diff options
| author | Klemens Nanni | 2021-06-29 15:34:03 +0200 |
|---|---|---|
| committer | C. McEnroe | 2021-07-13 15:21:57 -0400 |
| commit | ae332f6e8d26487ba4556283dcde2bf96da76467 (patch) | |
| tree | bff82b817567a824ca3e644abed9b3c36388ffe6 | |
| parent | ae64d277b8204c156a30d2e8b6a958e5a31f2a7f (diff) | |
Perform TLS handshake after final pledge
ircConnect() yields a connected TCP socket after which "inet dns" is
no longer needed.
Possibly having loaded private key material, it seems a tad more
comforting to speak TLS *after* dropping any network capabilities
(except for socket read/write to the IRC host, of course).
Instead of moving the final pledge into irc.c:ircConnect() and thus
complicating the code around pledge across two C modules, simply
stub out an mnemonic ircHandshake() and call that explicitly.
This restores behaviour gained with
981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which
was reverted for other reasons.
| -rw-r--r-- | chat.c | 1 | ||||
| -rw-r--r-- | chat.h | 1 | ||||
| -rw-r--r-- | irc.c | 8 |
3 files changed, 8 insertions, 2 deletions
@@ -345,6 +345,7 @@ int main(int argc, char *argv[]) { } #endif + ircHandshake(); if (pass) { ircFormat("PASS :"); ircSend(pass, strlen(pass)); @@ -235,6 +235,7 @@ void ircConfig( bool insecure, const char *trust, const char *cert, const char *priv ); int ircConnect(const char *bind, const char *host, const char *port); +void ircHandshake(void); void ircPrintCert(void); void ircRecv(void); void ircSend(const char *ptr, size_t len); @@ -104,7 +104,6 @@ void ircConfig( error = tls_configure(client, config); if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client)); - tls_config_free(config); } int ircConnect(const char *bindHost, const char *host, const char *port) { @@ -163,17 +162,22 @@ int ircConnect(const char *bindHost, const char *host, const char *port) { error = tls_connect_socket(client, sock, host); if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client)); + return sock; +} + +void ircHandshake(void) { + int error; do { error = tls_handshake(client); } while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT); if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client)); tls_config_clear_keys(config); - return sock; } void ircPrintCert(void) { size_t len; + ircHandshake(); const byte *pem = tls_peer_cert_chain_pem(client, &len); printf("subject= %s\n", tls_peer_cert_subject(client)); fwrite(pem, len, 1, stdout); |