Holding the lock around session establishment should not be needed,
but we need to protect tls_certificate read and usage.  Since we
don't have rwlocks in xpdev (yet?), hack together a crappy rwlock
that does what we need.

Also, remove "CONSECUTIVE", which doesn't really make sense when the number
of login attempts in 1.

There's a hidden checkbox on the CodeInputForm now (explaining why the edit/
combo box is now moved up).

Renamed the "Perm Filter Threshold" to "Auto Filter Threshold".

Changed help text from "Permanent" to "Persistent"

More readable/friendly log messages and ip.can reason strings

The number of failed login attempts. It's something.

Update wording and add more help text.

Now a sysop can "perm block" a client (IP address) for a limited amount of
time rather than always forever.

Add more displays of the ip.can details when actively blocking a client.

Moved twit/trash functions from userdat.c to trash.c

For symmetry

I wanted a couple of features for filters (e.g. blocked IP addreses):
- expiration date, optionally (only block for a limited time)
- display details of reason for filter in log messages (at time of block)

I've been thinking for some time that these files should be converted to .ini,
but then it occurred to me that I could do a sort of hybrid where the metadata
was key/value pairs tab-delimited from the search-pattern (first text on the
line). This is backward comaptible, relatively easy to view/edit by hand, and
extensible (easy to add/remove metadata fields in the future). So they'll
remain as text/*.can files.

The maximum line length for findstr/trashcan parsed files extended from 255 to
1000 characters.

Moved all trashcan-related functions from scfglib1.c to (new file) trash.c.

For the first time, I actually tested a build on WSL *before* committing to
Git. So, this *should* pass CI the first time. :-O

So move to nopen.h

Move the nopen-specific constants from sbbsdefs.h to nopen.c

This helps svdmodem to use findstr->nopen without more sbbs/smblib deps

... especially around incoming connection acceptance, blocked-IPs/hostnames

Many searches are done (e.g. in the mail server, QWK import) for either of 2
strings in single file or list, so let's optimize that to a single iteration
through the file/list. This should reduce some redundant file I/O.

I do find this API a little confusing with the filename or list at the end
of the argument list, but kept it consistent with the existing single string
findstr functions (which are now just wrappers for the new 2-string flavors).

I noticed during this update that findstr() did not share the same behavior
as findstr_in_list() (feature added in commit f08f2137) whereby if all the
patterns were negative searches (beginning with '!'), then *all* the
negative matches would have to be successful (not just the first) for the
function to return true. So now findstr() behaves like findstr_in_list()
in this regard.

I also added some optimizations to findstr_in_string().

Using "Warning" log levels more for things that the sysop might be able to do
something about. If it's just an input data validation (from a random TCP/IP
client), use "Notice" log level instead.

The terminal server log output is still the odd ball.

The time span over which consecutive failed logins are attempted is important

'@' is in the name.can by default and the mail server recognizes user@addr
formatted logins/attempts, so truncate at the '@' before comparing against
the name.can file to prevent false !TEMPORARY BAN (1 login attempts, ...
occurences.

The log format and details might need some adjustment, but this is a start.

Also, don't delay 3 seconds before disconnecting socket when mail server has
reached maximum number of clients - we should immediately release resources
(the socket) and be able to accept another connection ASAP instead.

Deal with new CID 470557 and 470554 in mail server: resource (file*)
leaks in error paths (corner case).

Set minimum severity of TLS messages in web sever to INFO. Debug-level would
hide some common TLS session errors.

That's percent minus, to go with percent plus (user's real name).

The string is auto-quoted if it contains a space.

For Keyop's use with rlogin.js, maybe.

When a JS environment (e.g. server, jsexec) is terminated, it's possible
that a require() script was being evaluated. But since termination would
abort that evaluation, it's not unexpected if a symbol ends up not being
defined before the require() script was terminated, so don't report an
error in that case.

Fix issue #681