path: root/irc.c

Commit message (Author, Age)
* Perform TLS handshake after final pledge (Klemens Nanni, 2021-07-13)

  ircConnect() yields a connected TCP socket after which "inet dns" is no longer needed. Possibly having loaded private key material, it seems a tad more comforting to speak TLS *after* dropping any network capabilities (except for socket read/write to the IRC host, of course).

  Instead of moving the final pledge into irc.c:ircConnect() and thus complicating the code around pledge across two C modules, simply stub out a mnemonic ircHandshake() and call that explicitly.

  This restores behaviour gained with 981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which was reverted for other reasons.
* Explicitly clear TLS secrets after handshake (Klemens Nanni, 2021-07-13)

  No need to keep them at runtime; do so unconditionally for the sake of simplicity.

  Declare TLS config globally so ircConnect() can clear it and declare both client and config statically as they are not used outside the irc.c module.
* Revert "Remove explicit tls_handshake(3) from ircConnect" (Klemens Nanni, 2021-07-13)

  This reverts commit 981ebc4f12b88fbf52ed0352428a0612dd2c2568.

  This broke `-o' to print the server certificate; without explicit handshake there will be no tls_read(3) in this short code path.
* Remove explicit tls_handshake(3) from ircConnect (June McEnroe, 2021-06-25)

  The first call to ircFormat, which calls tls_write(3) in turn, will perform the handshake anyway. This way the handshake happens after the final pledge(2) call.
* Move setting CLOEXEC on socket to ircConnect (June McEnroe, 2021-06-25)
* Handle EINTR from connect(2) gracefully (Klemens Nanni, 2021-06-21)

  Resizing the window early on may return early due to SIGWINCH. Continue asynchronously in that case instead of exiting.
* Use "secure" libtls ciphers (Klemens Nanni, 2021-06-20)

  d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat" ciphers to support irc.mozilla.org which now yields NXDOMAIN.

  All modern networks (should) support secure ciphers, so drop the hopefully unneeded list of less secure ciphers by avoiding tls_config_set_ciphers(3) and therefore sticking to the "secure" aka. "default" set of ciphers in libtls.

  A quick check shows that almost all of the big/known IRC networks support TLS1.3 already; those who do not at least comply with SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

      echo \
          irc.hackint.org \
          irc.tilde.chat \
          irc.libera.chat \
          irc.efnet.nl \
          irc.oftc.net |
      xargs -tn1 \
          openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
* Handle TLS_WANT_POLL{IN,OUT} from tls_handshake(3) (June McEnroe, 2021-06-20)

  For blocking sockets it should be retried immediately.
* Only explicitly load the default CA file on OpenBSD (June McEnroe, 2021-06-10)
* Hoist loading default root certificates into ircConfig() (Klemens Nanni, 2021-06-10)

  tls_connect_socket(3) in ircConnect() does that by default already unless tls_config_set_ca_file(3) was used.

  Loading CA certificates before connecting makes no practical difference except on OpenBSD where this allows for tighter unveil and pledge setups now that all required (TLS related) file I/O is finished by the time ircConnect() gets to do network I/O.

  In case of the hidden `-!' insecure flag which is implied by `-o' to print server certificates and exit, loading root certificates is not required at all; likewise, using explicit self signed server certificates will not involve certificate authorities either, hence load them only if needed.
* Print chain to stdout with -o (June McEnroe, 2021-01-10)
* Add -o and -t options to trust self-signed certificates (June McEnroe, 2021-01-09)
* Use a static buffer for base directory paths (June McEnroe, 2020-08-21)
* Use configPath to load TLS cert/priv (June McEnroe, 2020-08-20)
* Say "OpenSSL" in additional permission notices (June McEnroe, 2020-08-04)

  LibreSSL is "a modified version of that library".
* Remove tls_close error handling (June McEnroe, 2020-07-23)

  It seems that sometimes tls_close returns non-zero but tls_error returns a null string... We're exiting anyway, so just ignore it.
* Bump ParamCap to 254 (June McEnroe, 2020-06-24)

  Apparently IRCds have decided that the 15-parameter limit doesn't matter anymore. 254 is the maximum number of single-byte parameters (following a single-byte command) which fit in a 512-byte CR-LF-terminated line.

  When everyone decides that the 512-byte line length limit doesn't matter either, I will delete my software and people can use some JavaScript garbage instead.

  This makes struct Message 2080 bytes, but there's only ever one or two of them around at once. Avoid passing it by value to handle.
* Add additional permission for linking with LibreSSL (June McEnroe, 2020-06-08)

  https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs
* Use the correct hostname in error message (multiplexd, 2020-02-17)

  Previously, the remote host to which catgirl(1) is connecting was used in error reporting instead of the local bind address if the latter could not be resolved.
* Various small cleanups (June McEnroe, 2020-02-16)

  Haven't really gone through ui.c yet.
* Replace small integers in size_t with uint (June McEnroe, 2020-02-15)
* Explicitly close the TLS connection (June McEnroe, 2020-02-13)

  Just to be nice.
* Implement source address selection (multiplexd, 2020-02-13)

  This commit adds a '-S' command line option and a "bind" configuration file option to specify the source address to bind to when connecting to the IRC server.
* Search for cert and priv in config dirs (June McEnroe, 2020-02-06)
* Align word wrapping with tab character (June McEnroe, 2020-02-04)

  Also fixes handling whitespace directly after control codes.
* Remove style string macros (June McEnroe, 2020-02-02)
* Implement the beginnings of UI (June McEnroe, 2020-02-01)

  It takes so much code to do anything in curses...
* Add -v flag (June McEnroe, 2020-02-01)
* Blindly implement login flow (June McEnroe, 2020-02-01)