From ae332f6e8d26487ba4556283dcde2bf96da76467 Mon Sep 17 00:00:00 2001 From: Klemens Nanni Date: Tue, 29 Jun 2021 15:34:03 +0200 Subject: Perform TLS handshake after final pledge ircConnect() yields a connected TCP socket after which "inet dns" is no longer needed. Possibly having loaded private key material, it seems a tad more comforting to speak TLS *after* dropping any network capabilities (except for socket read/write to the IRC host, of course). Instead of moving the final pledge into irc.c:ircConnect() and thus complicating the code around pledge across two C modules, simply stub out an mnemonic ircHandshake() and call that explicitly. This restores behaviour gained with 981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which was reverted for other reasons. --- irc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'irc.c') diff --git a/irc.c b/irc.c index c308e46..e1e5bf9 100644 --- a/irc.c +++ b/irc.c @@ -104,7 +104,6 @@ void ircConfig( error = tls_configure(client, config); if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client)); - tls_config_free(config); } int ircConnect(const char *bindHost, const char *host, const char *port) { @@ -163,17 +162,22 @@ int ircConnect(const char *bindHost, const char *host, const char *port) { error = tls_connect_socket(client, sock, host); if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client)); + return sock; +} + +void ircHandshake(void) { + int error; do { error = tls_handshake(client); } while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT); if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client)); tls_config_clear_keys(config); - return sock; } void ircPrintCert(void) { size_t len; + ircHandshake(); const byte *pem = tls_peer_cert_chain_pem(client, &len); printf("subject= %s\n", tls_peer_cert_subject(client)); fwrite(pem, len, 1, stdout); -- cgit 1.4.1-2-gfad0