From bba1229c863469f7b3541d525af1f0e07e1ccdd1 Mon Sep 17 00:00:00 2001 From: "C. McEnroe" Date: Fri, 13 Nov 2020 19:57:51 -0500 Subject: Wait for POLLIN to do client tls_handshake Otherwise a client could cause pounce to hang (since the sockets are left blocking) by opening a connection without handshaking! Oops, that's pretty bad. Since the sockets are still blocking, a hang can still be caused by a client sending a partial handshake then waiting. More fixes to follow. pounce is slightly protected from this when used with calico, as it applies a timeout to waiting for the ClientHello. --- client.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'client.c') diff --git a/client.c b/client.c index 36f8008..6f36539 100644 --- a/client.c +++ b/client.c @@ -48,6 +48,7 @@ char *clientAway; static size_t active; enum Need { + BIT(NeedHandshake), BIT(NeedNick), BIT(NeedUser), BIT(NeedPass), @@ -69,11 +70,23 @@ struct Client *clientAlloc(struct tls *tls) { struct Client *client = calloc(1, sizeof(*client)); if (!client) err(EX_OSERR, "calloc"); client->tls = tls; - client->need = NeedNick | NeedUser | (clientPass ? NeedPass : 0); - if ((clientCaps & CapSASL) && tls_peer_cert_provided(tls)) { + client->need = NeedHandshake | NeedNick | NeedUser; + if (clientPass) client->need |= NeedPass; + return client; +} + +static void clientHandshake(struct Client *client) { + int error = tls_handshake(client->tls); + if (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT) return; + if (error) { + warnx("client tls_handshake: %s", tls_error(client->tls)); + client->error = true; + return; + } + client->need &= ~NeedHandshake; + if ((clientCaps & CapSASL) && tls_peer_cert_provided(client->tls)) { client->need &= ~NeedPass; } - return client; } void clientFree(struct Client *client) { @@ -369,6 +382,11 @@ static bool intercept(const char *line, size_t len) { } void clientRecv(struct Client *client) { + if (client->need & NeedHandshake) { + clientHandshake(client); + return; + } + ssize_t read = tls_read( client->tls, &client->buf[client->len], sizeof(client->buf) - client->len -- cgit 1.4.1