diff options
| author | Přemysl Janouch <p.janouch@gmail.com> | 2018-01-09 05:47:37 +0100 |
|---|---|---|
| committer | Přemysl Janouch <p.janouch@gmail.com> | 2018-01-09 05:47:37 +0100 |
| commit | 6c30452b2849f57dbf621367e1fd5f92197965de (patch) | |
| tree | 05cda387d5e4e2c3aab82a3e15ddbce78845f877 | |
| parent | 670e1c5770230517aa0f1c533268448babe20650 (diff) | |
| download | xK-6c30452b2849f57dbf621367e1fd5f92197965de.tar.gz xK-6c30452b2849f57dbf621367e1fd5f92197965de.tar.xz xK-6c30452b2849f57dbf621367e1fd5f92197965de.zip | |
kike: thorough review, no functional changes
| -rw-r--r-- | kike.c | 18 |
1 files changed, 15 insertions, 3 deletions
@@ -226,6 +226,7 @@ irc_is_valid_hostaddr (const char *hostaddr) return false; } +// TODO: we should actually use this, though what should we do on failure? static bool irc_is_valid_host (const char *host) { @@ -1563,7 +1564,7 @@ irc_handle_time (const struct irc_message *msg, struct client *c) if (msg->params.len > 0 && !irc_is_this_me (c->ctx, msg->params.vector[0])) RETURN_WITH_REPLY (c, IRC_ERR_NOSUCHSERVER, msg->params.vector[0]); - char buf[32]; + char buf[32] = ""; time_t now = time (NULL); struct tm tm; strftime (buf, sizeof buf, "%a %b %d %Y %T", localtime_r (&now, &tm)); @@ -1840,7 +1841,7 @@ mode_processor_do_list (struct mode_processor *self, break; bool found = i != list->len; - if ((found ^ self->adding)) + if (found != self->adding) { if (self->adding) strv_append (list, mask); @@ -2131,6 +2132,7 @@ irc_send_rpl_list (struct client *c, const struct channel *chan) int visible = 0; for (struct channel_user *user = chan->users; user; user = user->next) + // XXX: maybe we should skip IRC_USER_MODE_INVISIBLE visible++; irc_send_reply (c, IRC_RPL_LIST, chan->name, visible, chan->topic); @@ -3470,8 +3472,18 @@ irc_ssl_verify_callback (int verify_ok, X509_STORE_CTX *ctx) (void) verify_ok; (void) ctx; + // RFC 5246: "If the client has sent a certificate with signing ability, + // a digitally-signed CertificateVerify message is sent to explicitly + // verify possession of the private key in the certificate." + // + // The handshake will fail if the client doesn't have a matching private + // key, see OpenSSL's tls_process_cert_verify(), and the CertificateVerify + // message cannot be skipped (except for a case where it doesn't matter). + // Thus we're fine checking just the cryptographic hash of the certificate. + // We only want to provide additional privileges based on the client's - // certificate, so let's not terminate the connection because of a failure. + // certificate, so let's not terminate the connection because of a failure + // (especially since self-signed certificates are likely to be used). return 1; } |