Explicitly clear TLS secrets afer handshake

No need to keep them at runtime; do so unconditionally for the sake of simplicity. Declare TLS config globally so ircConnect() can clear it and declare both client and config statically as they are not used outside the irc.c module.
author: Klemens Nanni <klemens@posteo.de> 2021-06-29 12:41:03 +0000
committer: June McEnroe <june@causal.agency> 2021-07-13 15:17:35 -0400
commit: ae64d277b8204c156a30d2e8b6a958e5a31f2a7f (patch)
tree: 65ccdab5c7da844febc810c10f3abe9e0058f95f
parent: Revert "Remove explicit tls_handshake(3) from ircConnect" (diff)
download: catgirl-ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.tar.gz
catgirl-ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/irc.c b/irc.c
index 61d74bb..c308e46 100644
--- a/irc.c
+++ b/irc.c
@@ -43,12 +43,13 @@
 
 #include "chat.h"
 
-struct tls *client;
+static struct tls *client;
+static struct tls_config *config;
 
 void ircConfig(
 	bool insecure, const char *trust, const char *cert, const char *priv
 ) {
-	struct tls_config *config = tls_config_new();
+	config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
 	int error;
@@ -167,6 +168,7 @@ int ircConnect(const char *bindHost, const char *host, const char *port) {
 	} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
 	if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
 
+	tls_config_clear_keys(config);
 	return sock;
 }
author	Klemens Nanni <klemens@posteo.de>	2021-06-29 12:41:03 +0000
committer	June McEnroe <june@causal.agency>	2021-07-13 15:17:35 -0400
commit	ae64d277b8204c156a30d2e8b6a958e5a31f2a7f (patch)
tree	65ccdab5c7da844febc810c10f3abe9e0058f95f
parent	Revert "Remove explicit tls_handshake(3) from ircConnect" (diff)
download	catgirl-ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.tar.gz catgirl-ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.zip