
@MrLenin MrLenin commented Jan 1, 2026

Note: This PR depends on #82 (security-hardening) being merged first.

Summary

  • Implements native DNSBL (DNS-based Blackhole List) checking without external dependencies
  • Adds native GitSync using libgit2 for configuration synchronization
  • Includes SSH key auto-generation for secure GitSync operations
  • Comprehensive security hardening for both features

Changes

DNSBL Implementation

  • Native async DNS lookups for blacklist checking during client connection
  • Configurable DNSBL servers with per-server reply mappings
  • Whitelist exemption support for trusted hosts
  • Cache with configurable TTL to reduce DNS load
  • /STATS dnsbl for operational visibility

GitSync Implementation

  • Native git operations using libgit2
  • /GITSYNC operator command for manual sync, status, and key management
  • /STATS gitsync for operational visibility
  • Automatic SSH key generation on first run
  • Ability to extract public key from existing ircd.pem (replaces -p parameter from gitsync.sh)
  • Automatic TLS certificate (ircd.pem) updates via git tags
  • Secure command execution with proper input validation
  • Graceful handling of bad configs on rehash with automatic rollback to previous working config

Security Fixes

  • Fix command injection vulnerabilities in GitSync
  • Fix TOCTOU race conditions in file operations
  • Fix DNSBL whitelist bypass vulnerabilities
  • Clear DNSBL server list on rehash to prevent duplicates

Test plan

  • Verify DNSBL queries and caching work
  • Test GitSync clone/pull operations
  • Verify SSH key auto-generation
  • Test /STATS dnsbl output
  • Test /STATS gitsync output
  • Test /GITSYNC command
  • Verify rehash properly clears and reloads DNSBL config
  • Verify GitSync gracefully handles bad configs and restores previous config
  • Test DNSBL rejection with a known-bad host
  • Test GitSync certificate update via tags

🤖 Generated with Claude Code

MrLenin and others added 9 commits January 1, 2026 03:02
With BSD strlcpy semantics, ircd_strncpy(dst, src, n) copies at most
n-1 characters. Several call sites were missing the +1 adjustment,
causing the last character to be truncated.

Fixed in:
- umkpasswd.c: strlen(DPATH/CPATH) -> strlen() + 1
- ircd_parser.y: REALLEN -> REALLEN + 1
- m_pass.c: ACCPASSWDLEN -> ACCPASSWDLEN + 1
- m_list.c: CHANNELLEN -> CHANNELLEN + 1
- m_check.c: HOSTLEN/USERLEN/NICKLEN -> + 1
- s_conf.c: calculated tmp -> tmp + 1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
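
The off-by-one described in this commit, shown as an added example (not code from this PR or from ircu): `ircd_strncpy_like()` is an assumed stand-in with the BSD strlcpy semantics the commit describes, `REALLEN` is a constructed limit, and the two call sites contrast passing the field length versus the field length plus one.

```c
#include <stdio.h>
#include <string.h>

#define REALLEN 50   /* constructed stand-in for the ircd's real-name limit */

/* Assumed stand-in for ircd_strncpy() with BSD strlcpy semantics: copies at
 * most n-1 bytes and always NUL-terminates the destination when n > 0. */
static size_t ircd_strncpy_like(char *dst, const char *src, size_t n)
{
    size_t srclen = strlen(src), ncopy;
    if (n == 0)
        return srclen;
    ncopy = srclen < n - 1 ? srclen : n - 1;
    memcpy(dst, src, ncopy);
    dst[ncopy] = '\0';
    return srclen;
}

/* The pre-fix call site: n = REALLEN keeps only REALLEN-1 bytes, so a
 * real name that is exactly REALLEN bytes long loses its last character. */
int copy_realname_buggy(char dst[REALLEN + 1], const char *src)
{
    ircd_strncpy_like(dst, src, REALLEN);
    return (int)strlen(dst);
}

/* The fixed call site: n = REALLEN + 1 keeps all REALLEN bytes; the
 * destination must still be REALLEN + 1 bytes to hold the terminator. */
int copy_realname_fixed(char dst[REALLEN + 1], const char *src)
{
    ircd_strncpy_like(dst, src, REALLEN + 1);
    return (int)strlen(dst);
}

/* Demonstration helper: builds a constructed name of srclen 'x' bytes, copies
 * it with the buggy or the fixed n, and returns the resulting length. */
int demo_copy(size_t srclen, int use_fix)
{
    char src[256], dst[REALLEN + 1];
    if (srclen >= sizeof src)
        return -1;
    memset(src, 'x', srclen);
    src[srclen] = '\0';
    return use_fix ? copy_realname_fixed(dst, src) : copy_realname_buggy(dst, src);
}
```
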

Native DNSBL checking during client registration:
- IPv4 and IPv6 support with proper DNS query formatting
- Configurable DNSBL servers via config parser blocks
- Result caching with TTL and periodic expiration
- Bitmask matching and action support (block_all, block_anon, mark)
- SNO_GLINE notifications for blocked clients
- /STATS dnsbl reporting

Linesync - centralized config distribution via HTTPS:
- libcurl integration with autoconf detection (curl-config + fallback)
- SSL/TLS mutual authentication support (CA cert, client cert/key)
- Timer-based periodic sync with configurable interval
- Content validation (multi-block injection protection)
- /LINESYNC oper command with remote relay support:
  - /LINESYNC force|status - local server
  - /LINESYNC <server> force|status - specific remote
  - /LINESYNC * force|status - broadcast to all servers
- PRIV_LINESYNC privilege for oper access control
- /STATS linesync reporting

Feature flags:
- FEAT_NATIVE_DNSBL, FEAT_DNSBL_TIMEOUT, FEAT_DNSBL_CACHETIME
- FEAT_DNSBL_BLOCKMSG
- FEAT_LINESYNC_ENABLE, FEAT_LINESYNC_INTERVAL, FEAT_LINESYNC_URL
- FEAT_LINESYNC_CA_CERT, FEAT_LINESYNC_CLIENT_CERT, FEAT_LINESYNC_CLIENT_KEY

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Refactor the centralized configuration distribution system from
HTTP/CURL-based linesync to git-based gitsync using libgit2.

Changes:
- Replace USE_CURL with USE_LIBGIT2 preprocessor macro
- Rename FEAT_LINESYNC_* to FEAT_GITSYNC_* feature flags
- Rename PRIV_LINESYNC to PRIV_GITSYNC privilege
- Rename MSG/TOK/CMD_LINESYNC to MSG/TOK/CMD_GITSYNC
- New gitsync.c with libgit2 clone/fetch/reset workflow
- New m_gitsync.c command handlers (mo_gitsync, ms_gitsync)
- SSH key authentication support for private repositories

New feature flags:
- FEAT_GITSYNC_ENABLE - Enable/disable gitsync
- FEAT_GITSYNC_INTERVAL - Sync interval in seconds (default: 300)
- FEAT_GITSYNC_REPOSITORY - Git repository URL
- FEAT_GITSYNC_BRANCH - Branch to sync (default: "master")
- FEAT_GITSYNC_SSH_KEY - Path to SSH private key
- FEAT_GITSYNC_LOCAL_PATH - Local clone path (default: "gitsync")

Build with: ./configure --with-libgit2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add GITSYNC PUBKEY command to display SSH public key for GitLab/GitHub setup
- Implement gitsync_apply() to write config and trigger rehash
- Add FEAT_GITSYNC_CONF_FILE for configurable output path (default gitsync.conf)
- Add FEAT_GITSYNC_CERT_TAG and FEAT_GITSYNC_CERT_FILE for TLS certificate
  pulling from git tags (matching gitsync.sh -c/-C options)
- Update gitsync.conf placeholder creation on startup
- Add TLS cert update to sync process with automatic ssl_reinit()
- Update stats report to show cert tag configuration
- Update docker ircd.conf to include gitsync.conf instead of linesync.conf

The native gitsync now matches gitsync.sh behavior:
- Phase 1: PUBKEY shows SSH key for GitLab setup
- Config sync: Writes to gitsync.conf, triggers rehash
- TLS cert sync: Pulls from git tag, updates fullchain.pem, reloads SSL

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Implement SSH host key verification using TOFU (Trust On First Use)
  with configurable fingerprint via FEAT_GITSYNC_HOST_FINGERPRINT
- Make all gitsync subcommands remotable (force, status, pubkey, hostkey)
  with proper sub-argument forwarding (pem, reset)
- Block dangerous include directives (absolute paths, path traversal)
  while allowing relative includes for flexibility
- Use mkstemp for secure temp file creation instead of predictable
  PID-based filenames

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add libgit2-dev to Dockerfile for native git support
- Implement gitsync_generate_ssh_key() using OpenSSL EVP API for Ed25519 keys
- Auto-generate SSH key when GITSYNC_SSH_KEY is set but file doesn't exist
- Keys stored in PEM format (libgit2 compatible) with .pub in OpenSSH format
- Add safe config write with backup/restore on parse errors
- Add conf_get_error_flag() to detect config parse failures after rehash
- Fix duplicate "GitSync completed" message in m_gitsync.c
- Fix empty commit hash after clone by extracting HEAD after git_clone
- Use ECDSA SSL certs for GitHub SSH compatibility

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Security fixes for native DNSBL:
- Fix use-after-free: DNS callbacks accessed freed memory after
  dnsbl_cancel(). Now uses cancelled flag; last callback frees request.
- Fix stale server pointer: Created per-query DNSBLQueryContext to
  preserve correct server reference for each DNS lookup callback.
- Fix integer UB: Changed 1 << result_byte to 1U << result_byte and
  added range check for result_byte >= 32.

DNSBL whitelist exemption for iauth:
- Added FLAG_DNSBL_EXEMPT client flag set when native DNSBL whitelists
- IAuth kill commands now check for exemption flag and skip kill
- Allows single-point whitelist configuration in native DNSBL

GitSync improvements:
- GITSYNC PUBKEY now auto-generates SSH key if not present
- Reduced verbose output from key generation

🤖 Generated with [Claude Code](https://claude.ai/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
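
An added example (not this PR's code) covering two of the commits above: the IPv4/IPv6 DNSBL query formatting from the native DNSBL commit, and the `1U << result_byte` range check from this security-fix commit. The query format is assumed to be the conventional one (reversed octets, or reversed nibbles for IPv6, under the zone); `dnsbl_query_name()` and `dnsbl_reply_matches()` are hypothetical names.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Query name for a DNSBL lookup (assumed conventional format): IPv4 octets
 * reversed, IPv6 expanded to its 32 nibbles reversed, each label followed
 * by '.', then the zone. Returns 0, or -1 if ip is invalid or out is too
 * small. */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char buf[16];
    char rev[80];
    if (inet_pton(AF_INET, ip, buf) == 1) {
        snprintf(rev, sizeof rev, "%hhu.%hhu.%hhu.%hhu", buf[3], buf[2], buf[1], buf[0]);
    } else if (inet_pton(AF_INET6, ip, buf) == 1) {
        size_t pos = 0;
        for (int i = 15; i >= 0; i--) {       /* last byte first */
            rev[pos++] = hex[buf[i] & 0x0f];  /* low nibble first */
            rev[pos++] = '.';
            rev[pos++] = hex[buf[i] >> 4];
            rev[pos++] = '.';
        }
        rev[pos - 1] = '\0';                  /* drop trailing '.' */
    } else {
        return -1;
    }
    if (snprintf(out, outlen, "%s.%s", rev, zone) >= (int)outlen)
        return -1;
    return 0;
}

/* A DNSBL answer of 127.0.0.N selects bit N of the server's configured
 * reply mask. Returns 1 if listed, 0 if not, and -1 when N >= 32: shifting
 * 1U by 32 or more is undefined behaviour, so the range check comes first. */
int dnsbl_reply_matches(const unsigned char reply[4], unsigned reply_mask)
{
    unsigned result_byte = reply[3];
    if (reply[0] != 127)          /* not a 127.0.0.0/8 listing reply */
        return 0;
    if (result_byte >= 32)
        return -1;
    return (reply_mask & (1U << result_byte)) ? 1 : 0;
}
```
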

Address critical security vulnerabilities identified in security audit:

- Replace system() with fork()/execlp() in gitsync_generate_ssh_key()
  to prevent command injection via SSH key path configuration

- Replace popen() with fork()/execlp() helpers for ssh-keygen calls:
  - run_ssh_keygen_pubkey(): Extract public key from private key
  - extract_pubkey_from_pem(): Extract SSH key from X509 certificate
    using OpenSSL library APIs (PEM_read_X509, X509_get_pubkey)

- Add validate_safe_path() to reject paths with:
  - Directory traversal attempts (..)
  - Shell metacharacters and special characters
  - Only allows: alphanumeric, underscore, hyphen, dot, forward slash

- Fix TOCTOU race condition in SSH key generation:
  - Use O_CREAT|O_EXCL|O_NOFOLLOW for atomic file creation
  - Add lstat() check to detect symlink attacks
  - Remove vulnerable access() check before key generation

Security: Fixes CVSS 9.8 command injection vulnerabilities

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
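
The path allowlist and the atomic key-file creation from this commit, as an added example (my own illustration, not the PR's `validate_safe_path()` or key-generation code): the allowlist admits only alphanumerics, underscore, hyphen, dot and slash and rejects `..`; the create step uses `O_CREAT|O_EXCL|O_NOFOLLOW` plus an `lstat()` check instead of an `access()` probe. `create_private_key_file()` and `demo_atomic_create()` are assumed names; the temp directory is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allowlist for configured key paths: only [A-Za-z0-9_./-] and no "..",
 * so no shell metacharacters and no directory traversal. 1 = safe. */
int validate_safe_path(const char *path)
{
    if (path == NULL || *path == '\0' || strstr(path, "..") != NULL)
        return 0;
    for (const char *p = path; *p; p++)
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || strchr("_-./", *p)))
            return 0;
    return 1;
}

/* Create the key file with no check-then-create window: O_EXCL fails if
 * anything already exists there, O_NOFOLLOW refuses a planted symlink, mode
 * 0600 keeps it private, lstat() confirms a regular file is what remains.
 * Returns the open fd, or -1 with errno set (EEXIST when already present). */
int create_private_key_file(const char *path)
{
    struct stat st; int fd;
    if (!validate_safe_path(path)) { errno = EINVAL; return -1; }
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Demonstration in a fresh temp dir (constructed): the first create succeeds
 * and a second create of the same path fails with EEXIST. Returns 1 if so. */
int demo_atomic_create(void)
{
    char dir[] = "/tmp/gitsync_demo_XXXXXX", path[64];
    int fd, second, ok;
    if (mkdtemp(dir) == NULL) return 0;
    strcpy(path, dir); strcat(path, "/id_ed25519");
    fd = create_private_key_file(path);
    second = create_private_key_file(path);
    ok = fd >= 0 && second < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir);
    return ok;
}
```
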

The DNSBL server list was not being cleared during config rehash,
causing entries to accumulate each time the config was reloaded.
This was particularly visible with GitSync triggering periodic
rehashes, resulting in the DNSBL list growing 5x or more.

Add dnsbl_clear_servers() call in rehash() following the existing
pattern used for other config lists (quarantines, nick jupes, etc).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@MrLenin MrLenin marked this pull request as draft January 1, 2026 10:13