Diffstat (limited to 'irc.c')
-rw-r--r--irc.c107
1 files changed, 63 insertions, 44 deletions
diff --git a/irc.c b/irc.c
index c98193a..28e557b 100644
--- a/irc.c
+++ b/irc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020  C. McEnroe <june@causal.agency>
+/* Copyright (C) 2020  June McEnroe <june@causal.agency>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -27,6 +27,9 @@
 
 #include <assert.h>
 #include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <stdarg.h>
@@ -35,27 +38,22 @@
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
-#include <sysexits.h>
 #include <tls.h>
 #include <unistd.h>
 
 #include "chat.h"
 
-struct tls *client;
+static struct tls *client;
+static struct tls_config *config;
 
 void ircConfig(
 	bool insecure, const char *trust, const char *cert, const char *priv
 ) {
-	struct tls_config *config = tls_config_new();
-	if (!config) errx(EX_SOFTWARE, "tls_config_new");
-
-	int error = tls_config_set_ciphers(config, "compat");
-	if (error) {
-		errx(
-			EX_SOFTWARE, "tls_config_set_ciphers: %s",
-			tls_config_error(config)
-		);
-	}
+	int error = 0;
+	char buf[PATH_MAX];
+
+	config = tls_config_new();
+	if (!config) errx(1, "tls_config_new");
 
 	if (insecure) {
 		tls_config_insecure_noverifycert(config);
@@ -63,41 +61,48 @@ void ircConfig(
 	}
 	if (trust) {
 		tls_config_insecure_noverifyname(config);
-		const char *dirs = NULL;
-		for (const char *path; NULL != (path = configPath(&dirs, trust));) {
-			error = tls_config_set_ca_file(config, path);
+		for (int i = 0; configPath(buf, sizeof(buf), trust, i); ++i) {
+			error = tls_config_set_ca_file(config, buf);
 			if (!error) break;
 		}
-		if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config));
+		if (error) errx(1, "%s: %s", trust, tls_config_error(config));
 	}
 
+	// Explicitly load the default CA cert file on OpenBSD now so it doesn't
+	// need to be unveiled. Other systems might use a CA directory, so avoid
+	// changing the default behavior.
+#ifdef __OpenBSD__
+	if (!insecure && !trust) {
+		const char *ca = tls_default_ca_cert_file();
+		error = tls_config_set_ca_file(config, ca);
+		if (error) errx(1, "%s: %s", ca, tls_config_error(config));
+	}
+#endif
+
 	if (cert) {
-		const char *dirs = NULL;
-		for (const char *path; NULL != (path = configPath(&dirs, cert));) {
+		for (int i = 0; configPath(buf, sizeof(buf), cert, i); ++i) {
 			if (priv) {
-				error = tls_config_set_cert_file(config, path);
+				error = tls_config_set_cert_file(config, buf);
 			} else {
-				error = tls_config_set_keypair_file(config, path, path);
+				error = tls_config_set_keypair_file(config, buf, buf);
 			}
 			if (!error) break;
 		}
-		if (error) errx(EX_NOINPUT, "%s: %s", cert, tls_config_error(config));
+		if (error) errx(1, "%s: %s", cert, tls_config_error(config));
 	}
 	if (priv) {
-		const char *dirs = NULL;
-		for (const char *path; NULL != (path = configPath(&dirs, priv));) {
-			error = tls_config_set_key_file(config, path);
+		for (int i = 0; configPath(buf, sizeof(buf), priv, i); ++i) {
+			error = tls_config_set_key_file(config, buf);
 			if (!error) break;
 		}
-		if (error) errx(EX_NOINPUT, "%s: %s", priv, tls_config_error(config));
+		if (error) errx(1, "%s: %s", priv, tls_config_error(config));
 	}
 
 	client = tls_client();
-	if (!client) errx(EX_SOFTWARE, "tls_client");
+	if (!client) errx(1, "tls_client");
 
 	error = tls_configure(client, config);
-	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
-	tls_config_free(config);
+	if (error) errx(1, "tls_configure: %s", tls_error(client));
 }
 
 int ircConnect(const char *bindHost, const char *host, const char *port) {
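Review bot: Each `for (int i = 0; configPath(buf, sizeof(buf), X, i); ++i)` loop reports failure only through `error`, which starts at 0 (and is 0 again after any earlier loop succeeded), so if configPath ever yields no candidate at all for i == 0 the trust, cert or key file is silently skipped rather than rejected — for the `cert`/`priv` case that means connecting with no client certificate and finding out only when SASL EXTERNAL fails. I cannot see configPath here, so this may be impossible by construction; if it is not, a one-line guard per loop such as `error = 1;` before the loop (with a non-libtls message when nothing was tried, e.g. `if (error) errx(1, "%s: no candidate path", cert);`) closes the gap. The OpenBSD-only `tls_config_set_ca_file(config, tls_default_ca_cert_file())` block is fine, but its comment should also say that when `trust` is set the default CA is deliberately not loaded, since `tls_config_insecure_noverifyname` is in effect on that path and the custom anchor is the only trust.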
@@ -114,11 +119,11 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
 
 	if (bindHost) {
 		error = getaddrinfo(bindHost, NULL, &hints, &head);
-		if (error) errx(EX_NOHOST, "%s: %s", bindHost, gai_strerror(error));
+		if (error) errx(1, "%s: %s", bindHost, gai_strerror(error));
 
 		for (struct addrinfo *ai = head; ai; ai = ai->ai_next) {
 			sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-			if (sock < 0) err(EX_OSERR, "socket");
+			if (sock < 0) err(1, "socket");
 
 			error = bind(sock, ai->ai_addr, ai->ai_addrlen);
 			if (!error) {
@@ -129,39 +134,49 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
 			close(sock);
 			sock = -1;
 		}
-		if (sock < 0) err(EX_UNAVAILABLE, "%s", bindHost);
+		if (sock < 0) err(1, "%s", bindHost);
 		freeaddrinfo(head);
 	}
 
 	error = getaddrinfo(host, port, &hints, &head);
-	if (error) errx(EX_NOHOST, "%s:%s: %s", host, port, gai_strerror(error));
+	if (error) errx(1, "%s:%s: %s", host, port, gai_strerror(error));
 
 	for (struct addrinfo *ai = head; ai; ai = ai->ai_next) {
 		if (sock < 0) {
 			sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-			if (sock < 0) err(EX_OSERR, "socket");
+			if (sock < 0) err(1, "socket");
 		}
 
 		error = connect(sock, ai->ai_addr, ai->ai_addrlen);
 		if (!error) break;
+		if (error && errno == EINTR) break; // connect continues asynchronously
 
 		close(sock);
 		sock = -1;
 	}
-	if (sock < 0) err(EX_UNAVAILABLE, "%s:%s", host, port);
+	if (sock < 0) err(69, "%s:%s", host, port);
 	freeaddrinfo(head);
 
+	fcntl(sock, F_SETFD, FD_CLOEXEC);
 	error = tls_connect_socket(client, sock, host);
-	if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client));
-
-	error = tls_handshake(client);
-	if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
+	if (error) errx(1, "tls_connect: %s", tls_error(client));
 
 	return sock;
 }
 
+void ircHandshake(void) {
+	int error;
+	do {
+		error = tls_handshake(client);
+	} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
+	if (error) errx(1, "tls_handshake: %s", tls_error(client));
+
+	tls_config_clear_keys(config);
+}
+
 void ircPrintCert(void) {
 	size_t len;
+	ircHandshake();
 	const byte *pem = tls_peer_cert_chain_pem(client, &len);
 	printf("subject= %s\n", tls_peer_cert_subject(client));
 	fwrite(pem, len, 1, stdout);
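Review bot: `tls_config_clear_keys(config)` at the end of ircHandshake only runs if ircHandshake is called explicitly; if the first I/O after ircConnect is a tls_read/tls_write, libtls performs the handshake implicitly and the private key stays in the config for the life of the process. The caller is outside this file, so this may already be guaranteed — if so, document the contract above the function: `// Must be called before any tls_read/tls_write so the private key can be dropped from memory once the handshake has used it.` Two smaller points on the same hunk: `fcntl(sock, F_SETFD, FD_CLOEXEC)` ignores its return value, and `err(69, "%s:%s", host, port)` is a bare magic number now that sysexits.h is gone — a comment such as `// 69 was EX_UNAVAILABLE; presumably kept so supervisors can tell "retry later" from other failures` (or a named enum) keeps the intent readable.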
@@ -186,7 +201,7 @@ void ircSend(const char *ptr, size_t len) {
 	while (len) {
 		ssize_t ret = tls_write(client, ptr, len);
 		if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) continue;
-		if (ret < 0) errx(EX_IOERR, "tls_write: %s", tls_error(client));
+		if (ret < 0) errx(1, "tls_write: %s", tls_error(client));
 		ptr += ret;
 		len -= ret;
 	}
@@ -234,8 +249,12 @@ static struct Message parse(char *line) {
 			char *key = strsep(&tag, "=");
 			for (uint i = 0; i < TagCap; ++i) {
 				if (strcmp(key, TagNames[i])) continue;
-				unescape(tag);
-				msg.tags[i] = tag;
+				if (tag) {
+					unescape(tag);
+					msg.tags[i] = tag;
+				} else {
+					msg.tags[i] = "";
+				}
 				break;
 			}
 		}
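Review bot: `msg.tags[i] = "";` stores a pointer to a read-only string literal in what is otherwise a pointer into the writable line buffer (the sibling branch passes `tag` through `unescape`, which mutates in place), so any downstream code that edits a tag value through `msg.tags[i]` would now write to read-only memory for a valueless tag. I cannot see the consumers of `msg.tags`, so this may be harmless; if a writable empty string is wanted, `msg.tags[i] = key + strlen(key);` points at the NUL that `strsep` already placed inside the line buffer and needs no literal. Either way the empty-value handling is the right fix for a tag sent without `=`. The enclosing parse() begins and ends outside this hunk.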
@@ -267,8 +286,8 @@ void ircRecv(void) {
 	assert(client);
 	ssize_t ret = tls_read(client, &buf[len], sizeof(buf) - len);
 	if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) return;
-	if (ret < 0) errx(EX_IOERR, "tls_read: %s", tls_error(client));
-	if (!ret) errx(EX_PROTOCOL, "server closed connection");
+	if (ret < 0) errx(1, "tls_read: %s", tls_error(client));
+	if (!ret) errx(69, "server closed connection");
 	len += ret;
 
 	char *crlf;