Explicitly clear TLS secrets afer handshake
No need to keep them at runtime; do so unconditionally for the sake of simplicity. Declare TLS config globally so ircConnect() can clear it and declare both client and config statically as they are not used outside the irc.c module.master
parent
40b3f52aaf
commit
ae64d277b8
6
irc.c
6
irc.c
|
@ -43,12 +43,13 @@
|
||||||
|
|
||||||
#include "chat.h"
|
#include "chat.h"
|
||||||
|
|
||||||
struct tls *client;
|
static struct tls *client;
|
||||||
|
static struct tls_config *config;
|
||||||
|
|
||||||
void ircConfig(
|
void ircConfig(
|
||||||
bool insecure, const char *trust, const char *cert, const char *priv
|
bool insecure, const char *trust, const char *cert, const char *priv
|
||||||
) {
|
) {
|
||||||
struct tls_config *config = tls_config_new();
|
config = tls_config_new();
|
||||||
if (!config) errx(EX_SOFTWARE, "tls_config_new");
|
if (!config) errx(EX_SOFTWARE, "tls_config_new");
|
||||||
|
|
||||||
int error;
|
int error;
|
||||||
|
@ -167,6 +168,7 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
|
||||||
} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
|
} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
|
||||||
if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
|
if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
|
||||||
|
|
||||||
|
tls_config_clear_keys(config);
|
||||||
return sock;
|
return sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue