Commit Graph

1005 Commits (master)

Author SHA1 Message Date
C. McEnroe 65280c0b60 Replace SIGWINCH XXX comment with better explanation 2021-06-21 18:27:35 -04:00
Klemens Nanni b6cedf7dba Register SIGWINCH handler before TLS connect
Otherwise resizing the terminal will end catgirl until a handler is
registered, e.g. while in ircConnect():

	catgirl: tls_handshake: (null)

Hoist registration right after uiInitEarly() as earliest possible point
in main() since initscr(3) sets up various signals incl. SIGWINCH, i.e.
initialise `cursesWinch' afterwards to pick up curses(3)'s handler.
2021-06-21 18:11:09 -04:00
Klemens Nanni 2b7f62dbd4 Handle EINTR from connect(2) gracefully
Resizing the window early on may return early due to SIGWINCH.
Continue asynchronously in that case instead of exiting.
2021-06-21 17:58:28 -04:00
C. McEnroe a79a3fc9f6 Use NS and CS server aliases
I think I didn't use these originally because they were misconfigured
on tilde.chat, but they work now, and supposedly server aliases
should be more secure/reliable.
2021-06-21 17:26:43 -04:00
C. McEnroe 73181be1ca Open log files with CLOEXEC 2021-06-21 13:31:05 -04:00
C. McEnroe 1a336de95c Open save file with CLOEXEC
Otherwise a lingering process from /copy for example could hold the
lock.
2021-06-21 13:26:55 -04:00
Klemens Nanni 585039fb6e Use "secure" libtls ciphers
d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat"
ciphers to support irc.mozilla.org which now yields NXDOMAIN.

All modern networks (should) support secure ciphers, so drop the
hopefully unneeded list of less secure ciphers by avoiding
tls_config_set_ciphers(3) and therefore sticking to the "secure" aka.
"default" set of ciphers in libtls.

A quick check shows that almost all of the big/known IRC networks
support TLS1.3 already;  those who do not at least comply with
SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

	echo \
	  irc.hackint.org \
	  irc.tilde.chat \
	  irc.libera.chat \
	  irc.efnet.nl \
	  irc.oftc.net |
	xargs -tn1 \
	openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
2021-06-20 20:25:56 -04:00
Klemens Nanni 3a38e36717 OpenBSD: Only unveil used directories
dataMkdir() already picked the appropriate directory so make it
return that such that unveilData() can go as only that one directory
needs unveiling.
2021-06-20 20:21:00 -04:00
C. McEnroe e2bebca7dc Handle "\1ACTION\1" empty actions 2021-06-20 19:22:20 -04:00
C. McEnroe da374e6e61 Don't match actions in notices 2021-06-20 18:17:38 -04:00
C. McEnroe b3631a7e32 Handle TLS_WANT_POLL{IN,OUT} from tls_handshake(3)
For blocking sockets it should be retried immediately.
2021-06-20 16:48:53 -04:00
C. McEnroe a5a225c52c Add -m mode option to set user modes 2021-06-18 12:28:09 -04:00
C. McEnroe d3b2f86a4b Handle 338 as whois reply
Used by Solanum for "actually using host".
2021-06-17 20:18:37 -04:00
C. McEnroe 03931d4bb3 Match window substrings case-sensitively
Case-insensitivity was copied from regular complete(), but other
commands which take substrings (/open and /copy) match case-sensitively.
2021-06-17 19:07:56 -04:00
C. McEnroe 0d888b88d0 Match windows by substring in /window
This could just iterate over idNames instead, but using complete
means more recently used windows will match first.
2021-06-17 18:52:47 -04:00
C. McEnroe a8c1f02976 Clean up if restricted && logEnable, pipe creation 2021-06-17 18:26:09 -04:00
C. McEnroe 188fc678bd Add mailing list archive to README 2021-06-17 12:11:55 -04:00
Klemens Nanni 948e6d5479 chat.tmux.conf: Make window selection hotkeys match window numbers
The 'pick chat network' binding on F1 lists tmux windows as follows
and tmux's `choose-tree -Z' lets you jump to the window by pressing the
key denoted inside parentheses.

Set `base-index 1' so as to make window indices match up the hotkey
number instead of being off-by-one due to the session itself being the
first entry in the list.

  (0)   - chat-5: 8 windows (group chat: chat-0,chat-1,chat-2,chat-3,chat-4,chat-5,chat-6) (attached)
  (1)   ├─>   1: hackint: "example.com"
  (2)   ├─>   2: efnet: "example.com"
  ...

PS: Update existing sessions by updating chat.tmux.conf, pressing F5
then running `prefix-: move-window -r' to renumber all windows.
2021-06-17 11:37:40 -04:00
C. McEnroe d2bec49931 Send PINGs when server is quiet and die if no response
Every time we receive from the server, reset a timer. The first
time the timer triggers, send a PING. The second time the timer
triggers, die from ping timeout.

I'm not sure about these two intervals: 2 minutes of idle before a
PING, 30s for the server to respond to the PING.
2021-06-15 16:59:24 -04:00
Klemens Nanni b690bd0b83 OpenBSD: Simplify promise creation after seprintf() introduction
Just truncate the initial promises back to the final ones after pledging
for the first time, saving code and memory.

Assign `ptr' in all initial `seprintf()' calls for consistency while
here.
2021-06-15 13:20:09 -04:00
Klemens Nanni 3e0b38e48e OpenBSD: pledge final promises earlier
No need to wait for so long.

This also brings all the pledge code on one screen and helps show how
ircConnect() is the only relevant part in between initial and final
promises.
2021-06-14 17:15:11 -04:00
Klemens Nanni 1ccadd7c72 Treat `-T's optional argument as optional
`-T[format]' is not possible with getopt(3) but getopt_long(3) supports
"T::" exactly for that, so make the command line option go in line with
configuration files and documentation.

While here, check `has_arg' explicitly as getopt_long(3) only documents
mnemonic values not numerical ones.
2021-06-14 17:00:15 -04:00
C. McEnroe e18c585701 Add \com text macro 2021-06-14 14:29:16 -04:00
Klemens Nanni 9c7ceb23bb /exec without controlling terminal
Otherwise "/exec sh </dev/tty" takes over and catgirl must effectively
be killed to stop the madness;  with this diff:

	catgirl  input| /exec sh </dev/tty
	catgirl output| /bin/sh: cannot open /dev/tty: Device not configured
	catgirl output| Process exits with status 1

Do the same for `-C/Copy', `-N/notify' and `-O/open' alike.
2021-06-13 16:46:34 -04:00
Klemens Nanni 4c0cdae4e5 Exit on data directory creation error
No point in creating (sub)directories when the given root failed already
as is the case when e.g. XDG_DATA_HOME/catgirl/ itself is bogus
(cleaned stderr intermingled with ncurses setup/catgirl output):

	$ env -i TERM=xterm XDG_DATA_HOME=/ ./catgirl -h irc.hackint.eu -n nobody -l
	catgirl: //catgirl/: Permission denied
	catgirl: //catgirl/log: No such file or directory
	catgirl: //catgirl/log/hackint: No such file or directory
	catgirl: //catgirl/log/hackint/NickServ: No such file or directory
	catgirl: //catgirl/: Permission denied
	catgirl: //catgirl/log/hackint/NickServ/2021-06-13.log: No such file or directory
2021-06-13 14:04:48 -04:00
Klemens Nanni 788eb772c8 OpenBSD: no need to read data files (logs)
One of the last changes missed this, but it is a NOOP anyway since
"rpath" is not pledged any longer.
2021-06-13 14:02:59 -04:00
C. McEnroe 2dcadaf260 Reset formatting after realname in setname
Missed this one.
2021-06-12 10:35:53 -04:00
C. McEnroe 161c1ad680 Fix unknown file signature error 2021-06-11 21:22:03 -04:00
C. McEnroe f6e8078c46 Exclusively lock save file
Prevents two instances of catgirl from using the same save file and
clobbering each other's data.
2021-06-11 21:15:34 -04:00
C. McEnroe c6009cf13c Open save file with "a+"
Avoids another small TOCTOU. Rewind before loading since "a+" sets
the file position at the end. Remove unnecessary fseek after
truncation, since "a+" always writes at the end of the file.
2021-06-11 21:02:40 -04:00
Klemens Nanni 772c9789b7 OpenBSD: Drop now unneeded file system access for save file
All opening happens before unveil/pledge and the file handle is kept
open read/write so it can be used without any pledge.

Simpler/less code and less chances to write other files (accidentally).
2021-06-11 20:57:40 -04:00
Klemens Nanni cdd4ccf16f Open save file once in uiLoad() and keep it open until uiSave()
Opening the same file *path* twice is a TOCTOU, although not a critical
one: worst case we load from one file and save to another - the impact
depends on how and when catgirl is started the next time anyway.

More importantly, keeping the file handle open at runtime allows us to
drop all filesystem related promises for `-s/save' on OpenBSD.

uiLoad() now opens "r+", meaning "Open for reading and writing." up
front so uiSave() can write to it.  In the case of a nonexistent save
file, it now opens with "w" meaning "Open for writing.  The file is
created if it does not exist.", i.e. the same write/create semantics as
"w" except uiLoad() no longer truncates existing files.

uiSave() now truncates the save file to avoid appending in general.
2021-06-11 20:57:40 -04:00
Klemens Nanni 8e591c96f8 Rename file to saveFile
Separate churn from actual change in upcoming diff,
no functional change.
2021-06-11 12:52:07 -04:00
Klemens Nanni 4aa3da5786 OpenBSD: Hoist loading save file to drop filesystem read-access
After TLS cert/key files, the save file is the only file being read from;
do so before pledging and drop the "rpath" promise altogether:  log files
will only be created and written to.
2021-06-11 12:51:00 -04:00
C. McEnroe 37aa3679bc Match gemini URLs 2021-06-11 11:49:10 -04:00
C. McEnroe 7e4fa80c96 Avoid trailing comma in whois channels lists
The format of the reply is defined as "<nick> :{[@|+]<channel><space>}".
2021-06-10 19:38:12 -04:00
C. McEnroe 275d657b8b Move unveilAll back into main
It doesn't do as much anymore, so move it back inline.
2021-06-10 15:40:45 -04:00
C. McEnroe 0b4004c202 Only explicitly load the default CA file on OpenBSD 2021-06-10 15:23:33 -04:00
Klemens Nanni 552cd49833 OpenBSD: Drop now unneeded promise from initial pledge
Both ssl(8) as well as ncurses(3) related files are now read completely
by the time of ircConfig() and uiInitEarly() respectively, so read
access to the filesystem is no longer needed at all unless the "log" or
"save" options are used.
2021-06-10 14:44:35 -04:00
Klemens Nanni 71a84aa502 OpenBSD: Remove now obsolete unveil code
Previous tls_default_ca_cert_file(3) hoisting makes this possible: all
TLS related files are fully loaded into memory by ircConfig() such that
ircConnect() will not do any file I/O.

Call ircConfig() before pledge(2) in the `-o' "print cert" case so this
works out -- that order should have been preserved in the previous
a989e15 "OpenBSD: hoist -o/printCert code to simplify" but fixing it now
nicely demonstrates the achievement even more so.
2021-06-10 14:44:35 -04:00
Klemens Nanni 171a56ee2d Hoist loading default root certificates into ircConfig()
tls_connect_socket(3) in ircConnect() does that by default already
unless tls_config_set_ca_file(3) was used.

Loading CA certificates before connecting makes no practical difference
except on OpenBSD where this allows for tighter unveil and pledge setups
now that all required (TLS related) file I/O is finished by the time
ircConnect() gets to do network I/O.

In case of the hidden `-!' insecure flag which is implied by `-o' to
print server certificates and exit, loading root certificates is not
required at all;  likewise, using explicit self signed server
certificates will not involve certificate authorities either, hence load
them only if needed.
2021-06-10 14:44:35 -04:00
Michael Forney 0a1cfca0f4 Avoid creating out-of-bounds pointer when checking for seprintf truncation
It is technically undefined behavior (see C11 6.5.6p8) to construct
a pointer more than one past the end of an array. To prevent this,
compare n with the remaining space in the array before adding to
ptr.
2021-06-09 17:54:26 -04:00
C. McEnroe dfc3ac95c1 Remove catf 2021-06-09 11:56:49 -04:00
C. McEnroe e066a954f5 Replace catf with seprintf 2021-06-09 11:56:35 -04:00
C. McEnroe 5c3cd59af6 Add seprintf
Based on seprint(2) from Plan 9. I'm not sure if my return value
exactly matches Plan 9's in the case of truncation. seprint(2) is
described only as returning a pointer to the terminating '\0', but
if it does so even in the case of truncation, it is awkward for the
caller to detect. This implementation returns end in the truncation
case, so that (ptr == end) indicates truncation.
2021-06-09 11:41:15 -04:00
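
A bounded formatter with the return convention described here, including the later fix of comparing n with the remaining space before adding it to ptr, as an added example that is not catgirl's source. The names `seprintfDemo` and `buildLine` and the sample strings are assumptions, and treating a vsnprintf(3) error like truncation is a choice made for this sketch.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Append formatted text at ptr without writing at or past end.
// Returns a pointer to the terminating '\0', or end if output was truncated.
static char *seprintfDemo(char *ptr, char *end, const char *fmt, ...) {
	if (ptr >= end) return end; // an earlier call already truncated
	size_t space = (size_t)(end - ptr);
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(ptr, space, fmt, ap);
	va_end(ap);
	if (n < 0) return end; // assumption: report errors like truncation
	// Compare n with the remaining space first, so ptr + n is only formed
	// when it points inside the array.
	if ((size_t)n >= space) return end;
	return ptr + n;
}

// Chain several writes into buf; returns 1 if any of them was truncated.
static int buildLine(char *buf, size_t cap, const char *chan, const char *nick) {
	char *ptr = buf, *end = &buf[cap];
	ptr = seprintfDemo(ptr, end, "JOIN ");
	ptr = seprintfDemo(ptr, end, "%s", chan);
	ptr = seprintfDemo(ptr, end, " by %s", nick);
	return ptr == end;
}

int main(void) {
	char small[16], large[32];
	int cut = buildLine(small, sizeof(small), "#catgirl", "nobody");
	printf("%d \"%s\" (%zu bytes)\n", cut, small, strlen(small));
	cut = buildLine(large, sizeof(large), "#catgirl", "nobody");
	printf("%d \"%s\" (%zu bytes)\n", cut, large, strlen(large));
	return 0;
}
```
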
Klemens Nanni 3d931d0f5a OpenBSD: pledge minimum promises from the start
catgirl needs:
- "stdio tty" at all times
- "rpath inet dns" once at startup for terminfo(5) and ssl(8)
- "proc exec" iff -R/restrict option is disabled
- "rpath wpath cpath" iff -s/save or -l/log option is enabled

Status quo:  catgirl starts with the superset of all possible promises
"stdio rpath wpath cpath inet dns tty proc exec", drops offline with
"stdio rpath wpath cpath tty proc exec" and possibly drops to either of
"stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty"
depending on the options used.

Such step-by-step reduction is straightforward and easy to model along
the process runtime, but it comes with the drawback of starting with
too broad promises right from the beginning, i.e. `catgirl -R -h host'
is able to execute code and write to filesystems even though it must
never do so according to the (un)used options.

Lay out required promises up front and pledge in two stages:
1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns"
   plus potential "rpath wpath cpath" plus potential "proc exec"
2. final runtime, i.e. fixed "stdio tty"
   plus potential "rpath wpath cpath" plus potential "proc exec"

This way the above mentioned usage example can never execute or write
files, hence less potential for bugs and more accurate modelling of
catgirl's runtime -- dropping "inet dns" alone in between also becomes
obsolete with this approach.
2021-06-09 09:41:22 -04:00
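
The two-stage layout this commit message describes, combined with the truncate-back approach of the later b690bd0b83 commit, as an added example that is not catgirl's code. The struct and function names are assumptions, the temporary "rpath" is left out when the file promises already contain it, and off OpenBSD the pledge(2) call is stubbed so the promise strings can still be inspected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>
#endif

struct Promises {
	char buf[64];  // initial promises, cut back in place to the final set
	size_t final;  // length of the final-runtime prefix
};

// Hypothetical flags: restricted = -R/restrict, files = -s/save or -l/log.
static struct Promises promisesBuild(bool restricted, bool files) {
	struct Promises p;
	int n = snprintf(
		p.buf, sizeof(p.buf), "stdio tty%s%s",
		(files ? " rpath wpath cpath" : ""),
		(restricted ? "" : " proc exec")
	);
	p.final = (size_t)n;
	// Temporary startup promises go last so they can be cut off again.
	snprintf(
		&p.buf[p.final], sizeof(p.buf) - p.final,
		"%s inet dns", (files ? "" : " rpath")
	);
	return p;
}

// Stage 2: drop the temporary promises by truncating to the final set.
static const char *promisesFinal(struct Promises *p) {
	p->buf[p->final] = '\0';
	return p->buf;
}

static int pledgeStage(const char *promises) {
#ifdef __OpenBSD__
	return pledge(promises, NULL);
#else
	(void)promises; // no pledge(2) on this platform
	return 0;
#endif
}

int main(void) {
	struct Promises p = promisesBuild(true, false); // like `catgirl -R -h host'
	if (pledgeStage(p.buf) < 0) return 1;           // stage 1: initial setup
	// ... terminfo, certificates and the connection would be set up here ...
	return (pledgeStage(promisesFinal(&p)) < 0);    // stage 2: final runtime
}
```
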
Klemens Nanni c97a9eb870 OpenBSD: unveil after ncurses(3) init to support TERMINFO
initscr(3) in uiInitEarly() attempts more than /usr/share/terminfo/, see
`mandoc -O tag=TERMINFO ncurses`.

Even though non-default terminfo handling seems rare and it is unlikely
to have ever caused a problem for catgirl users on OpenBSD, the current
is still wrong by oversimplifying it.

Avoid the entire curses/unveil clash by setting up the screen before
unveiling.
2021-06-09 09:21:51 -04:00
Klemens Nanni a989e156a1 OpenBSD: hoist -o/printCert code to simplify
Nothing but the TLS handshake is required, so skip all other setup.

On OpenBSD, unveil() handling needs fixing which will involve code
reshuffling -- this is the first related but standalone step.

Also pledge this one-off code path individually such with simpler and
tighter promises while here.
2021-06-09 09:21:17 -04:00
C. McEnroe 7ea14eec84 Pad kiosk username with zero, not space
Oops!
2021-06-06 10:24:22 -04:00
Klemens Nanni 0fe004c5c4 OpenBSD: unveil XDG directories only when needed
The (not perfectly obvious) way catgirl crafts directories gets triggered
by unveilAll() even if no passed option requires filesystem access:

	$ env -i TERM=xterm ./catgirl -h irc.hackint.eu -R -n nobody
	catgirl: HOME unset

Here unveil(2) is used due to the "restrict" option, but besides terminfo(5)
and certificates catgirl does not need any other files, yet it tries to init
the data path -- passing XDG_DATA_HOME=/var/empty makes above invocation work
showing how the then successful path setup is not required.

Fix this by not unveiling the unneeded data path in the first place.
2021-06-06 10:18:52 -04:00