implement STARTTLS auto-negotiation

2017-02-21 09:18:57 -05:00 · 2017-02-21 09:18:57 -05:00 · 6d62d7437d
parent 0e06bec55b
commit 6d62d7437d
2 changed files with 106 additions and 11 deletions
--- a/client.go
+++ b/client.go
@ -110,6 +110,9 @@ type Config struct {
 	// socket creation to the server. SSL must be enabled for this to be used.
 	// This only has an affect during the dial process.
 	TLSConfig *tls.Config
+	// DisableSTARTTLS disables the auto-negotiation and upgrade to TLS/SSL
+	// if the server states that it is supported.
+	DisableSTARTTLS bool
 	// Retries is the number of times the client will attempt to reconnect
 	// to the server after the last disconnect.
 	Retries int
--- a/conn.go
+++ b/conn.go
@ -126,6 +126,31 @@ func newConn(conf Config, addr string) (*ircConn, error) {
 	return c, nil
 }

+func (c *ircConn) decode() (event *Event, err error) {
+	line, err := c.io.ReadString(delim)
+	if err != nil {
+		return nil, err
+	}
+
+	event = ParseEvent(line)
+	if event == nil {
+		return nil, fmt.Errorf("unable to parse incoming event: %s", event)
+	}
+
+	return event, nil
+}
+
+func (c *ircConn) encode(event *Event) error {
+	if _, err := c.io.Write(event.Bytes()); err != nil {
+		return err
+	}
+	if _, err := c.io.Write(endline); err != nil {
+		return err
+	}
+
+	return c.io.Flush()
+}
+
 func (c *ircConn) newReadWriter() {
 	c.io = bufio.NewReadWriter(bufio.NewReader(c.sock), bufio.NewWriter(c.sock))
 }
@ -139,6 +164,61 @@ func tlsHandshake(conn net.Conn, conf *tls.Config, server string, validate bool)
 	return net.Conn(tlsConn), nil
 }

+func (c *Client) startTLSHandshake() {
+	if c.Config.Out != nil {
+		fmt.Fprintln(c.Config.Out, "[*] attempting to upgrade connection to SSL/TLS")
+	}
+
+	c.debug.Print("initiating STARTTLS handshake")
+	// Success -- the server supports STARTTLS, and it's awaiting our ACK
+	// and/or handshake before proceeding. Upgrade the connection, then
+	// let our first read with the new connection make the handshake for us.
+	_, done := c.Handlers.AddTmp(RPL_STARTTLS, 3*time.Second, func(client *Client, e Event) bool {
+		defer func() {
+			// Initiate a new readLoop, as the previous one gets closed upon
+			// receiving a RPL_STARTTLS.
+			var rctx context.Context
+			rctx, c.closeRead = context.WithCancel(context.Background())
+			go c.readLoop(rctx)
+		}()
+
+		tlsConn, err := tlsHandshake(c.conn.sock, c.Config.TLSConfig, c.Config.Server, false)
+		if err != nil {
+			c.debug.Printf("unable to complete tls upgrade: %s", err)
+			return true
+		}
+
+		c.conn.sock = tlsConn
+		c.conn.newReadWriter()
+
+		if c.Config.Out != nil {
+			fmt.Fprintln(c.Config.Out, "[*] successfully completed TLS/SSL handshake")
+		}
+		c.debug.Print("completed tls upgrade")
+		return true
+	})
+
+	// If for some reason the server has an error. This should never occur.
+	_, fail := c.Handlers.AddTmp(ERR_STARTTLS, 0, func(client *Client, e Event) bool {
+		c.debug.Print("unable to complete tls upgrade: server returned error")
+		return true
+	})
+
+	// Send the request to see if we can handshake. Once a server that
+	// supports STARTTLS sees this, it should completely halt any other
+	// commands/responses, other than success/fail, and should wait for the
+	// connection to be upgraded/the handshake to go through.
+	c.conn.encode(&Event{Command: STARTTLS})
+
+	// Wait for either a success, or fail. Whichever is first.
+	select {
+	case <-done:
+		return
+	case <-fail:
+		return
+	}
+}
+
 // Close closes the underlying socket.
 func (c *ircConn) Close() error {
 	return c.sock.Close()
@ -172,10 +252,18 @@ func (c *Client) Connect() error {
 	ectx, c.closeExec = context.WithCancel(context.Background())
 	sctx, c.closeSend = context.WithCancel(context.Background())
 	pctx, c.closePing = context.WithCancel(context.Background())
-	go c.readLoop(rctx)
 	go c.execLoop(ectx)
-	go c.sendLoop(sctx)
+	go c.readLoop(rctx)
 	go c.pingLoop(pctx)
+	go c.sendLoop(sctx)
+
+	// Initiate a STARTTLS based handshake, to optionally upgrade the
+	// connection, without user interaction. Even though this has flaws (and
+	// one should really explicitly use SSL: true, and TLSConfig), it would
+	// be better than plain text.
+	if !c.Config.SSL && !c.Config.DisableSTARTTLS {
+		c.startTLSHandshake()
+	}

 	// Send a virtual event allowing hooks for successful socket connection.
 	c.RunHandlers(&Event{Command: INITIALIZED, Trailing: c.Server()})
@ -275,7 +363,6 @@ func (c *Client) disconnectHandler(err error) {
 // IRC server. If there is an error, it calls Reconnect.
 func (c *Client) readLoop(ctx context.Context) {
 	var event *Event
-	var line string
 	var err error

 	for {
@ -283,23 +370,28 @@ func (c *Client) readLoop(ctx context.Context) {
 		case <-ctx.Done():
 			return
 		default:
-			c.conn.sock.SetDeadline(time.Now().Add(300 * time.Second))
-			line, err = c.conn.io.ReadString(delim)
+			// c.conn.sock.SetDeadline(time.Now().Add(300 * time.Second))
+			event, err = c.conn.decode()
 			if err != nil {
 				// Attempt a reconnect (if applicable). If it fails, send
 				// the error to c.Config.HandleError to be dealt with, if
 				// the handler exists.
 				c.disconnectHandler(err)
-
 				return
 			}

-			event = ParseEvent(line)
-			if event == nil {
-				continue
-			}
-
 			c.rx <- event
+
+			// Why do we do this? -- If we let readLoop continue to try and
+			// read from the current socket, it may not pause long enough
+			// to start reading from the upgraded socket. In short, once we
+			// confirmed from the server that we can upgrade via STARTTLS,
+			// stop reading, upgrade, then let the STARTTLS process initiate
+			// a new readLoop.
+			if event.Command == RPL_STARTTLS && !c.Config.DisableSTARTTLS {
+				c.debug.Print("exiting readLoop due to STARTTLS")
+				return
+			}
 		}
 	}
 }