024 Alexander Barton <alex@barton.de> and Contributors.
+License: GPL-2.0+
+Comment:
+ See /usr/share/doc/ngircd/AUTHORS.md for the full list of authors and
+ contributors.

-Upstream Author: Alexander Barton <alex@barton.de>
+Files:
+ contrib/de.barton.ngircd.metainfo.xml
+Copyright:
+ 2001-2024 Alexander Barton <alex@barton.de> and Contributors.
+License: MIT
+Comment:
+ See /usr/share/doc/ngircd/AUTHORS.md for the full list of authors and
+ contributors.

-This software is copyright (c) 1999-2003 by Alexander Barton.
+License: GPL-2.0+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+Comment:
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".

-You are free to distribute this software under the terms of the
-GNU General Public License.
-On Debian systems, the complete text of the GNU General Public
-License can be found in /usr/share/common-licenses/GPL file.
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to
+ deal in the Software without restriction, including without limitation the
+ rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ sell copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
--- a/contrib/Debian/ngircd.default
+++ b/contrib/Debian/ngircd.default
@ -1,10 +1,7 @@
 #
-# Defaults for ngIRCd start and stop script
+# Defaults for the ngIRCd daemon
 #

 # Parameters to pass to the ngircd daemon on startup, see ngircd(8) for
 # possible options (default: empty).
-
 PARAMS=""
-
-# -eof-
--- a/contrib/Debian/ngircd.init
+++ b/contrib/Debian/ngircd.init
@ -1,176 +0,0 @@
-#!/bin/sh
-#
-# ngIRCd start and stop script for Debian-based systems
-# Copyright 2008-2015 Alexander Barton <alex@barton.de>
-#
-
-### BEGIN INIT INFO
-# Provides:		ngircd
-# Required-Start:	$network $remote_fs
-# Required-Stop:	$network $remote_fs
-# Should-Start:		$syslog $named
-# Should-Stop:		$syslog
-# Default-Start:	2 3 4 5
-# Default-Stop:		0 1 6
-# Short-Description:	Next Generation IRC Server
-# Description:		IRC daemon written from scratch
-### END INIT INFO
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/ngircd
-NAME=ngIRCd
-DESC="IRC daemon"
-PARAMS=""
-STARTTIME=1
-DIETIME=10
-
-test -h "$0" && me=`readlink $0` || me="$0"
-BASENAME=`basename $me`
-
-test -r /etc/default/$BASENAME && . /etc/default/$BASENAME
-
-test -x $DAEMON || exit 5
-
-# LSB compatibility functions that become used if there is no local
-# include file available.
-log_daemon_msg() {
-	echo -n "$*"
-}
-log_end_msg() {
-	[ "$1" = "0" ] && echo "." || echo " failed!"
-}
-log_failure_msg() {
-	echo "$*"
-}
-log_warning_msg() {
-	log_failure_msg "$*"
-}
-
-# Include LSB functions, if available:
-test -r /lib/lsb/init-functions && . /lib/lsb/init-functions
-
-PIDFILE=`$DAEMON $PARAMS -t | tr -d ' ' | grep "^PidFile=" | cut -d'=' -f2`
-[ -n "$PIDFILE" ] || PIDFILE="/var/run/ircd/ngircd.pid"
-
-r=3
-
-Check_Config()
-{
-	# Make sure that the configuration of ngIRCd is valid:
-	$DAEMON $PARAMS --configtest >/dev/null 2>&1
-	[ $? -eq 0 ] && return 0
-	log_end_msg 1
-	log_failure_msg "Configuration of $NAME is not valid, won't (re)start!"
-	log_failure_msg "Run \"$DAEMON --configtest\" and fix it up ..."
-	exit 6
-}
-
-Prepare() {
-	# Make sure the PID file directory exists and is writable:
-	user=`$DAEMON $PARAMS -t|tr -d ' '|grep "^ServerUID="|cut -d'=' -f2`
-	group=`$DAEMON $PARAMS -t|tr -d ' '|grep "^ServerGID="|cut -d'=' -f2`
-	piddir=`dirname "$PIDFILE"`
-	[ -d "$piddir" ] || mkdir -p "$piddir" 2>/dev/null
-	chown "$user:$group" "$piddir" 2>/dev/null
-	[ $? -eq 0 ] && return 0
-	log_end_msg 1
-	log_failure_msg "Failed to prepare '$piddir' for user '$user'!"
-	exit 1
-}
-
-Do_Start() {
-	if Do_Status; then
-		log_end_msg 0
-		log_warning_msg "$NAME seems to be already running, nothing to do."
-		exit 0
-	fi
-	rm -f "$PIDFILE"
-	start-stop-daemon --start \
-		--quiet --exec $DAEMON -- $PARAMS
-	sleep $STARTTIME
-	Do_Status || return 7
-	return 0
-}
-
-Do_Stop() {
-	if ! Do_Status; then
-		log_end_msg 0
-		log_warning_msg "$NAME seems not to be running, nothing to do."
-		exit 0
-	fi
-	Do_ForceStop
-	return $?
-}
-
-Do_ForceStop() {
-	[ -e $PIDFILE ] \
-		&& pidfile="--pidfile $PIDFILE" \
-		|| pidfile=""
-	start-stop-daemon --stop \
-		--quiet --oknodo --exec $DAEMON $pidfile
-	for i in `seq 1 $DIETIME`; do
-		Do_Status || return 0
-		sleep 1
-	done
-	return 1
-}
-
-Do_Reload() {
-	start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
-	return $?
-}
-
-Do_Status() {
-	[ -e $PIDFILE ] \
-		&& pidfile="--pidfile $PIDFILE" \
-		|| pidfile=""
-	start-stop-daemon --stop \
-		--quiet --signal 0 --exec $DAEMON $pidfile >/dev/null
-	return $?
-}
-
-case "$1" in
-  start)
-	log_daemon_msg "Starting $DESC" "$NAME"
-	Check_Config
-	Prepare
-	Do_Start; r=$?
-	log_end_msg $r
-	;;
-  stop)
-	log_daemon_msg "Stopping $DESC" "$NAME"
-	Do_Stop; r=$?
-	log_end_msg $r
-	;;
-  reload|force-reload)
-	log_daemon_msg "Reloading $DESC" "$NAME"
-	Check_Config
-	Do_Reload; r=$?
-	log_end_msg $r
-	;;
-  restart)
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	Check_Config
-	Prepare
-	Do_ForceStop
-	Do_Start; r=$?
-	log_end_msg $r
-	;;
-  status)
-	log_daemon_msg "Checking for $DESC" "$NAME"
-	Do_Status; r=$?
-	log_end_msg $r
-	;;
-  test)
-	Check_Config
-	echo "Configuration of $DAEMON seems to be ok."; r=0
-	;;
-  *)
-	N=/etc/init.d/$NAME; r=2
-	echo "Usage: $N {start|stop|restart|reload|force-reload|status|test}" >&2
-	;;
-esac
-
-exit $r
-
-# -eof-
--- a/contrib/Debian/ngircd.pam
+++ b/contrib/Debian/ngircd.pam
@ -1,4 +1,10 @@
 # /etc/pam.d/ngircd

-# allow all connections to ngIRCd
-auth required pam_permit.so
+# You have to adjust this configuration to your local setup and needs. Keep in
+# mind that all PAM modules are run with the privileges of the user account the
+# ngIRCd daemon runs as ("irc" by default, not root!), so you can't use PAM
+# modules requiring root privileges (like pam_unix, for example)!
+
+# Log and deny all connections to ngIRCd:
+auth required pam_warn.so
+auth required pam_deny.so
--- a/contrib/Debian/ngircd.postinst
+++ b/contrib/Debian/ngircd.postinst
@ -1,21 +0,0 @@
-#!/bin/sh
-#
-# Debian post-installation script
-#
-
-set -e
-
-case "$1" in
-	configure)
-		if [ -f /etc/ngircd/ngircd.conf ]; then
-			# make sure that the configuration file is not
-			# world-readable, it contains passwords!
-			chmod o= /etc/ngircd/ngircd.conf
-			chgrp irc /etc/ngircd/ngircd.conf
-		fi
-		;;
-esac
-
-#DEBHELPER#
-
-# -eof-
--- a/contrib/Debian/rules
+++ b/contrib/Debian/rules
@ -1,238 +1,72 @@
 #!/usr/bin/make -f
-#
-# ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2016 Alexander Barton (alex@barton.de) and Contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# Please read the file COPYING, README and AUTHORS for more information.
-#
-# debian/rules for ngIRCd
-#
-# Based on the sample debian/rules that uses debhelper,
-# GNU copyright 1997 to 1999 by Joey Hess.
-#

-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
+# See FEATURE AREAS in dpkg-buildflags(1).
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all

-# These are used for cross-compiling and for saving the configure script
-# from having to guess our platform (since we know it already)
-DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+%:
+	dh $@

-CFLAGS = -Wall -g
+# Disable dh_autoreconf since we are using de-ANSI-fication which was removed
+# from automake a while ago. See <https://github.com/ngircd/ngircd/issues/261>.
+override_dh_autoreconf:

-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	INSTALL_PROGRAM += -s
-endif
+override_dh_auto_configure:
+	dh_auto_configure -- \
+	    --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
+	    --prefix=/usr \
+	    --mandir=\$${prefix}/share/man \
+	    --sysconfdir=/etc/ngircd \
+	    --with-iconv \
+	    --with-ident \
+	    --with-openssl \
+	    --with-pam \
+	    --with-syslog \
+	    --with-zlib

-configure-ngircd: configure
-	dh_testdir
+execute_before_dh_auto_install:
+	ln -fs $(CURDIR)/contrib/ngircd.service $(CURDIR)/debian/ngircd.service

-	# configure "standard" variant:
-	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-	  --prefix=/usr \
-	  --sysconfdir=/etc/ngircd \
-	  --mandir=\$${prefix}/share/man \
-	  --docdir=\$${prefix}/share/doc/ngircd \
-	  --with-syslog --with-zlib
+execute_after_dh_auto_install:
+#	Generate the default ngircd.conf:
+	install -o root -g irc -m 0640 -D /dev/null \
+	 $(CURDIR)/debian/ngircd/etc/ngircd/ngircd.conf
+	sed \
+	 -e "s|;ServerUID = 65534|ServerUID = irc|g" \
+	 -e "s|;ServerGID = 65534|ServerGID = irc|g" \
+	 -e "s|;PidFile = /var/run/ngircd/ngircd.pid|PidFile = /run/ircd/ngircd.pid|g" \
+	 -e "s|;PAM = yes|PAM = no|g" \
+	 -e "s|;\[SSL\]|[SSL]|g" \
+	 -e "s|;CAFile = /etc/ssl/CA/cacert.pem|CAFile = /etc/ssl/certs/ca-certificates.crt|g" \
+	 $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/sample-ngircd.conf \
+	 >>$(CURDIR)/debian/ngircd/etc/ngircd/ngircd.conf

-configure-ngircd-full: configure
-	dh_testdir
+#	Create drop-in configuration directory:
+	install -o root -g irc -m 0750 -d \
+	 $(CURDIR)/debian/ngircd/etc/ngircd/ngircd.conf.d

-	# configure "full" variant:
-	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-	  --prefix=/usr \
-	  --sysconfdir=/etc/ngircd \
-	  --mandir=\$${prefix}/share/man \
-	  --docdir=\$${prefix}/share/doc/ngircd-full \
-	  --with-syslog --with-zlib \
-	  --with-openssl --with-iconv --with-ident --with-tcp-wrappers \
-	  --with-pam \
-	  --enable-ipv6
+#	Install an empty MOTD file.
+	install -o root -g irc -m 0640 -D /dev/null \
+	 $(CURDIR)/debian/ngircd/etc/ngircd/ngircd.motd

-configure-ngircd-full-dbg: configure
-	dh_testdir
+#	Install the logcheck(8) configuration.
+	install -o root -g root -m 0644 -D \
+	 $(CURDIR)/contrib/ngircd.logcheck \
+	 $(CURDIR)/debian/ngircd/etc/logcheck/ignore.d.paranoid/ngircd

-	# configure "full debug" variant:
-	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-	  --prefix=/usr \
-	  --sysconfdir=/etc/ngircd \
-	  --mandir=\$${prefix}/share/man \
-	  --docdir=\$${prefix}/share/doc/ngircd-full-dbg \
-	  --enable-debug --enable-sniffer \
-	  --with-syslog --with-zlib \
-	  --with-openssl --with-iconv --with-ident --with-tcp-wrappers \
-	  --with-pam \
-	  --enable-ipv6
+#	Install the fail2ban configuration.
+	install -o root -g root -m 0644 -D \
+	 $(CURDIR)/contrib/ngircd-fail2ban.conf \
+	 $(CURDIR)/debian/ngircd/etc/fail2ban/filter.d/ngircd.conf

-build:
-	dh_prep
+#	Make lintian happy :-)
+	rm $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/COPYING
+	mv $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/ChangeLog \
+	    $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/changelog

-build-ngircd: build-stamp-ngircd
-build-stamp-ngircd: configure-ngircd
-	dh_testdir
-	rm -f build-stamp-*
+override_dh_fixperms:
+#	Preserve the permissions of files installed in /etc/ngircd!
+	dh_fixperms -X/etc/ngircd

-	# Add here commands to compile the "standard" package:
-	$(MAKE)
-
-	touch build-stamp-ngircd
-
-build-ngircd-full: build-stamp-ngircd-full
-build-stamp-ngircd-full: configure-ngircd-full
-	dh_testdir
-	rm -f build-stamp-*
-
-	# Add here commands to compile the "full" package:
-	$(MAKE)
-
-	touch build-stamp-ngircd-full
-
-build-ngircd-full-dbg: build-stamp-ngircd-full-dbg
-build-stamp-ngircd-full-dbg: configure-ngircd-full-dbg
-	dh_testdir
-	rm -f build-stamp-*
-
-	# Add here commands to compile the "full debug" package:
-	$(MAKE)
-
-	touch build-stamp-ngircd-full
-
-clean:
-	dh_testdir
-	dh_testroot
-	rm -f build-stamp*
-	rm -f $(CURDIR)/debian/ngircd.service
-	rm -f $(CURDIR)/debian/ngircd-full.default
-	rm -f $(CURDIR)/debian/ngircd-full.init
-	rm -f $(CURDIR)/debian/ngircd-full.postinst
-	rm -f $(CURDIR)/debian/ngircd-full.service
-	rm -f $(CURDIR)/debian/ngircd-full-dbg.default
-	rm -f $(CURDIR)/debian/ngircd-full-dbg.postinst
-	rm -f $(CURDIR)/debian/ngircd-full-dbg.init
-	rm -f $(CURDIR)/debian/ngircd-full-dbg.service
-
-	# Add here commands to clean up after the build process:
-	[ ! -f Makefile ] || $(MAKE) distclean
-
-ifneq "$(wildcard /usr/share/misc/config.sub)" ""
-	cp -f /usr/share/misc/config.sub config.sub
-endif
-ifneq "$(wildcard /usr/share/misc/config.guess)" ""
-	cp -f /usr/share/misc/config.guess config.guess
-endif
-	dh_clean
-
-install: install-ngircd install-ngircd-full install-ngircd-full-dbg
-
-install-ngircd: build-ngircd
-	dh_testdir
-	dh_testroot
-	dh_installdirs
-
-	# Add here commands to install the "standard" package into debian/ngircd:
-	$(MAKE) install DESTDIR=$(CURDIR)/debian/ngircd
-	rm $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/INSTALL*
-	rm $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/COPYING*
-	cat $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/sample-ngircd.conf | \
-	 sed -e "s|;ServerUID = 65534|ServerUID = irc|g" | \
-	 sed -e "s|;ServerGID = 65534|ServerGID = irc|g" | \
-	 sed -e "s|;PidFile = /var/run/ngircd/ngircd.pid|PidFile = /var/run/ircd/ngircd.pid|g" \
-	 >$(CURDIR)/debian/ngircd/etc/ngircd/ngircd.conf
-	touch $(CURDIR)/debian/ngircd/etc/ngircd/ngircd.motd
-
-install-ngircd-full: build-ngircd-full
-	dh_testdir
-	dh_testroot
-	dh_installdirs
-
-	# Add here commands to install the "full" package into debian/ngircd-full:
-	$(MAKE) install DESTDIR=$(CURDIR)/debian/ngircd-full
-	rm $(CURDIR)/debian/ngircd-full/usr/share/doc/ngircd-full/INSTALL*
-	rm $(CURDIR)/debian/ngircd-full/usr/share/doc/ngircd-full/COPYING*
-	cat $(CURDIR)/debian/ngircd-full/usr/share/doc/ngircd-full/sample-ngircd.conf | \
-	 sed -e "s|;ServerUID = 65534|ServerUID = irc|g" | \
-	 sed -e "s|;ServerGID = 65534|ServerGID = irc|g" | \
-	 sed -e "s|;PidFile = /var/run/ngircd/ngircd.pid|PidFile = /var/run/ircd/ngircd.pid|g" \
-	 >$(CURDIR)/debian/ngircd-full/etc/ngircd/ngircd.conf
-	touch $(CURDIR)/debian/ngircd-full/etc/ngircd/ngircd.motd
-	mkdir -p $(CURDIR)/debian/ngircd-full/etc/pam.d
-	cp $(CURDIR)/debian/ngircd.pam $(CURDIR)/debian/ngircd-full/etc/pam.d/ngircd
-
-install-ngircd-full-dbg: build-ngircd-full-dbg
-	dh_testdir
-	dh_testroot
-	dh_installdirs
-
-	# Add here commands to install the "full" package into debian/ngircd-full:
-	$(MAKE) install DESTDIR=$(CURDIR)/debian/ngircd-full-dbg
-	rm $(CURDIR)/debian/ngircd-full-dbg/usr/share/doc/ngircd-full-dbg/INSTALL*
-	rm $(CURDIR)/debian/ngircd-full-dbg/usr/share/doc/ngircd-full-dbg/COPYING*
-	cat $(CURDIR)/debian/ngircd-full-dbg/usr/share/doc/ngircd-full-dbg/sample-ngircd.conf | \
-	 sed -e "s|;ServerUID = 65534|ServerUID = irc|g" | \
-	 sed -e "s|;ServerGID = 65534|ServerGID = irc|g" | \
-	 sed -e "s|;PidFile = /var/run/ngircd/ngircd.pid|PidFile = /var/run/ircd/ngircd.pid|g" \
-	 >$(CURDIR)/debian/ngircd-full-dbg/etc/ngircd/ngircd.conf
-	touch $(CURDIR)/debian/ngircd-full-dbg/etc/ngircd/ngircd.motd
-	mkdir -p $(CURDIR)/debian/ngircd-full-dbg/etc/pam.d
-	cp $(CURDIR)/debian/ngircd.pam $(CURDIR)/debian/ngircd-full-dbg/etc/pam.d/ngircd
-
-# Build architecture-independent files here.
-binary-indep:
-	# We have nothing to do by default.
-
-# Build architecture-dependent files here.
-binary-arch: build install
-	ln -s $(CURDIR)/contrib/ngircd.service \
-	 $(CURDIR)/debian/ngircd.service
-
-	ln -s $(CURDIR)/debian/ngircd.default \
-	 $(CURDIR)/debian/ngircd-full.default
-	ln -s $(CURDIR)/debian/ngircd.init \
-	 $(CURDIR)/debian/ngircd-full.init
-	ln -s $(CURDIR)/debian/ngircd.postinst \
-	 $(CURDIR)/debian/ngircd-full.postinst
-	cp $(CURDIR)/contrib/ngircd.service \
-	 $(CURDIR)/debian/ngircd-full.service
-	echo "Alias=ngircd.service" >>$(CURDIR)/debian/ngircd-full.service
-
-	ln -s $(CURDIR)/debian/ngircd.default \
-	 $(CURDIR)/debian/ngircd-full-dbg.default
-	ln -s $(CURDIR)/debian/ngircd.init \
-	 $(CURDIR)/debian/ngircd-full-dbg.init
-	ln -s $(CURDIR)/debian/ngircd.postinst \
-	 $(CURDIR)/debian/ngircd-full-dbg.postinst
-	cp $(CURDIR)/contrib/ngircd.service \
-	 $(CURDIR)/debian/ngircd-full-dbg.service
-	echo "Alias=ngircd.service" >>$(CURDIR)/debian/ngircd-full-dbg.service
-
-	dh_testdir
-	dh_testroot
-	dh_installchangelogs -a -A ChangeLog
-	dh_installdocs -a
-	dh_systemd_enable -a
-	dh_installinit -a
-	dh_systemd_start -a
-	dh_strip -a --no-package=ngircd-full-dbg
-	dh_compress -a -XCommands.txt
-	dh_fixperms -a
-	dh_installdeb -a
-	dh_shlibdeps -a
-	dh_gencontrol -a
-	dh_md5sums -a
-	dh_builddeb -a
-
-binary: binary-indep binary-arch
-
-.PHONY: build clean binary-indep binary-arch binary install
-
-# -eof-
+override_dh_compress:
+#	The Commands.txt file is read by the daemon, don't compress it!
+	dh_compress -XCommands.txt
--- a/contrib/Debian/source/format
+++ b/contrib/Debian/source/format
@ -1 +1 @@
-1.0
+3.0 (quilt)
--- a/contrib/Debian/watch
+++ b/contrib/Debian/watch
@ -0,0 +1,10 @@
+# Watch control file for uscan.
+# See uscan(1) for format.
+
+# Compulsory line, this is a version 4 file.
+version=4
+
+# PGP signature mangle, so foo.tar.gz has foo.tar.gz.sig.
+opts="pgpsigurlmangle=s%$%.sig%"
+
+https://arthur.barton.de/pub/@PACKAGE@/@PACKAGE@-([0-9\.]+)@ARCHIVE_EXT@
--- a/contrib/Dockerfile
+++ b/contrib/Dockerfile
@ -0,0 +1,62 @@
+# ngIRCd -- The Next Generation IRC Daemon
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
+
+# Build Container
+
+FROM docker.io/library/debian:stable-slim AS build
+USER root
+RUN apt-get -y update \
+	&& apt-get -y install --no-install-recommends \
+		autoconf \
+		automake \
+		build-essential \
+		expect \
+		gawk \
+		git \
+		libgnutls28-dev \
+		libident-dev \
+		libpam0g-dev \
+		openssl \
+		pkg-config \
+		telnet \
+		zlib1g-dev \
+	&& mkdir -p /usr/local/src/ngircd /opt/ngircd \
+	&& chown bin:bin /usr/local/src/ngircd /opt/ngircd
+WORKDIR /usr/local/src/ngircd
+COPY . /usr/local/src/ngircd
+RUN chown -R bin /usr/local/src/ngircd
+USER bin
+RUN ./autogen.sh --prefix=/opt/ngircd \
+		--with-gnutls \
+		--with-iconv \
+		--with-ident \
+		--with-pam \
+	&& make all \
+	&& make -C src/ngircd check \
+	&& make install \
+	&& printf \
+		"# ngircd.conf\n\n[Global]\nServerGID=irc\nServerUID=irc\n\n[Options]\nIdent=no\nPAM=no\n\n[SSL]\nCAFile=/etc/ssl/certs/ca-certificates.crt\n" \
+		>/opt/ngircd/etc/ngircd.conf \
+	&& chmod -R a+rX /opt/ngircd
+
+# Run container
+
+FROM docker.io/library/debian:stable-slim
+USER root
+RUN apt-get -y update \
+	&& apt-get -y install --no-install-recommends --no-install-suggests \
+		ca-certificates \
+		catatonit \
+		libgnutls30 \
+		libident \
+		libpam0g \
+		libwrap0 \
+		zlib1g \
+	&& apt-get -y clean \
+	&& rm -rf /var/cache/debconf/*-old /var/lib/apt/lists/*
+COPY --from=build /opt/ngircd /opt/ngircd
+USER irc
+ENTRYPOINT [ "/usr/bin/catatonit", "--", "/opt/ngircd/sbin/ngircd", "--nodaemon" ]
+EXPOSE 6667 6697
+HEALTHCHECK --interval=30s --timeout=5s --retries=1 --start-period=5s \
+	CMD [ "/usr/bin/grep", "-F", ":1A0B ", "/proc/net/tcp" ]
--- a/contrib/MacOSX/.gitignore
+++ b/contrib/MacOSX/.gitignore
@ -1,2 +0,0 @@
-build
-de.barton.ngircd.plist
--- a/contrib/MacOSX/Makefile.am
+++ b/contrib/MacOSX/Makefile.am
@ -1,52 +0,0 @@
-#
-# ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2008 Alexander Barton <alex@barton.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# Please read the file COPYING, README and AUTHORS for more information.
-#
-
-SUBDIRS = ngIRCd.xcodeproj ngIRCd.pmdoc
-
-EXTRA_DIST = de.barton.ngircd.plist.tmpl config.h preinstall.sh postinstall.sh
-
-SUFFIXES = .tmpl .
-
-.tmpl:
-	sed \
-	    -e s@:SBINDIR:@${sbindir}@ \
-	    <$< >$@
-
-install-data-local:
-	[ `uname -s` != "Darwin" ] || make install-sys-darwin
-
-install-sys-darwin:
-	@if [ `id -u` -eq 0 ]; then \
-	  make install-sys-darwin-root; \
-	else \
-	  echo; \
-	  echo " ** NOTE: Not installing with root privileges, so the LaunchDaemon script"; \
-	  echo " ** \"/Library/LaunchDaemons/de.barton.ngircd.plist\" can't be installed/updated!"; \
-	  echo; \
-	fi
-
-install-sys-darwin-root: de.barton.ngircd.plist
-	install -d -m 755 -o root -g wheel $(DESTDIR)/Library/LaunchDaemons
-	install -c -m 644 -b -o root -g wheel de.barton.ngircd.plist \
-	 $(DESTDIR)/Library/LaunchDaemons/de.barton.ngircd.plist
-	@echo
-	@echo " ** \"/Library/LaunchDaemons/de.barton.ngircd.plist\" has been installed,"
-	@echo " ** but is disabled. Use launchctl(8) to enable/run ngIRCd on Darwin/Mac OS X."
-	@echo
-
-clean-local:
-	rm -rf build
-	rm -f de.barton.ngircd.plist
-
-maintainer-clean-local:
-	rm -f Makefile Makefile.in
-
-# -eof-
--- a/contrib/MacOSX/config.h
+++ b/contrib/MacOSX/config.h
@ -1,134 +0,0 @@
-/*
- * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2013 Alexander Barton (alex@barton.de) and Contributors.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- * Please read the file COPYING, README and AUTHORS for more information.
- *
- * Static configuration file for Mac OS X Xcode project
- */
-
-#define PACKAGE_NAME "ngIRCd"
-# define PACKAGE "ngircd"
-#ifndef VERSION
-# define VERSION "??("__DATE__")"
-#endif
-
-#ifndef HOST_VENDOR
-# define HOST_VENDOR "apple"
-# define HOST_OS "darwin"
-# ifdef __x86_64
-#  define HOST_CPU "x86_64"
-# endif
-#endif
-
-#define SYSCONFDIR "/etc/ngircd"
-#define DOCDIR "/usr/share/doc/ngircd"
-
-/* -- Build options -- */
-
-/* Define if debug-mode should be enabled */
-#define DEBUG 1
-
-/* Define if the server should do IDENT requests */
-/*#define IDENTAUTH 1*/
-
-/* Define if IRC+ protocol should be used */
-#define IRCPLUS 1
-
-/* Define if IRC sniffer should be enabled */
-/*#define SNIFFER 1*/
-
-/* Define if syslog should be used for logging */
-#define SYSLOG 1
-
-/* Define if TCP wrappers should be used */
-/*#define TCPWRAP 1*/
-
-/* Define if zlib compression should be enabled */
-#define ZLIB 1
-
-/* Define if IPV6 protocol should be enabled */
-#define WANT_IPV6 1
-
-/* Define if PAM should be used */
-#define PAM 1
-
-/* Define if libiconv can be used, e.g. for CHARCONV */
-#define ICONV 1
-
-/* -- Supported features -- */
-
-/* Define if SSP C support is enabled. */
-#define ENABLE_SSP_CC 1
-
-/* Define to 1 if the C compiler supports function prototypes. */
-#define PROTOTYPES 1
-/* Define like PROTOTYPES; this can be used by system headers. */
-#define __PROTOTYPES 1
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#define HAVE_SYS_TYPES_H 1
-/* Define to 1 if you have the <inttypes.h> header file. */
-#define HAVE_INTTYPES_H 1
-/* Define to 1 if you have the <stddef.h> header file. */
-#define HAVE_STDDEF_H 1
-/* Define to 1 if you have the <stdbool.h> header file. */
-#define HAVE_STDBOOL_H 1
-/* Define to 1 if you have the <arpa/inet.h> header file. */
-#define HAVE_ARPA_INET_H 1
-/* Define to 1 if you have the <netinet/ip.h> header file. */
-#define HAVE_NETINET_IP_H 1
-
-/* Define to 1 if you have the `gai_strerror' function. */
-#define HAVE_GAI_STRERROR 1
-/* Define to 1 if you have the `iconv_open' function. */
-#define HAVE_ICONV_OPEN 1
-/* Define to 1 if you have the `kqueue' function. */
-#define HAVE_KQUEUE 1
-/* Define to 1 if you have the `inet_ntoa' function. */
-#define HAVE_INET_NTOA 1
-/* Define to 1 if you have the `snprintf' function. */
-#define HAVE_SNPRINTF 1
-/* Define to 1 if you have the `strlcat' function. */
-#define HAVE_STRLCAT 1
-/* Define to 1 if you have the `strlcpy' function. */
-#define HAVE_STRLCPY 1
-/* Define to 1 if you have the `strdup' function. */
-#define HAVE_STRDUP 1
-/* Define to 1 if you have the `vsnprintf' function. */
-#define HAVE_VSNPRINTF 1
-/* Define to 1 if you have the `inet_aton' function. */
-#define HAVE_INET_ATON 1
-/* Define to 1 if you have the `getaddrinfo' function. */
-#define HAVE_GETADDRINFO 1
-/* getaddrinfo(0) */
-#define HAVE_WORKING_GETADDRINFO 1
-/* Define to 1 if you have the `getnameinfo' function. */
-#define HAVE_GETNAMEINFO 1
-/* Define to 1 if you have the `sigaction' function. */
-#define HAVE_SIGACTION 1
-/* Define to 1 if you have the `setsid' function. */
-#define HAVE_SETSID 1
-
-/* Define if socklen_t exists */
-#define HAVE_socklen_t 1
-
-#ifdef PAM
-/* Define to 1 if you have the `pam_authenticate' function. */
-#define HAVE_PAM_AUTHENTICATE 1
-#if (__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 1060)
-/* Define to 1 if you have the <pam/pam_appl.h> header file. */
-#define HAVE_PAM_PAM_APPL_H 1
-/* Mac OS X <10.6 doesn't have pam_fail_delay() */
-#define NO_PAM_FAIL_DELAY 1
-#else
-/* Define to 1 if you have the <security/pam_appl.h> header file. */
-#define HAVE_SECURITY_PAM_APPL_H 1
-#endif
-#endif
-
-/* -eof- */
--- a/contrib/MacOSX/ngIRCd.pmdoc/01ngircd-contents.xml
+++ b/contrib/MacOSX/ngIRCd.pmdoc/01ngircd-contents.xml
@ -1 +0,0 @@
-<pkg-contents spec="1.12"><f n="ngircd.dest" o="root" g="admin" p="16877" pt="../../ngircd.dest" m="false" t="file"><f n="opt" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="16877"><f n="etc" o="root" g="admin" p="16877"><f n="ngircd.motd" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="sbin" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="33261"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="share" o="root" g="admin" p="16877"><f n="doc" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="16877"><f n="AUTHORS" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Bopm.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="ChangeLog" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="COPYING" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="FAQ.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="GIT.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="HowToRelease.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="INSTALL" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="NEWS" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="PAM.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Platforms.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Protocol.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-AUX.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-BeOS.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-Interix.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="RFC.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="sample-ngircd.conf" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Services.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="SSL.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="man" o="root" g="admin" p="16877"><f n="man5" o="root" g="admin" p="16877"><f n="ngircd.conf.5" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="man8" o="root" g="admin" p="16877"><f n="ngircd.8" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f></pkg-contents>
--- a/contrib/MacOSX/ngIRCd.pmdoc/01ngircd.xml
+++ b/contrib/MacOSX/ngIRCd.pmdoc/01ngircd.xml
@ -1 +0,0 @@
-<pkgref spec="1.12" uuid="46208410-4A1B-48C6-97BD-DE284F13F864"><config><identifier>de.barton.ngircd.daemon.pkg</identifier><version>17.1</version><description></description><post-install type="none"/><requireAuthorization/><installFrom>../../ngircd.dest</installFrom><installTo mod="true">/</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>extraFiles</mod><mod>installTo</mod><mod>installTo.isAbsoluteType</mod><mod>scripts.preinstall.path</mod><mod>identifier</mod><mod>parent</mod><mod>version</mod><mod>installTo.path</mod><mod>scripts.preupgrade.path</mod><mod>requireAuthorization</mod></config><contents><file-list>02ngircd-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra-files/></pkgref>
--- a/contrib/MacOSX/ngIRCd.pmdoc/02de-contents.xml
+++ b/contrib/MacOSX/ngIRCd.pmdoc/02de-contents.xml
@ -1 +0,0 @@
-<pkg-contents spec="1.12"><f n="de.barton.ngircd.plist" o="root" g="wheel" p="33188" pt="/Users/alex/Develop/ngircd/alex.git/contrib/MacOSX/de.barton.ngircd.plist" m="false" t="file"><mod>group</mod><mod>owner</mod></f></pkg-contents>
--- a/contrib/MacOSX/ngIRCd.pmdoc/02de.xml
+++ b/contrib/MacOSX/ngIRCd.pmdoc/02de.xml
@ -1 +0,0 @@
-<pkgref spec="1.12" uuid="F0954DA7-0607-4277-AE10-D882AC7C38CA"><config><identifier>de.barton.ngircd.launchscript.pkg</identifier><version>17.1</version><description></description><post-install type="none"/><requireAuthorization/><installFrom relative="true">de.barton.ngircd.plist</installFrom><installTo mod="true">/Library/LaunchDaemons</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>scripts.preinstall.path</mod><mod>installTo</mod><mod>scripts.postinstall.path</mod><mod>scripts.postinstall.isRelativeType</mod><mod>installFrom.isRelativeType</mod><mod>installTo.isAbsoluteType</mod><mod>version</mod><mod>parent</mod><mod>scripts.preupgrade.path</mod><mod>identifier</mod><mod>scripts.postupgrade.path</mod><mod>requireAuthorization</mod><mod>extraFiles</mod><mod>scripts.postupgrade.isRelativeType</mod><mod>installTo.path</mod></config><scripts><preinstall relative="true" mod="true">preinstall.sh</preinstall><postinstall relative="true" mod="true">postinstall.sh</postinstall><preupgrade relative="true" mod="true">preinstall.sh</preupgrade><postupgrade relative="true" mod="true">postinstall.sh</postupgrade></scripts><contents><file-list>01de-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra-files/></pkgref>
--- a/contrib/MacOSX/ngIRCd.pmdoc/Makefile.am
+++ b/contrib/MacOSX/ngIRCd.pmdoc/Makefile.am
@ -1,18 +0,0 @@
-#
-# ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2008 Alexander Barton <alex@barton.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# Please read the file COPYING, README and AUTHORS for more information.
-#
-
-EXTRA_DIST = index.xml \
- 01ngircd-contents.xml 01ngircd.xml 02de-contents.xml 02de.xml
-
-maintainer-clean-local:
-	rm -f Makefile Makefile.in
-
-# -eof-
--- a/contrib/MacOSX/ngIRCd.pmdoc/index.xml
+++ b/contrib/MacOSX/ngIRCd.pmdoc/index.xml
@ -1,238 +0,0 @@
-<pkmkdoc spec="1.12"><properties><title>ngIRCd</title><build>../../ngIRCd.mpkg</build><organization>de.barton.ngircd</organization><userSees ui="both"/><min-target os="2"/><domain system="true"/></properties><distribution><versions min-spec="1.000000"/><scripts></scripts></distribution><description>ngIRCd – next generation Internet Relay Chat (IRC) server
-  daemon</description><contents><choice title="ngIRCd daemon" id="choicengircd" tooltip="ngIRCd daemon, documentation and manual pages" description="Binaries, documentation and manual pages of the ngIRCd, the next generation IRC (Internet Relay Chat) daemon. This package will be installed into /opt/ngircd." starts_selected="true" starts_enabled="true" starts_hidden="false"><pkgref id="de.barton.ngircd.daemon.pkg"/></choice><choice title="Start and stop script" id="choicelaunchscript" tooltip="LaunchDaemon start and stop script" description="Installs the ngIRCd start and stop script for the &quot;launch daemon&quot;. If this is an update/upgrade, and ngIRCd is already running, it will be automatically restarted." starts_selected="true" starts_enabled="true" starts_hidden="false"><pkgref id="de.barton.ngircd.launchscript.pkg"/></choice></contents><resources bg-scale="none" bg-align="bottomleft"><locale lang="en"><resource type="background">../ngIRCd-Logo.gif</resource><resource mime-type="text/rtf" kind="embedded" type="license"><![CDATA[{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
-{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
-{\colortbl;\red255\green255\blue255;}
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-
-\f0\i\fs24 \cf0 ngIRCd -- The Next Generation IRC Daemon\
-Copyright (c)2001-2014 Alexander Barton and Contributors.\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-
-\i0 \cf0 \
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \
-\
-Please see below and read the file COPYING, README and AUTHORS for more information.\
-\
-\
-\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-
-\b \cf0 GNU GENERAL PUBLIC LICENSE\
-Version 2, June 1991\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-
-\b0 \cf0 \
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-\cf0 Copyright (C) 1989, 1991 Free Software Foundation, Inc.\
-59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\
-Everyone is permitted to copy and distribute verbatim copies\
-of this license document, but changing it is not allowed.\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-\cf0 \
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-
-\b \cf0 Preamble\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-
-\b0 \cf0 \
-The licenses for most software are designed to take away your freedom to share and change it.  By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.  This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.  (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.)  You can apply it to your programs, too.\
-\
-When we speak of free software, we are referring to freedom, not price.  Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.\
-\
-To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.\
-\
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.  You must make sure that they, too, receive or can get the source code.  And you must show them these terms so they know their rights.\
-\
-We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.\
-\
-Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software.  If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.\
-\
-Finally, any free program is threatened constantly by software patents.  We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary.  To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.\
-\
-The precise terms and conditions for copying, distribution and modification follow.\
-\page \
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-
-\b \cf0 GNU GENERAL PUBLIC LICENSE\
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION\
-AND MODIFICATION\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-
-\b0 \cf0 \
-0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.  The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law:\
-that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language.  (Hereinafter, translation is included without limitation in the term "modification".)  Each licensee is addressed as "you".\
-\
-Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.  The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the\
-Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.\
-\
-1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.\
-\
-You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.\
-\
-  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1above, provided that you also meet all of these conditions:\
-\
-    a) You must cause the modified files to carry prominent notices\
-    stating that you changed the files and the date of any change.\
-\
-    b) You must cause any work that you distribute or publish, that in\
-    whole or in part contains or is derived from the Program or any\
-    part thereof, to be licensed as a whole at no charge to all third\
-    parties under the terms of this License.\
-\
-    c) If the modified program normally reads commands interactively\
-    when run, you must cause it, when started running for such\
-    interactive use in the most ordinary way, to print or display an\
-    announcement including an appropriate copyright notice and a\
-    notice that there is no warranty (or else, saying that you provide\
-    a warranty) and that users may redistribute the program under\
-    these conditions, and telling the user how to view a copy of this\
-    License.  (Exception: if the Program itself is interactive but\
-    does not normally print such an announcement, your work based on\
-    the Program is not required to print an announcement.)\
-\page \
-These requirements apply to the modified work as a whole.  If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.  But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.\
-\
-Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.\
-\
-In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.\
-\
-3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:\
-\
-    a) Accompany it with the complete corresponding machine-readable\
-    source code, which must be distributed under the terms of Sections\
-    1 and 2 above on a medium customarily used for software\
-    interchange; or,\
-\
-    b) Accompany it with a written offer, valid for at least three\
-    years, to give any third party, for a charge no more than your\
-    cost of physically performing source distribution, a complete\
-    machine-readable copy of the corresponding source code, to be\
-    distributed under the terms of Sections 1 and 2 above on a medium\
-    customarily used for software interchange; or,\
-\
-    c) Accompany it with the information you received as to the offer\
-    to distribute corresponding source code.  (This alternative is\
-    allowed only for noncommercial distribution and only if you\
-    received the program in object code or executable form with such\
-    an offer, in accord with Subsection b above.)\
-\
-The source code for a work means the preferred form of the work for making modifications to it.  For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.  However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.\
-\
-If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not\
-compelled to copy the source along with the object code.\
-\
-4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.  Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.\
-\
-5. You are not required to accept this License, since you have not signed it.  However, nothing else grants you permission to modify or distribute the Program or its derivative works.  These actions are prohibited by law if you do not accept this License.  Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.\
-\
-6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions.  You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.\
-\
-7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.  If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all.  For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.\
-\
-If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.\
-\
-It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.  Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.\
-\
-This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.\
-\page \
-8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.  In such case, this License incorporates the limitation as if written in the body of this License.\
-\
-9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time.  Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.\
-\
-Each version is given a distinguishing version number.  If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.  If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.\
-\
-10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission.  For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.  Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.\
-\
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\qc\pardirnatural
-
-\b \cf0 NO WARRANTY
-\b0 \
-\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
-\cf0 \
-11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.\
-\
-12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.}]]></resource><resource mime-type="text/rtf" kind="embedded" type="readme"><![CDATA[{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
-{\fonttbl\f0\fnil\fcharset0 LucidaGrande;\f1\fmodern\fcharset0 Courier;}
-{\colortbl;\red255\green255\blue255;}
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\f0\fs26 \cf0 Please note:\
-\
-\pard\tx260\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\li260\fi-260\ql\qnatural\pardirnatural
-\cf0 \'95	You 
-\b have to adjust the configuration file
-\b0  of ngIRCd, at least if you are installing ngIRCd for the first time on this system (it is preserved while updating, of course).\
-\
-\'95	The daemon is automatically restarted when updating, so your 
-\b users will be disconnected
-\b0 .\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-\cf0 \
-ngIRCd becomes installed in the (newly created) /opt/ngircd directory on your system volume. Interesting files and directories are:\
-\
-\pard\tx260\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\li260\fi-260\ql\qnatural\pardirnatural
-\cf0 \'95	
-\f1 /opt/ngircd/sbin/ngircd
-\f0  \'96 executable daemon\
-\'95	
-\f1 /opt/ngircd/etc/ngircd.conf
-\f0  \'96 configuration file\
-\'95	
-\f1 /opt/ngircd/share/doc/ngircd/\'85
-\f0  \'96 documentation\
-\'95	
-\f1 /opt/ngircd/share/mac/\'85
-\f0  \'96 manual pages}]]></resource><resource mime-type="text/rtf" kind="embedded" type="welcome"><![CDATA[{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
-{\fonttbl\f0\fnil\fcharset0 LucidaGrande;}
-{\colortbl;\red255\green255\blue255;}
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\f0\fs26 \cf0 ngIRCd is a free and open source daemon for the Internet Relay Chat (IRC) protocol, developed under the GNU General Public License (GPL). It is written from scratch, is quite portable and is not based upon the original IRCd like many others.\
-\
-	ngIRCd Homepage: {\field{\*\fldinst{HYPERLINK "http://ngircd.barton.de"}}{\fldrslt http://ngircd.barton.de}}\
-\
-Please see the documentation for details! You can find it online here on the Homepage:\
-\
-	Documentation: {\field{\*\fldinst{HYPERLINK "http://ngircd.barton.de/documentation"}}{\fldrslt http://ngircd.barton.de/documentation}}\
-\
-You will be guided through all steps necessary to install this software on Mac OS X.}]]></resource><resource mime-type="text/rtf" kind="embedded" type="conclusion"><![CDATA[{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
-{\fonttbl\f0\fnil\fcharset0 LucidaGrande;\f1\fmodern\fcharset0 Courier;}
-{\colortbl;\red255\green255\blue255;}
-{\*\listtable{\list\listtemplateid1\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{hyphen\}}{\leveltext\leveltemplateid1\'01\uc0\u8259 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listname ;}\listid1}
-{\list\listtemplateid2\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{hyphen\}}{\leveltext\leveltemplateid101\'01\uc0\u8259 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listname ;}\listid2}}
-{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}}
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\f0\fs26 \cf0 The daemon has been restarted if it was already running before this installation and you have installed the LaunchDaemon start and stop script (which is the default).\
-\
-If you installed ngIRCd for the first time (or had the LaunchDaemon script disabled before), you can start ngIRCd using the following terminal command:\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\fs20 \cf0 \
-\pard\tx220\tx720\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\li720\fi-720\ql\qnatural\pardirnatural
-\ls1\ilvl0
-\f1\fs26 \cf0 	sudo launchctl load -w \\\
-	 /Library/LaunchDaemons/de.barton.ngircd.plist\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\f0 \cf0 \
-To disable automatic starting of ngIRCd, use this command:\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\fs18 \cf0 \
-\pard\tx220\tx720\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\li720\fi-720\ql\qnatural\pardirnatural
-\ls2\ilvl0
-\f1\fs26 \cf0 	sudo launchctl unload -w \\\
-	 /Library/LaunchDaemons/de.barton.ngircd.plist\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\f0 \cf0 \
-But don\'92t forget to 
-\b adjust the configuration!
-\b0  By default, it is stored in the following file:\
-\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
-
-\fs18 \cf0 \
-\pard\tx220\tx720\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\li720\fi-720\ql\qnatural\pardirnatural
-
-\f1\fs26 \cf0 	/opt/ngircd/etc/ngircd.conf}]]></resource></locale></resources><flags/><extra-files/><item type="file">02de.xml</item><item type="file">01ngircd.xml</item><mod>extraFiles</mod><mod>properties.title</mod><mod>properties.customizeOption</mod><mod>description</mod><mod>properties.anywhereDomain</mod><mod>properties.systemDomain</mod></pkmkdoc>
--- a/contrib/MacOSX/ngIRCd.xcodeproj/.gitignore
+++ b/contrib/MacOSX/ngIRCd.xcodeproj/.gitignore
@ -1,4 +0,0 @@
-project.xcworkspace
-xcuserdata
-*.mode1v3
-*.pbxuser
--- a/contrib/MacOSX/ngIRCd.xcodeproj/Makefile.am
+++ b/contrib/MacOSX/ngIRCd.xcodeproj/Makefile.am
@ -1,17 +0,0 @@
-#
-# ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2008 Alexander Barton <alex@barton.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# Please read the file COPYING, README and AUTHORS for more information.
-#
-
-EXTRA_DIST = project.pbxproj
-
-maintainer-clean-local:
-	rm -f Makefile Makefile.in
-
-# -eof-
--- a/contrib/MacOSX/ngIRCd.xcodeproj/project.pbxproj
+++ b/contrib/MacOSX/ngIRCd.xcodeproj/project.pbxproj
@ -1,852 +0,0 @@
-// !$*UTF8*$!
-{
-	archiveVersion = 1;
-	classes = {
-	};
-	objectVersion = 46;
-	objects = {
-
-/* Begin PBXBuildFile section */
-		FA2D564A11EA158B00D37A35 /* pam.c in Sources */ = {isa = PBXBuildFile; fileRef = FA2D564911EA158B00D37A35 /* pam.c */; };
-		FA2D567B11EA1AB300D37A35 /* libpam.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = FA2D567A11EA1AB300D37A35 /* libpam.dylib */; };
-		FA322D350CEF74B1001761B3 /* array.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CD90CEF74B1001761B3 /* array.c */; };
-		FA322D360CEF74B1001761B3 /* channel.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CDB0CEF74B1001761B3 /* channel.c */; };
-		FA322D370CEF74B1001761B3 /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CDD0CEF74B1001761B3 /* client.c */; };
-		FA322D380CEF74B1001761B3 /* conf.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CDF0CEF74B1001761B3 /* conf.c */; };
-		FA322D390CEF74B1001761B3 /* conn-func.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CE10CEF74B1001761B3 /* conn-func.c */; };
-		FA322D3A0CEF74B1001761B3 /* conn-zip.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CE30CEF74B1001761B3 /* conn-zip.c */; };
-		FA322D3B0CEF74B1001761B3 /* conn.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CE50CEF74B1001761B3 /* conn.c */; };
-		FA322D3C0CEF74B1001761B3 /* hash.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CE80CEF74B1001761B3 /* hash.c */; };
-		FA322D3D0CEF74B1001761B3 /* io.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CEA0CEF74B1001761B3 /* io.c */; };
-		FA322D3E0CEF74B1001761B3 /* irc-channel.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CEC0CEF74B1001761B3 /* irc-channel.c */; };
-		FA322D3F0CEF74B1001761B3 /* irc-info.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CEE0CEF74B1001761B3 /* irc-info.c */; };
-		FA322D400CEF74B1001761B3 /* irc-login.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CF00CEF74B1001761B3 /* irc-login.c */; };
-		FA322D410CEF74B1001761B3 /* irc-mode.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CF20CEF74B1001761B3 /* irc-mode.c */; };
-		FA322D420CEF74B1001761B3 /* irc-op.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CF40CEF74B1001761B3 /* irc-op.c */; };
-		FA322D430CEF74B1001761B3 /* irc-oper.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CF60CEF74B1001761B3 /* irc-oper.c */; };
-		FA322D440CEF74B1001761B3 /* irc-server.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CF80CEF74B1001761B3 /* irc-server.c */; };
-		FA322D450CEF74B1001761B3 /* irc-write.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CFA0CEF74B1001761B3 /* irc-write.c */; };
-		FA322D460CEF74B1001761B3 /* irc.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CFC0CEF74B1001761B3 /* irc.c */; };
-		FA322D470CEF74B1001761B3 /* lists.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322CFE0CEF74B1001761B3 /* lists.c */; };
-		FA322D480CEF74B1001761B3 /* log.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D000CEF74B1001761B3 /* log.c */; };
-		FA322D490CEF74B1001761B3 /* match.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D030CEF74B1001761B3 /* match.c */; };
-		FA322D4A0CEF74B1001761B3 /* ngircd.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D060CEF74B1001761B3 /* ngircd.c */; };
-		FA322D4B0CEF74B1001761B3 /* parse.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D080CEF74B1001761B3 /* parse.c */; };
-		FA322D4D0CEF74B1001761B3 /* resolve.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D0C0CEF74B1001761B3 /* resolve.c */; };
-		FA322DBE0CEF7766001761B3 /* tool.c in Sources */ = {isa = PBXBuildFile; fileRef = FA322D330CEF74B1001761B3 /* tool.c */; };
-		FA322DC10CEF77CB001761B3 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = FA322DC00CEF77CB001761B3 /* libz.dylib */; };
-		FA407F2E0DB159F400271AF1 /* ng_ipaddr.c in Sources */ = {isa = PBXBuildFile; fileRef = FA407F2C0DB159F400271AF1 /* ng_ipaddr.c */; };
-		FA4F165A164836B100DBD011 /* irc-metadata.c in Sources */ = {isa = PBXBuildFile; fileRef = FA4F1659164836B100DBD011 /* irc-metadata.c */; };
-		FA6BBC631605F0AC0004247A /* conn-encoding.c in Sources */ = {isa = PBXBuildFile; fileRef = FA6BBC5F1605F0AB0004247A /* conn-encoding.c */; };
-		FA6BBC641605F0AC0004247A /* irc-encoding.c in Sources */ = {isa = PBXBuildFile; fileRef = FA6BBC611605F0AC0004247A /* irc-encoding.c */; };
-		FA6BBC661605F6D60004247A /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = FA6BBC651605F6D60004247A /* libiconv.dylib */; };
-		FA85178C0FA061EC006A1F5A /* op.c in Sources */ = {isa = PBXBuildFile; fileRef = FA85178B0FA061EC006A1F5A /* op.c */; };
-		FA99428C10E82A27007F27ED /* proc.c in Sources */ = {isa = PBXBuildFile; fileRef = FA99428B10E82A27007F27ED /* proc.c */; };
-		FAA3D27B0F139CDC00B2447E /* conn-ssl.c in Sources */ = {isa = PBXBuildFile; fileRef = FAA3D2790F139CDC00B2447E /* conn-ssl.c */; };
-		FAA97C57124A271400D5BBA9 /* sighandlers.c in Sources */ = {isa = PBXBuildFile; fileRef = FAA97C55124A271400D5BBA9 /* sighandlers.c */; };
-		FAACD5F514A6099C006ED74F /* class.c in Sources */ = {isa = PBXBuildFile; fileRef = FAACD5F314A6099C006ED74F /* class.c */; };
-		FAD5853215271AAB00328741 /* client-cap.c in Sources */ = {isa = PBXBuildFile; fileRef = FAD5853015271AAB00328741 /* client-cap.c */; };
-		FAD5853515271AB800328741 /* irc-cap.c in Sources */ = {isa = PBXBuildFile; fileRef = FAD5853315271AB800328741 /* irc-cap.c */; };
-		FAD5853815272C2600328741 /* login.c in Sources */ = {isa = PBXBuildFile; fileRef = FAD5853615272C2500328741 /* login.c */; };
-		FAE5CC2E0CF2308A007D69B6 /* numeric.c in Sources */ = {isa = PBXBuildFile; fileRef = FAE5CC2D0CF2308A007D69B6 /* numeric.c */; };
-/* End PBXBuildFile section */
-
-/* Begin PBXCopyFilesBuildPhase section */
-		8DD76FAF0486AB0100D96B5E /* CopyFiles */ = {
-			isa = PBXCopyFilesBuildPhase;
-			buildActionMask = 8;
-			dstPath = /usr/share/man/man1/;
-			dstSubfolderSpec = 0;
-			files = (
-			);
-			runOnlyForDeploymentPostprocessing = 1;
-		};
-/* End PBXCopyFilesBuildPhase section */
-
-/* Begin PBXFileReference section */
-		FA18A63E16CEDDCE00132F66 /* configure.ng */ = {isa = PBXFileReference; lastKnownFileType = text; name = configure.ng; path = ../../configure.ng; sourceTree = "<group>"; };
-		FA18A63F16CEDE2300132F66 /* ngircd.service */ = {isa = PBXFileReference; lastKnownFileType = text; path = ngircd.service; sourceTree = "<group>"; };
-		FA18A64016CEDE2300132F66 /* ngircd.socket */ = {isa = PBXFileReference; lastKnownFileType = text; path = ngircd.socket; sourceTree = "<group>"; };
-		FA18A64116CEDE3500132F66 /* ngircd.pam */ = {isa = PBXFileReference; lastKnownFileType = text; path = ngircd.pam; sourceTree = "<group>"; };
-		FA18A64216CEDE5700132F66 /* de.barton.ngircd.plist.tmpl */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = de.barton.ngircd.plist.tmpl; sourceTree = "<group>"; };
-		FA18A64316CEDE8100132F66 /* Makefile.am */ = {isa = PBXFileReference; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA18A64416CEDFCE00132F66 /* Commands.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Commands.txt; sourceTree = "<group>"; };
-		FA18A64516CEE0C700132F66 /* Makefile.ng */ = {isa = PBXFileReference; lastKnownFileType = text; name = Makefile.ng; path = ipaddr/Makefile.ng; sourceTree = "<group>"; };
-		FA18A64616CEE0DD00132F66 /* Makefile.ng */ = {isa = PBXFileReference; lastKnownFileType = text; path = Makefile.ng; sourceTree = "<group>"; };
-		FA18A64716CEE14900132F66 /* Makefile.ng */ = {isa = PBXFileReference; lastKnownFileType = text; path = Makefile.ng; sourceTree = "<group>"; };
-		FA18A64A16CEE18100132F66 /* Makefile.ng */ = {isa = PBXFileReference; lastKnownFileType = text; path = Makefile.ng; sourceTree = "<group>"; };
-		FA18A64C16CEE1AC00132F66 /* mode-test.e */ = {isa = PBXFileReference; lastKnownFileType = text; path = "mode-test.e"; sourceTree = "<group>"; };
-		FA18A64D16CEE1D900132F66 /* whois-test.e */ = {isa = PBXFileReference; lastKnownFileType = text; path = "whois-test.e"; sourceTree = "<group>"; };
-		FA18A64E16CEE24B00132F66 /* misc-test.e */ = {isa = PBXFileReference; lastKnownFileType = text; path = "misc-test.e"; sourceTree = "<group>"; };
-		FA18A64F16CEE27700132F66 /* Makefile.ng */ = {isa = PBXFileReference; lastKnownFileType = text; path = Makefile.ng; sourceTree = "<group>"; };
-		FA1A6BBD0D6857D900AA8F71 /* who-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "who-test.e"; sourceTree = "<group>"; };
-		FA1DBB6716C707D200D4F838 /* irc-macros.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "irc-macros.h"; sourceTree = "<group>"; };
-		FA2D564811EA158B00D37A35 /* pam.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pam.h; sourceTree = "<group>"; };
-		FA2D564911EA158B00D37A35 /* pam.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = pam.c; sourceTree = "<group>"; };
-		FA2D567A11EA1AB300D37A35 /* libpam.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libpam.dylib; path = usr/lib/libpam.dylib; sourceTree = SDKROOT; };
-		FA322BBA0CEF72E4001761B3 /* ngircd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = ngircd; sourceTree = BUILT_PRODUCTS_DIR; };
-		FA322CD60CEF74B1001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA322CD90CEF74B1001761B3 /* array.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = array.c; sourceTree = "<group>"; };
-		FA322CDA0CEF74B1001761B3 /* array.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = array.h; sourceTree = "<group>"; };
-		FA322CDB0CEF74B1001761B3 /* channel.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = channel.c; sourceTree = "<group>"; };
-		FA322CDC0CEF74B1001761B3 /* channel.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = channel.h; sourceTree = "<group>"; };
-		FA322CDD0CEF74B1001761B3 /* client.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = client.c; sourceTree = "<group>"; };
-		FA322CDE0CEF74B1001761B3 /* client.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = client.h; sourceTree = "<group>"; };
-		FA322CDF0CEF74B1001761B3 /* conf.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = conf.c; sourceTree = "<group>"; };
-		FA322CE00CEF74B1001761B3 /* conf.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = conf.h; sourceTree = "<group>"; };
-		FA322CE10CEF74B1001761B3 /* conn-func.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "conn-func.c"; sourceTree = "<group>"; };
-		FA322CE20CEF74B1001761B3 /* conn-func.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "conn-func.h"; sourceTree = "<group>"; };
-		FA322CE30CEF74B1001761B3 /* conn-zip.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "conn-zip.c"; sourceTree = "<group>"; };
-		FA322CE40CEF74B1001761B3 /* conn-zip.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "conn-zip.h"; sourceTree = "<group>"; };
-		FA322CE50CEF74B1001761B3 /* conn.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = conn.c; sourceTree = "<group>"; };
-		FA322CE60CEF74B1001761B3 /* conn.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = conn.h; sourceTree = "<group>"; };
-		FA322CE70CEF74B1001761B3 /* defines.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = defines.h; sourceTree = "<group>"; };
-		FA322CE80CEF74B1001761B3 /* hash.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = hash.c; sourceTree = "<group>"; };
-		FA322CE90CEF74B1001761B3 /* hash.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = hash.h; sourceTree = "<group>"; };
-		FA322CEA0CEF74B1001761B3 /* io.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = io.c; sourceTree = "<group>"; };
-		FA322CEB0CEF74B1001761B3 /* io.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = io.h; sourceTree = "<group>"; };
-		FA322CEC0CEF74B1001761B3 /* irc-channel.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-channel.c"; sourceTree = "<group>"; };
-		FA322CED0CEF74B1001761B3 /* irc-channel.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-channel.h"; sourceTree = "<group>"; };
-		FA322CEE0CEF74B1001761B3 /* irc-info.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-info.c"; sourceTree = "<group>"; };
-		FA322CEF0CEF74B1001761B3 /* irc-info.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-info.h"; sourceTree = "<group>"; };
-		FA322CF00CEF74B1001761B3 /* irc-login.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-login.c"; sourceTree = "<group>"; };
-		FA322CF10CEF74B1001761B3 /* irc-login.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-login.h"; sourceTree = "<group>"; };
-		FA322CF20CEF74B1001761B3 /* irc-mode.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-mode.c"; sourceTree = "<group>"; };
-		FA322CF30CEF74B1001761B3 /* irc-mode.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-mode.h"; sourceTree = "<group>"; };
-		FA322CF40CEF74B1001761B3 /* irc-op.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-op.c"; sourceTree = "<group>"; };
-		FA322CF50CEF74B1001761B3 /* irc-op.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-op.h"; sourceTree = "<group>"; };
-		FA322CF60CEF74B1001761B3 /* irc-oper.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-oper.c"; sourceTree = "<group>"; };
-		FA322CF70CEF74B1001761B3 /* irc-oper.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-oper.h"; sourceTree = "<group>"; };
-		FA322CF80CEF74B1001761B3 /* irc-server.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-server.c"; sourceTree = "<group>"; };
-		FA322CF90CEF74B1001761B3 /* irc-server.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-server.h"; sourceTree = "<group>"; };
-		FA322CFA0CEF74B1001761B3 /* irc-write.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "irc-write.c"; sourceTree = "<group>"; };
-		FA322CFB0CEF74B1001761B3 /* irc-write.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "irc-write.h"; sourceTree = "<group>"; };
-		FA322CFC0CEF74B1001761B3 /* irc.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = irc.c; sourceTree = "<group>"; };
-		FA322CFD0CEF74B1001761B3 /* irc.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = irc.h; sourceTree = "<group>"; };
-		FA322CFE0CEF74B1001761B3 /* lists.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = lists.c; sourceTree = "<group>"; };
-		FA322CFF0CEF74B1001761B3 /* lists.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = lists.h; sourceTree = "<group>"; };
-		FA322D000CEF74B1001761B3 /* log.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = log.c; sourceTree = "<group>"; };
-		FA322D010CEF74B1001761B3 /* log.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = log.h; sourceTree = "<group>"; };
-		FA322D030CEF74B1001761B3 /* match.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = match.c; sourceTree = "<group>"; };
-		FA322D040CEF74B1001761B3 /* match.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = match.h; sourceTree = "<group>"; };
-		FA322D050CEF74B1001761B3 /* messages.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = messages.h; sourceTree = "<group>"; };
-		FA322D060CEF74B1001761B3 /* ngircd.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = ngircd.c; sourceTree = "<group>"; };
-		FA322D070CEF74B1001761B3 /* ngircd.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = ngircd.h; sourceTree = "<group>"; };
-		FA322D080CEF74B1001761B3 /* parse.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = parse.c; sourceTree = "<group>"; };
-		FA322D090CEF74B1001761B3 /* parse.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = parse.h; sourceTree = "<group>"; };
-		FA322D0C0CEF74B1001761B3 /* resolve.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = resolve.c; sourceTree = "<group>"; };
-		FA322D0D0CEF74B1001761B3 /* resolve.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = resolve.h; sourceTree = "<group>"; };
-		FA322D100CEF74B1001761B3 /* ansi2knr.1 */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.man; path = ansi2knr.1; sourceTree = "<group>"; };
-		FA322D110CEF74B1001761B3 /* ansi2knr.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = ansi2knr.c; sourceTree = "<group>"; };
-		FA322D150CEF74B1001761B3 /* portab.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = portab.h; sourceTree = "<group>"; };
-		FA322D160CEF74B1001761B3 /* portabtest.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = portabtest.c; sourceTree = "<group>"; };
-		FA322D170CEF74B1001761B3 /* splint.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = splint.h; sourceTree = "<group>"; };
-		FA322D180CEF74B1001761B3 /* strdup.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = strdup.c; sourceTree = "<group>"; };
-		FA322D190CEF74B1001761B3 /* strlcpy.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = strlcpy.c; sourceTree = "<group>"; };
-		FA322D1A0CEF74B1001761B3 /* vsnprintf.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = vsnprintf.c; sourceTree = "<group>"; };
-		FA322D1D0CEF74B1001761B3 /* channel-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "channel-test.e"; sourceTree = "<group>"; };
-		FA322D1E0CEF74B1001761B3 /* check-idle.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "check-idle.e"; sourceTree = "<group>"; };
-		FA322D1F0CEF74B1001761B3 /* connect-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "connect-test.e"; sourceTree = "<group>"; };
-		FA322D200CEF74B1001761B3 /* functions.inc */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.pascal; path = functions.inc; sourceTree = "<group>"; };
-		FA322D210CEF74B1001761B3 /* getpid.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = getpid.sh; sourceTree = "<group>"; };
-		FA322D250CEF74B1001761B3 /* README */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = README; sourceTree = "<group>"; };
-		FA322D260CEF74B1001761B3 /* start-server.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = "start-server.sh"; sourceTree = "<group>"; };
-		FA322D270CEF74B1001761B3 /* stop-server.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = "stop-server.sh"; sourceTree = "<group>"; };
-		FA322D280CEF74B1001761B3 /* stress-A.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "stress-A.e"; sourceTree = "<group>"; };
-		FA322D290CEF74B1001761B3 /* stress-B.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "stress-B.e"; sourceTree = "<group>"; };
-		FA322D2A0CEF74B1001761B3 /* stress-server.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = "stress-server.sh"; sourceTree = "<group>"; };
-		FA322D2B0CEF74B1001761B3 /* test-loop.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = "test-loop.sh"; sourceTree = "<group>"; };
-		FA322D2C0CEF74B1001761B3 /* tests.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = tests.sh; sourceTree = "<group>"; };
-		FA322D2D0CEF74B1001761B3 /* wait-tests.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = "wait-tests.sh"; sourceTree = "<group>"; };
-		FA322D330CEF74B1001761B3 /* tool.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = tool.c; sourceTree = "<group>"; };
-		FA322D340CEF74B1001761B3 /* tool.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = tool.h; sourceTree = "<group>"; };
-		FA322D5A0CEF750F001761B3 /* AUTHORS */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = AUTHORS; path = ../../AUTHORS; sourceTree = SOURCE_ROOT; };
-		FA322D5B0CEF750F001761B3 /* autogen.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; name = autogen.sh; path = ../../autogen.sh; sourceTree = SOURCE_ROOT; };
-		FA322D5C0CEF750F001761B3 /* ChangeLog */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = ChangeLog; path = ../../ChangeLog; sourceTree = SOURCE_ROOT; };
-		FA322D5E0CEF750F001761B3 /* config.guess */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; name = config.guess; path = ../../config.guess; sourceTree = SOURCE_ROOT; };
-		FA322D5F0CEF750F001761B3 /* config.sub */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; name = config.sub; path = ../../config.sub; sourceTree = SOURCE_ROOT; };
-		FA322D610CEF750F001761B3 /* COPYING */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = COPYING; path = ../../COPYING; sourceTree = SOURCE_ROOT; };
-		FA322D620CEF750F001761B3 /* INSTALL */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = INSTALL; path = ../../INSTALL; sourceTree = SOURCE_ROOT; };
-		FA322D630CEF750F001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = Makefile.am; path = ../../Makefile.am; sourceTree = SOURCE_ROOT; };
-		FA322D640CEF750F001761B3 /* NEWS */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = NEWS; path = ../../NEWS; sourceTree = SOURCE_ROOT; };
-		FA322D650CEF750F001761B3 /* README */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = README; path = ../../README; sourceTree = SOURCE_ROOT; };
-		FA322D6A0CEF7523001761B3 /* changelog */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = changelog; sourceTree = "<group>"; };
-		FA322D6B0CEF7523001761B3 /* compat */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = compat; sourceTree = "<group>"; };
-		FA322D6C0CEF7523001761B3 /* control */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = control; sourceTree = "<group>"; };
-		FA322D6D0CEF7523001761B3 /* copyright */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = copyright; sourceTree = "<group>"; };
-		FA322D6E0CEF7523001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA322D6F0CEF7523001761B3 /* ngircd.default */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = ngircd.default; sourceTree = "<group>"; };
-		FA322D700CEF7523001761B3 /* ngircd.init */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = ngircd.init; sourceTree = "<group>"; };
-		FA322D710CEF7523001761B3 /* ngircd.postinst */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = ngircd.postinst; sourceTree = "<group>"; };
-		FA322D720CEF7523001761B3 /* rules */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = rules; sourceTree = "<group>"; };
-		FA322D8D0CEF7523001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; name = Makefile.am; path = MacOSX/Makefile.am; sourceTree = "<group>"; };
-		FA322D8E0CEF7523001761B3 /* ngIRCd.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; path = ngIRCd.xcodeproj; sourceTree = "<group>"; };
-		FA322D920CEF7523001761B3 /* ngindent */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = ngindent; sourceTree = "<group>"; };
-		FA322D940CEF7523001761B3 /* ngircd.spec */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = ngircd.spec; sourceTree = "<group>"; };
-		FA322D950CEF7523001761B3 /* README */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = README; sourceTree = "<group>"; };
-		FA322D960CEF7523001761B3 /* systrace.policy */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = systrace.policy; sourceTree = "<group>"; };
-		FA322D9A0CEF752C001761B3 /* FAQ.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = FAQ.txt; sourceTree = "<group>"; };
-		FA322D9B0CEF752C001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA322D9C0CEF752C001761B3 /* Platforms.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Platforms.txt; sourceTree = "<group>"; };
-		FA322D9D0CEF752C001761B3 /* Protocol.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Protocol.txt; sourceTree = "<group>"; };
-		FA322D9E0CEF752C001761B3 /* README-AUX.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "README-AUX.txt"; sourceTree = "<group>"; };
-		FA322D9F0CEF752C001761B3 /* README-BeOS.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "README-BeOS.txt"; sourceTree = "<group>"; };
-		FA322DA00CEF752C001761B3 /* RFC.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = RFC.txt; sourceTree = "<group>"; };
-		FA322DA40CEF752C001761B3 /* Doxyfile */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Doxyfile; sourceTree = "<group>"; };
-		FA322DA50CEF752C001761B3 /* footer.inc.html */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.html; path = footer.inc.html; sourceTree = "<group>"; };
-		FA322DA70CEF752C001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA322DA90CEF752C001761B3 /* SSL.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = SSL.txt; sourceTree = "<group>"; };
-		FA322DAD0CEF7538001761B3 /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FA322DAE0CEF7538001761B3 /* ngircd.8.tmpl */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = ngircd.8.tmpl; sourceTree = "<group>"; };
-		FA322DAF0CEF7538001761B3 /* ngircd.conf.5.tmpl */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = ngircd.conf.5.tmpl; sourceTree = "<group>"; };
-		FA322DB10CEF7565001761B3 /* config.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = config.h; sourceTree = "<group>"; };
-		FA322DC00CEF77CB001761B3 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = /usr/lib/libz.dylib; sourceTree = "<absolute>"; };
-		FA407F2C0DB159F400271AF1 /* ng_ipaddr.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; name = ng_ipaddr.c; path = ipaddr/ng_ipaddr.c; sourceTree = "<group>"; };
-		FA407F2D0DB159F400271AF1 /* ng_ipaddr.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; name = ng_ipaddr.h; path = ipaddr/ng_ipaddr.h; sourceTree = "<group>"; };
-		FA407F380DB15AC700271AF1 /* GIT.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = GIT.txt; sourceTree = "<group>"; };
-		FA4B08E513E7F8FB00765BA3 /* ngircd-bsd.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "ngircd-bsd.sh"; sourceTree = "<group>"; };
-		FA4B08E613E7F91700765BA3 /* ngIRCd-Logo.gif */ = {isa = PBXFileReference; lastKnownFileType = image.gif; path = "ngIRCd-Logo.gif"; sourceTree = "<group>"; };
-		FA4B08E713E7F91700765BA3 /* ngircd-redhat.init */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "ngircd-redhat.init"; sourceTree = "<group>"; };
-		FA4B08E813E7F91C00765BA3 /* platformtest.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = platformtest.sh; sourceTree = "<group>"; };
-		FA4F1659164836B100DBD011 /* irc-metadata.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "irc-metadata.c"; sourceTree = "<group>"; };
-		FA4F165C164836BF00DBD011 /* irc-metadata.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "irc-metadata.h"; sourceTree = "<group>"; };
-		FA6BBC5F1605F0AB0004247A /* conn-encoding.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "conn-encoding.c"; sourceTree = "<group>"; };
-		FA6BBC601605F0AC0004247A /* conn-encoding.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "conn-encoding.h"; sourceTree = "<group>"; };
-		FA6BBC611605F0AC0004247A /* irc-encoding.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "irc-encoding.c"; sourceTree = "<group>"; };
-		FA6BBC621605F0AC0004247A /* irc-encoding.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "irc-encoding.h"; sourceTree = "<group>"; };
-		FA6BBC651605F6D60004247A /* libiconv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libiconv.dylib; path = ../../../../../../../usr/lib/libiconv.dylib; sourceTree = "<group>"; };
-		FA77849A133FB9FF00740057 /* sample-ngircd.conf.tmpl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "sample-ngircd.conf.tmpl"; sourceTree = "<group>"; };
-		FA85178A0FA061EC006A1F5A /* op.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = op.h; sourceTree = "<group>"; };
-		FA85178B0FA061EC006A1F5A /* op.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = op.c; sourceTree = "<group>"; };
-		FA99428A10E82A27007F27ED /* proc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = proc.h; sourceTree = "<group>"; };
-		FA99428B10E82A27007F27ED /* proc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = proc.c; sourceTree = "<group>"; };
-		FAA3D2700F139CB300B2447E /* invite-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "invite-test.e"; sourceTree = "<group>"; };
-		FAA3D2710F139CB300B2447E /* join-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "join-test.e"; sourceTree = "<group>"; };
-		FAA3D2720F139CB300B2447E /* kick-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "kick-test.e"; sourceTree = "<group>"; };
-		FAA3D2730F139CB300B2447E /* message-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "message-test.e"; sourceTree = "<group>"; };
-		FAA3D2740F139CB300B2447E /* ngircd-test1.conf */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "ngircd-test1.conf"; sourceTree = "<group>"; };
-		FAA3D2750F139CB300B2447E /* ngircd-test2.conf */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "ngircd-test2.conf"; sourceTree = "<group>"; };
-		FAA3D2760F139CB300B2447E /* opless-channel-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "opless-channel-test.e"; sourceTree = "<group>"; };
-		FAA3D2770F139CB300B2447E /* server-link-test.e */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = "server-link-test.e"; sourceTree = "<group>"; };
-		FAA3D2780F139CDC00B2447E /* conf-ssl.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "conf-ssl.h"; sourceTree = "<group>"; };
-		FAA3D2790F139CDC00B2447E /* conn-ssl.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = "conn-ssl.c"; sourceTree = "<group>"; };
-		FAA3D27A0F139CDC00B2447E /* conn-ssl.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = "conn-ssl.h"; sourceTree = "<group>"; };
-		FAA3D27C0F139CF800B2447E /* strtok_r.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = strtok_r.c; sourceTree = "<group>"; };
-		FAA3D27D0F139CF800B2447E /* waitpid.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = waitpid.c; sourceTree = "<group>"; };
-		FAA3D2800F139D1500B2447E /* Services.txt */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Services.txt; sourceTree = "<group>"; };
-		FAA3D2820F139D2E00B2447E /* 01ngircd-contents.xml */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.xml; path = "01ngircd-contents.xml"; sourceTree = "<group>"; };
-		FAA3D2830F139D2E00B2447E /* 01ngircd.xml */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.xml; path = 01ngircd.xml; sourceTree = "<group>"; };
-		FAA3D2840F139D2E00B2447E /* 02de-contents.xml */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.xml; path = "02de-contents.xml"; sourceTree = "<group>"; };
-		FAA3D2850F139D2E00B2447E /* 02de.xml */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.xml; path = 02de.xml; sourceTree = "<group>"; };
-		FAA3D2860F139D2E00B2447E /* index.xml */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.xml; path = index.xml; sourceTree = "<group>"; };
-		FAA3D2880F139D2E00B2447E /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; };
-		FAA3D28A0F139D2E00B2447E /* postinstall.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = postinstall.sh; sourceTree = "<group>"; };
-		FAA3D28B0F139D2E00B2447E /* preinstall.sh */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = text.script.sh; path = preinstall.sh; sourceTree = "<group>"; };
-		FAA97C55124A271400D5BBA9 /* sighandlers.c */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.c; path = sighandlers.c; sourceTree = "<group>"; };
-		FAA97C56124A271400D5BBA9 /* sighandlers.h */ = {isa = PBXFileReference; fileEncoding = 5; lastKnownFileType = sourcecode.c.h; path = sighandlers.h; sourceTree = "<group>"; };
-		FAACD5F314A6099C006ED74F /* class.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = class.c; sourceTree = "<group>"; };
-		FAACD5F414A6099C006ED74F /* class.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = class.h; sourceTree = "<group>"; };
-		FAD5852F15271A7800328741 /* Capabilities.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Capabilities.txt; sourceTree = "<group>"; };
-		FAD5853015271AAB00328741 /* client-cap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "client-cap.c"; sourceTree = "<group>"; };
-		FAD5853115271AAB00328741 /* client-cap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "client-cap.h"; sourceTree = "<group>"; };
-		FAD5853315271AB800328741 /* irc-cap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "irc-cap.c"; sourceTree = "<group>"; };
-		FAD5853415271AB800328741 /* irc-cap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "irc-cap.h"; sourceTree = "<group>"; };
-		FAD5853615272C2500328741 /* login.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = login.c; sourceTree = "<group>"; };
-		FAD5853715272C2500328741 /* login.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = login.h; sourceTree = "<group>"; };
-		FAE22BD215270EA300F1A5AB /* Bopm.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Bopm.txt; sourceTree = "<group>"; };
-		FAE22BD415270EA300F1A5AB /* Contributing.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Contributing.txt; sourceTree = "<group>"; };
-		FAE22BD515270EB500F1A5AB /* HowToRelease.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = HowToRelease.txt; sourceTree = "<group>"; };
-		FAE22BD615270EB500F1A5AB /* Modes.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Modes.txt; sourceTree = "<group>"; };
-		FAE22BD715270EB500F1A5AB /* PAM.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = PAM.txt; sourceTree = "<group>"; };
-		FAE22BD815270EC400F1A5AB /* README-Interix.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = "README-Interix.txt"; sourceTree = "<group>"; };
-		FAE5CC2C0CF2308A007D69B6 /* numeric.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = numeric.h; sourceTree = "<group>"; };
-		FAE5CC2D0CF2308A007D69B6 /* numeric.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = numeric.c; sourceTree = "<group>"; };
-/* End PBXFileReference section */
-
-/* Begin PBXFrameworksBuildPhase section */
-		8DD76FAD0486AB0100D96B5E /* Frameworks */ = {
-			isa = PBXFrameworksBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-				FA322DC10CEF77CB001761B3 /* libz.dylib in Frameworks */,
-				FA2D567B11EA1AB300D37A35 /* libpam.dylib in Frameworks */,
-				FA6BBC661605F6D60004247A /* libiconv.dylib in Frameworks */,
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
-/* End PBXFrameworksBuildPhase section */
-
-/* Begin PBXGroup section */
-		08FB7794FE84155DC02AAC07 /* ngIRCd */ = {
-			isa = PBXGroup;
-			children = (
-				FA322D630CEF750F001761B3 /* Makefile.am */,
-				FA322D660CEF7523001761B3 /* contrib */,
-				FA322D970CEF752C001761B3 /* doc */,
-				FA322DAB0CEF7538001761B3 /* man */,
-				FA322CD40CEF74B0001761B3 /* src */,
-				FA322D5A0CEF750F001761B3 /* AUTHORS */,
-				FA322D5C0CEF750F001761B3 /* ChangeLog */,
-				FA322D610CEF750F001761B3 /* COPYING */,
-				FA322D620CEF750F001761B3 /* INSTALL */,
-				FA322D640CEF750F001761B3 /* NEWS */,
-				FA322D650CEF750F001761B3 /* README */,
-				FA322D5B0CEF750F001761B3 /* autogen.sh */,
-				FA322D5E0CEF750F001761B3 /* config.guess */,
-				FA322D5F0CEF750F001761B3 /* config.sub */,
-				FA18A63E16CEDDCE00132F66 /* configure.ng */,
-				1AB674ADFE9D54B511CA2CBB /* Products */,
-				FA6BBC651605F6D60004247A /* libiconv.dylib */,
-				FA2D567A11EA1AB300D37A35 /* libpam.dylib */,
-				FA322DC00CEF77CB001761B3 /* libz.dylib */,
-			);
-			indentWidth = 8;
-			name = ngIRCd;
-			sourceTree = "<group>";
-			tabWidth = 8;
-			usesTabs = 1;
-			wrapsLines = 0;
-		};
-		1AB674ADFE9D54B511CA2CBB /* Products */ = {
-			isa = PBXGroup;
-			children = (
-				FA322BBA0CEF72E4001761B3 /* ngircd */,
-			);
-			name = Products;
-			sourceTree = "<group>";
-		};
-		FA322CD40CEF74B0001761B3 /* src */ = {
-			isa = PBXGroup;
-			children = (
-				FA322CD60CEF74B1001761B3 /* Makefile.am */,
-				FA407F270DB1598D00271AF1 /* ipaddr */,
-				FA322CD70CEF74B1001761B3 /* ngircd */,
-				FA322D0E0CEF74B1001761B3 /* portab */,
-				FA322D1B0CEF74B1001761B3 /* testsuite */,
-				FA322D2E0CEF74B1001761B3 /* tool */,
-			);
-			name = src;
-			path = ../../src;
-			sourceTree = SOURCE_ROOT;
-		};
-		FA322CD70CEF74B1001761B3 /* ngircd */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64616CEE0DD00132F66 /* Makefile.ng */,
-				FA322CD90CEF74B1001761B3 /* array.c */,
-				FA322CDA0CEF74B1001761B3 /* array.h */,
-				FA322CDB0CEF74B1001761B3 /* channel.c */,
-				FA322CDC0CEF74B1001761B3 /* channel.h */,
-				FAACD5F314A6099C006ED74F /* class.c */,
-				FAACD5F414A6099C006ED74F /* class.h */,
-				FA322CDD0CEF74B1001761B3 /* client.c */,
-				FA322CDE0CEF74B1001761B3 /* client.h */,
-				FAD5853015271AAB00328741 /* client-cap.c */,
-				FAD5853115271AAB00328741 /* client-cap.h */,
-				FA322CDF0CEF74B1001761B3 /* conf.c */,
-				FA322CE00CEF74B1001761B3 /* conf.h */,
-				FAA3D2780F139CDC00B2447E /* conf-ssl.h */,
-				FA322CE50CEF74B1001761B3 /* conn.c */,
-				FA322CE60CEF74B1001761B3 /* conn.h */,
-				FA6BBC5F1605F0AB0004247A /* conn-encoding.c */,
-				FA6BBC601605F0AC0004247A /* conn-encoding.h */,
-				FA322CE10CEF74B1001761B3 /* conn-func.c */,
-				FA322CE20CEF74B1001761B3 /* conn-func.h */,
-				FAA3D2790F139CDC00B2447E /* conn-ssl.c */,
-				FAA3D27A0F139CDC00B2447E /* conn-ssl.h */,
-				FA322CE30CEF74B1001761B3 /* conn-zip.c */,
-				FA322CE40CEF74B1001761B3 /* conn-zip.h */,
-				FA322CE70CEF74B1001761B3 /* defines.h */,
-				FA322CE80CEF74B1001761B3 /* hash.c */,
-				FA322CE90CEF74B1001761B3 /* hash.h */,
-				FA322CEA0CEF74B1001761B3 /* io.c */,
-				FA322CEB0CEF74B1001761B3 /* io.h */,
-				FA322CFC0CEF74B1001761B3 /* irc.c */,
-				FA322CFD0CEF74B1001761B3 /* irc.h */,
-				FAD5853315271AB800328741 /* irc-cap.c */,
-				FAD5853415271AB800328741 /* irc-cap.h */,
-				FA322CEC0CEF74B1001761B3 /* irc-channel.c */,
-				FA322CED0CEF74B1001761B3 /* irc-channel.h */,
-				FA6BBC611605F0AC0004247A /* irc-encoding.c */,
-				FA6BBC621605F0AC0004247A /* irc-encoding.h */,
-				FA322CEE0CEF74B1001761B3 /* irc-info.c */,
-				FA322CEF0CEF74B1001761B3 /* irc-info.h */,
-				FA322CF00CEF74B1001761B3 /* irc-login.c */,
-				FA322CF10CEF74B1001761B3 /* irc-login.h */,
-				FA1DBB6716C707D200D4F838 /* irc-macros.h */,
-				FA4F1659164836B100DBD011 /* irc-metadata.c */,
-				FA4F165C164836BF00DBD011 /* irc-metadata.h */,
-				FA322CF20CEF74B1001761B3 /* irc-mode.c */,
-				FA322CF30CEF74B1001761B3 /* irc-mode.h */,
-				FA322CF40CEF74B1001761B3 /* irc-op.c */,
-				FA322CF50CEF74B1001761B3 /* irc-op.h */,
-				FA322CF60CEF74B1001761B3 /* irc-oper.c */,
-				FA322CF70CEF74B1001761B3 /* irc-oper.h */,
-				FA322CF80CEF74B1001761B3 /* irc-server.c */,
-				FA322CF90CEF74B1001761B3 /* irc-server.h */,
-				FA322CFA0CEF74B1001761B3 /* irc-write.c */,
-				FA322CFB0CEF74B1001761B3 /* irc-write.h */,
-				FA322CFE0CEF74B1001761B3 /* lists.c */,
-				FA322CFF0CEF74B1001761B3 /* lists.h */,
-				FA322D000CEF74B1001761B3 /* log.c */,
-				FA322D010CEF74B1001761B3 /* log.h */,
-				FAD5853615272C2500328741 /* login.c */,
-				FAD5853715272C2500328741 /* login.h */,
-				FA322D030CEF74B1001761B3 /* match.c */,
-				FA322D040CEF74B1001761B3 /* match.h */,
-				FA322D050CEF74B1001761B3 /* messages.h */,
-				FA322D060CEF74B1001761B3 /* ngircd.c */,
-				FA322D070CEF74B1001761B3 /* ngircd.h */,
-				FAE5CC2D0CF2308A007D69B6 /* numeric.c */,
-				FAE5CC2C0CF2308A007D69B6 /* numeric.h */,
-				FA85178B0FA061EC006A1F5A /* op.c */,
-				FA85178A0FA061EC006A1F5A /* op.h */,
-				FA2D564911EA158B00D37A35 /* pam.c */,
-				FA2D564811EA158B00D37A35 /* pam.h */,
-				FA322D080CEF74B1001761B3 /* parse.c */,
-				FA322D090CEF74B1001761B3 /* parse.h */,
-				FA99428B10E82A27007F27ED /* proc.c */,
-				FA99428A10E82A27007F27ED /* proc.h */,
-				FA322D0C0CEF74B1001761B3 /* resolve.c */,
-				FA322D0D0CEF74B1001761B3 /* resolve.h */,
-				FAA97C55124A271400D5BBA9 /* sighandlers.c */,
-				FAA97C56124A271400D5BBA9 /* sighandlers.h */,
-			);
-			path = ngircd;
-			sourceTree = "<group>";
-		};
-		FA322D0E0CEF74B1001761B3 /* portab */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64716CEE14900132F66 /* Makefile.ng */,
-				FA322D100CEF74B1001761B3 /* ansi2knr.1 */,
-				FA322D110CEF74B1001761B3 /* ansi2knr.c */,
-				FA322D150CEF74B1001761B3 /* portab.h */,
-				FA322D160CEF74B1001761B3 /* portabtest.c */,
-				FA322D170CEF74B1001761B3 /* splint.h */,
-				FA322D180CEF74B1001761B3 /* strdup.c */,
-				FA322D190CEF74B1001761B3 /* strlcpy.c */,
-				FAA3D27C0F139CF800B2447E /* strtok_r.c */,
-				FA322D1A0CEF74B1001761B3 /* vsnprintf.c */,
-				FAA3D27D0F139CF800B2447E /* waitpid.c */,
-			);
-			path = portab;
-			sourceTree = "<group>";
-		};
-		FA322D1B0CEF74B1001761B3 /* testsuite */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64A16CEE18100132F66 /* Makefile.ng */,
-				FA322D250CEF74B1001761B3 /* README */,
-				FA322D1D0CEF74B1001761B3 /* channel-test.e */,
-				FA322D1E0CEF74B1001761B3 /* check-idle.e */,
-				FA322D1F0CEF74B1001761B3 /* connect-test.e */,
-				FAA3D2700F139CB300B2447E /* invite-test.e */,
-				FAA3D2710F139CB300B2447E /* join-test.e */,
-				FAA3D2720F139CB300B2447E /* kick-test.e */,
-				FAA3D2730F139CB300B2447E /* message-test.e */,
-				FA18A64E16CEE24B00132F66 /* misc-test.e */,
-				FA18A64C16CEE1AC00132F66 /* mode-test.e */,
-				FAA3D2760F139CB300B2447E /* opless-channel-test.e */,
-				FAA3D2770F139CB300B2447E /* server-link-test.e */,
-				FA322D280CEF74B1001761B3 /* stress-A.e */,
-				FA322D290CEF74B1001761B3 /* stress-B.e */,
-				FA1A6BBD0D6857D900AA8F71 /* who-test.e */,
-				FA18A64D16CEE1D900132F66 /* whois-test.e */,
-				FA322D200CEF74B1001761B3 /* functions.inc */,
-				FAA3D2740F139CB300B2447E /* ngircd-test1.conf */,
-				FAA3D2750F139CB300B2447E /* ngircd-test2.conf */,
-				FA322D210CEF74B1001761B3 /* getpid.sh */,
-				FA322D260CEF74B1001761B3 /* start-server.sh */,
-				FA322D270CEF74B1001761B3 /* stop-server.sh */,
-				FA322D2A0CEF74B1001761B3 /* stress-server.sh */,
-				FA322D2B0CEF74B1001761B3 /* test-loop.sh */,
-				FA322D2C0CEF74B1001761B3 /* tests.sh */,
-				FA322D2D0CEF74B1001761B3 /* wait-tests.sh */,
-			);
-			path = testsuite;
-			sourceTree = "<group>";
-		};
-		FA322D2E0CEF74B1001761B3 /* tool */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64F16CEE27700132F66 /* Makefile.ng */,
-				FA322D330CEF74B1001761B3 /* tool.c */,
-				FA322D340CEF74B1001761B3 /* tool.h */,
-			);
-			path = tool;
-			sourceTree = "<group>";
-		};
-		FA322D660CEF7523001761B3 /* contrib */ = {
-			isa = PBXGroup;
-			children = (
-				FA322D8D0CEF7523001761B3 /* Makefile.am */,
-				FA322D680CEF7523001761B3 /* Debian */,
-				FA322D730CEF7523001761B3 /* MacOSX */,
-				FA322D950CEF7523001761B3 /* README */,
-				FA322D920CEF7523001761B3 /* ngindent */,
-				FA4B08E513E7F8FB00765BA3 /* ngircd-bsd.sh */,
-				FA4B08E613E7F91700765BA3 /* ngIRCd-Logo.gif */,
-				FA4B08E713E7F91700765BA3 /* ngircd-redhat.init */,
-				FA18A63F16CEDE2300132F66 /* ngircd.service */,
-				FA18A64016CEDE2300132F66 /* ngircd.socket */,
-				FA322D940CEF7523001761B3 /* ngircd.spec */,
-				FA4B08E813E7F91C00765BA3 /* platformtest.sh */,
-				FA322D960CEF7523001761B3 /* systrace.policy */,
-			);
-			name = contrib;
-			path = ..;
-			sourceTree = SOURCE_ROOT;
-		};
-		FA322D680CEF7523001761B3 /* Debian */ = {
-			isa = PBXGroup;
-			children = (
-				FA322D6E0CEF7523001761B3 /* Makefile.am */,
-				FA322D6A0CEF7523001761B3 /* changelog */,
-				FA322D6B0CEF7523001761B3 /* compat */,
-				FA322D6C0CEF7523001761B3 /* control */,
-				FA322D6D0CEF7523001761B3 /* copyright */,
-				FA322D6F0CEF7523001761B3 /* ngircd.default */,
-				FA322D700CEF7523001761B3 /* ngircd.init */,
-				FA18A64116CEDE3500132F66 /* ngircd.pam */,
-				FA322D710CEF7523001761B3 /* ngircd.postinst */,
-				FA322D720CEF7523001761B3 /* rules */,
-			);
-			path = Debian;
-			sourceTree = "<group>";
-		};
-		FA322D730CEF7523001761B3 /* MacOSX */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64316CEDE8100132F66 /* Makefile.am */,
-				FAA3D2810F139D2E00B2447E /* ngIRCd.pmdoc */,
-				FA322DB10CEF7565001761B3 /* config.h */,
-				FA18A64216CEDE5700132F66 /* de.barton.ngircd.plist.tmpl */,
-				FA322D8E0CEF7523001761B3 /* ngIRCd.xcodeproj */,
-				FAA3D28A0F139D2E00B2447E /* postinstall.sh */,
-				FAA3D28B0F139D2E00B2447E /* preinstall.sh */,
-			);
-			path = MacOSX;
-			sourceTree = "<group>";
-		};
-		FA322D8F0CEF7523001761B3 /* Products */ = {
-			isa = PBXGroup;
-			children = (
-			);
-			name = Products;
-			sourceTree = "<group>";
-		};
-		FA322D970CEF752C001761B3 /* doc */ = {
-			isa = PBXGroup;
-			children = (
-				FA322D9B0CEF752C001761B3 /* Makefile.am */,
-				FA322DA20CEF752C001761B3 /* src */,
-				FAE22BD215270EA300F1A5AB /* Bopm.txt */,
-				FAD5852F15271A7800328741 /* Capabilities.txt */,
-				FA18A64416CEDFCE00132F66 /* Commands.txt */,
-				FAE22BD415270EA300F1A5AB /* Contributing.txt */,
-				FA322D9A0CEF752C001761B3 /* FAQ.txt */,
-				FA407F380DB15AC700271AF1 /* GIT.txt */,
-				FAE22BD515270EB500F1A5AB /* HowToRelease.txt */,
-				FAE22BD615270EB500F1A5AB /* Modes.txt */,
-				FAE22BD715270EB500F1A5AB /* PAM.txt */,
-				FA322D9C0CEF752C001761B3 /* Platforms.txt */,
-				FA322D9D0CEF752C001761B3 /* Protocol.txt */,
-				FA322D9E0CEF752C001761B3 /* README-AUX.txt */,
-				FA322D9F0CEF752C001761B3 /* README-BeOS.txt */,
-				FAE22BD815270EC400F1A5AB /* README-Interix.txt */,
-				FA322DA00CEF752C001761B3 /* RFC.txt */,
-				FAA3D2800F139D1500B2447E /* Services.txt */,
-				FA322DA90CEF752C001761B3 /* SSL.txt */,
-				FA77849A133FB9FF00740057 /* sample-ngircd.conf.tmpl */,
-			);
-			name = doc;
-			path = ../../doc;
-			sourceTree = SOURCE_ROOT;
-		};
-		FA322DA20CEF752C001761B3 /* src */ = {
-			isa = PBXGroup;
-			children = (
-				FA322DA70CEF752C001761B3 /* Makefile.am */,
-				FA322DA40CEF752C001761B3 /* Doxyfile */,
-				FA322DA50CEF752C001761B3 /* footer.inc.html */,
-			);
-			path = src;
-			sourceTree = "<group>";
-		};
-		FA322DAB0CEF7538001761B3 /* man */ = {
-			isa = PBXGroup;
-			children = (
-				FA322DAD0CEF7538001761B3 /* Makefile.am */,
-				FA322DAE0CEF7538001761B3 /* ngircd.8.tmpl */,
-				FA322DAF0CEF7538001761B3 /* ngircd.conf.5.tmpl */,
-			);
-			name = man;
-			path = ../../man;
-			sourceTree = SOURCE_ROOT;
-		};
-		FA407F270DB1598D00271AF1 /* ipaddr */ = {
-			isa = PBXGroup;
-			children = (
-				FA18A64516CEE0C700132F66 /* Makefile.ng */,
-				FA407F2C0DB159F400271AF1 /* ng_ipaddr.c */,
-				FA407F2D0DB159F400271AF1 /* ng_ipaddr.h */,
-			);
-			name = ipaddr;
-			sourceTree = "<group>";
-		};
-		FAA3D2810F139D2E00B2447E /* ngIRCd.pmdoc */ = {
-			isa = PBXGroup;
-			children = (
-				FAA3D2880F139D2E00B2447E /* Makefile.am */,
-				FAA3D2860F139D2E00B2447E /* index.xml */,
-				FAA3D2830F139D2E00B2447E /* 01ngircd.xml */,
-				FAA3D2820F139D2E00B2447E /* 01ngircd-contents.xml */,
-				FAA3D2850F139D2E00B2447E /* 02de.xml */,
-				FAA3D2840F139D2E00B2447E /* 02de-contents.xml */,
-			);
-			path = ngIRCd.pmdoc;
-			sourceTree = "<group>";
-		};
-/* End PBXGroup section */
-
-/* Begin PBXNativeTarget section */
-		8DD76FA90486AB0100D96B5E /* ngIRCd */ = {
-			isa = PBXNativeTarget;
-			buildConfigurationList = 1DEB928508733DD80010E9CD /* Build configuration list for PBXNativeTarget "ngIRCd" */;
-			buildPhases = (
-				8DD76FAB0486AB0100D96B5E /* Sources */,
-				8DD76FAD0486AB0100D96B5E /* Frameworks */,
-				8DD76FAF0486AB0100D96B5E /* CopyFiles */,
-			);
-			buildRules = (
-			);
-			dependencies = (
-			);
-			name = ngIRCd;
-			productInstallPath = "$(HOME)/bin";
-			productName = ngIRCd;
-			productReference = FA322BBA0CEF72E4001761B3 /* ngircd */;
-			productType = "com.apple.product-type.tool";
-		};
-/* End PBXNativeTarget section */
-
-/* Begin PBXProject section */
-		08FB7793FE84155DC02AAC07 /* Project object */ = {
-			isa = PBXProject;
-			attributes = {
-				LastUpgradeCheck = 0800;
-			};
-			buildConfigurationList = 1DEB928908733DD80010E9CD /* Build configuration list for PBXProject "ngIRCd" */;
-			compatibilityVersion = "Xcode 3.2";
-			developmentRegion = English;
-			hasScannedForEncodings = 1;
-			knownRegions = (
-				English,
-				Japanese,
-				French,
-				German,
-			);
-			mainGroup = 08FB7794FE84155DC02AAC07 /* ngIRCd */;
-			projectDirPath = "";
-			projectReferences = (
-				{
-					ProductGroup = FA322D8F0CEF7523001761B3 /* Products */;
-					ProjectRef = FA322D8E0CEF7523001761B3 /* ngIRCd.xcodeproj */;
-				},
-			);
-			projectRoot = "";
-			targets = (
-				8DD76FA90486AB0100D96B5E /* ngIRCd */,
-			);
-		};
-/* End PBXProject section */
-
-/* Begin PBXSourcesBuildPhase section */
-		8DD76FAB0486AB0100D96B5E /* Sources */ = {
-			isa = PBXSourcesBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-				FA322D350CEF74B1001761B3 /* array.c in Sources */,
-				FA322D360CEF74B1001761B3 /* channel.c in Sources */,
-				FA322D370CEF74B1001761B3 /* client.c in Sources */,
-				FA322D380CEF74B1001761B3 /* conf.c in Sources */,
-				FA322D390CEF74B1001761B3 /* conn-func.c in Sources */,
-				FA322D3A0CEF74B1001761B3 /* conn-zip.c in Sources */,
-				FA322D3B0CEF74B1001761B3 /* conn.c in Sources */,
-				FA322D3C0CEF74B1001761B3 /* hash.c in Sources */,
-				FA322D3D0CEF74B1001761B3 /* io.c in Sources */,
-				FA322D3E0CEF74B1001761B3 /* irc-channel.c in Sources */,
-				FA322D3F0CEF74B1001761B3 /* irc-info.c in Sources */,
-				FA322D400CEF74B1001761B3 /* irc-login.c in Sources */,
-				FA322D410CEF74B1001761B3 /* irc-mode.c in Sources */,
-				FA322D420CEF74B1001761B3 /* irc-op.c in Sources */,
-				FA322D430CEF74B1001761B3 /* irc-oper.c in Sources */,
-				FA322D440CEF74B1001761B3 /* irc-server.c in Sources */,
-				FA322D450CEF74B1001761B3 /* irc-write.c in Sources */,
-				FA322D460CEF74B1001761B3 /* irc.c in Sources */,
-				FA322D470CEF74B1001761B3 /* lists.c in Sources */,
-				FA322D480CEF74B1001761B3 /* log.c in Sources */,
-				FA322D490CEF74B1001761B3 /* match.c in Sources */,
-				FA322D4A0CEF74B1001761B3 /* ngircd.c in Sources */,
-				FA322D4B0CEF74B1001761B3 /* parse.c in Sources */,
-				FA322D4D0CEF74B1001761B3 /* resolve.c in Sources */,
-				FA322DBE0CEF7766001761B3 /* tool.c in Sources */,
-				FAE5CC2E0CF2308A007D69B6 /* numeric.c in Sources */,
-				FA407F2E0DB159F400271AF1 /* ng_ipaddr.c in Sources */,
-				FAA3D27B0F139CDC00B2447E /* conn-ssl.c in Sources */,
-				FA85178C0FA061EC006A1F5A /* op.c in Sources */,
-				FA99428C10E82A27007F27ED /* proc.c in Sources */,
-				FA2D564A11EA158B00D37A35 /* pam.c in Sources */,
-				FAA97C57124A271400D5BBA9 /* sighandlers.c in Sources */,
-				FAACD5F514A6099C006ED74F /* class.c in Sources */,
-				FAD5853215271AAB00328741 /* client-cap.c in Sources */,
-				FAD5853515271AB800328741 /* irc-cap.c in Sources */,
-				FAD5853815272C2600328741 /* login.c in Sources */,
-				FA6BBC631605F0AC0004247A /* conn-encoding.c in Sources */,
-				FA6BBC641605F0AC0004247A /* irc-encoding.c in Sources */,
-				FA4F165A164836B100DBD011 /* irc-metadata.c in Sources */,
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
-/* End PBXSourcesBuildPhase section */
-
-/* Begin XCBuildConfiguration section */
-		1DEB928708733DD80010E9CD /* Default */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES;
-				GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_MISSING_NEWLINE = YES;
-				GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES;
-				GCC_WARN_CHECK_SWITCH_STATEMENTS = YES;
-				GCC_WARN_FOUR_CHARACTER_CONSTANTS = YES;
-				GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES;
-				GCC_WARN_MISSING_PARENTHESES = YES;
-				GCC_WARN_PEDANTIC = YES;
-				GCC_WARN_SHADOW = YES;
-				GCC_WARN_SIGN_COMPARE = YES;
-				GCC_WARN_TYPECHECK_CALLS_TO_PRINTF = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNKNOWN_PRAGMAS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_LABEL = YES;
-				GCC_WARN_UNUSED_PARAMETER = YES;
-				GCC_WARN_UNUSED_VALUE = YES;
-				INSTALL_PATH = /usr/local/bin;
-				PRODUCT_NAME = ngircd;
-			};
-			name = Default;
-		};
-		1DEB928B08733DD80010E9CD /* Default */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INFINITE_RECURSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_SUSPICIOUS_MOVE = YES;
-				CLANG_WARN_UNREACHABLE_CODE = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_IDENTITY = "";
-				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				GCC_NO_COMMON_BLOCKS = NO;
-				GCC_VERSION = "";
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 10.6;
-				SDKROOT = "";
-			};
-			name = Default;
-		};
-		FAB0570C105D917F006AF9E2 /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INFINITE_RECURSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_SUSPICIOUS_MOVE = YES;
-				CLANG_WARN_UNREACHABLE_CODE = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				ENABLE_TESTABILITY = YES;
-				GCC_DEBUGGING_SYMBOLS = full;
-				GCC_NO_COMMON_BLOCKS = NO;
-				GCC_OPTIMIZATION_LEVEL = 0;
-				GCC_VERSION = "";
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 10.6;
-				ONLY_ACTIVE_ARCH = YES;
-				SDKROOT = "";
-			};
-			name = Debug;
-		};
-		FAB0570D105D917F006AF9E2 /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES;
-				GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_MISSING_NEWLINE = YES;
-				GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES;
-				GCC_WARN_CHECK_SWITCH_STATEMENTS = YES;
-				GCC_WARN_FOUR_CHARACTER_CONSTANTS = YES;
-				GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES;
-				GCC_WARN_MISSING_PARENTHESES = YES;
-				GCC_WARN_PEDANTIC = YES;
-				GCC_WARN_SHADOW = YES;
-				GCC_WARN_SIGN_COMPARE = YES;
-				GCC_WARN_TYPECHECK_CALLS_TO_PRINTF = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = NO;
-				GCC_WARN_UNKNOWN_PRAGMAS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_LABEL = YES;
-				GCC_WARN_UNUSED_PARAMETER = YES;
-				GCC_WARN_UNUSED_VALUE = YES;
-				INSTALL_PATH = /usr/local/bin;
-				PRODUCT_NAME = ngircd;
-			};
-			name = Debug;
-		};
-/* End XCBuildConfiguration section */
-
-/* Begin XCConfigurationList section */
-		1DEB928508733DD80010E9CD /* Build configuration list for PBXNativeTarget "ngIRCd" */ = {
-			isa = XCConfigurationList;
-			buildConfigurations = (
-				1DEB928708733DD80010E9CD /* Default */,
-				FAB0570D105D917F006AF9E2 /* Debug */,
-			);
-			defaultConfigurationIsVisible = 0;
-			defaultConfigurationName = Default;
-		};
-		1DEB928908733DD80010E9CD /* Build configuration list for PBXProject "ngIRCd" */ = {
-			isa = XCConfigurationList;
-			buildConfigurations = (
-				1DEB928B08733DD80010E9CD /* Default */,
-				FAB0570C105D917F006AF9E2 /* Debug */,
-			);
-			defaultConfigurationIsVisible = 0;
-			defaultConfigurationName = Default;
-		};
-/* End XCConfigurationList section */
-	};
-	rootObject = 08FB7793FE84155DC02AAC07 /* Project object */;
-}
--- a/contrib/MacOSX/postinstall.sh
+++ b/contrib/MacOSX/postinstall.sh
@ -1,56 +0,0 @@
-#!/bin/sh
-# ngIRCd Mac OS X postinstall/postupgrade script
-
-LDPLIST="/Library/LaunchDaemons/de.barton.ngircd.plist"
-
-if [ ! -e /etc/ngircd ]; then
-	echo "Creating symlink: /opt/ngircd/etc -> /etc/ngircd"
-	ln -s /opt/ngircd/etc /etc/ngircd || exit 1
-else
-	echo "/etc/ngircd already exists. Don't create symlink."
-fi
-
-if [ ! -e /opt/ngircd/etc/ngircd.conf ]; then
-	echo "Creating default configuration: /opt/ngircd/etc/ngircd.conf"
-	cp /opt/ngircd/share/doc/ngircd/sample-ngircd.conf \
-	 /opt/ngircd/etc/ngircd.conf || exit 1
-else
-	echo "/opt/ngircd/etc/ngircd.conf exists. Don't copy sample file."
-fi
-chmod o-rwx /opt/ngircd/etc/ngircd.conf
-
-if [ ! -e /opt/ngircd/etc/ngircd.pam ]; then
-	echo "Creating default PAM configuration: /opt/ngircd/etc/ngircd.pam"
-	echo "# PAM configuration for ngIRCd" >/opt/ngircd/etc/ngircd.pam
-	echo "" >>/opt/ngircd/etc/ngircd.pam
-	echo "auth required pam_permit.so" >>/opt/ngircd/etc/ngircd.pam
-	echo "#auth required pam_opendirectory.so" >>/opt/ngircd/etc/ngircd.pam
-fi
-chmod 644 /opt/ngircd/etc/ngircd.pam
-
-if [ ! -e /etc/pam.d/ngircd ]; then
-	echo "Linkint /opt/ngircd/etc/ngircd.pam to /etc/pam.d/ngircd"
-	ln -s /opt/ngircd/etc/ngircd.pam /etc/pam.d/ngircd || exit 1
-fi
-
-if [ -f "$LDPLIST" ]; then
-	echo "Fixing ownership and permissions of LaunchDaemon script ..."
-	chown root:wheel "$LDPLIST" || exit 1
-	chmod 644 "$LDPLIST" || exit 1
-fi
-
-if [ -f /tmp/ngircd_needs_restart ]; then
-	echo "ngIRCd should be (re-)started ..."
-	if [ -r "$LDPLIST" ]; then
-		echo "LaunchDaemon script found, starting daemon ..."
-		launchctl load -w "$LDPLIST" || exit 1
-		echo "OK, LaunchDaemon script loaded successfully."
-	else
-		echo "LaunchDaemon script not installed. Can't start daemon."
-	fi
-else
-	echo "Not loading LaunchDaemon script."
-fi
-rm -f /tmp/ngircd_needs_restart
-
-# -eof-
--- a/contrib/MacOSX/preinstall.sh
+++ b/contrib/MacOSX/preinstall.sh
@ -1,25 +0,0 @@
-#!/bin/sh
-# ngIRCd Mac OS X preinstall/preupgrade script
-
-LDPLIST="/Library/LaunchDaemons/de.barton.ngircd.plist"
-
-rm -f /tmp/ngircd_needs_restart || exit 1
-if [ -r "$LDPLIST" ]; then
-	echo "LaunchDaemon script found, checking status ..."
-	launchctl list | fgrep "de.barton.ngIRCd" >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		# ngIRCd is already running; stop it and touch a
-		# "stamp file" so that we know that we have to
-		# restart it after installation/upgrade.
-		echo "ngIRCd is already running; stop it ..."
-		launchctl unload "$LDPLIST" || exit 1
-		echo "Daemon has been stopped."
-		touch /tmp/ngircd_needs_restart || exit 1
-	else
-		echo "ngIRCd is not running."
-	fi
-else
-	echo "LaunchDaemon script not found."
-fi
-
-# -eof-
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2013 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -9,18 +9,23 @@
 # Please read the file COPYING, README and AUTHORS for more information.
 #

-SUBDIRS = Debian MacOSX
+SUBDIRS = Debian

-EXTRA_DIST = README \
-	ngindent \
+EXTRA_DIST = README.md \
+	de.barton.ngircd.metainfo.xml \
+	de.barton.ngircd.plist \
+	Dockerfile \
+	ngindent.sh \
 	ngircd-bsd.sh \
+	ngircd-fail2ban.conf \
 	ngIRCd-Logo.gif \
 	ngircd-redhat.init \
+	ngircd.logcheck \
 	ngircd.service \
 	ngircd.socket \
 	ngircd.spec \
-	platformtest.sh \
-	systrace.policy
+	nglog.sh \
+	platformtest.sh

 maintainer-clean-local:
 	rm -f Makefile Makefile.in
--- a/contrib/README
+++ b/contrib/README
@ -1,43 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-                           http://ngircd.barton.de/
-
-               (c)2001-2013 Alexander Barton and Contributors.
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                             -- Contributions --
-
-
-Debian/
- - Various files for building Debian GNU/Linux packages (".deb's").
-	- ngircd.init; ngircd.default: init script for Debian-based systems.
-	- ngircd.pam: example PAM configuration.
-
-MacOSX/
- - Project files for XCode, the "project builder" of Apple Mac OS X.
-	- de.barton.ngircd.plist[.tmpl]: launchd(8) property list.
-
-ngindent
- - Script to indent the code of ngIRCd in the "standard way".
-
-ngircd-bsd.sh
- - Start script for FreeBSD.
-
-ngircd-redhat.init
- - Start/stop script for RedHat-based distributions (like CentOS).
-
-ngircd.service
- - systemd(8) service unit configuration file.
-
-ngircd.socket
- - systemd(8) socket unit configuration file for "socket activation".
-
-ngircd.spec
- - RPM "spec" file.
-
-platformtest.sh
- - Build ngIRCd and output a "result line" suitable for doc/Platforms.txt.
-
-systrace.policy
- - Systrace policy file for OpenBSD (and probably NetBSD).
--- a/contrib/README.md
+++ b/contrib/README.md
@ -0,0 +1,40 @@
+# [ngIRCd](https://ngircd.barton.de) - Supplemental Files
+
+This `contrib/` directory contains the following sub-folders and files:
+
+- `Debian/` folder: This subfolder contains the _rules_ file and additional
+  assets for building Debian packages.
+
+- `de.barton.ngircd.metainfo.xml`: AppStream metadata file.
+
+- `de.barton.ngircd.plist[.tmpl]`: launchd(8) property list file.
+
+- `Dockerfile`: Container definition file, for Docker or Podman for example.
+  More information can be found in the `doc/Container.md` file.
+
+- `ngindent.sh`: Script to indent the code of ngIRCd in the "standard way".
+
+- `ngircd-bsd.sh`: Start/stop script for FreeBSD.
+
+- `ngircd-fail2ban.conf`: fail2ban(1) filter configuration for ngIRCd.
+
+- `ngircd-redhat.init`: Start/stop script for old(er) RedHat-based
+  distributions (like CentOS and Fedora), which did _not_ use systemd(8).
+
+- `ngIRCd-Logo.gif`: The ngIRCd logo as GIF file.
+
+- `ngircd.logcheck`: Sample rules for logcheck(8) to ignore "normal" log
+  messages of ngIRCd.
+
+- `ngircd.service`: systemd(8) service unit configuration file.
+
+- `ngircd.socket`: systemd(8) socket unit configuration file for "socket
+  activation".
+
+- `ngircd.spec`: RPM "spec" file.
+
+- `nglog.sh`: Script for colorizing the log messages of ngircd(8) according to
+  their log level. Example: `./src/ngircd/ngircd -n | ./contrib/nglog.sh`.
+
+- `platformtest.sh`: Build ngIRCd and output a "result line" suitable for
+  the `doc/Platforms.txt` file.
--- a/contrib/de.barton.ngircd.metainfo.xml
+++ b/contrib/de.barton.ngircd.metainfo.xml
@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="service">
+	<id>de.barton.ngircd</id>
+	<name>ngIRCd</name>
+	<summary>Lightweight Internet Relay Chat server</summary>
+	<metadata_license>MIT</metadata_license>
+	<project_license>GPL-2.0-or-later</project_license>
+	<developer_name>Alexander Barton and Contributors</developer_name>
+	<update_contact>alex@barton.de</update_contact>
+	<description>
+		<p>ngIRCd is a free, portable and lightweight Internet Relay Chat server for small or private networks, developed under the GNU General Public License (GPL).</p>
+		<p>The server is quite easy to configure and runs as a single-node server or can be part of a network of ngIRCd servers in a LAN or across the internet. It optionally supports the IPv6 protocol, SSL/TLS-protected client-server and server-server links, the Pluggable Authentication Modules (PAM) system for user authentication, IDENT requests, and character set conversion for legacy clients.</p>
+		<p>The name ngIRCd stands for next-generation IRC daemon, which is a little bit exaggerated: lightweight Internet Relay Chat server most probably would have been a better name :-)</p>
+	</description>
+	<icon type="remote" width="300" height="300">https://ngircd.barton.de/common/ngircd-300x300.png</icon>
+	<categories>
+		<category>Network</category>
+	</categories>
+	<url type="homepage">https://ngircd.barton.de</url>
+	<url type="bugtracker">https://ngircd.barton.de/bugtracker</url>
+	<url type="help">https://ngircd.barton.de/support</url>
+	<provides>
+		<binary>ngircd</binary>
+	</provides>
+	<launchable type="service">ngircd</launchable>
+	<releases>
+		<release version="27" date="2024-04-26" />
+		<release version="27~rc1" date="2024-04-13" />
+		<release version="26.1" date="2021-01-02" />
+		<release version="26" date="2020-06-20" />
+		<release version="26~rc2" date="2020-06-11" type="development" />
+		<release version="26~rc1" date="2020-05-10" type="development" />
+		<release version="25" date="2019-01-23" />
+		<release version="25~rc1" date="2018-08-11" type="development" />
+		<release version="24" date="2017-01-20" />
+		<release version="24~rc1" date="2017-01-07" type="development" />
+		<release version="23" date="2015-11-16" />
+		<release version="23~rc1" date="2015-09-06" type="development" />
+		<release version="22.1" date="2015-04-06" />
+		<release version="22" date="2014-10-11" />
+		<release version="22~rc1" date="2014-09-29" type="development" />
+		<release version="21.1" date="2014-03-25" />
+		<release version="21" date="2013-10-30" />
+		<release version="21~rc2" date="2013-10-20" type="development" />
+		<release version="21~rc1" date="2013-10-05" type="development" />
+		<release version="20.3" date="2013-08-23" />
+		<release version="20.2" date="2013-02-15" />
+		<release version="20.1" date="2013-01-02" />
+		<release version="20" date="2012-12-17" />
+		<release version="20~rc2" date="2012-12-02" type="development" />
+		<release version="20~rc1" date="2012-11-11" type="development" />
+		<release version="19.2" date="2012-06-19" />
+		<release version="19.2~rc1" date="2012-06-13" type="development" />
+		<release version="19.1" date="2012-03-19" />
+		<release version="19" date="2012-02-29" />
+		<release version="19~rc1" date="2012-02-12" type="development" />
+		<release version="18" date="2011-07-10" />
+		<release version="18~rc2" date="2011-06-29" type="development" />
+		<release version="18~rc1" date="2011-06-27" type="development" />
+		<release version="17.1" date="2010-12-19" />
+		<release version="17" date="2010-11-07" />
+		<release version="17~rc3" date="2010-10-27" type="development" />
+		<release version="17~rc2" date="2010-10-25" type="development" />
+		<release version="17~rc1" date="2010-10-11" type="development" />
+		<release version="16" date="2010-05-02" />
+		<release version="16~rc2" date="2010-04-25" type="development" />
+		<release version="16~rc1" date="2010-03-25" type="development" />
+		<release version="15" date="2009-11-07" />
+		<release version="15~rc1" date="2009-10-15" type="development" />
+		<release version="14.1" date="2009-05-05" />
+		<release version="14" date="2009-04-20" />
+		<release version="14~rc1" date="2009-03-29" type="development" />
+		<release version="13" date="2008-12-25" />
+		<release version="0.12.1" date="2008-07-09" />
+		<release version="0.12.0" date="2008-05-13" />
+		<release version="0.12.0-pre2" date="2008-04-29" type="development" />
+		<release version="0.12.0-pre1" date="2008-04-20" type="development" />
+		<release version="0.11.1" date="2008-02-26" />
+		<release version="0.11.0" date="2008-01-15" />
+		<release version="0.11.0-pre2" date="2008-01-07" type="development" />
+		<release version="0.11.0-pre1" date="2008-01-02" type="development" />
+		<release version="0.10.4" date="2008-01-07" />
+		<release version="0.10.3" date="2007-08-01" />
+		<release version="0.10.2" date="2007-06-08" />
+		<release version="0.10.2-pre2" date="2007-05-19" type="development" />
+		<release version="0.10.2-pre1" date="2007-05-05" type="development" />
+		<release version="0.10.1" date="2006-12-17" />
+		<release version="0.10.0" date="2006-10-01" />
+		<release version="0.10.0-pre2" date="2006-09-09" type="development" />
+		<release version="0.10.0-pre1" date="2006-08-02" type="development" />
+		<release version="0.9.2" date="2005-10-15" />
+		<release version="0.9.1" date="2005-08-03" />
+		<release version="0.9.0" date="2005-07-24" />
+		<release version="0.9.0-pre1" date="2005-07-09" type="development" />
+		<release version="0.8.3" date="2005-02-03" />
+		<release version="0.8.2" date="2005-01-26" />
+		<release version="0.8.1" date="2004-12-25" />
+		<release version="0.8.0" date="2004-06-26" />
+		<release version="0.8.0-pre1" date="2004-05-07" type="development" />
+		<release version="0.7.7" date="2004-02-05" />
+		<release version="0.7.6" date="2003-12-05" />
+		<release version="0.7.5" date="2003-11-07" />
+		<release version="0.7.1" date="2003-07-18" />
+		<release version="0.7.0" date="2003-05-01" />
+		<release version="0.7.0-pre2" date="2003-04-27" type="development" />
+		<release version="0.7.0-pre1" date="2003-04-22" type="development" />
+		<release version="0.6.0" date="2002-12-24" />
+		<release version="0.6.0-pre2" date="2002-12-23" type="development" />
+		<release version="0.6.0-pre1" date="2002-12-18" type="development" />
+		<release version="0.5.4" date="2002-11-24" />
+		<release version="0.5.3" date="2002-11-08" />
+		<release version="0.5.2" date="2002-10-04" />
+		<release version="0.5.1" date="2002-10-03" />
+		<release version="0.5.0" date="2002-09-20" />
+		<release version="0.5.0-pre2" date="2002-09-17" type="development" />
+		<release version="0.5.0-pre1" date="2002-09-16" type="development" />
+		<release version="0.4.3" date="2002-06-11" />
+		<release version="0.4.2" date="2002-04-29" />
+		<release version="0.4.1" date="2002-04-08" />
+		<release version="0.4.0" date="2002-04-01" />
+		<release version="0.3.0" date="2002-03-02" />
+		<release version="0.2.1" date="2002-02-17" />
+		<release version="0.2.0" date="2002-02-15" />
+		<release version="0.1.0" date="2002-01-29" />
+		<release version="0.0.3" date="2002-01-16" />
+		<release version="0.0.2" date="2002-01-06" />
+		<release version="0.0.1" date="2001-12-31" />
+	</releases>
+</component>
--- a/contrib/MacOSX/de.barton.ngircd.plist.tmpl
+++ b/contrib/MacOSX/de.barton.ngircd.plist.tmpl
@ -10,7 +10,7 @@
 	<string>de.barton.ngIRCd</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>:SBINDIR:/ngircd</string>
+		<string>/opt/ngircd/sbin/ngircd</string>
 		<string>--nodaemon</string>
 	</array>
 	<key>RunAtLoad</key>
--- a/contrib/ngindent
+++ b/contrib/ngindent
@ -1,17 +0,0 @@
-#!/bin/sh
-
-INDENTARGS="-kr -i8 -ts8 -l80 -c3 -cd41 -ss -ncs -psl"
-
-# check if indent(1) is available
-command -v indent >/dev/null 2>&1 && INDENT="indent"
-command -v gindent >/dev/null 2>&1 && INDENT="gindent"
-command -v gnuindent >/dev/null 2>&1 && INDENT="gnuindent"
-
-if [ -z "$INDENT" ]; then
-	echo "Error: GNU \"indent\" not found!"
-	exit 1
-fi
-
-$INDENT -v $INDENTARGS "$@"
-
-# -eof-
--- a/contrib/ngindent.sh
+++ b/contrib/ngindent.sh
@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# ngIRCd -- The Next Generation IRC Daemon
+# Copyright (c)2001-2019 Alexander Barton (alex@barton.de) and Contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# Please read the file COPYING, README and AUTHORS for more information.
+#
+# This script uses GNU indent(1) to format C source code files of ngIRCd.
+# Usage:
+#  - ./contrib/ngindent.sh [<file> [<file> [...]]]
+#  - cat ./src/ngircd/<c_file> | ./contrib/ngindent.sh
+
+# Use a coding-style based on "Kernighan & Ritchie" (-kr):
+INDENTARGS="-kr
+	-bad
+	-c3
+	-cd41
+	-i8
+	-l80
+	-ncs
+	-psl
+	-sob
+	-ss
+	-ts8
+	-blf
+	-il0
+"
+
+# check if indent(1) is available
+command -v indent >/dev/null 2>&1 && INDENT="indent"
+command -v gindent >/dev/null 2>&1 && INDENT="gindent"
+command -v gnuindent >/dev/null 2>&1 && INDENT="gnuindent"
+
+if [ -z "$INDENT" ]; then
+	echo "Error: GNU \"indent\" not found!"
+	exit 1
+fi
+
+# shellcheck disable=SC2086
+$INDENT -v $INDENTARGS "$@"
+
+# -eof-
--- a/contrib/ngircd-fail2ban.conf
+++ b/contrib/ngircd-fail2ban.conf
@ -0,0 +1,25 @@
+# Fail2ban filter for ngIRCd
+#
+# Put into /etc/fail2ban/filter.d/ngircd.conf and enable in your jail.local
+# configuration like this:
+#
+# [ngircd]
+# enabled = true
+# backend = systemd
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[DEFAULT]
+
+_daemon = ngircd
+
+[Definition]
+
+failregex = ^%(__prefix_line)sRefused connection from <ADDR> on socket \d+:
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=ngircd.service + _COMM=ngircd
--- a/contrib/ngircd.logcheck
+++ b/contrib/ngircd.logcheck
@ -0,0 +1,54 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: ".*" added ".*" to G-Line list: ".*" \([0-9]+ seconds\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: (GnuTLS|OpenSSL) .* initialized\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Accepted connection [0-9]+ from ".*:[0-9]+" on socket [0-9]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Address mismatch:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Can't create pre-defined channel ".*": name already in use\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Can't resolve( address)? ".*": (Name or service not known|No address associated with hostname|Temporary failure in name resolution)( \[.*\]\.)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Client( ".*")? unregistered \(connection [0-9]+\): (Can't connect|Client closed connection|Got QUIT command|Read error|Server configuration already in use|SSL accept error, closing socket|Timeout|Write error)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Connection [0-9]+ \(socket [0-9]+\) with ".*:[0-9]+" established\. Now logging in \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Connection [0-9]+ with ".*:[0-9]+" closed \(in: .*, out: .*\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Connection [0-9]+: initialized TLSv?1\.[0123] using cipher .*\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Created pre-defined channel ".*", mode ".*" \((channel key set|no channel key), user limit [0-9]+\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Deleted ".*" \(".*"\) from G-Line list \(expired\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Enabled link compression \(zlib\) on connection [0-9]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Establishing connection for ".*" to ".*:[0-9]+" \(.*\), socket [0-9]+ \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: File descriptor limit is [0-9]+; "MaxConnections" is (not set|set to [0-9]+)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Got (valid server|unchecked peer) certificate: .*\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Got signal "(Hangup|Terminated)" \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Got valid OPER for ".*" from ".*", user is an IRC operator now\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: IDENT lookup for connection [0-9]+: (no result|".*")\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: IO subsystem: epoll \(hint size 100, initial maxfd 100, masterfd [0-9]+\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Not running with changed root directory\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Now listening on .*:[0-9]+ \(socket [0-9]+\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Peer did not present a certificate\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Peer on connection [0-9]+ announces itself as .* using protocol .* \(flags: ".*"\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Possible forgery: .* resolved to ".*", which (has no IP address|points to a different address)!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Preparing to establish a new server link for ".*" \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Re-reading configuration NOW!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Re-reading of configuration done\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Read error on connection [0-9]+ \(socket [0-9]+\): Connection reset by peer!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Running as user .*, group .*, with PID [0-9]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: SSL connection on socket [0-9]+ failed!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: SSL error, client disconnected \[in .*\(\)\]!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: SSL error: (Connection reset by peer|Broken pipe) \[in .*\]!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: SSL protocol error: (ConnSSL_Read|ConnSSL_Write|SSL_accept) \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" \(on ".*"\) ready\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" registered \(connection [0-9]+, 1 hop - direct link\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" registered \(via .*, connected to .*, [0-9]+ hops\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" unregistered \(connection [0-9]+\): Ping timeout: [0-9]+ seconds\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" unregistered( \(connection [0-9]+\))?: .* \(Server going down\)\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server ".*" unregistered: .* .*\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server \".*\" \(on ".*"\) ready\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Server going down NOW!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Shutting down all listening sockets \([0-9]+ total\) \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Shutting down connection [0-9]+ \(Can't connect|Client closed connection|Closing connection: .* \(Server going down\)|Got QUIT command|ID ".*" already registered|Ping timeout: [0-9]+ seconds|Read error|SSL accept error, closing socket|Server configuration already in use|Server going down|Timeout|Write error|".*" \((G-Line|SQUIT from .*)\)\) with ".*:[0-9]+" \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Synchronization with ".*" done \(connection [0-9]+\): [0-9]+ seconds? \[[0-9]+ users, [0-9]+ channels\]\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: User ".*!.*@.*" changed nick \(connection [0-9]+\): ".*" -> ".*"\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: User ".*!.*@.*" registered \(connection [0-9]+\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: User ".*!.*@.*" unregistered \(connection [0-9]+\): (Client closed connection|Got QUIT command|Ping timeout: [0-9]+ seconds|Read error|Server going down)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Using (default|specified) configuration file ".*" \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: Write error on connection [0-9]+ \(socket [0-9]+\): (Broken pipe|Connection reset by peer)!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: ngIRCd [0-9].* starting \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: ngIRCd done, served [0-9]+ connections?\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: warning: /etc/hosts\.allow, line [0-9]+: (can't verify hostname|host name/address mismatch): getaddrinfo\(.*, AF_INET\) failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ngircd\[[0-9]+\]: warning: can't get client address: Connection reset by peer$
--- a/contrib/ngircd.service
+++ b/contrib/ngircd.service
@ -6,12 +6,12 @@ Description=Next Generation IRC Daemon
 Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
 After=network.target
 Wants=anope.service atheme.service irc-services.service
-Wants=bopm.service
+Wants=bopm.service hopm.service
 Before=anope.service atheme.service irc-services.service
-Before=bopm.service
+Before=bopm.service hopm.service

 [Service]
-Type=forking
+Type=notify
 User=irc
 Group=irc
 # Settings & limits:
@ -29,14 +29,19 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=yes
 RuntimeDirectory=ircd
 RuntimeDirectoryMode=750
+StandardError=journal
+StandardOutput=journal
 # Try to load "default files" from any Debian package variant to keep this
 # unit generic.
 EnvironmentFile=-/etc/default/ngircd
 EnvironmentFile=-/etc/default/ngircd-full
 EnvironmentFile=-/etc/default/ngircd-full-dbg
 # Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
-ExecStart=/usr/sbin/ngircd $PARAMS
+ExecStart=/usr/sbin/ngircd --nodaemon --syslog $PARAMS
 ExecReload=/bin/kill -HUP $MAINPID
+# Error handling:
+# ngIRCd tries to "ping" the service manager every 3 seconds.
+WatchdogSec=10
 Restart=on-failure

 [Install]
--- a/contrib/ngircd.spec
+++ b/contrib/ngircd.spec
@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 24
+%define version 27
 %define release 1
 %define prefix  %{_prefix}

@ -15,19 +15,15 @@ BuildRoot:    %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  zlib-devel, openssl-devel

 %description
-This package provides ngIRCd, a portable and lightweight Internet Relay
-Chat server for small or private networks, developed under the GNU
-General Public License (GPL). It is simple to configure, can cope with
-dynamic IP addresses, and supports IPv6 as well as SSL. It is written
-from scratch and not based on the original IRCd.
+ngIRCd is a free, portable and lightweight Internet Relay Chat server for small
+or private networks, developed under the GNU General Public License (GPL).
+
+The server is quite easy to configure, can handle dynamic IP addresses, and
+optionally supports IDENT, IPv6 connections, SSL-protected links, and PAM for
+user authentication as well as character set conversion for legacy clients. The
+server has been written from scratch and is not based on the forefather, the
+daemon of IRCNet.

-Advantages:
- - well arranged (lean) configuration file
- - simple to build/install, configure and maintain
- - supports IPv6 and SSL
- - no problems with servers that have dynamic IP addresses
- - freely available, modern, portable and tidy C-source
- - ngIRCd is being actively developed since 2001

 %prep
 %setup -q
@ -54,7 +50,7 @@ make %{?_smp_mflags}

 %files
 %defattr(755,root,root)
-%doc AUTHORS  COPYING  ChangeLog  INSTALL NEWS  README doc/*
+%doc AUTHORS.md COPYING ChangeLog INSTALL.md NEWS README.md doc/*
 %config(noreplace) /etc
 %{_prefix}/sbin
 %{_mandir}/man5/ngircd.conf*
--- a/contrib/nglog.sh
+++ b/contrib/nglog.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# ngIRCd -- The Next Generation IRC Daemon
+# Copyright (c)2001-2020 Alexander Barton (alex@barton.de) and Contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# Please read the file COPYING, README and AUTHORS for more information.
+#
+# This script parses the log output of ngircd(8), and colorizes the messages
+# according to their log level. Example usage:
+# ./src/ngircd/ngircd -f $PWD/doc/sample-ngircd.conf -np | ./contrib/nglog.sh
+#
+
+gawk '
+  /^\[[[:digit:]]+:0 / {print "\033[1;95m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:1 / {print "\033[1;35m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:2 / {print "\033[1;91m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:3 / {print "\033[1;31m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:4 / {print "\033[1;33m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:5 / {print "\033[1m" $0 "\033[0m"}
+  /^\[[[:digit:]]+:6 / {print $0}
+  /^\[[[:digit:]]+:7 / {print "\033[90m" $0 "\033[0m"}
+' </dev/stdin &
+
+wait
--- a/contrib/platformtest.sh
+++ b/contrib/platformtest.sh
@ -12,7 +12,7 @@

 # This script analyzes the build process of ngIRCd and generates output
 # suitable for inclusion in doc/Platforms.txt -- please send reports
-# to the ngIRCd mailing list: <ngircd-ml@ngircd.barton.de>.
+# to the ngIRCd mailing list: <ngircd@lists.barton.de>.

 NAME=$(basename "$0")
 VERBOSE=
@ -174,8 +174,7 @@ if [ -r "Makefile" ]; then
 		if [ $? -eq 0 ]; then
 			COMPILER=$($CC --version 2>/dev/null | head -1 \
 			  | cut -d'(' -f1 | cut -d'-' -f1 \
-			  | sed -e 's/version //g' | sed -e 's/Apple /A-/g' \
-			  | sed -e 's/Debian //g' | sed -e 's/LLVM /clang /g')
+			  | sed -e 's/version //g; s/^\([A-Z]\)[A-Za-z]* clang/\1-clang/g; s/LLVM /clang /g')
 		fi
 		$CC -version 2>&1 | grep -i "tcc" >/dev/null
 		if [ $? -eq 0 ]; then
--- a/contrib/systrace.policy
+++ b/contrib/systrace.policy
@ -1,77 +0,0 @@
-#
-# Sample systrace policy for ngIRCd on OpenBSD
-# Author: Benjamin Pineau <ben@zouh.org>
-#
-# $Id: systrace.policy,v 1.1 2004/04/28 12:16:59 alex Exp $
-#
-# Tune me, put me in /etc/systrace/usr_local_bin_ngircd and start ngIRCd
-# (with root privileges) as:
-#
-#   systrace -a /usr/local/bin/ngircd
-#
-# I didn't tried this on NetBSD, but it should work as is.
-#
-# On systems with pf, it can be supplemented by strict firewall rules:
-# for a ngircd running as '$ircuser', binding on '$ircport' and accepting
-# 30 connections:
-#
-#   block out log quick proto tcp from any port $ircport to any \
-#    user != $ircuser
-#   pass in inet proto tcp from any to any port $ircport user $ircuser \
-#    keep state (max 30) flags S/SA
-#
-
-Policy: /usr/local/bin/ngircd, Emulation: native
-	native-__sysctl: permit
-	native-fsread: filename eq "/etc/malloc.conf" then permit
-	native-fsread: filename sub "/usr/share/zoneinfo/" then permit
-	native-fsread: filename eq "/usr/local/etc/ngircd.conf" then permit
-	native-fsread: filename eq "/usr/local/etc/ngircd.motd" then permit
-	native-fsread: filename eq "/etc/ngircd.conf" then permit
-	native-fsread: filename eq "/etc/ngircd.motd" then permit
-	native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
-	native-fsread: filename eq "/etc/group" then permit
-	native-fsread: filename eq "/etc/resolv.conf" then permit
-	native-fsread: filename eq "/etc/localtime" then permit
-	native-fsread: filename eq "/etc/hosts" then permit
-	native-fsread: filename sub "<non-existent filename>" then deny[enoent]
-	native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
-	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
-	native-bind: sockaddr match "inet-*:6667" then permit, if user != root
-	native-connect: sockaddr eq "/dev/log" then permit, if user != root
-	native-connect: sockaddr match "inet-*:53" then permit, if user != root
-	native-setsockopt: permit, if user != root
-	native-listen: permit, if user != root
-	native-accept: permit, if user != root
-	native-sendto: true then permit, if user != root
-	native-recvfrom: permit, if user != root
-	native-read: permit
-	native-pread: permit
-	native-write: permit, if user != root
-	native-mmap: permit
-	native-munmap: permit
-	native-mprotect: permit
-	native-break: permit
-	native-umask: permit
-	native-fork: permit
-	native-setsid: permit
-	native-chdir: permit
-	native-chroot: permit
-	native-setgid: gid neq "0" then permit
-	native-setuid: uid neq "0" and uname neq "root" then permit
-	native-getuid: permit
-	native-getgid: permit
-	native-gettimeofday: permit
-	native-getpid: permit
-	native-select: permit
-	native-fcntl: permit
-	native-fstat: permit
-	native-issetugid: permit
-	native-sigaction: permit
-	native-pipe: permit
-	native-sigreturn: permit
-	native-close: permit
-	native-exit: permit
-	native-fswrite: deny[eperm]
-
-# -eof-
--- a/doc/Commands.txt
+++ b/doc/Commands.txt
@ -2,7 +2,7 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2013 Alexander Barton and Contributors.
+               (c)2001-2019 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

@ -386,7 +386,7 @@ Status and Informational Commands
 	 - RFC 2812, 4.9 "Ison message"

 - LINKS
-	LINKS [[<target>] [<mask>]
+	LINKS [[<target>] <mask>]
 	.
 	List all servers currently registered in the network matching <mask>,
 	or all servers if <mask> has been omitted, as seen by the server
@ -617,9 +617,10 @@ Channel Commands
 	 - RFC 2812, 3.2.8 "Kick command"

 - LIST
-	LIST [<channel>[,<channel>[,...]] [<server>]]
+	LIST [<mask>[,<mask>[,...]] [<server>]]
 	.
-	List all visible <channels> (comma-separated list).
+	List all visible channels matching the <mask> (comma-separated list),
+	or all channels when no <mask> was specified.
 	.
 	If <server> is given, the command will be forwarded to <server> for
 	evaluation.
@ -873,6 +874,10 @@ Server Protocol Commands
 	CHANINFO is used by servers to inform each other about a channel:
 	its modes, channel key, user limits and its topic.
 	.
+	Note: even when <modes> don't include "k" (key) or "l" (limit), both
+	parameters must be given when used; use "*" for "no key" and 0 for
+	"no limit" for the unused parameter in this case.
+	.
 	The CHANINFO command is allowed on server-links only.

 	References:
@ -882,7 +887,7 @@ Server Protocol Commands
 - ERROR
 	ERROR [<message> [<> [...]]]
 	.
-	Inform a client or a server about an error condition. The first 
+	Inform a client or a server about an error condition. The first
 	parameter, if given, is logged by the server receiving the message,
 	all other parameters are silently ignored.
 	.
--- a/doc/Container.md
+++ b/doc/Container.md
@ -0,0 +1,83 @@
+# [ngIRCd](https://ngircd.barton.de) - Container How-To
+
+The ngIRCd daemon can be run as a containerized application, for example using
+Docker or Podman (the latter being preferred and used in the examples below).
+The container definition file, also known as "Docker file", is bundled with this
+distribution as `contrib/Dockerfile` and based on the official "stable-slim"
+container of the Debian project (see https://hub.docker.com/_/debian).
+
+## Building the container
+
+You can use the following command to build the ngIRCd container image:
+
+```bash
+podman build --format=docker -f contrib/Dockerfile .
+```
+
+The `Dockerfile` includes a `HEALTHCHECK` directive, which is not supported by
+the default OCI 1.0 image format, therefore we use the "docker" format here.
+
+If you are using Git, you can tag the built image like this (use the ID of the
+newly built image!):
+
+```bash
+tag=$(git describe --tags | sed 's/rel-//g')
+podman tag <container_id> "ngircd:${tag}"
+```
+
+## Running the container
+
+You can use this command to run the ngIRCd container using Podman, for example:
+
+```bash
+podman run --name=ngircd --detach \
+  -p 127.0.0.1:6667:6667 \
+  ngircd:<tag>
+```
+
+This creates and starts a new container named "ngircd" from the image
+"ngircd:<tag>" (you habe to substitute _<tag>_ with the real tag name here!) and
+maps the host port 6667 on localhost to the port 6667 inside of the container.
+
+### Configuring the container
+
+The ngIRCd inside of the container is installed inside of `/opt/ngircd/` and the
+default drop-in directory is `/opt/ngircd/etc/ngircd.conf.d`. Therefore you can
+map a host folder to this drop-in directory inside of the container and place
+drop-in configuration file(s) in the host path like this:
+
+```bash
+mkdir -p /host/path/to/ngircd/conf.d
+touch /host/path/to/ngircd/conf.d/my.conf
+podman run --name=ngircd --detach \
+  -p 127.0.0.1:6667:6667 \
+  -v "/host/path/to/ngircd/conf.d:/opt/ngircd/etc/ngircd.conf.d" \
+  ngircd:<tag>
+```
+
+### Testing the configuration
+
+As with the native daemon, it is a very good idea to validate the configuration
+of the daemon after making changes.
+
+With Docker and Podman, you can pass arguments to the `ngircd` binary inside of
+the container by simply appending it to the "run" command line like this:
+
+```bash
+podman run --rm -it \
+  -v "/host/path/to/ngircd/conf.d:/opt/ngircd/etc/ngircd.conf.d" \
+  ngircd:<tag> \
+  --configtest
+```
+
+### Reloading the daemon configuration in a running container
+
+To activate changed configuration of ngIRCd, you can either restart the
+container (which will disconnect all currently connected clients) or signal
+`ngircd`(8) inside of the running container to reload its configuration file(s).
+
+The latter can be done with this command, for example:
+
+```bash
+podman exec -it ngircd /bin/bash -c 'kill -HUP $(/usr/bin/pidof -s ngircd)'
+```
--- a/doc/FAQ.md
+++ b/doc/FAQ.md
@ -0,0 +1,176 @@
+# [ngIRCd](https://ngircd.barton.de) - FAQ, Tips & Tricks
+
+# General
+
+## Is it possible to link ngIRCd with other non-ngIRCd servers?
+
+Yes and no. Back in the beginning (2001, 2002, ...) the server-server protocol
+used by ngIRCd was compatible to the original ircd used by IRCNet at that time,
+version 2.10.3p3. And most probably this is still the case today, although not
+actively tested for a long time.
+
+Please note that newer ircd versions (2.11.x) are *not* compatible any more!
+
+And other server-server protocols were never supported.
+
+## Is there a homepage with further information and downloads?
+
+Yes. Please visit https://ngircd.barton.de :-)
+
+## Why should I use ngIRCd instead of the original one?
+
+The `README.md` file and the [homepage](https://ngircd.barton.de) list a few
+advantages of ngIRCd:
+
+- Well arranged (lean) configuration file.
+- Simple to build, install, configure, and maintain.
+- Supports IPv6 and SSL.
+- Can use PAM for user authentication.
+- Lots of popular user and channel modes are implemented.
+- Supports "cloaking" of users.
+- No problems with servers that have dynamic IP addresses.
+- Freely available, modern, portable and tidy C source.
+- Wide field of supported platforms, including AIX, A/UX, FreeBSD, HP-UX,
+  IRIX, Linux, macOS, NetBSD, OpenBSD, Solaris and Windows with WSL or Cygwin.
+
+# Building and Compilation
+
+## The `./configure` script is missing in the source directory!?
+
+When using sources checked out via *Git*, the `configure` script as well as the
+`Makefile.in` templates must be generated using the GNU *automake*, *autoconf*
+and *pkg-config* tools. To simplify this task run the `./autogen.sh` script
+which will execute the required commands for you; then continue with executing
+the `./configure` script as usual.
+
+Please see the `INSTALL.md` file for details!
+
+## Error message `aclocal: command not found`
+
+GNU *automake* is missing on your system but required for building Git versions
+of ngIRCd. Install GNU automake 1.6 or later and try again.
+
+## Error message `autoheader: command not found`?
+
+GNU *autoconf* is missing on your system but required for building Git versions
+of ngIRCd. Install GNU autoconf 2.52 or later and try again.
+
+## Error message `automake: configure.in: AM_INIT_AUTOMAKE must be used`?
+
+Most probably you are using version 1.5 of GNU automake which seems to be
+incompatible to the build system of ngIRCd. Solution: upgrade to at least
+version 1.6 of GNU automake.
+
+(If you are using Debian 3.0 "Woody" you can try to downgrade to version 1.4 of
+GNU automake shipped with this distribution; it should work, too.)
+
+# Troubleshooting ngIRCd Runtime Issues
+
+Always start with:
+
+1.  Make sure that ngIRCd parsed its configuration file as it was intended!
+    Run `ngircd --configest` and double-check its output!
+
+2.  Check the logs of your system, especially the entries generated by ngIRCd!
+    Where you can find the log messages depends on your system and your setup:
+    it can be plain text files in `/var/log/` (syslog) or the systemd journal
+    database, for example.
+
+3.  Ensure that the daemon started up successfully, is actually running and did
+    not stop/crash in the meantime. You can check this with your service
+    manager (like `systemctl status ngircd` on Linux systems using systemd) or
+    using `pgrep -l ngircd` to check for "ngircd" processes. If ngIRCd is not
+    running, try to restart the service and check the service status and the
+    logs (syslog, systemd journal) again!
+
+## Where is the log file stored?
+
+See introduction to this section above :-)
+
+## "Connection refused" errors
+
+1.  Is the daemon really running? See introduction to this section above!
+
+2.  Does ngIRCd listen on the correct interface(s) and port(s)? On Linux, you
+    can check this with `sudo ss -ltnp|awk '/ngircd/{print $4}`, for example.
+    Check your `Listen` and `Ports` settings in the `[Global]` (and `[SSL]`)
+    sections and the startup messages of the daemon, especially the lines
+    stating "Now listening on xxx:yyy (socket zzz)"!
+
+3.  Are you able to connect to the ngIRCd service locally from the system the
+    daemon runs on? Test all the interface IP addresses you expect ngIRCd to
+    listen on, for example with a regular IRC client or tools like `telnet` or
+    `nc` ("net cat"): `telnet localhost 6667`, `nc 192.168.1.2 6667`, ...
+
+    If all the above works as expected, the issue most probably is not with
+    ngIRCd or its configuration but the network layer.
+
+4.  Are the port(s) ngIRCd listens on open and not blocked by a firewall? Check
+    the logs of your firewall solution (on the server itself and all firewalls
+    "in front of it") and use tools like `tcpdump` to check the network layer!
+
+## Issues related to running ngIRCd inside of a `chroot` environment
+
+**I cannot connect to remote peers when I use the chroot option, the following
+is logged: `Can't resolve example.com: unknown error!`**
+
+See next question blow ...
+
+**When running ngIRCd inside a chroot, no IP addresses can be translated in DNS
+names, errors like "Name or service not known" are logged!**
+
+On Linux/glibc with chroot enabled you need to put some libraries inside
+the chroot as well, notably `libnss_dns`; maybe others. Unfortunately, even
+linking ngIRCd statically does not help this. So you can either copy
+all the required files into the chroot directory:
+
+``` bash
+mkdir -p ./chroot/etc ./chroot/lib
+cp -a /etc/hosts /etc/resolv.conf /etc/nsswitch.conf ./chroot/etc/
+cp -a /lib/libresolv* /lib/libnss_* ./chroot/lib/
+```
+
+Or you can try to link ngIRCd against an other C library (like dietlibc) that do
+not depend on NSS modules and these files.
+
+# IRC Features
+
+## I have added an `[Oper]` section, but how do I log in as an IRC operator?
+
+You can use the `/OPER <name> <password>` command in your IRC client to become
+an IRC operator as defined in an `[Oper]` block in your configuration file.
+
+ngIRCd will also log all OPER requests (using syslog), and if an OPER command
+fails you can look there to determine why it did not work (bad password,
+unauthorized host mask, ...).
+
+Please keep in mind that the "name" in the `/OPER` command is *not* related to
+your nick name at all!
+
+## I am an IRC operator, but MODE doesn't work!
+
+By default, IRC operators are still not allowed to use `/MODE` globally.
+
+If you set `OperCanUseMode = yes` in your configuration, then IRC operators can
+use the `/MODE` command for changing modes even when they are not joined to the
+specific channel.
+
+## How can I "auto-op" users in channels?
+
+ngIRCd can't do this: you would have to use some "IRC Services", like
+[Atheme](http://atheme.net/atheme.html) or [Anope](http://www.anope.org).
+
+See `doc/Services.txt` for setup instructions.
+
+# Bugs!?
+
+## Is there a list of known bugs and desired feature enhancements?
+
+Yes. Have a look at the bug tracking system (GitHub issues) for ngIRCd located
+at <https://github.com/ngircd/ngircd/issues>. There you can file bug reports and
+feature requests as well as search the bug database.
+
+## What should I do if I found a bug?
+
+Please file a bug report at <https://github.com/ngircd/ngircd/issues/new>!
+The authors will be notified automagically :-)
--- a/doc/FAQ.txt
+++ b/doc/FAQ.txt
@ -1,109 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-
-                      (c)2001-2010 by Alexander Barton,
-                    alex@barton.de, http://www.barton.de/
-
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                    -- FAQ: Frequently Asked Questions --
-
-
-I. General
-~~~~~~~~~~
-
-Q: Is it possible to link the ngIRCd with non-ngIRCd servers?
-A: Yes. ngIRCd is compatible to the original ircd used by IRCNet. Actually
-   this is being tested with version 2.10.3p3. Please note that newer
-   versions (2.11.x) aren't compatible any more!
-
-Q: Is there a homepage with further information and downloads?
-A: Yes. Please visit <http://ngircd.barton.de/>.
-
-Q: Why should I use ngIRCd instead of the original one?
-A: ngIRCd offers several benefits: no problems with dynamic IPs, easy to
-   configure, open source (GPL), under active development.
-
-
-II. Compilation
-~~~~~~~~~~~~~~~
-
-Q: I did a "CVS checkout" but can't execute ./configure because the script
-   is missing in the generated directory!?
-A: When using development versions via CVS, the configure script as well as
-   the Makefile.in templates must be generated using GNU automake and GNU
-   autoconf. To simplify this task run the ./autogen.sh script which will
-   execute the required tools for you; then continue with executing the
-   ./configure script as usual.
-
-Q: The ./autogen.sh script complains "aclocal: command not found".
-A: GNU automake is missing on your system but required for building CVS
-   versions of ngIRCd. Install GNU automake 1.6 or later and try again.
-
-Q: The ./autogen.sh script stops with "autoheader: command not found".
-A: GNU autoconf is missing on your system but required for building CVS
-   versions of ngIRCd. Install GNU autoconf 2.52 or later and try again.
-
-Q: The ./autogen.sh script fails and the message "automake: configure.in:
-   AM_INIT_AUTOMAKE must be used" is displayed.
-A: Most probably you are using version 1.5 of GNU automake which seems to be
-   incompatible to the build system of ngIRCd. Solution: upgrade to at least
-   version 1.6 of GNU automake.
-   (If you are using Debian 3.0 "Woody" you can try to downgrade to version
-   1.4 of GNU automake shipped with this distribution; it should work, too.)
-
-
-III. Runtime
-~~~~~~~~~~~~
-
-Q: Where is the log file located?
-A: ngIRCd does not write its own log file. Instead, ngIRCd uses syslog(3).
-   Check the files in /var/log/ and/or consult the documentation for your
-   system logger daemon.
-
-Q: I cannot connect to remote peers when I use the chroot option, the
-   following is logged: "Can't resolve example.com: unknown error!".
-A: see next question blow ...
-
-Q: When running ngIRCd inside a chroot, no IP addresses can be translated
-   in DNS names, errors like "Name or service not known" are logged.
-A: On Linux/glibc with chroot enabled you need to put some libraries inside
-   the chroot as well, notably libnss_dns; maybe others. Unfortunately, even
-   linking ngIRCd statically does not help this. So you can either copy
-   all the required files into the chroot directory:
-     $ mkdir -p ./chroot/etc ./chroot/lib
-     $ cp -a /etc/hosts /etc/resolv.conf /etc/nsswitch.conf ./chroot/etc/
-     $ cp -a /lib/libresolv* /lib/libnss_* ./chroot/lib/
-   Or you can try to link ngIRCd against an other C library (like dietlibc)
-   that doesn't depend on NSS modules and/or these files.
-
-Q: I have added an [Oper] section, how do i log on as IRC operator?
-A: You can use the /OPER command in your IRC client to become an IRC operator.
-   ngIRCd will also log all OPER requests (using syslog), if OPER fails you
-   can look there to determine why it did not work (bad password, unauthorized
-   host mask, etc.)
-
-Q: I am an IRC operator, but MODE doesn't work!
-A: You need to set 'OperCanUseMode = yes' in ngircd.conf, then IRC operators
-   can use the MODE command for changing modes even when they are not joined
-   to the specific channel.
-
-Q: How can I "auto-op" users in channels?
-A: ngIRCd can't do this: you would have to use some "IRC Services", like
-   Atheme (<http://atheme.net/atheme.html>) or Anope (<http://www.anope.org>).
-   See "doc/Services.txt" for setup instructions.
-
-
-IV. Bugs!?
-~~~~~~~~~~
-
-Q: Is there a list of known bugs and desired feature enhancements?
-A: Yes. Have a look at the bug tracking system (GitHub issues) for ngIRCd located
-   at <https://github.com/ngircd/ngircd/issues>. There you can file bug
-   reports and feature requests as well as search the bug database.
-
-Q: What should I do if I found a bug?
-A: Please file a bug report at <https://github.com/ngircd/ngircd/issues/new>!
-   The author will be notified automagically :-)
-
--- a/doc/HowToRelease.txt
+++ b/doc/HowToRelease.txt
@ -2,7 +2,7 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2017 Alexander Barton and Contributors.
+               (c)2001-2024 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

@ -35,19 +35,28 @@ up-to-date (e.g. using ./autogen.sh) before generating the archives!
 II. How to prepare a new ngIRCd release?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-a) Make sure the source tree is in a releasable state ;-)
-    - is the AUTHORS file up to date?
-
-b) Make sure you have working versions of GNU autoconf and GNU automake
+a) Make sure you have working versions of GNU autoconf and GNU automake
   installed on the system you use for generating the release:
-   as of October 2010 we are using GNU autoconf 2.67 and GNU automake 1.11.1
+   as of May 2020 we are using GNU autoconf 2.69 and GNU automake 1.11.6
   which seem to work just fine.
+   NOTE: new releases of GNU automake DO NOT work, as they lack support for
+   the "ansi2knr" wrapper and "de-ANSI-fication" support!
+
+b) Make sure the source tree is in a releasable state ;-)
+    - Are all branches & patches merged? Check GitHub issues, pull requests
+      and milestones!
+    - Run as many tests as you can!
+    - Is the AUTHORS.md file up to date? This command may be helpful:
+      "( grep '>$' AUTHORS.md; git shortlog -se|cut -c8-|sed 's/^/- /' ) \
+        | grep -Ev '(alex@barton.de|fw@strlen.de)' \
+        | LC_ALL=de_DE.UTF-8 sort -u"

 c) Update the files describing the new release:
    - ChangeLog
    - NEWS

 d) Update the version numbers in the following files:
+    - contrib/de.barton.ngircd.metainfo.xml
    - contrib/ngircd.spec

 e) Generate a new Debian change log entry in the following file, e.g. using
@ -65,15 +74,16 @@ h) Run "./autogen.sh" to update the ./configure script with the correct

 i) Run "./configure" to rebuild all generated Makefiles.

-j) Run "make distcheck" to generate the distribution archives.
+j) Run "make distcheck" (and "make dist-tarZ && make dist-xz") to generate all
+   of the distribution archives.

 k) Sign the distribution archive(s) using GnuPG: "gpg -b <archivefile>"

 l) Upload and distribute the newly generated ngIRCd release archive(s)
-   and GnuPG signatures.
+   and GnuPG signatures (to the website, its mirrors, and GitHub).

-m) Write an announcement to the mailing list, freshmeat, Twitter, ...
+m) Update the ngIRCd website and its mirrors!

-n) Update the list of releases in our bug tracker.
+n) Write an announcement to the mailing list, Twitter, ...

 o) Relax :-)
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -21,8 +21,9 @@ static_docs = \
 	Bopm.txt \
 	Capabilities.txt \
 	Commands.txt \
+	Container.md \
 	Contributing.txt \
-	FAQ.txt \
+	FAQ.md \
 	HowToRelease.txt \
 	Modes.txt \
 	PAM.txt \
@ -33,13 +34,13 @@ static_docs = \
 	README-Interix.txt \
 	RFC.txt \
 	Services.txt \
-	SSL.txt
+	SSL.md

 doc_templates = sample-ngircd.conf.tmpl

 generated_docs = sample-ngircd.conf

-toplevel_docs = ../AUTHORS ../COPYING ../ChangeLog ../INSTALL ../NEWS ../README
+toplevel_docs = ../AUTHORS.md ../COPYING ../ChangeLog ../INSTALL.md ../NEWS ../README.md

 SUBDIRS = src

@ -55,7 +56,7 @@ all: $(generated_docs)
 install-data-hook: $(static_docs) $(toplevel_docs) $(generated_docs)
 	$(MKDIR_P) -m 755 $(DESTDIR)$(sysconfdir)
 	@if [ ! -f $(DESTDIR)$(sysconfdir)/ngircd.conf ]; then \
-	  make install-config; \
+	  ${MAKE} install-config; \
 	 fi
 	$(MKDIR_P) -m 755 $(DESTDIR)$(docdir)
 	for f in $(static_docs) $(toplevel_docs); do \
@ -75,7 +76,7 @@ install-config:
 uninstall-hook:
 	rm -rf $(DESTDIR)$(docdir)
 	@if cmp --silent sample-ngircd.conf $(DESTDIR)$(sysconfdir)/ngircd.conf; then \
-	  make uninstall-config; \
+	  ${MAKE} uninstall-config; \
 	 else \
 	  echo; \
 	  echo " ** NOTE: Not uninstalling changed configuration file:"; \
@ -86,9 +87,6 @@ uninstall-hook:
 uninstall-config:
 	rm -f $(DESTDIR)$(sysconfdir)/ngircd.conf

-srcdoc:
-	make -C src srcdoc
-
-.PHONY: install-config uninstall-config srcdoc
+.PHONY: install-config uninstall-config

 # -eof-
--- a/doc/Platforms.txt
+++ b/doc/Platforms.txt
@ -2,7 +2,7 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2016 Alexander Barton and Contributors.
+               (c)2001-2024 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

@ -26,6 +26,9 @@ for inclusion here. Thanks for your help!
                                                                      | | | |
 Platform                    Compiler     ngIRCd     Date     Tester   C M T R *
 --------------------------- ------------ ---------- -------- -------- - - - - -
+aarch64/apple/darwin        A-clang 12.0 26         20-12-10 goetz    N Y Y Y 3
+aarch64/apple/darwin23.4.0  A-clang 15.0 27~rc1     24-04-13 alex     Y Y Y Y 3
+aarch64/unknown/linux-gnu   gcc 12.2.0   27~rc1     24-04-21 alex     Y Y Y Y 1
 alpha/unknown/netbsd3.0     gcc 3.3.3    CVSHEAD    06-05-07 fw       Y Y Y Y 3
 armv6l/unk./linux-gnueabi   gcc 4.7.2    20.2       13-03-08 goetz    Y Y Y Y 5
 armv6l/unk./linux-gnueabihf gcc 4.6.3    21~rc2     13-10-26 pi       Y Y Y Y 5
@ -45,7 +48,7 @@ i386/pc/linux-gnu           gcc 4.1.2    13~rc1     08-12-05 alex     Y Y Y Y 1
 i386/pc/linux-gnu           gcc 4.4.5    22~rc1-3   14-10-10 alex     Y Y Y Y 1
 i386/pc/minix               clang 3.4    23         16-01-06 goetz    Y Y N Y
 i386/pc/solaris2.9          gcc 3.2.2    CVSHEAD    04-02-24 alex     Y Y Y Y
-i386/pc/solaris2.11         gcc 4.8.2    23         16-02-07 goetz    Y Y Y Y 4
+i386/pc/solaris2.11         gcc 4.8.2    24         17-01-21 goetz    Y Y Y Y 4
 i386/unknown/freebsd5.2.1   gcc 3.3.3    0.8.0      04-05-30 alex     Y Y Y Y
 i386/unknown/freebsd6.2     gcc 3.4.6    20~rc1     12-11-13 alex     Y Y Y Y 3
 i386/unknown/freebsd7.3     gcc 4.2.1    24~rc1-7   17-01-20 alex     Y Y Y Y 3
@ -71,6 +74,7 @@ i686/pc/linux-gnu           gcc 4.3.2    14.1       09-08-04 alex     Y Y Y Y 1
 i686/pc/minix               gcc 4.4.6    21~rc2     13-10-27 alex     Y Y N N
 i686/unknown/gnu0.3         gcc 4.4.5    19         12-02-29 alex     Y Y Y Y
 i686/unknown/gnu0.5         gcc 4.9.1    22~rc1-3   14-10-11 alex     Y Y Y Y
+i686/unknown/gnu0.9         gcc 12.2.0   27~rc1     24-04-21 alex     Y Y Y Y
 i686/unkn./kfreebsd7.2-gnu  gcc 4.3.4    15         09-12-02 alex     Y Y Y Y 3
 m68k/apple/aux3.0.1         gcc 2.7.2    17         10-11-07 alex     Y Y N Y
 m68k/apple/aux3.0.1         Orig. A/UX   17         10-11-07 alex     Y Y N Y 2
@ -78,11 +82,14 @@ m68k/apple/aux3.1.1         gcc 2.7.2    19         12-02-26 alex     Y Y N Y
 m68k/apple/aux3.1.1         Orig. A/UX   19         12-02-26 alex     Y Y N Y 2
 m68k/hp/hp-ux9.10           Orig. HPUX   0.7.x-CVS  03-04-30 goetz    Y Y Y Y
 m88k/dg/dgux5.4R3.10        gcc 2.5.8    CVSHEAD    04-03-15 alex     Y Y ? ?
+mips/sgi/irix6.5            SGI          25         19-12-29 goetz    Y Y ? ?
+mipsel/openwrt/linux-uclibc gcc 4.8      24~9-g619a 18-01-28 goetz    - - - Y 6
 mipsel/unknown/linux-gnu    gcc 4.1.2    18         11-07-05 goetz    Y Y N Y 1
 mipsel/unknown/linux-gnu    gcc 4.4.5    21         13-11-24 goetz    Y Y Y Y 1
+mipsel/unknown/netbsd8.0    gcc 5.5.0    25         19-08-09 root     Y Y y Y 3
 powerpc/apple/darwin6.8     gcc 3.1      21         14-01-03 goetz    Y Y Y Y
 powerpc/apple/darwin7.9.0   gcc 3.3      22         15-03-22 goetz    Y Y Y Y 3
-powerpc/apple/darwin8.11.0  gcc 4.0.1    18         11-07-02 goetz    Y Y Y Y 3
+powerpc/apple/darwin8.11.0  gcc 4.0.1    26         20-07-08 goetz    Y Y Y Y 3
 powerpc/apple/darwin9.8.0   gcc 4.0.1    21         14-01-04 goetz    Y Y Y Y 3
 powerpc/unknown/linux-gnu   gcc 3.3.3    0.8.0      04-05-30 alex     Y Y Y Y
 powerpc/unknown/openbsd3.6  gcc 2.95.3   0.10.0     06-10-08 alex     Y Y N Y
@ -95,43 +102,68 @@ x86_64/apple/darwin12.3.0   gcc 4.2.1    20.2       13-04-01 alex     Y Y Y Y 3
 x86_64/apple/darwin13.0.0   A-clang 5.0  21         14-01-02 alex     Y Y Y Y 3
 x86_64/apple/darwin14.5.0   A-clang 6.1  23~rc1     15-09-06 alex     Y Y Y Y 3
 x86_64/apple/darwin15.6.0   A-clang 8.0  23~38-g455 16-11-04 alex     Y Y Y Y 3
-x86_64/apple/darwin16.3.0   A-clang 8.0  24~rc1-7   17-01-20 alex     Y Y Y Y 3
+x86_64/apple/darwin16.5.0   A-clang 8.1  25~rc1-7-g 18-11-04 alex     Y Y Y Y 3
+x86_64/apple/darwin17.7.0   A-clang 10.0 25~rc1     18-11-04 alex     Y Y Y Y 3
+x86_64/apple/darwin18.2.0   A-clang 10.0 25~rc1-11  19-01-23 alex     Y Y Y Y 3
+x86_64/apple/darwin19.4.0   A-clang 11.0 26~rc1     20-05-10 alex     Y Y Y Y 3
+x86_64/apple/darwin19.6.0   A-clang 12.0 26         20-10-20 alex     Y Y Y Y 3
+x86_64/apple/darwin20.1.0   A-clang 12.0 26         21-01-01 alex     Y Y Y Y 3
+x86_64/apple/darwin23.4.0   A-clang 15.0 27~rc1     24-04-21 alex     Y Y Y Y 3
 x86_64/unknown/dragonfly3.4 gcc 4.7.2    21         13-11-12 goetz    Y Y N Y 3
 x86_64/unkn./freebsd8.1-gnu gcc 4.4.5    19         12-02-26 alex     Y Y Y Y 3
 x86_64/unknown/freebsd8.4   gcc 4.2.1    24~rc1-7   17-01-20 alex     Y Y Y Y 3
 x86_64/unknown/freebsd9.2   gcc 4.2.1    22~rc1-3   14-10-10 alex     Y Y Y Y 3
-x86_64/unknown/freebsd10.0  F-clang 3.3  22~rc1-3   14-10-10 alex     Y Y Y Y 3
+x86_64/unknown/freebsd10.3  F-clang 3.4  24         17-01-20 goetz    Y Y Y Y 3
+x86_64/unknown/freebsd11.0  F-clang 3.8  24         17-01-21 goetz    Y Y Y Y 3
+x86_64/unknown/freebsd12.1  F-clang 8.0  26         20-08-28 alex     Y Y Y Y 3
+x86_64/unknown/freebsd14.0  F-clang 16.0 27~rc1     24-04-21 alex     Y Y Y Y 3
+x86_64/unknown/haiku        gcc 7.3.0    25~rc1-11  19-01-06 alex     Y Y N Y
+x86_64/unknown/haiku        gcc 13.2.0   27~rc1     24-04-21 user     Y Y Y Y
 x86_64/unknown/linux-gnu    clang 3.3    21         14-01-07 alex     Y Y Y Y 1
 x86_64/unknown/linux-gnu    clang 3.4    22~rc1-3   14-10-11 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         D-clang 14.0 27~rc1     24-04-21 alex     Y Y Y Y 1
 x86_64/pc/linux-gnu         gcc 4.4.5    24~rc1-7   17-01-20 alex     Y Y Y Y 1
 x86_64/unknown/linux-gnu    gcc 4.7.2    23~rc1-3   15-11-15 alex     Y Y Y Y 1
 x86_64/pc/linux-gnu         gcc 4.8.4    24~rc1-7   17-01-20 alex     Y Y Y Y 1
 x86_64/pc/linux-gnu         gcc 4.9.2    24~rc1-7   17-01-20 alex     Y Y Y Y 1
 x86_64/unknown/linux-gnu    gcc 5.3.0    23         15-12-14 goetz    Y Y Y Y 1
+x86_64/pc/linux-gnu [WSL]   gcc 5.4.0    24         18-03-07 goetz    Y Y y Y 7
 x86_64/pc/linux-gnu         gcc 6.2.1    24~rc1-7   17-01-20 alex     Y Y Y Y 1
-x86_64/pc/linux-gnu         gcc 6.3.1    24~rc1-7   17-01-20 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         gcc 6.3.0    25~rc1-11  19-01-23 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         gcc 8.3.0    26         20-08-28 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         gcc 11.4.0   27~rc1     24-04-21 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         gcc 12.2.0   27~rc1     24-04-21 alex     Y Y Y Y 1
+x86_64/pc/linux-gnu         gcc 13.2.1   27~rc1     24-04-21 alex     Y Y Y Y 1
+x86_64/pc/solaris2.11       gcc 10.3.0   27~rc1     24-04-26 alex     Y Y y Y 5
 x86_64/unknown/linux-gnu    icc 16       23         16-01-13 goetz    Y Y Y Y 1
 x86_64/unknown/linux-gnu    nwcc 0.8.2   21         13-12-01 goetz    Y Y Y Y 1
 x86_64/unknown/linux-gnu    Open64       21.1       14-03-27 goetz    Y Y Y Y 1
 x86_64/unknown/linux-gnu    Sun C 5.12   21.1       14-03-27 goetz    Y Y Y Y 1
+x86_64/unknown/netbsd9.0    gcc 7.4.0    26         20-08-28 alex     Y Y y Y 3
+x86_64/unknown/netbsd10.0   gcc 10.5.0   27~rc1     24-04-21 alex     Y Y Y Y 3
 x86_64/unknown/openbsd4.7   gcc 3.3.5    20~rc1     12-02-26 alex     Y Y Y Y 3
 x86_64/unknown/openbsd4.8   gcc 4.2.1    22~rc1-3   14-10-10 alex     Y Y y Y 3
 x86_64/unknown/openbsd5.1   gcc 4.2.1    21         13-12-28 alex     Y Y Y Y 3
 x86_64/unknown/openbsd5.5   gcc 4.2.1    22~rc1-3   14-10-10 alex     Y Y Y Y 3
+x86_64/unknown/openbsd6.6   gcc 4.2.1    26         20-08-28 alex     Y Y Y Y 3
+x86_64/unknown/openbsd6.6   O-clang 8.0  26         20-08-28 alex     Y Y Y Y 3
+x86_64/unknown/openbsd6.7   gcc 4.2.1    26         20-09-26 goetz    Y Y y Y 3
+x86_64/unknown/openbsd7.4   O-clang 13.0 27~rc1     24-04-21 alex     Y Y Y Y 3


 * Notes
 ~~~~~~~

 (1) */*/linux-gnu (Linux platforms):
-    ngIRCd has been tested with various Linux distributions, such as SuSE,
-    RedHat, Debian, and Gentoo using Kernels 2.2.x, 2.4.x and 2.6.x with
-    various versions of the GNU C compiler (starting with 2.95.x and up to
-    version 4.3.x). The eldest glibc used was glibc-2.0.7. ngIRCd compiled
-    and run on all these systems without problems.
-    Actual Linux kernels (2.6.x) and glibc's support the epoll() IO interface.
+    ngIRCd has been tested with various Linux distributions, such as ArchLinux,
+    Debian, Gentoo, Red Hat (Fedora) and SuSE using Linux kernels 2.2.x, 2.4.x,
+    2.6.x, 3.x, 4.x and 5.x, with various versions of the GNU C compiler
+    (starting with 2.95.x) and Clang. The eldest glibc used was glibc-2.0.7.
+    ngIRCd compiled and ran on all of these systems successfully.
+    Current Linux kernels (starting with 2.6.x) and glibc's support the more
+    efficient epoll() IO interface, see (5) below.

-(2) This compiler is an pre-ANSI C compiler, therefore the source code is
+(2) This compiler is a pre-ANSI C compiler (K&R), therefore the source code is
    automatically converted using the included ansi2knr tool while building.

 (3) Using the kqueue() IO interface.
@ -139,3 +171,9 @@ x86_64/unknown/openbsd5.5   gcc 4.2.1    22~rc1-3   14-10-10 alex     Y Y Y Y 3
 (4) Using the /dev/poll IO interface.

 (5) Using the epoll() IO interface.
+
+(6) ngIRCd has been cross-compiled with gcc 4.8 on Ubuntu x86-64 for
+    MIPSEL Linux OpenWRT distribution (uclibc), for the target computer
+    Vocore2, where the created binary ran well.
+
+(7) This actually is Windows 10 running Windows Subsystem for Linux (WSL).
--- a/doc/Protocol.txt
+++ b/doc/Protocol.txt
@ -2,7 +2,7 @@
                     ngIRCd - Next Generation IRC Server
                           http://ngircd.barton.de/

-               (c)2001-2012 Alexander Barton and Contributors.
+               (c)2001-2019 Alexander Barton and Contributors.
               ngIRCd is free software and published under the
                   terms of the GNU General Public License.

@ -26,6 +26,12 @@ clients are compatible with a server configured that way, some can't even
 connect at all! Therefore this option usually isn't desired for "normal
 server operation".

+In addition, ngIRCd implements some "IRCv3" features. This includes:
+ - IRCv3 Client Capability Negotiation
+ - IRCv3.1 multi-prefix Extension
+ - IRCv3.2 userhost-in-names Extension
+Please see the IRCv3 homepage for more information: <https://ircv3.net>.
+

 II. The IRC+ Protocol
 ~~~~~~~~~~~~~~~~~~~~~
@ -176,7 +182,7 @@ channel mode). In this case <limit> should be "0".
 II.4 Update webchat/proxy client information

     Command: WEBIRC
-  Parameters: <password> <username> <hostname> <ip-address>
+  Parameters: <password> <username> <hostname> <ip-address> [<ignored>]
     Used by: unregistered clients only

 The WEBIRC command is used by some Web-to-IRC gateways to set the correct
@ -186,6 +192,9 @@ first command sent to the server, even before USER and NICK commands!
 The <password> must be set in the server configuration file to prevent
 unauthorized clients to fake their identity; it is an arbitrary string.

+Optionally, a 5th parameter is accepted to comply with an IRCv3 extension,
+see <https://github.com/ircv3/ircv3-ideas/issues/12>, but ignored.
+

 II.5 Client character encoding conversion

--- a/doc/QuickStart.md
+++ b/doc/QuickStart.md
@ -0,0 +1,126 @@
+# [ngIRCd](https://ngircd.barton.de) - Quick Start
+
+This *Quick Start* document explains how to configure ngIRCd, the lightweight
+Internet Relay Chat (IRC) server, using some "real world" scenarios.
+
+## Introduction
+
+The ngIRCd daemon can be run without any configuration file using built-in
+defaults. These defaults are probably sufficient for very simple single-node
+setups, but most probably need further tweaking for more "advanced" setups.
+
+You can check the current settings by running `ngircd --configtest`. This
+command not only shows the settings, it shows error, warning and hints, if it
+detects any.
+
+Therefore it is definitely best practice to *always run this check* after
+making any changes to the configuration file(s) and double-check that
+everything was parsed as expected!
+
+### Configuration File and Drop-in Directory
+
+After installing ngIRCd, a sample configuration file should have been set up if
+none existed already. By default, when installing from sources, the file is
+named `/usr/local/etc/ngircd.conf` (other common names, especially for
+distribution packages, are `/etc/ngircd.conf` or `/etc/ngircd/ngircd.conf`).
+Run the command `ngircd --configtest` to check the name of the configuration
+file which is used by default on your local system.
+
+In addition, ngIRCd supports configuration file snippets in a "drop-in"
+directory which is configured with the `IncludeDir` variable in the `[Options]`
+section and has a built-in default value (like `/etc/ngircd/ngircd.conf.d/`).
+All configuration files matching the `*.conf` pattern are read-in from this
+directory after the main `ngircd.conf` file.
+
+It is a good idea to not edit the default `ngircd.conf` file but to create one
+ore more new files in this include directory, overriding the defaults as
+needed. This way you don't get any clashes when updating ngIRCd to newer
+releases.
+
+You can find the template of the sample configuration file in the `doc/`
+directory as `sample-ngircd.conf` and
+[online](https://ngircd.barton.de/doc/sample-ngircd.conf) on the homepage. It
+contains all available options.
+
+## Configuration File Syntax
+
+The configuration consists of sections and parameters.
+
+A section begins with the name of the section in square brackets (like
+`[Example]`) and continues until the next section begins. Sections contain
+parameters of the form `name = value`.
+
+Section and parameter names are not case sensitive.
+
+Please see the `ngircd.conf`(5) manual page for an in-depth description of the
+configuration file, its syntax and all supported configuration options.
+
+The sample configuration file uses comments beginning with `#` *or* `;` -- this
+is only for the better understanding of the file, both comment styles are
+equal. The lines commented out with `;` show example or default settings,
+whereas the lines using `#` are descriptions of the options.
+
+## Simple Single-Instance Server
+
+A good starting point is to configure a valid (and unique!) IRC server name
+(which is *not* related to a host name, it is purely a unique *server ID* that
+must contain at least one dot ".").
+
+This looks like this:
+
+``` ini
+[Global]
+Name = my.irc.server
+```
+
+This results in the following *warning* in the logs when starting the daemon:
+`No administrative information configured but required by RFC!` -- which works,
+but is a bit ugly. So let's fix that by adding some *admin info*:
+
+``` ini
+[Global]
+Name = irc.example.net
+AdminInfo1 = Example IRC Server
+AdminInfo2 = Anywhere On Earth
+AdminEMail = admin@irc.example.net
+```
+
+*Please Note*: The server `Name` looks like a DNS host name, but it is not: in
+fact it is not related to your server's fully qualified domain name (FQDN) in
+any way and can be an arbitrary string -- but it *must* contain at least
+one dot (".") character!
+
+## Add a Local IRC Operator
+
+Some IRC commands, like `REHASH` which reloads the server configuration on the
+fly, require the user to authenticate to the daemon to become an *IRC
+Operator* first.
+
+So let's configure an *Operator* account in the configuration file (in
+addition to what we configured above):
+
+``` ini
+[Operator]
+# ID of the operator (may be different of the nickname)
+Name = BigOp
+# Password of the IRC operator
+Password = secret
+# Optional Mask from which /OPER will be accepted
+;Mask = *!ident@somewhere.example.com
+```
+
+Now you can use the IRC command `OPER BigOp secret` to get *IRC Operator*
+status on that server.
+
+Please choose a sensible password, and keep in mind that the *name* is not
+related to the *nickname* used by the user at all!
+
+We don't make use of the `Mask` setting in the example above (commented out
+with the `;` character), but it is a good idea to enable it whenever possible!
+
+And you can have as many *Operator blocks* as you like, configuring multiple
+different IRC Operators.
+
+## Configuring SSL/TLS Encryption
+
+Please see the file `SSL.md` for details.
--- a/doc/SSL.md
+++ b/doc/SSL.md
@ -0,0 +1,80 @@
+# [ngIRCd](https://ngircd.barton.de) - SSL/TLS Encrypted Connections
+
+ngIRCd supports SSL/TLS encrypted connections using the *OpenSSL* or *GnuTLS*
+libraries. Both encrypted server-server links as well as client-server links
+are supported.
+
+SSL is a compile-time option which is disabled by default. Use one of these
+options of the ./configure script to enable it:
+
+- `--with-openssl`: enable SSL support using OpenSSL.
+- `--with-gnutls`: enable SSL support using GnuTLS.
+
+You can check the output of `ngircd --version` to validate if your executable
+includes support for SSL or not: "+SSL" must be listed in the feature flags.
+
+You also need a SSL key and certificate, for example using Let's Encrypt, which
+is out of the scope of this document.
+
+From a feature point of view, ngIRCds support for both libraries is
+comparable. The only major difference (at this time) is that ngIRCd with GnuTLS
+does not support password protected private keys.
+
+## Configuration
+
+SSL-encrypted connections and plain-text connects can't run on the same network
+port (which is a limitation of the IRC protocol); therefore you have to define
+separate port(s) in your `[SSL]` block in the configuration file.
+
+A minimal configuration for *accepting* SSL-encrypted client & server
+connections looks like this:
+
+``` ini
+[SSL]
+CertFile = /etc/ssl/certs/my-fullchain.pem
+KeyFile = /etc/ssl/certs/my-privkey.pem
+Ports = 6697, 6698
+```
+
+In this case, the server only deals with *incoming* connections and never has to
+validate SSL certificates itself, and therefore no "Certificate Authorities" are
+needed.
+
+If you want to use *outgoing* SSL-connections to other servers, you need to add:
+
+``` ini
+[SSL]
+...
+CAFile = /etc/ssl/certs/ca-certificates.crt
+DHFile = /etc/ngircd/dhparams.pem
+
+[SERVER]
+...
+SSLConnect = yes
+```
+
+The `CAFile` option configures a file listing all the certificates of the
+trusted Certificate Authorities.
+
+The Diffie-Hellman parameters file `dhparams.pem` can be created like this:
+
+- OpenSSL: `openssl dhparam -2 -out /etc/ngircd/dhparams.pem 4096`
+- GnuTLS: `certtool --generate-dh-params --bits 4096 --outfile /etc/ngircd/dhparams.pem`
+
+Note that enabling `SSLConnect` not only enforces SSL-encrypted links for
+*outgoing* connections to other servers, but for *incoming* connections as well:
+If a server configured with `SSLConnect = yes` tries to connect on a plain-text
+connection, it won't be accepted to prevent data leakage! Therefore you should
+set this for *all* servers you expect to use SSL-encrypted connections!
+
+## Accepting untrusted Remote Certificates
+
+If you are using self-signed certificates or otherwise invalid certificates,
+which ngIRCd would reject by default, you can force ngIRCd to skip certificate
+validation on a per-server basis and continue establishing outgoing connections
+to the respective peer by setting `SSLVerify = no` in the `[SERVER]` block of
+this remote server in your configuration.
+
+But please think twice before doing so: the established connection is still
+encrypted but the remote site is *not verified at all* and man-in-the-middle
+attacks are possible!
--- a/doc/SSL.txt
+++ b/doc/SSL.txt
@ -1,108 +0,0 @@
-
-                     ngIRCd - Next Generation IRC Server
-
-                        (c)2001-2008 Alexander Barton,
-                    alex@barton.de, http://www.barton.de/
-
-               ngIRCd is free software and published under the
-                   terms of the GNU General Public License.
-
-                                 -- SSL.txt --
-
-
-ngIRCd supports SSL/TLSv1 encrypted connections using the OpenSSL or GnuTLS
-libraries. Both encrypted server-server links as well as client-server links
-are supported.
-
-SSL is a compile-time option which is disabled by default. Use one of these
-options of the ./configure script to enable it:
-
-  --with-openssl     enable SSL support using OpenSSL
-  --with-gnutls      enable SSL support using GnuTLS
-
-You also need a key/certificate, see below for how to create a self-signed one.
-
-From a feature point of view, ngIRCds support for both libraries is
-comparable. The only major difference (at this time) is that ngircd with gnutls
-does not support password protected private keys.
-
-Configuration
-~~~~~~~~~~~~~
-
-To enable SSL connections a separate port must be configured: it is NOT
-possible to handle unencrypted and encrypted connections on the same port!
-This is a limitation of the IRC protocol ...
-
-You have to set (at least) the following configuration variables in the
-[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.
-
-Now IRC clients are able to connect using SSL on the configured port(s).
-(Using port 6697 for encrypted connections is common.)
-
-To enable encrypted server-server links, you have to additionally set
-SSLConnect to "yes" in the corresponding [SERVER] section.
-
-
-Creating a self-signed certificate
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-OpenSSL:
-
-Creating a self-signed certificate and key:
- $ openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 1461
-Create DH parameters (optional):
- $ openssl dhparam -2 -out dhparams.pem 4096
-
-GnuTLS:
-
-Creating a self-signed certificate and key:
- $ certtool --generate-privkey --bits 2048 --outfile server-key.pem
- $ certtool --generate-self-signed --load-privkey server-key.pem --outfile server-cert.pem
-Create DH parameters (optional):
- $ certtool  --generate-dh-params --bits 4096 --outfile dhparams.pem
-
-
-Alternate approach using stunnel(1)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Alternatively (or if you are using ngIRCd compiled without support
-for GnuTLS/OpenSSL), you can use external programs/tools like stunnel(1) to
-get SSL encrypted connections:
-
-  <http://stunnel.mirt.net/>
-  <http://www.stunnel.org/>
-
-Stefan Sperling (stefan at binarchy dot net) mailed the following text as a
-short "how-to", thanks Stefan!
-
-=== snip ===
-    ! This guide applies to stunnel 4.x !
-
-    Put this in your stunnel.conf:
-
-        [ircs]
-        accept = 6667
-        connect = 6668
-
-    This makes stunnel listen for incoming connections
-    on port 6667 and forward decrypted data to port 6668.
-    We call the connection 'ircs'. Stunnel will use this
-    name when logging connection attempts via syslog.
-    You can also use the name in /etc/hosts.{allow,deny}
-    if you run tcp-wrappers.
-
-    To make sure ngircd is listening on the port where
-    the decrypted data arrives, set
-
-        Ports = 6668
-
-    in your ngircd.conf.
-
-    Start stunnel and restart ngircd.
-
-    That's it.
-    Don't forget to activate ssl support in your irc client ;)
-    The main drawback of this approach compared to using builtin ssl
-    is that from ngIRCds point of view, all ssl-enabled client connections will
-    originate from the host running stunnel.
-=== snip ===
--- a/doc/Services.txt
+++ b/doc/Services.txt
@ -15,7 +15,7 @@ using the IRC protocol as defined in RFC 1459 or RFC 2812.

 Support for Services has been tested using
 - Anope 1.9.8 or later (<http://www.anope.org/>)
- - Atheme 7.0.2 or later (<http://www.atheme.net>)
+ - Atheme 7.0.2 or later (<https://atheme.org/>)
 - "IRC Services" 5.1.x by Andrew Church (<http://achurch.org/services/>)

 This document describes setting up ngIRCd and these services.
@ -34,6 +34,10 @@ services instead of regular IRC users.

 Example:

+  [GLOBAL]
+     Name = server.irc.net
+     Ports = 6667
+
  [SERVER]
     Name = services.irc.net
     MyPassword = 123abc
@ -97,13 +101,17 @@ In conf/nickserv.conf:
 Setting up Atheme 7.0.2 or later
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Atheme 7.0.2 or later (<http://www.atheme.net>) may be used with ngIRCd using
+Atheme 7.0.2 or later (<https://atheme.org/>) may be used with ngIRCd using
 the "ngircd" protocol module.

 The following settings need to be in atheme.conf:

  loadmodule "modules/protocol/ngircd";

+  serverinfo {
+	name = "services.irc.net";
+  }
+
  uplink "server.irc.net" {
 	password = "123abc";
 	port = 6667;
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@ -24,8 +24,9 @@
 	# make sure that they correspond to your installation and setup!

 	# Server name in the IRC network, must contain at least one dot
-	# (".") and be unique in the IRC network. Required!
-	Name = irc.example.net
+	# (".") and be unique in the IRC network. When not set, ngIRCd tries
+	# to deduce a valid IRC server name from the local host name.
+	;Name = irc.example.net

 	# Information about the server and the administrator, used by the
 	# ADMIN command. Not required by server but by RFC!
@ -34,12 +35,14 @@
 	;AdminEMail = admin@irc.server

 	# Text file which contains the ngIRCd help text. This file is required
-	# to display help texts when using the "HELP <cmd>" command.
+	# to display help texts when using the "HELP <cmd>" command. Default: a
+	# built-in standard path (check "ngircd --configtest").
 	;HelpFile = :DOCDIR:/Commands.txt

 	# Info text of the server. This will be shown by WHOIS and
-	# LINKS requests for example.
-	Info = Server Info Text
+	# LINKS requests for example. Set to the server software name and
+	# version by default.
+	;Info = Server Info Text

 	# Comma separated list of IP addresses on which the server should
 	# listen. Default values are:
@ -48,10 +51,11 @@
 	;Listen = 127.0.0.1,192.168.0.1

 	# Text file with the "message of the day" (MOTD). This message will
-	# be shown to all users connecting to the server:
+	# be shown to all users connecting to the server: Default: a built-in
+	# standard path (check "ngircd --configtest").
 	;MotdFile = :ETCDIR:/ngircd.motd

-	# A simple Phrase (<256 chars) if you don't want to use a motd file.
+	# A simple Phrase (<127 chars) if you don't want to use a motd file.
 	;MotdPhrase = "Hello world!"

 	# The name of the IRC network to which this server belongs. This name
@ -117,6 +121,12 @@
 	# maximum nickname length!
 	;MaxNickLength = 9

+	# Maximum penalty time increase in seconds, per penalty event. Set to -1
+	# for no limit (the default), 0 to disable penalties altogether. The
+	# daemon doesn't use penalty increases higher than 2 seconds during
+	# normal operation, so values greater than 1 rarely make sense.
+	;MaxPenaltyTime = -1
+
 	# Maximum number of channels returned in response to a /list
 	# command (0: unlimited):
 	;MaxListSize = 100
@ -186,6 +196,9 @@

 	# Directory containing configuration snippets (*.conf), that should
 	# be read in after parsing this configuration file.
+	# Default: a built-in directory name when no configuration file was
+	# explicitly given on the command line (check "ngircd --configtest"),
+	# none (empty) otherwise.
 	;IncludeDir = :ETCDIR:/conf.d

 	# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
@ -260,6 +273,14 @@
 	# is only available when ngIRCd is compiled with support for SSL!
 	# So don't forget to remove the ";" above if this is the case ...

+	# SSL Trusted CA Certificates File for verifying peer certificates.
+	# (Default: not set; so no certificates are trusted)
+	;CAFile = /etc/ssl/CA/cacert.pem
+
+	# Certificate Revocation File (for marking otherwise valid
+	# certficates as invalid)
+	;CRLFile = /etc/ssl/CA/crl.pem
+
 	# SSL Server Key Certificate
 	;CertFile = :ETCDIR:/ssl/server-cert.pem

@ -303,7 +324,7 @@
 [Server]
 	# Other servers are configured in [Server] sections. If you
 	# configure a port for the connection, then this ngircd tries to
-	# connect to to the other server on the given port; if not it waits
+	# connect to the other server on the given port; if not it waits
 	# for the other server to connect.
 	# There may be more than one server block, one for each server.
 	#
@ -351,6 +372,10 @@
 	# Connect to the remote server using TLS/SSL (Default: false)
 	;SSLConnect = yes

+	# Verify the TLS certificate presented by the remote server
+	# (Default: yes)
+	;SSLVerify = yes
+
 	# Define a (case insensitive) list of masks matching nicknames that
 	# should be treated as IRC services when introduced via this remote
 	# server, separated by commas (",").
@ -379,19 +404,21 @@
 	# Topic for this channel
 	;Topic = a great topic

-	# Initial channel modes
-	;Modes = tnk
+	# Initial channel modes, as used in "MODE" commands. Modifying lists
+	# (ban list, invite list, exception list) is supported.
+	# This option can be specified multiple times, evaluated top to bottom.
+	;Modes = +tnk mykey +l 5
+	;Modes = +b nick!~user@bad.host.example.com

-	# initial channel password (mode k)
-	;Key = Secret
+	# Should ngIRCd automatically join ("autojoin") all users to this
+	# channel on connect? Note: The users must have permissions to access
+	# the channel, otherwise joining them will fail!
+	;Autojoin = yes

 	# Key file, syntax for each line: "<user>:<nick>:<key>".
 	# Default: none.
 	;KeyFile = :ETCDIR:/#chan.key

-	# maximum users per channel (mode l)
-	;MaxUsers = 23
-
 [Channel]
 	# More [Channel] sections, if you like ...

--- a/doc/src/footer.inc.html
+++ b/doc/src/footer.inc.html
@ -2,9 +2,10 @@
 <hr class="footer">
 <p style="text-align: center">
  ngIRCd
-  <a href="http://ngircd.barton.de/">Homepage</a>,
-  <a href="http://ngircd.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git">GIT-Repository</a>,
-  <a href="http://ngircd.barton.de/bugzilla/index.cgi">Bug-Tracker</a>.
+  <a href="https://ngircd.barton.de/">Homepage</a>.
+  GitHub:
+  <a href="https://github.com/ngircd/ngircd">Code Repository</a>,
+  <a href="https://github.com/ngircd/ngircd/issues">Bug-Tracker</a>.
 </p>

 </body>
--- a/man/ngircd.8.tmpl
+++ b/man/ngircd.8.tmpl
@ -1,7 +1,7 @@
 .\"
 .\" ngircd(8) manual page template
 .\"
-.TH ngircd 8 "Jan 2017" ngIRCd "ngIRCd Manual"
+.TH ngircd 8 "Sep 2023" ngIRCd "ngIRCd Manual"
 .SH NAME
 ngIRCd \- the "next generation" IRC daemon
 .SH SYNOPSIS
@ -11,24 +11,22 @@ ngIRCd \- the "next generation" IRC daemon
 ]
 .SH DESCRIPTION
 .BR ngIRCd
-is a free, portable and lightweight Internet Relay Chat server for small
+is a free, portable and lightweight Internet Relay Chat (IRC) server for small
 or private networks, developed under the GNU General Public License (GPL).
-It is easy to configure, can cope with dynamic IP addresses, and supports
-IPv6, SSL-protected connections as well as PAM for authentication.
-It is written from scratch and not based on the original IRCd.
 .PP
-The name ngIRCd means
-.IR "next generation IRC daemon",
+The server is quite easy to configure and runs as a single-node server or can
+be part of a network of ngIRCd servers in a LAN or across the internet. It
+optionally supports the IPv6 protocol, SSL/TLS-protected client-server and
+server-server links, the Pluggable Authentication Modules (PAM) system for user
+authentication, IDENT requests, and character set conversion for legacy
+clients.
+.PP
+The name ngIRCd stands for
+.IR "next-generation IRC daemon",
 which is a little bit exaggerated:
 .IR "lightweight Internet Relay Chat server"
 most probably would have been a better name :-)
 .PP
-Currently supported platforms include AIX, A/UX, FreeBSD, HP-UX, Hurd, IRIX,
-Linux, Mac OS X, Minix, NetBSD, OpenBSD, Solaris, and Windows with Cygwin.
-As ngIRCd relies on UNIX standards and uses GNU automake and GNU autoconf
-there are good chances that it also supports other UNIX-based operating
-systems as well.
-.PP
 By default ngIRCd logs diagnostic and informational messages using the syslog
 mechanism, or writes directly to the console when running in the foreground
 (see below).
@ -54,14 +52,25 @@ terminate the server.
 Disable automatic connections to other servers. You can use the IRC command
 CONNECT later on as IRC Operator to link this ngIRCd to other servers.
 .TP
+\fB\-y\fR, \fB\-\-syslog\fR
+Write log messages to the syslog even when running in the foreground. This only
+makes sense when
+.I \-n/\-\-nodaemon
+was given on the command line
+.I before
+this option!
+.PP
+The following options prevent ngIRCd from starting regularly, but perform a
+specific action and then exit the daemon again:
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Display a brief help text and exit.
+.TP
 \fB\-t\fR, \fB\-\-configtest\fR
 Read, validate and display the configuration; then exit.
 .TP
 \fB\-V\fR, \fB\-\-version\fR
 Output version information and exit.
-.TP
-\fB\-h\fR, \fB\-\-help\fR
-Display a brief help text and exit.
 .SH FILES
 .I :ETCDIR:/ngircd.conf
 .RS
@ -81,14 +90,28 @@ Shut down all connections and terminate the daemon.
 Shut down all listening sockets, re-read the configuration file and
 re-initialize the daemon.
 .SH HINTS
-It's wise to use "ngircd \-\-configtest" to validate the configuration file
-after changing it.
+It is
+.I always wise
+to use "ngircd \-\-configtest" to validate the configuration of ngIRCd after
+making changes to the configuration files!
 .SH DEBUGGING
-When ngIRCd is compiled with debug code, that is, its source code has
-been ./configure'd with "\-\-enable\-debug" and/or "\-\-enable\-sniffer" (witch
-enables debug mode automatically as well), you can use two more command
-line options and two more signals to debug problems with the daemon itself
-or IRC clients:
+ngIRCd can log additional debug messages, which can be enabled with the command
+line option \-\-debug (\-d) or by sending the USR1 signal to the running daemon.
+Some of those messages may leak personal information, be very technical and can
+be very verbose. Therefore the debug mode is meant for troubleshooting only and
+should definitely be disabled during normal operation!
+.PP
+In addition, a "protocol sniffer" can be enabled on build time by passing the
+"\-\-enable\-sniffer" option to the ./configure script which enables the
+"\-\-sniffer" (\-s) command line option (which is not available by default):
+this "sniffer" logs all incoming and outgoing IRC commands on all connections,
+which can be handy to debug problems with the daemon itself or IRC clients.
+.PP
+Both modes are indicated in the version string shown by the IRC "VERSION"
+command: if the version ends in a dot (like in "26.1."), the daemon operates in
+"normal" mode (the version used in the example is "26.1"). If it ends in ".1"
+(like in "26.1.1") the "debug-mode" is enabled; and if it ends in ".2" (like in
+"26.1.2") the "IRC sniffer" is enabled, too.
 .PP
 \fBOptions:\fR
 .TP
@ -101,6 +124,9 @@ the console/syslog. This option requires that ngIRCd has been ./configure'd
 with "\-\-enable\-sniffer" and enables debug mode automatically, too.
 .PP
 \fBSignals:\fR
+.PP
+Note: Usage of these signals is broadcasted to all users with the +s ("receive
+server notices") mode set!
 .TP
 \fBUSR1\fR
 Toggle debug mode on and off during runtime.
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@ -1,7 +1,7 @@
 .\"
 .\" ngircd.conf(5) manual page template
 .\"
-.TH ngircd.conf 5 "Jan 2017" ngIRCd "ngIRCd Manual"
+.TH ngircd.conf 5 "Sep 2023" ngIRCd "ngIRCd Manual"
 .SH NAME
 ngircd.conf \- configuration file of ngIRCd
 .SH SYNOPSIS
@ -93,10 +93,11 @@ like the server name and the ports on which the server should be listening.
 These settings depend on your personal preferences, so you should make sure
 that they correspond to your installation and setup!
 .TP
-\fBName\fR (string; required)
+\fBName\fR (string)
 Server name in the IRC network. This is an individual name of the IRC
 server, it is not related to the DNS host name. It must be unique in the
-IRC network and must contain at least one dot (".") character.
+IRC network and must contain at least one dot (".") character. When not set,
+ngIRCd tries to deduce a valid IRC server name from the local host name.
 .TP
 \fBAdminInfo1\fR, \fBAdminInfo2\fR, \fBAdminEMail\fR (string)
 Information about the server and the administrator, used by the ADMIN
@ -106,11 +107,12 @@ command. This information is not required by the server but by RFC!
 Text file which contains the ngIRCd help text. This file is required
 to display help texts when using the "HELP <cmd>" command.
 Please note: Changes made to this file take effect when ngircd starts up
-or is instructed to re-read its configuration file.
+or is instructed to re-read its configuration file. Default: a built-in
+standard path.
 .TP
 \fBInfo\fR (string)
 Info text of the server. This will be shown by WHOIS and LINKS requests for
-example.
+example. Set to the server software name and version by default.
 .TP
 \fBListen\fR (list of strings)
 A comma separated list of IP address on which the server should listen.
@ -122,10 +124,10 @@ IP addresses and interfaces by default.
 Text file with the "message of the day" (MOTD). This message will be shown to
 all users connecting to the server. Please note: Changes made to this file
 take effect when ngircd starts up or is instructed to re-read its
-configuration file.
+configuration file. Default: a built-in standard path.
 .TP
 \fBMotdPhrase\fR (string)
-A simple Phrase (<256 chars) if you don't want to use a MOTD file.
+A simple Phrase (<127 chars) if you don't want to use a MOTD file.
 .TP
 \fBNetwork\fR (string)
 The name of the IRC network to which this server belongs. This name is
@ -201,6 +203,12 @@ Maximum length of an user nickname (Default: 9, as in RFC 2812). Please
 note that all servers in an IRC network MUST use the same maximum nickname
 length!
 .TP
+\fBMaxPenaltyTime\fR (number)
+Maximum penalty time increase in seconds, per penalty event. Set to -1 for no
+limit (the default), 0 to disable penalties altogether. ngIRCd doesn't use
+penalty increases higher than 2 seconds during normal operation, so values
+greater than 1 rarely make sense.
+.TP
 \fBMaxListSize\fR (number)
 Maximum number of channels returned in response to a LIST command. Default: 100.
 .TP
@ -287,7 +295,17 @@ Default: yes.
 \fBIncludeDir\fR (string)
 Directory containing configuration snippets (*.conf), that should be read in
 after parsing the current configuration file.
-Default: none.
+Default: a built-in directory name when no configuration file was explicitly
+given on the command line (check "ngircd --configtest"), none (empty)
+otherwise.
+.PP
+.RS
+This way no default include directory is used when a possibly non-default
+configuration file was explicitly specified using "--config"/"-f" on the
+command line which (intentionally) did not specify an
+.I "IncludeDir"
+directive.
+.RE
 .TP
 \fBMorePrivacy\fR (boolean)
 This will cause ngIRCd to censor user idle time, logon time as well as the
@ -341,7 +359,7 @@ Default: no.
 .TP
 \fBPAMServiceName\fR (string)
 When PAM is enabled, this value determines the used PAM configuration.
-This setting allows to run multiple ngIRCd instances with different
+This setting allows running multiple ngIRCd instances with different
 PAM configurations on each instance. If you set it to "ngircd-foo",
 PAM will use /etc/pam.d/ngircd-foo instead of the default
 /etc/pam.d/ngircd.
@ -379,6 +397,10 @@ All SSL-related configuration variables are located in the
 section. Please note that this whole section is only recognized by ngIRCd
 when it is compiled with support for SSL using OpenSSL or GnuTLS!
 .TP
+\fBCAFile\fR (string)
+Filename pointing to the Trusted CA Certificates. This is required for
+verifying peer certificates. Default: not set, so no certificates are trusted.
+.TP
 \fBCertFile\fR (string)
 SSL Certificate file of the private server key.
 .TP
@ -388,6 +410,9 @@ Select cipher suites allowed for SSL/TLS connections.  This defaults to
 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
 (GnuTLS) for details.
 .TP
+\fBCRLFile\fR (string)
+Filename of Certificate Revocation List.
+.TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
 "certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not
@ -426,7 +451,7 @@ Example: nick!ident@*.example.com
 Other servers are configured in
 .I [Server]
 sections. If you configure a port for the connection, then this ngIRCd
-tries to connect to to the other server on the given port (active);
+tries to connect to the other server on the given port (active);
 if not, it waits for the other server to connect (passive).
 .PP
 ngIRCd supports "server groups": You can assign an "ID" to every server
@ -473,6 +498,9 @@ You can use the IRC Operator command CONNECT later on to create the link.
 \fBSSLConnect\fR (boolean)
 Connect to the remote server using TLS/SSL. Default: false.
 .TP
+\fBSSLVerify\fR (boolean)
+Verify the TLS certificate presented by the remote server. Default: yes.
+.TP
 \fBServiceMask\fR (string)
 Define a (case insensitive) list of masks matching nicknames that should be
 treated as IRC services when introduced via this remote server, separated
@ -504,10 +532,17 @@ Name of the channel, including channel prefix ("#" or "&").
 Topic for this channel.
 .TP
 \fBModes\fR (string)
-Initial channel modes.
+Initial channel modes, as used in "MODE" commands. Modifying lists (ban list,
+invite list, exception list) is supported.
+.PP
+.RS
+This option can be specified multiple times, evaluated top to bottom.
+.RE
 .TP
-\fBKey\fR (string)
-Sets initial channel key (only relevant if channel mode "k" is set).
+\fBAutojoin\fR (boolean)
+Should ngIRCd automatically join ("autojoin") all users to this channel on
+connect? Note: The users must have permissions to access the channel, otherwise
+joining them will fail!
 .TP
 \fBKeyFile\fR (string)
 Path and file name of a "key file" containing individual channel keys for
@ -551,10 +586,6 @@ The file is not reopened on each access, so you can modify and overwrite it
 without problems, but moving or deleting the file will have not effect until
 the daemon re-reads its configuration!
 .RE
-.TP
-\fBMaxUsers\fR (number)
-Set maximum user limit for this channel (only relevant if channel mode "l"
-is set).
 .SH HINTS
 It's wise to use "ngircd \-\-configtest" to validate the configuration file
 after changing it. See
--- a/src/ngircd/Makefile.ng
+++ b/src/ngircd/Makefile.ng
@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2012 Alexander Barton (alex@barton.de) and Contributors
+# Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -15,9 +15,6 @@ EXTRA_DIST = Makefile.ng

 AM_CPPFLAGS = -I$(srcdir)/../portab -I$(srcdir)/../tool -I$(srcdir)/../ipaddr

-LINTARGS = -weak -warnunixlib +unixlib -booltype BOOLEAN \
- -varuse -retvalother -emptyret -unrecog
-
 sbin_PROGRAMS = ngircd

 ngircd_SOURCES = \
@ -107,7 +104,7 @@ noinst_HEADERS = \
 	sighandlers.h

 clean-local:
-	rm -f check-version check-help lint.out
+	rm -f check-version check-help

 maintainer-clean-local:
 	rm -f Makefile Makefile.in Makefile.am
@ -122,32 +119,6 @@ check-help: Makefile
 	echo "./ngircd --help | grep help >/dev/null 2>&1" >>check-help
 	chmod 755 check-help

-lint:
-	@splint --version >/dev/null 2>&1 \
-	 || ( echo; echo "Error: \"splint\" not found!"; echo; exit 1 )
-	@echo; warnings=0; files=0; \
-	for f in *.c; do \
-	 echo "checking $$f ..."; \
-	 splint $$f $(LINTARGS) -I$(srcdir) -I$(srcdir)/.. \
-	  $(AM_CPPFLAGS) $(AM_CFLAGS) >lint.out 2>&1; \
-	 grep "no warnings" lint.out > /dev/null 2>&1; \
-	 if [ $$? -ne 0 ]; then \
-	  waswarning=1; \
-	  echo; grep -v "^Command Line: " lint.out; echo; \
-	  w=$$( grep "code warning" lint.out | $(AWK) "{ print \$$4 }" ); \
-	  [ "$$w" -gt 0 ] && warnings=`expr $$warnings + $$w`; \
-	  files=`expr $$files + 1`; \
-	 else \
-	  waswarning=0; \
-	 fi; \
-	 rm -f lint.out; \
-	done; \
-	[ $$waswarning -eq 0 ] && echo; \
-	[ $$warnings -gt 0 ] \
-	 && echo "Result: $$warnings warning(s) in $$files file(s)!" \
-	 || echo "Result: no warnings found."; \
-	echo; [ $$warnings -gt 0 ] && exit 1
-
 TESTS = check-version check-help

 # -eof-
--- a/src/ngircd/array.c
+++ b/src/ngircd/array.c
@ -68,7 +68,7 @@ array_alloc(array * a, size_t size, size_t pos)

 	if (a->allocated < alloc) {
 #if DEBUG_ARRAY
-		Log(LOG_DEBUG, "array_alloc(): changing size from %u to %u bytes.",
+		LogDebug("array_alloc(): changing size from %u to %u bytes.",
 		    a->allocated, alloc);
 #endif
 		tmp = realloc(a->mem, alloc);
@ -169,7 +169,7 @@ array_catb(array * dest, const char *src, size_t len)
 	assert(ptr != NULL);

 #if DEBUG_ARRAY
-	Log(LOG_DEBUG,
+	LogDebug(
 	    "array_catb(): appending %u bytes to array (now %u bytes in array).",
 	    len, tmp);
 #endif
@ -249,7 +249,7 @@ array_free(array * a)
 {
 	assert(a != NULL);
 #if DEBUG_ARRAY
-	Log(LOG_DEBUG,
+	LogDebug(
 	    "array_free(): %u bytes free'd (%u bytes still used at time of free()).",
 	    a->allocated, a->used);
 #endif
@ -315,7 +315,7 @@ array_moveleft(array * a, size_t membersize, size_t pos)
 		return;	/* nothing to do */

 #if DEBUG_ARRAY
-	Log(LOG_DEBUG,
+	LogDebug(
 	    "array_moveleft(): %u bytes used in array, starting at position %u.",
 	    a->used, bytepos);
 #endif
--- a/src/ngircd/channel.c
+++ b/src/ngircd/channel.c
@ -36,6 +36,8 @@
 #include "log.h"
 #include "messages.h"
 #include "match.h"
+#include "parse.h"
+#include "irc-mode.h"

 #define REMOVE_PART 0
 #define REMOVE_QUIT 1
@ -93,9 +95,11 @@ GLOBAL void
 Channel_InitPredefined( void )
 {
 	CHANNEL *new_chan;
+	REQUEST Req;
 	const struct Conf_Channel *conf_chan;
-	const char *c;
-	size_t i, channel_count = array_length(&Conf_Channels, sizeof(*conf_chan));
+	char *c;
+	char modes[COMMAND_LEN], name[CHANNEL_NAME_LEN];
+	size_t i, n, channel_count = array_length(&Conf_Channels, sizeof(*conf_chan));

 	conf_chan = array_start(&Conf_Channels);

@ -126,24 +130,63 @@ Channel_InitPredefined( void )
 							conf_chan->name);
 			continue;
 		}
-		Log(LOG_INFO, "Created pre-defined channel \"%s\".",
-						conf_chan->name);
-
 		Channel_ModeAdd(new_chan, 'P');

 		if (conf_chan->topic[0])
 			Channel_SetTopic(new_chan, NULL, conf_chan->topic);

-		c = conf_chan->modes;
-		while (*c)
-			Channel_ModeAdd(new_chan, *c++);
+		/* Evaluate modes strings with fake requests */
+		if (conf_chan->modes_num) {
+			/* Prepare fake request structure */
+			strlcpy(name, conf_chan->name, sizeof(name));
+			LogDebug("Evaluating predefined channel modes for \"%s\" ...", name);
+			Req.argv[0] = name;
+			Req.prefix = Client_ID(Client_ThisServer());
+			Req.command = "MODE";
+
+			/* Iterate over channel modes strings */
+			for (n = 0; n < conf_chan->modes_num; n++) {
+				Req.argc = 1;
+				strlcpy(modes, conf_chan->modes[n], sizeof(modes));
+				LogDebug("Evaluate \"MODE %s %s\".", name, modes);
+				c = strtok(modes, " ");
+				while (c && Req.argc < 15) {
+					Req.argv[Req.argc++] = c;
+					c = strtok(0, " ");
+				}
+
+				if (Req.argc > 1) {
+					/* Handling of legacy "Key" and "MaxUsers" settings:
+					 * Enforce setting the respective mode(s), to support
+					 * the legacy "Mode = kl" notation, which was valid but
+					 * is an invalid MODE string: key and limit are missing!
+					 * So set them manually when "k" or "l" are detected in
+					 * the first MODE parameter ... */
+					if (Req.argc > 1 && strchr(Req.argv[1], 'k')) {
+						Channel_SetKey(new_chan, conf_chan->key);
+						Channel_ModeAdd(new_chan, 'k');
+					}
+					if (strchr(Req.argv[1], 'l')) {
+						Channel_SetMaxUsers(new_chan, conf_chan->maxusers);
+						Channel_ModeAdd(new_chan, 'l');
+					}
+
+					IRC_MODE(Client_ThisServer(), &Req);
+				}
+
+				/* Original channel modes strings are no longer needed */
+				free(conf_chan->modes[n]);
+			}
+		}

-		Channel_SetKey(new_chan, conf_chan->key);
-		Channel_SetMaxUsers(new_chan, conf_chan->maxusers);
 		Set_KeyFile(new_chan, conf_chan->keyfile);
+
+		Log(LOG_INFO,
+		    "Created pre-defined channel \"%s\", mode \"%s\" (%s, user limit %d).",
+		    new_chan->name, new_chan->modes,
+		    new_chan->key[0] ? "channel key set" : "no channel key",
+		    new_chan->maxusers);
 	}
-	if (channel_count)
-		array_free(&Conf_Channels);

 	/* Make sure the local &SERVER channel exists */
 	if (!Channel_Search("&SERVER")) {
@ -736,10 +779,28 @@ Channel_UserModes( CHANNEL *Chan, CLIENT *Client )
 } /* Channel_UserModes */


+/**
+ * Test if a user has a given channel user mode.
+ *
+ * @param Chan The channel to check.
+ * @param Client The client to check.
+ * @param Mode The channel user mode to test for.
+ * @return true if the user has the given channel user mode set.
+ */
 GLOBAL bool
 Channel_UserHasMode( CHANNEL *Chan, CLIENT *Client, char Mode )
 {
-	return strchr(Channel_UserModes(Chan, Client), Mode) != NULL;
+	char *channel_user_modes;
+
+	assert(Chan != NULL);
+	assert(Client != NULL);
+	assert(Mode > 0);
+
+	channel_user_modes = Channel_UserModes(Chan, Client);
+	if (!channel_user_modes || !*channel_user_modes)
+		return false;
+
+	return strchr(channel_user_modes, Mode) != NULL;
 } /* Channel_UserHasMode */


--- a/src/ngircd/channel.h
+++ b/src/ngircd/channel.h
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2012 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -17,7 +17,7 @@
 * Channel management (header)
 */

-#if defined(__channel_c__) | defined(S_SPLINT_S)
+#if defined(__channel_c__)

 #include "lists.h"
 #include "defines.h"
--- a/src/ngircd/client.c
+++ b/src/ngircd/client.c
@ -213,7 +213,7 @@ Init_New_Client(CONN_ID Idx, CLIENT *Introducer, CLIENT *TopServer,
 		Generate_MyToken(client);

 	if (Client_HasMode(client, 'a'))
-		client->away = strndup(DEFAULT_AWAY_MSG, CLIENT_AWAY_LEN - 1);
+		client->away = strdup(DEFAULT_AWAY_MSG);

 	client->next = (POINTER *)My_Clients;
 	My_Clients = client;
@ -337,7 +337,11 @@ Client_SetHostname( CLIENT *Client, const char *Hostname )
 	assert(Client != NULL);
 	assert(Hostname != NULL);

-	if (Conf_CloakHost[0]) {
+	/* Only cloak the hostmask if it has not yet been cloaked.
+	 * The period or colon indicates it's still an IP address.
+	 * An empty string means a rDNS lookup did not happen (yet). */
+	if (Conf_CloakHost[0] && (!Client->host[0] || strchr(Client->host, '.')
+				  || strchr(Client->host, ':'))) {
 		char cloak[GETID_LEN];

 		strlcpy(cloak, Hostname, GETID_LEN);
@ -649,7 +653,7 @@ Client_SearchServer(const char *Mask)


 /**
- * Get client structure ("introducer") identfied by a server token.
+ * Get client structure ("introducer") identified by a server token.
 * @return CLIENT structure or NULL if none could be found.
 */
 GLOBAL CLIENT *
@ -694,10 +698,8 @@ Client_ID( CLIENT *Client )
 {
 	assert( Client != NULL );

-#ifdef DEBUG
 	if(Client->type == CLIENT_USER)
 		assert(strlen(Client->id) < Conf_MaxNickLength);
-#endif

 	if( Client->id[0] ) return Client->id;
 	else return "*";
@ -1311,12 +1313,14 @@ Client_Reject(CLIENT *Client, const char *Reason, bool InformClient)
 GLOBAL void
 Client_Introduce(CLIENT *From, CLIENT *Client, int Type)
 {
+	int server;
+
 	/* Set client type (user or service) */
 	Client_SetType(Client, Type);

 	if (From) {
-		if (Conf_NickIsService(Conf_GetServer(Client_Conn(From)),
-				   Client_ID(Client)))
+		server = Conf_GetServer(Client_Conn(From));
+		if (server > NONE && Conf_NickIsService(server, Client_ID(Client)))
 			Client_SetType(Client, CLIENT_SERVICE);
 		LogDebug("%s \"%s\" (+%s) registered (via %s, on %s, %d hop%s).",
 			 Client_TypeText(Client), Client_Mask(Client),
@ -1374,7 +1378,7 @@ MyCount( CLIENT_TYPE Type )


 /**
- * Allocate and initialize new CLIENT strcuture.
+ * Allocate and initialize new CLIENT structure.
 *
 * @return Pointer to CLIENT structure or NULL on error.
 */
@ -1493,9 +1497,7 @@ Client_RegisterWhowas( CLIENT *Client )
 	slot = Last_Whowas + 1;
 	if( slot >= MAX_WHOWAS || slot < 0 ) slot = 0;

-#ifdef DEBUG
-	Log( LOG_DEBUG, "Saving WHOWAS information to slot %d ...", slot );
-#endif
+	LogDebug( "Saving WHOWAS information to slot %d ...", slot );

 	My_Whowas[slot].time = now;
 	strlcpy( My_Whowas[slot].id, Client_ID( Client ),
@ -1690,17 +1692,16 @@ Client_Announce(CLIENT * Client, CLIENT * Prefix, CLIENT * User)
 } /* Client_Announce */


-#ifdef DEBUG

 GLOBAL void
 Client_DebugDump(void)
 {
 	CLIENT *c;

-	Log(LOG_DEBUG, "Client status:");
+	LogDebug("Client status:");
 	c = My_Clients;
 	while (c) {
-		Log(LOG_DEBUG,
+		LogDebug(
 		    " - %s: type=%d, host=%s, user=%s, conn=%d, start=%ld, flags=%s",
                   Client_ID(c), Client_Type(c), Client_Hostname(c),
                   Client_User(c), Client_Conn(c), Client_StartTime(c),
@ -1709,7 +1710,6 @@ Client_DebugDump(void)
 	}
 } /* Client_DumpClients */

-#endif


 /* -eof- */
--- a/src/ngircd/client.h
+++ b/src/ngircd/client.h
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2013 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -36,7 +36,7 @@

 #include "defines.h"

-#if defined(__client_c__) | defined(__client_cap_c__) | defined(S_SPLINT_S)
+#if defined(__client_c__) | defined(__client_cap_c__)

 typedef struct _CLIENT
 {
@ -182,9 +182,7 @@ GLOBAL void Client_UpdateCloakedHostname PARAMS((CLIENT *Client,
 						 const char *hostname));


-#ifdef DEBUG
 GLOBAL void Client_DebugDump PARAMS((void));
-#endif

 #endif

--- a/src/ngircd/conf-ssl.h
+++ b/src/ngircd/conf-ssl.h
@ -13,6 +13,10 @@
 #ifdef HAVE_LIBSSL
 #define SSL_SUPPORT
 #include <openssl/ssl.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define OpenSSL_version SSLeay_version
+#define OPENSSL_VERSION SSLEAY_VERSION
+#endif
 #endif
 #ifdef HAVE_LIBGNUTLS
 #define SSL_SUPPORT
@ -36,6 +40,7 @@ struct ConnSSL_State {
 	gnutls_session_t gnutls_session;
 	void *cookie;		/* pointer to server configuration structure
 				   (for outgoing connections), or NULL. */
+	size_t x509_cred_idx;	/* index of active x509 credential record */
 #endif
 	char *fingerprint;
 };
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -33,6 +33,11 @@
 #include <grp.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <netdb.h>
+
+#ifdef HAVE_SYS_RESOURCE_H
+#	include <sys/resource.h>
+#endif

 #include "ngircd.h"
 #include "conn.h"
@ -112,6 +117,12 @@ ConfSSL_Init(void)
 	free(Conf_SSLOptions.CertFile);
 	Conf_SSLOptions.CertFile = NULL;

+	free(Conf_SSLOptions.CAFile);
+	Conf_SSLOptions.CAFile = NULL;
+
+	free(Conf_SSLOptions.CRLFile);
+	Conf_SSLOptions.CRLFile = NULL;
+
 	free(Conf_SSLOptions.DHFile);
 	Conf_SSLOptions.DHFile = NULL;
 	array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
@ -328,7 +339,7 @@ Conf_Test( void )
 {
 	struct passwd *pwd;
 	struct group *grp;
-	unsigned int i;
+	unsigned int i, j;
 	bool config_valid;
 	size_t predef_channel_count;
 	struct Conf_Channel *predef_chan;
@ -388,6 +399,7 @@ Conf_Test( void )
 	printf("  MaxConnectionsIP = %d\n", Conf_MaxConnectionsIP);
 	printf("  MaxJoins = %d\n", Conf_MaxJoins > 0 ? Conf_MaxJoins : -1);
 	printf("  MaxNickLength = %u\n", Conf_MaxNickLength - 1);
+	printf("  MaxPenaltyTime = %ld\n", (long)Conf_MaxPenaltyTime);
 	printf("  MaxListSize = %d\n", Conf_MaxListSize);
 	printf("  PingTimeout = %d\n", Conf_PingTimeout);
 	printf("  PongTimeout = %d\n", Conf_PongTimeout);
@ -407,7 +419,7 @@ Conf_Test( void )
 #endif
 	printf("  DefaultUserModes = %s\n", Conf_DefaultUserModes);
 	printf("  DNS = %s\n", yesno_to_str(Conf_DNS));
-#ifdef IDENT
+#ifdef IDENTAUTH
 	printf("  Ident = %s\n", yesno_to_str(Conf_Ident));
 #endif
 	printf("  IncludeDir = %s\n", Conf_IncludeDir);
@ -434,10 +446,14 @@ Conf_Test( void )

 #ifdef SSL_SUPPORT
 	puts("[SSL]");
+	printf("  CAFile = %s\n", Conf_SSLOptions.CAFile
+					? Conf_SSLOptions.CAFile : "");
 	printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
 					? Conf_SSLOptions.CertFile : "");
 	printf("  CipherList = %s\n", Conf_SSLOptions.CipherList ?
 	       Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
+	printf("  CRLFile = %s\n", Conf_SSLOptions.CRLFile
+					? Conf_SSLOptions.CRLFile : "");
 	printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
 					? Conf_SSLOptions.DHFile : "");
 	printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
@ -463,13 +479,16 @@ Conf_Test( void )
 		printf( "  Host = %s\n", Conf_Server[i].host );
 		printf( "  Port = %u\n", (unsigned int)Conf_Server[i].port );
 #ifdef SSL_SUPPORT
-		printf( "  SSLConnect = %s\n", Conf_Server[i].SSLConnect?"yes":"no");
+		printf("  SSLConnect = %s\n",
+		       yesno_to_str(Conf_Server[i].SSLConnect));
+		printf("  SSLVerify = %s\n",
+		       yesno_to_str(Conf_Server[i].SSLVerify));
 #endif
 		printf( "  MyPassword = %s\n", Conf_Server[i].pwd_in );
 		printf( "  PeerPassword = %s\n", Conf_Server[i].pwd_out );
 		printf( "  ServiceMask = %s\n", Conf_Server[i].svs_mask);
 		printf( "  Group = %d\n", Conf_Server[i].group );
-		printf( "  Passive = %s\n\n", Conf_Server[i].flags & CONF_SFLAG_DISABLED ? "yes" : "no");
+		printf( "  Passive = %s\n\n", yesno_to_str(Conf_Server[i].flags & CONF_SFLAG_DISABLED));
 	}

 	predef_channel_count = array_length(&Conf_Channels, sizeof(*predef_chan));
@ -482,10 +501,12 @@ Conf_Test( void )
 		/* Valid "Channel" section */
 		puts( "[CHANNEL]" );
 		printf("  Name = %s\n", predef_chan->name);
-		printf("  Modes = %s\n", predef_chan->modes);
+		for(j = 0; j < predef_chan->modes_num; j++)
+			printf("  Modes = %s\n", predef_chan->modes[j]);
 		printf("  Key = %s\n", predef_chan->key);
 		printf("  MaxUsers = %lu\n", predef_chan->maxusers);
 		printf("  Topic = %s\n", predef_chan->topic);
+		printf("  Autojoin = %s\n", yesno_to_str(predef_chan->autojoin));
 		printf("  KeyFile = %s\n\n", predef_chan->keyfile);
 	}

@ -711,7 +732,6 @@ Conf_NickIsService(int ConfServer, const char *Nick)
 /**
 * Check if the given nickname is blocked for "normal client" use.
 *
- * @param ConfServer The server index or NONE to check all configured servers.
 * @param Nick The nickname to check.
 * @returns true if the given nickname belongs to an "IRC service".
 */
@ -766,6 +786,7 @@ Set_Defaults(bool InitServers)
 	Conf_MaxConnectionsIP = 5;
 	Conf_MaxJoins = 10;
 	Conf_MaxNickLength = CLIENT_NICK_LEN_DEFAULT;
+	Conf_MaxPenaltyTime = -1;
 	Conf_MaxListSize = 100;
 	Conf_PingTimeout = 120;
 	Conf_PongTimeout = 20;
@ -845,13 +866,13 @@ no_listenports(void)
 *
 * This function is used to read the MOTD and help text file, for example.
 *
- * @param filename	Name of the file to read.
+ * @param Filename	Name of the file to read.
 * @return		true, when the file has been read in.
 */
 static bool
 Read_TextFile(const char *Filename, const char *Name, array *Destination)
 {
-	char line[127];
+	char line[COMMAND_LEN];
 	FILE *fp;
 	int line_no = 1;

@ -887,9 +908,9 @@ Read_TextFile(const char *Filename, const char *Name, array *Destination)
 * Please note that this function uses exit(1) on fatal errors and therefore
 * can result in ngIRCd terminating!
 *
- * @param ngircd_starting	Flag indicating if ngIRCd is starting or not.
- * @returns			true when the configuration file has been read
- *				successfully; false otherwise.
+ * @param IsStarting	Flag indicating if ngIRCd is starting or not.
+ * @returns		true when the configuration file has been read
+ *			successfully; false otherwise.
 */
 static bool
 Read_Config(bool TestOnly, bool IsStarting)
@ -899,27 +920,46 @@ Read_Config(bool TestOnly, bool IsStarting)
 	struct dirent *entry;
 	int i, n;
 	FILE *fd;
-	DIR *dh;
+	DIR *dh = NULL;
+
+	if (!NGIRCd_ConfFile[0]) {
+		/* No configuration file name explicitly given on the command
+		 * line, use defaults but ignore errors when this file can't be
+		 * read later on. */
+		strlcpy(file, SYSCONFDIR, sizeof(file));
+		strlcat(file, CONFIG_FILE, sizeof(file));
+		ptr = file;
+	} else
+		ptr = NGIRCd_ConfFile;
+
+	Config_Error(LOG_INFO, "Using %s configuration file \"%s\" ...",
+		     !NGIRCd_ConfFile[0] ? "default" : "specified", ptr);

 	/* Open configuration file */
-	fd = fopen( NGIRCd_ConfFile, "r" );
-	if( ! fd ) {
-		/* No configuration file found! */
-		Config_Error( LOG_ALERT, "Can't read configuration \"%s\": %s",
-					NGIRCd_ConfFile, strerror( errno ));
-		if (!IsStarting)
-			return false;
-		Config_Error( LOG_ALERT, "%s exiting due to fatal errors!", PACKAGE_NAME );
-		exit( 1 );
+	fd = fopen(ptr, "r");
+	if (!fd) {
+		if (NGIRCd_ConfFile[0]) {
+			Config_Error(LOG_ALERT,
+				     "Can't read specified configuration file \"%s\": %s",
+				     ptr, strerror(errno));
+			if (IsStarting) {
+				Config_Error(LOG_ALERT,
+					     "%s exiting due to fatal errors!",
+					     PACKAGE_NAME);
+				exit(1);
+			}
+		}
+		Config_Error(LOG_WARNING,
+			     "Can't read default configuration file \"%s\": %s - Ignored.",
+			     ptr, strerror(errno));
 	}

 	opers_free();
 	Set_Defaults(IsStarting);

-	if (TestOnly)
+	if (TestOnly && fd)
 		Config_Error(LOG_INFO,
-			     "Reading configuration from \"%s\" ...",
-			     NGIRCd_ConfFile );
+			     "Reading configuration from \"%s\" ...", ptr);

 	/* Clean up server configuration structure: mark all already
 	 * configured servers as "once" so that they are deleted
@ -938,16 +978,13 @@ Read_Config(bool TestOnly, bool IsStarting)

 					if( Conf_Server[i].conn_id == Conf_Server[n].conn_id ) {
 						Init_Server_Struct( &Conf_Server[n] );
-#ifdef DEBUG
-						Log(LOG_DEBUG,"Deleted unused duplicate server %d (kept %d).",
-												n, i );
-#endif
+						LogDebug("Deleted unused duplicate server %d (kept %d).", n, i);
 					}
 				}
 			} else {
 				/* Mark server as "once" */
 				Conf_Server[i].flags |= CONF_SFLAG_ONCE;
-				Log( LOG_DEBUG, "Marked server %d as \"once\"", i );
+				LogDebug("Marked server %d as \"once\"", i);
 			}
 		}
 	}
@ -959,16 +996,23 @@ Read_Config(bool TestOnly, bool IsStarting)
 	ConfSSL_Init();
 #endif

-	Read_Config_File(NGIRCd_ConfFile, fd);
-	fclose(fd);
+	if (fd) {
+		Read_Config_File(ptr, fd);
+		fclose(fd);
+	}

 	if (Conf_IncludeDir[0]) {
+		/* Include directory was set in the main configuration file. So
+		 * use it and show errors. */
 		dh = opendir(Conf_IncludeDir);
 		if (!dh)
 			Config_Error(LOG_ALERT,
 				     "Can't open include directory \"%s\": %s",
 				     Conf_IncludeDir, strerror(errno));
-	} else {
+	} else if (!NGIRCd_ConfFile[0]) {
+		/* No include dir set in the configuration file used (if any)
+		 * but no config file explicitly specified either: so use the
+		 * default include path here as well! */
 		strlcpy(Conf_IncludeDir, SYSCONFDIR, sizeof(Conf_IncludeDir));
 		strlcat(Conf_IncludeDir, CONFIG_DIR, sizeof(Conf_IncludeDir));
 		dh = opendir(Conf_IncludeDir);
@ -1286,121 +1330,11 @@ WarnPAM(const char UNUSED *File, int UNUSED Line)
 #endif
 }

-/**
- * Handle legacy "NoXXX" options in [GLOBAL] section.
- *
- * TODO: This function and support for "NoXXX" could be removed starting
- * with ngIRCd release 19 (one release after marking it "deprecated").
- *
- * @param Var	Variable name.
- * @param Arg	Argument string.
- * @returns	true if a NoXXX option has been processed; false otherwise.
- */
-static bool
-CheckLegacyNoOption(const char *Var, const char *Arg)
-{
-	if(strcasecmp(Var, "NoDNS") == 0) {
-		Conf_DNS = !Check_ArgIsTrue( Arg );
-		return true;
-	}
-	if (strcasecmp(Var, "NoIdent") == 0) {
-		Conf_Ident = !Check_ArgIsTrue(Arg);
-		return true;
-	}
-	if(strcasecmp(Var, "NoPAM") == 0) {
-		Conf_PAM = !Check_ArgIsTrue(Arg);
-		return true;
-	}
-	return false;
-}
-
-/**
- * Handle deprecated legacy options in [GLOBAL] section.
- *
- * TODO: This function and support for these options in the [Global] section
- * could be removed starting with ngIRCd release 19 (one release after
- * marking it "deprecated").
- *
- * @param Var	Variable name.
- * @param Arg	Argument string.
- * @returns	true if a legacy option has been processed; false otherwise.
- */
-static const char*
-CheckLegacyGlobalOption(const char *File, int Line, char *Var, char *Arg)
-{
-	if (strcasecmp(Var, "AllowRemoteOper") == 0
-	    || strcasecmp(Var, "ChrootDir") == 0
-	    || strcasecmp(Var, "ConnectIPv4") == 0
-	    || strcasecmp(Var, "ConnectIPv6") == 0
-	    || strcasecmp(Var, "OperCanUseMode") == 0
-	    || strcasecmp(Var, "OperChanPAutoOp") == 0
-	    || strcasecmp(Var, "OperServerMode") == 0
-	    || strcasecmp(Var, "PredefChannelsOnly") == 0
-	    || strcasecmp(Var, "SyslogFacility") == 0
-	    || strcasecmp(Var, "WebircPassword") == 0) {
-		Handle_OPTIONS(File, Line, Var, Arg);
-		return "[Options]";
-	}
-	if (strcasecmp(Var, "ConnectRetry") == 0
-	    || strcasecmp(Var, "IdleTimeout") == 0
-	    || strcasecmp(Var, "MaxConnections") == 0
-	    || strcasecmp(Var, "MaxConnectionsIP") == 0
-	    || strcasecmp(Var, "MaxJoins") == 0
-	    || strcasecmp(Var, "MaxNickLength") == 0
-	    || strcasecmp(Var, "PingTimeout") == 0
-	    || strcasecmp(Var, "PongTimeout") == 0) {
-		Handle_LIMITS(File, Line, Var, Arg);
-		return "[Limits]";
-	}
-#ifdef SSL_SUPPORT
-	if (strcasecmp(Var, "SSLCertFile") == 0
-	    || strcasecmp(Var, "SSLDHFile") == 0
-	    || strcasecmp(Var, "SSLKeyFile") == 0
-	    || strcasecmp(Var, "SSLKeyFilePassword") == 0
-	    || strcasecmp(Var, "SSLPorts") == 0) {
-		Handle_SSL(File, Line, Var + 3, Arg);
-		return "[SSL]";
-	}
-#endif
-
-	return NULL;
-}
-
-/**
- * Strip "no" prefix of a string.
- *
- * TODO: This function and support for "NoXXX" should be removed starting
- * with ngIRCd release 19! (One release after marking it "deprecated").
- *
- * @param str	Pointer to input string starting with "no".
- * @returns	New pointer to string without "no" prefix.
- */
-static const char *
-NoNo(const char *str)
-{
-	assert(strncasecmp("no", str, 2) == 0 && str[2]);
-	return str + 2;
-}
-
-/**
- * Invert "boolean" string.
- *
- * TODO: This function and support for "NoXXX" should be removed starting
- * with ngIRCd release 19! (One release after marking it "deprecated").
- *
- * @param arg	"Boolean" input string.
- * @returns	Pointer to inverted "boolean string".
- */
-static const char *
-InvertArg(const char *arg)
-{
-	return yesno_to_str(!Check_ArgIsTrue(arg));
-}

 /**
 * Handle variable in [Global] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -1410,7 +1344,6 @@ Handle_GLOBAL(const char *File, int Line, char *Var, char *Arg )
 	struct passwd *pwd;
 	struct group *grp;
 	size_t len;
-	const char *section;
 	char *ptr;

 	assert(File != NULL);
@ -1550,43 +1483,13 @@ Handle_GLOBAL(const char *File, int Line, char *Var, char *Arg )
 		return;
 	}

-	if (CheckLegacyNoOption(Var, Arg)) {
-		/* TODO: This function and support for "NoXXX" could be
-		 * be removed starting with ngIRCd release 19 (one release
-		 * after marking it "deprecated"). */
-		Config_Error(LOG_WARNING,
-			     "%s, line %d (section \"Global\"): \"No\"-Prefix is deprecated, use \"%s = %s\" in [Options] section!",
-			     File, Line, NoNo(Var), InvertArg(Arg));
-		if (strcasecmp(Var, "NoIdent") == 0)
-			WarnIdent(File, Line);
-		else if (strcasecmp(Var, "NoPam") == 0)
-			WarnPAM(File, Line);
-		return;
-	}
-	if ((section = CheckLegacyGlobalOption(File, Line, Var, Arg))) {
-		/** TODO: This function and support for these options in the
-		 * [Global] section could be removed starting with ngIRCd
-		 * release 19 (one release after marking it "deprecated"). */
-		if (strncasecmp(Var, "SSL", 3) == 0) {
-			Config_Error(LOG_WARNING,
-				     "%s, line %d (section \"Global\"): \"%s\" is deprecated here, move it to %s and rename to \"%s\"!",
-				     File, Line, Var, section,
-				     Var + 3);
-		} else {
-			Config_Error(LOG_WARNING,
-				     "%s, line %d (section \"Global\"): \"%s\" is deprecated here, move it to %s!",
-				     File, Line, Var, section);
-		}
-		return;
-	}
-
 	Config_Error_Section(File, Line, Var, "Global");
 }

 /**
 * Handle variable in [Limits] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -1642,6 +1545,12 @@ Handle_LIMITS(const char *File, int Line, char *Var, char *Arg)
 			Config_Error_NaN(File, Line, Var);
 		return;
 	}
+	if (strcasecmp(Var, "MaxPenaltyTime") == 0) {
+		Conf_MaxPenaltyTime = atol(Arg);
+		if (Conf_MaxPenaltyTime < -1)
+			Conf_MaxPenaltyTime = -1;	/* "unlimited" */
+		return;
+	}
 	if (strcasecmp(Var, "PingTimeout") == 0) {
 		Conf_PingTimeout = atoi(Arg);
 		if (Conf_PingTimeout < 5) {
@ -1669,7 +1578,7 @@ Handle_LIMITS(const char *File, int Line, char *Var, char *Arg)
 /**
 * Handle variable in [Options] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -1798,18 +1707,6 @@ Handle_OPTIONS(const char *File, int Line, char *Var, char *Arg)
 		Conf_MorePrivacy = Check_ArgIsTrue(Arg);
 		return;
 	}
-	if (strcasecmp(Var, "NoticeAuth") == 0) {
-		/*
-		 * TODO: This section and support for "NoticeAuth" variable
-		 * could be removed starting with ngIRCd release 24 (one
-		 * release after marking it "deprecated") ...
-		 */
-		Config_Error(LOG_WARNING,
-			     "%s, line %d (section \"Options\"): \"%s\" is deprecated, please use \"NoticeBeforeRegistration\"!",
-			     File, Line, Var);
-		Conf_NoticeBeforeRegistration = Check_ArgIsTrue(Arg);
-		return;
-	}
 	if (strcasecmp(Var, "NoticeBeforeRegistration") == 0) {
 		Conf_NoticeBeforeRegistration = Check_ArgIsTrue(Arg);
 		return;
@ -1841,22 +1738,6 @@ Handle_OPTIONS(const char *File, int Line, char *Var, char *Arg)
 			Config_Error_TooLong(File, Line, Var);
 		return;
 	}
-	if (strcasecmp(Var, "PredefChannelsOnly") == 0) {
-		/*
-		 * TODO: This section and support for "PredefChannelsOnly"
-		 * could be removed starting with ngIRCd release 22 (one
-		 * release after marking it "deprecated") ...
-		 */
-		Config_Error(LOG_WARNING,
-			     "%s, line %d (section \"Options\"): \"%s\" is deprecated, please use \"AllowedChannelTypes\"!",
-			     File, Line, Var);
-		if (Check_ArgIsTrue(Arg))
-			Conf_AllowedChannelTypes[0] = '\0';
-		else
-			strlcpy(Conf_AllowedChannelTypes, CHANTYPES,
-				sizeof(Conf_AllowedChannelTypes));
-		return;
-	}
 #ifndef STRICT_RFC
 	if (strcasecmp(Var, "RequireAuthPing") == 0) {
 		Conf_AuthPing = Check_ArgIsTrue(Arg);
@ -1889,7 +1770,7 @@ Handle_OPTIONS(const char *File, int Line, char *Var, char *Arg)
 /**
 * Handle variable in [SSL] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -1933,6 +1814,16 @@ Handle_SSL(const char *File, int Line, char *Var, char *Arg)
 		Conf_SSLOptions.CipherList = strdup_warn(Arg);
 		return;
 	}
+	if (strcasecmp(Var, "CAFile") == 0) {
+		assert(Conf_SSLOptions.CAFile == NULL);
+		Conf_SSLOptions.CAFile = strdup_warn(Arg);
+		return;
+	}
+	if (strcasecmp(Var, "CRLFile") == 0) {
+		assert(Conf_SSLOptions.CRLFile == NULL);
+		Conf_SSLOptions.CRLFile = strdup_warn(Arg);
+		return;
+	}

 	Config_Error_Section(File, Line, Var, "SSL");
 }
@ -1942,7 +1833,7 @@ Handle_SSL(const char *File, int Line, char *Var, char *Arg)
 /**
 * Handle variable in [Operator] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -1989,7 +1880,7 @@ Handle_OPERATOR(const char *File, int Line, char *Var, char *Arg )
 /**
 * Handle variable in [Server] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -2063,7 +1954,11 @@ Handle_SERVER(const char *File, int Line, char *Var, char *Arg )
 	if( strcasecmp( Var, "SSLConnect" ) == 0 ) {
 		New_Server.SSLConnect = Check_ArgIsTrue(Arg);
 		return;
-        }
+	}
+	if (strcasecmp(Var, "SSLVerify") == 0) {
+		New_Server.SSLVerify = Check_ArgIsTrue(Arg);
+		return;
+	}
 #endif
 	if( strcasecmp( Var, "Group" ) == 0 ) {
 		/* Server group */
@ -2119,7 +2014,7 @@ Handle_Channelname(struct Conf_Channel *new_chan, const char *name)
 /**
 * Handle variable in [Channel] configuration section.
 *
- * @param Line	Line numer in configuration file.
+ * @param Line	Line number in configuration file.
 * @param Var	Variable name.
 * @param Arg	Variable argument.
 */
@ -2146,8 +2041,12 @@ Handle_CHANNEL(const char *File, int Line, char *Var, char *Arg)
 	}
 	if (strcasecmp(Var, "Modes") == 0) {
 		/* Initial modes */
-		len = strlcpy(chan->modes, Arg, sizeof(chan->modes));
-		if (len >= sizeof(chan->modes))
+		if(chan->modes_num >= sizeof(chan->modes)) {
+			Config_Error(LOG_ERR, "Too many Modes, option ignored.");
+			return;
+		}
+		chan->modes[chan->modes_num++] = strndup(Arg, COMMAND_LEN);
+		if(strlen(Arg) >= COMMAND_LEN)
 			Config_Error_TooLong(File, Line, Var);
 		return;
 	}
@ -2158,11 +2057,19 @@ Handle_CHANNEL(const char *File, int Line, char *Var, char *Arg)
 			Config_Error_TooLong(File, Line, Var);
 		return;
 	}
+	if( strcasecmp( Var, "Autojoin" ) == 0 ) {
+		/* Check autojoin */
+		chan->autojoin = Check_ArgIsTrue(Arg);
+		return;
+	}
 	if( strcasecmp( Var, "Key" ) == 0 ) {
 		/* Initial Channel Key (mode k) */
 		len = strlcpy(chan->key, Arg, sizeof(chan->key));
 		if (len >= sizeof(chan->key))
 			Config_Error_TooLong(File, Line, Var);
+		Config_Error(LOG_WARNING,
+			     "%s, line %d (section \"Channel\"): \"%s\" is deprecated here, use \"Modes = +k <key>\"!",
+			     File, Line, Var);
 		return;
 	}
 	if( strcasecmp( Var, "MaxUsers" ) == 0 ) {
@ -2170,6 +2077,9 @@ Handle_CHANNEL(const char *File, int Line, char *Var, char *Arg)
 		chan->maxusers = (unsigned long) atol(Arg);
 		if (!chan->maxusers && strcmp(Arg, "0"))
 			Config_Error_NaN(File, Line, Var);
+		Config_Error(LOG_WARNING,
+			     "%s, line %d (section \"Channel\"): \"%s\" is deprecated here, use \"Modes = +l <limit>\"!",
+			     File, Line, Var);
 		return;
 	}
 	if (strcasecmp(Var, "KeyFile") == 0) {
@ -2198,11 +2108,14 @@ Validate_Config(bool Configtest, bool Rehash)
 {
 	/* Validate configuration settings. */

-#ifdef DEBUG
 	int i, servers, servers_once;
-#endif
+	struct hostent *h;
 	bool config_valid = true;
 	char *ptr;
+#ifdef HAVE_SETRLIMIT
+	struct rlimit rlim;
+	long fd_lim_old;
+#endif

 	/* Emit a warning when the config file is not a full path name */
 	if (NGIRCd_ConfFile[0] && NGIRCd_ConfFile[0] != '/') {
@ -2211,6 +2124,28 @@ Validate_Config(bool Configtest, bool Rehash)
 			NGIRCd_ConfFile);
 	}

+	if (!Conf_ServerName[0]) {
+		/* No server name configured, try to get a sane name from the
+		 * host name. Note: the IRC server name MUST contain
+		 * at least one dot, so the "node name" is not sufficient! */
+		gethostname(Conf_ServerName, sizeof(Conf_ServerName));
+		if (Conf_DNS) {
+			/* Try to get a proper host name ... */
+			h = gethostbyname(Conf_ServerName);
+			if (h)
+				strlcpy(Conf_ServerName, h->h_name,
+					sizeof(Conf_ServerName));
+		}
+		if (!strchr(Conf_ServerName, '.')) {
+			/* (Still) No dot in the name! */
+			strlcat(Conf_ServerName, ".host",
+				sizeof(Conf_ServerName));
+		}
+		Config_Error(LOG_WARNING,
+			     "No server name configured, using host name \"%s\".",
+			     Conf_ServerName);
+	}
+
 	/* Validate configured server name, see RFC 2812 section 2.3.1 */
 	ptr = Conf_ServerName;
 	do {
@ -2225,12 +2160,10 @@ Validate_Config(bool Configtest, bool Rehash)
 		break;
 	} while (*(++ptr));

-	if (!Conf_ServerName[0]) {
-		/* No server name configured! */
+	if (!Conf_ServerName[0] || !strchr(Conf_ServerName, '.')) {
 		config_valid = false;
 		Config_Error(LOG_ALERT,
-			     "No (valid) server name configured in \"%s\" (section 'Global': 'Name')!",
-			     NGIRCd_ConfFile);
+			     "No (valid) server name configured (section 'Global': 'Name')!");
 		if (!Configtest && !Rehash) {
 			Config_Error(LOG_ALERT,
 				     "%s exiting due to fatal errors!",
@ -2239,27 +2172,12 @@ Validate_Config(bool Configtest, bool Rehash)
 		}
 	}

-	if (Conf_ServerName[0] && !strchr(Conf_ServerName, '.')) {
-		/* No dot in server name! */
-		config_valid = false;
-		Config_Error(LOG_ALERT,
-			     "Invalid server name configured in \"%s\" (section 'Global': 'Name'): Dot missing!",
-			     NGIRCd_ConfFile);
-		if (!Configtest) {
-			Config_Error(LOG_ALERT,
-				     "%s exiting due to fatal errors!",
-				     PACKAGE_NAME);
-			exit(1);
-		}
-	}
-
 #ifdef STRICT_RFC
 	if (!Conf_ServerAdminMail[0]) {
 		/* No administrative contact configured! */
 		config_valid = false;
 		Config_Error(LOG_ALERT,
-			     "No administrator email address configured in \"%s\" ('AdminEMail')!",
-			     NGIRCd_ConfFile);
+			     "No administrator email address configured ('AdminEMail')!");
 		if (!Configtest) {
 			Config_Error(LOG_ALERT,
 				     "%s exiting due to fatal errors!",
@ -2282,7 +2200,53 @@ Validate_Config(bool Configtest, bool Rehash)
 			     "This server uses PAM, \"Password\" in [Global] section will be ignored!");
 #endif

-#ifdef DEBUG
+	if (Conf_MaxPenaltyTime != -1)
+		Config_Error(LOG_WARNING,
+			     "Maximum penalty increase ('MaxPenaltyTime') is set to %ld, this is not recommended!",
+			     Conf_MaxPenaltyTime);
+
+#ifdef HAVE_SETRLIMIT
+	if(getrlimit(RLIMIT_NOFILE, &rlim) == 0) {
+		LogDebug("Current file descriptor limit is %ld, maximum %ld. \"MaxConnections\" is %ld.",
+			 (long)rlim.rlim_cur, (long)rlim.rlim_max,
+			 Conf_MaxConnections);
+		fd_lim_old = rlim.rlim_cur;
+		/* Don't request "infinite" file descriptors, use a limit! */
+		if (rlim.rlim_max != RLIM_INFINITY && rlim.rlim_max < MAX_FD_LIMIT)
+			rlim.rlim_cur = rlim.rlim_max;
+		else
+			rlim.rlim_cur = MAX_FD_LIMIT;
+		if ((long)rlim.rlim_cur != fd_lim_old) {
+			/* Try to adjust the current file descriptor limit: */
+			LogDebug("Trying to upgrade \"soft\" file descriptor limit: %ld -> %ld ...",
+				 fd_lim_old, (long)rlim.rlim_cur);
+			if(setrlimit(RLIMIT_NOFILE, &rlim) != 0)
+				Config_Error(LOG_ERR, "Failed to adjust file descriptor limit from %ld to %ld: %s",
+					     fd_lim_old, (long)rlim.rlim_cur,
+					     strerror(errno));
+		}
+		/* Check the (updated?) file descriptor limit: */
+		getrlimit(RLIMIT_NOFILE, &rlim);
+		if (rlim.rlim_cur != RLIM_INFINITY
+		    && (long)rlim.rlim_cur <= (long)Conf_MaxConnections) {
+			Config_Error(LOG_WARNING,
+				     "Current file descriptor limit (%ld) is not higher than configured \"MaxConnections\" (%ld)!",
+				     (long)rlim.rlim_cur, Conf_MaxConnections);
+		} else if (!Configtest) {
+			if (Conf_MaxConnections > 0)
+				Log(LOG_INFO,
+				    "File descriptor limit is %ld; \"MaxConnections\" is set to %ld.",
+				    (long)rlim.rlim_cur, Conf_MaxConnections);
+			else
+				Log(LOG_INFO,
+				    "File descriptor limit is %ld; \"MaxConnections\" is not set.",
+				    (long)rlim.rlim_cur);
+		}
+	} else
+		Config_Error(LOG_ERR, "Failed to get file descriptor limit: %s",
+			     strerror(errno));
+#endif
+
 	servers = servers_once = 0;
 	for (i = 0; i < MAX_SERVERS; i++) {
 		if (Conf_Server[i].name[0]) {
@ -2291,12 +2255,10 @@ Validate_Config(bool Configtest, bool Rehash)
 				servers_once++;
 		}
 	}
-	Log(LOG_DEBUG,
-	    "Configuration: Operators=%ld, Servers=%d[%d], Channels=%ld",
+	LogDebug("Configuration: Operators=%ld, Servers=%d[%d], Channels=%ld",
 	    array_length(&Conf_Opers, sizeof(struct Conf_Oper)),
 	    servers, servers_once,
 	    array_length(&Conf_Channels, sizeof(struct Conf_Channel)));
-#endif

 	return config_valid;
 }
@ -2383,7 +2345,6 @@ va_dcl
 		Log(Level, "%s", msg);
 }

-#ifdef DEBUG

 /**
 * Dump internal state of the "configuration module".
@ -2393,11 +2354,11 @@ Conf_DebugDump(void)
 {
 	int i;

-	Log(LOG_DEBUG, "Configured servers:");
+	LogDebug("Configured servers:");
 	for (i = 0; i < MAX_SERVERS; i++) {
 		if (! Conf_Server[i].name[0])
 			continue;
-		Log(LOG_DEBUG,
+		LogDebug(
 		    " - %s: %s:%d, last=%ld, group=%d, flags=%d, conn=%d",
 		    Conf_Server[i].name, Conf_Server[i].host,
 		    Conf_Server[i].port, Conf_Server[i].lasttry,
@ -2406,7 +2367,6 @@ Conf_DebugDump(void)
 	}
 }

-#endif

 /**
 * Initialize server configuration structure to default values.
@ -2428,6 +2388,11 @@ Init_Server_Struct( CONF_SERVER *Server )
 	Proc_InitStruct(&Server->res_stat);
 	Server->conn_id = NONE;
 	memset(&Server->bind_addr, 0, sizeof(Server->bind_addr));
+
+#ifdef SSL_SUPPORT
+	/* Verify SSL connections by default! */
+	Server->SSLVerify = true;
+#endif
 }

 /* -eof- */
--- a/src/ngircd/conf.h
+++ b/src/ngircd/conf.h
@ -29,7 +29,7 @@

 /**
 * Configured IRC operator.
- * Please note the the name of the IRC operaor and his nick have nothing to
+ * Please note that the name of the IRC operator and his nick have nothing to
 * do with each other! The IRC operator is only identified by the name and
 * password configured in this structure.
 */
@ -61,6 +61,7 @@ typedef struct _Conf_Server
 	ng_ipaddr_t dst_addr[2];	/**< List of addresses to connect to */
 #ifdef SSL_SUPPORT
 	bool SSLConnect;		/**< Establish connection using SSL? */
+	bool SSLVerify;			/**< Verify server certificate using CA? */
 #endif
 	char svs_mask[CLIENT_ID_LEN];	/**< Mask of nicknames that should be
 					     treated and counted as services */
@ -76,6 +77,8 @@ struct SSLOptions {
 	array ListenPorts;		/**< Array of listening SSL ports */
 	array KeyFilePassword;		/**< Key file password */
 	char *CipherList;		/**< Set SSL cipher list to use */
+	char *CAFile;			/**< Trusted CA certificates file */
+	char *CRLFile;			/**< Certificate revocation file */
 };
 #endif

@ -83,11 +86,13 @@ struct SSLOptions {
 /** Pre-defined channels */
 struct Conf_Channel {
 	char name[CHANNEL_NAME_LEN];	/**< Name of the channel */
-	char modes[CHANNEL_MODE_LEN];	/**< Initial channel modes */
+	char *modes[512];		/**< Initial channel modes to evaluate */
 	char key[CLIENT_PASS_LEN];      /**< Channel key ("password", mode "k" ) */
 	char topic[COMMAND_LEN];	/**< Initial topic */
 	char keyfile[512];		/**< Path and name of channel key file */
+	bool autojoin;			/**< 1 to make all users autojoin this channel */
 	unsigned long maxusers;		/**< User limit for this channel, mode "l" */
+	unsigned int modes_num;		/**< Number of channel modes to evaluate */
 };


@ -221,7 +226,7 @@ GLOBAL bool Conf_ConnectIPv6;
 /** Try to connect to remote systems using the IPv4 protocol (true) */
 GLOBAL bool Conf_ConnectIPv4;

-/** Idle timout (seconds), after which the daemon should exit */
+/** Idle timeout (seconds), after which the daemon should exit */
 GLOBAL int Conf_IdleTimeout;

 /** Maximum number of simultaneous connections to this server */
@ -239,6 +244,9 @@ GLOBAL unsigned int Conf_MaxNickLength;
 /** Maximum number of channels returned to /list */
 GLOBAL int Conf_MaxListSize;

+/** Maximum seconds to add per "penalty". -1 = unlimited. */
+GLOBAL time_t Conf_MaxPenaltyTime;
+
 #ifndef STRICT_RFC

 /** Require "AUTH PING-PONG" on login */
@ -276,9 +284,7 @@ GLOBAL bool Conf_SSLInUse PARAMS((void));
 /* Password required by WEBIRC command */
 GLOBAL char Conf_WebircPwd[CLIENT_PASS_LEN];

-#ifdef DEBUG
 GLOBAL void Conf_DebugDump PARAMS((void));
-#endif


 #endif
--- a/src/ngircd/conn-func.c
+++ b/src/ngircd/conn-func.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2018 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -21,11 +21,9 @@
 #include <assert.h>
 #include <time.h>

-#ifdef DEBUG
-# include "log.h"
-#endif
+#include "log.h"
 #include "conn.h"
-
+#include "conf.h"
 #include "conn-func.h"

 /**
@ -44,13 +42,17 @@ Conn_UpdateIdle(CONN_ID Idx)
 /**
 * Update "ping timestamp", the time of the last outgoing PING request.
 *
+ * the value 0 signals a newly connected client including servers during the
+ * initial "server burst"; and 1 means that no PONG is pending for a PING.
+ *
 * @param Idx Connection index.
+ * @param TimeStamp 0, 1, or time stamp.
 */
 GLOBAL void
-Conn_UpdatePing(CONN_ID Idx)
+Conn_UpdatePing(CONN_ID Idx, time_t TimeStamp)
 {
 	assert(Idx > NONE);
-	My_Connections[Idx].lastping = time(NULL);
+	My_Connections[Idx].lastping = TimeStamp;
 }

 /*
@ -66,7 +68,7 @@ Conn_GetSignon(CONN_ID Idx)
 GLOBAL time_t
 Conn_GetIdle( CONN_ID Idx )
 {
-	/* Return Idle-Timer of a connetion */
+	/* Return Idle-Timer of a connection */
 	assert( Idx > NONE );
 	return time( NULL ) - My_Connections[Idx].lastprivmsg;
 } /* Conn_GetIdle */
@ -85,7 +87,7 @@ Conn_LastPing( CONN_ID Idx )
 * is read. This function only increases the penalty, it is not possible to
 * decrease the penalty time.
 *
- * @param Idex Connection index.
+ * @param Idx Connection index.
 * @param Seconds Seconds to add.
 * @see Conn_ResetPenalty
 */
@ -97,19 +99,24 @@ Conn_SetPenalty(CONN_ID Idx, time_t Seconds)
 	assert(Idx > NONE);
 	assert(Seconds >= 0);

+	/* Limit new penalty to maximum configured, when less than 10 seconds. *
+	   The latter is used to limit brute force attacks, therefore we don't *
+	   want to limit that! */
+	if (Conf_MaxPenaltyTime >= 0
+	    && Seconds > Conf_MaxPenaltyTime
+	    && Seconds < 10)
+		Seconds = Conf_MaxPenaltyTime;
+
 	t = time(NULL);
 	if (My_Connections[Idx].delaytime < t)
 		My_Connections[Idx].delaytime = t;

 	My_Connections[Idx].delaytime += Seconds;

-#ifdef DEBUG
-	Log(LOG_DEBUG,
-	    "Add penalty time on connection %d: %ld second%s, total %ld second%s.",
+	LogDebug("Add penalty time on connection %d: %ld second%s, total %ld second%s.",
 	    Idx, (long)Seconds, Seconds != 1 ? "s" : "",
 	    My_Connections[Idx].delaytime - t,
 	    My_Connections[Idx].delaytime - t != 1 ? "s" : "");
-#endif
 } /* Conn_SetPenalty */

 GLOBAL void
--- a/src/ngircd/conn-func.h
+++ b/src/ngircd/conn-func.h
@ -30,7 +30,7 @@


 GLOBAL void Conn_UpdateIdle PARAMS((CONN_ID Idx));
-GLOBAL void Conn_UpdatePing PARAMS((CONN_ID Idx));
+GLOBAL void Conn_UpdatePing PARAMS((CONN_ID Idx, time_t TimeStamp));

 GLOBAL time_t Conn_GetSignon PARAMS((CONN_ID Idx));
 GLOBAL time_t Conn_GetIdle PARAMS(( CONN_ID Idx ));
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@ -42,11 +42,16 @@ extern struct SSLOptions Conf_SSLOptions;
 #ifdef HAVE_LIBSSL
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/dh.h>
+#include <openssl/x509v3.h>
+
+#define MAX_CERT_CHAIN_LENGTH	10	/* XXX: do not hardcode */

 static SSL_CTX * ssl_ctx;
 static DH *dh_params;

 static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
+static bool ConnSSL_SetVerifyProperties_openssl PARAMS((SSL_CTX * c));
 #endif

 #ifdef HAVE_LIBGNUTLS
@ -61,10 +66,19 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));

 #define MAX_HASH_SIZE	64	/* from gnutls-int.h */

-static gnutls_certificate_credentials_t x509_cred;
+typedef struct {
+	int refcnt;
+	gnutls_certificate_credentials_t x509_cred;
+	gnutls_dh_params_t dh_params;
+} x509_cred_slot;
+
+static array x509_creds = INIT_ARRAY;
+static size_t x509_cred_idx;
+
 static gnutls_dh_params_t dh_params;
-static gnutls_priority_t priorities_cache;
+static gnutls_priority_t priorities_cache = NULL;
 static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void ));
+static bool ConnSSL_SetVerifyProperties_gnutls PARAMS((void));
 #endif

 #define SHA256_STRING_LEN	(32 * 2 + 1)
@ -122,9 +136,37 @@ out:
 /**
 * Log OpenSSL error message.
 *
+ * @param level The log level
 * @param msg The error message.
 * @param info Additional information text or NULL.
 */
+static void
+LogOpenSSL_CertInfo(int level, X509 * cert, const char *msg)
+{
+	BIO *mem;
+	char *memptr;
+	long len;
+
+	assert(cert);
+	assert(msg);
+
+	if (!cert)
+		return;
+	mem = BIO_new(BIO_s_mem());
+	if (!mem)
+		return;
+	X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0,
+			   XN_FLAG_ONELINE);
+	X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_ONELINE);
+	if (BIO_write(mem, "", 1) == 1) {
+		len = BIO_get_mem_data(mem, &memptr);
+		if (memptr && len > 0)
+			Log(level, "%s: \"%s\".", msg, memptr);
+	}
+	(void)BIO_set_close(mem, BIO_CLOSE);
+	BIO_free(mem);
+}
+
 static void
 LogOpenSSLError(const char *error, const char *info)
 {
@ -167,8 +209,24 @@ pem_passwd_cb(char *buf, int size, int rwflag, void *password)


 static int
-Verify_openssl(UNUSED int preverify_ok, UNUSED X509_STORE_CTX *x509_ctx)
+Verify_openssl(int preverify_ok, X509_STORE_CTX * ctx)
 {
+#ifdef DEBUG
+	if (!preverify_ok) {
+		int err = X509_STORE_CTX_get_error(ctx);
+		LogDebug("Certificate validation failed: %s",
+			 X509_verify_cert_error_string(err));
+	}
+#else
+	(void)preverify_ok;
+	(void)ctx;
+#endif
+
+	/* Always(!) return success as we have to deal with invalid
+	 * (self-signed, expired, ...) client certificates and with invalid
+	 * server certificates when "SSLVerify" is disabled, which we don't
+	 * know at this stage. Therefore we postpone this check, it will be
+	 * (and has to be!) handled in cb_connserver_login_ssl(). */
 	return 1;
 }
 #endif
@ -265,6 +323,21 @@ void ConnSSL_Free(CONNECTION *c)
 		gnutls_bye(sess, GNUTLS_SHUT_RDWR);
 		gnutls_deinit(sess);
 	}
+	x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), c->ssl_state.x509_cred_idx);
+	assert(slot != NULL);
+	assert(slot->refcnt > 0);
+	assert(slot->x509_cred != NULL);
+	slot->refcnt--;
+	if ((c->ssl_state.x509_cred_idx != x509_cred_idx) && (slot->refcnt <= 0)) {
+		LogDebug("Discarding X509 certificate credentials from slot %zd.",
+			 c->ssl_state.x509_cred_idx);
+		gnutls_certificate_free_keys(slot->x509_cred);
+		gnutls_certificate_free_credentials(slot->x509_cred);
+		slot->x509_cred = NULL;
+		gnutls_dh_params_deinit(slot->dh_params);
+		slot->dh_params = NULL;
+		slot->refcnt = 0;
+	}
 #endif
 	assert(Conn_OPTION_ISSET(c, CONN_SSL));
 	/* can't just set bitmask to 0 -- there are other, non-ssl related flags, e.g. CONN_ZIP. */
@ -310,8 +383,18 @@ ConnSSL_InitLibrary( void )
 		return false;
 	}

-	if (!ConnSSL_LoadServerKey_openssl(newctx))
+	if (!ConnSSL_LoadServerKey_openssl(newctx)) {
+		/* Failed to read new key but an old ssl context
+		 * already exists -> reuse old context */
+		if (ssl_ctx) {
+		        SSL_CTX_free(newctx);
+	                Log(LOG_WARNING,
+			"Re-Initializing of SSL failed, using old keys!");
+			return true;
+		}
+		/* No preexisting old context -> error. */
 		goto out;
+	}

 	if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
 		Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
@ -320,13 +403,16 @@ ConnSSL_InitLibrary( void )
 	}

 	SSL_CTX_set_session_id_context(newctx, (unsigned char *)"ngircd", 6);
-	SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
+	if (!ConnSSL_SetVerifyProperties_openssl(newctx))
+		goto out;
+	SSL_CTX_set_options(newctx,
+			    SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 |
+			    SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+			    SSL_OP_NO_COMPRESSION);
 	SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
-	SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-			   Verify_openssl);
 	SSL_CTX_free(ssl_ctx);
 	ssl_ctx = newctx;
-	Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
+	Log(LOG_INFO, "%s initialized.", OpenSSL_version(OPENSSL_VERSION));
 	return true;
 out:
 	SSL_CTX_free(newctx);
@ -337,22 +423,21 @@ out:
 	int err;
 	static bool initialized;

-	if (initialized) {
-		/* TODO: cannot reload gnutls keys: can't simply free x509
-		 * context -- it may still be in use */
-		return false;
-	}
-
-	err = gnutls_global_init();
-	if (err) {
-		Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
-		    gnutls_strerror(err));
-		goto out;
+	if (!initialized) {
+		err = gnutls_global_init();
+		if (err) {
+			Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
+			    gnutls_strerror(err));
+			goto out;
+		}
 	}

 	if (!ConnSSL_LoadServerKey_gnutls())
 		goto out;

+	if (priorities_cache != NULL) {
+		gnutls_priority_deinit(priorities_cache);
+	}
 	if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
 				 NULL) != GNUTLS_E_SUCCESS) {
 		Log(LOG_ERR,
@ -361,6 +446,9 @@ out:
 		goto out;
 	}

+	if (!ConnSSL_SetVerifyProperties_gnutls())
+		goto out;
+
 	Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
 	initialized = true;
 	return true;
@ -372,12 +460,49 @@ out:


 #ifdef HAVE_LIBGNUTLS
+static bool
+ConnSSL_SetVerifyProperties_gnutls(void)
+{
+	int err;
+
+	if (!Conf_SSLOptions.CAFile)
+		return true;
+
+	x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+	gnutls_certificate_credentials_t x509_cred = slot->x509_cred;
+
+	err = gnutls_certificate_set_x509_trust_file(x509_cred,
+						     Conf_SSLOptions.CAFile,
+						     GNUTLS_X509_FMT_PEM);
+	if (err < 0) {
+		Log(LOG_ERR, "Failed to load x509 trust file %s: %s",
+		    Conf_SSLOptions.CAFile, gnutls_strerror(err));
+		return false;
+	}
+	if (Conf_SSLOptions.CRLFile) {
+		err =
+		    gnutls_certificate_set_x509_crl_file(x509_cred,
+							 Conf_SSLOptions.CRLFile,
+							 GNUTLS_X509_FMT_PEM);
+		if (err < 0) {
+			Log(LOG_ERR, "Failed to load x509 crl file %s: %s",
+			    Conf_SSLOptions.CRLFile, gnutls_strerror(err));
+			return false;
+		}
+	}
+	return true;
+}
+
+
 static bool
 ConnSSL_LoadServerKey_gnutls(void)
 {
 	int err;
 	const char *cert_file;

+	x509_cred_slot *slot = NULL;
+	gnutls_certificate_credentials_t x509_cred;
+
 	err = gnutls_certificate_allocate_credentials(&x509_cred);
 	if (err < 0) {
 		Log(LOG_ERR, "Failed to allocate certificate credentials: %s",
@ -385,12 +510,6 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;
 	}

-	cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
-	if (!cert_file) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
 		Log(LOG_WARNING,
 		    "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
@ -399,15 +518,61 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;

 	gnutls_certificate_set_dh_params(x509_cred, dh_params);
-	err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM);
-	if (err < 0) {
-		Log(LOG_ERR,
-		    "Failed to set certificate key file (cert %s, key %s): %s",
-		    cert_file,
-		    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
-		    gnutls_strerror(err));
-		return false;
+	gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_VERIFY_CRLS);
+
+	cert_file = Conf_SSLOptions.CertFile ?
+			Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
+	if (Conf_SSLOptions.KeyFile) {
+		err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file,
+							   Conf_SSLOptions.KeyFile,
+							   GNUTLS_X509_FMT_PEM);
+		if (err < 0) {
+			Log(LOG_ERR,
+			    "Failed to set certificate key file (cert %s, key %s): %s",
+			    cert_file,
+			    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
+			    gnutls_strerror(err));
+			return false;
+		}
 	}
+
+	/* Free currently active x509 context (if any) unless it is still in use */
+	slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+	if ((slot != NULL) && (slot->refcnt <= 0) && (slot->x509_cred != NULL)) {
+		LogDebug("Discarding X509 certificate credentials from slot %zd.",
+			 x509_cred_idx);
+		gnutls_certificate_free_keys(slot->x509_cred);
+		gnutls_certificate_free_credentials(slot->x509_cred);
+		slot->x509_cred = NULL;
+		gnutls_dh_params_deinit(slot->dh_params);
+		slot->dh_params = NULL;
+		slot->refcnt = 0;
+	}
+
+	/* Find free slot */
+	x509_cred_idx = (size_t) -1;
+	size_t i;
+	for (slot = array_start(&x509_creds), i = 0;
+	     i < array_length(&x509_creds, sizeof(x509_cred_slot));
+	     slot++, i++) {
+		if (slot->refcnt <= 0) {
+			x509_cred_idx = i;
+			break;
+		}
+	}
+	/* ... allocate new slot otherwise. */
+	if (x509_cred_idx == (size_t) -1) {
+		x509_cred_idx = array_length(&x509_creds, sizeof(x509_cred_slot));
+		slot = array_alloc(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+		if (slot == NULL) {
+			Log(LOG_ERR, "Failed to allocate new slot for certificate credentials");
+			return false;
+		}
+	}
+	LogDebug("Storing new X509 certificate credentials in slot %zd.", x509_cred_idx);
+	slot->x509_cred = x509_cred;
+	slot->refcnt = 0;
+
 	return true;
 }
 #endif
@ -420,14 +585,12 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
 	char *cert_key;

 	assert(ctx);
-	if (!Conf_SSLOptions.KeyFile) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
 	SSL_CTX_set_default_passwd_cb_userdata(ctx, &Conf_SSLOptions.KeyFilePassword);

+	if (!Conf_SSLOptions.KeyFile)
+		return true;
+
 	if (SSL_CTX_use_PrivateKey_file(ctx, Conf_SSLOptions.KeyFile, SSL_FILETYPE_PEM) != 1) {
 		array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
 		LogOpenSSLError("Failed to add private key", Conf_SSLOptions.KeyFile);
@ -458,6 +621,56 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
 }


+static bool
+ConnSSL_SetVerifyProperties_openssl(SSL_CTX * ctx)
+{
+	X509_STORE *store = NULL;
+	X509_LOOKUP *lookup;
+	bool ret = false;
+
+	if (!Conf_SSLOptions.CAFile)
+		return true;
+
+	if (SSL_CTX_load_verify_locations(ctx, Conf_SSLOptions.CAFile, NULL) !=
+	    1) {
+		LogOpenSSLError("SSL_CTX_load_verify_locations", NULL);
+		goto out;
+	}
+
+	if (Conf_SSLOptions.CRLFile) {
+		X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+		X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+		SSL_CTX_set1_param(ctx, param);
+
+		store = SSL_CTX_get_cert_store(ctx);
+		assert(store);
+		lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+		if (!lookup) {
+			LogOpenSSLError("X509_STORE_add_lookup",
+					Conf_SSLOptions.CRLFile);
+			goto out;
+		}
+
+		if (X509_load_crl_file
+		    (lookup, Conf_SSLOptions.CRLFile, X509_FILETYPE_PEM) != 1) {
+			LogOpenSSLError("X509_load_crl_file",
+					Conf_SSLOptions.CRLFile);
+			goto out;
+		}
+	}
+
+	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+			   Verify_openssl);
+	SSL_CTX_set_verify_depth(ctx, MAX_CERT_CHAIN_LENGTH);
+	ret = true;
+out:
+	if (Conf_SSLOptions.CRLFile)
+		free(Conf_SSLOptions.CRLFile);
+	Conf_SSLOptions.CRLFile = NULL;
+	return ret;
+}
+
+
 #endif
 static bool
 ConnSSL_Init_SSL(CONNECTION *c)
@ -509,8 +722,13 @@ ConnSSL_Init_SSL(CONNECTION *c)
 				 (gnutls_transport_ptr_t) (long) c->sock);
 	gnutls_certificate_server_set_request(c->ssl_state.gnutls_session,
 					      GNUTLS_CERT_REQUEST);
+
+	LogDebug("Using X509 credentials from slot %zd.", x509_cred_idx);
+	c->ssl_state.x509_cred_idx = x509_cred_idx;
+	x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+	slot->refcnt++;
 	ret = gnutls_credentials_set(c->ssl_state.gnutls_session,
-				     GNUTLS_CRD_CERTIFICATE, x509_cred);
+				     GNUTLS_CRD_CERTIFICATE, slot->x509_cred);
 	if (ret != 0) {
 		Log(LOG_ERR, "Failed to set SSL credentials: %s",
 		    gnutls_strerror(ret));
@ -524,27 +742,45 @@ ConnSSL_Init_SSL(CONNECTION *c)


 bool
-ConnSSL_PrepareConnect(CONNECTION *c, UNUSED CONF_SERVER *s)
+ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 {
 	bool ret;
 #ifdef HAVE_LIBGNUTLS
 	int err;

+	(void)s;
 	err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT);
 	if (err) {
 		Log(LOG_ERR, "Failed to initialize new SSL session: %s",
 		    gnutls_strerror(err));
 		return false;
-        }
+	}
 #endif
 	ret = ConnSSL_Init_SSL(c);
 	if (!ret)
 		return false;
 	Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
 	assert(c->ssl_state.ssl);
-	SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
+
+	X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
+	if (err != 1) {
+		Log(LOG_ERR,
+		    "Cannot set up hostname verification for '%s': %u",
+		    s->host, err);
+		return false;
+	}
+
+	if (s->SSLVerify)
+		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
+			       Verify_openssl);
+	else
+		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
 	return true;
 }

@ -601,9 +837,12 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname)
 				    "SSL error, client disconnected [in %s()]!",
 				    fname);
 				break;
-			case -1:	/* low level socket I/O error, check errno */
-				Log(LOG_ERR, "SSL error: %s [in %s()]!",
-				    strerror(real_errno), fname);
+			case -1:
+				/* Low level socket I/O error, check errno. But
+				 * we don't need to log this here, the generic
+				 * connection layer will take care of it. */
+				LogDebug("SSL error: %s [in %s()]!",
+					 strerror(real_errno), fname);
 			}
 		}
 		break;
@ -631,8 +870,10 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname)
 	default:
 		assert(code < 0);
 		if (gnutls_error_is_fatal(code)) {
-			Log(LOG_ERR, "SSL error: %s [%s].",
-			    gnutls_strerror(code), fname);
+			/* We don't need to log this here, the generic
+			 * connection layer will take care of it. */
+			LogDebug("SSL error: %s [%s].",
+				 gnutls_strerror(code), fname);
 			ConnSSL_Free(c);
 			return -1;
 		}
@ -642,18 +883,114 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname)
 }


-static void
-ConnSSL_LogCertInfo( CONNECTION *c )
+#ifdef HAVE_LIBGNUTLS
+static void *
+LogMalloc(size_t s)
 {
+	void *mem = malloc(s);
+	if (!mem)
+		Log(LOG_ERR, "Out of memory: Could not allocate %lu byte",
+		    (unsigned long)s);
+	return mem;
+}
+
+
+static void
+LogGnuTLS_CertInfo(int level, gnutls_x509_crt_t cert, const char *msg)
+{
+	char *dn, *issuer_dn;
+	size_t size = 0;
+	int err = gnutls_x509_crt_get_dn(cert, NULL, &size);
+	if (size == 0) {
+		Log(LOG_ERR, "gnutls_x509_crt_get_dn: size == 0");
+		return;
+	}
+	if (err && err != GNUTLS_E_SHORT_MEMORY_BUFFER)
+		goto err_crt_get;
+	dn = LogMalloc(size);
+	if (!dn)
+		return;
+	err = gnutls_x509_crt_get_dn(cert, dn, &size);
+	if (err)
+		goto err_crt_get;
+	gnutls_x509_crt_get_issuer_dn(cert, NULL, &size);
+	assert(size);
+	issuer_dn = LogMalloc(size);
+	if (!issuer_dn) {
+		Log(level, "%s: Distinguished Name \"%s\".", msg, dn);
+		free(dn);
+		return;
+	}
+	gnutls_x509_crt_get_issuer_dn(cert, issuer_dn, &size);
+	Log(level, "%s: Distinguished Name \"%s\", Issuer \"%s\".", msg, dn,
+	    issuer_dn);
+	free(dn);
+	free(issuer_dn);
+	return;
+
+      err_crt_get:
+	Log(LOG_ERR, "gnutls_x509_crt_get_dn: %s", gnutls_strerror(err));
+	return;
+}
+#endif
+
+
+static void
+ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
+{
+	bool cert_seen = false, cert_ok = false;
+	char msg[128];
 #ifdef HAVE_LIBSSL
+	const char *comp_alg = "no compression";
+	const void *comp;
+	X509 *peer_cert = NULL;
 	SSL *ssl = c->ssl_state.ssl;

 	assert(ssl);

-	Log(LOG_INFO, "Connection %d: initialized %s using cipher %s.",
-		c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl));
+	comp = SSL_get_current_compression(ssl);
+	if (comp)
+		comp_alg = SSL_COMP_get_name(comp);
+	Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.",
+	    c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg);
+	peer_cert = SSL_get_peer_certificate(ssl);
+	if (peer_cert) {
+		cert_seen = true;
+
+		if (connect) {
+			/* Outgoing connection. Verify the remote server! */
+			int err = SSL_get_verify_result(ssl);
+			if (err == X509_V_OK) {
+				const char *peername = SSL_get0_peername(ssl);
+				if (peername != NULL)
+					cert_ok = true;
+				LogDebug("X509_V_OK, peername = '%s'", peername);
+			} else
+				Log(LOG_WARNING, "Certificate validation failed: %s!",
+				    X509_verify_cert_error_string(err));
+
+			snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+				 cert_ok ? "" : "in");
+			LogOpenSSL_CertInfo(LOG_INFO, peer_cert, msg);
+		} else {
+			/* Incoming connection.
+			 * Accept all certificates, don't depend on their
+			 * validity: for example, we don't know the hostname
+			 * to check, because we not yet even know if this is a
+			 * server connection at all and if so, which one, so we
+			 * don't know a host name to look for. On the other
+			 * hand we want client certificates, for example for
+			 * "CertFP" authentication with services ... */
+			LogOpenSSL_CertInfo(LOG_INFO, peer_cert,
+					    "Got unchecked peer certificate");
+		}
+
+		X509_free(peer_cert);
+	}
 #endif
 #ifdef HAVE_LIBGNUTLS
+	unsigned int status;
+	gnutls_credentials_type_t cred;
 	gnutls_session_t sess = c->ssl_state.gnutls_session;
 	gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess);

@ -662,7 +999,86 @@ ConnSSL_LogCertInfo( CONNECTION *c )
 	    gnutls_protocol_get_name(gnutls_protocol_get_version(sess)),
 	    gnutls_cipher_get_name(cipher),
 	    gnutls_mac_get_name(gnutls_mac_get(sess)));
+	cred = gnutls_auth_get_type(c->ssl_state.gnutls_session);
+	if (cred == GNUTLS_CRD_CERTIFICATE) {
+		gnutls_x509_crt_t cert;
+		unsigned cert_list_size;
+		const gnutls_datum_t *cert_list =
+		    gnutls_certificate_get_peers(sess, &cert_list_size);
+
+		if (!cert_list || cert_list_size == 0)
+			goto done_cn_validation;
+
+		cert_seen = true;
+		int err = gnutls_x509_crt_init(&cert);
+		if (err < 0) {
+			Log(LOG_ERR,
+			    "Failed to initialize x509 certificate: %s",
+			    gnutls_strerror(err));
+			goto done_cn_validation;
+		}
+		err = gnutls_x509_crt_import(cert, cert_list,
+					   GNUTLS_X509_FMT_DER);
+		if (err < 0) {
+			Log(LOG_ERR, "Failed to parse the certificate: %s",
+			    gnutls_strerror(err));
+			goto done_cn_validation;
+		}
+
+		if (connect) {
+			int verify =
+			    gnutls_certificate_verify_peers2(c->
+							     ssl_state.gnutls_session,
+							     &status);
+			if (verify < 0) {
+				Log(LOG_ERR,
+				    "gnutls_certificate_verify_peers2 failed: %s",
+				    gnutls_strerror(verify));
+				goto done_cn_validation;
+			} else if (status) {
+				gnutls_datum_t out;
+
+				if (gnutls_certificate_verification_status_print
+				    (status, gnutls_certificate_type_get(sess), &out,
+				     0) == GNUTLS_E_SUCCESS) {
+					Log(LOG_ERR,
+					    "Certificate validation failed: %s",
+					    out.data);
+					gnutls_free(out.data);
+				}
+			}
+
+			err = gnutls_x509_crt_check_hostname(cert, c->host);
+			if (err == 0)
+				Log(LOG_ERR,
+				    "Failed to verify the hostname, expected \"%s\"",
+				    c->host);
+			else
+				cert_ok = verify == 0 && status == 0;
+
+			snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+				cert_ok ? "" : "in");
+			LogGnuTLS_CertInfo(LOG_INFO, cert, msg);
+		} else {
+			/* Incoming connection. Please see comments for OpenSSL! */
+			LogGnuTLS_CertInfo(LOG_INFO, cert,
+					    "Got unchecked peer certificate");
+		}
+
+		gnutls_x509_crt_deinit(cert);
+done_cn_validation:
+		;
+	}
 #endif
+	/*
+	 * can be used later to check if connection was authenticated, e.g.
+	 * if inbound connection tries to register itself as server.
+	 * Could also restrict /OPER to authenticated connections, etc.
+	 */
+	if (cert_ok)
+		Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK);
+	if (!cert_seen)
+		Log(LOG_INFO, "Peer did not present a certificate.");
 }


@ -801,7 +1217,7 @@ ConnectAccept( CONNECTION *c, bool connect)
 	(void)ConnSSL_InitCertFp(c);

 	Conn_OPTION_DEL(c, (CONN_SSL_WANT_WRITE|CONN_SSL_WANT_READ|CONN_SSL_CONNECT));
-	ConnSSL_LogCertInfo(c);
+	ConnSSL_LogCertInfo(c, connect);

 	Conn_StartLogin(CONNECTION2ID(c));
 	return 1;
--- a/src/ngircd/conn-zip.c
+++ b/src/ngircd/conn-zip.c
@ -142,7 +142,7 @@ Zip_Flush( CONN_ID Idx )
 	out->avail_out = (uInt)sizeof zipbuf;

 #if DEBUG_ZIP
-	Log(LOG_DEBUG, "out->avail_in %d, out->avail_out %d",
+	LogDebug("out->avail_in %d, out->avail_out %d",
 		out->avail_in, out->avail_out);
 #endif
 	result = deflate( out, Z_SYNC_FLUSH );
@ -165,7 +165,7 @@ Zip_Flush( CONN_ID Idx )

 	zipbuf_used = WRITEBUFFER_SLINK_LEN - out->avail_out;
 #if DEBUG_ZIP
-	Log(LOG_DEBUG, "zipbuf_used: %d", zipbuf_used);
+	LogDebug("zipbuf_used: %d", zipbuf_used);
 #endif
 	if (!array_catb(&My_Connections[Idx].wbuf,
 			(char *)zipbuf, (size_t) zipbuf_used)) {
@ -217,7 +217,7 @@ Unzip_Buffer( CONN_ID Idx )
 	in->avail_out = (uInt)sizeof unzipbuf;

 #if DEBUG_ZIP
-	Log(LOG_DEBUG, "in->avail_in %d, in->avail_out %d",
+	LogDebug("in->avail_in %d, in->avail_out %d",
 		in->avail_in, in->avail_out);
 #endif
 	result = inflate( in, Z_SYNC_FLUSH );
@ -232,7 +232,7 @@ Unzip_Buffer( CONN_ID Idx )
 	in_len = z_rdatalen - in->avail_in;
 	unzipbuf_used = READBUFFER_LEN - in->avail_out;
 #if DEBUG_ZIP
-	Log(LOG_DEBUG, "unzipbuf_used: %d - %d = %d", READBUFFER_LEN,
+	LogDebug("unzipbuf_used: %d - %d = %d", READBUFFER_LEN,
 		in->avail_out, unzipbuf_used);
 #endif
 	assert(unzipbuf_used <= READBUFFER_LEN);
--- a/src/ngircd/conn.c
+++ b/src/ngircd/conn.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -10,6 +10,7 @@
 */

 #define CONN_MODULE
+#define CONN_MODULE_GLOBAL_INIT

 #include "portab.h"

@ -65,6 +66,7 @@
 #include "ng_ipaddr.h"
 #include "parse.h"
 #include "resolve.h"
+#include "sighandlers.h"

 #define SERVER_WAIT (NONE - 1)		/** "Wait for outgoing connection" flag */

@ -478,6 +480,15 @@ Conn_InitListeners( void )

 	/* not using systemd socket activation, initialize listening sockets: */

+#ifdef SSL_SUPPORT
+	if (!Conf_SSLOptions.KeyFile &&
+	    array_length(&Conf_SSLOptions.ListenPorts, sizeof (UINT16))) {
+		Log(LOG_ERR,
+		    "Ignoring SSL-enabled listening ports: No key file set!");
+		array_free(&Conf_SSLOptions.ListenPorts);
+	}
+#endif
+
 	/* can't use Conf_ListenAddress directly, see below */
 	copy = strdup(Conf_ListenAddress);
 	if (!copy) {
@ -556,8 +567,8 @@ InitSinaddrListenAddr(ng_ipaddr_t *addr, const char *listen_addrstr, UINT16 Port
 	if (!ret) {
 		assert(listen_addrstr);
 		Log(LOG_CRIT,
-		    "Can't bind to [%s]:%u: can't convert ip address \"%s\"!",
-		    listen_addrstr, Port, listen_addrstr);
+		    "Can't listen on [%s]:%u: Failed to parse IP address!",
+		    listen_addrstr, Port);
 	}
 	return ret;
 }
@ -565,7 +576,7 @@ InitSinaddrListenAddr(ng_ipaddr_t *addr, const char *listen_addrstr, UINT16 Port
 /**
 * Set a socket to "IPv6 only". If the given socket doesn't belong to the
 * AF_INET6 family, or the operating system doesn't support this functionality,
- * this function retruns silently.
+ * this function returns silently.
 *
 * @param af	Address family of the socket.
 * @param sock	Socket handle.
@ -590,7 +601,7 @@ set_v6_only(int af, int sock)
 /**
 * Initialize new listening port.
 *
- * @param listen_addr	Local address to bind the socet to (can be 0.0.0.0).
+ * @param listen_addr	Local address to bind the socket to (can be 0.0.0.0).
 * @param Port		Port number on which the new socket should be listening.
 * @returns		file descriptor of the socket or -1 on failure.
 */
@ -658,10 +669,17 @@ Conn_Handler(void)
 	int i;
 	size_t wdatalen;
 	struct timeval tv;
-	time_t t;
+	time_t t, notify_t = 0;
+	bool command_available;
+	char status[200];
+
+	Log(LOG_NOTICE, "Server \"%s\" (on \"%s\") ready.",
+	    Client_ID(Client_ThisServer()), Client_Hostname(Client_ThisServer()));
+	Signal_NotifySvcMgr("READY=1\n");

 	while (!NGIRCd_SignalQuit && !NGIRCd_SignalRestart) {
 		t = time(NULL);
+		command_available = false;

 		/* Check configured servers and established links */
 		Check_Servers();
@ -730,16 +748,31 @@ Conn_Handler(void)
 				continue;
 			}

+			if (array_bytes(&My_Connections[i].rbuf) >= COMMAND_LEN) {
+				/* There is still more data in the read buffer
+				 * than a single valid command can get long:
+				 * so either there is a complete command, or
+				 * invalid data. Therefore don't try to read in
+				 * even more data from the network but wait for
+				 * this command(s) to be handled first! */
+				io_event_del(My_Connections[i].sock,
+					     IO_WANTREAD);
+				command_available = true;
+				continue;
+			}
+
 			io_event_add(My_Connections[i].sock, IO_WANTREAD);
 		}

-		/* Set the timeout for reading from the network to 1 second,
-		 * which is the granularity with witch we handle "penalty
-		 * times" for example.
+		/* Don't wait for data when there is still at least one command
+		 * available in a read buffer which can be handled immediately;
+		 * set the timeout for reading from the network to 1 second
+		 * otherwise, which is the granularity with witch we handle
+		 * "penalty times" for example.
 		 * Note: tv_sec/usec are undefined(!) after io_dispatch()
 		 * returns, so we have to set it before each call to it! */
 		tv.tv_usec = 0;
-		tv.tv_sec = 1;
+		tv.tv_sec = command_available ? 0 : 1;

 		/* Wait for activity ... */
 		i = io_dispatch(&tv);
@ -751,20 +784,34 @@ Conn_Handler(void)
 			exit(1);
 		}

-		/* Should ngIRCd timeout when idle? */
+		t = time(NULL);
 		if (Conf_IdleTimeout > 0 && NumConnectionsAccepted > 0
-		    && idle_t > 0 && time(NULL) - idle_t >= Conf_IdleTimeout) {
+		    && idle_t > 0 && t - idle_t >= Conf_IdleTimeout) {
+			/* Should ngIRCd timeout when idle? */
 			LogDebug("Server idle timeout reached: %d second%s. Initiating shutdown ...",
 				 Conf_IdleTimeout,
 				 Conf_IdleTimeout == 1 ? "" : "s");
 			NGIRCd_SignalQuit = true;
+		} else if (Signal_NotifySvcMgr_Possible() && t - notify_t > 3) {
+			/* Send the current status to the service manager. */
+			snprintf(status, sizeof(status),
+				 "WATCHDOG=1\nSTATUS=%ld connection%s established (%ld user%s, %ld server%s), %ld maximum. %ld accepted in total.\n",
+				 (long)NumConnections, NumConnections == 1 ? "" : "s",
+				 Client_MyUserCount(), Client_MyUserCount() == 1 ? "" : "s",
+				 Client_MyServerCount(), Client_MyServerCount() == 1 ? "" : "s",
+				 (long)NumConnectionsMax, (long)NumConnectionsAccepted);
+			Signal_NotifySvcMgr(status);
+			notify_t = t;
 		}
 	}

-	if (NGIRCd_SignalQuit)
+	if (NGIRCd_SignalQuit) {
 		Log(LOG_NOTICE | LOG_snotice, "Server going down NOW!");
-	else if (NGIRCd_SignalRestart)
+		Signal_NotifySvcMgr("STOPPING=1\n");
+	} else if (NGIRCd_SignalRestart) {
 		Log(LOG_NOTICE | LOG_snotice, "Server restarting NOW!");
+		Signal_NotifySvcMgr("RELOADING=1\n");
+	}
 } /* Conn_Handler */

 /**
@ -774,7 +821,7 @@ Conn_Handler(void)
 * the result is a valid IRC message (oversized messages are shortened, for
 * example). Then it calls the Conn_Write() function to do the actual sending.
 *
- * @param Idx		Index fo the connection.
+ * @param Idx		Index of the connection.
 * @param Format	Format string, see printf().
 * @returns		true on success, false otherwise.
 */
@ -854,7 +901,7 @@ va_dcl

 #ifdef SNIFFER
 	if (NGIRCd_Sniffer)
-		Log(LOG_DEBUG, " -> connection %d: '%s'.", Idx, buffer);
+		LogDebug("-> connection %d: '%s'.", Idx, buffer);
 #endif

 	len = strlcat( buffer, "\r\n", sizeof( buffer ));
@ -1034,8 +1081,10 @@ Conn_Close(CONN_ID Idx, const char *LogMsg, const char *FwdMsg, bool InformClien
 		}
 #endif
 		/* Send ERROR to client (see RFC 2812, section 3.1.7) */
-		if (FwdMsg)
-			Conn_WriteStr(Idx, "ERROR :%s", FwdMsg);
+		if (c)
+			Conn_WriteStr(Idx, "ERROR :Closing connection: %s[%s@%s] (%s)",
+				      Client_ID(c), Client_User(c), Client_Hostname(c),
+				      FwdMsg ? FwdMsg : "\"\"");
 		else
 			Conn_WriteStr(Idx, "ERROR :Closing connection");
 	}
@ -1081,9 +1130,9 @@ Conn_Close(CONN_ID Idx, const char *LogMsg, const char *FwdMsg, bool InformClien
 		 * the calculation of in_p and out_p: in_z_k and out_z_k
 		 * are non-zero, that's guaranteed by the protocol until
 		 * compression can be enabled. */
-		if (! in_z_k)
+		if (in_z_k <= 0)
 			in_z_k = in_k;
-		if (! out_z_k)
+		if (out_z_k <= 0)
 			out_z_k = out_k;
 		in_p = (int)(( in_k * 100 ) / in_z_k );
 		out_p = (int)(( out_k * 100 ) / out_z_k );
@ -1154,7 +1203,7 @@ Conn_CountMax(void)
 } /* Conn_CountMax */

 /**
- * Get number of connections accepted since the daemon startet.
+ * Get number of connections accepted since the daemon started.
 *
 * @returns	Number of connections accepted.
 */
@ -1268,14 +1317,15 @@ Handle_Write( CONN_ID Idx )
 		if (errno == EAGAIN || errno == EINTR)
 			return true;

-		if (!Conn_OPTION_ISSET(&My_Connections[Idx], CONN_ISCLOSING))
+		if (!Conn_OPTION_ISSET(&My_Connections[Idx], CONN_ISCLOSING)) {
 			Log(LOG_ERR,
 			    "Write error on connection %d (socket %d): %s!",
 			    Idx, My_Connections[Idx].sock, strerror(errno));
-		else
+			Conn_Close(Idx, "Write error", NULL, false);
+		} else
 			LogDebug("Recursive write error on connection %d (socket %d): %s!",
 				 Idx, My_Connections[Idx].sock, strerror(errno));
-		Conn_Close(Idx, "Write error", NULL, false);
+
 		return false;
 	}

@ -1332,13 +1382,14 @@ New_Connection(int Sock, UNUSED bool IsSSL)
 	new_sock = accept(Sock, (struct sockaddr *)&new_addr,
 			  (socklen_t *)&new_sock_len);
 	if (new_sock < 0) {
-		Log(LOG_CRIT, "Can't accept connection: %s!", strerror(errno));
+		Log(LOG_CRIT, "Can't accept connection on socket %d: %s!",
+		    Sock, strerror(errno));
 		return -1;
 	}
 	NumConnectionsAccepted++;

 	if (!ng_ipaddr_tostr_r(&new_addr, ip_str)) {
-		Log(LOG_CRIT, "fd %d: Can't convert IP address!", new_sock);
+		Log(LOG_CRIT, "Can't convert peer IP address of socket %d!", new_sock);
 		Simple_Message(new_sock, "ERROR :Internal Server Error");
 		close(new_sock);
 		return -1;
@ -1351,7 +1402,8 @@ New_Connection(int Sock, UNUSED bool IsSSL)
 	fromhost(&req);
 	if (!hosts_access(&req)) {
 		Log(deny_severity,
-		    "Refused connection from %s (by TCP Wrappers)!", ip_str);
+		    "Refused connection from %s on socket %d (by TCP Wrappers)!",
+		    ip_str, Sock);
 		Simple_Message(new_sock, "ERROR :Connection refused");
 		close(new_sock);
 		return -1;
@ -1376,8 +1428,8 @@ New_Connection(int Sock, UNUSED bool IsSSL)
 	if ((Conf_MaxConnectionsIP > 0) && (cnt >= Conf_MaxConnectionsIP)) {
 		/* Access denied, too many connections from this IP address! */
 		Log(LOG_ERR,
-		    "Refused connection from %s: too may connections (%ld) from this IP address!",
-		    ip_str, cnt);
+		    "Refused connection from %s on socket %d: too may connections (%ld) from this IP address!",
+		    ip_str, Sock, cnt);
 		Simple_Message(new_sock,
 			       "ERROR :Connection refused, too many connections from your IP address");
 		close(new_sock);
@ -1430,7 +1482,7 @@ New_Connection(int Sock, UNUSED bool IsSSL)
 	Account_Connection();

 #ifdef SSL_SUPPORT
-	/* Delay connection initalization until SSL handshake is finished */
+	/* Delay connection initialization until SSL handshake is finished */
 	if (!IsSSL)
 #endif
 		Conn_StartLogin(new_sock);
@ -1450,10 +1502,6 @@ Conn_StartLogin(CONN_ID Idx)

 	assert(Idx >= 0);

-	/* Nothing to do if DNS (and resolver subprocess) is disabled */
-	if (!Conf_DNS)
-		return;
-
 #ifdef IDENTAUTH
 	/* Should we make an IDENT request? */
 	if (Conf_Ident)
@ -1463,13 +1511,21 @@ Conn_StartLogin(CONN_ID Idx)
 	if (Conf_NoticeBeforeRegistration) {
 		/* Send "NOTICE *" messages to the client */
 #ifdef IDENTAUTH
-		if (Conf_Ident)
-			(void)Conn_WriteStr(Idx,
-				"NOTICE * :*** Looking up your hostname and checking ident");
-		else
+		if (Conf_Ident) {
+			if (Conf_DNS)
+				(void)Conn_WriteStr(Idx,
+					"NOTICE * :*** Looking up your hostname and checking ident");
+			else
+				(void)Conn_WriteStr(Idx,
+					"NOTICE * :*** Checking ident");
+		} else
 #endif
+		if(Conf_DNS)
 			(void)Conn_WriteStr(Idx,
 				"NOTICE * :*** Looking up your hostname");
+		else
+			(void)Conn_WriteStr(Idx,
+				"NOTICE * :*** Processing your connection");
 		/* Send buffered data to the client, but break on errors
 		 * because Handle_Write() would have closed the connection
 		 * again in this case! */
@ -1477,8 +1533,9 @@ Conn_StartLogin(CONN_ID Idx)
 			return;
 	}

-	Resolve_Addr(&My_Connections[Idx].proc_stat, &My_Connections[Idx].addr,
-		     ident_sock, cb_Read_Resolver_Result);
+	Resolve_Addr_Ident(&My_Connections[Idx].proc_stat,
+			   &My_Connections[Idx].addr,
+			   ident_sock, cb_Read_Resolver_Result);
 }

 /**
@ -1500,7 +1557,7 @@ Account_Connection(void)
 * a 1:1 mapping today) and enlarge the "connection pool" accordingly.
 *
 * @param Sock	Socket handle.
- * @returns	Connecion index or NONE when the pool is too small.
+ * @returns	Connection index or NONE when the pool is too small.
 */
 static CONN_ID
 Socket2Index( int Sock )
@ -1536,16 +1593,21 @@ Socket2Index( int Sock )
 * @param Idx	Connection index.
 */
 static void
-Read_Request( CONN_ID Idx )
+Read_Request(CONN_ID Idx)
 {
 	ssize_t len;
 	static const unsigned int maxbps = COMMAND_LEN / 2;
 	char readbuf[READBUFFER_LEN];
 	time_t t;
 	CLIENT *c;
-	assert( Idx > NONE );
-	assert( My_Connections[Idx].sock > NONE );

+	assert(Idx > NONE);
+	assert(My_Connections[Idx].sock > NONE);
+
+	/* Check if the read buffer is "full". Basically this shouldn't happen
+	 * here, because as long as there possibly are commands in the read
+	 * buffer (buffer usage > COMMAND_LEN), the socket shouldn't be
+	 * scheduled for reading in Conn_Handler() at all ... */
 #ifdef ZLIB
 	if ((array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN) ||
 		(array_bytes(&My_Connections[Idx].zip.rbuf) >= READBUFFER_LEN))
@ -1553,7 +1615,6 @@ Read_Request( CONN_ID Idx )
 	if (array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN)
 #endif
 	{
-		/* Read buffer is full */
 		Log(LOG_ERR,
 		    "Receive buffer space exhausted (connection %d): %d/%d bytes",
 		    Idx, array_bytes(&My_Connections[Idx].rbuf), READBUFFER_LEN);
@ -1561,12 +1622,14 @@ Read_Request( CONN_ID Idx )
 		return;
 	}

+	/* Now read new data from the network, up to READBUFFER_LEN bytes ... */
 #ifdef SSL_SUPPORT
 	if (Conn_OPTION_ISSET(&My_Connections[Idx], CONN_SSL))
-		len = ConnSSL_Read( &My_Connections[Idx], readbuf, sizeof(readbuf));
+		len = ConnSSL_Read(&My_Connections[Idx], readbuf, sizeof(readbuf));
 	else
 #endif
-	len = read(My_Connections[Idx].sock, readbuf, sizeof(readbuf));
+		len = read(My_Connections[Idx].sock, readbuf, sizeof(readbuf));
+
 	if (len == 0) {
 		LogDebug("Client \"%s:%u\" is closing connection %d ...",
 			 My_Connections[Idx].host,
@ -1576,13 +1639,20 @@ Read_Request( CONN_ID Idx )
 	}

 	if (len < 0) {
-		if( errno == EAGAIN ) return;
+		if (errno == EAGAIN)
+			return;
+
 		Log(LOG_ERR, "Read error on connection %d (socket %d): %s!",
 		    Idx, My_Connections[Idx].sock, strerror(errno));
 		Conn_Close(Idx, "Read error", "Client closed connection",
 			   false);
 		return;
 	}
+
+	/* Now append the newly received data to the connection buffer.
+	 * NOTE: This can lead to connection read buffers being bigger(!) than
+	 * READBUFFER_LEN bytes, as we add up to READBUFFER_LEN new bytes to a
+	 * buffer possibly being "almost" READBUFFER_LEN bytes already! */
 #ifdef ZLIB
 	if (Conn_OPTION_ISSET(&My_Connections[Idx], CONN_ZIP)) {
 		if (!array_catb(&My_Connections[Idx].zip.rbuf, readbuf,
@ -1829,6 +1899,9 @@ Check_Connections(void)
 	CLIENT *c;
 	CONN_ID i;
 	char msg[64];
+	time_t time_now;
+
+	time_now = time(NULL);

 	for (i = 0; i < Pool_Size; i++) {
 		if (My_Connections[i].sock < 0)
@ -1843,7 +1916,7 @@ Check_Connections(void)
 			    My_Connections[i].lastdata) {
 				/* We already sent a ping */
 				if (My_Connections[i].lastping <
-				    time(NULL) - Conf_PongTimeout) {
+				    time_now - Conf_PongTimeout) {
 					/* Timeout */
 					snprintf(msg, sizeof(msg),
 						 "Ping timeout: %d seconds",
@ -1852,10 +1925,10 @@ Check_Connections(void)
 					Conn_Close(i, NULL, msg, true);
 				}
 			} else if (My_Connections[i].lastdata <
-				   time(NULL) - Conf_PingTimeout) {
+				   time_now - Conf_PingTimeout) {
 				/* We need to send a PING ... */
 				LogDebug("Connection %d: sending PING ...", i);
-				Conn_UpdatePing(i);
+				Conn_UpdatePing(i, time_now);
 				Conn_WriteStr(i, "PING :%s",
 					      Client_ID(Client_ThisServer()));
 			}
@ -1866,7 +1939,7 @@ Check_Connections(void)
 			 * still not registered. */

 			if (My_Connections[i].lastdata <
-			    time(NULL) - Conf_PongTimeout) {
+			    time_now - Conf_PongTimeout) {
 				LogDebug
 				    ("Unregistered connection %d timed out ...",
 				     i);
@ -1918,8 +1991,11 @@ Check_Servers(void)
 		Conf_Server[i].lasttry = time_now;
 		Conf_Server[i].conn_id = SERVER_WAIT;
 		assert(Proc_GetPipeFd(&Conf_Server[i].res_stat) < 0);
-		Resolve_Name(&Conf_Server[i].res_stat, Conf_Server[i].host,
-			     cb_Connect_to_Server);
+
+		/* Start resolver subprocess ... */
+		if (!Resolve_Name(&Conf_Server[i].res_stat, Conf_Server[i].host,
+				  cb_Connect_to_Server))
+			Conf_Server[i].conn_id = NONE;
 	}
 } /* Check_Servers */

@ -2244,13 +2320,16 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events )
 	 * the resolver results, so we don't have to worry to override settings
 	 * from these commands here. */
 	if(Client_Type(c) == CLIENT_UNKNOWN) {
-		strlcpy(My_Connections[i].host, readbuf,
-			sizeof(My_Connections[i].host));
-		Client_SetHostname(c, readbuf);
-		if (Conf_NoticeBeforeRegistration)
-			(void)Conn_WriteStr(i,
+		if (readbuf[0]) {
+			/* We got a hostname */
+			strlcpy(My_Connections[i].host, readbuf,
+				sizeof(My_Connections[i].host));
+			Client_SetHostname(c, readbuf);
+			if (Conf_NoticeBeforeRegistration)
+				(void)Conn_WriteStr(i,
 					"NOTICE * :*** Found your hostname: %s",
 					My_Connections[i].host);
+		}
 #ifdef IDENTAUTH
 		++identptr;
 		if (*identptr) {
@ -2298,10 +2377,8 @@ cb_Read_Resolver_Result( int r_fd, UNUSED short events )

 		Class_HandleServerBans(c);
 	}
-#ifdef DEBUG
 	else
 		LogDebug("Resolver: discarding result for already registered connection %d.", i);
-#endif
 } /* cb_Read_Resolver_Result */

 /**
@ -2399,7 +2476,7 @@ Conn_GetFromProc(int fd)
 * @param Reason The reason, see THROTTLE_xxx constants.
 * @param Idx The connection index.
 * @param Client The client of this connection.
- * @param Seconds The time to delay this connection.
+ * @param Value The time to delay this connection.
 */
 static void
 Throttle_Connection(const CONN_ID Idx, CLIENT *Client, const int Reason,
@ -2496,6 +2573,13 @@ cb_listen_ssl(int sock, short irrelevant)
 /**
 * IO callback for new outgoing SSL-enabled server connections.
 *
+ * IMPORTANT: The SSL session has been validated before, but all errors have
+ * been ignored so far! The reason for this is that the generic SSL code has no
+ * idea if the new session actually belongs to a server, as this only becomes
+ * clear when the remote peer sends its PASS command (and we have to handle
+ * invalid client certificates!). Therefore, it is important to check the
+ * status of the SSL session first before continuing the server handshake here!
+ *
 * @param sock		Socket descriptor.
 * @param unused	(ignored IO specification)
 */
@ -2503,6 +2587,7 @@ static void
 cb_connserver_login_ssl(int sock, short unused)
 {
 	CONN_ID idx = Socket2Index(sock);
+	int serveridx;

 	(void) unused;

@ -2521,9 +2606,26 @@ cb_connserver_login_ssl(int sock, short unused)
 			return;
 	}

-	Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx,
-	    My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port );
+	serveridx = Conf_GetServer(idx);
+	assert(serveridx >= 0);

+	/* The SSL handshake is done, but validation results were ignored so
+	 * far, so let's see where we are: */
+	LogDebug("SSL handshake on socket %d done.", idx);
+	if (!Conn_OPTION_ISSET(&My_Connections[idx], CONN_SSL_PEERCERT_OK)) {
+		if (Conf_Server[serveridx].SSLVerify) {
+			Log(LOG_ERR,
+				"Peer certificate check failed for \"%s\" on connection %d!",
+				My_Connections[idx].host, idx);
+			Conn_Close(idx, "Valid certificate required",
+				   NULL, false);
+			return;
+		}
+		Log(LOG_WARNING,
+			"Peer certificate check failed for \"%s\" on connection %d, but \"SSLVerify\" is disabled. Continuing ...",
+			My_Connections[idx].host, idx);
+	}
+	LogDebug("Server certificate accepted, continuing server login ...");
 	server_login(idx);
 }

@ -2645,7 +2747,6 @@ Conn_SetCertFp(UNUSED CONN_ID Idx, UNUSED const char *fingerprint)

 #endif /* SSL_SUPPORT */

-#ifdef DEBUG

 /**
 * Dump internal state of the "connection module".
@ -2655,11 +2756,11 @@ Conn_DebugDump(void)
 {
 	int i;

-	Log(LOG_DEBUG, "Connection status:");
+	LogDebug("Connection status:");
 	for (i = 0; i < Pool_Size; i++) {
 		if (My_Connections[i].sock == NONE)
 			continue;
-		Log(LOG_DEBUG,
+		LogDebug(
 		    " - %d: host=%s, lastdata=%ld, lastping=%ld, delaytime=%ld, flag=%d, options=%d, bps=%d, client=%s",
 		    My_Connections[i].sock, My_Connections[i].host,
 		    My_Connections[i].lastdata, My_Connections[i].lastping,
@ -2669,6 +2770,5 @@ Conn_DebugDump(void)
 	}
 } /* Conn_DumpClients */

-#endif /* DEBUG */

 /* -eof- */
--- a/src/ngircd/conn.h
+++ b/src/ngircd/conn.h
@ -40,7 +40,8 @@
 #define CONN_SSL		32	/* this connection is SSL encrypted */
 #define CONN_SSL_WANT_WRITE	64	/* SSL/TLS library needs to write protocol data */
 #define CONN_SSL_WANT_READ	128	/* SSL/TLS library needs to read protocol data */
-#define CONN_SSL_FLAGS_ALL	(CONN_SSL_CONNECT|CONN_SSL|CONN_SSL_WANT_WRITE|CONN_SSL_WANT_READ)
+#define CONN_SSL_PEERCERT_OK	256	/* peer presented a valid certificate (used to check inbound server auth */
+#define CONN_SSL_FLAGS_ALL	(CONN_SSL_CONNECT|CONN_SSL|CONN_SSL_WANT_WRITE|CONN_SSL_WANT_READ|CONN_SSL_PEERCERT_OK)
 #endif
 typedef int CONN_ID;

@ -105,9 +106,17 @@ typedef struct _Connection
 #endif
 } CONNECTION;

-GLOBAL CONNECTION *My_Connections;
-GLOBAL CONN_ID Pool_Size;
-GLOBAL long WCounter;
+
+#ifdef CONN_MODULE_GLOBAL_INIT
+CONNECTION *My_Connections;
+CONN_ID Pool_Size;
+long WCounter;
+#else
+extern CONNECTION *My_Connections;
+extern CONN_ID Pool_Size;
+extern long WCounter;
+#endif
+

 #define CONNECTION2ID(x) (long)(x - My_Connections)

@ -158,9 +167,7 @@ GLOBAL long Conn_GetAuthPing PARAMS((CONN_ID Idx));
 GLOBAL void Conn_SetAuthPing PARAMS((CONN_ID Idx, long ID));
 #endif

-#ifdef DEBUG
 GLOBAL void Conn_DebugDump PARAMS((void));
-#endif

 #endif

--- a/src/ngircd/defines.h
+++ b/src/ngircd/defines.h
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -39,7 +39,7 @@
 #define LINE_LEN 1024

 /** Max. length of a log message. */
-#define MAX_LOG_MSG_LEN 256
+#define MAX_LOG_MSG_LEN 1024

 /** Max. length of file name. */
 #define FNAME_LEN 256
@ -64,6 +64,9 @@
 /** Size of buffer for PAM service name. */
 #define MAX_PAM_SERVICE_NAME_LEN 64

+/** Maximum number of file descriptors to request. */
+#define MAX_FD_LIMIT 100000
+

 /* Hard-coded (default) options */

@ -123,14 +126,14 @@
 /** Max. host name length (including NULL). */
 #define CLIENT_HOST_LEN 64

-/** Max. mask lenght (including NULL). */
+/** Max. mask length (including NULL). */
 #define MASK_LEN (2 * CLIENT_HOST_LEN)

 /** Max. length of all client modes (including NULL). */
 #define CLIENT_MODE_LEN 21

 /** Max. length of server info texts (including NULL). */
-#define CLIENT_INFO_LEN 64
+#define CLIENT_INFO_LEN 128

 /** Max. length of away messages (including NULL). */
 #define CLIENT_AWAY_LEN 128
@ -203,7 +206,7 @@

 /* Defaults and limits for IRC commands */

-/** Max. number of elemets allowed in channel invite and ban lists. */
+/** Max. number of elements allowed in channel invite and ban lists. */
 #define MAX_HNDL_CHANNEL_LISTS 50

 /** Max. number of channel modes with arguments per MODE command. */
--- a/src/ngircd/hash.c
+++ b/src/ngircd/hash.c
@ -108,16 +108,27 @@ jenkins_hash(UINT8 *k, UINT32 length, UINT32 initval)

 	{
 		case 12: c+=((UINT32)k[11])<<24;
+		/* fall through */
 		case 11: c+=((UINT32)k[10]<<16);
+		/* fall through */
 		case 10: c+=((UINT32)k[9]<<8);
+		/* fall through */
 		case 9 : c+=k[8];
+		/* fall through */
 		case 8 : b+=((UINT32)k[7]<<24);
+		/* fall through */
 		case 7 : b+=((UINT32)k[6]<<16);
+		/* fall through */
 		case 6 : b+=((UINT32)k[5]<<8);
+		/* fall through */
 		case 5 : b+=k[4];
+		/* fall through */
 		case 4 : a+=((UINT32)k[3]<<24);
+		/* fall through */
 		case 3 : a+=((UINT32)k[2]<<16);
+		/* fall through */
 		case 2 : a+=((UINT32)k[1]<<8);
+		/* fall through */
 		case 1 : a+=k[0];
 			 break;
 		case 0 : return c;
--- a/src/ngircd/io.c
+++ b/src/ngircd/io.c
@ -148,7 +148,7 @@ static void io_docallback PARAMS((int fd, short what));
 static void
 io_debug(const char *s, int fd, int what)
 {
-	Log(LOG_DEBUG, "%s: %d, %d\n", s, fd, what);
+	LogDebug("%s: %d, %d\n", s, fd, what);
 }
 #else
 static inline void
--- a/src/ngircd/irc-channel.c
+++ b/src/ngircd/irc-channel.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2018 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -176,7 +176,7 @@ join_set_channelmodes(CHANNEL *chan, CLIENT *target, const char *flags)
 * and MODE commands.
 *
 * @param To		Forward JOIN (and MODE) command to this peer server
- * @param Prefix	Client used to prefix the genrated commands
+ * @param Prefix	Client used to prefix the generated commands
 * @param Data		Parameters of JOIN command to forward, probably
 *			containing channel modes separated by ASCII 7.
 */
@ -209,7 +209,7 @@ cb_join_forward(CLIENT *To, CLIENT *Prefix, void *Data)
 * This function calls cb_join_forward(), which differentiates between
 * protocol implementations (e.g. RFC 2812, RFC 1459).
 *
- * @param Client	Client used to prefix the genrated commands
+ * @param Client	Client used to prefix the generated commands
 * @param target	Forward JOIN (and MODE) command to this peer server
 * @param chan		Channel structure
 * @param channame	Channel name
@ -248,46 +248,38 @@ join_forward(CLIENT *Client, CLIENT *target, CHANNEL *chan,
 } /* join_forward */

 /**
- * Acknowledge user JOIN request and send "channel info" numerics.
+ * Send channel TOPIC and NAMES list to a newly (N)JOIN'ed client.
 *
- * @param Client	Client used to prefix the genrated commands
- * @param target	Forward commands/numerics to this user
- * @param chan		Channel structure
- * @param channame	Channel name
+ * @param Client	Client used to prefix the generated commands
+ * @param Chan		Channel structure
 */
-static bool
-join_send_topic(CLIENT *Client, CLIENT *target, CHANNEL *chan,
-					const char *channame)
+GLOBAL bool
+IRC_Send_Channel_Info(CLIENT *Client, CHANNEL *Chan)
 {
 	const char *topic;

-	if (Client_Type(Client) != CLIENT_USER)
-		return true;
-	/* acknowledge join */
-	if (!IRC_WriteStrClientPrefix(Client, target, "JOIN :%s", channame))
-		return false;
-
-	/* Send topic to client, if any */
-	topic = Channel_Topic(chan);
+	/* Send the topic (if any) to the new client: */
+	topic = Channel_Topic(Chan);
 	assert(topic != NULL);
 	if (*topic) {
 		if (!IRC_WriteStrClient(Client, RPL_TOPIC_MSG,
-			Client_ID(Client), channame, topic))
+			Client_ID(Client), Channel_Name(Chan), topic))
 				return false;
 #ifndef STRICT_RFC
 		if (!IRC_WriteStrClient(Client, RPL_TOPICSETBY_MSG,
-			Client_ID(Client), channame,
-			Channel_TopicWho(chan),
-			Channel_TopicTime(chan)))
+			Client_ID(Client), Channel_Name(Chan),
+			Channel_TopicWho(Chan),
+			Channel_TopicTime(Chan)))
 				return false;
 #endif
 	}
-	/* send list of channel members to client */
-	if (!IRC_Send_NAMES(Client, chan))
+
+	/* Send list of channel members to the new client: */
+	if (!IRC_Send_NAMES(Client, Chan))
 		return false;
-	return IRC_WriteStrClient(Client, RPL_ENDOFNAMES_MSG, Client_ID(Client),
-				  Channel_Name(chan));
-} /* join_send_topic */
+	return IRC_WriteStrClient(Client, RPL_ENDOFNAMES_MSG,
+				  Client_ID(Client), Channel_Name(Chan));
+}

 /**
 * Handler for the IRC "JOIN" command.
@ -408,8 +400,15 @@ IRC_JOIN( CLIENT *Client, REQUEST *Req )

 		join_forward(Client, target, chan, channame);

-		if (!join_send_topic(Client, target, chan, channame))
-			break; /* write error */
+		if (Client_Type(Client) == CLIENT_USER) {
+			/* Acknowledge join ... */
+			if (!IRC_WriteStrClientPrefix(Client, target,
+						      "JOIN :%s", channame))
+				break; /* write error */
+			/* ... and greet new user: */
+			if (!IRC_Send_Channel_Info(Client, chan))
+				break; /* write error */
+		}

 	join_next:
 		/* next channel? */
@ -497,7 +496,7 @@ IRC_TOPIC( CLIENT *Client, REQUEST *Req )
 		topic_power = true;

 	if (Req->argc == 1) {
-		/* Request actual topic */
+		/* Request current topic */
 		topic = Channel_Topic(chan);
 		if (*topic) {
 			r = IRC_WriteStrClient(from, RPL_TOPIC_MSG,
@ -532,8 +531,6 @@ IRC_TOPIC( CLIENT *Client, REQUEST *Req )
 						  Channel_Name(chan));
 	}

-	/* Set new topic */
-	Channel_SetTopic(chan, from, Req->argv[1]);
 	LogDebug("%s \"%s\" set topic on \"%s\": %s",
 		 Client_TypeText(from), Client_Mask(from), Channel_Name(chan),
 		 Req->argv[1][0] ? Req->argv[1] : "<none>");
@ -545,9 +542,17 @@ IRC_TOPIC( CLIENT *Client, REQUEST *Req )
 	if (!Channel_IsLocal(chan))
 		IRC_WriteStrServersPrefix(Client, from, "TOPIC %s :%s",
 					  Req->argv[0], Req->argv[1]);
-	IRC_WriteStrChannelPrefix(Client, chan, from, false, "TOPIC %s :%s",
-				  Req->argv[0], Req->argv[1]);

+	/* Infrom local clients, but only when the topic really changed. */
+	if (strcmp(Req->argv[1], Channel_Topic(chan)) != 0)
+		IRC_WriteStrChannelPrefix(Client, chan, from, false,
+					    "TOPIC %s :%s", Req->argv[0],
+					    Req->argv[1]);
+
+	/* Update topic, setter, and timestamp. */
+	Channel_SetTopic(chan, from, Req->argv[1]);
+
+	/* Send confirmation when the local client is a user. */
 	if (Client_Type(Client) == CLIENT_USER)
 		return IRC_WriteStrClientPrefix(Client, Client, "TOPIC %s :%s",
 						Req->argv[0], Req->argv[1]);
--- a/src/ngircd/irc-channel.h
+++ b/src/ngircd/irc-channel.h
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001,2002 by Alexander Barton (alex@barton.de)
+ * Copyright (c)2001-2022 by Alexander Barton (alex@barton.de)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -25,6 +25,8 @@ GLOBAL bool IRC_LIST PARAMS((CLIENT *Client, REQUEST *Req ));

 GLOBAL bool IRC_CHANINFO PARAMS((CLIENT *Client, REQUEST *Req ));

+GLOBAL bool IRC_Send_Channel_Info PARAMS((CLIENT *Client, CHANNEL *Chan));
+
 #endif

 /* -eof- */
--- a/src/ngircd/irc-info.c
+++ b/src/ngircd/irc-info.c
@ -138,7 +138,7 @@ who_flags_qualifier(CLIENT *Client, const char *chan_user_modes,
 static bool
 IRC_WHO_Channel(CLIENT *Client, CHANNEL *Chan, bool OnlyOps)
 {
-	bool is_visible, is_member, is_ircop;
+	bool is_visible, is_member, is_ircop, is_oper;
 	CL2CHAN *cl2chan;
 	char flags[10];
 	CLIENT *c;
@ -148,9 +148,10 @@ IRC_WHO_Channel(CLIENT *Client, CHANNEL *Chan, bool OnlyOps)
 	assert( Chan != NULL );

 	is_member = Channel_IsMemberOf(Chan, Client);
+	is_oper = Client_HasMode(Client, 'o');

 	/* Secret channel? */
-	if (!is_member && Channel_HasMode(Chan, 's'))
+	if (!is_member && !is_oper && Channel_HasMode(Chan, 's'))
 		return IRC_WriteStrClient(Client, RPL_ENDOFWHO_MSG,
 					  Client_ID(Client), Channel_Name(Chan));

@ -163,7 +164,7 @@ IRC_WHO_Channel(CLIENT *Client, CHANNEL *Chan, bool OnlyOps)
 			continue;

 		is_visible = !Client_HasMode(c, 'i');
-		if (is_member || is_visible) {
+		if (is_member || is_visible || is_oper) {
 			memset(flags, 0, sizeof(flags));

 			if (Client_HasMode(c, 'a'))
@ -817,7 +818,7 @@ IRC_NAMES( CLIENT *Client, REQUEST *Req )

 	/* Now print all clients which are not in any channel */
 	c = Client_First();
-	snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG, Client_ID(from), "*", "*");
+	snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG, Client_ID(from), '*', "*");
 	while (c) {
 		if (Client_Type(c) == CLIENT_USER
 		    && Channel_FirstChannelOf(c) == NULL
@ -829,11 +830,11 @@ IRC_NAMES( CLIENT *Client, REQUEST *Req )
 			strlcat(rpl, Client_ID(c), sizeof(rpl));

 			if (strlen(rpl) > COMMAND_LEN - CLIENT_NICK_LEN - 4) {
-				/* Line is gwoing too long, send now */
+				/* Line is going too long, send now */
 				if (!IRC_WriteStrClient(from, "%s", rpl))
 					return DISCONNECTED;
 				snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG,
-					 Client_ID(from), "*", "*");
+					 Client_ID(from), '*', "*");
 			}
 		}
 		c = Client_Next(c);
@ -909,7 +910,7 @@ IRC_STATS( CLIENT *Client, REQUEST *Req )
 		if (!Op_Check(from, Req))
 			return Op_NoPrivileges(from, Req);
 		more_links = true;
-
+		/* fall through */
 	case 'l':	/* Link status (servers and own link) */
 		time_now = time(NULL);
 		for (con = Conn_First(); con != NONE; con = Conn_Next(con)) {
@ -1264,6 +1265,8 @@ IRC_WHOIS( CLIENT *Client, REQUEST *Req )

 			if (Client_Type(c) != CLIENT_USER)
 				continue;
+			if (Client_HasMode(c, 'i'))
+				continue;
 			if (!MatchCaseInsensitive(query, Client_ID(c)))
 				continue;
 			if (!IRC_WHOIS_SendReply(Client, from, c))
@ -1372,7 +1375,7 @@ IRC_WHOWAS( CLIENT *Client, REQUEST *Req )
 /**
 * Send LUSERS reply to a client.
 *
- * @param Client The receipient of the information.
+ * @param Client The recipient of the information.
 * @return CONNECTED or DISCONNECTED.
 */
 GLOBAL bool
@ -1497,6 +1500,8 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan)
 	char str[COMMAND_LEN];
 	CL2CHAN *cl2chan;
 	CLIENT *cl;
+	bool secret_channel;
+	char chan_symbol;

 	assert(Client != NULL);
 	assert(Chan != NULL);
@ -1511,10 +1516,13 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan)
 		return CONNECTED;

 	/* Secret channel? */
-	if (!is_member && Channel_HasMode(Chan, 's'))
+	secret_channel = Channel_HasMode(Chan, 's');
+	if (!is_member && secret_channel)
 		return CONNECTED;

-	snprintf(str, sizeof(str), RPL_NAMREPLY_MSG, Client_ID(Client), "=",
+	chan_symbol = secret_channel ? '@' : '=';
+
+	snprintf(str, sizeof(str), RPL_NAMREPLY_MSG, Client_ID(Client), chan_symbol,
 		 Channel_Name(Chan));
 	cl2chan = Channel_FirstMember(Chan);
 	while (cl2chan) {
@ -1537,7 +1545,7 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan)
 				if (!IRC_WriteStrClient(Client, "%s", str))
 					return DISCONNECTED;
 				snprintf(str, sizeof(str), RPL_NAMREPLY_MSG,
-					 Client_ID(Client), "=",
+					 Client_ID(Client), chan_symbol,
 					 Channel_Name(Chan));
 			}
 		}
--- a/src/ngircd/irc-login.c
+++ b/src/ngircd/irc-login.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2018 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -89,7 +89,7 @@ IRC_PASS( CLIENT *Client, REQUEST *Req )

 	/* Protocol version */
 	if (Req->argc >= 2 && strlen(Req->argv[1]) >= 4) {
-		int c2, c4;
+		char c2, c4;

 		c2 = Req->argv[1][2];
 		c4 = Req->argv[1][4];
@ -774,7 +774,7 @@ IRC_PING(CLIENT *Client, REQUEST *Req)
 		return IRC_WriteErrClient(Client, ERR_NOSUCHSERVER_MSG,
 					Client_ID(Client), Req->prefix);

-	Log(LOG_DEBUG, "Connection %d: got PING, sending PONG ...",
+	LogDebug("Connection %d: got PING, sending PONG ...",
 	    Client_Conn(Client));

 #ifdef STRICT_RFC
@ -877,11 +877,17 @@ IRC_PONG(CLIENT *Client, REQUEST *Req)
 		    (long)(time(NULL) - Conn_GetSignon(conn)),
 		    time(NULL) - Conn_GetSignon(conn) == 1 ? "" : "s",
 		    Client_UserCount(), Channel_CountVisible(NULL));
-		Conn_UpdatePing(conn);
-	} else
-		LogDebug("Connection %d: received PONG. Lag: %ld seconds.",
-			 conn, (long)(time(NULL) - Conn_LastPing(conn)));
+	} else {
+		if (Conn_LastPing(conn) > 1)
+			LogDebug("Connection %d: received PONG. Lag: %ld seconds.",
+				 conn, (long)(time(NULL) - Conn_LastPing(conn)));
+		else
+			LogDebug("Got unexpected PONG on connection %d. Ignored.",
+				 conn);
+	}

+	/* We got a PONG, so signal that none is pending on this connection. */
+	Conn_UpdatePing(conn, 1);
 	return CONNECTED;
 } /* IRC_PONG */

--- a/src/ngircd/irc-metadata.c
+++ b/src/ngircd/irc-metadata.c
@ -72,7 +72,9 @@ IRC_METADATA(CLIENT *Client, REQUEST *Req)
 	}

 	if (strcasecmp(Req->argv[1], "cloakhost") == 0) {
-		Client_UpdateCloakedHostname(target, prefix, Req->argv[2]);
+		/* Set or remove a "cloaked hostname". */
+		Client_UpdateCloakedHostname(target, prefix,
+					     *Req->argv[2] ? Req->argv[2] : NULL);
 		if (Client_Conn(target) > NONE && Client_HasMode(target, 'x'))
 			IRC_WriteStrClientPrefix(target, prefix,
 					RPL_HOSTHIDDEN_MSG, Client_ID(target),
--- a/src/ngircd/irc-mode.c
+++ b/src/ngircd/irc-mode.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2014 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2023 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -62,6 +62,7 @@ IRC_MODE( CLIENT *Client, REQUEST *Req )
 {
 	CLIENT *cl, *origin;
 	CHANNEL *chan;
+	bool is_valid_nick, is_valid_chan;

 	assert(Client != NULL);
 	assert(Req != NULL);
@ -76,10 +77,12 @@ IRC_MODE( CLIENT *Client, REQUEST *Req )
 		Client = Client_Search(Req->prefix);

 	/* Channel or user mode? */
+	is_valid_nick = Client_IsValidNick(Req->argv[0]);
+	is_valid_chan = Channel_IsValidName(Req->argv[0]);
 	cl = NULL; chan = NULL;
-	if (Client_IsValidNick(Req->argv[0]))
+	if (is_valid_nick)
 		cl = Client_Search(Req->argv[0]);
-	if (Channel_IsValidName(Req->argv[0]))
+	if (is_valid_chan)
 		chan = Channel_Search(Req->argv[0]);

 	if (cl)
@ -88,8 +91,12 @@ IRC_MODE( CLIENT *Client, REQUEST *Req )
 		return Channel_Mode(Client, Req, origin, chan);

 	/* No target found! */
-	return IRC_WriteErrClient(Client, ERR_NOSUCHNICK_MSG,
-			Client_ID(Client), Req->argv[0]);
+	if (is_valid_nick)
+		return IRC_WriteErrClient(Client, ERR_NOSUCHNICK_MSG,
+				Client_ID(Client), Req->argv[0]);
+	else
+		return IRC_WriteErrClient(Client, ERR_NOSUCHCHANNEL_MSG,
+				Client_ID(Client), Req->argv[0]);
 } /* IRC_MODE */

 /**
@ -281,7 +288,7 @@ Client_Mode( CLIENT *Client, REQUEST *Req, CLIENT *Origin, CLIENT *Target )
 			break;
 		default:
 			if (Client_Type(Client) != CLIENT_SERVER) {
-				Log(LOG_DEBUG,
+				LogDebug(
 				    "Unknown mode \"%c%c\" from \"%s\"!?",
 				    set ? '+' : '-', *mode_ptr,
 				    Client_ID(Origin));
@ -292,7 +299,7 @@ Client_Mode( CLIENT *Client, REQUEST *Req, CLIENT *Origin, CLIENT *Target )
 							*mode_ptr);
 				x[0] = '\0';
 			} else {
-				Log(LOG_DEBUG,
+				LogDebug(
 				    "Handling unknown mode \"%c%c\" from \"%s\" for \"%s\" ...",
 				    set ? '+' : '-', *mode_ptr,
 				    Client_ID(Origin), Client_ID(Target));
@ -575,6 +582,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 					Client_ID(Origin), Channel_Name(Channel));
 				goto chan_exit;
 			}
+			/* fall through */
 		case 'i': /* Invite only */
 		case 'V': /* Invite disallow */
 		case 'M': /* Only identified nicks can write */
@ -609,33 +617,43 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 						Channel_Name(Channel));
 				break;
 			}
-			if (arg_arg > mode_arg) {
-				if (is_oper || is_machine || is_owner ||
-				    is_admin || is_op || is_halfop) {
-					Channel_ModeDel(Channel, 'k');
-					Channel_SetKey(Channel,
-						       Req->argv[arg_arg]);
-					strlcpy(argadd, Channel_Key(Channel),
-						sizeof(argadd));
-					x[0] = *mode_ptr;
-				} else {
+			if (arg_arg <= mode_arg) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got MODE +k without key for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
 					connected = IRC_WriteErrClient(Origin,
-						ERR_CHANOPRIVSNEEDED_MSG,
-						Client_ID(Origin),
-						Channel_Name(Channel));
-				}
-				Req->argv[arg_arg][0] = '\0';
-				arg_arg++;
-			} else {
-#ifdef STRICT_RFC
-				/* Only send error message in "strict" mode,
-				 * this is how ircd2.11 and others behave ... */
-				connected = IRC_WriteErrClient(Origin,
-					ERR_NEEDMOREPARAMS_MSG,
-					Client_ID(Origin), Req->command);
-#endif
+						ERR_NEEDMOREPARAMS_MSG,
+						Client_ID(Origin), Req->command);
 				goto chan_exit;
 			}
+			if (!Req->argv[arg_arg][0] || strchr(Req->argv[arg_arg], ' ')) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got invalid key on MODE +k for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
+					connected = IRC_WriteErrClient(Origin,
+					       ERR_INVALIDMODEPARAM_MSG,
+						Client_ID(Origin),
+						Channel_Name(Channel), 'k');
+				goto chan_exit;
+			}
+			if (is_oper || is_machine || is_owner ||
+			    is_admin || is_op || is_halfop) {
+				Channel_ModeDel(Channel, 'k');
+				Channel_SetKey(Channel, Req->argv[arg_arg]);
+				strlcpy(argadd, Channel_Key(Channel), sizeof(argadd));
+				x[0] = *mode_ptr;
+			} else {
+				connected = IRC_WriteErrClient(Origin,
+					ERR_CHANOPRIVSNEEDED_MSG,
+					Client_ID(Origin),
+					Channel_Name(Channel));
+			}
+			Req->argv[arg_arg][0] = '\0';
+			arg_arg++;
 			break;
 		case 'l': /* Member limit */
 			if (Mode_Limit_Reached(Client, mode_arg_count++))
@ -651,35 +669,44 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 						Channel_Name(Channel));
 				break;
 			}
-			if (arg_arg > mode_arg) {
-				if (is_oper || is_machine || is_owner ||
-				    is_admin || is_op || is_halfop) {
-					l = atol(Req->argv[arg_arg]);
-					if (l > 0 && l < 0xFFFF) {
-						Channel_ModeDel(Channel, 'l');
-						Channel_SetMaxUsers(Channel, l);
-						snprintf(argadd, sizeof(argadd),
-							 "%ld", l);
-						x[0] = *mode_ptr;
-					}
-				} else {
+			if (arg_arg <= mode_arg) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got MODE +l without limit for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
 					connected = IRC_WriteErrClient(Origin,
-						ERR_CHANOPRIVSNEEDED_MSG,
-						Client_ID(Origin),
-						Channel_Name(Channel));
-				}
-				Req->argv[arg_arg][0] = '\0';
-				arg_arg++;
-			} else {
-#ifdef STRICT_RFC
-				/* Only send error message in "strict" mode,
-				 * this is how ircd2.11 and others behave ... */
-				connected = IRC_WriteErrClient(Origin,
-					ERR_NEEDMOREPARAMS_MSG,
-					Client_ID(Origin), Req->command);
-#endif
+						ERR_NEEDMOREPARAMS_MSG,
+						Client_ID(Origin), Req->command);
 				goto chan_exit;
 			}
+			l = atol(Req->argv[arg_arg]);
+			if (l <= 0 || l >= 0xFFFF) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got MODE +l with invalid limit for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
+					connected = IRC_WriteErrClient(Origin,
+						ERR_INVALIDMODEPARAM_MSG,
+						Client_ID(Origin),
+						Channel_Name(Channel), 'l');
+				goto chan_exit;
+			}
+			if (is_oper || is_machine || is_owner ||
+			    is_admin || is_op || is_halfop) {
+				Channel_ModeDel(Channel, 'l');
+				Channel_SetMaxUsers(Channel, l);
+				snprintf(argadd, sizeof(argadd), "%ld", l);
+				x[0] = *mode_ptr;
+			} else {
+				connected = IRC_WriteErrClient(Origin,
+					ERR_CHANOPRIVSNEEDED_MSG,
+					Client_ID(Origin),
+					Channel_Name(Channel));
+			}
+			Req->argv[arg_arg][0] = '\0';
+			arg_arg++;
 			break;
 		case 'O': /* IRC operators only */
 			if (set) {
@ -721,6 +748,14 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 			break;
 		/* --- Channel user modes --- */
 		case 'q': /* Owner */
+			if(!is_oper && !is_machine && !is_owner) {
+				connected = IRC_WriteErrClient(Origin,
+					ERR_CHANOPPRIVTOOLOW_MSG,
+					Client_ID(Origin),
+					Channel_Name(Channel));
+				goto chan_exit;
+			}
+			/* fall through */
 		case 'a': /* Channel admin */
 			if(!is_oper && !is_machine && !is_owner && !is_admin) {
 				connected = IRC_WriteErrClient(Origin,
@ -729,6 +764,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 					Channel_Name(Channel));
 				goto chan_exit;
 			}
+			/* fall through */
 		case 'o': /* Channel operator */
 			if(!is_oper && !is_machine && !is_owner &&
 			   !is_admin && !is_op) {
@ -738,6 +774,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 					Channel_Name(Channel));
 				goto chan_exit;
 			}
+			/* fall through */
 		case 'h': /* Half Op */
 			if(!is_oper && !is_machine && !is_owner &&
 			   !is_admin && !is_op) {
@ -747,6 +784,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 					Channel_Name(Channel));
 				goto chan_exit;
 			}
+			/* fall through */
 		case 'v': /* Voice */
 			if (arg_arg > mode_arg) {
 				if (is_oper || is_machine || is_owner ||
@ -823,7 +861,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 			break;
 		default:
 			if (Client_Type(Client) != CLIENT_SERVER) {
-				Log(LOG_DEBUG,
+				LogDebug(
 				    "Unknown mode \"%c%c\" from \"%s\" on %s!?",
 				    set ? '+' : '-', *mode_ptr,
 				    Client_ID(Origin), Channel_Name(Channel));
@ -833,7 +871,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 					Channel_Name(Channel));
 				x[0] = '\0';
 			} else {
-				Log(LOG_DEBUG,
+				LogDebug(
 				    "Handling unknown mode \"%c%c\" from \"%s\" on %s ...",
 				    set ? '+' : '-', *mode_ptr,
 				    Client_ID(Origin), Channel_Name(Channel));
@ -904,7 +942,7 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 		if (Client_Type(Client) == CLIENT_SERVER) {
 			/* MODE requests for local channels from other servers
 			 * are definitely invalid! */
-			if (Channel_IsLocal(Channel)) {
+			if (Channel_IsLocal(Channel) && Client != Client_ThisServer()) {
 				Log(LOG_ALERT, "Got remote MODE command for local channel!? Ignored.");
 				return CONNECTED;
 			}
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				<pkg-contents spec="1.12"><f n="ngircd.dest" o="root" g="admin" p="16877" pt="../../ngircd.dest" m="false" t="file"><f n="opt" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="16877"><f n="etc" o="root" g="admin" p="16877"><f n="ngircd.motd" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="sbin" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="33261"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="share" o="root" g="admin" p="16877"><f n="doc" o="root" g="admin" p="16877"><f n="ngircd" o="root" g="admin" p="16877"><f n="AUTHORS" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Bopm.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="ChangeLog" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="COPYING" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="FAQ.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="GIT.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="HowToRelease.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="INSTALL" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="NEWS" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="PAM.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Platforms.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Protocol.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-AUX.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-BeOS.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="README-Interix.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="RFC.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="sample-ngircd.conf" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="Services.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><f n="SSL.txt" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="man" o="root" g="admin" p="16877"><f n="man5" o="root" g="admin" p="16877"><f n="ngircd.conf.5" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><f n="man8" o="root" g="admin" p="16877"><f n="ngircd.8" o="root" g="admin" p="33188"><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f><mod>group</mod><mod>owner</mod></f></pkg-contents>
				`@ -1 +0,0 @@`
				<pkgref spec="1.12" uuid="46208410-4A1B-48C6-97BD-DE284F13F864"><config><identifier>de.barton.ngircd.daemon.pkg</identifier><version>17.1</version><description></description><post-install type="none"/><requireAuthorization/><installFrom>../../ngircd.dest</installFrom><installTo mod="true">/</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>extraFiles</mod><mod>installTo</mod><mod>installTo.isAbsoluteType</mod><mod>scripts.preinstall.path</mod><mod>identifier</mod><mod>parent</mod><mod>version</mod><mod>installTo.path</mod><mod>scripts.preupgrade.path</mod><mod>requireAuthorization</mod></config><contents><file-list>02ngircd-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra-files/></pkgref>
				`@ -1 +0,0 @@`
				`<pkg-contents spec="1.12"><f n="de.barton.ngircd.plist" o="root" g="wheel" p="33188" pt="/Users/alex/Develop/ngircd/alex.git/contrib/MacOSX/de.barton.ngircd.plist" m="false" t="file"><mod>group</mod><mod>owner</mod></f></pkg-contents>`
				`@ -1 +0,0 @@`
				<pkgref spec="1.12" uuid="F0954DA7-0607-4277-AE10-D882AC7C38CA"><config><identifier>de.barton.ngircd.launchscript.pkg</identifier><version>17.1</version><description></description><post-install type="none"/><requireAuthorization/><installFrom relative="true">de.barton.ngircd.plist</installFrom><installTo mod="true">/Library/LaunchDaemons</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>scripts.preinstall.path</mod><mod>installTo</mod><mod>scripts.postinstall.path</mod><mod>scripts.postinstall.isRelativeType</mod><mod>installFrom.isRelativeType</mod><mod>installTo.isAbsoluteType</mod><mod>version</mod><mod>parent</mod><mod>scripts.preupgrade.path</mod><mod>identifier</mod><mod>scripts.postupgrade.path</mod><mod>requireAuthorization</mod><mod>extraFiles</mod><mod>scripts.postupgrade.isRelativeType</mod><mod>installTo.path</mod></config><scripts><preinstall relative="true" mod="true">preinstall.sh</preinstall><postinstall relative="true" mod="true">postinstall.sh</postinstall><preupgrade relative="true" mod="true">preinstall.sh</preupgrade><postupgrade relative="true" mod="true">postinstall.sh</postupgrade></scripts><contents><file-list>01de-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra-files/></pkgref>