Commit Graph

1001 Commits (ee82e5d376dc2c329a1833a181f7353aa62dcb64)

Author SHA1 Message Date
C. McEnroe 54c632e8c3 chroot: Factor out and add OpenBSD build 2021-09-27 19:16:45 +00:00
C. McEnroe 191163cc75 Request znc.in/self-message if available
catgirl correctly handles receiving "self-messages". pounce always
sends them.

[1]: https://wiki.znc.in/Query_buffers
[2]: https://defs.ircdocs.horse/info/selfmessages.html
2021-09-20 20:25:11 -04:00
C. McEnroe 506c5ad906 Correct handling of colons in SASL PLAIN
Only the first colon should be replaced with a null byte.

Ported from pounce.
2021-09-09 12:44:01 -04:00
C. McEnroe be9bffdf49 Match id names case-insensitively
This fixes the case where an IRCd does not normalize channel names,
e.g. PRIVMSG #TEST is relayed as-is, rather than as #test or whatever
the canonical casing of the channel name is. It also fixes the case
of opening a query window with incorrect case, e.g. /query nickserv.

However, this solution is only completely correct when
CASEMAPPING=ascii.[1] I do not think the extra mappings of
CASEMAPPING=rfc1459 are relevant enough to justify adding the code
to handle it.

[1]: https://modern.ircdocs.horse/#casemapping-parameter
2021-08-26 12:59:57 -04:00
C. McEnroe 1f800bcf69 Remove trailing tab
How embarrassing.
2021-08-25 17:48:16 -04:00
C. McEnroe df1e561378 Handle tags without values
Otherwise a tag with no value would cause a segfault trying to
unescape the NULL tag pointer. This shouldn't happen for the server
tags we parse, but clients could send @+draft/reply with no value.
2021-08-15 12:24:15 -04:00
C. McEnroe 3f3585d0f3 Fix missing include for flock(2)
On OpenBSD it's in <fcntl.h>, and it gets declared anyway on FreeBSD
and macOS. Curiously, on GNU/Linux, LOCK_* are defined, but flock(2)
isn't declared.
2021-08-09 20:14:24 -04:00
C. McEnroe a585b1b073 Silence maybe uninitialized warning
Wouldn't happen anyway since configPath will always return at least
one path.
2021-08-09 20:12:44 -04:00
C. McEnroe 56139227a4 Use (bright) red for \com text macro 2021-07-26 18:25:05 -04:00
C. McEnroe 78a020df82 chroot: Avoid passing paths to -s 2021-07-20 21:27:24 -04:00
C. McEnroe d9388fa2a8 FreeBSD: Revert caph_enter(3) call to cap_enter(2)
caph_enter(3) is the same as cap_enter(2) except that it returns
success even if the kernel does not support capability mode. Since
we only enter capability mode when explicitly requested by the
restrict option, it should fail loudly if it is not supported. On
the other hand, we make calls to caph_rights_limit(3) and friends
in some places regardless of whether we actually enter capability
mode (to keep the code simple), so those should continue to succeed
even if capability mode is not supported.
2021-07-20 13:25:04 -04:00
C. McEnroe 347e2b461f Don't apply uiThreshold to Network and Debug
Messages don't really need to be hidden from <network> and I think
it could be confusing. Debug messages are all Cold so everything
would be hidden, and I want to keep them that way so that <debug>
doesn't clutter the status line needlessly.
2021-07-20 12:09:24 -04:00
Klemens Nanni f8e3414af0 Add -q/quiet option to raise default message visibility threshold
Silencing all windows with `M-+' (across multiple catgirl instances)
can be cumbersome, so provide an option to hide events, JOIN/PART noise,
etc. by default (each window's threshold will persist across load/save
cycles, i.e. when using the `-s/save' option).

Started out as `-v | visibility = threshold' to set a specific level,
the idea of a simpler toggle comes from june, who also squashed other
bugs (as usual).
2021-07-20 12:03:46 -04:00
Klemens Nanni 773d5bbdc0 chat.tmux.conf: Fix base-index setting
"base-index" expects integer values, tmux prints a warning at load-time
but otherwise ignores the configuration line.
2021-07-15 14:43:30 -04:00
Klemens Nanni e365bae8e0 Use /ns in manual example
Follow a79a3fc "Use NS and CS server aliases".
2021-07-15 14:42:33 -04:00
C. McEnroe 2f8ec18e65 Move platform-dependent sandboxing code out of main
To keep the "main" sequence of events on one screen, while emphasizing
that sandboxing happens either side of ircConnect().
2021-07-13 16:28:33 -04:00
C. McEnroe ce53e309e6 Move all UI initialization together 2021-07-13 15:39:16 -04:00
Klemens Nanni ae332f6e8d Perform TLS handshake after final pledge
ircConnect() yields a connected TCP socket after which "inet dns" is
no longer needed.

Possibly having loaded private key material, it seems a tad more
comforting to speak TLS *after* dropping any network capabilities
(except for socket read/write to the IRC host, of course).

Instead of moving the final pledge into irc.c:ircConnect() and thus
complicating the code around pledge across two C modules, simply
stub out an mnemonic ircHandshake() and call that explicitly.

This restores behaviour gained with
981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which
was reverted for other reasons.
2021-07-13 15:21:57 -04:00
Klemens Nanni ae64d277b8 Explicitly clear TLS secrets afer handshake
No need to keep them at runtime;  do so unconditionally for the sake of
simplicity.

Declare TLS config globally so ircConnect() can clear it and declare
both client and config statically as they are not used outside the irc.c
module.
2021-07-13 15:17:35 -04:00
Klemens Nanni 40b3f52aaf Revert "Remove explicit tls_handshake(3) from ircConnect"
This reverts commit 981ebc4f12.

This broke `-o' to print the server certificate;  without explicit
handshake there will be no tls_read(3) in this short code path.
2021-07-13 15:17:22 -04:00
C. McEnroe 54d899196c FreeBSD: Avoid caph_stream_rights(3)
caph_stream_rights(3) doesn't exist before FreeBSD 13.0 and there's
no good reason to create that dependency. I still run servers on
FreeBSD 12.

This is a partial revert of cbc9545cb3.
2021-07-13 15:16:22 -04:00
Klemens Nanni dfa9a6427f Disable /exec in Kiosk mode (as documented) 2021-07-13 15:16:22 -04:00
Klemens Nanni 2a87dc22ac /whois takes an optional nick argument 2021-07-13 15:16:22 -04:00
C. McEnroe 60660a780e Reword and clarify parts of the manual
Mostly related to the utilities options.
2021-07-13 15:16:22 -04:00
C. McEnroe ddb331d8dc Use CS command for paramless /op and /voice
Should match the actual /cs command.
2021-07-13 15:16:22 -04:00
C. McEnroe 91f00dee0d Condense markup for ignore/highlight format 2021-07-13 15:16:22 -04:00
C. McEnroe cad20da70a Point out precedence of multiple files and flags 2021-07-13 15:16:22 -04:00
C. McEnroe c76d76205f Zero out server password after sending
Also send it directly using ircSend to avoid copying it and logging
it to <debug>.
2021-07-13 15:16:22 -04:00
Klemens Nanni 9559fe9d23 Make -o/printCert not load any files, pledge even earlier
No point in trying to load a self-signed server certificate which we
are about to get from the server in the first place.

No need to read client certificate/key files when all we want is the
server certificate:  in TLS the server always sends its certificate
before the client replies with any key material, i.e. catgirl sending
client data is useless.

catgirl(1) synopsis also notes how these options are irrelevant in the
-o/printCert case.

As a result, ircConfig() no longer requires any filesystem I/O in this
case, so hoist the purely network I/O related pledge() call to enforce
this -- more secure, self-documenting code!
2021-07-13 15:16:22 -04:00
C. McEnroe 320aeaf435 Attempt to keep "security" in README accurate
It's a short summary trying to cover different systems...
2021-07-13 15:16:22 -04:00
Klemens Nanni 5bfba6df52 OpenBSD: merge unveil and pledge logic a bit
This reads somewhat clearer as code is grouped by features instead of
security mechanisms by simply merging identical tests/conditions.

No functional change.
2021-07-13 15:16:22 -04:00
Klemens Nanni 7793ca36bb OpenBSD: unveil logs regardless of restrict mode
Simplify logic and decouple the two features such that the code gets
even more self-ducumenting.

Previously `catgirl -R -l' would never unveil and therefore "proc exec"
could execute arbitrary paths without "rpath" as is usual unveil/pledge
semantic.

Now that `catgirl -l' alone triggers unveil(2), previous "proc exec"
alone is not enough since the first unveil() hides everything else from
filesystem;  unveil all of root executable-only in order to restore
non-restrict mode's visibility.

This leaves yields distinct cases wrt. filesystem visibility
(hoisted save file functionality excluded):

1. restrict on,  log off:  no access
2. restrict on,  log on :  logdir write/create
3. restrict off, log off:  all exec-only
4. restrict off, log on :  logdir write/create, all else exec-only

In the first case `unveil("/", "")' could be used but with no benefit as
the later lack of "rpath wpath cpath", i.e. filesystem access is revoked
entirely by pledge alone already.

Practically, this does not change functionality but improves correctness
and readability.
2021-07-13 15:16:22 -04:00
C. McEnroe 44457f85c6 Save invited channel for /join 2021-07-02 15:24:11 -04:00
C. McEnroe 54251acae3 Move security to the features list
The restrict option now enables real sandboxing on the two main
target systems.
2021-06-28 11:55:07 -04:00
C. McEnroe ca50352169 OpenBSD: unveil the log directory specifically
The call to logOpen() will have already created the directory. Still
use dataMkdir() as a convenient way to get the created path.
2021-06-28 09:57:10 -04:00
C. McEnroe cbc9545cb3 FreeBSD: Use capsicum_helpers.h 2021-06-28 09:11:02 -04:00
C. McEnroe cb62d92f54 Set MANDIR in chroot 2021-06-25 12:19:11 -04:00
C. McEnroe 56c31ae442 FreeBSD: Limit rights on log directory 2021-06-25 12:19:11 -04:00
C. McEnroe b48d0d607c FreeBSD: Limit rights on save file 2021-06-25 11:50:14 -04:00
C. McEnroe 1239ffa689 FreeBSD: Limit rights on stdio and socket 2021-06-25 11:50:14 -04:00
C. McEnroe 981ebc4f12 Remove explicit tls_handshake(3) from ircConnect
The first call to ircFormat, which calls tls_write(3) in turn, will
perform the handshake anyway. This way the handshake happens after
the final pledge(2) call.
2021-06-25 11:50:14 -04:00
C. McEnroe a0cc519829 Move setting CLOEXEC on socket to ircConnect 2021-06-25 11:50:14 -04:00
C. McEnroe 16b34e5cd2 FreeBSD: Enter capabilities mode if restricted 2021-06-25 11:50:14 -04:00
C. McEnroe fece6e6eb6 Keep log directory open, use mkdirat(2) and openat(2) 2021-06-25 11:50:14 -04:00
C. McEnroe 21a9954e7c Encourage packagers to patch in text macros
Maybe no one will ever do it but I think it's a fun idea.
2021-06-24 15:04:37 -04:00
C. McEnroe 60ff44cf4e Stop at previous \ when expanding macros
There was no reason to ever require whitespace before the macro
name.
2021-06-24 14:10:49 -04:00
C. McEnroe 65280c0b60 Replace SIGWINCH XXX comment with better explanation 2021-06-21 18:27:35 -04:00
Klemens Nanni b6cedf7dba Register SIGWINCH handler before TLS connect
Otherwise resizing the terminal will end catgirl until a handler is
registered, e.g. while in ircConnect():

	catgirl: tls_handshake: (null)

Hoist registration right after uiInitEarly() as earliest possible point
in main() since initscr(3) sets up various signals incl. SIGWINCH, i.e.
initialise `cursesWinch' afterwards to pick up curses(3)'s handler.
2021-06-21 18:11:09 -04:00
Klemens Nanni 2b7f62dbd4 Handle EINTR from connect(2) gracefully
Resizing the window early on may return early due to SIGWINCH.
Continue asynchronously in that case instead of exiting.
2021-06-21 17:58:28 -04:00
C. McEnroe a79a3fc9f6 Use NS and CS server aliases
I think I didn't use these originally because they were misconfigured
on tilde.chat, but they work now, and supposedly server aliases
should be more secure/reliable.
2021-06-21 17:26:43 -04:00