Commit message | Author | Age
* Use NS and CS server aliases | June McEnroe | 2021-06-21

  I think I didn't use these originally because they were misconfigured on tilde.chat, but they work now, and supposedly server aliases should be more secure/reliable.
* Open log files with CLOEXEC | June McEnroe | 2021-06-21
* Open save file with CLOEXEC | June McEnroe | 2021-06-21

  Otherwise a lingering process from /copy for example could hold the lock.
* Use "secure" libtls ciphers | Klemens Nanni | 2021-06-20

  d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat" ciphers to support irc.mozilla.org which now yields NXDOMAIN.

  All modern networks (should) support secure ciphers, so drop the hopefully unneeded list of less secure ciphers by avoiding tls_config_set_ciphers(3) and therefore sticking to the "secure" aka. "default" set of ciphers in libtls.

  A quick check shows that almost all of the big/known IRC networks support TLS1.3 already; those who do not at least comply with SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

      echo \
          irc.hackint.org \
          irc.tilde.chat \
          irc.libera.chat \
          irc.efnet.nl \
          irc.oftc.net |
      xargs -tn1 \
          openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
* OpenBSD: Only unveil used directories | Klemens Nanni | 2021-06-20

  dataMkdir() already picked the appropriate directory so make it return that such that unveilData() can go as only that one directory needs unveiling.
* Handle "\1ACTION\1" empty actions | June McEnroe | 2021-06-20
* Don't match actions in notices | June McEnroe | 2021-06-20
* Handle TLS_WANT_POLL{IN,OUT} from tls_handshake(3) | June McEnroe | 2021-06-20

  For blocking sockets it should be retried immediately.
* Add -m mode option to set user modes | June McEnroe | 2021-06-18
* Handle 338 as whois reply | June McEnroe | 2021-06-17

  Used by Solanum for "actually using host".
* Match window substrings case-sensitively | June McEnroe | 2021-06-17

  Case-insensitivity was copied from regular complete(), but other commands which take substrings (/open and /copy) match case-sensitively.
* Match windows by substring in /window | June McEnroe | 2021-06-17

  This could just iterate over idNames instead, but using complete means more recently used windows will match first.
* Clean up if restricted && logEnable, pipe creation | June McEnroe | 2021-06-17
* Add mailing list archive to README | June McEnroe | 2021-06-17
* chat.tmux.conf: Make window selection hotkeys match window numbers | Klemens Nanni | 2021-06-17

  The 'pick chat network' binding on F1 lists tmux windows as follows and tmux's `choose-tree -Z' lets you jump to the window by pressing the key denoted inside parentheses.

  Set `base-index 1' so as to make window indices match up the hotkey number instead of being off-by-one due to the session itself being the first entry in the list.

      (0) - chat-5: 8 windows (group chat: chat-0,chat-1,chat-2,chat-3,chat-4,chat-5,chat-6) (attached)
      (1) ├─> 1: hackint: "example.com"
      (2) ├─> 2: efnet: "example.com"
      ...

  PS: Update existing sessions by updating chat.tmux.conf, pressing F5 then running `prefix-: move-window -r' to renumber all windows.
* Send PINGs when server is quiet and die if no response | June McEnroe | 2021-06-15

  Every time we receive from the server, reset a timer. The first time the timer triggers, send a PING. The second time the timer triggers, die from ping timeout.

  I'm not sure about these two intervals: 2 minutes of idle before a PING, 30s for the server to respond to the PING.
* OpenBSD: Simplify promise creation after seprintf() introduction | Klemens Nanni | 2021-06-15

  Just truncate the initial promises back to the final ones after pledging for the first time, saving code and memory.

  Assign `ptr' in all initial `seprintf()' calls for consistency while here.
* OpenBSD: pledge final promises earlier | Klemens Nanni | 2021-06-14

  No need to wait for so long. This also brings all the pledge code on one screen and helps show how ircConnect() is the only relevant part in between initial and final promises.
* Treat `-T's optional argument as optional | Klemens Nanni | 2021-06-14

  `-T[format]' is not possible with getopt(3) but getopt_long(3) supports "T::" exactly for that, so make the command line option go in line with configuration files and documentation.

  While here, check `has_arg' explicitly as getopt_long(3) only documents mnemonic values not numerical ones.
* Add \com text macro | June McEnroe | 2021-06-14
* /exec without controlling terminal | Klemens Nanni | 2021-06-13

  Otherwise "/exec sh </dev/tty" takes over and catgirl must effectively be killed to stop the madness; with this diff:

      catgirl input| /exec sh </dev/tty
      catgirl output| /bin/sh: cannot open /dev/tty: Device not configured
      catgirl output| Process exits with status 1

  Do the same for `-C/Copy', `-N/notify' and `-O/open' alike.
* Exit on data directory creation error | Klemens Nanni | 2021-06-13

  No point in creating (sub)directories when the given root failed already as is the case when e.g. XDG_DATA_HOME/catgirl/ itself is bogus (cleaned stderr intermingled with ncurses setup/catgirl output):

      $ env -i TERM=xterm XDG_DATA_HOME=/ ./catgirl -h irc.hackint.eu -n nobody -l
      catgirl: //catgirl/: Permission denied
      catgirl: //catgirl/log: No such file or directory
      catgirl: //catgirl/log/hackint: No such file or directory
      catgirl: //catgirl/log/hackint/NickServ: No such file or directory
      catgirl: //catgirl/: Permission denied
      catgirl: //catgirl/log/hackint/NickServ/2021-06-13.log: No such file or directory
* OpenBSD: no need to read data files (logs) | Klemens Nanni | 2021-06-13

  One of the last changes missed this, but it is a NOOP anyway since "rpath" is not pledged any longer.
* Reset formatting after realname in setname | June McEnroe | 2021-06-12

  Missed this one.
* Fix unknown file signature error | June McEnroe | 2021-06-11
* Exclusively lock save file | June McEnroe | 2021-06-11

  Prevents two instances of catgirl from using the same save file and clobbering each other's data.
* Open save file with "a+" | June McEnroe | 2021-06-11

  Avoids another small TOCTOU. Rewind before loading since "a+" sets the file position at the end. Remove unnecessary fseek after truncation, since "a+" always writes at the end of the file.
* OpenBSD: Drop now unneeded file system access for save file | Klemens Nanni | 2021-06-11

  All opening happens before unveil/pledge and the file handle is kept open read/write so it can be used without any pledge.

  Simpler/less code and less chances to write other files (accidentally).
* Open save file once in uiLoad() and keep it open until uiSave() | Klemens Nanni | 2021-06-11

  Opening the same file *path* twice is a TOCTOU, although not a critical one: worst case we load from one file and save to another - the impact depends on how and when catgirl is started the next anyway.

  More importantly, keeping the file handle open at runtime allows us to drop all filesystem related promises for `-s/save' on OpenBSD.

  uiLoad() now opens "r+", meaning "Open for reading and writing." up front so uiSave() can write to it. In the case of a nonexistent save file, it now opens with "w" meaning "Open for writing. The file is created if it does not exist.", i.e. the same write/create semantics as "w" except uiLoad() no longer truncates existing files.

  uiSave() now truncates the save file to avoid appending in general.
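The save-file handling that the entries "Open save file with CLOEXEC", "Exclusively lock save file", 'Open save file with "a+"' and "Open save file once in uiLoad() and keep it open until uiSave()" arrive at, as an added example that is not catgirl's source: the names `save_open` and `save_write`, the 0600 mode and the file name `example.save` are assumptions.

```c
#define _DEFAULT_SOURCE 1 /* flock(2), fdopen(3) under a strict -std= */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Added example. Opens the save file exactly once (creating it if needed,
 * never truncating), close-on-exec so spawned commands do not inherit the
 * descriptor and its lock, and takes an exclusive non-blocking lock.
 * Returns NULL with errno set; EWOULDBLOCK means another holder exists. */
FILE *save_open(const char *path) {
	int fd = open(path, O_RDWR | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
	if (fd < 0) return NULL;
	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
		int e = errno;
		close(fd);
		errno = e;
		return NULL;
	}
	FILE *f = fdopen(fd, "a+");
	if (!f) {
		int e = errno;
		close(fd);
		errno = e;
		return NULL;
	}
	rewind(f); /* append mode may start at the end; loading reads from 0 */
	return f;
}

/* Replaces the contents through the handle that was loaded from, so no
 * second path lookup happens and no filesystem access is needed later. */
int save_write(FILE *f, const char *data) {
	rewind(f); /* positioning call required between reading and writing */
	if (ftruncate(fileno(f), 0) < 0) return -1;
	if (fputs(data, f) == EOF) return -1;
	return fflush(f); /* O_APPEND puts the data at the (now empty) end */
}

int main(void) {
	FILE *f = save_open("example.save"); /* constructed file name */
	if (!f) { perror("example.save"); return 1; }
	int rc = save_write(f, "window state\n");
	fclose(f);
	return rc ? 1 : 0;
}
```

The lock belongs to the open file description, so a second `save_open()` on the same path fails until the first stream is closed, whether it comes from another process or from the same one.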
* Rename file to saveFile | Klemens Nanni | 2021-06-11

  Separate churn from actual change in upcoming diff, no functional change.
* OpenBSD: Hoist loading save file to drop filesystem read-access | Klemens Nanni | 2021-06-11

  After TLS cert/key files, the save file is the only file being read from; do so before pledging and drop the "rpath" promise altogether: log files will only be created and written to.
* Match gemini URLs | June McEnroe | 2021-06-11
* Avoid trailing comma in whois channels lists | June McEnroe | 2021-06-10

  The format of the reply is defined as "<nick> :{[@|+]<channel><space>}".
* Move unveilAll back into main | June McEnroe | 2021-06-10

  It doesn't do as much anymore, so move it back inline.
* Only explicitly load the default CA file on OpenBSD | June McEnroe | 2021-06-10
* OpenBSD: Drop now unneeded promise from initial pledge | Klemens Nanni | 2021-06-10

  Both ssl(8) as well as ncurses(3) related files are now read completely by the time of ircConfig() and uiInitEarly() respectively, so read access to the filesystem is no longer needed at all unless the "log" or "save" options are used.
* OpenBSD: Remove now obsolete unveil code | Klemens Nanni | 2021-06-10

  Previous tls_default_ca_cert_file(3) hoisting makes this possible: all TLS related files are fully loaded into memory by ircConfig() such that ircConnect() will not do any file I/O.

  Call ircConfig() before pledge(2) in the `-o' "print cert" case so this works out -- that order should have been preserved in the previous a989e15 "OpenBSD: hoist -o/printCert code to simplify" but fixing it now nicely demonstrates the achievement even more so.
* Hoist loading default root certificates into ircConfig() | Klemens Nanni | 2021-06-10

  tls_connect_socket(3) in ircConnect() does that by default already unless tls_config_set_ca_file(3) was used.

  Loading CA certificates before connecting makes no practical difference except on OpenBSD where this allows for tighter unveil and pledge setups now that all required (TLS related) file I/O is finished by the time ircConnect() gets to do network I/O.

  In case of the hidden `-!' insecure flag which is implied by `-o' to print server certificates and exit, loading root certificates is not required at all; likewise, using explicit self signed server certificates will not involve certificate authorities either, hence load them only if needed.
* Avoid creating out-of-bounds pointer when checking for seprintf truncation | Michael Forney | 2021-06-09

  It is technically undefined behavior (see C11 6.5.6p8) to construct a pointer more than one past the end of an array. To prevent this, compare n with the remaining space in the array before adding to ptr.
* Remove catf | June McEnroe | 2021-06-09
* Replace catf with seprintf | June McEnroe | 2021-06-09
* Add seprintf | June McEnroe | 2021-06-09

  Based on seprint(2) from Plan 9. I'm not sure if my return value exactly matches Plan 9's in the case of truncation. seprint(2) is described only as returning a pointer to the terminating '\0', but if it does so even in the case of truncation, it is awkward for the caller to detect. This implementation returns end in the truncation case, so that (ptr == end) indicates truncation.
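The `(ptr == end)` truncation convention from this entry, combined with the bounds check from "Avoid creating out-of-bounds pointer when checking for seprintf truncation" and the truncate-back use from "OpenBSD: Simplify promise creation after seprintf() introduction", as an added example that is not catgirl's source. The body of `seprintf`, the helper `build_promises` and its parameters are assumptions; the promise sets follow the "OpenBSD: pledge minimum promises from the start" entry, and no pledge(2) call is made.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example. Formats into [ptr, end) and returns a pointer to the
 * terminating '\0', or `end` when the output was truncated. */
char *seprintf(char *ptr, char *end, const char *fmt, ...) {
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(ptr, (size_t)(end - ptr), fmt, ap);
	va_end(ap);
	/* Assumption: a formatting error is reported like truncation. */
	if (n < 0) return end;
	/* Compare n with the space left before adding it to ptr: forming
	 * ptr + n beyond one-past-the-end is undefined (C11 6.5.6p8). */
	if (n >= end - ptr) return end;
	return ptr + n;
}

/* Hypothetical helper: writes the stage-1 (initial) promises into buf and
 * returns the length of the stage-2 (final) prefix, or -1 on truncation.
 * Once a call returns `end`, later calls get zero space and return `end`
 * again, so one check after the whole chain is enough. */
int build_promises(char *buf, size_t cap, int restricted, int files) {
	char *end = buf + cap;
	char *ptr = seprintf(buf, end, "stdio tty");
	if (!restricted) ptr = seprintf(ptr, end, " proc exec");
	if (files) ptr = seprintf(ptr, end, " rpath wpath cpath");
	char *final = ptr; /* everything after this is startup-only */
	ptr = seprintf(ptr, end, files ? " inet dns" : " rpath inet dns");
	if (ptr == end) return -1;
	return (int)(final - buf);
}

int main(void) {
	char promises[64];
	int cut = build_promises(promises, sizeof promises, 1, 0);
	if (cut < 0) return 1;
	printf("initial: %s\n", promises); /* would go to the first pledge(2) */
	promises[cut] = '\0';              /* truncate back to the final set */
	printf("final:   %s\n", promises); /* would go to the second pledge(2) */
	return 0;
}
```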
* OpenBSD: pledge minimum promises from the start | Klemens Nanni | 2021-06-09

  catgirl needs:
  - "stdio tty" at all times
  - "rpath inet dns" once at startup for terminfo(5) and ssl(8)
  - "proc exec" iff -R/restrict options is disabled
  - "rpath wpath cpath" iff -s/save or -l/log options is enabled

  Status quo: catgirl starts with the superset of all possible promises "stdio rpath wpath cpath inet dns tty proc exec", drops offline with "stdio rpath wpath cpath tty proc exec" and possibly drops to either of "stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty" depending on the options used.

  Such step-by-step reduction is straight forward and easy to model along the process runtime, but it comes with the drawback of starting with too broad promises right from the beginning, i.e. `catgirl -R -h host' is able to execute code and write to filesystems even though it must never do so according to the (un)used options.

  Lay out required promises up front and pledge in two stages:
  1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns" plus potential "rpath wpath cpath" plus potential "proc exec"
  2. final runtime, i.e. fixed "stdio tty" plus potential "rpath wpath cpath" plus potential "proc exec"

  This way the above mentioned usage example can never execute or write files, hence less potential for bugs and more accurate modelling of catgirl's runtime -- dropping "inet dns" alone in between also becomes obsolete with this approach.
* OpenBSD: unveil after ncurses(3) init to support TERMINFO | Klemens Nanni | 2021-06-09

  initscr(3) in uiInitEarly() attempts more than /usr/share/terminfo/, see `mandoc -O tag=TERMINFO ncurses`.

  Even though non-default terminfo handling seems rare and it is unlikely to have ever caused a problem for catgirl users on OpenBSD, the current is still wrong by oversimplifying it.

  Avoid the entire curses/unveil clash by setting up the screen before unveiling.
* OpenBSD: hoist -o/printCert code to simplify | Klemens Nanni | 2021-06-09

  Nothing but the TLS handshake is required, so skip all other setup.

  On OpenBSD, unveil() handling needs fixing which will involve code reshuffling -- this is the first related but standalone step.

  Also pledge this one-off code path individually such with simpler and tighter promises while here.
* Pad kiosk username with zero, not space | June McEnroe | 2021-06-06

  Oops!
* OpenBSD: unveil XDG directories only when needed | Klemens Nanni | 2021-06-06

  The (not perfectly obvious) way catgirl crafts directories gets triggered by unveilAll() even if no passed option requires filesystem access:

      $ env -i TERM=xterm ./catgirl -h irc.hackint.eu -R -n nobody
      catgirl: HOME unset

  Here unveil(2) is used due to the "restrict" option, but besides terminfo(5) and certificates catgirl does not need any other files, yet it tries to init the data path -- passing XDG_DATA_HOME=/var/empty makes above invocation work showing how the then successful path setup is not required.

  Fix this by not unveiling the unneeded data path in the first place.
* Nickname defaults to system's username not IRC username | Klemens Nanni | 2021-06-05

  "username" alone is ambiguous and without jumping to ENVIRONMENT explaining the use of USER, catgirl's user- and nickname options read like pointing at each other:

      -n nick | nick = nick
              Set nickname to nick. The default nickname is the user's name.
      [...]
      -u user | user = user
              Set username to user. The default username is the same as the nickname.

  Clarify that `-n' does *not* default to `-u's value.
* Avoid writing past the end of the status bar | Michael Forney | 2021-06-05

  When waddnstr is called with a string that would extend past the end of the window, the string is truncated, the cursor remains at the last column, and ERR is returned. If this error is ignored and the loop continues, the next call to waddnstr overwrites the character at this column, resulting in a slight visual artifact.

  When the window is too small to fit the full status line, it is effectively truncated by one space on the right, since the string shown for each channel begins with a space. Additionally, if the last window is the current window, the space is shown with a colored background.

  To fix this, when waddnstr returns ERR, exit the loop in styleAdd() early and return -1 to propagate this error down to the caller.
* List windows with /window 1.8 | June McEnroe | 2021-05-28

  Reuse the /window command to preserve /wi abbreviation.