From 91367caa71fc961cd6d1ab4be16f239980aecc90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emmanuel=20Fust=C3=A9?=
Date: Wed, 6 Mar 2024 13:57:21 +0100
Subject: [PATCH] Fix and optimisation There is a race condition if openssl exit during a renego but after the RENEGOTIATING printing. In this case we could issue a R before the process exit and be blocked in the waiting loop. With the safety guards in place (loop count + timeout) this is harmless but not optimal. Fix this by: - reordering the sleep vs echo to let the process exit and catch the pipe error more frequently. - exit the while loop if RENEGOTIATING is not the last log line. We will catch the pipe error on the next for loop echo. - correct the k variable initialisation - correct the for (( ; ; )) variable $ convention usage - reduce the while loop count limit to 120 to align with the global timeout
---
 testssl.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index ae7d5b3..82e1bfe 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17113,8 +17113,9 @@ run_renego() {
 # too early losing all the attempts before the session establishment as OpenSSL will not buffer them
 # (only the first will be till the establishement of the session).
 (j=0; while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]] && [[ $j -lt 30 ]]; do sleep $ssl_reneg_wait; j=$(($j+1)); done; \
- for ((i=0; i < $ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; j=0; \
- while [[ $(grep -ac '^RENEGOTIATING' $ERRFILE) -ne $(($i+3)) ]] && [[ -f $TEMPDIR/allowed_to_loop ]] && [[ $k -lt 180 ]]; \
+ for ((i=0; i < $ssl_reneg_attempts; i++ )); do sleep $ssl_reneg_wait; echo R; k=0; \
+ while [[ $(grep -ac '^RENEGOTIATING' $ERRFILE) -ne $(($i+3)) ]] && [[ -f $TEMPDIR/allowed_to_loop ]] \
+ && [[ $(tail -n1 $ERRFILE |grep -ac '^RENEGOTIATING') -eq 1 ]] && [[ $k -lt 120 ]]; \
 do sleep $ssl_reneg_wait; k=$(($k+1)); done; \
 done) | \
 $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
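Review bot: The added `tail -n1 $ERRFILE` condition ends the inner wait as soon as any line follows RENEGOTIATING in the s_client stderr log, not only when the process has exited, and nothing next to the loop explains that. Since the continuation lines cannot carry a comment, the block above the subshell should gain one such as `# leave the wait loop once RENEGOTIATING is no longer the last line of $ERRFILE; a dead s_client is then caught by the pipe error on the next echo R`. The new expansion is unquoted and runs `grep -c` only to compare the count with 1; `[[ $(tail -n1 "$ERRFILE") == RENEGOTIATING* ]]` should express the same test with one process fewer. The description lists a correction of the `$` usage inside `for (( ))`, yet the new line still reads `i < $ssl_reneg_attempts`. run_renego starts and ends outside this hunk, so how the RENEGOTIATING counts feed the final verdict cannot be checked from here.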