make ReloadableListener lock-free

Also stop attaching the *tls.Config to the wrapped connection,
since this forces it to be retained beyond its natural lifetime.

irc/client.go

 	var banMsg string
 	realIP := utils.AddrToIP(wConn.RemoteAddr())
 	var proxiedIP net.IP
-	if wConn.Config.Tor {
+	if wConn.Tor {
 		// cover up details of the tor proxying infrastructure (not a user privacy concern,
 		// but a hardening measure):
 		proxiedIP = utils.IPv4LoopbackAddress
 		lastActive: now,
 		channels:   make(ChannelSet),
 		ctime:      now,
-		isSTSOnly:  wConn.Config.STSOnly,
+		isSTSOnly:  wConn.STSOnly,
 		languages:  server.Languages().Default(),
 		loginThrottle: connection_limits.GenericThrottle{
 			Duration: config.Accounts.LoginThrottling.Duration,
 		lastActive: now,
 		realIP:     realIP,
 		proxiedIP:  proxiedIP,
-		isTor:      wConn.Config.Tor,
-		hideSTS:    wConn.Config.Tor || wConn.Config.HideSTS,
+		isTor:      wConn.Tor,
+		hideSTS:    wConn.Tor || wConn.HideSTS,
 	}
 	client.sessions = []*Session{session}
 
 		client.SetMode(modes.TLS, true)
 	}
 
-	if wConn.Config.TLSConfig != nil {
+	if wConn.TLS {
 		// error is not useful to us here anyways so we can ignore it
 		session.certfp, session.peerCerts, _ = utils.GetCertFP(wConn.Conn, RegisterTimeout)
 	}

irc/listeners.go

 		}
 	}
 
-	if conn.Config.TLSConfig != nil || conn.Config.Tor {
+	if conn.TLS || conn.Tor {
 		// we terminated our own encryption:
 		conn.Secure = true
-	} else if !conn.Config.WebSocket {
+	} else if !conn.WebSocket {
 		// plaintext normal connection: loopback and secureNets are secure
 		realIP := utils.AddrToIP(conn.RemoteAddr())
 		conn.Secure = realIP.IsLoopback() || utils.IPInNets(realIP, config.Server.secureNets)

irc/utils/proxy.go

 	"io"
 	"net"
 	"strings"
-	"sync"
+	"sync/atomic"
 	"time"
 )
 
 type WrappedConn struct {
 	net.Conn
 	ProxiedIP net.IP
-	Config    ListenerConfig
+	TLS       bool
+	Tor       bool
+	STSOnly   bool
+	WebSocket bool
+	HideSTS   bool
 	// Secure indicates whether we believe the connection between us and the client
 	// was secure against interception and modification (including all proxies):
 	Secure bool
 // ReloadableListener is a wrapper for net.Listener that allows reloading
 // of config data for postprocessing connections (TLS, PROXY protocol, etc.)
 type ReloadableListener struct {
-	// TODO: make this lock-free
-	sync.Mutex
 	realListener net.Listener
-	config       ListenerConfig
-	isClosed     bool
+	// nil means the listener is closed:
+	config atomic.Pointer[ListenerConfig]
 }
 
 func NewReloadableListener(realListener net.Listener, config ListenerConfig) *ReloadableListener {
-	return &ReloadableListener{
+	result := &ReloadableListener{
 		realListener: realListener,
-		config:       config,
 	}
+	result.config.Store(&config) // heap escape
+	return result
 }
 
 func (rl *ReloadableListener) Reload(config ListenerConfig) {
-	rl.Lock()
-	rl.config = config
-	rl.Unlock()
+	rl.config.Store(&config)
 }
 
 func (rl *ReloadableListener) Accept() (conn net.Conn, err error) {
 	conn, err = rl.realListener.Accept()
 
-	rl.Lock()
-	config := rl.config
-	isClosed := rl.isClosed
-	rl.Unlock()
+	config := rl.config.Load()
 
-	if isClosed {
+	if config == nil {
+		// Close() was called
 		if err == nil {
 			conn.Close()
 		}
 	return &WrappedConn{
 		Conn:      conn,
 		ProxiedIP: proxiedIP,
-		Config:    config,
+		TLS:       config.TLSConfig != nil,
+		Tor:       config.Tor,
+		STSOnly:   config.STSOnly,
+		WebSocket: config.WebSocket,
+		HideSTS:   config.HideSTS,
+		// Secure will be set later by client code
 	}, nil
 }
 
 func (rl *ReloadableListener) Close() error {
-	rl.Lock()
-	rl.isClosed = true
-	rl.Unlock()
+	rl.config.Store(nil)
 
 	return rl.realListener.Close()
 }