Diffstat (limited to 'irc.c')
-rw-r--r-- | irc.c | 107 |
1 files changed, 63 insertions, 44 deletions
diff --git a/irc.c b/irc.c index c98193a..28e557b 100644 --- a/irc.c +++ b/irc.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2020 C. McEnroe <june@causal.agency> +/* Copyright (C) 2020 June McEnroe <june@causal.agency> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,6 +27,9 @@ #include <assert.h> #include <err.h> +#include <errno.h> +#include <fcntl.h> +#include <limits.h> #include <netdb.h> #include <netinet/in.h> #include <stdarg.h> @@ -35,27 +38,22 @@ #include <string.h> #include <sys/socket.h> #include <sys/stat.h> -#include <sysexits.h> #include <tls.h> #include <unistd.h> #include "chat.h" -struct tls *client; +static struct tls *client; +static struct tls_config *config; void ircConfig( bool insecure, const char *trust, const char *cert, const char *priv ) { - struct tls_config *config = tls_config_new(); - if (!config) errx(EX_SOFTWARE, "tls_config_new"); - - int error = tls_config_set_ciphers(config, "compat"); - if (error) { - errx( - EX_SOFTWARE, "tls_config_set_ciphers: %s", - tls_config_error(config) - ); - } + int error = 0; + char buf[PATH_MAX]; + + config = tls_config_new(); + if (!config) errx(1, "tls_config_new"); if (insecure) { tls_config_insecure_noverifycert(config); 
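Review bot: The new file-scope `config` is never released now that `tls_config_free(config)` has been removed from `ircConfig`, and nothing at the declaration says why; a comment there would stop the next reader from re-adding the free, e.g. `static struct tls_config *config; // kept for the whole process: ircHandshake clears its keys after the handshake`. Dropping `tls_config_set_ciphers(config, "compat")` also moves the client onto libtls's default cipher list, which is a hardening change that should be called out so users who suddenly fail handshakes against old servers know where to look. `ircConfig`'s body continues past the end of this hunk.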
@@ -63,41 +61,48 @@ void ircConfig( } if (trust) { tls_config_insecure_noverifyname(config); - const char *dirs = NULL; - for (const char *path; NULL != (path = configPath(&dirs, trust));) { - error = tls_config_set_ca_file(config, path); + for (int i = 0; configPath(buf, sizeof(buf), trust, i); ++i) { + error = tls_config_set_ca_file(config, buf); if (!error) break; } - if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config)); + if (error) errx(1, "%s: %s", trust, tls_config_error(config)); } + // Explicitly load the default CA cert file on OpenBSD now so it doesn't + // need to be unveiled. Other systems might use a CA directory, so avoid + // changing the default behavior. +#ifdef __OpenBSD__ + if (!insecure && !trust) { + const char *ca = tls_default_ca_cert_file(); + error = tls_config_set_ca_file(config, ca); + if (error) errx(1, "%s: %s", ca, tls_config_error(config)); + } +#endif + if (cert) { - const char *dirs = NULL; - for (const char *path; NULL != (path = configPath(&dirs, cert));) { + for (int i = 0; configPath(buf, sizeof(buf), cert, i); ++i) { if (priv) { - error = tls_config_set_cert_file(config, path); + error = tls_config_set_cert_file(config, buf); } else { - error = tls_config_set_keypair_file(config, path, path); + error = tls_config_set_keypair_file(config, buf, buf); } if (!error) break; } - if (error) errx(EX_NOINPUT, "%s: %s", cert, tls_config_error(config)); + if (error) errx(1, "%s: %s", cert, tls_config_error(config)); } if (priv) { - const char *dirs = NULL; - for (const char *path; NULL != (path = configPath(&dirs, priv));) { - error = tls_config_set_key_file(config, path); + for (int i = 0; configPath(buf, sizeof(buf), priv, i); ++i) { + error = tls_config_set_key_file(config, buf); if (!error) break; } - if (error) errx(EX_NOINPUT, "%s: %s", priv, tls_config_error(config)); + if (error) errx(1, "%s: %s", priv, tls_config_error(config)); } client = tls_client(); - if (!client) errx(EX_SOFTWARE, "tls_client"); + if 
(!client) errx(1, "tls_client"); error = tls_configure(client, config); - if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client)); - tls_config_free(config); + if (error) errx(1, "tls_configure: %s", tls_error(client)); } int ircConnect(const char *bindHost, const char *host, const char *port) { @@ -114,11 +119,11 @@ int ircConnect(const char *bindHost, const char *host, const char *port) { if (bindHost) { error = getaddrinfo(bindHost, NULL, &hints, &head); - if (error) errx(EX_NOHOST, "%s: %s", bindHost, gai_strerror(error)); + if (error) errx(1, "%s: %s", bindHost, gai_strerror(error)); for (struct addrinfo *ai = head; ai; ai = ai->ai_next) { sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); - if (sock < 0) err(EX_OSERR, "socket"); + if (sock < 0) err(1, "socket"); error = bind(sock, ai->ai_addr, ai->ai_addrlen); if (!error) { 
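Review bot: In the `trust`, `cert` and `priv` loops `error` is only assigned inside the loop body, so if `configPath` yields no candidate at all the following `if (error)` sees the 0 left over from `int error = 0;` or from the previous successful load, and the requested file is silently skipped — the client would then connect without the CA bundle or client certificate the user asked for. Whether `configPath` can return nothing on its first call is not visible here (it lives in chat.h), but resetting `error = -1;` immediately before each loop, or tracking a `loaded` flag, makes the check independent of that. In that first-iteration case the error message should not rely on `tls_config_error(config)` alone, since no libtls call has failed yet and the string may be empty.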
@@ -129,39 +134,49 @@ int ircConnect(const char *bindHost, const char *host, const char *port) { close(sock); sock = -1; } - if (sock < 0) err(EX_UNAVAILABLE, "%s", bindHost); + if (sock < 0) err(1, "%s", bindHost); freeaddrinfo(head); } error = getaddrinfo(host, port, &hints, &head); - if (error) errx(EX_NOHOST, "%s:%s: %s", host, port, gai_strerror(error)); + if (error) errx(1, "%s:%s: %s", host, port, gai_strerror(error)); for (struct addrinfo *ai = head; ai; ai = ai->ai_next) { if (sock < 0) { sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); - if (sock < 0) err(EX_OSERR, "socket"); + if (sock < 0) err(1, "socket"); } error = connect(sock, ai->ai_addr, ai->ai_addrlen); if (!error) break; + if (error && errno == EINTR) break; // connect continues asynchronously close(sock); sock = -1; } - if (sock < 0) err(EX_UNAVAILABLE, "%s:%s", host, port); + if (sock < 0) err(69, "%s:%s", host, port); freeaddrinfo(head); + fcntl(sock, F_SETFD, FD_CLOEXEC); error = tls_connect_socket(client, sock, host); - if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client)); - - error = tls_handshake(client); - if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client)); + if (error) errx(1, "tls_connect: %s", tls_error(client)); return sock; } +void ircHandshake(void) { + int error; + do { + error = tls_handshake(client); + } while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT); + if (error) errx(1, "tls_handshake: %s", tls_error(client)); + + tls_config_clear_keys(config); +} + void ircPrintCert(void) { size_t len; + ircHandshake(); const byte *pem = tls_peer_cert_chain_pem(client, &len); printf("subject= %s\n", tls_peer_cert_subject(client)); fwrite(pem, len, 1, stdout); 
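Review bot: `err(69, "%s:%s", host, port)` reintroduces the numeric value of `EX_UNAVAILABLE` as a bare literal after `<sysexits.h>` was dropped, and the same `69` appears again for "server closed connection" in `ircRecv`; a named constant keeps the intent visible, e.g. `enum { ExitUnavailable = 69 }; // EX_UNAVAILABLE, presumably kept so a supervisor can tell a dead server from a config error`. The `fcntl(sock, F_SETFD, FD_CLOEXEC)` call ignores its return value and only runs after the descriptor has existed across the connect loop; where `SOCK_CLOEXEC` is available, passing it in `socket()` closes that window and needs no check. The `error &&` in `if (error && errno == EINTR) break;` is always true at that point, because the line above already breaks on `!error`, so `if (errno == EINTR) break;` reads cleaner. `ircConnect` begins before this hunk.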
@@ -186,7 +201,7 @@ void ircSend(const char *ptr, size_t len) { while (len) { ssize_t ret = tls_write(client, ptr, len); if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) continue; - if (ret < 0) errx(EX_IOERR, "tls_write: %s", tls_error(client)); + if (ret < 0) errx(1, "tls_write: %s", tls_error(client)); ptr += ret; len -= ret; } @@ -234,8 +249,12 @@ static struct Message parse(char *line) { char *key = strsep(&tag, "="); for (uint i = 0; i < TagCap; ++i) { if (strcmp(key, TagNames[i])) continue; - unescape(tag); - msg.tags[i] = tag; + if (tag) { + unescape(tag); + msg.tags[i] = tag; + } else { + msg.tags[i] = ""; + } break; } } @@ -267,8 +286,8 @@ void ircRecv(void) { assert(client); ssize_t ret = tls_read(client, &buf[len], sizeof(buf) - len); if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) return; - if (ret < 0) errx(EX_IOERR, "tls_read: %s", tls_error(client)); - if (!ret) errx(EX_PROTOCOL, "server closed connection"); + if (ret < 0) errx(1, "tls_read: %s", tls_error(client)); + if (!ret) errx(69, "server closed connection"); len += ret; char *crlf; |
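Review bot: The new `if (tag)` branch guards the case where `strsep` finds no `=` and leaves `tag` NULL, but the reason the value becomes `""` is not written down; a comment such as `// strsep leaves tag NULL when the tag has no "="; treat that as an empty value` would make both halves of the branch clear. If `msg.tags` is an array of non-const `char *`, storing the literal `""` means any later write through that pointer is undefined behavior — worth a `const` on the field or a note at its declaration, which is outside this hunk. `parse`'s body starts before and ends after this hunk.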