Perform TLS handshake after final pledge

ircConnect() yields a connected TCP socket after which "inet dns" is
no longer needed.

Possibly having loaded private key material, it seems a tad more
comforting to speak TLS *after* dropping any network capabilities
(except for socket read/write to the IRC host, of course).

Instead of moving the final pledge into irc.c:ircConnect() and thus
complicating the code around pledge across two C modules, simply
stub out an mnemonic ircHandshake() and call that explicitly.

This restores behaviour gained with
981ebc4 "Remove explicit tls_handshake(3) from ircConnect" which
was reverted for other reasons.
master
Klemens Nanni 2021-06-29 15:34:03 +02:00 committed by C. McEnroe
parent ae64d277b8
commit ae332f6e8d
3 changed files with 8 additions and 2 deletions

1
chat.c
View File

@ -345,6 +345,7 @@ int main(int argc, char *argv[]) {
} }
#endif #endif
ircHandshake();
if (pass) { if (pass) {
ircFormat("PASS :"); ircFormat("PASS :");
ircSend(pass, strlen(pass)); ircSend(pass, strlen(pass));

1
chat.h
View File

@ -235,6 +235,7 @@ void ircConfig(
bool insecure, const char *trust, const char *cert, const char *priv bool insecure, const char *trust, const char *cert, const char *priv
); );
int ircConnect(const char *bind, const char *host, const char *port); int ircConnect(const char *bind, const char *host, const char *port);
void ircHandshake(void);
void ircPrintCert(void); void ircPrintCert(void);
void ircRecv(void); void ircRecv(void);
void ircSend(const char *ptr, size_t len); void ircSend(const char *ptr, size_t len);

8
irc.c
View File

@ -104,7 +104,6 @@ void ircConfig(
error = tls_configure(client, config); error = tls_configure(client, config);
if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client)); if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
tls_config_free(config);
} }
int ircConnect(const char *bindHost, const char *host, const char *port) { int ircConnect(const char *bindHost, const char *host, const char *port) {
@ -163,17 +162,22 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
error = tls_connect_socket(client, sock, host); error = tls_connect_socket(client, sock, host);
if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client)); if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client));
return sock;
}
void ircHandshake(void) {
int error;
do { do {
error = tls_handshake(client); error = tls_handshake(client);
} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT); } while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client)); if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
tls_config_clear_keys(config); tls_config_clear_keys(config);
return sock;
} }
void ircPrintCert(void) { void ircPrintCert(void) {
size_t len; size_t len;
ircHandshake();
const byte *pem = tls_peer_cert_chain_pem(client, &len); const byte *pem = tls_peer_cert_chain_pem(client, &len);
printf("subject= %s\n", tls_peer_cert_subject(client)); printf("subject= %s\n", tls_peer_cert_subject(client));
fwrite(pem, len, 1, stdout); fwrite(pem, len, 1, stdout);