Perform TLS handshake after final pledge
ircConnect() yields a connected TCP socket after which "inet dns" is
no longer needed.
Possibly having loaded private key material, it seems a tad more
comforting to speak TLS *after* dropping any network capabilities
(except for socket read/write to the IRC host, of course).
Instead of moving the final pledge into irc.c:ircConnect() and thus
complicating the code around pledge across two C modules, simply
stub out an mnemonic ircHandshake() and call that explicitly.
This restores behaviour gained with
981ebc4
"Remove explicit tls_handshake(3) from ircConnect" which
was reverted for other reasons.
weechat-hashes
parent
ae64d277b8
commit
ae332f6e8d
1
chat.c
1
chat.c
|
@ -345,6 +345,7 @@ int main(int argc, char *argv[]) {
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
ircHandshake();
|
||||||
if (pass) {
|
if (pass) {
|
||||||
ircFormat("PASS :");
|
ircFormat("PASS :");
|
||||||
ircSend(pass, strlen(pass));
|
ircSend(pass, strlen(pass));
|
||||||
|
|
1
chat.h
1
chat.h
|
@ -235,6 +235,7 @@ void ircConfig(
|
||||||
bool insecure, const char *trust, const char *cert, const char *priv
|
bool insecure, const char *trust, const char *cert, const char *priv
|
||||||
);
|
);
|
||||||
int ircConnect(const char *bind, const char *host, const char *port);
|
int ircConnect(const char *bind, const char *host, const char *port);
|
||||||
|
void ircHandshake(void);
|
||||||
void ircPrintCert(void);
|
void ircPrintCert(void);
|
||||||
void ircRecv(void);
|
void ircRecv(void);
|
||||||
void ircSend(const char *ptr, size_t len);
|
void ircSend(const char *ptr, size_t len);
|
||||||
|
|
8
irc.c
8
irc.c
|
@ -104,7 +104,6 @@ void ircConfig(
|
||||||
|
|
||||||
error = tls_configure(client, config);
|
error = tls_configure(client, config);
|
||||||
if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
|
if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
|
||||||
tls_config_free(config);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int ircConnect(const char *bindHost, const char *host, const char *port) {
|
int ircConnect(const char *bindHost, const char *host, const char *port) {
|
||||||
|
@ -163,17 +162,22 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
|
||||||
error = tls_connect_socket(client, sock, host);
|
error = tls_connect_socket(client, sock, host);
|
||||||
if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client));
|
if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client));
|
||||||
|
|
||||||
|
return sock;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ircHandshake(void) {
|
||||||
|
int error;
|
||||||
do {
|
do {
|
||||||
error = tls_handshake(client);
|
error = tls_handshake(client);
|
||||||
} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
|
} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
|
||||||
if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
|
if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
|
||||||
|
|
||||||
tls_config_clear_keys(config);
|
tls_config_clear_keys(config);
|
||||||
return sock;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void ircPrintCert(void) {
|
void ircPrintCert(void) {
|
||||||
size_t len;
|
size_t len;
|
||||||
|
ircHandshake();
|
||||||
const byte *pem = tls_peer_cert_chain_pem(client, &len);
|
const byte *pem = tls_peer_cert_chain_pem(client, &len);
|
||||||
printf("subject= %s\n", tls_peer_cert_subject(client));
|
printf("subject= %s\n", tls_peer_cert_subject(client));
|
||||||
fwrite(pem, len, 1, stdout);
|
fwrite(pem, len, 1, stdout);
|
||||||
|
|
Loading…
Reference in New Issue