Hoist loading default root certificates into ircConfig()

tls_connect_socket(3) in ircConnect() does that by default already
unless tls_config_set_ca_file(3) was used.

Loading CA certificates before connecting makes no practical difference
except on OpenBSD where this allows for tighter unveil und pledge setups
now that all required (TLS related) file I/O is finished by the time
ircConnect() gets to do network I/O.

In case of the hidden `-!' insecure flag which is implied by `-o' to
print server certificates and exit, loading root certificates is not
required at all;  likewise, using explicit self signed server
certificates will not involve certificate authorities either, hence load
them only if needed.
master
Klemens Nanni 2021-06-10 01:32:09 +00:00 committed by C. McEnroe
parent 0a1cfca0f4
commit 171a56ee2d
1 changed files with 6 additions and 0 deletions

6
irc.c
View File

@ -71,6 +71,12 @@ void ircConfig(
if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config)); if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config));
} }
if (!insecure && !trust) {
const char *ca = tls_default_ca_cert_file();
error = tls_config_set_ca_file(config, ca);
if (error) errx(EX_OSFILE, "%s: %s", ca, tls_config_error(config));
}
if (cert) { if (cert) {
const char *dirs = NULL; const char *dirs = NULL;
for (const char *path; NULL != (path = configPath(&dirs, cert));) { for (const char *path; NULL != (path = configPath(&dirs, cert));) {